From 633f26d24d851b994789221d88e5b233afeb8f59 Mon Sep 17 00:00:00 2001
From: Noratrieb <48135649+Noratrieb@users.noreply.github.com>
Date: Thu, 1 Aug 2024 15:20:21 +0200
Subject: [PATCH] yee haw
---
newinfra/README.md | 16 +++-
newinfra/nix/hive.nix | 78 ++++++++++++++++--
newinfra/nix/modules/default/default.nix | 1 +
newinfra/nix/modules/dns/default.nix | 4 +-
newinfra/nix/modules/ingress/default.nix | 1 -
newinfra/nix/modules/wg-mesh/default.nix | 6 ++
.../nix/secrets/docker_registry_password.age | 8 +-
newinfra/nix/secrets/hugochat_db_password.age | 8 +-
newinfra/nix/secrets/minio_env_file.age | Bin 397 -> 397 bytes
newinfra/nix/secrets/secrets.nix | 2 +
newinfra/nix/secrets/wg_private_vps1.age | Bin 257 -> 257 bytes
newinfra/nix/secrets/wg_private_vps3.age | Bin 257 -> 257 bytes
newinfra/nix/secrets/wg_private_vps4.age | 5 ++
newinfra/nix/secrets/widetom_bot_token.age | 8 +-
newinfra/nix/secrets/widetom_config_toml.age | Bin 4006 -> 4006 bytes
newinfra/provision/README.md | 13 ---
newinfra/secrets-git-crypt/wg_private_vps4 | Bin 0 -> 66 bytes
17 files changed, 115 insertions(+), 35 deletions(-)
create mode 100644 newinfra/nix/secrets/wg_private_vps4.age
delete mode 100644 newinfra/provision/README.md
create mode 100644 newinfra/secrets-git-crypt/wg_private_vps4
diff --git a/newinfra/README.md b/newinfra/README.md
index 2a8c0bc..fe67e82 100644
--- a/newinfra/README.md
+++ b/newinfra/README.md
@@ -24,6 +24,18 @@ All records are fully static, generated in the NixOS config. ## HTTP(S) -Right now, there's only a single server (`vps1`) serving Caddy. +stuff. -In the future, there might be a second one in a shared-storage HA setup (with a postgres cluster probably)? +## provisioning + +NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-infect) over a default image. + +> Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here). +> Run `hostname something_without_dots` before running the script. +> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname. + +``` +hostname tmp +curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect +bash nixos-infect +``` diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix index b8764bd..0ed67e4 100644 --- a/newinfra/nix/hive.nix +++ b/newinfra/nix/hive.nix @@ -23,7 +23,7 @@ wg = { privateIP = "10.0.0.1"; publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ="; - peers = [ "vps3" ]; + peers = [ "vps3" "vps4" ]; }; }; vps3 = { @@ -32,7 +32,16 @@ wg = { privateIP = "10.0.0.3"; publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0="; - peers = [ "vps1" ]; + peers = [ "vps1" "vps4" ]; + }; + }; + vps4 = { + publicIPv4 = "195.201.147.17"; + publicIPv6 = "2a01:4f8:1c1c:cb18::"; + wg = { + privateIP = "10.0.0.5"; + publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs="; + peers = [ "vps1" "vps3" ]; }; }; }; @@ -62,7 +71,7 @@ # The name and nodes parameters are supported in Colmena, # allowing you to reference configurations in other nodes. - deployment.tags = [ "dns" "us" ]; + deployment.tags = [ "dns" "us" "contabo" ]; system.stateVersion = "23.11"; }; dns2 = { name, nodes, modulesPath, lib, ... }: { 
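Review bot: `publicIPv6 = "2a01:4f8:1c1c:cb18::";` in the new `vps4` entry is the bare /64 prefix, while the interface configured for the same host later in this file is given `2a01:4f8:1c1c:cb18::1`. If the static DNS records behind the `${peer}.infra.noratrieb.dev` WireGuard endpoints are generated from this table (the generator is not visible in the hunk), the AAAA record would name an address the host does not hold. `publicIPv6 = "2a01:4f8:1c1c:cb18::1";` would match the interface configuration.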
@@ -71,7 +80,7 @@ ./modules/dns ]; - deployment.tags = [ "dns" "eu" ]; + deployment.tags = [ "dns" "eu" "hetzner" ]; system.stateVersion = "23.11"; boot.loader.grub.device = "/dev/sda"; @@ -123,7 +132,7 @@ age.secrets.docker_registry_password.file = ./secrets/docker_registry_password.age; - deployment.tags = [ "ingress" "eu" "apps" "wg" ]; + deployment.tags = [ "ingress" "eu" "apps" "wg" "contabo" ]; system.stateVersion = "23.11"; }; vps3 = { name, nodes, modulesPath, config, ... }: { 
@@ -131,9 +140,68 @@ (modulesPath + "/profiles/qemu-guest.nix") ./modules/contabo ./modules/wg-mesh + ./modules/ingress ]; deployment.tags = [ "eu" "apps" "wg" ]; system.stateVersion = "23.11"; }; + vps4 = { lib, modulesPath, ... }: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./modules/ingress + ./modules/wg-mesh + ]; + + deployment.tags = [ "eu" "apps" "hetzner" ]; + system.stateVersion = "23.11"; + + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + + # This file was populated at runtime with the networking + # details gathered from the active system. + networking = { + nameservers = [ + "8.8.8.8" + ]; + defaultGateway = "172.31.1.1"; + defaultGateway6 = { + address = "fe80::1"; + interface = "eth0"; + }; + dhcpcd.enable = false; + usePredictableInterfaceNames = lib.mkForce false; + interfaces = { + eth0 = { + ipv4.addresses = [ + { address = "195.201.147.17"; prefixLength = 32; } + ]; + ipv6.addresses = [ + { address = "2a01:4f8:1c1c:cb18::1"; prefixLength = 64; } + { address = "fe80::9400:3ff:fe95:a9e4"; prefixLength = 64; } + ]; + ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }]; + ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }]; + }; + + }; + }; + services.udev.extraRules = '' + ATTR{address}=="96:00:03:95:a9:e4", NAME="eth0" + + ''; + }; + /*vps5 = { name, nodes, modulesPath, config, ... }: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./modules/contabo + ./modules/ingress + ]; + + deployment.tags = [ "eu" "apps" "wg" ]; + system.stateVersion = "23.11"; + };*/ } diff --git a/newinfra/nix/modules/default/default.nix b/newinfra/nix/modules/default/default.nix index 6070161..3a5980a 100644 --- a/newinfra/nix/modules/default/default.nix +++ b/newinfra/nix/modules/default/default.nix 
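Review bot: `vps4` imports `./modules/wg-mesh` and `./modules/ingress`, but its `deployment.tags = [ "eu" "apps" "hetzner" ];` carries neither `"wg"` nor `"ingress"`, and `vps3` gains `./modules/ingress` in this hunk without the `"ingress"` tag that `vps1` has. If deployments are selected by tag, a change to the mesh or ingress module would skip these hosts and leave peers and firewall rules out of step; I would write `deployment.tags = [ "ingress" "eu" "apps" "wg" "hetzner" ];` for vps4 and add `"ingress"` on vps3. The commented-out `vps5` block is dead configuration and would be better dropped until the host exists.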
@@ -23,6 +23,7 @@ services.openssh = { enable = true; + openFirewall = true; banner = "meoooooow!! 😼 :3\n"; settings = { PasswordAuthentication = false; diff --git a/newinfra/nix/modules/dns/default.nix b/newinfra/nix/modules/dns/default.nix index 4f28471..085a82a 100644 --- a/newinfra/nix/modules/dns/default.nix +++ b/newinfra/nix/modules/dns/default.nix @@ -2,8 +2,8 @@ # get the package for the debugging tools environment.systemPackages = with pkgs; [ knot-dns ]; - networking.firewall.allowedUDPPortRanges = [ - { from = 53; to = 53; } + networking.firewall.allowedUDPPorts = [ + 53 ]; nixpkgs.overlays = [ diff --git a/newinfra/nix/modules/ingress/default.nix b/newinfra/nix/modules/ingress/default.nix index 5ca23c0..399c802 100644 --- a/newinfra/nix/modules/ingress/default.nix +++ b/newinfra/nix/modules/ingress/default.nix @@ -1,6 +1,5 @@ { pkgs, config, ... }: { networking.firewall.allowedTCPPorts = [ - 22 443 ]; diff --git a/newinfra/nix/modules/wg-mesh/default.nix b/newinfra/nix/modules/wg-mesh/default.nix index 862462d..c3677b9 100644 --- a/newinfra/nix/modules/wg-mesh/default.nix +++ b/newinfra/nix/modules/wg-mesh/default.nix @@ -19,6 +19,10 @@ in in builtins.listToAttrs wgHostEntries; + networking.firewall.allowedUDPPorts = [ + listenPort + ]; + age.secrets.wg_private.file = ../../secrets/wg_private_${name}.age; networking.wg-quick.interfaces = { wg0 = { @@ -33,6 +37,8 @@ in inherit (peerConfig) publicKey; endpoint = "${peer}.infra.noratrieb.dev:${toString listenPort}"; allowedIPs = [ "${peerConfig.privateIP}/32" ]; + # sometimes there's some weirdness....?? + persistentKeepalive = 25; } ) wgSettings.peers; diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age index 334b141..0f0beef 100644 --- a/newinfra/nix/secrets/docker_registry_password.age +++ b/newinfra/nix/secrets/docker_registry_password.age 
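Review bot: `openFirewall = true;` makes sshd's public exposure explicit for every host that imports this module, so the authentication settings carry the whole load; only `PasswordAuthentication = false;` is visible and the `settings` block continues outside the hunk. If it is not already set there, `KbdInteractiveAuthentication = false;` closes the PAM keyboard-interactive path that can still prompt for a password. A comment such as `# port 22 is open on all hosts; key-only auth is enforced below` would record the intent now that the ingress module no longer opens 22.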
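Review bot: Only UDP 53 is opened in the dns module; the hunk shows no `allowedTCPPorts` entry for port 53. Resolvers retry over TCP when a response is truncated, so unless TCP 53 is opened outside this hunk those queries will be dropped by the firewall; `networking.firewall.allowedTCPPorts = [ 53 ];` next to this list would cover it. The switch from a one-port range to `allowedUDPPorts` is itself equivalent.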
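Review bot: The comment `# sometimes there's some weirdness....??` in the second wg-mesh hunk does not say what `persistentKeepalive = 25;` works around, and the first hunk of this file may already remove the cause: before it, `listenPort` does not appear to have been opened in the firewall, so inbound handshakes would only pass while outbound state existed. I would record that instead, e.g. `# keepalive kept tunnels up while listenPort was firewalled; re-test without it (TODO confirm)`. The new `allowedUDPPorts = [ listenPort ];` accepts packets from any source; since the peers' public addresses are static in hive.nix, restricting the port to them is an option, although WireGuard does not answer unauthenticated packets.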
@@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg Mi5DHbfLOMSQaKaB78XZbA273KGvj/HHF4vOiMRsMjA -Zf7+IY93cTywmg7qjGyQ00YLJTc3MstQKyfFfpDqWic ---- KCKAhA7w141LPjEGSUI/azd8YFPn2EJWPGTyYXlnX+4 -P_g$vCh/jz:chd#WcijE3k>t` \ No newline at end of file +-> ssh-ed25519 qM6TYg YI3rrnP9953xk8JnzhJSZR+tKaD6C3sCXJBiX0+KCHE +CIfSlpyqhS66umh4/nv7v6qH5mqz2xh2AeDW19CGbYs +--- 889zGO43+oX2nau25zROguc37dsi38Bnyzw/shG1x5g +o]̗yNd_Ɨ+wBi sE 5 y^`[5 \ No newline at end of file diff --git a/newinfra/nix/secrets/hugochat_db_password.age b/newinfra/nix/secrets/hugochat_db_password.age index adc8f3c..dc61b07 100644 --- a/newinfra/nix/secrets/hugochat_db_password.age +++ b/newinfra/nix/secrets/hugochat_db_password.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg f2NnXHIO+lzuRNlvp70HCjFET8cqwLrQjEdXkK4wVgg -HAUu/GGX/UHewWbCXfaiYx5h8xyLXN/Y3kTYHn+GT5M ---- tx0L90qNb6i1Bv1P5QsZUNu7FKQT3j09h/T1QDdwRZ8 -caUqb!fFǔ UAi{ϔ|9?[bHpAn^g 0ӓ;Ɯ:yum杸 \ No newline at end of file +-> ssh-ed25519 qM6TYg vcUglH0m/mdME6tSzfZy3orW55ks1wZZAVqPe01ln0I +Pbei2lMfgS+6N148qggu3DYUTnusItfVDqXGFqD9l8g +--- qnH/lD17esiKbMH5M1wwJiq7cMmXXh4SQneeRNDiMPk +t8i~ !ެs?t/1+4:07R2wohQB4pt!9#Gd#d)3ňШZﳢHyK \ No newline at end of file 
diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age index 5e1edbdf498d06e6518da3d52b5aa1bf271b09d2..13d69b4770e2d94ce886be02d8ff87b5269efc9f 100644 GIT binary patch delta 362 zcmeBW?q!~!Q*Y=Q5^CX-R+1hO;*nA5ZR8mgTx1^Xo2ji`;^SLU z%oR}JQ(BNz?v$&q?;DVtY~q{mpIBg;o1UrdnG=%hl^YxpV3g(N7vW}<&!uapP+Xj$ zo0?)|YHDby5K-mm92KaL7Z_gdXzEuU;t~>&?d@7sSRZNW5gcA(=9y~{6&?}cmt$Gs z<`|*xou840mYrjKa6l$mL#S${hl_0(QFOUccnw2!&vL~g*lhnM6R Kznt^*!f^lu?}=9c delta 362 zcmeBW?q!~!Q(s;Yt{qjC6XfG&YU1Ztrk&)USXyZ0S7n@=Ymx109`2fJ5o~4{>XMR~ z&gGtJ}zPAUX~i*ALv_X7lkbv|osk#dS?^us;q9&O7v`N3mTM4{=usS5 zXYi?WoQ~v5bhmi;1On)m=x(!6=dvYQWb3JS)Axxnw{dy zrK_u}ke=-1Ra_qK<5}q!nC_QYrtg;Klb4%RZdPVqR2f)M6z-Lq9U2v$Z)P0G#pABO z!eQU_AIT>fH14rG#D!d*f8^>J)^(HT5>_Q4r~$&xYsDpO>$>f8V?H1M4rNs(*8y^{rg8eBJk%T^n{it?~WS ZIfH+T%**PIO`MvyLe(@Zl;0K{005GOScd=r delta 221 zcmZo5s;Ca z&1Iftt{<48oo%EYVPNRwoaSNTm|E;x8IYUh8dV-uVU(<&mFjGeljLIJ%B8ETtDqn1 zn3Ww^;GbF^5S8v$kdsmDota*c=j)o0Y;I-{k>Z?X6y|TN?H20c70D$Nd%~B)|If|S z9zL7fb-x@}u%hoo~ET^?;envSefNk66qD>Z(5a?&84fWtDx_b zoD-SoSx_2bnvv=3?i*R`Xzb@45aw>?ofn>#Ug%lj5*Ck(m*QV^(b;H+&}k&@$;73}S-pBNG9 z$rTWunrcuI<*jX!SrHZ(80KDSo~&P#n^soomYU?0S7}sG5Nzn^ ssh-ed25519 51bcvA ZldYAoisAZWIno1rtaRlkMaBL6+wN2M+RsxSqdFS/Ww +hAxVR0kTHdHh8VVXn1DA+pPrnTNe32/7hk7vG6BYFlA +--- eY4N6LUcdlFI1fsc9QzOVt8eMZdC8/SReSaiEsk60YQ +=$uC%`Ƶ>H6,]cOE|Dy5͊10t-⩼+:ZfY \ No newline at end of file diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age index 586cbc5..ba8eb5c 100644 --- a/newinfra/nix/secrets/widetom_bot_token.age +++ b/newinfra/nix/secrets/widetom_bot_token.age 
@@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg ftpW/zGgZcGI6jnmrkYlOO9bjMNHO7vk/WJIlCQzYTE -LXRiwiUinl5HTt9ZfA+HQlSIL5K1TXFzLQXigEajU38 ---- pE7CTJBICuROEQUVmK3hDad8yoiurMXvkizsAuZn6HA -МN&ʑҙiD4QSdZmSI D$IdC}Yj.-HN;[}d| \ No newline at end of file +-> ssh-ed25519 qM6TYg bHq26LyOxpLO6+kmuVS2eeRyX69kfX/iRRpGf7E9EQA +6bmUzKiz+snI83v0ZhY8WkyIKMU1fkzs8Z4OEimeRrk +--- 9RLCCX/0iiNdeSN8gy1gsXBW17/YTKJStxFVo/i5+zw +(%B$ǂ#gkV,aJб4ekq2\w)/b~5RVf_:ج'h%[EX7Ddr75FSu$5;-m}kF~ z9@ zrQ+cR)iNyq&MXkGpZmzYY;Sh^t2@yQduPA9A-Ppx;xoBTD%uG-ht+>Se!S&{$m#xk zGyhYUr+3C%nb=fjlvXdg%NqCmQHyYtR6uT@*RCdJ zQ(2cTo-N5&`EOa<{>g0LrzpI?pkOk^OPD|K=drdmLaEoksTikTsr1NtEPRzC_}#sq zuO9}PR-EAo6>W_AXR%#)x8ui#`kBW>dT!nhURxNP(t4xD>xlQ~_4_T9%UC9zu~=7n zdWzAUcXy^)+Q%|06Qqe=41S?m60zWRlRGWSm?SyXc^oo6~-Ve+E8AJ}b^ ze*9US(N~?UXWyzE^X<>nf@RfaR4SjViu+Rg%S>wL?0+E%mmM1Y zSJv^0nr~zfvRnD6uj$6d*1p-eAs^hUsi)_5YfDtURVV_0E>a#gZa3W<>u=zrN)CG}mvtPen$} z+UN0j33sUySJzUJc@96HJzwEIW4B)Y(Zr0Fdqs z&qar(%Eor5mc99ZIn@2EL2?LhxZBPrFD3Q)t{EM_E4^|y=LU|)iZ50=AI@)G`A6V@ zgZu^eg*H}#pLSOM?sRAUKOt-Gh$qYgc*N0`?}>Ot}EuZ?7S>> zB(DB{^!+N2-p;(9P5&e^4PGkf35X{FvhHT{yU#Dm78 z`#64vM#fEau@>9zGRv)^Z^;Q+FQy0G_GgSEZFrx$>L35sR%&B1?dy``OBe0frQ*7A zMhok+148CYznu9~U+lSLW63><)AcS-er*ic_Sx#F`$CuA6s0}a8NPMK?PeDV3E_8} z`_CXQ$-!gc4!)M(Rz{Y#pEalHbR7P9?2^_oj?RtyZC>6}O$fPuF@u_kLzX5g)_w^DSm3# zc^@M?g|{X-ddA|wwAWu4<}6cMeRawIr`G0sgYO?a8y=p#?fBbkH@x$6h3s#;cPwi< z#`(AO>hsRdb(gZfR4cxGc;HN@&}wG?8|yi)=836Y4*j@uLff+M-&`ub9_8!iapp^p zO80B!ll@w|J@nw=^-oowZDdT2sDBYNhjm@-u@jU2&6YLStWU8m@i*7G&yudmr7N52 z)H}V@{pj-o8Ls4dj~{9?Ldwld)Bc+Ly|8)Gu1wL*lb+N}_&?QIxYi2tC-}@f3^%Qyg6t6=g!N!b_mq(ohDn;jCOt4$_haq}mrN!e#j z6yaWTZKqD;yw~TxCfNJ*uGfft@bV<8E=G#_j z37uKoy+wb^Rog9I|3n#`4!GykZA@U{a(#RK`s61H4{vIC`&h*NyvUe5V^hN)Ws^|r z%^LR^HMTA=3#`bW?ziKT$w_hjw`q@@U$WSB_Np#&J<%jM;c?hgUvb5`vm|#ciDG$j zENVID=}Eq7^>sPc{vS$oD&PDpGuu$IDYw&fM!Q5+Re?msnpuo%II2=PIU;}8-rSY7 zXz#ko-1+u*8(XtKOIMyg?j0y#wK+50$JulCiX$?6;&(m%`aM5y^M3hfL5Kcn?@to6 z{4^u@qLjIrda-fQ?_QzQKaLU^zqoF4PQ1#bw8Q1IpZt=!VbkjwPw(Ghdo?suRZ>yK 
zh`opH>_2gq{3jt!cJH764cESARmgZFcGrSk65d9B`L}}43mBFLTTD6a9CPNP**u#& z50>k>*%b7Ao2xIXCaF_fc)!}2`!%cQnd+Vu4i$5Ke@@CZ{aSHzZmnw6vs(>pL0F4Ml|yQU)J3>n>X&eru$x%_ou_9*Nmwr8)~n=tNCl*-6hSr zeV0&B5zCB+EXvu|JX3jhuG5LIb&$Tu*ViYxPG|E;4oB9LeWmAp)Z6)M?rf{yl>Bp9 z5U*K7mPz`n+N#8_Q>07w^-Orm^vrJd;(GPmiTzy~4?lkYvAy@w0}a9ASoOP~Sav3T z`uq8&%<+%|H6Oc0qu)n$TgPuss{1cua=6p-wb=ok3qn=GtEa?Fe;eJL)$e*z{Ngu* zl}@}WUabGlee8(R74EURxIF62X)hyNoBBzP)>9gjZ)+SKZ4DpS%ohwpEU*67HYHS7G7`mfxZbDqD`eg8&zj++!u)4n6o z)Ar7^Q;iIgSjkq@c6C|Cg0mtI%@qO;t$y`6;l;1pWyW?X38&6>CSUi=NiVceTjAzA z%T(lX{g-tY580j)o){x~^{dB?jz#wvg*6rgn=tZs1ZJ%H@n0f8Ba(ZaU5v}_8C^Na za~0ES9bdYOC#jp~Dg|yxa1kmmjr!WPM9X~Fp5K>NoIKW3dcj|f=h=6ABekGeujF*I z((Mm>8EQry5o+k)U$X1l%Oh3m_a5B+ZeC^P5}!qL9YgEw-u)C(sYppZxm~K+^xhghv8wi_V9|ZOzo&niK9UynH7%^DEbpQ&X4h%-kKd-$dBhGIxpn^!X>R^c+9^RSreTM|wK;M;_g|~>Y0*W%udan zA1#_P@3oV0qMS3cvsnN6lGNY;7si!7AxTl&9D+)`MCK97|hi>k890nJu0_ERCY=5hxfbd+Ei9PJ=xIx zhGmkAt;=$!_x+j$SH)kQmgcaRs=ZTRcV{y5Tv_4gb{ZS^==R)h>95i|mg35NZfBgy z(|^muCkX~RE_7<=wceYtbVrXwux|O`RZ+7U<|i&@jQD!`jO~dBM$U2t&%+MAniuiI zQ|?SN*LS_kWxezLw_Q6Y7N`*B`mWKd_w>V%k0rw&~B2-i+k6qi`$>7RC$z#$j1jWta%}`c;bqc#dBiTvtPZ?=&&>8 zOnSIW>x#SKd>c*vd_CFK%G(t)ammZwjE}c2UH|Kn$M^T<1%21=$o=kTopol{-dktx zzAO0DCCQUwCb43>+@_ytk6m>{RKBx_@0vMTzDT+_>_@%L>eUnfGU+}}OyZdF-fM$e zLs4LH@}Y+xKgK`u$vOB$rYG>jmv8fVmia60%UUGw=I@mJGrWEE^o%_Vc0Zb$F7$QE z*K;?1n3o?-P_Qxf`C-jjeBaJ2G|9JLaEY;m%Yxdgea`3d<&PO|sP#Rp9Ad|B+oS$b z=y7XA%YoAcHdf0S>uXNS?p<`EVt3=l`*Z3|Bl+aRx|n54PpU6H*mzF*y+`xa1>1HB zJE^}<6Lp!sa;AfXs^jf%t-@K+zh%Kkh1v6a zF02f1j4pI3uUWXX?84vUMHj5M?!N!k^@rUt@3P_=+v&Qp+Q)*e4~1RW`q%ncXaD`b zi|m(kwgnomwD!5epIg5DUZ(T^YP+MK#e$fPsFtaixWavAe!!xl?6HdU23P zF;}U!d4z?#es)H>cac$ETCPD=MwW4wNtt(URbGXWiMvs5W}~sP;UziY{C|2BKSi1A zyzSm!CeG>B^>kBx=A(x5N?HFGT;7o@7TV_U^Vh;afuK*{s;|B}zggp=w8@7or>Tc^ zy=;0X&J;~L;O!)RpmL|=-E+cBKU>*t4mUjX`yy7%?7VXAefgR1&9^D7%RacD`TH?x zJ(raaEDdzGgbO{BlBksJo0i{T_R~W42$$4*&1Gy06nFI>PrmBR^Rs^Iz8&EYjhj#W zs(7tooYg7uJMVsjr08b8r#ybEML7N*be-xFF!8e2qvLCP_UD+${Qea7Rr<;DxuTQ$ 
zCO*5W9w&OO%9x4MN2%}Mfh%>hJ7u{V8n{iH7BM&Z85yiy$uGb0=&C>5s_9uS%Offd zND2Aun$XmySn{zhag$!_+Qa6a^{-05{ycwqmd~T(W=~W8zRxe|Zr*&&;JJclobS(| zQxX@y@;|=e`(<@H%hiP2)9g6K`m^Ous>q1E64$wtUBLULIJxP^{eoj=NiX@n^KYG# z{3=^__SKKxtC#sE=gu|V)o#%H`2Q!9J@?OPXiR=O_59S`+MDzn%ox_RD|A<|PYhUF zZ+z#Vt(Df!RPkj7+MDvVxqKat>`VM0C*R|BlvSsb;Srr^-3a;EO5| zqW?ly^?p377j&mWude1{&0BLLuFikIjuc64XsfpjT=@CtOcwFGuN>Yh%~E5zzq{?< zMwSUj75OG?Ombw;&70D@>*5i)_DWOX#V#3#7>kid6Z-A=AFKmU)K?!m{`Bk}_N*pO!)+-?CU)l;gsD#Vw}?^Q`K#RN?!j}Cr3^03mtG6y zlsw&FrgxiVlU8Gh$vah%{HpK869uwZEETGZcDy~cE&1R2Qz3~De3{A~KQQVs-<0(D z7W1s8kH5ViJujdBG=Ifq$-7$9e3MV~X0Li~?fob=nEOQE+eOpsUvx>=M9L-HFzeA< ze#PsLy6WMp7u0R1`(3yywLUUG=hoS^t4!bX8WY1 z-wP4F{MO5|@chN1n%7(NndWJ*?bTH~b zVD0NQlVTO7=(MZ(iywKsrc8p%_-RQL&x?(*it8R&am_L-bnA&U*nj4)FV{=?ZSSMr zl{RaiJ7%P?>eySw!mhXB>c3r-HqM@4=5Xiug?iSh-a(}&4l<>Qt~u9m+_2LB&4-z( z->O;E7;S@U4;4+Eocem-tKU5hN1Af2@7}&PJy9s$VN2Mnw_IP9>;q;LxXS9AP3zAy zsnXBCa-#muv;U{F^0HQ}y!SRJThB}A6WhbC-78)AqF?X(&Dq|nvc_qNUd_Y%ShoqwD@x-D8HB@rK!FIri^!F?43x`=HzFq*i!# z@!N`%X9_K1&IH_lwWa*3PTJe|a}K*H2EmQV~^uer0t3r+*(S)C0P! z_s(53$m`sL9@XTzvi4cc(6ypBLG%wvydqlTpOVTG2&P zV%HOtRE@K`uT6a*`myI!$K-lH&eb9L9Hud)_N-Ub9K53-zalDx>kazqNMVC zj*v%^*w4G_sxQ54DsC%YD807({fYl`ccmB-DSuXpux_|pv@&9% z6@#+)%gn$}js9Y*mdbXTJrz=EY`m;!{#r({*fB87`u5R!doRI%59d8DH2D=5U&xiP zcd`Ceu36LBn%23zdVc8iUhDf?B4Xd)7Ll;5|CPP<(5r7hS*Hof)~+;Ov-w|y#ffXx z7o9)7cW%6JzGm_@%X?F<>6uL3?EQy7c}u&Yl-r3LPZosQDWrS<)HoT{${c$B;sL?1 zfUu9BVz+P|)~#QB*x^j(eYW>6#m4Cy7#+ku|d+B?8(k$5w3em7pI*soT2h; z@-pj}hgOLmoiul~TgBhsXZf;<%B7p-WYc&aoHnXd(7P2>z>>#m(pM&ZOHpIrw%M-t zu7ys${_lVo_{}A zFL2S+oiXuB&1ao;uXs+M-g$geRnrE$ls+Br;_9iYiM+D^T^D%0ZcFa}pQ6*vE`GV< zYPNpGw$%rNv%@04%*@<0fp_x*H;zNeo?n<`p4`*yPJR047+2JiD}1qi+#0ddW26l? 
zE}FagpIZR;xfjld!({|NzOGMRQXD>0)~ETl&a7jh`TYUQioZU;v?h8+*{vC|3U?!g zp38`Gzj9%6U7r6fE%xb$=P$i3y_B6gsixBE&xV`xPBpx-z2POC@8eV|Y^6Q%j<{^h zY3YaNdw11YP3YG6^kUKBi1h6R3m^6~JKjl)&G%w5Z+RRaXnicSl(QvKxKBT!KF7d@ zC;3b3ul|hpnr=&6DMnYj!-3Z%WpL$8NQ8JmbPSB(Hs2-^||+d3O<{D zdBNn#U!JMe#V9bcuSvC0^F7_l88bWik*H?=dP9RddCi3)Umh(#pn4>5{fpH3y!GqY zOXS6$&pkdd<5&B!&k;W6yv>fBo5s(?V{Sv@c|{{`YB1 zlS5IOIX(Z;k#_K$ZVf+9APTDIitu`$ltveJK1&jhCJ%@I}?rsQ;8opmQh)1i3Vt914Q4O8x!?97<|Ug25s zltR6Z`60e-A>pq?(mz<%E5$pdou4!(X7%pVpCuxnZsOWl&%hWH!7n^ZXi~lNvvn2U z*VyWps~qIIFW({fZQ(+>y#0pTCNMo&czN?SgRQTgb-XVPpB?n*n$@nAa;2a4Gsz}r z+Uhe{E=yco*|d~l7gMlw=#kzxsWy?dvN0Cxy56#ISDbO4QB@)LeP->xlOFX+b-Y>E zH|&t-)U4cOcJ%r>S3QbbTqjQLt30;)S;Oaxzl*QQ zZ;45$GU%N%aj$HxO4GLn;UszK$s97)7b36tJ@ed@HS_uwEk}F)-~L6C7L32+${uH{ zY}>xHbe>SdylXP*N$j5T*Hkn&J3jwXT-NeWTd;G=m5)__-P1a&%I_4`shpqLS0NjF zFt^^sXxI0>IZkK%9xl$e;uTz#_tcFu#(&MlqiQSyuFJDg7PPgWEO_-H@_K@<9+5G>*a;#>(6>)p$vG4QS@RC@Admg7;I^`0% zDpI!0&JvosOuj=?&0KPinH&p?pWqMaclTIYFZ}r`yzfDM>2{|LhDuUyT}w^~pJhu} z&fWW5Iy6yzjrErLV7D#KJ?*o;&MCvh;L%{GYJ$aQ~WTpJ)HMzVDg(?#y}%cPE4Ye73%^ z&DTSDdCyrd-@53*#$3*?JXg0G2P*h=a>s{E3I5}<_lnpQ4b>-c55#}}daKiYievWX zOjT1;*Y`inB%)g)Ta9J9KX^3ug<3U}RX zp~!14vvhX1eo9W&WP52+ZvW`EWQNh--+WW Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here). -> Run `hostname something_without_dots` before running the script. -> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname. - -``` -hostname tmp -curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect -bash nixos-infect -``` 
diff --git a/newinfra/secrets-git-crypt/wg_private_vps4 b/newinfra/secrets-git-crypt/wg_private_vps4 new file mode 100644 index 0000000000000000000000000000000000000000..aded7691b27cb6c3c6b5fe6897ee9c9ca273580e GIT binary patch literal 66 zcmZQ@_Y83kiVO&0c)04g>jCFGsm(qWrq<1Nojn4XcXqyKW!M_#BD>5?bwbY0de#@M X!av%+`A5pDf*l)k literal 0 HcmV?d00001