flake update: nixpkgs 2023-01-13 -> 2023-01-15

```
• Updated input 'nixpkgs-stable':
    'github:nixos/nixpkgs/a83ed85c14fcf242653df6f4b0974b7e1c73c6c6' (2023-01-14)
  → 'github:nixos/nixpkgs/2f9fd351ec37f5d479556cd48be4ca340da59b8f' (2023-01-15)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/befc83905c965adfd33e5cae49acb0351f6e0404' (2023-01-13)
  → 'github:nixos/nixpkgs/6dccdc458512abce8d19f74195bb20fdb067df50' (2023-01-15)
```

flake.lock

@@ -36,21 +36,6 @@
         "type": "github"
       }
     },
-    "impermanence": {
-      "locked": {
-        "lastModified": 1668668915,
-        "narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=",
-        "owner": "nix-community",
-        "repo": "impermanence",
-        "rev": "5df9108b346f8a42021bf99e50de89c9caa251c3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "impermanence",
-        "type": "github"
-      }
-    },
     "mobile-nixos": {
       "flake": false,
       "locked": {
@@ -68,42 +53,45 @@
       }
     },
     "nixpkgs": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unpatched"
+        ]
+      },
       "locked": {
-        "lastModified": 1671722432,
-        "narHash": "sha256-ojcZUekIQeOZkHHzR81st7qxX99dB1Eaaq6PU5MNeKc=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "652e92b8064949a11bc193b90b74cb727f2a1405",
-        "type": "github"
+        "lastModified": 1,
+        "narHash": "sha256-5zCxdHGOS0OOP7vbgTA1iwv9GVr5JSiths7QmgUsU84=",
+        "path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
+        "type": "path"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
+        "type": "path"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1671883564,
-        "narHash": "sha256-C15oAtyupmLB3coZY7qzEHXjhtUx/+77olVdqVMruAg=",
-        "owner": "NixOS",
+        "lastModified": 1673800717,
+        "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "dac57a4eccf1442e8bf4030df6fcbb55883cb682",
+        "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
+        "owner": "nixos",
         "ref": "nixos-22.11",
-        "type": "indirect"
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1671923641,
-        "narHash": "sha256-flPauiL5UrfRJD+1oAcEefpEIUqTqnyKScWe/UUU+lE=",
+        "lastModified": 1673740915,
+        "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "939c05a176b8485971463c18c44f48e56a7801c9",
+        "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2",
         "type": "github"
       },
       "original": {
@@ -113,15 +101,31 @@
         "type": "github"
       }
     },
+    "nixpkgs-unpatched": {
+      "locked": {
+        "lastModified": 1673796341,
+        "narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "6dccdc458512abce8d19f74195bb20fdb067df50",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "home-manager": "home-manager",
-        "impermanence": "impermanence",
         "mobile-nixos": "mobile-nixos",
         "nixpkgs": "nixpkgs",
         "nixpkgs-stable": "nixpkgs-stable",
+        "nixpkgs-unpatched": "nixpkgs-unpatched",
         "sops-nix": "sops-nix",
-        "uninsane": "uninsane"
+        "uninsane-dot-org": "uninsane-dot-org"
       }
     },
     "sops-nix": {
@@ -132,11 +136,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1671937829,
-        "narHash": "sha256-YtaNB+mLw0d67JFYNjRWM+/AL3JCXuD/DGlnTlyX1tY=",
+        "lastModified": 1673752321,
+        "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "855b8d51fc3991bd817978f0f093aa6ae0fae738",
+        "rev": "e18eefd2b133a58309475298052c341c08470717",
         "type": "github"
       },
       "original": {
@@ -145,7 +149,7 @@
         "type": "github"
       }
     },
-    "uninsane": {
+    "uninsane-dot-org": {
       "inputs": {
         "flake-utils": "flake-utils",
         "nixpkgs": [

flake.nix

@@ -1,25 +1,48 @@
-# docs:
-# - <https://nixos.wiki/wiki/Flakes>
+# FLAKE FEEDBACK:
+# - if flake inputs are meant to be human-readable, a human should be able to easily track them down given the URL.
+#   - this is not the case with registry URLs, like `nixpkgs/nixos-22.11`.
+#   - this is marginally the case with schemes like `github:nixos/nixpkgs`.
+#   - given the *existing* `git+https://` scheme, i propose expressing github URLs similarly:
+#     - `github+https://github.com/nixos/nixpkgs/tree/nixos-22.11`
+# - need some way to apply local patches to inputs.
+#
+#
+# DEVELOPMENT DOCS:
+# - Flake docs: <https://nixos.wiki/wiki/Flakes>
+# - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
+#   - Discussion: <https://github.com/NixOS/rfcs/pull/49>
 # - <https://serokell.io/blog/practical-nix-flakes>
 
 {
+  # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
+  # preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
+  # but `inputs` is required to be a strict attrset: not an expression.
   inputs = {
-    nixpkgs-stable.url = "nixpkgs/nixos-22.11";
-    nixpkgs.url = "nixpkgs/nixos-unstable";
+    # <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
+    nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
+
+    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs = {
+      url = "./nixpatches";
+      inputs.nixpkgs.follows = "nixpkgs-unpatched";
+    };
     mobile-nixos = {
+      # <https://github.com/nixos/mobile-nixos>
       url = "github:nixos/mobile-nixos";
       flake = false;
     };
     home-manager = {
-      url = "github:nix-community/home-manager/release-22.05";
+      # <https://github.com/nix-community/home-manager/tree/release-22.05>
+      url = "github:nix-community/home-manager?ref=release-22.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     sops-nix = {
+      # <https://github.com/Mic92/sops-nix>
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    impermanence.url = "github:nix-community/impermanence";
-    uninsane = {
+    uninsane-dot-org = {
       url = "git+https://git.uninsane.org/colin/uninsane";
       inputs.nixpkgs.follows = "nixpkgs";
     };
@@ -29,66 +52,56 @@
     self,
     nixpkgs,
     nixpkgs-stable,
+    nixpkgs-unpatched,
     mobile-nixos,
     home-manager,
     sops-nix,
-    impermanence,
-    uninsane
-  }: let
-    patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
-      name = "nixpkgs-patched-uninsane";
-      src = nixpkgs;
-      patches = import ./nixpatches/list.nix {
-        inherit (nixpkgs.legacyPackages.${system}) fetchpatch;
-        inherit (nixpkgs.lib) fakeHash;
-      };
-    };
-    # return something which behaves like `pkgs`, for the provided system
-    # `local` = architecture of builder. `target` = architecture of the system beying deployed to
-    nixpkgsFor = local: target: import (patchedPkgs target) { crossSystem = target; localSystem = local; };
-    # evaluate ONLY our overlay, for the provided system
-    customPackagesFor = local: target: import ./pkgs/overlay.nix (nixpkgsFor local target) (nixpkgsFor local target);
-    decl-host = { name, local, target }:
+    uninsane-dot-org
+  }:
     let
-      nixosSystem = import ((patchedPkgs target) + "/nixos/lib/eval-config.nix");
-    in (nixosSystem {
-      # by default the local system is the same as the target, employing emulation when they differ
-      system = target;
-      specialArgs = { inherit mobile-nixos home-manager impermanence; };
-      modules = [
-        ./modules
-        (import ./hosts/instantiate.nix name)
-        home-manager.nixosModule
-        impermanence.nixosModule
-        sops-nix.nixosModules.sops
-        {
-          nixpkgs.overlays = [
-            (import "${mobile-nixos}/overlay/overlay.nix")
-            uninsane.overlay
-            (import ./pkgs/overlay.nix)
-            (next: prev: rec {
-              # non-emulated packages build *from* local *for* target.
-              # for large packages like the linux kernel which are expensive to build under emulation,
-              # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
-              cross = (nixpkgsFor local target) // (customPackagesFor local target);
-              stable = import nixpkgs-stable { system = target; };
+      nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
 
-              # cross-compatible packages
-              # gocryptfs = cross.gocryptfs;
+      evalHost = { name, local, target }:
+        let
+          # XXX: we'd prefer to use `nixosSystem = (nixpkgsCompiledBy target).nixos`
+          # but it doesn't propagate config to the underlying pkgs, meaning it doesn't let you use
+          # non-free packages even after setting nixpkgs.allowUnfree.
+          # XXX: patch using the target -- not local -- otherwise the target will
+          # need to emulate the host in order to rebuild!
+          nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
+        in
+          (nixosSystem {
+            # we use pkgs built for and *by* the target, i.e. emulation, by default.
+            # cross compilation only happens on explicit access to `pkgs.cross`
+            system = target;
+            modules = [
+              (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
+              self.nixosModules.default
+              self.nixosModules.passthru
+              {
+                nixpkgs.overlays = [
+                  self.overlays.default
+                  self.overlays.passthru
+                  self.overlays.pins
+                ];
+              }
+            ];
+          });
+    in {
+      nixosConfigurations = {
+        servo = evalHost { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        desko = evalHost { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        lappy = evalHost { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        moby = evalHost { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
+        # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
+        # note that these *do* produce different store paths, because the closure for the tools used to cross compile
+        # v.s. emulate differ.
+        # so deploying foo-cross and then foo incurs some rebuilding.
+        moby-cross = evalHost { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
+        rescue = evalHost { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+      };
 
-              # pinned packages:
-              # 2022/12/13: grpc does not build on aarch64-linux. https://github.com/NixOS/nixpkgs/issues/205887
-              grpc = stable.grpc;
-              # depends on grpc, so pinned.
-              duplicity = stable.duplicity;
-            })
-          ];
-        }
-      ];
-    });
-
-    decl-bootable-host = { name, local, target }: rec {
-      nixosConfiguration = decl-host { inherit name local target; };
+      # unofficial output
       # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
       # after building this:
       #   - flash it to a bootable medium (SD card, flash drive, HDD)
@@ -102,40 +115,76 @@
       #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
       #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
       #   - `nixos-rebuild --flake './#<host>' switch`
-      img = nixosConfiguration.config.system.build.img;
-    };
-    hosts.servo = decl-bootable-host { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    hosts.desko = decl-bootable-host { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    hosts.lappy = decl-bootable-host { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    hosts.moby = decl-bootable-host { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
-    # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
-    # note that these *do* produce different store paths, because the closure for the tools used to cross compile
-    # v.s. emulate differ.
-    # so deploying foo-cross and then foo incurs some rebuilding.
-    hosts.moby-cross = decl-bootable-host { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
-    hosts.rescue = decl-bootable-host { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
-  in {
-    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) hosts;
-    imgs = builtins.mapAttrs (name: value: value.img) hosts;
-    packages = let
-      allPkgsFor = sys: (customPackagesFor sys sys) // {
-        nixpkgs = nixpkgsFor sys sys;
-        uninsane = uninsane.packages."${sys}";
+      imgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.img) self.nixosConfigurations;
+
+      overlays = rec {
+        default = pkgs;
+        pkgs = import ./overlays/pkgs.nix;
+        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
+        passthru =
+          let
+            stable = next: prev: {
+              stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+            };
+            mobile = (import "${mobile-nixos}/overlay/overlay.nix");
+            uninsane = uninsane-dot-org.overlay;
+          in
+            next: prev:
+              (stable next prev) // (mobile next prev) // (uninsane next prev);
       };
-    in {
-      x86_64-linux = allPkgsFor "x86_64-linux";
-      aarch64-linux = allPkgsFor "aarch64-linux";
-    };
-    templates = {
-      python-data = {
-        # initialize with:
-        # - `nix flake init -t '/home/colin/dev/nixos/#python-data'`
-        # then enter with:
-        # - `nix develop`
-        path = ./templates/python-data;
-        description = "python environment for data processing";
+
+      nixosModules = rec {
+        default = sane;
+        sane = import ./modules;
+        passthru = { ... }: {
+          imports = [
+            home-manager.nixosModule
+            sops-nix.nixosModules.sops
+          ];
+        };
+      };
+
+      # this includes both our native packages and all the nixpkgs packages.
+      legacyPackages =
+        let
+          allPkgsFor = sys: (nixpkgsCompiledBy sys).appendOverlays [
+            self.overlays.passthru self.overlays.pkgs
+          ];
+        in {
+          x86_64-linux = allPkgsFor "x86_64-linux";
+          aarch64-linux = allPkgsFor "aarch64-linux";
+        };
+
+      # extract only our own packages from the full set
+      packages = builtins.mapAttrs
+        (_: full: full.sane // { inherit (full) sane uninsane-dot-org; })
+        self.legacyPackages;
+
+      apps."x86_64-linux" =
+        let
+          pkgs = self.legacyPackages."x86_64-linux";
+        in {
+          update-feeds = {
+            type = "app";
+            program = "${pkgs.feeds.passthru.updateScript}";
+          };
+
+          init-feed = {
+            type = "app";
+            program = "${pkgs.feeds.passthru.initFeedScript}";
+          };
+        };
+
+      templates = {
+        python-data = {
+          # initialize with:
+          # - `nix flake init -t '/home/colin/dev/nixos/#python-data'`
+          # then enter with:
+          # - `nix develop`
+          path = ./templates/python-data;
+          description = "python environment for data processing";
+        };
       };
     };
-  };
 }
 

hosts/common/bluetooth.nix

@@ -1,18 +1,16 @@
 { lib, pkgs, ... }:
 
 {
-  # TODO: don't need to depend on binsh if we were to use a nix-style shebang
-  system.activationScripts.linkBluetoothKeys = let
-    unwrapped = ../../scripts/install-bluetooth;
-    install-bluetooth = pkgs.writeShellApplication {
-      name = "install-bluetooth";
-      runtimeInputs = with pkgs; [ coreutils gnused ];
-      text = ''${unwrapped} "$@"'';
-    };
-  in (lib.stringAfter
-    [ "setupSecrets" "binsh" ]
-    ''
-    ${install-bluetooth}/bin/install-bluetooth /run/secrets/bt
-    ''
-  );
+  # persist external pairings by default
+  sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
+
+  sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
+  sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
+    wantedBeforeBy = [ "bluetooth.service" ];
+    # XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
+    generated.script.script = builtins.readFile ../../scripts/install-bluetooth + ''
+      touch "/var/lib/bluetooth/.secrets.stamp"
+    '';
+    generated.script.scriptArgs = [ "/run/secrets/bt" ];
+  };
 }

hosts/common/cross.nix

@@ -0,0 +1,22 @@
+{ config, ... }:
+
+let
+  mkCrossFrom = localSystem: pkgs: import pkgs.path {
+    inherit localSystem;
+    crossSystem = pkgs.stdenv.hostPlatform.system;
+    inherit (config.nixpkgs) config overlays;
+  };
+in
+{
+  # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
+  # here we just define them all.
+  nixpkgs.overlays = [
+    (next: prev: {
+      # non-emulated packages build *from* local *for* target.
+      # for large packages like the linux kernel which are expensive to build under emulation,
+      # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
+      crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" next;
+      crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" next;
+    })
+  ];
+}

hosts/common/default.nix

@@ -2,9 +2,12 @@
 {
   imports = [
     ./bluetooth.nix
+    ./cross.nix
+    ./feeds.nix
     ./fs.nix
     ./hardware
     ./i2p.nix
+    ./ids.nix
     ./machine-id.nix
     ./net.nix
     ./secrets.nix
@@ -18,16 +21,18 @@
   sane.packages.enableConsolePkgs = true;
   sane.packages.enableSystemPkgs = true;
 
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     "/var/log"
     "/var/backup"  # for e.g. postgres dumps
     # TODO: move elsewhere
     "/var/lib/alsa"                # preserve output levels, default devices
-    "/var/lib/bluetooth"           # preserve bluetooth handshakes
     "/var/lib/colord"              # preserve color calibrations (?)
     "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
   ];
 
+  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
+  sane.fs."/var/lib/private".dir.acl.mode = "0700";
+
   nixpkgs.config.allowUnfree = true;
 
   # time.timeZone = "America/Los_Angeles";
@@ -37,6 +42,11 @@
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
+  # allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages
+  nix.nixPath = [
+    "nixpkgs=${pkgs.path}"
+    "nixpkgs-overlays=${../..}/overlays"
+  ];
 
   # TODO: move this into home-manager?
   fonts = {

hosts/common/feeds.nix

@@ -1,5 +1,4 @@
-{ lib }:
-
+{ lib, sane-data, ... }:
 let
   hourly = { freq = "hourly"; };
   daily = { freq = "daily"; };
@@ -14,65 +13,84 @@ let
   uncat = { cat = "uncat"; };
 
   text = { format = "text"; };
-  image = { format = "image"; };
-  podcast = { format = "podcast"; };
 
   mkRss = format: url: { inherit url format; } // uncat // infrequent;
   # format-specific helpers
-  mkText = mkRss text;
-  mkImg = mkRss image;
-  mkPod = mkRss podcast;
+  mkText = mkRss "text";
+  mkImg = mkRss "image";
+  mkPod = mkRss "podcast";
 
   # host-specific helpers
-  mkSubstack = subdomain: mkText "https://${subdomain}.substack.com/feed";
+  mkSubstack = subdomain: { substack = subdomain; };
+
+  fromDb = name:
+    let
+      raw = sane-data.feeds."${name}";
+    in {
+      url = raw.url;
+      # not sure the exact mapping with velocity here: entries per day?
+      freq = lib.mkDefault (
+        if raw.velocity or 0 > 2 then
+          "hourly"
+        else if raw.velocity or 0 > 0.5 then
+          "daily"
+        else if raw.velocity or 0 > 0.1 then
+          "weekly"
+        else
+          "infrequent"
+      );
+    } // lib.optionalAttrs (raw.is_podcast or false) {
+      format = "podcast";
+    } // lib.optionalAttrs (raw.title or "" != "") {
+      title = lib.mkDefault raw.title;
+    };
 
-  # merge the attrs `new` into each value of the attrs `addTo`
-  addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
-  # for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
-  withInverseMapping = key: attrs: builtins.mapAttrs (k: v: v // { "${key}" = k; }) attrs;
-in rec {
   podcasts = [
-    (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
+    (fromDb "lexfridman.com/podcast" // rat)
+    # (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
     ## Astral Codex Ten
-    (mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
+    (fromDb "sscpodcast.libsyn.com" // rat)
     ## Econ Talk
-    (mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
-    ## Cory Doctorow
-    (mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
+    (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
+    ## Cory Doctorow -- both podcast & text entries
+    (fromDb "craphound.com" // pol)
     (mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
-    ## Civboot
-    (mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
-    (mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
-    (mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
-    (mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
-    (mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
+    ## Civboot -- https://anchor.fm/civboot
+    (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
+    (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
+    (fromDb "allinchamathjason.libsyn.com" // pol)
+    (fromDb "acquired.libsyn.com" // tech)
+    # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
+    (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
     ## The Daily
     (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
-    (mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
-    (mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
+    # The Intercept - Intercepted; also available: <https://rss.acast.com/intercepted-with-jeremy-scahill>
+    (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)
+    (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
     ## Eric Weinstein
-    (mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
-    (mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
-    (mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
-    (mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
-    ## 99% Invisible
-    (mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
-    (mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
-    (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
-    ## 60 minutes (NB: this features more than *just* audio?)
-    (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
+    (fromDb "rss.art19.com/the-portal" // rat)
+    (fromDb "darknetdiaries.com" // tech)
+    ## Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
+    (fromDb "feeds.feedburner.com/radiolab" // pol)
+    ## Sam Harris
+    (fromDb "wakingup.libsyn.com" // pol)
+    ## 99% Invisible -- also available here: <https://feeds.simplecast.com/BqbsxVfO>
+    (fromDb "feeds.99percentinvisible.org/99percentinvisible" // pol)
+    (fromDb "rss.acast.com/ft-tech-tonic" // tech)
+    (fromDb "feeds.feedburner.com/dancarlin/history" // rat)
+    (fromDb "rss.art19.com/60-minutes" // pol)
     ## The Verge - Decoder
-    (mkPod "https://feeds.megaphone.fm/recodedecode" // tech // weekly)
+    (fromDb "feeds.megaphone.fm/recodedecode" // tech)
     ## Matrix (chat) Live
-    (mkPod "https://feed.podbean.com/matrixlive/feed.xml" // tech // weekly)
-    ## Michael Malice - Your Welcome
-    (mkPod "https://www.podcastone.com/podcast?categoryID2=2232" // pol // weekly)
+    (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
+    ## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
+    (fromDb "rss.art19.com/your-welcome" // pol)
   ];
 
   texts = [
     # AGGREGATORS (> 1 post/day)
-    (mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
-    (mkText "http://www.econlib.org/index.xml" // pol // hourly)
+    (fromDb "lesswrong.com" // rat)
+    (fromDb "econlib.org" // pol)
 
     # AGGREGATORS (< 1 post/day)
     (mkText "https://palladiummag.com/feed" // uncat // weekly)
@@ -85,10 +103,10 @@ in rec {
     (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
 
     # DEVELOPERS
-    (mkText "https://uninsane.org/atom.xml" // infrequent // tech)
-    (mkText "https://mg.lol/blog/rss/" // infrequent // tech)
+    (fromDb "uninsane.org" // tech)
+    (fromDb "mg.lol" // tech)
     ## Ken Shirriff
-    (mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
+    (fromDb "righto.com" // tech)
     ## Vitalik Buterin
     (mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
     ## ian (Sanctuary)
@@ -104,7 +122,7 @@ in rec {
     (mkText "https://pomeroyb.com/feed.xml" // tech // infrequent)
 
     # (TECH; POL) COMMENTATORS
-    (mkSubstack "edwardsnowden" // pol // infrequent)
+    (fromDb "edwardsnowden.substack.com" // pol // text)
     (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
     ## Ben Thompson
     (mkText "https://www.stratechery.com/rss" // pol // weekly)
@@ -149,46 +167,20 @@ in rec {
   images = [
     (mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
     (mkImg "https://xkcd.com/atom.xml" // humor // daily)
-    (mkImg "http://dilbert.com/feed" // humor // daily)
+    (mkImg "https://pbfcomics.com/feed" // humor // infrequent)
+    # (mkImg "http://dilbert.com/feed" // humor // daily)
 
     # ART
     (mkImg "https://miniature-calendar.com/feed" // art // daily)
   ];
+in
+{
+  sane.feeds = texts ++ images ++ podcasts;
 
-  all = texts ++ images ++ podcasts;
-
-  # return only the feed items which match this category (e.g. "tech")
-  filterCat = cat: feeds: builtins.filter (item: item.cat == cat) feeds;
-  # return only the feed items which match this format (e.g. "podcast")
-  filterFormat = format: feeds: builtins.filter (item: item.format == format) feeds;
-
-  # transform a list of feeds into an attrs mapping cat => [ feed0 feed1 ... ]
-  partitionByCat = feeds: builtins.groupBy (f: f.cat) feeds;
-
-  # represents a single RSS feed.
-  opmlTerminal = feed: ''<outline xmlUrl="${feed.url}" type="rss"/>'';
-  # a list of RSS feeds.
-  opmlTerminals = feeds: lib.strings.concatStringsSep "\n" (builtins.map opmlTerminal feeds);
-  # one node which packages some flat grouping of terminals.
-  opmlGroup = title: feeds: ''
-    <outline text="${title}" title="${title}">
-      ${opmlTerminals feeds}
-    </outline>
-  '';
-  # a list of groups (`groupMap` is an attrs mapping groupName => [ feed0 feed1 ... ]).
-  opmlGroups = groupMap: lib.strings.concatStringsSep "\n" (
-    builtins.attrValues (builtins.mapAttrs opmlGroup groupMap)
-  );
-  # top-level OPML file which could be consumed by something else.
-  opmlTopLevel = body: ''
-    <?xml version="1.0" encoding="utf-8"?>
-    <opml version="2.0">
-      <body>
-        ${body}
-      </body>
-    </opml>
-  '';
-
-  # **primary API**: generate a OPML file from the provided feeds
-  feedsToOpml = feeds: opmlTopLevel (opmlGroups (partitionByCat feeds));
+  assertions = builtins.map
+    (p: {
+      assertion = p.format or "unknown" == "podcast";
+      message = ''${p.url} is not a podcast: ${p.format or "unknown"}'';
+    })
+    podcasts;
 }

hosts/common/ids.nix

@@ -0,0 +1,60 @@
+{ ... }:
+
+{
+  # legacy servo users, some are inconvenient to migrate
+  sane.ids.dhcpcd.gid = 991;
+  sane.ids.dhcpcd.uid = 992;
+  sane.ids.gitea.gid = 993;
+  sane.ids.git.uid = 994;
+  sane.ids.jellyfin.gid = 994;
+  sane.ids.pleroma.gid = 995;
+  sane.ids.jellyfin.uid = 996;
+  sane.ids.acme.gid = 996;
+  sane.ids.pleroma.uid = 997;
+  sane.ids.acme.uid = 998;
+
+  # greetd (used by sway)
+  sane.ids.greeter.uid = 999;
+  sane.ids.greeter.gid = 999;
+
+  # new servo users
+  sane.ids.freshrss.uid = 2401;
+  sane.ids.freshrss.gid = 2401;
+  sane.ids.mediawiki.uid = 2402;
+
+  sane.ids.colin.uid = 1000;
+  sane.ids.guest.uid = 1100;
+
+  # found on all hosts
+  sane.ids.sshd.uid = 2001;  # 997
+  sane.ids.sshd.gid = 2001;  # 997
+  sane.ids.polkituser.gid = 2002;  # 998
+  sane.ids.systemd-coredump.gid = 2003;  # 996
+  sane.ids.nscd.uid = 2004;
+  sane.ids.nscd.gid = 2004;
+  sane.ids.systemd-oom.uid = 2005;
+  sane.ids.systemd-oom.gid = 2005;
+
+  # found on graphical hosts
+  sane.ids.nm-iodine.uid = 2101;  # desko/moby/lappy
+
+  # found on desko host
+  # from services.usbmuxd
+  sane.ids.usbmux.uid = 2204;
+  sane.ids.usbmux.gid = 2204;
+
+
+  # originally found on moby host
+  # gnome core-shell
+  sane.ids.avahi.uid = 2304;
+  sane.ids.avahi.gid = 2304;
+  sane.ids.colord.uid = 2305;
+  sane.ids.colord.gid = 2305;
+  sane.ids.geoclue.uid = 2306;
+  sane.ids.geoclue.gid = 2306;
+  # gnome core-os-services
+  sane.ids.rtkit.uid = 2307;
+  sane.ids.rtkit.gid = 2307;
+  # phosh
+  sane.ids.feedbackd.gid = 2308;
+}

hosts/common/net.nix

@@ -31,19 +31,13 @@
     General.RoamThreshold5G = "-52";  # default -76
   };
 
-  # TODO: don't need to depend on binsh if we were to use a nix-style shebang
-  system.activationScripts.linkIwdKeys = let
-    unwrapped = ../../scripts/install-iwd;
-    install-iwd = pkgs.writeShellApplication {
-      name = "install-iwd";
-      runtimeInputs = with pkgs; [ coreutils gnused ];
-      text = ''${unwrapped} "$@"'';
-    };
-  in (lib.stringAfter
-    [ "setupSecrets" "binsh" ]
-    ''
-    mkdir -p /var/lib/iwd
-    ${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
-    ''
-  );
+  sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
+    wantedBeforeBy = [ "iwd.service" ];
+    generated.acl.mode = "0600";
+    # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
+    generated.script.script = builtins.readFile ../../scripts/install-iwd + ''
+      touch "/var/lib/iwd/.secrets.psk.stamp"
+    '';
+    generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
+  };
 }

hosts/common/ssh.nix

@@ -1,10 +1,24 @@
-{ config, lib, ... }:
+{ config, lib, sane-data, sane-lib, ... }:
+
 {
-  environment.etc."ssh/host_keys".source = "/nix/persist/etc/ssh/host_keys";
-
-  services.openssh.hostKeys = [
-    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
-    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
-  ];
+  sane.ssh.pubkeys =
+  let
+    # path is a DNS-style path like [ "org" "uninsane" "root" ]
+    keyNameForPath = path:
+      let
+        rev = lib.reverseList path;
+        name = builtins.head rev;
+        host = lib.concatStringsSep "." (builtins.tail rev);
+      in
+      "${name}@${host}";
 
+    # [{ path :: [String], value :: String }] for the keys we want to install
+    globalKeys = sane-lib.flattenAttrs sane-data.keys;
+    localKeys = sane-lib.flattenAttrs sane-data.keys.org.uninsane.local;
+  in lib.mkMerge (builtins.map
+    ({ path, value }: {
+      "${keyNameForPath path}" = value;
+    })
+    (globalKeys ++ localKeys)
+  );
 }

hosts/common/users.nix

@@ -1,13 +1,10 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, sane-lib, ... }:
 
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 with lib;
 let
   cfg = config.sane.users;
-  # see nixpkgs/nixos/modules/services/networking/dhcpcd.nix
-  hasDHCP = config.networking.dhcpcd.enable &&
-    (config.networking.useDHCP || any (i: i.useDHCP == true) (attrValues config.networking.interfaces));
-
+  fs = sane-lib.fs;
 in
 {
   options = {
@@ -28,8 +25,7 @@ in
       isNormalUser = true;
       home = "/home/colin";
       createHome = true;
-      homeMode = "700";
-      uid = config.sane.allocations.colin-uid;
+      homeMode = "0700";
       # i don't get exactly what this is, but nixos defaults to this non-deterministically
       # in /var/lib/nixos/auto-subuid-map and i don't want that.
       subUidRanges = [
@@ -52,53 +48,66 @@ in
       passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
 
       shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
 
+      # mount encrypted stuff at login
       # some other nix pam users:
       # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
       # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
       # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
-      pamMount = {
-        # mount encrypted stuff at login
-        # requires that login password == fs encryption password
-        fstype = "fuse";
-        path = "gocryptfs#/nix/persist/home/colin/private";
-        # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
-        # fstype = "fuse.gocryptfs";
-        # path = "/nix/persist/home/colin/private";
-        mountpoint = "/home/colin/private";
-        # without allow_other, *root* isn't allowed to list anything in ~/private.
-        # which is weird (root can just `su colin`), but probably doesn't *hurt* anything -- right?
-        options="nodev,nosuid,quiet";  # allow_other
+      pamMount = let
+        priv = config.fileSystems."/home/colin/private";
+      in {
+        fstype = priv.fsType;
+        path = priv.device;
+        mountpoint = priv.mountPoint;
+        options = builtins.concatStringsSep "," priv.options;
       };
     };
 
-    # required for PAM to find gocryptfs
-    security.pam.mount.additionalSearchPaths = [ pkgs.gocryptfs ];
     security.pam.mount.enable = true;
-    # security.pam.mount.debugLevel = 1;
-    # security.pam.enableSSHAgentAuth = true; # ??
-    # needed for `allow_other` in e.g. gocryptfs mounts
-    # or i guess going through mount.fuse sets suid so that's not necessary?
-    # programs.fuse.userAllowOther = true;
 
-    sane.impermanence.home-dirs = [
-      # cache is probably too big to fit on the tmpfs
-      # { directory = ".cache"; encryptedClearOnBoot = true; }
-      { directory = ".cache/mozilla"; encryptedClearOnBoot = true; }
+    # ensure ~ perms are known to sane.fs module.
+    # TODO: this is generic enough to be lifted up into sane.fs itself.
+    sane.fs."/home/colin".dir.acl = {
+      user = "colin";
+      group = config.users.users.colin.group;
+      mode = config.users.users.colin.homeMode;
+    };
+
+    sane.persist.home.plaintext = [
+      "archive"
+      "dev"
+      # TODO: records should be private
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Music"
+      "Pictures"
+      "Videos"
+
+      ".cache/nix"
       ".cargo"
       ".rustup"
-      # TODO: move this to ~/private!
-      ".local/share/keyrings"
     ];
 
-    sane.impermanence.dirs = mkIf cfg.guest.enable [
-      { user = "guest"; group = "users"; directory = "/home/guest"; }
+    # convenience
+    sane.fs."/home/colin/knowledge" = fs.wantedSymlinkTo "/home/colin/private/knowledge";
+    sane.fs."/home/colin/nixos" = fs.wantedSymlinkTo "/home/colin/dev/nixos";
+    sane.fs."/home/colin/Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
+    sane.fs."/home/colin/Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
+    sane.fs."/home/colin/Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
+
+    # used by password managers, e.g. unix `pass`
+    sane.fs."/home/colin/.password-store" = fs.wantedSymlinkTo "/home/colin/knowledge/secrets/accounts";
+
+    sane.persist.sys.plaintext = mkIf cfg.guest.enable [
+      # intentionally allow other users to write to the guest folder
+      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
     ];
     users.users.guest = mkIf cfg.guest.enable {
       isNormalUser = true;
       home = "/home/guest";
-      uid = config.sane.allocations.guest-uid;
       subUidRanges = [
         { startUid=200000; count=1; }
       ];
@@ -110,13 +119,6 @@ in
       ];
     };
 
-    users.users.dhcpcd = mkIf hasDHCP {
-      uid = config.sane.allocations.dhcpcd-uid;
-    };
-    users.groups.dhcpcd = mkIf hasDHCP {
-      gid = config.sane.allocations.dhcpcd-gid;
-    };
-
     security.sudo = {
       enable = true;
       wheelNeedsPassword = false;
@@ -127,31 +129,5 @@ in
       permitRootLogin = "no";
       passwordAuthentication = false;
     };
-
-    # affix some UIDs which were historically auto-generated
-    users.users.sshd.uid = config.sane.allocations.sshd-uid;
-    users.groups.polkituser.gid = config.sane.allocations.polkituser-gid;
-    users.groups.sshd.gid = config.sane.allocations.sshd-gid;
-    users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
-    users.users.nscd.uid = config.sane.allocations.nscd-uid;
-    users.groups.nscd.gid = config.sane.allocations.nscd-gid;
-    users.users.systemd-oom.uid = config.sane.allocations.systemd-oom-uid;
-    users.groups.systemd-oom.gid = config.sane.allocations.systemd-oom-gid;
-
-    # guarantee determinism in uid/gid generation for users:
-    assertions = let
-      uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
-        assertion = user.uid != null;
-        message = "non-deterministic uid detected for: ${name}";
-      }) config.users.users);
-      gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
-        assertion = group.gid != null;
-        message = "non-deterministic gid detected for: ${name}";
-      }) config.users.groups);
-      autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
-        assertion = !user.autoSubUidGidRange;
-        message = "non-deterministic subUids/Guids detected for: ${name}";
-      }) config.users.users);
-    in uidAssertions ++ gidAssertions ++ autoSubAssertions;
   };
 }

hosts/desko/default.nix

@@ -10,15 +10,13 @@
   sane.services.duplicity.enable = true;
   sane.services.nixserve.enable = true;
   sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
-  sane.impermanence.enable = true;
+  sane.persist.enable = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
-  users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
-  users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
 
   sops.secrets.colin-passwd = {
     sopsFile = ../../secrets/desko.yaml;
@@ -52,7 +50,7 @@
     remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
     dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
   };
-  sane.impermanence.home-dirs = [
+  sane.persist.home.plaintext = [
     ".steam"
     ".local/share/Steam"
   ];

hosts/desko/fs.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.impermanence.root-on-tmpfs = true;
+  sane.persist.root-on-tmpfs = true;
   # we need a /tmp for building large nix things.
   # a cross-compiled kernel, particularly, will easily use 30+GB of tmp
   fileSystems."/tmp" = {

hosts/instantiate.nix

@@ -1,10 +1,23 @@
 # trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
 
-hostName: { ... }: {
+{ hostName, localSystem }:
+{ ... }:
+
+{
   imports = [
     ./${hostName}
     ./common
   ];
 
   networking.hostName = hostName;
+
+  nixpkgs.overlays = [
+    (next: prev: {
+      # for local != target we by default just emulate the target while building.
+      # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
+      # to explicitly opt into non-emulated cross compilation for any specific package.
+      # this is most beneficial for large packages with few pre-requisites -- like Linux.
+      cross = next.crossFrom."${localSystem}";
+    })
+  ];
 }

hosts/lappy/default.nix

@@ -8,7 +8,7 @@
 
   # sane.users.guest.enable = true;
   sane.gui.sway.enable = true;
-  sane.impermanence.enable = true;
+  sane.persist.enable = true;
   sane.nixcache.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

hosts/lappy/fs.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.impermanence.root-on-tmpfs = true;
+  sane.persist.root-on-tmpfs = true;
   # we need a /tmp of default size (half RAM) for building large nix things
   fileSystems."/tmp" = {
     device = "none";

hosts/moby/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mobile-nixos, ... }:
+{ config, pkgs, lib, ... }:
 {
   imports = [
     ./firmware.nix
@@ -24,8 +24,9 @@
   };
 
   # usability compromises
-  sane.impermanence.home-dirs = [
-    config.sane.web-browser.dotDir
+  sane.web-browser.persistCache = "private";
+  sane.web-browser.persistData = "private";
+  sane.persist.home.plaintext = [
     ".config/pulse"  # persist pulseaudio volume
   ];
 
@@ -35,7 +36,7 @@
   ];
 
   sane.nixcache.enable = true;
-  sane.impermanence.enable = true;
+  sane.persist.enable = true;
   sane.gui.phosh.enable = true;
 
   boot.loader.efi.canTouchEfiVariables = false;

hosts/moby/fs.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.impermanence.root-on-tmpfs = true;
+  sane.persist.root-on-tmpfs = true;
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/1f1271f8-53ce-4081-8a29-60a4a6b5d6f9";
     fsType = "btrfs";

hosts/moby/kernel.nix

@@ -125,6 +125,9 @@ in
         # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
         # make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
         FB_SUN5I_EINK = no;
+        # used by the pinephone pro, but fails to compile with:
+        # ../drivers/media/i2c/ov8858.c:1834:27: error: implicit declaration of function 'compat_ptr'
+        VIDEO_OV8858 = no;
       })
     ))
   ];

hosts/rescue/default.nix

@@ -8,9 +8,6 @@
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
-  users.users.dhcpcd.uid = config.sane.allocations.dhcpcd-uid;
-  users.groups.dhcpcd.gid = config.sane.allocations.dhcpcd-gid;
-
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";
 }

hosts/servo/default.nix

@@ -13,7 +13,7 @@
     pkgs.matrix-synapse
     pkgs.freshrss
   ];
-  sane.impermanence.enable = true;
+  sane.persist.enable = true;
   sane.services.dyn-dns.enable = true;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 

hosts/servo/fs.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.impermanence.root-on-tmpfs = true;
+  sane.persist.root-on-tmpfs = true;
   # we need a /tmp for building large nix things
   fileSystems."/tmp" = {
     device = "none";
@@ -27,7 +27,7 @@
   };
 
   # slow, external storage (for archiving, etc)
-  fileSystems."/nix/persist/ext" = {
+  fileSystems."/mnt/persist/ext" = {
     device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
     fsType = "btrfs";
     options = [
@@ -36,27 +36,31 @@
     ];
   };
 
-  sane.impermanence.dirs = [
+  sane.persist.stores."ext" = {
+    origin = "/mnt/persist/ext/persist";
+    storeDescription = "external HDD storage";
+  };
+  sane.fs."/mnt/persist/ext".mount = {};
+
+  sane.persist.sys.plaintext = [
     # TODO: this is overly broad; only need media and share directories to be persisted
     { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
   ];
-  # direct these media directories to external storage
-  environment.persistence."/nix/persist/ext/persist" = {
-    directories = [
-      ({
-        user = "colin";
-        group = "users";
-        mode = "0777";
-        directory = "/var/lib/uninsane/media/Videos";
-      })
-      ({
-        user = "colin";
-        group = "users";
-        mode = "0777";
-        directory = "/var/lib/uninsane/media/freeleech";
-      })
-    ];
-  };
+  # make sure large media is stored to the HDD
+  sane.persist.sys.ext = [
+    {
+      user = "colin";
+      group = "users";
+      mode = "0777";
+      directory = "/var/lib/uninsane/media/Videos";
+    }
+    {
+      user = "colin";
+      group = "users";
+      mode = "0777";
+      directory = "/var/lib/uninsane/media/freeleech";
+    }
+  ];
 
   # in-memory compressed RAM (seems to be dynamically sized)
   # zramSwap = {

hosts/servo/services/ejabberd.nix

@@ -19,7 +19,7 @@
 # XXX: avatar support works in MUCs but not DMs
 # lib.mkIf false
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
   ];
   networking.firewall.allowedTCPPorts = [
@@ -46,6 +46,8 @@
   }];
 
   # provide access to certs
+  # TODO: this should just be `acme`. then we also add nginx to the `acme` group.
+  #   why is /var/lib/acme/* owned by `nginx` group??
   users.users.ejabberd.extraGroups = [ "nginx" ];
 
   security.acme.certs."uninsane.org".extraDomainNames = [
@@ -75,33 +77,33 @@
 
   sane.services.trust-dns.zones."uninsane.org".inet = {
     # XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
-    A."xmpp" =                [ "%NATIVE%" ];
-    CNAME."muc.xmpp" =        [ "xmpp" ];
-    CNAME."pubsub.xmpp" =     [ "xmpp" ];
-    CNAME."upload.xmpp" =     [ "xmpp" ];
-    CNAME."vjid.xmpp" =       [ "xmpp" ];
+    A."xmpp" =                "%NATIVE%";
+    CNAME."muc.xmpp" =        "xmpp";
+    CNAME."pubsub.xmpp" =     "xmpp";
+    CNAME."upload.xmpp" =     "xmpp";
+    CNAME."vjid.xmpp" =       "xmpp";
 
     # _Service._Proto.Name    TTL Class SRV    Priority Weight Port Target
     # - <https://xmpp.org/extensions/xep-0368.html>
     # something's requesting the SRV records for muc.xmpp, so let's include it
     # nothing seems to request XMPP SRVs for the other records (except @)
     # lower numerical priority field tells clients to prefer this method
-    SRV."_xmpps-client._tcp.muc.xmpp" =       [ "3 50 5223 xmpp" ];
-    SRV."_xmpps-server._tcp.muc.xmpp" =       [ "3 50 5270 xmpp" ];
-    SRV."_xmpp-client._tcp.muc.xmpp" =        [ "5 50 5222 xmpp" ];
-    SRV."_xmpp-server._tcp.muc.xmpp" =        [ "5 50 5269 xmpp" ];
+    SRV."_xmpps-client._tcp.muc.xmpp" =       "3 50 5223 xmpp";
+    SRV."_xmpps-server._tcp.muc.xmpp" =       "3 50 5270 xmpp";
+    SRV."_xmpp-client._tcp.muc.xmpp" =        "5 50 5222 xmpp";
+    SRV."_xmpp-server._tcp.muc.xmpp" =        "5 50 5269 xmpp";
 
-    SRV."_xmpps-client._tcp" =                [ "3 50 5223 xmpp" ];
-    SRV."_xmpps-server._tcp" =                [ "3 50 5270 xmpp" ];
-    SRV."_xmpp-client._tcp" =                 [ "5 50 5222 xmpp" ];
-    SRV."_xmpp-server._tcp" =                 [ "5 50 5269 xmpp" ];
+    SRV."_xmpps-client._tcp" =                "3 50 5223 xmpp";
+    SRV."_xmpps-server._tcp" =                "3 50 5270 xmpp";
+    SRV."_xmpp-client._tcp" =                 "5 50 5222 xmpp";
+    SRV."_xmpp-server._tcp" =                 "5 50 5269 xmpp";
 
-    SRV."_stun._udp" =                        [ "5 50 3478 xmpp" ];
-    SRV."_stun._tcp" =                        [ "5 50 3478 xmpp" ];
-    SRV."_stuns._tcp" =                       [ "5 50 5349 xmpp" ];
-    SRV."_turn._udp" =                        [ "5 50 3478 xmpp" ];
-    SRV."_turn._tcp" =                        [ "5 50 3478 xmpp" ];
-    SRV."_turns._tcp" =                       [ "5 50 5349 xmpp" ];
+    SRV."_stun._udp" =                        "5 50 3478 xmpp";
+    SRV."_stun._tcp" =                        "5 50 3478 xmpp";
+    SRV."_stuns._tcp" =                       "5 50 5349 xmpp";
+    SRV."_turn._udp" =                        "5 50 3478 xmpp";
+    SRV."_turn._tcp" =                        "5 50 3478 xmpp";
+    SRV."_turns._tcp" =                       "5 50 5349 xmpp";
   };
 
   # TODO: allocate UIDs/GIDs ?

hosts/servo/services/freshrss.nix

@@ -9,19 +9,17 @@
 # $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/export-opml-for-user.php --user admin
 # ```
 
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sane-lib, ... }:
 {
   sops.secrets.freshrss_passwd = {
     sopsFile = ../../../secrets/servo.yaml;
     owner = config.users.users.freshrss.name;
-    mode = "400";
+    mode = "0400";
   };
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
   ];
 
-  users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
-  users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
   services.freshrss.enable = true;
   services.freshrss.baseUrl = "https://rss.uninsane.org";
   services.freshrss.virtualHost = "rss.uninsane.org";
@@ -29,9 +27,11 @@
 
   systemd.services.freshrss-import-feeds =
   let
+    feeds = sane-lib.feeds;
     fresh = config.systemd.services.freshrss-config;
-    feeds = import ../../../modules/home-manager/feeds.nix { inherit lib; };
-    opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
+    all-feeds = config.sane.feeds;
+    wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
+    opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml wanted-feeds);
   in {
     inherit (fresh) wantedBy environment;
     serviceConfig = {
@@ -57,5 +57,5 @@
     # the routing is handled by services.freshrss.virtualHost
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = "native";
 }

hosts/servo/services/gitea.nix

@@ -1,11 +1,10 @@
 { config, pkgs, lib, ... }:
 
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
   ];
-  users.groups.gitea.gid = config.sane.allocations.gitea-gid;
   services.gitea.enable = true;
   services.gitea.user = "git";  # default is 'gitea'
   services.gitea.database.type = "postgres";
@@ -85,5 +84,5 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = "native";
 }

hosts/servo/services/goaccess.nix

@@ -64,5 +64,5 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = "native";
 }

hosts/servo/services/ipfs.nix

@@ -10,7 +10,7 @@
 
 lib.mkIf false # i don't actively use ipfs anymore
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
   ];
@@ -34,7 +34,7 @@ lib.mkIf false # i don't actively use ipfs anymore
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = "native";
 
   # services.ipfs.enable = true;
   services.kubo.localDiscovery = true;

hosts/servo/services/jackett.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
     { user = "root"; group = "root"; directory = "/var/lib/jackett"; }
   ];
@@ -27,6 +27,6 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
 }
 

hosts/servo/services/jellyfin.nix

@@ -7,7 +7,7 @@ lib.mkIf false
   networking.firewall.allowedUDPPorts = [
     1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
   ];
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
   ];
@@ -61,9 +61,7 @@ lib.mkIf false
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
 
-  # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
-  # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
   services.jellyfin.enable = true;
 }

hosts/servo/services/kiwix-serve.nix

@@ -13,5 +13,5 @@
     locations."/".proxyPass = "http://127.0.0.1:8013";
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = "native";
 }

hosts/servo/services/matrix/default.nix

@@ -8,7 +8,7 @@
     # ./irc.nix
   ];
 
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
   ];
   services.matrix-synapse.enable = true;
@@ -122,8 +122,8 @@
   };
 
   sane.services.trust-dns.zones."uninsane.org".inet = {
-    CNAME."matrix" = [ "native" ];
-    CNAME."web.matrix" = [ "native" ];
+    CNAME."matrix" = "native";
+    CNAME."web.matrix" = "native";
   };
 
 

hosts/servo/services/matrix/discord-puppet.nix

@@ -1,6 +1,6 @@
 { lib, ... }:
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
   ];
 

hosts/servo/services/matrix/irc.nix

@@ -1,7 +1,7 @@
 { config, lib, ... }:
 
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode?
     # user and group are both "matrix-appservice-irc"
     { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }

hosts/servo/services/navidrome.nix

@@ -1,8 +1,11 @@
 { ... }:
 
 {
-  sane.impermanence.dirs = [
-    { user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
+  sane.persist.sys.plaintext = [
+    # TODO: we don't have a static user allocated for navidrome!
+    # the chown would happen too early for us to set static perms
+    "/var/lib/private/navidrome"
+    # { user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
   ];
   services.navidrome.enable = true;
   services.navidrome.settings = {
@@ -22,5 +25,5 @@
     locations."/".proxyPass = "http://127.0.0.1:4533";
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = "native";
 }

hosts/servo/services/nginx.nix

@@ -1,9 +1,9 @@
 # docs: https://nixos.wiki/wiki/Nginx
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   # make the logs for this host "public" so that they show up in e.g. metrics
-  publog = vhost: vhost // {
+  publog = vhost: lib.attrsets.unionOfDisjoint vhost {
     extraConfig = (vhost.extraConfig or "") + ''
       access_log /var/log/nginx/public.log vcombined;
     '';
@@ -120,9 +120,7 @@ in
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "admin.acme@uninsane.org";
 
-  users.users.acme.uid = config.sane.allocations.acme-uid;
-  users.groups.acme.gid = config.sane.allocations.acme-gid;
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode?
     { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
     { user = "colin"; group = "users"; directory = "/var/www/sites"; }

hosts/servo/services/nixserve.nix

@@ -14,7 +14,7 @@
     '';
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
 
   sane.services.nixserve.enable = true;
   sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;

hosts/servo/services/pleroma.nix

@@ -6,12 +6,10 @@
 { config, pkgs, ... }:
 
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
   ];
-  users.users.pleroma.uid = config.sane.allocations.pleroma-uid;
-  users.groups.pleroma.gid = config.sane.allocations.pleroma-gid;
   services.pleroma.enable = true;
   services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
   services.pleroma.configs = [
@@ -179,7 +177,7 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = [ "native" ];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
 
   sops.secrets.pleroma_secrets = {
     sopsFile = ../../../secrets/servo.yaml;

hosts/servo/services/postfix.nix

@@ -16,7 +16,7 @@ let
   };
 in
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
     { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
@@ -45,22 +45,22 @@ in
 
 
   sane.services.trust-dns.zones."uninsane.org".inet = {
-    MX."@" = [ "10 mx.uninsane.org." ];
+    MX."@" = "10 mx.uninsane.org.";
     # XXX: RFC's specify that the MX record CANNOT BE A CNAME
-    A."mx" = [ "185.157.162.178" ];
-    CNAME."imap" = [ "native" ];
+    A."mx" = "185.157.162.178";
+    CNAME."imap" = "native";
 
     # Sender Policy Framework:
     #   +mx     => mail passes if it originated from the MX
     #   +a      => mail passes if it originated from the A address of this domain
     #   +ip4:.. => mail passes if it originated from this IP
     #   -all    => mail fails if none of these conditions were met
-    TXT."@" = [ "v=spf1 a mx -all" ];
+    TXT."@" = "v=spf1 a mx -all";
 
     # DKIM public key:
-    TXT."mx._domainkey" = [
+    TXT."mx._domainkey" =
       "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
-    ];
+    ;
 
     # DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:
     #   p=none|quarantine|reject: what to do with failures
@@ -75,9 +75,9 @@ in
     #   pct = sampling ratio for punishing failures (default 100 for 100%)
     #   rf = report format
     #   ri = report interval
-    TXT."_dmarc" = [
+    TXT."_dmarc" =
       "v=DMARC1;p=quarantine;sp=reject;rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org;fo=1:d:s"
-    ];
+    ;
   };
 
   services.postfix.enable = true;

hosts/servo/services/postgres.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode?
     { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
   ];

hosts/servo/services/prosody.nix

@@ -9,7 +9,7 @@
 # nixnet runs ejabberd, so revisiting that.
 lib.mkIf false
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
   ];
   networking.firewall.allowedTCPPorts = [

hosts/servo/services/transmission.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 
 {
-  sane.impermanence.dirs = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? we need this specifically for the stats tracking in .config/
     { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
   ];
@@ -75,6 +75,6 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = ["native"];
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = "native";
 }
 

hosts/servo/services/trust-dns.nix

@@ -21,25 +21,25 @@
   # Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
   # Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
   sane.services.trust-dns.zones."uninsane.org".inet = {
-    SOA."@" = [''
+    SOA."@" = ''
       ns1.uninsane.org. admin-dns.uninsane.org. (
                                       2022122101 ; Serial
                                       4h         ; Refresh
                                       30m        ; Retry
                                       7d         ; Expire
                                       5m)        ; Negative response TTL
-    ''];
-    TXT."rev" = [ "2022122101" ];
+    '';
+    TXT."rev" = "2022122101";
 
     # XXX NS records must also not be CNAME
     # it's best that we keep this identical, or a superset of, what org. lists as our NS.
     # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
-    A."ns1" = [ "%NATIVE%" ];
-    A."ns2" = [ "185.157.162.178" ];
-    A."ns3" = [ "185.157.162.178" ];
-    A."ovpns" = [ "185.157.162.178" ];
-    A."native" = [ "%NATIVE%" ];
-    A."@" = [ "%NATIVE%" ];
+    A."ns1" =    "%NATIVE%";
+    A."ns2" =    "185.157.162.178";
+    A."ns3" =    "185.157.162.178";
+    A."ovpns" =  "185.157.162.178";
+    A."native" = "%NATIVE%";
+    A."@" =      "%NATIVE%";
     NS."@" = [
       "ns1.uninsane.org."
       "ns2.uninsane.org."

hosts/servo/services/wikipedia.nix

@@ -11,8 +11,6 @@ lib.mkIf false
     sopsFile = ../../../secrets/servo.yaml;
   };
 
-  users.users.mediawiki.uid = config.sane.allocations.mediawiki-uid;
-
   services.mediawiki.enable = true;
   services.mediawiki.name = "Uninsane Wiki";
   services.mediawiki.passwordFile = config.sops.secrets.mediawiki_pw.path;

hosts/servo/users.nix

@@ -12,7 +12,6 @@
     home = "/var/lib/gitea";
     useDefaultShell = true;
     group = "gitea";
-    uid = config.sane.allocations.git-uid;
     isSystemUser = true;
     # sendmail access (not 100% sure if this is necessary)
     extraGroups = [ "postdrop" ];

modules/allocations.nix

@@ -1,63 +0,0 @@
-{ lib, ... }:
-
-with lib;
-let
-  mkId = id: mkOption {
-    default = id;
-    type = types.int;
-  };
-in
-{
-  options = {
-    # legacy servo users, some are inconvenient to migrate
-    sane.allocations.dhcpcd-gid = mkId 991;
-    sane.allocations.dhcpcd-uid = mkId 992;
-    sane.allocations.gitea-gid = mkId 993;
-    sane.allocations.git-uid = mkId 994;
-    sane.allocations.jellyfin-gid = mkId 994;
-    sane.allocations.pleroma-gid = mkId 995;
-    sane.allocations.jellyfin-uid = mkId 996;
-    sane.allocations.acme-gid = mkId 996;
-    sane.allocations.pleroma-uid = mkId 997;
-    sane.allocations.acme-uid = mkId 998;
-    sane.allocations.greeter-uid = mkId 999;
-    sane.allocations.greeter-gid = mkId 999;
-
-    # new servo users
-    sane.allocations.freshrss-uid = mkId 2401;
-    sane.allocations.freshrss-gid = mkId 2401;
-    sane.allocations.mediawiki-uid = mkId 2402;
-
-    sane.allocations.colin-uid = mkId 1000;
-    sane.allocations.guest-uid = mkId 1100;
-
-    # found on all hosts
-    sane.allocations.sshd-uid = mkId 2001;  # 997
-    sane.allocations.sshd-gid = mkId 2001;  # 997
-    sane.allocations.polkituser-gid = mkId 2002;  # 998
-    sane.allocations.systemd-coredump-gid = mkId 2003;  # 996
-    sane.allocations.nscd-uid = mkId 2004;
-    sane.allocations.nscd-gid = mkId 2004;
-    sane.allocations.systemd-oom-uid = mkId 2005;
-    sane.allocations.systemd-oom-gid = mkId 2005;
-
-    # found on graphical hosts
-    sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
-
-    # found on desko host
-    sane.allocations.usbmux-uid = mkId 2204;
-    sane.allocations.usbmux-gid = mkId 2204;
-
-
-    # originally found on moby host
-    sane.allocations.avahi-uid = mkId 2304;
-    sane.allocations.avahi-gid = mkId 2304;
-    sane.allocations.colord-uid = mkId 2305;
-    sane.allocations.colord-gid = mkId 2305;
-    sane.allocations.geoclue-uid = mkId 2306;
-    sane.allocations.geoclue-gid = mkId 2306;
-    sane.allocations.rtkit-uid = mkId 2307;
-    sane.allocations.rtkit-gid = mkId 2307;
-    sane.allocations.feedbackd-gid = mkId 2308;
-  };
-}

modules/data/default.nix

@@ -0,0 +1,12 @@
+# this directory contains data of a factual nature.
+# for example, public ssh keys, GPG keys, DNS-type name mappings.
+#
+# don't put things like fully-specific ~/.config files in here,
+# even if they're "relatively unopinionated".
+
+moduleArgs:
+
+{
+  feeds = import ./feeds moduleArgs;
+  keys = import ./keys.nix;
+}

modules/data/feeds/default.nix

@@ -0,0 +1,51 @@
+{ lib, ... }:
+
+let
+  inherit (builtins) concatLists concatStringsSep foldl' fromJSON map readDir readFile;
+  inherit (lib) hasSuffix listToAttrs mapAttrsToList removeSuffix splitString;
+
+  # given a path to a .json file relative to sources, construct the best feed object we can.
+  # the .json file could be empty, in which case we make assumptions about the feed based
+  # on its fs path.
+  # Type: feedFromSourcePath :: String -> { name = String; value = feed; }
+  feedFromSourcePath = json-path:
+    assert hasSuffix "/default.json" json-path;
+    let
+      canonical-name = removeSuffix "/default.json" json-path;
+      default-url = "https://${canonical-name}";
+      feed-details = { url = default-url; } // (tryImportJson (./sources/${json-path}));
+    in { name = canonical-name; value = mkFeed feed-details; };
+
+  # TODO: for now, feeds are just ordinary Attrs.
+  # in the future, we'd like to set them up with an update script.
+  mkFeed = { url, ... }@details: details;
+
+  # return an AttrSet representing the json at the provided path,
+  # or {} if the path is empty.
+  tryImportJson = path:
+    let
+      as-str = readFile path;
+    in
+      if as-str == "" then
+        {}
+      else
+        fromJSON as-str;
+
+  sources = enumerateFilePaths ./sources;
+
+  # like `lib.listFilesRecursive` but does not mangle paths.
+  # Type: enumerateFilePaths :: path -> [String]
+  enumerateFilePaths = base:
+    concatLists (
+      mapAttrsToList
+        (name: type:
+          if type == "directory" then
+            # enumerate this directory and then prefix each result with the directory's name
+            map (e: "${name}/${e}") (enumerateFilePaths (base + "/${name}"))
+          else
+            [ name ]
+        )
+        (readDir base)
+    );
+in
+  listToAttrs (map feedFromSourcePath sources)

modules/data/feeds/sources/acquired.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1369733,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Every company has a story. Learn the playbooks that built the world’s greatest companies — and how you can apply them as a founder, operator, or investor.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 173,
+  "last_seen": "2023-01-11T15:26:37.515527+00:00",
+  "last_updated": "2022-12-19T07:22:28+00:00",
+  "score": 18,
+  "self_url": "https://acquired.libsyn.com/rss",
+  "site_name": null,
+  "site_url": null,
+  "title": "Acquired",
+  "url": "https://acquired.libsyn.com/rss",
+  "velocity": 0.066,
+  "version": "rss20"
+}

modules/data/feeds/sources/allinchamathjason.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1030773,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Industry veterans, degenerate gamblers & besties Chamath Palihapitiya, Jason Calacanis, David Sacks & David Friedberg cover all things economic, tech, political, social & poker.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 124,
+  "last_seen": "2023-01-11T12:44:53.606606+00:00",
+  "last_updated": "2023-01-06T10:51:00+00:00",
+  "score": 18,
+  "self_url": "https://allinchamathjason.libsyn.com/rss",
+  "site_name": "All-In with Chamath, Jason, Sacks & Friedberg",
+  "site_url": "https://allinchamathjason.libsyn.com",
+  "title": "All-In with Chamath, Jason, Sacks & Friedberg",
+  "url": "https://allinchamathjason.libsyn.com/rss",
+  "velocity": 0.12,
+  "version": "rss20"
+}

modules/data/feeds/sources/anchor.fm/s/34c7232c/podcast/rss/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 13316,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "A podcast around the idea of creating a Civilizational Bootstrapper, a set of tools and technology that can be used to replicate the foundations of civilization along with itself.",
+  "favicon": null,
+  "hubs": [
+    "https://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 6,
+  "last_seen": "2023-01-11T16:11:01.720399+00:00",
+  "last_updated": "2022-04-13T19:37:17+00:00",
+  "score": 22,
+  "self_url": "https://anchor.fm/s/34c7232c/podcast/rss",
+  "site_name": "Anchor",
+  "site_url": "https://anchor.fm",
+  "title": "Civboot",
+  "url": "https://anchor.fm/s/34c7232c/podcast/rss",
+  "velocity": 0.009,
+  "version": "rss20"
+}

modules/data/feeds/sources/benjaminrosshoffman.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 12669,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "The territory is a map of the map.",
+  "favicon": "http://benjaminrosshoffman.com/favicon.ico",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 10,
+  "last_seen": "2023-01-11T12:32:52.176940+00:00",
+  "last_updated": "2023-01-09T04:33:31+00:00",
+  "score": -15,
+  "self_url": "http://benjaminrosshoffman.com/comments/feed/",
+  "site_name": "Compass Rose",
+  "site_url": "http://benjaminrosshoffman.com",
+  "title": "Comments for Compass Rose",
+  "url": "http://benjaminrosshoffman.com/comments/feed/",
+  "velocity": 0.312,
+  "version": "rss20"
+}

modules/data/feeds/sources/craphound.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 56666,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Cory Doctorow's Literary Works",
+  "favicon": "https://craphound.com/favicon.ico",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 20,
+  "last_seen": "2023-01-11T12:55:10.545856+00:00",
+  "last_updated": "2022-12-12T14:46:35+00:00",
+  "score": 12,
+  "self_url": "https://craphound.com/feed/",
+  "site_name": "Cory Doctorow's craphound.com | Cory Doctorow's Literary Works",
+  "site_url": "https://craphound.com",
+  "title": "Cory Doctorow's craphound.com",
+  "url": "https://craphound.com/feed/",
+  "velocity": 0.069,
+  "version": "rss20"
+}

modules/data/feeds/sources/darknetdiaries.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 227480,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "True stories from the dark side of the Internet",
+  "favicon": "https://darknetdiaries.com/imgs/favicon.png",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 131,
+  "last_seen": "2023-01-11T14:49:53.136566+00:00",
+  "last_updated": "2022-12-27T08:00:00+00:00",
+  "score": 20,
+  "self_url": "https://darknetdiaries.com/feedfree.xml",
+  "site_name": "Darknet Diaries – True stories from the dark side of the Internet.",
+  "site_url": "https://darknetdiaries.com",
+  "title": "Darknet Diaries (ad free)",
+  "url": "https://darknetdiaries.com/feedfree.xml",
+  "velocity": 0.067,
+  "version": "rss20"
+}

modules/data/feeds/sources/econlib.org/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 66775,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "The Library of Economics and Liberty",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 10,
+  "last_seen": "2023-01-11T10:46:38.526754+00:00",
+  "last_updated": "2023-01-10T05:21:31+00:00",
+  "score": 14,
+  "self_url": "https://www.econlib.org/feed/",
+  "site_name": "Econlib",
+  "site_url": "https://www.econlib.org",
+  "title": "Econlib",
+  "url": "https://www.econlib.org/feed/",
+  "velocity": 2.549,
+  "version": "rss20"
+}

modules/data/feeds/sources/econtalk.org/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 27185,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "The Library of Economics and Liberty",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 10,
+  "last_seen": "2023-01-11T13:05:47.318206+00:00",
+  "last_updated": "2023-01-09T11:30:25+00:00",
+  "score": 14,
+  "self_url": "https://www.econtalk.org/feed/",
+  "site_name": null,
+  "site_url": null,
+  "title": "EconTalk Podcast – Econlib",
+  "url": "https://www.econtalk.org/feed",
+  "velocity": 0.143,
+  "version": "rss20"
+}

modules/data/feeds/sources/edwardsnowden.substack.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 429348,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "The world's most famous whistleblower writes from exile on the intersection of technology, humanity, and power.",
+  "favicon": "https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/2a7d3aa2-3c2f-4196-ab7c-31541be1272e/favicon.ico",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 16,
+  "last_seen": "2023-01-11T12:32:02.320483+00:00",
+  "last_updated": "2022-09-20T13:03:59+00:00",
+  "score": 14,
+  "self_url": "https://edwardsnowden.substack.com/feed",
+  "site_name": "Continuing Ed  — with Edward Snowden",
+  "site_url": "https://edwardsnowden.substack.com",
+  "title": "Continuing Ed  — with Edward Snowden",
+  "url": "https://edwardsnowden.substack.com/feed",
+  "velocity": 0.032,
+  "version": "rss20"
+}

modules/data/feeds/sources/feed.podbean.com/matrixlive/feed.xml/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 281377,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Matrix Live, now as an audio podcast",
+  "favicon": "https://feed.podbean.com/favicon.ico",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 100,
+  "last_seen": "2023-01-11T15:54:24.440541+00:00",
+  "last_updated": "2023-01-06T16:45:00+00:00",
+  "score": 18,
+  "self_url": "https://feed.podbean.com/matrixlive/feed.xml",
+  "site_name": null,
+  "site_url": "https://feed.podbean.com",
+  "title": "Matrix Live",
+  "url": "https://feed.podbean.com/matrixlive/feed.xml",
+  "velocity": 0.12,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.99percentinvisible.org/99percentinvisible/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 1600578,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Design is everywhere in our lives, perhaps most importantly in the places where we've just stopped noticing. 99% Invisible is a weekly exploration of the process and power of design and architecture. From award winning producer Roman Mars. Learn more at 99percentinvisible.org.",
+  "favicon": null,
+  "hubs": [
+    "https://simplecast.superfeedr.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 577,
+  "last_seen": "2023-01-11T15:25:01.536556+00:00",
+  "last_updated": "2023-01-10T23:46:05+00:00",
+  "score": 4,
+  "self_url": "https://feeds.simplecast.com/BqbsxVfO",
+  "site_name": null,
+  "site_url": null,
+  "title": "99% Invisible",
+  "url": "https://feeds.simplecast.com/BqbsxVfO",
+  "velocity": 0.128,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.feedburner.com/80000HoursPodcast/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 1505641,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "<p>Unusually in-depth conversations about the world's most pressing problems and what you can do to solve them.<br /></p>",
+  "favicon": null,
+  "hubs": [
+    "https://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 181,
+  "last_seen": "2023-01-11T13:29:43.501516+00:00",
+  "last_updated": "2023-01-09T22:57:00+00:00",
+  "score": 14,
+  "self_url": "https://feeds.backtracks.fm/feeds/80000hours/80000-hours-podcast-with-rob-wiblin/feed.xml",
+  "site_name": null,
+  "site_url": null,
+  "title": "80,000 Hours Podcast with Rob Wiblin",
+  "url": "https://feeds.feedburner.com/80000HoursPodcast",
+  "velocity": 0.087,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.feedburner.com/dancarlin/history/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 23712,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "This isn't academic history (and Carlin isn't a historian) but the podcast's unique blend of high drama, masterful narration and Twilight Zone-style twists has entertained millions of listeners.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 13,
+  "last_seen": "2023-01-11T15:05:34.359948+00:00",
+  "last_updated": "2022-03-06T19:08:44+00:00",
+  "score": 2,
+  "self_url": "https://feeds.feedburner.com/dancarlin/history?format=xml",
+  "site_name": null,
+  "site_url": null,
+  "title": "Dan Carlin's Hardcore History",
+  "url": "https://feeds.feedburner.com/dancarlin/history",
+  "velocity": 0.005,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.feedburner.com/doctorow_podcast/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 62633,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Articles, speeches, stories and novels by an award-winning science fiction writer, read aloud in small regular chunks",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 20,
+  "last_seen": "2023-01-11T12:57:50.103797+00:00",
+  "last_updated": "2022-12-12T14:46:35+00:00",
+  "score": 4,
+  "self_url": "https://craphound.com/category/podcast/feed/",
+  "site_name": null,
+  "site_url": null,
+  "title": "Podcast – Cory Doctorow's craphound.com",
+  "url": "https://feeds.feedburner.com/doctorow_podcast",
+  "velocity": 0.068,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.feedburner.com/radiolab/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1315558,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Radiolab",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 150,
+  "last_seen": "2023-01-11T15:01:17.273650+00:00",
+  "last_updated": "2023-01-06T15:00:00+00:00",
+  "score": 4,
+  "self_url": "https://www.wnycstudios.org/feeds/series/podcasts",
+  "site_name": null,
+  "site_url": null,
+  "title": "Radiolab",
+  "url": "https://feeds.feedburner.com/radiolab",
+  "velocity": 0.139,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.megaphone.fm/recodedecode/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 2976783,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "A business show about big ideas — and other problems.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 660,
+  "last_seen": "2023-01-11T15:51:13.652417+00:00",
+  "last_updated": "2023-01-10T10:00:00+00:00",
+  "score": 14,
+  "self_url": "https://feeds.megaphone.fm/recodedecode",
+  "site_name": null,
+  "site_url": null,
+  "title": "Decoder with Nilay Patel",
+  "url": "https://feeds.megaphone.fm/recodedecode",
+  "velocity": 0.24,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.simplecast.com/wgl4xEgL/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 2940192,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "EconTalk: Conversations for the Curious is an award-winning weekly podcast hosted by Russ Roberts of Shalem College in Jerusalem and Stanford's Hoover Institution. The eclectic guest list includes authors, doctors, psychologists, historians, philosophers, economists, and more. Learn how the health care system really works, the serenity that comes from humility, the challenge of interpreting data, how potato chips are made, what it's like to run an upscale Manhattan restaurant, what caused the 2008 financial crisis, the nature of consciousness, and more. EconTalk has been taking the Monday out of Mondays since 2006.  All 800+ episodes are available in the archive. Go to EconTalk.org for transcripts, related resources, and comments.",
+  "favicon": null,
+  "hubs": [
+    "https://simplecast.superfeedr.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 875,
+  "last_seen": "2023-01-11T14:31:49.308489+00:00",
+  "last_updated": "2023-01-09T11:30:00+00:00",
+  "score": 24,
+  "self_url": "https://feeds.simplecast.com/wgl4xEgL",
+  "site_name": null,
+  "site_url": null,
+  "title": "EconTalk",
+  "url": "https://feeds.simplecast.com/wgl4xEgL",
+  "velocity": 0.142,
+  "version": "rss20"
+}

modules/data/feeds/sources/lesswrong.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 337440,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "A community blog devoted to refining the art of rationality",
+  "favicon": "https://res.cloudinary.com/lesswrong-2-0/image/upload/v1497915096/favicon_lncumn.ico",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 10,
+  "last_seen": "2023-01-11T10:39:58.575828+00:00",
+  "last_updated": "2023-01-11T09:58:49+00:00",
+  "score": 32,
+  "self_url": "https://www.lesswrong.com/feed.xml?view=rss&karmaThreshold=2",
+  "site_name": "LessWrong",
+  "site_url": "https://www.lesswrong.com",
+  "title": "LessWrong",
+  "url": "https://www.lesswrong.com/feed.xml",
+  "velocity": 12.052,
+  "version": "rss20"
+}

modules/data/feeds/sources/lexfridman.com/podcast/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 841679,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Conversations about AI, science, technology, history, philosophy and the nature of intelligence, consciousness, love, and power.",
+  "favicon": "https://lexfridman.com/wordpress/wp-content/uploads/2017/06/cropped-lex-favicon-4-1-32x32.png",
+  "hubs": [
+    "https://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 300,
+  "last_seen": "2023-01-11T12:40:59.343327+00:00",
+  "last_updated": "2022-12-29T17:35:50+00:00",
+  "score": 20,
+  "self_url": "https://lexfridman.com/feed/podcast/",
+  "site_name": "Lex Fridman",
+  "site_url": "https://lexfridman.com",
+  "title": "Lex Fridman Podcast",
+  "url": "https://lexfridman.com/feed/podcast/",
+  "velocity": 0.265,
+  "version": "rss20"
+}

modules/data/feeds/sources/mg.lol/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 83074,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "projects & research",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 14,
+  "last_seen": "2023-01-11T12:28:34.383284+00:00",
+  "last_updated": "2021-07-29T05:10:05+00:00",
+  "score": 14,
+  "self_url": "https://mg.lol/blog/rss/",
+  "site_name": null,
+  "site_url": "https://mg.lol",
+  "title": "MG",
+  "url": "https://mg.lol/blog/rss/",
+  "velocity": 0.004,
+  "version": "rss20"
+}

modules/data/feeds/sources/podcast.posttv.com/itunes/post-reports.xml/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 3568150,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Post Reports",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 1070,
+  "last_seen": "2023-01-11T14:37:23.650030+00:00",
+  "last_updated": "2023-01-10T21:40:40+00:00",
+  "score": 14,
+  "self_url": "https://podcast.posttv.com/itunes/post-reports.xml",
+  "site_name": null,
+  "site_url": null,
+  "title": "Post Reports",
+  "url": "https://podcast.posttv.com/itunes/post-reports.xml",
+  "velocity": 0.711,
+  "version": "rss20"
+}

modules/data/feeds/sources/righto.com/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 862917,
+  "content_type": "application/atom+xml; charset=utf-8",
+  "description": "Computer history, restoring vintage computers, IC reverse engineering, and whatever",
+  "favicon": "https://www.blogger.com/about/favicon/favicon.ico",
+  "hubs": [
+    "http://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": false,
+  "is_push": true,
+  "item_count": 25,
+  "last_seen": "2023-01-11T12:29:19.820378+00:00",
+  "last_updated": "2023-01-10T18:21:20.265000+00:00",
+  "score": -2,
+  "self_url": "https://www.blogger.com/feeds/6264947694886887540/posts/default",
+  "site_name": "Blogger.com - Create a unique and beautiful blog easily.",
+  "site_url": "https://www.blogger.com",
+  "title": "Ken Shirriff's blog",
+  "url": "https://www.blogger.com/feeds/6264947694886887540/posts/default",
+  "velocity": 0.12,
+  "version": "atom10"
+}

modules/data/feeds/sources/rss.acast.com/ft-tech-tonic/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 550915,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "The show that looks at the way technology is changing our economies, societies and daily lives.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 160,
+  "last_seen": "2023-01-11T15:31:40.303733+00:00",
+  "last_updated": "2022-11-22T05:00:36+00:00",
+  "score": 10,
+  "self_url": "https://feeds.acast.com/public/shows/125ef5a6-6c61-4024-b70e-3487a971a26c",
+  "site_name": null,
+  "site_url": null,
+  "title": "FT Tech Tonic",
+  "url": "https://feeds.acast.com/public/shows/125ef5a6-6c61-4024-b70e-3487a971a26c",
+  "velocity": 0.072,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.art19.com/60-minutes/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1041745,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "<p>Get the best reporting and storytelling on television from 60 Minutes - on your schedule. Now you can listen to the show in its entirety every week. 60 Minutes is the most successful broadcast in television history with more than 80 Emmys under its belt. 60 Minutes offers unbiased reporting on politics, in-depth investigations and important adventures from around the world- like no one else.  </p>",
+  "favicon": "https://rss.art19.com/favicon.ico",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 374,
+  "last_seen": "2023-01-11T15:45:07.189940+00:00",
+  "last_updated": "2023-01-09T03:00:00+00:00",
+  "score": 18,
+  "self_url": "https://rss.art19.com/60-minutes",
+  "site_name": null,
+  "site_url": "https://rss.art19.com",
+  "title": "60 Minutes",
+  "url": "https://rss.art19.com/60-minutes",
+  "velocity": 0.082,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.art19.com/the-portal/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 235911,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "<p>The Portal is an exploration into discovery, including conversations with thought leaders. Host Eric Weinstein, Managing Director of Thiel Capital, brings his unique expertise and diverse roster of guests for a wide range of discussions, including science, culture, business, and capitalism. The show will feature people whose lives demonstrate that portals into what we would normally consider impossible, are indeed possible.&nbsp;&nbsp;Guests include presidential candidate Andrew Yang, NY Times bestselling author Sam Harris, and retired Navy Seal and creator of the hit business podcast Jocko Willink.</p>",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 44,
+  "last_seen": "2023-01-11T14:47:44.995855+00:00",
+  "last_updated": "2020-12-02T07:50:55+00:00",
+  "score": -12,
+  "self_url": "https://www.omnycontent.com/d/playlist/9b7dacdf-a925-4f95-84dc-ac46003451ff/1713c520-edb6-43a3-b1b9-acb8002fdae7/58e33a0c-f86b-41c5-a11c-acb8002fdaf5/podcast.rss",
+  "site_name": null,
+  "site_url": null,
+  "title": "The Portal",
+  "url": "https://www.omnycontent.com/d/playlist/9b7dacdf-a925-4f95-84dc-ac46003451ff/1713c520-edb6-43a3-b1b9-acb8002fdae7/58e33a0c-f86b-41c5-a11c-acb8002fdaf5/podcast.rss",
+  "velocity": 0.082,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.art19.com/your-welcome/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1462485,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Michael Malice brings his unique perspective – and plenty of sick burns – as he discusses everything from north Korea to American politics and culture with a bevy of guests.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 238,
+  "last_seen": "2023-01-11T15:58:45.264936+00:00",
+  "last_updated": "2023-01-04T10:40:00+00:00",
+  "score": -10,
+  "self_url": "http://origin.podcastone.com/podcast?categoryID2=2232",
+  "site_name": null,
+  "site_url": null,
+  "title": "\"YOUR WELCOME\" with Michael Malice",
+  "url": "https://www.podcastone.com/podcast?categoryID2=2232",
+  "velocity": 0.141,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.prod.firstlook.media/deconstructed/podcast.rss/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 809084,
+  "content_type": "application/xml+rss; charset=utf-8",
+  "description": "A show that cuts through all the political drivel and media misinformation to give you a straight take on one big news story of the week.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 217,
+  "last_seen": "2023-01-11T13:40:50.240217+00:00",
+  "last_updated": "2023-01-06T10:37:50+00:00",
+  "score": 16,
+  "self_url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
+  "site_name": null,
+  "site_url": null,
+  "title": "Deconstructed",
+  "url": "https://rss.prod.firstlook.media/deconstructed/podcast.rss",
+  "velocity": 0.122,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.prod.firstlook.media/intercepted/podcast.rss/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1034995,
+  "content_type": "application/xml+rss; charset=utf-8",
+  "description": "The people behind The Intercept’s fearless reporting and incisive commentary discuss the crucial issues of our time.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 243,
+  "last_seen": "2023-01-11T14:04:41.283509+00:00",
+  "last_updated": "2022-12-21T10:30:43+00:00",
+  "score": 16,
+  "self_url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
+  "site_name": null,
+  "site_url": null,
+  "title": "Intercepted",
+  "url": "https://rss.prod.firstlook.media/intercepted/podcast.rss",
+  "velocity": 0.112,
+  "version": "rss20"
+}

modules/data/feeds/sources/sscpodcast.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 3905927,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "The official audio version of Astral Codex Ten, with an archive of posts from Slate Star Codex. It's just me reading Scott Alexander's blog posts.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 739,
+  "last_seen": "2023-01-11T11:05:40.604126+00:00",
+  "last_updated": "2023-01-11T05:13:00+00:00",
+  "score": 18,
+  "self_url": "https://sscpodcast.libsyn.com/rss",
+  "site_name": "Astral Codex Ten Podcast",
+  "site_url": "https://sscpodcast.libsyn.com",
+  "title": "Astral Codex Ten Podcast",
+  "url": "https://sscpodcast.libsyn.com/rss",
+  "velocity": 0.384,
+  "version": "rss20"
+}

modules/data/feeds/sources/uninsane.org/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 1,
+  "content_length": 178687,
+  "content_type": "text/xml; charset=utf-8",
+  "description": null,
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 6,
+  "last_seen": "2023-01-11T10:51:13.435393+00:00",
+  "last_updated": "2022-10-13T00:00:00+00:00",
+  "score": -4,
+  "self_url": "https://uninsane.org/atom.xml",
+  "site_name": "Perfectly Sane",
+  "site_url": "https://uninsane.org",
+  "title": "Perfectly Sane",
+  "url": "https://uninsane.org/atom.xml",
+  "velocity": 0.025,
+  "version": "atom10"
+}

modules/data/feeds/sources/wakingup.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 825822,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Join neuroscientist, philosopher, and best-selling author Sam Harris as he explores questions about the human mind, society, and current events.",
+  "favicon": null,
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 326,
+  "last_seen": "2023-01-11T15:13:28.154435+00:00",
+  "last_updated": "2023-01-05T18:36:25+00:00",
+  "score": 18,
+  "self_url": "https://wakingup.libsyn.com/rss",
+  "site_name": "Making Sense with Sam Harris",
+  "site_url": "https://wakingup.libsyn.com",
+  "title": "Making Sense with Sam Harris",
+  "url": "https://wakingup.libsyn.com/rss",
+  "velocity": 0.096,
+  "version": "rss20"
+}

modules/data/feeds/sources/xkcd.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 2302,
+  "content_type": "text/xml; charset=utf-8",
+  "description": null,
+  "favicon": "https://xkcd.com/s/919f27.ico",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 4,
+  "last_seen": "2023-01-11T10:29:36.530001+00:00",
+  "last_updated": "2023-01-09T00:00:00+00:00",
+  "score": 16,
+  "self_url": null,
+  "site_name": "xkcd",
+  "site_url": "https://xkcd.com",
+  "title": "xkcd.com",
+  "url": "https://xkcd.com/atom.xml",
+  "velocity": 0.429,
+  "version": "atom10"
+}

modules/data/keys.nix

@@ -0,0 +1,30 @@
+# hierarchical, DNS-like mapping from <name> => ssh host/user for that name.
+# host keys are represented as user keys, just with the user specified as "root".
+
+{
+  org.uninsane = rec {
+    root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+    git.root = root;
+
+    local = {
+      # machine aliases i specify on my lan; not actually asserted as DNS
+      desko.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+      desko.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+
+      lappy.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+      lappy.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+
+      moby.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+      moby.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+
+      servo.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+      servo.root = root;
+    };
+  };
+
+  com.github = rec {
+    # documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
+    # Github actually uses multiple keys -- one per format
+    root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+  };
+}

modules/default.nix

@@ -1,14 +1,23 @@
-{ ... }:
+{ lib, utils, ... }:
 
 {
   imports = [
-    ./allocations.nix
+    ./feeds.nix
+    ./fs
     ./gui
     ./home-manager
+    ./ids.nix
     ./packages.nix
     ./image.nix
-    ./impermanence
     ./nixcache.nix
+    ./persist
     ./services
+    ./sops.nix
+    ./ssh.nix
   ];
+
+  _module.args =  {
+    sane-lib = import ./lib { inherit lib utils; };
+    sane-data = import ./data { inherit lib; };
+  };
 }

modules/feeds.nix

@@ -0,0 +1,55 @@
+{ lib, sane-data, ... }:
+
+with lib;
+let
+  feed = types.submodule ({ config, ... }: {
+    options = {
+      freq = mkOption {
+        type = types.enum [ "hourly" "daily" "weekly" "infrequent" ];
+        default = "infrequent";
+      };
+      cat = mkOption {
+        type = types.enum [ "art" "humor" "pol" "rat" "tech" "uncat" ];
+        default = "uncat";
+      };
+      format = mkOption {
+        type = types.enum [ "text" "image" "podcast" ];
+        default = "text";
+      };
+      title = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      url = mkOption {
+        type = types.str;
+        description = ''
+          url to a RSS feed
+        '';
+      };
+      substack = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          if the feed is a substack domain, just enter the subdomain here and the url/format field can be populated automatically
+        '';
+      };
+    };
+    config = lib.mkIf (config.substack != null) {
+      url = "https://${config.substack}.substack.com/feed";
+      format = "text";
+    };
+  });
+in
+{
+  # we don't explicitly generate anything from the feeds here.
+  # instead, config.sane.feeds is used by a variety of services at their definition site.
+  options = {
+    sane.feeds = mkOption {
+      type = types.listOf feed;
+      default = [];
+      description = ''
+        RSS feeds indexed by a human-readable name.
+      '';
+    };
+  };
+}

modules/fs/default.nix

@@ -0,0 +1,357 @@
+{ config, lib, pkgs, utils, sane-lib, ... }:
+with lib;
+let
+  path-lib = sane-lib.path;
+  sane-types = sane-lib.types;
+  cfg = config.sane.fs;
+
+  mountNameFor = path: "${utils.escapeSystemdPath path}.mount";
+  serviceNameFor = path: "ensure-${utils.escapeSystemdPath path}";
+
+  # sane.fs."<path>" top-level options
+  fsEntry = types.submodule ({ name, config, ...}: let
+    parent = path-lib.parent name;
+    has-parent = path-lib.hasParent name;
+    parent-cfg = if has-parent then cfg."${parent}" else {};
+    parent-acl = if has-parent then parent-cfg.generated.acl else {};
+  in {
+    options = {
+      dir = mkOption {
+        type = types.nullOr dirEntry;
+        default = null;
+      };
+      symlink = mkOption {
+        type = types.nullOr (symlinkEntryFor name);
+        default = null;
+      };
+      generated = mkOption {
+        type = generatedEntry;
+        default = {};
+      };
+      mount = mkOption {
+        type = types.nullOr (mountEntryFor name);
+        default = null;
+      };
+      wantedBy = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          list of units or targets which, when activated, should trigger this fs entry to be created.
+        '';
+      };
+      wantedBeforeBy = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          list of units or targets which, when activated, should first start and wait for this fs entry to be created.
+          if this unit fails, it will not block the targets in this list.
+        '';
+      };
+      unit = mkOption {
+        type = types.str;
+        description = "name of the systemd unit which ensures this entry";
+      };
+    };
+    config = let
+      default-acl = {
+        user = lib.mkDefault (parent-acl.user or "root");
+        group = lib.mkDefault (parent-acl.group or "root");
+        mode = lib.mkDefault (parent-acl.mode or "0755");
+      };
+    in {
+      # we put this here instead of as a `default` to ensure that users who specify additional
+      # dependencies still get a dep on the parent (unless they assign with `mkForce`).
+      generated.depends = if has-parent then [ parent-cfg.unit ] else [];
+
+      # populate generated items from `dir` or `symlink` shorthands
+      generated.acl = lib.mkMerge [
+        default-acl
+        (lib.mkIf (config.dir != null)
+          (sane-lib.filterNonNull config.dir.acl))
+        (lib.mkIf (config.symlink != null)
+          (sane-lib.filterNonNull config.symlink.acl))
+      ];
+
+      # actually generate the item
+      generated.script = lib.mkMerge [
+        (lib.mkIf (config.dir != null) (ensureDirScript name config.dir))
+        (lib.mkIf (config.symlink != null) (ensureSymlinkScript name config.symlink))
+      ];
+
+      # make the unit file which generates the underlying thing available so that `mount` can use it.
+      generated.unit = (serviceNameFor name) + ".service";
+
+      # if we were asked to mount, make sure we create the dir that we mount over
+      dir = lib.mkIf (config.mount != null) {};
+
+      # if defaulted, this module is responsible for finalizing the entry.
+      # the user could override this if, say, they finalize some aspect of the entry
+      # with a custom service.
+      unit = lib.mkDefault (
+        if config.mount != null then
+          config.mount.unit
+        else
+          config.generated.unit
+      );
+    };
+  });
+
+  # options which can be set in dir/symlink generated items,
+  # with intention that they just propagate down
+  propagatedGenerateMod = {
+    options = {
+      acl = mkOption {
+        type = sane-types.aclOverride;
+        default = {};
+      };
+    };
+  };
+
+  # sane.fs."<path>".dir sub-options
+  # takes no special options
+  dirEntry = types.submodule propagatedGenerateMod;
+
+  symlinkEntryFor = path: types.submodule ({ config, ...}: {
+    options = {
+      inherit (propagatedGenerateMod.options) acl;
+      target = mkOption {
+        type = types.coercedTo types.package toString types.str;
+        description = "fs path to link to";
+      };
+      text = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "create a file in the /nix/store with the provided text and use that as the target";
+      };
+    };
+    config = {
+      target = lib.mkIf (config.text != null) (
+        pkgs.writeText (path-lib.leaf path) config.text
+      );
+    };
+  });
+
+  generatedEntry = types.submodule {
+    options = {
+      acl = mkOption {
+        type = sane-types.acl;
+      };
+      depends = mkOption {
+        type = types.listOf types.str;
+        description = ''
+          list of systemd units needed to be run before this item can be generated.
+        '';
+        default = [];
+      };
+      script.script = mkOption {
+        type = types.lines;
+      };
+      script.scriptArgs = mkOption {
+        type = types.listOf types.str;
+        default = [];
+      };
+      unit = mkOption {
+        type = types.str;
+        description = "name of the systemd unit which ensures this directory";
+      };
+    };
+  };
+
+  # sane.fs."<path>".mount sub-options
+  mountEntryFor = path: types.submodule {
+    options = {
+      bind = mkOption {
+        type = types.nullOr types.str;
+        description = "fs path to bind-mount from";
+        default = null;
+      };
+      depends = mkOption {
+        type = types.listOf types.str;
+        description = ''
+          list of systemd units needed to be run before this entry can be mounted
+        '';
+        default = [];
+      };
+      unit = mkOption {
+        type = types.str;
+        description = "name of the systemd unit which mounts this path";
+        default = mountNameFor path;
+      };
+    };
+  };
+
+  mkGeneratedConfig = path: opt: let
+    gen-opt = opt.generated;
+    wrapper = generateWrapperScript path gen-opt;
+  in {
+    systemd.services."${serviceNameFor path}" = {
+      description = "prepare ${path}";
+      serviceConfig.Type = "oneshot";
+
+      script = wrapper.script;
+      scriptArgs = builtins.concatStringsSep " " wrapper.scriptArgs;
+
+      after = gen-opt.depends;
+      wants = gen-opt.depends;
+      # prevent systemd making this unit implicitly dependent on sysinit.target.
+      # see: <https://www.freedesktop.org/software/systemd/man/systemd.special.html>
+      unitConfig.DefaultDependencies = "no";
+
+      before = opt.wantedBeforeBy;
+      wantedBy = opt.wantedBy ++ opt.wantedBeforeBy;
+    };
+  };
+
+  # given a mountEntry definition, evaluate its toplevel `config` output.
+  mkMountConfig = path: opt: (let
+    device = config.fileSystems."${path}".device;
+    underlying = cfg."${device}";
+    isBind = opt.mount.bind != null;
+    ifBind = lib.mkIf isBind;
+    # before mounting:
+    # - create the target directory
+    # - prepare the source directory -- assuming it's not an external device
+    # - satisfy any user-specified prerequisites ("depends")
+    requires = [ opt.generated.unit ]
+      ++ (if lib.hasPrefix "/dev/disk/" device then [] else [ underlying.unit ])
+      ++ opt.mount.depends;
+  in {
+    fileSystems."${path}" = {
+      device = ifBind opt.mount.bind;
+      options = (if isBind then ["bind"] else [])
+        ++ [
+          # disable defaults: don't require this to be mount as part of local-fs.target
+          # we'll handle that stuff precisely.
+          "noauto"
+          "nofail"
+          # x-systemd options documented here:
+          # - <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
+        ]
+        ++ (builtins.map (unit: "x-systemd.requires=${unit}") requires)
+        ++ (builtins.map (unit: "x-systemd.before=${unit}") opt.wantedBeforeBy)
+        ++ (builtins.map (unit: "x-systemd.wanted-by=${unit}") (opt.wantedBy ++ opt.wantedBeforeBy));
+      noCheck = ifBind true;
+    };
+  });
+
+
+  mkFsConfig = path: opt: lib.mkMerge [
+    (mkGeneratedConfig path opt)
+    (lib.mkIf (opt.mount != null) (mkMountConfig path opt))
+  ];
+
+  generateWrapperScript = path: gen-opt: {
+    script = ''
+      fspath="$1"
+      acluser="$2"
+      aclgroup="$3"
+      aclmode="$4"
+      shift 4
+
+      # ensure any things created by the user script have the desired mode.
+      # chmod doesn't work on symlinks, so we *have* to use this umask approach.
+      decmask=$(( 0777 - "$aclmode" ))
+      octmask=$(printf "%o" "$decmask")
+      umask "$octmask"
+
+      # try to chmod/chown the result even if the user script errors
+      _status=0
+      trap "_status=\$?" ERR
+
+      ${gen-opt.script.script}
+
+      # claim ownership of the new thing (DON'T traverse symlinks)
+      chown --no-dereference "$acluser:$aclgroup" "$fspath"
+      # AS LONG AS IT'S NOT A SYMLINK, try to fix perms in case the entity existed before this script was called
+      if ! test -L "$fspath"
+      then
+        chmod "$aclmode" "$fspath"
+      fi
+
+      exit "$_status"
+    '';
+    scriptArgs = [ path gen-opt.acl.user gen-opt.acl.group gen-opt.acl.mode ] ++ gen-opt.script.scriptArgs;
+  };
+
+  # systemd/shell script used to create and set perms for a specific dir
+  ensureDirScript = path: dir-cfg: {
+    script = ''
+      dirpath="$1"
+
+      if ! test -d "$dirpath"
+      then
+        # if the directory *doesn't* exist, try creating it
+        # if we fail to create it, ensure we raced with something else and that it's actually a directory
+        mkdir "$dirpath" || test -d "$dirpath"
+      fi
+    '';
+    scriptArgs = [ path ];
+  };
+
+  # systemd/shell script used to create a symlink
+  ensureSymlinkScript = path: link-cfg: {
+    script = ''
+      lnfrom="$1"
+      lnto="$2"
+
+      # ln is clever when there's something else at the place we want to create the link
+      # only create the link if nothing's there or what is there is another link,
+      # otherwise you'll get links at unexpected fs locations
+      ! test -e "$lnfrom" || test -L "$lnfrom"  && ln -sf --no-dereference "$lnto" "$lnfrom"
+    '';
+    scriptArgs = [ path link-cfg.target ];
+  };
+
+  # return all ancestors of this path.
+  # e.g. ancestorsOf "/foo/bar/baz" => [ "/" "/foo" "/foo/bar" ]
+  ancestorsOf = path: lib.init (path-lib.walk "/" path);
+
+  # attrsOf fsEntry type which for every entry ensures that all ancestor entries are created.
+  # we do this with a custom type to ensure that users can access `config.sane.fs."/parent/path"`
+  # when inferred.
+  fsTree = let
+    baseType = types.attrsOf fsEntry;
+    # merge is called once, with all collected `sane.fs` definitions passed and we coalesce those
+    # into a single value `x` as if the user had wrote simply `sane.fs = x` in a single location.
+    # so option defaulting and such happens *after* `merge` is called.
+    merge = loc: defs: let
+      # loc is the location of the option holding this type, e.g. ["sane" "fs"].
+      # each def is an { value = attrsOf fsEntry instance; file = "..."; }
+      pathsForDef = def: attrNames def.value;
+      origPaths = concatLists (builtins.map pathsForDef defs);
+      extraPaths = concatLists (builtins.map ancestorsOf origPaths);
+      extraDefs = builtins.map (p: {
+        file = ./.;
+        value = {
+          "${p}".dir = {};
+        };
+      }) extraPaths;
+    in
+      baseType.merge loc (defs ++ extraDefs);
+  in
+    lib.mkOptionType {
+      inherit merge;
+      name = "fsTree";
+      description = "attrset representation of a file-system tree";
+      # ensure that every path is in canonical form, else we might get duplicates and subtle errors
+      check = tree: builtins.all (p: p == path-lib.norm p) (builtins.attrNames tree);
+    };
+
+in {
+  options = {
+    sane.fs = mkOption {
+      # type = types.attrsOf fsEntry;
+      type = fsTree;
+      default = {};
+    };
+  };
+
+  config =
+    let
+      configs = lib.mapAttrsToList mkFsConfig cfg;
+      take = f: {
+        systemd.services = f.systemd.services;
+        fileSystems = f.fileSystems;
+      };
+    in take (sane-lib.mkTypedMerge take configs);
+}

modules/gui/default.nix

@@ -23,7 +23,9 @@ in
 
   config = lib.mkIf cfg.enable {
     sane.packages.enableGuiPkgs = lib.mkDefault true;
-    # all GUIs use network manager?
-    users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
+
+    # preserve backlight brightness across power cycles
+    # see `man systemd-backlight`
+    sane.persist.sys.plaintext = [ "/var/lib/systemd/backlight" ];
   };
 }

modules/gui/gnome.nix

@@ -15,15 +15,6 @@ in
   config = mkIf cfg.enable {
     sane.gui.enable = true;
 
-    users.users.avahi.uid = config.sane.allocations.avahi-uid;
-    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
-    users.users.colord.uid = config.sane.allocations.colord-uid;
-    users.groups.colord.gid = config.sane.allocations.colord-gid;
-    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
-    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
-    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
-    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
-
     # start gnome/gdm on boot
     services.xserver.enable = true;
     services.xserver.desktopManager.gnome.enable = true;

modules/gui/phosh.nix

@@ -24,16 +24,6 @@ in
     {
       sane.gui.enable = true;
 
-      users.users.avahi.uid = config.sane.allocations.avahi-uid;
-      users.users.colord.uid = config.sane.allocations.colord-uid;
-      users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
-      users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
-      users.groups.avahi.gid = config.sane.allocations.avahi-gid;
-      users.groups.colord.gid = config.sane.allocations.colord-gid;
-      users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
-      users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
-      users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
-
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
       services.xserver.desktopManager.phosh = {
         enable = true;

modules/gui/snippets.txt

@@ -1,7 +1,9 @@
 https://search.nixos.org/options?channel=unstable&query=
 https://search.nixos.org/packages?channel=unstable&query=
 https://nixos.wiki/index.php?go=Go&search=
+https://nixos.org/manual/nix/stable/language/builtins.html
 https://github.com/nixos/nixpkgs/pulls?q=
+https://nur.nix-community.org/
 https://nix-community.github.io/home-manager/options.html
 https://w.uninsane.org/viewer#search?books.name=wikipedia_en_all_maxi_2022-05&pattern=
 https://jackett.uninsane.org/UI/Dashboard#search=

modules/gui/sway.nix

@@ -22,14 +22,15 @@ in
   };
   config = mkIf cfg.enable {
     sane.gui.enable = true;
-    users.users.greeter.uid = config.sane.allocations.greeter-uid;
-    users.groups.greeter.gid = config.sane.allocations.greeter-gid;
+
     programs.sway = {
       # we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
       enable = true;
     };
 
-    # alternatively, could use SDDM
+    # instead of using `services.greetd`, can instead use SDDM by swapping in these lines.
+    # services.xserver.displayManager.sddm.enable = true;
+    # services.xserver.enable = true;
     services.greetd = let
       swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
         # `-l` activates layer-shell mode.
@@ -71,13 +72,24 @@ in
       pulse.enable = true;
     };
 
-    hardware.bluetooth.enable = true;
-    services.blueman.enable = true;
-
     networking.useDHCP = false;
     networking.networkmanager.enable = true;
     networking.wireless.enable = lib.mkForce false;
 
+    hardware.bluetooth.enable = true;
+    services.blueman.enable = true;
+    # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
+    services.gnome.gnome-settings-daemon.enable = true;
+    # start the components of gsd we need at login
+    systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
+    # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
+    # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
+    # it doesn't actually seem to need ANY of them in the first place T_T
+    systemd.user.targets."gnome-session-initialized".enable = false;
+    # bluez can't connect to audio devices unless pipewire is running.
+    # a system service can't depend on a user service, so just launch it at graphical-session
+    systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
+
     sane.home-manager.windowManager.sway = {
       enable = true;
       wrapperFeatures.gtk = true;

modules/home-manager/aerc.nix

@@ -1,5 +1,5 @@
 # Terminal UI mail client
-{ config, lib, ... }:
+{ config, lib, sane-lib, ... }:
 
 lib.mkIf config.sane.home-manager.enable
 {
@@ -8,9 +8,5 @@ lib.mkIf config.sane.home-manager.enable
     sopsFile = ../../secrets/universal/aerc_accounts.conf;
     format = "binary";
   };
-  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
-    # aerc TUI mail client
-    xdg.configFile."aerc/accounts.conf".source =
-      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
-  };
+  sane.fs."/home/colin/.config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
 }

modules/home-manager/default.nix

@@ -9,22 +9,21 @@
 with lib;
 let
   cfg = config.sane.home-manager;
-  # extract package from `sane.packages.enabledUserPkgs`
-  pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
-  # extract `dir` from `sane.packages.enabledUserPkgs`
-  dir-list = pkgspec: builtins.concatLists (builtins.map (e: e.dir or []) pkgspec);
-  private-list = pkgspec: builtins.concatLists (builtins.map (e: e.private or []) pkgspec);
-  feeds = import ./feeds.nix { inherit lib; };
+  # extract `pkg` from `sane.packages.enabledUserPkgs`
+  pkg-list = pkgspec: builtins.map (e: e.pkg) pkgspec;
 in
 {
   imports = [
     ./aerc.nix
     ./firefox.nix
+    ./gfeeds.nix
     ./git.nix
+    ./gpodder.nix
+    ./keyring.nix
     ./kitty.nix
     ./mpv.nix
-    ./nb.nix
     ./neovim.nix
+    ./newsflash.nix
     ./splatmoji.nix
     ./ssh.nix
     ./sublime-music.nix
@@ -51,18 +50,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    sane.impermanence.home-dirs = [
-      "archive"
-      "dev"
-      "records"
-      "ref"
-      "tmp"
-      "use"
-      "Music"
-      "Pictures"
-      "Videos"
-    ] ++ (dir-list config.sane.packages.enabledUserPkgs);
-
     home-manager.useGlobalPkgs = true;
     home-manager.useUserPackages = true;
 
@@ -82,35 +69,6 @@ in
       home.username = "colin";
       home.homeDirectory = "/home/colin";
 
-      home.activation = {
-        initKeyring = {
-          after = ["writeBoundary"];
-          before = [];
-          data = "${../../scripts/init-keyring}";
-        };
-      };
-
-
-      home.file = let
-        privates = builtins.listToAttrs (
-          builtins.map (path: {
-            name = path;
-            value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
-          })
-          (private-list sysconfig.sane.packages.enabledUserPkgs)
-        );
-      in {
-        # convenience
-        "knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/knowledge";
-        "nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
-        "Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
-        "Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
-        "Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
-
-        # used by password managers, e.g. unix `pass`
-        ".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/knowledge/secrets/accounts";
-      } // privates;
-
       # XDG defines things like ~/Desktop, ~/Downloads, etc.
       # these clutter the home, so i mostly don't use them.
       xdg.userDirs = {
@@ -130,7 +88,7 @@ in
       # - `xdg-mime query filetype path/to/thing.ext`
       xdg.mimeApps.enable = true;
       xdg.mimeApps.defaultApplications = let
-        www = sysconfig.sane.web-browser.desktop;
+        www = sysconfig.sane.web-browser.browser.desktop;
         pdf = "org.gnome.Evince.desktop";
         md = "obsidian.desktop";
         thumb = "org.gnome.gThumb.desktop";
@@ -173,54 +131,14 @@ in
       # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
 
 
-
-      xdg.configFile."gpodderFeeds.opml".text = with feeds;
-        feedsToOpml feeds.podcasts;
-
-      # news-flash RSS viewer
-      xdg.configFile."newsflashFeeds.opml".text = with feeds;
-        feedsToOpml (feeds.texts ++ feeds.images);
-
-      # gnome feeds RSS viewer
-      xdg.configFile."org.gabmus.gfeeds.json".text =
-      let
-        myFeeds = feeds.texts ++ feeds.images;
-      in builtins.toJSON {
-        # feed format is a map from URL to a dict,
-        #   with dict["tags"] a list of string tags.
-        feeds = builtins.foldl' (acc: feed: acc // {
-          "${feed.url}".tags = [ feed.cat feed.freq ];
-        }) {} myFeeds;
-        dark_reader = false;
-        new_first = true;
-        # windowsize = {
-        #   width = 350;
-        #   height = 650;
-        # };
-        max_article_age_days = 90;
-        enable_js = false;
-        max_refresh_threads = 3;
-        # saved_items = {};
-        # read_items = [];
-        show_read_items = true;
-        full_article_title = true;
-        # views: "webview", "reader", "rsscont"
-        default_view = "rsscont";
-        open_links_externally = true;
-        full_feed_name = false;
-        refresh_on_startup = true;
-        tags = lib.lists.unique (
-          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
-        );
-        open_youtube_externally = false;
-        media_player = "vlc";  # default: mpv
-      };
-
-      programs = {
-        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
-        # "command not found" will cause the command to be searched in nixpkgs
-        nix-index.enable = true;
-      } // cfg.programs;
+      programs = lib.mkMerge [
+        {
+          home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
+          # "command not found" will cause the command to be searched in nixpkgs
+          nix-index.enable = true;
+        }
+        cfg.programs
+      ];
     };
   };
 }

modules/home-manager/firefox.nix

@@ -6,7 +6,7 @@
 # many of the settings below won't have effect without those patches.
 # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
 
-{ config, lib, pkgs, ...}:
+{ config, lib, pkgs, sane-lib, ...}:
 with lib;
 let
   cfg = config.sane.web-browser;
@@ -19,22 +19,24 @@ let
     # });
     libName = "librewolf";
     dotDir = ".librewolf";
+    cacheDir = ".cache/librewolf";  # TODO: is it?
     desktop = "librewolf.desktop";
   };
   firefoxSettings = {
     browser = pkgs.firefox-esr-unwrapped;
     libName = "firefox";
     dotDir = ".mozilla/firefox";
+    cacheDir = ".cache/mozilla";
     desktop = "firefox.desktop";
   };
   defaultSettings = firefoxSettings;
   # defaultSettings = librewolfSettings;
 
-  package = pkgs.wrapFirefox cfg.browser {
+  package = pkgs.wrapFirefox cfg.browser.browser {
     # inherit the default librewolf.cfg
     # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
     inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-    inherit (cfg) libName;
+    inherit (cfg.browser) libName;
 
     extraNativeMessagingHosts = [ pkgs.browserpass ];
     # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
@@ -55,12 +57,12 @@ let
       # get names from:
       # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
       # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
-      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-+xc4lcdsOwXxMsr4enFsdePbIb6GHq0bFLpqvH5xXos=")
-      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-30F8oDIgshXVY7YKgnfoc1tUTHfgeFbzXISJuVJs0AM=")
-      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-7ZDkG8O1rEYdh/La0PLi9tp92JxYeQvaOFt/BmnDv3U=")
+      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=")
+      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-JOj5P7c2JTTReHCRZXm4BscaGr3i+9Y4Ey/y621x8PI=")
       (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
       (addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")
-      (addon "ublacklist" "@ublacklist" "sha256-vHe/7EYOzcKeAbTElmt0Rb4E2rX0f3JgXThJaUmaz+M=")
+      (addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=")
       (addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=")
       # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
       (localAddon pkgs.browserpass-extension)
@@ -103,43 +105,57 @@ let
 in
 {
   options = {
-    sane.web-browser = mkOption {
+    sane.web-browser.browser = mkOption {
       default = defaultSettings;
       type = types.attrs;
     };
+    sane.web-browser.persistData = mkOption {
+      description = "optional store name to which persist browsing data (like history)";
+      type = types.nullOr types.str;
+      default = null;
+    };
+    sane.web-browser.persistCache = mkOption {
+      description = "optional store name to which persist browser cache";
+      type = types.nullOr types.str;
+      default = "cryptClearOnBoot";
+    };
   };
-  config = lib.mkIf config.sane.home-manager.enable {
-    # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
-    home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
-      programs.firefox = {
-        enable = true;
-        inherit package;
-      };
 
-      # uBlock filter list configuration.
-      # specifically, enable the GDPR cookie prompt blocker.
-      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
-      # this configuration method is documented here:
-      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
-      # the specific attribute path is found via scraping ublock code here:
-      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
-      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-      home.file."${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json".text = ''
-        {
-         "name": "uBlock0@raymondhill.net",
-         "description": "ignored",
-         "type": "storage",
-         "data": {
-            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
-         }
-        }
-      '';
-      home.file."${cfg.dotDir}/${cfg.libName}.overrides.cfg".text = ''
-        // if we can't query the revocation status of a SSL cert because the issuer is offline,
-        // treat it as unrevoked.
-        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
-        defaultPref("security.OCSP.require", false);
-      '';
+  config = lib.mkIf config.sane.home-manager.enable {
+
+    # uBlock filter list configuration.
+    # specifically, enable the GDPR cookie prompt blocker.
+    # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
+    # this configuration method is documented here:
+    # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
+    # the specific attribute path is found via scraping ublock code here:
+    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
+    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
+    sane.fs."/home/colin/${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
+      {
+       "name": "uBlock0@raymondhill.net",
+       "description": "ignored",
+       "type": "storage",
+       "data": {
+          "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
+       }
+      }
+    '';
+    sane.fs."/home/colin/${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
+      // if we can't query the revocation status of a SSL cert because the issuer is offline,
+      // treat it as unrevoked.
+      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+      defaultPref("security.OCSP.require", false);
+    '';
+
+    sane.packages.extraGuiPkgs = [ package ];
+    # flood the cache to disk to avoid it taking up too much tmp
+    sane.persist.home.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
+      store = cfg.persistCache;
+    };
+
+    sane.persist.home.byPath."${cfg.browser.dotDir}" = lib.mkIf (cfg.persistData != null) {
+      store = cfg.persistData;
     };
   };
 }

modules/home-manager/gfeeds.nix

@@ -0,0 +1,42 @@
+# gnome feeds RSS viewer
+{ config, lib, sane-lib, ... }:
+
+let
+  feeds = sane-lib.feeds;
+  all-feeds = config.sane.feeds;
+  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
+in {
+  sane.fs."/home/colin/.config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
+    builtins.toJSON {
+      # feed format is a map from URL to a dict,
+      #   with dict["tags"] a list of string tags.
+      feeds = sane-lib.mapToAttrs (feed: {
+        name = feed.url;
+        value.tags = [ feed.cat feed.freq ];
+      }) wanted-feeds;
+      dark_reader = false;
+      new_first = true;
+      # windowsize = {
+      #   width = 350;
+      #   height = 650;
+      # };
+      max_article_age_days = 90;
+      enable_js = false;
+      max_refresh_threads = 3;
+      # saved_items = {};
+      # read_items = [];
+      show_read_items = true;
+      full_article_title = true;
+      # views: "webview", "reader", "rsscont"
+      default_view = "rsscont";
+      open_links_externally = true;
+      full_feed_name = false;
+      refresh_on_startup = true;
+      tags = lib.unique (
+        (builtins.catAttrs "cat" wanted-feeds) ++ (builtins.catAttrs "freq" wanted-feeds)
+      );
+      open_youtube_externally = false;
+      media_player = "vlc";  # default: mpv
+    }
+  );
+}

modules/home-manager/gpodder.nix

@@ -0,0 +1,12 @@
+# gnome feeds RSS viewer
+{ config, sane-lib, ... }:
+
+let
+  feeds = sane-lib.feeds;
+  all-feeds = config.sane.feeds;
+  wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
+in {
+  sane.fs."/home/colin/.config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
+    feeds.feedsToOpml wanted-feeds
+  );
+}

modules/home-manager/keyring.nix

@@ -0,0 +1,11 @@
+{ config, lib, sane-lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  sane.persist.home.private = [ ".local/share/keyrings" ];
+
+  sane.fs."/home/colin/private/.local/share/keyrings/default" = {
+    generated.script.script = builtins.readFile ../../scripts/init-keyring;
+    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
+  };
+}

modules/home-manager/nb.nix

@@ -1,27 +0,0 @@
-# nb is a CLI-drive Personal Knowledge Manager
-# - <https://xwmx.github.io/nb/>
-#
-# it's pretty opinionated:
-# - autocommits (to git) excessively (disable-able)
-# - inserts its own index files to give deterministic names to files
-#
-# it offers a primitive web-server
-# and it offers some CLI query tools
-
-{ config, lib, pkgs, ... }:
-
-# lib.mkIf config.sane.home-manager.enable
-lib.mkIf false # XXX disabled!
-{
-  sane.packages.extraUserPkgs = [ pkgs.nb ];
-
-  home-manager.users.colin = { config, ... }: {
-    # nb markdown/personal knowledge manager
-    home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/knowledge";
-    home.file.".nb/.current".text = "knowledge";
-    home.file.".nbrc".text = ''
-      # manage with `nb settings`
-      export NB_AUTO_SYNC=0
-    '';
-  };
-}

modules/home-manager/neovim.nix

@@ -2,7 +2,8 @@
 
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
+  # private because there could be sensitive things in the swap
+  sane.persist.home.private = [ ".cache/vim-swap" ];
 
   home-manager.users.colin.programs.neovim = {
     # neovim: https://github.com/neovim/neovim

modules/home-manager/newsflash.nix

@@ -0,0 +1,12 @@
+# news-flash RSS viewer
+{ config, sane-lib, ... }:
+
+let
+  feeds = sane-lib.feeds;
+  all-feeds = config.sane.feeds;
+  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
+in {
+  sane.fs."/home/colin/.config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
+    feeds.feedsToOpml wanted-feeds
+  );
+}

modules/home-manager/splatmoji.nix

@@ -1,20 +1,19 @@
 # borrows from:
 # - default config: <https://github.com/cspeterson/splatmoji/blob/master/splatmoji.config>
 # - wayland: <https://github.com/cspeterson/splatmoji/issues/32#issuecomment-830862566>
-{ pkgs, ... }:
+{ pkgs, sane-lib, ... }:
 
 {
-  home-manager.users.colin = {
-    xdg.configFile."splatmoji/splatmoji.config".text = ''
-      history_file=/home/colin/.local/state/splatmoji/history
-      history_length=5
-      # TODO: wayland equiv
-      paste_command=xdotool key ctrl+v
-      # rofi_command=${pkgs.wofi}/bin/wofi --dmenu --insensitive --cache-file /dev/null
-      rofi_command=${pkgs.fuzzel}/bin/fuzzel -d -i -w 60
-      xdotool_command=${pkgs.wtype}/bin/wtype
-      # TODO: wayland equiv
-      xsel_command=xsel -b -i
-    '';
-  };
+  sane.persist.home.plaintext = [ ".local/state/splatmoji" ];
+  sane.fs."/home/colin/.config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
+    history_file=/home/colin/.local/state/splatmoji/history
+    history_length=5
+    # TODO: wayland equiv
+    paste_command=xdotool key ctrl+v
+    # rofi_command=${pkgs.wofi}/bin/wofi --dmenu --insensitive --cache-file /dev/null
+    rofi_command=${pkgs.fuzzel}/bin/fuzzel -d -i -w 60
+    xdotool_command=${pkgs.wtype}/bin/wtype
+    # TODO: wayland equiv
+    xsel_command=xsel -b -i
+  '';
 }

modules/home-manager/ssh.nix

@@ -1,20 +1,23 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sane-lib, ... }:
 
-lib.mkIf config.sane.home-manager.enable
-{
-  home-manager.users.colin = let
-    host = config.networking.hostName;
-    user_pubkey = (import ../pubkeys.nix).users."${host}";
-    known_hosts_text = builtins.concatStringsSep
-      "\n"
-      (builtins.attrValues (import ../pubkeys.nix).hosts);
-  in { config, ...}: {
-    # ssh key is stored in private storage
-    home.file.".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/.ssh/id_ed25519";
-    home.file.".ssh/id_ed25519.pub".text = user_pubkey;
+with lib;
+let
+  host = config.networking.hostName;
+  user-pubkey = config.sane.ssh.pubkeys."colin@${host}".asUserKey;
+  host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
+  known-hosts-text = concatStringsSep
+    "\n"
+    (map (k: k.asHostKey) host-keys)
+  ;
+in lib.mkIf config.sane.home-manager.enable {
+  # ssh key is stored in private storage
+  sane.persist.home.private = [ ".ssh/id_ed25519" ];
+  sane.fs."/home/colin/.ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+  sane.fs."/home/colin/.ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
 
-    programs.ssh.enable = true;
-    # this optionally accepts multiple known_hosts paths, separated by space.
-    programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
-  };
+  users.users.colin.openssh.authorizedKeys.keys =
+  let
+    user-keys = filter (k: k.user == "colin") (attrValues config.sane.ssh.pubkeys);
+  in
+    map (k: k.asUserKey) user-keys;
 }

modules/home-manager/sublime-music.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, sane-lib, ... }:
 
 lib.mkIf config.sane.home-manager.enable
 {
@@ -8,9 +8,5 @@ lib.mkIf config.sane.home-manager.enable
     sopsFile = ../../secrets/universal/sublime_music_config.json.bin;
     format = "binary";
   };
-  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
-    # sublime music player
-    xdg.configFile."sublime-music/config.json".source =
-      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
-  };
+  sane.fs."/home/colin/.config/sublime-music/config.json" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.sublime_music_config.path;
 }

modules/home-manager/vlc.nix

@@ -1,16 +1,18 @@
-{ config, lib, ... }:
+{ config, lib, sane-lib, ... }:
 
+let
+  feeds = sane-lib.feeds;
+  all-feeds = config.sane.feeds;
+  wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
+  podcast-urls = lib.concatStringsSep "|" (
+    builtins.map (feed: feed.url) wanted-feeds
+  );
+in
 lib.mkIf config.sane.home-manager.enable
 {
-  home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
-  let
-    feeds = import ./feeds.nix { inherit lib; };
-    podcastUrls = lib.strings.concatStringsSep "|" (
-      builtins.map (feed: feed.url) feeds.podcasts
-    );
-  in ''
+  sane.fs."/home/colin/.config/vlc/vlcrc" = sane-lib.fs.wantedText ''
     [podcast]
-    podcast-urls=${podcastUrls}
+    podcast-urls=${podcast-urls}
     [core]
     metadata-network-access=0
     [qt]