servo: add munin for monitoring/metrics

this is especially useful for `coredumpctl`.
maybe useful enough that it should be in `environment.systemPackages`...

flake.lock

@@ -1,5 +1,20 @@
 {
   "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1656169755,
-        "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
+        "lastModified": 1665475263,
+        "narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
+        "rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
         "type": "github"
       },
       "original": {
@@ -39,11 +54,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1664852186,
-        "narHash": "sha256-t0FhmTf3qRs8ScR8H9Rq7FAxptNELLSpxZG2ALL1HnE=",
+        "lastModified": 1665711470,
+        "narHash": "sha256-9cjKbTkxyWjswVExtIpglpvlR+iDY9/DWmXpZyzk5cY=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "ca872f1a617674c4045e880aab8a45037e73700b",
+        "rev": "e4b6f680b2a4f29f087a7c1299c11499d1a367b6",
         "type": "github"
       },
       "original": {
@@ -54,11 +69,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1665081174,
-        "narHash": "sha256-6hsmzdhdy8Kbvl5e0xZNE83pW3fKQvNiobJkM6KQrgA=",
+        "lastModified": 1665732960,
+        "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "598f83ebeb2235435189cf84d844b8b73e858e0f",
+        "rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
         "type": "github"
       },
       "original": {
@@ -69,11 +84,11 @@
     },
     "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1664201777,
-        "narHash": "sha256-cUW9DqELUNi1jNMwVSbfq4yl5YGyOfeu+UHUUImbby0=",
+        "lastModified": 1665279158,
+        "narHash": "sha256-TpbWNzoJ5RaZ302dzvjY2o//WxtOJuYT3CnDj5N69Hs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00f877f4927b6f7d7b75731b5a1e2ae7324eaf14",
+        "rev": "b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5",
         "type": "github"
       },
       "original": {
@@ -85,11 +100,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1665132027,
-        "narHash": "sha256-zoHPqSQSENt96zTk6Mt1AP+dMNqQDshXKQ4I6MfjP80=",
+        "lastModified": 1665613119,
+        "narHash": "sha256-VTutbv5YKeBGWou6ladtgfx11h6et+Wlkdyh4jPJ3p0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9ecc270f02b09b2f6a76b98488554dd842797357",
+        "rev": "e06bd4b64bbfda91d74f13cb5eca89485d47528f",
         "type": "github"
       },
       "original": {
@@ -98,22 +113,6 @@
         "type": "indirect"
       }
     },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1664177230,
-        "narHash": "sha256-eyo88ffm16I0K9cdcePbOsQg4MDjf1EgIdkGTLB/7iA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ff9793cfd1a25145a7e591af604675b3d6f68987",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "home-manager": "home-manager",
@@ -121,20 +120,23 @@
         "mobile-nixos": "mobile-nixos",
         "nixpkgs": "nixpkgs",
         "nixpkgs-stable": "nixpkgs-stable",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "uninsane": "uninsane"
       }
     },
     "sops-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1664204020,
-        "narHash": "sha256-LAey3hr8b9EAt3n304Wt9Vm4uQFd8pSRtLX8leuYFDs=",
+        "lastModified": 1665289655,
+        "narHash": "sha256-j1Q9mNBhbzeJykhObiXwEGres9qvP4vH7gxdJ+ihkLI=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "912f9ff41fd9353dec1f783170793699789fe9aa",
+        "rev": "0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3",
         "type": "github"
       },
       "original": {
@@ -142,6 +144,27 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "uninsane": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1665758541,
+        "narHash": "sha256-ibR8bPwHlDjavri5cNVnoo5FmFk1IfNMmQXxat5biqs=",
+        "ref": "refs/heads/master",
+        "rev": "4ad1801f6cecd678bbeae5dfe5933448dd7b3360",
+        "revCount": 163,
+        "type": "git",
+        "url": "https://git.uninsane.org/colin/uninsane"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.uninsane.org/colin/uninsane"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -14,12 +14,18 @@
       url = "github:nix-community/home-manager/release-22.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    # TODO: set these up to follow our nixpkgs?
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     impermanence.url = "github:nix-community/impermanence";
+    uninsane = {
+      url = "git+https://git.uninsane.org/colin/uninsane";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-stable, mobile-nixos, home-manager, sops-nix, impermanence }:
+  outputs = { self, nixpkgs, nixpkgs-stable, mobile-nixos, home-manager, sops-nix, impermanence, uninsane }:
   let
     patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
       name = "nixpkgs-patched-uninsane";
@@ -49,6 +55,7 @@
           nixpkgs.config.allowUnfree = true;
           nixpkgs.overlays = [
             (import "${mobile-nixos}/overlay/overlay.nix")
+            uninsane.overlay
             (import ./pkgs/overlay.nix)
             (next: prev: rec {
               # non-emulated packages build *from* local *for* target.
@@ -57,7 +64,8 @@
               cross = (nixpkgsFor local target) // (customPackagesFor local target);
               stable = import nixpkgs-stable { system = target; };
               # pinned packages:
-              electrum = stable.electrum;
+              electrum = stable.electrum;  # 2022-10-10: build break
+              sequoia = stable.sequoia;    # 2022-10-13: build break
             })
           ];
         }
@@ -94,8 +102,21 @@
   in {
     nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
     imgs = builtins.mapAttrs (name: value: value.img) machines;
-    packages.x86_64-linux = customPackagesFor "x86_64-linux" "x86_64-linux";
-    packages.aarch64-linux = customPackagesFor "aarch64-linux" "aarch64-linux";
+    packages = let
+      custom-x86_64 = customPackagesFor "x86_64-linux" "x86_64-linux";
+      custom-aarch64 = customPackagesFor "aarch64-linux" "aarch64-linux";
+      nixpkgs-x86_64 = nixpkgsFor "x86_64-linux" "x86_64-linux";
+      nixpkgs-aarch64 = nixpkgsFor "aarch64-linux" "aarch64-linux";
+    in {
+      x86_64-linux = custom-x86_64 // {
+        nixpkgs = nixpkgs-x86_64;
+        uninsane = uninsane.packages.x86_64-linux;
+      };
+      aarch64-linux = custom-aarch64 // {
+        nixpkgs = nixpkgs-aarch64;
+        uninsane = uninsane.packages.aarch64-linux;
+      };
+    };
   };
 }
 

machines/lappy/default.nix

@@ -11,6 +11,8 @@
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  users.users.colin.initialPassword = "147147";
+
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
   #   - hourly snapshots

machines/moby/default.nix

@@ -75,7 +75,5 @@
   environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
   systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";
 
-  users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
-
   hardware.opengl.driSupport = true;
 }

machines/servo/default.nix

@@ -11,8 +11,9 @@
 
   sane.home-manager.enable = true;
   sane.home-manager.extraPackages = [
-    # for administering matrix
+    # for administering services
     pkgs.matrix-synapse
+    pkgs.freshrss
   ];
   sane.impermanence.enable = true;
   sane.services.duplicity.enable = true;

machines/servo/services/default.nix

@@ -2,11 +2,13 @@
 {
   imports = [
     ./ddns-he.nix
+    ./freshrss.nix
     ./gitea.nix
     ./ipfs.nix
     ./jackett.nix
     ./jellyfin.nix
     ./matrix
+    ./munin.nix
     ./navidrome.nix
     ./nginx.nix
     ./pleroma.nix

machines/servo/services/freshrss.nix

@@ -0,0 +1,48 @@
+# import feeds with e.g.
+# ```console
+# $ nix build '.#nixpkgs.freshrss'
+# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --filename /home/colin/.config/newsflashFeeds.opml
+# ```
+#
+# export feeds with
+# ```console
+# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/export-opml-for-user.php --user admin
+# ```
+
+{ config, lib, pkgs, ... }:
+{
+  sops.secrets.freshrss_passwd = {
+    sopsFile = ../../../secrets/servo.yaml;
+    owner = config.users.users.freshrss.name;
+    mode = "400";
+  };
+  sane.impermanence.service-dirs = [
+    { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
+  ];
+
+  users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
+  users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
+  services.freshrss.enable = true;
+  services.freshrss.baseUrl = "https://rss.uninsane.org";
+  services.freshrss.virtualHost = "rss.uninsane.org";
+  services.freshrss.passwordFile = config.sops.secrets.freshrss_passwd.path;
+
+  systemd.services.freshrss-import-feeds =
+  let
+    fresh = config.systemd.services.freshrss-config;
+    feeds = import ../../../modules/universal/env/feeds.nix { inherit lib; };
+    opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
+  in {
+    inherit (fresh) wantedBy environment;
+    serviceConfig = {
+      inherit (fresh.serviceConfig) Type User Group StateDirectory WorkingDirectory
+        # hardening options
+        CapabilityBoundingSet DeviceAllow LockPersonality NoNewPrivileges PrivateDevices PrivateTmp PrivateUsers ProcSubset ProtectClock ProtectControlGroups ProtectHome ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables ProtectProc ProtectSystem RemoveIPC RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallArchitectures SystemCallFilter UMask;
+    };
+    description = "import sane RSS feed list";
+    after = [ "freshrss-config.service" ];
+    script = ''
+      ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
+    '';
+  };
+}

machines/servo/services/matrix/default.nix

@@ -4,7 +4,6 @@
 
 {
   imports = [
-    # ./discord-appservice.nix
     ./discord-puppet.nix
     # ./irc.nix
   ];

machines/servo/services/matrix/discord-appservice.nix

@@ -1,69 +0,0 @@
-{ config, lib, ... }:
-
-{
-  sane.impermanence.service-dirs = [
-    { user = "matrix-appservice-discord"; group = "matrix-appservice-discord"; directory = "/var/lib/matrix-appservice-discord"; }
-  ];
-
-  sops.secrets.matrix_appservice_discord_env = {
-    sopsFile = ../../../../secrets/servo/matrix_appservice_discord_env.bin;
-    owner = config.users.users.matrix-appservice-discord.name;
-    format = "binary";
-  };
-
-  services.matrix-synapse.settings.app_service_config_files = [
-    # auto-created by discord appservice
-    "/var/lib/matrix-appservice-discord/discord-registration.yaml"
-  ];
-
-  # Discord bridging
-  # docs: https://github.com/matrix-org/matrix-appservice-discord
-  services.matrix-appservice-discord.enable = true;
-  services.matrix-appservice-discord.settings = {
-    bridge = {
-      homeserverUrl = "http://127.0.0.1:8008";
-      domain = "uninsane.org";
-      adminMxid = "admin.matrix@uninsane.org";
-      # self-service bridging is when a Matrix user bridges by DMing @_discord_bot:<HS>
-      # i don't know what the alternative is :?
-      enableSelfServiceBridging = true;
-      presenceInterval = 30000; # milliseconds
-      # allows matrix users to search for Discord channels (somehow?)
-      disablePortalBridging = false;
-      # disableReadReceipts = true;
-      # these are Matrix -> Discord
-      disableJoinLeaveNotifications = true;
-      disableInviteNotifications = true;
-      disableRoomTopicNotifications = true;
-    };
-    # these are marked as required in the yaml schema
-    auth = {
-      # apparently not needed if you provide them as env vars (below).
-      # clientId = "FILLME";
-      # botToken = "FILLME";
-      usePrivilegedIntents = false;
-    };
-    logging = {
-      # silly, verbose, info, http, warn, error, silent
-      console = "verbose";
-    };
-  };
-  # contains what's ordinarily put into auth.clientId, auth.botToken
-  # i.e. `APPSERVICE_DISCORD_AUTH_CLIENT_I_D=...` and `APPSERVICE_DISCORD_AUTH_BOT_TOKEN=...`
-  services.matrix-appservice-discord.environmentFile = config.sops.secrets.matrix_appservice_discord_env.path;
-
-  systemd.services.matrix-appservice-discord.serviceConfig = {
-    # fix up to not use /var/lib/private, but just /var/lib
-    DynamicUser = lib.mkForce false;
-    User = "matrix-appservice-discord";
-    Group = "matrix-appservice-discord";
-  };
-  users.groups.matrix-appservice-discord = {};
-  users.users.matrix-appservice-discord = {
-    description = "User for the Matrix-Discord bridge";
-    group = "matrix-appservice-discord";
-    isSystemUser = true;
-  };
-  users.users.matrix-appservice-discord.uid = 2134;  # TODO: move to allocations
-  users.groups.matrix-appservice-discord.gid = 2134;  # TODO
-}

machines/servo/services/munin.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  services.munin-node.enable = true;
+  services.munin-cron = {
+    enable = true;
+    # collect data from the localhost
+    hosts = ''
+      [${config.networking.hostName}]
+      address localhost
+    '';
+  };
+}

machines/servo/services/nginx.nix

@@ -6,13 +6,17 @@
 
   # web blog/personal site
   services.nginx.virtualHosts."uninsane.org" = {
-    root = "/var/lib/uninsane/root";
+    root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
     # a lot of places hardcode https://uninsane.org,
     # and then when we mix http + non-https, we get CORS violations
     # and things don't look right. so force SSL.
     forceSSL = true;
     enableACME = true;
 
+    # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
+    # yes, nginx does not strip the prefix when evaluating against the root.
+    locations."/share".root = "/var/lib/uninsane/root";
+
     # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
     locations."= /.well-known/matrix/server".extraConfig =
       let
@@ -53,6 +57,13 @@
     # };
   };
 
+  # server statistics
+  services.nginx.virtualHosts."sink.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    root = "/var/www/munin";
+  };
+
   # Pleroma server and web interface
   services.nginx.virtualHosts."fed.uninsane.org" = {
     addSSL = true;
@@ -219,6 +230,12 @@
     locations."/".proxyPass = "http://127.0.0.1:4533";
   };
 
+  services.nginx.virtualHosts."rss.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    # the routing is handled by freshrss.nix
+  };
+
   services.nginx.virtualHosts."ipfs.uninsane.org" = {
     # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
     # ideally we'd disable ssl entirely, but some places assume it?

machines/servo/services/pleroma.nix

@@ -92,8 +92,8 @@
       backends: [{ExSyslogger, :ex_syslogger}]
 
     config :logger, :ex_syslogger,
-      level: :debug
-    #  level: :warn
+      level: :warn
+    #  level: :debug
 
     # XXX colin: not sure if this actually _does_ anything
     config :pleroma, :emoji,

machines/servo/services/postfix.nix

@@ -18,7 +18,7 @@ in
 {
   sane.impermanence.service-dirs = [
     # TODO: mode? could be more granular
-    { user = "221"; group = "221"; directory = "/var/lib/opendkim"; }
+    { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
     { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
   ];
   services.postfix.enable = true;

machines/servo/services/postgres.nix

@@ -3,7 +3,7 @@
 {
   sane.impermanence.service-dirs = [
     # TODO: mode?
-    { user = "71"; group = "71"; directory = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
   ];
   services.postgresql.enable = true;
   # services.postgresql.dataDir = "/opt/postgresql/13";

machines/servo/services/transmission.nix

@@ -3,7 +3,7 @@
 {
   sane.impermanence.service-dirs = [
     # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "70"; group = "70"; directory = "/var/lib/transmission"; }
+    { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
   ];
   services.transmission.enable = true;
   services.transmission.settings = {

modules/gui/gnome.nix

@@ -14,6 +14,16 @@ in
 
   config = mkIf cfg.enable {
     sane.gui.enable = true;
+
+    users.users.avahi.uid = config.sane.allocations.avahi-uid;
+    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+    users.users.colord.uid = config.sane.allocations.colord-uid;
+    users.groups.colord.gid = config.sane.allocations.colord-gid;
+    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+
     # start gnome/gdm on boot
     services.xserver.enable = true;
     services.xserver.desktopManager.gnome.enable = true;

modules/gui/phosh.nix

@@ -10,60 +10,100 @@ in
       default = false;
       type = types.bool;
     };
+    sane.gui.phosh.useGreeter = mkOption {
+      description = ''
+        launch phosh via a greeter (like lightdm-mobile-greeter).
+        phosh is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
   };
 
-  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+  config = mkIf cfg.enable (mkMerge [
+    {
+      sane.gui.enable = true;
 
-    users.users.avahi.uid = config.sane.allocations.avahi-uid;
-    users.users.colord.uid = config.sane.allocations.colord-uid;
-    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
-    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
-    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
-    users.groups.colord.gid = config.sane.allocations.colord-gid;
-    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
-    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+      users.users.avahi.uid = config.sane.allocations.avahi-uid;
+      users.users.colord.uid = config.sane.allocations.colord-uid;
+      users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+      users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+      users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+      users.groups.colord.gid = config.sane.allocations.colord-gid;
+      users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
+      users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+      users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
 
-    # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
-    services.xserver.desktopManager.phosh = {
-      enable = true;
-      user = "colin";
-      group = "users";
-      phocConfig = {
-        # xwayland = "true";
-        # find default outputs by catting /etc/phosh/phoc.ini
-        outputs.DSI-1 = {
-          scale = 1.5;
+      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
+      services.xserver.desktopManager.phosh = {
+        enable = true;
+        user = "colin";
+        group = "users";
+        phocConfig = {
+          # xwayland = "true";
+          # find default outputs by catting /etc/phosh/phoc.ini
+          outputs.DSI-1 = {
+            scale = 1.5;
+          };
         };
       };
-    };
 
-    # XXX: phosh enables networkmanager by default; can probably disable these lines
-    networking.useDHCP = false;
-    networking.networkmanager.enable = true;
-    networking.wireless.enable = lib.mkForce false;
+      # XXX: phosh enables networkmanager by default; can probably disable these lines
+      networking.useDHCP = false;
+      networking.networkmanager.enable = true;
+      networking.wireless.enable = lib.mkForce false;
 
-    # XXX: not clear if these are actually needed?
-    hardware.bluetooth.enable = true;
-    services.blueman.enable = true;
+      # XXX: not clear if these are actually needed?
+      hardware.bluetooth.enable = true;
+      services.blueman.enable = true;
 
-    hardware.opengl.enable = true;
-    hardware.opengl.driSupport = true;
+      hardware.opengl.enable = true;
+      hardware.opengl.driSupport = true;
 
-    environment.variables = {
-      # Qt apps won't always start unless this env var is set
-      QT_QPA_PLATFORM = "wayland";
-      # electron apps (e.g. Element) should use the wayland backend
-      # toggle this to have electron apps (e.g. Element) use the wayland backend.
-      # phocConfig.xwayland should be disabled if you do this
-      NIXOS_OZONE_WL = "1";
-    };
+      environment.variables = {
+        # Qt apps won't always start unless this env var is set
+        QT_QPA_PLATFORM = "wayland";
+        # electron apps (e.g. Element) should use the wayland backend
+        # toggle this to have electron apps (e.g. Element) use the wayland backend.
+        # phocConfig.xwayland should be disabled if you do this
+        NIXOS_OZONE_WL = "1";
+      };
 
-    sane.home-manager.extraPackages = with pkgs; [
-      phosh-mobile-settings
+      sane.home-manager.extraPackages = with pkgs; [
+        phosh-mobile-settings
 
-      # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
-      gnome.gnome-bluetooth
-    ];
-  };
+        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
+        gnome.gnome-bluetooth
+      ];
+    }
+    (mkIf cfg.useGreeter {
+      services.xserver.enable = true;
+      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
+      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
+      # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
+      # this requires the user we want to login as to be cached.
+      services.xserver.displayManager.job.preStart = ''
+        ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
+      '';
+      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";  # XXX: not sure why this doesn't propagate correctly.
+      services.xserver.displayManager.lightdm.extraSeatDefaults = ''
+        user-session = phosh
+      '';
+      services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
+      services.xserver.displayManager.lightdm.greeter = {
+        enable = true;
+        package = pkgs.lightdm-mobile-greeter.xgreeters;
+        name = "lightdm-mobile-greeter";
+      };
+      # services.xserver.displayManager.lightdm.enable = true;
+      # # services.xserver.displayManager.lightdm.greeters.enso.enable = true;  # tried (with reboot); got a mouse then died. next time was black
+      # # services.xserver.displayManager.lightdm.greeters.gtk.enable = true;  # tried (with reboot); unusable without OSK
+      # # services.xserver.displayManager.lightdm.greeters.mini.enable = true;  # tried (with reboot); unusable without OSK
+      # # services.xserver.displayManager.lightdm.greeters.pantheon.enable = true; # tried (no reboot); unusable without OSK
+      # services.xserver.displayManager.lightdm.greeters.slick.enable = true;  # tried; unusable without OSK (a11y -> OSK doesn't work)
+      # # services.xserver.displayManager.lightdm.greeters.tiny.enable = true;  # tried; block screen
+
+      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
+    })
+  ]);
 }

modules/gui/sway.nix

@@ -21,15 +21,24 @@ in
       enable = true;
     };
 
-    # TODO: should be able to use SDDM to get interactive login
-    services.greetd = {
+    # alternatively, could use SDDM
+    services.greetd = let
+      swayConfig = pkgs.writeText "greetd-sway-config" ''
+        # `-l` activates layer-shell mode.
+        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
+      '';
+    in {
+      # greetd source/docs:
+      # - <https://git.sr.ht/~kennylevinsen/greetd>
       enable = true;
-      settings = rec {
-        initial_session = {
-          command = "${pkgs.sway}/bin/sway";
-          user = "colin";
+      settings = {
+        default_session = {
+          command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
+          # alternatives:
+          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
+          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
+          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
         };
-        default_session = initial_session;
       };
     };
 
@@ -88,21 +97,22 @@ in
           "${modifier}+Return" = "exec ${terminal}";
           "${modifier}+Shift+q" = "kill";
           "${modifier}+d" = "exec ${menu}";
+          "${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
 
-          "${modifier}+${left}" = "focus left";
-          "${modifier}+${down}" = "focus down";
-          "${modifier}+${up}" = "focus up";
-          "${modifier}+${right}" = "focus right";
+          # "${modifier}+${left}" = "focus left";
+          # "${modifier}+${down}" = "focus down";
+          # "${modifier}+${up}" = "focus up";
+          # "${modifier}+${right}" = "focus right";
 
           "${modifier}+Left" = "focus left";
           "${modifier}+Down" = "focus down";
           "${modifier}+Up" = "focus up";
           "${modifier}+Right" = "focus right";
 
-          "${modifier}+Shift+${left}" = "move left";
-          "${modifier}+Shift+${down}" = "move down";
-          "${modifier}+Shift+${up}" = "move up";
-          "${modifier}+Shift+${right}" = "move right";
+          # "${modifier}+Shift+${left}" = "move left";
+          # "${modifier}+Shift+${down}" = "move down";
+          # "${modifier}+Shift+${up}" = "move up";
+          # "${modifier}+Shift+${right}" = "move right";
 
           "${modifier}+Shift+Left" = "move left";
           "${modifier}+Shift+Down" = "move down";
@@ -572,7 +582,7 @@ in
     };
     sane.home-manager.extraPackages = with pkgs; [
       swaylock
-      swayidle
+      swayidle  # (unused)
       wl-clipboard
       mako # notification daemon
       xdg-utils  # for xdg-open

modules/universal/allocations.nix

@@ -23,6 +23,9 @@ in
     sane.allocations.greeter-uid = mkId 999;
     sane.allocations.greeter-gid = mkId 999;
 
+    sane.allocations.freshrss-uid = mkId 2401;
+    sane.allocations.freshrss-gid = mkId 2401;
+
     sane.allocations.colin-uid = mkId 1000;
     sane.allocations.guest-uid = mkId 1100;
 

modules/universal/env/default.nix

@@ -1,8 +1,7 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
   imports = [
-    ./feeds.nix
     ./home-manager.nix
     ./home-packages.nix
     ./system-packages.nix
@@ -20,5 +19,18 @@
     # NIXOS_OZONE_WL = "1";
     # LIBGL_ALWAYS_SOFTWARE = "1";
   };
+  # enable zsh completions
+  environment.pathsToLink = [ "/share/zsh" ];
+  environment.systemPackages = with pkgs; [
+    # required for pam_mount
+    gocryptfs
+  ];
+
+  security.pam.mount.enable = true;
+  # security.pam.mount.debugLevel = 1;
+  # security.pam.enableSSHAgentAuth = true; # ??
+  # needed for `allow_other` in e.g. gocryptfs mounts
+  # or i guess going through mount.fuse sets suid so that's not necessary?
+  # programs.fuse.userAllowOther = true;
 }
 

modules/universal/env/feeds.nix

@@ -1,41 +1,175 @@
-{ lib, ... }:
+{ lib }:
 
-with lib;
-{
-  options = {
-    sane.feeds.podcastUrls = mkOption {
-      type = types.listOf types.str;
-      default = [
-        "https://lexfridman.com/feed/podcast/"
-        ## Astral Codex Ten
-        "http://feeds.libsyn.com/108018/rss"
-        ## Econ Talk
-        "https://feeds.simplecast.com/wgl4xEgL"
-        ## Cory Doctorow
-        "https://feeds.feedburner.com/doctorow_podcast"
-        "https://congressionaldish.libsyn.com/rss"
-        ## Civboot
-        "https://anchor.fm/s/34c7232c/podcast/rss"
-        "https://feeds.feedburner.com/80000HoursPodcast"
-        "https://allinchamathjason.libsyn.com/rss"
-        "https://acquired.libsyn.com/rss"
-        "https://rss.acast.com/deconstructed"
-        ## The Daily
-        "https://feeds.simplecast.com/54nAGcIl"
-        "https://rss.acast.com/intercepted-with-jeremy-scahill"
-        "https://podcast.posttv.com/itunes/post-reports.xml"
-        ## Eric Weinstein
-        "https://rss.art19.com/the-portal"
-        "https://feeds.megaphone.fm/darknetdiaries"
-        "http://feeds.wnyc.org/radiolab"
-        "https://wakingup.libsyn.com/rss"
-        ## 99% Invisible
-        "https://feeds.simplecast.com/BqbsxVfO"
-        "https://rss.acast.com/ft-tech-tonic"
-        "https://feeds.feedburner.com/dancarlin/history?format=xml"
-        ## 60 minutes (NB: this features more than *just* audio?)
-        "https://www.cbsnews.com/latest/rss/60-minutes"
-      ];
-    };
-  };
+let
+  hourly = { freq = "hourly"; };
+  daily = { freq = "daily"; };
+  weekly = { freq = "weekly"; };
+  infrequent = { freq = "infrequent"; };
+
+  art = { cat = "art"; };
+  humor = { cat = "humor"; };
+  pol = { cat = "pol"; };  # or maybe just "social"
+  rat = { cat = "rat"; };
+  tech = { cat = "tech"; };
+  uncat = { cat = "uncat"; };
+
+  text = { format = "text"; };
+  image = { format = "image"; };
+  podcast = { format = "podcast"; };
+
+  mkRss = format: url: { inherit url format; } // uncat // infrequent;
+  mkText = mkRss text;
+  mkImg = mkRss image;
+  mkPod = mkRss podcast;
+
+  # merge the attrs `new` into each value of the attrs `addTo`
+  addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
+  # for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
+  withInverseMapping = key: attrs: builtins.mapAttrs (k: v: v // { "${key}" = k; }) attrs;
+in rec {
+  podcasts = [
+    (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
+    ## Astral Codex Ten
+    (mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
+    ## Econ Talk
+    (mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
+    ## Cory Doctorow
+    (mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
+    (mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
+    ## Civboot
+    (mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
+    (mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
+    (mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
+    (mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
+    (mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
+    ## The Daily
+    (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
+    (mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
+    (mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
+    ## Eric Weinstein
+    (mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
+    (mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
+    (mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
+    (mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
+    ## 99% Invisible
+    (mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
+    (mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
+    (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
+    ## 60 minutes (NB: this features more than *just* audio?)
+    (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
+  ];
+
+  texts = [
+    # AGGREGATORS (> 1 post/day)
+    (mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
+    (mkText "http://www.econlib.org/index.xml" // pol // hourly)
+
+    # AGGREGATORS (< 1 post/day)
+    (mkText "https://palladiummag.com/feed" // uncat // weekly)
+    (mkText "https://profectusmag.com/feed" // uncat // weekly)
+    (mkText "https://semiaccurate.com/feed" // tech // weekly)
+    (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
+    (mkText "https://spectrum.ieee.org/rss" // tech // weekly)
+
+    ## No Moods, Ads or Cutesy Fucking Icons
+    (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
+
+    # DEVELOPERS
+    (mkText "https://mg.lol/blog/rss/" // infrequent // tech)
+    ## Ken Shirriff
+    (mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
+    ## Vitalik Buterin
+    (mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
+    ## ian (Sanctuary)
+    (mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
+    ## Bunnie Juang
+    (mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
+    (mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
+    (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
+    (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
+    (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
+
+    # (TECH; POL) COMMENTATORS
+    (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
+    ## Ben Thompson
+    (mkText "https://www.stratechery.com/rss" // pol // weekly)
+    ## Balaji
+    (mkText "https://balajis.com/rss" // pol // weekly)
+    (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
+    (mkText "https://www.lynalden.com/feed" // pol // infrequent)
+    (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
+    (mkText "https://oversharing.substack.com/feed" // pol // daily)
+    (mkText "https://doomberg.substack.com/feed" // tech // weekly)
+    ## David Rosenthal
+    (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
+    ## Matt Levine
+    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
+
+    # RATIONALITY/PHILOSOPHY/ETC
+    (mkText "https://samkriss.substack.com/feed" // humor // infrequent)
+    (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
+    (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
+    (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
+    (mkText "https://www.richardcarrier.info/feed" // rat // weekly)
+    (mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
+    ## Jason Crawford
+    (mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
+    ## Robin Hanson
+    (mkText "https://www.overcomingbias.com/feed" // rat // daily)
+    ## Scott Alexander
+    (mkText "https://astralcodexten.substack.com/feed.xml" // rat // daily)
+    ## Paul Christiano
+    (mkText "https://sideways-view.com/feed" // rat // infrequent)
+    ## Sean Carroll
+    (mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
+
+    # CODE
+    (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
+  ];
+
+  images = [
+    (mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
+    (mkImg "https://xkcd.com/atom.xml" // humor // daily)
+    (mkImg "http://dilbert.com/feed" // humor // daily)
+
+    # ART
+    (mkImg "https://miniature-calendar.com/feed" // art // daily)
+  ];
+
+  all = texts ++ images ++ podcasts;
+
+  # return only the feed items which match this category (e.g. "tech")
+  filterCat = cat: feeds: builtins.filter (item: item.cat == cat) feeds;
+  # return only the feed items which match this format (e.g. "podcast")
+  filterFormat = format: feeds: builtins.filter (item: item.format == format) feeds;
+
+  # transform a list of feeds into an attrs mapping cat => [ feed0 feed1 ... ]
+  partitionByCat = feeds: builtins.groupBy (f: f.cat) feeds;
+
+  # represents a single RSS feed.
+  opmlTerminal = feed: ''<outline xmlUrl="${feed.url}" type="rss"/>'';
+  # a list of RSS feeds.
+  opmlTerminals = feeds: lib.strings.concatStringsSep "\n" (builtins.map opmlTerminal feeds);
+  # one node which packages some flat grouping of terminals.
+  opmlGroup = title: feeds: ''
+    <outline text="${title}" title="${title}">
+      ${opmlTerminals feeds}
+    </outline>
+  '';
+  # a list of groups (`groupMap` is an attrs mapping groupName => [ feed0 feed1 ... ]).
+  opmlGroups = groupMap: lib.strings.concatStringsSep "\n" (
+    builtins.attrValues (builtins.mapAttrs opmlGroup groupMap)
+  );
+  # top-level OPML file which could be consumed by something else.
+  opmlTopLevel = body: ''
+    <?xml version="1.0" encoding="utf-8"?>
+    <opml version="2.0">
+      <body>
+        ${body}
+      </body>
+    </opml>
+  '';
+
+  # **primary API**: generate a OPML file from the provided feeds
+  feedsToOpml = feeds: opmlTopLevel (opmlGroups (partitionByCat feeds));
 }

modules/universal/env/home-manager.nix

@@ -17,6 +17,7 @@ let
   # extract `persist-files` from `extraPackages`
   persistfileslist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "persist-files" then e.persist-files else []) pkgspec);
   # TODO: dirlist and persistfileslist should be folded
+  feeds = import ./feeds.nix { inherit lib; };
 in
 {
   options = {
@@ -116,28 +117,36 @@ in
       # the xdg mime type for a file can be found with:
       # - `xdg-mime query filetype path/to/thing.ext`
       xdg.mimeApps.enable = true;
-      xdg.mimeApps.defaultApplications = {
+      xdg.mimeApps.defaultApplications = let
+        www = "librewolf.desktop";
+        pdf = "org.gnome.Evince.desktop";
+        md = "obsidian.desktop";
+        thumb = "org.gnome.gThumb.desktop";
+        video = "vlc.desktop";
+        # audio = "mpv.desktop";
+        audio = "vlc.desktop";
+      in {
         # HTML
-        "text/html" = [ "librewolf.desktop" ];
-        "x-scheme-handler/http" = [ "librewolf.desktop" ];
-        "x-scheme-handler/https" = [ "librewolf.desktop" ];
-        "x-scheme-handler/about" = [ "librewolf.desktop" ];
-        "x-scheme-handler/unknown" = [ "librewolf.desktop" ];
+        "text/html" = [ www ];
+        "x-scheme-handler/http" = [ www ];
+        "x-scheme-handler/https" = [ www ];
+        "x-scheme-handler/about" = [ www ];
+        "x-scheme-handler/unknown" = [ www ];
         # RICH-TEXT DOCUMENTS
-        "application/pdf" = [ "org.gnome.Evince.desktop" ];
-        "text/markdown" = [ "obsidian.desktop" ];
+        "application/pdf" = [ pdf ];
+        "text/markdown" = [ md ];
         # IMAGES
-        "image/heif" = [ "org.gnome.gThumb.desktop" ];  # apple codec
-        "image/png" = [ "org.gnome.gThumb.desktop" ];
-        "image/jpeg" = [ "org.gnome.gThumb.desktop" ];
+        "image/heif" = [ thumb ];  # apple codec
+        "image/png" = [ thumb ];
+        "image/jpeg" = [ thumb ];
         # VIDEO
-        "video/mp4" = [ "vlc.desktop" ];
-        "video/quicktime" = [ "vlc.desktop" ];
-        "video/x-matroska" = [ "vlc.desktop" ];
+        "video/mp4" = [ video ];
+        "video/quicktime" = [ video ];
+        "video/x-matroska" = [ video ];
         # AUDIO
-        "audio/flag" = [ "vlc.desktop" ];
-        "audio/mpeg" = [ "vlc.desktop" ];
-        "audio/x-vorbis+ogg" = [ "vlc.desktop" ];
+        "audio/flac" = [ audio ];
+        "audio/mpeg" = [ audio ];
+        "audio/x-vorbis+ogg" = [ audio ];
       };
 
       # convenience
@@ -173,6 +182,12 @@ in
          }
         }
       '';
+      home.file.".librewolf/librewolf.overrides.cfg".text = ''
+        // if we can't query the revocation status of a SSL cert because the issuer is offline,
+        // treat it as unrevoked.
+        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+        defaultPref("security.OCSP.require", false);
+      '';
 
       # aerc TUI mail client
       xdg.configFile."aerc/accounts.conf".source =
@@ -191,108 +206,35 @@ in
 
       xdg.configFile."vlc/vlcrc".text =
       let
-        podcastUrls = lib.strings.concatStringsSep "|" sysconfig.sane.feeds.podcastUrls;
-      in ''
-      [podcast]
-      podcast-urls=${podcastUrls}
-      [core]
-      metadata-network-access=0
-      [qt]
-      qt-privacy-ask=0
-      '';
-      xdg.configFile."gpodderFeeds.opml".text =
-      let
-        entries = builtins.toString (builtins.map
-          (url: ''\n    <outline xmlUrl="${url}" type="rss"/>'')
-          sysconfig.sane.feeds.podcastUrls
+        podcastUrls = lib.strings.concatStringsSep "|" (
+          builtins.map (feed: feed.url) feeds.podcasts
         );
       in ''
-        <?xml version="1.0" encoding="utf-8"?>
-        <opml version="2.0">
-          <body>${entries}
-          </body>
-        </opml>
+        [podcast]
+        podcast-urls=${podcastUrls}
+        [core]
+        metadata-network-access=0
+        [qt]
+        qt-privacy-ask=0
       '';
 
+      xdg.configFile."gpodderFeeds.opml".text = with feeds;
+        feedsToOpml feeds.podcasts;
+
+      # news-flash RSS viewer
+      xdg.configFile."newsflashFeeds.opml".text = with feeds;
+        feedsToOpml (feeds.texts ++ feeds.images);
+
       # gnome feeds RSS viewer
-      xdg.configFile."org.gabmus.gfeeds.json".text = builtins.toJSON {
-        feeds = {
-          # AGGREGATORS (> 1 post/day)
-          "https://www.lesswrong.com/feed.xml" = { tags = [ "hourly" "rat" ]; };
-          "http://www.econlib.org/index.xml" = { tags = [ "hourly" "pol" ]; };
-          # AGGREGATORS (< 1 post/day)
-          "https://palladiummag.com/feed" = { tags = [ "weekly" "uncat" ]; };
-          "https://profectusmag.com/feed" = { tags = [ "weekly" "uncat" ]; };
-
-          "https://semiaccurate.com/feed" = { tags = [ "weekly" "tech" ]; };
-          "https://linuxphoneapps.org/blog/atom.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://spectrum.ieee.org/rss" = { tags = [ "weekly" "tech" ]; };
-
-          ## No Moods, Ads or Cutesy Fucking Icons
-          "https://www.rifters.com/crawl/?feed=rss2" = { tags = [ "weekly" "uncat" ]; };
-
-          # DEVELOPERS
-          "https://mg.lol/blog/rss/" = { tags = [ "infrequent" "tech" ]; };
-          ## Ken Shirriff
-          "https://www.righto.com/feeds/posts/default" = { tags = [ "infrequent" "tech" ]; };
-          ## Vitalik Buterin
-          "https://vitalik.ca/feed.xml" = { tags = [ "infrequent" "tech" ]; };
-          ## ian (Sanctuary)
-          "https://sagacioussuricata.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
-          ## Bunnie Juang
-          "https://www.bunniestudios.com/blog/?feed=rss2" = { tags = [ "infrequent" "tech" ]; };
-          "https://blog.danieljanus.pl/atom.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://ianthehenry.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://bitbashing.io/feed.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://idiomdrottning.org/feed.xml" = { tags = [ "daily" "uncat" ]; };
-
-          # (TECH; POL) COMMENTATORS
-          "http://benjaminrosshoffman.com/feed" = { tags = [ "weekly" "pol" ]; };
-          ## Ben Thompson
-          "https://www.stratechery.com/rss" = { tags = [ "weekly" "pol" ]; };
-          ## Balaji
-          "https://balajis.com/rss" = { tags = [ "weekly" "pol" ]; };
-          "https://www.ben-evans.com/benedictevans/rss.xml" = { tags = [ "weekly" "pol" ]; };
-          "https://www.lynalden.com/feed" = { tags = [ "infrequent" "pol" ]; };
-          "https://austinvernon.site/rss.xml" = { tags = [ "infrequent" "tech" ]; };
-          "https://oversharing.substack.com/feed" = { tags = [ "daily" "pol" ]; };
-          ## David Rosenthal
-          "https://blog.dshr.org/rss.xml" = { tags = [ "weekly" "pol" ]; };
-          ## Matt Levine
-          "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" = { tags = [ "weekly" "pol" ]; };
-
-          # RATIONALITY/PHILOSOPHY/ETC
-          "https://samkriss.substack.com/feed" = { tags = [ "infrequent" "uncat" ]; };  # ... satire? phil?
-          "https://unintendedconsequenc.es/feed" = { tags = [ "infrequent" "rat" ]; };
-
-          "https://applieddivinitystudies.com/atom.xml" = { tags = [ "weekly" "rat" ]; };
-          "https://slimemoldtimemold.com/feed.xml" = { tags = [ "weekly" "rat" ]; };
-
-          "https://www.richardcarrier.info/feed" = { tags = [ "weekly" "rat" ]; };
-          "https://www.gwern.net/feed.xml" = { tags = [ "infrequent" "uncat" ]; };
-
-          ## Jason Crawford
-          "https://rootsofprogress.org/feed.xml" = { tags = [ "weekly" "rat" ]; };
-          ## Robin Hanson
-          "https://www.overcomingbias.com/feed" = { tags = [ "daily" "rat" ]; };
-          ## Scott Alexander
-          "https://astralcodexten.substack.com/feed.xml" = { tags = [ "daily" "rat" ]; };
-          ## Paul Christiano
-          "https://sideways-view.com/feed" = { tags = [ "infrequent" "rat" ]; };
-          ## Sean Carroll
-          "https://www.preposterousuniverse.com/rss" = { tags = [ "infrequent" "rat" ]; };
-
-          # COMICS
-          "https://www.smbc-comics.com/comic/rss" = { tags = [ "daily" "visual" ]; };
-          "https://xkcd.com/atom.xml" = { tags = [ "daily" "visual" ]; };
-          "http://dilbert.com/feed" = { tags = ["daily" "visual" ]; };
-
-          # ART
-          "https://miniature-calendar.com/feed" = { tags = [ "daily" "visual" ]; };
-
-          # CODE
-          "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" = { tags = [ "infrequent" "tech" ]; };
-        };
+      xdg.configFile."org.gabmus.gfeeds.json".text =
+      let
+        myFeeds = feeds.texts ++ feeds.images;
+      in builtins.toJSON {
+        # feed format is a map from URL to a dict,
+        #   with dict["tags"] a list of string tags.
+        feeds = builtins.foldl' (acc: feed: acc // {
+          "${feed.url}".tags = [ feed.cat feed.freq ];
+        }) {} myFeeds;
         dark_reader = false;
         new_first = true;
         # windowsize = {
@@ -311,17 +253,9 @@ in
         open_links_externally = true;
         full_feed_name = false;
         refresh_on_startup = true;
-        tags = [
-          # hourly => aggregator
-          # daily => prolifiq writer
-          # weekly => i can keep up with most -- but maybe not all -- of their content
-          # infrequent => i can read everything in this category
-          "hourly" "daily" "weekly" "infrequent"
-          # rat[ionality] gets used interchangably with philosophy, here.
-          # pol[itical] gets used for social commentary and economics as well.
-          # visual gets used for comics/art
-          "uncat" "rat" "tech" "pol" "visual"
-        ];
+        tags = lib.lists.unique (
+          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
+        );
         open_youtube_externally = false;
         media_player = "vlc";  # default: mpv
       };
@@ -333,6 +267,8 @@ in
           enable = true;
           enableSyntaxHighlighting = true;
           enableVteIntegration = true;
+          history.ignorePatterns = [ "rm *" ];
+          # history.path = TODO
           dotDir = ".config/zsh";
 
           initExtraBeforeCompInit = ''
@@ -367,6 +303,7 @@ in
             };
           };
         };
+
         kitty = {
           enable = true;
           # docs: https://sw.kovidgoyal.net/kitty/conf/
@@ -433,10 +370,21 @@ in
           # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
           # extraConfig = "";
         };
+
         git = {
           enable = true;
           userName = "colin";
           userEmail = "colin@uninsane.org";
+
+          aliases = { co = "checkout"; };
+          extraConfig = {
+            # difftastic docs:
+            # - <https://difftastic.wilfred.me.uk/git.html>
+            diff.tool = "difftastic";
+            difftool.prompt = false;
+            "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
+            # now run `git difftool` to use difftastic git
+          };
         };
 
         neovim = {
@@ -516,6 +464,10 @@ in
             })
           ];
           extraConfig = ''
+            " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
+            " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
+            set mouse=
+
             " copy/paste to system clipboard
             set clipboard=unnamedplus
 
@@ -552,6 +504,14 @@ in
           package = import ./web-browser.nix pkgs;
         };
 
+        mpv = {
+          enable = true;
+          config = {
+            save-position-on-quit = true;
+            keep-open = "yes";
+          };
+        };
+
         # "command not found" will cause the command to be searched in nixpkgs
         nix-index.enable = true;
       } // cfg.programs;

modules/universal/env/home-packages.nix

@@ -6,8 +6,10 @@ let
   cfg = config.sane.home-packages;
   universalPkgs = [
     backblaze-b2
+    cdrtools
     duplicity
     gnupg
+    gocryptfs
     ifuse
     ipfs
     libimobiledevice
@@ -26,7 +28,6 @@ let
     pulsemixer
     python3
     # python3Packages.eyeD3  # music tagging
-    rmlint
     sane-scripts
     sequoia
     snapper
@@ -62,7 +63,12 @@ let
 
     foliate
     font-manager
-    fractal-next
+
+    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+    # then reboot (so that libsecret daemon re-loads the keyring...?)
+    { pkg = fractal-next; dir = ".local/share/fractal"; }
+
     gimp  # broken on phosh
     gnome.cheese
     gnome.dconf-editor
@@ -71,7 +77,7 @@ let
     gnome.gnome-disk-utility
     gnome.gnome-maps  # works on phosh
     gnome.nautilus
-    gnome-podcasts
+    # gnome-podcasts
     gnome.gnome-system-monitor
     gnome.gnome-terminal  # works on phosh
     gnome.gnome-weather
@@ -86,8 +92,14 @@ let
     libreoffice-fresh  # XXX colin: maybe don't want this on mobile
     lollypop
     mesa-demos
+
+    { pkg = mpv; dir = ".config/mpv/watch_later"; }
+
     networkmanagerapplet
 
+    # not strictly necessary, but allows caching articles; offline use, etc.
+    { pkg = newsflash; dir = ".local/share/news-flash"; }
+
     # settings (electron app). TODO: can i manage these settings with home-manager?
     { pkg = obsidian; dir = ".config/obsidian"; }
 
@@ -144,16 +156,19 @@ let
   ] else []);
 
   # useful devtools:
-  # bison
-  # dtc
-  # flex
-  # gcc
-  # gcc-arm-embedded
-  # gcc_multi
-  # gnumake
-  # mix2nix
-  # rustup
-  # swig
+  devPkgs = [
+    bison
+    dtc
+    flex
+    gcc
+    gdb
+    # gcc-arm-embedded
+    # gcc_multi
+    gnumake
+    mix2nix
+    rustup
+    swig
+  ];
 in
 {
   options = {
@@ -161,9 +176,18 @@ in
       default = false;
       type = types.bool;
     };
+    sane.home-packages.enableDevPkgs = mkOption {
+      description = ''
+        enable packages that are useful for building other software by hand.
+        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
+      '';
+      default = false;
+      type = types.bool;
+    };
   };
   config = {
     sane.home-manager.extraPackages = universalPkgs
-      ++ (if cfg.enableGuiPkgs then guiPkgs else []);
+      ++ (if cfg.enableGuiPkgs then guiPkgs else [])
+      ++ (if cfg.enableDevPkgs then devPkgs else []);
   };
 }

modules/universal/users.nix

@@ -52,9 +52,19 @@ in
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
-        # moby doesn't need to login to any other devices yet
-        # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
       ];
+
+      pamMount = {
+        # mount encrypted stuff at login
+        # requires that login password == fs encryption password
+        # fstype = "fuse";
+        # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
+        fstype = "fuse.gocryptfs";
+        path = "/nix/persist/home/colin/private";
+        mountpoint = "/home/colin/private";
+        options="nodev,nosuid,quiet,allow_other";
+      };
     };
 
     sane.impermanence.service-dirs = mkIf cfg.guest.enable [

nixpatches/04-dart-2.7.0.patch

@@ -1,302 +0,0 @@
-diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
-index 9eba6773448..f51aeb8b624 100644
---- a/pkgs/development/compilers/flutter/default.nix
-+++ b/pkgs/development/compilers/flutter/default.nix
-@@ -4,20 +4,20 @@ let
-   getPatches = dir:
-     let files = builtins.attrNames (builtins.readDir dir);
-     in map (f: dir + ("/" + f)) files;
--  version = "2.10.1";
-+  version = "3.0.0";
-   channel = "stable";
-   filename = "flutter_linux_${version}-${channel}.tar.xz";
- 
-   # Decouples flutter derivation from dart derivation,
-   # use specific dart version to not need to bump dart derivation when bumping flutter.
--  dartVersion = "2.16.1";
-+  dartVersion = "2.17.0";
-   dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
-   dartForFlutter = dart.override {
-     version = dartVersion;
-     sources = {
-       "${dartVersion}-x86_64-linux" = fetchurl {
-         url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
--        sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
-+        sha256 = "57b8fd964e47c81d467aeb95b099a670ab7e8f54a1cd74d45bcd1fdc77913d86";
-       };
-     };
-   };
-@@ -29,7 +29,7 @@ in {
-     pname = "flutter";
-     src = fetchurl {
-       url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
--      sha256 = "sha256-rSfwcglDV2rvJl10j7FByAWmghd2FYxrlkgYnvRO54Y=";
-+      sha256 = "e96d75ec8e7dc2a46bc8dad5a9e01c391ab9310ad01c4e3940c963dd263788a0";
-     };
-     patches = getPatches ./patches;
-   };
-diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
-index 43538ede339..ece25c14b55 100644
---- a/pkgs/development/compilers/flutter/flutter.nix
-+++ b/pkgs/development/compilers/flutter/flutter.nix
-@@ -56,12 +56,15 @@ let
-       export STAMP_PATH="$FLUTTER_ROOT/bin/cache/flutter_tools.stamp"
- 
-       export DART_SDK_PATH="${dart}"
-+      export DART="${dart}/bin/dart"
- 
-       HOME=../.. # required for pub upgrade --offline, ~/.pub-cache
-                  # path is relative otherwise it's replaced by /build/flutter
-+      # mkdir -p "$HOME/.cache"
-+      # ln -sf "$FLUTTER_ROOT" "$HOME/.cache/flutter"
- 
-       pushd "$FLUTTER_TOOLS_DIR"
--      ${dart}/bin/pub get --offline
-+      ${dart}/bin/dart pub get --offline
-       popd
- 
-       local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
-diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/git-dir.patch
-new file mode 100644
-index 00000000000..0c736f945ea
---- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/git-dir.patch
-@@ -0,0 +1,102 @@
-+diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
-+index 468a91a954..5def6897ce 100644
-+--- a/dev/bots/prepare_package.dart
-++++ b/dev/bots/prepare_package.dart
-+@@ -525,7 +525,7 @@ class ArchiveCreator {
-+ 
-+   Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
-+     return _processRunner.runProcess(
-+-      <String>['git', ...args],
-++      <String>['git', '--git-dir', '.git', ...args],
-+       workingDirectory: workingDirectory ?? flutterRoot,
-+     );
-+   }
-+diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
-+index bb0eb428a9..4a2a48bb5e 100644
-+--- a/packages/flutter_tools/lib/src/commands/downgrade.dart
-++++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
-+@@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
-+     // Detect unknown versions.
-+     final ProcessUtils processUtils = _processUtils!;
-+     final RunResult parseResult = await processUtils.run(<String>[
-+-      'git', 'describe', '--tags', lastFlutterVersion,
-++      'git', '--git-dir', '.git', 'describe', '--tags', lastFlutterVersion,
-+     ], workingDirectory: workingDirectory);
-+     if (parseResult.exitCode != 0) {
-+       throwToolExit('Failed to parse version for downgrade:\n${parseResult.stderr}');
-+@@ -191,7 +191,7 @@ class DowngradeCommand extends FlutterCommand {
-+         continue;
-+       }
-+       final RunResult parseResult = await _processUtils!.run(<String>[
-+-        'git', 'describe', '--tags', sha,
-++        'git', '--git-dir', '.git', 'describe', '--tags', sha,
-+       ], workingDirectory: workingDirectory);
-+       if (parseResult.exitCode == 0) {
-+         buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
-+diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
-+index f2068a6ca2..99b161689e 100644
-+--- a/packages/flutter_tools/lib/src/version.dart
-++++ b/packages/flutter_tools/lib/src/version.dart
-+@@ -106,7 +106,7 @@ class FlutterVersion {
-+     String? channel = _channel;
-+     if (channel == null) {
-+       final String gitChannel = _runGit(
-+-        'git rev-parse --abbrev-ref --symbolic @{u}',
-++        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
-+         globals.processUtils,
-+         _workingDirectory,
-+       );
-+@@ -114,7 +114,7 @@ class FlutterVersion {
-+       if (slash != -1) {
-+         final String remote = gitChannel.substring(0, slash);
-+         _repositoryUrl = _runGit(
-+-          'git ls-remote --get-url $remote',
-++          'git --git-dir .git ls-remote --get-url $remote',
-+           globals.processUtils,
-+           _workingDirectory,
-+         );
-+@@ -326,7 +326,7 @@ class FlutterVersion {
-+   /// the branch name will be returned as `'[user-branch]'`.
-+   String getBranchName({ bool redactUnknownBranches = false }) {
-+     _branch ??= () {
-+-      final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
-++      final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
-+       return branch == 'HEAD' ? channel : branch;
-+     }();
-+     if (redactUnknownBranches || _branch!.isEmpty) {
-+@@ -359,7 +359,7 @@ class FlutterVersion {
-+   /// wrapper that does that.
-+   @visibleForTesting
-+   static List<String> gitLog(List<String> args) {
-+-    return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
-++    return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
-+   }
-+ 
-+   /// Gets the release date of the latest available Flutter version.
-+@@ -730,7 +730,7 @@ class GitTagVersion {
-+ 
-+   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
-+     if (fetchTags) {
-+-      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-++      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-+       if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
-+         globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
-+       } else {
-+@@ -739,7 +739,7 @@ class GitTagVersion {
-+     }
-+     // find all tags attached to the given [gitRef]
-+     final List<String> tags = _runGit(
-+-      'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
-++      'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
-+ 
-+     // Check first for a stable tag
-+     final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
-+@@ -760,7 +760,7 @@ class GitTagVersion {
-+     // recent tag and number of commits past.
-+     return parse(
-+       _runGit(
-+-        'git describe --match *.*.* --long --tags $gitRef',
-++        'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
-+         processUtils,
-+         workingDirectory,
-+       )
-diff --git a/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
-new file mode 100644
-index 00000000000..f68029eb7a1
---- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
-@@ -0,0 +1,130 @@
-+diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
-+index 2aac9686e8..32c4b98b88 100644
-+--- a/packages/flutter_tools/lib/src/artifacts.dart
-++++ b/packages/flutter_tools/lib/src/artifacts.dart
-+@@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
-+   ) {
-+     switch (artifact) {
-+       case HostArtifact.engineDartSdkPath:
-+-        final String path = _dartSdkPath(_cache);
-++        final String path = _dartSdkPath(_fileSystem);
-+         return _fileSystem.directory(path);
-+       case HostArtifact.engineDartBinary:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.flutterWebSdk:
-+         final String path = _getFlutterWebSdkPath();
-+@@ -398,7 +398,7 @@ class CachedArtifacts implements Artifacts {
-+       case HostArtifact.dart2jsSnapshot:
-+       case HostArtifact.dartdevcSnapshot:
-+       case HostArtifact.kernelWorkerSnapshot:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.iosDeploy:
-+         final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
-+@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
-+   String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
-+     final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+     switch (artifact) {
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-++        assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
-++        return _fileSystem.path.join(engineDir, _artifactToFileName(artifact));
-+       case Artifact.genSnapshot:
-+         assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
-+         final String hostPlatform = getNameForHostPlatform(getCurrentHostPlatform());
-+         return _fileSystem.path.join(engineDir, hostPlatform, _artifactToFileName(artifact));
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.constFinder:
-+       case Artifact.flutterFramework:
-+       case Artifact.flutterMacOSFramework:
-+@@ -497,13 +499,13 @@ class CachedArtifacts implements Artifacts {
-+     switch (artifact) {
-+       case Artifact.genSnapshot:
-+       case Artifact.flutterXcframework:
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+         final String artifactFileName = _artifactToFileName(artifact)!;
-+         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+         return _fileSystem.path.join(engineDir, artifactFileName);
-+       case Artifact.flutterFramework:
-+         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+         return _getIosEngineArtifactPath(engineDir, environmentType, _fileSystem);
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.constFinder:
-+       case Artifact.flutterMacOSFramework:
-+       case Artifact.flutterMacOSPodspec:
-+@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
-+         // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
-+         // android_arm in profile mode because it is available on all supported host platforms.
-+         return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+-        return _fileSystem.path.join(
-+-          _dartSdkPath(_cache), 'bin', 'snapshots',
-+-          _artifactToFileName(artifact),
-+-        );
-+       case Artifact.flutterTester:
-+       case Artifact.vmSnapshotData:
-+       case Artifact.isolateSnapshotData:
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.icuData:
-+         final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
-+         final String platformDirName = _enginePlatformDirectoryName(platform);
-+@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
-+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.dartdevcSnapshot:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.kernelWorkerSnapshot:
-+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
-+       case Artifact.windowsUwpCppClientWrapper:
-+         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
-+       case Artifact.frontendServerSnapshotForEngineDartSdk:
-+-        return _fileSystem.path.join(
-+-          _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
-+-        );
-++        return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
-+       case Artifact.uwptool:
-+         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
-+     }
-+@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
-+ }
-+ 
-+ /// Locate the Dart SDK.
-+-String _dartSdkPath(Cache cache) {
-+-  return cache.getRoot().childDirectory('dart-sdk').path;
-++String _dartSdkPath(FileSystem fileSystem) {
-++  return fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'dart-sdk');
-+ }
-+ 
-+ class _TestArtifacts implements Artifacts {
-+diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
-+index d906511a15..adfdd4bb42 100644
-+--- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
-++++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
-+@@ -153,10 +153,6 @@ void main() {
-+         artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
-+         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
-+       );
-+-      expect(
-+-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
-+-        fileSystem.path.join('root', 'bin', 'cache', 'dart-sdk', 'bin', 'snapshots', 'frontend_server.dart.snapshot')
-+-      );
-+     });
-+ 
-+     testWithoutContext('precompiled web artifact paths are correct', () {
-+@@ -322,11 +318,6 @@ void main() {
-+         artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
-+         fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
-+       );
-+-      expect(
-+-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
-+-        fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
-+-          'snapshots', 'frontend_server.dart.snapshot')
-+-      );
-+     });
-+ 
-+     testWithoutContext('getEngineType', () {

nixpatches/11-flutter-3.3.3-189338.patch

@@ -1,646 +0,0 @@
-diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
-index d50e7118cc1..22bbeb212f0 100644
---- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
-+++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
-@@ -1,16 +1,16 @@
- { lib
- , fetchFromGitLab
--, flutter
-+, flutter2
- , olm
- , imagemagick
- , makeDesktopItem
- }:
- 
--flutter.mkFlutterApp rec {
-+flutter2.mkFlutterApp rec {
-   pname = "fluffychat";
-   version = "1.2.0";
- 
--  vendorHash = "sha256-co+bnsVIyg42JpM9FimfGEjrd6A99GlBeow1Dgv7NBI=";
-+  vendorHash = "sha256-1PDX023WXRmRe/b1L+6Du91BvGwYNp3YATqYSQdPrRY=";
- 
-   src = fetchFromGitLab {
-     owner = "famedly";
-diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
-index 4529d2adc1a..02188335129 100644
---- a/pkgs/development/compilers/flutter/default.nix
-+++ b/pkgs/development/compilers/flutter/default.nix
-@@ -4,34 +4,40 @@ let
-   getPatches = dir:
-     let files = builtins.attrNames (builtins.readDir dir);
-     in map (f: dir + ("/" + f)) files;
--  version = "3.0.4";
--  channel = "stable";
--  filename = "flutter_linux_${version}-${channel}.tar.xz";
--
--  # Decouples flutter derivation from dart derivation,
--  # use specific dart version to not need to bump dart derivation when bumping flutter.
--  dartVersion = "2.17.5";
--  dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
--  dartForFlutter = dart.override {
--    version = dartVersion;
--    sources = {
--      "${dartVersion}-x86_64-linux" = fetchurl {
--        url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
--        sha256 = "sha256-AFJGeiPsjUZSO+DykmOIFETg2jIohg62tp3ghZrKJFk=";
-+  flutterDrv = { version, pname, dartVersion, hash, dartHash, patches }: mkFlutter {
-+    inherit version pname patches;
-+    dart = dart.override {
-+      version = dartVersion;
-+      sources = {
-+        "${dartVersion}-x86_64-linux" = fetchurl {
-+          url = "https://storage.googleapis.com/dart-archive/channels/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
-+          sha256 = dartHash;
-+        };
-       };
-     };
-+    src = fetchurl {
-+      url = "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${version}-stable.tar.xz";
-+      sha256 = hash;
-+    };
-   };
- in
- {
-   inherit mkFlutter;
--  stable = mkFlutter rec {
--    inherit version;
--    dart = dartForFlutter;
-+  stable = flutterDrv {
-     pname = "flutter";
--    src = fetchurl {
--      url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
--      sha256 = "sha256-vh3QjLGFBN321DUET9XhYqSkILjEj+ZqAALu/mxY+go=";
--    };
--    patches = getPatches ./patches;
-+    version = "3.3.3";
-+    dartVersion = "2.18.2";
-+    hash = "sha256-MTZeWQUp4/TcPzYIT6eqIKSPUPvn2Mp/thOQzNgpTXg=";
-+    dartHash = "sha256-C3+YjecXLvSmJrLwi9H7TgD9Np0AArRWx3EdBrfQpTU";
-+    patches = getPatches ./patches/flutter3;
-+  };
-+
-+  v2 = flutterDrv {
-+    pname = "flutter";
-+    version = "2.10.5";
-+    dartVersion = "2.16.2";
-+    hash = "sha256-DTZwxlMUYk8NS1SaWUJolXjD+JnRW73Ps5CdRHDGnt0=";
-+    dartHash = "sha256-egrYd7B4XhkBiHPIFE2zopxKtQ58GqlogAKA/UeiXnI=";
-+    patches = getPatches ./patches/flutter2;
-   };
- }
-diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
-index 28a78c3e306..f2c861356ab 100644
---- a/pkgs/development/compilers/flutter/flutter.nix
-+++ b/pkgs/development/compilers/flutter/flutter.nix
-@@ -65,7 +65,7 @@ let
-       popd
- 
-       local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
--      ${dart}/bin/dart --snapshot="$SNAPSHOT_PATH" --packages="$FLUTTER_TOOLS_DIR/.packages" "$SCRIPT_PATH"
-+      ${dart}/bin/dart --snapshot="$SNAPSHOT_PATH" --packages="$FLUTTER_TOOLS_DIR/.dart_tool/package_config.json" "$SCRIPT_PATH"
-       echo "$revision" > "$STAMP_PATH"
-       echo -n "${version}" > version
- 
-diff --git a/pkgs/development/compilers/flutter/patches/disable-auto-update.patch b/pkgs/development/compilers/flutter/patches/flutter2/disable-auto-update.patch
-similarity index 100%
-rename from pkgs/development/compilers/flutter/patches/disable-auto-update.patch
-rename to pkgs/development/compilers/flutter/patches/flutter2/disable-auto-update.patch
-diff --git a/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch b/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch
-new file mode 100644
-index 00000000000..0136ef93106
---- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch
-@@ -0,0 +1,80 @@
-+diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
-+index 468a91a954..5def6897ce 100644
-+--- a/dev/bots/prepare_package.dart
-++++ b/dev/bots/prepare_package.dart
-+@@ -525,7 +525,7 @@ class ArchiveCreator {
-+ 
-+   Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
-+     return _processRunner.runProcess(
-+-      <String>['git', ...args],
-++      <String>['git', '--git-dir', '.git', ...args],
-+       workingDirectory: workingDirectory ?? flutterRoot,
-+     );
-+   }
-+diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
-+index f2068a6ca2..99b161689e 100644
-+--- a/packages/flutter_tools/lib/src/version.dart
-++++ b/packages/flutter_tools/lib/src/version.dart
-+@@ -106,7 +106,7 @@ class FlutterVersion {
-+     String? channel = _channel;
-+     if (channel == null) {
-+       final String gitChannel = _runGit(
-+-        'git rev-parse --abbrev-ref --symbolic @{u}',
-++        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
-+         globals.processUtils,
-+         _workingDirectory,
-+       );
-+@@ -114,7 +114,7 @@ class FlutterVersion {
-+       if (slash != -1) {
-+         final String remote = gitChannel.substring(0, slash);
-+         _repositoryUrl = _runGit(
-+-          'git ls-remote --get-url $remote',
-++          'git --git-dir .git ls-remote --get-url $remote',
-+           globals.processUtils,
-+           _workingDirectory,
-+         );
-+@@ -326,7 +326,7 @@ class FlutterVersion {
-+   /// the branch name will be returned as `'[user-branch]'`.
-+   String getBranchName({ bool redactUnknownBranches = false }) {
-+     _branch ??= () {
-+-      final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
-++      final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
-+       return branch == 'HEAD' ? channel : branch;
-+     }();
-+     if (redactUnknownBranches || _branch!.isEmpty) {
-+@@ -359,7 +359,7 @@ class FlutterVersion {
-+   /// wrapper that does that.
-+   @visibleForTesting
-+   static List<String> gitLog(List<String> args) {
-+-    return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
-++    return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
-+   }
-+ 
-+   /// Gets the release date of the latest available Flutter version.
-+@@ -730,7 +730,7 @@ class GitTagVersion {
-+ 
-+   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
-+     if (fetchTags) {
-+-      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-++      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-+       if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
-+         globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
-+       } else {
-+@@ -739,7 +739,7 @@ class GitTagVersion {
-+     }
-+     // find all tags attached to the given [gitRef]
-+     final List<String> tags = _runGit(
-+-      'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
-++      'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
-+ 
-+     // Check first for a stable tag
-+     final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
-+@@ -760,7 +760,7 @@ class GitTagVersion {
-+     // recent tag and number of commits past.
-+     return parse(
-+       _runGit(
-+-        'git describe --match *.*.* --long --tags $gitRef',
-++        'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
-+         processUtils,
-+         workingDirectory,
-+       )
-diff --git a/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch b/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch
-new file mode 100644
-index 00000000000..a81d2def242
---- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch
-@@ -0,0 +1,72 @@
-+diff --git a/packages/flutter_tools/lib/src/asset.dart b/packages/flutter_tools/lib/src/asset.dart
-+index ed42baea29..12941f733a 100644
-+--- a/packages/flutter_tools/lib/src/asset.dart
-++++ b/packages/flutter_tools/lib/src/asset.dart
-+@@ -11,11 +11,11 @@ import 'base/file_system.dart';
-+ import 'base/logger.dart';
-+ import 'base/platform.dart';
-+ import 'build_info.dart';
-+-import 'cache.dart';
-+ import 'convert.dart';
-+ import 'dart/package_map.dart';
-+ import 'devfs.dart';
-+ import 'flutter_manifest.dart';
-++import 'globals.dart' as globals;
-+ import 'license_collector.dart';
-+ import 'project.dart';
-+ 
-+@@ -504,7 +504,7 @@ class ManifestAssetBundle implements AssetBundle {
-+         }
-+         final Uri entryUri = _fileSystem.path.toUri(asset);
-+         result.add(_Asset(
-+-          baseDir: _fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'artifacts', 'material_fonts'),
-++          baseDir: _fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts'),
-+           relativeUri: Uri(path: entryUri.pathSegments.last),
-+           entryUri: entryUri,
-+           package: null,
-+diff --git a/packages/flutter_tools/lib/src/cache.dart b/packages/flutter_tools/lib/src/cache.dart
-+index defc86cc20..7fdf14d112 100644
-+--- a/packages/flutter_tools/lib/src/cache.dart
-++++ b/packages/flutter_tools/lib/src/cache.dart
-+@@ -22,6 +22,7 @@ import 'base/user_messages.dart';
-+ import 'build_info.dart';
-+ import 'convert.dart';
-+ import 'features.dart';
-++import 'globals.dart' as globals;
-+ 
-+ const String kFlutterRootEnvironmentVariableName = 'FLUTTER_ROOT'; // should point to //flutter/ (root of flutter/flutter repo)
-+ const String kFlutterEngineEnvironmentVariableName = 'FLUTTER_ENGINE'; // should point to //engine/src/ (root of flutter/engine repo)
-+@@ -322,8 +323,13 @@ class Cache {
-+       return;
-+     }
-+     assert(_lock == null);
-++    final Directory dir = _fileSystem.directory(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter'));
-++    if (!dir.existsSync()) {
-++      dir.createSync(recursive: true);
-++      globals.os.chmod(dir, '755');
-++    }
-+     final File lockFile =
-+-      _fileSystem.file(_fileSystem.path.join(flutterRoot!, 'bin', 'cache', 'lockfile'));
-++      _fileSystem.file(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'lockfile'));
-+     try {
-+       _lock = lockFile.openSync(mode: FileMode.write);
-+     } on FileSystemException catch (e) {
-+@@ -382,8 +388,7 @@ class Cache {
-+ 
-+   String get devToolsVersion {
-+     if (_devToolsVersion == null) {
-+-      const String devToolsDirPath = 'dart-sdk/bin/resources/devtools';
-+-      final Directory devToolsDir = getCacheDir(devToolsDirPath, shouldCreate: false);
-++      final Directory devToolsDir = _fileSystem.directory(_fileSystem.path.join(flutterRoot!, 'bin/cache/dart-sdk/bin/resources/devtools'));
-+       if (!devToolsDir.existsSync()) {
-+         throw Exception('Could not find directory at ${devToolsDir.path}');
-+       }
-+@@ -536,7 +541,7 @@ class Cache {
-+     if (_rootOverride != null) {
-+       return _fileSystem.directory(_fileSystem.path.join(_rootOverride!.path, 'bin', 'cache'));
-+     } else {
-+-      return _fileSystem.directory(_fileSystem.path.join(flutterRoot!, 'bin', 'cache'));
-++      return _fileSystem.directory(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter'));
-+     }
-+   }
-+ 
-diff --git a/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch b/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch
-new file mode 100644
-index 00000000000..21b676a2af3
---- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch
-@@ -0,0 +1,36 @@
-+diff --git a/bin/internal/shared.sh b/bin/internal/shared.sh
-+index ab746724e9..1087983c87 100644
-+--- a/bin/internal/shared.sh
-++++ b/bin/internal/shared.sh
-+@@ -215,8 +215,6 @@ function shared::execute() {
-+     exit 1
-+   fi
-+ 
-+-  upgrade_flutter 7< "$PROG_NAME"
-+-
-+   BIN_NAME="$(basename "$PROG_NAME")"
-+   case "$BIN_NAME" in
-+     flutter*)
-+diff --git a/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart b/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
-+index 738fef987d..03a152e64f 100644
-+--- a/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
-++++ b/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
-+@@ -241,7 +241,6 @@ class FlutterCommandRunner extends CommandRunner<void> {
-+           globals.flutterUsage.suppressAnalytics = true;
-+         }
-+ 
-+-        globals.flutterVersion.ensureVersionFile();
-+         final bool machineFlag = topLevelResults['machine'] as bool? ?? false;
-+         final bool ci = await globals.botDetector.isRunningOnBot;
-+         final bool redirectedCompletion = !globals.stdio.hasTerminal &&
-+@@ -250,10 +249,6 @@ class FlutterCommandRunner extends CommandRunner<void> {
-+         final bool versionCheckFlag = topLevelResults['version-check'] as bool? ?? false;
-+         final bool explicitVersionCheckPassed = topLevelResults.wasParsed('version-check') && versionCheckFlag;
-+ 
-+-        if (topLevelResults.command?.name != 'upgrade' &&
-+-            (explicitVersionCheckPassed || (versionCheckFlag && !isMachine))) {
-+-          await globals.flutterVersion.checkFlutterVersionFreshness();
-+-        }
-+ 
-+         // See if the user specified a specific device.
-+         globals.deviceManager?.specifiedDeviceId = topLevelResults['device-id'] as String?;
-diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
-similarity index 86%
-rename from pkgs/development/compilers/flutter/patches/git-dir.patch
-rename to pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
-index 0c736f945ea..42ad756f8ea 100644
---- a/pkgs/development/compilers/flutter/patches/git-dir.patch
-+++ b/pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
-@@ -1,8 +1,8 @@
- diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
--index 468a91a954..5def6897ce 100644
-+index 8e4cb81340..2c20940423 100644
- --- a/dev/bots/prepare_package.dart
- +++ b/dev/bots/prepare_package.dart
--@@ -525,7 +525,7 @@ class ArchiveCreator {
-+@@ -526,7 +526,7 @@ class ArchiveCreator {
-  
-    Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
-      return _processRunner.runProcess(
-@@ -12,7 +12,7 @@ index 468a91a954..5def6897ce 100644
-      );
-    }
- diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
--index bb0eb428a9..4a2a48bb5e 100644
-+index 666c190067..b6c3761f6f 100644
- --- a/packages/flutter_tools/lib/src/commands/downgrade.dart
- +++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
- @@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
-@@ -34,19 +34,19 @@ index bb0eb428a9..4a2a48bb5e 100644
-        if (parseResult.exitCode == 0) {
-          buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
- diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
--index f2068a6ca2..99b161689e 100644
-+index dc47f17057..8068e2d1f5 100644
- --- a/packages/flutter_tools/lib/src/version.dart
- +++ b/packages/flutter_tools/lib/src/version.dart
--@@ -106,7 +106,7 @@ class FlutterVersion {
-+@@ -111,7 +111,7 @@ class FlutterVersion {
-      String? channel = _channel;
-      if (channel == null) {
-        final String gitChannel = _runGit(
---        'git rev-parse --abbrev-ref --symbolic @{u}',
--+        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
-+-        'git rev-parse --abbrev-ref --symbolic $kGitTrackingUpstream',
-++        'git --git-dir .git rev-parse --abbrev-ref --symbolic $kGitTrackingUpstream',
-          globals.processUtils,
-          _workingDirectory,
-        );
--@@ -114,7 +114,7 @@ class FlutterVersion {
-+@@ -119,7 +119,7 @@ class FlutterVersion {
-        if (slash != -1) {
-          final String remote = gitChannel.substring(0, slash);
-          _repositoryUrl = _runGit(
-@@ -55,7 +55,7 @@ index f2068a6ca2..99b161689e 100644
-            globals.processUtils,
-            _workingDirectory,
-          );
--@@ -326,7 +326,7 @@ class FlutterVersion {
-+@@ -298,7 +298,7 @@ class FlutterVersion {
-    /// the branch name will be returned as `'[user-branch]'`.
-    String getBranchName({ bool redactUnknownBranches = false }) {
-      _branch ??= () {
-@@ -64,7 +64,7 @@ index f2068a6ca2..99b161689e 100644
-        return branch == 'HEAD' ? channel : branch;
-      }();
-      if (redactUnknownBranches || _branch!.isEmpty) {
--@@ -359,7 +359,7 @@ class FlutterVersion {
-+@@ -331,7 +331,7 @@ class FlutterVersion {
-    /// wrapper that does that.
-    @visibleForTesting
-    static List<String> gitLog(List<String> args) {
-@@ -73,16 +73,16 @@ index f2068a6ca2..99b161689e 100644
-    }
-  
-    /// Gets the release date of the latest available Flutter version.
--@@ -730,7 +730,7 @@ class GitTagVersion {
-- 
--   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
-+@@ -708,7 +708,7 @@ class GitTagVersion {
-+     String gitRef = 'HEAD'
-+   }) {
-      if (fetchTags) {
- -      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
- +      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-        if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
-          globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
-        } else {
--@@ -739,7 +739,7 @@ class GitTagVersion {
-+@@ -718,7 +718,7 @@ class GitTagVersion {
-      }
-      // find all tags attached to the given [gitRef]
-      final List<String> tags = _runGit(
-@@ -91,7 +91,7 @@ index f2068a6ca2..99b161689e 100644
-  
-      // Check first for a stable tag
-      final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
--@@ -760,7 +760,7 @@ class GitTagVersion {
-+@@ -739,7 +739,7 @@ class GitTagVersion {
-      // recent tag and number of commits past.
-      return parse(
-        _runGit(
-diff --git a/pkgs/development/compilers/flutter/patches/move-cache.patch b/pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
-similarity index 83%
-rename from pkgs/development/compilers/flutter/patches/move-cache.patch
-rename to pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
-index 5cb7c71e9bd..008c5959e5b 100644
---- a/pkgs/development/compilers/flutter/patches/move-cache.patch
-+++ b/pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
-@@ -1,13 +1,9 @@
-+diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
- diff --git a/packages/flutter_tools/lib/src/asset.dart b/packages/flutter_tools/lib/src/asset.dart
--index ed42baea29..12941f733a 100644
-+index 9dd7272fbe..642c8e48e4 100644
- --- a/packages/flutter_tools/lib/src/asset.dart
- +++ b/packages/flutter_tools/lib/src/asset.dart
--@@ -11,11 +11,11 @@ import 'base/file_system.dart';
-- import 'base/logger.dart';
-- import 'base/platform.dart';
-- import 'build_info.dart';
---import 'cache.dart';
-- import 'convert.dart';
-+@@ -16,6 +16,7 @@ import 'convert.dart';
-  import 'dart/package_map.dart';
-  import 'devfs.dart';
-  import 'flutter_manifest.dart';
-@@ -15,17 +11,18 @@ index ed42baea29..12941f733a 100644
-  import 'license_collector.dart';
-  import 'project.dart';
-  
--@@ -504,7 +504,7 @@ class ManifestAssetBundle implements AssetBundle {
--         }
-+@@ -530,8 +531,7 @@ class ManifestAssetBundle implements AssetBundle {
-          final Uri entryUri = _fileSystem.path.toUri(asset);
-          result.add(_Asset(
---          baseDir: _fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'artifacts', 'material_fonts'),
--+          baseDir: _fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts'),
-+           baseDir: _fileSystem.path.join(
-+-            Cache.flutterRoot!,
-+-            'bin', 'cache', 'artifacts', 'material_fonts',
-++            globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts',
-+           ),
-            relativeUri: Uri(path: entryUri.pathSegments.last),
-            entryUri: entryUri,
--           package: null,
- diff --git a/packages/flutter_tools/lib/src/cache.dart b/packages/flutter_tools/lib/src/cache.dart
--index defc86cc20..7fdf14d112 100644
-+index dd80b1e46e..8e54517765 100644
- --- a/packages/flutter_tools/lib/src/cache.dart
- +++ b/packages/flutter_tools/lib/src/cache.dart
- @@ -22,6 +22,7 @@ import 'base/user_messages.dart';
-@@ -36,7 +33,7 @@ index defc86cc20..7fdf14d112 100644
-  
-  const String kFlutterRootEnvironmentVariableName = 'FLUTTER_ROOT'; // should point to //flutter/ (root of flutter/flutter repo)
-  const String kFlutterEngineEnvironmentVariableName = 'FLUTTER_ENGINE'; // should point to //engine/src/ (root of flutter/engine repo)
--@@ -322,8 +323,13 @@ class Cache {
-+@@ -318,8 +319,13 @@ class Cache {
-        return;
-      }
-      assert(_lock == null);
-@@ -51,7 +48,7 @@ index defc86cc20..7fdf14d112 100644
-      try {
-        _lock = lockFile.openSync(mode: FileMode.write);
-      } on FileSystemException catch (e) {
--@@ -382,8 +388,7 @@ class Cache {
-+@@ -378,8 +384,7 @@ class Cache {
-  
-    String get devToolsVersion {
-      if (_devToolsVersion == null) {
-@@ -61,7 +58,7 @@ index defc86cc20..7fdf14d112 100644
-        if (!devToolsDir.existsSync()) {
-          throw Exception('Could not find directory at ${devToolsDir.path}');
-        }
--@@ -536,7 +541,7 @@ class Cache {
-+@@ -532,7 +537,7 @@ class Cache {
-      if (_rootOverride != null) {
-        return _fileSystem.directory(_fileSystem.path.join(_rootOverride!.path, 'bin', 'cache'));
-      } else {
-@@ -70,8 +67,7 @@ index defc86cc20..7fdf14d112 100644
-      }
-    }
-  
--diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
--index 2aac9686e8..32c4b98b88 100644
-+index c539d67156..4e0a64f7a9 100644
- --- a/packages/flutter_tools/lib/src/artifacts.dart
- +++ b/packages/flutter_tools/lib/src/artifacts.dart
- @@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
-@@ -82,8 +78,8 @@ index 2aac9686e8..32c4b98b88 100644
- +        final String path = _dartSdkPath(_fileSystem);
-          return _fileSystem.directory(path);
-        case HostArtifact.engineDartBinary:
---        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
--+        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform));
-          return _fileSystem.file(path);
-        case HostArtifact.flutterWebSdk:
-          final String path = _getFlutterWebSdkPath();
-@@ -91,12 +87,12 @@ index 2aac9686e8..32c4b98b88 100644
-        case HostArtifact.dart2jsSnapshot:
-        case HostArtifact.dartdevcSnapshot:
-        case HostArtifact.kernelWorkerSnapshot:
---        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
--+        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
-          return _fileSystem.file(path);
-        case HostArtifact.iosDeploy:
--         final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
--@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
-+         final String artifactFileName = _hostArtifactToFileName(artifact, _platform);
-+@@ -465,11 +465,13 @@ class CachedArtifacts implements Artifacts {
-    String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
-      final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-      switch (artifact) {
-@@ -125,8 +121,8 @@ index 2aac9686e8..32c4b98b88 100644
- -      case Artifact.frontendServerSnapshotForEngineDartSdk:
-        case Artifact.constFinder:
-        case Artifact.flutterMacOSFramework:
--       case Artifact.flutterMacOSPodspec:
--@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
-+       case Artifact.flutterPatchedSdkPath:
-+@@ -586,14 +588,10 @@ class CachedArtifacts implements Artifacts {
-          // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
-          // android_arm in profile mode because it is available on all supported host platforms.
-          return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
-@@ -142,27 +138,27 @@ index 2aac9686e8..32c4b98b88 100644
-        case Artifact.icuData:
-          final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
-          final String platformDirName = _enginePlatformDirectoryName(platform);
--@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
--         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+@@ -776,7 +774,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
-+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
-          return _fileSystem.file(path);
-        case HostArtifact.dartdevcSnapshot:
---        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
--+        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
-          return _fileSystem.file(path);
-        case HostArtifact.kernelWorkerSnapshot:
--         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
--@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
--       case Artifact.windowsUwpCppClientWrapper:
-+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
-+@@ -901,9 +899,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
-+       case Artifact.windowsCppClientWrapper:
-          return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
-        case Artifact.frontendServerSnapshotForEngineDartSdk:
- -        return _fileSystem.path.join(
- -          _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
- -        );
- +        return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
--       case Artifact.uwptool:
--         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
-      }
--@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
-+   }
-+ 
-+@@ -1011,8 +1007,8 @@ class OverrideArtifacts implements Artifacts {
-  }
-  
-  /// Locate the Dart SDK.
-@@ -174,12 +170,12 @@ index 2aac9686e8..32c4b98b88 100644
-  
-  class _TestArtifacts implements Artifacts {
- diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
--index d906511a15..adfdd4bb42 100644
-+index aed3eb9285..81b8362648 100644
- --- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
- +++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
--@@ -153,10 +153,6 @@ void main() {
--         artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
--         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
-+@@ -141,10 +141,6 @@ void main() {
-+         artifacts.getArtifactPath(Artifact.flutterTester, platform: TargetPlatform.linux_arm64),
-+         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'linux-arm64', 'flutter_tester'),
-        );
- -      expect(
- -        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
-@@ -188,7 +184,7 @@ index d906511a15..adfdd4bb42 100644
-      });
-  
-      testWithoutContext('precompiled web artifact paths are correct', () {
--@@ -322,11 +318,6 @@ void main() {
-+@@ -310,11 +306,6 @@ void main() {
-          artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
-          fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
-        );
-@@ -197,6 +193,6 @@ index d906511a15..adfdd4bb42 100644
- -        fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
- -          'snapshots', 'frontend_server.dart.snapshot')
- -      );
--     });
-- 
--     testWithoutContext('getEngineType', () {
-+       expect(
-+         artifacts.getHostArtifact(HostArtifact.impellerc).path,
-+         fileSystem.path.join('/out', 'host_debug_unopt', 'impellerc'),
-diff --git a/pkgs/os-specific/linux/firmware/firmware-updater/default.nix b/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
-index fb9d3a9a36c..cc906b763e8 100644
---- a/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
-+++ b/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
-@@ -1,13 +1,13 @@
- { lib
--, flutter
-+, flutter2
- , fetchFromGitHub
- }:
- 
--flutter.mkFlutterApp {
-+flutter2.mkFlutterApp {
-   pname = "firmware-updater";
-   version = "unstable";
- 
--  vendorHash = "sha256-3wVA9BLCnMijC0gOmskz+Hv7NQIGu/jhBDbWjmoq1Tc=";
-+  vendorHash = "sha256-7uOiebGBcX61oUyNCi1h9KldTRTrCfYaHUQSH4J5OoQ=";
- 
-   src = fetchFromGitHub {
-     owner = "canonical";
-diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
-index 4f25d9b20d8..c282471c464 100644
---- a/pkgs/top-level/all-packages.nix
-+++ b/pkgs/top-level/all-packages.nix
-@@ -13448,6 +13448,7 @@ with pkgs;
-   flutterPackages =
-     recurseIntoAttrs (callPackage ../development/compilers/flutter { });
-   flutter = flutterPackages.stable;
-+  flutter2 = flutterPackages.v2;
- 
-   fnm = callPackage ../development/tools/fnm {
-     inherit (darwin.apple_sdk.frameworks) DiskArbitration Foundation Security;

nixpatches/list.nix

@@ -1,17 +1,4 @@
 fetchpatch: [
-  # Flutter: 3.0.4 -> 3.3.3, flutter.dart: 2.17.5 -> 2.18.2
-  # merged 2022/10/07
-  # (fetchpatch {
-  #   url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
-  #   sha256 = "sha256-HRkOIBcOnSXyTKkYxnMgZou8MHU/5eNhxxARdUq9UWg=";
-  #   # url = "https://git.uninsane.org/colin/nixpkgs/commit/889c3a8cbc91c0d10b34ab7825fa1f6d1d31668a.diff";
-  #   # sha256 = "sha256-qVWLpNoW3HVSWRtXS1BcSusKOq0CAMfY0BVU9MxPm98=";
-  # })
-  #
-  # XXX this is a cherry-pick of all the commits in PR 189338 (as appears in tree).
-  # the diff yielded by Github is apparently not the same somehow (maybe because the branches being merged had diverged too much?)
-  ./11-flutter-3.3.3-189338.patch
-
   # phosh-mobile-settings: init at 0.21.1
   (fetchpatch {
     url = "http://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
@@ -19,11 +6,32 @@ fetchpatch: [
     sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
   })
 
-  # kaiteki: init at 2022-09-03
+  # # kaiteki: init at 2022-09-03
+  # vendorHash changes too frequently (might not be reproducible).
+  # using local package defn until stabilized
+  # (fetchpatch {
+  #   url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
+  #   # url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
+  #   sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
+  # })
+
+  # freshrss: patchShebangs instead of specifying interpreter in the service
   (fetchpatch {
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
-    # url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
-    sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/9443d83e6fee728c1926a783647b45011bd3b514.diff";
+    url = "https://github.com/NixOS/nixpkgs/pull/196140.diff";
+    sha256 = "sha256-Lngle5YTE7ymQyUarKbebMjiaTlY5cJBoaeZk7AgbXE=";
+  })
+
+  # nautilus: look for the gtk4 FileChooser settings instead of the gtk4 one
+  (fetchpatch {
+    # original version (include the patch in nixpkgs)
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/4636a04c1c4982a0e71ae77d3aa6f52d1a3170f1.diff";
+    # sha256 = "sha256-XKfXStdcveYuk58rlORVJOv0a9Q5aRj1bYT5k79rL0g=";
+
+    # v2 (fetchpatch from upstream PR)
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/730a802808c549220144e4e62aa419bb07c5ae29.diff";
+    url = "https://github.com/NixOS/nixpkgs/pull/195985.diff";
+    sha256 = "sha256-zd7WGOTm3ygh0Wk3uiA+1S+RqD9yWDSXvo7veHs0K00=";
   })
 
   # Fix mk flutter app

pkgs/gocryptfs/default.nix

@@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+
+(pkgs.gocryptfs.overrideAttrs (upstream: {
+  # XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
+  # unless `logger` (util-linux) is accessible from gocryptfs.
+  # this is surprising: the code LOOKS like it's meant to handle logging failures.
+  # propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
+  #
+  # TODO: see about upstreaming this
+  postInstall = ''
+    wrapProgram $out/bin/gocryptfs \
+      --suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
+    ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
+  '';
+}))

pkgs/kaiteki/default.nix

@@ -10,7 +10,7 @@ flutter.mkFlutterApp rec {
   pname = "kaiteki";
   version = "unstable-2022-09-03";
 
-  vendorHash = "sha256-IlsMoJjgB/fWI5QxSnnFSChVWFMnMGUD4QJdDUuTE+Q=";
+  vendorHash = "sha256-CXEaQeXEY5PYpcoqmPcRfcyaFsEDZ8bq1pgApmjyp0c=";
 
   src = fetchFromGitHub {
     owner = "Kaiteki-Fedi";

pkgs/lightdm-mobile-greeter/default.nix

@@ -0,0 +1,53 @@
+{ lib
+, fetchFromGitea
+, gtk3
+, libhandy_0
+, lightdm
+, pkgs
+, linkFarm
+, pkg-config
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "lightdm-mobile-greeter";
+  version = "0.1.2";
+
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "lightdm-mobile-greeter";
+    rev = "v${version}";
+    hash = "sha256-x7tpaHYDg6BPIc3k3zzPvZma0RYuGAMQ/z6vAP0wbWs=";
+  };
+  cargoHash = "sha256-5WJGnLdZd4acKPEkkTS71n4gfxhlujHWnwiMsomTYck=";
+
+  buildInputs = [
+    gtk3
+    libhandy_0
+    lightdm
+  ];
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  postInstall = ''
+    mkdir -p $out/share/applications
+    substitute lightdm-mobile-greeter.desktop \
+      $out/share/applications/lightdm-mobile-greeter.desktop \
+      --replace lightdm-mobile-greeter $out/bin/lightdm-mobile-greeter
+  '';
+
+  passthru.xgreeters = linkFarm "lightdm-mobile-greeter-xgreeters" [{
+    path = "${pkgs.lightdm-mobile-greeter}/share/applications/lightdm-mobile-greeter.desktop";
+    name = "lightdm-mobile-greeter.desktop";
+  }];
+
+  meta = with lib; {
+    description = "A simple log in screen for use on touch screens.";
+    homepage = "https://git.uninsane.org/colin/lightdm-mobile-greeter";
+    maintainers = with maintainers; [ colinsane ];
+    platforms = platforms.linux;
+    license = licenses.mit;
+  };
+}

pkgs/matrix-appservice-discord/01-puppet.patch

@@ -1,13 +0,0 @@
-diff --git a/src/clientfactory.ts b/src/clientfactory.ts
-index b7fea47..587acfd 100644
---- a/src/clientfactory.ts
-+++ b/src/clientfactory.ts
-@@ -53,7 +53,7 @@ export class DiscordClientFactory {
-         });
- 
-         try {
--            await this.botClient.login(this.config.botToken, true);
-+            await this.botClient.login(this.config.botToken, false);
-             log.info("Waiting for shardReady signal");
-             await waitPromise;
-             log.info("Got shardReady signal");

pkgs/matrix-appservice-discord/02-auto-approve.patch

@@ -1,16 +0,0 @@
-diff --git a/src/provisioner.ts b/src/provisioner.ts
-index c1568af..28a44c5 100644
---- a/src/provisioner.ts
-+++ b/src/provisioner.ts
-@@ -99,8 +99,9 @@
-         this.pendingRequests.set(channelId, approveFn);
-         setTimeout(() => approveFn(false, true), timeout);
- 
--        await channel.send(`${requestor} on matrix would like to bridge this channel. Someone with permission` +
--            " to manage webhooks please reply with `!matrix approve` or `!matrix deny` in the next 5 minutes");
-+        // await channel.send(`${requestor} on matrix would like to bridge this channel. Someone with permission` +
-+        //     " to manage webhooks please reply with `!matrix approve` or `!matrix deny` in the next 5 minutes");
-+        approveFn(true);
-         return await deferP;
- 
-     }

pkgs/matrix-appservice-discord/03-no-edits.patch

@@ -1,14 +0,0 @@
-diff --git a/src/bot.ts b/src/bot.ts
-index 8bc73d4..1e6ea67 100644
---- a/src/bot.ts
-+++ b/src/bot.ts
-@@ -568,7 +568,8 @@ export class DiscordBot {
-             }
-             const link = `https://discord.com/channels/${chan.guild.id}/${chan.id}/${editEventId}`;
-             embedSet.messageEmbed.description = `[Edit](${link}): ${embedSet.messageEmbed.description}`;
--            await this.send(embedSet, opts, roomLookup, event);
-+            log.warn("not editing sent Matrix -> Discord message");
-+            // await this.send(embedSet, opts, roomLookup, event);
-         } catch (err) {
-             // throw wrapError(err, Unstable.ForeignNetworkError, "Couldn't edit message");
-             log.warn(`Failed to edit message ${event.event_id}`);

pkgs/matrix-appservice-discord/04-no-kickbans.patch

@@ -1,88 +0,0 @@
-diff --git a/src/bot.ts b/src/bot.ts
-index 8bc73d4..1e6ea67 100644
---- a/src/bot.ts
-+++ b/src/bot.ts
-@@ -795,82 +796,7 @@ export class DiscordBot {
-         roomId: string, kickeeUserId: string, kicker: string, kickban: "leave"|"ban",
-         previousState: string, reason?: string,
-     ) {
--        const restore = kickban === "leave" && previousState === "ban";
--        const client = await this.clientFactory.getClient(kicker);
--        let channel: Discord.Channel;
--        try {
--            channel = await this.GetChannelFromRoomId(roomId, client);
--        } catch (ex) {
--            log.error("Failed to get channel for ", roomId, ex);
--            return;
--        }
--        if (channel.type !== "text") {
--            log.warn("Channel was not a text channel");
--            return;
--        }
--        const tchan = (channel as Discord.TextChannel);
--        const kickeeUser = await this.GetDiscordUserOrMember(
--            kickeeUserId.substring("@_discord_".length, kickeeUserId.indexOf(":") - 1),
--            tchan.guild.id,
--        );
--        if (!kickeeUser) {
--            log.error("Could not find discord user for", kickeeUserId);
--            return;
--        }
--        const kickee = kickeeUser as Discord.GuildMember;
--        let res: Discord.Message;
--        const botChannel = await this.GetChannelFromRoomId(roomId) as Discord.TextChannel;
--        if (restore) {
--            await tchan.overwritePermissions([
--                {
--                    allow: ["SEND_MESSAGES", "VIEW_CHANNEL"],
--                    id: kickee.id,
--                }],
--                `Unbanned.`,
--            );
--            this.channelLock.set(botChannel.id);
--            res = await botChannel.send(
--                `${kickee} was unbanned from this channel by ${kicker}.`,
--            ) as Discord.Message;
--            this.sentMessages.push(res.id);
--            this.channelLock.release(botChannel.id);
--            return;
--        }
--        const existingPerms = tchan.permissionsFor(kickee);
--        if (existingPerms && existingPerms.has(Discord.Permissions.FLAGS.VIEW_CHANNEL as number) === false ) {
--            log.warn("User isn't allowed to read anyway.");
--            return;
--        }
--        const word = `${kickban === "ban" ? "banned" : "kicked"}`;
--        this.channelLock.set(botChannel.id);
--        res = await botChannel.send(
--            `${kickee} was ${word} from this channel by ${kicker}.`
--            + (reason ? ` Reason: ${reason}` : ""),
--        ) as Discord.Message;
--        this.sentMessages.push(res.id);
--        this.channelLock.release(botChannel.id);
--        log.info(`${word} ${kickee}`);
--
--        await tchan.overwritePermissions([
--            {
--                deny: ["SEND_MESSAGES", "VIEW_CHANNEL"],
--                id: kickee.id,
--            }],
--            `Matrix user was ${word} by ${kicker}.`,
--        );
--        if (kickban === "leave") {
--            // Kicks will let the user back in after ~30 seconds.
--            setTimeout(async () => {
--                log.info(`Kick was lifted for ${kickee.displayName}`);
--                await tchan.overwritePermissions([
--                    {
--                        allow: ["SEND_MESSAGES", "VIEW_CHANNEL"],
--                        id: kickee.id,
--                    }],
--                    `Lifting kick since duration expired.`,
--                );
--            }, this.config.room.kickFor);
--        }
-+        return; // this is about letting Discord users know when Matrix users are kicked/banned
-     }
- 
-     public async GetEmojiByMxc(mxc: string): Promise<DbEmoji> {

pkgs/matrix-appservice-discord/05-no-meta.patch

@@ -1,13 +0,0 @@
-diff --git a/src/matrixeventprocessor.ts b/src/matrixeventprocessor.ts
-index f1f4611..7b57ff3 100644
---- a/src/matrixeventprocessor.ts
-+++ b/src/matrixeventprocessor.ts
-@@ -278,6 +278,8 @@ export class MatrixEventProcessor {
-             return;
-         }
- 
-+        return; // disable all meta notifications
-+
-         msg += " on Matrix.";
-         const channel = await this.discord.GetChannelFromRoomId(event.room_id) as Discord.TextChannel;
-         await this.discord.sendAsBot(msg, channel, event);

pkgs/matrix-appservice-discord/default.nix

@@ -1,19 +0,0 @@
-{ pkgs }:
-
-(pkgs.matrix-appservice-discord.overrideAttrs (upstream: {
-  # 2022-10-05: the service can't login as an ordinary user unless i change the source
-  doCheck = false;
-  patches = (upstream.patches or []) ++ [
-    # don't register with better-discord as a bot
-    ./01-puppet.patch
-    # don't ask Discord admin for approval before bridging
-    ./02-auto-approve.patch
-    # disable Matrix -> Discord edits because they do not fit Discord semantics
-    ./03-no-edits.patch
-    # we don't want to notify Discord users that a Matrix user was kicked/banned
-    ./04-no-kickbans.patch
-    # don't notify Discord users when the Matrix room changes (name, topic, membership)
-    ./05-no-meta.patch
-  ];
-}))
-

pkgs/overlay.nix

@@ -27,8 +27,6 @@
   pleroma = prev.callPackage ./pleroma { };
   # jackett doesn't allow customization of the bind address: this will probably always be here.
   jackett = prev.callPackage ./jackett { pkgs = prev; };
-  # TODO: delete matrix-appservice-discord
-  matrix-appservice-discord = prev.callPackage ./matrix-appservice-discord { pkgs = prev; };
   # mozilla keeps nerfing itself and removing configuration options
   firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
   # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
@@ -37,9 +35,12 @@
   # patch rpi uboot with something that fixes USB HDD boot
   ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
 
+  gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
+
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
-  # kaiteki = prev.callPackage ./kaiteki { };
-  kaiteki = prev.kaiteki;
+  kaiteki = prev.callPackage ./kaiteki { };
+  lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
+  # kaiteki = prev.kaiteki;
   # TODO: upstream, or delete nabla
   nabla = prev.callPackage ./nabla { };
 })

pkgs/sane-scripts/default.nix

@@ -23,6 +23,7 @@ resholve.mkDerivation {
         file
         findutils
         gnugrep
+        gocryptfs
         ifuse
         inotify-tools
         ncurses
@@ -54,14 +55,15 @@ resholve.mkDerivation {
       };
 
       # list of programs which *can* or *cannot* exec their arguments
-      execer = [
-        "cannot:${pkgs.ifuse}/bin/ifuse"
-        "cannot:${pkgs.oath-toolkit}/bin/oathtool"
-        "cannot:${pkgs.openssh}/bin/ssh-keygen"
-        "cannot:${pkgs.rmlint}/bin/rmlint"
-        "cannot:${pkgs.rsync}/bin/rsync"
-        "cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
-        "cannot:${pkgs.sops}/bin/sops"
+      execer = with pkgs; [
+        "cannot:${gocryptfs}/bin/gocryptfs"
+        "cannot:${ifuse}/bin/ifuse"
+        "cannot:${oath-toolkit}/bin/oathtool"
+        "cannot:${openssh}/bin/ssh-keygen"
+        "cannot:${rmlint}/bin/rmlint"
+        "cannot:${rsync}/bin/rsync"
+        "cannot:${sops}/bin/sops"
+        "cannot:${ssh-to-age}/bin/ssh-to-age"
       ];
     };
   };

pkgs/sane-scripts/src/sane-private-init

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# configure persistent, encrypted storage that is auto-mounted on login.
+# this is a one-time setup and user should log out/back in after running it.
+
+p=/nix/persist/home/colin/private
+mkdir -p $p
+gocryptfs -init $p

readme.md

@@ -1,9 +1,11 @@
 to deploy:
+
 ```sh
 nixos-rebuild --flake "./#servo" {build,switch}
 ```
 
 more options (like building packages defined in this repo):
+
 ```sh
 nix flake show
 ```
@@ -28,6 +30,18 @@ refer to flake.nix for more details.
 
 to build one of the custom sane packages, just name it:
 
-```
+```sh
 nix build ./#fluffychat-moby
 ```
+
+to build a nixpkg:
+
+```sh
+nix build ./#nixpkgs.curl
+```
+
+to build a package for another platform:
+
+```sh
+nix build ./#packages.aarch64-linux.nixpkgs.ubootRaspberryPi4_64bit
+```

scripts/install-iwd

@@ -15,4 +15,6 @@ do
         # not sure that iwd can deal with un-writeable symlinks
         # ln -sf "$src_dir/$f" "$dest_dir/$ssid.psk"
         cp "$src_dir/$f" "$dest_dir/$ssid.psk"
+        # not strictly necessary, but iwd does default to rw
+        chmod 600 "$dest_dir/$ssid.psk"
 done

secrets/servo.yaml

@@ -7,6 +7,7 @@ wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2H
 #ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
 #ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
 dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
+freshrss_passwd: ENC[AES256_GCM,data:MilteAOk+MZjta+E7Zhxq80y,iv:VigZk0nNHvQNlm36jVN5YXY7bhxmx2CFBizbVFCA8O0=,tag:DKsxGsv53SsJsp3J7UIsgg==,type:str]
 #ENC[AES256_GCM,data:1zQ8X9W4ZGquYEjEsN8YNLhwBt6kaRCKYMjM8GiZbKzsaqwt/cFk+4cC85+QKWF0FNlX38Uba7bI2FvC8fTIO8eoZ5VymJ9Du3NcExE1976FSIze44FhtkSKQkm/vQw5cb2sPNKBGFLSNV/IpdPu,iv:xwv2+Fns0k2STkS760v9p1XZ5s2HAz3wLb8xyIOGTGA=,tag:OGtHxQgyWxGKtg5I9nJAag==,type:comment]
 nix_serve_privkey: ENC[AES256_GCM,data:JlLuslwyjKARo3Mo36SeRz6ctVuV+jzDMXACekaGs/UjP+Jm8PoxZsWjMcN+qq0tJB9xGMfi7TKHDi+XnK2k60h+7+yDyeqJQfjID6axMYmgxYUivq4CugutFVB27FmDPljUs2M7CRqe1IHrdjc=,iv:1iQVr9rP80hHCRSVD95KW7bpOWj3oZReJAvqa9TllJ8=,tag:6DDGtHF4suOyy2kcnqSDsQ==,type:str]
 #ENC[AES256_GCM,data:cyptbs4VfXY4P4+W5e2LRZOHkpqvWzn2JEpV80w8cIaQ0lTZa/Hg7IwDNQcsYobmBFO2yLrKawHDKlDos2fMy0KgIhUrw4f8WksxdC06oMqS0mDtgA==,iv:StB34bvA8GWR+7nwOOpsiJ3yqGgeSg5frAgRMhff8nw=,tag:b1LYFzII2Ik1nmGXxgMZuw==,type:comment]
@@ -46,8 +47,8 @@ sops:
             U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
             xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-10T08:38:03Z"
-    mac: ENC[AES256_GCM,data:DroE9KGyV6hba0aPVYmwxpL8yXDa+AFsjyF5ttImW5bKzE9EM2I76APoGOyvOnnnbBRrOditWXA2HQzhf4M/7hq0CmLLph1J3I8xgEsaiJiExaKZQpQTBS/ZAHeygR/fvRcMmAY9VZRubv1iQ94rDkZ3C3UJ+8SMuwpdmdlaPYc=,iv:KkY0Kmd02QYx0Ds0LUY9tXz+AayKj6Y5p/rUO8sLYCc=,tag:gZDe+GOw2ULJ1yHONlt7bw==,type:str]
+    lastmodified: "2022-10-14T00:37:52Z"
+    mac: ENC[AES256_GCM,data:qKr1aKWxuJWwjUYX+JWAdwHFAwApHm9hOYBgZxAIXbXHhOo04K1MFBDTsAvtvN1a11QtCJYDNuVNpuRu3bf/5Ji5ROTaKfQCgPk+ZScJuWpLsxchYV+TnlREwQI+qgvogyMKMlPInozgd7RNnsePdg7DtYFfGMAvUtX9OidxAXI=,iv:EAkNQkIqoXtRy+uSb7ccl9T5b6hiyRll/m76nhir9AI=,tag:kCDEBJDW34VgLQPd4V+uYA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

secrets/servo/matrix_appservice_discord_env.bin

@@ -1,28 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:7j1l4XJ8cp8MVuSmOedOZwGDWV11hmwFyLW43ixUBaZLWbUZ6Z4P4Gt+o7bj8gc/X8aiPV8sxAR/jY28Sc5DIaAnkKnXjesPVlG0c3oRAsXemKGX8fANkoNX5iEPbWAkFiJdLS6Fgdv2g4z6DQ4odvZQKrMchx8MPYq8icBvvbhKiGs5xo+MGrMBVRCZOERM2FJSy/q9zLv6hU5SfnnYDTMt,iv:poHHiCs0YOCv74dQ2kyXogdgTUqmKRgGq2r7lcxe4bQ=,tag:rz1/FLC5Q8S13TTWNKcYyQ==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TjVWenJkYVdjeExzYjVj\nUVdFeUdMRUtwOWJNYUx6dFRWRXdEUWJhdkVFClM1UnhtWndYbE91RCtVRnl4TGp4\nZHNJNUliOWhqcUorZVBEQWR0eXZaMVEKLS0tIDdsVFJ2bmdNeVk5b3FJVDQ3T1BG\nU0taQlA1QVEvYVJweDQ5L2YwTmo2ek0K+nbzpIpjAhRgJ5Lw+mx/doGMjw0aMNkZ\n5sAnPJo88Sa/TW3qBN48xFBMLWMp/SKs2JTaMu0xW0u2SkQX38TLlw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUFBSYVJZUmRBcGJXclNP\nRDRUZnRKMmYwdFhQcE1oWUhrZGxNTk5YOFIwCldUMW92NGl0VVBsS0JtYjJOTW9E\nK2ZZdm9GK3FOMitUdEU3QStsR2svQWMKLS0tIE9SWXAzVndsdGY3Uzh2eHpBRjdO\nTVc4cWNDUWRuSWRmZC8rK1ZFS2l4WEkKQR9mApDjb0k14W3jK+CEz3Dez6wSBpg+\nZ7uUfSbPXFxRxvNEascRn/+EHPcd/A7MZjViDUyWVcP6fSMPsQvxhw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWHlteTRDcHRneW9hbzlh\nMHBjZ2RHeDBIbDM2QXVxK09mcERVSUliVWw0Ckg1dGFkUUxPQW1HcDFXcEEyejFD\nWW5qUkNwRkdIdjRiTFJNd0Q5NWpLUUEKLS0tIG1wTnk1aEhudm9VZjZRVGRWWnR0\nVHlFbUJHaitadDVOSG1FMTBqeHJGV0kKAjuuw3j4dx3QfNcjyl8XCP9Q6oOkLZBN\nsW7uCqbVgBCG+uIggwefLWAy8g6PYlLj0aumgLPYVsXShbQYi32m/g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2022-10-06T05:07:20Z",
-		"mac": "ENC[AES256_GCM,data:9WR8xfs5XIkWxDlJVX1EiSJBLBgWMR99PJJXCK9RcbuChK7QvjWjEflwq419qeNbMWdHLkUwSQrBsoHomaiGWFOPZ0C8bqcqDl0zzXMk7nBxM4UgTjRLmML2tdI2bCS0DC0AtytThYPvkW+JHgKB6bOAEw/bVWVP4YJQKWEf6FY=,iv:nG+J7jCdqZHp6x6Vlvye7BbK7YSl0Y9cjTWbW/BZLxo=,tag:OWqXktZE52Q3j7D2KG+vHw==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
-	}
-}

secrets/universal/net/home-shared-24G.psk.bin

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:U0EwYI7Y0s6SO0lCqF0J8Zw9dyAiaiUBUOMh6tC8cLP2dSbCCptKeL6r64zhjZM1JHJ7MK/DbGVyq6c9osh8OtU=,iv:6wElrgQM6r+Cm/FNGrQeWOVUG2m5TXWiEyMkiCLtnXM=,tag:xjDgGK6QCWw6UlKxvyv52A==,type:str]",
+	"data": "ENC[AES256_GCM,data:eB7lM7gzQVRrs31/vb4D19N0xvmau5mp77scLaj6h9HHI/6sJ9LTu+gfSGQIOID7xJA4m1T77aYLC6wC9tXBOAVwcdFcXrFsoYuVU2COtRPWTjeMWiK3t5eQ6TLrgru6OUcC0bpeCtZhQbXYkBTBViMNOfXdah0t9NxGPrSn0pNwMs22Ndcc1zRJFPqvjcaVWCxRsfWWBZfDx+AK0PWwxCbHaDMx9Vw5vJltmF1NVc37dTqIVRY/n4xNbqA1pEs4Ese8rjojU9VZFObpJb0k,iv:JAJIuOzPM3/jw/3APWPCCwuhXaFlKABFqch8GUDFX9E=,tag:S7Tk3T+/8H7pIWMKkrfGSg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -39,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVTQyV0o3eWtQTEsxTXNZ\ndGJjcjQwWjA2QXFubmJSdGwyRHliRmtQSW1VCmh1K2l0NnVmNUlMUjdmd09IeG5a\nTVgvOWh1RWZZZnB1RkNHMjVSMG1pVG8KLS0tIElNbk53dnJxRE90WHZSbFVYRVAr\nNjcraVhhWVdpTDZJOG9uaUVmWFF2T00KGyNISTg/g7v1+VFlCg0MjDTjbcahdSQk\nQpxdjvqQ3qtcfOS/+OO5CZYEJIVp6YybXyHJ4SSbaED22YtTJGmRNw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2022-09-29T11:29:49Z",
-		"mac": "ENC[AES256_GCM,data:LaNUZ90jysY/2qR7UpZ14wS40AMtFYb9U/siHNRxQgWAz/6jIEWAbKm9AgkT0rA4swQoDlmcDof01UtFTrh9whfKjiOovjuqVUzeflZbKECjvbTh5UPbMedTaAJ3LU9HrO6JVB4eGlsXhO8s75larG6tRNiwvXzrVS1icRS6ebM=,iv:/uypXokTQu4IkqNyY10MBQj0XXLLtWYNmloY3rttqfw=,tag:WXX1aUnOZYUVEy8QgQNZHw==,type:str]",
+		"lastmodified": "2022-10-10T06:28:09Z",
+		"mac": "ENC[AES256_GCM,data:GnYn/2ZxpiaNiS/nXITkyETliL8HLnhP7iIlagna7xEnng5ttWTRvrzvF2P2ehUcCb7t7c0M7DPhA4rqLZlqvNNP+qi9UKkZ+Skn9e7d67hPmIrp6bOPpY+UGFmIA71xWjGUehtT7AfbHqYo26VjaYzP/OPrVT3uuAMkw8xsRo8=,iv:ISQUmG3speflSfQoU9eefYmfPw3Sq0cJPzIirk7W9rA=,tag:LkSnOJfBca/8KQggXmvYdA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"

secrets/universal/net/home-shared.psk.bin

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:SFlFGQxJUdMADvYgSMRB3zNsC8f3FmUbFtVylyCRt20T0ZBzxmkfApdPcpok3lXAKJ+EC042Aac9zEJU,iv:fxEsrF543nRrkfriVgdhUSJMi3FhXNTMwK4+4qzSM+w=,tag:fygQgjcedtPCZfdMOHnuEg==,type:str]",
+	"data": "ENC[AES256_GCM,data:ou55VGY+beKMouNj4qQaBOAZK/5UKu6A521lNW2i0KlSmgJ8qQ501lesy0bEmDkZqqhluP8XE5FZLwEXvqqMh/TBuN1OkCsQis53/M1s0g==,iv:Ir5uD1P8OlHlcjGCHVkUHr0AjoXzd7kOcAeajo66hUE=,tag:m+rReK9o/8TG4LBkNN1ZZQ==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -39,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraXJQOHR6ZzE5TjNQYmpB\nSStEQS9mcUpMSXlFQ05DcllFSjNOT1pWdVJZCmtSL3FkZ2Q1cU1Fc1dZbG13eXJC\nTXJkN0NzWTlDOEFMRGNQUG5HQUNUVDgKLS0tIGRwcmVxS0lNQ09GdmxKY2pkQ2Yz\nSkpZam1ZQUN1L1FZZ010ZlhUV1N4VlkKqsFAE+xZ24IMzIFjbsgANdjiGwVZk5rq\n66y00bjw+uj6WOwQuE1I9WcYDhCXEUQB9u4Q+hzejaFzCJ90N/WF4w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2022-09-29T11:30:17Z",
-		"mac": "ENC[AES256_GCM,data:x0pSMtOrID2h1E0PgEHLBcESOYZvkJE07UpCK+TN3zqMfyUFoDRK/Ro335QZXekQ7VSdSKFj/al7bpgscYO+ZXHrCHoFIW/HF6YSOKRzobVT3SXP0e9u/1BpGQW8qtaOVwWb0M8jpgoJ7W+OwzgMHIU9DW3NopfxZy10al+48Tw=,iv:JiA8z9MWEM68Eqip0Bp7xQR65Lu12dhWZFvH43vbABA=,tag:LyIgygW8Cr9VCxs/aKoXGw==,type:str]",
+		"lastmodified": "2022-10-08T03:39:12Z",
+		"mac": "ENC[AES256_GCM,data:4Rr2iqmzLtE9i45Hn10wuf8unKt+YNAYTF3RWwEW1AjN+pF7ZvwMbrUutRCb6uMxCQUyNl+adfFRu8Xae0/SqFBfdAPxzeQZGrBjb384seLrNS0XyUacfdoSCczrRUF8+F3mIHetaJCd2jOpoh5HotoSN3fx+nZNhD+56XmJBr0=,iv:YlDMimhG+a9Wzq0ZN0tnZ1gH69e7olyHGWhIV2/4K64=,tag:GjVzbNa/NdzVmdPyE5etXw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"

secrets/universal/net/iphone.psk.bin

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:XGhxqtkmLOKQqcdmJvQ9rKdUW0qassF2glLvUpAs6uyO6WHVKvXKhAIJIsZZbd1RRlJ5PuwBvu7lKIrcVIswKvwF/MhXTCqfoB0fpmysaCpKdkLYojiSvsHQAXB9gIAnL0dVIEvZ+s7MRG5wp8s2+y18JsgS8jBM0vMFoLxVF41isocMcxO0a1wnCjAWy2s0845OOjhVSNCuVSjI5Oc1dTO9vycDHV4Y6MulFoBSlwfJdUf2nVR/FNuCxyxFX//wgRuN3cg1zkmoBblnvkccMGIzkmuByUAlqdaaug/Q,iv:9HIUqe5dTjVrHM5a9IrpYLtsDpg3Ts3mX9H8M8M572o=,tag:2EK0Zj6DTM/QmbVL+lG8wg==,type:str]",
+	"data": "ENC[AES256_GCM,data:fFb8QudY/dQNjrEtPMs7fnJxywLrSN1A4mgpZRw0Bicz5kFlr70qSSAd3jOg1YJm/x7nRLWLcEAv9Nn99bLywkLiiWaVhWmVGp6jTI3Mj0SX5lET7Xt0slcrJm6qUt6rTkH2dGueOm37m0rU7iR44bs/rWStNBbmuQRurRGo3zaxRSC0djyQ1wwbALJ1zhHQhf4=,iv:58ZLkQra5PJ6u4Xc1aztZ1ywlAmbudRSrk23MEbNv64=,tag:Nr4SNsqUytUMlM3i/nf0LA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -39,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYlJWZ2t6WDlRdUJqU2pG\nYkE3T005bUhCcUJ0TEw0MEdDY1JFUzJjcVMwCkhCckRzcldLWTJPSEVjbHk3VE1p\nY21rRWR3cUVscmNiL29NL3M1QjZsYlUKLS0tIDJ4M3JtdGFRbUhFR2FtSGVuZk9n\nL1VjS1hnbzZwT1lQalJBbFU0SjFOWkUKUkGyPmpilSZdupNlR+cD4+HUOwyNm8WF\nu3vS7Ec4FJcjnx2t185yXEStZSVGptw/wKTxJiJ5P9by75XkAJZFmg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2022-10-09T02:24:20Z",
-		"mac": "ENC[AES256_GCM,data:AIRI5vLpVvWuxjvPerwzsBnwsSPrtazgCMPjP2be5aUcglT9e+98Dlg+jX60XjiO/1DvEepoCLd5Xnr6GHOkgRRR90YPsZT9eRttwhBavXaOF2Da7zwP5ZOg3cO0JGQsegTxJYFMmROCZppybL6EOsT2n18pc2M2HdEBt5oKP2k=,iv:ive5dqvbBQ3Ef5ycZP+l1Vuc38ylFTJhGh5+ksMCyAc=,tag:OP9EgZN2q2OKPRpOv2x7Tg==,type:str]",
+		"lastmodified": "2022-10-10T11:53:54Z",
+		"mac": "ENC[AES256_GCM,data:CnF1ePN5hPJU37H0Qx7R1K9qvLDJuTv0hppv+sIjYyetVUjxVduS6e8szGPmZz4uBgglmtSIEOSc+j2MCrQ2AIkJmS9LoGH2FX1lzId4h8KdBs+aJZmngNPiO6apcVsNDKBmcQnw1gweJefpTKgJnhVbo9cw/bwRqs9hJMrQDDU=,iv:G5Hwonp9AB12xOxPFFVK1+xo5JSYOGacSbAZ2RFy5wo=,tag:p5zHaSzjZcVaIgTsBb0Ohw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"