fix feedsearch-crawler to build outside of overlay

having multiple scopes -- particularly near the toplevel -- was actually just a complication

README.md

@@ -0,0 +1,100 @@
+## What's Here
+
+this is the top-level repo from which i configure/deploy all my NixOS machines:
+- desktop
+- laptop
+- server
+- mobile phone
+
+i enjoy a monorepo approach. this repo references [nixpkgs][nixpkgs], a couple 3rd party
+nix modules like [sops][sops], the sources for [uninsane.org][uninsane-org], and that's
+about it. custom derivations and modules (some of which i try to upstream) live
+directly here; even the sources for those packages is often kept here too.
+
+[nixpkgs]: https://github.com/NixOS/nixpkgs
+[sops]: https://github.com/Mic92/sops-nix
+[uninsane-org]: https://uninsane.org
+
+## Layout
+- `hosts/`
+    - the bulk of config which isn't factored with external use in mind.
+    - that is, if you were to add this repo to a flake.nix for your own use,
+      you won't likely be depending on anything in this directory.
+- `modules/`
+    - config which is gated behind `enable` flags, in similar style to nixpkgs'
+      `nixos/` directory.
+    - if you depend on this repo, it's most likely for something in this directory.
+- `nixpatches/`
+    - literally, diffs i apply atop upstream nixpkgs before performing further eval.
+- `overlays/`
+    - exposed via the `overlays` output in `flake.nix`.
+    - predominantly a list of `callPackage` directives.
+- `pkgs/`
+    - derivations for things not yet packaged in nixpkgs.
+    - derivations for things from nixpkgs which i need to `override` for some reason.
+    - inline code for wholly custom packages (e.g. `pkgs/sane-scripts/` for CLI tools
+      that are highly specific to my setup).
+- `scripts/`
+    - scripts which are referenced by other things in this repo.
+    - these aren't generally user-facing, but they're factored out so that they can
+      be invoked directly when i need to debug.
+- `secrets/`
+    - encrypted keys, API tokens, anything which one or more of my machines needs
+      read access to but shouldn't be world-readable.
+    - not much to see here
+- `templates/`
+    - exposed via the `templates` output in `flake.nix`.
+    - used to instantiate short-lived environments.
+    - used to auto-fill the boiler-plate portions of new packages.
+
+
+## Key Points of Interest
+
+i.e. you might find value in using these in your own config:
+
+- `modules/fs/`
+    - use this to statically define leafs and nodes anywhere in the filesystem,
+      not just inside `/nix/store`.
+    - e.g. specify that `/var/www` should be:
+        - owned by a specific user/group
+        - set to a specific mode
+        - symlinked to some other path
+        - populated with some statically-defined data
+        - populated according to some script
+        - created as a dependency of some service (e.g. `nginx`)
+    - values defined here are applied neither at evaluation time _nor_ at activation time.
+        - rather, they become systemd services.
+        - systemd manages dependencies
+        - e.g. link `/var/www -> /mnt/my-drive/www` only _after_ `/mnt/my-drive/www` appears)
+    - this is akin to using [Home Manager's][home-manager] file API -- the part which lets you
+      statically define `~/.config` files -- just with a different philosophy.
+- `modules/persist/`
+    - my alternative to the Impermanence module.
+    - this builds atop `modules/fs/` to achieve things stock impermanence can't:
+        - persist things to encrypted storage which is unlocked at login time (pam_mount).
+        - "persist" cache directories -- to free up RAM -- but auto-wipe them on mount
+          and encrypt them to ephemeral keys so they're unreadable post shutdown/unmount.
+- `modules/programs.nix`
+    - like nixpkgs' `programs` options, but allows both system-wide or per-user deployment.
+    - allows `fs` and `persist` config values to be gated behind program deployment:
+        - e.g. `/home/<user>/.mozilla/firefox` is persisted only for users who
+          `sane.programs.firefox.enableFor.user."<user>" = true;`
+- `modules/users.nix`
+    - convenience layer atop the above modules so that you can just write
+      `fs.".config/git"` instead of `fs."/home/colin/.config/git"`
+
+some things in here could easily find broader use. if you would find benefit in
+them being factored out of my config, message me and we could work to make that happen.
+
+[home-manager]: https://github.com/nix-community/home-manager
+
+## Using This Repo In Your Own Config
+
+this should be a pretty "standard" flake. just reference it, and import either
+- `nixosModules.sane` (for the modules)
+- `overlays.pkgs` (for the packages)
+
+## Contact
+
+if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc,
+you can reach me via any method listed [here](https://uninsane.org/about).

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "lastModified": 1678901627,
+        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1674880620,
-        "narHash": "sha256-JMALuC7xcoH/T66sKTVLuItHfOJBCWsNKpE49Qrvs80=",
+        "lastModified": 1680563603,
+        "narHash": "sha256-gxSci3NTlzgkAOhaC93Q4lReX/Pjd7++imD85JOAlps=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "7478a9ffad737486951186b66f6c5535dc5802e2",
+        "rev": "4aa0afd84005b79be4d5361b56a60df9e9bd4ea3",
         "type": "github"
       },
       "original": {
@@ -31,30 +31,46 @@
         "type": "github"
       }
     },
+    "nix-serve": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1678202930,
+        "narHash": "sha256-SF82/tTnagdazlETJLzXD9kjZ6lyk38agdLbmMx1UZE=",
+        "owner": "edolstra",
+        "repo": "nix-serve",
+        "rev": "3b6d30016d910a43e0e16f94170440a3e0b8fa8d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "nix-serve",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ]
-      },
       "locked": {
-        "lastModified": 1,
-        "narHash": "sha256-FTUAvxSeQToawyfVP9/S2143D5EgCbk88qI2PePLQQ8=",
-        "path": "/nix/store/s9v0l913m4drrddglbjqa384nxxwhxca-source/nixpatches",
-        "type": "path"
+        "lastModified": 1606086654,
+        "narHash": "sha256-VFl+3eGIMqNp7cyOMJ6TjM/+UcsLKtodKoYexrlTJMI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "19db3e5ea2777daa874563b5986288151f502e27",
+        "type": "github"
       },
       "original": {
-        "path": "/nix/store/s9v0l913m4drrddglbjqa384nxxwhxca-source/nixpatches",
-        "type": "path"
+        "id": "nixpkgs",
+        "ref": "nixos-20.09",
+        "type": "indirect"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1675556398,
-        "narHash": "sha256-5Gf5KlmFXfIGVQb2hmiiE7FQHoLd4UtEhIolLQvNB/A=",
+        "lastModified": 1682173319,
+        "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e32c33811815ca4a535a16faf1c83eeb4493145b",
+        "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
         "type": "github"
       },
       "original": {
@@ -66,16 +82,16 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1675942811,
-        "narHash": "sha256-/v4Z9mJmADTpXrdIlAjFa1e+gkpIIROR670UVDQFwIw=",
+        "lastModified": 1682404149,
+        "narHash": "sha256-vilYNldFXiu56HGD0lPcWsiED7EmjGMViCLZoQsv7Jk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "724bfc0892363087709bd3a5a1666296759154b1",
+        "rev": "d0ea36ece469a71a909ebff90777c2f7a49478bb",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "staging-next",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -83,7 +99,7 @@
     "root": {
       "inputs": {
         "mobile-nixos": "mobile-nixos",
-        "nixpkgs": "nixpkgs",
+        "nix-serve": "nix-serve",
         "nixpkgs-unpatched": "nixpkgs-unpatched",
         "sops-nix": "sops-nix",
         "uninsane-dot-org": "uninsane-dot-org"
@@ -92,16 +108,16 @@
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unpatched"
         ],
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1675872570,
-        "narHash": "sha256-RPH3CeTv7ixC2WcYiKyhmIgoH/9tur4Kr+3Vg/pleQk=",
+        "lastModified": 1682338428,
+        "narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8fec29b009c19538e68d5d814ec74e04f662fbd1",
+        "rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
         "type": "github"
       },
       "original": {
@@ -114,15 +130,15 @@
       "inputs": {
         "flake-utils": "flake-utils",
         "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unpatched"
         ]
       },
       "locked": {
-        "lastModified": 1675131883,
-        "narHash": "sha256-yBgJDG72YqIr1bltasqHD1E/kHc9uRFgDjxDmy6kI8M=",
+        "lastModified": 1682815555,
+        "narHash": "sha256-mu4axnbR6cSgnNBGrSydxmKlKWrnHLKlpNmmbqD2V9E=",
         "ref": "refs/heads/master",
-        "rev": "b099c24091cc192abf3997b94342d4b31cc5757b",
-        "revCount": 170,
+        "rev": "da209f34ce34eb6b8c4d2b3256a02eb23ad9f655",
+        "revCount": 191,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -12,6 +12,11 @@
 # - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
 #   - Discussion: <https://github.com/NixOS/rfcs/pull/49>
 # - <https://serokell.io/blog/practical-nix-flakes>
+#
+#
+# COMMON OPERATIONS:
+# - update a specific flake input:
+#   - `nix flake lock --update-input nixpkgs`
 
 {
   # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
@@ -21,12 +26,27 @@
     # <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
     # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
 
+    # branch workflow:
+    # - daily:
+    #   - nixos-unstable cut from master after enough packages have been built in caches.
+    # - every 6 hours:
+    #   - master auto-merged into staging.
+    #   - staging-next auto-merged into staging.
+    # - manually, approximately once per month:
+    #   - staging-next is cut from staging.
+    #   - staging-next merged into master.
+    #
+    # which branch to source from?
+    # - for everyday development, prefer `nixos-unstable` branch, as it provides good caching.
+    # - if need to test bleeding updates (e.g. if submitting code into staging):
+    #   - use `staging-next` if it's been cut (i.e. if there's an active staging-next -> master PR)
+    #   - use `staging` if no staging-next branch has been cut.
+    #
     # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs = {
-      url = "./nixpatches";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
+    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
+    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging";
+
     mobile-nixos = {
       # <https://github.com/nixos/mobile-nixos>
       url = "github:nixos/mobile-nixos";
@@ -35,24 +55,43 @@
     sops-nix = {
       # <https://github.com/Mic92/sops-nix>
       url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs-unpatched";
     };
     uninsane-dot-org = {
       url = "git+https://git.uninsane.org/colin/uninsane";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs-unpatched";
+    };
+    nix-serve = {
+      # <https://github.com/edolstra/nix-serve>
+      url = "github:edolstra/nix-serve";
     };
   };
 
   outputs = {
     self,
-    nixpkgs,
     nixpkgs-unpatched,
     mobile-nixos,
     sops-nix,
     uninsane-dot-org,
+    nix-serve,
     ...
   }@inputs:
     let
+      inherit (builtins) attrNames elem listToAttrs map mapAttrs;
+      mapAttrs' = f: set:
+        listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
+      # mapAttrs but without the `name` argument
+      mapAttrValues = f: mapAttrs (_: f);
+      # rather than apply our nixpkgs patches as a flake input, do that here instead.
+      # this (temporarily?) resolves the bad UX wherein a subflake residing in the same git
+      # repo as the main flake causes the main flake to have an unstable hash.
+      nixpkgs = (import ./nixpatches/flake.nix).outputs {
+        self = nixpkgs;
+        nixpkgs = nixpkgs-unpatched;
+      };
+
       nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
 
       evalHost = { name, local, target }:
@@ -65,35 +104,58 @@
           nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
         in
           (nixosSystem {
-            # we use pkgs built for and *by* the target, i.e. emulation, by default.
-            # cross compilation only happens on explicit access to `pkgs.cross`
-            system = target;
             modules = [
               (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
               self.nixosModules.default
               self.nixosModules.passthru
               {
                 nixpkgs.overlays = [
-                  self.overlays.default
+                  self.overlays.disable-flakey-tests
                   self.overlays.passthru
                   self.overlays.pins
+                  self.overlays.pkgs
+                  # self.overlays.optimizations
                 ];
+                nixpkgs.hostPlatform = target;
+                # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
+                # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
               }
             ];
           });
     in {
-      nixosConfigurations = {
-        servo = evalHost { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        desko = evalHost { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        lappy = evalHost { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        moby = evalHost { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
-        # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
-        # note that these *do* produce different store paths, because the closure for the tools used to cross compile
-        # v.s. emulate differ.
-        # so deploying foo-cross and then foo incurs some rebuilding.
-        moby-cross = evalHost { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
-        rescue = evalHost { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
-      };
+      nixosConfigurations =
+        let
+          hosts = {
+            servo =  { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+            desko =  { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+            lappy =  { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+            moby  =  { name = "moby";  local = "x86_64-linux"; target = "aarch64-linux"; };
+            rescue = { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+          };
+          # cross-compiled builds: instead of emulating the host, build using a cross-compiler.
+          # - these are faster to *build* than the emulated variants (useful when tweaking packages),
+          # - but fewer of their packages can be found in upstream caches.
+          cross = mapAttrValues evalHost hosts;
+          emulated = mapAttrValues
+            ({name, local, target}: evalHost {
+              inherit name target;
+              local = null;
+            })
+            hosts;
+          prefixAttrs = prefix: attrs: mapAttrs'
+            (name: value: {
+              name = prefix + name;
+              inherit value;
+            })
+            attrs;
+        in
+          (prefixAttrs "cross-" cross) //
+          (prefixAttrs "emulated-" emulated) // {
+            # prefer native builds for these machines:
+            inherit (emulated) servo desko lappy rescue;
+            # prefer cross-compiled builds for these machines:
+            inherit (cross) moby;
+          };
 
       # unofficial output
       # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
@@ -109,27 +171,42 @@
       #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
       #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
       #   - `nixos-rebuild --flake './#<host>' switch`
-      imgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.img) self.nixosConfigurations;
+      imgs = mapAttrValues (host: host.config.system.build.img) self.nixosConfigurations;
 
-      host-pkgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.pkgs) self.nixosConfigurations;
+      # unofficial output
+      host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
 
-      overlays = rec {
-        default = pkgs;
-        pkgs = import ./overlays/pkgs.nix;
-        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
-        passthru =
+      overlays = {
+        # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
+        #   hence the weird redundancy.
+        default = final: prev: self.overlays.pkgs final prev;
+        disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
+        pkgs = final: prev: import ./overlays/pkgs.nix final prev;
+        pins = final: prev: import ./overlays/pins.nix final prev;
+        optimizations = final: prev: import ./overlays/optimizations.nix final prev;
+        passthru = final: prev:
           let
             stable =
               if inputs ? "nixpkgs-stable" then (
-                next: prev: {
-                  stable = inputs.nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+                final': prev': {
+                  stable = inputs.nixpkgs-stable.legacyPackages."${prev'.stdenv.hostPlatform.system}";
                 }
-              ) else (next: prev: {});
+              ) else (final': prev': {});
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlay;
+            # nix-serve' = nix-serve.overlay;
+            nix-serve' = next: prev: {
+              # XXX(2023/03/02): upstream isn't compatible with modern `nix`. probably the perl bindings.
+              # - we use the package built against `nixpkgs` specified in its flake rather than use its overlay,
+              #   to get around this.
+              inherit (nix-serve.packages."${next.system}") nix-serve;
+            };
           in
-            next: prev:
-              (stable next prev) // (mobile next prev) // (uninsane next prev);
+              (stable final prev)
+              // (mobile final prev)
+              // (uninsane final prev)
+              // (nix-serve' final prev)
+            ;
       };
 
       nixosModules = rec {
@@ -153,36 +230,81 @@
           aarch64-linux = allPkgsFor "aarch64-linux";
         };
 
-      # extract only our own packages from the full set
-      packages = builtins.mapAttrs
-        (_: full: full.sane // { inherit (full) sane uninsane-dot-org; })
-        self.legacyPackages;
+      # extract only our own packages from the full set.
+      # because of `nix flake check`, we flatten the package set and only surface x86_64-linux packages.
+      packages = mapAttrs
+        (system: allPkgs:
+          allPkgs.lib.filterAttrs (name: pkg:
+            # keep only packages which will pass `nix flake check`, i.e. keep only:
+            # - derivations (not package sets)
+            # - packages that build for the given platform
+            (! elem name [ "feeds" "pythonPackagesExtensions" ])
+            && (allPkgs.lib.meta.availableOn allPkgs.stdenv.hostPlatform pkg)
+          )
+          (
+            # expose sane packages and chosen inputs (uninsane.org)
+            (import ./pkgs { pkgs = allPkgs; }) // {
+              inherit (allPkgs) uninsane-dot-org;
+            }
+          )
+        )
+        # self.legacyPackages;
+        { inherit (self.legacyPackages) x86_64-linux; }
+      ;
 
       apps."x86_64-linux" =
         let
           pkgs = self.legacyPackages."x86_64-linux";
+          deployScript = action: pkgs.writeShellScript "deploy-moby" ''
+            nixos-rebuild --flake '.#moby' build $@
+            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
+            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby-hn --use-remote-sudo $@
+          '';
         in {
           update-feeds = {
             type = "app";
-            program = "${pkgs.feeds.passthru.updateScript}";
+            program = "${pkgs.feeds.updateScript}";
           };
 
           init-feed = {
             # use like `nix run '.#init-feed' uninsane.org`
             type = "app";
-            program = "${pkgs.feeds.passthru.initFeedScript}";
+            program = "${pkgs.feeds.initFeedScript}";
+          };
+
+          deploy-moby-test = {
+            # `nix run '.#deploy-moby-test'`
+            type = "app";
+            program = ''${deployScript "test"}'';
+          };
+          deploy-moby = {
+            # `nix run '.#deploy-moby-switch'`
+            type = "app";
+            program = ''${deployScript "switch"}'';
           };
         };
 
       templates = {
-        python-data = {
+        env.python-data = {
           # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#python-data'`
+          # - `nix flake init -t '/home/colin/dev/nixos/#env.python-data'`
           # then enter with:
           # - `nix develop`
-          path = ./templates/python-data;
+          path = ./templates/env/python-data;
           description = "python environment for data processing";
         };
+        pkgs.rust-inline = {
+          # initialize with:
+          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.rust-inline'`
+          path = ./templates/pkgs/rust-inline;
+          description = "rust package and development environment (inline rust sources)";
+        };
+        pkgs.rust = {
+          # initialize with:
+          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.rust'`
+          path = ./templates/pkgs/rust;
+          description = "rust package fit to ship in nixpkgs";
+        };
       };
     };
 }

hosts/by-name/desko/default.nix

@@ -4,15 +4,17 @@
     ./fs.nix
   ];
 
+  sane.roles.build-machine.enable = true;
   sane.roles.client = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.services.duplicity.enable = true;
-  sane.services.nixserve.enable = true;
   sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
-  sane.persist.enable = true;
 
   sane.gui.sway.enable = true;
+  sane.programs.iphoneUtils.enableFor.user.colin = true;
+
+  sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

hosts/by-name/lappy/default.nix

@@ -4,17 +4,23 @@
     ./fs.nix
   ];
 
+  sane.yggdrasil.enable = true;
+
   sane.roles.client = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
   # sane.guest.enable = true;
   sane.gui.sway.enable = true;
-  sane.persist.enable = true;
-  sane.nixcache.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  sane.programs.guiApps.suggestedPrograms = [
+    "desktopGuiApps"
+    "stepmania"
+  ];
+  sane.programs.mx-sanebot.enableFor.system = true;  # for the docs
+
   sops.secrets.colin-passwd = {
     sopsFile = ../../../secrets/lappy.yaml;
     neededForUsers = true;

hosts/by-name/moby/default.nix

@@ -10,13 +10,6 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
 
-  # cross-compiled documentation is *slow*.
-  # no obvious way to natively compile docs (2022/09/29).
-  # entrypoint is nixos/modules/misc/documentation.nix
-  # doc building happens in nixos/doc/manual/default.nix
-  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
-  documentation.nixos.enable = false;
-
   # XXX colin: phosh doesn't work well with passwordless login,
   # so set this more reliable default password should anything go wrong
   users.users.colin.initialPassword = "147147";
@@ -41,9 +34,11 @@
     ".config/pulse"  # persist pulseaudio volume
   ];
 
-  sane.nixcache.enable = true;
-  sane.persist.enable = true;
   sane.gui.phosh.enable = true;
+  # sane.programs.consoleUtils.enableFor.user.colin = false;
+  # sane.programs.guiApps.enableFor.user.colin = false;
+  sane.programs.sequoia.enableFor.user.colin = false;
+  sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
 
   boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.

hosts/by-name/moby/kernel.nix

@@ -114,7 +114,7 @@ in
   # - phone rotation sensor is off by 90 degrees
   # - ambient light sensor causes screen brightness to be shakey
   # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
 
   boot.kernelPatches = [
     (patchDefconfig (kernelConfig //

hosts/by-name/rescue/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   imports = [
     ./fs.nix
@@ -7,6 +7,8 @@
   boot.loader.generic-extlinux-compatible.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+  # sane.persist.enable = false;  # TODO: disable (but run `nix flake check` to ensure it works!)
+  sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
 
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";

hosts/by-name/servo/default.nix

@@ -15,7 +15,9 @@
     signaldctl.enableFor.user.colin = true;
   };
 
-  sane.persist.enable = true;
+  sane.roles.build-machine.enable = true;
+  sane.roles.build-machine.emulation = false;
+  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;

hosts/by-name/servo/secrets.nix

@@ -25,6 +25,7 @@
   };
   sops.secrets."mautrix_signal_env" = {
     sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
+    format = "binary";
   };
 
   sops.secrets."mediawiki_pw" = {

hosts/by-name/servo/services/calibre.nix

@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+
+let
+  cweb-cfg = config.services.calibre-web;
+  inherit (cweb-cfg) user group;
+  inherit (cweb-cfg.listen) ip port;
+  svc-dir = "/var/lib/${cweb-cfg.dataDir}";
+in
+# XXX: disabled because of runtime errors like:
+# > File "/nix/store/c7jqvx980nlg9xhxi065cba61r2ain9y-calibre-web-0.6.19/lib/python3.10/site-packages/calibreweb/cps/db.py", line 926, in speaking_language
+# > languages = self.session.query(Languages) \
+# > AttributeError: 'NoneType' object has no attribute 'query'
+lib.mkIf false
+{
+  sane.persist.sys.plaintext = [
+    { inherit user group; mode = "0700"; directory = svc-dir; }
+  ];
+
+  services.calibre-web.enable = true;
+  services.calibre-web.listen.ip = "127.0.0.1";
+  # XXX: externally populate `${svc-dir}/metadata.db` (once) from
+  #   <https://github.com/janeczku/calibre-web/blob/master/library/metadata.db>
+  # i don't know why you have to do this??
+  # services.calibre-web.options.calibreLibrary = svc-dir;
+
+  services.nginx.virtualHosts."calibre.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${ip}:${builtins.toString port}";
+    };
+  };
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."calibre" = "native";
+}

hosts/by-name/servo/services/default.nix

@@ -1,8 +1,10 @@
 { ... }:
 {
   imports = [
+    ./calibre.nix
     ./ddns-afraid.nix
     ./ddns-he.nix
+    ./email
     ./ejabberd.nix
     ./freshrss.nix
     ./gitea.nix
@@ -11,12 +13,13 @@
     ./jackett.nix
     ./jellyfin.nix
     ./kiwix-serve.nix
+    ./komga.nix
+    ./lemmy.nix
     ./matrix
     ./navidrome.nix
     ./nixserve.nix
     ./nginx.nix
     ./pleroma.nix
-    ./postfix.nix
     ./postgres.nix
     ./prosody.nix
     ./transmission.nix

hosts/by-name/servo/services/ejabberd.nix

@@ -38,11 +38,11 @@
   ];
   networking.firewall.allowedTCPPortRanges = [{
     from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
   }];
   networking.firewall.allowedUDPPortRanges = [{
     from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
   }];
 
   # provide access to certs

hosts/by-name/servo/services/email/default.nix

@@ -0,0 +1,37 @@
+# nix configs to reference:
+# - <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver>
+# - <https://github.com/nix-community/nur-combined/-/tree/master/repos/eh5/machines/srv-m/mail-rspamd.nix>
+#   - postfix / dovecot / rspamd / stalwart-jmap / sogo
+#
+# rspamd:
+# - nixos: <https://nixos.wiki/wiki/Rspamd>
+# - guide: <https://rspamd.com/doc/quickstart.html>
+# - non-nixos example: <https://dataswamp.org/~solene/2021-07-13-smtpd-rspamd.html>
+#
+#
+# my rough understanding of the pieces:
+# - postfix handles SMTP protocol with the rest of the world.
+# - dovecot implements IMAP protocol.
+#   - client auth (i.e. validate that user@uninsane.org is who they claim)
+#   - "folders" (INBOX, JUNK) are internal to dovecot?
+#     or where do folders live, on-disk?
+#
+# - non-local clients (i.e. me) interact with BOTH postfix and dovecot, but primarily dovecot:
+#   - mail reading is done via IMAP (so, dovecot)
+#   - mail sending is done via SMTP/submission port (so, postfix)
+#     - but postfix delegates authorization of that outgoing mail to dovecot, on the server side
+#
+# - local clients (i.e. sendmail) interact only with postfix
+
+{ ... }:
+{
+  imports = [
+    ./dovecot.nix
+    ./postfix.nix
+  ];
+
+
+  #### SPAM FILTERING
+  # services.rspamd.enable = true;
+  # services.rspamd.postfix.enable = true;
+}

hosts/by-name/servo/services/email/dovecot.nix

@@ -0,0 +1,135 @@
+# dovecot config options: <https://doc.dovecot.org/configuration_manual/>
+#
+# sieve docs:
+# - sieve language examples: <https://doc.dovecot.org/configuration_manual/sieve/examples/>
+# - sieve protocol/language: <https://proton.me/support/sieve-advanced-custom-filters>
+
+{ config, lib, pkgs, ... }:
+{
+  networking.firewall.allowedTCPPorts = [
+    # exposed over non-vpn imap.uninsane.org
+    143  # IMAP
+    993  # IMAPS
+  ];
+
+  # exists only to manage certs for dovecot
+  services.nginx.virtualHosts."imap.uninsane.org" = {
+    enableACME = true;
+  };
+
+  sane.services.trust-dns.zones."uninsane.org".inet = {
+    CNAME."imap" = "native";
+  };
+
+  sops.secrets."dovecot_passwd" = {
+    owner = config.users.users.dovecot2.name;
+    # TODO: debug why mail can't be sent without this being world-readable
+    mode = "0444";
+  };
+
+  # inspired by https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/
+  services.dovecot2.enable = true;
+  # services.dovecot2.enableLmtp = true;
+  services.dovecot2.sslServerCert = "/var/lib/acme/imap.uninsane.org/fullchain.pem";
+  services.dovecot2.sslServerKey = "/var/lib/acme/imap.uninsane.org/key.pem";
+  services.dovecot2.enablePAM = false;
+
+  # sieve scripts require me to set a user for... idk why?
+  services.dovecot2.mailUser = "colin";
+  services.dovecot2.mailGroup = "users";
+  users.users.colin.isSystemUser = lib.mkForce false;
+
+  services.dovecot2.extraConfig =
+  let
+    passwdFile = config.sops.secrets.dovecot_passwd.path;
+  in
+    ''
+    passdb {
+      driver = passwd-file
+      args = ${passwdFile}
+    }
+    userdb {
+      driver = passwd-file
+      args = ${passwdFile}
+    }
+
+    # allow postfix to query our auth db
+    service auth {
+      unix_listener auth {
+        mode = 0660
+        user = postfix
+        group = postfix
+      }
+    }
+    auth_mechanisms = plain login
+
+    # accept incoming messaging from postfix
+    # service lmtp {
+    #   unix_listener dovecot-lmtp {
+    #     mode = 0600
+    #     user = postfix
+    #     group = postfix
+    #   }
+    # }
+
+    # plugin {
+    #   sieve_plugins = sieve_imapsieve
+    # }
+
+    mail_debug = yes
+    auth_debug = yes
+    # verbose_ssl = yes
+  '';
+
+  services.dovecot2.mailboxes = {
+    # special-purpose mailboxes: "All" "Archive" "Drafts" "Flagged" "Junk" "Sent" "Trash"
+    # RFC6154 describes these special mailboxes: https://www.ietf.org/rfc/rfc6154.html
+    # how these boxes are treated is 100% up to the client and server to decide.
+    # client behavior:
+    # iOS
+    #   - Drafts: ?
+    #   - Sent: works
+    #   - Trash: works
+    #   - Junk: works ("mark" -> "move to Junk")
+    # aerc
+    #   - Drafts: works
+    #   - Sent: works
+    #   - Trash: no; deleted messages are actually deleted
+    #       use `:move trash` instead
+    #   - Junk: ?
+    # Sent mailbox: all sent messages are copied to it. unclear if this happens server-side or client-side.
+    Drafts = { specialUse = "Drafts"; auto = "create"; };
+    Sent = { specialUse = "Sent"; auto = "create"; };
+    Trash = { specialUse = "Trash"; auto = "create"; };
+    Junk = { specialUse = "Junk"; auto = "create"; };
+  };
+
+  services.dovecot2.mailPlugins = {
+    perProtocol = {
+      # imap.enable = [
+      #   "imap_sieve"
+      # ];
+      lda.enable = [
+        "sieve"
+      ];
+      # lmtp.enable = [
+      #   "sieve"
+      # ];
+    };
+  };
+  services.dovecot2.modules = [
+    pkgs.dovecot_pigeonhole  # enables sieve execution (?)
+  ];
+  services.dovecot2.sieveScripts = {
+    # if any messages fail to pass (or lack) DKIM, move them to Junk
+    # XXX the key name ("after") is only used to order sieve execution/ordering
+    after = builtins.toFile "ensuredkim.sieve" ''
+      require "fileinto";
+
+      if not header :contains "Authentication-Results" "dkim=pass" {
+        fileinto "Junk";
+        stop;
+      }
+    '';
+  };
+}

hosts/by-name/servo/services/email/postfix.nix

@@ -1,7 +1,6 @@
-# DOCS:
-# - dovecot config: <https://doc.dovecot.org/configuration_manual/>
+# postfix config options: <https://www.postfix.org/postconf.5.html>
 
-{ config, lib, ... }:
+{ lib, pkgs, ... }:
 
 let
   submissionOptions = {
@@ -30,17 +29,12 @@ in
   ];
 
   networking.firewall.allowedTCPPorts = [
+    # exposed over vpn mx.uninsane.org
     25   # SMTP
-    143  # IMAP
     465  # SMTPS
     587  # SMTPS/submission
-    993  # IMAPS
   ];
 
-  # exists only to manage certs for dovecot
-  services.nginx.virtualHosts."imap.uninsane.org" = {
-    enableACME = true;
-  };
   # exists only to manage certs for Postfix
   services.nginx.virtualHosts."mx.uninsane.org" = {
     enableACME = true;
@@ -51,7 +45,6 @@ in
     MX."@" = "10 mx.uninsane.org.";
     # XXX: RFC's specify that the MX record CANNOT BE A CNAME
     A."mx" = "185.157.162.178";
-    CNAME."imap" = "native";
 
     # Sender Policy Framework:
     #   +mx     => mail passes if it originated from the MX
@@ -62,7 +55,7 @@ in
 
     # DKIM public key:
     TXT."mx._domainkey" =
-      "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
+      "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
     ;
 
     # DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:
@@ -95,18 +88,40 @@ in
     @uninsane.org colin
   '';
 
-  services.postfix.extraConfig = ''
+  services.postfix.config = {
     # smtpd_milters = local:/run/opendkim/opendkim.sock
     # milter docs: http://www.postfix.org/MILTER_README.html
-    # mail filters for receiving email and authorized SMTP clients
+    # mail filters for receiving email and from authorized SMTP clients (i.e. via submission)
     # smtpd_milters = inet:185.157.162.190:8891
-    smtpd_milters = unix:/run/opendkim/opendkim.sock
+    # opendkim.sock will add a Authentication-Results header, with `dkim=pass|fail|...` value to received messages
+    smtpd_milters = "unix:/run/opendkim/opendkim.sock";
     # mail filters for sendmail
-    non_smtpd_milters = $smtpd_milters
-    milter_default_action = accept
-    inet_protocols = ipv4
-    smtp_tls_security_level = may
-  '';
+    non_smtpd_milters = "$smtpd_milters";
+
+    # what to do when a milter exits unexpectedly:
+    milter_default_action = "accept";
+
+    inet_protocols = "ipv4";
+    smtp_tls_security_level = "may";
+
+    # hand received mail over to dovecot so that it can run sieves & such
+    mailbox_command = ''${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"'';
+
+    # hand received mail over to dovecot
+    # virtual_alias_maps = [
+    #   "hash:/etc/postfix/virtual"
+    # ];
+    # mydestination = "";
+    # virtual_mailbox_domains = [ "localhost" "uninsane.org" ];
+    # # virtual_mailbox_maps = "hash:/etc/postfix/virtual";
+    # virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
+
+    # anti-spam options: <https://www.postfix.org/SMTPD_ACCESS_README.html>
+    # reject_unknown_sender_domain: causes postfix to `dig <sender> MX` and make sure that exists.
+    # but may cause problems receiving mail from google & others who load-balance?
+    # - <https://unix.stackexchange.com/questions/592131/how-to-reject-email-from-unknown-domains-with-postfix-on-centos>
+    # smtpd_sender_restrictions = reject_unknown_sender_domain
+  };
 
   services.postfix.enableSubmission = true;
   services.postfix.submissionOptions = submissionOptions;
@@ -121,6 +136,8 @@ in
   };
 
 
+  #### OPENDKIM
+
   services.opendkim.enable = true;
   # services.opendkim.domains = "csl:uninsane.org";
   services.opendkim.domains = "uninsane.org";
@@ -144,59 +161,6 @@ in
     UMask = lib.mkForce "0011";
   };
 
-  # inspired by https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/
-  services.dovecot2.enable = true;
-  services.dovecot2.mailboxes = {
-    # special-purpose mailboxes: "All" "Archive" "Drafts" "Flagged" "Junk" "Sent" "Trash"
-    # RFC6154 describes these special mailboxes: https://www.ietf.org/rfc/rfc6154.html
-    # how these boxes are treated is 100% up to the client and server to decide.
-    # client behavior:
-    # iOS
-    #   - Drafts: ?
-    #   - Sent: works
-    #   - Trash: works
-    # aerc
-    #   - Drafts: works
-    #   - Sent: works
-    #   - Trash: no; deleted messages are actually deleted
-    #       use `:move trash` instead
-    # Sent mailbox: all sent messages are copied to it. unclear if this happens server-side or client-side.
-    Drafts = { specialUse = "Drafts"; auto = "create"; };
-    Sent = { specialUse = "Sent"; auto = "create"; };
-    Trash = { specialUse = "Trash"; auto = "create"; };
-  };
-  services.dovecot2.sslServerCert = "/var/lib/acme/imap.uninsane.org/fullchain.pem";
-  services.dovecot2.sslServerKey = "/var/lib/acme/imap.uninsane.org/key.pem";
-  services.dovecot2.enablePAM = false;
-  services.dovecot2.extraConfig =
-  let
-    passwdFile = config.sops.secrets.dovecot_passwd.path;
-  in
-    ''
-    passdb {
-      driver = passwd-file
-      args = ${passwdFile}
-    }
-    userdb {
-      driver = passwd-file
-      args = ${passwdFile}
-    }
-
-    # allow postfix to query our auth db
-    service auth {
-      unix_listener auth {
-        mode = 0660
-        user = postfix
-        group = postfix
-      }
-    }
-    auth_mechanisms = plain login
-
-
-    mail_debug = yes
-    auth_debug = yes
-    # verbose_ssl = yes
-  '';
 
   #### OUTGOING MESSAGE REWRITING:
   services.postfix.enableHeaderChecks = true;
@@ -218,10 +182,4 @@ in
     #   pattern = "/^Subject:.*activate your account/";
     # }
   ];
-
-  sops.secrets."dovecot_passwd" = {
-    owner = config.users.users.dovecot2.name;
-    # TODO: debug why mail can't be sent without this being world-readable
-    mode = "0444";
-  };
 }

hosts/by-name/servo/services/jellyfin.nix

@@ -1,16 +1,63 @@
+# configuration options (today i don't store my config in nix):
+#
+# - jellyfin-web can be statically configured (result/share/jellyfin-web/config.json)
+#   - <https://jellyfin.org/docs/general/clients/web-config>
+#   - configure server list, plugins, "menuLinks", colors
+#
+# - jellfyin server is configured in /var/lib/jellfin/
+#   - root/default/<LibraryType>/
+#     - <LibraryName>.mblink: contains the directory name where this library lives
+#     - options.xml: contains preferences which were defined in the web UI during import
+#       - e.g. `EnablePhotos`, `EnableChapterImageExtraction`, etc.
+#   - config/encoding.xml: transcoder settings
+#   - config/system.xml: misc preferences like log file duration, audiobook resume settings, etc.
+#   - data/jellyfin.db: maybe account definitions? internal state?
+
 { config, lib, ... }:
 
-# TODO: re-enable after migrating media dir to /var/lib/uninsane/media
-# else it's too spammy
-lib.mkIf false
 {
+  # identical to:
+  # services.jellyfin.openFirewall = true;
   networking.firewall.allowedUDPPorts = [
-    1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
+    # https://jellyfin.org/docs/general/networking/index.html
+    1900  # UPnP service discovery
+    7359  # Jellyfin-specific (?) client discovery
+  ];
+  networking.firewall.allowedTCPPorts = [
+    8096  # HTTP (for the LAN)
+    8920  # HTTPS (for the LAN)
   ];
   sane.persist.sys.plaintext = [
-    # TODO: mode? could be more granular
-    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
+    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; directory = "/var/lib/jellyfin"; }
   ];
+  sane.fs."/var/lib/jellyfin/config/logging.json" = {
+    # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>
+    symlink.text = ''
+      {
+        "Serilog": {
+          "MinimumLevel": {
+            "Default": "Information",
+            "Override": {
+              "Microsoft": "Warning",
+              "System": "Warning",
+              "Emby.Dlna": "Debug",
+              "Emby.Dlna.Eventing": "Debug"
+            }
+          },
+          "WriteTo": [
+            {
+              "Name": "Console",
+              "Args": {
+                "outputTemplate": "[{Timestamp:HH:mm:ss}] [{Level:u3}] [{ThreadId}] {SourceContext}: {Message:lj}{NewLine}{Exception}"
+              }
+            }
+          ],
+          "Enrich": [ "FromLogContext", "WithThreadId" ]
+        }
+      }
+    '';
+    wantedBeforeBy = [ "jellyfin.service" ];
+  };
 
   # Jellyfin multimedia server
   # this is mostly taken from the official jellfin.org docs

hosts/by-name/servo/services/komga.nix

@@ -0,0 +1,22 @@
+{ config, ... }:
+let
+  svc-cfg = config.services.komga;
+  inherit (svc-cfg) user group port stateDir;
+in
+{
+  sane.persist.sys.plaintext = [
+    { inherit user group; mode = "0700"; directory = stateDir; }
+  ];
+
+  services.komga.enable = true;
+  services.komga.port = 11319;  # chosen at random
+
+  services.nginx.virtualHosts."komga.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${builtins.toString port}";
+    };
+  };
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."komga" = "native";
+}

hosts/by-name/servo/services/lemmy.nix

@@ -0,0 +1,60 @@
+{ config, lib, ... }:
+let
+  inherit (builtins) toString;
+  inherit (lib) mkForce;
+  uiPort = 1234;  # default ui port is 1234
+  backendPort = 8536; # default backend port is 8536
+  # - i guess the "backend" port is used for federation?
+in {
+  services.lemmy = {
+    enable = true;
+    settings.hostname = "lemmy.uninsane.org";
+    settings.options.federation.enabled = true;
+    settings.options.port = backendPort;
+    # settings.database.host = "localhost";
+    ui.port = uiPort;
+    database.createLocally = true;
+  };
+
+  systemd.services.lemmy.serviceConfig = {
+    # fix to use a normal user so we can configure perms correctly
+    DynamicUser = mkForce false;
+    User = "lemmy";
+    Group = "lemmy";
+    Environment = [ "RUST_BACKTRACE=full" ];
+  };
+  users.groups.lemmy = {};
+  users.users.lemmy = {
+    group = "lemmy";
+    isSystemUser = true;
+  };
+
+  services.nginx.virtualHosts."lemmy.uninsane.org" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = let
+      ui = "http://127.0.0.1:${toString uiPort}";
+      backend = "http://127.0.0.1:${toString backendPort}";
+    in {
+      # see <LemmyNet/lemmy:docker/federation/nginx.conf>
+      "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = {
+        extraConfig = ''
+          set $proxpass ${ui};
+          if ($http_accept = "application/activity+json") {
+            set $proxpass ${backend};
+          }
+          if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+            set $proxpass ${backend};
+          }
+
+          # Cuts off the trailing slash on URLs to make them valid
+          rewrite ^(.+)/+$ $1 permanent;
+        '';
+        proxyPass = "$proxpass";
+      };
+      "/".proxyPass = ui;
+    };
+  };
+
+  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";
+}

hosts/by-name/servo/services/matrix/default.nix

@@ -5,13 +5,10 @@
 {
   imports = [
     ./discord-puppet.nix
-    # ./irc.nix
+    ./irc.nix
     ./signal.nix
   ];
 
-  # allow synapse to read the registration files of its appservices
-  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
-
   sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
   ];

hosts/by-name/servo/services/matrix/irc-no-reveal-bridge.patch

@@ -0,0 +1,13 @@
+diff --git a/src/irc/ConnectionInstance.ts b/src/irc/ConnectionInstance.ts
+index 688036ca..3373fa27 100644
+--- a/src/irc/ConnectionInstance.ts
++++ b/src/irc/ConnectionInstance.ts
+@@ -149,7 +149,7 @@ export class ConnectionInstance {
+         if (this.dead) {
+             return Promise.resolve();
+         }
+-        ircReason = ircReason || reason;
++        ircReason = "bye"; // don't reveal through the IRC quit message that we're a bridge
+         log.info(
+             "disconnect()ing %s@%s - %s", this.nick, this.domain, reason
+         );

hosts/by-name/servo/services/matrix/irc-no-reveal-mxid.patch

@@ -0,0 +1,50 @@
+diff --git a/config.schema.yml b/config.schema.yml
+index 2e71c8d6..42ba8ba1 100644
+--- a/config.schema.yml
++++ b/config.schema.yml
+@@ -433,7 +433,7 @@ properties:
+                                     type: "boolean"
+                                 realnameFormat:
+                                     type: "string"
+-                                    enum: ["mxid","reverse-mxid"]
++                                    enum: ["mxid","reverse-mxid","localpart"]
+                                 ipv6:
+                                     type: "object"
+                                     properties:
+diff --git a/src/irc/IdentGenerator.ts b/src/irc/IdentGenerator.ts
+index 7a2b5cf1..50f7815a 100644
+--- a/src/irc/IdentGenerator.ts
++++ b/src/irc/IdentGenerator.ts
+@@ -74,6 +74,9 @@ export class IdentGenerator {
+         else if (server.getRealNameFormat() === "reverse-mxid") {
+             realname = IdentGenerator.sanitiseRealname(IdentGenerator.switchAroundMxid(matrixUser));
+         }
++        else if (server.getRealNameFormat() == "localpart") {
++            realname = IdentGenerator.sanitiseRealname(matrixUser.localpart);
++        }
+         else {
+             throw Error('Invalid value for realNameFormat');
+         }
+diff --git a/src/irc/IrcServer.ts b/src/irc/IrcServer.ts
+index 2af73ab4..895b9783 100644
+--- a/src/irc/IrcServer.ts
++++ b/src/irc/IrcServer.ts
+@@ -101,7 +101,7 @@ export interface IrcServerConfig {
+         };
+         lineLimit: number;
+         userModes?: string;
+-        realnameFormat?: "mxid"|"reverse-mxid";
++        realnameFormat?: "mxid"|"reverse-mxid"|"localpart";
+         pingTimeoutMs: number;
+         pingRateMs: number;
+         kickOn: {
+@@ -289,7 +289,7 @@ export class IrcServer {
+         return this.config.ircClients.userModes || "";
+     }
+ 
+-    public getRealNameFormat(): "mxid"|"reverse-mxid" {
++    public getRealNameFormat(): "mxid"|"reverse-mxid"|"localpart" {
+         return this.config.ircClients.realnameFormat || "mxid";
+     }
+ 
+

hosts/by-name/servo/services/matrix/irc.nix

@@ -1,21 +1,120 @@
+# config docs:
+# - <https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml>
+# TODO: /quit message for bridged users reveals to IRC users that i'm using a bridge;
+#       probably want to remove that.
 { config, lib, ... }:
 
+let
+  ircServer = { name, additionalAddresses ? [], sasl ? true }: let
+    lowerName = lib.toLower name;
+  in {
+    # XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
+    inherit name additionalAddresses sasl;
+    port = 6697;
+    ssl = true;
+    botConfig = {
+      # bot has no presence in IRC channel; only real Matrix users
+      enabled = false;
+      # this is the IRC username/nickname *of the bot* (not visible in channels): not of the end-user.
+      # the irc username/nick of a mapped Matrix user is determined further down in `ircClients` section.
+      # if `enabled` is false, then this name probably never shows up on the IRC side (?)
+      nick = "uninsane";
+      username = "uninsane";
+      joinChannelsIfNoUsers = false;
+    };
+    dynamicChannels = {
+      enabled = true;
+      aliasTemplate = "#irc_${lowerName}_$CHANNEL";
+      published = false;  # false => irc rooms aren't listed in homeserver public rooms list
+      federate = false;  # false => Matrix users from other homeservers can't join IRC channels
+    };
+    ircClients = {
+      nickTemplate = "$LOCALPARTsane";  # @colin:uninsane.org (Matrix) -> colinsane (IRC)
+      realnameFormat = "reverse-mxid";  # @colin:uninsane.org (Matrix) -> org.uninsane:colin (IRC)
+      # realnameFormat = "localpart";  # @colin:uninsane.org (Matrix) -> colin (IRC)  -- but requires the mxid patch below
+      # by default, Matrix will convert messages greater than (3) lines into a pastebin-like URL to send to IRC.
+      lineLimit = 20;
+      # Rizon in particular allows only 4 connections from one IP before a 30min ban.
+      # that's effectively reduced to 2 during a netsplit, or maybe during a restart.
+      #   - https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
+      # especially, misconfigurations elsewhere in this config may cause hundreds of connections
+      # so this is a safeguard.
+      maxClients = 2;
+      # don't have the bridge disconnect me from IRC when idle.
+      idleTimeout = 0;
+      concurrentReconnectLimit = 2;
+      reconnectIntervalMs = 60000;
+      kickOn = {
+        # remove Matrix user from room when...
+        channelJoinFailure = false;
+        ircConnectionFailure = false;
+        userQuit = true;
+      };
+    };
+    matrixClients = {
+      userTemplate = "@irc_${lowerName}_$NICK";  # the :uninsane.org part is appended automatically
+    };
+
+    # this will let this user message the appservice with `!join #<IRCChannel>` and the rest "Just Works"
+    "@colin:uninsane.org" = "admin";
+
+    membershipLists = {
+      enabled = true;
+      global = {
+        ircToMatrix = {
+          initial = true;
+          incremental = true;
+          requireMatrixJoined = false;
+        };
+        matrixToIrc = {
+          initial = true;
+          incremental = true;
+        };
+      };
+      ignoreIdleUsersOnStartup = {
+        enabled = false;  # false => always bridge users, even if idle
+      };
+    };
+    # sync room description?
+    bridgeInfoState = {
+      enabled = true;
+      initial = true;
+    };
+
+    # for per-user IRC password:
+    # - invite @irc_${lowerName}_NickServ:uninsane.org to a DM and type `help`  => register
+    # - invite the matrix-appservice-irc user to a DM and type `!help`   => add PW to database
+    # to validate that i'm authenticated on the IRC network, DM @irc_${lowerName}_NickServ:uninsane.org:
+    # - send: `STATUS colinsane`
+    # - response should be `3`: "user recognized as owner via password identification"
+    # passwordEncryptionKeyPath = "/path/to/privkey";  # appservice will generate its own if unspecified
+  };
+in
 {
+
+  nixpkgs.overlays = [
+    (next: prev: {
+      matrix-appservice-irc = prev.matrix-appservice-irc.overrideAttrs (super: {
+        patches = super.patches or [] ++ [
+          ./irc-no-reveal-bridge.patch
+          # ./irc-no-reveal-mxid.patch
+        ];
+      });
+    })
+  ];
+
   sane.persist.sys.plaintext = [
     # TODO: mode?
-    # user and group are both "matrix-appservice-irc"
-    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
+    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; directory = "/var/lib/matrix-appservice-irc"; }
   ];
 
   services.matrix-synapse.settings.app_service_config_files = [
     "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
   ];
 
-  # note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
   # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
   services.matrix-appservice-irc.enable = true;
   services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
-  # settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
   services.matrix-appservice-irc.settings = {
     homeserver = {
       url = "http://127.0.0.1:8008";
@@ -28,68 +127,11 @@
 
     ircService = {
       servers = {
-        "irc.rizon.net" = {
-          name = "Rizon";
-          port = 6697;  # SSL port
-          ssl = true;
-          sasl = true;  # appservice doesn't support NickServ identification
-          botConfig = {
-            # bot has no presence in IRC channel; only real Matrix users
-            enabled = false;
-            # nick = "UninsaneDotOrg";
-            nick = "uninsane";
-            username = "uninsane";
-          };
-          dynamicChannels = {
-            enabled = true;
-            aliasTemplate = "#irc_rizon_$CHANNEL";
-          };
-          ircClients = {
-            nickTemplate = "$LOCALPARTsane";
-            # by default, Matrix will convert messages greater than (3) lines into a pastebin-like URL to send to IRC.
-            lineLimit = 20;
-          };
-          matrixClients = {
-            userTemplate = "@irc_rizon_$NICK";  # the :uninsane.org part is appended automatically
-          };
-
-          # this will let this user message the appservice with `!join #<IRCChannel>` and the rest "Just Works"
-          "@colin:uninsane.org" = "admin";
-
-          membershipLists = {
-            enabled = true;
-            global = {
-              ircToMatrix = {
-                initial = true;
-                incremental = true;
-                requireMatrixJoined = false;
-              };
-              matrixToIrc = {
-                initial = true;
-                incremental = true;
-              };
-            };
-          };
-          # sync room description?
-          bridgeInfoState = {
-            enabled = true;
-            initial = true;
-          };
-
-          # hardcoded mappings, for when dynamicChannels fails us. TODO: probably safe to remove these.
-          # mappings = {
-          #   "#chat" = {
-          #     roomIds = [ "!GXJSOTdbtxRboGtDep:uninsane.org" ];
-          #   };
-          #   # BakaBT requires account registration, which i think means my user needs to be added before the appservice user
-          #   "#BakaBT" = {
-          #     roomIds = [ "!feZKttuYuHilqPFSkD:uninsane.org" ];
-          #   };
-          # };
-          # for per-user IRC password:
-          #   invite @irc_rizon_NickServ:uninsane.org to a DM and type `help`  => register
-          #   invite the matrix-appservice-irc user to a DM and type `!help`   => add PW to database
-          # passwordEncryptionKeyPath = "/path/to/privkey";  # appservice will generate its own if unspecified
+        "irc.rizon.net" = ircServer { name = "Rizon"; };
+        "irc.myanonamouse.net" = ircServer {
+          name = "MyAnonamouse";
+          additionalAddresses = [ "irc2.myanonamouse.net" ];
+          sasl = false;
         };
       };
     };

hosts/by-name/servo/services/matrix/signal.nix

@@ -7,6 +7,9 @@
     { user = "signald"; group = "signald"; directory = "/var/lib/signald"; }
   ];
 
+  # allow synapse to read the registration file
+  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
+
   services.signald.enable = true;
   services.mautrix-signal.enable = true;
   services.mautrix-signal.environmentFile =
@@ -27,7 +30,6 @@
   };
 
   sops.secrets."mautrix_signal_env" = {
-    format = "binary";
     mode = "0440";
     owner = config.users.users.mautrix-signal.name;
     group = config.users.users.matrix-synapse.name;

hosts/by-name/servo/services/trust-dns.nix

@@ -6,7 +6,7 @@
   sane.services.trust-dns.listenAddrsIPv4 = [
     # specify each address explicitly, instead of using "*".
     # this ensures responses are sent from the address at which the request was received.
-    "192.168.0.5"
+    config.sane.hosts.by-name."servo".lan-ip
     "10.0.1.5"
   ];
   sane.services.trust-dns.quiet = true;

hosts/common/cross.nix

@@ -1,22 +0,0 @@
-{ config, ... }:
-
-let
-  mkCrossFrom = localSystem: pkgs: import pkgs.path {
-    inherit localSystem;
-    crossSystem = pkgs.stdenv.hostPlatform.system;
-    inherit (config.nixpkgs) config overlays;
-  };
-in
-{
-  # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
-  # here we just define them all.
-  nixpkgs.overlays = [
-    (next: prev: {
-      # non-emulated packages build *from* local *for* target.
-      # for large packages like the linux kernel which are expensive to build under emulation,
-      # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
-      crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" next;
-      crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" next;
-    })
-  ];
-}

hosts/common/cross/kitty-no-docs.patch

@@ -0,0 +1,22 @@
+diff --git a/setup.py b/setup.py
+index 2b9d240e..770bc5e7 100755
+--- a/setup.py
++++ b/setup.py
+@@ -1092,11 +1092,12 @@ def c(base_path: str, **kw: object) -> None:
+ 
+ 
+ def create_linux_bundle_gunk(ddir: str, libdir_name: str) -> None:
+-    if not os.path.exists('docs/_build/html'):
+-        make = 'gmake' if is_freebsd else 'make'
+-        run_tool([make, 'docs'])
+-    copy_man_pages(ddir)
+-    copy_html_docs(ddir)
++    if not os.getenv('KITTY_NO_DOCS'):
++        if not os.path.exists('docs/_build/html'):
++            make = 'gmake' if is_freebsd else 'make'
++            run_tool([make, 'docs'])
++        copy_man_pages(ddir)
++        copy_html_docs(ddir)
+     for (icdir, ext) in {'256x256': 'png', 'scalable': 'svg'}.items():
+         icdir = os.path.join(ddir, 'share', 'icons', 'hicolor', icdir, 'apps')
+         safe_makedirs(icdir)

hosts/common/default.nix

@@ -1,7 +1,7 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
   imports = [
-    ./cross.nix
+    ./cross
     ./feeds.nix
     ./fs.nix
     ./hardware.nix
@@ -11,7 +11,7 @@
     ./machine-id.nix
     ./net.nix
     ./persist.nix
-    ./programs.nix
+    ./programs
     ./secrets.nix
     ./ssh.nix
     ./users.nix
@@ -19,8 +19,10 @@
   ];
 
   sane.nixcache.enable-trusted-keys = true;
-  sane.programs.sysadminUtils.enableFor.system = true;
-  sane.programs.consoleUtils.enableFor.user.colin = true;
+  sane.nixcache.enable = lib.mkDefault true;
+  sane.persist.enable = lib.mkDefault true;
+  sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
+  sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
 
   # some services which use private directories error if the parent (/var/lib/private) isn't 700.
   sane.fs."/var/lib/private".dir.acl.mode = "0700";
@@ -31,6 +33,7 @@
   time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
 
   # allow `nix flake ...` command
+  # TODO: is this still required?
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
@@ -39,19 +42,37 @@
     "nixpkgs=${pkgs.path}"
     "nixpkgs-overlays=${../..}/overlays"
   ];
+  # hardlinks identical files in the nix store to save 25-35% disk space.
+  # unclear _when_ this occurs. it's not a service.
+  # does the daemon continually scan the nix store?
+  # does the builder use some content-addressed db to efficiently dedupe?
+  nix.settings.auto-optimise-store = true;
 
   fonts = {
     enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
+    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
     fontconfig.enable = true;
     fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
+      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
       monospace = [ "Hack" ];
       serif = [ "DejaVu Serif" ];
       sansSerif = [ "DejaVu Sans" ];
     };
   };
 
+  # XXX: twitter-color-emoji doesn't cross-compile; but not-fonts-emoji does
+  # fonts = {
+  #   enableDefaultFonts = true;
+  #   fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
+  #   fontconfig.enable = true;
+  #   fontconfig.defaultFonts = {
+  #     emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
+  #     monospace = [ "Hack" ];
+  #     serif = [ "DejaVu Serif" ];
+  #     sansSerif = [ "DejaVu Sans" ];
+  #   };
+  # };
+
   # disable non-required packages like nano, perl, rsync, strace
   environment.defaultPackages = [];
 

hosts/common/feeds.nix

@@ -1,3 +1,9 @@
+# candidates:
+# - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
+#   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
+# - <https://www.metaculus.com/questions/11102/introducing-the-metaculus-journal-podcast/>
+#   - dead since 2022/10 - 2023/03
+
 { lib, sane-data, ... }:
 let
   hourly = { freq = "hourly"; };
@@ -50,18 +56,29 @@ let
     (fromDb "lexfridman.com/podcast" // rat)
     ## Astral Codex Ten
     (fromDb "sscpodcast.libsyn.com" // rat)
+    ## Less Wrong Curated
+    (fromDb "feeds.libsyn.com/421877" // rat)
     ## Econ Talk
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
     ## Cory Doctorow -- both podcast & text entries
     (fromDb "craphound.com" // pol)
+    ## Maggie Killjoy -- referenced by Cory Doctorow
+    (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)
     (fromDb "congressionaldish.libsyn.com" // pol)
+    (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
     ## Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
     ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
     (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
+    ## Daniel Huberman on sleep
+    (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)
+    ## Multidisciplinary Association for Psychedelic Studies
+    (fromDb "mapspodcast.libsyn.com" // uncat)
     (fromDb "allinchamathjason.libsyn.com" // pol)
     (fromDb "acquired.libsyn.com" // tech)
+    ## ACQ2 - more "Acquired" episodes
+    (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)
     # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
     (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
     ## The Daily
@@ -90,13 +107,18 @@ let
     (fromDb "seattlenice.buzzsprout.com" // pol)
     ## Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
     (fromDb "talesfromthebridge.buzzsprout.com" // tech)
+    ## UnNamed Reverse Engineering Podcast
+    (fromDb "reverseengineering.libsyn.com/rss" // tech)
+    ## The Witch Trials of J.K. Rowling
+    ## - <https://www.thefp.com/witchtrials>
+    (mkPod "https://feeds.megaphone.fm/RUNMED9919162779" // pol // infrequent)
   ];
 
   texts = [
     # AGGREGATORS (> 1 post/day)
     (fromDb "lwn.net" // tech)
     (fromDb "lesswrong.com" // rat)
-    (fromDb "econlib.org" // pol)
+    # (fromDb "econlib.org" // pol)
 
     # AGGREGATORS (< 1 post/day)
     (fromDb "palladiummag.com" // uncat)
@@ -104,6 +126,10 @@ let
     (fromDb "semiaccurate.com" // tech)
     (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
     (fromDb "spectrum.ieee.org" // tech)
+    (fromDb "thisweek.gnome.org" // tech)
+    # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
+    (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)
+    (mkText "https://nixos.org/blog/stories-rss.xml" // tech // weekly)
     ## n.b.: quality RSS list here: <https://forum.merveilles.town/thread/57/share-your-rss-feeds%21-6/>
     (mkText "https://forum.merveilles.town/rss.xml" // pol // infrequent)
 
@@ -111,7 +137,10 @@ let
     (fromDb "rifters.com/crawl" // uncat)
 
     # DEVELOPERS
+    (fromDb "blog.jmp.chat" // tech)
     (fromDb "uninsane.org" // tech)
+    (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
+    (fromDb "xn--gckvb8fzb.com" // tech)
     (fromDb "mg.lol" // tech)
     (fromDb "drewdevault.com" // tech)
     ## Ken Shirriff
@@ -131,6 +160,10 @@ let
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
     (fromDb "jefftk.com" // tech)
     (fromDb "pomeroyb.com" // tech)
+    (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
+
+    # TECH PROJECTS
+    (fromDb "blog.rust-lang.org" // tech)
 
     # (TECH; POL) COMMENTATORS
     ## Matt Webb -- engineering-ish, but dreamy
@@ -147,7 +180,8 @@ let
     (fromDb "lynalden.com" // pol)
     (fromDb "austinvernon.site" // tech)
     (mkSubstack "oversharing" // pol // daily)
-    (mkSubstack "doomberg" // tech // weekly)
+    (mkSubstack "byrnehobart" // pol // infrequent)
+    # (mkSubstack "doomberg" // tech // weekly)  # articles are all pay-walled
     ## David Rosenthal
     (fromDb "blog.dshr.org" // pol)
     ## Matt Levine
@@ -177,6 +211,9 @@ let
     ## mostly dating topics. not advice, or humor, but looking through a social lens
     (fromDb "putanumonit.com" // rat)
 
+    # LOCAL
+    (fromDb "capitolhillseattle.com" // pol)
+
     # CODE
     # (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
   ];
@@ -186,6 +223,7 @@ let
     (fromDb "xkcd.com" // img // humor)
     (fromDb "pbfcomics.com" // img // humor)
     # (mkImg "http://dilbert.com/feed" // humor // daily)
+    (fromDb "poorlydrawnlines.com/feed" // img // humor)
 
     # ART
     (fromDb "miniature-calendar.com" // img // art // daily)

hosts/common/home/aerc.nix

@@ -1,11 +0,0 @@
-# Terminal UI mail client
-{ config, sane-lib, ... }:
-
-{
-  sops.secrets."aerc_accounts" = {
-    owner = config.users.users.colin.name;
-    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
-    format = "binary";
-  };
-  sane.user.fs.".config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
-}

hosts/common/home/default.nix

@@ -1,23 +1,9 @@
 { ... }:
 {
   imports = [
-    ./aerc.nix
-    ./firefox.nix
-    ./gfeeds.nix
-    ./git.nix
-    ./gpodder.nix
     ./keyring.nix
-    ./kitty.nix
-    ./libreoffice.nix
     ./mime.nix
-    ./mpv.nix
-    ./neovim.nix
-    ./newsflash.nix
-    ./splatmoji.nix
     ./ssh.nix
-    ./sublime-music.nix
-    ./vlc.nix
     ./xdg-dirs.nix
-    ./zsh
   ];
 }

hosts/common/home/mpv.nix

@@ -1,10 +0,0 @@
-{ sane-lib, ... }:
-
-{
-  # format is <key>=%<length>%<value>
-  sane.user.fs.".config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
-    save-position-on-quit=%3%yes
-    keep-open=%3%yes
-  '';
-}
-

hosts/common/home/newsflash.nix

@@ -1,12 +0,0 @@
-# news-flash RSS viewer
-{ config, sane-lib, ... }:
-
-let
-  feeds = sane-lib.feeds;
-  all-feeds = config.sane.feeds;
-  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
-in {
-  sane.user.fs.".config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
-    feeds.feedsToOpml wanted-feeds
-  );
-}

hosts/common/home/splatmoji.nix

@@ -1,19 +0,0 @@
-# borrows from:
-# - default config: <https://github.com/cspeterson/splatmoji/blob/master/splatmoji.config>
-# - wayland: <https://github.com/cspeterson/splatmoji/issues/32#issuecomment-830862566>
-{ pkgs, sane-lib, ... }:
-
-{
-  sane.user.persist.plaintext = [ ".local/state/splatmoji" ];
-  sane.user.fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
-    history_file=~/.local/state/splatmoji/history
-    history_length=5
-    # TODO: wayland equiv
-    paste_command=xdotool key ctrl+v
-    # rofi_command=${pkgs.wofi}/bin/wofi --dmenu --insensitive --cache-file /dev/null
-    rofi_command=${pkgs.fuzzel}/bin/fuzzel -d -i -w 60
-    xdotool_command=${pkgs.wtype}/bin/wtype
-    # TODO: wayland equiv
-    xsel_command=xsel -b -i
-  '';
-}

hosts/common/home/ssh.nix

@@ -3,7 +3,8 @@
 with lib;
 let
   host = config.networking.hostName;
-  user-pubkey = config.sane.ssh.pubkeys."colin@${host}".asUserKey;
+  user-pubkey-full = config.sane.ssh.pubkeys."colin@${host}" or {};
+  user-pubkey = user-pubkey-full.asUserKey or null;
   host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
   known-hosts-text = concatStringsSep
     "\n"
@@ -13,7 +14,8 @@ in
 {
   # ssh key is stored in private storage
   sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.user.fs.".ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+  sane.user.fs.".ssh/id_ed25519.pub" =
+    mkIf (user-pubkey != null) (sane-lib.fs.wantedText user-pubkey);
   sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
 
   users.users.colin.openssh.authorizedKeys.keys =

hosts/common/home/sublime-music.nix

@@ -1,11 +0,0 @@
-{ config, sane-lib, ... }:
-
-{
-  # TODO: this should only be shipped on gui platforms
-  sops.secrets."sublime_music_config" = {
-    owner = config.users.users.colin.name;
-    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
-    format = "binary";
-  };
-  sane.user.fs.".config/sublime-music/config.json" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.sublime_music_config.path;
-}

hosts/common/home/vlc.nix

@@ -1,20 +0,0 @@
-{ config, lib, sane-lib, ... }:
-
-let
-  feeds = sane-lib.feeds;
-  all-feeds = config.sane.feeds;
-  wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
-  podcast-urls = lib.concatStringsSep "|" (
-    builtins.map (feed: feed.url) wanted-feeds
-  );
-in
-{
-  sane.user.fs.".config/vlc/vlcrc" = sane-lib.fs.wantedText ''
-    [podcast]
-    podcast-urls=${podcast-urls}
-    [core]
-    metadata-network-access=0
-    [qt]
-    qt-privacy-ask=0
-  '';
-}

hosts/common/home/zsh/default.nix

@@ -1,143 +0,0 @@
-{ pkgs, sane-lib, ... }:
-
-let
-  # powerlevel10k prompt config
-  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
-  p10k-overrides = ''
-    # powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
-    # this keeps open file handles for any git repo i touch for 60 minutes (by default).
-    # that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
-    # i can disable gitstatusd and get slower fallback git queries:
-    # - either universally
-    # - or selectively by path
-    # see: <https://github.com/romkatv/powerlevel10k/issues/246>
-    typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
-    # typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
-
-    # show user@host also when logged into the current machine.
-    # default behavior is to show it only over ssh.
-    typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
-  '';
-
-  prezto-init = ''
-    source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
-    source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
-    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
-  '';
-in
-{
-  sane.user.persist.plaintext = [
-    # we don't need to full zsh dir -- just the history file --
-    # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
-    # TODO: should be private?
-    ".local/share/zsh"
-    # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
-    ".cache/gitstatus"
-  ];
-
-  # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
-  sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
-
-  # enable zsh completions
-  environment.pathsToLink = [ "/share/zsh" ];
-
-  programs.zsh = {
-    enable = true;
-    histFile = "$HOME/.local/share/zsh/history";
-    shellAliases = {
-      ":q" = "exit";
-      # common typos
-      "cd.." = "cd ..";
-      "cd../" = "cd ../";
-    };
-    setOptions = [
-      # defaults:
-      "HIST_IGNORE_DUPS"
-      "SHARE_HISTORY"
-      "HIST_FCNTL_LOCK"
-      # disable `rm *` confirmations
-      "rmstarsilent"
-    ];
-
-    # .zshenv config:
-    shellInit = ''
-      ZDOTDIR=$HOME/.config/zsh
-    '';
-
-    # .zshrc config:
-    interactiveShellInit =
-      (builtins.readFile ./p10k.zsh)
-    + p10k-overrides
-    + prezto-init
-    + ''
-      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
-      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
-      autoload -Uz zmv
-
-      HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *)'
-
-      # extra aliases
-      # TODO: move to `shellAliases` config?
-      function nd() {
-        mkdir -p "$1";
-        pushd "$1";
-      }
-
-      # auto-cd into any of these dirs by typing them and pressing 'enter':
-      hash -d 3rd="/home/colin/dev/3rd"
-      hash -d dev="/home/colin/dev"
-      hash -d knowledge="/home/colin/knowledge"
-      hash -d nixos="/home/colin/nixos"
-      hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
-      hash -d ref="/home/colin/ref"
-      hash -d secrets="/home/colin/knowledge/secrets"
-      hash -d tmp="/home/colin/tmp"
-      hash -d uninsane="/home/colin/dev/uninsane"
-      hash -d Videos="/home/colin/Videos"
-    '';
-
-    syntaxHighlighting.enable = true;
-    vteIntegration = true;
-  };
-
-  # enable a command-not-found hook to show nix packages that might provide the binary typed.
-  programs.nix-index.enable = true;
-  programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
-
-  # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
-  # see: https://github.com/sorin-ionescu/prezto
-  # i believe this file is auto-sourced by the prezto init.zsh script.
-  sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
-    zstyle ':prezto:*:*' color 'yes'
-
-    # modules (they ship with prezto):
-    # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
-    # TERMINAL: auto-titles terminal (e.g. based on cwd)
-    # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
-    # HISTORY: `history-stat` alias, setopts for good history defaults
-    # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
-    # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
-    # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
-    #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
-    # COMPLETION: tab completion. requires `utility` module prior to loading
-    # TODO: enable AUTO_PARAM_SLASH
-    zstyle ':prezto:load' pmodule \
-      'environment' \
-      'terminal' \
-      'editor' \
-      'history' \
-      'directory' \
-      'spectrum' \
-      'utility' \
-      'completion' \
-      'prompt'
-
-    # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
-    zstyle ':prezto:module:editor' key-bindings 'emacs'
-
-    zstyle ':prezto:module:prompt' theme 'powerlevel10k'
-
-    # disable `mv` confirmation (and `rm`, too, unfortunately)
-    zstyle ':prezto:module:utility' safe-ops 'no'
-  '';
-}

hosts/common/i2p.nix

@@ -1,4 +1,4 @@
 { ... }:
 {
-  # services.i2p.enable = true;
+  services.i2p.enable = true;
 }

hosts/common/ids.nix

@@ -1,4 +1,6 @@
 # TODO: migrate to nixpkgs `config.ids.uids`
+# - note that nixpkgs' `config.ids.uids` is strictly a database: it doesn't set anything by default
+#   whereas our impl sets the gid/uid of the user/group specified if they exist.
 { ... }:
 
 {
@@ -13,6 +15,8 @@
   sane.ids.acme.gid = 996;
   sane.ids.pleroma.uid = 997;
   sane.ids.acme.uid = 998;
+  sane.ids.matrix-appservice-irc.uid = 993;
+  sane.ids.matrix-appservice-irc.gid = 992;
 
   # greetd (used by sway)
   sane.ids.greeter.uid = 999;
@@ -28,6 +32,12 @@
   sane.ids.mautrix-signal.gid = 2404;
   sane.ids.navidrome.uid = 2405;
   sane.ids.navidrome.gid = 2405;
+  sane.ids.calibre-web.uid = 2406;
+  sane.ids.calibre-web.gid = 2406;
+  sane.ids.komga.uid = 2407;
+  sane.ids.komga.gid = 2407;
+  sane.ids.lemmy.uid = 2408;
+  sane.ids.lemmy.gid = 2408;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;
@@ -36,7 +46,7 @@
   sane.ids.sshd.uid = 2001;  # 997
   sane.ids.sshd.gid = 2001;  # 997
   sane.ids.polkituser.gid = 2002;  # 998
-  # sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12: upstream now specifies this as 151
+  sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12-2023/02/28: upstream temporarily specified this as 151
   sane.ids.nscd.uid = 2004;
   sane.ids.nscd.gid = 2004;
   sane.ids.systemd-oom.uid = 2005;

hosts/common/programs/aerc.nix

@@ -0,0 +1,6 @@
+# Terminal UI mail client
+{ config, sane-lib, ... }:
+
+{
+  sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/universal/aerc_accounts.conf.bin;
+}

hosts/common/programs/default.nix

@@ -1,14 +1,27 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   inherit (builtins) attrNames concatLists;
-  inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge optional;
+  inherit (lib) mapAttrs mapAttrsToList mkDefault mkIf mkMerge optional;
+
+  flattenedPkgs = pkgs // (with pkgs; {
+    # XXX can't `inherit` a nested attr, so we move them to the toplevel
+    "cacert.unbundled" = pkgs.cacert.unbundled;
+    "gnome.cheese" = gnome.cheese;
+    "gnome.dconf-editor" = gnome.dconf-editor;
+    "gnome.file-roller" = gnome.file-roller;
+    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
+    "gnome.gnome-maps" = gnome.gnome-maps;
+    "gnome.nautilus" = gnome.nautilus;
+    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
+    "gnome.gnome-terminal" = gnome.gnome-terminal;
+    "gnome.gnome-weather" = gnome.gnome-weather;
+    "gnome.totem" = gnome.totem;
+    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
+  });
 
   sysadminPkgs = {
-    inherit (pkgs // {
-      # XXX can't `inherit` a nested attr, so we move them to the toplevel
-      "cacert.unbundled" = pkgs.cacert.unbundled;
-    })
+    inherit (flattenedPkgs)
       btrfs-progs
       "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
       cryptsetup
@@ -43,46 +56,73 @@ let
       smartmontools
       socat
       strace
+      subversion
       tcpdump
       tree
       usbutils
       wget
     ;
   };
-
-  consolePkgs = {
+  sysadminExtraPkgs = {
+    # application-specific packages
     inherit (pkgs)
       backblaze-b2
+      duplicity
+      sqlite  # to debug sqlite3 databases
+    ;
+  };
+
+  iphonePkgs = {
+    inherit (pkgs)
+      ifuse
+      ipfs
+      libimobiledevice
+    ;
+  };
+
+  tuiPkgs = {
+    inherit (pkgs)
+      aerc  # email client
+      offlineimap  # email mailox sync
+      visidata  # TUI spreadsheet viewer/editor
+      w3m
+    ;
+  };
+
+  # TODO: split these into smaller groups.
+  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy ("powerutils"?)
+  consolePkgs = {
+    inherit (pkgs)
       cdrtools
       dmidecode
-      duplicity
       efivar
       flashrom
       fwupd
-      ghostscript  # TODO: imagemagick wrapper should add gs to PATH
+      gh  # MS GitHub cli
+      git  # needed as a user package, for config.
       gnupg
       gocryptfs
       gopass
       gopass-jsonapi
-      ifuse
       imagemagick
-      ipfs
       kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libimobiledevice
       libsecret  # for managing user keyrings
       lm_sensors  # for sensors-detect
       lshw
       ffmpeg
       memtester
-      networkmanager
+      neovim
+      # nettools
+      # networkmanager
       nixpkgs-review
       # nixos-generators
-      # nettools
       nmon
+      # node2nix
       oathToolkit  # for oathtool
       # ponymix
       pulsemixer
       python3
+      ripgrep  # needed as a user package, for config.
       rsync
       # python3Packages.eyeD3  # music tagging
       sane-scripts
@@ -91,100 +131,92 @@ let
       sops
       sox
       speedtest-cli
-      sqlite  # to debug sqlite3 databases
       ssh-to-age
       sudo
       # tageditor  # music tagging
       unar
-      visidata
-      w3m
       wireguard-tools
+      xdg-utils  # for xdg-open
+      # yarn
       # youtube-dl
       yt-dlp
+      zsh
     ;
   };
 
   guiPkgs = {
-    inherit (pkgs // (with pkgs; {
-      # XXX can't `inherit` a nested attr, so we move them to the toplevel
-      # TODO: could use some "flatten attrs" helper instead
-      "gnome.cheese" = gnome.cheese;
-      "gnome.dconf-editor" = gnome.dconf-editor;
-      "gnome.file-roller" = gnome.file-roller;
-      "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
-      "gnome.gnome-maps" = gnome.gnome-maps;
-      "gnome.nautilus" = gnome.nautilus;
-      "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
-      "gnome.gnome-terminal" = gnome.gnome-terminal;
-      "gnome.gnome-weather" = gnome.gnome-weather;
-      "libsForQt5.plasmatube" = libsForQt5.plasmatube;
-    }))
-      aerc  # email client
-      audacity
+    inherit (flattenedPkgs)
       celluloid  # mpv frontend
-      chromium
       clinfo
-      dino
-      electrum
-      element-desktop
       emote
       evince  # works on phosh
 
-      # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
+      # { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
 
-      foliate  # e-book reader
-      font-manager
+      # foliate  # e-book reader
 
       # XXX by default fractal stores its state in ~/.local/share/<UUID>.
       # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
       # then reboot (so that libsecret daemon re-loads the keyring...?)
-      # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
-      # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
+      # { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
+      # { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
 
-      gajim  # XMPP client
-      gimp  # broken on phosh
-      "gnome.cheese"
+      # "gnome.cheese"
       "gnome.dconf-editor"
       gnome-feeds  # RSS reader (with claimed mobile support)
       "gnome.file-roller"
-      "gnome.gnome-disk-utility"
-      "gnome.gnome-maps"  # works on phosh
+      # "gnome.gnome-maps"  # works on phosh
       "gnome.nautilus"
       # gnome-podcasts
       "gnome.gnome-system-monitor"
-      "gnome.gnome-terminal"  # works on phosh
+      # "gnome.gnome-terminal"  # works on phosh
       "gnome.gnome-weather"
       gpodder-configured
       gthumb
+      jellyfin-media-player
+      # lollypop
+      mpv
+      networkmanagerapplet
+      # newsflash
+      nheko
+      pavucontrol
+      # picard  # music tagging
+      playerctl
+      # "libsForQt5.plasmatube"  # Youtube player
+      soundconverter
+      sublime-music
+      # tdesktop  # broken on phosh
+      # tokodon
+      vlc
+      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
+      # whalebird
+      xterm  # broken on phosh
+    ;
+  };
+  desktopGuiPkgs = {
+    inherit (flattenedPkgs)
+      audacity
+      brave  # for the integrated wallet -- as a backup
+      chromium
+      dino
+      electrum
+      element-desktop
+      font-manager
+      gajim  # XMPP client
+      gimp  # broken on phosh
+      "gnome.gnome-disk-utility"
+      # "gnome.totem"  # video player, supposedly supports UPnP
+      handbrake
+      hase
       inkscape
       kdenlive
       kid3  # audio tagging
       krita
       libreoffice-fresh  # XXX colin: maybe don't want this on mobile
-      lollypop
-      mpv
-      networkmanagerapplet
-      newsflash
-      nheko
+      mumble
       obsidian
-      pavucontrol
-      # picard  # music tagging
-      playerctl
-      "libsForQt5.plasmatube"  # Youtube player
-      soundconverter
-      # sublime music persists any downloaded albums here.
-      # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
-      # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
-      #   possible to pass config as a CLI arg (sublime-music -c config.json)
-      # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
-      sublime-music-mobile
-      tdesktop  # broken on phosh
-      tokodon
-      vlc
-      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
-      # whalebird
-      xdg-utils  # for xdg-open
-      xterm  # broken on phosh
+      slic3r
+      steam
     ;
   };
   x86GuiPkgs = {
@@ -195,9 +227,6 @@ let
       # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
       # gpt2tc  # XXX: unreliable mirror
 
-      # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
-      handbrake
-
       logseq
       losslesscut-bin
       makemkv
@@ -205,38 +234,90 @@ let
       signal-desktop
       spotify
       tor-browser-bundle-bin
+      zeal-qt5  # programming docs viewer. TODO: switch to zeal-qt6
       zecwallet-lite
     ;
   };
 
+  # packages not part of any package set
+  otherPkgs = {
+    inherit (pkgs)
+      mx-sanebot
+      stepmania
+    ;
+  };
+
   # define -- but don't enable -- the packages in some attrset.
-  # use `mkDefault` for the package here so we can customize some of them further down this file
   declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
-    package = mkDefault p;
+    # no need to actually define the package here: it's defaulted
+    # package = mkDefault p;
   }) pkgsAsAttrs;
 in
 {
+
+  imports = [
+    ./aerc.nix
+    ./git.nix
+    ./gnome-feeds.nix
+    ./gpodder.nix
+    ./kitty
+    ./libreoffice.nix
+    ./mpv.nix
+    ./neovim.nix
+    ./newsflash.nix
+    ./offlineimap.nix
+    ./ripgrep.nix
+    ./splatmoji.nix
+    ./sublime-music.nix
+    ./vlc.nix
+    ./web-browser.nix
+    ./zeal.nix
+    ./zsh
+  ];
+
   config = {
     sane.programs = mkMerge [
-      (declarePkgs sysadminPkgs)
       (declarePkgs consolePkgs)
+      (declarePkgs desktopGuiPkgs)
       (declarePkgs guiPkgs)
+      (declarePkgs iphonePkgs)
+      (declarePkgs sysadminPkgs)
+      (declarePkgs sysadminExtraPkgs)
+      (declarePkgs tuiPkgs)
       (declarePkgs x86GuiPkgs)
+      (declarePkgs otherPkgs)
       {
         # link the various package sets into their own meta packages
-        sysadminUtils = {
-          package = null;
-          suggestedPrograms = attrNames sysadminPkgs;
-        };
         consoleUtils = {
           package = null;
           suggestedPrograms = attrNames consolePkgs;
         };
+        desktopGuiApps = {
+          package = null;
+          suggestedPrograms = attrNames desktopGuiPkgs;
+        };
         guiApps = {
           package = null;
           suggestedPrograms = (attrNames guiPkgs)
+            ++ [ "tuiApps" ]
             ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
         };
+        iphoneUtils = {
+          package = null;
+          suggestedPrograms = attrNames iphonePkgs;
+        };
+        sysadminUtils = {
+          package = null;
+          suggestedPrograms = attrNames sysadminPkgs;
+        };
+        sysadminExtraUtils = {
+          package = null;
+          suggestedPrograms = attrNames sysadminExtraPkgs;
+        };
+        tuiApps = {
+          package = null;
+          suggestedPrograms = attrNames tuiPkgs;
+        };
         x86GuiApps = {
           package = null;
           suggestedPrograms = attrNames x86GuiPkgs;
@@ -244,68 +325,75 @@ in
       }
       {
         # nontrivial package definitions
-        imagemagick.package = pkgs.imagemagick.override {
-          ghostscriptSupport = true;
-        };
 
-        dino.private = [ ".local/share/dino" ];
+        dino.persist.private = [ ".local/share/dino" ];
 
         # creds, but also 200 MB of node modules, etc
-        discord = {
-          package = pkgs.discord.override {
-            # XXX 2022-07-31: fix to allow links to open in default web-browser:
-            #   https://github.com/NixOS/nixpkgs/issues/78961
-            nss = pkgs.nss_latest;
-          };
-          private = [ ".config/discord" ];
-        };
+        discord.persist.private = [ ".config/discord" ];
 
         # creds/session keys, etc
-        element-desktop.private = [ ".config/Element" ];
+        element-desktop.persist.private = [ ".config/Element" ];
 
         # `emote` will show a first-run dialog based on what's in this directory.
         # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
         # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
-        emote.dir = [ ".local/share/Emote" ];
+        emote.persist.plaintext = [ ".local/share/Emote" ];
+
+        # MS GitHub stores auth token in .config
+        # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
+        gh.persist.private = [ ".config/gh" ];
+
+        ghostscript = {};  # used by imagemagick
 
         # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
         #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
-        gpodder-configured.dir = [ "gPodder" ];
+        gpodder-configured.persist.plaintext = [ "gPodder" ];
+
+        imagemagick = {
+          package = pkgs.imagemagick.override {
+            ghostscriptSupport = true;
+          };
+          suggestedPrograms = [ "ghostscript" ];
+        };
+
+        # jellyfin stores things in a bunch of directories: this one persists auth info.
+        # it *might* be possible to populate this externally (it's Qt stuff), but likely to
+        # be fragile and take an hour+ to figure out.
+        jellyfin-media-player.persist.plaintext = [ ".local/share/Jellyfin Media Player" ];
 
         # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
         # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
-        monero-gui.dir = [ ".bitmonero" ];
+        monero-gui.persist.plaintext = [ ".bitmonero" ];
 
-        mpv.dir = [ ".config/mpv/watch_later" ];
+        mumble.persist.private = [ ".local/share/Mumble" ];
 
         # not strictly necessary, but allows caching articles; offline use, etc.
-        newsflash.dir = [ ".local/share/news-flash" ];
-        nheko.private = [
+        nheko.persist.private = [
           ".config/nheko"  # config file (including client token)
           ".cache/nheko"  # media cache
           ".local/share/nheko"  # per-account state database
         ];
 
         # settings (electron app)
-        obsidian.dir = [ ".config/obsidian" ];
+        obsidian.persist.plaintext = [ ".config/obsidian" ];
 
         # creds, media
-        signal-desktop.private = [ ".config/Signal" ];
+        signal-desktop.persist.private = [ ".config/Signal" ];
 
+        # printer/filament settings
+        slic3r.persist.plaintext = [ ".Slic3r" ];
 
         # creds, widevine .so download. TODO: could easily manage these statically.
-        spotify.dir = [ ".config/spotify" ];
+        spotify.persist.plaintext = [ ".config/spotify" ];
 
-        # sublime music persists any downloaded albums here.
-        # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
-        # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
-        #   possible to pass config as a CLI arg (sublime-music -c config.json)
-        # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
-        sublime-music-mobile.dir = [ ".local/share/sublime-music" ];
+        steam.persist.plaintext = [
+          ".steam"
+          ".local/share/Steam"
+        ];
 
-        tdesktop.private = [ ".local/share/TelegramDesktop" ];
+        tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
 
-        tokodon.private = [ ".cache/KDE/tokodon" ];
+        tokodon.persist.private = [ ".cache/KDE/tokodon" ];
 
         # hardenedMalloc solves a crash at startup
         # TODO 2023/02/02: is this safe to remove yet?
@@ -313,17 +401,24 @@ in
           useHardenedMalloc = false;
         };
 
-        # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
-        vlc.dir = [ ".config/vlc" ];
+        whalebird.persist.private = [ ".config/Whalebird" ];
 
-        whalebird.private = [ ".config/Whalebird" ];
+        yarn.persist.plaintext = [ ".cache/yarn" ];
 
         # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-        zecwallet-lite.private = [ ".zcash" ];
+        zecwallet-lite.persist.private = [ ".zcash" ];
       }
     ];
 
     # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
     environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
+
+    # steam requires system-level config for e.g. firewall or controller support
+    programs.steam = mkIf config.sane.programs.steam.enabled {
+      enable = true;
+      # not sure if needed: stole this whole snippet from the wiki
+      remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+      dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+    };
   };
 }

hosts/common/programs/git.nix

@@ -4,7 +4,7 @@ let
   mkCfg = lib.generators.toINI { };
 in
 {
-  sane.user.fs.".config/git/config" = sane-lib.fs.wantedText (mkCfg {
+  sane.programs.git.fs.".config/git/config" = sane-lib.fs.wantedText (mkCfg {
     user.name = "Colin";
     user.email = "colin@uninsane.org";
     alias.co = "checkout";

hosts/common/programs/gnome-feeds.nix

@@ -6,7 +6,7 @@ let
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.user.fs.".config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
+  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
     builtins.toJSON {
       # feed format is a map from URL to a dict,
       #   with dict["tags"] a list of string tags.

hosts/common/programs/gpodder.nix

@@ -6,7 +6,7 @@ let
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
 in {
-  sane.user.fs.".config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
+  sane.programs.gpodder.fs.".config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
     feeds.feedsToOpml wanted-feeds
   );
 }

hosts/common/programs/kitty/PaperColor_dark.conf

@@ -0,0 +1,47 @@
+# vim:ft=kitty
+
+## name: PaperColor Dark
+## author: Nikyle Nguyen
+## license: MIT
+## blurb: Dark color scheme inspired by Google's Material Design 
+
+# special
+foreground		#d0d0d0
+background		#1c1c1c
+cursor			#d0d0d0
+cursor_text_color	background
+
+# black
+color0			#1c1c1c
+color8			#585858
+
+# red
+color1			#af005f
+color9			#5faf5f
+
+# green
+# "color2" is the green color used by ls to indicate executability
+#   both as text color
+#   or as bg color when the text is blue (color4)
+color2			#246a28
+color10			#2df200
+
+# yellow
+color3			#d7af5f
+color11			#af87d7
+
+# blue
+color4			#78c6ef
+color12			#ffaf00
+
+# magenta
+color5			#808080
+color13			#ff5faf
+
+# cyan
+color6			#d7875f
+color14			#00afaf
+
+# white
+color7			#d0d0d0
+color15			#5f8787

hosts/common/programs/kitty/default.nix

@@ -1,15 +1,17 @@
 { pkgs, sane-lib, ... }:
 
 {
-  sane.user.fs.".config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
+  sane.programs.kitty.fs.".config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
     # docs: https://sw.kovidgoyal.net/kitty/conf/
     # disable terminal bell (when e.g. you backspace too many times)
     enable_audio_bell no
 
     map ctrl+n new_os_window_with_cwd
-
-    include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
+    include ${./PaperColor_dark.conf}
   '';
+
+  #  include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
+
   # THEME CHOICES:
   #   docs: https://github.com/kovidgoyal/kitty-themes
   # theme = "1984 Light";  # dislike: awful, harsh blues/teals

hosts/common/programs/libreoffice.nix

@@ -2,7 +2,7 @@
 
 {
   # libreoffice: disable first-run stuff
-  sane.user.fs.".config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
+  sane.programs.libreoffice-fresh.fs.".config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
     <?xml version="1.0" encoding="UTF-8"?>
     <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>

hosts/common/programs/mpv.nix

@@ -0,0 +1,13 @@
+{ sane-lib, ... }:
+
+{
+  sane.programs.mpv = {
+    persist.plaintext = [ ".config/mpv/watch_later" ];
+    # format is <key>=%<length>%<value>
+    fs.".config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
+      save-position-on-quit=%3%yes
+      keep-open=%3%yes
+    '';
+  };
+}
+

hosts/common/programs/neovim.nix

@@ -1,8 +1,8 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   inherit (builtins) map;
-  inherit (lib) concatMapStrings optionalString;
+  inherit (lib) concatMapStrings mkIf optionalString;
   # this structure roughly mirrors home-manager's `programs.neovim.plugins` option
   plugins = with pkgs.vimPlugins; [
     # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
@@ -72,9 +72,9 @@ let
 in
 {
   # private because there could be sensitive things in the swap
-  sane.user.persist.private = [ ".cache/vim-swap" ];
+  sane.programs.neovim.persist.private = [ ".cache/vim-swap" ];
 
-  programs.neovim = {
+  programs.neovim = mkIf config.sane.programs.neovim.enabled {
     # neovim: https://github.com/neovim/neovim
     enable = true;
     viAlias = true;

hosts/common/programs/newsflash.nix

@@ -0,0 +1,15 @@
+# news-flash RSS viewer
+{ config, sane-lib, ... }:
+
+let
+  feeds = sane-lib.feeds;
+  all-feeds = config.sane.feeds;
+  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
+in {
+  sane.programs.newsflash = {
+    persist.plaintext = [ ".local/share/news-flash" ];
+    fs.".config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
+      feeds.feedsToOpml wanted-feeds
+    );
+  };
+}

hosts/common/programs/offlineimap.nix

@@ -0,0 +1,12 @@
+# mail archiving/synchronization tool.
+#
+# manually download all emails for an account with
+# - `offlineimap -a <accountname>`
+#
+# view account names inside the secrets file, listed below.
+{ ... }:
+
+{
+  sane.programs.offlineimap.secrets.".config/offlineimap/config" = ../../../secrets/universal/offlineimaprc.bin;
+}
+

hosts/common/programs/ripgrep.nix

@@ -0,0 +1,9 @@
+{ sane-lib, ... }:
+{
+  # .ignore file is read by ripgrep (rg), silver searcher (ag), maybe others.
+  # ignore translation files by default when searching, as they tend to have
+  # a LOT of duplicate text.
+  sane.programs.ripgrep.fs.".ignore" = sane-lib.fs.wantedText ''
+    po/
+  '';
+}

hosts/common/programs/splatmoji.nix

@@ -0,0 +1,22 @@
+# borrows from:
+# - default config: <https://github.com/cspeterson/splatmoji/blob/master/splatmoji.config>
+# - wayland: <https://github.com/cspeterson/splatmoji/issues/32#issuecomment-830862566>
+{ pkgs, sane-lib, ... }:
+
+{
+  sane.programs.splatmoji = {
+    persist.plaintext = [ ".local/state/splatmoji" ];
+    fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
+      # XXX doesn't seem to understand ~ as shorthand for `$HOME`
+      history_file=/home/colin/.local/state/splatmoji/history
+      history_length=5
+      # TODO: wayland equiv
+      paste_command=xdotool key ctrl+v
+      # rofi_command=${pkgs.wofi}/bin/wofi --dmenu --insensitive --cache-file /dev/null
+      rofi_command=${pkgs.fuzzel}/bin/fuzzel -d -i -w 60
+      xdotool_command=${pkgs.wtype}/bin/wtype
+      # TODO: wayland equiv
+      xsel_command=xsel -b -i
+    '';
+  };
+}

hosts/common/programs/sublime-music.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+  sane.programs.sublime-music = {
+    package = pkgs.sublime-music-mobile;
+    # sublime music persists any downloaded albums here.
+    # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
+    # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
+    #   possible to pass config as a CLI arg (sublime-music -c config.json)
+    persist.plaintext = [ ".local/share/sublime-music" ];
+
+    secrets.".config/sublime-music/config.json" = ../../../secrets/universal/sublime_music_config.json.bin;
+  };
+}

hosts/common/programs/vlc.nix

@@ -0,0 +1,24 @@
+{ config, lib, sane-lib, ... }:
+
+let
+  feeds = sane-lib.feeds;
+  all-feeds = config.sane.feeds;
+  wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
+  podcast-urls = lib.concatStringsSep "|" (
+    builtins.map (feed: feed.url) wanted-feeds
+  );
+in
+{
+  sane.programs.vlc = {
+    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
+    persist.plaintext = [ ".config/vlc" ];
+    fs.".config/vlc/vlcrc" = sane-lib.fs.wantedText ''
+      [podcast]
+      podcast-urls=${podcast-urls}
+      [core]
+      metadata-network-access=0
+      [qt]
+      qt-privacy-ask=0
+    '';
+  };
+}

hosts/common/programs/web-browser.nix

@@ -29,8 +29,8 @@ let
     cacheDir = ".cache/mozilla";
     desktop = "firefox.desktop";
   };
-  defaultSettings = firefoxSettings;
-  # defaultSettings = librewolfSettings;
+  # defaultSettings = firefoxSettings;
+  defaultSettings = librewolfSettings;
 
   addon = name: extid: hash: pkgs.fetchFirefoxAddon {
     inherit name hash;
@@ -132,7 +132,7 @@ in
         sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
         sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
         ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
-        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=";
+        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
 
         browserpass-extension.enable = lib.mkDefault true;
         # bypass-paywalls-clean.enable = lib.mkDefault true;
@@ -146,58 +146,61 @@ in
     };
   };
 
-  config = {
-    sane.programs.web-browser = {
-      inherit package;
-      # TODO: define the persistence & fs config here
-    };
-    sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
+  config = mkMerge [
+    ({
+      sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
+      sane.programs.web-browser = {
+        inherit package;
 
-    # uBlock filter list configuration.
-    # specifically, enable the GDPR cookie prompt blocker.
-    # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
-    # this configuration method is documented here:
-    # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
-    # the specific attribute path is found via scraping ublock code here:
-    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
-    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-    sane.user.fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
-      {
-       "name": "uBlock0@raymondhill.net",
-       "description": "ignored",
-       "type": "storage",
-       "data": {
-          "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
-       }
-      }
-    '';
-    sane.user.fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
-      // if we can't query the revocation status of a SSL cert because the issuer is offline,
-      // treat it as unrevoked.
-      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
-      defaultPref("security.OCSP.require", false);
-    '';
-    # flush the cache to disk to avoid it taking up too much tmp
-    sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
-      store = cfg.persistCache;
-    };
+        # uBlock filter list configuration.
+        # specifically, enable the GDPR cookie prompt blocker.
+        # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
+        # this configuration method is documented here:
+        # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
+        # the specific attribute path is found via scraping ublock code here:
+        # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
+        # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
+        fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
+          {
+           "name": "uBlock0@raymondhill.net",
+           "description": "ignored",
+           "type": "storage",
+           "data": {
+              "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
+           }
+          }
+        '';
+        fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
+          // if we can't query the revocation status of a SSL cert because the issuer is offline,
+          // treat it as unrevoked.
+          // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+          defaultPref("security.OCSP.require", false);
+        '';
+        fs."${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
+        # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
+        # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
+        fs."${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
+          [Profile0]
+          Name=default
+          IsRelative=1
+          Path=default
+          Default=1
 
-    sane.user.persist.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
-      store = cfg.persistData;
-    };
-    sane.user.fs."${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
-    # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
-    # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
-    sane.user.fs."${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
-      [Profile0]
-      Name=default
-      IsRelative=1
-      Path=default
-      Default=1
+          [General]
+          StartWithLastProfile=1
+        '';
+      };
+    })
+    (mkIf config.sane.programs.web-browser.enabled {
+      # TODO: move the persistence into the sane.programs API (above)
+      # flush the cache to disk to avoid it taking up too much tmp
+      sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
+        store = cfg.persistCache;
+      };
 
-      [General]
-      StartWithLastProfile=1
-    '';
-
-  };
+      sane.user.persist.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
+        store = cfg.persistData;
+      };
+    })
+  ];
 }

hosts/common/programs/zeal.nix

@@ -0,0 +1,16 @@
+{ config, lib, sane-lib, ... }:
+let
+  inherit (lib) mkIf;
+in {
+  sane.programs.zeal-qt5 = {
+    persist.plaintext = [
+      ".cache/Zeal"
+      ".local/share/Zeal"
+    ];
+    fs.".local/share/Zeal/Zeal/system" = sane-lib.fs.wantedSymlinkTo "/run/current-system/sw/share/docset";
+  };
+
+  environment.pathsToLink = mkIf config.sane.programs.zeal-qt5.enabled [
+    "/share/docset"
+  ];
+}

hosts/common/programs/zsh/default.nix

@@ -0,0 +1,166 @@
+{ config, lib, pkgs, sane-lib, ... }:
+
+let
+  inherit (lib) mkIf mkMerge mkOption types;
+  cfg = config.sane.zsh;
+  # powerlevel10k prompt config
+  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
+  p10k-overrides = ''
+    # powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
+    # this keeps open file handles for any git repo i touch for 60 minutes (by default).
+    # that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
+    # i can disable gitstatusd and get slower fallback git queries:
+    # - either universally
+    # - or selectively by path
+    # see: <https://github.com/romkatv/powerlevel10k/issues/246>
+    typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
+    # typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
+
+    # show user@host also when logged into the current machine.
+    # default behavior is to show it only over ssh.
+    typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
+  '';
+
+  prezto-init = ''
+    source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
+    source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
+  '';
+in
+{
+  options = {
+    sane.zsh = {
+      showDeadlines = mkOption {
+        type = types.bool;
+        default = true;
+        description = "show upcoming deadlines (frommy PKM) upon shell init";
+      };
+    };
+  };
+
+  config = mkMerge [
+    ({
+      sane.programs.zsh = {
+        persist.plaintext = [
+          # we don't need to full zsh dir -- just the history file --
+          # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
+          # TODO: should be private?
+          ".local/share/zsh"
+          # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
+          ".cache/gitstatus"
+        ];
+
+        # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
+        fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
+
+        # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+        # see: https://github.com/sorin-ionescu/prezto
+        # i believe this file is auto-sourced by the prezto init.zsh script.
+        fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
+          zstyle ':prezto:*:*' color 'yes'
+
+          # modules (they ship with prezto):
+          # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
+          # TERMINAL: auto-titles terminal (e.g. based on cwd)
+          # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
+          # HISTORY: `history-stat` alias, setopts for good history defaults
+          # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
+          # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
+          # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
+          #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
+          # COMPLETION: tab completion. requires `utility` module prior to loading
+          # TODO: enable AUTO_PARAM_SLASH
+          zstyle ':prezto:load' pmodule \
+            'environment' \
+            'terminal' \
+            'editor' \
+            'history' \
+            'directory' \
+            'spectrum' \
+            'utility' \
+            'completion' \
+            'prompt'
+
+          # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
+          zstyle ':prezto:module:editor' key-bindings 'emacs'
+
+          zstyle ':prezto:module:prompt' theme 'powerlevel10k'
+
+          # disable `mv` confirmation (and `rm`, too, unfortunately)
+          zstyle ':prezto:module:utility' safe-ops 'no'
+        '';
+      };
+    })
+    (mkIf config.sane.programs.zsh.enabled {
+      # enable zsh completions
+      environment.pathsToLink = [ "/share/zsh" ];
+
+      programs.zsh = {
+        enable = true;
+        histFile = "$HOME/.local/share/zsh/history";
+        shellAliases = {
+          ":q" = "exit";
+          # common typos
+          "cd.." = "cd ..";
+          "cd../" = "cd ../";
+        };
+        setOptions = [
+          # defaults:
+          "HIST_IGNORE_DUPS"
+          "SHARE_HISTORY"
+          "HIST_FCNTL_LOCK"
+          # disable `rm *` confirmations
+          "rmstarsilent"
+        ];
+
+        # .zshenv config:
+        shellInit = ''
+          ZDOTDIR=$HOME/.config/zsh
+        '';
+
+        # .zshrc config:
+        interactiveShellInit =
+          (builtins.readFile ./p10k.zsh)
+        + p10k-overrides
+        + prezto-init
+        + ''
+          # zmv is a way to do rich moves/renames, with pattern matching/substitution.
+          # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
+          autoload -Uz zmv
+
+          HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch)'
+
+          # extra aliases
+          # TODO: move to `shellAliases` config?
+          function nd() {
+            mkdir -p "$1";
+            pushd "$1";
+          }
+        ''
+        + lib.optionalString cfg.showDeadlines ''
+          ${pkgs.sane-scripts}/bin/sane-deadlines
+        ''
+        + ''
+          # auto-cd into any of these dirs by typing them and pressing 'enter':
+          hash -d 3rd="/home/colin/dev/3rd"
+          hash -d dev="/home/colin/dev"
+          hash -d knowledge="/home/colin/knowledge"
+          hash -d nixos="/home/colin/nixos"
+          hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
+          hash -d ref="/home/colin/ref"
+          hash -d secrets="/home/colin/knowledge/secrets"
+          hash -d tmp="/home/colin/tmp"
+          hash -d uninsane="/home/colin/dev/uninsane"
+          hash -d Videos="/home/colin/Videos"
+        '';
+
+        syntaxHighlighting.enable = true;
+        vteIntegration = true;
+      };
+
+      # enable a command-not-found hook to show nix packages that might provide the binary typed.
+      programs.nix-index.enable = true;
+      programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+    })
+  ];
+}

hosts/common/secrets.nix

@@ -52,9 +52,17 @@
     sopsFile = ../../secrets/universal.yaml;
     owner = config.users.users.colin.name;
   };
+  sops.secrets."mx-sanebot-env" = {
+    sopsFile = ../../secrets/universal/mx-sanebot-env.bin;
+    format = "binary";
+    owner = config.users.users.colin.name;
+  };
   sops.secrets."router_passwd" = {
     sopsFile = ../../secrets/universal.yaml;
   };
+  sops.secrets."transmission_passwd" = {
+    sopsFile = ../../secrets/universal.yaml;
+  };
   sops.secrets."wg_ovpnd_us_privkey" = {
     sopsFile = ../../secrets/universal.yaml;
   };
@@ -99,18 +107,26 @@
     sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
     format = "binary";
   };
-  sops.secrets."iwd/home-bedroom.psk" = {
-    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/home-shared-24G.psk" = {
-    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
-    format = "binary";
-  };
   sops.secrets."iwd/home-shared.psk" = {
     sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
     format = "binary";
   };
+  sops.secrets."iwd/makespace-south.psk" = {
+    sopsFile = ../../secrets/universal/net/makespace-south.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = {
+    sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/archive-2023-02-home-shared-24G.psk" = {
+    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/archive-2023-02-home-shared.psk" = {
+    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared.psk.bin;
+    format = "binary";
+  };
   sops.secrets."iwd/iphone" = {
     sopsFile = ../../secrets/universal/net/iphone.psk.bin;
     format = "binary";

hosts/common/users.nix

@@ -97,9 +97,11 @@ in
     # convenience
     sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
     sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
+    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
     sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
     sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
     sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
+    sane.user.fs."Pictures/servo-macros" = fs.wantedSymlinkTo "/mnt/servo-media/Pictures/macros";
 
     # used by password managers, e.g. unix `pass`
     sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";

hosts/instantiate.nix

@@ -4,7 +4,7 @@
 { hostName, localSystem }:
 
 # module args
-{ config, ... }:
+{ config, lib, ... }:
 
 {
   imports = [
@@ -14,14 +14,16 @@
   ];
 
   networking.hostName = hostName;
+  nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
+  sane.cross.enablePatches = localSystem != null;
 
-  nixpkgs.overlays = [
-    (next: prev: {
-      # for local != target we by default just emulate the target while building.
-      # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
-      # to explicitly opt into non-emulated cross compilation for any specific package.
-      # this is most beneficial for large packages with few pre-requisites -- like Linux.
-      cross = prev.crossFrom."${localSystem}";
-    })
-  ];
+  # nixpkgs.overlays = [
+  #   (next: prev: {
+  #     # for local != target we by default just emulate the target while building.
+  #     # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
+  #     # to explicitly opt into non-emulated cross compilation for any specific package.
+  #     # this is most beneficial for large packages with few pre-requisites -- like Linux.
+  #     cross = prev.crossFrom."${localSystem}";
+  #   })
+  # ];
 }

hosts/modules/default.nix

@@ -11,5 +11,6 @@
     ./roles
     ./services
     ./wg-home.nix
+    ./yggdrasil.nix
   ];
 }

hosts/modules/gui/phosh.nix

@@ -28,8 +28,9 @@ in
           "guiApps"
           # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
           "gnome.gnome-bluetooth"
+          "gnome.gnome-terminal"
           "phosh-mobile-settings"
-          "plasma5Packages.konsole"  # more reliable terminal
+          # "plasma5Packages.konsole"  # more reliable terminal
         ];
       };
     }
@@ -37,11 +38,13 @@ in
       sane.programs = {
         inherit (pkgs // {
           "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
+          "gnome.gnome-terminal" = pkgs.gnome.gnome-terminal;
           "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
         })
           phosh-mobile-settings
           "plasma5Packages.konsole"
           # "gnome.gnome-bluetooth"
+          "gnome.gnome-terminal"
         ;
       };
     }
@@ -49,6 +52,12 @@ in
     (mkIf cfg.enable {
       sane.programs.phoshApps.enableFor.user.colin = true;
 
+      # TODO(2023/02/28): remove this qt.style = "gtk2" override.
+      # gnome by default tells qt to stylize its apps similar to gnome.
+      # but the package needed for that doesn't cross-compile, hence i disable that here.
+      # qt.platformTheme = "gtk2";
+      # qt.style = "gtk2";
+
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
       services.xserver.desktopManager.phosh = {
         enable = true;
@@ -63,6 +72,26 @@ in
         };
       };
 
+      # phosh enables `services.gnome.{core-os-services, core-shell}`
+      # and this in turn enables some default apps we don't really care about.
+      # see <nixos/modules/services/x11/desktop-managers/gnome.nix>
+      environment.gnome.excludePackages = with pkgs; [
+        # gnome.gnome-menus  # unused outside gnome classic, but probably harmless
+        gnome-tour
+      ];
+      services.dleyna-renderer.enable = false;
+      services.dleyna-server.enable = false;
+      services.gnome.gnome-browser-connector.enable = false;
+      services.gnome.gnome-initial-setup.enable = false;
+      services.gnome.gnome-online-accounts.enable = false;
+      services.gnome.gnome-remote-desktop.enable = false;
+      services.gnome.gnome-user-share.enable = false;
+      services.gnome.rygel.enable = false;
+
+      # gnome doesn't use mkDefault for these -- unclear why not
+      services.gnome.evolution-data-server.enable = mkForce false;
+      services.gnome.gnome-online-miners.enable = mkForce false;
+
       # XXX: phosh enables networkmanager by default; can probably disable these lines
       networking.useDHCP = false;
       networking.networkmanager.enable = true;
@@ -85,6 +114,7 @@ in
       };
 
       programs.dconf.packages = [
+        # org.kde.konsole.desktop
         (pkgs.writeTextFile {
           name = "dconf-phosh-settings";
           destination = "/etc/dconf/db/site.d/00_phosh_settings";
@@ -97,7 +127,7 @@ in
             sleep-inactive-battery-timeout=5400
 
             [sm/puri/phosh]
-            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.kde.konsole.desktop']
+            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.gnome.Terminal.desktop']
           '';
         })
       ];

hosts/modules/gui/sway.nix

@@ -126,6 +126,7 @@ in
         package = null;
         suggestedPrograms = [
           "guiApps"
+          "splatmoji"  # used by us, but 'enabling' it gets us persistence & cfg
           "swaylock"
           "swayidle"
           "wl-clipboard"
@@ -133,6 +134,7 @@ in
           # # "pavucontrol"
           "gnome.gnome-bluetooth"
           "gnome.gnome-control-center"
+          "sway-contrib.grimshot"
         ];
       };
     }
@@ -141,6 +143,7 @@ in
         inherit (pkgs // {
           "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
           "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
+          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
         })
           swaylock
           swayidle
@@ -148,6 +151,7 @@ in
           mako
           "gnome.gnome-bluetooth"
           "gnome.gnome-control-center"
+          "sway-contrib.grimshot"
         ;
       };
     }

hosts/modules/hardware/x86_64.nix

@@ -9,11 +9,6 @@
       # efi_pstore evivars
     ];
 
-    # enable cross compilation
-    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-    # nixpkgs.config.allowUnsupportedSystem = true;
-    # nixpkgs.crossSystem.system = "aarch64-linux";
-
     powerManagement.cpuFreqGovernor = "powersave";
     hardware.cpu.amd.updateMicrocode = true;    # desktop
     hardware.cpu.intel.updateMicrocode = true;  # laptop

hosts/modules/hosts.nix

@@ -69,7 +69,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
       wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
       wg-home.ip = "10.0.10.22";
-      lan-ip = "192.168.0.22";
+      lan-ip = "192.168.15.25";
     };
 
     sane.hosts.by-name."lappy" = {
@@ -77,7 +77,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
       wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
       wg-home.ip = "10.0.10.20";
-      lan-ip = "192.168.0.20";
+      lan-ip = "192.168.15.13";
     };
 
     sane.hosts.by-name."moby" = {
@@ -85,7 +85,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
       wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
       wg-home.ip = "10.0.10.48";
-      lan-ip = "192.168.0.48";
+      lan-ip = "192.168.15.28";
     };
 
     sane.hosts.by-name."servo" = {
@@ -94,7 +94,7 @@ in
       wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
       wg-home.ip = "10.0.10.5";
       wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.0.5";
+      lan-ip = "192.168.15.24";
     };
   };
 }

hosts/modules/nixcache.nix

@@ -13,6 +13,7 @@
 with lib;
 let
   cfg = config.sane.nixcache;
+  hostName = config.networking.hostName;
 in
 {
   options = {
@@ -24,6 +25,17 @@ in
       default = config.sane.nixcache.enable;
       type = types.bool;
     };
+    sane.nixcache.substituters = mkOption {
+      type = types.listOf types.string;
+      default =
+        # TODO: make these blacklisted entries injectable
+        (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
+        ++ (lib.optional (hostName != "servo" && hostName != "desko") "http://desko:5000")
+        ++ [
+          "https://nix-community.cachix.org"
+          "https://cache.nixos.org/"
+        ];
+    };
   };
 
   config = {
@@ -31,12 +43,7 @@ in
     # to explicitly build from a specific cache (in case others are down):
     # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
     # - `nix build ... --substituters http://desko:5000`
-    nix.settings.substituters = mkIf cfg.enable [
-      "https://nixcache.uninsane.org"
-      "http://desko:5000"
-      "https://nix-community.cachix.org"
-      "https://cache.nixos.org/"
-    ];
+    nix.settings.substituters = mkIf cfg.enable cfg.substituters;
     # always trust our keys (so one can explicitly use a substituter even if it's not the default
     nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
       "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="

hosts/modules/roles/build-machine.nix

@@ -0,0 +1,82 @@
+{ config, lib, pkgs, sane-lib, ... }:
+
+let
+  inherit (lib) mkIf mkMerge mkOption types;
+  inherit (config.programs.ccache) cacheDir;
+  cfg = config.sane.roles.build-machine;
+in
+{
+  options.sane.roles.build-machine = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    emulation = mkOption {
+      type = types.bool;
+      default = true;
+    };
+    ccache = mkOption {
+      type = types.bool;
+      default = true;
+    };
+  };
+
+  config = mkMerge [
+    ({
+      sane.programs.qemu = pkgs.qemu;
+    })
+    (mkIf cfg.enable {
+      # enable opt-in emulation of any package at runtime.
+      # i.e. `nix build '.#host-pkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
+      sane.programs.qemu.enableFor.user.colin = true;
+      # serve packages to other machines that ask for them
+      sane.services.nixserve.enable = true;
+
+      # enable cross compilation
+      # TODO: do this via stdenv injection, linking into /run/binfmt the stuff in <nixpkgs:nixos/modules/system/boot/binfmt.nix>
+      boot.binfmt.emulatedSystems = lib.optionals cfg.emulation [
+        "aarch64-linux"
+        # "aarch64-darwin"  # not supported
+        # "x86_64-darwin"   # not supported
+      ];
+      # corresponds to env var: NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
+      # nixpkgs.config.allowUnsupportedSystem = true;
+    })
+    (mkIf (cfg.enable && cfg.ccache) {
+      # programs.ccache.cacheDir = "/var/cache/ccache";  # nixos default
+      # programs.ccache.cacheDir = "/homeless-shelter/.ccache";  # ccache default (~/.ccache)
+
+      # if the cache doesn't reside at ~/.ccache, then CCACHE_DIR has to be set.
+      # we can do that manually as commented out below, or let nixos do it for us by telling it to use ccache on a dummy package:
+      programs.ccache.packageNames = [ "dummy-pkg-to-force-ccache-config" ];
+      # nixpkgs.overlays = [
+      #   (self: super: {
+      #     # XXX: if the cache resides not at ~/.ccache (i.e. /homeless-shelter/.ccache)
+      #     # then we need to explicitly tell ccache where that is.
+      #     ccacheWrapper = super.ccacheWrapper.override {
+      #       extraConfig = ''
+      #         export CCACHE_DIR="${cacheDir}"
+      #       '';
+      #     };
+      #   })
+      # ];
+
+      # granular compilation cache
+      # docs: <https://nixos.wiki/wiki/CCache>
+      # investigate the cache with:
+      # - `nix-ccache --show-stats`
+      # - `build '.#ccache'
+      #   - `sudo CCACHE_DIR=/var/cache/ccache ./result/bin/ccache --show-stats -v`
+      # TODO: whitelist `--verbose` in <nixpkgs:nixos/modules/programs/ccache.nix>
+      # TODO: configure without compression (leverage fs-level compression), and enable file-clone (i.e. hardlinks)
+      programs.ccache.enable = true;
+      nix.settings.extra-sandbox-paths = [ cacheDir ];
+      sane.persist.sys.plaintext = [
+        { group = "nixbld"; mode = "0775"; directory = config.programs.ccache.cacheDir; }
+      ];
+      sane.fs."${cacheDir}/ccache.conf" = sane-lib.fs.wantedText ''
+        max_size = 50G
+      '';
+    })
+  ];
+}

hosts/modules/roles/default.nix

@@ -1,6 +1,7 @@
 { ... }:
 {
   imports = [
+    ./build-machine.nix
     ./client
   ];
 }

hosts/modules/yggdrasil.nix

@@ -0,0 +1,30 @@
+# docs: <nixpkgs:nixos/modules/services/networking/yggdrasil.md>
+# - or message CW/0x00
+
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkIf mkOption types;
+  cfg = config.sane.yggdrasil;
+in
+{
+  options.sane.yggdrasil = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+  config = mkIf cfg.enable {
+    services.yggdrasil = {
+      enable = true;
+      persistentKeys = true;
+      config = {
+        IFName = "ygg0";
+        Peers = [
+          "tls://longseason.1200bps.xyz:13122"
+        ];
+      };
+    };
+  };
+}
+

integrations/nur/default.nix

@@ -0,0 +1,36 @@
+# Nix User Repository (NUR)
+# - <https://github.com/nix-community/NUR>
+#
+# this file is not reachable from the top-level of my nixos configs (i.e. toplevel flake.nix)
+# nor is it intended for anyone who wants to reference my config directly
+#   (consider the toplevel flake.nix outputs instead).
+#
+# rather, this is the entrypoint through which NUR finds my packages, modules, overlays.
+# it's reachable only from those using this repo via NUR.
+#
+# to manually query available packages, modules, etc, try:
+# - nix eval --impure --expr 'builtins.attrNames (import ./. {})'
+#
+# to validate this before a push that would propagate to NUR:
+#   NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
+#     --allowed-uris https://static.rust-lang.org \
+#     --option restrict-eval true \
+#     --option allow-import-from-derivation true \
+#     --drv-path --show-trace \
+#     -I nixpkgs=$(nix-instantiate --find-file nixpkgs) \
+#     -I ../../
+# ^ source: <https://github.com/nix-community/nur-packages-template/blob/master/.github/workflows/build.yml#L63>
+#   N.B.: nur eval allows only PATH (inherited) and NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM="1" (forced),
+#   hence the erasing of NIX_PATH above (to remove external overlays)
+
+{ pkgs ? import <nixpkgs> {} }:
+let
+  sanePkgs = import ../../pkgs { inherit pkgs; };
+in
+({
+  overlays.pkgs = import ../../overlays/pkgs.nix;
+  pkgs = sanePkgs;
+
+  modules = import ../../modules { inherit (pkgs) lib; };
+  lib = import ../../modules/lib { inherit (pkgs) lib; };
+} // sanePkgs)

modules/data/feeds/sources/acquiredlpbonussecretsecret.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 443732,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Ben and David are joined by expert founders and investors \u2014 writing the next generation of great company stories in real-time.\n\nWe go behind the scenes on their journeys and bring back emerging insights and lessons that are useful for anyone in the tech and investing ecosystems.\n\nAcquired covers yesterday. ACQ2 covers tomorrow.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 92,
+  "last_updated": "2023-03-02T17:03:15+00:00",
+  "score": 10,
+  "self_url": "https://acquiredlpbonussecretsecret.libsyn.com/",
+  "site_name": "ACQ2 by Acquired",
+  "site_url": "https://acquiredlpbonussecretsecret.libsyn.com",
+  "title": "ACQ2 by Acquired",
+  "url": "https://acquiredlpbonussecretsecret.libsyn.com",
+  "velocity": 0.057,
+  "version": "rss20"
+}

modules/data/feeds/sources/blog.rust-lang.org/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 76362,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Empowering everyone to build reliable and efficient software.",
+  "favicon": "https://blog.rust-lang.org/images/favicon-16x16.png",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAA3XAAAN1wFCKJt4AAAAB3RJTUUH4gseBBkAzEcAUAAAAWlJREFUOMul079L1WEUBvCPdhPUzbhC3JYQwn6MLTU4CA5C/QMJimQS2NDiZpM0NDoZ0iK4+SdIV5ykpgKtIYyiqCBSuKBBibflufBiVxt64eV73uc855z3fb7ndPh7daMPU/gR7ByeYRc/nbJGMI8GjvAKb2M34hspA84U9jgeYAIv8Bi9+IxFnMcYLqCJ12WiYTzHL0wee05Xcb6H3+EOt8CeXK0Z526b/R1ruIL74c4nVi3v+4BvOAxhHzv4lHMTb3A1WAO1zqjdhRU8SjWpOIBBvAx2hFEsRZ8pmEn28ZC+FhXLvY9L4UwHm+ksBNo79kvf4QlWC61uxR5qkSqoJttkROqN7wDvk+Q6LuIh+nEnMdVSxOYJ+zKetsEbqFVy9QXMpYE28TE3gC+YxXaKDeFGYvYqIa7jZppjI/2w1GZGzia4npiDSpz1tCjcjg5VbAW7hrtpqjqW8/3nMLXee+IwdfzvOP8BuzB3onylpecAAAAASUVORK5CYII=",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 10,
+  "last_updated": "2023-03-09T00:00:00+00:00",
+  "score": 20,
+  "self_url": "https://blog.rust-lang.org/feed.xml",
+  "site_name": "The Rust Programming Language Blog",
+  "site_url": "https://blog.rust-lang.org",
+  "title": "Rust Blog",
+  "url": "https://blog.rust-lang.org/feed.xml",
+  "velocity": 0.096,
+  "version": "atom10"
+}

modules/data/feeds/sources/capitolhillseattle.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 83424,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Community News For All of Seattle's Capitol Hill",
+  "favicon": "https://www.capitolhillseattle.com/favicon.ico",
+  "favicon_data_uri": "data:image/png;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAD///////////////////////////39/f/h4eH/vb29/729vf/i4uL//f39/////////////////////////////////////////////f39/6+vr/81NTX/AgIC/wAAAP8AAAD/AgIC/zU1Nf+wsLD//f39////////////////////////////+vr6/2pqav8BAQH/AAAA/wAAAP8AAAD/AAAA/wAAAP8AAAD/AQEB/2xsbP/6+vr//////////////////v7+/7u7u/9VVVX/VVVV/1VVVf9VVVX/VVVV/1VVVf9VVVX/VVVV/1VVVf9VVVX/vb29//7+/v/+/v7//////87Ozv8eHh7/HBwc/xwcHP8cHBz/t7e3/z8/P/+VlZX/WVlZ/xwcHP8cHBz/HBwc/x4eHv/Q0ND//v7+//7+/v9hYWH/AAAA/yUlJf/Dw8P/4ODg//n5+f/29vb//Pz8/+Li4v9MTEz/AAAA/wAAAP8AAAD/ZGRk///////7+/v/MTEx/xUVFf8WFhb/jY2N//7+/v/+/v7//v7+//7+/v/+/v7/+vr6/2FhYf8VFRX/FRUV/zMzM//8/Pz/7+/v/xgYGP8TExP/ExMT/xMTE/+2trb//v7+//7+/v/+/v7//v7+//7+/v/z8/P/JiYm/xMTE/8ZGRn/8PDw/+zs7P8EBAT/AAAA/wAAAP8AAAD/NjY2//39/f/+/v7//v7+//7+/v/+/v7//v7+/zk5Of8AAAD/BgYG/+3t7f/5+fn/FhYW/wAAAP8AAAD/AAAA/wICAv/T09P//v7+//7+/v/+/v7//v7+//7+/v9BQUH/AAAA/xcXF//5+fn//v7+/1FRUf8AAAD/AAAA/wAAAP8AAAD/RUVF//Pz8//+/v7//v7+//7+/v/+/v7/Li4u/wAAAP9UVFT///////////+7u7v/AQEB/wAAAP8AAAD/AAAA/wAAAP8fHx//vLy8//7+/v/+/v7/8/Pz/xEREf8BAQH/vb29/////////////f39/1hYWP8AAAD/AAAA/wAAAP8AAAD/GBgY/15eXv+Li4v/39/f/2tra/8AAAD/W1tb//7+/v/////////////////x8fH/Q0ND/wAAAP8AAAD/AAAA/wAAAP8AAAD/AAAA/wMDA/8AAAD/RUVF//Ly8v////////////////////////////b29v+EhIT/EhIS/wAAAP8AAAD/AAAA/wAAAP8TExP/hYWF//f39/////////////////////////////////////////////Ly8v+2trb/kJCQ/5CQkP+3t7f/8/Pz////////////////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 5,
+  "last_updated": "2023-04-02T02:03:11+00:00",
+  "score": 13,
+  "self_url": "https://www.capitolhillseattle.com/feed/",
+  "site_name": "CHS Capitol Hill Seattle News",
+  "site_url": "https://www.capitolhillseattle.com",
+  "title": "CHS Capitol Hill Seattle News",
+  "url": "https://www.capitolhillseattle.com/feed/",
+  "velocity": 1.6,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.libsyn.com/421877/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 272569,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Audio version of the posts shared in the LessWrong Curated newsletter.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [
+    "https://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 56,
+  "last_updated": "2023-03-08T08:00:00+00:00",
+  "score": 32,
+  "self_url": "https://feeds.buzzsprout.com/2037297.rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "LessWrong Curated Podcast",
+  "url": "https://feeds.buzzsprout.com/2037297.rss",
+  "velocity": 0.192,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.megaphone.fm/hubermanlab/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1377252,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Andrew Huberman, Ph.D.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 129,
+  "last_updated": "2023-03-06T09:00:00+00:00",
+  "score": 14,
+  "self_url": "https://feeds.megaphone.fm/hubermanlab",
+  "site_name": "",
+  "site_url": "",
+  "title": "Huberman Lab",
+  "url": "https://feeds.megaphone.fm/hubermanlab",
+  "velocity": 0.159,
+  "version": "rss20"
+}

modules/data/feeds/sources/mapspodcast.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 256360,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Hosted by Zach Leary, the intent of the podcast is to bring you the listener an easily accessible resource for a variety of topics all related to psychedelic research. There is a lot to learn about new research into the therapeutic potential of psychedelics and marijuana. Over the years, the Multidisciplinary Association for Psychedelic Studies (MAPS) has amassed an incredible treasure trove of audio archives sourced from the amazing talks, presentations and panels that have taken place at past Psychedelic Science conferences and other unique events. By selecting some of that content and then bringing it to you in a podcast we hope to create a centralized location for the greater MAPS community. If you're a researcher, scientist, medical professional or just a curiosity seeker we hope that you'll find this content a valuable resource tool.\n\nPlease visit the MAPS website at https://maps.org",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 62,
+  "last_updated": "2023-03-06T20:20:00+00:00",
+  "score": 0,
+  "self_url": "https://feeds.libsyn.com/95610/rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "MAPS Podcast",
+  "url": "https://feeds.libsyn.com/95610/rss",
+  "velocity": 0.028,
+  "version": "rss20"
+}

modules/data/feeds/sources/omny.fm/shows/cool-people-who-did-cool-stuff/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 242702,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "<p>As long as there&rsquo;s been oppression, there&rsquo;ve been people fighting it. This weekly podcast dives into history to drag up the wildest rebels, the most beautiful revolts, and all the people who long to be&mdash;and fight to be&mdash;free. It explores complex stories of resistance that offer lessons and inspiration for us today, focusing on the ensemble casts that make up each act of history. That is to say, this podcast focuses on Cool People Who Did Cool Stuff.</p>",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 86,
+  "last_updated": "2023-03-20T04:01:00+00:00",
+  "score": -12,
+  "self_url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/45bcda9a-4724-45c0-82ca-ae7f00e1dd18/f21245f2-a297-42f7-a016-ae7f00e390c4/podcast.rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "Cool People Who Did Cool Stuff",
+  "url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/45bcda9a-4724-45c0-82ca-ae7f00e1dd18/f21245f2-a297-42f7-a016-ae7f00e390c4/podcast.rss",
+  "velocity": 0.256,
+  "version": "rss20"
+}

modules/data/feeds/sources/poorlydrawnlines.com/feed/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 13524,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "A Comic",
+  "favicon": "http://www.poorlydrawnlines.com/wp-content/themes/PoorlyDrawnLines/images/favicon.ico",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAK6wAACusBgosNWgAAABx0RVh0U29mdHdhcmUAQWRvYmUgRmlyZXdvcmtzIENTNXG14zYAAAE+SURBVDiNnZO9rgFRFIW/Yy4KCldDN4VCQ63STTyAR0BU3kEy8SQeYiIRKq+gkFytZAo/0VBZtxC5Y85McFdymr2Sb6+z9zlG0g/wTUyHwwGAcrkct6I6IumsiHa7nTqdjkqlknK5nBqNhsbjsU6nkxJ0RtI+WgmCQICMMWq323JdV4BarZbCMIwD9hZgNpsJ0Gg0kiRdr1f1+30B6vV6FiATv5TjOABUKhUA8vk8w+EQgPV6bQ3BAki6G5k/KwxDADzPswBfaYDNZsNyuWS73TKZTCgWiwwGA3sP8RnM53MBT6dQKGg6nSZtYW8leER3XZd6vY7neXS7XWq1mt09KcFisRAg3/eTOr7ewkO32y3Nek6cZjyG+W/Au0p9B58kyEYLxpi7kXkrXNYo9p0vlwur1Ypms0m1Wn0FOP4CBWA38rLJ0EUAAAAASUVORK5CYII=",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 10,
+  "last_updated": "2023-03-22T17:51:01+00:00",
+  "score": 12,
+  "self_url": "https://poorlydrawnlines.com/feed/",
+  "site_name": "Poorly Drawn Lines",
+  "site_url": "https://poorlydrawnlines.com",
+  "title": "Poorly Drawn Lines",
+  "url": "https://poorlydrawnlines.com/feed/",
+  "velocity": 0.272,
+  "version": "rss20"
+}

modules/data/feeds/sources/reverseengineering.libsyn.com/rss/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 560867,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Listen and learn about different reverse engineering hardware projects and methods as Alvaro (@alvaroprieto) and Jen(@rebelbotjen) talk with guests about their work.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 63,
+  "last_updated": "2022-12-30T15:42:48+00:00",
+  "score": 18,
+  "self_url": "https://reverseengineering.libsyn.com/rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "Unnamed Reverse Engineering Podcast",
+  "url": "https://reverseengineering.libsyn.com/rss",
+  "velocity": 0.032,
+  "version": "rss20"
+}

modules/data/feeds/sources/thisweek.gnome.org/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1250267,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Recent content on This Week in GNOME",
+  "favicon": "https://thisweek.gnome.org/images/favicon-32x32.png",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAABYAAAAWABINkT2gAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAI5SURBVFiFvdZPiE1RHAfwz/xBxhSTISxYaJSiJAklioWNjYWVhYWUtYRMslEWSv7WkPybsbHSGMmGDUmhyEKihMgsjMQsnjEW597emdt7z7vvvplvnTr3d3/n9/3ec8/vd35MHVqnkAu0YR+eoYQxPMWyZhEswH0M43DmXTuGMF5hXGyWgMEo6A8Tt/h0FfJxnGmEbA160ZU8twvbGgeenrxbgj81BKzNS746IhtIbB2ZoJ8j/6M1yIfyksORKMB3tCT2T5H9cuR/qwr5NyzMBq8nNYaj+Zxonu5GSfjnKdoqxBjBdnypg08XruFA8jwfv5W/IkUH+rAzs77XxC9/g1X1EKc4Fy3enNj2Cnl8qY71nejHk0TMzDzkcCUScCGy92BG3mD/Q3sF2w3sTuZLI/vbaN6NbVgnpN28xFYSDudjYRfiNblwTNiBqxn7VtxRO8/TUcL+RgXACsxN5otxtw7S7PiLlUVEwAbh9OclT8euIuTLheLTKPm4cE4aQgseFSR/qFw5c2NjQfJ3WNQoOZwoQH5PSMtCGGiAeBSHNKn96stJ/kAT2y3YUyfxLxw0CU1nj1BIapG/EErxpCHu+7Ljo3KlTNGNs/iQ+PzE8SIC1qu+C6cq+Fcq1yNFBMDJKgKeY1rG93UFv9tFBUwXrtdKIgaV832T0LRkfbYUFQCzVS/Lo3il8hXd3wzyFJ24WUVEtXtgVjMFpNiB9zWIx4RWLncvmAetQkt2XTh4X/ES5zWhAZlS/AMHdE5EpHwlOQAAAABJRU5ErkJggg==",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 86,
+  "last_updated": "2023-03-10T00:00:00+00:00",
+  "score": 46,
+  "self_url": "https://thisweek.gnome.org/index.xml",
+  "site_name": "This Week in GNOME",
+  "site_url": "https://thisweek.gnome.org",
+  "title": "This Week in GNOME",
+  "url": "https://thisweek.gnome.org/index.xml",
+  "velocity": 0.141,
+  "version": "rss20"
+}

modules/default.nix

@@ -1,4 +1,4 @@
-{ lib, utils, ... }:
+{ lib, ... }:
 
 {
   imports = [
@@ -15,7 +15,7 @@
   ];
 
   _module.args =  {
-    sane-lib = import ./lib { inherit lib utils; };
+    sane-lib = import ./lib { inherit lib; };
     sane-data = import ./data { inherit lib; };
   };
 }

modules/fs/default.nix

@@ -189,7 +189,7 @@ let
       serviceConfig.Type = "oneshot";
 
       script = wrapper.script;
-      scriptArgs = builtins.concatStringsSep " " wrapper.scriptArgs;
+      scriptArgs = escapeShellArgs wrapper.scriptArgs;
 
       after = gen-opt.depends;
       wants = gen-opt.depends;

modules/lib/default.nix

@@ -1,12 +1,12 @@
-{ lib, ... }@moduleArgs:
+{ lib, ... }:
 
 let
 sane-lib = rec {
-  feeds = import ./feeds.nix moduleArgs;
-  fs = import ./fs.nix moduleArgs;
-  merge = import ./merge.nix ({ inherit sane-lib; } // moduleArgs);
-  path = import ./path.nix moduleArgs;
-  types = import ./types.nix moduleArgs;
+  feeds = import ./feeds.nix { inherit lib; };
+  fs = import ./fs.nix { inherit lib; };
+  merge = import ./merge.nix { inherit lib sane-lib; };
+  path = import ./path.nix { inherit lib; };
+  types = import ./types.nix { inherit lib; };
 
   # re-exports
   inherit (merge) mkTypedMerge;

modules/lib/path.nix

@@ -1,4 +1,4 @@
-{ lib, utils, ... }:
+{ lib, ... }:
 
 let path = rec {
 

modules/persist/default.nix

@@ -124,6 +124,9 @@ let
   #   <option>.private.".cache/vim" = { mode = "0700"; };
   # to place ".cache/vim" into the private store and create with the appropriate mode
   dirsSubModule = types.submodule ({ config, ... }: {
+    # TODO: this should be a plain-old `attrsOf (convertInlineAcl entryInStoreOrShorthand)` with downstream checks,
+    #   rather than being filled in based on *other* settings.
+    #   otherwise, it behaves poorly when `sane.persist.enable = false`
     options = lib.attrsets.unionOfDisjoint
       (mapAttrs (store: store-cfg: mkOption {
         default = [];

modules/programs.nix

@@ -1,11 +1,13 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ config, lib, options, pkgs, sane-lib, ... }:
 let
-  inherit (builtins) any elem map;
+  inherit (builtins) any attrValues elem map;
   inherit (lib)
+    concatMapAttrs
     filterAttrs
     hasAttrByPath
     getAttrFromPath
     mapAttrs
+    mapAttrs'
     mapAttrsToList
     mkDefault
     mkIf
@@ -18,7 +20,7 @@ let
   ;
   inherit (sane-lib) joinAttrsets;
   cfg = config.sane.programs;
-  pkgSpec = types.submodule ({ name, ... }: {
+  pkgSpec = types.submodule ({ config, name, ... }: {
     options = {
       package = mkOption {
         type = types.nullOr types.package;
@@ -59,6 +61,12 @@ let
           place this program on the PATH for some specified user(s).
         '';
       };
+      enabled = mkOption {
+        type = types.bool;
+        description = ''
+          generated (i.e. read-only) value indicating if the program is enabled either for any user or for the system.
+        '';
+      };
       suggestedPrograms = mkOption {
         type = types.listOf types.str;
         default = [];
@@ -71,18 +79,36 @@ let
         type = types.bool;
         default = true;
       };
-      dir = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "list of home-relative paths to persist for this package";
+      persist = {
+        plaintext = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          description = "list of home-relative paths to persist for this package";
+        };
+        private = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          description = "list of home-relative paths to persist (in encrypted format) for this package";
+        };
       };
-      private = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "list of home-relative paths to persist (in encrypted format) for this package";
+      fs = mkOption {
+        type = types.attrs;
+        default = {};
+        description = "files to populate when this program is enabled";
+      };
+      secrets = mkOption {
+        type = types.attrsOf types.path;
+        default = {};
+        description = ''
+          fs paths to link to some decrypted secret.
+          the secret will have same owner as the user under which the program is enabled.
+        '';
       };
     };
 
+    config = {
+      enabled = config.enableFor.system || any (en: en) (attrValues config.enableFor.user);
+    };
   });
   toPkgSpec = types.coercedTo types.package (p: { package = p; }) pkgSpec;
 
@@ -96,15 +122,45 @@ let
     environment.systemPackages = optional
       (p.package != null && p.enableFor.system)
       p.package;
+
     # conditionally add to user(s) PATH
     users.users = mapAttrs (user: en: {
       packages = optional (p.package != null && en) p.package;
     }) p.enableFor.user;
-    # conditionally persist relevant user dirs
+
+    # conditionally persist relevant user dirs and create files
     sane.users = mapAttrs (user: en: optionalAttrs en {
-      persist.plaintext = p.dir;
-      persist.private = p.private;
+      inherit (p) persist;
+      fs = mkMerge [
+        p.fs
+        (mapAttrs
+          # link every secret into the fs
+          # TODO: user the user's *actual* home directory, don't guess.
+          (homePath: _src: sane-lib.fs.wantedSymlinkTo "/run/secrets/home/${user}/${homePath}")
+          p.secrets
+        )
+      ];
     }) p.enableFor.user;
+
+    # make secrets available for each user
+    sops.secrets = concatMapAttrs
+      (user: en: optionalAttrs en (
+        mapAttrs'
+          (homePath: src: {
+            # TODO: user the user's *actual* home directory, don't guess.
+            # XXX: name CAN'T START WITH '/', else sops creates the directories funny.
+            # TODO: report this upstream.
+            name = "home/${user}/${homePath}";
+            value = {
+              owner = user;
+              sopsFile = src;
+              format = "binary";
+            };
+          })
+          p.secrets
+      ))
+      p.enableFor.user;
+
   }) cfg;
 in
 {
@@ -122,6 +178,7 @@ in
         environment.systemPackages = f.environment.systemPackages;
         users.users = f.users.users;
         sane.users = f.sane.users;
+        sops.secrets = f.sops.secrets;
       };
     in mkMerge [
       (take (sane-lib.mkTypedMerge take configs))

modules/services/dyn-dns.nix

@@ -3,6 +3,11 @@
 with lib;
 let
   cfg = config.sane.services.dyn-dns;
+  getIp = pkgs.writeShellScript "dyn-dns-query-wan" ''
+    # preferred method and fallback
+    ${pkgs.sane-scripts}/bin/sane-ip-check-router-wan || \
+      ${pkgs.sane-scripts}/bin/sane-ip-check
+  '';
 in
 {
   options = {
@@ -19,7 +24,7 @@ in
       };
 
       ipCmd = mkOption {
-        default = "${pkgs.sane-scripts}/bin/sane-ip-check-router-wan";
+        default = "${getIp}";
         type = types.path;
         description = "command to run to query the current WAN IP";
       };

modules/services/mautrix-signal.nix

@@ -2,6 +2,39 @@
 
 with lib;
 let
+  # TODO: upstream these "optional-dependencies"
+  # - search that phrase in <nixpkgs:doc/languages-frameworks/python.section.md>
+  pkg = pkgs.mautrix-signal.overridePythonAttrs (super: {
+    propagatedBuildInputs = super.propagatedBuildInputs ++ (with pkgs.python3.pkgs; [
+      # these optional deps come from mautrix-signal's "optional-requirements.txt"
+
+      # #/e2be
+      # python-olm>=3,<4
+      # pycryptodome>=3,<4
+      # unpaddedbase64>=1,<3
+      # XXX: ^above already included in nixpkgs package
+
+      # #/metrics
+      # prometheus_client>=0.6,<0.17
+      # XXX: ^above already included in nixpkgs package
+
+      # #/formattednumbers
+      # phonenumbers>=8,<9
+      # XXX: ^above already included in nixpkgs package
+
+      # #/qrlink
+      # qrcode>=6,<8
+      # Pillow>=4,<10
+      # XXX: ^above already included in nixpkgs package
+
+      # #/stickers
+      # signalstickers-client>=3,<4
+
+      # #/sqlite
+      # aiosqlite>=0.16,<0.19
+      aiosqlite
+    ]);
+  });
   dataDir = "/var/lib/mautrix-signal";
   registrationFile = "${dataDir}/signal-registration.yaml";
   cfg = config.services.mautrix-signal;
@@ -136,10 +169,10 @@ in
       preStart = ''
         # generate the appservice's registration file if absent
         if [ ! -f '${registrationFile}' ]; then
-          ${pkgs.mautrix-signal}/bin/mautrix-signal \
+          ${pkg}/bin/mautrix-signal \
             --generate-registration \
             --no-update \
-            --base-config='${pkgs.mautrix-signal}/${pkgs.mautrix-signal.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
+            --base-config='${pkg}/${pkg.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
             --config='${settingsFile}' \
             --registration='${registrationFile}'
         fi
@@ -158,13 +191,13 @@ in
         ProtectControlGroups = true;
 
         PrivateTmp = true;
-        WorkingDirectory = pkgs.mautrix-signal;
+        WorkingDirectory = pkg;
         StateDirectory = baseNameOf dataDir;
         UMask = "0027";
         EnvironmentFile = cfg.environmentFile;
 
         ExecStart = ''
-          ${pkgs.mautrix-signal}/bin/mautrix-signal \
+          ${pkg}/bin/mautrix-signal \
             --config='${settingsFile}' \
             --no-update
         '';

modules/services/trust-dns.nix

@@ -7,7 +7,20 @@ with lib;
 let
   cfg = config.sane.services.trust-dns;
   toml = pkgs.formats.toml { };
-  fmtRecord = proto: rrtype: name: value: "${name}\t${proto}\t${rrtype}\t${value}";
+  recordFormatters = {
+    # quote rules for zone files:
+    # - any character may be encoded by `\DDD`, where `DDD` represents its ascii value in base 8.
+    # - any non-digit `X` may be encoded by `\X`.
+    # - stated in: <https://www.ietf.org/rfc/rfc1035.txt>: 5.1 Format
+    # - visible in <trust-dns:crates/proto/src/serialize/txt/zone_lex.rs:escape_seq>
+    # for us, we can just replace `\` => `\\ and `"` -> `\"`
+    TXT = value: "\"" + (lib.escape [ "\\" "\"" ] value) + "\"";
+  };
+  fmtRecord = proto: rrtype: name: value:
+    let
+      formatter = recordFormatters."${rrtype}" or lib.id;
+    in
+      "${name}\t${proto}\t${rrtype}\t${formatter value}";
   fmtRecordList = proto: rrtype: name: values: concatStringsSep
     "\n"
     (map (fmtRecord proto rrtype name) values)

nixpatches/2023-01-25-signald-update.patch

@@ -1,78 +0,0 @@
-diff --git a/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch b/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
-index 1d9ca8d838d..d2cf9dd4315 100644
---- a/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
-+++ b/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
-@@ -11,25 +11,15 @@ diff --git a/build.gradle b/build.gradle
- index 799e782..caceaac 100644
- --- a/build.gradle
- +++ b/build.gradle
--@@ -83,6 +83,9 @@ static String getVersion() {
-- 
-- repositories {
--     maven {url "https://gitlab.com/api/v4/groups/6853927/-/packages/maven"} // https://gitlab.com/groups/signald/-/packages
--+    maven {
--+      url "https://plugins.gradle.org/m2/"
--+    }
--     mavenCentral()
-- }
-- 
--@@ -104,6 +107,8 @@ dependencies {
--     implementation 'io.prometheus:simpleclient_httpserver:0.16.0'
--     implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
--     implementation 'io.sentry:sentry:6.4.0'
--+    implementation 'com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:3.1.0'
--+    implementation 'org.jetbrains.kotlin:kotlin-scripting-jvm:1.7.10'
--     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
-+@@ -87,7 +86,7 @@ repositories {
-  }
-  
-+ dependencies {
-+-    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_1'
-++    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_2'
-+     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
-+     implementation 'com.kohlschutter.junixsocket:junixsocket-common:2.6.1'
-+     implementation 'com.kohlschutter.junixsocket:junixsocket-native-common:2.6.1'
- @@ -171,4 +176,4 @@ allprojects {
-  runtime {
-      options = ['--strip-java-debug-attributes', '--compress', '2', '--no-header-files', '--no-man-pages']
-diff --git a/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch b/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
-index 96a7d6d2ef3..2f0f6e73159 100644
---- a/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
-+++ b/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
-@@ -47,15 +47,15 @@ index 799e782..6ecef3e 100644
-  }
-  
-  dependencies {
--@@ -104,6 +117,8 @@ dependencies {
--     implementation 'io.prometheus:simpleclient_httpserver:0.16.0'
--     implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
--     implementation 'io.sentry:sentry:6.4.0'
--+    implementation 'com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:3.1.0'
--+    implementation 'org.jetbrains.kotlin:kotlin-scripting-jvm:1.7.10'
--     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
-+@@ -87,7 +86,7 @@ repositories {
-  }
-  
-+ dependencies {
-+-    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_1'
-++    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_2'
-+     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
-+     implementation 'com.kohlschutter.junixsocket:junixsocket-common:2.6.1'
-+     implementation 'com.kohlschutter.junixsocket:junixsocket-native-common:2.6.1'
- @@ -167,8 +182,3 @@ allprojects {
-          }
-      }
-diff --git a/pkgs/applications/networking/instant-messengers/signald/default.nix b/pkgs/applications/networking/instant-messengers/signald/default.nix
-index a9e023cdf63..8847707e137 100644
---- a/pkgs/applications/networking/instant-messengers/signald/default.nix
-+++ b/pkgs/applications/networking/instant-messengers/signald/default.nix
-@@ -54,8 +54,8 @@ let
-     outputHashMode = "recursive";
-     # Downloaded jars differ by platform
-     outputHash = {
--      x86_64-linux = "sha256-ANiNDdTuCuDEH5zUPsrVF6Uegdq3zVsMv+uMtYRX0jE=";
--      aarch64-linux = "sha256-V9zn4v/ZeLELAwFJ5y7OVAeJwZp4DmHm4KWxE6KpwGs=";
-+      x86_64-linux = "sha256-B2T8bM8xdob5507oS1CVO+sszEg9VWL8QKUEanIlXvk=";
-+      aarch64-linux = "sha256-I314eLUQP8HPbwc+10ZDKzcn9WsqLGuBtfoiCEYZRck=";
-     }.${stdenv.system} or (throw "Unsupported platform");
-   };

nixpatches/2023-01-30-mesa-cma-leak.patch

@@ -0,0 +1,22 @@
+diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
+index 56fa74e5c0c..3573bb0af49 100644
+--- a/pkgs/development/libraries/mesa/default.nix
++++ b/pkgs/development/libraries/mesa/default.nix
+@@ -88,7 +88,7 @@
+ let
+   # Release calendar: https://www.mesa3d.org/release-calendar.html
+   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
+-  version = "22.3.4";
++  version = "22.3.2";
+   branch  = lib.versions.major version;
+ 
+   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
+@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
+       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
+       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
+     ];
+-    sha256 = "37a1ddaf03f41919ee3c89c97cff41e87de96e00e9d3247959cc8279d8294593";
++    sha256 = "c15df758a8795f53e57f2a228eb4593c22b16dffd9b38f83901f76cd9533140b";
+   };
+ 
+   # TODO:

nixpatches/2023-02-28-mesa-22.3.6.patch

@@ -0,0 +1,23 @@
+diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
+index 52633a6d21649..20d839b74c2ea 100644
+--- a/pkgs/development/libraries/mesa/default.nix
++++ b/pkgs/development/libraries/mesa/default.nix
+@@ -88,7 +88,7 @@
+ let
+   # Release calendar: https://www.mesa3d.org/release-calendar.html
+   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
+-  version = "22.3.5";
++  version = "22.3.6";
+   branch  = lib.versions.major version;
+ 
+   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
+@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
+       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
+       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
+     ];
+-    sha256 = "3eed2ecae2bc674494566faab9fcc9beb21cd804c7ba2b59a1694f3d7236e6a9";
++    hash = "sha256-TsjsZdvbHulETbpylwiQEooZVDpYzwWTG9b1TxJOEX8=";
+   };
+ 
+   # TODO:
+

nixpatches/2023-03-03-qtbase-cross-compile.patch

@@ -0,0 +1,21 @@
+diff --git a/pkgs/development/libraries/qt-6/modules/qtbase.nix b/pkgs/development/libraries/qt-6/modules/qtbase.nix
+index e71b0a7613d..72779ac57a5 100644
+--- a/pkgs/development/libraries/qt-6/modules/qtbase.nix
++++ b/pkgs/development/libraries/qt-6/modules/qtbase.nix
+@@ -5,6 +5,7 @@
+ , version
+ , coreutils
+ , bison
++, buildPackages
+ , flex
+ , gdb
+ , gperf
+@@ -224,6 +225,8 @@ stdenv.mkDerivation rec {
+   ] ++ lib.optionals stdenv.isDarwin [
+     # error: 'path' is unavailable: introduced in macOS 10.15
+     "-DQT_FEATURE_cxx17_filesystem=OFF"
++  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
++    "-DQT_HOST_PATH=${buildPackages.qt6.full}"
+   ];
+ 
+   NIX_LDFLAGS = toString (lib.optionals stdenv.isDarwin [