moby: build/deploy kaiteki

vim: disable mouse mode by default >.>
browser: gracefully handle OCSP outages
2022-10-09 04:17:04 -07:00 · 2022-10-08 23:17:26 -07:00 · 2022-10-08 21:54:00 -07:00 · 2022-10-08 21:43:41 -07:00 · 2022-10-08 21:39:37 -07:00 · 2022-10-08 20:12:50 -07:00
40 changed files with 1381 additions and 242 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -19,7 +19,7 @@ creation_rules:
      - *host_lappy
      - *host_servo
      - *host_moby
-  - path_regex: secrets/servo.yaml$
+  - path_regex: secrets/servo*
    key_groups:
    - age:
      - *user_desko_colin
--- a/flake.lock
+++ b/flake.lock
@@ -39,11 +39,11 @@
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1664571968,
-        "narHash": "sha256-bLQ1V4bVm5cy9sPMSIr6aYTcGsCwNatc7Qh3/Ro19b4=",
+        "lastModified": 1664852186,
+        "narHash": "sha256-t0FhmTf3qRs8ScR8H9Rq7FAxptNELLSpxZG2ALL1HnE=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "b082416ae3169e00552b8b0933c9f38ae50f181b",
+        "rev": "ca872f1a617674c4045e880aab8a45037e73700b",
        "type": "github"
      },
      "original": {
@@ -54,11 +54,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1664370076,
-        "narHash": "sha256-NDnIo0nxJozLwEw0VPM+RApMA90uTfbvaNNtC5eB7Os=",
+        "lastModified": 1665081174,
+        "narHash": "sha256-6hsmzdhdy8Kbvl5e0xZNE83pW3fKQvNiobJkM6KQrgA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "854fdc68881791812eddd33b2fed94b954979a8e",
+        "rev": "598f83ebeb2235435189cf84d844b8b73e858e0f",
        "type": "github"
      },
      "original": {
@@ -69,11 +69,11 @@
    },
    "nixpkgs-22_05": {
      "locked": {
-        "lastModified": 1664201777,
-        "narHash": "sha256-cUW9DqELUNi1jNMwVSbfq4yl5YGyOfeu+UHUUImbby0=",
+        "lastModified": 1665279158,
+        "narHash": "sha256-TpbWNzoJ5RaZ302dzvjY2o//WxtOJuYT3CnDj5N69Hs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "00f877f4927b6f7d7b75731b5a1e2ae7324eaf14",
+        "rev": "b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5",
        "type": "github"
      },
      "original": {
@@ -83,13 +83,28 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1664177230,
-        "narHash": "sha256-eyo88ffm16I0K9cdcePbOsQg4MDjf1EgIdkGTLB/7iA=",
+        "lastModified": 1665132027,
+        "narHash": "sha256-zoHPqSQSENt96zTk6Mt1AP+dMNqQDshXKQ4I6MfjP80=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ff9793cfd1a25145a7e591af604675b3d6f68987",
+        "rev": "9ecc270f02b09b2f6a76b98488554dd842797357",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-22.05",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1665197809,
+        "narHash": "sha256-dRUzv/zNYV2EYtnxFG31pPBk0nErT+MBTu6ZJHm1o2A=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7b06206fa24198912cea58de690aa4943f238fbf",
        "type": "github"
      },
      "original": {
@@ -105,6 +120,7 @@
        "impermanence": "impermanence",
        "mobile-nixos": "mobile-nixos",
        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable",
        "sops-nix": "sops-nix"
      }
    },
@@ -114,11 +130,11 @@
        "nixpkgs-22_05": "nixpkgs-22_05"
      },
      "locked": {
-        "lastModified": 1664204020,
-        "narHash": "sha256-LAey3hr8b9EAt3n304Wt9Vm4uQFd8pSRtLX8leuYFDs=",
+        "lastModified": 1665289655,
+        "narHash": "sha256-j1Q9mNBhbzeJykhObiXwEGres9qvP4vH7gxdJ+ihkLI=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "912f9ff41fd9353dec1f783170793699789fe9aa",
+        "rev": "0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,7 @@

 {
  inputs = {
-    # nixpkgs.url = "nixpkgs/nixos-22.05";
+    nixpkgs-stable.url = "nixpkgs/nixos-22.05";
    nixpkgs.url = "nixpkgs/nixos-unstable";
    mobile-nixos = {
      url = "github:nixos/mobile-nixos";
@@ -14,11 +14,12 @@
      url = "github:nix-community/home-manager/release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    # TODO: set these up to follow our nixpkgs?
    sops-nix.url = "github:Mic92/sops-nix";
    impermanence.url = "github:nix-community/impermanence";
  };

-  outputs = { self, nixpkgs, mobile-nixos, home-manager, sops-nix, impermanence }:
+  outputs = { self, nixpkgs, nixpkgs-stable, mobile-nixos, home-manager, sops-nix, impermanence }:
  let
    patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
      name = "nixpkgs-patched-uninsane";
@@ -49,11 +50,14 @@
          nixpkgs.overlays = [
            (import "${mobile-nixos}/overlay/overlay.nix")
            (import ./pkgs/overlay.nix)
-            (next: prev: {
+            (next: prev: rec {
              # non-emulated packages build *from* local *for* target.
              # for large packages like the linux kernel which are expensive to build under emulation,
              # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
              cross = (nixpkgsFor local target) // (customPackagesFor local target);
+              stable = import nixpkgs-stable { system = target; };
+              # pinned packages:
+              electrum = stable.electrum;
            })
          ];
        }
--- a/machines/moby/default.nix
+++ b/machines/moby/default.nix
@@ -1,9 +1,6 @@
 { config, pkgs, lib, mobile-nixos, ... }:
 {
  imports = [
-    # (import "${mobile-nixos}/lib/configuration.nix" {
-    #   device = "pine64-pinephone";
-    # })
    ./firmware.nix
    ./fs.nix
    ./kernel.nix
@@ -25,26 +22,6 @@
    ".librewolf"
  ];

-  # sane.home-manager.extraPackages = [
-  #   # for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
-  #   pkgs.angelfish  # plasma mobile web browser; broken on phosh (poor wayland support)
-  #   # pkgs.plasma5Packages.index  # file browser
-  #   pkgs.plasma5Packages.konsole  # terminal
-  #   # pkgs.plasma5Packages.pix  # picture viewer
-  #   pkgs.plasma5Packages.kalk  # calculator; broken on phosh
-  #   # pkgs.plasma5Packages.buho  # (plasma mobile?) note application
-  #   pkgs.plasma5Packages.kasts  #  podcast app; works on phosh after setting QT envar
-  #   pkgs.plasma5Packages.koko  # image gallery; broken on phosh
-  #   pkgs.plasma5Packages.kwave  # media player.
-  #   # pkgs.plasma5Packages.neochat  #  matrix client. needs qcoro => no aarch64 support
-  #   # pkgs.plasma5Packages.plasma-dialer  # phone dialer
-  #   # pkgs.plasma5Packages.plasma-mobile  # the whole shebang?
-  #   # pkgs.plasma5Packages.plasma-settings
-  #   pkgs.plasma5Packages.bomber  # arcade game; broken on phosh
-  #   pkgs.plasma5Packages.kapman  # pacman
-  #   pkgs.st  # suckless terminal; broken on phosh
-  #   # pkgs.alacritty  # terminal; crashes phosh
-  # ];
  # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
  sane.home-manager.extraPackages = [
    pkgs.plasma5Packages.konsole  # terminal
@@ -65,6 +42,12 @@
  # the filtering/calibration is bad that it causes the screen to go fully dark at times.
  boot.blacklistedKernelModules = [ "stk3310" ];

+  # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
+  # this is because they can't allocate enough video ram.
+  # the default CMA seems to be 32M. we could probably get by with as little as 64M, and safely with 128M.
+  # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
+  boot.kernelParams = [ "cma=256M" ];
+
  # mobile-nixos' /lib/firmware includes:
  #   rtl_bt          (bluetooth)
  #   anx7688-fw.bin  (USB-C -> HDMI bridge)
--- a/machines/moby/firmware.nix
+++ b/machines/moby/firmware.nix
@@ -4,7 +4,7 @@
  # only actually need 1 MB, but better to over-allocate than under-allocate
  sane.image.extraGPTPadding = 16 * 1024 * 1024;
  sane.image.firstPartGap = 0;
-  system.build.img = pkgs.runCommandNoCC "nixos_full-disk-image.img" {} ''
+  system.build.img = pkgs.runCommand "nixos_full-disk-image.img" {} ''
    cp -v ${config.system.build.img-without-firmware}/nixos.img $out
    chmod +w $out
    dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
--- a/machines/moby/kernel.nix
+++ b/machines/moby/kernel.nix
@@ -114,7 +114,7 @@ in
  # - phone rotation sensor is off by 90 degrees
  # - ambient light sensor causes screen brightness to be shakey
  # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.cross.linux-megous;
+  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;

  boot.kernelPatches = [
    (patchDefconfig (kernelConfig //
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -6,18 +6,7 @@
    ./hardware.nix
    ./net.nix
    ./users.nix
-    ./services/ddns-he.nix
-    ./services/gitea.nix
-    ./services/ipfs.nix
-    ./services/jackett.nix
-    ./services/jellyfin.nix
-    ./services/matrix
-    ./services/navidrome.nix
-    ./services/nginx.nix
-    ./services/pleroma.nix
-    ./services/postfix.nix
-    ./services/postgres.nix
-    ./services/transmission.nix
+    ./services
  ];

  sane.home-manager.enable = true;
--- a/machines/servo/services/default.nix
+++ b/machines/servo/services/default.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+  imports = [
+    ./ddns-he.nix
+    ./gitea.nix
+    ./ipfs.nix
+    ./jackett.nix
+    ./jellyfin.nix
+    ./matrix
+    ./navidrome.nix
+    ./nginx.nix
+    ./pleroma.nix
+    ./postfix.nix
+    ./postgres.nix
+    ./transmission.nix
+  ];
+}
--- a/machines/servo/services/ipfs.nix
+++ b/machines/servo/services/ipfs.nix
@@ -12,15 +12,15 @@
    # TODO: mode? could be more granular
    { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
  ];
-  services.ipfs.enable = true;
-  services.ipfs.localDiscovery = true;
-  services.ipfs.swarmAddress = [
+  # services.ipfs.enable = true;
+  services.kubo.localDiscovery = true;
+  services.kubo.swarmAddress = [
    # "/dns4/ipfs.uninsane.org/tcp/4001"
    # "/ip4/0.0.0.0/tcp/4001"
    "/dns4/ipfs.uninsane.org/udp/4001/quic"
    "/ip4/0.0.0.0/udp/4001/quic"
  ];
-  services.ipfs.extraConfig = {
+  services.kubo.extraConfig = {
    Addresses = {
      Announce = [
        # "/dns4/ipfs.uninsane.org/tcp/4001"
--- a/machines/servo/services/matrix/default.nix
+++ b/machines/servo/services/matrix/default.nix
@@ -1,13 +1,16 @@
 # docs: https://nixos.wiki/wiki/Matrix
 # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
-{ config, ... }:
+{ config, lib, ... }:

 {
+  imports = [
+    # ./discord-appservice.nix
+    ./discord-puppet.nix
+    # ./irc.nix
+  ];
+
  sane.impermanence.service-dirs = [
-    # TODO: mode?
-    # user and group are both "matrix-appservice-irc"
-    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
-    { user = "224"; group = "224"; directory = "/var/lib/matrix-synapse"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
@@ -62,9 +65,6 @@
  #     subjects:
  #       email_validation: "[%(server_name)s] Validate your email"
  # ''];
-  services.matrix-synapse.settings.app_service_config_files = [
-    "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
-  ];

  # new users may be registered on the CLI:
  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
@@ -78,90 +78,6 @@
  # create a token with limited uses:
  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new

-  # IRC bridging
-  # note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
-  # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
-  # services.matrix-appservice-irc.enable = true;
-  services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
-  # settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
-  services.matrix-appservice-irc.settings = {
-    homeserver = {
-      url = "http://127.0.0.1:8008";
-      dropMatrixMessagesAfterSecs = 300;
-      domain = "uninsane.org";
-      enablePresence = true;
-      bindPort = 9999;
-      bindHost = "127.0.0.1";
-    };
-
-    ircService = {
-      servers = {
-        "irc.rizon.net" = {
-          name = "Rizon";
-          port = 6697;  # SSL port
-          ssl = true;
-          sasl = true;  # appservice doesn't support NickServ identification
-          botConfig = {
-            # bot has no presence in IRC channel; only real Matrix users
-            enabled = false;
-            # nick = "UninsaneDotOrg";
-            nick = "uninsane";
-            username = "uninsane";
-          };
-          dynamicChannels = {
-            enabled = true;
-            aliasTemplate = "#irc_rizon_$CHANNEL";
-          };
-          ircClients = {
-            nickTemplate = "$LOCALPARTsane";
-            # by default, Matrix will convert messages greater than (3) lines into a pastebin-like URL to send to IRC.
-            lineLimit = 20;
-          };
-          matrixClients = {
-            userTemplate = "@irc_rizon_$NICK";  # the :uninsane.org part is appended automatically
-          };
-
-          # this will let this user message the appservice with `!join #<IRCChannel>` and the rest "Just Works"
-          "@colin:uninsane.org" = "admin";
-
-          membershipLists = {
-            enabled = true;
-            global = {
-              ircToMatrix = {
-                initial = true;
-                incremental = true;
-                requireMatrixJoined = false;
-              };
-              matrixToIrc = {
-                initial = true;
-                incremental = true;
-              };
-            };
-          };
-          # sync room description?
-          bridgeInfoState = {
-            enabled = true;
-            initial = true;
-          };
-
-          # hardcoded mappings, for when dynamicChannels fails us. TODO: probably safe to remove these.
-          # mappings = {
-          #   "#chat" = {
-          #     roomIds = [ "!GXJSOTdbtxRboGtDep:uninsane.org" ];
-          #   };
-          #   # BakaBT requires account registration, which i think means my user needs to be added before the appservice user
-          #   "#BakaBT" = {
-          #     roomIds = [ "!feZKttuYuHilqPFSkD:uninsane.org" ];
-          #   };
-          # };
-          # for per-user IRC password:
-          #   invite @irc_rizon_NickServ:uninsane.org to a DM and type `help`  => register
-          #   invite the matrix-appservice-irc user to a DM and type `!help`   => add PW to database
-          # passwordEncryptionKeyPath = "/path/to/privkey";  # appservice will generate its own if unspecified
-        };
-      };
-    };
-  };

  sops.secrets.matrix_synapse_secrets = {
    sopsFile = ../../../../secrets/servo.yaml;
--- a/machines/servo/services/matrix/discord-appservice.nix
+++ b/machines/servo/services/matrix/discord-appservice.nix
@@ -0,0 +1,69 @@
+{ config, lib, ... }:
+
+{
+  sane.impermanence.service-dirs = [
+    { user = "matrix-appservice-discord"; group = "matrix-appservice-discord"; directory = "/var/lib/matrix-appservice-discord"; }
+  ];
+
+  sops.secrets.matrix_appservice_discord_env = {
+    sopsFile = ../../../../secrets/servo/matrix_appservice_discord_env.bin;
+    owner = config.users.users.matrix-appservice-discord.name;
+    format = "binary";
+  };
+
+  services.matrix-synapse.settings.app_service_config_files = [
+    # auto-created by discord appservice
+    "/var/lib/matrix-appservice-discord/discord-registration.yaml"
+  ];
+
+  # Discord bridging
+  # docs: https://github.com/matrix-org/matrix-appservice-discord
+  services.matrix-appservice-discord.enable = true;
+  services.matrix-appservice-discord.settings = {
+    bridge = {
+      homeserverUrl = "http://127.0.0.1:8008";
+      domain = "uninsane.org";
+      adminMxid = "admin.matrix@uninsane.org";
+      # self-service bridging is when a Matrix user bridges by DMing @_discord_bot:<HS>
+      # i don't know what the alternative is :?
+      enableSelfServiceBridging = true;
+      presenceInterval = 30000; # milliseconds
+      # allows matrix users to search for Discord channels (somehow?)
+      disablePortalBridging = false;
+      # disableReadReceipts = true;
+      # these are Matrix -> Discord
+      disableJoinLeaveNotifications = true;
+      disableInviteNotifications = true;
+      disableRoomTopicNotifications = true;
+    };
+    # these are marked as required in the yaml schema
+    auth = {
+      # apparently not needed if you provide them as env vars (below).
+      # clientId = "FILLME";
+      # botToken = "FILLME";
+      usePrivilegedIntents = false;
+    };
+    logging = {
+      # silly, verbose, info, http, warn, error, silent
+      console = "verbose";
+    };
+  };
+  # contains what's ordinarily put into auth.clientId, auth.botToken
+  # i.e. `APPSERVICE_DISCORD_AUTH_CLIENT_I_D=...` and `APPSERVICE_DISCORD_AUTH_BOT_TOKEN=...`
+  services.matrix-appservice-discord.environmentFile = config.sops.secrets.matrix_appservice_discord_env.path;
+
+  systemd.services.matrix-appservice-discord.serviceConfig = {
+    # fix up to not use /var/lib/private, but just /var/lib
+    DynamicUser = lib.mkForce false;
+    User = "matrix-appservice-discord";
+    Group = "matrix-appservice-discord";
+  };
+  users.groups.matrix-appservice-discord = {};
+  users.users.matrix-appservice-discord = {
+    description = "User for the Matrix-Discord bridge";
+    group = "matrix-appservice-discord";
+    isSystemUser = true;
+  };
+  users.users.matrix-appservice-discord.uid = 2134;  # TODO: move to allocations
+  users.groups.matrix-appservice-discord.gid = 2134;  # TODO
+}
--- a/machines/servo/services/matrix/discord-puppet.nix
+++ b/machines/servo/services/matrix/discord-puppet.nix
@@ -0,0 +1,52 @@
+{ lib, ... }:
+{
+  sane.impermanence.service-dirs = [
+    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
+  ];
+
+  services.matrix-synapse.settings.app_service_config_files = [
+    # auto-created by mx-puppet-discord service
+    "/var/lib/mx-puppet-discord/discord-registration.yaml"
+  ];
+
+  services.mx-puppet-discord.enable = true;
+  # schema/example: <https://gitlab.com/mx-puppet/discord/mx-puppet-discord/-/blob/main/sample.config.yaml>
+  services.mx-puppet-discord.settings = {
+    bridge = {
+      # port = 8434
+      bindAddress = "127.0.0.1";
+      domain = "uninsane.org";
+      homeserverUrl = "http://127.0.0.1:8008";
+      # displayName = "mx-discord-puppet";  # matrix name for the bot
+      # matrix "groups" were an earlier version of spaces.
+      # maybe the puppet understands this, maybe not?
+      enableGroupSync = false;
+    };
+    presence = {
+      enabled = false;
+      interval = 30000;
+    };
+    provisioning = {
+      # allow these users to control the puppet
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    relay = {
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    selfService = {
+      # who's allowed to use plumbed rooms (idk what that means)
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    logging = {
+      # silly, debug, verbose, info, warn, error
+      console = "debug";
+    };
+  };
+
+  systemd.services.mx-puppet-discord.serviceConfig = {
+    # fix up to not use /var/lib/private, but just /var/lib
+    DynamicUser = lib.mkForce false;
+    User = "matrix-synapse";
+    Group = "matrix-synapse";
+  };
+}
--- a/machines/servo/services/matrix/irc.nix
+++ b/machines/servo/services/matrix/irc.nix
@@ -0,0 +1,97 @@
+{ config, lib, ... }:
+
+{
+  sane.impermanence.service-dirs = [
+    # TODO: mode?
+    # user and group are both "matrix-appservice-irc"
+    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
+  ];
+
+  services.matrix-synapse.settings.app_service_config_files = [
+    "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
+  ];
+
+  # note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
+  # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
+  services.matrix-appservice-irc.enable = true;
+  services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
+  # settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
+  services.matrix-appservice-irc.settings = {
+    homeserver = {
+      url = "http://127.0.0.1:8008";
+      dropMatrixMessagesAfterSecs = 300;
+      domain = "uninsane.org";
+      enablePresence = true;
+      bindPort = 9999;
+      bindHost = "127.0.0.1";
+    };
+
+    ircService = {
+      servers = {
+        "irc.rizon.net" = {
+          name = "Rizon";
+          port = 6697;  # SSL port
+          ssl = true;
+          sasl = true;  # appservice doesn't support NickServ identification
+          botConfig = {
+            # bot has no presence in IRC channel; only real Matrix users
+            enabled = false;
+            # nick = "UninsaneDotOrg";
+            nick = "uninsane";
+            username = "uninsane";
+          };
+          dynamicChannels = {
+            enabled = true;
+            aliasTemplate = "#irc_rizon_$CHANNEL";
+          };
+          ircClients = {
+            nickTemplate = "$LOCALPARTsane";
+            # by default, Matrix will convert messages greater than (3) lines into a pastebin-like URL to send to IRC.
+            lineLimit = 20;
+          };
+          matrixClients = {
+            userTemplate = "@irc_rizon_$NICK";  # the :uninsane.org part is appended automatically
+          };
+
+          # this will let this user message the appservice with `!join #<IRCChannel>` and the rest "Just Works"
+          "@colin:uninsane.org" = "admin";
+
+          membershipLists = {
+            enabled = true;
+            global = {
+              ircToMatrix = {
+                initial = true;
+                incremental = true;
+                requireMatrixJoined = false;
+              };
+              matrixToIrc = {
+                initial = true;
+                incremental = true;
+              };
+            };
+          };
+          # sync room description?
+          bridgeInfoState = {
+            enabled = true;
+            initial = true;
+          };
+
+          # hardcoded mappings, for when dynamicChannels fails us. TODO: probably safe to remove these.
+          # mappings = {
+          #   "#chat" = {
+          #     roomIds = [ "!GXJSOTdbtxRboGtDep:uninsane.org" ];
+          #   };
+          #   # BakaBT requires account registration, which i think means my user needs to be added before the appservice user
+          #   "#BakaBT" = {
+          #     roomIds = [ "!feZKttuYuHilqPFSkD:uninsane.org" ];
+          #   };
+          # };
+          # for per-user IRC password:
+          #   invite @irc_rizon_NickServ:uninsane.org to a DM and type `help`  => register
+          #   invite the matrix-appservice-irc user to a DM and type `!help`   => add PW to database
+          # passwordEncryptionKeyPath = "/path/to/privkey";  # appservice will generate its own if unspecified
+        };
+      };
+    };
+  };
+}
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -33,6 +33,9 @@ in
      };
    };

+    # some programs (e.g. fractal) **require** a "Secret Service Provider"
+    services.gnome.gnome-keyring.enable = true;
+
    # unlike other DEs, sway configures no audio stack
    # administer with pw-cli, pw-mon, pw-top commands
    services.pipewire = {
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -58,6 +58,7 @@ in
        ".cargo"
        ".rustup"
        ".ssh"
+        ".local/share/keyrings"
        # intentionally omitted:
        # ".config"  # managed by home-manager
        # ".local"   # nothing useful in here
--- a/modules/universal/env/default.nix
+++ b/modules/universal/env/default.nix
@@ -13,6 +13,7 @@
    EDITOR = "vim";
    # git claims it should use EDITOR, but it doesn't!
    GIT_EDITOR = "vim";
+    # TODO: these should be moved to `home.sessionVariables` (home-manager)
    # Electron apps should use native wayland backend:
    #   https://nixos.wiki/wiki/Slack#Wayland
    # Discord under sway crashes with this.
--- a/modules/universal/env/home-manager.nix
+++ b/modules/universal/env/home-manager.nix
@@ -79,6 +79,10 @@ in
    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
    home-manager.users.colin = let sysconfig = config; in { config, ... }: {

+      # run `home-manager-help` to access manpages
+      # or `man home-configuration.nix`
+      manual.html.enable = true;
+
      home.packages = pkglist cfg.extraPackages;
      wayland.windowManager = cfg.windowManager;

@@ -86,6 +90,14 @@ in
      home.username = "colin";
      home.homeDirectory = "/home/colin";

+      home.activation = {
+        initKeyring = {
+          after = ["writeBoundary"];
+          before = [];
+          data = "${../../../scripts/init-keyring}";
+        };
+      };
+
      # XDG defines things like ~/Desktop, ~/Downloads, etc.
      # these clutter the home, so i mostly don't use them.
      xdg.userDirs = {
@@ -131,6 +143,9 @@ in
      # convenience
      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
+      home.file."Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
+      home.file."Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
+      home.file."Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";

      # nb markdown/personal knowledge manager
      home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
@@ -158,6 +173,12 @@ in
         }
        }
      '';
+      home.file.".librewolf/librewolf.overrides.cfg".text = ''
+        // if we can't query the revocation status of a SSL cert because the issuer is offline,
+        // treat it as unrevoked.
+        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+        defaultPref("security.OCSP.require", false);
+      '';

      # aerc TUI mail client
      xdg.configFile."aerc/accounts.conf".source =
@@ -241,6 +262,7 @@ in
          "https://www.lynalden.com/feed" = { tags = [ "infrequent" "pol" ]; };
          "https://austinvernon.site/rss.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://oversharing.substack.com/feed" = { tags = [ "daily" "pol" ]; };
+          "https://doomberg.substack.com/feed" = { tags = [ "weekly" "tech" ]; };
          ## David Rosenthal
          "https://blog.dshr.org/rss.xml" = { tags = [ "weekly" "pol" ]; };
          ## Matt Levine
@@ -325,6 +347,11 @@ in
            # run p10k configure to configure, but it can't write out its file :-(
            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
          '';
+          initExtra = ''
+            # zmv is a way to do rich moves/renames, with pattern matching/substitution.
+            # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
+            autoload -Uz zmv
+          '';

          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
          # see: https://github.com/sorin-ionescu/prezto
@@ -496,6 +523,10 @@ in
            })
          ];
          extraConfig = ''
+            " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
+            " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
+            set mouse=
+
            " copy/paste to system clipboard
            set clipboard=unnamedplus

--- a/modules/universal/env/home-packages.nix
+++ b/modules/universal/env/home-packages.nix
@@ -11,6 +11,7 @@ let
    ifuse
    ipfs
    libimobiledevice
+    libsecret  # for managing user keyrings
    lm_sensors  # for sensors-detect
    lshw
    ffmpeg
@@ -24,14 +25,17 @@ let
    # ponymix
    pulsemixer
    python3
+    # python3Packages.eyeD3  # music tagging
    rmlint
    sane-scripts
    sequoia
    snapper
    sops
    speedtest-cli
+    sqlite  # to debug sqlite3 databases
    ssh-to-age
    sudo
+    # tageditor  # music tagging
    unar
    visidata
    w3m
@@ -54,10 +58,16 @@ let
    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    evince  # works on phosh

-    { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
+    # { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?

    foliate
    font-manager
+
+    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+    # then reboot (so that libsecret daemon re-loads the keyring...?)
+    { pkg = fractal-next; dir = ".local/share/fractal"; }
+
    gimp  # broken on phosh
    gnome.cheese
    gnome.dconf-editor
@@ -75,6 +85,11 @@ let

    gthumb
    inkscape
+
+    kaiteki  # Pleroma client
+    gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+
+    kid3  # audio tagging
    krita
    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
    lollypop
@@ -85,6 +100,7 @@ let
    { pkg = obsidian; dir = ".config/obsidian"; }

    pavucontrol
+    picard  # music tagging
    playerctl
    soundconverter
    # sublime music persists any downloaded albums here.
@@ -112,9 +128,6 @@ let
      nss = pkgs.nss_latest;
    }); in { pkg = discord; dir = ".config/discord"; })

-    # kaiteki  # Pleroma client
-    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
-
    logseq
    losslesscut-bin
    makemkv
--- a/modules/universal/net.nix
+++ b/modules/universal/net.nix
@@ -37,6 +37,7 @@
    ''
  );

+  # TODO: use a glob, or a list, or something?
  sops.secrets."iwd/community-university.psk" = {
    sopsFile = ../../secrets/universal/net/community-university.psk.bin;
    format = "binary";
@@ -61,4 +62,8 @@
    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
    format = "binary";
  };
+  sops.secrets."iwd/iphone" = {
+    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
+    format = "binary";
+  };
 }
--- a/nixpatches/10-flutter-arm64.patch
+++ b/nixpatches/10-flutter-arm64.patch
@@ -11,7 +11,7 @@ index 565c44f72e9..f20a3d4e9be 100644
 
 +let vendorHashes = {
 +  x86_64-linux = "sha256-p5EJP2zSvWyRV1uyTHw0EpFsEwAGtX5B9WVjpLmnVew=";
-+  aarch64-linux = "sha256-DVMVPCab+7tSNRKwioQXi0WZnlpvm5tIhO/l1vFX3J8=";
+  aarch64-linux = "sha256-Ps0HmDI6BFxHrLRq3KWNk4hw0qneq5hqB/Mp99f+hO4=";
 +};
 +in
 flutter.mkFlutterApp rec {
--- a/nixpatches/11-flutter-3.3.3-189338.patch
+++ b/nixpatches/11-flutter-3.3.3-189338.patch
@@ -0,0 +1,646 @@
+diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+index d50e7118cc1..22bbeb212f0 100644
+--- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+@@ -1,16 +1,16 @@
+ { lib
+ , fetchFromGitLab
+-, flutter
+, flutter2
+ , olm
+ , imagemagick
+ , makeDesktopItem
+ }:
+ 
+-flutter.mkFlutterApp rec {
+flutter2.mkFlutterApp rec {
+   pname = "fluffychat";
+   version = "1.2.0";
+ 
+-  vendorHash = "sha256-co+bnsVIyg42JpM9FimfGEjrd6A99GlBeow1Dgv7NBI=";
+  vendorHash = "sha256-1PDX023WXRmRe/b1L+6Du91BvGwYNp3YATqYSQdPrRY=";
+ 
+   src = fetchFromGitLab {
+     owner = "famedly";
+diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
+index 4529d2adc1a..02188335129 100644
+--- a/pkgs/development/compilers/flutter/default.nix
+++ b/pkgs/development/compilers/flutter/default.nix
+@@ -4,34 +4,40 @@ let
+   getPatches = dir:
+     let files = builtins.attrNames (builtins.readDir dir);
+     in map (f: dir + ("/" + f)) files;
+-  version = "3.0.4";
+-  channel = "stable";
+-  filename = "flutter_linux_${version}-${channel}.tar.xz";
+-
+-  # Decouples flutter derivation from dart derivation,
+-  # use specific dart version to not need to bump dart derivation when bumping flutter.
+-  dartVersion = "2.17.5";
+-  dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
+-  dartForFlutter = dart.override {
+-    version = dartVersion;
+-    sources = {
+-      "${dartVersion}-x86_64-linux" = fetchurl {
+-        url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
+-        sha256 = "sha256-AFJGeiPsjUZSO+DykmOIFETg2jIohg62tp3ghZrKJFk=";
+  flutterDrv = { version, pname, dartVersion, hash, dartHash, patches }: mkFlutter {
+    inherit version pname patches;
+    dart = dart.override {
+      version = dartVersion;
+      sources = {
+        "${dartVersion}-x86_64-linux" = fetchurl {
+          url = "https://storage.googleapis.com/dart-archive/channels/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
+          sha256 = dartHash;
+        };
+       };
+     };
+    src = fetchurl {
+      url = "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${version}-stable.tar.xz";
+      sha256 = hash;
+    };
+   };
+ in
+ {
+   inherit mkFlutter;
+-  stable = mkFlutter rec {
+-    inherit version;
+-    dart = dartForFlutter;
+  stable = flutterDrv {
+     pname = "flutter";
+-    src = fetchurl {
+-      url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
+-      sha256 = "sha256-vh3QjLGFBN321DUET9XhYqSkILjEj+ZqAALu/mxY+go=";
+-    };
+-    patches = getPatches ./patches;
+    version = "3.3.3";
+    dartVersion = "2.18.2";
+    hash = "sha256-MTZeWQUp4/TcPzYIT6eqIKSPUPvn2Mp/thOQzNgpTXg=";
+    dartHash = "sha256-C3+YjecXLvSmJrLwi9H7TgD9Np0AArRWx3EdBrfQpTU";
+    patches = getPatches ./patches/flutter3;
+  };
+
+  v2 = flutterDrv {
+    pname = "flutter";
+    version = "2.10.5";
+    dartVersion = "2.16.2";
+    hash = "sha256-DTZwxlMUYk8NS1SaWUJolXjD+JnRW73Ps5CdRHDGnt0=";
+    dartHash = "sha256-egrYd7B4XhkBiHPIFE2zopxKtQ58GqlogAKA/UeiXnI=";
+    patches = getPatches ./patches/flutter2;
+   };
+ }
+diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
+index 28a78c3e306..f2c861356ab 100644
+--- a/pkgs/development/compilers/flutter/flutter.nix
+++ b/pkgs/development/compilers/flutter/flutter.nix
+@@ -65,7 +65,7 @@ let
+       popd
+ 
+       local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
+-      ${dart}/bin/dart --snapshot="$SNAPSHOT_PATH" --packages="$FLUTTER_TOOLS_DIR/.packages" "$SCRIPT_PATH"
+      ${dart}/bin/dart --snapshot="$SNAPSHOT_PATH" --packages="$FLUTTER_TOOLS_DIR/.dart_tool/package_config.json" "$SCRIPT_PATH"
+       echo "$revision" > "$STAMP_PATH"
+       echo -n "${version}" > version
+ 
+diff --git a/pkgs/development/compilers/flutter/patches/disable-auto-update.patch b/pkgs/development/compilers/flutter/patches/flutter2/disable-auto-update.patch
+similarity index 100%
+rename from pkgs/development/compilers/flutter/patches/disable-auto-update.patch
+rename to pkgs/development/compilers/flutter/patches/flutter2/disable-auto-update.patch
+diff --git a/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch b/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch
+new file mode 100644
+index 00000000000..0136ef93106
+--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch
+@@ -0,0 +1,80 @@
+diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
+index 468a91a954..5def6897ce 100644
+--- a/dev/bots/prepare_package.dart
++++ b/dev/bots/prepare_package.dart
+@@ -525,7 +525,7 @@ class ArchiveCreator {
+ 
+   Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
+     return _processRunner.runProcess(
+-      <String>['git', ...args],
++      <String>['git', '--git-dir', '.git', ...args],
+       workingDirectory: workingDirectory ?? flutterRoot,
+     );
+   }
+diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
+index f2068a6ca2..99b161689e 100644
+--- a/packages/flutter_tools/lib/src/version.dart
++++ b/packages/flutter_tools/lib/src/version.dart
+@@ -106,7 +106,7 @@ class FlutterVersion {
+     String? channel = _channel;
+     if (channel == null) {
+       final String gitChannel = _runGit(
+-        'git rev-parse --abbrev-ref --symbolic @{u}',
++        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
+         globals.processUtils,
+         _workingDirectory,
+       );
+@@ -114,7 +114,7 @@ class FlutterVersion {
+       if (slash != -1) {
+         final String remote = gitChannel.substring(0, slash);
+         _repositoryUrl = _runGit(
+-          'git ls-remote --get-url $remote',
++          'git --git-dir .git ls-remote --get-url $remote',
+           globals.processUtils,
+           _workingDirectory,
+         );
+@@ -326,7 +326,7 @@ class FlutterVersion {
+   /// the branch name will be returned as `'[user-branch]'`.
+   String getBranchName({ bool redactUnknownBranches = false }) {
+     _branch ??= () {
+-      final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
++      final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
+       return branch == 'HEAD' ? channel : branch;
+     }();
+     if (redactUnknownBranches || _branch!.isEmpty) {
+@@ -359,7 +359,7 @@ class FlutterVersion {
+   /// wrapper that does that.
+   @visibleForTesting
+   static List<String> gitLog(List<String> args) {
+-    return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
++    return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
+   }
+ 
+   /// Gets the release date of the latest available Flutter version.
+@@ -730,7 +730,7 @@ class GitTagVersion {
+ 
+   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
+     if (fetchTags) {
+-      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
++      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
+       if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
+         globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
+       } else {
+@@ -739,7 +739,7 @@ class GitTagVersion {
+     }
+     // find all tags attached to the given [gitRef]
+     final List<String> tags = _runGit(
+-      'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
++      'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
+ 
+     // Check first for a stable tag
+     final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
+@@ -760,7 +760,7 @@ class GitTagVersion {
+     // recent tag and number of commits past.
+     return parse(
+       _runGit(
+-        'git describe --match *.*.* --long --tags $gitRef',
++        'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
+         processUtils,
+         workingDirectory,
+       )
+diff --git a/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch b/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch
+new file mode 100644
+index 00000000000..a81d2def242
+--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch
+@@ -0,0 +1,72 @@
+diff --git a/packages/flutter_tools/lib/src/asset.dart b/packages/flutter_tools/lib/src/asset.dart
+index ed42baea29..12941f733a 100644
+--- a/packages/flutter_tools/lib/src/asset.dart
++++ b/packages/flutter_tools/lib/src/asset.dart
+@@ -11,11 +11,11 @@ import 'base/file_system.dart';
+ import 'base/logger.dart';
+ import 'base/platform.dart';
+ import 'build_info.dart';
+-import 'cache.dart';
+ import 'convert.dart';
+ import 'dart/package_map.dart';
+ import 'devfs.dart';
+ import 'flutter_manifest.dart';
++import 'globals.dart' as globals;
+ import 'license_collector.dart';
+ import 'project.dart';
+ 
+@@ -504,7 +504,7 @@ class ManifestAssetBundle implements AssetBundle {
+         }
+         final Uri entryUri = _fileSystem.path.toUri(asset);
+         result.add(_Asset(
+-          baseDir: _fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'artifacts', 'material_fonts'),
++          baseDir: _fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts'),
+           relativeUri: Uri(path: entryUri.pathSegments.last),
+           entryUri: entryUri,
+           package: null,
+diff --git a/packages/flutter_tools/lib/src/cache.dart b/packages/flutter_tools/lib/src/cache.dart
+index defc86cc20..7fdf14d112 100644
+--- a/packages/flutter_tools/lib/src/cache.dart
++++ b/packages/flutter_tools/lib/src/cache.dart
+@@ -22,6 +22,7 @@ import 'base/user_messages.dart';
+ import 'build_info.dart';
+ import 'convert.dart';
+ import 'features.dart';
++import 'globals.dart' as globals;
+ 
+ const String kFlutterRootEnvironmentVariableName = 'FLUTTER_ROOT'; // should point to //flutter/ (root of flutter/flutter repo)
+ const String kFlutterEngineEnvironmentVariableName = 'FLUTTER_ENGINE'; // should point to //engine/src/ (root of flutter/engine repo)
+@@ -322,8 +323,13 @@ class Cache {
+       return;
+     }
+     assert(_lock == null);
++    final Directory dir = _fileSystem.directory(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter'));
++    if (!dir.existsSync()) {
++      dir.createSync(recursive: true);
++      globals.os.chmod(dir, '755');
++    }
+     final File lockFile =
+-      _fileSystem.file(_fileSystem.path.join(flutterRoot!, 'bin', 'cache', 'lockfile'));
++      _fileSystem.file(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'lockfile'));
+     try {
+       _lock = lockFile.openSync(mode: FileMode.write);
+     } on FileSystemException catch (e) {
+@@ -382,8 +388,7 @@ class Cache {
+ 
+   String get devToolsVersion {
+     if (_devToolsVersion == null) {
+-      const String devToolsDirPath = 'dart-sdk/bin/resources/devtools';
+-      final Directory devToolsDir = getCacheDir(devToolsDirPath, shouldCreate: false);
++      final Directory devToolsDir = _fileSystem.directory(_fileSystem.path.join(flutterRoot!, 'bin/cache/dart-sdk/bin/resources/devtools'));
+       if (!devToolsDir.existsSync()) {
+         throw Exception('Could not find directory at ${devToolsDir.path}');
+       }
+@@ -536,7 +541,7 @@ class Cache {
+     if (_rootOverride != null) {
+       return _fileSystem.directory(_fileSystem.path.join(_rootOverride!.path, 'bin', 'cache'));
+     } else {
+-      return _fileSystem.directory(_fileSystem.path.join(flutterRoot!, 'bin', 'cache'));
++      return _fileSystem.directory(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter'));
+     }
+   }
+ 
+diff --git a/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch b/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch
+new file mode 100644
+index 00000000000..21b676a2af3
+--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch
+@@ -0,0 +1,36 @@
+diff --git a/bin/internal/shared.sh b/bin/internal/shared.sh
+index ab746724e9..1087983c87 100644
+--- a/bin/internal/shared.sh
++++ b/bin/internal/shared.sh
+@@ -215,8 +215,6 @@ function shared::execute() {
+     exit 1
+   fi
+ 
+-  upgrade_flutter 7< "$PROG_NAME"
+-
+   BIN_NAME="$(basename "$PROG_NAME")"
+   case "$BIN_NAME" in
+     flutter*)
+diff --git a/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart b/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
+index 738fef987d..03a152e64f 100644
+--- a/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
++++ b/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
+@@ -241,7 +241,6 @@ class FlutterCommandRunner extends CommandRunner<void> {
+           globals.flutterUsage.suppressAnalytics = true;
+         }
+ 
+-        globals.flutterVersion.ensureVersionFile();
+         final bool machineFlag = topLevelResults['machine'] as bool? ?? false;
+         final bool ci = await globals.botDetector.isRunningOnBot;
+         final bool redirectedCompletion = !globals.stdio.hasTerminal &&
+@@ -250,10 +249,6 @@ class FlutterCommandRunner extends CommandRunner<void> {
+         final bool versionCheckFlag = topLevelResults['version-check'] as bool? ?? false;
+         final bool explicitVersionCheckPassed = topLevelResults.wasParsed('version-check') && versionCheckFlag;
+ 
+-        if (topLevelResults.command?.name != 'upgrade' &&
+-            (explicitVersionCheckPassed || (versionCheckFlag && !isMachine))) {
+-          await globals.flutterVersion.checkFlutterVersionFreshness();
+-        }
+ 
+         // See if the user specified a specific device.
+         globals.deviceManager?.specifiedDeviceId = topLevelResults['device-id'] as String?;
+diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
+similarity index 86%
+rename from pkgs/development/compilers/flutter/patches/git-dir.patch
+rename to pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
+index 0c736f945ea..42ad756f8ea 100644
+--- a/pkgs/development/compilers/flutter/patches/git-dir.patch
+++ b/pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
+@@ -1,8 +1,8 @@
+ diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
+-index 468a91a954..5def6897ce 100644
+index 8e4cb81340..2c20940423 100644
+ --- a/dev/bots/prepare_package.dart
+ +++ b/dev/bots/prepare_package.dart
+-@@ -525,7 +525,7 @@ class ArchiveCreator {
+@@ -526,7 +526,7 @@ class ArchiveCreator {
+  
+    Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
+      return _processRunner.runProcess(
+@@ -12,7 +12,7 @@ index 468a91a954..5def6897ce 100644
+      );
+    }
+ diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
+-index bb0eb428a9..4a2a48bb5e 100644
+index 666c190067..b6c3761f6f 100644
+ --- a/packages/flutter_tools/lib/src/commands/downgrade.dart
+ +++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
+ @@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
+@@ -34,19 +34,19 @@ index bb0eb428a9..4a2a48bb5e 100644
+        if (parseResult.exitCode == 0) {
+          buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
+ diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
+-index f2068a6ca2..99b161689e 100644
+index dc47f17057..8068e2d1f5 100644
+ --- a/packages/flutter_tools/lib/src/version.dart
+ +++ b/packages/flutter_tools/lib/src/version.dart
+-@@ -106,7 +106,7 @@ class FlutterVersion {
+@@ -111,7 +111,7 @@ class FlutterVersion {
+      String? channel = _channel;
+      if (channel == null) {
+        final String gitChannel = _runGit(
+--        'git rev-parse --abbrev-ref --symbolic @{u}',
+-+        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
+-        'git rev-parse --abbrev-ref --symbolic $kGitTrackingUpstream',
++        'git --git-dir .git rev-parse --abbrev-ref --symbolic $kGitTrackingUpstream',
+          globals.processUtils,
+          _workingDirectory,
+        );
+-@@ -114,7 +114,7 @@ class FlutterVersion {
+@@ -119,7 +119,7 @@ class FlutterVersion {
+        if (slash != -1) {
+          final String remote = gitChannel.substring(0, slash);
+          _repositoryUrl = _runGit(
+@@ -55,7 +55,7 @@ index f2068a6ca2..99b161689e 100644
+            globals.processUtils,
+            _workingDirectory,
+          );
+-@@ -326,7 +326,7 @@ class FlutterVersion {
+@@ -298,7 +298,7 @@ class FlutterVersion {
+    /// the branch name will be returned as `'[user-branch]'`.
+    String getBranchName({ bool redactUnknownBranches = false }) {
+      _branch ??= () {
+@@ -64,7 +64,7 @@ index f2068a6ca2..99b161689e 100644
+        return branch == 'HEAD' ? channel : branch;
+      }();
+      if (redactUnknownBranches || _branch!.isEmpty) {
+-@@ -359,7 +359,7 @@ class FlutterVersion {
+@@ -331,7 +331,7 @@ class FlutterVersion {
+    /// wrapper that does that.
+    @visibleForTesting
+    static List<String> gitLog(List<String> args) {
+@@ -73,16 +73,16 @@ index f2068a6ca2..99b161689e 100644
+    }
+  
+    /// Gets the release date of the latest available Flutter version.
+-@@ -730,7 +730,7 @@ class GitTagVersion {
+- 
+-   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
+@@ -708,7 +708,7 @@ class GitTagVersion {
+     String gitRef = 'HEAD'
+   }) {
+      if (fetchTags) {
+ -      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
+ +      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
+        if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
+          globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
+        } else {
+-@@ -739,7 +739,7 @@ class GitTagVersion {
+@@ -718,7 +718,7 @@ class GitTagVersion {
+      }
+      // find all tags attached to the given [gitRef]
+      final List<String> tags = _runGit(
+@@ -91,7 +91,7 @@ index f2068a6ca2..99b161689e 100644
+  
+      // Check first for a stable tag
+      final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
+-@@ -760,7 +760,7 @@ class GitTagVersion {
+@@ -739,7 +739,7 @@ class GitTagVersion {
+      // recent tag and number of commits past.
+      return parse(
+        _runGit(
+diff --git a/pkgs/development/compilers/flutter/patches/move-cache.patch b/pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
+similarity index 83%
+rename from pkgs/development/compilers/flutter/patches/move-cache.patch
+rename to pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
+index 5cb7c71e9bd..008c5959e5b 100644
+--- a/pkgs/development/compilers/flutter/patches/move-cache.patch
+++ b/pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
+@@ -1,13 +1,9 @@
+diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
+ diff --git a/packages/flutter_tools/lib/src/asset.dart b/packages/flutter_tools/lib/src/asset.dart
+-index ed42baea29..12941f733a 100644
+index 9dd7272fbe..642c8e48e4 100644
+ --- a/packages/flutter_tools/lib/src/asset.dart
+ +++ b/packages/flutter_tools/lib/src/asset.dart
+-@@ -11,11 +11,11 @@ import 'base/file_system.dart';
+- import 'base/logger.dart';
+- import 'base/platform.dart';
+- import 'build_info.dart';
+--import 'cache.dart';
+- import 'convert.dart';
+@@ -16,6 +16,7 @@ import 'convert.dart';
+  import 'dart/package_map.dart';
+  import 'devfs.dart';
+  import 'flutter_manifest.dart';
+@@ -15,17 +11,18 @@ index ed42baea29..12941f733a 100644
+  import 'license_collector.dart';
+  import 'project.dart';
+  
+-@@ -504,7 +504,7 @@ class ManifestAssetBundle implements AssetBundle {
+-         }
+@@ -530,8 +531,7 @@ class ManifestAssetBundle implements AssetBundle {
+          final Uri entryUri = _fileSystem.path.toUri(asset);
+          result.add(_Asset(
+--          baseDir: _fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'artifacts', 'material_fonts'),
+-+          baseDir: _fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts'),
+           baseDir: _fileSystem.path.join(
+-            Cache.flutterRoot!,
+-            'bin', 'cache', 'artifacts', 'material_fonts',
++            globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts',
+           ),
+            relativeUri: Uri(path: entryUri.pathSegments.last),
+            entryUri: entryUri,
+-           package: null,
+ diff --git a/packages/flutter_tools/lib/src/cache.dart b/packages/flutter_tools/lib/src/cache.dart
+-index defc86cc20..7fdf14d112 100644
+index dd80b1e46e..8e54517765 100644
+ --- a/packages/flutter_tools/lib/src/cache.dart
+ +++ b/packages/flutter_tools/lib/src/cache.dart
+ @@ -22,6 +22,7 @@ import 'base/user_messages.dart';
+@@ -36,7 +33,7 @@ index defc86cc20..7fdf14d112 100644
+  
+  const String kFlutterRootEnvironmentVariableName = 'FLUTTER_ROOT'; // should point to //flutter/ (root of flutter/flutter repo)
+  const String kFlutterEngineEnvironmentVariableName = 'FLUTTER_ENGINE'; // should point to //engine/src/ (root of flutter/engine repo)
+-@@ -322,8 +323,13 @@ class Cache {
+@@ -318,8 +319,13 @@ class Cache {
+        return;
+      }
+      assert(_lock == null);
+@@ -51,7 +48,7 @@ index defc86cc20..7fdf14d112 100644
+      try {
+        _lock = lockFile.openSync(mode: FileMode.write);
+      } on FileSystemException catch (e) {
+-@@ -382,8 +388,7 @@ class Cache {
+@@ -378,8 +384,7 @@ class Cache {
+  
+    String get devToolsVersion {
+      if (_devToolsVersion == null) {
+@@ -61,7 +58,7 @@ index defc86cc20..7fdf14d112 100644
+        if (!devToolsDir.existsSync()) {
+          throw Exception('Could not find directory at ${devToolsDir.path}');
+        }
+-@@ -536,7 +541,7 @@ class Cache {
+@@ -532,7 +537,7 @@ class Cache {
+      if (_rootOverride != null) {
+        return _fileSystem.directory(_fileSystem.path.join(_rootOverride!.path, 'bin', 'cache'));
+      } else {
+@@ -70,8 +67,7 @@ index defc86cc20..7fdf14d112 100644
+      }
+    }
+  
+-diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
+-index 2aac9686e8..32c4b98b88 100644
+index c539d67156..4e0a64f7a9 100644
+ --- a/packages/flutter_tools/lib/src/artifacts.dart
+ +++ b/packages/flutter_tools/lib/src/artifacts.dart
+ @@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
+@@ -82,8 +78,8 @@ index 2aac9686e8..32c4b98b88 100644
+ +        final String path = _dartSdkPath(_fileSystem);
+          return _fileSystem.directory(path);
+        case HostArtifact.engineDartBinary:
+--        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
+-+        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform));
++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform));
+          return _fileSystem.file(path);
+        case HostArtifact.flutterWebSdk:
+          final String path = _getFlutterWebSdkPath();
+@@ -91,12 +87,12 @@ index 2aac9686e8..32c4b98b88 100644
+        case HostArtifact.dart2jsSnapshot:
+        case HostArtifact.dartdevcSnapshot:
+        case HostArtifact.kernelWorkerSnapshot:
+--        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+-+        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
+          return _fileSystem.file(path);
+        case HostArtifact.iosDeploy:
+-         final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
+-@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
+         final String artifactFileName = _hostArtifactToFileName(artifact, _platform);
+@@ -465,11 +465,13 @@ class CachedArtifacts implements Artifacts {
+    String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
+      final String engineDir = _getEngineArtifactsPath(platform, mode)!;
+      switch (artifact) {
+@@ -125,8 +121,8 @@ index 2aac9686e8..32c4b98b88 100644
+ -      case Artifact.frontendServerSnapshotForEngineDartSdk:
+        case Artifact.constFinder:
+        case Artifact.flutterMacOSFramework:
+-       case Artifact.flutterMacOSPodspec:
+-@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
+       case Artifact.flutterPatchedSdkPath:
+@@ -586,14 +588,10 @@ class CachedArtifacts implements Artifacts {
+          // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
+          // android_arm in profile mode because it is available on all supported host platforms.
+          return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
+@@ -142,27 +138,27 @@ index 2aac9686e8..32c4b98b88 100644
+        case Artifact.icuData:
+          final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
+          final String platformDirName = _enginePlatformDirectoryName(platform);
+-@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+-         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+@@ -776,7 +774,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
+          return _fileSystem.file(path);
+        case HostArtifact.dartdevcSnapshot:
+--        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+-+        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
+          return _fileSystem.file(path);
+        case HostArtifact.kernelWorkerSnapshot:
+-         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+-@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+-       case Artifact.windowsUwpCppClientWrapper:
+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
+@@ -901,9 +899,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+       case Artifact.windowsCppClientWrapper:
+          return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
+        case Artifact.frontendServerSnapshotForEngineDartSdk:
+ -        return _fileSystem.path.join(
+ -          _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
+ -        );
+ +        return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
+-       case Artifact.uwptool:
+-         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
+      }
+-@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
+   }
+ 
+@@ -1011,8 +1007,8 @@ class OverrideArtifacts implements Artifacts {
+  }
+  
+  /// Locate the Dart SDK.
+@@ -174,12 +170,12 @@ index 2aac9686e8..32c4b98b88 100644
+  
+  class _TestArtifacts implements Artifacts {
+ diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
+-index d906511a15..adfdd4bb42 100644
+index aed3eb9285..81b8362648 100644
+ --- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
+ +++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
+-@@ -153,10 +153,6 @@ void main() {
+-         artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
+-         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
+@@ -141,10 +141,6 @@ void main() {
+         artifacts.getArtifactPath(Artifact.flutterTester, platform: TargetPlatform.linux_arm64),
+         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'linux-arm64', 'flutter_tester'),
+        );
+ -      expect(
+ -        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
+@@ -188,7 +184,7 @@ index d906511a15..adfdd4bb42 100644
+      });
+  
+      testWithoutContext('precompiled web artifact paths are correct', () {
+-@@ -322,11 +318,6 @@ void main() {
+@@ -310,11 +306,6 @@ void main() {
+          artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
+          fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
+        );
+@@ -197,6 +193,6 @@ index d906511a15..adfdd4bb42 100644
+ -        fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
+ -          'snapshots', 'frontend_server.dart.snapshot')
+ -      );
+-     });
+- 
+-     testWithoutContext('getEngineType', () {
+       expect(
+         artifacts.getHostArtifact(HostArtifact.impellerc).path,
+         fileSystem.path.join('/out', 'host_debug_unopt', 'impellerc'),
+diff --git a/pkgs/os-specific/linux/firmware/firmware-updater/default.nix b/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
+index fb9d3a9a36c..cc906b763e8 100644
+--- a/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
+@@ -1,13 +1,13 @@
+ { lib
+-, flutter
+, flutter2
+ , fetchFromGitHub
+ }:
+ 
+-flutter.mkFlutterApp {
+flutter2.mkFlutterApp {
+   pname = "firmware-updater";
+   version = "unstable";
+ 
+-  vendorHash = "sha256-3wVA9BLCnMijC0gOmskz+Hv7NQIGu/jhBDbWjmoq1Tc=";
+  vendorHash = "sha256-7uOiebGBcX61oUyNCi1h9KldTRTrCfYaHUQSH4J5OoQ=";
+ 
+   src = fetchFromGitHub {
+     owner = "canonical";
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index 4f25d9b20d8..c282471c464 100644
+--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
+@@ -13448,6 +13448,7 @@ with pkgs;
+   flutterPackages =
+     recurseIntoAttrs (callPackage ../development/compilers/flutter { });
+   flutter = flutterPackages.stable;
+  flutter2 = flutterPackages.v2;
+ 
+   fnm = callPackage ../development/tools/fnm {
+     inherit (darwin.apple_sdk.frameworks) DiskArbitration Foundation Security;
--- a/nixpatches/12-flutter-arm64-2.patch
+++ b/nixpatches/12-flutter-arm64-2.patch
@@ -0,0 +1,66 @@
+diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+index 22bbeb212f0..c07bd8e9fd4 100644
+--- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+@@ -4,13 +4,19 @@
+ , olm
+ , imagemagick
+ , makeDesktopItem
+, stdenv
+ }:
+ 
+let vendorHashes = {
+  x86_64-linux = "sha256-Gi0mfxaMtPI/TxrxnvzQvH9M8CtLADKJfYO2JnzAz+Y=";
+  aarch64-linux = "sha256-iq8bMSJoYbDNtR82QunrpQdPUv0nceUKXRqAwDvxCpE=";
+};
+in
+ flutter2.mkFlutterApp rec {
+   pname = "fluffychat";
+   version = "1.2.0";
+ 
+-  vendorHash = "sha256-1PDX023WXRmRe/b1L+6Du91BvGwYNp3YATqYSQdPrRY=";
+  vendorHash = vendorHashes."${stdenv.hostPlatform.system}" or (throw "unsupported system: ${stdenv.hostPlatform.system}");
+ 
+   src = fetchFromGitLab {
+     owner = "famedly";
+diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
+index 02188335129..c264565e50a 100644
+--- a/pkgs/development/compilers/flutter/default.nix
+++ b/pkgs/development/compilers/flutter/default.nix
+@@ -11,7 +11,11 @@ let
+       sources = {
+         "${dartVersion}-x86_64-linux" = fetchurl {
+           url = "https://storage.googleapis.com/dart-archive/channels/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
+-          sha256 = dartHash;
+          sha256 = dartHash.x86_64-linux;
+        };
+        "${dartVersion}-aarch64-linux" = fetchurl {
+          url = "https://storage.googleapis.com/dart-archive/channels/stable/release/${dartVersion}/sdk/dartsdk-linux-arm64-release.zip";
+          sha256 = dartHash.aarch64-linux;
+         };
+       };
+     };
+@@ -28,7 +32,10 @@ in
+     version = "3.3.3";
+     dartVersion = "2.18.2";
+     hash = "sha256-MTZeWQUp4/TcPzYIT6eqIKSPUPvn2Mp/thOQzNgpTXg=";
+-    dartHash = "sha256-C3+YjecXLvSmJrLwi9H7TgD9Np0AArRWx3EdBrfQpTU";
+    dartHash = {
+      x86_64-linux = "sha256-C3+YjecXLvSmJrLwi9H7TgD9Np0AArRWx3EdBrfQpTU";
+      aarch64-linux = "sha256-zyIK1i5/9P2C+sjzdArhFwpVO4P+It+/X50l+n9gekI=";
+    };
+     patches = getPatches ./patches/flutter3;
+   };
+ 
+@@ -37,7 +44,10 @@ in
+     version = "2.10.5";
+     dartVersion = "2.16.2";
+     hash = "sha256-DTZwxlMUYk8NS1SaWUJolXjD+JnRW73Ps5CdRHDGnt0=";
+-    dartHash = "sha256-egrYd7B4XhkBiHPIFE2zopxKtQ58GqlogAKA/UeiXnI=";
+    dartHash = {
+      x86_64-linux = "sha256-egrYd7B4XhkBiHPIFE2zopxKtQ58GqlogAKA/UeiXnI=";
+      aarch64-linux = "sha256-vmerjXkUAUnI8FjK+62qLqgETmA+BLPEZXFxwYpI+KY=";
+    };
+     patches = getPatches ./patches/flutter2;
+   };
+ }
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
@@ -1,77 +1,47 @@
 fetchpatch: [
+  # Flutter: 3.0.4 -> 3.3.3, flutter.dart: 2.17.5 -> 2.18.2
+  # merged 2022/10/07
+  # (fetchpatch {
+  #   url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
+  #   sha256 = "sha256-HRkOIBcOnSXyTKkYxnMgZou8MHU/5eNhxxARdUq9UWg=";
+  #   # url = "https://git.uninsane.org/colin/nixpkgs/commit/889c3a8cbc91c0d10b34ab7825fa1f6d1d31668a.diff";
+  #   # sha256 = "sha256-qVWLpNoW3HVSWRtXS1BcSusKOq0CAMfY0BVU9MxPm98=";
+  # })
+  #
+  # XXX this is a cherry-pick of all the commits in PR 189338 (as appears in tree).
+  # the diff yielded by Github is apparently not the same somehow (maybe because the branches being merged had diverged too much?)
+  ./11-flutter-3.3.3-189338.patch
+
+  # phosh-mobile-settings: init at 0.21.1
+  (fetchpatch {
+    url = "http://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
+    # url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
+    sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
+  })
+
+  # kaiteki: init at 2022-09-03
+  (fetchpatch {
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
+    # url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
+    sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
+  })
+
+  # Fix mk flutter app
+  # closed (not merged). updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
+  # (fetchpatch {
+  #   url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
+  #   sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
+  # })
+
  # for raspberry pi: allow building u-boot for rpi 4{,00}
  # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
  #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
  ./02-rpi4-uboot.patch

-  # Fix mk flutter app
-  # closed. updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
-    sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
-  })
-
-  # # # Flutter: 3.0.4->3.3.2, flutter.dart: 2.17.5->2.18.1
-  # # (fetchpatch {
-  # #   url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
-  # #   sha256 = "sha256-MppSk1D3qQT8Z4lzEZ93UexoidT8yqM7ASPec4VvxCI=";
-  # # })
-  # enable aarch64 support for flutter's dart package
-  ./10-flutter-arm64.patch
-
-
  # TODO: upstream
  ./07-duplicity-rich-url.patch

-  # kaiteki: init at 2022-09-03
-  (fetchpatch {
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/ca8e17b15e99683e9372b4deb5dd446f1019937d.diff";
-    url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
-    sha256 = "sha256-1O9vC/r3jpvGhHGp7d2r3oL7C8kFX2Ph214JV0vWZA0=";
-  })
-
-  # zecwallet: 1.7.13 -> 1.8.8
-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/193276.diff";
-    sha256 = "sha256-rSWllDAxL8E42vYPR3vgGZklU5cKp9dqYowMJkPoYlY=";
-  })
-
-  # whalebird: 4.6.0 -> 4.6.5
-  (fetchpatch {
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/5f410db5e0bc24521ad413c33285a3175517941c.diff";
-    url = "https://github.com/NixOS/nixpkgs/pull/193281.diff";
-    sha256 = "sha256-SY+pJPNEB6gJDkEbFgWVjMf7Grrt05INoBtQVp2af1w=";
-  })
-
-  # (merged into master 2022/09/28): element-{web,desktop}: 1.11.5 -> 1.11.7
-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/193342.diff";
-    sha256 = "sha256-A9TUmabRl4BC6dGmo0e1c4YdAyUG4o097GYdMChepfw=";
-  })
-
-  # (merged into master 2022/09/28): element-{desktop,web}: 1.11.7 -> 1.11.8
-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/193362.diff";
-    sha256 = "sha256-ZkkbNdCKh905fDe9QHrP/alRkDfenoPc6XrLg3Hf2dI=";
-  })
-
-  # phosh: 0.21.0 -> 0.21.1
-  (fetchpatch {
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/0b81457690fce39b14c5d3463af0d6331b73b850.diff";
-    url = "https://github.com/NixOS/nixpkgs/pull/193700.diff";
-    sha256 = "sha256-GtpYSii1c/Kw1NEQ4sVR1nO/kvSa/CSIxuXxL00oBGw=";
-  })
-
-  # element-desktop: upgrade electron 19 -> 20
-  (fetchpatch {
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/7e6a47b3904f5d8f2a37c35ff2d12772524727a9.diff";
-    url = "https://github.com/NixOS/nixpkgs/pull/193799.diff";
-    sha256 = "sha256-OcqDIoBcphGZfeeOzaS7Ip1khocpkYrpG6tMGExa3S4=";
-  })
-
-  # phosh-mobile-settings: init at 0.21.1
-  (fetchpatch {
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/0b197a1fc628e917572f6b0a1a0ce17790bc9a05.diff";
-    sha256 = "sha256-CXRXDQTfJeHIQpdUFr3T050c4Lj4ZLNmBDVfk/oaDcs=";
-  })
+  # enable aarch64 support for flutter's dart package
+  # ./10-flutter-arm64.patch
+  ./12-flutter-arm64-2.patch
 ]
--- a/pkgs/kaiteki/default.nix
+++ b/pkgs/kaiteki/default.nix
@@ -10,15 +10,11 @@ flutter.mkFlutterApp rec {
  pname = "kaiteki";
  version = "unstable-2022-09-03";

-  # this hash seems unstable -- depends on other nixpkgs, perhaps?
-  vendorHash = "sha256-+kVwa5FObRYOdkPrF7jd0qOB+wwBm+OvdJP8NdSXTJ8=";
+  vendorHash = "sha256-Y0BXQ7xt9w+J896ar6o+FiVGcDJw7dPHo7tgij+p6R0=";

  src = fetchFromGitHub {
    owner = "Kaiteki-Fedi";
    repo = "Kaiteki";
-    # rev = "cf94ec55063cd7af20a37103fc40c588a634962f";
-    # hash = "sha256-jtRT0Q4/i3dxRYcC6HPClL9Iw1PizkIUgswU1eusKig=";
-    # this is the last hash before the code uses features not apparently supported by our version of dart.
    rev = "fd1e26c98f37ad6a98ed549da879c91721f997d0";
    hash = "sha256-N7n6o/B9s0DCYf9HFMZSCPShpE65wKl9FaQ5dbFnr1E=";
    fetchSubmodules = true;
--- a/pkgs/linux-megous/default.nix
+++ b/pkgs/linux-megous/default.nix
@@ -3,10 +3,10 @@
 with lib;

 buildLinux (args // rec {
-  version = "6.0.0-rc4";
+  version = "6.0.0";

  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
-  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) + "-rc4" else modDirVersionArg;
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;

  # branchVersion needs to be x.y
  extraMeta.branch = versions.majorMinor version;
@@ -15,7 +15,7 @@ buildLinux (args // rec {
    owner = "megous";
    repo = "linux";
    # branch: orange-pi-6.0
-    rev = "6ada3caab0b37968f1257b3ea75e5b0466a77162";
-    sha256 = "sha256-jIhOE0ZMuoJm7NqAEJ4OTNLHN/h8i4cOphcw3le7RSw=";
+    rev = "b16232c6156de17e1dfdb63fdaea8e317baa07a7";
+    sha256 = "sha256-Tb05IQKFdX/T7elGNnXTLVmgGLvXoeBFBq/8Q7jQhX0=";
  };
 } // (args.argsOverride or { }))
--- a/pkgs/matrix-appservice-discord/01-puppet.patch
+++ b/pkgs/matrix-appservice-discord/01-puppet.patch
@@ -0,0 +1,13 @@
+diff --git a/src/clientfactory.ts b/src/clientfactory.ts
+index b7fea47..587acfd 100644
+--- a/src/clientfactory.ts
+++ b/src/clientfactory.ts
+@@ -53,7 +53,7 @@ export class DiscordClientFactory {
+         });
+ 
+         try {
+-            await this.botClient.login(this.config.botToken, true);
+            await this.botClient.login(this.config.botToken, false);
+             log.info("Waiting for shardReady signal");
+             await waitPromise;
+             log.info("Got shardReady signal");
--- a/pkgs/matrix-appservice-discord/02-auto-approve.patch
+++ b/pkgs/matrix-appservice-discord/02-auto-approve.patch
@@ -0,0 +1,16 @@
+diff --git a/src/provisioner.ts b/src/provisioner.ts
+index c1568af..28a44c5 100644
+--- a/src/provisioner.ts
+++ b/src/provisioner.ts
+@@ -99,8 +99,9 @@
+         this.pendingRequests.set(channelId, approveFn);
+         setTimeout(() => approveFn(false, true), timeout);
+ 
+-        await channel.send(`${requestor} on matrix would like to bridge this channel. Someone with permission` +
+-            " to manage webhooks please reply with `!matrix approve` or `!matrix deny` in the next 5 minutes");
+        // await channel.send(`${requestor} on matrix would like to bridge this channel. Someone with permission` +
+        //     " to manage webhooks please reply with `!matrix approve` or `!matrix deny` in the next 5 minutes");
+        approveFn(true);
+         return await deferP;
+ 
+     }
--- a/pkgs/matrix-appservice-discord/03-no-edits.patch
+++ b/pkgs/matrix-appservice-discord/03-no-edits.patch
@@ -0,0 +1,14 @@
+diff --git a/src/bot.ts b/src/bot.ts
+index 8bc73d4..1e6ea67 100644
+--- a/src/bot.ts
+++ b/src/bot.ts
+@@ -568,7 +568,8 @@ export class DiscordBot {
+             }
+             const link = `https://discord.com/channels/${chan.guild.id}/${chan.id}/${editEventId}`;
+             embedSet.messageEmbed.description = `[Edit](${link}): ${embedSet.messageEmbed.description}`;
+-            await this.send(embedSet, opts, roomLookup, event);
+            log.warn("not editing sent Matrix -> Discord message");
+            // await this.send(embedSet, opts, roomLookup, event);
+         } catch (err) {
+             // throw wrapError(err, Unstable.ForeignNetworkError, "Couldn't edit message");
+             log.warn(`Failed to edit message ${event.event_id}`);
--- a/pkgs/matrix-appservice-discord/04-no-kickbans.patch
+++ b/pkgs/matrix-appservice-discord/04-no-kickbans.patch
@@ -0,0 +1,88 @@
+diff --git a/src/bot.ts b/src/bot.ts
+index 8bc73d4..1e6ea67 100644
+--- a/src/bot.ts
+++ b/src/bot.ts
+@@ -795,82 +796,7 @@ export class DiscordBot {
+         roomId: string, kickeeUserId: string, kicker: string, kickban: "leave"|"ban",
+         previousState: string, reason?: string,
+     ) {
+-        const restore = kickban === "leave" && previousState === "ban";
+-        const client = await this.clientFactory.getClient(kicker);
+-        let channel: Discord.Channel;
+-        try {
+-            channel = await this.GetChannelFromRoomId(roomId, client);
+-        } catch (ex) {
+-            log.error("Failed to get channel for ", roomId, ex);
+-            return;
+-        }
+-        if (channel.type !== "text") {
+-            log.warn("Channel was not a text channel");
+-            return;
+-        }
+-        const tchan = (channel as Discord.TextChannel);
+-        const kickeeUser = await this.GetDiscordUserOrMember(
+-            kickeeUserId.substring("@_discord_".length, kickeeUserId.indexOf(":") - 1),
+-            tchan.guild.id,
+-        );
+-        if (!kickeeUser) {
+-            log.error("Could not find discord user for", kickeeUserId);
+-            return;
+-        }
+-        const kickee = kickeeUser as Discord.GuildMember;
+-        let res: Discord.Message;
+-        const botChannel = await this.GetChannelFromRoomId(roomId) as Discord.TextChannel;
+-        if (restore) {
+-            await tchan.overwritePermissions([
+-                {
+-                    allow: ["SEND_MESSAGES", "VIEW_CHANNEL"],
+-                    id: kickee.id,
+-                }],
+-                `Unbanned.`,
+-            );
+-            this.channelLock.set(botChannel.id);
+-            res = await botChannel.send(
+-                `${kickee} was unbanned from this channel by ${kicker}.`,
+-            ) as Discord.Message;
+-            this.sentMessages.push(res.id);
+-            this.channelLock.release(botChannel.id);
+-            return;
+-        }
+-        const existingPerms = tchan.permissionsFor(kickee);
+-        if (existingPerms && existingPerms.has(Discord.Permissions.FLAGS.VIEW_CHANNEL as number) === false ) {
+-            log.warn("User isn't allowed to read anyway.");
+-            return;
+-        }
+-        const word = `${kickban === "ban" ? "banned" : "kicked"}`;
+-        this.channelLock.set(botChannel.id);
+-        res = await botChannel.send(
+-            `${kickee} was ${word} from this channel by ${kicker}.`
+-            + (reason ? ` Reason: ${reason}` : ""),
+-        ) as Discord.Message;
+-        this.sentMessages.push(res.id);
+-        this.channelLock.release(botChannel.id);
+-        log.info(`${word} ${kickee}`);
+-
+-        await tchan.overwritePermissions([
+-            {
+-                deny: ["SEND_MESSAGES", "VIEW_CHANNEL"],
+-                id: kickee.id,
+-            }],
+-            `Matrix user was ${word} by ${kicker}.`,
+-        );
+-        if (kickban === "leave") {
+-            // Kicks will let the user back in after ~30 seconds.
+-            setTimeout(async () => {
+-                log.info(`Kick was lifted for ${kickee.displayName}`);
+-                await tchan.overwritePermissions([
+-                    {
+-                        allow: ["SEND_MESSAGES", "VIEW_CHANNEL"],
+-                        id: kickee.id,
+-                    }],
+-                    `Lifting kick since duration expired.`,
+-                );
+-            }, this.config.room.kickFor);
+-        }
+        return; // this is about letting Discord users know when Matrix users are kicked/banned
+     }
+ 
+     public async GetEmojiByMxc(mxc: string): Promise<DbEmoji> {
--- a/pkgs/matrix-appservice-discord/05-no-meta.patch
+++ b/pkgs/matrix-appservice-discord/05-no-meta.patch
@@ -0,0 +1,13 @@
+diff --git a/src/matrixeventprocessor.ts b/src/matrixeventprocessor.ts
+index f1f4611..7b57ff3 100644
+--- a/src/matrixeventprocessor.ts
+++ b/src/matrixeventprocessor.ts
+@@ -278,6 +278,8 @@ export class MatrixEventProcessor {
+             return;
+         }
+ 
+        return; // disable all meta notifications
+
+         msg += " on Matrix.";
+         const channel = await this.discord.GetChannelFromRoomId(event.room_id) as Discord.TextChannel;
+         await this.discord.sendAsBot(msg, channel, event);
--- a/pkgs/matrix-appservice-discord/default.nix
+++ b/pkgs/matrix-appservice-discord/default.nix
@@ -0,0 +1,19 @@
+{ pkgs }:
+
+(pkgs.matrix-appservice-discord.overrideAttrs (upstream: {
+  # 2022-10-05: the service can't login as an ordinary user unless i change the source
+  doCheck = false;
+  patches = (upstream.patches or []) ++ [
+    # don't register with better-discord as a bot
+    ./01-puppet.patch
+    # don't ask Discord admin for approval before bridging
+    ./02-auto-approve.patch
+    # disable Matrix -> Discord edits because they do not fit Discord semantics
+    ./03-no-edits.patch
+    # we don't want to notify Discord users that a Matrix user was kicked/banned
+    ./04-no-kickbans.patch
+    # don't notify Discord users when the Matrix room changes (name, topic, membership)
+    ./05-no-meta.patch
+  ];
+}))
+
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -27,6 +27,8 @@
  pleroma = prev.callPackage ./pleroma { };
  # jackett doesn't allow customization of the bind address: this will probably always be here.
  jackett = prev.callPackage ./jackett { pkgs = prev; };
+  # TODO: delete matrix-appservice-discord
+  matrix-appservice-discord = prev.callPackage ./matrix-appservice-discord { pkgs = prev; };
  # mozilla keeps nerfing itself and removing configuration options
  firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
  # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
@@ -36,8 +38,9 @@
  ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };

  #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
-  # kaiteki = prev.callPackage ./kaiteki { };
-  kaiteki = prev.kaiteki;
+  kaiteki = prev.callPackage ./kaiteki { };
+  # kaiteki = prev.kaiteki;
+  # TODO: upstream, or delete nabla
  nabla = prev.callPackage ./nabla { };
 })

--- a/pkgs/sane-scripts/src/sane-mount-servo
+++ b/pkgs/sane-scripts/src/sane-mount-servo
@@ -15,4 +15,5 @@ then
 fi

 # symlink the fastest mount point into place
+# uncomment if i see the bug again: sudo unlink /mnt/servo-media  # XXX ln gets confused if the destination is a symlink to a stale mount
 sudo ln -sf $mnt /mnt/servo-media
--- a/pkgs/sane-scripts/src/sane-mount-servo-root
+++ b/pkgs/sane-scripts/src/sane-mount-servo-root
@@ -15,4 +15,5 @@ then
 fi

 # symlink the fastest mount point into place
+# uncomment if i see the bug again: sudo unlink /mnt/servo-root  # XXX ln gets confused if the destination is a symlink to a stale mount
 sudo ln -sf $mnt /mnt/servo-root
--- a/scripts/init-keyring
+++ b/scripts/init-keyring
@@ -0,0 +1,18 @@
+#!/bin/sh
+# initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
+# this initializes it to be plaintext/unencrypted.
+
+if [ -f ~/.local/share/keyrings/default ]
+then
+        echo 'keyring already initialized: not doing anything'
+        exit 0
+fi
+
+keyring=~/.local/share/keyrings/Default_keyring.keyring
+
+echo 'initializing default user keyring:' "$keyring"
+echo '[keyring]' > "$keyring"
+echo 'display-name=Default keyring' >> "$keyring"
+echo 'lock-on-idle=false' >> "$keyring"
+echo 'lock-after=false' >> "$keyring"
+echo -n "Default_keyring" > ~/.local/share/keyrings/default
--- a/scripts/install-iwd
+++ b/scripts/install-iwd
@@ -15,4 +15,6 @@ do
        # not sure that iwd can deal with un-writeable symlinks
        # ln -sf "$src_dir/$f" "$dest_dir/$ssid.psk"
        cp "$src_dir/$f" "$dest_dir/$ssid.psk"
+        # not strictly necessary, but iwd does default to rw
+        chmod 600 "$dest_dir/$ssid.psk"
 done
--- a/secrets/servo/matrix_appservice_discord_env.bin
+++ b/secrets/servo/matrix_appservice_discord_env.bin
@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:7j1l4XJ8cp8MVuSmOedOZwGDWV11hmwFyLW43ixUBaZLWbUZ6Z4P4Gt+o7bj8gc/X8aiPV8sxAR/jY28Sc5DIaAnkKnXjesPVlG0c3oRAsXemKGX8fANkoNX5iEPbWAkFiJdLS6Fgdv2g4z6DQ4odvZQKrMchx8MPYq8icBvvbhKiGs5xo+MGrMBVRCZOERM2FJSy/q9zLv6hU5SfnnYDTMt,iv:poHHiCs0YOCv74dQ2kyXogdgTUqmKRgGq2r7lcxe4bQ=,tag:rz1/FLC5Q8S13TTWNKcYyQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TjVWenJkYVdjeExzYjVj\nUVdFeUdMRUtwOWJNYUx6dFRWRXdEUWJhdkVFClM1UnhtWndYbE91RCtVRnl4TGp4\nZHNJNUliOWhqcUorZVBEQWR0eXZaMVEKLS0tIDdsVFJ2bmdNeVk5b3FJVDQ3T1BG\nU0taQlA1QVEvYVJweDQ5L2YwTmo2ek0K+nbzpIpjAhRgJ5Lw+mx/doGMjw0aMNkZ\n5sAnPJo88Sa/TW3qBN48xFBMLWMp/SKs2JTaMu0xW0u2SkQX38TLlw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUFBSYVJZUmRBcGJXclNP\nRDRUZnRKMmYwdFhQcE1oWUhrZGxNTk5YOFIwCldUMW92NGl0VVBsS0JtYjJOTW9E\nK2ZZdm9GK3FOMitUdEU3QStsR2svQWMKLS0tIE9SWXAzVndsdGY3Uzh2eHpBRjdO\nTVc4cWNDUWRuSWRmZC8rK1ZFS2l4WEkKQR9mApDjb0k14W3jK+CEz3Dez6wSBpg+\nZ7uUfSbPXFxRxvNEascRn/+EHPcd/A7MZjViDUyWVcP6fSMPsQvxhw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWHlteTRDcHRneW9hbzlh\nMHBjZ2RHeDBIbDM2QXVxK09mcERVSUliVWw0Ckg1dGFkUUxPQW1HcDFXcEEyejFD\nWW5qUkNwRkdIdjRiTFJNd0Q5NWpLUUEKLS0tIG1wTnk1aEhudm9VZjZRVGRWWnR0\nVHlFbUJHaitadDVOSG1FMTBqeHJGV0kKAjuuw3j4dx3QfNcjyl8XCP9Q6oOkLZBN\nsW7uCqbVgBCG+uIggwefLWAy8g6PYlLj0aumgLPYVsXShbQYi32m/g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2022-10-06T05:07:20Z",
+		"mac": "ENC[AES256_GCM,data:9WR8xfs5XIkWxDlJVX1EiSJBLBgWMR99PJJXCK9RcbuChK7QvjWjEflwq419qeNbMWdHLkUwSQrBsoHomaiGWFOPZ0C8bqcqDl0zzXMk7nBxM4UgTjRLmML2tdI2bCS0DC0AtytThYPvkW+JHgKB6bOAEw/bVWVP4YJQKWEf6FY=,iv:nG+J7jCdqZHp6x6Vlvye7BbK7YSl0Y9cjTWbW/BZLxo=,tag:OWqXktZE52Q3j7D2KG+vHw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
--- a/secrets/universal/net/home-shared-24G.psk.bin
+++ b/secrets/universal/net/home-shared-24G.psk.bin
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:U0EwYI7Y0s6SO0lCqF0J8Zw9dyAiaiUBUOMh6tC8cLP2dSbCCptKeL6r64zhjZM1JHJ7MK/DbGVyq6c9osh8OtU=,iv:6wElrgQM6r+Cm/FNGrQeWOVUG2m5TXWiEyMkiCLtnXM=,tag:xjDgGK6QCWw6UlKxvyv52A==,type:str]",
+	"data": "ENC[AES256_GCM,data:ZYCyNfJdnYij3ZPNftCq+shfLs1Du/WjRyXMnphEltKr1MRr+f5RY++na3VVtREHYq/NMFNHMjlkcsBREt8KrPOlk5CUh4oNfwrFLsvDN9mJmW7mw0h0Nl0kxwPMI+SRHh1cKsmSjDYWBQ7pLKXbDfv46wyrFKT1v2mI5OiFjWNtL/Gtq8xeA9XQPN9plkqKc1oaazT4TsBgV0kqBlsH7cWuI2l8A7dLpKGqf+fhQ0xvdCo76WcvYuphgE2Wru8xWALPx+OttRTLc2nLHX0=,iv:A7+QdWvSRVRIWf+yW9QgVXQjVY47F2Jj2FqcYbqkz+I=,tag:cU+6Kc2LC/30c2hNv2GVgw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -39,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVTQyV0o3eWtQTEsxTXNZ\ndGJjcjQwWjA2QXFubmJSdGwyRHliRmtQSW1VCmh1K2l0NnVmNUlMUjdmd09IeG5a\nTVgvOWh1RWZZZnB1RkNHMjVSMG1pVG8KLS0tIElNbk53dnJxRE90WHZSbFVYRVAr\nNjcraVhhWVdpTDZJOG9uaUVmWFF2T00KGyNISTg/g7v1+VFlCg0MjDTjbcahdSQk\nQpxdjvqQ3qtcfOS/+OO5CZYEJIVp6YybXyHJ4SSbaED22YtTJGmRNw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2022-09-29T11:29:49Z",
-		"mac": "ENC[AES256_GCM,data:LaNUZ90jysY/2qR7UpZ14wS40AMtFYb9U/siHNRxQgWAz/6jIEWAbKm9AgkT0rA4swQoDlmcDof01UtFTrh9whfKjiOovjuqVUzeflZbKECjvbTh5UPbMedTaAJ3LU9HrO6JVB4eGlsXhO8s75larG6tRNiwvXzrVS1icRS6ebM=,iv:/uypXokTQu4IkqNyY10MBQj0XXLLtWYNmloY3rttqfw=,tag:WXX1aUnOZYUVEy8QgQNZHw==,type:str]",
+		"lastmodified": "2022-10-08T03:30:39Z",
+		"mac": "ENC[AES256_GCM,data:0qrOFciOrb0Q0ZaaYbjKMOJwaZxsOiodPJomWVliVt7OFmxIdBorE/SGgtgQGQz6twJqeSCJi9NiEFWTfnitO0NH//jaMFiAZVGBbk3r8YrZ4UyzhQsEYCED036y0cIU31qxX2DbwNBA2R69mJqzCcTgpZORVsKOoyANp+HDhzc=,iv:B7Uopjj6jS4rIYZ0uHU6nfBMBvHUJkg6CCBZIQZNaYU=,tag:Qdi1bHKpp80XhniokLHLJw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
--- a/secrets/universal/net/home-shared.psk.bin
+++ b/secrets/universal/net/home-shared.psk.bin
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:SFlFGQxJUdMADvYgSMRB3zNsC8f3FmUbFtVylyCRt20T0ZBzxmkfApdPcpok3lXAKJ+EC042Aac9zEJU,iv:fxEsrF543nRrkfriVgdhUSJMi3FhXNTMwK4+4qzSM+w=,tag:fygQgjcedtPCZfdMOHnuEg==,type:str]",
+	"data": "ENC[AES256_GCM,data:ou55VGY+beKMouNj4qQaBOAZK/5UKu6A521lNW2i0KlSmgJ8qQ501lesy0bEmDkZqqhluP8XE5FZLwEXvqqMh/TBuN1OkCsQis53/M1s0g==,iv:Ir5uD1P8OlHlcjGCHVkUHr0AjoXzd7kOcAeajo66hUE=,tag:m+rReK9o/8TG4LBkNN1ZZQ==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -39,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraXJQOHR6ZzE5TjNQYmpB\nSStEQS9mcUpMSXlFQ05DcllFSjNOT1pWdVJZCmtSL3FkZ2Q1cU1Fc1dZbG13eXJC\nTXJkN0NzWTlDOEFMRGNQUG5HQUNUVDgKLS0tIGRwcmVxS0lNQ09GdmxKY2pkQ2Yz\nSkpZam1ZQUN1L1FZZ010ZlhUV1N4VlkKqsFAE+xZ24IMzIFjbsgANdjiGwVZk5rq\n66y00bjw+uj6WOwQuE1I9WcYDhCXEUQB9u4Q+hzejaFzCJ90N/WF4w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2022-09-29T11:30:17Z",
-		"mac": "ENC[AES256_GCM,data:x0pSMtOrID2h1E0PgEHLBcESOYZvkJE07UpCK+TN3zqMfyUFoDRK/Ro335QZXekQ7VSdSKFj/al7bpgscYO+ZXHrCHoFIW/HF6YSOKRzobVT3SXP0e9u/1BpGQW8qtaOVwWb0M8jpgoJ7W+OwzgMHIU9DW3NopfxZy10al+48Tw=,iv:JiA8z9MWEM68Eqip0Bp7xQR65Lu12dhWZFvH43vbABA=,tag:LyIgygW8Cr9VCxs/aKoXGw==,type:str]",
+		"lastmodified": "2022-10-08T03:39:12Z",
+		"mac": "ENC[AES256_GCM,data:4Rr2iqmzLtE9i45Hn10wuf8unKt+YNAYTF3RWwEW1AjN+pF7ZvwMbrUutRCb6uMxCQUyNl+adfFRu8Xae0/SqFBfdAPxzeQZGrBjb384seLrNS0XyUacfdoSCczrRUF8+F3mIHetaJCd2jOpoh5HotoSN3fx+nZNhD+56XmJBr0=,iv:YlDMimhG+a9Wzq0ZN0tnZ1gH69e7olyHGWhIV2/4K64=,tag:GjVzbNa/NdzVmdPyE5etXw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
--- a/secrets/universal/net/iphone.psk.bin
+++ b/secrets/universal/net/iphone.psk.bin
@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:XGhxqtkmLOKQqcdmJvQ9rKdUW0qassF2glLvUpAs6uyO6WHVKvXKhAIJIsZZbd1RRlJ5PuwBvu7lKIrcVIswKvwF/MhXTCqfoB0fpmysaCpKdkLYojiSvsHQAXB9gIAnL0dVIEvZ+s7MRG5wp8s2+y18JsgS8jBM0vMFoLxVF41isocMcxO0a1wnCjAWy2s0845OOjhVSNCuVSjI5Oc1dTO9vycDHV4Y6MulFoBSlwfJdUf2nVR/FNuCxyxFX//wgRuN3cg1zkmoBblnvkccMGIzkmuByUAlqdaaug/Q,iv:9HIUqe5dTjVrHM5a9IrpYLtsDpg3Ts3mX9H8M8M572o=,tag:2EK0Zj6DTM/QmbVL+lG8wg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWUdWVkN2UGNBUzBqV0hK\nb0hnc1YxZWoyYkNIOVhreHlzOUJKVEdjdVJJCnRVSXYzWkl5ZktHdnJqTjIyUE9O\nQ2Jya0NuLzlDWDVoR3JTQVB3STJYSk0KLS0tIHllNisyMmJSNTBsZU85U0FuRWpU\ncnEvdGVhZlBXMjIzVUV3YTdQOXJjcE0Km66SgSPKbEC5bkCZI7l00QuPvgAH8kuD\no0A9w/lRBgcP787lqyUwULA+gu4YwvNIupvuABXm9KaFHtVqYDVJJw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMXJYUytzRFVMYjNyZ0ZM\nb3dsVjV6blJ0K0JmcU1QYjNVY1JvSXQzTFQ0ClI5SG1tOTFYOWxuMWF3bFNxaWxL\nRDBiR2FZMVdOOVhoc1Via2xRd0t6SlkKLS0tIGUrRGZCZmxwOVl5dnVqVzJSdDNU\nUWE1VnkzSjJJZU9aOVdETklRa3VyeDgKqQpyc7UR7ValJuTD+NKIUSjKHNNAkPsS\nEgqI8DxjCvaSERKOYH/6pMSdRGklzS0ECuW5TNm0d4BvlbaFEiozlg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWVRINUFUa1lqZHZybHR5\nWmRuYmQyUTB5Z1RPaXJNc3VMUkFQZmhGMGhrCklaa3ZaNVYxYlAzaWsxRXN3c2E4\nNnB5S3VXa01ZdExzazRFcnRmdmNaQncKLS0tIEFpTksxUkVrMldSbDdPcXFMbnhB\nUGJyOVB5TFI3TU5hRXdKK25ORzIrUlUKjDGNOoLb7N+UKCEOwMXWklyQt0xapeMr\nKDFMcuxTX7WouiCF+GCXegQYfsXLsrETbbz+L6BOsV6O4uNNtYMZNA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dnFSRVlvc293MWJlTC9k\nMGtLVmNlbWlXZVczdDlnQVhXTDJjZHE1U2tzClFucGhya1M1SFpheFVEM3JmWDlG\nSzZCd1JwalNYVVZqQWdKVWNhRDUwbE0KLS0tIGtpd3huNUtld0V0SzBJK0FXMkxC\nT3VJckV3aHFMc3c0K1V6S1d0NitNaVEKe73p65j2fb4Hd7TLJqiX6NUyKbv7K2te\nNzPxOZQCBrSogqbnT2qDt5Yptr2nk5qK4CkoELw1/Iha8xLg96qcRA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSmJGNTNpTS9QKzc0dUNt\ndGxxbnY3eTYzc1lPcXRrdjBJdlZwNm50R0hNCjE0OWdDdEdvb0ZMNlA3SkZERWhs\ndk5FMTdQc3VUTUgwQ0t5NTVZZWEzc1UKLS0tIEJNNjVrN0h2Qjl5UVh3KzRVNzBR\ndS9nL2U3T2l4MG5XNndjYkg3WnQ3cHMKUcW4kwhoqw/2VRO+qD65Hy789fppwpLg\n7PZ2YZTa/OWufYweYQnSDCtRC1dCdtOUE3mhjtBsGaqKp0pOzOmNwg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SElrMkprWXk3OUExaGEz\nQXBOM0Z1cHQzUUd3Q2ZWWC92bVJ0dmtSNGtnCk04d2E1NDkyUDhFNW5tSUtGMFQy\nMkMxR3p0QVNCUSs5UkE2Rjg1cStmc1kKLS0tIEhTS3hUcTNlT0lxRmdlK0VRSzNP\nUllGcHJ1TkpHTGVyaXFEUmhoZURVVlUKidC2z1cN6iwswN5+FKYEXSpif82MW5oC\nR1axSWsIJc7P2hPf4ua5BVoDqEn/Vei92NOcbQNfYUtEdkCGFbkYzw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNjN1cHhtYUlOQngzYjhH\nUEZzbTVwT3dSalJBQlc1b2ZBRmwwSHoyZURNCjd4WllKSTE0OElFSGd3K1dzR2oz\ncWprejcrOUJuOVZWdDBkMXNVejJsaFkKLS0tIHkvNHZ0SVdnOUlTTnBvdVZLcUFp\nNTlXSlU0UGh6NFZUYUIraEpSRTJVaGsKb85V2N1dgP65R/xdjq7vEKO+b9NdJ9D+\nh7pVfx9ghSKdmcADWxyRhpmjc7Yyfx5wzpWbuV0mAibPLS9RdLry5Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYlJWZ2t6WDlRdUJqU2pG\nYkE3T005bUhCcUJ0TEw0MEdDY1JFUzJjcVMwCkhCckRzcldLWTJPSEVjbHk3VE1p\nY21rRWR3cUVscmNiL29NL3M1QjZsYlUKLS0tIDJ4M3JtdGFRbUhFR2FtSGVuZk9n\nL1VjS1hnbzZwT1lQalJBbFU0SjFOWkUKUkGyPmpilSZdupNlR+cD4+HUOwyNm8WF\nu3vS7Ec4FJcjnx2t185yXEStZSVGptw/wKTxJiJ5P9by75XkAJZFmg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2022-10-09T02:24:20Z",
+		"mac": "ENC[AES256_GCM,data:AIRI5vLpVvWuxjvPerwzsBnwsSPrtazgCMPjP2be5aUcglT9e+98Dlg+jX60XjiO/1DvEepoCLd5Xnr6GHOkgRRR90YPsZT9eRttwhBavXaOF2Da7zwP5ZOg3cO0JGQsegTxJYFMmROCZppybL6EOsT2n18pc2M2HdEBt5oKP2k=,iv:ive5dqvbBQ3Ef5ycZP+l1Vuc38ylFTJhGh5+ksMCyAc=,tag:OP9EgZN2q2OKPRpOv2x7Tg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
Author	SHA1	Message	Date
colin	a17ad5fbf2	moby: build/deploy kaiteki	2022-10-09 04:17:04 -07:00
colin	645ca3764b	vim: disable mouse mode by default >.>	2022-10-08 23:17:26 -07:00
colin	22602283c9	browser: gracefully handle OCSP outages	2022-10-08 21:54:00 -07:00
colin	39b963e87b	flake update: sops and its deps ``` • Updated input 'sops-nix': 'github:Mic92/sops-nix/912f9ff41fd9353dec1f783170793699789fe9aa' (2022-09-26) → 'github:Mic92/sops-nix/0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3' (2022-10-09) • Updated input 'sops-nix/nixpkgs': 'github:NixOS/nixpkgs/ff9793cfd1a25145a7e591af604675b3d6f68987' (2022-09-26) → 'github:NixOS/nixpkgs/7b06206fa24198912cea58de690aa4943f238fbf' (2022-10-08) • Updated input 'sops-nix/nixpkgs-22_05': 'github:NixOS/nixpkgs/00f877f4927b6f7d7b75731b5a1e2ae7324eaf14' (2022-09-26) → 'github:NixOS/nixpkgs/b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5' (2022-10-09) ``` the only change appears to be that sops updated its own reference to nixpkgs.	2022-10-08 21:43:41 -07:00
colin	1a5f1260e2	Merge branch 'staging/2022-10-08-flutter-update'	2022-10-08 21:39:37 -07:00
colin	c18e8eddcc	zsh: enable zmb builtin	2022-10-08 20:12:50 -07:00
colin	874c352987	net: add psk for connecting to my mobile hotspot	2022-10-08 19:24:55 -07:00
colin	0395c5b8ee	update nixpkgs: 2022-10-06 and rebase Kaiteki	2022-10-08 18:21:38 -07:00
colin	f64c44716e	home: persist fractal IM data	2022-10-08 05:42:02 -07:00
colin	b2b61d2889	net: hex-encode the home network names. otherwise iwd doesn't seem to understand them?	2022-10-07 20:39:26 -07:00
colin	4f05a00e4a	RSS: add Doomberg	2022-10-07 20:13:26 -07:00
colin	c71346e9b8	servo: matrix: enable mx-puppet-discord for better Discord bridging	2022-10-07 04:33:23 -07:00
colin	f5576c3667	servo: matrix: rename `discord.nix` -> `discord-appservice.nix` this is in contrast to e.g. mx-discord-puppet, which i'll be trying soon	2022-10-07 02:16:01 -07:00
colin	b437ddacd9	servo: disable matrix irc bridge by just not importing the nix file	2022-10-07 02:04:25 -07:00
colin	68bda8aea7	servo: migrate ipfs options (to kubo)	2022-10-06 23:47:16 -07:00
colin	d840f947b3	Merge branch 'staging/nixpkgs-2022-10-05'	2022-10-06 18:25:22 -07:00
colin	d4261c45e6	nixpkgs: 2022-10-02 -> 2022-10-05, plus mobile-nixos update ``` • Updated input 'mobile-nixos': 'github:nixos/mobile-nixos/efa5b5fae930370753d2e09361b38d10f0e0a00d' (2022-10-03) → 'github:nixos/mobile-nixos/ca872f1a617674c4045e880aab8a45037e73700b' (2022-10-04) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/59d2991d4256cdca1c0cda45d876c80a0fe45c31' (2022-10-02) → 'github:NixOS/nixpkgs/37bd39839acf99c5b738319f42478296f827f274' (2022-10-05) • Updated input 'nixpkgs-stable': 'github:NixOS/nixpkgs/9cac45850280978a21a3eb67b15a18f34cbffa2d' (2022-10-01) → 'github:NixOS/nixpkgs/fe76645aaf2fac3baaa2813fd0089930689c53b5' (2022-10-04) ```	2022-10-06 18:24:35 -07:00
colin	6e01c59d08	default-initialize gnome keyrings, and persist them to disk	2022-10-06 17:29:10 -07:00
colin	9052291b31	add script to initialize the gnome keyring	2022-10-06 17:21:59 -07:00
colin	a95884d635	env: enable `home-manager-help` command; add `libsecret` to env	2022-10-06 15:56:37 -07:00
colin	0e9993923d	servo: matrix: move irc config to own file	2022-10-06 02:19:44 -07:00
colin	cc12b87d0e	servo: matrix: use username/groupname instead of uid/gid for impermanence	2022-10-06 01:55:25 -07:00
colin	a5393c3c84	servo: matrix: break the discord bridge out of `default.nix`	2022-10-06 01:54:46 -07:00
colin	e1cd1be48d	Merge branch 'staging/discord'	2022-10-06 01:38:49 -07:00
colin	37b931418d	servo: matrix-appservice-discord: disable annoying quirks like bad edits, bot replies, etc.	2022-10-06 01:35:00 -07:00
colin	a3db626a00	servo: matrix-appservice-discord: hide keys in sops, and enable.	2022-10-05 22:38:20 -07:00
colin	ca239ca3e6	matrix: set up Discord bridge verified working after i fill in the Discord secrets, but i need to find a way to provide those outside of the nix store.	2022-10-05 22:02:07 -07:00
colin	6c38500e52	servo: patch matrix-appservice-discord to allow 100% puppeting	2022-10-05 19:29:40 -07:00
colin	0c4dd28bc8	env: include sqlite to debug databases	2022-10-05 02:46:11 -07:00
colin	47f378e7fc	servo: consolidate service enumeration to `services/default.nix`	2022-10-04 23:08:03 -07:00
colin	0648825765	moby: update kernel 6.0.0-rc4 -> 6.0.0 (release)	2022-10-04 15:57:15 -07:00
colin	5f277f8653	moby: fix up CMA allocations so fractal (gui app) works this probably enables other apps like Element; untested	2022-10-04 02:25:59 -07:00
colin	5929286397	update nixpkgs: 2022-09-30 -> 2022-10-02 have to add nixpkgs stable to pin electrum to a buildable version ``` • Updated input 'mobile-nixos': 'github:nixos/mobile-nixos/42a30393b5eccaf7f73104fc39a71f0801340f5f' (2022-10-01) → 'github:nixos/mobile-nixos/efa5b5fae930370753d2e09361b38d10f0e0a00d' (2022-10-03) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/10ecda252ce1b3b1d6403caeadbcc8f30d5ab796' (2022-09-30) → 'github:NixOS/nixpkgs/59d2991d4256cdca1c0cda45d876c80a0fe45c31' (2022-10-02) ```	2022-10-03 13:49:01 -07:00
colin	8847147a9d	Revert "electrum: fix build using upstream patch instead of own" the proposed fix doesn't work on x86_64 This reverts commit `5058694c5b`.	2022-10-03 01:01:39 -07:00
colin	5682a3e5f1	moby: remove some dead/commented-out code	2022-10-02 20:43:52 -07:00
colin	6bc9337b3a	phosh-mobile-settings: include all the needed buildInputs	2022-10-02 19:15:44 -07:00
colin	5058694c5b	electrum: fix build using upstream patch instead of own	2022-10-02 16:42:13 -07:00
colin	94e03467ab	Merge branch 'staging/nixpkgs-2022-09-30'	2022-10-02 04:42:31 -07:00
colin	2ff9cc9d6c	pkg: sane-mount-servo: comment/note a fix about a bug i saw in this script	2022-10-02 01:26:50 -07:00
colin	a38d66073d	env: add packages for tagging mp3s	2022-10-02 01:25:31 -07:00
colin	f486fa9eda	env: symlink servo media into Videos and Music	2022-10-02 01:24:42 -07:00
colin	e3faabfad7	update nixpkgs: 2022-09-28 -> 2022-09-30 ``` • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/854fdc68881791812eddd33b2fed94b954979a8e' (2022-09-28) → 'github:NixOS/nixpkgs/10ecda252ce1b3b1d6403caeadbcc8f30d5ab796' (2022-09-30) ```	2022-10-02 01:20:50 -07:00
colin	7d4a7df2dd	replace deprecated `runCommandNoCC` with `runCommand` (fixes imgs.moby build)	2022-10-01 23:51:29 -07:00
colin	93177fffb3	pkgs: install the Fractal matrix client i'll try to deploy this to the Pinephone, because it looks very modern and supports E2E	2022-10-01 02:53:28 -07:00
colin	bc482a2621	nix flake update: mobile-nixos: 2022-09-30 -> 2022-10-01 ``` • Updated input 'mobile-nixos': 'github:nixos/mobile-nixos/b082416ae3169e00552b8b0933c9f38ae50f181b' (2022-09-30) → 'github:nixos/mobile-nixos/42a30393b5eccaf7f73104fc39a71f0801340f5f' (2022-10-01) ```	2022-09-30 21:35:24 -07:00
colin	381d41e3b4	phosh-mobile-settings: point to upstream PR	2022-09-30 21:29:37 -07:00