update to nixpkgs/staging-next

```
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/1e2590679d0ed2cee2736e8b80373178d085d263' (2023-03-09)
  → 'github:nixos/nixpkgs/140a35879a1bec9907a15a66b6350e0efbef5239' (2023-03-11)
• Updated input 'uninsane-dot-org':
    'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=9b549e42da18218e46d1bf217b5eb81c0c4caf11' (2023-03-10)
  → 'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=a8aa5ac6e6b5a5fb76c116caf8a1dd94d078bac2' (2023-03-11)
```

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1676240485,
-        "narHash": "sha256-bef1Zrfpo9cxaf19QhqfTwaagpeoNc08sc8OjYDjSnQ=",
+        "lastModified": 1677879564,
+        "narHash": "sha256-luJTRYY1zEoN5fSGwbZxq66IE1kdrqOq0/iBWzw7gOI=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "8701fcb1448f1eb67c0d47631ec2bdb613bd6a38",
+        "rev": "9a0c317a027d1c085c641fe6df1f51b71880b720",
         "type": "github"
       },
       "original": {
@@ -31,13 +31,46 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
+    "nix-serve": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
       "locked": {
-        "lastModified": 1676162277,
-        "narHash": "sha256-GK3cnvKNo1l0skGYXXiLJ/TLqdKyIYXd7jOlo0gN+Qw=",
+        "lastModified": 1678202930,
+        "narHash": "sha256-SF82/tTnagdazlETJLzXD9kjZ6lyk38agdLbmMx1UZE=",
+        "owner": "edolstra",
+        "repo": "nix-serve",
+        "rev": "3b6d30016d910a43e0e16f94170440a3e0b8fa8d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "nix-serve",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1606086654,
+        "narHash": "sha256-VFl+3eGIMqNp7cyOMJ6TjM/+UcsLKtodKoYexrlTJMI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d863ca850a06d91365c01620dcac342574ecf46f",
+        "rev": "19db3e5ea2777daa874563b5986288151f502e27",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-20.09",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1677948530,
+        "narHash": "sha256-BkQjq8AGHD55RJe4PUnrWRZZ8jS64p/k0bGDck5wKwY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d51554151a91cd4543a7620843cc378e3cbc767e",
         "type": "github"
       },
       "original": {
@@ -49,16 +82,16 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1676569297,
-        "narHash": "sha256-2n4C4H3/U+3YbDrQB6xIw7AaLdFISCCFwOkcETAigqU=",
+        "lastModified": 1678536071,
+        "narHash": "sha256-bj38dJO1KfHGbC8F0C3UKBPhAstqMcQed0GiFZnaNKA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ac1f5b72a9e95873d1de0233fddcb56f99884b37",
+        "rev": "140a35879a1bec9907a15a66b6350e0efbef5239",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "staging-next",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -66,6 +99,7 @@
     "root": {
       "inputs": {
         "mobile-nixos": "mobile-nixos",
+        "nix-serve": "nix-serve",
         "nixpkgs-unpatched": "nixpkgs-unpatched",
         "sops-nix": "sops-nix",
         "uninsane-dot-org": "uninsane-dot-org"
@@ -79,11 +113,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1676171095,
-        "narHash": "sha256-2laeSjBAAJ9e/C3uTIPb287iX8qeVLtWiilw1uxqG+A=",
+        "lastModified": 1678440572,
+        "narHash": "sha256-zfL09Yy6H7QQwfacCPL0gOfWpVkTbE5jXJh5oZmGf8g=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c5dab21d8706afc7ceb05c23d4244dcb48d6aade",
+        "rev": "1568702de0d2488c1e77011a9044de7fadec80c4",
         "type": "github"
       },
       "original": {
@@ -100,11 +134,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1675131883,
-        "narHash": "sha256-yBgJDG72YqIr1bltasqHD1E/kHc9uRFgDjxDmy6kI8M=",
+        "lastModified": 1678521821,
+        "narHash": "sha256-BlFdD28AeizJRa4DtnwxqZqvBTvsXIrf3kiI26Q3J1A=",
         "ref": "refs/heads/master",
-        "rev": "b099c24091cc192abf3997b94342d4b31cc5757b",
-        "revCount": 170,
+        "rev": "a8aa5ac6e6b5a5fb76c116caf8a1dd94d078bac2",
+        "revCount": 175,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -22,7 +22,8 @@
     # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
 
     # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
 
     # nixpkgs = {
     #   url = "./nixpatches";
@@ -45,6 +46,10 @@
       # inputs.nixpkgs.follows = "nixpkgs";
       inputs.nixpkgs.follows = "nixpkgs-unpatched";
     };
+    nix-serve = {
+      # <https://github.com/edolstra/nix-serve>
+      url = "github:edolstra/nix-serve";
+    };
   };
 
   outputs = {
@@ -53,10 +58,11 @@
     mobile-nixos,
     sops-nix,
     uninsane-dot-org,
+    nix-serve,
     ...
   }@inputs:
     let
-      inherit (builtins) attrNames listToAttrs map mapAttrs;
+      inherit (builtins) attrNames elem listToAttrs map mapAttrs;
       mapAttrs' = f: set:
         listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
       # mapAttrs but without the `name` argument
@@ -87,12 +93,14 @@
               self.nixosModules.passthru
               {
                 nixpkgs.overlays = [
-                  self.overlays.default
                   self.overlays.passthru
                   self.overlays.pins
+                  self.overlays.pkgs
+                  # self.overlays.optimizations
                 ];
                 nixpkgs.hostPlatform = target;
                 # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
+                # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
               }
             ];
           });
@@ -150,23 +158,36 @@
       # unofficial output
       host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
 
-      overlays = rec {
-        default = pkgs;
-        pkgs = import ./overlays/pkgs.nix;
-        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
-        passthru =
+      overlays = {
+        # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
+        #   hence the weird redundancy.
+        default = final: prev: self.overlays.pkgs final prev;
+        pkgs = final: prev: import ./overlays/pkgs.nix final prev;
+        pins = final: prev: import ./overlays/pins.nix final prev;
+        optimizations = final: prev: import ./overlays/optimizations.nix final prev;
+        passthru = final: prev:
           let
             stable =
               if inputs ? "nixpkgs-stable" then (
-                next: prev: {
-                  stable = inputs.nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+                final': prev': {
+                  stable = inputs.nixpkgs-stable.legacyPackages."${prev'.stdenv.hostPlatform.system}";
                 }
-              ) else (next: prev: {});
+              ) else (final': prev': {});
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlay;
+            # nix-serve' = nix-serve.overlay;
+            nix-serve' = next: prev: {
+              # XXX(2023/03/02): upstream isn't compatible with modern `nix`. probably the perl bindings.
+              # - we use the package built against `nixpkgs` specified in its flake rather than use its overlay,
+              #   to get around this.
+              inherit (nix-serve.packages."${next.system}") nix-serve;
+            };
           in
-            next: prev:
-              (stable next prev) // (mobile next prev) // (uninsane next prev);
+              (stable final prev)
+              // (mobile final prev)
+              // (uninsane final prev)
+              // (nix-serve' final prev)
+            ;
       };
 
       nixosModules = rec {
@@ -190,14 +211,33 @@
           aarch64-linux = allPkgsFor "aarch64-linux";
         };
 
-      # extract only our own packages from the full set
-      packages = mapAttrValues
-        (full: full.sane // { inherit (full) sane uninsane-dot-org; })
-        self.legacyPackages;
+      # extract only our own packages from the full set.
+      # because of `nix flake check`, we flatten the package set and only surface x86_64-linux packages.
+      packages = mapAttrs
+        (system: allPkgs:
+          allPkgs.lib.filterAttrs (name: pkg:
+            # keep only packages which will pass `nix flake check`, i.e. keep only:
+            # - derivations (not package sets)
+            # - packages that build for the given platform
+            (! elem name [ "feeds" "pythonPackagesExtensions" ])
+            && (allPkgs.lib.meta.availableOn allPkgs.stdenv.hostPlatform pkg)
+          )
+          (allPkgs.sane // {
+            inherit (allPkgs) uninsane-dot-org;
+          })
+        )
+        # self.legacyPackages;
+        { inherit (self.legacyPackages) x86_64-linux; }
+      ;
 
       apps."x86_64-linux" =
         let
           pkgs = self.legacyPackages."x86_64-linux";
+          deployScript = action: pkgs.writeShellScript "deploy-moby" ''
+            nixos-rebuild --flake '.#cross-moby' build
+            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
+            nixos-rebuild --flake '.#cross-moby' ${action} --target-host colin@moby --use-remote-sudo
+          '';
         in {
           update-feeds = {
             type = "app";
@@ -209,6 +249,17 @@
             type = "app";
             program = "${pkgs.feeds.passthru.initFeedScript}";
           };
+
+          deploy-moby-test = {
+            # `nix run '.#deploy-moby-test'`
+            type = "app";
+            program = ''${deployScript "test"}'';
+          };
+          deploy-moby-switch = {
+            # `nix run '.#deploy-moby-switch'`
+            type = "app";
+            program = ''${deployScript "switch"}'';
+          };
         };
 
       templates = {

hosts/by-name/desko/default.nix

@@ -4,13 +4,12 @@
     ./fs.nix
   ];
 
+  sane.roles.build-machine = true;
   sane.roles.client = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.services.duplicity.enable = true;
-  sane.services.nixserve.enable = true;
   sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
-  sane.persist.enable = true;
 
   sane.gui.sway.enable = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;
@@ -50,7 +49,7 @@
   };
 
   programs.steam = {
-    # enable = true;
+    enable = true;
     # not sure if needed: stole this whole snippet from the wiki
     remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
     dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server

hosts/by-name/lappy/default.nix

@@ -10,12 +10,13 @@
 
   # sane.guest.enable = true;
   sane.gui.sway.enable = true;
-  sane.persist.enable = true;
-  sane.nixcache.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
-  sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
+  sane.programs.guiApps.suggestedPrograms = [
+    "desktopGuiApps"
+    "stepmania"
+  ];
 
   sops.secrets.colin-passwd = {
     sopsFile = ../../../secrets/lappy.yaml;

hosts/by-name/moby/default.nix

@@ -10,13 +10,6 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
 
-  # cross-compiled documentation is *slow*.
-  # no obvious way to natively compile docs (2022/09/29).
-  # entrypoint is nixos/modules/misc/documentation.nix
-  # doc building happens in nixos/doc/manual/default.nix
-  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
-  documentation.nixos.enable = false;
-
   # XXX colin: phosh doesn't work well with passwordless login,
   # so set this more reliable default password should anything go wrong
   users.users.colin.initialPassword = "147147";
@@ -41,8 +34,6 @@
     ".config/pulse"  # persist pulseaudio volume
   ];
 
-  sane.nixcache.enable = true;
-  sane.persist.enable = true;
   sane.gui.phosh.enable = true;
   # sane.programs.consoleUtils.enableFor.user.colin = false;
   # sane.programs.guiApps.enableFor.user.colin = false;

hosts/by-name/rescue/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   imports = [
     ./fs.nix
@@ -7,6 +7,8 @@
   boot.loader.generic-extlinux-compatible.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+  # sane.persist.enable = false;  # TODO: disable (but run `nix flake check` to ensure it works!)
+  sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
 
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";

hosts/by-name/servo/default.nix

@@ -15,7 +15,8 @@
     signaldctl.enableFor.user.colin = true;
   };
 
-  sane.persist.enable = true;
+  sane.roles.build-machine = true;
+  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;

hosts/by-name/servo/secrets.nix

@@ -25,6 +25,7 @@
   };
   sops.secrets."mautrix_signal_env" = {
     sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
+    format = "binary";
   };
 
   sops.secrets."mediawiki_pw" = {

hosts/by-name/servo/services/ejabberd.nix

@@ -38,11 +38,11 @@
   ];
   networking.firewall.allowedTCPPortRanges = [{
     from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
   }];
   networking.firewall.allowedUDPPortRanges = [{
     from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
   }];
 
   # provide access to certs

hosts/by-name/servo/services/matrix/default.nix

@@ -6,12 +6,10 @@
   imports = [
     ./discord-puppet.nix
     # ./irc.nix
-    ./signal.nix
+    # TODO(2023/03/10): disabled because it's not bridging and mautrix_signal is hogging CPU
+    # ./signal.nix
   ];
 
-  # allow synapse to read the registration files of its appservices
-  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
-
   sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
   ];

hosts/by-name/servo/services/matrix/signal.nix

@@ -7,6 +7,9 @@
     { user = "signald"; group = "signald"; directory = "/var/lib/signald"; }
   ];
 
+  # allow synapse to read the registration file
+  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
+
   services.signald.enable = true;
   services.mautrix-signal.enable = true;
   services.mautrix-signal.environmentFile =
@@ -27,7 +30,6 @@
   };
 
   sops.secrets."mautrix_signal_env" = {
-    format = "binary";
     mode = "0440";
     owner = config.users.users.mautrix-signal.name;
     group = config.users.users.matrix-synapse.name;

hosts/by-name/servo/services/trust-dns.nix

@@ -6,7 +6,7 @@
   sane.services.trust-dns.listenAddrsIPv4 = [
     # specify each address explicitly, instead of using "*".
     # this ensures responses are sent from the address at which the request was received.
-    "192.168.0.5"
+    config.sane.hosts.by-name."servo".lan-ip
     "10.0.1.5"
   ];
   sane.services.trust-dns.quiet = true;

hosts/common/default.nix

@@ -19,6 +19,8 @@
   ];
 
   sane.nixcache.enable-trusted-keys = true;
+  sane.nixcache.enable = lib.mkDefault true;
+  sane.persist.enable = lib.mkDefault true;
   sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
   sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
 

hosts/common/feeds.nix

@@ -1,3 +1,9 @@
+# candidates:
+# - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
+#   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
+# - <https://www.metaculus.com/questions/11102/introducing-the-metaculus-journal-podcast/>
+#   - dead since 2022/10 - 2023/03
+
 { lib, sane-data, ... }:
 let
   hourly = { freq = "hourly"; };
@@ -50,16 +56,23 @@ let
     (fromDb "lexfridman.com/podcast" // rat)
     ## Astral Codex Ten
     (fromDb "sscpodcast.libsyn.com" // rat)
+    ## Less Wrong Curated
+    (fromDb "feeds.libsyn.com/421877" // rat)
     ## Econ Talk
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
     ## Cory Doctorow -- both podcast & text entries
     (fromDb "craphound.com" // pol)
     (fromDb "congressionaldish.libsyn.com" // pol)
+    (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
     ## Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
     ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
     (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
+    ## Daniel Huberman on sleep
+    (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)
+    ## Multidisciplinary Association for Psychedelic Studies
+    (fromDb "mapspodcast.libsyn.com" // uncat)
     (fromDb "allinchamathjason.libsyn.com" // pol)
     (fromDb "acquired.libsyn.com" // tech)
     # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
@@ -104,6 +117,10 @@ let
     (fromDb "semiaccurate.com" // tech)
     (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
     (fromDb "spectrum.ieee.org" // tech)
+    (fromDb "thisweek.gnome.org" // tech)
+    # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
+    (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)
+    (mkText "https://nixos.org/blog/stories-rss.xml" // tech // weekly)
     ## n.b.: quality RSS list here: <https://forum.merveilles.town/thread/57/share-your-rss-feeds%21-6/>
     (mkText "https://forum.merveilles.town/rss.xml" // pol // infrequent)
 
@@ -112,6 +129,7 @@ let
 
     # DEVELOPERS
     (fromDb "uninsane.org" // tech)
+    (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
     (fromDb "mg.lol" // tech)
     (fromDb "drewdevault.com" // tech)
     ## Ken Shirriff

hosts/common/home/default.nix

@@ -13,6 +13,8 @@
     ./mpv.nix
     ./neovim.nix
     ./newsflash.nix
+    ./offlineimap.nix
+    ./ripgrep.nix
     ./splatmoji.nix
     ./ssh.nix
     ./sublime-music.nix

hosts/common/home/offlineimap.nix

@@ -0,0 +1,17 @@
+# mail archiving/synchronization tool.
+#
+# manually download all emails for an account with
+# - `offlineimap -a <accountname>`
+#
+# view account names inside the secrets file, listed below.
+{ config, sane-lib, ... }:
+
+{
+  sops.secrets."offlineimaprc" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../../secrets/universal/offlineimaprc.bin;
+    format = "binary";
+  };
+  sane.user.fs.".config/offlineimap/config" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.offlineimaprc.path;
+}
+

hosts/common/home/ripgrep.nix

@@ -0,0 +1,9 @@
+{ sane-lib, ... }:
+{
+  # .ignore file is read by ripgrep (rg), silver searcher (ag), maybe others.
+  # ignore translation files by default when searching, as they tend to have
+  # a LOT of duplicate text.
+  sane.user.fs.".ignore" = sane-lib.fs.wantedText ''
+    po/
+  '';
+}

hosts/common/home/splatmoji.nix

@@ -6,7 +6,8 @@
 {
   sane.user.persist.plaintext = [ ".local/state/splatmoji" ];
   sane.user.fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
-    history_file=~/.local/state/splatmoji/history
+    # XXX doesn't seem to understand ~ as shorthand for `$HOME`
+    history_file=/home/colin/.local/state/splatmoji/history
     history_length=5
     # TODO: wayland equiv
     paste_command=xdotool key ctrl+v

hosts/common/home/ssh.nix

@@ -3,7 +3,8 @@
 with lib;
 let
   host = config.networking.hostName;
-  user-pubkey = config.sane.ssh.pubkeys."colin@${host}".asUserKey;
+  user-pubkey-full = config.sane.ssh.pubkeys."colin@${host}" or {};
+  user-pubkey = user-pubkey-full.asUserKey or null;
   host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
   known-hosts-text = concatStringsSep
     "\n"
@@ -13,7 +14,8 @@ in
 {
   # ssh key is stored in private storage
   sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.user.fs.".ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+  sane.user.fs.".ssh/id_ed25519.pub" =
+    mkIf (user-pubkey != null) (sane-lib.fs.wantedText user-pubkey);
   sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
 
   users.users.colin.openssh.authorizedKeys.keys =

hosts/common/home/zsh/default.nix

@@ -1,6 +1,8 @@
-{ pkgs, sane-lib, ... }:
+{ config, lib, pkgs, sane-lib, ... }:
 
 let
+  inherit (lib) mkOption types;
+  cfg = config.sane.zsh;
   # powerlevel10k prompt config
   # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
   p10k-overrides = ''
@@ -26,123 +28,134 @@ let
   '';
 in
 {
-  sane.user.persist.plaintext = [
-    # we don't need to full zsh dir -- just the history file --
-    # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
-    # TODO: should be private?
-    ".local/share/zsh"
-    # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
-    ".cache/gitstatus"
-  ];
-
-  # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
-  sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
-
-  # enable zsh completions
-  environment.pathsToLink = [ "/share/zsh" ];
-
-  programs.zsh = {
-    enable = true;
-    histFile = "$HOME/.local/share/zsh/history";
-    shellAliases = {
-      ":q" = "exit";
-      # common typos
-      "cd.." = "cd ..";
-      "cd../" = "cd ../";
+  options = {
+    sane.zsh = {
+      showDeadlines = mkOption {
+        type = types.bool;
+        default = true;
+        description = "show upcoming deadlines (frommy PKM) upon shell init";
+      };
     };
-    setOptions = [
-      # defaults:
-      "HIST_IGNORE_DUPS"
-      "SHARE_HISTORY"
-      "HIST_FCNTL_LOCK"
-      # disable `rm *` confirmations
-      "rmstarsilent"
-    ];
-
-    # .zshenv config:
-    shellInit = ''
-      ZDOTDIR=$HOME/.config/zsh
-    '';
-
-    # .zshrc config:
-    interactiveShellInit =
-      (builtins.readFile ./p10k.zsh)
-    + p10k-overrides
-    + prezto-init
-    + ''
-      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
-      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
-      autoload -Uz zmv
-
-      HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *)'
-
-      # extra aliases
-      # TODO: move to `shellAliases` config?
-      function nd() {
-        mkdir -p "$1";
-        pushd "$1";
-      }
-
-      expiration=$(date -d "6 Mar" +%s)
-      today=$(date +%s)
-      days_until=$(( ($expiration - $today) / (24*60*60) ))
-      echo "You have $days_until days to renew your driver's license"
-
-      # auto-cd into any of these dirs by typing them and pressing 'enter':
-      hash -d 3rd="/home/colin/dev/3rd"
-      hash -d dev="/home/colin/dev"
-      hash -d knowledge="/home/colin/knowledge"
-      hash -d nixos="/home/colin/nixos"
-      hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
-      hash -d ref="/home/colin/ref"
-      hash -d secrets="/home/colin/knowledge/secrets"
-      hash -d tmp="/home/colin/tmp"
-      hash -d uninsane="/home/colin/dev/uninsane"
-      hash -d Videos="/home/colin/Videos"
-    '';
-
-    syntaxHighlighting.enable = true;
-    vteIntegration = true;
   };
 
-  # enable a command-not-found hook to show nix packages that might provide the binary typed.
-  programs.nix-index.enable = true;
-  programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+  config = {
+    sane.user.persist.plaintext = [
+      # we don't need to full zsh dir -- just the history file --
+      # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
+      # TODO: should be private?
+      ".local/share/zsh"
+      # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
+      ".cache/gitstatus"
+    ];
 
-  # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
-  # see: https://github.com/sorin-ionescu/prezto
-  # i believe this file is auto-sourced by the prezto init.zsh script.
-  sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
-    zstyle ':prezto:*:*' color 'yes'
+    # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
+    sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
 
-    # modules (they ship with prezto):
-    # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
-    # TERMINAL: auto-titles terminal (e.g. based on cwd)
-    # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
-    # HISTORY: `history-stat` alias, setopts for good history defaults
-    # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
-    # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
-    # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
-    #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
-    # COMPLETION: tab completion. requires `utility` module prior to loading
-    # TODO: enable AUTO_PARAM_SLASH
-    zstyle ':prezto:load' pmodule \
-      'environment' \
-      'terminal' \
-      'editor' \
-      'history' \
-      'directory' \
-      'spectrum' \
-      'utility' \
-      'completion' \
-      'prompt'
+    # enable zsh completions
+    environment.pathsToLink = [ "/share/zsh" ];
 
-    # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
-    zstyle ':prezto:module:editor' key-bindings 'emacs'
+    programs.zsh = {
+      enable = true;
+      histFile = "$HOME/.local/share/zsh/history";
+      shellAliases = {
+        ":q" = "exit";
+        # common typos
+        "cd.." = "cd ..";
+        "cd../" = "cd ../";
+      };
+      setOptions = [
+        # defaults:
+        "HIST_IGNORE_DUPS"
+        "SHARE_HISTORY"
+        "HIST_FCNTL_LOCK"
+        # disable `rm *` confirmations
+        "rmstarsilent"
+      ];
 
-    zstyle ':prezto:module:prompt' theme 'powerlevel10k'
+      # .zshenv config:
+      shellInit = ''
+        ZDOTDIR=$HOME/.config/zsh
+      '';
 
-    # disable `mv` confirmation (and `rm`, too, unfortunately)
-    zstyle ':prezto:module:utility' safe-ops 'no'
-  '';
+      # .zshrc config:
+      interactiveShellInit =
+        (builtins.readFile ./p10k.zsh)
+      + p10k-overrides
+      + prezto-init
+      + ''
+        # zmv is a way to do rich moves/renames, with pattern matching/substitution.
+        # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
+        autoload -Uz zmv
+
+        HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch)'
+
+        # extra aliases
+        # TODO: move to `shellAliases` config?
+        function nd() {
+          mkdir -p "$1";
+          pushd "$1";
+        }
+      ''
+      + lib.optionalString cfg.showDeadlines ''
+        ${pkgs.sane-scripts}/bin/sane-deadlines
+      ''
+      + ''
+        # auto-cd into any of these dirs by typing them and pressing 'enter':
+        hash -d 3rd="/home/colin/dev/3rd"
+        hash -d dev="/home/colin/dev"
+        hash -d knowledge="/home/colin/knowledge"
+        hash -d nixos="/home/colin/nixos"
+        hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
+        hash -d ref="/home/colin/ref"
+        hash -d secrets="/home/colin/knowledge/secrets"
+        hash -d tmp="/home/colin/tmp"
+        hash -d uninsane="/home/colin/dev/uninsane"
+        hash -d Videos="/home/colin/Videos"
+      '';
+
+      syntaxHighlighting.enable = true;
+      vteIntegration = true;
+    };
+
+    # enable a command-not-found hook to show nix packages that might provide the binary typed.
+    programs.nix-index.enable = true;
+    programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+
+    # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+    # see: https://github.com/sorin-ionescu/prezto
+    # i believe this file is auto-sourced by the prezto init.zsh script.
+    sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
+      zstyle ':prezto:*:*' color 'yes'
+
+      # modules (they ship with prezto):
+      # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
+      # TERMINAL: auto-titles terminal (e.g. based on cwd)
+      # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
+      # HISTORY: `history-stat` alias, setopts for good history defaults
+      # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
+      # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
+      # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
+      #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
+      # COMPLETION: tab completion. requires `utility` module prior to loading
+      # TODO: enable AUTO_PARAM_SLASH
+      zstyle ':prezto:load' pmodule \
+        'environment' \
+        'terminal' \
+        'editor' \
+        'history' \
+        'directory' \
+        'spectrum' \
+        'utility' \
+        'completion' \
+        'prompt'
+
+      # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
+      zstyle ':prezto:module:editor' key-bindings 'emacs'
+
+      zstyle ':prezto:module:prompt' theme 'powerlevel10k'
+
+      # disable `mv` confirmation (and `rm`, too, unfortunately)
+      zstyle ':prezto:module:utility' safe-ops 'no'
+    '';
+  };
 }

hosts/common/ids.nix

@@ -1,4 +1,6 @@
 # TODO: migrate to nixpkgs `config.ids.uids`
+# - note that nixpkgs' `config.ids.uids` is strictly a database: it doesn't set anything by default
+#   whereas our impl sets the gid/uid of the user/group specified if they exist.
 { ... }:
 
 {
@@ -36,7 +38,7 @@
   sane.ids.sshd.uid = 2001;  # 997
   sane.ids.sshd.gid = 2001;  # 997
   sane.ids.polkituser.gid = 2002;  # 998
-  # sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12: upstream now specifies this as 151
+  sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12-2023/02/28: upstream temporarily specified this as 151
   sane.ids.nscd.uid = 2004;
   sane.ids.nscd.gid = 2004;
   sane.ids.systemd-oom.uid = 2005;

hosts/common/programs.nix

@@ -55,6 +55,7 @@ let
       smartmontools
       socat
       strace
+      subversion
       tcpdump
       tree
       usbutils
@@ -81,6 +82,7 @@ let
   tuiPkgs = {
     inherit (pkgs)
       aerc  # email client
+      offlineimap  # email mailox sync
       visidata  # TUI spreadsheet viewer/editor
       w3m
     ;
@@ -160,7 +162,7 @@ let
       "gnome.nautilus"
       # gnome-podcasts
       "gnome.gnome-system-monitor"
-      "gnome.gnome-terminal"  # works on phosh
+      # "gnome.gnome-terminal"  # works on phosh
       "gnome.gnome-weather"
       gpodder-configured
       gthumb
@@ -191,6 +193,7 @@ let
   desktopGuiPkgs = {
     inherit (flattenedPkgs)
       audacity
+      brave  # for the integrated wallet -- as a backup
       chromium
       dino
       electrum
@@ -199,6 +202,8 @@ let
       gajim  # XMPP client
       gimp  # broken on phosh
       "gnome.gnome-disk-utility"
+      handbrake
+      hase
       inkscape
       kdenlive
       kid3  # audio tagging
@@ -215,9 +220,6 @@ let
       # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
       # gpt2tc  # XXX: unreliable mirror
 
-      # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
-      handbrake
-
       logseq
       losslesscut-bin
       makemkv
@@ -229,6 +231,13 @@ let
     ;
   };
 
+  # packages not part of any package set
+  otherPkgs = {
+    inherit (pkgs)
+      stepmania
+    ;
+  };
+
   # define -- but don't enable -- the packages in some attrset.
   # use `mkDefault` for the package here so we can customize some of them further down this file
   declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
@@ -246,6 +255,7 @@ in
       (declarePkgs sysadminExtraPkgs)
       (declarePkgs tuiPkgs)
       (declarePkgs x86GuiPkgs)
+      (declarePkgs otherPkgs)
       {
         # link the various package sets into their own meta packages
         consoleUtils = {

hosts/common/secrets.nix

@@ -103,6 +103,10 @@
     sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
     format = "binary";
   };
+  sops.secrets."iwd/makespace-south.psk" = {
+    sopsFile = ../../secrets/universal/net/makespace-south.psk.bin;
+    format = "binary";
+  };
   sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = {
     sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin;
     format = "binary";

hosts/modules/gui/phosh.nix

@@ -28,6 +28,7 @@ in
           "guiApps"
           # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
           "gnome.gnome-bluetooth"
+          "gnome.gnome-terminal"
           "phosh-mobile-settings"
           # "plasma5Packages.konsole"  # more reliable terminal
         ];
@@ -37,11 +38,13 @@ in
       sane.programs = {
         inherit (pkgs // {
           "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
+          "gnome.gnome-terminal" = pkgs.gnome.gnome-terminal;
           "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
         })
           phosh-mobile-settings
           "plasma5Packages.konsole"
           # "gnome.gnome-bluetooth"
+          "gnome.gnome-terminal"
         ;
       };
     }
@@ -52,8 +55,8 @@ in
       # TODO(2023/02/28): remove this qt.style = "gtk2" override.
       # gnome by default tells qt to stylize its apps similar to gnome.
       # but the package needed for that doesn't cross-compile, hence i disable that here.
-      qt.platformTheme = "gtk2";
-      qt.style = "gtk2";
+      # qt.platformTheme = "gtk2";
+      # qt.style = "gtk2";
 
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
       services.xserver.desktopManager.phosh = {
@@ -88,8 +91,6 @@ in
       # gnome doesn't use mkDefault for these -- unclear why not
       services.gnome.evolution-data-server.enable = mkForce false;
       services.gnome.gnome-online-miners.enable = mkForce false;
-      # TODO: re-enable this once we can cross-compile gvfs
-      services.gvfs.enable = mkForce false;
 
       # XXX: phosh enables networkmanager by default; can probably disable these lines
       networking.useDHCP = false;

hosts/modules/gui/sway.nix

@@ -133,6 +133,7 @@ in
           # # "pavucontrol"
           "gnome.gnome-bluetooth"
           "gnome.gnome-control-center"
+          "sway-contrib.grimshot"
         ];
       };
     }
@@ -141,6 +142,7 @@ in
         inherit (pkgs // {
           "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
           "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
+          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
         })
           swaylock
           swayidle
@@ -148,6 +150,7 @@ in
           mako
           "gnome.gnome-bluetooth"
           "gnome.gnome-control-center"
+          "sway-contrib.grimshot"
         ;
       };
     }

hosts/modules/hardware/x86_64.nix

@@ -9,11 +9,6 @@
       # efi_pstore evivars
     ];
 
-    # enable cross compilation
-    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-    # nixpkgs.config.allowUnsupportedSystem = true;
-    # nixpkgs.crossSystem.system = "aarch64-linux";
-
     powerManagement.cpuFreqGovernor = "powersave";
     hardware.cpu.amd.updateMicrocode = true;    # desktop
     hardware.cpu.intel.updateMicrocode = true;  # laptop

hosts/modules/hosts.nix

@@ -94,7 +94,7 @@ in
       wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
       wg-home.ip = "10.0.10.5";
       wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.0.5";
+      lan-ip = "192.168.15.28";
     };
   };
 }

hosts/modules/nixcache.nix

@@ -13,6 +13,7 @@
 with lib;
 let
   cfg = config.sane.nixcache;
+  hostName = config.networking.hostName;
 in
 {
   options = {
@@ -24,6 +25,16 @@ in
       default = config.sane.nixcache.enable;
       type = types.bool;
     };
+    sane.nixcache.substituters = mkOption {
+      type = types.listOf types.string;
+      default =
+        (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
+        ++ (lib.optional (hostName != "desko") "http://desko:5000")
+        ++ [
+          "https://nix-community.cachix.org"
+          "https://cache.nixos.org/"
+        ];
+    };
   };
 
   config = {
@@ -31,12 +42,7 @@ in
     # to explicitly build from a specific cache (in case others are down):
     # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
     # - `nix build ... --substituters http://desko:5000`
-    nix.settings.substituters = mkIf cfg.enable [
-      "https://nixcache.uninsane.org"
-      "http://desko:5000"
-      "https://nix-community.cachix.org"
-      "https://cache.nixos.org/"
-    ];
+    nix.settings.substituters = mkIf cfg.enable cfg.substituters;
     # always trust our keys (so one can explicitly use a substituter even if it's not the default
     nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
       "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="

hosts/modules/roles/build-machine.nix

@@ -0,0 +1,59 @@
+{ config, lib, sane-lib, ... }:
+
+let
+  inherit (lib) mkIf mkMerge mkOption types;
+  inherit (config.programs.ccache) cacheDir;
+in
+{
+  options.sane.roles.build-machine = mkOption {
+    type = types.bool;
+    default = false;
+  };
+
+  config = mkMerge [
+    {
+      # programs.ccache.cacheDir = "/var/cache/ccache";  # nixos default
+      # programs.ccache.cacheDir = "/homeless-shelter/.ccache";  # ccache default (~/.ccache)
+
+      # if the cache doesn't reside at ~/.ccache, then CCACHE_DIR has to be set.
+      # we can do that manually as commented out below, or let nixos do it for us by telling it to use ccache on a dummy package:
+      programs.ccache.packageNames = [ "dummy-pkg-to-force-ccache-config" ];
+      # nixpkgs.overlays = [
+      #   (self: super: {
+      #     # XXX: if the cache resides not at ~/.ccache (i.e. /homeless-shelter/.ccache)
+      #     # then we need to explicitly tell ccache where that is.
+      #     ccacheWrapper = super.ccacheWrapper.override {
+      #       extraConfig = ''
+      #         export CCACHE_DIR="${cacheDir}"
+      #       '';
+      #     };
+      #   })
+      # ];
+    }
+    (mkIf config.sane.roles.build-machine {
+      # serve packages to other machines that ask for them
+      sane.services.nixserve.enable = true;
+
+      # enable cross compilation
+      boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+      # nixpkgs.config.allowUnsupportedSystem = true;
+
+      # granular compilation cache
+      # docs: <https://nixos.wiki/wiki/CCache>
+      # investigate the cache with:
+      # - `nix-ccache --show-stats`
+      # - `build '.#ccache'
+      #   - `sudo CCACHE_DIR=/var/cache/ccache ./result/bin/ccache --show-stats -v`
+      # TODO: whitelist `--verbose` in <nixpkgs:nixos/modules/programs/ccache.nix>
+      # TODO: configure without compression (leverage fs-level compression), and enable file-clone (i.e. hardlinks)
+      programs.ccache.enable = true;
+      nix.settings.extra-sandbox-paths = [ cacheDir ];
+      sane.persist.sys.plaintext = [
+        { group = "nixbld"; mode = "0775"; directory = config.programs.ccache.cacheDir; }
+      ];
+      sane.fs."${cacheDir}/ccache.conf" = sane-lib.fs.wantedText ''
+        max_size = 50G
+      '';
+    })
+  ];
+}

hosts/modules/roles/default.nix

@@ -1,6 +1,7 @@
 { ... }:
 {
   imports = [
+    ./build-machine.nix
     ./client
   ];
 }

modules/data/feeds/sources/feeds.libsyn.com/421877/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 272569,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Audio version of the posts shared in the LessWrong Curated newsletter.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [
+    "https://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 56,
+  "last_updated": "2023-03-08T08:00:00+00:00",
+  "score": 32,
+  "self_url": "https://feeds.buzzsprout.com/2037297.rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "LessWrong Curated Podcast",
+  "url": "https://feeds.buzzsprout.com/2037297.rss",
+  "velocity": 0.192,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.megaphone.fm/hubermanlab/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1377252,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Andrew Huberman, Ph.D.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 129,
+  "last_updated": "2023-03-06T09:00:00+00:00",
+  "score": 14,
+  "self_url": "https://feeds.megaphone.fm/hubermanlab",
+  "site_name": "",
+  "site_url": "",
+  "title": "Huberman Lab",
+  "url": "https://feeds.megaphone.fm/hubermanlab",
+  "velocity": 0.159,
+  "version": "rss20"
+}

modules/data/feeds/sources/mapspodcast.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 256360,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Hosted by Zach Leary, the intent of the podcast is to bring you the listener an easily accessible resource for a variety of topics all related to psychedelic research. There is a lot to learn about new research into the therapeutic potential of psychedelics and marijuana. Over the years, the Multidisciplinary Association for Psychedelic Studies (MAPS) has amassed an incredible treasure trove of audio archives sourced from the amazing talks, presentations and panels that have taken place at past Psychedelic Science conferences and other unique events. By selecting some of that content and then bringing it to you in a podcast we hope to create a centralized location for the greater MAPS community. If you're a researcher, scientist, medical professional or just a curiosity seeker we hope that you'll find this content a valuable resource tool.\n\nPlease visit the MAPS website at https://maps.org",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 62,
+  "last_updated": "2023-03-06T20:20:00+00:00",
+  "score": 0,
+  "self_url": "https://feeds.libsyn.com/95610/rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "MAPS Podcast",
+  "url": "https://feeds.libsyn.com/95610/rss",
+  "velocity": 0.028,
+  "version": "rss20"
+}

modules/data/feeds/sources/thisweek.gnome.org/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1250267,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Recent content on This Week in GNOME",
+  "favicon": "https://thisweek.gnome.org/images/favicon-32x32.png",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAABYAAAAWABINkT2gAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAI5SURBVFiFvdZPiE1RHAfwz/xBxhSTISxYaJSiJAklioWNjYWVhYWUtYRMslEWSv7WkPybsbHSGMmGDUmhyEKihMgsjMQsnjEW597emdt7z7vvvplvnTr3d3/n9/3ec8/vd35MHVqnkAu0YR+eoYQxPMWyZhEswH0M43DmXTuGMF5hXGyWgMEo6A8Tt/h0FfJxnGmEbA160ZU8twvbGgeenrxbgj81BKzNS746IhtIbB2ZoJ8j/6M1yIfyksORKMB3tCT2T5H9cuR/qwr5NyzMBq8nNYaj+Zxonu5GSfjnKdoqxBjBdnypg08XruFA8jwfv5W/IkUH+rAzs77XxC9/g1X1EKc4Fy3enNj2Cnl8qY71nejHk0TMzDzkcCUScCGy92BG3mD/Q3sF2w3sTuZLI/vbaN6NbVgnpN28xFYSDudjYRfiNblwTNiBqxn7VtxRO8/TUcL+RgXACsxN5otxtw7S7PiLlUVEwAbh9OclT8euIuTLheLTKPm4cE4aQgseFSR/qFw5c2NjQfJ3WNQoOZwoQH5PSMtCGGiAeBSHNKn96stJ/kAT2y3YUyfxLxw0CU1nj1BIapG/EErxpCHu+7Ljo3KlTNGNs/iQ+PzE8SIC1qu+C6cq+Fcq1yNFBMDJKgKeY1rG93UFv9tFBUwXrtdKIgaV832T0LRkfbYUFQCzVS/Lo3il8hXd3wzyFJ24WUVEtXtgVjMFpNiB9zWIx4RWLncvmAetQkt2XTh4X/ES5zWhAZlS/AMHdE5EpHwlOQAAAABJRU5ErkJggg==",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 86,
+  "last_updated": "2023-03-10T00:00:00+00:00",
+  "score": 46,
+  "self_url": "https://thisweek.gnome.org/index.xml",
+  "site_name": "This Week in GNOME",
+  "site_url": "https://thisweek.gnome.org",
+  "title": "This Week in GNOME",
+  "url": "https://thisweek.gnome.org/index.xml",
+  "velocity": 0.141,
+  "version": "rss20"
+}

modules/persist/default.nix

@@ -124,6 +124,9 @@ let
   #   <option>.private.".cache/vim" = { mode = "0700"; };
   # to place ".cache/vim" into the private store and create with the appropriate mode
   dirsSubModule = types.submodule ({ config, ... }: {
+    # TODO: this should be a plain-old `attrsOf (convertInlineAcl entryInStoreOrShorthand)` with downstream checks,
+    #   rather than being filled in based on *other* settings.
+    #   otherwise, it behaves poorly when `sane.persist.enable = false`
     options = lib.attrsets.unionOfDisjoint
       (mapAttrs (store: store-cfg: mkOption {
         default = [];

modules/services/dyn-dns.nix

@@ -3,6 +3,11 @@
 with lib;
 let
   cfg = config.sane.services.dyn-dns;
+  getIp = pkgs.writeShellScript "dyn-dns-query-wan" ''
+    # preferred method and fallback
+    ${pkgs.sane-scripts}/bin/sane-ip-check-router-wan || \
+      ${pkgs.sane-scripts}/bin/sane-ip-check
+  '';
 in
 {
   options = {
@@ -19,7 +24,7 @@ in
       };
 
       ipCmd = mkOption {
-        default = "${pkgs.sane-scripts}/bin/sane-ip-check-router-wan";
+        default = "${getIp}";
         type = types.path;
         description = "command to run to query the current WAN IP";
       };

nixpatches/2023-02-28-mesa-22.3.6.patch

@@ -0,0 +1,23 @@
+diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
+index 52633a6d21649..20d839b74c2ea 100644
+--- a/pkgs/development/libraries/mesa/default.nix
++++ b/pkgs/development/libraries/mesa/default.nix
+@@ -88,7 +88,7 @@
+ let
+   # Release calendar: https://www.mesa3d.org/release-calendar.html
+   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
+-  version = "22.3.5";
++  version = "22.3.6";
+   branch  = lib.versions.major version;
+ 
+   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
+@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
+       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
+       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
+     ];
+-    sha256 = "3eed2ecae2bc674494566faab9fcc9beb21cd804c7ba2b59a1694f3d7236e6a9";
++    hash = "sha256-TsjsZdvbHulETbpylwiQEooZVDpYzwWTG9b1TxJOEX8=";
+   };
+ 
+   # TODO:
+

nixpatches/2023-03-03-qtbase-cross-compile.patch

@@ -0,0 +1,34 @@
+diff --git a/pkgs/development/libraries/qt-6/modules/qtbase.nix b/pkgs/development/libraries/qt-6/modules/qtbase.nix
+index e71b0a7613d..72779ac57a5 100644
+--- a/pkgs/development/libraries/qt-6/modules/qtbase.nix
++++ b/pkgs/development/libraries/qt-6/modules/qtbase.nix
+@@ -5,6 +5,7 @@
+ , version
+ , coreutils
+ , bison
++, buildPackages
+ , flex
+ , gdb
+ , gperf
+@@ -224,6 +225,8 @@ stdenv.mkDerivation rec {
+   ] ++ lib.optionals stdenv.isDarwin [
+     # error: 'path' is unavailable: introduced in macOS 10.15
+     "-DQT_FEATURE_cxx17_filesystem=OFF"
++  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
++    "-DQT_HOST_PATH=${buildPackages.qt6.full}"
+   ];
+ 
+   NIX_LDFLAGS = toString (lib.optionals stdenv.isDarwin [
+diff --git a/pkgs/development/libraries/qt-6/qtModule.nix b/pkgs/development/libraries/qt-6/qtModule.nix
+index 28180d3b0ca..f14c73b10ee 100644
+--- a/pkgs/development/libraries/qt-6/qtModule.nix
++++ b/pkgs/development/libraries/qt-6/qtModule.nix
+@@ -61,7 +61,7 @@ stdenv.mkDerivation (args // {
+       if [[ -z "$dontSyncQt" && -f sync.profile ]]; then
+         # FIXME: this probably breaks crosscompiling as it's not from nativeBuildInputs
+         # I don't know how to get /libexec from nativeBuildInputs to work, it's not under /bin
+-        ${lib.getDev self.qtbase}/libexec/syncqt.pl -version "''${version%%-*}"
++        perl ${lib.getDev self.qtbase}/libexec/syncqt.pl -version "''${version%%-*}"
+       fi
+     '';
+ 

nixpatches/2023-03-04-ccache-cross-fix.patch

@@ -0,0 +1,65 @@
+diff --git a/pkgs/development/tools/misc/ccache/default.nix b/pkgs/development/tools/misc/ccache/default.nix
+index cad25a942d6..9130097ab07 100644
+--- a/pkgs/development/tools/misc/ccache/default.nix
++++ b/pkgs/development/tools/misc/ccache/default.nix
+@@ -2,7 +2,7 @@
+ , stdenv
+ , fetchFromGitHub
+ , substituteAll
+-, binutils
++, buildPackages
+ , asciidoctor
+ , cmake
+ , perl
+@@ -33,7 +33,7 @@ let ccache = stdenv.mkDerivation rec {
+     # Darwin.
+     (substituteAll {
+       src = ./force-objdump-on-darwin.patch;
+-      objdump = "${binutils.bintools}/bin/objdump";
++      objdump = "${buildPackages.binutils.bintools}/bin/objdump";
+     })
+   ];
+ 
+@@ -71,11 +71,12 @@ let ccache = stdenv.mkDerivation rec {
+   passthru = {
+     # A derivation that provides gcc and g++ commands, but that
+     # will end up calling ccache for the given cacheDir
+-    links = {unwrappedCC, extraConfig}: stdenv.mkDerivation {
++    links = {unwrappedCC, extraConfig, targetPrefix ? ""}: stdenv.mkDerivation {
+       name = "ccache-links";
+       passthru = {
+         isClang = unwrappedCC.isClang or false;
+         isGNU = unwrappedCC.isGNU or false;
++        cc = unwrappedCC;
+       };
+       inherit (unwrappedCC) lib;
+       nativeBuildInputs = [ makeWrapper ];
+@@ -83,7 +84,7 @@ let ccache = stdenv.mkDerivation rec {
+         mkdir -p $out/bin
+ 
+         wrap() {
+-          local cname="$1"
++          local cname="${targetPrefix}$1"
+           if [ -x "${unwrappedCC}/bin/$cname" ]; then
+             makeWrapper ${ccache}/bin/ccache $out/bin/$cname \
+               --run ${lib.escapeShellArg extraConfig} \
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index cb6fd2f0c4d..da4aadff3cb 100644
+--- a/pkgs/top-level/all-packages.nix
++++ b/pkgs/top-level/all-packages.nix
+@@ -17383,10 +17383,12 @@ with pkgs;
+   # should be owned by user root, group nixbld with permissions 0770.
+   ccacheWrapper = makeOverridable ({ extraConfig, cc }:
+     cc.override {
+-      cc = ccache.links {
++      cc = ccache.links ({
+         inherit extraConfig;
+         unwrappedCC = cc.cc;
+-      };
++      } // lib.optionalAttrs (cc ? targetPrefix) {
++        inherit (cc) targetPrefix;
++      });
+     }) {
+       extraConfig = "";
+       inherit (stdenv) cc;
+

nixpatches/2023-03-10-hase.patch

@@ -0,0 +1,178 @@
+diff --git a/pkgs/development/libraries/sparrow3d/default.nix b/pkgs/development/libraries/sparrow3d/default.nix
+new file mode 100644
+index 00000000000..331a02efc5f
+--- /dev/null
++++ b/pkgs/development/libraries/sparrow3d/default.nix
+@@ -0,0 +1,53 @@
++{ lib
++, fetchFromGitHub
++, pkg-config
++, SDL
++, SDL_image
++, SDL_mixer
++, SDL_net
++, SDL_ttf
++, stdenv
++}:
++
++stdenv.mkDerivation (finalAttrs: {
++  pname = "sparrow3d";
++  version = "2020-10-06";
++
++  src = fetchFromGitHub {
++    owner = "theZiz";
++    repo = "sparrow3d";
++    rev = "2033349d7adeba34bda2c442e1fec22377471134";
++    hash = "sha256-28j5nbTYBrMN8BQ6XrTlO1D8Viw+RiT3MAl99BAbhR4=";
++  };
++
++  nativeBuildInputs = [
++    pkg-config
++  ];
++
++  propagatedBuildInputs = [
++    SDL.dev
++    SDL_image
++    SDL_ttf
++    SDL_mixer
++    SDL_net
++  ];
++
++  postConfigure = ''
++    NIX_CFLAGS_COMPILE=$(pkg-config --cflags SDL_image SDL_ttf SDL_mixer SDL_net)
++  '';
++
++  installPhase = ''
++    mkdir -p $out/{include,lib/pkgconfig}
++    cp sparrow*.h $out/include
++    cp libsparrow{3d,Net,Sound}.so $out/lib
++    substituteAll ${./sparrow3d.pc.in} $out/lib/pkgconfig/sparrow3d.pc
++  '';
++
++  meta = with lib; {
++    description = "a software renderer for different open handhelds like the gp2x, wiz, caanoo and pandora";
++    homepage = "https://github.com/theZiz/sparrow3d";
++    license = licenses.lgpl21;
++    maintainers = with maintainers; [ colinsane ];
++    platforms = [ "x86_64-linux" ];
++  };
++})
+diff --git a/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in b/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in
+new file mode 100644
+index 00000000000..046e174ea97
+--- /dev/null
++++ b/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in
+@@ -0,0 +1,17 @@
++prefix=@out@
++includedir=${prefix}/include
++libdir=${prefix}/lib
++
++Name: sparrow3d
++Description: a software renderer for different open handhelds like the gp2x, wiz, caanoo and pandora
++URL: https://github.com/theZiz/sparrow3d
++Version: @version@
++Requires: \
++  sdl \
++  SDL_image \
++  SDL_ttf \
++  SDL_mixer \
++  SDL_net
++Cflags: -isystem${includedir}
++Libs: -L${libdir} -lsparrow3d -lsparrowNet -lsparrowSound
++
+diff --git a/pkgs/games/hase/default.nix b/pkgs/games/hase/default.nix
+new file mode 100644
+index 00000000000..794b6d017ae
+--- /dev/null
++++ b/pkgs/games/hase/default.nix
+@@ -0,0 +1,49 @@
++{ lib
++, fetchFromGitHub
++, pkg-config
++, stdenv
++, sparrow3d
++, zlib
++}:
++
++stdenv.mkDerivation {
++  pname = "hase";
++  version = "2020-10-06";
++
++  src = fetchFromGitHub {
++    owner = "theZiz";
++    repo = "hase";
++    rev = "31d6840cdf0c72fc459f10402dae7726096b2974";
++    hash = "sha256-d9So3E8nCQJ1/BdlwMkGbaFPT9mkX1VzlDGKp71ptEE=";
++  };
++  patches = [ ./prefer-dynamic.patch ];
++
++  nativeBuildInputs = [
++    pkg-config
++  ];
++
++  buildInputs = [
++    sparrow3d
++    zlib
++  ];
++
++  buildPhase = ''
++    NIX_CFLAGS_COMPILE=$(pkg-config --cflags sparrow3d zlib)
++    mkdir -p $out/{bin,share/applications,share/pixmaps}
++    # build and install are one step, and inseparable without patching
++    ./install.sh $out
++  '';
++
++  postFixup = ''
++    substituteInPlace "$out/share/applications/hase.desktop" \
++      --replace "Exec=hase" "Exec=$out/bin/hase"
++  '';
++
++  meta = with lib; {
++    description = "Hase is an open source gravity based artillery shooter. It is similar to Worms, Hedgewars or artillery, but the gravity force and direction depends on the mass nearby. It is optimized for mobile game consoles like the GP2X, Open Pandora or GCW Zero";
++    homepage = "http://ziz.gp2x.de/hase/";
++    license = licenses.gpl3;
++    maintainers = with maintainers; [ colinsane ];
++    platforms = [ "x86_64-linux" ];
++  };
++}
+diff --git a/pkgs/games/hase/prefer-dynamic.patch b/pkgs/games/hase/prefer-dynamic.patch
+new file mode 100644
+index 00000000000..ab36e6b2b3d
+--- /dev/null
++++ b/pkgs/games/hase/prefer-dynamic.patch
+@@ -0,0 +1,13 @@
++diff --git a/Makefile b/Makefile
++index 95d894e..3c561c1 100644
++--- a/Makefile
+++++ b/Makefile
++@@ -35,7 +35,7 @@ endif
++ LIB += -L$(SPARROW_LIB)
++ INCLUDE += -I$(SPARROW_FOLDER)
++ 
++-HASE_STATIC = $(SPARROW_LIB)/$(SPARROW3D_STATIC_LIB) $(SPARROW_LIB)/$(SPARROWSOUND_STATIC_LIB) $(SPARROW_LIB)/$(SPARROWNET_STATIC_LIB) $(STATIC)
+++DYNAMIC += -lsparrow3d -lsparrowSound -lsparrowNet
++ 
++ ifneq ($(TARGET),win32)
++ DYNAMIC += -lz
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index 521b00eb5f5..31052251314 100644
+--- a/pkgs/top-level/all-packages.nix
++++ b/pkgs/top-level/all-packages.nix
+@@ -23550,6 +23550,8 @@ with pkgs;
+ 
+   spaceship-prompt = callPackage ../shells/zsh/spaceship-prompt {};
+ 
++  sparrow3d = callPackage ../development/libraries/sparrow3d {};
++
+   spdk = callPackage ../development/libraries/spdk { };
+ 
+   speechd = callPackage ../development/libraries/speechd { };
+@@ -35570,6 +35572,8 @@ with pkgs;
+ 
+   harmonist = callPackage ../games/harmonist { };
+ 
++  hase = callPackage ../games/hase { };
++
+   hedgewars = libsForQt5.callPackage ../games/hedgewars {
+     inherit (haskellPackages) ghcWithPackages;
+   };

nixpatches/list.nix

@@ -13,14 +13,6 @@
     hash = "sha256-IvsIcd2wPdz4b/7FMrDrcVlIZjFecCQ9uiL0Umprbx0=";
   })
 
-  # fix handbrake build by: handbrake: 1.5.1 -> 1.6.1
-  # PR opened 2023/01/23
-  # (fetchpatch {
-  #   # see alternate fix: <https://github.com/NixOS/nixpkgs/pull/211834>
-  #   url = "https://github.com/NixOS/nixpkgs/pull/212306.diff";
-  #   hash = "sha256-PnPzvJymafa+zjkauQW0LzFsJC7S+7D9JRszTE3in+w=";
-  # })
-
   # (fetchpatch {
   #   # stdenv: fix cc for pseudo-crosscompilation
   #   # closed because it breaks pkgsStatic (as of 2023/02/12)
@@ -31,9 +23,27 @@
   ./2022-12-19-i2p-aarch64.patch
 
   # fix for CMA memory leak in mesa: <https://gitlab.freedesktop.org/mesa/mesa/-/issues/8198>
+  # fixed in mesa 22.3.6: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21330/diffs>
   # only necessary on aarch64.
   # it's a revert of nixpkgs commit dcf630c172df2a9ecaa47c77f868211e61ae8e52
-  ./2023-01-30-mesa-cma-leak.patch
+  # ./2023-01-30-mesa-cma-leak.patch
+  # upgrade to 22.3.6 instead
+  # ./2023-02-28-mesa-22.3.6.patch
+
+  # fix qt6.qtbase and qt6.qtModule to cross-compile.
+  # unfortunately there's some tangle that makes that difficult to do via the normal `override` facilities
+  ./2023-03-03-qtbase-cross-compile.patch
+
+  # let ccache cross-compile
+  ./2023-03-04-ccache-cross-fix.patch
+
+  # 2023-03-09: phosh: 0.23 -> 0.25.1
+  # (fetchpatch {
+  #   url = "https://github.com/NixOS/nixpkgs/pull/219355.diff";
+  #   hash = "sha256-hx2keVWuokla2Oi92zoXsnjVuwakxL2cB55ctzlO8OQ=";
+  # })
+
+  ./2023-03-10-hase.patch
 
   # # kaiteki: init at 2022-09-03
   # vendorHash changes too frequently (might not be reproducible).

overlays/optimizations.nix

@@ -0,0 +1,32 @@
+(self: super:
+with self;
+let
+  # ccache-able = drv: drv.override { stdenv = builtins.trace "with ccache ${drv.name}" ccacheStdenv; };
+  ccache-able = drv: drv.override { stdenv = builtins.trace "with ccache: ${drv.name}" ccacheStdenv; };
+in {
+  # TODO: if we link /homeless-shelter/.ccache into the nix environment,
+  # then maybe we get better use of upstream caches?
+  # ccacheWrapper = super.ccacheWrapper.override {
+  #   extraConfig = ''
+  #     export CCACHE_DIR="/var/cache/ccache"
+  #   '';
+  # };
+  # ccacheStdenv = super.ccacheStdenv.override {
+  #   extraConfig = ''
+  #     export CCACHE_DIR="/homeless-shelter/.ccache"
+  #   '';
+  # };
+  # firefox-esr = ccache-able super.firefox-esr;
+  # firefox/librewolf distribution is wacky: it grabs the stdenv off of `rustc.llvmPackages`, and really wants those to match.
+  # buildMozillaMach = opts: ccache-able (super.buildMozillaMach opts);
+  # webkitgtk = ccache-able super.webkitgtk;
+  # mesa = ccache-able super.mesa;
+
+  webkitgtk = super.webkitgtk.overrideAttrs (_upstream: {
+    # means we drop debug info when linking.
+    # this is a trade-off to require less memory when linking, since
+    # building `webkitgtk` otherwise requires about 40G+ of RAM.
+    # <https://github.com/NixOS/nixpkgs/issues/153528>
+    separateDebugInfo = false;
+  });
+})

overlays/pins.nix

@@ -15,4 +15,7 @@
   # so just forward the unstable packages.
   inherit (next.stable or prev)
   ;
+  # chromium can take 4 hours to build from source, with no signs of progress.
+  # disable it if you're in a rush.
+  # chromium = next.emptyDirectory;
 })

overlays/pkgs.nix

@@ -1,46 +1,41 @@
 (next: prev:
+  with next;
   let
     sane = rec {
       #### my own, non-upstreamable packages:
-      sane-scripts = prev.callPackage ../pkgs/sane-scripts { };
-      feeds = prev.callPackage ../pkgs/feeds { };
-      tow-boot-pinephone = prev.callPackage ../pkgs/tow-boot-pinephone { };
-      tow-boot-rpi4 = prev.callPackage ../pkgs/tow-boot-rpi4 { };
-      bootpart-uefi-x86_64 = prev.callPackage ../pkgs/bootpart-uefi-x86_64 { };
-      bootpart-tow-boot-rpi-aarch64 = prev.callPackage ../pkgs/bootpart-tow-boot-rpi-aarch64 {
-        # not sure why i can't just do `next.callPackage` instead
-        inherit tow-boot-rpi4;
-      };
-      bootpart-u-boot-rpi-aarch64 = prev.callPackage ../pkgs/bootpart-u-boot-rpi-aarch64 {
-        # not sure why i can't just do `next.callPackage` instead
-        inherit ubootRaspberryPi4_64bit;
-      };
-      rtl8723cs-firmware = prev.callPackage ../pkgs/rtl8723cs-firmware { };
-      linux-megous = prev.callPackage ../pkgs/linux-megous {
+      sane-scripts = callPackage ../pkgs/sane-scripts { };
+      feeds = recurseIntoAttrs (callPackage ../pkgs/feeds { });
+      tow-boot-pinephone = callPackage ../pkgs/tow-boot-pinephone { };
+      tow-boot-rpi4 = callPackage ../pkgs/tow-boot-rpi4 { };
+      bootpart-uefi-x86_64 = callPackage ../pkgs/bootpart-uefi-x86_64 { };
+      bootpart-tow-boot-rpi-aarch64 = callPackage ../pkgs/bootpart-tow-boot-rpi-aarch64 { };
+      bootpart-u-boot-rpi-aarch64 = callPackage ../pkgs/bootpart-u-boot-rpi-aarch64 { };
+      rtl8723cs-firmware = callPackage ../pkgs/rtl8723cs-firmware { };
+      linux-megous = callPackage ../pkgs/linux-megous {
         kernelPatches = [
           prev.kernelPatches.bridge_stp_helper
           prev.kernelPatches.request_key_helper
         ];
       };
 
-      sublime-music-mobile = prev.callPackage ../pkgs/sublime-music-mobile { };
+      sublime-music-mobile = callPackage ../pkgs/sublime-music-mobile { };
 
       #### customized packages
-      fluffychat-moby = prev.callPackage ../pkgs/fluffychat-moby { };
-      gpodder-configured = prev.callPackage ../pkgs/gpodder-configured { };
+      fluffychat-moby = callPackage ../pkgs/fluffychat-moby { };
+      gpodder-configured = callPackage ../pkgs/gpodder-configured { };
       # jackett doesn't allow customization of the bind address: this will probably always be here.
-      jackett = prev.callPackage ../pkgs/jackett { inherit (prev) jackett; };
+      jackett = callPackage ../pkgs/jackett { inherit (prev) jackett; };
       # mozilla keeps nerfing itself and removing configuration options
-      firefox-unwrapped = next.callPackage ../pkgs/firefox-unwrapped { inherit (prev) firefox-unwrapped; };
+      firefox-unwrapped = callPackage ../pkgs/firefox-unwrapped { inherit (prev) firefox-unwrapped; };
 
       # patch rpi uboot with something that fixes USB HDD boot
-      ubootRaspberryPi4_64bit = prev.callPackage ../pkgs/ubootRaspberryPi4_64bit { };
+      ubootRaspberryPi4_64bit = callPackage ../pkgs/ubootRaspberryPi4_64bit { };
 
-      gocryptfs = prev.callPackage ../pkgs/gocryptfs { inherit (prev) gocryptfs; };
+      gocryptfs = callPackage ../pkgs/gocryptfs { inherit (prev) gocryptfs; };
 
-      browserpass = prev.callPackage ../pkgs/browserpass { inherit (prev) browserpass; inherit sane-scripts; };
+      browserpass = callPackage ../pkgs/browserpass { inherit (prev) browserpass; };
 
-      fractal-latest = prev.callPackage ../pkgs/fractal-latest { };
+      fractal-latest = callPackage ../pkgs/fractal-latest { };
 
       #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
 
@@ -50,14 +45,14 @@
         })
       ];
 
-      kaiteki = prev.callPackage ../pkgs/kaiteki { };
-      lightdm-mobile-greeter = prev.callPackage ../pkgs/lightdm-mobile-greeter { };
-      browserpass-extension = prev.callPackage ../pkgs/browserpass-extension { };
-      gopass-native-messaging-host = prev.callPackage ../pkgs/gopass-native-messaging-host { };
+      kaiteki = callPackage ../pkgs/kaiteki { };
+      lightdm-mobile-greeter = callPackage ../pkgs/lightdm-mobile-greeter { };
+      browserpass-extension = callPackage ../pkgs/browserpass-extension { };
+      gopass-native-messaging-host = callPackage ../pkgs/gopass-native-messaging-host { };
       tokodon = prev.libsForQt5.callPackage ../pkgs/tokodon { };
 
       # provided by nixpkgs patch or upstream preview
-      # splatmoji = prev.callPackage ../pkgs/splatmoji { };
+      # splatmoji = callPackage ../pkgs/splatmoji { };
     };
   in sane // { inherit sane; }
 )

pkgs/feeds/default.nix

@@ -1,42 +1,68 @@
 { lib
-, pkgs
+, callPackage
+, python3
+, stdenv
+, writeShellScript
 }:
 
-(lib.makeScope pkgs.newScope (self:
-  let
-    # TODO: dependency-inject this.
-    sane-data = import ../../modules/data { inherit lib; };
-    template = self.callPackage ./template.nix;
-    feed-pkgs = lib.mapAttrs
-      (name: feed-details: template {
-        feedName = name;
-        jsonPath = "modules/data/feeds/sources/${name}/default.json";
-        inherit (feed-details) url;
-      })
-      sane-data.feeds;
-    update-scripts = lib.mapAttrsToList
-      (name: feed: builtins.concatStringsSep " " feed.passthru.updateScript)
-      feed-pkgs;
-  in
-    feed-pkgs // {
-      passthru.updateScript = pkgs.writeShellScript
-        "feeds-update"
-        (builtins.concatStringsSep "\n" update-scripts);
+let
+  # TODO: dependency-inject this.
+  sane-data = import ../../modules/data { inherit lib; };
+  template = callPackage ./template.nix;
+  feed-pkgs = lib.mapAttrs
+    (name: feed-details: template {
+      feedName = name;
+      jsonPath = "modules/data/feeds/sources/${name}/default.json";
+      inherit (feed-details) url;
+    })
+    sane-data.feeds;
+  update-scripts = lib.mapAttrsToList
+    (name: feed: builtins.concatStringsSep " " feed.passthru.updateScript)
+    feed-pkgs;
+in rec {  # TODO: make this a scope
+  inherit feed-pkgs;
+  update = stdenv.mkDerivation {
+    pname = "update";
+    version = "0.1.0";
+    src = ./.;
+    patchPhase =
+      let
+        pyEnv = python3.withPackages (ps: [ ps.feedsearch-crawler ]);
+      in ''
+      substituteInPlace ./update.py \
+        --replace "#!/usr/bin/env nix-shell" "#!${pyEnv.interpreter}"
+    '';
+    installPhase = ''
+      mkdir -p $out/bin
+      mv update.py $out/bin/update.py
+    '';
+  };
+  init-feed = writeShellScript
+    "init-feed"
+    ''
+      # this is the `nix run '.#init-feed' <url>` script`
+      sources_dir=modules/data/feeds/sources
+      # prettify the URL, by default
+      name=$( \
+        echo "$1" \
+        | sed 's|^https://||' \
+        | sed 's|^http://||' \
+        | sed 's|^www\.||' \
+        | sed 's|/+$||' \
+      )
+      json_path="$sources_dir/$name/default.json"
 
-      passthru.initFeedScript = pkgs.writeShellScript
-        "init-feed"
-        ''
-          sources_dir=modules/data/feeds/sources
-          name="$1"
-          url="https://$name"
-          json_path="$sources_dir/$name/default.json"
+      # the name could have slashes in it, so we want to mkdir -p that
+      # but in a way where the least could go wrong.
+      pushd "$sources_dir"; mkdir -p "$name"; popd
 
-          # the name could have slashes in it, so we want to mkdir -p that
-          # but in a way where the least could go wrong.
-          pushd "$sources_dir"; mkdir -p "$name"; popd
-
-          ${./update.py} "$url" "$json_path"
-          cat "$json_path"
-        '';
-    }
-))
+      ${update}/bin/update.py "$name" "$json_path"
+      cat "$json_path"
+    '';
+  passthru = {
+    updateScript = writeShellScript
+      "feeds-update"
+      (builtins.concatStringsSep "\n" update-scripts);
+    initFeedScript = init-feed;
+  };
+}

pkgs/feeds/update.py

@@ -13,9 +13,13 @@ logging.getLogger().setLevel(logging.DEBUG)
 logging.getLogger().addHandler(logging.StreamHandler(sys.stdout))
 logging.getLogger(__name__).debug("logging enabled")
 
-url = coerce_url(url, default_scheme="https")
-items = search(url, total_timeout=180, request_timeout=90, max_content_length=100*1024*1024)
-items = sort_urls(items)
+def try_scheme(url: str, scheme: str):
+    url = coerce_url(url, default_scheme=scheme)
+    print(f"trying {url}")
+    items = search(url, total_timeout=180, request_timeout=90, max_content_length=100*1024*1024)
+    return sort_urls(items)
+
+items = try_scheme(url, "https") or try_scheme(url, "http")
 
 # print all results
 serialized = [item.serialize() for item in items]

pkgs/gpodder-configured/default.nix

@@ -1,13 +1,29 @@
-{ makeWrapper
+{ stdenv
+, gnome-feeds
 , gpodder
-, linkFarm
+, makeWrapper
+, python3
 , symlinkJoin
 }:
 
 let
-  remove-extra = linkFarm "gpodder-remove-extra" [
-    { name = "bin/gpodder-remove-extra"; path = ./remove_extra.py; }
-  ];
+  pyEnv = python3.withPackages (_ps: [ gnome-feeds.listparser ]);
+  remove-extra = stdenv.mkDerivation {
+    pname = "gpodder-remove-extra";
+    version = "0.1.0";
+
+    src = ./.;
+
+    patchPhase = ''
+      substituteInPlace ./remove_extra.py \
+        --replace "#!/usr/bin/env nix-shell" "#!${pyEnv.interpreter}"
+    '';
+
+    installPhase = ''
+      mkdir -p $out/bin
+      mv remove_extra.py $out/bin/gpodder-remove-extra
+    '';
+  };
 in
 # we use a symlinkJoin so that we can inherit the .desktop and icon files from the original gPodder
 (symlinkJoin {
@@ -29,4 +45,8 @@ in
     unlink $out/share/applications/gpodder.desktop
     sed "s:Exec=.*:Exec=$out/bin/gpodder-configured:" $orig_desktop > $out/share/applications/gpodder.desktop
   '';
+
+  passthru = {
+    remove-extra = remove-extra;
+  };
 })

pkgs/sane-scripts/src/sane-deadlines

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# processes a tab-separated "deadlines" file and alerts for any upcoming events.
+#
+# deadlines.tsv file format:
+# - <date>\t<reminder-interval>\t<event>
+# - no header
+# - one line per entry
+# - <event> may contain any non-newline and non-tab characters
+# - <notice-interval> is the number of days before the event to start alerting, followed by 'd', e.g. `14d`
+# - <date> should be lexicographically orderable and machine-parsable, e.g. `2023-03-14`
+#
+# example `deadlines.tsv`
+# 2023-03-14	1d	celebrate pi day!
+# 2023-04-18	14d	taxes due
+# 2023-04-01	7d	the other pie day :o
+
+# configurables:
+deadlines=~/knowledge/planner/deadlines.tsv
+
+if ! test -f "$deadlines"; then
+        echo "WARNING: $deadlines sane-deadlines file not found"
+        exit 1
+fi
+
+now=$(date +%s)
+sort "$deadlines" | while read line; do
+        # parse line
+        deadline_field=$(echo "$line" | cut -f 1)
+        threshold_field=$(echo "$line" | cut -f 2)
+        description_field=$(echo "$line" | cut -f 3)
+
+        # normalize dates into seconds since unix epoch
+        deadline=$(date -d "$deadline_field" +%s)
+        threshold=$(echo "$threshold_field" | sed 's/d/day /g')
+        birthtime=$(date -d "$deadline_field - ($threshold)" +%s)
+
+        # show the event iff it's near
+        if test "$now" -ge "$birthtime"; then
+                days_until=$(( ($deadline - $now) / (24*60*60) ))
+                echo "in $days_until day(s): $description_field"
+        fi
+done

pkgs/sane-scripts/src/sane-ip-check

@@ -1,3 +1,4 @@
 #!/usr/bin/env bash
-curl https://ipinfo.io/ip
-echo
+ip=$(curl --silent https://ipinfo.io/ip)
+echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
+exit $?

pkgs/sane-scripts/src/sane-ip-check-router-wan

@@ -3,13 +3,16 @@
 # requires creds
 passwd=$(sudo cat /run/secrets/router_passwd)
 cookie=$(mktemp)
+curlflags="curl --silent --insecure --cookie-jar $cookie --connect-timeout 5"
 
 # authenticate
-curl -s --insecure --cookie-jar $cookie \
+curl $curlflags \
   --data "username=admin&password=$passwd" \
   https://192.168.0.1
 # query the WAN IP
-curl -s --insecure --cookie $cookie \
+ip=$(curl $curlflags \
   -H "X-Requested-With: XMLHttpRequest" \
   "https://192.168.0.1/cgi/cgi_action?Action=GetConnectionStatus" \
-  | jq -r .wan_status.ipaddr
+  | jq -r .wan_status.ipaddr)
+echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
+exit $?

readme.md

@@ -35,9 +35,9 @@ refer to flake.nix for more details.
 ## remote deployment
 
 some of my systems support cross compilation (i.e. building from x86-64 for an aarch64 host without using emulation).
-- `nixos-rebuild --flake '.#moby-cross' build`
+- `nixos-rebuild --flake '.#cross-moby' build`
 - `sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)`
-- `nixos-rebuild --flake '.#moby-cross' switch --target-host colin@moby --use-remote-sudo`
+- `nixos-rebuild --flake '.#cross-moby' switch --target-host colin@moby --use-remote-sudo`
 
 ## building packages
 

secrets/universal/net/makespace-south.psk.bin

@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:tNQEuMx+Cp8vRELzeQoWLQail2jy5TEBSqJM1o+tV5mSStTLQFMR+L/cnKQYqEpNWJgZ3kSaqkAUqvY5yG/y7TIUZDWqeLLnOJDrmahku0CFPmC3BC8yjrTaISaDRT0FlLH7Osdk2pbDlmcerPwRaEtptovgHvMeJC9cMrfFUOF6LXdNIh7zslWyYvEzrAPtnxKiyIA7pan8sua2FG6AIfMj10c+p/ck29pqhtxAGJvmMMCjMBB1XNjaYjzRzEddbry84cJjhF2Hyr0j/W4U0SLDdD9cfh8idwmrBAP9zI1/nlHjO1labI+U9WGdyyeoPFY+Phm8qm7WxpFsDZnk4B5IGaN1yB9I7KP4tneSw8VOmz5L7BBJszJRUEOQ95Q7D7gos+ytfbnzIBeHh55eSuRzj5xSqG4dPSp8biBGEC9Y4gShCvxNa7r7tGF82jrI32Xe3MFz5zRsx5HvbpB/xytBS0fguxgtnFm8OJf7j3vyGwQoCCJT4pLpHmhei0JpmicbAIgKCcmz//sSUZKXNMV+rb58ntjvNu/Cy9TgOaNTpmeIpe60Gg5ONXypM8Zdmv+cY3NATg9ukdXpdtjW0+SMTTOC+Ug2z9D0Wy4NUQOsNevVUr/22155v+SGcSImVJtiOZ3xYgjND1n/smoUs7tvOVxb1Qjwty40VLwHi+Od3w==,iv:cBgkFEs/bUBRdQnmxqYiJwqQWMXoJ61lHEnMwkfQ6YQ=,tag:E/Vj1nwF1VrxjSyo55W/Ag==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieFRHNnN3L2FzMGcraHds\ndDFYU2dwUUU1OVh3WnhtWWk5QlZJNmFLd1Q4CkVaNTYreVRGOXdLWitSc2pleDly\nQjRBbERydFFZbkRpekN5T2xCM2x0bkEKLS0tIFhvNnc5M2x0Q2FvUkRXUVNHOXR5\ncThGazRYaHhrdjlCSFE3TWJ6L09jR2cK50dHVdb6XAsgB9WGlfnbIeYluFNFcfSb\n1m+ElNfsE9VOdEzeEI8sNHvfNtleEv0i1CwdRA48mmMc1LetiDgV+g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhOStKYTkvYTFZWkFJZk9F\nbW55RTZLWHJXK1lwSE9OSERrdlRQZWdzbDFzCjcycDdsaVNtVTlPYkh5QVZScExl\nbjNzaVRHaVdlU0dHOTRxS1VvSkRjS1kKLS0tIE1zZkJ2K2FxZFpmeEVxdGVkSXEv\nSklmYmJ0TWx6K0FGc2FqejRQQjNmM1UKwInOj1HG+4zKMkocVI7japkdc1FHNORF\nAMfAlEaB36alown3NmxBVD7zZexEU6Stsvv9eKE6clX/vj7Ny+dKgA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTby9zMm5UTmpGS0JMNlNj\nYVlES0RpVWxsV1ZQZm5NTHZzV0pzdjZFS3o4CkRLWVJGU2g5WjN0eWdDMTIvTzE5\naDJnNjJNNitIaDZaaURxVnhacldtODAKLS0tIDNnRWhlN3ZJNklWUVFkOXdCVjVl\nRkdLcTVsb09oemhxWWZEWENsTlFZM00KQRYOR6rD7pOFSWl9KfNRxbWPVwLnMMXW\nLYRReL1xvK+UdYpae/rKbmExoo94W6IZSxoxeB2BFR9Bna5obbFNjA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQU2k1WkRVZW1paS9id0hw\ncXhucTlCeThjYm5Fb3A1RnNzREN4eFA5OGh3Cmg2Ym9nOEF3Y0FGYVlra0RuTXh3\nZFVKUnVlSEZGaXlMdVJuZno5K3RTL00KLS0tIHNDV3FJOVhybWpGZ1h3TTZDWGtj\nNEhQQ1A0SGFYNnVzQUhFa25tOW82NWcKTX/QwhOVAWL9tgfzopMAdWuBmzCni1mg\nTfI9R6ZP6gdBESUk7+kLc8uiEJIxuiWCivp9gWr7Xletbm00Pnkglg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVjN6Q2gvNVFwQ3hjOElE\ndXVUVDdQQWNCdTB0Y1VuVnlsNjg3UlhyMWdRCmpEQ3pZUyswditHd2s2dUlMRmFa\nY3lFc0FwdzNrZzdyZ2hOYzJXdWVXUUUKLS0tIHV4dWcyb0dnWVJnY1pudUxUK1Y0\nbWVhRzdLMjNpc2xxaWQ5U2x0SVdHck0K2gB1itweNVt0kKZj2gO+ek7hlJoxfkoY\ndMCEH+kWxhtXuXHznCZb+Itrm7vGgqWQdXlqilMEYuhLbPHvs5jXMw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNVhjK3hWSVNnb1Y5SUFy\nRWt6TDByWFphNnhNbThubnpIaHc0RERpTlhFCk5reUIzanIvVUxuSEg3RWhZNTBL\nUlNMc2hvejZSUUtXZFFDQ0M0QzBiTjQKLS0tIHhtUjd6ZUVpM2JXaXdsejU3bmFE\nQklLL0NwNjFzOGpGUHoxd2drNUVyTnMKGOEhPALGhyvDBPpuib1R425JBih3cBzs\nofk+eL5cRTwfLe7a/kOeNudNtamKLR8IEfJKgokjtBEaYBNo1P+Vuw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOVVwZUM5ODNsNFFzOWdo\nS2RiejlsQVVrSmJ2SVFGbklsSUpCckVnSlZ3CjlmSTJZaE9pMlRiamNtUmxyK3Na\nMFljczFnNktCaUs0eC90M0c1akNxdWcKLS0tIDFoRlNyZVo2R243WGNHR3B3cDI5\nRHZYK2lBM1ZLZWFWM3hzdnR2cTM4aTgK67Ik3qwQEuOuL60BRRGmpmVgdIv/Bavi\njeC4BTwBanXxbhZodFfdtHmgxkqE3w2Eu5ojwFje+obUagj8B3PmNA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcndDbG03cW0ycTlNeFBT\nbEhxcWVDb2N0MkwxNlN5Tjk0T2NTaEw3bFdFCmJYZnZXZ2xYblBtTi9MWEN5amVa\neDFEN01sTHgxLzNrcVB5OC9TU0ViYUEKLS0tIG8rQ21kU0xlcUEvZkVObFJhRUdp\nNG1EYXBZNVpKUGUxK2xXdFpieVBNZ3MK+bGQrmaY1bE23iuKu1UPoChOOnuSBl9d\ncQlr+Wh4CoKp8YTnTTkFAVrWoXcM0eAVapR7f89GqO2vgefo6bnFHg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-02-27T01:05:22Z",
+		"mac": "ENC[AES256_GCM,data:QWj5rcyT9xBLdVCkf1mo0lnpeNR3o+HK6MP1n/XWwSWzMM794+byWDWEfjJIq5EuNL3YirbB5ANrGjdWTzL3UU1WsW3kr0pan2dSrBs9wR4d9RNS1TcFXvxhC0WEEVP1n3wwfOb/TKd9irpv8n2M973atQKJXSTecqOFgDxDa0M=,iv:TcjQuwW9SZlMbHtEj2O+76qnvPsvhrJ3mNmsobEA6rU=,tag:GeVf5bPecUNn8TQ1C12aFA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

secrets/universal/offlineimaprc.bin

@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:YQ3g+zqZoOv6+cjsxahFLlzzJsyNmIzOf0UW/V5Q8WJ5BlfJem/u9SJd9HbYfAZuTGkSzRVTvC3woivV0WOCf+EZ1SPSOLwCFtNKh0kgIsSbZRHJqfMQPzZkd93tAARXj7Gtgi2yGGvIhW9MTDvUDDW1umho46fP61f9JRPflAXRu9JwEDpwVIIkAqk4Jdq3G3wnrkjK7fNQkpULAYqDJzH7IeUUNFbt1/tsI8uj1bzpYzjLkZ9r8grgSO7mpt2h4vPdGrd+XVRT0WG/MLZnukN9rXDfHkrqFtn4XBkp+biQj4RFflNr9/FyZUEqb5wvB5pMMatRdv+PUdgtuSQubfKPHdYXic0Bi+Lgm3gA8FlYnel6dP5I8DXgo4Jupyhw/KMTySn3nhHrhFieSmTItZZ1KKtaQxFGNdnYVcCJCUkwKNM6M5nX+LryxD9MkAn+L2o11QYW6q9HhxO+hXi0IWfq9aRRtU/mw2Og7nA9oesoJqmid7zXVsErsRhnFlEHt7Z6qCbnhcC9lyT/KhK4E0+sJpeukyDVmNAb31040zIKEOQMFyMHw1nRFHxth4Kw2AGIRA/UiB1JxR/QW+1tZSB8MPS6GtklXE6GAlphAnssrkIc+5L+bWJTOwSYsw6T6SYCMO5I/0OEgZTys6/dYVLSl6GVmYb5Ck8GEzOx7W1fnFQt7KepZUTGstMQ0CsI1zktmXzJel1C+MBga7IC6+P8mB42GZv1mBRiEGs8fjo3HqaoF3omC/7FUrc6UlQnExMEXqgm7jbENL5mfk04zS1YzbMHR6JZapVSD8ykHMkGSYbpqhzgcam0c6aQLD7mGcMZ4L+2FZtgnSPmmfjKxlZJIQE66NWq586N7e+7SWSi9rqEstXGhAahM1RWIog4EW3npOUmNBbz152QaYZeNNTYE+L/9n+oVeWT0evlHxiCpATxgo+DoR6z66U5QYN5EFXcsR/I1s2UUc8xTwwjgEfXkM/IEZUkEHH/kZNJPdmqtpA=,iv:HYjtUSGs1JgxE8HzZ+xYUZoPYanOC6HAVlIdJR8O77o=,tag:teJOFIMtHLs9yzDQIPV0oA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Wmx4QUZSZVFYM1NjRGxO\nRzhmSGV1RTViTjljM0kyaitsV05Jc1dQcXpNCjdFR1FWTFY0L1NkclVJQ2t2bk1P\nNk1WeDA4TE9Zcjc2MkNTeDltQk5TSW8KLS0tIGIvcmNVdDN6eldMamxrWUJ0ekZF\nWlcyN0haZFpmQVcyWS9vOFBHVmFiamMKwROo4FD5Y6TiSDK8byxAq4T9Rtvy1Dr+\nExZFzLeJxXBukLJgzxV8UpBNbcGejetyOZiH+GPwdwO4QKlMGiCsog==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYzhiZjFVWEZidGJpRkpl\nOSszdUNiWDlIMVVTaGFVdi9oZjFoYVhwOFM0CjFNR0ZadExxZDBnOEU1eEJXaHda\nK0NyWmhHZzdSOHFHbEYrQnhwMTcxdVUKLS0tIGd0WjFOczRCSkpkZFpOSDdlTFhG\nQUFQMlRDa1YwM0F0N2U2ZFdxa3YrMFEKXNdULEzPEh3Wk+PxgRt0fypVNAaa682u\nMZBfQbNnAOVU5xlM66+YGWXY/ENWwr3nEauNKq7pWLZqQOCA9RnvvQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TFcvWll5RGZDeU5RYnpS\nb1hHcG4vbzBxL3RiRjl2eUhGbHFjSTJYZ0hBCkhyQUtacktuR0ZZNkM3cEdyMTd1\nVnpMZlNPL1NzcUZzWnd0VC9veW1jL0UKLS0tIHdQalI4N3ZRVFdsMEtCUllBREZG\nUmdQYVVqUGZ0QXJKODFvblgvYnRnZTgKKMmEswejP1HdEtg9hK10pRlt89Iz2iF8\npcZTBFjMnahLvxI4M8HCF7ESxI46jebyna43ZzELQQLPGLuZG0n3Bg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBScXJpV2NkMFhJaDNGVHRZ\nVlRCZVkzSWFyTFRCUktYNFNYekwrNkpITUMwCkZlZm14Q2dZVGlFd2VZZWpmSFU4\nelhNVmE1b015YWYzcGRRa2VMS1ErMDQKLS0tIHFxaEJ4M3cxSHlNV2ppaFUzcTlk\nZWVuN085TnRES0ZGZko3Ym9vOXRhSEEKU8YZFKtDzokS1OXlqA3vBe2C5N7Em+Oq\nDh5N+2qrvqKUzT/YVg9j/YIPswrn2WMJ2xgMgT5VVK+2kn38fk4n4A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWWFFZGVPTEVlc1hvQ3Qy\nUTNrc1Y0ek9ONlQ0RzlkbTNWangrdnFVZ0hNCkovNCtkaG9JUlpnRFJBMFE0Nmkz\nNXByUjlLRUd6RUV1OU53UjBEZnNjTUUKLS0tIDd4S3VrVDkvanlzZStkYllQT3NN\nYWxyYW1pVmt3djIyWVhtdEZCVlducmMKI94q+UTXpUGa/up0lVbWqmBYcPpuoLZD\neW2KbX2MTzotJVXlJyckYvaylEyyN1pKO37OViPnzik2cJYCyD8QSQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhN2ZkbzB1K0g4V0NPQ21x\nckQ3MFVwZzBwNDMzVk9mb0YvVmJxYm5hTTB3CkgzWTR1dUkrdkFKeDBjNWpCcnl2\nY2lCU0dPcUh1VXdWbExST29nRFFQcHMKLS0tIEFucEpGc2s4VGhGYWlQQW9Kd1pt\nTGY5YURVa1NYUit1UHpPVm4zTHNTVVUKTyKPabMpXBkiV9MSfoJr41DfJjzW6FVP\nHWVfUwoVeKEYVJEPYIcso4kywroBWJ5tBpeOdsbth9en3TOHHlBXCQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvN2dvUDRXUWc2eVVoQ2xK\ndXc2anJZVjhobjJrODVlbXNuZjNhZ2lpNERnCkN6V0Y2QmlGNHVJM3JoQ3hwbHJo\nTncrVVN3R0wvQVAzb293WFpCV29BNUEKLS0tIFdhV3RSbkZQVVBxVWpuYzk4bzZt\nekhxSEFFMHRBZWZaOWxUVnFUbkluUFUK53HBDttykEO7lB/86d/ey4I4AZsLrvLm\n7J/rItqQeNJ1qYp/J3HSilbDZmQBI8jM95SP75tUPsmWndK1i9gHlA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNXB2dkJoMzlJRlJxbGRS\nNTl2YmRUb3YxdEcwRnhuT1RHMTJMNm1MQUZjCkMrNGEzV05sdWc1OUROU2V2UVlJ\nSGl1bGxNSzBZalRZd0YyMElEbGlXZWsKLS0tIFRVQmpqRGNmTW9YaTN2Y0JtNHp6\nbkw0dTlmNVFwQkl6Q1ZIcUNxTGp2TzAKaZawNzF3mYl/m0X/IbfWL8WhLllF6fkT\nl5BQg3uMLC4pTnRcZHmBLrzRHhoOy9qLLkiimkQaseUhI+hAUt9bAQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-03-03T08:41:07Z",
+		"mac": "ENC[AES256_GCM,data:cxu1p3O0CLiIrqD7HrFUiDPrbF7N3puR3C6VKLfmWa0liHIrkwylOHhyP2WYL1GnbXrMdSZEZ9W487yqsFMiVLyVYmvrg6/TB0I936+PdPgb3miBlb1aE+g23FHQNbpTthbdLJow2tbw1n152ZwtjHPZ+swQhoexeZrpNJipBZ4=,iv:/uua9R2uXvJISgETRBaAREFW3+DsAi+dN4DoMMYHKi8=,tag:wUITr1eIhndhK6EVEyOmog==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}