servo: add munin for monitoring/metrics

this is especially useful for `coredumpctl`.
maybe useful enough that it should be in `environment.systemPackages`...

flake.lock

@@ -69,11 +69,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1665643254,
-        "narHash": "sha256-IBVWNJxGCsshwh62eRfR6+ry3bSXmulB3VQRzLQo3hk=",
+        "lastModified": 1665732960,
+        "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ba187fbdc5e35322c7dff556ef2c47bddfd6e8d7",
+        "rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
         "type": "github"
       },
       "original": {

machines/lappy/default.nix

@@ -11,6 +11,8 @@
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  users.users.colin.initialPassword = "147147";
+
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
   #   - hourly snapshots

machines/moby/default.nix

@@ -75,7 +75,5 @@
   environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
   systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";
 
-  users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
-
   hardware.opengl.driSupport = true;
 }

machines/servo/services/default.nix

@@ -8,6 +8,7 @@
     ./jackett.nix
     ./jellyfin.nix
     ./matrix
+    ./munin.nix
     ./navidrome.nix
     ./nginx.nix
     ./pleroma.nix

machines/servo/services/matrix/default.nix

@@ -4,7 +4,6 @@
 
 {
   imports = [
-    # ./discord-appservice.nix
     ./discord-puppet.nix
     # ./irc.nix
   ];

machines/servo/services/matrix/discord-appservice.nix

@@ -1,69 +0,0 @@
-{ config, lib, ... }:
-
-{
-  sane.impermanence.service-dirs = [
-    { user = "matrix-appservice-discord"; group = "matrix-appservice-discord"; directory = "/var/lib/matrix-appservice-discord"; }
-  ];
-
-  sops.secrets.matrix_appservice_discord_env = {
-    sopsFile = ../../../../secrets/servo/matrix_appservice_discord_env.bin;
-    owner = config.users.users.matrix-appservice-discord.name;
-    format = "binary";
-  };
-
-  services.matrix-synapse.settings.app_service_config_files = [
-    # auto-created by discord appservice
-    "/var/lib/matrix-appservice-discord/discord-registration.yaml"
-  ];
-
-  # Discord bridging
-  # docs: https://github.com/matrix-org/matrix-appservice-discord
-  services.matrix-appservice-discord.enable = true;
-  services.matrix-appservice-discord.settings = {
-    bridge = {
-      homeserverUrl = "http://127.0.0.1:8008";
-      domain = "uninsane.org";
-      adminMxid = "admin.matrix@uninsane.org";
-      # self-service bridging is when a Matrix user bridges by DMing @_discord_bot:<HS>
-      # i don't know what the alternative is :?
-      enableSelfServiceBridging = true;
-      presenceInterval = 30000; # milliseconds
-      # allows matrix users to search for Discord channels (somehow?)
-      disablePortalBridging = false;
-      # disableReadReceipts = true;
-      # these are Matrix -> Discord
-      disableJoinLeaveNotifications = true;
-      disableInviteNotifications = true;
-      disableRoomTopicNotifications = true;
-    };
-    # these are marked as required in the yaml schema
-    auth = {
-      # apparently not needed if you provide them as env vars (below).
-      # clientId = "FILLME";
-      # botToken = "FILLME";
-      usePrivilegedIntents = false;
-    };
-    logging = {
-      # silly, verbose, info, http, warn, error, silent
-      console = "verbose";
-    };
-  };
-  # contains what's ordinarily put into auth.clientId, auth.botToken
-  # i.e. `APPSERVICE_DISCORD_AUTH_CLIENT_I_D=...` and `APPSERVICE_DISCORD_AUTH_BOT_TOKEN=...`
-  services.matrix-appservice-discord.environmentFile = config.sops.secrets.matrix_appservice_discord_env.path;
-
-  systemd.services.matrix-appservice-discord.serviceConfig = {
-    # fix up to not use /var/lib/private, but just /var/lib
-    DynamicUser = lib.mkForce false;
-    User = "matrix-appservice-discord";
-    Group = "matrix-appservice-discord";
-  };
-  users.groups.matrix-appservice-discord = {};
-  users.users.matrix-appservice-discord = {
-    description = "User for the Matrix-Discord bridge";
-    group = "matrix-appservice-discord";
-    isSystemUser = true;
-  };
-  users.users.matrix-appservice-discord.uid = 2134;  # TODO: move to allocations
-  users.groups.matrix-appservice-discord.gid = 2134;  # TODO
-}

machines/servo/services/munin.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  services.munin-node.enable = true;
+  services.munin-cron = {
+    enable = true;
+    # collect data from the localhost
+    hosts = ''
+      [${config.networking.hostName}]
+      address localhost
+    '';
+  };
+}

machines/servo/services/nginx.nix

@@ -57,6 +57,13 @@
     # };
   };
 
+  # server statistics
+  services.nginx.virtualHosts."sink.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    root = "/var/www/munin";
+  };
+
   # Pleroma server and web interface
   services.nginx.virtualHosts."fed.uninsane.org" = {
     addSSL = true;

modules/gui/gnome.nix

@@ -14,6 +14,16 @@ in
 
   config = mkIf cfg.enable {
     sane.gui.enable = true;
+
+    users.users.avahi.uid = config.sane.allocations.avahi-uid;
+    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+    users.users.colord.uid = config.sane.allocations.colord-uid;
+    users.groups.colord.gid = config.sane.allocations.colord-gid;
+    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+
     # start gnome/gdm on boot
     services.xserver.enable = true;
     services.xserver.desktopManager.gnome.enable = true;

modules/gui/phosh.nix

@@ -10,60 +10,100 @@ in
       default = false;
       type = types.bool;
     };
+    sane.gui.phosh.useGreeter = mkOption {
+      description = ''
+        launch phosh via a greeter (like lightdm-mobile-greeter).
+        phosh is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
   };
 
-  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+  config = mkIf cfg.enable (mkMerge [
+    {
+      sane.gui.enable = true;
 
-    users.users.avahi.uid = config.sane.allocations.avahi-uid;
-    users.users.colord.uid = config.sane.allocations.colord-uid;
-    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
-    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
-    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
-    users.groups.colord.gid = config.sane.allocations.colord-gid;
-    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
-    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+      users.users.avahi.uid = config.sane.allocations.avahi-uid;
+      users.users.colord.uid = config.sane.allocations.colord-uid;
+      users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+      users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+      users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+      users.groups.colord.gid = config.sane.allocations.colord-gid;
+      users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
+      users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+      users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
 
-    # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
-    services.xserver.desktopManager.phosh = {
-      enable = true;
-      user = "colin";
-      group = "users";
-      phocConfig = {
-        # xwayland = "true";
-        # find default outputs by catting /etc/phosh/phoc.ini
-        outputs.DSI-1 = {
-          scale = 1.5;
+      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
+      services.xserver.desktopManager.phosh = {
+        enable = true;
+        user = "colin";
+        group = "users";
+        phocConfig = {
+          # xwayland = "true";
+          # find default outputs by catting /etc/phosh/phoc.ini
+          outputs.DSI-1 = {
+            scale = 1.5;
+          };
         };
       };
-    };
 
-    # XXX: phosh enables networkmanager by default; can probably disable these lines
-    networking.useDHCP = false;
-    networking.networkmanager.enable = true;
-    networking.wireless.enable = lib.mkForce false;
+      # XXX: phosh enables networkmanager by default; can probably disable these lines
+      networking.useDHCP = false;
+      networking.networkmanager.enable = true;
+      networking.wireless.enable = lib.mkForce false;
 
-    # XXX: not clear if these are actually needed?
-    hardware.bluetooth.enable = true;
-    services.blueman.enable = true;
+      # XXX: not clear if these are actually needed?
+      hardware.bluetooth.enable = true;
+      services.blueman.enable = true;
 
-    hardware.opengl.enable = true;
-    hardware.opengl.driSupport = true;
+      hardware.opengl.enable = true;
+      hardware.opengl.driSupport = true;
 
-    environment.variables = {
-      # Qt apps won't always start unless this env var is set
-      QT_QPA_PLATFORM = "wayland";
-      # electron apps (e.g. Element) should use the wayland backend
-      # toggle this to have electron apps (e.g. Element) use the wayland backend.
-      # phocConfig.xwayland should be disabled if you do this
-      NIXOS_OZONE_WL = "1";
-    };
+      environment.variables = {
+        # Qt apps won't always start unless this env var is set
+        QT_QPA_PLATFORM = "wayland";
+        # electron apps (e.g. Element) should use the wayland backend
+        # toggle this to have electron apps (e.g. Element) use the wayland backend.
+        # phocConfig.xwayland should be disabled if you do this
+        NIXOS_OZONE_WL = "1";
+      };
 
-    sane.home-manager.extraPackages = with pkgs; [
-      phosh-mobile-settings
+      sane.home-manager.extraPackages = with pkgs; [
+        phosh-mobile-settings
 
-      # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
-      gnome.gnome-bluetooth
-    ];
-  };
+        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
+        gnome.gnome-bluetooth
+      ];
+    }
+    (mkIf cfg.useGreeter {
+      services.xserver.enable = true;
+      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
+      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
+      # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
+      # this requires the user we want to login as to be cached.
+      services.xserver.displayManager.job.preStart = ''
+        ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
+      '';
+      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";  # XXX: not sure why this doesn't propagate correctly.
+      services.xserver.displayManager.lightdm.extraSeatDefaults = ''
+        user-session = phosh
+      '';
+      services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
+      services.xserver.displayManager.lightdm.greeter = {
+        enable = true;
+        package = pkgs.lightdm-mobile-greeter.xgreeters;
+        name = "lightdm-mobile-greeter";
+      };
+      # services.xserver.displayManager.lightdm.enable = true;
+      # # services.xserver.displayManager.lightdm.greeters.enso.enable = true;  # tried (with reboot); got a mouse then died. next time was black
+      # # services.xserver.displayManager.lightdm.greeters.gtk.enable = true;  # tried (with reboot); unusable without OSK
+      # # services.xserver.displayManager.lightdm.greeters.mini.enable = true;  # tried (with reboot); unusable without OSK
+      # # services.xserver.displayManager.lightdm.greeters.pantheon.enable = true; # tried (no reboot); unusable without OSK
+      # services.xserver.displayManager.lightdm.greeters.slick.enable = true;  # tried; unusable without OSK (a11y -> OSK doesn't work)
+      # # services.xserver.displayManager.lightdm.greeters.tiny.enable = true;  # tried; block screen
+
+      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
+    })
+  ]);
 }

modules/gui/sway.nix

@@ -21,15 +21,24 @@ in
       enable = true;
     };
 
-    # TODO: should be able to use SDDM to get interactive login
-    services.greetd = {
+    # alternatively, could use SDDM
+    services.greetd = let
+      swayConfig = pkgs.writeText "greetd-sway-config" ''
+        # `-l` activates layer-shell mode.
+        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
+      '';
+    in {
+      # greetd source/docs:
+      # - <https://git.sr.ht/~kennylevinsen/greetd>
       enable = true;
-      settings = rec {
-        initial_session = {
-          command = "${pkgs.sway}/bin/sway";
-          user = "colin";
+      settings = {
+        default_session = {
+          command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
+          # alternatives:
+          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
+          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
+          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
         };
-        default_session = initial_session;
       };
     };
 
@@ -88,21 +97,22 @@ in
           "${modifier}+Return" = "exec ${terminal}";
           "${modifier}+Shift+q" = "kill";
           "${modifier}+d" = "exec ${menu}";
+          "${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
 
-          "${modifier}+${left}" = "focus left";
-          "${modifier}+${down}" = "focus down";
-          "${modifier}+${up}" = "focus up";
-          "${modifier}+${right}" = "focus right";
+          # "${modifier}+${left}" = "focus left";
+          # "${modifier}+${down}" = "focus down";
+          # "${modifier}+${up}" = "focus up";
+          # "${modifier}+${right}" = "focus right";
 
           "${modifier}+Left" = "focus left";
           "${modifier}+Down" = "focus down";
           "${modifier}+Up" = "focus up";
           "${modifier}+Right" = "focus right";
 
-          "${modifier}+Shift+${left}" = "move left";
-          "${modifier}+Shift+${down}" = "move down";
-          "${modifier}+Shift+${up}" = "move up";
-          "${modifier}+Shift+${right}" = "move right";
+          # "${modifier}+Shift+${left}" = "move left";
+          # "${modifier}+Shift+${down}" = "move down";
+          # "${modifier}+Shift+${up}" = "move up";
+          # "${modifier}+Shift+${right}" = "move right";
 
           "${modifier}+Shift+Left" = "move left";
           "${modifier}+Shift+Down" = "move down";
@@ -572,7 +582,7 @@ in
     };
     sane.home-manager.extraPackages = with pkgs; [
       swaylock
-      swayidle
+      swayidle  # (unused)
       wl-clipboard
       mako # notification daemon
       xdg-utils  # for xdg-open

modules/universal/env/default.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
   imports = [
@@ -19,5 +19,18 @@
     # NIXOS_OZONE_WL = "1";
     # LIBGL_ALWAYS_SOFTWARE = "1";
   };
+  # enable zsh completions
+  environment.pathsToLink = [ "/share/zsh" ];
+  environment.systemPackages = with pkgs; [
+    # required for pam_mount
+    gocryptfs
+  ];
+
+  security.pam.mount.enable = true;
+  # security.pam.mount.debugLevel = 1;
+  # security.pam.enableSSHAgentAuth = true; # ??
+  # needed for `allow_other` in e.g. gocryptfs mounts
+  # or i guess going through mount.fuse sets suid so that's not necessary?
+  # programs.fuse.userAllowOther = true;
 }
 

modules/universal/env/home-manager.nix

@@ -267,6 +267,8 @@ in
           enable = true;
           enableSyntaxHighlighting = true;
           enableVteIntegration = true;
+          history.ignorePatterns = [ "rm *" ];
+          # history.path = TODO
           dotDir = ".config/zsh";
 
           initExtraBeforeCompInit = ''
@@ -375,8 +377,14 @@ in
           userEmail = "colin@uninsane.org";
 
           aliases = { co = "checkout"; };
-          # TODO: figure out how to get the old `diff` for generating patches
-          # difftastic.enable = true;  # better diff rendering
+          extraConfig = {
+            # difftastic docs:
+            # - <https://difftastic.wilfred.me.uk/git.html>
+            diff.tool = "difftastic";
+            difftool.prompt = false;
+            "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
+            # now run `git difftool` to use difftastic git
+          };
         };
 
         neovim = {

modules/universal/env/home-packages.nix

@@ -9,6 +9,7 @@ let
     cdrtools
     duplicity
     gnupg
+    gocryptfs
     ifuse
     ipfs
     libimobiledevice
@@ -155,16 +156,19 @@ let
   ] else []);
 
   # useful devtools:
-  # bison
-  # dtc
-  # flex
-  # gcc
-  # gcc-arm-embedded
-  # gcc_multi
-  # gnumake
-  # mix2nix
-  # rustup
-  # swig
+  devPkgs = [
+    bison
+    dtc
+    flex
+    gcc
+    gdb
+    # gcc-arm-embedded
+    # gcc_multi
+    gnumake
+    mix2nix
+    rustup
+    swig
+  ];
 in
 {
   options = {
@@ -172,9 +176,18 @@ in
       default = false;
       type = types.bool;
     };
+    sane.home-packages.enableDevPkgs = mkOption {
+      description = ''
+        enable packages that are useful for building other software by hand.
+        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
+      '';
+      default = false;
+      type = types.bool;
+    };
   };
   config = {
     sane.home-manager.extraPackages = universalPkgs
-      ++ (if cfg.enableGuiPkgs then guiPkgs else []);
+      ++ (if cfg.enableGuiPkgs then guiPkgs else [])
+      ++ (if cfg.enableDevPkgs then devPkgs else []);
   };
 }

modules/universal/users.nix

@@ -54,6 +54,17 @@ in
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
       ];
+
+      pamMount = {
+        # mount encrypted stuff at login
+        # requires that login password == fs encryption password
+        # fstype = "fuse";
+        # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
+        fstype = "fuse.gocryptfs";
+        path = "/nix/persist/home/colin/private";
+        mountpoint = "/home/colin/private";
+        options="nodev,nosuid,quiet,allow_other";
+      };
     };
 
     sane.impermanence.service-dirs = mkIf cfg.guest.enable [

nixpatches/list.nix

@@ -17,7 +17,8 @@ fetchpatch: [
 
   # freshrss: patchShebangs instead of specifying interpreter in the service
   (fetchpatch {
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/9443d83e6fee728c1926a783647b45011bd3b514.diff";
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/9443d83e6fee728c1926a783647b45011bd3b514.diff";
+    url = "https://github.com/NixOS/nixpkgs/pull/196140.diff";
     sha256 = "sha256-Lngle5YTE7ymQyUarKbebMjiaTlY5cJBoaeZk7AgbXE=";
   })
 

pkgs/gocryptfs/default.nix

@@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+
+(pkgs.gocryptfs.overrideAttrs (upstream: {
+  # XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
+  # unless `logger` (util-linux) is accessible from gocryptfs.
+  # this is surprising: the code LOOKS like it's meant to handle logging failures.
+  # propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
+  #
+  # TODO: see about upstreaming this
+  postInstall = ''
+    wrapProgram $out/bin/gocryptfs \
+      --suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
+    ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
+  '';
+}))

pkgs/lightdm-mobile-greeter/default.nix

@@ -0,0 +1,53 @@
+{ lib
+, fetchFromGitea
+, gtk3
+, libhandy_0
+, lightdm
+, pkgs
+, linkFarm
+, pkg-config
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "lightdm-mobile-greeter";
+  version = "0.1.2";
+
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "lightdm-mobile-greeter";
+    rev = "v${version}";
+    hash = "sha256-x7tpaHYDg6BPIc3k3zzPvZma0RYuGAMQ/z6vAP0wbWs=";
+  };
+  cargoHash = "sha256-5WJGnLdZd4acKPEkkTS71n4gfxhlujHWnwiMsomTYck=";
+
+  buildInputs = [
+    gtk3
+    libhandy_0
+    lightdm
+  ];
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  postInstall = ''
+    mkdir -p $out/share/applications
+    substitute lightdm-mobile-greeter.desktop \
+      $out/share/applications/lightdm-mobile-greeter.desktop \
+      --replace lightdm-mobile-greeter $out/bin/lightdm-mobile-greeter
+  '';
+
+  passthru.xgreeters = linkFarm "lightdm-mobile-greeter-xgreeters" [{
+    path = "${pkgs.lightdm-mobile-greeter}/share/applications/lightdm-mobile-greeter.desktop";
+    name = "lightdm-mobile-greeter.desktop";
+  }];
+
+  meta = with lib; {
+    description = "A simple log in screen for use on touch screens.";
+    homepage = "https://git.uninsane.org/colin/lightdm-mobile-greeter";
+    maintainers = with maintainers; [ colinsane ];
+    platforms = platforms.linux;
+    license = licenses.mit;
+  };
+}

pkgs/matrix-appservice-discord/01-puppet.patch

@@ -1,13 +0,0 @@
-diff --git a/src/clientfactory.ts b/src/clientfactory.ts
-index b7fea47..587acfd 100644
---- a/src/clientfactory.ts
-+++ b/src/clientfactory.ts
-@@ -53,7 +53,7 @@ export class DiscordClientFactory {
-         });
- 
-         try {
--            await this.botClient.login(this.config.botToken, true);
-+            await this.botClient.login(this.config.botToken, false);
-             log.info("Waiting for shardReady signal");
-             await waitPromise;
-             log.info("Got shardReady signal");

pkgs/matrix-appservice-discord/02-auto-approve.patch

@@ -1,16 +0,0 @@
-diff --git a/src/provisioner.ts b/src/provisioner.ts
-index c1568af..28a44c5 100644
---- a/src/provisioner.ts
-+++ b/src/provisioner.ts
-@@ -99,8 +99,9 @@
-         this.pendingRequests.set(channelId, approveFn);
-         setTimeout(() => approveFn(false, true), timeout);
- 
--        await channel.send(`${requestor} on matrix would like to bridge this channel. Someone with permission` +
--            " to manage webhooks please reply with `!matrix approve` or `!matrix deny` in the next 5 minutes");
-+        // await channel.send(`${requestor} on matrix would like to bridge this channel. Someone with permission` +
-+        //     " to manage webhooks please reply with `!matrix approve` or `!matrix deny` in the next 5 minutes");
-+        approveFn(true);
-         return await deferP;
- 
-     }

pkgs/matrix-appservice-discord/03-no-edits.patch

@@ -1,14 +0,0 @@
-diff --git a/src/bot.ts b/src/bot.ts
-index 8bc73d4..1e6ea67 100644
---- a/src/bot.ts
-+++ b/src/bot.ts
-@@ -568,7 +568,8 @@ export class DiscordBot {
-             }
-             const link = `https://discord.com/channels/${chan.guild.id}/${chan.id}/${editEventId}`;
-             embedSet.messageEmbed.description = `[Edit](${link}): ${embedSet.messageEmbed.description}`;
--            await this.send(embedSet, opts, roomLookup, event);
-+            log.warn("not editing sent Matrix -> Discord message");
-+            // await this.send(embedSet, opts, roomLookup, event);
-         } catch (err) {
-             // throw wrapError(err, Unstable.ForeignNetworkError, "Couldn't edit message");
-             log.warn(`Failed to edit message ${event.event_id}`);

pkgs/matrix-appservice-discord/04-no-kickbans.patch

@@ -1,88 +0,0 @@
-diff --git a/src/bot.ts b/src/bot.ts
-index 8bc73d4..1e6ea67 100644
---- a/src/bot.ts
-+++ b/src/bot.ts
-@@ -795,82 +796,7 @@ export class DiscordBot {
-         roomId: string, kickeeUserId: string, kicker: string, kickban: "leave"|"ban",
-         previousState: string, reason?: string,
-     ) {
--        const restore = kickban === "leave" && previousState === "ban";
--        const client = await this.clientFactory.getClient(kicker);
--        let channel: Discord.Channel;
--        try {
--            channel = await this.GetChannelFromRoomId(roomId, client);
--        } catch (ex) {
--            log.error("Failed to get channel for ", roomId, ex);
--            return;
--        }
--        if (channel.type !== "text") {
--            log.warn("Channel was not a text channel");
--            return;
--        }
--        const tchan = (channel as Discord.TextChannel);
--        const kickeeUser = await this.GetDiscordUserOrMember(
--            kickeeUserId.substring("@_discord_".length, kickeeUserId.indexOf(":") - 1),
--            tchan.guild.id,
--        );
--        if (!kickeeUser) {
--            log.error("Could not find discord user for", kickeeUserId);
--            return;
--        }
--        const kickee = kickeeUser as Discord.GuildMember;
--        let res: Discord.Message;
--        const botChannel = await this.GetChannelFromRoomId(roomId) as Discord.TextChannel;
--        if (restore) {
--            await tchan.overwritePermissions([
--                {
--                    allow: ["SEND_MESSAGES", "VIEW_CHANNEL"],
--                    id: kickee.id,
--                }],
--                `Unbanned.`,
--            );
--            this.channelLock.set(botChannel.id);
--            res = await botChannel.send(
--                `${kickee} was unbanned from this channel by ${kicker}.`,
--            ) as Discord.Message;
--            this.sentMessages.push(res.id);
--            this.channelLock.release(botChannel.id);
--            return;
--        }
--        const existingPerms = tchan.permissionsFor(kickee);
--        if (existingPerms && existingPerms.has(Discord.Permissions.FLAGS.VIEW_CHANNEL as number) === false ) {
--            log.warn("User isn't allowed to read anyway.");
--            return;
--        }
--        const word = `${kickban === "ban" ? "banned" : "kicked"}`;
--        this.channelLock.set(botChannel.id);
--        res = await botChannel.send(
--            `${kickee} was ${word} from this channel by ${kicker}.`
--            + (reason ? ` Reason: ${reason}` : ""),
--        ) as Discord.Message;
--        this.sentMessages.push(res.id);
--        this.channelLock.release(botChannel.id);
--        log.info(`${word} ${kickee}`);
--
--        await tchan.overwritePermissions([
--            {
--                deny: ["SEND_MESSAGES", "VIEW_CHANNEL"],
--                id: kickee.id,
--            }],
--            `Matrix user was ${word} by ${kicker}.`,
--        );
--        if (kickban === "leave") {
--            // Kicks will let the user back in after ~30 seconds.
--            setTimeout(async () => {
--                log.info(`Kick was lifted for ${kickee.displayName}`);
--                await tchan.overwritePermissions([
--                    {
--                        allow: ["SEND_MESSAGES", "VIEW_CHANNEL"],
--                        id: kickee.id,
--                    }],
--                    `Lifting kick since duration expired.`,
--                );
--            }, this.config.room.kickFor);
--        }
-+        return; // this is about letting Discord users know when Matrix users are kicked/banned
-     }
- 
-     public async GetEmojiByMxc(mxc: string): Promise<DbEmoji> {

pkgs/matrix-appservice-discord/05-no-meta.patch

@@ -1,13 +0,0 @@
-diff --git a/src/matrixeventprocessor.ts b/src/matrixeventprocessor.ts
-index f1f4611..7b57ff3 100644
---- a/src/matrixeventprocessor.ts
-+++ b/src/matrixeventprocessor.ts
-@@ -278,6 +278,8 @@ export class MatrixEventProcessor {
-             return;
-         }
- 
-+        return; // disable all meta notifications
-+
-         msg += " on Matrix.";
-         const channel = await this.discord.GetChannelFromRoomId(event.room_id) as Discord.TextChannel;
-         await this.discord.sendAsBot(msg, channel, event);

pkgs/matrix-appservice-discord/default.nix

@@ -1,19 +0,0 @@
-{ pkgs }:
-
-(pkgs.matrix-appservice-discord.overrideAttrs (upstream: {
-  # 2022-10-05: the service can't login as an ordinary user unless i change the source
-  doCheck = false;
-  patches = (upstream.patches or []) ++ [
-    # don't register with better-discord as a bot
-    ./01-puppet.patch
-    # don't ask Discord admin for approval before bridging
-    ./02-auto-approve.patch
-    # disable Matrix -> Discord edits because they do not fit Discord semantics
-    ./03-no-edits.patch
-    # we don't want to notify Discord users that a Matrix user was kicked/banned
-    ./04-no-kickbans.patch
-    # don't notify Discord users when the Matrix room changes (name, topic, membership)
-    ./05-no-meta.patch
-  ];
-}))
-

pkgs/overlay.nix

@@ -27,8 +27,6 @@
   pleroma = prev.callPackage ./pleroma { };
   # jackett doesn't allow customization of the bind address: this will probably always be here.
   jackett = prev.callPackage ./jackett { pkgs = prev; };
-  # TODO: delete matrix-appservice-discord
-  matrix-appservice-discord = prev.callPackage ./matrix-appservice-discord { pkgs = prev; };
   # mozilla keeps nerfing itself and removing configuration options
   firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
   # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
@@ -37,8 +35,11 @@
   # patch rpi uboot with something that fixes USB HDD boot
   ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
 
+  gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
+
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
   kaiteki = prev.callPackage ./kaiteki { };
+  lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
   # kaiteki = prev.kaiteki;
   # TODO: upstream, or delete nabla
   nabla = prev.callPackage ./nabla { };

pkgs/sane-scripts/default.nix

@@ -23,6 +23,7 @@ resholve.mkDerivation {
         file
         findutils
         gnugrep
+        gocryptfs
         ifuse
         inotify-tools
         ncurses
@@ -54,14 +55,15 @@ resholve.mkDerivation {
       };
 
       # list of programs which *can* or *cannot* exec their arguments
-      execer = [
-        "cannot:${pkgs.ifuse}/bin/ifuse"
-        "cannot:${pkgs.oath-toolkit}/bin/oathtool"
-        "cannot:${pkgs.openssh}/bin/ssh-keygen"
-        "cannot:${pkgs.rmlint}/bin/rmlint"
-        "cannot:${pkgs.rsync}/bin/rsync"
-        "cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
-        "cannot:${pkgs.sops}/bin/sops"
+      execer = with pkgs; [
+        "cannot:${gocryptfs}/bin/gocryptfs"
+        "cannot:${ifuse}/bin/ifuse"
+        "cannot:${oath-toolkit}/bin/oathtool"
+        "cannot:${openssh}/bin/ssh-keygen"
+        "cannot:${rmlint}/bin/rmlint"
+        "cannot:${rsync}/bin/rsync"
+        "cannot:${sops}/bin/sops"
+        "cannot:${ssh-to-age}/bin/ssh-to-age"
       ];
     };
   };

pkgs/sane-scripts/src/sane-private-init

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# configure persistent, encrypted storage that is auto-mounted on login.
+# this is a one-time setup and user should log out/back in after running it.
+
+p=/nix/persist/home/colin/private
+mkdir -p $p
+gocryptfs -init $p

secrets/servo/matrix_appservice_discord_env.bin

@@ -1,28 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:7j1l4XJ8cp8MVuSmOedOZwGDWV11hmwFyLW43ixUBaZLWbUZ6Z4P4Gt+o7bj8gc/X8aiPV8sxAR/jY28Sc5DIaAnkKnXjesPVlG0c3oRAsXemKGX8fANkoNX5iEPbWAkFiJdLS6Fgdv2g4z6DQ4odvZQKrMchx8MPYq8icBvvbhKiGs5xo+MGrMBVRCZOERM2FJSy/q9zLv6hU5SfnnYDTMt,iv:poHHiCs0YOCv74dQ2kyXogdgTUqmKRgGq2r7lcxe4bQ=,tag:rz1/FLC5Q8S13TTWNKcYyQ==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TjVWenJkYVdjeExzYjVj\nUVdFeUdMRUtwOWJNYUx6dFRWRXdEUWJhdkVFClM1UnhtWndYbE91RCtVRnl4TGp4\nZHNJNUliOWhqcUorZVBEQWR0eXZaMVEKLS0tIDdsVFJ2bmdNeVk5b3FJVDQ3T1BG\nU0taQlA1QVEvYVJweDQ5L2YwTmo2ek0K+nbzpIpjAhRgJ5Lw+mx/doGMjw0aMNkZ\n5sAnPJo88Sa/TW3qBN48xFBMLWMp/SKs2JTaMu0xW0u2SkQX38TLlw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUFBSYVJZUmRBcGJXclNP\nRDRUZnRKMmYwdFhQcE1oWUhrZGxNTk5YOFIwCldUMW92NGl0VVBsS0JtYjJOTW9E\nK2ZZdm9GK3FOMitUdEU3QStsR2svQWMKLS0tIE9SWXAzVndsdGY3Uzh2eHpBRjdO\nTVc4cWNDUWRuSWRmZC8rK1ZFS2l4WEkKQR9mApDjb0k14W3jK+CEz3Dez6wSBpg+\nZ7uUfSbPXFxRxvNEascRn/+EHPcd/A7MZjViDUyWVcP6fSMPsQvxhw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWHlteTRDcHRneW9hbzlh\nMHBjZ2RHeDBIbDM2QXVxK09mcERVSUliVWw0Ckg1dGFkUUxPQW1HcDFXcEEyejFD\nWW5qUkNwRkdIdjRiTFJNd0Q5NWpLUUEKLS0tIG1wTnk1aEhudm9VZjZRVGRWWnR0\nVHlFbUJHaitadDVOSG1FMTBqeHJGV0kKAjuuw3j4dx3QfNcjyl8XCP9Q6oOkLZBN\nsW7uCqbVgBCG+uIggwefLWAy8g6PYlLj0aumgLPYVsXShbQYi32m/g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2022-10-06T05:07:20Z",
-		"mac": "ENC[AES256_GCM,data:9WR8xfs5XIkWxDlJVX1EiSJBLBgWMR99PJJXCK9RcbuChK7QvjWjEflwq419qeNbMWdHLkUwSQrBsoHomaiGWFOPZ0C8bqcqDl0zzXMk7nBxM4UgTjRLmML2tdI2bCS0DC0AtytThYPvkW+JHgKB6bOAEw/bVWVP4YJQKWEf6FY=,iv:nG+J7jCdqZHp6x6Vlvye7BbK7YSl0Y9cjTWbW/BZLxo=,tag:OWqXktZE52Q3j7D2KG+vHw==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
-	}
-}