moby: upgrade kernel 6.0.2 -> 6.1.0-rc7

it doesn't support arm

hosts/moby/default.nix

@@ -26,6 +26,7 @@
   # usability compromises
   sane.impermanence.home-dirs = [
     config.sane.web-browser.dotDir
+    ".config/pulse"  # persist pulseaudio volume
   ];
 
   # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging

hosts/servo/services/ejabberd.nix

@@ -1,5 +1,7 @@
 # docs:
 # - <https://docs.ejabberd.im/admin/configuration/basic>
+# example configs:
+# - 2013: <https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example>
 { lib, ... }:
 
 # XXX disabled: fails to start because of `mnesia_tm` dependency
@@ -33,16 +35,50 @@
 
     pam_userinfotype: jid
 
+    # docs: <https://docs.ejabberd.im/admin/configuration/basic/#shaper-rules>
+    shaper_rules:
+      max_s2s_connections: 3
+      max_user_offline_messages: 5000
+      c2s_shaper:
+        fast: all
+      s2s_shaper:
+        med: all
+
+    # docs: <https://docs.ejabberd.im/admin/configuration/basic/#shapers>
+    # this limits the bytes/sec.
+    # for example, burst: 3_000_000 and rate: 100_000 means:
+    # - each client has a BW budget that accumulates 100kB/sec and is capped at 3 MB
+    shaper:
+      fast: 1000000
+      med:   500000
+    #   fast:
+    #     - rate:        1000000
+    #     - burst_size: 10000000
+    #   med:
+    #     - rate:         500000
+    #     - burst_size:  5000000
+
     # see: <https://docs.ejabberd.im/admin/configuration/listen/>
     # TODO: host web admin panel
+    s2s_use_starttls: true
     listen:
       -
         port: 5222
         module: ejabberd_c2s
+        shaper: c2s_shaper
         starttls: true
       -
         port: 5269
         module: ejabberd_s2s_in
-        starttls: true
+        shaper: s2s_shaper
+      -
+        port: 5280
+        module: ejabberd_http
+        request_handlers:
+          /admin: ejabberd_web_admin
+          /api: mod_http_api
+          /bosh: mod_bosh
+          /upload: mod_http_upload
+          /ws: ejabberd_http_ws
   '';
 }

hosts/servo/services/ipfs.nix

@@ -6,7 +6,9 @@
 # - number of open peer connections:
 #   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ swarm peers | wc -l
 
-{ ... }:
+{ lib, ... }:
+
+lib.mkIf false # i don't actively use ipfs anymore
 {
   sane.impermanence.service-dirs = [
     # TODO: mode? could be more granular

hosts/servo/services/nginx.nix

@@ -31,6 +31,7 @@ in
   # sets gzip_comp_level = 5
   services.nginx.recommendedGzipSettings = true;
   # enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
+  # - doesn't seem to, actually: <https://www.ssllabs.com/ssltest/analyze.html?d=uninsane.org>
   # caches TLS sessions for 10m
   services.nginx.recommendedTlsSettings = true;
   # enables sendfile, tcp_nopush, tcp_nodelay, keepalive_timeout 65
@@ -45,6 +46,8 @@ in
     forceSSL = true;
     enableACME = true;
     inherit kTLS;
+    # for OCSP stapling
+    sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
 
     # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
     # yes, nginx does not strip the prefix when evaluating against the root.
@@ -299,8 +302,6 @@ in
     enableACME = true;
     inherit kTLS;
 
-    default = true;
-
     locations."/" = {
       proxyPass = "http://127.0.0.1:8080";
       extraConfig = ''
@@ -333,6 +334,26 @@ in
     '';
   };
 
+  # serve any site not listed above, if it's static.
+  # because we define it dynamically, SSL isn't trivial. support only http
+  # documented <https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name>
+  services.nginx.virtualHosts."~^(?<domain>.+)$" = {
+    default = true;
+    addSSL = true;
+    enableACME = false;
+    sslCertificate = "/var/www/certs/wildcard/cert.pem";
+    sslCertificateKey = "/var/www/certs/wildcard/key.pem";
+    # sslCertificate = "/var/lib/acme/.minica/cert.pem";
+    # sslCertificateKey = "/var/lib/acme/.minica/key.pem";
+    # serverName = null;
+    locations."/" = {
+      # somehow this doesn't escape -- i get error 400 if i:
+      # curl 'http://..' --resolve '..:80:127.0.0.1'
+      root = "/var/www/sites/$domain";
+      # tryFiles = "$domain/$uri $domain/$uri/ =404";
+    };
+  };
+
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "admin.acme@uninsane.org";
 
@@ -341,5 +362,22 @@ in
   sane.impermanence.service-dirs = [
     # TODO: mode?
     { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
+    { user = "colin"; group = "users"; directory = "/var/www/sites"; }
   ];
+
+  # create a self-signed SSL certificate for use with literally any domain.
+  # browsers will reject this, but proxies and local testing tools can be configured
+  # to accept it.
+  system.activationScripts.generate-x509-self-signed.text = ''
+    mkdir -p /var/www/certs/wildcard
+    test -f /var/www/certs/wildcard/key.pem || ${pkgs.openssl}/bin/openssl \
+      req -x509 -newkey rsa:4096 \
+      -keyout /var/www/certs/wildcard/key.pem \
+      -out /var/www/certs/wildcard/cert.pem \
+      -sha256 -nodes -days 3650 \
+      -addext 'subjectAltName=DNS:*' \
+      -subj '/CN=self-signed'
+    chmod 640 /var/www/certs/wildcard/{key,cert}.pem
+    chown root:nginx /var/www/certs/wildcard /var/www/certs/wildcard/{key,cert}.pem
+  '';
 }

modules/home-manager/feeds.nix

@@ -97,6 +97,7 @@ in rec {
     (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
     (mkText "https://www.jefftk.com/news.rss" // tech // daily)
+    (mkText "https://pomeroyb.com/feed.xml" // tech // infrequent)
 
     # (TECH; POL) COMMENTATORS
     (mkSubstack "edwardsnowden" // pol // infrequent)
@@ -114,6 +115,7 @@ in rec {
     (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
     ## Matt Levine
     (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
+    (mkText "https://stpeter.im/atom.xml" // pol // weekly)
 
     # RATIONALITY/PHILOSOPHY/ETC
     (mkSubstack "samkriss" // humor // infrequent)

modules/home-manager/firefox.nix

@@ -51,11 +51,11 @@ let
         fixedExtid = pkg.extid;
       };
     in [
-      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-C+VQyaJ8BA0ErXGVTdnppJZ6J9SP+izf6RFxdS4VJoU=")
-      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-au5GGn22n4i6VrdOKqNMOrWdMoVCcpLdjO2wwRvyx7E=")
-      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-m14onUlnpLDPHezA/soKygcc76tF1fLG52tM/LkbAXQ=")
+      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-+xc4lcdsOwXxMsr4enFsdePbIb6GHq0bFLpqvH5xXos=")
+      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-30F8oDIgshXVY7YKgnfoc1tUTHfgeFbzXISJuVJs0AM=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-aDBRpcOeMyROnXjmveHKm9zsPC+LzXCG0uhAqI1EWf0=")
       (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
-      (addon "ether-metamask" "webextension@metamask.io" "sha256-dnpwKpNF0KgHMAlz5btkkZySjMsnrXECS35ClkD2XHc=")
+      (addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")
       # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
       (localAddon pkgs.browserpass-extension)
     ];

modules/home-manager/neovim.nix

@@ -33,15 +33,6 @@ lib.mkIf config.sane.home-manager.enable
           " autocmd Syntax tex set conceallevel=2
         '';
       })
-      # nabla renders inline math in any document, but it's buggy.
-      #   https://github.com/jbyuki/nabla.nvim
-      # ({
-      #   plugin = pkgs.nabla;
-      #   type = "lua";
-      #   config = ''
-      #     require'nabla'.enable_virt()
-      #   '';
-      # })
       # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
       # docs: https://github.com/nvim-treesitter/nvim-treesitter
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix

modules/packages.nix

@@ -127,7 +127,8 @@ let
     # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
     # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
     #   possible to pass config as a CLI arg (sublime-music -c config.json)
-    { pkg = sublime-music; dir = ".local/share/sublime-music"; }
+    # { pkg = sublime-music; dir = ".local/share/sublime-music"; }
+    { pkg = sublime-music-mobile; dir = ".local/share/sublime-music"; }
     tdesktop  # broken on phosh
 
     { pkg = tokodon; dir = ".cache/KDE/tokodon"; }
@@ -152,6 +153,7 @@ let
 
     # kaiteki  # Pleroma client
     # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+    gpt2tc
 
     logseq
     losslesscut-bin
@@ -183,6 +185,7 @@ let
     fatresize
     fd
     file
+    gawk
     gptfdisk
     hdparm
     htop
@@ -204,6 +207,7 @@ let
     screen
     smartmontools
     socat
+    strace
     usbutils
     wget
   ];

pkgs/linux-megous/default.nix

@@ -2,11 +2,15 @@
 
 with lib;
 
-buildLinux (args // rec {
-  version = "6.0.2";
+let
+  base = "6.1.0";
+  # set to empty if not a release candidate
+  rc = "-rc7";
+in buildLinux (args // rec {
+  version = base + rc;
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
-  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) + rc else modDirVersionArg;
 
   # branchVersion needs to be x.y
   extraMeta.branch = versions.majorMinor version;
@@ -14,8 +18,7 @@ buildLinux (args // rec {
   src = fetchFromGitHub {
     owner = "megous";
     repo = "linux";
-    # branch: orange-pi-6.0
-    rev = "2683672a2052ffda995bb987fa62a1abe8424ef4";
-    hash = "sha256-hL/SbLgaTk/CqFLFrAK/OV9/OS20O42zJvSScsvWBQk=";
+    rev = "orange-pi-6.1-20221128-1027";
+    hash = "sha256-kEujs4v5rPHPYy4YLyEWHa1Bu0sxoXLgSvmOH9QPWos=";
   };
 } // (args.argsOverride or { }))

pkgs/nabla/default.nix

@@ -1,14 +0,0 @@
-{ pkgs, fetchFromGitHub, ... }:
-
-# buildVimPluginFrom2Nix {
-pkgs.vimUtils.buildVimPlugin {
-  pname = "nabla";
-  version = "2022-08-17";
-  src = fetchFromGitHub {
-    owner = "jbyuki";
-    repo = "nabla.nvim";
-    rev = "5379635d71b9877eaa4df822e8a2a5c575d808b0";
-    sha256 = "sha256-1VabgTnOSsfdhmHnfXl/h9djgNV3Gqro5VOr8ZbUlWw=";
-  };
-  meta.homepage = "https://github.com/jbyuki/nabla.nvim/";
-}

pkgs/overlay.nix

@@ -20,6 +20,8 @@
     ];
   };
 
+  sublime-music-mobile = prev.callPackage ./sublime-music-mobile { };
+
   #### customized packages
   fluffychat-moby = prev.callPackage ./fluffychat-moby { pkgs = prev; };
   gpodder-configured = prev.callPackage ./gpodder-configured { pkgs = prev; };
@@ -44,7 +46,5 @@
   gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
   tokodon = prev.libsForQt5.callPackage ./tokodon { };
   # kaiteki = prev.kaiteki;
-  # TODO: upstream, or delete nabla
-  nabla = prev.callPackage ./nabla { };
 })
 

pkgs/sublime-music-mobile/default.nix

@@ -0,0 +1,186 @@
+# { pkgs
+# , lib
+# , libhandy
+# , ... }:
+# 
+# (pkgs.sublime-music.overrideAttrs (upstream: {
+#   pname = "sublime-music-mobile";
+#   version = "0.11.10";
+#   # <https://gitlab.com/BenjaminSchaaf/sublime-music/-/tree/libhandy>
+#   src = pkgs.fetchFromGitLab {
+#     owner = "BenjaminSchaaf";
+#     repo = "sublime-music";
+#     rev = "4ce2f222f13020574d54110d90839f48d8689b9d";
+#     sha256 = "sha256-V6YyBbPKAfZb5FVOesNcC6TfJbO73WZ4DvlOSWSSZzU=";
+#   };
+# 
+#   buildInputs = upstream.buildInputs ++ [
+#     # requires this PR that adds the drawtab:
+#     # - <https://gitlab.gnome.org/GNOME/libhandy/-/merge_requests/707>
+#     (libhandy.overrideAttrs (superhandy: {
+#       version = "1.5.0";
+#       src = pkgs.fetchFromGitLab {
+#         domain = "gitlab.gnome.org";
+#         owner = "BenjaminSchaaf";
+#         repo = "libhandy";
+#         rev = "0557503278a099c1b9999ceebb7c21fa9c15a3a5";
+#         sha256 = "sha256-MwOnQ2h1ypSvxOSaXDdSFoMKOMr9DonTCMNT796kaQs=";
+#       };
+#       nativeBuildInputs = superhandy.nativeBuildInputs ++ [
+#         pkgs.docbook_xml_dtd_43
+#         pkgs.docbook-xsl-nons
+#         pkgs.gtk-doc
+#       ];
+#     }))
+#   ];
+# 
+#   # i think Benjamin didn't update the tests?
+#   doCheck = false;
+#   doInstallCheck = false;
+# 
+#   meta.description = "A mobile-friendly sublime music fork";
+# }))
+
+{ fetchFromGitLab
+, fetchFromGitea
+, docbook_xml_dtd_43
+, docbook-xsl-nons
+, gtk-doc
+, lib
+, libhandy
+, python3Packages
+, gobject-introspection
+, gtk3
+, pango
+, wrapGAppsHook
+, xvfb-run
+, chromecastSupport ? false
+, serverSupport ? false
+, keyringSupport ? true
+, notifySupport ? true, libnotify
+, networkSupport ? true, networkmanager
+}:
+
+python3Packages.buildPythonApplication rec {
+  pname = "sublime-music-mobile";
+  version = "0.11.16";
+  format = "pyproject";
+
+  # src = fetchFromGitLab {
+  #   owner = "sublime-music";
+  #   repo = pname;
+  #   rev = "v${version}";
+  #   sha256 = "sha256-n77mTgElwwFaX3WQL8tZzbkPwnsyQ08OW9imSOjpBlg=";
+  # };
+  # src = fetchFromGitLab {
+  #   owner = "BenjaminSchaaf";
+  #   repo = "sublime-music";
+  #   rev = "4ce2f222f13020574d54110d90839f48d8689b9d";
+  #   sha256 = "sha256-V6YyBbPKAfZb5FVOesNcC6TfJbO73WZ4DvlOSWSSZzU=";
+  # };
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "sublime-music";
+    rev = "5d8eb1f15c946a43dcf15266ce109f6bec810ce3";
+    sha256 = "sha256-qMCyRNPtmd29dQKKcPi+Jy5gr39crZUBizprdOZlmY4=";
+  };
+
+  nativeBuildInputs = [
+    gobject-introspection
+    python3Packages.poetry-core
+    python3Packages.pythonRelaxDepsHook
+    wrapGAppsHook
+  ];
+
+  # Can be removed in later versions (probably > 0.11.16)
+  pythonRelaxDeps = [
+    "deepdiff"
+    "python-mpv"
+  ];
+
+  buildInputs = [
+    gtk3
+    pango
+    (libhandy.overrideAttrs (superhandy: {
+      version = "1.5.0";
+      src = fetchFromGitLab {
+        domain = "gitlab.gnome.org";
+        owner = "BenjaminSchaaf";
+        repo = "libhandy";
+        rev = "0557503278a099c1b9999ceebb7c21fa9c15a3a5";
+        sha256 = "sha256-MwOnQ2h1ypSvxOSaXDdSFoMKOMr9DonTCMNT796kaQs=";
+      };
+      nativeBuildInputs = superhandy.nativeBuildInputs ++ [
+        docbook_xml_dtd_43
+        docbook-xsl-nons
+        gtk-doc
+      ];
+    }))
+  ]
+   ++ lib.optional notifySupport libnotify
+   ++ lib.optional networkSupport networkmanager
+  ;
+
+  propagatedBuildInputs = with python3Packages; [
+    bleach
+    dataclasses-json
+    deepdiff
+    fuzzywuzzy
+    mpv
+    peewee
+    pygobject3
+    python-Levenshtein
+    python-dateutil
+    requests
+    semver
+  ]
+   ++ lib.optional chromecastSupport PyChromecast
+   ++ lib.optional keyringSupport keyring
+   ++ lib.optional serverSupport bottle
+  ;
+
+  postPatch = ''
+    sed -i "/--cov/d" setup.cfg
+    sed -i "/--no-cov-on-fail/d" setup.cfg
+    substituteInPlace pyproject.toml \
+      --replace 'deepdiff = "^5.8.1"' 'deepdiff = ">=5.8.1"'
+  '';
+
+  # hook for gobject-introspection doesn't like strictDeps
+  # https://github.com/NixOS/nixpkgs/issues/56943
+  strictDeps = false;
+
+  checkInputs = with python3Packages; [
+    pytest
+  ];
+
+  checkPhase = ''
+    ${xvfb-run}/bin/xvfb-run pytest
+  '';
+
+  pythonImportsCheck = [
+    "sublime_music"
+  ];
+
+  # i think Benjamin didn't update the tests?
+  doCheck = false;
+  doInstallCheck = false;
+
+  postInstall = ''
+    install -Dm444 sublime-music.desktop      -t $out/share/applications
+    install -Dm444 sublime-music.metainfo.xml -t $out/share/metainfo
+
+    for size in 16 22 32 48 64 72 96 128 192 512 1024; do
+        install -Dm444 logo/rendered/"$size".png \
+          $out/share/icons/hicolor/"$size"x"$size"/apps/sublime-music.png
+    done
+  '';
+
+  meta = with lib; {
+    description = "GTK3 Subsonic/Airsonic client";
+    homepage = "https://sublimemusic.app/";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ albakham sumnerevans ];
+  };
+}