WIP: theme gtk apps

still need to do hardening and docs

.sops.yaml

@@ -8,7 +8,7 @@ keys:
   - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
   - &host_moby age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
 creation_rules:
-  - path_regex: secrets/universal*
+  - path_regex: secrets/common*
     key_groups:
     - age:
       - *user_desko_colin
@@ -26,19 +26,19 @@ creation_rules:
       - *user_lappy_colin
       - *user_servo_colin
       - *host_servo
-  - path_regex: secrets/desko.yaml$
+  - path_regex: secrets/desko*
     key_groups:
     - age:
       - *user_desko_colin
       - *user_lappy_colin
       - *host_desko
-  - path_regex: secrets/lappy.yaml$
+  - path_regex: secrets/lappy*
     key_groups:
     - age:
       - *user_lappy_colin
       - *user_desko_colin
       - *host_lappy
-  - path_regex: secrets/moby.yaml$
+  - path_regex: secrets/moby*
     key_groups:
     - age:
       - *user_desko_colin

README.md

@@ -20,6 +20,8 @@ directly here; even the sources for those packages is often kept here too.
     - the bulk of config which isn't factored with external use in mind.
     - that is, if you were to add this repo to a flake.nix for your own use,
       you won't likely be depending on anything in this directory.
+- `integrations/`
+    - code intended for consumption by external tools (e.g. the Nix User Repos)
 - `modules/`
     - config which is gated behind `enable` flags, in similar style to nixpkgs'
       `nixos/` directory.
@@ -32,7 +34,7 @@ directly here; even the sources for those packages is often kept here too.
 - `pkgs/`
     - derivations for things not yet packaged in nixpkgs.
     - derivations for things from nixpkgs which i need to `override` for some reason.
-    - inline code for wholly custom packages (e.g. `pkgs/sane-scripts/` for CLI tools
+    - inline code for wholly custom packages (e.g. `pkgs/additional/sane-scripts/` for CLI tools
       that are highly specific to my setup).
 - `scripts/`
     - scripts which are referenced by other things in this repo.
@@ -94,6 +96,12 @@ this should be a pretty "standard" flake. just reference it, and import either
 - `nixosModules.sane` (for the modules)
 - `overlays.pkgs` (for the packages)
 
+## Mirrors
+
+this repo exists in a few known locations:
+- primary: <https://git.uninsane.org/colin/nix-files>
+- mirror: <https://github.com/nix-community/nur-combined/tree/master/repos/colinsane>
+
 ## Contact
 
 if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc,

TODO.md

@@ -0,0 +1,86 @@
+## BUGS
+- why i need to manually restart `wireguard-wg-ovpns` on servo periodically
+	- else DNS fails
+
+## REFACTORING:
+
+### sops/secrets
+- attach secrets to the thing they're used by (sane.programs)
+- rework secrets to leverage `sane.fs`
+- remove sops activation script as it's covered by my systemd sane.fs impl
+
+### roles
+- allow any host to take the role of `uninsane.org`
+    - will make it easier to test new services?
+
+### upstreaming
+- split out a trust-dns module
+  - see: <https://github.com/NixOS/nixpkgs/pull/205866#issuecomment-1575753054>
+- split out a sxmo module usable by NUR consumers
+- bump nodejs version in lemmy-ui
+- add updateScripts to all my packages in nixpkgs
+- fix lightdm-mobile-greeter for newer libhandy
+- port zecwallet-lite to a from-source build
+- REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
+- remove `libsForQt5.callPackage` broadly: <https://github.com/NixOS/nixpkgs/issues/180841>
+
+
+## IMPROVEMENTS:
+### security/resilience
+- validate duplicity backups!
+- encrypt more ~ dirs (~/archives, ~/records, ..?)
+    - best to do this after i know for sure i have good backups
+- have `sane.programs` be wrapped such that they run in a cgroup?
+    - at least, only give them access to the portion of the fs they *need*.
+    - Android takes approach of giving each app its own user: could hack that in here.
+    - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
+      - presumably uses the same options as systemd services
+      - see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
+    - flatpak does this, somehow
+    - apparmor?  SElinux?  (desktop) "portals"?
+    - see Spectrum OS; Alyssa Ross; etc
+- canaries for important services
+    - e.g. daily email checks; daily backup checks
+    - integrate `nix check` into Gitea actions?
+
+### user experience
+- neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
+- firefox/librewolf: don't show browserpass/sponsorblock/metamask "first run" on every boot
+- moby: improve gPodder launch time
+- moby: theme GTK apps (i.e. non-adwaita styles)
+  - especially, make the menubar collapsible
+- package Nix/NixOS docs for Zeal
+    - install [doc-browser](https://github.com/qwfy/doc-browser)
+    - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
+    - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
+- have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
+- `sane.programs`: auto-populate defaults with everything from `pkgs`
+- `sane.persist`: auto-create parent dirs in ~/private
+  - currently if the application doesn't autocreate dirs leading to its destination, then ~/private storage fails
+  - this might be why librewolf on mobile is still amnesiac
+- sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
+- uninsane.org: make URLs relative to allow local use (and as offline homepage)
+- email: fix so that local mail doesn't go to junk
+  - git sendmail flow adds the DKIM signatures, but gets delivered locally w/o having the sig checked, so goes into Junk
+  - could change junk filter from "no DKIM success" to explicit "DKIM failed"
+
+### perf
+- why does zsh take so long to init?
+- why does nixos-rebuild switch take 5 minutes when net is flakey?
+    - trying to auto-mount servo?
+    - something to do with systemd services restarting/stalling
+    - maybe wireguard & its refresh operation, specifically?
+- fix OOM for large builds like webkitgtk
+    - these use significant /tmp space.
+    - either place /tmp on encrypted-cleared-at-boot storage
+        - which probably causes each CPU load for the encryption
+    - or have nix builds use a subdir of /tmp like /tmp/nix/...
+        - and place that on non-encrypted clear-on-boot (with very lax writeback/swappiness to minimize writes)
+    - **or set up encrypted swap**
+        - encrypted swap could remove the need for my encrypted-cleared-at-boot stuff
+
+
+## NEW FEATURES:
+- migrate MAME cabinet to nix
+    - boot it from PXE from servo?
+- enable IPv6

flake.lock

@@ -1,12 +1,15 @@
 {
   "nodes": {
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1687709756,
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
         "type": "github"
       },
       "original": {
@@ -18,11 +21,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1680563603,
-        "narHash": "sha256-gxSci3NTlzgkAOhaC93Q4lReX/Pjd7++imD85JOAlps=",
+        "lastModified": 1683422260,
+        "narHash": "sha256-79zaClbubRkBNlJ04OSADILuLQHH48N5fu296hEWYlw=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "4aa0afd84005b79be4d5361b56a60df9e9bd4ea3",
+        "rev": "ba4638836e94a8f16d1d1f9e8c0530b86078029c",
         "type": "github"
       },
       "original": {
@@ -36,11 +39,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1678202930,
-        "narHash": "sha256-SF82/tTnagdazlETJLzXD9kjZ6lyk38agdLbmMx1UZE=",
+        "lastModified": 1687251388,
+        "narHash": "sha256-E9cVlgeCvzPbA/G3mCDCzz8TdRwXyGYzIjmwcvIfghg=",
         "owner": "edolstra",
         "repo": "nix-serve",
-        "rev": "3b6d30016d910a43e0e16f94170440a3e0b8fa8d",
+        "rev": "d6df5bd8584f37e22cff627db2fc4058a4aab5ee",
         "type": "github"
       },
       "original": {
@@ -66,32 +69,32 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1682173319,
-        "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
+        "lastModified": 1687031877,
+        "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
+        "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1682404149,
-        "narHash": "sha256-vilYNldFXiu56HGD0lPcWsiED7EmjGMViCLZoQsv7Jk=",
+        "lastModified": 1688049487,
+        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d0ea36ece469a71a909ebff90777c2f7a49478bb",
+        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "staging-next",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -113,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1682338428,
-        "narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
+        "lastModified": 1687398569,
+        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
+        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
         "type": "github"
       },
       "original": {
@@ -126,6 +129,21 @@
         "type": "github"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "uninsane-dot-org": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -134,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682815555,
-        "narHash": "sha256-mu4axnbR6cSgnNBGrSydxmKlKWrnHLKlpNmmbqD2V9E=",
+        "lastModified": 1687821285,
+        "narHash": "sha256-pw0UYKG8yhW1H3nPgAhVYCzYFXYtamMh2DmF8YhtRec=",
         "ref": "refs/heads/master",
-        "rev": "da209f34ce34eb6b8c4d2b3256a02eb23ad9f655",
-        "revCount": 191,
+        "rev": "ae27eb61b55b6c6d83c25384fb163df398a80265",
+        "revCount": 201,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -23,9 +23,6 @@
   # preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
   # but `inputs` is required to be a strict attrset: not an expression.
   inputs = {
-    # <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
-    # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
-
     # branch workflow:
     # - daily:
     #   - nixos-unstable cut from master after enough packages have been built in caches.
@@ -43,8 +40,8 @@
     #   - use `staging` if no staging-next branch has been cut.
     #
     # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
     # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging";
 
     mobile-nixos = {
@@ -92,36 +89,28 @@
         nixpkgs = nixpkgs-unpatched;
       };
 
-      nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
+      nixpkgsCompiledBy = system: nixpkgs.legacyPackages."${system}";
 
-      evalHost = { name, local, target }:
-        let
-          # XXX: we'd prefer to use `nixosSystem = (nixpkgsCompiledBy target).nixos`
-          # but it doesn't propagate config to the underlying pkgs, meaning it doesn't let you use
-          # non-free packages even after setting nixpkgs.allowUnfree.
-          # XXX: patch using the target -- not local -- otherwise the target will
-          # need to emulate the host in order to rebuild!
-          nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
-        in
-          (nixosSystem {
-            modules = [
-              (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
-              self.nixosModules.default
-              self.nixosModules.passthru
-              {
-                nixpkgs.overlays = [
-                  self.overlays.disable-flakey-tests
-                  self.overlays.passthru
-                  self.overlays.pins
-                  self.overlays.pkgs
-                  # self.overlays.optimizations
-                ];
-                nixpkgs.hostPlatform = target;
-                # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
-                # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
-              }
+      evalHost = { name, local, target }: nixpkgs.lib.nixosSystem {
+        system = target;
+        modules = [
+          (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
+          self.nixosModules.default
+          self.nixosModules.passthru
+          {
+            nixpkgs.overlays = [
+              self.overlays.passthru
+              self.overlays.sane-all
             ];
-          });
+          }
+          ({ lib, ... }: {
+            # TODO: does the earlier `system` arg to nixosSystem make its way here?
+            nixpkgs.hostPlatform.system = target;
+            # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
+            # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
+          })
+        ];
+      };
     in {
       nixosConfigurations =
         let
@@ -175,23 +164,19 @@
 
       # unofficial output
       host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
+      host-programs = mapAttrValues (host: mapAttrValues (p: p.package) host.config.sane.programs) self.nixosConfigurations;
 
       overlays = {
         # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
         #   hence the weird redundancy.
         default = final: prev: self.overlays.pkgs final prev;
+        sane-all = final: prev: import ./overlays/all.nix final prev;
         disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
         pkgs = final: prev: import ./overlays/pkgs.nix final prev;
         pins = final: prev: import ./overlays/pins.nix final prev;
         optimizations = final: prev: import ./overlays/optimizations.nix final prev;
         passthru = final: prev:
           let
-            stable =
-              if inputs ? "nixpkgs-stable" then (
-                final': prev': {
-                  stable = inputs.nixpkgs-stable.legacyPackages."${prev'.stdenv.hostPlatform.system}";
-                }
-              ) else (final': prev': {});
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlay;
             # nix-serve' = nix-serve.overlay;
@@ -202,11 +187,10 @@
               inherit (nix-serve.packages."${next.system}") nix-serve;
             };
           in
-              (stable final prev)
-              // (mobile final prev)
-              // (uninsane final prev)
-              // (nix-serve' final prev)
-            ;
+            (mobile final prev)
+            // (uninsane final prev)
+            // (nix-serve' final prev)
+          ;
       };
 
       nixosModules = rec {
@@ -258,7 +242,7 @@
           deployScript = action: pkgs.writeShellScript "deploy-moby" ''
             nixos-rebuild --flake '.#moby' build $@
             sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
-            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby-hn --use-remote-sudo $@
+            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby --use-remote-sudo $@
           '';
         in {
           update-feeds = {
@@ -282,6 +266,22 @@
             type = "app";
             program = ''${deployScript "switch"}'';
           };
+
+          check-nur = {
+            # `nix run '.#check-nur'`
+            # validates that my repo can be included in the Nix User Repository
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript "check-nur" ''
+              cd ${./.}/integrations/nur
+              NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
+                --allowed-uris https://static.rust-lang.org \
+                --option restrict-eval true \
+                --option allow-import-from-derivation true \
+                --drv-path --show-trace \
+                -I nixpkgs=$(nix-instantiate --find-file nixpkgs) \
+                -I ../../
+            '');
+          };
         };
 
       templates = {
@@ -305,6 +305,12 @@
           path = ./templates/pkgs/rust;
           description = "rust package fit to ship in nixpkgs";
         };
+        pkgs.make = {
+          # initialize with:
+          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.make'`
+          path = ./templates/pkgs/make;
+          description = "default Makefile-based derivation";
+        };
       };
     };
 }

hosts/README.md

@@ -0,0 +1,7 @@
+## directory structure
+- by-name/<hostname>: configuration which is evaluated _only_ for the given hostname
+- common/: configuration which applies to all hosts
+- modules/: nixpkgs-style modules which may be used by multiple hosts, but configured separately per host.
+    - ideally no module here has effect unless `enable`d
+        - however, `enable` may default to true
+        - and in practice some of these modules surely aren't fully "disableable"

hosts/by-name/desko/default.nix

@@ -4,17 +4,28 @@
     ./fs.nix
   ];
 
+  sane.guest.enable = true;
+
+  # TODO: make sure this plays nice with impermanence
+  services.distccd.enable = true;
+  sane.programs.distcc.enableFor.user.guest = true;
+
+  sops.secrets.colin-passwd.neededForUsers = true;
+
   sane.roles.build-machine.enable = true;
+  sane.roles.ac = true;
   sane.roles.client = true;
+  sane.roles.dev-machine = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.services.duplicity.enable = true;
-  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
+  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
 
   sane.gui.sway.enable = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;
 
   sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
+  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
@@ -22,11 +33,6 @@
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
 
-  sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/desko.yaml;
-    neededForUsers = true;
-  };
-
   # don't enable wifi by default: it messes with connectivity.
   systemd.services.iwd.enable = false;
 
@@ -37,15 +43,9 @@
   services.snapper.configs.nix = {
     # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
     # but that also requires setting up the persist dir as a subvol
-    subvolume = "/nix";
+    SUBVOLUME = "/nix";
     # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
-    extraConfig = ''
-      ALLOW_USERS = "colin";
-    '';
-  };
-
-  sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../../secrets/desko.yaml;
+    ALLOW_USERS = [ "colin" ];
   };
 
   programs.steam = {

hosts/by-name/lappy/default.nix

@@ -2,11 +2,11 @@
 {
   imports = [
     ./fs.nix
+    ./polyfill.nix
   ];
 
-  sane.yggdrasil.enable = true;
-
   sane.roles.client = true;
+  sane.roles.dev-machine = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
@@ -19,12 +19,9 @@
     "desktopGuiApps"
     "stepmania"
   ];
-  sane.programs.mx-sanebot.enableFor.system = true;  # for the docs
+  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
 
-  sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/lappy.yaml;
-    neededForUsers = true;
-  };
+  sops.secrets.colin-passwd.neededForUsers = true;
 
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
@@ -33,7 +30,8 @@
   services.snapper.configs.nix = {
     # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
     # but that also requires setting up the persist dir as a subvol
-    subvolume = "/nix";
+    SUBVOLUME = "/nix";
+    ALLOW_USERS = [ "colin" ];
   };
 
   # TODO: only here for debugging

hosts/by-name/lappy/polyfill.nix

@@ -0,0 +1,38 @@
+# doesn't actually *enable* anything,
+# but sets up any modules such that if they *were* enabled, they'll act as expected.
+{ pkgs, ... }:
+{
+  sane.gui.sxmo = {
+    greeter = "sway";
+    settings = {
+      # XXX: make sure the user is part of the `input` group!
+      SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-id/usb-Wacom_Co._Ltd._Pen_and_multitouch_sensor-event-if00";
+      # these identifiers are from `swaymsg -t get_inputs`
+      SXMO_VOLUME_BUTTON = "1:1:AT_Translated_Set_2_keyboard";
+      # SXMO_VOLUME_BUTTON = "none";
+      SXMO_POWER_BUTTON = "0:1:Power_Button";
+      # SXMO_POWER_BUTTON = "none";
+      SXMO_DISABLE_LEDS = "1";
+      SXMO_UNLOCK_IDLE_TIME = "120";  # default
+      # sxmo tries to determine device type from /proc/device-tree/compatible,
+      # but that doesn't seem to exist on NixOS?  (or maybe it just doesn't exist
+      # on non-aarch64 builds).
+      # the device type informs (at least):
+      # - SXMO_WIFI_MODULE
+      # - SXMO_RTW_SCAN_INTERVAL
+      # - SXMO_SYS_FILES
+      # - SXMO_TOUCHSCREEN_ID
+      # - SXMO_MONITOR
+      # - SXMO_ALSA_CONTROL_NAME
+      # - SXMO_SWAY_SCALE
+      # see <repo:mil/sxmo-utils:scripts/deviceprofiles>
+      # SXMO_DEVICE_NAME = "pine64,pinephone-1.2";
+    };
+    package = pkgs.sxmo-utils.overrideAttrs (base: {
+      postPatch = (base.postPatch or "") + ''
+        # after volume-button navigation mode, restore full keyboard functionality
+        cp ${./xkb_mobile_normal_buttons} ./configs/xkb/xkb_mobile_normal_buttons
+      '';
+    });
+  };
+}

hosts/by-name/lappy/xkb_mobile_normal_buttons

@@ -0,0 +1,7 @@
+xkb_keymap {
+	xkb_keycodes  { include "evdev+aliases(qwerty)"	};
+	xkb_types     { include "complete"	};
+	xkb_compat    { include "complete"	};
+	xkb_symbols   { include "pc+us+inet(evdev)"	};
+	xkb_geometry  { include "pc(pc105)"	};
+};

hosts/by-name/moby/default.nix

@@ -4,6 +4,7 @@
     ./firmware.nix
     ./fs.nix
     ./kernel.nix
+    ./polyfill.nix
   ];
 
   sane.roles.client = true;
@@ -15,12 +16,9 @@
   users.users.colin.initialPassword = "147147";
   services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
-  sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/moby.yaml;
-    neededForUsers = true;
-  };
+  sops.secrets.colin-passwd.neededForUsers = true;
 
-  sane.web-browser = {
+  sane.programs.web-browser.config = {
     # compromise impermanence for the sake of usability
     persistCache = "private";
     persistData = "private";
@@ -31,14 +29,19 @@
   };
 
   sane.user.persist.plaintext = [
+    # TODO: make this just generally conditional upon pulse being enabled?
     ".config/pulse"  # persist pulseaudio volume
   ];
 
-  sane.gui.phosh.enable = true;
+  sane.gui.sxmo.enable = true;
   # sane.programs.consoleUtils.enableFor.user.colin = false;
   # sane.programs.guiApps.enableFor.user.colin = false;
   sane.programs.sequoia.enableFor.user.colin = false;
   sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
+  # disabled for faster deploys (gthumb depends on webkitgtk, particularly)
+  sane.programs.soundconverter.enableFor.user.colin = false;
+  sane.programs.jellyfin-media-player.enableFor.user.colin = false;
+  # sane.programs.mpv.enableFor.user.colin = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.
@@ -78,14 +81,30 @@
   # enable rotation sensor
   hardware.sensor.iio.enable = true;
 
-  # from https://gitlab.manjaro.org/manjaro-arm/packages/community/phosh/alsa-ucm-pinephone
-  # mobile-nixos does this same thing, with *slightly different settings*.
-  # i trust manjaro more because the guy maintaining that is actively trying to upstream into alsa-ucm-conf.
-  # an alternative may be to build a custom alsa with the PinePhone config patch applied:
-  # - <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
-  # that would make this be not device-specific
-  environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
-  systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";
+  # inject specialized alsa configs via the environment.
+  # specifically, this gets the pinephone headphones & internal earpiece working.
+  # see pkgs/patched/alsa-ucm-conf for more info.
+  environment.variables.ALSA_CONFIG_UCM2 = "/run/current-system/sw/share/alsa/ucm2";
+  environment.pathsToLink = [ "/share/alsa/ucm2" ];
+  environment.systemPackages = [ pkgs.alsa-ucm-conf-sane ];
+  systemd =
+    let ucm-env = config.environment.variables.ALSA_CONFIG_UCM2;
+    in {
+    # cribbed from <repo:nixos/mobile-nixos:modules/quirks/audio.nix>
+
+    # pulseaudio
+    user.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = ucm-env;
+    services.pulseaudio.environment.ALSA_CONFIG_UCM2      = ucm-env;
+
+    # pipewire
+    user.services.pipewire.environment.ALSA_CONFIG_UCM2       = ucm-env;
+    user.services.pipewire-pulse.environment.ALSA_CONFIG_UCM2 = ucm-env;
+    user.services.wireplumber.environment.ALSA_CONFIG_UCM2    = ucm-env;
+    services.pipewire.environment.ALSA_CONFIG_UCM2            = ucm-env;
+    services.pipewire-pulse.environment.ALSA_CONFIG_UCM2      = ucm-env;
+    services.wireplumber.environment.ALSA_CONFIG_UCM2         = ucm-env;
+  };
+
 
   hardware.opengl.driSupport = true;
 }

hosts/by-name/moby/kernel.nix

@@ -44,68 +44,6 @@ let
       "sha256-6ywm3dQQ5JYl60CLKarxlSUukwi4QzqctCj3tVgzFbo="
     )
   ];
-
-  # pinephone uses the linux dtb at arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi
-  # - this includes sun50i-a64.dtsi
-  # - and sun50i-a64-cpu-opp.dtsi
-  # - no need to touch the allwinner-h6 stuff: that's the SBC pine product
-  # - i think it's safe to ignore sun9i stuff, but i don't know what it is
-  kernelConfig = with lib.kernel; {
-    # NB: nix adds the CONFIG_ prefix to each of these.
-    # if you add the prefix yourself nix will IGNORE YOUR CONFIG.
-    RTL8723CS = module;
-    BT_HCIUART_3WIRE = yes;
-    BT_HCIUART_RTL = yes;
-    RTL8XXXU_UNTESTED = yes;
-    BT_BNEP_MC_FILTER = yes;
-    BT_BNEP_PROTO_FILTER = yes;
-    BT_HS = yes;
-    BT_LE = yes;
-    # relevant configs inherited from nixos defaults (or above additions):
-    # CONFIG_BT=m
-    # CONFIG_BT_BREDR=y
-    # CONFIG_BT_RFCOMM=m
-    # CONFIG_BT_RFCOMM_TTY=y
-    # CONFIG_BT_BNEP=m
-    # CONFIG_BT_HIDP=m
-    # CONFIG_BT_RTL=m
-    # CONFIG_BT_HCIBTUSB=m
-    # CONFIG_BT_HCIBTUSB_BCM=y
-    # CONFIG_BT_HCIBTUSB_RTL=y
-    # CONFIG_BT_HCIUART=m
-    # CONFIG_BT_HCIUART_SERDEV=y
-    # CONFIG_BT_HCIUART_H4=y
-    # CONFIG_BT_HCIUART_LL=y
-    # CONFIG_RTL_CARDS=m
-    # CONFIG_RTLWIFI=m
-    # CONFIG_RTLWIFI_PCI=m
-    # CONFIG_RTLWIFI_USB=m
-    # CONFIG_RTLWIFI_DEBUG=y
-    # CONFIG_RTL8723_COMMON=m
-    # CONFIG_RTLBTCOEXIST=m
-    # CONFIG_RTL8XXXU=m
-    # CONFIG_RTLLIB=m
-    # consider adding (from mobile-nixos):
-    # maybe: CONFIG_BT_HCIUART_3WIRE=y
-    # maybe: CONFIG_BT_HCIUART_RTL=y
-    # maybe: CONFIG_RTL8XXXU_UNTESTED=y
-    # consider adding (from manjaro):
-    # CONFIG_BT_6LOWPAN=m  (not listed as option in nixos kernel)
-    # these are referenced in the rtl8723 source, but not known to config (and not in mobile-nixos config
-    # maybe: CONFIG_RTL_ODM_WLAN_DRIVER
-    # maybe: CONFIG_RTL_TRIBAND_SUPPORT
-    # maybe: CONFIG_SDIO_HCI
-    # maybe: CONFIG_USB_HCI
-  };
-
-  # create a kernelPatch which overrides nixos' defconfig with extra options
-  patchDefconfig = config: {
-    # defconfig options. this method comes from here:
-    # - https://discourse.nixos.org/t/the-correct-way-to-override-the-latest-kernel-config/533/9
-    name = "sane-moby-defconfig";
-    patch = null;
-    extraStructuredConfig = config;
-  };
 in
 {
   # use Megi's kernel:
@@ -116,22 +54,6 @@ in
   # - phosh greeter may not appear after wake from sleep
   boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
 
-  boot.kernelPatches = [
-    (patchDefconfig (kernelConfig //
-      (with lib.kernel; {
-        # disabling the sun5i_eink driver avoids this compilation error:
-        # CC [M]  drivers/video/fbdev/sun5i-eink-neon.o
-        # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfloat-abi=softfp'
-        # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
-        # make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
-        FB_SUN5I_EINK = no;
-        # used by the pinephone pro, but fails to compile with:
-        # ../drivers/media/i2c/ov8858.c:1834:27: error: implicit declaration of function 'compat_ptr'
-        VIDEO_OV8858 = no;
-      })
-    ))
-  ];
-
   # alternatively, use nixos' kernel and add the stuff we want:
   # # cross-compilation optimization:
   # boot.kernelPackages =
@@ -143,4 +65,19 @@ in
   # boot.kernelPatches = manjaroPatches ++ [
   #   (patchDefconfig kernelConfig)
   # ];
+
+  nixpkgs.hostPlatform.linux-kernel = {
+    # defaults:
+    name = "aarch64-multiplatform";
+    baseConfig = "defconfig";
+    DTB = true;
+    autoModules = true;
+    preferBuiltin = true;
+    # extraConfig = ...
+    # ^-- raspberry pi stuff: we don't need it.
+
+    # target = "Image";  # <-- default
+    target = "Image.gz";  # <-- compress the kernel image
+    # target = "zImage";  # <-- confuses other parts of nixos :-(
+  };
 }

hosts/by-name/moby/polyfill.nix

@@ -0,0 +1,26 @@
+{ pkgs, sane-lib, ... }:
+{
+  sane.gui.sxmo = {
+    settings = {
+      # touch screen
+      SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-path/platform-1c2ac00.i2c-event";
+      # vol and power are detected correctly by upstream
+
+      # preferences
+      # N.B. some deviceprofiles explicitly set SXMO_SWAY_SCALE, overwriting what we put here.
+      SXMO_SWAY_SCALE = "1.5";
+      SXMO_ROTATION_GRAVITY = "12800";
+      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff
+      DEFAULT_COUNTRY = "US";
+      BROWSWER = "librewolf";
+    };
+    package = pkgs.sxmo-utils.overrideAttrs (base: {
+      postPatch = (base.postPatch or "") + ''
+        cat <<EOF >> ./configs/default_hooks/sxmo_hook_start.sh
+        # rotate UI based on physical display angle by default
+        sxmo_daemons.sh start autorotate sxmo_autorotate.sh
+        EOF
+      '';
+    });
+  };
+}

hosts/by-name/servo/default.nix

@@ -4,7 +4,6 @@
   imports = [
     ./fs.nix
     ./net.nix
-    ./secrets.nix
     ./services
   ];
 
@@ -15,11 +14,13 @@
     signaldctl.enableFor.user.colin = true;
   };
 
+  sane.roles.ac = true;
   sane.roles.build-machine.enable = true;
   sane.roles.build-machine.emulation = false;
   sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;
+  sane.services.wg-home.enableWan = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 

hosts/by-name/servo/net.nix

@@ -3,6 +3,12 @@
 {
   networking.domain = "uninsane.org";
 
+  sane.ports.openFirewall = true;
+  sane.ports.openUpnp = true;
+
+  # view refused packets with: `sudo journalctl -k`
+  # networking.firewall.logRefusedPackets = true;
+
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
@@ -11,9 +17,6 @@
   # XXX colin: probably don't need this. wlan0 won't be populated unless i touch a value in networking.interfaces.wlan0
   networking.wireless.enable = false;
 
-  # networking.firewall.enable = false;
-  networking.firewall.enable = true;
-
   # this is needed to forward packets from the VPN to the host
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 
@@ -33,6 +36,14 @@
   # - getent ahostsv4 www.google.com
   # - try fix: <https://serverfault.com/questions/765989/connect-to-3rd-party-vpn-server-but-dont-use-it-as-the-default-route/766290#766290>
   services.resolved.enable = true;
+  # without DNSSEC:
+  # - dig matrix.org => works
+  # - curl https://matrix.org => works
+  # with default DNSSEC:
+  # - dig matrix.org => works
+  # - curl https://matrix.org => fails
+  # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
+  services.resolved.dnssec = "false";
   networking.nameservers = [
     # use systemd-resolved resolver
     # full resolver (which understands /etc/hosts) lives on 127.0.0.53
@@ -145,9 +156,9 @@
 
       # we also bridge DNS traffic
       ${in-ns} ${iptables} -A PREROUTING -t nat -p udp --dport 53 -m iprange --dst-range ${vpn-ip} \
-        -j DNAT --to-destination ${veth-host-ip}:53
+        -j DNAT --to-destination ${veth-host-ip}
       ${in-ns} ${iptables} -A PREROUTING -t nat -p tcp --dport 53 -m iprange --dst-range ${vpn-ip} \
-        -j DNAT --to-destination ${veth-host-ip}:53
+        -j DNAT --to-destination ${veth-host-ip}
 
       # in order to access DNS in this netns, we need to route it to the VPN's nameservers
       # - alternatively, we could fix DNS servers like 1.1.1.1.

hosts/by-name/servo/secrets.nix

@@ -1,42 +0,0 @@
-{ ... }:
-
-{
-  sops.secrets."ddns_afraid" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-  sops.secrets."ddns_he" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."dovecot_passwd" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."duplicity_passphrase" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."freshrss_passwd" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."matrix_synapse_secrets" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-  sops.secrets."mautrix_signal_env" = {
-    sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
-    format = "binary";
-  };
-
-  sops.secrets."mediawiki_pw" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."pleroma_secrets" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."wg_ovpns_privkey" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-}

hosts/by-name/servo/services/calibre.nix

@@ -30,5 +30,5 @@ lib.mkIf false
       proxyPass = "http://${ip}:${builtins.toString port}";
     };
   };
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."calibre" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."calibre" = "native";
 }

hosts/by-name/servo/services/ddns-afraid.nix

@@ -6,7 +6,7 @@ lib.mkIf false
   systemd.services.ddns-afraid = {
     description = "update dynamic DNS entries for freedns.afraid.org";
     serviceConfig = {
-      EnvironmentFile = config.sops.secrets.ddns_afraid.path;
+      EnvironmentFile = config.sops.secrets."ddns_afraid.env".path;
       # TODO: ProtectSystem = "strict";
       # TODO: ProtectHome = "full";
       # TODO: PrivateTmp = true;

hosts/by-name/servo/services/ddns-he.nix

@@ -6,7 +6,7 @@ lib.mkIf false
   systemd.services.ddns-he = {
     description = "update dynamic DNS entries for HurricaneElectric";
     serviceConfig = {
-      EnvironmentFile = config.sops.secrets.ddns_he.path;
+      EnvironmentFile = config.sops.secrets."ddns_he.env".path;
       # TODO: ProtectSystem = "strict";
       # TODO: ProtectHome = "full";
       # TODO: PrivateTmp = true;

hosts/by-name/servo/services/default.nix

@@ -7,6 +7,7 @@
     ./email
     ./ejabberd.nix
     ./freshrss.nix
+    ./ftp
     ./gitea.nix
     ./goaccess.nix
     ./ipfs.nix
@@ -17,8 +18,10 @@
     ./lemmy.nix
     ./matrix
     ./navidrome.nix
+    ./nfs.nix
     ./nixserve.nix
     ./nginx.nix
+    ./pict-rs.nix
     ./pleroma.nix
     ./postgres.nix
     ./prosody.nix

hosts/by-name/servo/services/ejabberd.nix

@@ -22,20 +22,60 @@
   sane.persist.sys.plaintext = [
     { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
   ];
-  networking.firewall.allowedTCPPorts = [
-    3478  # STUN/TURN
-    5222  # XMPP  client -> server
-    5223  # XMPPS client -> server (XMPP over TLS)
-    5269  # XMPP  server -> server
-    5270  # XMPPS server -> server (XMPP over TLS)
-    5280  # bosh
-    5281  # bosh (https) ??
-    5349  # STUN/TURN (TLS)
-    5443  # web services (file uploads, websockets, admin)
-  ];
-  networking.firewall.allowedUDPPorts = [
-    3478  # STUN/TURN
-  ];
+  sane.ports.ports."3478" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-stun-turn";
+  };
+  sane.ports.ports."5222" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-client-to-server";
+  };
+  sane.ports.ports."5223" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpps-client-to-server";  # XMPP over TLS
+  };
+  sane.ports.ports."5269" = {
+    protocol = [ "tcp" ];
+    visibleTo.wan = true;
+    description = "colin-xmpp-server-to-server";
+  };
+  sane.ports.ports."5270" = {
+    protocol = [ "tcp" ];
+    visibleTo.wan = true;
+    description = "colin-xmpps-server-to-server";  # XMPP over TLS
+  };
+  sane.ports.ports."5280" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-bosh";
+  };
+  sane.ports.ports."5281" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-bosh-https";
+  };
+  sane.ports.ports."5349" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-stun-turn-over-tls";
+  };
+  sane.ports.ports."5443" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-web-services";  # file uploads, websockets, admin
+  };
+
+  # TODO: forward these TURN ports!
   networking.firewall.allowedTCPPortRanges = [{
     from = 49152;  # TURN
     to = 49408;
@@ -75,9 +115,9 @@
     useACMEHost = "uninsane.org";
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet = {
+  sane.dns.zones."uninsane.org".inet = {
     # XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
-    A."xmpp" =                "%NATIVE%";
+    A."xmpp" =                "%ANATIVE%";
     CNAME."muc.xmpp" =        "xmpp";
     CNAME."pubsub.xmpp" =     "xmpp";
     CNAME."upload.xmpp" =     "xmpp";
@@ -234,7 +274,7 @@
             use_turn: true
             turn_min_port: 49152
             turn_max_port: 65535
-            turn_ipv4_address: %NATIVE%
+            turn_ipv4_address: %ANATIVE%
           -
             # STUN+TURN UDP
             port: 3478
@@ -243,7 +283,7 @@
             use_turn: true
             turn_min_port: 49152
             turn_max_port: 65535
-            turn_ipv4_address: %NATIVE%
+            turn_ipv4_address: %ANATIVE%
           -
             # STUN+TURN TLS over TCP
             port: 5349
@@ -254,7 +294,7 @@
             use_turn: true
             turn_min_port: 49152
             turn_max_port: 65535
-            turn_ipv4_address: %NATIVE%
+            turn_ipv4_address: %ANATIVE%
 
         # TODO: enable mod_fail2ban
         # TODO(low): look into mod_http_fileserver for serving macros?
@@ -387,7 +427,7 @@
     # config is 444 (not 644), so we want to write out-of-place and then atomically move
     # TODO: factor this out into `sane-woop` helper?
     rm -f /var/lib/ejabberd/ejabberd.yaml.new
-    ${sed} "s/%NATIVE%/$ip/" ${config-in} > /var/lib/ejabberd/ejabberd.yaml.new
+    ${sed} "s/%ANATIVE%/$ip/" ${config-in} > /var/lib/ejabberd/ejabberd.yaml.new
     mv /var/lib/ejabberd/ejabberd.yaml{.new,}
   '';
 

hosts/by-name/servo/services/email/dovecot.nix

@@ -6,18 +6,25 @@
 
 { config, lib, pkgs, ... }:
 {
-  networking.firewall.allowedTCPPorts = [
-    # exposed over non-vpn imap.uninsane.org
-    143  # IMAP
-    993  # IMAPS
-  ];
+  sane.ports.ports."143" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-imap-imap.uninsane.org";
+  };
+  sane.ports.ports."993" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-imaps-imap.uninsane.org";
+  };
 
   # exists only to manage certs for dovecot
   services.nginx.virtualHosts."imap.uninsane.org" = {
     enableACME = true;
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet = {
+  sane.dns.zones."uninsane.org".inet = {
     CNAME."imap" = "native";
   };
 

hosts/by-name/servo/services/email/postfix.nix

@@ -28,12 +28,21 @@ in
     # "/var/lib/dovecot"
   ];
 
-  networking.firewall.allowedTCPPorts = [
-    # exposed over vpn mx.uninsane.org
-    25   # SMTP
-    465  # SMTPS
-    587  # SMTPS/submission
-  ];
+  sane.ports.ports."25" = {
+    protocol = [ "tcp" ];
+    visibleTo.ovpn = true;
+    description = "colin-smtp-mx.uninsane.org";
+  };
+  sane.ports.ports."465" = {
+    protocol = [ "tcp" ];
+    visibleTo.ovpn = true;
+    description = "colin-smtps-mx.uninsane.org";
+  };
+  sane.ports.ports."587" = {
+    protocol = [ "tcp" ];
+    visibleTo.ovpn = true;
+    description = "colin-smtps-submission-mx.uninsane.org";
+  };
 
   # exists only to manage certs for Postfix
   services.nginx.virtualHosts."mx.uninsane.org" = {
@@ -41,7 +50,7 @@ in
   };
 
 
-  sane.services.trust-dns.zones."uninsane.org".inet = {
+  sane.dns.zones."uninsane.org".inet = {
     MX."@" = "10 mx.uninsane.org.";
     # XXX: RFC's specify that the MX record CANNOT BE A CNAME
     A."mx" = "185.157.162.178";

hosts/by-name/servo/services/freshrss.nix

@@ -59,5 +59,5 @@
     # the routing is handled by services.freshrss.virtualHost
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."rss" = "native";
 }

hosts/by-name/servo/services/ftp/default.nix

@@ -0,0 +1,70 @@
+# docs:
+# - <https://github.com/drakkan/sftpgo>
+# - config options: <https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md>
+# - config defaults: <https://github.com/drakkan/sftpgo/blob/main/sftpgo.json>
+# - nixos options: <repo:nixos/nixpkgs:nixos/modules/services/web-apps/sftpgo.nix>
+#
+# sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
+
+
+{ lib, pkgs, sane-lib, ... }:
+let
+  authProgram = pkgs.static-nix-shell.mkBash {
+    pname = "sftpgo_external_auth_hook";
+    src = ./.;
+  };
+in
+{
+  # Client initiates a FTP "control connection" on port 21.
+  # - this handles the client -> server commands, and the server -> client status, but not the actual data
+  # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
+  # - 50000-50100 is a common port range for this.
+  sane.ports.ports = {
+    "21" = {
+      protocol = [ "tcp" ];
+      visibleTo.lan = true;
+      description = "colin-FTP server";
+    };
+  } // (sane-lib.mapToAttrs
+    (port: {
+      name = builtins.toString port;
+      value = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        description = "colin-FTP server data port range";
+      };
+    })
+    (lib.range 50000 50100)
+  );
+
+  services.sftpgo = {
+    enable = true;
+    settings = {
+      ftpd = {
+        bindings = [{
+          address = "10.0.10.5";
+          port = 21;
+          debug = true;
+        }];
+
+        # active mode is susceptible to "bounce attacks", without much benefit over passive mode
+        disable_active_mode = true;
+        hash_support = true;
+        passive_port_range = {
+          start = 50000;
+          end = 50100;
+        };
+
+        banner = ''
+          Welcome, friends, to Colin's read-only FTP server! Also available via NFS on the same host.
+          Please let me know if anything's broken or not as it should be. Otherwise, browse and DL freely :)
+        '';
+
+      };
+      data_provider = {
+        driver = "memory";
+        external_auth_hook = "${authProgram}/bin/sftpgo_external_auth_hook";
+      };
+    };
+  };
+}

hosts/by-name/servo/services/ftp/sftpgo_external_auth_hook

@@ -0,0 +1,55 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
+# vim: set filetype=bash :
+#
+# available environment variables:
+# - SFTPGO_AUTHD_USERNAME
+# - SFTPGO_AUTHD_USER
+# - SFTPGO_AUTHD_IP
+# - SFTPGO_AUTHD_PROTOCOL  = { "DAV", "FTP", "HTTP", "SSH" }
+# - SFTPGO_AUTHD_PASSWORD
+# - SFTPGO_AUTHD_PUBLIC_KEY
+# - SFTPGO_AUTHD_KEYBOARD_INTERACTIVE
+# - SFTPGO_AUTHD_TLS_CERT
+#
+# user permissions:
+# - see <repo:drakkan/sftpgo:internal/dataprovider/user.go>
+# - "*" = grant all permissions
+# - read-only perms:
+#   - "list" = list files and directories
+#   - "download"
+# - rw perms:
+#   - "upload"
+#   - "overwrite" = allow uploads to replace existing files
+#   - "delete" = delete files and directories
+#     - "delete_files"
+#     - "delete_dirs"
+#   - "rename" = rename files and directories
+#     - "rename_files"
+#     - "rename_dirs"
+#   - "create_dirs"
+#   - "create_symlinks"
+#   - "chmod"
+#   - "chown"
+#   - "chtimes" = change atime/mtime (access and modification times)
+#
+# home_dir:
+# - it seems (empirically) that a user can't cd above their home directory.
+#   though i don't have a reference for that in the docs.
+# TODO: don't reuse /var/nfs/export here. formalize this some other way.
+
+
+if [ "$SFTPGO_AUTHD_USERNAME" = "anonymous" ]; then
+  echo '{'
+  echo '  "status":1,'
+  echo '  "username":"anonymous","expiration_date":0,'
+  echo '  "home_dir":"/var/nfs/export","uid":65534,"gid":65534,"max_sessions":0,"quota_size":0,"quota_files":100000,'
+  echo '  "permissions":{'
+  echo '    "/":["list", "download"]'
+  echo '  },'
+  echo '  "upload_bandwidth":0,"download_bandwidth":0,'
+  echo '  "filters":{"allowed_ip":[],"denied_ip":[]},"public_keys":[]'
+  echo '}'
+else
+  echo '{"username":""}'
+fi

hosts/by-name/servo/services/gitea.nix

@@ -1,3 +1,4 @@
+# config options: <https://docs.gitea.io/en-us/administration/config-cheat-sheet/>
 { config, pkgs, lib, ... }:
 
 {
@@ -10,9 +11,6 @@
   services.gitea.database.type = "postgres";
   services.gitea.database.user = "git";
   services.gitea.appName = "Perfectly Sane Git";
-  services.gitea.domain = "git.uninsane.org";
-  services.gitea.rootUrl = "https://git.uninsane.org/";
-  services.gitea.settings.session.COOKIE_SECURE = true;
   # services.gitea.disableRegistration = true;
 
   # gitea doesn't create the git user
@@ -27,9 +25,13 @@
   };
 
   services.gitea.settings = {
+    # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
+    log.LEVEL = "Warn";
     server = {
       # options: "home", "explore", "organizations", "login" or URL fragment (or full URL)
       LANDING_PAGE = "explore";
+      DOMAIN = "git.uninsane.org";
+      ROOT_URL = "https://git.uninsane.org/";
     };
     service = {
       # timeout for email approval. 5760 = 4 days
@@ -44,6 +46,7 @@
       ENABLE_CAPTCHA = true;
       NOREPLY_ADDRESS = "noreply.anonymous.git@uninsane.org";
     };
+    session.COOKIE_SECURE = true;
     repository = {
       DEFAULT_BRANCH = "master";
     };
@@ -58,6 +61,8 @@
     };
     #"ui.meta" = ... to customize html author/description/etc
     mailer = {
+      # alternative is to use nixos-level config:
+      # services.gitea.mailerPasswordFile = ...
       ENABLED = true;
       MAILER_TYPE = "sendmail";
       FROM = "notify.git@uninsane.org";
@@ -69,8 +74,6 @@
       FORMAT = "RFC3339";
     };
   };
-  # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
-  services.gitea.settings.log.LEVEL = "Warn";
 
   systemd.services.gitea.serviceConfig = {
     # nix default is AF_UNIX AF_INET AF_INET6.
@@ -95,5 +98,12 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."git" = "native";
+
+  sane.ports.ports."22" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-git@git.uninsane.org";
+  };
 }

hosts/by-name/servo/services/goaccess.nix

@@ -64,5 +64,5 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."sink" = "native";
 }

hosts/by-name/servo/services/ipfs.nix

@@ -34,7 +34,7 @@ lib.mkIf false # i don't actively use ipfs anymore
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."ipfs" = "native";
 
   # services.ipfs.enable = true;
   services.kubo.localDiscovery = true;

hosts/by-name/servo/services/jackett.nix

@@ -24,9 +24,10 @@
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9117";
       proxyPass = "http://10.0.1.6:9117";
+      recommendedProxySettings = true;
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
 }
 

hosts/by-name/servo/services/jellyfin.nix

@@ -16,17 +16,30 @@
 { config, lib, ... }:
 
 {
-  # identical to:
-  # services.jellyfin.openFirewall = true;
-  networking.firewall.allowedUDPPorts = [
-    # https://jellyfin.org/docs/general/networking/index.html
-    1900  # UPnP service discovery
-    7359  # Jellyfin-specific (?) client discovery
-  ];
-  networking.firewall.allowedTCPPorts = [
-    8096  # HTTP (for the LAN)
-    8920  # HTTPS (for the LAN)
-  ];
+  # https://jellyfin.org/docs/general/networking/index.html
+  sane.ports.ports."1900" = {
+    protocol = [ "udp" ];
+    visibleTo.lan = true;
+    description = "colin-upnp-for-jellyfin";
+  };
+  sane.ports.ports."7359" = {
+    protocol = [ "udp" ];
+    visibleTo.lan = true;
+    description = "colin-jellyfin-specific-client-discovery";
+    # ^ not sure if this is necessary: copied this port from nixos jellyfin.openFirewall
+  };
+  # not sure if 8096/8920 get used either:
+  sane.ports.ports."8096" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    description = "colin-jellyfin-http-lan";
+  };
+  sane.ports.ports."8920" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    description = "colin-jellyfin-https-lan";
+  };
+
   sane.persist.sys.plaintext = [
     { user = "jellyfin"; group = "jellyfin"; mode = "0700"; directory = "/var/lib/jellyfin"; }
   ];
@@ -108,7 +121,7 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
 
   services.jellyfin.enable = true;
 }

hosts/by-name/servo/services/kiwix-serve.nix

@@ -13,5 +13,5 @@
     locations."/".proxyPass = "http://127.0.0.1:8013";
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."w" = "native";
 }

hosts/by-name/servo/services/komga.nix

@@ -18,5 +18,5 @@ in
       proxyPass = "http://127.0.0.1:${builtins.toString port}";
     };
   };
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."komga" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."komga" = "native";
 }

hosts/by-name/servo/services/lemmy.nix

@@ -1,3 +1,8 @@
+# docs:
+# - <repo:LemmyNet/lemmy:docker/federation/nginx.conf>
+# - <repo:LemmyNet/lemmy:docker/nginx.conf>
+# - <repo:LemmyNet/lemmy-ansible:templates/nginx.conf>
+
 { config, lib, ... }:
 let
   inherit (builtins) toString;
@@ -9,11 +14,13 @@ in {
   services.lemmy = {
     enable = true;
     settings.hostname = "lemmy.uninsane.org";
-    settings.options.federation.enabled = true;
-    settings.options.port = backendPort;
-    # settings.database.host = "localhost";
+    # federation.debug forces outbound federation queries to be run synchronously
+    # N.B.: this option might not be read for 0.17.0+? <https://github.com/LemmyNet/lemmy/blob/c32585b03429f0f76d1e4ff738786321a0a9df98/RELEASES.md#upgrade-instructions>
+    # settings.federation.debug = true;
+    settings.port = backendPort;
     ui.port = uiPort;
     database.createLocally = true;
+    nginx.enable = true;
   };
 
   systemd.services.lemmy.serviceConfig = {
@@ -21,7 +28,21 @@ in {
     DynamicUser = mkForce false;
     User = "lemmy";
     Group = "lemmy";
-    Environment = [ "RUST_BACKTRACE=full" ];
+  };
+  systemd.services.lemmy.environment = {
+    RUST_BACKTRACE = "full";
+    # RUST_LOG = "debug";
+    # RUST_LOG = "trace";
+    # upstream defaults LEMMY_DATABASE_URL = "postgres:///lemmy?host=/run/postgresql";
+    # - Postgres complains that we didn't specify a user
+    # lemmy formats the url as:
+    # - postgres://{user}:{password}@{host}:{port}/{database}
+    # SO suggests (https://stackoverflow.com/questions/3582552/what-is-the-format-for-the-postgresql-connection-string-url):
+    # - postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]
+    # LEMMY_DATABASE_URL = "postgres://lemmy@/run/postgresql";  # connection to server on socket "/run/postgresql/.s.PGSQL.5432" failed: FATAL:  database "run/postgresql" does not exist
+    # LEMMY_DATABASE_URL = "postgres://lemmy?host=/run/postgresql";  # no PostgreSQL user name specified in startup packet
+    # LEMMY_DATABASE_URL = mkForce "postgres://lemmy@?host=/run/postgresql";  # WORKS
+    LEMMY_DATABASE_URL = mkForce "postgres://lemmy@/lemmy?host=/run/postgresql";
   };
   users.groups.lemmy = {};
   users.users.lemmy = {
@@ -32,29 +53,7 @@ in {
   services.nginx.virtualHosts."lemmy.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
-    locations = let
-      ui = "http://127.0.0.1:${toString uiPort}";
-      backend = "http://127.0.0.1:${toString backendPort}";
-    in {
-      # see <LemmyNet/lemmy:docker/federation/nginx.conf>
-      "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = {
-        extraConfig = ''
-          set $proxpass ${ui};
-          if ($http_accept = "application/activity+json") {
-            set $proxpass ${backend};
-          }
-          if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
-            set $proxpass ${backend};
-          }
-
-          # Cuts off the trailing slash on URLs to make them valid
-          rewrite ^(.+)/+$ $1 permanent;
-        '';
-        proxyPass = "$proxpass";
-      };
-      "/".proxyPass = ui;
-    };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";
 }

hosts/by-name/servo/services/matrix/default.nix

@@ -1,5 +1,6 @@
-# docs: https://nixos.wiki/wiki/Matrix
-# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
+# docs: <https://nixos.wiki/wiki/Matrix>
+# docs: <https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse>
+# example config: <https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml>
 { config, lib, pkgs, ... }:
 
 {
@@ -41,11 +42,14 @@
     }
   ];
 
+  services.matrix-synapse.settings.x_forwarded = true;  # because we proxy matrix behind nginx
+  services.matrix-synapse.settings.max_upload_size = "100M";  # default is "50M"
+
   services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
   services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
 
   services.matrix-synapse.extraConfigFiles = [
-    config.sops.secrets.matrix_synapse_secrets.path
+    config.sops.secrets."matrix_synapse_secrets.yaml".path
   ];
 
   # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
@@ -94,6 +98,10 @@
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:8008";
+      extraConfig = ''
+        # allow uploading large files (matrix enforces a separate limit, downstream)
+        client_max_body_size  512m;
+      '';
     };
     # redirect browsers to the web client.
     # i don't think native matrix clients ever fetch the root.
@@ -124,13 +132,13 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet = {
+  sane.dns.zones."uninsane.org".inet = {
     CNAME."matrix" = "native";
     CNAME."web.matrix" = "native";
   };
 
 
-  sops.secrets."matrix_synapse_secrets" = {
+  sops.secrets."matrix_synapse_secrets.yaml" = {
     owner = config.users.users.matrix-synapse.name;
   };
 }

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -1,4 +1,9 @@
 { lib, ... }:
+
+# XXX mx-discord-puppet uses nodejs_14 which is EOL
+# - mx-discord-puppet is abandoned upstream _and_ in nixpkgs
+# - recommended to use mautrix-discord: <https://github.com/NixOS/nixpkgs/pull/200462>
+lib.mkIf false
 {
   sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }

hosts/by-name/servo/services/matrix/irc.nix

@@ -5,12 +5,11 @@
 { config, lib, ... }:
 
 let
-  ircServer = { name, additionalAddresses ? [], sasl ? true }: let
+  ircServer = { name, additionalAddresses ? [], sasl ? true, port ? 6697 }: let
     lowerName = lib.toLower name;
   in {
     # XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
-    inherit name additionalAddresses sasl;
-    port = 6697;
+    inherit name additionalAddresses sasl port;
     ssl = true;
     botConfig = {
       # bot has no presence in IRC channel; only real Matrix users
@@ -108,11 +107,16 @@ in
     { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; directory = "/var/lib/matrix-appservice-irc"; }
   ];
 
+  # XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,
+  # which requires matrix-appservice-irc to be of that group
+  users.users.matrix-appservice-irc.extraGroups = [ "matrix-synapse" ];
+  # weird race conditions around registration.yml mean we want matrix-synapse to be of matrix-appservice-irc group too.
+  users.users.matrix-synapse.extraGroups = [ "matrix-appservice-irc" ];
+
   services.matrix-synapse.settings.app_service_config_files = [
     "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
   ];
 
-  # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
   services.matrix-appservice-irc.enable = true;
   services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
   services.matrix-appservice-irc.settings = {
@@ -127,13 +131,38 @@ in
 
     ircService = {
       servers = {
-        "irc.rizon.net" = ircServer { name = "Rizon"; };
+        "irc.esper.net" = ircServer {
+          name = "esper";
+          sasl = false;
+          # notable channels:
+          # - #merveilles
+        };
+        "irc.libera.chat" = ircServer {
+          name = "libera";
+          sasl = false;
+          # notable channels:
+          # - #hare
+        };
         "irc.myanonamouse.net" = ircServer {
           name = "MyAnonamouse";
           additionalAddresses = [ "irc2.myanonamouse.net" ];
           sasl = false;
         };
+        "irc.oftc.net" = ircServer {
+          name = "oftc";
+          sasl = false;
+          # notable channels:
+          # - #sxmo
+          # - #sxmo-offtopic
+        };
+        "irc.rizon.net" = ircServer { name = "Rizon"; };
       };
     };
   };
+
+  systemd.services.matrix-appservice-irc.serviceConfig = {
+    # XXX 2023/06/20: nixos specifies this + @aio and @memlock as forbidden
+    # the service actively uses at least one of these, and both of them are fairly innocuous
+    SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @setuid @swap";
+  };
 }

hosts/by-name/servo/services/navidrome.nix

@@ -36,5 +36,5 @@
     locations."/".proxyPass = "http://127.0.0.1:4533";
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."music" = "native";
 }

hosts/by-name/servo/services/nfs.nix

@@ -0,0 +1,67 @@
+# docs:
+# - <https://nixos.wiki/wiki/NFS>
+# - <https://wiki.gentoo.org/wiki/Nfs-utils>
+
+{ ... }:
+{
+  services.nfs.server.enable = true;
+
+  # see which ports NFS uses with:
+  # - `rpcinfo -p`
+  sane.ports.ports."111" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server portmapper";
+  };
+  sane.ports.ports."2049" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    description = "NFS server";
+  };
+  sane.ports.ports."4000" = {
+    protocol = [ "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server status daemon";
+  };
+  sane.ports.ports."4001" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server lock daemon";
+  };
+  sane.ports.ports."4002" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server mount daemon";
+  };
+
+  # NFS4 allows these to float, but NFS3 mandates specific ports, so fix them for backwards compat.
+  services.nfs.server.lockdPort = 4001;
+  services.nfs.server.mountdPort = 4002;
+  services.nfs.server.statdPort = 4000;
+
+  # format:
+  #   fspoint	visibility(options)
+  # options:
+  # - see: <https://wiki.gentoo.org/wiki/Nfs-utils#Exports>
+  # - see [man 5 exports](https://linux.die.net/man/5/exports)
+  # - insecure:  require clients use src port > 1024
+  # - rw, ro (default)
+  # - async, sync (default)
+  # - no_subtree_check (default), subtree_check: verify not just that files requested by the client live
+  #     in the expected fs, but also that they live under whatever subdirectory of that fs is exported.
+  # - no_root_squash, root_squash (default): map requests from uid 0 to user `nobody`.
+  # - crossmnt:  reveal filesystems that are mounted under this endpoint
+  # - fsid:  must be zero for the root export
+  # - mountpoint[=/path]:  only export the directory if it's a mountpoint. used to avoid exporting failed mounts.
+  #
+  # 10.0.0.0/8 to export (readonly) both to LAN (unencrypted) and wg vpn (encrypted)
+  services.nfs.server.exports = ''
+    /var/nfs/export 10.78.79.0/22(ro,crossmnt,fsid=0,subtree_check) 10.0.10.0/24(rw,no_root_squash,crossmnt,fsid=0,subtree_check)
+  '';
+
+  fileSystems."/var/nfs/export/media" = {
+    # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
+    device = "/var/lib/uninsane/media";
+    options = [ "rbind" ];
+  };
+}

hosts/by-name/servo/services/nginx.nix

@@ -13,7 +13,19 @@ let
 in
 {
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  sane.ports.ports."80" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    visibleTo.ovpn = true;  # so that letsencrypt can procure a cert for the mx record
+    description = "colin-http-uninsane.org";
+  };
+  sane.ports.ports."443" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-https-uninsane.org";
+  };
 
   services.nginx.enable = true;
   services.nginx.appendConfig = ''

hosts/by-name/servo/services/nixserve.nix

@@ -14,8 +14,8 @@
     '';
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
 
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../../../secrets/servo.yaml;
+  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
 }

hosts/by-name/servo/services/pict-rs.nix

@@ -0,0 +1,23 @@
+# pict-rs is an image database/store used by Lemmy.
+# i don't explicitly activate it here -- just adjust its defaults to be a bit friendlier
+{ config, lib, ... }:
+let
+  cfg = config.services.pict-rs;
+in
+{
+  sane.persist.sys.plaintext = lib.mkIf cfg.enable [
+    { user = "pict-rs"; group = "pict-rs"; directory = cfg.dataDir; }
+  ];
+
+  systemd.services.pict-rs.serviceConfig = {
+    # fix to use a normal user so we can configure perms correctly
+    DynamicUser = lib.mkForce false;
+    User = "pict-rs";
+    Group = "pict-rs";
+  };
+  users.groups.pict-rs = {};
+  users.users.pict-rs = {
+    group = "pict-rs";
+    isSystemUser = true;
+  };
+}

hosts/by-name/servo/services/pleroma.nix

@@ -3,6 +3,8 @@
 # - https://docs.pleroma.social/backend/configuration/cheatsheet/
 #
 # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
+#
+# admin frontend: <https://fed.uninsane.org/pleroma/admin>
 { config, pkgs, ... }:
 
 {
@@ -100,6 +102,8 @@
     #  level: :debug
 
     # XXX colin: not sure if this actually _does_ anything
+    # better to steal emoji from other instances?
+    # - <https://docs.pleroma.social/backend/configuration/cheatsheet/#mrf_steal_emoji>
     config :pleroma, :emoji,
       shortcode_globs: ["/emoji/**/*.png"],
       groups: [
@@ -182,7 +186,7 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."fed" = "native";
 
   sops.secrets."pleroma_secrets" = {
     owner = config.users.users.pleroma.name;

hosts/by-name/servo/services/prosody.nix

@@ -12,12 +12,29 @@ lib.mkIf false
   sane.persist.sys.plaintext = [
     { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
   ];
-  networking.firewall.allowedTCPPorts = [
-    5222  # XMPP client -> server
-    5269  # XMPP server -> server
-    5280  # bosh
-    5281  # Prosody HTTPS port  (necessary?)
-  ];
+  sane.ports.ports."5222" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-client-to-server";
+  };
+  sane.ports.ports."5269" = {
+    protocol = [ "tcp" ];
+    visibleTo.wan = true;
+    description = "colin-xmpp-server-to-server";
+  };
+  sane.ports.ports."5280" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-bosh";
+  };
+  sane.ports.ports."5281" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-prosody-https";  # necessary?
+  };
 
   # provide access to certs
   users.users.prosody.extraGroups = [ "nginx" ];

hosts/by-name/servo/services/transmission.nix

@@ -27,7 +27,7 @@
     # units in kBps
     speed-limit-down = 3000;
     speed-limit-down-enabled = true;
-    speed-limit-up = 300;
+    speed-limit-up = 600;
     speed-limit-up-enabled = true;
 
     # see: https://git.zknt.org/mirror/transmission/commit/cfce6e2e3a9b9d31a9dafedd0bdc8bf2cdb6e876?lang=bg-BG
@@ -75,6 +75,6 @@
     };
   };
 
-  sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = "native";
+  sane.dns.zones."uninsane.org".inet.CNAME."bt" = "native";
 }
 

hosts/by-name/servo/services/trust-dns.nix

@@ -1,17 +1,25 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 {
   sane.services.trust-dns.enable = true;
 
-  sane.services.trust-dns.listenAddrsIPv4 = [
+  sane.services.trust-dns.settings.listen_addrs_ipv4 = [
     # specify each address explicitly, instead of using "*".
     # this ensures responses are sent from the address at which the request was received.
     config.sane.hosts.by-name."servo".lan-ip
     "10.0.1.5"
   ];
   sane.services.trust-dns.quiet = true;
+  # sane.services.trust-dns.debug = true;
 
-  sane.services.trust-dns.zones."uninsane.org".TTL = 900;
+  sane.ports.ports."53" = {
+    protocol = [ "udp" "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-dns-hosting";
+  };
+
+  sane.dns.zones."uninsane.org".TTL = 900;
 
   # SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
   # SOA MNAME RNAME (... rest)
@@ -21,7 +29,7 @@
   # Refresh = how frequently secondary NS should query master
   # Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
   # Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
-  sane.services.trust-dns.zones."uninsane.org".inet = {
+  sane.dns.zones."uninsane.org".inet = {
     SOA."@" = ''
       ns1.uninsane.org. admin-dns.uninsane.org. (
                                       2022122101 ; Serial
@@ -30,17 +38,20 @@
                                       7d         ; Expire
                                       5m)        ; Negative response TTL
     '';
-    TXT."rev" = "2022122101";
+    TXT."rev" = "2023052901";
+
+    CNAME."native" = "%CNAMENATIVE%";
+    A."@" =      "%ANATIVE%";
+    A."wan" = "%AWAN%";
+    A."servo.lan" = config.sane.hosts.by-name."servo".lan-ip;
 
     # XXX NS records must also not be CNAME
     # it's best that we keep this identical, or a superset of, what org. lists as our NS.
     # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
-    A."ns1" =    "%NATIVE%";
+    A."ns1" =    "%ANATIVE%";
     A."ns2" =    "185.157.162.178";
     A."ns3" =    "185.157.162.178";
     A."ovpns" =  "185.157.162.178";
-    A."native" = "%NATIVE%";
-    A."@" =      "%NATIVE%";
     NS."@" = [
       "ns1.uninsane.org."
       "ns2.uninsane.org."
@@ -48,20 +59,73 @@
     ];
   };
 
-  sane.services.trust-dns.zones."uninsane.org".file =
-    "/var/lib/trust-dns/uninsane.org.zone";
+  # we need trust-dns to load our zone by relative path instead of /nix/store path
+  # because we generate it at runtime.
+  sane.services.trust-dns.settings.zones = [
+    {
+      zone = "uninsane.org";
+    }
+  ];
 
-  systemd.services.trust-dns.preStart = let
-    sed = "${pkgs.gnused}/bin/sed";
-    zone-dir = "/var/lib/trust-dns";
-    zone-out = "${zone-dir}/uninsane.org.zone";
-    zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.services.trust-dns.generatedZones."uninsane.org";
-  in ''
-    # make WAN records available to trust-dns
-    mkdir -p ${zone-dir}
-    ip=$(cat '${config.sane.services.dyn-dns.ipPath}')
-    ${sed} s/%NATIVE%/$ip/ ${zone-template} > ${zone-out}
-  '';
+  sane.services.trust-dns.package =
+    let
+      sed = "${pkgs.gnused}/bin/sed";
+      zone-dir = "/var/lib/trust-dns";
+      zone-wan = "${zone-dir}/wan/uninsane.org.zone";
+      zone-lan = "${zone-dir}/lan/uninsane.org.zone";
+      zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.dns.zones."uninsane.org".rendered;
+    in pkgs.writeShellScriptBin "named" ''
+      # compute wan/lan values
+      mkdir -p ${zone-dir}/{ovpn,wan,lan}
+      wan=$(cat '${config.sane.services.dyn-dns.ipPath}')
+      lan=${config.sane.hosts.by-name."servo".lan-ip}
+
+      # create specializations that resolve native.uninsane.org to different CNAMEs
+      ${sed} s/%AWAN%/$wan/ ${zone-template} \
+        | ${sed} s/%CNAMENATIVE%/wan/ \
+        | ${sed} s/%ANATIVE%/$wan/ \
+        > ${zone-wan}
+      ${sed} s/%AWAN%/$wan/ ${zone-template} \
+        | ${sed} s/%CNAMENATIVE%/servo.lan/ \
+        | ${sed} s/%ANATIVE%/$lan/ \
+        > ${zone-lan}
+
+      # launch the different interfaces, separately
+      ${pkgs.trust-dns}/bin/named --port 53 --zonedir ${zone-dir}/wan/ $@ &
+      WANPID=$!
+      ${pkgs.trust-dns}/bin/named --port 1053 --zonedir ${zone-dir}/lan/ $@ &
+      LANPID=$!
+
+      # wait until any of the processes exits, then kill them all and exit error
+      while kill -0 $WANPID $LANPID ; do
+        sleep 5
+      done
+      kill $WANPID $LANPID
+      exit 1
+    '';
 
   sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
+
+  networking.nat.enable = true;
+  networking.nat.extraCommands = ''
+    # redirect incoming DNS requests from LAN addresses
+    #   to the LAN-specialized DNS service
+    # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
+    #   because they get cleanly reset across activations or `systemctl restart firewall`
+    #   instead of accumulating cruft
+    iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
+      -m iprange --src-range 10.78.76.0-10.78.79.255 \
+      -j DNAT --to-destination :1053
+    iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
+      -m iprange --src-range 10.78.76.0-10.78.79.255 \
+      -j DNAT --to-destination :1053
+  '';
+
+  sane.ports.ports."1053" = {
+    # because the NAT above redirects in nixos-nat-pre, LAN requests behave as though they arrived on the external interface at the redirected port.
+    # TODO: try nixos-nat-post instead?
+    protocol = [ "udp" "tcp" ];
+    visibleTo.lan = true;
+    description = "colin-redirected-dns-for-lan-namespace";
+  };
 }

hosts/common/default.nix

@@ -1,20 +1,19 @@
 { lib, pkgs, ... }:
 {
   imports = [
-    ./cross
     ./feeds.nix
     ./fs.nix
     ./hardware.nix
     ./home
-    ./i2p.nix
     ./ids.nix
     ./machine-id.nix
     ./net.nix
+    ./nix-path
     ./persist.nix
     ./programs
     ./secrets.nix
     ./ssh.nix
-    ./users.nix
+    ./users
     ./vpn.nix
   ];
 
@@ -28,6 +27,7 @@
   sane.fs."/var/lib/private".dir.acl.mode = "0700";
 
   nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.allowBroken = true;  # NIXPKGS_ALLOW_BROKEN
 
   # time.timeZone = "America/Los_Angeles";
   time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
@@ -37,17 +37,30 @@
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
-  # allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages
-  nix.nixPath = [
-    "nixpkgs=${pkgs.path}"
-    "nixpkgs-overlays=${../..}/overlays"
-  ];
   # hardlinks identical files in the nix store to save 25-35% disk space.
   # unclear _when_ this occurs. it's not a service.
   # does the daemon continually scan the nix store?
   # does the builder use some content-addressed db to efficiently dedupe?
   nix.settings.auto-optimise-store = true;
 
+  systemd.services.nix-daemon.serviceConfig = {
+    # the nix-daemon manages nix builders
+    # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
+    # see:
+    # - nixos PR that enabled systemd-oomd: <https://github.com/NixOS/nixpkgs/pull/169613>
+    # - systemd's docs on these properties: <https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill>
+    #
+    # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
+    # see `man oomd.conf` for further tunables that may help.
+    #
+    # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
+    # TODO: also apply this to the guest user's slice (user-1100.slice)
+    # TODO: also apply this to distccd
+    ManagedOOMMemoryPressure = "kill";
+    ManagedOOMSwap = "kill";
+  };
+
+  # TODO: move this to gui machines only
   fonts = {
     enableDefaultFonts = true;
     fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
@@ -76,19 +89,6 @@
   # disable non-required packages like nano, perl, rsync, strace
   environment.defaultPackages = [];
 
-  # programs.vim.defaultEditor = true;
-  environment.variables = {
-    EDITOR = "vim";
-    # git claims it should use EDITOR, but it doesn't!
-    GIT_EDITOR = "vim";
-    # TODO: these should be moved to `home.sessionVariables` (home-manager)
-    # Electron apps should use native wayland backend:
-    #   https://nixos.wiki/wiki/Slack#Wayland
-    # Discord under sway crashes with this.
-    # NIXOS_OZONE_WL = "1";
-    # LIBGL_ALWAYS_SOFTWARE = "1";
-  };
-
   # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
   # find keys/values with `dconf dump /`
   programs.dconf.enable = true;

hosts/common/feeds.nix

@@ -1,3 +1,6 @@
+# where to find good stuff?
+# - podcast rec thread: <https://lemmy.ml/post/1565858>
+#
 # candidates:
 # - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
 #   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
@@ -65,7 +68,7 @@ let
     ## Maggie Killjoy -- referenced by Cory Doctorow
     (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)
     (fromDb "congressionaldish.libsyn.com" // pol)
-    (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
+    # (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
     ## Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
     ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
@@ -76,15 +79,17 @@ let
     ## Multidisciplinary Association for Psychedelic Studies
     (fromDb "mapspodcast.libsyn.com" // uncat)
     (fromDb "allinchamathjason.libsyn.com" // pol)
-    (fromDb "acquired.libsyn.com" // tech)
+    (fromDb "feeds.transistor.fm/acquired" // tech)
     ## ACQ2 - more "Acquired" episodes
     (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)
-    # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
-    (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
+    # The Intercept - Deconstructed
+    (fromDb "rss.acast.com/deconstructed")
+    # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
     ## The Daily
     (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
-    # The Intercept - Intercepted; also available: <https://rss.acast.com/intercepted-with-jeremy-scahill>
-    (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)
+    # The Intercept - Intercepted
+    (fromDb "rss.acast.com/intercepted-with-jeremy-scahill")
+    # (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)  #< possible URL rot
     (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
     ## Eric Weinstein
     (fromDb "rss.art19.com/the-portal" // rat)
@@ -102,6 +107,8 @@ let
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)
     ## Matrix (chat) Live
     (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
+    (fromDb "cast.postmarketos.org" // tech)
+    (fromDb "podcast.thelinuxexp.com" // tech)
     ## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     (fromDb "rss.art19.com/your-welcome" // pol)
     (fromDb "seattlenice.buzzsprout.com" // pol)
@@ -125,7 +132,9 @@ let
     (fromDb "profectusmag.com" // uncat)
     (fromDb "semiaccurate.com" // tech)
     (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
+    (fromDb "tuxphones.com" // tech)
     (fromDb "spectrum.ieee.org" // tech)
+    (fromDb "theregister.com" // tech)
     (fromDb "thisweek.gnome.org" // tech)
     # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
     (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)
@@ -142,7 +151,7 @@ let
     (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
     (fromDb "xn--gckvb8fzb.com" // tech)
     (fromDb "mg.lol" // tech)
-    (fromDb "drewdevault.com" // tech)
+    # (fromDb "drewdevault.com" // tech)
     ## Ken Shirriff
     (fromDb "righto.com" // tech)
     ## shared blog by a few NixOS devs, notably onny
@@ -189,6 +198,7 @@ let
     (fromDb "stpeter.im/atom.xml" // pol)
     ## Peter Saint-Andre -- side project of stpeter.im
     (fromDb "philosopher.coach" // rat)
+    (fromDb "morningbrew.com/feed" // pol)
 
     # RATIONALITY/PHILOSOPHY/ETC
     (mkSubstack "samkriss" // humor // infrequent)
@@ -207,6 +217,8 @@ let
     (fromDb "sideways-view.com" // rat)
     ## Sean Carroll
     (fromDb "preposterousuniverse.com" // rat)
+    (mkSubstack "eliqian" // rat // weekly)
+    (mkText "https://acoup.blog/feed" // rat // weekly)
 
     ## mostly dating topics. not advice, or humor, but looking through a social lens
     (fromDb "putanumonit.com" // rat)

hosts/common/fs.nix

@@ -1,72 +1,131 @@
-{ pkgs, ... }:
+# docs
+# - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
 
-let sshOpts = rec {
-  fsType = "fuse.sshfs";
-  optionsBase = [
-    "x-systemd.automount"
+{ pkgs, sane-lib, ... }:
+
+let fsOpts = rec {
+  common = [
     "_netdev"
-    "user"
+    "noatime"
+    "user"  # allow any user with access to the device to mount the fs
+    "x-systemd.requires=network-online.target"
+    "x-systemd.after=network-online.target"
+    "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
+  ];
+  auto = [ "x-systemd.automount" ];
+  noauto = [ "noauto" ];  # don't mount as part of remote-fs.target
+  wg = [
+    "x-systemd.requires=wireguard-wg-home.service"
+    "x-systemd.after=wireguard-wg-home.service"
+  ];
+
+  ssh = common ++ [
     "identityfile=/home/colin/.ssh/id_ed25519"
     "allow_other"
     "default_permissions"
   ];
-  optionsColin = optionsBase ++ [
+  sshColin = ssh ++ [
     "transform_symlinks"
     "idmap=user"
     "uid=1000"
     "gid=100"
   ];
-
-  optionsRoot = optionsBase ++ [
+  sshRoot = ssh ++ [
     # we don't transform_symlinks because that breaks the validity of remote /nix stores
     "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
   ];
+  # in the event of hunt NFS mounts, consider:
+  # - <https://unix.stackexchange.com/questions/31979/stop-broken-nfs-mounts-from-locking-a-directory>
+
+  # NFS options: <https://linux.die.net/man/5/nfs>
+  # actimeo=n  = how long (in seconds) to cache file/dir attributes (default: 3-60s)
+  # bg         = retry failed mounts in the background
+  # retry=n    = for how many minutes `mount` will retry NFS mount operation
+  # soft       = on "major timeout", report I/O error to userspace
+  # retrans=n  = how many times to retry a NFS request before giving userspace a "server not responding" error (default: 3)
+  # timeo=n    = number of *deciseconds* to wait for a response before retrying it (default: 600)
+  #              note: client uses a linear backup, so the second request will have double this timeout, then triple, etc.
+  nfs = common ++ [
+    # "actimeo=10"
+    "bg"
+    "retrans=4"
+    "retry=0"
+    "soft"
+    "timeo=15"
+    "nofail"  # don't fail remote-fs.target when this mount fails  (not an option for sshfs else would be common)
+  ];
 };
 in
 {
+  # fileSystems."/mnt/servo-nfs" = {
+  #   device = "servo-hn:/";
+  #   noCheck = true;
+  #   fsType = "nfs";
+  #   options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+  # };
+  fileSystems."/mnt/servo-nfs/media" = {
+    device = "servo-hn:/media";
+    noCheck = true;
+    fsType = "nfs";
+    options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+  };
+  # fileSystems."/mnt/servo-media-nfs" = {
+  #   device = "servo-hn:/media";
+  #   noCheck = true;
+  #   fsType = "nfs";
+  #   options = fsOpts.common ++ fsOpts.auto;
+  # };
+  sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
+
+  fileSystems."/mnt/servo-media-wan" = {
+    device = "colin@uninsane.org:/var/lib/uninsane/media";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshColin ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/servo-media-wan" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/servo-media-lan" = {
+    device = "colin@servo:/var/lib/uninsane/media";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshColin ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/servo-media-lan" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/servo-root-wan" = {
+    device = "colin@uninsane.org:/";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshRoot ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/servo-root-wan" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/servo-root-lan" = {
+    device = "colin@servo:/";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshRoot ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/servo-root-lan" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/desko-home" = {
+    device = "colin@desko:/home/colin";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshColin ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/desko-home" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/desko-root" = {
+    device = "colin@desko:/";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshRoot ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/desko-root" = sane-lib.fs.wantedDir;
+
   environment.pathsToLink = [
     # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
     # we can only link whole directories here, even though we're only interested in pkgs.openssh
     "/libexec"
   ];
 
-  fileSystems."/mnt/servo-media-wan" = {
-    device = "colin@uninsane.org:/var/lib/uninsane/media";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsColin;
-    noCheck = true;
-  };
-  fileSystems."/mnt/servo-media-lan" = {
-    device = "colin@servo:/var/lib/uninsane/media";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsColin;
-    noCheck = true;
-  };
-  fileSystems."/mnt/servo-root-wan" = {
-    device = "colin@uninsane.org:/";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsRoot;
-    noCheck = true;
-  };
-  fileSystems."/mnt/servo-root-lan" = {
-    device = "colin@servo:/";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsRoot;
-    noCheck = true;
-  };
-  fileSystems."/mnt/desko-home" = {
-    device = "colin@desko:/home/colin";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsColin;
-    noCheck = true;
-  };
-  fileSystems."/mnt/desko-root" = {
-    device = "colin@desko:/";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsRoot;
-    noCheck = true;
-  };
-
   environment.systemPackages = [
     pkgs.sshfs-fuse
   ];

hosts/common/hardware.nix

@@ -28,6 +28,11 @@
   # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
   powerManagement.powertop.enable = false;
 
+  services.logind.extraConfig = ''
+    # don’t shutdown when power button is short-pressed
+    HandlePowerKey=ignore
+  '';
+
   # services.snapper.configs = {
   #   root = {
   #     subvolume = "/";

hosts/common/home/keyring.nix

@@ -7,5 +7,6 @@
     generated.script.script = builtins.readFile ../../../scripts/init-keyring;
     # TODO: is this `wantedBy` needed? can we inherit it?
     wantedBy = [ config.sane.fs."/home/colin/private".unit ];
+    wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
   };
 }

hosts/common/home/mime.nix

@@ -1,13 +1,15 @@
 { config, sane-lib, ...}:
 
 let
-  www = config.sane.web-browser.browser.desktop;
+  # TODO: should move all of this into `sane.programs` to not ship broken associations
+  www = config.sane.programs.web-browser.config.browser.desktop;
   pdf = "org.gnome.Evince.desktop";
   md = "obsidian.desktop";
   thumb = "org.gnome.gThumb.desktop";
   video = "vlc.desktop";
   # audio = "mpv.desktop";
   audio = "vlc.desktop";
+  email = "aerc.desktop";
 in
 {
 
@@ -28,6 +30,7 @@ in
     # VIDEO
     "video/mp4" = video;
     "video/quicktime" = video;
+    "video/webm" = video;
     "video/x-matroska" = video;
     # HTML
     "text/html" = www;
@@ -38,5 +41,6 @@ in
     # RICH-TEXT DOCUMENTS
     "application/pdf" = pdf;
     "text/markdown" = md;
+    "x-scheme-handler/mailto" = email;
   };
 }

hosts/common/i2p.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-  services.i2p.enable = true;
-}

hosts/common/ids.nix

@@ -38,6 +38,10 @@
   sane.ids.komga.gid = 2407;
   sane.ids.lemmy.uid = 2408;
   sane.ids.lemmy.gid = 2408;
+  sane.ids.pict-rs.uid = 2409;
+  sane.ids.pict-rs.gid = 2409;
+  sane.ids.sftpgo.uid = 2410;
+  sane.ids.sftpgo.gid = 2410;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;
@@ -51,6 +55,7 @@
   sane.ids.nscd.gid = 2004;
   sane.ids.systemd-oom.uid = 2005;
   sane.ids.systemd-oom.gid = 2005;
+  sane.ids.wireshark.gid = 2006;
 
   # found on graphical hosts
   sane.ids.nm-iodine.uid = 2101;  # desko/moby/lappy

hosts/common/net.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, ... }:
 
 {
   # the default backend is "wpa_supplicant".
@@ -20,4 +20,22 @@
     General.RoamThreshold = "-52";  # default -70
     General.RoamThreshold5G = "-52";  # default -76
   };
+
+  # plugins mostly add support for establishing different VPN connections.
+  # the default plugin set includes mostly proprietary VPNs:
+  # - fortisslvpn (Fortinet)
+  # - iodine (DNS tunnels)
+  # - l2tp
+  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
+  # - openvpn
+  # - vpnc (Cisco VPN)
+  # - sstp
+  #
+  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
+  # e.g. openconnect drags in webkitgtk (for SSO)!
+  networking.networkmanager.plugins = lib.mkForce [];
+
+  networking.firewall.allowedUDPPorts = [
+    1900  # to received UPnP advertisements. required by sane-ip-check-upnp
+  ];
 }

hosts/common/nix-path/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+  # allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages
+  nix.nixPath = [
+    "nixpkgs=${pkgs.path}"
+    # note the import starts at repo root: this allows `./overlay/default.nix` to access the stuff at the root
+    # "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
+    # as long as my system itself doesn't rely on NIXPKGS at runtime, we can point the overlays to git
+    # to avoid switching so much during development
+    "nixpkgs-overlays=/home/colin/dev/nixos/hosts/common/nix-path/overlay"
+  ];
+}

hosts/common/nix-path/overlay/default.nix

@@ -0,0 +1,4 @@
+# XXX: NIX_PATH=...:nixpkgs-overlays=... will import every overlay in the directory
+# so we prefer to give it a directory with just this *one* overlay, otherwise it imports conflicting overlays
+# and gets stuck in a loop until it OOMs
+import ../../../../overlays/all.nix

hosts/common/programs/aerc.nix

@@ -1,6 +1,6 @@
 # Terminal UI mail client
-{ config, sane-lib, ... }:
+{ ... }:
 
 {
-  sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/universal/aerc_accounts.conf.bin;
+  sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
 }

hosts/common/programs/assorted.nix

@@ -0,0 +1,392 @@
+{ lib, pkgs, ... }:
+
+let
+  inherit (builtins) attrNames;
+
+  flattenedPkgs = pkgs // (with pkgs; {
+    # XXX can't `inherit` a nested attr, so we move them to the toplevel
+    "cacert.unbundled" = pkgs.cacert.unbundled;
+    "gnome.cheese" = gnome.cheese;
+    "gnome.dconf-editor" = gnome.dconf-editor;
+    "gnome.file-roller" = gnome.file-roller;
+    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
+    "gnome.gnome-maps" = gnome.gnome-maps;
+    "gnome.nautilus" = gnome.nautilus;
+    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
+    "gnome.gnome-terminal" = gnome.gnome-terminal;
+    "gnome.gnome-weather" = gnome.gnome-weather;
+    "gnome.totem" = gnome.totem;
+    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
+  });
+
+  sysadminPkgs = {
+    inherit (flattenedPkgs)
+      btrfs-progs
+      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      cryptsetup
+      dig
+      efibootmgr
+      fatresize
+      fd
+      file
+      gawk
+      git
+      gptfdisk
+      hdparm
+      htop
+      iftop
+      inetutils  # for telnet
+      iotop
+      iptables
+      jq
+      killall
+      lsof
+      miniupnpc
+      nano
+      neovim
+      netcat
+      nethogs
+      nmap
+      openssl
+      parted
+      pciutils
+      powertop
+      pstree
+      ripgrep
+      screen
+      smartmontools
+      socat
+      strace
+      subversion
+      tcpdump
+      tree
+      usbutils
+      wget
+      wirelesstools  # iwlist
+    ;
+  };
+  sysadminExtraPkgs = {
+    # application-specific packages
+    inherit (pkgs)
+      backblaze-b2
+      duplicity
+      sqlite  # to debug sqlite3 databases
+    ;
+  };
+
+  iphonePkgs = {
+    inherit (pkgs)
+      ifuse
+      ipfs
+      libimobiledevice
+    ;
+  };
+
+  tuiPkgs = {
+    inherit (pkgs)
+      aerc  # email client
+      msmtp  # sendmail
+      offlineimap  # email mailox sync
+      sfeed  # RSS fetcher
+      visidata  # TUI spreadsheet viewer/editor
+      w3m
+    ;
+  };
+
+  consoleMediaPkgs = {
+    inherit (pkgs)
+      ffmpeg
+      imagemagick
+      sox
+      yt-dlp
+    ;
+  };
+  # TODO: split these into smaller groups.
+  # - moby doesn't want a lot of these.
+  # - categories like
+  #   - dev?
+  #   - debugging?
+  consolePkgs = {
+    inherit (pkgs)
+      alsaUtils  # for aplay, speaker-test
+      # cdrtools
+      clinfo
+      dmidecode
+      efivar
+      # flashrom
+      fwupd
+      gh  # MS GitHub cli
+      git  # needed as a user package, for config.
+      # gnupg
+      # gocryptfs
+      # gopass
+      # gopass-jsonapi
+      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
+      libsecret  # for managing user keyrings. TODO: what needs this? lift into the consumer
+      lm_sensors  # for sensors-detect. TODO: what needs this? lift into the consumer
+      lshw
+      # memtester
+      neovim  # needed as a user package, for swap persistence
+      # nettools
+      # networkmanager
+      nix-index
+      nixpkgs-review
+      # nixos-generators
+      nmon
+      # node2nix
+      # oathToolkit  # for oathtool
+      # ponymix
+      pulsemixer
+      python3
+      ripgrep  # needed as a user package so that its user-level config file can be installed
+      rsync
+      # python3Packages.eyeD3  # music tagging
+      sane-scripts
+      sequoia
+      snapper
+      sops
+      speedtest-cli
+      # ssh-to-age
+      sudo
+      # tageditor  # music tagging
+      unar
+      wireguard-tools
+      xdg-terminal-exec
+      xdg-utils  # for xdg-open
+      # yarn
+      zsh
+    ;
+  };
+
+  guiPkgs = {
+    inherit (flattenedPkgs)
+      # celluloid  # mpv frontend
+      cozy  # audiobook player
+      # emote
+      evince  # works on phosh
+
+      # { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
+
+      # foliate  # e-book reader
+
+      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+      # then reboot (so that libsecret daemon re-loads the keyring...?)
+      # { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
+      # { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
+
+      # "gnome.cheese"
+      # gnome-feeds  # RSS reader (with claimed mobile support)
+      "gnome.file-roller"
+      # "gnome.gnome-maps"  # works on phosh
+      "gnome.nautilus"
+      # gnome-podcasts
+      # "gnome.gnome-system-monitor"
+      # "gnome.gnome-terminal"  # works on phosh
+      # "gnome.gnome-weather"
+      gpodder
+      gthumb
+      jellyfin-media-player
+      komikku
+      koreader
+      lemoa  # lemmy app
+      # lollypop
+      mepo  # maps viewer
+      # mpv
+      # networkmanagerapplet
+      # newsflash
+      nheko
+      pavucontrol
+      # picard  # music tagging
+      # "libsForQt5.plasmatube"  # Youtube player
+      soundconverter
+      # sublime-music
+      # tdesktop  # broken on phosh
+      # tokodon
+      tuba  # mastodon/pleroma client (stores pw in keyring)
+      vlc
+      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
+      # whalebird
+      xterm  # broken on phosh
+    ;
+  };
+  desktopGuiPkgs = {
+    inherit (flattenedPkgs)
+      audacity
+      brave  # for the integrated wallet -- as a backup
+      chromium
+      dino
+      electrum
+      element-desktop
+      # font-manager  #< depends on webkitgtk4_0 (expensive to build)
+      gajim  # XMPP client
+      gimp  # broken on phosh
+      "gnome.dconf-editor"
+      "gnome.gnome-disk-utility"
+      # "gnome.totem"  # video player, supposedly supports UPnP
+      handbrake
+      hase
+      inkscape
+      kdenlive
+      kid3  # audio tagging
+      krita
+      libreoffice-fresh
+      mumble
+      obsidian
+      slic3r
+      steam
+      wireshark  # could maybe ship the cli as sysadmin pkg
+    ;
+  };
+  x86GuiPkgs = {
+    inherit (pkgs)
+      discord
+
+      # kaiteki  # Pleroma client
+      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+      # gpt2tc  # XXX: unreliable mirror
+
+      # logseq  # Personal Knowledge Management
+      losslesscut-bin
+      makemkv
+      monero-gui
+      signal-desktop
+      spotify
+      tor-browser-bundle-bin
+      zecwallet-lite
+    ;
+  };
+
+  # packages not part of any package set; not enabled by default
+  otherPkgs = {
+    inherit (pkgs)
+      lemmy-server
+      mx-sanebot
+      stepmania
+    ;
+  };
+
+  # define -- but don't enable -- the packages in some attrset.
+  declarePkgs = pkgsAsAttrs: lib.mapAttrs (_n: p: {
+    # no need to actually define the package here: it's defaulted
+    # package = mkDefault p;
+  }) pkgsAsAttrs;
+in
+{
+  sane.programs = lib.mkMerge [
+    (declarePkgs consoleMediaPkgs)
+    (declarePkgs consolePkgs)
+    (declarePkgs desktopGuiPkgs)
+    (declarePkgs guiPkgs)
+    (declarePkgs iphonePkgs)
+    (declarePkgs sysadminPkgs)
+    (declarePkgs sysadminExtraPkgs)
+    (declarePkgs tuiPkgs)
+    (declarePkgs x86GuiPkgs)
+    (declarePkgs otherPkgs)
+    {
+      # link the various package sets into their own meta packages
+      consoleMediaUtils = {
+        package = null;
+        suggestedPrograms = attrNames consoleMediaPkgs;
+      };
+      consoleUtils = {
+        package = null;
+        suggestedPrograms = attrNames consolePkgs;
+      };
+      desktopGuiApps = {
+        package = null;
+        suggestedPrograms = attrNames desktopGuiPkgs;
+      };
+      guiApps = {
+        package = null;
+        suggestedPrograms = (attrNames guiPkgs)
+          ++ [ "web-browser" ]
+          ++ [ "tuiApps" ]
+          ++ lib.optional (pkgs.system == "x86_64-linux") "x86GuiApps";
+      };
+      iphoneUtils = {
+        package = null;
+        suggestedPrograms = attrNames iphonePkgs;
+      };
+      sysadminUtils = {
+        package = null;
+        suggestedPrograms = attrNames sysadminPkgs;
+      };
+      sysadminExtraUtils = {
+        package = null;
+        suggestedPrograms = attrNames sysadminExtraPkgs;
+      };
+      tuiApps = {
+        package = null;
+        suggestedPrograms = attrNames tuiPkgs;
+      };
+      x86GuiApps = {
+        package = null;
+        suggestedPrograms = attrNames x86GuiPkgs;
+      };
+    }
+    {
+      # nontrivial package definitions
+
+      dino.persist.private = [ ".local/share/dino" ];
+
+      # creds, but also 200 MB of node modules, etc
+      discord.persist.private = [ ".config/discord" ];
+
+      # creds/session keys, etc
+      element-desktop.persist.private = [ ".config/Element" ];
+
+      # `emote` will show a first-run dialog based on what's in this directory.
+      # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+      # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+      emote.persist.plaintext = [ ".local/share/Emote" ];
+
+      # MS GitHub stores auth token in .config
+      # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
+      gh.persist.private = [ ".config/gh" ];
+
+      # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+      # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
+      monero-gui.persist.plaintext = [ ".bitmonero" ];
+
+      mumble.persist.private = [ ".local/share/Mumble" ];
+
+      # not strictly necessary, but allows caching articles; offline use, etc.
+      nheko.persist.private = [
+        ".config/nheko"  # config file (including client token)
+        ".cache/nheko"  # media cache
+        ".local/share/nheko"  # per-account state database
+      ];
+
+      # settings (electron app)
+      obsidian.persist.plaintext = [ ".config/obsidian" ];
+
+      # creds, media
+      signal-desktop.persist.private = [ ".config/Signal" ];
+
+      # printer/filament settings
+      slic3r.persist.plaintext = [ ".Slic3r" ];
+
+      # creds, widevine .so download. TODO: could easily manage these statically.
+      spotify.persist.plaintext = [ ".config/spotify" ];
+
+      tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
+
+      tokodon.persist.private = [ ".cache/KDE/tokodon" ];
+
+      # hardenedMalloc solves a crash at startup
+      # TODO 2023/02/02: is this safe to remove yet?
+      tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
+        useHardenedMalloc = false;
+      };
+
+      whalebird.persist.private = [ ".config/Whalebird" ];
+
+      yarn.persist.plaintext = [ ".cache/yarn" ];
+
+      # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
+      zecwallet-lite.persist.private = [ ".zcash" ];
+    }
+  ];
+}

hosts/common/programs/cozy.nix

@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  sane.programs.cozy = {
+    # cozy uses a sqlite db for its config and exposes no CLI options other than --help and --debug
+    persist.plaintext = [
+      ".local/share/cozy"  # sqlite db (config & index?)
+      ".cache/cozy"  # offline cache
+    ];
+  };
+}

hosts/common/programs/default.nix

@@ -1,424 +1,43 @@
-{ config, lib, pkgs, ... }:
+{ pkgs, ... }:
 
-let
-  inherit (builtins) attrNames concatLists;
-  inherit (lib) mapAttrs mapAttrsToList mkDefault mkIf mkMerge optional;
-
-  flattenedPkgs = pkgs // (with pkgs; {
-    # XXX can't `inherit` a nested attr, so we move them to the toplevel
-    "cacert.unbundled" = pkgs.cacert.unbundled;
-    "gnome.cheese" = gnome.cheese;
-    "gnome.dconf-editor" = gnome.dconf-editor;
-    "gnome.file-roller" = gnome.file-roller;
-    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
-    "gnome.gnome-maps" = gnome.gnome-maps;
-    "gnome.nautilus" = gnome.nautilus;
-    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
-    "gnome.gnome-terminal" = gnome.gnome-terminal;
-    "gnome.gnome-weather" = gnome.gnome-weather;
-    "gnome.totem" = gnome.totem;
-    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
-  });
-
-  sysadminPkgs = {
-    inherit (flattenedPkgs)
-      btrfs-progs
-      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
-      cryptsetup
-      dig
-      efibootmgr
-      fatresize
-      fd
-      file
-      gawk
-      git
-      gptfdisk
-      hdparm
-      htop
-      iftop
-      inetutils  # for telnet
-      iotop
-      iptables
-      jq
-      killall
-      lsof
-      nano
-      netcat
-      nethogs
-      nmap
-      openssl
-      parted
-      pciutils
-      powertop
-      pstree
-      ripgrep
-      screen
-      smartmontools
-      socat
-      strace
-      subversion
-      tcpdump
-      tree
-      usbutils
-      wget
-    ;
-  };
-  sysadminExtraPkgs = {
-    # application-specific packages
-    inherit (pkgs)
-      backblaze-b2
-      duplicity
-      sqlite  # to debug sqlite3 databases
-    ;
-  };
-
-  iphonePkgs = {
-    inherit (pkgs)
-      ifuse
-      ipfs
-      libimobiledevice
-    ;
-  };
-
-  tuiPkgs = {
-    inherit (pkgs)
-      aerc  # email client
-      offlineimap  # email mailox sync
-      visidata  # TUI spreadsheet viewer/editor
-      w3m
-    ;
-  };
-
-  # TODO: split these into smaller groups.
-  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy ("powerutils"?)
-  consolePkgs = {
-    inherit (pkgs)
-      cdrtools
-      dmidecode
-      efivar
-      flashrom
-      fwupd
-      gh  # MS GitHub cli
-      git  # needed as a user package, for config.
-      gnupg
-      gocryptfs
-      gopass
-      gopass-jsonapi
-      imagemagick
-      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libsecret  # for managing user keyrings
-      lm_sensors  # for sensors-detect
-      lshw
-      ffmpeg
-      memtester
-      neovim
-      # nettools
-      # networkmanager
-      nixpkgs-review
-      # nixos-generators
-      nmon
-      # node2nix
-      oathToolkit  # for oathtool
-      # ponymix
-      pulsemixer
-      python3
-      ripgrep  # needed as a user package, for config.
-      rsync
-      # python3Packages.eyeD3  # music tagging
-      sane-scripts
-      sequoia
-      snapper
-      sops
-      sox
-      speedtest-cli
-      ssh-to-age
-      sudo
-      # tageditor  # music tagging
-      unar
-      wireguard-tools
-      xdg-utils  # for xdg-open
-      # yarn
-      # youtube-dl
-      yt-dlp
-      zsh
-    ;
-  };
-
-  guiPkgs = {
-    inherit (flattenedPkgs)
-      celluloid  # mpv frontend
-      clinfo
-      emote
-      evince  # works on phosh
-
-      # { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
-
-      # foliate  # e-book reader
-
-      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
-      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
-      # then reboot (so that libsecret daemon re-loads the keyring...?)
-      # { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
-      # { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
-
-      # "gnome.cheese"
-      "gnome.dconf-editor"
-      gnome-feeds  # RSS reader (with claimed mobile support)
-      "gnome.file-roller"
-      # "gnome.gnome-maps"  # works on phosh
-      "gnome.nautilus"
-      # gnome-podcasts
-      "gnome.gnome-system-monitor"
-      # "gnome.gnome-terminal"  # works on phosh
-      "gnome.gnome-weather"
-      gpodder-configured
-      gthumb
-      jellyfin-media-player
-      # lollypop
-      mpv
-      networkmanagerapplet
-      # newsflash
-      nheko
-      pavucontrol
-      # picard  # music tagging
-      playerctl
-      # "libsForQt5.plasmatube"  # Youtube player
-      soundconverter
-      sublime-music
-      # tdesktop  # broken on phosh
-      # tokodon
-      vlc
-      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
-      # whalebird
-      xterm  # broken on phosh
-    ;
-  };
-  desktopGuiPkgs = {
-    inherit (flattenedPkgs)
-      audacity
-      brave  # for the integrated wallet -- as a backup
-      chromium
-      dino
-      electrum
-      element-desktop
-      font-manager
-      gajim  # XMPP client
-      gimp  # broken on phosh
-      "gnome.gnome-disk-utility"
-      # "gnome.totem"  # video player, supposedly supports UPnP
-      handbrake
-      hase
-      inkscape
-      kdenlive
-      kid3  # audio tagging
-      krita
-      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
-      mumble
-      obsidian
-      slic3r
-      steam
-    ;
-  };
-  x86GuiPkgs = {
-    inherit (pkgs)
-      discord
-
-      # kaiteki  # Pleroma client
-      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
-      # gpt2tc  # XXX: unreliable mirror
-
-      logseq
-      losslesscut-bin
-      makemkv
-      monero-gui
-      signal-desktop
-      spotify
-      tor-browser-bundle-bin
-      zeal-qt5  # programming docs viewer. TODO: switch to zeal-qt6
-      zecwallet-lite
-    ;
-  };
-
-  # packages not part of any package set
-  otherPkgs = {
-    inherit (pkgs)
-      mx-sanebot
-      stepmania
-    ;
-  };
-
-  # define -- but don't enable -- the packages in some attrset.
-  declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
-    # no need to actually define the package here: it's defaulted
-    # package = mkDefault p;
-  }) pkgsAsAttrs;
-in
 {
-
   imports = [
     ./aerc.nix
+    ./assorted.nix
+    ./cozy.nix
     ./git.nix
     ./gnome-feeds.nix
     ./gpodder.nix
+    ./gthumb.nix
+    ./imagemagick.nix
+    ./jellyfin-media-player.nix
     ./kitty
+    ./komikku.nix
+    ./koreader
     ./libreoffice.nix
+    ./lemoa.nix
+    ./mepo.nix
     ./mpv.nix
+    ./msmtp.nix
     ./neovim.nix
     ./newsflash.nix
+    ./nix-index.nix
     ./offlineimap.nix
     ./ripgrep.nix
+    ./sfeed.nix
     ./splatmoji.nix
+    ./steam.nix
     ./sublime-music.nix
     ./vlc.nix
     ./web-browser.nix
+    ./wireshark.nix
     ./zeal.nix
     ./zsh
   ];
 
   config = {
-    sane.programs = mkMerge [
-      (declarePkgs consolePkgs)
-      (declarePkgs desktopGuiPkgs)
-      (declarePkgs guiPkgs)
-      (declarePkgs iphonePkgs)
-      (declarePkgs sysadminPkgs)
-      (declarePkgs sysadminExtraPkgs)
-      (declarePkgs tuiPkgs)
-      (declarePkgs x86GuiPkgs)
-      (declarePkgs otherPkgs)
-      {
-        # link the various package sets into their own meta packages
-        consoleUtils = {
-          package = null;
-          suggestedPrograms = attrNames consolePkgs;
-        };
-        desktopGuiApps = {
-          package = null;
-          suggestedPrograms = attrNames desktopGuiPkgs;
-        };
-        guiApps = {
-          package = null;
-          suggestedPrograms = (attrNames guiPkgs)
-            ++ [ "tuiApps" ]
-            ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
-        };
-        iphoneUtils = {
-          package = null;
-          suggestedPrograms = attrNames iphonePkgs;
-        };
-        sysadminUtils = {
-          package = null;
-          suggestedPrograms = attrNames sysadminPkgs;
-        };
-        sysadminExtraUtils = {
-          package = null;
-          suggestedPrograms = attrNames sysadminExtraPkgs;
-        };
-        tuiApps = {
-          package = null;
-          suggestedPrograms = attrNames tuiPkgs;
-        };
-        x86GuiApps = {
-          package = null;
-          suggestedPrograms = attrNames x86GuiPkgs;
-        };
-      }
-      {
-        # nontrivial package definitions
-
-        dino.persist.private = [ ".local/share/dino" ];
-
-        # creds, but also 200 MB of node modules, etc
-        discord.persist.private = [ ".config/discord" ];
-
-        # creds/session keys, etc
-        element-desktop.persist.private = [ ".config/Element" ];
-
-        # `emote` will show a first-run dialog based on what's in this directory.
-        # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
-        # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
-        emote.persist.plaintext = [ ".local/share/Emote" ];
-
-        # MS GitHub stores auth token in .config
-        # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
-        gh.persist.private = [ ".config/gh" ];
-
-        ghostscript = {};  # used by imagemagick
-
-        # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
-        #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
-        gpodder-configured.persist.plaintext = [ "gPodder" ];
-
-        imagemagick = {
-          package = pkgs.imagemagick.override {
-            ghostscriptSupport = true;
-          };
-          suggestedPrograms = [ "ghostscript" ];
-        };
-
-        # jellyfin stores things in a bunch of directories: this one persists auth info.
-        # it *might* be possible to populate this externally (it's Qt stuff), but likely to
-        # be fragile and take an hour+ to figure out.
-        jellyfin-media-player.persist.plaintext = [ ".local/share/Jellyfin Media Player" ];
-
-        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
-        # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
-        monero-gui.persist.plaintext = [ ".bitmonero" ];
-
-        mumble.persist.private = [ ".local/share/Mumble" ];
-
-        # not strictly necessary, but allows caching articles; offline use, etc.
-        nheko.persist.private = [
-          ".config/nheko"  # config file (including client token)
-          ".cache/nheko"  # media cache
-          ".local/share/nheko"  # per-account state database
-        ];
-
-        # settings (electron app)
-        obsidian.persist.plaintext = [ ".config/obsidian" ];
-
-        # creds, media
-        signal-desktop.persist.private = [ ".config/Signal" ];
-
-        # printer/filament settings
-        slic3r.persist.plaintext = [ ".Slic3r" ];
-
-        # creds, widevine .so download. TODO: could easily manage these statically.
-        spotify.persist.plaintext = [ ".config/spotify" ];
-
-        steam.persist.plaintext = [
-          ".steam"
-          ".local/share/Steam"
-        ];
-
-        tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
-
-        tokodon.persist.private = [ ".cache/KDE/tokodon" ];
-
-        # hardenedMalloc solves a crash at startup
-        # TODO 2023/02/02: is this safe to remove yet?
-        tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
-          useHardenedMalloc = false;
-        };
-
-        whalebird.persist.private = [ ".config/Whalebird" ];
-
-        yarn.persist.plaintext = [ ".cache/yarn" ];
-
-        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-        zecwallet-lite.persist.private = [ ".zcash" ];
-      }
-    ];
-
     # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
     environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
 
-    # steam requires system-level config for e.g. firewall or controller support
-    programs.steam = mkIf config.sane.programs.steam.enabled {
-      enable = true;
-      # not sure if needed: stole this whole snippet from the wiki
-      remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
-      dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
-    };
   };
 }

hosts/common/programs/git.nix

@@ -1,18 +1,39 @@
-{ lib, pkgs, sane-lib, ... }:
+{ lib, pkgs, ... }:
 
 let
   mkCfg = lib.generators.toINI { };
 in
 {
-  sane.programs.git.fs.".config/git/config" = sane-lib.fs.wantedText (mkCfg {
+  sane.programs.git.fs.".config/git/config".symlink.text = mkCfg {
+    # top-level options documented:
+    # - <https://git-scm.com/docs/git-config#_variables>
+
     user.name = "Colin";
     user.email = "colin@uninsane.org";
-    alias.co = "checkout";
+
+    alias.br      = "branch";
+    alias.co      = "checkout";
+    alias.cp      = "cherry-pick";
+    alias.d       = "difftool";
+    alias.dif     = "diff";  # common typo
+    alias.difsum  = "diff --compact-summary";  #< show only the list of files which changed, not contents
+    alias.rb      = "rebase";
+    alias.st      = "status";
+    alias.stat    = "status";
+
     # difftastic docs:
     # - <https://difftastic.wilfred.me.uk/git.html>
     diff.tool = "difftastic";
     difftool.prompt = false;
     "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
     # now run `git difftool` to use difftastic git
-  });
+
+    # render dates as YYYY-MM-DD HH:MM:SS +TZ
+    log.date = "iso";
+
+    sendemail.annotate = "yes";
+    sendemail.confirm = "always";
+
+    stash.showPatch = true;
+  };
 }

hosts/common/programs/gnome-feeds.nix

@@ -6,37 +6,35 @@ let
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
-    builtins.toJSON {
-      # feed format is a map from URL to a dict,
-      #   with dict["tags"] a list of string tags.
-      feeds = sane-lib.mapToAttrs (feed: {
-        name = feed.url;
-        value.tags = [ feed.cat feed.freq ];
-      }) wanted-feeds;
-      dark_reader = false;
-      new_first = true;
-      # windowsize = {
-      #   width = 350;
-      #   height = 650;
-      # };
-      max_article_age_days = 90;
-      enable_js = false;
-      max_refresh_threads = 3;
-      # saved_items = {};
-      # read_items = [];
-      show_read_items = true;
-      full_article_title = true;
-      # views: "webview", "reader", "rsscont"
-      default_view = "rsscont";
-      open_links_externally = true;
-      full_feed_name = false;
-      refresh_on_startup = true;
-      tags = lib.unique (
-        (builtins.catAttrs "cat" wanted-feeds) ++ (builtins.catAttrs "freq" wanted-feeds)
-      );
-      open_youtube_externally = false;
-      media_player = "vlc";  # default: mpv
-    }
-  );
+  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json".symlink.text = builtins.toJSON {
+    # feed format is a map from URL to a dict,
+    #   with dict["tags"] a list of string tags.
+    feeds = sane-lib.mapToAttrs (feed: {
+      name = feed.url;
+      value.tags = [ feed.cat feed.freq ];
+    }) wanted-feeds;
+    dark_reader = false;
+    new_first = true;
+    # windowsize = {
+    #   width = 350;
+    #   height = 650;
+    # };
+    max_article_age_days = 90;
+    enable_js = false;
+    max_refresh_threads = 3;
+    # saved_items = {};
+    # read_items = [];
+    show_read_items = true;
+    full_article_title = true;
+    # views: "webview", "reader", "rsscont"
+    default_view = "rsscont";
+    open_links_externally = true;
+    full_feed_name = false;
+    refresh_on_startup = true;
+    tags = lib.unique (
+      (builtins.catAttrs "cat" wanted-feeds) ++ (builtins.catAttrs "freq" wanted-feeds)
+    );
+    open_youtube_externally = false;
+    media_player = "vlc";  # default: mpv
+  };
 }

hosts/common/programs/gpodder.nix

@@ -1,12 +1,18 @@
 # gnome feeds RSS viewer
-{ config, sane-lib, ... }:
+{ config, pkgs, sane-lib, ... }:
 
 let
   feeds = sane-lib.feeds;
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
 in {
-  sane.programs.gpodder.fs.".config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
-    feeds.feedsToOpml wanted-feeds
-  );
+  sane.programs.gpodder = {
+    package = pkgs.gpodder-adaptive-configured;
+    # package = pkgs.gpodder-configured;
+    fs.".config/gpodderFeeds.opml".symlink.text = feeds.feedsToOpml wanted-feeds;
+
+    # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
+    #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
+    persist.plaintext = [ "gPodder" ];
+  };
 }

hosts/common/programs/gthumb.nix

@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+  sane.programs.gthumb.package = pkgs.gthumb.override { withWebservices = false; };
+}

hosts/common/programs/imagemagick.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  sane.programs.imagemagick = {
+    package = pkgs.imagemagick.override {
+      ghostscriptSupport = true;
+    };
+    suggestedPrograms = [ "ghostscript" ];
+  };
+  sane.programs.ghostscript = {};
+}

hosts/common/programs/jellyfin-media-player.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+  sane.programs.jellyfin-media-player = {
+    # package = pkgs.jellyfin-media-player;
+    package = pkgs.jellyfin-media-player-qt6;
+
+    # jellyfin stores things in a bunch of directories: this one persists auth info.
+    # it *might* be possible to populate this externally (it's Qt stuff), but likely to
+    # be fragile and take an hour+ to figure out.
+    persist.plaintext = [ ".local/share/Jellyfin Media Player" ];
+  };
+}

hosts/common/programs/kitty/default.nix

@@ -1,14 +1,17 @@
-{ pkgs, sane-lib, ... }:
+{ lib, ... }:
 
 {
-  sane.programs.kitty.fs.".config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
-    # docs: https://sw.kovidgoyal.net/kitty/conf/
-    # disable terminal bell (when e.g. you backspace too many times)
-    enable_audio_bell no
+  sane.programs.kitty = {
+    fs.".config/kitty/kitty.conf".symlink.text = ''
+      # docs: https://sw.kovidgoyal.net/kitty/conf/
+      # disable terminal bell (when e.g. you backspace too many times)
+      enable_audio_bell no
 
-    map ctrl+n new_os_window_with_cwd
-    include ${./PaperColor_dark.conf}
-  '';
+      map ctrl+n new_os_window_with_cwd
+      include ${./PaperColor_dark.conf}
+    '';
+    env.TERMINAL = lib.mkDefault "kitty";
+  };
 
   #  include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
 

hosts/common/programs/komikku.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  sane.programs.komikku = {
+    secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
+    # downloads end up here, and without the toplevel database komikku doesn't know they exist.
+    persist.plaintext = [ ".local/share/komikku" ];
+  };
+}

hosts/common/programs/koreader/2-colin-NetworkManager-isConnected.lua

@@ -0,0 +1,42 @@
+-- as of 2023.05.1, koreader FTP browser always fails to load.
+-- it's convinced that it's offline, and asks to connect to wifi.
+-- this seems to be because of the following in <frontend/device/sdl/device.lua>:
+--
+-- function Device:initNetworkManager(NetworkMgr)
+--     function NetworkMgr:isWifiOn() return true end
+--     function NetworkMgr:isConnected()
+--         -- Pull the default gateway first, so we don't even try to ping anything if there isn't one...
+--         local default_gw = Device:getDefaultRoute()
+--         if not default_gw then
+--             return false
+--         end
+--         return 0 == os.execute("ping -c1 -w2 " .. default_gw .. " > /dev/null")
+--     end
+-- end
+--
+-- specifically, `os.execute` is not *expected* to return 0. it returns `true` on success:
+-- <https://www.lua.org/manual/5.3/manual.html#pdf-os.execute>
+-- this apparently changed from 5.1 -> 5.2
+--
+-- XXX: this same bug likely applies to `isCommand` and `runCommand` in <frontend/device/sdl/device.lua>
+-- - that would manifest as wikipedia links failing to open in external application (xdg-open)
+
+local logger = require("logger")
+logger.info("applying colin patch")
+
+local Device = require("device")
+logger.info("Device:" .. tostring(Device))
+
+local orig_initNetworkManager = Device.initNetworkManager
+Device.initNetworkManager = function(self, NetworkMgr)
+  logger.info("Device:initNetworkManager")
+  orig_initNetworkManager(self, NetworkMgr)
+  function NetworkMgr:isConnected()
+    logger.info("mocked `NetworkMgr:isConnected` to return true")
+    return true
+    -- unpatch to show that the boolean form works
+    -- local rc = os.execute("ping -c1 -w2 10.78.79.1 > /dev/null")
+    -- logger.info("ping rc: " .. tostring(rc))
+    -- return rc
+  end
+end

hosts/common/programs/koreader/default.nix

@@ -0,0 +1,46 @@
+{ config, lib, sane-lib, ... }:
+
+let
+  feeds = sane-lib.feeds;
+  allFeeds = config.sane.feeds;
+  wantedFeeds = feeds.filterByFormat [ "image" "text" ] allFeeds;
+  koreaderRssEntries = builtins.map (feed:
+    # format:
+    # { "<rss/atom url>", limit = <int>, download_full_article=<bool>, include_images=<bool>, enable_filter=<bool>, filter_element = "<css selector>"},
+    # limit = 0                    => download and keep *all* articles
+    # download_full_article = true => populate feed by downloading the webpage -- not just what's encoded in the RSS <article> tags
+    # - use this for articles where the RSS only encodes content previews
+    # enable_filter         = true => only render content that matches the filter_element css selector.
+    let fields = [
+      (lib.escapeShellArg feed.url)
+      "limit = 5"
+      "download_full_article = false"
+      "include_images = true"
+      "enable_filter = false"
+      "filter_element = \"\""
+    ]; in "{ ${lib.concatStringsSep ", " fields } }"
+  ) wantedFeeds;
+in {
+  sane.programs.koreader = {
+    # koreader applies these lua "patches" at boot:
+    # - <https://github.com/koreader/koreader/wiki/User-patches>
+    # - TODO: upstream this patch to koreader
+    # fs.".config/koreader/patches".symlink.target = "${./.}";
+    fs.".config/koreader/patches/2-colin-NetworkManager-isConnected.lua".symlink.target = "${./2-colin-NetworkManager-isConnected.lua}";
+
+    # koreader news plugin, enabled by default. file format described here:
+    # - <repo:koreader/koreader:plugins/newsdownloader.koplugin/feed_config.lua>
+    fs.".config/koreader/news/feed_config.lua".symlink.text = ''
+      return {--do NOT change this line
+        ${lib.concatStringsSep ",\n  " koreaderRssEntries}
+      }--do NOT change this line
+    '';
+
+    # koreader on aarch64 errors if there's no fonts directory (sandboxing thing, i guess)
+    fs.".local/share/fonts".dir = {};
+
+    # history, cache, dictionaries...
+    # could be more explicit if i symlinked the history.lua file to somewhere it can persist better.
+    persist.plaintext = [ ".config/koreader" ];
+  };
+}

hosts/common/programs/lemoa.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  sane.programs.lemoa = {
+    # creds
+    persist.private = [ ".local/share/io.github.lemmygtk.lemoa" ];
+  };
+}

hosts/common/programs/libreoffice.nix

@@ -1,8 +1,8 @@
-{ sane-lib, ... }:
+{ ... }:
 
 {
   # libreoffice: disable first-run stuff
-  sane.programs.libreoffice-fresh.fs.".config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
+  sane.programs.libreoffice-fresh.fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
     <?xml version="1.0" encoding="UTF-8"?>
     <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>

hosts/common/programs/mepo.nix

@@ -0,0 +1,18 @@
+# docs: <https://git.sr.ht/~mil/mepo>
+# irc #mepo:irc.oftc.net
+{ config, lib, ... }:
+
+{
+  sane.programs.mepo = {
+    persist.plaintext = [ ".cache/mepo/tiles" ];
+    # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
+    persist.private = [ ".cache/mepo/savestate" ];
+  };
+
+  programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
+    # enable location services (via geoclue)
+    enable = true;
+    # more precise, via gpsd ("may require additional config")
+    # programs.mepo.gpsd.enable = true
+  };
+}

hosts/common/programs/mpv.nix

@@ -1,10 +1,10 @@
-{ sane-lib, ... }:
+{ ... }:
 
 {
   sane.programs.mpv = {
     persist.plaintext = [ ".config/mpv/watch_later" ];
     # format is <key>=%<length>%<value>
-    fs.".config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
+    fs.".config/mpv/mpv.conf".symlink.text = ''
       save-position-on-quit=%3%yes
       keep-open=%3%yes
     '';

hosts/common/programs/msmtp.nix

@@ -0,0 +1,25 @@
+# docs: <https://nixos.wiki/wiki/Msmtp>
+# validate with e.g.
+# - `echo -e "Content-Type: text/plain\r\nSubject: Test\r\n\r\nHello World" | sendmail test@uninsane.org`
+{ config, lib, ... }:
+
+{
+  sane.programs.msmtp = {
+    secrets.".config/msmtp/password.txt" = ../../../secrets/common/msmtp_password.txt.bin;
+  };
+
+  programs.msmtp = lib.mkIf config.sane.programs.msmtp.enabled {
+    enable = true;
+    accounts = {
+      default = {
+        auth = true;
+        tls = true;
+        tls_starttls = false;  # needed else sendmail hangs
+        from = "Colin <colin@uninsane.org>";
+        host = "mx.uninsane.org";
+        user = "colin";
+        passwordeval = "cat ~/.config/msmtp/password.txt";
+      };
+    };
+  };
+}

hosts/common/programs/neovim.nix

@@ -5,30 +5,11 @@ let
   inherit (lib) concatMapStrings mkIf optionalString;
   # this structure roughly mirrors home-manager's `programs.neovim.plugins` option
   plugins = with pkgs.vimPlugins; [
-    # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
-    # docs: vim-surround: https://github.com/tpope/vim-surround
-    { plugin = vim-surround; }
-    # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
-    { plugin = fzf-vim; }
-    ({
-      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
-      plugin = tex-conceal-vim;
-      type = "viml";
-      config = ''
-        " present prettier fractions
-        let g:tex_conceal_frac=1
-      '';
-    })
-    ({
-      plugin = vim-SyntaxRange;
-      type = "viml";
-      config = ''
-        " enable markdown-style codeblock highlighting for tex code
-        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
-        " autocmd Syntax tex set conceallevel=2
-      '';
-    })
-    ({
+    {
+      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
+      plugin = fzf-vim;
+    }
+    {
       # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
       # docs: https://github.com/nvim-treesitter/nvim-treesitter
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
@@ -64,7 +45,35 @@ let
         vim.o.foldmethod = 'expr'
         vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
       '';
-    })
+    }
+    {
+      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
+      plugin = tex-conceal-vim;
+      type = "viml";
+      config = ''
+        " present prettier fractions
+        let g:tex_conceal_frac=1
+      '';
+    }
+    {
+      # source: <https://github.com/LnL7/vim-nix>
+      # fixes auto-indent (incl tab size) when editing .nix files
+      plugin = vim-nix;
+    }
+    {
+      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
+      # docs: vim-surround: https://github.com/tpope/vim-surround
+      plugin = vim-surround;
+    }
+    {
+      plugin = vim-SyntaxRange;
+      type = "viml";
+      config = ''
+        " enable markdown-style codeblock highlighting for tex code
+        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
+        " autocmd Syntax tex set conceallevel=2
+      '';
+    }
   ];
   plugin-packages = map (p: p.plugin) plugins;
   plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
@@ -72,7 +81,12 @@ let
 in
 {
   # private because there could be sensitive things in the swap
-  sane.programs.neovim.persist.private = [ ".cache/vim-swap" ];
+  sane.programs.neovim = {
+    persist.private = [ ".cache/vim-swap" ];
+    env.EDITOR = "vim";
+    # git claims it should use EDITOR, but it doesn't!
+    env.GIT_EDITOR = "vim";
+  };
 
   programs.neovim = mkIf config.sane.programs.neovim.enabled {
     # neovim: https://github.com/neovim/neovim

hosts/common/programs/newsflash.nix

@@ -8,8 +8,8 @@ let
 in {
   sane.programs.newsflash = {
     persist.plaintext = [ ".local/share/news-flash" ];
-    fs.".config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
+    fs.".config/newsflashFeeds.opml".symlink.text =
       feeds.feedsToOpml wanted-feeds
-    );
+    ;
   };
 }

hosts/common/programs/nix-index.nix

@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+{
+  # provides `nix-locate`, backed by the manually run `nix-index`
+  sane.programs.nix-index = {
+    persist.plaintext = [ ".cache/nix-index" ];
+  };
+}

hosts/common/programs/offlineimap.nix

@@ -7,6 +7,6 @@
 { ... }:
 
 {
-  sane.programs.offlineimap.secrets.".config/offlineimap/config" = ../../../secrets/universal/offlineimaprc.bin;
+  sane.programs.offlineimap.secrets.".config/offlineimap/config" = ../../../secrets/common/offlineimaprc.bin;
 }
 

hosts/common/programs/ripgrep.nix

@@ -1,9 +1,9 @@
-{ sane-lib, ... }:
+{ ... }:
 {
   # .ignore file is read by ripgrep (rg), silver searcher (ag), maybe others.
   # ignore translation files by default when searching, as they tend to have
   # a LOT of duplicate text.
-  sane.programs.ripgrep.fs.".ignore" = sane-lib.fs.wantedText ''
+  sane.programs.ripgrep.fs.".ignore".symlink.text = ''
     po/
   '';
 }

hosts/common/programs/sfeed.nix

@@ -0,0 +1,28 @@
+# simple RSS and Atom parser
+# - <https://codemadness.org/sfeed-simple-feed-parser.html>
+# - used by sxmo
+# - man 5 sfeedrc
+#
+# call `sfeed_update` to query each feed and populate entries in ~/.sfeed/feeds
+{ lib, config, sane-lib, ... }:
+let
+  feeds = sane-lib.feeds;
+  allFeeds = config.sane.feeds;
+  wantedFeeds = feeds.filterByFormat ["text"] allFeeds;
+  sfeedEntries = builtins.map (feed:
+    # format:
+    # feed <name> <feedurl> [basesiteurl] [encoding]
+    lib.escapeShellArgs [ "feed" (if feed.title != null then feed.title else feed.url) feed.url ]
+  ) wantedFeeds;
+in {
+  sane.programs.sfeed = {
+    fs.".sfeed/sfeedrc".symlink.text = ''
+      feeds() {
+        ${lib.concatStringsSep "\n  " sfeedEntries}
+      }
+    '';
+
+    # this is where the parsed feed items go
+    persist.plaintext = [ ".sfeed/feeds" ];
+  };
+}

hosts/common/programs/splatmoji.nix

@@ -1,12 +1,12 @@
 # borrows from:
 # - default config: <https://github.com/cspeterson/splatmoji/blob/master/splatmoji.config>
 # - wayland: <https://github.com/cspeterson/splatmoji/issues/32#issuecomment-830862566>
-{ pkgs, sane-lib, ... }:
+{ pkgs, ... }:
 
 {
   sane.programs.splatmoji = {
     persist.plaintext = [ ".local/state/splatmoji" ];
-    fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
+    fs.".config/splatmoji/splatmoji.config".symlink.text = ''
       # XXX doesn't seem to understand ~ as shorthand for `$HOME`
       history_file=/home/colin/.local/state/splatmoji/history
       history_length=5

hosts/common/programs/steam.nix

@@ -0,0 +1,16 @@
+{ config, lib, ...}:
+{
+  sane.programs.steam = {
+    persist.plaintext = [
+      ".steam"
+      ".local/share/Steam"
+    ];
+  };
+  # steam requires system-level config for e.g. firewall or controller support
+  programs.steam = lib.mkIf config.sane.programs.steam.enabled {
+    enable = true;
+    # not sure if needed: stole this whole snippet from the wiki
+    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+  };
+}

hosts/common/programs/sublime-music.nix

@@ -9,6 +9,6 @@
     #   possible to pass config as a CLI arg (sublime-music -c config.json)
     persist.plaintext = [ ".local/share/sublime-music" ];
 
-    secrets.".config/sublime-music/config.json" = ../../../secrets/universal/sublime_music_config.json.bin;
+    secrets.".config/sublime-music/config.json" = ../../../secrets/common/sublime_music_config.json.bin;
   };
 }

hosts/common/programs/vlc.nix

@@ -12,7 +12,7 @@ in
   sane.programs.vlc = {
     # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
     persist.plaintext = [ ".config/vlc" ];
-    fs.".config/vlc/vlcrc" = sane-lib.fs.wantedText ''
+    fs.".config/vlc/vlcrc".symlink.text = ''
       [podcast]
       podcast-urls=${podcast-urls}
       [core]

hosts/common/programs/web-browser.nix

@@ -6,24 +6,22 @@
 # many of the settings below won't have effect without those patches.
 # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
 
-{ config, lib, pkgs, sane-lib, ...}:
+{ config, lib, pkgs, ...}:
 with lib;
 let
-  cfg = config.sane.web-browser;
+  cfg = config.sane.programs.web-browser.config;
   # allow easy switching between firefox and librewolf with `defaultSettings`, below
   librewolfSettings = {
     browser = pkgs.librewolf-unwrapped;
-    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
-    #   # this allows side-loading unsigned addons
-    #   MOZ_REQUIRE_SIGNING = false;
-    # });
+    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ pkgs.librewolf-pmos-mobile.extraPrefsFiles;
     libName = "librewolf";
     dotDir = ".librewolf";
-    cacheDir = ".cache/librewolf";  # TODO: is it?
+    cacheDir = ".cache/librewolf";
     desktop = "librewolf.desktop";
   };
   firefoxSettings = {
     browser = pkgs.firefox-esr-unwrapped;
+    extraPrefsFiles = pkgs.firefox-pmos-mobile.extraPrefsFiles;
     libName = "firefox";
     dotDir = ".mozilla/firefox";
     cacheDir = ".cache/mozilla";
@@ -47,19 +45,37 @@ let
   package = pkgs.wrapFirefox cfg.browser.browser {
     # inherit the default librewolf.cfg
     # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-    inherit (cfg.browser) libName;
+    inherit (cfg.browser) extraPrefsFiles libName;
 
-    extraNativeMessagingHosts = [ pkgs.browserpass ];
+    extraNativeMessagingHosts = optional cfg.addons.browserpass-extension.enable pkgs.browserpass;
     # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
 
     nixExtensions = concatMap (ext: optional ext.enable ext.package) (attrValues cfg.addons);
 
     extraPolicies = {
+      FirefoxHome = {
+        Search = true;
+        Pocket = false;
+        Snippets = false;
+        TopSites = false;
+        Highlights = false;
+      };
       NoDefaultBookmarks = true;
+      OfferToSaveLogins = false;
+      OfferToSaveLoginsDefault = false;
+      PasswordManagerEnabled = false;
       SearchEngines = {
         Default = "DuckDuckGo";
       };
+      UserMessaging = {
+        ExtensionRecommendations = false;
+        FeatureRecommendations = false;
+        SkipOnboarding = true;
+        UrlbarInterventions = false;
+        WhatsNew = false;
+      };
+
+      # these were taken from Librewolf
       AppUpdateURL = "https://localhost";
       DisableAppUpdate = true;
       OverrideFirstRunPage = "";
@@ -88,6 +104,7 @@ let
       # };
       # NewTabPage = true;
     };
+    # extraPrefs = ...
   };
 
   addonOpts = types.submodule {
@@ -100,58 +117,85 @@ let
       };
     };
   };
-in
-{
-  options = {
-    sane.web-browser.browser = mkOption {
-      default = defaultSettings;
-      type = types.attrs;
-    };
-    sane.web-browser.persistData = mkOption {
-      description = "optional store name to which persist browsing data (like history)";
-      type = types.nullOr types.str;
-      default = null;
-    };
-    sane.web-browser.persistCache = mkOption {
-      description = "optional store name to which persist browser cache";
-      type = types.nullOr types.str;
-      default = "cryptClearOnBoot";
-    };
-    sane.web-browser.addons = mkOption {
-      type = types.attrsOf addonOpts;
-      default = {
-        # get names from:
-        # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
-        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
-        # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
-        browserpass-extension.package = localAddon pkgs.browserpass-extension;
-        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
-        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
-        ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
-        i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
-        sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
-        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
-        ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
-        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
 
-        browserpass-extension.enable = lib.mkDefault true;
-        # bypass-paywalls-clean.enable = lib.mkDefault true;
-        ether-metamask.enable = lib.mkDefault true;
-        i2p-in-private-browsing.enable = lib.mkDefault config.services.i2p.enable;
-        sidebery.enable = lib.mkDefault true;
-        sponsorblock.enable = lib.mkDefault true;
-        ublacklist.enable = lib.mkDefault true;
-        ublock-origin.enable = lib.mkDefault true;
+  configOpts = {
+    options = {
+      browser = mkOption {
+        default = defaultSettings;
+        type = types.anything;
+      };
+      persistData = mkOption {
+        description = "optional store name to which persist browsing data (like history)";
+        type = types.nullOr types.str;
+        default = null;
+      };
+      persistCache = mkOption {
+        description = "optional store name to which persist browser cache";
+        type = types.nullOr types.str;
+        default = "cryptClearOnBoot";
+      };
+      addons = mkOption {
+        type = types.attrsOf addonOpts;
+        default = {};
       };
     };
   };
-
+in
+{
   config = mkMerge [
     ({
-      sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
+      sane.programs.web-browser.configOption = mkOption {
+        type = types.submodule configOpts;
+        default = {};
+      };
+      sane.programs.web-browser.config.addons = {
+        # get names from:
+        # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
+        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
+        browserpass-extension = {
+          # package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
+          package = localAddon pkgs.browserpass-extension;
+          enable = lib.mkDefault true;
+        };
+
+        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
+        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
+        # bypass-paywalls-clean.enable = lib.mkDefault true;
+
+        # TODO: give these update scripts, make them reachable via `pkgs`
+        ether-metamask = {
+          package = addon "ether-metamask" "webextension@metamask.io" "sha256-UI83wUUc33OlQYX+olgujeppoo2D2PAUJ+Wma5mH2O0=";
+          enable = lib.mkDefault true;
+        };
+        i2p-in-private-browsing = {
+          package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
+          enable = lib.mkDefault config.services.i2p.enable;
+        };
+        sidebery = {
+          package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
+          enable = lib.mkDefault true;
+        };
+        sponsorblock = {
+          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-b/OTFmhSEUZ/CYrYCE4rHVMQmY+Y78k8jSGMoR8vsZA=";
+          enable = lib.mkDefault true;
+        };
+        ublacklist = {
+          package = addon "ublacklist" "@ublacklist" "sha256-NZ2FmgJiYnH7j2Lkn0wOembxaEphmUuUk0Ytmb0rNWo=";
+          enable = lib.mkDefault true;
+        };
+        ublock-origin = {
+          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-EGGAA+cLUow/F5luNzFG055rFfd3rEyh8hTaL/23pbM=";
+          enable = lib.mkDefault true;
+        };
+      };
+    })
+    ({
       sane.programs.web-browser = {
         inherit package;
 
+        # env.BROWSER = "${package}/bin/${cfg.browser.libName}";
+        env.BROWSER = cfg.browser.libName;  # used by misc tools like xdg-email, as fallback
+
         # uBlock filter list configuration.
         # specifically, enable the GDPR cookie prompt blocker.
         # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
@@ -160,7 +204,7 @@ in
         # the specific attribute path is found via scraping ublock code here:
         # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
         # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-        fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
+        fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json".symlink.text = ''
           {
            "name": "uBlock0@raymondhill.net",
            "description": "ignored",
@@ -170,16 +214,17 @@ in
            }
           }
         '';
-        fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
+        # TODO: this is better suited in `extraPrefs` during `wrapFirefox` call
+        fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg".symlink.text = ''
           // if we can't query the revocation status of a SSL cert because the issuer is offline,
           // treat it as unrevoked.
           // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
           defaultPref("security.OCSP.require", false);
         '';
-        fs."${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
+        fs."${cfg.browser.dotDir}/default".dir = {};
         # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
         # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
-        fs."${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
+        fs."${cfg.browser.dotDir}/profiles.ini".symlink.text = ''
           [Profile0]
           Name=default
           IsRelative=1

hosts/common/programs/wireshark.nix

@@ -0,0 +1,5 @@
+{ config, ... }:
+{
+  sane.programs.wireshark = {};
+  programs.wireshark.enable = config.sane.programs.wireshark.enabled;
+}

hosts/common/programs/zeal.nix

@@ -1,16 +1,55 @@
-{ config, lib, sane-lib, ... }:
+{ config, lib, pkgs, ... }:
 let
-  inherit (lib) mkIf;
+  inherit (builtins) map;
+  inherit (lib) mkIf mkOption optionalString types;
+  cfg = config.sane.programs.docsets.config;
+  configOpts = types.submodule {
+    options = {
+      rustPkgs = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+    };
+  };
 in {
-  sane.programs.zeal-qt5 = {
+  sane.programs.zeal = {
+    package = pkgs.zeal-qt5;
     persist.plaintext = [
       ".cache/Zeal"
       ".local/share/Zeal"
     ];
-    fs.".local/share/Zeal/Zeal/system" = sane-lib.fs.wantedSymlinkTo "/run/current-system/sw/share/docset";
+    fs.".local/share/Zeal/Zeal/docsets/system".symlink.target = "/run/current-system/sw/share/docset";
+    suggestedPrograms = [ "docsets" ];
   };
 
-  environment.pathsToLink = mkIf config.sane.programs.zeal-qt5.enabled [
+  sane.programs.docsets = {
+    configOption = mkOption {
+      type = configOpts;
+      default = {};
+    };
+    package = pkgs.symlinkJoin {
+      name = "docsets";
+      # build each package with rust docs
+      paths = map (name:
+        let
+          orig = pkgs."${name}";
+          withDocs = orig.overrideAttrs (upstream: {
+            nativeBuildInputs = upstream.nativeBuildInputs or [] ++ [
+              pkgs.cargoDocsetHook
+            ];
+          });
+        in
+        "${toString withDocs}/share/docset"
+      ) cfg.rustPkgs;
+      # link only the docs (not any binaries)
+      postBuild = optionalString (cfg.rustPkgs != []) ''
+        mkdir -p $out/share/docset
+        mv $out/*.docset $out/share/docset
+      '';
+    };
+  };
+
+  environment.pathsToLink = mkIf config.sane.programs.zeal.enabled [
     "/share/docset"
   ];
 }

hosts/common/programs/zsh/default.nix

@@ -1,4 +1,21 @@
-{ config, lib, pkgs, sane-lib, ... }:
+# zsh files/init order
+# - see `man zsh` => "STARTUP/SHUTDOWN FILES"
+# - /etc/zshenv
+# - $ZDOTDIR/.zshenv
+# - if login shell:
+#   - /etc/zprofile
+#   - $ZDOTDIR/.zprofile
+# - if interactive:
+#   - /etc/zshrc
+#   - $ZDOTDIR/.zshrc
+# - if login (again):
+#   - /etc/zlogin
+#   - ZDOTDIR/.zlogin
+# - at exit:
+#   - $ZDOTDIR/.zlogout
+#   - /etc/zlogout
+
+{ config, lib, pkgs, ... }:
 
 let
   inherit (lib) mkIf mkMerge mkOption types;
@@ -33,7 +50,7 @@ in
       showDeadlines = mkOption {
         type = types.bool;
         default = true;
-        description = "show upcoming deadlines (frommy PKM) upon shell init";
+        description = "show upcoming deadlines (from my PKM) upon shell init";
       };
     };
   };
@@ -41,41 +58,60 @@ in
   config = mkMerge [
     ({
       sane.programs.zsh = {
-        persist.plaintext = [
+        persist.private = [
           # we don't need to full zsh dir -- just the history file --
-          # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
-          # TODO: should be private?
+          # but zsh will sometimes backup the history file and symlinking just the file messes things up
           ".local/share/zsh"
-          # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
+        ];
+        persist.plaintext = [
+          # cache gitstatus otherwise p10k fetches it from the net EVERY BOOT
           ".cache/gitstatus"
         ];
 
-        # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
-        fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
+        fs.".config/zsh/.zshrc".symlink.text = ''
+          # zsh/prezto complains if zshrc doesn't exist or is empty;
+          # preserve this comment to prevent that from ever happening.
+        '' + lib.optionalString cfg.showDeadlines ''
+          ${pkgs.sane-scripts.deadlines}/bin/sane-deadlines
+        '' + ''
+          # auto-cd into any of these dirs by typing them and pressing 'enter':
+          hash -d 3rd="/home/colin/dev/3rd"
+          hash -d dev="/home/colin/dev"
+          hash -d knowledge="/home/colin/knowledge"
+          hash -d nixos="/home/colin/nixos"
+          hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
+          hash -d ref="/home/colin/ref"
+          hash -d secrets="/home/colin/knowledge/secrets"
+          hash -d tmp="/home/colin/tmp"
+          hash -d uninsane="/home/colin/dev/uninsane"
+          hash -d Videos="/home/colin/Videos"
+        '';
 
         # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
         # see: https://github.com/sorin-ionescu/prezto
-        # i believe this file is auto-sourced by the prezto init.zsh script.
-        fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
+        # this file is auto-sourced by the prezto init.zsh script.
+        # TODO: i should work to move away from prezto:
+        # - it's FUCKING SLOW to initialize (that might also be powerlevel10k tho)
+        # - it messes with my other `setopt`s
+        fs.".config/zsh/.zpreztorc".symlink.text = ''
           zstyle ':prezto:*:*' color 'yes'
+          zstyle ':prezto:module:utility' correct 'no'  # prezto: don't setopt CORRECT
 
           # modules (they ship with prezto):
           # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
           # TERMINAL: auto-titles terminal (e.g. based on cwd)
           # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
           # HISTORY: `history-stat` alias, setopts for good history defaults
-          # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
+          # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack. also overrides CLOBBER and some other options
           # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
           # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
           #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
           # COMPLETION: tab completion. requires `utility` module prior to loading
-          # TODO: enable AUTO_PARAM_SLASH
           zstyle ':prezto:load' pmodule \
             'environment' \
             'terminal' \
             'editor' \
             'history' \
-            'directory' \
             'spectrum' \
             'utility' \
             'completion' \
@@ -105,12 +141,19 @@ in
           "cd../" = "cd ../";
         };
         setOptions = [
-          # defaults:
+          # docs: `man zshoptions`
+          # nixos defaults:
+          "HIST_FCNTL_LOCK"
           "HIST_IGNORE_DUPS"
           "SHARE_HISTORY"
-          "HIST_FCNTL_LOCK"
-          # disable `rm *` confirmations
-          "rmstarsilent"
+          # customizations:
+          "AUTO_CD"  # type directory name to go there
+          "AUTO_MENU"  # show auto-complete menu on double-tab
+          "CDABLE_VARS"  # allow auto-cd to use my `hash` aliases -- not just immediate subdirs
+          "CLOBBER"  # allow `foo > bar.txt` to overwrite bar.txt
+          "NO_CORRECT"  # don't try to correct commands
+          "PIPE_FAIL"  # when `cmd_a | cmd_b`, make $? be non-zero if *any* of cmd_a or cmd_b fail
+          "RM_STAR_SILENT"  # disable `rm *` confirmations
         ];
 
         # .zshenv config:
@@ -118,7 +161,7 @@ in
           ZDOTDIR=$HOME/.config/zsh
         '';
 
-        # .zshrc config:
+        # system-wide .zshrc config:
         interactiveShellInit =
           (builtins.readFile ./p10k.zsh)
         + p10k-overrides
@@ -136,22 +179,6 @@ in
             mkdir -p "$1";
             pushd "$1";
           }
-        ''
-        + lib.optionalString cfg.showDeadlines ''
-          ${pkgs.sane-scripts}/bin/sane-deadlines
-        ''
-        + ''
-          # auto-cd into any of these dirs by typing them and pressing 'enter':
-          hash -d 3rd="/home/colin/dev/3rd"
-          hash -d dev="/home/colin/dev"
-          hash -d knowledge="/home/colin/knowledge"
-          hash -d nixos="/home/colin/nixos"
-          hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
-          hash -d ref="/home/colin/ref"
-          hash -d secrets="/home/colin/knowledge/secrets"
-          hash -d tmp="/home/colin/tmp"
-          hash -d uninsane="/home/colin/dev/uninsane"
-          hash -d Videos="/home/colin/Videos"
         '';
 
         syntaxHighlighting.enable = true;
@@ -159,8 +186,8 @@ in
       };
 
       # enable a command-not-found hook to show nix packages that might provide the binary typed.
-      programs.nix-index.enable = true;
-      programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+      # programs.nix-index.enableZshIntegration = true;
+      programs.command-not-found.enable = false;
     })
   ];
 }

hosts/common/secrets.nix

@@ -1,38 +1,53 @@
-{ config, ... }:
+# SOPS configuration:
+#   docs: https://github.com/Mic92/sops-nix
+#
+# for each new user you want to edit sops files:
+# create a private age key from ssh key:
+#   $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
+#   if the private key was password protected, then first decrypt it:
+#     $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
+#     $ ssh-keygen -p -N "" -f /tmp/id_ed25519
+#
+# for each user you want to decrypt secrets:
+#   $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
+#   add the result to .sops.yaml
+#   since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
+#
+# for each host you want to decrypt secrets:
+#   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
+#   add the result to .sops.yaml
+#   $ sops updatekeys secrets/example.yaml
+#
+# to create a new secret:
+#   $ sops secrets/example.yaml
+#   control access below (sops.secret.<x>.owner = ...)
+#
+# to read a secret:
+#   $ cat /run/secrets/example_key
 
+{ config, lib, sane-lib, ... }:
+
+let
+  inherit (lib.strings) hasSuffix removeSuffix;
+  secretsForHost = host: let
+    extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path) {
+      owner = "guest";
+    };
+  in sane-lib.joinAttrsets (
+    map
+      (path: lib.optionalAttrs (hasSuffix ".bin" path) (sane-lib.nameValueToAttrs {
+        name = removeSuffix ".bin" path;
+        value = {
+          sopsFile = ../../secrets/${host}/${path};
+          format = "binary";
+        } // (extraAttrsForPath path);
+      }))
+      (sane-lib.enumerateFilePaths ../../secrets/${host})
+  );
+in
 {
-  # SOPS configuration:
-  #   docs: https://github.com/Mic92/sops-nix
-  #
-  # for each new user you want to edit sops files:
-  # create a private age key from ssh key:
-  #   $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
-  #   if the private key was password protected, then first decrypt it:
-  #     $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
-  #     $ ssh-keygen -p -N "" -f /tmp/id_ed25519
-  #
-  # for each user you want to decrypt secrets:
-  #   $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
-  #   add the result to .sops.yaml
-  #   since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
-  #
-  # for each host you want to decrypt secrets:
-  #   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
-  #   add the result to .sops.yaml
-  #   $ sops updatekeys secrets/example.yaml
-  #
-  # to create a new secret:
-  #   $ sops secrets/example.yaml
-  #   control access below (sops.secret.<x>.owner = ...)
-  #
-  # to read a secret:
-  #   $ cat /run/secrets/example_key
 
   # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
-  # This will add secrets.yaml to the nix store
-  # You can avoid this by adding a string to the full path instead, i.e.
-  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ../../secrets/universal.yaml;
   sops.gnupg.sshKeyPaths = [];  # disable RSA key import
   # This is using an age key that is expected to already be in the filesystem
   # sops.age.keyFile = "/home/colin/.ssh/age.pub";
@@ -45,96 +60,16 @@
   # };
   # sops.secrets."myservice/my_subdir/my_secret" = {};
 
-  ## universal secrets
-  # TODO: glob these?
-
-  sops.secrets."jackett_apikey" = {
-    sopsFile = ../../secrets/universal.yaml;
-    owner = config.users.users.colin.name;
-  };
-  sops.secrets."mx-sanebot-env" = {
-    sopsFile = ../../secrets/universal/mx-sanebot-env.bin;
-    format = "binary";
-    owner = config.users.users.colin.name;
-  };
-  sops.secrets."router_passwd" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."transmission_passwd" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."wg_ovpnd_us_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."wg_ovpnd_us-atl_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."wg_ovpnd_us-mi_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."wg_ovpnd_ukr_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-
-  sops.secrets."snippets" = {
-    sopsFile = ../../secrets/universal/snippets.bin;
-    format = "binary";
-    owner = config.users.users.colin.name;
-  };
-
-  sops.secrets."bt/car" = {
-    sopsFile = ../../secrets/universal/bt/car.bin;
-    format = "binary";
-  };
-  sops.secrets."bt/earbuds" = {
-    sopsFile = ../../secrets/universal/bt/earbuds.bin;
-    format = "binary";
-  };
-  sops.secrets."bt/portable-speaker" = {
-    sopsFile = ../../secrets/universal/bt/portable-speaker.bin;
-    format = "binary";
-  };
-
-  sops.secrets."iwd/community-university.psk" = {
-    sopsFile = ../../secrets/universal/net/community-university.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/friend-libertarian-dod.psk" = {
-    sopsFile = ../../secrets/universal/net/friend-libertarian-dod.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/friend-rationalist-empathist.psk" = {
-    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/home-shared.psk" = {
-    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/makespace-south.psk" = {
-    sopsFile = ../../secrets/universal/net/makespace-south.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = {
-    sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/archive-2023-02-home-shared-24G.psk" = {
-    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/archive-2023-02-home-shared.psk" = {
-    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/iphone" = {
-    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/parents" = {
-    sopsFile = ../../secrets/universal/net/parents.psk.bin;
-    format = "binary";
-  };
+  sops.secrets = lib.mkMerge [
+    (secretsForHost "common")
+    (secretsForHost config.networking.hostName)
+    {
+      "jackett_apikey".owner = config.users.users.colin.name;
+      "mx-sanebot-env".owner = config.users.users.colin.name;
+      "snippets".owner = config.users.users.colin.name;
+      "transmission_passwd".owner = config.users.users.colin.name;
+    }
+  ];
 }
 
 

hosts/common/ssh.nix

@@ -1,7 +1,7 @@
 { config, lib, sane-data, sane-lib, ... }:
 
 let
-  inherit (builtins) head map mapAttrs tail;
+  inherit (builtins) attrValues head map mapAttrs tail;
   inherit (lib) concatStringsSep mkMerge reverseList;
 in
 {
@@ -18,11 +18,21 @@ in
 
     # [{ path :: [String], value :: String }] for the keys we want to install
     globalKeys = sane-lib.flattenAttrs sane-data.keys;
+
+    keysForHost = hostCfg: sane-lib.mapToAttrs
+      (name: {
+        inherit name;
+        value = {
+          colin = hostCfg.ssh.user_pubkey;
+          root = hostCfg.ssh.host_pubkey;
+        };
+      })
+      hostCfg.names
+    ;
     domainKeys = sane-lib.flattenAttrs (
-      mapAttrs (host: cfg: {
-        colin = cfg.ssh.user_pubkey;
-        root = cfg.ssh.host_pubkey;
-      }) config.sane.hosts.by-name
+      sane-lib.joinAttrsets (
+        map keysForHost (builtins.attrValues config.sane.hosts.by-name)
+      )
     );
   in mkMerge (map
     ({ path, value }: {
@@ -30,4 +40,15 @@ in
     })
     (globalKeys ++ domainKeys)
   );
+
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "no";
+    settings.PasswordAuthentication = false;
+  };
+  sane.ports.ports."22" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    description = lib.mkDefault "colin-ssh";
+  };
 }

hosts/common/users.nix

@@ -1,138 +0,0 @@
-{ config, pkgs, lib, sane-lib, ... }:
-
-# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
-with lib;
-let
-  cfg = config.sane.guest;
-  fs = sane-lib.fs;
-in
-{
-  options = {
-    sane.guest.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = {
-    # Users are exactly these specified here;
-    # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
-    users.mutableUsers = false;
-
-    # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
-    users.users.colin = {
-      # sets group to "users" (?)
-      isNormalUser = true;
-      home = "/home/colin";
-      createHome = true;
-      homeMode = "0700";
-      # i don't get exactly what this is, but nixos defaults to this non-deterministically
-      # in /var/lib/nixos/auto-subuid-map and i don't want that.
-      subUidRanges = [
-        { startUid=100000; count=1; }
-      ];
-      group = "users";
-      extraGroups = [
-        "wheel"
-        "nixbuild"
-        "networkmanager"
-        # phosh/mobile. XXX colin: unsure if necessary
-        "video"
-        "feedbackd"
-        "dialout" # required for modem access
-      ];
-
-      # initial password is empty, in case anything goes wrong.
-      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
-      initialPassword = lib.mkDefault "";
-      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
-
-      shell = pkgs.zsh;
-
-      # mount encrypted stuff at login
-      # some other nix pam users:
-      # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
-      # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
-      # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
-      pamMount = let
-        priv = config.fileSystems."/home/colin/private";
-      in {
-        fstype = priv.fsType;
-        path = priv.device;
-        mountpoint = priv.mountPoint;
-        options = builtins.concatStringsSep "," priv.options;
-      };
-    };
-
-    security.pam.mount.enable = true;
-
-    sane.users.colin.default = true;
-    # ensure ~ perms are known to sane.fs module.
-    # TODO: this is generic enough to be lifted up into sane.fs itself.
-    sane.fs."/home/colin".dir.acl = {
-      user = "colin";
-      group = config.users.users.colin.group;
-      mode = config.users.users.colin.homeMode;
-    };
-
-    sane.user.persist.plaintext = [
-      "archive"
-      "dev"
-      # TODO: records should be private
-      "records"
-      "ref"
-      "tmp"
-      "use"
-      "Music"
-      "Pictures"
-      "Videos"
-
-      ".cache/nix"
-      ".cache/nix-index"
-
-      # ".cargo"
-      # ".rustup"
-    ];
-
-    # convenience
-    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
-    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
-    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
-    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
-    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
-    sane.user.fs."Pictures/servo-macros" = fs.wantedSymlinkTo "/mnt/servo-media/Pictures/macros";
-
-    # used by password managers, e.g. unix `pass`
-    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
-
-    sane.persist.sys.plaintext = mkIf cfg.enable [
-      # intentionally allow other users to write to the guest folder
-      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
-    ];
-    users.users.guest = mkIf cfg.enable {
-      isNormalUser = true;
-      home = "/home/guest";
-      subUidRanges = [
-        { startUid=200000; count=1; }
-      ];
-      group = "users";
-      initialPassword = lib.mkDefault "";
-      shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = [
-        # TODO: insert pubkeys that should be allowed in
-      ];
-    };
-
-    security.sudo = {
-      enable = true;
-      wheelNeedsPassword = false;
-    };
-
-    services.openssh = {
-      enable = true;
-      settings.PermitRootLogin = "no";
-      settings.PasswordAuthentication = false;
-    };
-  };
-}

hosts/common/users/colin.nix

@@ -0,0 +1,93 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+  users.users.colin = {
+    # sets group to "users" (?)
+    isNormalUser = true;
+    home = "/home/colin";
+    createHome = true;
+    homeMode = "0700";
+    # i don't get exactly what this is, but nixos defaults to this non-deterministically
+    # in /var/lib/nixos/auto-subuid-map and i don't want that.
+    subUidRanges = [
+      { startUid=100000; count=1; }
+    ];
+    group = "users";
+    extraGroups = [
+      "dialout"  # required for modem access (moby)
+      "feedbackd"
+      "input"  # for /dev/input/<xyz>: sxmo
+      "networkmanager"
+      "nixbuild"
+      "transmission"  # servo, to admin /var/lib/uninsane/media
+      "video"  # phosh/mobile. XXX colin: unsure if necessary
+      "wheel"
+      "wireshark"
+    ];
+
+    # initial password is empty, in case anything goes wrong.
+    # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
+    initialPassword = lib.mkDefault "";
+    passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
+
+    shell = pkgs.zsh;
+
+    # mount encrypted stuff at login
+    # some other nix pam users:
+    # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
+    # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
+    # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
+    pamMount = let
+      priv = config.fileSystems."/home/colin/private";
+    in {
+      fstype = priv.fsType;
+      path = priv.device;
+      mountpoint = priv.mountPoint;
+      options = builtins.concatStringsSep "," priv.options;
+    };
+  };
+
+  security.pam.mount.enable = true;
+
+  sane.users.colin = {
+    default = true;
+    # ensure ~ perms are known to sane.fs module.
+    # TODO: this is generic enough to be lifted up into sane.fs itself.
+    fs."/".dir.acl = {
+      user = "colin";
+      group = config.users.users.colin.group;
+      mode = config.users.users.colin.homeMode;
+    };
+
+    persist.plaintext = [
+      "archive"
+      "dev"
+      # TODO: records should be private
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Music"
+      "Pictures"
+      "Videos"
+
+      ".cache/nix"
+
+      # ".cargo"
+      # ".rustup"
+    ];
+
+    # convenience
+    fs."knowledge".symlink.target = "private/knowledge";
+    fs."nixos".symlink.target = "dev/nixos";
+    fs."Books/servo".symlink.target = "/mnt/servo-media/Books";
+    fs."Videos/servo".symlink.target = "/mnt/servo-media/Videos";
+    fs."Videos/servo-incomplete".symlink.target = "/mnt/servo-media/incomplete";
+    fs."Music/servo".symlink.target = "/mnt/servo-media/Music";
+    fs."Pictures/servo-macros".symlink.target = "/mnt/servo-media/Pictures/macros";
+
+    # used by password managers, e.g. unix `pass`
+    fs.".password-store".symlink.target = "knowledge/secrets/accounts";
+  };
+}

hosts/common/users/default.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, lib, sane-lib, ... }:
+
+{
+  imports = [
+    ./colin.nix
+    ./guest.nix
+  ];
+
+  # Users are exactly these specified here;
+  # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+  users.mutableUsers = false;
+
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+}

hosts/common/users/guest.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.sane.guest;
+in
+{
+  options = with lib; {
+    sane.guest.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+
+  config = {
+    users.users.guest = lib.mkIf cfg.enable {
+      isNormalUser = true;
+      home = "/home/guest";
+      subUidRanges = [
+        { startUid=200000; count=1; }
+      ];
+      group = "users";
+      initialPassword = lib.mkDefault "";
+      shell = pkgs.zsh;
+    };
+
+    sane.users.guest.fs.".ssh/authorized_keys".symlink.target = config.sops.secrets."guest/authorized_keys".path or "/dev/null";
+
+    sane.persist.sys.plaintext = lib.mkIf cfg.enable [
+      # intentionally allow other users to write to the guest folder
+      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
+    ];
+  };
+}

hosts/common/vpn.nix

@@ -11,7 +11,7 @@ let
   def-ovpn = name: { endpoint, publicKey, address }: {
     networking.wg-quick.interfaces."ovpnd-${name}" = {
       inherit address;
-      privateKeyFile = config.sops.secrets."wg_ovpnd_${name}_privkey".path;
+      privateKeyFile = config.sops.secrets."wg/ovpnd_${name}_privkey".path;
       dns = [
         "46.227.67.134"
         "192.165.9.158"

hosts/instantiate.nix

@@ -4,7 +4,7 @@
 { hostName, localSystem }:
 
 # module args
-{ config, lib, ... }:
+{ lib, ... }:
 
 {
   imports = [
@@ -15,15 +15,4 @@
 
   networking.hostName = hostName;
   nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
-  sane.cross.enablePatches = localSystem != null;
-
-  # nixpkgs.overlays = [
-  #   (next: prev: {
-  #     # for local != target we by default just emulate the target while building.
-  #     # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
-  #     # to explicitly opt into non-emulated cross compilation for any specific package.
-  #     # this is most beneficial for large packages with few pre-requisites -- like Linux.
-  #     cross = prev.crossFrom."${localSystem}";
-  #   })
-  # ];
 }

hosts/modules/gui/default.nix

@@ -7,9 +7,11 @@ in
 {
   imports = [
     ./gnome.nix
+    ./gtk.nix
     ./phosh.nix
     ./plasma.nix
     ./plasma-mobile.nix
-    ./sway.nix
+    ./sway
+    ./sxmo.nix
   ];
 }