Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on GitLab:

git clone http://gitlab.com/anarcat/anarc.at.git
document sleeves and cases
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 66ed3b07..0a083c6a 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2079,6 +2079,18 @@ USB-C|blog/2023-02-10-usb-c]]. I'm considering a Dell
  * [logitech dongle hider with USB-A output](https://github.com/LeoDJ/FW-EC-DongleHiderPlus)
 * check out [this forum category](https://community.frame.work/c/developer-program/expansion-card/90) for a cornucopia of those
 
+## Sleeves and cases
+
+I carry the 13" Framework laptop in a [tomtoc Defender A13
+sleeve](https://www.tomtoc.com/products/tomtoc-a13-versatile-laptop-sleeve-for-13-5-inch-microsoft-surface-laptop-navy-blue). It's a nice soft sleeve with a pocket where I fit all the
+expansion cards and a power supply. There's a [pretty long thread
+about carrying bags and sleeves](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763) where I [participated](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763/115?u=anarcat) (and,
+you'll notice, bought another Timbuk sleeve I didn't like so much.
+
+In retrospect, I might consider buying a hard shell next time. The
+Smatree 13.5 looks pretty cool, but it's [not clear if it actually
+fits](https://community.frame.work/t/hard-case-compatibility/13016/4?u=anarcat). [This one comment points at one case that does fit](https://community.frame.work/t/suggestions-on-carry-bag-or-sleeve/3763/131?u=anarcat)
+
 ## Upstream resources
 
  * [community forum](https://community.frame.work/), lots of information, much support, wow!
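Review bot: the parenthesis opened at "(and, you'll notice, bought another Timbuk sleeve" in the first added paragraph is never closed, and the last added sentence ("[This one comment points at one case that does fit]") has no final period. Close the parenthesis after "so much", and consider naming the case that fits in the link text so the reader does not have to follow the forum link to learn it.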

framework BIOS update fail
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index f7cc84f7..66ed3b07 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -940,6 +940,15 @@ can be deployed through LVFS with:
 Those instructions come from the [beta forum post](https://community.frame.work/t/12th-gen-intel-core-bios-3-06-beta/25726). I performed the
 BIOS update on 2023-01-16T16:00-0500.
 
+Update: more than a year later, that update never came out of
+beta. Worse, they published a new update (3.08) including security fixes, but
+only for Windows. See [this very long thread on the forum](https://community.frame.work/t/12th-gen-intel-core-bios-3-08-release/43244), [my
+comment](https://community.frame.work/t/12th-gen-intel-core-bios-3-08-release/43244/329?u=anarcat), and [this Ars article](https://arstechnica.com/gadgets/2024/04/frameworks-software-and-firmware-have-been-a-mess-but-its-working-on-them/).
+
+I have filed a formal complaint with support, threatening a refund, as
+I find it simply unacceptable that they just drop support for Linux
+like this.
+
 ## Resolution tweaks
 
 The Framework laptop resolution (2256px X 1504px) is big enough to
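Review bot: the added "Update:" paragraph is undated ("more than a year later"), while the context line just above it timestamps the BIOS update to the minute (2023-01-16T16:00-0500); give the update a date so readers can tell how old the 3.06 beta is. Since the paragraph says 3.08 includes security fixes and ships only for Windows, it would also help to state explicitly which BIOS version this machine is still running. "threatening a refund" reads oddly; "threatening to ask for a refund" is probably what is meant.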

calibre can't do flat
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index 63e43524..e2ae6e5e 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -561,6 +561,53 @@ until we're satisfied.
 
 Or we can just keep using Calibre.
 
+Another big problem I have with Calibre right now is that it enforces
+this `Author/Title/Title.epub` folder structure which is really
+*heavy* and annoying. It feels like iTunes. I have 355 authors in my
+collection here and 952 books (or at least 952 second-level folders),
+so the Author/Title distinction is really not helping much: a flat
+hierarchy of `Author - Title.epub` would really work just as well, and
+would make the book collection much easier to browse using standard
+tools (e.g. Koreader would render it much more nicely).
+
+Compare, for example, before:
+
+[[!img snap-20240415T135134.png]]
+
+and after flatting:
+
+[[!img snap-20240415T135538.png]]
+
+Now, I cheated a little bit there as I don't show the other Ada Palmer
+books, for which Koreader somehow can't generate a cover for (which is
+a problem!) and I deleted the `cover.jpg` that Calibre adds everywhere
+which would otherwise double the listings everywhere. (But I'm
+considering ditching those files anyways, since they clutter
+everything and needlessly inflate the library.)
+
+But this is something the Calibre author has been [completely
+inflexible](https://manual.calibre-ebook.com/faq.html#why-doesn-t-calibre-let-me-store-books-in-my-own-folder-structure) on since basically forever:
+
+> If you are still not convinced, then I’m afraid calibre is not for
+> you. Look elsewhere for your book cataloguing needs. Just so we’re
+> clear, this is not going to change. Kindly do not contact us in an
+> attempt to get us to change this.
+
+... which is a recurring pattern of "my way or the highway" with this
+software. Totally within their right of course, but exactly the kind
+of things that make me want to look elsewhere.
+
+In any case, if we're going to ditch Calibre, this would be the
+procedure:
+
+    rm */*/cover.jpg # remove all covers
+    # rename all actual book files without the directories, keeping extension
+    rename 's,([^/]*)/([^/]*)/.*-.*(\....),$1 - $2$3,' */*/*
+    # rename remaining files, should just be metadata.opf
+    rename 's,([^/]*)/([^/]*)/metadata.opf,$1 - $2.opf,' */*/*
+    # remove empty directories, if this fails, we forgot some
+    rmdir */*
+
 [work Peter Keel did]: https://seegras.discordia.ch/Blog/life-with-calibre/
 [epub-tools]: https://sourceforge.net/projects/ebook-tools/
 [Thunar]: https://docs.xfce.org/xfce/thunar/start
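Review bot: the procedure at the end of the hunk deletes and renames in place with no preview: `rm */*/cover.jpg` runs first and both `rename` calls act immediately on `*/*/*`. Suggest showing a dry run first (`rename -n` with the same expression) and moving the `rm` to the end, once the renames look right. The first expression only matches files with a `-` in their name, and its `(\....)` group captures a dot plus three characters, so an `.epub` suffix survives only because the unmatched trailing `b` is left in place; ending the pattern with `(\.[^.]+)$` would make the "keeping extension" comment true by construction. In the second expression the dot in `metadata.opf` is unescaped. Prose nits: "after flatting" should be "after flattening", and "for which Koreader somehow can't generate a cover for" has a doubled "for".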
diff --git a/software/desktop/calibre/snap-20240415T135134.png b/software/desktop/calibre/snap-20240415T135134.png
new file mode 100644
index 00000000..e5f2e845
Binary files /dev/null and b/software/desktop/calibre/snap-20240415T135134.png differ
diff --git a/software/desktop/calibre/snap-20240415T135538.png b/software/desktop/calibre/snap-20240415T135538.png
new file mode 100644
index 00000000..2bba3b43
Binary files /dev/null and b/software/desktop/calibre/snap-20240415T135538.png differ

new package in debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index affe47f1..287598d2 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -848,8 +848,8 @@ although it's not clear to me what its purpose is...
 I'm a heavy user of [maim][] (and a package uploader in Debian). It
 looks like the direct replacement to maim (and [slop][]) is [grim][]
 (and [slurp][]). There's also [swappy][] which goes on *top* of grim
-and allows preview/edit of the resulting image, nice touch (not in
-Debian though).
+and allows preview/edit of the resulting image, nice touch (in Debian
+since Trixie).
 
 See also [awesome-wayland screenshots][] for other alternatives:
 there are many, including X11 tools like [Flameshot][] that also

hid thing not fixed
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index e9a3cd5c..f7cc84f7 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -500,7 +500,10 @@ Note that there's another solution flying around that fixes this by
 that or seen confirmation it works.
 
 Update: it seems like this issue [has been fixed in newer kernels](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/103)
-([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still works.
+([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still
+works. Worse, I *thought* it was fixed, but then it wasn't: I think I
+forgot to run `depmod -a`, because at some point my <kbd>fn lock</kbd>
+key broke...
 
 ### Kill switches
 

linux fixed the framework brightness button issue!
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 18868775..e9a3cd5c 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -243,7 +243,7 @@ the laptop.
    are much less affordable (700$+)
 
  * the 12th gen has compatibility issues with Debian, followup in the
-   [DebianOn page](https://wiki.debian.org/InstallingDebianOn/FrameWork/12thGen), but basically: [brightness hotkeys](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/6), [power
+   [DebianOn page](https://wiki.debian.org/InstallingDebianOn/FrameWork/12thGen), but basically: [brightness hotkeys](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/6) (fixed!), [power
    management](https://community.frame.work/t/12th-gen-power-management-on-linux/21330), [wifi](https://community.frame.work/t/debian-11-gen12th-wifi-working/21799), the webcam is okay even though the
    chipset is the [infamous alder lake](https://www.phoronix.com/news/Greg-KH-No-ADL-Webcam-Laptop) because it [does not have
    the fancy camera](https://www.phoronix.com/forums/forum/linux-graphics-x-org-drivers/intel-linux/1340695-greg-kh-recommends-avoiding-alder-lake-laptops-intel-webcam-linux-driver-long-ways-out?p=1340968#post1340968); most issues currently seem solvable, and
@@ -499,6 +499,9 @@ Note that there's another solution flying around that fixes this by
 [changing permissions on the input device](https://community.frame.work/t/12th-gen-not-sending-xf86monbrightnessup-down/20605/24?u=anarcat) but I haven't tested
 that or seen confirmation it works.
 
+Update: it seems like this issue [has been fixed in newer kernels](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/103)
+([6.6.6+](https://community.frame.work/t/solved-guide-12th-gen-not-sending-xf86monbrightnessup-down/20605/98?u=anarcat)?), but I couldn't figure out if the light sensor still works.
+
 ### Kill switches
 
 The Framework has two "[kill switches](https://en.wikipedia.org/wiki/Kill_switch)": one for the camera and the

usb-c status updates
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 556c045e..e0992c51 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -104,9 +104,14 @@ Sharge, ZMI all within 1.5mm of each other) by only 4mm for depth, so
 maybe not worth it? Interestingly, it's not much lighter than the
 travel-friendly Oneworld.
 
-The Sharge is my current "left in my bag" driver, even though it's
+### Current picks
+
+The Sharge is my current "every day carry" driver, even though it's
 heavier than the TOFU, because the latter is a little too bulky (one
-of the largest by volume).
+of the largest by volume). I do bring the TOFU and/or the Oneworld on
+trips however, especially the TOFU for conferences and the Oneworld
+for hotel rooms (and having *both* means I can leave the latter in the
+hotel room!).
 
 ### Sharge
 
@@ -492,7 +497,7 @@ Also: [this post from Big Mess Of Wires](https://www.bigmessowires.com/2019/05/1
 *anything* might work at all. It's where I had the Cable Matters
 reference however...
 
-Update: I ordered a [this dock from Cable Matters](https://www.cablematters.com/pc-1054-127-usb-c-docking-station-with-dual-4k-hdmi-and-80w-charging-for-windows-computers.aspx) [from Amazon](https://www.amazon.ca/dp/B07PFFN219)
+Update (2023-02-22): I ordered a [this dock from Cable Matters](https://www.cablematters.com/pc-1054-127-usb-c-docking-station-with-dual-4k-hdmi-and-80w-charging-for-windows-computers.aspx) [from Amazon](https://www.amazon.ca/dp/B07PFFN219)
 (reluctantly). It promises “Linux” support and checked all the boxes
 for me (4x USB-A, audio, network, 2xHDMI).
 
@@ -509,16 +514,35 @@ fun. I suspect foul play inside Sway.
 And yeah, those things are costly! This one goes for 300$ a pop, not
 great.
 
-Update 2: Cable Matters support responded by simply giving me this
+Update (2023-02-27): Cable Matters support responded by simply giving me this
 hack that solved it at least for now. Just reverse the USB-C cable,
 and poof, everything works. *Magic*.
 
-Update 3: turns out that was overly optimistic. It seems the problem
+Update (2023-05-10): turns out that was overly optimistic. It seems the problem
 actually resides in Sway, because when it happens (and it still does),
 logging out fixes the issue: GDM3 takes over and reinitializes the
 monitors properly. Then Sway can do its thing when I log back in
 again.
 
+Update (2024-04-13): I have since then returned the dock to Cable
+Matters who have been gracious enough to do a RMA (although I paid for
+shipping). I have now a USB-C twin-[[hardware/monitor]] setup that
+works really well, but the reason for that is that I downgraded Sway
+to the version in stable. It seems like there was some impedance
+mismatch there, and I was rather distressed to find out I still had
+the bugs with the shiny new monitors. So, I guess I'm sorry for the
+Cable Matters folks, their dock was fine after all...
+
+### Current status
+
+I'm using the USB-C docks built-in my [[hardware/monitor]]s, two [Dell
+U2723QE][]. The first monitor's USB ports are completely full, so I
+daisy-chained to the second monitor and, amazingly, that all works
+over a single USB-C cable. The only annoyance is that USB-C cable is
+rather short, so it's not as neatly tucked in as it should ne.
+
+[Dell U2723QE]: https://www.dell.com/en-ca/shop/cty/apd/210-bdpf
+
 ## Power banks
 
 This has been spun out in another page, see [[hardware/battery]].
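Review bot: two typos in the added "Current status" paragraph: "as it should ne" should be "as it should be", and "the USB-C docks built-in my" wants "built into my". The 2024-04-13 update attributes the monitor bugs to the Sway version, so consider naming the Sway versions involved, since "the version in stable" will change meaning over time.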

improve tok
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 87effe79..556c045e 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -3,7 +3,7 @@
 Dear lazy web, help me pick the right hardware to make my shiny new
 laptop work better. I want a new USB-C dock and travel power supply.
 
-[[!toc]]
+[[!toc levels=3]]
 
 # Background
 

review USB testers
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 744c78c0..87effe79 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -374,6 +374,61 @@ reddit](https://old.reddit.com/r/UsbCHardware/comments/161t5d4/absolutely_smalle
 It's not small enough to beat the Sharge as a daily driver, but if I
 find it too bulky / heavy, maybe I'll indulge.
 
+## USB testers
+
+Now that a USB cable isn't a simple 5V electric signal, cables and
+chargers matter. A lot. A given cable might not be able to deliver the
+power you need, and it is far from clear which part of the connection
+is to blame, as it could be the charger, the cable, or the charged
+device.
+
+So there are now testers for this. They typically will show you
+voltage and amperage, but can also show wattage, mAh or Wh, and the
+best ones will also show the resistance of the cable alongside the
+protocol negotiated.
+
+We're looking for:
+
+ * voltmeter
+ * anmeter
+ * protocol detection (power delivery, etc)
+ * USB-C in/out (to test USB-C power supplies and cables)
+
+Ideally:
+
+ * wattmeter (yes, i know that's the product of voltage and amperage)
+ * thunderbolt 3, PD 3.1 detection and triggers
+ * USB-A output (to test charging micro-USB devices)
+ * USB-A and micro-USB input (to test old chargers and cables)
+ * e-marker detection
+ * resistance measurement
+
+Other things that those devices can check I care less about:
+
+ * device temperature
+ * "DASH" cable compatibility
+ * Bluetooth support to send results to a phone
+
+The Firefox people have been [running power usage tests](https://github.com/fqueze/usb-power-profiling) with those
+devices, by connecting them to another computer and checking how code
+changes affect power usage. I'm using their list as a basis for
+devices that are not total junk from the "weird internet market place"
+thing.
+
+ * [FNIRSI FNB58](https://www.amazon.com/FNIRSI-Multimeter-Bluetooth-Detection-Measurement/dp/B0BJ253W31): almost has it all, only missing PD 3.1, 50-60$
+   depending on Bluetooth support
+ * [ChargerLAB Power-Z KT002](https://www.amazon.com/ChargerLAB-Power-Z-Voltage-Current-Capacity/dp/B092R533WV?m=A31UM8SRXYVF2Z): everything but micro-USB PD 3.1
+   test, 50$... frustratingly, they have another device (KM002C) that
+   *does* support PD 3.1, but it lacks USB-A/micro USB and cable
+   resistance, and it's *way* more expensive ([100+$ at amazon](https://www.amazon.ca/Charging-Motherboard-Voltmeter-Detector-Accessories/dp/B0CYPG26D2))
+ * AVHzY has a bunch, but those are rather hard to figure out and more
+   expensive, like the [CT3](https://www.aliexpress.com/item/4001280718072.html#nav-specification) is 85CAD, but the [TC66](https://www.aliexpress.com/item/1005006261935936.html?algo_exp_id=b5cf4a97-54ca-42fb-b882-66ad45f33749-0&pdp_npi=4%40dis%21CAD%2132.21%2121.01%21%21%2123.01%2115.01%21%402103249617129781964942450eeb8f%2112000036514751945%21sea%21CA%210%21AB&curPageLogUid=6meoFWJIqWLV&utparam-url=scene%3Asearch%7Cquery_from%3A) is
+   ... 20$!
+ * [ATORCH ACD15P](https://www.aliexpress.com/item/1005005674681544.html): *everything* but USB PD 3.1 (including
+   alligator clips for testing other batteries which is a nice touch),
+   23$
+ * [WITRN C5](https://www.aliexpress.com/item/1005006194408105.html): everything including PD 3.1, but only USB-C, 80$
+
 ## USB Docks
 
 Specification: 
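Review bot: in the "We're looking for" list, "anmeter" should be "ammeter". The TC66 link in the AVHzY item carries a long AliExpress tracking query string (`algo_exp_id`, `pdp_npi`, `curPageLogUid`, `utparam-url`); trim it to the bare `/item/1005006261935936.html` form, as the ATORCH and WITRN links already do, which also keeps search-session identifiers out of the published page. In the KT002 item, "everything but micro-USB PD 3.1 test" is ambiguous between one missing feature and two; a comma or an "and" would settle it.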

add mikrotik to list of routers, cross-ref with wifi page since i looked there first
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 2cd2c452..4ba4e616 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -315,8 +315,15 @@ router](https://openwrt.org/toh/views/toh_sfp_ports). The [MicroTik hAP ac](http
    SATA PCIe](https://www.supermicro.com/en/products/system/iot/mini-itx/sys-e200-12d-4c), a bit overkill, and not enough ports to act as a
    switch
  * Protectli has interesting series, e.g. [4x2.5gbit switch + wifi](https://ca.protectli.com/product/fw4c/)
-   and coreboot, but no SFP
+   and coreboot, but no SFP (that's what we ended up going with here)
  * Qotom has a [4xSFP+ 5x2.5gbit beast](https://www.qotom.net/product/RouterPC_Q20331G9S10.html), but no wifi
+ * Mikrotik has sturdy routers and switches, the latter are often
+   locked in their proprietary hardware, but their routers are a
+   little better, e.g. [noodles](https://www.earth.li/~noodles/) says he uses a [mikrotik
+   RB5009](https://mikrotik.com/product/rb5009ug_s_in) in [this blog post about DNS](https://www.earth.li/~noodles/blog/2024/04/backup-internet-rdns.html), but, surprisingly, i
+   don't see *any* Mikrotik entry in [InstallingDebianOn](https://wiki.debian.org/InstallingDebianOn). in [this
+   post](https://www.earth.li/~noodles/blog/2022/02/yak-shaving-internet.html) noodles says the mikrotik run mainline, so that's really
+   encouraging
 
 One option is to move the Omnia to the office and replace the core
 router with something beefier, and add a new AP downstairs.
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index 4a763d6b..6232ace0 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -384,6 +384,8 @@ Notes:
    protectli or the switch, depending on arrivals
  * [[hardware/rosa]] can serve as a replacement for the omnia if we
    don't want to get another U6
+ * this article previously had comparisons between various routers,
+   this is now in [[hardware/margaret]]
 
 Another build could be done with the Turris Mox:
 

another matrix thing
diff --git a/blog/2022-06-17-matrix-notes.md b/blog/2022-06-17-matrix-notes.md
index a2483dad..2b5bec2d 100644
--- a/blog/2022-06-17-matrix-notes.md
+++ b/blog/2022-06-17-matrix-notes.md
@@ -881,6 +881,13 @@ One thing I haven't found an equivalent for is Debian's
 [MeetBot](https://wiki.debian.org/MeetBot). There's an [archive bot](https://github.com/russelldavies/matrix-archive) but it doesn't have topics
 or a meeting chair, or HTML logs.
 
+Update: it's not a bot but [progval/matrix2051](https://github.com/progval/matrix2051) is quite
+interesting for me, as a long-time IRC user: it's a homeserver gateway
+that presents itself as an IRC server. So you can treat Matrix as one
+big weird IRC server. Main limitation is DMs are basically broken, but
+lack of TLS also keeps it from being useful as a drop-in replacement
+for migrating an existing IRC network.
+
 ## Working on Matrix
 
 As a developer, I find Matrix kind of intimidating. The specification
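Review bot: "lack of TLS" in the added paragraph does not say which connection is unencrypted. Spell out whether it is the IRC-facing side (client to matrix2051) or the connection to the homeserver, because a reader deciding where the gateway can safely listen needs to know which leg is in cleartext. The sentence also names DMs as the "main limitation" and then gives TLS as what blocks a migration; say which of the two is the actual blocker.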

wayland/latency notes
diff --git a/blog/2018-05-04-terminal-emulators-2.mdwn b/blog/2018-05-04-terminal-emulators-2.mdwn
index 6d246c17..18ac33d6 100644
--- a/blog/2018-05-04-terminal-emulators-2.mdwn
+++ b/blog/2018-05-04-terminal-emulators-2.mdwn
@@ -347,7 +347,7 @@ The above latency benchmarks were done with Typometer on X11 by
 [beuke.org](https://beuke.org/terminal-latency/). Their results are different on some points: xterm's
 maximum latency (9.8ms) is much higher than ours (2.4ms) which makes
 me think there's something wrong with their test bench. But other
-results (rxvt, st, Terminaor) are strickingly similar. One notable
+results (rxvt, st, Terminator) are strikingly similar. One notable
 change is how well Alacritty performs, probably because it improved in
 6 years since I ran those benchmarks.
 
@@ -356,4 +356,23 @@ under wayland and compare against foot. Right now it's really hard to
 tell, but I get the feeling Alacritty and xterm are pretty close, and
 that foot and gnome-terminal are slower.
 
+Update: 9 days later, just found out about [Ivan Molodetskikh VTE
+end-to-end tests](https://bxt.rs/blog/just-how-much-faster-are-the-gnome-46-terminals/) which show precisely how well VTE has improved
+over the years, to be on par with Alacritty (which, somehow, managed
+to become a reference after lagging behind). Excellent work! My only
+criticism is the article focuses exclusively on VTE but the author
+also made [other benchmarks](https://mastodon.online/@YaLTeR/110837121102628111) including of Foot, the terminal
+emulator I'm currently using now and that I was, above, feeling
+slower, but that tests show is the *fastest* on the block, which is
+really nice to hear.
+
+They also made [compositor tests](https://mastodon.online/@YaLTeR/110848066454900941) which show Sway (~12ms) is ahead
+of Mutter (~14ms, GNOME's simplest compositor), itself ahead of normal
+GNOME (~16ms). Only X11/i3 goes below the 10ms mark there, which is a
+bit depressing, but the author is quick to point out that "work to add
+tearing flips to kernel and Wayland is ongoing".
+
+Oh, and they don't test Emacs in their editors, arguing it lacks a
+good editor, ha ha.
+
 [[!tag debian-planet lwn geek review terminals performance]]
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 5ebad3cc..affe47f1 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -185,6 +185,7 @@ Other options include:
  * [Hyprland][]: tiling, fancy animations, not in Debian ([1040971][])
  * [Qtile][]: tiling, extensible, in Python, not in Debian ([1015267][])
  * [river][]: Zig, stackable, tagging, not in Debian  ([1006593][])
+ * [smithay][], and many derivatives: Rust, not in Debian
  * [velox][]: inspired by xmonad and dwm, not in Debian
  * [vivarium][]: inspired by xmonad, not in Debian
  * [wlmaker][]: inspired by Window Maker, not in Debian
@@ -208,6 +209,7 @@ Other options include:
 [hikari]: https://hikari.acmelabs.space/
 [1040971]: https://bugs.debian.org/1040971
 [wlmaker]: https://github.com/phkaeser/wlmaker
+[smithay]: https://github.com/Smithay/smithay
 
 ## Status bar: py3status → waybar
 

add pcpartspicker
diff --git a/hardware/battery.md b/hardware/battery.md
index 1ba325c1..73e8d25b 100644
--- a/hardware/battery.md
+++ b/hardware/battery.md
@@ -258,6 +258,11 @@ fluctuates between 60 and 80 watts, with about 50 minutes of standby time.
   * spare batteries: <https://www.upsbatterycenter.ca/>
   * how to pick a UPS (TL;DR: VA = 1.6*W): <https://www.howtogeek.com/161479/how-to-select-a-battery-backup-for-your-computer/>
 
+See also [pc parts picker](https://ca.pcpartpicker.com/products/ups/) for this, cheapest rack-mount 1500KVA
+UPS seems to be the [cyberpower CPS1500AVR](https://ca.pcpartpicker.com/product/wWX2FT/cyberpower-ups-cps1500avr) at 585$CAD at the time
+of writing, but at that price you don't even get an LCD, for that you
+need [640$](https://ca.pcpartpicker.com/product/JKZ2FT/cyberpower-ups-or1500lcdrt2u).
+
 ## Actual hardware
 
 I ended up ordering this from Amazon (yes, I know):
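Review bot: "1500KVA" in the added paragraph is off by a factor of a thousand; the linked model is the CPS1500AVR and the context line above sizes in VA ("VA = 1.6*W"), so this should read 1500VA. The sentence is also a comma splice; a full stop after "for this" would read better.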

more tls docs
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 915310e0..bb8dc235 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -903,6 +903,11 @@ Create basic directories and files:
     mkdir private certs req newcerts
     echo 00 > serial
 
+We don't have a serial `crlnumber` but if we would, we would start
+with:
+
+    printf 00 > crlnumber
+
 Generate the CA secret key:
 
     openssl genpkey -algorithm ed25519 -out private/cakey.pem -aes256
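Review bot: the added `printf 00 > crlnumber` writes the file without a trailing newline, while the context line just above uses `echo 00 > serial` for the same kind of counter file; use the same command for both so the two files have the same format. "We don't have a serial `crlnumber`" is also hard to parse: "We don't have a `crlnumber` file, but if we did, we would start with" says the same thing.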
@@ -945,13 +950,21 @@ Copy the CSR and CRT files to the CA server and sign the request with:
 
     openssl ca -days 365 -in req/test.anarc.at.csr -out certs/test.anarc.at.crt
 
-Alternatively, this can be done without the CA, with the lower-level
-`x509` command:
+... from [this guide](https://pub.nethence.com/security/sslhappy-ca). Alternatively, this can be done without the
+CA, with the lower-level `x509` command:
 
     openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
+The cert can be checked with:
+
+    openssl x509 -text < certs/angela.anarc.at.crt
+
+... and:
+
+    openssl verify -CAfile cacrt.pem  certs/angela.anarc.at.crt
+
 Generate the CRL file, currently just the cert because we haven't
 revoked anything yet:
 
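Review bot: the added `openssl verify -CAfile cacrt.pem` names a different file than the signing command in the context above, which uses `-CA cacert.pem`; if that is a typo, the check fails on a missing file rather than on the certificate. There is also a doubled space before `certs/`. For the first check, `openssl x509 -text -noout` avoids printing the PEM block after the decoded text. Finally, "... from [this guide]" now sits after the `openssl ca` command while "Again, from [RHEL]" follows the `x509` one, so make clear which source goes with which command.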
@@ -1059,9 +1072,11 @@ Turn up the logging level on the client:
 
 ### Dovecot configuration
 
-https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication
+The [dovecot SSL configuration docs](https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication) are quite limited. So we're
+using [another guide](https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html) instead. The also have [limited SSL
+docs](https://doc.dovecot.org/admin_manual/ssl/certificate_creation/)...
 
-in `10-ssl.conf`:
+Enable TLS verification in `conf.d/10-ssl.conf`:
 
     ssl_ca = </etc/ssl/ca/cacrl.pem
     ssl_verify_client_cert = yes
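Review bot: "The also have" in the added paragraph should be "They also have". The new lead-in "Enable TLS verification" is broader than what the settings under it do; `ssl_verify_client_cert = yes` is client certificate verification, so say that. The context line `ssl_ca = </etc/ssl/ca/cacrl.pem` is a third spelling next to `cacert.pem` and `cacrt.pem` in the previous hunk; a sentence saying what that file contains would keep it from being read as a typo.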
@@ -1100,6 +1115,9 @@ Create `conf.d/auth-tls.conf.ext`:
        #override_fields = home=/home/virtual/%u
     }
 
+Note that the above uses the normal [user database](https://doc.dovecot.org/configuration_manual/authentication/user_database_extra_fields/#authentication-user-database-extra-fields) so the user
+need to exist on the system as well.
+
 Then include that in `conf.d/10-auth.conf`, and comment out the other includes:
 
     #!include auth-system.conf.ext
@@ -1150,6 +1168,9 @@ You can now test revocation with:
 And now the above `curl` command should fail. Notice how dovecot needs
 a kick after revocation, a `reload` might be sufficient as well.
 
+[Another guide](https://pub.nethence.com/mail/dovecot-clientcert) has instructions on how to disable TLS certs for
+some services, e.g. if Postfix would still require SASL auth.
+
 ### Adding a new satellite
 
 To add a new satellite to this setup, you need to generate a new key

use the openssl CA command to sign certs, duh
diff --git a/services/mail.mdwn b/services/mail.mdwn
index b8e1e734..915310e0 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -898,9 +898,10 @@ actually tried a configuration-file-less setup, but it breaks down
 when you start using the `openssl ca` command, necessary to revoke
 certificates.
 
-Create basic directories:
+Create basic directories and files:
 
-    mkdir private certs req
+    mkdir private certs req newcerts
+    echo 00 > serial
 
 Generate the CA secret key:
 
@@ -940,7 +941,12 @@ Create the CSR with:
 
     openssl req -key angela.anarc.at.key -out angela.anarc.at.csr -config openssl.cnf -new 
 
-Copy the CSR and CRT files to the CA server and sign those keys with:
+Copy the CSR and CRT files to the CA server and sign the request with:
+
+    openssl ca -days 365 -in req/test.anarc.at.csr -out certs/test.anarc.at.crt
+
+Alternatively, this can be done without the CA, with the lower-level
+`x509` command:
 
     openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
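Review bot: "this can be done without the CA" does not match the command under it, which still signs with `-CA cacert.pem -CAkey private/cakey.pem`; what it skips is the `openssl ca` bookkeeping (serial file and certificate database), and the context at the top of this diff says `openssl ca` is what revocation relies on. Reword to something like "without the `openssl ca` database" and note that certificates issued this way are not recorded there. Also, "Copy the CSR and CRT files to the CA server" mentions a CRT that does not exist until the request is signed, and the new example signs `test.anarc.at` while the surrounding commands use `angela.anarc.at`.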
@@ -1179,9 +1185,9 @@ Then generate the private key and the CSR:
     openssl req -key client.key -out client.csr -config openssl.cnf -new
 
 Then copy that over to the CA in `/etc/ssl/ca/req/tubman.anarc.at.csr`
-and generate the cert:
+and sign the request:
 
-    openssl x509 -req -in req/tubman.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/tubman.anarc.at.crt
+    openssl ca -days 365 -in req/tubman.anarc.at.csr -out certs/tubman.anarc.at.crt
 
 Then regenerate the list of trusted certs:
 

migrated tubman
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 6eaa5356..b8e1e734 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -996,7 +996,7 @@ The certificates list is created with:
                 openssl pkey -pubin -outform DER |
                 openssl dgst -sha256 -c |
                 sed 's/.*= //'
-            )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+            )" $cert >> /etc/postfix/client-certs-fingerprints
     done
 
 And of course the map needs to be rehashed each time:
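Review bot: `$cert` on the changed line is unquoted; write `"$cert"` so a file name with spaces or glob characters cannot split the `printf` arguments. The second column of the map also changes from a host name (`angela.anarc.at`) to the value of the loop variable, which in the copy of this loop added further down is a path from `certs/*`; if the right-hand side is meant to identify the client, strip the directory and the extension before writing it.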
@@ -1144,7 +1144,69 @@ You can now test revocation with:
 And now the above `curl` command should fail. Notice how dovecot needs
 a kick after revocation, a `reload` might be sufficient as well.
 
-### Easy-RSA CA
+### Adding a new satellite
+
+To add a new satellite to this setup, you need to generate a new key
+on the client, and a CSR, based on the following config. Typically,
+you only need to do this for Postfix, so this can more easily be done
+in `/etc/postfix/x509` (and that is where Puppet configures Postfix to
+look for certs).
+
+This is how [[hardware/tubman]] was configured. First, make the
+directory:
+
+    mkdir /etc/postfix/x509
+    cd /etc/postfix/x509
+
+Then create `openssl.conf`:
+
+    [client-cert]
+    keyUsage = cRLSign, keyCertSign
+    extendedKeyUsage = clientAuth
+
+    [req]
+    distinguished_name = dn
+    prompt = no
+    x509_extensions = client-cert
+
+    [dn]
+    CN = tubman.anarc.at
+    emailAddress = tubman-mail
+
+Then generate the private key and the CSR:
+
+    openssl genpkey -algorithm ed25519 -out client.key
+    openssl req -key client.key -out client.csr -config openssl.cnf -new
+
+Then copy that over to the CA in `/etc/ssl/ca/req/tubman.anarc.at.csr`
+and generate the cert:
+
+    openssl x509 -req -in req/tubman.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/tubman.anarc.at.crt
+
+Then regenerate the list of trusted certs:
+
+    rm /etc/postfix/client-certs-fingerprints
+    for cert in certs/* ; do 
+        printf "%s %s\n" "$(
+            openssl x509 -in $cert -noout -pubkey |
+                openssl pkey -pubin -outform DER |
+                openssl dgst -sha256 -c |
+                sed 's/.*= //'
+            )" $cert >> /etc/postfix/client-certs-fingerprints
+    done
+    postmap /etc/postfix/client-certs-fingerprints
+
+Add the `profile::postfix::satellite` class to the node and it should
+be able to send mail. Test with:
+
+    mail -s test anarcat@example.com < /dev/null
+
+### Easy-RSA CA notes
+
+I tested building a CA with easy-rsa but ended up not using it because
+my end goal is to do this in Puppet, so I couldn't rely on such a
+large third-party tool directly. Plus, I didn't think it supported
+ed25519 keys at first (it does though!).
 
 To get started with easy-rsa:
 
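Review bot: the new section says to create `openssl.conf`, but the CSR command two steps later reads `-config openssl.cnf`, so following the steps literally fails on a missing file; pick one name (the rest of the page uses `openssl.cnf`). The `[client-cert]` block also carries `keyUsage = cRLSign, keyCertSign`, which are CA usages rather than anything a mail client certificate needs, so either replace them or note why they are there. Finally, the `rm` followed by a rebuild leaves Postfix without a complete fingerprint list if the loop is interrupted; writing to a temporary file and moving it into place before `postmap` avoids that window.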
@@ -1235,9 +1297,8 @@ meaningful regression.
 
 ### Remaining work
 
- * TODO: expiration, switch to easyrsa fully?
+ * TODO: renewals, switch to easyrsa fully?
  * TODO: generate and distribute certs with Puppet
- * TOOD: migrate tubman to TLS
 
 ## Todo
 

benchmark
diff --git a/services/mail.mdwn b/services/mail.mdwn
index dfb7c6ba..6eaa5356 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1201,6 +1201,38 @@ configuration, with `permit_tls_all_clientcerts`, which leads me to
 think it *might* be possible to avoid listing all fingerprints. To be
 tested/confirmed.
 
+### Conversion effect on performance
+
+I have sampled the last ~100 `mbsync` runs, which is from April 08
+01:52:56 to April 09 14:42:37 (non-inclusively), with:
+
+    journalctl -u mbsync.service --user -n 1000 | grep Consumed | sed '/avr 09 14:42:37/,$d;s/.*Consumed //;s/s CPU time.//' > timings-over-ssh
+
+This gave me 132 samples:
+
+    $ wc -l timings-over-ssh
+    132 timings-over-ssh
+
+The average CPU usage was:
+
+    $ awk 'BEGIN { sum = 0; count = 0 } { sum += $1; count++ } END { print sum / count}' < timings-over-ssh
+    2.70843
+
+Things *seem* faster. The evidence is a bit anecdotal now, as I have
+only 4 samples, but there *is* already a clear reduction in CPU usage:
+
+    $ journalctl -u mbsync.service --user -n 1000 | grep Consumed | sed -n '/avr 09 14:42:37/,$p' | sed 's/.*Consumed //;s/s CPU time.//' | awk 'BEGIN { sum = 0; count = 0 } { sum += $1; count++ } END { print sum / count}'
+    2.1356
+
+This could be because the TLS key exchange is better optimized than
+SSH. And indeed, a casual look at the logs seem to suggest it was
+taking 4 seconds to sync before *and* after, so it could just be an
+accounting issue.
+
+Given that this work was done for security reasons and not
+optimization reasons, I'm satisfied with the results since there's no
+meaningful regression.
+
 ### Remaining work
 
  * TODO: expiration, switch to easyrsa fully?
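Review bot: both `sed` expressions cut on the literal string `avr 09 14:42:37`, which only matches when `journalctl` prints French month abbreviations; under another locale the first command keeps every line and the second prints none, without any error. `journalctl --since` and `--until` with explicit timestamps would make the two windows reproducible. The text also says "last ~100" runs while `wc -l` reports 132, and the "after" mean comes from 4 samples against 132, which is worth stating right next to the 2.1356 figure so it is not read as a measured speedup.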

add backwards compat postfix setting
diff --git a/services/mail.mdwn b/services/mail.mdwn
index d37d26c2..dfb7c6ba 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -968,6 +968,7 @@ After:
         -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
         -o milter_macro_daemon_name=ORIGINATING
         -o smtpd_tls_security_level=encrypt
+        -o smtpd_tls_fingerprint_digest=sha256
         -o smtpd_tls_ask_ccert=yes
         -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
         -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
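Review bot: the added `smtpd_tls_fingerprint_digest=sha256` line has no explanation in the surrounding text, and the commit title only says "backwards compat". A sentence after the `After:` block stating that this digest has to match the `openssl dgst -sha256` used to build `client-certs-fingerprints`, and which Postfix versions need it set explicitly, would keep someone from dropping it later.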

rebuild CA from scratch with a config file, working
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 05580640..d37d26c2 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -893,34 +893,24 @@ in [[blog/2016-05-12-email-setup]].
 
 ### Creating a self-signed ed25519 private CA
 
-    openssl genpkey -algorithm ed25519 -out ca.anarc.at.key -aes256
-    openssl req -new -key ca.anarc.at.key -out ca.anarc.at.csr -config ca.anarc.at.cnf
+We copied over the `/usr/lib/ssl/openssl.cnf` config file. We have
+actually tried a configuration-file-less setup, but it breaks down
+when you start using the `openssl ca` command, necessary to revoke
+certificates.
 
-RHEL [proposes](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#creating-a-private-ca-using-openssl_creating-and-managing-tls-keys-and-certificates):
+Create basic directories:
 
-    openssl req -key <ca.key> -new -x509 -days 3650 -addext keyUsage=critical,keyCertSign,cRLSign -subj "/CN=<Example CA>" -out <ca.crt>
+    mkdir private certs req
 
-cnf:
+Generate the CA secret key:
 
-    [req]
-    distinguished_name = req_distinguished_name
-    req_extensions = v3_req
-    prompt = no
-    [req_distinguished_name]
-    C = CA
-    CN = ca.anarc.at
-    [v3_req]
-    keyUsage = keyEncipherment, dataEncipherment
-    extendedKeyUsage = serverAuth
-    subjectAltName = @alt_names
-    [alt_names]
-    DNS.1 = ca.anarc.at
+    openssl genpkey -algorithm ed25519 -out private/cakey.pem -aes256
 
-Self-signed cert:
+ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
 
-    openssl x509 -req -days 365 -in ca.anarc.at.csr -signkey ca.anarc.at.key -out ca.anarc.at.crt
+Then generate a self-signed cert:
 
-ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
+    openssl req -subj "/CN=ca.anarc.at/" -key private/cakey.pem -out cacert.pem -new -x509 -days 3650 -reqexts v3_ca -config openssl.cnf
 
 Alternatives include OpenVPN's [easy-rsa](https://github.com/OpenVPN/easy-rsa/) and [cfssl](https://github.com/cloudflare/cfssl), which
 also has a [puppet module](https://forge.puppet.com/modules/mmack/cfssl/).
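Review bot: the rewritten section says `openssl.cnf` was copied from `/usr/lib/ssl/openssl.cnf` but not into which directory, nor whether anything in it was edited, and `mkdir private certs req` is relative to an unnamed working directory. Since the reason given for keeping a config file is `openssl ca`, the text should state the CA directory, any settings that were changed in the copied file, and the files `openssl ca` expects to find there. It would also help to say what mode `private/` gets, given that it holds `cakey.pem`.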
@@ -931,33 +921,36 @@ Then the client key is generated, *on the client*, again with (but without encry
 
     openssl genpkey -algorithm ed25519 -out angela.anarc.at.key
 
-CSR is a little special:
+The `openssl.cnf` file for the certificate request:
 
     [client-cert]
-    keyUsage = critical, digitalSignature, keyEncipherment
+    keyUsage = cRLSign, keyCertSign
     extendedKeyUsage = clientAuth
-    subjectAltName = @alt_name
 
     [req]
     distinguished_name = dn
     prompt = no
+    x509_extensions = client-cert
 
     [dn]
     CN = angela.anarc.at
-
-    [alt_name]
     emailAddress = anarcat
 
-But the CSR is created as expected:
+Create the CSR with:
 
-    openssl req -key angela.anarc.at.key -config angela.anarc.at.cnf -new -out angela.anarc.at.csr
+    openssl req -key angela.anarc.at.key -out angela.anarc.at.csr -config openssl.cnf -new 
 
 Copy the CSR and CRT files to the CA server and sign those keys with:
 
-    openssl x509 -req -in angela.anarc.at.csr -CA ca.anarc.at.crt -CAkey ca.anarc.at.key -days 365 -out angela.anarc.at.crt
+    openssl x509 -req -in req/angela.anarc.at.csr -CA cacert.pem -CAkey private/cakey.pem -days 365 -out certs/angela.anarc.at.crt
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
+Generate the CRL file, currently just the cert because we haven't
+revoked anything yet:
+
+    cp cacert.pem cacrl.pem
+
 ### Postfix server configuration
 
 Before:
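Review bot: in the `[client-cert]` section, `keyUsage` changes from `critical, digitalSignature, keyEncipherment` to `cRLSign, keyCertSign`, which are certificate-authority usages on what is meant to be a `clientAuth` leaf; unless that is deliberate it should go back to a signing usage. Separately, `x509_extensions = client-cert` in `[req]` is only consulted when `openssl req` is run with `-x509`, and the `openssl x509 -req` signing step does not copy extensions from the CSR by default, so it is worth inspecting the issued cert with `openssl x509 -noout -text` to see whether any of this section ends up in it.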
@@ -980,23 +973,38 @@ After:
         -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
         -o relay_clientcerts=hash:/etc/postfix/client-certs-fingerprints
 
-We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) but that silly
-thing doesn't support certificate revocation, so it's impossible to
-remove client certificates. So we need to use the static list.
+We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) like this:
 
-The list is created with:
+        -o tls_append_default_CA=no
+        -o smtpd_tls_CAfile=/etc/ssl/ca/cacrl.pem
+        -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
+        -o smtpd_relay_restrictions=permit_tls_all_clientcerts,reject
 
-    printf "%s %s\n" "$(
-        openssl x509 -in angela.anarc.at.crt -noout -pubkey |
-            openssl pkey -pubin -outform DER |
-            openssl dgst -sha256 -c |
-            sed 's/.*= //'
-        )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+but that silly thing doesn't support certificate revocation: it looks
+like the CRL part of the `cacrl.pem` file is ignore. So it's
+impossible to remove client certificates, so we need to use the static
+list. An alternative is to use Dovecot 2.3 submission functionality,
+since the CRL works there.
+
+The certificates list is created with:
+
+    rm /etc/postfix/client-certs-fingerprints
+    for cert in certs/* ; do 
+        printf "%s %s\n" "$(
+            openssl x509 -in $cert -noout -pubkey |
+                openssl pkey -pubin -outform DER |
+                openssl dgst -sha256 -c |
+                sed 's/.*= //'
+            )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+    done
 
 And of course the map needs to be rehashed each time:
 
     postmap /etc/postfix/client-certs-fingerprints
 
+Note that this *does* include revoked certificates as well, so you
+kind of have to manually skip the bad certs. (TODO.)
+
 Then this should work:
 
     swaks --tls --tls-cert ~/.config/x509/angela.anarc.at2.crt --tls-key ~/.config/x509/angela.anarc.at.key -s marcos.anarc.at -t anarcat@torproject.org -p 587
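Review bot: the new loop iterates over `certs/*` but still writes the literal `angela.anarc.at` as the second column for every fingerprint, so once a second cert exists the entries cannot be told apart; derive the label from `"$cert"` instead, and quote the variable in `-in $cert`. `rm` without `-f` also prints an error on a first run when the file does not exist yet.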
@@ -1048,13 +1056,11 @@ https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-c
 
 in `10-ssl.conf`:
 
-    ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
+    ssl_ca = </etc/ssl/ca/cacrl.pem
     ssl_verify_client_cert = yes
     ssl_cert_username_field = email
     ssl_require_crl = yes
 
-TODO: CRL stuff
-
 Create `conf.d/auth-tls.conf.ext`:
 
     # Take the username from client's SSL certificate, using 
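Review bot: `ssl_ca` now points at `cacrl.pem` with `ssl_require_crl = yes` left on, but the same commit creates that file with `cp cacert.pem cacrl.pem`, so until the first revocation it holds a CA certificate and no CRL. Either generate an initial empty CRL at CA creation time and concatenate it, or say explicitly how Dovecot behaves with this file before anything is revoked. Removing "TODO: CRL stuff" looks premature until that is written down.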
@@ -1107,13 +1113,13 @@ pretty fantastic.
 
 This can be tested with:
 
-    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert pki/issued/angela.anarc.at.crt -key pki/private/angela.anarc.at.key  -starttls imap -connect localhost:imap
+    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert angela.anarc.at.crt -key angela.anarc.at.key  -starttls imap -connect localhost:imap
 
 That will not actually do any IMAP query (although you *could* try
 `10 AUTHENTICATE EXTERNAL` to confirm login works). Better try the
 swiss-army-knife of everything:
 
-    curl --cert pki/issued/angela.anarc.at.crt --key pki/private/angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
+    curl --cert angela.anarc.at.crt --key angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
 
 This should list your folders. Use `-v` for more debugging if things fail.
 
@@ -1128,6 +1134,15 @@ To debug issues with TLS, turn on Dovecot's verbose logging in
 
     verbose_ssl = yes
 
+You can now test revocation with:
+
+    openssl ca -config openssl.cnf -revoke certs/angela.anarc.at.crt -gencrl > crl.pem
+    cat cacert.pem crl.pem > cacrl.pem
+    service dovecot restart
+
+And now the above `curl` command should fail. Notice how dovecot needs
+a kick after revocation, a `reload` might be sufficient as well.
+
 ### Easy-RSA CA
 
 To get started with easy-rsa:
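Review bot: the revocation test only restarts Dovecot, while the Postfix section in this same change says the fingerprint list "does include revoked certificates", so after these three commands the revoked key can still relay mail through the submission port. Add the Postfix half here: take the cert out of the list input, rebuild `/etc/postfix/client-certs-fingerprints`, rerun `postmap`, then confirm the `swaks` test fails as well.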

made dovecot work
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 67000bb5..05580640 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -945,7 +945,7 @@ CSR is a little special:
     [dn]
     CN = angela.anarc.at
 
-    [clnt_alt_name]
+    [alt_name]
     emailAddress = anarcat
 
 But the CSR is created as expected:
@@ -1051,47 +1051,143 @@ in `10-ssl.conf`:
     ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
     ssl_verify_client_cert = yes
     ssl_cert_username_field = email
+    ssl_require_crl = yes
 
-in `10-auth.conf`:
+TODO: CRL stuff
 
-    auth_ssl_username_from_cert=yes
+Create `conf.d/auth-tls.conf.ext`:
 
-if we'd like to keep Postfix using passwords, we could do:
+    # Take the username from client's SSL certificate, using 
+    # X509_NAME_get_text_by_NID() which returns the subject's DN's
+    # CommonName. 
+    auth_ssl_username_from_cert = yes
+     
+    # Space separated list of wanted authentication mechanisms:
+    #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
+    #   gss-spnego
+    # NOTE: See also disable_plaintext_auth setting.
+    auth_mechanisms = plain login external
+
+    passdb {
+      driver = passwd-file
+      args = scheme=PLAIN username_format=%u /etc/dovecot/users-external
+
+      mechanisms = external
+     
+      override_fields = nopassword
+    }
+
+    userdb {
+       # <doc/wiki/AuthDatabase.Passwd.txt>
+       driver = passwd
+       # [blocking=no]
+       #args = 
+      
+       # Override fields from passwd
+       #override_fields = home=/home/virtual/%u
+    }
+
+Then include that in `conf.d/10-auth.conf`, and comment out the other includes:
+
+    #!include auth-system.conf.ext
+    !include auth-tls.conf.ext
+
+If we'd like to keep Postfix using passwords, we could do:
 
     protocol !smtp {
       auth_ssl_require_client_cert=yes
     }
 
-but since we're going to use TLS there too, that makes obviously no
-sense. Plus it gets rid of the weird SASL shim between the two, woot.
+... but since we're going to use TLS there too, that makes obviously
+no sense. Plus it gets rid of the weird SASL shim between the two,
+woot.
 
 During this deployment, SSH-based IMAP connexions still work, which is
 pretty fantastic.
 
-### Testing client connexion
+This can be tested with:
+
+    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 -cert pki/issued/angela.anarc.at.crt -key pki/private/angela.anarc.at.key  -starttls imap -connect localhost:imap
 
-Not sure this is the correct way, but this *seems* to work in the
-sense that it loads the cert and tries to connect:
+That will not actually do any IMAP query (although you *could* try
+`10 AUTHENTICATE EXTERNAL` to confirm login works). Better try the
+swiss-army-knife of everything:
 
-    curl -v --cert ~/.config/x509/angela.anarc.at.crt --key ~/.config/x509/angela.anarc.at.key imaps://imap.anarc.at/
+    curl --cert pki/issued/angela.anarc.at.crt --key pki/private/angela.anarc.at.key --login-options AUTH=EXTERNAL imaps://imap.anarc.at
 
-Do use the `-v` flag, as it will show at which step it will fail. In
-my case, if fails *after* the client cert is accepted, which is
-interesting.
+This should list your folders. Use `-v` for more debugging if things fail.
 
-This currently fails in Dovecot with:
+At first, this was failing with:
 
     dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
 
-I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
-but that fails similarly. Since Postfix *does* work, it means the CA
-is operational and instead there is something wrong with the Dovecot
-configuration.
+... and that was because I was missing the `AUTH=EXTERNAL` option.
+
+To debug issues with TLS, turn on Dovecot's verbose logging in
+`conf.d/10-logging.conf`:
+
+    verbose_ssl = yes
+
+### Easy-RSA CA
+
+To get started with easy-rsa:
+
+    apt install easy-rsa
+    make-cadir easyrsa
+    ./easyrsa init-pki
+    
+To make a ED25519 CA, add those to `vars`:
+
+    set_var EASYRSA_ALGO ed
+    set_var EASYRSA_CURVE           ed25519
+
+Then:
+
+    ./easyrsa build-ca
+
+That prompts for a password then runs something like:
+
+    ["openssl", "req", "-config", "/etc/ssl/easyrsa/pki/5892315c/temp.4ff4e933", "-utf8", "-new", "-key", "/etc/ssl/easyrsa/pki/5892315c/temp.fa90dc32", "-keyout", "/etc/ssl/easyrsa/pki/5892315c/temp.fa90dc32", "-out", "/etc/ssl/easyrsa/pki/5892315c/temp.591dfebb", "-x509", "-days", "3650", "-sha256", "-passin", "file:/etc/ssl/easyrsa/pki/5892315c/temp.c5904947"],
+
+Interesting facts:
+
+ 1. it generates a key on the fly
+ 2. `-utf-8`
+ 3. `-x509`
+ 4. `-days 3650`
+
+A client cert can be created with:
+
+    ./easyrsa build-client-full angela.anarc.at
+
+To get the `emailAddress` field, the `vars` need to be modified to
+have:
+
+    set_var EASYRSA_DN      "org"
+    set_var EASYRSA_REQ_EMAIL       "anarcat"
+
+Then the [guide](https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html) mentions "exporting the combined CA+CRL" with:
+
+    ./easyrsa gen-crl
+
+That runs:
+
+    ["openssl", "ca", "-config", "/etc/ssl/easyrsa/pki/d1f80f21/temp.7ec4b8d2", "-utf8", "-gencrl", "-out", "/etc/ssl/easyrsa/pki/d1f80f21/temp.12bd618a"],
+
+... and generates `/etc/ssl/easyrsa/pki/crl.pem` but this is odd
+because the guide also says it generates a `pki/ca+crl.pem` file,
+which cannot be found. That can be fixed with:
+
+    cat /etc/ssl/easyrsa/pki/{ca.crt,crl.pem} > /etc/ssl/easyrsa/pki/ca+crl.pem
+
+Also, interestingly, it uses that `ca+crl.pem` file in the Postfix
+configuration, with `permit_tls_all_clientcerts`, which leads me to
+think it *might* be possible to avoid listing all fingerprints. To be
+tested/confirmed.
 
 ### Remaining work
 
- * TODO: fix dovecot
- * TODO: expiration
+ * TODO: expiration, switch to easyrsa fully?
  * TODO: generate and distribute certs with Puppet
  * TOOD: migrate tubman to TLS
 
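Review bot: `auth_mechanisms = plain login external` keeps both password mechanisms advertised even though the only `passdb` left is restricted with `mechanisms = external` and `auth-system.conf.ext` is commented out; if certificate login is the goal, reduce this to `external` or explain what `plain` and `login` are kept for. The block also depends on `/etc/dovecot/users-external`, whose contents are never shown, and its comment says the username comes from the CommonName while `10-ssl.conf` sets `ssl_cert_username_field = email`. Minor: the "Interesting facts" list says `-utf-8` where the quoted command has `-utf8`.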

progress update
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 43826ac2..67000bb5 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -679,6 +679,10 @@ This makes it so I do not need to use clear-text passwords to deliver
 or retrieve email which means everything can be fully automated
 without writing any password on disk.
 
+Update: I am abandoning this approach, as it requires exposing SSH to
+the universe, something I want to avoid now. Looking into [client
+certs](#client-certs) instead.
+
 # Spam filtering
 
 Quick notes on how to configure spam filtering with Spamassassin on
@@ -1080,7 +1084,16 @@ This currently fails in Dovecot with:
     dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
 
 I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
-but that fails similarly.
+but that fails similarly. Since Postfix *does* work, it means the CA
+is operational and instead there is something wrong with the Dovecot
+configuration.
+
+### Remaining work
+
+ * TODO: fix dovecot
+ * TODO: expiration
+ * TODO: generate and distribute certs with Puppet
+ * TOOD: migrate tubman to TLS
 
 ## Todo
 

move certs to system dir
diff --git a/services/mail.mdwn b/services/mail.mdwn
index deb20ac3..43826ac2 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1011,11 +1011,14 @@ Then we configure that transport as such:
 
     smtptlsc  unix  -       -       y       -       -       smtp
         -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
-        -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
-        -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
+        -o smtp_tls_cert_file=/etc/ssl/private/angela.anarc.at.crt
+        -o smtp_tls_key_file=/etc/ssl/private/angela.anarc.at.key
         -o smtp_tls_fingerprint_digest=sha256
         -o smtp_tls_security_level=secure
 
+The cert need to be copied in `/etc/ssl/private` and the key given to
+the `ssl-cert` group.
+
 Note that this is done in the `profile::postfix::satellite` class
 ([satellite.pp](https://gitlab.com/anarcat/puppet/-/blob/main/site-modules/profile/manifests/postfix/satellite.pp?ref_type=heads)) and the above configuration might be out of
 date. Also note that we use the whole `smtp_tls_CAfile` instead of the
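Review bot: the added sentence says the cert goes in `/etc/ssl/private` and the key is "given to the `ssl-cert` group" without the commands or the resulting owner and mode, which is the part that is easy to get wrong. Spell out the ownership and permissions expected on `angela.anarc.at.key`, and say whether the public `.crt` really needs to live in the private directory too. Also "The cert need" should read "needs".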

fix server verification
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 6a45d507..deb20ac3 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -1010,14 +1010,30 @@ mechanisms (e.g. passwords):
 Then we configure that transport as such:
 
     smtptlsc  unix  -       -       y       -       -       smtp
-        -o smtp_tls_CApath=/etc/ssl/certs
+        -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
         -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
         -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
         -o smtp_tls_fingerprint_digest=sha256
-        -o smtp_tls_security_level=encrypt
+        -o smtp_tls_security_level=secure
 
-WARNING: the above is vulnerable to MITM attacks, as the
-`smtp_tls_security_level` is not `verify`.
+Note that this is done in the `profile::postfix::satellite` class
+([satellite.pp](https://gitlab.com/anarcat/puppet/-/blob/main/site-modules/profile/manifests/postfix/satellite.pp?ref_type=heads)) and the above configuration might be out of
+date. Also note that we use the whole `smtp_tls_CAfile` instead of the
+`CApath` because the latter doesn't work in the chroot.
+
+To test this, try to relay mail locally:
+
+    mail anarcat@example.com -s test < /dev/null
+
+Turn up the logging level on the client:
+
+    smtp_tls_loglevel=2
+
+... and the server:
+
+    smtpd_tls_loglevel=2
+
+... if you have issues.
 
 ### Dovecot configuration
 
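Review bot: the `WARNING` about MITM is deleted along with the switch to `smtp_tls_security_level=secure`, but nothing in the new text says that this setting is what now enforces verification of the server certificate, or why `secure` was picked when the old warning named `verify`. One sentence on that would stop the level from being relaxed again during debugging. The `smtp_tls_loglevel=2` and `smtpd_tls_loglevel=2` steps should also mention turning logging back down afterwards.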

working postfix TLS client configuration, incomplete
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 916a2bae..6a45d507 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -954,10 +954,70 @@ Copy the CSR and CRT files to the CA server and sign those keys with:
 
 Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
 
-### Next step: try Postfix
+### Postfix server configuration
 
-Dovecot is not collaborating, and we do not have a working
-example. Try again with Postfix, since we know that works on eugeni.
+Before:
+
+    submission inet  n       -       y       -       -       smtpd
+        -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
+        -o smtpd_tls_security_level=encrypt
+        -o smtpd_sasl_auth_enable=yes
+        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+        -o milter_macro_daemon_name=ORIGINATING
+
+After:
+
+    submission inet  n       -       y       -       -       smtpd
+        -o header_checks=regexp:/etc/postfix/header_authenticated_redaction
+        -o milter_macro_daemon_name=ORIGINATING
+        -o smtpd_tls_security_level=encrypt
+        -o smtpd_tls_ask_ccert=yes
+        -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
+        -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
+        -o relay_clientcerts=hash:/etc/postfix/client-certs-fingerprints
+
+We were hoping to use [permit_tls_all_clientcerts](https://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts) but that silly
+thing doesn't support certificate revocation, so it's impossible to
+remove client certificates. So we need to use the static list.
+
+The list is created with:
+
+    printf "%s %s\n" "$(
+        openssl x509 -in angela.anarc.at.crt -noout -pubkey |
+            openssl pkey -pubin -outform DER |
+            openssl dgst -sha256 -c |
+            sed 's/.*= //'
+        )" angela.anarc.at >> /etc/postfix/client-certs-fingerprints
+
+And of course the map needs to be rehashed each time:
+
+    postmap /etc/postfix/client-certs-fingerprints
+
+Then this should work:
+
+    swaks --tls --tls-cert ~/.config/x509/angela.anarc.at2.crt --tls-key ~/.config/x509/angela.anarc.at.key -s marcos.anarc.at -t anarcat@torproject.org -p 587
+
+### Postfix client configuration
+
+This is relatively simple. First, we create a new transport to
+encapsulate our configuration because we have *other* relays with
+either no client TLS authentication or different authentication
+mechanisms (e.g. passwords):
+
+    default_transport = smtptlsc:
+    relayhost = smtp.anarc.at:587
+
+Then we configure that transport as such:
+
+    smtptlsc  unix  -       -       y       -       -       smtp
+        -o smtp_tls_CApath=/etc/ssl/certs
+        -o smtp_tls_cert_file=/home/anarcat/.config/x509/angela.anarc.at.crt
+        -o smtp_tls_key_file=/home/anarcat/.config/x509/angela.anarc.at.key
+        -o smtp_tls_fingerprint_digest=sha256
+        -o smtp_tls_security_level=encrypt
+
+WARNING: the above is vulnerable to MITM attacks, as the
+`smtp_tls_security_level` is not `verify`.
 
 ### Dovecot configuration
 
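Review bot: the `swaks` test line uses `angela.anarc.at2.crt` and `-s marcos.anarc.at`, while every other command in this hunk uses `angela.anarc.at.crt` and the client is pointed at `relayhost = smtp.anarc.at:587`; if those are not typos, say that `marcos` is the host behind `smtp.anarc.at` and where the `2` cert came from. The "After" `submission` block also drops `smtpd_sasl_auth_enable=yes` entirely, so password clients on that port stop working, and the text should say that this is intended.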

attempts at client-side TLS, failing
diff --git a/services/mail.mdwn b/services/mail.mdwn
index fbdeb529..916a2bae 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -885,6 +885,124 @@ when the cert is renewed. I use those simple symlink:
 I also configured filtering and many more things that are documented
 in [[blog/2016-05-12-email-setup]].
 
+## Client certs
+
+### Creating a self-signed ed25519 private CA
+
+    openssl genpkey -algorithm ed25519 -out ca.anarc.at.key -aes256
+    openssl req -new -key ca.anarc.at.key -out ca.anarc.at.csr -config ca.anarc.at.cnf
+
+RHEL [proposes](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#creating-a-private-ca-using-openssl_creating-and-managing-tls-keys-and-certificates):
+
+    openssl req -key <ca.key> -new -x509 -days 3650 -addext keyUsage=critical,keyCertSign,cRLSign -subj "/CN=<Example CA>" -out <ca.crt>
+
+cnf:
+
+    [req]
+    distinguished_name = req_distinguished_name
+    req_extensions = v3_req
+    prompt = no
+    [req_distinguished_name]
+    C = CA
+    CN = ca.anarc.at
+    [v3_req]
+    keyUsage = keyEncipherment, dataEncipherment
+    extendedKeyUsage = serverAuth
+    subjectAltName = @alt_names
+    [alt_names]
+    DNS.1 = ca.anarc.at
+
+Self-signed cert:
+
+    openssl x509 -req -days 365 -in ca.anarc.at.csr -signkey ca.anarc.at.key -out ca.anarc.at.crt
+
+ED25519 instructions were taken from [this post](https://blog.pinterjann.is/ed25519-certificates.html).
+
+Alternatives include OpenVPN's [easy-rsa](https://github.com/OpenVPN/easy-rsa/) and [cfssl](https://github.com/cloudflare/cfssl), which
+also has a [puppet module](https://forge.puppet.com/modules/mmack/cfssl/).
+
+### Client key and certificate creation
+
+Then the client key is generated, *on the client*, again with (but without encryption):
+
+    openssl genpkey -algorithm ed25519 -out angela.anarc.at.key
+
+CSR is a little special:
+
+    [client-cert]
+    keyUsage = critical, digitalSignature, keyEncipherment
+    extendedKeyUsage = clientAuth
+    subjectAltName = @alt_name
+
+    [req]
+    distinguished_name = dn
+    prompt = no
+
+    [dn]
+    CN = angela.anarc.at
+
+    [clnt_alt_name]
+    emailAddress = anarcat
+
+But the CSR is created as expected:
+
+    openssl req -key angela.anarc.at.key -config angela.anarc.at.cnf -new -out angela.anarc.at.csr
+
+Copy the CSR and CRT files to the CA server and sign those keys with:
+
+    openssl x509 -req -in angela.anarc.at.csr -CA ca.anarc.at.crt -CAkey ca.anarc.at.key -days 365 -out angela.anarc.at.crt
+
+Again, from [RHEL](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#using-a-private-ca-to-issue-certificates-for-csrs-with-openssl_creating-and-managing-tls-keys-and-certificates).
+
+### Next step: try Postfix
+
+Dovecot is not collaborating, and we do not have a working
+example. Try again with Postfix, since we know that works on eugeni.
+
+### Dovecot configuration
+
+https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication
+
+in `10-ssl.conf`:
+
+    ssl_ca = </etc/ssl/ca/ca.anarc.at.crt
+    ssl_verify_client_cert = yes
+    ssl_cert_username_field = email
+
+in `10-auth.conf`:
+
+    auth_ssl_username_from_cert=yes
+
+if we'd like to keep Postfix using passwords, we could do:
+
+    protocol !smtp {
+      auth_ssl_require_client_cert=yes
+    }
+
+but since we're going to use TLS there too, that makes obviously no
+sense. Plus it gets rid of the weird SASL shim between the two, woot.
+
+During this deployment, SSH-based IMAP connexions still work, which is
+pretty fantastic.
+
+### Testing client connexion
+
+Not sure this is the correct way, but this *seems* to work in the
+sense that it loads the cert and tries to connect:
+
+    curl -v --cert ~/.config/x509/angela.anarc.at.crt --key ~/.config/x509/angela.anarc.at.key imaps://imap.anarc.at/
+
+Do use the `-v` flag, as it will show at which step it will fail. In
+my case, if fails *after* the client cert is accepted, which is
+interesting.
+
+This currently fails in Dovecot with:
+
+    dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, [...]
+
+I've also tried generating a CA using the [Postfix instructions](https://www.postfix.org/TLS_README.html#quick-client)
+but that fails similarly.
+
 ## Todo
 
 On the fly [OpenPGP encryption of incoming emails](https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve)?
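Review bot: the CA's `[v3_req]` section asks for `keyUsage = keyEncipherment, dataEncipherment` and `extendedKeyUsage = serverAuth`, which describes a server leaf rather than a CA, whereas the RHEL command quoted just above it uses `keyUsage=critical,keyCertSign,cRLSign`. In the client config, `subjectAltName = @alt_name` points at a section that is actually named `[clnt_alt_name]`. Also, "Copy the CSR and CRT files to the CA server" should only mention the CSR, since the CRT does not exist until the CA signs it, and the bare Dovecot documentation URL under "Dovecot configuration" would read better as a link like the others.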

fix another typo
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 96ffe4a2..39278fbd 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -599,7 +599,7 @@ A few handy `qemu` related commands:
  * enter the VM to make *permanent* changes, which will *not* be
    discarded:
 
-        sudo sbuild-qemu-boot --readwrite /srv/sbuild/qemu/unstable-amd64.img
+        sudo sbuild-qemu-boot --read-write /srv/sbuild/qemu/unstable-amd64.img
 
    Equivalent command:
 

found another latency research
diff --git a/blog/2018-05-04-terminal-emulators-2.mdwn b/blog/2018-05-04-terminal-emulators-2.mdwn
index c0ea0f7a..6d246c17 100644
--- a/blog/2018-05-04-terminal-emulators-2.mdwn
+++ b/blog/2018-05-04-terminal-emulators-2.mdwn
@@ -341,4 +341,19 @@ I have started some notes on reviewing the terminal emulators
 available in Wayland, which significantly lowers the range of
 applications available. See [[2022-09-19-wayland-terminal-emulators]].
 
+## Similar research
+
+The above latency benchmarks were done with Typometer on X11 by
+[beuke.org](https://beuke.org/terminal-latency/). Their results are different on some points: xterm's
+maximum latency (9.8ms) is much higher than ours (2.4ms) which makes
+me think there's something wrong with their test bench. But other
+results (rxvt, st, Terminaor) are strickingly similar. One notable
+change is how well Alacritty performs, probably because it improved in
+6 years since I ran those benchmarks.
+
+I'm still waiting for someone to figure out how to perform those tests
+under wayland and compare against foot. Right now it's really hard to
+tell, but I get the feeling Alacritty and xterm are pretty close, and
+that foot and gnome-terminal are slower.
+
 [[!tag debian-planet lwn geek review terminals performance]]
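Review bot: two typos in the added paragraph, "Terminaor" and "strickingly". The opening sentence, "The above latency benchmarks were done with Typometer on X11 by beuke.org", reads as if beuke.org ran the benchmarks in this article; the rest of the paragraph compares their numbers with "ours", so rephrase it to make clear these are their benchmarks and not the ones above.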

more hardware, forgot from which article i got this
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index cc641dc0..4a763d6b 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -125,6 +125,14 @@ ever since.
    rack](https://www.canadacomputers.com/product_info.php?cPath=38_944&item_id=166475) is quite interesting, 385$
  * [recyborg sometimes has racks](https://recyborg.com/?s=rack&post_type=product&type_aws=true) and [gigabit switches](https://recyborg.com/?s=gigabit&post_type=product&type_aws=true)
 
+Some other home lab had the following recommendations:
+
+ * [1U power switch](https://www.adj.com/pc-100a): basically a rack-mounted power bar
+ * [1U cyberpower UPS](https://www.cyberpowersystems.com/product/ups/smart-app-lcd/or500lcdrm1u/): but i've also heard bad things about those,
+   that they just crash when the battery runs out, even when plugged
+   in?
+ * [10" rack shelf](https://acinfinity.com/racks-accessories/rack-shelves/vented-cantilever-1u-rack-shelf-10/)
+
 ## Why OpenWRT
 
 The point of running OpenWRT on the APs is to get monitoring about
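
Review bot: the added list opens with "Some other home lab" but gives no link or name for that source, so the recommendations cannot be traced. Add the reference if it turns up, or say in the text that the source is lost. The UPS item ends on a question ("even when plugged in?"); a pointer to where that report came from would let a reader weigh it.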

add toc
diff --git a/hardware/printer.md b/hardware/printer.md
index 6737a181..3b430fd3 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -1,3 +1,5 @@
+[[!toc levels=3]]
+
 # Requirements
 
 ## Must have

clarify printer reqs
diff --git a/hardware/printer.md b/hardware/printer.md
index 8e15b70e..6737a181 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -2,20 +2,20 @@
 
 ## Must have
 
- * network port
- * "driverless printing"
+ * Ethernet port
+ * "driverless printing" AKA "airprint" AKA stellar Linux support
  * laser (specifically, cheap per-page prints)
- * stellar Linux support
 
 ## Nice to have
 
  * colors
- * scanner, or at least photocopier
  * double-sided printing, AKA "[duplex printing](https://en.wikipedia.org/wiki/Duplex_printing)"
  * fits one "ream" ("rame", 500 sheets)
 
 ## Must not have
 
+ * scanner, or at least photocopier - I've given up on that completely
+   and typically use my phone camera to scan documents
  * ink-jet printing, or specifically:
    * high cost
    * "drying out", I don't print often and this needs to keep working
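
Review bot: under "Must not have", the moved item still reads "scanner, or at least photocopier", which is the wording of a wish, and its explanation ("I've given up on that completely") describes a feature that is no longer wanted rather than one that disqualifies a printer. If scanners are really excluded, reword the item to "scanner or photocopier"; otherwise drop it instead of moving it, since the page still has a section for an MFP model further down. Folding "stellar Linux support" into the "driverless printing" line also makes the three terms read as synonyms; keep it as its own bullet if it is a separate requirement.
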
@@ -97,6 +97,9 @@ a tad expensive for an EOL device. In the 3280 review, they say:
 It seems the cost per page is slightly lower on the older model, that
 said. The older printer is bulkier, however.
 
+Unclear if non-OEM cartridges work, but honestly I just get the OEM
+typically...
+
 ## HP Color LaserJet Pro MFP M479FDW
 
 <https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-mfp-m479fdw>
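
Review bot: the added sentence "Unclear if non-OEM cartridges work" does not say which printer it is about. It lands after the HL-L3270CDW and HL-L3280CDW comparison but could apply to every Brother model in the section. Name the model or models, and end the sentence with a period instead of the trailing "...".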

another death thing
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index 78f677ec..feeb9a02 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -31,6 +31,8 @@ http://varnish-cache.org/docs/6.6/phk/lucky.html
 https://g3rv4.com/2022/04/a-plan-for-my-secrets is basically SSSS but
 he wrote his own thing.
 
+https://longnow.org/ideas/digital-avatars-and-our-refusal-to-die/
+
 # maintainer deaths
 
 https://www.schafe-sind-bessere-rasenmaeher.de/tech/how-i-inherited-an-open-source-project/

another ssg
diff --git a/services/wiki/ikiwiki-hugo-conversion.mdwn b/services/wiki/ikiwiki-hugo-conversion.mdwn
index d999014e..0c977b95 100644
--- a/services/wiki/ikiwiki-hugo-conversion.mdwn
+++ b/services/wiki/ikiwiki-hugo-conversion.mdwn
@@ -380,3 +380,9 @@ See also those comparisons:
 Inspiring themes:
 
  * [this hugo theme](https://andreyorst.gitlab.io/posts/2022-02-22-new-look/)
+
+Other ideas:
+
+ * [soupault](https://soupault.app/) can do post-processing of the HTML rendered by *any*
+   SSG, which might provide an interesting base to build what's
+   missing from an alternative

another expansion card
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index c74a4452..18868775 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2061,6 +2061,7 @@ USB-C|blog/2023-02-10-usb-c]]. I'm considering a Dell
  * [spring-loaded expansion card](https://community.frame.work/t/spring-loaded-expansion-card/36013) (probably also a joke)
  * [RTL SDR](https://community.frame.work/t/rtl-sdr-expansion-card/37098)
  * [joystick](https://community.frame.work/t/framework-joystick-modules-turning-your-frame-work-13-into-an-handheld-coming-soon/39011)
+ * [logitech dongle hider with USB-A output](https://github.com/LeoDJ/FW-EC-DongleHiderPlus)
 * check out [this forum category](https://community.frame.work/c/developer-program/expansion-card/90) for a cornucopia of those
 
 ## Upstream resources

review brother printers
diff --git a/hardware/printer.md b/hardware/printer.md
index a05cb698..8e15b70e 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -55,6 +55,48 @@ come to the following conclusion:
    which doesn't have duplex scanning, but is cheaper (see [bh
    comparison](https://www.bhphotovideo.com/c/compare/Canon_MF743Cdw_vs_Canon_MF644Cdw_vs_Canon_MF741Cdw/BHitems/1489652-REG_1489654-REG_1489653-REG)). it's out of stock at Staples and Bestbuy as well
 
+## Brother
+
+After being recommended Brother by a family member and the [internet](https://hachyderm.io/@jbcrawford/112018421075831627),
+[twice](https://mas.to/@zekjur/112117296104194523), I've mostly given up and decided to just go with Brother
+printers.
+
+Rtings suggests the [Brother HL-L2325DW](https://www.rtings.com/printer/reviews/brother/hl-l2325dw#page-retailers), a plain black and white
+laser printer, in their [2023 best laser printer review](https://www.rtings.com/printer/reviews/best/by-type/laser). [206$ at
+Staples](https://www.staples.ca/products/2764645-en-brother-hl-l2370dw-wireless-monochrome-laser-printer) for the Brother HL-L2370DW variant, which features an
+Ethernet port as well. Wirecutters [suggest the HL-L2350DW variant](https://www.nytimes.com/wirecutter/reviews/best-laser-printer/)
+as well. They do not rate devices available locally (bestbuy or staples).
+
+For color printers, Staples' cheapest is the [Brother HL-L3220CDW](https://www.staples.ca/products/3074146-en-brother-hl-l3220cdw-wireless-colour-laser-printer)
+at 286$ (on sale from 405$!). It is also [well rated at rtings](https://www.rtings.com/printer/reviews/brother/hl-l3280cdw-hl-l3220cdw-hl-l3295cdw),
+but the 3220 doesn't have Ethernet. For that you need the [Brother
+HL-L3280CDW](https://www.staples.ca/products/3074145-en-brother-hl-l3280cdw-wireless-colour-laser-printer) (356$, on sale from 486$) which is the model reviewed
+by rtings. 
+
+Naturally, the color printer is larger (27.4cm x 39.9cm x 40.2cm) and
+heavier (15.4Kg) than its monochrome counterpart (20cm x 36.4cm x
+40.8cm). It also has a visual touch screen instead of a single-line
+LCD display. The color printer will also stop printing when it thinks
+the toner is empty, whereas the black-and-white one will keep pushing
+out dimmer pages. The color printer prints the first page faster (12s)
+than the black and white (24s).
+
+They both hold 250 sheets.
+
+Another alternative is the Brother HL-L3270CDW ([306$ in clearance at
+staples](https://www.staples.ca/products/24342682-en-brother-hl-l3270cdw-wireless-colour-mobile-ready-laser-printer)) which has also a [good review at rtings](https://www.rtings.com/printer/reviews/brother/hl-l3270cdw-laser), but it feels
+a tad expensive for an EOL device. In the 3280 review, they say:
+
+> The Brother HL-L3280CDW is a newer version of the Brother
+> HL-L3270CDW Laser. They have identical features and perform
+> similarly in print quality. The HL-L3280CDW prints slightly faster
+> but doesn't yield as many color prints as the older HL-L3270CDW. The
+> biggest difference is that the HL-L3270CDW requires more maintenance
+> because its drum unit wears out much faster.
+
+It seems the cost per page is slightly lower on the older model, that
+said. The older printer is bulkier, however.
+
 ## HP Color LaserJet Pro MFP M479FDW
 
 <https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-mfp-m479fdw>
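
Review bot: the second added paragraph names three monochrome models (HL-L2325DW from Rtings, HL-L2370DW at Staples, HL-L2350DW from Wirecutter) and calls them variants without saying how they differ beyond the Ethernet port on the 2370; one line per model would make the choice easier to follow. "They do not rate devices available locally" is ambiguous between Rtings and Wirecutter. In the size comparison the color printer gets a weight (15.4Kg) but the monochrome one only gets dimensions, and "which has also a good review" should read "which also has a good review".
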
@@ -68,8 +110,10 @@ Carefully review this thread before buying anything HP: https://news.ycombinator
 ## References
 
  * [Wirecutters review](https://www.nytimes.com/wirecutter/reviews/best-laser-printer/), updated yearly, currently recommends the
-   [HP Color LaserJet Pro M255dw](https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-m255dw)
- * [RTINGS](https://www.rtings.com/printer/reviews/best/by-type/laser) also produce a yearly review, currently recomments the
+   [HP Color LaserJet Pro M255dw](https://www.hp.com/us-en/shop/pdp/hp-color-laserjet-pro-m255dw). update: they now (2024) switched
+   to the HP Color LaserJet Pro MFP M283fdw, and the Brother
+   HL-L2350DW for "budget"
+ * [RTINGS](https://www.rtings.com/printer/reviews/best/by-type/laser) also produce a yearly review, currently (2023) recommends the
    [Canon imageCLASS MF743Cdw](https://www.rtings.com/printer/reviews/canon/imageclass-mf743cdw) ([656$ at BestBuy](https://www.bestbuy.ca/fr-ca/produit/13796853), back-order,
    [656$ at Staples](https://www.staples.ca/products/2948189-en-canon-imageclass-mf743cdw-colour-laser-printer)), 300 sheets only, toner is expensive [200$
    for black at Staples](https://www.staples.ca/products/3029652-en-fuzion-canon-3020c001-055h-compatible-toner-high-yield-black) but has a high yield (7600 pages,

add webtag
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index d677619f..49830fca 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -93,6 +93,7 @@ This also overlaps with bookmarking software like:
  * [Shiori](https://github.com/RadhiFadlillah/shiori)
  * [Turtl](https://turtlapp.com/)
  * [Wallabag](https://wallabag.org/)
+ * [webtag.io](https://webtag.io)
 
 ... and archival software in the [[WARC ecosystem|services/archive]].
 

mention wshowkeys
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 5b4eb0cc..5ebad3cc 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -898,6 +898,10 @@ screencasting list][]. In particular, see [wl-screenrec][] which has
 hardware encoding and much better performance, not in Debian (see
 [1040786][]).
 
+I also use [wshowkeys][] to ... well... show keys pressed during a
+recording. Not in Debian, but trivial to package ([947858][]), main
+annoyance is it requires a `setuid` binary to work.
+
 [peek]: https://github.com/phw/peek
 [simplescreenrecorder]: https://www.maartenbaert.be/simplescreenrecorder/
 [no sound support]: https://github.com/phw/peek/issues/105
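
Review bot: the added paragraph mentions that wshowkeys requires a `setuid` binary but leaves it at "annoyance". For a tool whose job is to display keypresses, say which privilege the binary needs and with what owner and mode it gets installed, so a reader can decide whether to keep it installed outside of recording sessions. The text after "Not in Debian, but trivial to package" is also a comma splice; start a new sentence at "main annoyance".
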
@@ -906,6 +910,8 @@ hardware encoding and much better performance, not in Debian (see
 [awesome Wayland screencasting list]: https://github.com/natpen/awesome-wayland#screencasting
 [wl-screenrec]: https://github.com/russelltg/wl-screenrec
 [1040786]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040786
+[wshowkeys]: https://git.sr.ht/~sircmpwn/wshowkeys
+[947858]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947858
 
 ## RSI: workrave → nothing?
 

another printer
diff --git a/hardware/printer.md b/hardware/printer.md
index 34153f38..a05cb698 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -38,6 +38,7 @@
    it do have a hefty upfront cost, and they still seem to suffer from
    "drying out" problems when not in use
  * [use Brother or Epson](https://hachyderm.io/@jbcrawford/112018421075831627)
+ * [brother label printer](https://mas.to/@zekjur/112117296104194523)
 
 # Options
 

move vichama.ca to porkbun
diff --git a/services/dns.mdwn b/services/dns.mdwn
index ac6dcc50..beefe303 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -121,11 +121,13 @@ Situation actuelle:
 
  * opensrs: test account created, hosted: `debian-policy.info`
    (2025-10-15), not sure I want to keep, could be just for `anarc.at`
- * mythic beasts: idem, to be closed, hosted: `alterne.ca` (2025-09-11)
- * porkbun: secondary account, hosted: `orangeseeds.net`
-   `orangeseeds.org` (transfer started 2023-12-19)
- * gandi: `reseaulibre.ca` (2024-04-28), `vichama.ca` (2024-05-17),
-   `anarc.at` (2024-09-06), `insomniaque.org` (2029-04-28)
+ * mythic beasts: idem, to be closed, hosted: `alterne.ca`
+   (2025-09-11), maybe keep for `anarc.at` and close OpenSRS because
+   it's too complicated?
+ * porkbun: `orangeseeds.net` `orangeseeds.org` (transfer started
+   2023-12-19), `vichama.ca` (2024-05-17)
+ * gandi: `reseaulibre.ca` (2024-04-28), `anarc.at` (2024-09-06),
+   `insomniaque.org` (2029-04-28)
 
 Convention de noms
 ==================
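
Review bot: the dates in this list now mix meanings: `vichama.ca` moves to porkbun with the same "(2024-05-17)" it had under gandi, next to the orangeseeds entries marked "transfer started 2023-12-19", so it is unclear whether 2024-05-17 is an expiry or a transfer date. Label the dates (for example "expires") so a renewal deadline is not missed after the move. The new mythic beasts text ("maybe keep for `anarc.at` and close OpenSRS") also conflicts with the opensrs line above it, which still says it "could be just for `anarc.at`"; update both lines together.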

zfs: example rescue encrypted operation
diff --git a/software/zfs.md b/software/zfs.md
index 53d7680f..4c8aaf6e 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -163,6 +163,10 @@ with:
 
     zpool import -l -a
 
+For rescue operations, that would be the right incantation:
+
+    zpool import -l -a -R /mnt
+
 ## Deprecated: zfsutil
 
 This is another way to use an alternate mountpoint, although I'm less
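
Review bot: the added sentence calls this "the right incantation" without saying what `-R /mnt` changes compared to the `zpool import -l -a` just above it. One sentence would do: `-R` imports the pools under an alternate root, so datasets mount below `/mnt` instead of over the rescue system's own paths, and `-l` still loads the encryption keys at import time.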

printer rec
diff --git a/hardware/printer.md b/hardware/printer.md
index d180855b..34153f38 100644
--- a/hardware/printer.md
+++ b/hardware/printer.md
@@ -37,6 +37,7 @@
    laser-like price for ink jet printers... the Epson printers that do
    it do have a hefty upfront cost, and they still seem to suffer from
    "drying out" problems when not in use
+ * [use Brother or Epson](https://hachyderm.io/@jbcrawford/112018421075831627)
 
 # Options
 

negative qotom review
diff --git a/hardware/margaret.md b/hardware/margaret.md
index c87087bd..2cd2c452 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -292,6 +292,8 @@ model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure
 of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
 recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). 
 
+They have been [negatively reviewed on OpenWRT forums](https://forum.openwrt.org/t/recommendations-for-a-gigabit-bridge-possibly-with-sfp/177592/13).
+
 ## Turris
 
 The Turris Omnia is the device that was used as a core router before
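
Review bot: "They" in the added sentence has no clear referent, because the paragraph above mentions both the Qotom Q20332G9-S10 and a separate 4x2.5G router. Name the vendor or model the forum post is about.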

update network map
diff --git "a/services/r\303\251seau.mdwn" "b/services/r\303\251seau.mdwn"
index 025f91fd..bce398a5 100644
--- "a/services/r\303\251seau.mdwn"
+++ "b/services/r\303\251seau.mdwn"
@@ -55,7 +55,29 @@ another DNS server.
 The key question is whether two DNS servers need to be provided,
 because that configuration would obviously more involved.
 
-# Plan du réseau
+# Plans réseau
+
+## 2024-...
+
+![Plan du réseau][2024]
+
+  [2024]: plan-2024.svg "IP addresses specified if present, otherwise model number detailed."
+
+The network is setup generally like this:
+
+ 1. internet (TekSavvy, business line)
+ 2. bonder (TekSavvy owned PC that does some magic to get a static IP
+    address and, optionally, redundancy)
+ 3. router ([[hardware/margaret]])
+ 4. switch to which is connected:
+    * wifi access point with PoE ([[hardware/svetlana]])
+    * office wifi access point connected over fibre because of the
+      long, outdoors link ([[hardware/octavia]])
+    * ATA (Cisco SPA-112 VoIP adapter)
+    * main server [[hardware/server/marcos]]
+    * home cinema ([[hardware/ursula]])
+
+## 2015-2022
 
 ![Plan du réseau][1]
 
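
Review bot: the image title says the diagram shows IP addresses where present; since this wiki is public, check that `plan-2024.svg` only carries addresses that are meant to be published. In the added text, "The network is setup" should be "set up", and the "## 2024-..." heading would read better in an explicit open-ended form such as "2024 to present".
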
diff --git "a/services/r\303\251seau/plan-2024.svg" "b/services/r\303\251seau/plan-2024.svg"
new file mode 100644
index 00000000..c0c7c392
--- /dev/null
+++ "b/services/r\303\251seau/plan-2024.svg"
@@ -0,0 +1,1540 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="17cm"
+   height="22cm"
+   viewBox="330 1 324 439"
+   version="1.1"
+   id="svg682"
+   sodipodi:docname="plan-2024.svg"
+   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs686" />
+  <sodipodi:namedview
+     id="namedview684"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="cm"
+     showgrid="false"
+     inkscape:zoom="0.75647728"
+     inkscape:cx="705.90355"
+     inkscape:cy="470.60237"
+     inkscape:window-width="1502"
+     inkscape:window-height="974"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="Arrière-plan" />
+  <g
+     id="Background" />
+  <g
+     id="Arrière-plan">
+    <g
+       id="g183"
+       transform="matrix(0.99999483,0,0,1.1667581,0.00257886,-17.830284)">
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 584.709,165.832 -0.067,-2.917 -0.235,-2.918 -0.437,-2.865 -0.605,-2.866 -0.807,-2.917 -0.907,-2.815 -1.143,-2.764 -1.277,-2.712 -1.378,-2.712 -1.613,-2.559 -1.714,-2.559 -1.883,-2.405 -2.05,-2.405 -2.151,-2.252 -2.285,-2.201 -2.454,-2.047 -2.52,-1.996 -2.622,-1.842 -2.756,-1.74 -2.857,-1.587 -2.958,-1.535 -3.058,-1.279 -3.058,-1.28 -3.193,-1.074 -3.261,-0.973 -3.26,-0.819 -3.327,-0.665 -3.361,-0.46 -3.395,-0.41 -3.428,-0.205 -3.428,-0.102 v 0 l -3.395,0.102 -3.461,0.205 -3.361,0.41 -3.361,0.46 -3.361,0.665 -3.26,0.819 -3.261,0.973 -3.159,1.074 -3.126,1.28 -2.991,1.279 -2.958,1.535 -2.823,1.587 -2.789,1.74 -2.622,1.842 -2.554,1.996 -2.454,2.047 -2.285,2.201 -2.151,2.252 -2.05,2.405 -1.883,2.405 -1.714,2.559 -1.579,2.559 -1.446,2.712 -1.21,2.712 -1.142,2.764 -0.941,2.815 -0.807,2.917 -0.538,2.866 -0.437,2.865 -0.302,2.918 -0.034,2.917 v 0 l 0.034,2.968 0.302,2.917 0.437,2.917 0.538,2.866 0.807,2.866 0.941,2.814 1.142,2.764 1.21,2.763 1.446,2.662 1.579,2.558 1.714,2.559 1.883,2.457 2.05,2.354 2.151,2.252 2.285,2.2 2.454,2.098 2.554,1.894 2.622,1.945 2.789,1.74 2.823,1.586 2.958,1.433 2.991,1.382 3.126,1.228 3.159,1.075 3.261,0.972 3.26,0.819 3.361,0.614 3.361,0.512 3.361,0.46 3.461,0.154 3.395,0.051 v 0 l 3.428,-0.051 3.428,-0.154 3.395,-0.46 3.361,-0.512 3.327,-0.614 3.26,-0.819 3.261,-0.972 3.193,-1.075 3.058,-1.228 3.058,-1.382 2.958,-1.433 2.857,-1.586 2.756,-1.74 2.622,-1.945 2.52,-1.894 2.454,-2.098 2.285,-2.2 2.151,-2.252 2.05,-2.354 1.883,-2.457 1.714,-2.559 1.613,-2.558 1.378,-2.662 1.277,-2.763 1.143,-2.764 0.907,-2.814 0.807,-2.866 0.605,-2.866 0.437,-2.917 0.235,-2.917 z"
+         id="path133" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 478.94,196.23 -0.068,-2.917 -0.235,-2.917 -0.269,-2.866 -0.47,-2.917 -0.605,-2.866 -0.74,-2.814 -0.874,-2.764 -0.941,-2.712 -1.075,-2.712 -1.21,-2.559 -1.311,-2.559 -1.445,-2.405 -1.613,-2.406 -1.647,-2.251 -1.748,-2.201 -1.882,-2.047 -1.882,-1.996 -2.084,-1.842 -2.084,-1.74 -2.218,-1.536 -2.218,-1.586 -2.319,-1.382 -2.42,-1.177 -2.42,-1.075 -2.487,-0.972 -2.521,-0.819 -2.554,-0.665 -2.588,-0.461 -2.555,-0.409 -2.621,-0.256 -2.622,-0.051 v 0 l -2.621,0.051 -2.622,0.256 -2.622,0.409 -2.554,0.461 -2.588,0.665 -2.521,0.819 -2.453,0.972 -2.42,1.075 -2.386,1.177 -2.319,1.382 -2.286,1.586 -2.151,1.536 -2.151,1.74 -2.016,1.842 -1.916,1.996 -1.882,2.047 -1.748,2.201 -1.681,2.251 -1.579,2.406 -1.412,2.405 -1.344,2.559 -1.177,2.559 -1.109,2.712 -0.974,2.712 -0.841,2.764 -0.739,2.814 -0.605,2.866 -0.437,2.917 -0.336,2.866 -0.202,2.917 -0.067,2.917 v 0 l 0.067,2.969 0.202,2.917 0.336,2.917 0.437,2.866 0.605,2.865 0.739,2.815 0.841,2.764 0.974,2.712 1.109,2.712 1.177,2.559 1.344,2.559 1.412,2.405 1.579,2.406 1.681,2.251 1.748,2.201 1.882,2.047 1.916,1.945 2.016,1.842 2.151,1.842 2.151,1.587 2.286,1.433 2.319,1.433 2.386,1.177 2.42,1.074 2.453,0.973 2.521,0.767 2.588,0.666 2.554,0.512 2.622,0.46 2.622,0.154 2.621,0.051 v 0 l 2.622,-0.051 2.621,-0.154 2.555,-0.46 2.588,-0.512 2.554,-0.666 2.521,-0.767 2.487,-0.973 2.42,-1.074 2.42,-1.177 2.319,-1.433 2.218,-1.433 2.218,-1.587 2.084,-1.842 2.084,-1.842 1.882,-1.945 1.882,-2.047 1.748,-2.201 1.647,-2.251 1.613,-2.406 1.445,-2.405 1.311,-2.559 1.21,-2.559 1.075,-2.712 0.941,-2.712 0.874,-2.764 0.74,-2.815 0.605,-2.865 0.47,-2.866 0.269,-2.917 0.235,-2.917 z"
+         id="path135" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 413.703,255.339 -0.034,-2.405 -0.1,-2.406 -0.236,-2.405 -0.302,-2.354 -0.437,-2.252 -0.504,-2.354 -0.538,-2.303 -0.639,-2.2 -0.739,-2.201 -0.84,-2.098 -0.908,-1.996 -0.974,-2.047 -1.042,-1.945 -1.109,-1.893 -1.21,-1.74 -1.244,-1.638 -1.277,-1.689 -1.345,-1.484 -1.445,-1.433 -1.479,-1.33 -1.512,-1.177 -1.58,-1.126 -1.579,-0.973 -1.647,-0.87 -1.681,-0.818 -1.68,-0.615 -1.714,-0.614 -1.782,-0.358 -1.747,-0.307 -1.714,-0.154 -1.782,-0.102 v 0 l -1.781,0.102 -1.781,0.154 -1.748,0.307 -1.714,0.358 -1.748,0.614 -1.714,0.615 -1.647,0.818 -1.613,0.87 -1.647,0.973 -1.58,1.126 -1.512,1.177 -1.479,1.33 -1.411,1.433 -1.378,1.484 -1.278,1.689 -1.243,1.638 -1.177,1.74 -1.142,1.893 -1.042,1.945 -0.975,2.047 -0.907,1.996 -0.773,2.098 -0.74,2.201 -0.638,2.2 -0.605,2.303 -0.504,2.354 -0.37,2.252 -0.303,2.354 -0.269,2.405 -0.134,2.406 v 2.405 0 2.303 l 0.134,2.405 0.269,2.354 0.303,2.355 0.37,2.405 0.504,2.252 0.605,2.251 0.638,2.252 0.74,2.201 0.773,2.098 0.907,2.047 0.975,1.996 1.042,1.945 1.142,1.842 1.177,1.74 1.243,1.689 1.278,1.689 1.378,1.432 1.411,1.433 1.479,1.331 1.512,1.228 1.58,1.126 1.647,0.972 1.613,0.87 1.647,0.768 1.714,0.665 1.748,0.563 1.714,0.461 1.748,0.256 1.781,0.153 1.781,0.103 v 0 l 1.782,-0.103 1.714,-0.153 1.747,-0.256 1.782,-0.461 1.714,-0.563 1.68,-0.665 1.681,-0.768 1.647,-0.87 1.579,-0.972 1.58,-1.126 1.512,-1.228 1.479,-1.331 1.445,-1.433 1.345,-1.432 1.277,-1.689 1.244,-1.689 1.21,-1.74 1.109,-1.842 1.042,-1.945 0.974,-1.996 0.908,-2.047 0.84,-2.098 0.739,-2.201 0.639,-2.252 0.538,-2.251 0.504,-2.252 0.437,-2.405 0.302,-2.355 0.236,-2.354 0.1,-2.405 z"
+         id="path137" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 469.966,300.835 -0.034,-2.61 -0.235,-2.559 -0.37,-2.61 -0.437,-2.559 -0.605,-2.507 -0.706,-2.508 -0.907,-2.457 -0.941,-2.405 -1.143,-2.252 -1.21,-2.354 -1.378,-2.251 -1.445,-2.099 -1.546,-2.098 -1.681,-2.098 -1.781,-1.894 -1.882,-1.842 -1.983,-1.689 -2.084,-1.689 -2.117,-1.484 -2.218,-1.484 -2.32,-1.279 -2.352,-1.229 -2.42,-1.074 -2.454,-0.973 -2.52,-0.818 -2.588,-0.666 -2.555,-0.614 -2.621,-0.512 -2.622,-0.307 -2.655,-0.204 -2.689,-0.052 v 0 l -2.655,0.052 -2.621,0.204 -2.689,0.307 -2.588,0.512 -2.622,0.614 -2.52,0.666 -2.521,0.818 -2.487,0.973 -2.42,1.074 -2.319,1.229 -2.319,1.279 -2.219,1.484 -2.151,1.484 -2.05,1.689 -1.983,1.689 -1.882,1.842 -1.781,1.894 -1.681,2.098 -1.579,2.098 -1.446,2.099 -1.378,2.251 -1.243,2.354 -1.076,2.252 -0.974,2.405 -0.908,2.457 -0.739,2.508 -0.538,2.507 -0.504,2.559 -0.336,2.61 -0.202,2.559 -0.067,2.61 v 0 l 0.067,2.559 0.202,2.61 0.336,2.558 0.504,2.559 0.538,2.508 0.739,2.508 0.908,2.507 0.974,2.406 1.076,2.302 1.243,2.252 1.378,2.252 1.446,2.149 1.579,2.15 1.681,2.047 1.781,1.893 1.882,1.792 1.983,1.74 2.05,1.637 2.151,1.535 2.219,1.485 2.319,1.279 2.319,1.228 2.42,1.024 2.487,0.972 2.521,0.819 2.52,0.716 2.622,0.666 2.588,0.46 2.689,0.307 2.621,0.205 h 2.655 v 0 h 2.689 l 2.655,-0.205 2.622,-0.307 2.621,-0.46 2.555,-0.666 2.588,-0.716 2.52,-0.819 2.454,-0.972 2.42,-1.024 2.352,-1.228 2.32,-1.279 2.218,-1.485 2.117,-1.535 2.084,-1.637 1.983,-1.74 1.882,-1.792 1.781,-1.893 1.681,-2.047 1.546,-2.15 1.445,-2.149 1.378,-2.252 1.21,-2.252 1.143,-2.302 0.941,-2.406 0.907,-2.507 0.706,-2.508 0.605,-2.508 0.437,-2.559 0.37,-2.558 0.235,-2.61 z"
+         id="path139" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 595.969,327.293 -0.135,-3.122 -0.269,-3.121 -0.537,-3.02 -0.706,-3.019 -0.874,-3.02 -1.076,-2.917 -1.277,-2.866 -1.479,-2.917 -1.68,-2.814 -1.815,-2.713 -2.05,-2.61 -2.151,-2.559 -2.353,-2.507 -2.487,-2.405 -2.722,-2.303 -2.756,-2.15 -2.958,-2.098 -3.092,-1.945 -3.16,-1.791 -3.36,-1.689 -3.395,-1.586 -3.529,-1.382 -3.596,-1.331 -3.731,-1.125 -3.731,-1.024 -3.831,-0.819 -3.832,-0.716 -3.966,-0.512 -3.865,-0.358 -3.999,-0.307 h -3.966 v 0 h -3.966 l -3.966,0.307 -3.933,0.358 -3.898,0.512 -3.899,0.716 -3.798,0.819 -3.764,1.024 -3.664,1.125 -3.663,1.331 -3.462,1.382 -3.462,1.586 -3.293,1.689 -3.193,1.791 -3.059,1.945 -2.958,2.098 -2.823,2.15 -2.655,2.303 -2.487,2.405 -2.386,2.507 -2.185,2.559 -2.017,2.61 -1.781,2.713 -1.68,2.814 -1.479,2.917 -1.277,2.866 -1.109,2.917 -0.874,3.02 -0.74,3.019 -0.504,3.02 -0.302,3.121 -0.101,3.122 v 0 l 0.101,2.968 0.302,3.122 0.504,3.019 0.74,3.071 0.874,3.019 1.109,2.917 1.277,2.866 1.479,2.917 1.68,2.815 1.781,2.712 2.017,2.61 2.185,2.662 2.386,2.405 2.487,2.405 2.655,2.252 2.823,2.252 2.958,2.047 3.059,1.944 3.193,1.792 3.293,1.74 3.462,1.484 3.462,1.433 3.663,1.279 3.664,1.126 3.764,1.075 3.798,0.767 3.899,0.717 3.898,0.563 3.933,0.358 3.966,0.307 h 3.966 v 0 h 3.966 l 3.999,-0.307 3.865,-0.358 3.966,-0.563 3.832,-0.717 3.831,-0.767 3.731,-1.075 3.731,-1.126 3.596,-1.279 3.529,-1.433 3.395,-1.484 3.36,-1.74 3.16,-1.792 3.092,-1.944 2.958,-2.047 2.756,-2.252 2.722,-2.252 2.487,-2.405 2.353,-2.405 2.151,-2.662 2.05,-2.61 1.815,-2.712 1.68,-2.815 1.479,-2.917 1.277,-2.866 1.076,-2.917 0.874,-3.019 0.706,-3.071 0.537,-3.019 0.269,-3.122 z"
+         id="path141" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 639.46,187.223 -0.034,-2.251 -0.202,-2.355 -0.369,-2.302 -0.404,-2.252 -0.605,-2.201 -0.672,-2.252 -0.84,-2.2 -0.975,-2.15 -1.042,-2.047 -1.142,-2.098 -1.311,-1.996 -1.412,-1.944 -1.479,-1.792 -1.646,-1.842 -1.681,-1.689 -1.849,-1.586 -1.882,-1.638 -1.949,-1.433 -2.084,-1.33 -2.117,-1.28 -2.151,-1.177 -2.286,-1.075 -2.319,-0.972 -2.352,-0.87 -2.42,-0.768 -2.42,-0.511 -2.487,-0.614 -2.488,-0.41 -2.554,-0.256 -2.521,-0.153 -2.554,-0.103 v 0 l -2.588,0.103 -2.521,0.153 -2.554,0.256 -2.487,0.41 -2.454,0.614 -2.453,0.511 -2.386,0.768 -2.387,0.87 -2.319,0.972 -2.285,1.075 -2.185,1.177 -2.084,1.28 -2.083,1.33 -1.95,1.433 -1.882,1.638 -1.815,1.586 -1.714,1.689 -1.647,1.842 -1.479,1.792 -1.378,1.944 -1.344,1.996 -1.143,2.098 -1.042,2.047 -0.974,2.15 -0.841,2.2 -0.672,2.252 -0.571,2.201 -0.471,2.252 -0.302,2.302 -0.168,2.355 -0.101,2.251 v 0 l 0.101,2.303 0.168,2.303 0.302,2.252 0.471,2.303 0.571,2.252 0.672,2.2 0.841,2.201 0.974,2.149 1.042,2.15 1.143,1.996 1.344,1.944 1.378,1.996 1.479,1.842 1.647,1.74 1.714,1.74 1.815,1.638 1.882,1.535 1.95,1.433 2.083,1.433 2.084,1.28 2.185,1.126 2.285,1.125 2.319,0.922 2.387,0.818 2.386,0.819 2.453,0.614 2.454,0.512 2.487,0.461 2.554,0.204 2.521,0.256 h 2.588 v 0 h 2.554 l 2.521,-0.256 2.554,-0.204 2.488,-0.461 2.487,-0.512 2.42,-0.614 2.42,-0.819 2.352,-0.818 2.319,-0.922 2.286,-1.125 2.151,-1.126 2.117,-1.28 2.084,-1.433 1.949,-1.433 1.882,-1.535 1.849,-1.638 1.681,-1.74 1.646,-1.74 1.479,-1.842 1.412,-1.996 1.311,-1.944 1.142,-1.996 1.042,-2.15 0.975,-2.149 0.84,-2.201 0.672,-2.2 0.605,-2.252 0.404,-2.303 0.369,-2.252 0.202,-2.303 z"
+         id="path143" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 653.71,245.718 -0.101,-2.303 -0.134,-2.303 -0.336,-2.252 -0.437,-2.251 -0.605,-2.303 -0.672,-2.15 -0.807,-2.252 -0.975,-2.098 -1.042,-2.149 -1.142,-1.996 -1.311,-2.047 -1.412,-1.894 -1.445,-1.791 -1.647,-1.893 -1.68,-1.638 -1.748,-1.689 -1.882,-1.535 -2.017,-1.433 -1.983,-1.382 -2.117,-1.279 -2.151,-1.177 -2.252,-1.075 -2.285,-0.921 -2.353,-0.87 -2.42,-0.768 -2.42,-0.614 -2.453,-0.512 -2.521,-0.46 -2.487,-0.205 -2.521,-0.154 -2.521,-0.102 v 0 l -2.554,0.102 -2.487,0.154 -2.521,0.205 -2.453,0.46 -2.454,0.512 -2.453,0.614 -2.387,0.768 -2.319,0.87 -2.319,0.921 -2.252,1.075 -2.151,1.177 -2.117,1.279 -2.05,1.382 -1.916,1.433 -1.882,1.535 -1.849,1.689 -1.68,1.638 -1.58,1.893 -1.445,1.791 -1.412,1.894 -1.277,2.047 -1.21,1.996 -1.042,2.149 -0.907,2.098 -0.84,2.252 -0.74,2.15 -0.538,2.303 -0.437,2.251 -0.336,2.252 -0.201,2.303 -0.034,2.303 v 0 l 0.034,2.303 0.201,2.354 0.336,2.252 0.437,2.251 0.538,2.252 0.74,2.201 0.84,2.252 0.907,2.098 1.042,2.047 1.21,2.098 1.277,1.945 1.412,1.945 1.445,1.842 1.58,1.791 1.68,1.74 1.849,1.586 1.882,1.587 1.916,1.433 2.05,1.33 2.117,1.28 2.151,1.177 2.252,1.075 2.319,0.972 2.319,0.921 2.387,0.768 2.453,0.512 2.454,0.614 2.453,0.358 2.521,0.307 2.487,0.154 2.554,0.051 v 0 l 2.521,-0.051 2.521,-0.154 2.487,-0.307 2.521,-0.358 2.453,-0.614 2.42,-0.512 2.42,-0.768 2.353,-0.921 2.285,-0.972 2.252,-1.075 2.151,-1.177 2.117,-1.28 1.983,-1.33 2.017,-1.433 1.882,-1.587 1.748,-1.586 1.68,-1.74 1.647,-1.791 1.445,-1.842 1.412,-1.945 1.311,-1.945 1.142,-2.098 1.042,-2.047 0.975,-2.098 0.807,-2.252 0.672,-2.201 0.605,-2.252 0.437,-2.251 0.336,-2.252 0.134,-2.354 z"
+         id="path145" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 643.963,294.08 -0.067,-3.736 -0.202,-3.839 -0.268,-3.684 -0.437,-3.787 -0.572,-3.685 -0.706,-3.633 -0.806,-3.583 -0.975,-3.531 -1.042,-3.429 -1.109,-3.377 -1.277,-3.276 -1.412,-3.122 -1.478,-3.07 -1.614,-2.917 -1.68,-2.815 -1.748,-2.712 -1.882,-2.559 -1.916,-2.303 -2.05,-2.252 -2.084,-2.047 -2.151,-1.944 -2.184,-1.74 -2.286,-1.638 -2.319,-1.433 -2.42,-1.228 -2.386,-0.973 -2.487,-0.921 -2.454,-0.665 -2.453,-0.461 -2.487,-0.307 -2.521,-0.051 v 0 l -2.521,0.051 -2.487,0.307 -2.521,0.461 -2.453,0.665 -2.42,0.921 -2.454,0.973 -2.352,1.228 -2.319,1.433 -2.286,1.638 -2.252,1.74 -2.151,1.944 -2.084,2.047 -1.983,2.252 -1.983,2.303 -1.848,2.559 -1.781,2.712 -1.681,2.815 -1.58,2.917 -1.512,3.07 -1.344,3.122 -1.278,3.276 -1.176,3.377 -1.042,3.429 -0.907,3.531 -0.807,3.583 -0.706,3.633 -0.571,3.685 -0.437,3.787 -0.336,3.684 -0.202,3.839 -0.067,3.736 v 0 l 0.067,3.787 0.202,3.838 0.336,3.685 0.437,3.735 0.571,3.787 0.706,3.583 0.807,3.531 0.907,3.582 1.042,3.378 1.176,3.378 1.278,3.326 1.344,3.122 1.512,3.019 1.58,2.968 1.681,2.815 1.781,2.661 1.848,2.559 1.983,2.405 1.983,2.201 2.084,2.098 2.151,1.894 2.252,1.791 2.286,1.586 2.319,1.433 2.352,1.177 2.454,1.075 2.42,0.819 2.453,0.665 2.521,0.461 2.487,0.307 2.521,0.153 v 0 l 2.521,-0.153 2.487,-0.307 2.453,-0.461 2.454,-0.665 2.487,-0.819 2.386,-1.075 2.42,-1.177 2.319,-1.433 2.286,-1.586 2.184,-1.791 2.151,-1.894 2.084,-2.098 2.05,-2.201 1.916,-2.405 1.882,-2.559 1.748,-2.661 1.68,-2.815 1.614,-2.968 1.478,-3.019 1.412,-3.122 1.277,-3.326 1.109,-3.378 1.042,-3.378 0.975,-3.582 0.806,-3.531 0.706,-3.583 0.572,-3.787 0.437,-3.735 0.268,-3.685 0.202,-3.838 z"
+         id="path147" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 601.212,249.096 -0.135,-3.839 -0.403,-3.684 -0.639,-3.839 -0.873,-3.684 -1.143,-3.685 -1.412,-3.685 -1.647,-3.582 -1.915,-3.531 -2.084,-3.429 -2.353,-3.326 -2.621,-3.327 -2.79,-3.173 -3.025,-2.968 -3.226,-2.968 -3.429,-2.866 -3.562,-2.661 -3.798,-2.508 -3.966,-2.405 -4.067,-2.252 -4.268,-2.098 -4.403,-1.894 -4.504,-1.791 -4.604,-1.586 -4.706,-1.382 -4.84,-1.177 -4.907,-1.075 -4.94,-0.819 -5.008,-0.665 -5.042,-0.563 -5.075,-0.256 -5.142,-0.102 v 0 l -5.075,0.102 -5.075,0.256 -5.042,0.563 -5.041,0.665 -4.941,0.819 -4.907,1.075 -4.806,1.177 -4.705,1.382 -4.672,1.586 -4.437,1.791 -4.402,1.894 -4.302,2.098 -4.101,2.252 -3.899,2.405 -3.831,2.508 -3.596,2.661 -3.361,2.866 -3.26,2.968 -3.025,2.968 -2.756,3.173 -2.622,3.327 -2.319,3.326 -2.117,3.429 -1.95,3.531 -1.613,3.582 -1.378,3.685 -1.21,3.685 -0.874,3.684 -0.638,3.839 -0.404,3.684 -0.101,3.839 v 0 l 0.101,3.735 0.404,3.787 0.638,3.736 0.874,3.787 1.21,3.685 1.378,3.634 1.613,3.531 1.95,3.582 2.117,3.48 2.319,3.327 2.622,3.224 2.756,3.173 3.025,3.07 3.26,2.917 3.361,2.815 3.596,2.712 3.831,2.559 3.899,2.405 4.101,2.252 4.302,1.996 4.402,1.996 4.437,1.689 4.672,1.586 4.705,1.433 4.806,1.228 4.907,1.024 4.941,0.87 5.041,0.665 5.042,0.461 5.075,0.358 5.075,0.051 v 0 l 5.142,-0.051 5.075,-0.358 5.042,-0.461 5.008,-0.665 4.94,-0.87 4.907,-1.024 4.84,-1.228 4.706,-1.433 4.604,-1.586 4.504,-1.689 4.403,-1.996 4.268,-1.996 4.067,-2.252 3.966,-2.405 3.798,-2.559 3.562,-2.712 3.429,-2.815 3.226,-2.917 3.025,-3.07 2.79,-3.173 2.621,-3.224 2.353,-3.327 2.084,-3.48 1.915,-3.582 1.647,-3.531 1.412,-3.634 1.143,-3.685 0.873,-3.787 0.639,-3.736 0.403,-3.787 z"
+         id="path149" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 517.994,165.32 66.514,-12.897 -0.841,-2.814 -1.041,-2.866 -1.143,-2.815 -1.378,-2.712 -1.479,-2.61 -1.68,-2.661 -1.748,-2.508 -2.017,-2.405 -2.05,-2.354 -2.218,-2.252 -2.387,-2.15 -2.487,-1.995 -2.621,-1.945 -2.723,-1.894 -2.823,-1.689 -2.924,-1.535 -2.958,-1.535 -3.125,-1.28 -3.16,-1.177 -3.192,-1.074 -3.328,-0.921 -3.327,-0.717 -3.361,-0.665 -3.395,-0.461 -3.428,-0.307 -3.462,-0.153 h -3.428 l -3.462,0.153 -3.462,0.205 -3.361,0.409 -3.394,0.666 -3.361,0.665 -3.327,0.921 -3.261,0.972 -3.159,1.126 -3.092,1.28 -3.058,1.433 -2.958,1.484 -2.79,1.689 -2.756,1.791 -2.655,1.893 -2.521,1.996 -2.386,2.15 -2.252,2.251 -2.151,2.303 -2.016,2.405 -1.883,2.508 -1.714,2.559 -1.478,2.712 -1.446,2.61 -1.243,2.815 -1.042,2.764 -0.874,2.865 -0.739,2.866 z"
+         id="path151" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 584.508,152.321 -0.874,-2.866 -1.008,-2.815 -1.177,-2.814 -1.344,-2.661 -1.546,-2.662 -1.647,-2.61 -1.781,-2.507 -2.017,-2.406 -2.084,-2.302 -2.151,-2.252 -2.42,-2.252 -2.42,-1.996 -2.655,-1.945 -2.722,-1.791 -2.79,-1.791 -2.924,-1.535 -2.991,-1.433 -3.126,-1.331 -3.159,-1.126 -3.159,-1.074 -3.328,-0.921 -3.361,-0.717 -3.361,-0.665 -3.394,-0.461 -3.395,-0.307 -3.495,-0.153 h -3.429 l -3.428,0.153 -3.428,0.205 -3.428,0.409 -3.361,0.666 -3.361,0.614 -3.294,0.87 -3.226,1.074 -3.227,1.126 -3.058,1.28 -3.059,1.433 -2.924,1.484 -2.857,1.637 -2.722,1.843 -2.655,1.893 -2.521,1.945 -2.386,2.149 -2.286,2.201 -2.151,2.354 -2.016,2.405 -1.815,2.457 -1.748,2.661 -1.512,2.559 -1.412,2.712 -1.21,2.712 -1.109,2.815 -0.874,2.866 -0.706,2.866"
+         id="path153" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 427.55,195.667 33.543,-44.779 -2.084,-1.842 -2.185,-1.74 -2.218,-1.536 -2.285,-1.535 -2.319,-1.33 -2.42,-1.229 -2.488,-1.023 -2.453,-0.973 -2.588,-0.767 -2.554,-0.665 -2.622,-0.461 -2.621,-0.358 -2.622,-0.205 h -2.622 l -2.655,0.102 -2.621,0.307 -2.622,0.359 -2.588,0.563 -2.554,0.716 -2.521,0.819 -2.521,0.972 -2.419,1.126 -2.42,1.28 -2.319,1.381 -2.252,1.536 -2.151,1.688 -2.151,1.792 -2.017,1.842 -1.916,2.047 -1.882,2.098 -1.748,2.252 -1.613,2.252 -1.546,2.456 -1.411,2.457 -1.345,2.558 -1.176,2.662 -1.109,2.712 -0.941,2.712 -0.841,2.815 -0.672,2.866 -0.538,2.866 -0.47,2.968 -0.336,2.968 -0.135,2.917 -0.067,2.917 0.101,2.969 0.202,3.019 0.403,2.866 z"
+         id="path155" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 460.925,150.735 -2.084,-1.843 -2.118,-1.689 -2.218,-1.586 -2.319,-1.433 -2.386,-1.382 -2.386,-1.177 -2.454,-1.075 -2.521,-0.921 -2.52,-0.716 -2.622,-0.665 -2.588,-0.461 -2.588,-0.358 -2.621,-0.205 h -2.689 l -2.555,0.102 -2.621,0.307 -2.689,0.359 -2.554,0.614 -2.521,0.665 -2.588,0.921 -2.453,0.921 -2.42,1.177 -2.387,1.28 -2.352,1.382 -2.252,1.535 -2.151,1.689 -2.084,1.74 -2.017,1.944 -1.983,1.945 -1.781,2.201 -1.781,2.149 -1.647,2.354 -1.512,2.354 -1.446,2.457 -1.277,2.61 -1.176,2.661 -1.109,2.712 -0.975,2.713 -0.807,2.866 -0.672,2.763 -0.605,2.917 -0.403,2.968 -0.336,2.917 -0.135,2.917 -0.067,2.969 0.168,2.917 0.202,2.968 0.336,2.968"
+         id="path157" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 418.207,300.272 -53.978,-1.587 v 2.713 l 0.101,2.559 0.269,2.712 0.437,2.559 0.504,2.61 0.639,2.661 0.84,2.456 0.874,2.508 1.109,2.457 1.176,2.354 1.244,2.405 1.479,2.252 1.479,2.2 1.68,2.099 1.714,2.047 1.849,1.944 1.983,1.791 2.016,1.74 2.118,1.74 2.218,1.485 2.285,1.432 2.387,1.382 2.42,1.126 2.419,1.126 2.555,0.972 2.588,0.819 2.621,0.665 2.656,0.615 2.655,0.46 2.688,0.307 2.723,0.154 h 2.756 l 2.655,-0.103 2.722,-0.204 2.689,-0.307 2.655,-0.461 2.689,-0.665 2.554,-0.768 2.622,-0.819 2.454,-1.074 2.487,-1.024 2.42,-1.279 2.285,-1.382 2.319,-1.484 2.118,-1.587 2.117,-1.637 z"
+         id="path159" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 364.297,298.685 -0.101,2.61 0.202,2.662 0.201,2.61 0.437,2.661 0.504,2.559 0.672,2.61 0.807,2.558 0.941,2.508 1.042,2.405 1.109,2.406 1.311,2.303 1.378,2.303 1.58,2.149 1.613,2.201 1.748,1.944 1.814,1.945 1.95,1.893 2.016,1.74 2.118,1.638 2.218,1.535 2.286,1.433 2.319,1.331 2.42,1.228 2.52,1.126 2.487,0.87 2.555,0.819 2.621,0.767 2.689,0.512 2.655,0.563 2.655,0.205 2.723,0.256 h 2.722 2.689 l 2.689,-0.256 2.689,-0.358 2.655,-0.461 2.688,-0.614 2.555,-0.717 2.621,-0.87 2.487,-1.023 2.42,-1.126 2.42,-1.228 2.319,-1.331 2.319,-1.433 2.185,-1.586 2.05,-1.638"
+         id="path161" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 589.952,186.149 47.491,14.79 0.807,-2.201 0.605,-2.201 0.571,-2.251 0.336,-2.303 0.336,-2.303 0.067,-2.303 v -2.354 l -0.067,-2.252 -0.269,-2.303 -0.369,-2.303 -0.538,-2.252 -0.639,-2.251 -0.739,-2.15 -0.874,-2.2 -1.008,-2.099 -1.143,-2.098 -1.277,-2.047 -1.311,-1.945 -1.445,-1.893 -1.546,-1.791 -1.647,-1.843 -1.815,-1.637 -1.815,-1.587 -1.983,-1.484 -1.983,-1.433 -2.084,-1.279 -2.151,-1.28 -2.252,-1.126 -2.285,-1.023 -2.353,-0.921 -2.42,-0.768 -2.386,-0.665 -2.521,-0.614 -2.487,-0.461 -2.52,-0.358 -2.555,-0.154 -2.521,-0.153 h -2.52 l -2.555,0.153 -2.554,0.205 -2.487,0.358 -2.521,0.461 -2.487,0.563 -2.453,0.716 z"
+         id="path163" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 633.074,209.28 4.335,-8.239 0.807,-2.149 0.639,-2.252 0.504,-2.252 0.403,-2.303 0.269,-2.303 0.101,-2.252 0.033,-2.405 -0.1,-2.252 -0.236,-2.303 -0.369,-2.303 -0.538,-2.251 -0.639,-2.252 -0.706,-2.201 -0.873,-2.098 -1.042,-2.2 -1.143,-2.099 -1.176,-2.047 -1.378,-1.944 -1.446,-1.894 -1.546,-1.842 -1.646,-1.74 -1.748,-1.638 -1.849,-1.638 -1.915,-1.535 -2.051,-1.382 -2.083,-1.33 -2.152,-1.228 -2.251,-1.024 -2.286,-1.075 -2.319,-0.972 -2.386,-0.819 -2.454,-0.665 -2.42,-0.614 -2.487,-0.461 -2.52,-0.307 -2.555,-0.205 -2.554,-0.153 h -2.588 l -2.521,0.153 -2.554,0.205 -2.521,0.307 -2.487,0.461 -2.454,0.563 -2.453,0.716"
+         id="path165" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 596.708,246.281 53.473,18.73 1.076,-2.456 0.874,-2.405 0.806,-2.559 0.639,-2.559 0.437,-2.559 0.302,-2.559 0.101,-2.661 v -2.61 l -0.202,-2.61 -0.302,-2.559 -0.538,-2.61 -0.639,-2.507 -0.84,-2.508 -0.907,-2.508 -1.143,-2.405 -1.277,-2.303 -1.378,-2.354 -1.58,-2.303 -1.68,-2.149 z"
+         id="path167" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 643.392,273.507 6.722,-8.393 1.008,-2.406 1.009,-2.558 0.773,-2.508 0.638,-2.61 0.437,-2.559 0.336,-2.559 0.135,-2.661 -0.034,-2.61 -0.202,-2.661 -0.369,-2.559 -0.471,-2.559 -0.639,-2.558 -0.84,-2.559 -0.941,-2.508 -1.176,-2.456 -1.244,-2.303 -1.479,-2.354 -1.512,-2.252 -1.714,-2.15 -10.755,-8.444"
+         id="path169" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 594.456,295.717 -16.872,71.084 2.487,1.126 2.521,1.024 2.521,0.767 2.621,0.614 2.555,0.461 2.554,0.205 h 2.655 l 2.588,-0.205 2.554,-0.307 2.588,-0.614 2.521,-0.768 2.521,-0.87 2.487,-1.126 2.453,-1.381 2.353,-1.485 2.353,-1.688 2.285,-1.843 2.218,-2.047 2.152,-2.098 2.05,-2.405 1.949,-2.508 1.882,-2.61 1.815,-2.815 1.714,-2.917 1.546,-3.019 1.479,-3.173 1.412,-3.224 1.243,-3.378 1.109,-3.377 1.042,-3.532 0.874,-3.633 0.807,-3.685 0.638,-3.685 0.538,-3.787 0.336,-3.735 0.303,-3.839 0.067,-3.838 v -3.838 l -0.134,-3.838 -0.269,-3.839 -0.404,-3.787 -0.504,-3.736 -0.672,-3.684 z"
+         id="path171" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 577.719,366.852 2.52,1.229 2.487,0.972 2.555,0.819 2.554,0.512 2.622,0.409 2.554,0.205 2.588,0.102 2.588,-0.307 2.621,-0.307 2.555,-0.614 2.52,-0.768 2.521,-0.972 2.487,-1.126 2.42,-1.331 2.42,-1.535 2.319,-1.638 2.252,-1.791 2.185,-2.047 2.151,-2.252 2.05,-2.354 1.949,-2.559 1.882,-2.61 1.815,-2.712 1.681,-2.968 1.613,-3.071 1.412,-3.07 1.411,-3.327 1.244,-3.377 1.109,-3.378 1.008,-3.531 0.908,-3.685 0.806,-3.633 0.605,-3.736 0.538,-3.736 0.403,-3.736 0.236,-3.838 0.067,-3.838 v -3.839 l -0.168,-3.838 -0.235,-3.838 -0.437,-3.787 -0.572,-3.736 -0.571,-3.685"
+         id="path173" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 380.698,255.339 -2.554,-48.259 -1.882,0.256 -1.782,0.307 -1.882,0.511 -1.815,0.615 -1.781,0.716 -1.748,0.921 -1.714,0.87 -1.68,1.177 -1.681,1.126 -1.579,1.28 -1.546,1.433 -1.479,1.484 -1.445,1.586 -1.311,1.74 -1.311,1.74 -1.21,1.842 -1.143,1.945 -1.042,2.047 -1.042,2.047 -0.907,2.201 -0.773,2.252 -0.739,2.251 -0.706,2.252 -0.538,2.354 -0.437,2.406 -0.403,2.405 -0.303,2.456 -0.134,2.508 -0.101,2.405 v 2.457 l 0.101,2.405 0.201,2.508 0.303,2.405 0.336,2.405 0.504,2.405 0.538,2.355 0.672,2.303 0.74,2.251 0.84,2.201 0.907,2.2 1.042,1.996 1.042,2.047 1.176,1.945 1.244,1.842 1.277,1.792 1.378,1.637 1.445,1.587 1.479,1.535 1.58,1.382 1.546,1.279 1.68,1.177 z"
+         id="path175" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 378.144,207.08 -1.781,0.256 -1.849,0.307 -1.815,0.511 -1.748,0.563 -1.781,0.717 -1.748,0.768 -1.68,0.972 -1.647,1.023 -1.647,1.126 -1.512,1.28 -1.58,1.381 -1.445,1.433 -1.412,1.536 -1.344,1.688 -1.345,1.74 -1.176,1.74 -1.176,1.945 -1.042,1.945 -1.008,2.047 -0.874,2.098 -0.841,2.15 -0.806,2.149 -0.672,2.252 -0.605,2.303 -0.504,2.354 -0.37,2.354 -0.37,2.405 -0.202,2.405 -0.134,2.406 v 2.405 2.405 l 0.202,2.406 0.201,2.405 0.303,2.405 0.437,2.354 0.437,2.303 0.605,2.252 0.739,2.354 0.739,2.201 0.841,2.098 0.941,2.098 0.974,2.047 1.042,1.945 1.143,1.893 1.244,1.792 1.31,1.74 1.345,1.637 1.445,1.536 1.412,1.484 1.546,1.33 1.579,1.229 1.614,1.177"
+         id="path177" />
+      <path
+         style="fill:#b6c7c9;fill-opacity:1;stroke:none"
+         fill-rule="evenodd"
+         d="m 516.851,332.82 -76.495,5.578 0.504,2.815 0.638,2.866 0.874,2.763 1.109,2.713 1.177,2.61 1.445,2.661 1.579,2.559 1.782,2.559 1.983,2.405 2.117,2.405 2.218,2.252 2.454,2.2 2.554,2.099 2.723,2.047 2.856,1.842 2.958,1.842 3.159,1.638 3.16,1.638 3.327,1.433 3.395,1.381 3.562,1.126 3.563,1.126 3.596,0.921 3.764,0.819 3.765,0.666 3.798,0.511 3.764,0.41 3.865,0.204 3.899,0.154 h 3.831 l 3.899,-0.205 3.832,-0.307 3.797,-0.46 3.765,-0.666 3.764,-0.716 3.63,-0.87 3.63,-1.075 3.529,-1.023 3.495,-1.28 3.361,-1.433 3.227,-1.535 3.159,-1.638 3.059,-1.791 2.924,-1.842 2.789,-1.945 2.588,-2.047 2.521,-2.149 2.319,-2.252 2.218,-2.354 2.05,-2.406 1.815,-2.405 1.681,-2.559 1.546,-2.661 1.311,-2.61 z"
+         id="path179" />
+      <path
+         style="fill:none;stroke:#6c8f93;stroke-width:0.02;stroke-opacity:1"
+         d="m 440.423,338.501 0.437,2.763 0.672,2.815 0.84,2.763 1.109,2.713 1.244,2.712 1.378,2.559 1.613,2.559 1.748,2.559 1.983,2.405 2.117,2.405 2.218,2.252 2.454,2.2 2.621,2.099 2.656,2.047 2.856,1.842 2.958,1.842 3.159,1.638 3.16,1.587 3.327,1.484 3.395,1.381 3.495,1.126 3.563,1.126 3.63,0.921 3.764,0.819 3.731,0.666 3.797,0.46 3.798,0.461 3.832,0.204 3.865,0.154 3.865,-0.051 3.832,-0.154 3.831,-0.409 3.865,-0.358 3.765,-0.666 3.697,-0.767 3.697,-0.819 3.596,-0.973 3.529,-1.125 3.462,-1.28 3.327,-1.433 3.294,-1.535 3.159,-1.587 3.025,-1.688 2.924,-1.894 2.756,-1.945 2.689,-2.047 2.487,-2.251 2.353,-2.201 2.218,-2.354 1.983,-2.303 1.882,-2.559 1.681,-2.507 1.478,-2.61 1.378,-2.662"
+         id="path181" />

(Diff truncated)
that svg is a JPEG
diff --git "a/services/r\303\251seau/plan.jpg" "b/services/r\303\251seau/plan.jpg"
new file mode 100644
index 00000000..dab7ef3c
Binary files /dev/null and "b/services/r\303\251seau/plan.jpg" differ
diff --git "a/services/r\303\251seau/plan.svg" "b/services/r\303\251seau/plan.svg"
index dab7ef3c..7c1a1159 100644
Binary files "a/services/r\303\251seau/plan.svg" and "b/services/r\303\251seau/plan.svg" differ

plastik is retired
diff --git a/hardware/server/plastik.mdwn b/hardware/server/plastik.mdwn
index 54e2c77b..a11483f4 100644
--- a/hardware/server/plastik.mdwn
+++ b/hardware/server/plastik.mdwn
@@ -1,4 +1,4 @@
-Plastik est un point d'accès dans la maison. Il est configuré en
+Plastik était un point d'accès dans la maison. Il est configuré en
 bridge pour étendre le réseau wifi, mais doit être connecté par fil,
 dans un des ports LAN, afin de fonctionne (ie. il ne "mesh" pas avec
 les autres points d'accès).
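Review bot: the tense change stops at the first sentence. The next one still reads "Il est configuré en bridge" and "doit être connecté par fil", so the paragraph now describes a retired access point half in the past and half in the present. Either move the whole paragraph to the past tense, or keep the description as it was and add a dated line saying the device is retired. While touching this paragraph, "afin de fonctionne" in the context lines should read "afin de fonctionner".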

add headings, document ente.io
diff --git a/blog/mobile-massive-gallery.md b/blog/mobile-massive-gallery.md
index f4e7ae49..fd343fb0 100644
--- a/blog/mobile-massive-gallery.md
+++ b/blog/mobile-massive-gallery.md
@@ -1,3 +1,4 @@
+## nextcloud
 
 docker-compose -f compose-nextcloud.yml up -d
 docker-compose -f compose-nextcloud.yml down -v
@@ -34,6 +35,8 @@ https://gitlab.com/steviehs/digipics might help in fixing the "albums"?
 possibly alternative by bohwaz https://github.com/kd2org/karadav/
 https://mamot.fr/@bohwaz/109890893734823557
 
+## photoprism
+
 https://www.photoprism.app/
 
 lack of mobile app
@@ -89,6 +92,7 @@ rescan --force
 INFO[2023-02-20T17:54:11Z] indexed 82,692 files in 1h10m28.674348629s   
 ```
 
+## others
 
 https://arstechnica.com/gadgets/2021/06/the-big-alternatives-to-google-photos-showdown/
 
@@ -105,6 +109,8 @@ https://github.com/LibrePhotos/librephotos [mobile apps](https://docs.librephoto
 [piwigo](https://github.com/Piwigo/) has a [mobile app](https://github.com/Piwigo/Piwigo-Android) but is struggling to keep it up to
 date.
 
+## photochiotte
+
 [PhotoChiotte](https://gitlab.com/LaDaubePhotoChiotte/photochiotte) has an awful name but seems like a clever
 solution. All the logic is inside the mobile app and the server is a
 "dumb" web server with pregenerated thumbnails. It could be a great
@@ -135,4 +141,45 @@ consider tls client certs.
 
 update: https://apps.nextcloud.com/apps/memories seems to do what we need
 
+## ente
+
+[ente](https://ente.io/) just (March 2024) just open-sourced their server and it's
+interesting: a relatively generic API (Go + PostgreSQL) server backed
+by MinIO object storage backends. They're mostly a business that wants
+to host your data, but now it's also clearly an option.
+
+Desktop app is Electron (appimage, [not on Flathub](https://flathub.org/en-GB/apps/search?q=ente)), but they have
+a decent web app as well. Trick is we have a large collection that
+would cost somewhere between 13$ (500GB) and 30$/mth (2TB) to host on
+their servers, so that might be impractical for us, even cost-wise.
+
+Best would be if they would have some sort of CLI sync that would
+allow us to sync a local copy, but then maybe that's exactly the
+mentality we need to switch away from: just don't keep everything
+locally and sync as needed.
+
+Unclear how the mobile app works, but it does have a very exciting
+"free up device space" button that probably removes files that were
+already uploaded remotely. This would *really* help with the
+phone-to-archive workflow.
+
+I haven't tried submitting the stack to the entirety of my collection
+just yet, as I only tested the 1GB free trial. It looks pretty fast
+though, and the interface feels snappier than Photoprism's,
+*especially* since there's a native app for the phone.
+
+Still, this would mean a *major* shift (away from git-annex,
+specifically) for photo management, towards object storage
+(basically), fully encrypted (which means keys are suddenly a huge
+concern). Not sure.
+
+I like the simple design (one golang app + postgresql) especially when
+compared to Immich (2 microservices in Typescript/Dart, Redis,
+PostgreSQL).
+
+## immich
+
+complicated, lots of microservices, unsure if i want to embark on
+testing again.
+
 [[!tag draft]]
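Review bot: the ente section names key management as the main risk ("fully encrypted (which means keys are suddenly a huge concern)") but stops at "Not sure" without recording what would need to be answered before adopting it. Since the draft is weighing a move away from git-annex, list the open questions here: where the keys would live, how they would be backed up, and what happens to the archive if they are lost. Smaller points: the opening sentence has a doubled "just" ("just (March 2024) just open-sourced"), and Immich is described as "2 microservices" here but as "lots of microservices" in its own section a few lines below.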

another imap sync tool
diff --git a/blog/2021-11-21-mbsync-vs-offlineimap.md b/blog/2021-11-21-mbsync-vs-offlineimap.md
index b7f5c044..d4b29a30 100644
--- a/blog/2021-11-21-mbsync-vs-offlineimap.md
+++ b/blog/2021-11-21-mbsync-vs-offlineimap.md
@@ -1048,6 +1048,7 @@ Those are all the options I have considered, in alphabetical order
    server, and written in C
  * [getmail](https://pyropus.ca./software/getmail/): fetchmail replacement, IMAP/POP3 support, supports
    incremental runs, classification rules, Python
+ * [imapsync](https://imapsync.lamiral.info/): one-way only, has another [list of alternatives](https://imapsync.lamiral.info/S/external.shtml)
  * [interimap](https://guilhem.org/interimap/): syncs two IMAP servers, [apparently faster](https://guilhem.org/interimap/benchmark.html) than
    `doveadm` and `offlineimap`, but requires running an IMAP server
    locally, Perl
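Review bot: the new imapsync entry omits the implementation language that the neighbouring entries give (getmail ends with "Python", interimap with "Perl", the entry above with "written in C"). Add it so the list stays comparable across tools. The alphabetical placement between getmail and interimap is correct.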

move router alternatives in the main router page
This way it will be easier to find
diff --git a/hardware/margaret.md b/hardware/margaret.md
index f06743cb..c87087bd 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -276,4 +276,54 @@ network in case of a hardware failure. Two options are possible:
    `profile::router` Puppet class
  * use any darn PC with two network cards with the above
 
+# Alternatives
+
+In the [[service/wifi]] replacement project, I evaluated a bunch of
+options for core router replacement.
+
+## Qotom
+
+Qotom might be cheaper, and the [Q190G4U S01](https://qotom.net/product/35.html) is about as simple as
+it gets, but it means buying on [Amazon.com](https://www.amazon.com/Q190G4U-S01-Celeron-Processor-onboard-Fanless/dp/B072FQQVLQ) which refuses to ship
+to Canada for this product, or [Aliexpress](https://fr.aliexpress.com/i/32919359402.html?gatewayAdapt=glo2fra) (280$, so not actually
+cheaper). Problem with Qotom is their model line is utterly confusing,
+for example I found the above on their site, but Aliexpress has [this
+model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure. Serve the home has a [good review](https://www.servethehome.com/the-everything-fanless-home-server-firewall-router-and-nas-appliance-qotom-qnap-teamgroup/)
+of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
+recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). 
+
+## Turris
+
+The Turris Omnia is the device that was used as a core router before
+([[octavia]]), so getting a *second* device might have made sense
+here. Unfortunately, they were too [hard to find](https://forum.turris.cz/t/turris-omnia-availability/19478), (e.g. [B/O at
+Amazon](https://www.amazon.com/Turris-hi-Performance-printserver-Virtual-Dual-core/dp/B07XCKK146)). 
+
+Turris are saying they will publish a new "entreprise-ready" board
+soon, in the meantime [Discomp has some in stock and should ship
+internationally](https://www.discomp.cz/turris-omnia-2020-rtrom01-fcc-silver_d94042.html) for 262.95EUR or 390$CAD, quite reasonable,
+actually...
+
+## Others
+
+If we fail to get an Omnia, we need to [find a OpenWRT-supported SFP
+router](https://openwrt.org/toh/views/toh_sfp_ports). The [MicroTik hAP ac](https://mikrotik.com/product/RB962UiGS-5HacT2HnT) maybe? [Nope](https://forum.openwrt.org/t/mikrotik-hap-ac-tftp-kernel-image-booting-fixed-sfp-fixed-poe-in-fixed-poe-out-fixed-slow-switch-not-fixed/134302/34). Other options:
+
+ * SuperMicro has a series they call "IoT", e.g. [2 gbit 2SFP Xeon
+   SATA PCIe](https://www.supermicro.com/en/products/system/iot/mini-itx/sys-e200-12d-4c), a bit overkill, and not enough ports to act as a
+   switch
+ * Protectli has interesting series, e.g. [4x2.5gbit switch + wifi](https://ca.protectli.com/product/fw4c/)
+   and coreboot, but no SFP
+ * Qotom has a [4xSFP+ 5x2.5gbit beast](https://www.qotom.net/product/RouterPC_Q20331G9S10.html), but no wifi
+
+One option is to move the Omnia to the office and replace the core
+router with something beefier, and add a new AP downstairs.
+
+Another Omnia replacement is the replacement [Sophos series](https://www.sophos.com/en-us/products/unified-threat-management/tech-specs), which
+we were [recommended](https://forum.openwrt.org/t/recommendations-for-a-gigabit-bridge-possibly-with-sfp/177592/8?u=anarcat) the Sophos 105w Rev 3 and so on. It's
+surprisingly similar to the Omnia...
+
+[This 2021 review](https://homenetworkguy.com/review/opnsense-hardware-recommendations/) also includes Protectli and Qotom products,
+among others.
+
 [[!tag node]]
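Review bot: the wikilink in the new intro, `[[service/wifi]]`, uses the singular "service", but the page edited in this same commit is `services/wifi.mdwn`, so the link will likely not resolve; it should probably be `[[services/wifi]]`. The moved text also carries over a few rough spots that could be fixed now that it has its own section: "Another Omnia replacement is the replacement [Sophos series]" repeats "replacement", "entreprise-ready" should be "enterprise-ready", and the same Qotom product URL (`RouterPC_Q20331G9S10.html`) is now linked twice, once under Qotom and once under Others.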
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index 7969d362..cc641dc0 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -290,29 +290,9 @@ how the [10GBASE-LX4](https://en.wikipedia.org/wiki/10_Gigabit_Ethernet#10GBASE-
  * four 1" PVC elbows: 4×[4.42$ at HD](https://www.homedepot.ca/product/carlon-schedule-40-grey-pvc-90-degree-1-in-elbow/1000410488) (17.68$)
  * safety tape, 200'×3": [11.98$ at HD](https://www.homedepot.ca/product/empire-3-inch-x-200-ft-danger-tape-in-red/1000836124)
  * SFP LC SMF module: [14$ at FS](https://www.fs.com/products/75335.html?attribute=1464&id=561932) and [19$ at FS](https://www.fs.com/products/75336.html) (33$)
- * wifi router: the Turris Omnia is [hard to find](https://forum.turris.cz/t/turris-omnia-availability/19478),
-   (e.g. [B/O at Amazon](https://www.amazon.com/Turris-hi-Performance-printserver-Virtual-Dual-core/dp/B07XCKK146)), they are saying they will publish a new
-   "entreprise-ready" board soon, in the meantime [Discomp has some in
-   stock and should ship internationally](https://www.discomp.cz/turris-omnia-2020-rtrom01-fcc-silver_d94042.html) for 262.95EUR or 390$CAD,
-   quite reasonable
+ * wifi router
  * total: 296.30 + about 400$ for a new router
 
-If we fail to get an Omnia, we need to [find a OpenWRT-supported SFP
-router](https://openwrt.org/toh/views/toh_sfp_ports). The [MicroTik hAP ac](https://mikrotik.com/product/RB962UiGS-5HacT2HnT) maybe? [Nope](https://forum.openwrt.org/t/mikrotik-hap-ac-tftp-kernel-image-booting-fixed-sfp-fixed-poe-in-fixed-poe-out-fixed-slow-switch-not-fixed/134302/34). Other options:
-
- * SuperMicro has a series they call "IoT", e.g. [2 gbit 2SFP Xeon
-   SATA PCIe](https://www.supermicro.com/en/products/system/iot/mini-itx/sys-e200-12d-4c), a bit overkill, not enough ports for a switch
- * Protectli has interesting series, e.g. [4x2.5gbit switch + wifi](https://ca.protectli.com/product/fw4c/)
-   and coreboot, but no SFP
- * Qotom has a [4xSFP+ 5x2.5gbit beast](https://www.qotom.net/product/RouterPC_Q20331G9S10.html), but no wifi
-
-One option is to move the Omnia to the office and replace the core
-router with something beefier, and add a new AP downstairs.
-
-Another Omnia replacement is the replacement [Sophos series](https://www.sophos.com/en-us/products/unified-threat-management/tech-specs), which
-we were [recommended](https://forum.openwrt.org/t/recommendations-for-a-gigabit-bridge-possibly-with-sfp/177592/8?u=anarcat) the Sophos 105w Rev 3 and so on. It's
-surprisingly similar to the Omnia...
-
 ### copper build
 
 The SFP/fiber requirement complicates significantly that setup so we
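Review bot: the parts list is left with a bare "wifi router" bullet while the total just below still counts "about 400$ for a new router", so a reader of this page can no longer see where that figure comes from. Point the bullet at the new home of the removed text, for example a link to the Alternatives section of `hardware/margaret`, so the estimate stays traceable.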
@@ -397,16 +377,6 @@ Notes:
  * [[hardware/rosa]] can serve as a replacement for the omnia if we
    don't want to get another U6
 
-Qotom might be cheaper, and the [Q190G4U S01](https://qotom.net/product/35.html) is about as simple as
-it gets, but it means buying on [Amazon.com](https://www.amazon.com/Q190G4U-S01-Celeron-Processor-onboard-Fanless/dp/B072FQQVLQ) which refuses to ship
-to Canada for this product, or [Aliexpress](https://fr.aliexpress.com/i/32919359402.html?gatewayAdapt=glo2fra) (280$, so not actually
-cheaper). Problem with Qotom is their model line is utterly confusing,
-for example I found the above on their site, but Aliexpress has [this
-model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure. Serve the home has a [good review](https://www.servethehome.com/the-everything-fanless-home-server-firewall-router-and-nas-appliance-qotom-qnap-teamgroup/)
-of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
-recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). [This 2021 review](https://homenetworkguy.com/review/opnsense-hardware-recommendations/) also
-includes Protectli and Qotom products, among others.
-
 Another build could be done with the Turris Mox:
 
  * MOX start, [101.49EUR](https://www.discomp.cz/turris-mox-start_d90848.html)

more hardware examples
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index 503fdb56..7969d362 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -402,7 +402,10 @@ it gets, but it means buying on [Amazon.com](https://www.amazon.com/Q190G4U-S01-
 to Canada for this product, or [Aliexpress](https://fr.aliexpress.com/i/32919359402.html?gatewayAdapt=glo2fra) (280$, so not actually
 cheaper). Problem with Qotom is their model line is utterly confusing,
 for example I found the above on their site, but Aliexpress has [this
-model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure.
+model](https://fr.aliexpress.com/item/1005004093716962.html) for 233$. Go figure. Serve the home has a [good review](https://www.servethehome.com/the-everything-fanless-home-server-firewall-router-and-nas-appliance-qotom-qnap-teamgroup/)
+of the [Qotom Q20332G9-S10](https://www.qotom.net/product/RouterPC_Q20331G9S10.html) (4x2.5G 4xSFP+ 10G). I was also
+recommended [this 4x2.5G router](https://www.aliexpress.com/item/1005004360072281.html). [This 2021 review](https://homenetworkguy.com/review/opnsense-hardware-recommendations/) also
+includes Protectli and Qotom products, among others.
 
 Another build could be done with the Turris Mox:
 
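Review bot: the link text "Qotom Q20332G9-S10" does not match its target, which ends in `RouterPC_Q20331G9S10.html` (Q20332 versus Q20331). One of the two is a typo; check the product page and make the label and URL agree, especially since the paragraph already complains that the Qotom model line is confusing.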

more matrix bots
diff --git a/blog/2022-06-17-matrix-notes.md b/blog/2022-06-17-matrix-notes.md
index 015d53de..a2483dad 100644
--- a/blog/2022-06-17-matrix-notes.md
+++ b/blog/2022-06-17-matrix-notes.md
@@ -847,8 +847,6 @@ there's still a good variety:
  * [maubot](https://github.com/maubot/maubot): generic bot with tons of usual plugins like sed, dice,
    karma, xkcd, echo, rss, reminder, translate, react, exec,
    gitlab/github webhook receivers, weather, etc
- * [opsdroid](https://github.com/opsdroid/opsdroid): framework to implement "chat ops" in Matrix,
-   connects with Matrix, GitHub, GitLab, Shell commands, Slack, etc
  * [matrix-nio](https://github.com/poljar/matrix-nio): another framework, used to build [lots more
    bots](https://matrix-nio.readthedocs.io/en/latest/examples.html) like:
    * [hemppa](https://github.com/vranki/hemppa): generic bot with various functionality like weather,
@@ -859,6 +857,12 @@ there's still a good variety:
    * [podbot](https://github.com/interfect/podbot): play podcast episodes from AntennaPod
    * [cody](https://gitlab.com/carlbordum/matrix-cody): Python, Ruby, Javascript REPL
    * [eno](https://github.com/8go/matrix-eno-bot): generic bot, "personal assistant"
+   * [ChatGPT](https://github.com/h1ddenpr0cess20/infinigpt-matrix) and [Ollama](https://github.com/h1ddenpr0cess20/ollamarama-matrix) AI chat bots
+   * [reminder bot](https://github.com/anoadragon453/matrix-reminder-bot)
+   * [opsdroid](https://github.com/opsdroid/opsdroid): framework to implement "chat ops" in Matrix,
+     connects with Matrix, GitHub, GitLab, Shell commands, Slack, etc
+   * [commander](https://github.com/8go/matrix-commander): CLI interface
+   * [full list](https://matrix-nio.readthedocs.io/en/latest/examples.html#projects-built-with-nio)
  * [mjolnir](https://github.com/matrix-org/mjolnir): moderation bot
  * [hookshot](https://github.com/Half-Shot/matrix-hookshot): bridge with GitLab/GitHub
  * [matrix-monitor-bot](https://github.com/turt2live/matrix-monitor-bot): latency monitor
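Review bot: moving opsdroid under the matrix-nio bullet changes what the list claims. Entries at that level are introduced as bots built with matrix-nio ("used to build [lots more bots] like:"), while opsdroid is still described as a "framework" of its own. If it is not built on matrix-nio it should stay at the top level. The new "full list" entry also points at the same examples page already linked from "lots more bots" on the parent bullet, so one of the two links can go.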

gtklock entered debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 1dd63967..5b4eb0cc 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -809,7 +809,7 @@ as xss-lock and xsecurelock.
 That, unfortunately, does *not* include the fancy "hacks" provided by
 xscreensaver, and that is [unlikely to be implemented upstream][].
 
-Other alternatives include [gtklock][] ([RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052418)) and [waylock][] (zig), which
+Other alternatives include [gtklock][] ([in Debian](https://tracker.debian.org/pkg/gtklock)) and [waylock][] (zig), which
 do not solve that problem either.
 
 It looks like [swaylock-plugin][], a swaylock fork, which at least

more death notes i found
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index 61be211f..78f677ec 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -210,5 +210,23 @@ As #RobertJordan writes: "Ages come and pass, leaving memories that become legen
 
 https://daniel.haxx.se/blog/2024/02/07/contingency-planning-for-me-and-curl/
 
+# archiveteam
+
+a million ways to die on the web https://wiki.archiveteam.org/index.php/A_Million_Ways_to_Die_on_the_Web
+
+# vim death
+
+https://groups.google.com/g/vim_dev/c/dq9Wu5jqVTw
+
+https://getyourshittogether.org/
+
+
+"death book": https://www.bogleheads.org/forum/viewtopic.php?t=119346
+
+"sealed notary": https://news.ycombinator.com/item?id=37076703
+
+https://longnow.org/ideas/digital-avatars-and-our-refusal-to-die/
+
+
 [[!tag draft]]
 

add curl note, mark as draft
diff --git a/blog/on-dying.mdwn b/blog/on-dying.mdwn
index ce502367..61be211f 100644
--- a/blog/on-dying.mdwn
+++ b/blog/on-dying.mdwn
@@ -205,3 +205,10 @@ As #RobertJordan writes: "Ages come and pass, leaving memories that become legen
 
 @jgoerzen our seemingly infinite capacity at storage is, in other words, at odds with our capacity at telling what really matters, and what should really be kept around forever
 
+
+# curl plans
+
+https://daniel.haxx.se/blog/2024/02/07/contingency-planning-for-me-and-curl/
+
+[[!tag draft]]
+

link to noctua's fan list
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 01388297..42bf28e8 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -126,7 +126,7 @@ spec'd at 45dB. That fan is a weird construction that has a 92x25mm
 fan inside an enclosure that directs the airflow, see [FAN-0076L4](https://store.supermicro.com/us_en/92mm-fan-0076l4.html)
 for the detailed specs. I asked Supermicro if they had a better
 replacement fan, and so far they just keep pointing me at that fan. So
-I asked Noctua if their fans would fit.
+I asked Noctua if [their fans](https://noctua.at/en/products/fan) would fit.
 
 ## 2020 Replacement
 

chase URL for case specs
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 660cc192..01388297 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -32,7 +32,7 @@ particulier [[services/mail]] et [[services/backup]].
 
 The server is also backed by a UPS, a [APC 1500VA BX1500m](https://www.apc.com/ca/en/product/BX1500M/apc-back-ups-1500-compact-tower-1500va-120v-avr-lcd-10-nema-outlets-5-surge/).
 
-[CSE-733TQ-500B]: https://www.supermicro.com/en/products/chassis/tower/733/SC733TQ-500B
+[CSE-733TQ-500B]: https://www.supermicro.com/en/products/archive/chassis/SC733TQ-500B
 [300$]: http://www.atic.ca/index.php?page=details&psku=63796
 [ASUS PRIME X470-PRO]: https://www.asus.com/us/Motherboards/PRIME-X470-PRO/
 [187$]: http://www.atic.ca/index.php?page=details&psku=196101

case fan was the problem, oops
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 1e62ca2d..660cc192 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -120,6 +120,14 @@ I have also considered:
    MemoryExpress, more expensive ([75$ at amazon](https://www.amazon.ca/dp/B00TBHYYFK), [NH-D9L is
    70$](https://www.amazon.ca/Noctua-NH-D9L-Premium-Cooler-NF-A9/dp/B00QCEWTAW))
 
+Update: I ordered the NH-D9L and installed it and immediately realized
+the problem was actually not the CPU fan, but the board fan, which is
+spec'd at 45dB. That fan is a weird construction that has a 92x25mm
+fan inside an enclosure that directs the airflow, see [FAN-0076L4](https://store.supermicro.com/us_en/92mm-fan-0076l4.html)
+for the detailed specs. I asked Supermicro if they had a better
+replacement fan, and so far they just keep pointing me at that fan. So
+I asked Noctua if their fans would fit.
+
 ## 2020 Replacement
 
 In 2020, hardware for marcos was swapped out into a new box.

switched octavia's uplink to a SFP
diff --git a/hardware/octavia.mdwn b/hardware/octavia.mdwn
index c07427aa..6a1f6490 100644
--- a/hardware/octavia.mdwn
+++ b/hardware/octavia.mdwn
@@ -44,6 +44,32 @@ needs to be known: it's currently hardcoded in DHCP but should be also
 visible in the router's DHCP leases. Automated upgrades should still
 be operational.
 
+## SFP configuration
+
+The SFP is not active by default. I found, [buried in some upgrade
+notes](https://docs.turris.cz/geek/tos3-migration/#turris-omnia-specifics) that:
+
+> Turris OS 5.0+ no longer supports switching between SFP and metallic in runtime. Switch is performed on boot for that boot-loader update is required. This is not yet available and so you have to switch between SFP and metallic manually. To do so you can run following command:
+> 
+>     ln -sf armada-385-turris-omnia-sfp.dtb /boot/dtb
+> 
+> To switch to metallic you just have to use phy instead of sfp in this command. Initial switch is performed as part of migration so you have to care about this only if you plan to switch between SFP and metallic WAN.
+
+So at first I couldn't make the SFP port work at all: link wouldn't
+even come up. But after running the above command and a reboot, the
+link came back up and it even fetched an IP address from upstream on
+the WAN port.
+
+Unfortunately, that's not what I wanted: I had to bridge the port with
+the `br-lan` bridge so that it keeps acting as a wireless bridge.
+
+[This section explains a bit more how that works](https://docs.turris.cz/hw/omnia/omnia/#network-interfaces): the WAN and SFP
+ports are not actually connected to the "switch-on-chip" at all and
+instead to the SoC which means packets will necessarily go through the
+CPU, which may impact performance. I might be interesting to compare
+the Omnia performance between the SFP port or a LAN port behind a
+media converter.
+
 Configuration of the Omnia router
 =================================
 
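Review bot: The new "SFP configuration" section says the port had to be bridged with `br-lan` but records neither the commands nor the configuration change that did it, so the procedure cannot be reproduced from this page; only the `ln -sf ... /boot/dtb` step from the quoted upstream notes is documented. Since the same port had just fetched an upstream address as WAN, it would also help to state which firewall zone it ends up in once bridged. Typos in the last paragraph: "I might be interesting" should read "It might be interesting", and "between the SFP port or a LAN port" should be "between the SFP port and a LAN port".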

matrix clients updates
diff --git a/blog/2022-06-17-matrix-notes.md b/blog/2022-06-17-matrix-notes.md
index bf0a2f5e..015d53de 100644
--- a/blog/2022-06-17-matrix-notes.md
+++ b/blog/2022-06-17-matrix-notes.md
@@ -799,12 +799,18 @@ Matrix](https://matrix.org/clients-matrix/) (confusing right?) to try to figure
 and, even after selecting `Linux` as a filter, the chart is just too
 wide to figure out anything. So I tried those, kind of randomly:
 
- * [FluffyChat](https://fluffychat.im/) (Dart, Flutter not in Debian, [Flatpak](https://flathub.org/apps/im.fluffychat.Fluffychat), solid Android,
-   iOS app)
- * [Fractal](https://gitlab.gnome.org/GNOME/fractal) (Rust, [not in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900928))
+ * [FluffyChat](https://fluffychat.im/) (Dart, Flutter not in Debian, [Flatpak](https://flathub.org/apps/im.fluffychat.Fluffychat), solid
+   on Android, also on iOS, works well on desktop too, [segfaults on
+   calling](https://github.com/flathub/im.fluffychat.Fluffychat/issues/107), calls don't work on F-Droid)
+ * [Cinny](https://cinny.in/) (Javascript/Typescript, electron-based, not in Debian,
+   interesting, "Slack-like" interface, failed to login to Salsa
+   because of no 2FA)
+ * [Fractal](https://gitlab.gnome.org/GNOME/fractal) (Rust, [not in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900928), no support for spaces)
  * [Mirage](https://github.com/mirukana/mirage) (not in Debian, inactive upstream since 2021, forked
    into [Moment](https://mx-moment.xyz/))
- * [Nheko](https://github.com/Nheko-Reborn/nheko) (C++, Python, Qt) [![Debian Unstable package](https://repology.org/badge/version-for-repo/debian_unstable/nheko.svg)](https://repology.org/project/nheko/versions)
+ * [Nheko](https://github.com/Nheko-Reborn/nheko) (C++, Python, Qt) [![Debian Unstable
+   package](https://repology.org/badge/version-for-repo/debian_unstable/nheko.svg)](https://repology.org/project/nheko/versions),
+   not as good as Fluffy
  * [Quaternion](https://github.com/quotient-im/Quaternion) (C++, Qt) [![Debian Unstable package](https://repology.org/badge/version-for-repo/debian_unstable/quaternion.svg)](https://repology.org/project/quaternion/versions)
 
 Unfortunately, I lost my notes on those, I don't actually remember
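
Review bot: In the new Cinny entry, "failed to login to Salsa because of no 2FA" does not say which side lacks 2FA (the client not handling the second factor, or the account not having one), so the reader cannot tell whether this is a Cinny limitation. One more clause would settle it. The Nheko entry's "not as good as Fluffy" likewise gives no criterion, while the other entries name concrete issues (segfault on calling, no support for spaces).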
@@ -826,6 +832,9 @@ Matrix. It does not support large multimedia rooms, for example:
 [Jitsi was used for FOSDEM](https://matrix.org/blog/2022/02/07/hosting-fosdem-2022-on-matrix/) instead of the native videoconferencing
 system.
 
+Update: I'm now (2024) using FluffyChat on desktop (through Flatpak)
+and Android (through F-Droid).
+
 ## Bots
 
 This falls a little aside the "usability" section, but I didn't know

eicat update
diff --git a/blog/2020-05-28-isp-upgrade.mdwn b/blog/2020-05-28-isp-upgrade.mdwn
index 4555f684..83562a09 100644
--- a/blog/2020-05-28-isp-upgrade.mdwn
+++ b/blog/2020-05-28-isp-upgrade.mdwn
@@ -245,7 +245,7 @@ So I shopped around for options again:
    latency. possibility of ADSL fallback as well, for an extra 70$/mth
    on a 1-year contract, ~55$/mth on a 3-year contract
  * [EIcat](http://www.eicat.ca/products.py/internet?type=Business) is, amazingly, still in business, and some contact there
-   responded to a ping, but nothing heard in days now
+   responded to a ping, still trying to figure out pricing and conditions
  * Bell charges [32$/mth for a static IP](https://business.bell.ca/shop/small-business/internet/addons/static-ip) and they don't want my
    business anyway
  * Videotron is [35$/mth](https://videotron.com/en/business/business-internet/static-ip-addresses), interestingly you can get a /29 for

update on my isp search
diff --git a/blog/2020-05-28-isp-upgrade.mdwn b/blog/2020-05-28-isp-upgrade.mdwn
index c9a87a2a..4555f684 100644
--- a/blog/2020-05-28-isp-upgrade.mdwn
+++ b/blog/2020-05-28-isp-upgrade.mdwn
@@ -239,7 +239,11 @@ So I shopped around for options again:
 
  * TekSavvy is 85$/mth for 120mbps, before the static IP, so not
    cheap, but maybe should be reconsidered. they did *try* to do IPv6
-   at least.
+   at least. update: have a business package, 108$/mth for a 250/50 on
+   a 12-month contract, 100$ installation fee, 21$/mth extra for a /29
+   (6 usable IPs), so actually cheaper than Oricom. asked about
+   latency. possibility of ADSL fallback as well, for an extra 70$/mth
+   on a 1-year contract, ~55$/mth on a 3-year contract
  * [EIcat](http://www.eicat.ca/products.py/internet?type=Business) is, amazingly, still in business, and some contact there
    responded to a ping, but nothing heard in days now
  * Bell charges [32$/mth for a static IP](https://business.bell.ca/shop/small-business/internet/addons/static-ip) and they don't want my
@@ -250,6 +254,11 @@ So I shopped around for options again:
 )
  * Cogeco might be as well, but the sales rep burst out laughing when
    I mentioned I was in Montreal, so I guess that's a nope as well
+ * Oricom is 130$+tx/mth for 250/50 all included, needs NEQ, but could
+   accept US business
+ * b2b2c is 99$+tx/mth for 100/30, 400/50 for 129$. were dithery about
+   email hosting ("maybe it will work, but won't change IP if it
+   doesn't"), asked about contract length)
 
 So the short list right now is TSI, Oricom, b2b2c (they answered a
 ping, amazingly).
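
Review bot: The added b2b2c item ends with an unbalanced closing parenthesis, "asked about contract length)", after the quoted parenthetical has already been closed. Drop the trailing ")" or fold the remark into the parenthetical. The two new items also give prices as "$+tx" while the TekSavvy item added in the previous hunk does not say whether tax is included, which matters for the "actually cheaper than Oricom" comparison (129$ against 130$).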

typo
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 6cf18ac8..1e62ca2d 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -106,7 +106,7 @@ compatibility chart but my case isn't there. The closest is the
 
 Interestingly though, it marks the 158mm [U12S](https://noctua.at/en/nh-u12s) as "insufficient
 clearance" while the [C14S](https://noctua.at/en/nh-c14s), at 115-142mm supposedly fits. Its fan
-([NF-A14-PWM](https://noctua.at/en/nf-a14-pwm)) is less interesting for me:, it's much noisier at
+([NF-A14-PWM](https://noctua.at/en/nf-a14-pwm)) is less interesting for me: it's much noisier at
 24.6db(A).
 
 I have also considered:

seek a new fan
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index c80c377f..6cf18ac8 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -22,7 +22,7 @@ particulier [[services/mail]] et [[services/backup]].
 
  * Case: [CSE-733TQ-500B][] ([300$][]), incl. 80+ bronze 500W PSU,
    4x3.5" hotswap bays, 2x5.25" bays, 1x3.5" bay, 7" (4U) x 20.9" x
-   16.8" (WxDxL), 17Kg ([manual](https://www.supermicro.com/manuals/chassis/Mid-tower/SC733.pdf))
+   16.8" or 178 x 531 x 427mm (WxDxL), 17Kg ([manual](https://www.supermicro.com/manuals/chassis/Mid-tower/SC733.pdf))
  * Motherboard: [ASUS PRIME X470-PRO][]: [187$][] (AM4/PGA 1331 ATX
    12"x9.6" 6 SATA Intel® I211-AT chipset, [detailed specs][])
  * Memory: Kingston KSM26ED8/16ME (16GB RAM): [114$][]
@@ -50,7 +50,76 @@ are kept only for historical reference, as the machine was rebuilt
 with new hardware in 2020.
 
 See [[services/backup]] for backup and drive replacement procedures.
- 
+
+## 2024 Fan replacement
+
+From the 2020 replacement, the server has always been away, either in
+a basement or a closet, and its noisy stock fan didn't really
+matter. But now it's moved inside the office and damn that thing is
+noisy. It's noisy when *idle* and sounds like a hair drier when it
+spins up. So, it's got to go.
+
+I've heard good things from friends about [Noctua](https://noctua.at), so let's go
+with that. My previous "gold standard" was the stock Intel fan that
+came with the [[v1]], which, according to this [old review](https://silentpcreview.com/lga775-low-profile-heatsink-roundup/) ranges
+from 14 to 26dBa in noise.
+
+Noctua seems to be Amazon sellouts, but they have products at
+memoryexpress.com and NewEgg, so I guess I'll try Memory Express
+now. Out of [their Noctua selection](https://www.memoryexpress.com/Category/CoolingCPU?FilterID=26b78891-590d-2259-fa23-6e925f4e75eb&Sort=Price), their cheapest fan
+[compatible with my CPU](https://ncc.noctua.at/cpus/model/AMD-Ryzen-5-2600X-1010) is the [NH-D9L](https://noctua.at/en/nh-d9l/) if I read all of this
+right, at 80$ + tax + 13$ purolator shipping. The [specification](https://noctua.at/en/nh-d9l/specification)
+on that is:
+
+ * dimensions: 110 x 95 x 95 mm (531 g)
+ * NSPR*: 88
+ * kit:
+   * NF-A9 PWM premium fan
+   * NA-RC7 Low-Noise Adaptor (L.N.A.)
+   * NT-H1 high-grade thermal compound
+   * SecuFirm2™ Mounting Kit
+   * Fan-clips for second NF-A9
+   * Noctua Metal Case-Badge
+ * fan ([Noctua NF-A9 PWM](https://noctua.at/en/products/fan/nf-a9-pwm.html)):
+   * 400-2000RPM
+   * max noise: 22.8db(A)
+   * stops at 0% PWN
+
+There's a big asterisk with Noctua which is that they don't follow the
+TDP (Thermal Design Power) rating and instead have their own NSPR
+([Noctua Standard Performance Rating](https://noctua.at/en/noctua-standardised-performance-rating)). So who knows what that "88"
+stands for. In their compatibility table, it's rated as "low
+turbo/overclocking headroom", which is fine by me: I haven't done
+"overclocking" in decades at this point.
+
+The sink is also [compatible with the board](https://ncc.noctua.at/motherboards/model/ASUS-Prime-X470-Pro-4796), apparently, so
+presumably I don't need to worry about pins, voltage, or actually
+knowing WTF I am doing, in general, which is reassuring but probably
+wrong.
+
+The other concern is fitting the fan in the case. There's a case
+compatibility chart but my case isn't there. The closest is the
+[Supermicro-SuperChassis-743T-500B-1842](https://ncc.noctua.at/cases/model/Supermicro-SuperChassis-743T-500B-1842) but that one is 25.5" x
+17.8" x 7" while mine is 7" (4U) x 20.9" x 16.8". But really, both are
+7" where it matters, which is 168mm, which is plenty of room for a
+110mm fan.
+
+Interestingly though, it marks the 158mm [U12S](https://noctua.at/en/nh-u12s) as "insufficient
+clearance" while the [C14S](https://noctua.at/en/nh-c14s), at 115-142mm supposedly fits. Its fan
+([NF-A14-PWM](https://noctua.at/en/nf-a14-pwm)) is less interesting for me:, it's much noisier at
+24.6db(A).
+
+I have also considered:
+
+ * [NH-U12S](https://noctua.at/en/nh-u12s/specification): 22.4db(A), slightly quieter, but much bigger, marked
+   as not fitting in the Supermicro (158mm)
+ * [NH-D12L](https://noctua.at/en/nh-d12l/specification): 22.6dB(A) but much larger dissipation power (148 vs
+   88 for the D9L), not available at MemoryExpress, more expensive
+   ([115$ at amazon](https://www.amazon.ca/dp/B09TB5KJ5V), [newegg](https://www.newegg.ca/p/13C-0005-002A0))
+ * [NH-U9S](https://noctua.at/en/nh-u9s/): 22.8dB(A), slightly more powerful, not at
+   MemoryExpress, more expensive ([75$ at amazon](https://www.amazon.ca/dp/B00TBHYYFK), [NH-D9L is
+   70$](https://www.amazon.ca/Noctua-NH-D9L-Premium-Cooler-NF-A9/dp/B00QCEWTAW))
+
 ## 2020 Replacement
 
 In 2020, hardware for marcos was swapped out into a new box.
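
Review bot: The case clearance paragraph equates 7" with 168mm ("both are 7" where it matters, which is 168mm"), but the first hunk of this same commit converts the same 7" to 178mm in the case line. One of the two is wrong, and since the U12S at 158mm is listed as "insufficient clearance" the exact figure matters for the argument. Smaller points in the same hunk: "stops at 0% PWN" should be "PWM", "From the 2020 replacement" reads better as "Since the 2020 replacement", and the units alternate between "db(A)", "dB(A)" and "dBa".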

automatic federated post of hardware/server/roadkiller.mdwn
Command: ['/usr/bin/feed2exec', '-v', 'fetch']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/hardware/server/roadkiller.mdwn b/hardware/server/roadkiller.mdwn
index aca78551..a93e69a1 100644
--- a/hardware/server/roadkiller.mdwn
+++ b/hardware/server/roadkiller.mdwn
@@ -547,3 +547,7 @@ Not sure what the fate of this device will be: I'll bring it to the
 [[contact me|contact]] if you can't show up and want this thing.
 
 [[!tag node blog debian-planet python-planet freebsd hardware]]
+
+
+<!-- posted to the federation on 2024-01-29T23:21:49.993438 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/111842984579540748"]]
\ No newline at end of file
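
Review bot: The automated append leaves the file without a trailing newline (see the "No newline at end of file" marker) and inserts two blank lines before the comment where one would do. Since this is written by the ikiwikitoot plugin named in the commit message, the fix belongs in the plugin: end the appended block with a newline so that the next edit to this page does not produce a spurious diff on the `[[!mastodon ...]]` line.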

try to bump soekris up in the list
diff --git a/hardware/server/roadkiller.mdwn b/hardware/server/roadkiller.mdwn
index ce348ed8..aca78551 100644
--- a/hardware/server/roadkiller.mdwn
+++ b/hardware/server/roadkiller.mdwn
@@ -1,4 +1,5 @@
 [[!meta title="router archeology: the Soekris net5001"]]
+[[!meta date="2024-01-29T23:20:48-0500"]]
 
 Roadkiller was a Soekris net5501 router I used as my main gateway
 between 2010 and 2016 (for [[services/réseau]] and
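
Review bot: The title line kept as context in this hunk says "Soekris net5001" while the first sentence of the body says "Soekris net5501". Since this commit touches the page metadata anyway, the title should be corrected in the same change so the two agree.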

remove empty tag
diff --git a/tag/planet.mdwn b/tag/planet.mdwn
deleted file mode 100644
index 0b62d6c4..00000000
--- a/tag/planet.mdwn
+++ /dev/null
@@ -1,4 +0,0 @@
-[[!meta title="pages tagged planet"]]
-
-[[!inline pages="tagged(planet)" actions="no" archive="yes"
-feedshow=10]]

fix tag
diff --git a/hardware/server/roadkiller.mdwn b/hardware/server/roadkiller.mdwn
index 34c897a1..ce348ed8 100644
--- a/hardware/server/roadkiller.mdwn
+++ b/hardware/server/roadkiller.mdwn
@@ -545,4 +545,4 @@ Not sure what the fate of this device will be: I'll bring it to the
 [next Montreal Debian & Stuff](https://agendadulibre.qc.ca/events/2431) to see if anyone's interested,
 [[contact me|contact]] if you can't show up and want this thing.
 
-[[!tag node blog debian-planet python planet freebsd hardware]]
+[[!tag node blog debian-planet python-planet freebsd hardware]]

creating tag page tag/planet
diff --git a/tag/planet.mdwn b/tag/planet.mdwn
new file mode 100644
index 00000000..0b62d6c4
--- /dev/null
+++ b/tag/planet.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged planet"]]
+
+[[!inline pages="tagged(planet)" actions="no" archive="yes"
+feedshow=10]]

new blog post about an artifact i found
diff --git a/hardware/server/roadkiller.mdwn b/hardware/server/roadkiller.mdwn
index fdc22a71..34c897a1 100644
--- a/hardware/server/roadkiller.mdwn
+++ b/hardware/server/roadkiller.mdwn
@@ -1,11 +1,15 @@
-Roadkiller was the Soekris net5501 router I used as my main gateway
-between 2010 and 2016 ([[services/réseau]] et [[services/téléphone]]).
+[[!meta title="router archeology: the Soekris net5001"]]
 
-Il a été mis à jour à FreeBSD 8.4-p12 (2014-06-06) et `pkgng`. Il
-n'est plus en service depuis l'installation de [[hardware/octavia]].
+Roadkiller was a Soekris net5501 router I used as my main gateway
+between 2010 and 2016 (for [[services/réseau]] and
+[[services/téléphone]]).
 
-10 ans plus tard (2024-01-24), le routeur a été démarré et il semble
-encore fonctionnel!
+It was upgraded to FreeBSD 8.4-p12 (2014-06-06) and `pkgng`. It was
+retired in favor of [[hardware/octavia]] around 2016.
+
+Roughly 10 years later (2024-01-24), I found it in a drawer and, to my
+surprised, it booted. After wrangling with a [RS-232 USB adapter](https://en.wikipedia.org/wiki/USB-to-serial_adapter),
+a [null modem cable](https://en.wikipedia.org/wiki/Null_modem), and bit rates, I even logged in:
 
     comBIOS ver. 1.33  20070103  Copyright (C) 2000-2007 Soekris Engineering.
 
@@ -159,14 +163,17 @@ The last log rotation is from 2016:
     [root@roadkiller /var/log]# stat /var/log/wtmp      
     65 61783 -rw-r--r-- 1 root wheel 208219 1056 "Nov  1 05:00:01 2016" "Jan 18 22:29:16 2017" "Jan 18 22:29:16 2017" "Nov  1 05:00:01 2016" 16384 4 0 /var/log/wtmp
 
-Interestingly, we switched between eicat and teksavvy on December
+Interestingly, I switched between eicat and teksavvy on December
 11th. Which year? Who knows!
 
     Dec 11 16:38:40 roadkiller mpd: [eicatL0] LCP: authorization successful
     Dec 11 16:41:15 roadkiller mpd: [teksavvyL0] LCP: authorization successful
 
-Maybe 2015, because the log dates from 2017, and the last entry is
-from November of the year after the above:
+Never realized those good old logs had a "oh dear forgot the year"
+issue (that's something like Y2K except just "Y", I guess).
+
+That was probably 2015, because the log dates from 2017, and the last
+entry is from November of the year after the above:
 
     [root@roadkiller /var/log]# stat mpd.log 
     65 47113 -rw-r--r-- 1 root wheel 193008 71939195 "Jan 18 22:39:18 2017" "Jan 18 22:39:59 2017" "Jan 18 22:39:59 2017" "Apr  2 10:41:37 2013" 16384 140640 0 mpd.log
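
Review bot: The rewritten dating paragraph ("That was probably 2015, because the log dates from 2017") treats the 2017 `stat` times as meaningful, but further down this same page the 2017 clock is described as what the machine believed during a boot that actually took place on 2024-01-24. It would be clearer to say that the "Jan 18 2017" times are an artifact of that boot, and that the year is inferred from the last real entries (the wtmp rotation of "Nov 1 05:00:01 2016") rather than from the file's modification time. The new sentence about year-less log lines is a good place to state that explicitly.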
@@ -181,7 +188,7 @@ years*, which I find utterly amazing.
 
 Another amazing thing is that there's tuptime installed on that
 server! That is a software I *thought* I discovered later and then
-sponsored in Debian, but turns out I was already using it then!
+[sponsored in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638422), but turns out I was already using it then!
 
     [root@roadkiller /var]# tuptime 
     System startups:        19   since   21:20:16 11/07/15
@@ -275,12 +282,14 @@ actually 2024-01-24 at ~12:00 local:
     This machine is doomed to be replaced with the new omnia router, Indiegogo
     campaign should ship in april 2016: http://igg.me/at/turris-omnia/x
 
-(I really like the motd I left myself there. In theory, I guess this
+(I really like the `motd` I left myself there. In theory, I guess this
 could just start connecting to the internet again if I still had the
-same PPPoE/ADSL link I had almost a decade ago; obviously, I do not.)
+same PPPoE/ADSL link I had almost a decade ago; obviously, I [[do
+not|blog/2020-05-28-isp-upgrade]].)
 
 Not sure how the system figured the 2017 time: the onboard clock
-itself believes we're in 1980, so clearly the battery has failed:
+itself believes we're in 1980, so clearly the [CMOS battery](https://en.wikipedia.org/wiki/CMOS_battery) has
+(understandably) failed:
 
     > ?
     comBIOS Monitor Commands
@@ -500,8 +509,8 @@ ISP... back in 2003!
 
 Fascinating.
 
-I suspect the hard drive might be failing as I saw two new files
-created in /var that I didn't remember seeing before:
+I suspect the ([IDE](https://en.wikipedia.org/wiki/Integrated_Drive_Electronics)!) hard drive might be failing as I saw two new
+files created in `/var` that I didn't remember seeing before:
 
     -rw-r--r--   1 root    wheel        0 Jan 18 22:55 3@T3
     -rw-r--r--   1 root    wheel        0 Jan 18 22:55 DY5
@@ -523,4 +532,17 @@ So I shutdown the machine, possibly for the last time:
     The operating system has halted.
     Please press any key to reboot.
 
-[[!tag node]]
+I'll finally note this was the last [FreeBSD](https://en.wikipedia.org/wiki/FreeBSD) server I personally
+operated. I also used FreeBSD to setup the core routers at
+[Koumbit](https://koumbit.org) but those were [replaced with Debian recently](https://koumbitstatus.net/incident/377) as
+well.
+
+Thanks Soekris, that was some sturdy hardware. Hopefully this new
+[[Protectli router|hardware/margaret]] will live up to that "decade
+plus" challenge.
+
+Not sure what the fate of this device will be: I'll bring it to the
+[next Montreal Debian & Stuff](https://agendadulibre.qc.ca/events/2431) to see if anyone's interested,
+[[contact me|contact]] if you can't show up and want this thing.
+
+[[!tag node blog debian-planet python planet freebsd hardware]]
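
Review bot: The new tag line has "python planet" as two separate words, which tags the page with both `python` and `planet` instead of a single hyphenated tag like the neighbouring `debian-planet`. If `python-planet` was intended, fix it here before it generates a stray tag page. In the added closing paragraphs, "used FreeBSD to setup the core routers" should use the verb form "set up".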

isp upgrade status
diff --git a/blog/2020-05-28-isp-upgrade.mdwn b/blog/2020-05-28-isp-upgrade.mdwn
index 5e4a441d..c9a87a2a 100644
--- a/blog/2020-05-28-isp-upgrade.mdwn
+++ b/blog/2020-05-28-isp-upgrade.mdwn
@@ -208,6 +208,8 @@ I have *not* contacted those providers:
 
 ## Updates
 
+### 2023-07-24
+
 I had a nightmare time trying to convince bell to give me their sweet
 3gbps symmetric fiber link for 60$ / mth. I spent hours on the phone
 being bounced back between incompetence and hilarity, and eventually
@@ -219,4 +221,45 @@ probably won't allow me to host the server there, but I have to get
 *something* moving, and I've heard you get notified when fiber does
 land, so I have hope.
 
+### 2024-01-29
+
+Again, I'm confronted with this problem. Oricom is having trouble
+porting my IP address to a new subscriber: they want me to register a
+new account, and for that they need a provincial business number (a
+"NEQ"), which is another [40$/year fee](https://www.quebec.ca/entreprises-et-travailleurs-autonomes/demarrer-entreprise/immatriculer-constituer-entreprise/immatriculer-constituer-entreprise-formes-juridiques/personne-physique-entreprise-individuelle). Which means they only
+accept business registered in the province, which seems ludicrous to
+me.
+
+Compared to [others who live in the countryside](https://stgraber.org/2023/10/18/setting-up-a-new-house/), my situation is
+ridiculous. My fine colleague is getting symmetric 3gbps *and* a
+redundant 100mbps link far out of the city, and I can't get *any*
+fiber here. It's amazing.
+
+So I shopped around for options again:
+
+ * TekSavvy is 85$/mth for 120mbps, before the static IP, so not
+   cheap, but maybe should be reconsidered. they did *try* to do IPv6
+   at least.
+ * [EIcat](http://www.eicat.ca/products.py/internet?type=Business) is, amazingly, still in business, and some contact there
+   responded to a ping, but nothing heard in days now
+ * Bell charges [32$/mth for a static IP](https://business.bell.ca/shop/small-business/internet/addons/static-ip) and they don't want my
+   business anyway
+ * Videotron is [35$/mth](https://videotron.com/en/business/business-internet/static-ip-addresses), interestingly you can get a /29 for
+   80$/mth too
+ * Rogers might be interesting, but are [unavailable in my region](https://www.rogers.com/business/internet-services/dedicated
+)
+ * Cogeco might be as well, but the sales rep burst out laughing when
+   I mentioned I was in Montreal, so I guess that's a nope as well
+
+So the short list right now is TSI, Oricom, b2b2c (they answered a
+ping, amazingly).
+
+In fact, according to [this search site](https://www.whistleout.ca/Internet/Canada/Quebec) there are exactly zero
+ISPs that provide static IPs in Quebec
+
+I posted two threads on DSL reports ([1](https://www.dslreports.com/forum/r33823478-adresse-IP-statique-pour-un-serveur-Montr-al), [2](https://www.dslreports.com/forum/r33823498-server-with-static-IP-in-montreal)) and the answer
+was basically to get a proxy service, which I have considered, but I
+refuse to admit defeat. I *still* think we should be able to host a
+server at home, and that the internet should be more symmetric.
+
 [[!tag debian-planet internet neutrality québec sysadmin diy montreal]]
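
Review bot: In the Rogers item of the new 2024-01-29 section, the link target is split by a line break, with the closing ")" alone on the following line, which will not render as a link in Markdown; keep the URL and its closing parenthesis on one line. The short list that follows names Oricom and b2b2c, but neither appears in the bulleted options above it in this hunk, so the list and the conclusion do not match. The sentence ending "ISPs that provide static IPs in Quebec" is also missing its final period.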

add fiber stuff to core router section
diff --git a/services/wifi.mdwn b/services/wifi.mdwn
index 538b7dea..503fdb56 100644
--- a/services/wifi.mdwn
+++ b/services/wifi.mdwn
@@ -381,8 +381,12 @@ So, BOM:
    * alternative: GS1900-48 *without* PoE (we keep the injector),
      [210$USD at B&H](https://www.bhphotovideo.com/c/product/1080481-REG/zyxel_gs_1900_series_gs1900_48.html)
    * alternative: GS1900-24 without PoE: [170$ at B&H](https://www.bhphotovideo.com/c/product/1166663-REG/zyxel_gs1900_24_gs1900_series_24_port_gbe.html)
- * [U6 Lite AP: 132$](https://ca.store.ui.com/ca/en/pro/products/u6-lite) (optional? maybe reuse the Mox?
-   [[hardware/atwood]])
+ * <del>[U6 Lite AP: 132$](https://ca.store.ui.com/ca/en/pro/products/u6-lite) (optional? maybe reuse the Mox?
+   [[hardware/atwood]]</del> using the Omnia
+ * simplex bidirectional SFP LC SMF module: [14$ at FS](https://www.fs.com/products/75335.html?attribute=1464&id=561932) and [19$ at
+   FS](https://www.fs.com/products/75336.html) (33$)
+ * SMF LC/LC cable LC UPC to LC UPC Simplex OS2 Single Mode [30m
+   98ft](https://www.fs.com/products/40439.html) (8.50$) ou [20m 66ft](https://www.fs.com/products/40440.html?attribute=986&id=1787390) (6.70$)
  * Total: 573$, 508$ for 24 port without PoE, 563$ for 48 ports
    without PoE, 705$ with extra AP
 
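Review bot: The "Total:" line is left unchanged as context although this hunk strikes the U6 Lite AP and adds the SFP modules (33$) and the fibre cable, so the totals no longer correspond to the items listed. Recompute them in the same change. The `<del>` span also closes before the parenthesis opened at "(optional?" is closed, leaving it unbalanced, and "ou" in the cable item should be "or" in this English list.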

document some framework 16 reviews
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index c32d9946..428eb6b7 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -90,6 +90,11 @@ pre-order. It's a larger laptop than the "13" (which the 11th, 12th
 and 13th gen all fit into) with 6 expansion ports, hotswappable
 keyboard mods and a hotswappable GPU.
 
+Reviews:
+
+ * [Ars Technica](https://arstechnica.com/gadgets/2024/01/review-frameworks-laptop-16-is-unique-laudable-fascinating-and-flawed/): "unique, laudable, fascinating, and flawed"
+ * [Upstream's review index](https://frame.work/ca/en/blog/framework-laptop-16-reviews-are-live)
+
 ## GPD pocket
 
 native ubuntu

another day, another framework mod
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index ceb63b59..c74a4452 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2025,6 +2025,7 @@ USB-C|blog/2023-02-10-usb-c]]. I'm considering a Dell
  * [tablet mod](https://www.instructables.com/Framework-Tablet-Assembly-Manual/) (kind of clunky, but works!)
  * [gaming handheld mod](https://www.youtube.com/watch?v=zd6WtTUf-30) (!!!)
  * [cyberdeck](https://github.com/BenMakesEverything/cyberdeck/), [video](https://www.youtube.com/watch?v=qzEd50uzdF0)
+ * [Framedeck](https://community.frame.work/t/my-open-source-framework-powered-handheld/43151), [video part 1](https://www.youtube.com/watch?v=XlbybcZxy6A&t=4s), [part 2](https://www.youtube.com/watch?v=zO6Jn7tTwc8), [GitHub](https://github.com/redglitch2/FrameDeck)
  * [keyboard mod](https://www.tindie.com/products/crimier/framework-input-cover-controller/) (i.e. turn the Framework keyboard, touch pad,
    fingerprint reader and power buttons into a "normal" USB keyboard
    and hub)

reflection working
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 3259ad9a..f06743cb 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -153,7 +153,7 @@ commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/co
  1. puppet bootstrap ✅
  1. systemd-networkd ✅
  1. dump fw rules on belleville ✅ and omnia ✅
- 1. firewall with nftables (forwarding and NAT) ✅ missing a few
+ 1. firewall with nftables (forwarding and NAT) ✅
  1. DHCP assignments and configuration (dnsmasq) ✅
  1. recursive DNS (dnsmasq) ✅
  1. bufferbloat tests ✅
@@ -162,7 +162,7 @@ commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/co
  1. re-do bufferbloat tests ✅
  1. micah backup move ✅
  1. forward tests ✅
- 1. reflection
+ 1. reflection ✅ ([upstream discussion](https://github.com/voxpupuli/puppet-nftables/issues/236))
  1. APU move
  1. marcos move
  1. monitoring: octavia (collectd + prometheus?) and margaret

notes about dark modes
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 4167801f..931de629 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -70,8 +70,10 @@ I am testing those and they might make it to the top list once I'm happy:
    Discard is also [recommended](https://support.mozilla.org/en-US/kb/add-on-badges)
  * [Clean URLs](https://docs.clearurls.xyz/) (no deb, [source](https://github.com/ClearURLs/Addon)) - remove garbage in URLs
  * [Dark Background and Light Text](https://addons.mozilla.org/en-GB/firefox/addon/dark-background-light-text/) (no deb, [source](https://github.com/m-khvoinitsky/dark-background-light-text-extension)) - Mozilla
-   also recommends [Midnight Lizard](https://addons.mozilla.org/addon/midnight-lizard-quantum/) for Android, and I also tested
-   [dark reader](https://addons.mozilla.org/addon/darkreader/)
+   also recommends [Midnight Lizard](https://addons.mozilla.org/addon/midnight-lizard-quantum/) for Android which I couldn't
+   figure out how to disable by default (and only enable on some
+   sites), and I also tested [dark reader](https://addons.mozilla.org/addon/darkreader/), which seem a bit
+   overkill.
  * [display anchors](https://addons.mozilla.org/en-US/firefox/addon/display-_anchors/) (no deb, [source](https://github.com/Rob--W/display-anchors))
  * [Greasemonkey](https://addons.mozilla.org/firefox/addon/greasemonkey/) (no deb, [source](https://github.com/greasemonkey/greasemonkey/)) - mostly for [this one hack
    for Nextcloud Calendar to show UTC times alongside local](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/nextcloud#showing-utc-times-in-weekly-calendar-view)

finalize bufferbloat tests
diff --git a/hardware/margaret.md b/hardware/margaret.md
index dc344f19..3259ad9a 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -159,9 +159,10 @@ commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/co
  1. bufferbloat tests ✅
  1. swap omnia and router ✅ (see [[octavia]] for part of that
     procedure)
- 1. re-do bufferbloat tests
- 1. reflexion and forward tests
- 1. micah backup move
+ 1. re-do bufferbloat tests ✅
+ 1. micah backup move ✅
+ 1. forward tests ✅
+ 1. reflection
  1. APU move
  1. marcos move
  1. monitoring: octavia (collectd + prometheus?) and margaret
@@ -227,25 +228,42 @@ Installing it on the pristine router yields:
 
 And that doesn't include `netperf`.
 
-## octavia bufferbloat tests
-
-CF reports:
-
- * Bandwidth: 133mbps/22.2mbps
- * Latency: 20.5ms (loaded: 34.5ms/53.5ms)
- * Jitter: 4.32ms (loaded: 17.9ms/11.2ms)
- * 0% packet loss
- * [[full CSV|speed-results-1706020222.csv]]
-
-## with margaret in front
-
-CF reports:
-
- * Bandwidth: 131mbps/61.2mbps
- * Latency: 21ms (loaded: 40.5ms/56.5ms)
- * Jitter: 2.58ms (loaded: 14.4ms/5.53ms)
- * 0% packet loss
- * [[full CSV|speed-results-1706020410.csv]]
+## bufferbloat tests
+
+Tests were performed on <https://speed.cloudflare.com/> using Firefox
+ESR 115.6 on Debian bookworm around 2024-01-23 and -24, with too many
+tabs opened (so possibly interference).
+
+| Test             | Down | Up   | Latency | Loaded    | Jitter | Loaded    | Notes                                                    |
+|------------------|------|------|---------|-----------|--------|-----------|----------------------------------------------------------|
+| octavia          | 133  | 22.2 | 20.5    | 34.5/53.5 | 4.32   | 17.9/11.2 | old setup [CSV](speed-results-1706020222.csv)            |
+| margaret-staging | 131  | 61.2 | 21      | 40.5/56.5 | 2.58   | 14.4/5.53 | margaret as a client [CSV](speed-results-1706020410.csv) |
+| margaret-prod    | 131  | 33.7 | 20.0    | 42.5/72.0 | 3.37   | 12.8/4.32 | margaret as a router [CSV](speed-results-1706154403.csv) |
+| margaret-direct  | 132  | 22.1 | 20.0    | 42.5/26.5 | 3.63   | 14.1/5.79 | same, no switch [CSV](speed-results-1706154972.csv)      |
+| direct-2.5g      | 131  | 21.7 | 21.0    | 39.5/26.0 | 3.74   | 12.8/19.3 | same, framework card [CSV](speed-results-1706155380.csv) |
+
+All tests reported 0% packet loss. Down/Up is bandwidth in megabit per
+second. Latency/Loaded/Jitter is in milliseconds. "Loaded" is the
+column to the left when downloading/uploading (e.g. first one is the
+latency, in millisecond, when downloading / uploading content).
+
+Observations:
+
+ * ingress bandwidth is steady at 131-133 mbps
+ * egress bandwidth is strangely variable, spike at 61mbps
+   particularly odd
+ * latency stable at 20-21ms, within 1ms of each other
+ * ingress load is +20ms buffer bloat, possibly +5ms with margaret
+ * egress is much more variable, +30ms on octavia, first test +50ms
+   but direct tests are only +6ms
+ * ISP package is 120/20, so bandwidth is +10% more than spec
+
+Theories:
+
+ * switch is crap and possibly introduces +50ms buffer bloat on upload
+ * cable modem introduces +15-20ms buffer bloat on download
+ * margaret *reduces* egress buffer bloat down to 6ms
+ * margaret *increases* ingress bloat by +5-7ms
 
 # Disaster recovery procedures
 
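Review bot: the table header has two columns both named "Loaded" and carries no units, so the reader has to go to the paragraph below it to learn that the first is loaded latency and the second loaded jitter, each given as download/upload. Naming them "Latency loaded (down/up)" and "Jitter loaded (down/up)" and putting Mbps and ms in the header would let the table stand alone. In the Theories list, every conclusion about the switch and about margaret rests on one run per configuration, taken with what the intro calls "too many tabs opened", and the margaret-staging upload of 61.2 against a 120/20 package shows how noisy a single run can be; a few repeats per row would be needed before blaming the switch.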
diff --git a/hardware/margaret/speed-results-1706154403.csv b/hardware/margaret/speed-results-1706154403.csv
new file mode 100644
index 00000000..c7a67f42
--- /dev/null
+++ b/hardware/margaret/speed-results-1706154403.csv
@@ -0,0 +1,47 @@
+time,direction,bytes,latency,bps,duration,serverTime,responseSize,loadedLatencies
+1706154357567,download,100000,20.000139000000004,20236929.67666937,40.000139000000004,70.999861,101185,
+1706154360734,download,100000,21.000045999999998,16864650.504709933,48.000046,72.999954,101188,
+1706154360901,download,100000,20.00013,17598732.87314623,46.00013,60.99987,101193,20.000048
+1706154361053,download,100000,20.000055000000003,32379128.76591671,25.000055000000003,82.999945,101185,
+1706154361186,download,100000,19.000109000000002,32379698.824513122,25.000109000000002,63.999891,101187,
+1706154361286,download,100000,21.999964,29981669.605189107,26.999964,62.000036,101188,
+1706154361419,download,100000,21.00013,31133690.485393725,26.00013,60.99987,101185,17.000151000000002
+1706154361535,download,100000,27.999964,24531663.125450682,32.999964,62.000036,101193,
+1706154361632,download,100000,19.000078000000002,32379098.97721119,25.000078000000002,56.999922,101185,
+1706154361744,download,100000,20.000024999999994,31136277.75357909,26.000024999999994,75.999975,101193,
+1706154361959,download,1000000,19.000023,97699875.0354009,82.000023,98.999977,1001424,
+1706154362175,download,1000000,23.000011,97700669.82064186,82.000011,111.999989,1001432,32.999861
+1706154362368,download,1000000,20.000004000000004,101414475.87774806,79.000004,78.999996,1001468,
+1706154362527,download,1000000,19.999972999999997,101408237.19015701,78.999973,72.000027,1001406,
+1706154362695,download,1000000,21.000096999999997,98904375.38611837,81.000097,76.999903,1001408,28.000048
+1706154362849,download,1000000,18.999943000000002,102708690.44096608,77.999943,65.000057,1001409,
+1706154363047,download,1000000,20.000136999999995,101408836.79733366,79.000137,93.999863,1001414,
+1706154363210,download,1000000,21.999994,98905686.33869281,80.999994,69.000006,1001420,20.000069000000003
+1706154363376,upload,100000,49.000012999999996,5826086.956521737,138,88.999987,948,
+1706154363478,upload,100000,23.999996000000003,11485714.285714284,70,46.000004,950,20.000056999999998
+1706154363593,upload,100000,30.000275000000002,8645161.29032258,93,62.999725,959,
+1706154363688,upload,100000,26.999975,10578947.368421052,76,49.000025,957,
+1706154363803,upload,100000,27.999975,10441558.44155844,77,49.000025,959,
+1706154363899,upload,100000,29.999851,10864864.864864863,74,44.000149,967,
+1706154364028,upload,100000,29.99991,7243243.243243242,111,81.00009,958,27.000085999999996
+1706154364112,upload,100000,27.000017,11485714.285714284,70,42.999983,957,
+1706154375412,upload,1000000,40.00012400000003,19142857.14285714,420,379.999876,950,24.000109000000002
+1706154375832,upload,1000000,29.000186999999983,20099999.999999996,400,370.999813,956,51.000048
+1706154376249,upload,1000000,28.999887,20829015.544041447,386,357.000113,949,76.000141
+1706154376661,upload,1000000,30.000084000000015,20458015.26717557,393,362.999916,951,
+1706154377076,upload,1000000,0.01,84631578.94736841,95,361.000061,947,32.999903
+1706154377490,upload,1000000,0.01,59999999.99999999,134,369.999886,955,74.9998
+1706154378195,download,10000000,20.000109000000002,130767610.69661838,612.000109,63.999891,10003724,64.99999600000001
+1706154378911,download,10000000,24.000159999999994,129708660.04313515,617.00016,67.99984,10003783,32.999996 48.00012
+1706154379630,download,10000000,27.000004000000004,129080644.32851197,620.000004,78.999996,10003750,48.99987
+1706154380328,download,10000000,19.000036,130768319.10513157,612.000036,62.999964,10003777,47.999985
+1706154381047,download,10000000,19.999931000000004,130768119.31862782,611.9999310000001,78.000069,10003760,23.999985000000002
+1706154381755,download,10000000,21.000045999999998,130554822.17696276,613.000046,72.999954,10003764,28.000012999999996 47.000069
+1706154385490,upload,10000000,38.00001299999985,22167080.231596358,3627,3588.999987,954,23.999996000000003 61.000254 46.000027 43.999975 48.999975 55.000162 49.999900999999994
+1706154389175,upload,10000000,24.00004600000011,22351959.966638863,3597,3572.999954,961,19.999996000000003 61.999996 58.000214 64.000254 63.999933 67.000038 69.999924
+1706154392860,upload,10000000,30.000109000000066,22370617.696160264,3594,3563.999891,955,72.000069 82.000069 73.999943 59.000109 64.99983 70.999924 72.000265
+1706154396556,upload,10000000,28.000015000000076,22370617.696160264,3594,3565.999985,957,74.000202 75.999922 77.000038 77.000013 76.00009 83.000193 78.00018299999999
+1706154398188,download,25000000,19.000067,133284598.98063417,1501.000067,69.999933,25007524,23.999966 59.000111 56.999922
+1706154399819,download,25000000,20.000139000000004,131792646.69355871,1518.000139,70.999861,25007657,20.000183 43.00009 40.000235
+1706154401464,download,25000000,18.000212000000005,133107643.2343178,1503.000212,71.999788,25007602,28.999924 42.999975 48.999975 41.000141
+1706154403132,download,25000000,20.000136999999995,131101351.27071747,1526.000137,93.999863,25007585,49.000088000000005 40.999882 42.000048
\ No newline at end of file
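Review bot: two upload rows in the 1000000-byte group (time 1706154377076 and 1706154377490) record a latency of exactly 0.01 with bps of about 84.6M and 60.0M, while no other upload row in this file goes above roughly 22.4M. They look like measurement artefacts and will skew any average computed from the file, so either drop them or mention them next to the margaret-prod row of the table. The loadedLatencies field also packs a space-separated list into one CSV column, which deserves a line of documentation for anyone parsing it, and the file is committed without a trailing newline.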
diff --git a/hardware/margaret/speed-results-1706154972.csv b/hardware/margaret/speed-results-1706154972.csv
new file mode 100644
index 00000000..b61371b8
--- /dev/null
+++ b/hardware/margaret/speed-results-1706154972.csv
@@ -0,0 +1,47 @@
+time,direction,bytes,latency,bps,duration,serverTime,responseSize,loadedLatencies
+1706154918172,download,100000,21.999880000000005,15871566.756627662,50.999880000000005,74.00012,101181,
+1706154920788,download,100000,22.000202,31134219.64952426,26.000202,61.999798,101187,27.999943000000002 23.000265 26.000056999999998 26.999756000000005 21.000078000000002
+1706154920933,download,100000,20.000067,32380073.221403766,25.000067,69.999933,101188,27.000069000000003
+1706154921066,download,100000,27.000067,25297447.033470273,32.000067,69.999933,101190,
+1706154921197,download,100000,19.000012999999996,32380783.161992762,25.000012999999996,88.999987,101190,20.000059
+1706154921324,download,100000,31.000067,23129327.152430877,35.000067,69.999933,101191,
+1706154921457,download,100000,17.999920000000003,35197339.81683414,22.999920000000003,91.00008,101192,24.999903000000003
+1706154921566,download,100000,18.999900999999994,32379328.22213977,24.999900999999994,71.000099,101185,
+1706154921662,download,100000,20.000006,32380792.228609867,25.000006,55.999994,101190,20.999912000000002
+1706154921768,download,100000,22.000109000000002,29979434.52746802,27.000109000000002,63.999891,101181,36.00012 27.999924 34.00014899999999 25.999890999999998 20.00009 20.999893 20.000183 18.000027000000003 24.000036 21.000099 28.000017 25.999861000000003 25.000203999999997 22.000067 28.000038000000004 25.000076000000007 26.000120000000003 26.999924 21.000256 24.000048 35.000162 57.000111 19.000152999999997 64.999924 22.999966 55.999945 21.000099 57.000038 34.999872 53.000183 39.000162 35.999996 34.000017 81.99999600000001 71.00010900000001 17.000067 24.999921999999998 24.999954000000002 29.00009 25.000202 40.000172 37.999945 27.999975 18.000027000000003 23.999924 29.000067 35.000069 16.000027000000003 29.999924 29.000120000000003 24.000048 31.999872000000003 25.000183 28.999944999999997 28.000069000000003 26.999882 20.000059 28.000141 29.000110999999997 27.000078000000002 27.000110999999997 23.000017 32.000038 52.999924 55.000023 48.999994 56.999975 41.999954 30.000263000000004 40.00009 35.000235 25.000118 28.000162000000003 44.999985 23.999912000000002 17.999964 19.000275000000002 19.000214 21.000078000000002 19.000036 20.000027000000003 19.999954000000002 19.000109000000002 21.000017
+1706154922159,download,1000000,22.00007099999999,92083694.96617998,87.00007099999999,273.999929,1001411,21.00009
+1706154922341,download,1000000,21.000118,101409468.78079347,79.000118,73.999882,1001420,
+1706154922511,download,1000000,18.000045999999998,104043470.31169306,77.000046,72.999954,1001419,
+1706154922679,download,1000000,24.999943000000002,95373017.09835683,83.999943,65.000057,1001416,24.000048
+1706154922881,download,1000000,20.000118,71529353.21014573,112.000118,73.999882,1001412,
+1706154923049,download,1000000,19.000024999999994,101411005.8825931,79.000025,75.999975,1001434,
+1706154923217,download,1000000,20.999880000000005,100142050.21307531,79.99988,74.00012,1001419,30.999924
+1706154923377,download,1000000,21.99987,98907022.9371973,80.99987,64.00013,1001432,
+1706154923529,upload,100000,40.999859,6813559.322033898,118,77.000141,958,
+1706154923676,upload,100000,29.000076000000007,7376146.7889908245,109,79.999924,952,21.000148999999993
+1706154923808,upload,100000,43.000088000000005,7309090.909090908,110,66.999912,947,
+1706154923922,upload,100000,29.999944999999997,11166666.666666666,72,42.000055,961,
+1706154924066,upload,100000,26.000118,8039999.999999998,100,73.999882,961,
+1706154924194,upload,100000,27.000056999999998,9241379.310344826,87,59.999943,954,18.000120000000003
+1706154924297,upload,100000,29.000038000000004,11652173.913043475,69,39.999962,950,
+1706154924397,upload,100000,28.000110999999997,11652173.913043475,69,40.999889,950,
+1706154938402,upload,1000000,42.999792000000014,18917647.058823526,425,382.000208,952,27.000141
+1706154938826,upload,1000000,28.000270999999998,20775193.79844961,387,358.999729,962,22.000027000000003
+1706154939379,upload,1000000,42.000117999999986,16374745.417515274,491,448.999882,966,28.000110999999997
+1706154939795,upload,1000000,29.000031999999976,20721649.484536078,388,358.999968,958,52.999819
+1706154940257,upload,1000000,23.999990000000025,20668380.46272493,389,365.00001,956,78.000057
+1706154940680,upload,1000000,37.999866,20201005.025125626,398,360.000134,951,
+1706154941439,download,10000000,24.99995,129498172.28949615,617.99995,98.00005,10003733,59.999914 52.999903
+1706154942167,download,10000000,25.999807000000004,129289345.64272004,618.999807,73.000193,10003760,36.000141
+1706154942912,download,10000000,28.000148999999993,128459192.39097966,623.000149,80.999851,10003762,42.000162
+1706154943653,download,10000000,27.000045999999998,129080816.22948782,620.000046,72.999954,10003764,20.000017 42.000109
+1706154944376,download,10000000,21.999827999999994,130342512.0829187,613.999828,70.000172,10003785,40.000111
+1706154945118,download,10000000,19.000036,130768005.37965982,612.000036,62.999964,10003753,44.00012
+1706154948983,upload,10000000,40.000223000000005,21589688.506981734,3724,3683.999777,958,64.00017199999999 93.000057 54.000036 23.000078000000002 21.00013 27.000069000000003 16.999924
+1706154952732,upload,10000000,40.000136999999995,22124380.847550906,3634,3593.999863,955,21.000006 35.000059 25.999966 21.000235000000004 24.000006 27.00013 33.999849 17.000110999999997
+1706154956481,upload,10000000,28.999989999999798,22063666.300768383,3644,3615.00001,956,21.000141 28.000015000000005 23.000006 29.999996000000003 22.999966 28.000017 35.00013
+1706154960236,upload,10000000,23.999920000000202,22240663.900414933,3615,3591.00008,953,26.000244000000002 27.00009 23.000152999999997 30.999975 30.000017 25.000027000000003 30.00009
+1706154961902,download,25000000,19.000139000000004,133107835.99335381,1503.000139,70.999861,25007637,27.00009 48.999903 57.000179
+1706154963613,download,25000000,21.000200000000007,133019280.18360637,1504.0002,84.9998,25007628,68.999975 49.00009 48.999975
+1706154965296,download,25000000,25.999877999999995,131966796.89970264,1515.999878,97.000122,25007706,27.000059 51.000162 42.000256
+1706154966976,download,25000000,19.000041999999993,133107823.29306151,1503.000042,118.999958,25007633,18.999996000000003 43.000069 36.999900999999994
\ No newline at end of file
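Review bot: the row at time 1706154921768, a 100000-byte download, carries dozens of loadedLatencies samples ranging from about 16 to 82 ms, where the neighbouring 100000-byte rows carry between none and five. Check whether those samples belong to that request before the loaded latency figures for margaret-direct are derived from this file. It also lacks a trailing newline, like the previous CSV.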
diff --git a/hardware/margaret/speed-results-1706155380.csv b/hardware/margaret/speed-results-1706155380.csv
new file mode 100644
index 00000000..557f7378
--- /dev/null
+++ b/hardware/margaret/speed-results-1706155380.csv
@@ -0,0 +1,47 @@
+time,direction,bytes,latency,bps,duration,serverTime,responseSize,loadedLatencies
+1706155010643,download,100000,20.000180999999998,16519938.97736827,49.000181,64.999819,101185,
+1706155013412,download,100000,22.000116000000006,29981797.11524202,27.000116000000006,96.999884,101189,28.999924 22.999994 20.999964 22.000017 23.000253999999998
+1706155013542,download,100000,21.999992000000006,29982527.402230334,26.999992000000006,92.000008,101191,17.000141
+1706155013640,download,100000,22.999964,29981373.308497746,26.999964,62.000036,101187,20.000015000000005
+1706155013743,download,100000,20.999921999999998,32381541.030408017,24.999921999999998,68.000078,101192,

(Diff truncated)
notes about universal adapters
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 95fa6818..744c78c0 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -258,7 +258,7 @@ the Framework laptop.
 
 The design is also a little gimmicky: it has a more "plasticky"
 feeling than the power station, and some parts are hard to take
-out. For example, there's a Micro-USB to USB-C adapter that I almost
+out. For example, there's a Micro-USB to USB-C adapter that I <del>almost</del>
 broke trying to figure out how to pry it out of there.
 
 It's also a bit annoying to have all those adapters dangling around
@@ -288,11 +288,18 @@ Specifications:
 The funny thing with this is there's so much stuff crammed in there
 that the manual doesn't even mention all of it. For example, the
 specifications mention a LED and an SD card reader somewhere in there,
-and I haven't found those yet, and they're not in the manual.
+and I haven't found those yet, and they're not in the manual. (Update:
+turns out that was an error on the website, which they since then
+corrected.)
 
 This and the [[MASA power bank|hardware/battery#TOFU]] were ordered
 together and took over a *month* to ship.
 
+For a universal adapter, I found one at a corner store that is simply
+a ~1m jack with USB-C on one end, and micro-USB, Lightning, and USB-C
+on the other end, that was cheap and Just Works. It's a every day
+carry at this point.
+
 ### Ugreen
 
 So I was recommended the Ugreen chargers, but unfortunately it seems
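Review bot: in the added paragraph on the universal adapter, "It's a every day carry" should read "It's an everyday carry", and "a ~1m jack" presumably means a cable, since it is described as having connectors on both ends. The update in parentheses about the LED and SD card reader would be easier to follow with the date of the correction.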

look at USB charger sizes
diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 3f961033..95fa6818 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -85,6 +85,29 @@ The spec here is at least 65W USB-C with international plugs.
   interesting gear nevertheless)
 * StarLabs have a [65W USB-C charger](https://ca.starlabs.systems/collections/power-cables/products/65w-gan-usb-c-power-adapter) with detachable plugs
 
+### Size comparison
+
+| Device   | Width | Height | Depth | Volume | Grams | Watts |
+|----------|-------|--------|-------|--------|-------|-------|
+| Sharge   | 59    | 77     | 29    | 132    | 220   | 100   |
+| TOFU     | 82    | 82     | 28    | 188    | 201   | 45    |
+| Ugreen   | 65    | 65*    | 33    | 139    | 340   | 65    |
+| Oneworld | 54    | 67     | 53    | 192    | 178.2 | 65    |
+| ZMI      | 70.6  | 70.6   | 29.5  | 147    | ???   | 65    |
+| BUDI     | 45*   | 97     | 25*   | 109*   | 167*  | 65    |
+
+Dimensions are in millimeters, volume in cubic centimeters.
+
+Summary: the BUDI is the smallest, both in terms of depth, width,
+volume, and grams (but not height), but beats the next ones (TOFU,
+Sharge, ZMI all within 1.5mm of each other) by only 4mm for depth, so
+maybe not worth it? Interestingly, it's not much lighter than the
+travel-friendly Oneworld.
+
+The Sharge is my current "left in my bag" driver, even though it's
+heavier than the TOFU, because the latter is a little too bulky (one
+of the largest by volume).
+
 ### Sharge
 
 I also bought [this
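Review bot: the asterisks in the size table (Ugreen height, and BUDI width, depth, volume and grams) have no legend; the sentence under the table gives the units but not what "*" means. If they mark estimated or converted values, say so in that sentence. The summary also says "both in terms of depth, width, volume, and grams", where "both" introduces four items.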
@@ -284,6 +307,9 @@ spam."
 The Support button on their website does exactly fuckall, so I guess
 that's it for Ugreen.
 
+- dimension: 2.56 x 2.56 x 1.28 inches
+- weight: 12 ounces
+
 ### Volta
 
 Volta has been a little more helpful and clarified it's possible to
@@ -316,14 +342,31 @@ plenty of ports.
 
 A good choice.
 
+- Dimensions: W 54 x L 53x H 67.0 mm / W 2.13 x L 2.09 x H 2.64 inch
+- Weight: 178.2 g / 6.29 oz
+
 ### ZMI
 
 [ZMI](https://www.zmifi.com/) has interesting products like [this 65W international travel
 adapter](https://www.zmifi.com/en/product/2/171.html). They have more battery packs though, see
 [[hardware/battery#zmi]] for more.
 
+ * 70.6mm x 70.6mm x 29.5mm
+ * no weight spec
+
 Untested.
 
+### BUDI
+
+The [BUDI 65W USB-C charger](https://www.amazon.com/Foldable-Ultra-Thin-Portable-Wall-Mounted-Microsoft/dp/B0B3GFD142) is interesting, [suggested on
+reddit](https://old.reddit.com/r/UsbCHardware/comments/161t5d4/absolutely_smallest_usbc_charger/), because it's *really* thin.
+
+ * Size: 4.21 x 3.82 x 1.77 inches
+ * Weight: 5.9 ounces
+
+It's not small enough to beat the Sharge as a daily driver, but if I
+find it too bulky / heavy, maybe I'll indulge.
+
 ## USB Docks
 
 Specification: 
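Review bot: the BUDI entry lists "Size: 4.21 x 3.82 x 1.77 inches", which is roughly 107 x 97 x 45 mm, but the size comparison table added in this same diff gives the BUDI as 45* x 97 x 25*, and nothing here accounts for the 25 mm depth that the summary relies on. Note where that figure comes from, or that the listed size is not the charger body. The added spec lists also mix styles: the first uses "-" bullets and the next two use " * ", and the units switch between mm/g and inches/ounces from one section to the next.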

yolo margaret
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 282aad03..dc344f19 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -164,7 +164,7 @@ commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/co
  1. micah backup move
  1. APU move
  1. marcos move
- 1. monitoring
+ 1. monitoring: octavia (collectd + prometheus?) and margaret
  1. mail relay
 
 # Tests to run
@@ -197,7 +197,7 @@ noticed during later use.
 
 [Webbloatscore]: https://www.webbloatscore.com
 
-## flent bufferbloat tests
+## failed flent bufferbloat tests
 
 OpenWRT has [this guide to configure SQM to fight bufferbloat](https://wiki.openwrt.org/doc/howto/sqm).
 

update hardware history with lots of changes since 2020
diff --git a/hardware/history.mdwn b/hardware/history.mdwn
index 37c6e0b6..ada547af 100644
--- a/hardware/history.mdwn
+++ b/hardware/history.mdwn
@@ -48,7 +48,7 @@ Here's the detailed history:
   * lenny: AMD Athlon 1.1GHz 200GB disk, 1GB ram, workstation (debian lenny)
   * mumia: Pentium M 1GHz 40GB disk, 1GB ram, laptop (Debian lenny)
 * 2010: HP Mini 10 ([[many problems|blog/2010-03-18-hp-mini-10-netbook-doom]])
-* 2011-...: custom server ([[server/marcos]]), merge of marvin and
+* 2011-2020: custom server ([[server/marcos]]), merge of marvin and
   lenny, backups of marvin archived in two disks (~120GB)
 * 2012-2017: mesh experiments with [[server/plastik]], [[server/roadkiller]]
 * 2011-2018: [[laptop/thinkpad-x120e]] (angela, 600$, 4GB RAM (2x2GB),
@@ -56,20 +56,25 @@ Here's the detailed history:
   2015|blog/2015-09-28-fun-with-batteries]], debian wheezy, jessie,
   then stretch. cause of death: screen cracked)
 * 2016-...: [[octavia]] (Turris Omnia router, [[server/roadkiller]] replacement)
-* 2017-...: Intel NUC desktop (curie, 750$, 16GB, Intel i3-6100U
+* 2017-2023: Intel NUC desktop (curie, 750$, 16GB, Intel i3-6100U
   2.3Ghz 4 threads, M.2 500GB disk,
   [installation report](https://wiki.debian.org/InstallingDebianOn/Intel/NUC6i3SYH#preview),
   debian stretch)
 * 2017?-2018: [[server/mafalda]] (Raspbery Pi, print server moved to
   [[server/plastik]])
-* (2012-2017) 2018-...: [[server/plastik]] (wifi router and print
+* (2012-2017) 2018-2020?: [[server/plastik]] (wifi router and print
   server in the office)
 * 2018: Thinkpad x201 (temporary angela, 0$ from micah, i5 m520, 8GB
   RAM (2x4GB), physically worn out: keys falling off, disk slot broken, drive
   taken from old angela the x120e, running stretch, 128GB Crucial M4 SSD)
-* 2018-...: Thinkad x220 (new [[angela]], 150$ refurb from Encan Depot,
+* 2018-2023: Thinkad x220 (new [[angela]], 150$ refurb from Encan Depot,
   8GB ram, running stretch, 512GB SSD)
 * 2019-...: Vero 4k+ ([[ursula]], home cinema service replacing a part of
   marcos, which is moved to the basement)
-* 2020-...: TP-Link AC1750 router ([[emma]]), may become
-  "standard" for cheap, not-quite-gigabit, wireless bridges
+* 2020-...: [[server/marcos]] hardware replacement, OS installed in 2010
+* 2020-2022: TP-Link AC1750 router ([[emma]]), wireless bridge
+* 2023-...: [[Framework 12|hardware/laptop/framework-12th-gen]] laptop
+  (new [[angela]])
+* 2023-...: Ubiquiti [Unifi AP 6 lite](https://store.ui.com/collections/unifi-network-access-points/products/unifi-ap-6-lite) wifi bridge ([[svetlana]])
+* 2024-...: Protectli router ([[margaret]]), Omnia router
+  ([[octavia]]) downgraded to wifi bridge
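Review bot: the changed line "2018-2023: Thinkad x220" keeps the "Thinkad" typo; since the line is being touched anyway, correct it to match the "Thinkpad x201" entry just above. The new entry "2020-...: [[server/marcos]] hardware replacement, OS installed in 2010" sits oddly next to the entry it closes, "2011-2020: custom server", so it is worth settling whether 2010 or 2011 is the start. The label "Framework 12" for the framework-12th-gen page can be read as a model name rather than a CPU generation.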

idea for router's disaster recovery
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 7bf6fc81..282aad03 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -247,4 +247,15 @@ CF reports:
  * 0% packet loss
  * [[full CSV|speed-results-1706020410.csv]]
 
+# Disaster recovery procedures
+
+We do not have an exact replica of the ProtectLI to recover the
+network in case of a hardware failure. Two options are possible:
+
+ * deploy the Omnia, rolling back to a previous snapshot from before
+   ~2024-01-23
+ * deploy `dal-rescue-02`, reinstalling it from scratch with the
+   `profile::router` Puppet class
+ * use any darn PC with two network cards with the above
+
 [[!tag node]]
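Review bot: the section says "Two options are possible:" and then lists three bullets, the third of which ("use any darn PC with two network cards with the above") depends on the second instead of standing alone. Either say three, or fold the last bullet into the `dal-rescue-02` one. For the Omnia option, rolling back to a snapshot from before ~2024-01-23 puts a gateway back in service with software frozen at that date, so the procedure should include bringing it up to date once it is online again.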

downgrade octavia to a wifi bridge
The rationale is that it's going to go to the office, with an
SFP/optical link, as it's the only router I have with that
capability. A bit overkill, but it's a reliable box I can trust.
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 88fc6fac..7bf6fc81 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -157,7 +157,8 @@ commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/co
  1. DHCP assignments and configuration (dnsmasq) ✅
  1. recursive DNS (dnsmasq) ✅
  1. bufferbloat tests ✅
- 1. swap omnia and router
+ 1. swap omnia and router ✅ (see [[octavia]] for part of that
+    procedure)
  1. re-do bufferbloat tests
  1. reflexion and forward tests
  1. micah backup move
diff --git a/hardware/octavia.mdwn b/hardware/octavia.mdwn
index 4c688509..c07427aa 100644
--- a/hardware/octavia.mdwn
+++ b/hardware/octavia.mdwn
@@ -15,6 +15,34 @@ of race, sex, power".
 >
 > -- Octavia Butler
 
+Important note: this router is now a **wifi bridge** and most of the
+documentation below is not applicable anymore. It was replaced with
+[[margaret]].
+
+# Bridge mode
+
+To switch the router to bridge mode, I figured I would start from a
+clean state so I tried a "factory reset", but this brings me to the
+old Turris 3.x version, from which it is hard or impossible to upgrade
+anymore. At least I couldn't get through the install wizard and I
+would get weird errors when trying to update packages.
+
+I also tried to flash the firmware with [this procedure](https://docs.turris.cz/hw/omnia/rescue-modes/#re-flash-router), but that
+also led me to the old TurrisOS 3.x.
+
+I eventually reverted back to an earlier snapshot and made the
+following changes:
+
+ 1. removed a bunch of packages
+ 2. disabled the DHCP server on LAN
+ 3. turned LAN into a DHCP client
+ 4. assigned the MAC to an address on margaret
+ 5. connected it to the switch
+
+The management interface is still available on the LAN IP, but it
+needs to be known: it's currently hardcoded in DHCP but should be also
+visible in the router's DHCP leases. Automated upgrades should still
+be operational.
 
 Configuration of the Omnia router
 =================================
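Review bot: the numbered steps under "Bridge mode" are not reproducible as written: "removed a bunch of packages" names no packages, and "reverted back to an earlier snapshot" does not say which snapshot. List both, since the margaret checklist changed in this same commit points here for part of the swap procedure. The steps also cover only DHCP on the LAN side; state what was done with the WAN interface and the firewall now that the box is no longer the gateway, given that the management interface stays reachable on the LAN IP.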

fizz ISP update
diff --git a/blog/2020-05-28-isp-upgrade.mdwn b/blog/2020-05-28-isp-upgrade.mdwn
index 77102343..5e4a441d 100644
--- a/blog/2020-05-28-isp-upgrade.mdwn
+++ b/blog/2020-05-28-isp-upgrade.mdwn
@@ -63,39 +63,11 @@ services, including business service if necessary:
  * [TSI](https://teksavvy.com) - `sales@teksavvy.com`
  * <del>[Ebox](https://ebox.ca) - `sales@ebox.ca`</del> [bought by Bell][] (!?)
  * [Beanfield/Openface](https://www.beanfield.com/residential/)
- * [oxio](https://oxio.ca) - `bonjour@oxio.ca`, added ~2 years later
+ * [oxio](https://oxio.ca) - `bonjour@oxio.ca`, added ~2 years later,
+   sold to Cogeco
 
 [bought by Bell]: https://www.ledevoir.com/economie/679263/bell-achete-son-rival-en-services-internet-ebox
 
-I have *not* contacted those providers:
-
- * Bell Canada: i have sworn, two decades ago, never to do business
-   with that company ever again. They have a near-monopoly on almost
-   all telcos in Canada and I want to give them as little money as
-   possible.
-
-   Update: ironically, I'm now considering Bell again, possibly
-   breaking my vow. It's quite unfortunate, but they are the only ones
-   offering fiber in the neighborhood and while they probably won't
-   allow me to run a server or anything, they have cut-throat prices
-   currently. Their [package page](https://www.bell.ca/Bell_Internet/Internet_access) actually varies by location, but
-   on the phone (1-866-558-0708 is the magic, undocumented number to
-   call, don't try their online chat, it's useless) they can qualify
-   your line (apparently) within 24-48h and call you back.
-
-   Prices were quoted as 3gbps symmetric at 65$/mth (normally
-   80$/mth), then 1, 1.5 or 2.5gbps at 60$/mth.
-
-   Update 2: turns out I don't have to break my vow after all. They
-   were *supposed* to call me back and (of course) didn't. When I
-   called back, they told me the line couldn't be qualified, so it
-   seems like Bell insists on offering crap old copper in a central
-   Montreal area in 2023.
-
- * Videotron: I know for a fact they do not allow servers on their
-   network, and their [IPv6 has been in beta](https://support.videotron.com/residential/internet/monitor-usage/ipv6) [for so long](http://web.archive.org/web/20110713003117/http://soutien.videotron.com/residentiel/internet/ipv6) it
-   has become somewhat of a joke now
-
 I might have forgotten some, let me know if you're in the area and
 have a good recommendation. I'll update this post with findings as
 they come in.
@@ -198,6 +170,42 @@ a look as well:
 
 Those have not been reviewed by myself in any shape or form.
 
+## Discarded
+
+ * Fizz seem like a cheap option! 400/50 for 60$/mth, ports *may* be
+   open, according to [this post](https://forum.fizz.ca/fr/discussion/comment/4174931/#Comment_4174931), [unclear](https://forum.fizz.ca/fr/discussion/2277426/serveur-prive-avec-fizz-internet), but a chat with
+   tech support clearly states they do not have a "business" class, no
+   static IP address
+
+I have *not* contacted those providers:
+
+ * Bell Canada: i have sworn, two decades ago, never to do business
+   with that company ever again. They have a near-monopoly on almost
+   all telcos in Canada and I want to give them as little money as
+   possible.
+
+   Update: ironically, I'm now considering Bell again, possibly
+   breaking my vow. It's quite unfortunate, but they are the only ones
+   offering fiber in the neighborhood and while they probably won't
+   allow me to run a server or anything, they have cut-throat prices
+   currently. Their [package page](https://www.bell.ca/Bell_Internet/Internet_access) actually varies by location, but
+   on the phone (1-866-558-0708 is the magic, undocumented number to
+   call, don't try their online chat, it's useless) they can qualify
+   your line (apparently) within 24-48h and call you back.
+
+   Prices were quoted as 3gbps symmetric at 65$/mth (normally
+   80$/mth), then 1, 1.5 or 2.5gbps at 60$/mth.
+
+   Update 2: turns out I don't have to break my vow after all. They
+   were *supposed* to call me back and (of course) didn't. When I
+   called back, they told me the line couldn't be qualified, so it
+   seems like Bell insists on offering crap old copper in a central
+   Montreal area in 2023.
+
+ * Videotron: I know for a fact they do not allow servers on their
+   network, and their [IPv6 has been in beta](https://support.videotron.com/residential/internet/monitor-usage/ipv6) [for so long](http://web.archive.org/web/20110713003117/http://soutien.videotron.com/residentiel/internet/ipv6) it
+   has become somewhat of a joke now
+
 ## Updates
 
 I had a nightmare time trying to convince bell to give me their sweet
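Review bot: the new "## Discarded" heading now covers two different things: Fizz, which was contacted and ruled out, and the list introduced by "I have *not* contacted those providers:". A sub-heading or a separating sentence would keep the reader from taking Bell and Videotron as providers that were evaluated. The Fizz bullet also runs its findings together (ports may be open, "unclear", no business class, no static IP address); say plainly which of these was the reason for discarding it.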

soekris router archeology
diff --git a/hardware/server/roadkiller.mdwn b/hardware/server/roadkiller.mdwn
index 7b5065ca..fdc22a71 100644
--- a/hardware/server/roadkiller.mdwn
+++ b/hardware/server/roadkiller.mdwn
@@ -1,7 +1,526 @@
 Roadkiller was the Soekris net5501 router I used as my main gateway
-([[services/réseau]] et [[services/téléphone]]).
+between 2010 and 2016 ([[services/réseau]] et [[services/téléphone]]).
 
 Il a été mis à jour à FreeBSD 8.4-p12 (2014-06-06) et `pkgng`. Il
 n'est plus en service depuis l'installation de [[hardware/octavia]].
 
+10 ans plus tard (2024-01-24), le routeur a été démarré et il semble
+encore fonctionnel!
+
+    comBIOS ver. 1.33  20070103  Copyright (C) 2000-2007 Soekris Engineering.
+
+    net5501
+
+    0512 Mbyte Memory                        CPU Geode LX 500 Mhz 
+
+    Pri Mas  WDC WD800VE-00HDT0              LBA Xlt 1024-255-63  78 Gbyte
+
+    Slot   Vend Dev  ClassRev Cmd  Stat CL LT HT  Base1    Base2   Int 
+    -------------------------------------------------------------------
+    0:01:2 1022 2082 10100000 0006 0220 08 00 00 A0000000 00000000 10
+    0:06:0 1106 3053 02000096 0117 0210 08 40 00 0000E101 A0004000 11
+    0:07:0 1106 3053 02000096 0117 0210 08 40 00 0000E201 A0004100 05
+    0:08:0 1106 3053 02000096 0117 0210 08 40 00 0000E301 A0004200 09
+    0:09:0 1106 3053 02000096 0117 0210 08 40 00 0000E401 A0004300 12
+    0:20:0 1022 2090 06010003 0009 02A0 08 40 80 00006001 00006101 
+    0:20:2 1022 209A 01018001 0005 02A0 08 00 00 00000000 00000000 
+    0:21:0 1022 2094 0C031002 0006 0230 08 00 80 A0005000 00000000 15
+    0:21:1 1022 2095 0C032002 0006 0230 08 00 00 A0006000 00000000 15
+
+     4 Seconds to automatic boot.   Press Ctrl-P for entering Monitor.
+
+    �������������������������������������������
+     �                                         �
+     �                                         �      ______
+     �                                         �     |  ____| __ ___  ___ 
+     �          Welcome to FreeBSD!            �     | |__ | '__/ _ \/ _ \
+     �                                         �     |  __|| | |  __/  __/
+     �                                         �     | |   | | |    |    |
+     �  1. Boot FreeBSD [default]              �     |_|   |_|  \___|\___|
+     �  2. Boot FreeBSD with ACPI enabled      �      ____   _____ _____
+     �  3. Boot FreeBSD in Safe Mode           �     |  _ \ / ____|  __ \
+     �  4. Boot FreeBSD in single user mode    �     | |_) | (___ | |  | |
+     �  5. Boot FreeBSD with verbose logging   �     |  _ < \___ \| |  | |
+     �  6. Escape to loader prompt             �     | |_) |____) | |__| |
+     �  7. Reboot                              �     |     |      |      |
+     �                                         �     |____/|_____/|_____/
+     �                                         �
+     �                                         �
+     �                                         �
+     �  Select option, [Enter] for default     �
+     �  or [Space] to pause timer  5           �
+     �������������������������������������������
+
+
+    Copyright (c) 1992-2013 The FreeBSD Project.
+    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
+            The Regents of the University of California. All rights reserved.
+    FreeBSD is a registered trademark of The FreeBSD Foundation.
+    FreeBSD 8.4-RELEASE-p12 #5: Fri Jun  6 02:43:23 EDT 2014
+        root@roadkiller.anarc.at:/usr/obj/usr/src/sys/ROADKILL i386
+    gcc version 4.2.2 20070831 prerelease [FreeBSD]
+    Timecounter "i8254" frequency 1193182 Hz quality 0
+    CPU: Geode(TM) Integrated Processor by AMD PCS (499.90-MHz 586-class CPU)
+      Origin = "AuthenticAMD"  Id = 0x5a2  Family = 5  Model = a  Stepping = 2
+      Features=0x88a93d<FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CLFLUSH,MMX>
+      AMD Features=0xc0400000<MMX+,3DNow!+,3DNow!>
+    real memory  = 536870912 (512 MB)
+    avail memory = 506445824 (482 MB)
+    kbd1 at kbdmux0
+    K6-family MTRR support enabled (2 registers)
+    ACPI Error: A valid RSDP was not found (20101013/tbxfroot-309)
+    ACPI: Table initialisation failed: AE_NOT_FOUND
+    ACPI: Try disabling either ACPI or apic support.
+    cryptosoft0: <software crypto> on motherboard
+    pcib0 pcibus 0 on motherboard
+    pci0: <PCI bus> on pcib0
+    Geode LX: Soekris net5501 comBIOS ver. 1.33 20070103 Copyright (C) 2000-2007
+    pci0: <encrypt/decrypt, entertainment crypto> at device 1.2 (no driver attached)
+    vr0: <VIA VT6105M Rhine III 10/100BaseTX> port 0xe100-0xe1ff mem 0xa0004000-0xa00040ff irq 11 at device 6.0 on pci0
+    vr0: Quirks: 0x2
+    vr0: Revision: 0x96
+    miibus0: <MII bus> on vr0
+    ukphy0: <Generic IEEE 802.3u media interface> PHY 1 on miibus0
+    ukphy0:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
+    vr0: Ethernet address: 00:00:24:cc:93:44
+    vr0: [ITHREAD]
+    vr1: <VIA VT6105M Rhine III 10/100BaseTX> port 0xe200-0xe2ff mem 0xa0004100-0xa00041ff irq 5 at device 7.0 on pci0
+    vr1: Quirks: 0x2
+    vr1: Revision: 0x96
+    miibus1: <MII bus> on vr1
+    ukphy1: <Generic IEEE 802.3u media interface> PHY 1 on miibus1
+    ukphy1:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
+    vr1: Ethernet address: 00:00:24:cc:93:45
+    vr1: [ITHREAD]
+    vr2: <VIA VT6105M Rhine III 10/100BaseTX> port 0xe300-0xe3ff mem 0xa0004200-0xa00042ff irq 9 at device 8.0 on pci0
+    vr2: Quirks: 0x2
+    vr2: Revision: 0x96
+    miibus2: <MII bus> on vr2
+    ukphy2: <Generic IEEE 802.3u media interface> PHY 1 on miibus2
+    ukphy2:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
+    vr2: Ethernet address: 00:00:24:cc:93:46
+    vr2: [ITHREAD]
+    vr3: <VIA VT6105M Rhine III 10/100BaseTX> port 0xe400-0xe4ff mem 0xa0004300-0xa00043ff irq 12 at device 9.0 on pci0
+    vr3: Quirks: 0x2
+    vr3: Revision: 0x96
+    miibus3: <MII bus> on vr3
+    ukphy3: <Generic IEEE 802.3u media interface> PHY 1 on miibus3
+    ukphy3:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
+    vr3: Ethernet address: 00:00:24:cc:93:47
+    vr3: [ITHREAD]
+    isab0: <PCI-ISA bridge> at device 20.0 on pci0
+    isa0: <ISA bus> on isab0
+    atapci0: <AMD CS5536 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xe000-0xe00f at device 20.2 on pci0
+    ata0: <ATA channel> at channel 0 on atapci0
+    ata0: [ITHREAD]
+    ata1: <ATA channel> at channel 1 on atapci0
+    ata1: [ITHREAD]
+    ohci0: <OHCI (generic) USB controller> mem 0xa0005000-0xa0005fff irq 15 at device 21.0 on pci0
+    ohci0: [ITHREAD]
+    usbus0 on ohci0
+    ehci0: <AMD CS5536 (Geode) USB 2.0 controller> mem 0xa0006000-0xa0006fff irq 15 at device 21.1 on pci0
+    ehci0: [ITHREAD]
+    usbus1: EHCI version 1.0
+    usbus1 on ehci0
+    cpu0 on motherboard
+    pmtimer0 on isa0
+    orm0: <ISA Option ROM> at iomem 0xc8000-0xd27ff pnpid ORM0000 on isa0
+    atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
+    atkbd0: <AT Keyboard> irq 1 on atkbdc0
+    kbd0 at atkbd0
+    atkbd0: [GIANT-LOCKED]
+    atkbd0: [ITHREAD]
+    atrtc0: <AT Real Time Clock> at port 0x70 irq 8 on isa0
+    ppc0: parallel port not found.
+    uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
+    uart0: [FILTER]
+    uart0: console (19200,n,8,1)
+    uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0
+    uart1: [FILTER]
+    Timecounter "TSC" frequency 499903982 Hz quality 800
+    Timecounters tick every 1.000 msec
+    IPsec: Initialized Security Association Processing.
+    usbus0: 12Mbps Full Speed USB v1.0
+    usbus1: 480Mbps High Speed USB v2.0
+    ad0: 76319MB <WDC WD800VE-00HDT0 09.07D09> at ata0-master UDMA100 
+    ugen0.1: <AMD> at usbus0
+    uhub0: <AMD OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
+    ugen1.1: <AMD> at usbus1
+    uhub1: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
+    GEOM: ad0s1: geometry does not match label (255h,63s != 16h,63s).
+    uhub0: 4 ports with 4 removable, self powered
+    Root mount waiting for: usbus1
+    Root mount waiting for: usbus1
+    uhub1: 4 ports with 4 removable, self powered
+    Trying to mount root from ufs:/dev/ad0s1a
+
+The last log rotation is from 2016:
+
+    [root@roadkiller /var/log]# stat /var/log/wtmp      
+    65 61783 -rw-r--r-- 1 root wheel 208219 1056 "Nov  1 05:00:01 2016" "Jan 18 22:29:16 2017" "Jan 18 22:29:16 2017" "Nov  1 05:00:01 2016" 16384 4 0 /var/log/wtmp
+
+Interestingly, we switched between eicat and teksavvy on December
+11th. Which year? Who knows!
+
+    Dec 11 16:38:40 roadkiller mpd: [eicatL0] LCP: authorization successful
+    Dec 11 16:41:15 roadkiller mpd: [teksavvyL0] LCP: authorization successful
+
+Maybe 2015, because the log dates from 2017, and the last entry is
+from November of the year after the above:
+
+    [root@roadkiller /var/log]# stat mpd.log 
+    65 47113 -rw-r--r-- 1 root wheel 193008 71939195 "Jan 18 22:39:18 2017" "Jan 18 22:39:59 2017" "Jan 18 22:39:59 2017" "Apr  2 10:41:37 2013" 16384 140640 0 mpd.log
+
+It looks like the system was installed in 2010:
+
+    [root@roadkiller /var/log]# stat /
+    63 2 drwxr-xr-x 21 root wheel 2120 512 "Jan 18 22:34:43 2017" "Jan 18 22:28:12 2017" "Jan 18 22:28:12 2017" "Jul 18 22:25:00 2010" 16384 4 0 /
+
+... so it lived for about 6 years, but still works after almost *14
+years*, which I find utterly amazing.
+
+Another amazing thing is that there's tuptime installed on that
+server! That is a software I *thought* I discovered later and then
+sponsored in Debian, but turns out I was already using it then!
+
+    [root@roadkiller /var]# tuptime 
+    System startups:        19   since   21:20:16 11/07/15
+    System shutdowns:       0 ok   -   18 bad
+    System uptime:          85.93 %   -   1 year, 11 days, 10 hours, 3 minutes and 36 seconds
+    System downtime:        14.07 %   -   61 days, 15 hours, 22 minutes and 45 seconds
+    System life:            1 year, 73 days, 1 hour, 26 minutes and 20 seconds
+
+    Largest uptime:         122 days, 9 hours, 17 minutes and 6 seconds   from   08:17:56 02/02/16
+    Shortest uptime:        5 minutes and 4 seconds   from   21:55:00 01/18/17
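Review bot: the FreeBSD loader menu pasted into the boot log (the "Welcome to FreeBSD!" frame) has its border made of U+FFFD replacement characters, so the box-drawing bytes from the serial capture were lost in decoding. Trim the menu to its option list or drop it, since the kernel messages that follow carry the information the page relies on. The same log publishes the Ethernet addresses of vr0 to vr3, which may be worth masking on a public wiki, and "That is a software I *thought* I discovered" would read better as "a piece of software".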

(Diff truncated)
bufferbloat tests, seem okay
diff --git a/hardware/margaret.md b/hardware/margaret.md
index b4679b44..88fc6fac 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -151,15 +151,20 @@ commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/co
 # Remaining work
 
  1. puppet bootstrap ✅
- 2. systemd-networkd ✅
- 3. dump fw rules on belleville ✅ and omnia ✅
- 4. firewall with nftables (forwarding and NAT) ✅ missing a few
- 5. DHCP assignments and configuration (dnsmasq) ✅
- 6. recursive DNS (dnsmasq) ✅
- 5. swap omnia and router
- 6. monitoring
- 7. bufferbloat tests
- 8. mail relay
+ 1. systemd-networkd ✅
+ 1. dump fw rules on belleville ✅ and omnia ✅
+ 1. firewall with nftables (forwarding and NAT) ✅ missing a few
+ 1. DHCP assignments and configuration (dnsmasq) ✅
+ 1. recursive DNS (dnsmasq) ✅
+ 1. bufferbloat tests ✅
+ 1. swap omnia and router
+ 1. re-do bufferbloat tests
+ 1. reflexion and forward tests
+ 1. micah backup move
+ 1. APU move
+ 1. marcos move
+ 1. monitoring
+ 1. mail relay
 
 # Tests to run
 
@@ -191,7 +196,7 @@ noticed during later use.
 
 [Webbloatscore]: https://www.webbloatscore.com
 
-## bufferbloat tests
+## flent bufferbloat tests
 
 OpenWRT has [this guide to configure SQM to fight bufferbloat](https://wiki.openwrt.org/doc/howto/sqm).
 
@@ -221,4 +226,24 @@ Installing it on the pristine router yields:
 
 And that doesn't include `netperf`.
 
+## octavia bufferbloat tests
+
+CF reports:
+
+ * Bandwidth: 133mbps/22.2mbps
+ * Latency: 20.5ms (loaded: 34.5ms/53.5ms)
+ * Jitter: 4.32ms (loaded: 17.9ms/11.2ms)
+ * 0% packet loss
+ * [[full CSV|speed-results-1706020222.csv]]
+
+## with margaret in front
+
+CF reports:
+
+ * Bandwidth: 131mbps/61.2mbps
+ * Latency: 21ms (loaded: 40.5ms/56.5ms)
+ * Jitter: 2.58ms (loaded: 14.4ms/5.53ms)
+ * 0% packet loss
+ * [[full CSV|speed-results-1706020410.csv]]
+
 [[!tag node]]
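Review bot: both result lists write the unit as "mbps", which reads as millibits per second; the CSV files added in this commit show bps values around 130 million, so "Mbps" is meant. "CF" is not expanded anywhere in the hunk, and the two values in each "loaded" pair are unlabelled, so say which one is under download load and which under upload load. Since the two runs are a before/after pair, "with margaret in front" would be clearer as a sub-heading or with the test name repeated in the heading.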
diff --git a/hardware/margaret/speed-results-1706020222.csv b/hardware/margaret/speed-results-1706020222.csv
new file mode 100644
index 00000000..64c73cb2
--- /dev/null
+++ b/hardware/margaret/speed-results-1706020222.csv
@@ -0,0 +1,47 @@
+time,direction,bytes,latency,bps,duration,serverTime,responseSize,loadedLatencies
+1706020149506,download,100000,28.000044000000003,14990358.156004464,54.000044,95.999956,101185,
+1706020153917,download,100000,19.999951999999993,32380542.17064098,24.999951999999993,75.000048,101189,
+1706020154065,download,100000,21.000148999999993,18825795.23154676,43.00014899999999,80.999851,101189,22.000244000000002
+1706020154185,download,100000,19.000220999999996,33729356.07551281,24.000220999999996,81.999779,101189,
+1706020154334,download,100000,21.99996,28910041.300059,27.99996,108.00004,101185,
+1706020154475,download,100000,25.999868000000006,26114433.777588982,30.999868000000006,87.000132,101193,
+1706020154580,download,100000,17.000056999999998,33730586.5565236,24.000056999999998,59.999943,101192,25.000212000000005
+1706020154701,download,100000,22.000139000000004,29982364.164865963,27.000139000000004,70.999861,101191,
+1706020154820,download,100000,21.000096999999997,31133114.618764695,26.000096999999997,76.999903,101183,
+1706020154934,download,100000,22.000253999999998,29979273.5283157,27.000253999999998,65.999746,101181,
+1706020155197,download,1000000,18.999992000000006,97699326.60481234,81.999992,92.000008,1001418,
+1706020155406,download,1000000,17.000128000000004,105418138.24313559,76.000128,83.999872,1001474,30.000235000000004
+1706020155608,download,1000000,20.000231,101410235.11690743,79.000231,91.999769,1001429,
+1706020155807,download,1000000,23.000212000000005,96522355.8706091,83.000212,71.999788,1001422,
+1706020156017,download,1000000,18.000052999999994,104042941.37304035,77.000053,105.999947,1001414,24.000109000000002
+1706020156240,download,1000000,20.000105000000005,101410396.85959911,79.000105,109.999895,1001429,
+1706020156429,download,1000000,20.999899,102709056.07198286,77.999899,94.000101,1001412,23.000048
+1706020156635,download,1000000,22.999992000000006,86144437.51780108,92.999992,92.000008,1001429,
+1706020156804,upload,100000,49.999868000000006,5868613.13868613,137,87.000132,951,
+1706020156988,upload,100000,30.000024999999994,7584905.660377357,106,75.999975,955,21.999877999999995
+1706020157083,upload,100000,30.000141,10307692.307692306,78,47.999859,952,
+1706020157177,upload,100000,30.000162000000003,10719999.999999998,75,44.999838,958,
+1706020157305,upload,100000,29.000096999999997,7584905.660377357,106,76.999903,948,
+1706020157397,upload,100000,23.999954000000002,10578947.368421052,76,52.000046,948,
+1706020157564,upload,100000,28.000165999999993,5289473.684210526,152,123.999834,956,26.999848999999998
+1706020157681,upload,100000,28.999954000000002,9925925.925925924,81,52.000046,949,
+1706020172747,upload,1000000,43.000226999999995,18654292.34338747,431,387.999773,959,19.999903000000003
+1706020173284,upload,1000000,35.999933,17253218.88412017,466,430.000067,951,16.000015000000005
+1706020173753,upload,1000000,30.999949000000015,19999999.999999996,402,371.000051,949,20.000118
+1706020174200,upload,1000000,27.999915999999985,19373493.97590361,415,387.000084,949,25.000120000000003
+1706020174645,upload,1000000,30.000135,20251889.16876574,397,366.999865,951,
+1706020175134,upload,1000000,27.999989000000028,19326923.076923076,416,388.000011,947,41.000202
+1706020175894,download,10000000,18.000052999999994,131196972.2074762,610.000053,105.999947,10003770,35.000151
+1706020176700,download,10000000,17.99995,130982609.73671111,610.99995,98.00005,10003796,27.000118
+1706020177429,download,10000000,18.000004000000004,130768195.22373728,612.000004,78.999996,10003767,21.000244000000002 34.000214
+1706020178186,download,10000000,19.000073999999998,130768310.98553102,612.000074,102.999926,10003777,63.00013
+1706020178928,download,10000000,20.000095,130554433.27459843,613.000095,99.999905,10003735,43.000139000000004
+1706020179676,download,10000000,30.000107,127843530.86380543,626.000107,86.999893,10003758,19.000118 43.999861
+1706020183430,upload,10000000,40.99997100000019,22112211.22112211,3636,3595.000029,948,19.000023000000056 44.00013 45.000181 50.000202 49.000193 51.999903
+1706020187257,upload,10000000,27.000191000000086,22320932.81510272,3602,3574.999809,953,55.000109 62.999776999999995 58.999943 61.000006 66.999943 73.000193 75.999903
+1706020191016,upload,10000000,29.00011399999994,22033433.817484237,3649,3619.999886,954,70.999859 77.000067 96.999975
+1706020194723,upload,10000000,27.99995200000012,22314737.718567856,3603,3575.000048,958,25.000275000000002
+1706020196396,download,25000000,20.000148999999993,133107739.29936583,1503.000149,80.999851,25007619,
+1706020198032,download,25000000,20.000212000000005,133196183.59681031,1502.000212,71.999788,25007587,
+1706020199667,download,25000000,19.000045999999998,133196555.17507221,1502.000046,72.999954,25007654,
+1706020201305,download,25000000,19.000096999999997,133196007.37682243,1502.000097,76.999903,25007552,
\ No newline at end of file
diff --git a/hardware/margaret/speed-results-1706020410.csv b/hardware/margaret/speed-results-1706020410.csv
new file mode 100644
index 00000000..cca4315e
--- /dev/null
+++ b/hardware/margaret/speed-results-1706020410.csv
@@ -0,0 +1,47 @@
+time,direction,bytes,latency,bps,duration,serverTime,responseSize,loadedLatencies
+1706020347396,download,100000,18.000036,17598247.097024012,46.000036,62.999964,101190,
+1706020350126,download,100000,19.000045999999998,33726935.35670724,24.000045999999998,72.999954,101181,33.9998 22.000162000000003 19.000017 21.000101 20.999933
+1706020350251,download,100000,27.000088000000005,17988053.712250516,45.000088000000005,66.999912,101183,20.000147
+1706020350404,download,100000,21.000159999999994,31138885.299167395,26.000159999999994,67.99984,101202,
+1706020350535,download,100000,29.000015000000005,22485323.964448348,36.000015000000005,65.999985,101184,26.000235000000004
+1706020350633,download,100000,19.000056999999998,32380406.172673926,25.000056999999998,59.999943,101189,
+1706020350753,download,100000,22.000036,27913068.79756977,29.000036,62.999964,101185,
+1706020350866,download,100000,20.000159999999994,32379952.76830229,25.000159999999994,67.99984,101188,20.00013
+1706020351015,download,100000,20.000147,32380929.600133955,25.000147,103.999853,101191,
+1706020351149,download,100000,23.999921999999998,27914281.97634463,28.999921999999998,68.000078,101189,19.000209999999996 0.01 28.000048 21.000069000000003 21.00009 30.999816999999993 20.000048 28.999986999999997 20.000203999999997 28.000162000000003 23.000027000000003 22.000099 25.999872000000003 24.000017 19.00009 21.999996000000003 21.000069000000003 19.000232999999994 24.000099 21.999933 28.000223 22.999851 26.999944999999997 23.999943000000002 24.000120000000003 28.000048 74.000006 69.99999600000001 51.000099 60.000006 50.000141 53.00012 41.99984 20.99987 47.000048 50.000109 25.999903000000003 59.00009 42.999931000000004 37.000036 37.000099 37.99984 46.999882 19.000099 47.000202 53.000181 36.000172 43.999933 48.00013 53.999908000000005 53.000027 55.000069 56.000141 57.000153 59.000078 65.999964 51.000172 65.000265 64.000118 70.00012000000001 52.000159999999994 57.000038 66.000036 49.000006 46.000078 47.999872 28.999966 46.999994 33.000183 43.000057 64.00012000000001 60.999786 45.000132 65.000025 57.000193 56.000162 32.999996 18.999912000000002 26.000038000000004 22.999933
+1706020351355,download,1000000,26.000116000000006,95372915.91359231,84.000116,96.999884,1001417,
+1706020351524,download,1000000,23.000045999999998,100141542.41861312,80.000046,72.999954,1001416,29.000056999999998
+1706020351701,download,1000000,28.000159999999994,92084336.39662273,87.00016,67.99984,1001419,
+1706020351855,download,1000000,19.000202,104045025.75201036,77.000202,61.999798,1001436,
+1706020352034,download,1000000,19.000096999999997,102708795.34931862,78.000097,76.999903,1001412,
+1706020352236,download,1000000,27.999941000000007,93154668.5595982,85.999941,88.000059,1001412,24.000036
+1706020352416,download,1000000,20.999888999999996,101411990.5915311,78.999889,84.000111,1001442,
+1706020352603,download,1000000,20.999931000000004,102709424.1916701,77.999931,78.000069,1001416,
+1706020352750,upload,100000,41.000305,7243243.243243242,111,69.999695,953,
+1706020352866,upload,100000,30.000172,9458823.529411763,85,54.999828,955,20.999975
+1706020353024,upload,100000,43.999912,7882352.94117647,102,58.000088,955,
+1706020353122,upload,100000,29.000038000000004,11652173.913043475,69,39.999962,952,
+1706020353263,upload,100000,30.000078000000002,9241379.310344826,87,56.999922,953,
+1706020353381,upload,100000,26.000162000000003,11323943.66197183,71,44.999838,957,
+1706020353480,upload,100000,28.000017,11323943.66197183,71,42.999983,956,19.000006
+1706020353580,upload,100000,27.000110999999997,11823529.411764704,68,40.999889,957,
+1706020379482,upload,1000000,43.999926000000016,18231292.5170068,441,397.000074,962,22.99984
+1706020379928,upload,1000000,30.000042000000008,20150375.93984962,399,368.999958,950,
+1706020380347,upload,1000000,0.01,93488372.09302326,86,355.000019,957,57.999924
+1706020380863,upload,1000000,41.000046,16441717.791411042,489,447.999954,947,20.000006
+1706020381289,upload,1000000,0.01,60909090.9090909,132,360.999823,950,69.00010900000001
+1706020381714,upload,1000000,0.01,61846153.84615384,130,364.000082,956,53.000069
+1706020382454,download,10000000,20.000076000000007,130554737.48424134,613.000076,79.999924,10003758,68.000286
+1706020383163,download,10000000,19.999943000000002,130768469.69575615,611.999943,65.000057,10003787,31.000012999999996
+1706020383885,download,10000000,19.000067,130768037.97147298,612.000067,69.999933,10003756,24.000203999999997 51.999924
+1706020384647,download,10000000,24.000109000000002,119626144.93385682,669.000109,63.999891,10003738,29.000099
+1706020385370,download,10000000,19.000096999999997,130554994.0231086,613.000097,76.999903,10003778,30.999985000000002
+1706020386087,download,10000000,20.999994,130554115.47035022,612.999994,69.000006,10003709,39.000069 54.000078
+1706020389859,upload,10000000,38.99990799999978,22069722.75597035,3643,3604.000092,948,29.000276999999997 56.999779 41.999975 34.00009 38.000088000000005 40.000265 45.000036
+1706020393584,upload,10000000,30.99995200000012,22296173.04492512,3606,3575.000048,960,19.000069000000003 49.000048 52.000027 54.999996 46.000027 51.00007600000001 49.999954
+1706020397295,upload,10000000,28.999879999999848,22314737.718567856,3603,3574.00012,957,52.000151 56.000001999999995 51.999954 58.000027 59.000057 60.000151 61.999851
+1706020401032,upload,10000000,30.000148999999965,22265300.47078371,3611,3580.999851,953,65.999954 69.99999600000001 63.000027 66.999975 56.999924 62.00009300000001
+1706020402792,download,25000000,19.999868000000006,126062639.3448446,1586.999868,87.000132,25007674,23.00009 30.00009 41.000204
+1706020404734,download,25000000,22.000076000000007,111953512.86599497,1787.000076,79.999924,25007617,25.000256 43.000017 43.999945 42.999849
+1706020406375,download,25000000,19.000263000000004,133196503.9742473,1502.000263,75.999737,25007648,54.999880000000005 66.000204 49.000048
+1706020408012,download,25000000,19.000232999999994,132843081.70488842,1506.000233,68.999767,25007714,40.000298 62.000256 28.000038000000004
\ No newline at end of file
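Review bot: three of the 1000000-byte upload rows (timestamps 1706020380347, 1706020381289 and 1706020381714) record a latency of 0.01 and durations of 86 to 132 ms, shorter than their own serverTime of 355 to 364 ms, which yields 61 to 93 Mbps where the neighbouring rows and the 10000000-byte uploads give 16 to 22 Mbps. These look like measurement artifacts and probably account for the 61.2mbps upload figure reported in margaret.md for this run, so that figure should be flagged or the test repeated before the two runs are compared. The file also ends without a trailing newline.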

progress
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 301ff842..b4679b44 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -150,12 +150,12 @@ commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/co
 
 # Remaining work
 
- 1. puppet bootstrap (./)
- 2. systemd-networkd (./)
- 3. dump fw rules on belleville (./) and omnia
- 4. firewall (nftables)
- 5. DHCP assignments and configuration (dnsmasq) (./) - missing omnia rules
- 6. recursive DNS (dnsmasq) (./) - missing DNSSEC
+ 1. puppet bootstrap ✅
+ 2. systemd-networkd ✅
+ 3. dump fw rules on belleville ✅ and omnia ✅
+ 4. firewall with nftables (forwarding and NAT) ✅ missing a few
+ 5. DHCP assignments and configuration (dnsmasq) ✅
+ 6. recursive DNS (dnsmasq) ✅
  5. swap omnia and router
  6. monitoring
  7. bufferbloat tests
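Review bot: "firewall with nftables (forwarding and NAT) ✅ missing a few" marks the item as done while stating that rules are still missing, and the "missing omnia rules" and "missing DNSSEC" caveats on the removed lines disappear without a replacement entry. Keep the open parts as separate unchecked items so the list does not read as a finished firewall and resolver. The numbering also still repeats 5 and 6: "6. recursive DNS" is followed by "5. swap omnia and router".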

router setup progress
diff --git a/hardware/margaret.md b/hardware/margaret.md
index 944473d7..301ff842 100644
--- a/hardware/margaret.md
+++ b/hardware/margaret.md
@@ -150,14 +150,16 @@ commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/co
 
 # Remaining work
 
- 1. puppet bootstrap
- 2. systemd-networkd
- 3. dump fw rules on omnia, office
- 4. firewall (nftables + puppet?)
- 4. DHCP assignments and configuration
+ 1. puppet bootstrap (./)
+ 2. systemd-networkd (./)
+ 3. dump fw rules on belleville (./) and omnia
+ 4. firewall (nftables)
+ 5. DHCP assignments and configuration (dnsmasq) (./) - missing omnia rules
+ 6. recursive DNS (dnsmasq) (./) - missing DNSSEC
  5. swap omnia and router
  6. monitoring
  7. bufferbloat tests
+ 8. mail relay
 
 # Tests to run
 

another compositor found
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index fa507f03..1dd63967 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -187,6 +187,7 @@ Other options include:
  * [river][]: Zig, stackable, tagging, not in Debian  ([1006593][])
  * [velox][]: inspired by xmonad and dwm, not in Debian
  * [vivarium][]: inspired by xmonad, not in Debian
+ * [wlmaker][]: inspired by Window Maker, not in Debian
 
 [Sway]: http://swaywm.org/
 [i3 window manager]: https://i3wm.org/
@@ -206,6 +207,7 @@ Other options include:
 [vivarium]: https://github.com/inclement/vivarium
 [hikari]: https://hikari.acmelabs.space/
 [1040971]: https://bugs.debian.org/1040971
+[wlmaker]: https://github.com/phkaeser/wlmaker
 
 ## Status bar: py3status → waybar
 

got a new monitor
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 5f6ad11c..49fe9540 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -155,13 +155,12 @@ I somehow managed to collect a ridiculous pile of old monitors. Here's
 what works and doesn't, in descending order of (totally subjective)
 "quality":
 
-| Model                          | Resolution     | Size  | Contrast | Lat   | Connectors                                                    | Notes                        | Status    |
-|--------------------------------|----------------|-------|----------|-------|---------------------------------------------------------------|------------------------------|-----------|
-| [Dell U2723QE][]               | 3840x2160@60Hz | 27"   | 2000:1   | 5-8ms | HDMI DP DP-out 2xUSB-C up 90W 2xUSB-C 5x USB-A line-out RJ-45 | shiny                        | angela    |
-| [LG Flatron Wide L204WTX-SF][] | 1680x1050@60Hz | 20"   | 2000:1   | 5ms   | VGA DVI                                                       | looks great, one dead pixel  | angela |
-| [Acer P186HV][]                | 1366x768@60Hz  | 18.5" | 5000:1   | 5ms   | VGA                                                           | display looks dusty          | simon     |
-| [Dell 1704FPvt][]              | 1280x1024@60Hz | 17"   | 1000:1   | 25ms  | VGA DVI 4xUSB                                                 | square, rotating, flickering | marcos    |
-| [Dell 1704FPvt][]              | 1280x1024@60Hz | 17"   | 1000:1   | 25ms  | VGA DVI 4xUSB                                                 | square, rotating, flickering | curie     |
+| Model              | Resolution     | Size  | Contrast | Lat   | Connectors                                                    | Notes                        | Status |
+|--------------------|----------------|-------|----------|-------|---------------------------------------------------------------|------------------------------|--------|
+| 2x[Dell U2723QE][] | 3840x2160@60Hz | 27"   | 2000:1   | 5-8ms | HDMI DP DP-out 2xUSB-C up 90W 2xUSB-C 5x USB-A line-out RJ-45 | shiny                        | angela |
+| [Acer P186HV][]    | 1366x768@60Hz  | 18.5" | 5000:1   | 5ms   | VGA                                                           | display looks dusty          | simon  |
+| [Dell 1704FPvt][]  | 1280x1024@60Hz | 17"   | 1000:1   | 25ms  | VGA DVI 4xUSB                                                 | square, rotating, flickering | marcos |
+| [Dell 1704FPvt][]  | 1280x1024@60Hz | 17"   | 1000:1   | 25ms  | VGA DVI 4xUSB                                                 | square, rotating, flickering | curie  |
 
 A note on the Dell 1704FPvt monitors: they can't be used for
 desktops. Their design resolution is 1280x1024 which is a little low,
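Review bot: "2x[Dell U2723QE][]" puts a quantity inside the Model column, while the two Dell 1704FPvt units each keep their own row and Status. Pick one convention, either one row per unit or a separate count column, so the table can still be read per machine.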
@@ -239,8 +238,9 @@ Those monitors have problems and will be scrapped eventually:
 | Model                          | Resolution     | Size | Contrast | Lat   | Connectors           | Notes                              | Status    |
 |--------------------------------|----------------|------|----------|-------|----------------------|------------------------------------|-----------|
 | [HP L2245wg][]                 | 1680x1050@60Hz | 22"  | 1000:1   | 5ms   | VGA DVI 2xUSB        | LCD TN Film, rotating, 45-65W      | simon     |
-| [Dell S2721QS][]               | 3840x2160@60Hz | 27"  | 1000:1   | 4-8ms | HDMI DP 1.2 line-out | returned                           | ex-angela    |
+| [Dell S2721QS][]               | 3840x2160@60Hz | 27"  | 1000:1   | 4-8ms | HDMI DP 1.2 line-out | returned                           | ex-angela |
 | [Dell 2208WFP][]               | 1680x1050@?Hz  | 22"  | 1000:1   | 5ms   | VGA DVI 2xUSB        | looks organge-y, 20$ from recyborg | ex-angela |
+| [LG Flatron Wide L204WTX-SF][] | 1680x1050@60Hz | 20"  | 2000:1   | 5ms   | VGA DVI              | looks great, one dead pixel        | ex-angela    |
 
 The HP was retired because it was getting finicky: it would "short"
 and blank out, get all "fuzzy" and weird. The new monitor (the [LG
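Review bot: the added LG Flatron row lands in the table introduced as "Those monitors have problems and will be scrapped eventually" with the note "looks great, one dead pixel", so the row gives no reason for its retirement; add one or adjust the note. The paragraph below goes on to call an LG "the new monitor", which is stale if it refers to this one. The new row's Status cell ("ex-angela    |") is also padded wider than the column this same hunk just realigned for the Dell S2721QS.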

another file monitoring tool
diff --git a/blog/2019-11-20-file-monitoring-tools.mdwn b/blog/2019-11-20-file-monitoring-tools.mdwn
index f4c924fe..0e8b768b 100644
--- a/blog/2019-11-20-file-monitoring-tools.mdwn
+++ b/blog/2019-11-20-file-monitoring-tools.mdwn
@@ -147,6 +147,18 @@ https://github.com/tinkershack/fluffy
  * used by `cargo watch`, [watchexec](https://github.com/watchexec/watchexec) ([RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946546)), and Python's
    [watchfiles](https://watchfiles.helpmanual.io/) which features a [CLI tool](https://watchfiles.helpmanual.io/cli/)
 
+## peat
+
+<https://github.com/sjl/peat>
+
+ * 2012-2016
+ * Python
+ * GPL-3
+ * Not in Debian
+ * relatively short Python script
+ * runs a command when files changed, specified on stdin
+
+
 ## systemd .path units
 
 <https://www.freedesktop.org/software/systemd/man/systemd.path.html>
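Review bot: in "runs a command when files changed, specified on stdin" it is unclear whether the command or the list of files is what comes from stdin; say which, for example "runs a command when any of the files listed on stdin change" if it is the file list. There are also two blank lines before the next heading where one blank line precedes this entry.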

documentation on new router
diff --git a/hardware/margaret.md b/hardware/margaret.md
new file mode 100644
index 00000000..944473d7
--- /dev/null
+++ b/hardware/margaret.md
@@ -0,0 +1,222 @@
+Margaret is the name of my new core router in the home lab. It is
+named after:
+
+> [Margaret Elaine Hamilton](https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer)) (née Heafield; born August 17, 1936)
+> is an American computer scientist, systems engineer, and business
+> owner. She was director of the Software Engineering Division of the
+> MIT Instrumentation Laboratory, which developed on-board flight
+> software for NASA's Apollo program. She later founded two software
+> companies—Higher Order Software in 1976 and Hamilton Technologies in
+> 1986, both in Cambridge, Massachusetts.
+>
+> Hamilton has published more than 130 papers, proceedings, and
+> reports, about sixty projects, and six major programs. She invented
+> the term "software engineering". -- [Wikipedia](https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer))
+
+Hamilton wrote the software that landed men on the moon, yet no woman
+has yet to have that privilege.
+
+> I began to use the term 'software engineering' to distinguish it
+> from hardware and other kinds of engineering, yet treat each type of
+> engineering as part of the overall systems engineering process. --
+> Margaret Hamilton
+
+# Specifications
+
+The machine is currently implemented using a [Protectli FW2B](https://ca.protectli.com/product/fw2b/) with
+the following specifications:
+
+ * Processor: Intel J3060 (64 Bit, 1.6 GHz, Turbo 2.48 GHz, 2MB L2 Cache)
+ * Processor Cores: 2
+ * Network: 2x Intel 1G Ethernet, RJ-45
+ * Graphics: Intel Clear Video HD, 2x HDMI 1.4
+ * Audio: HDMI, 1x 3.5mm Audio Jack
+ * Memory: 1x SO-DIMM DDR3L-1600, 1.35v, 8GB (max)
+ * Storage: 1x mSATA (Protectli 64GB SSD)
+ * Optional Storage: 1x Internal SATA 3.0 (unused)
+ * 2x USB 3.0 Type A, 4x USB 2.0 Type A
+ * 2x HDMI
+ * 2x WiFi/LTE Antenna Mounting Holes
+ * 1x 12V DC Power Jack
+ * 1x Full Height mPCIe (USB/PCIe 2.0) for WiFi or LTE
+ * 1x USB 2.0 Header
+ * 1x CMOS Reset (2 pin)
+ * 1x CPU Fan Header (4 pin)
+ * 1x Front Panel Header (9 pin)
+ * BIOS: coreboot v4.9.0.3, SeaBIOS 0.4-0-g5137b91
+ * Indicators: 1x LED Power Button (Blue), 1x LED Power Indicator (Green), 1x LED Disk Activity Indicator (Red), 1x LED Disk Activity Indicator (Yellow)
+ * Power Usage: Max 16W
+ * Chassis: Fanless, Aluminum, Black, 4.5 x 4.3 x 1.5 in, 115 x 107.5 x 39 mm
+ * Mounting Options: Desktop, VESA Bracket, Optional 1RU Rack Mount
+ * Weight: 1.1 lbs, .50 Kg
+ * Operating Temperature: +14° - +122° F, -10° - +50° C
+ * Operating Humidity: 0 – 95% relative humidity, non-condensing
+ * Approvals: UL (Power Supply), FCC Part 15 Class B, CE, RoHS
+ * Country of Origin: Made in China, Assembled in USA
+
+It's basically a small black box with two network ports, 8GB of RAM,
+64GB of storage, and that's it.
+
+# Bootstrapping
+
+To boot from the USB stick, I stuck a cable in the serial console port
+with a DB9 to USB-A adapter, then booted the machine. I got served
+with the prompt, which looked like this after pressing <kbd>F11</kbd>:
+
+    SeaBIOS (version v1.0.4-0-g5137b91)
+    coreboot version v4.9.0.3
+    Press F11 key for boot menu
+    Select boot device:
+
+    1. AHCI/0: Protectli 64GB mSATA ATA-11 Hard-Disk (61057 MiBytes)
+
+That is: I didn't see the USB stick. Strangely, moving it to the
+*bottom* USB port then worked, after rebooting:
+
+    SeaBIOS (version v1.0.4-0-g5137b91)
+    coreboot version v4.9.0.3
+    Press F11 key for boot menu
+    Select boot device:
+
+    1. AHCI/0: Protectli 64GB mSATA ATA-11 Hard-Disk (61057 MiBytes)
+    2. USB MSC Drive Kingston DataTraveler 3.0
+
+    Booting from Hard Disk...
+
+    ISOLINUX 6.04 20200816 EHDD Copyright (C) 1994-2015 H. Peter Anvin et al
+
+But then I was stuck at that prompt. grml, or more exactly ISOLINUX,
+somehow didn't manage to display its terminal properly. I could see
+the cursor moving, but it would just display a blank screen.
+
+The [grml cheatcodes](https://grml.org/cheatcodes/) say you should
+just be able to type `serial` then <kbd>ENTER</kbd> but that didn't
+work in my tests. I had to type <kbd>TAB</kbd> then <kbd>SPACE</kbd>
+then `console=ttyS0,115200n8` to get the serial console to work.
+
+Obviously, the machine also ships with HDMI and USB, so I could have
+used a monitor instead, but I wanted to test the serial console... Not
+sure if this is a bug in the serial console or the (coreboot) BIOS.
+
+# Installation
+
+For installation, I'm reusing the installer I built for Tor, from the
+[fabric-tasks](https://gitlab.torproject.org/tpo/tpa/fabric-tasks) repository.
+
+I first configure the network over DHCP with:
+
+    netcardconfig
+
+that could have simply been:
+
+    killall dhclient ; dhclient -d eth0 &
+
+... as well.
+
+Then I set my SSH key:
+
+    cat > ~/.ssh/authorized_keys
+    service ssh restart
+
+... and dump the host keys for Fabric to use after:
+
+    for key in /etc/ssh/ssh_host_*_key; do
+        ssh-keygen -E md5 -l -f $key
+    done
+
+There's a bug in the installer that doesn't use the right format
+anymore, so we need to remove some colons, the magic incantation is
+now:
+
+    ./install -H root@192.168.0.221 \
+              --fingerprint b41e:db22:5576:2168:e694:bb59:6934:cad2 \
+              hetzner-robot \
+              --fqdn=margaret.torproject.org \
+              --fai-disk-config=installer/disk-config/single-disk-plaintext \
+              --package-list=installer/packages \
+              --post-scripts-dir=installer/post-scripts/ \
+              --ipv4-address 192.168.0.2 \
+              --ipv4-subnet 24 \
+              --ipv4-gateway 192.168.0.1
+
+The resulting SSH keys were:
+
+    ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAtMq1j+tznnC0Tlf3oYtlyY28yMELX7E0tVAyOHlvv+Wvr+1sGbHq3fHG+qBvzjcKZz+KJzqKlgfc+zfGl4d8= root@margaret
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILjhQGDtv+c8zOkdJe8OR5483QbZeA8jEaKS7PZKhnLS root@margaret
+    ssh-rsa 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 root@margaret
+
+This required a *lot* of changes to the installer, basically [all
+commits on January 21st](https://gitlab.torproject.org/tpo/tpa/fabric-tasks/-/commits/604a4000ea19ef4aa103ad991d53dfcf6ebac9c8) were for this project.
+
+# Remaining work
+
+ 1. puppet bootstrap
+ 2. systemd-networkd
+ 3. dump fw rules on omnia, office
+ 4. firewall (nftables + puppet?)
+ 4. DHCP assignments and configuration
+ 5. swap omnia and router
+ 6. monitoring
+ 7. bufferbloat tests
+
+# Tests to run
+
+From [[octavia]]:
+
+ 1. Web, on another host:
+
+        curl https://anarc.at/
+
+    If no shell access, try [Webbloatscore][] since it produces a
+    screenshot.
+
+ 2. DNS: local network should resolve locally, outside should show
+    CNAMEs
+
+        $ host shell.anarc.at
+        shell.anarc.at is an alias for marcos.anarc.at.
+        marcos.anarc.at has address 206.248.172.91
+
+ 3. SSH: test if we can reach the inside server from the outside of
+    the network (and not the router)
+
+        $ nc -v shell.anarc.at 22
+        Connection to shell.anarc.at 22 port [tcp/ssh] succeeded!
+        SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
+
+Other ports are assumed to be correctly configured unless otherwise
+noticed during later use.
+
+[Webbloatscore]: https://www.webbloatscore.com
+
+## bufferbloat tests
+
+OpenWRT has [this guide to configure SQM to fight bufferbloat](https://wiki.openwrt.org/doc/howto/sqm).
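
Review bot: The host-key step under "Installation" pins the installer to an MD5 fingerprint (`ssh-keygen -E md5 -l -f $key`, then `--fingerprint b41e:db22:...` with half of the colons removed by hand), and the text explains this only as "a bug in the installer" without a link. Link the bug or the fabric-tasks commit so the workaround can be retired if the installer learns to accept OpenSSH's default SHA256 fingerprints, and quote `"$key"` in the loop. Two smaller points in the same hunk: the spec list gives `SeaBIOS 0.4-0-g5137b91` while the console capture shows `v1.0.4-0-g5137b91`, and "Remaining work" numbers two items as 4.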

(Diff truncated)
sfwbar entered debian
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 33cc6d24..fa507f03 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -255,7 +255,7 @@ Other alternatives include:
  * [HybridBar](https://github.com/vars1ty/HybridBar) (yes, another)
  * [rootbar](https://hg.sr.ht/~scoopta/rootbar)
  * [sandbar](https://github.com/kolunmi/sandbar)
- * [sfwbar](https://github.com/LBCrion/sfwbar)
+ * [sfwbar](https://github.com/LBCrion/sfwbar) (now in Debian)
  * [yambar](https://codeberg.org/dnkl/yambar)
 
 ## Web browser: Firefox

more calibre alternatives
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index f67c7f5c..63e43524 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -297,6 +297,12 @@ provide, which is that it's also... a web server!
 
 See below for web-based collection browsers.
 
+Update: [citadel][] looks really promising, Rust backend with JS
+frontend. There's about 4 or 5 different frameworks in there so it
+will be hellish to package. A [Flatpak maybe](https://github.com/every-day-things/citadel/issues/5)? [Blog post](https://denhoff.ca/posts/replacing-calibre), [HN](https://news.ycombinator.com/item?id=38988019).
+
+[citadel]: https://github.com/every-day-things/citadel
+
 ## ebook web server
 
 Calibre can indeed also act as a web server, presenting your entire ebook
@@ -317,7 +323,7 @@ the database using SQLAlchemy. It does use calibre components to
 convert books but it might be an interesting alternative to the web
 interface shipped with Calibre.
 
-[AnthoLume][], [kavita][] (C#), [librum][] (dotnet), [readarr][] ("arr" stands for
+[AnthoLume][], [kavita][] (C#), [librum][] (dotnet), [storyteller][] [kiosk][], [readarr][] ("arr" stands for
 "aaargh C#/Windows again!") and [Ubooquity][] (... Java) are things as
 well, none of which are packaged in Debian. (What is it with e-book
 webservers being written in C#?!)
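
Review bot: The changed line is missing a comma between the two new entries: `[storyteller][] [kiosk][],` should read `[storyteller][], [kiosk][],`. The sentence's "none of which are packaged in Debian" now also covers both additions, so it is worth confirming that still holds for them.
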
@@ -333,6 +339,8 @@ webservers being written in C#?!)
 [calibre-web]: https://github.com/janeczku/calibre-web
 [librum]: https://librumreader.com/
 [AnthoLume]: https://gitea.va.reichard.io/evan/AnthoLume
+[kiosk]: https://github.com/project-kiosk/kiosk
+[storyteller]: https://smoores.gitlab.io/storyteller/
 
 ### calibre webserver setup
 
@@ -514,8 +522,9 @@ usable to generate our own importer, as it can parse (and edit!)
 metadata from books.
 
 [Liber][] can also fetch metadata from Google books, but not
-interactively.
-   
+interactively. [Citadel][] also seems capable of getting (or at least
+editing) metadata.
+
 So I still use Calibre for importing books, but mostly rely on
 Koreader to browse the library, basically using the folder hierarchy
 with modification timestamps as a guide.

one more wnpp
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 0612ee94..33cc6d24 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -182,7 +182,7 @@ Other options include:
 
  * [dwl][]: tiling, minimalist, dwm for Wayland, not in Debian
  * [hikari][]: tiling/stacking, not in Debian
- * [Hyprland][]: tiling, fancy animations, not in Debian
+ * [Hyprland][]: tiling, fancy animations, not in Debian ([1040971][])
  * [Qtile][]: tiling, extensible, in Python, not in Debian ([1015267][])
  * [river][]: Zig, stackable, tagging, not in Debian  ([1006593][])
  * [velox][]: inspired by xmonad and dwm, not in Debian
@@ -205,6 +205,7 @@ Other options include:
 [velox]: https://github.com/michaelforney/velox
 [vivarium]: https://github.com/inclement/vivarium
 [hikari]: https://hikari.acmelabs.space/
+[1040971]: https://bugs.debian.org/1040971
 
 ## Status bar: py3status → waybar
 

fix link to hikari
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 50fd5efc..0612ee94 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -204,6 +204,7 @@ Other options include:
 [1006593]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006593
 [velox]: https://github.com/michaelforney/velox
 [vivarium]: https://github.com/inclement/vivarium
+[hikari]: https://hikari.acmelabs.space/
 
 ## Status bar: py3status → waybar
 

automatic federated post of blog/2024-01-08-one-more-year.md
Command: ['/usr/bin/feed2exec', '-v', 'fetch']
Plugin file: /usr/lib/python3/dist-packages/feed2exec/plugins/ikiwikitoot.py
Source directory: /home/w-anarcat/source
Running on: marcos
diff --git a/blog/2024-01-08-one-more-year.md b/blog/2024-01-08-one-more-year.md
index e395d42d..3f43bacb 100644
--- a/blog/2024-01-08-one-more-year.md
+++ b/blog/2024-01-08-one-more-year.md
@@ -210,3 +210,7 @@ So anyway, thanks for coming, faithful reader, and see you in the
 coming 2024 year...
 
 [[!tag debian-planet python-planet gloating meta stats]]
+
+
+<!-- posted to the federation on 2024-01-09T15:38:17.848871 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/111727915674900043"]]
\ No newline at end of file
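
Review bot: The added lines leave the post without a trailing newline (`\ No newline at end of file`) and put two blank lines before the comment. Since this commit is generated by the `ikiwikitoot.py` plugin, fix it there so it writes one blank separator and terminates the last line, otherwise the next edit to this file will show a spurious change on the `[[!mastodon ...]]` line.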

sway refused sanity
diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 541b9271..50fd5efc 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -1163,9 +1163,13 @@ I have also configured those services, but that's somewhat optional:
 
 You will also need at least part of my [[sway config|config/sway/config]], which
 sends the systemd notification (because, no, Sway doesn't support any
-sort of readiness notification, that would be too easy). And you might
+sort of readiness notification, that would be too easy). (And they [do
+not want it](https://github.com/swaywm/sway/pull/7659), [nor does Debian want to carry a patch](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039857).) And you might
 like to see my [[swayidle config|config/swayidle/config]] while you're there.
 
+Update: see [my latest attempt at sway readiness notification](https://github.com/swaywm/sway/pull/7904) for
+the last hope.
+
 Finally, you need to hook this up somehow to the login manager. This
 is typically done with a desktop file, so drop
 [sway-session.desktop][] in `/usr/share/wayland-sessions` and
@@ -1278,7 +1282,6 @@ I think that's pretty neat.
 
  * TODO: consider this improved script: <https://github.com/xdbob/sway-services/blob/master/bin/sway-user-service>
  * TODO: move config into Puppet so it's in sync
- * TODO: maybe submit as a PR on the Debian package?
 
 [sway-setup]: https://github.com/gdamjan/sway-setup
 [submitted upstream]: https://github.com/swaywm/sway/pull/3486

possible scam with an expansion card
diff --git a/hardware/laptop/framework-12th-gen.md b/hardware/laptop/framework-12th-gen.md
index 90d4b836..ceb63b59 100644
--- a/hardware/laptop/framework-12th-gen.md
+++ b/hardware/laptop/framework-12th-gen.md
@@ -2054,7 +2054,8 @@ USB-C|blog/2023-02-10-usb-c]]. I'm considering a Dell
    internal USB-A port on top of the external one, two extra USB
    pinouts that can mount *another* mini-expansion card inside the
    expansion card, which in turn can be a MicroSD card reader, a USB-C
-   (USB2 only) port, a USB-UART debugging card, or a [QWIIC](https://www.sparkfun.com/qwiic)
+   (USB2 only) port, a USB-UART debugging card, or a [QWIIC](https://www.sparkfun.com/qwiic),
+   [concerns about this being a scam](https://community.frame.work/t/usb-a-ugment-usb-a-port-card-with-internal-dongle-port-and-addons/35735/15?u=anarcat)
    pinout, no 3D-printed shell yet
  * [spring-loaded expansion card](https://community.frame.work/t/spring-loaded-expansion-card/36013) (probably also a joke)
  * [RTL SDR](https://community.frame.work/t/rtl-sdr-expansion-card/37098)
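
Review bot: The new link lands in the middle of the phrase "QWIIC pinout": the item now reads `[QWIIC](...), [concerns about this being a scam](...) pinout`, so "pinout" attaches to the scam link. Keep `[QWIIC](...) pinout` together and move the concerns link to the end of the item, after "no 3D-printed shell yet".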

fix tags
diff --git a/blog/2024-01-08-one-more-year.md b/blog/2024-01-08-one-more-year.md
index 29aa055d..e395d42d 100644
--- a/blog/2024-01-08-one-more-year.md
+++ b/blog/2024-01-08-one-more-year.md
@@ -209,4 +209,4 @@ sharing that with the world...
 So anyway, thanks for coming, faithful reader, and see you in the
 coming 2024 year...
 
-[[!tags gloating meta stats]]
+[[!tag debian-planet python-planet gloating meta stats]]

yearly blog stats
diff --git a/blog.mdwn b/blog.mdwn
index 8098ba11..ea26f0b6 100644
--- a/blog.mdwn
+++ b/blog.mdwn
@@ -29,6 +29,8 @@ trail=yes
 
 # Favoris
 
+ * [Framework 12th gen laptop review](https://anarc.at/hardware/laptop/framework-12th-gen) (2023)
+ * [How to nationalize the internet in Canada](https://anarc.at/blog/2022-08-26-nationalize-internet/) (2022)
  * [The Neo-Colonial Internet](https://anarc.at/blog/2021-10-23-neo-colonial-internet/) (2021)
  * [Remote presence tools for social distancing](https://anarc.at/blog/2020-03-15-remote-tools/) (2020)
  * [On free speech at Puri.sm and Mastodon](https://anarc.at/blog/2019-05-13-free-speech/) (2019)
@@ -95,6 +97,21 @@ more socially acceptable and less politically controversial.
 <!-- add it. yes, this is kind of silly. -->
 
 <!-- end copy-paste -->
+## 2024
+
+[[!inline pages="
+(
+  page(blog/*)
+  or tagged(blog)
+)
+and creation_year(2024)
+and !blog/*/*
+and !tagged(draft)
+and !tagged(redirection)"
+archive=yes
+quick=yes
+]]
+
 ## 2023
 
 [[!inline pages="
diff --git a/blog/2024-01-08-one-more-year.md b/blog/2024-01-08-one-more-year.md
new file mode 100644
index 00000000..29aa055d
--- /dev/null
+++ b/blog/2024-01-08-one-more-year.md
@@ -0,0 +1,212 @@
+[[!meta title="Last year on this blog"]]
+
+So this blog is now celebrating its 21st birthday (or 20 if you count
+from zero, or 18 if you want to be pedantic), and I figured I would do
+this yearly thing of reviewing how that went.
+
+# Number of posts
+
+2022 was the [[official 20th
+anniversary|blog/2023-01-07-bring-back-blogging]] in any case, and
+that was one of my best years on record, with 46 posts, surpassed only
+by the noisy 2005 (62) and matching 2006 (46). 2023, in comparison,
+was underwhelming: a feeble 11 posts! What happened!
+
+Well, I was busy with other things, mostly away from keyboard, that I
+will not bore you with here...
+
+The other thing that happened is that the one-liner I used to collect
+stats was broken (it counted folders and other unrelated files) and
+wildly overestimated 2022! Turns out I didn't write *that* much then:
+
+    anarc.at$ ls blog | grep '^[0-9][0-9][0-9][0-9].*.md' | se
+    d s/-.*// | sort | uniq -c  | sort -n -k2
+         57 2005
+         43 2006
+         20 2007
+         20 2008
+          7 2009
+         13 2010
+         16 2011
+         11 2012
+         13 2013
+          5 2014
+         13 2015
+         18 2016
+         29 2017
+         27 2018
+         17 2019
+         18 2020
+         14 2021
+         28 2022
+         10 2023
+          1 2024
+
+But even that is inaccurate because, in ikiwiki, I can tag any page as
+being featured on the blog. So we actually need to process the HTML
+itself because we don't have much better on hand without going through
+ikiwiki's internals:
+
+    anarcat@angela:anarc.at$ curl -sSL https://anarc.at/blog/ | grep 'href="\./' | grep -o 20[0-9][0-9] | sort | uniq -c 
+         56 2005
+         42 2006
+         19 2007
+         18 2008
+          6 2009
+         12 2010
+         15 2011
+         10 2012
+         11 2013
+          3 2014
+         15 2015
+         32 2016
+         50 2017
+         37 2018
+         19 2019
+         19 2020
+         15 2021
+         28 2022
+         13 2023
+
+Which puts the top 10 years at:
+
+    $ curl -sSL https://anarc.at/blog/ | grep 'href="\./' | grep -o 20[0-9][0-9] | sort | uniq -c  | sort -nr | head -10
+         56 2005
+         50 2017
+         42 2006
+         37 2018
+         32 2016
+         28 2022
+         19 2020
+         19 2019
+         19 2007
+         18 2008
+
+Anyway. 2023 is certainly not a glorious year in that regard, in any case.
+
+# Visitors
+
+In terms of visits, however, we had quite a few hits. According to
+[Goatcounter](https://github.com/arp242/goatcounter), I had 122 300 visits in 2023! 2022, in comparison,
+had 89 363, so that's quite a rise.
+
+## What you read
+
+I seem to have hit the Hacker News front page at least twice. I say
+"seem" because it's actually pretty hard to tell *what* the HN
+frontpage actually is on any given day. I had 22k visits on
+2023-03-13, in any case, and you [can't see me on the front that
+day](https://news.ycombinator.com/front?day=2023-03-13). We do see a post of mine [on 2023-09-02](https://news.ycombinator.com/front?day=2023-09-02), all the way down
+there, which seem to have generated another 10k visits.
+
+In any case, here were the most popular stories for you fine visitors:
+
+ * [[Framework 12th gen laptop
+   review|hardware/laptop/framework-12th-gen]]: 24k visits, which is
+   surprising for a 13k words article "without images", as some
+   critics have complained. 15k referred by Hacker News. Good
+   reference and time-consuming benchmarks, slowly bit-rotting.
+
+   That is, by far, my most popular article ever. A popular article in
+   2021 or 2022 was around 6k to 9k, so that's a big one. I suspect it
+   will keep getting traffic for a long while.
+
+ * [[Calibre replacement considerations|software/desktop/calibre]]:
+   15k visits, most of which without a referrer. Was actually an old
+   article, but I suspect HN brought it back to light. I keep updating
+   that wiki page regularly when I find new things, but I'm still
+   using Calibre to import ebooks.
+
+ * [[Hacking my Kobo Clara HD|hardware/tablet/kobo-clara-hd]]: is not
+   new but always gathering more and more hits, it had 1800 hits in
+   the first year, 4600 hits last year and now brought 6400 visitors
+   to the blog! Not directly related, but [this iFixit
+   battery replacement guide I wrote](https://www.ifixit.com/Guide/Kobo+Glo+HD+eReader+Battery+Replacement/143903) also seem to be quite popular
+
+Everything else was published before 2023. [Replacing Smokeping with
+Prometheus](https://anarc.at/blog/2020-06-04-replacing-smokeping-prometheus) is still around and [[Looking at Wayland terminal
+emulators|software/desktop/wayland]] makes an entry in the top five.
+
+## Where you've been
+
+People send less and less private information when they browse the
+web. The number of visitors without referrers was 41% in 2021, it rose
+to 44% in 2023. Most of the remaining traffic comes from Google, but
+Hacker News is now a significant chunk, almost as big as Google.
+
+In 2021, Google represented 23% of my traffic, in 2022, it was down to
+15% so 18% is actually a rise from last year, even if it seems much
+smaller than what I usually think of.
+
+| Ratio | Referrer              | Visits |
+|-------|-----------------------|--------|
+| 18%   | Google                | 22 098 |
+| 13%   | Hacker News           | 16 003 |
+| 2%    | duckduckgo.com        | 2 640  |
+| 1%    | community.frame.work  | 1 090  |
+| 1%    | missing.csail.mit.edu | 918    |
+
+Note that Facebook and Twitter do not appear at all in my referrers.
+
+## Where you are
+
+Unsurprisingly, most visits still come from the US:
+
+| Ratio | Country        | Visits |
+|-------|----------------|--------|
+| 26%   | United States  | 32 010 |
+| 14%   | France         | 17 046 |
+| 10%   | Germany        | 11 650 |
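
Review bot: The first counting command under "Number of posts" is wrapped mid-word (`se` / `d s/-.*//`), so it cannot be pasted as shown, and its pattern `'^[0-9][0-9][0-9][0-9].*.md'` has an unescaped dot and no end anchor, so it matches any name with "md" somewhere after the year, not only `.md` files. Join the line and use `\.md$`, since the text says the earlier one-liner overcounted by picking up folders and unrelated files. In the two `curl` pipelines, quote the pattern as `grep -o '20[0-9][0-9]'` so the shell cannot expand it as a glob, and note that `-o` counts every 20xx string on a matching line, not only the leading date.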

(Diff truncated)
more qrcode stuff
diff --git a/blog/secrets-recovery.md b/blog/secrets-recovery.md
index fd5afeb2..454baae3 100644
--- a/blog/secrets-recovery.md
+++ b/blog/secrets-recovery.md
@@ -50,3 +50,9 @@ https://sites.google.com/view/chewkeanho/guides/gnupg/delete-primary-key-master-
 
 17:53:28 <diederik> TIL you can specify a successor in GH account settings for when you die :-O
 qr-backup ITP https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021089
+
+
+https://github.com/cyphar/paperback
+
+
+to review: https://news.ycombinator.com/item?id=37534615

Archival link:

The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.
