From c3e61363aaba8d3b6e94afe0d7e5b48400215580 Mon Sep 17 00:00:00 2001
From: teutat3s <teutates@mailbox.org>
Date: Tue, 17 Dec 2024 17:59:01 -0300
Subject: [PATCH] flake: update to NixOS 24.11

- fixed our keycloak theme with keycloak 26.1.0 in https://git.pub.solar/pub-solar/keycloak-theme/pulls/5

- fixed broken NixOS matrix-appservice-irc module in https://github.com/NixOS/nixpkgs/pull/375533

Fix warnings:
trace: evaluation warning: The option `services.forgejo.mailerPasswordFile' defined in `/nix/store/13vqhb5askjgi07wqwxawq4bdm7h0wc7-source/flake.nix, via option flake.nixosModules.forgejo' has been renamed to `services.forgejo.secrets.mailer.PASSWD'.
trace: evaluation warning: Using `services.nextcloud.config.dbtableprefix` is deprecated. Fresh installations with this option set are not allowed anymore since v20. If you have an existing installation with a custom table prefix, make sure it is set correctly in `config.php` and remove the option from your NixOS config.

Fix errors:
- The option definition `services.matrix-sliding-sync' in `/nix/store/wgxgv8rjbd2nhf7y28kfzm4n6kz85dnq-source/flake.nix, via option flake.nixosModules.matrix' no longer has any effect; please remove it.
The matrix-sliding-sync package has been removed, since matrix-synapse incorporated its functionality

- The option `services.keycloak.settings.proxy' has been removed. Set `services.keycloak.settings.proxy-headers` in combination with other hostname options as needed instead.
See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed) for more information.

error: The option `services.matrix-appservice-irc.settings.ircService.mediaProxy.publicUrl' was accessed but has no value defined. Try setting the option.
---
 flake.lock                                    | 108 +++------
 flake.nix                                     |  14 +-
 hosts/nachtigall/configuration.nix            |  16 +-
 hosts/nachtigall/default.nix                  |   6 +-
 hosts/underground/configuration.nix           |   9 +
 hosts/underground/default.nix                 |   4 +-
 modules/forgejo/default.nix                   |   3 +-
 modules/keycloak/default.nix                  |   3 +-
 modules/matrix-irc/default.nix                | 213 ++++++++++--------
 modules/matrix/default.nix                    |  17 --
 modules/nextcloud/default.nix                 |   3 +-
 modules/nginx-matrix/default.nix              |   7 +
 overlays/default.nix                          |   2 -
 ...service-irc-mediaproxy-signing-key.jwk.age | Bin 0 -> 2700 bytes
 .../matrix-synapse-sliding-sync-secret.age    |  45 ----
 secrets/secrets.nix                           |   4 +-
 ...service-irc-mediaproxy-signing-key.jwk.age | Bin 0 -> 2700 bytes
 17 files changed, 196 insertions(+), 258 deletions(-)
 create mode 100644 secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age
 delete mode 100644 secrets/matrix-synapse-sliding-sync-secret.age
 create mode 100644 secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age

diff --git a/flake.lock b/flake.lock
index 9f98ebd..1ca3a6a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -14,11 +14,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1723293904,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "lastModified": 1736955230,
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734343412,
-        "narHash": "sha256-b7G8oFp0Nj01BYUJ6ENC9Qf/HsYAIZvN9k/p0Kg/PFU=",
+        "lastModified": 1737038063,
+        "narHash": "sha256-rMEuiK69MDhjz1JgbaeQ9mBDXMJ2/P8vmOYRbFndXsk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "a08bfe06b39e94eec98dd089a2c1b18af01fef19",
+        "rev": "bf0abfde48f469c256f2b0f481c6281ff04a5db2",
         "type": "github"
       },
       "original": {
@@ -185,11 +185,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1733312601,
-        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "lastModified": 1736143030,
+        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
         "type": "github"
       },
       "original": {
@@ -257,16 +257,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1726989464,
-        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
+        "lastModified": 1736373539,
+        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
+        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-24.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -280,11 +280,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731518114,
-        "narHash": "sha256-h9Wb3VjmXBZwTO3prRweUKwp2H9hZHCQKrkbU+2WPQs=",
+        "lastModified": 1738012343,
+        "narHash": "sha256-agMgWwVxXII+RtCqok8ROjzpKJung/5N5f2BVDmMC5Q=",
         "ref": "main",
-        "rev": "060ecccc5f8c92a0705ab91ff047811efd559468",
-        "revCount": 36,
+        "rev": "4ffd7bc8ea032991756c5e8e8a37b039789045bc",
+        "revCount": 38,
         "type": "git",
         "url": "https://git.pub.solar/pub-solar/keycloak-theme"
       },
@@ -320,11 +320,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733570843,
-        "narHash": "sha256-sQJAxY1TYWD1UyibN/FnN97paTFuwBw3Vp3DNCyKsMk=",
+        "lastModified": 1737926801,
+        "narHash": "sha256-un7IETRNjUm83jM5Gd/7BO4rCzzkom46O0FDMo5toaI=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "a35b08d09efda83625bef267eb24347b446c80b8",
+        "rev": "62ba0a22426721c94e08f0779ed8235d5672869b",
         "type": "github"
       },
       "original": {
@@ -336,30 +336,30 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1734202038,
-        "narHash": "sha256-LwcGIkORU8zfQ/8jAgptgPY8Zf9lGKB0vtNdQyEkaN8=",
+        "lastModified": 1737885640,
+        "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bcba2fbf6963bf6bed3a749f9f4cf5bff4adb96d",
+        "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1733096140,
-        "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
+        "lastModified": 1735774519,
+        "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
       }
     },
     "root": {
@@ -387,22 +387,21 @@
         "nixpkgs": [
           "unstable"
         ],
-        "nixpkgs-24_05": [
+        "nixpkgs-24_11": [
           "nixpkgs"
-        ],
-        "utils": "utils_2"
+        ]
       },
       "locked": {
-        "lastModified": 1718084203,
-        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
+        "lastModified": 1734884447,
+        "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
+        "rev": "63209b1def2c9fc891ad271f474a3464a5833294",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
@@ -467,28 +466,13 @@
         "type": "github"
       }
     },
-    "systems_5": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "unstable": {
       "locked": {
-        "lastModified": 1734119587,
-        "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
+        "lastModified": 1737885589,
+        "narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
+        "rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8",
         "type": "github"
       },
       "original": {
@@ -515,24 +499,6 @@
         "repo": "flake-utils",
         "type": "github"
       }
-    },
-    "utils_2": {
-      "inputs": {
-        "systems": "systems_5"
-      },
-      "locked": {
-        "lastModified": 1709126324,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
     }
   },
   "root": "root",
diff --git a/flake.nix b/flake.nix
index 611d0e1..c7f18a6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,14 +1,14 @@
 {
   inputs = {
     # Track channels with commits tested and built by hydra
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
     unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
 
     nix-darwin.url = "github:lnl7/nix-darwin/master";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
 
-    home-manager.url = "github:nix-community/home-manager/release-24.05";
+    home-manager.url = "github:nix-community/home-manager/release-24.11";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
     flake-parts.url = "github:hercules-ci/flake-parts";
@@ -37,8 +37,8 @@
     element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker";
     element-stickers.inputs.nixpkgs.follows = "nixpkgs";
 
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
-    simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
+    simple-nixos-mailserver.inputs.nixpkgs-24_11.follows = "nixpkgs";
     simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable";
   };
 
@@ -108,9 +108,9 @@
               nvfetcher
               shellcheck
               shfmt
-              inputs.unstable.legacyPackages.${system}.treefmt2
+              treefmt2
               nixos-generators
-              inputs.unstable.legacyPackages.${system}.opentofu
+              opentofu
               terraform-backend-git
               terraform-ls
               jq
@@ -132,7 +132,7 @@
           system: deployLib: deployLib.deployChecks self.deploy
         ) inputs.deploy-rs.lib;
 
-        formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
+        formatter."x86_64-linux" = inputs.nixpkgs.legacyPackages."x86_64-linux".nixfmt-rfc-style;
 
         deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
           nachtigall = {
diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix
index 62dc644..11daca5 100644
--- a/hosts/nachtigall/configuration.nix
+++ b/hosts/nachtigall/configuration.nix
@@ -73,22 +73,24 @@
     owner = "matrix-synapse";
   };
 
-  age.secrets."matrix-synapse-sliding-sync-secret" = {
-    file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
-    mode = "400";
-    owner = "matrix-synapse";
-  };
-
   age.secrets."matrix-authentication-service-secret-config.yml" = {
     file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
     mode = "400";
     owner = "matrix-authentication-service";
   };
 
+  # matrix-appservice-irc
+  age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
+    file = "${flake.self}/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
+    mode = "400";
+    owner = "matrix-appservice-irc";
+  };
+
   pub-solar-os.matrix = {
     enable = true;
+    appservice-irc.mediaproxy.signingKeyPath =
+      config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
     synapse = {
-      sliding-sync.enable = false;
       signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
       extra-config-files = [
         config.age.secrets."matrix-synapse-secret-config.yaml".path
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 100759a..e928436 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -9,12 +9,10 @@
     ./networking.nix
     ./wireguard.nix
     ./backups.nix
-    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
-    "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
+    "${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
   ];
 
   disabledModules = [
-    "services/matrix/matrix-authentication-service.nix "
-    "services/web-apps/mastodon.nix"
+    "services/matrix/matrix-authentication-service.nix"
   ];
 }
diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix
index ff1c809..49efdfe 100644
--- a/hosts/underground/configuration.nix
+++ b/hosts/underground/configuration.nix
@@ -42,8 +42,17 @@
     owner = "matrix-authentication-service";
   };
 
+  # matrix-appservice-irc
+  age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
+    file = "${flake.self}/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
+    mode = "400";
+    owner = "matrix-appservice-irc";
+  };
+
   pub-solar-os.matrix = {
     enable = true;
+    appservice-irc.mediaproxy.signingKeyPath =
+      config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
     synapse = {
       extra-config-files = [
         config.age.secrets."staging-matrix-synapse-secret-config.yaml".path
diff --git a/hosts/underground/default.nix b/hosts/underground/default.nix
index 5a612a4..99fe5f9 100644
--- a/hosts/underground/default.nix
+++ b/hosts/underground/default.nix
@@ -7,10 +7,10 @@
     ./configuration.nix
 
     ./networking.nix
-    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+    "${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
   ];
 
   disabledModules = [
-    "services/matrix/matrix-authentication-service.nix "
+    "services/matrix/matrix-authentication-service.nix"
   ];
 }
diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix
index 744d618..0de30ba 100644
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@@ -65,6 +65,7 @@
 
   services.forgejo = {
     enable = true;
+    package = pkgs.forgejo;
     user = "gitea";
     group = "gitea";
     database = {
@@ -75,7 +76,7 @@
     };
     stateDir = "/var/lib/forgejo";
     lfs.enable = true;
-    mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+    secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
     settings = {
       DEFAULT.APP_NAME = "pub.solar git server";
 
diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix
index 38da6cf..d924717 100644
--- a/modules/keycloak/default.nix
+++ b/modules/keycloak/default.nix
@@ -50,7 +50,8 @@
         hostname = "auth.${config.pub-solar-os.networking.domain}";
         http-host = "127.0.0.1";
         http-port = 8080;
-        proxy = "edge";
+        proxy-headers = "xforwarded";
+        http-enabled = true;
       };
       themes = {
         "pub.solar" =
diff --git a/modules/matrix-irc/default.nix b/modules/matrix-irc/default.nix
index 1b4fa82..c026d8c 100644
--- a/modules/matrix-irc/default.nix
+++ b/modules/matrix-irc/default.nix
@@ -16,111 +16,128 @@ let
   synapseClientPort = "${toString listenerWithClient.port}";
 in
 {
-  services.matrix-appservice-irc = {
-    enable = true;
-    localpart = "irc_bot";
-    port = 8010;
-    registrationUrl = "http://localhost:8010";
-    settings = {
-      homeserver = {
-        domain = "${config.pub-solar-os.networking.domain}";
-        url = "http://127.0.0.1:${synapseClientPort}";
-        media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
-        enablePresence = false;
+  options.pub-solar-os = {
+    matrix.appservice-irc.mediaproxy = {
+      signingKeyPath = lib.mkOption {
+        description = "Path to file containing the IRC appservice mediaproxy signing key";
+        type = lib.types.str;
+        default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
       };
-      ircService = {
-        ident = {
-          address = "::";
-          enabled = false;
-          port = 1113;
+    };
+  };
+  config = {
+    services.matrix-appservice-irc = {
+      enable = true;
+      localpart = "irc_bot";
+      port = 8010;
+      registrationUrl = "http://localhost:8010";
+      settings = {
+        homeserver = {
+          domain = "${config.pub-solar-os.networking.domain}";
+          url = "http://127.0.0.1:${synapseClientPort}";
+          enablePresence = false;
         };
-        logging = {
-          # set to debug for debugging
-          level = "warn";
-          maxFiles = 5;
-          toCosole = true;
-        };
-        matrixHandler = {
-          eventCacheSize = 4096;
-        };
-        metrics = {
-          enabled = true;
-          remoteUserAgeBuckets = [
-            "1h"
-            "1d"
-            "1w"
-          ];
-        };
-        provisioning = {
-          enabled = false;
-          requestTimeoutSeconds = 300;
-        };
-        servers =
-          let
-            commonConfig = {
-              allowExpiredCerts = false;
-              botConfig = {
-                enabled = false;
-                joinChannelsIfNoUsers = false;
-                nick = "MatrixBot";
-              };
-              dynamicChannels = {
-                createAlias = true;
-                enabled = true;
-                federate = true;
-                joinRule = "public";
-                published = true;
-              };
-              ircClients = {
-                allowNickChanges = true;
-                concurrentReconnectLimit = 50;
-                idleTimeout = 10800;
-                lineLimit = 3;
-                maxClients = 30;
-                nickTemplate = "$DISPLAY[m]";
-                reconnectIntervalMs = 5000;
-              };
-              matrixClients = {
-                joinAttempts = -1;
-              };
-              membershipLists = {
-                enabled = true;
-                floodDelayMs = 10000;
-                global = {
-                  ircToMatrix = {
-                    incremental = true;
-                    initial = true;
-                  };
-                  matrixToIrc = {
-                    incremental = true;
-                    initial = true;
+        ircService = {
+          ident = {
+            address = "::";
+            enabled = false;
+            port = 1113;
+          };
+          logging = {
+            # set to debug for debugging
+            level = "warn";
+            maxFiles = 5;
+            toCosole = true;
+          };
+          matrixHandler = {
+            eventCacheSize = 4096;
+          };
+          mediaProxy = {
+            signingKeyPath = config.pub-solar-os.matrix.appservice-irc.mediaproxy.signingKeyPath;
+            # keep media for 2 weeks
+            ttlSeconds = 1209600;
+            bindPort = 11111;
+            publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media";
+          };
+          metrics = {
+            enabled = true;
+            remoteUserAgeBuckets = [
+              "1h"
+              "1d"
+              "1w"
+            ];
+          };
+          provisioning = {
+            enabled = false;
+            requestTimeoutSeconds = 300;
+          };
+          servers =
+            let
+              commonConfig = {
+                allowExpiredCerts = false;
+                botConfig = {
+                  enabled = false;
+                  joinChannelsIfNoUsers = false;
+                  nick = "MatrixBot";
+                };
+                dynamicChannels = {
+                  createAlias = true;
+                  enabled = true;
+                  federate = true;
+                  joinRule = "public";
+                  published = true;
+                };
+                ircClients = {
+                  allowNickChanges = true;
+                  concurrentReconnectLimit = 50;
+                  idleTimeout = 10800;
+                  lineLimit = 3;
+                  maxClients = 30;
+                  nickTemplate = "$DISPLAY[m]";
+                  reconnectIntervalMs = 5000;
+                };
+                matrixClients = {
+                  joinAttempts = -1;
+                };
+                membershipLists = {
+                  enabled = true;
+                  floodDelayMs = 10000;
+                  global = {
+                    ircToMatrix = {
+                      incremental = true;
+                      initial = true;
+                    };
+                    matrixToIrc = {
+                      incremental = true;
+                      initial = true;
+                    };
                   };
                 };
+                port = 6697;
+                privateMessages = {
+                  enabled = true;
+                  federate = true;
+                };
+                sasl = false;
+                sendConnectionMessages = true;
+                ssl = true;
               };
-              port = 6697;
-              privateMessages = {
-                enabled = true;
-                federate = true;
+            in
+            {
+              "irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig {
+                name = "libera";
+                dynamicChannels.groupId = "+libera.chat:localhost";
+                dynamicChannels.aliasTemplate = "#_libera_$CHANNEL";
+                matrixClients.displayName = "$NICK (LIBERA-IRC)";
+              };
+              "irc.scratch-network.net" = lib.attrsets.recursiveUpdate commonConfig {
+                name = "scratch";
+                matrixClients.displayName = "$NICK (SCRATCH-IRC)";
+                dynamicChannels.aliasTemplate = "#_scratch_$CHANNEL";
+                dynamicChannels.groupId = "+scratch-network.net:localhost";
               };
-              sasl = false;
-              sendConnectionMessages = true;
-              ssl = true;
             };
-          in
-          {
-            "irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig {
-              name = "libera";
-              dynamicChannels.groupId = "+libera.chat:localhost";
-              dynamicChannels.aliasTemplate = "#_libera_$CHANNEL";
-              matrixClients.displayName = "$NICK (LIBERA-IRC)";
-            };
-            "irc.scratch-network.net" = lib.attrsets.recursiveUpdate commonConfig {
-              name = "scratch";
-              matrixClients.displayName = "$NICK (SCRATCH-IRC)";
-              dynamicChannels.aliasTemplate = "#_scratch_$CHANNEL";
-              dynamicChannels.groupId = "+scratch-network.net:localhost";
-            };
-          };
+        };
       };
     };
   };
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index 53fbb9a..d1b2fc2 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@@ -32,11 +32,6 @@ in
           type = lib.types.str;
           default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
         };
-
-        sliding-sync.enable = lib.mkEnableOption {
-          description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+";
-          default = false;
-        };
       };
 
       matrix-authentication-service = {
@@ -339,18 +334,6 @@ in
       };
     };
 
-    services.matrix-sliding-sync = {
-      enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable;
-      settings = {
-        SYNCV3_SERVER = "https://${publicDomain}";
-        SYNCV3_BINDADDR = "127.0.0.1:8011";
-        # The bind addr for Prometheus metrics, which will be accessible at
-        # /metrics at this address
-        SYNCV3_PROM = "127.0.0.1:9100";
-      };
-      environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
-    };
-
     pub-solar-os.backups.restic.matrix-synapse = {
       paths = [
         "/var/lib/matrix-synapse"
diff --git a/modules/nextcloud/default.nix b/modules/nextcloud/default.nix
index 662d1ce..9cda818 100644
--- a/modules/nextcloud/default.nix
+++ b/modules/nextcloud/default.nix
@@ -27,7 +27,7 @@
     home = "/var/lib/nextcloud";
 
     enable = true;
-    package = pkgs.nextcloud29;
+    package = pkgs.nextcloud30;
     https = true;
     secretFile = config.age.secrets."nextcloud-secrets".path; # secret
     maxUploadSize = "1G";
@@ -45,7 +45,6 @@
       dbuser = "nextcloud";
       dbtype = "pgsql";
       dbname = "nextcloud";
-      dbtableprefix = "oc_";
     };
 
     settings = {
diff --git a/modules/nginx-matrix/default.nix b/modules/nginx-matrix/default.nix
index 1d82c10..f6274d8 100644
--- a/modules/nginx-matrix/default.nix
+++ b/modules/nginx-matrix/default.nix
@@ -120,6 +120,13 @@ in
           extraConfig = commonHeaders;
         };
 
+        # For IRC appservice media proxy
+        "/media" = {
+          priority = 100;
+          proxyPass = "http://127.0.0.1:${toString (config.services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort)}";
+          extraConfig = commonHeaders;
+        };
+
         # Forward to the auth service
         "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
           priority = 100;
diff --git a/overlays/default.nix b/overlays/default.nix
index 33f0e1d..af9faa9 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -16,8 +16,6 @@
                 element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
                   inherit (inputs) element-stickers maunium-stickerpicker;
                 };
-                mastodon = unstable.mastodon;
-                matrix-authentication-service = unstable.matrix-authentication-service;
               }
             )
           ];
diff --git a/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age b/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age
new file mode 100644
index 0000000000000000000000000000000000000000..f38c861d512a5f58b2aa81d330314c231f79f3c5
GIT binary patch
literal 2700
zcmZXW`^zkK9mlf{sDqURmW9=mp@_rd%<SyU&J-4N+nJrc%+76RX5)Z!+nL>+o%_yB
zM9aWTDJvwgKuqzNR1jI&)lA4s1xG6)tW%VB{2?{Tz|<dl3XX*R1E1ID^W}Z{+JS%Q
z$8O%H<vNM4Nb&%x5a9452SpJc`d$yi5b|KnjyH91Ky6{mVss2-mfG6QOawEwo}@a_
zMhe(@Kh+E(-MhJB3tK=M2N1K$Y|wBMMRbA~G`&phN~XdKa6ws3&vXkH38szpM%vzT
z*;#$i4r9EXlLdiHv~bho<_oYKOw7GVDL#dDGubIbt3T@@Q~)TuI8W)29`YF1Xrr~F
zEtRQ|(-Fna#(d+n!~Lp1?PzJlouTE0eXznbAqjx3E9z`VN&&q`1`TXZB7TvX!Pwhr
zz9r6z1WI(9=qz-{Zy8*ol3^uQT)e6MY^aAi1&m5-Za}y^(-yL12gAPCO6HCewA^S6
z81or0a{Bxzno8p#NA`HO9<jn$Cp|{2a@E9ujEARHK?)0BRy&1_Y;~LjbWjPPjxHK=
zkSBX|0SS_ttaWP%uEmM5$d@)b&cM!{`81&VcxBehoWd}gYQ%v{?LeCI`ypW_gaD7%
zHAaMd0yQ~eNi~j+mUQ0%=P^Yq;&3n%0CSX>veTupQyCy<2axBFmwaV}JB=Nz2z^f+
zy+NFfXfWBD<SKBvUe%DL*GDrG!{$T4>rI<o460jVvdec9soapPHbRVTvF{@b15Vaz
zG}BkR1<fJ_qf2$>oA7>$X6XvnQ{DkUO9;2sZi=90rpf#s92Lqgiv|_t`_7mlnw<lS
zNT(5?7{x<qfk~!TWaVt_L(_4J^T2e^(zXsF4BZD)u5dI+aJZu*j0PFEo;oI+e#}RK
z-uNvZE!Vydqj=g<Wu7EVP--kN8;iz_7hJ5bO}sE|D<&(|o>(AgB{yql7$fkomQf+?
zYlDnqs6>GV@{YiZiKr9A!~=|V74CD1i!eqcIdQz4dGV35hMEUXmIIciO=dIS3l=-q
z#Ts|z{&2vqv8E?<GRbbD4sfL<qQu)Zx|=6(FW4u1gF8?@4QMLj2yB^+ozz&jeR=Qx
zua37vR)r~GT}WtuI<J)+ZX3_lA$_bZX~WJpLEXuL+SVRyGl&b3E#tSsa_DW`g2_U}
z<H(e+TtF4}RF<)DU?)vED7mOqHl4>*$*NmrI|mFzSlsk<mmSDlg^>)JFMYg+R!BBt
zw1rUvV9^gZJd7v0Wz`e1mt&I>sg$%4!M=^g3g;KeXfPk!xXi7pkT*<%$jJe04Cksa
z&^f@SB_Yxls}c`lOKaz$N1$Oqs=+=)QCt!#Cq7yl+he2LF`<y&Lfs(pX?WqF;+C^V
zK(DP*q&H!A?Y`r;`$8DPGOtFcx(l>)<<870+_xNG7~}EM4NGnkdGpHKW01VkT+v4X
zW>i9pW?_q^PYy!7VO_|Ysk$4>i_k}FP3%K?z@`y3wRw9{b<+wVtPLeX<;cr0hz8hM
z)mb`L`0<>I<t4w-W}&Ug+P-u(OO0?|4<Z^C>p9^<dO_61k^ZZ4Hz-{`Df>kOFs9Yb
zxe03_Il3%Cs}%Jl78001*DfO+4K4d+YQo#LN(z=~QJ<++eXO0Tb2`ABjR!>BXzZb~
z(()kGu0(JdD_8|}&Pd`-uk-y#mT{ve@8+bGI3gcfx<Qg`s;#D@JlJMEfbT4;K+`?n
zc1$MBtX<`e&}6{HeM?EFvvgBBy;@?s6^-?GOzA1ha0LxYEpN80kxMo(TaiAf8G4bi
z>sl)I));P3O#vrU2m%AFj@BcVjjFXr5dYC}x~>k>9)=%ON;f}>eyV~vJ57j?3@0Lv
zQTlF3sb;RlA)%8ziOz7uWu-iJRz?aGncg#+rJ;4p7+I&v-e?I?rTW^gq_;*jora+>
zX9<Xg|Ld98SzVSv>mydyCX10U!Nv)qA*5$k{%lC9XpC%j9L_OQWeD?*%Xd}20y=5{
zTWOnf#k$xU8qJE^3YNA6na@X=oEJRi>U(CU2IcGiJkz1pP?d_{phiudZg=QLY+E|r
zS#mF2l@&DC)>BK~Z0u3RhPqsBgGL7whg(!jdpNO$d_^P8oKj<3lQce4R`Zk{@nla~
zH)sw+`k6F1Lt6_A9HkEMrq(=##>dc6AqZhaiB&XI;gBIpWnUSU6a<O~vV7hUKsO(|
zh(jeuZH_~HN>nZ#FcWR!Ok$IY6r`OACD&_?>LPd}jb0S3Mjf<r%qUWk7-nB%nrTgW
z*+5nH?Mf2I_3S8}DUwxbJSXZAz`JX@o<ew}ljs<fqy@bM)m|d_L%rTiS!vN{JX4hf
z8~Q&Qh%S1Oe6U9MWhdtKa0@2h)>>LMh$3Qw7m>qs@o-to8S2inS+SvjgxEJo0jiE!
zi8iP1^j!{@Z83~{HX9s$BvNbMS9${}l&8Sq;o-q5SSc-6^L<`360e&>vb`gHxHlaw
zD1kk4k~j>(9WHNL3OMiN3E&&IeQoxO<8OWLvOhlb(mD6N?eTwtw=QnF@;2eMZ^@US
zcQX&a2<(IJy;A@Br*{xn-FXtfxj}Ax(7E6f$fZ9Ct`VH)o`~j`{^k#_Ja(RP>BoNb
z!l`?{|0w+3_ipgB@4Wfg@mJt?Jb&Wkd)|5Yz*Qf@e~%n{@tFtiJMnI2cz@r!?1l@)
zP5Q29u7Bdzdk;^a`T+I9_U^x2{^=fZJh=LoZwD`Y^rlDN{4?$R&;I@NHTVAfq3xH?
zzV_JgkolE&`FCChPt@nM_Nnu~*~6#TtsilJaLegO-}JBasquB!K6%@#mwxd}KYrnp
z;{3JWp89(5nWtYq>vK1ye-+<y`;~WHcgOqCm%noRxfk63<i%foX&Bw2zkl-}@a;%_
z_O6R=*j{uTJ1w3*aqc}AT&Z9Q(*Eh<SHJLuV>kZosXw3m$JH->^n;(jekHjdzT}6W
e`uJnE4L|+(>cswu_=?f}FFkwK4bMOPyMF_GT&F$&

literal 0
HcmV?d00001

diff --git a/secrets/matrix-synapse-sliding-sync-secret.age b/secrets/matrix-synapse-sliding-sync-secret.age
deleted file mode 100644
index 088e91b..0000000
--- a/secrets/matrix-synapse-sliding-sync-secret.age
+++ /dev/null
@@ -1,45 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 iDKjwg GPTqfaZZC6ze7BUkT1uF4VslvE29BFKm0+AlJk+DKQQ
-GxI7erqw8p3GrCArh5vZOiTmYh40DVisCphNyFhNTqM
--> ssh-ed25519 uYcDNw oo52Nh9BCO5NNF0YyzracKfvMifSiREsxyQqiRZ6WTs
-JvqwRX5yOMtEYgWyc7dIQs85wDghMRHQCIi6t5QxIwo
--> ssh-rsa f5THog
-w+B5hc0E9u1fFWNNPaTtPmJfPJWUBbRwHYK/T69g2ORNfaBYynl0LL4vSUs8o9Gw
-rwBY+cLpth6e4tS819H5C7HtvT47KR3KF8JLxVjA2mbVO83+BnWFjThjYB452CdI
-KZvQQPhkSH/43YF6pjxnQjNWB/wroScyjGVtUamcij7YHxt71z0AAnyqE5PgWEc6
-6/ao5gLfTKhcWpxkTTz8LHn05s9IppXywDrvpwtJaU8LKgJT2H6Epsaci348lG+I
-tAZYODhQqP+yKl92DZbuQQCjxH5CJfhdBs2ZR63hQPj9OrIFRjLg4V+1gdcxzAuz
-9FwwIeLq3uxWXPdwTRR8RUsHEGhKMcVty4PkW0vlt+VwZrZBhdz3k+ApVG7Jvclz
-MPZYLzKC0DiODqPuA23ye6suFRCHXYfq3ZyCIIN6wOci0X0crSr9ZXW4M8R7aWaZ
-XDeZRaUgvd54WI0HZhVWBvJQyswgUXf+/RkS4aI8IgnNV801x12h+mTdWX9BC/cD
-YRIWBnGkfTX4WM4OEE2VEgqSDuKl/90o2LFIquIIJULVd2Vs5C2S8FhJcsT7+HmL
-TFWnLeIfGbw7RDUeH0c/Bbg9NK11SZF0/VdRZcBQ/zIXBMBlL1EZsH1HfIfhKISN
-PyHFB5kfmuVIBhDXgtDdgjKfDmQL9/9Aq1U4ZMBcUKA
--> ssh-rsa kFDS0A
-KysKtr7wrKKJ8w+Dj7qjJstyXtKIw9weFi9oVwJkMvy2utn+JARs7puh7KC27TXC
-slZJrHf4vx+y8qSjRS0W4z8CPl8/auiYOilepT9JoxwGUP7J/nTr5SCofgWcdZm5
-FtgHoCcABjzcF+mrKUofuqrx6oYSDCS0JkV2tClQI6ybXnjRwIIicLmBN9UDHCuU
-9ZOesYp5XrJyBoD3Zv51b19xJyOfuWAUQvlNPRH2TpgvisutpESU/o869z5AMn4Z
-BfDD/0oR1ALbk/sB3r13Xi6oJZAB2AbggoQRlwvPeWc3MdS+bFNV2o2ue0ov6Fkd
-U5C/GnJVlyE0cv9I+YvxtLT6T/Gf/yoUZGfB7xD5QkHpMIEmKxUYqGNBB/NcnFMY
-Tal8jMDtZDEk+uk0MahE7GsL6Z3xrkKTevG+Rr3j+beFYie2RJbNwwUyQ1lL3EoA
-Rx1AMk+nYlvxVHiciYJNh9nffgAXXwO255IkWvYzmuPBEP1LmqadA4fQPf5Rgj3u
-DuOX3hJ+rIyRIoDXOZio3SDf+bb380xCxF+7efJ27Ep0sFviAq5qKeptbyt51Dp8
-tlbeYAylhVbV9Zgd+EozwE7Btlfqt3sbUij/0Iy+BdOYSPLmvx3oKybpipZ0i3fo
-KR/bZHlMKF1Ipd5L7zEwh5aTjImuomoyRyZG3NWdv44
--> piv-p256 vRzPNw A7FwWUuml/VyHcOmha3R/DOg1RvnRXcwjaJJH/sgmsBR
-+CP1/qY8sHbR7nkFl1T5HPsjYLRPDCSR01DEJaim96o
--> piv-p256 zqq/iw AgYhaJWqe+QbVCHkXsU7AQhWhte/fjwVbOgmHVRPHsEE
-7jNmDI62i/9RakJhbo3MP0qMgXYGlhAW9BKo8HLWQYc
--> ssh-ed25519 YFSOsg cGPMyhqcd20TDBeMkSDJ8hQ/vE9cuDgVi1hfcwAKVjw
-U9GRSr607w5oUGr0rC6XqdWMD65JidY/Ri3Ex1dmGXI
--> ssh-ed25519 iHV63A cW7bblsvL1TwI6lp8KjPfUwB5EzWilLhc6Z2geE3SQw
-PzBdZ/LXA7iGI7ZjErredqC7ehHsr5MCY3qENv0nZI8
--> ssh-ed25519 BVsyTA AGDqp6Rrp2vStBU9+eJMGf5O4SZQIASE63n8vbf8PEs
-SFakjoivQrFkSUBGZ9sISKVhAxNOpc2RxugiBTSK9/k
--> ssh-ed25519 +3V2lQ MmMv45CQFAdgkV/B7InOY22iXzvIU8TY41SV5Jxx7RQ
-vNIRE5wSXVzy4miZLV90T1TEOhOjYQT12GWtZpsTxJ8
---- EBBXvYr1OpETpgXOsUfJn6h1e4rXF+olz6DbhDUWCcw
-.�
-�s�~���Hͯk�	2 ��9���Bz��?�3��T�J`�g��P��io��r���" ���w�s-K�6��f�
-�0XΌv��X�&�8
��g�=�zrH�jh>
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3678d9b..9bf2f9d 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -67,12 +67,14 @@ in
   "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
   "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
   "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
-  "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
   "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = nachtigallKeys ++ adminKeys;
 
   "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
   "staging-matrix-authentication-service-secret-config.yml.age".publicKeys =
     undergroundKeys ++ adminKeys;
+  "staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys =
+    undergroundKeys ++ adminKeys;
 
   "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
   "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
diff --git a/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age b/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age
new file mode 100644
index 0000000000000000000000000000000000000000..8b4a65e029928738665148cc8a1d6238d738159f
GIT binary patch
literal 2700
zcmZ9NTj(?e8HY^^YA(zJrJ~>;vozPw*`3*$oz>LlxO3Q@nVsX#_EF939Cwa8v$JzZ
zLK5=CCuUGoA8J_{c2Shr*+5Vu47EfF!%(Q3NDw6i1N(cSkoPa|^IrVk-(v^f2`}4}
zU9pey?3%m`z{3bQal=tng(o~0LXgq)h@Y0wI5@(jdcc&iS{X$$fveCANQ0nlllPVN
z2CLx2MfN%sVNE{<<Wxm;JSJ2HPgh%VmUn~;(J(0T5hX=q4rxRiM2fv$Z{AO<tqmnM
zM=T1HNNNm1KiAx4o9*YaTNrM=%F(tz5Q3(cy;)VlfQ|vf#x}>7j+IH?B2i)3dud(N
zt}jlOIH{zE#NJJK3iVy~Jz81WM?Rvlc>vI>1GVjn<xXu%frXrD(<oze1Cvd@Ak;mJ
zi>Nd2qk*_aEO61Sv|xQ$v%2pSOusHm1DL^!T(lU9+%95%RqOt0M(gcnBsV=BuBi|n
zYI*8u{Z7UmYT#Gla0b_$ZF^MamP@n*S{^fa9-kCzG^u7xA0dJ`i<e8@8>+LzBq=~5
zlMpNOkv=MQaGZAa03Q^|d^GY1mf8V3(zi^|8`P<hMv>1e+aV=wEW2j5yqC3Rv-DGc
zgM*2ixD2Nno?HwOyzKQk4{CGG0#<4r9h%LO!0Haq+QJMaLuCVbpbL#R@Qpl5B51l3
z6<lylnP)th4g0<gAcPBR(meoyxS?~ZU<iq3@e1}*dA5scZsXuR9%%4BcNwQ$=@b!-
zOSS1qEWvx4p|+SBwL&(Y0KQZlg1zpJsBqEf8!54|iJoJo<>bNKBNu)+!=i;V-Hiwi
z+3yL^U=^p44qm5Z^FST}Q9~PeTr?<HSV>Fmm039m#bnpSGh!_*T2uiesH(Hp&QSWG
zR&>z^HA?nX*H~ONL;#hQ!xd73qC{_Lk8IR29Cie*ISOl8p=AbLv)^~s&NHXcO6vBw
zIOdwEGpuQ%UI?uN5TgQ>cn+asIJUgx_)KQ1Fuiz4rW|LEmkL<z4t+}7JIEXgb&=87
zz_1$3<y4a6vl5W~hD}r~SMXlylJz(a!>-H^Qk>>S-)re?x}10mO5c?6yI=E8j$?*W
zhd4lJL%OSzVX69^t>{o13L!nFxRlx*lF09Ni?U!tQ&qV}6PFn3BGnY(Y)F(x`#GpC
z0VJ>*iWtCfz1(x<fh|`!Evpa$5>*v(i*4yZ!*SlxvLw0KA|`OQS~T;?h}vVvu~Zp=
zLy=LrX&26X<8(xgh(SOt=BO|c2BR!qD3ZkNbP9*qxsV!&s2vDYHj7wKTWNJrK?TTp
zq{5~K<P7PdD4;twI$q1tSRswXHOlL09FLuBJ2a7jTxxLO)+2aN8RP(G>CHaG00o5>
z(R^t#6(u?72;I4OzOxyg?r0%0<$mm2?9%5Uu&8TM@%H1OjibpbWBkfz5ONBvyRluV
zVI-GQ*R%p*9S~CQ8G@46v^-<jPU+3L5v5B{u)sd(vQ&^Pl?+m?-f{ze0AwQGCv1g#
z+h9J?1aHbk{a7~BeiTUw7Z$SXLqZTs#fA*m^&s&qrWBfzqN)xXhWQq76mx7Ub&Ln5
zBEU8(kMt?L7N&M<b9l9l9QL41hNHQng=`Bg)m6+NV#=JOUTCL91OgfqN8rStRM9^5
zE4oWW7V#HYl*lc#P*%(Y4#!dfDu+OIF|vn4U)*?b7)ubW3~Y)5YMsD#iy~8GkKvXa
z=#-miLWuM6dXHv9Iia_U7GL%I48wWX*4QjHr{R9S#5>ZSc~u595UBgv0^Ta*$TB4_
zOPpiFfI%|$OxLRqQnNQ^I2qfK{!WgI=y0Nd5cKGv^zw1_;~C>v@T`jo)4?|CKB?vP
zQe|{w!;TepgS(m_ks(1z<WvC&Vz_eliCdcM#N@Sl&BFb9=ZS-sF^ZLwOc560=A`Wg
z`Tw!{-42Y7Sy9(AV&0CX`c{ooomPz$CDxl|-Z?FTcx<?Ix#<)uc_jrV{95*DDYWbm
zH6S{kLzq1D%T55Llo2X!MoN6Pa64r7o@d^5sKuyK6&y)2pAMs(akA>LUa#iDF6y`{
zmd%w~6~}enCsJp5)ZQ{1AYRs?P97$Li0yLDU~Lfh7n-e)hQdZ$4d=ux?`;B0lahY7
z4c?_itbxM#(aLY<ks9i8s2l`b$z@X{aCs!A@nQthv&5SDrPVbnueAW#7FeHI76&hs
z)y_ASm32I@U(l=z?XeCgqBVzecvD6A`)PzxbsBz@cZm)c<7!hC(-G6PTZ+W9%yK51
zViAL~yw*lSY@}94>%amQ@WIxgd>oc-YM!dD;TH253(d3{w}vLeb{UzOGsGh9{j>pW
zK*{nbl_9&(1+>K5q$hUEz-etKbfnSdSiipCQ+csfgUNKetblH&X|)N_+H{?u;0Rt(
zqmg1t;-=l;2$si-!$hkpqr=PqIC0{{k>fNPgsKo;@h08DIF=2TA?{MN>oz*6i-^m{
zXuI1g1`T|m_{mkzoc&W4xxu+@|B+8#IDF>H^npiC0>8WP)O|-0`nkhbFMaK*GWweF
z`5*uBOD_OF!iVRP%vpC|{@wDyyKcGU{NlFL_;dU(AHM(PPiW;wpSt{mPoQUFr$1|a
z;nV{+&z0X-mz`1Zf4cX3YW4AdpK%4Z`R_x;shm0c<n);*@4M!C@H4O6ed)8S$1Z#5
zcH^$Azj5PRkD#~w<*yIj-!V6RaZ0{=?n{rwukyFH*PS9S{pZ!!+>u%*&zih7F5iCi
z`QO^NK2BVJ=PW<-^$Q;O)*0vh?2T_Plq*i3dC_m4{n$Czo_F!?74)KOKXniF{rm1c
z>z)@Ly#A&~??}G#_&Jw6eR22UHzbJu&x;QC<RyQv{&m4ix4rr+Y8qX6?h{Wd_k6nk
z=E)mxe)`4pKXl#czkTP+{h!bN^&hS|b=~Xhi?4tCVfO1kc<RmJn*;jgpFgp^{TI(&
V`;Q-bw0-hQuJ`VI?Y{J~{{gvUo`nDa

literal 0
HcmV?d00001