feat: migrate host Hyprland configs to Lua (Hyprland 0.55+)

- m3-kratos/home.nix: use hl.monitor({}), hl.workspace_rule({}), hl.window_rule({}) table-based Lua API - m3-ares/home.nix: same Lua API + tuxedo-backlight via hl.on() - Update flake.lock: home-manager -> 74f170c6 (2026-05-18)
2026-05-18 17:27:15 +02:00
16 changed files with 145 additions and 482 deletions
@@ -79,11 +79,11 @@
    "agents_3": {
      "flake": false,
      "locked": {
-        "lastModified": 1778518220,
+        "lastModified": 1777399938,
-        "narHash": "sha256-6AQs9VZ0/DuD4njPbYHRE4v+SgJc6SBrGwemTWxikVc=",
+        "narHash": "sha256-xXPqUQezDdDtF8MbpZnwD1HkybOYwF92evx8rJ6OXCU=",
        "ref": "refs/heads/master",
-        "rev": "b6e1aaa6261c5056d024d8d4785659eaa4e675e6",
+        "rev": "9a91f1ee0cf011a7eaf1f16a9e17610b0457e055",
-        "revCount": 87,
+        "revCount": 85,
        "type": "git",
        "url": "https://code.m3ta.dev/m3tam3re/AGENTS"
      },
@@ -214,11 +214,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1778445566,
+        "lastModified": 1777369708,
-        "narHash": "sha256-oQvcadh2BCkrog+SGrG6YffKJrveYpjj3TdQJWaKhaM=",
+        "narHash": "sha256-1xW7cRZNsFNPQD+cE0fwnLVStnDth0HSoASEIFeT7uI=",
        "owner": "nix-community",
        "repo": "bun2nix",
-        "rev": "2499dedd70744dba1815875b854818a3019e9e4c",
+        "rev": "e659e1cc4b8e1b21d0aa85f1c481f9db61ecfa98",
        "type": "github"
      },
      "original": {
@@ -280,11 +280,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1778958912,
+        "lastModified": 1777713215,
-        "narHash": "sha256-6pvS9rIF9mZRj1ENwu9fDLHeG1JFDTCpRyy6vJhXkTA=",
+        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "6e8dc7aa0e65fce67c76e18227a13a7d529f2cdf",
+        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
        "type": "github"
      },
      "original": {
@@ -322,11 +322,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1778716662,
+        "lastModified": 1777988971,
-        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
+        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
+        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
        "type": "github"
      },
      "original": {
@@ -406,16 +406,16 @@
        "uv2nix": "uv2nix_2"
      },
      "locked": {
-        "lastModified": 1778925537,
+        "lastModified": 1778170968,
-        "narHash": "sha256-d9qhrTy45Q5UsmjapqMHOVi9e+gR9zE8Nq9Z0wObLmc=",
+        "narHash": "sha256-YQQUEDUim2CiYpL3uG7Wi1fWPsT2wtIqoBeJuAj9hUk=",
        "owner": "NousResearch",
        "repo": "hermes-agent",
-        "rev": "a91a57fa5a13d516c38b07a141a9ce8a3daabeb0",
+        "rev": "498bfc7bc12a937621b4215312049b1000726df3",
        "type": "github"
      },
      "original": {
        "owner": "NousResearch",
-        "ref": "v2026.5.16",
+        "ref": "v2026.5.7",
        "repo": "hermes-agent",
        "type": "github"
      }
@@ -448,11 +448,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1779125151,
+        "lastModified": 1779113444,
-        "narHash": "sha256-bPHT0oJAHe5a43lkkSGAiCEg/RBqpwv5xsFrcj+Bog8=",
+        "narHash": "sha256-/L61sT1PIKmGWIQpIh0uJGH/ANvcsf6y4alxtb9kelg=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "fab3fd7327a0ac7a1fae5095bf140377704fac7f",
+        "rev": "74f170c62d57f90e656841f1f699e6bdf40f0a24",
        "type": "github"
      },
      "original": {
@@ -577,11 +577,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1779082717,
+        "lastModified": 1778304612,
-        "narHash": "sha256-TE2ynGDxq6ahXlzxCDfatOYcnvvsOIi/QTMIZS0gWq0=",
+        "narHash": "sha256-7FkBnR56KZ8RwY5kPd3ans8f68IYjF1J66gOUlLsiLA=",
        "owner": "numtide",
        "repo": "llm-agents.nix",
-        "rev": "1f1ede7969673edd1d35764f5c930ecf96487156",
+        "rev": "c741913095c4815f6651aa0a2c24b3ce15e414e4",
        "type": "github"
      },
      "original": {
@@ -602,11 +602,11 @@
        "nur": "nur"
      },
      "locked": {
-        "lastModified": 1779128125,
+        "lastModified": 1778520138,
-        "narHash": "sha256-Lt/n7O42uAZrgjoDttgVlfjauiyE91+X8XDlIKS0twM=",
+        "narHash": "sha256-X58c8BUIshyUnp6XEKumFUYXqMFnrDTj+aGuGIbKwxg=",
        "ref": "refs/heads/master",
-        "rev": "70562ceef2bf9508fbfcea13f96c073602530cf1",
+        "rev": "a87d9510bd84f51bf93970730b8688ab7221bbdd",
-        "revCount": 33,
+        "revCount": 30,
        "type": "git",
        "url": "ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home"
      },
@@ -649,11 +649,11 @@
        "openspec": "openspec_2"
      },
      "locked": {
-        "lastModified": 1779112891,
+        "lastModified": 1778518789,
-        "narHash": "sha256-UtRPNT1Pn2H42h2zc0GuyWi08wH6g00Mkth/bnuXu/Y=",
+        "narHash": "sha256-9WZvO2BBofC2Wp4dvP4/aQ6Jhmcxh9lEGTYj09hLXrI=",
        "ref": "refs/heads/master",
-        "rev": "f265aaff108496e835fcd318d5c850d8b49cbb73",
+        "rev": "d64c581516c02702ec28e5d2304330d7b035235d",
-        "revCount": 309,
+        "revCount": 295,
        "type": "git",
        "url": "ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs"
      },
@@ -846,11 +846,11 @@
    },
    "nixpkgs-master_2": {
      "locked": {
-        "lastModified": 1779112318,
+        "lastModified": 1778507606,
-        "narHash": "sha256-nuEcdfdbqAymI+Fgbw5YruK/vv1vbLo899I3rx+k5fw=",
+        "narHash": "sha256-6Yc2dIhijc8G+dbMNocyclxF19dUrjaT+EeXGrXmXlg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "caf7b95c65a9f0a94cad75dbf2ee2650286111fc",
+        "rev": "39a7b8d815fcc8b689d56fc4a3fa8de4ef93d169",
        "type": "github"
      },
      "original": {
@@ -862,11 +862,11 @@
    },
    "nixpkgs-master_3": {
      "locked": {
-        "lastModified": 1779127438,
+        "lastModified": 1778307931,
-        "narHash": "sha256-2dTsb4EIQw6WNS+zGFij2Io8ic4eHZAEbYY59d9pcyg=",
+        "narHash": "sha256-GkUOqeH6tb2/K1tv3t0F/xROIAh5/zEGutzEUIrQ+u8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "559847f92aee8e4bcb24411bc23bca1b94a8595f",
+        "rev": "8f689324e32c31a3d2c24490a19e266c3fb6508b",
        "type": "github"
      },
      "original": {
@@ -878,11 +878,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1778737229,
+        "lastModified": 1778003029,
-        "narHash": "sha256-6xWoytx8jFW4PF1GjRm/i/53trbpKGfz6zjzQGBr4cI=",
+        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d7a713c0b7e47c908258e71cba7a2d77cc8d71d5",
+        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
        "type": "github"
      },
      "original": {
@@ -894,11 +894,11 @@
    },
    "nixpkgs_10": {
      "locked": {
-        "lastModified": 1778869304,
+        "lastModified": 1777954456,
-        "narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
        "type": "github"
      },
      "original": {
@@ -974,11 +974,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1778869304,
+        "lastModified": 1778124196,
-        "narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
+        "narHash": "sha256-pYEytCNic/czazbV9r3tbQ6BZzqRBg/41x2dIC5ymOo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
+        "rev": "68a8af93ff4297686cb68880845e61e5e2e41d92",
        "type": "github"
      },
      "original": {
@@ -1022,11 +1022,11 @@
    },
    "nixpkgs_8": {
      "locked": {
-        "lastModified": 1778869304,
+        "lastModified": 1777954456,
-        "narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
        "type": "github"
      },
      "original": {
@@ -1100,11 +1100,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1779124721,
+        "lastModified": 1778308643,
-        "narHash": "sha256-Z1q8QkuHAdkmXh4SItOzViVVFVLb+tzaEaYCTHI2UKk=",
+        "narHash": "sha256-MpJyLyJWAwOy7rVs7pWqRwH2b8/rj+B524VzdonvXBs=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "ad57d8faf36bb02c65c90012cd0289daa0b2d9c4",
+        "rev": "98d908741ed91101cd0649961f12d2427bdba7d3",
        "type": "github"
      },
      "original": {
@@ -1143,11 +1143,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1778774456,
+        "lastModified": 1778120451,
-        "narHash": "sha256-4V35mdLWax+GfuUK6hv2Vgri6N/vAJApjuCB3ROOY6w=",
+        "narHash": "sha256-MUSPD16+hoFBfQWYahtNLN2BIFEAlFFo2KNofrc947g=",
        "owner": "Fission-AI",
        "repo": "OpenSpec",
-        "rev": "8498042fe8a738e8ad6facd94a5fc7f5025bf81d",
+        "rev": "053d8a59d587f3c027a06ad80503a6b43d4f2a92",
        "type": "github"
      },
      "original": {
@@ -1316,11 +1316,11 @@
    "skills-anthropic": {
      "flake": false,
      "locked": {
-        "lastModified": 1779058037,
+        "lastModified": 1778286877,
-        "narHash": "sha256-GytrPFxw1PC2B0MILR6eNa83qAmxcjvLPkJzHQXT93g=",
+        "narHash": "sha256-jKNYFom6R+Qw7LQ8vFPBe51JpqIP0tTSY8LM4aPlnT4=",
        "owner": "anthropics",
        "repo": "skills",
-        "rev": "6a5bb06904ab164a345e41c381fc9097954b83da",
+        "rev": "f458cee31a7577a47ba0c9a101976fa599385174",
        "type": "github"
      },
      "original": {
@@ -1332,11 +1332,11 @@
    "skills-basecamp": {
      "flake": false,
      "locked": {
-        "lastModified": 1778520277,
+        "lastModified": 1777902228,
-        "narHash": "sha256-gaV9eIIzOTBlL+9+e8HIgCs4pa1J8lAizRykkJVoVUM=",
+        "narHash": "sha256-XDsWpUhFb/gxatRFla07nwoc2y3WwaBLsiDdtCnqx38=",
        "owner": "basecamp",
        "repo": "basecamp-cli",
-        "rev": "f948edca1dbce53640056743bf49f05cf39e736b",
+        "rev": "b56ada1b3d42b42a9422ba39b30a223f9f960231",
        "type": "github"
      },
      "original": {
@@ -1348,11 +1348,11 @@
    "skills-kestra": {
      "flake": false,
      "locked": {
-        "lastModified": 1778585472,
+        "lastModified": 1773046826,
-        "narHash": "sha256-jtK4wwLE4y4vsnonSmIhlAIJ/g0zqPDt3TO+Frb6LEU=",
+        "narHash": "sha256-w1zFqfCAcu9FsaGf8uAyaaYVbSwwtUzotfDJ1jSt+q0=",
        "owner": "kestra-io",
        "repo": "agent-skills",
-        "rev": "cc9cd71fbada02f8ac22a1f3ae7ad5e7242bda45",
+        "rev": "b536825bf5b9213d7a7fb5ab7c47823f1044490b",
        "type": "github"
      },
      "original": {
@@ -1380,11 +1380,11 @@
    "skills-vercel": {
      "flake": false,
      "locked": {
-        "lastModified": 1778774027,
+        "lastModified": 1778275952,
-        "narHash": "sha256-Dzp0Gx+EcO7daxLTZ0QpMu4EEYdDWWEE8b5RF4Fv9QM=",
+        "narHash": "sha256-RYwgUf173N4lGalTta4HkBR7sdZwuzRoAY6M8JsT+RY=",
        "owner": "vercel-labs",
        "repo": "skills",
-        "rev": "c5ad3a85b4d16666974b161131413d08bfef3f7e",
+        "rev": "c99a72b371b5b4da865f5afa87c5a686f3a46766",
        "type": "github"
      },
      "original": {
@@ -73,7 +73,7 @@
      url = "github:vercel-labs/skills";
      flake = false;
    };
-    hermes-agent.url = "github:NousResearch/hermes-agent/v2026.5.16";
+    hermes-agent.url = "github:NousResearch/hermes-agent/v2026.5.7";
    rustfs = {
      url = "github:rustfs/rustfs-flake";
@@ -39,11 +39,6 @@
      outline = 3019;
      authentik = 3023;
      tuwunel = 3024;
      honcho = 3025;
      # Agent infrastructure
      hermes-api = 8642;
      hermes-dashboard = 9119;
      # Home automation
      homarr = 7575;
@@ -36,35 +36,39 @@ with lib; {
      };
    }
-    # ── Hyprland monitor layout ──
+    # ── Hyprland monitor layout & host-specific rules ──
    (mkIf config.desktop.wm.hyprland.enable {
      wayland.windowManager.hyprland = {
        enable = true;
        settings = {
-          exec-once = ["tuxedo-backlight"];
+          # Laptop internal + external HDMI
          monitor = [
-            "eDP-1,preferred,0x0,1.25"
+            { output = "eDP-1";     mode = "preferred";       position = "0x0";     scale = 1.25; }
-            "HDMI-A-1,1920x1080@120,2560x0,1"
+            { output = "HDMI-A-1";  mode = "1920x1080@120";   position = "2560x0";  scale = 1; }
          ];
-          workspace = [
+          workspace_rule = [
-            "1, monitor:eDP-1, default:true"
+            { workspace = 1; monitor = "eDP-1";    default = true; }
-            "2, monitor:eDP-1"
+            { workspace = 2; monitor = "eDP-1"; }
-            "3, monitor:eDP-1"
+            { workspace = 3; monitor = "eDP-1"; }
-            "4, monitor:HDMI-A-1"
+            { workspace = 4; monitor = "HDMI-A-1"; }
-            "5, monitor:HDMI-A-1,border:false,rounding:false"
+            { workspace = 5; monitor = "HDMI-A-1"; border = false; rounding = false; }
-            "6, monitor:HDMI-A-1"
+            { workspace = 6; monitor = "HDMI-A-1"; }
          ];
-          windowrule = [
+          window_rule = [
-            "match:class dev.zed.Zed, workspace 1"
+            { match = { class = "dev.zed.Zed" };            workspace = "1"; }
-            "match:class Msty, workspace 1"
+            { match = { class = "Msty" };                    workspace = "1"; }
-            "match:class ^(com.obsproject.Studio)$, workspace 2"
+            { match = { class = "^com.obsproject.Studio$" }; workspace = "2"; }
-            "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
+            { match = { class = "^(brave-browser)$" };      workspace = "4"; opacity = 1.0; }
-            "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
+            { match = { class = "^(vivaldi-stable)$" };     workspace = "4"; opacity = 1.0; }
-            "match:class ^steam_app_\\d+$, fullscreen on"
+            { match = { class = "^steam_app_\\d+$" };       fullscreen = true; workspace = "5"; idle_inhibit = "focus"; }
            "match:class ^steam_app_\\d+$, workspace 5"
            "match:class ^steam_app_\\d+$, idle_inhibit focus"
          ];
        };
        extraConfig = mkAfter ''
          -- Host startup: TUXEDO backlight
          hl.on("hyprland.start", function()
            hl.exec_cmd("tuxedo-backlight")
          end)
        '';
      };
    })
  ];
@@ -17,20 +17,9 @@ in {
    settings = {
      # ── Model ──────────────────────────────────────────────────────────
      model = {
-        default = "gpt-5.5";
+        default = "glm-5.1";
        provider = "openai-codex";
      };
      fallback_providers = [
        {
        provider = "zai";
-          model = "glm-5.1";
+      };
        }
        {
          provider = "minimax";
          model = "MiniMax-M2.7";
        }
      ];
      credential_pool_strategies = {
        zai = "fill_first";
@@ -3,14 +3,6 @@
    secrets = {
      baserow-env = {file = ../../secrets/baserow-env.age;};
      ghost-env = {file = ../../secrets/ghost-env.age;};
      honcho-selfhost-db-password = {
        file = ../../secrets/honcho-selfhost-db-password.age;
        owner = "postgres";
        group = "postgres";
        mode = "400";
      };
      honcho-selfhost-env = {file = ../../secrets/honcho-selfhost-env.age;};
      honcho-selfhost-jwt-secret = {file = ../../secrets/honcho-selfhost-jwt-secret.age;};
      kestra-config = {
        file = ../../secrets/kestra-config.age;
        mode = "644";
@@ -2,7 +2,6 @@
  imports = [
    ./baserow.nix
    ./ghost.nix
    ./honcho.nix
    ./kestra.nix
    ./littlelink.nix
    ./matomo.nix
@@ -1,209 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  serviceName = "honcho";
  image = "ghcr.io/plastic-labs/honcho:v3.0.6";
  apiIp = "10.89.0.24";
  deriverIp = "10.89.0.25";
  redisIp = "10.89.0.26";
  postgresHost = "10.89.0.1";
  postgresPort = config.m3ta.ports.get "postgres";
  honchoPort = config.m3ta.ports.get "honcho";
  # m3-atlas Netbird mesh address, discovered from `netbird status -d`.
  # Binding the host port here keeps self-hosted Honcho off public interfaces.
  netbirdBindAddress = "100.81.142.56";
  netbirdRange = "100.64.0.0/16";
  dbName = "honcho";
  dbUser = "honcho";
  redisName = "${serviceName}-redis";
  runtimeDirectory = "/run/${serviceName}";
  runtimeEnvFile = "${runtimeDirectory}/env";
  # Keep auth disabled for the first deployment because Honcho clients need
  # generated JWTs. The JWT secret is still provisioned so enabling auth later is
  # a one-line change here plus client token generation.
  authUseAuth = false;
  sharedEnvironment = {
    CACHE_ENABLED = "true";
    CACHE_URL = "redis://${redisName}:6379/0?suppress=true";
    LOG_LEVEL = "INFO";
    TELEMETRY_ENABLED = "false";
    VECTOR_STORE_MIGRATED = "false";
    VECTOR_STORE_TYPE = "pgvector";
    AUTH_USE_AUTH = lib.boolToString authUseAuth;
  };
  sharedEnvironmentFiles = [
    runtimeEnvFile
    config.age.secrets."${serviceName}-selfhost-env".path
  ];
  webNetwork = ip: [
    "--add-host=postgres:${postgresHost}"
    "--network=web:ip=${ip}"
  ];
  # The shared web network is intentionally internal. API and deriver also join
  # this egress-only network so LLM provider calls can leave the host without
  # exposing any extra inbound ports.
  networksWithEgress = ip:
    (webNetwork ip)
    ++ [
      "--network=${serviceName}-egress"
    ];
  apiHealthCmd = ''/app/.venv/bin/python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health', timeout=2).read()"'';
 in {
  system.activationScripts.createPodmanNetworkHonchoEgress = lib.mkAfter ''
    if ! /run/current-system/sw/bin/podman network exists ${serviceName}-egress; then
      /run/current-system/sw/bin/podman network create ${serviceName}-egress
    fi
  '';
  virtualisation.oci-containers.containers = {
    "${serviceName}-redis" = {
      image = "docker.io/redis:8.2";
      autoStart = true;
      volumes = ["${serviceName}_redis_data:/data"];
      extraOptions =
        (webNetwork redisIp)
        ++ [
          "--health-cmd=redis-cli ping"
          "--health-interval=5s"
          "--health-timeout=5s"
          "--health-retries=5"
        ];
    };
    "${serviceName}-api" = {
      inherit image;
      autoStart = true;
      entrypoint = "sh";
      cmd = ["docker/entrypoint.sh"];
      environment = sharedEnvironment;
      environmentFiles = sharedEnvironmentFiles;
      ports = ["${netbirdBindAddress}:${toString honchoPort}:8000"];
      dependsOn = [redisName];
      extraOptions =
        (networksWithEgress apiIp)
        ++ [
          "--health-cmd=${apiHealthCmd}"
          "--health-interval=5s"
          "--health-timeout=5s"
          "--health-retries=5"
          "--health-start-period=10s"
        ];
    };
    "${serviceName}-deriver" = {
      inherit image;
      autoStart = true;
      entrypoint = "/app/.venv/bin/python";
      cmd = ["-m" "src.deriver"];
      environment = sharedEnvironment;
      environmentFiles = sharedEnvironmentFiles;
      dependsOn = ["${serviceName}-api" redisName];
      extraOptions = networksWithEgress deriverIp;
    };
  };
  systemd.services = {
    "${serviceName}-postgres-bootstrap" = {
      description = "Bootstrap Honcho PostgreSQL role, database, password, and pgvector";
      after = ["postgresql.service" "agenix.service"];
      requires = ["postgresql.service" "agenix.service"];
      before = ["${serviceName}-env.service" "podman-${serviceName}-api.service" "podman-${serviceName}-deriver.service"];
      requiredBy = ["podman-${serviceName}-api.service" "podman-${serviceName}-deriver.service"];
      path = [
        config.services.postgresql.package
        pkgs.coreutils
      ];
      serviceConfig = {
        Type = "oneshot";
        User = "postgres";
        Group = "postgres";
      };
      script = ''
        set -euo pipefail
        test -s ${config.age.secrets."${serviceName}-selfhost-db-password".path}
        psql -v ON_ERROR_STOP=1 --dbname=postgres <<'SQL'
        DO $$
        BEGIN
          CREATE ROLE ${dbUser} LOGIN;
        EXCEPTION WHEN duplicate_object THEN
          NULL;
        END
        $$;
        SELECT 'CREATE DATABASE ${dbName} OWNER ${dbUser}'
        WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${dbName}')\gexec
        ALTER DATABASE ${dbName} OWNER TO ${dbUser};
        \set honcho_password `cat ${config.age.secrets."${serviceName}-selfhost-db-password".path}`
        ALTER ROLE ${dbUser} WITH LOGIN PASSWORD :'honcho_password';
        SQL
        psql -v ON_ERROR_STOP=1 --dbname=${dbName} <<'SQL'
        CREATE EXTENSION IF NOT EXISTS vector;
        GRANT ALL PRIVILEGES ON DATABASE ${dbName} TO ${dbUser};
        SQL
      '';
    };
    "${serviceName}-env" = {
      description = "Generate Honcho runtime environment file with agenix secrets";
      after = ["agenix.service" "${serviceName}-postgres-bootstrap.service"];
      requires = ["agenix.service" "${serviceName}-postgres-bootstrap.service"];
      before = ["podman-${serviceName}-api.service" "podman-${serviceName}-deriver.service"];
      requiredBy = ["podman-${serviceName}-api.service" "podman-${serviceName}-deriver.service"];
      path = [
        pkgs.coreutils
        pkgs.python3
      ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        set -euo pipefail
        install -d -m 0750 ${runtimeDirectory}
        db_password_encoded=$(
          python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=""))' \
            < ${config.age.secrets."${serviceName}-selfhost-db-password".path}
        )
        jwt_secret=$(tr -d '\r\n' < ${config.age.secrets."${serviceName}-selfhost-jwt-secret".path})
        umask 077
        cat > ${runtimeEnvFile} <<ENV
        DB_CONNECTION_URI=postgresql+psycopg://${dbUser}:$db_password_encoded@postgres:${toString postgresPort}/${dbName}
        AUTH_JWT_SECRET=$jwt_secret
        ENV
      '';
    };
    "podman-${serviceName}-api" = {
      after = ["${serviceName}-env.service" "${serviceName}-postgres-bootstrap.service"];
      requires = ["${serviceName}-env.service" "${serviceName}-postgres-bootstrap.service"];
    };
    "podman-${serviceName}-deriver" = {
      after = ["${serviceName}-env.service" "${serviceName}-postgres-bootstrap.service"];
      requires = ["${serviceName}-env.service" "${serviceName}-postgres-bootstrap.service"];
    };
  };
  networking.firewall.extraCommands = ''
    # Self-hosted Honcho API: only Netbird mesh peers may reach ${netbirdBindAddress}:${toString honchoPort}.
    ip46tables -A nixos-fw -p tcp --dport ${toString honchoPort} -s ${netbirdRange} -j nixos-fw-accept
  '';
 }
@@ -28,7 +28,6 @@
      host    kestra       kestra       10.89.0.0/24    scram-sha-256
      host    netbird      netbird      10.89.0.0/24    scram-sha-256
      host    authentik    authentik    10.89.0.0/24    scram-sha-256
      host    honcho       honcho       10.89.0.0/24    scram-sha-256
      # Deny all other connections
      local   all       all       reject
@@ -39,7 +38,7 @@
  services.postgresqlBackup = {
    enable = true;
    startAt = "03:10:00";
-    databases = ["baserow" "paperless" "kestra" "authentik" "netbird" "honcho"];
+    databases = ["baserow" "paperless" "kestra" "authentik" "netbird"];
  };
  networking.firewall = {
    extraCommands = ''
@@ -7,6 +7,14 @@
  # Edge TTS: Seraphina — friendly, multilingual German female voice (free, no API key)
  edgeVoice = "de-DE-SeraphinaMultilingualNeural";
  # Extra Python packages from the container's writable venv layer.
  # matrix-nio is installed via pip in /home/hermes/.venv but the hermes
  # process uses the read-only Nix store Python, so we inject the venv's
  # site-packages via PYTHONPATH and provide libstdc++ for libolm (e2e).
  # NOTE: v0.13.0 upgraded to Python 3.12 — path updated accordingly.
  venvSitePackages = "/home/hermes/.venv/lib/python3.12/site-packages";
  gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib";
  # Build skills using agents flake lib for hermes user
  hermesSkills = inputs.agents.lib.mkSkills {
    inherit pkgs;
@@ -30,9 +38,9 @@ in {
  virtualisation.docker.enable = true;
  systemd.tmpfiles.rules = [
-    "d /var/lib/hermes/.config 0755 hermes hermes -"
+    "d /home/hermes/.config 0755 hermes hermes -"
-    "d /var/lib/hermes/.config/tea 0755 hermes hermes -"
+    "d /home/hermes/.config/tea 0755 hermes hermes -"
-    "L+ /var/lib/hermes/.config/tea/yml - - - - ${pkgs.writeText "tea-yml" ''
+    "L+ /home/hermes/.config/tea/yml - - - - ${pkgs.writeText "tea-yml" ''
      logins:
        - name: m3ta
          url: https://code.m3ta.dev
@@ -56,29 +64,19 @@ in {
    '';
  };
  # Ensure 'uv' is in the hermes-agent service PATH so CronJobs and terminal
  # sessions can use 'uv run' for PEP 723 scripts (e.g. garmin-daily.py).
  systemd.services.hermes-agent.path = [pkgs.uv];
  services.hermes-agent = {
    enable = true;
    addToSystemPackages = true;
    # v0.14 lazy-installs heavy optional backends by default. In the sealed
    # Nix package, include the backends this host config actively uses so the
    # gateway, Matrix bridge, memory, web search, and TTS work
    # without runtime pip/uv mutation.
    extraDependencyGroups = [
      "matrix"
      "honcho"
      "exa"
      "edge-tts"
    ];
    extraPackages = with pkgs; [
      docker
      git
      curl
      jq
      tea
      nix
      python3Minimal
      uv
      zellij
    ];
@@ -107,7 +105,7 @@ in {
      # Bind to 0.0.0.0 so the Netbird interface can reach it.
      API_SERVER_ENABLED = "true";
      API_SERVER_HOST = "0.0.0.0";
-      API_SERVER_PORT = toString (config.m3ta.ports.get "hermes-api");
+      API_SERVER_PORT = "8642";
    };
    # ── Container mode (podman) ──────────────────────────────────────────
@@ -115,26 +113,20 @@ in {
      enable = false;
      backend = "podman";
      extraVolumes = ["/home/m3tam3re/p:/projects:rw"];
-      extraOptions = [];
+      extraOptions = [
        "--env"
        "PYTHONPATH=${venvSitePackages}"
        "--env"
        "LD_LIBRARY_PATH=${gccLibPath}"
      ];
    };
    settings = {
      # ── Model ──────────────────────────────────────────────────────────
      model = {
-        default = "gpt-5.5";
+        default = "glm-5.1";
        provider = "openai-codex";
      };
      fallback_providers = [
        {
        provider = "zai";
-          model = "glm-5.1";
+      };
        }
        {
          provider = "minimax";
          model = "MiniMax-M2.7";
        }
      ];
      credential_pool_strategies = {
        zai = "fill_first";
@@ -7,8 +7,6 @@
  # Netbird mesh VPN range — dashboard only accessible from mesh peers.
  # m3-atlas Traefik proxies to this port over Netbird.
  netbirdRange = "100.64.0.0/16";
  apiPort = config.m3ta.ports.get "hermes-api";
  dashboardPort = config.m3ta.ports.get "hermes-dashboard";
  # Reference the hermes-agent package from the running service config
  hermesPkg = config.services.hermes-agent.package or (inputs.hermes-agent.packages.${pkgs.stdenv.hostPlatform.system}.default or pkgs.hermes-agent);
@@ -16,10 +14,10 @@ in {
  # ── Hermes Dashboard systemd service ───────────────────────────────────
  # Web UI for managing Hermes Agent — sessions, config, kanban, cron, etc.
  #
-  # Flow: Browser → dash.m3ta.dev (TLS via m3-atlas Traefik) → Netbird → :${toString dashboardPort}
+  # Flow: Browser → dash.m3ta.dev (TLS via m3-atlas Traefik) → Netbird → :9119
  #
  # --insecure is required to bind 0.0.0.0 (hermes refuses non-localhost otherwise).
-  # Safe because firewall restricts the dashboard/API ports to Netbird mesh only.
+  # Safe because firewall restricts port 9119 to Netbird mesh only.
  systemd.services.hermes-dashboard = {
    description = "Hermes Agent Web Dashboard";
    after = ["network.target" "hermes-agent.service"];
@@ -31,7 +29,7 @@ in {
      User = "hermes";
      Group = "hermes";
-      ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port ${toString dashboardPort} --no-open --insecure";
+      ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open --insecure";
      # Environment matching the hermes-agent service
      Environment = [
@@ -53,17 +51,15 @@ in {
    };
  };
-  # ── Firewall: Hermes network endpoints only from Netbird mesh ──────────
+  # ── Firewall: Dashboard only from Netbird mesh ─────────────────────────
  networking.firewall = {
    extraCommands = ''
-      # Allow Hermes Dashboard and OpenAI-compatible API only from Netbird mesh VPN
+      # Allow Hermes Dashboard (9119/tcp) only from Netbird mesh VPN
-      ip46tables -A nixos-fw -p tcp --dport ${toString dashboardPort} -s ${netbirdRange} -j nixos-fw-accept
+      ip46tables -A nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept
      ip46tables -A nixos-fw -p tcp --dport ${toString apiPort} -s ${netbirdRange} -j nixos-fw-accept
    '';
    extraStopCommands = ''
-      ip46tables -D nixos-fw -p tcp --dport ${toString dashboardPort} -s ${netbirdRange} -j nixos-fw-accept 2>/dev/null || true
+      ip46tables -D nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept 2>/dev/null || true
      ip46tables -D nixos-fw -p tcp --dport ${toString apiPort} -s ${netbirdRange} -j nixos-fw-accept 2>/dev/null || true
    '';
  };
 }
@@ -36,31 +36,32 @@ with lib; {
      };
    }
-    # ── Hyprland monitor layout ──
+    # ── Hyprland monitor layout & host-specific rules ──
    (mkIf config.desktop.wm.hyprland.enable {
      wayland.windowManager.hyprland = {
        enable = true;
        settings = {
          # Dual monitor: DP-1 left, DP-2 right
          monitor = [
-            "DP-1,2560x1440@144,0x0,1"
+            { output = "DP-1"; mode = "2560x1440@144"; position = "0x0";     scale = 1; }
-            "DP-2,2560x1440@144,2560x0,1"
+            { output = "DP-2"; mode = "2560x1440@144"; position = "2560x0";  scale = 1; }
          ];
-          workspace = [
+          workspace_rule = [
-            "1, monitor:DP-1, default:true"
+            { workspace = 1; monitor = "DP-1"; default = true; }
-            "2, monitor:DP-1"
+            { workspace = 2; monitor = "DP-1"; }
-            "3, monitor:DP-1"
+            { workspace = 3; monitor = "DP-1"; }
-            "4, monitor:DP-2"
+            { workspace = 4; monitor = "DP-2"; }
-            "5, monitor:DP-2"
+            { workspace = 5; monitor = "DP-2"; }
-            "6, monitor:DP-2"
+            { workspace = 6; monitor = "DP-2"; }
-            "7, monitor:DP-2"
+            { workspace = 7; monitor = "DP-2"; }
          ];
-          windowrule = [
+          window_rule = [
-            "match:class dev.zed.Zed, workspace 1"
+            { match = { class = "dev.zed.Zed" };            workspace = "1"; }
-            "match:class Msty, workspace 1"
+            { match = { class = "Msty" };                    workspace = "1"; }
-            "match:class ^(com.obsproject.Studio)$, workspace 2"
+            { match = { class = "^com.obsproject.Studio$" }; workspace = "2"; }
-            "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
+            { match = { class = "^(brave-browser)$" };      workspace = "4"; opacity = 1.0; }
-            "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
+            { match = { class = "^(vivaldi-stable)$" };     workspace = "4"; opacity = 1.0; }
-            "match:class ^steam_app_\\d+$, idle_inhibit focus"
+            { match = { class = "^steam_app_\\d+$" };       idle_inhibit = "focus"; }
          ];
        };
      };
@@ -38,9 +38,6 @@ in {
  "secrets/basecamp-client-id.age".publicKeys = systems ++ users;
  "secrets/basecamp-client-secret.age".publicKeys = systems ++ users;
  "secrets/gitea-runner-token.age".publicKeys = systems ++ users;
  "secrets/honcho-selfhost-db-password.age".publicKeys = systems ++ users;
  "secrets/honcho-selfhost-env.age".publicKeys = systems ++ users;
  "secrets/honcho-selfhost-jwt-secret.age".publicKeys = systems ++ users;
  "secrets/outline-key.age".publicKeys = systems ++ users;
  "secrets/restreamer-env.age".publicKeys = systems ++ users;
  "secrets/searx.age".publicKeys = systems ++ users;
@@ -1,31 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDVrd2NzQSBJV1Fa
 U2gzWjJKOHlsK202dXAzVENFdmZ5ZmJsc01STnRnTWMvdjFyZ21NCjU5Q0hwbVlV
 dVlRTUZDb0JESHBaTzk5ancrTWNpLzYrMFk2QWU0Z0EvUmsKLT4gc3NoLWVkMjU1
 MTkgM0JjcjF3IEdia0tSQTZWcEE3ODE4VjU2M0ZGay9rbXlzbFNqZWxpb1lGSExw
 RW5keGsKWDlwRzcwT1BaTDByT0R6T3hqWTE1UWVyN2xhSzhSMlhBdW5FakNjZ1Ux
 NAotPiBzc2gtZWQyNTUxOSA5ZDRZSVEgcnNJRnA2SVVkMHRXZTErc0VFbmduMDBz
 ZkQzK3dMQ2xadkMyYllhOE1rOAprWmg4T3RiaTF5QXdmRGUxVDVpVnZWdWxRYTJv
 WGVUQUhsT0VjKzl0NnJrCi0+IHNzaC1lZDI1NTE5IDROTEtydyAvc1ZTc0hRd3R4
 V2U4dEpaeEZEZlVyc2ZHSlNiVSt3T1M3bndsVXpPNkhVCmt2WlplcVcza2YxV05T
 bnRIOWpMYWpxck5jSzRtQVZ2L2ZQS3J1VjVTWDgKLT4gc3NoLWVkMjU1MTkgYzRO
 UWxBIHZCKzR5RXN2RmYvc3ZPTGJRRG1peUN6bmNuVFpSd2NPdWJwTTJYdHllRW8K
 TEo4QUI1a3ZzQ3NSQldSN1lTMlVwVGhTcTRPaHpYVHZVdHowYmZqR1czVQotPiBz
 c2gtcnNhIERRbEU3dwpvRzJjS0h3b2p4RXJrSDI1VEszQ1BvckNUS2laV3hGVVlx
 TXd0VkcvQ1hvWElNWnVNa1JoeHhMTDFUUWZnV0YxCjNHajRtZ0lmQzVXZmhyM1Nq
 SWoyVTFFdmowNTdZV0J0WHE5cXdZb2U1OVJOb1hYb1lnSjdqN09Bd2IvOUFlckMK
 d3hBc3pUK1J2Y3VnTjNSR0Q0cVJUVlluNllBazJ2L1dmOXVvZXI0WjVYbjI1RXhr
 Rm1EMzkxcStrYWRJTFNJKwo3YjZ6MEZ3RmtLZytiWGdBWWZEYU9EQWxEZWtzV3dD
 dGhJUUd0ajcvUFlxVGJqTVhlWmhSeHpkMHQyWWs5ZS9DClNEV0gzcWM2YlJTQ1lM
 bE4zTFJKSFU1VjAybFJvY1FQR2tNSFo2NFVDczBTUW9UWjY4aDVNUzlYaVlkdzJm
 dUsKckVaVld4YXpsdGYwWHVrWEtTbDJBU2cwcXlJSGY4ZEhlT2o4QlRBVGxWRHNL
 OXlMTGp5b1ZWbnJYV2pzaFFIcApQVmJzVi9kWnRpeWcyaS9weVN3SncxQjhlanBV
 dW5FU0VtL2lpS0NSTWtoOVI4akxXOUlhWW5xMkp2SUszSU9QCk1rZVdoNkI5TGRB
 L2twWWpPYVlSWUxrRElRcjhHMFczM29lcWlWWlJhbk0vcGFEQmw3UGdXWXJBNXJV
 VURYcFQKCi0+IHNzaC1lZDI1NTE5IENTTXloZyBpOEE3YUFzcytOYndXWWNreThp
 ZEdveGFlbHlPa0FwZ2xBY0lCcmIycTM4CnI0ZE1DM2d1bzZPV3diL2lZQi9SUnB1
 UWFjVVFueTFpMzRINm9Ob0pZMTQKLS0tIFJwZy9uRklOUEl0Z2hDNmx1YWsyNVov
 aHZ5VVhtMnVyYTMwbCtkaFFtR28KZzkT96InPG4YYyVKq0ZOrIBPtCJBbTXUJu+8
 9G03diIRwzYb6cSBRMtKKGl5NEfbJE7B2OnXeHPeCIPiGArKudKxFg9COHGOUP0h
 hUDDL9RGVhd4sMs8zRkxNghRwQzD
 -----END AGE ENCRYPTED FILE-----
@@ -1,30 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDVrd2NzQSBKZllV
 QytCeGYyVmtRMUxudm5iWmF3aWdITlRQVE53RnhFNUFabXkwbkg0CkE5Wk1mbXdm
 TzRuQTdvNklORUdSdHFIZm1zSVdvMWVnWWpRTUxDSzFBMHcKLT4gc3NoLWVkMjU1
 MTkgM0JjcjF3IDlISlRMdC9Sc2hic3JRV1o0WDNsbzByNmdFNnZDdjJSLytEa0xS
 VzRzQ2sKYXJGSjJDa2xuYThLNnhIMFhwTTNUSHJWbnFFYzZSRFQxVlVWK2xjNWgv
 dwotPiBzc2gtZWQyNTUxOSA5ZDRZSVEgaGUweXhJZmhTOGt3VFQ2R04rQjNOckxx
 c3BCMTBWZ0lsQmU3NmlVRkRYWQp6QlMvQkZmemVjekdLVWlDTUlNRG04MTlzaHAz
 cW9xd2JjNlE0eFF4NzNvCi0+IHNzaC1lZDI1NTE5IDROTEtydyBWQ2FGUCtFQ2FZ
 Wk5uSzZyTDNBTHRPUTkvTlRWR0Q1bHdqRjBycmU0VFc0CkdpSUNZZGw1aGJwUVk0
 VnlIR2IxVTJNaFVSNHJQSDR2YWxuN2ZiSERQSUEKLT4gc3NoLWVkMjU1MTkgYzRO
 UWxBIHlDYUlJRGxabTZxSnNpTUNWUDRXWUtHa0h3Z3BYTlZkUEtkall1OUh1VzQK
 ZEQzSW5tM0xFdWd1a3hibXlxa0N2N2RlemUyMkplRW5CNFZHUCtTSEhWdwotPiBz
 c2gtcnNhIERRbEU3dwpoNE9FdlpHYXJFZVRYQnBZNFZPTUhLb3RDdWpNcWxtU2gv
 MVF5Tm1tdHBuK3NLQjBnM2JudFFwQVZnb0VpUUljCjhKQk5HQnVrY05yeU53QWhK
 MG9QUVN5M2NXUEw2eEhQajFmaHZ4cWpFaXcwd3ZrSzNRWFNRREl5bERac1Y2LzYK
 c3BDVXlvQ20xaUt4KzZVRkhiNU5TYkpsbGQraFdvM3RvSkFZRU54SUV4ZWNnVG0y
 VVR6Q2swV2RFeUZwNGZxdQoveVhYN3JXVXBpQzdxa1ZKVXROcXRDQXladml5c2ZD
 ZjFVSVRaUkZiRVlNUHA3bDg2ek9mcXJnVG9YYStza3BFCktzVXlyZHNCZ1BxYTBO
 TUt1T3ZYQmR2VjErdVpPWVBOVDlFZm14Ukp0dkdUamNxODZPNFNTMXNabzNWUzVT
 MHIKUkJocFBhNitCMzFkWUhyV29FU3RMWjkvMWNxbzJFbTBHb2NpbW9Cb1dheHhn
 Y0N6S2FIQ2NROWtqQm5ORWxtYwo1NnF2RVQybnY2Wm5CQlJZOXVTVVNLUGZIbWZh
 V2laZWFQaXhEaGdma3pIWnlSaFpjSlRqNHlRZGNiaWhsWXlYCi9UM0Z2MldUMW01
 ekZja1hLNXptaFVCVFN5UVVlRGh0L2wvekxEckNmNTJOTUdoUE9wRzFaNzhqQnpM
 dThmWDUKCi0+IHNzaC1lZDI1NTE5IENTTXloZyB5ZzV4Q1pIOGpBOEtUcG1rNVZB
 QjFPbEt0OThxNWl3V1VhRTV2RFVrUGhRCmpwSHpUTnhNdlRHMnRvYWk2emJlSlhJ
 aWwweUg5dG1rYmRMMEVDTVdHdnMKLS0tIHp6alVpN1IvQ2E5UEV0Zm1nQk53cWJQ
 WCtTN08wSXlCSktkaDlPRG9Wa0UKyLX9C4xDpcPIVFsimn4OmCWAKZ1IPxeSzgr0
 W6Shg1EWCeMm3dQVJ8O9mji4JW/SJHKwqlJvFTMPhIwcdIo=
 -----END AGE ENCRYPTED FILE-----
@@ -1,31 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDVrd2NzQSBTNk5O
 dmZTRnRnOU5JMHU4QitlWWMyaXhscm1aQWNQSWJmVjU3MHdvVmowClkrVTV6VVVV
 Q0tiWXlkcGtHS3AwTUtqYmJwdnowMXFLcGNYb1dVZmpVTGcKLT4gc3NoLWVkMjU1
 MTkgM0JjcjF3IGVpdFlFTUFZQS9IMzVaRkNHSHltcHV1QlFmYk1yRitvZjhZZzI2
 ZDlTR3MKQ0RKT0tWZ0JGOUZCMTk2bitENmxnZzc1VDloNktvaVJFdGxyaVFaMjhJ
 VQotPiBzc2gtZWQyNTUxOSA5ZDRZSVEgdmw1MTg1R3lLR1NFNGUzQXpnUS9TNjRq
 czVtYlFzUmJnbmJ1c3JFRVZCQQoyYzBmQzdPbFVyU3diWlNuc1JoaHptOTFCUFBX
 RFpDZk4rWHByOGp2bkJFCi0+IHNzaC1lZDI1NTE5IDROTEtydyBIZWdsejNPVkdZ
 dkN3Z1FLTkNCVTdKSHNIOGU4UUUwdklhS0oxMlc5ekVjCnNZL0ZsV1VMU1p0eEFp
 YzBOdndIRzB3KzZXNGRFaHBpVDQ4Wm1jb2E1Z1kKLT4gc3NoLWVkMjU1MTkgYzRO
 UWxBIGFteVpubkxhcm80VEllY1llYkx4YXRTRHU4clNwK1F1SWlMTWxtMTYvRncK
 YjhvRXBod2I5dUZaWGlyOHcwa3MvWjNPOCtKendiMk9zVE5mVlpTS1RVMAotPiBz
 c2gtcnNhIERRbEU3dwpoenRXZkF2ck1LWDhxK25ldG1HVmRzVEh4TVNuaTdwQmVW
 eW80TE5kYzd5YkFpZXZhdWVSdEh4VTA2TzhnMzNsCkZud1AvTUdWSHJtOWtEZzlj
 ai9SdG1PRUtCN3VWQXlyamVpV1dWTEZkaFZpZHIxQ0c0eHIva1dzeDN6MlJla24K
 dXcrNUxUWVdMTFpaRk1YbkszazNDdFhuSVdxbE9rVHNNWDBvbDF4WGlWT0d5RTJR
 WmxCSFAzbDVVNWJneWhJZApPVnozRkRsS2J2VkFRVEpDVWJicmhhWXA0eVEvZFEz
 eWtsY3ZaNEk1MzlDYVJDb09lZGRsVk9YMXhyOWJsNmJYCk5HRTRjb0RrdlRydjNs
 T3prdXMvbnF0Y0FlL0VUbHNuVzZPNWJSK09TdEpuVU83dytiUDJRbmpFazludkkz
 d3AKUUp6TkVWSWRHMkozR0lQR1JlNmZ5Nk05WkUwbWJaODUzNmJIVkNEazVRcFFO
 ZnVZengyeFhQSlFsbUlta0tPRwo5OURlRTlPNERLWlF6aE9QaS91T0kyb2tIS0kz
 L0FYNjhWVWp1Q2xqUVRialcyWkhXbTJwU0R5VmVkbE1GeGEyCmROTFErS2VsMEo1
 VHdta2RObmtwMWtJTzRuaEhRbTFFbEE0V1RKbUk3SCtLWlE1cHR5c09ncThxbVY1
 cnRETkUKCi0+IHNzaC1lZDI1NTE5IENTTXloZyBZbW1NSStwWGd5RE1kRkk5aTZX
 alZtUWk5M3pnU1ZTSFU5UExnS0d4NkcwCjAvblBmUG5MUVVTOEpncjJjY0I1QzN1
 eVVNMlVZenJ6MzVDRXFaMVgxREUKLS0tIFIwd1ZtanJuU0Q2Ym9kN3lSS1NtQlky
 NC93UWJXa0tXTUVON3NmNVpUR0kKX71fenkAzKU3aIHFjLTpemNxsc5unQTy9f1O
 jpfhFHRPG5HuUBtmi6Fuv2n8J8Gw70D0XKs6UgAYV5GY0Db1daJZRbgF9EExbadB
 JQm3DLy8LG6KAM250ooGHKJoJSfQ
 -----END AGE ENCRYPTED FILE-----