servo: store media on external storage

i haven't used this for several months. it doesn't seem to matter, and
maintaining custom systemd patches is very impractical.

flake.lock

@@ -22,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1667299227,
-        "narHash": "sha256-vAJPFSDYUq3DdCL8OzTg4xObRNW+yA1Pt+NzbhGu1f8=",
+        "lastModified": 1667907331,
+        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "f0ecd4b1db5e15103e955b18cb94bea4296e5c45",
+        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1661933071,
-        "narHash": "sha256-RFgfzldpbCvS+H2qwH+EvNejvqs+NhPVD5j1I7HQQPY=",
+        "lastModified": 1668668915,
+        "narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "def994adbdfc28974e87b0e4c949e776207d5557",
+        "rev": "5df9108b346f8a42021bf99e50de89c9caa251c3",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1667160126,
-        "narHash": "sha256-YRgxMHdvMuLsuXCaKs5YNMD6NKgvcATSjfi9YkUOOLk=",
+        "lastModified": 1668897543,
+        "narHash": "sha256-1bjvy5zi/6KDzhN3ihOUEA6y5FFEOf5xvIbf65RWIh0=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "da56c338a2b00c868697b75bdbd388f60d50c820",
+        "rev": "25eec596116553112681d72ee4880107fc3957fa",
         "type": "github"
       },
       "original": {
@@ -69,11 +69,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1667231093,
-        "narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
+        "lastModified": 1668994630,
+        "narHash": "sha256-1lqx6HLyw6fMNX/hXrrETG1vMvZRGm2XVC9O/Jt0T6c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
+        "rev": "af50806f7c6ab40df3e6b239099e8f8385f6c78b",
         "type": "github"
       },
       "original": {
@@ -84,11 +84,11 @@
     },
     "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1667091951,
-        "narHash": "sha256-62sz0fn06Nq8OaeBYrYSR3Y6hUcp8/PC4dJ7HeGaOhU=",
+        "lastModified": 1668908668,
+        "narHash": "sha256-oimCE4rY7Btuo/VYmA8khIyTHSMV7qUWTpz9w8yc9LQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6440d13df2327d2db13d3b17e419784020b71d22",
+        "rev": "b68a6a27adb452879ab66c0eaac0c133e32823b2",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1667254466,
-        "narHash": "sha256-YrMQzDVOo+uz5gg1REj2q/uVhJE3WcpkqGiMzh3Da3o=",
+        "lastModified": 1668984258,
+        "narHash": "sha256-0gDMJ2T3qf58xgcSbYoXiRGUkPWmKyr5C3vcathWhKs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1b4722674c315de0e191d0d79790b4eac51570a1",
+        "rev": "cf63ade6f74bbc9d2a017290f1b2e33e8fbfa70a",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1667102919,
-        "narHash": "sha256-DP5j4TwXe96eZf0PLgYSj1Hdyt7SPUoQ003iNBQSKpQ=",
+        "lastModified": 1668915833,
+        "narHash": "sha256-7VYPiDJZdGct8Nl3kKhg580XZfoRcViO+zUGPkfBsqM=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "448ec3e7eb7c7e4563cc2471db748a71baaf9698",
+        "rev": "f72e050c3ef148b1131a0d2df55385c045e4166b",
         "type": "github"
       },
       "original": {

flake.nix

@@ -45,7 +45,7 @@
     nixpkgsFor = local: target: import (patchedPkgs target) { crossSystem = target; localSystem = local; };
     # evaluate ONLY our overlay, for the provided system
     customPackagesFor = local: target: import ./pkgs/overlay.nix (nixpkgsFor local target) (nixpkgsFor local target);
-    decl-machine = { name, local, target }:
+    decl-host = { name, local, target }:
     let
       nixosSystem = import ((patchedPkgs target) + "/nixos/lib/eval-config.nix");
     in (nixosSystem {
@@ -54,7 +54,7 @@
       specialArgs = { inherit mobile-nixos home-manager impermanence; };
       modules = [
         ./modules
-        (import ./machines/instantiate.nix name)
+        (import ./hosts/instantiate.nix name)
         home-manager.nixosModule
         impermanence.nixosModule
         sops-nix.nixosModules.sops
@@ -69,19 +69,16 @@
               # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
               cross = (nixpkgsFor local target) // (customPackagesFor local target);
               stable = import nixpkgs-stable { system = target; };
-              # pinned packages:
-              electrum = stable.electrum;  # 2022-10-10: build break
-              sequoia = stable.sequoia;    # 2022-10-13: build break
               # cross-compatible packages
-              gocryptfs = cross.gocryptfs;
+              # gocryptfs = cross.gocryptfs;
             })
           ];
         }
       ];
     });
 
-    decl-bootable-machine = { name, local, target }: rec {
-      nixosConfiguration = decl-machine { inherit name local target; };
+    decl-bootable-host = { name, local, target }: rec {
+      nixosConfiguration = decl-host { inherit name local target; };
       # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
       # after building this:
       #   - flash it to a bootable medium (SD card, flash drive, HDD)
@@ -94,22 +91,22 @@
       #   - boot
       #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
       #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
-      #   - `nixos-rebuild --flake './#<machine>' switch`
+      #   - `nixos-rebuild --flake './#<host>' switch`
       img = nixosConfiguration.config.system.build.img;
     };
-    machines.servo = decl-bootable-machine { name = "servo"; local = "aarch64-linux"; target = "aarch64-linux"; };
-    machines.desko = decl-bootable-machine { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    machines.lappy = decl-bootable-machine { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    machines.moby = decl-bootable-machine { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
+    hosts.servo = decl-bootable-host { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.desko = decl-bootable-host { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.lappy = decl-bootable-host { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.moby = decl-bootable-host { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
     # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
     # note that these *do* produce different store paths, because the closure for the tools used to cross compile
     # v.s. emulate differ.
-    # so deploying moby-cross and then moby incurs some rebuilding.
-    machines.moby-cross = decl-bootable-machine { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
-    machines.rescue = decl-bootable-machine { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    # so deploying foo-cross and then foo incurs some rebuilding.
+    hosts.moby-cross = decl-bootable-host { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
+    hosts.rescue = decl-bootable-host { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
   in {
-    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
-    imgs = builtins.mapAttrs (name: value: value.img) machines;
+    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) hosts;
+    imgs = builtins.mapAttrs (name: value: value.img) hosts;
     packages = let
       allPkgsFor = sys: (customPackagesFor sys sys) // {
         nixpkgs = nixpkgsFor sys sys;

hosts/common/default.nix

@@ -1,21 +1,25 @@
 { pkgs, ... }:
-
 {
   imports = [
-    ./allocations.nix
     ./fs.nix
-    ./home-manager
-    ./home-packages.nix
-    ./net.nix
+    ./hardware
     ./machine-id.nix
+    ./net.nix
     ./secrets.nix
     ./ssh.nix
-    ./system-packages.nix
     ./users.nix
     ./vpn.nix
   ];
 
-  time.timeZone = "America/Los_Angeles";
+  sane.home-manager.enable = true;
+  sane.nixcache.enable-trusted-keys = true;
+  sane.packages.enableConsolePkgs = true;
+  sane.packages.enableSystemPkgs = true;
+
+  nixpkgs.config.allowUnfree = true;
+
+  # time.timeZone = "America/Los_Angeles";
+  time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
 
   # allow `nix flake ...` command
   nix.extraOptions = ''
@@ -35,6 +39,9 @@
     };
   };
 
+  # disable non-required packages like nano, perl, rsync, strace
+  environment.defaultPackages = [];
+
   # programs.vim.defaultEditor = true;
   environment.variables = {
     EDITOR = "vim";
@@ -54,6 +61,10 @@
     gocryptfs
   ];
 
+  # link debug symbols into /run/current-system/sw/lib/debug
+  # hopefully picked up by gdb automatically?
+  environment.enableDebugInfo = true;
+
   security.pam.mount.enable = true;
   # security.pam.mount.debugLevel = 1;
   # security.pam.enableSSHAgentAuth = true; # ??
@@ -61,4 +72,3 @@
   # or i guess going through mount.fuse sets suid so that's not necessary?
   # programs.fuse.userAllowOther = true;
 }
-

hosts/common/fs.nix

@@ -19,11 +19,17 @@ let sshOpts = rec {
 
   optionsRoot = optionsBase ++ [
     # we don't transform_symlinks because that breaks the validity of remote /nix stores
-    "sftp_server=/run/wrappers/bin/sudo\\040${pkgs.openssh}/libexec/sftp-server"
+    "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
   ];
 };
 in
 {
+  environment.pathsToLink = [
+    # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
+    # we can only link whole directories here, even though we're only interested in pkgs.openssh
+    "/libexec"
+  ];
+
   fileSystems."/mnt/servo-media-wan" = {
     device = "colin@uninsane.org:/var/lib/uninsane/media";
     inherit (sshOpts) fsType;

hosts/common/hardware/x86_64.nix

@@ -2,7 +2,7 @@
 
 with lib;
 {
-  config = mkIf (pkgs.system == "x86_64-linux") { 
+  config = mkIf (pkgs.system == "x86_64-linux") {
     boot.initrd.availableKernelModules = [
       "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
       "usb_storage"   # rpi needed this to boot from usb storage, i think.

hosts/common/secrets.nix

@@ -16,7 +16,7 @@
   #   add the result to .sops.yaml
   #   since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
   #
-  # for each machine you want to decrypt secrets:
+  # for each host you want to decrypt secrets:
   #   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   #   add the result to .sops.yaml
   #   $ sops updatekeys secrets/example.yaml
@@ -32,7 +32,7 @@
   # This will add secrets.yaml to the nix store
   # You can avoid this by adding a string to the full path instead, i.e.
   # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ./../../secrets/universal.yaml;
+  sops.defaultSopsFile = ../../secrets/universal.yaml;
   # This will automatically import SSH keys as age keys
   sops.age.sshKeyPaths = [
     "/etc/ssh/host_keys/ssh_host_ed25519_key"

hosts/common/users.nix

@@ -50,7 +50,7 @@ in
       passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
 
       shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = builtins.attrValues (import ./pubkeys.nix).users;
+      openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
 
       pamMount = {
         # mount encrypted stuff at login

hosts/desko/default.nix

@@ -4,7 +4,7 @@
     ./fs.nix
   ];
 
-  # sane.home-packages.enableDevPkgs = true;
+  # sane.packages.enableDevPkgs = true;
 
   sane.gui.sway.enable = true;
   sane.services.duplicity.enable = true;

hosts/instantiate.nix

@@ -0,0 +1,10 @@
+# trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
+
+hostName: { ... }: {
+  imports = [
+    ./${hostName}
+    ./common
+  ];
+
+  networking.hostName = hostName;
+}

hosts/lappy/default.nix

@@ -4,7 +4,7 @@
     ./fs.nix
   ];
 
-  # sane.home-packages.enableDevPkgs = true;
+  # sane.packages.enableDevPkgs = true;
 
   # sane.users.guest.enable = true;
   sane.gui.sway.enable = true;

hosts/moby/default.nix

@@ -28,8 +28,8 @@
     config.sane.web-browser.dotDir
   ];
 
-  # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
-  sane.home-manager.extraPackages = [
+  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
+  sane.packages.extraUserPkgs = [
     pkgs.plasma5Packages.konsole  # terminal
   ];
 

hosts/servo/default.nix

@@ -3,27 +3,23 @@
 {
   imports = [
     ./fs.nix
-    ./hardware.nix
     ./net.nix
     ./users.nix
     ./services
   ];
 
-  sane.home-manager.extraPackages = [
+  sane.packages.extraUserPkgs = [
     # for administering services
     pkgs.matrix-synapse
     pkgs.freshrss
-    pkgs.goaccess
   ];
   sane.impermanence.enable = true;
-  sane.services.duplicity.enable = true;
+  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
   sane.services.nixserve.enable = true;
+  sane.services.nixserve.sopsFile = ../../secrets/servo.yaml;
 
-  # TODO: look into the EFI stuff
-  boot.loader.grub.enable = false;
-  boot.loader.generic-extlinux-compatible.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
-  sane.image.extraBootFiles = [ pkgs.bootpart-u-boot-rpi-aarch64 ];
+  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sops.secrets.duplicity_passphrase = {
     sopsFile = ../../secrets/servo.yaml;
@@ -32,7 +28,7 @@
   # both transmission and ipfs try to set different net defaults.
   # we just use the most aggressive of the two here:
   boot.kernel.sysctl = {
-    "net.core.rmem_max" = "4194304";  # 4MB
+    "net.core.rmem_max" = 4194304;  # 4MB
   };
 
   # This value determines the NixOS release from which the default
@@ -41,6 +37,6 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "21.11";
 }
 

hosts/servo/fs.nix

@@ -0,0 +1,98 @@
+{ ... }:
+
+{
+  # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=755"
+      "size=1G"
+      "defaults"
+    ];
+  };
+  # we need a /tmp for building large nix things
+  fileSystems."/tmp" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=777"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/cc81cca0-3cc7-4d82-a00c-6243af3e7776";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/6EE3-4171";
+    fsType = "vfat";
+  };
+
+  # slow, external storage (for archiving, etc)
+  fileSystems."/nix/persist/ext" = {
+    device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  sane.impermanence.service-dirs = [
+    # TODO: this is overly broad; only need media and share directories to be persisted
+    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
+  ];
+  # direct these media directories to external storage
+  environment.persistence."/nix/persist/ext/persist" = {
+    directories = [
+      ({
+        user = "colin";
+        group = "users";
+        mode = "0777";
+        directory = "/var/lib/uninsane/media/Videos";
+      })
+      ({
+        user = "colin";
+        group = "users";
+        mode = "0777";
+        directory = "/var/lib/uninsane/media/freeleech";
+      })
+    ];
+  };
+
+  # in-memory compressed RAM (seems to be dynamically sized)
+  # zramSwap = {
+  #   enable = true;
+  # };
+
+  # btrfs doesn't easily support swapfiles
+  # swapDevices = [
+  #   { device = "/nix/persist/swapfile"; size = 4096; }
+  # ];
+
+  # this can be a partition. create with:
+  #   fdisk <dev>
+  #     n
+  #     <default partno>
+  #     <start>
+  #     <end>
+  #     t
+  #     <partno>
+  #     19  # set part type to Linux swap
+  #     w   # write changes
+  #   mkswap -L swap <part>
+  # swapDevices = [
+  #   {
+  #     label = "swap";
+  #     # TODO: randomEncryption.enable = true;
+  #   }
+  # ];
+}
+

hosts/servo/net.nix

@@ -13,6 +13,7 @@
 
   # networking.firewall.enable = false;
   networking.firewall.enable = true;
+  # TODO: split these into the submodules
   networking.firewall.allowedTCPPorts = [
     25   # SMTP
     80   # HTTP

hosts/servo/services/default.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./ddns-he.nix
+    ./ejabberd.nix
     ./freshrss.nix
     ./gitea.nix
     ./goaccess.nix
@@ -14,6 +15,7 @@
     ./pleroma.nix
     ./postfix.nix
     ./postgres.nix
+    ./prosody.nix
     ./transmission.nix
   ];
 }

hosts/servo/services/ejabberd.nix

@@ -0,0 +1,48 @@
+# docs:
+# - <https://docs.ejabberd.im/admin/configuration/basic>
+{ lib, ... }:
+
+# XXX disabled: fails to start because of `mnesia_tm` dependency
+# lib.mkIf false
+{
+  sane.impermanence.service-dirs = [
+    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    5222  # XMPP client -> server
+    5269  # XMPP server -> server
+  ];
+
+  # provide access to certs
+  users.users.ejabberd.extraGroups = [ "nginx" ];
+
+  # TODO: allocate UIDs/GIDs ?
+  services.ejabberd.enable = true;
+  services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
+    hosts:
+      - uninsane.org
+
+    # none | emergency | alert | critical | error | warning | notice | info | debug
+    loglevel: debug
+
+    acme:
+      auto: false
+    certfiles:
+      - /var/lib/acme/uninsane.org/fullchain.pem
+      - /var/lib/acme/uninsane.org/key.pem
+
+    pam_userinfotype: jid
+
+    # see: <https://docs.ejabberd.im/admin/configuration/listen/>
+    # TODO: host web admin panel
+    listen:
+      -
+        port: 5222
+        module: ejabberd_c2s
+        starttls: true
+      -
+        port: 5269
+        module: ejabberd_s2s_in
+        starttls: true
+  '';
+}

hosts/servo/services/freshrss.nix

@@ -30,7 +30,7 @@
   systemd.services.freshrss-import-feeds =
   let
     fresh = config.systemd.services.freshrss-config;
-    feeds = import ../../../modules/universal/home-manager/feeds.nix { inherit lib; };
+    feeds = import ../../../modules/home-manager/feeds.nix { inherit lib; };
     opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
   in {
     inherit (fresh) wantedBy environment;
@@ -45,4 +45,8 @@
       ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
     '';
   };
+
+  # the default ("*:0/5") is to run every 5 minutes.
+  # `systemctl list-timers` to show
+  systemd.services.freshrss-updater.startAt = lib.mkForce "*:3/30";
 }

hosts/servo/services/goaccess.nix

@@ -14,6 +14,7 @@
           -f /var/log/nginx/public.log \
           --log-format=VCOMBINED \
           --real-time-html \
+          --html-refresh=30 \
           --no-query-string \
           --anonymize-ip \
           --ignore-panel=HOSTS \

hosts/servo/services/ipfs.nix

@@ -14,18 +14,18 @@
   ];
   # services.ipfs.enable = true;
   services.kubo.localDiscovery = true;
-  services.kubo.swarmAddress = [
-    # "/dns4/ipfs.uninsane.org/tcp/4001"
-    # "/ip4/0.0.0.0/tcp/4001"
-    "/dns4/ipfs.uninsane.org/udp/4001/quic"
-    "/ip4/0.0.0.0/udp/4001/quic"
-  ];
-  services.kubo.extraConfig = {
+  services.kubo.settings = {
     Addresses = {
       Announce = [
         # "/dns4/ipfs.uninsane.org/tcp/4001"
         "/dns4/ipfs.uninsane.org/udp/4001/quic"
       ];
+      Swarm = [
+        # "/dns4/ipfs.uninsane.org/tcp/4001"
+        # "/ip4/0.0.0.0/tcp/4001"
+        "/dns4/ipfs.uninsane.org/udp/4001/quic"
+        "/ip4/0.0.0.0/udp/4001/quic"
+      ];
     };
     Gateway = {
       # the gateway can only be used to serve content already replicated on this host

hosts/servo/services/nginx.nix

@@ -8,9 +8,16 @@ let
       access_log /var/log/nginx/public.log vcombined;
     '';
   };
+
+  kTLS = true;  # in-kernel TLS for better perf
 in
 {
   services.nginx.enable = true;
+  services.nginx.appendConfig = ''
+    # use 1 process per core.
+    # may want to increase worker_connections too, but `ulimit -n` must be increased first.
+    worker_processes auto;
+  '';
 
   # this is the standard `combined` log format, with the addition of $host
   # so that we have the virtualHost in the log.
@@ -21,6 +28,13 @@ in
     log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
     access_log /var/log/nginx/private.log vcombined;
   '';
+  # sets gzip_comp_level = 5
+  services.nginx.recommendedGzipSettings = true;
+  # enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
+  # caches TLS sessions for 10m
+  services.nginx.recommendedTlsSettings = true;
+  # enables sendfile, tcp_nopush, tcp_nodelay, keepalive_timeout 65
+  services.nginx.recommendedOptimisation = true;
 
   # web blog/personal site
   services.nginx.virtualHosts."uninsane.org" = publog {
@@ -30,6 +44,7 @@ in
     # and things don't look right. so force SSL.
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
     # yes, nginx does not strip the prefix when evaluating against the root.
@@ -79,6 +94,7 @@ in
   services.nginx.virtualHosts."sink.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     root = "/var/lib/uninsane/sink";
 
     locations."/ws" = {
@@ -97,8 +113,9 @@ in
 
   # Pleroma server and web interface
   services.nginx.virtualHosts."fed.uninsane.org" = publog {
-    addSSL = true;
+    forceSSL = true;  # pleroma redirects to https anyway
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       proxyPass = "http://127.0.0.1:4000";
       # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
@@ -140,6 +157,7 @@ in
     # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9091";
       proxyPass = "http://10.0.1.6:9091";
@@ -150,6 +168,7 @@ in
   services.nginx.virtualHosts."jackett.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9117";
       proxyPass = "http://10.0.1.6:9117";
@@ -160,6 +179,7 @@ in
   services.nginx.virtualHosts."matrix.uninsane.org" = publog {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     # TODO colin: replace this with something helpful to the viewer
     # locations."/".extraConfig = ''
@@ -186,6 +206,7 @@ in
   services.nginx.virtualHosts."web.matrix.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     root = pkgs.element-web.override {
       conf = {
@@ -199,8 +220,9 @@ in
 
   # hosted git (web view and for `git <cmd>` use
   services.nginx.virtualHosts."git.uninsane.org" = publog {
-    addSSL = true;
+    forceSSL = true;  # gitea complains if served over a different protocol than its config file says
     enableACME = true;
+    inherit kTLS;
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:3000";
@@ -212,6 +234,7 @@ in
   services.nginx.virtualHosts."jelly.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:8096";
@@ -258,12 +281,14 @@ in
   services.nginx.virtualHosts."music.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/".proxyPass = "http://127.0.0.1:4533";
   };
 
   services.nginx.virtualHosts."rss.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     # the routing is handled by freshrss.nix
   };
 
@@ -272,6 +297,7 @@ in
     # ideally we'd disable ssl entirely, but some places assume it?
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     default = true;
 
@@ -297,6 +323,7 @@ in
   services.nginx.virtualHosts."nixcache.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     # serverAliases = [ "nixcache" ];
     locations."/".extraConfig = ''
       proxy_pass http://localhost:${toString config.services.nix-serve.port};
@@ -314,7 +341,5 @@ in
   sane.impermanence.service-dirs = [
     # TODO: mode?
     { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
-    # TODO: this is overly broad; only need media and share directories to be persisted
-    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
   ];
 }

hosts/servo/services/pleroma.nix

@@ -1,4 +1,6 @@
-# docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+# docs:
+# - https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+# - https://docs.pleroma.social/backend/configuration/cheatsheet/
 #
 # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
 { config, pkgs, ... }:
@@ -48,16 +50,19 @@
       redirect_on_failure: true
       #base_url: "https://cache.pleroma.social"
 
+    # see for reference:
+    # - `force_custom_plan`: <https://docs.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans>
     config :pleroma, Pleroma.Repo,
       adapter: Ecto.Adapters.Postgres,
       username: "pleroma",
       database: "pleroma",
       hostname: "localhost",
       pool_size: 10,
-      prepare: :named,
       parameters: [
           plan_cache_mode: "force_custom_plan"
       ]
+    # XXX: prepare: :named is needed only for PG <= 12
+    #   prepare: :named,
     #   password: "{secrets.pleroma.db_password}",
 
     # Configure web push notifications
@@ -110,9 +115,9 @@
 
   systemd.services.pleroma.path = [ 
     # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
-    pkgs.bash 
+    pkgs.bash
     # used by Pleroma to strip geo tags from uploads
-    pkgs.exiftool 
+    pkgs.exiftool
     # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
     pkgs.gawk
     # needed for email operations like password reset

hosts/servo/services/postgres.nix

@@ -17,6 +17,11 @@
   #     LC_CTYPE = "C";
   # '';
 
+  # TODO: perf tuning
+  # - for recommended values see: <https://pgtune.leopard.in.ua/>
+  # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
+  # services.postgresql.settings = { ... }
+
   # daily backups to /var/backup
   services.postgresqlBackup.enable = true;
 

hosts/servo/services/prosody.nix

@@ -0,0 +1,62 @@
+# create users with:
+# - `sudo -u prosody prosodyctl adduser colin@uninsane.org`
+
+{ lib, ... }:
+
+# XXX disabled: doesn't send messages to nixnet.social (only receives them).
+# nixnet runs ejabberd, so revisiting that.
+lib.mkIf false
+{
+  sane.impermanence.service-dirs = [
+    { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    5222  # XMPP client -> server
+    5269  # XMPP server -> server
+    5280  # Prosody HTTP port  (necessary?)
+    5281  # Prosody HTTPS port  (necessary?)
+  ];
+
+  # provide access to certs
+  users.users.prosody.extraGroups = [ "nginx" ];
+
+  security.acme.certs."uninsane.org".extraDomainNames = [
+    "conference.xmpp.uninsane.org"
+    "upload.xmpp.uninsane.org"
+  ];
+
+  services.prosody = {
+    enable = true;
+    admins = [ "colin@uninsane.org" ];
+    # allowRegistration = false;
+    # extraConfig = ''
+    #   s2s_require_encryption = true
+    #   c2s_require_encryption = true
+    # '';
+
+    # extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
+
+    ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
+    ssl.key = "/var/lib/acme/uninsane.org/key.pem";
+
+    muc = [
+      {
+        domain = "conference.xmpp.uninsane.org";
+      }
+    ];
+    uploadHttp.domain = "upload.xmpp.uninsane.org";
+
+    virtualHosts = {
+      localhost = {
+        domain = "localhost";
+        enabled = true;
+      };
+      "uninsane.org" = {
+        domain = "uninsane.org";
+        enabled = true;
+        ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
+        ssl.key = "/var/lib/acme/uninsane.org/key.pem";
+      }; 
+    };
+  };
+}

machines/instantiate.nix

@@ -1,11 +0,0 @@
-# trampoline from flake.nix into the specific machine definition, while doing a tiny bit of common setup
-
-hostName: { ... }: {
-  imports = [
-    ./${hostName}
-  ];
-
-  networking.hostName = hostName;
-
-  nixpkgs.config.allowUnfree = true;
-}

machines/servo/fs.nix

@@ -1,69 +0,0 @@
-{ ... }:
-
-{
-  # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
-  fileSystems."/" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=755"
-      "size=1G"
-      "defaults"
-    ];
-  };
-  # we need a /tmp for building large nix things
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "size=40G"
-      "mode=777"
-      "defaults"
-    ];
-  };
-
-  fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
-    fsType = "btrfs";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/31D3-40CB";
-    fsType = "vfat";
-  };
-
-
-  # fileSystems."/var/lib/pleroma" = {
-  #   device = "/opt/pleroma";
-  #   options = [ "bind" ];
-  # };
-
-  # in-memory compressed RAM (seems to be dynamically sized)
-  zramSwap = {
-    enable = true;
-  };
-
-  # btrfs doesn't easily support swapfiles
-  # swapDevices = [
-  #   { device = "/nix/persist/swapfile"; size = 4096; }
-  # ];
-
-  # this can be a partition. create with:
-  #   fdisk <dev>
-  #     n
-  #     <default partno>
-  #     <start>
-  #     <end>
-  #     t
-  #     <partno>
-  #     19  # set part type to Linux swap
-  #     w   # write changes
-  #   mkswap -L swap <part>
-  swapDevices = [
-    {
-      label = "swap";
-      # TODO: randomEncryption.enable = true;
-    }
-  ];
-}
-

machines/servo/hardware.nix

@@ -1,75 +0,0 @@
-# this file originates from ‘nixos-generate-config’
-# but has been heavily modified
-{ pkgs, ... }:
-
-{
-  # i changed this becuse linux 5.10 didn't have rpi-400 device tree blob.
-  # nixos-22.05 linux 5.15 DOES have these now.
-  # it should be possible to remove this if desired, but i'm not sure how the rpi-specific kernel differs.
-  # see: https://github.com/raspberrypi/linux
-  boot.kernelPackages = pkgs.linuxPackages_rpi4;
-
-  # raspberryPi boot loader creates extlinux.conf.
-  #   otherwise, enable the generic-extlinux-compatible loader below.
-  # note: THESE ARE MUTUALLY EXCLUSIVE. generic-extlinux-compatible causes uboot to not be built
-
-  boot.initrd.availableKernelModules = [
-    "bcm2711_thermal"
-    "bcm_phy_lib"
-    "brcmfmac"
-    "brcmutil"
-    "broadcom"
-    "clk_raspberrypi"
-    "drm"  # Direct Render Manager
-    "enclosure"  # SCSI ?
-    "fuse"
-    "mdio_bcm_unimac"
-    "pcie_brcmstb"
-    "raspberrypi_cpufreq"
-    "raspberrypi_hwmon"
-    "ses"  # SCSI Enclosure Services
-    "uas"  # USB attached storage
-    "uio"  # userspace IO
-    "uio_pdrv_genirq"
-    "xhci_pci"
-    "xhci_pci_renesas"
-  ];
-  # boot.initrd.compressor = "gzip";  # defaults to zstd
-
-  # ondemand power scaling keeps the cpu at low frequency when idle, and sets to max frequency
-  # when load is detected. (v.s. the "performance" default, which always uses the max frequency)
-  powerManagement.cpuFreqGovernor = "ondemand";
-
-  # XXX colin: this allows one to `systemctl halt` and then not remove power until the HDD has spun down.
-  # however, it doesn't work with reboot because systemd will spin the drive up again to read its reboot bin.
-  # a better solution would be to put the drive behind a powered USB hub (or get a SSD).
-  # systemd.services.diskguard = {
-  #   description = "Safely power off spinning media";
-  #   before = [ "shutdown.target" ];
-  #   wantedBy = [ "sysinit.target" ];
-  #   # old (creates dep loop, but works)
-  #   # before = [ "systemd-remount-fs.service" "shutdown.target" ];
-  #   # wantedBy = [ "systemd-remount-fs.service" ];
-  #   serviceConfig = {
-  #     Type = "oneshot";
-  #     RemainAfterExit = true;
-  #     ExecStart = "${pkgs.coreutils}/bin/true";
-  #     ExecStop = with pkgs; writeScript "diskguard" ''
-  #       #!${bash}/bin/bash
-  #       if ${procps}/bin/pgrep nixos-rebuild ;
-  #       then
-  #         exit 0  # don't halt drives unless we're actually shutting down. maybe better way to do this (check script args?)
-  #       fi
-  #       # ${coreutils}/bin/sync
-  #       # ${util-linux}/bin/mount -o remount,ro /nix/store
-  #       # ${util-linux}/bin/mount -o remount,ro /
-  #       # -S 1 retracts the spindle after 5 seconds of idle
-  #       # -B 1 spins down the drive after <vendor specific duration>
-  #       ${hdparm}/sbin/hdparm -S 1 -B 1 /dev/sda
-  #       # TODO: monitor smartmonctl until disk is idle? or try hdparm -Y
-  #       # ${coreutils}/bin/sleep 20
-  #       # exec ${util-linux}/bin/umount --all -t ext4,vfat,ext2
-  #     '';
-  #   };
-  # };
-}

modules/allocations.nix

@@ -29,7 +29,7 @@ in
     sane.allocations.colin-uid = mkId 1000;
     sane.allocations.guest-uid = mkId 1100;
 
-    # found on all machines
+    # found on all hosts
     sane.allocations.sshd-uid = mkId 2001;  # 997
     sane.allocations.sshd-gid = mkId 2001;  # 997
     sane.allocations.polkituser-gid = mkId 2002;  # 998
@@ -39,15 +39,15 @@ in
     sane.allocations.systemd-oom-uid = mkId 2005;
     sane.allocations.systemd-oom-gid = mkId 2005;
 
-    # found on graphical machines
+    # found on graphical hosts
     sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
 
-    # found on desko machine
+    # found on desko host
     sane.allocations.usbmux-uid = mkId 2204;
     sane.allocations.usbmux-gid = mkId 2204;
 
 
-    # originally found on moby machine
+    # originally found on moby host
     sane.allocations.avahi-uid = mkId 2304;
     sane.allocations.avahi-gid = mkId 2304;
     sane.allocations.colord-uid = mkId 2305;

modules/default.nix

@@ -2,12 +2,13 @@
 
 {
   imports = [
+    ./allocations.nix
     ./gui
-    ./hardware
+    ./home-manager
+    ./packages.nix
     ./image.nix
     ./impermanence.nix
     ./nixcache.nix
     ./services
-    ./universal
   ];
 }

modules/gui/default.nix

@@ -8,6 +8,7 @@ in
   imports = [
     ./gnome.nix
     ./phosh.nix
+    ./plasma.nix
     ./plasma-mobile.nix
     ./sway.nix
   ];
@@ -21,7 +22,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    sane.home-packages.enableGuiPkgs = lib.mkDefault true;
+    sane.packages.enableGuiPkgs = lib.mkDefault true;
     # all GUIs use network manager?
     users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
   };

modules/gui/phosh.nix

@@ -69,7 +69,7 @@ in
         NIXOS_OZONE_WL = "1";
       };
 
-      sane.home-manager.extraPackages = with pkgs; [
+      sane.packages.extraUserPkgs = with pkgs; [
         phosh-mobile-settings
 
         # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work

modules/gui/plasma.nix

@@ -0,0 +1,28 @@
+{ lib, config, ... }:
+
+with lib;
+let
+  cfg = config.sane.gui.plasma;
+in
+{
+  options = {
+    sane.gui.plasma.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sane.gui.enable = true;
+
+    # start plasma on boot
+    services.xserver.enable = true;
+    services.xserver.desktopManager.plasma5.enable = true;
+    services.xserver.displayManager.sddm.enable = true;
+
+    # gnome does networking stuff with networkmanager
+    networking.useDHCP = false;
+    networking.networkmanager.enable = true;
+    networking.wireless.enable = lib.mkForce false;
+  };
+}

modules/gui/sway.nix

@@ -597,7 +597,7 @@ in
       #   }
       # '';
     };
-    sane.home-manager.extraPackages = with pkgs; [
+    sane.packages.extraUserPkgs = with pkgs; [
       swaylock
       swayidle  # (unused)
       wl-clipboard

modules/home-manager/aerc.nix

@@ -1,9 +1,11 @@
 # Terminal UI mail client
-{ config, ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   sops.secrets."aerc_accounts" = {
     owner = config.users.users.colin.name;
-    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
+    sopsFile = ../../secrets/universal/aerc_accounts.conf;
     format = "binary";
   };
   home-manager.users.colin = let sysconfig = config; in { config, ... }: {

modules/home-manager/default.nix

@@ -9,9 +9,9 @@
 with lib;
 let
   cfg = config.sane.home-manager;
-  # extract package from `extraPackages`
+  # extract package from `sane.packages.enabledUserPkgs`
   pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
-  # extract `dir` from `extraPackages`
+  # extract `dir` from `sane.packages.enabledUserPkgs`
   dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
   private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
   feeds = import ./feeds.nix { inherit lib; };
@@ -33,14 +33,10 @@ in
   ];
 
   options = {
-    # packages to deploy to the user's home
-    sane.home-manager.extraPackages = mkOption {
-      default = [ ];
-      # each entry can be either a package, or attrs:
-      #   { pkg = package; dir = optional string;
-      type = types.listOf (types.either types.package types.attrs);
+    sane.home-manager.enable = mkOption {
+      default = false;
+      type = types.bool;
     };
-
     # attributes to copy directly to home-manager's `wayland.windowManager` option
     sane.home-manager.windowManager = mkOption {
       default = {};
@@ -54,7 +50,7 @@ in
     };
   };
 
-  config = {
+  config = lib.mkIf cfg.enable {
     sane.impermanence.home-dirs = [
       "archive"
       "dev"
@@ -65,7 +61,7 @@ in
       "Music"
       "Pictures"
       "Videos"
-    ] ++ (dir-list cfg.extraPackages);
+    ] ++ (dir-list config.sane.packages.enabledUserPkgs);
 
     home-manager.useGlobalPkgs = true;
     home-manager.useUserPackages = true;
@@ -79,7 +75,7 @@ in
       manual.html.enable = false;  # TODO: set to true later (build failure)
       manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
 
-      home.packages = pkg-list cfg.extraPackages;
+      home.packages = pkg-list sysconfig.sane.packages.enabledUserPkgs;
       wayland.windowManager = cfg.windowManager;
 
       home.stateVersion = "21.11";
@@ -90,7 +86,7 @@ in
         initKeyring = {
           after = ["writeBoundary"];
           before = [];
-          data = "${../../../scripts/init-keyring}";
+          data = "${../../scripts/init-keyring}";
         };
       };
 
@@ -101,7 +97,7 @@ in
             name = path;
             value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
           })
-          (private-list cfg.extraPackages)
+          (private-list sysconfig.sane.packages.enabledUserPkgs)
         );
       in {
         # convenience
@@ -165,6 +161,18 @@ in
         "audio/x-vorbis+ogg" = [ audio ];
       };
 
+      # libreoffice: disable first-run stuff
+      xdg.configFile."libreoffice/4/user/registrymodifications.xcu".text = ''
+        <?xml version="1.0" encoding="UTF-8"?>
+        <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+          <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
+          <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
+        </oor:items>
+      '';
+      # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
+      # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+
+
 
       xdg.configFile."gpodderFeeds.opml".text = with feeds;
         feedsToOpml feeds.podcasts;

modules/home-manager/discord.nix

@@ -1,4 +1,6 @@
-{ ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   # TODO: this should only be enabled on gui devices
   # make Discord usable even when client is "outdated"

modules/home-manager/feeds.nix

@@ -61,6 +61,8 @@ in rec {
     (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
     ## 60 minutes (NB: this features more than *just* audio?)
     (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
+    ## The Verge - Decoder
+    (mkPod "https://feeds.megaphone.fm/recodedecode" // tech // weekly)
   ];
 
   texts = [
@@ -94,6 +96,7 @@ in rec {
     (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
     (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
+    (mkText "https://www.jefftk.com/news.rss" // tech // daily)
 
     # (TECH; POL) COMMENTATORS
     (mkSubstack "edwardsnowden" // pol // infrequent)

modules/home-manager/firefox.nix

@@ -102,7 +102,7 @@ in
       type = types.attrs;
     };
   };
-  config = {
+  config = lib.mkIf config.sane.home-manager.enable {
     # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
     home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
       programs.firefox = {

modules/home-manager/git.nix

@@ -1,4 +1,6 @@
-{ pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin.programs.git = {
     enable = true;

modules/home-manager/kitty.nix

@@ -1,4 +1,6 @@
-{ ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin.programs.kitty = {
     enable = true;

modules/home-manager/mpv.nix

@@ -1,4 +1,6 @@
-{ ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin.programs.mpv = {
     enable = true;

modules/home-manager/nb.nix

@@ -8,9 +8,12 @@
 # it offers a primitive web-server
 # and it offers some CLI query tools
 
-{ lib, pkgs, ... }: lib.mkIf false  # XXX disabled!
+{ config, lib, pkgs, ... }:
+
+# lib.mkIf config.sane.home-manager.enable
+lib.mkIf false # XXX disabled!
 {
-  sane.home-manager.extraPackages = [ pkgs.nb ];
+  sane.packages.extraUserPkgs = [ pkgs.nb ];
 
   home-manager.users.colin = { config, ... }: {
     # nb markdown/personal knowledge manager

modules/home-manager/neovim.nix

@@ -1,4 +1,6 @@
-{ pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
 

modules/home-manager/ssh.nix

@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin = let
     host = config.networking.hostName;

modules/home-manager/sublime-music.nix

@@ -1,9 +1,11 @@
-{ config, ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   # TODO: this should only be shipped on gui platforms
   sops.secrets."sublime_music_config" = {
     owner = config.users.users.colin.name;
-    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
+    sopsFile = ../../secrets/universal/sublime_music_config.json.bin;
     format = "binary";
   };
   home-manager.users.colin = let sysconfig = config; in { config, ... }: {

modules/home-manager/vlc.nix

@@ -1,4 +1,6 @@
-{ lib, ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
   let

modules/home-manager/zsh.nix

@@ -1,4 +1,6 @@
-{ ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   # we don't need to full zsh dir -- just the history file --
   # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.

modules/image.nix

@@ -6,6 +6,11 @@ let
 in
 {
   options = {
+    sane.image.enable = mkOption {
+      default = true;
+      type = types.bool;
+      description = "whether to enable image targets. this doesn't mean they'll be built unless you specifically reference the target.";
+    };
     # packages whose contents should be copied directly into the /boot partition.
     # e.g. EFI loaders, u-boot bootloader, etc.
     sane.image.extraBootFiles = mkOption {

modules/nixcache.nix

@@ -20,22 +20,28 @@ in
       default = false;
       type = types.bool;
     };
-  };
-
-  config = mkIf cfg.enable {
-    # use our own binary cache
-    nix.settings = {
-      substituters = [
-        "https://nixcache.uninsane.org"
-        "http://desko:5000"
-        "https://nix-community.cachix.org"
-        "https://cache.nixos.org/"
-      ];
-      trusted-public-keys = [
-        "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
-        "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      ];
+    sane.nixcache.enable-trusted-keys = mkOption {
+      default = config.sane.nixcache.enable;
+      type = types.bool;
     };
   };
+
+  config = {
+    # use our own binary cache
+    # to explicitly build from a specific cache (in case others are down):
+    # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
+    # - `nix build ... --substituters http://desko:5000`
+    nix.settings.substituters = mkIf cfg.enable [
+      "https://nixcache.uninsane.org"
+      "http://desko:5000"
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+    ];
+    # always trust our keys (so one can explicitly use a substituter even if it's not the default
+    nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
+      "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
+      "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
 }

modules/packages.nix

@@ -3,11 +3,15 @@
 with lib;
 with pkgs;
 let
-  cfg = config.sane.home-packages;
-  universalPkgs = [
+  cfg = config.sane.packages;
+  consolePkgs = [
     backblaze-b2
     cdrtools
+    dmidecode
     duplicity
+    efivar
+    flashrom
+    fwupd
     gnupg
     gocryptfs
     gopass
@@ -19,6 +23,7 @@ let
     lm_sensors  # for sensors-detect
     lshw
     ffmpeg
+    memtester
     networkmanager
     nixpkgs-review
     # nixos-generators
@@ -28,6 +33,7 @@ let
     # ponymix
     pulsemixer
     python3
+    rsync
     # python3Packages.eyeD3  # music tagging
     sane-scripts
     sequoia
@@ -53,12 +59,15 @@ let
     celluloid  # mpv frontend
     chromium
     clinfo
+    { pkg = dino; private = ".local/share/dino"; }
     electrum
 
     # creds/session keys, etc
     { pkg = element-desktop; private = ".config/Element"; }
-
-    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    # `emote` will show a first-run dialog based on what's in this directory.
+    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    { pkg = emote; dir = ".local/share/Emote"; }
     evince  # works on phosh
 
     # { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
@@ -90,6 +99,7 @@ let
     handbrake
     inkscape
 
+    kdenlive
     kid3  # audio tagging
     krita
     libreoffice-fresh  # XXX colin: maybe don't want this on mobile
@@ -107,8 +117,11 @@ let
     { pkg = obsidian; dir = ".config/obsidian"; }
 
     pavucontrol
-    picard  # music tagging
+    # picard  # music tagging
     playerctl
+
+    libsForQt5.plasmatube  # Youtube player
+
     soundconverter
     # sublime music persists any downloaded albums here.
     # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
@@ -117,6 +130,8 @@ let
     { pkg = sublime-music; dir = ".local/share/sublime-music"; }
     tdesktop  # broken on phosh
 
+    { pkg = tokodon; dir = ".cache/KDE/tokodon"; }
+
     # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
     { pkg = vlc; dir = ".config/vlc"; }
 
@@ -155,9 +170,44 @@ let
     (tor-browser-bundle-bin.override { useHardenedMalloc = false; })
 
     # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-    { pkg = zecwallet-lite; dir = ".zcash"; }
+    { pkg = zecwallet-lite; private = ".zcash"; }
   ] else []);
 
+  # general-purpose utilities that we want any user to be able to access
+  #   (specifically: root, in case of rescue)
+  systemPkgs = [
+    btrfs-progs
+    cryptsetup
+    dig
+    efibootmgr
+    fatresize
+    fd
+    file
+    gptfdisk
+    hdparm
+    htop
+    iftop
+    inetutils  # for telnet
+    iotop
+    iptables
+    jq
+    killall
+    lsof
+    netcat
+    nethogs
+    nmap
+    openssl
+    parted
+    pciutils
+    powertop
+    ripgrep
+    screen
+    smartmontools
+    socat
+    usbutils
+    wget
+  ];
+
   # useful devtools:
   devPkgs = [
     bison
@@ -176,11 +226,22 @@ let
 in
 {
   options = {
-    sane.home-packages.enableGuiPkgs = mkOption {
+    # packages to deploy to the user's home
+    sane.packages.extraUserPkgs = mkOption {
+      default = [ ];
+      # each entry can be either a package, or attrs:
+      #   { pkg = package; dir = optional string; private = optional string };
+      type = types.listOf (types.either types.package types.attrs);
+    };
+    sane.packages.enableConsolePkgs = mkOption {
       default = false;
       type = types.bool;
     };
-    sane.home-packages.enableDevPkgs = mkOption {
+    sane.packages.enableGuiPkgs = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableDevPkgs = mkOption {
       description = ''
         enable packages that are useful for building other software by hand.
         you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
@@ -188,10 +249,24 @@ in
       default = false;
       type = types.bool;
     };
+    sane.packages.enableSystemPkgs = mkOption {
+      default = false;
+      type = types.bool;
+      description = "enable system-wide packages";
+    };
+
+    sane.packages.enabledUserPkgs = mkOption {
+      default = cfg.extraUserPkgs
+        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
+        ++ (if cfg.enableGuiPkgs then guiPkgs else [])
+        ++ (if cfg.enableDevPkgs then devPkgs else [])
+      ;
+      type = types.listOf (types.either types.package types.attrs);
+      description = "generated from other config options";
+    };
   };
+
   config = {
-    sane.home-manager.extraPackages = universalPkgs
-      ++ (if cfg.enableGuiPkgs then guiPkgs else [])
-      ++ (if cfg.enableDevPkgs then devPkgs else []);
+    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
   };
 }

modules/pubkeys.nix

@@ -27,8 +27,8 @@ let
   };
 in {
   # map hostname -> something suitable for known_keys
-  hosts = builtins.mapAttrs (machine: keys: withHost machine keys.host) keys;
+  hosts = builtins.mapAttrs (host: keys: withHost host keys.host) keys;
   # map hostname -> something suitable for authorized_keys to allow access to colin@<hostname>
-  users = builtins.mapAttrs (machine: keys: withUser "colin@${machine}" keys.users.colin) keys;
+  users = builtins.mapAttrs (host: keys: withUser "colin@${host}" keys.users.colin) keys;
 }
 

modules/services/duplicity.nix

@@ -1,5 +1,5 @@
 # docs: https://search.nixos.org/options?channel=21.11&query=duplicity
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 let
@@ -18,8 +18,7 @@ in
     sane.impermanence.service-dirs = [ "/var/lib/duplicity" ];
 
     services.duplicity.enable = true;
-    services.duplicity.targetUrl = ''"$DUPLICITY_URL"'';
-    services.duplicity.escapeUrl = false;
+    services.duplicity.targetUrl = "$DUPLICITY_URL";
     # format: PASSPHRASE=<cleartext> \n DUPLICITY_URL=b2://...
     # two sisters
     # PASSPHRASE: remote backups will be encrypted using this passphrase (using gpg)
@@ -32,29 +31,28 @@ in
     services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
     # NB: manually trigger with `systemctl start duplicity`
     services.duplicity.frequency = "daily";
-    # TODO: this needs updating to handle impermanence changes
-    services.duplicity.exclude = [
-      # impermanent/inconsequential data:
-      "/dev"
-      "/proc"
-      "/run"
-      "/sys"
-      "/tmp"
-      # bind mounted (dupes):
-      "/var/lib"
-      # other mounts
-      "/mnt"
-      # data that's not worth the cost to backup:
-      "/nix/persist/var/lib/uninsane/media"
-      "/nix/persist/home/colin/tmp"
-      "/nix/persist/home/colin/Videos"
-      "/home/colin/tmp"
-      "/home/colin/Videos"
-    ];
 
     services.duplicity.extraFlags = [
       # without --allow-source-mismatch, duplicity will abort if you change the hostname between backups
       "--allow-source-mismatch"
+
+      # includes/exclude ordering matters, so we explicitly control it here.
+      # the first match decides a file's treatment. so here:
+      # - /nix/persist/home/colin/tmp is excluded
+      # - *other* /nix/persist/ files are included by default
+      # - anything else under `/` are excluded by default
+      "--exclude" "/nix/persist/home/colin/dev/home-logic/coremem/out"  # this can reach > 1 TB
+      "--exclude" "/nix/persist/home/colin/use/iso"  # might want to re-enable... but not critical
+      "--exclude" "/nix/persist/home/colin/.local/share/sublime-music"  # music cache. better to just keep the HQ sources
+      "--exclude" "/nix/persist/home/colin/.local/share/Steam"  # can just re-download games
+      "--exclude" "/nix/persist/home/colin/.bitmonero/lmdb"  # monero blockchain
+      "--exclude" "/nix/persist/home/colin/.rustup"
+      "--exclude" "/nix/persist/home/colin/ref"  # publicly available data: no point in duplicating it
+      "--exclude" "/nix/persist/home/colin/tmp"
+      "--exclude" "/nix/persist/home/colin/Videos"
+      "--exclude" "/nix/persist/var/lib/duplicity"  # don't back up our own backup state!
+      "--include" "/nix/persist"
+      "--exclude" "/"
     ];
 
     # set this for the FIRST backup, then remove it to enable incremental backups
@@ -70,5 +68,26 @@ in
         "/dev/mmc0 5M"
       ];
     };
+
+    # based on <nixpkgs:nixos/modules/services/backup/duplicity.nix>  with changes:
+    # - remove the cleanup step: API key doesn't have delete perms
+    # - don't escape the targetUrl: it comes from an env var set in the secret file
+    systemd.services.duplicity.script = let
+      cfg = config.services.duplicity;
+      target = cfg.targetUrl;
+      extra = escapeShellArgs ([ "--archive-dir" "/var/lib/duplicity" ] ++ cfg.extraFlags);
+      dup = "${pkgs.duplicity}/bin/duplicity";
+    in lib.mkForce ''
+      set -x
+      # ${dup} cleanup ${target} --force ${extra}
+      # ${lib.optionalString (cfg.cleanup.maxAge != null) "${dup} remove-older-than ${lib.escapeShellArg cfg.cleanup.maxAge} ${target} --force ${extra}"}
+      # ${lib.optionalString (cfg.cleanup.maxFull != null) "${dup} remove-all-but-n-full ${builtins.toString cfg.cleanup.maxFull} ${target} --force ${extra}"}
+      # ${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-inc-of-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"}
+      exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArg cfg.root} ${target} ${lib.escapeShellArgs ([]
+        ++ concatMap (p: [ "--include" p ]) cfg.include
+        ++ concatMap (p: [ "--exclude" p ]) cfg.exclude
+        ++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ])
+        )} ${extra}
+    '';
   };
 }

modules/services/nixserve.nix

@@ -14,8 +14,8 @@ in
       type = types.bool;
     };
     sane.services.nixserve.sopsFile = mkOption {
-      default = ../../secrets/servo.yaml;
       type = types.path;
+      description = "path to file that contains the nix_serv_privkey secret (can be in VCS)";
     };
   };
 

modules/universal/system-packages.nix

@@ -1,38 +0,0 @@
-{ pkgs, ... }:
-{
-  # general-purpose utilities that we want any user to be able to access
-  #   (specifically: root, in case of rescue)
-  environment.systemPackages = with pkgs; [
-    btrfs-progs
-    cryptsetup
-    dig
-    efibootmgr
-    fatresize
-    fd
-    file
-    gptfdisk
-    hdparm
-    htop
-    iftop
-    inetutils  # for telnet
-    iotop
-    iptables
-    jq
-    killall
-    lsof
-    netcat
-    nethogs
-    nmap
-    openssl
-    parted
-    pciutils
-    powertop
-    ripgrep
-    screen
-    smartmontools
-    socat
-    usbutils
-    wget
-  ];
-}
-

nixpatches/list.nix

@@ -1,27 +1,22 @@
 fetchpatch: [
+  # phosh: 0.21.1 -> 0.22.0
+  (fetchpatch {
+    url = "https://github.com/NixOS/nixpkgs/pull/201881.diff";
+    sha256 = "sha256-7tV7F1gKTfMwNJ0evweD7p6RXOvOHQXXtuuBqnRGyCc=";
+  })
   # phosh-mobile-settings: init at 0.21.1
   (fetchpatch {
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
-    # url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
-    sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
+    # sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
+    url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
+    sha256 = "sha256-/9c8hUF7DO54f8/6oSRzxLOwMdts5UPa4pfXsdBa2pM=";
   })
 
   # librewolf: build with `MOZ_REQUIRE_SIGNING=false`
   (fetchpatch {
     url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
     # url = "https://git.uninsane.org/colin/nixpkgs/commit/99b82e07fee4d194520d6e8d51bc45c80a4d3c7e.diff";
-    sha256 = "sha256-FOAZYaMpSPMYwU26xYD+V/f+df0JjlbuVtqjlcBFW5Q=";
-  })
-
-  # lightdm-mobile-greeter: init at 2022-10-30
-  (fetchpatch {
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/0a9018c8879d8fe871ee03bc386f8d148e4f88b8.diff";
-    sha256 = "sha256-h1+K8UO4+G6yvl6JFd8xBGitPgOCIY7BunW49eGkXQQ=";
-  })
-  # lightdm: add `greeters.mobile` config option
-  (fetchpatch {
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/1144d6cfe976e7bcfb9611b1d0a66071e17cd569.diff";
-    sha256 = "sha256-ZEvLPqrkpr79yXrsBxgxELR2Awtqk3675jkYZqx2AfY=";
+    sha256 = "sha256-Ne4hyHQDwBHUlWo8Z3QyRdmEv1rYGOjFGxSfOAcLUvQ=";
   })
 
   # # kaiteki: init at 2022-09-03
@@ -46,9 +41,7 @@ fetchpatch: [
   #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
   ./02-rpi4-uboot.patch
 
-  # TODO: upstream
-  # maybe convert this patch to add a `targetUrlExpr` instead of doing the `escapeShellArgs` hack
-  ./07-duplicity-rich-url.patch
+  # ./07-duplicity-rich-url.patch
 
   # enable aarch64 support for flutter's dart package
   # ./10-flutter-arm64.patch

pkgs/browserpass-extension/default.nix

@@ -1,5 +1,6 @@
 { stdenv
 , fetchFromGitHub
+, fetchFromGitea
 , gnused
 , jq
 , mkYarnModules
@@ -8,12 +9,21 @@
 
 let
   pname = "browserpass-extension";
-  version = "3.7.2";
-  src = fetchFromGitHub {
-    owner = "browserpass";
+  version = "3.7.2-20221121";
+  # src = fetchFromGitHub {
+  #   owner = "browserpass";
+  #   repo = "browserpass-extension";
+  #   # rev = version;
+  #   rev = "21f3431d09e1d7ffd33e0b9fc5d2965b7bd93a1a";
+  #   sha256 = "sha256-XIgbaQSAXx7L1e/9rzN7oBQy9U3HWJHOX2auuvgdvbc=";
+  # };
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
     repo = "browserpass-extension";
-    rev = version;
-    sha256 = "sha256-uDJ0ID8mD+5WLQK40+OfzRNIOOhZWsLYIi6QgcdIDvc=";
+    # hack in sops support
+    rev = "e3bf558ff63d002d3c15f2ce966071f04fada306";
+    sha256 = "sha256-dSRZ2ToEOPhzHNvlG8qdewa7689gT8cNB7nXkN3/Avo=";
   };
   browserpass-extension-yarn-modules = mkYarnModules {
     inherit pname version;

pkgs/browserpass/default.nix

@@ -31,8 +31,9 @@ in
     domain = "git.uninsane.org";
     owner = "colin";
     repo = "browserpass-native";
-    rev = "8de7959fa5772aca406bf29bb17707119c64b81e";
-    hash = "sha256-ewB1YdWqfZpt8d4p9LGisiGUsHzRW8RiSO/+NZRiQpk=";
+    # don't forcibly append '.gpg'
+    rev = "85bdb08379c03297c1236f66e8764160c922d397";
+    hash = "sha256-SEfihU+GreWhYfLVr7tTnMCo6Iq20a78F8iVbycOQUQ=";
   };
   installPhase = ''
     make install

pkgs/lightdm-mobile-greeter/default.nix

@@ -1,7 +1,7 @@
 { lib
 , fetchFromGitea
 , gtk3
-, libhandy_0
+, libhandy
 , lightdm
 , pkgs
 , linkFarm
@@ -13,18 +13,32 @@ rustPlatform.buildRustPackage rec {
   pname = "lightdm-mobile-greeter";
   version = "2022-10-30";
 
+  # upstream:
+  # src = fetchFromGitea {
+  #   domain = "git.raatty.club";
+  #   owner = "raatty";
+  #   repo = "lightdm-mobile-greeter";
+  #   rev = "8c8d6dfce62799307320c8c5a1f0dd5c8c18e4d3";
+  #   hash = "sha256-SrAR2+An3BN/doFl/s8PcYZMUHLfVPXKZOo6ndO60nY=";
+  # };
+  # cargoHash = "sha256-NZ0jOkEBNa5oOydfyKm0XQB/vkAvBv9wHBbnM9egQFQ=";
+
+  # sane dev:
   src = fetchFromGitea {
-    domain = "git.raatty.club";
-    owner = "raatty";
+    domain = "git.uninsane.org";
+    owner = "colin";
     repo = "lightdm-mobile-greeter";
-    rev = "8c8d6dfce62799307320c8c5a1f0dd5c8c18e4d3";
-    hash = "sha256-SrAR2+An3BN/doFl/s8PcYZMUHLfVPXKZOo6ndO60nY=";
+    # rev = "bd2138f630db0dfb901bc28a9b70d6be8b9879dd";
+    # hash = "sha256-B3dNvnduR1pz5DedmAR8Fc/CXowR3jsyrjMUFOMizxI=";
+    rev = "f3511ec71a4a1f491d759711e0bcf031e335ea70";
+    hash = "sha256-U5chzm3q3vycgX1HSLf6sk6M3YoJ4CHGLKRg4ViIhu8=";
   };
-  cargoHash = "sha256-NZ0jOkEBNa5oOydfyKm0XQB/vkAvBv9wHBbnM9egQFQ=";
+  cargoHash = "sha256-2NMXR+D/CnDhUToQmMwK2Cb2l+4/N9BrCz/lt1NZ6Wk=";
 
   buildInputs = [
     gtk3
-    libhandy_0
+    # libhandy_0
+    libhandy
     lightdm
   ];
   nativeBuildInputs = [

pkgs/overlay.nix

@@ -29,8 +29,6 @@
   jackett = prev.callPackage ./jackett { pkgs = prev; };
   # mozilla keeps nerfing itself and removing configuration options
   firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
-  # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
-  # systemd = import ./pkgs/systemd { pkgs = prev; };
 
   # patch rpi uboot with something that fixes USB HDD boot
   ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
@@ -41,9 +39,10 @@
 
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
   kaiteki = prev.callPackage ./kaiteki { };
-  # lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
+  lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
   browserpass-extension = prev.callPackage ./browserpass-extension { };
   gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
+  tokodon = prev.libsForQt5.callPackage ./tokodon { };
   # kaiteki = prev.kaiteki;
   # TODO: upstream, or delete nabla
   nabla = prev.callPackage ./nabla { };

pkgs/sane-scripts/default.nix

@@ -20,11 +20,13 @@ resholve.mkDerivation {
       inputs = with pkgs; [
         coreutils
         curl
+        duplicity
         file
         findutils
         gnugrep
         gocryptfs
         ifuse
+        inetutils
         inotify-tools
         ncurses
         oath-toolkit
@@ -38,6 +40,7 @@ resholve.mkDerivation {
         which
       ];
       keep = {
+        "/run/secrets/duplicity_passphrase" = true;
         # we write here: keep it
         "/tmp/rmlint.sh" = true;
         # intentionally escapes (into user code)
@@ -57,6 +60,7 @@ resholve.mkDerivation {
 
       # list of programs which *can* or *cannot* exec their arguments
       execer = with pkgs; [
+        "cannot:${duplicity}/bin/duplicity"
         "cannot:${gocryptfs}/bin/gocryptfs"
         "cannot:${ifuse}/bin/ifuse"
         "cannot:${oath-toolkit}/bin/oathtool"

pkgs/sane-scripts/src/sane-backup-ls

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# N.B. must be run as root
+
+set -ex
+
+# source the URL; hack to satisfy resholve
+external_cmd="source /run/secrets/duplicity_passphrase"
+$external_cmd
+duplicity list-current-files --archive-dir /var/lib/duplicity $DUPLICITY_URL

pkgs/sane-scripts/src/sane-backup-restore

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# N.B. must be run as root
+
+set -ex
+
+dest_path="$1"
+source_path="$2"
+
+# source the URL; hack to satisfy resholve
+external_cmd="source /run/secrets/duplicity_passphrase"
+$external_cmd
+duplicity restore --archive-dir /var/lib/duplicity --file-to-restore "$source_path" $DUPLICITY_URL "$dest_path"

pkgs/sane-scripts/src/sane-find-dotfiles

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# find where a package stores its dotfiles/dotdir
+# e.g. `sane-find-dotfiles foo` might print `/home/colin/.foo`, `/home/colin/.local/share/foo`, etc.
+
+find ~/ -maxdepth 1 -iname "*$1*" -print
+find ~/.local/share/*/ -maxdepth 1 -iname "*$1*" -print
+find ~/.config/*/ -maxdepth 1 -iname "*$1*" -print
+find ~/.cache/*/ -maxdepth 1 -iname "*$1*" -print
+

pkgs/sane-scripts/src/sane-rcp

@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 # copy some remote file(s) to the working directory, with sane defaults
-rsync -arv --progress "$@" .
+rsync -arv --progress --append-verify "$@" .

pkgs/sane-scripts/src/sane-reboot

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+target="$1"
+host="$(hostname)"
+if [ "$host" = "$target" ]
+then
+  sudo reboot now
+else
+  echo "WRONG MACHINE. you're on $host."
+  exit 1
+fi
+

pkgs/sane-scripts/src/sane-stop-all-servo

@@ -1,7 +1,11 @@
 #!/usr/bin/env bash
-sudo systemctl stop pleroma gitea matrix-synapse jellyfin dovecot2 opendkim transmission jackett postfix nginx
+sudo systemctl stop matrix-appservice-irc mx-puppet-discord
+sudo systemctl stop pleroma gitea matrix-synapse jellyfin transmission jackett
+# TODO: stop the freshrss timer
+sudo systemctl stop phpfpm-freshrss
+sudo systemctl stop dovecot2 opendkin postfix
+sudo systemctl stop nginx
 sudo systemctl stop postgresql
-sudo systemctl stop matrix-appservice-irc
 sudo systemctl stop duplicity.timer
 sudo systemctl stop duplicity
 sudo systemctl stop wg0veth wireguard-wg0

pkgs/systemd/01-spindown-drive.patch

@@ -1,28 +0,0 @@
-diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c
-index 2c3cbec02c..8eef305578 100644
---- a/src/shutdown/shutdown.c
-+++ b/src/shutdown/shutdown.c
-@@ -603,6 +603,7 @@ int main(int argc, char *argv[]) {
-                                 execv(args[0], (char * const *) args);
- 
-                                 /* execv failed (kexec binary missing?), so try simply reboot(RB_KEXEC) */
-+                                sleep(15);
-                                 (void) reboot(cmd);
-                                 _exit(EXIT_FAILURE);
-                         }
-@@ -614,6 +615,7 @@ int main(int argc, char *argv[]) {
-                 _fallthrough_;
- 
-         case RB_AUTOBOOT:
-+                sleep(15);
-                 (void) reboot_with_parameter(REBOOT_LOG);
-                 log_info("Rebooting.");
-                 break;
-@@ -630,6 +632,7 @@ int main(int argc, char *argv[]) {
-                 assert_not_reached();
-         }
- 
-+        sleep(15);
-         (void) reboot(cmd);
-         if (errno == EPERM && in_container) {
-                 /* If we are in a container, and we lacked

pkgs/systemd/default.nix

@@ -1,9 +0,0 @@
-{ pkgs }:
-
-(pkgs.systemd.overrideAttrs (upstream: {
-  patches = (upstream.patches or []) ++ [
-    # give the HDD time to spin down before abruptly cutting power
-    ./01-spindown-drive.patch
-  ];
-}))
-

pkgs/tokodon/default.nix

@@ -0,0 +1,70 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, extra-cmake-modules
+, kconfig
+, kdbusaddons
+, ki18n
+, kirigami2
+, kitemmodels
+, knotifications
+, libwebsockets
+, pimcommon
+, pkg-config
+, qqc2-desktop-style
+, qtbase
+, qtkeychain
+, qtmultimedia
+, qtquickcontrols2
+, qttools
+, qtwebsockets
+, wrapQtAppsHook
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tokodon";
+  version = "22.09";
+
+  src = fetchFromGitHub {
+    owner = "KDE";
+    repo = pname;
+    # rev = "f919a7ae62dec665646d2ff3ca02e2e256b7a8a9";
+    # sha256 = "sha256-HVDM93nJTs7uTWs1n0t7UUtXQW6jFfoImaDxbTmlc0A=";
+    rev = "v${version}";
+    sha256 = "sha256-wHE8HPnjXd+5UG5WEMd7+m1hu2G3XHq/eVQNznvS/zc=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    extra-cmake-modules
+    pkg-config
+    wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    kconfig
+    kdbusaddons
+    ki18n
+    kirigami2
+    kitemmodels
+    knotifications
+    pimcommon
+    qqc2-desktop-style
+    qtbase
+    qtkeychain
+    qtmultimedia
+    qtquickcontrols2
+    qttools
+    qtwebsockets
+  ];
+
+  meta = with lib; {
+    description = "A Mastodon client for Plasma and Plasma Mobile";
+    homepage = src.meta.homepage;
+    license = licenses.gpl3Plus;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ matthiasbeyer ];
+  };
+}
+

readme.md

@@ -4,6 +4,12 @@ to deploy:
 nixos-rebuild --flake "./#servo" {build,switch}
 ```
 
+if the target is the same as the host, nix will grab the hostname automatically:
+
+```sh
+nixos-rebuild --flake . {build,switch}
+```
+
 more options (like building packages defined in this repo):
 
 ```sh
@@ -45,3 +51,16 @@ to build a package for another platform:
 ```sh
 nix build ./#packages.aarch64-linux.nixpkgs.ubootRaspberryPi4_64bit
 ```
+
+## using this repo in your own config
+
+i try to ensure everything in the `modules/` directory is hidden behind some enable flag or other.
+it should be possible to copy that whole directory into your own config, and then selectively
+populate what you want (like the impermenance paths, etc).
+more practically, a lot of things in there still assume a user named `colin`, so you'll probably
+want to patch it for your name -- or just use it as a reference.
+
+## contact
+
+if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc,
+you can reach me via any method listed [here](https://uninsane.org/about).

secrets/desko.yaml

@@ -1,4 +1,4 @@
-duplicity_passphrase: ENC[AES256_GCM,data:rzUfcxe5YPloOrqgVwdCjsccexWc5RvmFf1i3Xs459iVTfWHlVJeT/IqReY6ZqdAkPJteTtrUZzak2GXyRUkE13+W0kE8isnDjPX/YDQwoK2sa+dwc4xGTekboc0gf6HH3vQpF1aiJDBfb3GtGyDVLH9MVIRPJGXSztZBduUDezA2wAx2wI=,iv:EHJg8kE/07v+ySSFDtW4FA4y1y/+fcGxfNCWoainwBI=,tag:S3ecM4DbDl8jqXLRKipZmQ==,type:str]
+duplicity_passphrase: ENC[AES256_GCM,data:+UXXMiMNR3r3xvIzQVctDnFpVElx9xYOQBQsWHSZKlCDZs/Jlte48IPp3bc1u+bx1U9y5Frm5QiZYo/gAksRCjFcOTE6pc/bIREyAqB59psp5Ijhg59ToVBl3cm0II55rIDqDcBbHV2UUIvbbKn4/FBnY9y8uW8X383cHvpDPqxiPOTa,iv:eDkE+NmM2kKG4wr9sLM5IXlmlkNUaHNyE3r9rY/uayI=,tag:n9QmRFvmKv8H3gi8OAQdcw==,type:str]
 #ENC[AES256_GCM,data:yU9cr6MXjS4m69BeIUjUw477wt4c1djYof3Qlfr4Dytv8hWqCuqThDwQTMY5jfHdv5ipS0aEjf7GWu2M2t9W88fYdxnTN2m8IfYZp76YcjxO4fup5BXiLGIjnm+qI0g=,iv:nPo8FyGiyLRQozE4kZ6Rei6CObvbVynOs3jdMvdkpZw=,tag:+4esxPiewSsjwao6ZhAMxA==,type:comment]
 nix_serve_privkey: ENC[AES256_GCM,data:/Ph9J00cV7PcfpJw/NWcBpkQR+a0SQyHv1jmF4CkH+Uj8l+cRcXWynAc2APenMSfHdighXMqjsXuwRbGo0S57YuMXQjFbI8jhbXEhhAWlmET1q7uRaaZRSgq34qABw==,iv:LLYgLauPsD+3mx1GTjEUkiXgdWsnqixCJl4UfSdS5Ac=,tag:S7V6GKezS/JsbZVfq9DjjA==,type:str]
 colin-passwd: ENC[AES256_GCM,data:/b+l5zTlOhdoiFaMVG5HB98AOGfGZtwkH+IS/mhDgHNZ4J+t3OiEBAFPl/KPctg6ZM55QiAjNnnJ8zAsKL85om6amvrWF/Qz17qC9+pZF+6Ef8xvTQr3VPlFEYq4rGb74jQ7uyvtCjn0Ow==,iv:Z0qUimlPQMu6rsjn5b/Xfw99NzbXGS8B/hNWE+f+GoM=,tag:uGB1DZzHiLCkOtlAA58mmg==,type:str]
@@ -35,8 +35,8 @@ sops:
             Si9kT0ZMUnJJWlhUZ3FFakZFaDlPdEEKXtWfh6wdGPin1h/UUs21cdspddpW1YDq
             rCKS2DI2KWdgciih9FnmWGAwGUhB3uhimUr6hgho4z+dZfLrpoP1PA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-24T08:49:49Z"
-    mac: ENC[AES256_GCM,data:dvxYlU/btzzH9Qor8z02kdv3S4gFUGHnEjV/XBM99+IFuAD6vuE8zFL4peGW1GiXqM2QQY0Qc9wZ+nC5/ak9ROMC8uZPXF417gs6U9yyT92FRlMSdC0AMsUhNGWjJlM733hI4YATnR+1XuwHewzzW1R3TvrouBZqSv+2rBsiZCw=,iv:A+D7IG4U+EQ6nP4xKOK1ExeZLeERpiSPzj/g87R1SdM=,tag:jSVGDO9kNxXdDSSixDrkDQ==,type:str]
+    lastmodified: "2022-11-16T03:02:28Z"
+    mac: ENC[AES256_GCM,data:EFeon4GvDEFVTJh9IR0dd8S/vVeWlMuEe9rUcL6FDYLsfm5qFb5rhsCDY/rQNanNsTcsDLK3oOXoBXP168fzwHotdjoNNyiCYAFDigVqKPt4dk9vnzH91ccyu6NUhlFlKzuDHwXkWbNJA7pNyMD3w4NKt7HbLu+r1YxOAaytWzM=,iv:xrllCUns1WY/gCuHKmZtUr5/piE4OBKHrmiewBbVBH4=,tag:8JWLLZqLFMWcDNgWwJL+Ig==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

secrets/servo.yaml

@@ -1,4 +1,4 @@
-duplicity_passphrase: ENC[AES256_GCM,data:WAQE+xhfRg+4N9Q1P9U8Lt7sVwpcEZFPJzyHIA+FIcCcZZhv+QmvCT/eTRtAOIFvII5l9f0A4GRnSEagalyaZgTgq7t8qOhvvB+s8cIj7prM1psnKstpx3+BxsinGOsZcPqbBxph9gdGuIVP3qH7pYAT+6GMPLnxW21s0r26mZFZM8Mu15VGyuvTz2Pknw==,iv:hu+6w6TWQensA4y5wBz1vPgw8YlBk5TuxEm2rRjV6Ao=,tag:UJ2joJZNxr/+O5y0dx6q9g==,type:str]
+duplicity_passphrase: ENC[AES256_GCM,data:LgPORB0HhIAfpJdQrwjS+/TWdOeddQ2YNYqfRbWhhuNlImuOlniPzrPaaFv+Mfght7OHs7rnuVr3tOHfeIEBo9S2z05ABOulttHEyeuyJZPE1/0t8IBz2gcNNWs4nhCYbVX3y/rSAG8bhz1Vdb2B/MiCicfJEZAqpXkRilQELXTR5cF5NnmEcR7zOso=,iv:NvwZhBbkYnTDt3izwwQPj4U4XAmiOD5Dv3sF50JA97o=,tag:HSJ5xr/WXn6MQdyV8QYWYw==,type:str]
 ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU3TQcHJutz9lCl0wBdWs+FybY0sZcnaH0=,tag:7O6EIob2/if1fcVDVEkVzQ==,type:str]
 #ENC[AES256_GCM,data:LMfqz2Rih6CR7RcCbA==,iv:MQ7z93Mhus2Z2q7HZMk4BzkkY/apBIR+9hIiZlknolc=,tag:HU5McecdYk12I3AcvVHEBw==,type:comment]
 #ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment]
@@ -56,8 +56,8 @@ sops:
             cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
             aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-14T00:37:52Z"
-    mac: ENC[AES256_GCM,data:qKr1aKWxuJWwjUYX+JWAdwHFAwApHm9hOYBgZxAIXbXHhOo04K1MFBDTsAvtvN1a11QtCJYDNuVNpuRu3bf/5Ji5ROTaKfQCgPk+ZScJuWpLsxchYV+TnlREwQI+qgvogyMKMlPInozgd7RNnsePdg7DtYFfGMAvUtX9OidxAXI=,iv:EAkNQkIqoXtRy+uSb7ccl9T5b6hiyRll/m76nhir9AI=,tag:kCDEBJDW34VgLQPd4V+uYA==,type:str]
+    lastmodified: "2022-11-16T03:02:50Z"
+    mac: ENC[AES256_GCM,data:0/lDp6jWueeF4TPfB5rSoEzEF8QVw815DYEHRRea+SrYXGHJT80eK5sqUz00m6adG8aaSlNMAD8d2/nClar6VJKKOHdY+oN8hLztxNGQraMo107d8XOMMycj9vA4IGkCbnlng0cZTB2jsPV6Mfkmf5v+PN4N9F0bQ9W50V1Pf40=,iv:slFJjjlyCyk8aAwfRbiZ/2SKLmUGZE4OvpfrrvSJw3g=,tag:X+057fZLJnDW7CAka8+pCw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3