Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on GitLab:

git clone http://gitlab.com/anarcat/anarc.at.git
another unicode sample file, excellent
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 3f46a184..3b708785 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -129,6 +129,9 @@ HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
 __________________________________________________
 ```
 
+Update: [here is another such sample sheet](https://sheet.shiar.nl/sample), it's pretty good and
+has support for more languages while being still relatively small.
+
 So there you have it, got completely nerd swiped by typography
 again. Now I can go back to writing a too-long proposal again.
 

switch to nwg-displays
it supports saving the configuration to disk and doesn't start the
fans on my computer because it doesn't try to mirror outputs the same
way wdisplays does.
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index ce6694c0..e9b93796 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -38,11 +38,11 @@ I had to install the following packages:
         gammastep \
         gdm3 \
         grim slurp \
+        nwg-displays \
         pipewire-pulse \
         sway \
         swayidle \
         swaylock \
-        wdisplays \
         wev \
         wireplumber \
         wlr-randr \
@@ -1055,7 +1055,7 @@ case, they should be listed here:
 
 | X11          | Wayland                               | In Debian |
 |--------------|---------------------------------------|-----------|
-| `arandr`     | [wdisplays][]                         | yes       |
+| `arandr`     | [nwg-displays][]                      | yes       |
 | `autorandr`  | [kanshi][]                            | yes       |
 | `xclock`     | [wlclock][]                           | no        |
 | `xdotool`    | [wtype][]                             | yes       |
@@ -1088,12 +1088,20 @@ X. [arewewaylandyet.com][] refers to a few alternatives. We suggest
 [wdisplays][] and [kanshi][] above (see also [this service file][])
 but [wallutils][] can also do the autorandr stuff, apparently, and
 [nwg-displays][] can do the arandr part. [shikane][] is a promising
-kanshi rewrite in Rust. None of those (but kanshi) are packaged in
-Debian yet.
+kanshi rewrite in Rust. None of those (but kanshi and nwg-displays)
+are packaged in Debian yet.
 
 So I have tried [wdisplays][] and it Just Works, and well. The UI even
 looks better and more usable than arandr, so another clean win from
-Wayland here.
+Wayland here. I've since then switched to nwg-displays because it
+directly saves a Sway-compatible configuration file in
+`~/.config/sway/outputs`, it's just too bad it doesn't also save a
+kanshi config, see also the [save profile feature request in
+kanshi](https://todo.sr.ht/~emersion/kanshi/81) and the [kanshi support feature request in
+nwg-displays](https://github.com/nwg-piotr/nwg-displays/issues/2).
+
+Note that [shikane][] claims to support saving the current
+configuration to a file, but it's [not packaged in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073813).
 
 I'm currently [kanshi][] as a autorandr replacement and it mostly
 works. It can be hard to figure out the right configuration to put,
@@ -1439,12 +1447,14 @@ Note that other Wayland compositors (e.g. [Hyprland][], GNOME's
 Mutter) *do* support mirroring, so it's not a fundamental limitation
 of Wayland.
 
-One workaround is to use a tool like [wl-mirror](https://github.com/Ferdi265/wl-mirror) to make a window
+One workaround is to use a tool like
+[wl-mirror](https://github.com/Ferdi265/wl-mirror) to make a window
 that mirrors a specific output and place *that* in a different
 workspace. That way you place the output you want to mirror *to* next
 to the output you want to mirror *from*, and use wl-mirror to copy
 between the two outputs. The problem is that wl-mirror is [not
-packaged in Debian yet](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012684).
+packaged in Debian yet](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012684) (update: fixed since 2023, Debian 13
+trixie).
 
 Another workaround mentioned in the thread is to use a [[presentation
 tool|blog/2020-09-30-presentation-tools]] which supports mirroring on

more gtklock stuff
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 403fbb4d..ce6694c0 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -802,7 +802,13 @@ That, unfortunately, does *not* include the fancy "hacks" provided by
 xscreensaver, and that is [unlikely to be implemented upstream][].
 
 Other alternatives include [gtklock][] ([in Debian](https://tracker.debian.org/pkg/gtklock)) and [waylock][] (zig), which
-do not solve that problem either.
+do not solve that problem either. gtklock is interesting though
+because it has all sorts of plugins to show information on the lock
+screen, which I find it quite lacking in swaylock:
+
+ * [playerctl](https://github.com/jovanlanik/gtklock-playerctl-module) support: control media players ([in Debian](https://packages.debian.org/sid/gtklock-playerctl-module))
+ * [userinfo](https://github.com/jovanlanik/gtklock-userinfo-module): show user icon and name ([in Debian](https://packages.debian.org/sid/gtklock-userinfo-module))
+ * [more](https://github.com/jovanlanik/gtklock/wiki#references-2)
 
 It looks like [swaylock-plugin][], a swaylock fork, which at least
 attempts to solve this problem, although not directly using the real

another font
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 4ebfd286..3f46a184 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -205,6 +205,10 @@ I'm not using them:
   fancy curly braces contrast perhaps too much with the rest of the
   font, packaged in Debian as [fonts-ibm-plex](https://tracker.debian.org/fonts-ibm-plex)
 
+- [Inconsolata](https://levien.com/type/myfonts/inconsolata.html): no ligatures, maybe italics? more compressed than
+  others, feels a little out of balance because of that, packaged in
+  Debian as [fonts-inconsolata](https://tracker.debian.org/fonts-inconsolata)
+
 - [Intel One Mono](https://github.com/intel/intel-one-mono/): nice legibility, no ligatures, alignment issues
   in box drawing, not packaged in Debian
 

more french pangrams
So the original one there had diacritics but didn't have all of
them. Get a new one that *does* have all the 50 characters. Tested
with:
sed 's/\(.\)/\1\n/g' | sort -u | wc -l
Source: https://fr.wikipedia.org/wiki/Pangramme#Avec_les_signes_diacritiques
We also include the more classic "whisky" quote that is traditionally
used:
https://fr.wikipedia.org/wiki/Portez_ce_vieux_whisky_au_juge_blond_qui_fume
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index ff9bdbfb..4ebfd286 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -91,8 +91,13 @@ THE QUICK FOX JUMPS OVER THE LAZY DOG
 
 same, in french:
 
-voix ambiguë d'un cœur qui, au zéphyr, préfère les jattes de kiwis.
-VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR, PRÉFÈRE LES JATTES DE KIWIS.
+Portez ce vieux whisky au juge blond qui fume.
+
+dès noël, où un zéphyr haï me vêt de glaçons würmiens, je dîne
+d’exquis rôtis de bœuf au kir, à l’aÿ d’âge mûr, &cætera.
+
+DÈS NOËL, OÙ UN ZÉPHYR HAÏ ME VÊT DE GLAÇONS WÜRMIENS, JE DÎNE
+D’EXQUIS RÔTIS DE BŒUF AU KIR, À L’AŸ D’ÂGE MÛR, &CÆTERA.
 
 Ligatures test:
 

add IBM plex, good candidate
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index e1f5bd35..ff9bdbfb 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -122,7 +122,6 @@ HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
 ——————————————————————————————————————————————————
 ――――――――――――――――――――――――――――――――――――――――――――――――――
 __________________________________________________
-
 ```
 
 So there you have it, got completely nerd swiped by typography
@@ -195,6 +194,12 @@ I'm not using them:
 - [Hermit](https://github.com/Swordfish90/cool-retro-term/tree/master/app/qml/fonts/modern-hermit): no ligatures, smaller, alignment issues in box drawing
   and dashes, packaged as [fonts-hermit](https://tracker.debian.org/fonts-hermit) somehow part of [cool-retro-term](https://github.com/Swordfish90/cool-retro-term/)
 
+- [IBM Plex](https://www.ibm.com/plex/plexness/): irritating website, replaces Helvetica as the IBM
+  corporate font, no ligatures by default, italics, proportional alternatives,
+  serifs and sans, multiple languages, partial failure in box alignment test (X signs),
+  fancy curly braces contrast perhaps too much with the rest of the
+  font, packaged in Debian as [fonts-ibm-plex](https://tracker.debian.org/fonts-ibm-plex)
+
 - [Intel One Mono](https://github.com/intel/intel-one-mono/): nice legibility, no ligatures, alignment issues
   in box drawing, not packaged in Debian
 
@@ -230,6 +235,7 @@ So, if I get tired of Commit Mono, I might probably try, in order:
 
 1. Hack
 1. Jetbrains Mono
+1. IBM Plex Mono
 
 Iosevka, Monoki and Intel One Mono are also good options, but have
 alignment problems. Iosevka is particularly disappointing as the `EM

more test (failures)
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 165920bf..e1f5bd35 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -184,10 +184,13 @@ I'm not using them:
   packaged as [fonts-cascadia-code](https://tracker.debian.org/pkg/fonts-cascadia-code)
 
 - Fira Code: ligatures, was using Fira Mono from which it is derived,
-  lacking italics except for forks, packaged as [fonts-firacode](https://tracker.debian.org/fonts-firacode)
+  lacking italics except for forks, interestingly, Fira Code succeeds
+  the alignment test but Fira Mono fails to show the X signs properly!
+  packaged as [fonts-firacode](https://tracker.debian.org/fonts-firacode)
 
-- [Hack](https://sourcefoundry.org/hack/): no ligatures, very similar to Fira, italics, good alternative,
-  packaged as [fonts-hack](https://tracker.debian.org/fonts-hack)
+- [Hack](https://sourcefoundry.org/hack/): no ligatures, very similar to Fira, italics, good
+  alternative, fails the X test in box alignment, packaged as
+  [fonts-hack](https://tracker.debian.org/fonts-hack)
 
 - [Hermit](https://github.com/Swordfish90/cool-retro-term/tree/master/app/qml/fonts/modern-hermit): no ligatures, smaller, alignment issues in box drawing
   and dashes, packaged as [fonts-hermit](https://tracker.debian.org/fonts-hermit) somehow part of [cool-retro-term](https://github.com/Swordfish90/cool-retro-term/)

remove HTML comment end that I put there to unconfuse emacs
It doesn't seem confused anymore.
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index bfe93bd1..165920bf 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -125,8 +125,6 @@ __________________________________________________
 
 ```
 
--->
-
 So there you have it, got completely nerd swiped by typography
 again. Now I can go back to writing a too-long proposal again.
 

review all fonts, again
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 6f007cdf..bfe93bd1 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -4,6 +4,8 @@ I am getting increasingly frustrated by Fira Mono's [lack of italic
 support](https://github.com/mozilla/Fira/issues/38) so I am looking at [[alternative fonts
 again|2020-03-10-font-changes]].
 
+# Commit Mono
+
 This time I seem to be settling on either [Commit Mono](https://commitmono.com/) or [Space
 Mono](https://www.colophon-foundry.org/custom-projects/space-mono). For now I'm using Commit Mono because it's a little more
 compressed than Fira and does have a italic version. I don't like how
@@ -61,6 +63,8 @@ I mentioned before, I like how the bar on the "f" aligns with the
 other top of letters, something in Fira mono that really annoys me now
 that I've noticed it (it's not aligned!).
 
+# A UTF-8 test file
+
 Here's the test sheet I've made up to test various characters. I could
 have sworn I had a good one like this lying around somewhere but
 couldn't find it so here it is, I guess.
@@ -152,8 +156,95 @@ Sources and inspiration for the above:
 
 - [UTF-8 sampler](https://web.archive.org/web/20080515024332/http://www.columbia.edu/kermit/utf8.html) - unused, similar
 
-[[!tag debian-planet python-planet typography meta theming usability]]
+# Other fonts
+
+In [[my previous blog post about fonts|2020-03-10-font-changes]], I
+had a list of alternative fonts, but it seems people are not digging
+through this, so I figured I would redo the list here to preempt "but
+have you tried Jetbrains mono" kind of comments.
+
+My requirements are:
+
+- *no* ligatures: yes, in the previous post, I *wanted* ligatures but
+  I have changed my mind. after testing this, I find them distracting,
+  confusing, and they often break the monospace nature of the display
+- monospace: this is to display code
+- italics: often used when writing Markdown, where I do make use of
+  italics... Emacs falls back to underlining text when lacking italics
+  which is hard to read
+- free-ish, ultimately should be packaged in Debian
+
+Here is the list of alternatives I have considered in the past and why
+I'm not using them:
+
+- [agave](https://b.agaric.net/page/agave): recommended by tarzeau, not sure I like the lowercase
+  `a`, a bit too exotic, packaged as [fonts-agave](https://tracker.debian.org/pkg/fonts-agave)
+
+- [Cascadia code](https://github.com/microsoft/cascadia-code): optional ligatures, multilingual, not liking the
+  alignment, ambiguous parenthesis (look too much like square
+  brackets), new default for [Windows Terminal](https://en.wikipedia.org/wiki/Windows_Terminal) and Visual Studio,
+  packaged as [fonts-cascadia-code](https://tracker.debian.org/pkg/fonts-cascadia-code)
+
+- Fira Code: ligatures, was using Fira Mono from which it is derived,
+  lacking italics except for forks, packaged as [fonts-firacode](https://tracker.debian.org/fonts-firacode)
+
+- [Hack](https://sourcefoundry.org/hack/): no ligatures, very similar to Fira, italics, good alternative,
+  packaged as [fonts-hack](https://tracker.debian.org/fonts-hack)
+
+- [Hermit](https://github.com/Swordfish90/cool-retro-term/tree/master/app/qml/fonts/modern-hermit): no ligatures, smaller, alignment issues in box drawing
+  and dashes, packaged as [fonts-hermit](https://tracker.debian.org/fonts-hermit) somehow part of [cool-retro-term](https://github.com/Swordfish90/cool-retro-term/)
+
+- [Intel One Mono](https://github.com/intel/intel-one-mono/): nice legibility, no ligatures, alignment issues
+  in box drawing, not packaged in Debian
 
+- [Iosevka](https://typeof.net/Iosevka/): optional ligatures, italics, multilingual, good
+  legibility, has a proportional option, serifs and sans, line height
+  issue in box drawing, fails dash test, not in Debian
+
+- [Jetbrains Mono](https://www.jetbrains.com/lp/mono/): (mandatory?) ligatures, good coverage,
+  originally rumored to be not DFSG-free (Debian Free Software
+  Guidelines) but ultimately [packaged in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950152) as
+  [fonts-jetbrains-mono](https://tracker.debian.org/pkg/fonts-jetbrains-mono)
+
+- [Monoid](https://larsenwork.com/monoid/): optional ligatures, feels much "thinner" than
+  Jetbrains, not liking alignment or spacing on that one, ambiguous
+  `2Z`, problems rendering box drawing, packaged as [fonts-monoid](https://tracker.debian.org/fonts-monoid)
+
+- [Mononoki](https://madmalik.github.io/mononoki/): no ligatures, looks good, good alternative, suggested
+  by the Debian fonts team as part of [fonts-recommended](https://tracker.debian.org/fonts-recommended), problems
+  rendering box drawing, em dash bigger than en dash, packaged as
+  [fonts-mononoki](https://tracker.debian.org/fonts-mononoki)
+
+- [Source Code Pro](http://adobe-fonts.github.io/source-code-pro/): italics, looks good, but dash metrics look
+  whacky, [not in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736681)
+
+- [spleen](https://github.com/fcambus/spleen): bitmap font, old school, spacing issue in box drawing
+  test, packaged as [fonts-spleen](https://tracker.debian.org/pkg/fonts-spleen)
+
+- [sudo](https://www.kutilek.de/sudo-font/): personal project, no ligatures, zero originally not
+  dotted, relied on metrics for legibility, spacing issue in box
+  drawing, not in Debian
+
+So, if I get tired of Commit Mono, I might probably try, in order:
+
+1. Hack
+1. Jetbrains Mono
+
+Iosevka, Monoki and Intel One Mono are also good options, but have
+alignment problems. Iosevka is particularly disappointing as the `EM
+DASH` metrics are just completely wrong (much too wide).
+
+This was tested using the [Programming fonts](https://www.programmingfonts.org/) site which has *all*
+the above fonts, which cannot be said of [Font Squirrel](https://www.fontsquirrel.com/) or [Google
+Fonts](fonts.google.com/), amazingly. Other such tools:
+
+ * [Coding Font](https://www.codingfont.com/) (broken in Firefox as of 2024-05-30)
+ * [dev fonts comparator](https://devfonts.gafi.dev/)
+ * [Font Squirrel](https://www.fontsquirrel.com/)
+ * [Google Fonts](fonts.google.com/)
+ * [Programming fonts](https://www.programmingfonts.org/)
+
+[[!tag debian-planet python-planet typography meta theming usability]]
 
 <!-- posted to the federation on 2024-05-29T17:44:57.933852 -->
 [[!mastodon "https://kolektiva.social/@Anarcat/112526563590503074"]]

compress test sheet
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 91a85d0c..6f007cdf 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -71,19 +71,14 @@ US keyboard coverage:
 abcdefghijklmnopqrstuvwxyz`1234567890-=[]\;',./
 ABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?
 
-ambiguity test:
+latin1 coverage: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
+EURO SIGN, TRADE MARK SIGN: €™
 
-iI71lL!|¦ 
-[](){}/\
-e¢coC0ODQ
-b6G&0B83
-zs$S52Z%
+ambiguity test:
 
-MIDDLE DOT, BULLET, HORIZONTAL ELLIPSIS: ·•…
-curly ‘single’ and “double” quotes
-ACUTE ACCENT, GRAVE ACCENT: ´`
-EURO SIGN: €
-unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
+e¢coC0ODQ iI71lL!|¦
+b6G&0B83  [](){}/\.…·•
+zs$S52Z%  ´`'"‘’“”«»
 
 all characters in a sentence, uppercase:
 
@@ -92,10 +87,8 @@ THE QUICK FOX JUMPS OVER THE LAZY DOG
 
 same, in french:
 
-voix ambiguë d'un cœur qui, au zéphyr,
-préfère les jattes de kiwis.
-VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR,
-PRÉFÈRE LES JATTES DE KIWIS.
+voix ambiguë d'un cœur qui, au zéphyr, préfère les jattes de kiwis.
+VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR, PRÉFÈRE LES JATTES DE KIWIS.
 
 Ligatures test:
 
@@ -106,15 +99,15 @@ Ligatures test:
 <: := *= *+ <* <*> *> <| <|> |> <. <.> .> +* =* =: :>
 (* *) /* */ [| |] {| |} ++ +++ \/ /\ |- -| <!-- <!---
 
-Box drawing alignment tests:                                          █
-                                                                      ▉
-  ╔══╦══╗  ┌──┬──┐  ╭──┬──╮  ╭──┬──╮  ┏━━┳━━┓  ┎┒┏┑   ╷  ╻ ┏┯┓ ┌┰┐    ▊ ╱╲╱╲╳╳╳
-  ║┌─╨─┐║  │╔═╧═╗│  │╒═╪═╕│  │╓─╁─╖│  ┃┌─╂─┐┃  ┗╃╄┙  ╶┼╴╺╋╸┠┼┨ ┝╋┥    ▋ ╲╱╲╱╳╳╳
-  ║│╲ ╱│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╿ │┃  ┍╅╆┓   ╵  ╹ ┗┷┛ └┸┘    ▌ ╱╲╱╲╳╳╳
-  ╠╡ ╳ ╞╣  ├╢   ╟┤  ├┼─┼─┼┤  ├╫─╂─╫┤  ┣┿╾┼╼┿┫  ┕┛┖┚     ┌┄┄┐ ╎ ┏┅┅┓ ┋ ▍ ╲╱╲╱╳╳╳
-  ║│╱ ╲│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╽ │┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▎
-  ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▏
-  ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛           └╌╌┘ ╎ ┗╍╍┛ ┋  ▁▂▃▄▅▆▇█
+Box drawing alignment tests:
+                                                                   █
+╔══╦══╗  ┌──┬──┐  ╭──┬──╮  ╭──┬──╮  ┏━━┳━━┓ ┎┒┏┑   ╷  ╻ ┏┯┓ ┌┰┐    ▉ ╱╲╱╲╳╳╳
+║┌─╨─┐║  │╔═╧═╗│  │╒═╪═╕│  │╓─╁─╖│  ┃┌─╂─┐┃ ┗╃╄┙  ╶┼╴╺╋╸┠┼┨ ┝╋┥    ▊ ╲╱╲╱╳╳╳
+║│╲ ╱│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╿ │┃ ┍╅╆┓   ╵  ╹ ┗┷┛ └┸┘    ▋ ╱╲╱╲╳╳╳
+╠╡ ╳ ╞╣  ├╢   ╟┤  ├┼─┼─┼┤  ├╫─╂─╫┤  ┣┿╾┼╼┿┫ ┕┛┖┚     ┌┄┄┐ ╎ ┏┅┅┓ ┋ ▌ ╲╱╲╱╳╳╳
+║│╱ ╲│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╽ │┃ ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▍
+║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃ ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▎
+╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛          └╌╌┘ ╎ ┗╍╍┛ ┋ ▏▁▂▃▄▅▆▇█
 
 Dashes alignment test:
 

tweak font test file titles
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 19881144..91a85d0c 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -66,12 +66,12 @@ have sworn I had a good one like this lying around somewhere but
 couldn't find it so here it is, I guess.
 
 ```
-US keyboard coverage
+US keyboard coverage:
 
 abcdefghijklmnopqrstuvwxyz`1234567890-=[]\;',./
 ABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?
 
-ambiguous characters
+ambiguity test:
 
 iI71lL!|¦ 
 [](){}/\
@@ -85,19 +85,20 @@ ACUTE ACCENT, GRAVE ACCENT: ´`
 EURO SIGN: €
 unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
 
-all characters in a sentence, uppercase
+all characters in a sentence, uppercase:
 
 the quick fox jumps over the lazy dog
 THE QUICK FOX JUMPS OVER THE LAZY DOG
 
-same, in french
+same, in french:
 
 voix ambiguë d'un cœur qui, au zéphyr,
 préfère les jattes de kiwis.
 VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR,
 PRÉFÈRE LES JATTES DE KIWIS.
 
-Ligatures test
+Ligatures test:
+
 -<< -< -<- <-- <--- <<- <- -> ->> --> ---> ->- >- >>-
 =<< =< =<= <== <=== <<= <= => =>> ==> ===> =>= >= >>=
 <-> <--> <---> <----> <=> <==> <===> <====> :: ::: __
@@ -115,6 +116,8 @@ Box drawing alignment tests:                                          █
   ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▏
   ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛           └╌╌┘ ╎ ┗╍╍┛ ┋  ▁▂▃▄▅▆▇█
 
+Dashes alignment test:
+
 HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
 --------------------------------------------------
 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

add ligatures test, from https://typeof.net/Iosevka/
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index d3de4833..19881144 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -79,6 +79,12 @@ e¢coC0ODQ
 b6G&0B83
 zs$S52Z%
 
+MIDDLE DOT, BULLET, HORIZONTAL ELLIPSIS: ·•…
+curly ‘single’ and “double” quotes
+ACUTE ACCENT, GRAVE ACCENT: ´`
+EURO SIGN: €
+unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
+
 all characters in a sentence, uppercase
 
 the quick fox jumps over the lazy dog
@@ -91,6 +97,14 @@ préfère les jattes de kiwis.
 VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR,
 PRÉFÈRE LES JATTES DE KIWIS.
 
+Ligatures test
+-<< -< -<- <-- <--- <<- <- -> ->> --> ---> ->- >- >>-
+=<< =< =<= <== <=== <<= <= => =>> ==> ===> =>= >= >>=
+<-> <--> <---> <----> <=> <==> <===> <====> :: ::: __
+<~~ </ </> /> ~~> == != /= ~= <> === !== !=== =/= =!=
+<: := *= *+ <* <*> *> <| <|> |> <. <.> .> +* =* =: :>
+(* *) /* */ [| |] {| |} ++ +++ \/ /\ |- -| <!-- <!---
+
 Box drawing alignment tests:                                          █
                                                                       ▉
   ╔══╦══╗  ┌──┬──┐  ╭──┬──╮  ╭──┬──╮  ┏━━┳━━┓  ┎┒┏┑   ╷  ╻ ┏┯┓ ┌┰┐    ▊ ╱╲╱╲╳╳╳
@@ -101,12 +115,6 @@ Box drawing alignment tests:                                          █
   ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▏
   ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛           └╌╌┘ ╎ ┗╍╍┛ ┋  ▁▂▃▄▅▆▇█
 
-MIDDLE DOT, BULLET, HORIZONTAL ELLIPSIS: ·•…
-curly ‘single’ and “double” quotes
-ACUTE ACCENT, GRAVE ACCENT: ´`
-EURO SIGN: €
-unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
-
 HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
 --------------------------------------------------
 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
@@ -117,6 +125,8 @@ __________________________________________________
 
 ```
 
+-->
+
 So there you have it, got completely nerd swiped by typography
 again. Now I can go back to writing a too-long proposal again.
 

add cent, vertical pipe, z to ambiguity sample
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index aab9b70c..d3de4833 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -73,8 +73,11 @@ ABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?
 
 ambiguous characters
 
-iI71lL!| ecoC0ODQ
-[](){}/\ b6G&0B83 $sS52Z%
+iI71lL!|¦ 
+[](){}/\
+e¢coC0ODQ
+b6G&0B83
+zs$S52Z%
 
 all characters in a sentence, uppercase
 

review utf-8 sample file after reading agave's home page
It has a more extensive sample coverage like b6G& and eco that we
didn't have. Also we had $ on its own without anything to compare it
to, so add the interesting $sS52Z% string in there as well.
Shift the full keyboard sample upwars and make it ordered more
logically.
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index ccad50ee..aab9b70c 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -66,14 +66,15 @@ have sworn I had a good one like this lying around somewhere but
 couldn't find it so here it is, I guess.
 
 ```
-ASCII test
+US keyboard coverage
 
-abcdefghijklmnopqrstuvwxyz1234567890-=
-ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+
+abcdefghijklmnopqrstuvwxyz`1234567890-=[]\;',./
+ABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?
 
 ambiguous characters
 
-&iIL7l1!|[](){}/\oO0DQ8B3;:,./?~`'"$
+iI71lL!| ecoC0ODQ
+[](){}/\ b6G&0B83 $sS52Z%
 
 all characters in a sentence, uppercase
 

add 3 to B/8 ambiguity check, thanks @mdione
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 252125c6..ccad50ee 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -73,7 +73,7 @@ ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+
 
 ambiguous characters
 
-&iIL7l1!|[](){}/\oO0DQ8B;:,./?~`'"$
+&iIL7l1!|[](){}/\oO0DQ8B3;:,./?~`'"$
 
 all characters in a sentence, uppercase
 

delete duplicated federation post
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index d0bcd45a..252125c6 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -145,8 +145,5 @@ Sources and inspiration for the above:
 [[!tag debian-planet python-planet typography meta theming usability]]
 
 
-<!-- posted to the federation on 2024-05-29T17:44:57.665346 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/112526563552199519"]]
-
 <!-- posted to the federation on 2024-05-29T17:44:57.933852 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/112526563590503074"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/112526563590503074"]]

fix blog post title
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 8d88f6c0..d0bcd45a 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -1,4 +1,4 @@
-[[meta title="Playing with fonts again"]]
+[[!meta title="Playing with fonts again"]]
 
 I am getting increasingly frustrated by Fira Mono's [lack of italic
 support](https://github.com/mozilla/Fira/issues/38) so I am looking at [[alternative fonts

automatic federated post of blog/2024-05-29-playing-with-fonts-again.md
Command: ['/usr/bin/feed2exec', '-v', 'fetch', '--nocache']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 048a59e0..8d88f6c0 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -143,3 +143,10 @@ Sources and inspiration for the above:
 - [UTF-8 sampler](https://web.archive.org/web/20080515024332/http://www.columbia.edu/kermit/utf8.html) - unused, similar
 
 [[!tag debian-planet python-planet typography meta theming usability]]
+
+
+<!-- posted to the federation on 2024-05-29T17:44:57.665346 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/112526563552199519"]]
+
+<!-- posted to the federation on 2024-05-29T17:44:57.933852 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/112526563590503074"]]
\ No newline at end of file

another image viewer
diff --git a/software/desktop/x11.md b/software/desktop/x11.md
index 82a27606..5ae8c443 100644
--- a/software/desktop/x11.md
+++ b/software/desktop/x11.md
@@ -189,6 +189,9 @@ Other alternatives I have considered or used in the past:
  * [nomacs](https://github.com/nomacs/nomacs): gorgeous, fast, but badly maintained, [vendored
    exiv](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974616), [unfixed CVE](https://github.com/nomacs/nomacs/issues/516) ([CVE-2020-23884](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014124)), no release in 2
    years (as of 2022)
+ * [oculante](https://github.com/woelper/oculante): fast startup, animation-level sequential image
+   display, hardware acceleration, minimal editing capabilities, not
+   in Debian
  * [pho](http://shallowsky.com/software/pho/): streamlined, minimal, batch operations, not in Debian
  * [plio][]: sxiv rewrite, with sorting capacities
  * [sxiv](https://github.com/muennich/sxiv): abandoned upstream

publish blog post
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index dc9a9254..048a59e0 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -142,4 +142,4 @@ Sources and inspiration for the above:
 
 - [UTF-8 sampler](https://web.archive.org/web/20080515024332/http://www.columbia.edu/kermit/utf8.html) - unused, similar
 
-[[!tag draft]]
+[[!tag debian-planet python-planet typography meta theming usability]]

some edits
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index c877f3d6..dc9a9254 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -41,22 +41,25 @@ originals *look* sharp on my display, I suspect this is something to
 do with the Wayland transition. I've tried with both [grim](https://sr.ht/~emersion/grim/) and
 [flameshot](https://github.com/flameshot-org/flameshot), for what its worth.)
 
-They are pretty similar! Commit Mono feels a *bit* more compressed,
-maybe too much so, actually -- the line height feels too low.  But
-it's heavily customizable so that's something that's relatively easy
-to fix, if it's really a problem. Its weight is also a little heavier
-than Fira which I find a little distracting right now, but maybe I'll
-get used to it.
+They are pretty similar! Commit Mono feels a *bit* more vertically
+compressed maybe too much so, actually -- the line height feels too
+low.  But it's heavily customizable so that's something that's
+relatively easy to fix, if it's really a problem. Its weight is also a
+little heavier and wider than Fira which I find a little distracting
+right now, but maybe I'll get used to it.
 
 All characters seem properly distinguishable, although, if I'd really
-want to nitpick I'd say the © and ® are too different, with the latter
-(`REGISTERED SIGN`) being way too small, basically unreadable
-here. Since I see this approximately never, it probably doesn't
-matter.
+want to nitpick I'd say the © and ® are *too* different, with the
+latter (`REGISTERED SIGN`) being way too small, basically unreadable
+here. Since I see this sign approximately never, it probably doesn't
+matter at all.
 
 I like how the ampersand (`&`) is more traditional, although I'll miss
-the exotic Fira one... I like how the back quotes (`\``, `GRAVE ACCENT`)
-drop down low, nicely aligned with the apostrophe.
+the exotic one Fira produced... I like how the back quotes (`` ` ``,
+`GRAVE ACCENT`) drop down low, nicely aligned with the apostrophe. As
+I mentioned before, I like how the bar on the "f" aligns with the
+other top of letters, something in Fira mono that really annoys me now
+that I've noticed it (it's not aligned!).
 
 Here's the test sheet I've made up to test various characters. I could
 have sworn I had a good one like this lying around somewhere but

new blog post: new fonts
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
new file mode 100644
index 00000000..c877f3d6
--- /dev/null
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -0,0 +1,142 @@
+[[meta title="Playing with fonts again"]]
+
+I am getting increasingly frustrated by Fira Mono's [lack of italic
+support](https://github.com/mozilla/Fira/issues/38) so I am looking at [[alternative fonts
+again|2020-03-10-font-changes]].
+
+This time I seem to be settling on either [Commit Mono](https://commitmono.com/) or [Space
+Mono](https://www.colophon-foundry.org/custom-projects/space-mono). For now I'm using Commit Mono because it's a little more
+compressed than Fira and does have a italic version. I don't like how
+Space Mono's parenthesis (`()`) is "squarish", it feels visually
+ambiguous with the square brackets (`[]`), a big no-no for my primary
+use case (code).
+
+So here I am using a new font, again. It required changing a bunch of
+configuration files in my home directory (which is in a private
+repository, sorry) and Emacs configuration (thankfully that's
+public!). 
+
+One gotcha is I realized I didn't actually have a global font
+configuration in Emacs, as some [Faces](https://www.gnu.org/software/emacs/manual/html_node/emacs/Faces.html) define their own font
+family, which overrides the frame defaults.
+
+This is what it looks like, before:
+
+<figure>
+<img src="snap-20240529T171950-fira-mono.png" alt="A dark terminal
+showing the test sheet in Fira Mono" />
+<figcaption>Fira Mono</figcaption>
+</figure>
+
+After:
+
+<figure>
+<img src="snap-20240529T171846-commit-mono.png" alt="A dark terminal
+showing the test sheet in Fira Mono" />
+<figcaption>Commit Mono</figcaption>
+</figure>
+
+(Notice how those screenshots are not sharp? I'm surprised too. The
+originals *look* sharp on my display, I suspect this is something to
+do with the Wayland transition. I've tried with both [grim](https://sr.ht/~emersion/grim/) and
+[flameshot](https://github.com/flameshot-org/flameshot), for what its worth.)
+
+They are pretty similar! Commit Mono feels a *bit* more compressed,
+maybe too much so, actually -- the line height feels too low.  But
+it's heavily customizable so that's something that's relatively easy
+to fix, if it's really a problem. Its weight is also a little heavier
+than Fira which I find a little distracting right now, but maybe I'll
+get used to it.
+
+All characters seem properly distinguishable, although, if I'd really
+want to nitpick I'd say the © and ® are too different, with the latter
+(`REGISTERED SIGN`) being way too small, basically unreadable
+here. Since I see this approximately never, it probably doesn't
+matter.
+
+I like how the ampersand (`&`) is more traditional, although I'll miss
+the exotic Fira one... I like how the back quotes (`\``, `GRAVE ACCENT`)
+drop down low, nicely aligned with the apostrophe.
+
+Here's the test sheet I've made up to test various characters. I could
+have sworn I had a good one like this lying around somewhere but
+couldn't find it so here it is, I guess.
+
+```
+ASCII test
+
+abcdefghijklmnopqrstuvwxyz1234567890-=
+ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+
+
+ambiguous characters
+
+&iIL7l1!|[](){}/\oO0DQ8B;:,./?~`'"$
+
+all characters in a sentence, uppercase
+
+the quick fox jumps over the lazy dog
+THE QUICK FOX JUMPS OVER THE LAZY DOG
+
+same, in french
+
+voix ambiguë d'un cœur qui, au zéphyr,
+préfère les jattes de kiwis.
+VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR,
+PRÉFÈRE LES JATTES DE KIWIS.
+
+Box drawing alignment tests:                                          █
+                                                                      ▉
+  ╔══╦══╗  ┌──┬──┐  ╭──┬──╮  ╭──┬──╮  ┏━━┳━━┓  ┎┒┏┑   ╷  ╻ ┏┯┓ ┌┰┐    ▊ ╱╲╱╲╳╳╳
+  ║┌─╨─┐║  │╔═╧═╗│  │╒═╪═╕│  │╓─╁─╖│  ┃┌─╂─┐┃  ┗╃╄┙  ╶┼╴╺╋╸┠┼┨ ┝╋┥    ▋ ╲╱╲╱╳╳╳
+  ║│╲ ╱│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╿ │┃  ┍╅╆┓   ╵  ╹ ┗┷┛ └┸┘    ▌ ╱╲╱╲╳╳╳
+  ╠╡ ╳ ╞╣  ├╢   ╟┤  ├┼─┼─┼┤  ├╫─╂─╫┤  ┣┿╾┼╼┿┫  ┕┛┖┚     ┌┄┄┐ ╎ ┏┅┅┓ ┋ ▍ ╲╱╲╱╳╳╳
+  ║│╱ ╲│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╽ │┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▎
+  ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▏
+  ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛           └╌╌┘ ╎ ┗╍╍┛ ┋  ▁▂▃▄▅▆▇█
+
+MIDDLE DOT, BULLET, HORIZONTAL ELLIPSIS: ·•…
+curly ‘single’ and “double” quotes
+ACUTE ACCENT, GRAVE ACCENT: ´`
+EURO SIGN: €
+unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
+
+HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
+--------------------------------------------------
+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
+––––––––––––––––––––––––––––––––––––––––––––––––––
+——————————————————————————————————————————————————
+――――――――――――――――――――――――――――――――――――――――――――――――――
+__________________________________________________
+
+```
+
+So there you have it, got completely nerd swiped by typography
+again. Now I can go back to writing a too-long proposal again.
+
+Sources and inspiration for the above:
+
+- the `unicode(1)` command, to lookup individual characters to
+  disambiguate, for example, `-` (`U+002D HYPHEN-MINUS`, the minus
+  sign next to zero on US keyboards) and − (`U+2212 MINUS SIGN`, a
+  math symbol)
+
+- [searchable list of characters and their names](https://web.archive.org/web/20080515015236/http://www.columbia.edu/kermit/utf8-t1.html) - roughly
+  equivalent to the `unicode(1)` command, but in one page, amazingly
+  the `/usr/share/unicode` database doesn't have any one file like
+  this
+
+- [bits/UTF-8-Unicode-Test-Documents](https://github.com/bits/UTF-8-Unicode-Test-Documents) - full list of UTF-8
+  characters
+
+- [UTF-8 encoded plain text file](https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-demo.txt) - nice examples of edge cases,
+  curly quotes example and box drawing alignment test which,
+  incidentally, showed me I needed specific faces customisation in
+  Emacs to get the Markdown code areas to display properly, also the
+  idea of comparing various dashes
+
+- [sample sentences in many languages](https://www.cl.cam.ac.uk/~mgk25/ucs/examples/quickbrown.txt) - unused, "Sentences that
+  contain all letters commonly used in a language"
+
+- [UTF-8 sampler](https://web.archive.org/web/20080515024332/http://www.columbia.edu/kermit/utf8.html) - unused, similar
+
+[[!tag draft]]
diff --git a/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171846-commit-mono.png b/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171846-commit-mono.png
new file mode 100644
index 00000000..2ceafccc
Binary files /dev/null and b/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171846-commit-mono.png differ
diff --git a/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171950-fira-mono.png b/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171950-fira-mono.png
new file mode 100644
index 00000000..569b4e84
Binary files /dev/null and b/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171950-fira-mono.png differ

more keyring help
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 593215b6..1c6aa85f 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -30,9 +30,12 @@ upload:
 	@echo "next time, try using GitLab API: https://docs.gitlab.com/ee/api/users.html#list-all-gpg-keys"
 	@echo "list, parse for fingerprint, delete, then upload"
 	@echo "last test with plain 'python-gitlab' CLI failed though"
+	gpg --export --export-options export-minimal -a $(FINGERPRINT) | wl-copy
+	@echo "key copied to clipboard"
 
 renew:
 	gpg --quick-set-expire $(FINGERPRINT) $(NEXT_EXPIRE)
+	@echo "note that this doesn't upload or update the key! run '$(MAKE) hu upload upload-tpo' to complete the procedure"
 
 upload-tpo:
 	@echo "updating TPO keyring"

renew pgp key, pushed everywhere and updated procedures
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 973b6889..593215b6 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -24,8 +24,12 @@ upload:
 	@echo "Not covered: GitLab and GitHub accounts:"
 	@echo "https://gitlab.torproject.org/-/profile/gpg_keys"
 	@echo "https://gitlab.com/-/profile/gpg_keys"
+	@echo "https://salsa.debian.org/-/profile/gpg_keys"
 	@echo "https://github.com/settings/keys"
-	@echo "https://salsa.debian.org/settings/keys"
+	@echo "most involves deleting the old key then reuploading the new one"
+	@echo "next time, try using GitLab API: https://docs.gitlab.com/ee/api/users.html#list-all-gpg-keys"
+	@echo "list, parse for fingerprint, delete, then upload"
+	@echo "last test with plain 'python-gitlab' CLI failed though"
 
 renew:
 	gpg --quick-set-expire $(FINGERPRINT) $(NEXT_EXPIRE)
@@ -36,10 +40,3 @@ upload-tpo:
 	gpg --export --export-options export-minimal $(FINGERPRINT) > $(TPO_KEYRING)/torproject-keyring/anarcat-$(FINGERPRINT).gpg
 	git -C $(TPO_KEYRING) commit torproject-keyring/anarcat-$(FINGERPRINT).gpg
 	git -C $(TPO_KEYRING) push
-	git -C $(TPO_KEYRING) push alberti
-
-	@echo "updating TPO password manager keyring"
-	git -C $(TPO_PWMANAGER) pull
-	gpg --export --export-options export-minimal $(FINGERPRINT) | gpg --no-default-keyring --keyring=$(TPO_PWMANAGER)/.keyring --import
-	git -C $(TPO_PWMANAGER) commit .keyring
-	git -C $(TPO_PWMANAGER) push
diff --git a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe
index 5fc43adf..1d3f569e 100644
Binary files a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe and b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe differ

fix links in usb-c article
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 94e7a168..12a074cd 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -144,7 +144,7 @@ I found that weird little thing through [this Twitter post](https://twitter.com/
 [Benedict Reuschling](https://twitter.com/bsdbcr), from [this blog post](https://klarasystems.com/articles/openzfs-data-security-vs-integrity/), from [2.5 admins
 episode 127](https://2.5admins.com/2-5-admins-127/) (phew!).
 
-I ordered a TOFU power station in February (2023-02-20) and it landed
+I ordered a [TOFU power station](https://www.zentofu.com/tps.php) in February (2023-02-20) and it landed
 on my doorstep about two weeks later (2023-03-08).
 
 The power output is a little disappointing: my laptop tells me it's
@@ -156,7 +156,7 @@ fine for charging the laptop overnight during my travels, which is
 basically my use case here.
 
 The "travel" thing is a little plastic contraption that holds three
-different power adapters: [Australian](https://en.wikipedia.org/wiki/AS/NZS_3112), [British](https://en.wikipedia.org/wiki/AC_power_plugs_and_sockets:_British_and_related_types#BS_1363_three-pin_(rectangular)_plugs_and_sockets), [Europe](https://en.wikipedia.org/wiki/Europlug),
+different power adapters: [Australian](https://en.wikipedia.org/wiki/AS/NZS_3112), [British][], [Europe](https://en.wikipedia.org/wiki/Europlug),
 and [USA](https://en.wikipedia.org/wiki/NEMA_connector). The clever thing here is the other end is what looks
 like a [IEC 60320](https://en.wikipedia.org/wiki/IEC_60320) C7/C8 coupler, AKA a "figure-8", "infinity" or
 "shotgun", according to Wikipedia. It seems design to fit with Macbook
@@ -244,6 +244,8 @@ Update 2: I traveled quite a bit with this device and I like it. The
 main downside is the cable is just too damn short and a larger cable
 doesn't fit well in the case. Otherwise it's really nice.
 
+[British]: https://en.wikipedia.org/wiki/AC_power_plugs_and_sockets:_British_and_related_types#BS_1363_three-pin_(rectangular)_plugs_and_sockets
+
 ### TOFU YOYO Cable
 
 I also bought the [YOYO cable](https://www.elvesfactory.com/worldshop/EN/TOFU/TYC) in the hope it would fix that

another phone
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index 7c7eca6b..f777de51 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -170,6 +170,11 @@ report](https://puri.sm/posts/massive-progress-exact-cpu-selected-minor-shipping
 shipping", so that means at least July 2019, if not later. Their demos
 still don't have a finished device.
 
+## SHIFTphone
+
+[shiftphone 8](https://www.shift.eco/en/shiftphone-8-status-page-2/) will have [mainline support](https://www.phoronix.com/news/SHIFTphone-8-Linux-Patches),
+incredibly. repairable, IPX rating. seems like a fat phone though.
+
 Google
 ------
 

CRLs expire, ugh
diff --git a/services/mail.mdwn b/services/mail.mdwn
index bb8dc235..1730c6cf 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1165,6 +1165,14 @@ You can now test revocation with:
     cat cacert.pem crl.pem > cacrl.pem
     service dovecot restart
 
+Note that, by default, that damn crl expires after 30 days, you'll
+probably want to bump that expiry date (with `default_crl_days=3650`
+in `openssl.conf` or with the `-crldays` option) and then:
+
+    openssl ca -config openssl.cnf  -gencrl  > crl.pem
+    cat cacert.pem crl.pem > cacrl.pem
+    service dovecot restart
+
 And now the above `curl` command should fail. Notice how dovecot needs
 a kick after revocation, a `reload` might be sufficient as well.
 

upgraded to Emacs 29 for Wayland support, amazing
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 74e16c24..403fbb4d 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -411,44 +411,29 @@ Unchanged.
 
 See Email, above, or Emacs in Editor, below.
 
-## Editor: Emacs okay-ish
+## Editor: Emacs
 
-Emacs is being actively ported to Wayland. According to [this LWN
+Emacs was ported to Wayland in version 29. According to [this LWN
 article][], the first (partial, to Cairo) port was done in 2014 and a
 working port (to GTK3) was completed in 2021, but wasn't merged until
-[late 2021][]. That is: after [Emacs 28 was released][] (April
-2022). 
+[late 2021][]. That is: after [Emacs 28 was released][] (April 2022)
+and [Debian bookworm freeze][]. The Emacs 29 bookworm backport works.
 
-So we'll probably need to wait for Emacs 29 to have native Wayland
-support in Emacs, which, in turn, is unlikely to arrive in time for
-the [Debian bookworm freeze][]. There are, however, [unofficial
-builds][] for both Emacs 28 and 29 provided by [spwhitton][] which
-may provide native Wayland support. 
+To get the native builds, you need to install the [emacs-pgtk
+package](https://packages.debian.org/unstable/emacs-pgtk).
 
-I tested the snapshot packages and they do not quite work well
-enough. First off, they completely take over the builtin Emacs — they
-hijack the `$PATH` in `/etc`! — and certain things are simply not
-working in my setup. For example, this hook never gets ran on startup:
-
-    (add-hook 'after-init-hook 'server-start t) 
-
-Still, like many X11 applications, Emacs mostly works fine under
-Xwayland. The clipboard works as expected, for example.
-
-Scaling is a bit of an issue: fonts look fuzzy.
+In any case, like many X11 applications, Emacs mostly works fine under
+Xwayland. The clipboard works as expected, for example. Scaling is a
+bit of an issue: fonts look fuzzy.
 
 I have heard anecdotal evidence of hard lockups with Emacs running
 under Xwayland as well, but haven't experienced any problem so far. I
 did experience a Wayland crash with the snapshot version however.
 
-TODO: look again at Wayland in Emacs 29.
-
 [this LWN article]: https://lwn.net/Articles/843896/
 [late 2021]: https://batsov.com/articles/2021/12/19/building-emacs-from-source-with-pgtk/
 [Emacs 28 was released]: https://www.gnu.org/savannah-checkouts/gnu/emacs/emacs.html#Releases
 [Debian bookworm freeze]: https://lists.debian.org/debian-devel/2022/03/msg00251.html
-[unofficial builds]: https://silentflame.com/debian/
-[spwhitton]: https://spwhitton.name/
 
 ## Backups: borg
 

framework ec driver progress
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 0a083c6a..d5653cc8 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -235,7 +235,8 @@ the laptop.
  * the EC (Embedded Controller) is [open source](https://github.com/FrameworkComputer/EmbeddedController) so of course
    people are [hacking at it](https://github.com/lhl/linuxlaptops/wiki/2022-Framework-Laptop-DIY-Edition-12th-Gen-Intel-Batch-1#ectool), [some documentation on what's
    possible](https://www.howett.net/posts/2021-12-framework-ec/) (e.g. changing LED colors, fan curves, etc), [see
-   also](https://github.com/lhl/linuxlaptops/wiki/2022-Framework-Laptop-DIY-Edition-12th-Gen-Intel-Batch-1#ectool)
+   also](https://github.com/lhl/linuxlaptops/wiki/2022-Framework-Laptop-DIY-Edition-12th-Gen-Intel-Batch-1#ectool) and possible [mainline inclusion](https://www.phoronix.com/news/Framework-Laptop-EC-Driver) for the charge
+   controller
 
 ## Cons
 

another inotify thing
diff --git a/blog/2019-11-20-file-monitoring-tools.mdwn b/blog/2019-11-20-file-monitoring-tools.mdwn
index 0e8b768b..99163956 100644
--- a/blog/2019-11-20-file-monitoring-tools.mdwn
+++ b/blog/2019-11-20-file-monitoring-tools.mdwn
@@ -408,6 +408,16 @@ to fit a square peg in this round hole:
 
 # Other
 
+## inotify-info
+
+<https://github.com/mikesart/inotify-info>
+
+ * 2021-...
+ * C++
+ * MIT
+ * Debian package
+ * simply lists active inotify watches
+
 ## kfmon (kobo launcher)
 
 <https://github.com/NiLuJe/kfmon>

gtkgreet landed in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 931a957e..74e16c24 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -496,12 +496,15 @@ Possible alternatives:
 
  * [lightdm elephant greeter][] (I tried [[!debpkg slick-greeter]] and
    [[!debpkg ukui-greeter]], neither could start the Sway session)
- * [greetd][], [tuigreet][] (in Debian) and [QtGreet][] (not in
+ * [greetd][] is a login manager that delegates to greeters, like
+   [gtkgreet][], [tuigreet][] (in Debian) and [QtGreet][] (not in
    Debian), tested [agreety][] (part of greetd) but it didn't work at
    all
  * [sddm][]: KDE's default, in Debian, probably heavier or as heavy as
    gdm3
 
+ [gtkgreet]: https://git.sr.ht/~kennylevinsen/gtkgreet
+
 [lightdm elephant greeter]: https://github.com/max-moser/lightdm-elephant-greeter
 [greetd]: https://sr.ht/~kennylevinsen/greetd/
 [QtGreet]: https://gitlab.com/marcusbritanicus/QtGreet

another victim of the federation
diff --git a/blog/2022-06-17-matrix-notes.md b/blog/2022-06-17-matrix-notes.md
index 2b5bec2d..e8da1388 100644
--- a/blog/2022-06-17-matrix-notes.md
+++ b/blog/2022-06-17-matrix-notes.md
@@ -352,7 +352,7 @@ a space in the future where it isn't or should be hidden behind a
 proxy, for example. That still feels like a security issue, and that
 still isn't something Matrix seem to care about.)
 
-[Mastodon has the same problem](https://github.com/mastodon/mastodon/issues/23662).
+[Mastodon has the same problem](https://github.com/mastodon/mastodon/issues/23662), and [people are starting to notice](https://news.itsfoss.com/mastodon-link-problem/).
 
 # Moderation
 

make link references for sending by email
diff --git a/blog/2024-05-01-gitolite-gitlab-migration.md b/blog/2024-05-01-gitolite-gitlab-migration.md
index 991a2c2c..b3833611 100644
--- a/blog/2024-05-01-gitolite-gitlab-migration.md
+++ b/blog/2024-05-01-gitolite-gitlab-migration.md
@@ -5,12 +5,17 @@
 > contrary, I've been very busy but just didn't have time to write
 > about anything. So I've taken it upon myself to write *something*
 > about my work this week, and published [this post on the Tor
-> blog](https://blog.torproject.org/gitolite-gitlab-migration/) which I copy here for a broader audience. Let me know if
+> blog][] which I copy here for a broader audience. Let me know if
 > you like this or not.
 
+ [this post on the Tor blog]: https://blog.torproject.org/gitolite-gitlab-migration/
+
 Tor has finally completed a long migration from legacy Git
-infrastructure ([Gitolite and GitWeb](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git)) to our self-hosted
-[GitLab](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab) server.
+infrastructure ([Gitolite and GitWeb][]) to our self-hosted
+[GitLab][] server.
+
+ [GitLab]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab
+ [Gitolite and GitWeb]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git
 
 Git repository addresses have therefore changed. Many of you probably
 have made the switch already, but if not, you will need to change:
@@ -23,12 +28,15 @@ to:
 
 In your Git configuration.
 
-The [GitWeb front page](https://gitweb.torproject.org/) is now an archived listing of all the
+The [GitWeb front page][] is now an archived listing of all the
 repositories before the migration. Inactive git repositories were
-archived in GitLab [legacy/gitolite namespace](https://gitlab.torproject.org/legacy/gitolite/) and the
+archived in GitLab [legacy/gitolite namespace][] and the
 `gitweb.torproject.org` and `git.torproject.org` web sites now
 redirect to GitLab.
 
+ [legacy/gitolite namespace]: https://gitlab.torproject.org/legacy/gitolite/
+ [GitWeb front page]: https://gitweb.torproject.org/
+
 Best effort was made to reproduce the original gitolite repositories
 faithfully and also avoid duplicating too much data in the
 migration. But it's *possible* that some data present in Gitolite has
@@ -54,69 +62,99 @@ problems we faced during the migration.
 
 Normally, nothing should be lost. All repositories in gitolite have
 been either explicitly migrated by their owners, forcibly migrated by
-the sysadmin team ([TPA](https://gitlab.torproject.org/tpo/tpa/team/)), or explicitly destroyed at their owner's
+the sysadmin team ([TPA][]), or explicitly destroyed at their owner's
 request.
 
-An exhaustive [rewrite map](https://archive.torproject.org/websites/gitolite2gitlab.txt) translates gitolite projects to GitLab
+ [TPA]: https://gitlab.torproject.org/tpo/tpa/team/
+
+An exhaustive [rewrite map][] translates gitolite projects to GitLab
 projects. Some of those projects actually redirect to their *parent*
 in cases of empty repositories that were obvious forks. Destroyed
 repositories redirect to the GitLab front page.
 
+ [rewrite map]: https://archive.torproject.org/websites/gitolite2gitlab.txt
+
 Because the migration happened progressively, it's technically
 possible that commits pushed to gitolite were lost after the
 migration. We took great care to avoid that scenario. First, we
-adopted a proposal ([TPA-RFC-36](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-36-gitolite-gitweb-retirement)) in June 2023 to announce the
-transition. Then, in [March 2024](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41213), we locked down all repositories
+adopted a proposal ([TPA-RFC-36][]) in June 2023 to announce the
+transition. Then, in [March 2024][], we locked down all repositories
 from any further changes. Around that time, only a [handful of
-repositories](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41214#note_2983302 "handful of repositories") had changes made after the adoption date, and we
+repositories][] had changes made after the adoption date, and we
 examined each repository carefully to make sure nothing was lost.
 
-Still, we built a [diff of all the changes in the git references](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215#note_3023924)
+ [handful of repositories]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41214#note_2983302 "handful of repositories"
+ [March 2024]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41213
+ [TPA-RFC-36]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-36-gitolite-gitweb-retirement
+
+Still, we built a [diff of all the changes in the git references][]
 that archivists can peruse to check for data loss. It's large (6MiB+)
 because a lot of repositories were migrated before the mass migration
 and then kept evolving in GitLab. Many other repositories were rebuilt
 in GitLab from parent to rebuild a fork relationship which added extra
 references to those clones.
 
+ [diff of all the changes in the git references]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215#note_3023924
+
 A note to amateur archivists out there, it's probably too late for one
 last crawl now. The Git repositories now all redirect to GitLab and
 are effectively unavailable in their original form.
 
-That said, the GitWeb site was crawled into the [Internet Archive](https://archive.org/) [in
-February 2024](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41218#note_2992296), so at least some copy of it is available in the
-[Wayback Machine](https://web.archive.org/web/20240204162238/https://gitweb.torproject.org/). At that point, however, many developers had already
+That said, the GitWeb site was crawled into the [Internet Archive][] [in
+February 2024][], so at least some copy of it is available in the
+[Wayback Machine][]. At that point, however, many developers had already
 migrated their projects to GitLab, so the copies there were already
 possibly out of date compared with the repositories in GitLab.
 
-[Software Heritage](https://www.softwareheritage.org/) also has a copy of all repositories hosted on
-Gitolite [since June 2023](https://gitlab.softwareheritage.org/swh/infra/sysadm-environment/-/issues/4939) and have continuously kept mirroring the
+ [Wayback Machine]: https://web.archive.org/web/20240204162238/https://gitweb.torproject.org/
+ [in February 2024]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41218#note_2992296
+ [Internet Archive]: https://archive.org/
+
+[Software Heritage][] also has a copy of all repositories hosted on
+Gitolite [since June 2023][] and have continuously kept mirroring the
 repositories, where they will be kept hopefully in eternity. There's
-an [issue](https://gitlab.softwareheritage.org/swh/devel/swh-web/-/issues/4787) where the main website can't find the repositories when
+an [issue][] where the main website can't find the repositories when
 you search for `gitweb.torproject.org`, instead [search for
-`git.torproject.org`](https://archive.softwareheritage.org/browse/search/?q=git.torproject.org&visit_type=git&with_content=true&with_visit=true).
+`git.torproject.org`][].
+
+ [search for `git.torproject.org`]: https://archive.softwareheritage.org/browse/search/?q=git.torproject.org&visit_type=git&with_content=true&with_visit=true
+ [issue]: https://gitlab.softwareheritage.org/swh/devel/swh-web/-/issues/4787
+ [since June 2023]: https://gitlab.softwareheritage.org/swh/infra/sysadm-environment/-/issues/4939
+ [Software Heritage]: https://www.softwareheritage.org/
 
 In any case, if you believe data is missing, please do let us know by
-[opening an issue with TPA](https://gitlab.torproject.org/tpo/tpa/team/-/issues/new).
+[opening an issue with TPA][].
+
+ [opening an issue with TPA]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/new
 
 # Why?
 
 This is an old project in the making. The first [discussion about
-migrating from gitolite to GitLab](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40472) started in 2020 (almost 4 years
-ago). But [going further back](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/trac#history), the first GitLab experiment was in
+migrating from gitolite to GitLab][] started in 2020 (almost 4 years
+ago). But [going further back][], the first GitLab experiment was in
 2016, almost a decade ago.
 
+ [going further back]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/trac#history
+
+ [discussion about migrating from gitolite to GitLab]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40472
+
 The current GitLab server dates from 2019, [replacing Trac for issue
-tracking in 2020](https://blog.torproject.org/from-trac-into-gitlab-for-tor/). It was originally supposed to host only mirrors
+tracking in 2020][]. It was originally supposed to host only mirrors
 for merge requests and issue trackers but, naturally, one thing led to
 another and eventually, GitLab had grown a container registry,
 continuous integration (CI) runners, GitLab Pages, and, of course,
 hosted most Git repositories.
 
+ [replacing Trac for issue tracking in 2020]: https://blog.torproject.org/from-trac-into-gitlab-for-tor/
+
 There were hesitations at moving to GitLab for code hosting. We had
-[discussions about the increased attack surface](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81) and [ways to
-mitigate that](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/98), but, ultimately, it seems the issues were not that
+[discussions about the increased attack surface][] and [ways to
+mitigate that][], but, ultimately, it seems the issues were not that
 serious and the community embraced GitLab.
 
+ [ways to mitigate that]: https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/98
+ [discussions about the increased attack surface]: https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81
+
 TPA actually migrated its most critical repositories out of shared
 hosting entirely, into specific servers (e.g. the Puppet Git
 repository is just on the Puppet server now), leveraging Git's
@@ -138,21 +176,30 @@ When Gitolite access was shutdown, we had repositories on both GitLab
 and Gitolite, without a clear relationship between the two. A priori,
 the plan then was to import all the remaining Gitolite repositories
 into the `legacy/gitolite` namespace, but that seemed wasteful,
-particularly for large repositories like [Tor Browser](https://gitlab.torproject.org/tpo/applications/tor-browser) which uses
+particularly for large repositories like [Tor Browser][] which uses
 nearly a gigabyte of disk space. So we took special care to avoid
 duplicating repositories.
 
-When the [mass migration](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215) started, only 71 of the 538 Gitolite
+ [Tor Browser]: https://gitlab.torproject.org/tpo/applications/tor-browser
+
+When the [mass migration][] started, only 71 of the 538 Gitolite
 repositories were `Migrated to GitLab` in the `gitolite.conf`
 file. So, given that we had *hundreds* of repositories to migrate:, we
-developed some automation to "[save time](https://xkcd.com/1205/)". We already automate
-similar ad-hoc tasks with [Fabric](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/fabric/), so we used that framework here
-as well. (Our normal configuration management tool is [Puppet](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet),
+developed some automation to "[save time][]". We already automate
+similar ad-hoc tasks with [Fabric][], so we used that framework here
+as well. (Our normal configuration management tool is [Puppet][],
 which is a poor fit here.)
 
-So a relatively [large amount of Python code](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/blob/85121b4a8a293cebb0d9dfd68ebf26e2cc95ed76/fabric_tpa/gitolite.py) was produced to
+ [Puppet]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet
+ [Fabric]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/fabric/
+ [save time]: https://xkcd.com/1205/
+ [mass migration]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215
+
+So a relatively [large amount of Python code][] was produced to
 basically do the following:
 
+ [large amount of Python code]: https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/blob/85121b4a8a293cebb0d9dfd68ebf26e2cc95ed76/fabric_tpa/gitolite.py
+
  1. check if all on-disk repositories are listed in `gitolite.conf`
     (and vice versa) and either add missing repositories or delete
     them from disk if garbage
@@ -186,9 +233,11 @@ first-come-first-served basis from the `gitolite.conf` order.

(fichier de différences tronqué)
automatic federated post of blog/2024-05-01-gitolite-gitlab-migration.md
Command: ['/usr/bin/feed2exec', '-v', 'fetch', '--nocache']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2024-05-01-gitolite-gitlab-migration.md b/blog/2024-05-01-gitolite-gitlab-migration.md
index a93b36ca..991a2c2c 100644
--- a/blog/2024-05-01-gitolite-gitlab-migration.md
+++ b/blog/2024-05-01-gitolite-gitlab-migration.md
@@ -535,3 +535,7 @@ The reference copy of those is available in our (currently private)
 Puppet git repository.
 
 [[!tag tor gitlab debian-planet gitlab git sysadmin python python-planet]]
+
+
+<!-- posted to the federation on 2024-05-01T10:58:47.676656 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/112366421768959691"]]
\ No newline at end of file

add tags
diff --git a/blog/2024-05-01-gitolite-gitlab-migration.md b/blog/2024-05-01-gitolite-gitlab-migration.md
index 6862f96b..a93b36ca 100644
--- a/blog/2024-05-01-gitolite-gitlab-migration.md
+++ b/blog/2024-05-01-gitolite-gitlab-migration.md
@@ -534,3 +534,4 @@ RewriteRule .* https://gitlab.torproject.org [R=302,L]
 The reference copy of those is available in our (currently private)
 Puppet git repository.
 
+[[!tag tor gitlab debian-planet gitlab git sysadmin python python-planet]]

new blog post from work
diff --git a/blog/2024-05-01-gitolite-gitlab-migration.md b/blog/2024-05-01-gitolite-gitlab-migration.md
new file mode 100644
index 00000000..6862f96b
--- /dev/null
+++ b/blog/2024-05-01-gitolite-gitlab-migration.md
@@ -0,0 +1,536 @@
+[[!meta title="Tor migrates from Gitolite/GitWeb to GitLab"]]
+
+> Note: I've been awfully silent here for the past ... (checks notes)
+> oh dear, 3 months! But that's not because I've been idle, quite the
+> contrary, I've been very busy but just didn't have time to write
+> about anything. So I've taken it upon myself to write *something*
+> about my work this week, and published [this post on the Tor
+> blog](https://blog.torproject.org/gitolite-gitlab-migration/) which I copy here for a broader audience. Let me know if
+> you like this or not.
+
+Tor has finally completed a long migration from legacy Git
+infrastructure ([Gitolite and GitWeb](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git)) to our self-hosted
+[GitLab](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab) server.
+
+Git repository addresses have therefore changed. Many of you probably
+have made the switch already, but if not, you will need to change:
+
+    https://git.torproject.org/
+
+to:
+
+    https://gitlab.torproject.org/
+
+In your Git configuration.
+
+The [GitWeb front page](https://gitweb.torproject.org/) is now an archived listing of all the
+repositories before the migration. Inactive git repositories were
+archived in GitLab [legacy/gitolite namespace](https://gitlab.torproject.org/legacy/gitolite/) and the
+`gitweb.torproject.org` and `git.torproject.org` web sites now
+redirect to GitLab.
+
+Best effort was made to reproduce the original gitolite repositories
+faithfully and also avoid duplicating too much data in the
+migration. But it's *possible* that some data present in Gitolite has
+not migrated to GitLab.
+
+User repositories are particularly at risk, because they were
+massively migrated, and they were "re-forked" from their upstreams, to
+avoid wasting disk space. If a user had a project with a matching name
+it was *assumed* to have the right data, which might be inaccurate.
+
+The two virtual machines responsible for the legacy service (`cupani`
+for `git-rw.torproject.org` and `vineale` for `git.torproject.org` and
+`gitweb.torproject.org`) have been shutdown. Their disks will remain
+for 3 months (until the end of July 2024) and their backups for
+another year after that (until the end of July 2025), after which
+point all the data from those hosts will be destroyed, with only the
+GitLab archives remaining.
+
+The rest of this article expands on how this was done and what kind of
+problems we faced during the migration.
+
+# Where is the code?
+
+Normally, nothing should be lost. All repositories in gitolite have
+been either explicitly migrated by their owners, forcibly migrated by
+the sysadmin team ([TPA](https://gitlab.torproject.org/tpo/tpa/team/)), or explicitly destroyed at their owner's
+request.
+
+An exhaustive [rewrite map](https://archive.torproject.org/websites/gitolite2gitlab.txt) translates gitolite projects to GitLab
+projects. Some of those projects actually redirect to their *parent*
+in cases of empty repositories that were obvious forks. Destroyed
+repositories redirect to the GitLab front page.
+
+Because the migration happened progressively, it's technically
+possible that commits pushed to gitolite were lost after the
+migration. We took great care to avoid that scenario. First, we
+adopted a proposal ([TPA-RFC-36](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-36-gitolite-gitweb-retirement)) in June 2023 to announce the
+transition. Then, in [March 2024](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41213), we locked down all repositories
+from any further changes. Around that time, only a [handful of
+repositories](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41214#note_2983302 "handful of repositories") had changes made after the adoption date, and we
+examined each repository carefully to make sure nothing was lost.
+
+Still, we built a [diff of all the changes in the git references](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215#note_3023924)
+that archivists can peruse to check for data loss. It's large (6MiB+)
+because a lot of repositories were migrated before the mass migration
+and then kept evolving in GitLab. Many other repositories were rebuilt
+in GitLab from parent to rebuild a fork relationship which added extra
+references to those clones.
+
+A note to amateur archivists out there, it's probably too late for one
+last crawl now. The Git repositories now all redirect to GitLab and
+are effectively unavailable in their original form.
+
+That said, the GitWeb site was crawled into the [Internet Archive](https://archive.org/) [in
+February 2024](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41218#note_2992296), so at least some copy of it is available in the
+[Wayback Machine](https://web.archive.org/web/20240204162238/https://gitweb.torproject.org/). At that point, however, many developers had already
+migrated their projects to GitLab, so the copies there were already
+possibly out of date compared with the repositories in GitLab.
+
+[Software Heritage](https://www.softwareheritage.org/) also has a copy of all repositories hosted on
+Gitolite [since June 2023](https://gitlab.softwareheritage.org/swh/infra/sysadm-environment/-/issues/4939) and have continuously kept mirroring the
+repositories, where they will be kept hopefully in eternity. There's
+an [issue](https://gitlab.softwareheritage.org/swh/devel/swh-web/-/issues/4787) where the main website can't find the repositories when
+you search for `gitweb.torproject.org`, instead [search for
+`git.torproject.org`](https://archive.softwareheritage.org/browse/search/?q=git.torproject.org&visit_type=git&with_content=true&with_visit=true).
+
+In any case, if you believe data is missing, please do let us know by
+[opening an issue with TPA](https://gitlab.torproject.org/tpo/tpa/team/-/issues/new).
+
+# Why?
+
+This is an old project in the making. The first [discussion about
+migrating from gitolite to GitLab](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40472) started in 2020 (almost 4 years
+ago). But [going further back](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/trac#history), the first GitLab experiment was in
+2016, almost a decade ago.
+
+The current GitLab server dates from 2019, [replacing Trac for issue
+tracking in 2020](https://blog.torproject.org/from-trac-into-gitlab-for-tor/). It was originally supposed to host only mirrors
+for merge requests and issue trackers but, naturally, one thing led to
+another and eventually, GitLab had grown a container registry,
+continuous integration (CI) runners, GitLab Pages, and, of course,
+hosted most Git repositories.
+
+There were hesitations at moving to GitLab for code hosting. We had
+[discussions about the increased attack surface](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81) and [ways to
+mitigate that](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/98), but, ultimately, it seems the issues were not that
+serious and the community embraced GitLab.
+
+TPA actually migrated its most critical repositories out of shared
+hosting entirely, into specific servers (e.g. the Puppet Git
+repository is just on the Puppet server now), leveraging Git's
+decentralized nature and removing an entire attack surface from our
+infrastructure. Some of those repositories are *mirrored* back into
+GitLab, but the authoritative copy is not on GitLab.
+
+In any case, the proposal to migrate from Gitolite to GitLab was
+effectively just formalizing a *fait accompli*.
+
+# How to migrate from Gitolite / cgit to GitLab
+
+The progressive migration was a challenge. If you intend to migrate
+between hosting platforms, we strongly recommend to make a "flag day"
+during which you migrate *all* repositories *at once*. This ensures a
+smoother transition and avoids elaborate rewrite rules.
+
+When Gitolite access was shutdown, we had repositories on both GitLab
+and Gitolite, without a clear relationship between the two. A priori,
+the plan then was to import all the remaining Gitolite repositories
+into the `legacy/gitolite` namespace, but that seemed wasteful,
+particularly for large repositories like [Tor Browser](https://gitlab.torproject.org/tpo/applications/tor-browser) which uses
+nearly a gigabyte of disk space. So we took special care to avoid
+duplicating repositories.
+
+When the [mass migration](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215) started, only 71 of the 538 Gitolite
+repositories were `Migrated to GitLab` in the `gitolite.conf`
+file. So, given that we had *hundreds* of repositories to migrate:, we
+developed some automation to "[save time](https://xkcd.com/1205/)". We already automate
+similar ad-hoc tasks with [Fabric](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/fabric/), so we used that framework here
+as well. (Our normal configuration management tool is [Puppet](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet),
+which is a poor fit here.)
+
+So a relatively [large amount of Python code](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/blob/85121b4a8a293cebb0d9dfd68ebf26e2cc95ed76/fabric_tpa/gitolite.py) was produced to
+basically do the following:
+
+ 1. check if all on-disk repositories are listed in `gitolite.conf`
+    (and vice versa) and either add missing repositories or delete
+    them from disk if garbage
+ 2. for each repository in `gitolite.conf`, if its category is marked
+    `Migrated to GitLab`, skip, otherwise;
+ 3. find a matching GitLab project by name, prompt the user for
+    multiple matches
+ 4. if a match is found, redirect if the repository is non-empty 
+    * we have GitLab projects that *look* like the real thing, but are
+    only present to host migrated Trac issues
+    * in such cases we cloned the Gitolite project locally and pushed
+    to the existing repository instead
+ 5. otherwise, a new repository is created in the `legacy/gitolite`
+    namespace, using the "import" mechanism in GitLab to automatically
+    import the repository from Gitolite, creating redirections and
+    updating `gitolite.conf` to document the change
+
+User repositories (those under the `user/` directory in Gitolite) were
+handled specially. First, the existing redirection map was checked to
+see if a similarly named project was migrated (so that,
+e.g. `user/dgoulet/tor` is properly treated as a fork of
+`tpo/core/tor`). Then the parent project was forked in GitLab and the
+Gitolite project force-pushed to the fork. This allows us to show the
+fork relationship in GitLab and, more importantly, benefit from the
+"pool" feature in GitLab which deduplicates disk usage between forks.
+
+Sometimes, we found no such relationships. Then we simply imported
+multiple repositories with similar names in the `legacy/gitolite`
+namespace, sometimes creating forks between user repositories, on a
+first-come-first-served basis from the `gitolite.conf` order.
+
+The code used in this migration is now available publicly. We
+encourage other groups planning to migrate from Gitolite/GitWeb to
+GitLab to use (and contribute to) our [fabric-tasks](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/) repository,
+even though it does have its fair share of hard-coded assertions. 
+
+The main entry point is the `gitolite.mass-repos-migration` task. A
+typical migration job looked like:
+

(fichier de différences tronqué)
kobo wikipedia hacking
diff --git a/hardware/tablet/kobo-clara-hd.md b/hardware/tablet/kobo-clara-hd.md
index 1decbdad..eab362df 100644
--- a/hardware/tablet/kobo-clara-hd.md
+++ b/hardware/tablet/kobo-clara-hd.md
@@ -206,6 +206,18 @@ decided *not* to do here because my time is precious:
  * using calibre to generate e-books based on RSS feeds (yes, I did
    that, and yes, it was pretty bad and almost useless)
  * [SSH support][]: builtin to koreader
+ * offline Wikipedia support: incredibly, 512GiB micro-SD cards are a
+   thing now, so all of Wikipedia could fit on a Kobo... Koreader has
+   [Wikipedia support](https://github.com/koreader/koreader/wiki/Wikipedia-support) but cannot [work offline](https://github.com/koreader/koreader/issues/2333), although
+   there's a [PR to add a plugin that works on a SQLite database
+   converted from ZIM files](https://github.com/koreader/koreader/pull/9534). I've also found [hacks to make it
+   work again on Nickel](https://phire.cc/Offline-Wikipedia-on-the-Kobo.html) ([another](https://a3nm.net/blog/kobo_glo_hacking.html)). But also, Kobo forcibly
+   forces the `vfat` filesystem type for `/mnt/onboard`, so it's
+   actually impossible to write the full Wikipedia archives, as FAT
+   filesystems are limited to 4GB files. I tried patching that out of
+   `/etc/init.d/rcS` but failed. The workaround typically used is to
+   make another filesystem and add an extra init command to mount it
+   at boot, and write files there.
 
 Now maybe I'll have time to actually read a book...
 

another charger
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index e0992c51..94e7a168 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -379,6 +379,12 @@ reddit](https://old.reddit.com/r/UsbCHardware/comments/161t5d4/absolutely_smalle
 It's not small enough to beat the Sharge as a daily driver, but if I
 find it too bulky / heavy, maybe I'll indulge.
 
+### Others
+
+Russell Coker [bought](https://etbe.coker.com.au/2024/04/29/usb-psus/) [this device from Ali Express](https://www.aliexpress.com/item/1005006105371654.html) which is
+not quite in the same range of things as the above, but could serve
+well as a home charger.
+
 ## USB testers
 
 Now that a USB cable isn't a simple 5V electric signal, cables and

another zfs thing
diff --git a/software/zfs.md b/software/zfs.md
index 4c8aaf6e..76ea279f 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -282,6 +282,10 @@ It has a setup command to initialize a configuration, example setup:
 There is no official Debian package but upstream has a [debian source
 package](https://github.com/Gregy/znapzend-debian). It is written in Perl.
 
+### zelta
+
+[zelta](https://github.com/bellhyve/zelta) is written in Awk. Incomplete, ran with [zfsnap](https://github.com/zfsnap/zfsnap).
+
 ### Other DIY solutions
 
 twb (`#debian-til`) wrote [cyber-zfs-backup](https://github.com/cyberitsolutions/cyber-zfs-backup). It's short (~300

sway's autotiler now in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index eed45781..931a957e 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -1465,7 +1465,7 @@ There's a lot of improvements Sway could bring over using plain
 i3. There are pretty neat auto-tilers that could replicate the
 configurations I used to have in Xmonad or Awesome, see:
 
- * [autotiling][]
+ * [autotiling][] (now in Debian)
  * [swaymonad][]
 
 [autotiling]: https://github.com/nwg-piotr/autotiling

new greetd extension landed in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 287598d2..eed45781 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -496,15 +496,17 @@ Possible alternatives:
 
  * [lightdm elephant greeter][] (I tried [[!debpkg slick-greeter]] and
    [[!debpkg ukui-greeter]], neither could start the Sway session)
- * [greetd][] and [QtGreet][] (former in Debian, not latter, which
-   means we're stuck with the weird [agreety](https://manpages.debian.org/agreety) which doesn't work at
-   all)
+ * [greetd][], [tuigreet][] (in Debian) and [QtGreet][] (not in
+   Debian), tested [agreety][] (part of greetd) but it didn't work at
+   all
  * [sddm][]: KDE's default, in Debian, probably heavier or as heavy as
    gdm3
 
 [lightdm elephant greeter]: https://github.com/max-moser/lightdm-elephant-greeter
 [greetd]: https://sr.ht/~kennylevinsen/greetd/
 [QtGreet]: https://gitlab.com/marcusbritanicus/QtGreet
+[tuigreet]: https://github.com/apognu/tuigreet
+[agreety]: https://manpages.debian.org/agreety
 [sddm]: https://github.com/sddm/sddm
 
 ## Terminal: xterm → foot
@@ -983,9 +985,9 @@ how many things you were using are tightly bound to X.
    programs, basically)
 
  * notifications: previously [dunst][] in some places, which works
-   well in both Xorg and Wayland, not a blocker, [fnott][] ([not in
-   Debian](https://bugs.debian.org/997020)), [salut][] (not in Debian) possible alternatives:
-   damjan [uses mako][]. Eventually migrated to [sway-nc][].
+   well in both Xorg and Wayland, not a blocker, [fnott][], [salut][]
+   (not in Debian) possible alternatives: damjan [uses
+   mako][]. Eventually migrated to [sway-nc][].
 
  * notification area: I had trouble making `nm-applet` work. based on
    [this nm-applet.service][], I found that you need to pass `--indicator`.  In

yet another sync client
diff --git a/blog/2021-11-21-mbsync-vs-offlineimap.md b/blog/2021-11-21-mbsync-vs-offlineimap.md
index d4b29a30..5222390f 100644
--- a/blog/2021-11-21-mbsync-vs-offlineimap.md
+++ b/blog/2021-11-21-mbsync-vs-offlineimap.md
@@ -1062,6 +1062,9 @@ Those are all the options I have considered, in alphabetical order
    mentions UUCP in the manpage, mentions `rsmtp` which is a nice name
    for `rsendmail`. not evaluated because it seems awfully complex to
    setup, Haskell
+ * [neverest](https://git.sr.ht/~soywod/neverest-cli): rust, IMAP/Maildir/Notmuch sync, filters, lacks
+   client TLS support, see [comparison](https://pimalaya.org/neverest/cli/latest/faq.html), layout [incompatible with
+   mbsync](https://todo.sr.ht/~soywod/pimalaya/196), [unclear if it supports IDLE/notify](https://todo.sr.ht/~soywod/pimalaya/162#event-346614)
  * [nncp](http://www.nncpgo.org/): treat the local spool as another mail server, not really
    compatible with my "multiple clients" setup, Golang
  * [offlineimap3](https://github.com/OfflineIMAP/offlineimap3): requires IMAP, used the py2 version in the past,

some research on keyboards
diff --git a/hardware/keyboard.mdwn b/hardware/keyboard.mdwn
index 515b4639..e4dbbfef 100644
--- a/hardware/keyboard.mdwn
+++ b/hardware/keyboard.mdwn
@@ -376,6 +376,25 @@ feedback, trackballs.
 This is a pretty TKL keyboard, the [Multics](https://vortexgear.store/en-ca/products/multix?variant=43056025993379). Not sure about the Fn
 key on the right though.
 
+# Mini / travel keyboards
+
+Those are useful for the media station or traveling on the road with a
+phone or tablet.
+
+ * [Voyager](https://www.zsa.io/voyager), from the moonlander folks, a bit big, "ergonomic" (so
+   columnar, split layout, unusual keys), expensive (365$USD+)
+
+ * [rii](http://www.riitek.com/product/214.html): bluetooth, tiny keyboard, mostly for thumbs, media
+   server, cheap-ish (25$) but proprietary battery
+
+ * [adafruit mini keyboard](https://www.adafruit.com/product/3601): 13$ but no mouse, back ordered, really
+   tiny, looks like [this keyboard](https://gromaudio.com/store/accessories/keyboard-k-wbtk3.html)
+
+ * [iclever bk08](https://office.iclever.com/products/BK08-Portable-Tri-folding-Bluetooth-Keyboard-with-Touchpad): foldable keyboard, 60$
+ 
+ * [rk925](https://rkgamingstores.com/products/rk925-foldable-mechanical-keyboard): foldable keyboard, but feels in the wrong direction,
+   maybe a bit too small? 112$
+
 # Reviews
 
 * [rtings](https://www.rtings.com/keyboard) has a keyboards section

fix link to other emacs article, thanks reader!
diff --git a/blog/2022-03-20-20-years-emacs.md b/blog/2022-03-20-20-years-emacs.md
index 37757d33..a7649c61 100644
--- a/blog/2022-03-20-20-years-emacs.md
+++ b/blog/2022-03-20-20-years-emacs.md
@@ -1,6 +1,6 @@
 [[!meta title="20+ years of Emacs"]]
 
-I enjoyed reading [this article named "22 years of Emacs"](https://arjenwiersma.nl/writeups/emacs/22-years-of-emacs/)
+I enjoyed reading [this article named "22 years of Emacs"](https://arjenwiersma.nl/posts/22-years-of-emacs/)
 recently. It's kind of fascinating, because I realised I don't exactly
 know for how long I've been using Emacs. It's lost in the mists of
 [[history|blog/2012-11-01-my-short-computing-history]]. If I would

document sleeves and cases
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 66ed3b07..0a083c6a 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2079,6 +2079,18 @@ USB-C|blog/2023-02-10-usb-c]]. I'm considering a Dell
  * [logitech dongle hider with USB-A output](https://github.com/LeoDJ/FW-EC-DongleHiderPlus)
 * check out [this forum category](https://community.frame.work/c/developer-program/expansion-card/90) for a cornucopia of those
 
+## Sleeves and cases
+
+I carry the 13" Framework laptop in a [tomtoc Defender A13
+sleeve](https://www.tomtoc.com/products/tomtoc-a13-versatile-laptop-sleeve-for-13-5-inch-microsoft-surface-laptop-navy-blue). It's a nice soft sleeve with a pocket where I fit all the
+expansion cards and a power supply. There's a [pretty long thread
+about carrying bags and sleeves](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763) where I [participated](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763/115?u=anarcat) (and,
+you'll notice, bought another Timbuk sleeve I didn't like so much.
+
+In retrospect, I might consider buying a hard shell next time. The
+Smatree 13.5 looks pretty cool, but it's [not clear if it actually
+fits](https://community.frame.work/t/hard-case-compatibility/13016/4?u=anarcat). [This one comment points at one case that does fit](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763/131?u=anarcat)
+
 ## Upstream resources
 
  * [community forum](https://community.frame.work/), lots of information, much support, wow!

framework BIOS update fail
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index f7cc84f7..66ed3b07 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -940,6 +940,15 @@ can be deployed through LVFS with:
 Those instructions come from the [beta forum post](https://community.frame.work/t/12th-gen-intel-core-bios-3-06-beta/25726). I performed the
 BIOS update on 2023-01-16T16:00-0500.
 
+Update: more than a year later, that update never came out of
+beta. Worse, they published a new update (3.08) including security fixes, but
+only for Windows. See [this very long thread on the forum](https://community.frame.work/t/12th-gen-intel-core-bios-3-08-release/43244), [my
+comment](https://community.frame.work/t/12th-gen-intel-core-bios-3-08-release/43244/329?u=anarcat), and [this Ars article](https://arstechnica.com/gadgets/2024/04/frameworks-software-and-firmware-have-been-a-mess-but-its-working-on-them/).
+
+I have filed a formal complaint with support, threatening a refund, as
+I find it simply unacceptable that they just drop support for Linux
+like this.
+
 ## Resolution tweaks
 
 The Framework laptop resolution (2256px X 1504px) is big enough to

calibre can't do flat
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index 63e43524..e2ae6e5e 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -561,6 +561,53 @@ until we're satisfied.
 
 Or we can just keep using Calibre.
 
+Another big problem I have with Calibre right now is that it enforces
+this `Author/Title/Title.epub` folder structure which is really
+*heavy* and annoying. It feels like iTunes. I have 355 authors in my
+collection here and 952 books (or at least 952 second-level folders),
+so the Author/Title distinction is really not helping much: a flat
+hierarchy of `Author - Title.epub` would really work just as well, and
+would make the book collection much easier to browse using standard
+tools (e.g. Koreader would render it much more nicely).
+
+Compare, for example, before:
+
+[[!img snap-20240415T135134.png]]
+
+and after flatting:
+
+[[!img snap-20240415T135538.png]]
+
+Now, I cheated a little bit there as I don't show the other Ada Palmer
+books, for which Koreader somehow can't generate a cover for (which is
+a problem!) and I deleted the `cover.jpg` that Calibre adds everywhere
+which would otherwise double the listings everywhere. (But I'm
+considering ditching those files anyways, since they clutter
+everything and needlessly inflate the library.)
+
+But this is something the Calibre author has been [completely
+inflexible](https://manual.calibre-ebook.com/faq.html#why-doesn-t-calibre-let-me-store-books-in-my-own-folder-structure) on since basically forever:
+
+> If you are still not convinced, then I’m afraid calibre is not for
+> you. Look elsewhere for your book cataloguing needs. Just so we’re
+> clear, this is not going to change. Kindly do not contact us in an
+> attempt to get us to change this.
+
+... which is a recurring pattern of "my way or the highway" with this
+software. Totally within their right of course, but exactly the kind
+of things that make me want to look elsewhere.
+
+In any case, if we're going to ditch Calibre, this would be the
+procedure:
+
+    rm */*/cover.jpg # remove all covers
+    # rename all actual book files without the directories, keeping extension
+    rename 's,([^/]*)/([^/]*)/.*-.*(\....),$1 - $2$3,' */*/*
+    # rename remaining files, should just be metadata.opf
+    rename 's,([^/]*)/([^/]*)/metadata.opf,$1 - $2.opf,' */*/*
+    # remove empty directories, if this fails, we forgot some
+    rmdir */*
+
 [work Peter Keel did]: https://seegras.discordia.ch/Blog/life-with-calibre/
 [epub-tools]: https://sourceforge.net/projects/ebook-tools/
 [Thunar]: https://docs.xfce.org/xfce/thunar/start
diff --git a/software/desktop/calibre/snap-20240415T135134.png b/software/desktop/calibre/snap-20240415T135134.png
new file mode 100644
index 00000000..e5f2e845
Binary files /dev/null and b/software/desktop/calibre/snap-20240415T135134.png differ
diff --git a/software/desktop/calibre/snap-20240415T135538.png b/software/desktop/calibre/snap-20240415T135538.png
new file mode 100644
index 00000000..2bba3b43
Binary files /dev/null and b/software/desktop/calibre/snap-20240415T135538.png differ

new package in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index affe47f1..287598d2 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -848,8 +848,8 @@ although it's not clear to me what its purpose is...
 I'm a heavy user of [maim][] (and a package uploader in Debian). It
 looks like the direct replacement to maim (and [slop][]) is [grim][]
 (and [slurp][]). There's also [swappy][] which goes on *top* of grim
-and allows preview/edit of the resulting image, nice touch (not in
-Debian though).
+and allows preview/edit of the resulting image, nice touch (in Debian
+since Trixie).
 
 See also [awesome-wayland screenshots][] for other alternatives:
 there are many, including X11 tools like [Flameshot][] that also

hid thing not fixed
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index e9a3cd5c..f7cc84f7 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -500,7 +500,10 @@ Note that there's another solution flying around that fixes this by
 that or seen confirmation it works.
 
 Update: it seems like this issue [has been fixed in newer kernels](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/103)
-([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still works.
+([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still
+works. Worse, I *thought* it was fixed, but then it wasn't: I think I
+forgot to run `depmod -a`, because at some point my <kbd>fn lock</kbd>
+key broke...
 
 ### Kill switches
 

linux fixed the framework brightness button issue!
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 18868775..e9a3cd5c 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -243,7 +243,7 @@ the laptop.
    are much less affordable (700$+)
 
  * the 12th gen has compatibility issues with Debian, followup in the
-   [DebianOn page](https://wiki.debian.org/InstallingDebianOn/FrameWork/12thGen), but basically: [brightness hotkeys](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/6), [power
+   [DebianOn page](https://wiki.debian.org/InstallingDebianOn/FrameWork/12thGen), but basically: [brightness hotkeys](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/6) (fixed!), [power
    management](https://community.frame.work/t/12th-gen-power-management-on-linux/21330), [wifi](https://community.frame.work/t/debian-11-gen12th-wifi-working/21799), the webcam is okay even though the
    chipset is the [infamous alder lake](https://www.phoronix.com/news/Greg-KH-No-ADL-Webcam-Laptop) because it [does not have
    the fancy camera](https://www.phoronix.com/forums/forum/linux-graphics-x-org-drivers/intel-linux/1340695-greg-kh-recommends-avoiding-alder-lake-laptops-intel-webcam-linux-driver-long-ways-out?p=1340968#post1340968); most issues currently seem solvable, and
@@ -499,6 +499,9 @@ Note that there's another solution flying around that fixes this by
 [changing permissions on the input device](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/24?u=anarcat) but I haven't tested
 that or seen confirmation it works.
 
+Update: it seems like this issue [has been fixed in newer kernels](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/103)
+([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still works.
+
 ### Kill switches
 
 The Framework has two "[kill switches](https://en.wikipedia.org/wiki/Kill_switch)": one for the camera and the

usb-c status updates
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 556c045e..e0992c51 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -104,9 +104,14 @@ Sharge, ZMI all within 1.5mm of each other) by only 4mm for depth, so
 maybe not worth it? Interestingly, it's not much lighter than the
 travel-friendly Oneworld.
 
-The Sharge is my current "left in my bag" driver, even though it's
+### Current picks
+
+The Sharge is my current "every day carry" driver, even though it's
 heavier than the TOFU, because the latter is a little too bulky (one
-of the largest by volume).
+of the largest by volume). I do bring the TOFU and/or the Oneworld on
+trips however, especially the TOFU for conferences and the Oneworld
+for hotel rooms (and having *both* means I can leave the latter in the
+hotel room!).
 
 ### Sharge
 
@@ -492,7 +497,7 @@ Also: [this post from Big Mess Of Wires](https://www.bigmessowires.com/2019/05/1
 *anything* might work at all. It's where I had the Cable Matters
 reference however...
 
-Update: I ordered a [this dock from Cable Matters](https://www.cablematters.com/pc-1054-127-usb-c-docking-station-with-dual-4k-hdmi-and-80w-charging-for-windows-computers.aspx) [from Amazon](https://www.amazon.ca/dp/B07PFFN219)
+Update (2023-02-22): I ordered a [this dock from Cable Matters](https://www.cablematters.com/pc-1054-127-usb-c-docking-station-with-dual-4k-hdmi-and-80w-charging-for-windows-computers.aspx) [from Amazon](https://www.amazon.ca/dp/B07PFFN219)
 (reluctantly). It promises “Linux” support and checked all the boxes
 for me (4x USB-A, audio, network, 2xHDMI).
 
@@ -509,16 +514,35 @@ fun. I suspect foul play inside Sway.
 And yeah, those things are costly! This one goes for 300$ a pop, not
 great.
 
-Update 2: Cable Matters support responded by simply giving me this
+Update (2023-02-27): Cable Matters support responded by simply giving me this
 hack that solved it at least for now. Just reverse the USB-C cable,
 and poof, everything works. *Magic*.
 
-Update 3: turns out that was overly optimistic. It seems the problem
+Update (2023-05-10): turns out that was overly optimistic. It seems the problem
 actually resides in Sway, because when it happens (and it still does),
 logging out fixes the issue: GDM3 takes over and reinitializes the
 monitors properly. Then Sway can do its thing when I log back in
 again.
 
+Update (2024-04-13): I have since then returned the dock to Cable
+Matters who have been gracious enough to do a RMA (although I paid for
+shipping). I have now a USB-C twin-[[hardware/monitor]] setup that
+works really well, but the reason for that is that I downgraded Sway
+to the version in stable. It seems like there was some impedance
+mismatch there, and I was rather distressed to find out I still had
+the bugs with the shiny new monitors. So, I guess I'm sorry for the
+Cable Matters folks, their dock was fine after all...
+
+### Current status
+
+I'm using the USB-C docks built-in my [[hardware/monitor]]s, two [Dell
+U2723QE][]. The first monitor's USB ports are completely full, so I
+daisy-chained to the second monitor and, amazingly, that all works
+over a single USB-C cable. The only annoyance is that USB-C cable is
+rather short, so it's not as neatly tucked in as it should ne.
+
+[Dell U2723QE]: https://www.dell.com/en-ca/shop/cty/apd/210-bdpf
+
 ## Power banks
 
 This has been spun out in another page, see [[hardware/battery]].

improve tok
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 87effe79..556c045e 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -3,7 +3,7 @@
 Dear lazy web, help me pick the right hardware to make my shiny new
 laptop work better. I want a new USB-C dock and travel power supply.
 
-[[!toc]]
+[[!toc levels=3]]
 
 # Background
 

review USB testers
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 744c78c0..87effe79 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -374,6 +374,61 @@ reddit](https://old.reddit.com/r/UsbCHardware/comments/161t5d4/absolutely_smalle
 It's not small enough to beat the Sharge as a daily driver, but if I
 find it too bulky / heavy, maybe I'll indulge.
 
+## USB testers
+
+Now that a USB cable isn't a simple 5V electric signal, cables and
+chargers matter. A lot. A given cable might not be able to deliver the
+power you need, and it is far from clear which part of the connection
+is to blame, as it could be the charger, the cable, or the charged
+device.
+
+So there are now testers for this. They typically will show you
+voltage and amperage, but can also show wattage, mAh or Wh, and the
+best ones will also show the resistance of the cable alongside the
+protocol negotiated.
+
+We're looking for:
+
+ * voltmeter
+ * anmeter
+ * protocol detection (power delivery, etc)
+ * USB-C in/out (to test USB-C power supplies and cables)
+
+Ideally:
+
+ * wattmeter (yes, i know that's the product of voltage and amperage)
+ * thunderbolt 3, PD 3.1 detection and triggers
+ * USB-A output (to test charging micro-USB devices)
+ * USB-A and micro-USB input (to test old chargers and cables)
+ * e-marker detection
+ * resistance measurement
+
+Other things that those devices can check I care less about:
+
+ * device temperature
+ * "DASH" cable compatibility
+ * Bluetooth support to send results to a phone
+
+The Firefox people have been [running power usage tests](https://github.com/fqueze/usb-power-profiling) with those
+devices, by connecting them to another computer and checking how code
+changes affect power usage. I'm using their list as a basis for
+devices that are not total junk from the "weird internet market place"
+thing.
+
+ * [FNIRSI FNB58](https://www.amazon.com/FNIRSI-Multimeter-Bluetooth-Detection-Measurement/dp/B0BJ253W31): almost has it all, only missing PD 3.1, 50-60$
+   depending on Bluetooth support
+ * [ChargerLAB Power-Z KT002](https://www.amazon.com/ChargerLAB-Power-Z-Voltage-Current-Capacity/dp/B092R533WV?m=A31UM8SRXYVF2Z): everything but micro-USB PD 3.1
+   test, 50$... frustratingly, they have another device (KM002C) that
+   *does* support PD 3.1, but it lacks USB-A/micro USB and cable
+   resistance, and it's *way* more expensive ([100+$ at amazon](https://www.amazon.ca/Charging-Motherboard-Voltmeter-Detector-Accessories/dp/B0CYPG26D2))
+ * AVHzY has a bunch, but those are rather hard to figure out and more
+   expensive, like the [CT3](https://www.aliexpress.com/item/4001280718072.html#nav-specification) is 85CAD, but the [TC66](https://www.aliexpress.com/item/1005006261935936.html?algo_exp_id=b5cf4a97-54ca-42fb-b882-66ad45f33749-0&pdp_npi=4%40dis%21CAD%2132.21%2121.01%21%21%2123.01%2115.01%21%402103249617129781964942450eeb8f%2112000036514751945%21sea%21CA%210%21AB&curPageLogUid=6meoFWJIqWLV&utparam-url=scene%3Asearch%7Cquery_from%3A) is
+   ... 20$!
+ * [ATORCH ACD15P](https://www.aliexpress.com/item/1005005674681544.html): *everything* but USB PD 3.1 (including
+   alligator clips for testing other batteries which is a nice touch),
+   23$
+ * [WITRN C5](https://www.aliexpress.com/item/1005006194408105.html): everything including PD 3.1, but only USB-C, 80$
+
 ## USB Docks
 
 Specification: 

add mikrotik to list of routers, cross-ref with wifi page since i looked there first
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 2cd2c452..4ba4e616 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -315,8 +315,15 @@ router](https://openwrt.org/toh/views/toh_sfp_ports). The [MicroTik hAP ac](http
    SATA PCIe](https://www.supermicro.com/en/products/system/iot/mini-itx/sys-e200-12d-4c), a bit overkill, and not enough ports to act as a
    switch
  * Protectli has interesting series, e.g. [4x2.5gbit switch + wifi](https://ca.protectli.com/product/fw4c/)
-   and coreboot, but no SFP
+   and coreboot, but no SFP (that's what we ended up going with here)
  * Qotom has a [4xSFP+ 5x2.5gbit beast](https://www.qotom.net/product/RouterPC_Q20331G9S10.html), but no wifi
+ * Mikrotik has sturdy routers and switches, the latter are often
+   locked in their proprietary hardware, but their routers are a
+   little better, e.g. [noodles](https://www.earth.li/~noodles/) says he uses a [mikrotik
+   RB5009](https://mikrotik.com/product/rb5009ug_s_in) in [this blog post about DNS](https://www.earth.li/~noodles/blog/2024/04/backup-internet-rdns.html), but, surprisingly, i
+   don't see *any* Mikrotik entry in [InstallingDebianOn](https://wiki.debian.org/InstallingDebianOn). in [this
+   post](https://www.earth.li/~noodles/blog/2022/02/yak-shaving-internet.html) noodles says the mikrotik run mainline, so that's really
+   encouraging
 
 One option is to move the Omnia to the office and replace the core
 router with something beefier, and add a new AP downstairs.
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index 4a763d6b..6232ace0 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -384,6 +384,8 @@ Notes:
    protectli or the switch, depending on arrivals
  * [[hardware/rosa]] can serve as a replacement for the omnia if we
    don't want to get another U6
+ * this article previously had comparisons between various routers,
+   this is now in [[hardware/margaret]]
 
 Another build could be done with the Turris Mox:
 

another matrix thing
diff --git a/blog/2022-06-17-matrix-notes.md b/blog/2022-06-17-matrix-notes.md
index a2483dad..2b5bec2d 100644
--- a/blog/2022-06-17-matrix-notes.md
+++ b/blog/2022-06-17-matrix-notes.md
@@ -881,6 +881,13 @@ One thing I haven't found an equivalent for is Debian's
 [MeetBot](https://wiki.debian.org/MeetBot). There's an [archive bot](https://github.com/russelldavies/matrix-archive) but it doesn't have topics
 or a meeting chair, or HTML logs.
 
+Update: it's not a bot but [progval/matrix2051](https://github.com/progval/matrix2051) is quite
+interesting for me, as a long-time IRC user: it's a homeserver gateway
+that presents itself as an IRC server. So you can treat Matrix as one
+big weird IRC server. Main limitation is DMs are basically broken, but
+lack of TLS also keeps it from being useful as a drop-in replacement
+for migrating an existing IRC network.
+
 ## Working on Matrix
 
 As a developer, I find Matrix kind of intimidating. The specification

wayland/latency notes
diff --git a/blog/2018-05-04-terminal-emulators-2.mdwn b/blog/2018-05-04-terminal-emulators-2.mdwn
index 6d246c17..18ac33d6 100644
--- a/blog/2018-05-04-terminal-emulators-2.mdwn
+++ b/blog/2018-05-04-terminal-emulators-2.mdwn
@@ -347,7 +347,7 @@ The above latency benchmarks were done with Typometer on X11 by
 [beuke.org](https://beuke.org/terminal-latency/). Their results are different on some points: xterm's
 maximum latency (9.8ms) is much higher than ours (2.4ms) which makes
 me think there's something wrong with their test bench. But other
-results (rxvt, st, Terminaor) are strickingly similar. One notable
+results (rxvt, st, Terminator) are strikingly similar. One notable
 change is how well Alacritty performs, probably because it improved in
 6 years since I ran those benchmarks.
 
@@ -356,4 +356,23 @@ under wayland and compare against foot. Right now it's really hard to
 tell, but I get the feeling Alacritty and xterm are pretty close, and
 that foot and gnome-terminal are slower.
 
+Update: 9 days later, just found out about [Ivan Molodetskikh VTE
+end-to-end tests](https://bxt.rs/blog/just-how-much-faster-are-the-gnome-46-terminals/) which show precisely how well VTE has improved
+over the years, to be on par with Alacritty (which, somehow, managed
+to become a reference after lagging behind). Excellent work! My only
+criticism is the article focuses exclusively on VTE but the author
+also made [other benchmarks](https://mastodon.online/@YaLTeR/110837121102628111) including of Foot, the terminal
+emulator I'm currently using now and that I was, above, feeling
+slower, but that tests show is the *fastest* on the block, which is
+really nice to hear.
+
+They also made [compositor tests](https://mastodon.online/@YaLTeR/110848066454900941) which show Sway (~12ms) is ahead
+of Mutter (~14ms, GNOME's simplest compositor), itself ahead of normal
+GNOME (~16ms). Only X11/i3 goes below the 10ms mark there, which is a
+bit depressing, but the author is quick to point out that "work to add
+tearing flips to kernel and Wayland is ongoing".
+
+Oh, and they don't test Emacs in their editors, arguing it lacks a
+good editor, ha ha.
+
 [[!tag debian-planet lwn geek review terminals performance]]
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 5ebad3cc..affe47f1 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -185,6 +185,7 @@ Other options include:
  * [Hyprland][]: tiling, fancy animations, not in Debian ([1040971][])
  * [Qtile][]: tiling, extensible, in Python, not in Debian ([1015267][])
  * [river][]: Zig, stackable, tagging, not in Debian  ([1006593][])
+ * [smithay][], and many derivatives: Rust, not in Debian
  * [velox][]: inspired by xmonad and dwm, not in Debian
  * [vivarium][]: inspired by xmonad, not in Debian
  * [wlmaker][]: inspired by Window Maker, not in Debian
@@ -208,6 +209,7 @@ Other options include:
 [hikari]: https://hikari.acmelabs.space/
 [1040971]: https://bugs.debian.org/1040971
 [wlmaker]: https://github.com/phkaeser/wlmaker
+[smithay]: https://github.com/Smithay/smithay
 
 ## Status bar: py3status → waybar
 

add pcpartspicker
diff --git a/hardware/battery.md b/hardware/battery.md
index 1ba325c1..73e8d25b 100644
--- a/hardware/battery.md
+++ b/hardware/battery.md
@@ -258,6 +258,11 @@ fluctuates between 60 and 80 watts, with about 50 minutes of standby time.
   * spare batteries: <https://www.upsbatterycenter.ca/>
   * how to pick a UPS (TL;DR: VA = 1.6*W): <https://www.howtogeek.com/161479/how-to-select-a-battery-backup-for-your-computer/>
 
+See also [pc parts picker](https://ca.pcpartpicker.com/products/ups/) for this, cheapest rack-mount 1500KVA
+UPS seems to be the [cyberpower CPS1500AVR](https://ca.pcpartpicker.com/product/wWX2FT/cyberpower-ups-cps1500avr) at 585$CAD at the time
+of writing, but at that price you don't even get an LCD, for that you
+need [640$](https://ca.pcpartpicker.com/product/JKZ2FT/cyberpower-ups-or1500lcdrt2u).
+
 ## Actual hardware
 
 I ended up ordering this from Amazon (yes, I know):

more tls docs
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 915310e0..bb8dc235 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -903,6 +903,11 @@ Create basic directories and files:
     mkdir private certs req newcerts
     echo 00 > serial
 
+We don't have a serial `crlnumber` but if we would, we would start
+with:
+
+    printf 00 > crlnumber
+
 Generate the CA secret key:
 
     openssl genpkey -algorithm ed25519 -out private/cakey.pem -aes256
@@ -945,13 +950,21 @@ Copy the CSR and CRT files to the CA server and sign the request with:
 
     openssl ca -days 365 -in req/test.anarc.at.csr -out certs/test.anarc.at.crt
 
-Alternatively, this can be done without the CA, with the lower-level
-`x509` command:
+... from [this guide](https://pub.nethence.com/security/sslhappy-ca). Alternatively, this can be done without the
+CA, with the lower-level `x509` command:
 
     openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
+The cert can be checked with:
+
+    openssl x509 -text < certs/angela.anarc.at.crt
+
+... and:
+
+    openssl verify -CAfile cacrt.pem  certs/angela.anarc.at.crt
+
 Generate the CRL file, currently just the cert because we haven't
 revoked anything yet:
 
@@ -1059,9 +1072,11 @@ Turn up the logging level on the client:
 
 ### Dovecot configuration
 
-https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication
+The [dovecot SSL configuration docs](https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication) are quite limited. So we're
+using [another guide](https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html) instead. The also have [limited SSL
+docs](https://doc.dovecot.org/admin_manual/ssl/certificate_creation/)...
 
-in `10-ssl.conf`:
+Enable TLS verification in `conf.d/10-ssl.conf`:
 
     ssl_ca = </etc/ssl/ca/cacrl.pem
     ssl_verify_client_cert = yes
@@ -1100,6 +1115,9 @@ Create `conf.d/auth-tls.conf.ext`:
        #override_fields = home=/home/virtual/%u
     }
 
+Note that the above uses the normal [user database](https://doc.dovecot.org/configuration_manual/authentication/user_database_extra_fields/#authentication-user-database-extra-fields) so the user
+need to exist on the system as well.
+
 Then include that in `conf.d/10-auth.conf`, and comment out the other includes:
 
     #!include auth-system.conf.ext
@@ -1150,6 +1168,9 @@ You can now test revocation with:
 And now the above `curl` command should fail. Notice how dovecot needs
 a kick after revocation, a `reload` might be sufficient as well.
 
+[Another guide](https://pub.nethence.com/mail/dovecot-clientcert) has instructions on how to disable TLS certs for
+some services, e.g. if Postfix would still require SASL auth.
+
 ### Adding a new satellite
 
 To add a new satellite to this setup, you need to generate a new key

use the openssl CA command to sign certs, duh
diff --git a/services/mail.mdwn b/services/mail.mdwn
index b8e1e734..915310e0 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -898,9 +898,10 @@ actually tried a configuration-file-less setup, but it breaks down
 when you start using the `openssl ca` command, necessary to revoke
 certificates.
 
-Create basic directories:
+Create basic directories and files:
 
-    mkdir private certs req
+    mkdir private certs req newcerts
+    echo 00 > serial
 
 Generate the CA secret key:
 
@@ -940,7 +941,12 @@ Create the CSR with:
 
     openssl req -key angela.anarc.at.key -out angela.anarc.at.csr -config openssl.cnf -new 
 
-Copy the CSR and CRT files to the CA server and sign those keys with:
+Copy the CSR and CRT files to the CA server and sign the request with:
+
+    openssl ca -days 365 -in req/test.anarc.at.csr -out certs/test.anarc.at.crt
+
+Alternatively, this can be done without the CA, with the lower-level
+`x509` command:
 
     openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
@@ -1179,9 +1185,9 @@ Then generate the private key and the CSR:
     openssl req -key client.key -out client.csr -config openssl.cnf -new
 
 Then copy that over to the CA in `/etc/ssl/ca/req/tubman.anarc.at.csr`
-and generate the cert:
+and sign the request:
 
-    openssl x509 -req -in req/tubman.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/tubman.anarc.at.crt
+    openssl ca -days 365 -in req/tubman.anarc.at.csr -out certs/tubman.anarc.at.crt
 
 Then regenerate the list of trusted certs:
 

migrated tubman
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 6eaa5356..b8e1e734 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -996,7 +996,7 @@ The certificates list is created with:
                 openssl pkey -pubin -outform DER |
                 openssl dgst -sha256 -c |
                 sed 's/.*= //'
-            )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+            )" $cert >> /etc/postfix/client-certs-fingerprints
     done
 
 And of course the map needs to be rehashed each time:
@@ -1144,7 +1144,69 @@ You can now test revocation with:
 And now the above `curl` command should fail. Notice how dovecot needs
 a kick after revocation, a `reload` might be sufficient as well.
 
-### Easy-RSA CA
+### Adding a new satellite
+
+To add a new satellite to this setup, you need to generate a new key
+on the client, and a CSR, based on the following config. Typically,
+you only need to do this for Postfix, so this can more easily be done
+in `/etc/postfix/x509` (and that is where Puppet configures Postfix to
+look for certs).
+
+This is how [[hardware/tubman]] was configured. First, make the
+directory:
+
+    mkdir /etc/postfix/x509
+    cd /etc/postfix/x509
+
+Then create `openssl.conf`:
+
+    [client-cert]
+    keyUsage = cRLSign, keyCertSign
+    extendedKeyUsage = clientAuth
+
+    [req]
+    distinguished_name = dn
+    prompt = no
+    x509_extensions = client-cert
+
+    [dn]
+    CN = tubman.anarc.at
+    emailAddress = tubman-mail
+
+Then generate the private key and the CSR:
+
+    openssl genpkey -algorithm ed25519 -out client.key
+    openssl req -key client.key -out client.csr -config openssl.cnf -new
+
+Then copy that over to the CA in `/etc/ssl/ca/req/tubman.anarc.at.csr`
+and generate the cert:
+
+    openssl x509 -req -in req/tubman.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/tubman.anarc.at.crt
+
+Then regenerate the list of trusted certs:
+
+    rm /etc/postfix/client-certs-fingerprints
+    for cert in certs/* ; do 
+        printf "%s %s\n" "$(
+            openssl x509 -in $cert -noout -pubkey |
+                openssl pkey -pubin -outform DER |
+                openssl dgst -sha256 -c |
+                sed 's/.*= //'
+            )" $cert >> /etc/postfix/client-certs-fingerprints
+    done
+    postmap /etc/postfix/client-certs-fingerprints
+
+Add the `profile::postfix::satellite` class to the node and it should
+be able to send mail. Test with:
+
+    mail -s test anarcat@example.com < /dev/null
+
+### Easy-RSA CA notes
+
+I tested building a CA with easy-rsa but ended up not using it because
+my end goal is to do this in Puppet, so I couldn't rely on such a
+large third-party tool directly. Plus, I didn't think it supported
+ed25519 keys at first (it does though!).
 
 To get started with easy-rsa:
 
@@ -1235,9 +1297,8 @@ meaningful regression.
 
 ### Remaining work
 
- * TODO: expiration, switch to easyrsa fully?
+ * TODO: renewals, switch to easyrsa fully?
  * TODO: generate and distribute certs with Puppet
- * TOOD: migrate tubman to TLS
 
 ## Todo
 

benchmark
diff --git a/services/mail.mdwn b/services/mail.mdwn
index dfb7c6ba..6eaa5356 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1201,6 +1201,38 @@ configuration, with `permit_tls_all_clientcerts`, which leads me to
 think it *might* be possible to avoid listing all fingerprints. To be
 tested/confirmed.
 
+### Conversion effect on performance
+
+I have sampled the last ~100 `mbsync` runs, which is from April 08
+01:52:56 to April 09 14:42:37 (non-inclusively), with:
+
+    journalctl -u mbsync.service --user -n 1000 | grep Consumed | sed '/avr 09 14:42:37/,$d;s/.*Consumed //;s/s CPU time.//' > timings-over-ssh
+
+This gave me 132 samples:
+
+    $ wc -l timings-over-ssh
+    132 timings-over-ssh
+
+The average CPU usage was:
+
+    $ awk 'BEGIN { sum = 0; count = 0 } { sum += $1; count++ } END { print sum / count}' < timings-over-ssh
+    2.70843
+
+Things *seem* faster. The evidence is a bit anecdotal now, as I have
+only 4 samples, but there *is* already a clear reduction in CPU usage:
+
+    $ journalctl -u mbsync.service --user -n 1000 | grep Consumed | sed -n '/avr 09 14:42:37/,$p' | sed 's/.*Consumed //;s/s CPU time.//' | awk 'BEGIN { sum = 0; count = 0 } { sum += $1; count++ } END { print sum / count}'
+    2.1356
+
+This could be because the TLS key exchange is better optimized than
+SSH. And indeed, a casual look at the logs seem to suggest it was
+taking 4 seconds to sync before *and* after, so it could just be an
+accounting issue.
+
+Given that this work was done for security reasons and not
+optimization reasons, I'm satisfied with the results since there's no
+meaningful regression.
+
 ### Remaining work
 
  * TODO: expiration, switch to easyrsa fully?

add backwards compat postfix setting
diff --git a/services/mail.mdwn b/services/mail.mdwn
index d37d26c2..dfb7c6ba 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -968,6 +968,7 @@ After:
         -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
         -o milter_macro_daemon_name=ORIGINATING
         -o smtpd_tls_security_level=encrypt
+        -o smtpd_tls_fingerprint_digest=sha256
         -o smtpd_tls_ask_ccert=yes
         -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
         -o smtpd_relay_restrictions=permit_tls_clientcerts,reject

rebuild CA from scratch with a config file, working
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 05580640..d37d26c2 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -893,34 +893,24 @@ in [[blog/2016-05-12-email-setup]].
 
 ### Creating a self-signed ed25519 private CA
 
-    openssl genpkey -algorithm ed25519 -out ca.anarc.at.key -aes256
-    openssl req -new -key ca.anarc.at.key -out ca.anarc.at.csr -config ca.anarc.at.cnf
+We copied over the `/usr/lib/ssl/openssl.cnf` config file. We have
+actually tried a configuration-file-less setup, but it breaks down
+when you start using the `openssl ca` command, necessary to revoke
+certificates.
 
-RHEL [proposes](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#creating-a-private-ca-using-openssl_creating-and-managing-tls-keys-and-certificates):
+Create basic directories:
 
-    openssl req -key <ca.key> -new -x509 -days 3650 -addext keyUsage=critical,keyCertSign,cRLSign -subj "/CN=<Example CA>" -out <ca.crt>
+    mkdir private certs req
 
-cnf:
+Generate the CA secret key:
 
-    [req]
-    distinguished_name = req_distinguished_name
-    req_extensions = v3_req
-    prompt = no
-    [req_distinguished_name]
-    C = CA
-    CN = ca.anarc.at
-    [v3_req]
-    keyUsage = keyEncipherment, dataEncipherment
-    extendedKeyUsage = serverAuth
-    subjectAltName = @alt_names
-    [alt_names]
-    DNS.1 = ca.anarc.at
+    openssl genpkey -algorithm ed25519 -out private/cakey.pem -aes256
 
-Self-signed cert:
+ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
 
-    openssl x509 -req -days 365 -in ca.anarc.at.csr -signkey ca.anarc.at.key -out ca.anarc.at.crt
+Then generate a self-signed cert:
 
-ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
+    openssl req -subj "/CN=ca.anarc.at/" -key private/cakey.pem -out cacert.pem -new -x509 -days 3650 -reqexts v3_ca -config openssl.cnf
 
 Alternatives include OpenVPN's [easy-rsa](https://github.com/OpenVPN/easy-rsa/) and [cfssl](https://github.com/cloudflare/cfssl), which
 also has a [puppet module](https://forge.puppet.com/modules/mmack/cfssl/).
@@ -931,33 +921,36 @@ Then the client key is generated, *on the client*, again with (but without encry
 
     openssl genpkey -algorithm ed25519 -out angela.anarc.at.key
 
-CSR is a little special:
+The `openssl.cnf` file for the certificate request:
 
     [client-cert]
-    keyUsage = critical, digitalSignature, keyEncipherment
+    keyUsage = cRLSign, keyCertSign
     extendedKeyUsage = clientAuth
-    subjectAltName = @alt_name
 
     [req]
     distinguished_name = dn
     prompt = no
+    x509_extensions = client-cert
 
     [dn]
     CN = angela.anarc.at
-
-    [alt_name]
     emailAddress = anarcat
 
-But the CSR is created as expected:
+Create the CSR with:
 
-    openssl req -key angela.anarc.at.key -config angela.anarc.at.cnf -new -out angela.anarc.at.csr
+    openssl req -key angela.anarc.at.key -out angela.anarc.at.csr -config openssl.cnf -new 
 
 Copy the CSR and CRT files to the CA server and sign those keys with:
 
-    openssl x509 -req -in angela.anarc.at.csr -CA ca.anarc.at.crt -CAkey ca.anarc.at.key -days 365 -out angela.anarc.at.crt
+    openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
+Generate the CRL file, currently just the cert because we haven't
+revoked anything yet:
+
+    cp cacert.pem cacrl.pem
+
 ### Postfix server configuration
 
 Before:
@@ -980,23 +973,38 @@ After:
         -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
         -o relay_clientcerts=hash:/etc/postfix/client-certs-fingerprints
 
-We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) but that silly
-thing doesn't support certificate revocation, so it's impossible to
-remove client certificates. So we need to use the static list.
+We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) like this:
 
-The list is created with:
+        -o tls_append_default_CA=no
+        -o smtpd_tls_CAfile=/etc/ssl/ca/cacrl.pem
+        -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
+        -o smtpd_relay_restrictions=permit_tls_all_clientcerts,reject
 
-    printf "%s %s\n" "$(
-        openssl x509 -in angela.anarc.at.crt -noout -pubkey |
-            openssl pkey -pubin -outform DER |
-            openssl dgst -sha256 -c |
-            sed 's/.*= //'
-        )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+but that silly thing doesn't support certificate revocation: it looks
+like the CRL part of the `cacrl.pem` file is ignore. So it's
+impossible to remove client certificates, so we need to use the static
+list. An alternative is to use Dovecot 2.3 submission functionality,
+since the CRL works there.
+
+The certificates list is created with:
+
+    rm /etc/postfix/client-certs-fingerprints
+    for cert in certs/* ; do 
+        printf "%s %s\n" "$(
+            openssl x509 -in $cert -noout -pubkey |
+                openssl pkey -pubin -outform DER |
+                openssl dgst -sha256 -c |
+                sed 's/.*= //'
+            )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+    done
 
 And of course the map needs to be rehashed each time:
 
     postmap /etc/postfix/client-certs-fingerprints
 
+Note that this *does* include revoked certificates as well, so you
+kind of have to manually skip the bad certs. (TODO.)
+
 Then this should work:
 
     swaks --tls --tls-cert ~/.config/x509/angela.anarc.at2.crt --tls-key ~/.config/x509/angela.anarc.at.key -s marcos.anarc.at -t anarcat@torproject.org -p 587
@@ -1048,13 +1056,11 @@ https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-c
 
 in `10-ssl.conf`:
 
-    ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
+    ssl_ca = </etc/ssl/ca/cacrl.pem
     ssl_verify_client_cert = yes
     ssl_cert_username_field = email
     ssl_require_crl = yes
 
-TODO: CRL stuff
-
 Create `conf.d/auth-tls.conf.ext`:
 
     # Take the username from client's SSL certificate, using 
@@ -1107,13 +1113,13 @@ pretty fantastic.
 
 This can be tested with:
 
-    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert pki/issued/angela.anarc.at.crt -key pki/private/angela.anarc.at.key  -starttls imap -connect localhost:imap
+    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert angela.anarc.at.crt -key angela.anarc.at.key  -starttls imap -connect localhost:imap
 
 That will not actually do any IMAP query (although you *could* try
 `10 AUTHENTICATE EXTERNAL` to confirm login works). Better try the
 swiss-army-knife of everything:
 
-    curl --cert pki/issued/angela.anarc.at.crt --key pki/private/angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
+    curl --cert angela.anarc.at.crt --key angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
 
 This should list your folders. Use `-v` for more debugging if things fail.
 
@@ -1128,6 +1134,15 @@ To debug issues with TLS, turn on Dovecot's verbose logging in
 
     verbose_ssl = yes
 
+You can now test revocation with:
+
+    openssl ca -config openssl.cnf -revoke certs/angela.anarc.at.crt -gencrl > crl.pem
+    cat cacert.pem crl.pem > cacrl.pem
+    service dovecot restart
+
+And now the above `curl` command should fail. Notice how dovecot needs
+a kick after revocation, a `reload` might be sufficient as well.
+
 ### Easy-RSA CA
 
 To get started with easy-rsa:

made dovecot work
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 67000bb5..05580640 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -945,7 +945,7 @@ CSR is a little special:
     [dn]
     CN = angela.anarc.at
 
-    [clnt_alt_name]
+    [alt_name]
     emailAddress = anarcat
 
 But the CSR is created as expected:
@@ -1051,47 +1051,143 @@ in `10-ssl.conf`:
     ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
     ssl_verify_client_cert = yes
     ssl_cert_username_field = email
+    ssl_require_crl = yes
 
-in `10-auth.conf`:
+TODO: CRL stuff
 
-    auth_ssl_username_from_cert=yes
+Create `conf.d/auth-tls.conf.ext`:
 
-if we'd like to keep Postfix using passwords, we could do:
+    # Take the username from client's SSL certificate, using 
+    # X509_NAME_get_text_by_NID() which returns the subject's DN's
+    # CommonName. 
+    auth_ssl_username_from_cert = yes
+     
+    # Space separated list of wanted authentication mechanisms:
+    #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
+    #   gss-spnego
+    # NOTE: See also disable_plaintext_auth setting.
+    auth_mechanisms = plain login external
+
+    passdb {
+      driver = passwd-file
+      args = scheme=PLAIN username_format=%u /etc/dovecot/users-external
+
+      mechanisms = external
+     
+      override_fields = nopassword
+    }
+
+    userdb {
+       # <doc/wiki/AuthDatabase.Passwd.txt>
+       driver = passwd
+       # [blocking=no]
+       #args = 
+      
+       # Override fields from passwd
+       #override_fields = home=/home/virtual/%u
+    }
+
+Then include that in `conf.d/10-auth.conf`, and comment out the other includes:
+
+    #!include auth-system.conf.ext
+    !include auth-tls.conf.ext
+
+If we'd like to keep Postfix using passwords, we could do:
 
     protocol !smtp {
       auth_ssl_require_client_cert=yes
     }
 
-but since we're going to use TLS there too, that makes obviously no
-sense. Plus it gets rid of the weird SASL shim between the two, woot.
+... but since we're going to use TLS there too, that makes obviously
+no sense. Plus it gets rid of the weird SASL shim between the two,
+woot.
 
 During this deployment, SSH-based IMAP connexions still work, which is
 pretty fantastic.
 
-### Testing client connexion
+This can be tested with:
+
+    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert pki/issued/angela.anarc.at.crt -key pki/private/angela.anarc.at.key  -starttls imap -connect localhost:imap
 
-Not sure this is the correct way, but this *seems* to work in the
-sense that it loads the cert and tries to connect:
+That will not actually do any IMAP query (although you *could* try
+`10 AUTHENTICATE EXTERNAL` to confirm login works). Better try the
+swiss-army-knife of everything:
 
-    curl -v --cert ~/.config/x509/angela.anarc.at.crt --key ~/.config/x509/angela.anarc.at.key imaps://imap.anarc.at/
+    curl --cert pki/issued/angela.anarc.at.crt --key pki/private/angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
 
-Do use the `-v` flag, as it will show at which step it will fail. In
-my case, if fails *after* the client cert is accepted, which is
-interesting.
+This should list your folders. Use `-v` for more debugging if things fail.
 
-This currently fails in Dovecot with:
+At first, this was failing with:
 
     dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
 
-I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
-but that fails similarly. Since Postfix *does* work, it means the CA
-is operational and instead there is something wrong with the Dovecot
-configuration.
+... and that was because I was missing the `AUTH=EXTERNAL` option.
+
+To debug issues with TLS, turn on Dovecot's verbose logging in
+`conf.d/10-logging.conf`:
+
+    verbose_ssl = yes
+
+### Easy-RSA CA
+
+To get started with easy-rsa:
+
+    apt install easy-rsa
+    make-cadir easyrsa
+    ./easyrsa init-pki
+    
+To make a ED25519 CA, add those to `vars`:
+
+    set_var EASYRSA_ALGO ed
+    set_var EASYRSA_CURVE           ed25519
+
+Then:
+
+    ./easyrsa build-ca
+
+That prompts for a password then runs something like:
+
+    ["openssl", "req", "-config", "/etc/ssl/easyrsa/pki/5892315c/temp.4ff4e933", "-utf8", "-new", "-key", "/etc/ssl/easyrsa/pki/5892315c/temp.fa90dc32", "-keyout", "/etc/ssl/easyrsa/pki/5892315c/temp.fa90dc32", "-out", "/etc/ssl/easyrsa/pki/5892315c/temp.591dfebb", "-x509", "-days", "3650", "-sha256", "-passin", "file:/etc/ssl/easyrsa/pki/5892315c/temp.c5904947"],
+
+Interesting facts:
+
+ 1. it generates a key on the fly
+ 2. `-utf-8`
+ 3. `-x509`
+ 4. `-days 3650`
+
+A client cert can be created with:
+
+    ./easyrsa build-client-full angela.anarc.at
+
+To get the `emailAddress` field, the `vars` need to be modified to
+have:
+
+    set_var EASYRSA_DN      "org"
+    set_var EASYRSA_REQ_EMAIL       "anarcat"
+
+Then the [guide](https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html) mentions "exporting the combined CA+CRL" with:
+
+    ./easyrsa gen-crl
+
+That runs:
+
+    ["openssl", "ca", "-config", "/etc/ssl/easyrsa/pki/d1f80f21/temp.7ec4b8d2", "-utf8", "-gencrl", "-out", "/etc/ssl/easyrsa/pki/d1f80f21/temp.12bd618a"],
+
+... and generates `/etc/ssl/easyrsa/pki/crl.pem` but this is odd
+because the guide also says it generates a `pki/ca+crl.pem` file,
+which cannot be found. That can be fixed with:
+
+    cat /etc/ssl/easyrsa/pki/{ca.crt,crl.pem} > /etc/ssl/easyrsa/pki/ca+crl.pem
+
+Also, interestingly, it uses that `ca+crl.pem` file in the Postfix
+configuration, with `permit_tls_all_clientcerts`, which leads me to
+think it *might* be possible to avoid listing all fingerprints. To be
+tested/confirmed.
 
 ### Remaining work
 
- * TODO: fix dovecot
- * TODO: expiration
+ * TODO: expiration, switch to easyrsa fully?
  * TODO: generate and distribute certs with Puppet
  * TOOD: migrate tubman to TLS
 

progress update
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 43826ac2..67000bb5 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -679,6 +679,10 @@ This makes it so I do not need to use clear-text passwords to deliver
 or retrieve email which means everything can be fully automated
 without writing any password on disk.
 
+Update: I am abandoning this approach, as it requires exposing SSH to
+the universe, something I want to avoid now. Looking into [client
+certs](#client-certs) instead.
+
 # Spam filtering
 
 Quick notes on how to configure spam filtering with Spamassassin on
@@ -1080,7 +1084,16 @@ This currently fails in Dovecot with:
     dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
 
 I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
-but that fails similarly.
+but that fails similarly. Since Postfix *does* work, it means the CA
+is operational and instead there is something wrong with the Dovecot
+configuration.
+
+### Remaining work
+
+ * TODO: fix dovecot
+ * TODO: expiration
+ * TODO: generate and distribute certs with Puppet
+ * TOOD: migrate tubman to TLS
 
 ## Todo
 

move certs to system dir
diff --git a/services/mail.mdwn b/services/mail.mdwn
index deb20ac3..43826ac2 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1011,11 +1011,14 @@ Then we configure that transport as such:
 
     smtptlsc  unix  -       -       y       -       -       smtp
         -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
-        -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
-        -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
+        -o smtp_tls_cert_file=/etc/ssl/private/angela.anarc.at.crt
+        -o smtp_tls_key_file=/etc/ssl/private/angela.anarc.at.key
         -o smtp_tls_fingerprint_digest=sha256
         -o smtp_tls_security_level=secure
 
+The cert need to be copied in `/etc/ssl/private` and the key given to
+the `ssl-cert` group.
+
 Note that this is done in the `profile::postfix::satellite` class
 ([satellite.pp](https://gitlab.com/anarcat/puppet/-/blob/main/site-modules/profile/manifests/postfix/satellite.pp?ref_type=heads)) and the above configuration might be out of
 date. Also note that we use the whole `smtp_tls_CAfile` instead of the

fix server verification
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 6a45d507..deb20ac3 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1010,14 +1010,30 @@ mechanisms (e.g. passwords):
 Then we configure that transport as such:
 
     smtptlsc  unix  -       -       y       -       -       smtp
-        -o smtp_tls_CApath=/etc/ssl/certs
+        -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
         -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
         -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
         -o smtp_tls_fingerprint_digest=sha256
-        -o smtp_tls_security_level=encrypt
+        -o smtp_tls_security_level=secure
 
-WARNING: the above is vulnerable to MITM attacks, as the
-`smtp_tls_security_level` is not `verify`.
+Note that this is done in the `profile::postfix::satellite` class
+([satellite.pp](https://gitlab.com/anarcat/puppet/-/blob/main/site-modules/profile/manifests/postfix/satellite.pp?ref_type=heads)) and the above configuration might be out of
+date. Also note that we use the whole `smtp_tls_CAfile` instead of the
+`CApath` because the latter doesn't work in the chroot.
+
+To test this, try to relay mail locally:
+
+    mail anarcat@example.com -s test < /dev/null
+
+Turn up the logging level on the client:
+
+    smtp_tls_loglevel=2
+
+... and the server:
+
+    smtpd_tls_loglevel=2
+
+... if you have issues.
 
 ### Dovecot configuration
 

working postfix TLS client configuration, incomplete
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 916a2bae..6a45d507 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -954,10 +954,70 @@ Copy the CSR and CRT files to the CA server and sign those keys with:
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
-### Next step: try Postfix
+### Postfix server configuration
 
-Dovecot is not collaborating, and we do not have a working
-example. Try again with Postfix, since we know that works on eugeni.
+Before:
+
+    submission inet  n       -       y       -       -       smtpd
+        -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
+        -o smtpd_tls_security_level=encrypt
+        -o smtpd_sasl_auth_enable=yes
+        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+        -o milter_macro_daemon_name=ORIGINATING
+
+After:
+
+    submission inet  n       -       y       -       -       smtpd
+        -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
+        -o milter_macro_daemon_name=ORIGINATING
+        -o smtpd_tls_security_level=encrypt
+        -o smtpd_tls_ask_ccert=yes
+        -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
+        -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
+        -o relay_clientcerts=hash:/etc/postfix/client-certs-fingerprints
+
+We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) but that silly
+thing doesn't support certificate revocation, so it's impossible to
+remove client certificates. So we need to use the static list.
+
+The list is created with:
+
+    printf "%s %s\n" "$(
+        openssl x509 -in angela.anarc.at.crt -noout -pubkey |
+            openssl pkey -pubin -outform DER |
+            openssl dgst -sha256 -c |
+            sed 's/.*= //'
+        )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+
+And of course the map needs to be rehashed each time:
+
+    postmap /etc/postfix/client-certs-fingerprints
+
+Then this should work:
+
+    swaks --tls --tls-cert ~/.config/x509/angela.anarc.at2.crt --tls-key ~/.config/x509/angela.anarc.at.key -s marcos.anarc.at -t anarcat@torproject.org -p 587
+
+### Postfix client configuration
+
+This is relatively simple. First, we create a new transport to
+encapsulate our configuration because we have *other* relays with
+either no client TLS authentication or different authentication
+mechanisms (e.g. passwords):
+
+    default_transport = smtptlsc:
+    relayhost = smtp.anarc.at:587
+
+Then we configure that transport as such:
+
+    smtptlsc  unix  -       -       y       -       -       smtp
+        -o smtp_tls_CApath=/etc/ssl/certs
+        -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
+        -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
+        -o smtp_tls_fingerprint_digest=sha256
+        -o smtp_tls_security_level=encrypt
+
+WARNING: the above is vulnerable to MITM attacks, as the
+`smtp_tls_security_level` is not `verify`.
 
 ### Dovecot configuration
 

attempts at client-side TLS, failing
diff --git a/services/mail.mdwn b/services/mail.mdwn
index fbdeb529..916a2bae 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -885,6 +885,124 @@ when the cert is renewed. I use those simple symlink:
 I also configured filtering and many more things that are documented
 in [[blog/2016-05-12-email-setup]].
 
+## Client certs
+
+### Creating a self-signed ed25519 private CA
+
+    openssl genpkey -algorithm ed25519 -out ca.anarc.at.key -aes256
+    openssl req -new -key ca.anarc.at.key -out ca.anarc.at.csr -config ca.anarc.at.cnf
+
+RHEL [proposes](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#creating-a-private-ca-using-openssl_creating-and-managing-tls-keys-and-certificates):
+
+    openssl req -key <ca.key> -new -x509 -days 3650 -addext keyUsage=critical,keyCertSign,cRLSign -subj "/CN=<Example CA>" -out <ca.crt>
+
+cnf:
+
+    [req]
+    distinguished_name = req_distinguished_name
+    req_extensions = v3_req
+    prompt = no
+    [req_distinguished_name]
+    C = CA
+    CN = ca.anarc.at
+    [v3_req]
+    keyUsage = keyEncipherment, dataEncipherment
+    extendedKeyUsage = serverAuth
+    subjectAltName = @alt_names
+    [alt_names]
+    DNS.1 = ca.anarc.at
+
+Self-signed cert:
+
+    openssl x509 -req -days 365 -in ca.anarc.at.csr -signkey ca.anarc.at.key -out ca.anarc.at.crt
+
+ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
+
+Alternatives include OpenVPN's [easy-rsa](https://github.com/OpenVPN/easy-rsa/) and [cfssl](https://github.com/cloudflare/cfssl), which
+also has a [puppet module](https://forge.puppet.com/modules/mmack/cfssl/).
+
+### Client key and certificate creation
+
+Then the client key is generated, *on the client*, again with (but without encryption):
+
+    openssl genpkey -algorithm ed25519 -out angela.anarc.at.key
+
+CSR is a little special:
+
+    [client-cert]
+    keyUsage = critical, digitalSignature, keyEncipherment
+    extendedKeyUsage = clientAuth
+    subjectAltName = @alt_name
+
+    [req]
+    distinguished_name = dn
+    prompt = no
+
+    [dn]
+    CN = angela.anarc.at
+
+    [clnt_alt_name]
+    emailAddress = anarcat
+
+But the CSR is created as expected:
+
+    openssl req -key angela.anarc.at.key -config angela.anarc.at.cnf -new -out angela.anarc.at.csr
+
+Copy the CSR and CRT files to the CA server and sign those keys with:
+
+    openssl x509 -req -in angela.anarc.at.csr -CA ca.anarc.at.crt -CAkey ca.anarc.at.key -days 365 -out angela.anarc.at.crt
+
+Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
+
+### Next step: try Postfix
+
+Dovecot is not collaborating, and we do not have a working
+example. Try again with Postfix, since we know that works on eugeni.
+
+### Dovecot configuration
+
+https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication
+
+in `10-ssl.conf`:
+
+    ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
+    ssl_verify_client_cert = yes
+    ssl_cert_username_field = email
+
+in `10-auth.conf`:
+
+    auth_ssl_username_from_cert=yes
+
+if we'd like to keep Postfix using passwords, we could do:
+
+    protocol !smtp {
+      auth_ssl_require_client_cert=yes
+    }
+
+but since we're going to use TLS there too, that makes obviously no
+sense. Plus it gets rid of the weird SASL shim between the two, woot.
+
+During this deployment, SSH-based IMAP connexions still work, which is
+pretty fantastic.
+
+### Testing client connexion
+
+Not sure this is the correct way, but this *seems* to work in the
+sense that it loads the cert and tries to connect:
+
+    curl -v --cert ~/.config/x509/angela.anarc.at.crt --key ~/.config/x509/angela.anarc.at.key imaps://imap.anarc.at/
+
+Do use the `-v` flag, as it will show at which step it will fail. In
+my case, if fails *after* the client cert is accepted, which is
+interesting.
+
+This currently fails in Dovecot with:
+
+    dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
+
+I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
+but that fails similarly.
+
 ## Todo
 
 On the fly [OpenPGP encryption of incoming emails](https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve)?

fix another typo
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 96ffe4a2..39278fbd 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -599,7 +599,7 @@ A few handy `qemu` related commands:
  * enter the VM to make *permanent* changes, which will *not* be
    discarded:
 
-        sudo sbuild-qemu-boot --readwrite /srv/sbuild/qemu/unstable-amd64.img
+        sudo sbuild-qemu-boot --read-write /srv/sbuild/qemu/unstable-amd64.img
 
    Equivalent command:
 

found another latency research
diff --git a/blog/2018-05-04-terminal-emulators-2.mdwn b/blog/2018-05-04-terminal-emulators-2.mdwn
index c0ea0f7a..6d246c17 100644
--- a/blog/2018-05-04-terminal-emulators-2.mdwn
+++ b/blog/2018-05-04-terminal-emulators-2.mdwn
@@ -341,4 +341,19 @@ I have started some notes on reviewing the terminal emulators
 available in Wayland, which significantly lowers the range of
 applications available. See [[2022-09-19-wayland-terminal-emulators]].
 
+## Similar research
+
+The above latency benchmarks were done with Typometer on X11 by
+[beuke.org](https://beuke.org/terminal-latency/). Their results are different on some points: xterm's
+maximum latency (9.8ms) is much higher than ours (2.4ms) which makes
+me think there's something wrong with their test bench. But other
+results (rxvt, st, Terminaor) are strickingly similar. One notable
+change is how well Alacritty performs, probably because it improved in
+6 years since I ran those benchmarks.
+
+I'm still waiting for someone to figure out how to perform those tests
+under wayland and compare against foot. Right now it's really hard to
+tell, but I get the feeling Alacritty and xterm are pretty close, and
+that foot and gnome-terminal are slower.
+
 [[!tag debian-planet lwn geek review terminals performance]]

more hardware, forgot from which article i got this
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index cc641dc0..4a763d6b 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -125,6 +125,14 @@ ever since.
    rack](https://www.canadacomputers.com/product_info.php?cPath=38_944&item_id=166475) is quite interesting, 385$
  * [recyborg sometimes has racks](https://recyborg.com/?s=rack&post_type=product&type_aws=true) and [gigabit switches](https://recyborg.com/?s=gigabit&post_type=product&type_aws=true)
 
+Some other home lab had the following recommendations:
+
+ * [1U power switch](https://www.adj.com/pc-100a): basically a rack-mounted power bar
+ * [1U cyberpower UPS](https://www.cyberpowersystems.com/product/ups/smart-app-lcd/or500lcdrm1u/): but i've also heard bad things about those,
+   that they just crash when the battery runs out, even when plugged
+   in?
+ * [10" rack shelf](https://acinfinity.com/racks-accessories/rack-shelves/vented-cantilever-1u-rack-shelf-10/)
+
 ## Why OpenWRT
 
 The point of running OpenWRT on the APs is to get monitoring about

add toc
diff --git a/hardware/printer.md b/hardware/printer.md
index 6737a181..3b430fd3 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -1,3 +1,5 @@
+[[!toc levels=3]]
+
 # Requirements
 
 ## Must have

clarify printer reqs
diff --git a/hardware/printer.md b/hardware/printer.md
index 8e15b70e..6737a181 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -2,20 +2,20 @@
 
 ## Must have
 
- * network port
- * "driverless printing"
+ * Ethernet port
+ * "driverless printing" AKA "airprint" AKA stellar Linux support
  * laser (specifically, cheap per-page prints)
- * stellar Linux support
 
 ## Nice to have
 
  * colors
- * scanner, or at least photocopier
  * double-sided printing, AKA "[duplex printing](https://en.wikipedia.org/wiki/Duplex_printing)"
  * fits one "ream" ("rame", 500 sheets)
 
 ## Must not have
 
+ * scanner, or at least photocopier - I've given up on that completely
+   and typically use my phone camera to scan documents
  * ink-jet printing, or specifically:
    * high cost
    * "drying out", I don't print often and this needs to keep working
@@ -97,6 +97,9 @@ a tad expensive for an EOL device. In the 3280 review, they say:
 It seems the cost per page is slightly lower on the older model, that
 said. The older printer is bulkier, however.
 
+Unclear if non-OEM cartridges work, but honestly I just get the OEM
+typically...
+
 ## HP Color LaserJet Pro MFP M479FDW
 
 <https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-mfp-m479fdw>

another death thing
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index 78f677ec..feeb9a02 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -31,6 +31,8 @@ http://varnish-cache.org/docs/6.6/phk/lucky.html
 https://g3rv4.com/2022/04/a-plan-for-my-secrets is basically SSSS but
 he wrote his own thing.
 
+https://longnow.org/ideas/digital-avatars-and-our-refusal-to-die/
+
 # maintainer deaths
 
 https://www.schafe-sind-bessere-rasenmaeher.de/tech/how-i-inherited-an-open-source-project/

another ssg
diff --git a/services/wiki/ikiwiki-hugo-conversion.mdwn b/services/wiki/ikiwiki-hugo-conversion.mdwn
index d999014e..0c977b95 100644
--- a/services/wiki/ikiwiki-hugo-conversion.mdwn
+++ b/services/wiki/ikiwiki-hugo-conversion.mdwn
@@ -380,3 +380,9 @@ See also those comparisons:
 Inspiring themes:
 
  * [this hugo theme](https://andreyorst.gitlab.io/posts/2022-02-22-new-look/)
+
+Other ideas:
+
+ * [soupault](https://soupault.app/) can do post-processing of the HTML rendered by *any*
+   SSG, which might provide an interesting base to build what's
+   missing from an alternative

another expansion card
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index c74a4452..18868775 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2061,6 +2061,7 @@ USB-C|blog/2023-02-10-usb-c]]. I'm considering a Dell
  * [spring-loaded expansion card](https://community.frame.work/t/spring-loaded-expansion-card/36013) (probably also a joke)
  * [RTL SDR](https://community.frame.work/t/rtl-sdr-expansion-card/37098)
  * [joystick](https://community.frame.work/t/framework-joystick-modules-turning-your-frame-work-13-into-an-handheld-coming-soon/39011)
+ * [logitech dongle hider with USB-A output](https://github.com/LeoDJ/FW-EC-DongleHiderPlus)
 * check out [this forum category](https://community.frame.work/c/developer-program/expansion-card/90) for a cornucopia of those
 
 ## Upstream resources

review brother printers
diff --git a/hardware/printer.md b/hardware/printer.md
index a05cb698..8e15b70e 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -55,6 +55,48 @@ come to the following conclusion:
    which doesn't have duplex scanning, but is cheaper (see [bh
    comparison](https://www.bhphotovideo.com/c/compare/Canon_MF743Cdw_vs_Canon_MF644Cdw_vs_Canon_MF741Cdw/BHitems/1489652-REG_1489654-REG_1489653-REG)). it's out of stock at Staples and Bestbuy as well
 
+## Brother
+
+After being recommended Brother by a family member and the [internet](https://hachyderm.io/@jbcrawford/112018421075831627),
+[twice](https://mas.to/@zekjur/112117296104194523), I've mostly given up and decided to just go with Brother
+printers.
+
+Rtings suggests the [Brother HL-L2325DW](https://www.rtings.com/printer/reviews/brother/hl-l2325dw#page-retailers), a plain black and white
+laser printer, in their [2023 best laser printer review](https://www.rtings.com/printer/reviews/best/by-type/laser). [206$ at
+Staples](https://www.staples.ca/products/2764645-en-brother-hl-l2370dw-wireless-monochrome-laser-printer) for the Brother HL-L2370DW variant, which features an
+Ethernet port as well. Wirecutters [suggest the HL-L2350DW variant](https://www.nytimes.com/wirecutter/reviews/best-laser-printer/)
+as well. They do not rate devices available locally (bestbuy or staples).
+
+For color printers, Staples' cheapest is the [Brother HL-L3220CDW](https://www.staples.ca/products/3074146-en-brother-hl-l3220cdw-wireless-colour-laser-printer)
+at 286$ (on sale from 405$!). It is also [well rated at rtings](https://www.rtings.com/printer/reviews/brother/hl-l3280cdw-hl-l3220cdw-hl-l3295cdw),
+but the 3220 doesn't have Ethernet. For that you need the [Brother
+HL-L3280CDW](https://www.staples.ca/products/3074145-en-brother-hl-l3280cdw-wireless-colour-laser-printer) (356$, on sale from 486$) which is the model reviewed
+by rtings. 
+
+Naturally, the color printer is larger (27.4cm x 39.9cm x 40.2cm) and
+heavier (15.4Kg) than its monochrome counterpart (20cm x 36.4cm x
+40.8cm). It also has a visual touch screen instead of a single-line
+LCD display. The color printer will also stop printing when it thinks
+the toner is empty, whereas the black-and-white one will keep pushing
+out dimmer pages. The color printer prints the first page faster (12s)
+than the black and white (24s).
+
+They both hold 250 sheets.
+
+Another alternative is the Brother HL-L3270CDW ([306$ in clearance at
+staples](https://www.staples.ca/products/24342682-en-brother-hl-l3270cdw-wireless-colour-mobile-ready-laser-printer)) which has also a [good review at rtings](https://www.rtings.com/printer/reviews/brother/hl-l3270cdw-laser), but it feels
+a tad expensive for an EOL device. In the 3280 review, they say:
+
+> The Brother HL-L3280CDW is a newer version of the Brother
+> HL-L3270CDW Laser. They have identical features and perform
+> similarly in print quality. The HL-L3280CDW prints slightly faster
+> but doesn't yield as many color prints as the older HL-L3270CDW. The
+> biggest difference is that the HL-L3270CDW requires more maintenance
+> because its drum unit wears out much faster.
+
+It seems the cost per page is slightly lower on the older model, that
+said. The older printer is bulkier, however.
+
 ## HP Color LaserJet Pro MFP M479FDW
 
 <https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-mfp-m479fdw>
@@ -68,8 +110,10 @@ Carefully review this thread before buying anything HP: https://news.ycombinator
 ## References
 
  * [Wirecutters review](https://www.nytimes.com/wirecutter/reviews/best-laser-printer/), updated yearly, currently recommends the
-   [HP Color LaserJet Pro M255dw](https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-m255dw)
- * [RTINGS](https://www.rtings.com/printer/reviews/best/by-type/laser) also produce a yearly review, currently recomments the
+   [HP Color LaserJet Pro M255dw](https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-m255dw). update: they now (2024) switched
+   to the HP Color LaserJet Pro MFP M283fdw, and the Brother
+   HL-L2350DW for "budget"
+ * [RTINGS](https://www.rtings.com/printer/reviews/best/by-type/laser) also produce a yearly review, currently (2023) recommends the
    [Canon imageCLASS MF743Cdw](https://www.rtings.com/printer/reviews/canon/imageclass-mf743cdw) ([656$ at BestBuy](https://www.bestbuy.ca/fr-ca/produit/13796853), back-order,
    [656$ at Staples](https://www.staples.ca/products/2948189-en-canon-imageclass-mf743cdw-colour-laser-printer)), 300 sheets only, toner is expensive [200$
    for black at Staples](https://www.staples.ca/products/3029652-en-fuzion-canon-3020c001-055h-compatible-toner-high-yield-black) but has a high yield (7600 pages,

add webtag
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index d677619f..49830fca 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -93,6 +93,7 @@ This also overlaps with bookmarking software like:
  * [Shiori](https://github.com/RadhiFadlillah/shiori)
  * [Turtl](https://turtlapp.com/)
  * [Wallabag](https://wallabag.org/)
+ * [webtag.io](https://webtag.io)
 
 ... and archival software in the [[WARC ecosystem|services/archive]].
 

mention wshowkeys
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 5b4eb0cc..5ebad3cc 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -898,6 +898,10 @@ screencasting list][]. In particular, see [wl-screenrec][] which has
 hardware encoding and much better performance, not in Debian (see
 [1040786][]).
 
+I also use [wshowkeys][] to ... well... show keys pressed during a
+recording. Not in Debian, but trivial to package ([947858][]), main
+annoyance is it requires a `setuid` binary to work.
+
 [peek]: https://github.com/phw/peek
 [simplescreenrecorder]: https://www.maartenbaert.be/simplescreenrecorder/
 [no sound support]: https://github.com/phw/peek/issues/105
@@ -906,6 +910,8 @@ hardware encoding and much better performance, not in Debian (see
 [awesome Wayland screencasting list]: https://github.com/natpen/awesome-wayland#screencasting
 [wl-screenrec]: https://github.com/russelltg/wl-screenrec
 [1040786]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040786
+[wshowkeys]: https://git.sr.ht/~sircmpwn/wshowkeys
+[947858]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947858
 
 ## RSI: workrave → nothing?
 

another printer
diff --git a/hardware/printer.md b/hardware/printer.md
index 34153f38..a05cb698 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -38,6 +38,7 @@
    it do have a hefty upfront cost, and they still seem to suffer from
    "drying out" problems when not in use
  * [use Brother or Epson](https://hachyderm.io/@jbcrawford/112018421075831627)
+ * [brother label printer](https://mas.to/@zekjur/112117296104194523)
 
 # Options
 

move vichama.ca to porkbun
diff --git a/services/dns.mdwn b/services/dns.mdwn
index ac6dcc50..beefe303 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -121,11 +121,13 @@ Situation actuelle:
 
  * opensrs: test account created, hosted: `debian-policy.info`
    (2025-10-15), not sure I want to keep, could be just for `anarc.at`
- * mythic beasts: idem, to be closed, hosted: `alterne.ca` (2025-09-11)
- * porkbun: secondary account, hosted: `orangeseeds.net`
-   `orangeseeds.org` (transfer started 2023-12-19)
- * gandi: `reseaulibre.ca` (2024-04-28), `vichama.ca` (2024-05-17),
-   `anarc.at` (2024-09-06), `insomniaque.org` (2029-04-28)
+ * mythic beasts: idem, to be closed, hosted: `alterne.ca`
+   (2025-09-11), maybe keep for `anarc.at` and close OpenSRS because
+   it's too complicated?
+ * porkbun: `orangeseeds.net` `orangeseeds.org` (transfer started
+   2023-12-19), `vichama.ca` (2024-05-17)
+ * gandi: `reseaulibre.ca` (2024-04-28), `anarc.at` (2024-09-06),
+   `insomniaque.org` (2029-04-28)
 
 Convention de noms
 ==================

zfs: example rescue encrypted operation
diff --git a/software/zfs.md b/software/zfs.md
index 53d7680f..4c8aaf6e 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -163,6 +163,10 @@ with:
 
     zpool import -l -a
 
+For rescue operations, that would be the right incantation:
+
+    zpool import -l -a -R /mnt
+
 ## Deprecated: zfsutil
 
 This is another way to use an alternate mountpoint, although I'm less

printer rec
diff --git a/hardware/printer.md b/hardware/printer.md
index d180855b..34153f38 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -37,6 +37,7 @@
    laser-like price for ink jet printers... the Epson printers that do
    it do have a hefty upfront cost, and they still seem to suffer from
    "drying out" problems when not in use
+ * [use Brother or Epson](https://hachyderm.io/@jbcrawford/112018421075831627)
 
 # Options
 

negative qotom review
diff --git a/hardware/margaret.md b/hardware/margaret.md
index c87087bd..2cd2c452 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -292,6 +292,8 @@ model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure
 of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
 recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). 
 
+They have been [negatively reviewed on OpenWRT forums](https://forum.openwrt.org/t/recommendations-for-a-gigabit-bridge-possibly-with-sfp/177592/13).
+
 ## Turris
 
 The Turris Omnia is the device that was used as a core router before

update network map
diff --git "a/services/r\303\251seau.mdwn" "b/services/r\303\251seau.mdwn"
index 025f91fd..bce398a5 100644
--- "a/services/r\303\251seau.mdwn"
+++ "b/services/r\303\251seau.mdwn"
@@ -55,7 +55,29 @@ another DNS server.
 The key question is whether two DNS servers need to be provided,
 because that configuration would obviously more involved.
 
-# Plan du réseau
+# Plans réseau
+
+## 2024-...
+
+![Plan du réseau][2024]
+
+  [2024]: plan-2024.svg "IP addresses specified if present, otherwise model number detailed."
+
+The network is setup generally like this:
+
+ 1. internet (TekSavvy, business line)
+ 2. bonder (TekSavvy owned PC that does some magic to get a static IP
+    address and, optionally, redundancy)
+ 3. router ([[hardware/margaret]])
+ 4. switch to which is connected:
+    * wifi access point with PoE ([[hardware/svetlana]])
+    * office wifi access point connected over fibre because of the
+      long, outdoors link ([[hardware/octavia]])
+    * ATA (Cisco SPA-112 VoIP adapter)
+    * main server [[hardware/server/marcos]]
+    * home cinema ([[hardware/ursula]])
+
+## 2015-2022
 
 ![Plan du réseau][1]
 
diff --git "a/services/r\303\251seau/plan-2024.svg" "b/services/r\303\251seau/plan-2024.svg"
new file mode 100644
index 00000000..c0c7c392
--- /dev/null
+++ "b/services/r\303\251seau/plan-2024.svg"
@@ -0,0 +1,1540 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="17cm"
+   height="22cm"
+   viewBox="330 1 324 439"
+   version="1.1"
+   id="svg682"
+   sodipodi:docname="plan-2024.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs686" />
+  <sodipodi:namedview
+     id="namedview684"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="cm"
+     showgrid="false"
+     inkscape:zoom="0.75647728"
+     inkscape:cx="705.90355"
+     inkscape:cy="470.60237"
+     inkscape:window-width="1502"
+     inkscape:window-height="974"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="Arrière-plan" />
+  <g
+     id="Background" />
+  <g
+     id="Arrière-plan">
+    <g
+       id="g183"
+       transform="matrix(0.99999483,0,0,1.1667581,0.00257886,-17.830284)">
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 584.709,165.832 -0.067,-2.917 -0.235,-2.918 -0.437,-2.865 -0.605,-2.866 -0.807,-2.917 -0.907,-2.815 -1.143,-2.764 -1.277,-2.712 -1.378,-2.712 -1.613,-2.559 -1.714,-2.559 -1.883,-2.405 -2.05,-2.405 -2.151,-2.252 -2.285,-2.201 -2.454,-2.047 -2.52,-1.996 -2.622,-1.842 -2.756,-1.74 -2.857,-1.587 -2.958,-1.535 -3.058,-1.279 -3.058,-1.28 -3.193,-1.074 -3.261,-0.973 -3.26,-0.819 -3.327,-0.665 -3.361,-0.46 -3.395,-0.41 -3.428,-0.205 -3.428,-0.102 v 0 l -3.395,0.102 -3.461,0.205 -3.361,0.41 -3.361,0.46 -3.361,0.665 -3.26,0.819 -3.261,0.973 -3.159,1.074 -3.126,1.28 -2.991,1.279 -2.958,1.535 -2.823,1.587 -2.789,1.74 -2.622,1.842 -2.554,1.996 -2.454,2.047 -2.285,2.201 -2.151,2.252 -2.05,2.405 -1.883,2.405 -1.714,2.559 -1.579,2.559 -1.446,2.712 -1.21,2.712 -1.142,2.764 -0.941,2.815 -0.807,2.917 -0.538,2.866 -0.437,2.865 -0.302,2.918 -0.034,2.917 v 0 l 0.034,2.968 0.302,2.917 0.437,2.917 0.538,2.866 0.807,2.866 0.941,2.814 1.142,2.764 1.21,2.763 1.446,2.662 1.579,2.558 1.714,2.559 1.883,2.457 2.05,2.354 2.151,2.252 2.285,2.2 2.454,2.098 2.554,1.894 2.622,1.945 2.789,1.74 2.823,1.586 2.958,1.433 2.991,1.382 3.126,1.228 3.159,1.075 3.261,0.972 3.26,0.819 3.361,0.614 3.361,0.512 3.361,0.46 3.461,0.154 3.395,0.051 v 0 l 3.428,-0.051 3.428,-0.154 3.395,-0.46 3.361,-0.512 3.327,-0.614 3.26,-0.819 3.261,-0.972 3.193,-1.075 3.058,-1.228 3.058,-1.382 2.958,-1.433 2.857,-1.586 2.756,-1.74 2.622,-1.945 2.52,-1.894 2.454,-2.098 2.285,-2.2 2.151,-2.252 2.05,-2.354 1.883,-2.457 1.714,-2.559 1.613,-2.558 1.378,-2.662 1.277,-2.763 1.143,-2.764 0.907,-2.814 0.807,-2.866 0.605,-2.866 0.437,-2.917 0.235,-2.917 z"
+         id="path133" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 478.94,196.23 -0.068,-2.917 -0.235,-2.917 -0.269,-2.866 -0.47,-2.917 -0.605,-2.866 -0.74,-2.814 -0.874,-2.764 -0.941,-2.712 -1.075,-2.712 -1.21,-2.559 -1.311,-2.559 -1.445,-2.405 -1.613,-2.406 -1.647,-2.251 -1.748,-2.201 -1.882,-2.047 -1.882,-1.996 -2.084,-1.842 -2.084,-1.74 -2.218,-1.536 -2.218,-1.586 -2.319,-1.382 -2.42,-1.177 -2.42,-1.075 -2.487,-0.972 -2.521,-0.819 -2.554,-0.665 -2.588,-0.461 -2.555,-0.409 -2.621,-0.256 -2.622,-0.051 v 0 l -2.621,0.051 -2.622,0.256 -2.622,0.409 -2.554,0.461 -2.588,0.665 -2.521,0.819 -2.453,0.972 -2.42,1.075 -2.386,1.177 -2.319,1.382 -2.286,1.586 -2.151,1.536 -2.151,1.74 -2.016,1.842 -1.916,1.996 -1.882,2.047 -1.748,2.201 -1.681,2.251 -1.579,2.406 -1.412,2.405 -1.344,2.559 -1.177,2.559 -1.109,2.712 -0.974,2.712 -0.841,2.764 -0.739,2.814 -0.605,2.866 -0.437,2.917 -0.336,2.866 -0.202,2.917 -0.067,2.917 v 0 l 0.067,2.969 0.202,2.917 0.336,2.917 0.437,2.866 0.605,2.865 0.739,2.815 0.841,2.764 0.974,2.712 1.109,2.712 1.177,2.559 1.344,2.559 1.412,2.405 1.579,2.406 1.681,2.251 1.748,2.201 1.882,2.047 1.916,1.945 2.016,1.842 2.151,1.842 2.151,1.587 2.286,1.433 2.319,1.433 2.386,1.177 2.42,1.074 2.453,0.973 2.521,0.767 2.588,0.666 2.554,0.512 2.622,0.46 2.622,0.154 2.621,0.051 v 0 l 2.622,-0.051 2.621,-0.154 2.555,-0.46 2.588,-0.512 2.554,-0.666 2.521,-0.767 2.487,-0.973 2.42,-1.074 2.42,-1.177 2.319,-1.433 2.218,-1.433 2.218,-1.587 2.084,-1.842 2.084,-1.842 1.882,-1.945 1.882,-2.047 1.748,-2.201 1.647,-2.251 1.613,-2.406 1.445,-2.405 1.311,-2.559 1.21,-2.559 1.075,-2.712 0.941,-2.712 0.874,-2.764 0.74,-2.815 0.605,-2.865 0.47,-2.866 0.269,-2.917 0.235,-2.917 z"
+         id="path135" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 413.703,255.339 -0.034,-2.405 -0.1,-2.406 -0.236,-2.405 -0.302,-2.354 -0.437,-2.252 -0.504,-2.354 -0.538,-2.303 -0.639,-2.2 -0.739,-2.201 -0.84,-2.098 -0.908,-1.996 -0.974,-2.047 -1.042,-1.945 -1.109,-1.893 -1.21,-1.74 -1.244,-1.638 -1.277,-1.689 -1.345,-1.484 -1.445,-1.433 -1.479,-1.33 -1.512,-1.177 -1.58,-1.126 -1.579,-0.973 -1.647,-0.87 -1.681,-0.818 -1.68,-0.615 -1.714,-0.614 -1.782,-0.358 -1.747,-0.307 -1.714,-0.154 -1.782,-0.102 v 0 l -1.781,0.102 -1.781,0.154 -1.748,0.307 -1.714,0.358 -1.748,0.614 -1.714,0.615 -1.647,0.818 -1.613,0.87 -1.647,0.973 -1.58,1.126 -1.512,1.177 -1.479,1.33 -1.411,1.433 -1.378,1.484 -1.278,1.689 -1.243,1.638 -1.177,1.74 -1.142,1.893 -1.042,1.945 -0.975,2.047 -0.907,1.996 -0.773,2.098 -0.74,2.201 -0.638,2.2 -0.605,2.303 -0.504,2.354 -0.37,2.252 -0.303,2.354 -0.269,2.405 -0.134,2.406 v 2.405 0 2.303 l 0.134,2.405 0.269,2.354 0.303,2.355 0.37,2.405 0.504,2.252 0.605,2.251 0.638,2.252 0.74,2.201 0.773,2.098 0.907,2.047 0.975,1.996 1.042,1.945 1.142,1.842 1.177,1.74 1.243,1.689 1.278,1.689 1.378,1.432 1.411,1.433 1.479,1.331 1.512,1.228 1.58,1.126 1.647,0.972 1.613,0.87 1.647,0.768 1.714,0.665 1.748,0.563 1.714,0.461 1.748,0.256 1.781,0.153 1.781,0.103 v 0 l 1.782,-0.103 1.714,-0.153 1.747,-0.256 1.782,-0.461 1.714,-0.563 1.68,-0.665 1.681,-0.768 1.647,-0.87 1.579,-0.972 1.58,-1.126 1.512,-1.228 1.479,-1.331 1.445,-1.433 1.345,-1.432 1.277,-1.689 1.244,-1.689 1.21,-1.74 1.109,-1.842 1.042,-1.945 0.974,-1.996 0.908,-2.047 0.84,-2.098 0.739,-2.201 0.639,-2.252 0.538,-2.251 0.504,-2.252 0.437,-2.405 0.302,-2.355 0.236,-2.354 0.1,-2.405 z"
+         id="path137" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 469.966,300.835 -0.034,-2.61 -0.235,-2.559 -0.37,-2.61 -0.437,-2.559 -0.605,-2.507 -0.706,-2.508 -0.907,-2.457 -0.941,-2.405 -1.143,-2.252 -1.21,-2.354 -1.378,-2.251 -1.445,-2.099 -1.546,-2.098 -1.681,-2.098 -1.781,-1.894 -1.882,-1.842 -1.983,-1.689 -2.084,-1.689 -2.117,-1.484 -2.218,-1.484 -2.32,-1.279 -2.352,-1.229 -2.42,-1.074 -2.454,-0.973 -2.52,-0.818 -2.588,-0.666 -2.555,-0.614 -2.621,-0.512 -2.622,-0.307 -2.655,-0.204 -2.689,-0.052 v 0 l -2.655,0.052 -2.621,0.204 -2.689,0.307 -2.588,0.512 -2.622,0.614 -2.52,0.666 -2.521,0.818 -2.487,0.973 -2.42,1.074 -2.319,1.229 -2.319,1.279 -2.219,1.484 -2.151,1.484 -2.05,1.689 -1.983,1.689 -1.882,1.842 -1.781,1.894 -1.681,2.098 -1.579,2.098 -1.446,2.099 -1.378,2.251 -1.243,2.354 -1.076,2.252 -0.974,2.405 -0.908,2.457 -0.739,2.508 -0.538,2.507 -0.504,2.559 -0.336,2.61 -0.202,2.559 -0.067,2.61 v 0 l 0.067,2.559 0.202,2.61 0.336,2.558 0.504,2.559 0.538,2.508 0.739,2.508 0.908,2.507 0.974,2.406 1.076,2.302 1.243,2.252 1.378,2.252 1.446,2.149 1.579,2.15 1.681,2.047 1.781,1.893 1.882,1.792 1.983,1.74 2.05,1.637 2.151,1.535 2.219,1.485 2.319,1.279 2.319,1.228 2.42,1.024 2.487,0.972 2.521,0.819 2.52,0.716 2.622,0.666 2.588,0.46 2.689,0.307 2.621,0.205 h 2.655 v 0 h 2.689 l 2.655,-0.205 2.622,-0.307 2.621,-0.46 2.555,-0.666 2.588,-0.716 2.52,-0.819 2.454,-0.972 2.42,-1.024 2.352,-1.228 2.32,-1.279 2.218,-1.485 2.117,-1.535 2.084,-1.637 1.983,-1.74 1.882,-1.792 1.781,-1.893 1.681,-2.047 1.546,-2.15 1.445,-2.149 1.378,-2.252 1.21,-2.252 1.143,-2.302 0.941,-2.406 0.907,-2.507 0.706,-2.508 0.605,-2.508 0.437,-2.559 0.37,-2.558 0.235,-2.61 z"
+         id="path139" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 595.969,327.293 -0.135,-3.122 -0.269,-3.121 -0.537,-3.02 -0.706,-3.019 -0.874,-3.02 -1.076,-2.917 -1.277,-2.866 -1.479,-2.917 -1.68,-2.814 -1.815,-2.713 -2.05,-2.61 -2.151,-2.559 -2.353,-2.507 -2.487,-2.405 -2.722,-2.303 -2.756,-2.15 -2.958,-2.098 -3.092,-1.945 -3.16,-1.791 -3.36,-1.689 -3.395,-1.586 -3.529,-1.382 -3.596,-1.331 -3.731,-1.125 -3.731,-1.024 -3.831,-0.819 -3.832,-0.716 -3.966,-0.512 -3.865,-0.358 -3.999,-0.307 h -3.966 v 0 h -3.966 l -3.966,0.307 -3.933,0.358 -3.898,0.512 -3.899,0.716 -3.798,0.819 -3.764,1.024 -3.664,1.125 -3.663,1.331 -3.462,1.382 -3.462,1.586 -3.293,1.689 -3.193,1.791 -3.059,1.945 -2.958,2.098 -2.823,2.15 -2.655,2.303 -2.487,2.405 -2.386,2.507 -2.185,2.559 -2.017,2.61 -1.781,2.713 -1.68,2.814 -1.479,2.917 -1.277,2.866 -1.109,2.917 -0.874,3.02 -0.74,3.019 -0.504,3.02 -0.302,3.121 -0.101,3.122 v 0 l 0.101,2.968 0.302,3.122 0.504,3.019 0.74,3.071 0.874,3.019 1.109,2.917 1.277,2.866 1.479,2.917 1.68,2.815 1.781,2.712 2.017,2.61 2.185,2.662 2.386,2.405 2.487,2.405 2.655,2.252 2.823,2.252 2.958,2.047 3.059,1.944 3.193,1.792 3.293,1.74 3.462,1.484 3.462,1.433 3.663,1.279 3.664,1.126 3.764,1.075 3.798,0.767 3.899,0.717 3.898,0.563 3.933,0.358 3.966,0.307 h 3.966 v 0 h 3.966 l 3.999,-0.307 3.865,-0.358 3.966,-0.563 3.832,-0.717 3.831,-0.767 3.731,-1.075 3.731,-1.126 3.596,-1.279 3.529,-1.433 3.395,-1.484 3.36,-1.74 3.16,-1.792 3.092,-1.944 2.958,-2.047 2.756,-2.252 2.722,-2.252 2.487,-2.405 2.353,-2.405 2.151,-2.662 2.05,-2.61 1.815,-2.712 1.68,-2.815 1.479,-2.917 1.277,-2.866 1.076,-2.917 0.874,-3.019 0.706,-3.071 0.537,-3.019 0.269,-3.122 z"
+         id="path141" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 639.46,187.223 -0.034,-2.251 -0.202,-2.355 -0.369,-2.302 -0.404,-2.252 -0.605,-2.201 -0.672,-2.252 -0.84,-2.2 -0.975,-2.15 -1.042,-2.047 -1.142,-2.098 -1.311,-1.996 -1.412,-1.944 -1.479,-1.792 -1.646,-1.842 -1.681,-1.689 -1.849,-1.586 -1.882,-1.638 -1.949,-1.433 -2.084,-1.33 -2.117,-1.28 -2.151,-1.177 -2.286,-1.075 -2.319,-0.972 -2.352,-0.87 -2.42,-0.768 -2.42,-0.511 -2.487,-0.614 -2.488,-0.41 -2.554,-0.256 -2.521,-0.153 -2.554,-0.103 v 0 l -2.588,0.103 -2.521,0.153 -2.554,0.256 -2.487,0.41 -2.454,0.614 -2.453,0.511 -2.386,0.768 -2.387,0.87 -2.319,0.972 -2.285,1.075 -2.185,1.177 -2.084,1.28 -2.083,1.33 -1.95,1.433 -1.882,1.638 -1.815,1.586 -1.714,1.689 -1.647,1.842 -1.479,1.792 -1.378,1.944 -1.344,1.996 -1.143,2.098 -1.042,2.047 -0.974,2.15 -0.841,2.2 -0.672,2.252 -0.571,2.201 -0.471,2.252 -0.302,2.302 -0.168,2.355 -0.101,2.251 v 0 l 0.101,2.303 0.168,2.303 0.302,2.252 0.471,2.303 0.571,2.252 0.672,2.2 0.841,2.201 0.974,2.149 1.042,2.15 1.143,1.996 1.344,1.944 1.378,1.996 1.479,1.842 1.647,1.74 1.714,1.74 1.815,1.638 1.882,1.535 1.95,1.433 2.083,1.433 2.084,1.28 2.185,1.126 2.285,1.125 2.319,0.922 2.387,0.818 2.386,0.819 2.453,0.614 2.454,0.512 2.487,0.461 2.554,0.204 2.521,0.256 h 2.588 v 0 h 2.554 l 2.521,-0.256 2.554,-0.204 2.488,-0.461 2.487,-0.512 2.42,-0.614 2.42,-0.819 2.352,-0.818 2.319,-0.922 2.286,-1.125 2.151,-1.126 2.117,-1.28 2.084,-1.433 1.949,-1.433 1.882,-1.535 1.849,-1.638 1.681,-1.74 1.646,-1.74 1.479,-1.842 1.412,-1.996 1.311,-1.944 1.142,-1.996 1.042,-2.15 0.975,-2.149 0.84,-2.201 0.672,-2.2 0.605,-2.252 0.404,-2.303 0.369,-2.252 0.202,-2.303 z"
+         id="path143" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 653.71,245.718 -0.101,-2.303 -0.134,-2.303 -0.336,-2.252 -0.437,-2.251 -0.605,-2.303 -0.672,-2.15 -0.807,-2.252 -0.975,-2.098 -1.042,-2.149 -1.142,-1.996 -1.311,-2.047 -1.412,-1.894 -1.445,-1.791 -1.647,-1.893 -1.68,-1.638 -1.748,-1.689 -1.882,-1.535 -2.017,-1.433 -1.983,-1.382 -2.117,-1.279 -2.151,-1.177 -2.252,-1.075 -2.285,-0.921 -2.353,-0.87 -2.42,-0.768 -2.42,-0.614 -2.453,-0.512 -2.521,-0.46 -2.487,-0.205 -2.521,-0.154 -2.521,-0.102 v 0 l -2.554,0.102 -2.487,0.154 -2.521,0.205 -2.453,0.46 -2.454,0.512 -2.453,0.614 -2.387,0.768 -2.319,0.87 -2.319,0.921 -2.252,1.075 -2.151,1.177 -2.117,1.279 -2.05,1.382 -1.916,1.433 -1.882,1.535 -1.849,1.689 -1.68,1.638 -1.58,1.893 -1.445,1.791 -1.412,1.894 -1.277,2.047 -1.21,1.996 -1.042,2.149 -0.907,2.098 -0.84,2.252 -0.74,2.15 -0.538,2.303 -0.437,2.251 -0.336,2.252 -0.201,2.303 -0.034,2.303 v 0 l 0.034,2.303 0.201,2.354 0.336,2.252 0.437,2.251 0.538,2.252 0.74,2.201 0.84,2.252 0.907,2.098 1.042,2.047 1.21,2.098 1.277,1.945 1.412,1.945 1.445,1.842 1.58,1.791 1.68,1.74 1.849,1.586 1.882,1.587 1.916,1.433 2.05,1.33 2.117,1.28 2.151,1.177 2.252,1.075 2.319,0.972 2.319,0.921 2.387,0.768 2.453,0.512 2.454,0.614 2.453,0.358 2.521,0.307 2.487,0.154 2.554,0.051 v 0 l 2.521,-0.051 2.521,-0.154 2.487,-0.307 2.521,-0.358 2.453,-0.614 2.42,-0.512 2.42,-0.768 2.353,-0.921 2.285,-0.972 2.252,-1.075 2.151,-1.177 2.117,-1.28 1.983,-1.33 2.017,-1.433 1.882,-1.587 1.748,-1.586 1.68,-1.74 1.647,-1.791 1.445,-1.842 1.412,-1.945 1.311,-1.945 1.142,-2.098 1.042,-2.047 0.975,-2.098 0.807,-2.252 0.672,-2.201 0.605,-2.252 0.437,-2.251 0.336,-2.252 0.134,-2.354 z"
+         id="path145" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 643.963,294.08 -0.067,-3.736 -0.202,-3.839 -0.268,-3.684 -0.437,-3.787 -0.572,-3.685 -0.706,-3.633 -0.806,-3.583 -0.975,-3.531 -1.042,-3.429 -1.109,-3.377 -1.277,-3.276 -1.412,-3.122 -1.478,-3.07 -1.614,-2.917 -1.68,-2.815 -1.748,-2.712 -1.882,-2.559 -1.916,-2.303 -2.05,-2.252 -2.084,-2.047 -2.151,-1.944 -2.184,-1.74 -2.286,-1.638 -2.319,-1.433 -2.42,-1.228 -2.386,-0.973 -2.487,-0.921 -2.454,-0.665 -2.453,-0.461 -2.487,-0.307 -2.521,-0.051 v 0 l -2.521,0.051 -2.487,0.307 -2.521,0.461 -2.453,0.665 -2.42,0.921 -2.454,0.973 -2.352,1.228 -2.319,1.433 -2.286,1.638 -2.252,1.74 -2.151,1.944 -2.084,2.047 -1.983,2.252 -1.983,2.303 -1.848,2.559 -1.781,2.712 -1.681,2.815 -1.58,2.917 -1.512,3.07 -1.344,3.122 -1.278,3.276 -1.176,3.377 -1.042,3.429 -0.907,3.531 -0.807,3.583 -0.706,3.633 -0.571,3.685 -0.437,3.787 -0.336,3.684 -0.202,3.839 -0.067,3.736 v 0 l 0.067,3.787 0.202,3.838 0.336,3.685 0.437,3.735 0.571,3.787 0.706,3.583 0.807,3.531 0.907,3.582 1.042,3.378 1.176,3.378 1.278,3.326 1.344,3.122 1.512,3.019 1.58,2.968 1.681,2.815 1.781,2.661 1.848,2.559 1.983,2.405 1.983,2.201 2.084,2.098 2.151,1.894 2.252,1.791 2.286,1.586 2.319,1.433 2.352,1.177 2.454,1.075 2.42,0.819 2.453,0.665 2.521,0.461 2.487,0.307 2.521,0.153 v 0 l 2.521,-0.153 2.487,-0.307 2.453,-0.461 2.454,-0.665 2.487,-0.819 2.386,-1.075 2.42,-1.177 2.319,-1.433 2.286,-1.586 2.184,-1.791 2.151,-1.894 2.084,-2.098 2.05,-2.201 1.916,-2.405 1.882,-2.559 1.748,-2.661 1.68,-2.815 1.614,-2.968 1.478,-3.019 1.412,-3.122 1.277,-3.326 1.109,-3.378 1.042,-3.378 0.975,-3.582 0.806,-3.531 0.706,-3.583 0.572,-3.787 0.437,-3.735 0.268,-3.685 0.202,-3.838 z"
+         id="path147" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 601.212,249.096 -0.135,-3.839 -0.403,-3.684 -0.639,-3.839 -0.873,-3.684 -1.143,-3.685 -1.412,-3.685 -1.647,-3.582 -1.915,-3.531 -2.084,-3.429 -2.353,-3.326 -2.621,-3.327 -2.79,-3.173 -3.025,-2.968 -3.226,-2.968 -3.429,-2.866 -3.562,-2.661 -3.798,-2.508 -3.966,-2.405 -4.067,-2.252 -4.268,-2.098 -4.403,-1.894 -4.504,-1.791 -4.604,-1.586 -4.706,-1.382 -4.84,-1.177 -4.907,-1.075 -4.94,-0.819 -5.008,-0.665 -5.042,-0.563 -5.075,-0.256 -5.142,-0.102 v 0 l -5.075,0.102 -5.075,0.256 -5.042,0.563 -5.041,0.665 -4.941,0.819 -4.907,1.075 -4.806,1.177 -4.705,1.382 -4.672,1.586 -4.437,1.791 -4.402,1.894 -4.302,2.098 -4.101,2.252 -3.899,2.405 -3.831,2.508 -3.596,2.661 -3.361,2.866 -3.26,2.968 -3.025,2.968 -2.756,3.173 -2.622,3.327 -2.319,3.326 -2.117,3.429 -1.95,3.531 -1.613,3.582 -1.378,3.685 -1.21,3.685 -0.874,3.684 -0.638,3.839 -0.404,3.684 -0.101,3.839 v 0 l 0.101,3.735 0.404,3.787 0.638,3.736 0.874,3.787 1.21,3.685 1.378,3.634 1.613,3.531 1.95,3.582 2.117,3.48 2.319,3.327 2.622,3.224 2.756,3.173 3.025,3.07 3.26,2.917 3.361,2.815 3.596,2.712 3.831,2.559 3.899,2.405 4.101,2.252 4.302,1.996 4.402,1.996 4.437,1.689 4.672,1.586 4.705,1.433 4.806,1.228 4.907,1.024 4.941,0.87 5.041,0.665 5.042,0.461 5.075,0.358 5.075,0.051 v 0 l 5.142,-0.051 5.075,-0.358 5.042,-0.461 5.008,-0.665 4.94,-0.87 4.907,-1.024 4.84,-1.228 4.706,-1.433 4.604,-1.586 4.504,-1.689 4.403,-1.996 4.268,-1.996 4.067,-2.252 3.966,-2.405 3.798,-2.559 3.562,-2.712 3.429,-2.815 3.226,-2.917 3.025,-3.07 2.79,-3.173 2.621,-3.224 2.353,-3.327 2.084,-3.48 1.915,-3.582 1.647,-3.531 1.412,-3.634 1.143,-3.685 0.873,-3.787 0.639,-3.736 0.403,-3.787 z"
+         id="path149" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 517.994,165.32 66.514,-12.897 -0.841,-2.814 -1.041,-2.866 -1.143,-2.815 -1.378,-2.712 -1.479,-2.61 -1.68,-2.661 -1.748,-2.508 -2.017,-2.405 -2.05,-2.354 -2.218,-2.252 -2.387,-2.15 -2.487,-1.995 -2.621,-1.945 -2.723,-1.894 -2.823,-1.689 -2.924,-1.535 -2.958,-1.535 -3.125,-1.28 -3.16,-1.177 -3.192,-1.074 -3.328,-0.921 -3.327,-0.717 -3.361,-0.665 -3.395,-0.461 -3.428,-0.307 -3.462,-0.153 h -3.428 l -3.462,0.153 -3.462,0.205 -3.361,0.409 -3.394,0.666 -3.361,0.665 -3.327,0.921 -3.261,0.972 -3.159,1.126 -3.092,1.28 -3.058,1.433 -2.958,1.484 -2.79,1.689 -2.756,1.791 -2.655,1.893 -2.521,1.996 -2.386,2.15 -2.252,2.251 -2.151,2.303 -2.016,2.405 -1.883,2.508 -1.714,2.559 -1.478,2.712 -1.446,2.61 -1.243,2.815 -1.042,2.764 -0.874,2.865 -0.739,2.866 z"
+         id="path151" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 584.508,152.321 -0.874,-2.866 -1.008,-2.815 -1.177,-2.814 -1.344,-2.661 -1.546,-2.662 -1.647,-2.61 -1.781,-2.507 -2.017,-2.406 -2.084,-2.302 -2.151,-2.252 -2.42,-2.252 -2.42,-1.996 -2.655,-1.945 -2.722,-1.791 -2.79,-1.791 -2.924,-1.535 -2.991,-1.433 -3.126,-1.331 -3.159,-1.126 -3.159,-1.074 -3.328,-0.921 -3.361,-0.717 -3.361,-0.665 -3.394,-0.461 -3.395,-0.307 -3.495,-0.153 h -3.429 l -3.428,0.153 -3.428,0.205 -3.428,0.409 -3.361,0.666 -3.361,0.614 -3.294,0.87 -3.226,1.074 -3.227,1.126 -3.058,1.28 -3.059,1.433 -2.924,1.484 -2.857,1.637 -2.722,1.843 -2.655,1.893 -2.521,1.945 -2.386,2.149 -2.286,2.201 -2.151,2.354 -2.016,2.405 -1.815,2.457 -1.748,2.661 -1.512,2.559 -1.412,2.712 -1.21,2.712 -1.109,2.815 -0.874,2.866 -0.706,2.866"
+         id="path153" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 427.55,195.667 33.543,-44.779 -2.084,-1.842 -2.185,-1.74 -2.218,-1.536 -2.285,-1.535 -2.319,-1.33 -2.42,-1.229 -2.488,-1.023 -2.453,-0.973 -2.588,-0.767 -2.554,-0.665 -2.622,-0.461 -2.621,-0.358 -2.622,-0.205 h -2.622 l -2.655,0.102 -2.621,0.307 -2.622,0.359 -2.588,0.563 -2.554,0.716 -2.521,0.819 -2.521,0.972 -2.419,1.126 -2.42,1.28 -2.319,1.381 -2.252,1.536 -2.151,1.688 -2.151,1.792 -2.017,1.842 -1.916,2.047 -1.882,2.098 -1.748,2.252 -1.613,2.252 -1.546,2.456 -1.411,2.457 -1.345,2.558 -1.176,2.662 -1.109,2.712 -0.941,2.712 -0.841,2.815 -0.672,2.866 -0.538,2.866 -0.47,2.968 -0.336,2.968 -0.135,2.917 -0.067,2.917 0.101,2.969 0.202,3.019 0.403,2.866 z"
+         id="path155" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 460.925,150.735 -2.084,-1.843 -2.118,-1.689 -2.218,-1.586 -2.319,-1.433 -2.386,-1.382 -2.386,-1.177 -2.454,-1.075 -2.521,-0.921 -2.52,-0.716 -2.622,-0.665 -2.588,-0.461 -2.588,-0.358 -2.621,-0.205 h -2.689 l -2.555,0.102 -2.621,0.307 -2.689,0.359 -2.554,0.614 -2.521,0.665 -2.588,0.921 -2.453,0.921 -2.42,1.177 -2.387,1.28 -2.352,1.382 -2.252,1.535 -2.151,1.689 -2.084,1.74 -2.017,1.944 -1.983,1.945 -1.781,2.201 -1.781,2.149 -1.647,2.354 -1.512,2.354 -1.446,2.457 -1.277,2.61 -1.176,2.661 -1.109,2.712 -0.975,2.713 -0.807,2.866 -0.672,2.763 -0.605,2.917 -0.403,2.968 -0.336,2.917 -0.135,2.917 -0.067,2.969 0.168,2.917 0.202,2.968 0.336,2.968"
+         id="path157" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 418.207,300.272 -53.978,-1.587 v 2.713 l 0.101,2.559 0.269,2.712 0.437,2.559 0.504,2.61 0.639,2.661 0.84,2.456 0.874,2.508 1.109,2.457 1.176,2.354 1.244,2.405 1.479,2.252 1.479,2.2 1.68,2.099 1.714,2.047 1.849,1.944 1.983,1.791 2.016,1.74 2.118,1.74 2.218,1.485 2.285,1.432 2.387,1.382 2.42,1.126 2.419,1.126 2.555,0.972 2.588,0.819 2.621,0.665 2.656,0.615 2.655,0.46 2.688,0.307 2.723,0.154 h 2.756 l 2.655,-0.103 2.722,-0.204 2.689,-0.307 2.655,-0.461 2.689,-0.665 2.554,-0.768 2.622,-0.819 2.454,-1.074 2.487,-1.024 2.42,-1.279 2.285,-1.382 2.319,-1.484 2.118,-1.587 2.117,-1.637 z"
+         id="path159" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 364.297,298.685 -0.101,2.61 0.202,2.662 0.201,2.61 0.437,2.661 0.504,2.559 0.672,2.61 0.807,2.558 0.941,2.508 1.042,2.405 1.109,2.406 1.311,2.303 1.378,2.303 1.58,2.149 1.613,2.201 1.748,1.944 1.814,1.945 1.95,1.893 2.016,1.74 2.118,1.638 2.218,1.535 2.286,1.433 2.319,1.331 2.42,1.228 2.52,1.126 2.487,0.87 2.555,0.819 2.621,0.767 2.689,0.512 2.655,0.563 2.655,0.205 2.723,0.256 h 2.722 2.689 l 2.689,-0.256 2.689,-0.358 2.655,-0.461 2.688,-0.614 2.555,-0.717 2.621,-0.87 2.487,-1.023 2.42,-1.126 2.42,-1.228 2.319,-1.331 2.319,-1.433 2.185,-1.586 2.05,-1.638"
+         id="path161" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 589.952,186.149 47.491,14.79 0.807,-2.201 0.605,-2.201 0.571,-2.251 0.336,-2.303 0.336,-2.303 0.067,-2.303 v -2.354 l -0.067,-2.252 -0.269,-2.303 -0.369,-2.303 -0.538,-2.252 -0.639,-2.251 -0.739,-2.15 -0.874,-2.2 -1.008,-2.099 -1.143,-2.098 -1.277,-2.047 -1.311,-1.945 -1.445,-1.893 -1.546,-1.791 -1.647,-1.843 -1.815,-1.637 -1.815,-1.587 -1.983,-1.484 -1.983,-1.433 -2.084,-1.279 -2.151,-1.28 -2.252,-1.126 -2.285,-1.023 -2.353,-0.921 -2.42,-0.768 -2.386,-0.665 -2.521,-0.614 -2.487,-0.461 -2.52,-0.358 -2.555,-0.154 -2.521,-0.153 h -2.52 l -2.555,0.153 -2.554,0.205 -2.487,0.358 -2.521,0.461 -2.487,0.563 -2.453,0.716 z"
+         id="path163" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 633.074,209.28 4.335,-8.239 0.807,-2.149 0.639,-2.252 0.504,-2.252 0.403,-2.303 0.269,-2.303 0.101,-2.252 0.033,-2.405 -0.1,-2.252 -0.236,-2.303 -0.369,-2.303 -0.538,-2.251 -0.639,-2.252 -0.706,-2.201 -0.873,-2.098 -1.042,-2.2 -1.143,-2.099 -1.176,-2.047 -1.378,-1.944 -1.446,-1.894 -1.546,-1.842 -1.646,-1.74 -1.748,-1.638 -1.849,-1.638 -1.915,-1.535 -2.051,-1.382 -2.083,-1.33 -2.152,-1.228 -2.251,-1.024 -2.286,-1.075 -2.319,-0.972 -2.386,-0.819 -2.454,-0.665 -2.42,-0.614 -2.487,-0.461 -2.52,-0.307 -2.555,-0.205 -2.554,-0.153 h -2.588 l -2.521,0.153 -2.554,0.205 -2.521,0.307 -2.487,0.461 -2.454,0.563 -2.453,0.716"
+         id="path165" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 596.708,246.281 53.473,18.73 1.076,-2.456 0.874,-2.405 0.806,-2.559 0.639,-2.559 0.437,-2.559 0.302,-2.559 0.101,-2.661 v -2.61 l -0.202,-2.61 -0.302,-2.559 -0.538,-2.61 -0.639,-2.507 -0.84,-2.508 -0.907,-2.508 -1.143,-2.405 -1.277,-2.303 -1.378,-2.354 -1.58,-2.303 -1.68,-2.149 z"
+         id="path167" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 643.392,273.507 6.722,-8.393 1.008,-2.406 1.009,-2.558 0.773,-2.508 0.638,-2.61 0.437,-2.559 0.336,-2.559 0.135,-2.661 -0.034,-2.61 -0.202,-2.661 -0.369,-2.559 -0.471,-2.559 -0.639,-2.558 -0.84,-2.559 -0.941,-2.508 -1.176,-2.456 -1.244,-2.303 -1.479,-2.354 -1.512,-2.252 -1.714,-2.15 -10.755,-8.444"
+         id="path169" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 594.456,295.717 -16.872,71.084 2.487,1.126 2.521,1.024 2.521,0.767 2.621,0.614 2.555,0.461 2.554,0.205 h 2.655 l 2.588,-0.205 2.554,-0.307 2.588,-0.614 2.521,-0.768 2.521,-0.87 2.487,-1.126 2.453,-1.381 2.353,-1.485 2.353,-1.688 2.285,-1.843 2.218,-2.047 2.152,-2.098 2.05,-2.405 1.949,-2.508 1.882,-2.61 1.815,-2.815 1.714,-2.917 1.546,-3.019 1.479,-3.173 1.412,-3.224 1.243,-3.378 1.109,-3.377 1.042,-3.532 0.874,-3.633 0.807,-3.685 0.638,-3.685 0.538,-3.787 0.336,-3.735 0.303,-3.839 0.067,-3.838 v -3.838 l -0.134,-3.838 -0.269,-3.839 -0.404,-3.787 -0.504,-3.736 -0.672,-3.684 z"
+         id="path171" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 577.719,366.852 2.52,1.229 2.487,0.972 2.555,0.819 2.554,0.512 2.622,0.409 2.554,0.205 2.588,0.102 2.588,-0.307 2.621,-0.307 2.555,-0.614 2.52,-0.768 2.521,-0.972 2.487,-1.126 2.42,-1.331 2.42,-1.535 2.319,-1.638 2.252,-1.791 2.185,-2.047 2.151,-2.252 2.05,-2.354 1.949,-2.559 1.882,-2.61 1.815,-2.712 1.681,-2.968 1.613,-3.071 1.412,-3.07 1.411,-3.327 1.244,-3.377 1.109,-3.378 1.008,-3.531 0.908,-3.685 0.806,-3.633 0.605,-3.736 0.538,-3.736 0.403,-3.736 0.236,-3.838 0.067,-3.838 v -3.839 l -0.168,-3.838 -0.235,-3.838 -0.437,-3.787 -0.572,-3.736 -0.571,-3.685"
+         id="path173" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 380.698,255.339 -2.554,-48.259 -1.882,0.256 -1.782,0.307 -1.882,0.511 -1.815,0.615 -1.781,0.716 -1.748,0.921 -1.714,0.87 -1.68,1.177 -1.681,1.126 -1.579,1.28 -1.546,1.433 -1.479,1.484 -1.445,1.586 -1.311,1.74 -1.311,1.74 -1.21,1.842 -1.143,1.945 -1.042,2.047 -1.042,2.047 -0.907,2.201 -0.773,2.252 -0.739,2.251 -0.706,2.252 -0.538,2.354 -0.437,2.406 -0.403,2.405 -0.303,2.456 -0.134,2.508 -0.101,2.405 v 2.457 l 0.101,2.405 0.201,2.508 0.303,2.405 0.336,2.405 0.504,2.405 0.538,2.355 0.672,2.303 0.74,2.251 0.84,2.201 0.907,2.2 1.042,1.996 1.042,2.047 1.176,1.945 1.244,1.842 1.277,1.792 1.378,1.637 1.445,1.587 1.479,1.535 1.58,1.382 1.546,1.279 1.68,1.177 z"
+         id="path175" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 378.144,207.08 -1.781,0.256 -1.849,0.307 -1.815,0.511 -1.748,0.563 -1.781,0.717 -1.748,0.768 -1.68,0.972 -1.647,1.023 -1.647,1.126 -1.512,1.28 -1.58,1.381 -1.445,1.433 -1.412,1.536 -1.344,1.688 -1.345,1.74 -1.176,1.74 -1.176,1.945 -1.042,1.945 -1.008,2.047 -0.874,2.098 -0.841,2.15 -0.806,2.149 -0.672,2.252 -0.605,2.303 -0.504,2.354 -0.37,2.354 -0.37,2.405 -0.202,2.405 -0.134,2.406 v 2.405 2.405 l 0.202,2.406 0.201,2.405 0.303,2.405 0.437,2.354 0.437,2.303 0.605,2.252 0.739,2.354 0.739,2.201 0.841,2.098 0.941,2.098 0.974,2.047 1.042,1.945 1.143,1.893 1.244,1.792 1.31,1.74 1.345,1.637 1.445,1.536 1.412,1.484 1.546,1.33 1.579,1.229 1.614,1.177"
+         id="path177" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 516.851,332.82 -76.495,5.578 0.504,2.815 0.638,2.866 0.874,2.763 1.109,2.713 1.177,2.61 1.445,2.661 1.579,2.559 1.782,2.559 1.983,2.405 2.117,2.405 2.218,2.252 2.454,2.2 2.554,2.099 2.723,2.047 2.856,1.842 2.958,1.842 3.159,1.638 3.16,1.638 3.327,1.433 3.395,1.381 3.562,1.126 3.563,1.126 3.596,0.921 3.764,0.819 3.765,0.666 3.798,0.511 3.764,0.41 3.865,0.204 3.899,0.154 h 3.831 l 3.899,-0.205 3.832,-0.307 3.797,-0.46 3.765,-0.666 3.764,-0.716 3.63,-0.87 3.63,-1.075 3.529,-1.023 3.495,-1.28 3.361,-1.433 3.227,-1.535 3.159,-1.638 3.059,-1.791 2.924,-1.842 2.789,-1.945 2.588,-2.047 2.521,-2.149 2.319,-2.252 2.218,-2.354 2.05,-2.406 1.815,-2.405 1.681,-2.559 1.546,-2.661 1.311,-2.61 z"
+         id="path179" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 440.423,338.501 0.437,2.763 0.672,2.815 0.84,2.763 1.109,2.713 1.244,2.712 1.378,2.559 1.613,2.559 1.748,2.559 1.983,2.405 2.117,2.405 2.218,2.252 2.454,2.2 2.621,2.099 2.656,2.047 2.856,1.842 2.958,1.842 3.159,1.638 3.16,1.587 3.327,1.484 3.395,1.381 3.495,1.126 3.563,1.126 3.63,0.921 3.764,0.819 3.731,0.666 3.797,0.46 3.798,0.461 3.832,0.204 3.865,0.154 3.865,-0.051 3.832,-0.154 3.831,-0.409 3.865,-0.358 3.765,-0.666 3.697,-0.767 3.697,-0.819 3.596,-0.973 3.529,-1.125 3.462,-1.28 3.327,-1.433 3.294,-1.535 3.159,-1.587 3.025,-1.688 2.924,-1.894 2.756,-1.945 2.689,-2.047 2.487,-2.251 2.353,-2.201 2.218,-2.354 1.983,-2.303 1.882,-2.559 1.681,-2.507 1.478,-2.61 1.378,-2.662"
+         id="path181" />

(fichier de différences tronqué)
that svg is a JPEG
diff --git "a/services/r\303\251seau/plan.jpg" "b/services/r\303\251seau/plan.jpg"
new file mode 100644
index 00000000..dab7ef3c
Binary files /dev/null and "b/services/r\303\251seau/plan.jpg" differ
diff --git "a/services/r\303\251seau/plan.svg" "b/services/r\303\251seau/plan.svg"
index dab7ef3c..7c1a1159 100644
Binary files "a/services/r\303\251seau/plan.svg" and "b/services/r\303\251seau/plan.svg" differ

plastik is retired
diff --git a/hardware/server/plastik.mdwn b/hardware/server/plastik.mdwn
index 54e2c77b..a11483f4 100644
--- a/hardware/server/plastik.mdwn
+++ b/hardware/server/plastik.mdwn
@@ -1,4 +1,4 @@
-Plastik est un point d'accès dans la maison. Il est configuré en
+Plastik était un point d'accès dans la maison. Il est configuré en
 bridge pour étendre le réseau wifi, mais doit être connecté par fil,
 dans un des ports LAN, afin de fonctionne (ie. il ne "mesh" pas avec
 les autres points d'accès).

add headings, document ente.io
diff --git a/blog/mobile-massive-gallery.md b/blog/mobile-massive-gallery.md
index f4e7ae49..fd343fb0 100644
--- a/blog/mobile-massive-gallery.md
+++ b/blog/mobile-massive-gallery.md
@@ -1,3 +1,4 @@
+## nextcloud
 
 docker-compose -f compose-nextcloud.yml up -d
 docker-compose -f compose-nextcloud.yml down -v
@@ -34,6 +35,8 @@ https://gitlab.com/steviehs/digipics might help in fixing the "albums"?
 possibly alternative by bohwaz https://github.com/kd2org/karadav/
 https://mamot.fr/@bohwaz/109890893734823557
 
+## photoprism
+
 https://www.photoprism.app/
 
 lack of mobile app
@@ -89,6 +92,7 @@ rescan --force
 INFO[2023-02-20T17:54:11Z] indexed 82,692 files in 1h10m28.674348629s   
 ```
 
+## others
 
 https://arstechnica.com/gadgets/2021/06/the-big-alternatives-to-google-photos-showdown/
 
@@ -105,6 +109,8 @@ https://github.com/LibrePhotos/librephotos [mobile apps](https://docs.librephoto
 [piwigo](https://github.com/Piwigo/) has a [mobile app](https://github.com/Piwigo/Piwigo-Android) but is struggling to keep it up to
 date.
 
+## photochiotte
+
 [PhotoChiotte](https://gitlab.com/LaDaubePhotoChiotte/photochiotte) has an awful name but seems like a clever
 solution. All the logic is inside the mobile app and the server is a
 "dumb" web server with pregenerated thumbnails. It could be a great
@@ -135,4 +141,45 @@ consider tls client certs.
 
 update: https://apps.nextcloud.com/apps/memories seems to do what we need
 
+## ente
+
+[ente](https://ente.io/) just (March 2024) just open-sourced their server and it's
+interesting: a relatively generic API (Go + PostgreSQL) server backed
+by MinIO object storage backends. They're mostly a business that wants
+to host your data, but now it's also clearly an option.
+
+Desktop app is Electron (appimage, [not on Flathub](https://flathub.org/en-GB/apps/search?q=ente)), but they have
+a decent web app as well. Trick is we have a large collection that
+would cost somewhere between 13$ (500GB) and 30$/mth (2TB) to host on
+their servers, so that might be impractical for us, even cost-wise.
+
+Best would be if they would have some sort of CLI sync that would
+allow us to sync a local copy, but then maybe that's exactly the
+mentality we need to switch away from: just don't keep everything
+locally and sync as needed.
+
+Unclear how the mobile app works, but it does have a very exciting
+"free up device space" button that probably removes files that were
+already uploaded remotely. This would *really* help with the
+phone-to-archive workflow.
+
+I haven't tried submitting the stack to the entirety of my collection
+just yet, as I only tested the 1GB free trial. It looks pretty fast
+though, and the interface feels snappier than Photoprism's,
+*especially* since there's a native app for the phone.
+
+Still, this would mean a *major* shift (away from git-annex,
+specifically) for photo management, towards object storage
+(basically), fully encrypted (which means keys are suddenly a huge
+concern). Not sure.
+
+I like the simple design (one golang app + postgresql) especially when
+compared to Immich (2 microservices in Typescript/Dart, Redis,
+PostgreSQL).
+
+## immich
+
+complicated, lots of microservices, unsure if i want to embark on
+testing again.
+
 [[!tag draft]]

another imap sync tool
diff --git a/blog/2021-11-21-mbsync-vs-offlineimap.md b/blog/2021-11-21-mbsync-vs-offlineimap.md
index b7f5c044..d4b29a30 100644
--- a/blog/2021-11-21-mbsync-vs-offlineimap.md
+++ b/blog/2021-11-21-mbsync-vs-offlineimap.md
@@ -1048,6 +1048,7 @@ Those are all the options I have considered, in alphabetical order
    server, and written in C
  * [getmail](https://pyropus.ca./software/getmail/): fetchmail replacement, IMAP/POP3 support, supports
    incremental runs, classification rules, Python
+ * [imapsync](https://imapsync.lamiral.info/): one-way only, has another [list of alternatives](https://imapsync.lamiral.info/S/external.shtml)
  * [interimap](https://guilhem.org/interimap/): syncs two IMAP servers, [apparently faster](https://guilhem.org/interimap/benchmark.html) than
    `doveadm` and `offlineimap`, but requires running an IMAP server
    locally, Perl

move router alternatives in the main router page
This way it will be easier to find
diff --git a/hardware/margaret.md b/hardware/margaret.md
index f06743cb..c87087bd 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -276,4 +276,54 @@ network in case of a hardware failure. Two options are possible:
    `profile::router` Puppet class
  * use any darn PC with two network cards with the above
 
+# Alternatives
+
+In the [[service/wifi]] replacement project, I evaluated a bunch of
+options for core router replacement.
+
+## Qotom
+
+Qotom might be cheaper, and the [Q190G4U S01](https://qotom.net/product/35.html) is about as simple as
+it gets, but it means buying on [Amazon.com](https://www.amazon.com/Q190G4U-S01-Celeron-Processor-onboard-Fanless/dp/B072FQQVLQ) which refuses to ship
+to Canada for this product, or [Aliexpress](https://fr.aliexpress.com/i/32919359402.html?gatewayAdapt=glo2fra) (280$, so not actually
+cheaper). Problem with Qotom is their model line is utterly confusing,
+for example I found the above on their site, but Aliexpress has [this
+model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure. Serve the home has a [good review](https://www.servethehome.com/the-everything-fanless-home-server-firewall-router-and-nas-appliance-qotom-qnap-teamgroup/)
+of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
+recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). 
+
+## Turris
+
+The Turris Omnia is the device that was used as a core router before
+([[octavia]]), so getting a *second* device might have made sense
+here. Unfortunately, they were too [hard to find](https://forum.turris.cz/t/turris-omnia-availability/19478), (e.g. [B/O at
+Amazon](https://www.amazon.com/Turris-hi-Performance-printserver-Virtual-Dual-core/dp/B07XCKK146)). 
+
+Turris are saying they will publish a new "entreprise-ready" board
+soon, in the meantime [Discomp has some in stock and should ship
+internationally](https://www.discomp.cz/turris-omnia-2020-rtrom01-fcc-silver_d94042.html) for 262.95EUR or 390$CAD, quite reasonable,
+actually...
+
+## Others
+
+If we fail to get an Omnia, we need to [find a OpenWRT-supported SFP
+router](https://openwrt.org/toh/views/toh_sfp_ports). The [MicroTik hAP ac](https://mikrotik.com/product/RB962UiGS-5HacT2HnT) maybe? [Nope](https://forum.openwrt.org/t/mikrotik-hap-ac-tftp-kernel-image-booting-fixed-sfp-fixed-poe-in-fixed-poe-out-fixed-slow-switch-not-fixed/134302/34). Other options:
+
+ * SuperMicro has a series they call "IoT", e.g. [2 gbit 2SFP Xeon
+   SATA PCIe](https://www.supermicro.com/en/products/system/iot/mini-itx/sys-e200-12d-4c), a bit overkill, and not enough ports to act as a
+   switch
+ * Protectli has interesting series, e.g. [4x2.5gbit switch + wifi](https://ca.protectli.com/product/fw4c/)
+   and coreboot, but no SFP
+ * Qotom has a [4xSFP+ 5x2.5gbit beast](https://www.qotom.net/product/RouterPC_Q20331G9S10.html), but no wifi
+
+One option is to move the Omnia to the office and replace the core
+router with something beefier, and add a new AP downstairs.
+
+Another Omnia replacement is the replacement [Sophos series](https://www.sophos.com/en-us/products/unified-threat-management/tech-specs), which
+we were [recommended](https://forum.openwrt.org/t/recommendations-for-a-gigabit-bridge-possibly-with-sfp/177592/8?u=anarcat) the Sophos 105w Rev 3 and so on. It's
+surprisingly similar to the Omnia...
+
+[This 2021 review](https://homenetworkguy.com/review/opnsense-hardware-recommendations/) also includes Protectli and Qotom products,
+among others.
+
 [[!tag node]]
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index 7969d362..cc641dc0 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -290,29 +290,9 @@ how the [10GBASE-LX4](https://en.wikipedia.org/wiki/10_Gigabit_Ethernet#10GBASE-
  * four 1" PVC elbows: 4×[4.42$ at HD](https://www.homedepot.ca/product/carlon-schedule-40-grey-pvc-90-degree-1-in-elbow/1000410488) (17.68$)
  * safety tape, 200'×3": [11.98$ at HD](https://www.homedepot.ca/product/empire-3-inch-x-200-ft-danger-tape-in-red/1000836124)
  * SFP LC SMF module: [14$ at FS](https://www.fs.com/products/75335.html?attribute=1464&id=561932) and [19$ at FS](https://www.fs.com/products/75336.html) (33$)
- * wifi router: the Turris Omnia is [hard to find](https://forum.turris.cz/t/turris-omnia-availability/19478),
-   (e.g. [B/O at Amazon](https://www.amazon.com/Turris-hi-Performance-printserver-Virtual-Dual-core/dp/B07XCKK146)), they are saying they will publish a new
-   "entreprise-ready" board soon, in the meantime [Discomp has some in
-   stock and should ship internationally](https://www.discomp.cz/turris-omnia-2020-rtrom01-fcc-silver_d94042.html) for 262.95EUR or 390$CAD,
-   quite reasonable
+ * wifi router
  * total: 296.30 + about 400$ for a new router
 
-If we fail to get an Omnia, we need to [find a OpenWRT-supported SFP
-router](https://openwrt.org/toh/views/toh_sfp_ports). The [MicroTik hAP ac](https://mikrotik.com/product/RB962UiGS-5HacT2HnT) maybe? [Nope](https://forum.openwrt.org/t/mikrotik-hap-ac-tftp-kernel-image-booting-fixed-sfp-fixed-poe-in-fixed-poe-out-fixed-slow-switch-not-fixed/134302/34). Other options:
-
- * SuperMicro has a series they call "IoT", e.g. [2 gbit 2SFP Xeon
-   SATA PCIe](https://www.supermicro.com/en/products/system/iot/mini-itx/sys-e200-12d-4c), a bit overkill, not enough ports for a switch
- * Protectli has interesting series, e.g. [4x2.5gbit switch + wifi](https://ca.protectli.com/product/fw4c/)
-   and coreboot, but no SFP
- * Qotom has a [4xSFP+ 5x2.5gbit beast](https://www.qotom.net/product/RouterPC_Q20331G9S10.html), but no wifi
-
-One option is to move the Omnia to the office and replace the core
-router with something beefier, and add a new AP downstairs.
-
-Another Omnia replacement is the replacement [Sophos series](https://www.sophos.com/en-us/products/unified-threat-management/tech-specs), which
-we were [recommended](https://forum.openwrt.org/t/recommendations-for-a-gigabit-bridge-possibly-with-sfp/177592/8?u=anarcat) the Sophos 105w Rev 3 and so on. It's
-surprisingly similar to the Omnia...
-
 ### copper build
 
 The SFP/fiber requirement complicates significantly that setup so we
@@ -397,16 +377,6 @@ Notes:
  * [[hardware/rosa]] can serve as a replacement for the omnia if we
    don't want to get another U6
 
-Qotom might be cheaper, and the [Q190G4U S01](https://qotom.net/product/35.html) is about as simple as
-it gets, but it means buying on [Amazon.com](https://www.amazon.com/Q190G4U-S01-Celeron-Processor-onboard-Fanless/dp/B072FQQVLQ) which refuses to ship
-to Canada for this product, or [Aliexpress](https://fr.aliexpress.com/i/32919359402.html?gatewayAdapt=glo2fra) (280$, so not actually
-cheaper). Problem with Qotom is their model line is utterly confusing,
-for example I found the above on their site, but Aliexpress has [this
-model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure. Serve the home has a [good review](https://www.servethehome.com/the-everything-fanless-home-server-firewall-router-and-nas-appliance-qotom-qnap-teamgroup/)
-of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
-recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). [This 2021 review](https://homenetworkguy.com/review/opnsense-hardware-recommendations/) also
-includes Protectli and Qotom products, among others.
-
 Another build could be done with the Turris Mox:
 
  * MOX start, [101.49EUR](https://www.discomp.cz/turris-mox-start_d90848.html)

more hardware examples
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index 503fdb56..7969d362 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -402,7 +402,10 @@ it gets, but it means buying on [Amazon.com](https://www.amazon.com/Q190G4U-S01-
 to Canada for this product, or [Aliexpress](https://fr.aliexpress.com/i/32919359402.html?gatewayAdapt=glo2fra) (280$, so not actually
 cheaper). Problem with Qotom is their model line is utterly confusing,
 for example I found the above on their site, but Aliexpress has [this
-model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure.
+model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure. Serve the home has a [good review](https://www.servethehome.com/the-everything-fanless-home-server-firewall-router-and-nas-appliance-qotom-qnap-teamgroup/)
+of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
+recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). [This 2021 review](https://homenetworkguy.com/review/opnsense-hardware-recommendations/) also
+includes Protectli and Qotom products, among others.
 
 Another build could be done with the Turris Mox:
 

more matrix bots
diff --git a/blog/2022-06-17-matrix-notes.md b/blog/2022-06-17-matrix-notes.md
index 015d53de..a2483dad 100644
--- a/blog/2022-06-17-matrix-notes.md
+++ b/blog/2022-06-17-matrix-notes.md
@@ -847,8 +847,6 @@ there's still a good variety:
  * [maubot](https://github.com/maubot/maubot): generic bot with tons of usual plugins like sed, dice,
    karma, xkcd, echo, rss, reminder, translate, react, exec,
    gitlab/github webhook receivers, weather, etc
- * [opsdroid](https://github.com/opsdroid/opsdroid): framework to implement "chat ops" in Matrix,
-   connects with Matrix, GitHub, GitLab, Shell commands, Slack, etc
  * [matrix-nio](https://github.com/poljar/matrix-nio): another framework, used to build [lots more
    bots](https://matrix-nio.readthedocs.io/en/latest/examples.html) like:
    * [hemppa](https://github.com/vranki/hemppa): generic bot with various functionality like weather,
@@ -859,6 +857,12 @@ there's still a good variety:
    * [podbot](https://github.com/interfect/podbot): play podcast episodes from AntennaPod
    * [cody](https://gitlab.com/carlbordum/matrix-cody): Python, Ruby, Javascript REPL
    * [eno](https://github.com/8go/matrix-eno-bot): generic bot, "personal assistant"
+   * [ChatGPT](https://github.com/h1ddenpr0cess20/infinigpt-matrix) and [Ollama](https://github.com/h1ddenpr0cess20/ollamarama-matrix) AI chat bots
+   * [reminder bot](https://github.com/anoadragon453/matrix-reminder-bot)
+   * [opsdroid](https://github.com/opsdroid/opsdroid): framework to implement "chat ops" in Matrix,
+     connects with Matrix, GitHub, GitLab, Shell commands, Slack, etc
+   * [commander](https://github.com/8go/matrix-commander): CLI interface
+   * [full list](https://matrix-nio.readthedocs.io/en/latest/examples.html#projects-built-with-nio)
  * [mjolnir](https://github.com/matrix-org/mjolnir): moderation bot
  * [hookshot](https://github.com/Half-Shot/matrix-hookshot): bridge with GitLab/GitHub
  * [matrix-monitor-bot](https://github.com/turt2live/matrix-monitor-bot): latency monitor

gtklock entered debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 1dd63967..5b4eb0cc 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -809,7 +809,7 @@ as xss-lock and xsecurelock.
 That, unfortunately, does *not* include the fancy "hacks" provided by
 xscreensaver, and that is [unlikely to be implemented upstream][].
 
-Other alternatives include [gtklock][] ([RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052418)) and [waylock][] (zig), which
+Other alternatives include [gtklock][] ([in Debian](https://tracker.debian.org/pkg/gtklock)) and [waylock][] (zig), which
 do not solve that problem either.
 
 It looks like [swaylock-plugin][], a swaylock fork, which at least

more death notes i found
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index 61be211f..78f677ec 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -210,5 +210,23 @@ As #RobertJordan writes: "Ages come and pass, leaving memories that become legen
 
 https://daniel.haxx.se/blog/2024/02/07/contingency-planning-for-me-and-curl/
 
+# archiveteam
+
+a million ways to die on the web https://wiki.archiveteam.org/index.php/A_Million_Ways_to_Die_on_the_Web
+
+# vim death
+
+https://groups.google.com/g/vim_dev/c/dq9Wu5jqVTw
+
+https://getyourshittogether.org/
+
+
+"death book": https://www.bogleheads.org/forum/viewtopic.php?t=119346
+
+"sealed notary": https://news.ycombinator.com/item?id=37076703
+
+https://longnow.org/ideas/digital-avatars-and-our-refusal-to-die/
+
+
 [[!tag draft]]
 

add curl note, mark as draft
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index ce502367..61be211f 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -205,3 +205,10 @@ As #RobertJordan writes: "Ages come and pass, leaving memories that become legen
 
 @jgoerzen our seemingly infinite capacity at storage is, in other words, at odds with our capacity at telling what really matters, and what should really be kept around forever
 
+
+# curl plans
+
+https://daniel.haxx.se/blog/2024/02/07/contingency-planning-for-me-and-curl/
+
+[[!tag draft]]
+

link to noctua's fan list
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 01388297..42bf28e8 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -126,7 +126,7 @@ spec'd at 45dB. That fan is a weird construction that has a 92x25mm
 fan inside an enclosure that directs the airflow, see [FAN-0076L4](https://store.supermicro.com/us_en/92mm-fan-0076l4.html)
 for the detailed specs. I asked Supermicro if they had a better
 replacement fan, and so far they just keep pointing me at that fan. So
-I asked Noctua if their fans would fit.
+I asked Noctua if [their fans](https://noctua.at/en/products/fan) would fit.
 
 ## 2020 Replacement
 

chase URL for case specs
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 660cc192..01388297 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -32,7 +32,7 @@ particulier [[services/mail]] et [[services/backup]].
 
 The server is also backed by a UPS, a [APC 1500VA BX1500m](https://www.apc.com/ca/en/product/BX1500M/apc-back-ups-1500-compact-tower-1500va-120v-avr-lcd-10-nema-outlets-5-surge/).
 
-[CSE-733TQ-500B]: https://www.supermicro.com/en/products/chassis/tower/733/SC733TQ-500B
+[CSE-733TQ-500B]: https://www.supermicro.com/en/products/archive/chassis/SC733TQ-500B
 [300$]: http://www.atic.ca/index.php?page=details&psku=63796
 [ASUS PRIME X470-PRO]: https://www.asus.com/us/Motherboards/PRIME-X470-PRO/
 [187$]: http://www.atic.ca/index.php?page=details&psku=196101

case fan was the problem, oops
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 1e62ca2d..660cc192 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -120,6 +120,14 @@ I have also considered:
    MemoryExpress, more expensive ([75$ at amazon](https://www.amazon.ca/dp/B00TBHYYFK), [NH-D9L is
    70$](https://www.amazon.ca/Noctua-NH-D9L-Premium-Cooler-NF-A9/dp/B00QCEWTAW))
 
+Update: I ordered the NH-D9L and installed it and immediately realized
+the problem was actually not the CPU fan, but the board fan, which is
+spec'd at 45dB. That fan is a weird construction that has a 92x25mm
+fan inside an enclosure that directs the airflow, see [FAN-0076L4](https://store.supermicro.com/us_en/92mm-fan-0076l4.html)
+for the detailed specs. I asked Supermicro if they had a better
+replacement fan, and so far they just keep pointing me at that fan. So
+I asked Noctua if their fans would fit.
+
 ## 2020 Replacement
 
 In 2020, hardware for marcos was swapped out into a new box.

Archival link:

The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.

Created . Edited .