nix update nixpkgs 2023-04-02 -> 2023-04-08; mobile-nixos; uninsane-dot-org

```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/7a6e97e3af73c4cca87e12c83abcb4913dac7dbc' (2023-03-22)
  → 'github:nixos/mobile-nixos/4aa0afd84005b79be4d5361b56a60df9e9bd4ea3' (2023-04-03)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/66f60deb8aa348ca81d60d0639ae420c667ff92a' (2023-04-02)
  → 'github:nixos/nixpkgs/df6db8c5b0b94b85e578d05b37e5bf3b24555638' (2023-04-08)
• Updated input 'uninsane-dot-org':
    'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=068f176a64f0e26dc8c1f0eccf28cbd05be4909b' (2023-03-29)
  → 'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=2970c6080187975a1fc996f541167e697d4ebebc' (2023-04-03)
```

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "lastModified": 1678901627,
+        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1677431790,
-        "narHash": "sha256-diCr0inBOSQYehHSxYQ2Wb5dYSrLfJYqbH2gJYmSL/c=",
+        "lastModified": 1680563603,
+        "narHash": "sha256-gxSci3NTlzgkAOhaC93Q4lReX/Pjd7++imD85JOAlps=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "c252e7bd9122704f0e0303c638f8b8412c2521c2",
+        "rev": "4aa0afd84005b79be4d5361b56a60df9e9bd4ea3",
         "type": "github"
       },
       "original": {
@@ -36,11 +36,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1675958846,
-        "narHash": "sha256-/nf09eM2vey9GrAXoqagccJrBo/fGyVKP7oNSxPqwdo=",
+        "lastModified": 1678202930,
+        "narHash": "sha256-SF82/tTnagdazlETJLzXD9kjZ6lyk38agdLbmMx1UZE=",
         "owner": "edolstra",
         "repo": "nix-serve",
-        "rev": "7089565e260267c9c234a81292c841958737cef6",
+        "rev": "3b6d30016d910a43e0e16f94170440a3e0b8fa8d",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1677367679,
-        "narHash": "sha256-pOMXi7F9tcHls06Qv+7XCPASTJeXu47Jhd0Pk9du8T4=",
+        "lastModified": 1680390120,
+        "narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ea736343e4d4a052e023d54b23334cf685de479c",
+        "rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
         "type": "github"
       },
       "original": {
@@ -82,16 +82,16 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1676569297,
-        "narHash": "sha256-2n4C4H3/U+3YbDrQB6xIw7AaLdFISCCFwOkcETAigqU=",
+        "lastModified": 1680976873,
+        "narHash": "sha256-zWSTl2cYSwV9mWttlR3clwJ5SBhJj+0p+zl43MNS1xA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ac1f5b72a9e95873d1de0233fddcb56f99884b37",
+        "rev": "df6db8c5b0b94b85e578d05b37e5bf3b24555638",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "staging-next",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -113,11 +113,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1677381477,
-        "narHash": "sha256-NLzWgll+Q0Af8gI1ha34OHt7Y1GtOMYhCWQWV9LXE9Y=",
+        "lastModified": 1680404136,
+        "narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "83fe25c8019db8216f5c6ffc65b394707784b4f3",
+        "rev": "b93eb910f768f9788737bfed596a598557e5625d",
         "type": "github"
       },
       "original": {
@@ -134,11 +134,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1675131883,
-        "narHash": "sha256-yBgJDG72YqIr1bltasqHD1E/kHc9uRFgDjxDmy6kI8M=",
+        "lastModified": 1680517067,
+        "narHash": "sha256-8Ew0IDRuzEGFUjIGqk7EjuB/NL80HDIvlR1YY4Iw95M=",
         "ref": "refs/heads/master",
-        "rev": "b099c24091cc192abf3997b94342d4b31cc5757b",
-        "revCount": 170,
+        "rev": "2970c6080187975a1fc996f541167e697d4ebebc",
+        "revCount": 187,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -12,6 +12,11 @@
 # - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
 #   - Discussion: <https://github.com/NixOS/rfcs/pull/49>
 # - <https://serokell.io/blog/practical-nix-flakes>
+#
+#
+# COMMON OPERATIONS:
+# - update a specific flake input:
+#   - `nix flake lock --update-input nixpkgs`
 
 {
   # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
@@ -22,7 +27,8 @@
     # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
 
     # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
 
     # nixpkgs = {
     #   url = "./nixpatches";
@@ -61,7 +67,7 @@
     ...
   }@inputs:
     let
-      inherit (builtins) attrNames listToAttrs map mapAttrs;
+      inherit (builtins) attrNames elem listToAttrs map mapAttrs;
       mapAttrs' = f: set:
         listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
       # mapAttrs but without the `name` argument
@@ -92,9 +98,10 @@
               self.nixosModules.passthru
               {
                 nixpkgs.overlays = [
-                  self.overlays.default
+                  self.overlays.disable-flakey-tests
                   self.overlays.passthru
                   self.overlays.pins
+                  self.overlays.pkgs
                   # self.overlays.optimizations
                 ];
                 nixpkgs.hostPlatform = target;
@@ -157,19 +164,22 @@
       # unofficial output
       host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
 
-      overlays = rec {
-        default = pkgs;
-        pkgs = import ./overlays/pkgs.nix;
-        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
-        optimizations = import ./overlays/optimizations.nix;
-        passthru =
+      overlays = {
+        # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
+        #   hence the weird redundancy.
+        default = final: prev: self.overlays.pkgs final prev;
+        disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
+        pkgs = final: prev: import ./overlays/pkgs.nix final prev;
+        pins = final: prev: import ./overlays/pins.nix final prev;
+        optimizations = final: prev: import ./overlays/optimizations.nix final prev;
+        passthru = final: prev:
           let
             stable =
               if inputs ? "nixpkgs-stable" then (
-                next: prev: {
-                  stable = inputs.nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+                final': prev': {
+                  stable = inputs.nixpkgs-stable.legacyPackages."${prev'.stdenv.hostPlatform.system}";
                 }
-              ) else (next: prev: {});
+              ) else (final': prev': {});
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlay;
             # nix-serve' = nix-serve.overlay;
@@ -180,11 +190,10 @@
               inherit (nix-serve.packages."${next.system}") nix-serve;
             };
           in
-            next: prev:
-              (stable next prev)
-              // (mobile next prev)
-              // (uninsane next prev)
-              // (nix-serve' next prev)
+              (stable final prev)
+              // (mobile final prev)
+              // (uninsane final prev)
+              // (nix-serve' final prev)
             ;
       };
 
@@ -209,18 +218,32 @@
           aarch64-linux = allPkgsFor "aarch64-linux";
         };
 
-      # extract only our own packages from the full set
-      packages = mapAttrValues
-        (full: full.sane // { inherit (full) sane uninsane-dot-org; })
-        self.legacyPackages;
+      # extract only our own packages from the full set.
+      # because of `nix flake check`, we flatten the package set and only surface x86_64-linux packages.
+      packages = mapAttrs
+        (system: allPkgs:
+          allPkgs.lib.filterAttrs (name: pkg:
+            # keep only packages which will pass `nix flake check`, i.e. keep only:
+            # - derivations (not package sets)
+            # - packages that build for the given platform
+            (! elem name [ "feeds" "pythonPackagesExtensions" ])
+            && (allPkgs.lib.meta.availableOn allPkgs.stdenv.hostPlatform pkg)
+          )
+          (allPkgs.sane // {
+            inherit (allPkgs) uninsane-dot-org;
+          })
+        )
+        # self.legacyPackages;
+        { inherit (self.legacyPackages) x86_64-linux; }
+      ;
 
       apps."x86_64-linux" =
         let
           pkgs = self.legacyPackages."x86_64-linux";
           deployScript = action: pkgs.writeShellScript "deploy-moby" ''
-            nixos-rebuild --flake '.#cross-moby' build
+            nixos-rebuild --flake '.#moby' build $@
             sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
-            nixos-rebuild --flake '.#cross-moby' ${action} --target-host colin@moby --use-remote-sudo
+            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby-hn --use-remote-sudo $@
           '';
         in {
           update-feeds = {

hosts/by-name/desko/default.nix

@@ -4,13 +4,12 @@
     ./fs.nix
   ];
 
-  sane.roles.build-machine = true;
+  sane.roles.build-machine.enable = true;
   sane.roles.client = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.services.duplicity.enable = true;
   sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
-  sane.persist.enable = true;
 
   sane.gui.sway.enable = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;

hosts/by-name/lappy/default.nix

@@ -4,13 +4,14 @@
     ./fs.nix
   ];
 
+  sane.yggdrasil.enable = true;
+
   sane.roles.client = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
   # sane.guest.enable = true;
   sane.gui.sway.enable = true;
-  sane.persist.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 

hosts/by-name/moby/default.nix

@@ -34,11 +34,11 @@
     ".config/pulse"  # persist pulseaudio volume
   ];
 
-  sane.persist.enable = true;
   sane.gui.phosh.enable = true;
   # sane.programs.consoleUtils.enableFor.user.colin = false;
   # sane.programs.guiApps.enableFor.user.colin = false;
   sane.programs.sequoia.enableFor.user.colin = false;
+  sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
 
   boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.

hosts/by-name/rescue/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   imports = [
     ./fs.nix
@@ -7,6 +7,7 @@
   boot.loader.generic-extlinux-compatible.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+  # sane.persist.enable = false;  # TODO: disable (but run `nix flake check` to ensure it works!)
   sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
 
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion

hosts/by-name/servo/default.nix

@@ -15,8 +15,9 @@
     signaldctl.enableFor.user.colin = true;
   };
 
-  sane.roles.build-machine = true;
-  sane.persist.enable = true;
+  sane.roles.build-machine.enable = true;
+  sane.roles.build-machine.emulation = false;
+  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;

hosts/by-name/servo/secrets.nix

@@ -25,6 +25,7 @@
   };
   sops.secrets."mautrix_signal_env" = {
     sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
+    format = "binary";
   };
 
   sops.secrets."mediawiki_pw" = {

hosts/by-name/servo/services/jellyfin.nix

@@ -1,16 +1,63 @@
+# configuration options (today i don't store my config in nix):
+#
+# - jellyfin-web can be statically configured (result/share/jellyfin-web/config.json)
+#   - <https://jellyfin.org/docs/general/clients/web-config>
+#   - configure server list, plugins, "menuLinks", colors
+#
+# - jellfyin server is configured in /var/lib/jellfin/
+#   - root/default/<LibraryType>/
+#     - <LibraryName>.mblink: contains the directory name where this library lives
+#     - options.xml: contains preferences which were defined in the web UI during import
+#       - e.g. `EnablePhotos`, `EnableChapterImageExtraction`, etc.
+#   - config/encoding.xml: transcoder settings
+#   - config/system.xml: misc preferences like log file duration, audiobook resume settings, etc.
+#   - data/jellyfin.db: maybe account definitions? internal state?
+
 { config, lib, ... }:
 
-# TODO: re-enable after migrating media dir to /var/lib/uninsane/media
-# else it's too spammy
-lib.mkIf false
 {
+  # identical to:
+  # services.jellyfin.openFirewall = true;
   networking.firewall.allowedUDPPorts = [
-    1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
+    # https://jellyfin.org/docs/general/networking/index.html
+    1900  # UPnP service discovery
+    7359  # Jellyfin-specific (?) client discovery
+  ];
+  networking.firewall.allowedTCPPorts = [
+    8096  # HTTP (for the LAN)
+    8920  # HTTPS (for the LAN)
   ];
   sane.persist.sys.plaintext = [
-    # TODO: mode? could be more granular
-    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
+    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; directory = "/var/lib/jellyfin"; }
   ];
+  sane.fs."/var/lib/jellyfin/config/logging.json" = {
+    # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>
+    symlink.text = ''
+      {
+        "Serilog": {
+          "MinimumLevel": {
+            "Default": "Information",
+            "Override": {
+              "Microsoft": "Warning",
+              "System": "Warning",
+              "Emby.Dlna": "Debug",
+              "Emby.Dlna.Eventing": "Debug"
+            }
+          },
+          "WriteTo": [
+            {
+              "Name": "Console",
+              "Args": {
+                "outputTemplate": "[{Timestamp:HH:mm:ss}] [{Level:u3}] [{ThreadId}] {SourceContext}: {Message:lj}{NewLine}{Exception}"
+              }
+            }
+          ],
+          "Enrich": [ "FromLogContext", "WithThreadId" ]
+        }
+      }
+    '';
+    wantedBeforeBy = [ "jellyfin.service" ];
+  };
 
   # Jellyfin multimedia server
   # this is mostly taken from the official jellfin.org docs

hosts/by-name/servo/services/matrix/default.nix

@@ -6,12 +6,10 @@
   imports = [
     ./discord-puppet.nix
     # ./irc.nix
-    ./signal.nix
+    # TODO(2023/03/10): disabled because it's not bridging and mautrix_signal is hogging CPU
+    # ./signal.nix
   ];
 
-  # allow synapse to read the registration files of its appservices
-  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
-
   sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
   ];

hosts/by-name/servo/services/matrix/signal.nix

@@ -7,6 +7,9 @@
     { user = "signald"; group = "signald"; directory = "/var/lib/signald"; }
   ];
 
+  # allow synapse to read the registration file
+  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
+
   services.signald.enable = true;
   services.mautrix-signal.enable = true;
   services.mautrix-signal.environmentFile =
@@ -27,7 +30,6 @@
   };
 
   sops.secrets."mautrix_signal_env" = {
-    format = "binary";
     mode = "0440";
     owner = config.users.users.mautrix-signal.name;
     group = config.users.users.matrix-synapse.name;

hosts/by-name/servo/services/postfix.nix

@@ -30,11 +30,14 @@ in
   ];
 
   networking.firewall.allowedTCPPorts = [
-    25   # SMTP
+    # exposed over non-vpn imap.uninsane.org
     143  # IMAP
+    993  # IMAPS
+
+    # exposed over vpn mx.uninsane.org
+    25   # SMTP
     465  # SMTPS
     587  # SMTPS/submission
-    993  # IMAPS
   ];
 
   # exists only to manage certs for dovecot
@@ -62,7 +65,7 @@ in
 
     # DKIM public key:
     TXT."mx._domainkey" =
-      "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
+      "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
     ;
 
     # DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:

hosts/common/default.nix

@@ -20,6 +20,7 @@
 
   sane.nixcache.enable-trusted-keys = true;
   sane.nixcache.enable = lib.mkDefault true;
+  sane.persist.enable = lib.mkDefault true;
   sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
   sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
 
@@ -32,6 +33,7 @@
   time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
 
   # allow `nix flake ...` command
+  # TODO: is this still required?
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
@@ -40,6 +42,11 @@
     "nixpkgs=${pkgs.path}"
     "nixpkgs-overlays=${../..}/overlays"
   ];
+  # hardlinks identical files in the nix store to save 25-35% disk space.
+  # unclear _when_ this occurs. it's not a service.
+  # does the daemon continually scan the nix store?
+  # does the builder use some content-addressed db to efficiently dedupe?
+  nix.settings.auto-optimise-store = true;
 
   fonts = {
     enableDefaultFonts = true;

hosts/common/feeds.nix

@@ -1,3 +1,9 @@
+# candidates:
+# - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
+#   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
+# - <https://www.metaculus.com/questions/11102/introducing-the-metaculus-journal-podcast/>
+#   - dead since 2022/10 - 2023/03
+
 { lib, sane-data, ... }:
 let
   hourly = { freq = "hourly"; };
@@ -50,18 +56,29 @@ let
     (fromDb "lexfridman.com/podcast" // rat)
     ## Astral Codex Ten
     (fromDb "sscpodcast.libsyn.com" // rat)
+    ## Less Wrong Curated
+    (fromDb "feeds.libsyn.com/421877" // rat)
     ## Econ Talk
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
     ## Cory Doctorow -- both podcast & text entries
     (fromDb "craphound.com" // pol)
+    ## Maggie Killjoy -- referenced by Cory Doctorow
+    (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)
     (fromDb "congressionaldish.libsyn.com" // pol)
+    (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
     ## Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
     ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
     (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
+    ## Daniel Huberman on sleep
+    (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)
+    ## Multidisciplinary Association for Psychedelic Studies
+    (fromDb "mapspodcast.libsyn.com" // uncat)
     (fromDb "allinchamathjason.libsyn.com" // pol)
     (fromDb "acquired.libsyn.com" // tech)
+    ## ACQ2 - more "Acquired" episodes
+    (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)
     # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
     (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
     ## The Daily
@@ -90,13 +107,18 @@ let
     (fromDb "seattlenice.buzzsprout.com" // pol)
     ## Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
     (fromDb "talesfromthebridge.buzzsprout.com" // tech)
+    ## UnNamed Reverse Engineering Podcast
+    (fromDb "reverseengineering.libsyn.com/rss" // tech)
+    ## The Witch Trials of J.K. Rowling
+    ## - <https://www.thefp.com/witchtrials>
+    (mkPod "https://feeds.megaphone.fm/RUNMED9919162779" // pol // infrequent)
   ];
 
   texts = [
     # AGGREGATORS (> 1 post/day)
     (fromDb "lwn.net" // tech)
     (fromDb "lesswrong.com" // rat)
-    (fromDb "econlib.org" // pol)
+    # (fromDb "econlib.org" // pol)
 
     # AGGREGATORS (< 1 post/day)
     (fromDb "palladiummag.com" // uncat)
@@ -104,6 +126,10 @@ let
     (fromDb "semiaccurate.com" // tech)
     (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
     (fromDb "spectrum.ieee.org" // tech)
+    (fromDb "thisweek.gnome.org" // tech)
+    # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
+    (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)
+    (mkText "https://nixos.org/blog/stories-rss.xml" // tech // weekly)
     ## n.b.: quality RSS list here: <https://forum.merveilles.town/thread/57/share-your-rss-feeds%21-6/>
     (mkText "https://forum.merveilles.town/rss.xml" // pol // infrequent)
 
@@ -112,6 +138,8 @@ let
 
     # DEVELOPERS
     (fromDb "uninsane.org" // tech)
+    (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
+    (fromDb "xn--gckvb8fzb.com" // tech)
     (fromDb "mg.lol" // tech)
     (fromDb "drewdevault.com" // tech)
     ## Ken Shirriff
@@ -131,6 +159,10 @@ let
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
     (fromDb "jefftk.com" // tech)
     (fromDb "pomeroyb.com" // tech)
+    (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
+
+    # TECH PROJECTS
+    (fromDb "blog.rust-lang.org" // tech)
 
     # (TECH; POL) COMMENTATORS
     ## Matt Webb -- engineering-ish, but dreamy
@@ -147,7 +179,8 @@ let
     (fromDb "lynalden.com" // pol)
     (fromDb "austinvernon.site" // tech)
     (mkSubstack "oversharing" // pol // daily)
-    (mkSubstack "doomberg" // tech // weekly)
+    (mkSubstack "byrnehobart" // pol // infrequent)
+    # (mkSubstack "doomberg" // tech // weekly)  # articles are all pay-walled
     ## David Rosenthal
     (fromDb "blog.dshr.org" // pol)
     ## Matt Levine
@@ -177,6 +210,9 @@ let
     ## mostly dating topics. not advice, or humor, but looking through a social lens
     (fromDb "putanumonit.com" // rat)
 
+    # LOCAL
+    (fromDb "capitolhillseattle.com" // pol)
+
     # CODE
     # (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
   ];
@@ -186,6 +222,7 @@ let
     (fromDb "xkcd.com" // img // humor)
     (fromDb "pbfcomics.com" // img // humor)
     # (mkImg "http://dilbert.com/feed" // humor // daily)
+    (fromDb "poorlydrawnlines.com/feed" // img // humor)
 
     # ART
     (fromDb "miniature-calendar.com" // img // art // daily)

hosts/common/home/default.nix

@@ -7,7 +7,7 @@
     ./git.nix
     ./gpodder.nix
     ./keyring.nix
-    ./kitty.nix
+    ./kitty
     ./libreoffice.nix
     ./mime.nix
     ./mpv.nix

hosts/common/home/firefox.nix

@@ -132,7 +132,7 @@ in
         sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
         sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
         ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
-        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-52lYqMjrS3GVTaybDrH1p6VF90YVkifguCGxobI/fNQ=";
+        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
 
         browserpass-extension.enable = lib.mkDefault true;
         # bypass-paywalls-clean.enable = lib.mkDefault true;

hosts/common/home/kitty/PaperColor_dark.conf

@@ -0,0 +1,47 @@
+# vim:ft=kitty
+
+## name: PaperColor Dark
+## author: Nikyle Nguyen
+## license: MIT
+## blurb: Dark color scheme inspired by Google's Material Design 
+
+# special
+foreground		#d0d0d0
+background		#1c1c1c
+cursor			#d0d0d0
+cursor_text_color	background
+
+# black
+color0			#1c1c1c
+color8			#585858
+
+# red
+color1			#af005f
+color9			#5faf5f
+
+# green
+# "color2" is the green color used by ls to indicate executability
+#   both as text color
+#   or as bg color when the text is blue (color4)
+color2			#246a28
+color10			#2df200
+
+# yellow
+color3			#d7af5f
+color11			#af87d7
+
+# blue
+color4			#78c6ef
+color12			#ffaf00
+
+# magenta
+color5			#808080
+color13			#ff5faf
+
+# cyan
+color6			#d7875f
+color14			#00afaf
+
+# white
+color7			#d0d0d0
+color15			#5f8787

hosts/common/home/kitty/default.nix

@@ -7,9 +7,11 @@
     enable_audio_bell no
 
     map ctrl+n new_os_window_with_cwd
-
-    include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
+    include ${./PaperColor_dark.conf}
   '';
+
+  #  include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
+
   # THEME CHOICES:
   #   docs: https://github.com/kovidgoyal/kitty-themes
   # theme = "1984 Light";  # dislike: awful, harsh blues/teals

hosts/common/home/splatmoji.nix

@@ -6,7 +6,8 @@
 {
   sane.user.persist.plaintext = [ ".local/state/splatmoji" ];
   sane.user.fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
-    history_file=~/.local/state/splatmoji/history
+    # XXX doesn't seem to understand ~ as shorthand for `$HOME`
+    history_file=/home/colin/.local/state/splatmoji/history
     history_length=5
     # TODO: wayland equiv
     paste_command=xdotool key ctrl+v

hosts/common/home/ssh.nix

@@ -3,7 +3,8 @@
 with lib;
 let
   host = config.networking.hostName;
-  user-pubkey = config.sane.ssh.pubkeys."colin@${host}".asUserKey;
+  user-pubkey-full = config.sane.ssh.pubkeys."colin@${host}" or {};
+  user-pubkey = user-pubkey-full.asUserKey or null;
   host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
   known-hosts-text = concatStringsSep
     "\n"
@@ -13,7 +14,8 @@ in
 {
   # ssh key is stored in private storage
   sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.user.fs.".ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+  sane.user.fs.".ssh/id_ed25519.pub" =
+    mkIf (user-pubkey != null) (sane-lib.fs.wantedText user-pubkey);
   sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
 
   users.users.colin.openssh.authorizedKeys.keys =

hosts/common/home/zsh/default.nix

@@ -1,6 +1,8 @@
-{ pkgs, sane-lib, ... }:
+{ config, lib, pkgs, sane-lib, ... }:
 
 let
+  inherit (lib) mkOption types;
+  cfg = config.sane.zsh;
   # powerlevel10k prompt config
   # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
   p10k-overrides = ''
@@ -26,123 +28,134 @@ let
   '';
 in
 {
-  sane.user.persist.plaintext = [
-    # we don't need to full zsh dir -- just the history file --
-    # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
-    # TODO: should be private?
-    ".local/share/zsh"
-    # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
-    ".cache/gitstatus"
-  ];
-
-  # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
-  sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
-
-  # enable zsh completions
-  environment.pathsToLink = [ "/share/zsh" ];
-
-  programs.zsh = {
-    enable = true;
-    histFile = "$HOME/.local/share/zsh/history";
-    shellAliases = {
-      ":q" = "exit";
-      # common typos
-      "cd.." = "cd ..";
-      "cd../" = "cd ../";
+  options = {
+    sane.zsh = {
+      showDeadlines = mkOption {
+        type = types.bool;
+        default = true;
+        description = "show upcoming deadlines (frommy PKM) upon shell init";
+      };
     };
-    setOptions = [
-      # defaults:
-      "HIST_IGNORE_DUPS"
-      "SHARE_HISTORY"
-      "HIST_FCNTL_LOCK"
-      # disable `rm *` confirmations
-      "rmstarsilent"
-    ];
-
-    # .zshenv config:
-    shellInit = ''
-      ZDOTDIR=$HOME/.config/zsh
-    '';
-
-    # .zshrc config:
-    interactiveShellInit =
-      (builtins.readFile ./p10k.zsh)
-    + p10k-overrides
-    + prezto-init
-    + ''
-      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
-      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
-      autoload -Uz zmv
-
-      HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *)'
-
-      # extra aliases
-      # TODO: move to `shellAliases` config?
-      function nd() {
-        mkdir -p "$1";
-        pushd "$1";
-      }
-
-      expiration=$(date -d "6 Mar" +%s)
-      today=$(date +%s)
-      days_until=$(( ($expiration - $today) / (24*60*60) ))
-      echo "You have $days_until days to renew your driver's license"
-
-      # auto-cd into any of these dirs by typing them and pressing 'enter':
-      hash -d 3rd="/home/colin/dev/3rd"
-      hash -d dev="/home/colin/dev"
-      hash -d knowledge="/home/colin/knowledge"
-      hash -d nixos="/home/colin/nixos"
-      hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
-      hash -d ref="/home/colin/ref"
-      hash -d secrets="/home/colin/knowledge/secrets"
-      hash -d tmp="/home/colin/tmp"
-      hash -d uninsane="/home/colin/dev/uninsane"
-      hash -d Videos="/home/colin/Videos"
-    '';
-
-    syntaxHighlighting.enable = true;
-    vteIntegration = true;
   };
 
-  # enable a command-not-found hook to show nix packages that might provide the binary typed.
-  programs.nix-index.enable = true;
-  programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+  config = {
+    sane.user.persist.plaintext = [
+      # we don't need to full zsh dir -- just the history file --
+      # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
+      # TODO: should be private?
+      ".local/share/zsh"
+      # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
+      ".cache/gitstatus"
+    ];
 
-  # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
-  # see: https://github.com/sorin-ionescu/prezto
-  # i believe this file is auto-sourced by the prezto init.zsh script.
-  sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
-    zstyle ':prezto:*:*' color 'yes'
+    # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
+    sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
 
-    # modules (they ship with prezto):
-    # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
-    # TERMINAL: auto-titles terminal (e.g. based on cwd)
-    # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
-    # HISTORY: `history-stat` alias, setopts for good history defaults
-    # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
-    # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
-    # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
-    #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
-    # COMPLETION: tab completion. requires `utility` module prior to loading
-    # TODO: enable AUTO_PARAM_SLASH
-    zstyle ':prezto:load' pmodule \
-      'environment' \
-      'terminal' \
-      'editor' \
-      'history' \
-      'directory' \
-      'spectrum' \
-      'utility' \
-      'completion' \
-      'prompt'
+    # enable zsh completions
+    environment.pathsToLink = [ "/share/zsh" ];
 
-    # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
-    zstyle ':prezto:module:editor' key-bindings 'emacs'
+    programs.zsh = {
+      enable = true;
+      histFile = "$HOME/.local/share/zsh/history";
+      shellAliases = {
+        ":q" = "exit";
+        # common typos
+        "cd.." = "cd ..";
+        "cd../" = "cd ../";
+      };
+      setOptions = [
+        # defaults:
+        "HIST_IGNORE_DUPS"
+        "SHARE_HISTORY"
+        "HIST_FCNTL_LOCK"
+        # disable `rm *` confirmations
+        "rmstarsilent"
+      ];
 
-    zstyle ':prezto:module:prompt' theme 'powerlevel10k'
+      # .zshenv config:
+      shellInit = ''
+        ZDOTDIR=$HOME/.config/zsh
+      '';
 
-    # disable `mv` confirmation (and `rm`, too, unfortunately)
-    zstyle ':prezto:module:utility' safe-ops 'no'
-  '';
+      # .zshrc config:
+      interactiveShellInit =
+        (builtins.readFile ./p10k.zsh)
+      + p10k-overrides
+      + prezto-init
+      + ''
+        # zmv is a way to do rich moves/renames, with pattern matching/substitution.
+        # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
+        autoload -Uz zmv
+
+        HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch)'
+
+        # extra aliases
+        # TODO: move to `shellAliases` config?
+        function nd() {
+          mkdir -p "$1";
+          pushd "$1";
+        }
+      ''
+      + lib.optionalString cfg.showDeadlines ''
+        ${pkgs.sane-scripts}/bin/sane-deadlines
+      ''
+      + ''
+        # auto-cd into any of these dirs by typing them and pressing 'enter':
+        hash -d 3rd="/home/colin/dev/3rd"
+        hash -d dev="/home/colin/dev"
+        hash -d knowledge="/home/colin/knowledge"
+        hash -d nixos="/home/colin/nixos"
+        hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
+        hash -d ref="/home/colin/ref"
+        hash -d secrets="/home/colin/knowledge/secrets"
+        hash -d tmp="/home/colin/tmp"
+        hash -d uninsane="/home/colin/dev/uninsane"
+        hash -d Videos="/home/colin/Videos"
+      '';
+
+      syntaxHighlighting.enable = true;
+      vteIntegration = true;
+    };
+
+    # enable a command-not-found hook to show nix packages that might provide the binary typed.
+    programs.nix-index.enable = true;
+    programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+
+    # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+    # see: https://github.com/sorin-ionescu/prezto
+    # i believe this file is auto-sourced by the prezto init.zsh script.
+    sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
+      zstyle ':prezto:*:*' color 'yes'
+
+      # modules (they ship with prezto):
+      # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
+      # TERMINAL: auto-titles terminal (e.g. based on cwd)
+      # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
+      # HISTORY: `history-stat` alias, setopts for good history defaults
+      # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
+      # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
+      # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
+      #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
+      # COMPLETION: tab completion. requires `utility` module prior to loading
+      # TODO: enable AUTO_PARAM_SLASH
+      zstyle ':prezto:load' pmodule \
+        'environment' \
+        'terminal' \
+        'editor' \
+        'history' \
+        'directory' \
+        'spectrum' \
+        'utility' \
+        'completion' \
+        'prompt'
+
+      # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
+      zstyle ':prezto:module:editor' key-bindings 'emacs'
+
+      zstyle ':prezto:module:prompt' theme 'powerlevel10k'
+
+      # disable `mv` confirmation (and `rm`, too, unfortunately)
+      zstyle ':prezto:module:utility' safe-ops 'no'
+    '';
+  };
 }

hosts/common/i2p.nix

@@ -1,4 +1,4 @@
 { ... }:
 {
-  # services.i2p.enable = true;
+  services.i2p.enable = true;
 }

hosts/common/ids.nix

@@ -38,7 +38,7 @@
   sane.ids.sshd.uid = 2001;  # 997
   sane.ids.sshd.gid = 2001;  # 997
   sane.ids.polkituser.gid = 2002;  # 998
-  # sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12: upstream now specifies this as 151
+  sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12-2023/02/28: upstream temporarily specified this as 151
   sane.ids.nscd.uid = 2004;
   sane.ids.nscd.gid = 2004;
   sane.ids.systemd-oom.uid = 2005;

hosts/common/programs.nix

@@ -16,6 +16,7 @@ let
     "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
     "gnome.gnome-terminal" = gnome.gnome-terminal;
     "gnome.gnome-weather" = gnome.gnome-weather;
+    "gnome.totem" = gnome.totem;
     "libsForQt5.plasmatube" = libsForQt5.plasmatube;
   });
 
@@ -162,10 +163,11 @@ let
       "gnome.nautilus"
       # gnome-podcasts
       "gnome.gnome-system-monitor"
-      "gnome.gnome-terminal"  # works on phosh
+      # "gnome.gnome-terminal"  # works on phosh
       "gnome.gnome-weather"
       gpodder-configured
       gthumb
+      jellyfin-media-player
       # lollypop
       mpv
       networkmanagerapplet
@@ -193,6 +195,7 @@ let
   desktopGuiPkgs = {
     inherit (flattenedPkgs)
       audacity
+      brave  # for the integrated wallet -- as a backup
       chromium
       dino
       electrum
@@ -201,13 +204,17 @@ let
       gajim  # XMPP client
       gimp  # broken on phosh
       "gnome.gnome-disk-utility"
+      # "gnome.totem"  # video player, supposedly supports UPnP
       handbrake
+      hase
       inkscape
       kdenlive
       kid3  # audio tagging
       krita
       libreoffice-fresh  # XXX colin: maybe don't want this on mobile
+      mumble
       obsidian
+      slic3r
     ;
   };
   x86GuiPkgs = {
@@ -300,14 +307,7 @@ in
         dino.private = [ ".local/share/dino" ];
 
         # creds, but also 200 MB of node modules, etc
-        discord = {
-          package = pkgs.discord.override {
-            # XXX 2022-07-31: fix to allow links to open in default web-browser:
-            #   https://github.com/NixOS/nixpkgs/issues/78961
-            nss = pkgs.nss_latest;
-          };
-          private = [ ".config/discord" ];
-        };
+        discord.private = [ ".config/discord" ];
 
         # creds/session keys, etc
         element-desktop.private = [ ".config/Element" ];
@@ -321,12 +321,19 @@ in
         #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
         gpodder-configured.dir = [ "gPodder" ];
 
+        # jellyfin stores things in a bunch of directories: this one persists auth info.
+        # it *might* be possible to populate this externally (it's Qt stuff), but likely to
+        # be fragile and take an hour+ to figure out.
+        jellyfin-media-player.dir = [ ".local/share/Jellyfin Media Player" ];
+
         # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
         # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
         monero-gui.dir = [ ".bitmonero" ];
 
         mpv.dir = [ ".config/mpv/watch_later" ];
 
+        mumble.private = [ ".local/share/Mumble" ];
+
         # not strictly necessary, but allows caching articles; offline use, etc.
         newsflash.dir = [ ".local/share/news-flash" ];
         nheko.private = [
@@ -341,6 +348,8 @@ in
         # creds, media
         signal-desktop.private = [ ".config/Signal" ];
 
+        # printer/filament settings
+        slic3r.dir = [ ".Slic3r" ];
 
         # creds, widevine .so download. TODO: could easily manage these statically.
         spotify.dir = [ ".config/spotify" ];

hosts/common/secrets.nix

@@ -55,6 +55,9 @@
   sops.secrets."router_passwd" = {
     sopsFile = ../../secrets/universal.yaml;
   };
+  sops.secrets."transmission_passwd" = {
+    sopsFile = ../../secrets/universal.yaml;
+  };
   sops.secrets."wg_ovpnd_us_privkey" = {
     sopsFile = ../../secrets/universal.yaml;
   };

hosts/common/users.nix

@@ -97,6 +97,7 @@ in
     # convenience
     sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
     sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
+    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
     sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
     sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
     sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";

hosts/modules/default.nix

@@ -11,5 +11,6 @@
     ./roles
     ./services
     ./wg-home.nix
+    ./yggdrasil.nix
   ];
 }

hosts/modules/gui/phosh.nix

@@ -28,6 +28,7 @@ in
           "guiApps"
           # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
           "gnome.gnome-bluetooth"
+          "gnome.gnome-terminal"
           "phosh-mobile-settings"
           # "plasma5Packages.konsole"  # more reliable terminal
         ];
@@ -37,11 +38,13 @@ in
       sane.programs = {
         inherit (pkgs // {
           "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
+          "gnome.gnome-terminal" = pkgs.gnome.gnome-terminal;
           "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
         })
           phosh-mobile-settings
           "plasma5Packages.konsole"
           # "gnome.gnome-bluetooth"
+          "gnome.gnome-terminal"
         ;
       };
     }

hosts/modules/hosts.nix

@@ -69,7 +69,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
       wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
       wg-home.ip = "10.0.10.22";
-      lan-ip = "192.168.15.16";
+      lan-ip = "192.168.15.25";
     };
 
     sane.hosts.by-name."lappy" = {
@@ -77,7 +77,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
       wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
       wg-home.ip = "10.0.10.20";
-      lan-ip = "192.168.15.11";
+      lan-ip = "192.168.15.13";
     };
 
     sane.hosts.by-name."moby" = {
@@ -85,7 +85,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
       wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
       wg-home.ip = "10.0.10.48";
-      lan-ip = "192.168.15.17";
+      lan-ip = "192.168.15.28";
     };
 
     sane.hosts.by-name."servo" = {
@@ -94,7 +94,7 @@ in
       wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
       wg-home.ip = "10.0.10.5";
       wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.15.28";
+      lan-ip = "192.168.15.24";
     };
   };
 }

hosts/modules/nixcache.nix

@@ -28,8 +28,9 @@ in
     sane.nixcache.substituters = mkOption {
       type = types.listOf types.string;
       default =
+        # TODO: make these blacklisted entries injectable
         (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
-        ++ (lib.optional (hostName != "desko") "http://desko:5000")
+        ++ (lib.optional (hostName != "servo" && hostName != "desko") "http://desko:5000")
         ++ [
           "https://nix-community.cachix.org"
           "https://cache.nixos.org/"

hosts/modules/roles/build-machine.nix

@@ -1,17 +1,48 @@
-{ config, lib, sane-lib, ... }:
+{ config, lib, pkgs, sane-lib, ... }:
 
 let
   inherit (lib) mkIf mkMerge mkOption types;
   inherit (config.programs.ccache) cacheDir;
+  cfg = config.sane.roles.build-machine;
 in
 {
-  options.sane.roles.build-machine = mkOption {
-    type = types.bool;
-    default = false;
+  options.sane.roles.build-machine = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    emulation = mkOption {
+      type = types.bool;
+      default = true;
+    };
+    ccache = mkOption {
+      type = types.bool;
+      default = true;
+    };
   };
 
   config = mkMerge [
-    {
+    ({
+      sane.programs.qemu = pkgs.qemu;
+    })
+    (mkIf cfg.enable {
+      # enable opt-in emulation of any package at runtime.
+      # i.e. `nix build '.#host-pkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
+      sane.programs.qemu.enableFor.user.colin = true;
+      # serve packages to other machines that ask for them
+      sane.services.nixserve.enable = true;
+
+      # enable cross compilation
+      # TODO: do this via stdenv injection, linking into /run/binfmt the stuff in <nixpkgs:nixos/modules/system/boot/binfmt.nix>
+      boot.binfmt.emulatedSystems = lib.optionals cfg.emulation [
+        "aarch64-linux"
+        # "aarch64-darwin"  # not supported
+        # "x86_64-darwin"   # not supported
+      ];
+      # corresponds to env var: NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
+      # nixpkgs.config.allowUnsupportedSystem = true;
+    })
+    (mkIf (cfg.enable && cfg.ccache) {
       # programs.ccache.cacheDir = "/var/cache/ccache";  # nixos default
       # programs.ccache.cacheDir = "/homeless-shelter/.ccache";  # ccache default (~/.ccache)
 
@@ -29,14 +60,6 @@ in
       #     };
       #   })
       # ];
-    }
-    (mkIf config.sane.roles.build-machine {
-      # serve packages to other machines that ask for them
-      sane.services.nixserve.enable = true;
-
-      # enable cross compilation
-      boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-      # nixpkgs.config.allowUnsupportedSystem = true;
 
       # granular compilation cache
       # docs: <https://nixos.wiki/wiki/CCache>

hosts/modules/yggdrasil.nix

@@ -0,0 +1,30 @@
+# docs: <nixpkgs:nixos/modules/services/networking/yggdrasil.md>
+# - or message CW/0x00
+
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkIf mkOption types;
+  cfg = config.sane.yggdrasil;
+in
+{
+  options.sane.yggdrasil = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+  config = mkIf cfg.enable {
+    services.yggdrasil = {
+      enable = true;
+      persistentKeys = true;
+      config = {
+        IFName = "ygg0";
+        Peers = [
+          "tls://longseason.1200bps.xyz:13122"
+        ];
+      };
+    };
+  };
+}
+

modules/data/feeds/sources/acquiredlpbonussecretsecret.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 443732,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Ben and David are joined by expert founders and investors \u2014 writing the next generation of great company stories in real-time.\n\nWe go behind the scenes on their journeys and bring back emerging insights and lessons that are useful for anyone in the tech and investing ecosystems.\n\nAcquired covers yesterday. ACQ2 covers tomorrow.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 92,
+  "last_updated": "2023-03-02T17:03:15+00:00",
+  "score": 10,
+  "self_url": "https://acquiredlpbonussecretsecret.libsyn.com/",
+  "site_name": "ACQ2 by Acquired",
+  "site_url": "https://acquiredlpbonussecretsecret.libsyn.com",
+  "title": "ACQ2 by Acquired",
+  "url": "https://acquiredlpbonussecretsecret.libsyn.com",
+  "velocity": 0.057,
+  "version": "rss20"
+}

modules/data/feeds/sources/blog.rust-lang.org/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 76362,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Empowering everyone to build reliable and efficient software.",
+  "favicon": "https://blog.rust-lang.org/images/favicon-16x16.png",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAA3XAAAN1wFCKJt4AAAAB3RJTUUH4gseBBkAzEcAUAAAAWlJREFUOMul079L1WEUBvCPdhPUzbhC3JYQwn6MLTU4CA5C/QMJimQS2NDiZpM0NDoZ0iK4+SdIV5ykpgKtIYyiqCBSuKBBibflufBiVxt64eV73uc855z3fb7ndPh7daMPU/gR7ByeYRc/nbJGMI8GjvAKb2M34hspA84U9jgeYAIv8Bi9+IxFnMcYLqCJ12WiYTzHL0wee05Xcb6H3+EOt8CeXK0Z526b/R1ruIL74c4nVi3v+4BvOAxhHzv4lHMTb3A1WAO1zqjdhRU8SjWpOIBBvAx2hFEsRZ8pmEn28ZC+FhXLvY9L4UwHm+ksBNo79kvf4QlWC61uxR5qkSqoJttkROqN7wDvk+Q6LuIh+nEnMdVSxOYJ+zKetsEbqFVy9QXMpYE28TE3gC+YxXaKDeFGYvYqIa7jZppjI/2w1GZGzia4npiDSpz1tCjcjg5VbAW7hrtpqjqW8/3nMLXee+IwdfzvOP8BuzB3onylpecAAAAASUVORK5CYII=",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 10,
+  "last_updated": "2023-03-09T00:00:00+00:00",
+  "score": 20,
+  "self_url": "https://blog.rust-lang.org/feed.xml",
+  "site_name": "The Rust Programming Language Blog",
+  "site_url": "https://blog.rust-lang.org",
+  "title": "Rust Blog",
+  "url": "https://blog.rust-lang.org/feed.xml",
+  "velocity": 0.096,
+  "version": "atom10"
+}

modules/data/feeds/sources/capitolhillseattle.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 83424,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Community News For All of Seattle's Capitol Hill",
+  "favicon": "https://www.capitolhillseattle.com/favicon.ico",
+  "favicon_data_uri": "data:image/png;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAD///////////////////////////39/f/h4eH/vb29/729vf/i4uL//f39/////////////////////////////////////////////f39/6+vr/81NTX/AgIC/wAAAP8AAAD/AgIC/zU1Nf+wsLD//f39////////////////////////////+vr6/2pqav8BAQH/AAAA/wAAAP8AAAD/AAAA/wAAAP8AAAD/AQEB/2xsbP/6+vr//////////////////v7+/7u7u/9VVVX/VVVV/1VVVf9VVVX/VVVV/1VVVf9VVVX/VVVV/1VVVf9VVVX/vb29//7+/v/+/v7//////87Ozv8eHh7/HBwc/xwcHP8cHBz/t7e3/z8/P/+VlZX/WVlZ/xwcHP8cHBz/HBwc/x4eHv/Q0ND//v7+//7+/v9hYWH/AAAA/yUlJf/Dw8P/4ODg//n5+f/29vb//Pz8/+Li4v9MTEz/AAAA/wAAAP8AAAD/ZGRk///////7+/v/MTEx/xUVFf8WFhb/jY2N//7+/v/+/v7//v7+//7+/v/+/v7/+vr6/2FhYf8VFRX/FRUV/zMzM//8/Pz/7+/v/xgYGP8TExP/ExMT/xMTE/+2trb//v7+//7+/v/+/v7//v7+//7+/v/z8/P/JiYm/xMTE/8ZGRn/8PDw/+zs7P8EBAT/AAAA/wAAAP8AAAD/NjY2//39/f/+/v7//v7+//7+/v/+/v7//v7+/zk5Of8AAAD/BgYG/+3t7f/5+fn/FhYW/wAAAP8AAAD/AAAA/wICAv/T09P//v7+//7+/v/+/v7//v7+//7+/v9BQUH/AAAA/xcXF//5+fn//v7+/1FRUf8AAAD/AAAA/wAAAP8AAAD/RUVF//Pz8//+/v7//v7+//7+/v/+/v7/Li4u/wAAAP9UVFT///////////+7u7v/AQEB/wAAAP8AAAD/AAAA/wAAAP8fHx//vLy8//7+/v/+/v7/8/Pz/xEREf8BAQH/vb29/////////////f39/1hYWP8AAAD/AAAA/wAAAP8AAAD/GBgY/15eXv+Li4v/39/f/2tra/8AAAD/W1tb//7+/v/////////////////x8fH/Q0ND/wAAAP8AAAD/AAAA/wAAAP8AAAD/AAAA/wMDA/8AAAD/RUVF//Ly8v////////////////////////////b29v+EhIT/EhIS/wAAAP8AAAD/AAAA/wAAAP8TExP/hYWF//f39/////////////////////////////////////////////Ly8v+2trb/kJCQ/5CQkP+3t7f/8/Pz////////////////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 5,
+  "last_updated": "2023-04-02T02:03:11+00:00",
+  "score": 13,
+  "self_url": "https://www.capitolhillseattle.com/feed/",
+  "site_name": "CHS Capitol Hill Seattle News",
+  "site_url": "https://www.capitolhillseattle.com",
+  "title": "CHS Capitol Hill Seattle News",
+  "url": "https://www.capitolhillseattle.com/feed/",
+  "velocity": 1.6,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.libsyn.com/421877/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 272569,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Audio version of the posts shared in the LessWrong Curated newsletter.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [
+    "https://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 56,
+  "last_updated": "2023-03-08T08:00:00+00:00",
+  "score": 32,
+  "self_url": "https://feeds.buzzsprout.com/2037297.rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "LessWrong Curated Podcast",
+  "url": "https://feeds.buzzsprout.com/2037297.rss",
+  "velocity": 0.192,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.megaphone.fm/hubermanlab/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1377252,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Andrew Huberman, Ph.D.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 129,
+  "last_updated": "2023-03-06T09:00:00+00:00",
+  "score": 14,
+  "self_url": "https://feeds.megaphone.fm/hubermanlab",
+  "site_name": "",
+  "site_url": "",
+  "title": "Huberman Lab",
+  "url": "https://feeds.megaphone.fm/hubermanlab",
+  "velocity": 0.159,
+  "version": "rss20"
+}

modules/data/feeds/sources/mapspodcast.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 256360,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Hosted by Zach Leary, the intent of the podcast is to bring you the listener an easily accessible resource for a variety of topics all related to psychedelic research. There is a lot to learn about new research into the therapeutic potential of psychedelics and marijuana. Over the years, the Multidisciplinary Association for Psychedelic Studies (MAPS) has amassed an incredible treasure trove of audio archives sourced from the amazing talks, presentations and panels that have taken place at past Psychedelic Science conferences and other unique events. By selecting some of that content and then bringing it to you in a podcast we hope to create a centralized location for the greater MAPS community. If you're a researcher, scientist, medical professional or just a curiosity seeker we hope that you'll find this content a valuable resource tool.\n\nPlease visit the MAPS website at https://maps.org",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 62,
+  "last_updated": "2023-03-06T20:20:00+00:00",
+  "score": 0,
+  "self_url": "https://feeds.libsyn.com/95610/rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "MAPS Podcast",
+  "url": "https://feeds.libsyn.com/95610/rss",
+  "velocity": 0.028,
+  "version": "rss20"
+}

modules/data/feeds/sources/omny.fm/shows/cool-people-who-did-cool-stuff/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 242702,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "<p>As long as there&rsquo;s been oppression, there&rsquo;ve been people fighting it. This weekly podcast dives into history to drag up the wildest rebels, the most beautiful revolts, and all the people who long to be&mdash;and fight to be&mdash;free. It explores complex stories of resistance that offer lessons and inspiration for us today, focusing on the ensemble casts that make up each act of history. That is to say, this podcast focuses on Cool People Who Did Cool Stuff.</p>",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 86,
+  "last_updated": "2023-03-20T04:01:00+00:00",
+  "score": -12,
+  "self_url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/45bcda9a-4724-45c0-82ca-ae7f00e1dd18/f21245f2-a297-42f7-a016-ae7f00e390c4/podcast.rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "Cool People Who Did Cool Stuff",
+  "url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/45bcda9a-4724-45c0-82ca-ae7f00e1dd18/f21245f2-a297-42f7-a016-ae7f00e390c4/podcast.rss",
+  "velocity": 0.256,
+  "version": "rss20"
+}

modules/data/feeds/sources/poorlydrawnlines.com/feed/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 13524,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "A Comic",
+  "favicon": "http://www.poorlydrawnlines.com/wp-content/themes/PoorlyDrawnLines/images/favicon.ico",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAK6wAACusBgosNWgAAABx0RVh0U29mdHdhcmUAQWRvYmUgRmlyZXdvcmtzIENTNXG14zYAAAE+SURBVDiNnZO9rgFRFIW/Yy4KCldDN4VCQ63STTyAR0BU3kEy8SQeYiIRKq+gkFytZAo/0VBZtxC5Y85McFdymr2Sb6+z9zlG0g/wTUyHwwGAcrkct6I6IumsiHa7nTqdjkqlknK5nBqNhsbjsU6nkxJ0RtI+WgmCQICMMWq323JdV4BarZbCMIwD9hZgNpsJ0Gg0kiRdr1f1+30B6vV6FiATv5TjOABUKhUA8vk8w+EQgPV6bQ3BAki6G5k/KwxDADzPswBfaYDNZsNyuWS73TKZTCgWiwwGA3sP8RnM53MBT6dQKGg6nSZtYW8leER3XZd6vY7neXS7XWq1mt09KcFisRAg3/eTOr7ewkO32y3Nek6cZjyG+W/Au0p9B58kyEYLxpi7kXkrXNYo9p0vlwur1Ypms0m1Wn0FOP4CBWA38rLJ0EUAAAAASUVORK5CYII=",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 10,
+  "last_updated": "2023-03-22T17:51:01+00:00",
+  "score": 12,
+  "self_url": "https://poorlydrawnlines.com/feed/",
+  "site_name": "Poorly Drawn Lines",
+  "site_url": "https://poorlydrawnlines.com",
+  "title": "Poorly Drawn Lines",
+  "url": "https://poorlydrawnlines.com/feed/",
+  "velocity": 0.272,
+  "version": "rss20"
+}

modules/data/feeds/sources/reverseengineering.libsyn.com/rss/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 560867,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Listen and learn about different reverse engineering hardware projects and methods as Alvaro (@alvaroprieto) and Jen(@rebelbotjen) talk with guests about their work.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 63,
+  "last_updated": "2022-12-30T15:42:48+00:00",
+  "score": 18,
+  "self_url": "https://reverseengineering.libsyn.com/rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "Unnamed Reverse Engineering Podcast",
+  "url": "https://reverseengineering.libsyn.com/rss",
+  "velocity": 0.032,
+  "version": "rss20"
+}

modules/data/feeds/sources/thisweek.gnome.org/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1250267,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Recent content on This Week in GNOME",
+  "favicon": "https://thisweek.gnome.org/images/favicon-32x32.png",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAABYAAAAWABINkT2gAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAI5SURBVFiFvdZPiE1RHAfwz/xBxhSTISxYaJSiJAklioWNjYWVhYWUtYRMslEWSv7WkPybsbHSGMmGDUmhyEKihMgsjMQsnjEW597emdt7z7vvvplvnTr3d3/n9/3ec8/vd35MHVqnkAu0YR+eoYQxPMWyZhEswH0M43DmXTuGMF5hXGyWgMEo6A8Tt/h0FfJxnGmEbA160ZU8twvbGgeenrxbgj81BKzNS746IhtIbB2ZoJ8j/6M1yIfyksORKMB3tCT2T5H9cuR/qwr5NyzMBq8nNYaj+Zxonu5GSfjnKdoqxBjBdnypg08XruFA8jwfv5W/IkUH+rAzs77XxC9/g1X1EKc4Fy3enNj2Cnl8qY71nejHk0TMzDzkcCUScCGy92BG3mD/Q3sF2w3sTuZLI/vbaN6NbVgnpN28xFYSDudjYRfiNblwTNiBqxn7VtxRO8/TUcL+RgXACsxN5otxtw7S7PiLlUVEwAbh9OclT8euIuTLheLTKPm4cE4aQgseFSR/qFw5c2NjQfJ3WNQoOZwoQH5PSMtCGGiAeBSHNKn96stJ/kAT2y3YUyfxLxw0CU1nj1BIapG/EErxpCHu+7Ljo3KlTNGNs/iQ+PzE8SIC1qu+C6cq+Fcq1yNFBMDJKgKeY1rG93UFv9tFBUwXrtdKIgaV832T0LRkfbYUFQCzVS/Lo3il8hXd3wzyFJ24WUVEtXtgVjMFpNiB9zWIx4RWLncvmAetQkt2XTh4X/ES5zWhAZlS/AMHdE5EpHwlOQAAAABJRU5ErkJggg==",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 86,
+  "last_updated": "2023-03-10T00:00:00+00:00",
+  "score": 46,
+  "self_url": "https://thisweek.gnome.org/index.xml",
+  "site_name": "This Week in GNOME",
+  "site_url": "https://thisweek.gnome.org",
+  "title": "This Week in GNOME",
+  "url": "https://thisweek.gnome.org/index.xml",
+  "velocity": 0.141,
+  "version": "rss20"
+}

modules/fs/default.nix

@@ -189,7 +189,7 @@ let
       serviceConfig.Type = "oneshot";
 
       script = wrapper.script;
-      scriptArgs = builtins.concatStringsSep " " wrapper.scriptArgs;
+      scriptArgs = escapeShellArgs wrapper.scriptArgs;
 
       after = gen-opt.depends;
       wants = gen-opt.depends;

modules/persist/default.nix

@@ -124,6 +124,9 @@ let
   #   <option>.private.".cache/vim" = { mode = "0700"; };
   # to place ".cache/vim" into the private store and create with the appropriate mode
   dirsSubModule = types.submodule ({ config, ... }: {
+    # TODO: this should be a plain-old `attrsOf (convertInlineAcl entryInStoreOrShorthand)` with downstream checks,
+    #   rather than being filled in based on *other* settings.
+    #   otherwise, it behaves poorly when `sane.persist.enable = false`
     options = lib.attrsets.unionOfDisjoint
       (mapAttrs (store: store-cfg: mkOption {
         default = [];

modules/services/trust-dns.nix

@@ -7,7 +7,20 @@ with lib;
 let
   cfg = config.sane.services.trust-dns;
   toml = pkgs.formats.toml { };
-  fmtRecord = proto: rrtype: name: value: "${name}\t${proto}\t${rrtype}\t${value}";
+  recordFormatters = {
+    # quote rules for zone files:
+    # - any character may be encoded by `\DDD`, where `DDD` represents its ascii value in base 8.
+    # - any non-digit `X` may be encoded by `\X`.
+    # - stated in: <https://www.ietf.org/rfc/rfc1035.txt>: 5.1 Format
+    # - visible in <trust-dns:crates/proto/src/serialize/txt/zone_lex.rs:escape_seq>
+    # for us, we can just replace `\` => `\\ and `"` -> `\"`
+    TXT = value: "\"" + (lib.escape [ "\\" "\"" ] value) + "\"";
+  };
+  fmtRecord = proto: rrtype: name: value:
+    let
+      formatter = recordFormatters."${rrtype}" or lib.id;
+    in
+      "${name}\t${proto}\t${rrtype}\t${formatter value}";
   fmtRecordList = proto: rrtype: name: values: concatStringsSep
     "\n"
     (map (fmtRecord proto rrtype name) values)

nixpatches/2023-02-28-mesa-22.3.6.patch

@@ -0,0 +1,23 @@
+diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
+index 52633a6d21649..20d839b74c2ea 100644
+--- a/pkgs/development/libraries/mesa/default.nix
++++ b/pkgs/development/libraries/mesa/default.nix
+@@ -88,7 +88,7 @@
+ let
+   # Release calendar: https://www.mesa3d.org/release-calendar.html
+   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
+-  version = "22.3.5";
++  version = "22.3.6";
+   branch  = lib.versions.major version;
+ 
+   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
+@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
+       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
+       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
+     ];
+-    sha256 = "3eed2ecae2bc674494566faab9fcc9beb21cd804c7ba2b59a1694f3d7236e6a9";
++    hash = "sha256-TsjsZdvbHulETbpylwiQEooZVDpYzwWTG9b1TxJOEX8=";
+   };
+ 
+   # TODO:
+

nixpatches/2023-03-10-hase.patch

@@ -0,0 +1,178 @@
+diff --git a/pkgs/development/libraries/sparrow3d/default.nix b/pkgs/development/libraries/sparrow3d/default.nix
+new file mode 100644
+index 00000000000..331a02efc5f
+--- /dev/null
++++ b/pkgs/development/libraries/sparrow3d/default.nix
+@@ -0,0 +1,53 @@
++{ lib
++, fetchFromGitHub
++, pkg-config
++, SDL
++, SDL_image
++, SDL_mixer
++, SDL_net
++, SDL_ttf
++, stdenv
++}:
++
++stdenv.mkDerivation (finalAttrs: {
++  pname = "sparrow3d";
++  version = "2020-10-06";
++
++  src = fetchFromGitHub {
++    owner = "theZiz";
++    repo = "sparrow3d";
++    rev = "2033349d7adeba34bda2c442e1fec22377471134";
++    hash = "sha256-28j5nbTYBrMN8BQ6XrTlO1D8Viw+RiT3MAl99BAbhR4=";
++  };
++
++  nativeBuildInputs = [
++    pkg-config
++  ];
++
++  propagatedBuildInputs = [
++    SDL.dev
++    SDL_image
++    SDL_ttf
++    SDL_mixer
++    SDL_net
++  ];
++
++  postConfigure = ''
++    NIX_CFLAGS_COMPILE=$(pkg-config --cflags SDL_image SDL_ttf SDL_mixer SDL_net)
++  '';
++
++  installPhase = ''
++    mkdir -p $out/{include,lib/pkgconfig}
++    cp sparrow*.h $out/include
++    cp libsparrow{3d,Net,Sound}.so $out/lib
++    substituteAll ${./sparrow3d.pc.in} $out/lib/pkgconfig/sparrow3d.pc
++  '';
++
++  meta = with lib; {
++    description = "a software renderer for different open handhelds like the gp2x, wiz, caanoo and pandora";
++    homepage = "https://github.com/theZiz/sparrow3d";
++    license = licenses.lgpl21;
++    maintainers = with maintainers; [ colinsane ];
++    platforms = [ "x86_64-linux" ];
++  };
++})
+diff --git a/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in b/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in
+new file mode 100644
+index 00000000000..046e174ea97
+--- /dev/null
++++ b/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in
+@@ -0,0 +1,17 @@
++prefix=@out@
++includedir=${prefix}/include
++libdir=${prefix}/lib
++
++Name: sparrow3d
++Description: a software renderer for different open handhelds like the gp2x, wiz, caanoo and pandora
++URL: https://github.com/theZiz/sparrow3d
++Version: @version@
++Requires: \
++  sdl \
++  SDL_image \
++  SDL_ttf \
++  SDL_mixer \
++  SDL_net
++Cflags: -isystem${includedir}
++Libs: -L${libdir} -lsparrow3d -lsparrowNet -lsparrowSound
++
+diff --git a/pkgs/games/hase/default.nix b/pkgs/games/hase/default.nix
+new file mode 100644
+index 00000000000..794b6d017ae
+--- /dev/null
++++ b/pkgs/games/hase/default.nix
+@@ -0,0 +1,49 @@
++{ lib
++, fetchFromGitHub
++, pkg-config
++, stdenv
++, sparrow3d
++, zlib
++}:
++
++stdenv.mkDerivation {
++  pname = "hase";
++  version = "2020-10-06";
++
++  src = fetchFromGitHub {
++    owner = "theZiz";
++    repo = "hase";
++    rev = "31d6840cdf0c72fc459f10402dae7726096b2974";
++    hash = "sha256-d9So3E8nCQJ1/BdlwMkGbaFPT9mkX1VzlDGKp71ptEE=";
++  };
++  patches = [ ./prefer-dynamic.patch ];
++
++  nativeBuildInputs = [
++    pkg-config
++  ];
++
++  buildInputs = [
++    sparrow3d
++    zlib
++  ];
++
++  buildPhase = ''
++    NIX_CFLAGS_COMPILE=$(pkg-config --cflags sparrow3d zlib)
++    mkdir -p $out/{bin,share/applications,share/pixmaps}
++    # build and install are one step, and inseparable without patching
++    ./install.sh $out
++  '';
++
++  postFixup = ''
++    substituteInPlace "$out/share/applications/hase.desktop" \
++      --replace "Exec=hase" "Exec=$out/bin/hase"
++  '';
++
++  meta = with lib; {
++    description = "Hase is an open source gravity based artillery shooter. It is similar to Worms, Hedgewars or artillery, but the gravity force and direction depends on the mass nearby. It is optimized for mobile game consoles like the GP2X, Open Pandora or GCW Zero";
++    homepage = "http://ziz.gp2x.de/hase/";
++    license = licenses.gpl3;
++    maintainers = with maintainers; [ colinsane ];
++    platforms = [ "x86_64-linux" ];
++  };
++}
+diff --git a/pkgs/games/hase/prefer-dynamic.patch b/pkgs/games/hase/prefer-dynamic.patch
+new file mode 100644
+index 00000000000..ab36e6b2b3d
+--- /dev/null
++++ b/pkgs/games/hase/prefer-dynamic.patch
+@@ -0,0 +1,13 @@
++diff --git a/Makefile b/Makefile
++index 95d894e..3c561c1 100644
++--- a/Makefile
+++++ b/Makefile
++@@ -35,7 +35,7 @@ endif
++ LIB += -L$(SPARROW_LIB)
++ INCLUDE += -I$(SPARROW_FOLDER)
++ 
++-HASE_STATIC = $(SPARROW_LIB)/$(SPARROW3D_STATIC_LIB) $(SPARROW_LIB)/$(SPARROWSOUND_STATIC_LIB) $(SPARROW_LIB)/$(SPARROWNET_STATIC_LIB) $(STATIC)
+++DYNAMIC += -lsparrow3d -lsparrowSound -lsparrowNet
++ 
++ ifneq ($(TARGET),win32)
++ DYNAMIC += -lz
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index 521b00eb5f5..31052251314 100644
+--- a/pkgs/top-level/all-packages.nix
++++ b/pkgs/top-level/all-packages.nix
+@@ -23550,6 +23550,8 @@ with pkgs;
+ 
+   spaceship-prompt = callPackage ../shells/zsh/spaceship-prompt {};
+ 
++  sparrow3d = callPackage ../development/libraries/sparrow3d {};
++
+   spdk = callPackage ../development/libraries/spdk { };
+ 
+   speechd = callPackage ../development/libraries/speechd { };
+@@ -35570,6 +35572,8 @@ with pkgs;
+ 
+   harmonist = callPackage ../games/harmonist { };
+ 
++  hase = callPackage ../games/hase { };
++
+   hedgewars = libsForQt5.callPackage ../games/hedgewars {
+     inherit (haskellPackages) ghcWithPackages;
+   };

nixpatches/list.nix

@@ -1,10 +1,4 @@
 { fetchpatch, fetchurl }: [
-  # librewolf: build with `MOZ_REQUIRE_SIGNING=false`
-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/99b82e07fee4d194520d6e8d51bc45c80a4d3c7e.diff";
-    sha256 = "sha256-Ne4hyHQDwBHUlWo8Z3QyRdmEv1rYGOjFGxSfOAcLUvQ=";
-  })
 
   # splatmoji: init at 1.2.0
   (fetchpatch {
@@ -26,14 +20,33 @@
   # fixed in mesa 22.3.6: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21330/diffs>
   # only necessary on aarch64.
   # it's a revert of nixpkgs commit dcf630c172df2a9ecaa47c77f868211e61ae8e52
-  ./2023-01-30-mesa-cma-leak.patch
+  # ./2023-01-30-mesa-cma-leak.patch
+  # upgrade to 22.3.6 instead
+  # ./2023-02-28-mesa-22.3.6.patch
 
   # fix qt6.qtbase and qt6.qtModule to cross-compile.
   # unfortunately there's some tangle that makes that difficult to do via the normal `override` facilities
   ./2023-03-03-qtbase-cross-compile.patch
 
   # let ccache cross-compile
-  ./2023-03-04-ccache-cross-fix.patch
+  # TODO: why doesn't this apply?
+  # ./2023-03-04-ccache-cross-fix.patch
+
+  # TODO: point to upstream PR
+  ./2023-03-10-hase.patch
+
+  # 2023-03-28: jellyfin-media-player: 1.8.1 -> 1.9.0
+  # TODO: i should review/approve this PR if it works
+  (fetchpatch {
+    url = "https://github.com/NixOS/nixpkgs/pull/220974.diff";
+    hash = "sha256-AK/l0vteCEg/ae4E0dS1oWnlLI4xyeyLFJcqMgCQ4RI=";
+  })
+
+  # 2023-04-11: sequoia: 0.27.0 -> 0.28.0 & fix staging-next build
+  (fetchpatch {
+    url = "https://github.com/NixOS/nixpkgs/pull/225823.diff";
+    hash = "sha256-6ExUJZxP1t5SbTaHimaqzScTjFdqnZhZqTIUxY452QQ=";
+  })
 
   # # kaiteki: init at 2022-09-03
   # vendorHash changes too frequently (might not be reproducible).

overlays/disable-flakey-tests.nix

@@ -8,180 +8,196 @@
   ell = prev.ell.overrideAttrs (_upstream: {
     # 2023/02/11
     # fixes "TEST FAILED in get_random_return_callback at unit/test-dbus-message-fds.c:278: !l_dbus_message_get_error(message, ((void *)0), ((void *)0))"
+    # 2023/04/06
+    # fixes "test-cipher: unit/test-cipher.c:102: test_aes_ctr: Assertion `!r' failed."
     # unclear *why* this test fails.
     doCheck = false;
   });
-  fish = prev.fish.overrideAttrs (_upstream: {
-    # 2023/02/28
-    # The following tests FAILED:
-    #     177 - sigint.fish (Failed)
-    #     241 - torn_escapes.py (Failed)
-    doCheck = false;
-  });
-  gjs = prev.gjs.overrideAttrs (_upstream: {
-    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
-    doCheck = false;
-  });
-  gssdp = prev.gssdp.overrideAttrs (_upstream: {
-    # 2023/02/11
-    # fixes "ERROR:../tests/test-regression.c:429:test_ggo_7: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-error, 1)"
-    doCheck = false;
-  });
-  gupnp = prev.gupnp.overrideAttrs (_upstream: {
-    # 2023/02/22
-    # fixes "Bail out! ERROR:../tests/test-bugs.c:205:test_bgo_696762: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-erro>"
-    doCheck = false;
-  });
-  json-glib = prev.json-glib.overrideAttrs (_upstream: {
-    # 2023/02/11
-    # fixes: "15/15 json-glib:docs / doc-check    TIMEOUT        30.52s   killed by signal 15 SIGTERM"
-    doCheck = false;
-  });
-  lapack-reference = prev.lapack-reference.overrideAttrs (_upstream: {
-    # 2023/02/11: test timeouts
-    # > The following tests FAILED:
-    # >       93 - LAPACK-xlintstz_ztest_in (Timeout)
-    # >        98 - LAPACK-xeigtstz_svd_in (Timeout)
-    # >          99 - LAPACK-xeigtstz_zec_in (Timeout)
-    doCheck = false;
-  });
-  libadwaita = prev.libadwaita.overrideAttrs (_upstream: {
-    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
-    doCheck = false;
-  });
-  libsecret = prev.libsecret.overrideAttrs (_upstream: {
-    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
-    doCheck = false;
-  });
-  libuv = prev.libuv.overrideAttrs (_upstream: {
-    # 2023/02/11
-    # 2 tests fail:
-    # - not ok 261 - tcp_bind6_error_addrinuse
-    # - not ok 267 - tcp_bind_error_addrinuse_listen
+  # fish = prev.fish.overrideAttrs (_upstream: {
+  #   # 2023/02/28
+  #   # The following tests FAILED:
+  #   #     177 - sigint.fish (Failed)
+  #   #     241 - torn_escapes.py (Failed)
+  #   doCheck = false;
+  # });
+  # gjs = prev.gjs.overrideAttrs (_upstream: {
+  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
+  #   doCheck = false;
+  # });
+  # gssdp = prev.gssdp.overrideAttrs (_upstream: {
+  #   # 2023/02/11
+  #   # fixes "ERROR:../tests/test-regression.c:429:test_ggo_7: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-error, 1)"
+  #   doCheck = false;
+  # });
+  # gupnp = prev.gupnp.overrideAttrs (_upstream: {
+  #   # 2023/02/22
+  #   # fixes "Bail out! ERROR:../tests/test-bugs.c:205:test_bgo_696762: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-erro>"
+  #   doCheck = false;
+  # });
+  # json-glib = prev.json-glib.overrideAttrs (_upstream: {
+  #   # 2023/02/11
+  #   # fixes: "15/15 json-glib:docs / doc-check    TIMEOUT        30.52s   killed by signal 15 SIGTERM"
+  #   doCheck = false;
+  # });
+  # lapack-reference = prev.lapack-reference.overrideAttrs (_upstream: {
+  #   # 2023/02/11: test timeouts
+  #   # > The following tests FAILED:
+  #   # >       93 - LAPACK-xlintstz_ztest_in (Timeout)
+  #   # >        98 - LAPACK-xeigtstz_svd_in (Timeout)
+  #   # >          99 - LAPACK-xeigtstz_zec_in (Timeout)
+  #   doCheck = false;
+  # });
+  # libadwaita = prev.libadwaita.overrideAttrs (_upstream: {
+  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
+  #   doCheck = false;
+  # });
+  # libsecret = prev.libsecret.overrideAttrs (_upstream: {
+  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
+  #   doCheck = false;
+  # });
+  # libuv = prev.libuv.overrideAttrs (_upstream: {
+  #   # 2023/02/11
+  #   # 2 tests fail:
+  #   # - not ok 261 - tcp_bind6_error_addrinuse
+  #   # - not ok 267 - tcp_bind_error_addrinuse_listen
+  #   doCheck = false;
+  # });
+  libwacom = prev.libwacom.overrideAttrs (_upstream: {
+    # 2023/03/30
+    # "libwacom:all / pytest TIMEOUT"
     doCheck = false;
+    mesonFlags = [ "-Dtests=disabled" ];
   });
 
-  llvmPackages_12 =
-    let
-      tools = prev.llvmPackages_12.tools.extend (self: super: {
-        libllvm = super.libllvm.overrideAttrs (upstream: {
-          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITTest.return_global (2857 of 42084)"
-          # - nix log /nix/store/6vydavlxh1gvs0vmrkcx9qp67g3h7kcz-llvm-12.0.1.drv
-          # - wanted by sequoia, rav1e, rustc-1.66.1  (is this right?)
-          doCheck = false;
-          # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
-          cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
-        });
-      });
-    in
-      # see <nixpkgs:pkgs/development/compilers/llvm/12/default.nix>
-      # - we copy their strategy / attrset mutilation
-      prev.llvmPackages_12 // { inherit tools; } // tools;
+  # llvmPackages_12 =
+  #   let
+  #     tools = prev.llvmPackages_12.tools.extend (self: super: {
+  #       libllvm = super.libllvm.overrideAttrs (upstream: {
+  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITTest.return_global (2857 of 42084)"
+  #         # - nix log /nix/store/6vydavlxh1gvs0vmrkcx9qp67g3h7kcz-llvm-12.0.1.drv
+  #         # - wanted by sequoia, rav1e, rustc-1.66.1  (is this right?)
+  #         doCheck = false;
+  #         # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
+  #         cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
+  #       });
+  #     });
+  #   in
+  #     # see <nixpkgs:pkgs/development/compilers/llvm/12/default.nix>
+  #     # - we copy their strategy / attrset mutilation
+  #     prev.llvmPackages_12 // { inherit tools; } // tools;
 
-  llvmPackages_14 =
-    let
-      tools = prev.llvmPackages_14.tools.extend (self: super: {
-        libllvm = super.libllvm.overrideAttrs (upstream: {
-          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITMultipleModuleTest.two_module_global_variables_case (43769 of 46988)"
-          # - nix log /nix/store/ib2yw6sajnhlmibxkrn7lj7chllbr85h-llvm-14.0.6.drv
-          # - wanted by clang-11-12-LLVMgold-path, compiler-rt-libc-12.0.1, clang-wrapper-12.0.1  (is this right?)
-          doCheck = false;
-          # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
-          cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
-        });
-      });
-    in
-      # see <nixpkgs:pkgs/development/compilers/llvm/14/default.nix>
-      # - we copy their strategy / attrset mutilation
-      prev.llvmPackages_14 // { inherit tools; } // tools;
+  # llvmPackages_14 =
+  #   let
+  #     tools = prev.llvmPackages_14.tools.extend (self: super: {
+  #       libllvm = super.libllvm.overrideAttrs (upstream: {
+  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITMultipleModuleTest.two_module_global_variables_case (43769 of 46988)"
+  #         # - nix log /nix/store/ib2yw6sajnhlmibxkrn7lj7chllbr85h-llvm-14.0.6.drv
+  #         # - wanted by clang-11-12-LLVMgold-path, compiler-rt-libc-12.0.1, clang-wrapper-12.0.1  (is this right?)
+  #         doCheck = false;
+  #         # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
+  #         cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
+  #       });
+  #     });
+  #   in
+  #     # see <nixpkgs:pkgs/development/compilers/llvm/14/default.nix>
+  #     # - we copy their strategy / attrset mutilation
+  #     prev.llvmPackages_14 // { inherit tools; } // tools;
 
-  llvmPackages_15 =
-    let
-      tools = prev.llvmPackages_15.tools.extend (self: super: {
-        libllvm = super.libllvm.override {
-          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/..."
-          # llvm15 passes doCheck as a call arg, so we don't need to set cmakeFlags explicitly as in previous versions
-          doCheck = false;
-        };
-      });
-    in
-      prev.llvmPackages_15 // { inherit tools; } // tools;
+  # llvmPackages_15 =
+  #   let
+  #     tools = prev.llvmPackages_15.tools.extend (self: super: {
+  #       libllvm = super.libllvm.override {
+  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/..."
+  #         # llvm15 passes doCheck as a call arg, so we don't need to set cmakeFlags explicitly as in previous versions
+  #         doCheck = false;
+  #       };
+  #     });
+  #   in
+  #     prev.llvmPackages_15 // { inherit tools; } // tools;
 
-  modemmanager = prev.modemmanager.overrideAttrs (_upstream: {
-    # 2023/02/25
-    # "ERROR:test-modem-helpers.c:257:test_cmgl_response: assertion failed: (list != NULL)"
-    doCheck = false;
-    doInstallCheck = false;  # tests are run during install check??
-  });
+  # modemmanager = prev.modemmanager.overrideAttrs (_upstream: {
+  #   # 2023/02/25
+  #   # "ERROR:test-modem-helpers.c:257:test_cmgl_response: assertion failed: (list != NULL)"
+  #   doCheck = false;
+  #   doInstallCheck = false;  # tests are run during install check??
+  # });
 
   pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
     (py-next: py-prev: {
-      ipython = py-prev.ipython.overridePythonAttrs (upstream: {
-        # > FAILED IPython/core/tests/test_debugger.py::test_xmode_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_disabled - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_with_breakpoint - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-        # > FAILED IPython/core/tests/test_debugger.py::test_where_erase_value - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-        # > FAILED IPython/terminal/tests/test_debug_magic.py::test_debug_magic_passes_through_generators - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-        # > FAILED IPython/terminal/tests/test_embed.py::test_nest_embed - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+      # ipython = py-prev.ipython.overridePythonAttrs (upstream: {
+      #   # > FAILED IPython/core/tests/test_debugger.py::test_xmode_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_disabled - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_with_breakpoint - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+      #   # > FAILED IPython/core/tests/test_debugger.py::test_where_erase_value - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+      #   # > FAILED IPython/terminal/tests/test_debug_magic.py::test_debug_magic_passes_through_generators - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+      #   # > FAILED IPython/terminal/tests/test_embed.py::test_nest_embed - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+      #   disabledTestPaths = upstream.disabledTestPaths or [] ++ [
+      #     "IPython/core/tests/test_debugger.py"
+      #     "IPython/terminal/tests/test_debug_magic.py"
+      #     "IPython/terminal/tests/test_embed.py"
+      #   ];
+      # });
+      pyarrow = py-prev.pyarrow.overridePythonAttrs (upstream: {
+        # 2023/04/02
+        # disabledTests = upstream.disabledTests ++ [ "test_generic_options" ];
         disabledTestPaths = upstream.disabledTestPaths or [] ++ [
-          "IPython/core/tests/test_debugger.py"
-          "IPython/terminal/tests/test_debug_magic.py"
-          "IPython/terminal/tests/test_embed.py"
+          "pyarrow/tests/test_flight.py"
         ];
       });
-      pytest-xdist = py-prev.pytest-xdist.overridePythonAttrs (upstream: {
-        # 2023/02/19
-        # 4 tests fail:
-        # - FAILED: testing/test_remote.py::TestWorkInteractor::* - execnet.gateway_base.TimeoutError: no item after 10.0 seconds
-        # doCheck = false;
-        disabledTestPaths = upstream.disabledTestPaths or [] ++ [
-          "testing/test_remote.py"
-        ];
-        # disabledTests = upstream.disabledTests or [] ++ [
-        #   "test_basic_collect_and_runtests"
-        #   "test_remote_collect_fail"
-        #   "test_remote_collect_skip"
-        #   "test_runtests_all"
-        # ];
-      });
-      twisted = py-prev.twisted.overridePythonAttrs (upstream: {
-        # 2023/02/25
-        # ```
-        # [ERROR]
-        # Traceback (most recent call last):
-        #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/test/test_udp.py", line 645, in test_interface
-        #     self.assertEqual(self.client.transport.getOutgoingInterface(), "0.0.0.0")
-        #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/internet/udp.py", line 449, in getOutgoingInterface
-        #     i = self.socket.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF)
-        # builtins.OSError: [Errno 92] Protocol not available
-        #
-        # twisted.test.test_udp.MulticastTests.test_interface
-        # ```
-        postPatch = upstream.postPatch + ''
-          echo 'MulticastTests.test_interface.skip = "Protocol not available"'>> src/twisted/test/test_udp.py
-        '';
-      });
+      # pytest-xdist = py-prev.pytest-xdist.overridePythonAttrs (upstream: {
+      #   # 2023/02/19
+      #   # 4 tests fail:
+      #   # - FAILED: testing/test_remote.py::TestWorkInteractor::* - execnet.gateway_base.TimeoutError: no item after 10.0 seconds
+      #   # doCheck = false;
+      #   disabledTestPaths = upstream.disabledTestPaths or [] ++ [
+      #     "testing/test_remote.py"
+      #   ];
+      #   # disabledTests = upstream.disabledTests or [] ++ [
+      #   #   "test_basic_collect_and_runtests"
+      #   #   "test_remote_collect_fail"
+      #   #   "test_remote_collect_skip"
+      #   #   "test_runtests_all"
+      #   # ];
+      # });
+      # twisted = py-prev.twisted.overridePythonAttrs (upstream: {
+      #   # 2023/02/25
+      #   # ```
+      #   # [ERROR]
+      #   # Traceback (most recent call last):
+      #   #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/test/test_udp.py", line 645, in test_interface
+      #   #     self.assertEqual(self.client.transport.getOutgoingInterface(), "0.0.0.0")
+      #   #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/internet/udp.py", line 449, in getOutgoingInterface
+      #   #     i = self.socket.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF)
+      #   # builtins.OSError: [Errno 92] Protocol not available
+      #   #
+      #   # twisted.test.test_udp.MulticastTests.test_interface
+      #   # ```
+      #   postPatch = upstream.postPatch + ''
+      #     echo 'MulticastTests.test_interface.skip = "Protocol not available"'>> src/twisted/test/test_udp.py
+      #   '';
+      # });
     })
   ];
-  strp = prev.srtp.overrideAttrs (_upstream: {
-    # 2023/02/11
-    # roc_driver test times out after 30s
-    doCheck = false;
-  });
+
+  # strp = prev.srtp.overrideAttrs (_upstream: {
+  #   # 2023/02/11
+  #   # roc_driver test times out after 30s
+  #   doCheck = false;
+  # });
   tracker = prev.tracker.overrideAttrs (_upstream: {
     # 2023/02/22
     # "27/37 tracker:core / service                          TIMEOUT         60.37s   killed by signal 15 SIGTERM"
     doCheck = false;
   });
-  udisks2 = prev.udisks2.overrideAttrs (_upstream: {
-    # 2023/02/25
-    # "udisks-test:ERROR:test.c:61:on_completed_expect_failure: assertion failed (message == expected_message): ("Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11):\nstdout: `OK, deliberately causing a segfault\n'\nstderr: `qemu: uncaught target signal 11 (Segmentation fault) - core dumped\n'" == "Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11): OK, deliberately causing a segfault\n")"
-    doCheck = false;
-  });
-  upower = prev.upower.overrideAttrs (_upstream: {
-    # 2023/02/25
-    # "Tests.test_battery_state_guessing                          TIMEOUT        60.80s   killed by signal 15 SIGTERM"
-    doCheck = false;
-  });
+  # udisks2 = prev.udisks2.overrideAttrs (_upstream: {
+  #   # 2023/02/25
+  #   # "udisks-test:ERROR:test.c:61:on_completed_expect_failure: assertion failed (message == expected_message): ("Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11):\nstdout: `OK, deliberately causing a segfault\n'\nstderr: `qemu: uncaught target signal 11 (Segmentation fault) - core dumped\n'" == "Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11): OK, deliberately causing a segfault\n")"
+  #   doCheck = false;
+  # });
+  # upower = prev.upower.overrideAttrs (_upstream: {
+  #   # 2023/02/25
+  #   # "Tests.test_battery_state_guessing                          TIMEOUT        60.80s   killed by signal 15 SIGTERM"
+  #   doCheck = false;
+  # });
 })

overlays/pins.nix

@@ -15,4 +15,7 @@
   # so just forward the unstable packages.
   inherit (next.stable or prev)
   ;
+  # chromium can take 4 hours to build from source, with no signs of progress.
+  # disable it if you're in a rush.
+  # chromium = next.emptyDirectory;
 })

overlays/pkgs.nix

@@ -1,46 +1,42 @@
 (next: prev:
+  with next;
   let
     sane = rec {
       #### my own, non-upstreamable packages:
-      sane-scripts = prev.callPackage ../pkgs/sane-scripts { };
-      feeds = prev.callPackage ../pkgs/feeds { };
-      tow-boot-pinephone = prev.callPackage ../pkgs/tow-boot-pinephone { };
-      tow-boot-rpi4 = prev.callPackage ../pkgs/tow-boot-rpi4 { };
-      bootpart-uefi-x86_64 = prev.callPackage ../pkgs/bootpart-uefi-x86_64 { };
-      bootpart-tow-boot-rpi-aarch64 = prev.callPackage ../pkgs/bootpart-tow-boot-rpi-aarch64 {
-        # not sure why i can't just do `next.callPackage` instead
-        inherit tow-boot-rpi4;
-      };
-      bootpart-u-boot-rpi-aarch64 = prev.callPackage ../pkgs/bootpart-u-boot-rpi-aarch64 {
-        # not sure why i can't just do `next.callPackage` instead
-        inherit ubootRaspberryPi4_64bit;
-      };
-      rtl8723cs-firmware = prev.callPackage ../pkgs/rtl8723cs-firmware { };
-      linux-megous = prev.callPackage ../pkgs/linux-megous {
+      static-nix-shell = callPackages ../pkgs/static-nix-shell { };
+      sane-scripts = callPackage ../pkgs/sane-scripts { };
+      feeds = recurseIntoAttrs (callPackage ../pkgs/feeds { });
+      tow-boot-pinephone = callPackage ../pkgs/tow-boot-pinephone { };
+      tow-boot-rpi4 = callPackage ../pkgs/tow-boot-rpi4 { };
+      bootpart-uefi-x86_64 = callPackage ../pkgs/bootpart-uefi-x86_64 { };
+      bootpart-tow-boot-rpi-aarch64 = callPackage ../pkgs/bootpart-tow-boot-rpi-aarch64 { };
+      bootpart-u-boot-rpi-aarch64 = callPackage ../pkgs/bootpart-u-boot-rpi-aarch64 { };
+      rtl8723cs-firmware = callPackage ../pkgs/rtl8723cs-firmware { };
+      linux-megous = callPackage ../pkgs/linux-megous {
         kernelPatches = [
           prev.kernelPatches.bridge_stp_helper
           prev.kernelPatches.request_key_helper
         ];
       };
 
-      sublime-music-mobile = prev.callPackage ../pkgs/sublime-music-mobile { };
+      sublime-music-mobile = callPackage ../pkgs/sublime-music-mobile { };
 
       #### customized packages
-      fluffychat-moby = prev.callPackage ../pkgs/fluffychat-moby { };
-      gpodder-configured = prev.callPackage ../pkgs/gpodder-configured { };
+      fluffychat-moby = callPackage ../pkgs/fluffychat-moby { };
+      gpodder-configured = callPackage ../pkgs/gpodder-configured { };
       # jackett doesn't allow customization of the bind address: this will probably always be here.
-      jackett = prev.callPackage ../pkgs/jackett { inherit (prev) jackett; };
+      jackett = callPackage ../pkgs/jackett { inherit (prev) jackett; };
       # mozilla keeps nerfing itself and removing configuration options
-      firefox-unwrapped = next.callPackage ../pkgs/firefox-unwrapped { inherit (prev) firefox-unwrapped; };
+      firefox-unwrapped = callPackage ../pkgs/firefox-unwrapped { inherit (prev) firefox-unwrapped; };
 
       # patch rpi uboot with something that fixes USB HDD boot
-      ubootRaspberryPi4_64bit = prev.callPackage ../pkgs/ubootRaspberryPi4_64bit { };
+      ubootRaspberryPi4_64bit = callPackage ../pkgs/ubootRaspberryPi4_64bit { };
 
-      gocryptfs = prev.callPackage ../pkgs/gocryptfs { inherit (prev) gocryptfs; };
+      gocryptfs = callPackage ../pkgs/gocryptfs { inherit (prev) gocryptfs; };
 
-      browserpass = prev.callPackage ../pkgs/browserpass { inherit (prev) browserpass; inherit sane-scripts; };
+      browserpass = callPackage ../pkgs/browserpass { inherit (prev) browserpass; };
 
-      fractal-latest = prev.callPackage ../pkgs/fractal-latest { };
+      fractal-latest = callPackage ../pkgs/fractal-latest { };
 
       #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
 
@@ -50,14 +46,14 @@
         })
       ];
 
-      kaiteki = prev.callPackage ../pkgs/kaiteki { };
-      lightdm-mobile-greeter = prev.callPackage ../pkgs/lightdm-mobile-greeter { };
-      browserpass-extension = prev.callPackage ../pkgs/browserpass-extension { };
-      gopass-native-messaging-host = prev.callPackage ../pkgs/gopass-native-messaging-host { };
+      kaiteki = callPackage ../pkgs/kaiteki { };
+      lightdm-mobile-greeter = callPackage ../pkgs/lightdm-mobile-greeter { };
+      browserpass-extension = callPackage ../pkgs/browserpass-extension { };
+      gopass-native-messaging-host = callPackage ../pkgs/gopass-native-messaging-host { };
       tokodon = prev.libsForQt5.callPackage ../pkgs/tokodon { };
 
       # provided by nixpkgs patch or upstream preview
-      # splatmoji = prev.callPackage ../pkgs/splatmoji { };
+      # splatmoji = callPackage ../pkgs/splatmoji { };
     };
   in sane // { inherit sane; }
 )

pkgs/browserpass/default.nix

@@ -32,8 +32,8 @@ in
     owner = "colin";
     repo = "browserpass-native";
     # don't forcibly append '.gpg'
-    rev = "85bdb08379c03297c1236f66e8764160c922d397";
-    hash = "sha256-SEfihU+GreWhYfLVr7tTnMCo6Iq20a78F8iVbycOQUQ=";
+    rev = "d3ef88e12cb127914fb0ead762b7baee6913592f";
+    hash = "sha256-FRnFmCJI/1f92DOI1VXSPivSBzIR372gmgLUfLLiuPc=";
   };
   installPhase = ''
     make install

pkgs/feeds/default.nix

@@ -1,42 +1,58 @@
 { lib
-, pkgs
+, callPackage
+, python3
+, static-nix-shell
+, writeShellScript
 }:
 
-(lib.makeScope pkgs.newScope (self:
-  let
-    # TODO: dependency-inject this.
-    sane-data = import ../../modules/data { inherit lib; };
-    template = self.callPackage ./template.nix;
-    feed-pkgs = lib.mapAttrs
-      (name: feed-details: template {
-        feedName = name;
-        jsonPath = "modules/data/feeds/sources/${name}/default.json";
-        inherit (feed-details) url;
-      })
-      sane-data.feeds;
-    update-scripts = lib.mapAttrsToList
-      (name: feed: builtins.concatStringsSep " " feed.passthru.updateScript)
-      feed-pkgs;
-  in
-    feed-pkgs // {
-      passthru.updateScript = pkgs.writeShellScript
-        "feeds-update"
-        (builtins.concatStringsSep "\n" update-scripts);
+let
+  # TODO: dependency-inject this.
+  sane-data = import ../../modules/data { inherit lib; };
+  template = callPackage ./template.nix;
+  feed-pkgs = lib.mapAttrs
+    (name: feed-details: template {
+      feedName = name;
+      jsonPath = "modules/data/feeds/sources/${name}/default.json";
+      inherit (feed-details) url;
+    })
+    sane-data.feeds;
+  update-scripts = lib.mapAttrsToList
+    (name: feed: builtins.concatStringsSep " " feed.passthru.updateScript)
+    feed-pkgs;
+in rec {  # TODO: make this a scope
+  inherit feed-pkgs;
+  update = static-nix-shell.mkPython3Bin {
+    pname = "update";
+    src = ./.;
+    pyPkgs = [ "feedsearch-crawler" ];
+    srcPath = "update.py";
+  };
+  init-feed = writeShellScript
+    "init-feed"
+    ''
+      # this is the `nix run '.#init-feed' <url>` script`
+      sources_dir=modules/data/feeds/sources
+      # prettify the URL, by default
+      name=$( \
+        echo "$1" \
+        | sed 's|^https://||' \
+        | sed 's|^http://||' \
+        | sed 's|^www\.||' \
+        | sed 's|/+$||' \
+      )
+      json_path="$sources_dir/$name/default.json"
 
-      passthru.initFeedScript = pkgs.writeShellScript
-        "init-feed"
-        ''
-          sources_dir=modules/data/feeds/sources
-          name="$1"
-          url="https://$name"
-          json_path="$sources_dir/$name/default.json"
+      # the name could have slashes in it, so we want to mkdir -p that
+      # but in a way where the least could go wrong.
+      pushd "$sources_dir"; mkdir -p "$name"; popd
 
-          # the name could have slashes in it, so we want to mkdir -p that
-          # but in a way where the least could go wrong.
-          pushd "$sources_dir"; mkdir -p "$name"; popd
-
-          ${./update.py} "$url" "$json_path"
-          cat "$json_path"
-        '';
-    }
-))
+      ${update}/bin/update.py "$name" "$json_path"
+      cat "$json_path"
+    '';
+  passthru = {
+    updateScript = writeShellScript
+      "feeds-update"
+      (builtins.concatStringsSep "\n" update-scripts);
+    initFeedScript = init-feed;
+  };
+}

pkgs/feeds/update.py

@@ -13,9 +13,13 @@ logging.getLogger().setLevel(logging.DEBUG)
 logging.getLogger().addHandler(logging.StreamHandler(sys.stdout))
 logging.getLogger(__name__).debug("logging enabled")
 
-url = coerce_url(url, default_scheme="https")
-items = search(url, total_timeout=180, request_timeout=90, max_content_length=100*1024*1024)
-items = sort_urls(items)
+def try_scheme(url: str, scheme: str):
+    url = coerce_url(url, default_scheme=scheme)
+    print(f"trying {url}")
+    items = search(url, total_timeout=180, request_timeout=90, max_content_length=100*1024*1024)
+    return sort_urls(items)
+
+items = try_scheme(url, "https") or try_scheme(url, "http")
 
 # print all results
 serialized = [item.serialize() for item in items]

pkgs/sane-scripts/default.nix

@@ -1,108 +1,131 @@
 { lib
 , pkgs
 , resholve
+, static-nix-shell
+, symlinkJoin
 }:
 
-# resholve documentation:
-# - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
-# - generic: https://github.com/abathur/resholve
-resholve.mkDerivation {
-  pname = "sane-scripts";
-  version = "0.1.0";
+let
+  shell-scripts = resholve.mkDerivation {
+    # resholve documentation:
+    # - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
+    # - generic: https://github.com/abathur/resholve
+    pname = "sane-scripts";
+    version = "0.1.0";
 
-  src = ./src;
+    src = ./src;
 
-  solutions = {
-    default = {
-      # note: `scripts` refers to the store path here
-      scripts = [ "bin/*" ];
-      interpreter = "${pkgs.bash}/bin/bash";
-      inputs = with pkgs; [
-        # string is interpreted as relative path from @OUT@.
-        # this lets our scripts reference eachother.
-        # see: <https://github.com/abathur/resholve/issues/26>
-        "bin"
-        coreutils-full
-        curl
-        duplicity
-        file
-        findutils
-        git
-        gnugrep
-        gnused
-        gocryptfs
-        ifuse
-        inetutils
-        inotify-tools
-        iwd
-        jq
-        ncurses
-        oath-toolkit
-        openssh
-        openssl
-        rmlint
-        rsync
-        ssh-to-age
-        sops
-        sudo
-        systemd
-        util-linux
-        which
-      ];
-      keep = {
-        "/run/secrets/duplicity_passphrase" = true;
-        # we write here: keep it
-        "/tmp/rmlint.sh" = true;
-        # intentionally escapes (into user code)
-        "$external_cmd" = true;
-        "$maybe_sudo" = true;
-      };
-      fake = {
-        external = [
-          # https://github.com/abathur/resholve/issues/29
-          # "umount"
-          # "/run/wrappers/bin/sudo"
-          "sudo"
+    solutions = {
+      default = {
+        # note: `scripts` refers to the store path here
+        scripts = [ "bin/*" ];
+        interpreter = "${pkgs.bash}/bin/bash";
+        inputs = with pkgs; [
+          # string is interpreted as relative path from @OUT@.
+          # this lets our scripts reference eachother.
+          # see: <https://github.com/abathur/resholve/issues/26>
+          "bin"
+          coreutils-full
+          curl
+          duplicity
+          file
+          findutils
+          git
+          gnugrep
+          gnused
+          gocryptfs
+          ifuse
+          inetutils
+          inotify-tools
+          iwd
+          jq
+          ncurses
+          oath-toolkit
+          openssh
+          openssl
+          rmlint
+          rsync
+          ssh-to-age
+          sops
+          sudo
+          systemd
+          transmission
+          util-linux
+          which
+        ];
+        keep = {
+          "/run/secrets/duplicity_passphrase" = true;
+          # we write here: keep it
+          "/tmp/rmlint.sh" = true;
+          # intentionally escapes (into user code)
+          "$external_cmd" = true;
+          "$maybe_sudo" = true;
+        };
+        fake = {
+          external = [
+            # https://github.com/abathur/resholve/issues/29
+            # "umount"
+            # "/run/wrappers/bin/sudo"
+            "sudo"
+          ];
+        };
+        fix = {
+          # this replaces umount with the non-setuid-wrapper umount.
+          # not sure if/where that lack of suid causes problems.
+          umount = true;
+        };
+        prologue = "bin/sane-resholve-prologue";
+
+        # list of programs which *can* or *cannot* exec their arguments
+        execer = with pkgs; [
+          "cannot:${duplicity}/bin/duplicity"
+          "cannot:${git}/bin/git"
+          "cannot:${gocryptfs}/bin/gocryptfs"
+          "cannot:${ifuse}/bin/ifuse"
+          "cannot:${iwd}/bin/iwctl"
+          "cannot:${oath-toolkit}/bin/oathtool"
+          "cannot:${openssh}/bin/ssh-keygen"
+          "cannot:${rmlint}/bin/rmlint"
+          "cannot:${rsync}/bin/rsync"
+          "cannot:${sops}/bin/sops"
+          "cannot:${ssh-to-age}/bin/ssh-to-age"
+          "cannot:${systemd}/bin/systemctl"
+          "cannot:${transmission}/bin/transmission-remote"
         ];
       };
-      fix = {
-        # this replaces umount with the non-setuid-wrapper umount.
-        # not sure if/where that lack of suid causes problems.
-        umount = true;
-      };
-      prologue = "bin/sane-resholve-prologue";
-
-      # list of programs which *can* or *cannot* exec their arguments
-      execer = with pkgs; [
-        "cannot:${duplicity}/bin/duplicity"
-        "cannot:${git}/bin/git"
-        "cannot:${gocryptfs}/bin/gocryptfs"
-        "cannot:${ifuse}/bin/ifuse"
-        "cannot:${iwd}/bin/iwctl"
-        "cannot:${oath-toolkit}/bin/oathtool"
-        "cannot:${openssh}/bin/ssh-keygen"
-        "cannot:${rmlint}/bin/rmlint"
-        "cannot:${rsync}/bin/rsync"
-        "cannot:${sops}/bin/sops"
-        "cannot:${ssh-to-age}/bin/ssh-to-age"
-        "cannot:${systemd}/bin/systemctl"
-      ];
     };
+
+    patchPhase = ''
+      # remove python scripts  (we package them further below)
+      rm sane-bt-search
+      rm sane-date-math
+      rm sane-reclaim-boot-space
+    '';
+
+    installPhase = ''
+      mkdir -p $out/bin
+      cp -R * $out/bin/
+    '';
   };
 
-  patchPhase = ''
-    # remove python scripts
-    # TODO: figure out how to make resholve process only shell scripts
-    rm sane-bt-search
-    rm sane-date-math
-    rm sane-reclaim-boot-space
-  '';
-
-  installPhase = ''
-    mkdir -p $out/bin
-    cp -R * $out/bin/
-  '';
+  bt-search = static-nix-shell.mkPython3Bin {
+    pname = "sane-bt-search";
+    src = ./src;
+    pyPkgs = [ "natsort" "requests" ];
+  };
+  date-math = static-nix-shell.mkPython3Bin {
+    pname = "sane-date-math";
+    src = ./src;
+  };
+  reclaim-boot-space = static-nix-shell.mkPython3Bin {
+    pname = "sane-reclaim-boot-space";
+    src = ./src;
+  };
 
+in
+symlinkJoin {
+  name = "sane-scripts";
+  paths = [ shell-scripts bt-search date-math reclaim-boot-space ];
   meta = {
     description = "collection of scripts associated with uninsane systems";
     homepage = "https://git.uninsane.org";

pkgs/sane-scripts/src/sane-bt-add

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -e
+
+endpoint=https://bt.uninsane.org/transmission/rpc
+PASS=$(sudo cat /run/secrets/transmission_passwd)
+
+options=$(getopt -l film,series:,prefix: -- "" "${@}")
+eval "set -- ${options}"
+
+prefix=
+while true; do
+  case "$1" in
+    (--prefix)
+      shift
+      prefix="$1"
+      shift
+    ;;
+    (--film)
+      prefix=Videos/Film/
+      shift
+    ;;
+    (--series)
+      shift
+      prefix=Videos/Shows/"$1"/
+      shift
+    ;;
+    (--)
+      shift
+      if [ $# -eq 1 ]; then
+        break
+      fi
+    ;;
+    (*)
+      echo "invalid arguments"
+      exit 1
+    ;;
+  esac
+done
+# positional ("non-option") parameters
+torrent="$1"
+
+transmission-remote "$endpoint" \
+  --auth "colin:$PASS" \
+  --download-dir "/var/lib/uninsane/media/$prefix" \
+  --add "$torrent"

pkgs/sane-scripts/src/sane-bt-search

@@ -1,5 +1,6 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.natsort ps.requests ])"
+# vim: set filetype=python :
 """
 usage: sane-bt-search <query_string>
 
@@ -19,7 +20,7 @@ ENDPOINTS = dict(
     results="api/v2.0/indexers/all/results"
 )
 
-@dataclass(eq=True, order=True)
+@dataclass(eq=True, order=True, unsafe_hash=True)
 class Torrent:
     seeders: int
     pub_date: datetime
@@ -63,12 +64,12 @@ class Client:
         return resp.json()
 
     def query(self, q: str) -> list:
-        torrents = []
+        torrents = set()
         api_res = self.api_call("results", dict(Query=q))
         for r in api_res["Results"]:
             t = Torrent.from_dict(r)
             if t is not None:
-                torrents.append(t)
+                torrents.add(t)
 
         return sorted(torrents, reverse=True)
 

pkgs/sane-scripts/src/sane-bt-show

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+endpoint=https://bt.uninsane.org/transmission/rpc
+PASS=$(sudo cat /run/secrets/transmission_passwd)
+
+
+if [ "$#" -eq 0 ]; then
+  # no specific torrents we want to show, so show all of them.
+  # to query specific torrents, note the index and re-invoke this script with that.
+  transmission-remote "$endpoint" --auth "colin:$PASS" --list
+else
+  for id in $@; do
+    transmission-remote "$endpoint" --auth "colin:$PASS" -t "$id" -i
+  done
+fi

pkgs/sane-scripts/src/sane-date-math

@@ -1,4 +1,5 @@
-#!/usr/bin/env python3
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])"
 
 # i just went overboard playing around with parsers, is all.
 # use this like `./sane-date-math 'today - 5d'`

pkgs/sane-scripts/src/sane-deadlines

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# processes a tab-separated "deadlines" file and alerts for any upcoming events.
+#
+# deadlines.tsv file format:
+# - <date>\t<reminder-interval>\t<event>
+# - no header
+# - one line per entry
+# - <event> may contain any non-newline and non-tab characters
+# - <notice-interval> is the number of days before the event to start alerting, followed by 'd', e.g. `14d`
+# - <date> should be lexicographically orderable and machine-parsable, e.g. `2023-03-14`
+#
+# example `deadlines.tsv`
+# 2023-03-14	1d	celebrate pi day!
+# 2023-04-18	14d	taxes due
+# 2023-04-01	7d	the other pie day :o
+
+# configurables:
+deadlines=~/knowledge/planner/deadlines.tsv
+
+if ! test -f "$deadlines"; then
+        echo "WARNING: $deadlines sane-deadlines file not found"
+        exit 1
+fi
+
+now=$(date +%s)
+sort "$deadlines" | while read line; do
+        # parse line
+        deadline_field=$(echo "$line" | cut -f 1)
+        threshold_field=$(echo "$line" | cut -f 2)
+        description_field=$(echo "$line" | cut -f 3)
+
+        # normalize dates into seconds since unix epoch
+        deadline=$(date -d "$deadline_field" +%s)
+        threshold=$(echo "$threshold_field" | sed 's/d/day /g')
+        birthtime=$(date -d "$deadline_field - ($threshold)" +%s)
+
+        # show the event iff it's near
+        if test "$now" -ge "$birthtime"; then
+                days_until=$(( ($deadline - $now) / (24*60*60) ))
+                echo "in $days_until day(s): $description_field"
+        fi
+done

pkgs/sane-scripts/src/sane-reclaim-boot-space

@@ -1,4 +1,5 @@
-#!/usr/bin/env python3
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])"
 
 import os
 import os.path

pkgs/sane-scripts/src/sane-reclaim-disk-space

@@ -1,23 +1,52 @@
 #!/usr/bin/env bash
 # script to reclaim some hard drive space
+# some of this is documented here:
+# - <https://nixos.wiki/wiki/Storage_optimization>
 set -e
 
-options=$(getopt -l "fast" -o "f" -- "$@")
-do_rmlint=true
-for arg in $options; do
-  case $arg in
-    -f|--fast)
-      do_rmlint=false
-      ;;
-    --)
-      ;;
+options=$(getopt -l "gc,rmlint,all" -- "" "$@")
+eval "set -- ${options}"
+do_rmlint=false
+do_gc=false
+while true; do
+  case "$1" in
+    (--all)
+      shift
+      do_gc=true
+      do_rmlint=true
+    ;;
+    (--gc)
+      shift
+      do_gc=true
+    ;;
+    (--rmlint)
+      shift
+      do_rmlint=true
+    ;;
+    (--)
+      shift
+      if [ $# -eq 0 ]; then
+        break
+      fi
+    ;;
+    (*)
+      echo "invalid arguments"
+      exit 1
+    ;;
   esac
 done
 
 set -x
 
-# always claim nix garbage
-sudo nix-collect-garbage
+# scan the store and hard-link identical files
+# nix-store --optimise
+
+if [ $do_gc = true ]
+then
+  # TODO: do we need `sudo` here?
+  # TODO: `nix-store --gc`?
+  sudo nix-collect-garbage
+fi
 
 if [ $do_rmlint = true ]
 then

pkgs/static-nix-shell/default.nix

@@ -0,0 +1,30 @@
+{ stdenv
+, python3
+}:
+
+{
+  # transform a file which uses `#!/usr/bin/env nix-shell` shebang with a `python3` interpreter
+  # into a derivation that can be built statically
+  mkPython3Bin = { pname, pyPkgs ? [], srcPath ? pname, ... }@attrs: stdenv.mkDerivation (
+    let
+      evalPyPkgs = ps: builtins.map (name: ps."${name}") pyPkgs;
+      pyEnv = python3.withPackages evalPyPkgs;
+      pyPkgsStr = builtins.concatStringsSep " " (builtins.map (p: "ps.${p}") pyPkgs);
+    in {
+      version = "0.1.0";  # default version
+      patchPhase = ''
+        substituteInPlace ${srcPath} \
+          --replace '#!/usr/bin/env nix-shell' '#!${pyEnv.interpreter}' \
+          --replace \
+            '#!nix-shell -i python3 -p "python3.withPackages (ps: [ ${pyPkgsStr} ])"' \
+            '# nix deps evaluated statically'
+      '';
+      installPhase = ''
+        mkdir -p $out/bin
+        mv ${srcPath} $out/bin/${srcPath}
+        # ensure that all nix-shell references were substituted
+        ! grep nix-shell $out/bin/${srcPath}
+      '';
+    } // attrs
+  );
+}

secrets/universal.yaml

@@ -12,6 +12,7 @@ wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLM
 #ENC[AES256_GCM,data:qlF8rpSMUv6Z/YrOTp7WYs0lcpmSIi/r+gCuiw==,iv:cneNp/0av/ttQvnW4JVX9mj3261QFAzkLIzEMwiKwE8=,tag:FFsPUQBsSeImtymawY4eSg==,type:comment]
 router_passwd: ENC[AES256_GCM,data:Tya3Pd75Yu4=,iv:lqi7SavFnymL+uOQXDEzGxgikB6/ckNOBifjhyjXn1Q=,tag:HG3kf6e2g53uNUGI9FXyqQ==,type:str]
 jackett_apikey: ENC[AES256_GCM,data:2oGczau3f/w/5iCx3aft0V/t0tO5zsr5Xi/HQ1koTTo=,iv:33VPT8GYCPPJ2RUBP6yuLep9YX/VMW9Kt3MyQPmZuO0=,tag:TUIbutJKV5e3Kc9INk5VUA==,type:str]
+transmission_passwd: ENC[AES256_GCM,data:wY9kBcfJCvoPc5YXMgrFxBM=,iv:kjHK30mtcJ8O82Ve1Y4YIFVxaNIoWBWUYB2Zmm0fNMY=,tag:5HjjXP2az22PfkahoMEVwA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -90,8 +91,8 @@ sops:
             YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
             wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-20T06:57:29Z"
-    mac: ENC[AES256_GCM,data:J/yLlcmlX6st/d6c8eL/6DKZiHAELb0/zj+5qOjoE2uAgTTFnojaP4ssrmt7BaLQF1MQNnvkchvuwRv+dAVTXkuYPuDWS3YriAKQIXUx9sHIEoY6Aqa37eBwUNUBuxoR6FvfOGtXrIZuS0f7hZr+ddBZgCSBBE54yeH68Va1tZk=,iv:Y/T8qykrqRVQ8eMkNH2DZa6XoGd5nL18h/2SJucVAD8=,tag:OwZfOyLc29c1bJJIA9IW3Q==,type:str]
+    lastmodified: "2023-03-22T22:24:25Z"
+    mac: ENC[AES256_GCM,data:JJiPwkMCchOAgQ8p6Xnkpov/SJWDuhIzbHCxhEkqQeiFqpTzGPb9RayWElnGyMeyPpM/CVFfqiRhX96RX2q8+8Bp9uPMfKbt+xt521Wo/JnC3QiwChV72gswjNLYzwZx0kNhjCkoVhjITsv7S02XHV8ky1WpBA/JuvBtQcfZZbg=,iv:QwLN4ZNJIyt0XbvbuqB227WgrfkyX3u/gqdNuUYhbq0=,tag:+vwDS62V+GRrw4nDRBgoWA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3