moby: fix lightdm-mobile-greeter config to work again

browser: temporarily switch back to firefox
recompiling librewolf is not practical -- until the addon signing is upstreamed
2022-11-02 04:59:36 -07:00 · 2022-11-02 04:21:55 -07:00 · 2022-11-02 04:14:00 -07:00 · 2022-11-02 02:39:56 -07:00 · 2022-11-01 22:20:05 -07:00 · 2022-11-01 19:29:33 -07:00
111 changed files with 2901 additions and 1723 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -19,10 +19,11 @@ creation_rules:
      - *host_lappy
      - *host_servo
      - *host_moby
-  - path_regex: secrets/servo.yaml$
+  - path_regex: secrets/servo*
    key_groups:
    - age:
      - *user_desko_colin
+      - *user_lappy_colin
      - *user_servo_colin
      - *host_servo
  - path_regex: secrets/desko.yaml$
@@ -31,3 +32,16 @@ creation_rules:
      - *user_desko_colin
      - *user_lappy_colin
      - *host_desko
+  - path_regex: secrets/lappy.yaml$
+    key_groups:
+    - age:
+      - *user_lappy_colin
+      - *user_desko_colin
+      - *host_lappy
+  - path_regex: secrets/moby.yaml$
+    key_groups:
+    - age:
+      - *user_desko_colin
+      - *user_lappy_colin
+      - *user_moby_colin
+      - *host_moby
--- a/TODO.md
+++ b/TODO.md
@@ -1,16 +0,0 @@
-# features/tweaks
- emoji picker application
- find a Masto/Pleroma app which works on mobile
- remove hardcoded uid/gids outside of allocations.nix (used in impermanence code -- replace with username/groupname)
-
-
-# speed up cross compiling
- <https://nixos.wiki/wiki/Cross_Compiling>
- <https://nixos.wiki/wiki/NixOS_on_ARM>
-```nix
-   overlays = [{ ... }: {
-     nixpkgs.crossSystem.system = "aarch64-linux";
-   }];
-```
- <https://github.com/nix-community/aarch64-build-box>
-	- apply for access to the community arm build box
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,20 @@
 {
  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -7,11 +22,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1656169755,
-        "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
+        "lastModified": 1667299227,
+        "narHash": "sha256-vAJPFSDYUq3DdCL8OzTg4xObRNW+yA1Pt+NzbhGu1f8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
+        "rev": "f0ecd4b1db5e15103e955b18cb94bea4296e5c45",
        "type": "github"
      },
      "original": {
@@ -39,11 +54,11 @@
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1661716773,
-        "narHash": "sha256-uxf0aC+kx8av3/IT8/UecxSMElC9i4UQvH25RHFwna4=",
+        "lastModified": 1667160126,
+        "narHash": "sha256-YRgxMHdvMuLsuXCaKs5YNMD6NKgvcATSjfi9YkUOOLk=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "09e388c42298fa777caa7738cd8d8d2b6d1ac8db",
+        "rev": "da56c338a2b00c868697b75bdbd388f60d50c820",
        "type": "github"
      },
      "original": {
@@ -54,11 +69,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1664017330,
-        "narHash": "sha256-919WZKBTxFdTkzIK6uJXE7hwSPQb7e/ekybxxWaotR4=",
+        "lastModified": 1667231093,
+        "narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fde244a8c7655bc28616864e2290ad9c95409c2c",
+        "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
        "type": "github"
      },
      "original": {
@@ -69,11 +84,11 @@
    },
    "nixpkgs-22_05": {
      "locked": {
-        "lastModified": 1664063819,
-        "narHash": "sha256-5wXa+9uboo7UizMDeUTMoANv3pm0g9ze1NdTleY3rCE=",
+        "lastModified": 1667091951,
+        "narHash": "sha256-62sz0fn06Nq8OaeBYrYSR3Y6hUcp8/PC4dJ7HeGaOhU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "aee4db5b9eaccd3fb7f16c742685fef9dc355077",
+        "rev": "6440d13df2327d2db13d3b17e419784020b71d22",
        "type": "github"
      },
      "original": {
@@ -83,20 +98,19 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1664028844,
-        "narHash": "sha256-wwGqnvROHW54ma0h4q6GL5toKxTVVKvAypv0CcJkraU=",
+        "lastModified": 1667254466,
+        "narHash": "sha256-YrMQzDVOo+uz5gg1REj2q/uVhJE3WcpkqGiMzh3Da3o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "72bdd03f0d5696412b25a93218acaad530570d30",
+        "rev": "1b4722674c315de0e191d0d79790b4eac51570a1",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "id": "nixpkgs",
+        "ref": "nixos-22.05",
+        "type": "indirect"
      }
    },
    "root": {
@@ -105,20 +119,24 @@
        "impermanence": "impermanence",
        "mobile-nixos": "mobile-nixos",
        "nixpkgs": "nixpkgs",
-        "sops-nix": "sops-nix"
+        "nixpkgs-stable": "nixpkgs-stable",
+        "sops-nix": "sops-nix",
+        "uninsane": "uninsane"
      }
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
        "nixpkgs-22_05": "nixpkgs-22_05"
      },
      "locked": {
-        "lastModified": 1664080128,
-        "narHash": "sha256-obau1+3+QiTtNGfoTcbSYB5Z4Gvf4o0Or85yLttSYt8=",
+        "lastModified": 1667102919,
+        "narHash": "sha256-DP5j4TwXe96eZf0PLgYSj1Hdyt7SPUoQ003iNBQSKpQ=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "17f009daf09992d2342657f9bd7b44d877cd00e1",
+        "rev": "448ec3e7eb7c7e4563cc2471db748a71baaf9698",
        "type": "github"
      },
      "original": {
@@ -126,6 +144,27 @@
        "repo": "sops-nix",
        "type": "github"
      }
+    },
+    "uninsane": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1666870107,
+        "narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
+        "ref": "refs/heads/master",
+        "rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
+        "revCount": 164,
+        "type": "git",
+        "url": "https://git.uninsane.org/colin/uninsane"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.uninsane.org/colin/uninsane"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,7 @@

 {
  inputs = {
-    # nixpkgs.url = "nixpkgs/nixos-22.05";
+    nixpkgs-stable.url = "nixpkgs/nixos-22.05";
    nixpkgs.url = "nixpkgs/nixos-unstable";
    mobile-nixos = {
      url = "github:nixos/mobile-nixos";
@@ -14,12 +14,27 @@
      url = "github:nix-community/home-manager/release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    impermanence.url = "github:nix-community/impermanence";
+    uninsane = {
+      url = "git+https://git.uninsane.org/colin/uninsane";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

-  outputs = { self, nixpkgs, mobile-nixos, home-manager, sops-nix, impermanence }:
-  let
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-stable,
+    mobile-nixos,
+    home-manager,
+    sops-nix,
+    impermanence,
+    uninsane
+  }: let
    patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
      name = "nixpkgs-patched-uninsane";
      src = nixpkgs;
@@ -39,21 +54,26 @@
      specialArgs = { inherit mobile-nixos home-manager impermanence; };
      modules = [
        ./modules
-        ./machines/${name}
-        (import ./helpers/set-hostname.nix name)
+        (import ./machines/instantiate.nix name)
        home-manager.nixosModule
        impermanence.nixosModule
        sops-nix.nixosModules.sops
        {
-          nixpkgs.config.allowUnfree = true;
          nixpkgs.overlays = [
            (import "${mobile-nixos}/overlay/overlay.nix")
+            uninsane.overlay
            (import ./pkgs/overlay.nix)
-            (next: prev: {
+            (next: prev: rec {
              # non-emulated packages build *from* local *for* target.
              # for large packages like the linux kernel which are expensive to build under emulation,
              # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
              cross = (nixpkgsFor local target) // (customPackagesFor local target);
+              stable = import nixpkgs-stable { system = target; };
+              # pinned packages:
+              electrum = stable.electrum;  # 2022-10-10: build break
+              sequoia = stable.sequoia;    # 2022-10-13: build break
+              # cross-compatible packages
+              gocryptfs = cross.gocryptfs;
            })
          ];
        }
@@ -90,8 +110,15 @@
  in {
    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
    imgs = builtins.mapAttrs (name: value: value.img) machines;
-    packages.x86_64-linux = customPackagesFor "x86_64-linux" "x86_64-linux";
-    packages.aarch64-linux = customPackagesFor "aarch64-linux" "aarch64-linux";
+    packages = let
+      allPkgsFor = sys: (customPackagesFor sys sys) // {
+        nixpkgs = nixpkgsFor sys sys;
+        uninsane = uninsane.packages."${sys}";
+      };
+    in {
+      x86_64-linux = allPkgsFor "x86_64-linux";
+      aarch64-linux = allPkgsFor "aarch64-linux";
+    };
  };
 }

--- a/helpers/set-hostname.nix
+++ b/helpers/set-hostname.nix
@@ -1,4 +0,0 @@
-hostName: { ... }:
-{
-  networking.hostName = hostName;
-}
--- a/machines/desko/default.nix
+++ b/machines/desko/default.nix
@@ -4,6 +4,8 @@
    ./fs.nix
  ];

+  # sane.home-packages.enableDevPkgs = true;
+
  sane.gui.sway.enable = true;
  sane.services.duplicity.enable = true;
  sane.services.nixserve.enable = true;
@@ -18,6 +20,11 @@
  users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
  users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;

+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/desko.yaml;
+    neededForUsers = true;
+  };
+
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
--- a/machines/instantiate.nix
+++ b/machines/instantiate.nix
@@ -0,0 +1,11 @@
+# trampoline from flake.nix into the specific machine definition, while doing a tiny bit of common setup
+
+hostName: { ... }: {
+  imports = [
+    ./${hostName}
+  ];
+
+  networking.hostName = hostName;
+
+  nixpkgs.config.allowUnfree = true;
+}
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -4,6 +4,8 @@
    ./fs.nix
  ];

+  # sane.home-packages.enableDevPkgs = true;
+
  # sane.users.guest.enable = true;
  sane.gui.sway.enable = true;
  sane.impermanence.enable = true;
@@ -11,6 +13,11 @@
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/lappy.yaml;
+    neededForUsers = true;
+  };
+
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
--- a/machines/moby/default.nix
+++ b/machines/moby/default.nix
@@ -1,42 +1,33 @@
 { config, pkgs, lib, mobile-nixos, ... }:
 {
  imports = [
-    # (import "${mobile-nixos}/lib/configuration.nix" {
-    #   device = "pine64-pinephone";
-    # })
    ./firmware.nix
    ./fs.nix
    ./kernel.nix
  ];
-  # XXX colin: phosh doesn't work well with passwordless login
+
+  # cross-compiled documentation is *slow*.
+  # no obvious way to natively compile docs (2022/09/29).
+  # entrypoint is nixos/modules/misc/documentation.nix
+  # doc building happens in nixos/doc/manual/default.nix
+  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
+  documentation.nixos.enable = false;
+
+  # XXX colin: phosh doesn't work well with passwordless login,
+  # so set this more reliable default password should anything go wrong
  users.users.colin.initialPassword = "147147";
  services.getty.autologinUser = "root";  # allows for emergency maintenance?

+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/moby.yaml;
+    neededForUsers = true;
+  };
+
  # usability compromises
  sane.impermanence.home-dirs = [
-    ".librewolf"
+    config.sane.web-browser.dotDir
  ];

-  # sane.home-manager.extraPackages = [
-  #   # for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
-  #   pkgs.angelfish  # plasma mobile web browser; broken on phosh (poor wayland support)
-  #   # pkgs.plasma5Packages.index  # file browser
-  #   pkgs.plasma5Packages.konsole  # terminal
-  #   # pkgs.plasma5Packages.pix  # picture viewer
-  #   pkgs.plasma5Packages.kalk  # calculator; broken on phosh
-  #   # pkgs.plasma5Packages.buho  # (plasma mobile?) note application
-  #   pkgs.plasma5Packages.kasts  #  podcast app; works on phosh after setting QT envar
-  #   pkgs.plasma5Packages.koko  # image gallery; broken on phosh
-  #   pkgs.plasma5Packages.kwave  # media player.
-  #   # pkgs.plasma5Packages.neochat  #  matrix client. needs qcoro => no aarch64 support
-  #   # pkgs.plasma5Packages.plasma-dialer  # phone dialer
-  #   # pkgs.plasma5Packages.plasma-mobile  # the whole shebang?
-  #   # pkgs.plasma5Packages.plasma-settings
-  #   pkgs.plasma5Packages.bomber  # arcade game; broken on phosh
-  #   pkgs.plasma5Packages.kapman  # pacman
-  #   pkgs.st  # suckless terminal; broken on phosh
-  #   # pkgs.alacritty  # terminal; crashes phosh
-  # ];
  # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
  sane.home-manager.extraPackages = [
    pkgs.plasma5Packages.konsole  # terminal
@@ -53,6 +44,15 @@
  # mobile.boot.stage-1.enable = false;
  # boot.initrd.systemd.enable = false;
  # boot.initrd.services.swraid.enable = false;  # attempt to fix dm_mod stuff
+  # disable proximity sensor.
+  # the filtering/calibration is bad that it causes the screen to go fully dark at times.
+  boot.blacklistedKernelModules = [ "stk3310" ];
+
+  # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
+  # this is because they can't allocate enough video ram.
+  # the default CMA seems to be 32M. we could probably get by with as little as 64M, and safely with 128M.
+  # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
+  boot.kernelParams = [ "cma=256M" ];

  # mobile-nixos' /lib/firmware includes:
  #   rtl_bt          (bluetooth)
@@ -81,5 +81,5 @@
  environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
  systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";

-  users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
+  hardware.opengl.driSupport = true;
 }
--- a/machines/moby/firmware.nix
+++ b/machines/moby/firmware.nix
@@ -4,7 +4,7 @@
  # only actually need 1 MB, but better to over-allocate than under-allocate
  sane.image.extraGPTPadding = 16 * 1024 * 1024;
  sane.image.firstPartGap = 0;
-  system.build.img = pkgs.runCommandNoCC "nixos_full-disk-image.img" {} ''
+  system.build.img = pkgs.runCommand "nixos_full-disk-image.img" {} ''
    cp -v ${config.system.build.img-without-firmware}/nixos.img $out
    chmod +w $out
    dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
--- a/machines/moby/kernel.nix
+++ b/machines/moby/kernel.nix
@@ -114,7 +114,7 @@ in
  # - phone rotation sensor is off by 90 degrees
  # - ambient light sensor causes screen brightness to be shakey
  # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.cross.linux-megous;
+  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;

  boot.kernelPatches = [
    (patchDefconfig (kernelConfig //
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -6,24 +6,14 @@
    ./hardware.nix
    ./net.nix
    ./users.nix
-    ./services/ddns-he.nix
-    ./services/gitea.nix
-    ./services/ipfs.nix
-    ./services/jackett.nix
-    ./services/jellyfin.nix
-    ./services/matrix
-    ./services/navidrome.nix
-    ./services/nginx.nix
-    ./services/pleroma.nix
-    ./services/postfix.nix
-    ./services/postgres.nix
-    ./services/transmission.nix
+    ./services
  ];

-  sane.home-manager.enable = true;
  sane.home-manager.extraPackages = [
-    # for administering matrix
+    # for administering services
    pkgs.matrix-synapse
+    pkgs.freshrss
+    pkgs.goaccess
  ];
  sane.impermanence.enable = true;
  sane.services.duplicity.enable = true;
--- a/machines/servo/services/default.nix
+++ b/machines/servo/services/default.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+  imports = [
+    ./ddns-he.nix
+    ./freshrss.nix
+    ./gitea.nix
+    ./goaccess.nix
+    ./ipfs.nix
+    ./jackett.nix
+    ./jellyfin.nix
+    ./matrix
+    ./navidrome.nix
+    ./nginx.nix
+    ./pleroma.nix
+    ./postfix.nix
+    ./postgres.nix
+    ./transmission.nix
+  ];
+}
--- a/machines/servo/services/freshrss.nix
+++ b/machines/servo/services/freshrss.nix
@@ -0,0 +1,48 @@
+# import feeds with e.g.
+# ```console
+# $ nix build '.#nixpkgs.freshrss'
+# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --filename /home/colin/.config/newsflashFeeds.opml
+# ```
+#
+# export feeds with
+# ```console
+# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/export-opml-for-user.php --user admin
+# ```
+
+{ config, lib, pkgs, ... }:
+{
+  sops.secrets.freshrss_passwd = {
+    sopsFile = ../../../secrets/servo.yaml;
+    owner = config.users.users.freshrss.name;
+    mode = "400";
+  };
+  sane.impermanence.service-dirs = [
+    { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
+  ];
+
+  users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
+  users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
+  services.freshrss.enable = true;
+  services.freshrss.baseUrl = "https://rss.uninsane.org";
+  services.freshrss.virtualHost = "rss.uninsane.org";
+  services.freshrss.passwordFile = config.sops.secrets.freshrss_passwd.path;
+
+  systemd.services.freshrss-import-feeds =
+  let
+    fresh = config.systemd.services.freshrss-config;
+    feeds = import ../../../modules/universal/home-manager/feeds.nix { inherit lib; };
+    opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
+  in {
+    inherit (fresh) wantedBy environment;
+    serviceConfig = {
+      inherit (fresh.serviceConfig) Type User Group StateDirectory WorkingDirectory
+        # hardening options
+        CapabilityBoundingSet DeviceAllow LockPersonality NoNewPrivileges PrivateDevices PrivateTmp PrivateUsers ProcSubset ProtectClock ProtectControlGroups ProtectHome ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables ProtectProc ProtectSystem RemoveIPC RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallArchitectures SystemCallFilter UMask;
+    };
+    description = "import sane RSS feed list";
+    after = [ "freshrss-config.service" ];
+    script = ''
+      ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
+    '';
+  };
+}
--- a/machines/servo/services/goaccess.nix
+++ b/machines/servo/services/goaccess.nix
@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+{
+  # based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
+  # log-format setting can be derived with this tool if custom:
+  # - <https://github.com/stockrt/nginx2goaccess>
+  # config options:
+  # - <https://github.com/allinurl/goaccess/blob/master/config/goaccess.conf>
+
+  systemd.services.goaccess = {
+    description = "GoAccess server monitoring";
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.goaccess}/bin/goaccess \
+          -f /var/log/nginx/public.log \
+          --log-format=VCOMBINED \
+          --real-time-html \
+          --no-query-string \
+          --anonymize-ip \
+          --ignore-panel=HOSTS \
+          --ws-url=wss://sink.uninsane.org:443/ws \
+          --port=7890 \
+          -o /var/lib/uninsane/sink/index.html
+      '';
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Type = "simple";
+      Restart = "on-failure";
+
+      # hardening
+      WorkingDirectory = "/tmp";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = "read-only";
+      ProtectSystem = "strict";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
+      ReadOnlyPaths = "/";
+      ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
+      PrivateDevices = "yes";
+      ProtectKernelModules = "yes";
+      ProtectKernelTunables = "yes";
+    };
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+}
--- a/machines/servo/services/ipfs.nix
+++ b/machines/servo/services/ipfs.nix
@@ -12,15 +12,15 @@
    # TODO: mode? could be more granular
    { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
  ];
-  services.ipfs.enable = true;
-  services.ipfs.localDiscovery = true;
-  services.ipfs.swarmAddress = [
+  # services.ipfs.enable = true;
+  services.kubo.localDiscovery = true;
+  services.kubo.swarmAddress = [
    # "/dns4/ipfs.uninsane.org/tcp/4001"
    # "/ip4/0.0.0.0/tcp/4001"
    "/dns4/ipfs.uninsane.org/udp/4001/quic"
    "/ip4/0.0.0.0/udp/4001/quic"
  ];
-  services.ipfs.extraConfig = {
+  services.kubo.extraConfig = {
    Addresses = {
      Announce = [
        # "/dns4/ipfs.uninsane.org/tcp/4001"
--- a/machines/servo/services/matrix/default.nix
+++ b/machines/servo/services/matrix/default.nix
@@ -1,13 +1,15 @@
 # docs: https://nixos.wiki/wiki/Matrix
 # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
-{ config, ... }:
+{ config, lib, ... }:

 {
+  imports = [
+    ./discord-puppet.nix
+    # ./irc.nix
+  ];
+
  sane.impermanence.service-dirs = [
-    # TODO: mode?
-    # user and group are both "matrix-appservice-irc"
-    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
-    { user = "224"; group = "224"; directory = "/var/lib/matrix-synapse"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
@@ -62,9 +64,6 @@
  #     subjects:
  #       email_validation: "[%(server_name)s] Validate your email"
  # ''];
-  services.matrix-synapse.settings.app_service_config_files = [
-    "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
-  ];

  # new users may be registered on the CLI:
  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
@@ -78,90 +77,6 @@
  # create a token with limited uses:
  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new

-  # IRC bridging
-  # note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
-  # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
-  # services.matrix-appservice-irc.enable = true;
-  services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
-  # settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
-  services.matrix-appservice-irc.settings = {
-    homeserver = {
-      url = "http://127.0.0.1:8008";
-      dropMatrixMessagesAfterSecs = 300;
-      domain = "uninsane.org";
-      enablePresence = true;
-      bindPort = 9999;
-      bindHost = "127.0.0.1";
-    };
-
-    ircService = {
-      servers = {
-        "irc.rizon.net" = {
-          name = "Rizon";
-          port = 6697;  # SSL port
-          ssl = true;
-          sasl = true;  # appservice doesn't support NickServ identification
-          botConfig = {
-            # bot has no presence in IRC channel; only real Matrix users
-            enabled = false;
-            # nick = "UninsaneDotOrg";
-            nick = "uninsane";
-            username = "uninsane";
-          };
-          dynamicChannels = {
-            enabled = true;
-            aliasTemplate = "#irc_rizon_$CHANNEL";
-          };
-          ircClients = {
-            nickTemplate = "$LOCALPARTsane";
-            # by default, Matrix will convert messages greater than (3) lines into a pastebin-like URL to send to IRC.
-            lineLimit = 20;
-          };
-          matrixClients = {
-            userTemplate = "@irc_rizon_$NICK";  # the :uninsane.org part is appended automatically
-          };
-
-          # this will let this user message the appservice with `!join #<IRCChannel>` and the rest "Just Works"
-          "@colin:uninsane.org" = "admin";
-
-          membershipLists = {
-            enabled = true;
-            global = {
-              ircToMatrix = {
-                initial = true;
-                incremental = true;
-                requireMatrixJoined = false;
-              };
-              matrixToIrc = {
-                initial = true;
-                incremental = true;
-              };
-            };
-          };
-          # sync room description?
-          bridgeInfoState = {
-            enabled = true;
-            initial = true;
-          };
-
-          # hardcoded mappings, for when dynamicChannels fails us. TODO: probably safe to remove these.
-          # mappings = {
-          #   "#chat" = {
-          #     roomIds = [ "!GXJSOTdbtxRboGtDep:uninsane.org" ];
-          #   };
-          #   # BakaBT requires account registration, which i think means my user needs to be added before the appservice user
-          #   "#BakaBT" = {
-          #     roomIds = [ "!feZKttuYuHilqPFSkD:uninsane.org" ];
-          #   };
-          # };
-          # for per-user IRC password:
-          #   invite @irc_rizon_NickServ:uninsane.org to a DM and type `help`  => register
-          #   invite the matrix-appservice-irc user to a DM and type `!help`   => add PW to database
-          # passwordEncryptionKeyPath = "/path/to/privkey";  # appservice will generate its own if unspecified
-        };
-      };
-    };
-  };

  sops.secrets.matrix_synapse_secrets = {
    sopsFile = ../../../../secrets/servo.yaml;
--- a/machines/servo/services/matrix/discord-puppet.nix
+++ b/machines/servo/services/matrix/discord-puppet.nix
@@ -0,0 +1,52 @@
+{ lib, ... }:
+{
+  sane.impermanence.service-dirs = [
+    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
+  ];
+
+  services.matrix-synapse.settings.app_service_config_files = [
+    # auto-created by mx-puppet-discord service
+    "/var/lib/mx-puppet-discord/discord-registration.yaml"
+  ];
+
+  services.mx-puppet-discord.enable = true;
+  # schema/example: <https://gitlab.com/mx-puppet/discord/mx-puppet-discord/-/blob/main/sample.config.yaml>
+  services.mx-puppet-discord.settings = {
+    bridge = {
+      # port = 8434
+      bindAddress = "127.0.0.1";
+      domain = "uninsane.org";
+      homeserverUrl = "http://127.0.0.1:8008";
+      # displayName = "mx-discord-puppet";  # matrix name for the bot
+      # matrix "groups" were an earlier version of spaces.
+      # maybe the puppet understands this, maybe not?
+      enableGroupSync = false;
+    };
+    presence = {
+      enabled = false;
+      interval = 30000;
+    };
+    provisioning = {
+      # allow these users to control the puppet
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    relay = {
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    selfService = {
+      # who's allowed to use plumbed rooms (idk what that means)
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    logging = {
+      # silly, debug, verbose, info, warn, error
+      console = "debug";
+    };
+  };
+
+  systemd.services.mx-puppet-discord.serviceConfig = {
+    # fix up to not use /var/lib/private, but just /var/lib
+    DynamicUser = lib.mkForce false;
+    User = "matrix-synapse";
+    Group = "matrix-synapse";
+  };
+}
--- a/machines/servo/services/matrix/irc.nix
+++ b/machines/servo/services/matrix/irc.nix
@@ -0,0 +1,97 @@
+{ config, lib, ... }:
+
+{
+  sane.impermanence.service-dirs = [
+    # TODO: mode?
+    # user and group are both "matrix-appservice-irc"
+    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
+  ];
+
+  services.matrix-synapse.settings.app_service_config_files = [
+    "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
+  ];
+
+  # note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
+  # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
+  services.matrix-appservice-irc.enable = true;
+  services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
+  # settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
+  services.matrix-appservice-irc.settings = {
+    homeserver = {
+      url = "http://127.0.0.1:8008";
+      dropMatrixMessagesAfterSecs = 300;
+      domain = "uninsane.org";
+      enablePresence = true;
+      bindPort = 9999;
+      bindHost = "127.0.0.1";
+    };
+
+    ircService = {
+      servers = {
+        "irc.rizon.net" = {
+          name = "Rizon";
+          port = 6697;  # SSL port
+          ssl = true;
+          sasl = true;  # appservice doesn't support NickServ identification
+          botConfig = {
+            # bot has no presence in IRC channel; only real Matrix users
+            enabled = false;
+            # nick = "UninsaneDotOrg";
+            nick = "uninsane";
+            username = "uninsane";
+          };
+          dynamicChannels = {
+            enabled = true;
+            aliasTemplate = "#irc_rizon_$CHANNEL";
+          };
+          ircClients = {
+            nickTemplate = "$LOCALPARTsane";
+            # by default, Matrix will convert messages greater than (3) lines into a pastebin-like URL to send to IRC.
+            lineLimit = 20;
+          };
+          matrixClients = {
+            userTemplate = "@irc_rizon_$NICK";  # the :uninsane.org part is appended automatically
+          };
+
+          # this will let this user message the appservice with `!join #<IRCChannel>` and the rest "Just Works"
+          "@colin:uninsane.org" = "admin";
+
+          membershipLists = {
+            enabled = true;
+            global = {
+              ircToMatrix = {
+                initial = true;
+                incremental = true;
+                requireMatrixJoined = false;
+              };
+              matrixToIrc = {
+                initial = true;
+                incremental = true;
+              };
+            };
+          };
+          # sync room description?
+          bridgeInfoState = {
+            enabled = true;
+            initial = true;
+          };
+
+          # hardcoded mappings, for when dynamicChannels fails us. TODO: probably safe to remove these.
+          # mappings = {
+          #   "#chat" = {
+          #     roomIds = [ "!GXJSOTdbtxRboGtDep:uninsane.org" ];
+          #   };
+          #   # BakaBT requires account registration, which i think means my user needs to be added before the appservice user
+          #   "#BakaBT" = {
+          #     roomIds = [ "!feZKttuYuHilqPFSkD:uninsane.org" ];
+          #   };
+          # };
+          # for per-user IRC password:
+          #   invite @irc_rizon_NickServ:uninsane.org to a DM and type `help`  => register
+          #   invite the matrix-appservice-irc user to a DM and type `!help`   => add PW to database
+          # passwordEncryptionKeyPath = "/path/to/privkey";  # appservice will generate its own if unspecified
+        };
+      };
+    };
+  };
+}
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
@@ -1,18 +1,40 @@
 # docs: https://nixos.wiki/wiki/Nginx
 { config, pkgs, ... }:

+let
+  # make the logs for this host "public" so that they show up in e.g. metrics
+  publog = vhost: vhost // {
+    extraConfig = (vhost.extraConfig or "") + ''
+      access_log /var/log/nginx/public.log vcombined;
+    '';
+  };
+in
 {
  services.nginx.enable = true;

+  # this is the standard `combined` log format, with the addition of $host
+  # so that we have the virtualHost in the log.
+  # KEEP IN SYNC WITH GOACCESS
+  # goaccess calls this VCOMBINED:
+  # - <https://gist.github.com/jyap808/10570005>
+  services.nginx.commonHttpConfig = ''
+    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
+    access_log /var/log/nginx/private.log vcombined;
+  '';
+
  # web blog/personal site
-  services.nginx.virtualHosts."uninsane.org" = {
-    root = "/var/lib/uninsane/root";
+  services.nginx.virtualHosts."uninsane.org" = publog {
+    root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
    # a lot of places hardcode https://uninsane.org,
    # and then when we mix http + non-https, we get CORS violations
    # and things don't look right. so force SSL.
    forceSSL = true;
    enableACME = true;

+    # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
+    # yes, nginx does not strip the prefix when evaluating against the root.
+    locations."/share".root = "/var/lib/uninsane/root";
+
    # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
    locations."= /.well-known/matrix/server".extraConfig =
      let
@@ -53,8 +75,28 @@
    # };
  };

+  # server statistics
+  services.nginx.virtualHosts."sink.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    root = "/var/lib/uninsane/sink";
+
+    locations."/ws" = {
+      proxyPass = "http://127.0.0.1:7890";
+      # XXX not sure how much of this is necessary
+      extraConfig = ''
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_buffering off;
+        proxy_read_timeout 7d;
+      '';
+    };
+
+  };
+
  # Pleroma server and web interface
-  services.nginx.virtualHosts."fed.uninsane.org" = {
+  services.nginx.virtualHosts."fed.uninsane.org" = publog {
    addSSL = true;
    enableACME = true;
    locations."/" = {
@@ -115,7 +157,7 @@
  };

  # matrix chat server
-  services.nginx.virtualHosts."matrix.uninsane.org" = {
+  services.nginx.virtualHosts."matrix.uninsane.org" = publog {
    addSSL = true;
    enableACME = true;

@@ -156,7 +198,7 @@
  };

  # hosted git (web view and for `git <cmd>` use
-  services.nginx.virtualHosts."git.uninsane.org" = {
+  services.nginx.virtualHosts."git.uninsane.org" = publog {
    addSSL = true;
    enableACME = true;

@@ -219,6 +261,12 @@
    locations."/".proxyPass = "http://127.0.0.1:4533";
  };

+  services.nginx.virtualHosts."rss.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    # the routing is handled by freshrss.nix
+  };
+
  services.nginx.virtualHosts."ipfs.uninsane.org" = {
    # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
    # ideally we'd disable ssl entirely, but some places assume it?
@@ -266,6 +314,7 @@
  sane.impermanence.service-dirs = [
    # TODO: mode?
    { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
+    # TODO: this is overly broad; only need media and share directories to be persisted
    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
  ];
 }
--- a/machines/servo/services/pleroma.nix
+++ b/machines/servo/services/pleroma.nix
@@ -74,9 +74,10 @@
    config :pleroma, configurable_from_database: false

    # strip metadata from uploaded images
-    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool]
+    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation]

    # TODO: GET /api/pleroma/captcha is broken
+    # there was a nixpkgs PR to fix this around 2022/10 though.
    config :pleroma, Pleroma.Captcha,
      enabled: false,
      method: Pleroma.Captcha.Native
@@ -92,8 +93,8 @@
      backends: [{ExSyslogger, :ex_syslogger}]

    config :logger, :ex_syslogger,
-      level: :debug
-    #  level: :warn
+      level: :warn
+    #  level: :debug

    # XXX colin: not sure if this actually _does_ anything
    config :pleroma, :emoji,
--- a/machines/servo/services/postfix.nix
+++ b/machines/servo/services/postfix.nix
@@ -18,8 +18,12 @@ in
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? could be more granular
-    { user = "221"; group = "221"; directory = "/var/lib/opendkim"; }
+    { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
    { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
+    { user = "root"; group = "root"; directory = "/var/spool/mail"; }
+    # *probably* don't need these dirs:
+    # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
+    # "/var/lib/dovecot"
  ];
  services.postfix.enable = true;
  services.postfix.hostname = "mx.uninsane.org";
--- a/machines/servo/services/postgres.nix
+++ b/machines/servo/services/postgres.nix
@@ -3,7 +3,7 @@
 {
  sane.impermanence.service-dirs = [
    # TODO: mode?
-    { user = "71"; group = "71"; directory = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
  ];
  services.postgresql.enable = true;
  # services.postgresql.dataDir = "/opt/postgresql/13";
--- a/machines/servo/services/transmission.nix
+++ b/machines/servo/services/transmission.nix
@@ -3,7 +3,7 @@
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "70"; group = "70"; directory = "/var/lib/transmission"; }
+    { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
  ];
  services.transmission.enable = true;
  services.transmission.settings = {
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -7,8 +7,7 @@
    ./image.nix
    ./impermanence.nix
    ./nixcache.nix
-    ./services/duplicity.nix
-    ./services/nixserve.nix
+    ./services
    ./universal
  ];
 }
--- a/modules/gui/default.nix
+++ b/modules/gui/default.nix
@@ -22,7 +22,6 @@ in

  config = lib.mkIf cfg.enable {
    sane.home-packages.enableGuiPkgs = lib.mkDefault true;
-    sane.home-manager.enable = lib.mkDefault true;
    # all GUIs use network manager?
    users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
  };
--- a/modules/gui/gnome.nix
+++ b/modules/gui/gnome.nix
@@ -14,6 +14,16 @@ in

  config = mkIf cfg.enable {
    sane.gui.enable = true;
+
+    users.users.avahi.uid = config.sane.allocations.avahi-uid;
+    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+    users.users.colord.uid = config.sane.allocations.colord-uid;
+    users.groups.colord.gid = config.sane.allocations.colord-gid;
+    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+
    # start gnome/gdm on boot
    services.xserver.enable = true;
    services.xserver.desktopManager.gnome.enable = true;
--- a/modules/gui/phosh.nix
+++ b/modules/gui/phosh.nix
@@ -10,58 +10,97 @@ in
      default = false;
      type = types.bool;
    };
+    sane.gui.phosh.useGreeter = mkOption {
+      description = ''
+        launch phosh via a greeter (like lightdm-mobile-greeter).
+        phosh is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
  };

-  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+  config = mkIf cfg.enable (mkMerge [
+    {
+      sane.gui.enable = true;

-    users.users.avahi.uid = config.sane.allocations.avahi-uid;
-    users.users.colord.uid = config.sane.allocations.colord-uid;
-    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
-    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
-    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
-    users.groups.colord.gid = config.sane.allocations.colord-gid;
-    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
-    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+      users.users.avahi.uid = config.sane.allocations.avahi-uid;
+      users.users.colord.uid = config.sane.allocations.colord-uid;
+      users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+      users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+      users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+      users.groups.colord.gid = config.sane.allocations.colord-gid;
+      users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
+      users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+      users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;

-    # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
-    services.xserver.desktopManager.phosh = {
-      enable = true;
-      user = "colin";
-      group = "users";
-      phocConfig = {
-        # xwayland = "true";
-        # find default outputs by catting /etc/phosh/phoc.ini
-        outputs.DSI-1 = {
-          scale = 1.5;
+      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
+      services.xserver.desktopManager.phosh = {
+        enable = true;
+        user = "colin";
+        group = "users";
+        phocConfig = {
+          # xwayland = "true";
+          # find default outputs by catting /etc/phosh/phoc.ini
+          outputs.DSI-1 = {
+            scale = 1.5;
+          };
        };
      };
-    };

-    # XXX: phosh enables networkmanager by default; can probably disable these lines
-    networking.useDHCP = false;
-    networking.networkmanager.enable = true;
-    networking.wireless.enable = lib.mkForce false;
+      # XXX: phosh enables networkmanager by default; can probably disable these lines
+      networking.useDHCP = false;
+      networking.networkmanager.enable = true;
+      networking.wireless.enable = lib.mkForce false;

-    # XXX: not clear if these are actually needed?
-    hardware.bluetooth.enable = true;
-    services.blueman.enable = true;
+      # XXX: not clear if these are actually needed?
+      hardware.bluetooth.enable = true;
+      services.blueman.enable = true;

-    hardware.opengl.enable = true;
-    hardware.opengl.driSupport = true;
+      hardware.opengl.enable = true;
+      hardware.opengl.driSupport = true;

-    environment.variables = {
-      # Qt apps won't always start unless this env var is set
-      QT_QPA_PLATFORM = "wayland";
-      # electron apps (e.g. Element) should use the wayland backend
-      # toggle this to have electron apps (e.g. Element) use the wayland backend.
-      # phocConfig.xwayland should be disabled if you do this
-      NIXOS_OZONE_WL = "1";
-    };
+      environment.variables = {
+        # Qt apps won't always start unless this env var is set
+        QT_QPA_PLATFORM = "wayland";
+        # electron apps (e.g. Element) should use the wayland backend
+        # toggle this to have electron apps (e.g. Element) use the wayland backend.
+        # phocConfig.xwayland should be disabled if you do this
+        NIXOS_OZONE_WL = "1";
+      };

-    sane.home-manager.extraPackages = with pkgs; [
-      # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
-      gnome.gnome-bluetooth
-    ];
-  };
+      sane.home-manager.extraPackages = with pkgs; [
+        phosh-mobile-settings
+
+        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
+        gnome.gnome-bluetooth
+      ];
+    }
+    (mkIf cfg.useGreeter {
+      services.xserver.enable = true;
+      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
+      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
+      # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
+      # this requires the user we want to login as to be cached.
+      services.xserver.displayManager.job.preStart = ''
+        ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
+      '';
+      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";  # XXX: not sure why this doesn't propagate correctly.
+      services.xserver.displayManager.lightdm.extraSeatDefaults = ''
+        user-session = phosh
+      '';
+      # services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
+      # services.xserver.displayManager.lightdm.greeter = {
+      #   enable = true;
+      #   package = pkgs.lightdm-mobile-greeter.xgreeters;
+      #   name = "lightdm-mobile-greeter";
+      # };
+      # # services.xserver.displayManager.lightdm.enable = true;
+
+      services.xserver.displayManager.lightdm.enable = true;
+      services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
+
+      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
+    })
+  ]);
 }
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -11,6 +11,14 @@ in
      default = false;
      type = types.bool;
    };
+    sane.gui.sway.useGreeter = mkOption {
+      description = ''
+        launch sway via a greeter (like greetd's gtkgreet).
+        sway is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
  };
  config = mkIf cfg.enable {
    sane.gui.enable = true;
@@ -21,18 +29,39 @@ in
      enable = true;
    };

-    # TODO: should be able to use SDDM to get interactive login
-    services.greetd = {
-      enable = true;
-      settings = rec {
-        initial_session = {
+    # alternatively, could use SDDM
+    services.greetd = let
+      swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
+        # `-l` activates layer-shell mode.
+        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
+      '';
+      default_session = {
+        "01" = {
+          # greeter session config
+          command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
+          # alternatives:
+          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
+          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
+          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
+        };
+        "0" = {
+          # no greeter
          command = "${pkgs.sway}/bin/sway";
          user = "colin";
        };
-        default_session = initial_session;
+      };
+    in {
+      # greetd source/docs:
+      # - <https://git.sr.ht/~kennylevinsen/greetd>
+      enable = true;
+      settings = {
+        default_session = default_session."0${builtins.toString cfg.useGreeter}";
      };
    };

+    # some programs (e.g. fractal) **require** a "Secret Service Provider"
+    services.gnome.gnome-keyring.enable = true;
+
    # unlike other DEs, sway configures no audio stack
    # administer with pw-cli, pw-mon, pw-top commands
    services.pipewire = {
@@ -85,21 +114,22 @@ in
          "${modifier}+Return" = "exec ${terminal}";
          "${modifier}+Shift+q" = "kill";
          "${modifier}+d" = "exec ${menu}";
+          "${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";

-          "${modifier}+${left}" = "focus left";
-          "${modifier}+${down}" = "focus down";
-          "${modifier}+${up}" = "focus up";
-          "${modifier}+${right}" = "focus right";
+          # "${modifier}+${left}" = "focus left";
+          # "${modifier}+${down}" = "focus down";
+          # "${modifier}+${up}" = "focus up";
+          # "${modifier}+${right}" = "focus right";

          "${modifier}+Left" = "focus left";
          "${modifier}+Down" = "focus down";
          "${modifier}+Up" = "focus up";
          "${modifier}+Right" = "focus right";

-          "${modifier}+Shift+${left}" = "move left";
-          "${modifier}+Shift+${down}" = "move down";
-          "${modifier}+Shift+${up}" = "move up";
-          "${modifier}+Shift+${right}" = "move right";
+          # "${modifier}+Shift+${left}" = "move left";
+          # "${modifier}+Shift+${down}" = "move down";
+          # "${modifier}+Shift+${up}" = "move up";
+          # "${modifier}+Shift+${right}" = "move right";

          "${modifier}+Shift+Left" = "move left";
          "${modifier}+Shift+Down" = "move down";
@@ -569,7 +599,7 @@ in
    };
    sane.home-manager.extraPackages = with pkgs; [
      swaylock
-      swayidle
+      swayidle  # (unused)
      wl-clipboard
      mako # notification daemon
      xdg-utils  # for xdg-open
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -7,6 +7,8 @@
 with lib;
 let
  cfg = config.sane.impermanence;
+  # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
+  secretsForUsers = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
 in
 {
  options = {
@@ -34,28 +36,17 @@ in

    map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
    map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
-    map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
+
  in mkIf cfg.enable {
    sane.image.extraDirectories = [ "/nix/persist/var/log" ];
    environment.persistence."/nix/persist" = {
-      directories = (map-home-dirs ([
-        # cache is probably too big to fit on the tmpfs
-        # TODO: we could bind-mount it to something which gets cleared per boot, though.
-        ".cache"
-        ".cargo"
-        ".rustup"
-        ".ssh"
-        # intentionally omitted:
-        # ".config"  # managed by home-manager
-        # ".local"   # nothing useful in here
-      ] ++ cfg.home-dirs)) ++ (map-sys-dirs [
-        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
+      directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
+        # NB: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
        # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # "/etc/nixos"
        # "/etc/ssh"  # persist only the specific files we want, instead
        "/var/log"
        "/var/backup"  # for e.g. postgres dumps
-      ]) ++ (map-service-dirs ([
        # "/var/lib/AccountsService"   # not sure what this is, but it's empty
        "/var/lib/alsa"                # preserve output levels, default devices
        # "/var/lib/blueman"           # files aren't human readable
@@ -79,30 +70,25 @@ in
        # "/var/lib/upower"            # historic charge data. unnecessary, but maybe used somewhere?
        #
        # servo additions:
-        # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
-        # "/var/lib/dovecot"
-        # "/var/lib/duplicity"
-      ] ++ cfg.service-dirs));
-      files = [
-        "/etc/machine-id"
-        "/etc/ssh/ssh_host_ed25519_key"
-        "/etc/ssh/ssh_host_ed25519_key.pub"
-        "/etc/ssh/ssh_host_rsa_key"
-        "/etc/ssh/ssh_host_rsa_key.pub"
-        "/home/colin/.zsh_history"
-        # # XXX these only need persistence because i have mutableUsers = true, i think
-        # "/etc/group"
-        # "/etc/passwd"
-        # "/etc/shadow"
-      ];
+      ] ++ cfg.service-dirs);
+      # /etc/machine-id is a globally unique identifier used for:
+      # - systemd-networkd: DHCP lease renewal (instead of keying by the MAC address)
+      # - systemd-journald: to filter logs by host
+      # - chromium (potentially to track re-installations)
+      # - gdbus; system services that might upgrade to AF_LOCAL if both services can confirm they're on the same machine
+      # of these, systemd-networkd is the only legitimate case to persist the machine-id.
+      # depersisting it should be "safe"; edge-cases like systemd-networkd can be directed to use some other ID if necessary.
+      # nixos-impermanence shows binding the host ssh priv key to this; i could probably hash the host key into /etc/machine-id if necessary.
+      # files = [ "/etc/machine-id" ];
    };

-    systemd.services.sane-sops = {
-      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
-      script = config.system.activationScripts.setupSecrets.text;
-      after = [ "fs-local.target" ];
-      wantedBy = [ "multi-user.target" ];
+    # secret decoding depends on /etc/ssh keys, which may be persisted
+    system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
+    system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {
+      deps = [ "persist-ssh-host-keys" ];
    };
+    # populated by ssh.nix, which persists /etc/ssh/host_keys
+    system.activationScripts.persist-ssh-host-keys.text = lib.mkDefault "";
  };
 }

--- a/modules/nixcache.nix
+++ b/modules/nixcache.nix
@@ -1,3 +1,13 @@
+# speed up builds from e.g. moby or lappy by having them query desko and servo first.
+# if one of these hosts is offline, instead manually specify just cachix:
+# - `nixos-rebuild --option substituters https://cache.nixos.org/`
+#
+# future improvements:
+# - apply for community arm build box:
+#   - <https://github.com/nix-community/aarch64-build-box>
+# - don't require all substituters to be online:
+#   - <https://github.com/NixOS/nix/pull/7188>
+
 { lib, config, ... }:

 with lib;
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./duplicity.nix
+    ./nixserve.nix
+  ];
+}
--- a/modules/universal/allocations.nix
+++ b/modules/universal/allocations.nix
@@ -23,6 +23,9 @@ in
    sane.allocations.greeter-uid = mkId 999;
    sane.allocations.greeter-gid = mkId 999;

+    sane.allocations.freshrss-uid = mkId 2401;
+    sane.allocations.freshrss-gid = mkId 2401;
+
    sane.allocations.colin-uid = mkId 1000;
    sane.allocations.guest-uid = mkId 1100;

@@ -33,6 +36,8 @@ in
    sane.allocations.systemd-coredump-gid = mkId 2003;  # 996
    sane.allocations.nscd-uid = mkId 2004;
    sane.allocations.nscd-gid = mkId 2004;
+    sane.allocations.systemd-oom-uid = mkId 2005;
+    sane.allocations.systemd-oom-gid = mkId 2005;

    # found on graphical machines
    sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
--- a/modules/universal/default.nix
+++ b/modules/universal/default.nix
@@ -3,16 +3,26 @@
 {
  imports = [
    ./allocations.nix
-    ./env
    ./fs.nix
+    ./home-manager
+    ./home-packages.nix
    ./net.nix
+    ./machine-id.nix
    ./secrets.nix
+    ./ssh.nix
+    ./system-packages.nix
    ./users.nix
    ./vpn.nix
  ];

  time.timeZone = "America/Los_Angeles";

+  # allow `nix flake ...` command
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
+  # TODO: move this into home-manager?
  fonts = {
    enableDefaultFonts = true;
    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
@@ -25,9 +35,30 @@
    };
  };

-  # allow `nix flake ...` command
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
+  # programs.vim.defaultEditor = true;
+  environment.variables = {
+    EDITOR = "vim";
+    # git claims it should use EDITOR, but it doesn't!
+    GIT_EDITOR = "vim";
+    # TODO: these should be moved to `home.sessionVariables` (home-manager)
+    # Electron apps should use native wayland backend:
+    #   https://nixos.wiki/wiki/Slack#Wayland
+    # Discord under sway crashes with this.
+    # NIXOS_OZONE_WL = "1";
+    # LIBGL_ALWAYS_SOFTWARE = "1";
+  };
+  # enable zsh completions
+  environment.pathsToLink = [ "/share/zsh" ];
+  environment.systemPackages = with pkgs; [
+    # required for pam_mount
+    gocryptfs
+  ];
+
+  security.pam.mount.enable = true;
+  # security.pam.mount.debugLevel = 1;
+  # security.pam.enableSSHAgentAuth = true; # ??
+  # needed for `allow_other` in e.g. gocryptfs mounts
+  # or i guess going through mount.fuse sets suid so that's not necessary?
+  # programs.fuse.userAllowOther = true;
 }

--- a/modules/universal/env/default.nix
+++ b/modules/universal/env/default.nix
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./feeds.nix
-    ./home-manager.nix
-    ./home-packages.nix
-    ./system-packages.nix
-  ];
-
-  # programs.vim.defaultEditor = true;
-  environment.variables = {
-    EDITOR = "vim";
-    # git claims it should use EDITOR, but it doesn't!
-    GIT_EDITOR = "vim";
-    # Electron apps should use native wayland backend:
-    #   https://nixos.wiki/wiki/Slack#Wayland
-    # Discord under sway crashes with this.
-    # NIXOS_OZONE_WL = "1";
-  };
-}
-
--- a/modules/universal/env/feeds.nix
+++ b/modules/universal/env/feeds.nix
@@ -1,35 +0,0 @@
-{ lib, ... }:
-
-with lib;
-{
-  options = {
-    sane.feeds.podcastUrls = mkOption {
-      type = types.listOf types.str;
-      default = [
-        "https://lexfridman.com/feed/podcast/"
-        ## Astral Codex Ten
-        "http://feeds.libsyn.com/108018/rss"
-        ## Econ Talk
-        "https://feeds.simplecast.com/wgl4xEgL"
-        ## Cory Doctorow
-        "https://feeds.feedburner.com/doctorow_podcast"
-        "https://congressionaldish.libsyn.com/rss"
-        ## Civboot
-        "https://anchor.fm/s/34c7232c/podcast/rss"
-        "https://feeds.feedburner.com/80000HoursPodcast"
-        "https://allinchamathjason.libsyn.com/rss"
-        ## Eric Weinstein
-        "https://rss.art19.com/the-portal"
-        "https://feeds.megaphone.fm/darknetdiaries"
-        "http://feeds.wnyc.org/radiolab"
-        "https://wakingup.libsyn.com/rss"
-        ## 99% Invisible
-        "https://feeds.simplecast.com/BqbsxVfO"
-        "https://rss.acast.com/ft-tech-tonic"
-        "https://feeds.feedburner.com/dancarlin/history?format=xml"
-        ## 60 minutes (NB: this features more than *just* audio?)
-        "https://www.cbsnews.com/latest/rss/60-minutes"
-      ];
-    };
-  };
-}
--- a/modules/universal/env/home-manager.nix
+++ b/modules/universal/env/home-manager.nix
@@ -1,522 +0,0 @@
-# docs:
-#   https://rycee.gitlab.io/home-manager/
-#   https://rycee.gitlab.io/home-manager/options.html
-#   man home-configuration.nix
-#
-
-{ lib, config, pkgs, ... }:
-
-with lib;
-let
-  cfg = config.sane.home-manager;
-  vim-swap-dir = ".cache/vim-swap";
-  # extract package from `extraPackages`
-  pkglist = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
-  # extract `dir` from `extraPackages`
-  dirlist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
-in
-{
-  options = {
-    sane.home-manager.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-
-    # packages to deploy to the user's home
-    sane.home-manager.extraPackages = mkOption {
-      default = [ ];
-      # each entry can be either a package, or attrs:
-      #   { pkg = package; dir = optional string;
-      type = types.listOf (types.either types.package types.attrs);
-    };
-
-    # attributes to copy directly to home-manager's `wayland.windowManager` option
-    sane.home-manager.windowManager = mkOption {
-      default = {};
-      type = types.attrs;
-    };
-
-    # extra attributes to include in home-manager's `programs` option
-    sane.home-manager.programs = mkOption {
-      default = {};
-      type = types.attrs;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    sops.secrets."aerc_accounts" = {
-      owner = config.users.users.colin.name;
-      sopsFile = ../../../secrets/universal/aerc_accounts.conf;
-      format = "binary";
-    };
-    sops.secrets."sublime_music_config" = {
-      owner = config.users.users.colin.name;
-      sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
-      format = "binary";
-    };
-
-    sane.impermanence.home-dirs = [
-      "archive"
-      "dev"
-      "records"
-      "ref"
-      "tmp"
-      "use"
-      "Music"
-      "Pictures"
-      "Videos"
-      vim-swap-dir
-    ] ++ (dirlist cfg.extraPackages);
-
-    home-manager.useGlobalPkgs = true;
-    home-manager.useUserPackages = true;
-
-    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
-    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
-    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
-
-      home.packages = pkglist cfg.extraPackages;
-      wayland.windowManager = cfg.windowManager;
-
-      home.stateVersion = "21.11";
-      home.username = "colin";
-      home.homeDirectory = "/home/colin";
-
-      # XDG defines things like ~/Desktop, ~/Downloads, etc.
-      # these clutter the home, so i mostly don't use them.
-      xdg.userDirs = {
-        enable = true;
-        createDirectories = false;  # on headless systems, most xdg dirs are noise
-        desktop = "$HOME/.xdg/Desktop";
-        documents = "$HOME/dev";
-        download = "$HOME/tmp";
-        music = "$HOME/Music";
-        pictures = "$HOME/Pictures";
-        publicShare = "$HOME/.xdg/Public";
-        templates = "$HOME/.xdg/Templates";
-        videos = "$HOME/Videos";
-      };
-      xdg.mimeApps.enable = true;
-      xdg.mimeApps.defaultApplications = {
-        "text/html" = [ "librewolf.desktop" ];
-        "x-scheme-handler/http" = [ "librewolf.desktop" ];
-        "x-scheme-handler/https" = [ "librewolf.desktop" ];
-        "x-scheme-handler/about" = [ "librewolf.desktop" ];
-        "x-scheme-handler/unknown" = [ "librewolf.desktop" ];
-        "image/png" = [ "org.gnome.gThumb.desktop" ];
-      };
-
-      # convenience
-      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
-      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
-
-      # nb markdown/personal knowledge manager
-      home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
-      home.file.".nb/.current".text = "knowledge";
-      home.file.".nbrc".text = ''
-        # manage with `nb settings`
-        export NB_AUTO_SYNC=0
-      '';
-
-      # uBlock filter list configuration.
-      # specifically, enable the GDPR cookie prompt blocker.
-      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
-      # this configuration method is documented here:
-      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
-      # the specific attribute path is found via scraping ublock code here:
-      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
-      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-      home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
-        {
-         "name": "uBlock0@raymondhill.net",
-         "description": "ignored",
-         "type": "storage",
-         "data": {
-            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
-         }
-        }
-      '';
-
-      # aerc TUI mail client
-      xdg.configFile."aerc/accounts.conf".source =
-        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
-
-      # make Discord usable even when client is "outdated"
-      xdg.configFile."discord/settings.json".text = ''
-      {
-        "SKIP_HOST_UPDATE": true
-      }
-      '';
-
-      # sublime music player
-      xdg.configFile."sublime-music/config.json".source =
-        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
-
-      xdg.configFile."vlc/vlcrc".text =
-      let
-        podcastUrls = lib.strings.concatStringsSep "|" sysconfig.sane.feeds.podcastUrls;
-      in ''
-      [podcast]
-      podcast-urls=${podcastUrls}
-      [core]
-      metadata-network-access=0
-      [qt]
-      qt-privacy-ask=0
-      '';
-      xdg.configFile."gpodderFeeds.opml".text =
-      let
-        entries = builtins.toString (builtins.map
-          (url: ''\n    <outline xmlUrl="${url}" type="rss"/>'')
-          sysconfig.sane.feeds.podcastUrls
-        );
-      in ''
-        <?xml version="1.0" encoding="utf-8"?>
-        <opml version="2.0">
-          <body>${entries}
-          </body>
-        </opml>
-      '';
-
-      # gnome feeds RSS viewer
-      xdg.configFile."org.gabmus.gfeeds.json".text = builtins.toJSON {
-        feeds = {
-          # AGGREGATORS (> 1 post/day)
-          "https://www.lesswrong.com/feed.xml" = { tags = [ "hourly" "rat" ]; };
-          "http://www.econlib.org/index.xml" = { tags = [ "hourly" "pol" ]; };
-          # AGGREGATORS (< 1 post/day)
-          "https://palladiummag.com/feed" = { tags = [ "weekly" "uncat" ]; };
-          "https://profectusmag.com/feed" = { tags = [ "weekly" "uncat" ]; };
-
-          "https://semiaccurate.com/feed" = { tags = [ "weekly" "tech" ]; };
-          "https://linuxphoneapps.org/blog/atom.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://spectrum.ieee.org/rss" = { tags = [ "weekly" "tech" ]; };
-
-          ## No Moods, Ads or Cutesy Fucking Icons
-          "https://www.rifters.com/crawl/?feed=rss2" = { tags = [ "weekly" "uncat" ]; };
-
-          # DEVELOPERS
-          "https://mg.lol/blog/rss/" = { tags = [ "infrequent" "tech" ]; };
-          ## Ken Shirriff
-          "https://www.righto.com/feeds/posts/default" = { tags = [ "infrequent" "tech" ]; };
-          ## Vitalik Buterin
-          "https://vitalik.ca/feed.xml" = { tags = [ "infrequent" "tech" ]; };
-          ## ian (Sanctuary)
-          "https://sagacioussuricata.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
-          ## Bunnie Juang
-          "https://www.bunniestudios.com/blog/?feed=rss2" = { tags = [ "infrequent" "tech" ]; };
-          "https://blog.danieljanus.pl/atom.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://ianthehenry.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://bitbashing.io/feed.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://idiomdrottning.org/feed.xml" = { tags = [ "daily" "uncat" ]; };
-
-          # (TECH; POL) COMMENTATORS
-          "http://benjaminrosshoffman.com/feed" = { tags = [ "weekly" "pol" ]; };
-          ## Ben Thompson
-          "https://www.stratechery.com/rss" = { tags = [ "weekly" "pol" ]; };
-          ## Balaji
-          "https://balajis.com/rss" = { tags = [ "weekly" "pol" ]; };
-          "https://www.ben-evans.com/benedictevans/rss.xml" = { tags = [ "weekly" "pol" ]; };
-          "https://www.lynalden.com/feed" = { tags = [ "infrequent" "pol" ]; };
-          "https://austinvernon.site/rss.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://oversharing.substack.com/feed" = { tags = [ "daily" "pol" ]; };
-          ## David Rosenthal
-          "https://blog.dshr.org/rss.xml" = { tags = [ "weekly" "pol" ]; };
-          ## Matt Levine
-          "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" = { tags = [ "weekly" "pol" ]; };
-
-          # RATIONALITY/PHILOSOPHY/ETC
-          "https://samkriss.substack.com/feed" = { tags = [ "infrequent" "uncat" ]; };  # ... satire? phil?
-          "https://unintendedconsequenc.es/feed" = { tags = [ "infrequent" "rat" ]; };
-
-          "https://applieddivinitystudies.com/atom.xml" = { tags = [ "weekly" "rat" ]; };
-          "https://slimemoldtimemold.com/feed.xml" = { tags = [ "weekly" "rat" ]; };
-
-          "https://www.richardcarrier.info/feed" = { tags = [ "weekly" "rat" ]; };
-          "https://www.gwern.net/feed.xml" = { tags = [ "infrequent" "uncat" ]; };
-
-          ## Jason Crawford
-          "https://rootsofprogress.org/feed.xml" = { tags = [ "weekly" "rat" ]; };
-          ## Robin Hanson
-          "https://www.overcomingbias.com/feed" = { tags = [ "daily" "rat" ]; };
-          ## Scott Alexander
-          "https://astralcodexten.substack.com/feed.xml" = { tags = [ "daily" "rat" ]; };
-          ## Paul Christiano
-          "https://sideways-view.com/feed" = { tags = [ "infrequent" "rat" ]; };
-          ## Sean Carroll
-          "https://www.preposterousuniverse.com/rss" = { tags = [ "infrequent" "rat" ]; };
-
-          # COMICS
-          "https://www.smbc-comics.com/comic/rss" = { tags = [ "daily" "visual" ]; };
-          "https://xkcd.com/atom.xml" = { tags = [ "daily" "visual" ]; };
-          "http://dilbert.com/feed" = { tags = ["daily" "visual" ]; };
-
-          # ART
-          "https://miniature-calendar.com/feed" = { tags = [ "daily" "visual" ]; };
-        };
-        dark_reader = false;
-        new_first = true;
-        # windowsize = {
-        #   width = 350;
-        #   height = 650;
-        # };
-        max_article_age_days = 90;
-        enable_js = false;
-        max_refresh_threads = 3;
-        # saved_items = {};
-        # read_items = [];
-        show_read_items = true;
-        full_article_title = true;
-        # views: "webview", "reader", "rsscont"
-        default_view = "rsscont";
-        open_links_externally = true;
-        full_feed_name = false;
-        refresh_on_startup = true;
-        tags = [
-          # hourly => aggregator
-          # daily => prolifiq writer
-          # weekly => i can keep up with most -- but maybe not all -- of their content
-          # infrequent => i can read everything in this category
-          "hourly" "daily" "weekly" "infrequent"
-          # rat[ionality] gets used interchangably with philosophy, here.
-          # pol[itical] gets used for social commentary and economics as well.
-          # visual gets used for comics/art
-          "uncat" "rat" "tech" "pol" "visual"
-        ];
-        open_youtube_externally = false;
-        media_player = "vlc";  # default: mpv
-      };
-
-      programs = {
-        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
-
-        zsh = {
-          enable = true;
-          enableSyntaxHighlighting = true;
-          enableVteIntegration = true;
-          dotDir = ".config/zsh";
-
-          initExtraBeforeCompInit = ''
-            # p10k instant prompt
-            # run p10k configure to configure, but it can't write out its file :-(
-            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
-          '';
-
-          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
-          # see: https://github.com/sorin-ionescu/prezto
-          prezto = {
-            enable = true;
-            pmodules = [
-              "environment"
-              "terminal"
-              "editor"
-              "history"
-              "directory"
-              "spectrum"
-              "utility"
-              "completion"
-              "prompt"
-              "git"
-            ];
-            prompt = {
-              theme = "powerlevel10k";
-            };
-          };
-        };
-        kitty = {
-          enable = true;
-          # docs: https://sw.kovidgoyal.net/kitty/conf/
-          settings = {
-            # disable terminal bell (when e.g. you backspace too many times)
-            enable_audio_bell = false;
-          };
-          keybindings = {
-            "ctrl+n" = "new_os_window_with_cwd";
-          };
-          # docs: https://github.com/kovidgoyal/kitty-themes
-          # theme = "1984 Light";  # dislike: awful, harsh blues/teals
-          # theme = "Adventure Time";  # dislike: harsh (dark)
-          # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
-          # theme = "Belafonte Day";  # dislike: too low contrast for text colors
-          # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
-          # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
-          # theme = "Desert";  # mediocre: colors are harsh
-          # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
-          # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
-          # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
-          # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
-          # theme = "kanagawabones";  # better: dark theme. colors are too background-y
-          # theme = "Kaolin Dark";  # dislike: too dark
-          # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
-          # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
-          # theme = "Material"; # decent: light theme, few colors.
-          # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
-          # theme = "Nord";  # mediocre: pale background, low contrast
-          # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
-          theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
-          # theme = "Parasio Dark";  # dislike: too low contrast
-          # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
-          # theme = "Pnevma";  # dislike: too low contrast
-          # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
-          # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
-          # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
-          # theme = "Sea Shells";  # mediocre. not all color combos are readable
-          # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
-          # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
-          # theme = "Sourcerer";  # mediocre: ugly colors
-          # theme = "Space Gray";  # mediocre: too muted
-          # theme = "Space Gray Eighties";  # better: all readable, decent colors
-          # theme = "Spacemacs";  # mediocre: too muted
-          # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
-          # theme = "Srcery";  # better: highly readable. colors are ehhh
-          # theme = "Substrata";  # decent: nice colors, but a bit flat.
-          # theme = "Sundried";  # mediocre: the solar text makes me squint
-          # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
-          # theme = "Tango Light";  # dislike: teal is too grating
-          # theme = "Tokyo Night Day";  # medicore: too muted
-          # theme = "Tokyo Night";  # better: tasteful. a bit flat
-          # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
-          # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
-          # theme = "Urple";  # dislike: weird palette
-          # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
-          # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
-          # theme = "Xcodedark";  # dislike: bad palette
-          # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
-          # theme = "neobones_light"; # better light theme. the background is maybe too muted
-          # theme = "vimbones";
-          # theme = "zenbones_dark";  # mediocre: readable, but meh colors
-          # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
-          # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
-          # extraConfig = "";
-        };
-        git = {
-          enable = true;
-          userName = "colin";
-          userEmail = "colin@uninsane.org";
-        };
-
-        neovim = {
-          # neovim: https://github.com/neovim/neovim
-          enable = true;
-          viAlias = true;
-          vimAlias = true;
-          plugins = with pkgs.vimPlugins; [
-            # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
-            # docs: vim-surround: https://github.com/tpope/vim-surround
-            vim-surround
-            # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
-            fzf-vim
-            # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
-            ({
-              plugin = tex-conceal-vim;
-              type = "viml";
-              config = ''
-                " present prettier fractions
-                let g:tex_conceal_frac=1
-              '';
-            })
-            ({
-              plugin = vim-SyntaxRange;
-              type = "viml";
-              config = ''
-                " enable markdown-style codeblock highlighting for tex code
-                autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
-                " autocmd Syntax tex set conceallevel=2
-              '';
-            })
-            # nabla renders inline math in any document, but it's buggy.
-            #   https://github.com/jbyuki/nabla.nvim
-            # ({
-            #   plugin = pkgs.nabla;
-            #   type = "lua";
-            #   config = ''
-            #     require'nabla'.enable_virt()
-            #   '';
-            # })
-            # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
-            # docs: https://github.com/nvim-treesitter/nvim-treesitter
-            # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
-            # this is required for tree-sitter to even highlight
-            ({
-              plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
-              type = "lua";
-              config = ''
-                require'nvim-treesitter.configs'.setup {
-                  highlight = {
-                    enable = true,
-                    -- disable treesitter on Rust so that we can use SyntaxRange
-                    -- and leverage TeX rendering in rust projects
-                    disable = { "rust", "tex", "latex" },
-                    -- disable = { "tex", "latex" },
-                    -- true to also use builtin vim syntax highlighting when treesitter fails
-                    additional_vim_regex_highlighting = false
-                  },
-                  incremental_selection = {
-                    enable = true,
-                    keymaps = {
-                      init_selection = "gnn",
-                      node_incremental = "grn",
-                      mcope_incremental = "grc",
-                      node_decremental = "grm"
-                    }
-                  },
-                  indent = {
-                    enable = true,
-                    disable = {}
-                  }
-                }
-
-                vim.o.foldmethod = 'expr'
-                vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
-              '';
-            })
-          ];
-          extraConfig = ''
-            " copy/paste to system clipboard
-            set clipboard=unnamedplus
-
-            " screw tabs; always expand them into spaces
-            set expandtab
-
-            " at least don't open files with sections folded by default
-            set nofoldenable
-
-            " allow text substitutions for certain glyphs.
-            " higher number = more aggressive substitution (0, 1, 2, 3)
-            " i only make use of this for tex, but it's unclear how to
-            " apply that *just* to tex and retain the SyntaxRange stuff.
-            set conceallevel=2
-
-            " horizontal rule under the active line
-            " set cursorline
-
-            " highlight trailing space & related syntax errors (doesn't seem to work??)
-            " let c_space_errors=1
-            " let python_space_errors=1
-
-            " enable highlighting of leading/trailing spaces,
-            " and especially tabs
-            " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
-            set list
-            set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
-          '';
-        };
-
-        # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
-        firefox = lib.mkIf (sysconfig.sane.gui.enable) {
-          enable = true;
-          package = import ./web-browser.nix pkgs;
-        };
-
-        # "command not found" will cause the command to be searched in nixpkgs
-        nix-index.enable = true;
-      } // cfg.programs;
-
-      home.shellAliases = {
-        ":q" = "exit";
-        # common typos
-        "cd.." = "cd ..";
-        "cd../" = "cd ../";
-      };
-    };
-  };
-}
--- a/modules/universal/env/web-browser.nix
+++ b/modules/universal/env/web-browser.nix
@@ -1,55 +0,0 @@
-pkgs:
-
-# common settings to toggle (at runtime, in about:config):
-#   > security.ssl.require_safe_negotiation
-
-# librewolf is a forked firefox which patches firefox to allow more things
-# (like default search engines) to be configurable at runtime.
-# many of the settings below won't have effect without those patches.
-# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
-pkgs.wrapFirefox pkgs.librewolf-unwrapped {
-  # inherit the default librewolf.cfg
-  # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-  inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-  libName = "librewolf";
-  extraPolicies = {
-    NoDefaultBookmarks = true;
-    SearchEngines = {
-      Default = "DuckDuckGo";
-    };
-    AppUpdateURL = "https://localhost";
-    DisableAppUpdate = true;
-    OverrideFirstRunPage = "";
-    OverridePostUpdatePage = "";
-    DisableSystemAddonUpdate = true;
-    DisableFirefoxStudies = true;
-    DisableTelemetry = true;
-    DisableFeedbackCommands = true;
-    DisablePocket = true;
-    DisableSetDesktopBackground = false;
-    Extensions = {
-      Install = [
-        "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
-        "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
-        "https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
-        "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
-        "https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
-      ];
-      # remove many default search providers
-      Uninstall = [
-        "google@search.mozilla.org"
-        "bing@search.mozilla.org"
-        "amazondotcom@search.mozilla.org"
-        "ebay@search.mozilla.org"
-        "twitter@search.mozilla.org"
-      ];
-    };
-    # XXX doesn't seem to have any effect...
-    # docs: https://github.com/mozilla/policy-templates#homepage
-    # Homepage = {
-    #   HomepageURL = "https://uninsane.org/";
-    #   StartPage = "homepage";
-    # };
-    # NewTabPage = true;
-  };
-}
--- a/modules/universal/fs.nix
+++ b/modules/universal/fs.nix
@@ -28,31 +28,37 @@ in
    device = "colin@uninsane.org:/var/lib/uninsane/media";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
+    noCheck = true;
  };
  fileSystems."/mnt/servo-media-lan" = {
    device = "colin@servo:/var/lib/uninsane/media";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
+    noCheck = true;
  };
  fileSystems."/mnt/servo-root-wan" = {
    device = "colin@uninsane.org:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
+    noCheck = true;
  };
  fileSystems."/mnt/servo-root-lan" = {
    device = "colin@servo:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
+    noCheck = true;
  };
  fileSystems."/mnt/desko-home" = {
    device = "colin@desko:/home/colin";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
+    noCheck = true;
  };
  fileSystems."/mnt/desko-root" = {
    device = "colin@desko:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
+    noCheck = true;
  };

  environment.systemPackages = [
--- a/modules/universal/home-manager/aerc.nix
+++ b/modules/universal/home-manager/aerc.nix
@@ -0,0 +1,14 @@
+# Terminal UI mail client
+{ config, ... }:
+{
+  sops.secrets."aerc_accounts" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
+    format = "binary";
+  };
+  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+    # aerc TUI mail client
+    xdg.configFile."aerc/accounts.conf".source =
+      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
+  };
+}
--- a/modules/universal/home-manager/default.nix
+++ b/modules/universal/home-manager/default.nix
@@ -0,0 +1,218 @@
+# docs:
+#   https://rycee.gitlab.io/home-manager/
+#   https://rycee.gitlab.io/home-manager/options.html
+#   man home-configuration.nix
+#
+
+{ lib, config, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.sane.home-manager;
+  # extract package from `extraPackages`
+  pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
+  # extract `dir` from `extraPackages`
+  dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
+  private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
+  feeds = import ./feeds.nix { inherit lib; };
+in
+{
+  imports = [
+    ./aerc.nix
+    ./discord.nix
+    ./firefox.nix
+    ./git.nix
+    ./kitty.nix
+    ./mpv.nix
+    ./nb.nix
+    ./neovim.nix
+    ./ssh.nix
+    ./sublime-music.nix
+    ./vlc.nix
+    ./zsh.nix
+  ];
+
+  options = {
+    # packages to deploy to the user's home
+    sane.home-manager.extraPackages = mkOption {
+      default = [ ];
+      # each entry can be either a package, or attrs:
+      #   { pkg = package; dir = optional string;
+      type = types.listOf (types.either types.package types.attrs);
+    };
+
+    # attributes to copy directly to home-manager's `wayland.windowManager` option
+    sane.home-manager.windowManager = mkOption {
+      default = {};
+      type = types.attrs;
+    };
+
+    # extra attributes to include in home-manager's `programs` option
+    sane.home-manager.programs = mkOption {
+      default = {};
+      type = types.attrs;
+    };
+  };
+
+  config = {
+    sane.impermanence.home-dirs = [
+      "archive"
+      "dev"
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Music"
+      "Pictures"
+      "Videos"
+    ] ++ (dir-list cfg.extraPackages);
+
+    home-manager.useGlobalPkgs = true;
+    home-manager.useUserPackages = true;
+
+    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
+    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
+    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+
+      # run `home-manager-help` to access manpages
+      # or `man home-configuration.nix`
+      manual.html.enable = false;  # TODO: set to true later (build failure)
+      manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
+
+      home.packages = pkg-list cfg.extraPackages;
+      wayland.windowManager = cfg.windowManager;
+
+      home.stateVersion = "21.11";
+      home.username = "colin";
+      home.homeDirectory = "/home/colin";
+
+      home.activation = {
+        initKeyring = {
+          after = ["writeBoundary"];
+          before = [];
+          data = "${../../../scripts/init-keyring}";
+        };
+      };
+
+
+      home.file = let
+        privates = builtins.listToAttrs (
+          builtins.map (path: {
+            name = path;
+            value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
+          })
+          (private-list cfg.extraPackages)
+        );
+      in {
+        # convenience
+        "knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
+        "nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
+        "Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
+        "Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
+        "Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
+
+        # used by password managers, e.g. unix `pass`
+        ".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
+      } // privates;
+
+      # XDG defines things like ~/Desktop, ~/Downloads, etc.
+      # these clutter the home, so i mostly don't use them.
+      xdg.userDirs = {
+        enable = true;
+        createDirectories = false;  # on headless systems, most xdg dirs are noise
+        desktop = "$HOME/.xdg/Desktop";
+        documents = "$HOME/dev";
+        download = "$HOME/tmp";
+        music = "$HOME/Music";
+        pictures = "$HOME/Pictures";
+        publicShare = "$HOME/.xdg/Public";
+        templates = "$HOME/.xdg/Templates";
+        videos = "$HOME/Videos";
+      };
+
+      # the xdg mime type for a file can be found with:
+      # - `xdg-mime query filetype path/to/thing.ext`
+      xdg.mimeApps.enable = true;
+      xdg.mimeApps.defaultApplications = let
+        www = sysconfig.sane.web-browser.desktop;
+        pdf = "org.gnome.Evince.desktop";
+        md = "obsidian.desktop";
+        thumb = "org.gnome.gThumb.desktop";
+        video = "vlc.desktop";
+        # audio = "mpv.desktop";
+        audio = "vlc.desktop";
+      in {
+        # HTML
+        "text/html" = [ www ];
+        "x-scheme-handler/http" = [ www ];
+        "x-scheme-handler/https" = [ www ];
+        "x-scheme-handler/about" = [ www ];
+        "x-scheme-handler/unknown" = [ www ];
+        # RICH-TEXT DOCUMENTS
+        "application/pdf" = [ pdf ];
+        "text/markdown" = [ md ];
+        # IMAGES
+        "image/heif" = [ thumb ];  # apple codec
+        "image/png" = [ thumb ];
+        "image/jpeg" = [ thumb ];
+        # VIDEO
+        "video/mp4" = [ video ];
+        "video/quicktime" = [ video ];
+        "video/x-matroska" = [ video ];
+        # AUDIO
+        "audio/flac" = [ audio ];
+        "audio/mpeg" = [ audio ];
+        "audio/x-vorbis+ogg" = [ audio ];
+      };
+
+
+      xdg.configFile."gpodderFeeds.opml".text = with feeds;
+        feedsToOpml feeds.podcasts;
+
+      # news-flash RSS viewer
+      xdg.configFile."newsflashFeeds.opml".text = with feeds;
+        feedsToOpml (feeds.texts ++ feeds.images);
+
+      # gnome feeds RSS viewer
+      xdg.configFile."org.gabmus.gfeeds.json".text =
+      let
+        myFeeds = feeds.texts ++ feeds.images;
+      in builtins.toJSON {
+        # feed format is a map from URL to a dict,
+        #   with dict["tags"] a list of string tags.
+        feeds = builtins.foldl' (acc: feed: acc // {
+          "${feed.url}".tags = [ feed.cat feed.freq ];
+        }) {} myFeeds;
+        dark_reader = false;
+        new_first = true;
+        # windowsize = {
+        #   width = 350;
+        #   height = 650;
+        # };
+        max_article_age_days = 90;
+        enable_js = false;
+        max_refresh_threads = 3;
+        # saved_items = {};
+        # read_items = [];
+        show_read_items = true;
+        full_article_title = true;
+        # views: "webview", "reader", "rsscont"
+        default_view = "rsscont";
+        open_links_externally = true;
+        full_feed_name = false;
+        refresh_on_startup = true;
+        tags = lib.lists.unique (
+          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
+        );
+        open_youtube_externally = false;
+        media_player = "vlc";  # default: mpv
+      };
+
+      programs = {
+        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
+        # "command not found" will cause the command to be searched in nixpkgs
+        nix-index.enable = true;
+      } // cfg.programs;
+    };
+  };
+}
--- a/modules/universal/home-manager/discord.nix
+++ b/modules/universal/home-manager/discord.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  # TODO: this should only be enabled on gui devices
+  # make Discord usable even when client is "outdated"
+  home-manager.users.colin.xdg.configFile."discord/settings.json".text = ''
+    {
+      "SKIP_HOST_UPDATE": true
+    }
+  '';
+}
--- a/modules/universal/home-manager/feeds.nix
+++ b/modules/universal/home-manager/feeds.nix
@@ -0,0 +1,182 @@
+{ lib }:
+
+let
+  hourly = { freq = "hourly"; };
+  daily = { freq = "daily"; };
+  weekly = { freq = "weekly"; };
+  infrequent = { freq = "infrequent"; };
+
+  art = { cat = "art"; };
+  humor = { cat = "humor"; };
+  pol = { cat = "pol"; };  # or maybe just "social"
+  rat = { cat = "rat"; };
+  tech = { cat = "tech"; };
+  uncat = { cat = "uncat"; };
+
+  text = { format = "text"; };
+  image = { format = "image"; };
+  podcast = { format = "podcast"; };
+
+  mkRss = format: url: { inherit url format; } // uncat // infrequent;
+  # format-specific helpers
+  mkText = mkRss text;
+  mkImg = mkRss image;
+  mkPod = mkRss podcast;
+
+  # host-specific helpers
+  mkSubstack = subdomain: mkText "https://${subdomain}.substack.com/feed";
+
+  # merge the attrs `new` into each value of the attrs `addTo`
+  addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
+  # for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
+  withInverseMapping = key: attrs: builtins.mapAttrs (k: v: v // { "${key}" = k; }) attrs;
+in rec {
+  podcasts = [
+    (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
+    ## Astral Codex Ten
+    (mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
+    ## Econ Talk
+    (mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
+    ## Cory Doctorow
+    (mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
+    (mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
+    ## Civboot
+    (mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
+    (mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
+    (mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
+    (mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
+    (mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
+    ## The Daily
+    (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
+    (mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
+    (mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
+    ## Eric Weinstein
+    (mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
+    (mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
+    (mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
+    (mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
+    ## 99% Invisible
+    (mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
+    (mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
+    (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
+    ## 60 minutes (NB: this features more than *just* audio?)
+    (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
+  ];
+
+  texts = [
+    # AGGREGATORS (> 1 post/day)
+    (mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
+    (mkText "http://www.econlib.org/index.xml" // pol // hourly)
+
+    # AGGREGATORS (< 1 post/day)
+    (mkText "https://palladiummag.com/feed" // uncat // weekly)
+    (mkText "https://profectusmag.com/feed" // uncat // weekly)
+    (mkText "https://semiaccurate.com/feed" // tech // weekly)
+    (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
+    (mkText "https://spectrum.ieee.org/rss" // tech // weekly)
+
+    ## No Moods, Ads or Cutesy Fucking Icons
+    (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
+
+    # DEVELOPERS
+    (mkText "https://uninsane.org/atom.xml" // infrequent // tech)
+    (mkText "https://mg.lol/blog/rss/" // infrequent // tech)
+    ## Ken Shirriff
+    (mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
+    ## Vitalik Buterin
+    (mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
+    ## ian (Sanctuary)
+    (mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
+    ## Bunnie Juang
+    (mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
+    (mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
+    (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
+    (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
+    (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
+    (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
+
+    # (TECH; POL) COMMENTATORS
+    (mkSubstack "edwardsnowden" // pol // infrequent)
+    (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
+    ## Ben Thompson
+    (mkText "https://www.stratechery.com/rss" // pol // weekly)
+    ## Balaji
+    (mkText "https://balajis.com/rss" // pol // weekly)
+    (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
+    (mkText "https://www.lynalden.com/feed" // pol // infrequent)
+    (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
+    (mkSubstack "oversharing" // pol // daily)
+    (mkSubstack "doomberg" // tech // weekly)
+    ## David Rosenthal
+    (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
+    ## Matt Levine
+    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
+
+    # RATIONALITY/PHILOSOPHY/ETC
+    (mkSubstack "samkriss" // humor // infrequent)
+    (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
+    (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
+    (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
+    (mkText "https://www.richardcarrier.info/feed" // rat // weekly)
+    (mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
+    ## Jason Crawford
+    (mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
+    ## Robin Hanson
+    (mkText "https://www.overcomingbias.com/feed" // rat // daily)
+    ## Scott Alexander
+    (mkSubstack "astralcodexten" // rat // daily)
+    ## Paul Christiano
+    (mkText "https://sideways-view.com/feed" // rat // infrequent)
+    ## Sean Carroll
+    (mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
+
+    # CODE
+    (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
+  ];
+
+  images = [
+    (mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
+    (mkImg "https://xkcd.com/atom.xml" // humor // daily)
+    (mkImg "http://dilbert.com/feed" // humor // daily)
+
+    # ART
+    (mkImg "https://miniature-calendar.com/feed" // art // daily)
+  ];
+
+  all = texts ++ images ++ podcasts;
+
+  # return only the feed items which match this category (e.g. "tech")
+  filterCat = cat: feeds: builtins.filter (item: item.cat == cat) feeds;
+  # return only the feed items which match this format (e.g. "podcast")
+  filterFormat = format: feeds: builtins.filter (item: item.format == format) feeds;
+
+  # transform a list of feeds into an attrs mapping cat => [ feed0 feed1 ... ]
+  partitionByCat = feeds: builtins.groupBy (f: f.cat) feeds;
+
+  # represents a single RSS feed.
+  opmlTerminal = feed: ''<outline xmlUrl="${feed.url}" type="rss"/>'';
+  # a list of RSS feeds.
+  opmlTerminals = feeds: lib.strings.concatStringsSep "\n" (builtins.map opmlTerminal feeds);
+  # one node which packages some flat grouping of terminals.
+  opmlGroup = title: feeds: ''
+    <outline text="${title}" title="${title}">
+      ${opmlTerminals feeds}
+    </outline>
+  '';
+  # a list of groups (`groupMap` is an attrs mapping groupName => [ feed0 feed1 ... ]).
+  opmlGroups = groupMap: lib.strings.concatStringsSep "\n" (
+    builtins.attrValues (builtins.mapAttrs opmlGroup groupMap)
+  );
+  # top-level OPML file which could be consumed by something else.
+  opmlTopLevel = body: ''
+    <?xml version="1.0" encoding="utf-8"?>
+    <opml version="2.0">
+      <body>
+        ${body}
+      </body>
+    </opml>
+  '';
+
+  # **primary API**: generate a OPML file from the provided feeds
+  feedsToOpml = feeds: opmlTopLevel (opmlGroups (partitionByCat feeds));
+}
--- a/modules/universal/home-manager/firefox.nix
+++ b/modules/universal/home-manager/firefox.nix
@@ -0,0 +1,139 @@
+# common settings to toggle (at runtime, in about:config):
+#   > security.ssl.require_safe_negotiation
+
+# librewolf is a forked firefox which patches firefox to allow more things
+# (like default search engines) to be configurable at runtime.
+# many of the settings below won't have effect without those patches.
+# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
+
+{ config, lib, pkgs, ...}:
+with lib;
+let
+  cfg = config.sane.web-browser;
+  # allow easy switching between firefox and librewolf with `defaultSettings`, below
+  librewolfSettings = {
+    browser = pkgs.librewolf-unwrapped;
+    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
+    #   # this allows side-loading unsigned addons
+    #   MOZ_REQUIRE_SIGNING = false;
+    # });
+    libName = "librewolf";
+    dotDir = ".librewolf";
+    desktop = "librewolf.desktop";
+  };
+  firefoxSettings = {
+    browser = pkgs.firefox-esr-unwrapped;
+    libName = "firefox";
+    dotDir = ".mozilla/firefox";
+    desktop = "firefox.desktop";
+  };
+  defaultSettings = firefoxSettings;
+  # defaultSettings = librewolfSettings;
+
+  package = pkgs.wrapFirefox cfg.browser {
+    # inherit the default librewolf.cfg
+    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
+    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
+    inherit (cfg) libName;
+
+    extraNativeMessagingHosts = [ pkgs.browserpass ];
+    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
+
+    nixExtensions = let
+      addon = name: extid: hash: pkgs.fetchFirefoxAddon {
+        inherit name hash;
+        url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
+        fixedExtid = extid;
+      };
+      localAddon = pkg: pkgs.fetchFirefoxAddon {
+        inherit (pkg) name;
+        src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
+        fixedExtid = pkg.extid;
+      };
+    in [
+      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-C+VQyaJ8BA0ErXGVTdnppJZ6J9SP+izf6RFxdS4VJoU=")
+      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-au5GGn22n4i6VrdOKqNMOrWdMoVCcpLdjO2wwRvyx7E=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-m14onUlnpLDPHezA/soKygcc76tF1fLG52tM/LkbAXQ=")
+      (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
+      (addon "ether-metamask" "webextension@metamask.io" "sha256-dnpwKpNF0KgHMAlz5btkkZySjMsnrXECS35ClkD2XHc=")
+      # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
+      (localAddon pkgs.browserpass-extension)
+    ];
+
+    extraPolicies = {
+      NoDefaultBookmarks = true;
+      SearchEngines = {
+        Default = "DuckDuckGo";
+      };
+      AppUpdateURL = "https://localhost";
+      DisableAppUpdate = true;
+      OverrideFirstRunPage = "";
+      OverridePostUpdatePage = "";
+      DisableSystemAddonUpdate = true;
+      DisableFirefoxStudies = true;
+      DisableTelemetry = true;
+      DisableFeedbackCommands = true;
+      DisablePocket = true;
+      DisableSetDesktopBackground = false;
+
+      # remove many default search providers
+      # XXX this seems to prevent the `nixExtensions` from taking effect
+      # Extensions.Uninstall = [
+      #   "google@search.mozilla.org"
+      #   "bing@search.mozilla.org"
+      #   "amazondotcom@search.mozilla.org"
+      #   "ebay@search.mozilla.org"
+      #   "twitter@search.mozilla.org"
+      # ];
+      # XXX doesn't seem to have any effect...
+      # docs: https://github.com/mozilla/policy-templates#homepage
+      # Homepage = {
+      #   HomepageURL = "https://uninsane.org/";
+      #   StartPage = "homepage";
+      # };
+      # NewTabPage = true;
+    };
+  };
+in
+{
+  options = {
+    sane.web-browser = mkOption {
+      default = defaultSettings;
+      type = types.attrs;
+    };
+  };
+  config = {
+    # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
+    home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
+      programs.firefox = {
+        enable = true;
+        inherit package;
+      };
+
+      # uBlock filter list configuration.
+      # specifically, enable the GDPR cookie prompt blocker.
+      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
+      # this configuration method is documented here:
+      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
+      # the specific attribute path is found via scraping ublock code here:
+      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
+      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
+      home.file."${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json".text = ''
+        {
+         "name": "uBlock0@raymondhill.net",
+         "description": "ignored",
+         "type": "storage",
+         "data": {
+            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
+         }
+        }
+      '';
+      home.file."${cfg.dotDir}/${cfg.libName}.overrides.cfg".text = ''
+        // if we can't query the revocation status of a SSL cert because the issuer is offline,
+        // treat it as unrevoked.
+        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+        defaultPref("security.OCSP.require", false);
+      '';
+    };
+  };
+}
--- a/modules/universal/home-manager/git.nix
+++ b/modules/universal/home-manager/git.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  home-manager.users.colin.programs.git = {
+    enable = true;
+    userName = "colin";
+    userEmail = "colin@uninsane.org";
+
+    aliases = { co = "checkout"; };
+    extraConfig = {
+      # difftastic docs:
+      # - <https://difftastic.wilfred.me.uk/git.html>
+      diff.tool = "difftastic";
+      difftool.prompt = false;
+      "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
+      # now run `git difftool` to use difftastic git
+    };
+  };
+}
--- a/modules/universal/home-manager/kitty.nix
+++ b/modules/universal/home-manager/kitty.nix
@@ -0,0 +1,69 @@
+{ ... }:
+{
+  home-manager.users.colin.programs.kitty = {
+    enable = true;
+    # docs: https://sw.kovidgoyal.net/kitty/conf/
+    settings = {
+      # disable terminal bell (when e.g. you backspace too many times)
+      enable_audio_bell = false;
+    };
+    keybindings = {
+      "ctrl+n" = "new_os_window_with_cwd";
+    };
+    # docs: https://github.com/kovidgoyal/kitty-themes
+    # theme = "1984 Light";  # dislike: awful, harsh blues/teals
+    # theme = "Adventure Time";  # dislike: harsh (dark)
+    # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
+    # theme = "Belafonte Day";  # dislike: too low contrast for text colors
+    # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
+    # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
+    # theme = "Desert";  # mediocre: colors are harsh
+    # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
+    # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
+    # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
+    # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
+    # theme = "kanagawabones";  # better: dark theme. colors are too background-y
+    # theme = "Kaolin Dark";  # dislike: too dark
+    # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
+    # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
+    # theme = "Material"; # decent: light theme, few colors.
+    # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
+    # theme = "Nord";  # mediocre: pale background, low contrast
+    # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
+    theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
+    # theme = "Parasio Dark";  # dislike: too low contrast
+    # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
+    # theme = "Pnevma";  # dislike: too low contrast
+    # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
+    # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
+    # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
+    # theme = "Sea Shells";  # mediocre. not all color combos are readable
+    # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
+    # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
+    # theme = "Sourcerer";  # mediocre: ugly colors
+    # theme = "Space Gray";  # mediocre: too muted
+    # theme = "Space Gray Eighties";  # better: all readable, decent colors
+    # theme = "Spacemacs";  # mediocre: too muted
+    # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
+    # theme = "Srcery";  # better: highly readable. colors are ehhh
+    # theme = "Substrata";  # decent: nice colors, but a bit flat.
+    # theme = "Sundried";  # mediocre: the solar text makes me squint
+    # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
+    # theme = "Tango Light";  # dislike: teal is too grating
+    # theme = "Tokyo Night Day";  # medicore: too muted
+    # theme = "Tokyo Night";  # better: tasteful. a bit flat
+    # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
+    # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
+    # theme = "Urple";  # dislike: weird palette
+    # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
+    # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
+    # theme = "Xcodedark";  # dislike: bad palette
+    # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
+    # theme = "neobones_light"; # better light theme. the background is maybe too muted
+    # theme = "vimbones";
+    # theme = "zenbones_dark";  # mediocre: readable, but meh colors
+    # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
+    # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
+    # extraConfig = "";
+  };
+}
--- a/modules/universal/home-manager/mpv.nix
+++ b/modules/universal/home-manager/mpv.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+  home-manager.users.colin.programs.mpv = {
+    enable = true;
+    config = {
+      save-position-on-quit = true;
+      keep-open = "yes";
+    };
+  };
+}
+
--- a/modules/universal/home-manager/nb.nix
+++ b/modules/universal/home-manager/nb.nix
@@ -0,0 +1,24 @@
+# nb is a CLI-drive Personal Knowledge Manager
+# - <https://xwmx.github.io/nb/>
+#
+# it's pretty opinionated:
+# - autocommits (to git) excessively (disable-able)
+# - inserts its own index files to give deterministic names to files
+#
+# it offers a primitive web-server
+# and it offers some CLI query tools
+
+{ lib, pkgs, ... }: lib.mkIf false  # XXX disabled!
+{
+  sane.home-manager.extraPackages = [ pkgs.nb ];
+
+  home-manager.users.colin = { config, ... }: {
+    # nb markdown/personal knowledge manager
+    home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
+    home.file.".nb/.current".text = "knowledge";
+    home.file.".nbrc".text = ''
+      # manage with `nb settings`
+      export NB_AUTO_SYNC=0
+    '';
+  };
+}
--- a/modules/universal/home-manager/neovim.nix
+++ b/modules/universal/home-manager/neovim.nix
@@ -0,0 +1,115 @@
+{ pkgs, ... }:
+{
+  sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
+
+  home-manager.users.colin.programs.neovim = {
+    # neovim: https://github.com/neovim/neovim
+    enable = true;
+    viAlias = true;
+    vimAlias = true;
+    plugins = with pkgs.vimPlugins; [
+      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
+      # docs: vim-surround: https://github.com/tpope/vim-surround
+      vim-surround
+      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
+      fzf-vim
+      # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
+      ({
+        plugin = tex-conceal-vim;
+        type = "viml";
+        config = ''
+          " present prettier fractions
+          let g:tex_conceal_frac=1
+        '';
+      })
+      ({
+        plugin = vim-SyntaxRange;
+        type = "viml";
+        config = ''
+          " enable markdown-style codeblock highlighting for tex code
+          autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
+          " autocmd Syntax tex set conceallevel=2
+        '';
+      })
+      # nabla renders inline math in any document, but it's buggy.
+      #   https://github.com/jbyuki/nabla.nvim
+      # ({
+      #   plugin = pkgs.nabla;
+      #   type = "lua";
+      #   config = ''
+      #     require'nabla'.enable_virt()
+      #   '';
+      # })
+      # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
+      # docs: https://github.com/nvim-treesitter/nvim-treesitter
+      # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
+      # this is required for tree-sitter to even highlight
+      ({
+        plugin = nvim-treesitter.withAllGrammars;
+        type = "lua";
+        config = ''
+          require'nvim-treesitter.configs'.setup {
+            highlight = {
+              enable = true,
+              -- disable treesitter on Rust so that we can use SyntaxRange
+              -- and leverage TeX rendering in rust projects
+              disable = { "rust", "tex", "latex" },
+              -- disable = { "tex", "latex" },
+              -- true to also use builtin vim syntax highlighting when treesitter fails
+              additional_vim_regex_highlighting = false
+            },
+            incremental_selection = {
+              enable = true,
+              keymaps = {
+                init_selection = "gnn",
+                node_incremental = "grn",
+                mcope_incremental = "grc",
+                node_decremental = "grm"
+              }
+            },
+            indent = {
+              enable = true,
+              disable = {}
+            }
+          }
+
+          vim.o.foldmethod = 'expr'
+          vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
+        '';
+      })
+    ];
+    extraConfig = ''
+      " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
+      " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
+      set mouse=
+
+      " copy/paste to system clipboard
+      set clipboard=unnamedplus
+
+      " screw tabs; always expand them into spaces
+      set expandtab
+
+      " at least don't open files with sections folded by default
+      set nofoldenable
+
+      " allow text substitutions for certain glyphs.
+      " higher number = more aggressive substitution (0, 1, 2, 3)
+      " i only make use of this for tex, but it's unclear how to
+      " apply that *just* to tex and retain the SyntaxRange stuff.
+      set conceallevel=2
+
+      " horizontal rule under the active line
+      " set cursorline
+
+      " highlight trailing space & related syntax errors (doesn't seem to work??)
+      " let c_space_errors=1
+      " let python_space_errors=1
+
+      " enable highlighting of leading/trailing spaces,
+      " and especially tabs
+      " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
+      set list
+      set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
+    '';
+  };
+}
--- a/modules/universal/home-manager/ssh.nix
+++ b/modules/universal/home-manager/ssh.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+{
+  home-manager.users.colin = let
+    host = config.networking.hostName;
+    user_pubkey = (import ../pubkeys.nix).users."${host}";
+    known_hosts_text = builtins.concatStringsSep
+      "\n"
+      (builtins.attrValues (import ../pubkeys.nix).hosts);
+  in { config, ...}: {
+    # ssh key is stored in private storage
+    home.file.".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/.ssh/id_ed25519";
+    home.file.".ssh/id_ed25519.pub".text = user_pubkey;
+
+    programs.ssh.enable = true;
+    # this optionally accepts multiple known_hosts paths, separated by space.
+    programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
+  };
+}
--- a/modules/universal/home-manager/sublime-music.nix
+++ b/modules/universal/home-manager/sublime-music.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  # TODO: this should only be shipped on gui platforms
+  sops.secrets."sublime_music_config" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
+    format = "binary";
+  };
+  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+    # sublime music player
+    xdg.configFile."sublime-music/config.json".source =
+      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
+  };
+}
--- a/modules/universal/home-manager/vlc.nix
+++ b/modules/universal/home-manager/vlc.nix
@@ -0,0 +1,17 @@
+{ lib, ... }:
+{
+  home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
+  let
+    feeds = import ./feeds.nix { inherit lib; };
+    podcastUrls = lib.strings.concatStringsSep "|" (
+      builtins.map (feed: feed.url) feeds.podcasts
+    );
+  in ''
+    [podcast]
+    podcast-urls=${podcastUrls}
+    [core]
+    metadata-network-access=0
+    [qt]
+    qt-privacy-ask=0
+  '';
+}
--- a/modules/universal/home-manager/zsh.nix
+++ b/modules/universal/home-manager/zsh.nix
@@ -0,0 +1,61 @@
+{ ... }:
+{
+  # we don't need to full zsh dir -- just the history file --
+  # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
+  sane.impermanence.home-dirs = [ ".local/share/zsh" ];
+
+  home-manager.users.colin.programs.zsh = {
+    enable = true;
+    enableSyntaxHighlighting = true;
+    enableVteIntegration = true;
+    history.ignorePatterns = [ "rm *" ];
+    dotDir = ".config/zsh";
+    history.path = "/home/colin/.local/share/zsh/history";
+
+    initExtraBeforeCompInit = ''
+      # p10k instant prompt
+      # run p10k configure to configure, but it can't write out its file :-(
+      POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
+    '';
+    initExtra = ''
+      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
+      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
+      autoload -Uz zmv
+
+      # disable `rm *` confirmations
+      setopt rmstarsilent
+
+      function nd() {
+        mkdir -p "$1";
+        pushd "$1";
+      }
+    '';
+
+    # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+    # see: https://github.com/sorin-ionescu/prezto
+    prezto = {
+      enable = true;
+      pmodules = [
+        "environment"
+        "terminal"
+        "editor"
+        "history"
+        "directory"
+        "spectrum"
+        "utility"
+        "completion"
+        "prompt"
+        "git"
+      ];
+      prompt.theme = "powerlevel10k";
+      utility.safeOps = false;  # disable `mv` confirmation (and supposedly `rm`, too)
+    };
+  };
+
+  home-manager.users.colin.home.shellAliases = {
+    ":q" = "exit";
+    # common typos
+    "cd.." = "cd ..";
+    "cd../" = "cd ../";
+  };
+}
--- a/modules/universal/env/home-packages.nix
+++ b/modules/universal/env/home-packages.nix
@@ -6,15 +6,19 @@ let
  cfg = config.sane.home-packages;
  universalPkgs = [
    backblaze-b2
+    cdrtools
    duplicity
    gnupg
+    gocryptfs
+    gopass
+    gopass-jsonapi
    ifuse
    ipfs
    libimobiledevice
+    libsecret  # for managing user keyrings
    lm_sensors  # for sensors-detect
    lshw
    ffmpeg
-    nb
    networkmanager
    nixpkgs-review
    # nixos-generators
@@ -24,14 +28,16 @@ let
    # ponymix
    pulsemixer
    python3
-    rmlint
+    # python3Packages.eyeD3  # music tagging
    sane-scripts
    sequoia
    snapper
    sops
    speedtest-cli
+    sqlite  # to debug sqlite3 databases
    ssh-to-age
    sudo
+    # tageditor  # music tagging
    unar
    visidata
    w3m
@@ -44,18 +50,27 @@ let
    # GUI only
    aerc  # email client
    audacity
+    celluloid  # mpv frontend
    chromium
    clinfo
    electrum

    # creds/session keys, etc
-    { pkg = element-desktop; dir = ".config/Element"; }
+    { pkg = element-desktop; private = ".config/Element"; }

    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    evince  # works on phosh
-    { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
+
+    # { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
+
    foliate
    font-manager
+
+    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+    # then reboot (so that libsecret daemon re-loads the keyring...?)
+    { pkg = fractal-next; private = ".local/share/fractal"; }
+
    gimp  # broken on phosh
    gnome.cheese
    gnome.dconf-editor
@@ -64,22 +79,35 @@ let
    gnome.gnome-disk-utility
    gnome.gnome-maps  # works on phosh
    gnome.nautilus
-    gnome-podcasts
+    # gnome-podcasts
    gnome.gnome-system-monitor
    gnome.gnome-terminal  # works on phosh
-    gpodder-configured
+    gnome.gnome-weather
+
+    { pkg = gpodder-configured; dir = "gPodder/Downloads"; }
+
    gthumb
+    handbrake
    inkscape
+
+    kid3  # audio tagging
    krita
    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
    lollypop
    mesa-demos
+
+    { pkg = mpv; dir = ".config/mpv/watch_later"; }
+
    networkmanagerapplet

+    # not strictly necessary, but allows caching articles; offline use, etc.
+    { pkg = newsflash; dir = ".local/share/news-flash"; }
+
    # settings (electron app). TODO: can i manage these settings with home-manager?
    { pkg = obsidian; dir = ".config/obsidian"; }

    pavucontrol
+    picard  # music tagging
    playerctl
    soundconverter
    # sublime music persists any downloaded albums here.
@@ -88,7 +116,10 @@ let
    #   possible to pass config as a CLI arg (sublime-music -c config.json)
    { pkg = sublime-music; dir = ".local/share/sublime-music"; }
    tdesktop  # broken on phosh
-    vlc  # works on phosh
+
+    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
+    { pkg = vlc; dir = ".config/vlc"; }
+
    whalebird # pleroma client. input is broken on phosh
    xdg-utils  # for xdg-open
    xterm  # broken on phosh
@@ -128,16 +159,20 @@ let
  ] else []);

  # useful devtools:
-  # bison
-  # dtc
-  # flex
-  # gcc
-  # gcc-arm-embedded
-  # gcc_multi
-  # gnumake
-  # mix2nix
-  # rustup
-  # swig
+  devPkgs = [
+    bison
+    dtc
+    flex
+    gcc
+    gdb
+    # gcc-arm-embedded
+    # gcc_multi
+    gnumake
+    mercurial
+    mix2nix
+    rustup
+    swig
+  ];
 in
 {
  options = {
@@ -145,9 +180,18 @@ in
      default = false;
      type = types.bool;
    };
+    sane.home-packages.enableDevPkgs = mkOption {
+      description = ''
+        enable packages that are useful for building other software by hand.
+        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
+      '';
+      default = false;
+      type = types.bool;
+    };
  };
  config = {
    sane.home-manager.extraPackages = universalPkgs
-      ++ (if cfg.enableGuiPkgs then guiPkgs else []);
+      ++ (if cfg.enableGuiPkgs then guiPkgs else [])
+      ++ (if cfg.enableDevPkgs then devPkgs else []);
  };
 }
--- a/modules/universal/machine-id.nix
+++ b/modules/universal/machine-id.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+  # we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
+  # logs from previous boots.
+  # maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
+  # but for now generate it from ssh keys.
+  system.activationScripts.machine-id = {
+    deps = [ "persist-ssh-host-keys" ];
+    text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
+  };
+}
--- a/modules/universal/net.nix
+++ b/modules/universal/net.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:

 {
  # if using router's DNS, these mappings will already exist.
@@ -11,37 +11,69 @@
    "192.168.0.48" = [ "moby" ];
  };

-  sops.secrets."nm-community-university" = {
-    sopsFile = ../../secrets/universal/net/community-university.nmconnection.bin;
-    format = "binary";
-  };
-  sops.secrets."nm-friend-libertarian-dod" = {
-    sopsFile = ../../secrets/universal/net/friend-libertarian-dod.nmconnection.bin;
-    format = "binary";
-  };
-  sops.secrets."nm-friend-rationalist-empathist" = {
-    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.nmconnection.bin;
-    format = "binary";
-  };
-  sops.secrets."nm-home-bedroom" = {
-    sopsFile = ../../secrets/universal/net/home-bedroom.nmconnection.bin;
-    format = "binary";
-  };
-  sops.secrets."nm-home-shared-24G" = {
-    sopsFile = ../../secrets/universal/net/home-shared-24G.nmconnection.bin;
-    format = "binary";
-  };
-  sops.secrets."nm-home-shared" = {
-    sopsFile = ../../secrets/universal/net/home-shared.nmconnection.bin;
-    format = "binary";
+  # the default backend is "wpa_supplicant".
+  # wpa_supplicant reliably picks weak APs to connect to.
+  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
+  # iwd is an alternative that shouldn't have this problem
+  # docs:
+  # - <https://nixos.wiki/wiki/Iwd>
+  # - <https://iwd.wiki.kernel.org/networkmanager>
+  # - `man iwd.config`  for global config
+  # - `man iwd.network` for per-SSID config
+  # use `iwctl` to control
+  networking.networkmanager.wifi.backend = "iwd";
+  networking.wireless.iwd.enable = true;
+  networking.wireless.iwd.settings = {
+    # auto-connect to a stronger network if signal drops below this value
+    # bedroom -> bedroom connection is -35 to -40 dBm
+    # bedroom -> living room connection is -60 dBm
+    General.RoamThreshold = "-52";  # default -70
+    General.RoamThreshold5G = "-52";  # default -76
  };

-  environment.etc = {
-    "NetworkManager/system-connections/nm-community-university".source = config.sops.secrets.nm-community-university.path;
-    "NetworkManager/system-connections/nm-friend-libertarian-dod".source = config.sops.secrets.nm-friend-libertarian-dod.path;
-    "NetworkManager/system-connections/nm-friend-rationalist-empathist".source = config.sops.secrets.nm-friend-rationalist-empathist.path;
-    "NetworkManager/system-connections/nm-home-bedroom".source = config.sops.secrets.nm-home-bedroom.path;
-    "NetworkManager/system-connections/nm-home-shared-24G".source = config.sops.secrets.nm-home-shared-24G.path;
-    "NetworkManager/system-connections/nm-home-shared".source = config.sops.secrets.nm-home-shared.path;
+  # TODO: don't need to depend on binsh if we were to use a nix-style shebang
+  system.activationScripts.linkIwdKeys = let
+    unwrapped = ../../scripts/install-iwd;
+    install-iwd = pkgs.writeShellApplication {
+      name = "install-iwd";
+      runtimeInputs = with pkgs; [ coreutils gnused ];
+      text = ''${unwrapped} "$@"'';
+    };
+  in (lib.stringAfter
+    [ "setupSecrets" "binsh" ]
+    ''
+    mkdir -p /var/lib/iwd
+    ${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
+    ''
+  );
+
+  # TODO: use a glob, or a list, or something?
+  sops.secrets."iwd/community-university.psk" = {
+    sopsFile = ../../secrets/universal/net/community-university.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/friend-libertarian-dod.psk" = {
+    sopsFile = ../../secrets/universal/net/friend-libertarian-dod.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/friend-rationalist-empathist.psk" = {
+    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/home-bedroom.psk" = {
+    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/home-shared-24G.psk" = {
+    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/home-shared.psk" = {
+    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/iphone" = {
+    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
+    format = "binary";
  };
 }
--- a/modules/universal/pubkeys.nix
+++ b/modules/universal/pubkeys.nix
@@ -0,0 +1,34 @@
+# create ssh key by running:
+# - `ssh-keygen -t ed25519`
+let
+  withHost = host: key: "${host} ${key}";
+  withUser = user: key: "${key} ${user}";
+
+  keys = rec {
+    lappy = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+    };
+    desko = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+    };
+    servo = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+    };
+    moby = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+    };
+
+    "uninsane.org" = servo;
+    "git.uninsane.org" = servo;
+  };
+in {
+  # map hostname -> something suitable for known_keys
+  hosts = builtins.mapAttrs (machine: keys: withHost machine keys.host) keys;
+  # map hostname -> something suitable for authorized_keys to allow access to colin@<hostname>
+  users = builtins.mapAttrs (machine: keys: withUser "colin@${machine}" keys.users.colin) keys;
+}
+
--- a/modules/universal/secrets.nix
+++ b/modules/universal/secrets.nix
@@ -35,9 +35,9 @@
  sops.defaultSopsFile = ./../../secrets/universal.yaml;
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = [
-    "/etc/ssh/ssh_host_ed25519_key"
-    # "/home/colin/.ssh/id_ed25519_dec"
+    "/etc/ssh/host_keys/ssh_host_ed25519_key"
  ];
+  sops.gnupg.sshKeyPaths = [];  # disable RSA key import
  # This is using an age key that is expected to already be in the filesystem
  # sops.age.keyFile = "/home/colin/.ssh/age.pub";
  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
--- a/modules/universal/ssh.nix
+++ b/modules/universal/ssh.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+  # we place the host keys (which we want to be persisted) into their own directory so that we can
+  # bind mount that whole directory instead of doing it per-file.
+  # otherwise, this is identical to nixos defaults
+  sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
+
+  # we can't naively `mount /etc/ssh/host_keys` directly,
+  # as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
+  # we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
+  # since that also depends on `users`.
+  system.activationScripts.persist-ssh-host-keys.text = ''
+    mkdir -p /etc/ssh/host_keys
+    mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
+  '';
+
+  services.openssh.hostKeys = [
+    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
+    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
+  ];
+}
--- a/modules/universal/env/system-packages.nix
+++ b/modules/universal/env/system-packages.nix
--- a/modules/universal/users.nix
+++ b/modules/universal/users.nix
@@ -43,20 +43,36 @@ in
        "feedbackd"
        "dialout" # required for modem access
      ];
+
+      # initial password is empty, in case anything goes wrong.
+      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
      initialPassword = lib.mkDefault "";
+      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
+
      shell = pkgs.zsh;
-      # shell = pkgs.bashInteractive;
-      # XXX colin: create ssh key for THIS user by logging in and running:
-      #   ssh-keygen -t ed25519
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
-        # moby doesn't need to login to any other devices yet
-        # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
-      ];
+      openssh.authorizedKeys.keys = builtins.attrValues (import ./pubkeys.nix).users;
+
+      pamMount = {
+        # mount encrypted stuff at login
+        # requires that login password == fs encryption password
+        # fstype = "fuse";
+        # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
+        fstype = "fuse.gocryptfs";
+        path = "/nix/persist/home/colin/private";
+        mountpoint = "/home/colin/private";
+        options="nodev,nosuid,quiet,allow_other";
+      };
    };

+    sane.impermanence.home-dirs = [
+      # cache is probably too big to fit on the tmpfs
+      # TODO: we could bind-mount it to something which gets cleared per boot, though.
+      ".cache"
+      ".cargo"
+      ".rustup"
+      ".local/share/keyrings"
+    ];
+
    sane.impermanence.service-dirs = mkIf cfg.guest.enable [
      { user = "guest"; group = "users"; directory = "/home/guest"; }
    ];
@@ -100,6 +116,8 @@ in
    users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
    users.users.nscd.uid = config.sane.allocations.nscd-uid;
    users.groups.nscd.gid = config.sane.allocations.nscd-gid;
+    users.users.systemd-oom.uid = config.sane.allocations.systemd-oom-uid;
+    users.groups.systemd-oom.gid = config.sane.allocations.systemd-oom-gid;

    # guarantee determinism in uid/gid generation for users:
    assertions = let
--- a/nixpatches/04-dart-2.7.0.patch
+++ b/nixpatches/04-dart-2.7.0.patch
@@ -1,302 +0,0 @@
-diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
-index 9eba6773448..f51aeb8b624 100644
--- a/pkgs/development/compilers/flutter/default.nix
-+++ b/pkgs/development/compilers/flutter/default.nix
-@@ -4,20 +4,20 @@ let
-   getPatches = dir:
-     let files = builtins.attrNames (builtins.readDir dir);
-     in map (f: dir + ("/" + f)) files;
-  version = "2.10.1";
-+  version = "3.0.0";
-   channel = "stable";
-   filename = "flutter_linux_${version}-${channel}.tar.xz";
- 
-   # Decouples flutter derivation from dart derivation,
-   # use specific dart version to not need to bump dart derivation when bumping flutter.
-  dartVersion = "2.16.1";
-+  dartVersion = "2.17.0";
-   dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
-   dartForFlutter = dart.override {
-     version = dartVersion;
-     sources = {
-       "${dartVersion}-x86_64-linux" = fetchurl {
-         url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
-        sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
-+        sha256 = "57b8fd964e47c81d467aeb95b099a670ab7e8f54a1cd74d45bcd1fdc77913d86";
-       };
-     };
-   };
-@@ -29,7 +29,7 @@ in {
-     pname = "flutter";
-     src = fetchurl {
-       url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
-      sha256 = "sha256-rSfwcglDV2rvJl10j7FByAWmghd2FYxrlkgYnvRO54Y=";
-+      sha256 = "e96d75ec8e7dc2a46bc8dad5a9e01c391ab9310ad01c4e3940c963dd263788a0";
-     };
-     patches = getPatches ./patches;
-   };
-diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
-index 43538ede339..ece25c14b55 100644
--- a/pkgs/development/compilers/flutter/flutter.nix
-+++ b/pkgs/development/compilers/flutter/flutter.nix
-@@ -56,12 +56,15 @@ let
-       export STAMP_PATH="$FLUTTER_ROOT/bin/cache/flutter_tools.stamp"
- 
-       export DART_SDK_PATH="${dart}"
-+      export DART="${dart}/bin/dart"
- 
-       HOME=../.. # required for pub upgrade --offline, ~/.pub-cache
-                  # path is relative otherwise it's replaced by /build/flutter
-+      # mkdir -p "$HOME/.cache"
-+      # ln -sf "$FLUTTER_ROOT" "$HOME/.cache/flutter"
- 
-       pushd "$FLUTTER_TOOLS_DIR"
-      ${dart}/bin/pub get --offline
-+      ${dart}/bin/dart pub get --offline
-       popd
- 
-       local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
-diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/git-dir.patch
-new file mode 100644
-index 00000000000..0c736f945ea
--- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/git-dir.patch
-@@ -0,0 +1,102 @@
-+diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
-+index 468a91a954..5def6897ce 100644
-+--- a/dev/bots/prepare_package.dart
-++++ b/dev/bots/prepare_package.dart
-+@@ -525,7 +525,7 @@ class ArchiveCreator {
-+ 
-+   Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
-+     return _processRunner.runProcess(
-+-      <String>['git', ...args],
-++      <String>['git', '--git-dir', '.git', ...args],
-+       workingDirectory: workingDirectory ?? flutterRoot,
-+     );
-+   }
-+diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
-+index bb0eb428a9..4a2a48bb5e 100644
-+--- a/packages/flutter_tools/lib/src/commands/downgrade.dart
-++++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
-+@@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
-+     // Detect unknown versions.
-+     final ProcessUtils processUtils = _processUtils!;
-+     final RunResult parseResult = await processUtils.run(<String>[
-+-      'git', 'describe', '--tags', lastFlutterVersion,
-++      'git', '--git-dir', '.git', 'describe', '--tags', lastFlutterVersion,
-+     ], workingDirectory: workingDirectory);
-+     if (parseResult.exitCode != 0) {
-+       throwToolExit('Failed to parse version for downgrade:\n${parseResult.stderr}');
-+@@ -191,7 +191,7 @@ class DowngradeCommand extends FlutterCommand {
-+         continue;
-+       }
-+       final RunResult parseResult = await _processUtils!.run(<String>[
-+-        'git', 'describe', '--tags', sha,
-++        'git', '--git-dir', '.git', 'describe', '--tags', sha,
-+       ], workingDirectory: workingDirectory);
-+       if (parseResult.exitCode == 0) {
-+         buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
-+diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
-+index f2068a6ca2..99b161689e 100644
-+--- a/packages/flutter_tools/lib/src/version.dart
-++++ b/packages/flutter_tools/lib/src/version.dart
-+@@ -106,7 +106,7 @@ class FlutterVersion {
-+     String? channel = _channel;
-+     if (channel == null) {
-+       final String gitChannel = _runGit(
-+-        'git rev-parse --abbrev-ref --symbolic @{u}',
-++        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
-+         globals.processUtils,
-+         _workingDirectory,
-+       );
-+@@ -114,7 +114,7 @@ class FlutterVersion {
-+       if (slash != -1) {
-+         final String remote = gitChannel.substring(0, slash);
-+         _repositoryUrl = _runGit(
-+-          'git ls-remote --get-url $remote',
-++          'git --git-dir .git ls-remote --get-url $remote',
-+           globals.processUtils,
-+           _workingDirectory,
-+         );
-+@@ -326,7 +326,7 @@ class FlutterVersion {
-+   /// the branch name will be returned as `'[user-branch]'`.
-+   String getBranchName({ bool redactUnknownBranches = false }) {
-+     _branch ??= () {
-+-      final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
-++      final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
-+       return branch == 'HEAD' ? channel : branch;
-+     }();
-+     if (redactUnknownBranches || _branch!.isEmpty) {
-+@@ -359,7 +359,7 @@ class FlutterVersion {
-+   /// wrapper that does that.
-+   @visibleForTesting
-+   static List<String> gitLog(List<String> args) {
-+-    return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
-++    return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
-+   }
-+ 
-+   /// Gets the release date of the latest available Flutter version.
-+@@ -730,7 +730,7 @@ class GitTagVersion {
-+ 
-+   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
-+     if (fetchTags) {
-+-      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-++      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-+       if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
-+         globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
-+       } else {
-+@@ -739,7 +739,7 @@ class GitTagVersion {
-+     }
-+     // find all tags attached to the given [gitRef]
-+     final List<String> tags = _runGit(
-+-      'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
-++      'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
-+ 
-+     // Check first for a stable tag
-+     final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
-+@@ -760,7 +760,7 @@ class GitTagVersion {
-+     // recent tag and number of commits past.
-+     return parse(
-+       _runGit(
-+-        'git describe --match *.*.* --long --tags $gitRef',
-++        'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
-+         processUtils,
-+         workingDirectory,
-+       )
-diff --git a/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
-new file mode 100644
-index 00000000000..f68029eb7a1
--- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
-@@ -0,0 +1,130 @@
-+diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
-+index 2aac9686e8..32c4b98b88 100644
-+--- a/packages/flutter_tools/lib/src/artifacts.dart
-++++ b/packages/flutter_tools/lib/src/artifacts.dart
-+@@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
-+   ) {
-+     switch (artifact) {
-+       case HostArtifact.engineDartSdkPath:
-+-        final String path = _dartSdkPath(_cache);
-++        final String path = _dartSdkPath(_fileSystem);
-+         return _fileSystem.directory(path);
-+       case HostArtifact.engineDartBinary:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.flutterWebSdk:
-+         final String path = _getFlutterWebSdkPath();
-+@@ -398,7 +398,7 @@ class CachedArtifacts implements Artifacts {
-+       case HostArtifact.dart2jsSnapshot:
-+       case HostArtifact.dartdevcSnapshot:
-+       case HostArtifact.kernelWorkerSnapshot:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.iosDeploy:
-+         final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
-+@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
-+   String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
-+     final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+     switch (artifact) {
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-++        assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
-++        return _fileSystem.path.join(engineDir, _artifactToFileName(artifact));
-+       case Artifact.genSnapshot:
-+         assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
-+         final String hostPlatform = getNameForHostPlatform(getCurrentHostPlatform());
-+         return _fileSystem.path.join(engineDir, hostPlatform, _artifactToFileName(artifact));
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.constFinder:
-+       case Artifact.flutterFramework:
-+       case Artifact.flutterMacOSFramework:
-+@@ -497,13 +499,13 @@ class CachedArtifacts implements Artifacts {
-+     switch (artifact) {
-+       case Artifact.genSnapshot:
-+       case Artifact.flutterXcframework:
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+         final String artifactFileName = _artifactToFileName(artifact)!;
-+         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+         return _fileSystem.path.join(engineDir, artifactFileName);
-+       case Artifact.flutterFramework:
-+         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+         return _getIosEngineArtifactPath(engineDir, environmentType, _fileSystem);
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.constFinder:
-+       case Artifact.flutterMacOSFramework:
-+       case Artifact.flutterMacOSPodspec:
-+@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
-+         // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
-+         // android_arm in profile mode because it is available on all supported host platforms.
-+         return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+-        return _fileSystem.path.join(
-+-          _dartSdkPath(_cache), 'bin', 'snapshots',
-+-          _artifactToFileName(artifact),
-+-        );
-+       case Artifact.flutterTester:
-+       case Artifact.vmSnapshotData:
-+       case Artifact.isolateSnapshotData:
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.icuData:
-+         final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
-+         final String platformDirName = _enginePlatformDirectoryName(platform);
-+@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
-+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.dartdevcSnapshot:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.kernelWorkerSnapshot:
-+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
-+       case Artifact.windowsUwpCppClientWrapper:
-+         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
-+       case Artifact.frontendServerSnapshotForEngineDartSdk:
-+-        return _fileSystem.path.join(
-+-          _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
-+-        );
-++        return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
-+       case Artifact.uwptool:
-+         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
-+     }
-+@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
-+ }
-+ 
-+ /// Locate the Dart SDK.
-+-String _dartSdkPath(Cache cache) {
-+-  return cache.getRoot().childDirectory('dart-sdk').path;
-++String _dartSdkPath(FileSystem fileSystem) {
-++  return fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'dart-sdk');
-+ }
-+ 
-+ class _TestArtifacts implements Artifacts {
-+diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
-+index d906511a15..adfdd4bb42 100644
-+--- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
-++++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
-+@@ -153,10 +153,6 @@ void main() {
-+         artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
-+         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
-+       );
-+-      expect(
-+-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
-+-        fileSystem.path.join('root', 'bin', 'cache', 'dart-sdk', 'bin', 'snapshots', 'frontend_server.dart.snapshot')
-+-      );
-+     });
-+ 
-+     testWithoutContext('precompiled web artifact paths are correct', () {
-+@@ -322,11 +318,6 @@ void main() {
-+         artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
-+         fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
-+       );
-+-      expect(
-+-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
-+-        fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
-+-          'snapshots', 'frontend_server.dart.snapshot')
-+-      );
-+     });
-+ 
-+     testWithoutContext('getEngineType', () {
--- a/nixpatches/10-flutter-arm64.patch
+++ b/nixpatches/10-flutter-arm64.patch
@@ -10,8 +10,8 @@ index 565c44f72e9..f20a3d4e9be 100644
 }:
 
 +let vendorHashes = {
-+  x86_64-linux = "sha256-PSZK5frmQGeiTuEJNZ6Fh8NXSLIrLnoOzQk1Xa4jqHw=";
-+  aarch64-linux = "sha256-tU83EeFwakTNkEaLo90ZJV55CnmN+NcicHgBJ0u/RKM=";
+  x86_64-linux = "sha256-p5EJP2zSvWyRV1uyTHw0EpFsEwAGtX5B9WVjpLmnVew=";
+  aarch64-linux = "sha256-Ps0HmDI6BFxHrLRq3KWNk4hw0qneq5hqB/Mp99f+hO4=";
 +};
 +in
 flutter.mkFlutterApp rec {
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
@@ -1,29 +1,55 @@
 fetchpatch: [
+  # phosh-mobile-settings: init at 0.21.1
+  (fetchpatch {
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
+    # url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
+    sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
+  })
+
+  # librewolf: build with `MOZ_REQUIRE_SIGNING=false`
+  (fetchpatch {
+    url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/99b82e07fee4d194520d6e8d51bc45c80a4d3c7e.diff";
+    sha256 = "sha256-FOAZYaMpSPMYwU26xYD+V/f+df0JjlbuVtqjlcBFW5Q=";
+  })
+
+  # lightdm-mobile-greeter: init at 2022-10-30
+  (fetchpatch {
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/0a9018c8879d8fe871ee03bc386f8d148e4f88b8.diff";
+    sha256 = "sha256-h1+K8UO4+G6yvl6JFd8xBGitPgOCIY7BunW49eGkXQQ=";
+  })
+  # lightdm: add `greeters.mobile` config option
+  (fetchpatch {
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/1144d6cfe976e7bcfb9611b1d0a66071e17cd569.diff";
+    sha256 = "sha256-ZEvLPqrkpr79yXrsBxgxELR2Awtqk3675jkYZqx2AfY=";
+  })
+
+  # # kaiteki: init at 2022-09-03
+  # vendorHash changes too frequently (might not be reproducible).
+  # using local package defn until stabilized
+  # (fetchpatch {
+  #   url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
+  #   # url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
+  #   sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
+  # })
+
+
+  # Fix mk flutter app
+  # closed (not merged). updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
+  # (fetchpatch {
+  #   url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
+  #   sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
+  # })
+
  # for raspberry pi: allow building u-boot for rpi 4{,00}
  # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
  #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
  ./02-rpi4-uboot.patch

-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
-    sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
-  })
-
-  # # # Flutter: 3.0.4->3.3.2, flutter.dart: 2.17.5->2.18.1
-  # # (fetchpatch {
-  # #   url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
-  # #   sha256 = "sha256-MppSk1D3qQT8Z4lzEZ93UexoidT8yqM7ASPec4VvxCI=";
-  # # })
-  # enable aarch64 support for flutter's dart package
-  ./10-flutter-arm64.patch
-
-
  # TODO: upstream
+  # maybe convert this patch to add a `targetUrlExpr` instead of doing the `escapeShellArgs` hack
  ./07-duplicity-rich-url.patch

-  # navidrome: adhoc hack to fix the build
-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/191467.diff";
-    sha256 = "sha256-Np0J06RER/0GGUhL/PDuVjpYYIPzB9A3EPWwTWpS/D4=";
-  })
+  # enable aarch64 support for flutter's dart package
+  # ./10-flutter-arm64.patch
 ]
--- a/pkgs/browserpass-extension/default.nix
+++ b/pkgs/browserpass-extension/default.nix
@@ -0,0 +1,57 @@
+{ stdenv
+, fetchFromGitHub
+, gnused
+, jq
+, mkYarnModules
+, zip
+}:
+
+let
+  pname = "browserpass-extension";
+  version = "3.7.2";
+  src = fetchFromGitHub {
+    owner = "browserpass";
+    repo = "browserpass-extension";
+    rev = version;
+    sha256 = "sha256-uDJ0ID8mD+5WLQK40+OfzRNIOOhZWsLYIi6QgcdIDvc=";
+  };
+  browserpass-extension-yarn-modules = mkYarnModules {
+    inherit pname version;
+    packageJSON = "${src}/src/package.json";
+    yarnLock = "${src}/src/yarn.lock";
+  };
+  extid = "browserpass@maximbaz.com";
+in stdenv.mkDerivation {
+  inherit pname version src;
+
+  patchPhase = ''
+    # dependencies are built separately: skip the yarn install
+    ${gnused}/bin/sed -i /yarn\ install/d src/Makefile
+  '';
+
+  preBuild = ''
+    ln -s ${browserpass-extension-yarn-modules}/node_modules src/node_modules
+  '';
+
+  installPhase = ''
+    BASE=$out/share/mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
+    mkdir -p $BASE
+
+    pushd firefox
+
+    # firefox requires addons to have an id field when sideloading:
+    # - <https://extensionworkshop.com/documentation/publish/distribute-sideloading/>
+    cat manifest.json \
+      | ${jq}/bin/jq '. + { applications: {gecko: {id: "${extid}" }}, browser_specific_settings: {gecko: {id: "${extid}"}} }' \
+      > manifest.patched.json
+    mv manifest{.patched,}.json
+
+    ${zip}/bin/zip -r $BASE/browserpass@maximbaz.com.xpi ./*
+
+    popd
+  '';
+
+  passthru = {
+    inherit extid;
+  };
+}
--- a/pkgs/browserpass/default.nix
+++ b/pkgs/browserpass/default.nix
@@ -0,0 +1,47 @@
+{ pkgs
+, bash
+, fetchFromGitea
+, gnused
+, lib
+, sane-scripts
+, sops
+, stdenv
+, substituteAll
+}:
+
+let
+  sane-browserpass-gpg = stdenv.mkDerivation {
+    pname = "sane-browserpass-gpg";
+    version = "0.1.0";
+    src = ./.;
+
+    inherit bash gnused sops;
+    sane_scripts = sane-scripts;
+    installPhase = ''
+      mkdir -p $out/bin
+      substituteAll ${./sops-gpg-adapter} $out/bin/gpg
+      chmod +x $out/bin/gpg
+      ln -s $out/bin/gpg $out/bin/gpg2
+    '';
+
+  };
+in
+(pkgs.browserpass.overrideAttrs (upstream: {
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "browserpass-native";
+    rev = "8de7959fa5772aca406bf29bb17707119c64b81e";
+    hash = "sha256-ewB1YdWqfZpt8d4p9LGisiGUsHzRW8RiSO/+NZRiQpk=";
+  };
+  installPhase = ''
+    make install
+
+    wrapProgram $out/bin/browserpass \
+      --prefix PATH : ${lib.makeBinPath [ sane-browserpass-gpg ]}
+
+    # This path is used by our firefox wrapper for finding native messaging hosts
+    mkdir -p $out/lib/mozilla/native-messaging-hosts
+    ln -s $out/lib/browserpass/hosts/firefox/*.json $out/lib/mozilla/native-messaging-hosts
+  '';
+}))
--- a/pkgs/browserpass/sops-gpg-adapter
+++ b/pkgs/browserpass/sops-gpg-adapter
@@ -0,0 +1,19 @@
+#! @bash@/bin/sh
+
+# browserpass "validates" the gpg binary by invoking it with --version
+if [ "$1" = "--version" ]
+then
+  echo "sane-browserpass-gpg @version@";
+  exit 0
+fi
+
+# ensure the secret store is unlocked
+@sane_scripts@/bin/sane-secrets-unlock
+
+# using exec here forwards our stdin
+# browserpass parses the response in
+# <browserpass-extension/src/background.js#parseFields>
+# it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
+# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
+# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
+exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/
--- a/pkgs/gocryptfs/default.nix
+++ b/pkgs/gocryptfs/default.nix
@@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+
+(pkgs.gocryptfs.overrideAttrs (upstream: {
+  # XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
+  # unless `logger` (util-linux) is accessible from gocryptfs.
+  # this is surprising: the code LOOKS like it's meant to handle logging failures.
+  # propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
+  #
+  # TODO: see about upstreaming this
+  postInstall = ''
+    wrapProgram $out/bin/gocryptfs \
+      --suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
+    ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
+  '';
+}))
--- a/pkgs/gopass-native-messaging-host/com.justwatch.gopass.json
+++ b/pkgs/gopass-native-messaging-host/com.justwatch.gopass.json
@@ -0,0 +1,10 @@
+{
+    "name": "com.justwatch.gopass",
+    "description": "Gopass wrapper to search and return passwords",
+    "path": "@out@/bin/gopass-wrapper",
+    "type": "stdio",
+    "allowed_extensions": [
+        "{eec37db0-22ad-4bf1-9068-5ae08df8c7e9}"
+    ]
+}
+
--- a/pkgs/gopass-native-messaging-host/default.nix
+++ b/pkgs/gopass-native-messaging-host/default.nix
@@ -0,0 +1,22 @@
+{ stdenv
+, bash
+, gopass-jsonapi
+, substituteAll
+}:
+
+stdenv.mkDerivation {
+  pname = "gopass-native-messaging-host";
+  version = "1.0";
+  src = ./.;
+
+  inherit bash;
+  # substituteAll doesn't work with hyphenated vars ??
+  gopassJsonapi = gopass-jsonapi;
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib/mozilla/native-messaging-hosts
+    substituteAll ${./gopass-wrapper.sh} $out/bin/gopass-wrapper
+    chmod +x $out/bin/gopass-wrapper
+    substituteAll ${./com.justwatch.gopass.json} $out/lib/mozilla/native-messaging-hosts/com.justwatch.gopass.json
+  '';
+}
--- a/pkgs/gopass-native-messaging-host/gopass-wrapper.sh
+++ b/pkgs/gopass-native-messaging-host/gopass-wrapper.sh
@@ -0,0 +1,2 @@
+#! @bash@/bin/sh
+exec @gopassJsonapi@/bin/gopass-jsonapi listen
--- a/pkgs/kaiteki/default.nix
+++ b/pkgs/kaiteki/default.nix
@@ -2,39 +2,63 @@
 , fetchFromGitHub
 , flutter
 , makeDesktopItem
+, imagemagick
+, xdg-user-dirs
 }:

 flutter.mkFlutterApp rec {
  pname = "kaiteki";
-  version = "unstable-2022-06-03";
+  version = "unstable-2022-09-03";

-  # this hash seems unstable -- depends on other nixpkgs, perhaps?
-  vendorHash = "sha256-IC3FAPFASuMcNOpUuaB+MDcm9nqGCtq/6A2dCxIXHEg=";
+  vendorHash = "sha256-CXEaQeXEY5PYpcoqmPcRfcyaFsEDZ8bq1pgApmjyp0c=";

  src = fetchFromGitHub {
    owner = "Kaiteki-Fedi";
    repo = "Kaiteki";
-    rev = "0a322313071e4391949d23d9b006d74de65f58d9";
-    hash = "sha256-ggDIbVwueS162m15TFaC6Tcg+0lpcVGi4x/O691sxR8";
+    rev = "fd1e26c98f37ad6a98ed549da879c91721f997d0";
+    hash = "sha256-N7n6o/B9s0DCYf9HFMZSCPShpE65wKl9FaQ5dbFnr1E=";
+    fetchSubmodules = true;
  };

-  desktopItems = [ (makeDesktopItem {
+  nativeBuildInputs = [ imagemagick ];
+
+  desktopItem = makeDesktopItem {
    name = "Kaiteki";
-    exec = "kaiteki";
+    exec = "@out@/bin/kaiteki";
    icon = "kaiteki";
    desktopName = "Kaiteki";
    genericName = "Micro-blogging client";
    comment = meta.description;
    categories = [ "Network" "InstantMessaging" "GTK" ];
-  }) ];
+  };

  sourceRoot = "source/src/kaiteki";

+  postInstall = ''
+    wrapProgram $out/bin/kaiteki \
+      --prefix PATH : "${xdg-user-dirs}/bin"
+
+    FAV=$out/app/data/flutter_assets/assets/icon.png
+    ICO=$out/share/icons
+
+    install -D $FAV $ICO/kaiteki.png
+    for s in 24 32 42 64 128 256 512; do
+      D=$ICO/hicolor/''${s}x''${s}/apps
+      mkdir -p $D
+      convert $FAV -resize ''${s}x''${s} $D/kaiteki.png
+    done
+
+    mkdir $out/share/applications
+    cp $desktopItem/share/applications/*.desktop $out/share/applications
+    substituteInPlace $out/share/applications/*.desktop \
+      --subst-var out
+  '';
+
  meta = with lib; {
    description = "The comfy Fediverse client";
    homepage = "https://craftplacer.moe/projects/kaiteki/";
    license = licenses.agpl3Plus;
-    # maintainers = with maintainers; [ colinsane ];
+    maintainers = with maintainers; [ colinsane ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/lightdm-mobile-greeter/default.nix
+++ b/pkgs/lightdm-mobile-greeter/default.nix
@@ -0,0 +1,53 @@
+{ lib
+, fetchFromGitea
+, gtk3
+, libhandy_0
+, lightdm
+, pkgs
+, linkFarm
+, pkg-config
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "lightdm-mobile-greeter";
+  version = "2022-10-30";
+
+  src = fetchFromGitea {
+    domain = "git.raatty.club";
+    owner = "raatty";
+    repo = "lightdm-mobile-greeter";
+    rev = "8c8d6dfce62799307320c8c5a1f0dd5c8c18e4d3";
+    hash = "sha256-SrAR2+An3BN/doFl/s8PcYZMUHLfVPXKZOo6ndO60nY=";
+  };
+  cargoHash = "sha256-NZ0jOkEBNa5oOydfyKm0XQB/vkAvBv9wHBbnM9egQFQ=";
+
+  buildInputs = [
+    gtk3
+    libhandy_0
+    lightdm
+  ];
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  postInstall = ''
+    mkdir -p $out/share/applications
+    substitute lightdm-mobile-greeter.desktop \
+      $out/share/applications/lightdm-mobile-greeter.desktop \
+      --replace lightdm-mobile-greeter $out/bin/lightdm-mobile-greeter
+  '';
+
+  passthru.xgreeters = linkFarm "lightdm-mobile-greeter-xgreeters" [{
+    path = "${pkgs.lightdm-mobile-greeter}/share/applications/lightdm-mobile-greeter.desktop";
+    name = "lightdm-mobile-greeter.desktop";
+  }];
+
+  meta = with lib; {
+    description = "A simple log in screen for use on touch screens.";
+    homepage = "https://git.raatty.club/raatty/lightdm-mobile-greeter";
+    maintainers = with maintainers; [ colinsane ];
+    platforms = platforms.linux;
+    license = licenses.mit;
+  };
+}
--- a/pkgs/linux-megous/default.nix
+++ b/pkgs/linux-megous/default.nix
@@ -3,10 +3,10 @@
 with lib;

 buildLinux (args // rec {
-  version = "6.0.0-rc4";
+  version = "6.0.2";

  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
-  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) + "-rc4" else modDirVersionArg;
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;

  # branchVersion needs to be x.y
  extraMeta.branch = versions.majorMinor version;
@@ -15,7 +15,7 @@ buildLinux (args // rec {
    owner = "megous";
    repo = "linux";
    # branch: orange-pi-6.0
-    rev = "6ada3caab0b37968f1257b3ea75e5b0466a77162";
-    sha256 = "sha256-jIhOE0ZMuoJm7NqAEJ4OTNLHN/h8i4cOphcw3le7RSw=";
+    rev = "2683672a2052ffda995bb987fa62a1abe8424ef4";
+    hash = "sha256-hL/SbLgaTk/CqFLFrAK/OV9/OS20O42zJvSScsvWBQk=";
  };
 } // (args.argsOverride or { }))
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -35,8 +35,17 @@
  # patch rpi uboot with something that fixes USB HDD boot
  ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };

+  gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
+
+  browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
+
  #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
  kaiteki = prev.callPackage ./kaiteki { };
+  # lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
+  browserpass-extension = prev.callPackage ./browserpass-extension { };
+  gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
+  # kaiteki = prev.kaiteki;
+  # TODO: upstream, or delete nabla
  nabla = prev.callPackage ./nabla { };
 })

--- a/pkgs/pleroma/default.nix
+++ b/pkgs/pleroma/default.nix
@@ -1,6 +1,7 @@
 { lib, beamPackages
 , fetchFromGitHub, fetchFromGitLab
 , file, cmake, bash
+, libxcrypt
 , nixosTests, writeText
 , cookieFile ? "/var/lib/pleroma/.cookie"
 , ...
@@ -14,11 +15,10 @@ beamPackages.mixRelease rec {
    domain = "git.pleroma.social";
    owner = "pleroma";
    repo = "pleroma";
-    rev = "4605efe272016a5ba8ba6e96a9bec9a6e40c1591";
+    rev = "7a519b6a6607bc1dd22e6a3450aebf0f1ff11fb8";
    # to update: uncomment the null hash, run nixos-rebuild and
    # compute the new hash with `nix to-sri sha256:<output from failed nix build>`
-    # sha256 = "sha256-0000000000000000000000000000000000000000000=";
-    sha256 = "sha256-Dp1kTUDfNC7EDoK9WToXkUvsj7v66eKuD15le5IZgiY=";
+    sha256 = "sha256-6NglBcEGEvRlYMnVNB8kr4i/fccrzO6mnyp3X+O0m74=";
  };

  preFixup = if (cookieFile != null) then ''
@@ -72,29 +72,49 @@ beamPackages.mixRelease rec {
        name = "crypt";
        version = "0.4.3";

-        src = fetchFromGitHub {
-          owner = "msantos";
+        # src = fetchFromGitHub {
+        #   owner = "msantos";
+        #   repo = "crypt";
+        #   rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
+        #   sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
+        # };
+
+        # this is the old crypt, from before 2021/09/21.
+        # nixpkgs still uses this as of 2022-10-24 and it works.
+        src = fetchFromGitLab {
+          domain = "git.pleroma.social";
+          group = "pleroma";
+          owner = "elixir-libraries";
          repo = "crypt";
-          rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
-          sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
+          rev = "cf2aa3f11632e8b0634810a15b3e612c7526f6a3";
+          sha256 = "sha256-48QIsgyEaDzvnihdsFy7pYURLFcb9G8DXIrf5Luk3zo=";
        };

        postInstall = "mv $out/lib/erlang/lib/crypt-${version}/priv/{source,crypt}.so";

        beamDeps = with final; [ elixir_make ];
+        buildInputs = [ libxcrypt ];
      };
      prometheus_ex = beamPackages.buildMix rec {
        name = "prometheus_ex";
        version = "3.0.5";

-        src = fetchFromGitLab {
-          domain = "git.pleroma.social";
-          group = "pleroma";
-          owner = "elixir-libraries";
+        src = fetchFromGitHub {
+          owner = "lanodan";
          repo = "prometheus.ex";
-          rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
-          sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
+          # branch = "fix/elixir-1.14";
+          rev = "31f7fbe4b71b79ba27efc2a5085746c4011ceb8f";
+          sha256 = "sha256-2PZP+YnwnHt69HtIAQvjMBqBbfdbkRSoMzb1AL2Zsyc=";
        };
+
+        # src = fetchFromGitLab {
+        #   domain = "git.pleroma.social";
+        #   group = "pleroma";
+        #   owner = "elixir-libraries";
+        #   repo = "prometheus.ex";
+        #   rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
+        #   sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
+        # };
        beamDeps = with final; [ prometheus ];
      };
      prometheus_phx = beamPackages.buildMix rec {
@@ -109,8 +129,8 @@ beamPackages.mixRelease rec {
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "prometheus-phx";
-          rev = "9cd8f248c9381ffedc799905050abce194a97514";
-          sha256 = "0211z4bxb0bc0zcrhnph9kbbvvi1f2v95madpr96pqzr60y21cam";
+          rev = "0c950ac2d145b1ee3fc8ee5c3290ccb9ef2331e9";
+          sha256 = "sha256-HjN0ku1q5aNtrhHopch0wpp4Z+dMCGj5GxHroiz5u/w=";
        };
        beamDeps = with final; [ prometheus_ex ];
      };
--- a/pkgs/pleroma/mix.nix
+++ b/pkgs/pleroma/mix.nix
@@ -34,7 +34,6 @@ let
      beamDeps = [ custom_base ];
    };

-    # base64url = buildMix rec {
    base64url = buildRebar3 rec {
      name = "base64url";
      version = "0.0.1";
@@ -362,12 +361,12 @@ let

    eblurhash = buildRebar3 rec {
      name = "eblurhash";
-      version = "1.1.0";
+      version = "1.2.2";

      src = fetchHex {
        pkg = "${name}";
        version = "${version}";
-        sha256 = "07dmkbyafpxffh8ar6af4riqfxiqc547rias7i73gpgx16fqhsrf";
+        sha256 = "0k040pj8hlm8mwy0ra459hk35v9gfsvvgp596nl27q2dj00cl84c";
      };

      beamDeps = [];
@@ -1646,5 +1645,19 @@ let

      beamDeps = [ httpoison jose ];
    };
+
+    websockex = buildMix rec {
+      name = "websockex";
+      version = "0.4.3";
+
+      src = fetchHex {
+        pkg = "${name}";
+        version = "${version}";
+        sha256 = "1r2kmi2pcmdzvgbd08ci9avy0g5p2lhx80jn736a98w55c3ygwlm";
+      };
+
+      beamDeps = [];
+    };
  };
 in self
+
--- a/pkgs/pleroma/updating.txt
+++ b/pkgs/pleroma/updating.txt
@@ -1,10 +1,16 @@
+in pleroma checkout:
+- grab version: `rg 'version: ' mix.exs`
+
 in default.nix:
-  update `rev` and recompute sha256.
-    use nix to-sri sha256:<expected>
+- update `rev` and recompute sha256.

-run mix2nix inside the pleroma git root and pipe the output into mix.nix
-  inside default.nix, update all git mix deps
-  inside mix.nix, change base64url to use buildRebar3 instead of buildMix
+in pleroma checkout:
+- `mix2nix > mix.nix`

-move majic from mix.nix -> default.nix and add:
-  buildInputs = [ file ];
+in nix repo:
+- cp the new mix.nix here.
+- move majic from mix.nix -> default.nix and add:
+        - buildInputs = [ file ];
+- update `mixNixDeps` in default.nix:
+        - grab the version from pleroma/mix.exs or mix.lock
+- redundant?: inside mix.nix, change base64url to use buildRebar3 instead of buildMix
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -23,8 +23,9 @@ resholve.mkDerivation {
        file
        findutils
        gnugrep
+        gocryptfs
        ifuse
-        inotifyTools
+        inotify-tools
        ncurses
        oath-toolkit
        openssh
@@ -33,6 +34,7 @@ resholve.mkDerivation {
        ssh-to-age
        sops
        sudo
+        util-linux
        which
      ];
      keep = {
@@ -47,20 +49,22 @@ resholve.mkDerivation {
          "umount"
          "sudo"

-          # this is actually internal; probably a better fix
+          # these are used internally; probably a better fix
          "sane-mount-servo"
+          "sane-private-unlock"
        ];
      };

      # list of programs which *can* or *cannot* exec their arguments
-      execer = [
-        "cannot:${pkgs.ifuse}/bin/ifuse"
-        "cannot:${pkgs.oath-toolkit}/bin/oathtool"
-        "cannot:${pkgs.openssh}/bin/ssh-keygen"
-        "cannot:${pkgs.rmlint}/bin/rmlint"
-        "cannot:${pkgs.rsync}/bin/rsync"
-        "cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
-        "cannot:${pkgs.sops}/bin/sops"
+      execer = with pkgs; [
+        "cannot:${gocryptfs}/bin/gocryptfs"
+        "cannot:${ifuse}/bin/ifuse"
+        "cannot:${oath-toolkit}/bin/oathtool"
+        "cannot:${openssh}/bin/ssh-keygen"
+        "cannot:${rmlint}/bin/rmlint"
+        "cannot:${rsync}/bin/rsync"
+        "cannot:${sops}/bin/sops"
+        "cannot:${ssh-to-age}/bin/ssh-to-age"
      ];
    };
  };
--- a/pkgs/sane-scripts/src/sane-mount-servo
+++ b/pkgs/sane-scripts/src/sane-mount-servo
@@ -15,4 +15,5 @@ then
 fi

 # symlink the fastest mount point into place
+# uncomment if i see the bug again: sudo unlink /mnt/servo-media  # XXX ln gets confused if the destination is a symlink to a stale mount
 sudo ln -sf $mnt /mnt/servo-media
--- a/pkgs/sane-scripts/src/sane-mount-servo-root
+++ b/pkgs/sane-scripts/src/sane-mount-servo-root
@@ -15,4 +15,5 @@ then
 fi

 # symlink the fastest mount point into place
+# uncomment if i see the bug again: sudo unlink /mnt/servo-root  # XXX ln gets confused if the destination is a symlink to a stale mount
 sudo ln -sf $mnt /mnt/servo-root
--- a/pkgs/sane-scripts/src/sane-private-change-passwd
+++ b/pkgs/sane-scripts/src/sane-private-change-passwd
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -ex
+
+new_plain=/home/colin/private-new
+new_cipher="/nix/persist${new_plain}"
+dest_plain=/home/colin/private
+dest_cipher="/nix/persist${dest_plain}"
+
+# initialize the new store
+sudo mkdir -p "${new_cipher}" && sudo chown colin:users "${new_cipher}"
+mkdir -p "${new_plain}"
+gocryptfs -init "${new_cipher}"
+
+# mount the new and old store
+gocryptfs "${new_cipher}" "${new_plain}"
+sane-private-unlock
+
+# transfer to the new store
+rsync -arv /home/colin/private/ "${new_plain}"/
+
+# unmount both stores
+sudo umount "${new_plain}"
+sudo umount /home/colin/private
+
+# swap the stores
+sudo mv "${dest_cipher}" "${dest_cipher}-old"
+sudo mv "${new_cipher}" "${dest_cipher}"
+
+sane-private-unlock
+
+echo "if things look well, rm ${dest_cipher}-old"
--- a/pkgs/sane-scripts/src/sane-private-init
+++ b/pkgs/sane-scripts/src/sane-private-init
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# configure persistent, encrypted storage that is auto-mounted on login.
+# this is a one-time setup and user should log out/back in after running it.
+
+p=/nix/persist/home/colin/private
+mkdir -p $p
+gocryptfs -init $p
--- a/pkgs/sane-scripts/src/sane-private-lock
+++ b/pkgs/sane-scripts/src/sane-private-lock
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+sudo umount /home/colin/private
--- a/pkgs/sane-scripts/src/sane-private-unlock
+++ b/pkgs/sane-scripts/src/sane-private-unlock
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# configure persistent, encrypted storage that is auto-mounted on login.
+# this is a one-time setup and user should log out/back in after running it.
+
+mount=/home/colin/private
+cipher="/nix/persist$mount"
+mkdir -p "$mount"
+if [ ! -f "$mount/init" ]
+then
+  gocryptfs "$cipher" "$mount"
+fi
--- a/pkgs/sane-scripts/src/sane-rcp
+++ b/pkgs/sane-scripts/src/sane-rcp
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+# copy some remote file(s) to the working directory, with sane defaults
+rsync -arv --progress "$@" .
--- a/pkgs/sane-scripts/src/sane-reclaim-disk-space
+++ b/pkgs/sane-scripts/src/sane-reclaim-disk-space
@@ -1,17 +1,41 @@
 #!/usr/bin/env bash
-set -ex
 # script to reclaim some hard drive space
+set -e
+
+options=$(getopt -l "fast" -o "f" -- "$@")
+do_rmlint=true
+for arg in $options; do
+  case $arg in
+    -f|--fast)
+      do_rmlint=false
+      ;;
+    --)
+      ;;
+  esac
+done
+
+set -x
+
+# always claim nix garbage
 sudo nix-collect-garbage
-# identify duplicate files in the nix store
-rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --output=json:/dev/null --progress /nix/store
-# link the dupes together (uses ioctl_fideduperange)
-#   see: https://btrfs.wiki.kernel.org/index.php/Deduplication
-#   see: https://rmlint.readthedocs.io/en/latest/tutorial.html
-sudo mount -o remount,rw /nix/store
-# XXX: does rmlint really need to be invoked as root?
-sudo /tmp/rmlint.sh -d || true  # on failure, we still want to remount ro
-# XXX this doesn't work: 'mount point is busy.'
-sudo mount -o remount,ro /nix/store
+
+if [ $do_rmlint = true ]
+then
+  # identify duplicate files in the nix store
+  rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --output=json:/dev/null --progress /nix/store
+  # link the dupes together (uses ioctl_fideduperange)
+  #   see: https://btrfs.wiki.kernel.org/index.php/Deduplication
+  #   see: https://rmlint.readthedocs.io/en/latest/tutorial.html
+fi
+
+if [ $do_rmlint = true ]
+then
+  sudo mount -o remount,rw /nix/store
+  # XXX: does rmlint really need to be invoked as root?
+  sudo /tmp/rmlint.sh -d || true  # on failure, we still want to remount ro
+  # XXX this doesn't work: 'mount point is busy.'
+  sudo mount -o remount,ro /nix/store
+fi

 # TODO: instead of using rmlint, could use dduper: https://github.com/Lakshmipathi/dduper
 #   better perf for btrfs (checksum tests)
--- a/pkgs/sane-scripts/src/sane-sudo-redirect
+++ b/pkgs/sane-scripts/src/sane-sudo-redirect
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# redirects to $1, when writing to $1 requires sudo permissions.
+# i.e. convert a failing command:
+#
+# ```
+# $ sudo do_thing > /into/file
+# ```
+#
+# to
+#
+# ```
+# $ sudo do_thing | sane-sudo-redirect /into/file
+# ```
+
+exec sudo tee $@ > /dev/null
--- a/pkgs/sane-scripts/src/sane-sync-from-iphone
+++ b/pkgs/sane-scripts/src/sane-sync-from-iphone
@@ -5,8 +5,13 @@ set -ex
 # make sure the mountpoint exists
 if ! (test -e /mnt/iphone)
 then
-  sudo mkdir /mnt/iphone
-  sudo chown colin:users /mnt/iphone
+  sudo umount /mnt/iphone || true  # maybe the mount hung
+
+  if ! (test -e /mnt/iphone)
+  then
+    sudo mkdir /mnt/iphone
+    sudo chown colin:users /mnt/iphone
+  fi
 fi

 # make sure the device is mounted
--- a/pkgs/zecwallet-lite/default.nix
+++ b/pkgs/zecwallet-lite/default.nix
@@ -1,30 +0,0 @@
-{ lib, fetchurl, appimageTools }:
-
-appimageTools.wrapType2 rec {
-  pname = "zecwallet-lite";
-  version = "1.7.13";
-
-  src = fetchurl {
-    url = "https://github.com/adityapk00/zecwallet-lite/releases/download/v${version}/Zecwallet.Lite-${version}.AppImage";
-    hash = "sha256-uBiLGHBgm0vurfvOJjJ+RqVoGnVccEHTFO2T7LDqUzU=";
-  };
-
-  extraInstallCommands =
-    let contents = appimageTools.extract { inherit pname version src; };
-    in ''
-      mv $out/bin/${pname}-${version} $out/bin/${pname}
-
-      install -m 444 -D ${contents}/${pname}.desktop -t $out/share/applications
-      substituteInPlace $out/share/applications/${pname}.desktop \
-        --replace 'Exec=AppRun' 'Exec=${pname}'
-      cp -r ${contents}/usr/share/icons $out/share
-    '';
-
-  meta = with lib; {
-    description = "A fully featured shielded wallet for Zcash";
-    homepage = "https://www.zecwallet.co/";
-    license = licenses.mit;
-    maintainers = with maintainers; [ colinsane ];
-    platforms = [ "x86_64-linux" ];
-  };
-}
--- a/readme.md
+++ b/readme.md
@@ -1,9 +1,11 @@
 to deploy:
+
 ```sh
 nixos-rebuild --flake "./#servo" {build,switch}
 ```

 more options (like building packages defined in this repo):
+
 ```sh
 nix flake show
 ```
@@ -28,6 +30,18 @@ refer to flake.nix for more details.

 to build one of the custom sane packages, just name it:

-```
+```sh
 nix build ./#fluffychat-moby
 ```
+
+to build a nixpkg:
+
+```sh
+nix build ./#nixpkgs.curl
+```
+
+to build a package for another platform:
+
+```sh
+nix build ./#packages.aarch64-linux.nixpkgs.ubootRaspberryPi4_64bit
+```
--- a/scripts/ensure-perms
+++ b/scripts/ensure-perms
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# ensures perms on a newly-built distribution are good.
+# usage: sudo ensure-perms /path/to/nix
+
+nix_path=$1
+chown root:root -R $nix_path
+chown root:nixbld $nix_path/store
--- a/scripts/init-keyring
+++ b/scripts/init-keyring
@@ -0,0 +1,18 @@
+#!/bin/sh
+# initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
+# this initializes it to be plaintext/unencrypted.
+
+if [ -f ~/.local/share/keyrings/default ]
+then
+        echo 'keyring already initialized: not doing anything'
+        exit 0
+fi
+
+keyring=~/.local/share/keyrings/Default_keyring.keyring
+
+echo 'initializing default user keyring:' "$keyring"
+echo '[keyring]' > "$keyring"
+echo 'display-name=Default keyring' >> "$keyring"
+echo 'lock-on-idle=false' >> "$keyring"
+echo 'lock-after=false' >> "$keyring"
+echo -n "Default_keyring" > ~/.local/share/keyrings/default
--- a/scripts/install-iwd
+++ b/scripts/install-iwd
@@ -0,0 +1,20 @@
+#!/bin/sh
+# usage: install-iwd.sh <source_dir> <dest_dir>
+# source_dir contains plain-text .psk files of any filename.
+# for each file, this extracts the SSID and creates a symlink in dest_dir which
+# points to the original file, using the SSID name as filename.
+#
+# this is because iwd extracts the SSID from the filename, but users might
+# prefer the SSID be kept separate from the filename.
+
+src_dir="$1"
+dest_dir="$2"
+for f in $(ls "$src_dir")
+do
+        ssid=$(sed -rn 's/# SSID=(.*)/\1/p' "$src_dir/$f")
+        # not sure that iwd can deal with un-writeable symlinks
+        # ln -sf "$src_dir/$f" "$dest_dir/$ssid.psk"
+        cp "$src_dir/$f" "$dest_dir/$ssid.psk"
+        # not strictly necessary, but iwd does default to rw
+        chmod 600 "$dest_dir/$ssid.psk"
+done
--- a/secrets/desko.yaml
+++ b/secrets/desko.yaml
@@ -1,6 +1,7 @@
 duplicity_passphrase: ENC[AES256_GCM,data:rzUfcxe5YPloOrqgVwdCjsccexWc5RvmFf1i3Xs459iVTfWHlVJeT/IqReY6ZqdAkPJteTtrUZzak2GXyRUkE13+W0kE8isnDjPX/YDQwoK2sa+dwc4xGTekboc0gf6HH3vQpF1aiJDBfb3GtGyDVLH9MVIRPJGXSztZBduUDezA2wAx2wI=,iv:EHJg8kE/07v+ySSFDtW4FA4y1y/+fcGxfNCWoainwBI=,tag:S3ecM4DbDl8jqXLRKipZmQ==,type:str]
 #ENC[AES256_GCM,data:yU9cr6MXjS4m69BeIUjUw477wt4c1djYof3Qlfr4Dytv8hWqCuqThDwQTMY5jfHdv5ipS0aEjf7GWu2M2t9W88fYdxnTN2m8IfYZp76YcjxO4fup5BXiLGIjnm+qI0g=,iv:nPo8FyGiyLRQozE4kZ6Rei6CObvbVynOs3jdMvdkpZw=,tag:+4esxPiewSsjwao6ZhAMxA==,type:comment]
 nix_serve_privkey: ENC[AES256_GCM,data:/Ph9J00cV7PcfpJw/NWcBpkQR+a0SQyHv1jmF4CkH+Uj8l+cRcXWynAc2APenMSfHdighXMqjsXuwRbGo0S57YuMXQjFbI8jhbXEhhAWlmET1q7uRaaZRSgq34qABw==,iv:LLYgLauPsD+3mx1GTjEUkiXgdWsnqixCJl4UfSdS5Ac=,tag:S7V6GKezS/JsbZVfq9DjjA==,type:str]
+colin-passwd: ENC[AES256_GCM,data:/b+l5zTlOhdoiFaMVG5HB98AOGfGZtwkH+IS/mhDgHNZ4J+t3OiEBAFPl/KPctg6ZM55QiAjNnnJ8zAsKL85om6amvrWF/Qz17qC9+pZF+6Ef8xvTQr3VPlFEYq4rGb74jQ7uyvtCjn0Ow==,iv:Z0qUimlPQMu6rsjn5b/Xfw99NzbXGS8B/hNWE+f+GoM=,tag:uGB1DZzHiLCkOtlAA58mmg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -34,8 +35,8 @@ sops:
            Si9kT0ZMUnJJWlhUZ3FFakZFaDlPdEEKXtWfh6wdGPin1h/UUs21cdspddpW1YDq
            rCKS2DI2KWdgciih9FnmWGAwGUhB3uhimUr6hgho4z+dZfLrpoP1PA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-14T21:34:55Z"
-    mac: ENC[AES256_GCM,data:Zex69KG2a2Rxyodyci40azr9qGbA5XwH4Qhip0BDbrJymHjZzqCeRDKjdHjAWXPdPyglvUY0kADfm7xxlE1zU84oOahI9FldADtQrGUWS0elU+a3F93LVNGlhlKc+g8JGzUyBvPr6Toi52L2hI18K5bmWFPesczWedL07r85s9M=,iv:W+SMAX0HY5GbAqqgXWbSxm4wbzXZt5PEsLhwWcxkRWY=,tag:VPnw2X+6i0EyiFB3rkon8Q==,type:str]
+    lastmodified: "2022-10-24T08:49:49Z"
+    mac: ENC[AES256_GCM,data:dvxYlU/btzzH9Qor8z02kdv3S4gFUGHnEjV/XBM99+IFuAD6vuE8zFL4peGW1GiXqM2QQY0Qc9wZ+nC5/ak9ROMC8uZPXF417gs6U9yyT92FRlMSdC0AMsUhNGWjJlM733hI4YATnR+1XuwHewzzW1R3TvrouBZqSv+2rBsiZCw=,iv:A+D7IG4U+EQ6nP4xKOK1ExeZLeERpiSPzj/g87R1SdM=,tag:jSVGDO9kNxXdDSSixDrkDQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/lappy.yaml
+++ b/secrets/lappy.yaml
@@ -0,0 +1,42 @@
+#ENC[AES256_GCM,data:s512crIo2ylwy1pWPDs6324+NpP3dHvW0QmuZzvOOyrepTQvmB4NW07NFXYzY/UUPn7E4HrB7mzhvQYxVYDBlZKAMr9llT80Nnpt0AqrxnLiqnnY79EvP+aXvNmi0yWsTGqh6k36BWNTUyPSzgjGtvjQgTLSvr9uRzfy9e4C6NVWBm5sTEbYg9y3ZslToVSsEyGHYMVT6fSKM7ewH8wV,iv:sbBWcHYP5Ak4h7gWbdu8JyL2SEeUgrvkjji11Sp2GoA=,tag:yQTWlrrcBxotdKBbB54x5g==,type:comment]
+#ENC[AES256_GCM,data:XcQaEDhsAG2kY0Rdw2AKOwaHQIm3/zrWMjpQlU8pWlifNY9eoPqndzIbCNDKhbEJqrzeAuxGYFRBgohRcHQz2O/cbgr8GwTZ3Uo+NHsX6qcoUhzUKd1xlUnIKLjNcV7vlxofrmXikQ==,iv:OKSw1bw2TiPweUJeqCqwr8V+A+ovIT+meygH9l9m4cI=,tag:aTROLuGpTgoxF1JV/w2Cpw==,type:comment]
+#ENC[AES256_GCM,data:GFdHTjsr2DJtg/BIyOSeM6EQw92Q/8JFdqXLwpg/FWn9olTws2KDchSWRDlkrEbgoXSMP3Atd33YgckUebDYMIK8ctJai2SUxLJK5fW8LX1JbKUAC5PHUygAIkWYsHlNse7Qbgrw1rtBuR43L6NbMw==,iv:5beGhtM2wja2GgrLCzizsqamfakDIBlZ74ZJhNr33lg=,tag:Ej1za572vRpPcvcHXliQDA==,type:comment]
+colin-passwd: ENC[AES256_GCM,data:+vPsqF9XiY9USDQuTt6n7K9f4/+/Sdgp6J8LnWvhYdlTTltz8a4/RYdg0JHC4o/pNae3k7KwYGMJI+vY25mgvLGj+kL23Fc9j1EYJgJk5uTz8MlmKOlKxKcSfmI3v+zOUOlQm/warktksQ==,iv:cZEFjTvHCXogXEh+xQG++aJCUFp/NtT6t7qjPIjUtAU=,tag:fnzz6uYwU9j4RZXj9MV6jg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bzFLUFloMU1uUWRmdkZu
+            TllhSGxvNzBJQTZRaE9EbTA3R3JLNGpVT25nCmd0SG1BWEJWL1JlKzhmSFdFS3Fk
+            SnRGbUFqdzVFTy95eVhiZGN6a3VMOGcKLS0tIHFJQUtEYVhGWWlTRlQrbEpoQ2h1
+            VXJ5SXNlS1ZNNjhuVDFrMnlrVHp2NlUKwD3ZznQVcz1ZLb/weULpXET9uZb4aj/U
+            FnY9ktEEtKeSl10jzU3/sUla6Ap6K6b9KLmmqd5Rnp0ZhbxVOR8rkg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOa1dpZHVoY2tTWVJ2bG1J
+            Z0xjVGplMGZqajFlcWtPL0YwUXcxWThNOWcwCmQvZllaZ1JSK3N1WmIvV2F6YjZv
+            U1ZtMVVSSU1LZ3M4SWExSm9yRzRTR3MKLS0tIFU1dERKdko1SVZLcmVXQXMydExm
+            OWVEdDJsbENOYkJNSzc5MzlEanVSL0EKbKVgN0/LUiC92N9/MvoXJouiIRHE5aWO
+            R7xPtxYG91vC+HVj8ThHbu0fcUIqD7LTX82XCrWoYMwkplbTC/F2cw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SGk4YzhEaldpcTBRSG1T
+            Nkpla0s3d2ZRU2RsK2ZDRlhEdVY0NkRYUVU0CjYrTjhxZDVyYUlmbnRQQXBQZVhD
+            OTcrbmV0YjdyeEhEaHVRUm03Z2hTNTQKLS0tIGVrTjhCL3RlZ2dIOFduVVdSbnJ3
+            L2JhVWhmQk9qZzdnYkYrQTBCZnI3eE0KHju7x28mP5jLt4u6T6CnQ3ThiEYFhG5P
+            D7c0h2YhqeqdewuwQWjqJMbUc308N5f0Hz/BsUgYZNanl9qqQRXkrA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-10-24T07:43:11Z"
+    mac: ENC[AES256_GCM,data:1n1iOEJPnVbvvlVp9Cw9wY+HB6KYLwZDcr5UkbXbQUZMm+LQS8Pib/0R8AeQLnNrfyJMnsvoNpmYWLQ6i4BZFJp4rsdjpHb4/FqIAEOwTb5SP5FC8rFpn9UeduUs9tq+fyvezywqaoLPBsXXqb092XZvHv6w1osgyfbLepiyJ2s=,iv:qM2d9smvsRwhuJ/MyD8bqVfD4IJM7T6Hu4wy/2/COiM=,tag:TlcJX1USn3TgPSMWy5hZPg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/secrets/moby.yaml
+++ b/secrets/moby.yaml
@@ -0,0 +1,51 @@
+#ENC[AES256_GCM,data:akcgE1j3wiKoyB9Uara51P/DPVcKyzt5lZ0kTuxqotjBvVtsGdPVHaeMPMi5blNyPIuiWxo9Jn0MJGyknCs9AL+g96G/yDvvD7or44sK1v8ED+2glfdMi0cjDm80anh7SMchyA6tmtgJhMW1EtkhZ/b/xpysNBzsn5e+zb9jXS4a7LF23jJr7d6tbJo9jks7vVJ7/p33cONglhO573TD,iv:M+S7WCO3V6pQg0UuzWF2y9IgH7p/P4at+qm2Y38To1o=,tag:DPlXsDSYySaHNgSzywiJRQ==,type:comment]
+#ENC[AES256_GCM,data:De/BSe24Uf4Ch+JBzJMOEc7W+E72vYrqQWG4LeEk8vVHa/3eGHyKylHIgkMTr5CvwhX7/uCkjm8fgz1QHuRb8jLru8n2u/AxoY9kLUTZ/7VyYes3t9tawZ7tTFzbcqMxjV0Xy5eTzw==,iv:q3bDj1iYv3JBPzSoRU2ANCpfwWtLyCzyn81r5kl2tcw=,tag:f+d6+cWQEb83qK8I/oOCkw==,type:comment]
+#ENC[AES256_GCM,data:tYLNlC3Ov2RRnaEH0QAALmMYRc4fyDDM5A7J2sfJbMvoDmkgKoP0HYWy3diJMEcLsw3ZoDGibcU03QduisxjP0eWfEHkzE4R2+tWY+yWYy7TFx7Qg3BfSTtnMt5V9vSWcVLMAgoYaRUMqykIRMRaCQ==,iv:81HzxZyAJvXa5fQDOIIqRTL3dhKA4S2TftE3yfw6VIk=,tag:9+3stfyHrrmkfZpLGpmMOA==,type:comment]
+colin-passwd: ENC[AES256_GCM,data:+2uEyJX6FUbOSoJpJpjF+TmwWu3eJlrN5S9J1kRtTbS84c23E4AKTHojk5zEcPZZ9RG3vYjH6C37dRj4/SK/Z1/G31B31RgzwkLnmf11JXK+HSQZHZATgSvH07ANEYIg5VR78IQUz6qbGg==,iv:jyF/QzLyrQU+ebRfBrWRcu5/dmwY9LB4D1FxHVo8+TQ=,tag:3u7HO1VYzenIqvq0iZwuRw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpck5EWDVkWjdIU2YzQ2Mx
+            VUpJbW96dXIvM0pPK2Vnd3ZZU3lmSlVheEdRCmVXNFZWV0FjT2p6b3FZOW1vaFNO
+            MCtubi9QL1Jtd2FQL05vZmd5SjQxelEKLS0tICtaa3VRQ2JJZXpnd3pRd1lndUQ3
+            d1JCZ3JtZENsSGR4SkVrNHIvTEhndTQK6pQqmcq7xmhZ9E099rBy9MtCdZghBTmU
+            UCVWxq8zWanK11GLyh6cvs8hHSLIyvpbODnBYA1WM0AeIJoxtRRWEw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OWl2dlcyU0VoRW90Q3ZR
+            eURXS1hPSG0reFFhUmxyTGRFNVdIZVJHYVJ3Cm0rcFpjQjQzVGVEcjhNR2RldkVL
+            WnA4U3N1ZUFUTTBkSEdCbHZCeGxNNFkKLS0tIHY3RFdxUC9SaFhVTFBLemVEQytZ
+            R01wWFBYR1dYNWlNUkw5M2VNK04yWE0KBPcJduySzwhAnx4BshPX/7QVdeN+L3fH
+            4sZqC4gYFj3KXZhIOkUcCtwS/dObBoy02EhPsUtSKRheacFVs46w8A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZVBzNG5pOGlXZzI0c3J4
+            YnFsTDdsQjFwZ3czenlUVkJYcWxJbDAxNkFjCjYyK3VDOS8xRkhBSVRFYTRFSTZ5
+            Y0htSE13Q1NFNDg3czVuZ3dPOUFlekUKLS0tIDJpRHBWdU9hMnpUSWV0cSsvNjF5
+            cHVGRXdla0NGZ2lOMVQ3Ym43dDMvaVUKmx7p/TMj5uu/RJjRe4yCKt87brs7E7s0
+            F88swQCwY41lCdFwISM0jRbY/MymTtbtP+2gcSYlq/S619ytQqf7SQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbWlCZW1VR2FXNHZ3VjZP
+            R3UrbGgvZEdYdWhBcFJnV0FZZkJWZ3pxcVJNCjR5bzE3M3dHQWZSbWhqS0MrTURp
+            NnBPQS9xeE1nZFV1VFd5MW9NaFFlM1kKLS0tICsrUkpOaEFFMVExUHhJNSs4eHdB
+            SlMyTGQ5SWVCU3NLeVcvWmhUc3VSVGsKHJSSl1QFrHq6iefNEL7kpM+XYQ5abz8H
+            aL6KiK6wvPOWB2RAT5DDicPYSEPXWGpHYTzNT+/hVFk5fXk/zqzOhQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-10-24T15:24:12Z"
+    mac: ENC[AES256_GCM,data:cYWayG+pAQv1wTsx4ozbx33cl5QwuR+a480zQVl2RVJF028NlVR3yuYdndvwIT9QY79UVcix0pYtK3pm/zTpPLMz59oLIv1TNUdE4/10o3RGw+6fllKdxNftNBcos/1n6ENZRw6K7lviuG4ZKEZMDO3tvPC+XPoPofROyu9WMQE=,iv:Kddn/71vylvLkK7gT4p5juW2nI/qWB3Q+oCQ5hN4Zqk=,tag:AOrjSII1zWXPB0VPpol6Zw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/secrets/servo.yaml
+++ b/secrets/servo.yaml
@@ -7,6 +7,7 @@ wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2H
 #ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
 #ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
 dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
+freshrss_passwd: ENC[AES256_GCM,data:MilteAOk+MZjta+E7Zhxq80y,iv:VigZk0nNHvQNlm36jVN5YXY7bhxmx2CFBizbVFCA8O0=,tag:DKsxGsv53SsJsp3J7UIsgg==,type:str]
 #ENC[AES256_GCM,data:1zQ8X9W4ZGquYEjEsN8YNLhwBt6kaRCKYMjM8GiZbKzsaqwt/cFk+4cC85+QKWF0FNlX38Uba7bI2FvC8fTIO8eoZ5VymJ9Du3NcExE1976FSIze44FhtkSKQkm/vQw5cb2sPNKBGFLSNV/IpdPu,iv:xwv2+Fns0k2STkS760v9p1XZ5s2HAz3wLb8xyIOGTGA=,tag:OGtHxQgyWxGKtg5I9nJAag==,type:comment]
 nix_serve_privkey: ENC[AES256_GCM,data:JlLuslwyjKARo3Mo36SeRz6ctVuV+jzDMXACekaGs/UjP+Jm8PoxZsWjMcN+qq0tJB9xGMfi7TKHDi+XnK2k60h+7+yDyeqJQfjID6axMYmgxYUivq4CugutFVB27FmDPljUs2M7CRqe1IHrdjc=,iv:1iQVr9rP80hHCRSVD95KW7bpOWj3oZReJAvqa9TllJ8=,tag:6DDGtHF4suOyy2kcnqSDsQ==,type:str]
 #ENC[AES256_GCM,data:cyptbs4VfXY4P4+W5e2LRZOHkpqvWzn2JEpV80w8cIaQ0lTZa/Hg7IwDNQcsYobmBFO2yLrKawHDKlDos2fMy0KgIhUrw4f8WksxdC06oMqS0mDtgA==,iv:StB34bvA8GWR+7nwOOpsiJ3yqGgeSg5frAgRMhff8nw=,tag:b1LYFzII2Ik1nmGXxgMZuw==,type:comment]
@@ -22,32 +23,41 @@ sops:
        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWJwNXplSnJQTzUxVjBt
-            TzZ2aUZ4RUkyejVUQnpOdnpKajcxa0l3WWlrCmkwZVJuenhpN0R2OUxFV1pXUkVa
-            dk8ydnlnU1JvOElvNVovVlBjKzZVYlkKLS0tIHlVbkRRYllJR2J5UWhKeGg5SWJj
-            VExDaHc3amdTcWdUU3ZRUDNGREtxelEKXHuDfNM3uc3UBiPCAveG/u5b7C8zPzTi
-            GGCx0R+6swS9yVSAJ//nUvu1zFuFfGgm3mKaSqfqWKfDSMFvAp0Pyg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1TUlOMTlaemdpa2RxWDVL
+            MFVPM254czF1VWh2MTljZTcwekpiVzZCTlNFCkJGeTVCRE1zMERJclRwU3JzbW5m
+            WEdOSGxtUzJSS3JhS3NPK2Q4MXc3bG8KLS0tIGdBWEdYVXJNYitzTFVlUzkzekpJ
+            enFjWnhIVGR3WWVMMFRGSldhRWZPKzgKHp6QWSNQBy8a6odEiELsr+FV05kGiby7
+            4Wc+AyGTvuvIpoN4SQlYlUslHCHGd+Yk0hVutNVozLCY1//IpH8Dmw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZmU5OUVQNkRSL0ZRKzNU
+            R3RIMERDV1NRdi81TkV0OVdGQlFIRG0vekFvCjg3dHI3WWJic3h5cTQrdjFINDdr
+            bndHSEc4dWk5WGM4K29FRXh2WCs5ZDgKLS0tIFY5UlNrQ0dtNW5IYXlUNnltelJX
+            Y0xFNFFtek5hZFZMWXhWQy9GWlBneEEKZqsFgGGCIMH58kaZJoO8yn8KlrJooDvp
+            iGO4qMjjgM5WvJjZbfk7trO1dNAhpKzjiJyirw9+lToqWPNnRw2Zwg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDY3NCbCtjY2ZHNkE2dWxN
-            Vk5nQ0Z2M1pQOXUzMVYyS3MxT252T1lhKzFJCm5NZ25DSlpZbnhTV0JMbVBvbm9j
-            SEtzdDJWS3gxby8rVlpzZ20yY3hRK2MKLS0tIGVqNUFZeGYxRnVSd3E1eitNUGFW
-            dEszSTFicTZRUzZxbFF5YWF1RmtwSkkKPle5Xw5gyd5YCPIAABaABNdgbpialJTV
-            hUOVdYCsmqd+spCA0Q9f0D3S5ud59iFq8moBh97BZQuLcc2qUeyJ2g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNEl5K3dGQWVFRFI4SVlt
+            NFpvSFZaMGs0ZzYrWW4vbldaOWVpa3ZWV0c0CmxqOFR3RkdKNWUvQWtnSWZSUVlL
+            SUlHbWIvWGpsN1Vsclk4VWo1dUR2OGsKLS0tIFhRVU9NUzlnQkhDelEzalVFOHFM
+            UW9YZG9DUSt2OU03Sll5d1RZYlcySzAK9LneAD2s+me3ZkRGC098nhUlcVgRwMt9
+            yVgTCleC9groGaUq0J4rwhVQ4CuUHV2GL188QtmqVTBGLEftfHIDmQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UGdCMjRpRUFMdXJRQVgx
-            aklIY1dkOXRXNmliVjIyNHlUN1B1ZmZZbTB3CnFxQjZLbWkwWHRTN2lycEx4K3RL
-            UGdFVktETXJCSXhKSWFsbnNyU25tRzgKLS0tIDVsdmdxRDFnQU9XeHpibm00bm1C
-            U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
-            xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpMlNZZGpVU1h3NkUyNkND
+            RnVpSWxrRmNxMjJ6dUJ5RkdaTWx0SHZMQlRNCjQzUFI5ejhuZ0RDcHNYQnZ5eFN4
+            Z3djZ2g3ajRxQXNEcUMzQWl0QzYyV0UKLS0tIFlDYXlhNFB5ekVKblJudmM3TEU0
+            cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
+            aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-10T08:38:03Z"
-    mac: ENC[AES256_GCM,data:DroE9KGyV6hba0aPVYmwxpL8yXDa+AFsjyF5ttImW5bKzE9EM2I76APoGOyvOnnnbBRrOditWXA2HQzhf4M/7hq0CmLLph1J3I8xgEsaiJiExaKZQpQTBS/ZAHeygR/fvRcMmAY9VZRubv1iQ94rDkZ3C3UJ+8SMuwpdmdlaPYc=,iv:KkY0Kmd02QYx0Ds0LUY9tXz+AayKj6Y5p/rUO8sLYCc=,tag:gZDe+GOw2ULJ1yHONlt7bw==,type:str]
+    lastmodified: "2022-10-14T00:37:52Z"
+    mac: ENC[AES256_GCM,data:qKr1aKWxuJWwjUYX+JWAdwHFAwApHm9hOYBgZxAIXbXHhOo04K1MFBDTsAvtvN1a11QtCJYDNuVNpuRu3bf/5Ji5ROTaKfQCgPk+ZScJuWpLsxchYV+TnlREwQI+qgvogyMKMlPInozgd7RNnsePdg7DtYFfGMAvUtX9OidxAXI=,iv:EAkNQkIqoXtRy+uSb7ccl9T5b6hiyRll/m76nhir9AI=,tag:kCDEBJDW34VgLQPd4V+uYA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/universal/net/community-university.nmconnection.bin
+++ b/secrets/universal/net/community-university.nmconnection.bin
@@ -1,48 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Ei6XDLQznlR+FZjdpc/4Ff1yk386tvUw+v8eYyEVhlYWMbf3Im4uqdD2aylcthkLr/ypzTUBW/o6XVV/e2VtWLA/QBTM1uQKbuGKrlCxkW0uFt/L+ZzAGm6mc0EHBbRmiOLLbbZzQF3kxRlHsAUFwmuixjzjftv4ejo5jTKyK7r1DBt7Y4M8jb9paiBHGDxWmuc8wIkiTcLAlvKX7qySfl7zRO8EURI2h5YzQdcXqGLaZEpy22ktH5j8prAi2RYLGbCikKYqk3UmM/3c6Q4zI+BpF0eTpieUuUkzgv68lg/ek4PEeLa6cpPJrD/zuVlFKjVTzoo6779TFg==,iv:/8FfgfH173YrEDk9zGPUCfPjGvjEww1Q21/E1bL+YeI=,tag:0wGtRM5gGREWTefq2SGv8A==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU0VtNFBIVlNxMCtLVXBJ\nZ0lTaXY5NnJvOElGV0dHWkUyK2V1blBOR0ZFCnJxWkhkVmRnR1FYVnMybUVHb3E1\nZHhGazFTaXFRRmh5Y3dDczJnWEZ6SEkKLS0tIGY0R2FiZlV2OHpSclA3RUdPa2tM\na1pPbUh2cGFibmFidUtQdFpMSGVrcEUKG81db/ZBzHNGV49Rgwc5hfeWc6uNbbLi\nZpPjZS6y14ZVMFoyE7XPD1+D7OL3BEP+rOwICrFXLAGKpyLEvBngBA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2MzlvUTdzK096ZkswUEJv\nRlF1c3ltKzBDQmVCcUgySVRhK0xMZFlhVGxvCnFIalFJb0lxMGlIdE51WXAvMVB6\nTkNjT0hKeTB5TDl3d1hnMXNoN1p2djAKLS0tIGNmcTUzZnIrVXl6aUhVYkpPUVRi\neFV1UWtwdHZvTlNEeDg0NG10bXV3dmsK4y9+g2cxRQvePeKhKjWvtO4/KZ7dG2Kn\nXGFLEUJAI9BG4PiJoIPjvXvugHndfahqmFtdbXA8mdso99QxbW4Few==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTFQrMkdGc3ZBTFgwNVRO\nM1FOTHZ1VnVsWXlXMFBKR2NQajhmRnM0RXpzCmZ2QStTUllSelRIN3g3VnJQRG1Y\nalRKa1BaYzRPUXlwa2p5ZkxxVVBLNkEKLS0tIGd6TFNRZkVTRHA2NHNybWt3eDY3\nd2tkeXFMeVl5NDkxK3hOQkRJTXNiUlUKMrXMYYy+pGVmVW/ebmcKsAf2Xxjh0mJ4\nrWSUDmAb9sm2N9yCkkl5oQ9GRHHr3/HmS6Xek5Y8aJNdvuFJzkz8Og==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeW5neXUxdDVjaGFKL0VX\nUDFCOFhta3Zpek1qVG9yQkYwdmlhU2N2T0VnCnJuai9qOFhIdGxzUlJjSkNaNFdI\nY0dOa1FaRTRGNU84YlNIWmg0dS9XNzAKLS0tIHdiYjlhWmNWUkhNY09nK2pPSEFV\nN1V4ZlZNU3JlQWdEVWZXTXh6UmNkWjQKD87Fm/TZGY33wqBedwHgkIhziUrKpSdw\nc8mRAUqjNdp4avomtoSAyhThPdilpKO0ES0NJiu9q8mqqK/aRwungg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTjRjSXdVUDk2eTI5cm1X\ncDlhWUJVcWdEWk1jMVdUVEd1bytYY2tCSlNRClBsTVEwQmZ6cDZlbWpSd0NZMkt5\nMzhEVU93WVdkbGZDWEdoN1FvejJwZzQKLS0tIHVJKytaUStRaDV3Q01ZL29Eellv\ndGVMU25GWFdiT0FPVW9oYXdZbGJqNXMK0vdn85DKuobJo0baVLy+0hFvTonPJzoS\nD29tcM29rea+haH/EDRLXTKEXeOgQm99SBDaumgaUAraIiwlpDB9SQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYUp2Zjdkbi9HTUh4RUZN\nemx0VUV0QUNFTitlNVV5YUFQUDErcTI5UFNnCmYySjFRcU5jMTJQOGNwdWtWU3lC\nWmxnVmxmWEhpbjZsZlRkdnNUQ0hTaEEKLS0tIGNCY05PSUhtTEZQejhDL01wbHY0\nSkNnNFVRTGpDbEJnMGUvdDlBQmV0L3cKBswixkjiGmJZP2sZ3kT+eJus4fxzORy3\nbM+6dRYu6O+1886gWVGjqcPNBnA9YPii0ClX8vhPWS/dPN0/k421tA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRU00OG82bTZvbVBBNFdG\neTNOK3h6QWZEWWtlOUJEU2w0T28wcGVlakJZClZxR2VzajFpTmJLVWFQa1VUckdU\nOVhaeGcrYlZjY0c1RC9NWWY3cVhuVk0KLS0tIEY2SW5EY0I1N3RnM1h3VGxYMTNh\naUFXaWJoc3drMnFQNS9NTzYyK3VMbTgKGjnfsWmn8YfE9VqA4zMiALxfV1XW5FEr\nHsG3mTRnShcxiOO8XvH1cUO2tDZ3ekTz++DbA4xRvrd9aD87t56gww==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpL1ZpUGNJSkNBRUdkSEIz\nSXM1cnRwa1ovVG5NVE5URDlNeGkrSy9WOTBBCjIrTzhHZ29veGtMV1ZRUU9Xd2xF\nU2o2ckdSL3JjeEJuc0JEMjlGVXRuZ2MKLS0tIDFjVjVyMnFVVytNQVh2ZGJJUjhv\nMU1IZzNjaXJDa1lPWnUxTEtlRUYwODgKKWr698/3WsEmCrHSHFEG8LCsuQ/KyWmm\nDOMwUW6YBdF29X8tzA8845MTaOaWrPiK5f/i7RZRhZTekv1CiOZAWw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2022-09-26T01:01:07Z",
-		"mac": "ENC[AES256_GCM,data:RUWSeeRnF7sI5Rn748V5h1NYPrk488gMwf7lTJRjzJTGQJBuu+hxAeJsoeG7gWPxGYJp9C362dFyHzUYWyFmJqk+JK0p2wh6mFIDerfZS8lTxAEP9qtDcA1ZMFRJVm9X3IYq8CyOb/DHdQ1+ih7Oxbo5XDOyXMuDGvCCWD71N9o=,iv:Myy4VHpuWgS8mOJVFNkcbN3QyRIDl/h5V/YeOtPQ0kU=,tag:HaRPPUG4o2HRN0v70He0pw==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
-	}
-}
--- a/secrets/universal/net/community-university.psk.bin
+++ b/secrets/universal/net/community-university.psk.bin
@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:JJk6bnHkxhfMNecslbm/iA2hdnC/C1DdeiesZrkUpJru8DMBs9ExhcHcYSRfxwzcZ1FDPLv3a9Mnickgb9uIz9UWbNZBfPUg2xEIHIs=,iv:dWqSRR+tCSXch0OebLQPzaBtNJieMHLFUeR7yXe4NTA=,tag:C/kAerUFRhugyf91puhKYg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQnVZQ3NvWUhMSy8wQzJM\nWkZnc09UaldLc3M4RjlKZjN4ZWY3NC8ybWk0CnRwTUtmZ0NMU2tCMmM5SzRnUHht\nSUg5MWpGV010b3N3WWU5UkljV0VBWU0KLS0tIHRjUER0RkhwbmVKOXBYR0RnbCtC\nd0hUd0VuZm1wQjNhclpTL0RLZnBybE0KA1ZTaq3D3UgV4g/mhwgss4uBE0LPuPNC\niFs7ixvRBF591VWvraVWUpTqOZW5dMybMBu5EjGHYtHl7f9dbhY5aA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdCtBd0tjWmtyVGZmbHNJ\ncTZwa2xzd3VoN3RFcjZ6TUtLcUdhMm01Tm1nCnVvaDBnNG9jOVd5SFNiTjJzZnV1\nZkltV0RtYS8zays1ZVdKcENGV2J3N1kKLS0tIDF4V2gxdEoySDR2azR6THVGY3BQ\nTFE1ZE9rZ0JFZWd2TDd0Z0pQc0VZWmsKgFEfMB2W76AVPOTkGszqDLiw8aTGJ3Ym\n1Tv+OXtdaqcgD+MY67Fa396oJiD/K2zY5CfQvH2YV+VYNeAfZsRM+g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbGErdE5idTNnZzVtcXJy\neUJIbDBncytYVlcwandMUU9nRXB6TE1IUVEwCjFrZEU3VVltbVlkNW1MTk1LQkZB\nTGZ1Z3hJSFBsNEtQZVZFemZBKzZGUmsKLS0tIERpY29zZWkzcnJsRU00SDhhWXYw\nSE9tK1JJSlZpTTJ0ZUtoV0RlQ2xkOE0KCBuW93P3rgeaFewybt27fmA6BE9HY08f\n+0kix/idWFkdxtzS/v+WFHnaac2lhIl+X3EQQoU6PJGVrlV4q/qqAw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNGZZQlowTXhtZkRMNGx0\nQ0xUL1hkaWtUTkY3Ti9BMHhKS2NtTEd6MmlZCjg1WFJVZkFwOE1yQzhQbWs1bThP\nQlU4dFZWZnJOWjM5aTZZLytiMnNEdTgKLS0tIGFuRFkrakZWMmNPSmVycEdYUnVs\nTk96RWdOYmlLUmYwNGJIZ1IxVk92R2sKARCSlcel/yqCPKDXSNNDV+ej8jU3CiPI\nMktemcTe9FjEpQzRDEQQJ1izlHIqpSwlOSx0UZsUgQOFFP+fwQGUaA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZnorZkFYTkJ3d1pXMWor\ndnpjSGJYYlhCMWJaSnJJUXRLMlIzNjZhOW53CjZQdWVPdTN3eldFN3FvWW9VNmdk\nYnp1QkpoaW56bFdnL2Z3RjJERWZlK2cKLS0tIG9vUFJzNTNZVklob2hnWnMxaDNF\nWW9tV2ZJcVEyS0QvbGZaK0d4MzBIVXMKMtIMAwa+HJwAHhbM4NhLiPYgXbIZUzD8\nGwjFTyRi6K1vOw2/c+w0BYb1ZIvaChrsl9ISfU4+e3gjvSX1MP0Cyw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQenF0YnRscjJSQUFTbHNI\nSGNTS21LNklxaW9uTGlxT2pDTE5SZmJMUkRNCnBwYXRDUHJ2TDh5QXMvWjVYRWFs\nL1FjRFJyQ0hkVkpRWjNnQlVNczZjb0UKLS0tIGk0U1RFVVRMcHBLU1VtaHdxeXRj\nblRlekhIQmRYZnczcGNqNFQ0RG9UcDAKAbFvm1CGCqbd8FBbubfJNCjEFTO4LdfX\ncUBaV9xFvFD5Gy/576KBNUO4NjIEnd14JL93TC/okakJAsxnHMG/iA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQmh1dE1LZGI4SlUza2Zq\nVTc4K2NWeHFxNXVmUzgvNUNDanlQOTZXOVd3CkthcWZRby9ZbzFlang0RytsZEI1\nczVodG52MFV6RklhVGNBcUxjQXZJWVUKLS0tIFExRjM2N3N1MUtHRWpGN3I0bjEy\nWHlJN2phSW9FMUVhQ05iSDM0dUkxdkEKoNIaw3OW2JfoPL6viItBWRwm78x5j12v\nlV0/Ui3MBKoKwxbzti25mxwGRshw7dwStuGpkCVRbp1Gx3JQbggrLw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWU9YcEs3Zzk3L0RNZTFJ\ndDJleXZlOHFKNk5KUlp1REllNTFaZTlSYUY0CmdaYzU2aE40cnZUYm4xajdzK3NO\ncXlnalFZVHZ5bnlSc0RpQjBEMHBEV0kKLS0tIHNYSks5QUI0WkxJc3VBVjFmbGhP\nR1RIaDk0RnN3VXBBcmY2L1JBamx0RUUKnTymF1GRV1Zz7q0XNGLz61xkMXGuhoRs\nPpE3hFbQNrap+vf8NhpElJJ7dTnrndfZNftBco+YsocOxlVXWw52Fg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2022-09-29T11:34:03Z",
+		"mac": "ENC[AES256_GCM,data:ozFWkM2SFgTicicB1l2pMCfKVvVxoUV7k93VyR9OWtVhUqH7DYgrKWFzFCwGbR6xBSMSIZU7haeVJP8r7n3S9wwQNu7FsS/PfqVcsTfpT+g5Q83vfdVFcFnV4VsalsZ8HvTQ3OiVbNVLn3J8M94KL+5ya8mf1oNHwq8xbAYcM6U=,iv:AtHuh1VIAdUqmazPbesmmYq6gXEBE241Ejos73AFkUQ=,tag:bM9Z//NV43U5buXJ7VMSlw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
--- a/Show More
+++ b/Show More