update nixpkgs: 2022-11-27 -> 2022-12-02

```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/a115bb9bd56831941be3776c8a94005867f316a7' (2022-11-27)
  → 'github:NixOS/nixpkgs/b72b8b94cf0c012b0252a9100a636cad69696666' (2022-12-02)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/fecf05d4861f3985e8dee73f08bc82668ef75125' (2022-11-27)
  → 'github:NixOS/nixpkgs/5d7d1d5f742e6bb57dd2e3d7b433fb4010c7af22' (2022-12-02)
```

flake.lock

@@ -69,11 +69,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1669542132,
-        "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
+        "lastModified": 1669969257,
+        "narHash": "sha256-mOS13sK3v+kfgP+1Mh56ohiG8uVhLHAo7m/q9kqAehc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
+        "rev": "b72b8b94cf0c012b0252a9100a636cad69696666",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1669546925,
-        "narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
+        "lastModified": 1670009241,
+        "narHash": "sha256-MwpkQIvxgF0EWf0h9SQ1V2D1ZaPhelwZsc86uS3YXxo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
+        "rev": "5d7d1d5f742e6bb57dd2e3d7b433fb4010c7af22",
         "type": "github"
       },
       "original": {

hosts/common/bluetooth.nix

@@ -0,0 +1,24 @@
+{ lib, pkgs, ... }:
+
+{
+  # TODO: don't need to depend on binsh if we were to use a nix-style shebang
+  system.activationScripts.linkBluetoothKeys = let
+    unwrapped = ../../scripts/install-bluetooth;
+    install-bluetooth = pkgs.writeShellApplication {
+      name = "install-bluetooth";
+      runtimeInputs = with pkgs; [ coreutils gnused ];
+      text = ''${unwrapped} "$@"'';
+    };
+  in (lib.stringAfter
+    [ "setupSecrets" "binsh" ]
+    ''
+    ${install-bluetooth}/bin/install-bluetooth /run/secrets/bt
+    ''
+  );
+
+  # TODO: use a glob, or a list, or something?
+  sops.secrets."bt/portable-speaker" = {
+    sopsFile = ../../secrets/universal/bt/portable-speaker.bin;
+    format = "binary";
+  };
+}

hosts/common/default.nix

@@ -1,6 +1,7 @@
 { pkgs, ... }:
 {
   imports = [
+    ./bluetooth.nix
     ./fs.nix
     ./hardware
     ./machine-id.nix

hosts/servo/services/ejabberd.nix

@@ -13,11 +13,16 @@
   networking.firewall.allowedTCPPorts = [
     5222  # XMPP client -> server
     5269  # XMPP server -> server
+    5443  # web services (file uploads, websockets, admin)
   ];
 
   # provide access to certs
   users.users.ejabberd.extraGroups = [ "nginx" ];
 
+  security.acme.certs."uninsane.org".extraDomainNames = [
+    "upload.xmpp.uninsane.org"
+  ];
+
   # TODO: allocate UIDs/GIDs ?
   services.ejabberd.enable = true;
   services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
@@ -35,6 +40,14 @@
 
     pam_userinfotype: jid
 
+    acl:
+      local:
+        user_regexp: ""
+
+    access_rules:
+      local:
+        - allow: local
+
     # docs: <https://docs.ejabberd.im/admin/configuration/basic/#shaper-rules>
     shaper_rules:
       max_s2s_connections: 3
@@ -72,13 +85,47 @@
         module: ejabberd_s2s_in
         shaper: s2s_shaper
       -
-        port: 5280
+        port: 5443
         module: ejabberd_http
+        tls: true
         request_handlers:
           /admin: ejabberd_web_admin
           /api: mod_http_api
           /bosh: mod_bosh
           /upload: mod_http_upload
           /ws: ejabberd_http_ws
+
+    # TODO: enable mod_client_state for net optimization
+    # TODO: enable mod_conversejs for web-hosted XMPP client
+    # TODO: enable mod_fail2ban
+    # TODO: enable mod_host_meta
+    # TODO(low): look into mod_http_fileserver for serving macros?
+    # TODO: enable mod_muc ?
+    # TODO: enable mod_offline for buffering messages to offline users/servers?
+    modules:
+      mod_disco:
+        server_info:
+          -
+            modules: all
+            name: abuse-addresses
+            urls:
+              - "mailto:admin.xmpp@uninsane.org"
+              - "xmpp:colin@uninsane.org"
+          -
+            modules: all
+            name: admin-addresses
+            urls:
+              - "mailto:admin.xmpp@uninsane.org"
+              - "xmpp:colin@uninsane.org"
+      mod_http_upload:
+        host: upload.xmpp.uninsane.org
+        hosts:
+          - upload.xmpp.uninsane.org
+        put_url: "https://@HOST@:5443/upload"
+        dir_mode: "0750"
+        file_mode: "0750"
+        rm_on_unregister: false
+      mod_ping: {}
+      mod_version: {}
   '';
 }

modules/impermanence.nix

@@ -50,6 +50,7 @@ in
         # "/var/lib/AccountsService"   # not sure what this is, but it's empty
         "/var/lib/alsa"                # preserve output levels, default devices
         # "/var/lib/blueman"           # files aren't human readable
+        # TODO: if we changed the bluetooth installer to auto-discover the host MAC address, we could de-persist this
         "/var/lib/bluetooth"           # preserve bluetooth handshakes
         "/var/lib/colord"              # preserve color calibrations (?)
         # "/var/lib/dhclient"          # empty on lappy; dunno about desko

modules/packages.nix

@@ -208,6 +208,7 @@ let
     smartmontools
     socat
     strace
+    tree
     usbutils
     wget
   ];

scripts/install-bluetooth

@@ -0,0 +1,25 @@
+#!/bin/sh
+# usage: install-bluetooth <source_dir> <dest_dir>
+# source_dir contains plain-text files of any filename.
+# for each file, this extracts the MAC and creates a symlink in dest_dir which
+# points to the original file, using the MAC name as file path
+#
+# bluetooth connection structure is /var/lib/bluetooth/<HOST_MAC>/<DEVICE_MAX>/{attributes,info}
+#
+set -ex
+
+src_dir="$1"
+dest_dir="$2"
+
+if [ "x$dest_dir" = "x" ]
+then
+  # default to the first MAC address on the host
+  dest_dir="/var/lib/bluetooth/$(ls /var/lib/bluetooth)"
+fi
+
+for f in $(ls "$src_dir")
+do
+  mac=$(sed -rn 's/# MAC=(.*)/\1/p' "$src_dir/$f")
+  mkdir -p "$dest_dir/$mac"
+  ln -sf "$src_dir/$f" "$dest_dir/$mac/info"
+done

secrets/universal/bt/portable-speaker.bin

@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:639/SycbUOC4kwBAJvk2sQCBfnXZrYDzucXFXysOW8DOPU7nZwsdWKmB+41zvLg3vS5GyPTzMco/EaytPbGj+HvRqyKEYCJvBY/ZOoPpAZKltqMkkIS449OFy3vuOS46TPLQ1c5AgsBnHuSFrGGcVXRs+yP1A4rRcn5Au3Z7hPujZA/W3lUR+/Cp4UYc2tk1w2kpWD/SXLqkSX2XTRNPXb1rOva6xxllUiFuG7Yt1a7KfjrkaF4GJK5TNWgGVrY1N7IKzC75Sh1x5wvumF7A1mwLE1I+sa55Sn9qtGsmWwfsDBN+9SRg7uCUipTCrAEAgJK07QdN5P0ZFrQlxqNGn0i5BvKSxn+GK+f7xJIHjb+sexQgNMFQ56V83Zej8U5HQ9vyrx7EHpE44UneUQQ8FkckQVWyhSGs3MVSkfbznb3L2WnOCEogb0xft56pXPOG/K4q7uLkOwUtgcq0Jlf+gZZmuXRoVnNQc//o0u296CF8AFnxA/MJJc67bkONITjlekB7f23NFoywhzyX4RYjjbflRkMF8BRu0RDuynGu0xLZLLlK8QM4uJfpPyH8L2ThiKRbYO7OGaKCYJy6fYx+ViUVsRf3hpHMiDn8yGHxrqABOTv6HSIZvIKo3G4Kn5iF/GPxWQISTZxE7YdYhgUf61UpZEfkgw==,iv:jqWb8k8f8jKscWPwcZy9o9QmOJKG38m9ukbeBDX3IN8=,tag:vZh6J2mtUhaoiwpn17l80g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTXp0RHN2bW9wUDdvWlJa\nNFhyMEJ0OUhSS2RvLyswejc3ZUx2SW1rdDFVCmtZVG9wZitidEZMaE1rdjZSZito\nclB1N2s2bU93S0IwK1UrYlk4NjU1UFUKLS0tIEdvcytSOElhRHlKY1FyRTlTYUlR\najdHeGh6d2FROUJab3d1cExkYlJLQUEKJQUv1/2YuAOEQGaaJ5itEtXrfwB18RcI\nC3V0MXuLqpQpVzsMz6tBU66+343gPTVMZXi/cLLKjpzARKUCPJ3ghA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdmtuT0NaUEplbzQ0WWV2\nQUsrOFRYN0ZET2lwNkhMeTE3bTV6OUUzWW5jCmtsT3dNbXdlSFQyTmlNdndqT0V6\nSGFDM3BaY1plUVYrRkZRSXQ3eno4dWsKLS0tIGRBSzQzVVdCQ3Q2WGpwdTlsSHJO\nZGR5NjRrbW1lWW80NCtVUWtIUEhGcTAKSRPJHEUFWCCe4v2nLnaDY3FIeWvc75jd\nMb8+grC61jBRO3kpMLrHb5dn3/okLX33nZtJNnkCA8jDlR1tyCXUuA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRWZFWkVWVWlpWjBWenE3\naHp2d1RVcmNrQVVYNkVuWHRUcGRBNTBFbmdNCk4zUGFFSm5lWXhzR05RelNvbnBX\neHhoZDZjZTJPWndQT0dJajh0K2xhWGsKLS0tIHIyeUVoQ0szZHpBQkdBc0hVbFVF\nU29JWFNPT2VtaEFTSTc0OEpsYVVRbWMKLq33uUYhelMgkz/zuI3wmYTPbn+fv4uB\nkwUX2KDOzunPkfznFJ0/uGDHBRgTj5kYKid53IPPAByCGrWemXbbBA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNlFGNGZyZWdLQnRkSE1z\nTUgwOWFvL2ZQSWVOVTBBOHJOM0RSaHNFOWlBCmljOTdKQzB1UTU3ZFFENDJFRnps\nYi8xa0czTTNvTFFGc2QydWVmTmN2bEUKLS0tIFJQMkNQOUhDazlsRTlrRDR3TFJP\nLzl3UGRSakhITXdnYzEvMXdsZ3M2RjgKbXJw6e5aFsrL52zknH5vva3y7sLvqVTd\nsyOnStwaTwBWEMRAvG+vtEhgLIJDVCJGEYqKIBzzoOOujJ9ojuzOqw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRmh3R05RNXhjclRHYnB6\ndmxIV1dPQTNud0htRFFHN3ZveUd3NSt1RENRCkRmQzJvNUxZQzc3enlvZjRGTE9x\nWmFxaGRrYzNTUm5WNUtkaHJzbmo1Q3cKLS0tIFVJdXliL0xnZHRnYVBwYkcrTnhx\nc1M2bzQvNmxHcEsyZmZNVUYycDh5QTQKyOSJlIwrwUaglkvdAw24NxxdZnmy88J5\nNWo04oEImdlMCEZQBQ3/o1xyftU8BNY+ovNy7Nym0darKM9f8ka1PA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiR3VhRUZybjJuVVFrNXVo\nMkJwNDgweFFmb3BIeEhSZ01RNWk0dEQ1bHlVCkI5Wm42d3haTms3bjlJdldpSGtW\nSGN5cnlkZmlpSm11VjBFeHI4blI0aUkKLS0tIHhESkdjbGFPZis4V0tQcUpXaVJ1\nTEpadHlVL3NUeUZudU15WldZWlpKNXMKVxsLBUb7BwJJ0lJRQk1ZppMID8bt/cbC\namvKeagoT6QDR42FyA6W2Rp8+tBrrkBD3CGRAcXMfUSPIzN9p6kcQg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSXRPbW9OeGFpYng5RXR4\nT3BUMDZmOTRoNlVsVlp3endKOEJCWno2TjFZClpYWklWbDU3OGoySFFJUkRjS2tw\nUFhtZ0puTkV2ckRPMUhLY01MVW1kR2MKLS0tIGJkdHhaNzQ3WG9JRXF6OTNMNnF5\nQ3FVU2FVVDJyYUNqaVlhSkEyZmd6RGcKMRxyVMpxCYxoWXK6zlAPyo3YcPJtTWIO\no2RUlS8oSTB05G7sGkjq3VSFRSgNnekvXOBE513Qmym/cDDbusxpAQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYnMxbDNUR2xyV3B5VzFQ\nM1IxQzV5OXM5L1VYdFRYWUt0cWl4ZUdsQVNJCmRjUjdPMmhoaEFmUUxrVmJCRlFl\nNzZqY3p0YUF3T2lYdysvakx4WVg0bFUKLS0tIFFlazJzb3hmVXNyUU5leUFKL3p0\nNlN0TGxVbGtoUHFtK3hBS2RiYUViVFEKii4w04zeDD6HWURzmAhJdxNdNmQgsPw/\nawI6HSVbbmEGXyL23Pe0oultY8k/ZVE4oHRKBkHh00XoCZM/Ye6neA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2022-12-03T10:23:14Z",
+		"mac": "ENC[AES256_GCM,data:KBm0rXwAGPa0ZkqGI9K3rW5B4vJ1FLmITa8xV5WR1SG2MlSqvCqSj4Qe5kxcIc3AqqHF2W+LDaJ0f1fXOCVqWRe1mi/LJyYgPERL5Hn3iOHty9g984Q/QSGvH13O7eY/Fuk2h0mpIX4pOhdpW74qlp1zYDXqUswsKW7ERTTRf6E=,iv:maE+9/OgdgYNX4F/MrzIpJr+/XXyFSayC1YX382oc2Y=,tag:NmrKXA9AjnoTXrQThnvxvg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}