SwarselSystems.org

@@ -6612,14 +6612,14 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
         extraGroups = [ "video" "render" "users" ];
       };
       nixpkgs.config.packageOverrides = pkgs: {
-        intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
+        vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
       };
       hardware.graphics = {
         enable = true;
         extraPackages = with pkgs; [
           intel-media-driver # LIBVA_DRIVER_NAME=iHD
-          intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+          vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-          libva-vdpau-driver
+          vaapiVdpau
           libvdpau-va-gl
         ];
       };
@@ -7460,7 +7460,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
 
       services.${serviceName} = {
         enable = true;
-        package = pkgs.immich;
+        package = pkgs.stable.immich;
         host = "0.0.0.0";
         port = servicePort;
         openFirewall = true;
@@ -8806,12 +8806,6 @@ let
     forgejoDomain = globals.services.forgejo.domain;
     grafanaDomain = globals.services.grafana.domain;
     nextcloudDomain = globals.services.nextcloud.domain;
-
-  certBase = "/etc/ssl";
-  certsDir = "${certBase}/certs";
-  privateDir = "${certBase}/private";
-  certPath = "${certsDir}/${serviceName}.crt";
-  keyPath = "${privateDir}/${serviceName}.key";
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -8844,47 +8838,6 @@ in
 
       globals.services.${serviceName}.domain = serviceDomain;
 
-    system.activationScripts."generateSSLCert-${serviceName}" =
-      let
-        daysValid = 3650;
-        renewBeforeDays = 365;
-      in
-      {
-        text = ''
-          set -eu
-
-          ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
-          ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
-
-          need_gen=0
-          if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
-            need_gen=1
-          else
-            enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
-            end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
-            now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
-            seconds_left=$(( end_epoch - now_epoch ))
-            days_left=$(( seconds_left / 86400 ))
-            if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
-              need_gen=1
-            fi
-          fi
-
-          if [ "$need_gen" -eq 1 ]; then
-            ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
-              -keyout "${keyPath}" \
-              -out "${certPath}" \
-              -subj "/CN=${serviceDomain}" \
-              -addext "subjectAltName=DNS:${serviceDomain}"
-
-            chmod 0644 "${certPath}"
-            chmod 0600 "${keyPath}"
-            chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
-          fi
-        '';
-        deps = [ "etc" ];
-      };
-
       services = {
         ${serviceName} = {
           package = pkgs.kanidmWithSecretProvisioning_1_7;
@@ -8892,10 +8845,8 @@ in
           serverSettings = {
             domain = serviceDomain;
             origin = "https://${serviceDomain}";
-          # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
+            tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
-          tls_chain = certPath;
+            tls_key = config.sops.secrets.kanidm-self-signed-key.path;
-          # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
-          tls_key = keyPath;
             bindaddress = "0.0.0.0:${toString servicePort}";
             trust_x_forward_for = true;
           };

index.html

@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-11-03 Mo 17:12 -->
+<!-- 2025-11-02 So 12:29 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configurationo</title>
@@ -209,8 +209,8 @@
 <li><a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">1.4. Hosts</a></li>
 <li><a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">1.5. Programs</a></li>
 <li><a href="#h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9">1.6. Services</a></li>
-<li><a href="#orgdb1e0b6">1.7. Manual steps when setting up a new machine</a></li>
+<li><a href="#org24c7b51">1.7. Manual steps when setting up a new machine</a></li>
-<li><a href="#org0e21495">1.8. Current issues</a></li>
+<li><a href="#org88f8510">1.8. Current issues</a></li>
 </ul>
 </li>
 <li><a href="#h:c7588c0d-2528-485d-b2df-04d6336428d7">2. flake.nix</a>
@@ -271,7 +271,7 @@
 </li>
 <li><a href="#h:28e1a7eb-356b-4015-83f7-9c552c8c0e9d">3.1.2.4. machpizza (MacBook Pro)</a></li>
 <li><a href="#h:729af373-37e7-4379-9a3d-b09792219415">3.1.2.5. Magicant (Phone)</a></li>
-<li><a href="#org265df55">3.1.2.6. Treehouse (DGX Spark)</a></li>
+<li><a href="#org5f762ec">3.1.2.6. Treehouse (DGX Spark)</a></li>
 </ul>
 </li>
 <li><a href="#h:4dc59747-9598-4029-aa7d-92bf186d6c06">3.1.3. Virtual hosts</a>
@@ -445,15 +445,15 @@
 <li><a href="#h:15b581ab-09fe-4f84-af26-2f1fbf7d726b">3.2.5.8. Hibernation</a></li>
 <li><a href="#h:86fb3236-9e18-43f0-8a08-3a2acd61cc98">3.2.5.9. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.2.5.10. work</a></li>
-<li><a href="#orgf83553a">3.2.5.11. microvm-host</a></li>
+<li><a href="#org4d4148d">3.2.5.11. microvm-host</a></li>
-<li><a href="#orged413e5">3.2.5.12. microvm-guest</a></li>
+<li><a href="#orgdbde54b">3.2.5.12. microvm-guest</a></li>
 </ul>
 </li>
 </ul>
 </li>
 <li><a href="#h:08ded95b-9c43-475d-a0b2-fc088a512287">3.3. Home-manager</a>
 <ul>
-<li><a href="#org836d017">3.3.1. Steps to setup/upgrade home-manager only</a></li>
+<li><a href="#org664aad5">3.3.1. Steps to setup/upgrade home-manager only</a></li>
 <li><a href="#h:f0a6b5e0-2157-4522-b5e1-3f0abd91c05e">3.3.2. <span class="todo TODO">TODO</span> Common</a>
 <ul>
 <li><a href="#h:16fd2e85-fdd4-440a-81f0-65b9b098a43a">3.3.2.1. Imports</a></li>
@@ -475,7 +475,7 @@
 <li><a href="#h:4486b02f-4fb8-432b-bfa2-2e786206341d">3.3.2.12. Sourcing environment variables</a></li>
 <li><a href="#h:f0e0b580-2e1c-4ca6-a983-f05d3ebbbcde">3.3.2.13. General Programs: bottom, imv, less, lesspipe, sioyek, bat, carapace, wlogout, swayr, yt-dlp, mpv, jq, nix-index, ripgrep, pandoc, fzf, zoxide, timidity</a></li>
 <li><a href="#h:64dbbb9e-8097-4c1b-813c-8c10cf9b9748">3.3.2.14. nix-index</a></li>
-<li><a href="#org891c387">3.3.2.15. nix-your-shell</a></li>
+<li><a href="#orga79078b">3.3.2.15. nix-your-shell</a></li>
 <li><a href="#h:ac0e5e62-0dbf-4782-9a96-9e558eae86ae">3.3.2.16. password-store</a></li>
 <li><a href="#h:1ab84307-b3fb-4c32-9def-4b89a53a8547">3.3.2.17. direnv</a></li>
 <li><a href="#h:1bd6b0c7-f201-43e2-9624-6c50de00a1f6">3.3.2.18. eza</a></li>
@@ -498,12 +498,12 @@
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.3.2.31.3. Mako</a></li>
 <li><a href="#h:388e71be-f00a-4d45-ade1-218ce942057d">3.3.2.31.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.3.2.31.5. yubikey-touch-detector</a></li>
-<li><a href="#org546b1c9">3.3.2.31.6. blueman-applet</a></li>
+<li><a href="#org167b13d">3.3.2.31.6. blueman-applet</a></li>
-<li><a href="#orgba33f75">3.3.2.31.7. network-manager-applet</a></li>
+<li><a href="#org7176458">3.3.2.31.7. network-manager-applet</a></li>
-<li><a href="#org0fb7a1d">3.3.2.31.8. obsidian service for tray</a></li>
+<li><a href="#org5685c5c">3.3.2.31.8. obsidian service for tray</a></li>
-<li><a href="#org42ea2da">3.3.2.31.9. anki service for tray</a></li>
+<li><a href="#org3698e4d">3.3.2.31.9. anki service for tray</a></li>
-<li><a href="#org215cea7">3.3.2.31.10. element service for tray</a></li>
+<li><a href="#org01fbaf4">3.3.2.31.10. element service for tray</a></li>
-<li><a href="#org08dbb21">3.3.2.31.11. vesktop service for tray</a></li>
+<li><a href="#orga07e14b">3.3.2.31.11. vesktop service for tray</a></li>
 </ul>
 </li>
 <li><a href="#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20">3.3.2.32. Sway</a></li>
@@ -512,17 +512,17 @@
 <li><a href="#h:7d384e3b-1be7-4644-b304-ada4af0b692b">3.3.2.35. gpg-agent</a></li>
 <li><a href="#h:74e236be-a977-4d38-b8c5-0b9feef8af91">3.3.2.36. gammastep</a></li>
 <li><a href="#h:d1fb3075-ad52-4c1b-ba45-5ddbd0d3b708">3.3.2.37. Spicetify</a></li>
-<li><a href="#org9d7e9f9">3.3.2.38. Obsidian</a></li>
+<li><a href="#org3c49d3d">3.3.2.38. Obsidian</a></li>
-<li><a href="#org99dcb02">3.3.2.39. Anki</a></li>
+<li><a href="#org8416663">3.3.2.39. Anki</a></li>
-<li><a href="#org2cea79e">3.3.2.40. Element-desktop</a></li>
+<li><a href="#org76002b7">3.3.2.40. Element-desktop</a></li>
-<li><a href="#org0433212">3.3.2.41. Hexchat</a></li>
+<li><a href="#orgc999246">3.3.2.41. Hexchat</a></li>
-<li><a href="#orgd461d44">3.3.2.42. obs-studio</a></li>
+<li><a href="#org479bb22">3.3.2.42. obs-studio</a></li>
-<li><a href="#org612fc22">3.3.2.43. spotify-player</a></li>
+<li><a href="#org21f2297">3.3.2.43. spotify-player</a></li>
-<li><a href="#orgdea36b4">3.3.2.44. vesktop</a></li>
+<li><a href="#org12a1fb4">3.3.2.44. vesktop</a></li>
-<li><a href="#org2d5500c">3.3.2.45. batsignal</a></li>
+<li><a href="#org5886189">3.3.2.45. batsignal</a></li>
-<li><a href="#orgb306512">3.3.2.46. autotiling</a></li>
+<li><a href="#orgeb5759e">3.3.2.46. autotiling</a></li>
-<li><a href="#org18f8945">3.3.2.47. swayidle</a></li>
+<li><a href="#orgc400b7d">3.3.2.47. swayidle</a></li>
-<li><a href="#org8cf5711">3.3.2.48. swaylock</a></li>
+<li><a href="#org00e576d">3.3.2.48. swaylock</a></li>
 </ul>
 </li>
 <li><a href="#h:b1a00339-6e9b-4ae4-b5dc-6fd5669a2ddb">3.3.3. Server</a>
@@ -587,8 +587,8 @@
 <li><a href="#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">3.5.31. swarsel-build</a></li>
 <li><a href="#h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa">3.5.32. swarsel-instantiate</a></li>
 <li><a href="#h:02842543-caca-4d4c-a4d2-7ac749b5c136">3.5.33. sshrm</a></li>
-<li><a href="#org78d05ab">3.5.34. endme</a></li>
+<li><a href="#orgf54c20e">3.5.34. endme</a></li>
-<li><a href="#orgfd9792b">3.5.35. git-replace</a></li>
+<li><a href="#org03b4d66">3.5.35. git-replace</a></li>
 </ul>
 </li>
 <li><a href="#h:f0f1c961-3e7a-47b8-99ab-1654bb45dffc">3.6. Profiles</a>
@@ -597,7 +597,7 @@
 <ul>
 <li><a href="#h:32d654de-8db2-403a-9a27-4c46d7b9172d">3.6.1.1. Personal</a></li>
 <li><a href="#h:b926f0c8-7968-4079-924c-a5d0ae4d3a45">3.6.1.2. Minimal</a></li>
-<li><a href="#orga4bff18">3.6.1.3. Optionals</a></li>
+<li><a href="#org196f490">3.6.1.3. Optionals</a></li>
 <li><a href="#h:b79fbb59-9cf2-48eb-b469-2589223dda95">3.6.1.4. Chaostheatre</a></li>
 <li><a href="#h:cb3631a8-9c1b-42f2-ab01-502c7b4c273d">3.6.1.5. Work</a></li>
 <li><a href="#h:87a83b10-3c2f-407c-89aa-922ad77748a4">3.6.1.6. Uni</a></li>
@@ -608,7 +608,7 @@
 <li><a href="#h:ced5841f-c088-4d88-b3a1-7d62aad8837b">3.6.2. home-manager</a>
 <ul>
 <li><a href="#h:26512487-8c29-4b92-835b-d67394c3f5ef">3.6.2.1. Personal</a></li>
-<li><a href="#org19e1871">3.6.2.2. DGX Spark</a></li>
+<li><a href="#org7852052">3.6.2.2. DGX Spark</a></li>
 <li><a href="#h:0554a271-f8ec-4885-b46f-2a02dfd967bd">3.6.2.3. Optionals</a></li>
 <li><a href="#h:26512487-8c29-4b92-835b-d67394c3f5ef">3.6.2.4. Minimal</a></li>
 <li><a href="#h:36a0209f-2c17-4808-a1d0-a9e1920c307a">3.6.2.5. Chaostheatre</a></li>
@@ -779,7 +779,7 @@
 <ul>
 <li><a href="#h:b92a18cf-eec3-4605-a8c2-37133ade3574">4.4.39.1. mu4e</a></li>
 <li><a href="#h:43209eeb-5d46-472e-b7c2-58a3fb465199">4.4.39.2. mu4e-alert</a></li>
-<li><a href="#org7d94f05">4.4.39.3. Work: Signing Mails (S/MIME, smime)</a></li>
+<li><a href="#org29e6a55">4.4.39.3. Work: Signing Mails (S/MIME, smime)</a></li>
 </ul>
 </li>
 <li><a href="#h:c760f04e-622f-4b3e-8916-53ca8cce6edc">4.4.40. Calendar</a></li>
@@ -794,8 +794,8 @@
 </li>
 <li><a href="#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c">5. Appendix A: Noweb-Ref blocks</a>
 <ul>
-<li><a href="#org6c3bc34">5.1. General steps when setting up a new machine</a></li>
+<li><a href="#org2aed48c">5.1. General steps when setting up a new machine</a></li>
-<li><a href="#org7eff7db">5.2. Current patches and fixes</a></li>
+<li><a href="#org1380fac">5.2. Current patches and fixes</a></li>
 </ul>
 </li>
 <li><a href="#h:8fc9f66a-7412-4091-8dee-a06f897baf67">6. Appendix B: Supplementary Files</a>
@@ -847,7 +847,7 @@
 </div>
 </div>
 <p>
-<b>This file has 97891 words spanning 25270 lines and was last revised on 2025-11-03 17:12:01 +0100.</b>
+<b>This file has 97685 words spanning 25221 lines and was last revised on 2025-11-02 12:29:26 +0100.</b>
 </p>
 
 <p>
@@ -916,7 +916,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-11-03 17:12:01 +0100)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-11-02 12:29:26 +0100)
 </p></li>
 </ul>
 
@@ -1219,8 +1219,8 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 </div>
 </div>
 </div>
-<div id="outline-container-orgdb1e0b6" class="outline-3">
+<div id="outline-container-org24c7b51" class="outline-3">
-<h3 id="orgdb1e0b6"><span class="section-number-3">1.7.</span> Manual steps when setting up a new machine</h3>
+<h3 id="org24c7b51"><span class="section-number-3">1.7.</span> Manual steps when setting up a new machine</h3>
 <div class="outline-text-3" id="text-1-7">
 <div class="org-src-container">
 <pre class="src src-markdown">These steps are required when setting up a normal NixOS host:
@@ -1263,8 +1263,8 @@ If the new machine is home-manager only, perform these steps:
 </div>
 </div>
 </div>
-<div id="outline-container-org0e21495" class="outline-3">
+<div id="outline-container-org88f8510" class="outline-3">
-<h3 id="org0e21495"><span class="section-number-3">1.8.</span> Current issues</h3>
+<h3 id="org88f8510"><span class="section-number-3">1.8.</span> Current issues</h3>
 <div class="outline-text-3" id="text-1-8">
 <div class="org-src-container">
 <pre class="src src-markdown">Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
@@ -3779,8 +3779,8 @@ My phone. I use only a minimal config for remote debugging here.
 </div>
 </div>
 </div>
-<div id="outline-container-org265df55" class="outline-5">
+<div id="outline-container-org5f762ec" class="outline-5">
-<h5 id="org265df55"><span class="section-number-5">3.1.2.6.</span> Treehouse (DGX Spark)</h5>
+<h5 id="org5f762ec"><span class="section-number-5">3.1.2.6.</span> Treehouse (DGX Spark)</h5>
 <div class="outline-text-5" id="text-3-1-2-6">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, outputs, ... }:
@@ -7937,14 +7937,14 @@ in
       extraGroups = [ "video" "render" "users" ];
     };
     nixpkgs.config.packageOverrides = pkgs: {
-      intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
+      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
     };
     hardware.graphics = {
       enable = true;
       extraPackages = with pkgs; [
         intel-media-driver # LIBVA_DRIVER_NAME=iHD
-        intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-        libva-vdpau-driver
+        vaapiVdpau
         libvdpau-va-gl
       ];
     };
@@ -8785,7 +8785,7 @@ in
 
     services.${serviceName} = {
       enable = true;
-      package = pkgs.immich;
+      package = pkgs.stable.immich;
       host = "0.0.0.0";
       port = servicePort;
       openFirewall = true;
@@ -10157,12 +10157,6 @@ let
   forgejoDomain = globals.services.forgejo.domain;
   grafanaDomain = globals.services.grafana.domain;
   nextcloudDomain = globals.services.nextcloud.domain;
-
-  certBase = "/etc/ssl";
-  certsDir = "${certBase}/certs";
-  privateDir = "${certBase}/private";
-  certPath = "${certsDir}/${serviceName}.crt";
-  keyPath = "${privateDir}/${serviceName}.key";
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -10195,47 +10189,6 @@ in
 
     globals.services.${serviceName}.domain = serviceDomain;
 
-    system.activationScripts."generateSSLCert-${serviceName}" =
-      let
-        daysValid = 3650;
-        renewBeforeDays = 365;
-      in
-      {
-        text = ''
-          set -eu
-
-          ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
-          ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
-
-          need_gen=0
-          if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
-            need_gen=1
-          else
-            enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
-            end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
-            now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
-            seconds_left=$(( end_epoch - now_epoch ))
-            days_left=$(( seconds_left / 86400 ))
-            if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
-              need_gen=1
-            fi
-          fi
-
-          if [ "$need_gen" -eq 1 ]; then
-            ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
-              -keyout "${keyPath}" \
-              -out "${certPath}" \
-              -subj "/CN=${serviceDomain}" \
-              -addext "subjectAltName=DNS:${serviceDomain}"
-
-            chmod 0644 "${certPath}"
-            chmod 0600 "${keyPath}"
-            chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
-          fi
-        '';
-        deps = [ "etc" ];
-      };
-
     services = {
       ${serviceName} = {
         package = pkgs.kanidmWithSecretProvisioning_1_7;
@@ -10243,10 +10196,8 @@ in
         serverSettings = {
           domain = serviceDomain;
           origin = "https://${serviceDomain}";
-          # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
+          tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
-          tls_chain = certPath;
+          tls_key = config.sops.secrets.kanidm-self-signed-key.path;
-          # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
-          tls_key = keyPath;
           bindaddress = "0.0.0.0:${toString servicePort}";
           trust_x_forward_for = true;
         };
@@ -12300,8 +12251,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgf83553a" class="outline-5">
+<div id="outline-container-org4d4148d" class="outline-5">
-<h5 id="orgf83553a"><span class="section-number-5">3.2.5.11.</span> microvm-host</h5>
+<h5 id="org4d4148d"><span class="section-number-5">3.2.5.11.</span> microvm-host</h5>
 <div class="outline-text-5" id="text-3-2-5-11">
 <p>
 Some standard options that should be set for every microvm host.
@@ -12327,8 +12278,8 @@ Some standard options that should be set for every microvm host.
 </div>
 </div>
 </div>
-<div id="outline-container-orged413e5" class="outline-5">
+<div id="outline-container-orgdbde54b" class="outline-5">
-<h5 id="orged413e5"><span class="section-number-5">3.2.5.12.</span> microvm-guest</h5>
+<h5 id="orgdbde54b"><span class="section-number-5">3.2.5.12.</span> microvm-guest</h5>
 <div class="outline-text-5" id="text-3-2-5-12">
 <p>
 Some standard options that should be set vor every microvm guest. We set the default
@@ -12425,8 +12376,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-org836d017" class="outline-4">
+<div id="outline-container-org664aad5" class="outline-4">
-<h4 id="org836d017"><span class="section-number-4">3.3.1.</span> Steps to setup/upgrade home-manager only</h4>
+<h4 id="org664aad5"><span class="section-number-4">3.3.1.</span> Steps to setup/upgrade home-manager only</h4>
 <div class="outline-text-4" id="text-3-3-1">
 <p>
 Steps to get a home-manager only setup up and running:
@@ -13454,8 +13405,8 @@ nix-index provides a way to find out which packages are provided by which deriva
 </div>
 </div>
 </div>
-<div id="outline-container-org891c387" class="outline-5">
+<div id="outline-container-orga79078b" class="outline-5">
-<h5 id="org891c387"><span class="section-number-5">3.3.2.15.</span> nix-your-shell</h5>
+<h5 id="orga79078b"><span class="section-number-5">3.3.2.15.</span> nix-your-shell</h5>
 <div class="outline-text-5" id="text-3-3-2-15">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -15180,8 +15131,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org546b1c9" class="outline-6">
+<div id="outline-container-org167b13d" class="outline-6">
-<h6 id="org546b1c9"><span class="section-number-6">3.3.2.31.6.</span> blueman-applet</h6>
+<h6 id="org167b13d"><span class="section-number-6">3.3.2.31.6.</span> blueman-applet</h6>
 <div class="outline-text-6" id="text-3-3-2-31-6">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -15195,8 +15146,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-orgba33f75" class="outline-6">
+<div id="outline-container-org7176458" class="outline-6">
-<h6 id="orgba33f75"><span class="section-number-6">3.3.2.31.7.</span> network-manager-applet</h6>
+<h6 id="org7176458"><span class="section-number-6">3.3.2.31.7.</span> network-manager-applet</h6>
 <div class="outline-text-6" id="text-3-3-2-31-7">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -15211,8 +15162,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org0fb7a1d" class="outline-6">
+<div id="outline-container-org5685c5c" class="outline-6">
-<h6 id="org0fb7a1d"><span class="section-number-6">3.3.2.31.8.</span> obsidian service for tray</h6>
+<h6 id="org5685c5c"><span class="section-number-6">3.3.2.31.8.</span> obsidian service for tray</h6>
 <div class="outline-text-6" id="text-3-3-2-31-8">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -15246,8 +15197,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org42ea2da" class="outline-6">
+<div id="outline-container-org3698e4d" class="outline-6">
-<h6 id="org42ea2da"><span class="section-number-6">3.3.2.31.9.</span> anki service for tray</h6>
+<h6 id="org3698e4d"><span class="section-number-6">3.3.2.31.9.</span> anki service for tray</h6>
 <div class="outline-text-6" id="text-3-3-2-31-9">
 <p>
 Sets up a systemd user service for anki that does not stall the shutdown process. Note that the outcommented <code>ExecStart</code> does not work because the home-manager anki package builds a separate anki package that - I think - cannot be referenced as no such expression exists in the module.
@@ -15294,8 +15245,8 @@ Sets up a systemd user service for anki that does not stall the shutdown process
 </div>
 </div>
 </div>
-<div id="outline-container-org215cea7" class="outline-6">
+<div id="outline-container-org01fbaf4" class="outline-6">
-<h6 id="org215cea7"><span class="section-number-6">3.3.2.31.10.</span> element service for tray</h6>
+<h6 id="org01fbaf4"><span class="section-number-6">3.3.2.31.10.</span> element service for tray</h6>
 <div class="outline-text-6" id="text-3-3-2-31-10">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -15329,8 +15280,8 @@ Sets up a systemd user service for anki that does not stall the shutdown process
 </div>
 </div>
 </div>
-<div id="outline-container-org08dbb21" class="outline-6">
+<div id="outline-container-orga07e14b" class="outline-6">
-<h6 id="org08dbb21"><span class="section-number-6">3.3.2.31.11.</span> vesktop service for tray</h6>
+<h6 id="orga07e14b"><span class="section-number-6">3.3.2.31.11.</span> vesktop service for tray</h6>
 <div class="outline-text-6" id="text-3-3-2-31-11">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -16261,8 +16212,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9d7e9f9" class="outline-5">
+<div id="outline-container-org3c49d3d" class="outline-5">
-<h5 id="org9d7e9f9"><span class="section-number-5">3.3.2.38.</span> Obsidian</h5>
+<h5 id="org3c49d3d"><span class="section-number-5">3.3.2.38.</span> Obsidian</h5>
 <div class="outline-text-5" id="text-3-3-2-38">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, nixosConfig ? config, ... }:
@@ -16422,8 +16373,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org99dcb02" class="outline-5">
+<div id="outline-container-org8416663" class="outline-5">
-<h5 id="org99dcb02"><span class="section-number-5">3.3.2.39.</span> Anki</h5>
+<h5 id="org8416663"><span class="section-number-5">3.3.2.39.</span> Anki</h5>
 <div class="outline-text-5" id="text-3-3-2-39">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }:
@@ -16496,8 +16447,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2cea79e" class="outline-5">
+<div id="outline-container-org76002b7" class="outline-5">
-<h5 id="org2cea79e"><span class="section-number-5">3.3.2.40.</span> Element-desktop</h5>
+<h5 id="org76002b7"><span class="section-number-5">3.3.2.40.</span> Element-desktop</h5>
 <div class="outline-text-5" id="text-3-3-2-40">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16533,8 +16484,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org0433212" class="outline-5">
+<div id="outline-container-orgc999246" class="outline-5">
-<h5 id="org0433212"><span class="section-number-5">3.3.2.41.</span> Hexchat</h5>
+<h5 id="orgc999246"><span class="section-number-5">3.3.2.41.</span> Hexchat</h5>
 <div class="outline-text-5" id="text-3-3-2-41">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, nixosConfig ? config, ... }:
@@ -16558,8 +16509,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgd461d44" class="outline-5">
+<div id="outline-container-org479bb22" class="outline-5">
-<h5 id="orgd461d44"><span class="section-number-5">3.3.2.42.</span> obs-studio</h5>
+<h5 id="org479bb22"><span class="section-number-5">3.3.2.42.</span> obs-studio</h5>
 <div class="outline-text-5" id="text-3-3-2-42">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16579,8 +16530,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org612fc22" class="outline-5">
+<div id="outline-container-org21f2297" class="outline-5">
-<h5 id="org612fc22"><span class="section-number-5">3.3.2.43.</span> spotify-player</h5>
+<h5 id="org21f2297"><span class="section-number-5">3.3.2.43.</span> spotify-player</h5>
 <div class="outline-text-5" id="text-3-3-2-43">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16600,8 +16551,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgdea36b4" class="outline-5">
+<div id="outline-container-org12a1fb4" class="outline-5">
-<h5 id="orgdea36b4"><span class="section-number-5">3.3.2.44.</span> vesktop</h5>
+<h5 id="org12a1fb4"><span class="section-number-5">3.3.2.44.</span> vesktop</h5>
 <div class="outline-text-5" id="text-3-3-2-44">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, pkgs, config, ... }:
@@ -16688,8 +16639,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2d5500c" class="outline-5">
+<div id="outline-container-org5886189" class="outline-5">
-<h5 id="org2d5500c"><span class="section-number-5">3.3.2.45.</span> batsignal</h5>
+<h5 id="org5886189"><span class="section-number-5">3.3.2.45.</span> batsignal</h5>
 <div class="outline-text-5" id="text-3-3-2-45">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16721,8 +16672,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgb306512" class="outline-5">
+<div id="outline-container-orgeb5759e" class="outline-5">
-<h5 id="orgb306512"><span class="section-number-5">3.3.2.46.</span> autotiling</h5>
+<h5 id="orgeb5759e"><span class="section-number-5">3.3.2.46.</span> autotiling</h5>
 <div class="outline-text-5" id="text-3-3-2-46">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16743,8 +16694,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org18f8945" class="outline-5">
+<div id="outline-container-orgc400b7d" class="outline-5">
-<h5 id="org18f8945"><span class="section-number-5">3.3.2.47.</span> swayidle</h5>
+<h5 id="orgc400b7d"><span class="section-number-5">3.3.2.47.</span> swayidle</h5>
 <div class="outline-text-5" id="text-3-3-2-47">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -16785,8 +16736,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org8cf5711" class="outline-5">
+<div id="outline-container-org00e576d" class="outline-5">
-<h5 id="org8cf5711"><span class="section-number-5">3.3.2.48.</span> swaylock</h5>
+<h5 id="org00e576d"><span class="section-number-5">3.3.2.48.</span> swaylock</h5>
 <div class="outline-text-5" id="text-3-3-2-48">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -20008,8 +19959,8 @@ writeShellApplication {
 </div>
 </div>
 </div>
-<div id="outline-container-org78d05ab" class="outline-4">
+<div id="outline-container-orgf54c20e" class="outline-4">
-<h4 id="org78d05ab"><span class="section-number-4">3.5.34.</span> endme</h4>
+<h4 id="orgf54c20e"><span class="section-number-4">3.5.34.</span> endme</h4>
 <div class="outline-text-4" id="text-3-5-34">
 <p>
 Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session.
@@ -20030,8 +19981,8 @@ writeShellApplication {
 </div>
 </div>
 </div>
-<div id="outline-container-orgfd9792b" class="outline-4">
+<div id="outline-container-org03b4d66" class="outline-4">
-<h4 id="orgfd9792b"><span class="section-number-4">3.5.35.</span> git-replace</h4>
+<h4 id="org03b4d66"><span class="section-number-4">3.5.35.</span> git-replace</h4>
 <div class="outline-text-4" id="text-3-5-35">
 <p>
 This script allows for quick git replace of a string.
@@ -20247,8 +20198,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orga4bff18" class="outline-5">
+<div id="outline-container-org196f490" class="outline-5">
-<h5 id="orga4bff18"><span class="section-number-5">3.6.1.3.</span> Optionals</h5>
+<h5 id="org196f490"><span class="section-number-5">3.6.1.3.</span> Optionals</h5>
 <div class="outline-text-5" id="text-3-6-1-3">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -20544,8 +20495,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org19e1871" class="outline-5">
+<div id="outline-container-org7852052" class="outline-5">
-<h5 id="org19e1871"><span class="section-number-5">3.6.2.2.</span> DGX Spark</h5>
+<h5 id="org7852052"><span class="section-number-5">3.6.2.2.</span> DGX Spark</h5>
 <div class="outline-text-5" id="text-3-6-2-2">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -24255,8 +24206,8 @@ This adds the simple utility of sending desktop notifications whenever a new mai
 </div>
 </div>
 </div>
-<div id="outline-container-org7d94f05" class="outline-5">
+<div id="outline-container-org29e6a55" class="outline-5">
-<h5 id="org7d94f05"><span class="section-number-5">4.4.39.3.</span> Work: Signing Mails (S/MIME, smime)</h5>
+<h5 id="org29e6a55"><span class="section-number-5">4.4.39.3.</span> Work: Signing Mails (S/MIME, smime)</h5>
 <div class="outline-text-5" id="text-4-4-39-3">
 <p>
 Used to automatically sign messages sent from my work email address using S/MIME certificate.
@@ -24540,8 +24491,8 @@ Also see `prot-window-delete-popup-frame'." command)
 This sections is no longer used really. An introduction can be found in <a href="#h:bcc3ebbe-df8a-46bd-b42d-73aad6fc66e5">Structure of this file</a> under the historical note. The little noweb-ref blocks that I still use are found in <a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">Hosts</a> and <a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">Services</a>.
 </p>
 </div>
-<div id="outline-container-org6c3bc34" class="outline-3">
+<div id="outline-container-org2aed48c" class="outline-3">
-<h3 id="org6c3bc34"><span class="section-number-3">5.1.</span> General steps when setting up a new machine</h3>
+<h3 id="org2aed48c"><span class="section-number-3">5.1.</span> General steps when setting up a new machine</h3>
 <div class="outline-text-3" id="text-5-1">
 <p>
 These general steps are needed when setting up a new machine and do not fit into another block well:
@@ -24554,8 +24505,8 @@ These general steps are needed when setting up a new machine and do not fit into
 </div>
 </div>
 </div>
-<div id="outline-container-org7eff7db" class="outline-3">
+<div id="outline-container-org1380fac" class="outline-3">
-<h3 id="org7eff7db"><span class="section-number-3">5.2.</span> Current patches and fixes</h3>
+<h3 id="org1380fac"><span class="section-number-3">5.2.</span> Current patches and fixes</h3>
 <div class="outline-text-3" id="text-5-2">
 <p>
 These are current deviations from the standard settings that I take while some things are broken upstream
@@ -27515,7 +27466,7 @@ similarly, there exists an version that starts from the right.
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-11-03 Mo 17:12</p>
+<p class="date">Created: 2025-11-02 So 12:29</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>

modules/nixos/server/immich.nix

@@ -19,7 +19,7 @@ in
 
     services.${serviceName} = {
       enable = true;
-      package = pkgs.immich;
+      package = pkgs.stable.immich;
       host = "0.0.0.0";
       port = servicePort;
       openFirewall = true;

modules/nixos/server/jellyfin.nix

@@ -13,14 +13,14 @@ in
       extraGroups = [ "video" "render" "users" ];
     };
     nixpkgs.config.packageOverrides = pkgs: {
-      intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
+      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
     };
     hardware.graphics = {
       enable = true;
       extraPackages = with pkgs; [
         intel-media-driver # LIBVA_DRIVER_NAME=iHD
-        intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-        libva-vdpau-driver
+        vaapiVdpau
         libvdpau-va-gl
       ];
     };

modules/nixos/server/kanidm.nix

@@ -16,12 +16,6 @@ let
   forgejoDomain = globals.services.forgejo.domain;
   grafanaDomain = globals.services.grafana.domain;
   nextcloudDomain = globals.services.nextcloud.domain;
-
-  certBase = "/etc/ssl";
-  certsDir = "${certBase}/certs";
-  privateDir = "${certBase}/private";
-  certPath = "${certsDir}/${serviceName}.crt";
-  keyPath = "${privateDir}/${serviceName}.key";
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -54,47 +48,6 @@ in
 
     globals.services.${serviceName}.domain = serviceDomain;
 
-    system.activationScripts."generateSSLCert-${serviceName}" =
-      let
-        daysValid = 3650;
-        renewBeforeDays = 365;
-      in
-      {
-        text = ''
-          set -eu
-
-          ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
-          ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
-
-          need_gen=0
-          if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
-            need_gen=1
-          else
-            enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
-            end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
-            now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
-            seconds_left=$(( end_epoch - now_epoch ))
-            days_left=$(( seconds_left / 86400 ))
-            if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
-              need_gen=1
-            fi
-          fi
-
-          if [ "$need_gen" -eq 1 ]; then
-            ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
-              -keyout "${keyPath}" \
-              -out "${certPath}" \
-              -subj "/CN=${serviceDomain}" \
-              -addext "subjectAltName=DNS:${serviceDomain}"
-
-            chmod 0644 "${certPath}"
-            chmod 0600 "${keyPath}"
-            chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
-          fi
-        '';
-        deps = [ "etc" ];
-      };
-
     services = {
       ${serviceName} = {
         package = pkgs.kanidmWithSecretProvisioning_1_7;
@@ -102,10 +55,8 @@ in
         serverSettings = {
           domain = serviceDomain;
           origin = "https://${serviceDomain}";
-          # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
+          tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
-          tls_chain = certPath;
+          tls_key = config.sops.secrets.kanidm-self-signed-key.path;
-          # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
-          tls_key = keyPath;
           bindaddress = "0.0.0.0:${toString servicePort}";
           trust_x_forward_for = true;
         };

secrets/general/secrets.yaml

@@ -20,8 +20,7 @@ u2f-keys: ENC[AES256_GCM,data:4UPXyOYEQR1oybxPLR3JW8ro5gTzq0YQse1lnAP020Nm4JG4El
 #ENC[AES256_GCM,data:NoqAfw==,iv:myxrEPllN9zwXn5iCxL89qX7wSN8C0foFdxvvitq7b0=,tag:Yud5HDjWvEMrw1lMp21hMg==,type:comment]
 croc-password: ENC[AES256_GCM,data:uz7vI2rrPi1uTKEks4IPnWOt/R6ydlp/cQ==,iv:ZE01XcS6nF1sqz04rC1o20l+1DpNSRVjhC40ZmTVCww=,tag:REjnDQBcDkUzLg2ZsiDUvA==,type:str]
 #ENC[AES256_GCM,data:qsBNKxd3Ng==,iv:1fNMDJt7vgKFSdghYBZsuDoZ1sWvzj1Zu8NmkjX6Zh8=,tag:0D7EsgN8B1z7/y4iZS/PtQ==,type:comment]
-#ENC[AES256_GCM,data:G6Xk3eWNCSbuxzy91Yx/5ZGR2OgJHhJMnRWXwxJ96DW5K+igQjIimNBW90cXqs5iztjC3q4F/YUK2IStnqCgZQi1Gye2g8uHj+1Xa0bt5LKNdjWwwfcONxcKTq37R55sgMbIwdPqi2CBZAw/fdsXfKeDNz3V+7fKzkzX8EckUGj2v27TJoR0/fHjLA==,iv:la0FjH6m9ersNIEqcXmp2kpioL2kubzU2up9wJujDTQ=,tag:GvFW4wzi4PD9HdryfNQrwQ==,type:comment]
+github-api-token: ENC[AES256_GCM,data:9AhHkmv4JUjmir77INYflGvjNWW/E17FmfoXs5IUnAlL7B/l8s7UlVob0Az4lOUnm3+R0RWJz0HKMvOdZVZjd3RakdoWqvBHFqOVNF1MNthg2izIiaERsnDXcxj54qJfpD505xFSBWmnTKWVwRZlW5WEsFPuvaVy,iv:wzXT+qsn4VG+R8tGU33EWoaMKs4c/BB5W7f2JvuX2eY=,tag:EEhbktsmWHBwh0iBtfaXlA==,type:str]
-github-api-token: ENC[AES256_GCM,data:jUruDrTBfuqYuNXOxEtFsFkeXW6UqPvFiVNIXHVeTBaDkELSmJnz3u80rdfuVhxmRlFg8/ApiiBCB5X5sd+6Zh0JgH7mbaxVe+lta1m1wiCm1fWRBkDOuEoHt7p4pVbec/LUJOyvhWzcTcWTtW1GT96DFxKHBt8v,iv:WAWIck/gqZD6Oq/2LxS7YCD1F1FfCq+ZK1ls6sPdJQk=,tag:VTfKIICDvAsVN+7Fx4o1XA==,type:str]
 #ENC[AES256_GCM,data:vQF1i7rtfz/MBElKIN9j8N0=,iv:jf2SZpulx85yx2sHcnA3iwkiXJcHq4x1fdBUcSRuiK0=,tag:WpUNpH6/8jDvQA8zRGrdKg==,type:comment]
 emacs-radicale-pw: ENC[AES256_GCM,data:BIORG0geX8s1WOA=,iv:SeoVn8xHlqQGxZzHrm5I5LITMoutRnz3OygswDc96ew=,tag:C3S4a8IEvCjHgAyRrCaaRw==,type:str]
 #ENC[AES256_GCM,data:qsBNKxd3Ng==,iv:1fNMDJt7vgKFSdghYBZsuDoZ1sWvzj1Zu8NmkjX6Zh8=,tag:0D7EsgN8B1z7/y4iZS/PtQ==,type:comment]
@@ -94,8 +93,8 @@ sops:
             SjV6L3crUkdLWTlsNFgyRHBla2FFam8KILYsNbLdCirfoC/Vex8yEYpS2G4O0EQP
             wa1xzPk3Ue0/g67dv5UZFhUn0ZB2XGFC3kEPWpptTj0VL+9Z/r0zKA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-03T15:12:52Z"
+    lastmodified: "2025-10-08T23:35:53Z"
-    mac: ENC[AES256_GCM,data:86AWnB2q5xv/JIyomkJOkZh4r2tj18rmNb02JINokmBv4/eRmej/sQIBeSbCj9cJhtKewECwVk8QKtwTu2sWB/hPjtxb8qnWD7MhNs7qmHOYAeYlAON4w7abcLxt0VFMKa7gd0c28qTHOkaWsLy6gDaIB/5x468FIYqsbfIiL9U=,iv:BDiKNHKTHPazwoM6bVoCf2kb/eNrJS9zy4yj3+PFdlY=,tag:6ZFtZZHvzdWp2EhOV3S7xQ==,type:str]
+    mac: ENC[AES256_GCM,data:TxbNh/NiACHx3IwOi2esAfPf/jHV9yO86PRGarL3QQDTVB+nh5in+lx06oFh3bO5aJwpG6MWH9ZpPbX+3buyr2BTNrb6vc2YctSzaQU+ap5rvHf4AoKT3rC9rjHaR0WqJIPGV7HYcnFcoznULMrHqMTKMeEhUMqNl7xxAwxfIyk=,iv:9HAgoJN4xgxevM92K9j/5I2UYyIydOe9O+Cy3oL6/mo=,tag:1sRN7mrsRkAfp0LuZ6knBg==,type:str]
     pgp:
         - created_at: "2025-07-10T23:51:26Z"
           enc: |-