Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on GitLab:

git clone http://gitlab.com/anarcat/anarc.at.git
automatic federated post of /blog/on-dying
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index 8df34c22..7a589485 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -239,3 +239,7 @@ take care of reassigning copyright, see id:3c73defb03d3dc44df52aefa1655edf9@debi
 customer data mid:/64127ce6-d4e3-4108-ac0c-b113d9d7cb5a.*/ + following
 
 [[!tag draft]]
+
+
+<!-- posted to the federation on 2025-10-07T15:37:08.216083 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/115334566904968092"]]
\ No newline at end of file
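Review bot: this page still carries `[[!tag draft]]` two lines above the new `[[!mastodon]]` directive, so a draft was announced to the federation; if the draft tag is meant to hold a post back, the ikiwikitoot post-receive hook should skip pages tagged draft (the two posts federated just below are tagged for the planets, not as drafts). Separately, the hook writes the directive without a trailing newline (`\ No newline at end of file`), which makes the next human edit of each page a noisier diff; terminate the last line.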

automatic federated post of /blog/2020-09-30-presentation-tools
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
index 5bf9f95a..22366663 100644
--- a/blog/2020-09-30-presentation-tools.mdwn
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -206,3 +206,7 @@ See also [this X11 list][] and [this Wayland list][].
 [the README file accompanying the Kubecon rant presentation]: https://gitlab.com/anarcat/presentation-ethics/-/blob/master/README.md
 
 [[!tag debian-planet python-planet software review]]
+
+
+<!-- posted to the federation on 2025-10-07T15:36:59.966403 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/115334566363687946"]]
\ No newline at end of file

automatic federated post of /blog/2019-10-16-bus-factor
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2019-10-16-bus-factor.mdwn b/blog/2019-10-16-bus-factor.mdwn
index 45a205fd..81a75329 100644
--- a/blog/2019-10-16-bus-factor.mdwn
+++ b/blog/2019-10-16-bus-factor.mdwn
@@ -146,3 +146,7 @@ person" and "about half of the 13,000 most downloaded NPM packages are
 ONE PERSON".
 
 [[!tag debian-planet python-planet python software debian]]
+
+
+<!-- posted to the federation on 2025-10-07T15:36:51.747441 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/115334565824547685"]]
\ No newline at end of file

zfs progress update
diff --git a/software/zfs.md b/software/zfs.md
index 1a7726b6..952fe31f 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -471,7 +471,10 @@ example, how the `tank` was synced from marcos to its backup
 
     zfs snapshot tank/srv@tubman-$(date +%Y%m%d%H%M%S%z)
     zfs list -t snapshot
-    zfs send  tank/srv@tubman-20251002220034-0400 | pv -s 7.16T | ssh root@192.168.0.55 'zfs recv tank/srv'
+    zfs send tank/srv@tubman-20251002220034-0400 | pv -s 7.16T | ssh root@192.168.0.55 'zfs recv -s tank/srv'
+
+The `-s` flag allows for interrupted transfers to be resumed and
+requires the `extensible_dataset` feature to be enabled.
 
 This is not magic, and takes a long time:
 
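Review bot: the new paragraph should say which side `-s` belongs to and how a resume actually happens. `-s` is a `zfs receive` flag (the hunk adds it to the `zfs recv` end of the pipe, not to `zfs send`); after an interruption the partially received dataset carries a `receive_resume_token` property, and the transfer continues only when that token is handed to `zfs send -t <token>` piped into `zfs recv -s` again. Without that second step the flag on its own resumes nothing. Also state that `extensible_dataset` must be enabled on the receiving pool specifically.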
@@ -479,7 +482,10 @@ This is not magic, and takes a long time:
     11.9GiB 0:01:53 [ 105MiB/s] [>                                                                                                               ]   0% ETA 18:56:15
 
 ... but future syncs can be done incrementally with `-i -R`, see [this
-arch wiki doc](https://wiki.archlinux.org/title/ZFS#Incremental_Backups).
+arch wiki doc](https://wiki.archlinux.org/title/ZFS#Incremental_Backups). Notice how the `-s` flag was unfortunately not used
+here. This turned out to be:
+
+    7.18TiB 19:58:31 [ 104MiB/s] 
 
 But of course, there are tools that do all of this for you, see below.
 
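Review bot: "This turned out to be:" followed by the bare `pv` line leaves the reader to decode the figure; say it in words (the full initial send took just under 20 hours at about 104MiB/s, 7.18TiB in total). Make explicit that the regretted `-s` is the `zfs recv -s` resumable-receive flag and not the `pv -s 7.16T` size hint that appears in the same command. That size hint also undershoots the 7.18TiB actually sent; `zfs send -nvP <snapshot>` (dry run, verbose, parsable) reports the exact stream size to feed to `pv -s`.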

progress update
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index b6483bf4..b257bd3f 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -46,7 +46,7 @@ new NVMe drive.
   - [ ] boot the new box
   - [ ] nano-kvm-pcie order
   - [ ] nano-kvme-pcie installation
-- [ ] tubman replacement
+- [x] tubman replacement
   - [ ] label tubman2 (box-02)
   - [x] install 2x12tb drives
   - [ ] test all ports
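Review bot: "tubman replacement" is ticked `[x]` while its own sub-items "label tubman2 (box-02)" and "test all ports" are still `[ ]`; either leave the parent unchecked until the children are done or move the outstanding children out from under it, otherwise the checklist reads as complete when it is not.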
@@ -66,15 +66,15 @@ new NVMe drive.
         - [x] line out (green)
         - [ ] mic in
         - [ ] headphones
-  - [ ] sync ZFS snapshot
+  - [x] sync ZFS snapshot
   - [x] nano-kvm-pcie installation
-  - [ ] move box
-  - [ ] install m2 drive
-  - [ ] move 1xSSD drive in new box
-  - [ ] move 1x8TB and 1x4TB into new box
-  - [ ] resync array
-  - [ ] remove 1x8tb drive, add 1x4tb (end result: 16TB storage)
-  - [ ] bring back 2x8TB for tubman2
+  - [x] move box
+  - [x] install m2 drive
+  - [~] move 1xSSD drive in new box
+  - [~] move 1x8TB and 1x4TB into new box
+  - [~] resync array
+  - [~] remove 1x8tb drive, add 1x4tb (end result: 16TB storage)
+  - [x] bring back 2x8TB and 2x4TB for tubman3
 - [ ] tubman3 setup (ex-marcos body)
   - [ ] install new memory stick
   - [ ] nano-kvm-pcie order
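Review bot: `[~]` is a checkbox state used nowhere else on this page and not rendered by markdown task lists; add a one-line legend next to the list (e.g. `[~]` = in progress). The last item changed meaning as well as state: "bring back 2x8TB for tubman2" became "bring back 2x8TB and 2x4TB for tubman3", while the sibling items still say "move 1x8TB and 1x4TB into new box" and "remove 1x8tb drive, add 1x4tb (end result: 16TB storage)", and the Status text on this page lists tubman with 2x8TB and 2x4TB; check that the 4TB drives add up across the three boxes, or note where the extra pair comes from.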

more presentation tools
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
index 0d2178b0..5bf9f95a 100644
--- a/blog/2020-09-30-presentation-tools.mdwn
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -86,6 +86,11 @@ keep up to date.
  * PDF export, presenter notes, outline view, etc
  * [Home page](https://libreoffice.org/discover/impress/), [screenshots](https://libreoffice.org/discover/screenshots/)
 
+## Lookatme
+
+ * TUI, markdown
+ * [Github](https://github.com/d0c-s4vage/lookatme)
+
 ## Magicpoint
 
  * ancestor of everyone else (1997!)
@@ -94,11 +99,10 @@ keep up to date.
  * no release since 2008
  * [Home page](http://member.wide.ad.jp/wg/mgp/)
 
-## mdp and lookatme (commandline)
+## mdp
 
  * Commandline-only, markdown
  * [Home page](https://github.com/visit1985/mdp)
- * [lookatme](https://github.com/d0c-s4vage/lookatme) is similar
 
 ## Pampi
 
@@ -134,6 +138,11 @@ Others just [use their IDE directly](https://staltz.com/your-ide-as-a-presentati
  * [Home page](https://wiki.gnome.org/Attic/Pinpoint)
  * Abandoned since at least 2019
 
+## Presenterm
+
+ * TUI, markdown, rust
+ * [Homepage](https://mfontanini.github.io/presenterm/)
+ 
 ## Remark
 
  * In-browser, HTML/Markdown/Javascript based
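Review bot: the blank line after the Presenterm bullets (`+ `) carries a trailing space; strip it so the separator is a real empty line. The link label "Homepage" also breaks with the "Home page" used by Magicpoint, mdp and Pinpoint in this list; keep the label consistent.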

another bus factor article
diff --git a/blog/2019-10-16-bus-factor.mdwn b/blog/2019-10-16-bus-factor.mdwn
index af35c843..45a205fd 100644
--- a/blog/2019-10-16-bus-factor.mdwn
+++ b/blog/2019-10-16-bus-factor.mdwn
@@ -141,4 +141,8 @@ I should probably rephrase as "most projects have a bus factor of one"
 The new research also implies that the trend is getting worse, with
 the kernel moving from 57 to 12, for example.
 
+Another update: [this blog post](https://opensourcesecurity.io/2025/08-oss-one-person/) argues that "Open Source is one
+person" and "about half of the 13,000 most downloaded NPM packages are
+ONE PERSON".
+
 [[!tag debian-planet python-planet python software debian]]
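Review bot: give this addition a date as its own lead-in ("Another update, <month year>:") so readers can place it relative to "the new research" in the paragraph above; the URL path (`2025/08-oss-one-person`) suggests August 2025, but state the date the post itself carries rather than relying on the path.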

another post
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index 064e9cc7..8df34c22 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -236,5 +236,6 @@ especially vintage/collection stuff, see a1584df8-55b5-4aa7-a991-55fc1f0f5e64@de
 
 take care of reassigning copyright, see id:3c73defb03d3dc44df52aefa1655edf9@debian.org
 
+customer data mid:/64127ce6-d4e3-4108-ac0c-b113d9d7cb5a.*/ + following
 
 [[!tag draft]]

nice 3d part
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index e95f9fe7..8c96187f 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2198,7 +2198,8 @@ USB-C|blog/2023-02-10-usb-c]]. I'm using a Dell
    now shipping as of 2023)
  * [votes seem to go towards Ethernet and full-sized SD card
    reader](https://community.frame.work/t/what-new-expansion-card-types-do-you-want-to-see-released/193)
- * [3D printed expansion card holder](https://www.printables.com/model/328421-framework-laptop-expansion-card-holder)
+ * [3D printed expansion card holder](https://www.printables.com/model/328421-framework-laptop-expansion-card-holder), [3-cards holder made by tvaz
+   for me!](https://www.thingiverse.com/thing:7158462), remix of this [2-card one](https://www.thingiverse.com/thing:6942670)
  * [LTE modem card](https://store.liberatedsystems.co.uk/product/opencom-lte/) ([design thread](https://community.frame.work/t/lte-cat-4-cell-modem-card/9454))
  * [ESP32-S3 expansion card](https://spacehuhn.store/products/framework-esp32-s3-expansion-card) ([source](https://github.com/SpacehuhnTech/framework), [video](https://www.youtube.com/watch?v=IML9c_MsyQU))
  * [UART adapter](https://www.tindie.com/products/i2c-labs/uart-expansion-card/), [CAN](https://community.frame.work/t/can-bus-expansioncard/35166/17), [RS485](https://www.medo64.com/2022/11/rs485-framework-expansion-card-ftdi-edition/) adapters, [logic analyzer](https://community.frame.work/t/16-channel-usb3-2-logic-analyzer/29727)

zfs: clarify snapshots section has more info
diff --git a/software/zfs.md b/software/zfs.md
index aa3e4d0a..1a7726b6 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -430,6 +430,10 @@ powerful *and* scary!
 
 # Snapshots
 
+ZFS, of course, supports snapshots and they are pretty powerful.
+
+## Example commands
+
 Creating:
 
     zfs snapshot pool/volume@LABEL
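Review bot: "ZFS, of course, supports snapshots and they are pretty powerful." adds nothing the heading does not; either drop it or make it carry the two facts the rest of the section relies on, that snapshots are read-only point-in-time copies that cost almost nothing to create, and that they are the unit `zfs send` ships between pools. Also check that the new "Example commands" sub-heading is meant to scope only the create/list/destroy commands that follow, since "Copying snapshots around" and "Automated snapshots" later in the file sit at the same level.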

zfs: expand on pool expansion, snapshot copy example
diff --git a/software/zfs.md b/software/zfs.md
index 81b655db..aa3e4d0a 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -298,34 +298,68 @@ You want to grow this array with two more mirrored drives.
             echo crypt_dev_$disk UUID=$(lsblk -n -o UUID /dev/$disk | head -1) /etc/luks/crypt_dev_$disk luks,discard | tee -a /etc/crypttab
         done
 
-    The above will ask you for the encryption key *four* times, but
-    will not require typing it on boot *while* simultaneously allowing
-    recovery without the key file.
+    The above will ask you for the encryption key *four* times *per
+    drive* (so *eight* times above!), but will not require typing it
+    on boot *while* simultaneously allowing recovery without the key
+    file.
 
  3. add the drives as a mirror vdev to the pool:
 
-        root@marcos:/home/anarcat# zpool add -n tank mirror /dev/sdb2 /dev/sdd2
+        zpool add -n tank mirror /dev/mapper/crypt_dev_sdd1 /dev/mapper/crypt_dev_sde1
+ 
+    Notice how we use `-n` to simulate the result here, which makes
+    this just a simulation, for example:
+
+        root@marcos:/home/anarcat# zpool add -n tank mirror /dev/mapper/crypt_dev_sdd1 /dev/mapper/crypt_dev_sde1
         would update 'tank' to the following configuration:
-        
+
                 tank
                   mirror-0
                     crypt_dev_sdb1
                     crypt_dev_sdc1
                   mirror
-                    sdb2
-                    sdd2
+                    crypt_dev_sdd1
+                    crypt_dev_sde1
+
+    To actually do this, run it without `-n`:
+
+        zpool add tank mirror /dev/mapper/crypt_dev_sdd1 /dev/mapper/crypt_dev_sde1
+
+    ... which should produce no output, but should expand the
+    available size in the pool. Before:
+
+        root@marcos:/home/anarcat# zfs list
+        NAME   USED  AVAIL  REFER  MOUNTPOINT
+        tank  7.10T  40.4G    96K  none
+
+    After:
+
+        root@marcos:/home/anarcat# zfs list tank
+        NAME   USED  AVAIL  REFER  MOUNTPOINT
+        tank  7.10T  7.31T    96K  none
+
+    This adds another mirror, essentially turning the pool in a
+    RAID-10 mirror. See also the notes about RAID-Z and dRAID in the
+    pool creation above.
 
-    Notice how we use `-n` to simulate the result here. This adds another
-    mirror, essentially turning the pool in a RAID-10 mirror. See also
-    the notes about RAID-Z and dRAID in the pool creation above. 
-    
     Note that this is likely *not* the right time to change the pool
     layout: if you have a mirror layout, keep a mirror layout. If you
     have a RAID-Z layout, keep that layout as well, just make a new
     RAID-Z vdev instead.
 
-Note that you `zpool add`, you do *not* `zpool attach`: that would add
-a spare to a mirror, effectively.
+    Finally, note that you `zpool add`, you do *not* `zpool attach`:
+    that would add a spare to a mirror, effectively.
+
+# Shrinking a pool
+
+Note that if, for some reason, you want to *shrink* a pool back from
+(say) a two-mirror setup to a single mirror, you can easily remove a
+mirror from a pool and ZFS will, [apparently](https://forum.level1techs.com/t/solved-how-to-remove-vdev-from-zpool/192044/5), do the right thing:
+
+    zpool remove -n tank mirror
+
+Again, the `-n` here means "dry-run" and should be removed before
+running it.
 
 # Mounts
 
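Review bot: the dry run in the new "Shrinking a pool" section, `zpool remove -n tank mirror`, will not find a vdev called `mirror`; top-level vdevs are removed by the name `zpool status` prints for them, which for the vdev added above is `mirror-1` (the unnumbered `mirror` in the `zpool add -n` output only appears because the vdev did not exist yet). Worth stating next to "ZFS will, apparently, do the right thing": top-level vdev removal needs the `device_removal` pool feature, is refused when the pool contains a raidz top-level vdev or vdevs with different sector sizes, and leaves an indirect-mapping table behind in the pool. Two smaller points in the same hunk: `zpool attach` does not add a spare, it adds another member to an existing vdev (turning a two-way mirror into a three-way one), spares are added with `zpool add tank spare <dev>`; and "Notice how we use `-n` to simulate the result here, which makes this just a simulation" says the same thing twice, while "turning the pool in a RAID-10 mirror" should read "into".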
@@ -424,6 +458,27 @@ This is useful if you automate snapshot creation (like, say, with
 sanoid) and you have filesystems that have ridiculous disk usage
 because of old, useless snapshots.
 
+## Copying snapshots around
+
+You can copy snapshots between pools, and this can be done
+incrementally, as a backup system between two hosts. This is, for
+example, how the `tank` was synced from marcos to its backup
+(`tubman`):
+
+    zfs snapshot tank/srv@tubman-$(date +%Y%m%d%H%M%S%z)
+    zfs list -t snapshot
+    zfs send  tank/srv@tubman-20251002220034-0400 | pv -s 7.16T | ssh root@192.168.0.55 'zfs recv tank/srv'
+
+This is not magic, and takes a long time:
+
+    root@marcos:/home/anarcat# zfs send  tank/srv@tubman-20251002220034-0400 | pv -s 7.16T | ssh root@192.168.0.55 'zfs recv tank/srv'
+    11.9GiB 0:01:53 [ 105MiB/s] [>                                                                                                               ]   0% ETA 18:56:15
+
+... but future syncs can be done incrementally with `-i -R`, see [this
+arch wiki doc](https://wiki.archlinux.org/title/ZFS#Incremental_Backups).
+
+But of course, there are tools that do all of this for you, see below.
+
 ## Automated snapshots
 
 [Automatic snapshots](https://wiki.archlinux.org/title/ZFS#Automatic_snapshots) we configured with [sanoid](https://github.com/jimsalterjrs/sanoid), see the
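Review bot: the receiving side logs in as `root@192.168.0.55` to run `zfs recv`, so the key on marcos (the machine whose data is being protected) is also a root key for its backup. ZFS delegation covers this case: a dedicated account on tubman granted `zfs allow -u backup receive,create,mount tank/srv`, with the ssh key restricted to that command via `command=` in `authorized_keys`, gives the sender only what replication needs. Also, `zfs send  tank/srv@...` has a doubled space, and the sentence about `-i -R` should say that an incremental send requires the previous snapshot to still exist on both sides (the `-i` argument is that common snapshot), which is exactly why the retention tooling mentioned just below matters.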

crazy checklist
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 4b2a6f04..b6483bf4 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -20,21 +20,66 @@ boxes seem to be fully functional, not yet fully tested.
 - stressant ran
 - s-tui on second as well
 
-remaining issues
-
-- [ ] test all ports
-- [x] disk fans are always on
-- [x] first still has the stock fan, which are noticeably louder (but
-      seem to have more airflow)
-- [ ] figure out which machine and disk goes where
-- [ ] replace marcos?
-- [ ] label the boxes
-- [ ] `ssh-keys.tgz` doesn't load
-
 tubman has 2x8TB, 2x4TB and 2xSSD, can't fit inside this build without
 an expansion card or moving data from 8/4TB into 12TB. or by using a
 new NVMe drive.
 
+# Next steps
+
+- build issues:
+  - [x] disk fans are always on
+  - [x] first still has the stock fan, which are noticeably louder (but
+        seem to have more airflow)
+  - [x] make a working netboot in homelab
+  - [x] `ssh-keys.tgz` doesn't load
+- [x] figure out which machine and disk goes where
+  - box-02 will be remote, box-01 will be local... i meant it the
+    other way, but installed the kvm on box-02 because it was closer
+- [ ] marcos replacement
+  - [ ] label marcos2 (box-01)
+  - [ ] order new 1TB SSD drive?
+  - [ ] install new SSD drive
+  - [ ] halt
+  - [ ] move *one* NVMe drive
+  - [ ] install two old 8TB drives
+  - [ ] move the two 8TB drives
+  - [ ] boot the new box
+  - [ ] nano-kvm-pcie order
+  - [ ] nano-kvme-pcie installation
+- [ ] tubman replacement
+  - [ ] label tubman2 (box-02)
+  - [x] install 2x12tb drives
+  - [ ] test all ports
+    - front
+      - [x] front USB-A
+      - [ ] front USB-C
+      - [x] front combo audio
+      - [x] front power and led
+    - back 
+      - [x] network
+      - [x] HDMI-A-0
+      - [ ] HDMI-A-1
+      - [ ] display port
+      - [x] 6xUSB-A
+      - [x] wifi
+      - [ ] audio ports
+        - [x] line out (green)
+        - [ ] mic in
+        - [ ] headphones
+  - [ ] sync ZFS snapshot
+  - [x] nano-kvm-pcie installation
+  - [ ] move box
+  - [ ] install m2 drive
+  - [ ] move 1xSSD drive in new box
+  - [ ] move 1x8TB and 1x4TB into new box
+  - [ ] resync array
+  - [ ] remove 1x8tb drive, add 1x4tb (end result: 16TB storage)
+  - [ ] bring back 2x8TB for tubman2
+- [ ] tubman3 setup (ex-marcos body)
+  - [ ] install new memory stick
+  - [ ] nano-kvm-pcie order
+  - [ ] nano-kvm-pcie installation
+
 # Requirements
 
 [Posted the following on r/homelab](https://www.reddit.com/r/homelab/comments/1jnug3v/advice_for_a_modest_nashome_server/):
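Review bot: `nano-kvme-pcie installation` under "marcos replacement" is a typo for `nano-kvm-pcie`, as spelled in the three sibling items, and it survives into the later progress update; `back ` in the port checklist carries a trailing space. The dissolved "remaining issues" list had "replace marcos?" as an open question, and it returns here as a committed "marcos replacement" task with a full checklist; if that decision was taken, a sentence in the Status text above saying so would explain the new tree.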

automatic federated post of /blog/2025-09-30-proper-services
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2025-09-30-proper-services.md b/blog/2025-09-30-proper-services.md
index 16c6819b..dd3a12df 100644
--- a/blog/2025-09-30-proper-services.md
+++ b/blog/2025-09-30-proper-services.md
@@ -136,3 +136,7 @@ At work, of course, it's another (much better) story:
     hardware failure (through Ganeti and DRBD)
 
 [[!tag debian-planet debian sysadmin]]
+
+
+<!-- posted to the federation on 2025-09-30T11:00:13.515800 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/115293839765935614"]]
\ No newline at end of file

rewire new blog post
diff --git a/blog/2025-09-30-proper-services.md b/blog/2025-09-30-proper-services.md
index 8ee8a1c9..16c6819b 100644
--- a/blog/2025-09-30-proper-services.md
+++ b/blog/2025-09-30-proper-services.md
@@ -12,10 +12,18 @@ four things:
  2. documentation
  3. monitoring
  4. automation
- 5. high availability
+ 5. high availability (HA)
 
 Yes, I miscounted. This is why you need high availability.
 
+A service doesn't properly exist if it doesn't at least have the first
+3 of those. It will be harder to maintain without automation, and
+inevitably suffer prolonged outages without HA.
+
+# The five components of a proper service
+
+[[!toc levels=2]]
+
 ## Backups
 
 Duh. If data is maliciously or accidentally destroyed, you need a copy
@@ -34,8 +42,12 @@ most important parts are:
 - install/upgrade procedures (see automation)
 
 You probably know this is hard, and this is why you're not doing
-it. Do it anyways, you'll think it sucks, but you'll be really
-grateful for whatever scraps you wrote when you're in trouble.
+it. Do it anyways, you'll think it sucks, it will grow out of sync
+with reality, but you'll be really grateful for whatever scraps you
+wrote when you're in trouble.
+
+Any docs, in other words, is better than no docs, but are no excuse
+for doing the work correctly.
 
 ## Monitoring
 
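Review bot: "Any docs, in other words, is better than no docs, but are no excuse for doing the work correctly" mixes singular and plural and, more importantly, says the opposite of what the paragraph means; "Any docs ... are better than no docs, but are no excuse for not doing the work properly" (or "for skipping the work") fixes both.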
@@ -47,7 +59,7 @@ torture and is against the Geneva convention.
 Consider predictive algorithm to prevent failures, like "add storage
 within 2 weeks before this disk fills up". 
 
-This is harder than you think.
+This is also harder than you think.
 
 ## Automation
 
@@ -70,12 +82,13 @@ Make it not fail when one part goes down.
 
 Eliminate single points of failures.
 
-This is easier than you think, except for storage and DNS (which, I
-guess, means it's harder than you think too).
+This is easier than you think, except for storage and DNS ("naming
+things" not "HA DNS", *that* is easy), which, I guess, means it's
+harder than you think too.
 
-## Assessment
+# Assessment
 
-In the above 5 items, I check two:
+In the above 5 items, I currently check two in my lab:
 
  1. backups
  2. documentation
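Review bot: the parenthetical `("naming things" not "HA DNS", *that* is easy)` is hard to parse and can be read as saying naming things is the easy part. If the intent is that serving DNS with high availability is easy while the "naming things" problem is what makes DNS hard, say it in that order, e.g. "except for storage and for DNS in the naming-things sense (highly available DNS serving itself is the easy part)".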
@@ -104,3 +117,22 @@ building things now, and that's just really sad, because I feel
 [[we're losing|2025-03-21-losing-war-internet]] (well that escalated
 quickly).
 
+## Side note about Tor
+
+The above applies to my personal home lab, not work!
+
+At work, of course, it's another (much better) story:
+
+ 1. all services have backups
+ 2. lots of services are well documented, but not all
+ 3. most services have at least basic monitoring
+ 4. most services are Puppetized, but not crucial parts (DNS, LDAP,
+    Puppet itself), and there are important chunks of legacy coupling
+    between various services that make the whole system brittle
+ 5. most websites, DNS and large parts of email are highly available,
+    but key services like the the Forum, GitLab and similar
+    applications are not HA, although most services run under
+    replicated VMs that can trivially survive a total, single-node
+    hardware failure (through Ganeti and DRBD)
+
+[[!tag debian-planet debian sysadmin]]
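Review bot: "the the Forum" doubles the article. The heading "Side note about Tor" only identifies Tor through "At work" in the body; since the section is the work-side assessment, a heading such as "Side note about work (Tor)" would match what follows.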

spin off "proper services" into its own blog post
diff --git a/blog/2025-03-21-another-home-outage.md b/blog/2025-03-21-another-home-outage.md
index ac3a6b2c..ebdb81fd 100644
--- a/blog/2025-03-21-another-home-outage.md
+++ b/blog/2025-03-21-another-home-outage.md
@@ -52,106 +52,13 @@ deploy the other mitigations I had deployed in the previous incident.
 But I'm starting to seriously consider deploying a web (and caching)
 reverse proxy so that I endure such problems more gracefully.
 
-# Side note on proper servics
+# Side note on proper services
 
-Typically, I tend to think of a properly functioning service as having
-four things:
+Well that was dumb. I wrote this clever piece on what's a properly ran
+service and originally shoved it deep inside this service note instead
+of making a blog article.
 
- 1. backups
- 2. documentation
- 3. monitoring
- 4. automation
- 5. high availability
-
-Yes, I miscounted. This is why you have high availability.
-
-## Backups
-
-Duh. If data is maliciously or accidentally destroyed, you need a copy
-somewhere. Preferably in a way that malicious joe can't get to.
-
-This is harder than you think.
-
-## Documentation
-
-I have an entire [template](https://gitlab.torproject.org/tpo/tpa/wiki-replica/-/raw/master/service/template.md?ref_type=heads) for this. Essentially, it boils down to
-using <https://diataxis.fr/> and [this "audit" guide](https://bluesock.org/~willkg/blog/dev/auditing_projects.html). For me, the
-most important parts are:
-
-- disaster recovery (includes backups, probably)
-- playbook
-- install/upgrade procedures (see automation)
-
-You probably know this is hard, and this is why you're not doing
-it. Do it anyways, you'll think it sucks, but you'll be really
-grateful for whatever scraps you wrote when you're in trouble.
-
-## Monitoring
-
-If you don't have monitoring, you'll know it fails too late, and you
-won't know it recovers. Consider high availability, work hard to
-reduce noise, and don't have machine wake people up, that's literally
-torture and is against the Geneva convention.
-
-Consider predictive algorithm to prevent failures, like "add storage
-within 2 weeks before this disk fills up". 
-
-This is harder than you think.
-
-## Automation
-
-Make it easy to redeploy the service elsewhere.
-
-Yes, I know you have backups. That is not enough: that typically
-restores data and while it can also include configuration, you're
-going to need to change things when you restore, which is what
-automation (or call it "configuration management" if you will) will do
-for you anyways.
-
-This also means you can do unit tests on your configuration, otherwise
-you're building legacy.
-
-This is probably as hard as you think.
-
-## High availability
-
-Make it not fail when one part goes down.
-
-Eliminate single points of failures.
-
-This is easier than you think, except for storage and DNS (which, I
-guess, means it's harder than you think too).
-
-## Assessment
-
-In the above 5 items, I check two:
-
- 1. backups
- 2. documentation
-
-And barely: I'm not happy about the offsite backups, and my
-documentation is much better at work than at home (and even there, I
-have a 15 year backlog to catchup on).
-
-I barely have monitoring: Prometheus is scraping parts of the infra,
-but I don't have any sort of alerting -- by which I don't mean
-"electrocute myself when something goes wrong", I mean "there's a set
-of thresholds and conditions that define an outage and I can look at
-it".
-
-Automation is wildly incomplete. My home server is a random collection
-of old experiments and technologies, ranging from Apache with Perl and
-CGI scripts to Docker containers running Golang applications. Most of
-it is not Puppetized (but the ratio is growing). Puppet itself
-introduces a huge attack vector with kind of catastrophic lateral
-movement if the Puppet server gets compromised.
-
-And, fundamentally, I am not sure I can provide high availability in
-the lab. I'm just this one guy running my home network, and I'm
-growing older. I'm thinking more about winding things down than
-building things now, and that's just really sad, because I feel
-[[we're losing|2025-03-21-losing-war-internet]] (well that escalated
-quickly).
+That is now fixed, see [[2025-09-30-proper-services]] instead.
 
 # Resolution
 
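Review bot: "what's a properly ran service" should be "properly run service" (past participle), and the same phrase is carried into the new post's lead quote. The pointer "That is now fixed, see [[2025-09-30-proper-services]] instead" is the right move, but the removed Assessment text held the one security-relevant finding of this retrospective (Puppet as a lateral-movement vector if the Puppet server is compromised, and the absence of alerting); a one-line summary next to the link would keep the incident note readable on its own.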
@@ -180,4 +87,4 @@ Times are in UTC-4.
 
 
 <!-- posted to the federation on 2025-03-22T00:25:20.116787 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/114204181784093630"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/114204181784093630"]]
diff --git a/blog/2025-09-30-proper-services.md b/blog/2025-09-30-proper-services.md
new file mode 100644
index 00000000..8ee8a1c9
--- /dev/null
+++ b/blog/2025-09-30-proper-services.md
@@ -0,0 +1,106 @@
+[[!meta title="Proper services"]]
+
+> During [[2025-03-21-another-home-outage]], I reflected upon what's a
+> properly ran service and blurted out what turned out to be something
+> important I want to outline more. So here it is, again, on its own
+> for my own future reference.
+
+Typically, I tend to think of a properly functioning service as having
+four things:
+
+ 1. backups
+ 2. documentation
+ 3. monitoring
+ 4. automation
+ 5. high availability
+
+Yes, I miscounted. This is why you need high availability.
+
+## Backups
+
+Duh. If data is maliciously or accidentally destroyed, you need a copy
+somewhere. Preferably in a way that malicious Joe can't get to.
+
+This is harder than you think.
+
+## Documentation
+
+I have an entire [template](https://gitlab.torproject.org/tpo/tpa/wiki-replica/-/raw/master/service/template.md?ref_type=heads) for this. Essentially, it boils down to
+using <https://diataxis.fr/> and [this "audit" guide](https://bluesock.org/~willkg/blog/dev/auditing_projects.html). For me, the
+most important parts are:
+
+- disaster recovery (includes backups, probably)
+- playbook
+- install/upgrade procedures (see automation)
+
+You probably know this is hard, and this is why you're not doing
+it. Do it anyways, you'll think it sucks, but you'll be really
+grateful for whatever scraps you wrote when you're in trouble.
+
+## Monitoring
+
+If you don't have monitoring, you'll know it fails too late, and you
+won't know it recovers. Consider high availability, work hard to
+reduce noise, and don't have machine wake people up, that's literally
+torture and is against the Geneva convention.
+
+Consider predictive algorithm to prevent failures, like "add storage
+within 2 weeks before this disk fills up". 
+
+This is harder than you think.
+
+## Automation
+
+Make it easy to redeploy the service elsewhere.
+
+Yes, I know you have backups. That is not enough: that typically
+restores data and while it can also include configuration, you're
+going to need to change things when you restore, which is what
+automation (or call it "configuration management" if you will) will do
+for you anyways.
+
+This also means you can do unit tests on your configuration, otherwise
+you're building legacy.
+
+This is probably as hard as you think.
+
+## High availability
+
+Make it not fail when one part goes down.
+
+Eliminate single points of failures.

(Diff truncated)
marcos v3 progress update
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 85d1d18d..4b2a6f04 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -5,6 +5,36 @@ shapes of form. I also piggy-back an external NAS/media server build
 to server as a backup for the media, but that I'm also considering as
 a full marcos replacement if it works well.
 
+# Status
+
+two replacements built, based on iteration 7 below.
+
+provisional names:
+
+- box-01: first server built by myself, two 8GB RAM sticks, two 12TB
+  HDDs
+- box-02: second server built, one 16GB stick, no disks
+
+boxes seem to be fully functional, not yet fully tested.
+
+- stressant ran
+- s-tui on second as well
+
+remaining issues
+
+- [ ] test all ports
+- [x] disk fans are always on
+- [x] first still has the stock fan, which are noticeably louder (but
+      seem to have more airflow)
+- [ ] figure out which machine and disk goes where
+- [ ] replace marcos?
+- [ ] label the boxes
+- [ ] `ssh-keys.tgz` doesn't load
+
+tubman has 2x8TB, 2x4TB and 2xSSD, can't fit inside this build without
+an expansion card or moving data from 8/4TB into 12TB. or by using a
+new NVMe drive.
+
 # Requirements
 
 [Posted the following on r/homelab](https://www.reddit.com/r/homelab/comments/1jnug3v/advice_for_a_modest_nashome_server/):
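Review bot: the new Status section starts its sentences in lowercase ("two replacements built", "boxes seem to be fully functional", "remaining issues" without a colon) while the rest of the page uses full sentences; "first still has the stock fan, which are noticeably louder" also mismatches number ("fans, which are" or "fan, which is"). The context line above the hunk, "to server as a backup for the media", should read "to serve".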

another week another launcher
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index a9eb2d05..a9980a74 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -633,6 +633,7 @@ profusion of options:
 | [sirula][]              | no              | `.desktop` based app launcher                                            |
 | [Ulauncher][]           | [ITP 949358][]  | generic launcher like Onagre/rofi/alfred, might be overkill              |
 | [tofi][]                | yes, bookworm+  | dmenu/drun replacement, C                                                |
+| [walker][]              | no              | general launcher, dmenu, custom menus, calculator, browser, rust         |
 | [wlr-which-key][]       | no              | key-driven, limited but simple launcher, inspired by which-key.nvim      |
 | [wmenu][]               | no              | fork of dmenu-wl, but mostly a rewrite                                   |
 | [Wofi][]                | yes             | dmenu/drun replacement, not actively maintained                          |
@@ -701,6 +702,7 @@ Note that [wlogout][] could be a partial replacement (just for the
 [ydotool]: https://github.com/ReimuNotMoe/ydotool
 [yofi]: https://github.com/l4l/yofi
 [πmenu]: https://github.com/phillbush/pmenu
+[walker]: https://github.com/abenz1267/walker
 
 ### Fuzzel
 
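Review bot: the `[walker]` reference definition is appended after `[πmenu]`, but this block is otherwise alphabetical (`ydotool`, `yofi`, `πmenu`); insert it in order among the other `w` entries so the next addition does not land at the end too. The table row in the previous hunk is already placed correctly between tofi and wlr-which-key.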

worked more in immich
diff --git a/blog/mobile-massive-gallery.md b/blog/mobile-massive-gallery.md
index d118f103..2b82e60e 100644
--- a/blog/mobile-massive-gallery.md
+++ b/blog/mobile-massive-gallery.md
@@ -200,6 +200,88 @@ PostgreSQL).
 complicated, lots of microservices, unsure if i want to embark on
 testing again.
 
+update, 2025-09-09: bit the bullet. microservices are somewhat swept
+under the rug in the new docker compose file which is just 4 services:
+
+- immich-server
+- immich-machine-learning
+- redis: standard "upstream" ([r/valley/valkey](https://hub.docker.com/r/valkey/valkey)), could possibly be
+  replaced by a Debian package, although one would need to [set a
+  username and password](https://immich.app/docs/install/environment-variables#redis)
+- postgresql: more complicated, [immich-specific Dockerfile](https://github.com/immich-app/base-images/blob/main/postgres/Dockerfile) based
+  on a mix of [r/pgvector/pgvector](https://hub.docker.com/r/pgvector/pgvector), [VectorChord](https://github.com/tensorchord/VectorChord), and
+  [pgvector.rs](https://github.com/tensorchord/pgvecto.rs), pgvector is in Debian, but not the latter
+  two... the [upstream instructions](https://immich.app/docs/administration/postgres-standalone) indicate that pgvector.rs will
+  be "dropped in a future release", so presumably one would only need
+  to package VectorChord, pgvector being already packaged in Debian
+
+I can get behind that, I guess.
+
+So far, I've made a user, and duct-taped it into the docker-compose
+file. It caused some issues, because (e.g.) the postgresql container
+expects to run under user `999` otherwise it fails to start when
+trying to change the ownership of the data directory, so now I have
+those files owned by `systemd-coredump`, which is weird.
+
+The valkey container has the same issue.
+
+I hadn't set a PostgreSQL password in the `.env` file which broke
+everything once I did set a random one. Logging into the pg container
+with:
+
+    docker exec -it immich_postgres psql
+
+... and `\password` fixed the issue.
+
+In general, this works pretty well! The web app is shiny and generally
+works well, but shares the same problem as other "smart" (or "single
+page"?) apps that wrong state can persist and I often have to open a
+private tab to actually see changes. For example, `/admin/jobs-status`
+would see no active job in one window (even after force-reload), but
+a private tab would show active jobs.
+
+ML features don't work out of the box. This might be due, again, to my
+weird docker setup, but the containers can't dial out, so i had to
+download the repos by hand:
+
+```
+mkdir /srv/immich/model-cache
+chown immich /srv/immich/model-cache
+cd /srv/immich/model-cache
+mkdir clip facial-recognition
+cd clip
+sudo -u immich git clone https://huggingface.co/immich-app/ViT-B-32__openai
+cd ../facial-recognition
+sudo -u immich git clone https://huggingface.co/immich-app/buffalo_l
+```
+
+Then the compose file was hacked to point at that volume. This was
+guessed from [this comment](https://github.com/immich-app/immich/issues/6616#issuecomment-1907308406).
+
+I thought the models would be stupidly large, but they're about a
+dozen gigabytes, not bad.
+
+A few things are missing, I feel like. While, in theory, Immich seemed
+to support EXIF ratings out of the box, in practice there doesn't seem
+to be a way to *search* or filter for images matching a given rating.
+
+Also, I [can't login the android app](https://github.com/immich-app/immich/discussions/21757) and thumbnail generation is
+only 50% done after a couple hours of processing.
+
+Upgrades are another issue: presumably, i'll be notified of new
+upgrades and will need to kick the compose file.
+
+Finally, I haven't started indexing videos yet. So, next steps:
+
+- [x] fix android app
+- [x] finish thumbs indexing
+- [x] name people
+- [ ] index videos
+- [x] retire photoprism?
+- [ ] ask upstream for rating search?
+- [x] see if we can "share a link" (primary reason for switching away
+      from photoprism)
+
 ## photoview
 
 refreshing: single go binary
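Review bot: the model-cache block starting at `mkdir /srv/immich/model-cache` has a permission problem: `chown immich /srv/immich/model-cache` only changes the top-level directory, and the following `mkdir clip facial-recognition` runs as root, so `sudo -u immich git clone ...` into those root-owned subdirectories should fail with a permission error unless the umask is unusually permissive; run the `mkdir` as `immich` as well, or `chown -R immich /srv/immich/model-cache` after creating them. Two smaller points: the link text `r/valley/valkey` does not match its target (`hub.docker.com/r/valkey/valkey`), and since the PostgreSQL password now lives in the `.env` file next to the compose file, it is worth saying that this file should be readable only by the user running `docker compose` (the same `999` uid mix-up described above shows how easily ownership drifts in this setup).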

rename main page to .md to please gitlab preview
diff --git a/index.mdwn b/index.md
similarity index 100%
rename from index.mdwn
rename to index.md

HDDs shipped, amazon is getting late
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index cacd3f60..85d1d18d 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -740,11 +740,14 @@ shipped, tracking numbers are kept in email.
 
 - [x] Memory Express (2 CPUs, shipped)
 - [x] PC Canada (2 mobos, shipped)
-- [ ] WD (2 HDDs, shipped)
+- [x] WD (2 HDDs, shipped)
 - [x] Newegg (2 cases, shipped)
 - [x] Newegg (1 fan, shipped, lost, filed a claim at newegg, new one
       shipped, and got *two* at once!?)
-- [ ] Amazon Canada (2 PSUs, shipped, in progress)
+- [ ] Amazon Canada (2 PSUs, shipped, in progress, was supposed to
+      arrive 5-10 sept, but is not yet "out for delivery" and the
+      shipper (loomis) doesn't know about amazon's tracking number,
+      suspicious)
 - [x] Amazon Canada (2x SATA cable bundles, shipped)
 - [x] Amazon Canada (2x USB-E converter, shipped)
 - [x] Amazon Canada (2x 20-pin/9pin converter, shipped)

fix margaret links
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 4ba4e616..336d567d 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -1,7 +1,7 @@
 Margaret is the name of my new core router in the home lab. It is
 named after:
 
-> [Margaret Elaine Hamilton](https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer)) (née Heafield; born August 17, 1936)
+> [Margaret Elaine Hamilton][] (née Heafield; born August 17, 1936)
 > is an American computer scientist, systems engineer, and business
 > owner. She was director of the Software Engineering Division of the
 > MIT Instrumentation Laboratory, which developed on-board flight
@@ -11,7 +11,7 @@ named after:
 >
 > Hamilton has published more than 130 papers, proceedings, and
 > reports, about sixty projects, and six major programs. She invented
-> the term "software engineering". -- [Wikipedia](https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer))
+> the term "software engineering". -- [Wikipedia][]
 
 Hamilton wrote the software that landed men on the moon, yet no woman
 has yet to have that privilege.
@@ -21,6 +21,9 @@ has yet to have that privilege.
 > engineering as part of the overall systems engineering process. --
 > Margaret Hamilton
 
+[Margaret Elaine Hamilton]: https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer)
+[Wikipedia]: https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer)
+
 # Specifications
 
 The machine is currently implemented using a [Protectli FW2B](https://ca.protectli.com/product/fw2b/) with

fix typo, thanks @wheresalice@social.gfsc.studio
diff --git a/blog/2025-08-20-luks-ukify-conversion.md b/blog/2025-08-20-luks-ukify-conversion.md
index fed96793..6154a2e8 100644
--- a/blog/2025-08-20-luks-ukify-conversion.md
+++ b/blog/2025-08-20-luks-ukify-conversion.md
@@ -188,7 +188,7 @@ We assume 512 byte sectors here. Check your sector size with `fdisk
 
  6. Re-encrypt filesystem:
 
-        cryptsetup reencrypt --encrypt /dev/nvme0n1p2 --redice-device-size=32M
+        cryptsetup reencrypt --encrypt /dev/nvme0n1p2 --resize-device-size=32M
 
     This is it! This is the most important step! Make sure your laptop
     is plugged in and try not to interrupt it. This can, apparently,
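Review bot: the corrected flag is still not a cryptsetup option: `cryptsetup reencrypt` takes `--reduce-device-size`, not `--resize-device-size`, so the fixed line should read `cryptsetup reencrypt --encrypt /dev/nvme0n1p2 --reduce-device-size=32M`. An unknown option makes cryptsetup fail early rather than mid-reencryption, which is the lesser evil given the "try not to interrupt it" warning right below, but a reader copying the guide still ends up with a command that does not run.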

newegg snafu continues
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 6f871e54..cacd3f60 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -742,7 +742,8 @@ shipped, tracking numbers are kept in email.
 - [x] PC Canada (2 mobos, shipped)
 - [ ] WD (2 HDDs, shipped)
 - [x] Newegg (2 cases, shipped)
-- [ ] Newegg (1 fan, shipped, lost? filed a claim at newegg)
+- [x] Newegg (1 fan, shipped, lost, filed a claim at newegg, new one
+      shipped, and got *two* at once!?)
 - [ ] Amazon Canada (2 PSUs, shipped, in progress)
 - [x] Amazon Canada (2x SATA cable bundles, shipped)
 - [x] Amazon Canada (2x USB-E converter, shipped)

fetched *some* of the missing gear from purolator, filed a claim with newegg on the other
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 8d270d68..6f871e54 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -739,9 +739,9 @@ received. Boxes are checked when received, a note is added when
 shipped, tracking numbers are kept in email.
 
 - [x] Memory Express (2 CPUs, shipped)
-- [ ] PC Canada (2 mobos, shipped, bounced at Purolator)
+- [x] PC Canada (2 mobos, shipped)
 - [ ] WD (2 HDDs, shipped)
-- [ ] Newegg (2 cases, shipped, held at delivery center)
+- [x] Newegg (2 cases, shipped)
 - [ ] Newegg (1 fan, shipped, lost? filed a claim at newegg)
 - [ ] Amazon Canada (2 PSUs, shipped, in progress)
 - [x] Amazon Canada (2x SATA cable bundles, shipped)

more shipping wtf
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 094f060e..8d270d68 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -741,10 +741,10 @@ shipped, tracking numbers are kept in email.
 - [x] Memory Express (2 CPUs, shipped)
 - [ ] PC Canada (2 mobos, shipped, bounced at Purolator)
 - [ ] WD (2 HDDs, shipped)
-- [ ] Newegg (2 cases, shipped)
-- [ ] Newegg (1 fan, shipped)
-- [ ] Amazon Canada (2 PSUs, shipped)
+- [ ] Newegg (2 cases, shipped, held at delivery center)
+- [ ] Newegg (1 fan, shipped, lost? filed a claim at newegg)
+- [ ] Amazon Canada (2 PSUs, shipped, in progress)
 - [x] Amazon Canada (2x SATA cable bundles, shipped)
-- [ ] Amazon Canada (2x USB-E converter, shipped)
+- [x] Amazon Canada (2x USB-E converter, shipped)
 - [x] Amazon Canada (2x 20-pin/9pin converter, shipped)
 - [ ] Friend (memory)

price beat worked!
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 5c3cd67d..094f060e 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -687,7 +687,7 @@ Type|Item|Price
 
 Type|Item|Price
 :----|:----|:----
- **CPU** | 2x[AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box) | $179.99 @ Memory Express
+ **CPU** | 2x[AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box) | $157.99 @ Memory Express
  | **Total Memory Express** | **$377.34**
  **Motherboard** | 2x[Gigabyte A520I AC Mini ITX AM4 Motherboard](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac) | $171.99 @ PC-Canada
  | **Total PC-Canada** | **$418.46**
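Review bot: the per-unit CPU price changes from `$179.99` to `$157.99`, but the `| **Total Memory Express** | **$377.34**` row directly below is left untouched; either the total already reflected the price beat (in which case the old unit price was the stale value) or it needs the roughly $40 (2 x $22) reduction that the notes further down say was saved. Worth a quick check so the per-vendor totals and the grand total stay consistent.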
@@ -717,8 +717,8 @@ A few notes:
   "Sorry, we can't complete your checkout right now. We’re working to
   fix this issue quickly." with a 30 second timer that i retried about
   a dozen times and eventually gave up. 
-- tried a "price beat" at memory express to match the Best Buy price,
-  the above price is the normal ME price, but we could save 40$ there
+- the Memory Express price is a "price beat" from the Bestbuy price,
+  which saved 40$
 - This is, obviously, much less than the original 1500$/build amount,
   but that's because the second build doesn't have 500$ of drives,
   obviously. Drives were actually 50$ cheaper than expected at WD,

realign totals
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index e2724862..5c3cd67d 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -702,7 +702,10 @@ Type|Item|Price
  **USB-3 adapter** | 2x20-pin USB-3.0 to 9-pin USB-2 converter |[14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon  Canada
  | **Total Amazon** | **$687.47**
  **Memory** | [2x8GB Gskill](https://www.gskill.com/product/165/184/1535941837/F4−2400C15D−16GVR) and Kingston Technology HyperX FURY Black16 GB CL15 DIMM DDR4 2400 MT/s Internal Memory (HX424C15FB/16) | 60$
- | **Total** | **$2555.03** or **~1280$** per build or **~1000$** for  the bare-bones build and **1500$** for the 2x12TB build
+ | **Total**          | **$2555.03**  |
+ | **Per build**      | **~1280$**    |
+ | **Without drives** | **~1050$**    |
+ | **With drives**    | **~1500$**    |
 
 A few notes:
 

fix table formatting, again
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index c5444b2e..e2724862 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -702,8 +702,7 @@ Type|Item|Price
  **USB-3 adapter** | 2x20-pin USB-3.0 to 9-pin USB-2 converter |[14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon  Canada
  | **Total Amazon** | **$687.47**
  **Memory** | [2x8GB Gskill](https://www.gskill.com/product/165/184/1535941837/F4−2400C15D−16GVR) and Kingston Technology HyperX FURY Black16 GB CL15 DIMM DDR4 2400 MT/s Internal Memory (HX424C15FB/16) | 60$
- | **Total** | **$2555.03** or **~1280$** per build or **~1000$** for
- the bare-bones build and **1500$** for the 2x12TB build
+ | **Total** | **$2555.03** or **~1280$** per build or **~1000$** for  the bare-bones build and **1500$** for the 2x12TB build
 
 A few notes:
 

fix table formatting
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index ff7e6ed7..c5444b2e 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -687,21 +687,21 @@ Type|Item|Price
 
 Type|Item|Price
 :----|:----|:----
-[x] **CPU** | 2x[AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box) | $179.99 @ Memory Express
+ **CPU** | 2x[AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box) | $179.99 @ Memory Express
  | **Total Memory Express** | **$377.34**
-[x] **Motherboard** | 2x[Gigabyte A520I AC Mini ITX AM4 Motherboard](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac) | $171.99 @ PC-Canada
+ **Motherboard** | 2x[Gigabyte A520I AC Mini ITX AM4 Motherboard](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac) | $171.99 @ PC-Canada
  | **Total PC-Canada** | **$418.46**
-[x] **Storage** | 2x[Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz) | $274.99 @ Western Digital 
+ **Storage** | 2x[Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz) | $274.99 @ Western Digital 
  | **Total WD** | **$498.73** (discount for "Buy More, Save More")
-[x] **Case** | 2x[Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) | $243.00 @ Newegg Sellers $558.78 total
-[x] **Case Fan** | [Noctua A12x15 PWM 55.44 CFM 120 mm Fan](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm) | $27.95 @ Newegg Sellers (delivered sept 4-11) $43.25 total
+ **Case** | 2x[Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) | $243.00 @ Newegg Sellers $558.78 total
+ **Case Fan** | [Noctua A12x15 PWM 55.44 CFM 120 mm Fan](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm) | $27.95 @ Newegg Sellers (delivered sept 4-11) $43.25 total
  | **Total newegg** | **$602.03**
-[x] **Power Supply** | 2x[Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) | $173.26 @ Amazon Canada 
-[x] **SATA cabling** | 2x 6x elbowed SATA cables | [29.99$](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1) @ Amazon Canada
-[x] **USB-E adapter** | 2x USB "E" connector to 20-pin USB 3.2 connector | [15.99$](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9) @ Amazon  Canada
-[x] **USB-3 adapter** | 2x20-pin USB-3.0 to 9-pin USB-2 converter |[14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon  Canada
+ **Power Supply** | 2x[Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) | $173.26 @ Amazon Canada 
+ **SATA cabling** | 2x 6x elbowed SATA cables | [29.99$](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1) @ Amazon Canada
+ **USB-E adapter** | 2x USB "E" connector to 20-pin USB 3.2 connector | [15.99$](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9) @ Amazon  Canada
+ **USB-3 adapter** | 2x20-pin USB-3.0 to 9-pin USB-2 converter |[14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon  Canada
  | **Total Amazon** | **$687.47**
-[ ] **Memory** | [2x8GB Gskill](https://www.gskill.com/product/165/184/1535941837/F4−2400C15D−16GVR) and Kingston Technology HyperX FURY Black16 GB CL15 DIMM DDR4 2400 MT/s Internal Memory (HX424C15FB/16) | 60$
+ **Memory** | [2x8GB Gskill](https://www.gskill.com/product/165/184/1535941837/F4−2400C15D−16GVR) and Kingston Technology HyperX FURY Black16 GB CL15 DIMM DDR4 2400 MT/s Internal Memory (HX424C15FB/16) | 60$
  | **Total** | **$2555.03** or **~1280$** per build or **~1000$** for
  the bare-bones build and **1500$** for the 2x12TB build
 

sync trixie upgrade guides
diff --git a/services/upgrades/trixie.md b/services/upgrades/trixie.md
index f92da5b3..5dbacaa5 100644
--- a/services/upgrades/trixie.md
+++ b/services/upgrades/trixie.md
@@ -37,12 +37,36 @@ to handle `clean_conflicts` output.
 This procedure *may* kill your graphical session, so make sure you
 can log back in over a serial console or virtual terminal.
 
+## Automated procedure
+
+Starting from Trixie, TPA started scripting the upgrade procedure
+altogether, which now lives in [Fabric](howto/fabric), under the `upgrade.major`
+task, and is being tested.
+
+In general, you should be able to run this from your workstation:
+
+    cd fabric-tasks
+    ttyrec -a -e tmux major-upgrade.log
+    fab -H test-01.torproject.org upgrade.major
+
+If a step fails, you can resume from that step with:
+
+    fab -H test-01.torproject.org upgrade.major --start=4
+
+By default, the script will be more careful: it will run upgrades in
+two stages, and prompt for NEWS items (but not config file diffs). You
+can skip those (and have the NEWS items logged instead) by using the
+`--reckless` flag. The `--autopurge` flag also cleans up stale
+packages at the end automatically.
+
+## Legacy procedure
+
  1. Preparation:
 
         echo reset to the default locale &&
         export LC_ALL=C.UTF-8 &&
         echo install some dependencies &&
-        sudo apt install ttyrec screen debconf-utils deborphan &&
+        sudo apt install ttyrec screen debconf-utils &&
         echo create ttyrec file with adequate permissions &&
         sudo touch /var/log/upgrade-trixie.ttyrec &&
         sudo chmod 600 /var/log/upgrade-trixie.ttyrec &&
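Review bot: the `fab -H test-01.torproject.org upgrade.major --start=4` example refers to step numbers that the Automated procedure section never defines; state whether they map to the numbered steps of the Legacy procedure below (so that `--start=4` means "resume at the download step") or to the task's own ordering, otherwise an operator resuming after a failure has to guess. A related gap: `--reckless` is documented as skipping the NEWS prompts, but it is not said whether the two-stage upgrade (minimal, then full) is also collapsed into one, which matters on hosts where the minimal pass is what keeps services up.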
@@ -62,7 +86,7 @@ can log back in over a serial console or virtual terminal.
         echo look for dkms packages and make sure they are relevant, if not, purge. &&
         ( dpkg -l '*dkms' || true ) &&
         echo look for leftover config files &&
-        /home/anarcat/src/koumbit-scripts/vps/clean_conflicts &&
+        /usr/local/sbin/clean_conflicts &&
         echo run backups &&
         /home/anarcat/bin/backup-$(hostname) &&
         printf "End of Step 2\a\n"
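Review bot: `clean_conflicts` is moved to `/usr/local/sbin/clean_conflicts`, but two lines later the backup step still runs `/home/anarcat/bin/backup-$(hostname)` out of a personal home directory; if the intent of this change is a procedure that works on TPA hosts where that home directory does not exist, the backup script needs the same treatment (or a note saying it is site-specific).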
@@ -75,10 +99,9 @@ can log back in over a serial console or virtual terminal.
         rm -f /etc/apt/preferences /etc/apt/preferences.d/* &&
         rm -f /etc/apt/sources.list.d/backports.debian.org.list &&
         rm -f /etc/apt/sources.list.d/backports.list &&
-        rm -f /etc/apt/sources.list.d/*-backports.list &&
         rm -f /etc/apt/sources.list.d/trixie.list &&
         rm -f /etc/apt/sources.list.d/bookworm.list &&
-        rm -f /etc/apt/sources.list.d/bullseye.list &&
+        rm -f /etc/apt/sources.list.d/*-backports.list &&
         rm -f /etc/apt/sources.list.d/experimental.list &&
         rm -f /etc/apt/sources.list.d/incoming.list &&
         rm -f /etc/apt/sources.list.d/proposed-updates.list &&
@@ -108,7 +131,6 @@ can log back in over a serial console or virtual terminal.
         apt -y -d upgrade &&
         apt -y -d dist-upgrade &&
         df -h &&
-        echo make sure host is silenced in monitoring &&
         printf "End of Step 4\a\n"
 
  5. Actual upgrade step. Put server in maintenance here.
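Review bot: dropping `echo make sure host is silenced in monitoring` from step 4 leaves the legacy procedure with no reminder to silence monitoring before the actual upgrade; the Fabric reboot later passes `--silence-ends-at="in 1 hour"`, but that only covers the reboot at the end of step 6, not the package upgrade itself. Unless step 5's "Put server in maintenance here" is meant to include silencing, keep the reminder there or move it into step 5.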
@@ -116,18 +138,27 @@ can log back in over a serial console or virtual terminal.
     Optional, minimal upgrade run (avoids new installs or removals):
 
         sudo touch /etc/nologin &&
-        env DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none UCF_FORCE_CONFFOLD=y \
-            apt upgrade --without-new-pkgs -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
+        env DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=log APT_LISTBUGS_FRONTEND=none UCF_FORCE_CONFFOLD=y \
+            apt upgrade --without-new-pkgs -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'
 
     Full upgrade:
 
         sudo touch /etc/nologin &&
-        env DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none UCF_FORCE_CONFFOLD=y \
+        env DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=log APT_LISTBUGS_FRONTEND=none UCF_FORCE_CONFFOLD=y \
             apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         printf "End of Step 5\a\n"
 
+    If this is a sensitive server, consider
+    `APT_LISTCHANGES_FRONTEND=pager` and reviewing the NEWS files
+    before continuing.
+
  6. Post-upgrade procedures:
 
+        : review the NEWS items &&
+        if [ -f /var/log/apt/listchanges.log ] ; then
+           less /var/log/apt/listchanges.log;
+        fi
+        &&
         apt-get update --allow-releaseinfo-change &&
         puppet agent --enable &&
         puppet agent -t --noop &&
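Review bot: the new prologue of step 6 is a shell syntax error as written: after `fi` the newline terminates the command, so a following line consisting of `&&` makes bash fail with `syntax error near unexpected token '&&'` and nothing after it runs. Put the operator on the same line (`fi &&`) or end the `fi` line with a backslash, as the `rm -f \` list in the same step already does. The `: review the NEWS items` comment-as-command is fine, but the `;` after `less ...` inside the `if` body is redundant.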
@@ -136,13 +167,28 @@ can log back in over a serial console or virtual terminal.
         (puppet agent -t || true) &&
         echo deploy upgrades after possible Puppet sources.list changes &&
         apt update && apt upgrade -y &&
-        echo rm -f /etc/apt/apt.conf.d/50unattended-upgrades.dpkg-dist /etc/ca-certificates.conf.dpkg-old /etc/cron.daily/bsdmainutils.dpkg-remove /etc/default/prometheus-apache-exporter.dpkg-dist /etc/default/prometheus-node-exporter.dpkg-dist /etc/logrotate.d/apache2.dpkg-dist /etc/nagios/nrpe.cfg.dpkg-dist /etc/ssh/ssh_config.dpkg-dist /etc/ssh/sshd_config.ucf-dist /etc/unbound/unbound.conf.dpkg-dist &&
+        rm -f \
+          /etc/ssh/ssh_config.dpkg-dist \
+          /etc/syslog-ng/syslog-ng.conf.dpkg-dist \
+          /etc/ca-certificates.conf.dpkg-old \
+          /etc/cron.daily/bsdmainutils.dpkg-remove \
+          /etc/systemd/system/fstrim.timer \
+          /etc/apt/apt.conf.d/50unattended-upgrades.ucf-dist \
+          /etc/bacula/bacula-fd.conf.ucf-dist \
+          &&
         printf "\a" &&
-        /home/anarcat/src/koumbit-scripts/vps/clean_conflicts &&
+        /usr/local/sbin/clean_conflicts &&
         systemctl start apt-daily.timer &&
         rm /etc/nologin &&
-        printf "End of Step 6\a\n" &&
-        shutdown -r +1 "major upgrade step 6: removing old kernel image"
+        printf "End of Step 6\a\n"
+
+    Reboot the host from Fabric:
+
+        fab -H test-01.torproject.org fleet.reboot-host \
+          --delay-shutdown-minutes=1 \
+          --reason="major upgrade: removing old kernel image" \
+          --force \
+          --silence-ends-at="in 1 hour"
 
  7. Post-upgrade cleanup:
 
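Review bot: in the `rm -f \` list, `/etc/systemd/system/fstrim.timer` is the odd one out: every other path is a `.dpkg-dist`, `.ucf-dist`, `.dpkg-old` or `.dpkg-remove` leftover, whereas a file at that path is a local override (or mask) of the package-provided `fstrim.timer` unit, so deleting it changes the host's behaviour rather than cleaning up a stale conffile. A short comment on why it goes, or a `systemctl cat fstrim.timer` look before removal, would keep this from surprising whoever runs the step next. The move from `shutdown -r +1` to `fleet.reboot-host --force` is consistent with the automated procedure above, but `--force` deserves a word on what confirmation it skips.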
@@ -155,10 +201,10 @@ can log back in over a serial console or virtual terminal.
         apt purge apt-forktracer &&
         echo purging removed packages &&
         apt purge '~c' && apt autopurge &&
-        echo try a deborphan replacement &&
+        echo trying a deborphan replacement &&
         apt-mark auto '~i !~M (~slibs|~soldlibs|~sintrospection)' &&
-        apt-mark auto $(apt search 'apt search 'transition(|n)($|ing|al|ary| package| purposes)' | grep '^[^ ].*\[installed' | sed 's,/.*,,') &&
-        apt-mark auto $(apt search dummy | grep '^[^ ].*\[installed' | sed 's,/.*,,')) &&
+        apt-mark auto $(apt search 'transition(|n)($|ing|al|ary| package| purposes)' | grep '^[^ ].*\[installed' | sed 's,/.*,,') &&
+        apt-mark auto $(apt search dummy | grep '^[^ ].*\[installed' | sed 's,/.*,,') &&
         apt autopurge &&
         echo review obsolete and odd packages &&
         apt purge '?obsolete' && apt autopurge &&
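Review bot: the two `apt-mark auto $(apt search ...)` lines now parse (the nested quotes and the unbalanced parenthesis are gone), but `apt search dummy` matches any package whose name or description merely contains the word, not only transitional packages, and `apt autopurge` runs immediately after the marking; a false positive with no remaining reverse dependency is therefore removed without review. Since the echo above already says "trying", consider running the `apt search ... | grep '^[^ ].*\[installed' | sed 's,/.*,,'` pipeline on its own first and only then feeding the reviewed list to `apt-mark auto`.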
@@ -166,11 +212,18 @@ can log back in over a serial console or virtual terminal.
         apt clean &&
         echo review installed kernels: &&
         dpkg -l 'linux-image*' | less &&
-        printf "End of Step 8\a\n" &&
-        shutdown -r +1 "last major upgrade step: testing reboots one final time"
+        printf "End of Step 8\a\n"
 
 [this guide to free up space]: https://www.debian.org/releases/testing/release-notes/upgrading.en.html#make-sure-you-have-sufficient-space-for-the-upgrade
 
+    One last reboot, with Fabric:
+
+        fab -H test-01.torproject.org fleet.reboot-host \
+          --delay-shutdown-minutes=1 \
+          --reason="last major upgrade step: testing reboots one final time" \
+          --force \
+          --silence-ends-at="in 1 hour"
+
 ## Conflicts resolution
 
 When the `clean_conflicts` script gets run, it asks you to check each
@@ -473,9 +526,10 @@ that](https://www.debian.org/releases/testing/release-notes/upgrading.en.html#pr
 
  * [Official guide](https://www.debian.org/releases/testing/release-notes/upgrading.en.html)
  * [Release notes](https://www.debian.org/releases/testing/release-notes/whats-new.en.html)
- * [Koumbit guide](https://wiki.koumbit.net/TrixieUpgrade) (N/A, last checked 2024-11-27
- * [DSA guide](https://dsa.debian.org/howto/upgrade-to-trixie/) (N/A, last checked 2024-11-27)
- * [TPA guide][] (N/A, last checked 2024-11-27)
+ * [Koumbit guide](https://wiki.koumbit.net/TrixieUpgrade) (in progress, last checked 2025-09-04, they
+   switched to bolt, so a little more opaque)
+ * [DSA guide](https://dsa.debian.org/howto/upgrade-to-trixie/) (in progress, last checked 2025-09-04)
+ * [TPA guide][] (merged 2025-09-04)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)
 
 [TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/trixie
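Review bot: the `One last reboot, with Fabric:` block is inserted after the `[this guide to free up space]:` reference definition, i.e. outside the numbered list that step 8 belongs to; with four spaces of indentation and no enclosing list item it will not render as part of step 8, and the indented `fab` command may come out as a bare code block. Move it above the reference definition, directly after `printf "End of Step 8\a\n"`, where the removed `shutdown -r +1` line used to be, so it reads as the last action of the step.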

two more gizmos arrived this morning
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index a0a730dd..ff7e6ed7 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -742,7 +742,7 @@ shipped, tracking numbers are kept in email.
 - [ ] Newegg (2 cases, shipped)
 - [ ] Newegg (1 fan, shipped)
 - [ ] Amazon Canada (2 PSUs, shipped)
-- [ ] Amazon Canada (2x SATA cable bundles, shipped)
+- [x] Amazon Canada (2x SATA cable bundles, shipped)
 - [ ] Amazon Canada (2x USB-E converter, shipped)
-- [ ] Amazon Canada (2x 20-pin/9pin converter, shipped)
+- [x] Amazon Canada (2x 20-pin/9pin converter, shipped)
 - [ ] Friend (memory)

v3 post-order notes
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index a27609ef..a0a730dd 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -721,3 +721,28 @@ A few notes:
   but that's because the second build doesn't have 500$ of drives,
   obviously. Drives were actually 50$ cheaper than expected at WD,
   which is nice to see.
+
+## Post-order notes
+
+Apparently, [LTT Labs](https://www.lttlabs.com/) produce [power supply
+tests](https://www.lttlabs.com/categories/power-supplies). Unfortunately, they did not test the one I ordered, so I
+don't know if it's any good. Their reviews of two other Silverstone
+PSUs did not show any significant issues, although one of them failed
+during testing (but was replaced and then passed the tests).
+
+### Shipping
+
+At this point, all orders are confirmed, but not shipped or
+received. Boxes are checked when received, a note is added when
+shipped, tracking numbers are kept in email.
+
+- [x] Memory Express (2 CPUs, shipped)
+- [ ] PC Canada (2 mobos, shipped, bounced at Purolator)
+- [ ] WD (2 HDDs, shipped)
+- [ ] Newegg (2 cases, shipped)
+- [ ] Newegg (1 fan, shipped)
+- [ ] Amazon Canada (2 PSUs, shipped)
+- [ ] Amazon Canada (2x SATA cable bundles, shipped)
+- [ ] Amazon Canada (2x USB-E converter, shipped)
+- [ ] Amazon Canada (2x 20-pin/9pin converter, shipped)
+- [ ] Friend (memory)

someone else mentioned pwgen sucks, more explicitly
diff --git a/blog/2017-02-18-passwords-entropy.mdwn b/blog/2017-02-18-passwords-entropy.mdwn
index e2cb41ad..4af16038 100644
--- a/blog/2017-02-18-passwords-entropy.mdwn
+++ b/blog/2017-02-18-passwords-entropy.mdwn
@@ -367,5 +367,6 @@ Possible updates:
    H100 GPUs](https://www.tomshardware.com/news/google-a3-supercomputer-h100-googleio), "26 exaFlops"
  * [Nvidia: Grace Hopper superchip](https://www.nvidia.com/en-us/data-center/grace-hopper-superchip/)
  * [Apple's password formats](https://rmondello.com/2024/10/07/apple-passwords-generated-strong-password-format/)
+ * [Bruteforcing pwgen passwords](https://blog.sesse.net/blog/tech/2025-08-30-10-56_bruteforcing_pwgen_passwords.html)
 
 [[!tag debian-planet debian passwords lwn geek security crypto]]

the crazy order is done
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index b271b875..a27609ef 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -631,3 +631,93 @@ This build is small.
 - [gigabyte board manual](https://download.gigabyte.com/FileList/Manual/mb_manual_a520i-ac_1402_e.pdf?v=59849968edde4af54c38e4c0c1bf2ea6)
 - Jonsbo [N2 case manual](file:///home/anarcat/Downloads/Jonsbo-N2%E8%AF%B4%E6%98%8E%E4%B9%A6.pdf), [newegg page](https://www.newegg.ca/jonsbo-mini-itx-2-0mm-aluminium-alloy-1mm-steel-plate-cases-n2-black/p/2AM-006A-000B7?item=9SIAY3TK5U9252) (which has more pics
   and docs than [the homepage](https://www.jonsbo.com/en/products/N2Black.html)
+
+## The Order
+
+Ordering this build is a mess. There's about 12 tabs open from 7
+different suppliers. I'm ordering two builds, because I'm either
+stupid or courageous, and want to experiment with putting many of
+those around. One as a backup on a remote site, the other as a
+possible replacement for marcos [[v2]] *or* to provide a remote backup
+for friends.
+
+Note that we *don't* order RAM because we sourced some from a friend
+for cheaper (60$ for a 1x16GB and 2x8GB).
+
+I didn't order any OS drives. Those are now dirt cheap: a 256GB NVMe
+drive is 32$ right now. marcos already has two: i can either reuse
+those or upgrade them and reuse the spares. I also have 2x128GB 2.5"
+SSD drives I can use to start with, although one of those will need a
+bracket for the 3.5" tray.
+
+### Build 1
+
+This is the base build.
+
+Type|Item|Price
+:----|:----|:----
+**CPU** | [AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box) | $159.99 @ Best Buy Canada 
+**Motherboard** | [Gigabyte A520I AC Mini ITX AM4 Motherboard](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac) | $171.99 @ PC-Canada 
+**Case** | [Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) | $243.00 @ Newegg Sellers 
+**Power Supply** | [Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) | $173.26 @ Amazon Canada 
+**SATA cabling** | 6x elbowed SATA cables | [29.99$](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1) @ Amazon Canada
+**USB-E adapter** | USB "E" connector to 20-pin USB 3.2 connector | [15.99$](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9) @ Amazon  Canada
+**USB-3 adapter** | 20-pin USB-3.0 to 9-pin USB-2 converter |[14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon  Canada
+
+This one doesn't have drives and is the test box that might eventually
+replace marcos, so it doesn't have drives or a case fan (because noise
+is less of an issue for marcos).
+
+### Build 2
+
+Type|Item|Price
+:----|:----|:----
+**CPU** | [AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box) | $159.99 @ Best Buy Canada 
+**Motherboard** | [Gigabyte A520I AC Mini ITX AM4 Motherboard](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac) | $171.99 @ PC-Canada 
+**Storage** | [Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz) | $274.99 @ Western Digital 
+**Storage** | [Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz) | $274.99 @ Western Digital 
+**Case** | [Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) | $243.00 @ Newegg Sellers 
+**Power Supply** | [Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) | $173.26 @ Amazon Canada 
+**Case Fan** | [Noctua A12x15 PWM 55.44 CFM 120 mm Fan](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm) | $27.95 @ Newegg Sellers 
+**SATA cabling** | 6x elbowed SATA cables | [29.99$](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1) @ Amazon Canada
+**USB-E adapter** | USB "E" connector to 20-pin USB 3.2 connector | [15.99$](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9) @ Amazon  Canada
+**USB-3 adapter** | 20-pin USB-3.0 to 9-pin USB-2 converter |[14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon  Canada
+
+### Together
+
+Type|Item|Price
+:----|:----|:----
+[x] **CPU** | 2x[AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box) | $179.99 @ Memory Express
+ | **Total Memory Express** | **$377.34**
+[x] **Motherboard** | 2x[Gigabyte A520I AC Mini ITX AM4 Motherboard](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac) | $171.99 @ PC-Canada
+ | **Total PC-Canada** | **$418.46**
+[x] **Storage** | 2x[Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz) | $274.99 @ Western Digital 
+ | **Total WD** | **$498.73** (discount for "Buy More, Save More")
+[x] **Case** | 2x[Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) | $243.00 @ Newegg Sellers $558.78 total
+[x] **Case Fan** | [Noctua A12x15 PWM 55.44 CFM 120 mm Fan](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm) | $27.95 @ Newegg Sellers (delivered sept 4-11) $43.25 total
+ | **Total newegg** | **$602.03**
+[x] **Power Supply** | 2x[Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) | $173.26 @ Amazon Canada 
+[x] **SATA cabling** | 2x 6x elbowed SATA cables | [29.99$](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1) @ Amazon Canada
+[x] **USB-E adapter** | 2x USB "E" connector to 20-pin USB 3.2 connector | [15.99$](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9) @ Amazon  Canada
+[x] **USB-3 adapter** | 2x20-pin USB-3.0 to 9-pin USB-2 converter |[14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon  Canada
+ | **Total Amazon** | **$687.47**
+[ ] **Memory** | [2x8GB Gskill](https://www.gskill.com/product/165/184/1535941837/F4−2400C15D−16GVR) and Kingston Technology HyperX FURY Black16 GB CL15 DIMM DDR4 2400 MT/s Internal Memory (HX424C15FB/16) | 60$
+ | **Total** | **$2555.03** or **~1280$** per build or **~1000$** for
+ the bare-bones build and **1500$** for the 2x12TB build
+
+A few notes:
+
+- Amazon was, as expected, ridiculous: the 4 items are sold by 3
+  different merchants, and shipped in 3 packages, estimated delivery
+  from Sept 4 to 10
+- Best Buy was surprisingly bad: I couldn't go through checkout at
+  all, and there was that stupid one-per-user limit. The error was
+  "Sorry, we can't complete your checkout right now. We’re working to
+  fix this issue quickly." with a 30 second timer that i retried about
+  a dozen times and eventually gave up. 
+- tried a "price beat" at memory express to match the Best Buy price,
+  the above price is the normal ME price, but we could save 40$ there
+- This is, obviously, much less than the original 1500$/build amount,
+  but that's because the second build doesn't have 500$ of drives,
+  obviously. Drives were actually 50$ cheaper than expected at WD,
+  which is nice to see.
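Review bot: the "Together" table is broken at its last row: the Total text continues on a second line (" the bare-bones build and **1500$** for the 2x12TB build"), which markdown does not treat as part of the row, so join it onto the "| **Total** |" line. The "[x]" / "[ ]" markers at the start of the Type cells do not render as checkboxes inside a table; either give the ordered/not-ordered state its own column or spell it out. The sentence under Build 1 says "doesn't have drives" twice ("This one doesn't have drives and is the test box ..., so it doesn't have drives or a case fan"); drop the first occurrence. Minor: the CPU row in Together lists $179.99 @ Memory Express while Build 1 and Build 2 list $159.99 @ Best Buy; the notes below explain why (Best Buy checkout failed, price beat not applied), so say so next to the row rather than leaving the three tables looking inconsistent.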

talk about architecture decisions
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 2ffff609..b271b875 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -555,6 +555,59 @@ USB 3.0, believe it or not).
 Yes, something went terribly wrong around USB 3.1. I fully expect this
 to become even messier.
 
+### motherboard and CPU architecture notes
+
+The [AM4 socket](https://en.wikipedia.org/wiki/Socket_AM4) is kind of old at this point. [According to
+Wikipedia](https://en.wikipedia.org/wiki/CPU_socket#List) was released in 2016 and upgraded to the [AM5](https://en.wikipedia.org/wiki/Socket_AM5) in 2022,
+already 3 years ago. [[v2]] was built with a AM4 socket, so this is
+definitely not an upgrade: we're building a system based on a 10 year
+old socket.
+
+But then again, I'm not sure we need to upgrade the CPU that much? And
+besides, the CPU itself is not old: the [AMD Ryzen 5 5500GT](https://www.amd.com/en/support/downloads/drivers.html/processors/ryzen/ryzen-5000-series/amd-ryzen-5-5500gt.html) was
+released in 2024 and is part of the [Zen 3](https://en.wikipedia.org/wiki/Zen_3) (7nm) released
+in 2020. At the time of writing, AMD just pushed out [Zen 5](https://en.wikipedia.org/wiki/Zen_5)
+(3-4nm) and [Zen 6](https://en.wikipedia.org/wiki/Zen_6) (2-3nm) is supposed to come up somewhere in
+2026 or 2027.
+
+[Compared to the Ryzen 5 2600x](https://www.cpu-monkey.com/en/compare_cpu-amd_ryzen_5_5500gt-vs-amd_ryzen_5_2600x) in marcos [[v2]]:
+
+- it uses less power (65W vs 95W)
+- it has a GPU
+- it supports higher memory clock rates and capacity
+
+It even [rivals with my new laptop's CPU](https://www.cpu-monkey.com/en/compare_cpu-amd_ryzen_5_5500gt-vs-intel_core_i3_1315u), although it gets beaten
+up on power consumption and memory bandwidth (as my laptop has DDR5).
+
+I tried to look for newer stuff. I really did. AM5 boards don't have
+many onboard SATA sockets (those with more than two are rare) and
+opening the door to Intel reaaaally broadens the spectrum of possible
+boards, sometimes with no clear benefit. The boards were not easier to
+find, were more expensive, didn't have more USB-C sockets, or 2.5gbps,
+although there was more variety in terms of boards with support for
+more SATA sockets.
+
+As soon as we zoomed into the following specs, however:
+
+- >= 4 sata ports
+- DDR5
+- miniITX
+
+... prices just shoot through the roof: cheapest is the [Asus ROG
+STRIX B860-I GAMING WIFI Mini ITX LGA1851 Motherboard](https://ca.pcpartpicker.com/product/F4qNnQ/asus-rog-strix-b860-i-gaming-wifi-mini-itx-lga1851-motherboard-rog-strix-b860-i-gaming-wifi) at 250$ then
+we land in the atrocious [Gigabyte B650I AORUS ULTRA Mini ITX AM5
+Motherboard](https://ca.pcpartpicker.com/product/bYytt6/gigabyte-b650i-aorus-ultra-mini-itx-am5-motherboard-b650i-aorus-ultra) (290$) and it goes downhill from there.
+
+[Mini-ITX](https://en.wikipedia.org/wiki/Mini-ITX) is definitely a niche, that said. It's one of the
+smallest [motherboard form factor](https://en.wikipedia.org/wiki/Motherboard_form_factor#Mini_PC) out there and will not be easy
+to replace in the future. I remember this being a challenge in
+replacing the board in [[v1]] which lead to [[v2]] be a full ATX, but
+now I'm looking at this gigantic tower and I want small again.
+
+Or rackmount.
+
+This build is small.
+
 ## Remaining issues:
 
 - case availability (newegg)
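Review bot: the second sentence of the AM4 paragraph is missing its subject ("[According to Wikipedia](...) was released in 2016" should read "it was released in 2016"), and "a 10 year old socket" does not agree with the 2016 release date given two lines earlier (2022 is described as "already 3 years ago", which makes the socket about 9 years old); pick one figure. Style: "supposed to come up somewhere in 2026 or 2027" reads better as "come out", and "which lead to [[v2]] be a full ATX" should be "which led to [[v2]] being a full ATX". The claim that AM5 boards with more than two onboard SATA sockets are rare is the only unsourced statement in a section that otherwise links everything; a link to the PCPartPicker filter used would make it checkable.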
@@ -573,11 +626,6 @@ to become even messier.
   - Note: A USB 3.2 Gen 1 to USB 3.2 Gen 2 header adapter is
     required. (solved above with an adapter)
 
-- the AM4 socket is kind of stupidly old. it was released in 2016 and
-  upgraded to the AM5 in 2022, already 3 years ago. [[v2]] was built
-  with a AM4 socket, so this is definitely not an upgrade, but then
-  again, not sure we need to upgrade the CPU that much?
-
 ## References
 
 - [gigabyte board manual](https://download.gigabyte.com/FileList/Manual/mb_manual_a520i-ac_1402_e.pdf?v=59849968edde4af54c38e4c0c1bf2ea6)

try to fix another table
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index d3d7c007..2ffff609 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -181,6 +181,8 @@ PSU and a ITX mobo).
   
 The N2 case specs are:
 
+| spec                     | detail                                                              |
+|--------------------------|---------------------------------------------------------------------|
 | Dimension                | 222.5mm(W) * 222.5mm(D) * 224mm(H) (11.1L)                          |
 | Material                 | External cover: 2.0mm Aluminum alloy; Internal Structure: 1mm Steel |
 | Drive Bay                | 2.5SSD\*1 / 3.5HDD\*5                                               |

fix alignment
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 24f6f100..d3d7c007 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -449,7 +449,6 @@ Type|Item|Price
 **Storage** | [Western Digital WD Blue 8 TB 3.5" 5640 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/bNCZxr/western-digital-wd-blue-8-tb-35-5640-rpm-internal-hard-drive-wd80eaaz) | $164.99 @ Memory Express 
 **Case** | [Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) | $243.00 @ Newegg Sellers 
 **Power Supply** | [Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) | $173.26 @ Amazon Canada 
-
  | **Total** | **1148.22**
 
 ## iteration 7: 12 TB 7200RPM drives, cabling, and back to case fan
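Review bot: removing the blank line is the right fix, since a blank line ends a markdown table and the Total row was rendering as a stray paragraph; while touching it, the row reads "**1148.22**" without the "$" prefix used by the other totals in this file (e.g. "**$1222.91**"), so add it for consistency.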

fix total
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 8e11530f..24f6f100 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -479,7 +479,7 @@ Type|Item|Price
  | **Total** | **$1222.91**
  | Generated by [PCPartPicker](https://pcpartpicker.com) 2025-08-30 22:04 EDT-0400 |
 
-### manual merge: 1370$
+### manual merge: 1460$
 
 Type|Item|Price
 :----|:----|:----
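Review bot: the heading now says 1460$, but the table it introduces totals $1457.14 and is flagged "(missing tax on cabling)", so the rounded heading figure is still low once tax on the three Amazon items is added; writing "~1460$" or "1460$+" in the heading, or carrying the "missing tax" caveat into it, would make that clear.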

ganache
diff --git a/recette/ganache.md b/recette/ganache.md
new file mode 100644
index 00000000..b8ea6380
--- /dev/null
+++ b/recette/ganache.md
@@ -0,0 +1,16 @@
+# Ganache
+
+- 14 oz chocolat mi-sucré
+- 1 tasse crème à fouette
+- 1/3 tasse beurre ramolli
+
+
+1. Faire bouillir la crème (ne pas brûler!)
+2. Ajouter le chocolat, ne pas brasser, mais s'assurer que le chocolat est couvert
+3. Attendre une minute que le chocolat fonde
+4. Brasser avec un fouet jusqu'à ce la mixture soit lisse
+5. Incorporer le beurre
+6. Refroidir pendant 45 minutes au frigo (ou plus température pièce),
+   en brassant délicatement au 5-10 minutes
+
+Couvre très généreusement un gâteau deux étages écrasé de 9".

figure out cabling
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index f4bb55f4..8e11530f 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -272,6 +272,9 @@ especially since the ridiculous situation I ended up with in the
 noise came from the case fan... And indeed, that iteration doesn't replace
 the CPU fan!
 
+In [this build](https://ca.pcpartpicker.com/b/ZXXbt6), they also complain about the case fan noise and
+replace it with a Noctua.
+
 So I think that might be the right way forward: start with the
 built-in fans, and replace the ones we find too noisy with Noctua
 fans, on demand.
@@ -449,12 +452,18 @@ Type|Item|Price
 
  | **Total** | **1148.22**
 
-## iteration 7: 12 TB drives
+## iteration 7: 12 TB 7200RPM drives, cabling, and back to case fan
 
 rationale is that i'm already considering swapping in 2x8TB in the
 source server for this, so might as well beef up the backup.
 
-[PCPartPicker Part List](https://ca.pcpartpicker.com/list/xC7Xcx)
+i'm also concerned about the noise of the N2 case fan after reading
+reviews.
+
+finally, I untangle the USB cabling mess and figure out which SATA
+cables to buy.
+
+[PCPartPicker Part List](https://ca.pcpartpicker.com/list/2Zt8Nz)
 
 Type|Item|Price
 :----|:----|:----
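Review bot: style only: the new sentences start in lowercase ("i'm also concerned about the noise", and the context line "rationale is that i'm already considering") while the rest of the file capitalizes "I"; also, the updated PCPartPicker link replaces the earlier list (xC7Xcx) rather than adding to it, so if the drives-only variant of iteration 7 is still worth comparing against, keep both links.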
@@ -463,11 +472,12 @@ Type|Item|Price
 **Memory** | [Kingston ValueRAM 16 GB (1 x 16 GB) DDR4-3200 CL22 Memory](https://ca.pcpartpicker.com/product/tz2bt6/kingston-valueram-16-gb-1-x-16-gb-ddr4-3200-cl22-memory-kvr32n22s816) | $70.00 @ Vuugo 
 **Storage** | [Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz) | $274.99 @ Western Digital 
 **Storage** | [Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz) | $274.99 @ Western Digital 
-**Case** | [Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) |-
+**Case** | [Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) | $243.00 @ Newegg Sellers 
 **Power Supply** | [Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) |-
+**Case Fan** | [Noctua A12x15 PWM 55.44 CFM 120 mm Fan](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm) | $27.95 @ Newegg Sellers 
  | *Prices include shipping, taxes, rebates, and discounts* |
- | **Total** | **$951.96**
- | Generated by [PCPartPicker](https://pcpartpicker.com) 2025-08-30 21:42 EDT-0400 |
+ | **Total** | **$1222.91**
+ | Generated by [PCPartPicker](https://pcpartpicker.com) 2025-08-30 22:04 EDT-0400 |
 
 ### manual merge: 1370$
 
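Review bot: the "### manual merge: 1370$" heading kept as context here goes stale in this same change: the next hunk updates the merged table under it to total $1457.14, so the heading should be bumped in the same commit rather than left for a follow-up (it is only corrected in the later "fix total" commit).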
@@ -480,7 +490,69 @@ Type|Item|Price
 **Storage** | [Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz) | $274.99 @ Western Digital 
 **Case** | [Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black) | $243.00 @ Newegg Sellers 
 **Power Supply** | [Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) | $173.26 @ Amazon Canada 
- | **Total** | **$1368.22**
+**Case Fan** | [Noctua A12x15 PWM 55.44 CFM 120 mm Fan](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm) | $27.95 @ Newegg Sellers 
+**SATA cabling** | 6x elbowed SATA cables | [29.99$](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1) @ Amazon Canada
+**USB-E adapter** | USB "E" connector to 20-pin USB 3.2 connector | [15.99$](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9) @ Amazon  Canada
+**USB-3 adapter** | 20-pin USB-3.0 to 9-pin USB-2 converter |[14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon  Canada
+ | **Total** | **$1457.14** (missing tax on cabling)
+
+### Extras
+
+- 6x SATA cables with elbows ([29.99$](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1) @ Amazon Canada)
+- the **USB "E" adapter** converts the weird "internal USB-C 3.1
+  cable" AKA USB-E to more regular 20-pin USB 3.2 connector
+  ([15.99$](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9) @ Amazon Canada), which connects the front panel USB-C
+  connector correctly
+- the **USB-3 adapter** is a 20-pin USB-3.0 to 9-pin USB-2 converter
+  ([14.99$](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US) @ Amazon Canada), which converts the, well, 20-pin
+  USB-3 front connector to a USB-2 socket, since there's only one USB
+  3 socket on the board, according to the [board manual](https://download.gigabyte.com/FileList/Manual/mb_manual_a520i-ac_1402_e.pdf?v=59849968edde4af54c38e4c0c1bf2ea6 )
+
+One flaw with that setup is the front USB-A socket will incorrectly be
+labeled "blue" which typically implies USB-3, but in the back it is a
+USB 2.0/1.1 socket.
+
+### The USB mess
+
+For older boards, one would use a USB Type-E to 9-pin converter
+([9.00$](USB ) @ Amazon Canada) to connect the front panel to an old
+USB-2 connector. This was done, in the [reference build](https://blog.briancmoses.com/2024/11/diy-nas-2025-edition.html) with a
+splitter, even, to connect both ports. Quite messy, since then even
+the modern-looking USB-C port is USB-2!
+
+Note that there's the whole front panel for sale on Ali Express of
+course ([25$](https://www.aliexpress.com/i/32791638421.html)) except it's not quite the same as the N2 because
+both sockets are USB-A. It did clarify, for me, how this was setup and
+shows the weird "USB-E" connector, which the N2 manual calls "USB-C"
+(the other, 20-pin connector is "USB 3.0" in their nomenclature").
+
+Let's try to clarify all those acronyms and connectors.
+
+- USB-A: the classic, standard, normal user-facing USB connector, can
+  be male or female, typically carries USB 2 (480mbps) or USB 3
+  (5-10gbps) if labeled blue
+- USB-C: same, but more modern as it can carry USB 3 and 4
+  (40-120gbps), reversible
+- 9-pin USB: internal connector, can be male or female, normally USB-2
+  only (so should *only* be connected to a *black* USB-A connector)
+- 20-pin USB: same, but should be able to do USB 3 (10gbps?)
+- "USB-E": internal USB 3.1 connector I just found out about,
+  apparently it's designed to deliver USB-C signals to motherboard,
+  see [this presentation](https://www.stc-cable.com/news/what-is-usb-type-e/) and [this standard](https://www.usb.org/sites/default/files/USB3p1_Front_Panel_CabCon_Implment_Doc_Rev1p1.pdf) which defines it
+  as a "20 pin shielded header"
+
+In that sense, it's perfectly normal to convert that signal to the
+20-pin USB 3.2 port, even though the USB-C connector itself has... 24
+pins!
+
+[This section of wikipedia on USB hardware](https://en.wikipedia.org/wiki/USB_hardware#Compatibilities) has comparisons between
+various external USB connectors, but does not know about the internal
+USB-C 3.1 connector (AKA "USB-E"). The [USB Signaling section](https://en.wikipedia.org/wiki/USB#Signaling)
+explains well the various "2.0", "3.1", "3.2" (which was released in
+USB 3.0, believe it or not).
+
+Yes, something went terribly wrong around USB 3.1. I fully expect this
+to become even messier.
 
 ## Remaining issues:
 
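Review bot: the link on the 9.00$ USB Type-E to 9-pin converter is broken: its target is the placeholder "USB " instead of a URL, so it renders as a dead link; fill in the product URL or drop the link. Three smaller points in the same region: the board manual URL in the "USB-3 adapter" bullet has a trailing space inside the parentheses (...mb_manual_a520i-ac_1402_e.pdf?v=... ), which some renderers include in the href; the line 'the other, 20-pin connector is "USB 3.0" in their nomenclature")' has an unbalanced closing quote; and the new Total row says "(missing tax on cabling)" while the PCPartPicker tables above state "Prices include shipping, taxes, rebates, and discounts", so this table's total is not on the same basis as the others and deserves a one-line note under it.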
@@ -491,11 +563,22 @@ Type|Item|Price
   - Warning: The Gigabyte A520I AC Mini ITX AM4 Motherboard supports
   the AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor with BIOS version
   F13. If the motherboard is using an older BIOS version, updating the
-  BIOS will be necessary to support the CPU. 
+  BIOS will be necessary to support the CPU. (@pollo says this is
+  likely not an issue and the mobo should be up to date)
+
+  - Note: A USB 2.0 to USB 3.2 Gen 1 header adapter is
+    required. (solved above with an adapter, losing USB 3 speeds)
+
+  - Note: A USB 3.2 Gen 1 to USB 3.2 Gen 2 header adapter is
+    required. (solved above with an adapter)
 
-  - Note: A USB 2.0 to USB 3.2 Gen 1 header adapter is required.
+- the AM4 socket is kind of stupidly old. it was released in 2016 and
+  upgraded to the AM5 in 2022, already 3 years ago. [[v2]] was built
+  with a AM4 socket, so this is definitely not an upgrade, but then
+  again, not sure we need to upgrade the CPU that much?
 
-  - Note: A USB 3.2 Gen 1 to USB 3.2 Gen 2 header adapter is required.
+## References
 
-- SATA cabling, Jonsbo recommends "elbow" cables on one end, and need
-  to be bundled up to fit in the slots
+- [gigabyte board manual](https://download.gigabyte.com/FileList/Manual/mb_manual_a520i-ac_1402_e.pdf?v=59849968edde4af54c38e4c0c1bf2ea6)
+- Jonsbo [N2 case manual](file:///home/anarcat/Downloads/Jonsbo-N2%E8%AF%B4%E6%98%8E%E4%B9%A6.pdf), [newegg page](https://www.newegg.ca/jonsbo-mini-itx-2-0mm-aluminium-alloy-1mm-steel-plate-cases-n2-black/p/2AM-006A-000B7?item=9SIAY3TK5U9252) (which has more pics
+  and docs than [the homepage](https://www.jonsbo.com/en/products/N2Black.html)
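Review bot: the Jonsbo N2 manual reference points at file:///home/anarcat/Downloads/..., which only resolves on the author's machine; link to the manual on jonsbo.com or to a copy committed next to the page. The same list item also has an unclosed parenthesis: "(which has more pics and docs than [the homepage](...)" never closes. Minor: the BIOS warning now carries "@pollo says this is likely not an issue", which is fine as a note, but the F13 requirement is cheap to verify once the board arrives, so consider leaving that item open until then rather than treating it as resolved.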

iterate over a new NAS build
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 90b4ef95..b48d3668 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -20,7 +20,7 @@ Marcos had many incarnations and each is tracked in its own page
 because otherwise tracking history here gets messy:
 
 - [[v3]]: 2025-present, home lab / NAS
-- [[v2]]: 2020-2025, home server/NAS, replaced because of overheating
+- [[v2]]: 2020-2025, home server/NAS, being replaced because of overheating
 - [[v1]]: 2011-2020: home cinema/server, replaced because too old,
   lacking expansion capacity
 
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index f060b70f..f4bb55f4 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -1,3 +1,9 @@
+[[!toc levels=4]]
+
+This is the rebuild of the [[v2]] marcos server, which took many
+shapes of form. I also piggy-back an external NAS/media server build
+to server as a backup for the media, but that I'm also considering as
+a full marcos replacement if it works well.
 
 # Requirements
 
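Review bot: typos in the new intro: "which took many shapes of form" (presumably "many shapes and forms") and "to server as a backup" should be "to serve as a backup"; also "but that I'm also considering as a full marcos replacement" reads better as "which I'm also considering as a full marcos replacement".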
@@ -126,6 +132,11 @@ Other providers:
 
 - <http://www.atic.ca/> built marcos v2, still no HTTPS?!
 
+## Drives
+
+Apparently, [this provider](https://serverpartdeals.com/collections/manufacturer-recertified-drives?pf_st_stock_status=in-stock&pf_t_interface_type=interface%3ASATA&sort=price-ascending) resells refurb drives, 400-500$ for
+20-26TB anyone?
+
 ## Other cases
 
 - [Jonsbro](https://www.jonsbo.com/) comes up a lot, see e.g. the [N3](https://www.jonsbo.com/en/products/N3.html)
@@ -143,3 +154,348 @@ Other providers:
     4x2.5Gbps, HDMI/DP, 17x17cm Mini-ITX
 - [Minisforum](https://www.minisforum.com/) also make tiny boards, but not lots of SATA sockets,
   i had bookmarked the [BD770i](https://minixpc.com/blogs/news/minisforum-bd770i-mini-itx-on-board-amd-ryzen-7-7745hx-motherboard-available-at-us-399) for some reason
+- was recommended ASRock (e.g. [this one](https://ca.pcpartpicker.com/product/G6VG3C/asrock-b550m-itxac-mini-itx-am4-motherboard-b550m-itxac)) because, presumably,
+  they can run ECC memory, but one needs to check forums first. had
+  trouble sourcing them so switched back to gigabyte
+
+# New NAS build
+
+Starting from scratch, this is a new build for an off-site backup NAS
+/ media server. 
+
+## Requiremnts
+
+- small (think mini-ITX)
+- easy hotswap drives
+- good drive cooling
+- quiet (less than 25-30db?)
+- room for at least 4 SATA
+- video / audio output
+- local suppliers, as much as possible (AKA no amazon/newegg)
+
+### N2 case specifications
+
+Really liking the - [Jonsbro](https://www.jonsbo.com/) [N2](https://www.jonsbo.com/en/products/N2Black.html) as it's smaller than the
+N3. This drives much of the other components (e.g. it requires a SFX
+PSU and a ITX mobo).
+  
+The N2 case specs are:
+
+| Dimension                | 222.5mm(W) * 222.5mm(D) * 224mm(H) (11.1L)                          |
+| Material                 | External cover: 2.0mm Aluminum alloy; Internal Structure: 1mm Steel |
+| Drive Bay                | 2.5SSD\*1 / 3.5HDD\*5                                               |
+| Motherboard              | ITX                                                                 |
+| PCI Expansion Slot       | 1 x Low profile single slot                                         |
+| Front I/O Port           | 1\*USB3.0 / USB3.2 Gen2 Type-C/Audio+Mic (Headset+mic combined)     |
+| PSU Support              | SFX≤150mm                                                           |
+| Max. CPU Cooler Height   | ≤65mm                                                               |
+| Max. Display Card Length | ≤197mm long (Low profile)                                           |
+| Cooling System           | 120x15mm fan\*1 (built-in)                                          |
+| Weight                   | Net 2.9kg                                                           |
+
+So: 
+
+1. the CPU cooler must be ≤65mm
+2. the power supply must be SFX ≤150mm
+3. we have room for 5 x 3.5" drives and 1 x 2.5", but also room for a
+   PCI expansion card (low profile)
+
+## iteration 1: Jonsbo N2, AMD Ryzen 5 5500, 32GB, 2x8TB WD blue (885$)
+
+[PCPartPicker Part List](https://ca.pcpartpicker.com/list/Zv3F2x)
+
+Type|Item|Price
+:----|:----|:----
+**CPU** | [AMD Ryzen 5 5500 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/yq2WGX/amd-ryzen-5-5500-36-ghz-6-core-processor-100-100000457box) | $109.00 @ Newegg Canada 
+**CPU Cooler** | [Noctua NH-L9a-AM4 33.84 CFM CPU Cooler](https://ca.pcpartpicker.com/product/DZfhP6/noctua-nh-l9a-am4-3384-cfm-cpu-cooler-nh-l9a-am4) | $49.95 @ Amazon Canada 
+**Thermal Compound** | [Arctic Silver Ceramique 2 Tri-Linear 2.7 g Thermal Paste](https://ca.pcpartpicker.com/product/NqCwrH/arctic-silver-thermal-paste-cmq227g) | $5.99 @ Canada Computers 
+**Motherboard** | [Gigabyte A520I AC Mini ITX AM4 Motherboard](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac) | $139.99 @ Newegg Canada 
+**Memory** | [Kingston FURY Beast 32 GB (1 x 32 GB) DDR4-3200 CL16 Memory](https://ca.pcpartpicker.com/product/c2BG3C/kingston-fury-beast-32-gb-1-x-32-gb-ddr4-3200-cl16-memory-kf432c16bb32) | $93.99 @ Amazon Canada 
+**Storage** | [Western Digital WD Blue 8 TB 3.5" 5640 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/bNCZxr/western-digital-wd-blue-8-tb-35-5640-rpm-internal-hard-drive-wd80eaaz) | $164.97 @ Newegg Canada 
+**Storage** | [Western Digital WD Blue 8 TB 3.5" 5640 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/bNCZxr/western-digital-wd-blue-8-tb-35-5640-rpm-internal-hard-drive-wd80eaaz) | $164.97 @ Newegg Canada 
+**Case** | [Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/wt3NnQ/jonsbo-n2-mini-itx-desktop-case-n2-white) |-
+**Power Supply** | [Fractal Design Ion SFX 500G 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/VMCFf7/fractal-design-ion-sfx-500g-500-w-80-gold-certified-fully-modular-sfx-power-supply-fd-psu-ion-sfx-500g-bk) | $156.99 @ PC-Canada  (OOS)
+ | *Prices include shipping, taxes, rebates, and discounts* |
+ | **Total** | **$885.85**
+ | Generated by [PCPartPicker](https://pcpartpicker.com) 2025-08-30 14:39 EDT-0400 |
+
+that iteration doesn't actually have a GPU, because the 5500 is missing a
+`G` suffi! I was also advised against Fractal Design for the PSU and
+instead a SeaSonic.
+
+## iteration 2: AMD Ryzen 5 5500GT GPU, SeaSonic PSU (900$)
+
+working on [PCPartPicker Part List](https://ca.pcpartpicker.com/list/L4NqFZ)
+
+| Type                 | Item                                                                                                                                                                                | Price                      |
+|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------|
+| **CPU**              | [AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box)                               | $159.99 @ Best Buy Canada  |
+| **CPU Cooler**       | [Noctua NH-L9a-AM4 33.84 CFM CPU Cooler](https://ca.pcpartpicker.com/product/DZfhP6/noctua-nh-l9a-am4-3384-cfm-cpu-cooler-nh-l9a-am4)                                               | -                          |
+| **Thermal Compound** | [Arctic Silver Ceramique 2 Tri-Linear 2.7 g Thermal Paste](https://ca.pcpartpicker.com/product/NqCwrH/arctic-silver-thermal-paste-cmq227g)                                          | $5.99 @ Canada Computers   |
+| **Motherboard**      | [Gigabyte A520I AC Mini ITX AM4 Motherboard](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac)                                        | $171.99 @ PC-Canada        |
+| **Memory**           | [Kingston FURY Beast 32 GB (1 x 32 GB) DDR4-3200 CL16 Memory](https://ca.pcpartpicker.com/product/c2BG3C/kingston-fury-beast-32-gb-1-x-32-gb-ddr4-3200-cl16-memory-kf432c16bb32)    | $121.99 @ PC-Canada        |
+| **Storage**          | [Western Digital WD Blue 8 TB 3.5" 5640 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/bNCZxr/western-digital-wd-blue-8-tb-35-5640-rpm-internal-hard-drive-wd80eaaz)  | $164.99 @ Memory Express   |
+| **Storage**          | [Western Digital WD Blue 8 TB 3.5" 5640 RPM Internal Hard Drive](https://ca.pcpartpicker.com/product/bNCZxr/western-digital-wd-blue-8-tb-35-5640-rpm-internal-hard-drive-wd80eaaz)  | $164.99 @ Memory Express   |
+| **Case**             | [Jonsbo N2 Mini ITX Desktop Case](https://ca.pcpartpicker.com/product/wt3NnQ/jonsbo-n2-mini-itx-desktop-case-n2-white)                                                              | -                          |
+| **Power Supply**     | [SeaSonic SSP-300SFG 300 W 80+ Gold Certified SFX Power Supply](https://ca.pcpartpicker.com/product/MJbkcf/seasonic-ssp-300sfg-300-w-80-gold-certified-sfx-power-supply-ssp-300sfg) | $115.99 @ PC-Canada  (OOS) |
+| **Total**            | **$905.93**                                                                                                                                                                         |                            |
+
+- *Prices include shipping, taxes, rebates, and discounts*
+- Generated by [PCPartPicker](https://pcpartpicker.com) 2025-08-30 14:03 EDT-0400
+
+this switches teh CPU to a 5500GT which has an onboard GPU, and a
+SeaSonic PSU (which is back-ordered *and* doesn't have enough power
+connectors, see below).
+
+### cooling noise question
+
+Note that the Ryzen 5 5500GT [apparently](https://hmc-tech.com/cpu/amd-ryzen-5-5500gt) ships with the [Wraith
+Stealth](https://hmc-tech.com/cooler/amd-wraith-stealth) fan which is rated for max 40dBa, which is out of
+spec. That's why the Noctua s in there, even though it's likely only
+available from Amazon or Newegg.
+
+Also note the Noctua fan is a really low profile one, and doesn't
+support high loads, [according to the compatibility chart](https://ncc.noctua.at/coolers/NH-L9i-23/cpu/AMD?q=5500gt). It also
+requires a (free of charge) adapter. The [NH-L9X65](https://noctua.at/en/nh-l9x65) (65mm)
+apparently fits the case and should support higher loads. It's rated
+for 24dB(A) and it's compatible with the Gigabyte A520I board and the
+5500GT CPU.
+
+Note that the built-in fan has the clearance for the case (45mm), so
+the fan could be installed later.
+
+Note that the built-in fan on the N2 might be noisy as well. In [this
+build](https://ca.pcpartpicker.com/b/9QvfrH), it seems they used [another noctua fan](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm), the [Noctua
+A12x15 PWM 55.44 CFM 120 mm Fan](https://noctua.at/en/products/fan/nf-a12x15-pwm) which might be worth it,
+especially since the ridiculous situation I ended up with in the
+[[v2]] build where I replaced the CPU fan only to *after* notice the
+noise came from the case fan... And indeed, that iteration doesn't replace
+the CPU fan!
+
+So I think that might be the right way forward: start with the
+built-in fans, and replace the ones we find too noisy with Noctua
+fans, on demand.
+
+### power supply issues
+
+It seems that essentially *all* SFX power supplies are back-ordered
+out there. Once we turn Amazon back on, we can get the following
+instead:
+
+- [Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power
+  Supply SST-EX500-B](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) (173$+, 3 power connectors)
+- [Silverstone SFX 300 W 80+ Bronze Certified SFX Power Supply
+  (ST30SF-V2)](https://ca.pcpartpicker.com/product/6qw7YJ/silverstone-sfx-300w-80-bronze-certified-sfx-power-supply-st30sf-v2) (130$+, 3 power connectors), used in the [reference
+  build](https://blog.briancmoses.com/2024/11/diy-nas-2025-edition.html), which warns about the short board connector
+
+TODO: talk with pc-canada to see how back-ordered is back-order. Their
+FAQ says "you'll get a date when you pay", which sucks, especially
+when Amazon is riiiight over there.
+
+Also note that the SeaSonic power supply only has *three* SATA power
+connectors. Is that too few?
+
+From the other build I found, this [cooler master 850 sfx gold](https://ca.pcpartpicker.com/product/vJPQzy/cooler-master-v850-sfx-gold-850-w-80-gold-certified-fully-modular-sfx-power-supply-mpy-8501-sfhagv-wu)
+that has 8 ports, just like this [Cooler Master v750 SFX
+gold](https://ca.pcpartpicker.com/product/vr9tt6/cooler-master-v-sfx-gold-750-w-80-gold-certified-fully-modular-sfx-power-supply-mpy-7501-sfhagv-us). Those are probably too powerful for our needs here, the
+reference build is 300W. The [Fractal Design Ion SFX 500G 500 W 80+
+Gold Certified Fully Modular SFX Power Supply](https://ca.pcpartpicker.com/product/VMCFf7/fractal-design-ion-sfx-500g-500-w-80-gold-certified-fully-modular-sfx-power-supply-fd-psu-ion-sfx-500g-bk) from the *original*
+iteration has 4 connectors.
+
+But note that, from what I can tell from the poor documentation of the
+Jonsbo case (at least from [this image](https://c1.neweggimages.com/MPS/SellerPortal/AplusContent/ed1cabce7d585246f61cbc63e0b50ba7c02c3a38108ceda106b51616fe26ebf6.jpg)), it seems that the
+backplane only needs *two* power plugs, and D-sized ones too. So the
+SATA connectors on the PSU are not actually used! You can see the
+connected backplane on [this image as well](https://cdna.pcpartpicker.com/static/forever/images/userbuild/454224.ef9c5570cdcdeeb2d7b06c716bc2f677.1600.jpg).
+
+[This other build](https://ca.pcpartpicker.com/b/fWDqqs) also used a [Silverstone 500W (SST-EX500-B)](https://ca.pcpartpicker.com/product/N8V2FT/silverstone-extreme-500-bronze-500-w-80-bronze-certified-sfx-power-supply-sst-ex500-b)
+PSU with only 3 connectors and two AMP/Molex connectors, so it seems
+the molex connectors are the critical part of that build here, and
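Review bot: the two Silverstone PSU links are inconsistent: the first bullet is labelled `SFX 500 W 80+ Gold ... SST-EX500-B` but its URL slug is `sst-sx500-lg`, a different model, and the later "Silverstone 500W (SST-EX500-B)" link points at a slug reading `silverstone-extreme-500-bronze-500-w-80-bronze-certified`, so the efficiency rating (Gold vs Bronze) and the model should be checked against whichever product is actually meant before the connector count is relied on. Smaller points: "teh CPU" should be "the CPU", "That's why the Noctua s in there" is missing "is", and the two identical **Storage** rows would be clearer with a quantity so it is obvious they are two drives and not a copy-paste duplicate.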

(Diff truncated)
reshuffle to teach myself grml-chroot
diff --git a/blog/2025-08-20-luks-ukify-conversion.md b/blog/2025-08-20-luks-ukify-conversion.md
index 51899d10..fed96793 100644
--- a/blog/2025-08-20-luks-ukify-conversion.md
+++ b/blog/2025-08-20-luks-ukify-conversion.md
@@ -200,21 +200,26 @@ We assume 512 byte sectors here. Check your sector size with `fdisk
 
     Wait until the ETA has passed.
 
- 7. Mount the encrypted filesystem:
+ 7. Open and mount the encrypted filesystem and mount the EFI system
+    partition (ESP):
 
         cryptsetup open /dev/nvme0n1p2 crypt
         mount /dev/mapper/crypt /mnt
         mount /dev/nvme0n1p1 /mnt/boot/efi
-        for fs in proc sys dev ; do
-          mount --bind /$fs /mnt/$fs
-        done
 
     If this fails, now is the time to consider restoring from backups.
 
- 8. Enter the filesystem:
+ 8. Enter the `chroot`
 
+        for fs in proc sys dev ; do
+          mount --bind /$fs /mnt/$fs
+        done
         chroot /mnt
 
+    Pro tip: this can be done in one step in GRML with:
+
+        grml-chroot /mnt bash
+
  9. Generate a `crypttab`:
 
         echo crypt_dev_nvme0n1p2 UUID=$(blkid -o value -s UUID /dev/nvme0n1p2) none luks,discard >> /etc/crypttab
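Review bot: the bind-mount loop moved into step 8 still uses `mount --bind`, which is not recursive, so `/dev/pts` (a separate mount under `/dev`) and `/run` are not available inside the chroot; tools run later in the chroot that need a pty or `/run` will fail in confusing ways. Either use `mount --rbind /$fs /mnt/$fs` followed by `mount --make-rslave /mnt/$fs`, or promote the `grml-chroot /mnt bash` tip from "pro tip" to the recommended path, since it sets up these mounts itself. Style: "Enter the `chroot`" is missing the trailing colon every other step has.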

cosmetic
diff --git a/blog/mobile-massive-gallery.md b/blog/mobile-massive-gallery.md
index b48bf5d3..d118f103 100644
--- a/blog/mobile-massive-gallery.md
+++ b/blog/mobile-massive-gallery.md
@@ -90,7 +90,7 @@ calendar issues (missing parts of 2022): https://github.com/photoprism/photopris
 
 
 no support for XMP tags: https://github.com/photoprism/photoprism/issues/1143
-or 5-stars https://github.com/photoprism/photoprism/issues/713
+or 5-stars https://github.com/photoprism/photoprism/issues/713 (major blocker)
 does not write metadata back to disk https://github.com/photoprism/photoprism/issues/402
 
 
@@ -120,8 +120,12 @@ added videos, amazingly, it was super fast:
 INFO[2024-08-17T20:15:07Z] indexed 101,914 files in 20m37.481057559s
 ```
 
+another full indexing run:
+
+```
 INFO[2024-08-17T22:14:28Z] purge: removed 82 files and 12 photos [2m26.029346119s] 
 INFO[2024-08-17T22:14:28Z] indexed 102,615 files in 1h48m21.693727003s  
+```
 
 
 ## others
@@ -251,4 +255,4 @@ https://bpatrik.github.io/pigallery2/
 
 
 <!-- posted to the federation on 2025-06-11T16:30:55.303235 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/114666625772226557"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/114666625772226557"]]

moar gear
diff --git a/pleinair/liste.mdwn b/pleinair/liste.mdwn
index afd5f9ab..34b463dd 100644
--- a/pleinair/liste.mdwn
+++ b/pleinair/liste.mdwn
@@ -27,14 +27,19 @@ toujours retourner sur l'ordinateur.
  * Sac de couchage
  * Tapis de sol
  * Tente
+ * Empreinte ("footprint") de tente
+ * Tapis d'entrée
+ * Tapis de picnic
  * Bâche
  * Cordes (4 x 5m aux coins de la bâche)
  * Oreiller
  * Sac a viande
- * Hamac et chaînes
+ * Hamac
+ * Chaise
  * Sac à dos, grand et/ou petit, ou valise
  * Lampe de poche
  * Lampe frontale
+ * Parasol
 
 # Kit de survie
 
@@ -146,9 +151,13 @@ toujours retourner sur l'ordinateur.
  * Ouvre-Boîte
  * Tampon à récurer avec éponge
  * Linge à vaisselle
+ * Débarbouillette / guenille
  * Glacière
  * Sacs poubelle / compost
  * Tupperwares pour les restes
+ * Tapette à mouche
+ * Élastiques
+ * Bouteille de 20L d'eau et pompe
 
 # Trousse de dépannage
 
@@ -189,7 +198,7 @@ toujours retourner sur l'ordinateur.
 
 # Vêtements
 
- * Chapeau
+ * Chapeau (de plage, plus large)
  * Lunettes de ski
  * Lunettes
  * Lunettes de soleil

add repeat audio headphones
diff --git a/hardware/audio.mdwn b/hardware/audio.mdwn
index fc1f8480..0407c247 100644
--- a/hardware/audio.mdwn
+++ b/hardware/audio.mdwn
@@ -111,6 +111,8 @@ consider:
    recommended by B&H staff as a Mee Audio replacement
  * [Blue audio Yeticaster](https://www.bluemic.com/en-us/products/yeticaster/) ([200$USD B&H](https://www.bhphotovideo.com/c/product/1385877-REG/blue_yeticaster_prodessional_broadcast_bundle.html?fromDisList=y)), includes boom, cable
    management, and excellent audio, [recommended by jvoisin](https://dustri.org/b/my-writing-code-from-home-setup.html)
+ * [Repeat audio](https://repeat.audio/) has "free repairs" and features a similar "extra
+   mic" approach which you can also [buy separately](https://repeat.audio/en/product/office-mic)
 
 ## Other reviews
 

small tweaks, publish
diff --git a/blog/2025-08-20-luks-ukify-conversion.md b/blog/2025-08-20-luks-ukify-conversion.md
index cfa0c8bb..51899d10 100644
--- a/blog/2025-08-20-luks-ukify-conversion.md
+++ b/blog/2025-08-20-luks-ukify-conversion.md
@@ -190,6 +190,10 @@ We assume 512 byte sectors here. Check your sector size with `fdisk
 
         cryptsetup reencrypt --encrypt /dev/nvme0n1p2 --redice-device-size=32M
 
+    This is it! This is the most important step! Make sure your laptop
+    is plugged in and try not to interrupt it. This can, apparently,
+    be resumed without problem, but I'd hate to show you how.
+
     This will show progress information like:
 
         Progress:   2.4% ETA 23m45s,      53GiB written, speed   1.3 GiB/s
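Review bot: the step this new paragraph calls "the most important step" runs `cryptsetup reencrypt --encrypt /dev/nvme0n1p2 --redice-device-size=32M`, and `--redice-device-size` is a typo: cryptsetup will refuse the unknown option and do nothing, which is safe but means the guide as written never encrypts anything. It should be `--reduce-device-size=32M`, matching the 32 MiB (65536 sectors) freed by the resize step above.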
@@ -215,6 +219,14 @@ We assume 512 byte sectors here. Check your sector size with `fdisk
 
         echo crypt_dev_nvme0n1p2 UUID=$(blkid -o value -s UUID /dev/nvme0n1p2) none luks,discard >> /etc/crypttab
 
+ 1. Adjust root filesystem in `/etc/fstab`, make sure you have a line
+    like this:
+    
+        /dev/mapper/crypt_dev-nvme0n1p2 /               ext4    errors=remount-ro 0       1
+
+    If you were already using a UUID entry for this, there's nothing
+    to change!
+
  1. Configure the root filesystem in the `initrd`:
  
         echo root=/dev/mapper/crypt_dev_nvme0n1p2 > /etc/kernel/cmdline
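Review bot: the new fstab example uses the mapper name `crypt_dev-nvme0n1p2` (hyphen before `nvme0n1p2`) while the crypttab entry just above and the `root=` written to `/etc/kernel/cmdline` just below both use `crypt_dev_nvme0n1p2` (underscore). The device-mapper node is named after the first field of crypttab, so `/dev/mapper/crypt_dev-nvme0n1p2` will not exist and the root mount will fail at boot. Use the same name in all three places, or, as the paragraph itself suggests, keep a `UUID=` entry for the ext4 filesystem so fstab does not depend on the mapper name at all.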
@@ -223,10 +235,12 @@ We assume 512 byte sectors here. Check your sector size with `fdisk
 
         dpkg-reconfigure linux-image-$(uname -r)
 
-    be careful here: systemd-boot inherits the commandline from the
+    Be careful here! `systemd-boot` inherits the command line from the
     system where it is generated, so this will possibly feature some
-    unsupported commandline items from your boot environment, in my
-    case grml. 
+    unsupported commands from your boot environment. In my
+    case GRML had a couple of those, which broke the boot. It's still
+    possible to workaround this issue by tweaking the arguments at
+    boot time, that said.
 
  3. Exit chroot and reboot
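Review bot: "unsupported commands from your boot environment" is less accurate than the text it replaces; what gets inherited from GRML are kernel command line parameters, not commands, so "unsupported command line parameters" keeps the meaning. Also "workaround" is the noun; as a verb it should be "work around this issue".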
  
@@ -246,8 +260,7 @@ physical volume/volume groups), but if you have LVM, you need to tweak
 this to also resize the LVM bits. The RHEL guide has some information
 about this.
 
-[[!tag draft]]
-
+[[!tag debian-planet debian systemd crypto sysadmin]]
 
 <!-- posted to the federation on 2025-08-20T15:45:21.679946 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/115062808342134677"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/115062808342134677"]]

add toc
diff --git a/blog/2025-08-20-luks-ukify-conversion.md b/blog/2025-08-20-luks-ukify-conversion.md
index 3ad25571..cfa0c8bb 100644
--- a/blog/2025-08-20-luks-ukify-conversion.md
+++ b/blog/2025-08-20-luks-ukify-conversion.md
@@ -10,6 +10,8 @@ screen. Then I started using the device to manage my photo collection,
 and suddenly there was a lot of "confidential" information on the
 device that I didn't want to store in clear text anymore.
 
+[[!toc levels=2]]
+
 # Pre-requisites
 
 So, how does one convert an existing install from plain text to full
@@ -117,7 +119,7 @@ computer. Otherwise, follow the following guides:
 - [Disabling Lockdown Mode with Secure Boot on Distro Kernel](https://copyninja.in/blog/disable_lockdown_on_distro_kernel.html)
 - [Signing the systemd-boot on Upgrade Using Dpkg Triggers](https://copyninja.in/blog/sign_systemd_boot_trigger.html)
 
-## Re-encrypting root filesystem
+# Re-encrypting root filesystem
 
 Now that we have a way to boot an encrypted filesystem, we can switch
 to LUKS for our filesystem. Note that you can probably follow this

automatic federated post of /blog/2025-08-20-luks-ukify-conversion
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2025-08-20-luks-ukify-conversion.md b/blog/2025-08-20-luks-ukify-conversion.md
index 4630dead..3ad25571 100644
--- a/blog/2025-08-20-luks-ukify-conversion.md
+++ b/blog/2025-08-20-luks-ukify-conversion.md
@@ -245,3 +245,7 @@ this to also resize the LVM bits. The RHEL guide has some information
 about this.
 
 [[!tag draft]]
+
+
+<!-- posted to the federation on 2025-08-20T15:45:21.679946 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/115062808342134677"]]
\ No newline at end of file

make a new blog post for uki/luks conversion
diff --git a/blog/2025-08-20-luks-ukify-conversion.md b/blog/2025-08-20-luks-ukify-conversion.md
new file mode 100644
index 00000000..4630dead
--- /dev/null
+++ b/blog/2025-08-20-luks-ukify-conversion.md
@@ -0,0 +1,247 @@
+[[!meta title="Encrypting a Debian install with UKI"]]
+
+I originally setup a machine without any full disk encryption, then
+somehow regretted it quickly after. My original reasoning was that
+this was a "play" machine so I wanted as few restrictions on accessing
+the machine as possible, which meant removing passwords, mostly.
+
+I actually ended up having a user password, but disabled the lock
+screen. Then I started using the device to manage my photo collection,
+and suddenly there was a lot of "confidential" information on the
+device that I didn't want to store in clear text anymore.
+
+# Pre-requisites
+
+So, how does one convert an existing install from plain text to full
+disk encryption? One way is to backup to an external drive,
+re-partition everything and copy things back, but that's slow and
+boring. Besides, `cryptsetup` has a [cryptsetup-reencrypt](http://manpages.debian.org/cryptsetup-reencrypt) command,
+surely we can do this in place?
+
+Having not set aside enough room for `/boot`, I briefly
+considered a "encrypted /boot" configuration and conversion (e.g. with
+[this guide](https://blog.williamdes.eu/Infrastructure/tutorials/encrypt-an-existing-debian-system-with-luks/)) but remembered grub's support for this is flaky, at
+best, so I figured I would try something else.
+
+Here, I'm going to guide you through how I first converted from grub
+to `systemd-boot` then to UKI kernel, then re-encrypt my main
+partition.
+
+Note that secureboot is disabled here, see further discussion below.
+
+# systemd-boot and Unified Kernel Image conversion
+
+systemd folks have been developing [UKI](https://www.freedesktop.org/software/systemd/man/latest/ukify.html) ("unified kernel image")
+to ship kernels. The way this works is the kernel and initrd (and UEFI
+boot stub) in a single portable executable that lives in the EFI
+partition, as opposed to `/boot`. This neatly solves my problem,
+because I already have such a clear-text partition and won't need to
+re-partition my disk to convert.
+
+Debian has started some preliminary support for this. It's not
+default, but I found [this guide from Vasudeva Kamath](https://copyninja.in/blog/enable_ukify_debian.html) which was
+pretty complete. Since the guide assumes some previous configuration,
+I had to adapt it to my case.
+
+Here's how I did the conversion to both systemd-boot and UKI, all at
+once. I could have perhaps done it one at a time, but doing both at
+once works fine.
+
+Before your start, make sure secureboot is disabled, see the
+discussion below.
+
+ 1. install systemd tools:
+
+        apt install systemd-ukify systemd-boot
+
+ 2. Configure `systemd-ukify`, in `/etc/kernel/install.conf`:
+
+        layout=uki
+        initrd_generator=dracut
+        uki_generator=ukify
+
+    TODO: it doesn't look like this generates a `initrd` with dracut, do
+    we care?
+
+ 3. Configure the kernel boot arguments with the following in `/etc/kernel/uki.conf`:
+
+        [UKI]
+        Cmdline=@/etc/kernel/cmdline
+
+    The `/etc/kernel/cmdline` file doesn't actually exist here, and
+    that's fine. Defaults are okay, as the image gets generated from
+    your current `/proc/cmdline`. Check your `/etc/default/grub` and
+    `/proc/cmdline` if you are unsure. You'll see the generated
+    arguments in `bootctl list` below.
+
+ 4. Build the image:
+
+        dpkg-reconfigure linux-image-$(uname -r)
+
+ 5. Check the boot options:
+
+        bootctl list
+
+    Look for a `Type #2 (.efi)` entry for the kernel.
+
+ 6. Reboot:
+
+        reboot
+
+You can tell you have booted with `systemd-boot` because (a) you won't
+see grub and (b) the `/proc/cmdline` will reflect the configuration
+listed in `bootctl list`. In my case, a `systemd.machine_id` variable
+is set there, and not in grub (compare with `/boot/grub/grub.cfg`).
+
+By default, the `systemd-boot` loader just boots, without a menu. You
+can force the menu to show up by un-commenting the `timeout` line in
+`/boot/efit/loader/loader.conf`, by hitting keys during boot
+(e.g. hitting "space" repeatedly), or by calling:
+
+    systemctl reboot --boot-loader-menu=0
+
+See the `systemd-boot(7)` manual for details on that.
+
+I did not go through the [secureboot process](https://copyninja.in/blog/enable_secureboot_ukify.html), presumably I had
+already disabled secureboot. This is trickier: because one needs a
+"special key" to sign the UKI image, one would need the collaboration
+of `debian.org` to get this working out of the box with the
+keys shipped onboard most computers.
+
+In other words, if you want to make this work with secureboot enabled
+on your computer, you'll need to figure out how to sign the generated
+images before rebooting here, because otherwise you will break your
+computer. Otherwise, follow the following guides:
+
+- [Enabling Secure Boot with UKI on Debian](https://copyninja.in/blog/enable_secureboot_ukify.html)
+- [Disabling Lockdown Mode with Secure Boot on Distro Kernel](https://copyninja.in/blog/disable_lockdown_on_distro_kernel.html)
+- [Signing the systemd-boot on Upgrade Using Dpkg Triggers](https://copyninja.in/blog/sign_systemd_boot_trigger.html)
+
+## Re-encrypting root filesystem
+
+Now that we have a way to boot an encrypted filesystem, we can switch
+to LUKS for our filesystem. Note that you can probably follow this
+guide if, somehow, you managed to make grub work with your LUKS setup,
+although as [this guide](https://blog.williamdes.eu/Infrastructure/tutorials/encrypt-an-existing-debian-system-with-luks/) shows, you'd need to downgrade the
+cryptographic algorithms, which seems like a bad tradeoff.
+
+We're using `cryptsetup-reencrypt` for this which, amazingly, supports
+re-encrypting devices on the fly. The trick is it needs free space at
+the end of the partition for the LUKS header (which, I guess, makes it
+a footer), so we need to resize the filesystem to leave room for that,
+which is the trickiest bit.
+
+This is a possibly destructive behavior. Be sure your backups are up
+to date, or be ready to lose all data on the device.
+
+We assume 512 byte sectors here. Check your sector size with `fdisk
+-l` and adjust accordingly.
+
+ 1. Before you perform the procedure, make sure requirements are
+    installed:
+ 
+        apt install cryptsetup systemd-cryptsetup cryptsetup-initramfs
+
+    Note that this requires network access, of course.
+
+ 2. Reboot in a live image, I like [GRML](https://grml.org/) but any Debian live image
+    will work, possibly including the installer
+
+ 3. First, calculate how many sectors to free up for the LUKS header
+
+        qalc> 32Mibyte / ( 512 byte )
+
+          (32 mebibytes) / (512 bytes) = 65536
+
+ 2. Find the sector sizes of the Linux partitions:
+
+        fdisk  -l /dev/nvme0n1 | awk '/filesystem/ { print $1 " " $4 }' |
+
+    For example, here's an example with a `/boot` and `/` filesystem:
+
+        $ sudo fdisk -l /dev/nvme0n1 | awk '/filesystem/ { print $1 " " $4 }'
+        /dev/nvme0n1p2 999424
+        /dev/nvme0n1p3 3904979087
+
+ 3. Substract 1 from 2:
+
+        qalc> set precision 100
+        qalc> 3904979087 - 65536
+
+    Or, last step and this one, in one line:
+
+        fdisk -l /dev/nvme0n1 | awk '/filesystem/ { print $1 " " $4 - 65536 }'
+
+ 4. Recheck filesystem:
+
+        e2fsck -f /dev/nvme0n1p2
+
+ 5. Resize filesystem:
+
+        resize2fs /dev/nvme0n1p2 $(fdisk -l /dev/nvme0n1 | awk '/nvme0n1p2/ { print $4 - 65536 }')s
+
+    Notice the trailing `s` here: it makes resize2fs interpret the
+    number as a 512 byte sector size, as opposed to the default (4k
+    blocks).
+
+ 6. Re-encrypt filesystem:
+
+        cryptsetup reencrypt --encrypt /dev/nvme0n1p2 --redice-device-size=32M
+
+    This will show progress information like:
+
+        Progress:   2.4% ETA 23m45s,      53GiB written, speed   1.3 GiB/s
+

(Diff truncated)
style tweaks, todo
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index d1a5058c..929f7d19 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -164,6 +164,8 @@ page](https://knowledgebase.frame.work/framework-laptop-12-bios-and-driver-relea
 
 ## UKI
 
+TODO move this section and the next in a blog post
+
 I originally setup the machine without any full disk encryption, then
 regretted it. Having not set aside enough room for `/boot`, I briefly
 considered a "encrypted /boot" configuration and conversion (e.g. with
@@ -314,15 +316,19 @@ We assume 512 byte sectors here. Check your sector size with `fdisk
 
     If this fails, now is the time to consider restoring from backups.
 
- 8. Generate a `crypttab`:
-
-        echo crypt_dev_nvme0n1p2 UUID=$(blkid -o value -s UUID /dev/nvme0n1p2) none luks,discard >> /mnt/etc/crypttab
-
  8. Enter the filesystem:
 
         chroot /mnt
 
- 9. Regenerate UKI:
+ 9. Generate a `crypttab`:
+
+        echo crypt_dev_nvme0n1p2 UUID=$(blkid -o value -s UUID /dev/nvme0n1p2) none luks,discard >> /etc/crypttab
+
+ 1. Configure the root filesystem in the `initrd`:
+ 
+        echo root=/dev/mapper/crypt_dev_nvme0n1p2 > /etc/kernel/cmdline
+
+ 2. Regenerate UKI:
 
         dpkg-reconfigure linux-image-$(uname -r)
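Review bot: the new `echo root=/dev/mapper/crypt_dev_nvme0n1p2 > /etc/kernel/cmdline` step truncates the file, so with `Cmdline=@/etc/kernel/cmdline` in `uki.conf` the regenerated UKI carries only `root=` and none of the parameters previously picked up from `/proc/cmdline`. That is probably the intent (it also sidesteps the GRML inheritance the warning under step 2 describes), but the text should say so and tell the reader to add anything else they need (for example `resume=`) to that file. One caveat worth a sentence next to the crypttab line: `luks,discard` passes TRIM through the encrypted mapping, and cryptsetup's documentation warns this exposes which sectors are unused to anyone with the raw disk; it is a reasonable SSD trade-off but should be a deliberate choice, not an unexplained default. Style: the list restarts at "1." after "9.".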
 
@@ -331,14 +337,14 @@ We assume 512 byte sectors here. Check your sector size with `fdisk
     unsupported commandline items from your boot environment, in my
     case grml. 
 
- 10. Exit chroot and reboot
+ 3. Exit chroot and reboot
  
         exit
         reboot
 
 The ideas here were extracted from [this guide](https://blog.williamdes.eu/Infrastructure/tutorials/encrypt-an-existing-debian-system-with-luks/) but was mostly
 rewritten to simplify the work and avoid depending on grub or a
-specific initrd system (as the guide uses initramfs-tools and grub,
+specific initrd system (as the guide uses `initramfs-tools` and grub,
 while I, above, switched to dracut and systemd-boot). [RHEL also has a
 similar guide](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening#encrypting-existing-data-on-a-block-device-using-luks2_encrypting-block-devices-using-luks), perhaps better, even.
 

add toc
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index c1e471cf..d1a5058c 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -4,6 +4,8 @@ not to be confused with the larger [[Framework
 
 Currently in pre-order / shipping, as of 2025-07-08.
 
+[[!toc levels=3]]
+
 # First impressions
 
 - [missed first post](https://bisco.org/notes/debian-on-framework-12/)

ukify/luks conversion
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index f3b518e6..c1e471cf 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -160,6 +160,192 @@ There's already a BIOS update! At first it was not installable with
 LVFS, but I have recently been able to do it, see the [BIOS updates
 page](https://knowledgebase.frame.work/framework-laptop-12-bios-and-driver-releases-13th-gen-intel-core-HyrqeX2ex) and the [forum discussion](https://community.frame.work/t/framework-laptop-12-13th-gen-intel-bios-3-04-release/72019/26?u=anarcat).
 
+## UKI
+
+I originally setup the machine without any full disk encryption, then
+regretted it. Having not set aside enough room for `/boot`, I briefly
+considered a "encrypted /boot" configuration and conversion (e.g. with
+[this guide](https://blog.williamdes.eu/Infrastructure/tutorials/encrypt-an-existing-debian-system-with-luks/)) but remembered grub's support for this is flaky, at
+best, so I figured I would try something else.
+
+systemd folks have been looking at UKI to ship kernels, and Debian has
+started some preliminary support for this. It's not default, but I
+found [this guide from Vasudeva Kamath](https://copyninja.in/blog/enable_ukify_debian.html) which was pretty
+complete. It turned out to be:
+
+ 1. install systemd tools:
+
+        apt install systemd-ukify systemd-boot
+
+ 2. Configure `systemd-ukify`, in `/etc/kernel/install.conf`:
+
+        layout=uki
+        initrd_generator=dracut
+        uki_generator=ukify
+
+    TODO: it doesn't look like this generates a `initrd` with dracut, do
+    we care?
+
+ 3. Configure the kernel boot arguments with the following in `/etc/kernel/uki.conf`:
+
+        [UKI]
+        Cmdline=@/etc/kernel/cmdline
+
+    The `/etc/kernel/cmdline` file doesn't actually exist here, and
+    that's fine. Defaults are okay. Check your `/etc/default/grub` and
+    `/proc/cmdline` if you are unsure that you need anything
+    extra. You'll see the generated arguments in `bootctl list` below.
+
+ 4. Build the image:
+
+        dpkg-reconfigure linux-image-$(uname -r)
+
+ 5. Check the boot options:
+
+        bootctl list
+
+    Look for a `Type #2 (.efi)` entry for the kernel.
+
+ 6. Reboot:
+
+        reboot
+
+You can tell you have booted with `systemd-boot` because (a) you won't
+see grub and (b) the `/proc/cmdline` will reflect the configuration
+listed in `bootctl list`. In my case, a `systemd.machine_id` variable
+is set there, and not in grub (compare with `/boot/grub/grub.cfg`).
+
+By default, the `systemd-boot` loader just boots, without a menu. You
+can force the menu to show up by uncommenting the `timeout` line in
+`/boot/efit/loader/loader.conf`, by hitting keys during boot
+(e.g. hitting "space" repeatedly), or by calling:
+
+    systemctl reboot --boot-loader-menu=0
+
+See the `systemd-boot(7)` manual for details on that.
+
+I did not go through the [secureboot process](https://copyninja.in/blog/enable_secureboot_ukify.html), presumably I had
+already disabled secureboot.
+
+## Re-encrypting root filesystem
+
+Now that we have a way to boot without grub, we can switch to LUKS for
+our filesystem.
+
+We're using `cryptsetup-reencrypt` for this which, amazingly, supports
+re-encrypting devices on the fly. The trick is it needs free space at
+the end of the partition for the LUKS header (which, I guess, makes it
+a footer), so we need to resize the filesystem to leave room for that,
+which is the trickiest bit.
+
+This is a possibly destructive behavior. Be sure your backups are up
+to date, or be ready to lose all data on the device.
+
+We assume 512 byte sectors here. Check your sector size with `fdisk
+-l` and adjust accordingly.
+
+ 1. Before you perform the procedure, make sure requirements are
+    installed:
+ 
+        apt install cryptsetup systemd-cryptsetup cryptsetup-initramfs
+
+    Note that this requires network access, of course.
+
+ 2. Reboot in a live image, i like [GRML](https://grml.org/) but any Debian live image
+    will work, possibly including the installer
+
+ 3. First, calculate how many sectors to free up for the LUKS header
+
+        qalc> 32Mibyte / ( 512 byte )
+
+          (32 mebibytes) / (512 bytes) = 65536
+
+ 2. Find the sector sizes of the Linux partitions:
+
+        fdisk  -l /dev/nvme0n1 | awk '/filesystem/ { print $1 " " $4 }' |
+
+    For example, here's an example with a `/boot` and `/` filesystem:
+
+        $ sudo fdisk -l /dev/nvme0n1 | awk '/filesystem/ { print $1 " " $4 }'
+        /dev/nvme0n1p2 999424
+        /dev/nvme0n1p3 3904979087
+
+ 3. Substract 1 from 2:
+
+        qalc> set precision 100
+        qalc> 3904979087 - 65536
+
+    Or, last step and this one, in one line:
+
+        fdisk -l /dev/nvme0n1 | awk '/filesystem/ { print $1 " " $4 - 65536 }'
+
+ 4. Recheck filesystem:
+
+        e2fsck -f /dev/nvme0n1p2
+
+ 5. Resize filesystem:
+
+        resize2fs /dev/nvme0n1p2 $(fdisk -l /dev/nvme0n1 | awk '/nvme0n1p2/ { print $4 - 65536 }')s
+
+    Notice the trailing `s` here: it makes resize2fs interpret the
+    number as a 512 byte sector size, as opposed to the default (4k
+    blocks).
+
+ 6. Re-encrypt filesystem:
+
+        cryptsetup reencrypt --encrypt /dev/nvme0n1p2 --redice-device-size=32M
+
+    This will show progress information like:
+
+        Progress:   2.4% ETA 23m45s,      53GiB written, speed   1.3 GiB/s
+
+    Wait until the ETA has passed.
+
+ 7. Mount the encrypted filesystem:
+
+        cryptsetup open /dev/nvme0n1p2 crypt
+        mount /dev/mapper/crypt /mnt
+        mount /dev/nvme0n1p1 /mnt/boot/efi
+        for fs in proc sys dev ; do
+          mount --bind /$fs /mnt/$fs
+        done
+
+    If this fails, now is the time to consider restoring from backups.
+
+ 8. Generate a `crypttab`:
+
+        echo crypt_dev_nvme0n1p2 UUID=$(blkid -o value -s UUID /dev/nvme0n1p2) none luks,discard >> /mnt/etc/crypttab
+
+ 8. Enter the filesystem:
+
+        chroot /mnt
+
+ 9. Regenerate UKI:
+
+        dpkg-reconfigure linux-image-$(uname -r)
+
+    be careful here: systemd-boot inherits the commandline from the
+    system where it is generated, so this will possibly feature some
+    unsupported commandline items from your boot environment, in my
+    case grml. 
+
+ 10. Exit chroot and reboot
+ 
+        exit
+        reboot
+
+The ideas here were extracted from [this guide](https://blog.williamdes.eu/Infrastructure/tutorials/encrypt-an-existing-debian-system-with-luks/) but was mostly
+rewritten to simplify the work and avoid depending on grub or a
+specific initrd system (as the guide uses initramfs-tools and grub,
+while I, above, switched to dracut and systemd-boot). [RHEL also has a
+similar guide](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening#encrypting-existing-data-on-a-block-device-using-luks2_encrypting-block-devices-using-luks), perhaps better, even.
+
+Somehow I have made this system without LVM at all,
+which simplifies things a bit (as I don't need to also resize the
+physical volume/volume groups), but if you have LVM, you need to tweak
+this to also resize the LVM bits. The RHEL guide has some information
+about this.
+
 # Other reviews
 
 The Framework 12" received mixed reviews, in general. Most complained
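Review bot: in the "Re-encrypting root filesystem" section nothing ever tells the new UKI where the root filesystem is. The crypttab entry only describes the LUKS device, and step 9 regenerates the image with the command line inherited from the live environment, as the warning under it admits ("in my case grml"), so the result boots with GRML's parameters and no `root=` pointing at the mapper device. Write `root=/dev/mapper/crypt_dev_nvme0n1p2` to `/etc/kernel/cmdline` inside the chroot before running `dpkg-reconfigure`, which is what `uki.conf` already references. The `cryptsetup reencrypt` line also has `--redice-device-size`, which must be `--reduce-device-size` for cryptsetup to accept it. Smaller points: two steps are numbered "8.", `/boot/efit/loader/loader.conf` should be `/boot/efi/loader/loader.conf`, the `fdisk ... | awk` line ends in a dangling pipe, and "i like" and "Substract" need fixing.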

pen update
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index 89f0c131..f3b518e6 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -26,6 +26,12 @@ Currently in pre-order / shipping, as of 2025-07-08.
 - power usage seems decent, after installing the base system, a bunch
   of apps, running syncthing, battery is at 45% with, presumably, 1h36
   remaining... so I guess not that great?
+- MPP pen works fine, but software support (like touch) is not great
+  in Debian (e.g. I had trouble using Krita, let alone Gimp)
+
+> Framework Laptop 12 is compatible with MPP 2.0 and USI 2.0 stylus
+> types. The default setting is MPP-compatibility, and you can
+> switch to USI mode in BIOS settings.
 
 TODO: maybe software setup goes into [[hardware/dorothea]]?
 
@@ -39,6 +45,7 @@ TODO: maybe software setup goes into [[hardware/dorothea]]?
   a whim (but i *can* use it with a DP adapter, and treat the monitor
   as a dock, presumably, to be tested)
 - a bit too heavy for a tablet
+- [nowhere to put away the pen](https://community.frame.work/t/where-to-put-the-pen/67602)
 
 ## Open questions
 
@@ -46,12 +53,6 @@ TODO: maybe software setup goes into [[hardware/dorothea]]?
 - will the screen suck? maybe [a matte protector](https://viascreens.com/screen-protector/framework/laptop-12-2-in-1/matte) (so far not
   noticed any issue, colors do look a little washed out)
 - how will battery life be? (installer doesn't show battery, oops!)
-- will the pen work well? [where to put it?](https://community.frame.work/t/where-to-put-the-pen/67602)
-
-> Framework Laptop 12 is compatible with MPP 2.0 and USI 2.0 stylus
-> types. The default setting is MPP-compatibility, and you can
-> switch to USI mode in BIOS settings.
-
 - will the sensors work for auto-rotate? ([apparently](https://community.frame.work/t/auto-rotate-and-accelerometer/70964), but not in
   the Debian installer either)
 
@@ -196,6 +197,7 @@ Overall, the pros and cons seem to be:
   "latch" design (and i don't really like the 13" design either)
 - too expensive
 - mediocre colors and large bezel
+
 # Order history
 
 - pre-orders opened on April 10 (at least, that's when the email was

reshuffle fw12 sections around
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index 027d1984..89f0c131 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -4,59 +4,6 @@ not to be confused with the larger [[Framework
 
 Currently in pre-order / shipping, as of 2025-07-08.
 
-# Order history
-
-- pre-orders opened on April 10 (at least, that's when the email was
-  sent!)
-- pre-ordered on April 9th (!), with the following spec:
-  - base setup: 827.00
-    - CPU: Intel i3-1315U, a step down from the current 13", but [still
-      comparable](https://www.cpubenchmark.net/compare/4759vs5300/Intel-i5-1240P-vs-Intel-i3-1315U), but is more recent (2023-Q2 vs 2022-Q1, 6/8 cores
-      instead of 12/16, 1.2GHz vs 1.7GHz base speed, but similar turbo
-      at 4.5GHz and better TDP at 15W vs 28W)
-    - color: sage
-    - memory: DDR5-5600 - 16GB (my original setup on the 13", was mostly fine)
-  - keyboard: US English - Gray
-  - 65W power adapter: $64.00 (i thought i had a spare one of those, but seems
-    not, and those are so useful!)
-  - expansion cards:
-    - DisplayPort (2nd Gen) $25.00 (wanted to test the 2nd gen)
-    - HDMI (3rd Gen) $25.00 (same)
-    - 1TB (2nd Gen) $169.00 (same)
-    - USB-C (Translucent Green) $12.00 (wanted to test the green, i
-      have two more space USB-C, so this is actually too much)
-    - 2 x USB-A $24.00 (like my current setup, i often run out of
-      USB-A when i have a single one)
-  - total: 1146$CAD + tax, est. 1317.60$CAD, before 100$ deposit
-  - did *not* pick their NVMe drive, as the [1TB drive is 220$CAD](https://frame.work/ca/en/products/wd_black-sn770m-nvme?v=FRANTAWD0A),
-    for about that price I got a [2TB drive at B&H for 269.29$CAD](https://www.bhphotovideo.com/c/product/1802215-REG/wd_wdbdnh0020bbk_wrsn_wd_black_2tb_sn770m.html)
-    (shipping and taxes included!) instead
-- as of 2025-07-08, still not received confirmation of shipping,
-  changed a few minor things with the order (added a 1TB drive,
-  removed one USB-C module, added USB-A module), even though [others
-  have received theirs](https://bisco.org/notes/debian-on-framework-12/), seems like the [colored ones are in a
-  different batch](https://community.frame.work/t/fw12-color-batch-1-guild/71354) which is [rumored](https://community.frame.work/t/fw12-batch-1-guild/67317/234?u=anarcat) to have started shipping
-  today, although that might be [confused with the colored batch 0](https://community.frame.work/t/fw12-batch-0-guild/67353/322)
-- 2025-07-10 00:52 +0000: "step 2" (preparing your batch) email
-- 2025-07-15 14:19 +0000: "step 3" (payment complete) email
-- 2025-07-15 21:50 +0000: requested shipping delay (!)
-- 2025-07-16 04:49 +0000: response from support, will ship within 5
-  business days, too late to delay, ask Fedex for a temporary hold
-  with the confirmation number
-- 2025-07-16 09:54 +0000: "step 4" (your order has shipped) email
-- 2025-07-16 01:37: shipment info at fedex
-- 2025-07-16 03:44: picked up in Taoyuan TW
-- 2025-07-16 08:46: Ta Yuan District TW
-- 2025-07-17 02:26: Sennan-Shi JP
-- 2025-07-17 12:58: Memphis, TN
-- 2025-07-17 12:36: Winnipeg, MB
-- 2025-07-18 04:20: Mississauga, ON
-- 2025-07-18 05:17: Mirabel, PQ
-- 2025-07-18 07:45: Saint-Laurent, PQ
-- 2025-07-18 12:01: Delivered!
-
-The laptop was supposed to ship "in July", and it did!
-
 # First impressions
 
 - [missed first post](https://bisco.org/notes/debian-on-framework-12/)
@@ -108,7 +55,13 @@ TODO: maybe software setup goes into [[hardware/dorothea]]?
 - will the sensors work for auto-rotate? ([apparently](https://community.frame.work/t/auto-rotate-and-accelerometer/70964), but not in
   the Debian installer either)
 
-# KDE
+# Configuration
+
+I did something special with this machine, as opposed to the rest of
+my fleet, and just configured it by hand. I installed it using the
+beta Debian installer for trixie, which went flawlessly.
+
+## KDE
 
 Works well! Like the "retro" look compared to GNOME.
 
@@ -161,7 +114,7 @@ night mode is only night light, would like reverse video too.
 
 loving the info center, no idea how i got there or how to get back
 
-## installed
+## Installed packages
 
 - krita
 - darktable
@@ -170,7 +123,7 @@ loving the info center, no idea how i got there or how to get back
 - vlc
 - git-annex
 
-couldn't install darktable, flatpak or llm from the app center
+couldn't install darktable, flatpak or `llm` from the app center, weirdly.
 
 ### flatpaks
 
@@ -182,9 +135,9 @@ couldn't install darktable, flatpak or llm from the app center
 - speech note
 - organic maps
 
-# Firefox
+## Firefox
 
-## Installed add-ons
+### Installed add-ons
 
 - ublock
 - wallabag
@@ -200,12 +153,13 @@ logged into
 - grafana.anarc.at
 - kagi (and changed search engine)
 
-# BIOS updates
+## BIOS updates
 
-There's already a BIOS update! Should be installable with LVFS, see
-the [BIOS updates page](https://knowledgebase.frame.work/framework-laptop-12-bios-and-driver-releases-13th-gen-intel-core-HyrqeX2ex).
+There's already a BIOS update! At first it was not installable with
+LVFS, but I have recently been able to do it, see the [BIOS updates
+page](https://knowledgebase.frame.work/framework-laptop-12-bios-and-driver-releases-13th-gen-intel-core-HyrqeX2ex) and the [forum discussion](https://community.frame.work/t/framework-laptop-12-13th-gen-intel-bios-3-04-release/72019/26?u=anarcat).
 
-# Reviews
+# Other reviews
 
 The Framework 12" received mixed reviews, in general. Most complained
 about the old CPU shipped with the device, and pricing.
@@ -242,3 +196,55 @@ Overall, the pros and cons seem to be:
   "latch" design (and i don't really like the 13" design either)
 - too expensive
 - mediocre colors and large bezel
+# Order history
+
+- pre-orders opened on April 10 (at least, that's when the email was
+  sent!)
+- pre-ordered on April 9th (!), with the following spec:
+  - base setup: 827.00
+    - CPU: Intel i3-1315U, a step down from the current 13", but [still
+      comparable](https://www.cpubenchmark.net/compare/4759vs5300/Intel-i5-1240P-vs-Intel-i3-1315U), but is more recent (2023-Q2 vs 2022-Q1, 6/8 cores
+      instead of 12/16, 1.2GHz vs 1.7GHz base speed, but similar turbo
+      at 4.5GHz and better TDP at 15W vs 28W)
+    - color: sage
+    - memory: DDR5-5600 - 16GB (my original setup on the 13", was mostly fine)
+  - keyboard: US English - Gray
+  - 65W power adapter: $64.00 (i thought i had a spare one of those, but seems
+    not, and those are so useful!)
+  - expansion cards:
+    - DisplayPort (2nd Gen) $25.00 (wanted to test the 2nd gen)
+    - HDMI (3rd Gen) $25.00 (same)
+    - 1TB (2nd Gen) $169.00 (same)
+    - USB-C (Translucent Green) $12.00 (wanted to test the green, i
+      have two more space USB-C, so this is actually too much)
+    - 2 x USB-A $24.00 (like my current setup, i often run out of
+      USB-A when i have a single one)
+  - total: 1146$CAD + tax, est. 1317.60$CAD, before 100$ deposit
+  - did *not* pick their NVMe drive, as the [1TB drive is 220$CAD](https://frame.work/ca/en/products/wd_black-sn770m-nvme?v=FRANTAWD0A),
+    for about that price I got a [2TB drive at B&H for 269.29$CAD](https://www.bhphotovideo.com/c/product/1802215-REG/wd_wdbdnh0020bbk_wrsn_wd_black_2tb_sn770m.html)
+    (shipping and taxes included!) instead
+- as of 2025-07-08, still not received confirmation of shipping,
+  changed a few minor things with the order (added a 1TB drive,
+  removed one USB-C module, added USB-A module), even though [others
+  have received theirs](https://bisco.org/notes/debian-on-framework-12/), seems like the [colored ones are in a
+  different batch](https://community.frame.work/t/fw12-color-batch-1-guild/71354) which is [rumored](https://community.frame.work/t/fw12-batch-1-guild/67317/234?u=anarcat) to have started shipping
+  today, although that might be [confused with the colored batch 0](https://community.frame.work/t/fw12-batch-0-guild/67353/322)
+- 2025-07-10 00:52 +0000: "step 2" (preparing your batch) email
+- 2025-07-15 14:19 +0000: "step 3" (payment complete) email
+- 2025-07-15 21:50 +0000: requested shipping delay (!)
+- 2025-07-16 04:49 +0000: response from support, will ship within 5
+  business days, too late to delay, ask Fedex for a temporary hold
+  with the confirmation number
+- 2025-07-16 09:54 +0000: "step 4" (your order has shipped) email
+- 2025-07-16 01:37: shipment info at fedex
+- 2025-07-16 03:44: picked up in Taoyuan TW
+- 2025-07-16 08:46: Ta Yuan District TW
+- 2025-07-17 02:26: Sennan-Shi JP
+- 2025-07-17 12:58: Memphis, TN
+- 2025-07-17 12:36: Winnipeg, MB
+- 2025-07-18 04:20: Mississauga, ON
+- 2025-07-18 05:17: Mirabel, PQ
+- 2025-07-18 07:45: Saint-Laurent, PQ
+- 2025-07-18 12:01: Delivered!
+
+The laptop was supposed to ship "in July", and it did!
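Review bot: the new `# Order history` heading in the last hunk sits directly under the list item `- mediocre colors and large bezel` with no blank line between them; Markdown renderers may treat it as a continuation of the list rather than a heading, so insert an empty line before it.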

zfs-autobackup packaged in debian
diff --git a/software/zfs.md b/software/zfs.md
index 3542e583..81b655db 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -502,6 +502,7 @@ package](https://github.com/Gregy/znapzend-debian). It is written in Perl.
  - rate-limiting
  - debug/dry-run mode
  - progressive thinning
+ - packaged in Debian 14/forky and later
 
 ### Other DIY solutions
 

fnott packaged in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 3c2da63b..a9eb2d05 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -1081,8 +1081,8 @@ how many things you were using are tightly bound to X.
    basically)
 
  * notifications: previously [dunst][] in some places, which works
-   well in both Xorg and Wayland, not a blocker, [fnott][], [salut][]
-   (not in Debian) possible alternatives: damjan [uses
+   well in both Xorg and Wayland, not a blocker, [salut][] (not in
+   Debian), [fnott][]. possible alternatives: damjan [uses
    mako][]. Eventually migrated to [sway-nc][], but found it too
    complicated for my needs. Ended up with a simple mako-based setup
    with inhibition.
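Review bot: the reworded sentence now reads `[fnott][]. possible alternatives: damjan [uses mako][]`, with a lowercase word opening right after the period; either capitalize `Possible` or join the two with a semicolon. Moving `(not in Debian)` so it attaches only to `[salut][]` is the right change for what the commit title says.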

other trixie what's new
diff --git a/services/upgrades/trixie.md b/services/upgrades/trixie.md
index 9881bda5..f92da5b3 100644
--- a/services/upgrades/trixie.md
+++ b/services/upgrades/trixie.md
@@ -243,6 +243,11 @@ See also the [noteworthy obsolete packages](https://www.debian.org/releases/test
 - pinentry-qt now has Wayland support
 - Signal Desktop seems to work properly in Wayland
 
+## Other sources
+
+- [mikas](https://michael-prokop.at/blog/2025/07/20/what-to-expect-from-debian-trixie-newintrixie/)
+- [bisco](https://bisco.org/notes/updates-and-additions-in-debian-13-trixie/)
+
 # Issues
 
 See also the official list of [known issues](https://www.debian.org/releases/testing/release-notes/issues.en.html#known-severe-bugs).

another ham radio trick
diff --git a/hardware/radio.mdwn b/hardware/radio.mdwn
index 2fda29a7..265b8efa 100644
--- a/hardware/radio.mdwn
+++ b/hardware/radio.mdwn
@@ -47,7 +47,7 @@ I uploaded a few photos [in this album](https://photos.anarc.at/documentation/ra
 - [sBITX](https://www.sbitx.net/): 80-20m (receive 500KHz-30MHz, 25W), SSB, CW, FT8,
   packet, SDR, 400$ with a raspi kit, 10"x6"x2", 4lbs, back-order as
   of 2025-03-29, but [should be back in stock "in a month" so in
-  March](https://groups.io/g/BITX20/message/115582?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Acreated%2C%2Csbitx%20out%20of%20stock%2C20%2C2%2C0%2C111139360)
+  March](https://groups.io/g/BITX20/message/115582?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Acreated%2C%2Csbitx%20out%20of%20stock%2C20%2C2%2C0%2C111139360), [sbitx v3](https://www.hfsignals.com/index.php/sbitx-v3/) and others can apparently [run Debian!](https://www.cybertec-postgresql.com/en/the-debian-conference-2025-in-brest/)
 - [uBITX v6](https://www.hfsignals.com/index.php/ubitx-v6/): 10W HF, SSB/CW, SDR, arduino-based, GPL-3, 210$ for
   kit
 - [QMX](https://qrp-labs.com/qmx.html): low power QRP transceiver HF 20-80M, SDR / CW, packet,

improve renewal procedures
Today I was getting expiration errors, even though angela's cert was
actually renewed. Turns out that just regenerating the CRL was enough!
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 10ece0e9..b571cd6e 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1246,33 +1246,40 @@ be able to send mail. Test with:
 
 ### Renewing a key
 
-Renewing the cert:
+If a certificate expired, you need to renew it.
 
-    cd /etc/ssl/ca
-    openssl ca --config openssl.cnf -days 365 -in req/tubman.anarc.at.csr -out certs/tubman.anarc.at.crt
+ 1. issue a new cert
 
-Updating fingerprints (copy-paste from above):
+        cd /etc/ssl/ca
+        openssl ca --config openssl.cnf -days 365 -in req/angela.anarc.at.csr -out certs/angela.anarc.at.crt
 
-    rm /etc/postfix/client-certs-fingerprints
-    for cert in certs/* ; do 
-        printf "%s %s\n" "$(
-            openssl x509 -in $cert -noout -pubkey |
-                openssl pkey -pubin -outform DER |
-                openssl dgst -sha256 -c |
-                sed 's/.*= //'
-            )" $cert >> /etc/postfix/client-certs-fingerprints
-    done
-    postmap /etc/postfix/client-certs-fingerprints
+    If you get an error like:
 
-Telling dovecot:
+        ERROR:There is already a certificate for /CN=angela.anarc.at/emailAddress=anarcat
 
-    openssl ca -config openssl.cnf  -gencrl  > crl.pem
-    cat cacert.pem crl.pem > cacrl.pem
-    service dovecot restart
+    It might be the CRL just needs an update, ignore the error and
+    regenerate the CRL (last step below).
+
+ 2. Copy the `.crt` file back to the client
+
+ 3. Updating Postfix fingerprints (copy-paste from above):
+
+        rm /etc/postfix/client-certs-fingerprints
+        for cert in certs/* ; do 
+            printf "%s %s\n" "$(
+                openssl x509 -in $cert -noout -pubkey |
+                    openssl pkey -pubin -outform DER |
+                    openssl dgst -sha256 -c |
+                    sed 's/.*= //'
+                )" $cert >> /etc/postfix/client-certs-fingerprints
+        done
+        postmap /etc/postfix/client-certs-fingerprints
 
-Then copy the `.crt` file back to the client.
+ 4. Regenerate CRL and tell Dovecot:
 
-TODO: does reload work too?
+        openssl ca -config openssl.cnf  -gencrl  > crl.pem
+        cat cacert.pem crl.pem > cacrl.pem
+        service dovecot reload
 
 ### Easy-RSA CA notes
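Review bot: in step 1, the advice to ignore `ERROR:There is already a certificate for /CN=angela.anarc.at/emailAddress=anarcat` conflates two situations. `openssl ca` raises that error because the CA index still holds a valid entry for that subject (the `unique_subject` default), which matches the case in the commit message: the cert had already been renewed and only the CRL had lapsed. The same error also appears when the old cert really has expired and a new one must be issued; regenerating the CRL then changes nothing, and the stale entry has to be revoked first (`openssl ca -config openssl.cnf -revoke certs/angela.anarc.at.crt`) or `unique_subject = no` set before re-issuing. Suggest a check before step 1 that decides which case applies: `openssl x509 -in certs/angela.anarc.at.crt -noout -enddate` against `openssl crl -in crl.pem -noout -nextupdate`. Worth a line in step 4 as well: the regenerated CRL carries its own `nextUpdate`, so the expiration errors return on the CRL's schedule unless `-gencrl` is run periodically.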
 

improve on the fw12 laptop review
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index 28f2c53d..55032cab 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -57,7 +57,7 @@ Currently in pre-order / shipping, as of 2025-07-08.
 
 The laptop was supposed to ship "in July", and it did!
 
-## First impressions
+# First impressions
 
 - [missed first post](https://bisco.org/notes/debian-on-framework-12/)
 - lid tighter
@@ -75,16 +75,12 @@ The laptop was supposed to ship "in July", and it did!
   tried it last, and like what I saw on the Steam Deck
 - really nice to see it's actually a touch screen (I expected to be
   disappointed and have the screen work only with the stylus)
+- becomes warm on my legs, presumably because syncthing
+- power usage seems decent, after installing the base system, a bunch
+  of apps, running syncthing, battery is at 45% with, presumably, 1h36
+  remaining... so I guess not that great?
 
-## Open questions
-
-- [which sleeve/case](https://community.frame.work/t/suggestions-on-carrying-bag-or-sleeves/71796)
-- will the screen suck? maybe [a matte protector](https://viascreens.com/screen-protector/framework/laptop-12-2-in-1/matte) (so far not
-  noticed any issue, maybe colors a little less punchy?)
-- how will battery life be? (installer doesn't show battery, oops!)
-- will the pen work well? [where to put it?](https://community.frame.work/t/where-to-put-the-pen/67602)
-- will the sensors work for auto-rotate? ([apparently](https://community.frame.work/t/auto-rotate-and-accelerometer/70964), but not in
-  the Debian installer either)
+TODO: maybe software setup goes into [[hardware/dorothea]]?
 
 ## Downsides
 
@@ -96,15 +92,104 @@ The laptop was supposed to ship "in July", and it did!
   a whim (but i *can* use it with a DP adapter, and treat the monitor
   as a dock, presumably, to be tested)
 
-## Other notes
+## Open questions
 
-### Stylus
+- [which sleeve/case](https://community.frame.work/t/suggestions-on-carrying-bag-or-sleeves/71796)
+- will the screen suck? maybe [a matte protector](https://viascreens.com/screen-protector/framework/laptop-12-2-in-1/matte) (so far not
+  noticed any issue, colors do look a little washed out)
+- how will battery life be? (installer doesn't show battery, oops!)
+- will the pen work well? [where to put it?](https://community.frame.work/t/where-to-put-the-pen/67602)
 
 > Framework Laptop 12 is compatible with MPP 2.0 and USI 2.0 stylus
 > types. The default setting is MPP-compatibility, and you can
 > switch to USI mode in BIOS settings.
 
-### BIOS updates
+- will the sensors work for auto-rotate? ([apparently](https://community.frame.work/t/auto-rotate-and-accelerometer/70964), but not in
+  the Debian installer either)
+
+# KDE
+
+Works well! Like the "retro" look compared to GNOME.
+
+Seems like KDE's "touch mode" (which makes UI elements bigger) does
+not trigger? It's still relatively useable.
+
+Out of the box, auto-rotation and virtual keyboard don't work.
+
+The virtual keyboard gets fixed by installing `maliit-keyboard`, then
+selecting it in the "virtual keyboard" dialog, which i found in [this
+discussion](https://discuss.kde.org/t/how-to-enable-virtual-keyboard-included-in-kde/264/11).
+
+To fix the rotating display issue, you need to install
+`iio-sensor-proxy` hack at udev and then reboot:
+
+```
+sudo apt install iio-sensor-proxy
+sudo sed -i 's/.*iio-buffer-accel/#&/' /usr/lib/udev/rules.d/80-iio-sensor-proxy.rules
+sudo udevadm trigger --settle
+sudo systemctl restart iio-sensor-proxy
+sudo reboot
+```
+
+To see if the sensors work, try: `monitor-sensor --accel`. For
+example, a normally sitting laptop flipped to the side and back should
+show this:
+
+```
+anarcat@dorothea:~$ monitor-sensor --accel
+    Waiting for iio-sensor-proxy to appear
++++ iio-sensor-proxy appeared
+=== Has accelerometer (orientation: normal, tilt: vertical)
+    Accelerometer orientation changed: left-up
+    Tilt changed: tilted-up
+    Accelerometer orientation changed: normal
+    Tilt changed: vertical
+```
+
+In my case, after installing `iio-sensor-proxy` patching its udev, and
+restarting services, the above worked, but Plasma didn't pick it up, I
+had to reboot for the fix to be complete.
+
+This is a [known issue with some component part of Ubuntu and Debian](https://github.com/FrameworkComputer/linux-docs/blob/main/framework12/Ubuntu-25-04-accel-ubuntu25.04.md#ubuntu-2504-tablet-mode-setup-udev-edit)
+
+I filed this [as a new topic](https://community.frame.work/t/tablet-mode-in-kde-auto-rotate-virtual-keyboard/72357) before finding this.
+
+
+night mode is only night light, would like reverse video too.
+
+
+loving the info center, no idea how i got there or how to get back
+
+## installed
+
+- krita
+- darktable
+- syncthingtray
+- emacs
+- vlc
+- git-annex
+
+couldn't install darktable, flatpak or llm from the app center
+
+# Firefox
+
+## Installed add-ons
+
+- ublock
+- wallabag
+- url to qr code
+- clean urls
+- bitwarden
+
+logged into
+
+- sonic.anarc.at
+- jellyfin.anarc.at
+- photoprism.anarc.at
+- grafana.anarc.at
+- kagi (and changed search engine)
+
+# BIOS updates
 
 There's already a BIOS update! Should be installable with LVFS, see
 the [BIOS updates page](https://knowledgebase.frame.work/framework-laptop-12-bios-and-driver-releases-13th-gen-intel-core-HyrqeX2ex).
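Review bot: the rotation fix edits `/usr/lib/udev/rules.d/80-iio-sensor-proxy.rules` in place with `sudo sed -i`, which the next upgrade of the `iio-sensor-proxy` package will silently overwrite, breaking auto-rotate again. udev gives a file in `/etc/udev/rules.d/` precedence over one of the same name in `/usr/lib/udev/rules.d/`, so copy the rule there first (`sudo cp /usr/lib/udev/rules.d/80-iio-sensor-proxy.rules /etc/udev/rules.d/`) and apply the same `sed` to `/etc/udev/rules.d/80-iio-sensor-proxy.rules`. The lead-in `you need to install iio-sensor-proxy hack at udev and then reboot` also fuses two clauses; something like "install iio-sensor-proxy, patch its udev rule, then reboot" states what the block does.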

more tweaks to fw review
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index 55032cab..027d1984 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -91,6 +91,7 @@ TODO: maybe software setup goes into [[hardware/dorothea]]?
   of setups, which means i can't use it to replace my current setup on
   a whim (but i *can* use it with a DP adapter, and treat the monitor
   as a dock, presumably, to be tested)
+- a bit too heavy for a tablet
 
 ## Open questions
 
@@ -171,6 +172,16 @@ loving the info center, no idea how i got there or how to get back
 
 couldn't install darktable, flatpak or llm from the app center
 
+### flatpaks
+
+- element
+- supersonic
+- koreader
+- zotero
+- signal desktop?
+- speech note
+- organic maps
+
 # Firefox
 
 ## Installed add-ons

install dorothea
diff --git a/hardware/dorothea.mdwn b/hardware/dorothea.mdwn
new file mode 100644
index 00000000..259c5ffd
--- /dev/null
+++ b/hardware/dorothea.mdwn
@@ -0,0 +1,26 @@
+`dorothea` is named after [Dorothea Lange](https://en.wikipedia.org/wiki/Dorothea_Lange), "was an American
+documentary photographer and photojournalist, best known for her
+Depression-era work for the Farm Security Administration
+(FSA). Lange's photographs influenced the development of documentary
+photography and humanized the consequences of the Great
+Depression."
+
+From 1941, "she documented the [internment of Japanese Americans](https://en.wikipedia.org/wiki/Japanese_American_internment)
+and their subsequent incarceration, traveling throughout urban and
+rural California to photograph families required to leave their houses
+and hometowns on orders of the government. Sensitive to the
+implications of her images, authorities impounded most of Lange's
+photography of the (Japanese American) internment process—these photos
+were not seen publicly during the war. "
+
+"In 1952, Lange co-founded the photography magazine [Aperture](https://en.wikipedia.org/wiki/Aperture_(magazine))",
+which is still in print today (as of 2025).
+
+> The camera is an instrument that teaches people how to see without a
+> camera. -- Dorothea Lange: A Photographer's Life. p. vii (1978)
+
+# details
+
+- hardware: [[hardware/laptop/framework-12]]
+- software: Debian 13 trixie (at the time of install)
+- purpose: play
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index 5f60d26f..28f2c53d 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -38,16 +38,53 @@ Currently in pre-order / shipping, as of 2025-07-08.
   different batch](https://community.frame.work/t/fw12-color-batch-1-guild/71354) which is [rumored](https://community.frame.work/t/fw12-batch-1-guild/67317/234?u=anarcat) to have started shipping
   today, although that might be [confused with the colored batch 0](https://community.frame.work/t/fw12-batch-0-guild/67353/322)
 - 2025-07-10 00:52 +0000: "step 2" (preparing your batch) email
-
-In theory, the laptop should ship "in July".
+- 2025-07-15 14:19 +0000: "step 3" (payment complete) email
+- 2025-07-15 21:50 +0000: requested shipping delay (!)
+- 2025-07-16 04:49 +0000: response from support, will ship within 5
+  business days, too late to delay, ask Fedex for a temporary hold
+  with the confirmation number
+- 2025-07-16 09:54 +0000: "step 4" (your order has shipped) email
+- 2025-07-16 01:37: shipment info at fedex
+- 2025-07-16 03:44: picked up in Taoyuan TW
+- 2025-07-16 08:46: Ta Yuan District TW
+- 2025-07-17 02:26: Sennan-Shi JP
+- 2025-07-17 12:58: Memphis, TN
+- 2025-07-17 12:36: Winnipeg, MB
+- 2025-07-18 04:20: Mississauga, ON
+- 2025-07-18 05:17: Mirabel, PQ
+- 2025-07-18 07:45: Saint-Laurent, PQ
+- 2025-07-18 12:01: Delivered!
+
+The laptop was supposed to ship "in July", and it did!
+
+## First impressions
+
+- [missed first post](https://bisco.org/notes/debian-on-framework-12/)
+- lid tighter
+- had trouble finding the power button!
+- secureboot couldn't boot grml, but could boot trixie. trick is there
+  is *another* BIOS than the main one, press <kbd>F2</kbd> real fast
+  while booting, and pick "Administer secure boot" to disable it to
+  boot grml. but trixie boots fine with secureboot.
+- play laptop, considering entirely password-less setup
+- installed Trixie RC2, went flawlessly, but Debian's installer is
+  still too complicated for what it does, and (IMHO) should be spun
+  out into a new applications running on top of live images, briefly
+  considered Fedora, but was scared of novelty
+- installed KDE Plasma because I was really confused by GNOME when I
+  tried it last, and like what I saw on the Steam Deck
+- really nice to see it's actually a touch screen (I expected to be
+  disappointed and have the screen work only with the stylus)
 
 ## Open questions
 
 - [which sleeve/case](https://community.frame.work/t/suggestions-on-carrying-bag-or-sleeves/71796)
-- will the screen suck?
-- how will battery life be?
+- will the screen suck? maybe [a matte protector](https://viascreens.com/screen-protector/framework/laptop-12-2-in-1/matte) (so far not
+  noticed any issue, maybe colors a little less punchy?)
+- how will battery life be? (installer doesn't show battery, oops!)
 - will the pen work well? [where to put it?](https://community.frame.work/t/where-to-put-the-pen/67602)
-- will the sensors work for auto-rotate? ([apparently](https://community.frame.work/t/auto-rotate-and-accelerometer/70964))
+- will the sensors work for auto-rotate? ([apparently](https://community.frame.work/t/auto-rotate-and-accelerometer/70964), but not in
+  the Debian installer either)
 
 ## Downsides
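Review bot: the Secure Boot bullet explains turning Secure Boot off via `Administer secure boot` to boot grml and notes that trixie boots fine with it on, but never says whether it was switched back on afterwards; since the point of the bullet is that the installed system works under Secure Boot, add a word on re-enabling it. The `considering entirely password-less setup` bullet two lines below deserves a qualifier too: with no login password and nothing said here about disk encryption, whoever holds the laptop holds its data, so "play laptop" should spell out what is and is not meant to live on it.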
 
@@ -59,6 +96,19 @@ In theory, the laptop should ship "in July".
   a whim (but i *can* use it with a DP adapter, and treat the monitor
   as a dock, presumably, to be tested)
 
+## Other notes
+
+### Stylus
+
+> Framework Laptop 12 is compatible with MPP 2.0 and USI 2.0 stylus
+> types. The default setting is MPP-compatibility, and you can
+> switch to USI mode in BIOS settings.
+
+### BIOS updates
+
+There's already a BIOS update! Should be installable with LVFS, see
+the [BIOS updates page](https://knowledgebase.frame.work/framework-laptop-12-bios-and-driver-releases-13th-gen-intel-core-HyrqeX2ex).
+
 # Reviews
 
 The Framework 12" received mixed reviews, in general. Most complained
diff --git a/services/dns.mdwn b/services/dns.mdwn
index 4c419db2..088a2f85 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -144,6 +144,8 @@ femmes. Exemples utilisés:
 
  * [[hardware/angela]] ([Davis][])
  * [[hardware/bell]] ([Hooks][])
+ * [[hardware/dorothea]] ([Lange][]) - famous female photographer, I
+   admire her [Migrant Mother](https://en.wikipedia.org/wiki/Migrant_Mother)
  * [[hardware/louise]] ([Michel][])
  * ([Margaret][]) [[hardware/atwood]]
  * [[hardware/margaret]] ([Hamilton][Margaret Hamilton]) - developed
@@ -179,6 +181,7 @@ femmes. Exemples utilisés:
 [yes, the character]: https://en.wikipedia.org/wiki/Mafalda
 [Harriet]: https://en.wikipedia.org/wiki/Harriet_Tubman
 [Fumiko Kaneko]: https://en.wikipedia.org/wiki/Fumiko_Kaneko
+[Lange]: https://en.wikipedia.org/wiki/Dorothea_Lange
 
 Anciens
 -------

automatic federated post of /hardware/tablet/kobo-clara-hd
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/hardware/tablet/kobo-clara-hd.md b/hardware/tablet/kobo-clara-hd.md
index 09e3b4b5..04b380b9 100644
--- a/hardware/tablet/kobo-clara-hd.md
+++ b/hardware/tablet/kobo-clara-hd.md
@@ -291,3 +291,7 @@ decided *not* to do here because my time is precious:
 Now maybe I'll have time to actually read a book...
 
 [[!tag blog hardware python-planet debian-planet kobo syncthing]]
+
+
+<!-- posted to the federation on 2025-07-11T14:33:34.777083 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/114836033674441232"]]
\ No newline at end of file

kobo: new reset hacks
diff --git a/hardware/tablet/kobo-clara-hd.md b/hardware/tablet/kobo-clara-hd.md
index 96f1a657..09e3b4b5 100644
--- a/hardware/tablet/kobo-clara-hd.md
+++ b/hardware/tablet/kobo-clara-hd.md
@@ -67,7 +67,28 @@ bypass the annoying registration step. Basically:
  4. `INSERT INTO user(UserID,UserKey) VALUES('1','');`
  5. unmount the device
 
-More details in the above guide, again.
+More details in the above guide.
+
+Update: this works on the Clara HD, or at least the firmware version I
+was using then. But on newer devices (e.g. this Kobo Libra from 2025),
+that didn't work. [Another hack](https://www.reddit.com/r/kobo/comments/mt2f30/comment/k4pt8tx/) is possible, thankfully. The trick
+is to:
+
+ 1. Mount the device
+ 2. Delete `.kobo/KoboReader.sqlite` (if you are already signed in)
+ 3. Reboot
+ 4. Edit the `.kobo/Kobo/Kobo eReader.conf` file
+ 5. Add the line `SideloadedMode=true` under the
+    `[ApplicationPreferences]` section
+ 6. (Possibly?) Delete `.kobo/KoboReader.sqlite` (again?)
+ 7. Eject and restart
+
+I'm not 100% sure of the procedure. [This guide](https://www.reddit.com/r/kobo/comments/1dl6hym/libra_colour_how_to_bypass_registration/) doesn't mention
+deleting the database at all and it didn't work for me, but I had
+already started the registration process.
+
+Also note that deleting the database will reset your reading progress
+and so on.
 
 ## Install koreader
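Review bot: steps 2 and 6 both delete `.kobo/KoboReader.sqlite`, and the closing paragraph notes that this wipes reading progress; suggest a preliminary step that copies the database off the device first, so a failed attempt (the text says the procedure is not 100% sure) can be rolled back instead of repeated from a blank state. The `(Possibly?)` and `(again?)` in step 6 would also read better as one sentence stating that the second deletion was needed in your case but is unconfirmed.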
 

framework batch being prepared! (yesterday)
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
index 00b604d4..5f60d26f 100644
--- a/hardware/laptop/framework-12.md
+++ b/hardware/laptop/framework-12.md
@@ -37,6 +37,7 @@ Currently in pre-order / shipping, as of 2025-07-08.
   have received theirs](https://bisco.org/notes/debian-on-framework-12/), seems like the [colored ones are in a
   different batch](https://community.frame.work/t/fw12-color-batch-1-guild/71354) which is [rumored](https://community.frame.work/t/fw12-batch-1-guild/67317/234?u=anarcat) to have started shipping
   today, although that might be [confused with the colored batch 0](https://community.frame.work/t/fw12-batch-0-guild/67353/322)
+- 2025-07-10 00:52 +0000: "step 2" (preparing your batch) email
 
 In theory, the laptop should ship "in July".
 

more secrets
diff --git a/blog/secrets-recovery.md b/blog/secrets-recovery.md
index cef602fb..1fdcbee1 100644
--- a/blog/secrets-recovery.md
+++ b/blog/secrets-recovery.md
@@ -57,9 +57,10 @@ https://github.com/cyphar/paperback
 
 to review: https://news.ycombinator.com/item?id=37534615
 
+[review of various paper encodings](https://www.monperrus.net/martin/store-data-paper)
 
 128-bit metal punch card backup https://volution.ro/pckb/
 
 
 <!-- posted to the federation on 2025-06-01T23:04:28.772798 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/114611550199170060"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/114611550199170060"]]

possible secondaries
diff --git a/services/dns.mdwn b/services/dns.mdwn
index efc5b78a..4c419db2 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -130,6 +130,11 @@ Situation actuelle:
  * gandi: `reseaulibre.ca` (2024-04-28), `anarc.at` (2024-09-06),
    `insomniaque.org` (2029-04-28)
 
+## Secondaires
+
+[This Debian person made a list of secondary DNS
+providers](https://blog.sahilister.in/2025/07/secondary-authoritative-name-server-options-for-self-hosted-domains/). [1986.is particularly interesting](https://1984.hosting/product/freedns/).
+
 Convention de noms
 ==================
 
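Review bot: the link text `1986.is` does not match its target, `https://1984.hosting/product/freedns/`; the provider's domain is 1984.hosting, so the sentence should read "[1984.hosting is particularly interesting](https://1984.hosting/product/freedns/)". The new `## Secondaires` is also the only ATX-style heading in a file whose other headings use the underlined form (`Convention de noms` over `====`); matching the file's convention would keep the table of contents consistent.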

other CD durability reports
diff --git a/services/archive/rescue.mdwn b/services/archive/rescue.mdwn
index 9a5db6f7..9989f5ab 100644
--- a/services/archive/rescue.mdwn
+++ b/services/archive/rescue.mdwn
@@ -244,8 +244,6 @@ quality. You should end up with the following files:
 The `.bin` file is a duplicate but can be used to regenerate the
 others (except the `.iso` file of course).
 
-
-
 Identifying disks
 -----------------
 
@@ -565,7 +563,21 @@ here is a summary of what's in the box.
 
 Note that this might be poor storage on my part, others have had more
 luck with their CDs, see [this report from a fellow Debian
-developer](https://k1024.org/posts/2024/2024-10-15-optical-media-lifetime/) for example.
+developer](https://k1024.org/posts/2024/2024-10-15-optical-media-lifetime/) for example:
+
+> for all explicitly selected media - TDK, JVC and Verbatim - they hold for 10-20 years
+
+There are other [similar reports](https://blog.dshr.org/2024/08/2024-optical-media-durability-update.html):
+
+> Surprisingly, with no special storage precautions, generic low-cost
+> media, and consumer drives, I'm getting good data from CD-Rs more
+> than 20 years old, and from DVD-Rs nearly 18 years old. 
+
+That said, many of the disks processed here *might* have crossed the
+10-20 year threshold: the archival work was done in 2018, and it's
+unclear how old the disks were. Some were certainly older than at
+least 2004 (so 14 years old), others likely much older (previous
+millennia).
 
 References
 ==========
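Review bot: "previous millennia" in the last new paragraph should be singular, "the previous millennium" (discs burned before 2000); the plural reads as thousands of years. The arithmetic is otherwise consistent (archived in 2018, discs from 2004 or earlier, so at least 14 years), but the paragraph would be easier to check if it restated the bound it is comparing against: 10-20 years for the branded media in the first quote, 18-20+ years in the dshr.org report, so the reader sees which threshold the discs here may have crossed.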

more marcos hardware
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index e5eddec5..f060b70f 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -126,7 +126,20 @@ Other providers:
 
 - <http://www.atic.ca/> built marcos v2, still no HTTPS?!
 
+## Other cases
+
+- [Jonsbro](https://www.jonsbo.com/) comes up a lot, see e.g. the [N3](https://www.jonsbo.com/en/products/N3.html)
+
 ## Other reviews
 
 - [2024: Best CPU + Motherboard combo for your NAS build](https://nascompares.com/2024/02/09/the-best-m-itx-cpumotherboard-combo-for-your-nas-build-2024-edition/)
 - [DIY NAS: 2025 edition](https://blog.briancmoses.com/2024/11/diy-nas-2025-edition.html)
+
+## Motherboards
+
+- Topton:
+  - [NAS Motherboard N6005 4x Intel i226-V 2.5G 17x17CM Soft
+    Routing](https://www.toptonpc.com/product/nas-motherboard-n6005-4x-intel-i226-v-2-5g-17x17cm-soft-routing/): 6x SATA, 2xNVMe, Intel 11th gen, 2xSO-DIMM DDR4,
+    4x2.5Gbps, HDMI/DP, 17x17cm Mini-ITX
+- [Minisforum](https://www.minisforum.com/) also make tiny boards, but not lots of SATA sockets,
+  i had bookmarked the [BD770i](https://minixpc.com/blogs/news/minisforum-bd770i-mini-itx-on-board-amd-ryzen-7-7745hx-motherboard-available-at-us-399) for some reason

start documenting the framework 12
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 7c4050bf..de54d1eb 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -139,6 +139,9 @@ are mixed because it reuses the old 12th gen Intel platform, but I
 don't mind so much that platform, it's the laptop I have now, and it
 works pretty amazingly well.
 
+Review in [[framework-12]] (not to be confused with the
+[[framework-12th-gen]] review, which is the 13" Intel 12th gen laptop.
+
 ## GPD pocket
 
 native ubuntu
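Review bot: the added sentence opens a parenthesis that is never closed: "Review in [[framework-12]] (not to be confused with the [[framework-12th-gen]] review, which is the 13" Intel 12th gen laptop." should end with "laptop)." The `[[framework-12]]` wikilink also depends on `hardware/laptop/framework-12.md`, created in the next diff of this batch, so the two must land together or the link renders as a missing page.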
diff --git a/hardware/laptop/framework-12.md b/hardware/laptop/framework-12.md
new file mode 100644
index 00000000..00b604d4
--- /dev/null
+++ b/hardware/laptop/framework-12.md
@@ -0,0 +1,97 @@
+Some draft notes about the [Framework Laptop 12" 2-in-1 laptop](https://frame.work/ca/en/laptop12),
+not to be confused with the larger [[Framework
+13"|framework-12th-gen]].
+
+Currently in pre-order / shipping, as of 2025-07-08.
+
+# Order history
+
+- pre-orders opened on April 10 (at least, that's when the email was
+  sent!)
+- pre-ordered on April 9th (!), with the following spec:
+  - base setup: 827.00
+    - CPU: Intel i3-1315U, a step down from the current 13", but [still
+      comparable](https://www.cpubenchmark.net/compare/4759vs5300/Intel-i5-1240P-vs-Intel-i3-1315U), but is more recent (2023-Q2 vs 2022-Q1, 6/8 cores
+      instead of 12/16, 1.2GHz vs 1.7GHz base speed, but similar turbo
+      at 4.5GHz and better TDP at 15W vs 28W)
+    - color: sage
+    - memory: DDR5-5600 - 16GB (my original setup on the 13", was mostly fine)
+  - keyboard: US English - Gray
+  - 65W power adapter: $64.00 (i thought i had a spare one of those, but seems
+    not, and those are so useful!)
+  - expansion cards:
+    - DisplayPort (2nd Gen) $25.00 (wanted to test the 2nd gen)
+    - HDMI (3rd Gen) $25.00 (same)
+    - 1TB (2nd Gen) $169.00 (same)
+    - USB-C (Translucent Green) $12.00 (wanted to test the green, i
+      have two more space USB-C, so this is actually too much)
+    - 2 x USB-A $24.00 (like my current setup, i often run out of
+      USB-A when i have a single one)
+  - total: 1146$CAD + tax, est. 1317.60$CAD, before 100$ deposit
+  - did *not* pick their NVMe drive, as the [1TB drive is 220$CAD](https://frame.work/ca/en/products/wd_black-sn770m-nvme?v=FRANTAWD0A),
+    for about that price I got a [2TB drive at B&H for 269.29$CAD](https://www.bhphotovideo.com/c/product/1802215-REG/wd_wdbdnh0020bbk_wrsn_wd_black_2tb_sn770m.html)
+    (shipping and taxes included!) instead
+- as of 2025-07-08, still not received confirmation of shipping,
+  changed a few minor things with the order (added a 1TB drive,
+  removed one USB-C module, added USB-A module), even though [others
+  have received theirs](https://bisco.org/notes/debian-on-framework-12/), seems like the [colored ones are in a
+  different batch](https://community.frame.work/t/fw12-color-batch-1-guild/71354) which is [rumored](https://community.frame.work/t/fw12-batch-1-guild/67317/234?u=anarcat) to have started shipping
+  today, although that might be [confused with the colored batch 0](https://community.frame.work/t/fw12-batch-0-guild/67353/322)
+
+In theory, the laptop should ship "in July".
+
+## Open questions
+
+- [which sleeve/case](https://community.frame.work/t/suggestions-on-carrying-bag-or-sleeves/71796)
+- will the screen suck?
+- how will battery life be?
+- will the pen work well? [where to put it?](https://community.frame.work/t/where-to-put-the-pen/67602)
+- will the sensors work for auto-rotate? ([apparently](https://community.frame.work/t/auto-rotate-and-accelerometer/70964))
+
+## Downsides
+
+- [no keyboard backlight](https://community.frame.work/t/framework-12-backlit-keyboard/67371)
+- [poor screen color accuracy](https://community.frame.work/t/fw12-poor-screen-colour-accuracy/71025) (66% sRGB), but it turns out that's
+  [similar to the Steam Deck LCD](https://community.frame.work/t/fw12-poor-screen-colour-accuracy/71025/11?u=anarcat)
+- [no thunderbolt](https://community.frame.work/t/no-thunderbolt/67331), which means no "one wire for everything" kind
+  of setups, which means i can't use it to replace my current setup on
+  a whim (but i *can* use it with a DP adapter, and treat the monitor
+  as a dock, presumably, to be tested)
+
+# Reviews
+
+The Framework 12" received mixed reviews, in general. Most complained
+about the old CPU shipped with the device, and pricing.
+
+- [Phoronix: An Upgrade-Friendly, Convertible 2-in-1 Linux Laptop](https://www.phoronix.com/review/framework-laptop-12):
+  
+  > The only downside is the performance if you are wanting to run any
+  > moderately demanding workloads but for those looking at a
+  > well-built, upgradeable, and all-around dependable mini Linux
+  > laptop or convertible tablet that can run your favorite modern
+  > Linux distribution, the Framework Laptop 12 is another great
+  > addition to the Framework Computer family.
+
+- [The Verge: plastic fantastic](https://www.theverge.com/reviews/688959/framework-laptop-12-review-modular-touchscreen-intel)
+
+  > The quirky 2-in-1 has an endearing design that could be a great
+  > fit for students. But Framework once again has to prove itself.
+
+- [Ars: A sturdy, thoughtful, cute design that just can't compete in
+  its price range](https://arstechnica.com/gadgets/2025/06/framework-laptop-12-review-im-excited-to-see-what-the-2nd-generation-looks-like/)
+
+  > I hope that Framework does what it's done for the Laptop 13 over
+  > the last four or so years: introduce updated components, iterate
+  > on different elements of the design, and gradually bring the price
+  > down into a more reasonable range through refurbished and
+  > factory-second parts. As a $1,000-ish computer, this leaves a lot
+  > to be desired. But as the foundation for a new Framework platform,
+  > it has enough promise to be interesting.
+
+Overall, the pros and cons seem to be:
+
+- plastic seems sturdy (MIL-STD-810)
+- modular ports with "child locks" are better than the Framework 13"
+  "latch" design (and i don't really like the 13" design either)
+- too expensive
+- mediocre colors and large bezel
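Review bot: typo in the USB-C expansion card bullet: "i have two more space USB-C" should read "spare". In the same hunk the order history lists a "1TB (2nd Gen) $169.00" expansion card, the NVMe bullet says the drive was bought at B&H instead of from Framework, and the 2025-07-08 bullet says "added a 1TB drive"; clarify whether that last addition is the storage expansion card or an NVMe, since as written the bullets read as contradicting each other. The "Order history" heading is `#` while "Open questions" and "Downsides" are `##` and "Reviews" is `#` again; the two top-level headings frame the subsections oddly and `##` for all four would read more naturally.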

ratings
diff --git a/hardware/camera.mdwn b/hardware/camera.mdwn
index 7160bde6..44dbcf65 100644
--- a/hardware/camera.mdwn
+++ b/hardware/camera.mdwn
@@ -157,6 +157,8 @@ and here is my progress:
 - 2025-05-20: 12903 (-1040, plus 700+ new shots, two months mark,
   5k done, ETA 2-3 more months)
 - 2025-06-07: 12044 (-859, plus some new shots)
+- 2025-06-27: 11346 (-658, plus +452 new, done back to 2023, 2005-2022
+  to go (!), 2 weeks missed)
 
 Inventaire
 ==========

some more framework updates
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index f8adfb78..7c4050bf 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -37,7 +37,19 @@ Comparateur: https://www.thelaptoplist.com/
 
 <https://frame.work/>
 
-### 11th gen
+### 13"
+
+The framework line used to be divided in generations (11th gen, 12th
+gen, etc) aligned with the Intel CPU generations. But now they have
+AMD CPUs and laptops of another form factor, so a "Framework 12" is
+actually pretty confusing now, because it can refer to the "12th gen
+13" laptop (which i have) or the "12th gen 12 inch 2-1 laptop
+announced in 2025).
+
+From now on, i'll try to be specific about the size of the
+laptop. This section documents the classic 13" laptops.
+
+#### 11th gen
 
 Specs (Intel 11th gen, newer specs available, see below):
 
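Review bot: the new paragraph has unbalanced quotes and parentheses: in `the "12th gen 13" laptop (which i have) or the "12th gen 12 inch 2-1 laptop announced in 2025)` the inch mark closes the first quotation early, the second quotation is never closed, and the final `)` closes nothing. Suggest: "because it can refer to the 12th gen 13" laptop (which I have) or to the 12" 2-in-1 laptop announced in 2025." Separately, framework-12.md in this same batch lists the 12" with an Intel i3-1315U, which is a 13th gen (Raptor Lake) part released 2023-Q2, so calling the 12" a "12th gen" machine here is inaccurate; if the point is that the 12" reuses the 12th gen era platform rather than the CPU generation, say that explicitly.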
@@ -55,12 +67,12 @@ Specs (Intel 11th gen, newer specs available, see below):
  * Intel® Wi-Fi 6E AX210
  * fingerprint reader
 
-### 12th gen
+#### 12th gen
 
 Ordered a Framework 12th Gen intel DIY laptop in late August 2022, see
 detailed review in [[framework-12th-gen]].
 
-### 13th gen and AMD
+#### 13th gen and AMD
 
 There's now a third generation of Framework laptops, along with an AMD
 version. The AMD version is particularly interesting because AMD has
@@ -84,11 +96,32 @@ Review:
  * [Phoronix](https://www.phoronix.com/review/framework-13-amd/6), AMD - "fantastic choice for Linux users"
  * [rtings](https://www.rtings.com/laptop/reviews/framework/laptop-13-2023)
 
-### Framework 16
-
-Another product in development is the Framework 16, currently in
-pre-order. It's a larger laptop than the "13" (which the 11th, 12th
-and 13th gen all fit into) with 6 expansion ports, hotswappable
+### 16"
+
+Framework just (2023-03-23) just announced a whole bunch of new stuff:
+
+ * [AMD Ryzen 7040 and 13th gen Intel board](https://frame.work/blog/framework-laptop-13-with-13th-gen-intel-core-and-amd-ryzen-7040-series)
+ * [16" laptop version](https://frame.work/blog/introducing-the-framework-laptop-16) (pre-order) with an expansion "bay" for an
+   upgradeable graphics module which could also fit M.2 storage
+ * [audio expansion card](https://frame.work/products/audio-expansion-card), since the 16 laptop doesn't have a combo
+   jack
+ * official [mainboard case](https://frame.work/products/cooler-master-mainboard-case) (back-ordered)
+ * official *battery case* (!) (no site yet)
+ * new bezel colors, including [transluscent](https://frame.work/products/bezel?v=FRANCBCP04), green, purple and
+   red (back-ordered)
+ * new, louder (80dB) [speakers](https://frame.work/products/speaker-kit?v=FRANBXFG03)
+ * [new 61Wh battery](https://frame.work/products/battery?v=FRANGWAT01)
+ * [matte display](https://frame.work/products/display-kit?v=FRANFX0001)
+ * [new hinge](https://frame.work/products/hinge-kit-2nd-gen-3-5kg)
+
+The recording is available in [this video](https://www.youtube.com/watch?v=ccpsyRipHlk) and it's not your
+typical keynote. It starts ~25 minutes late, audio is crap, lightning
+and camera are crap, clapping seems to be from whatever staff they
+managed to get together in a room, decor is bizarre, colors are
+shit. It's amazing.
+
+The Framework 16 is a larger laptop than the "13" (which the 11th,
+12th and 13th gen all fit into) with 6 expansion ports, hotswappable
 keyboard mods and a hotswappable GPU.
 
 Reviews:
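Review bot: the block moved here from framework-12th-gen.md carries its original typos with it: "Framework just (2023-03-23) just announced" repeats "just", "transluscent" should be "translucent", and "lightning and camera are crap" should be "lighting". Since the move is the only change, this is the moment to fix them. The moved text now sits under `### 16"` although its first bullet is about the 13" (AMD Ryzen 7040 and 13th gen Intel boards); a one-line lead-in such as "Framework announced the 16" alongside new 13" mainboards" would keep the heading honest.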
@@ -97,6 +130,15 @@ Reviews:
  * [Upstream's review index](https://frame.work/ca/en/blog/framework-laptop-16-reviews-are-live)
  * [ifixit teardown](https://www.youtube.com/watch?v=Y8uv8fajOrc) (10/10)
 
+### 12" 
+
+Framework did it again, and there's yet another line of (incompatible)
+hardware that came out: a 2-in-1 laptop. I pre-ordered it because I
+was looking for a [[tablet]], we'll see how it goes. So far reviews
+are mixed because it reuses the old 12th gen Intel platform, but I
+don't mind so much that platform, it's the laptop I have now, and it
+works pretty amazingly well.
+
 ## GPD pocket
 
 native ubuntu
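Review bot: `### 12" ` has a trailing space after the closing quote. "reuses the old 12th gen Intel platform" conflicts with the i3-1315U listed for the 12" in framework-12.md in this same batch, which is a 13th gen part; "reuses a modest 13th gen Intel U-series CPU" (or whatever the intended comparison is) would match the spec sheet. "it's the laptop I have now" refers to the 12th gen 13", which only readers who know the author's setup will infer; "(the 12th gen 13" reviewed in [[framework-12th-gen]])" would disambiguate.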
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 25827b57..e95f9fe7 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -57,6 +57,12 @@ around the table of contents as you see fit for after you did buy the
 laptop, as it might include some crucial hints on how to make it work
 best for you, especially on (Debian) Linux.
 
+Heads up: the 3.17 BIOS upgrade changed *everything*. Performance is
+much better: i've seen three-fold performance improvements in
+asncounter benchmarks, although the fan is noisier, it's great!
+Presumably power management is better too. Lots in here needs to be
+updated to reflect that, but I lack the time to do so.
+
 [[!toc levels=5]]
 
 # Advice for buyers
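Review bot: "three-fold performance improvements in asncounter benchmarks" is a strong claim with no pointer to the numbers or to the 3.17 BIOS release notes; add the benchmark command and the before/after figures (or a link to them) so a reader can tell whether the gain is a frequency, power-limit or scheduling change. "i've" should be "I've" to match the capitalised "I" used in the rest of the file.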
@@ -98,29 +104,6 @@ I have decided to use the Framework as my daily driver, and had to buy
 a [[USB-C dock|blog/2023-02-10-usb-c]] to get my two monitors
 connected, which was own adventure.
 
-Update: Framework just (2023-03-23) just announced a whole bunch of
-new stuff:
-
- * [AMD Ryzen 7040 and 13th gen Intel board](https://frame.work/blog/framework-laptop-13-with-13th-gen-intel-core-and-amd-ryzen-7040-series)
- * [16" laptop version](https://frame.work/blog/introducing-the-framework-laptop-16) (pre-order) with an expansion "bay" for an
-   upgradeable graphics module which could also fit M.2 storage
- * [audio expansion card](https://frame.work/products/audio-expansion-card), since the 16 laptop doesn't have a combo
-   jack
- * official [mainboard case](https://frame.work/products/cooler-master-mainboard-case) (back-ordered)
- * official *battery case* (!) (no site yet)
- * new bezel colors, including [transluscent](https://frame.work/products/bezel?v=FRANCBCP04), green, purple and
-   red (back-ordered)
- * new, louder (80dB) [speakers](https://frame.work/products/speaker-kit?v=FRANBXFG03)
- * [new 61Wh battery](https://frame.work/products/battery?v=FRANGWAT01)
- * [matte display](https://frame.work/products/display-kit?v=FRANFX0001)
- * [new hinge](https://frame.work/products/hinge-kit-2nd-gen-3-5kg)
-
-The recording is available in [this video](https://www.youtube.com/watch?v=ccpsyRipHlk) and it's not your
-typical keynote. It starts ~25 minutes late, audio is crap, lightning
-and camera are crap, clapping seems to be from whatever staff they
-managed to get together in a room, decor is bizarre, colors are
-shit. It's amazing.
-
 # Specifications
 
 Those are the specifications of the 12th gen, in general terms. Your

replaced my framework touchpad
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 1df943e0..25827b57 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2046,6 +2046,59 @@ Thunderbolt dock from [Cable Matters](https://www.cablematters.com/), with the l
 [201053-SIL](https://www.cablematters.com/pc-1054-127-usb-c-docking-station-with-dual-4k-hdmi-and-80w-charging-for-windows-computers.aspx). It has issues, see [[this blog
 post|blog/2023-02-10-usb-c]] for an in-depth discussion.
 
+## Touch pad replacement
+
+Today (2025-06-27), I replaced the touch pad. It was pretty flaky: I
+had [filed a request on the forum](https://community.frame.work/t/mouse-pad-click-fatigue/38052/5) but ended up reaching out to
+support for help, and after a few back and forth, they confirmed that
+the part was faulty and not under warranty. I ordered a [new one](https://frame.work/ca/en/products/touchpad-kit?v=FRANFT0001)
+(51$) which came quickly enough, and replaced it.
+
+It took 25 minutes to [follow the guide](https://guides.frame.work/Guide/Touchpad+Replacement+Guide/90) from the time I posted
+"I'm rebooting" to the time I returned, so their estimate of "5-12
+minutes" on that page is quite optimistic.
+
+The old touchpad is still somewhat functional: taps work, but
+scrolling doesn't work so well (sometimes there are spurious clicks!)
+and the "click" feature just doesn't work at all anymore, which is a
+problem because it's essentially the only way to "right-click-drag" in
+Sway, likely because of a bug in sway or wlroots itself, as it doesn't
+send dragging even for the "three finger taps" (even though `evtest`
+sees them).
+
+Timeline:
+
+- 2022-09-27: received laptop
+- 2023-10-15: first reports of click fatigue on the forum
+- 2023-10-20: followed a [workaround guide](https://guides.frame.work/Guide/Touchpad+Rubbing+Fix+Guide/103?lang=en), marginal improvements
+- 2024-05-13: still having issues, filed [as a different topic](
+https://community.frame.work/t/responded-spurious-clicks-while-using-touch-pad/50834)
+  because I forgot about the first
+- 2025-06-17 20:27:18 +00000: opened issue with Framework support (auto-reply)
+- 2025-06-17 23:57:24 +0000: first prompts from support
+- 2025-06-17 22:22:50 -0400: response to most prompts, asks for quick decision
+- 2025-06-18 03:44:51 +0000: support recommends getting a new input
+  cover
+- 2025-06-18 10:06:45 -0400: ask for clarification whether the entire
+  keyboard needs replacement
+- 2025-06-18 15:59:41 +0000: support sends correct link to touch pad
+  (<https://frame.work/ca/en/products/touchpad-kit?v=FRANFT0001>)
+- 2025-06-18 17:22:13 +0000: touchpad ordered
+- 2025-06-19 16:43:17 +0000: touchpad shipped
+- 2025-06-23 13:52:00 -0400: touchpad delivered (~4 days)
+- 2025-06-27 15:47:04 -0400: touchpad installation starts (shutdown
+  takes a couple minutes)
+- 2025-06-27 16:11:35 -0400: touchpad installation completes (fully
+  booted, ~23 minutes)
+
+All in all, from when I opened the issue to when I had the fix, it
+took 10 days, 4 of which were spent in shipping, and 4 of which were
+spent in me not doing anything. So this is a repair that could have
+been done inside a week, even including a day of back-and-forth with
+support.
+
+Pretty happy with this.
+
 # Shipping details
 
 I ordered the Framework in August 2022 and received it about a month
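Review bot: "2025-06-17 20:27:18 +00000" has a five-digit UTC offset; it should be "+0000". The timeline mixes "+0000" and "-0400" entries, so "2025-06-17 23:57:24 +0000" appears to precede "2025-06-17 22:22:50 -0400" although the latter is 02:22 UTC on the 18th; converting every entry to one zone (or appending the UTC equivalent) would let the reader verify the "10 days" and "~4 days" totals. Also "it doesn't send dragging even for the "three finger taps"" should read "dragging events".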

switch to nicer sq wkd setup
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 1cb94a29..e65f2667 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -11,17 +11,17 @@ warn:
 	@echo "run '$(MAKE) renew hu upload upload-tpo' to make a full renewal"
 	@echo "this is not default because 'renew' and 'upload-tpo' are not idempotent"
 
-# thanks to kushal for this: https://kushaldas.in/posts/setting-up-wkd.html
+# thanks to kushal for this, originally: https://kushaldas.in/posts/setting-up-wkd.html
 #
-# the hack of moving stuff around is because sq refuses to update a
-# WKD directory in "direct" mode.
-#
-# we would need to try "advanced" mode but that requires a whole
-# different vhost (openpgpkey.anarc.at), ugh.
+# since then switched to simpler sq, which i found confusing, but this
+# works, i think. see:
+# https://gitlab.com/sequoia-pgp/sequoia-sq/-/issues/576
 hu:
-	sq network wkd publish --domain=anarc.at --cert=BBB6CD4C98D74E1358A752A602293A6FA4E53473 --method=direct --create .
-	mv .well-known/openpgpkey/hu/* hu/
-	rm -rf .well-known
+	if ! [ -d hu ]; then \
+		sq network wkd publish --domain=anarc.at --cert=BBB6CD4C98D74E1358A752A602293A6FA4E53473 --method=direct --create ../.. \
+	; else \
+		sq network wkd publish --domain=anarc.at --cert=BBB6CD4C98D74E1358A752A602293A6FA4E53473 ../.. \
+	; fi
 
 upload:
 	gpg --keyserver keyring.debian.org --send-keys $(FINGERPRINT)
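Review bot: the `else` branch drops `--method=direct`; unless sq infers the method from the existing tree, an update can be written to the advanced-method path (`openpgpkey/anarc.at/hu/`) instead of the `hu/` directory actually served here, so pass `--method=direct` in both branches. Both commands also hard-code `BBB6CD4C98D74E1358A752A602293A6FA4E53473` while the `upload:` target two lines below uses `$(FINGERPRINT)`; use the variable so the targets cannot drift apart on a key rotation. Finally, "this works, i think" deserves a check target, e.g. `gpg --auto-key-locate clear,wkd --locate-keys $(ADDRESS)` run against the published site, since a WKD that serves a stale or wrong certificate silently breaks key discovery for every correspondent.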
diff --git a/.well-known/openpgpkey/anarc.at/policy b/.well-known/openpgpkey/anarc.at/policy
deleted file mode 100644
index 6c55ace9..00000000
--- a/.well-known/openpgpkey/anarc.at/policy
+++ /dev/null
@@ -1 +0,0 @@
-# Policy flags for domain anarc.at
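Review bot: the deleted `.well-known/openpgpkey/anarc.at/policy` is the advanced-method location; the direct method the Makefile now uses expects the policy file at `.well-known/openpgpkey/policy`, next to `hu/`. The WKD draft requires that file to be present (it may be empty), and `gpg-wks-client --supported` probes it to decide whether a domain supports WKD, so removing the only visible policy file without showing its direct-method replacement is risky; confirm that `sq ... --create` writes `policy` beside `hu/`, or add a `touch policy` to the `hu:` target.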

switch to sq for WKD
this removes the revoked sigs but adds third-party sigs i locally
have, which i'm fine with
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index a033da76..1cb94a29 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -12,15 +12,16 @@ warn:
 	@echo "this is not default because 'renew' and 'upload-tpo' are not idempotent"
 
 # thanks to kushal for this: https://kushaldas.in/posts/setting-up-wkd.html
-# also tried sq but couldn't make it work:
-# 	sq network wkd publish --domain=anarc.at --cert=$(FINGERPRINT) --method=direct ../..
-# this fails because it wants --create, but create fails because directory already exists
+#
+# the hack of moving stuff around is because sq refuses to update a
+# WKD directory in "direct" mode.
 #
 # we would need to try "advanced" mode but that requires a whole
 # different vhost (openpgpkey.anarc.at), ugh.
 hu:
-	echo "$(FINGERPRINT) $(ADDRESS)" | /usr/lib/gnupg/gpg-wks-client -v --install-key --directory .
-	mv anarc.at/hu/* hu/
+	sq network wkd publish --domain=anarc.at --cert=BBB6CD4C98D74E1358A752A602293A6FA4E53473 --method=direct --create .
+	mv .well-known/openpgpkey/hu/* hu/
+	rm -rf .well-known
 
 upload:
 	gpg --keyserver keyring.debian.org --send-keys $(FINGERPRINT)
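Review bot: the recipe hard-codes `BBB6CD4C98D74E1358A752A602293A6FA4E53473` while the `upload:` target just below uses `$(FINGERPRINT)`; pass `--cert=$(FINGERPRINT)` so a key rotation needs one edit, not two. The `mv` plus `rm -rf .well-known` step runs from inside `.well-known/openpgpkey/`, so it removes the nested tree sq created with `--create .`, not the site's own `.well-known`; a comment saying so would stop the next editor from "fixing" the path into something destructive. Since the commit message notes that the served certificate's signature set changes (revoked signatures dropped, locally held third-party signatures added), consider running `sq inspect` on the generated `hu/` file in the recipe so the change in what is published is visible before it is pushed.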
diff --git a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe
index fe41fb5d..34c381d8 100644
Binary files a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe and b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe differ

document some sq wkd research
diff --git a/.well-known/openpgpkey/.gitattributes b/.well-known/openpgpkey/.gitattributes
new file mode 100644
index 00000000..36c68f0d
--- /dev/null
+++ b/.well-known/openpgpkey/.gitattributes
@@ -0,0 +1 @@
+hu/* diff=key
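Review bot: `hu/* diff=key` only takes effect if a `[diff "key"]` driver with a `textconv` is configured in the committer's own git config; the repository cannot ship that, so everyone else still gets "Binary files ... differ" (as the `hu/myctwj4an6ne7htuzyoo8osctuji68xe` diff in the "switch to sq for WKD" commit on this page shows). Document the expected driver in the Makefile comment, e.g. a `textconv` that runs `sq inspect` or `gpg --list-packets` on the file, so reviewers can see which user IDs and signatures a WKD update actually changes.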
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index ef568656..a033da76 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -12,6 +12,12 @@ warn:
 	@echo "this is not default because 'renew' and 'upload-tpo' are not idempotent"
 
 # thanks to kushal for this: https://kushaldas.in/posts/setting-up-wkd.html
+# also tried sq but couldn't make it work:
+# 	sq network wkd publish --domain=anarc.at --cert=$(FINGERPRINT) --method=direct ../..
+# this fails because it wants --create, but create fails because directory already exists
+#
+# we would need to try "advanced" mode but that requires a whole
+# different vhost (openpgpkey.anarc.at), ugh.
 hu:
 	echo "$(FINGERPRINT) $(ADDRESS)" | /usr/lib/gnupg/gpg-wks-client -v --install-key --directory .
 	mv anarc.at/hu/* hu/
diff --git a/.well-known/openpgpkey/anarc.at/.gitattributes b/.well-known/openpgpkey/anarc.at/.gitattributes
deleted file mode 100644
index af7c7edc..00000000
--- a/.well-known/openpgpkey/anarc.at/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-* diff=gpg

add asncounter to my software listing
diff --git a/software.mdwn b/software.mdwn
index 626f57fe..47926900 100644
--- a/software.mdwn
+++ b/software.mdwn
@@ -12,6 +12,12 @@ J'ai écrit un manuel
 [[d'entretien de packages debian|debian-development]] (en anglais)
 parce qu'il semblait qu'il n'y avait rien de complet à ce niveau...
 
+## asncounter
+
+[asncounter](https://gitlab.com/anarcat/asncounter/) permet de suivre le traffic sur un serveur par
+[ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), ce qui permet de gérer des "robots" abusifs et autres
+attaques, voir [[blog/2025-05-30-asncounter]].
+
 ## feed2exec
 
 J'ai écrit un lecteur de fils RSS nommé [feed2exec](https://gitlab.com/anarcat/feed2exec) afin de
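Review bot: "traffic" is the English spelling; in French it is "trafic". The paragraph says asncounter helps handle abusive bots and other attacks but not what it does; one clause stating that it aggregates connections per ASN (which is what the name says and what the linked blog post covers) would tell the reader what the tool does before they follow the link.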

redo the fonts screenshot with the new test sheet
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index fa3be514..6dfe9aef 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -45,6 +45,21 @@ do with the Wayland transition. I've tried with both [grim](https://sr.ht/~emers
 complicated issue having to do with *displaying* images as well as
 screenshots, see the issues in [shotman](https://todo.sr.ht/~whynothugo/shotman/11) and [grim](https://todo.sr.ht/~emersion/grim/98).)
 
+And here is an update of those in a single screenshot with the new
+test sheet:
+
+<figure>
+<img src="snap-20250613T103257.png" alt="Two dark terminals showing
+Fira Mono and Commit Mono side by side." />
+<figcaption>Fira and Commit mono with the new test sheet, generated
+with `foot -W 80x63 -T pop-up -f 'Commit mono:size=12' --hold sh -c
+"sed -n '/```/,/```/{/```/d;p}'  *fonts-again.md ; printf 'Commit
+mono'" 2>/dev/null` and `foot -W 80x61 -T pop-up -f 'Fira
+mono:size=12' --hold sh -c "sed -n '/```/,/```/{/```/d;p}'
+*fonts-again.md ; printf 'Fira mono'" 2>/dev/null`.</figcaption>
+</figure>
+
+
 They are pretty similar! Commit Mono feels a *bit* more vertically
 compressed maybe too much so, actually -- the line height feels too
 low.  But it's heavily customizable so that's something that's
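Review bot: the `<figcaption>` wraps each command in single backticks, but the commands themselves contain backticks (the triple backticks inside the `sed` expressions), so Markdown will close each code span at the first inner backtick and render the rest of the command as prose; either delimit the spans with a longer run of backticks padded with spaces, or move the two commands into a fenced block below the figure. The two commands also differ in `-W 80x63` versus `-W 80x61`; if that is deliberate (compensating for the two fonts' line heights), say so, otherwise a reader reproducing the screenshot will assume a typo.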
diff --git a/blog/2024-05-29-playing-with-fonts-again/snap-20250613T103257.png b/blog/2024-05-29-playing-with-fonts-again/snap-20250613T103257.png
new file mode 100644
index 00000000..fd8042ee
Binary files /dev/null and b/blog/2024-05-29-playing-with-fonts-again/snap-20250613T103257.png differ

expand on the blurriness issue
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 15a6ffb9..fa3be514 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -41,7 +41,9 @@ showing the test sheet in Fira Mono" />
 (Notice how those screenshots are not sharp? I'm surprised too. The
 originals *look* sharp on my display, I suspect this is something to
 do with the Wayland transition. I've tried with both [grim](https://sr.ht/~emersion/grim/) and
-[flameshot](https://github.com/flameshot-org/flameshot), for what its worth.)
+[flameshot](https://github.com/flameshot-org/flameshot), for what its worth. Update: turns out this is a really
+complicated issue having to do with *displaying* images as well as
+screenshots, see the issues in [shotman](https://todo.sr.ht/~whynothugo/shotman/11) and [grim](https://todo.sr.ht/~emersion/grim/98).)
 
 They are pretty similar! Commit Mono feels a *bit* more vertically
 compressed maybe too much so, actually -- the line height feels too
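Review bot: "for what its worth" should be "for what it's worth". The update says the problem involves "*displaying* images as well as screenshots", but both linked issues are filed against capture tools (shotman and grim); if one of them documents the viewer side, name the viewer in the sentence, otherwise say "capturing and displaying" so the claim matches what the links support.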

add a minus sign centering test
Suggested-by: @henk
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index d1745a02..15a6ffb9 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -125,6 +125,8 @@ Lines alignment test:
 ———————————————————————————————————————— EM DASH
 ―――――――――――――――――――――――――――――――――――――――― HORIZONTAL BAR
 ________________________________________ LOW LINE
+
+All in one line, surrounded by PLUS SIGN: +-−–—―_+
 ```
 
 Update: [here is another such sample sheet](https://sheet.shiar.nl/sample), it's pretty good and

improve dashes alignment test, which really compares lines
Writing the name of the character next to its line seems way more
intuitive, and it also helps giving an idea of the comparative
vertical spacing, and its impact on vertical line spacing.
About wording, we're talking about dashes, minus, bars, and only one
"line", but it seems like "line" is a more appropriate name to
designate them all: they're definitely not all "minus", "dashes" or
"bars", but they're all "lines".
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index d6e47333..d1745a02 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -118,15 +118,13 @@ Box drawing alignment tests:
 ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃ ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▎
 ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛          └╌╌┘ ╎ ┗╍╍┛ ┋ ▏▁▂▃▄▅▆▇█
 
-Dashes alignment test:
-
-HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
---------------------------------------------------
-−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
-––––––––––––––––––––––––––––––––––––––––––––––––––
-——————————————————————————————————————————————————
-――――――――――――――――――――――――――――――――――――――――――――――――――
-__________________________________________________
+Lines alignment test:
+---------------------------------------- HYPHEN-MINUS
+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− MINUS SIGN
+–––––––––––––––––––––––––––––––––––––––– EN
+———————————————————————————————————————— EM DASH
+―――――――――――――――――――――――――――――――――――――――― HORIZONTAL BAR
+________________________________________ LOW LINE
 ```
 
 Update: [here is another such sample sheet](https://sheet.shiar.nl/sample), it's pretty good and

the brown back in the quick fox
I can't believe I messed that one up. My apologies to brown animals
and people.
Spotted by @henk.
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 2f55ca62..d6e47333 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -86,8 +86,8 @@ zs$S52Z%  ´`'"‘’“”«»
 
 all characters in a sentence, uppercase:
 
-the quick fox jumps over the lazy dog
-THE QUICK FOX JUMPS OVER THE LAZY DOG
+the quick brown fox jumps over the lazy dog
+THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG
 
 same, in french:
 

automatic federated post of /blog/mobile-massive-gallery
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/mobile-massive-gallery.md b/blog/mobile-massive-gallery.md
index 7ffabcc3..b48bf5d3 100644
--- a/blog/mobile-massive-gallery.md
+++ b/blog/mobile-massive-gallery.md
@@ -248,3 +248,7 @@ update: https://apps.nextcloud.com/apps/memories seems to do what we need
 https://bpatrik.github.io/pigallery2/
 
 [[!tag draft]]
+
+
+<!-- posted to the federation on 2025-06-11T16:30:55.303235 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/114666625772226557"]]
\ No newline at end of file
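Review bot: the page being announced here still carries `[[!tag draft]]` two lines above the insertion, so the post-receive hook is federating a draft; if drafts are not meant to be announced, the plugin should check for the draft tag before posting and skip the page. Separately, the `\ No newline at end of file` marker shows the appended `[[!mastodon ...]]` directive is written without a trailing newline, which leaves the file needing a follow-up fix every time a page is federated; the plugin should end what it writes with `\n`.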

another gallery
diff --git a/blog/mobile-massive-gallery.md b/blog/mobile-massive-gallery.md
index f8f81f7b..7ffabcc3 100644
--- a/blog/mobile-massive-gallery.md
+++ b/blog/mobile-massive-gallery.md
@@ -245,4 +245,6 @@ consider tls client certs.
 
 update: https://apps.nextcloud.com/apps/memories seems to do what we need
 
+https://bpatrik.github.io/pigallery2/
+
 [[!tag draft]]

camera: more rating and shopping
diff --git a/hardware/camera.mdwn b/hardware/camera.mdwn
index 6836c750..7160bde6 100644
--- a/hardware/camera.mdwn
+++ b/hardware/camera.mdwn
@@ -156,6 +156,7 @@ and here is my progress:
 - 2025-05-09: 13943 (-504, plus 200 new shots)
 - 2025-05-20: 12903 (-1040, plus 700+ new shots, two months mark,
   5k done, ETA 2-3 more months)
+- 2025-06-07: 12044 (-859, plus some new shots)
 
 Inventaire
 ==========
@@ -260,6 +261,14 @@ Reference
    * [Lens buying guide](https://www.dpreview.com/articles/9162056837/digital-camera-lens-buying-guide)
  * [Darktable camera support](https://www.darktable.org/resources/camera-support/): pretty uniform across brands
 
+# 2025 shopping
+
+[Fuji's X-M5](https://www.dpreview.com/reviews/fujifilm-x-m5-in-depth-review) looks interesting for travel and "every day": small,
+works with existing lenses. Big downside is lack of an EVF. A X-Pro
+*might* be coming in 2025, but I'm not sure I like it better than the
+X-T5 series, it's not smaller. The [X-E5](https://www.fujirumors.com/fujifilm-x-e5-this-is-when-it-will-be-announced/) might be coming too, and
+a possibly good compromise, exciting times.
+
 2018 shopping
 =============
 
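Review bot: the new `# 2025 shopping` heading uses ATX style while the neighbouring `2018 shopping` heading (and `Inventaire` earlier in the file) use setext underlines; pick one style for the file so the section levels render consistently. Also, "A X-Pro" on the second added line should read "An X-Pro".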

another screenshot tool
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index f9d88562..3c2da63b 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -947,12 +947,13 @@ involved calling xterm and xmessage for user interaction. Now,
 anyone freaks out, I already had to use GTK for proper clipboard
 support, so this isn't much of a stretch...)
 
-One thing I'm, missing is some review/annotation
-tool. [Satty](https://github.com/gabm/Satty) provides a nice minimal wrapper like that. For now,
-I'm using whatever default image viewer I have configured (currently
-geeqie), one key feature is that it must support the "copy image to
-clipboard" (not the path! the actual full image!) functionality,
-typically to paste to GitHub/GitLab issues, or Signal.
+One thing I'm, missing is some review/annotation tool. [Satty](https://github.com/gabm/Satty)
+provides a nice minimal wrapper like that. See also [Gradia](https://github.com/AlexanderVanhee/Gradia).
+
+For now, I'm using whatever default image viewer I have configured
+(currently geeqie), one key feature is that it must support the "copy
+image to clipboard" (not the path! the actual full image!)
+functionality, typically to paste to GitHub/GitLab issues, or Signal.
 
 I've also started testing [shotman](https://shotman.whynothugo.nl/) (part of Debian Trixie) which
 outlined that I might have an issue with fractional display and image
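Review bot: the stray comma in "One thing I'm, missing" survives the reflow on the first `+` line; since that line is being rewritten anyway, drop the comma ("One thing I'm missing is some review/annotation tool."). The second added paragraph also runs two clauses together; "(currently geeqie); one key feature is that it must support..." reads better than the comma splice.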

fix typo
diff --git a/hardware/svetlana.md b/hardware/svetlana.md
index 25635c68..28bc9425 100644
--- a/hardware/svetlana.md
+++ b/hardware/svetlana.md
@@ -40,7 +40,7 @@ maybe it's still broken.
 Followed [the flashing instructions](https://openwrt.org/toh/ubiquiti/unifi_6_lite), terrified because device
 switched to 192.168.1.1 and I thought it was bricked.
 
-# Confguration
+# Configuration
 
 Did the following config:
 

automatic federated post of /blog/secrets-recovery
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/secrets-recovery.md b/blog/secrets-recovery.md
index e394c89d..cef602fb 100644
--- a/blog/secrets-recovery.md
+++ b/blog/secrets-recovery.md
@@ -59,3 +59,7 @@ to review: https://news.ycombinator.com/item?id=37534615
 
 
 128-bit metal punch card backup https://volution.ro/pckb/
+
+
+<!-- posted to the federation on 2025-06-01T23:04:28.772798 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/114611550199170060"]]
\ No newline at end of file

another link
diff --git a/blog/secrets-recovery.md b/blog/secrets-recovery.md
index 454baae3..e394c89d 100644
--- a/blog/secrets-recovery.md
+++ b/blog/secrets-recovery.md
@@ -56,3 +56,6 @@ https://github.com/cyphar/paperback
 
 
 to review: https://news.ycombinator.com/item?id=37534615
+
+
+128-bit metal punch card backup https://volution.ro/pckb/

spellcheck, direct donate link
diff --git a/blog/2025-05-30-asncounter.md b/blog/2025-05-30-asncounter.md
index 3a6ba5f1..44e8464c 100644
--- a/blog/2025-05-30-asncounter.md
+++ b/blog/2025-05-30-asncounter.md
@@ -113,7 +113,7 @@ script that loops over IPs and counts IPs per ASN".
 monitoring. Argos, for example, presumably does this, but it's a kind
 of a huge stack. You can also get into netflows, but there's serious
 privacy implications with those. There are also lots of per-IP
-counters like [promacct](https://github.com/kumina/promacct), but that doesn't scale.
+counters like [`promacct`](https://github.com/kumina/promacct), but that doesn't scale.
 
 Or maybe someone already had solved this problem and I just wasted a
 week of my life, who knows. Someone will let me know, I hope, either
@@ -167,7 +167,7 @@ less than an hour, just look at [the first version](https://gitlab.com/anarcat/a
 (`sloccount`) of Python, and it works, provided you have already
 downloaded the required datafiles from routeviews.org. (Obviously, the
 latest version is longer at close to 1000 lines, but it downloads the
-datafiles automatically, and has many more features).
+data files automatically, and has many more features).
 
 The way the first prototype (and later versions too, mostly) worked is
 that you feed it a list of IP addresses on standard input, it looks up
@@ -222,7 +222,7 @@ bonkers: they have *hundreds* of such prefixes.
 
 Now, clever people in the know will say "of course they do, it's an
 hyperscaler; just ASN14618 (AMAZON-AES) there is *way* more
-announcements, they have 1416 prefies!" Yes, of course, but they are
+announcements, they have 1416 prefixes!" Yes, of course, but they are
 not generating half of my traffic (at least, not yet). But even then:
 this *also* applies to Amazon! This way of counting traffic is *way*
 more useful for large scale operations like this, because you group by
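Review bot: the context line just above the changed one still reads "it's an hyperscaler"; while spellchecking this paragraph, change it to "a hyperscaler", and "there is *way* more announcements" to "there are *way* more announcements".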
@@ -230,7 +230,7 @@ organisation instead of by *server* or individual endpoint.
 
 And, ultimately, this is why `asncounter` matters: it allows you to
 group your traffic by *organisation*, the place you can actually
-negociate with.
+negotiate with.
 
 Now, of course, that assumes those are entities you can talk with. I
 have written to both Alibaba and Huawei, and have yet to receive a
@@ -257,7 +257,7 @@ At first glance, they looked legit, like:
 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
 ```
 
-Saferi on a Mac, so far so good. But when you start digging, you
+Safari on a Mac, so far so good. But when you start digging, you
 notice some strange things, like here's Safari running on Linux:
 
 ```
@@ -266,7 +266,7 @@ Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Ch
 
 Was Safari ported to Linux? I guess that's.. possible? 
 
-But here here Safari running on a 15 year old Ubuntu release (10.10):
+But here is Safari running on a 15 year old Ubuntu release (10.10):
 
 ```
 Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.702.0 Chrome/12.0.702.0 Safari/534.24
@@ -281,7 +281,7 @@ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-CA) AppleWebKit/534.13 (KHTML like G
 
 Really?
 
-Here's Firefox 3.6, released 14 years ago, there werequite a lot of
+Here's Firefox 3.6, released 14 years ago, there were quite a lot of
 those:
 
 ```
@@ -304,7 +304,7 @@ which, according their [documentation](https://developers.facebook.com/docs/shar
 
 > crawls the web for use cases such as training AI models or improving products by indexing content directly
 
-From what I coult tell, it was even respecting our rather liberal
+From what I could tell, it was even respecting our rather liberal
 `robots.txt` rules, in that it wasn't crawling the sprawling `/blame/`
 or `/commit/` endpoints, explicitly forbidden by `robots.txt`.
 
@@ -313,7 +313,7 @@ just went away. Good job Facebook, as much as I think you've given the
 empire to neo-nazis, cause depression and genocide, you know how to
 run a crawler, thanks.
 
-Huawei was blocked at the webserver level, with a friendly 429 status
+Huawei was blocked at the web server level, with a friendly 429 status
 code telling people to contact us (over email) if they need help. And
 they don't care: they're still hammering the server, from what I can
 tell, but then again, I didn't block the entire ASN just yet, just the
@@ -324,7 +324,7 @@ blocks I found crawling the server over a couple hours.
 So what does a day in asncounter look like? Well, you start with a
 problem, say you're getting too much traffic and want to see where
 it's from. First you need to sample it. Typically, you'd do that with
-`tcpdump` or tailing a logfile:
+`tcpdump` or tailing a log file:
 
     tail -F /var/log/apache2/*access*.log | awk '{print $2}' | asncounter
 
@@ -335,7 +335,7 @@ instead:
     tcpdump -q -n | asncounter --input-format=tcpdump --repl
 
 If you *really* get a lot of traffic, you might want to get a subset
-of that to avoid overwhelming asncounter, it's not fast enough to do
+of that to avoid overwhelming `asncounter`, it's not fast enough to do
 multiple gigabit/second, I bet, so here's only incoming SYN IPv4
 packets:
 
@@ -396,13 +396,13 @@ request duration stats" for various time ranges, 20h after the block:
 | 30d   | 2.08s | 3.86m | 8.86s |
 | 6m    | 901ms | 27.3s | 2.43s |
 
-We went from *two seconds* mean to 500ms! And look at that stdev!
+We went from *two seconds* mean to 500ms! And look at that standard deviation!
 39ms! It was *ten seconds* before! I doubt we'll keep it that way very
 long but for now, it feels like I won a battle, and I didn't even have
-to setup [anubis](https://github.com/TecharoHQ/anubis) or [go-away](https://git.gammaspectra.live/git/go-away), although I suspect that will
+to setup [`anubis`](https://github.com/TecharoHQ/anubis) or [`go-away`](https://git.gammaspectra.live/git/go-away), although I suspect that will
 unfortunately come.
 
-Note that asncounter also supports exporting Prometheus metrics, but
+Note that `asncounter also supports exporting Prometheus metrics, but
 you should be careful with this, as it can lead to cardinal explosion,
 especially if you track by prefix (which can be disabled with
 `--no-prefixes`.
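Review bot: the backtick added in "Note that `asncounter also supports exporting Prometheus metrics" is never closed, so the rest of the sentence will render as inline code; it should be "`asncounter`". In the same paragraph, the parenthesis opened at "(which can be disabled with" on the last context line is never closed; end it with "`--no-prefixes`)." Also "cardinal explosion" should be "cardinality explosion", which is the actual Prometheus term for the problem being warned about.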
@@ -423,7 +423,7 @@ comments. Hacker News, let it rip, I know you can give me another
 juicy quote [[for my blog|blog]].
 
 This work was done as part of my paid work for the [Tor Project](https://www.torproject.org/),
-currently in a fundraising drive, give us money if you like what you
+currently in a fundraising drive, [give us money](https://donate.torproject.org/) if you like what you
 read.
 
 [[!tag debian-planet python-planet software network sysadmin tor censorship python]]

clarify the script is not 40 lines anymore
diff --git a/blog/2025-05-30-asncounter.md b/blog/2025-05-30-asncounter.md
index faff7b37..3a6ba5f1 100644
--- a/blog/2025-05-30-asncounter.md
+++ b/blog/2025-05-30-asncounter.md
@@ -165,7 +165,9 @@ possibly also the list of prefixes (because why not). Turns out pyasn
 makes that *really* easy. I managed to build a prototype in probably
 less than an hour, just look at [the first version](https://gitlab.com/anarcat/asncounter/-/blob/efaa08c431f3145e70f7cd378d19be558a70fc38/asn-tracker.py), it's 44 lines
 (`sloccount`) of Python, and it works, provided you have already
-downloaded the required datafiles from routeviews.org.
+downloaded the required datafiles from routeviews.org. (Obviously, the
+latest version is longer at close to 1000 lines, but it downloads the
+datafiles automatically, and has many more features).
 
 The way the first prototype (and later versions too, mostly) worked is
 that you feed it a list of IP addresses on standard input, it looks up
@@ -428,4 +430,4 @@ read.
 
 
 <!-- posted to the federation on 2025-05-30T22:33:00.130467 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/114600101725690613"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/114600101725690613"]]
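Review bot: this hunk only restores the final newline that the federation plugin dropped when it appended the `[[!mastodon ...]]` directive; rather than fixing each federated page by hand, the plugin's write should terminate the directive with `\n` so the file stays newline-terminated.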

add toc
diff --git a/blog/2025-05-30-asncounter.md b/blog/2025-05-30-asncounter.md
index ae235aef..faff7b37 100644
--- a/blog/2025-05-30-asncounter.md
+++ b/blog/2025-05-30-asncounter.md
@@ -15,6 +15,8 @@ degenerate AI on your content with a bot army?
 
 If that rings a bell, read on.
 
+[[!toc]]
+
 # TL;DR:
 
 ... or just skip the cruft and install [asncounter](https://gitlab.com/anarcat/asncounter/):

automatic federated post of /blog/2025-05-30-asncounter
Command: ['/usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py', '--post-receive', '--base-url', 'https://anarc.at/']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2025-05-30-asncounter.md b/blog/2025-05-30-asncounter.md
index 49c759c7..ae235aef 100644
--- a/blog/2025-05-30-asncounter.md
+++ b/blog/2025-05-30-asncounter.md
@@ -423,3 +423,7 @@ currently in a fundraising drive, give us money if you like what you
 read.
 
 [[!tag debian-planet python-planet software network sysadmin tor censorship python]]
+
+
+<!-- posted to the federation on 2025-05-30T22:33:00.130467 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/114600101725690613"]]
\ No newline at end of file

3000 words of self-promotion
diff --git a/blog/2025-05-30-asncounter.md b/blog/2025-05-30-asncounter.md
new file mode 100644
index 00000000..49c759c7
--- /dev/null
+++ b/blog/2025-05-30-asncounter.md
@@ -0,0 +1,425 @@
+[[!meta title="Traffic meter per ASN without logs"]]
+
+Have you ever found yourself in the situation where you had no or
+anonymized logs and still wanted to figure out where your traffic was
+coming from?
+
+Or you have multiple upstreams and are looking to see if you can save
+fees by getting into peering agreements with some other party?
+
+Or your site is getting heavy load but you can't pinpoint it on a
+single IP and you suspect some amoral corporation is training their
+degenerate AI on your content with a bot army?
+
+(You might be getting onto something there.)
+
+If that rings a bell, read on.
+
+# TL;DR:
+
+... or just skip the cruft and install [asncounter](https://gitlab.com/anarcat/asncounter/):
+
+    pip install asncounter
+
+Also available in Debian 14 or later, or possibly in Debian 13
+backports (soon to be released) if people are interested:
+
+    apt install asncounter
+
+Then count whoever is hitting your network with:
+
+    awk '{print $2}' /var/log/apache2/*access*.log | asncounter
+
+or:
+
+    tail -F /var/log/apache2/*access*.log | awk '{print $2}' | asncounter
+
+or:
+
+    tcpdump -q -n | asncounter --input-format=tcpdump --repl
+
+or:
+
+    tcpdump -q -i eth0 -n -Q in "tcp and tcp[tcpflags] & tcp-syn != 0 and (port 80 or port 443)" | asncounter --input-format=tcpdump --repl
+
+Read on for why this matters, and why I wrote yet another weird tool
+(almost) from scratch.
+
+# Background and manual work
+
+This is a tool I've been dreaming of for a long, long time. Back in
+2006, at [Koumbit](https://koumbit.org/) a colleague had setup [TAS](https://web.archive.org/web/20011204205829/http://www.chelcom.ru/~anton/projects/tas/) ("Traffic
+Accounting System", "Система учета трафика" in Russian, apparently), a
+collection of Perl script that would do per-IP accounting. It was
+pretty cool: it would count bytes per IP addresses and, from that, you
+could do analysis. But the project died, and it was kind of bespoke.
+
+Fast forward twenty years, and I find myself fighting off bots at the
+Tor Project (the irony...), with our GitLab suffering pretty bad
+slowdowns (see issue [tpo/tpa/team#41677](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41677) for the latest public
+issue, the juicier one is confidential, unfortunately).
+
+(We did have some issues caused by overloads in CI, as we host, after
+all, a fork of Firefox, which is a massive repository, but the
+applications team did sustained, awesome work to fix issues on that
+side, again and again (see [tpo/applications/tor-browser#43121](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43121) for
+the latest, and [tpo/applications/tor-browser#43121](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43121) for some
+pretty impressive correlation work, I work with really skilled
+people). But those issues, I believe were fixed.)
+
+So I had the feeling it was our turn to get hammered by the AI
+bots. But how do we tell? I could tell *something* was hammering at
+the costly `/commit/` and (*especially* costly) `/blame/` endpoint. So
+at first, I pulled out the trusted `awk`, `sort | uniq -c | sort -n |
+tail` pipeline I am sure others have worked out before:
+
+    awk '{print $1}' /var/log/nginx/*.log | sort | uniq -c | sort -n | tail -10
+
+For people new to this, that pulls the first field out of web server
+log files, sort the list, counts the number of unique entries, and
+sorts *that* so that the most common entries (or IPs) show up first,
+then show the top 10.
+
+That, other words, answers the question of "which IP address visits
+this web server the most?" Based on this, I found a couple of IP
+addresses that looked like Alibaba. I had already addressed an abuse
+complaint to them ([tpo/tpa/team#42152](https://gitlab.torproject.org/tpo/tpa/team/-/issues/42152)) but never got a response,
+so I just blocked their entire network blocks, rather violently:
+
+```
+for cidr in 47.240.0.0/14 47.246.0.0/16 47.244.0.0/15 47.235.0.0/16 47.236.0.0/14; do 
+  iptables-legacy -I INPUT -s $cidr -j REJECT
+done
+```
+
+That made [Ali Baba and his forty thieves](https://en.wikipedia.org/wiki/Ali_Baba_and_the_Forty_Thieves) (specifically their
+[AL-3 network](https://rdap.arin.net/registry/ip/47.235.0.0) go away, but our load was still high, and I was
+still seeing various IPs crawling the costly endpoints. And this time,
+it was hard to tell who they were: you'll notice all the Alibaba IPs
+are inside the same 47.0.0.0/8 prefix. Although it's not a `/8`
+itself, it's all *inside* the same prefix, so it's *visually* easy to
+pick it apart, especially for a brain like mine who's stared too long
+at logs flowing by too fast for their own mental health.
+
+What I had then was different, and I was tired of doing the stupid
+thing I had been doing for decades at this point. I had recently
+stumbled upon [pyasn](https://github.com/hadiasghari/pyasn) recently (in January, according to my notes)
+and somehow found it again, and thought "I bet I could write a quick
+script that loops over IPs and counts IPs per ASN".
+
+(Obviously, there are *lots* of other tools out there for that kind of
+monitoring. Argos, for example, presumably does this, but it's a kind
+of a huge stack. You can also get into netflows, but there's serious
+privacy implications with those. There are also lots of per-IP
+counters like [promacct](https://github.com/kumina/promacct), but that doesn't scale.
+
+Or maybe someone already had solved this problem and I just wasted a
+week of my life, who knows. Someone will let me know, I hope, either
+way.)
+
+# ASNs and networks
+
+A quick aside, for people not familiar with how the internet
+works. People that know about ASNs, BGP announcements and so on can
+skip.
+
+The internet is the network of networks. It's made of multiple
+networks that talk to each other. The way this works is there is a
+Border Gateway Protocol (BGP), a relatively simple TCP-based protocol,
+that the edge routers of those networks used to announce each other
+what network they manage. Each of those network is called an
+Autonomous System (AS) and has an AS number (ASN) to uniquely identify
+it. Just like IP addresses, ASNs are allocated by IANA and local
+registries, they're pretty cheap and useful if you like running your
+own routers, get one.
+
+When you have an ASN, you'll use it to, say, announce to your BGP
+neighbors "I have `198.51.100.0/24`" over here and the others might
+say "okay, and I have `216.90.108.31/19` over here, and I know of this
+other ASN over there that has `192.0.2.1/24` too! And gradually, those
+announcements flood the entire network, and you end up with each BGP
+having a routing table of the global internet, with a map of which
+network block, or "prefix" is announced by which ASN.
+
+It's how the internet works, and it's a useful thing to know, because
+it's what, ultimately, makes an organisation responsible for an IP
+address. There are "looking glass" tools like [the one provided by
+routeviews.org](https://lg.routeviews.org/lg/) which allow you to effectively run "trace routes"
+(but not the same as `traceroute`, which actively sends probes from
+your location), type an IP address in that form to fiddle with it. You
+will end up with an "AS path", the way to get from the looking glass
+to the announced network. But I digress, and that's kind of out of
+scope.
+
+Point is, internet is made of networks, networks are autonomous
+systems (AS) and they have numbers (ASNs), and they announced IP
+prefixes (or "network blocks") that ultimately tells you who is
+responsible for traffic on the internet.
+
+# Introducing asncounter
+
+So my goal was to get from "lots of IP addresses" to "list of ASNs",
+possibly also the list of prefixes (because why not). Turns out pyasn
+makes that *really* easy. I managed to build a prototype in probably
+less than an hour, just look at [the first version](https://gitlab.com/anarcat/asncounter/-/blob/efaa08c431f3145e70f7cd378d19be558a70fc38/asn-tracker.py), it's 44 lines
+(`sloccount`) of Python, and it works, provided you have already
+downloaded the required datafiles from routeviews.org.
+
+The way the first prototype (and later versions too, mostly) worked is
+that you feed it a list of IP addresses on standard input, it looks up
+the ASN and prefix associated with the IP, and increments a counter
+for those, then print the result.
+
+That showed me something like this:
+
+```
+root@gitlab-02:~/anarcat-scripts# tcpdump -q -i eth0 -n -Q in "(udp or tcp)" | ./asncounter.py --tcpdump                                                                                                                                                                          
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode                                                                
+listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes                                                             
+INFO: collecting IPs from stdin, using datfile ipasn_20250523.1600.dat.gz                                                                
+INFO: loading datfile /root/.cache/pyasn/ipasn_20250523.1600.dat.gz...                                                                   
+INFO: loading /root/.cache/pyasn/asnames.json                       
+ASN     count   AS               
+136907  7811    HWCLOUDS-AS-AP HUAWEI CLOUDS, HK                                                                                         
+[----]  359     [REDACTED]
+[----]  313     [REDACTED]
+8075    254     MICROSOFT-CORP-MSN-AS-BLOCK, US
+[---]   164     [REDACTED]
+[----]  136     [REDACTED]
+24940   114     HETZNER-AS, DE  
+[----]  98      [REDACTED]
+14618   82      AMAZON-AES, US                                                                                                           
+[----]  79      [REDACTED]
+prefix  count                                         
+166.108.192.0/20        1294                                                                                                             
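Review bot: the example prefixes in the "ASNs and networks" section are not valid network notation: `216.90.108.31/19` and `192.0.2.1/24` both have host bits set (the network would be `216.90.96.0/19` and `192.0.2.0/24`), and since `198.51.100.0/24` and `192.0.2.0/24` are already documentation ranges, `203.0.113.0/24` would fit better than a real address for the third example. Two other things to fix while here: the "Fast forward" paragraph links [tpo/applications/tor-browser#43121] twice, once "for the latest" and once "for some pretty impressive correlation work", so one of the two issue numbers is wrong; and the parenthesis opened at "(specifically their [AL-3 network]" is never closed. Minor wording: "had setup TAS" should be "had set up", "That, other words," should be "That, in other words,", "recently stumbled upon pyasn recently" repeats "recently", "the edge routers of those networks used to announce" should be "use to announce", and "each BGP having a routing table" should be "each BGP router having". Finally, the nginx pipeline uses `awk '{print $1}'` while the Apache TL;DR uses `{print $2}`; a one-line remark that the field index depends on the log format would save readers from counting the wrong column.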

(Diff truncated)
moar rating
diff --git a/hardware/camera.mdwn b/hardware/camera.mdwn
index 1d416311..6836c750 100644
--- a/hardware/camera.mdwn
+++ b/hardware/camera.mdwn
@@ -154,6 +154,8 @@ and here is my progress:
 - 2025-04-28: 15000 (-743 in more than 1h, past the 15k mark, -2k in about 2 mth)
 - 2025-05-02: 14447 (-553, 294 new shots processed)
 - 2025-05-09: 13943 (-504, plus 200 new shots)
+- 2025-05-20: 12903 (-1040, plus 700+ new shots, two months mark,
+  5k done, ETA 2-3 more months)
 
 Inventaire
 ==========

client cert issues
diff --git a/services/mail.mdwn b/services/mail.mdwn
index dd4ce5c7..10ece0e9 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1208,10 +1208,18 @@ Then create `openssl.conf`:
     CN = tubman.anarc.at
     emailAddress = tubman-mail
 
-Then generate the private key and the CSR:
+Then generate the private key and the CSR, on the client:
 
     openssl genpkey -algorithm ed25519 -out client.key
-    openssl req -key client.key -out client.csr -config openssl.cnf -new
+    openssl req -key client.key -out tubman.anarc.at.csr -config openssl.cnf -new
+
+For my (android) phone, I tried RSA:
+
+    openssl genpkey -algorithm rsa -out private/phone.anarc.at.key
+    openssl req -key private/phone.anarc.at.key -out req/phone.anarc.at.csr -config openssl.cnf -new
+
+(Note that this only works for IMAP on Thunderbird, as fails to
+configure client certs for SMTP, see <https://github.com/thunderbird/thunderbird-android/issues/3933>.)
 
 Then copy that over to the CA in `/etc/ssl/ca/req/tubman.anarc.at.csr`
 and sign the request:
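Review bot: the RSA line `openssl genpkey -algorithm rsa -out private/phone.anarc.at.key` relies on OpenSSL's default key size instead of stating it; add `-pkeyopt rsa_keygen_bits:<bits>` so the key length is explicit and reproducible. The paths `private/` and `req/` on the phone commands look like the CA directory layout, while the sentence just above says the key and CSR are generated "on the client"; clarify where this runs, since keeping the private key off the CA is the reason for using a CSR at all. The first command pair is also inconsistent: the key is `client.key` but the CSR is now `tubman.anarc.at.csr`. And "as fails to configure client certs for SMTP" is missing its subject ("as it fails to").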

another antenna
diff --git a/hardware/radio.mdwn b/hardware/radio.mdwn
index ed49144a..2fda29a7 100644
--- a/hardware/radio.mdwn
+++ b/hardware/radio.mdwn
@@ -86,6 +86,7 @@ that we might want to learn from. In particular, it ships:
    really excited](https://unsigned.io/articles/2024_05_16_Are_We_There_Yet.html)
  - [CHA MPAS 2.0](https://chameleonantenna.com/products/cha-mpas-modular-portable-antenna-system-2-0): fancy multi-band "mobile" HF antenna, but
    expensive (900$CAD+)
+ - [ARRL EFHW kit](https://home.arrl.org/action/Store/Product-Details/productId/133267) (80$)
 
 ### Old stuff
 

more rating
diff --git a/hardware/camera.mdwn b/hardware/camera.mdwn
index 81c53b93..1d416311 100644
--- a/hardware/camera.mdwn
+++ b/hardware/camera.mdwn
@@ -153,6 +153,7 @@ and here is my progress:
 - 2025-04-22: 15743 (-568 in about 1h, about 32h of work left?)
 - 2025-04-28: 15000 (-743 in more than 1h, past the 15k mark, -2k in about 2 mth)
 - 2025-05-02: 14447 (-553, 294 new shots processed)
+- 2025-05-09: 13943 (-504, plus 200 new shots)
 
 Inventaire
 ==========

gpg/wkd wtf yolo, automatically created?
diff --git a/.well-known/openpgpkey/anarc.at/policy b/.well-known/openpgpkey/anarc.at/policy
new file mode 100644
index 00000000..6c55ace9
--- /dev/null
+++ b/.well-known/openpgpkey/anarc.at/policy
@@ -0,0 +1 @@
+# Policy flags for domain anarc.at
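Review bot: a comment-only policy file is valid for WKD, since it is the file's existence that clients check, so the content is fine as is. The path is worth confirming, though: `.well-known/openpgpkey/anarc.at/policy`, with the domain as a subdirectory, is the layout of the WKD advanced method, which clients fetch from the `openpgpkey.anarc.at` host; if that name does not resolve to this web root, the direct method expects the file at `.well-known/openpgpkey/policy` without the subdirectory, and clients will not find it here.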

more rating
diff --git a/hardware/camera.mdwn b/hardware/camera.mdwn
index 44fce240..81c53b93 100644
--- a/hardware/camera.mdwn
+++ b/hardware/camera.mdwn
@@ -151,6 +151,8 @@ and here is my progress:
 - 2025-04-15: 16311 (-261, +6)
 - 2025-04-21: 16311 (+600~ added and rated)
 - 2025-04-22: 15743 (-568 in about 1h, about 32h of work left?)
+- 2025-04-28: 15000 (-743 in more than 1h, past the 15k mark, -2k in about 2 mth)
+- 2025-05-02: 14447 (-553, 294 new shots processed)
 
 Inventaire
 ==========
