Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on GitLab:

git clone http://gitlab.com/anarcat/anarc.at.git
rsync.net borg configuration
diff --git a/services/backup.mdwn b/services/backup.mdwn
index d5f81e1e..62a59a05 100644
--- a/services/backup.mdwn
+++ b/services/backup.mdwn
@@ -611,6 +611,132 @@ Then the object store is added and fetched:
 The first line is critical: `initremote` might create a new encryption
 key instead of reusing the existing one?
 
+## rsync.net backups
+
+rsync.net is quirky. they h ave an old borg version so you need to
+specify:
+
+    export BORG_REMOTE_PATH=/usr/local/bin/borg1/borg1
+
+otherwise you get all sorts of warnings and, ultimately, can't
+actually backup. They also do daily snapshots which is not super
+useful with borg.
+
+Then it's kind of weird to figure out where to connect. You need to
+login to https://www.rsync.net/ then click on the `FMT` link that will
+show you a hostname to connect to, which is *also* your username. Then
+everything happens over SSH, for example you can look at your quota
+with:
+
+    ssh fm1234@fm1234.rsync.net quota
+
+My username, for example, is `fm1234` (redacted) above.
+
+They have nice server-side ZFS snapshots but that's not very useful
+for me as I do not want to trust them with my cleartext data, so I use
+borg for my backups. The magic borg URL is something like:
+
+    export BORG_REPO="ssh://fm1234@fm1234.rsync.net/data1/home/fm1234/borg-marcos"
+
+First backup is relatively fast, but doesn't quite saturate my uplink
+(~5-10mbps vs 50mbps), not sure where that bottleneck is, could be the
+local disk as well. Here is the server-side backup:
+
+```
+------------------------------------------------------------------------------
+Repository: ssh://fm1234@fm1234.rsync.net/data1/home/fm1234/borg-marcos
+Archive name: marcos-auto-2024-07-03T15:58:38
+Archive fingerprint: 062f69b4a6692a09ba6f8cf41e9297c37599e93b77bd1e7de14373bef5d97459
+Time (start): Wed, 2024-07-03 15:58:49
+Time (end):   Thu, 2024-07-04 00:18:29
+Duration: 8 hours 19 minutes 39.56 seconds
+Number of files: 2123411
+Utilization of max. archive size: 1%
+------------------------------------------------------------------------------
+                       Original size      Compressed size    Deduplicated size
+This archive:              204.00 GB            129.49 GB            114.67 GB
+All archives:              204.00 GB            129.49 GB            114.72 GB
+
+                       Unique chunks         Total chunks
+Chunk index:                 1791565              2170349
+------------------------------------------------------------------------------
+```
+
+Another incremental run was of course much faster:
+
+```
+------------------------------------------------------------------------------
+Repository: ssh://fm1234@fm1234.rsync.net/data1/home/fm1234/borg-marcos
+Archive name: marcos-auto-2024-07-04T13:34:44
+Archive fingerprint: 17a50d859f600af29185b4332c1f274f650d303f5aec1157a67643f4ef1b1c4f
+Time (start): Thu, 2024-07-04 13:35:00
+Time (end):   Thu, 2024-07-04 13:42:25
+Duration: 7 minutes 24.86 seconds
+Number of files: 2123656
+Utilization of max. archive size: 1%
+------------------------------------------------------------------------------
+                       Original size      Compressed size    Deduplicated size
+This archive:              204.10 GB            129.51 GB            506.07 MB
+All archives:              408.10 GB            259.00 GB            115.22 GB
+
+                       Unique chunks         Total chunks
+Chunk index:                 1792561              4330539
+------------------------------------------------------------------------------
+```
+
+Here, obviously, bandwidth is not the bottleneck, we're probably
+blocked by disk I/O, specifically walking the directories. The
+resulting bandwidth, for the above 506MB/7m25s, is 1.1MB/s.
+
+The laptop job aborted halfway (after 4.32GB and 16 hours), but that
+might be because the laptop went to sleep: indeed, the process
+terminated when I came back in the office... The final status was:
+
+```
+------------------------------------------------------------------------------
+Repository: ssh://fm1234@fm1234.rsync.net/data1/home/fm1234/borg-angela
+Archive name: angela-2024-07-04T09:48:18.194260
+Archive fingerprint: c58891e2a915a0145bd990861eaf702687747a8bf6549a612b7bce52386b382d
+Time (start): Thu, 2024-07-04 09:49:44
+Time (end):   Thu, 2024-07-04 12:27:20
+Duration: 2 hours 37 minutes 35.71 seconds
+Number of files: 2354887
+Utilization of max. archive size: 1%
+------------------------------------------------------------------------------
+                       Original size      Compressed size    Deduplicated size
+This archive:              149.95 GB            117.18 GB             49.81 GB
+All archives:              150.32 GB            117.27 GB            102.98 GB
+
+                       Unique chunks         Total chunks
+Chunk index:                 1841394              3576009
+------------------------------------------------------------------------------
+```
+
+Note that during the first full backup, both backups were running in
+parallel so that has also impacted performance.
+
+The incremental on the laptop had similar performance:
+
+```
+------------------------------------------------------------------------------
+Repository: ssh://fm1702@fm1702.rsync.net/data1/home/fm1702/borg-angela
+Archive name: angela-2024-07-04T13:48:48.403736
+Archive fingerprint: a036c2cc424340b77744cd97cb35c461a69743154c28cfbb3a7538b40e64b246
+Time (start): Thu, 2024-07-04 13:49:08
+Time (end):   Thu, 2024-07-04 13:57:54
+Duration: 8 minutes 45.95 seconds
+Number of files: 2354928
+Utilization of max. archive size: 1%
+------------------------------------------------------------------------------
+                       Original size      Compressed size    Deduplicated size
+This archive:              149.96 GB            117.18 GB            471.51 MB
+All archives:              300.28 GB            234.45 GB            103.46 GB
+
+                       Unique chunks         Total chunks
+Chunk index:                 1842235              5951877
+------------------------------------------------------------------------------
+```
+
 ## References
 
 Borg:
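
Review bot: The redaction is incomplete in the last output block (the laptop incremental), which shows `ssh://fm1702@fm1702.rsync.net/data1/home/fm1702/borg-angela` while every other command and output uses `fm1234` and the text calls that username redacted. If `fm1702` is the real account name, replace it before publishing, keeping in mind that the value stays in the git history. Two smaller points in the same hunk: "h ave" in the first paragraph is a typo, and the laptop paragraph says the job aborted "after 4.32GB and 16 hours" while the status block under it reports a duration of 2 hours 37 minutes and 49.81 GB deduplicated, so it should say which run those figures describe.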

rewire phone page to show current status first
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index ede191a7..1479a4f1 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -8,6 +8,192 @@ phones as well:
 
 [[!toc levels=2]]
 
+# Current phone
+
+2024: I have given up and switched to Pixels, see
+[[blog/2021-01-13-new-phone]] for details. I have used a Pixel 4a
+which had a flaky screen after a year and switched to a 6a. I liked
+the 4a but the 6a is too large. I used the "Google" case for the phone
+at first but switched to [Spigen Liquid Air](https://www.spigen.com/collections/pixel-6-series-case-collection/products/pixel-6-series-case-liquid-air?variant=41718301524015) case that seems to
+work well so far.
+
+# Previous phones
+
+## HTC One S
+
+See [[htc-one-s]] for config details. [Specs](http://www.gsmarena.com/htc_one_s-4574.php):
+
+ * Dual-core 1.5 GHz Krait
+ * 16 GB, 1 GB RAM
+ * 8 MP, autofocus, LED flash, check quality
+ * FM radio, RDS
+ * Wi-Fi 802.11 b/g/n, DLNA, hotspot
+ * A-GPS
+ * Non-removable battery, Up to 317 h, talk up to 10 h 30 min
+ * 130.9 x 65 x 7.8 mm (5.15 x 2.56 x 0.31 in)
+ * 119.5 g (4.20 oz)
+ * 4.3" (~59.9% screen-to-body ratio)
+
+## HTC Dream
+
+The [[!wikipedia HTC Dream]] was the first commercial Android phone. It still works, although it is a little old and buggy here.
+
+### Android / Cyanogenmod support
+
+One of the issues with the device is that it doesn't (or can't!) run more recent Android releases, which basically means no software support. It runs Android 2.2 / CM 6.1!
+
+ * [porting 2.3/CM 7 to it](http://forum.cyanogenmod.com/topic/13579-gingerbread-on-the-magicdream/)
+ * [android 4.1 / CM 10 ported??](http://www.theverge.com/2012/8/9/3229163/android-4-1-ported-to-the-venerable-htc-g1)
+ * [CM homepage for dream](http://wiki.cyanogenmod.org/w/Dream_sapphire_Info)
+
+### podcasting
+
+One of the thing that's missing is podcasting, various ideas:
+
+ * [volksempfaenger](https://play.google.com/store/apps/details?id=net.x4a42.volksempfaenger) (android 4.0+?, [not on fdroid yet](http://f-droid.org/forums/topic/volksempfanger-podcast-app/)
+ * Antennapod, android 2.3.3+ [fdroid](http://f-droid.org/repository/browse/?fdcategory=Multimedia&fdid=de.danoeh.antennapod&fdpage=1)
+ * <http://www.doggcatcher.com/>
+
+## Nokia n900
+
+The [[!wikipedia Nokia_N900]] was a great machine, but those machines
+are now so dead: no more software support from Nokia... and the
+hardware is somewhat slow. There's [Neo900](http://neo900.org/), a
+plan to rebuild a new phone based on the same case, but that's not yet
+shipping.
+
+I have two n900 machines, both have their SIM card socket broken now,
+either desoldered or some other broken thing. [Wikipedia says this can
+be fixed by resoldering][], and there are two references online:
+
+* <http://talk.maemo.org/showthread.php?p=1154781#post1154781>
+* <https://www.jabawok.net/?p=14>
+
+ [Wikipedia says this can be fixed by resoldering]: https://en.wikipedia.org/wiki/Nokia_N900#Known_issues
+
+ * 600MHz Cortex A8
+ * 32GB, 256MB ram
+ * 5MP
+ * FM radio and transceiver(!)
+ * Wi-Fi 802.11 b/g, DLNA
+ * A-GPS
+ * Removeable battery
+ * 3.5" (800 x 480 pixels)
+ * 110.9 x 59.8 x 18 mm, 181g
+
+## Partial inventory
+
+ * HTC Dream: works?
+ * LG GB255g: old flip phone, good condition
+ * Kyocera M2000: dead battery, slide keyboard, public mobile
+ * 2x Nokia n900: broken sim card readers?
+ * LG P999DW: old android, broken screen, still works!
+ * HTC One S: broken wifi (drivers?), no more lineage OS support,
+   rooted
+ * LG G3 d852: not rooted, on "stolen or lost" list so unusable as a
+   phone
+
+# Features
+
+Those features are nice to have. Unfortunately, they are now showing
+their age and might not be relevant anymore.
+
+## FM support
+
+FM support in newer smartphones in spotty at best. According to [pdadb.net](http://pdadb.net/index.php?m=pdachooser), only 35 phones (out of 4111) have FM support. Amongst those, only 4 run android.
+
+## External keyboard
+
+Less rare in newer phones, real keyboards are still hard to find. Out of the 4111 android phones in the padb.net inventory, only 229 have actual keyboards, and often those are only regular phone keyboards, not actual QWERTY keyboards.
+
+## Liberated baseband
+
+The "[[!wikipedia Baseband processor]]" in a phone is a second processor in the phone that handles phone calls. Very often, and in fact in almost all cases, this is proprietary hardware and software that is hidden from the main processor, as a black box. So even if you manage to install free software (like cyanogenmod) on an Android device, you are still stuck with this [problematic backdoor](http://www.extremetech.com/computing/170874-the-secret-second-operating-system-that-could-make-every-mobile-phone-insecure).
+
+Note that there is also software in the SIM card, which makes it three different operating systems running at once in your phone.
+
+Some people are trying to fix this:
+
+* [Osmocom](http://osmocom.org/) is a
+  [collection of projects](http://openbsc.osmocom.org/trac/wiki/OsmocomOverview)
+  that try to attack various communication projects, with
+  [OpenBTS](http://cgit.osmocom.org/cgit/osmo-bts/) attacking GSM in
+  particular
+* [lima](http://limadriver.org/) and
+  [freedreno](http://freedreno.github.io/) are attacking the graphics stack
+
+.. but it's not in a phone yet. Ideally, a phone would just be another
+general purpose computer, radio included, so that you'd have a simple
+[SDR](https://en.wikipedia.org/wiki/Software-defined_radio) that you
+would program GSM, FM, AM, CB, or whatever protocol acronym you would
+fancy on top of that, all in software.
+
+## Roaming and frequency support
+
+What a nightmare... since [3G](https://en.wikipedia.org/wiki/3G) came
+up, there's all sorts of very different frequencies for different
+providers *and* for different
+countries. [This map](http://www.worldtimezone.com/gsm.html) has a
+good explanation of the world-wide coverage bands...
+
+See also [the canada coverage map](http://maps.mobileworldlive.com/network.php?cid=170&cname=Canada)
+to figure out exactly what protocols and what frequencies a provider
+uses.
+
+All numbers are in MHz unless otherwise noted.
+
+### 2G
+
+* Europe: 900, 1800
+* Americas: 850, 1900 (except east of south-america)
+
+### 3G
+
+It gets complicated here. But in general:
+
+* Europe: 900, 2100
+* Americas: 850 ([Rogers][], [Bell][Bell 3G]), 1700 (Vidéotron), 1900
+  ([Rogers][], [Bell][Bell 3G]). the three big networks seem to
+  support HSDPA, HSPA+, UMTS or W-CDMA, and only Rogers not supporting
+  EV-DO
+  ([source](https://community.koodomobile.com/koodo/topics/the_big_three_canadian_network_frequencies))
+
+See the
+[source table](https://en.wikipedia.org/wiki/UMTS_frequency_bands#Deployments_by_region_.28UMTS-FDD.29)
+for this.
+
+ [Bell 3G]: http://support.bell.ca/Mobility/Smartphones_and_mobile_internet/Will_my_mobile_phone_or_smartphone_work_on_the_Bell_network
+
+### 4G
+
+Also known as `LTE`, `E-UTRA`, this is where it gets pretty messy.
+
+* Asia: 800, 1800, 2600 (bands 1, 3, 5, 7, 8, 11, 13, 40)
+* Europe: 700, 800, 900, 1800, 2600 (bands 3, 7, 20)
+* Australia: 1800, 2300 (bands 3, 40)
+* America: 700, 750, 800, 850, 1900, 1700/2100 (AWS/[Vidéotron][]), 2500, 2600
+  ([Rogers][], [Bell][]) (bands 2, 4, 7, 12, 13, 17, 25,
+  26, 41, 66)
+* S. America: 2500
+
+See also the [source][lte-frequency-bands] for the above and the [explicit deployment
+chart](https://en.wikipedia.org/wiki/LTE_frequency_bands#Deployments_by_region). Basically, we need one (or many?) of those:
+
+[lte-frequency-bands]: https://en.wikipedia.org/wiki/LTE_(telecommunication)#Frequency_bands
+
+* base 4, 7 (1700/2100, 2600 MHz: [Bell][], [Rogers][]/[Fido][], others?)
+* base 10 (700 MHz: [Vidéotron][])
+* base 13 (700 MHz: [Bell][], [Vidéotron][], Telus)
+* base 17 (700 MHz: [Bell][], [Rogers][]?/[Fido][])
+
+See also [this post on koodoo](https://community.koodomobile.com/koodo/topics/the_big_three_canadian_network_frequencies) (dead link, no archive). [This
+inventory of bands per provider in Canada/US](https://www.signalbooster.com/pages/what-are-the-cellular-frequencies-of-cell-phone-carriers-in-usa-canada) is useful as well.
+
+ [Fido]: http://www.fido.ca/web/content/phonewarranty/configure_unlocked_device_guide&lang=fr
+ [Rogers]: http://www.rogers.com/web/support/wireless/unlock/479?setLanguage=en
+ [Vidéotron]: http://soutien.videotron.com/residentiel/mobile/appareils/limite-soutien-en-telephonie-mobile
+ [Bell]: https://en.wikipedia.org/wiki/Bell_Mobility#LTE
+
 # Places to buy
 
  * [Bestbuy](https://www.bestbuy.ca/en-ca/category/unlocked-android-phones/743360.aspx?)
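
Review bot: The "External keyboard" paragraph spells the inventory `padb.net` while the "FM support" paragraph links it as `pdadb.net`, and it calls the 4111 entries "android phones" where the FM paragraph counts 4111 phones of which only 4 run android; make the two paragraphs agree. In the same hunk, "FM support in newer smartphones in spotty" should read "is spotty", the volksempfaenger bullet opens a parenthesis at "(android 4.0+?" that is never closed, and the 4G list says "base 4, 7", "base 10" and so on where the surrounding text talks about bands. The Osmocom bullet labels its link "OpenBTS" but the URL points at `osmo-bts`; check which project is meant.
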
@@ -172,18 +358,10 @@ incredibly. repairable, IPX rating. seems like a fat phone though.
 ### Pixels
 

(Diff truncated)
setext headings
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index f777de51..ede191a7 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -8,8 +8,7 @@ phones as well:
 
 [[!toc levels=2]]
 
-Places to buy
-=============
+# Places to buy
 
  * [Bestbuy](https://www.bestbuy.ca/en-ca/category/unlocked-android-phones/743360.aspx?)
  * [B&H](https://www.bhphotovideo.com/c/buy/smartphones/ci/24039/N/3955685938)
@@ -19,8 +18,7 @@ Places to buy
  * [Recy-cell](https://recy-cell.ca/) (used phones)
  * [Tiger Direct](http://www.tigerdirect.ca/applications/category/category_tlc.asp?CatId=5116) - not a great selection
 
-Potential phones
-================
+# Potential phones
 
 Must-have criteria:
 
@@ -44,8 +42,7 @@ Nice to have:
  * removable battery
  * "fair" sourced materials
 
-Picking a phone
----------------
+## Picking a phone
 
 Picking a phone is hard with all those restrictions. The `#lineageos`
 folks are legendary for not helping you choose your phone but have
@@ -137,18 +134,15 @@ Canada (voir ci-bas) et j'ai fait une [demande](https://forum.fairphone.com/t/bu
 Update: j'ai acheté un Fairphone 2 chez Ecosto, pour ~500$CAD, voir
 [[fairphone2]] pour les détails.
 
-Fairphone 2
------------
+## Fairphone 2
 
 Moved to [[fairphone2]].
 
-Fairphone 3
------------
+## Fairphone 3
 
 Moved to [[fairphone3]].
 
-Fairphone 4 and 5
--------------------
+## Fairphone 4 and 5
 
 Fairphone keeps pushing new phones out and I can't really keep track
 anymore.
@@ -156,13 +150,11 @@ anymore.
 Note that the Fairphone 4 has come out and recently has teamed up with
 [Murena](https://murena.com/) (AKA /e/) to [ship phones in the US](https://arstechnica.com/gadgets/2023/07/fairphone-is-coming-to-america/).
 
-Murena 2
----------
+## Murena 2
 
 Murena is doing their own crowdfunding for a [new phone](https://www.kickstarter.com/projects/murena/murena-2-switch-your-privacy-on/).
 
-Purism Librem 5
----------------
+## Purism Librem 5
 
 In development at the time of writing (2019-02-21), might ship in
 "april 2019" according to their website but according to their [latest
@@ -175,8 +167,7 @@ still don't have a finished device.
 [shiftphone 8](https://www.shift.eco/en/shiftphone-8-status-page-2/) will have [mainline support](https://www.phoronix.com/news/SHIFTphone-8-Linux-Patches),
 incredibly. repairable, IPX rating. seems like a fat phone though.
 
-Google
-------
+## Google
 
 ### Pixels
 
@@ -215,8 +206,7 @@ to work well so far.
 
 No external keyboard, no FM transmitter?
 
-Motorola
---------
+## Motorola
 
 Motorola is an interesting company. They made the first ever cell
 phone and are the first company to [provide iFixit with OEM parts](https://ifixit.org/blog/11644/motorola-ifixit-partnership/),
@@ -236,8 +226,7 @@ sealed. The only problem might be the lower battery life and the lower
 resolution camera, when compared with the XA2. The body is about the
 same size as the G3 and the screen is smaller, unfortunately.
 
-Samsung
--------
+## Samsung
 
 Generally well supportedin LOS. The S7 has [good reviews](https://forum.xda-developers.com/galaxy-s7/review) but
 hasn't been ported to the newer LOS 15.1. The [S9](https://wiki.lineageos.org/devices/starlte) is better and
@@ -249,8 +238,7 @@ flashing a Samsung tablet, I'm wary of struggling against my hardware
 manufacturer to have the freedom to install what I want on them. See
 [this post for a hint](https://community.e.foundation/t/glaxay-s9-e-version-confusion/18076/27).
 
-Sony
-----
+## Sony
 
 The [XA2](https://wiki.lineageos.org/devices/pioneer) looks well maintained in LOS, and looks like generally a
 nice phone. The [reviews](https://forum.xda-developers.com/xperia-xa2/review) are generally positive, except for the
@@ -259,8 +247,7 @@ camera. The XA2 is 5.2", the Ultra is 6.0" ([comparative](https://www.gsmarena.c
 Another big downside is the repairability: you need a hot-air gun even
 to just remove the back cover, according to [this video](https://www.ifixit.com/Teardown/Sony+Xperia+XA2+Teardown/110666).
 
-Xiaomi
-------
+## Xiaomi
 
 Those make the fame [Pocophone F1](https://en.wikipedia.org/wiki/Xiaomi_Pocophone_F1) which I'm avoiding mostly
 because of the notch but also [difficult battery access](https://www.youtube.com/watch?v=L5VWWba0coY&feature=youtu.be). It's also
@@ -274,8 +261,7 @@ supported until 14. It's unclear how repairable those last three are.
 
 Xiaomi devices are also hard to find at usual locations.
 
-Cosmo communicator
-------------------
+## Cosmo communicator
 
 Huge phone running android, flip keyboard, 24MP camera, super powerful
 but expensive.
@@ -284,19 +270,15 @@ https://www.indiegogo.com/projects/cosmo-communicator
 
  * Size: 17.14(W) x 7.93cm(D) x 1.6(H)cm
 
-
-Gemini & other PDAs
--------------------
+## Gemini & other PDAs
 
 See [[laptop#gemini]].
 
-2015 phones evaluation
-======================
+# 2015 phones evaluation
 
 This is getting incredibly out of date.
 
-Fairphone 1
------------
+## Fairphone 1
 
 The [[!wikipedia Fairphone]] is a really interesting project:
 
@@ -326,8 +308,7 @@ Downside: it doesn't have an FM transmitter and the [baseband isn't
 open](https://forum.fairphone.com/t/fairphone-baseband-os-firmware/1228), but that's pretty much the case for all phones out there
 right now.
 
-Samsung Galaxy S3
------------------
+## Samsung Galaxy S3
 
 [[!wikipedia Samsung_Galaxy_S_III]] - an interesting device:
 
@@ -349,8 +330,7 @@ No FM transmitter, no external keyboard.
 
 The S4 is similar, but one generation newer so better battery and faster LTE support (100mbps!), but at a slightly higher cost (140$ used vs 50-100$).
 
-Elephone
---------
+## Elephone
 
 Very interesting phones: they are
 [actively porting Cyanogenmod to their stack](http://www.elephone.cc/news/Elephone-port-CyanogenMod-121-to-Mediatek-phone/)
@@ -551,20 +531,17 @@ News:
  * [Digital trends: Why Nokia made an Android phone it wants you to
    tear apart](https://www.digitaltrends.com/mobile/hmd-global-nokia-g22-quickfix-nokia-c32-nokia-c22-mwc-2023-news/)
 
-Other no-names
---------------
+## Other no-names
 
 There are tons of other generic phones out there. A friend got
 [this cubot phone](http://www.everbuying.net/product1055309.html)
 which will be a good test for the 3G and 4G support.
 
-Vaporware
-=========
+# Vaporware
 
 Those phones were nice ideas but never shipped.
 
-Phoneblocks
------------
+## Phoneblocks
 
 [[!wikipedia Phonebloks]] is the idea of a modular phone that could be easily fixable and field-upgradable. It was turned into a [discussion forum](https://phonebloks.com/) around 2013 by Motorola and Google in favor of their [[!wikipedia Project Ara]] scheduled for release in January 2015.
 
@@ -572,31 +549,27 @@ Here's a [pretty homepage](http://www.projectara.com/) (site dead, [archive](htt

(Diff truncated)
turns out "secure" also means "incompatible"
diff --git a/hardware/svetlana.md b/hardware/svetlana.md
index 45ca9ab2..25635c68 100644
--- a/hardware/svetlana.md
+++ b/hardware/svetlana.md
@@ -51,6 +51,11 @@ Did the following config:
  5. configured WPA password
  6. manually tuned radio channels and power
 
+Update, 2024-07-01: Tweaked the wifi security down from WPA2/WPA3
+mixed to WPA/WPA2 because a Nintendo Switch couldn't even *see* the
+access point. An old iMac also had trouble connecting, but I couldn't
+confirm if the issue was related as I haven't retried that.
+
 According to <https://fast.com> and <https://speed.cloudflare.com/>, this
 hotspot can saturate my uplink (130/30mbps) but with some bufferbloat
 (14 vs 63ms loaded).
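
Review bot: The update does not say whether WPA2-only was tried before settling on WPA/WPA2. Leaving "WPA2/WPA3 mixed" drops WPA3 for every client, and the WPA/WPA2 setting additionally enables the original WPA, so if the Switch can see the access point with WPA2 alone that would be the smaller downgrade; please record which modes were tested. Step 5 of the list above still only says "configured WPA password", so it may be worth stating the resulting mode there as well.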

another bookmark thing
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index 67f117c9..57433f64 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -75,6 +75,7 @@ This also overlaps with bookmarking software like:
  * [apollo](https://github.com/amirgamil/apollo)
  * [archivebox](https://archivebox.io/) (previously called [bookmark-archiver](https://pirate.github.io/bookmark-archiver/))
  * [archivy](https://archivy.github.io/)
+ * [betula](https://betula.mycorrhiza.wiki/) - federated delicious-like
  * [bookmarkos](https://bookmarkos.com/)
  * [braintool](https://braintool.org/)
  * [browsersync](https://www.xbrowsersync.org/)

another important computing woman
diff --git a/services/dns.mdwn b/services/dns.mdwn
index beefe303..f1a9cc4c 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -209,6 +209,8 @@ Les noms suivants pourraient être utilisés pour de futures machines:
  * [Viola Desmond][] - challenged racial segregation in Canada
  * [Ada Lovelace][] - first programmer
  * [Grace Hopper][] - inventor of the compiler and linker
+ * [Lynn Conway][] - VLSI inventor, fired by IBM when coming out as
+   trans in 1968, rebuilt her carreer from scratch, died in 2024
  * [Séverine][] - journaliste, féministe, première femme à diriger un
    grand quotidien en France
  * [Sister Rosetta Tharpe][] - "first great recording star of gospel
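
Review bot: Typo in the added Lynn Conway entry: "carreer" should be "career".
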
@@ -247,6 +249,7 @@ tout aussi importantes...
 [Phillis Wheatley]: https://en.wikipedia.org/wiki/Phillis_Wheatley
 [Anahareo]: https://en.wikipedia.org/wiki/Anahareo?wprov=sfla1
 [Evelyn Berezin]: https://en.wikipedia.org/wiki/Evelyn_Berezin
+[Lynn Conway]: https://en.wikipedia.org/wiki/Lynn_Conway
 
 Relié
 =====

add another tablet
diff --git a/hardware/tablet.mdwn b/hardware/tablet.mdwn
index 08e9f8a6..a8509063 100644
--- a/hardware/tablet.mdwn
+++ b/hardware/tablet.mdwn
@@ -347,6 +347,15 @@ HDMI, 2x USB-C, micro SD, headphone jack, secure boot, LVFS, coreboot,
 512GB - 2TB SSD, 16GB DDR5, 2x 2k camera, 12h battery life, ubuntu
 supported out of the box, 600-900$, not yet available.
 
+pollo called it "underpowered"
+
+## Minisforum
+
+https://www.minisforum.com/page/v3/
+
+touch screen is not wacom, so less reliable, otherwise nice tech,
+high-end AMD CPU, can be used as an external monitor.
+
 ## Sony
 
 Sony has a [Xperia Z2 tablet](https://en.wikipedia.org/wiki/Sony_Xperia_Z2_tablet) that was recommended on the `#tech`
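
Review bot: The line "pollo called it "underpowered"" is appended to the previous section with no link and no indication of which device "it" refers to; attach it to the sentence it comments on or name the device. The new Minisforum section also uses a bare URL where the neighbouring sections, such as Sony just below, use inline markdown links with a label.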

another book inventory tool
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index 74937b43..67f117c9 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -63,6 +63,7 @@ Possible alternatives
 Possible alternatives to zotero and/or wallabag include:
 
  * [i librarian](https://i-librarian.net/)
+ * [inventaire](https://inventaire.io/) - book sharing/inventory app with an open data aspect
  * [jabref](http://www.jabref.org/)
  * [lesana](https://lesana.trueelena.org/), includes a [GTK](https://git.sr.ht/~fabrixxm/Collector) and [web interface](https://git.sr.ht/~fabrixxm/lesanaweb)
  * [papis](https://github.com/papis/papis)

i'm testing neomutt again
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index e9b93796..cb8c3128 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -401,7 +401,20 @@ flags to signal:
 
 ## Email: notmuch
 
-See Emacs, below.
+I'm using [notmuch](https://notmuchmail.org/) to manage my email firehose, and currently use
+the Emacs frontend ([notmuch-emacs](https://notmuchmail.org/notmuch-emacs/)).
+
+I've been a little uncomfortable exposing Emacs to the arbitrary input
+from the network that Email essentially is. This has shown to be
+particularly problematic with the handling of an org-mode
+vulnerability providing remote code execution ([CVE-2024-39331](https://security-tracker.debian.org/tracker/CVE-2024-39331)),
+with a [botched disclosure](https://lwn.net/ml/all/87wmmguk44.fsf@localhost/).
+
+So (starting in June 2024) I've been testing [neomutt](neomutt.org/) since it has
+[notmuch patches](https://neomutt.org/feature/notmuch) that allow somewhat clunky access to my notmuch
+database. So far, it's a learning curve, but it works.
+
+See also Emacs, below.
 
 ## File manager: thunar
 
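
Review bot: The link target in `[neomutt](neomutt.org/)` has no scheme, so it will be resolved as a path relative to the wiki page instead of the external site; use `https://neomutt.org/`, as the notmuch patches link on the following line already does.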

add nuphy keyboards, found on hackernews somewhere
diff --git a/hardware/keyboard.mdwn b/hardware/keyboard.mdwn
index e4dbbfef..a82a7831 100644
--- a/hardware/keyboard.mdwn
+++ b/hardware/keyboard.mdwn
@@ -376,6 +376,28 @@ feedback, trackballs.
 This is a pretty TKL keyboard, the [Multics](https://vortexgear.store/en-ca/products/multix?variant=43056025993379). Not sure about the Fn
 key on the right though.
 
+## Nuphy
+
+[Nuphy](https://nuphy.com/) has interesting mechanical keyboards, with a special focus on the
+sound and design of the keyboards.
+
+They have QMK-compatible firmware and pretty designs, with slim and
+TKL keyboards.
+
+rtings reviewed [five models](https://www.rtings.com/keyboard/tools/table/141136) and outlined:
+
+ * [Halo75 v2](https://nuphy.com/collections/keyboards/products/halo75-v2-qmk-via-wireless-custom-mechanical-keyboard): "[Best Mid-Range Mechanical Keyboard](https://www.rtings.com/keyboard/reviews/best/mechanical)" ([full review](https://www.rtings.com/keyboard/reviews/nuphy/air75-v2-air60-v2-air96-v2))
+ * [Gem 80](https://nuphy.com/collections/keyboards/products/gem80): "[Best TKL Keyboard For Enthusiasts](https://www.rtings.com/keyboard/reviews/best/tkl)" and "Best
+ modular mechanical keyboard" ([full review](https://www.rtings.com/keyboard/reviews/nuphy/gem80))
+ * [Air75 v2](https://nuphy.com/collections/keyboards/products/air75-v2): "[Best Low-Profile Keyboard](https://www.rtings.com/keyboard/reviews/best/low-profile)", "[Best Mid-Range
+   Wireless Keyboard](https://www.rtings.com/keyboard/reviews/best/by-type/wireless)", "[Best Office Keyboard Without A
+   Numpad](https://www.rtings.com/keyboard/reviews/best/work)", "[Best Mid-Range Keyboard For Programming](https://www.rtings.com/keyboard/reviews/best/by-usage/programming)" ([full
+   review](https://www.rtings.com/keyboard/reviews/nuphy/air75-v2-air60-v2-air96-v2))
+ * [Halo96](https://nuphy.com/collections/keyboards/products/halo96): "[Best Upper Mid-Range Keyboard For Typing](https://www.rtings.com/keyboard/reviews/best/by-usage/writers)" and
+   "[Best Mid-Range RGB Keyboard](https://www.rtings.com/keyboard/reviews/best/rgb#recommendation_313370)" ([full review](https://www.rtings.com/keyboard/reviews/nuphy/halo96-halo65-halo75)), replaced by
+   the Halo96 v2 and Halo75 v2
+ * [Field75](https://nuphy.com/collections/keyboards/products/field75): not best in anything ([full review](https://www.rtings.com/keyboard/reviews/nuphy/field75))
+
 # Mini / travel keyboards
 
 Those are useful for the media station or traveling on the road with a
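
Review bot: The "full review" link on the Halo75 v2 bullet points to `.../reviews/nuphy/air75-v2-air60-v2-air96-v2`, the same URL used on the Air75 v2 bullet, which looks like a copy-paste slip; the Halo96 bullet links a `halo96-halo65-halo75` review, so check which page is meant for the Halo75 v2. The continuation line of the Gem 80 bullet is also indented by one space where the other bullets use three.
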
@@ -395,6 +417,8 @@ phone or tablet.
  * [rk925](https://rkgamingstores.com/products/rk925-foldable-mechanical-keyboard): foldable keyboard, but feels in the wrong direction,
    maybe a bit too small? 112$
 
+[Nuphy](#nuphy) above, has good travel keyboards as well.
+
 # Reviews
 
 * [rtings](https://www.rtings.com/keyboard) has a keyboards section

document diss/shpool
diff --git a/blog/2021-03-19-dtach-screen-security.md b/blog/2021-03-19-dtach-screen-security.md
index f4e11635..b1a96ae3 100644
--- a/blog/2021-03-19-dtach-screen-security.md
+++ b/blog/2021-03-19-dtach-screen-security.md
@@ -189,4 +189,9 @@ Enjoy, and let me know if (or rather, how) I messed up.
     with plain `ssh`, so there's definitely something fishy going on
     here.
 
+ 5. I've found other alternatives to dtach/screen/tmux: [diss](https://github.com/yazgoo/diss)
+    (rust, simple dtach alternative), [shpool](https://github.com/shell-pool/shpool) (rust, similar to
+    dtach and diss but with a single client and some more "smart"
+    logic about rendering and shell prompts)
+
 [[!tag debian debian-planet systemd irssi irc security python-planet hack]]

review omnivore
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index 49830fca..74937b43 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -85,7 +85,12 @@ This also overlaps with bookmarking software like:
  * [linkwarden](https://linkwarden.app/)
  * [memex](https://worldbrain.io/)
  * [nb](https://xwmx.github.io/nb/)
- * [omnivore](https://omnivore.app/)
+ * [omnivore](https://omnivore.app/) - [not in f-droid, possibly never](https://github.com/omnivore-app/omnivore/issues/1853), Javascript-y
+   app that loads slowly here, [doesn't have a "one-click" "mark as
+   read" button, awkward workflow](https://github.com/omnivore-app/omnivore/issues/905#issuecomment-2178901104), [supports imports but not directly
+   Wallabag](https://docs.omnivore.app/using/importing.html), supports adding RSS feeds as source, PDFs, tagging
+   support, including intersection searches, [no support for
+   publishing feeds](https://github.com/omnivore-app/omnivore/issues/409)
  * [promnesia](https://github.com/karlicoss/promnesia)
  * [reminiscense](https://github.com/kanishka-linux/reminiscence)
  * [seelink](https://www.seelink.app/)

another unicode sample file, excellent
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 3f46a184..3b708785 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -129,6 +129,9 @@ HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
 __________________________________________________
 ```
 
+Update: [here is another such sample sheet](https://sheet.shiar.nl/sample), it's pretty good and
+has support for more languages while being still relatively small.
+
 So there you have it, got completely nerd swiped by typography
 again. Now I can go back to writing a too-long proposal again.
 

switch to nwg-displays
it supports saving the configuration to disk and doesn't start the
fans on my computer because it doesn't try to mirror outputs the same
way wdisplays does.
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index ce6694c0..e9b93796 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -38,11 +38,11 @@ I had to install the following packages:
         gammastep \
         gdm3 \
         grim slurp \
+        nwg-displays \
         pipewire-pulse \
         sway \
         swayidle \
         swaylock \
-        wdisplays \
         wev \
         wireplumber \
         wlr-randr \
@@ -1055,7 +1055,7 @@ case, they should be listed here:
 
 | X11          | Wayland                               | In Debian |
 |--------------|---------------------------------------|-----------|
-| `arandr`     | [wdisplays][]                         | yes       |
+| `arandr`     | [nwg-displays][]                      | yes       |
 | `autorandr`  | [kanshi][]                            | yes       |
 | `xclock`     | [wlclock][]                           | no        |
 | `xdotool`    | [wtype][]                             | yes       |
@@ -1088,12 +1088,20 @@ X. [arewewaylandyet.com][] refers to a few alternatives. We suggest
 [wdisplays][] and [kanshi][] above (see also [this service file][])
 but [wallutils][] can also do the autorandr stuff, apparently, and
 [nwg-displays][] can do the arandr part. [shikane][] is a promising
-kanshi rewrite in Rust. None of those (but kanshi) are packaged in
-Debian yet.
+kanshi rewrite in Rust. None of those (but kanshi and nwg-displays)
+are packaged in Debian yet.
 
 So I have tried [wdisplays][] and it Just Works, and well. The UI even
 looks better and more usable than arandr, so another clean win from
-Wayland here.
+Wayland here. I've since then switched to nwg-displays because it
+directly saves a Sway-compatible configuration file in
+`~/.config/sway/outputs`, it's just too bad it doesn't also save a
+kanshi config, see also the [save profile feature request in
+kanshi](https://todo.sr.ht/~emersion/kanshi/81) and the [kanshi support feature request in
+nwg-displays](https://github.com/nwg-piotr/nwg-displays/issues/2).
+
+Note that [shikane][] claims to support saving the current
+configuration to a file, but it's [not packaged in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073813).
 
 I'm currently [kanshi][] as a autorandr replacement and it mostly
 works. It can be hard to figure out the right configuration to put,
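Review bot: the unchanged sentence "We suggest [wdisplays][] and [kanshi][] above" is now stale, because the previous hunk replaced wdisplays with nwg-displays in the table it points to, and the same paragraph still introduces nwg-displays as a mere "can do the arandr part" alternative. Suggest updating that sentence to name nwg-displays as the suggestion and keeping wdisplays as the earlier choice. The new shikane note repeats the "not packaged in Debian" point already made two sentences earlier, so the bug link could be folded into that sentence. The commit message's reason for switching (no output mirroring, so the fans stay quiet) is not recorded in the text and would be worth one clause.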
@@ -1439,12 +1447,14 @@ Note that other Wayland compositors (e.g. [Hyprland][], GNOME's
 Mutter) *do* support mirroring, so it's not a fundamental limitation
 of Wayland.
 
-One workaround is to use a tool like [wl-mirror](https://github.com/Ferdi265/wl-mirror) to make a window
+One workaround is to use a tool like
+[wl-mirror](https://github.com/Ferdi265/wl-mirror) to make a window
 that mirrors a specific output and place *that* in a different
 workspace. That way you place the output you want to mirror *to* next
 to the output you want to mirror *from*, and use wl-mirror to copy
 between the two outputs. The problem is that wl-mirror is [not
-packaged in Debian yet](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012684).
+packaged in Debian yet](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012684) (update: fixed since 2023, Debian 13
+trixie).
 
 Another workaround mentioned in the thread is to use a [[presentation
 tool|blog/2020-09-30-presentation-tools]] which supports mirroring on
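Review bot: the sentence now contradicts itself: it still opens with "The problem is that wl-mirror is" and keeps the link text "not packaged in Debian yet", then says in parentheses that this is fixed since 2023. Suggest rewording to state the current status directly, for example that wl-mirror is packaged in Debian 13 trixie, and keeping the bug link as history. The re-wrap of the wl-mirror link at the top of the hunk is a whitespace-only change unrelated to the commit and makes the diff harder to read.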

more gtklock stuff
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 403fbb4d..ce6694c0 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -802,7 +802,13 @@ That, unfortunately, does *not* include the fancy "hacks" provided by
 xscreensaver, and that is [unlikely to be implemented upstream][].
 
 Other alternatives include [gtklock][] ([in Debian](https://tracker.debian.org/pkg/gtklock)) and [waylock][] (zig), which
-do not solve that problem either.
+do not solve that problem either. gtklock is interesting though
+because it has all sorts of plugins to show information on the lock
+screen, which I find it quite lacking in swaylock:
+
+ * [playerctl](https://github.com/jovanlanik/gtklock-playerctl-module) support: control media players ([in Debian](https://packages.debian.org/sid/gtklock-playerctl-module))
+ * [userinfo](https://github.com/jovanlanik/gtklock-userinfo-module): show user icon and name ([in Debian](https://packages.debian.org/sid/gtklock-userinfo-module))
+ * [more](https://github.com/jovanlanik/gtklock/wiki#references-2)
 
 It looks like [swaylock-plugin][], a swaylock fork, which at least
 attempts to solve this problem, although not directly using the real
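Review bot: the added list describes plugins that show information and "control media players" on the lock screen, which means those details and controls are available to anyone in front of the locked session; the text should say so, since the surrounding section is about choosing a screen locker. "which I find it quite lacking in swaylock" has a stray "it" and should read "which I find quite lacking in swaylock". The last bullet's link text "more" says nothing about its target; "more modules in the gtklock wiki" would be clearer.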

another font
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 4ebfd286..3f46a184 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -205,6 +205,10 @@ I'm not using them:
   fancy curly braces contrast perhaps too much with the rest of the
   font, packaged in Debian as [fonts-ibm-plex](https://tracker.debian.org/fonts-ibm-plex)
 
+- [Inconsolata](https://levien.com/type/myfonts/inconsolata.html): no ligatures, maybe italics? more compressed than
+  others, feels a little out of balance because of that, packaged in
+  Debian as [fonts-inconsolata](https://tracker.debian.org/fonts-inconsolata)
+
 - [Intel One Mono](https://github.com/intel/intel-one-mono/): nice legibility, no ligatures, alignment issues
   in box drawing, not packaged in Debian
 

more french pangrams
So the original one there had diacritics but didn't have all of
them. Get a new one that *does* have all the 50 characters. Tested
with:
sed 's/\(.\)/\1\n/g' | sort -u | wc -l
Source: https://fr.wikipedia.org/wiki/Pangramme#Avec_les_signes_diacritiques
We also include the more classic "whisky" quote that is traditionally
used:
https://fr.wikipedia.org/wiki/Portez_ce_vieux_whisky_au_juge_blond_qui_fume
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index ff9bdbfb..4ebfd286 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -91,8 +91,13 @@ THE QUICK FOX JUMPS OVER THE LAZY DOG
 
 same, in french:
 
-voix ambiguë d'un cœur qui, au zéphyr, préfère les jattes de kiwis.
-VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR, PRÉFÈRE LES JATTES DE KIWIS.
+Portez ce vieux whisky au juge blond qui fume.
+
+dès noël, où un zéphyr haï me vêt de glaçons würmiens, je dîne
+d’exquis rôtis de bœuf au kir, à l’aÿ d’âge mûr, &cætera.
+
+DÈS NOËL, OÙ UN ZÉPHYR HAÏ ME VÊT DE GLAÇONS WÜRMIENS, JE DÎNE
+D’EXQUIS RÔTIS DE BŒUF AU KIR, À L’AŸ D’ÂGE MÛR, &CÆTERA.
 
 Ligatures test:
 
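Review bot: the check quoted in the commit message (`sed 's/\(.\)/\1\n/g' | sort -u | wc -l`) counts every distinct character in the new `dès noël` lines, including the space, comma, period, `’` and `&`, plus an empty line, and it only splits on characters rather than bytes in a UTF-8 locale, so the number alone does not confirm that each accented letter is present. Suggest comparing the sorted output against the expected letter list instead. The whisky line is also added without an uppercase twin, unlike the pangram below it.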

add IBM plex, good candidate
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index e1f5bd35..ff9bdbfb 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -122,7 +122,6 @@ HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
 ——————————————————————————————————————————————————
 ――――――――――――――――――――――――――――――――――――――――――――――――――
 __________________________________________________
-
 ```
 
 So there you have it, got completely nerd swiped by typography
@@ -195,6 +194,12 @@ I'm not using them:
 - [Hermit](https://github.com/Swordfish90/cool-retro-term/tree/master/app/qml/fonts/modern-hermit): no ligatures, smaller, alignment issues in box drawing
   and dashes, packaged as [fonts-hermit](https://tracker.debian.org/fonts-hermit) somehow part of [cool-retro-term](https://github.com/Swordfish90/cool-retro-term/)
 
+- [IBM Plex](https://www.ibm.com/plex/plexness/): irritating website, replaces Helvetica as the IBM
+  corporate font, no ligatures by default, italics, proportional alternatives,
+  serifs and sans, multiple languages, partial failure in box alignment test (X signs),
+  fancy curly braces contrast perhaps too much with the rest of the
+  font, packaged in Debian as [fonts-ibm-plex](https://tracker.debian.org/fonts-ibm-plex)
+
 - [Intel One Mono](https://github.com/intel/intel-one-mono/): nice legibility, no ligatures, alignment issues
   in box drawing, not packaged in Debian
 
@@ -230,6 +235,7 @@ So, if I get tired of Commit Mono, I might probably try, in order:
 
 1. Hack
 1. Jetbrains Mono
+1. IBM Plex Mono
 
 Iosevka, Monoki and Intel One Mono are also good options, but have
 alignment problems. Iosevka is particularly disappointing as the `EM

more test (failures)
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 165920bf..e1f5bd35 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -184,10 +184,13 @@ I'm not using them:
   packaged as [fonts-cascadia-code](https://tracker.debian.org/pkg/fonts-cascadia-code)
 
 - Fira Code: ligatures, was using Fira Mono from which it is derived,
-  lacking italics except for forks, packaged as [fonts-firacode](https://tracker.debian.org/fonts-firacode)
+  lacking italics except for forks, interestingly, Fira Code succeeds
+  the alignment test but Fira Mono fails to show the X signs properly!
+  packaged as [fonts-firacode](https://tracker.debian.org/fonts-firacode)
 
-- [Hack](https://sourcefoundry.org/hack/): no ligatures, very similar to Fira, italics, good alternative,
-  packaged as [fonts-hack](https://tracker.debian.org/fonts-hack)
+- [Hack](https://sourcefoundry.org/hack/): no ligatures, very similar to Fira, italics, good
+  alternative, fails the X test in box alignment, packaged as
+  [fonts-hack](https://tracker.debian.org/fonts-hack)
 
 - [Hermit](https://github.com/Swordfish90/cool-retro-term/tree/master/app/qml/fonts/modern-hermit): no ligatures, smaller, alignment issues in box drawing
   and dashes, packaged as [fonts-hermit](https://tracker.debian.org/fonts-hermit) somehow part of [cool-retro-term](https://github.com/Swordfish90/cool-retro-term/)
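Review bot: the Fira Code entry is now a run-on: "lacking italics except for forks, interestingly, Fira Code succeeds the alignment test but Fira Mono fails ... packaged as" joins three unrelated statements with commas and drops the comma before "packaged". Suggest ending the sentence after "forks", using "passes the alignment test" instead of "succeeds", and starting "packaged as" on its own clause. The Hack entry calls the same check "the X test in box alignment" while this one says "the alignment test"; one name for it would help.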

remove HTML comment end that I put there to unconfuse emacs
It doesn't seem confused anymore.
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index bfe93bd1..165920bf 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -125,8 +125,6 @@ __________________________________________________
 
 ```
 
--->
-
 So there you have it, got completely nerd swiped by typography
 again. Now I can go back to writing a too-long proposal again.
 

review all fonts, again
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 6f007cdf..bfe93bd1 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -4,6 +4,8 @@ I am getting increasingly frustrated by Fira Mono's [lack of italic
 support](https://github.com/mozilla/Fira/issues/38) so I am looking at [[alternative fonts
 again|2020-03-10-font-changes]].
 
+# Commit Mono
+
 This time I seem to be settling on either [Commit Mono](https://commitmono.com/) or [Space
 Mono](https://www.colophon-foundry.org/custom-projects/space-mono). For now I'm using Commit Mono because it's a little more
 compressed than Fira and does have a italic version. I don't like how
@@ -61,6 +63,8 @@ I mentioned before, I like how the bar on the "f" aligns with the
 other top of letters, something in Fira mono that really annoys me now
 that I've noticed it (it's not aligned!).
 
+# A UTF-8 test file
+
 Here's the test sheet I've made up to test various characters. I could
 have sworn I had a good one like this lying around somewhere but
 couldn't find it so here it is, I guess.
@@ -152,8 +156,95 @@ Sources and inspiration for the above:
 
 - [UTF-8 sampler](https://web.archive.org/web/20080515024332/http://www.columbia.edu/kermit/utf8.html) - unused, similar
 
-[[!tag debian-planet python-planet typography meta theming usability]]
+# Other fonts
+
+In [[my previous blog post about fonts|2020-03-10-font-changes]], I
+had a list of alternative fonts, but it seems people are not digging
+through this, so I figured I would redo the list here to preempt "but
+have you tried Jetbrains mono" kind of comments.
+
+My requirements are:
+
+- *no* ligatures: yes, in the previous post, I *wanted* ligatures but
+  I have changed my mind. after testing this, I find them distracting,
+  confusing, and they often break the monospace nature of the display
+- monospace: this is to display code
+- italics: often used when writing Markdown, where I do make use of
+  italics... Emacs falls back to underlining text when lacking italics
+  which is hard to read
+- free-ish, ultimately should be packaged in Debian
+
+Here is the list of alternatives I have considered in the past and why
+I'm not using them:
+
+- [agave](https://b.agaric.net/page/agave): recommended by tarzeau, not sure I like the lowercase
+  `a`, a bit too exotic, packaged as [fonts-agave](https://tracker.debian.org/pkg/fonts-agave)
+
+- [Cascadia code](https://github.com/microsoft/cascadia-code): optional ligatures, multilingual, not liking the
+  alignment, ambiguous parenthesis (look too much like square
+  brackets), new default for [Windows Terminal](https://en.wikipedia.org/wiki/Windows_Terminal) and Visual Studio,
+  packaged as [fonts-cascadia-code](https://tracker.debian.org/pkg/fonts-cascadia-code)
+
+- Fira Code: ligatures, was using Fira Mono from which it is derived,
+  lacking italics except for forks, packaged as [fonts-firacode](https://tracker.debian.org/fonts-firacode)
+
+- [Hack](https://sourcefoundry.org/hack/): no ligatures, very similar to Fira, italics, good alternative,
+  packaged as [fonts-hack](https://tracker.debian.org/fonts-hack)
+
+- [Hermit](https://github.com/Swordfish90/cool-retro-term/tree/master/app/qml/fonts/modern-hermit): no ligatures, smaller, alignment issues in box drawing
+  and dashes, packaged as [fonts-hermit](https://tracker.debian.org/fonts-hermit) somehow part of [cool-retro-term](https://github.com/Swordfish90/cool-retro-term/)
+
+- [Intel One Mono](https://github.com/intel/intel-one-mono/): nice legibility, no ligatures, alignment issues
+  in box drawing, not packaged in Debian
 
+- [Iosevka](https://typeof.net/Iosevka/): optional ligatures, italics, multilingual, good
+  legibility, has a proportional option, serifs and sans, line height
+  issue in box drawing, fails dash test, not in Debian
+
+- [Jetbrains Mono](https://www.jetbrains.com/lp/mono/): (mandatory?) ligatures, good coverage,
+  originally rumored to be not DFSG-free (Debian Free Software
+  Guidelines) but ultimately [packaged in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950152) as
+  [fonts-jetbrains-mono](https://tracker.debian.org/pkg/fonts-jetbrains-mono)
+
+- [Monoid](https://larsenwork.com/monoid/): optional ligatures, feels much "thinner" than
+  Jetbrains, not liking alignment or spacing on that one, ambiguous
+  `2Z`, problems rendering box drawing, packaged as [fonts-monoid](https://tracker.debian.org/fonts-monoid)
+
+- [Mononoki](https://madmalik.github.io/mononoki/): no ligatures, looks good, good alternative, suggested
+  by the Debian fonts team as part of [fonts-recommended](https://tracker.debian.org/fonts-recommended), problems
+  rendering box drawing, em dash bigger than en dash, packaged as
+  [fonts-mononoki](https://tracker.debian.org/fonts-mononoki)
+
+- [Source Code Pro](http://adobe-fonts.github.io/source-code-pro/): italics, looks good, but dash metrics look
+  whacky, [not in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736681)
+
+- [spleen](https://github.com/fcambus/spleen): bitmap font, old school, spacing issue in box drawing
+  test, packaged as [fonts-spleen](https://tracker.debian.org/pkg/fonts-spleen)
+
+- [sudo](https://www.kutilek.de/sudo-font/): personal project, no ligatures, zero originally not
+  dotted, relied on metrics for legibility, spacing issue in box
+  drawing, not in Debian
+
+So, if I get tired of Commit Mono, I might probably try, in order:
+
+1. Hack
+1. Jetbrains Mono
+
+Iosevka, Monoki and Intel One Mono are also good options, but have
+alignment problems. Iosevka is particularly disappointing as the `EM
+DASH` metrics are just completely wrong (much too wide).
+
+This was tested using the [Programming fonts](https://www.programmingfonts.org/) site which has *all*
+the above fonts, which cannot be said of [Font Squirrel](https://www.fontsquirrel.com/) or [Google
+Fonts](fonts.google.com/), amazingly. Other such tools:
+
+ * [Coding Font](https://www.codingfont.com/) (broken in Firefox as of 2024-05-30)
+ * [dev fonts comparator](https://devfonts.gafi.dev/)
+ * [Font Squirrel](https://www.fontsquirrel.com/)
+ * [Google Fonts](fonts.google.com/)
+ * [Programming fonts](https://www.programmingfonts.org/)
+
+[[!tag debian-planet python-planet typography meta theming usability]]
 
 <!-- posted to the federation on 2024-05-29T17:44:57.933852 -->
 [[!mastodon "https://kolektiva.social/@Anarcat/112526563590503074"]]
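Review bot: both `[Google Fonts](fonts.google.com/)` links, in the closing paragraph and in the tool list, lack a scheme, so Markdown will treat them as paths relative to this page; they need `https://` like the neighbouring links. "Monoki" in "Iosevka, Monoki and Intel One Mono" does not match the "Mononoki" entry in the list above it. The Debian tracker links mix `tracker.debian.org/pkg/<name>` and `tracker.debian.org/<name>`, and Fira Code is the only entry without an upstream link; both are worth making consistent. The closing tool list repeats Font Squirrel, Google Fonts and Programming fonts from the sentence that introduces it.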

compress test sheet
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 91a85d0c..6f007cdf 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -71,19 +71,14 @@ US keyboard coverage:
 abcdefghijklmnopqrstuvwxyz`1234567890-=[]\;',./
 ABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?
 
-ambiguity test:
+latin1 coverage: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
+EURO SIGN, TRADE MARK SIGN: €™
 
-iI71lL!|¦ 
-[](){}/\
-e¢coC0ODQ
-b6G&0B83
-zs$S52Z%
+ambiguity test:
 
-MIDDLE DOT, BULLET, HORIZONTAL ELLIPSIS: ·•…
-curly ‘single’ and “double” quotes
-ACUTE ACCENT, GRAVE ACCENT: ´`
-EURO SIGN: €
-unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
+e¢coC0ODQ iI71lL!|¦
+b6G&0B83  [](){}/\.…·•
+zs$S52Z%  ´`'"‘’“”«»
 
 all characters in a sentence, uppercase:
 
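Review bot: the relabelled line "latin1 coverage:" overstates what it tests, since it still lists only `¡` through `¿` (the range the removed label called "unicode A1-BF") and none of the accented letters in the upper half of Latin-1. Suggest keeping a range-accurate label such as "latin1 symbols (A1-BF)". The compressed ambiguity block now depends on two-space column padding after `b6G&0B83` and `zs$S52Z%`, which is easy to lose in a later edit; a comment in the post or a single-space separator would be more robust.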
@@ -92,10 +87,8 @@ THE QUICK FOX JUMPS OVER THE LAZY DOG
 
 same, in french:
 
-voix ambiguë d'un cœur qui, au zéphyr,
-préfère les jattes de kiwis.
-VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR,
-PRÉFÈRE LES JATTES DE KIWIS.
+voix ambiguë d'un cœur qui, au zéphyr, préfère les jattes de kiwis.
+VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR, PRÉFÈRE LES JATTES DE KIWIS.
 
 Ligatures test:
 
@@ -106,15 +99,15 @@ Ligatures test:
 <: := *= *+ <* <*> *> <| <|> |> <. <.> .> +* =* =: :>
 (* *) /* */ [| |] {| |} ++ +++ \/ /\ |- -| <!-- <!---
 
-Box drawing alignment tests:                                          █
-                                                                      ▉
-  ╔══╦══╗  ┌──┬──┐  ╭──┬──╮  ╭──┬──╮  ┏━━┳━━┓  ┎┒┏┑   ╷  ╻ ┏┯┓ ┌┰┐    ▊ ╱╲╱╲╳╳╳
-  ║┌─╨─┐║  │╔═╧═╗│  │╒═╪═╕│  │╓─╁─╖│  ┃┌─╂─┐┃  ┗╃╄┙  ╶┼╴╺╋╸┠┼┨ ┝╋┥    ▋ ╲╱╲╱╳╳╳
-  ║│╲ ╱│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╿ │┃  ┍╅╆┓   ╵  ╹ ┗┷┛ └┸┘    ▌ ╱╲╱╲╳╳╳
-  ╠╡ ╳ ╞╣  ├╢   ╟┤  ├┼─┼─┼┤  ├╫─╂─╫┤  ┣┿╾┼╼┿┫  ┕┛┖┚     ┌┄┄┐ ╎ ┏┅┅┓ ┋ ▍ ╲╱╲╱╳╳╳
-  ║│╱ ╲│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╽ │┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▎
-  ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▏
-  ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛           └╌╌┘ ╎ ┗╍╍┛ ┋  ▁▂▃▄▅▆▇█
+Box drawing alignment tests:
+                                                                   █
+╔══╦══╗  ┌──┬──┐  ╭──┬──╮  ╭──┬──╮  ┏━━┳━━┓ ┎┒┏┑   ╷  ╻ ┏┯┓ ┌┰┐    ▉ ╱╲╱╲╳╳╳
+║┌─╨─┐║  │╔═╧═╗│  │╒═╪═╕│  │╓─╁─╖│  ┃┌─╂─┐┃ ┗╃╄┙  ╶┼╴╺╋╸┠┼┨ ┝╋┥    ▊ ╲╱╲╱╳╳╳
+║│╲ ╱│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╿ │┃ ┍╅╆┓   ╵  ╹ ┗┷┛ └┸┘    ▋ ╱╲╱╲╳╳╳
+╠╡ ╳ ╞╣  ├╢   ╟┤  ├┼─┼─┼┤  ├╫─╂─╫┤  ┣┿╾┼╼┿┫ ┕┛┖┚     ┌┄┄┐ ╎ ┏┅┅┓ ┋ ▌ ╲╱╲╱╳╳╳
+║│╱ ╲│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╽ │┃ ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▍
+║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃ ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▎
+╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛          └╌╌┘ ╎ ┗╍╍┛ ┋ ▏▁▂▃▄▅▆▇█
 
 Dashes alignment test:
 

tweak font test file titles
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 19881144..91a85d0c 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -66,12 +66,12 @@ have sworn I had a good one like this lying around somewhere but
 couldn't find it so here it is, I guess.
 
 ```
-US keyboard coverage
+US keyboard coverage:
 
 abcdefghijklmnopqrstuvwxyz`1234567890-=[]\;',./
 ABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?
 
-ambiguous characters
+ambiguity test:
 
 iI71lL!|¦ 
 [](){}/\
@@ -85,19 +85,20 @@ ACUTE ACCENT, GRAVE ACCENT: ´`
 EURO SIGN: €
 unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
 
-all characters in a sentence, uppercase
+all characters in a sentence, uppercase:
 
 the quick fox jumps over the lazy dog
 THE QUICK FOX JUMPS OVER THE LAZY DOG
 
-same, in french
+same, in french:
 
 voix ambiguë d'un cœur qui, au zéphyr,
 préfère les jattes de kiwis.
 VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR,
 PRÉFÈRE LES JATTES DE KIWIS.
 
-Ligatures test
+Ligatures test:
+
 -<< -< -<- <-- <--- <<- <- -> ->> --> ---> ->- >- >>-
 =<< =< =<= <== <=== <<= <= => =>> ==> ===> =>= >= >>=
 <-> <--> <---> <----> <=> <==> <===> <====> :: ::: __
@@ -115,6 +116,8 @@ Box drawing alignment tests:                                          █
   ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▏
   ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛           └╌╌┘ ╎ ┗╍╍┛ ┋  ▁▂▃▄▅▆▇█
 
+Dashes alignment test:
+
 HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
 --------------------------------------------------
 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

add ligatures test, from https://typeof.net/Iosevka/
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index d3de4833..19881144 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -79,6 +79,12 @@ e¢coC0ODQ
 b6G&0B83
 zs$S52Z%
 
+MIDDLE DOT, BULLET, HORIZONTAL ELLIPSIS: ·•…
+curly ‘single’ and “double” quotes
+ACUTE ACCENT, GRAVE ACCENT: ´`
+EURO SIGN: €
+unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
+
 all characters in a sentence, uppercase
 
 the quick fox jumps over the lazy dog
@@ -91,6 +97,14 @@ préfère les jattes de kiwis.
 VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR,
 PRÉFÈRE LES JATTES DE KIWIS.
 
+Ligatures test
+-<< -< -<- <-- <--- <<- <- -> ->> --> ---> ->- >- >>-
+=<< =< =<= <== <=== <<= <= => =>> ==> ===> =>= >= >>=
+<-> <--> <---> <----> <=> <==> <===> <====> :: ::: __
+<~~ </ </> /> ~~> == != /= ~= <> === !== !=== =/= =!=
+<: := *= *+ <* <*> *> <| <|> |> <. <.> .> +* =* =: :>
+(* *) /* */ [| |] {| |} ++ +++ \/ /\ |- -| <!-- <!---
+
 Box drawing alignment tests:                                          █
                                                                       ▉
   ╔══╦══╗  ┌──┬──┐  ╭──┬──╮  ╭──┬──╮  ┏━━┳━━┓  ┎┒┏┑   ╷  ╻ ┏┯┓ ┌┰┐    ▊ ╱╲╱╲╳╳╳
@@ -101,12 +115,6 @@ Box drawing alignment tests:                                          █
   ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▏
   ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛           └╌╌┘ ╎ ┗╍╍┛ ┋  ▁▂▃▄▅▆▇█
 
-MIDDLE DOT, BULLET, HORIZONTAL ELLIPSIS: ·•…
-curly ‘single’ and “double” quotes
-ACUTE ACCENT, GRAVE ACCENT: ´`
-EURO SIGN: €
-unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
-
 HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
 --------------------------------------------------
 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
@@ -117,6 +125,8 @@ __________________________________________________
 
 ```
 
+-->
+
 So there you have it, got completely nerd swiped by typography
 again. Now I can go back to writing a too-long proposal again.
 

add cent, vertical pipe, z to ambiguity sample
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index aab9b70c..d3de4833 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -73,8 +73,11 @@ ABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?
 
 ambiguous characters
 
-iI71lL!| ecoC0ODQ
-[](){}/\ b6G&0B83 $sS52Z%
+iI71lL!|¦ 
+[](){}/\
+e¢coC0ODQ
+b6G&0B83
+zs$S52Z%
 
 all characters in a sentence, uppercase
 

review utf-8 sample file after reading agave's home page
It has a more extensive sample coverage like b6G& and eco that we
didn't have. Also we had $ on its own without anything to compare it
to, so add the interesting $sS52Z% string in there as well.
Shift the full keyboard sample upwards and make it ordered more
logically.
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index ccad50ee..aab9b70c 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -66,14 +66,15 @@ have sworn I had a good one like this lying around somewhere but
 couldn't find it so here it is, I guess.
 
 ```
-ASCII test
+US keyboard coverage
 
-abcdefghijklmnopqrstuvwxyz1234567890-=
-ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+
+abcdefghijklmnopqrstuvwxyz`1234567890-=[]\;',./
+ABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?
 
 ambiguous characters
 
-&iIL7l1!|[](){}/\oO0DQ8B3;:,./?~`'"$
+iI71lL!| ecoC0ODQ
+[](){}/\ b6G&0B83 $sS52Z%
 
 all characters in a sentence, uppercase
 

add 3 to B/8 ambiguity check, thanks @mdione
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 252125c6..ccad50ee 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -73,7 +73,7 @@ ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+
 
 ambiguous characters
 
-&iIL7l1!|[](){}/\oO0DQ8B;:,./?~`'"$
+&iIL7l1!|[](){}/\oO0DQ8B3;:,./?~`'"$
 
 all characters in a sentence, uppercase
 

delete duplicated federation post
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index d0bcd45a..252125c6 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -145,8 +145,5 @@ Sources and inspiration for the above:
 [[!tag debian-planet python-planet typography meta theming usability]]
 
 
-<!-- posted to the federation on 2024-05-29T17:44:57.665346 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/112526563552199519"]]
-
 <!-- posted to the federation on 2024-05-29T17:44:57.933852 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/112526563590503074"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/112526563590503074"]]

fix blog post title
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 8d88f6c0..d0bcd45a 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -1,4 +1,4 @@
-[[meta title="Playing with fonts again"]]
+[[!meta title="Playing with fonts again"]]
 
 I am getting increasingly frustrated by Fira Mono's [lack of italic
 support](https://github.com/mozilla/Fira/issues/38) so I am looking at [[alternative fonts

automatic federated post of blog/2024-05-29-playing-with-fonts-again.md
Command: ['/usr/bin/feed2exec', '-v', 'fetch', '--nocache']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index 048a59e0..8d88f6c0 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -143,3 +143,10 @@ Sources and inspiration for the above:
 - [UTF-8 sampler](https://web.archive.org/web/20080515024332/http://www.columbia.edu/kermit/utf8.html) - unused, similar
 
 [[!tag debian-planet python-planet typography meta theming usability]]
+
+
+<!-- posted to the federation on 2024-05-29T17:44:57.665346 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/112526563552199519"]]
+
+<!-- posted to the federation on 2024-05-29T17:44:57.933852 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/112526563590503074"]]
\ No newline at end of file
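Review bot: this automated hunk appends two federation markers for the same post, about 0.27 seconds apart (`17:44:57.665346` and `17:44:57.933852`) and with different status URLs, which suggests the post was sent twice in one run. The plugin should check for an existing `[[!mastodon` line, or for the entry already having been handled, before posting and writing a marker. The hunk also leaves the file without a trailing newline.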

another image viewer
diff --git a/software/desktop/x11.md b/software/desktop/x11.md
index 82a27606..5ae8c443 100644
--- a/software/desktop/x11.md
+++ b/software/desktop/x11.md
@@ -189,6 +189,9 @@ Other alternatives I have considered or used in the past:
  * [nomacs](https://github.com/nomacs/nomacs): gorgeous, fast, but badly maintained, [vendored
    exiv](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974616), [unfixed CVE](https://github.com/nomacs/nomacs/issues/516) ([CVE-2020-23884](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014124)), no release in 2
    years (as of 2022)
+ * [oculante](https://github.com/woelper/oculante): fast startup, animation-level sequential image
+   display, hardware acceleration, minimal editing capabilities, not
+   in Debian
  * [pho](http://shallowsky.com/software/pho/): streamlined, minimal, batch operations, not in Debian
  * [plio][]: sxiv rewrite, with sorting capacities
  * [sxiv](https://github.com/muennich/sxiv): abandoned upstream

publish blog post
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index dc9a9254..048a59e0 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -142,4 +142,4 @@ Sources and inspiration for the above:
 
 - [UTF-8 sampler](https://web.archive.org/web/20080515024332/http://www.columbia.edu/kermit/utf8.html) - unused, similar
 
-[[!tag draft]]
+[[!tag debian-planet python-planet typography meta theming usability]]

some edits
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
index c877f3d6..dc9a9254 100644
--- a/blog/2024-05-29-playing-with-fonts-again.md
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -41,22 +41,25 @@ originals *look* sharp on my display, I suspect this is something to
 do with the Wayland transition. I've tried with both [grim](https://sr.ht/~emersion/grim/) and
 [flameshot](https://github.com/flameshot-org/flameshot), for what its worth.)
 
-They are pretty similar! Commit Mono feels a *bit* more compressed,
-maybe too much so, actually -- the line height feels too low.  But
-it's heavily customizable so that's something that's relatively easy
-to fix, if it's really a problem. Its weight is also a little heavier
-than Fira which I find a little distracting right now, but maybe I'll
-get used to it.
+They are pretty similar! Commit Mono feels a *bit* more vertically
+compressed maybe too much so, actually -- the line height feels too
+low.  But it's heavily customizable so that's something that's
+relatively easy to fix, if it's really a problem. Its weight is also a
+little heavier and wider than Fira which I find a little distracting
+right now, but maybe I'll get used to it.
 
 All characters seem properly distinguishable, although, if I'd really
-want to nitpick I'd say the © and ® are too different, with the latter
-(`REGISTERED SIGN`) being way too small, basically unreadable
-here. Since I see this approximately never, it probably doesn't
-matter.
+want to nitpick I'd say the © and ® are *too* different, with the
+latter (`REGISTERED SIGN`) being way too small, basically unreadable
+here. Since I see this sign approximately never, it probably doesn't
+matter at all.
 
 I like how the ampersand (`&`) is more traditional, although I'll miss
-the exotic Fira one... I like how the back quotes (`\``, `GRAVE ACCENT`)
-drop down low, nicely aligned with the apostrophe.
+the exotic one Fira produced... I like how the back quotes (`` ` ``,
+`GRAVE ACCENT`) drop down low, nicely aligned with the apostrophe. As
+I mentioned before, I like how the bar on the "f" aligns with the
+other top of letters, something in Fira mono that really annoys me now
+that I've noticed it (it's not aligned!).
 
 Here's the test sheet I've made up to test various characters. I could
 have sworn I had a good one like this lying around somewhere but
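Review bot: the rewritten first paragraph drops the comma after "compressed", so "a *bit* more vertically compressed maybe too much so, actually" now runs together; restore it as "compressed, maybe too much so". In the last added paragraph, "Fira mono" should be capitalised as "Fira Mono" like everywhere else in the post, and "the other top of letters" reads better as "the top of the other letters".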

new blog post: new fonts
diff --git a/blog/2024-05-29-playing-with-fonts-again.md b/blog/2024-05-29-playing-with-fonts-again.md
new file mode 100644
index 00000000..c877f3d6
--- /dev/null
+++ b/blog/2024-05-29-playing-with-fonts-again.md
@@ -0,0 +1,142 @@
+[[meta title="Playing with fonts again"]]
+
+I am getting increasingly frustrated by Fira Mono's [lack of italic
+support](https://github.com/mozilla/Fira/issues/38) so I am looking at [[alternative fonts
+again|2020-03-10-font-changes]].
+
+This time I seem to be settling on either [Commit Mono](https://commitmono.com/) or [Space
+Mono](https://www.colophon-foundry.org/custom-projects/space-mono). For now I'm using Commit Mono because it's a little more
+compressed than Fira and does have a italic version. I don't like how
+Space Mono's parenthesis (`()`) is "squarish", it feels visually
+ambiguous with the square brackets (`[]`), a big no-no for my primary
+use case (code).
+
+So here I am using a new font, again. It required changing a bunch of
+configuration files in my home directory (which is in a private
+repository, sorry) and Emacs configuration (thankfully that's
+public!). 
+
+One gotcha is I realized I didn't actually have a global font
+configuration in Emacs, as some [Faces](https://www.gnu.org/software/emacs/manual/html_node/emacs/Faces.html) define their own font
+family, which overrides the frame defaults.
+
+This is what it looks like, before:
+
+<figure>
+<img src="snap-20240529T171950-fira-mono.png" alt="A dark terminal
+showing the test sheet in Fira Mono" />
+<figcaption>Fira Mono</figcaption>
+</figure>
+
+After:
+
+<figure>
+<img src="snap-20240529T171846-commit-mono.png" alt="A dark terminal
+showing the test sheet in Fira Mono" />
+<figcaption>Commit Mono</figcaption>
+</figure>
+
+(Notice how those screenshots are not sharp? I'm surprised too. The
+originals *look* sharp on my display, I suspect this is something to
+do with the Wayland transition. I've tried with both [grim](https://sr.ht/~emersion/grim/) and
+[flameshot](https://github.com/flameshot-org/flameshot), for what its worth.)
+
+They are pretty similar! Commit Mono feels a *bit* more compressed,
+maybe too much so, actually -- the line height feels too low.  But
+it's heavily customizable so that's something that's relatively easy
+to fix, if it's really a problem. Its weight is also a little heavier
+than Fira which I find a little distracting right now, but maybe I'll
+get used to it.
+
+All characters seem properly distinguishable, although, if I'd really
+want to nitpick I'd say the © and ® are too different, with the latter
+(`REGISTERED SIGN`) being way too small, basically unreadable
+here. Since I see this approximately never, it probably doesn't
+matter.
+
+I like how the ampersand (`&`) is more traditional, although I'll miss
+the exotic Fira one... I like how the back quotes (`\``, `GRAVE ACCENT`)
+drop down low, nicely aligned with the apostrophe.
+
+Here's the test sheet I've made up to test various characters. I could
+have sworn I had a good one like this lying around somewhere but
+couldn't find it so here it is, I guess.
+
+```
+ASCII test
+
+abcdefghijklmnopqrstuvwxyz1234567890-=
+ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+
+
+ambiguous characters
+
+&iIL7l1!|[](){}/\oO0DQ8B;:,./?~`'"$
+
+all characters in a sentence, uppercase
+
+the quick fox jumps over the lazy dog
+THE QUICK FOX JUMPS OVER THE LAZY DOG
+
+same, in french
+
+voix ambiguë d'un cœur qui, au zéphyr,
+préfère les jattes de kiwis.
+VOIX AMBIGUË D'UN CŒUR QUI, AU ZÉPHYR,
+PRÉFÈRE LES JATTES DE KIWIS.
+
+Box drawing alignment tests:                                          █
+                                                                      ▉
+  ╔══╦══╗  ┌──┬──┐  ╭──┬──╮  ╭──┬──╮  ┏━━┳━━┓  ┎┒┏┑   ╷  ╻ ┏┯┓ ┌┰┐    ▊ ╱╲╱╲╳╳╳
+  ║┌─╨─┐║  │╔═╧═╗│  │╒═╪═╕│  │╓─╁─╖│  ┃┌─╂─┐┃  ┗╃╄┙  ╶┼╴╺╋╸┠┼┨ ┝╋┥    ▋ ╲╱╲╱╳╳╳
+  ║│╲ ╱│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╿ │┃  ┍╅╆┓   ╵  ╹ ┗┷┛ └┸┘    ▌ ╱╲╱╲╳╳╳
+  ╠╡ ╳ ╞╣  ├╢   ╟┤  ├┼─┼─┼┤  ├╫─╂─╫┤  ┣┿╾┼╼┿┫  ┕┛┖┚     ┌┄┄┐ ╎ ┏┅┅┓ ┋ ▍ ╲╱╲╱╳╳╳
+  ║│╱ ╲│║  │║   ║│  ││ │ ││  │║ ┃ ║│  ┃│ ╽ │┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▎
+  ║└─╥─┘║  │╚═╤═╝│  │╘═╪═╛│  │╙─╀─╜│  ┃└─╂─┘┃  ░░▒▒▓▓██ ┊  ┆ ╎ ╏  ┇ ┋ ▏
+  ╚══╩══╝  └──┴──┘  ╰──┴──╯  ╰──┴──╯  ┗━━┻━━┛           └╌╌┘ ╎ ┗╍╍┛ ┋  ▁▂▃▄▅▆▇█
+
+MIDDLE DOT, BULLET, HORIZONTAL ELLIPSIS: ·•…
+curly ‘single’ and “double” quotes
+ACUTE ACCENT, GRAVE ACCENT: ´`
+EURO SIGN: €
+unicode A1-BF: ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿
+
+HYPHEN-MINUS, MINUS SIGN, EN, EM DASH, HORIZONTAL BAR, LOW LINE
+--------------------------------------------------
+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
+––––––––––––––––––––––––––––––––––––––––––––––––––
+——————————————————————————————————————————————————
+――――――――――――――――――――――――――――――――――――――――――――――――――
+__________________________________________________
+
+```
+
+So there you have it, got completely nerd swiped by typography
+again. Now I can go back to writing a too-long proposal again.
+
+Sources and inspiration for the above:
+
+- the `unicode(1)` command, to lookup individual characters to
+  disambiguate, for example, `-` (`U+002D HYPHEN-MINUS`, the minus
+  sign next to zero on US keyboards) and − (`U+2212 MINUS SIGN`, a
+  math symbol)
+
+- [searchable list of characters and their names](https://web.archive.org/web/20080515015236/http://www.columbia.edu/kermit/utf8-t1.html) - roughly
+  equivalent to the `unicode(1)` command, but in one page, amazingly
+  the `/usr/share/unicode` database doesn't have any one file like
+  this
+
+- [bits/UTF-8-Unicode-Test-Documents](https://github.com/bits/UTF-8-Unicode-Test-Documents) - full list of UTF-8
+  characters
+
+- [UTF-8 encoded plain text file](https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-demo.txt) - nice examples of edge cases,
+  curly quotes example and box drawing alignment test which,
+  incidentally, showed me I needed specific faces customisation in
+  Emacs to get the Markdown code areas to display properly, also the
+  idea of comparing various dashes
+
+- [sample sentences in many languages](https://www.cl.cam.ac.uk/~mgk25/ucs/examples/quickbrown.txt) - unused, "Sentences that
+  contain all letters commonly used in a language"
+
+- [UTF-8 sampler](https://web.archive.org/web/20080515024332/http://www.columbia.edu/kermit/utf8.html) - unused, similar
+
+[[!tag draft]]
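Review bot: the alt text of the second `<img>` (`snap-20240529T171846-commit-mono.png`) still says "showing the test sheet in Fira Mono" while its `<figcaption>` says Commit Mono. It looks copy-pasted from the first figure and should read "in Commit Mono", since the alt text is all that a screen reader or a text-only feed reader gets. Smaller points in the same file: "for what its worth" should be "it's", "a italic version" should be "an italic version", and "nerd swiped" is presumably "nerd sniped".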
diff --git a/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171846-commit-mono.png b/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171846-commit-mono.png
new file mode 100644
index 00000000..2ceafccc
Binary files /dev/null and b/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171846-commit-mono.png differ
diff --git a/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171950-fira-mono.png b/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171950-fira-mono.png
new file mode 100644
index 00000000..569b4e84
Binary files /dev/null and b/blog/2024-05-29-playing-with-fonts-again/snap-20240529T171950-fira-mono.png differ

more keyring help
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 593215b6..1c6aa85f 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -30,9 +30,12 @@ upload:
 	@echo "next time, try using GitLab API: https://docs.gitlab.com/ee/api/users.html#list-all-gpg-keys"
 	@echo "list, parse for fingerprint, delete, then upload"
 	@echo "last test with plain 'python-gitlab' CLI failed though"
+	gpg --export --export-options export-minimal -a $(FINGERPRINT) | wl-copy
+	@echo "key copied to clipboard"
 
 renew:
 	gpg --quick-set-expire $(FINGERPRINT) $(NEXT_EXPIRE)
+	@echo "note that this doesn't upload or update the key! run '$(MAKE) hu upload upload-tpo' to complete the procedure"
 
 upload-tpo:
 	@echo "updating TPO keyring"
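Review bot: in the lines added to `upload`, the exit status of `gpg --export ... | wl-copy` is that of `wl-copy` alone and the recipe does not set `pipefail`, so a failing `gpg` still ends with "key copied to clipboard". If `$(FINGERPRINT)` expands to nothing, `gpg --export` exports the whole public keyring instead of one key. Check that `FINGERPRINT` is set and export to a temporary file (or test for non-empty output) before copying, so the message can be trusted. `wl-copy` also ties the target to a Wayland session, which deserves a comment. The reminder added to `renew` hard-codes the target names `hu upload upload-tpo` in a string and will drift if they are renamed; a target that depends on them would not.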

renew pgp key, pushed everywhere and updated procedures
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 973b6889..593215b6 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -24,8 +24,12 @@ upload:
 	@echo "Not covered: GitLab and GitHub accounts:"
 	@echo "https://gitlab.torproject.org/-/profile/gpg_keys"
 	@echo "https://gitlab.com/-/profile/gpg_keys"
+	@echo "https://salsa.debian.org/-/profile/gpg_keys"
 	@echo "https://github.com/settings/keys"
-	@echo "https://salsa.debian.org/settings/keys"
+	@echo "most involves deleting the old key then reuploading the new one"
+	@echo "next time, try using GitLab API: https://docs.gitlab.com/ee/api/users.html#list-all-gpg-keys"
+	@echo "list, parse for fingerprint, delete, then upload"
+	@echo "last test with plain 'python-gitlab' CLI failed though"
 
 renew:
 	gpg --quick-set-expire $(FINGERPRINT) $(NEXT_EXPIRE)
@@ -36,10 +40,3 @@ upload-tpo:
 	gpg --export --export-options export-minimal $(FINGERPRINT) > $(TPO_KEYRING)/torproject-keyring/anarcat-$(FINGERPRINT).gpg
 	git -C $(TPO_KEYRING) commit torproject-keyring/anarcat-$(FINGERPRINT).gpg
 	git -C $(TPO_KEYRING) push
-	git -C $(TPO_KEYRING) push alberti
-
-	@echo "updating TPO password manager keyring"
-	git -C $(TPO_PWMANAGER) pull
-	gpg --export --export-options export-minimal $(FINGERPRINT) | gpg --no-default-keyring --keyring=$(TPO_PWMANAGER)/.keyring --import
-	git -C $(TPO_PWMANAGER) commit .keyring
-	git -C $(TPO_PWMANAGER) push
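Review bot: this removes the import into `$(TPO_PWMANAGER)/.keyring` from `upload-tpo` without a replacement, so after a `renew` that keyring keeps the copy of the key with the old expiry date. If anything still encrypts to this key through that keyring, it will start rejecting the key once the old expiry passes. If the password manager keyring is retired, say so in the commit message and remove the `TPO_PWMANAGER` variable too, assuming it is defined outside this hunk. The removed `push alberti` deserves the same one-line explanation.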
diff --git a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe
index 5fc43adf..1d3f569e 100644
Binary files a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe and b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe differ

fix links in usb-c article
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 94e7a168..12a074cd 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -144,7 +144,7 @@ I found that weird little thing through [this Twitter post](https://twitter.com/
 [Benedict Reuschling](https://twitter.com/bsdbcr), from [this blog post](https://klarasystems.com/articles/openzfs-data-security-vs-integrity/), from [2.5 admins
 episode 127](https://2.5admins.com/2-5-admins-127/) (phew!).
 
-I ordered a TOFU power station in February (2023-02-20) and it landed
+I ordered a [TOFU power station](https://www.zentofu.com/tps.php) in February (2023-02-20) and it landed
 on my doorstep about two weeks later (2023-03-08).
 
 The power output is a little disappointing: my laptop tells me it's
@@ -156,7 +156,7 @@ fine for charging the laptop overnight during my travels, which is
 basically my use case here.
 
 The "travel" thing is a little plastic contraption that holds three
-different power adapters: [Australian](https://en.wikipedia.org/wiki/AS/NZS_3112), [British](https://en.wikipedia.org/wiki/AC_power_plugs_and_sockets:_British_and_related_types#BS_1363_three-pin_(rectangular)_plugs_and_sockets), [Europe](https://en.wikipedia.org/wiki/Europlug),
+different power adapters: [Australian](https://en.wikipedia.org/wiki/AS/NZS_3112), [British][], [Europe](https://en.wikipedia.org/wiki/Europlug),
 and [USA](https://en.wikipedia.org/wiki/NEMA_connector). The clever thing here is the other end is what looks
 like a [IEC 60320](https://en.wikipedia.org/wiki/IEC_60320) C7/C8 coupler, AKA a "figure-8", "infinity" or
 "shotgun", according to Wikipedia. It seems design to fit with Macbook
@@ -244,6 +244,8 @@ Update 2: I traveled quite a bit with this device and I like it. The
 main downside is the cable is just too damn short and a larger cable
 doesn't fit well in the case. Otherwise it's really nice.
 
+[British]: https://en.wikipedia.org/wiki/AC_power_plugs_and_sockets:_British_and_related_types#BS_1363_three-pin_(rectangular)_plugs_and_sockets
+
 ### TOFU YOYO Cable
 
 I also bought the [YOYO cable](https://www.elvesfactory.com/worldshop/EN/TOFU/TYC) in the hope it would fix that

another phone
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index 7c7eca6b..f777de51 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -170,6 +170,11 @@ report](https://puri.sm/posts/massive-progress-exact-cpu-selected-minor-shipping
 shipping", so that means at least July 2019, if not later. Their demos
 still don't have a finished device.
 
+## SHIFTphone
+
+[shiftphone 8](https://www.shift.eco/en/shiftphone-8-status-page-2/) will have [mainline support](https://www.phoronix.com/news/SHIFTphone-8-Linux-Patches),
+incredibly. repairable, IPX rating. seems like a fat phone though.
+
 Google
 ------
 

CRLs expire, ugh
diff --git a/services/mail.mdwn b/services/mail.mdwn
index bb8dc235..1730c6cf 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1165,6 +1165,14 @@ You can now test revocation with:
     cat cacert.pem crl.pem > cacrl.pem
     service dovecot restart
 
+Note that, by default, that damn crl expires after 30 days, you'll
+probably want to bump that expiry date (with `default_crl_days=3650`
+in `openssl.conf` or with the `-crldays` option) and then:
+
+    openssl ca -config openssl.cnf  -gencrl  > crl.pem
+    cat cacert.pem crl.pem > cacrl.pem
+    service dovecot restart
+
 And now the above `curl` command should fail. Notice how dovecot needs
 a kick after revocation, a `reload` might be sufficient as well.
 
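Review bot: the added paragraph names the config file `openssl.conf`, but the command right below it uses `-config openssl.cnf`; use `openssl.cnf` in both places so the reader edits the file that is actually loaded. The text also offers `-crldays` as an alternative without showing it, so either put it on the `openssl ca ... -gencrl` line or state that the example relies on `default_crl_days`. It would help to describe what the failure looks like when the CRL expires, so the symptom can be recognised. Also note that a 3650-day CRL only removes the expiry problem: the CRL must still be regenerated, concatenated into `cacrl.pem` and dovecot restarted after every revocation.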

upgraded to Emacs 29 for Wayland support, amazing
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 74e16c24..403fbb4d 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -411,44 +411,29 @@ Unchanged.
 
 See Email, above, or Emacs in Editor, below.
 
-## Editor: Emacs okay-ish
+## Editor: Emacs
 
-Emacs is being actively ported to Wayland. According to [this LWN
+Emacs was ported to Wayland in version 29. According to [this LWN
 article][], the first (partial, to Cairo) port was done in 2014 and a
 working port (to GTK3) was completed in 2021, but wasn't merged until
-[late 2021][]. That is: after [Emacs 28 was released][] (April
-2022). 
+[late 2021][]. That is: after [Emacs 28 was released][] (April 2022)
+and [Debian bookworm freeze][]. The Emacs 29 bookworm backport works.
 
-So we'll probably need to wait for Emacs 29 to have native Wayland
-support in Emacs, which, in turn, is unlikely to arrive in time for
-the [Debian bookworm freeze][]. There are, however, [unofficial
-builds][] for both Emacs 28 and 29 provided by [spwhitton][] which
-may provide native Wayland support. 
+To get the native builds, you need to install the [emacs-pgtk
+package](https://packages.debian.org/unstable/emacs-pgtk).
 
-I tested the snapshot packages and they do not quite work well
-enough. First off, they completely take over the builtin Emacs — they
-hijack the `$PATH` in `/etc`! — and certain things are simply not
-working in my setup. For example, this hook never gets ran on startup:
-
-    (add-hook 'after-init-hook 'server-start t) 
-
-Still, like many X11 applications, Emacs mostly works fine under
-Xwayland. The clipboard works as expected, for example.
-
-Scaling is a bit of an issue: fonts look fuzzy.
+In any case, like many X11 applications, Emacs mostly works fine under
+Xwayland. The clipboard works as expected, for example. Scaling is a
+bit of an issue: fonts look fuzzy.
 
 I have heard anecdotal evidence of hard lockups with Emacs running
 under Xwayland as well, but haven't experienced any problem so far. I
 did experience a Wayland crash with the snapshot version however.
 
-TODO: look again at Wayland in Emacs 29.
-
 [this LWN article]: https://lwn.net/Articles/843896/
 [late 2021]: https://batsov.com/articles/2021/12/19/building-emacs-from-source-with-pgtk/
 [Emacs 28 was released]: https://www.gnu.org/savannah-checkouts/gnu/emacs/emacs.html#Releases
 [Debian bookworm freeze]: https://lists.debian.org/debian-devel/2022/03/msg00251.html
-[unofficial builds]: https://silentflame.com/debian/
-[spwhitton]: https://spwhitton.name/
 
 ## Backups: borg
 
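Review bot: the kept sentence "I did experience a Wayland crash with the snapshot version however" now refers to nothing, because the paragraph describing the snapshot packages is deleted in this same hunk; drop the sentence or say which build it was. The new "In any case, like many X11 applications, Emacs mostly works fine under Xwayland" paragraph follows directly after the `emacs-pgtk` one, so it is unclear that the fuzzy fonts concern the X11 build and not the pgtk build; one clause would settle that. The `emacs-pgtk` link points at `unstable` while the text talks about the bookworm backport, so linking the backports page would match the claim.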

framework ec driver progress
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 0a083c6a..d5653cc8 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -235,7 +235,8 @@ the laptop.
  * the EC (Embedded Controller) is [open source](https://github.com/FrameworkComputer/EmbeddedController) so of course
    people are [hacking at it](https://github.com/lhl/linuxlaptops/wiki/2022-Framework-Laptop-DIY-Edition-12th-Gen-Intel-Batch-1#ectool), [some documentation on what's
    possible](https://www.howett.net/posts/2021-12-framework-ec/) (e.g. changing LED colors, fan curves, etc), [see
-   also](https://github.com/lhl/linuxlaptops/wiki/2022-Framework-Laptop-DIY-Edition-12th-Gen-Intel-Batch-1#ectool)
+   also](https://github.com/lhl/linuxlaptops/wiki/2022-Framework-Laptop-DIY-Edition-12th-Gen-Intel-Batch-1#ectool) and possible [mainline inclusion](https://www.phoronix.com/news/Framework-Laptop-EC-Driver) for the charge
+   controller
 
 ## Cons
 
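Review bot: the rewritten line keeps the "see also" link, which points at the same `lhl/linuxlaptops` wiki anchor (`#ectool`) as "hacking at it" two lines above; since the line is being touched anyway, drop the duplicate and let the new "mainline inclusion" link stand on its own.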

another inotify thing
diff --git a/blog/2019-11-20-file-monitoring-tools.mdwn b/blog/2019-11-20-file-monitoring-tools.mdwn
index 0e8b768b..99163956 100644
--- a/blog/2019-11-20-file-monitoring-tools.mdwn
+++ b/blog/2019-11-20-file-monitoring-tools.mdwn
@@ -408,6 +408,16 @@ to fit a square peg in this round hole:
 
 # Other
 
+## inotify-info
+
+<https://github.com/mikesart/inotify-info>
+
+ * 2021-...
+ * C++
+ * MIT
+ * Debian package
+ * simply lists active inotify watches
+
 ## kfmon (kobo launcher)
 
 <https://github.com/NiLuJe/kfmon>

gtkgreet landed in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 931a957e..74e16c24 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -496,12 +496,15 @@ Possible alternatives:
 
  * [lightdm elephant greeter][] (I tried [[!debpkg slick-greeter]] and
    [[!debpkg ukui-greeter]], neither could start the Sway session)
- * [greetd][], [tuigreet][] (in Debian) and [QtGreet][] (not in
+ * [greetd][] is a login manager that delegates to greeters, like
+   [gtkgreet][], [tuigreet][] (in Debian) and [QtGreet][] (not in
    Debian), tested [agreety][] (part of greetd) but it didn't work at
    all
  * [sddm][]: KDE's default, in Debian, probably heavier or as heavy as
    gdm3
 
+ [gtkgreet]: https://git.sr.ht/~kennylevinsen/gtkgreet
+
 [lightdm elephant greeter]: https://github.com/max-moser/lightdm-elephant-greeter
 [greetd]: https://sr.ht/~kennylevinsen/greetd/
 [QtGreet]: https://gitlab.com/marcusbritanicus/QtGreet
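Review bot: the commit message says gtkgreet landed in Debian, but in the rewritten bullet "(in Debian)" follows only `[tuigreet][]`, so the page does not actually record that; something like "[gtkgreet][] and [tuigreet][] (both in Debian)" would. The new `[gtkgreet]:` definition also sits in its own block with a leading space, apart from the other reference definitions directly below it; move it next to `[greetd]:` to match.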

another victim of the federation
diff --git a/blog/2022-06-17-matrix-notes.md b/blog/2022-06-17-matrix-notes.md
index 2b5bec2d..e8da1388 100644
--- a/blog/2022-06-17-matrix-notes.md
+++ b/blog/2022-06-17-matrix-notes.md
@@ -352,7 +352,7 @@ a space in the future where it isn't or should be hidden behind a
 proxy, for example. That still feels like a security issue, and that
 still isn't something Matrix seem to care about.)
 
-[Mastodon has the same problem](https://github.com/mastodon/mastodon/issues/23662).
+[Mastodon has the same problem](https://github.com/mastodon/mastodon/issues/23662), and [people are starting to notice](https://news.itsfoss.com/mastodon-link-problem/).
 
 # Moderation
 

make link references for sending by email
diff --git a/blog/2024-05-01-gitolite-gitlab-migration.md b/blog/2024-05-01-gitolite-gitlab-migration.md
index 991a2c2c..b3833611 100644
--- a/blog/2024-05-01-gitolite-gitlab-migration.md
+++ b/blog/2024-05-01-gitolite-gitlab-migration.md
@@ -5,12 +5,17 @@
 > contrary, I've been very busy but just didn't have time to write
 > about anything. So I've taken it upon myself to write *something*
 > about my work this week, and published [this post on the Tor
-> blog](https://blog.torproject.org/gitolite-gitlab-migration/) which I copy here for a broader audience. Let me know if
+> blog][] which I copy here for a broader audience. Let me know if
 > you like this or not.
 
+ [this post on the Tor blog]: https://blog.torproject.org/gitolite-gitlab-migration/
+
 Tor has finally completed a long migration from legacy Git
-infrastructure ([Gitolite and GitWeb](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git)) to our self-hosted
-[GitLab](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab) server.
+infrastructure ([Gitolite and GitWeb][]) to our self-hosted
+[GitLab][] server.
+
+ [GitLab]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab
+ [Gitolite and GitWeb]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git
 
 Git repository addresses have therefore changed. Many of you probably
 have made the switch already, but if not, you will need to change:
@@ -23,12 +28,15 @@ to:
 
 In your Git configuration.
 
-The [GitWeb front page](https://gitweb.torproject.org/) is now an archived listing of all the
+The [GitWeb front page][] is now an archived listing of all the
 repositories before the migration. Inactive git repositories were
-archived in GitLab [legacy/gitolite namespace](https://gitlab.torproject.org/legacy/gitolite/) and the
+archived in GitLab [legacy/gitolite namespace][] and the
 `gitweb.torproject.org` and `git.torproject.org` web sites now
 redirect to GitLab.
 
+ [legacy/gitolite namespace]: https://gitlab.torproject.org/legacy/gitolite/
+ [GitWeb front page]: https://gitweb.torproject.org/
+
 Best effort was made to reproduce the original gitolite repositories
 faithfully and also avoid duplicating too much data in the
 migration. But it's *possible* that some data present in Gitolite has
@@ -54,69 +62,99 @@ problems we faced during the migration.
 
 Normally, nothing should be lost. All repositories in gitolite have
 been either explicitly migrated by their owners, forcibly migrated by
-the sysadmin team ([TPA](https://gitlab.torproject.org/tpo/tpa/team/)), or explicitly destroyed at their owner's
+the sysadmin team ([TPA][]), or explicitly destroyed at their owner's
 request.
 
-An exhaustive [rewrite map](https://archive.torproject.org/websites/gitolite2gitlab.txt) translates gitolite projects to GitLab
+ [TPA]: https://gitlab.torproject.org/tpo/tpa/team/
+
+An exhaustive [rewrite map][] translates gitolite projects to GitLab
 projects. Some of those projects actually redirect to their *parent*
 in cases of empty repositories that were obvious forks. Destroyed
 repositories redirect to the GitLab front page.
 
+ [rewrite map]: https://archive.torproject.org/websites/gitolite2gitlab.txt
+
 Because the migration happened progressively, it's technically
 possible that commits pushed to gitolite were lost after the
 migration. We took great care to avoid that scenario. First, we
-adopted a proposal ([TPA-RFC-36](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-36-gitolite-gitweb-retirement)) in June 2023 to announce the
-transition. Then, in [March 2024](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41213), we locked down all repositories
+adopted a proposal ([TPA-RFC-36][]) in June 2023 to announce the
+transition. Then, in [March 2024][], we locked down all repositories
 from any further changes. Around that time, only a [handful of
-repositories](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41214#note_2983302 "handful of repositories") had changes made after the adoption date, and we
+repositories][] had changes made after the adoption date, and we
 examined each repository carefully to make sure nothing was lost.
 
-Still, we built a [diff of all the changes in the git references](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215#note_3023924)
+ [handful of repositories]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41214#note_2983302 "handful of repositories"
+ [March 2024]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41213
+ [TPA-RFC-36]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-36-gitolite-gitweb-retirement
+
+Still, we built a [diff of all the changes in the git references][]
 that archivists can peruse to check for data loss. It's large (6MiB+)
 because a lot of repositories were migrated before the mass migration
 and then kept evolving in GitLab. Many other repositories were rebuilt
 in GitLab from parent to rebuild a fork relationship which added extra
 references to those clones.
 
+ [diff of all the changes in the git references]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215#note_3023924
+
 A note to amateur archivists out there, it's probably too late for one
 last crawl now. The Git repositories now all redirect to GitLab and
 are effectively unavailable in their original form.
 
-That said, the GitWeb site was crawled into the [Internet Archive](https://archive.org/) [in
-February 2024](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41218#note_2992296), so at least some copy of it is available in the
-[Wayback Machine](https://web.archive.org/web/20240204162238/https://gitweb.torproject.org/). At that point, however, many developers had already
+That said, the GitWeb site was crawled into the [Internet Archive][] [in
+February 2024][], so at least some copy of it is available in the
+[Wayback Machine][]. At that point, however, many developers had already
 migrated their projects to GitLab, so the copies there were already
 possibly out of date compared with the repositories in GitLab.
 
-[Software Heritage](https://www.softwareheritage.org/) also has a copy of all repositories hosted on
-Gitolite [since June 2023](https://gitlab.softwareheritage.org/swh/infra/sysadm-environment/-/issues/4939) and have continuously kept mirroring the
+ [Wayback Machine]: https://web.archive.org/web/20240204162238/https://gitweb.torproject.org/
+ [in February 2024]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41218#note_2992296
+ [Internet Archive]: https://archive.org/
+
+[Software Heritage][] also has a copy of all repositories hosted on
+Gitolite [since June 2023][] and have continuously kept mirroring the
 repositories, where they will be kept hopefully in eternity. There's
-an [issue](https://gitlab.softwareheritage.org/swh/devel/swh-web/-/issues/4787) where the main website can't find the repositories when
+an [issue][] where the main website can't find the repositories when
 you search for `gitweb.torproject.org`, instead [search for
-`git.torproject.org`](https://archive.softwareheritage.org/browse/search/?q=git.torproject.org&visit_type=git&with_content=true&with_visit=true).
+`git.torproject.org`][].
+
+ [search for `git.torproject.org`]: https://archive.softwareheritage.org/browse/search/?q=git.torproject.org&visit_type=git&with_content=true&with_visit=true
+ [issue]: https://gitlab.softwareheritage.org/swh/devel/swh-web/-/issues/4787
+ [since June 2023]: https://gitlab.softwareheritage.org/swh/infra/sysadm-environment/-/issues/4939
+ [Software Heritage]: https://www.softwareheritage.org/
 
 In any case, if you believe data is missing, please do let us know by
-[opening an issue with TPA](https://gitlab.torproject.org/tpo/tpa/team/-/issues/new).
+[opening an issue with TPA][].
+
+ [opening an issue with TPA]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/new
 
 # Why?
 
 This is an old project in the making. The first [discussion about
-migrating from gitolite to GitLab](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40472) started in 2020 (almost 4 years
-ago). But [going further back](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/trac#history), the first GitLab experiment was in
+migrating from gitolite to GitLab][] started in 2020 (almost 4 years
+ago). But [going further back][], the first GitLab experiment was in
 2016, almost a decade ago.
 
+ [going further back]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/trac#history
+
+ [discussion about migrating from gitolite to GitLab]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40472
+
 The current GitLab server dates from 2019, [replacing Trac for issue
-tracking in 2020](https://blog.torproject.org/from-trac-into-gitlab-for-tor/). It was originally supposed to host only mirrors
+tracking in 2020][]. It was originally supposed to host only mirrors
 for merge requests and issue trackers but, naturally, one thing led to
 another and eventually, GitLab had grown a container registry,
 continuous integration (CI) runners, GitLab Pages, and, of course,
 hosted most Git repositories.
 
+ [replacing Trac for issue tracking in 2020]: https://blog.torproject.org/from-trac-into-gitlab-for-tor/
+
 There were hesitations at moving to GitLab for code hosting. We had
-[discussions about the increased attack surface](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81) and [ways to
-mitigate that](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/98), but, ultimately, it seems the issues were not that
+[discussions about the increased attack surface][] and [ways to
+mitigate that][], but, ultimately, it seems the issues were not that
 serious and the community embraced GitLab.
 
+ [ways to mitigate that]: https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/98
+ [discussions about the increased attack surface]: https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81
+
 TPA actually migrated its most critical repositories out of shared
 hosting entirely, into specific servers (e.g. the Puppet Git
 repository is just on the Puppet server now), leveraging Git's
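Review bot: the reference definitions added throughout this hunk are listed in the reverse of the order in which the links appear in each paragraph (for example `[Wayback Machine]:`, then `[in February 2024]:`, then `[Internet Archive]:`), which makes them harder to check against the text; keep them in reading order. There is a stray blank line between `[going further back]:` and `[discussion about migrating from gitolite to GitLab]:`, and the `"handful of repositories"` link title only repeats the link text and can go. Labels that wrap across a line break or contain backticks (the "search for git.torproject.org" one) depend on the renderer normalising the label, so check those in the rendered page and in the email output this change is meant for.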
@@ -138,21 +176,30 @@ When Gitolite access was shutdown, we had repositories on both GitLab
 and Gitolite, without a clear relationship between the two. A priori,
 the plan then was to import all the remaining Gitolite repositories
 into the `legacy/gitolite` namespace, but that seemed wasteful,
-particularly for large repositories like [Tor Browser](https://gitlab.torproject.org/tpo/applications/tor-browser) which uses
+particularly for large repositories like [Tor Browser][] which uses
 nearly a gigabyte of disk space. So we took special care to avoid
 duplicating repositories.
 
-When the [mass migration](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215) started, only 71 of the 538 Gitolite
+ [Tor Browser]: https://gitlab.torproject.org/tpo/applications/tor-browser
+
+When the [mass migration][] started, only 71 of the 538 Gitolite
 repositories were `Migrated to GitLab` in the `gitolite.conf`
 file. So, given that we had *hundreds* of repositories to migrate:, we
-developed some automation to "[save time](https://xkcd.com/1205/)". We already automate
-similar ad-hoc tasks with [Fabric](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/fabric/), so we used that framework here
-as well. (Our normal configuration management tool is [Puppet](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet),
+developed some automation to "[save time][]". We already automate
+similar ad-hoc tasks with [Fabric][], so we used that framework here
+as well. (Our normal configuration management tool is [Puppet][],
 which is a poor fit here.)
 
-So a relatively [large amount of Python code](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/blob/85121b4a8a293cebb0d9dfd68ebf26e2cc95ed76/fabric_tpa/gitolite.py) was produced to
+ [Puppet]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet
+ [Fabric]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/fabric/
+ [save time]: https://xkcd.com/1205/
+ [mass migration]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215
+
+So a relatively [large amount of Python code][] was produced to
 basically do the following:
 
+ [large amount of Python code]: https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/blob/85121b4a8a293cebb0d9dfd68ebf26e2cc95ed76/fabric_tpa/gitolite.py
+
  1. check if all on-disk repositories are listed in `gitolite.conf`
     (and vice versa) and either add missing repositories or delete
     them from disk if garbage
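
Review bot: the stray punctuation in "repositories to migrate:, we" is still present in the context line directly above the rewritten `[save time][]` line; since this paragraph is being rewrapped anyway, drop the `:` there. The new reference definitions are also scattered after three different paragraphs (with `[mass migration]` defined two paragraphs below its first use); collecting them in one block at the end of the section would make later link updates easier to review.
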
@@ -186,9 +233,11 @@ first-come-first-served basis from the `gitolite.conf` order.

(diff file truncated)
automatic federated post of blog/2024-05-01-gitolite-gitlab-migration.md
Command: ['/usr/bin/feed2exec', '-v', 'fetch', '--nocache']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2024-05-01-gitolite-gitlab-migration.md b/blog/2024-05-01-gitolite-gitlab-migration.md
index a93b36ca..991a2c2c 100644
--- a/blog/2024-05-01-gitolite-gitlab-migration.md
+++ b/blog/2024-05-01-gitolite-gitlab-migration.md
@@ -535,3 +535,7 @@ The reference copy of those is available in our (currently private)
 Puppet git repository.
 
 [[!tag tor gitlab debian-planet gitlab git sysadmin python python-planet]]
+
+
+<!-- posted to the federation on 2024-05-01T10:58:47.676656 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/112366421768959691"]]
\ No newline at end of file
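
Review bot: the appended `[[!mastodon ...]]` line leaves the file without a trailing newline (see the `\ No newline at end of file` marker), and two blank `+` lines are inserted before the comment where one would do. The posting plugin should terminate the file with a newline so the next edit to this post does not show the directive line as modified.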

add tags
diff --git a/blog/2024-05-01-gitolite-gitlab-migration.md b/blog/2024-05-01-gitolite-gitlab-migration.md
index 6862f96b..a93b36ca 100644
--- a/blog/2024-05-01-gitolite-gitlab-migration.md
+++ b/blog/2024-05-01-gitolite-gitlab-migration.md
@@ -534,3 +534,4 @@ RewriteRule .* https://gitlab.torproject.org [R=302,L]
 The reference copy of those is available in our (currently private)
 Puppet git repository.
 
+[[!tag tor gitlab debian-planet gitlab git sysadmin python python-planet]]
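
Review bot: the added tag line lists `gitlab` twice (`tor gitlab debian-planet gitlab git ...`); drop the second occurrence.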

new blog post from work
diff --git a/blog/2024-05-01-gitolite-gitlab-migration.md b/blog/2024-05-01-gitolite-gitlab-migration.md
new file mode 100644
index 00000000..6862f96b
--- /dev/null
+++ b/blog/2024-05-01-gitolite-gitlab-migration.md
@@ -0,0 +1,536 @@
+[[!meta title="Tor migrates from Gitolite/GitWeb to GitLab"]]
+
+> Note: I've been awfully silent here for the past ... (checks notes)
+> oh dear, 3 months! But that's not because I've been idle, quite the
+> contrary, I've been very busy but just didn't have time to write
+> about anything. So I've taken it upon myself to write *something*
+> about my work this week, and published [this post on the Tor
+> blog](https://blog.torproject.org/gitolite-gitlab-migration/) which I copy here for a broader audience. Let me know if
+> you like this or not.
+
+Tor has finally completed a long migration from legacy Git
+infrastructure ([Gitolite and GitWeb](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git)) to our self-hosted
+[GitLab](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab) server.
+
+Git repository addresses have therefore changed. Many of you probably
+have made the switch already, but if not, you will need to change:
+
+    https://git.torproject.org/
+
+to:
+
+    https://gitlab.torproject.org/
+
+In your Git configuration.
+
+The [GitWeb front page](https://gitweb.torproject.org/) is now an archived listing of all the
+repositories before the migration. Inactive git repositories were
+archived in GitLab [legacy/gitolite namespace](https://gitlab.torproject.org/legacy/gitolite/) and the
+`gitweb.torproject.org` and `git.torproject.org` web sites now
+redirect to GitLab.
+
+Best effort was made to reproduce the original gitolite repositories
+faithfully and also avoid duplicating too much data in the
+migration. But it's *possible* that some data present in Gitolite has
+not migrated to GitLab.
+
+User repositories are particularly at risk, because they were
+massively migrated, and they were "re-forked" from their upstreams, to
+avoid wasting disk space. If a user had a project with a matching name
+it was *assumed* to have the right data, which might be inaccurate.
+
+The two virtual machines responsible for the legacy service (`cupani`
+for `git-rw.torproject.org` and `vineale` for `git.torproject.org` and
+`gitweb.torproject.org`) have been shutdown. Their disks will remain
+for 3 months (until the end of July 2024) and their backups for
+another year after that (until the end of July 2025), after which
+point all the data from those hosts will be destroyed, with only the
+GitLab archives remaining.
+
+The rest of this article expands on how this was done and what kind of
+problems we faced during the migration.
+
+# Where is the code?
+
+Normally, nothing should be lost. All repositories in gitolite have
+been either explicitly migrated by their owners, forcibly migrated by
+the sysadmin team ([TPA](https://gitlab.torproject.org/tpo/tpa/team/)), or explicitly destroyed at their owner's
+request.
+
+An exhaustive [rewrite map](https://archive.torproject.org/websites/gitolite2gitlab.txt) translates gitolite projects to GitLab
+projects. Some of those projects actually redirect to their *parent*
+in cases of empty repositories that were obvious forks. Destroyed
+repositories redirect to the GitLab front page.
+
+Because the migration happened progressively, it's technically
+possible that commits pushed to gitolite were lost after the
+migration. We took great care to avoid that scenario. First, we
+adopted a proposal ([TPA-RFC-36](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-36-gitolite-gitweb-retirement)) in June 2023 to announce the
+transition. Then, in [March 2024](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41213), we locked down all repositories
+from any further changes. Around that time, only a [handful of
+repositories](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41214#note_2983302 "handful of repositories") had changes made after the adoption date, and we
+examined each repository carefully to make sure nothing was lost.
+
+Still, we built a [diff of all the changes in the git references](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215#note_3023924)
+that archivists can peruse to check for data loss. It's large (6MiB+)
+because a lot of repositories were migrated before the mass migration
+and then kept evolving in GitLab. Many other repositories were rebuilt
+in GitLab from parent to rebuild a fork relationship which added extra
+references to those clones.
+
+A note to amateur archivists out there, it's probably too late for one
+last crawl now. The Git repositories now all redirect to GitLab and
+are effectively unavailable in their original form.
+
+That said, the GitWeb site was crawled into the [Internet Archive](https://archive.org/) [in
+February 2024](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41218#note_2992296), so at least some copy of it is available in the
+[Wayback Machine](https://web.archive.org/web/20240204162238/https://gitweb.torproject.org/). At that point, however, many developers had already
+migrated their projects to GitLab, so the copies there were already
+possibly out of date compared with the repositories in GitLab.
+
+[Software Heritage](https://www.softwareheritage.org/) also has a copy of all repositories hosted on
+Gitolite [since June 2023](https://gitlab.softwareheritage.org/swh/infra/sysadm-environment/-/issues/4939) and have continuously kept mirroring the
+repositories, where they will be kept hopefully in eternity. There's
+an [issue](https://gitlab.softwareheritage.org/swh/devel/swh-web/-/issues/4787) where the main website can't find the repositories when
+you search for `gitweb.torproject.org`, instead [search for
+`git.torproject.org`](https://archive.softwareheritage.org/browse/search/?q=git.torproject.org&visit_type=git&with_content=true&with_visit=true).
+
+In any case, if you believe data is missing, please do let us know by
+[opening an issue with TPA](https://gitlab.torproject.org/tpo/tpa/team/-/issues/new).
+
+# Why?
+
+This is an old project in the making. The first [discussion about
+migrating from gitolite to GitLab](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40472) started in 2020 (almost 4 years
+ago). But [going further back](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/trac#history), the first GitLab experiment was in
+2016, almost a decade ago.
+
+The current GitLab server dates from 2019, [replacing Trac for issue
+tracking in 2020](https://blog.torproject.org/from-trac-into-gitlab-for-tor/). It was originally supposed to host only mirrors
+for merge requests and issue trackers but, naturally, one thing led to
+another and eventually, GitLab had grown a container registry,
+continuous integration (CI) runners, GitLab Pages, and, of course,
+hosted most Git repositories.
+
+There were hesitations at moving to GitLab for code hosting. We had
+[discussions about the increased attack surface](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81) and [ways to
+mitigate that](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/98), but, ultimately, it seems the issues were not that
+serious and the community embraced GitLab.
+
+TPA actually migrated its most critical repositories out of shared
+hosting entirely, into specific servers (e.g. the Puppet Git
+repository is just on the Puppet server now), leveraging Git's
+decentralized nature and removing an entire attack surface from our
+infrastructure. Some of those repositories are *mirrored* back into
+GitLab, but the authoritative copy is not on GitLab.
+
+In any case, the proposal to migrate from Gitolite to GitLab was
+effectively just formalizing a *fait accompli*.
+
+# How to migrate from Gitolite / cgit to GitLab
+
+The progressive migration was a challenge. If you intend to migrate
+between hosting platforms, we strongly recommend to make a "flag day"
+during which you migrate *all* repositories *at once*. This ensures a
+smoother transition and avoids elaborate rewrite rules.
+
+When Gitolite access was shutdown, we had repositories on both GitLab
+and Gitolite, without a clear relationship between the two. A priori,
+the plan then was to import all the remaining Gitolite repositories
+into the `legacy/gitolite` namespace, but that seemed wasteful,
+particularly for large repositories like [Tor Browser](https://gitlab.torproject.org/tpo/applications/tor-browser) which uses
+nearly a gigabyte of disk space. So we took special care to avoid
+duplicating repositories.
+
+When the [mass migration](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41215) started, only 71 of the 538 Gitolite
+repositories were `Migrated to GitLab` in the `gitolite.conf`
+file. So, given that we had *hundreds* of repositories to migrate:, we
+developed some automation to "[save time](https://xkcd.com/1205/)". We already automate
+similar ad-hoc tasks with [Fabric](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/fabric/), so we used that framework here
+as well. (Our normal configuration management tool is [Puppet](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet),
+which is a poor fit here.)
+
+So a relatively [large amount of Python code](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/blob/85121b4a8a293cebb0d9dfd68ebf26e2cc95ed76/fabric_tpa/gitolite.py) was produced to
+basically do the following:
+
+ 1. check if all on-disk repositories are listed in `gitolite.conf`
+    (and vice versa) and either add missing repositories or delete
+    them from disk if garbage
+ 2. for each repository in `gitolite.conf`, if its category is marked
+    `Migrated to GitLab`, skip, otherwise;
+ 3. find a matching GitLab project by name, prompt the user for
+    multiple matches
+ 4. if a match is found, redirect if the repository is non-empty 
+    * we have GitLab projects that *look* like the real thing, but are
+    only present to host migrated Trac issues
+    * in such cases we cloned the Gitolite project locally and pushed
+    to the existing repository instead
+ 5. otherwise, a new repository is created in the `legacy/gitolite`
+    namespace, using the "import" mechanism in GitLab to automatically
+    import the repository from Gitolite, creating redirections and
+    updating `gitolite.conf` to document the change
+
+User repositories (those under the `user/` directory in Gitolite) were
+handled specially. First, the existing redirection map was checked to
+see if a similarly named project was migrated (so that,
+e.g. `user/dgoulet/tor` is properly treated as a fork of
+`tpo/core/tor`). Then the parent project was forked in GitLab and the
+Gitolite project force-pushed to the fork. This allows us to show the
+fork relationship in GitLab and, more importantly, benefit from the
+"pool" feature in GitLab which deduplicates disk usage between forks.
+
+Sometimes, we found no such relationships. Then we simply imported
+multiple repositories with similar names in the `legacy/gitolite`
+namespace, sometimes creating forks between user repositories, on a
+first-come-first-served basis from the `gitolite.conf` order.
+
+The code used in this migration is now available publicly. We
+encourage other groups planning to migrate from Gitolite/GitWeb to
+GitLab to use (and contribute to) our [fabric-tasks](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/) repository,
+even though it does have its fair share of hard-coded assertions. 
+
+The main entry point is the `gitolite.mass-repos-migration` task. A
+typical migration job looked like:
+
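
Review bot: the "User repositories are particularly at risk" paragraph says a matching project name was *assumed* to hold the right data, but gives owners no way to check; the reference diff is only linked later under "Where is the code?". Suggest pointing to that diff and to the "opening an issue with TPA" link from the at-risk paragraph itself, so affected users can verify their refs before the stated disk deletion date (end of July 2024). Smaller points in the same hunk: the heading "How to migrate from Gitolite / cgit to GitLab" says cgit while the title and the rest of the post say GitWeb; "have been shutdown" and "was shutdown" should be "shut down"; "migrate:, we" has stray punctuation; and the sub-bullets under list item 4 are indented less than their continuation lines, which may not render as nested.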

(diff file truncated)
kobo wikipedia hacking
diff --git a/hardware/tablet/kobo-clara-hd.md b/hardware/tablet/kobo-clara-hd.md
index 1decbdad..eab362df 100644
--- a/hardware/tablet/kobo-clara-hd.md
+++ b/hardware/tablet/kobo-clara-hd.md
@@ -206,6 +206,18 @@ decided *not* to do here because my time is precious:
  * using calibre to generate e-books based on RSS feeds (yes, I did
    that, and yes, it was pretty bad and almost useless)
  * [SSH support][]: builtin to koreader
+ * offline Wikipedia support: incredibly, 512GiB micro-SD cards are a
+   thing now, so all of Wikipedia could fit on a Kobo... Koreader has
+   [Wikipedia support](https://github.com/koreader/koreader/wiki/Wikipedia-support) but cannot [work offline](https://github.com/koreader/koreader/issues/2333), although
+   there's a [PR to add a plugin that works on a SQLite database
+   converted from ZIM files](https://github.com/koreader/koreader/pull/9534). I've also found [hacks to make it
+   work again on Nickel](https://phire.cc/Offline-Wikipedia-on-the-Kobo.html) ([another](https://a3nm.net/blog/kobo_glo_hacking.html)). But also, Kobo forcibly
+   forces the `vfat` filesystem type for `/mnt/onboard`, so it's
+   actually impossible to write the full Wikipedia archives, as FAT
+   filesystems are limited to 4GB files. I tried patching that out of
+   `/etc/init.d/rcS` but failed. The workaround typically used is to
+   make another filesystem and add an extra init command to mount it
+   at boot, and write files there.
 
 Now maybe I'll have time to actually read a book...
 
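
Review bot: "Kobo forcibly forces the `vfat` filesystem type" is redundant ("Kobo forces" is enough), and the new bullet uses inline links while the neighbouring `[SSH support][]` item uses reference-style links. The sentence "I tried patching that out of `/etc/init.d/rcS` but failed" would be more useful with one clause on how it failed (boot failure, mount reverted, and so on), since the workaround in the next sentence depends on it.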

another charger
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index e0992c51..94e7a168 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -379,6 +379,12 @@ reddit](https://old.reddit.com/r/UsbCHardware/comments/161t5d4/absolutely_smalle
 It's not small enough to beat the Sharge as a daily driver, but if I
 find it too bulky / heavy, maybe I'll indulge.
 
+### Others
+
+Russell Coker [bought](https://etbe.coker.com.au/2024/04/29/usb-psus/) [this device from Ali Express](https://www.aliexpress.com/item/1005006105371654.html) which is
+not quite in the same range of things as the above, but could serve
+well as a home charger.
+
 ## USB testers
 
 Now that a USB cable isn't a simple 5V electric signal, cables and

another zfs thing
diff --git a/software/zfs.md b/software/zfs.md
index 4c8aaf6e..76ea279f 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -282,6 +282,10 @@ It has a setup command to initialize a configuration, example setup:
 There is no official Debian package but upstream has a [debian source
 package](https://github.com/Gregy/znapzend-debian). It is written in Perl.
 
+### zelta
+
+[zelta](https://github.com/bellhyve/zelta) is written in Awk. Incomplete, ran with [zfsnap](https://github.com/zfsnap/zfsnap).
+
 ### Other DIY solutions
 
 twb (`#debian-til`) wrote [cyber-zfs-backup](https://github.com/cyberitsolutions/cyber-zfs-backup). It's short (~300
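
Review bot: "Incomplete, ran with [zfsnap]" in the new zelta entry is ambiguous: it is not clear whether zelta itself is incomplete or this evaluation is, nor whether "ran with" means it was tested alongside zfsnap or depends on it. Spell that out in a full sentence, and mention the packaging status as the znapzend entry just above does.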

sway's autotiler now in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index eed45781..931a957e 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -1465,7 +1465,7 @@ There's a lot of improvements Sway could bring over using plain
 i3. There are pretty neat auto-tilers that could replicate the
 configurations I used to have in Xmonad or Awesome, see:
 
- * [autotiling][]
+ * [autotiling][] (now in Debian)
  * [swaymonad][]
 
 [autotiling]: https://github.com/nwg-piotr/autotiling
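
Review bot: "(now in Debian)" on the `[autotiling][]` item gives no package link or release; the same file already uses `[[!debpkg slick-greeter]]` for packaged software, so `[[!debpkg autotiling]]` plus the release it entered would keep this verifiable.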

new greetd extension landed in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 287598d2..eed45781 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -496,15 +496,17 @@ Possible alternatives:
 
  * [lightdm elephant greeter][] (I tried [[!debpkg slick-greeter]] and
    [[!debpkg ukui-greeter]], neither could start the Sway session)
- * [greetd][] and [QtGreet][] (former in Debian, not latter, which
-   means we're stuck with the weird [agreety](https://manpages.debian.org/agreety) which doesn't work at
-   all)
+ * [greetd][], [tuigreet][] (in Debian) and [QtGreet][] (not in
+   Debian), tested [agreety][] (part of greetd) but it didn't work at
+   all
  * [sddm][]: KDE's default, in Debian, probably heavier or as heavy as
    gdm3
 
 [lightdm elephant greeter]: https://github.com/max-moser/lightdm-elephant-greeter
 [greetd]: https://sr.ht/~kennylevinsen/greetd/
 [QtGreet]: https://gitlab.com/marcusbritanicus/QtGreet
+[tuigreet]: https://github.com/apognu/tuigreet
+[agreety]: https://manpages.debian.org/agreety
 [sddm]: https://github.com/sddm/sddm
 
 ## Terminal: xterm → foot
@@ -983,9 +985,9 @@ how many things you were using are tightly bound to X.
    programs, basically)
 
  * notifications: previously [dunst][] in some places, which works
-   well in both Xorg and Wayland, not a blocker, [fnott][] ([not in
-   Debian](https://bugs.debian.org/997020)), [salut][] (not in Debian) possible alternatives:
-   damjan [uses mako][]. Eventually migrated to [sway-nc][].
+   well in both Xorg and Wayland, not a blocker, [fnott][], [salut][]
+   (not in Debian) possible alternatives: damjan [uses
+   mako][]. Eventually migrated to [sway-nc][].
 
  * notification area: I had trouble making `nm-applet` work. based on
    [this nm-applet.service][], I found that you need to pass `--indicator`.  In
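
Review bot: in the rewritten notifications bullet, removing the `[not in Debian](https://bugs.debian.org/997020)` link leaves `[fnott][]` with no stated packaging status, and the remaining "(not in Debian)" now reads as applying to `[salut][]` only. If fnott has been packaged, say so explicitly as the other entries do; if not, keep the bug reference. This hunk is also unrelated to the commit subject (greetd), so it would be easier to track as its own commit.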

yet another sync client
diff --git a/blog/2021-11-21-mbsync-vs-offlineimap.md b/blog/2021-11-21-mbsync-vs-offlineimap.md
index d4b29a30..5222390f 100644
--- a/blog/2021-11-21-mbsync-vs-offlineimap.md
+++ b/blog/2021-11-21-mbsync-vs-offlineimap.md
@@ -1062,6 +1062,9 @@ Those are all the options I have considered, in alphabetical order
    mentions UUCP in the manpage, mentions `rsmtp` which is a nice name
    for `rsendmail`. not evaluated because it seems awfully complex to
    setup, Haskell
+ * [neverest](https://git.sr.ht/~soywod/neverest-cli): rust, IMAP/Maildir/Notmuch sync, filters, lacks
+   client TLS support, see [comparison](https://pimalaya.org/neverest/cli/latest/faq.html), layout [incompatible with
+   mbsync](https://todo.sr.ht/~soywod/pimalaya/196), [unclear if it supports IDLE/notify](https://todo.sr.ht/~soywod/pimalaya/162#event-346614)
  * [nncp](http://www.nncpgo.org/): treat the local spool as another mail server, not really
    compatible with my "multiple clients" setup, Golang
  * [offlineimap3](https://github.com/OfflineIMAP/offlineimap3): requires IMAP, used the py2 version in the past,
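
Review bot: "lacks client TLS support" in the neverest entry can be read two ways, either no TLS client certificate authentication or no TLS to the IMAP server at all, and those have very different consequences for credentials on the wire. State which one is meant and link the source, as is done for the layout and IDLE points on the following lines.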

some research on keyboards
diff --git a/hardware/keyboard.mdwn b/hardware/keyboard.mdwn
index 515b4639..e4dbbfef 100644
--- a/hardware/keyboard.mdwn
+++ b/hardware/keyboard.mdwn
@@ -376,6 +376,25 @@ feedback, trackballs.
 This is a pretty TKL keyboard, the [Multics](https://vortexgear.store/en-ca/products/multix?variant=43056025993379). Not sure about the Fn
 key on the right though.
 
+# Mini / travel keyboards
+
+Those are useful for the media station or traveling on the road with a
+phone or tablet.
+
+ * [Voyager](https://www.zsa.io/voyager), from the moonlander folks, a bit big, "ergonomic" (so
+   columnar, split layout, unusual keys), expensive (365$USD+)
+
+ * [rii](http://www.riitek.com/product/214.html): bluetooth, tiny keyboard, mostly for thumbs, media
+   server, cheap-ish (25$) but proprietary battery
+
+ * [adafruit mini keyboard](https://www.adafruit.com/product/3601): 13$ but no mouse, back ordered, really
+   tiny, looks like [this keyboard](https://gromaudio.com/store/accessories/keyboard-k-wbtk3.html)
+
+ * [iclever bk08](https://office.iclever.com/products/BK08-Portable-Tri-folding-Bluetooth-Keyboard-with-Touchpad): foldable keyboard, 60$
+ 
+ * [rk925](https://rkgamingstores.com/products/rk925-foldable-mechanical-keyboard): foldable keyboard, but feels in the wrong direction,
+   maybe a bit too small? 112$
+
 # Reviews
 
 * [rtings](https://www.rtings.com/keyboard) has a keyboards section
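
Review bot: prices in the new list are written inconsistently (`365$USD+`, `25$`, `13$`, `60$`, `112$`), with a currency given only for the Voyager; pick one form and one currency. The `+` line between the iclever and rk925 items carries trailing whitespace. While here, the context line above spells the keyboard "Multics" but its link slug is `multix`.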

fix link to other emacs article, thanks reader!
diff --git a/blog/2022-03-20-20-years-emacs.md b/blog/2022-03-20-20-years-emacs.md
index 37757d33..a7649c61 100644
--- a/blog/2022-03-20-20-years-emacs.md
+++ b/blog/2022-03-20-20-years-emacs.md
@@ -1,6 +1,6 @@
 [[!meta title="20+ years of Emacs"]]
 
-I enjoyed reading [this article named "22 years of Emacs"](https://arjenwiersma.nl/writeups/emacs/22-years-of-emacs/)
+I enjoyed reading [this article named "22 years of Emacs"](https://arjenwiersma.nl/posts/22-years-of-emacs/)
 recently. It's kind of fascinating, because I realised I don't exactly
 know for how long I've been using Emacs. It's lost in the mists of
 [[history|blog/2012-11-01-my-short-computing-history]]. If I would

document sleeves and cases
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 66ed3b07..0a083c6a 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2079,6 +2079,18 @@ USB-C|blog/2023-02-10-usb-c]]. I'm considering a Dell
  * [logitech dongle hider with USB-A output](https://github.com/LeoDJ/FW-EC-DongleHiderPlus)
 * check out [this forum category](https://community.frame.work/c/developer-program/expansion-card/90) for a cornucopia of those
 
+## Sleeves and cases
+
+I carry the 13" Framework laptop in a [tomtoc Defender A13
+sleeve](https://www.tomtoc.com/products/tomtoc-a13-versatile-laptop-sleeve-for-13-5-inch-microsoft-surface-laptop-navy-blue). It's a nice soft sleeve with a pocket where I fit all the
+expansion cards and a power supply. There's a [pretty long thread
+about carrying bags and sleeves](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763) where I [participated](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763/115?u=anarcat) (and,
+you'll notice, bought another Timbuk sleeve I didn't like so much.
+
+In retrospect, I might consider buying a hard shell next time. The
+Smatree 13.5 looks pretty cool, but it's [not clear if it actually
+fits](https://community.frame.work/t/hard-case-compatibility/13016/4?u=anarcat). [This one comment points at one case that does fit](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763/131?u=anarcat)
+
 ## Upstream resources
 
  * [community forum](https://community.frame.work/), lots of information, much support, wow!
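
Review bot: the parenthesis opened at "(and, you'll notice, bought another Timbuk sleeve" is never closed, and the last sentence of the second paragraph ("... one case that does fit") has no final period. The forum links also carry a `?u=anarcat` query parameter that is not needed for the link to work and could be dropped.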

framework BIOS update fail
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index f7cc84f7..66ed3b07 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -940,6 +940,15 @@ can be deployed through LVFS with:
 Those instructions come from the [beta forum post](https://community.frame.work/t/12th-gen-intel-core-bios-3-06-beta/25726). I performed the
 BIOS update on 2023-01-16T16:00-0500.
 
+Update: more than a year later, that update never came out of
+beta. Worse, they published a new update (3.08) including security fixes, but
+only for Windows. See [this very long thread on the forum](https://community.frame.work/t/12th-gen-intel-core-bios-3-08-release/43244), [my
+comment](https://community.frame.work/t/12th-gen-intel-core-bios-3-08-release/43244/329?u=anarcat), and [this Ars article](https://arstechnica.com/gadgets/2024/04/frameworks-software-and-firmware-have-been-a-mess-but-its-working-on-them/).
+
+I have filed a formal complaint with support, threatening a refund, as
+I find it simply unacceptable that they just drop support for Linux
+like this.
+
 ## Resolution tweaks
 
 The Framework laptop resolution (2256px X 1504px) is big enough to
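
Review bot: "Update: more than a year later" is relative to a date the reader has to go and find; the paragraph above records the BIOS update with a full timestamp, so give this update an absolute date too. Since the point is that 3.08 carries security fixes and is Windows-only, it would help to state which version this machine is left on. "threatening a refund" presumably means threatening to ask for one.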

calibre can't do flat
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index 63e43524..e2ae6e5e 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -561,6 +561,53 @@ until we're satisfied.
 
 Or we can just keep using Calibre.
 
+Another big problem I have with Calibre right now is that it enforces
+this `Author/Title/Title.epub` folder structure which is really
+*heavy* and annoying. It feels like iTunes. I have 355 authors in my
+collection here and 952 books (or at least 952 second-level folders),
+so the Author/Title distinction is really not helping much: a flat
+hierarchy of `Author - Title.epub` would really work just as well, and
+would make the book collection much easier to browse using standard
+tools (e.g. Koreader would render it much more nicely).
+
+Compare, for example, before:
+
+[[!img snap-20240415T135134.png]]
+
+and after flatting:
+
+[[!img snap-20240415T135538.png]]
+
+Now, I cheated a little bit there as I don't show the other Ada Palmer
+books, for which Koreader somehow can't generate a cover for (which is
+a problem!) and I deleted the `cover.jpg` that Calibre adds everywhere
+which would otherwise double the listings everywhere. (But I'm
+considering ditching those files anyways, since they clutter
+everything and needlessly inflate the library.)
+
+But this is something the Calibre author has been [completely
+inflexible](https://manual.calibre-ebook.com/faq.html#why-doesn-t-calibre-let-me-store-books-in-my-own-folder-structure) on since basically forever:
+
+> If you are still not convinced, then I’m afraid calibre is not for
+> you. Look elsewhere for your book cataloguing needs. Just so we’re
+> clear, this is not going to change. Kindly do not contact us in an
+> attempt to get us to change this.
+
+... which is a recurring pattern of "my way or the highway" with this
+software. Totally within their right of course, but exactly the kind
+of things that make me want to look elsewhere.
+
+In any case, if we're going to ditch Calibre, this would be the
+procedure:
+
+    rm */*/cover.jpg # remove all covers
+    # rename all actual book files without the directories, keeping extension
+    rename 's,([^/]*)/([^/]*)/.*-.*(\....),$1 - $2$3,' */*/*
+    # rename remaining files, should just be metadata.opf
+    rename 's,([^/]*)/([^/]*)/metadata.opf,$1 - $2.opf,' */*/*
+    # remove empty directories, if this fails, we forgot some
+    rmdir */*
+
 [work Peter Keel did]: https://seegras.discordia.ch/Blog/life-with-calibre/
 [epub-tools]: https://sourceforge.net/projects/ebook-tools/
 [Thunar]: https://docs.xfce.org/xfce/thunar/start
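
Review bot: the procedure at the end of this hunk deletes and renames in place with no preview step; `rm */*/cover.jpg` and both `rename` calls are not reversible across 952 book folders, so suggest documenting a dry run with `rename -n` first and working on a copy of the library. In the first expression, `.*-.*(\....)` only matches file names containing a `-`, and captures a dot plus exactly three characters, so `.epub` comes out right only because the unmatched trailing `b` is left in place; `(\.[^.]+)$` would state the intent. Prose nits: "after flatting" should be "after flattening", and "for which Koreader somehow can't generate a cover for" doubles "for".
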
diff --git a/software/desktop/calibre/snap-20240415T135134.png b/software/desktop/calibre/snap-20240415T135134.png
new file mode 100644
index 00000000..e5f2e845
Binary files /dev/null and b/software/desktop/calibre/snap-20240415T135134.png differ
diff --git a/software/desktop/calibre/snap-20240415T135538.png b/software/desktop/calibre/snap-20240415T135538.png
new file mode 100644
index 00000000..2bba3b43
Binary files /dev/null and b/software/desktop/calibre/snap-20240415T135538.png differ

new package in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index affe47f1..287598d2 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -848,8 +848,8 @@ although it's not clear to me what its purpose is...
 I'm a heavy user of [maim][] (and a package uploader in Debian). It
 looks like the direct replacement to maim (and [slop][]) is [grim][]
 (and [slurp][]). There's also [swappy][] which goes on *top* of grim
-and allows preview/edit of the resulting image, nice touch (not in
-Debian though).
+and allows preview/edit of the resulting image, nice touch (in Debian
+since Trixie).
 
 See also [awesome-wayland screenshots][] for other alternatives:
 there are many, including X11 tools like [Flameshot][] that also

hid thing not fixed
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index e9a3cd5c..f7cc84f7 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -500,7 +500,10 @@ Note that there's another solution flying around that fixes this by
 that or seen confirmation it works.
 
 Update: it seems like this issue [has been fixed in newer kernels](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/103)
-([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still works.
+([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still
+works. Worse, I *thought* it was fixed, but then it wasn't: I think I
+forgot to run `depmod -a`, because at some point my <kbd>fn lock</kbd>
+key broke...
 
 ### Kill switches
 
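
Review bot: the "Update:" paragraph now says the issue "has been fixed in newer kernels" and, two lines later, that it was not, without stating the current status or kernel version tested. The compatibility list near the top of the file still marks brightness hotkeys as "(fixed!)", which this commit ("hid thing not fixed") should revert or qualify. The `depmod -a` remark would also be clearer if it named the module or blacklist change it refers to.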

linux fixed the framework brightness button issue!
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 18868775..e9a3cd5c 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -243,7 +243,7 @@ the laptop.
    are much less affordable (700$+)
 
  * the 12th gen has compatibility issues with Debian, followup in the
-   [DebianOn page](https://wiki.debian.org/InstallingDebianOn/FrameWork/12thGen), but basically: [brightness hotkeys](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/6), [power
+   [DebianOn page](https://wiki.debian.org/InstallingDebianOn/FrameWork/12thGen), but basically: [brightness hotkeys](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/6) (fixed!), [power
    management](https://community.frame.work/t/12th-gen-power-management-on-linux/21330), [wifi](https://community.frame.work/t/debian-11-gen12th-wifi-working/21799), the webcam is okay even though the
    chipset is the [infamous alder lake](https://www.phoronix.com/news/Greg-KH-No-ADL-Webcam-Laptop) because it [does not have
    the fancy camera](https://www.phoronix.com/forums/forum/linux-graphics-x-org-drivers/intel-linux/1340695-greg-kh-recommends-avoiding-alder-lake-laptops-intel-webcam-linux-driver-long-ways-out?p=1340968#post1340968); most issues currently seem solvable, and
@@ -499,6 +499,9 @@ Note that there's another solution flying around that fixes this by
 [changing permissions on the input device](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/24?u=anarcat) but I haven't tested
 that or seen confirmation it works.
 
+Update: it seems like this issue [has been fixed in newer kernels](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/103)
+([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still works.
+
 ### Kill switches
 
 The Framework has two "[kill switches](https://en.wikipedia.org/wiki/Kill_switch)": one for the camera and the

usb-c status updates
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 556c045e..e0992c51 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -104,9 +104,14 @@ Sharge, ZMI all within 1.5mm of each other) by only 4mm for depth, so
 maybe not worth it? Interestingly, it's not much lighter than the
 travel-friendly Oneworld.
 
-The Sharge is my current "left in my bag" driver, even though it's
+### Current picks
+
+The Sharge is my current "every day carry" driver, even though it's
 heavier than the TOFU, because the latter is a little too bulky (one
-of the largest by volume).
+of the largest by volume). I do bring the TOFU and/or the Oneworld on
+trips however, especially the TOFU for conferences and the Oneworld
+for hotel rooms (and having *both* means I can leave the latter in the
+hotel room!).
 
 ### Sharge
 
@@ -492,7 +497,7 @@ Also: [this post from Big Mess Of Wires](https://www.bigmessowires.com/2019/05/1
 *anything* might work at all. It's where I had the Cable Matters
 reference however...
 
-Update: I ordered a [this dock from Cable Matters](https://www.cablematters.com/pc-1054-127-usb-c-docking-station-with-dual-4k-hdmi-and-80w-charging-for-windows-computers.aspx) [from Amazon](https://www.amazon.ca/dp/B07PFFN219)
+Update (2023-02-22): I ordered a [this dock from Cable Matters](https://www.cablematters.com/pc-1054-127-usb-c-docking-station-with-dual-4k-hdmi-and-80w-charging-for-windows-computers.aspx) [from Amazon](https://www.amazon.ca/dp/B07PFFN219)
 (reluctantly). It promises “Linux” support and checked all the boxes
 for me (4x USB-A, audio, network, 2xHDMI).
 
@@ -509,16 +514,35 @@ fun. I suspect foul play inside Sway.
 And yeah, those things are costly! This one goes for 300$ a pop, not
 great.
 
-Update 2: Cable Matters support responded by simply giving me this
+Update (2023-02-27): Cable Matters support responded by simply giving me this
 hack that solved it at least for now. Just reverse the USB-C cable,
 and poof, everything works. *Magic*.
 
-Update 3: turns out that was overly optimistic. It seems the problem
+Update (2023-05-10): turns out that was overly optimistic. It seems the problem
 actually resides in Sway, because when it happens (and it still does),
 logging out fixes the issue: GDM3 takes over and reinitializes the
 monitors properly. Then Sway can do its thing when I log back in
 again.
 
+Update (2024-04-13): I have since then returned the dock to Cable
+Matters who have been gracious enough to do a RMA (although I paid for
+shipping). I have now a USB-C twin-[[hardware/monitor]] setup that
+works really well, but the reason for that is that I downgraded Sway
+to the version in stable. It seems like there was some impedance
+mismatch there, and I was rather distressed to find out I still had
+the bugs with the shiny new monitors. So, I guess I'm sorry for the
+Cable Matters folks, their dock was fine after all...
+
+### Current status
+
+I'm using the USB-C docks built-in my [[hardware/monitor]]s, two [Dell
+U2723QE][]. The first monitor's USB ports are completely full, so I
+daisy-chained to the second monitor and, amazingly, that all works
+over a single USB-C cable. The only annoyance is that USB-C cable is
+rather short, so it's not as neatly tucked in as it should ne.
+
+[Dell U2723QE]: https://www.dell.com/en-ca/shop/cty/apd/210-bdpf
+
 ## Power banks
 
 This has been spun out in another page, see [[hardware/battery]].
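Review bot: the new "Current status" paragraph ends with "as it should ne", which should be "as it should be", and "the USB-C docks built-in my [[hardware/monitor]]s" reads better as "built into my". The 2024-04-13 update says the fix was downgrading Sway to the version in stable; naming that version would let readers tell whether they are affected.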

improve toc
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 87effe79..556c045e 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -3,7 +3,7 @@
 Dear lazy web, help me pick the right hardware to make my shiny new
 laptop work better. I want a new USB-C dock and travel power supply.
 
-[[!toc]]
+[[!toc levels=3]]
 
 # Background
 

review USB testers
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 744c78c0..87effe79 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -374,6 +374,61 @@ reddit](https://old.reddit.com/r/UsbCHardware/comments/161t5d4/absolutely_smalle
 It's not small enough to beat the Sharge as a daily driver, but if I
 find it too bulky / heavy, maybe I'll indulge.
 
+## USB testers
+
+Now that a USB cable isn't a simple 5V electric signal, cables and
+chargers matter. A lot. A given cable might not be able to deliver the
+power you need, and it is far from clear which part of the connection
+is to blame, as it could be the charger, the cable, or the charged
+device.
+
+So there are now testers for this. They typically will show you
+voltage and amperage, but can also show wattage, mAh or Wh, and the
+best ones will also show the resistance of the cable alongside the
+protocol negotiated.
+
+We're looking for:
+
+ * voltmeter
+ * anmeter
+ * protocol detection (power delivery, etc)
+ * USB-C in/out (to test USB-C power supplies and cables)
+
+Ideally:
+
+ * wattmeter (yes, i know that's the product of voltage and amperage)
+ * thunderbolt 3, PD 3.1 detection and triggers
+ * USB-A output (to test charging micro-USB devices)
+ * USB-A and micro-USB input (to test old chargers and cables)
+ * e-marker detection
+ * resistance measurement
+
+Other things that those devices can check I care less about:
+
+ * device temperature
+ * "DASH" cable compatibility
+ * Bluetooth support to send results to a phone
+
+The Firefox people have been [running power usage tests](https://github.com/fqueze/usb-power-profiling) with those
+devices, by connecting them to another computer and checking how code
+changes affect power usage. I'm using their list as a basis for
+devices that are not total junk from the "weird internet market place"
+thing.
+
+ * [FNIRSI FNB58](https://www.amazon.com/FNIRSI-Multimeter-Bluetooth-Detection-Measurement/dp/B0BJ253W31): almost has it all, only missing PD 3.1, 50-60$
+   depending on Bluetooth support
+ * [ChargerLAB Power-Z KT002](https://www.amazon.com/ChargerLAB-Power-Z-Voltage-Current-Capacity/dp/B092R533WV?m=A31UM8SRXYVF2Z): everything but micro-USB PD 3.1
+   test, 50$... frustratingly, they have another device (KM002C) that
+   *does* support PD 3.1, but it lacks USB-A/micro USB and cable
+   resistance, and it's *way* more expensive ([100+$ at amazon](https://www.amazon.ca/Charging-Motherboard-Voltmeter-Detector-Accessories/dp/B0CYPG26D2))
+ * AVHzY has a bunch, but those are rather hard to figure out and more
+   expensive, like the [CT3](https://www.aliexpress.com/item/4001280718072.html#nav-specification) is 85CAD, but the [TC66](https://www.aliexpress.com/item/1005006261935936.html?algo_exp_id=b5cf4a97-54ca-42fb-b882-66ad45f33749-0&pdp_npi=4%40dis%21CAD%2132.21%2121.01%21%21%2123.01%2115.01%21%402103249617129781964942450eeb8f%2112000036514751945%21sea%21CA%210%21AB&curPageLogUid=6meoFWJIqWLV&utparam-url=scene%3Asearch%7Cquery_from%3A) is
+   ... 20$!
+ * [ATORCH ACD15P](https://www.aliexpress.com/item/1005005674681544.html): *everything* but USB PD 3.1 (including
+   alligator clips for testing other batteries which is a nice touch),
+   23$
+ * [WITRN C5](https://www.aliexpress.com/item/1005006194408105.html): everything including PD 3.1, but only USB-C, 80$
+
 ## USB Docks
 
 Specification: 
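Review bot: the requirements list spells the current meter as `anmeter`; it should be "ammeter". The TC66 link in the AVHzY item also carries a long AliExpress tracking query string (`algo_exp_id`, `pdp_npi`, `curPageLogUid`, `utparam-url`); trimming it to the bare item URL, as the CT3 and ATORCH links already are, keeps the page readable and avoids publishing session identifiers.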

add mikrotik to list of routers, cross-ref with wifi page since i looked there first
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 2cd2c452..4ba4e616 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -315,8 +315,15 @@ router](https://openwrt.org/toh/views/toh_sfp_ports). The [MicroTik hAP ac](http
    SATA PCIe](https://www.supermicro.com/en/products/system/iot/mini-itx/sys-e200-12d-4c), a bit overkill, and not enough ports to act as a
    switch
  * Protectli has interesting series, e.g. [4x2.5gbit switch + wifi](https://ca.protectli.com/product/fw4c/)
-   and coreboot, but no SFP
+   and coreboot, but no SFP (that's what we ended up going with here)
  * Qotom has a [4xSFP+ 5x2.5gbit beast](https://www.qotom.net/product/RouterPC_Q20331G9S10.html), but no wifi
+ * Mikrotik has sturdy routers and switches, the latter are often
+   locked in their proprietary hardware, but their routers are a
+   little better, e.g. [noodles](https://www.earth.li/~noodles/) says he uses a [mikrotik
+   RB5009](https://mikrotik.com/product/rb5009ug_s_in) in [this blog post about DNS](https://www.earth.li/~noodles/blog/2024/04/backup-internet-rdns.html), but, surprisingly, i
+   don't see *any* Mikrotik entry in [InstallingDebianOn](https://wiki.debian.org/InstallingDebianOn). in [this
+   post](https://www.earth.li/~noodles/blog/2022/02/yak-shaving-internet.html) noodles says the mikrotik run mainline, so that's really
+   encouraging
 
 One option is to move the Omnia to the office and replace the core
 router with something beefier, and add a new AP downstairs.
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index 4a763d6b..6232ace0 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -384,6 +384,8 @@ Notes:
    protectli or the switch, depending on arrivals
  * [[hardware/rosa]] can serve as a replacement for the omnia if we
    don't want to get another U6
+ * this article previously had comparisons between various routers,
+   this is now in [[hardware/margaret]]
 
 Another build could be done with the Turris Mox:
 

another matrix thing
diff --git a/blog/2022-06-17-matrix-notes.md b/blog/2022-06-17-matrix-notes.md
index a2483dad..2b5bec2d 100644
--- a/blog/2022-06-17-matrix-notes.md
+++ b/blog/2022-06-17-matrix-notes.md
@@ -881,6 +881,13 @@ One thing I haven't found an equivalent for is Debian's
 [MeetBot](https://wiki.debian.org/MeetBot). There's an [archive bot](https://github.com/russelldavies/matrix-archive) but it doesn't have topics
 or a meeting chair, or HTML logs.
 
+Update: it's not a bot but [progval/matrix2051](https://github.com/progval/matrix2051) is quite
+interesting for me, as a long-time IRC user: it's a homeserver gateway
+that presents itself as an IRC server. So you can treat Matrix as one
+big weird IRC server. Main limitation is DMs are basically broken, but
+lack of TLS also keeps it from being useful as a drop-in replacement
+for migrating an existing IRC network.
+
 ## Working on Matrix
 
 As a developer, I find Matrix kind of intimidating. The specification

wayland/latency notes
diff --git a/blog/2018-05-04-terminal-emulators-2.mdwn b/blog/2018-05-04-terminal-emulators-2.mdwn
index 6d246c17..18ac33d6 100644
--- a/blog/2018-05-04-terminal-emulators-2.mdwn
+++ b/blog/2018-05-04-terminal-emulators-2.mdwn
@@ -347,7 +347,7 @@ The above latency benchmarks were done with Typometer on X11 by
 [beuke.org](https://beuke.org/terminal-latency/). Their results are different on some points: xterm's
 maximum latency (9.8ms) is much higher than ours (2.4ms) which makes
 me think there's something wrong with their test bench. But other
-results (rxvt, st, Terminaor) are strickingly similar. One notable
+results (rxvt, st, Terminator) are strikingly similar. One notable
 change is how well Alacritty performs, probably because it improved in
 6 years since I ran those benchmarks.
 
@@ -356,4 +356,23 @@ under wayland and compare against foot. Right now it's really hard to
 tell, but I get the feeling Alacritty and xterm are pretty close, and
 that foot and gnome-terminal are slower.
 
+Update: 9 days later, just found out about [Ivan Molodetskikh VTE
+end-to-end tests](https://bxt.rs/blog/just-how-much-faster-are-the-gnome-46-terminals/) which show precisely how well VTE has improved
+over the years, to be on par with Alacritty (which, somehow, managed
+to become a reference after lagging behind). Excellent work! My only
+criticism is the article focuses exclusively on VTE but the author
+also made [other benchmarks](https://mastodon.online/@YaLTeR/110837121102628111) including of Foot, the terminal
+emulator I'm currently using now and that I was, above, feeling
+slower, but that tests show is the *fastest* on the block, which is
+really nice to hear.
+
+They also made [compositor tests](https://mastodon.online/@YaLTeR/110848066454900941) which show Sway (~12ms) is ahead
+of Mutter (~14ms, GNOME's simplest compositor), itself ahead of normal
+GNOME (~16ms). Only X11/i3 goes below the 10ms mark there, which is a
+bit depressing, but the author is quick to point out that "work to add
+tearing flips to kernel and Wayland is ongoing".
+
+Oh, and they don't test Emacs in their editors, arguing it lacks a
+good editor, ha ha.
+
 [[!tag debian-planet lwn geek review terminals performance]]
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 5ebad3cc..affe47f1 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -185,6 +185,7 @@ Other options include:
  * [Hyprland][]: tiling, fancy animations, not in Debian ([1040971][])
  * [Qtile][]: tiling, extensible, in Python, not in Debian ([1015267][])
  * [river][]: Zig, stackable, tagging, not in Debian  ([1006593][])
+ * [smithay][], and many derivatives: Rust, not in Debian
  * [velox][]: inspired by xmonad and dwm, not in Debian
  * [vivarium][]: inspired by xmonad, not in Debian
  * [wlmaker][]: inspired by Window Maker, not in Debian
@@ -208,6 +209,7 @@ Other options include:
 [hikari]: https://hikari.acmelabs.space/
 [1040971]: https://bugs.debian.org/1040971
 [wlmaker]: https://github.com/phkaeser/wlmaker
+[smithay]: https://github.com/Smithay/smithay
 
 ## Status bar: py3status → waybar
 

add pcpartspicker
diff --git a/hardware/battery.md b/hardware/battery.md
index 1ba325c1..73e8d25b 100644
--- a/hardware/battery.md
+++ b/hardware/battery.md
@@ -258,6 +258,11 @@ fluctuates between 60 and 80 watts, with about 50 minutes of standby time.
   * spare batteries: <https://www.upsbatterycenter.ca/>
   * how to pick a UPS (TL;DR: VA = 1.6*W): <https://www.howtogeek.com/161479/how-to-select-a-battery-backup-for-your-computer/>
 
+See also [pc parts picker](https://ca.pcpartpicker.com/products/ups/) for this, cheapest rack-mount 1500KVA
+UPS seems to be the [cyberpower CPS1500AVR](https://ca.pcpartpicker.com/product/wWX2FT/cyberpower-ups-cps1500avr) at 585$CAD at the time
+of writing, but at that price you don't even get an LCD, for that you
+need [640$](https://ca.pcpartpicker.com/product/JKZ2FT/cyberpower-ups-or1500lcdrt2u).
+
 ## Actual hardware
 
 I ended up ordering this from Amazon (yes, I know):
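Review bot: "1500KVA" in the added paragraph is almost certainly meant to be 1500VA. A kVA figure would be a thousand times larger than what the model name CPS1500AVR and the "VA = 1.6*W" rule of thumb on the context line above suggest.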

more tls docs
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 915310e0..bb8dc235 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -903,6 +903,11 @@ Create basic directories and files:
     mkdir private certs req newcerts
     echo 00 > serial
 
+We don't have a serial `crlnumber` but if we would, we would start
+with:
+
+    printf 00 > crlnumber
+
 Generate the CA secret key:
 
     openssl genpkey -algorithm ed25519 -out private/cakey.pem -aes256
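Review bot: the new `printf 00 > crlnumber` writes the counter without a trailing newline, while the `serial` file two lines above it is created with `echo 00 > serial`. Use the same form for both so the two counter files are created identically. The lead sentence "We don't have a serial `crlnumber` but if we would" is also hard to parse; something like "We don't keep a `crlnumber` file, but if we did" says the same thing.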
@@ -945,13 +950,21 @@ Copy the CSR and CRT files to the CA server and sign the request with:
 
     openssl ca -days 365 -in req/test.anarc.at.csr -out certs/test.anarc.at.crt
 
-Alternatively, this can be done without the CA, with the lower-level
-`x509` command:
+... from [this guide](https://pub.nethence.com/security/sslhappy-ca). Alternatively, this can be done without the
+CA, with the lower-level `x509` command:
 
     openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
+The cert can be checked with:
+
+    openssl x509 -text < certs/angela.anarc.at.crt
+
+... and:
+
+    openssl verify -CAfile cacrt.pem  certs/angela.anarc.at.crt
+
 Generate the CRL file, currently just the cert because we haven't
 revoked anything yet:
 
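Review bot: the added `openssl verify -CAfile cacrt.pem  certs/angela.anarc.at.crt` names the CA file `cacrt.pem`, but the signing command earlier in this same hunk reads it from `cacert.pem`. The file names should agree, otherwise the check fails for a reason unrelated to the certificate. It would also help to say that only the `verify` step validates the chain; `openssl x509 -text` just prints the certificate.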
@@ -1059,9 +1072,11 @@ Turn up the logging level on the client:
 
 ### Dovecot configuration
 
-https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication
+The [dovecot SSL configuration docs](https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication) are quite limited. So we're
+using [another guide](https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html) instead. The also have [limited SSL
+docs](https://doc.dovecot.org/admin_manual/ssl/certificate_creation/)...
 
-in `10-ssl.conf`:
+Enable TLS verification in `conf.d/10-ssl.conf`:
 
     ssl_ca = </etc/ssl/ca/cacrl.pem
     ssl_verify_client_cert = yes
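Review bot: the new lead-in "Enable TLS verification in `conf.d/10-ssl.conf`" is vaguer than the settings under it, since `ssl_verify_client_cert = yes` turns on client certificate verification specifically; say that in the sentence. In the paragraph above it, "The also have" should be "They also have", and as written the paragraph calls the Dovecot docs limited twice.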
@@ -1100,6 +1115,9 @@ Create `conf.d/auth-tls.conf.ext`:
        #override_fields = home=/home/virtual/%u
     }
 
+Note that the above uses the normal [user database](https://doc.dovecot.org/configuration_manual/authentication/user_database_extra_fields/#authentication-user-database-extra-fields) so the user
+need to exist on the system as well.
+
 Then include that in `conf.d/10-auth.conf`, and comment out the other includes:
 
     #!include auth-system.conf.ext
@@ -1150,6 +1168,9 @@ You can now test revocation with:
 And now the above `curl` command should fail. Notice how dovecot needs
 a kick after revocation, a `reload` might be sufficient as well.
 
+[Another guide](https://pub.nethence.com/mail/dovecot-clientcert) has instructions on how to disable TLS certs for
+some services, e.g. if Postfix would still require SASL auth.
+
 ### Adding a new satellite
 
 To add a new satellite to this setup, you need to generate a new key

use the openssl CA command to sign certs, duh
diff --git a/services/mail.mdwn b/services/mail.mdwn
index b8e1e734..915310e0 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -898,9 +898,10 @@ actually tried a configuration-file-less setup, but it breaks down
 when you start using the `openssl ca` command, necessary to revoke
 certificates.
 
-Create basic directories:
+Create basic directories and files:
 
-    mkdir private certs req
+    mkdir private certs req newcerts
+    echo 00 > serial
 
 Generate the CA secret key:
 
@@ -940,7 +941,12 @@ Create the CSR with:
 
     openssl req -key angela.anarc.at.key -out angela.anarc.at.csr -config openssl.cnf -new 
 
-Copy the CSR and CRT files to the CA server and sign those keys with:
+Copy the CSR and CRT files to the CA server and sign the request with:
+
+    openssl ca -days 365 -in req/test.anarc.at.csr -out certs/test.anarc.at.crt
+
+Alternatively, this can be done without the CA, with the lower-level
+`x509` command:
 
     openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
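Review bot: the added `openssl ca -days 365 -in req/test.anarc.at.csr -out certs/test.anarc.at.crt` omits `-config openssl.cnf`, although the `openssl req` call on the context line just above passes it and the section intro says the local config copy is what makes `openssl ca` work. Without the flag the command reads the system default config instead. The example also switches to `test.anarc.at` while every other command in the hunk uses `angela.anarc.at`. Finally, "this can be done without the CA" is misleading, since the `x509` line still signs with `private/cakey.pem`; "without the `ca` subcommand" is what is meant.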
@@ -1179,9 +1185,9 @@ Then generate the private key and the CSR:
     openssl req -key client.key -out client.csr -config openssl.cnf -new
 
 Then copy that over to the CA in `/etc/ssl/ca/req/tubman.anarc.at.csr`
-and generate the cert:
+and sign the request:
 
-    openssl x509 -req -in req/tubman.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/tubman.anarc.at.crt
+    openssl ca -days 365 -in req/tubman.anarc.at.csr -out certs/tubman.anarc.at.crt
 
 Then regenerate the list of trusted certs:
 

migrated tubman
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 6eaa5356..b8e1e734 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -996,7 +996,7 @@ The certificates list is created with:
                 openssl pkey -pubin -outform DER |
                 openssl dgst -sha256 -c |
                 sed 's/.*= //'
-            )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+            )" $cert >> /etc/postfix/client-certs-fingerprints
     done
 
 And of course the map needs to be rehashed each time:
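Review bot: `$cert` on the changed line is unquoted, so a file name containing whitespace or glob characters would split into several `printf` arguments and produce malformed map lines. Write it as `"$cert"`. The second column also changes meaning here, from a host name to whatever the loop variable holds; a short note in the text that this column is only a label would prevent confusion.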
@@ -1144,7 +1144,69 @@ You can now test revocation with:
 And now the above `curl` command should fail. Notice how dovecot needs
 a kick after revocation, a `reload` might be sufficient as well.
 
-### Easy-RSA CA
+### Adding a new satellite
+
+To add a new satellite to this setup, you need to generate a new key
+on the client, and a CSR, based on the following config. Typically,
+you only need to do this for Postfix, so this can more easily be done
+in `/etc/postfix/x509` (and that is where Puppet configures Postfix to
+look for certs).
+
+This is how [[hardware/tubman]] was configured. First, make the
+directory:
+
+    mkdir /etc/postfix/x509
+    cd /etc/postfix/x509
+
+Then create `openssl.conf`:
+
+    [client-cert]
+    keyUsage = cRLSign, keyCertSign
+    extendedKeyUsage = clientAuth
+
+    [req]
+    distinguished_name = dn
+    prompt = no
+    x509_extensions = client-cert
+
+    [dn]
+    CN = tubman.anarc.at
+    emailAddress = tubman-mail
+
+Then generate the private key and the CSR:
+
+    openssl genpkey -algorithm ed25519 -out client.key
+    openssl req -key client.key -out client.csr -config openssl.cnf -new
+
+Then copy that over to the CA in `/etc/ssl/ca/req/tubman.anarc.at.csr`
+and generate the cert:
+
+    openssl x509 -req -in req/tubman.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/tubman.anarc.at.crt
+
+Then regenerate the list of trusted certs:
+
+    rm /etc/postfix/client-certs-fingerprints
+    for cert in certs/* ; do 
+        printf "%s %s\n" "$(
+            openssl x509 -in $cert -noout -pubkey |
+                openssl pkey -pubin -outform DER |
+                openssl dgst -sha256 -c |
+                sed 's/.*= //'
+            )" $cert >> /etc/postfix/client-certs-fingerprints
+    done
+    postmap /etc/postfix/client-certs-fingerprints
+
+Add the `profile::postfix::satellite` class to the node and it should
+be able to send mail. Test with:
+
+    mail -s test anarcat@example.com < /dev/null
+
+### Easy-RSA CA notes
+
+I tested building a CA with easy-rsa but ended up not using it because
+my end goal is to do this in Puppet, so I couldn't rely on such a
+large third-party tool directly. Plus, I didn't think it supported
+ed25519 keys at first (it does though!).
 
 To get started with easy-rsa:
 
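Review bot: the new section tells the reader to create `openssl.conf`, but the `openssl req` command that follows reads `-config openssl.cnf`, so following the steps literally fails on the second command. Pick one file name. In the regeneration loop, `rm /etc/postfix/client-certs-fingerprints` errors out when the file does not exist yet (use `rm -f`), `$cert` is unquoted in both places it is used, and the map is briefly empty between the `rm` and the `postmap`; writing to a temporary file and moving it into place would avoid that window.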
@@ -1235,9 +1297,8 @@ meaningful regression.
 
 ### Remaining work
 
- * TODO: expiration, switch to easyrsa fully?
+ * TODO: renewals, switch to easyrsa fully?
  * TODO: generate and distribute certs with Puppet
- * TOOD: migrate tubman to TLS
 
 ## Todo
 

benchmark
diff --git a/services/mail.mdwn b/services/mail.mdwn
index dfb7c6ba..6eaa5356 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1201,6 +1201,38 @@ configuration, with `permit_tls_all_clientcerts`, which leads me to
 think it *might* be possible to avoid listing all fingerprints. To be
 tested/confirmed.
 
+### Conversion effect on performance
+
+I have sampled the last ~100 `mbsync` runs, which is from April 08
+01:52:56 to April 09 14:42:37 (non-inclusively), with:
+
+    journalctl -u mbsync.service --user -n 1000 | grep Consumed | sed '/avr 09 14:42:37/,$d;s/.*Consumed //;s/s CPU time.//' > timings-over-ssh
+
+This gave me 132 samples:
+
+    $ wc -l timings-over-ssh
+    132 timings-over-ssh
+
+The average CPU usage was:
+
+    $ awk 'BEGIN { sum = 0; count = 0 } { sum += $1; count++ } END { print sum / count}' < timings-over-ssh
+    2.70843
+
+Things *seem* faster. The evidence is a bit anecdotal now, as I have
+only 4 samples, but there *is* already a clear reduction in CPU usage:
+
+    $ journalctl -u mbsync.service --user -n 1000 | grep Consumed | sed -n '/avr 09 14:42:37/,$p' | sed 's/.*Consumed //;s/s CPU time.//' | awk 'BEGIN { sum = 0; count = 0 } { sum += $1; count++ } END { print sum / count}'
+    2.1356
+
+This could be because the TLS key exchange is better optimized than
+SSH. And indeed, a casual look at the logs seem to suggest it was
+taking 4 seconds to sync before *and* after, so it could just be an
+accounting issue.
+
+Given that this work was done for security reasons and not
+optimization reasons, I'm satisfied with the results since there's no
+meaningful regression.
+
 ### Remaining work
 
  * TODO: expiration, switch to easyrsa fully?
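Review bot: the comparison in this section rests on 132 samples before the change and only 4 after, and the prose says "last ~100" where `wc -l` reports 132. State the real count and hold the conclusion until the second set is of comparable size. The `sed` addresses match `avr 09 14:42:37`, a French-locale month abbreviation, while the text says April, so the locale should be mentioned or the commands will not reproduce elsewhere. "And indeed" in the last paragraph introduces evidence against the TLS explanation rather than for it; "However" fits better.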

add backwards compat postfix setting
diff --git a/services/mail.mdwn b/services/mail.mdwn
index d37d26c2..dfb7c6ba 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -968,6 +968,7 @@ After:
         -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
         -o milter_macro_daemon_name=ORIGINATING
         -o smtpd_tls_security_level=encrypt
+        -o smtpd_tls_fingerprint_digest=sha256
         -o smtpd_tls_ask_ccert=yes
         -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
         -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
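Review bot: the added `-o smtpd_tls_fingerprint_digest=sha256` comes with no sentence in the document explaining why it is needed. One line of prose stating that this digest must match the one used to build `/etc/postfix/client-certs-fingerprints`, and which Postfix versions need it set explicitly, would keep the option from being dropped later as redundant.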

rebuild CA from scratch with a config file, working
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 05580640..d37d26c2 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -893,34 +893,24 @@ in [[blog/2016-05-12-email-setup]].
 
 ### Creating a self-signed ed25519 private CA
 
-    openssl genpkey -algorithm ed25519 -out ca.anarc.at.key -aes256
-    openssl req -new -key ca.anarc.at.key -out ca.anarc.at.csr -config ca.anarc.at.cnf
+We copied over the `/usr/lib/ssl/openssl.cnf` config file. We have
+actually tried a configuration-file-less setup, but it breaks down
+when you start using the `openssl ca` command, necessary to revoke
+certificates.
 
-RHEL [proposes](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#creating-a-private-ca-using-openssl_creating-and-managing-tls-keys-and-certificates):
+Create basic directories:
 
-    openssl req -key <ca.key> -new -x509 -days 3650 -addext keyUsage=critical,keyCertSign,cRLSign -subj "/CN=<Example CA>" -out <ca.crt>
+    mkdir private certs req
 
-cnf:
+Generate the CA secret key:
 
-    [req]
-    distinguished_name = req_distinguished_name
-    req_extensions = v3_req
-    prompt = no
-    [req_distinguished_name]
-    C = CA
-    CN = ca.anarc.at
-    [v3_req]
-    keyUsage = keyEncipherment, dataEncipherment
-    extendedKeyUsage = serverAuth
-    subjectAltName = @alt_names
-    [alt_names]
-    DNS.1 = ca.anarc.at
+    openssl genpkey -algorithm ed25519 -out private/cakey.pem -aes256
 
-Self-signed cert:
+ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
 
-    openssl x509 -req -days 365 -in ca.anarc.at.csr -signkey ca.anarc.at.key -out ca.anarc.at.crt
+Then generate a self-signed cert:
 
-ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
+    openssl req -subj "/CN=ca.anarc.at/" -key private/cakey.pem -out cacert.pem -new -x509 -days 3650 -reqexts v3_ca -config openssl.cnf
 
 Alternatives include OpenVPN's [easy-rsa](https://github.com/OpenVPN/easy-rsa/) and [cfssl](https://github.com/cloudflare/cfssl), which
 also has a [puppet module](https://forge.puppet.com/modules/mmack/cfssl/).
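Review bot: `mkdir private certs req` creates `private/` with the default umask, and the next step writes the CA key to `private/cakey.pem`. Create that directory with restrictive permissions first, for example `mkdir -m 700 private`; the `-aes256` passphrase protects the key contents but not the directory. The rewritten section also no longer shows any config content, yet the `openssl req` line depends on a `v3_ca` section existing in the copied `openssl.cnf`, which deserves a sentence.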
@@ -931,33 +921,36 @@ Then the client key is generated, *on the client*, again with (but without encry
 
     openssl genpkey -algorithm ed25519 -out angela.anarc.at.key
 
-CSR is a little special:
+The `openssl.cnf` file for the certificate request:
 
     [client-cert]
-    keyUsage = critical, digitalSignature, keyEncipherment
+    keyUsage = cRLSign, keyCertSign
     extendedKeyUsage = clientAuth
-    subjectAltName = @alt_name
 
     [req]
     distinguished_name = dn
     prompt = no
+    x509_extensions = client-cert
 
     [dn]
     CN = angela.anarc.at
-
-    [alt_name]
     emailAddress = anarcat
 
-But the CSR is created as expected:
+Create the CSR with:
 
-    openssl req -key angela.anarc.at.key -config angela.anarc.at.cnf -new -out angela.anarc.at.csr
+    openssl req -key angela.anarc.at.key -out angela.anarc.at.csr -config openssl.cnf -new 
 
 Copy the CSR and CRT files to the CA server and sign those keys with:
 
-    openssl x509 -req -in angela.anarc.at.csr -CA ca.anarc.at.crt -CAkey ca.anarc.at.key -days 365 -out angela.anarc.at.crt
+    openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
+Generate the CRL file, currently just the cert because we haven't
+revoked anything yet:
+
+    cp cacert.pem cacrl.pem
+
 ### Postfix server configuration
 
 Before:
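Review bot: in `[client-cert]`, `keyUsage` changes from `critical, digitalSignature, keyEncipherment` to `cRLSign, keyCertSign`, which are certificate authority usages and do not belong on a leaf certificate used for `clientAuth`. A client certificate needs `digitalSignature`. The section is also wired in through `x509_extensions` under `[req]`, which applies to self-signed certificates made with `req -x509`; extensions for a CSR come from `req_extensions`, so these settings may never reach the request. Separately, `cp cacert.pem cacrl.pem` is described as generating the CRL file, but the result contains no CRL at all, which is worth stating outright.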
@@ -980,23 +973,38 @@ After:
         -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
         -o relay_clientcerts=hash:/etc/postfix/client-certs-fingerprints
 
-We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) but that silly
-thing doesn't support certificate revocation, so it's impossible to
-remove client certificates. So we need to use the static list.
+We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) like this:
 
-The list is created with:
+        -o tls_append_default_CA=no
+        -o smtpd_tls_CAfile=/etc/ssl/ca/cacrl.pem
+        -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
+        -o smtpd_relay_restrictions=permit_tls_all_clientcerts,reject
 
-    printf "%s %s\n" "$(
-        openssl x509 -in angela.anarc.at.crt -noout -pubkey |
-            openssl pkey -pubin -outform DER |
-            openssl dgst -sha256 -c |
-            sed 's/.*= //'
-        )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+but that silly thing doesn't support certificate revocation: it looks
+like the CRL part of the `cacrl.pem` file is ignore. So it's
+impossible to remove client certificates, so we need to use the static
+list. An alternative is to use Dovecot 2.3 submission functionality,
+since the CRL works there.
+
+The certificates list is created with:
+
+    rm /etc/postfix/client-certs-fingerprints
+    for cert in certs/* ; do 
+        printf "%s %s\n" "$(
+            openssl x509 -in $cert -noout -pubkey |
+                openssl pkey -pubin -outform DER |
+                openssl dgst -sha256 -c |
+                sed 's/.*= //'
+            )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+    done
 
 And of course the map needs to be rehashed each time:
 
     postmap /etc/postfix/client-certs-fingerprints
 
+Note that this *does* include revoked certificates as well, so you
+kind of have to manually skip the bad certs. (TODO.)
+
 Then this should work:
 
     swaks --tls --tls-cert ~/.config/x509/angela.anarc.at2.crt --tls-key ~/.config/x509/angela.anarc.at.key -s marcos.anarc.at -t anarcat@torproject.org -p 587
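Review bot: the new loop iterates over `certs/*` but still writes the fixed label `angela.anarc.at` on every line, so each fingerprint in the map is attributed to the same host; use the loop variable there. `rm /etc/postfix/client-certs-fingerprints` should be `rm -f` so the first run does not fail on a missing file. The paragraph admits the list includes revoked certificates and leaves that as a TODO; since this map is the only access control on the submission port, the skip step should be documented before this is relied on. Typo: "is ignore" should be "is ignored".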
@@ -1048,13 +1056,11 @@ https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-c
 
 in `10-ssl.conf`:
 
-    ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
+    ssl_ca = </etc/ssl/ca/cacrl.pem
     ssl_verify_client_cert = yes
     ssl_cert_username_field = email
     ssl_require_crl = yes
 
-TODO: CRL stuff
-
 Create `conf.d/auth-tls.conf.ext`:
 
     # Take the username from client's SSL certificate, using 
@@ -1107,13 +1113,13 @@ pretty fantastic.
 
 This can be tested with:
 
-    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert pki/issued/angela.anarc.at.crt -key pki/private/angela.anarc.at.key  -starttls imap -connect localhost:imap
+    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert angela.anarc.at.crt -key angela.anarc.at.key  -starttls imap -connect localhost:imap
 
 That will not actually do any IMAP query (although you *could* try
 `10 AUTHENTICATE EXTERNAL` to confirm login works). Better try the
 swiss-army-knife of everything:
 
-    curl --cert pki/issued/angela.anarc.at.crt --key pki/private/angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
+    curl --cert angela.anarc.at.crt --key angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
 
 This should list your folders. Use `-v` for more debugging if things fail.
 
@@ -1128,6 +1134,15 @@ To debug issues with TLS, turn on Dovecot's verbose logging in
 
     verbose_ssl = yes
 
+You can now test revocation with:
+
+    openssl ca -config openssl.cnf -revoke certs/angela.anarc.at.crt -gencrl > crl.pem
+    cat cacert.pem crl.pem > cacrl.pem
+    service dovecot restart
+
+And now the above `curl` command should fail. Notice how dovecot needs
+a kick after revocation, a `reload` might be sufficient as well.
+
 ### Easy-RSA CA
 
 To get started with easy-rsa:
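Review bot: The revocation test goes straight from generating `crl.pem` to `service dovecot restart` without checking that the CRL actually lists the revoked certificate, and without installing the new `cacrl.pem` at the `/etc/ssl/ca/cacrl.pem` path that `ssl_ca` reads. Add a verification step such as `openssl crl -in crl.pem -noout -text` before the restart, and consider running `-revoke` and `-gencrl` as two separate `openssl ca` invocations so it is explicit that the CRL is generated after the index has been updated. The "a `reload` might be sufficient" remark should be tested and stated one way or the other, since a stale CRL in a running Dovecot means the revoked certificate keeps working.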

made dovecot work
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 67000bb5..05580640 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -945,7 +945,7 @@ CSR is a little special:
     [dn]
     CN = angela.anarc.at
 
-    [clnt_alt_name]
+    [alt_name]
     emailAddress = anarcat
 
 But the CSR is created as expected:
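Review bot: Renaming the section to `[alt_name]` makes it match the `subjectAltName = @alt_name` reference, but the entry inside it still reads `emailAddress = anarcat`. In a subjectAltName section OpenSSL expects the type `email` (`emailAddress` is the subject DN attribute name), and `anarcat` is not an address. Say which certificate field `ssl_cert_username_field = email` is expected to read, put the value there, and show the relevant part of `openssl x509 -noout -text` for the issued certificate so readers can confirm the field is present.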
@@ -1051,47 +1051,143 @@ in `10-ssl.conf`:
     ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
     ssl_verify_client_cert = yes
     ssl_cert_username_field = email
+    ssl_require_crl = yes
 
-in `10-auth.conf`:
+TODO: CRL stuff
 
-    auth_ssl_username_from_cert=yes
+Create `conf.d/auth-tls.conf.ext`:
 
-if we'd like to keep Postfix using passwords, we could do:
+    # Take the username from client's SSL certificate, using 
+    # X509_NAME_get_text_by_NID() which returns the subject's DN's
+    # CommonName. 
+    auth_ssl_username_from_cert = yes
+     
+    # Space separated list of wanted authentication mechanisms:
+    #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
+    #   gss-spnego
+    # NOTE: See also disable_plaintext_auth setting.
+    auth_mechanisms = plain login external
+
+    passdb {
+      driver = passwd-file
+      args = scheme=PLAIN username_format=%u /etc/dovecot/users-external
+
+      mechanisms = external
+     
+      override_fields = nopassword
+    }
+
+    userdb {
+       # <doc/wiki/AuthDatabase.Passwd.txt>
+       driver = passwd
+       # [blocking=no]
+       #args = 
+      
+       # Override fields from passwd
+       #override_fields = home=/home/virtual/%u
+    }
+
+Then include that in `conf.d/10-auth.conf`, and comment out the other includes:
+
+    #!include auth-system.conf.ext
+    !include auth-tls.conf.ext
+
+If we'd like to keep Postfix using passwords, we could do:
 
     protocol !smtp {
       auth_ssl_require_client_cert=yes
     }
 
-but since we're going to use TLS there too, that makes obviously no
-sense. Plus it gets rid of the weird SASL shim between the two, woot.
+... but since we're going to use TLS there too, that makes obviously
+no sense. Plus it gets rid of the weird SASL shim between the two,
+woot.
 
 During this deployment, SSH-based IMAP connexions still work, which is
 pretty fantastic.
 
-### Testing client connexion
+This can be tested with:
+
+    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert pki/issued/angela.anarc.at.crt -key pki/private/angela.anarc.at.key  -starttls imap -connect localhost:imap
 
-Not sure this is the correct way, but this *seems* to work in the
-sense that it loads the cert and tries to connect:
+That will not actually do any IMAP query (although you *could* try
+`10 AUTHENTICATE EXTERNAL` to confirm login works). Better try the
+swiss-army-knife of everything:
 
-    curl -v --cert ~/.config/x509/angela.anarc.at.crt --key ~/.config/x509/angela.anarc.at.key imaps://imap.anarc.at/
+    curl --cert pki/issued/angela.anarc.at.crt --key pki/private/angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
 
-Do use the `-v` flag, as it will show at which step it will fail. In
-my case, if fails *after* the client cert is accepted, which is
-interesting.
+This should list your folders. Use `-v` for more debugging if things fail.
 
-This currently fails in Dovecot with:
+At first, this was failing with:
 
     dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
 
-I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
-but that fails similarly. Since Postfix *does* work, it means the CA
-is operational and instead there is something wrong with the Dovecot
-configuration.
+... and that was because I was missing the `AUTH=EXTERNAL` option.
+
+To debug issues with TLS, turn on Dovecot's verbose logging in
+`conf.d/10-logging.conf`:
+
+    verbose_ssl = yes
+
+### Easy-RSA CA
+
+To get started with easy-rsa:
+
+    apt install easy-rsa
+    make-cadir easyrsa
+    ./easyrsa init-pki
+    
+To make a ED25519 CA, add those to `vars`:
+
+    set_var EASYRSA_ALGO ed
+    set_var EASYRSA_CURVE           ed25519
+
+Then:
+
+    ./easyrsa build-ca
+
+That prompts for a password then runs something like:
+
+    ["openssl", "req", "-config", "/etc/ssl/easyrsa/pki/5892315c/temp.4ff4e933", "-utf8", "-new", "-key", "/etc/ssl/easyrsa/pki/5892315c/temp.fa90dc32", "-keyout", "/etc/ssl/easyrsa/pki/5892315c/temp.fa90dc32", "-out", "/etc/ssl/easyrsa/pki/5892315c/temp.591dfebb", "-x509", "-days", "3650", "-sha256", "-passin", "file:/etc/ssl/easyrsa/pki/5892315c/temp.c5904947"],
+
+Interesting facts:
+
+ 1. it generates a key on the fly
+ 2. `-utf-8`
+ 3. `-x509`
+ 4. `-days 3650`
+
+A client cert can be created with:
+
+    ./easyrsa build-client-full angela.anarc.at
+
+To get the `emailAddress` field, the `vars` need to be modified to
+have:
+
+    set_var EASYRSA_DN      "org"
+    set_var EASYRSA_REQ_EMAIL       "anarcat"
+
+Then the [guide](https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html) mentions "exporting the combined CA+CRL" with:
+
+    ./easyrsa gen-crl
+
+That runs:
+
+    ["openssl", "ca", "-config", "/etc/ssl/easyrsa/pki/d1f80f21/temp.7ec4b8d2", "-utf8", "-gencrl", "-out", "/etc/ssl/easyrsa/pki/d1f80f21/temp.12bd618a"],
+
+... and generates `/etc/ssl/easyrsa/pki/crl.pem` but this is odd
+because the guide also says it generates a `pki/ca+crl.pem` file,
+which cannot be found. That can be fixed with:
+
+    cat /etc/ssl/easyrsa/pki/{ca.crt,crl.pem} > /etc/ssl/easyrsa/pki/ca+crl.pem
+
+Also, interestingly, it uses that `ca+crl.pem` file in the Postfix
+configuration, with `permit_tls_all_clientcerts`, which leads me to
+think it *might* be possible to avoid listing all fingerprints. To be
+tested/confirmed.
 
 ### Remaining work
 
- * TODO: fix dovecot
- * TODO: expiration
+ * TODO: expiration, switch to easyrsa fully?
  * TODO: generate and distribute certs with Puppet
  * TOOD: migrate tubman to TLS
 
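Review bot: The `passdb` block in `conf.d/auth-tls.conf.ext` reads `/etc/dovecot/users-external` with `override_fields = nopassword`, but the file's format and contents are never shown, and that file is what decides which certificate identities are allowed to log in. Document a sample entry and the expected ownership and mode. Two smaller points in the same block: the copied comment says the username comes from the CommonName while `ssl_cert_username_field = email` is set in `10-ssl.conf`, and `auth_mechanisms = plain login external` still advertises password mechanisms although the only passdb is limited to `mechanisms = external`. In the easy-rsa notes, `-utf-8` in the "Interesting facts" list does not match the `-utf8` in the command quoted just above it.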

progress update
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 43826ac2..67000bb5 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -679,6 +679,10 @@ This makes it so I do not need to use clear-text passwords to deliver
 or retrieve email which means everything can be fully automated
 without writing any password on disk.
 
+Update: I am abandoning this approach, as it requires exposing SSH to
+the universe, something I want to avoid now. Looking into [client
+certs](#client-certs) instead.
+
 # Spam filtering
 
 Quick notes on how to configure spam filtering with Spamassassin on
@@ -1080,7 +1084,16 @@ This currently fails in Dovecot with:
     dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
 
 I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
-but that fails similarly.
+but that fails similarly. Since Postfix *does* work, it means the CA
+is operational and instead there is something wrong with the Dovecot
+configuration.
+
+### Remaining work
+
+ * TODO: fix dovecot
+ * TODO: expiration
+ * TODO: generate and distribute certs with Puppet
+ * TOOD: migrate tubman to TLS
 
 ## Todo
 
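Review bot: Typo in the last item of the new "Remaining work" list: "TOOD" should be "TODO", otherwise a search for open TODO items will miss the tubman migration.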

move certs to system dir
diff --git a/services/mail.mdwn b/services/mail.mdwn
index deb20ac3..43826ac2 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1011,11 +1011,14 @@ Then we configure that transport as such:
 
     smtptlsc  unix  -       -       y       -       -       smtp
         -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
-        -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
-        -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
+        -o smtp_tls_cert_file=/etc/ssl/private/angela.anarc.at.crt
+        -o smtp_tls_key_file=/etc/ssl/private/angela.anarc.at.key
         -o smtp_tls_fingerprint_digest=sha256
         -o smtp_tls_security_level=secure
 
+The cert need to be copied in `/etc/ssl/private` and the key given to
+the `ssl-cert` group.
+
 Note that this is done in the `profile::postfix::satellite` class
 ([satellite.pp](https://gitlab.com/anarcat/puppet/-/blob/main/site-modules/profile/manifests/postfix/satellite.pp?ref_type=heads)) and the above configuration might be out of
 date. Also note that we use the whole `smtp_tls_CAfile` instead of the
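Review bot: The added sentence about `/etc/ssl/private` leaves out the exact ownership and mode, which is the part that matters for an unencrypted client key. Spell it out as commands (owner, group `ssl-cert`, mode) and say whether the account that reads `smtp_tls_key_file` needs to be in the `ssl-cert` group. Grammar: "The cert need to be copied" should be "The cert needs to be copied", and it is worth saying that the key is copied as well, since only the cert is mentioned as being moved.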

fix server verification
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 6a45d507..deb20ac3 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1010,14 +1010,30 @@ mechanisms (e.g. passwords):
 Then we configure that transport as such:
 
     smtptlsc  unix  -       -       y       -       -       smtp
-        -o smtp_tls_CApath=/etc/ssl/certs
+        -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
         -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
         -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
         -o smtp_tls_fingerprint_digest=sha256
-        -o smtp_tls_security_level=encrypt
+        -o smtp_tls_security_level=secure
 
-WARNING: the above is vulnerable to MITM attacks, as the
-`smtp_tls_security_level` is not `verify`.
+Note that this is done in the `profile::postfix::satellite` class
+([satellite.pp](https://gitlab.com/anarcat/puppet/-/blob/main/site-modules/profile/manifests/postfix/satellite.pp?ref_type=heads)) and the above configuration might be out of
+date. Also note that we use the whole `smtp_tls_CAfile` instead of the
+`CApath` because the latter doesn't work in the chroot.
+
+To test this, try to relay mail locally:
+
+    mail anarcat@example.com -s test < /dev/null
+
+Turn up the logging level on the client:
+
+    smtp_tls_loglevel=2
+
+... and the server:
+
+    smtpd_tls_loglevel=2
+
+... if you have issues.
 
 ### Dovecot configuration
 
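Review bot: The test procedure added after the `smtp_tls_security_level=secure` change does not say what a successful result looks like, so a reader cannot tell a verified connection from one that merely delivered. State the log line to look for on the client once `smtp_tls_loglevel=2` is set, say where the two loglevel settings go (`main.cf` or as `-o` on the transport), and add a reminder to turn them back down afterwards. The removed warning recommended `verify`; one sentence on why `secure` was chosen instead would help.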

working postfix TLS client configuration, incomplete
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 916a2bae..6a45d507 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -954,10 +954,70 @@ Copy the CSR and CRT files to the CA server and sign those keys with:
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
-### Next step: try Postfix
+### Postfix server configuration
 
-Dovecot is not collaborating, and we do not have a working
-example. Try again with Postfix, since we know that works on eugeni.
+Before:
+
+    submission inet  n       -       y       -       -       smtpd
+        -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
+        -o smtpd_tls_security_level=encrypt
+        -o smtpd_sasl_auth_enable=yes
+        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+        -o milter_macro_daemon_name=ORIGINATING
+
+After:
+
+    submission inet  n       -       y       -       -       smtpd
+        -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
+        -o milter_macro_daemon_name=ORIGINATING
+        -o smtpd_tls_security_level=encrypt
+        -o smtpd_tls_ask_ccert=yes
+        -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
+        -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
+        -o relay_clientcerts=hash:/etc/postfix/client-certs-fingerprints
+
+We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) but that silly
+thing doesn't support certificate revocation, so it's impossible to
+remove client certificates. So we need to use the static list.
+
+The list is created with:
+
+    printf "%s %s\n" "$(
+        openssl x509 -in angela.anarc.at.crt -noout -pubkey |
+            openssl pkey -pubin -outform DER |
+            openssl dgst -sha256 -c |
+            sed 's/.*= //'
+        )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+
+And of course the map needs to be rehashed each time:
+
+    postmap /etc/postfix/client-certs-fingerprints
+
+Then this should work:
+
+    swaks --tls --tls-cert ~/.config/x509/angela.anarc.at2.crt --tls-key ~/.config/x509/angela.anarc.at.key -s marcos.anarc.at -t anarcat@torproject.org -p 587
+
+### Postfix client configuration
+
+This is relatively simple. First, we create a new transport to
+encapsulate our configuration because we have *other* relays with
+either no client TLS authentication or different authentication
+mechanisms (e.g. passwords):
+
+    default_transport = smtptlsc:
+    relayhost = smtp.anarc.at:587
+
+Then we configure that transport as such:
+
+    smtptlsc  unix  -       -       y       -       -       smtp
+        -o smtp_tls_CApath=/etc/ssl/certs
+        -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
+        -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
+        -o smtp_tls_fingerprint_digest=sha256
+        -o smtp_tls_security_level=encrypt
+
+WARNING: the above is vulnerable to MITM attacks, as the
+`smtp_tls_security_level` is not `verify`.
 
 ### Dovecot configuration
 
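Review bot: The "After" submission block matches clients against SHA-256 fingerprints in `relay_clientcerts`, but it does not set `smtpd_tls_fingerprint_digest`, and the default digest has differed between Postfix versions. The `smtp_tls_fingerprint_digest=sha256` on the client transport does not affect how the server computes client fingerprints. Set the server-side digest explicitly in the `submission` entry so the list generated with `openssl dgst -sha256` keeps matching. Also, the `swaks` test uses `angela.anarc.at2.crt` while the fingerprint is taken from `angela.anarc.at.crt`; if that is a different certificate for the same key it deserves a sentence, otherwise fix the file name. The `>>` append will also accumulate duplicate lines on repeated runs.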

attempts at client-side TLS, failing
diff --git a/services/mail.mdwn b/services/mail.mdwn
index fbdeb529..916a2bae 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -885,6 +885,124 @@ when the cert is renewed. I use those simple symlink:
 I also configured filtering and many more things that are documented
 in [[blog/2016-05-12-email-setup]].
 
+## Client certs
+
+### Creating a self-signed ed25519 private CA
+
+    openssl genpkey -algorithm ed25519 -out ca.anarc.at.key -aes256
+    openssl req -new -key ca.anarc.at.key -out ca.anarc.at.csr -config ca.anarc.at.cnf
+
+RHEL [proposes](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#creating-a-private-ca-using-openssl_creating-and-managing-tls-keys-and-certificates):
+
+    openssl req -key <ca.key> -new -x509 -days 3650 -addext keyUsage=critical,keyCertSign,cRLSign -subj "/CN=<Example CA>" -out <ca.crt>
+
+cnf:
+
+    [req]
+    distinguished_name = req_distinguished_name
+    req_extensions = v3_req
+    prompt = no
+    [req_distinguished_name]
+    C = CA
+    CN = ca.anarc.at
+    [v3_req]
+    keyUsage = keyEncipherment, dataEncipherment
+    extendedKeyUsage = serverAuth
+    subjectAltName = @alt_names
+    [alt_names]
+    DNS.1 = ca.anarc.at
+
+Self-signed cert:
+
+    openssl x509 -req -days 365 -in ca.anarc.at.csr -signkey ca.anarc.at.key -out ca.anarc.at.crt
+
+ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
+
+Alternatives include OpenVPN's [easy-rsa](https://github.com/OpenVPN/easy-rsa/) and [cfssl](https://github.com/cloudflare/cfssl), which
+also has a [puppet module](https://forge.puppet.com/modules/mmack/cfssl/).
+
+### Client key and certificate creation
+
+Then the client key is generated, *on the client*, again with (but without encryption):
+
+    openssl genpkey -algorithm ed25519 -out angela.anarc.at.key
+
+CSR is a little special:
+
+    [client-cert]
+    keyUsage = critical, digitalSignature, keyEncipherment
+    extendedKeyUsage = clientAuth
+    subjectAltName = @alt_name
+
+    [req]
+    distinguished_name = dn
+    prompt = no
+
+    [dn]
+    CN = angela.anarc.at
+
+    [clnt_alt_name]
+    emailAddress = anarcat
+
+But the CSR is created as expected:
+
+    openssl req -key angela.anarc.at.key -config angela.anarc.at.cnf -new -out angela.anarc.at.csr
+
+Copy the CSR and CRT files to the CA server and sign those keys with:
+
+    openssl x509 -req -in angela.anarc.at.csr -CA ca.anarc.at.crt -CAkey ca.anarc.at.key -days 365 -out angela.anarc.at.crt
+
+Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
+
+### Next step: try Postfix
+
+Dovecot is not collaborating, and we do not have a working
+example. Try again with Postfix, since we know that works on eugeni.
+
+### Dovecot configuration
+
+https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication
+
+in `10-ssl.conf`:
+
+    ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
+    ssl_verify_client_cert = yes
+    ssl_cert_username_field = email
+
+in `10-auth.conf`:
+
+    auth_ssl_username_from_cert=yes
+
+if we'd like to keep Postfix using passwords, we could do:
+
+    protocol !smtp {
+      auth_ssl_require_client_cert=yes
+    }
+
+but since we're going to use TLS there too, that makes obviously no
+sense. Plus it gets rid of the weird SASL shim between the two, woot.
+
+During this deployment, SSH-based IMAP connexions still work, which is
+pretty fantastic.
+
+### Testing client connexion
+
+Not sure this is the correct way, but this *seems* to work in the
+sense that it loads the cert and tries to connect:
+
+    curl -v --cert ~/.config/x509/angela.anarc.at.crt --key ~/.config/x509/angela.anarc.at.key imaps://imap.anarc.at/
+
+Do use the `-v` flag, as it will show at which step it will fail. In
+my case, if fails *after* the client cert is accepted, which is
+interesting.
+
+This currently fails in Dovecot with:
+
+    dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
+
+I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
+but that fails similarly.
+
 ## Todo
 
 On the fly [OpenPGP encryption of incoming emails](https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve)?
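Review bot: The CA configuration under "cnf:" gives the CA certificate `keyUsage = keyEncipherment, dataEncipherment` and `extendedKeyUsage = serverAuth`, with no `basicConstraints` and no `keyCertSign`/`cRLSign`, which contradicts the RHEL command quoted right above it (`keyUsage=critical,keyCertSign,cRLSign`). Replace the `[v3_req]` contents with CA-appropriate extensions. Separately, both `openssl x509 -req` commands (the self-signed one and the client signing one) are run without `-extfile`/`-extensions`, so the extensions in the config files, including `extendedKeyUsage = clientAuth` and the subjectAltName in `[client-cert]`, are not carried into the issued certificates; `[client-cert]` is also not referenced from `[req]`. Finally, "Copy the CSR and CRT files to the CA server" should say only the CSR, since no client certificate exists at that point.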

fix another typo
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 96ffe4a2..39278fbd 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -599,7 +599,7 @@ A few handy `qemu` related commands:
  * enter the VM to make *permanent* changes, which will *not* be
    discarded:
 
-        sudo sbuild-qemu-boot --readwrite /srv/sbuild/qemu/unstable-amd64.img
+        sudo sbuild-qemu-boot --read-write /srv/sbuild/qemu/unstable-amd64.img
 
    Equivalent command:
 

found another latency research
diff --git a/blog/2018-05-04-terminal-emulators-2.mdwn b/blog/2018-05-04-terminal-emulators-2.mdwn
index c0ea0f7a..6d246c17 100644
--- a/blog/2018-05-04-terminal-emulators-2.mdwn
+++ b/blog/2018-05-04-terminal-emulators-2.mdwn
@@ -341,4 +341,19 @@ I have started some notes on reviewing the terminal emulators
 available in Wayland, which significantly lowers the range of
 applications available. See [[2022-09-19-wayland-terminal-emulators]].
 
+## Similar research
+
+The above latency benchmarks were done with Typometer on X11 by
+[beuke.org](https://beuke.org/terminal-latency/). Their results are different on some points: xterm's
+maximum latency (9.8ms) is much higher than ours (2.4ms) which makes
+me think there's something wrong with their test bench. But other
+results (rxvt, st, Terminaor) are strickingly similar. One notable
+change is how well Alacritty performs, probably because it improved in
+6 years since I ran those benchmarks.
+
+I'm still waiting for someone to figure out how to perform those tests
+under wayland and compare against foot. Right now it's really hard to
+tell, but I get the feeling Alacritty and xterm are pretty close, and
+that foot and gnome-terminal are slower.
+
 [[!tag debian-planet lwn geek review terminals performance]]
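Review bot: The first sentence of the new "Similar research" section reads as if the benchmarks above were run by beuke.org; reword it to say that beuke.org ran similar Typometer benchmarks on X11. Typos in the same paragraph: "Terminaor" should be "Terminator" and "strickingly" should be "strikingly". The closing claim that Alacritty and xterm are close and foot and gnome-terminal slower is stated as a feeling, so say on which setup that impression was formed.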

more hardware, forgot from which article i got this
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index cc641dc0..4a763d6b 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -125,6 +125,14 @@ ever since.
    rack](https://www.canadacomputers.com/product_info.php?cPath=38_944&item_id=166475) is quite interesting, 385$
  * [recyborg sometimes has racks](https://recyborg.com/?s=rack&post_type=product&type_aws=true) and [gigabit switches](https://recyborg.com/?s=gigabit&post_type=product&type_aws=true)
 
+Some other home lab had the following recommendations:
+
+ * [1U power switch](https://www.adj.com/pc-100a): basically a rack-mounted power bar
+ * [1U cyberpower UPS](https://www.cyberpowersystems.com/product/ups/smart-app-lcd/or500lcdrm1u/): but i've also heard bad things about those,
+   that they just crash when the battery runs out, even when plugged
+   in?
+ * [10" rack shelf](https://acinfinity.com/racks-accessories/rack-shelves/vented-cantilever-1u-rack-shelf-10/)
+
 ## Why OpenWRT
 
 The point of running OpenWRT on the APs is to get monitoring about

add toc
diff --git a/hardware/printer.md b/hardware/printer.md
index 6737a181..3b430fd3 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -1,3 +1,5 @@
+[[!toc levels=3]]
+
 # Requirements
 
 ## Must have

clarify printer reqs
diff --git a/hardware/printer.md b/hardware/printer.md
index 8e15b70e..6737a181 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -2,20 +2,20 @@
 
 ## Must have
 
- * network port
- * "driverless printing"
+ * Ethernet port
+ * "driverless printing" AKA "airprint" AKA stellar Linux support
  * laser (specifically, cheap per-page prints)
- * stellar Linux support
 
 ## Nice to have
 
  * colors
- * scanner, or at least photocopier
  * double-sided printing, AKA "[duplex printing](https://en.wikipedia.org/wiki/Duplex_printing)"
  * fits one "ream" ("rame", 500 sheets)
 
 ## Must not have
 
+ * scanner, or at least photocopier - I've given up on that completely
+   and typically use my phone camera to scan documents
  * ink-jet printing, or specifically:
    * high cost
    * "drying out", I don't print often and this needs to keep working
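Review bot: The scanner item was moved under "Must not have" with its old wording, "scanner, or at least photocopier", which no longer parses in that list and reads as a hard exclusion, while the added text only says you have given up on needing one. If a scanner is merely not required, drop the item or move it to a neutral note; if it is really unwanted, say why. In "Must have", folding "stellar Linux support" into the driverless/AirPrint item as an "AKA" loses a separate requirement; keep it as its own line or explain that driverless support is how you measure it.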
@@ -97,6 +97,9 @@ a tad expensive for an EOL device. In the 3280 review, they say:
 It seems the cost per page is slightly lower on the older model, that
 said. The older printer is bulkier, however.
 
+Unclear if non-OEM cartridges work, but honestly I just get the OEM
+typically...
+
 ## HP Color LaserJet Pro MFP M479FDW
 
 <https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-mfp-m479fdw>

another death thing
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index 78f677ec..feeb9a02 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -31,6 +31,8 @@ http://varnish-cache.org/docs/6.6/phk/lucky.html
 https://g3rv4.com/2022/04/a-plan-for-my-secrets is basically SSSS but
 he wrote his own thing.
 
+https://longnow.org/ideas/digital-avatars-and-our-refusal-to-die/
+
 # maintainer deaths
 
 https://www.schafe-sind-bessere-rasenmaeher.de/tech/how-i-inherited-an-open-source-project/

another ssg
diff --git a/services/wiki/ikiwiki-hugo-conversion.mdwn b/services/wiki/ikiwiki-hugo-conversion.mdwn
index d999014e..0c977b95 100644
--- a/services/wiki/ikiwiki-hugo-conversion.mdwn
+++ b/services/wiki/ikiwiki-hugo-conversion.mdwn
@@ -380,3 +380,9 @@ See also those comparisons:
 Inspiring themes:
 
  * [this hugo theme](https://andreyorst.gitlab.io/posts/2022-02-22-new-look/)
+
+Other ideas:
+
+ * [soupault](https://soupault.app/) can do post-processing of the HTML rendered by *any*
+   SSG, which might provide an interesting base to build what's
+   missing from an alternative

another expansion card
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index c74a4452..18868775 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2061,6 +2061,7 @@ USB-C|blog/2023-02-10-usb-c]]. I'm considering a Dell
  * [spring-loaded expansion card](https://community.frame.work/t/spring-loaded-expansion-card/36013) (probably also a joke)
  * [RTL SDR](https://community.frame.work/t/rtl-sdr-expansion-card/37098)
  * [joystick](https://community.frame.work/t/framework-joystick-modules-turning-your-frame-work-13-into-an-handheld-coming-soon/39011)
+ * [logitech dongle hider with USB-A output](https://github.com/LeoDJ/FW-EC-DongleHiderPlus)
 * check out [this forum category](https://community.frame.work/c/developer-program/expansion-card/90) for a cornucopia of those
 
 ## Upstream resources

review brother printers
diff --git a/hardware/printer.md b/hardware/printer.md
index a05cb698..8e15b70e 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -55,6 +55,48 @@ come to the following conclusion:
    which doesn't have duplex scanning, but is cheaper (see [bh
    comparison](https://www.bhphotovideo.com/c/compare/Canon_MF743Cdw_vs_Canon_MF644Cdw_vs_Canon_MF741Cdw/BHitems/1489652-REG_1489654-REG_1489653-REG)). it's out of stock at Staples and Bestbuy as well
 
+## Brother
+
+After being recommended Brother by a family member and the [internet](https://hachyderm.io/@jbcrawford/112018421075831627),
+[twice](https://mas.to/@zekjur/112117296104194523), I've mostly given up and decided to just go with Brother
+printers.
+
+Rtings suggests the [Brother HL-L2325DW](https://www.rtings.com/printer/reviews/brother/hl-l2325dw#page-retailers), a plain black and white
+laser printer, in their [2023 best laser printer review](https://www.rtings.com/printer/reviews/best/by-type/laser). [206$ at
+Staples](https://www.staples.ca/products/2764645-en-brother-hl-l2370dw-wireless-monochrome-laser-printer) for the Brother HL-L2370DW variant, which features an
+Ethernet port as well. Wirecutters [suggest the HL-L2350DW variant](https://www.nytimes.com/wirecutter/reviews/best-laser-printer/)
+as well. They do not rate devices available locally (bestbuy or staples).
+
+For color printers, Staples' cheapest is the [Brother HL-L3220CDW](https://www.staples.ca/products/3074146-en-brother-hl-l3220cdw-wireless-colour-laser-printer)
+at 286$ (on sale from 405$!). It is also [well rated at rtings](https://www.rtings.com/printer/reviews/brother/hl-l3280cdw-hl-l3220cdw-hl-l3295cdw),
+but the 3220 doesn't have Ethernet. For that you need the [Brother
+HL-L3280CDW](https://www.staples.ca/products/3074145-en-brother-hl-l3280cdw-wireless-colour-laser-printer) (356$, on sale from 486$) which is the model reviewed
+by rtings. 
+
+Naturally, the color printer is larger (27.4cm x 39.9cm x 40.2cm) and
+heavier (15.4Kg) than its monochrome counterpart (20cm x 36.4cm x
+40.8cm). It also has a visual touch screen instead of a single-line
+LCD display. The color printer will also stop printing when it thinks
+the toner is empty, whereas the black-and-white one will keep pushing
+out dimmer pages. The color printer prints the first page faster (12s)
+than the black and white (24s).
+
+They both hold 250 sheets.
+
+Another alternative is the Brother HL-L3270CDW ([306$ in clearance at
+staples](https://www.staples.ca/products/24342682-en-brother-hl-l3270cdw-wireless-colour-mobile-ready-laser-printer)) which has also a [good review at rtings](https://www.rtings.com/printer/reviews/brother/hl-l3270cdw-laser), but it feels
+a tad expensive for an EOL device. In the 3280 review, they say:
+
+> The Brother HL-L3280CDW is a newer version of the Brother
+> HL-L3270CDW Laser. They have identical features and perform
+> similarly in print quality. The HL-L3280CDW prints slightly faster
+> but doesn't yield as many color prints as the older HL-L3270CDW. The
+> biggest difference is that the HL-L3270CDW requires more maintenance
+> because its drum unit wears out much faster.
+
+It seems the cost per page is slightly lower on the older model, that
+said. The older printer is bulkier, however.
+
 ## HP Color LaserJet Pro MFP M479FDW
 
 <https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-mfp-m479fdw>
@@ -68,8 +110,10 @@ Carefully review this thread before buying anything HP: https://news.ycombinator
 ## References
 
  * [Wirecutters review](https://www.nytimes.com/wirecutter/reviews/best-laser-printer/), updated yearly, currently recommends the
-   [HP Color LaserJet Pro M255dw](https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-m255dw)
- * [RTINGS](https://www.rtings.com/printer/reviews/best/by-type/laser) also produce a yearly review, currently recomments the
+   [HP Color LaserJet Pro M255dw](https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-m255dw). update: they now (2024) switched
+   to the HP Color LaserJet Pro MFP M283fdw, and the Brother
+   HL-L2350DW for "budget"
+ * [RTINGS](https://www.rtings.com/printer/reviews/best/by-type/laser) also produce a yearly review, currently (2023) recommends the
    [Canon imageCLASS MF743Cdw](https://www.rtings.com/printer/reviews/canon/imageclass-mf743cdw) ([656$ at BestBuy](https://www.bestbuy.ca/fr-ca/produit/13796853), back-order,
    [656$ at Staples](https://www.staples.ca/products/2948189-en-canon-imageclass-mf743cdw-colour-laser-printer)), 300 sheets only, toner is expensive [200$
    for black at Staples](https://www.staples.ca/products/3029652-en-fuzion-canon-3020c001-055h-compatible-toner-high-yield-black) but has a high yield (7600 pages,

add webtag
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index d677619f..49830fca 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -93,6 +93,7 @@ This also overlaps with bookmarking software like:
  * [Shiori](https://github.com/RadhiFadlillah/shiori)
  * [Turtl](https://turtlapp.com/)
  * [Wallabag](https://wallabag.org/)
+ * [webtag.io](https://webtag.io)
 
 ... and archival software in the [[WARC ecosystem|services/archive]].
 

mention wshowkeys
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 5b4eb0cc..5ebad3cc 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -898,6 +898,10 @@ screencasting list][]. In particular, see [wl-screenrec][] which has
 hardware encoding and much better performance, not in Debian (see
 [1040786][]).
 
+I also use [wshowkeys][] to ... well... show keys pressed during a
+recording. Not in Debian, but trivial to package ([947858][]), main
+annoyance is it requires a `setuid` binary to work.
+
 [peek]: https://github.com/phw/peek
 [simplescreenrecorder]: https://www.maartenbaert.be/simplescreenrecorder/
 [no sound support]: https://github.com/phw/peek/issues/105
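Review bot: The new wshowkeys paragraph mentions the `setuid` requirement only as an annoyance. Since this is a tool that displays every key pressed, add a sentence on what the setuid bit is needed for and how you install the binary (owner, mode, location), so readers can decide whether they want it on a machine where passwords are typed during a recording.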
@@ -906,6 +910,8 @@ hardware encoding and much better performance, not in Debian (see
 [awesome Wayland screencasting list]: https://github.com/natpen/awesome-wayland#screencasting
 [wl-screenrec]: https://github.com/russelltg/wl-screenrec
 [1040786]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040786
+[wshowkeys]: https://git.sr.ht/~sircmpwn/wshowkeys
+[947858]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947858
 
 ## RSI: workrave → nothing?
 

another printer
diff --git a/hardware/printer.md b/hardware/printer.md
index 34153f38..a05cb698 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -38,6 +38,7 @@
    it do have a hefty upfront cost, and they still seem to suffer from
    "drying out" problems when not in use
  * [use Brother or Epson](https://hachyderm.io/@jbcrawford/112018421075831627)
+ * [brother label printer](https://mas.to/@zekjur/112117296104194523)
 
 # Options
 

move vichama.ca to porkbun
diff --git a/services/dns.mdwn b/services/dns.mdwn
index ac6dcc50..beefe303 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -121,11 +121,13 @@ Situation actuelle:
 
  * opensrs: test account created, hosted: `debian-policy.info`
    (2025-10-15), not sure I want to keep, could be just for `anarc.at`
- * mythic beasts: idem, to be closed, hosted: `alterne.ca` (2025-09-11)
- * porkbun: secondary account, hosted: `orangeseeds.net`
-   `orangeseeds.org` (transfer started 2023-12-19)
- * gandi: `reseaulibre.ca` (2024-04-28), `vichama.ca` (2024-05-17),
-   `anarc.at` (2024-09-06), `insomniaque.org` (2029-04-28)
+ * mythic beasts: idem, to be closed, hosted: `alterne.ca`
+   (2025-09-11), maybe keep for `anarc.at` and close OpenSRS because
+   it's too complicated?
+ * porkbun: `orangeseeds.net` `orangeseeds.org` (transfer started
+   2023-12-19), `vichama.ca` (2024-05-17)
+ * gandi: `reseaulibre.ca` (2024-04-28), `anarc.at` (2024-09-06),
+   `insomniaque.org` (2029-04-28)
 
 Convention de noms
 ==================
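Review bot: in the new porkbun entry, `orangeseeds.net` `orangeseeds.org` run together with no comma, while the gandi entry separates every domain with one, and the "secondary account, hosted:" qualifier from the old line is dropped without replacement. Add the comma, and keep the account note if it still applies. The mythic beasts entry now ends on an open question ("close OpenSRS because it's too complicated?"), which would read better as a TODO than as part of the current-state list.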

zfs: example rescue encrypted operation
diff --git a/software/zfs.md b/software/zfs.md
index 53d7680f..4c8aaf6e 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -163,6 +163,10 @@ with:
 
     zpool import -l -a
 
+For rescue operations, that would be the right incantation:
+
+    zpool import -l -a -R /mnt
+
 ## Deprecated: zfsutil
 
 This is another way to use an alternate mountpoint, although I'm less
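Review bot: the added sentence calls `zpool import -l -a -R /mnt` "the right incantation" without saying what `-R /mnt` changes compared with the `zpool import -l -a` just above it. One sentence stating that it imports the pools under an alternate root at `/mnt`, so datasets do not mount over the rescue system's own paths, would let a reader adapt it. It also overlaps with the "alternate mountpoint" section that follows, so a cross-reference would help.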

printer rec
diff --git a/hardware/printer.md b/hardware/printer.md
index d180855b..34153f38 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -37,6 +37,7 @@
    laser-like price for ink jet printers... the Epson printers that do
    it do have a hefty upfront cost, and they still seem to suffer from
    "drying out" problems when not in use
+ * [use Brother or Epson](https://hachyderm.io/@jbcrawford/112018421075831627)
 
 # Options
 

negative qotom review
diff --git a/hardware/margaret.md b/hardware/margaret.md
index c87087bd..2cd2c452 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -292,6 +292,8 @@ model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure
 of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
 recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). 
 
+They have been [negatively reviewed on OpenWRT forums](https://forum.openwrt.org/t/recommendations-for-a-gigabit-bridge-possibly-with-sfp/177592/13).
+
 ## Turris
 
 The Turris Omnia is the device that was used as a core router before
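Review bot: "They" in the added line has no clear antecedent, since the paragraph before it names both the Qotom Q20332G9-S10 and a separate 4x2.5G router from AliExpress. Name the device (the commit message says Qotom) and add a few words on what the forum thread found, so the line still means something if the link goes stale.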

update network map
diff --git "a/services/r\303\251seau.mdwn" "b/services/r\303\251seau.mdwn"
index 025f91fd..bce398a5 100644
--- "a/services/r\303\251seau.mdwn"
+++ "b/services/r\303\251seau.mdwn"
@@ -55,7 +55,29 @@ another DNS server.
 The key question is whether two DNS servers need to be provided,
 because that configuration would obviously more involved.
 
-# Plan du réseau
+# Plans réseau
+
+## 2024-...
+
+![Plan du réseau][2024]
+
+  [2024]: plan-2024.svg "IP addresses specified if present, otherwise model number detailed."
+
+The network is setup generally like this:
+
+ 1. internet (TekSavvy, business line)
+ 2. bonder (TekSavvy owned PC that does some magic to get a static IP
+    address and, optionally, redundancy)
+ 3. router ([[hardware/margaret]])
+ 4. switch to which is connected:
+    * wifi access point with PoE ([[hardware/svetlana]])
+    * office wifi access point connected over fibre because of the
+      long, outdoors link ([[hardware/octavia]])
+    * ATA (Cisco SPA-112 VoIP adapter)
+    * main server [[hardware/server/marcos]]
+    * home cinema ([[hardware/ursula]])
+
+## 2015-2022
 
 ![Plan du réseau][1]
 
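Review bot: the image title promises "IP addresses specified if present, otherwise model number detailed", and the list names specific gear (a Cisco SPA-112 ATA, a TekSavvy-owned bonder), all on a wiki whose source is public. Confirm the SVG carries only addresses you are fine publishing. Smaller points: "The network is setup" should be "set up", the heading `## 2024-...` could simply be `## 2024`, and renaming `# Plan du réseau` to `# Plans réseau` changes the section anchor, so check for inbound links.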
diff --git "a/services/r\303\251seau/plan-2024.svg" "b/services/r\303\251seau/plan-2024.svg"
new file mode 100644
index 00000000..c0c7c392
--- /dev/null
+++ "b/services/r\303\251seau/plan-2024.svg"
@@ -0,0 +1,1540 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="17cm"
+   height="22cm"
+   viewBox="330 1 324 439"
+   version="1.1"
+   id="svg682"
+   sodipodi:docname="plan-2024.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs686" />
+  <sodipodi:namedview
+     id="namedview684"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="cm"
+     showgrid="false"
+     inkscape:zoom="0.75647728"
+     inkscape:cx="705.90355"
+     inkscape:cy="470.60237"
+     inkscape:window-width="1502"
+     inkscape:window-height="974"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="Arrière-plan" />
+  <g
+     id="Background" />
+  <g
+     id="Arrière-plan">
+    <g
+       id="g183"
+       transform="matrix(0.99999483,0,0,1.1667581,0.00257886,-17.830284)">

(diff file truncated)
that svg is a JPEG
diff --git "a/services/r\303\251seau/plan.jpg" "b/services/r\303\251seau/plan.jpg"
new file mode 100644
index 00000000..dab7ef3c
Binary files /dev/null and "b/services/r\303\251seau/plan.jpg" differ
diff --git "a/services/r\303\251seau/plan.svg" "b/services/r\303\251seau/plan.svg"
index dab7ef3c..7c1a1159 100644
Binary files "a/services/r\303\251seau/plan.svg" and "b/services/r\303\251seau/plan.svg" differ
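Review bot: both entries are shown only as "Binary files ... differ", so the new content at plan.svg (blob 7c1a1159) cannot be reviewed from this diff. The index lines do show that the blob added as plan.jpg (dab7ef3c) is the one plan.svg held before, so the JPEG is preserved under the right extension. Before merging, confirm that the new plan.svg really is SVG markup and open it as text, since SVG is active content that can carry scripts and external references and deserves a readable diff.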

plastik is retired
diff --git a/hardware/server/plastik.mdwn b/hardware/server/plastik.mdwn
index 54e2c77b..a11483f4 100644
--- a/hardware/server/plastik.mdwn
+++ b/hardware/server/plastik.mdwn
@@ -1,4 +1,4 @@
-Plastik est un point d'accès dans la maison. Il est configuré en
+Plastik était un point d'accès dans la maison. Il est configuré en
 bridge pour étendre le réseau wifi, mais doit être connecté par fil,
 dans un des ports LAN, afin de fonctionne (ie. il ne "mesh" pas avec
 les autres points d'accès).
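Review bot: only the first sentence moves to the past tense ("Plastik était un point d'accès"), while the rest of the paragraph in the context lines still describes the device as live ("Il est configuré en bridge", "doit être connecté par fil"). A reader of the inventory would still take this as an active access point on the network. Put the whole paragraph in the past tense or add an explicit retirement line with the date, and fix "afin de fonctionne" to "afin de fonctionner" while touching the paragraph.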

Archival link:

The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.
