From 41710c109b1d502756e2034d1597e92469068ddb Mon Sep 17 00:00:00 2001
From: Patrick <patrick@failmail.dev>
Date: Tue, 26 Nov 2024 18:14:27 +0100
Subject: [PATCH] feat: new hetzner server

---
 README.md                                     |  19 ++--
 hosts/desktopnix/default.nix                  |   8 +-
 hosts/elisabeth/guests.nix                    |   3 +-
 hosts/mailnix/default.nix                     |  25 ++++++
 hosts/mailnix/fs.nix                          |  32 +++++++
 hosts/mailnix/net.nix                         |  73 +++++++++++++++
 .../mailnix/secrets/cloudflare_api_token.age  |  15 ++++
 .../generated/initrd_host_ed25519_key.age     |  18 ++++
 hosts/mailnix/secrets/host.pub                |   1 +
 hosts/mailnix/secrets/secrets.nix.age         | Bin 0 -> 1021 bytes
 hosts/testienix/default.nix                   |  26 ------
 hosts/testienix/fs.nix                        |  83 ------------------
 hosts/testienix/net.nix                       |  18 ----
 .../generated/initrd_host_ed25519_key.age     | Bin 1211 -> 0 bytes
 hosts/testienix/secrets/host.pub              |   1 -
 hosts/testienix/secrets/secrets.nix.age       | Bin 901 -> 0 bytes
 modules/smb-mounts.nix                        |  81 +++++++++--------
 secrets/secrets.nix.age                       | Bin 7851 -> 7968 bytes
 users/patrick/ssh.nix                         |   4 +
 users/root/default.nix                        |   6 +-
 20 files changed, 230 insertions(+), 183 deletions(-)
 create mode 100644 hosts/mailnix/default.nix
 create mode 100644 hosts/mailnix/fs.nix
 create mode 100644 hosts/mailnix/net.nix
 create mode 100644 hosts/mailnix/secrets/cloudflare_api_token.age
 create mode 100644 hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age
 create mode 100644 hosts/mailnix/secrets/host.pub
 create mode 100644 hosts/mailnix/secrets/secrets.nix.age
 delete mode 100644 hosts/testienix/default.nix
 delete mode 100644 hosts/testienix/fs.nix
 delete mode 100644 hosts/testienix/net.nix
 delete mode 100644 hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
 delete mode 100644 hosts/testienix/secrets/host.pub
 delete mode 100644 hosts/testienix/secrets/secrets.nix.age

diff --git a/README.md b/README.md
index 41ddb84..550653f 100644
--- a/README.md
+++ b/README.md
@@ -17,15 +17,14 @@ This showcases my end user setup, which I dailydrive on all my hosts.
 | | Programm | Description
 ---|---|---
 ðŸš Shell | [ZSH](./users/common/shells/zsh/default.nix) & [Starship](./users/common/shells/starfish.nix) | ZSH with FZF autocomplete, starship prompt, sqlite history and histdb-skim for fancy reverse search
-ðŸªŸ WM | [Sway](./users/common/graphical/wayland/sway.nix) & [i3](./users/common/graphical/Xorg/i3.nix) | Tiling window managers with similar behaviour for wayland and xorg
-ðŸ–¼ï¸ Styling | [Stylix](./modules/graphical/default.nix) | globally consistent styling 
-ðŸ“ Editor | [NeoVim](./users/common/programs/nvim/default.nix) | Extensively configured neovim
-ðŸŽ® Gaming | [Bottles](./users/common/programs/bottles.nix) & [Steam](./modules/optional/steam.nix) | Pew, Pew and such
+ðŸªŸ WM | [Hyprland](./users/patrick/wayland/hyprland.nix) | Tiling window manager
+ðŸ–¼ï¸ Styling | [Stylix](./users/patrick/theme.nix) | globally consistent styling 
+ðŸ“ Editor | [NeoVim](./users/patrick/programs/nvim/default.nix) | Extensively configured neovim
+ðŸŽ® Gaming | [Bottles](./users/patrick/programs/bottles.nix) & [Steam](./users/patrick/programs/steam.nix) | Pew, Pew and such
 ðŸŒ Browser | [Firefox](./users/patrick/firefox.nix) | Heavily configured Firefox to still my privacy and security needs
-ðŸ’» Terminal | [Kitty](./users/common/programs/kitty.nix) | fast terminal
-ðŸŽµ Music | [Spotify](./users/common/programs/spicetify.nix) | Fancy looking spotify using spicetify
+ðŸ’» Terminal | [Kitty](./users/patrick/programs/kitty.nix) | fast terminal
+ðŸŽµ Music | [Spotify](./users/patrick/programs/spicetify.nix) | Fancy looking spotify using spicetify
 ðŸ“« Mail | [Thunderbird](./users/common/programs/thunderbird.nix) | Best email client there is
-ðŸŽ›ï¸ StreamDeck | [StreamDeck](./users/patrick/streamdeck.nix) | More hotkeys = more better
 
 ## Service Configuration
 These are services I've set up
@@ -64,7 +63,7 @@ These are notable external flakes which this config depend upon
 [impermanence](https://github.com/nix-community/impermanence) | stateless filesystem
 [lanzaboote](https://github.com/nix-community/lanzaboote) | Secure Boot
 [stylix](https://github.com/danth/stylix) | theming
-[spicetify](https://github.com/the-argus/spicetify-nix) | spotify looking fancy
+[spicetify](https://github.com/Gerg-l/spicetify-nix) | spotify looking fancy
 
 
 
@@ -82,9 +81,9 @@ These are notable external flakes which this config depend upon
     - This might take multiple minutes(~10)
     - Alternatively boot an official nixos image connect with password
 3. Copy ISO to usb using dd
-3. After booting copy the installer to the live system using `nix copy --to <target> .#nodes.<target-system>.config.system.build.installFromLive`
+3. After booting copy the installer to the live system using `nix copy --to <target> .#minimalConfigurations.<target-system>.config.system.build.installFromLive`
 4. Run the installer script from the nix store of the live system
-    - you can get the path using `nix path-info .#nodes.<target-system>.config.system.build.installFromLive`
+    - you can get the path using `nix path-info .#minimalConfigurations.<target-system>.config.system.build.installFromLive`
 4. Export all zpools and reboot into system
 6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub`
 5. Deploy system
diff --git a/hosts/desktopnix/default.nix b/hosts/desktopnix/default.nix
index b62f95c..5942e73 100644
--- a/hosts/desktopnix/default.nix
+++ b/hosts/desktopnix/default.nix
@@ -37,10 +37,10 @@
   services.xserver.xkb = {
     layout = "de";
   };
-  services.logkeys = {
-    enable = true;
-    device = "/dev/input/event15";
-  };
+  # services.logkeys = {
+  #   enable = true;
+  #   device = "/dev/input/event15";
+  # };
 
   boot.binfmt.emulatedSystems = [
     "aarch64-linux"
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 8437783..2d2a794 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -38,7 +38,8 @@ let
   ipOf =
     hostName:
     if hostName == "octoprint" then
-      nodes.testienix.config.wireguard.elisabeth.ipv4
+      #nodes.testienix.config.wireguard.elisabeth.ipv4
+      "0.0.0.0"
     else
       nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4;
 in
diff --git a/hosts/mailnix/default.nix b/hosts/mailnix/default.nix
new file mode 100644
index 0000000..427303d
--- /dev/null
+++ b/hosts/mailnix/default.nix
@@ -0,0 +1,25 @@
+{
+  imports = [
+    ../../config/basic
+    ../../config/support/initrd-ssh.nix
+    ../../config/support/zfs.nix
+
+    ./net.nix
+    ./fs.nix
+  ];
+  boot = {
+    initrd.availableKernelModules = [
+      "virtio_pci"
+      "virtio_net"
+      "virtio_scsi"
+      "virtio_blk"
+      "virtio_gpu"
+    ];
+    kernelParams = [ "console=tty" ];
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+  nixpkgs.hostPlatform = "aarch64-linux";
+}
diff --git a/hosts/mailnix/fs.nix b/hosts/mailnix/fs.nix
new file mode 100644
index 0000000..081ed51
--- /dev/null
+++ b/hosts/mailnix/fs.nix
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+{
+  disko.devices = {
+    disk = {
+      drive = rec {
+        type = "disk";
+        device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}";
+        content = with lib.disko.gpt; {
+          type = "gpt";
+          partitions = {
+            boot = (partEfi "256M") // {
+              device = "${device}-part1";
+            };
+            rpool = (partLuksZfs "drive" "rpool" "100%") // {
+              device = "${device}-part2";
+            };
+          };
+        };
+      };
+    };
+
+    zpool = with lib.disko.zfs; {
+      rpool = mkZpool { datasets = impermanenceZfsDatasets; };
+    };
+  };
+
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/persist".neededForBoot = true;
+  boot.initrd.systemd.services."zfs-import-panzer".after = [ "cryptsetup.target" ];
+  boot.initrd.systemd.services."zfs-import-rpool".after = [ "cryptsetup.target" ];
+
+}
diff --git a/hosts/mailnix/net.nix b/hosts/mailnix/net.nix
new file mode 100644
index 0000000..9fd06dd
--- /dev/null
+++ b/hosts/mailnix/net.nix
@@ -0,0 +1,73 @@
+{ config, lib, ... }:
+{
+  networking.hostId = config.secrets.secrets.local.networking.hostId;
+  networking.domain = config.secrets.secrets.global.domains.mail_public;
+
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {
+      inherit (config.systemd.network.networks) "lan01";
+    };
+  };
+
+  systemd.network.networks = {
+    "lan01" =
+      let
+        icfg = config.secrets.secrets.local.networking.interfaces.lan01;
+      in
+      {
+        address = [
+          icfg.hostCidrv4
+          (lib.net.cidr.hostCidr 1 icfg.hostCidrv6)
+        ];
+        gateway = [ "fe80::1" ];
+        routes = [
+          { Destination = "172.31.1.1"; }
+          {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          }
+        ];
+        matchConfig.MACAddress = icfg.mac;
+        networkConfig.IPv6PrivacyExtensions = "yes";
+        linkConfig.RequiredForOnline = "routable";
+      };
+  };
+  age.secrets.cloudflare_token_acme = {
+    rekeyFile = ./secrets/cloudflare_api_token.age;
+    mode = "440";
+    group = "acme";
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = config.secrets.secrets.global.devEmail;
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      reloadServices = [ "nginx" ];
+      credentialFiles = {
+        "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+        "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+      };
+    };
+  };
+  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];
+  security.acme.certs = {
+    # mail_public = {
+    #   domain = config.secrets.secrets.global.domains.mail_public;
+    #   extraDomainNames = [ "*.${config.secrets.secrets.global.domains.mail_public}" ];
+    # };
+    # mail_private = {
+    #   domain = config.secrets.secrets.global.domains.mail_private;
+    #   extraDomainNames = [ "*.${config.secrets.secrets.global.domains.mail_private}" ];
+    # };
+  };
+  environment.persistence."/state".directories = [
+    {
+      directory = "/var/lib/acme";
+      user = "acme";
+      group = "acme";
+      mode = "0755";
+    }
+  ];
+}
diff --git a/hosts/mailnix/secrets/cloudflare_api_token.age b/hosts/mailnix/secrets/cloudflare_api_token.age
new file mode 100644
index 0000000..5306a75
--- /dev/null
+++ b/hosts/mailnix/secrets/cloudflare_api_token.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 uhnRibm92XSz2UcJWT43CrsZfOrSzUyqVFU8nWiYEXs
+QNxh6YGDCgSSoCWLthZlou7F7i9OJpunB+/6J4ogk2k
+-> piv-p256 XTQkUA AzTDTMXLU5jTp54ysvnVIDo5lIb5ED1zkP8659tTH2JJ
+VLO6rtfY5poFGVH/eeD+T/xrlNdPGnlLQ6mK1HytT8A
+-> piv-p256 ZFgiIw AnwL/t0GNZI3/y7KlatHLebToW1pJLfOasODGQ7ogriz
+Wl7xm6+a1qmqLeTZszpO0XG96BcDRO5l8wvpc0atW0Y
+-> piv-p256 5vmPtQ AzC3t9sPdKF/IPkJSqhldnx3Mnkc84DCD13l8tYqZIWd
+GaNzRxPoSOy/kEuLzbXpiRDo5F2hZT8KriXpgqZkQ5Y
+-> piv-p256 ZFgiIw ApFdJVoW4zoWq38fE27TR/OFEDs4Wub1g3q6RiF+fDTR
+IypnQqeluntk31gez5I6eYtlKiY/8sy+dXNkpWhdwPs
+-> wX-grease
+neAQttCOcpQWsfSpI38jdOjODJYK8uOhqjWsZOLWlHZaRUQtoyXI
+--- r44AgWizs6H92oY6hKMs67ARXqr8Je0Z0cIJr9xidBg
+°ß¦Ñ¨âŸîÌªøÙ¤Ph\œdv_µúí¥]’ÀÓšÆÜŠÚ˜ùÄEÊƒ´¯‹æewI’é‡t.¬²WÃÂ6ZFi
\ No newline at end of file
diff --git a/hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age b/hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age
new file mode 100644
index 0000000..6575020
--- /dev/null
+++ b/hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age
@@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> X25519 ddFv+EKlJUwePVA7CiwFOA/mECyJ9pC328u5r9Bjhz4
+5c05Nlc1ADOpUq5MugDuHJqSz4OW4Yupl0UBl9DxyDk
+-> piv-p256 ZFgiIw AgiBCvmbqRaShnyh+NuDFFESQ9Q5sZZ/YjYXelOzCYyV
+/6/igWsiKPwTlydwiAR1ZECyURFkBiJWCppdXP5GDRk
+-> piv-p256 XTQkUA An4etg/KtGFdnw74QM+QW9vRkrAxEZmMjhexLKENVnV3
+m8UleuJcvy/OZhlZrOEguL+0hWo5n2Ykgboq8BqFrdU
+-> piv-p256 ZFgiIw A1vxQkA8CeZGrXNcvBZo57iL82PiTPm0hP3KODzWnU/z
+USt8rTNK7l9VUUyAiSnDiLVQgLZiFZQgcy04lWdk+nM
+-> piv-p256 5vmPtQ AnAB3M/AWePGjmIUdoH0rSHg+gDnxg62RPy9qgHAgIIN
+7PPd5p4sXrbDvZBITS3zMnG7qNmlj61hdHPlVo5cJDQ
+-> qtLMz'K-grease ?Rtv +~4H. vh
+ZBK1Zs8LKTiGvOSxH/dacE3yc1ouqSylHM5Ahv+HmR89RQX/JR4y3Gtec+G2W0Ty
+Dh9z2wVbCDlJTTt+N+9sLvV/b5+wETpwhPmiSWbh92yvNYH1yLQ
+--- jynsWcgTRZR51+fu9nqHP5yTxxz1BovM1s2YY+0uL2I
+ìS€Ó¿Þ4}°NTÀ (Úë®ƒ+¬e9•_³qÛã2OÚÂ)=òw¸»/¼/D|šv`ÓàŒ6æXI³/™®””Âˆ‹îw^ÆÇ+hñ¨ˆÃÀ6núrÒå˜q†²ü¢@Îf—2ÇlîÞ/¤Ý“z—7,ôrFÇPÈ6ÎÓ€‰e1Nè4‡F»SÒ©¹ª8»Ì·¯g…]iÏ³}n)ÒM×D¬ªH%ë^28(…«8\Ç`AñCƒÐ½/û•<÷%ûØ8°ú©ÀÚÔ\eÑäÿ=¹ýâ(*6§a ß“‘V\G³ôuIÕø›ÓÓ|•´gÝ—™Õ#²v&@ÞæóÑ…‡æÉHâ´IhþXÀìñ÷îšÓÈY9­ƒÐøÎÛM5%‡ËeÆ6?2º¿—"„¥
+YæíM#Žñã‘L*6*!ùJMœ&Gó%C3ô4sÇÙ‚©mÑÛA?—€³9|þMÈº¿OSrÍÍ+ó3†ÇQeþãRLK—Âue–?{=‡ýíîö­š™€-±¼[â¾Šˆüôëm
+Û•øœ>¦QT7‰œ™–ô1‹z
\ No newline at end of file
diff --git a/hosts/mailnix/secrets/host.pub b/hosts/mailnix/secrets/host.pub
new file mode 100644
index 0000000..3489444
--- /dev/null
+++ b/hosts/mailnix/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFqG1mU7UX0uNATdPaodHdSm9YYDV4grqmf266D0ajO
diff --git a/hosts/mailnix/secrets/secrets.nix.age b/hosts/mailnix/secrets/secrets.nix.age
new file mode 100644
index 0000000000000000000000000000000000000000..c5438301e5bbf217726afda14144dcd41a08ab98
GIT binary patch
literal 1021
zcmY+>`-|HI0KoBc>_oFu<~YU>!H6Pgt!Z9OGd<5VZSRu4E@{#iLu`{YX__|8vu(H&
zrW2XmFAjxy`@zYH=%()2#@O8^PDMCnpw8!f&M9&_MaA758#>(&{&0W6hcDlns)Ut}
zWDmM-)9l=9+A8G3K==W$jNmv-f|X*+E*T<`#Rh>D2{5Ec%ZW<F@?%9@Bqlt|j-=b1
zGU)^okmq!P<I8kis+0y<u5M)pkzA4&Tt(vjLa|DxS#`n>EY1|K3f-n3?jm>;tftf^
z(*r3uKqq1n0b^9V#yUh<5<IOcN^u!)#KdYcuSgUf7-d@05<uQ9kW>`SWEHegW6La~
zNlvn8^K8Pmq?VO6<u244)EP*1)>vhMYl##{8C(dF3q`0bbD3I2<NJc_l?@#2sL8lC
zi4m5Z?hVQ?ilkaVLKg#1Lr_9WpaY%Y+x=Wr^9V~Q)bn0DS>SyK4qTFyy3!i!|1Q@@
z(^8Xe#1NC^@akj;3B@UlWf`bc!2(KZ$^AS<>TMx}0cPHAN{9~iLlcG!)pR<|$c+fy
zXF9cPCS*7cT46GwKAID;H5Tr-r(6!CNYdkF7^yQxoHWdg7C@5HM|mcn?K=jUmOGrl
z7vQqk;XNSX@Kq?<44Jhw){G@cT-7Ie0&Dg~9Wm0lBTl75xjLjo`pi`;lMk!5Qgak=
zEP}Fj3JjZm?O}Zyoc3$Q$Qan;i_<{EE(l)A@FIb&r!)jAx|Ee<2tQh9yD7+P>MkBd
z<D{H!X2^hsElg9*NX{<FdWt1-Vh@<o-B7eLg%)|5hHWmMcRd3a5sKHFZnOu4!(out
zV3otNGLfp5XvwO^1uUh=0$i1*q-2{T{`-@Nn(jbV9Dpkya~}M7ekpnC7AF70W7MrJ
zr*-|}@x~>|y|B;_&OfmlyXoE4uQwk1d&Au2A#aSbUe%y0`p~(H!TRv|XRm#E_YIHk
ziq6b#{%8N@XHF=@k<`ZJpSG;yK3Tdk`Qgyg(9zRRJ`L{K5FY=%H@rFnoI3i}9Xq$!
z4^0-L)@?oXt1yH8vTgpF+s}xHS3aE`om)J<@9`aMYJB4Co{>Y_=kEXVx5EdC6W@;R
zT?A{Z%gH+z?&_Y29oqHl%s1Nb-08btLf0J_0Dru)GJEk)^G$X5!r=1j=!*+8<fadv
zI;efOJoNM4t+Ur{D~)V_|LxbZT<ml3`OzYCZe{+*^*iU@IqB&K;`^Ta;>vw*oV~OI
Zd9U=y?$1U(`s<z}-)|jvU%2_C^)C<JdNKe2

literal 0
HcmV?d00001

diff --git a/hosts/testienix/default.nix b/hosts/testienix/default.nix
deleted file mode 100644
index 53fbdfe..0000000
--- a/hosts/testienix/default.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-  inputs,
-  lib,
-  minimal,
-  ...
-}:
-{
-  imports = [
-    inputs.nixos-hardware.nixosModules.common-pc
-    inputs.nixos-hardware.nixosModules.common-pc-ssd
-
-    ../../config/basic
-
-    ../../config/support/initrd-ssh.nix
-    ../../config/support/physical.nix
-    ../../config/support/zfs.nix
-
-    ./net.nix
-    ./fs.nix
-  ] ++ lib.lists.optionals (!minimal) [ ../../config/services/octoprint.nix ];
-  services.xserver.xkb = {
-    layout = "de";
-  };
-  services.thermald.enable = lib.mkForce false;
-  nixpkgs.hostPlatform = "x86_64-linux";
-}
diff --git a/hosts/testienix/fs.nix b/hosts/testienix/fs.nix
deleted file mode 100644
index 22f8e4e..0000000
--- a/hosts/testienix/fs.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{ config, lib, ... }:
-{
-  disko.devices = {
-    disk = {
-      internal-hdd = {
-        type = "disk";
-        device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.internal-hdd}";
-        content = with lib.disko.gpt; {
-          type = "gpt";
-          partitions = {
-            boot = partEfi "1G";
-            swap = partSwap "16G";
-            rpool = lib.attrsets.recursiveUpdate (partLuksZfs "rpool" "rpool" "100%") {
-              content.extraFormatArgs = [ "--pbkdf pbkdf2" ];
-            };
-          };
-        };
-      };
-    };
-
-    zpool = with lib.disko.zfs; {
-      rpool = mkZpool { datasets = impermanenceZfsDatasets; };
-    };
-  };
-
-  services.zrepl = {
-    enable = true;
-    settings = {
-      global = {
-        logging = [
-          {
-            type = "syslog";
-            level = "info";
-            format = "human";
-          }
-        ];
-        # TODO Monitoring
-      };
-      jobs = [
-        #{
-        #  type = "push";
-        #  name = "push-to-remote";
-        #}
-        {
-          type = "snap";
-          name = "mach-schnipp-schusss";
-          filesystems = {
-            "rpool/local/state<" = true;
-            "rpool/safe<" = true;
-          };
-          snapshotting = {
-            type = "periodic";
-            prefix = "zrepl-";
-            interval = "10m";
-            timestamp_format = "iso-8601";
-          };
-          pruning = {
-            keep = [
-              {
-                type = "regex";
-                regex = "^zrepl-.*$";
-                negate = true;
-              }
-              {
-                type = "grid";
-                grid = lib.concatStringsSep " | " [
-                  "1x1d(keep=all)"
-                  "142x1h(keep=2)"
-                  "90x1d(keep=2)"
-                  "500x7d"
-                ];
-                regex = "^zrepl-.*$";
-              }
-            ];
-          };
-        }
-      ];
-    };
-  };
-
-  fileSystems."/state".neededForBoot = true;
-  fileSystems."/persist".neededForBoot = true;
-}
diff --git a/hosts/testienix/net.nix b/hosts/testienix/net.nix
deleted file mode 100644
index 9e32bdb..0000000
--- a/hosts/testienix/net.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, ... }:
-{
-  networking = {
-    inherit (config.secrets.secrets.local.networking) hostId;
-  };
-  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];
-  systemd.network.networks = {
-    "lan01" = {
-      address = [ "192.168.178.32/24" ];
-      gateway = [ "192.168.178.1" ];
-      matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
-      networkConfig = {
-        IPv6PrivacyExtensions = "yes";
-        MulticastDNS = true;
-      };
-    };
-  };
-}
diff --git a/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age b/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
deleted file mode 100644
index 9b9ab489038c18aa5980114fbeec0ef374b105ed..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1211
zcmZwC`)?Bk0KoC_P^3g04v-1V28C#vdc9k(4-{h8YrE?`dhI=Ws}Q_vuh;A2`nc=$
zvCL^Q1ZH@QM--e92tP<LWcUCC<}U`OM5iPoi#W&21;!)dD?E+zBZ>dO_mi(6OIAsZ
zmudxF$*V8sOEO@9ChKxD55X|#Hmgb`fw?rUfThqFpQ~BYYE+3w<2jZD!o^gCWl4hf
zGG(0aFolQ`o=E7RjRy-LB_|CH$w*?W&Y_wSBMcdJBNS5i7w~fUflyEkYXO2C=9phr
z(2CjPERndwM(09KJP9Zw6g4tBCJAa%4mn8{Bi&vxC?iqLf<h*LLT_usvlT~01!UEg
z)fr#d#ZbIhg=8ZE+6rl&fH|-ORvxx^CY)hCW=}01t&v2Um&Hh%#jOBYx|GT|iGnk1
z3#8pSji~t}0G@F~In?A$SdvO8MbzU$u~wubyc@}cgFy?L3M!x*D2DN<%~x$Ni3<9^
zUv-=%L|PKrj7l*c!=8>%nSkAohRI?)fm3BtPJ0DR3!*A-;!rRtbVv;Az|kVb#VdiR
zofM>aTP1E0V>u_5&SKTpnn%pD4_UC0qx7)Z1CiB8ykzl4*etA7vQ8U?csL>B3<Prk
z$G27-y5Hl1LXjY;n8NK)B~VWzLC_+H_(0B<$d`33g`)8?WKX3H(2=UvGAXwWBpz7L
zc3I_;BxsT;6vAU1lkUiRJsjxq;!&ZNh1yvGjD--v9|Qa%mh|f7whSP~Tm_7d3Wk!U
zp@>wE)j3E;OjU#lc=c$+A(A$&t^;)dmlU@*P*Q^g#7b<sBVh@0Oh8S$=tNdS|4Yzv
zLL^i<1QhL1*+kMllhtZ9V;Ixsv}6lnjAUyZOn|hVg?$23wF_kcrvt875T!sl)LyZh
zzR2ua)Y(U$^?h=*rT@^4eY3RVub(AXT^&2=8eG`aGAO{a0-+|A9{RG<e|<;mi96FK
zKXUfQrtGc9szZ~$S>AMT$W?4yU!|m->yX1+^gFNYMi1_amO*3vu~F@-4R1Sl7N>pO
zx%<2N$d1Qhhxf|Wfd&Fu?E4zo*tEbjqqpni#At8dME_f>-dOqCsX0HN+p{6FY)AcC
z{!E129Qu8B%NlKZ?r{5k{MfrWa}Twe+r0Aj>1D;<ry8Cd`*CF5lGS^+$0m*&$>H-k
zIxfwhv1`5K`d<LK=%&4nY`M3e8ex6?OLw0JpLy=@xeH!;V&VC1li$ahKbvBVZQ4I$
z*n2d3;7UXLAMixad)MjiBwWtV@sEukSPNe~KJ(Ue$Hm5;zF+2cUfXKByye8U)6$Ak
z=WxC@#{bi>@CaY;dUVCc+qomnrGigzZvD1*$iMy4M?Ew7#-^7~VfQc4`0C4x2d0e-
zj+{a+e?Q)|_Vc8Vn>yY-<()}XSMyeLdCj@`1I!0cZ=U!3t3MgPQgilRnKfSNJ9PKY
z3(beRdt1&d*)Xy6!%LH1NZreOilY~f=KZs~_l>Un4gGZB%^xlfcHUjOr__TlBIjc6
P;d%NzCf{{){?vZ~MuySS

diff --git a/hosts/testienix/secrets/host.pub b/hosts/testienix/secrets/host.pub
deleted file mode 100644
index 705773e..0000000
--- a/hosts/testienix/secrets/host.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTiFpqpCiJaFOcSjFrJWk7YPBiZLwoJRbyy1JgZWFmN
diff --git a/hosts/testienix/secrets/secrets.nix.age b/hosts/testienix/secrets/secrets.nix.age
deleted file mode 100644
index efe7e8882488d8060c49d13f35405b26b5df7974..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 901
zcmY+?ONiWb00wZ2sF1RHX;muH*jhYH$4N5(WHLy_OrDe3%uF7Wok<1F=J8J^^GGt;
zWM<G?rFsyd2T$rn&>}s_YF$)ZsM7j4^-xL+wFkAfDlB-AT12bhVQ=5<$M^Bs&?|cr
zCtbu@IGsE_O<^U+k@B->pCC!Rj!G<F2}FNVFIsMvvBXrfG7po6{Dhj4(P%0)#k`LP
zbRMaQZpvPk$Z~s)1DTEaKnparQ>l&ehJ$gzGFXk;j!)#n8vm~lhj}?BND8$C7&Z%(
znLvdbb9Lxh4rS}a95!m%($TRbF&W`*qAl881>~$07KoGqVT~Tm<X*213NNe;_(69>
zBo<t_>t-Tbxz}PQU3WQGcUgTyjd~2qY_tr1D1bSQ3%wS!6IRQ@?hKO!W<(~D2<N3@
z-G-K|8Ws|1Hb-lOzUYPvNuyZUWMH>8vz?G%l(_bI&5{j?<J&n#@3Q{yHFjX&b^H?F
z%mqFZR(;G&h35JUq%yhDuJg5a5iiH}xiZlZb{t@$)-q+oaMtmK>%}6~21>5CbxChR
zz9I@U&U91>gS#v;A9phqWrhnC&nZkNU4n88fv+om!6^oAHyYDcSdw7h?8Ox|XxTV2
z0{y810?;RQqg4wga+q(VIzgF(q0%()!Ve3sM{y)0{I}t}_8fS!3{%gZd1xs`kD`sr
zQ;2WRVj#p_CSv&_w#+<B<0{|_(dpECbalxxCO!c3oQI=nKfL>af|dAUqc@-|Um?>0
zVh5r=q|=}xlB})MEl?E~u2x-=yn>X=WfTJgX)y9_Iq7ST24_~I?!zTxxP6jKqA0Y5
zwI#EZoCyR-fnU6O%Bp;1%kL@=zxPAuBysZEANO2Y2~S<!e{}oEt*;)c$;own>zOl~
zD_dvY+;@CCI(^{V6E9Ua|J)<J^Wn}7(;V%4b@<6EzWdwx(~tg595}Z33HFy4AHQ{T
zW%bafpQj&heJ!16UV;bDy?*%Yk+U}s{Rlqm-2Th^K>p(QW8d7_dEvs(*ME9r&v*0l
zJKGPwZQlFk@%HzR{rboQZyk*D+xKr?eyw`>8kMBaYjFQz=g#~0U7)-hFQ5AdB2z&t

diff --git a/modules/smb-mounts.nix b/modules/smb-mounts.nix
index 904da1a..ff936df 100644
--- a/modules/smb-mounts.nix
+++ b/modules/smb-mounts.nix
@@ -6,6 +6,7 @@
 }:
 let
   inherit (lib)
+    any
     mkOption
     types
     flip
@@ -64,42 +65,48 @@ in
     }
   ];
 
-  imports = [
-    {
-      environment.systemPackages = [ pkgs.cifs-utils ];
-      fileSystems = mkMerge (
-        flip concatMap (attrNames config.home-manager.users) (
-          user:
-          let
-            parentPath = "/home/${user}/smb";
-            cfg = config.home-manager.users.${user}.home.smb;
-            inherit (config.users.users.${user}) uid;
-            inherit (config.users.groups.${user}) gid;
-          in
-          flip map cfg (cfg: {
-            "${parentPath}/${cfg.localPath}" =
-              let
-                options =
-                  baseOptions
-                  ++ [
-                    "uid=${toString uid}"
-                    "gid=${toString gid}"
-                    "file_mode=0600"
-                    "dir_mode=0700"
-                    "credentials=${cfg.credentials}"
-                    "x-systemd.automount"
-                    "_netdev"
-                  ]
-                  ++ (optional (!cfg.automatic) "noauto");
-              in
-              {
-                inherit options;
-                device = "//${cfg.address}/${cfg.remotePath}";
-                fsType = "cifs";
-              };
-          })
-        )
+  imports =
+    let
+      existingCfg = flip any (attrNames config.home-manager.users) (
+        user: (config.home-manager.users.${user}.home.smb != [ ])
       );
-    }
-  ];
+    in
+    [
+      {
+        environment.systemPackages = lib.optional existingCfg pkgs.cifs-utils;
+        fileSystems = mkMerge (
+          flip concatMap (attrNames config.home-manager.users) (
+            user:
+            let
+              parentPath = "/home/${user}/smb";
+              cfg = config.home-manager.users.${user}.home.smb;
+              inherit (config.users.users.${user}) uid;
+              inherit (config.users.groups.${user}) gid;
+            in
+            flip map cfg (cfg: {
+              "${parentPath}/${cfg.localPath}" =
+                let
+                  options =
+                    baseOptions
+                    ++ [
+                      "uid=${toString uid}"
+                      "gid=${toString gid}"
+                      "file_mode=0600"
+                      "dir_mode=0700"
+                      "credentials=${cfg.credentials}"
+                      "x-systemd.automount"
+                      "_netdev"
+                    ]
+                    ++ (optional (!cfg.automatic) "noauto");
+                in
+                {
+                  inherit options;
+                  device = "//${cfg.address}/${cfg.remotePath}";
+                  fsType = "cifs";
+                };
+            })
+          )
+        );
+      }
+    ];
 }
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index 92a34079caef0405c769bcacbe85d9426914e929..96c9c4e5d520d73ab05b548121eb0f91fe63eedf 100644
GIT binary patch
literal 7968
zcmV+*AK&0%XJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zVfNI7g+O-4#-VRKnY
zWpY+dP<2T!Ido8IMp1b|M`KY_ZfiDfNo+-NX>SU6Pfv4AOLk^Va&m2MaWHLJXL467
zQcrAeM?o)DFKkjXG%G|*SVBisO>+t@J|J*ub}eu+H8vnxMrUbBcOXGFY(-cvWHmEc
zT2WeSN^w$eM|MGWc~^QudUs+<GH63|Vq`f^Ml)<pRYM9vZ+KcbMqz7OVq#i)OExz!
zV@_pBQ*m=aVOlhJLt<ofRV#KcZA(ftS5XQrJ|J*ub}eu+H8vnvR8ebHK_EeOb8c*M
zNk%hhc13J=YDF<qL}OZWS3*u{LNsl3VO4BNI8ZZraCA>uWK{}KH#Tf*b~I~fc~d!S
zG*n1JNmpbyG+0+icvVzXS$KDFc~etHNOVq8aBB)JJ|J*ub}eu+H8vnxMrUbBcOXG@
zYIS)tFl{w+Y(;KIHCRqlN-K0rWl=U)Ls~_6SU7KMdRR(rc63-wa4-rtLUwRkL1ScL
zQ!{u*Zg6*UH#Jd5HeoMTcy>c)cxhU4WiMoNR8vG#NmU9hJ|J*ub}eu+H8vnMc5P5}
zQ6NEYS7$*@SxtFbGDB5%b~tiDL`6YkWN=GNYh!M4S!hLJFGy>4S9fP=L}LnaVq#@E
zNlb7tLUU$rPcmylRC;MPOfN`9Nq2WqP<L%PH&ReRP-<34W<?4uJ|IDLNk>#8OD$(|
zWnpt=AS*;WZy<gzHA#7ABOo_rWMy?rK}aAqW=K^eI#@gkcTPo0bb5DkYDsT;M{QzB
zcuHAlOG`6pFG6EALUTEGYiwmfSb1hQF-S3SQEhKGRC!@_S2AUBZ+S#&YH3GP3Pe_L
zb!l}tY<E&-Yj1f`Z)9v^MQSuvHVQ2*Eg)7mQ&nbjI8ZA%b#`uLQgm)sML{t_L`*?*
zH!)>-Zc{mBQEx~}P)}KSXA0R5&1H9%f+dyDF{6b@T9Lnyxik4y6&yKq2~X)QSM~Oc
zTN>e=JvwomzBx=>L?aIQl?SZ~+v0z!oSf!%fqrMaJ+f%p*={1JC7z2OAcFFR>ru{)
z5CxH|7nmU-d&6bvF=e~3EkNqBLg_H`=b5=h0G6Bqm;xm4R!$>irC=_gEUFr7VxRgo
zaDV;L>p#@ZaF+aU-SMA1e2-guPY}JL(grbqaZ$IIdA1K3D{J5nY|@;OyN-IlM7Wm`
z9~enT6_fts_O*g5|A2A(`j<hhe19|IyS8Iac5T}j2smjD|KpJ+NQBYj&1s2rb?3PM
zhItQ?q4EScK$bh8jtZ*1k$Kp>^?G#iSW>>b``14r={|EaE8o#V_*HsJFpRAs1ZXIp
z${`7J9Rr<u>piE{DenD4MOZFu-agPGUhhy0Zg$=uK-caU!*NR{car(;FhQ69R!p)=
z?J-oF6{89O<ovA4+sLJoZ*BKUHiM8Aai-+1omI6$aQ7`JZ(eAS1kPJDw22zBgd;Z8
zz3J)n;eBB3%itp*&j5XD*r%vsm+dqlf}ZNExo)wbne*Ivf05x6{S2V&?M?2=f{Ma@
zyPGFPT0`=v01Oa{B;LEpSPuWWeU*^o`zWVe0g<L|WK*XHM%^Sg>M)NI9|afx+M0&^
zGuZT-2SeZI@7?^1y(NS}Ow)LNhTSvwofZ!6l<{5&fJB9vIL)k1U2b|U!|9*SPhdhx
zYa$a5>1$dqX5CnTW4O+m1L#8kF$T4kB;6{jngA~}d{_g#2=FoKp_vpiJ?c7MzZfPP
z2Bn7i6xFf-Qrm1`cSX(>3d>qY4Qjp&qlX)DBCuXS2uXT;Zkj-~3Z$rE<$rpGnIki@
z=IMMS;V+^i>e#8<;wpa`!|U8skS~^Vs)Hzs1igbvKmw4ElmP>`Rk>Uo_fjPWe57;0
zUG)b6=e-vTlJOIZf0V`_2OE1w9Pn1wB2Td)B!S|_kiA{1v}a6<ztBDpgh=Z;ebTxT
z38S_geJIbVExIIG@;FmOEA3@)fW~h@KfF5YW*Ao)^*fghhUMjqi1rzIII%>@4W-y`
zA5KKm0Mkq!1DBw3hh%&A*FIGa4>J^B6}^(`?@(6GFz~#4M~+$-Ive|knbsMQU~j3n
z-zBf5{ubHICV&+lLn{R3Qu{s6Z%?C^KYm3l>97$FFT19bSxyEyPV*zS3pk?<s{&>S
zz!gP=Ov~(C)6e!gjP)bIyaZ@)zv*DB7p*pdz1ntJii<dK%CocX7z~a-fz5w%7!As9
z4B&QE>wkI~z$i?x-r41(3P(IZh{To`E*ltjBjY4K%WIxGZNd>qpH6BRo1G0QLek{r
z-7G`U3Yr!~x;0hxh~Ab8aIhH9k4G!$Y_HuEDkH#p^euL*3hu+7OMmY|tT;Cm=*y;X
zvS0Oy=9%Z0<xOMGv`;G{b~I7QCVZXI5iFpSAe}%lr*c}BT8;72B3D&Xr<Mt8C2x2d
zYP+YMIO?roD&9RmI8BY6sCx{G6h1cdmTCh<I5TGPLc&y3kAU#YZmA%hEy<SMK-mZl
zdiNT$k8y4LKK_6p0vqxk&)RO$YjdSe<ZUa|&)aJt`*hwbS5zy^`s4AJ#)1$oK4(No
zUyM`1N{kP)ZGSRgvWu&-LWoF4{NX#SnXq)AnC)PHB4#g`O;6daXtF>NHP<93*T_Y!
zuym$IHFV7>7p1X<s{&B(6fY)rz((qT@mh2mOcWE4G55YJ?31kAZ~{i+;PFWD*sLoF
zeS_#Kr6igm=ZBF6CV?7U!uENo$?IsR!+jLCa1dii)+OKlM>07c)VdnG^czH_x0h{u
z7>FngE|3X<r?B8EmFHG0gxC2<Vj#VF)-xovbNO;Kkuys2YkHcN87>0HNuq(-^^uP|
zd|mc7FWs-1M|^Q!0bYA~%=^lICDPisv*<henmn5Ss+oQlStV%8iKuNMy6iLgz5Hl|
za=e;#OdooBlM_4RRR&Cq9aD)?8GZj0-Av$0kCL6w$oJu6h+f8}^wwP94NY#2KED{W
zC@@>b-sf-US(kx3(MZXWOu=3o)~xONAFuI8du-*Yb7-=N^c@)QJmLYW0scY{c|>p8
z_7bR1^}`Oi5M<E<L{ej*+#j|GSIyOu>@aOPw6>mBq^KUUt*fk`GckrDTFnU%bKshZ
z)C!`by+!i;pRVehVOW(v#?Z}O%cWR0X74v2)Ru%NREelOyng4;DvQ)Sn6=uMO$&($
zn=CRj>+iwA$ehrT)W{*w5e1p&Z>Mj9U-cGr9l0yQrHF^aA1c13I$Wq|cafk&2V|@_
z?FvVG&7kVVmARDH*5!<yS!f^~<P4`U!*j72O}{x;MaPM1`)fDBXyCKyV~luJfK;g|
zsK033^94U?6B(&3{O^DOs@Y1QX5ZsY)@Ck=uR_tC<9A>R#yAJa#!zkFun8t>L+E6m
zOf-7jJ0V+biE(Tlx)<lvIoKe*Ytgj)l!?;%4i5;0)mKNZ=W==ckWec)j8(~wsC2i^
z-6{rLxZ-byi{dG-HC#a`i$0M182fBvZgS02?)kO&Jdlg=I1+|Z9Hlj)k9f9s1xjKg
zk>kB&S2$(SkOh^ZXGWe>`${P{bwK-chyB%)*$p~!K1;egq$(!T<x5jdd1z9JDGa5*
zkv4&2O;}qxDqR!0Hz0yMqNfom`fO7zfKY%VU(qyKQOJVYOz6-H2j_E)25w%BBE;mz
z{G`NL32}sRNyANbfE0=12KaKDbB{KW3SY%PUs+M%x__gU6vPM$g3Fn76}~;RNAi4e
zM46)hhA3+_tp~@9&*Gq{H<yvcq^Wlxez0TGWTp`aL|w##y9;jhwghmq<+U$vZ$JX=
zVnH3Nn!^r;wmeZ^M!*m(+L4~l%?<wn=h3FVX{J!_St8T_1LZ|h8#%?V^5F;R-b!Lf
z{3A8tzvK?0Pg^tH^zvm#j-jy{BnJD&j%i<%S%qHk3p=2);_f^zbwx=nL{C9JEfv`R
zQ#SkMZO2*9le?jC=W2hf8$!5=T-+||^oO1)ABOwUS!DrN702^wA&sUFZ(-G&p!t(U
zku?Kuat435%Xn{Z!jNNOg_&;t|9G<)^#eh?D$ELK)%Oa}PI7lk)_g)3WwC2V?8}Yf
z^;MBp^HvmfV>WhLlDFKv>DnnwpGNt3kh8y>KAz+zZTm8bc`*YJnzL9<4~`<|><=kx
zU<NEF&h(l>eUlH^lum@>^dzUFmaLaHz=f0y#pP}AcE&4v39BK}7QOP&?4QI2xKK==
zOWo)~qN+)ys}6RIwy!YxN1HsYALuUc!~8Fn2=pWR5|vPrSd&0D^5RY@!(9jN&)3~)
z`?0@pV~2Ah?4(V=OCH`$Wqh$6)@1UK@ZL9Q1o@OylprKDc*9~x0dy8E%wHSjWZ2sT
z`eqfL#24%HFKbNhX{rcfq+0cFcVn`4KzSdk*}(`ql?+c_9u*|(-CbH^ni?oQ>Zx|u
z)7!&s8-jx=EfZ64V^pNipyqxcAH0wNN$D-;nb3z!db)jaQn%%dI`Mk_6WgkQhZ!Z@
zs!ZBEND^5GvCj5dYZE1WfOST`A0(d;v3t8XM6GpX^kj5*{y*f1($r3;Q%fPQ%{r^f
zhz8duyKe>HQ^h5FND#JExx<}^(n@smj9X2^geJ!!=;*2Yr#CBS!#~l!xfY${V}V7h
zjQ<q9)VX4rMw@C4Ab;}s8C=}!&T5L-P!DV?_^=KOVrk7En#@y9Z0-x)Ohcb<@y=|c
z*zCwjO!b{rfAlo>;s9i79xuIb8%Ok+ulN%}=%UJknZYVYu2iRQZ|O@`i&Lu<PwsG9
z<&^W%S&4UE`4=>R(aK!_!9PW{C*&>nL!+m}kmtxb-JiR{6E4wWQs>w&)$!)`LCjwp
z1$Ohj=zN(f)0U59*C>N}d*qPG>nq;sgzH-g?AI82?C*<jRpnuat@V3vvvniZV(%{@
z48E7Al32p3{`Y++_J6IhP||#=G2RU*SzXc#QUS=^^3b>dK9tB{Jf3L7ctZV6@EO+s
z3c=M~SNskjdoswL<0m&M>u)ohkUD)nbp!4;^}8{*+pQ!liNOx%K=x{|JYs=m6_Z^u
zdtxTzR0>Tb-^ctW(4xI|32Winl^jgWdjFULg>;}e?3O`3L&JL=KxuyC6t_ya+Zx`3
z#|dVfM!(t_x1j>rRbTSi5^YJ`>s;jXc@XtA$)+CQdMYdu2r!fo+ViqlhQocs#~w8E
z9ki{G@W1ul6natu3#z<(RdOmPgrZSj=i(?ZTp`S#hJ@L(a)1}2Y_UQIXU_E^3KB6o
zdS^Ygdw*R!TjcI9A2q6zuNr6Y-jq=Vvum9p`j!T00RWO14tw6Lm>YTT`vj8M2!r;T
zXa?EJO1s|{X@Le!B*0yiQf5FDb{5a=+XT9+t!;uAwC(H&{gNUY!Qt-JAmZ;WMm^+>
ztBrN|OsSm&m0|d+AU+q4f0Z(lb1GyGTL@(ECTZ|PQM^m!kU5r)C$(F%PeS$o_^Xvt
zNZ6DW8-Y~ym&^U~^vD1ONlsx4Nw*%llE41(2(?=$_@m&dEXl4-+3tb8mt1PLv}+}X
zz9|mwW!sd=5v>Fz-iH^YZK99H#Wdu#ce9rn=UJBmvCxI_h8o?47~sFStE;jdnXnP!
z)8zbdyAUmcS%+KKupRc67q;In$An>os8$#MHQrog+l!HRl|L2QKu-V|#b8IVA>{ze
zruFFY9mD}n@Zl`YA~KMw=YI1@d=q=i94UqAXolX2`F5iWqSM!~sjri!k=Nq;fh*jg
zgpurJy^ov-HbajN5D(L<W4G*#2<0n$D@^tw;7SxeWVqj&5Nfs^LT?}?!R*V!i6%Ov
z>cKJd6G1ChI6ANc*rlh9gv3j0sB{RkCEoA-tNQD*6;_m>fw)!~byz98%j?1~6DlgX
z6mcyt?0X)Q%TQ-U)GSU$_cr=vh}?!kA?GQ17a*5O9@Gyzoq6JrI~XA4;6`m8SF2eV
zEG3<7=x}XAVgqA0R=<TffZ3|^JbiN1Gjtu6#gS0A`)PFZ1zeJ&!S25GE6&+PTv+6F
zG^ffP7$BA5sc-HbCoWaM&;U5&u95yVyPF?9tX+P=>d^&_Lo3NZ`dJ=yb#$+J8>s7n
z!Ud>_zwDWT#$csgT~q9B&oo?!KS=$Gh+>pAk}v6<Kls+I$ka}IT~TPtDfJ}r63lP-
z*78=&J&+>eu=rtmx5zqLp0lG_4U16@XFsT4!OaO?s3TJUIj^>XV9uX}qQ2<_#<Sb`
zgTucEe=L;gk0T_vaPe`z{zAj604Z0t<2?R%Qi}*cE)8Ika)R}tmCDlaVu}Q^maY5u
z6lr=90S6*-FuVx>YE)h32@LxZ6CM9A|EHddVOn_G;~ap+Ia(j>N|k{dFNjKRNs<**
z*c0j!r&bSU|EH-7q)b)C_Pl~!z~tS$eC0OoZUZO38&bTjPb_-Q_+4i;uL;pi>F^YN
zk=;5MJGZ3C$L33<OBE%v4>(<{XmFcssL>n+rD`n&$scOJ4HG(bvI~p2zq4|Z3cCjY
z9@vyWyPVOQQE;kSaU7G#lA@um<=1@FL$^h4Ve8gF<>NR*Bi5Q6oDYVFvSGUaWg}s#
zx`P<2y-Pdo>U5W9p=8=Ey%83>A|cS|6upeaogEDK#&d1^{Uc_FPr~xX1FfJW9B0cR
z!xTQ#162}0?d(P@pVJJ{C5Wn4mVl(-0MKQq0M5vVJB%e>T#8K>aG)abL>|gClORnN
z5qQF$A3G=AM8;WH@u1!2A_LBtRr&zOB<58>D@R1Y&IR2sp0>8pTBmkcDy7iPU{><=
z*;=&;Q=xY98&GfhC4D^<$4N)o<LeAC{7HjdX@#(L%FY}|c=P}zRqAHJmMiWN&{K|i
z>0pcR1=@0!Kak`d-!58GD6x5ES9)_$mT<Ma9r~WrVoyI=^vMMfuwd_m(LK-?oJ;}V
zNG_9o<v!({?ZVOedL4$Cx7K0!bp?Tdgb{@9Pkm0EALsJ&Y+K(F4hKt`I$ZrSicwI1
zCaTc{ngim^7jR6DyKQ;{2Kack%Y|@Pv|_EyH*eD%#K^b&ldl=^uE|=+rFpiISj3bI
z3JHgSu29JQCOqpV6!L+tZ4fHKM@{@w<ZPhXgT)b}yYxc!OJdRn0}rL@3iTqCe%d8q
z%S-I->p`}lM#t{33K-Vx&_5T+Je*_olZ7%7>*+TslXBb`i#Cu6&csl{Hc@b0Wo&iO
zS9K4%3p5uUcfea%%Npc@sRMa1m@mY%wOR{p2nOj@^+dX%xzukjzXCO)%V#oYtb4E)
zt#Bpa2iAQ)F61Vz(xdBmR`2ng4qM-|KJ;kHXyEuQfrf6z{75}W{EySjf&S5@Sds%9
zs|NmlqB18*GLdIna1j4ssqjN1!|S7<#_)86bfsxrlPWSnXs7h%XWWi=Bsl4vNfN{L
z1z0_<nHoV%VlsXG`<g8su<ji5*Xb&0$Fguc-=;CyiDA4|)@U+k!OZkyId><y>9fUi
zKwKw^{v(`Nmx*ulgAcy7>4(yn3Bt<>3nNGMlpZdF)#16L_L<Ux_6lR9)U2#Mh`W-{
zt(|fgsC8S2dGwh|fngfA!n_kSr|929_+3d=ob^ZTg4vGlt#*Q6025=%H%lnqlL0^f
z5-IQEc7|8t%OvVH76B`ZqQoX0W4)ub6{79Lu19lVFo38IF+bqsgM(i!<7Di)eY>-<
z4HvQ;_9<y*5w2G$)KdkYS2I3YN~%^EzB&QjGoz{;7wB$nqs*!4?)Lzj3um-dfblBf
z@h}OFv9h9)ulT{nz88SKB&>1SAzyN4dZO)bj$pTZ|Kl!_I-W?rHg|!e-fo8T+13TY
zuln=-Rq}dFR~k7%rs?Fm`_7fpn%=_M5A8V^5s3>Z7&vQJsf)P#lTXe`c(Mj#$VktU
zo|hVZpXjMxh3{Nw0xG18Dn7A&K$qJZoMiAB%j4P(oCkkNga*BhGP5vSuO2kcL5R-7
zVa@q!K=XA%gH5>ti@xOzdA|ppJV9^H6~#TOK~OXu{tnMI0UEO$3fzFfU5Fg#JmZGJ
zcMydbc9?VVhe*5qwjfrhDs-8f;_f3XZgS!o%YRVv9O?us3+q;ifyVYbY7B=wj2el|
z@nc)6fR1%)3IkM(?Hmm1$eva9tU3v0k`<=7d_ne4cfdFX^FjWrPYAKM>v0^r6Re|>
zVWvx|Rzg@Ud((rk=AkSyCv^)Dn;EQ!K2xU?d_B%vkmW%jv=_$OwWO-7>SjzZNtv)J
zrVzCBX7zitAchXB_t~vwObnDM?kqg)Jb)J>F8C1y;Wddd1Px3@x2=+IOZ4;$q=`DM
zfcSj}3;x@-n#Lz6k5?ER@Ek<y)C~8g;nZkN))X`RlrS*DH>wi&<f>H96?&)L5{oWP
z*;b_!2YRk^KxKL8hXPB{VAQ1fAI@gN_Liw*DAcmEOZn^2TwM6sCU-C>Y-M*_Y{%us
zJpjH>1{g?qK1!{TWQ3JUW61U%VEqIV_|8Y^C)5kw0cxo}I|P4c2o&dr!Uk{zXYa93
zD>!A5c+2Wx5j{5YYCGc#!O3;$Vq%))Rhrp>wrX|k^Zn#c@0JP&GQ43@R}?G+frzl_
zjHqsjgx-R*5Sri;8F;dJ37l$jbZ}HY0n7nlYJVxJhGoc9(HGNaD&c`jCYqe<b*et<
z9&SQSPMndcrwfXY&y@m|iF9;hnxqENrFMfpjq>;YblbmcR~!s%0ObFQGVjky=YYn7
z*g@}iJCFiTRRqRQJ(QgHSSpBk(X7;J9eD}R0L^rhWB>@nh*Qjlp|0b!xL@3Tujs3C
z2XGz>%3p{|bT4kJNUg{(%2LdPZ1tG3dBDWZ;h!AALRb1<>?Ke4qh@_D48YFI6+LRa
zc;W^}EHr@zE4J)N#xfgU%9;#)3rnl!P-%I&8_9KeY~xwo9Nlowu^$&3OgL6Tk@t94
zYm0O7uA^%P16=hB$&T-X0NqQ08kaU=CnITOCM@%stk&C}6g0oSBdRF0HGj1$b`dk2
zXka(U6$IZBgV}B)?g8{uxs&U=`#jRZV_`j-Pc9@%l{+Hc-Og)I-}}pW$FAQGToNv|
z!l3{eJ}?sH4zJq=h~gT5u9$8HoRZ+Do;HVHEDoxCK*X4-<18NrU@vd?B_=M(D)dkL
zAAY>;$vNv6zwkoL=-G%+7XXl{q~+zE1p``!So>{49iK>N1hBcr6|vg=^(oJb13qBD
zLko_i)O|#d7>7iP_X8)gUdW0nDz=&*ICOH-`Rc~Yv*a^ZD5*#AzI-|&RU{L-&h6pN
z306z}9avb@nh?Xt;x^J`gtMYJOTKORGw!7E>;Oy<j6O@V-{|?eJ(*xpBTt|o&oj<x
zR5hooZ(3tl+om-~Hx^!yy9spF!|cWof9=Uafycf28atmaADA$RU6K69Wz`}11gtPM
zqofpH6n^U6=5X-?!6`Oh5~-WA9K~Jw=J{ko8~C8#VUk!=uCGI~L@dLVu1Q805EOTj
zW4qPW4C9C28g>R9B?~eY6e34iVQl@oRRywdR_y)()YvySaEg_SyIDdXiy|4iP*c9b
z%GP*6QP*j8Z#Fhco;H4bY0tZ`vr1qp@%fOTxj5i8Fy@NGBI-j%1w_FT-)(S+c9M9d
z3$0x#2t@?@Mjsu)=SlC)u}VQUtCi;|hNxS?eYlv)j7Hk}VTTGS<_ASo(<O6=W*dbB
zvrX}U`7`8IYrK|i7yX3Gj-SirrMuk59iDEVjo3xkt5SOfS&3jmW#bg8mn#;}*Z9zw
zg0HduX+3~OLo&d_d7H-=Qdft#l6T&G?0f9^f1FEwK6U4PASIi6CtcK$m*G>kh3H@j
z7L0-AkM@Z_hF!beBSyY{U9amt`Aify_q!D_lMXsBt@arx%c)u=GoRR2*uC_*?O>d!
zf15>O$Uj>Y4Jr5In!cL!_aw6CY_|1d?m+V@3qR{s)r#Iq+Hr*0LI$%cWt<=SrP;Da
z(uY+_WM8ZgSp3T|i~B^gcodbmMpJNm@iQHa`62e+k`;k|S++YtW@K$zpCz|X>tZNT
z5blXZqmw!DPO}Lv(F#fyJ0~>8VRq6~c>-jvqCh8!mk4NK@YN}K9HYVK<YF~!GBFL#
z$*w*;_|^Rp;@JG=$(45W$6TELDCDI!C&;XCOrKO32f5np*fm@T;JMiLKM=d49a6`&
z2V7V>!bau47XpUw^j7e%uH@($v>hg}aO6np$x)J+q{GO#@H2+}c4awd69=>?0enK9
zUTuA&V%gpz*DVOTR(!<~zQ!>XA`l`7*W9!?u^D>LFSI`HzsA)xq-Iieuk(Ag2lO_~
zVM&{=9}PaTi)0L+aaksk_Y_9Fg}M4z>_e=>t+Qj!GrZn#`w?6c$4Y>&XF<&qJ4sV~
zwZ>eQ#%Nlr%9NulLy!tfzq$|VS6$SNj;tVK5CZ{5T;N;3DnCk8*BVr6%shFrN4Jc=
zAgW8j?h%$589gc=Lt%_e=<_N<?WeNwt~(1ntse5OKUnlc-T26h@z#)h`YascyObb)
WP3sx%7KfK~C1c+0V}!PaF=R7DYxB1N

literal 7851
zcmV;c9#r9BXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zVdRWnj+Z9`5%XGcs+
zY-3MhOGal>Wn*MAR#P-Kc4$*MPg62eWNu|*S8EDrT1!(eaYZ&%QDQMORC;$wN<vUi
zL1%GDM>kAuXi!&hNJ&~zb6I#YOjQakJ|J*ub}eu+H8vnxMrUbBcOXGHIWur~QbT%5
zFfd0(FH~zXV{JKMNpw?MV>L~9Z*)pTFjP=ybXIe7Q9%l6Wmi^dL}Y4pNj618Y<gjB
zL~uz@WN>z7OlU!2b9QWOLrG6^LSkb`L|F<gJ|J*ub}eu+H8vnvR8ebHK_EeSZ+9?D
zF-b%)LvL$%N@Z7Uc0zSVdP#C^ZcbrBR5n#iN@`X@Xfro%W;O~_GBhhpHdJphFfT<~
zcuqA=Z$UFrPc%ViRCPsVHZxdMZgy!`Q8-~nGf@gHJ|J*ub}eu+H8vnxMrUbBcOXG+
zLpgR;XK`mtbZ|ykZ+B8wcuy-hR&8xrYh`3<Wn)B6MOAfXa56||D^&_ONHR_}Zc}DX
zST%ZVctkjNV>CEaO>sz5K}%+Db}MRVRZUlTP;GWbM>q;CJ|J*ub}eu+H8vnMc5P5}
zQ6NEQZZ~>*HBwDkF>Z8fXG1|@RzhJ-VOd2pIdyt@LvChpNNI31acg%kb4ChHN^?SI
zLvJ=wS2ZhdSZ-ovW;1OsN_uN%cv*KzWoA%PLufQsQF%scbu<bsJ|J9dFGMY8a%Ew2
zWgsqaLrDsHHf&9AY)p4@WNL0ycThucaY=bHQ8srsc11CEQ*TICD_UX-EiEk|cr`g>
zMKf1%Xl6)oFjr4xYBG3dP+3<rGkQ66HdJ$HGBikKMpAfmF*Gm=iRWN{z63kc?=fS<
zOl2e`ry#kBIbfuxDwUAxby2q6_euC%d(&ZvdY@N{pG}5Jh;Vq5y(CUK-OdC3()9K!
zYYm*&?6@I@GuJ+M8yM)15U3s9L@@oeTaTFA#6*(Wf{jMvPG>A}GgW~?^Pb<t9YIA!
z2yniS&jLZ+%p$JUHwt^|6k9%@T(~nX`Da2KVy*f=Np8!zizUuPh7)F>CxS$yu52Md
z;Qs93qHh$KP_+M-T=>(ExA_^xfyQfXBcgxgI=rSr2!aMbVsK+B_Ba+e(ujPgAkmTu
zj=Q+ttW4q4WDfqMJmJ|kM!=@+he5^txWm(tNOqX*&Pwdr(D{>G=oXGGu7`*R$338S
zC}=#mJW}9eOYBX`yyhTc!_P0&gX-9kgX^Fmrz<Pv7?dvSr(|FycPEn~hq_1GMm4t`
zs5QZ#;`Q<?wY%I+t>R;9VTS+_wP8<r|I!HbJnLX!#8<`&kMfg{#BrD>Fm;I5Nuh7~
zw&p2@S2<PU(nY~;IHiQYutbTU_6qYT^Y({*ITkfeNEhM78c~z4!lv><7k9@kYP;*?
z)&|(u_J~;MqO^&AlCBaXe>36Mj#n-^T1?R^>3%W3Mkypdzhcd4pK%7wSO^ZeRBpc%
zMY}o4DNQ*zjFtG6)~~0>m~l9FOJ7`pB(R;*%E^0j%RCvX5Ta;mK{t51mnAcQ?aO_E
ztd^=s5iUrEPuDSTI$|Cm0A*GvRmLhnhti?-L_YOP`ikVB8=94XYYe@TL1)*6T?;<K
zcTVSoqL8VmuMM1EuZK~djk0n|2>`rBvi;T=WtMy+--P|MhUp67S^qfSOYKsYIbqjo
zq(UsPQK)u8EdR&N5)iuAGvaGQ-5^VeMR1Nrz<G*XVDwic|9N&ElNsljU9tBt9<_3N
z?d4Wr6}cp*8`N0olJrqmk&p~qdW06QuES#@AFA+G{<fYI{SB{o?bbGvBWr(+vd#kg
zZL!E0X0rYi>&eKJ%A6zHJ|6Y`H_Ih6_aq*Vs-p=l-*CpGOv_(J2s8yxL9pDy-h7o?
zw=1w7>2orQGqCBc(6laSijJaek4nJ89%z(Ch%y5jwC48)p-HfCJR{(~<i=XB6ZOlG
z(cMk(yS5;aa&KYJ*q<|Fn8a<4Ldd8@$RVH{%v*7dZt<+>IaOVpUQ6oYwmBrx<fU%N
zL&I{}HV||GDG+Z|UIwD_)oo!p)}FD(bfJYaZg3}s5fGi1xsf@XVxQU-Vx0B5g+GOS
zTAQ2V=^w$T0simyCtnUU_DVw1EccC^q*t_GEZ(>dmejnU%47!9S~f1m@-+ue;|Vfb
zGwGfmVX{rMuy^I*P*`(0u!PlaE5`)Ne#NIlIS!SL853v^<oPRqVP9jze^ia+Tm!y0
zyWjoJk9;Sy*4FqvE7kyD6s2f|_@GptIpjNe3osX(F|I6%6G0>)uOIi|8ccfvWI7o!
zflNjCOX{zPHj(D(`>Ne-n67+&{oJ1OfMCOY1<LHu@VrDt*d;p=1+nu+mI=kAu!sLc
zpb)8`CH65pX4NJ=dkS%hXl59`y4$(-2iv#=7V(qk4c?!LpuM@Z#IX*A#VgoKJfYYj
zjUelG4yHMST?Wd|<>Lu)hGHbDI(r?OGS4J^U=3q}u_vLXw$@cznV;Hu!+XwUss{Aj
z#?<A`58KwjQ8?cx*h=)@vv3iKrIRqIiSKoNnYA)<hJ}hlrkI@#U(FZZPy@hqsUClQ
z>LX_(e%Qxy4zsMfkaiMmKPm6I;LDi2X6}3OM-Jv&^|oew^bBKxD-jv4D)v=Kij>wq
z@bU%TqEWLwrxYJdPCrW<k%v#yCpbH*d|Vr5TrZnT#&JE}JgBgM;!9NaHhX6pp+uZ3
zM+gx^7oxDdRc8{^G*F@PMma1d*~${+%-L$<RBHjy6m3o+-+aIiT=n?6US&2+a%B?H
z3}kwd^Aa#lC<v$-<N)!EGO%S6>1}^&jeg5sL8#D+$X{sZp$aNK2<7D;7|FuAHQm(*
z{aK;3?|Jr?Faz&Wtb}=Mh<3weGZUa|-%Cy!Ni;e|bNl<pRr$7l5Sz36$>KURL;7!i
zpckh^WG#qUc^^H%UNz-Hz_o%8w+#{I%lZ|PW$w2C?4h`~D$oABOJo6kIt4e<*12?u
za9x`~_qGEZEJyvluMA#0`P;x-CLiKRYkE2-E@&0D_&dya;OgB1U^kBigSDJQAy22c
zuNQ{)xoGSkX-?I&u_92J?!7xr(I@iIM`?@_>l!OUTA(GpR(?{7f%yR5=4B`A&Qp`e
zNr2lid+|&WFV5Cr1>+d*S>j$*B(G}^a_uJy+68L|uKrbk)W94?_iHP3!`9~k#kLAl
zN{qaA5rUdL?@tdy4Mpy|F6Yr;4w@!0v!`do+e1IHGsE+=gZW6BnBYFTs|~-fK?dR_
znhQT19e(6re=?Q8)~JodzWuG%PZ%1M%qSa%QfxF=og@NgyA^|vdIJjZ^TchepEJW;
zII$R38J|A_@o$0jw+ba=Hik!f7=+TdA7iIERD8&@V^B#JcUPorQ~P?df)%{(t>ZOy
z%3uycI0ZIHL=j||+P&t{oa?oZpGH~zg)~1Ufl=rNl0j@PkQ7&znN<l;_>Q(TqI`l6
z`5oUF3yd5_kvpwh&6}a~D+Mj30Fmr7gJ-8lKE#=cU{QQwBA+7gLm9LnsDScz)c&yD
z2W#&~)SamOr`C2ya;<O}yQ4}Nb&r()bmH`r-fc0k2@6Lt2W%8zooI3wMCN0DfR*V&
zCVxUj3f9bvU|TnxyDi7XAeY8qh~Ekudj0qn=qQaHozZ0H>>eF7ZV~QhlA)!Raa7rw
zmZfgXl45AQ1WwIJ0n9)E6h6k6-m`)J?p#sTj5yD$l1uC-=ROB+jnzcE5xIq@*7%(u
zwb?tj$n3ijLbEs&!r4+cQ@|sc+l4969WtfHG!MS4|Hlb_=5^HX?0AGSQu_Cxbv0E|
zCFOeHmdnAadKVMGD$gUnTmhHCu;53Erlb5iHyJc{U|an#k96*;a%x_VwIB~V?H|&K
z>|)J<&>*0IldgC=ldb;|Zqy0=4c$HApu;I>{<^EJ`b&2!LLbyVFig11Eaho%VMMo-
zPW2yK#nI$q*H&-!K}EA{v~u=1m7F)4k?4v_BW`=WFh{3SY2{m#Q5t_G^JLw$1ApBm
zBFHtbqI27gXfF=@)=Y9f8GG~MjzT3^#5|K)2P;QJEkf(bz-8AMDD*8YkaaKLZvxRN
zOJNI;cgTbRhK~KBITex&bl<v(--WFsP^4*dg?^Nuwex_hM<S%(ouO~89@F@R`%kvG
zc+fztD{S`89cx^4s&McwG6b!1Ka8R*yP<>G3~dC(gL2}=B(6MhV-45{<9|DL&U}kS
z%e~uj+niK9Kgt7vLGHAOXUXJm%KEonTj+foDU!reE-&kWVT_o!N_tupIBX5nORe=<
zX&|l84Tf^OFF|!~r-<-HEqJJbktaG(7z@jDK5#6Kx139M;LP5CY{mI~Ae9{y6WID+
z_X`8JFcK6%Vd$ENwz@JaH`fI@SqZ0Uvz$@rS<}vO8o8ZfFmp{CjmJjwDs_TmG#9-b
zbxHmvig&v{6=k08>giV{f5W)EH~iv+bJo}8yGK7ots7M`A7~Lz33}^n|E*y+?5Sxq
z|95T~f4-^GN6~NB_*g~3AeEGc0Sy7vd$>>WH{nf%SqBy-o=aH^7*(Gb-PtiUw^|ZD
z#i%2Ls>05JXCpn(hF=u0>|p1<9(Eti;7vdT4m+jfBzI>^UaAiZ93OcIthe-mGAc9!
zK}{o_#JO^olj9Ja(@biqeY25B&HcAsGxe`r_(mVDH(dsiD1};-?1+j@KIN)e*$Zq(
zmT>XnBXgW@89|`NQBlG$uw)@ROcc;}Z~InLT)5vIy?lJ5^amwSm+`f_ZT3abhDXao
zNJQATXOjQtG1~)2xE~=E_^ZVh51LmNzA{K1P!yU22dc$76)nS7lEz^VW()409KMN<
zj6(866I6)Z)<9Tdnji|w6<AHHUA_x#{#esBr5zFGa~T17I6k!^POZeaA<_R?6lVI7
z3{8JF<zmremvnQ3BWC;;r<htXzo)#QY4fzVrpfKG88f6$A)@_2^lSddDw~v{E!hmi
zZJmI3FJ65pBK6roEI!q&05Y*IqOWZIo$0lO9wC?xL_9JPwmXXZSA3&W#+GX$DcvW@
z=9X01>vwMJ-TM3<4|_GQQBUBDWoP4B;l>E*KvfS`^2*K22c35|@+tk!By$>zqcf4T
zBi3iNj_w<sn=Z>?G_LF))KukQn%3yk{Xe>6CUtoIB(D>g6;jcR?DfJD!xr&fg1JxK
zXd$n|PWi&v%R1G&N>N-4xz6t+SD4mkLpU@PUu^v(TnsTW;<|i3s=fCM<WMpHOz{sW
z!426_)`Ms&zm}jDOzOTtLSMx;_Cl!Jj$RB6ep}jj1aIIi3SXj)I)`c?aXxZR(hBQ;
zFwQAZB0g^ytwg<|+%9s>hOcBr@br+U3ZivMk8g)GD#z0@d=5L}A%O(!Jrm#;CkZel
zFHX4T;F|0eVyYTl65E1hyksi%ZCJ_a0~Ai3G5$Vl%?PigzDEH;o|i1*IgI(N%@i7;
zv?y};9E7QpxxN(K*+z=?h+>~UUDcd~MuWx!#yhK=VBx;?Yfs6i^$(8*fn8vJD>zi@
zF6Xf#Hov5haR^cZWI6VQvAs8KlzfJ#B_5Ox6m<egAX#xhf@9vkXtt9X^_|Ew4JrLE
zx1&o&bqL=j<RHE}Nq^#&=ou@%6Dk5eY!bOfFE-0lMTYXYz`Jb}_wkICrd)1<oA68J
z-n`Q&Q-PAV@u}A!Fl$UhYBA8=idMluOfkkW7l3ji*PS3mz=PP<St`VxJuW~ABJU6s
zU4luOs$amZ|8$URUwouu+pJXyWjqp2&OeZInQ)8t+4q9zPo$nFe%VS=9e8+x@a|7u
zc=MWtqozelN*E<(uLJ)X06AUTosHG>Je`SUo=2FI5;;e+4^`yQB~~7V*p1mW_S3>U
zm}q+mzk}OZk_SVD+lQL`X=sN`QzcDl8xd8mPU;G~v99%d@H`tKiV=H#oiGb;xbv*l
z$Y6^RjgdHXV`~kmR*3rs2>Jy)3a&o{YuiZxZ&$7l;-|;r7+XmXzxLIyutxLM?Z==L
zarC`GMZxD}n#}_^#9T9gL@GWTUX9XtNr(0{{>BRAPf4NBqTETjUCY4r#`WT7wz1JH
zhP%SfV^CTHT+T!4kXjF;tHmu_suwMD|KJB58ajV6iw>O@?0V82T>K4fAder%QcX6Q
z02)M&>pK=nA>!$$vmyffR$s;JcGguL&taNDzB6U9RoZZEzKaW644myyjJvdNElUlA
zf{LHu-r_q3$9Cy!nM9(oXIO1K-tL`VoK?YBzu0+-&pm&2s!`c3JN<m5aPNhe6Jpj&
zIw>QV{m7c-!zFXs^W~(^pgR+GnJ{Qqd)tLiuMhl?)-bzv5kY_FUwYmQC1zu6q2WAx
zd4k}UvSJ)dKpCa&3sg>-nzcc^$KaT`K(lalI%98%QFhLjx*YLegGE9^w(ico4_2-(
z-NEluGNt^007bGlh<KmHNB_DpRa+A(vNgGuUlVj6J7S}T(f9lpT++NhrJO5Mveuq8
z9RVJ_X$)TM7c5sBUv&17d_g}r(~hV0y~Y~R=|;c}(-PA%{ePhtpS*0VtMLHKrrB9;
zd50dZc&Oo(T+~8T8+BotVU+|sgj#yzp?VLN6>!?WO8Sbg<E7ESN797~l>|V(J?ufy
zDiPqgjZkbdEx-cRt!c1f#PX}qTuBDvnuZx*&cnRp(cu*4AJ!P<YqQbydAH|NzjG+M
zyxKbM5(Y_#k_nv6YbeF^-ijw-CoNYws1fY)*of_a)3y<_ZBcOdTyR{3&E`ctqN~&T
z6CMw<vlavZwEWpX{W%MfPNLZH(`oj_!galr*`wHWj!(ejXV+SsvP|gH&;f_R^lei1
zQIn!`(lK$<QS9G<hhLnoad?#r-5{^$9~){&mj{y|53<oIVv)gbtMk`IbX86E5PqX_
z2p{^=@YA9P<5m4kaK$;2F&g~(p?m~po1aN#hjq@`b^w|D_ceg&=!}5`Nl0$q{J)8>
ziL!A9kLO0Y-0HGLVxj8w$)4n|cIU4e4+n7lG+TsK_F46TyS3CGgz}of@4+*}j1%x<
zrVcVl*Hs!r;a?zS2;>nHBOHlT+Ri=Lt`o&Tw-~$}6s0My%DBMGTwU#Lh&l=qokw>w
z=q#d(E;H08Swr0lFHeLPztWt!ExlN-5?I_(-E(N)cyaGS3D5!r1f)g79a4qC4T3j9
z3Yt)s%{<)kK|v<Tfl)b!ACIkxG2ZJUmr$qh!!kb@9@$wW2?T`pb#1r~$Qh6SzcbUC
zZxBe0waK@RyWz(Y3MZ8dv3XrunwNnVVl0eO>Gm&MR~d}7nibsur$5fBmF_Sjj&h0E
zdt5Q$4vSUwZ0>Y@p|CnY=lcsBaSiFLIEY&!bkV37JX{fxbe2>$1BJ?@hR1Aqd2`|4
zs8;AW9bifelLh_%qvbI%hbRyv+l2*8&mHsHCL|kWCYg@^><yMW@O)$p+Cuk`-7djB
zS4oa2m=rgochY$bzeN_?3LgpI<O*fU&BS$Ea5#)wNDE+r%LTfW#Gx`^b7|O=PU!b-
zTg6jm7q1XjY*5^a;NxZ`&$U|FrPOp5DU#YExMMw+j8>vL?I?~&$@8-@zZZ;o1p^b$
zDRmj|hM07em-H*<gC{{lNjt$(=eB+X3lqn?vS&H97;Lv@sFF~EyT0;bf;UmJKy;oB
zFqsxt{c2zyDW=}$V#j6D8to*Fw?M3S!mUH-INNX{c3FK|LpDCWJU@8{v@NZGwCMDZ
zS7R0gLIoArvVJ(|SiGtVyIF83`2;K6_w!I41k=vwCbH4%<j_y~d2Xi!iUCO=icwv!
z%HswsI4)O0S9@A$W_+nfigp@|NiBUl*jvculX}d_g?^zhF0tMTWPl5MF~p4`)tt?0
zTcAeTAYsEbU+ZsfX{Wgr5&+YK6%{9biB_Uqe~S{8xv1B2G~}f7Txo;*1qj)LRq^5)
zrlUfazPT0l5D(0(JKN4a(aEKS2SjcA&Cl8>5loSeQ+W}FR_0D{JnC{FGCK3`MyWC3
zi2AbH#{Ber_UX7cgVKST0~x=O6nHnl_f+yVQ}rT@pv6tuy8I!sTsqOb5aPRWag#l|
zNMXi!x;~*Gp?iqn$oO<1!9X{%jV;`Ft#JZHCCSUZ9y+cI>vzf2vL8M?ijnB&iSmhG
z%!QQ0&*1^X?)zDO!-;>%{9tKMS6cc%IjrvJfg&@GRo?BR0X?N!mSdT<`$wc6rwt4=
z|4jL(F4=`1ZLwCcLX@B7=|U6b3arp$of&0eK0!;Da$-imAZYs+Z<dS&pCB?0R*yv#
zrErPuXsdoog+Borai$~OkAuV7T39&46@N^9WvlsHN~ab3I3LE-jABco2Z1c~&`IgI
z+ZxZz+N<x=pw;adY;0UHC*Y60D0;rR{_#T4gWS_Dy$L-W$C{p?RNa;Ic)El=lWM1_
z8Z(sdG$=UbLrR8{{^qmETxX(^0#?}swQ^w7dw*JYt3+b)-zdzAN@tmMN8<2%C96{r
zHD{;EPAr_soJ7NdQhNS|r}sI-Ji+~3n8>p}OV>IFcFK{Jbc!#3dcQa&O*%Sb_S=ht
z(jetf#S279U0(%;xn}d|YmHw8olCD#?XBsmJHEyAFV+3edY8+4P6W1KQtsG^J6%*O
zyhX<ntqj6Y(Le=S;XLe#{%XU4&F!eh*=gq@Du{m&W13bfP<Ij5sy2yOjIO+%p8g-k
zT#b<2;Hc|J=Gl|7P!AkN_IT2Pi(JK2&jG>7E<84qnlf)a3W&-zgo~F4ZR^g*7Da(E
z*^ro?J`=;r@Rd&_go<gPgAyF3Jt>3v2GORWpo7!Zq$xhiBboBy;zB>KCfw|t(IVCm
zuFso61sg(vpmrJyUyGdsFgkN>1+Ml^pe>Yz7WvcZm8^;mNXI$6<TKhlI{IpQz_p0$
zJSfumgzQbJ7lETr;<HR3fak@KSv-ROM-Yx8!LjCTI@H<OE_mO}>(hh)_<W#flyI-{
zdx){Ke0GEei~@+KvPrr68xCBZB_ptghnadcf@PHfvzcz;0!rY4Ca?;t0W@dc(P|&N
zBv+gLZSy-fKQzk|xbK;fk@XX_5UE46eKqKcp>Jz&iswv%f%W45TUU?8tsk9jYS16`
z4<IT{<oTh@@eJx2CYN4PPbU<mG*pmR$YEvRGAd~1x6{P8{Eb8yK&0VW7>+=!zc%f(
zWmG@DuQGRyMB|TldLv3ef-4?q1|moM*Fdc`O`pj&=8V42yPK+R#xi#6aqwK1@pgwn
z2~!w1CN!?nhhA(U(v;T2W}wTf-oD-C>r2<5L27yxnp$z(SJyBS^fYb15%BH*)nVSH
zrugX#r}cMu^x(YB#^fFP(+s(5M9JZ(US1OG6{0nY8qUT@(A-}V?OJ)8c&pC3x;#^O
zi~Of*#OEfND1N7R?+YO!1h56CG=N755tJvlQv~A~S0mT>zSfP^FxT->CBjg&ojuRD
zs`b{hb?86(5nEWI&Ma+j8{Ot<md>1D0C*-+hOsj(ST#y%vF3z9v%MFX<O9jek}=*u
z077Euhyp!eAZSvu%A}B{kfiHj1zvVP2IitrEr;zd1>51LzfdkE9{#k)EWmt8ib#2F
z5`P>NeBl^!v`74XX5#&eX+)6TaMCqivUt=&VrH{vm%NlVs8x0Je(dF1f+tRdqzuC(
z3vUrGPJq;0L2CCfu89S6jsZWix#5OI|BXX51422A%l7N91K6~r<nUl+>1cJJ>2BGM
z1BI$f#lTwDo=X=}%*#_$LihQzxY51}dQQU>DE~zT28f|v_3PqOJ(S-2mxbZOpi7Kh
z8cL&v7QM6VdAzmNK<_54!hL{fOwO%oe|nb{FNco`LquU4e%9-Pa&i+Zi)Q2OC<v$4
z5<un5_W?$a&AlqNmQkyln?(}eHE&$Ygw&s+ClX(+-&Et2!jzjhpT!zsgNjy~OXV~B
z0YA$(J==4kIM#_N91jrsmoa}?=q2ml;!H+D`kCe(G(>`wlsH1_EjS|3dAXFM{4KIT
zwn1_6={8MXOW_k$S4b2X`1t5}JMg^}vo6SS@ho)ag|#0c$}1_YX$B;7fR^R0{5?8E
zrv&uI&-e@Ds>rIabrD)WK=5k)0qB*U*cv$@SZU4r`J#gc3CYXXn0ziTVDw|m<e1OU
zDRznXgsS{W+#haq>HM(h%aS_dq-HA&7NqrT*iU^Bd5F--6m&Abv{X`YP9jX{`=QmE
z*RW<`nB4sjBIOD~x3t%uPff{BhJ7hLmWqgUy{Meo^gmy0c6x3$RJ|Z9h`FoM2191;
zD4wDh;Fx6#!~%dJ_i0#p;}@q7CPbr(7q9Y6wjY80Vmi1|sCO_Zz^W88v?#d3m<qn+
JBu_JC6`?kB#~%Oy

diff --git a/users/patrick/ssh.nix b/users/patrick/ssh.nix
index 4c6fe13..8f89338 100644
--- a/users/patrick/ssh.nix
+++ b/users/patrick/ssh.nix
@@ -40,6 +40,10 @@
           hostname = config.secrets.secrets.global.user.hetzner_ip;
           user = "root";
         };
+        "mailnix" = {
+          hostname = config.secrets.secrets.global.user.mailnix_ip;
+          user = "root";
+        };
 
         "desktopnix" = {
           hostname = "desktopnix.local";
diff --git a/users/root/default.nix b/users/root/default.nix
index 651eb8e..9a72218 100644
--- a/users/root/default.nix
+++ b/users/root/default.nix
@@ -1,6 +1,8 @@
 {
   pkgs,
   config,
+  lib,
+  minimal,
   ...
 }:
 {
@@ -10,12 +12,10 @@
       # Patrick
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ"
-      # Simon old yubikey
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmees72GMKG/rsQQRhs2I/lQnJa0uW5KmZlNBeriCh0"
     ];
     hashedPassword = config.secrets.secrets.global.users.root.passwordHash;
   };
-  imports = [
+  imports = lib.optionals (!minimal) [
 
     ../patrick/alias.nix
     ../patrick/theme.nix