browserpass: apply PR feedback: <https://github.com/browserpass/browserpass-extension/pull/312>

```
• Updated input 'impermanence':
    'github:nix-community/impermanence/def994adbdfc28974e87b0e4c949e776207d5557' (2022-08-31)
  → 'github:nix-community/impermanence/5df9108b346f8a42021bf99e50de89c9caa251c3' (2022-11-17)
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/0b69b36c989d13f08c3bc563253f68c9d6ed7244' (2022-11-01)
  → 'github:nixos/mobile-nixos/25eec596116553112681d72ee4880107fc3957fa' (2022-11-19)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/872fceeed60ae6b7766cc0a4cd5bf5901b9098ec' (2022-11-09)
  → 'github:NixOS/nixpkgs/af50806f7c6ab40df3e6b239099e8f8385f6c78b' (2022-11-21)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/fa842715565307b7e05cdb187b08c05f16ed08f1' (2022-11-09)
  → 'github:NixOS/nixpkgs/cf63ade6f74bbc9d2a017290f1b2e33e8fbfa70a' (2022-11-20)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/4407353739ad74a3d9744cf2988ab10f3b83e288' (2022-11-06)
  → 'github:Mic92/sops-nix/f72e050c3ef148b1131a0d2df55385c045e4166b' (2022-11-20)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/6440d13df2327d2db13d3b17e419784020b71d22' (2022-10-30)
  → 'github:NixOS/nixpkgs/b68a6a27adb452879ab66c0eaac0c133e32823b2' (2022-11-20)
```

flake.lock

@@ -22,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1665996265,
-        "narHash": "sha256-/k9og6LDBQwT+f/tJ5ClcWiUl8kCX5m6ognhsAxOiCY=",
+        "lastModified": 1667907331,
+        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b81e128fc053ab3159d7b464d9b7dedc9d6a6891",
+        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1661933071,
-        "narHash": "sha256-RFgfzldpbCvS+H2qwH+EvNejvqs+NhPVD5j1I7HQQPY=",
+        "lastModified": 1668668915,
+        "narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "def994adbdfc28974e87b0e4c949e776207d5557",
+        "rev": "5df9108b346f8a42021bf99e50de89c9caa251c3",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1667160126,
-        "narHash": "sha256-YRgxMHdvMuLsuXCaKs5YNMD6NKgvcATSjfi9YkUOOLk=",
+        "lastModified": 1668897543,
+        "narHash": "sha256-1bjvy5zi/6KDzhN3ihOUEA6y5FFEOf5xvIbf65RWIh0=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "da56c338a2b00c868697b75bdbd388f60d50c820",
+        "rev": "25eec596116553112681d72ee4880107fc3957fa",
         "type": "github"
       },
       "original": {
@@ -69,11 +69,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1667050928,
-        "narHash": "sha256-xOn0ZgjImIyeecEsrjxuvlW7IW5genTwvvnDQRFncB8=",
+        "lastModified": 1668994630,
+        "narHash": "sha256-1lqx6HLyw6fMNX/hXrrETG1vMvZRGm2XVC9O/Jt0T6c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fdebb81f45a1ba2c4afca5fd9f526e1653ad0949",
+        "rev": "af50806f7c6ab40df3e6b239099e8f8385f6c78b",
         "type": "github"
       },
       "original": {
@@ -84,11 +84,11 @@
     },
     "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1667091951,
-        "narHash": "sha256-62sz0fn06Nq8OaeBYrYSR3Y6hUcp8/PC4dJ7HeGaOhU=",
+        "lastModified": 1668908668,
+        "narHash": "sha256-oimCE4rY7Btuo/VYmA8khIyTHSMV7qUWTpz9w8yc9LQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6440d13df2327d2db13d3b17e419784020b71d22",
+        "rev": "b68a6a27adb452879ab66c0eaac0c133e32823b2",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1667125965,
-        "narHash": "sha256-z/OLvPwIhwdN9J+ED/0rPz/Wh/0sPuvczURwsiEENSQ=",
+        "lastModified": 1668984258,
+        "narHash": "sha256-0gDMJ2T3qf58xgcSbYoXiRGUkPWmKyr5C3vcathWhKs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "26eb67abc9a7370a51fcb86ece18eaf19ae9207f",
+        "rev": "cf63ade6f74bbc9d2a017290f1b2e33e8fbfa70a",
         "type": "github"
       },
       "original": {
@@ -120,27 +120,10 @@
         "mobile-nixos": "mobile-nixos",
         "nixpkgs": "nixpkgs",
         "nixpkgs-stable": "nixpkgs-stable",
-        "rycee": "rycee",
         "sops-nix": "sops-nix",
         "uninsane": "uninsane"
       }
     },
-    "rycee": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1667016180,
-        "narHash": "sha256-aOyT8yG49cGqHVzQFbl+XgJ7p83yHpAAfaHDtQCVdJ4=",
-        "owner": "rycee",
-        "repo": "nur-expressions",
-        "rev": "5fb3c4733c00a7e7be69877d057f6760d85cecb8",
-        "type": "gitlab"
-      },
-      "original": {
-        "owner": "rycee",
-        "repo": "nur-expressions",
-        "type": "gitlab"
-      }
-    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
@@ -149,11 +132,11 @@
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1667102919,
-        "narHash": "sha256-DP5j4TwXe96eZf0PLgYSj1Hdyt7SPUoQ003iNBQSKpQ=",
+        "lastModified": 1668915833,
+        "narHash": "sha256-7VYPiDJZdGct8Nl3kKhg580XZfoRcViO+zUGPkfBsqM=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "448ec3e7eb7c7e4563cc2471db748a71baaf9698",
+        "rev": "f72e050c3ef148b1131a0d2df55385c045e4166b",
         "type": "github"
       },
       "original": {

flake.nix

@@ -14,10 +14,6 @@
       url = "github:nix-community/home-manager/release-22.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    rycee = {
-      url = "gitlab:rycee/nur-expressions";
-      flake = false;
-    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -35,7 +31,6 @@
     nixpkgs-stable,
     mobile-nixos,
     home-manager,
-    rycee,
     sops-nix,
     impermanence,
     uninsane
@@ -50,7 +45,7 @@
     nixpkgsFor = local: target: import (patchedPkgs target) { crossSystem = target; localSystem = local; };
     # evaluate ONLY our overlay, for the provided system
     customPackagesFor = local: target: import ./pkgs/overlay.nix (nixpkgsFor local target) (nixpkgsFor local target);
-    decl-machine = { name, local, target }:
+    decl-host = { name, local, target }:
     let
       nixosSystem = import ((patchedPkgs target) + "/nixos/lib/eval-config.nix");
     in (nixosSystem {
@@ -59,14 +54,13 @@
       specialArgs = { inherit mobile-nixos home-manager impermanence; };
       modules = [
         ./modules
-        (import ./machines/instantiate.nix name)
+        (import ./hosts/instantiate.nix name)
         home-manager.nixosModule
         impermanence.nixosModule
         sops-nix.nixosModules.sops
         {
           nixpkgs.overlays = [
             (import "${mobile-nixos}/overlay/overlay.nix")
-            (import "${rycee}/overlay.nix")
             uninsane.overlay
             (import ./pkgs/overlay.nix)
             (next: prev: rec {
@@ -75,19 +69,16 @@
               # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
               cross = (nixpkgsFor local target) // (customPackagesFor local target);
               stable = import nixpkgs-stable { system = target; };
-              # pinned packages:
-              electrum = stable.electrum;  # 2022-10-10: build break
-              sequoia = stable.sequoia;    # 2022-10-13: build break
               # cross-compatible packages
-              gocryptfs = cross.gocryptfs;
+              # gocryptfs = cross.gocryptfs;
             })
           ];
         }
       ];
     });
 
-    decl-bootable-machine = { name, local, target }: rec {
-      nixosConfiguration = decl-machine { inherit name local target; };
+    decl-bootable-host = { name, local, target }: rec {
+      nixosConfiguration = decl-host { inherit name local target; };
       # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
       # after building this:
       #   - flash it to a bootable medium (SD card, flash drive, HDD)
@@ -100,27 +91,27 @@
       #   - boot
       #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
       #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
-      #   - `nixos-rebuild --flake './#<machine>' switch`
+      #   - `nixos-rebuild --flake './#<host>' switch`
       img = nixosConfiguration.config.system.build.img;
     };
-    machines.servo = decl-bootable-machine { name = "servo"; local = "aarch64-linux"; target = "aarch64-linux"; };
-    machines.desko = decl-bootable-machine { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    machines.lappy = decl-bootable-machine { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    machines.moby = decl-bootable-machine { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
+    hosts.servo = decl-bootable-host { name = "servo"; local = "aarch64-linux"; target = "aarch64-linux"; };
+    hosts.desko = decl-bootable-host { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.lappy = decl-bootable-host { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.moby = decl-bootable-host { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
     # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
     # note that these *do* produce different store paths, because the closure for the tools used to cross compile
     # v.s. emulate differ.
-    # so deploying moby-cross and then moby incurs some rebuilding.
-    machines.moby-cross = decl-bootable-machine { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
-    machines.rescue = decl-bootable-machine { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    # so deploying foo-cross and then foo incurs some rebuilding.
+    hosts.servo-cross = decl-bootable-host { name = "servo"; local = "x86_64-linux"; target = "aarch64-linux"; };
+    hosts.moby-cross = decl-bootable-host { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
+    hosts.rescue = decl-bootable-host { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
   in {
-    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
-    imgs = builtins.mapAttrs (name: value: value.img) machines;
+    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) hosts;
+    imgs = builtins.mapAttrs (name: value: value.img) hosts;
     packages = let
       allPkgsFor = sys: (customPackagesFor sys sys) // {
         nixpkgs = nixpkgsFor sys sys;
         uninsane = uninsane.packages."${sys}";
-        rycee = (import "${rycee}/default.nix" { pkgs = nixpkgsFor sys sys; });
       };
     in {
       x86_64-linux = allPkgsFor "x86_64-linux";

hosts/common/default.nix

@@ -1,21 +1,25 @@
 { pkgs, ... }:
-
 {
   imports = [
-    ./allocations.nix
     ./fs.nix
-    ./home-manager
-    ./home-packages.nix
-    ./net.nix
+    ./hardware
     ./machine-id.nix
+    ./net.nix
     ./secrets.nix
     ./ssh.nix
-    ./system-packages.nix
     ./users.nix
     ./vpn.nix
   ];
 
-  time.timeZone = "America/Los_Angeles";
+  sane.home-manager.enable = true;
+  sane.nixcache.enable-trusted-keys = true;
+  sane.packages.enableConsolePkgs = true;
+  sane.packages.enableSystemPkgs = true;
+
+  nixpkgs.config.allowUnfree = true;
+
+  # time.timeZone = "America/Los_Angeles";
+  time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
 
   # allow `nix flake ...` command
   nix.extraOptions = ''
@@ -35,6 +39,9 @@
     };
   };
 
+  # disable non-required packages like nano, perl, rsync, strace
+  environment.defaultPackages = [];
+
   # programs.vim.defaultEditor = true;
   environment.variables = {
     EDITOR = "vim";
@@ -54,6 +61,10 @@
     gocryptfs
   ];
 
+  # link debug symbols into /run/current-system/sw/lib/debug
+  # hopefully picked up by gdb automatically?
+  environment.enableDebugInfo = true;
+
   security.pam.mount.enable = true;
   # security.pam.mount.debugLevel = 1;
   # security.pam.enableSSHAgentAuth = true; # ??
@@ -61,4 +72,3 @@
   # or i guess going through mount.fuse sets suid so that's not necessary?
   # programs.fuse.userAllowOther = true;
 }
-

hosts/common/fs.nix

@@ -19,11 +19,17 @@ let sshOpts = rec {
 
   optionsRoot = optionsBase ++ [
     # we don't transform_symlinks because that breaks the validity of remote /nix stores
-    "sftp_server=/run/wrappers/bin/sudo\\040${pkgs.openssh}/libexec/sftp-server"
+    "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
   ];
 };
 in
 {
+  environment.pathsToLink = [
+    # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
+    # we can only link whole directories here, even though we're only interested in pkgs.openssh
+    "/libexec"
+  ];
+
   fileSystems."/mnt/servo-media-wan" = {
     device = "colin@uninsane.org:/var/lib/uninsane/media";
     inherit (sshOpts) fsType;

hosts/common/hardware/x86_64.nix

@@ -2,7 +2,7 @@
 
 with lib;
 {
-  config = mkIf (pkgs.system == "x86_64-linux") { 
+  config = mkIf (pkgs.system == "x86_64-linux") {
     boot.initrd.availableKernelModules = [
       "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
       "usb_storage"   # rpi needed this to boot from usb storage, i think.

hosts/common/secrets.nix

@@ -16,7 +16,7 @@
   #   add the result to .sops.yaml
   #   since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
   #
-  # for each machine you want to decrypt secrets:
+  # for each host you want to decrypt secrets:
   #   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   #   add the result to .sops.yaml
   #   $ sops updatekeys secrets/example.yaml
@@ -32,7 +32,7 @@
   # This will add secrets.yaml to the nix store
   # You can avoid this by adding a string to the full path instead, i.e.
   # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ./../../secrets/universal.yaml;
+  sops.defaultSopsFile = ../../secrets/universal.yaml;
   # This will automatically import SSH keys as age keys
   sops.age.sshKeyPaths = [
     "/etc/ssh/host_keys/ssh_host_ed25519_key"

hosts/common/users.nix

@@ -50,7 +50,7 @@ in
       passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
 
       shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = builtins.attrValues (import ./pubkeys.nix).users;
+      openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
 
       pamMount = {
         # mount encrypted stuff at login

hosts/desko/default.nix

@@ -4,6 +4,8 @@
     ./fs.nix
   ];
 
+  # sane.packages.enableDevPkgs = true;
+
   sane.gui.sway.enable = true;
   sane.services.duplicity.enable = true;
   sane.services.nixserve.enable = true;

hosts/instantiate.nix

@@ -0,0 +1,10 @@
+# trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
+
+hostName: { ... }: {
+  imports = [
+    ./${hostName}
+    ./common
+  ];
+
+  networking.hostName = hostName;
+}

hosts/lappy/default.nix

@@ -4,6 +4,8 @@
     ./fs.nix
   ];
 
+  # sane.packages.enableDevPkgs = true;
+
   # sane.users.guest.enable = true;
   sane.gui.sway.enable = true;
   sane.impermanence.enable = true;

hosts/moby/default.nix

@@ -25,11 +25,11 @@
 
   # usability compromises
   sane.impermanence.home-dirs = [
-    ".librewolf"
+    config.sane.web-browser.dotDir
   ];
 
-  # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
-  sane.home-manager.extraPackages = [
+  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
+  sane.packages.extraUserPkgs = [
     pkgs.plasma5Packages.konsole  # terminal
   ];
 

hosts/servo/default.nix

@@ -9,15 +9,16 @@
     ./services
   ];
 
-  sane.home-manager.extraPackages = [
+  sane.packages.extraUserPkgs = [
     # for administering services
     pkgs.matrix-synapse
     pkgs.freshrss
-    pkgs.goaccess
+    pkgs.libraspberrypi
   ];
   sane.impermanence.enable = true;
-  sane.services.duplicity.enable = true;
+  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
   sane.services.nixserve.enable = true;
+  sane.services.nixserve.sopsFile = ../../secrets/servo.yaml;
 
   # TODO: look into the EFI stuff
   boot.loader.grub.enable = false;
@@ -32,7 +33,7 @@
   # both transmission and ipfs try to set different net defaults.
   # we just use the most aggressive of the two here:
   boot.kernel.sysctl = {
-    "net.core.rmem_max" = "4194304";  # 4MB
+    "net.core.rmem_max" = 4194304;  # 4MB
   };
 
   # This value determines the NixOS release from which the default
@@ -41,6 +42,6 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "21.11";
 }
 

hosts/servo/hardware.nix

@@ -7,7 +7,7 @@
   # nixos-22.05 linux 5.15 DOES have these now.
   # it should be possible to remove this if desired, but i'm not sure how the rpi-specific kernel differs.
   # see: https://github.com/raspberrypi/linux
-  boot.kernelPackages = pkgs.linuxPackages_rpi4;
+  boot.kernelPackages = pkgs.cross.linuxPackages_rpi4;
 
   # raspberryPi boot loader creates extlinux.conf.
   #   otherwise, enable the generic-extlinux-compatible loader below.

hosts/servo/net.nix

@@ -13,6 +13,7 @@
 
   # networking.firewall.enable = false;
   networking.firewall.enable = true;
+  # TODO: split these into the submodules
   networking.firewall.allowedTCPPorts = [
     25   # SMTP
     80   # HTTP

hosts/servo/services/default.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./ddns-he.nix
+    ./ejabberd.nix
     ./freshrss.nix
     ./gitea.nix
     ./goaccess.nix
@@ -14,6 +15,7 @@
     ./pleroma.nix
     ./postfix.nix
     ./postgres.nix
+    ./prosody.nix
     ./transmission.nix
   ];
 }

hosts/servo/services/ejabberd.nix

@@ -0,0 +1,48 @@
+# docs:
+# - <https://docs.ejabberd.im/admin/configuration/basic>
+{ lib, ... }:
+
+# XXX disabled: fails to start because of `mnesia_tm` dependency
+# lib.mkIf false
+{
+  sane.impermanence.service-dirs = [
+    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    5222  # XMPP client -> server
+    5269  # XMPP server -> server
+  ];
+
+  # provide access to certs
+  users.users.ejabberd.extraGroups = [ "nginx" ];
+
+  # TODO: allocate UIDs/GIDs ?
+  services.ejabberd.enable = true;
+  services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
+    hosts:
+      - uninsane.org
+
+    # none | emergency | alert | critical | error | warning | notice | info | debug
+    loglevel: debug
+
+    acme:
+      auto: false
+    certfiles:
+      - /var/lib/acme/uninsane.org/fullchain.pem
+      - /var/lib/acme/uninsane.org/key.pem
+
+    pam_userinfotype: jid
+
+    # see: <https://docs.ejabberd.im/admin/configuration/listen/>
+    # TODO: host web admin panel
+    listen:
+      -
+        port: 5222
+        module: ejabberd_c2s
+        starttls: true
+      -
+        port: 5269
+        module: ejabberd_s2s_in
+        starttls: true
+  '';
+}

hosts/servo/services/freshrss.nix

@@ -30,7 +30,7 @@
   systemd.services.freshrss-import-feeds =
   let
     fresh = config.systemd.services.freshrss-config;
-    feeds = import ../../../modules/universal/home-manager/feeds.nix { inherit lib; };
+    feeds = import ../../../modules/home-manager/feeds.nix { inherit lib; };
     opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
   in {
     inherit (fresh) wantedBy environment;
@@ -45,4 +45,8 @@
       ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
     '';
   };
+
+  # the default ("*:0/5") is to run every 5 minutes.
+  # `systemctl list-timers` to show
+  systemd.services.freshrss-updater.startAt = lib.mkForce "*:3/30";
 }

hosts/servo/services/goaccess.nix

@@ -14,6 +14,7 @@
           -f /var/log/nginx/public.log \
           --log-format=VCOMBINED \
           --real-time-html \
+          --html-refresh=30 \
           --no-query-string \
           --anonymize-ip \
           --ignore-panel=HOSTS \

hosts/servo/services/ipfs.nix

@@ -14,18 +14,18 @@
   ];
   # services.ipfs.enable = true;
   services.kubo.localDiscovery = true;
-  services.kubo.swarmAddress = [
-    # "/dns4/ipfs.uninsane.org/tcp/4001"
-    # "/ip4/0.0.0.0/tcp/4001"
-    "/dns4/ipfs.uninsane.org/udp/4001/quic"
-    "/ip4/0.0.0.0/udp/4001/quic"
-  ];
-  services.kubo.extraConfig = {
+  services.kubo.settings = {
     Addresses = {
       Announce = [
         # "/dns4/ipfs.uninsane.org/tcp/4001"
         "/dns4/ipfs.uninsane.org/udp/4001/quic"
       ];
+      Swarm = [
+        # "/dns4/ipfs.uninsane.org/tcp/4001"
+        # "/ip4/0.0.0.0/tcp/4001"
+        "/dns4/ipfs.uninsane.org/udp/4001/quic"
+        "/ip4/0.0.0.0/udp/4001/quic"
+      ];
     };
     Gateway = {
       # the gateway can only be used to serve content already replicated on this host

hosts/servo/services/nginx.nix

@@ -8,9 +8,16 @@ let
       access_log /var/log/nginx/public.log vcombined;
     '';
   };
+
+  kTLS = true;  # in-kernel TLS for better perf
 in
 {
   services.nginx.enable = true;
+  services.nginx.appendConfig = ''
+    # use 1 process per core.
+    # may want to increase worker_connections too, but `ulimit -n` must be increased first.
+    worker_processes auto;
+  '';
 
   # this is the standard `combined` log format, with the addition of $host
   # so that we have the virtualHost in the log.
@@ -21,6 +28,13 @@ in
     log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
     access_log /var/log/nginx/private.log vcombined;
   '';
+  # sets gzip_comp_level = 5
+  services.nginx.recommendedGzipSettings = true;
+  # enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
+  # caches TLS sessions for 10m
+  services.nginx.recommendedTlsSettings = true;
+  # enables sendfile, tcp_nopush, tcp_nodelay, keepalive_timeout 65
+  services.nginx.recommendedOptimisation = true;
 
   # web blog/personal site
   services.nginx.virtualHosts."uninsane.org" = publog {
@@ -30,6 +44,7 @@ in
     # and things don't look right. so force SSL.
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
     # yes, nginx does not strip the prefix when evaluating against the root.
@@ -79,6 +94,7 @@ in
   services.nginx.virtualHosts."sink.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     root = "/var/lib/uninsane/sink";
 
     locations."/ws" = {
@@ -97,8 +113,9 @@ in
 
   # Pleroma server and web interface
   services.nginx.virtualHosts."fed.uninsane.org" = publog {
-    addSSL = true;
+    forceSSL = true;  # pleroma redirects to https anyway
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       proxyPass = "http://127.0.0.1:4000";
       # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
@@ -140,6 +157,7 @@ in
     # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9091";
       proxyPass = "http://10.0.1.6:9091";
@@ -150,6 +168,7 @@ in
   services.nginx.virtualHosts."jackett.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9117";
       proxyPass = "http://10.0.1.6:9117";
@@ -160,6 +179,7 @@ in
   services.nginx.virtualHosts."matrix.uninsane.org" = publog {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     # TODO colin: replace this with something helpful to the viewer
     # locations."/".extraConfig = ''
@@ -186,6 +206,7 @@ in
   services.nginx.virtualHosts."web.matrix.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     root = pkgs.element-web.override {
       conf = {
@@ -199,8 +220,9 @@ in
 
   # hosted git (web view and for `git <cmd>` use
   services.nginx.virtualHosts."git.uninsane.org" = publog {
-    addSSL = true;
+    forceSSL = true;  # gitea complains if served over a different protocol than its config file says
     enableACME = true;
+    inherit kTLS;
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:3000";
@@ -212,6 +234,7 @@ in
   services.nginx.virtualHosts."jelly.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:8096";
@@ -258,12 +281,14 @@ in
   services.nginx.virtualHosts."music.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/".proxyPass = "http://127.0.0.1:4533";
   };
 
   services.nginx.virtualHosts."rss.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     # the routing is handled by freshrss.nix
   };
 
@@ -272,6 +297,7 @@ in
     # ideally we'd disable ssl entirely, but some places assume it?
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     default = true;
 
@@ -297,6 +323,7 @@ in
   services.nginx.virtualHosts."nixcache.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     # serverAliases = [ "nixcache" ];
     locations."/".extraConfig = ''
       proxy_pass http://localhost:${toString config.services.nix-serve.port};

hosts/servo/services/pleroma.nix

@@ -1,4 +1,6 @@
-# docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+# docs:
+# - https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+# - https://docs.pleroma.social/backend/configuration/cheatsheet/
 #
 # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
 { config, pkgs, ... }:
@@ -48,16 +50,19 @@
       redirect_on_failure: true
       #base_url: "https://cache.pleroma.social"
 
+    # see for reference:
+    # - `force_custom_plan`: <https://docs.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans>
     config :pleroma, Pleroma.Repo,
       adapter: Ecto.Adapters.Postgres,
       username: "pleroma",
       database: "pleroma",
       hostname: "localhost",
       pool_size: 10,
-      prepare: :named,
       parameters: [
           plan_cache_mode: "force_custom_plan"
       ]
+    # XXX: prepare: :named is needed only for PG <= 12
+    #   prepare: :named,
     #   password: "{secrets.pleroma.db_password}",
 
     # Configure web push notifications
@@ -110,9 +115,9 @@
 
   systemd.services.pleroma.path = [ 
     # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
-    pkgs.bash 
+    pkgs.bash
     # used by Pleroma to strip geo tags from uploads
-    pkgs.exiftool 
+    pkgs.exiftool
     # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
     pkgs.gawk
     # needed for email operations like password reset

hosts/servo/services/postgres.nix

@@ -17,6 +17,11 @@
   #     LC_CTYPE = "C";
   # '';
 
+  # TODO: perf tuning
+  # - for recommended values see: <https://pgtune.leopard.in.ua/>
+  # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
+  # services.postgresql.settings = { ... }
+
   # daily backups to /var/backup
   services.postgresqlBackup.enable = true;
 

hosts/servo/services/prosody.nix

@@ -0,0 +1,62 @@
+# create users with:
+# - `sudo -u prosody prosodyctl adduser colin@uninsane.org`
+
+{ lib, ... }:
+
+# XXX disabled: doesn't send messages to nixnet.social (only receives them).
+# nixnet runs ejabberd, so revisiting that.
+lib.mkIf false
+{
+  sane.impermanence.service-dirs = [
+    { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    5222  # XMPP client -> server
+    5269  # XMPP server -> server
+    5280  # Prosody HTTP port  (necessary?)
+    5281  # Prosody HTTPS port  (necessary?)
+  ];
+
+  # provide access to certs
+  users.users.prosody.extraGroups = [ "nginx" ];
+
+  security.acme.certs."uninsane.org".extraDomainNames = [
+    "conference.xmpp.uninsane.org"
+    "upload.xmpp.uninsane.org"
+  ];
+
+  services.prosody = {
+    enable = true;
+    admins = [ "colin@uninsane.org" ];
+    # allowRegistration = false;
+    # extraConfig = ''
+    #   s2s_require_encryption = true
+    #   c2s_require_encryption = true
+    # '';
+
+    # extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
+
+    ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
+    ssl.key = "/var/lib/acme/uninsane.org/key.pem";
+
+    muc = [
+      {
+        domain = "conference.xmpp.uninsane.org";
+      }
+    ];
+    uploadHttp.domain = "upload.xmpp.uninsane.org";
+
+    virtualHosts = {
+      localhost = {
+        domain = "localhost";
+        enabled = true;
+      };
+      "uninsane.org" = {
+        domain = "uninsane.org";
+        enabled = true;
+        ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
+        ssl.key = "/var/lib/acme/uninsane.org/key.pem";
+      }; 
+    };
+  };
+}

machines/instantiate.nix

@@ -1,11 +0,0 @@
-# trampoline from flake.nix into the specific machine definition, while doing a tiny bit of common setup
-
-hostName: { ... }: {
-  imports = [
-    ./${hostName}
-  ];
-
-  networking.hostName = hostName;
-
-  nixpkgs.config.allowUnfree = true;
-}

modules/allocations.nix

@@ -29,7 +29,7 @@ in
     sane.allocations.colin-uid = mkId 1000;
     sane.allocations.guest-uid = mkId 1100;
 
-    # found on all machines
+    # found on all hosts
     sane.allocations.sshd-uid = mkId 2001;  # 997
     sane.allocations.sshd-gid = mkId 2001;  # 997
     sane.allocations.polkituser-gid = mkId 2002;  # 998
@@ -39,15 +39,15 @@ in
     sane.allocations.systemd-oom-uid = mkId 2005;
     sane.allocations.systemd-oom-gid = mkId 2005;
 
-    # found on graphical machines
+    # found on graphical hosts
     sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
 
-    # found on desko machine
+    # found on desko host
     sane.allocations.usbmux-uid = mkId 2204;
     sane.allocations.usbmux-gid = mkId 2204;
 
 
-    # originally found on moby machine
+    # originally found on moby host
     sane.allocations.avahi-uid = mkId 2304;
     sane.allocations.avahi-gid = mkId 2304;
     sane.allocations.colord-uid = mkId 2305;

modules/default.nix

@@ -2,12 +2,13 @@
 
 {
   imports = [
+    ./allocations.nix
     ./gui
-    ./hardware
+    ./home-manager
+    ./packages.nix
     ./image.nix
     ./impermanence.nix
     ./nixcache.nix
     ./services
-    ./universal
   ];
 }

modules/gui/default.nix

@@ -8,6 +8,7 @@ in
   imports = [
     ./gnome.nix
     ./phosh.nix
+    ./plasma.nix
     ./plasma-mobile.nix
     ./sway.nix
   ];
@@ -21,7 +22,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    sane.home-packages.enableGuiPkgs = lib.mkDefault true;
+    sane.packages.enableGuiPkgs = lib.mkDefault true;
     # all GUIs use network manager?
     users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
   };

modules/gui/phosh.nix

@@ -69,7 +69,7 @@ in
         NIXOS_OZONE_WL = "1";
       };
 
-      sane.home-manager.extraPackages = with pkgs; [
+      sane.packages.extraUserPkgs = with pkgs; [
         phosh-mobile-settings
 
         # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
@@ -89,19 +89,16 @@ in
       services.xserver.displayManager.lightdm.extraSeatDefaults = ''
         user-session = phosh
       '';
-      services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
-      services.xserver.displayManager.lightdm.greeter = {
-        enable = true;
-        package = pkgs.lightdm-mobile-greeter.xgreeters;
-        name = "lightdm-mobile-greeter";
-      };
-      # services.xserver.displayManager.lightdm.enable = true;
-      # # services.xserver.displayManager.lightdm.greeters.enso.enable = true;  # tried (with reboot); got a mouse then died. next time was black
-      # # services.xserver.displayManager.lightdm.greeters.gtk.enable = true;  # tried (with reboot); unusable without OSK
-      # # services.xserver.displayManager.lightdm.greeters.mini.enable = true;  # tried (with reboot); unusable without OSK
-      # # services.xserver.displayManager.lightdm.greeters.pantheon.enable = true; # tried (no reboot); unusable without OSK
-      # services.xserver.displayManager.lightdm.greeters.slick.enable = true;  # tried; unusable without OSK (a11y -> OSK doesn't work)
-      # # services.xserver.displayManager.lightdm.greeters.tiny.enable = true;  # tried; block screen
+      # services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
+      # services.xserver.displayManager.lightdm.greeter = {
+      #   enable = true;
+      #   package = pkgs.lightdm-mobile-greeter.xgreeters;
+      #   name = "lightdm-mobile-greeter";
+      # };
+      # # services.xserver.displayManager.lightdm.enable = true;
+
+      services.xserver.displayManager.lightdm.enable = true;
+      services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
 
       systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
     })

modules/gui/plasma.nix

@@ -0,0 +1,28 @@
+{ lib, config, ... }:
+
+with lib;
+let
+  cfg = config.sane.gui.plasma;
+in
+{
+  options = {
+    sane.gui.plasma.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sane.gui.enable = true;
+
+    # start plasma on boot
+    services.xserver.enable = true;
+    services.xserver.desktopManager.plasma5.enable = true;
+    services.xserver.displayManager.sddm.enable = true;
+
+    # gnome does networking stuff with networkmanager
+    networking.useDHCP = false;
+    networking.networkmanager.enable = true;
+    networking.wireless.enable = lib.mkForce false;
+  };
+}

modules/gui/sway.nix

@@ -597,7 +597,7 @@ in
       #   }
       # '';
     };
-    sane.home-manager.extraPackages = with pkgs; [
+    sane.packages.extraUserPkgs = with pkgs; [
       swaylock
       swayidle  # (unused)
       wl-clipboard

modules/home-manager/aerc.nix

@@ -1,9 +1,11 @@
 # Terminal UI mail client
-{ config, ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   sops.secrets."aerc_accounts" = {
     owner = config.users.users.colin.name;
-    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
+    sopsFile = ../../secrets/universal/aerc_accounts.conf;
     format = "binary";
   };
   home-manager.users.colin = let sysconfig = config; in { config, ... }: {

modules/home-manager/default.nix

@@ -9,9 +9,9 @@
 with lib;
 let
   cfg = config.sane.home-manager;
-  # extract package from `extraPackages`
+  # extract package from `sane.packages.enabledUserPkgs`
   pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
-  # extract `dir` from `extraPackages`
+  # extract `dir` from `sane.packages.enabledUserPkgs`
   dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
   private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
   feeds = import ./feeds.nix { inherit lib; };
@@ -20,9 +20,9 @@ in
   imports = [
     ./aerc.nix
     ./discord.nix
+    ./firefox.nix
     ./git.nix
     ./kitty.nix
-    ./librewolf.nix
     ./mpv.nix
     ./nb.nix
     ./neovim.nix
@@ -33,14 +33,10 @@ in
   ];
 
   options = {
-    # packages to deploy to the user's home
-    sane.home-manager.extraPackages = mkOption {
-      default = [ ];
-      # each entry can be either a package, or attrs:
-      #   { pkg = package; dir = optional string;
-      type = types.listOf (types.either types.package types.attrs);
+    sane.home-manager.enable = mkOption {
+      default = false;
+      type = types.bool;
     };
-
     # attributes to copy directly to home-manager's `wayland.windowManager` option
     sane.home-manager.windowManager = mkOption {
       default = {};
@@ -54,7 +50,7 @@ in
     };
   };
 
-  config = {
+  config = lib.mkIf cfg.enable {
     sane.impermanence.home-dirs = [
       "archive"
       "dev"
@@ -65,7 +61,7 @@ in
       "Music"
       "Pictures"
       "Videos"
-    ] ++ (dir-list cfg.extraPackages);
+    ] ++ (dir-list config.sane.packages.enabledUserPkgs);
 
     home-manager.useGlobalPkgs = true;
     home-manager.useUserPackages = true;
@@ -79,7 +75,7 @@ in
       manual.html.enable = false;  # TODO: set to true later (build failure)
       manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
 
-      home.packages = pkg-list cfg.extraPackages;
+      home.packages = pkg-list sysconfig.sane.packages.enabledUserPkgs;
       wayland.windowManager = cfg.windowManager;
 
       home.stateVersion = "21.11";
@@ -90,7 +86,7 @@ in
         initKeyring = {
           after = ["writeBoundary"];
           before = [];
-          data = "${../../../scripts/init-keyring}";
+          data = "${../../scripts/init-keyring}";
         };
       };
 
@@ -101,7 +97,7 @@ in
             name = path;
             value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
           })
-          (private-list cfg.extraPackages)
+          (private-list sysconfig.sane.packages.enabledUserPkgs)
         );
       in {
         # convenience
@@ -134,7 +130,7 @@ in
       # - `xdg-mime query filetype path/to/thing.ext`
       xdg.mimeApps.enable = true;
       xdg.mimeApps.defaultApplications = let
-        www = "librewolf.desktop";
+        www = sysconfig.sane.web-browser.desktop;
         pdf = "org.gnome.Evince.desktop";
         md = "obsidian.desktop";
         thumb = "org.gnome.gThumb.desktop";
@@ -165,6 +161,18 @@ in
         "audio/x-vorbis+ogg" = [ audio ];
       };
 
+      # libreoffice: disable first-run stuff
+      xdg.configFile."libreoffice/4/user/registrymodifications.xcu".text = ''
+        <?xml version="1.0" encoding="UTF-8"?>
+        <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+          <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
+          <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
+        </oor:items>
+      '';
+      # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
+      # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+
+
 
       xdg.configFile."gpodderFeeds.opml".text = with feeds;
         feedsToOpml feeds.podcasts;

modules/home-manager/discord.nix

@@ -1,4 +1,6 @@
-{ ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   # TODO: this should only be enabled on gui devices
   # make Discord usable even when client is "outdated"

modules/home-manager/feeds.nix

@@ -61,6 +61,8 @@ in rec {
     (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
     ## 60 minutes (NB: this features more than *just* audio?)
     (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
+    ## The Verge - Decoder
+    (mkPod "https://feeds.megaphone.fm/recodedecode" // tech // weekly)
   ];
 
   texts = [
@@ -94,6 +96,7 @@ in rec {
     (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
     (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
+    (mkText "https://www.jefftk.com/news.rss" // tech // daily)
 
     # (TECH; POL) COMMENTATORS
     (mkSubstack "edwardsnowden" // pol // infrequent)

modules/home-manager/firefox.nix

@@ -0,0 +1,139 @@
+# common settings to toggle (at runtime, in about:config):
+#   > security.ssl.require_safe_negotiation
+
+# librewolf is a forked firefox which patches firefox to allow more things
+# (like default search engines) to be configurable at runtime.
+# many of the settings below won't have effect without those patches.
+# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
+
+{ config, lib, pkgs, ...}:
+with lib;
+let
+  cfg = config.sane.web-browser;
+  # allow easy switching between firefox and librewolf with `defaultSettings`, below
+  librewolfSettings = {
+    browser = pkgs.librewolf-unwrapped;
+    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
+    #   # this allows side-loading unsigned addons
+    #   MOZ_REQUIRE_SIGNING = false;
+    # });
+    libName = "librewolf";
+    dotDir = ".librewolf";
+    desktop = "librewolf.desktop";
+  };
+  firefoxSettings = {
+    browser = pkgs.firefox-esr-unwrapped;
+    libName = "firefox";
+    dotDir = ".mozilla/firefox";
+    desktop = "firefox.desktop";
+  };
+  defaultSettings = firefoxSettings;
+  # defaultSettings = librewolfSettings;
+
+  package = pkgs.wrapFirefox cfg.browser {
+    # inherit the default librewolf.cfg
+    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
+    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
+    inherit (cfg) libName;
+
+    extraNativeMessagingHosts = [ pkgs.browserpass ];
+    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
+
+    nixExtensions = let
+      addon = name: extid: hash: pkgs.fetchFirefoxAddon {
+        inherit name hash;
+        url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
+        fixedExtid = extid;
+      };
+      localAddon = pkg: pkgs.fetchFirefoxAddon {
+        inherit (pkg) name;
+        src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
+        fixedExtid = pkg.extid;
+      };
+    in [
+      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-C+VQyaJ8BA0ErXGVTdnppJZ6J9SP+izf6RFxdS4VJoU=")
+      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-au5GGn22n4i6VrdOKqNMOrWdMoVCcpLdjO2wwRvyx7E=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-m14onUlnpLDPHezA/soKygcc76tF1fLG52tM/LkbAXQ=")
+      (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
+      (addon "ether-metamask" "webextension@metamask.io" "sha256-dnpwKpNF0KgHMAlz5btkkZySjMsnrXECS35ClkD2XHc=")
+      # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
+      (localAddon pkgs.browserpass-extension)
+    ];
+
+    extraPolicies = {
+      NoDefaultBookmarks = true;
+      SearchEngines = {
+        Default = "DuckDuckGo";
+      };
+      AppUpdateURL = "https://localhost";
+      DisableAppUpdate = true;
+      OverrideFirstRunPage = "";
+      OverridePostUpdatePage = "";
+      DisableSystemAddonUpdate = true;
+      DisableFirefoxStudies = true;
+      DisableTelemetry = true;
+      DisableFeedbackCommands = true;
+      DisablePocket = true;
+      DisableSetDesktopBackground = false;
+
+      # remove many default search providers
+      # XXX this seems to prevent the `nixExtensions` from taking effect
+      # Extensions.Uninstall = [
+      #   "google@search.mozilla.org"
+      #   "bing@search.mozilla.org"
+      #   "amazondotcom@search.mozilla.org"
+      #   "ebay@search.mozilla.org"
+      #   "twitter@search.mozilla.org"
+      # ];
+      # XXX doesn't seem to have any effect...
+      # docs: https://github.com/mozilla/policy-templates#homepage
+      # Homepage = {
+      #   HomepageURL = "https://uninsane.org/";
+      #   StartPage = "homepage";
+      # };
+      # NewTabPage = true;
+    };
+  };
+in
+{
+  options = {
+    sane.web-browser = mkOption {
+      default = defaultSettings;
+      type = types.attrs;
+    };
+  };
+  config = lib.mkIf config.sane.home-manager.enable {
+    # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
+    home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
+      programs.firefox = {
+        enable = true;
+        inherit package;
+      };
+
+      # uBlock filter list configuration.
+      # specifically, enable the GDPR cookie prompt blocker.
+      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
+      # this configuration method is documented here:
+      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
+      # the specific attribute path is found via scraping ublock code here:
+      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
+      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
+      home.file."${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json".text = ''
+        {
+         "name": "uBlock0@raymondhill.net",
+         "description": "ignored",
+         "type": "storage",
+         "data": {
+            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
+         }
+        }
+      '';
+      home.file."${cfg.dotDir}/${cfg.libName}.overrides.cfg".text = ''
+        // if we can't query the revocation status of a SSL cert because the issuer is offline,
+        // treat it as unrevoked.
+        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+        defaultPref("security.OCSP.require", false);
+      '';
+    };
+  };
+}

modules/home-manager/git.nix

@@ -1,4 +1,6 @@
-{ pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin.programs.git = {
     enable = true;

modules/home-manager/kitty.nix

@@ -1,4 +1,6 @@
-{ ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin.programs.kitty = {
     enable = true;

modules/home-manager/mpv.nix

@@ -1,4 +1,6 @@
-{ ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin.programs.mpv = {
     enable = true;

modules/home-manager/nb.nix

@@ -8,9 +8,12 @@
 # it offers a primitive web-server
 # and it offers some CLI query tools
 
-{ lib, pkgs, ... }: lib.mkIf false  # XXX disabled!
+{ config, lib, pkgs, ... }:
+
+# lib.mkIf config.sane.home-manager.enable
+lib.mkIf false # XXX disabled!
 {
-  sane.home-manager.extraPackages = [ pkgs.nb ];
+  sane.packages.extraUserPkgs = [ pkgs.nb ];
 
   home-manager.users.colin = { config, ... }: {
     # nb markdown/personal knowledge manager

modules/home-manager/neovim.nix

@@ -1,4 +1,6 @@
-{ pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
 
@@ -45,7 +47,7 @@
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
       # this is required for tree-sitter to even highlight
       ({
-        plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
+        plugin = nvim-treesitter.withAllGrammars;
         type = "lua";
         config = ''
           require'nvim-treesitter.configs'.setup {

modules/home-manager/ssh.nix

@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin = let
     host = config.networking.hostName;

modules/home-manager/sublime-music.nix

@@ -1,9 +1,11 @@
-{ config, ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   # TODO: this should only be shipped on gui platforms
   sops.secrets."sublime_music_config" = {
     owner = config.users.users.colin.name;
-    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
+    sopsFile = ../../secrets/universal/sublime_music_config.json.bin;
     format = "binary";
   };
   home-manager.users.colin = let sysconfig = config; in { config, ... }: {

modules/home-manager/vlc.nix

@@ -1,4 +1,6 @@
-{ lib, ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
   let

modules/home-manager/zsh.nix

@@ -1,4 +1,6 @@
-{ ... }:
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
 {
   # we don't need to full zsh dir -- just the history file --
   # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.

modules/image.nix

@@ -6,6 +6,11 @@ let
 in
 {
   options = {
+    sane.image.enable = mkOption {
+      default = true;
+      type = types.bool;
+      description = "whether to enable image targets. this doesn't mean they'll be built unless you specifically reference the target.";
+    };
     # packages whose contents should be copied directly into the /boot partition.
     # e.g. EFI loaders, u-boot bootloader, etc.
     sane.image.extraBootFiles = mkOption {

modules/nixcache.nix

@@ -20,22 +20,28 @@ in
       default = false;
       type = types.bool;
     };
-  };
-
-  config = mkIf cfg.enable {
-    # use our own binary cache
-    nix.settings = {
-      substituters = [
-        "https://nixcache.uninsane.org"
-        "http://desko:5000"
-        "https://nix-community.cachix.org"
-        "https://cache.nixos.org/"
-      ];
-      trusted-public-keys = [
-        "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
-        "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      ];
+    sane.nixcache.enable-trusted-keys = mkOption {
+      default = config.sane.nixcache.enable;
+      type = types.bool;
     };
   };
+
+  config = {
+    # use our own binary cache
+    # to explicitly build from a specific cache (in case others are down):
+    # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
+    # - `nix build ... --substituters http://desko:5000`
+    nix.settings.substituters = mkIf cfg.enable [
+      "https://nixcache.uninsane.org"
+      "http://desko:5000"
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+    ];
+    # always trust our keys (so one can explicitly use a substituter even if it's not the default
+    nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
+      "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
+      "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
 }

modules/packages.nix

@@ -3,8 +3,8 @@
 with lib;
 with pkgs;
 let
-  cfg = config.sane.home-packages;
-  universalPkgs = [
+  cfg = config.sane.packages;
+  consolePkgs = [
     backblaze-b2
     cdrtools
     duplicity
@@ -28,6 +28,7 @@ let
     # ponymix
     pulsemixer
     python3
+    rsync
     # python3Packages.eyeD3  # music tagging
     sane-scripts
     sequoia
@@ -53,12 +54,15 @@ let
     celluloid  # mpv frontend
     chromium
     clinfo
+    { pkg = dino; private = ".local/share/dino"; }
     electrum
 
     # creds/session keys, etc
     { pkg = element-desktop; private = ".config/Element"; }
-
-    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    # `emote` will show a first-run dialog based on what's in this directory.
+    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    { pkg = emote; dir = ".local/share/Emote"; }
     evince  # works on phosh
 
     # { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
@@ -90,6 +94,7 @@ let
     handbrake
     inkscape
 
+    kdenlive
     kid3  # audio tagging
     krita
     libreoffice-fresh  # XXX colin: maybe don't want this on mobile
@@ -107,8 +112,11 @@ let
     { pkg = obsidian; dir = ".config/obsidian"; }
 
     pavucontrol
-    picard  # music tagging
+    # picard  # music tagging
     playerctl
+
+    libsForQt5.plasmatube  # Youtube player
+
     soundconverter
     # sublime music persists any downloaded albums here.
     # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
@@ -117,6 +125,8 @@ let
     { pkg = sublime-music; dir = ".local/share/sublime-music"; }
     tdesktop  # broken on phosh
 
+    { pkg = tokodon; dir = ".cache/KDE/tokodon"; }
+
     # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
     { pkg = vlc; dir = ".config/vlc"; }
 
@@ -158,6 +168,41 @@ let
     { pkg = zecwallet-lite; dir = ".zcash"; }
   ] else []);
 
+  # general-purpose utilities that we want any user to be able to access
+  #   (specifically: root, in case of rescue)
+  systemPkgs = [
+    btrfs-progs
+    cryptsetup
+    dig
+    efibootmgr
+    fatresize
+    fd
+    file
+    gptfdisk
+    hdparm
+    htop
+    iftop
+    inetutils  # for telnet
+    iotop
+    iptables
+    jq
+    killall
+    lsof
+    netcat
+    nethogs
+    nmap
+    openssl
+    parted
+    pciutils
+    powertop
+    ripgrep
+    screen
+    smartmontools
+    socat
+    usbutils
+    wget
+  ];
+
   # useful devtools:
   devPkgs = [
     bison
@@ -168,6 +213,7 @@ let
     # gcc-arm-embedded
     # gcc_multi
     gnumake
+    mercurial
     mix2nix
     rustup
     swig
@@ -175,11 +221,22 @@ let
 in
 {
   options = {
-    sane.home-packages.enableGuiPkgs = mkOption {
+    # packages to deploy to the user's home
+    sane.packages.extraUserPkgs = mkOption {
+      default = [ ];
+      # each entry can be either a package, or attrs:
+      #   { pkg = package; dir = optional string; private = optional string };
+      type = types.listOf (types.either types.package types.attrs);
+    };
+    sane.packages.enableConsolePkgs = mkOption {
       default = false;
       type = types.bool;
     };
-    sane.home-packages.enableDevPkgs = mkOption {
+    sane.packages.enableGuiPkgs = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableDevPkgs = mkOption {
       description = ''
         enable packages that are useful for building other software by hand.
         you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
@@ -187,10 +244,24 @@ in
       default = false;
       type = types.bool;
     };
+    sane.packages.enableSystemPkgs = mkOption {
+      default = false;
+      type = types.bool;
+      description = "enable system-wide packages";
+    };
+
+    sane.packages.enabledUserPkgs = mkOption {
+      default = cfg.extraUserPkgs
+        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
+        ++ (if cfg.enableGuiPkgs then guiPkgs else [])
+        ++ (if cfg.enableDevPkgs then devPkgs else [])
+      ;
+      type = types.listOf (types.either types.package types.attrs);
+      description = "generated from other config options";
+    };
   };
+
   config = {
-    sane.home-manager.extraPackages = universalPkgs
-      ++ (if cfg.enableGuiPkgs then guiPkgs else [])
-      ++ (if cfg.enableDevPkgs then devPkgs else []);
+    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
   };
 }

modules/pubkeys.nix

@@ -27,8 +27,8 @@ let
   };
 in {
   # map hostname -> something suitable for known_keys
-  hosts = builtins.mapAttrs (machine: keys: withHost machine keys.host) keys;
+  hosts = builtins.mapAttrs (host: keys: withHost host keys.host) keys;
   # map hostname -> something suitable for authorized_keys to allow access to colin@<hostname>
-  users = builtins.mapAttrs (machine: keys: withUser "colin@${machine}" keys.users.colin) keys;
+  users = builtins.mapAttrs (host: keys: withUser "colin@${host}" keys.users.colin) keys;
 }
 

modules/services/duplicity.nix

@@ -1,5 +1,5 @@
 # docs: https://search.nixos.org/options?channel=21.11&query=duplicity
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 let
@@ -18,8 +18,7 @@ in
     sane.impermanence.service-dirs = [ "/var/lib/duplicity" ];
 
     services.duplicity.enable = true;
-    services.duplicity.targetUrl = ''"$DUPLICITY_URL"'';
-    services.duplicity.escapeUrl = false;
+    services.duplicity.targetUrl = "$DUPLICITY_URL";
     # format: PASSPHRASE=<cleartext> \n DUPLICITY_URL=b2://...
     # two sisters
     # PASSPHRASE: remote backups will be encrypted using this passphrase (using gpg)
@@ -32,29 +31,28 @@ in
     services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
     # NB: manually trigger with `systemctl start duplicity`
     services.duplicity.frequency = "daily";
-    # TODO: this needs updating to handle impermanence changes
-    services.duplicity.exclude = [
-      # impermanent/inconsequential data:
-      "/dev"
-      "/proc"
-      "/run"
-      "/sys"
-      "/tmp"
-      # bind mounted (dupes):
-      "/var/lib"
-      # other mounts
-      "/mnt"
-      # data that's not worth the cost to backup:
-      "/nix/persist/var/lib/uninsane/media"
-      "/nix/persist/home/colin/tmp"
-      "/nix/persist/home/colin/Videos"
-      "/home/colin/tmp"
-      "/home/colin/Videos"
-    ];
 
     services.duplicity.extraFlags = [
       # without --allow-source-mismatch, duplicity will abort if you change the hostname between backups
       "--allow-source-mismatch"
+
+      # includes/exclude ordering matters, so we explicitly control it here.
+      # the first match decides a file's treatment. so here:
+      # - /nix/persist/home/colin/tmp is excluded
+      # - *other* /nix/persist/ files are included by default
+      # - anything else under `/` are excluded by default
+      "--exclude" "/nix/persist/home/colin/dev/home-logic/coremem/out"  # this can reach > 1 TB
+      "--exclude" "/nix/persist/home/colin/use/iso"  # might want to re-enable... but not critical
+      "--exclude" "/nix/persist/home/colin/.local/share/sublime-music"  # music cache. better to just keep the HQ sources
+      "--exclude" "/nix/persist/home/colin/.local/share/Steam"  # can just re-download games
+      "--exclude" "/nix/persist/home/colin/.bitmonero/lmdb"  # monero blockchain
+      "--exclude" "/nix/persist/home/colin/.rustup"
+      "--exclude" "/nix/persist/home/colin/ref"  # publicly available data: no point in duplicating it
+      "--exclude" "/nix/persist/home/colin/tmp"
+      "--exclude" "/nix/persist/home/colin/Videos"
+      "--exclude" "/nix/persist/var/lib/duplicity"  # don't back up our own backup state!
+      "--include" "/nix/persist"
+      "--exclude" "/"
     ];
 
     # set this for the FIRST backup, then remove it to enable incremental backups
@@ -70,5 +68,26 @@ in
         "/dev/mmc0 5M"
       ];
     };
+
+    # based on <nixpkgs:nixos/modules/services/backup/duplicity.nix>  with changes:
+    # - remove the cleanup step: API key doesn't have delete perms
+    # - don't escape the targetUrl: it comes from an env var set in the secret file
+    systemd.services.duplicity.script = let
+      cfg = config.services.duplicity;
+      target = cfg.targetUrl;
+      extra = escapeShellArgs ([ "--archive-dir" "/var/lib/duplicity" ] ++ cfg.extraFlags);
+      dup = "${pkgs.duplicity}/bin/duplicity";
+    in lib.mkForce ''
+      set -x
+      # ${dup} cleanup ${target} --force ${extra}
+      # ${lib.optionalString (cfg.cleanup.maxAge != null) "${dup} remove-older-than ${lib.escapeShellArg cfg.cleanup.maxAge} ${target} --force ${extra}"}
+      # ${lib.optionalString (cfg.cleanup.maxFull != null) "${dup} remove-all-but-n-full ${builtins.toString cfg.cleanup.maxFull} ${target} --force ${extra}"}
+      # ${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-inc-of-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"}
+      exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArg cfg.root} ${target} ${lib.escapeShellArgs ([]
+        ++ concatMap (p: [ "--include" p ]) cfg.include
+        ++ concatMap (p: [ "--exclude" p ]) cfg.exclude
+        ++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ])
+        )} ${extra}
+    '';
   };
 }

modules/services/nixserve.nix

@@ -14,8 +14,8 @@ in
       type = types.bool;
     };
     sane.services.nixserve.sopsFile = mkOption {
-      default = ../../secrets/servo.yaml;
       type = types.path;
+      description = "path to file that contains the nix_serv_privkey secret (can be in VCS)";
     };
   };
 

modules/universal/home-manager/librewolf.nix

@@ -1,102 +0,0 @@
-# common settings to toggle (at runtime, in about:config):
-#   > security.ssl.require_safe_negotiation
-
-# librewolf is a forked firefox which patches firefox to allow more things
-# (like default search engines) to be configurable at runtime.
-# many of the settings below won't have effect without those patches.
-# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
-
-{ config, lib, pkgs, ...}:
-let
-  package = pkgs.wrapFirefox pkgs.librewolf-unwrapped {
-    # inherit the default librewolf.cfg
-    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-    libName = "librewolf";
-
-    extraNativeMessagingHosts = [ pkgs.browserpass ];
-    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
-
-    extraPolicies = {
-      NoDefaultBookmarks = true;
-      SearchEngines = {
-        Default = "DuckDuckGo";
-      };
-      AppUpdateURL = "https://localhost";
-      DisableAppUpdate = true;
-      OverrideFirstRunPage = "";
-      OverridePostUpdatePage = "";
-      DisableSystemAddonUpdate = true;
-      DisableFirefoxStudies = true;
-      DisableTelemetry = true;
-      DisableFeedbackCommands = true;
-      DisablePocket = true;
-      DisableSetDesktopBackground = false;
-      Extensions = {
-        Install = let
-          addon = pkg: addonId: "${pkg}/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/${addonId}.xpi";
-        in with pkgs.firefox-addons; [
-          # the extension key is found by building and checking the output: `nix build '.#rycee.firefox-addons.<foo>'`
-          # or by taking the `addonId` input to `buildFirefoxXpiAddon` in rycee's firefox-addons repo
-          (addon ublock-origin "uBlock0@raymondhill.net")
-          (addon sponsorblock "sponsorBlocker@ajay.app")
-          (addon bypass-paywalls-clean "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}")
-          (addon sidebery "{3c078156-979c-498b-8990-85f7987dd929}")
-          (addon browserpass "browserpass@maximbaz.com")
-          (addon metamask "webextension@metamask.io")
-          # extensions can alternatively be installed by URL, in which case they are fetched (and cached) on first run.
-          # "https://addons.mozilla.org/firefox/downloads/latest/gopass-bridge/latest.xpi"
-        ];
-        # remove many default search providers
-        Uninstall = [
-          "google@search.mozilla.org"
-          "bing@search.mozilla.org"
-          "amazondotcom@search.mozilla.org"
-          "ebay@search.mozilla.org"
-          "twitter@search.mozilla.org"
-        ];
-      };
-      # XXX doesn't seem to have any effect...
-      # docs: https://github.com/mozilla/policy-templates#homepage
-      # Homepage = {
-      #   HomepageURL = "https://uninsane.org/";
-      #   StartPage = "homepage";
-      # };
-      # NewTabPage = true;
-    };
-  };
-in
-{
-  # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
-  home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
-    programs.firefox = {
-      enable = true;
-      inherit package;
-    };
-
-    # uBlock filter list configuration.
-    # specifically, enable the GDPR cookie prompt blocker.
-    # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
-    # this configuration method is documented here:
-    # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
-    # the specific attribute path is found via scraping ublock code here:
-    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
-    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-    home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
-      {
-       "name": "uBlock0@raymondhill.net",
-       "description": "ignored",
-       "type": "storage",
-       "data": {
-          "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
-       }
-      }
-    '';
-    home.file.".librewolf/librewolf.overrides.cfg".text = ''
-      // if we can't query the revocation status of a SSL cert because the issuer is offline,
-      // treat it as unrevoked.
-      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
-      defaultPref("security.OCSP.require", false);
-    '';
-  };
-}

modules/universal/system-packages.nix

@@ -1,38 +0,0 @@
-{ pkgs, ... }:
-{
-  # general-purpose utilities that we want any user to be able to access
-  #   (specifically: root, in case of rescue)
-  environment.systemPackages = with pkgs; [
-    btrfs-progs
-    cryptsetup
-    dig
-    efibootmgr
-    fatresize
-    fd
-    file
-    gptfdisk
-    hdparm
-    htop
-    iftop
-    inetutils  # for telnet
-    iotop
-    iptables
-    jq
-    killall
-    lsof
-    netcat
-    nethogs
-    nmap
-    openssl
-    parted
-    pciutils
-    powertop
-    ripgrep
-    screen
-    smartmontools
-    socat
-    usbutils
-    wget
-  ];
-}
-

nixpatches/list.nix

@@ -1,11 +1,17 @@
 fetchpatch: [
   # phosh-mobile-settings: init at 0.21.1
   (fetchpatch {
-    url = "http://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
     # url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
     sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
   })
 
+  # librewolf: build with `MOZ_REQUIRE_SIGNING=false`
+  (fetchpatch {
+    url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/99b82e07fee4d194520d6e8d51bc45c80a4d3c7e.diff";
+    sha256 = "sha256-FOAZYaMpSPMYwU26xYD+V/f+df0JjlbuVtqjlcBFW5Q=";
+  })
 
   # # kaiteki: init at 2022-09-03
   # vendorHash changes too frequently (might not be reproducible).
@@ -29,9 +35,7 @@ fetchpatch: [
   #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
   ./02-rpi4-uboot.patch
 
-  # TODO: upstream
-  # maybe convert this patch to add a `targetUrlExpr` instead of doing the `escapeShellArgs` hack
-  ./07-duplicity-rich-url.patch
+  # ./07-duplicity-rich-url.patch
 
   # enable aarch64 support for flutter's dart package
   # ./10-flutter-arm64.patch

pkgs/browserpass-extension/default.nix

@@ -0,0 +1,67 @@
+{ stdenv
+, fetchFromGitHub
+, fetchFromGitea
+, gnused
+, jq
+, mkYarnModules
+, zip
+}:
+
+let
+  pname = "browserpass-extension";
+  version = "3.7.2-20221121";
+  # src = fetchFromGitHub {
+  #   owner = "browserpass";
+  #   repo = "browserpass-extension";
+  #   # rev = version;
+  #   rev = "21f3431d09e1d7ffd33e0b9fc5d2965b7bd93a1a";
+  #   sha256 = "sha256-XIgbaQSAXx7L1e/9rzN7oBQy9U3HWJHOX2auuvgdvbc=";
+  # };
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "browserpass-extension";
+    # hack in sops support
+    rev = "f7cb5af1e6246fac26ee2d0c40eb926599f1e15a";
+    sha256 = "sha256-vdGoptqAVm6NWn22aFfvIHWNXtlAj0yc7OZN+8hGAI4=";
+  };
+  browserpass-extension-yarn-modules = mkYarnModules {
+    inherit pname version;
+    packageJSON = "${src}/src/package.json";
+    yarnLock = "${src}/src/yarn.lock";
+  };
+  extid = "browserpass@maximbaz.com";
+in stdenv.mkDerivation {
+  inherit pname version src;
+
+  patchPhase = ''
+    # dependencies are built separately: skip the yarn install
+    ${gnused}/bin/sed -i /yarn\ install/d src/Makefile
+  '';
+
+  preBuild = ''
+    ln -s ${browserpass-extension-yarn-modules}/node_modules src/node_modules
+  '';
+
+  installPhase = ''
+    BASE=$out/share/mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
+    mkdir -p $BASE
+
+    pushd firefox
+
+    # firefox requires addons to have an id field when sideloading:
+    # - <https://extensionworkshop.com/documentation/publish/distribute-sideloading/>
+    cat manifest.json \
+      | ${jq}/bin/jq '. + { applications: {gecko: {id: "${extid}" }}, browser_specific_settings: {gecko: {id: "${extid}"}} }' \
+      > manifest.patched.json
+    mv manifest{.patched,}.json
+
+    ${zip}/bin/zip -r $BASE/browserpass@maximbaz.com.xpi ./*
+
+    popd
+  '';
+
+  passthru = {
+    inherit extid;
+  };
+}

pkgs/browserpass/default.nix

@@ -1,7 +1,9 @@
 { pkgs
 , bash
 , fetchFromGitea
+, gnused
 , lib
+, sane-scripts
 , sops
 , stdenv
 , substituteAll
@@ -13,7 +15,8 @@ let
     version = "0.1.0";
     src = ./.;
 
-    inherit bash sops;
+    inherit bash gnused sops;
+    sane_scripts = sane-scripts;
     installPhase = ''
       mkdir -p $out/bin
       substituteAll ${./sops-gpg-adapter} $out/bin/gpg
@@ -28,8 +31,9 @@ in
     domain = "git.uninsane.org";
     owner = "colin";
     repo = "browserpass-native";
-    rev = "8de7959fa5772aca406bf29bb17707119c64b81e";
-    hash = "sha256-ewB1YdWqfZpt8d4p9LGisiGUsHzRW8RiSO/+NZRiQpk=";
+    # don't forcibly append '.gpg'
+    rev = "85bdb08379c03297c1236f66e8764160c922d397";
+    hash = "sha256-SEfihU+GreWhYfLVr7tTnMCo6Iq20a78F8iVbycOQUQ=";
   };
   installPhase = ''
     make install

pkgs/browserpass/sops-gpg-adapter

@@ -7,8 +7,13 @@ then
   exit 0
 fi
 
+# ensure the secret store is unlocked
+@sane_scripts@/bin/sane-secrets-unlock
+
 # using exec here forwards our stdin
 # browserpass parses the response in
 # <browserpass-extension/src/background.js#parseFields>
 # it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
-exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin
+# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
+# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
+exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/

pkgs/lightdm-mobile-greeter/cargo_lock-fix_lightdm_rs_url.patch

@@ -1,28 +0,0 @@
-commit c2a3a5eff2edc95108a21fc02c420a8aaa19accd
-Author: colin <colin@uninsane.org>
-Date:   Tue Oct 25 20:59:20 2022 -0700
-
-    Cargo.lock: update lightdm-rs URLs
-
-diff --git a/Cargo.lock b/Cargo.lock
-index 1051644..72d09e6 100644
---- a/Cargo.lock
-+++ b/Cargo.lock
-@@ -362,7 +362,7 @@ dependencies = [
- [[package]]
- name = "light-dm-sys"
- version = "0.0.1"
--source = "git+https://raatty.club:3000/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
-+source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
- dependencies = [
-  "gio-sys",
-  "glib-sys",
-@@ -374,7 +374,7 @@ dependencies = [
- [[package]]
- name = "lightdm"
- version = "0.1.0"
--source = "git+https://raatty.club:3000/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
-+source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
- dependencies = [
-  "gio",
-  "gio-sys",

pkgs/lightdm-mobile-greeter/default.nix

@@ -1,7 +1,7 @@
 { lib
 , fetchFromGitea
 , gtk3
-, libhandy_0
+, libhandy
 , lightdm
 , pkgs
 , linkFarm
@@ -11,24 +11,34 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "lightdm-mobile-greeter";
-  version = "6";
+  version = "2022-10-30";
 
+  # upstream:
+  # src = fetchFromGitea {
+  #   domain = "git.raatty.club";
+  #   owner = "raatty";
+  #   repo = "lightdm-mobile-greeter";
+  #   rev = "8c8d6dfce62799307320c8c5a1f0dd5c8c18e4d3";
+  #   hash = "sha256-SrAR2+An3BN/doFl/s8PcYZMUHLfVPXKZOo6ndO60nY=";
+  # };
+  # cargoHash = "sha256-NZ0jOkEBNa5oOydfyKm0XQB/vkAvBv9wHBbnM9egQFQ=";
+
+  # sane dev:
   src = fetchFromGitea {
-    domain = "git.raatty.club";
-    owner = "raatty";
+    domain = "git.uninsane.org";
+    owner = "colin";
     repo = "lightdm-mobile-greeter";
-    rev = "${version}";
-    hash = "sha256-uqsYOHRCOmd3tpJdndZFQ/tznZ660NhB+gE2154kJuM=";
+    # rev = "bd2138f630db0dfb901bc28a9b70d6be8b9879dd";
+    # hash = "sha256-B3dNvnduR1pz5DedmAR8Fc/CXowR3jsyrjMUFOMizxI=";
+    rev = "f3511ec71a4a1f491d759711e0bcf031e335ea70";
+    hash = "sha256-U5chzm3q3vycgX1HSLf6sk6M3YoJ4CHGLKRg4ViIhu8=";
   };
-  cargoHash = "sha256-JV8NQdZAG4EetRHwbi0dD0uIOUkn5hvzry+5WB7TCO4=";
-
-  cargoPatches = [
-    ./cargo_lock-fix_lightdm_rs_url.patch
-  ];
+  cargoHash = "sha256-2NMXR+D/CnDhUToQmMwK2Cb2l+4/N9BrCz/lt1NZ6Wk=";
 
   buildInputs = [
     gtk3
-    libhandy_0
+    # libhandy_0
+    libhandy
     lightdm
   ];
   nativeBuildInputs = [
@@ -49,7 +59,7 @@ rustPlatform.buildRustPackage rec {
 
   meta = with lib; {
     description = "A simple log in screen for use on touch screens.";
-    homepage = "https://git.uninsane.org/colin/lightdm-mobile-greeter";
+    homepage = "https://git.raatty.club/raatty/lightdm-mobile-greeter";
     maintainers = with maintainers; [ colinsane ];
     platforms = platforms.linux;
     license = licenses.mit;

pkgs/overlay.nix

@@ -37,12 +37,14 @@
 
   gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
 
-  browserpass = prev.callPackage ./browserpass { pkgs = prev; };
+  browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
 
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
   kaiteki = prev.callPackage ./kaiteki { };
   lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
+  browserpass-extension = prev.callPackage ./browserpass-extension { };
   gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
+  tokodon = prev.libsForQt5.callPackage ./tokodon { };
   # kaiteki = prev.kaiteki;
   # TODO: upstream, or delete nabla
   nabla = prev.callPackage ./nabla { };

pkgs/sane-scripts/default.nix

@@ -20,11 +20,13 @@ resholve.mkDerivation {
       inputs = with pkgs; [
         coreutils
         curl
+        duplicity
         file
         findutils
         gnugrep
         gocryptfs
         ifuse
+        inetutils
         inotify-tools
         ncurses
         oath-toolkit
@@ -38,6 +40,7 @@ resholve.mkDerivation {
         which
       ];
       keep = {
+        "/run/secrets/duplicity_passphrase" = true;
         # we write here: keep it
         "/tmp/rmlint.sh" = true;
         # intentionally escapes (into user code)
@@ -57,6 +60,7 @@ resholve.mkDerivation {
 
       # list of programs which *can* or *cannot* exec their arguments
       execer = with pkgs; [
+        "cannot:${duplicity}/bin/duplicity"
         "cannot:${gocryptfs}/bin/gocryptfs"
         "cannot:${ifuse}/bin/ifuse"
         "cannot:${oath-toolkit}/bin/oathtool"

pkgs/sane-scripts/src/sane-backup-ls

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# N.B. must be run as root
+
+set -ex
+
+# source the URL; hack to satisfy resholve
+external_cmd="source /run/secrets/duplicity_passphrase"
+$external_cmd
+duplicity list-current-files --archive-dir /var/lib/duplicity $DUPLICITY_URL

pkgs/sane-scripts/src/sane-backup-restore

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# N.B. must be run as root
+
+set -ex
+
+dest_path="$1"
+source_path="$2"
+
+# source the URL; hack to satisfy resholve
+external_cmd="source /run/secrets/duplicity_passphrase"
+$external_cmd
+duplicity restore --archive-dir /var/lib/duplicity --file-to-restore "$source_path" $DUPLICITY_URL "$dest_path"

pkgs/sane-scripts/src/sane-find-dotfiles

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# find where a package stores its dotfiles/dotdir
+# e.g. `sane-find-dotfiles foo` might print `/home/colin/.foo`, `/home/colin/.local/share/foo`, etc.
+
+find ~/ -maxdepth 1 -iname "*$1*" -print
+find ~/.local/share/*/ -maxdepth 1 -iname "*$1*" -print
+find ~/.config/*/ -maxdepth 1 -iname "*$1*" -print
+find ~/.cache/*/ -maxdepth 1 -iname "*$1*" -print
+

pkgs/sane-scripts/src/sane-private-lock

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+sudo umount /home/colin/private

pkgs/sane-scripts/src/sane-rcp

@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 # copy some remote file(s) to the working directory, with sane defaults
-rsync -arv --progress "$@" .
+rsync -arv --progress --append-verify "$@" .

pkgs/sane-scripts/src/sane-reboot

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+target="$1"
+host="$(hostname)"
+if [ "$host" = "$target" ]
+then
+  sudo reboot now
+else
+  echo "WRONG MACHINE. you're on $host."
+  exit 1
+fi
+

pkgs/tokodon/default.nix

@@ -0,0 +1,70 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, extra-cmake-modules
+, kconfig
+, kdbusaddons
+, ki18n
+, kirigami2
+, kitemmodels
+, knotifications
+, libwebsockets
+, pimcommon
+, pkg-config
+, qqc2-desktop-style
+, qtbase
+, qtkeychain
+, qtmultimedia
+, qtquickcontrols2
+, qttools
+, qtwebsockets
+, wrapQtAppsHook
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tokodon";
+  version = "22.09";
+
+  src = fetchFromGitHub {
+    owner = "KDE";
+    repo = pname;
+    # rev = "f919a7ae62dec665646d2ff3ca02e2e256b7a8a9";
+    # sha256 = "sha256-HVDM93nJTs7uTWs1n0t7UUtXQW6jFfoImaDxbTmlc0A=";
+    rev = "v${version}";
+    sha256 = "sha256-wHE8HPnjXd+5UG5WEMd7+m1hu2G3XHq/eVQNznvS/zc=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    extra-cmake-modules
+    pkg-config
+    wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    kconfig
+    kdbusaddons
+    ki18n
+    kirigami2
+    kitemmodels
+    knotifications
+    pimcommon
+    qqc2-desktop-style
+    qtbase
+    qtkeychain
+    qtmultimedia
+    qtquickcontrols2
+    qttools
+    qtwebsockets
+  ];
+
+  meta = with lib; {
+    description = "A Mastodon client for Plasma and Plasma Mobile";
+    homepage = src.meta.homepage;
+    license = licenses.gpl3Plus;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ matthiasbeyer ];
+  };
+}
+

readme.md

@@ -4,6 +4,12 @@ to deploy:
 nixos-rebuild --flake "./#servo" {build,switch}
 ```
 
+if the target is the same as the host, nix will grab the hostname automatically:
+
+```sh
+nixos-rebuild --flake . {build,switch}
+```
+
 more options (like building packages defined in this repo):
 
 ```sh
@@ -45,3 +51,16 @@ to build a package for another platform:
 ```sh
 nix build ./#packages.aarch64-linux.nixpkgs.ubootRaspberryPi4_64bit
 ```
+
+## using this repo in your own config
+
+i try to ensure everything in the `modules/` directory is hidden behind some enable flag or other.
+it should be possible to copy that whole directory into your own config, and then selectively
+populate what you want (like the impermenance paths, etc).
+more practically, a lot of things in there still assume a user named `colin`, so you'll probably
+want to patch it for your name -- or just use it as a reference.
+
+## contact
+
+if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc,
+you can reach me via any method listed [here](https://uninsane.org/about).

secrets/desko.yaml

@@ -1,4 +1,4 @@
-duplicity_passphrase: ENC[AES256_GCM,data:rzUfcxe5YPloOrqgVwdCjsccexWc5RvmFf1i3Xs459iVTfWHlVJeT/IqReY6ZqdAkPJteTtrUZzak2GXyRUkE13+W0kE8isnDjPX/YDQwoK2sa+dwc4xGTekboc0gf6HH3vQpF1aiJDBfb3GtGyDVLH9MVIRPJGXSztZBduUDezA2wAx2wI=,iv:EHJg8kE/07v+ySSFDtW4FA4y1y/+fcGxfNCWoainwBI=,tag:S3ecM4DbDl8jqXLRKipZmQ==,type:str]
+duplicity_passphrase: ENC[AES256_GCM,data:+UXXMiMNR3r3xvIzQVctDnFpVElx9xYOQBQsWHSZKlCDZs/Jlte48IPp3bc1u+bx1U9y5Frm5QiZYo/gAksRCjFcOTE6pc/bIREyAqB59psp5Ijhg59ToVBl3cm0II55rIDqDcBbHV2UUIvbbKn4/FBnY9y8uW8X383cHvpDPqxiPOTa,iv:eDkE+NmM2kKG4wr9sLM5IXlmlkNUaHNyE3r9rY/uayI=,tag:n9QmRFvmKv8H3gi8OAQdcw==,type:str]
 #ENC[AES256_GCM,data:yU9cr6MXjS4m69BeIUjUw477wt4c1djYof3Qlfr4Dytv8hWqCuqThDwQTMY5jfHdv5ipS0aEjf7GWu2M2t9W88fYdxnTN2m8IfYZp76YcjxO4fup5BXiLGIjnm+qI0g=,iv:nPo8FyGiyLRQozE4kZ6Rei6CObvbVynOs3jdMvdkpZw=,tag:+4esxPiewSsjwao6ZhAMxA==,type:comment]
 nix_serve_privkey: ENC[AES256_GCM,data:/Ph9J00cV7PcfpJw/NWcBpkQR+a0SQyHv1jmF4CkH+Uj8l+cRcXWynAc2APenMSfHdighXMqjsXuwRbGo0S57YuMXQjFbI8jhbXEhhAWlmET1q7uRaaZRSgq34qABw==,iv:LLYgLauPsD+3mx1GTjEUkiXgdWsnqixCJl4UfSdS5Ac=,tag:S7V6GKezS/JsbZVfq9DjjA==,type:str]
 colin-passwd: ENC[AES256_GCM,data:/b+l5zTlOhdoiFaMVG5HB98AOGfGZtwkH+IS/mhDgHNZ4J+t3OiEBAFPl/KPctg6ZM55QiAjNnnJ8zAsKL85om6amvrWF/Qz17qC9+pZF+6Ef8xvTQr3VPlFEYq4rGb74jQ7uyvtCjn0Ow==,iv:Z0qUimlPQMu6rsjn5b/Xfw99NzbXGS8B/hNWE+f+GoM=,tag:uGB1DZzHiLCkOtlAA58mmg==,type:str]
@@ -35,8 +35,8 @@ sops:
             Si9kT0ZMUnJJWlhUZ3FFakZFaDlPdEEKXtWfh6wdGPin1h/UUs21cdspddpW1YDq
             rCKS2DI2KWdgciih9FnmWGAwGUhB3uhimUr6hgho4z+dZfLrpoP1PA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-24T08:49:49Z"
-    mac: ENC[AES256_GCM,data:dvxYlU/btzzH9Qor8z02kdv3S4gFUGHnEjV/XBM99+IFuAD6vuE8zFL4peGW1GiXqM2QQY0Qc9wZ+nC5/ak9ROMC8uZPXF417gs6U9yyT92FRlMSdC0AMsUhNGWjJlM733hI4YATnR+1XuwHewzzW1R3TvrouBZqSv+2rBsiZCw=,iv:A+D7IG4U+EQ6nP4xKOK1ExeZLeERpiSPzj/g87R1SdM=,tag:jSVGDO9kNxXdDSSixDrkDQ==,type:str]
+    lastmodified: "2022-11-16T03:02:28Z"
+    mac: ENC[AES256_GCM,data:EFeon4GvDEFVTJh9IR0dd8S/vVeWlMuEe9rUcL6FDYLsfm5qFb5rhsCDY/rQNanNsTcsDLK3oOXoBXP168fzwHotdjoNNyiCYAFDigVqKPt4dk9vnzH91ccyu6NUhlFlKzuDHwXkWbNJA7pNyMD3w4NKt7HbLu+r1YxOAaytWzM=,iv:xrllCUns1WY/gCuHKmZtUr5/piE4OBKHrmiewBbVBH4=,tag:8JWLLZqLFMWcDNgWwJL+Ig==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

secrets/servo.yaml

@@ -1,4 +1,4 @@
-duplicity_passphrase: ENC[AES256_GCM,data:WAQE+xhfRg+4N9Q1P9U8Lt7sVwpcEZFPJzyHIA+FIcCcZZhv+QmvCT/eTRtAOIFvII5l9f0A4GRnSEagalyaZgTgq7t8qOhvvB+s8cIj7prM1psnKstpx3+BxsinGOsZcPqbBxph9gdGuIVP3qH7pYAT+6GMPLnxW21s0r26mZFZM8Mu15VGyuvTz2Pknw==,iv:hu+6w6TWQensA4y5wBz1vPgw8YlBk5TuxEm2rRjV6Ao=,tag:UJ2joJZNxr/+O5y0dx6q9g==,type:str]
+duplicity_passphrase: ENC[AES256_GCM,data:LgPORB0HhIAfpJdQrwjS+/TWdOeddQ2YNYqfRbWhhuNlImuOlniPzrPaaFv+Mfght7OHs7rnuVr3tOHfeIEBo9S2z05ABOulttHEyeuyJZPE1/0t8IBz2gcNNWs4nhCYbVX3y/rSAG8bhz1Vdb2B/MiCicfJEZAqpXkRilQELXTR5cF5NnmEcR7zOso=,iv:NvwZhBbkYnTDt3izwwQPj4U4XAmiOD5Dv3sF50JA97o=,tag:HSJ5xr/WXn6MQdyV8QYWYw==,type:str]
 ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU3TQcHJutz9lCl0wBdWs+FybY0sZcnaH0=,tag:7O6EIob2/if1fcVDVEkVzQ==,type:str]
 #ENC[AES256_GCM,data:LMfqz2Rih6CR7RcCbA==,iv:MQ7z93Mhus2Z2q7HZMk4BzkkY/apBIR+9hIiZlknolc=,tag:HU5McecdYk12I3AcvVHEBw==,type:comment]
 #ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment]
@@ -56,8 +56,8 @@ sops:
             cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
             aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-14T00:37:52Z"
-    mac: ENC[AES256_GCM,data:qKr1aKWxuJWwjUYX+JWAdwHFAwApHm9hOYBgZxAIXbXHhOo04K1MFBDTsAvtvN1a11QtCJYDNuVNpuRu3bf/5Ji5ROTaKfQCgPk+ZScJuWpLsxchYV+TnlREwQI+qgvogyMKMlPInozgd7RNnsePdg7DtYFfGMAvUtX9OidxAXI=,iv:EAkNQkIqoXtRy+uSb7ccl9T5b6hiyRll/m76nhir9AI=,tag:kCDEBJDW34VgLQPd4V+uYA==,type:str]
+    lastmodified: "2022-11-16T03:02:50Z"
+    mac: ENC[AES256_GCM,data:0/lDp6jWueeF4TPfB5rSoEzEF8QVw815DYEHRRea+SrYXGHJT80eK5sqUz00m6adG8aaSlNMAD8d2/nClar6VJKKOHdY+oN8hLztxNGQraMo107d8XOMMycj9vA4IGkCbnlng0cZTB2jsPV6Mfkmf5v+PN4N9F0bQ9W50V1Pf40=,iv:slFJjjlyCyk8aAwfRbiZ/2SKLmUGZE4OvpfrrvSJw3g=,tag:X+057fZLJnDW7CAka8+pCw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3