add templates.python-data

for more info, see
<https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-flake-init.html>

.sops.yaml

@@ -23,6 +23,7 @@ creation_rules:
     key_groups:
     - age:
       - *user_desko_colin
+      - *user_lappy_colin
       - *user_servo_colin
       - *host_servo
   - path_regex: secrets/desko.yaml$
@@ -31,3 +32,16 @@ creation_rules:
       - *user_desko_colin
       - *user_lappy_colin
       - *host_desko
+  - path_regex: secrets/lappy.yaml$
+    key_groups:
+    - age:
+      - *user_lappy_colin
+      - *user_desko_colin
+      - *host_lappy
+  - path_regex: secrets/moby.yaml$
+    key_groups:
+    - age:
+      - *user_desko_colin
+      - *user_lappy_colin
+      - *user_moby_colin
+      - *host_moby

TODO.md

@@ -1,16 +0,0 @@
-# features/tweaks
-- emoji picker application
-- find a Masto/Pleroma app which works on mobile
-- remove hardcoded uid/gids outside of allocations.nix (used in impermanence code -- replace with username/groupname)
-
-
-# speed up cross compiling
-- <https://nixos.wiki/wiki/Cross_Compiling>
-- <https://nixos.wiki/wiki/NixOS_on_ARM>
-```nix
-   overlays = [{ ... }: {
-     nixpkgs.crossSystem.system = "aarch64-linux";
-   }];
-```
-- <https://github.com/nix-community/aarch64-build-box>
-	- apply for access to the community arm build box

flake.lock

@@ -22,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1665475263,
-        "narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
+        "lastModified": 1667907331,
+        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
+        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1661933071,
-        "narHash": "sha256-RFgfzldpbCvS+H2qwH+EvNejvqs+NhPVD5j1I7HQQPY=",
+        "lastModified": 1668668915,
+        "narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "def994adbdfc28974e87b0e4c949e776207d5557",
+        "rev": "5df9108b346f8a42021bf99e50de89c9caa251c3",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1665711470,
-        "narHash": "sha256-9cjKbTkxyWjswVExtIpglpvlR+iDY9/DWmXpZyzk5cY=",
+        "lastModified": 1668897543,
+        "narHash": "sha256-1bjvy5zi/6KDzhN3ihOUEA6y5FFEOf5xvIbf65RWIh0=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "e4b6f680b2a4f29f087a7c1299c11499d1a367b6",
+        "rev": "25eec596116553112681d72ee4880107fc3957fa",
         "type": "github"
       },
       "original": {
@@ -69,11 +69,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1665732960,
-        "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
+        "lastModified": 1669542132,
+        "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
+        "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
         "type": "github"
       },
       "original": {
@@ -84,11 +84,11 @@
     },
     "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1665279158,
-        "narHash": "sha256-TpbWNzoJ5RaZ302dzvjY2o//WxtOJuYT3CnDj5N69Hs=",
+        "lastModified": 1669513802,
+        "narHash": "sha256-AmTRNi8bHgJlmaNe3r5k+IMFbbXERM/KarqveMAZmsY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5",
+        "rev": "6649e08812f579581bfb4cada3ba01e30485c891",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1665613119,
-        "narHash": "sha256-VTutbv5YKeBGWou6ladtgfx11h6et+Wlkdyh4jPJ3p0=",
+        "lastModified": 1669546925,
+        "narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e06bd4b64bbfda91d74f13cb5eca89485d47528f",
+        "rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1665289655,
-        "narHash": "sha256-j1Q9mNBhbzeJykhObiXwEGres9qvP4vH7gxdJ+ihkLI=",
+        "lastModified": 1669714206,
+        "narHash": "sha256-9aiMbzRL8REsyi9U0eZ+lT4s7HaILA1gh9n2apKzLxU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3",
+        "rev": "8295b8139ef7baadeb90c5cad7a40c4c9297ebf7",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1665758541,
-        "narHash": "sha256-ibR8bPwHlDjavri5cNVnoo5FmFk1IfNMmQXxat5biqs=",
+        "lastModified": 1666870107,
+        "narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
         "ref": "refs/heads/master",
-        "rev": "4ad1801f6cecd678bbeae5dfe5933448dd7b3360",
-        "revCount": 163,
+        "rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
+        "revCount": 164,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -25,8 +25,16 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-stable, mobile-nixos, home-manager, sops-nix, impermanence, uninsane }:
-  let
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-stable,
+    mobile-nixos,
+    home-manager,
+    sops-nix,
+    impermanence,
+    uninsane
+  }: let
     patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
       name = "nixpkgs-patched-uninsane";
       src = nixpkgs;
@@ -37,7 +45,7 @@
     nixpkgsFor = local: target: import (patchedPkgs target) { crossSystem = target; localSystem = local; };
     # evaluate ONLY our overlay, for the provided system
     customPackagesFor = local: target: import ./pkgs/overlay.nix (nixpkgsFor local target) (nixpkgsFor local target);
-    decl-machine = { name, local, target }:
+    decl-host = { name, local, target }:
     let
       nixosSystem = import ((patchedPkgs target) + "/nixos/lib/eval-config.nix");
     in (nixosSystem {
@@ -46,13 +54,11 @@
       specialArgs = { inherit mobile-nixos home-manager impermanence; };
       modules = [
         ./modules
-        ./machines/${name}
-        (import ./helpers/set-hostname.nix name)
+        (import ./hosts/instantiate.nix name)
         home-manager.nixosModule
         impermanence.nixosModule
         sops-nix.nixosModules.sops
         {
-          nixpkgs.config.allowUnfree = true;
           nixpkgs.overlays = [
             (import "${mobile-nixos}/overlay/overlay.nix")
             uninsane.overlay
@@ -63,17 +69,16 @@
               # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
               cross = (nixpkgsFor local target) // (customPackagesFor local target);
               stable = import nixpkgs-stable { system = target; };
-              # pinned packages:
-              electrum = stable.electrum;  # 2022-10-10: build break
-              sequoia = stable.sequoia;    # 2022-10-13: build break
+              # cross-compatible packages
+              # gocryptfs = cross.gocryptfs;
             })
           ];
         }
       ];
     });
 
-    decl-bootable-machine = { name, local, target }: rec {
-      nixosConfiguration = decl-machine { inherit name local target; };
+    decl-bootable-host = { name, local, target }: rec {
+      nixosConfiguration = decl-host { inherit name local target; };
       # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
       # after building this:
       #   - flash it to a bootable medium (SD card, flash drive, HDD)
@@ -86,35 +91,39 @@
       #   - boot
       #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
       #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
-      #   - `nixos-rebuild --flake './#<machine>' switch`
+      #   - `nixos-rebuild --flake './#<host>' switch`
       img = nixosConfiguration.config.system.build.img;
     };
-    machines.servo = decl-bootable-machine { name = "servo"; local = "aarch64-linux"; target = "aarch64-linux"; };
-    machines.desko = decl-bootable-machine { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    machines.lappy = decl-bootable-machine { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    machines.moby = decl-bootable-machine { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
+    hosts.servo = decl-bootable-host { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.desko = decl-bootable-host { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.lappy = decl-bootable-host { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.moby = decl-bootable-host { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
     # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
     # note that these *do* produce different store paths, because the closure for the tools used to cross compile
     # v.s. emulate differ.
-    # so deploying moby-cross and then moby incurs some rebuilding.
-    machines.moby-cross = decl-bootable-machine { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
-    machines.rescue = decl-bootable-machine { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    # so deploying foo-cross and then foo incurs some rebuilding.
+    hosts.moby-cross = decl-bootable-host { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
+    hosts.rescue = decl-bootable-host { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
   in {
-    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
-    imgs = builtins.mapAttrs (name: value: value.img) machines;
+    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) hosts;
+    imgs = builtins.mapAttrs (name: value: value.img) hosts;
     packages = let
-      custom-x86_64 = customPackagesFor "x86_64-linux" "x86_64-linux";
-      custom-aarch64 = customPackagesFor "aarch64-linux" "aarch64-linux";
-      nixpkgs-x86_64 = nixpkgsFor "x86_64-linux" "x86_64-linux";
-      nixpkgs-aarch64 = nixpkgsFor "aarch64-linux" "aarch64-linux";
-    in {
-      x86_64-linux = custom-x86_64 // {
-        nixpkgs = nixpkgs-x86_64;
-        uninsane = uninsane.packages.x86_64-linux;
+      allPkgsFor = sys: (customPackagesFor sys sys) // {
+        nixpkgs = nixpkgsFor sys sys;
+        uninsane = uninsane.packages."${sys}";
       };
-      aarch64-linux = custom-aarch64 // {
-        nixpkgs = nixpkgs-aarch64;
-        uninsane = uninsane.packages.aarch64-linux;
+    in {
+      x86_64-linux = allPkgsFor "x86_64-linux";
+      aarch64-linux = allPkgsFor "aarch64-linux";
+    };
+    templates = {
+      python-data = {
+        # initialize with:
+        # - `nix flake init -t '/home/colin/dev/nixos/#python-data'`
+        # then enter with:
+        # - `nix develop`
+        path = ./templates/python-data;
+        description = "python environment for data processing";
       };
     };
   };

helpers/set-hostname.nix

@@ -1,4 +0,0 @@
-hostName: { ... }:
-{
-  networking.hostName = hostName;
-}

hosts/common/default.nix

@@ -0,0 +1,74 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./fs.nix
+    ./hardware
+    ./machine-id.nix
+    ./net.nix
+    ./secrets.nix
+    ./ssh.nix
+    ./users.nix
+    ./vpn.nix
+  ];
+
+  sane.home-manager.enable = true;
+  sane.nixcache.enable-trusted-keys = true;
+  sane.packages.enableConsolePkgs = true;
+  sane.packages.enableSystemPkgs = true;
+
+  nixpkgs.config.allowUnfree = true;
+
+  # time.timeZone = "America/Los_Angeles";
+  time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
+
+  # allow `nix flake ...` command
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
+  # TODO: move this into home-manager?
+  fonts = {
+    enableDefaultFonts = true;
+    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
+    fontconfig.enable = true;
+    fontconfig.defaultFonts = {
+      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
+      monospace = [ "Hack" ];
+      serif = [ "DejaVu Serif" ];
+      sansSerif = [ "DejaVu Sans" ];
+    };
+  };
+
+  # disable non-required packages like nano, perl, rsync, strace
+  environment.defaultPackages = [];
+
+  # programs.vim.defaultEditor = true;
+  environment.variables = {
+    EDITOR = "vim";
+    # git claims it should use EDITOR, but it doesn't!
+    GIT_EDITOR = "vim";
+    # TODO: these should be moved to `home.sessionVariables` (home-manager)
+    # Electron apps should use native wayland backend:
+    #   https://nixos.wiki/wiki/Slack#Wayland
+    # Discord under sway crashes with this.
+    # NIXOS_OZONE_WL = "1";
+    # LIBGL_ALWAYS_SOFTWARE = "1";
+  };
+  # enable zsh completions
+  environment.pathsToLink = [ "/share/zsh" ];
+  environment.systemPackages = with pkgs; [
+    # required for pam_mount
+    gocryptfs
+  ];
+
+  # link debug symbols into /run/current-system/sw/lib/debug
+  # hopefully picked up by gdb automatically?
+  environment.enableDebugInfo = true;
+
+  security.pam.mount.enable = true;
+  # security.pam.mount.debugLevel = 1;
+  # security.pam.enableSSHAgentAuth = true; # ??
+  # needed for `allow_other` in e.g. gocryptfs mounts
+  # or i guess going through mount.fuse sets suid so that's not necessary?
+  # programs.fuse.userAllowOther = true;
+}

hosts/common/fs.nix

@@ -19,11 +19,17 @@ let sshOpts = rec {
 
   optionsRoot = optionsBase ++ [
     # we don't transform_symlinks because that breaks the validity of remote /nix stores
-    "sftp_server=/run/wrappers/bin/sudo\\040${pkgs.openssh}/libexec/sftp-server"
+    "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
   ];
 };
 in
 {
+  environment.pathsToLink = [
+    # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
+    # we can only link whole directories here, even though we're only interested in pkgs.openssh
+    "/libexec"
+  ];
+
   fileSystems."/mnt/servo-media-wan" = {
     device = "colin@uninsane.org:/var/lib/uninsane/media";
     inherit (sshOpts) fsType;

hosts/common/hardware/x86_64.nix

@@ -2,7 +2,7 @@
 
 with lib;
 {
-  config = mkIf (pkgs.system == "x86_64-linux") { 
+  config = mkIf (pkgs.system == "x86_64-linux") {
     boot.initrd.availableKernelModules = [
       "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
       "usb_storage"   # rpi needed this to boot from usb storage, i think.

hosts/common/machine-id.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  # we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
+  # logs from previous boots.
+  # maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
+  # but for now generate it from ssh keys.
+  system.activationScripts.machine-id = {
+    deps = [ "persist-ssh-host-keys" ];
+    text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
+  };
+}

hosts/common/net.nix

@@ -18,10 +18,20 @@
   # docs:
   # - <https://nixos.wiki/wiki/Iwd>
   # - <https://iwd.wiki.kernel.org/networkmanager>
+  # - `man iwd.config`  for global config
+  # - `man iwd.network` for per-SSID config
   # use `iwctl` to control
-  networking.wireless.iwd.enable = true;
   networking.networkmanager.wifi.backend = "iwd";
+  networking.wireless.iwd.enable = true;
+  networking.wireless.iwd.settings = {
+    # auto-connect to a stronger network if signal drops below this value
+    # bedroom -> bedroom connection is -35 to -40 dBm
+    # bedroom -> living room connection is -60 dBm
+    General.RoamThreshold = "-52";  # default -70
+    General.RoamThreshold5G = "-52";  # default -76
+  };
 
+  # TODO: don't need to depend on binsh if we were to use a nix-style shebang
   system.activationScripts.linkIwdKeys = let
     unwrapped = ../../scripts/install-iwd;
     install-iwd = pkgs.writeShellApplication {
@@ -30,7 +40,7 @@
       text = ''${unwrapped} "$@"'';
     };
   in (lib.stringAfter
-    [ "setupSecrets" ]
+    [ "setupSecrets" "binsh" ]
     ''
     mkdir -p /var/lib/iwd
     ${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd

hosts/common/secrets.nix

@@ -16,7 +16,7 @@
   #   add the result to .sops.yaml
   #   since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
   #
-  # for each machine you want to decrypt secrets:
+  # for each host you want to decrypt secrets:
   #   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   #   add the result to .sops.yaml
   #   $ sops updatekeys secrets/example.yaml
@@ -32,12 +32,12 @@
   # This will add secrets.yaml to the nix store
   # You can avoid this by adding a string to the full path instead, i.e.
   # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ./../../secrets/universal.yaml;
+  sops.defaultSopsFile = ../../secrets/universal.yaml;
   # This will automatically import SSH keys as age keys
   sops.age.sshKeyPaths = [
-    "/etc/ssh/ssh_host_ed25519_key"
-    # "/home/colin/.ssh/id_ed25519_dec"
+    "/etc/ssh/host_keys/ssh_host_ed25519_key"
   ];
+  sops.gnupg.sshKeyPaths = [];  # disable RSA key import
   # This is using an age key that is expected to already be in the filesystem
   # sops.age.keyFile = "/home/colin/.ssh/age.pub";
   # sops.age.keyFile = "/var/lib/sops-nix/key.txt";

hosts/common/ssh.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  # we place the host keys (which we want to be persisted) into their own directory so that we can
+  # bind mount that whole directory instead of doing it per-file.
+  # otherwise, this is identical to nixos defaults
+  sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
+
+  # we can't naively `mount /etc/ssh/host_keys` directly,
+  # as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
+  # we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
+  # since that also depends on `users`.
+  system.activationScripts.persist-ssh-host-keys.text = ''
+    mkdir -p /etc/ssh/host_keys
+    mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
+  '';
+
+  services.openssh.hostKeys = [
+    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
+    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
+  ];
+}

hosts/common/users.nix

@@ -43,17 +43,14 @@ in
         "feedbackd"
         "dialout" # required for modem access
       ];
+
+      # initial password is empty, in case anything goes wrong.
+      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
       initialPassword = lib.mkDefault "";
+      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
+
       shell = pkgs.zsh;
-      # shell = pkgs.bashInteractive;
-      # XXX colin: create ssh key for THIS user by logging in and running:
-      #   ssh-keygen -t ed25519
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
-      ];
+      openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
 
       pamMount = {
         # mount encrypted stuff at login
@@ -67,6 +64,15 @@ in
       };
     };
 
+    sane.impermanence.home-dirs = [
+      # cache is probably too big to fit on the tmpfs
+      # TODO: we could bind-mount it to something which gets cleared per boot, though.
+      ".cache"
+      ".cargo"
+      ".rustup"
+      ".local/share/keyrings"
+    ];
+
     sane.impermanence.service-dirs = mkIf cfg.guest.enable [
       { user = "guest"; group = "users"; directory = "/home/guest"; }
     ];

hosts/desko/default.nix

@@ -4,6 +4,8 @@
     ./fs.nix
   ];
 
+  # sane.packages.enableDevPkgs = true;
+
   sane.gui.sway.enable = true;
   sane.services.duplicity.enable = true;
   sane.services.nixserve.enable = true;
@@ -18,6 +20,11 @@
   users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
   users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
 
+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/desko.yaml;
+    neededForUsers = true;
+  };
+
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
   #   - hourly snapshots

hosts/instantiate.nix

@@ -0,0 +1,10 @@
+# trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
+
+hostName: { ... }: {
+  imports = [
+    ./${hostName}
+    ./common
+  ];
+
+  networking.hostName = hostName;
+}

hosts/lappy/default.nix

@@ -4,6 +4,8 @@
     ./fs.nix
   ];
 
+  # sane.packages.enableDevPkgs = true;
+
   # sane.users.guest.enable = true;
   sane.gui.sway.enable = true;
   sane.impermanence.enable = true;
@@ -11,7 +13,10 @@
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
-  users.users.colin.initialPassword = "147147";
+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/lappy.yaml;
+    neededForUsers = true;
+  };
 
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:

hosts/moby/default.nix

@@ -13,17 +13,23 @@
   # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
   documentation.nixos.enable = false;
 
-  # XXX colin: phosh doesn't work well with passwordless login
+  # XXX colin: phosh doesn't work well with passwordless login,
+  # so set this more reliable default password should anything go wrong
   users.users.colin.initialPassword = "147147";
   services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/moby.yaml;
+    neededForUsers = true;
+  };
+
   # usability compromises
   sane.impermanence.home-dirs = [
-    ".librewolf"
+    config.sane.web-browser.dotDir
   ];
 
-  # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
-  sane.home-manager.extraPackages = [
+  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
+  sane.packages.extraUserPkgs = [
     pkgs.plasma5Packages.konsole  # terminal
   ];
 

hosts/servo/default.nix

@@ -3,27 +3,23 @@
 {
   imports = [
     ./fs.nix
-    ./hardware.nix
     ./net.nix
     ./users.nix
     ./services
   ];
 
-  sane.home-manager.enable = true;
-  sane.home-manager.extraPackages = [
+  sane.packages.extraUserPkgs = [
     # for administering services
     pkgs.matrix-synapse
     pkgs.freshrss
   ];
   sane.impermanence.enable = true;
-  sane.services.duplicity.enable = true;
+  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
   sane.services.nixserve.enable = true;
+  sane.services.nixserve.sopsFile = ../../secrets/servo.yaml;
 
-  # TODO: look into the EFI stuff
-  boot.loader.grub.enable = false;
-  boot.loader.generic-extlinux-compatible.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
-  sane.image.extraBootFiles = [ pkgs.bootpart-u-boot-rpi-aarch64 ];
+  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sops.secrets.duplicity_passphrase = {
     sopsFile = ../../secrets/servo.yaml;
@@ -32,7 +28,7 @@
   # both transmission and ipfs try to set different net defaults.
   # we just use the most aggressive of the two here:
   boot.kernel.sysctl = {
-    "net.core.rmem_max" = "4194304";  # 4MB
+    "net.core.rmem_max" = 4194304;  # 4MB
   };
 
   # This value determines the NixOS release from which the default
@@ -41,6 +37,6 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "21.11";
 }
 

hosts/servo/fs.nix

@@ -0,0 +1,98 @@
+{ ... }:
+
+{
+  # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=755"
+      "size=1G"
+      "defaults"
+    ];
+  };
+  # we need a /tmp for building large nix things
+  fileSystems."/tmp" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=777"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/cc81cca0-3cc7-4d82-a00c-6243af3e7776";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/6EE3-4171";
+    fsType = "vfat";
+  };
+
+  # slow, external storage (for archiving, etc)
+  fileSystems."/nix/persist/ext" = {
+    device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  sane.impermanence.service-dirs = [
+    # TODO: this is overly broad; only need media and share directories to be persisted
+    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
+  ];
+  # direct these media directories to external storage
+  environment.persistence."/nix/persist/ext/persist" = {
+    directories = [
+      ({
+        user = "colin";
+        group = "users";
+        mode = "0777";
+        directory = "/var/lib/uninsane/media/Videos";
+      })
+      ({
+        user = "colin";
+        group = "users";
+        mode = "0777";
+        directory = "/var/lib/uninsane/media/freeleech";
+      })
+    ];
+  };
+
+  # in-memory compressed RAM (seems to be dynamically sized)
+  # zramSwap = {
+  #   enable = true;
+  # };
+
+  # btrfs doesn't easily support swapfiles
+  # swapDevices = [
+  #   { device = "/nix/persist/swapfile"; size = 4096; }
+  # ];
+
+  # this can be a partition. create with:
+  #   fdisk <dev>
+  #     n
+  #     <default partno>
+  #     <start>
+  #     <end>
+  #     t
+  #     <partno>
+  #     19  # set part type to Linux swap
+  #     w   # write changes
+  #   mkswap -L swap <part>
+  # swapDevices = [
+  #   {
+  #     label = "swap";
+  #     # TODO: randomEncryption.enable = true;
+  #   }
+  # ];
+}
+

hosts/servo/net.nix

@@ -13,6 +13,7 @@
 
   # networking.firewall.enable = false;
   networking.firewall.enable = true;
+  # TODO: split these into the submodules
   networking.firewall.allowedTCPPorts = [
     25   # SMTP
     80   # HTTP

hosts/servo/services/default.nix

@@ -2,8 +2,10 @@
 {
   imports = [
     ./ddns-he.nix
+    ./ejabberd.nix
     ./freshrss.nix
     ./gitea.nix
+    ./goaccess.nix
     ./ipfs.nix
     ./jackett.nix
     ./jellyfin.nix
@@ -13,6 +15,7 @@
     ./pleroma.nix
     ./postfix.nix
     ./postgres.nix
+    ./prosody.nix
     ./transmission.nix
   ];
 }

hosts/servo/services/ejabberd.nix

@@ -0,0 +1,48 @@
+# docs:
+# - <https://docs.ejabberd.im/admin/configuration/basic>
+{ lib, ... }:
+
+# XXX disabled: fails to start because of `mnesia_tm` dependency
+# lib.mkIf false
+{
+  sane.impermanence.service-dirs = [
+    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    5222  # XMPP client -> server
+    5269  # XMPP server -> server
+  ];
+
+  # provide access to certs
+  users.users.ejabberd.extraGroups = [ "nginx" ];
+
+  # TODO: allocate UIDs/GIDs ?
+  services.ejabberd.enable = true;
+  services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
+    hosts:
+      - uninsane.org
+
+    # none | emergency | alert | critical | error | warning | notice | info | debug
+    loglevel: debug
+
+    acme:
+      auto: false
+    certfiles:
+      - /var/lib/acme/uninsane.org/fullchain.pem
+      - /var/lib/acme/uninsane.org/key.pem
+
+    pam_userinfotype: jid
+
+    # see: <https://docs.ejabberd.im/admin/configuration/listen/>
+    # TODO: host web admin panel
+    listen:
+      -
+        port: 5222
+        module: ejabberd_c2s
+        starttls: true
+      -
+        port: 5269
+        module: ejabberd_s2s_in
+        starttls: true
+  '';
+}

hosts/servo/services/freshrss.nix

@@ -30,7 +30,7 @@
   systemd.services.freshrss-import-feeds =
   let
     fresh = config.systemd.services.freshrss-config;
-    feeds = import ../../../modules/universal/env/feeds.nix { inherit lib; };
+    feeds = import ../../../modules/home-manager/feeds.nix { inherit lib; };
     opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
   in {
     inherit (fresh) wantedBy environment;
@@ -45,4 +45,8 @@
       ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
     '';
   };
+
+  # the default ("*:0/5") is to run every 5 minutes.
+  # `systemctl list-timers` to show
+  systemd.services.freshrss-updater.startAt = lib.mkForce "*:3/30";
 }

hosts/servo/services/goaccess.nix

@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+  # based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
+  # log-format setting can be derived with this tool if custom:
+  # - <https://github.com/stockrt/nginx2goaccess>
+  # config options:
+  # - <https://github.com/allinurl/goaccess/blob/master/config/goaccess.conf>
+
+  systemd.services.goaccess = {
+    description = "GoAccess server monitoring";
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.goaccess}/bin/goaccess \
+          -f /var/log/nginx/public.log \
+          --log-format=VCOMBINED \
+          --real-time-html \
+          --html-refresh=30 \
+          --no-query-string \
+          --anonymize-ip \
+          --ignore-panel=HOSTS \
+          --ws-url=wss://sink.uninsane.org:443/ws \
+          --port=7890 \
+          -o /var/lib/uninsane/sink/index.html
+      '';
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Type = "simple";
+      Restart = "on-failure";
+
+      # hardening
+      WorkingDirectory = "/tmp";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = "read-only";
+      ProtectSystem = "strict";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
+      ReadOnlyPaths = "/";
+      ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
+      PrivateDevices = "yes";
+      ProtectKernelModules = "yes";
+      ProtectKernelTunables = "yes";
+    };
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+}

hosts/servo/services/ipfs.nix

@@ -14,18 +14,18 @@
   ];
   # services.ipfs.enable = true;
   services.kubo.localDiscovery = true;
-  services.kubo.swarmAddress = [
-    # "/dns4/ipfs.uninsane.org/tcp/4001"
-    # "/ip4/0.0.0.0/tcp/4001"
-    "/dns4/ipfs.uninsane.org/udp/4001/quic"
-    "/ip4/0.0.0.0/udp/4001/quic"
-  ];
-  services.kubo.extraConfig = {
+  services.kubo.settings = {
     Addresses = {
       Announce = [
         # "/dns4/ipfs.uninsane.org/tcp/4001"
         "/dns4/ipfs.uninsane.org/udp/4001/quic"
       ];
+      Swarm = [
+        # "/dns4/ipfs.uninsane.org/tcp/4001"
+        # "/ip4/0.0.0.0/tcp/4001"
+        "/dns4/ipfs.uninsane.org/udp/4001/quic"
+        "/ip4/0.0.0.0/udp/4001/quic"
+      ];
     };
     Gateway = {
       # the gateway can only be used to serve content already replicated on this host

hosts/servo/services/nginx.nix

@@ -1,17 +1,50 @@
 # docs: https://nixos.wiki/wiki/Nginx
 { config, pkgs, ... }:
 
+let
+  # make the logs for this host "public" so that they show up in e.g. metrics
+  publog = vhost: vhost // {
+    extraConfig = (vhost.extraConfig or "") + ''
+      access_log /var/log/nginx/public.log vcombined;
+    '';
+  };
+
+  kTLS = true;  # in-kernel TLS for better perf
+in
 {
   services.nginx.enable = true;
+  services.nginx.appendConfig = ''
+    # use 1 process per core.
+    # may want to increase worker_connections too, but `ulimit -n` must be increased first.
+    worker_processes auto;
+  '';
+
+  # this is the standard `combined` log format, with the addition of $host
+  # so that we have the virtualHost in the log.
+  # KEEP IN SYNC WITH GOACCESS
+  # goaccess calls this VCOMBINED:
+  # - <https://gist.github.com/jyap808/10570005>
+  services.nginx.commonHttpConfig = ''
+    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
+    access_log /var/log/nginx/private.log vcombined;
+  '';
+  # sets gzip_comp_level = 5
+  services.nginx.recommendedGzipSettings = true;
+  # enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
+  # caches TLS sessions for 10m
+  services.nginx.recommendedTlsSettings = true;
+  # enables sendfile, tcp_nopush, tcp_nodelay, keepalive_timeout 65
+  services.nginx.recommendedOptimisation = true;
 
   # web blog/personal site
-  services.nginx.virtualHosts."uninsane.org" = {
+  services.nginx.virtualHosts."uninsane.org" = publog {
     root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
     # a lot of places hardcode https://uninsane.org,
     # and then when we mix http + non-https, we get CORS violations
     # and things don't look right. so force SSL.
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
     # yes, nginx does not strip the prefix when evaluating against the root.
@@ -57,10 +90,32 @@
     # };
   };
 
-  # Pleroma server and web interface
-  services.nginx.virtualHosts."fed.uninsane.org" = {
+  # server statistics
+  services.nginx.virtualHosts."sink.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
+    root = "/var/lib/uninsane/sink";
+
+    locations."/ws" = {
+      proxyPass = "http://127.0.0.1:7890";
+      # XXX not sure how much of this is necessary
+      extraConfig = ''
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_buffering off;
+        proxy_read_timeout 7d;
+      '';
+    };
+
+  };
+
+  # Pleroma server and web interface
+  services.nginx.virtualHosts."fed.uninsane.org" = publog {
+    forceSSL = true;  # pleroma redirects to https anyway
+    enableACME = true;
+    inherit kTLS;
     locations."/" = {
       proxyPass = "http://127.0.0.1:4000";
       # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
@@ -102,6 +157,7 @@
     # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9091";
       proxyPass = "http://10.0.1.6:9091";
@@ -112,6 +168,7 @@
   services.nginx.virtualHosts."jackett.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9117";
       proxyPass = "http://10.0.1.6:9117";
@@ -119,9 +176,10 @@
   };
 
   # matrix chat server
-  services.nginx.virtualHosts."matrix.uninsane.org" = {
+  services.nginx.virtualHosts."matrix.uninsane.org" = publog {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     # TODO colin: replace this with something helpful to the viewer
     # locations."/".extraConfig = ''
@@ -148,6 +206,7 @@
   services.nginx.virtualHosts."web.matrix.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     root = pkgs.element-web.override {
       conf = {
@@ -160,9 +219,10 @@
   };
 
   # hosted git (web view and for `git <cmd>` use
-  services.nginx.virtualHosts."git.uninsane.org" = {
-    addSSL = true;
+  services.nginx.virtualHosts."git.uninsane.org" = publog {
+    forceSSL = true;  # gitea complains if served over a different protocol than its config file says
     enableACME = true;
+    inherit kTLS;
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:3000";
@@ -174,6 +234,7 @@
   services.nginx.virtualHosts."jelly.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:8096";
@@ -220,12 +281,14 @@
   services.nginx.virtualHosts."music.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/".proxyPass = "http://127.0.0.1:4533";
   };
 
   services.nginx.virtualHosts."rss.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     # the routing is handled by freshrss.nix
   };
 
@@ -234,6 +297,7 @@
     # ideally we'd disable ssl entirely, but some places assume it?
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     default = true;
 
@@ -259,6 +323,7 @@
   services.nginx.virtualHosts."nixcache.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     # serverAliases = [ "nixcache" ];
     locations."/".extraConfig = ''
       proxy_pass http://localhost:${toString config.services.nix-serve.port};
@@ -276,6 +341,5 @@
   sane.impermanence.service-dirs = [
     # TODO: mode?
     { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
-    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
   ];
 }

hosts/servo/services/pleroma.nix

@@ -1,4 +1,6 @@
-# docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+# docs:
+# - https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+# - https://docs.pleroma.social/backend/configuration/cheatsheet/
 #
 # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
 { config, pkgs, ... }:
@@ -48,16 +50,19 @@
       redirect_on_failure: true
       #base_url: "https://cache.pleroma.social"
 
+    # see for reference:
+    # - `force_custom_plan`: <https://docs.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans>
     config :pleroma, Pleroma.Repo,
       adapter: Ecto.Adapters.Postgres,
       username: "pleroma",
       database: "pleroma",
       hostname: "localhost",
       pool_size: 10,
-      prepare: :named,
       parameters: [
           plan_cache_mode: "force_custom_plan"
       ]
+    # XXX: prepare: :named is needed only for PG <= 12
+    #   prepare: :named,
     #   password: "{secrets.pleroma.db_password}",
 
     # Configure web push notifications
@@ -74,9 +79,10 @@
     config :pleroma, configurable_from_database: false
 
     # strip metadata from uploaded images
-    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool]
+    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation]
 
     # TODO: GET /api/pleroma/captcha is broken
+    # there was a nixpkgs PR to fix this around 2022/10 though.
     config :pleroma, Pleroma.Captcha,
       enabled: false,
       method: Pleroma.Captcha.Native
@@ -109,9 +115,9 @@
 
   systemd.services.pleroma.path = [ 
     # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
-    pkgs.bash 
+    pkgs.bash
     # used by Pleroma to strip geo tags from uploads
-    pkgs.exiftool 
+    pkgs.exiftool
     # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
     pkgs.gawk
     # needed for email operations like password reset

hosts/servo/services/postfix.nix

@@ -20,6 +20,10 @@ in
     # TODO: mode? could be more granular
     { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
     { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
+    { user = "root"; group = "root"; directory = "/var/spool/mail"; }
+    # *probably* don't need these dirs:
+    # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
+    # "/var/lib/dovecot"
   ];
   services.postfix.enable = true;
   services.postfix.hostname = "mx.uninsane.org";

hosts/servo/services/postgres.nix

@@ -17,6 +17,11 @@
   #     LC_CTYPE = "C";
   # '';
 
+  # TODO: perf tuning
+  # - for recommended values see: <https://pgtune.leopard.in.ua/>
+  # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
+  # services.postgresql.settings = { ... }
+
   # daily backups to /var/backup
   services.postgresqlBackup.enable = true;
 

hosts/servo/services/prosody.nix

@@ -0,0 +1,62 @@
+# create users with:
+# - `sudo -u prosody prosodyctl adduser colin@uninsane.org`
+
+{ lib, ... }:
+
+# XXX disabled: doesn't send messages to nixnet.social (only receives them).
+# nixnet runs ejabberd, so revisiting that.
+lib.mkIf false
+{
+  sane.impermanence.service-dirs = [
+    { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    5222  # XMPP client -> server
+    5269  # XMPP server -> server
+    5280  # Prosody HTTP port  (necessary?)
+    5281  # Prosody HTTPS port  (necessary?)
+  ];
+
+  # provide access to certs
+  users.users.prosody.extraGroups = [ "nginx" ];
+
+  security.acme.certs."uninsane.org".extraDomainNames = [
+    "conference.xmpp.uninsane.org"
+    "upload.xmpp.uninsane.org"
+  ];
+
+  services.prosody = {
+    enable = true;
+    admins = [ "colin@uninsane.org" ];
+    # allowRegistration = false;
+    # extraConfig = ''
+    #   s2s_require_encryption = true
+    #   c2s_require_encryption = true
+    # '';
+
+    # extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
+
+    ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
+    ssl.key = "/var/lib/acme/uninsane.org/key.pem";
+
+    muc = [
+      {
+        domain = "conference.xmpp.uninsane.org";
+      }
+    ];
+    uploadHttp.domain = "upload.xmpp.uninsane.org";
+
+    virtualHosts = {
+      localhost = {
+        domain = "localhost";
+        enabled = true;
+      };
+      "uninsane.org" = {
+        domain = "uninsane.org";
+        enabled = true;
+        ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
+        ssl.key = "/var/lib/acme/uninsane.org/key.pem";
+      }; 
+    };
+  };
+}

machines/servo/fs.nix

@@ -1,69 +0,0 @@
-{ ... }:
-
-{
-  # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
-  fileSystems."/" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=755"
-      "size=1G"
-      "defaults"
-    ];
-  };
-  # we need a /tmp for building large nix things
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "size=40G"
-      "mode=777"
-      "defaults"
-    ];
-  };
-
-  fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
-    fsType = "btrfs";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/31D3-40CB";
-    fsType = "vfat";
-  };
-
-
-  # fileSystems."/var/lib/pleroma" = {
-  #   device = "/opt/pleroma";
-  #   options = [ "bind" ];
-  # };
-
-  # in-memory compressed RAM (seems to be dynamically sized)
-  zramSwap = {
-    enable = true;
-  };
-
-  # btrfs doesn't easily support swapfiles
-  # swapDevices = [
-  #   { device = "/nix/persist/swapfile"; size = 4096; }
-  # ];
-
-  # this can be a partition. create with:
-  #   fdisk <dev>
-  #     n
-  #     <default partno>
-  #     <start>
-  #     <end>
-  #     t
-  #     <partno>
-  #     19  # set part type to Linux swap
-  #     w   # write changes
-  #   mkswap -L swap <part>
-  swapDevices = [
-    {
-      label = "swap";
-      # TODO: randomEncryption.enable = true;
-    }
-  ];
-}
-

machines/servo/hardware.nix

@@ -1,75 +0,0 @@
-# this file originates from ‘nixos-generate-config’
-# but has been heavily modified
-{ pkgs, ... }:
-
-{
-  # i changed this becuse linux 5.10 didn't have rpi-400 device tree blob.
-  # nixos-22.05 linux 5.15 DOES have these now.
-  # it should be possible to remove this if desired, but i'm not sure how the rpi-specific kernel differs.
-  # see: https://github.com/raspberrypi/linux
-  boot.kernelPackages = pkgs.linuxPackages_rpi4;
-
-  # raspberryPi boot loader creates extlinux.conf.
-  #   otherwise, enable the generic-extlinux-compatible loader below.
-  # note: THESE ARE MUTUALLY EXCLUSIVE. generic-extlinux-compatible causes uboot to not be built
-
-  boot.initrd.availableKernelModules = [
-    "bcm2711_thermal"
-    "bcm_phy_lib"
-    "brcmfmac"
-    "brcmutil"
-    "broadcom"
-    "clk_raspberrypi"
-    "drm"  # Direct Render Manager
-    "enclosure"  # SCSI ?
-    "fuse"
-    "mdio_bcm_unimac"
-    "pcie_brcmstb"
-    "raspberrypi_cpufreq"
-    "raspberrypi_hwmon"
-    "ses"  # SCSI Enclosure Services
-    "uas"  # USB attached storage
-    "uio"  # userspace IO
-    "uio_pdrv_genirq"
-    "xhci_pci"
-    "xhci_pci_renesas"
-  ];
-  # boot.initrd.compressor = "gzip";  # defaults to zstd
-
-  # ondemand power scaling keeps the cpu at low frequency when idle, and sets to max frequency
-  # when load is detected. (v.s. the "performance" default, which always uses the max frequency)
-  powerManagement.cpuFreqGovernor = "ondemand";
-
-  # XXX colin: this allows one to `systemctl halt` and then not remove power until the HDD has spun down.
-  # however, it doesn't work with reboot because systemd will spin the drive up again to read its reboot bin.
-  # a better solution would be to put the drive behind a powered USB hub (or get a SSD).
-  # systemd.services.diskguard = {
-  #   description = "Safely power off spinning media";
-  #   before = [ "shutdown.target" ];
-  #   wantedBy = [ "sysinit.target" ];
-  #   # old (creates dep loop, but works)
-  #   # before = [ "systemd-remount-fs.service" "shutdown.target" ];
-  #   # wantedBy = [ "systemd-remount-fs.service" ];
-  #   serviceConfig = {
-  #     Type = "oneshot";
-  #     RemainAfterExit = true;
-  #     ExecStart = "${pkgs.coreutils}/bin/true";
-  #     ExecStop = with pkgs; writeScript "diskguard" ''
-  #       #!${bash}/bin/bash
-  #       if ${procps}/bin/pgrep nixos-rebuild ;
-  #       then
-  #         exit 0  # don't halt drives unless we're actually shutting down. maybe better way to do this (check script args?)
-  #       fi
-  #       # ${coreutils}/bin/sync
-  #       # ${util-linux}/bin/mount -o remount,ro /nix/store
-  #       # ${util-linux}/bin/mount -o remount,ro /
-  #       # -S 1 retracts the spindle after 5 seconds of idle
-  #       # -B 1 spins down the drive after <vendor specific duration>
-  #       ${hdparm}/sbin/hdparm -S 1 -B 1 /dev/sda
-  #       # TODO: monitor smartmonctl until disk is idle? or try hdparm -Y
-  #       # ${coreutils}/bin/sleep 20
-  #       # exec ${util-linux}/bin/umount --all -t ext4,vfat,ext2
-  #     '';
-  #   };
-  # };
-}

modules/allocations.nix

@@ -29,7 +29,7 @@ in
     sane.allocations.colin-uid = mkId 1000;
     sane.allocations.guest-uid = mkId 1100;
 
-    # found on all machines
+    # found on all hosts
     sane.allocations.sshd-uid = mkId 2001;  # 997
     sane.allocations.sshd-gid = mkId 2001;  # 997
     sane.allocations.polkituser-gid = mkId 2002;  # 998
@@ -39,15 +39,15 @@ in
     sane.allocations.systemd-oom-uid = mkId 2005;
     sane.allocations.systemd-oom-gid = mkId 2005;
 
-    # found on graphical machines
+    # found on graphical hosts
     sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
 
-    # found on desko machine
+    # found on desko host
     sane.allocations.usbmux-uid = mkId 2204;
     sane.allocations.usbmux-gid = mkId 2204;
 
 
-    # originally found on moby machine
+    # originally found on moby host
     sane.allocations.avahi-uid = mkId 2304;
     sane.allocations.avahi-gid = mkId 2304;
     sane.allocations.colord-uid = mkId 2305;

modules/default.nix

@@ -2,13 +2,13 @@
 
 {
   imports = [
+    ./allocations.nix
     ./gui
-    ./hardware
+    ./home-manager
+    ./packages.nix
     ./image.nix
     ./impermanence.nix
     ./nixcache.nix
-    ./services/duplicity.nix
-    ./services/nixserve.nix
-    ./universal
+    ./services
   ];
 }

modules/gui/default.nix

@@ -8,6 +8,7 @@ in
   imports = [
     ./gnome.nix
     ./phosh.nix
+    ./plasma.nix
     ./plasma-mobile.nix
     ./sway.nix
   ];
@@ -21,8 +22,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    sane.home-packages.enableGuiPkgs = lib.mkDefault true;
-    sane.home-manager.enable = lib.mkDefault true;
+    sane.packages.enableGuiPkgs = lib.mkDefault true;
     # all GUIs use network manager?
     users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
   };

modules/gui/phosh.nix

@@ -69,7 +69,7 @@ in
         NIXOS_OZONE_WL = "1";
       };
 
-      sane.home-manager.extraPackages = with pkgs; [
+      sane.packages.extraUserPkgs = with pkgs; [
         phosh-mobile-settings
 
         # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
@@ -89,19 +89,16 @@ in
       services.xserver.displayManager.lightdm.extraSeatDefaults = ''
         user-session = phosh
       '';
-      services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
-      services.xserver.displayManager.lightdm.greeter = {
-        enable = true;
-        package = pkgs.lightdm-mobile-greeter.xgreeters;
-        name = "lightdm-mobile-greeter";
-      };
-      # services.xserver.displayManager.lightdm.enable = true;
-      # # services.xserver.displayManager.lightdm.greeters.enso.enable = true;  # tried (with reboot); got a mouse then died. next time was black
-      # # services.xserver.displayManager.lightdm.greeters.gtk.enable = true;  # tried (with reboot); unusable without OSK
-      # # services.xserver.displayManager.lightdm.greeters.mini.enable = true;  # tried (with reboot); unusable without OSK
-      # # services.xserver.displayManager.lightdm.greeters.pantheon.enable = true; # tried (no reboot); unusable without OSK
-      # services.xserver.displayManager.lightdm.greeters.slick.enable = true;  # tried; unusable without OSK (a11y -> OSK doesn't work)
-      # # services.xserver.displayManager.lightdm.greeters.tiny.enable = true;  # tried; block screen
+      # services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
+      # services.xserver.displayManager.lightdm.greeter = {
+      #   enable = true;
+      #   package = pkgs.lightdm-mobile-greeter.xgreeters;
+      #   name = "lightdm-mobile-greeter";
+      # };
+      # # services.xserver.displayManager.lightdm.enable = true;
+
+      services.xserver.displayManager.lightdm.enable = true;
+      services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
 
       systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
     })

modules/gui/plasma.nix

@@ -0,0 +1,28 @@
+{ lib, config, ... }:
+
+with lib;
+let
+  cfg = config.sane.gui.plasma;
+in
+{
+  options = {
+    sane.gui.plasma.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sane.gui.enable = true;
+
+    # start plasma on boot
+    services.xserver.enable = true;
+    services.xserver.desktopManager.plasma5.enable = true;
+    services.xserver.displayManager.sddm.enable = true;
+
+    # gnome does networking stuff with networkmanager
+    networking.useDHCP = false;
+    networking.networkmanager.enable = true;
+    networking.wireless.enable = lib.mkForce false;
+  };
+}

modules/gui/sway.nix

@@ -11,6 +11,14 @@ in
       default = false;
       type = types.bool;
     };
+    sane.gui.sway.useGreeter = mkOption {
+      description = ''
+        launch sway via a greeter (like greetd's gtkgreet).
+        sway is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
   };
   config = mkIf cfg.enable {
     sane.gui.enable = true;
@@ -23,22 +31,31 @@ in
 
     # alternatively, could use SDDM
     services.greetd = let
-      swayConfig = pkgs.writeText "greetd-sway-config" ''
+      swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
         # `-l` activates layer-shell mode.
         exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
       '';
-    in {
-      # greetd source/docs:
-      # - <https://git.sr.ht/~kennylevinsen/greetd>
-      enable = true;
-      settings = {
-        default_session = {
-          command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
+      default_session = {
+        "01" = {
+          # greeter session config
+          command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
           # alternatives:
           # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
           # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
           # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
         };
+        "0" = {
+          # no greeter
+          command = "${pkgs.sway}/bin/sway";
+          user = "colin";
+        };
+      };
+    in {
+      # greetd source/docs:
+      # - <https://git.sr.ht/~kennylevinsen/greetd>
+      enable = true;
+      settings = {
+        default_session = default_session."0${builtins.toString cfg.useGreeter}";
       };
     };
 
@@ -580,7 +597,7 @@ in
       #   }
       # '';
     };
-    sane.home-manager.extraPackages = with pkgs; [
+    sane.packages.extraUserPkgs = with pkgs; [
       swaylock
       swayidle  # (unused)
       wl-clipboard

modules/home-manager/aerc.nix

@@ -0,0 +1,16 @@
+# Terminal UI mail client
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  sops.secrets."aerc_accounts" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../secrets/universal/aerc_accounts.conf;
+    format = "binary";
+  };
+  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+    # aerc TUI mail client
+    xdg.configFile."aerc/accounts.conf".source =
+      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
+  };
+}

modules/home-manager/default.nix

@@ -0,0 +1,226 @@
+# docs:
+#   https://rycee.gitlab.io/home-manager/
+#   https://rycee.gitlab.io/home-manager/options.html
+#   man home-configuration.nix
+#
+
+{ lib, config, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.sane.home-manager;
+  # extract package from `sane.packages.enabledUserPkgs`
+  pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
+  # extract `dir` from `sane.packages.enabledUserPkgs`
+  dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
+  private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
+  feeds = import ./feeds.nix { inherit lib; };
+in
+{
+  imports = [
+    ./aerc.nix
+    ./discord.nix
+    ./firefox.nix
+    ./git.nix
+    ./kitty.nix
+    ./mpv.nix
+    ./nb.nix
+    ./neovim.nix
+    ./ssh.nix
+    ./sublime-music.nix
+    ./vlc.nix
+    ./zsh.nix
+  ];
+
+  options = {
+    sane.home-manager.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    # attributes to copy directly to home-manager's `wayland.windowManager` option
+    sane.home-manager.windowManager = mkOption {
+      default = {};
+      type = types.attrs;
+    };
+
+    # extra attributes to include in home-manager's `programs` option
+    sane.home-manager.programs = mkOption {
+      default = {};
+      type = types.attrs;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sane.impermanence.home-dirs = [
+      "archive"
+      "dev"
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Music"
+      "Pictures"
+      "Videos"
+    ] ++ (dir-list config.sane.packages.enabledUserPkgs);
+
+    home-manager.useGlobalPkgs = true;
+    home-manager.useUserPackages = true;
+
+    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
+    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
+    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+
+      # run `home-manager-help` to access manpages
+      # or `man home-configuration.nix`
+      manual.html.enable = false;  # TODO: set to true later (build failure)
+      manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
+
+      home.packages = pkg-list sysconfig.sane.packages.enabledUserPkgs;
+      wayland.windowManager = cfg.windowManager;
+
+      home.stateVersion = "21.11";
+      home.username = "colin";
+      home.homeDirectory = "/home/colin";
+
+      home.activation = {
+        initKeyring = {
+          after = ["writeBoundary"];
+          before = [];
+          data = "${../../scripts/init-keyring}";
+        };
+      };
+
+
+      home.file = let
+        privates = builtins.listToAttrs (
+          builtins.map (path: {
+            name = path;
+            value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
+          })
+          (private-list sysconfig.sane.packages.enabledUserPkgs)
+        );
+      in {
+        # convenience
+        "knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
+        "nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
+        "Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
+        "Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
+        "Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
+
+        # used by password managers, e.g. unix `pass`
+        ".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
+      } // privates;
+
+      # XDG defines things like ~/Desktop, ~/Downloads, etc.
+      # these clutter the home, so i mostly don't use them.
+      xdg.userDirs = {
+        enable = true;
+        createDirectories = false;  # on headless systems, most xdg dirs are noise
+        desktop = "$HOME/.xdg/Desktop";
+        documents = "$HOME/dev";
+        download = "$HOME/tmp";
+        music = "$HOME/Music";
+        pictures = "$HOME/Pictures";
+        publicShare = "$HOME/.xdg/Public";
+        templates = "$HOME/.xdg/Templates";
+        videos = "$HOME/Videos";
+      };
+
+      # the xdg mime type for a file can be found with:
+      # - `xdg-mime query filetype path/to/thing.ext`
+      xdg.mimeApps.enable = true;
+      xdg.mimeApps.defaultApplications = let
+        www = sysconfig.sane.web-browser.desktop;
+        pdf = "org.gnome.Evince.desktop";
+        md = "obsidian.desktop";
+        thumb = "org.gnome.gThumb.desktop";
+        video = "vlc.desktop";
+        # audio = "mpv.desktop";
+        audio = "vlc.desktop";
+      in {
+        # HTML
+        "text/html" = [ www ];
+        "x-scheme-handler/http" = [ www ];
+        "x-scheme-handler/https" = [ www ];
+        "x-scheme-handler/about" = [ www ];
+        "x-scheme-handler/unknown" = [ www ];
+        # RICH-TEXT DOCUMENTS
+        "application/pdf" = [ pdf ];
+        "text/markdown" = [ md ];
+        # IMAGES
+        "image/heif" = [ thumb ];  # apple codec
+        "image/png" = [ thumb ];
+        "image/jpeg" = [ thumb ];
+        # VIDEO
+        "video/mp4" = [ video ];
+        "video/quicktime" = [ video ];
+        "video/x-matroska" = [ video ];
+        # AUDIO
+        "audio/flac" = [ audio ];
+        "audio/mpeg" = [ audio ];
+        "audio/x-vorbis+ogg" = [ audio ];
+      };
+
+      # libreoffice: disable first-run stuff
+      xdg.configFile."libreoffice/4/user/registrymodifications.xcu".text = ''
+        <?xml version="1.0" encoding="UTF-8"?>
+        <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+          <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
+          <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
+        </oor:items>
+      '';
+      # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
+      # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+
+
+
+      xdg.configFile."gpodderFeeds.opml".text = with feeds;
+        feedsToOpml feeds.podcasts;
+
+      # news-flash RSS viewer
+      xdg.configFile."newsflashFeeds.opml".text = with feeds;
+        feedsToOpml (feeds.texts ++ feeds.images);
+
+      # gnome feeds RSS viewer
+      xdg.configFile."org.gabmus.gfeeds.json".text =
+      let
+        myFeeds = feeds.texts ++ feeds.images;
+      in builtins.toJSON {
+        # feed format is a map from URL to a dict,
+        #   with dict["tags"] a list of string tags.
+        feeds = builtins.foldl' (acc: feed: acc // {
+          "${feed.url}".tags = [ feed.cat feed.freq ];
+        }) {} myFeeds;
+        dark_reader = false;
+        new_first = true;
+        # windowsize = {
+        #   width = 350;
+        #   height = 650;
+        # };
+        max_article_age_days = 90;
+        enable_js = false;
+        max_refresh_threads = 3;
+        # saved_items = {};
+        # read_items = [];
+        show_read_items = true;
+        full_article_title = true;
+        # views: "webview", "reader", "rsscont"
+        default_view = "rsscont";
+        open_links_externally = true;
+        full_feed_name = false;
+        refresh_on_startup = true;
+        tags = lib.lists.unique (
+          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
+        );
+        open_youtube_externally = false;
+        media_player = "vlc";  # default: mpv
+      };
+
+      programs = {
+        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
+        # "command not found" will cause the command to be searched in nixpkgs
+        nix-index.enable = true;
+      } // cfg.programs;
+    };
+  };
+}

modules/home-manager/discord.nix

@@ -0,0 +1,12 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  # TODO: this should only be enabled on gui devices
+  # make Discord usable even when client is "outdated"
+  home-manager.users.colin.xdg.configFile."discord/settings.json".text = ''
+    {
+      "SKIP_HOST_UPDATE": true
+    }
+  '';
+}

modules/home-manager/feeds.nix

@@ -18,10 +18,14 @@ let
   podcast = { format = "podcast"; };
 
   mkRss = format: url: { inherit url format; } // uncat // infrequent;
+  # format-specific helpers
   mkText = mkRss text;
   mkImg = mkRss image;
   mkPod = mkRss podcast;
 
+  # host-specific helpers
+  mkSubstack = subdomain: mkText "https://${subdomain}.substack.com/feed";
+
   # merge the attrs `new` into each value of the attrs `addTo`
   addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
   # for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
@@ -57,6 +61,8 @@ in rec {
     (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
     ## 60 minutes (NB: this features more than *just* audio?)
     (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
+    ## The Verge - Decoder
+    (mkPod "https://feeds.megaphone.fm/recodedecode" // tech // weekly)
   ];
 
   texts = [
@@ -75,6 +81,7 @@ in rec {
     (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
 
     # DEVELOPERS
+    (mkText "https://uninsane.org/atom.xml" // infrequent // tech)
     (mkText "https://mg.lol/blog/rss/" // infrequent // tech)
     ## Ken Shirriff
     (mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
@@ -88,8 +95,11 @@ in rec {
     (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
     (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
     (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
+    (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
+    (mkText "https://www.jefftk.com/news.rss" // tech // daily)
 
     # (TECH; POL) COMMENTATORS
+    (mkSubstack "edwardsnowden" // pol // infrequent)
     (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
     ## Ben Thompson
     (mkText "https://www.stratechery.com/rss" // pol // weekly)
@@ -98,15 +108,15 @@ in rec {
     (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
     (mkText "https://www.lynalden.com/feed" // pol // infrequent)
     (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
-    (mkText "https://oversharing.substack.com/feed" // pol // daily)
-    (mkText "https://doomberg.substack.com/feed" // tech // weekly)
+    (mkSubstack "oversharing" // pol // daily)
+    (mkSubstack "doomberg" // tech // weekly)
     ## David Rosenthal
     (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
     ## Matt Levine
     (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
 
     # RATIONALITY/PHILOSOPHY/ETC
-    (mkText "https://samkriss.substack.com/feed" // humor // infrequent)
+    (mkSubstack "samkriss" // humor // infrequent)
     (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
     (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
     (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
@@ -117,7 +127,7 @@ in rec {
     ## Robin Hanson
     (mkText "https://www.overcomingbias.com/feed" // rat // daily)
     ## Scott Alexander
-    (mkText "https://astralcodexten.substack.com/feed.xml" // rat // daily)
+    (mkSubstack "astralcodexten" // rat // daily)
     ## Paul Christiano
     (mkText "https://sideways-view.com/feed" // rat // infrequent)
     ## Sean Carroll

modules/home-manager/firefox.nix

@@ -0,0 +1,139 @@
+# common settings to toggle (at runtime, in about:config):
+#   > security.ssl.require_safe_negotiation
+
+# librewolf is a forked firefox which patches firefox to allow more things
+# (like default search engines) to be configurable at runtime.
+# many of the settings below won't have effect without those patches.
+# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
+
+{ config, lib, pkgs, ...}:
+with lib;
+let
+  cfg = config.sane.web-browser;
+  # allow easy switching between firefox and librewolf with `defaultSettings`, below
+  librewolfSettings = {
+    browser = pkgs.librewolf-unwrapped;
+    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
+    #   # this allows side-loading unsigned addons
+    #   MOZ_REQUIRE_SIGNING = false;
+    # });
+    libName = "librewolf";
+    dotDir = ".librewolf";
+    desktop = "librewolf.desktop";
+  };
+  firefoxSettings = {
+    browser = pkgs.firefox-esr-unwrapped;
+    libName = "firefox";
+    dotDir = ".mozilla/firefox";
+    desktop = "firefox.desktop";
+  };
+  defaultSettings = firefoxSettings;
+  # defaultSettings = librewolfSettings;
+
+  package = pkgs.wrapFirefox cfg.browser {
+    # inherit the default librewolf.cfg
+    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
+    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
+    inherit (cfg) libName;
+
+    extraNativeMessagingHosts = [ pkgs.browserpass ];
+    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
+
+    nixExtensions = let
+      addon = name: extid: hash: pkgs.fetchFirefoxAddon {
+        inherit name hash;
+        url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
+        fixedExtid = extid;
+      };
+      localAddon = pkg: pkgs.fetchFirefoxAddon {
+        inherit (pkg) name;
+        src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
+        fixedExtid = pkg.extid;
+      };
+    in [
+      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-C+VQyaJ8BA0ErXGVTdnppJZ6J9SP+izf6RFxdS4VJoU=")
+      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-au5GGn22n4i6VrdOKqNMOrWdMoVCcpLdjO2wwRvyx7E=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-m14onUlnpLDPHezA/soKygcc76tF1fLG52tM/LkbAXQ=")
+      (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
+      (addon "ether-metamask" "webextension@metamask.io" "sha256-dnpwKpNF0KgHMAlz5btkkZySjMsnrXECS35ClkD2XHc=")
+      # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
+      (localAddon pkgs.browserpass-extension)
+    ];
+
+    extraPolicies = {
+      NoDefaultBookmarks = true;
+      SearchEngines = {
+        Default = "DuckDuckGo";
+      };
+      AppUpdateURL = "https://localhost";
+      DisableAppUpdate = true;
+      OverrideFirstRunPage = "";
+      OverridePostUpdatePage = "";
+      DisableSystemAddonUpdate = true;
+      DisableFirefoxStudies = true;
+      DisableTelemetry = true;
+      DisableFeedbackCommands = true;
+      DisablePocket = true;
+      DisableSetDesktopBackground = false;
+
+      # remove many default search providers
+      # XXX this seems to prevent the `nixExtensions` from taking effect
+      # Extensions.Uninstall = [
+      #   "google@search.mozilla.org"
+      #   "bing@search.mozilla.org"
+      #   "amazondotcom@search.mozilla.org"
+      #   "ebay@search.mozilla.org"
+      #   "twitter@search.mozilla.org"
+      # ];
+      # XXX doesn't seem to have any effect...
+      # docs: https://github.com/mozilla/policy-templates#homepage
+      # Homepage = {
+      #   HomepageURL = "https://uninsane.org/";
+      #   StartPage = "homepage";
+      # };
+      # NewTabPage = true;
+    };
+  };
+in
+{
+  options = {
+    sane.web-browser = mkOption {
+      default = defaultSettings;
+      type = types.attrs;
+    };
+  };
+  config = lib.mkIf config.sane.home-manager.enable {
+    # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
+    home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
+      programs.firefox = {
+        enable = true;
+        inherit package;
+      };
+
+      # uBlock filter list configuration.
+      # specifically, enable the GDPR cookie prompt blocker.
+      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
+      # this configuration method is documented here:
+      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
+      # the specific attribute path is found via scraping ublock code here:
+      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
+      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
+      home.file."${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json".text = ''
+        {
+         "name": "uBlock0@raymondhill.net",
+         "description": "ignored",
+         "type": "storage",
+         "data": {
+            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
+         }
+        }
+      '';
+      home.file."${cfg.dotDir}/${cfg.libName}.overrides.cfg".text = ''
+        // if we can't query the revocation status of a SSL cert because the issuer is offline,
+        // treat it as unrevoked.
+        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+        defaultPref("security.OCSP.require", false);
+      '';
+    };
+  };
+}

modules/home-manager/git.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin.programs.git = {
+    enable = true;
+    userName = "colin";
+    userEmail = "colin@uninsane.org";
+
+    aliases = { co = "checkout"; };
+    extraConfig = {
+      # difftastic docs:
+      # - <https://difftastic.wilfred.me.uk/git.html>
+      diff.tool = "difftastic";
+      difftool.prompt = false;
+      "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
+      # now run `git difftool` to use difftastic git
+    };
+  };
+}

modules/home-manager/kitty.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin.programs.kitty = {
+    enable = true;
+    # docs: https://sw.kovidgoyal.net/kitty/conf/
+    settings = {
+      # disable terminal bell (when e.g. you backspace too many times)
+      enable_audio_bell = false;
+    };
+    keybindings = {
+      "ctrl+n" = "new_os_window_with_cwd";
+    };
+    # docs: https://github.com/kovidgoyal/kitty-themes
+    # theme = "1984 Light";  # dislike: awful, harsh blues/teals
+    # theme = "Adventure Time";  # dislike: harsh (dark)
+    # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
+    # theme = "Belafonte Day";  # dislike: too low contrast for text colors
+    # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
+    # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
+    # theme = "Desert";  # mediocre: colors are harsh
+    # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
+    # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
+    # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
+    # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
+    # theme = "kanagawabones";  # better: dark theme. colors are too background-y
+    # theme = "Kaolin Dark";  # dislike: too dark
+    # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
+    # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
+    # theme = "Material"; # decent: light theme, few colors.
+    # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
+    # theme = "Nord";  # mediocre: pale background, low contrast
+    # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
+    theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
+    # theme = "Parasio Dark";  # dislike: too low contrast
+    # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
+    # theme = "Pnevma";  # dislike: too low contrast
+    # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
+    # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
+    # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
+    # theme = "Sea Shells";  # mediocre. not all color combos are readable
+    # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
+    # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
+    # theme = "Sourcerer";  # mediocre: ugly colors
+    # theme = "Space Gray";  # mediocre: too muted
+    # theme = "Space Gray Eighties";  # better: all readable, decent colors
+    # theme = "Spacemacs";  # mediocre: too muted
+    # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
+    # theme = "Srcery";  # better: highly readable. colors are ehhh
+    # theme = "Substrata";  # decent: nice colors, but a bit flat.
+    # theme = "Sundried";  # mediocre: the solar text makes me squint
+    # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
+    # theme = "Tango Light";  # dislike: teal is too grating
+    # theme = "Tokyo Night Day";  # medicore: too muted
+    # theme = "Tokyo Night";  # better: tasteful. a bit flat
+    # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
+    # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
+    # theme = "Urple";  # dislike: weird palette
+    # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
+    # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
+    # theme = "Xcodedark";  # dislike: bad palette
+    # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
+    # theme = "neobones_light"; # better light theme. the background is maybe too muted
+    # theme = "vimbones";
+    # theme = "zenbones_dark";  # mediocre: readable, but meh colors
+    # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
+    # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
+    # extraConfig = "";
+  };
+}

modules/home-manager/mpv.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin.programs.mpv = {
+    enable = true;
+    config = {
+      save-position-on-quit = true;
+      keep-open = "yes";
+    };
+  };
+}
+

modules/home-manager/nb.nix

@@ -0,0 +1,27 @@
+# nb is a CLI-drive Personal Knowledge Manager
+# - <https://xwmx.github.io/nb/>
+#
+# it's pretty opinionated:
+# - autocommits (to git) excessively (disable-able)
+# - inserts its own index files to give deterministic names to files
+#
+# it offers a primitive web-server
+# and it offers some CLI query tools
+
+{ config, lib, pkgs, ... }:
+
+# lib.mkIf config.sane.home-manager.enable
+lib.mkIf false # XXX disabled!
+{
+  sane.packages.extraUserPkgs = [ pkgs.nb ];
+
+  home-manager.users.colin = { config, ... }: {
+    # nb markdown/personal knowledge manager
+    home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
+    home.file.".nb/.current".text = "knowledge";
+    home.file.".nbrc".text = ''
+      # manage with `nb settings`
+      export NB_AUTO_SYNC=0
+    '';
+  };
+}

modules/home-manager/neovim.nix

@@ -0,0 +1,117 @@
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
+
+  home-manager.users.colin.programs.neovim = {
+    # neovim: https://github.com/neovim/neovim
+    enable = true;
+    viAlias = true;
+    vimAlias = true;
+    plugins = with pkgs.vimPlugins; [
+      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
+      # docs: vim-surround: https://github.com/tpope/vim-surround
+      vim-surround
+      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
+      fzf-vim
+      # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
+      ({
+        plugin = tex-conceal-vim;
+        type = "viml";
+        config = ''
+          " present prettier fractions
+          let g:tex_conceal_frac=1
+        '';
+      })
+      ({
+        plugin = vim-SyntaxRange;
+        type = "viml";
+        config = ''
+          " enable markdown-style codeblock highlighting for tex code
+          autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
+          " autocmd Syntax tex set conceallevel=2
+        '';
+      })
+      # nabla renders inline math in any document, but it's buggy.
+      #   https://github.com/jbyuki/nabla.nvim
+      # ({
+      #   plugin = pkgs.nabla;
+      #   type = "lua";
+      #   config = ''
+      #     require'nabla'.enable_virt()
+      #   '';
+      # })
+      # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
+      # docs: https://github.com/nvim-treesitter/nvim-treesitter
+      # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
+      # this is required for tree-sitter to even highlight
+      ({
+        plugin = nvim-treesitter.withAllGrammars;
+        type = "lua";
+        config = ''
+          require'nvim-treesitter.configs'.setup {
+            highlight = {
+              enable = true,
+              -- disable treesitter on Rust so that we can use SyntaxRange
+              -- and leverage TeX rendering in rust projects
+              disable = { "rust", "tex", "latex" },
+              -- disable = { "tex", "latex" },
+              -- true to also use builtin vim syntax highlighting when treesitter fails
+              additional_vim_regex_highlighting = false
+            },
+            incremental_selection = {
+              enable = true,
+              keymaps = {
+                init_selection = "gnn",
+                node_incremental = "grn",
+                mcope_incremental = "grc",
+                node_decremental = "grm"
+              }
+            },
+            indent = {
+              enable = true,
+              disable = {}
+            }
+          }
+
+          vim.o.foldmethod = 'expr'
+          vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
+        '';
+      })
+    ];
+    extraConfig = ''
+      " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
+      " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
+      set mouse=
+
+      " copy/paste to system clipboard
+      set clipboard=unnamedplus
+
+      " screw tabs; always expand them into spaces
+      set expandtab
+
+      " at least don't open files with sections folded by default
+      set nofoldenable
+
+      " allow text substitutions for certain glyphs.
+      " higher number = more aggressive substitution (0, 1, 2, 3)
+      " i only make use of this for tex, but it's unclear how to
+      " apply that *just* to tex and retain the SyntaxRange stuff.
+      set conceallevel=2
+
+      " horizontal rule under the active line
+      " set cursorline
+
+      " highlight trailing space & related syntax errors (doesn't seem to work??)
+      " let c_space_errors=1
+      " let python_space_errors=1
+
+      " enable highlighting of leading/trailing spaces,
+      " and especially tabs
+      " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
+      set list
+      set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
+    '';
+  };
+}

modules/home-manager/ssh.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin = let
+    host = config.networking.hostName;
+    user_pubkey = (import ../pubkeys.nix).users."${host}";
+    known_hosts_text = builtins.concatStringsSep
+      "\n"
+      (builtins.attrValues (import ../pubkeys.nix).hosts);
+  in { config, ...}: {
+    # ssh key is stored in private storage
+    home.file.".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/.ssh/id_ed25519";
+    home.file.".ssh/id_ed25519.pub".text = user_pubkey;
+
+    programs.ssh.enable = true;
+    # this optionally accepts multiple known_hosts paths, separated by space.
+    programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
+  };
+}

modules/home-manager/sublime-music.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  # TODO: this should only be shipped on gui platforms
+  sops.secrets."sublime_music_config" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../secrets/universal/sublime_music_config.json.bin;
+    format = "binary";
+  };
+  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+    # sublime music player
+    xdg.configFile."sublime-music/config.json".source =
+      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
+  };
+}

modules/home-manager/vlc.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
+  let
+    feeds = import ./feeds.nix { inherit lib; };
+    podcastUrls = lib.strings.concatStringsSep "|" (
+      builtins.map (feed: feed.url) feeds.podcasts
+    );
+  in ''
+    [podcast]
+    podcast-urls=${podcastUrls}
+    [core]
+    metadata-network-access=0
+    [qt]
+    qt-privacy-ask=0
+  '';
+}

modules/home-manager/zsh.nix

@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  # we don't need to full zsh dir -- just the history file --
+  # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
+  sane.impermanence.home-dirs = [ ".local/share/zsh" ];
+
+  home-manager.users.colin.programs.zsh = {
+    enable = true;
+    enableSyntaxHighlighting = true;
+    enableVteIntegration = true;
+    history.ignorePatterns = [ "rm *" ];
+    dotDir = ".config/zsh";
+    history.path = "/home/colin/.local/share/zsh/history";
+
+    initExtraBeforeCompInit = ''
+      # p10k instant prompt
+      # run p10k configure to configure, but it can't write out its file :-(
+      POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
+    '';
+    initExtra = ''
+      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
+      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
+      autoload -Uz zmv
+
+      # disable `rm *` confirmations
+      setopt rmstarsilent
+
+      function nd() {
+        mkdir -p "$1";
+        pushd "$1";
+      }
+    '';
+
+    # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+    # see: https://github.com/sorin-ionescu/prezto
+    prezto = {
+      enable = true;
+      pmodules = [
+        "environment"
+        "terminal"
+        "editor"
+        "history"
+        "directory"
+        "spectrum"
+        "utility"
+        "completion"
+        "prompt"
+        "git"
+      ];
+      prompt.theme = "powerlevel10k";
+      utility.safeOps = false;  # disable `mv` confirmation (and supposedly `rm`, too)
+    };
+  };
+
+  home-manager.users.colin.home.shellAliases = {
+    ":q" = "exit";
+    # common typos
+    "cd.." = "cd ..";
+    "cd../" = "cd ../";
+  };
+}

modules/image.nix

@@ -6,6 +6,11 @@ let
 in
 {
   options = {
+    sane.image.enable = mkOption {
+      default = true;
+      type = types.bool;
+      description = "whether to enable image targets. this doesn't mean they'll be built unless you specifically reference the target.";
+    };
     # packages whose contents should be copied directly into the /boot partition.
     # e.g. EFI loaders, u-boot bootloader, etc.
     sane.image.extraBootFiles = mkOption {

modules/impermanence.nix

@@ -7,6 +7,8 @@
 with lib;
 let
   cfg = config.sane.impermanence;
+  # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
+  secretsForUsers = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
 in
 {
   options = {
@@ -14,10 +16,6 @@ in
       default = false;
       type = types.bool;
     };
-    sane.impermanence.home-files = mkOption {
-      default = [];
-      type = types.listOf types.str;
-    };
     sane.impermanence.home-dirs = mkOption {
       default = [];
       type = types.listOf (types.either types.str (types.attrsOf types.str));
@@ -38,38 +36,17 @@ in
 
     map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
     map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
-    map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
 
-    map-home-files = files: builtins.map (f: {
-      parentDirectory = {
-        user = "colin";
-        group = "users";
-        mode = "0755";
-      };
-      file = "/home/colin/${f}";
-    }) files;
   in mkIf cfg.enable {
     sane.image.extraDirectories = [ "/nix/persist/var/log" ];
     environment.persistence."/nix/persist" = {
-      directories = (map-home-dirs ([
-        # cache is probably too big to fit on the tmpfs
-        # TODO: we could bind-mount it to something which gets cleared per boot, though.
-        ".cache"
-        ".cargo"
-        ".rustup"
-        ".ssh"
-        ".local/share/keyrings"
-        # intentionally omitted:
-        # ".config"  # managed by home-manager
-        # ".local"   # nothing useful in here
-      ] ++ cfg.home-dirs)) ++ (map-sys-dirs [
-        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
+      directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
+        # NB: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
         # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
         # "/etc/nixos"
         # "/etc/ssh"  # persist only the specific files we want, instead
         "/var/log"
         "/var/backup"  # for e.g. postgres dumps
-      ]) ++ (map-service-dirs ([
         # "/var/lib/AccountsService"   # not sure what this is, but it's empty
         "/var/lib/alsa"                # preserve output levels, default devices
         # "/var/lib/blueman"           # files aren't human readable
@@ -93,37 +70,25 @@ in
         # "/var/lib/upower"            # historic charge data. unnecessary, but maybe used somewhere?
         #
         # servo additions:
-        # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
-        # "/var/lib/dovecot"
-        # "/var/lib/duplicity"
-      ] ++ cfg.service-dirs));
-      files = [
-        "/etc/machine-id"
-        "/etc/ssh/ssh_host_ed25519_key"
-        "/etc/ssh/ssh_host_ed25519_key.pub"
-        "/etc/ssh/ssh_host_rsa_key"
-        "/etc/ssh/ssh_host_rsa_key.pub"
-        "/home/colin/.zsh_history"
-        # # XXX these only need persistence because i have mutableUsers = true, i think
-        # "/etc/group"
-        # "/etc/passwd"
-        # "/etc/shadow"
-      ] ++ map-home-files cfg.home-files;
+      ] ++ cfg.service-dirs);
+      # /etc/machine-id is a globally unique identifier used for:
+      # - systemd-networkd: DHCP lease renewal (instead of keying by the MAC address)
+      # - systemd-journald: to filter logs by host
+      # - chromium (potentially to track re-installations)
+      # - gdbus; system services that might upgrade to AF_LOCAL if both services can confirm they're on the same machine
+      # of these, systemd-networkd is the only legitimate case to persist the machine-id.
+      # depersisting it should be "safe"; edge-cases like systemd-networkd can be directed to use some other ID if necessary.
+      # nixos-impermanence shows binding the host ssh priv key to this; i could probably hash the host key into /etc/machine-id if necessary.
+      # files = [ "/etc/machine-id" ];
     };
 
-    systemd.services.sane-sops = {
-      # TODO: it would be better if we could inject the right dependency into setupSecrets instead of patching like this.
-      # /run/current-system/activate contains the precise ordering logic.
-      # it's largely unaware of systemd.
-      # maybe we could insert some activation script which simply waits for /etc/ssh to appear?
-      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
-      script = ''
-      ${config.system.activationScripts.setupSecrets.text}
-      ${config.system.activationScripts.linkIwdKeys.text}
-      '';
-      after = [ "fs-local.target" ];
-      wantedBy = [ "multi-user.target" ];
+    # secret decoding depends on /etc/ssh keys, which may be persisted
+    system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
+    system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {
+      deps = [ "persist-ssh-host-keys" ];
     };
+    # populated by ssh.nix, which persists /etc/ssh/host_keys
+    system.activationScripts.persist-ssh-host-keys.text = lib.mkDefault "";
   };
 }
 

modules/nixcache.nix

@@ -1,3 +1,13 @@
+# speed up builds from e.g. moby or lappy by having them query desko and servo first.
+# if one of these hosts is offline, instead manually specify just cachix:
+# - `nixos-rebuild --option substituters https://cache.nixos.org/`
+#
+# future improvements:
+# - apply for community arm build box:
+#   - <https://github.com/nix-community/aarch64-build-box>
+# - don't require all substituters to be online:
+#   - <https://github.com/NixOS/nix/pull/7188>
+
 { lib, config, ... }:
 
 with lib;
@@ -10,22 +20,28 @@ in
       default = false;
       type = types.bool;
     };
-  };
-
-  config = mkIf cfg.enable {
-    # use our own binary cache
-    nix.settings = {
-      substituters = [
-        "https://nixcache.uninsane.org"
-        "http://desko:5000"
-        "https://nix-community.cachix.org"
-        "https://cache.nixos.org/"
-      ];
-      trusted-public-keys = [
-        "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
-        "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      ];
+    sane.nixcache.enable-trusted-keys = mkOption {
+      default = config.sane.nixcache.enable;
+      type = types.bool;
     };
   };
+
+  config = {
+    # use our own binary cache
+    # to explicitly build from a specific cache (in case others are down):
+    # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
+    # - `nix build ... --substituters http://desko:5000`
+    nix.settings.substituters = mkIf cfg.enable [
+      "https://nixcache.uninsane.org"
+      "http://desko:5000"
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+    ];
+    # always trust our keys (so one can explicitly use a substituter even if it's not the default
+    nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
+      "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
+      "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
 }

modules/packages.nix

@@ -3,13 +3,19 @@
 with lib;
 with pkgs;
 let
-  cfg = config.sane.home-packages;
-  universalPkgs = [
+  cfg = config.sane.packages;
+  consolePkgs = [
     backblaze-b2
     cdrtools
+    dmidecode
     duplicity
+    efivar
+    flashrom
+    fwupd
     gnupg
     gocryptfs
+    gopass
+    gopass-jsonapi
     ifuse
     ipfs
     libimobiledevice
@@ -17,7 +23,7 @@ let
     lm_sensors  # for sensors-detect
     lshw
     ffmpeg
-    nb
+    memtester
     networkmanager
     nixpkgs-review
     # nixos-generators
@@ -27,6 +33,7 @@ let
     # ponymix
     pulsemixer
     python3
+    rsync
     # python3Packages.eyeD3  # music tagging
     sane-scripts
     sequoia
@@ -49,14 +56,18 @@ let
     # GUI only
     aerc  # email client
     audacity
+    celluloid  # mpv frontend
     chromium
     clinfo
+    { pkg = dino; private = ".local/share/dino"; }
     electrum
 
     # creds/session keys, etc
-    { pkg = element-desktop; dir = ".config/Element"; }
-
-    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    { pkg = element-desktop; private = ".config/Element"; }
+    # `emote` will show a first-run dialog based on what's in this directory.
+    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    { pkg = emote; dir = ".local/share/Emote"; }
     evince  # works on phosh
 
     # { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
@@ -67,7 +78,7 @@ let
     # XXX by default fractal stores its state in ~/.local/share/<UUID>.
     # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
     # then reboot (so that libsecret daemon re-loads the keyring...?)
-    { pkg = fractal-next; dir = ".local/share/fractal"; }
+    { pkg = fractal-next; private = ".local/share/fractal"; }
 
     gimp  # broken on phosh
     gnome.cheese
@@ -85,8 +96,10 @@ let
     { pkg = gpodder-configured; dir = "gPodder/Downloads"; }
 
     gthumb
+    handbrake
     inkscape
 
+    kdenlive
     kid3  # audio tagging
     krita
     libreoffice-fresh  # XXX colin: maybe don't want this on mobile
@@ -104,8 +117,11 @@ let
     { pkg = obsidian; dir = ".config/obsidian"; }
 
     pavucontrol
-    picard  # music tagging
+    # picard  # music tagging
     playerctl
+
+    libsForQt5.plasmatube  # Youtube player
+
     soundconverter
     # sublime music persists any downloaded albums here.
     # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
@@ -114,8 +130,10 @@ let
     { pkg = sublime-music; dir = ".local/share/sublime-music"; }
     tdesktop  # broken on phosh
 
+    { pkg = tokodon; dir = ".cache/KDE/tokodon"; }
+
     # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
-    { pkg = vlc; persist-files = [ ".config/vlc/vlc-qt-interface.conf" ]; }
+    { pkg = vlc; dir = ".config/vlc"; }
 
     whalebird # pleroma client. input is broken on phosh
     xdg-utils  # for xdg-open
@@ -132,8 +150,8 @@ let
       nss = pkgs.nss_latest;
     }); in { pkg = discord; dir = ".config/discord"; })
 
-    kaiteki  # Pleroma client
-    gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+    # kaiteki  # Pleroma client
+    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
 
     logseq
     losslesscut-bin
@@ -152,9 +170,44 @@ let
     (tor-browser-bundle-bin.override { useHardenedMalloc = false; })
 
     # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-    { pkg = zecwallet-lite; dir = ".zcash"; }
+    { pkg = zecwallet-lite; private = ".zcash"; }
   ] else []);
 
+  # general-purpose utilities that we want any user to be able to access
+  #   (specifically: root, in case of rescue)
+  systemPkgs = [
+    btrfs-progs
+    cryptsetup
+    dig
+    efibootmgr
+    fatresize
+    fd
+    file
+    gptfdisk
+    hdparm
+    htop
+    iftop
+    inetutils  # for telnet
+    iotop
+    iptables
+    jq
+    killall
+    lsof
+    netcat
+    nethogs
+    nmap
+    openssl
+    parted
+    pciutils
+    powertop
+    ripgrep
+    screen
+    smartmontools
+    socat
+    usbutils
+    wget
+  ];
+
   # useful devtools:
   devPkgs = [
     bison
@@ -165,6 +218,7 @@ let
     # gcc-arm-embedded
     # gcc_multi
     gnumake
+    mercurial
     mix2nix
     rustup
     swig
@@ -172,11 +226,22 @@ let
 in
 {
   options = {
-    sane.home-packages.enableGuiPkgs = mkOption {
+    # packages to deploy to the user's home
+    sane.packages.extraUserPkgs = mkOption {
+      default = [ ];
+      # each entry can be either a package, or attrs:
+      #   { pkg = package; dir = optional string; private = optional string };
+      type = types.listOf (types.either types.package types.attrs);
+    };
+    sane.packages.enableConsolePkgs = mkOption {
       default = false;
       type = types.bool;
     };
-    sane.home-packages.enableDevPkgs = mkOption {
+    sane.packages.enableGuiPkgs = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableDevPkgs = mkOption {
       description = ''
         enable packages that are useful for building other software by hand.
         you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
@@ -184,10 +249,24 @@ in
       default = false;
       type = types.bool;
     };
+    sane.packages.enableSystemPkgs = mkOption {
+      default = false;
+      type = types.bool;
+      description = "enable system-wide packages";
+    };
+
+    sane.packages.enabledUserPkgs = mkOption {
+      default = cfg.extraUserPkgs
+        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
+        ++ (if cfg.enableGuiPkgs then guiPkgs else [])
+        ++ (if cfg.enableDevPkgs then devPkgs else [])
+      ;
+      type = types.listOf (types.either types.package types.attrs);
+      description = "generated from other config options";
+    };
   };
+
   config = {
-    sane.home-manager.extraPackages = universalPkgs
-      ++ (if cfg.enableGuiPkgs then guiPkgs else [])
-      ++ (if cfg.enableDevPkgs then devPkgs else []);
+    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
   };
 }

modules/pubkeys.nix

@@ -0,0 +1,34 @@
+# create ssh key by running:
+# - `ssh-keygen -t ed25519`
+let
+  withHost = host: key: "${host} ${key}";
+  withUser = user: key: "${key} ${user}";
+
+  keys = rec {
+    lappy = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+    };
+    desko = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+    };
+    servo = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+    };
+    moby = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+    };
+
+    "uninsane.org" = servo;
+    "git.uninsane.org" = servo;
+  };
+in {
+  # map hostname -> something suitable for known_keys
+  hosts = builtins.mapAttrs (host: keys: withHost host keys.host) keys;
+  # map hostname -> something suitable for authorized_keys to allow access to colin@<hostname>
+  users = builtins.mapAttrs (host: keys: withUser "colin@${host}" keys.users.colin) keys;
+}
+

modules/services/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./duplicity.nix
+    ./nixserve.nix
+  ];
+}

modules/services/duplicity.nix

@@ -1,5 +1,5 @@
 # docs: https://search.nixos.org/options?channel=21.11&query=duplicity
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 let
@@ -18,8 +18,7 @@ in
     sane.impermanence.service-dirs = [ "/var/lib/duplicity" ];
 
     services.duplicity.enable = true;
-    services.duplicity.targetUrl = ''"$DUPLICITY_URL"'';
-    services.duplicity.escapeUrl = false;
+    services.duplicity.targetUrl = "$DUPLICITY_URL";
     # format: PASSPHRASE=<cleartext> \n DUPLICITY_URL=b2://...
     # two sisters
     # PASSPHRASE: remote backups will be encrypted using this passphrase (using gpg)
@@ -32,29 +31,28 @@ in
     services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
     # NB: manually trigger with `systemctl start duplicity`
     services.duplicity.frequency = "daily";
-    # TODO: this needs updating to handle impermanence changes
-    services.duplicity.exclude = [
-      # impermanent/inconsequential data:
-      "/dev"
-      "/proc"
-      "/run"
-      "/sys"
-      "/tmp"
-      # bind mounted (dupes):
-      "/var/lib"
-      # other mounts
-      "/mnt"
-      # data that's not worth the cost to backup:
-      "/nix/persist/var/lib/uninsane/media"
-      "/nix/persist/home/colin/tmp"
-      "/nix/persist/home/colin/Videos"
-      "/home/colin/tmp"
-      "/home/colin/Videos"
-    ];
 
     services.duplicity.extraFlags = [
       # without --allow-source-mismatch, duplicity will abort if you change the hostname between backups
       "--allow-source-mismatch"
+
+      # includes/exclude ordering matters, so we explicitly control it here.
+      # the first match decides a file's treatment. so here:
+      # - /nix/persist/home/colin/tmp is excluded
+      # - *other* /nix/persist/ files are included by default
+      # - anything else under `/` are excluded by default
+      "--exclude" "/nix/persist/home/colin/dev/home-logic/coremem/out"  # this can reach > 1 TB
+      "--exclude" "/nix/persist/home/colin/use/iso"  # might want to re-enable... but not critical
+      "--exclude" "/nix/persist/home/colin/.local/share/sublime-music"  # music cache. better to just keep the HQ sources
+      "--exclude" "/nix/persist/home/colin/.local/share/Steam"  # can just re-download games
+      "--exclude" "/nix/persist/home/colin/.bitmonero/lmdb"  # monero blockchain
+      "--exclude" "/nix/persist/home/colin/.rustup"
+      "--exclude" "/nix/persist/home/colin/ref"  # publicly available data: no point in duplicating it
+      "--exclude" "/nix/persist/home/colin/tmp"
+      "--exclude" "/nix/persist/home/colin/Videos"
+      "--exclude" "/nix/persist/var/lib/duplicity"  # don't back up our own backup state!
+      "--include" "/nix/persist"
+      "--exclude" "/"
     ];
 
     # set this for the FIRST backup, then remove it to enable incremental backups
@@ -70,5 +68,26 @@ in
         "/dev/mmc0 5M"
       ];
     };
+
+    # based on <nixpkgs:nixos/modules/services/backup/duplicity.nix>  with changes:
+    # - remove the cleanup step: API key doesn't have delete perms
+    # - don't escape the targetUrl: it comes from an env var set in the secret file
+    systemd.services.duplicity.script = let
+      cfg = config.services.duplicity;
+      target = cfg.targetUrl;
+      extra = escapeShellArgs ([ "--archive-dir" "/var/lib/duplicity" ] ++ cfg.extraFlags);
+      dup = "${pkgs.duplicity}/bin/duplicity";
+    in lib.mkForce ''
+      set -x
+      # ${dup} cleanup ${target} --force ${extra}
+      # ${lib.optionalString (cfg.cleanup.maxAge != null) "${dup} remove-older-than ${lib.escapeShellArg cfg.cleanup.maxAge} ${target} --force ${extra}"}
+      # ${lib.optionalString (cfg.cleanup.maxFull != null) "${dup} remove-all-but-n-full ${builtins.toString cfg.cleanup.maxFull} ${target} --force ${extra}"}
+      # ${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-inc-of-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"}
+      exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArg cfg.root} ${target} ${lib.escapeShellArgs ([]
+        ++ concatMap (p: [ "--include" p ]) cfg.include
+        ++ concatMap (p: [ "--exclude" p ]) cfg.exclude
+        ++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ])
+        )} ${extra}
+    '';
   };
 }

modules/services/nixserve.nix

@@ -14,8 +14,8 @@ in
       type = types.bool;
     };
     sane.services.nixserve.sopsFile = mkOption {
-      default = ../../secrets/servo.yaml;
       type = types.path;
+      description = "path to file that contains the nix_serv_privkey secret (can be in VCS)";
     };
   };
 

modules/universal/default.nix

@@ -1,33 +0,0 @@
-{ pkgs, ... }:
-
-{
-  imports = [
-    ./allocations.nix
-    ./env
-    ./fs.nix
-    ./net.nix
-    ./secrets.nix
-    ./users.nix
-    ./vpn.nix
-  ];
-
-  time.timeZone = "America/Los_Angeles";
-
-  fonts = {
-    enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
-    fontconfig.enable = true;
-    fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
-      monospace = [ "Hack" ];
-      serif = [ "DejaVu Serif" ];
-      sansSerif = [ "DejaVu Sans" ];
-    };
-  };
-
-  # allow `nix flake ...` command
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
-}
-

modules/universal/env/default.nix

@@ -1,36 +0,0 @@
-{ pkgs, ... }:
-
-{
-  imports = [
-    ./home-manager.nix
-    ./home-packages.nix
-    ./system-packages.nix
-  ];
-
-  # programs.vim.defaultEditor = true;
-  environment.variables = {
-    EDITOR = "vim";
-    # git claims it should use EDITOR, but it doesn't!
-    GIT_EDITOR = "vim";
-    # TODO: these should be moved to `home.sessionVariables` (home-manager)
-    # Electron apps should use native wayland backend:
-    #   https://nixos.wiki/wiki/Slack#Wayland
-    # Discord under sway crashes with this.
-    # NIXOS_OZONE_WL = "1";
-    # LIBGL_ALWAYS_SOFTWARE = "1";
-  };
-  # enable zsh completions
-  environment.pathsToLink = [ "/share/zsh" ];
-  environment.systemPackages = with pkgs; [
-    # required for pam_mount
-    gocryptfs
-  ];
-
-  security.pam.mount.enable = true;
-  # security.pam.mount.debugLevel = 1;
-  # security.pam.enableSSHAgentAuth = true; # ??
-  # needed for `allow_other` in e.g. gocryptfs mounts
-  # or i guess going through mount.fuse sets suid so that's not necessary?
-  # programs.fuse.userAllowOther = true;
-}
-

modules/universal/env/home-manager.nix

@@ -1,527 +0,0 @@
-# docs:
-#   https://rycee.gitlab.io/home-manager/
-#   https://rycee.gitlab.io/home-manager/options.html
-#   man home-configuration.nix
-#
-
-{ lib, config, pkgs, ... }:
-
-with lib;
-let
-  cfg = config.sane.home-manager;
-  vim-swap-dir = ".cache/vim-swap";
-  # extract package from `extraPackages`
-  pkglist = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
-  # extract `dir` from `extraPackages`
-  dirlist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
-  # extract `persist-files` from `extraPackages`
-  persistfileslist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "persist-files" then e.persist-files else []) pkgspec);
-  # TODO: dirlist and persistfileslist should be folded
-  feeds = import ./feeds.nix { inherit lib; };
-in
-{
-  options = {
-    sane.home-manager.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-
-    # packages to deploy to the user's home
-    sane.home-manager.extraPackages = mkOption {
-      default = [ ];
-      # each entry can be either a package, or attrs:
-      #   { pkg = package; dir = optional string;
-      type = types.listOf (types.either types.package types.attrs);
-    };
-
-    # attributes to copy directly to home-manager's `wayland.windowManager` option
-    sane.home-manager.windowManager = mkOption {
-      default = {};
-      type = types.attrs;
-    };
-
-    # extra attributes to include in home-manager's `programs` option
-    sane.home-manager.programs = mkOption {
-      default = {};
-      type = types.attrs;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    sops.secrets."aerc_accounts" = {
-      owner = config.users.users.colin.name;
-      sopsFile = ../../../secrets/universal/aerc_accounts.conf;
-      format = "binary";
-    };
-    sops.secrets."sublime_music_config" = {
-      owner = config.users.users.colin.name;
-      sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
-      format = "binary";
-    };
-
-    sane.impermanence.home-dirs = [
-      "archive"
-      "dev"
-      "records"
-      "ref"
-      "tmp"
-      "use"
-      "Music"
-      "Pictures"
-      "Videos"
-      vim-swap-dir
-    ] ++ (dirlist cfg.extraPackages);
-    sane.impermanence.home-files = persistfileslist cfg.extraPackages;
-
-    home-manager.useGlobalPkgs = true;
-    home-manager.useUserPackages = true;
-
-    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
-    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
-    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
-
-      # run `home-manager-help` to access manpages
-      # or `man home-configuration.nix`
-      manual.html.enable = true;
-
-      home.packages = pkglist cfg.extraPackages;
-      wayland.windowManager = cfg.windowManager;
-
-      home.stateVersion = "21.11";
-      home.username = "colin";
-      home.homeDirectory = "/home/colin";
-
-      home.activation = {
-        initKeyring = {
-          after = ["writeBoundary"];
-          before = [];
-          data = "${../../../scripts/init-keyring}";
-        };
-      };
-
-      # XDG defines things like ~/Desktop, ~/Downloads, etc.
-      # these clutter the home, so i mostly don't use them.
-      xdg.userDirs = {
-        enable = true;
-        createDirectories = false;  # on headless systems, most xdg dirs are noise
-        desktop = "$HOME/.xdg/Desktop";
-        documents = "$HOME/dev";
-        download = "$HOME/tmp";
-        music = "$HOME/Music";
-        pictures = "$HOME/Pictures";
-        publicShare = "$HOME/.xdg/Public";
-        templates = "$HOME/.xdg/Templates";
-        videos = "$HOME/Videos";
-      };
-
-      # the xdg mime type for a file can be found with:
-      # - `xdg-mime query filetype path/to/thing.ext`
-      xdg.mimeApps.enable = true;
-      xdg.mimeApps.defaultApplications = let
-        www = "librewolf.desktop";
-        pdf = "org.gnome.Evince.desktop";
-        md = "obsidian.desktop";
-        thumb = "org.gnome.gThumb.desktop";
-        video = "vlc.desktop";
-        # audio = "mpv.desktop";
-        audio = "vlc.desktop";
-      in {
-        # HTML
-        "text/html" = [ www ];
-        "x-scheme-handler/http" = [ www ];
-        "x-scheme-handler/https" = [ www ];
-        "x-scheme-handler/about" = [ www ];
-        "x-scheme-handler/unknown" = [ www ];
-        # RICH-TEXT DOCUMENTS
-        "application/pdf" = [ pdf ];
-        "text/markdown" = [ md ];
-        # IMAGES
-        "image/heif" = [ thumb ];  # apple codec
-        "image/png" = [ thumb ];
-        "image/jpeg" = [ thumb ];
-        # VIDEO
-        "video/mp4" = [ video ];
-        "video/quicktime" = [ video ];
-        "video/x-matroska" = [ video ];
-        # AUDIO
-        "audio/flac" = [ audio ];
-        "audio/mpeg" = [ audio ];
-        "audio/x-vorbis+ogg" = [ audio ];
-      };
-
-      # convenience
-      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
-      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
-      home.file."Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
-      home.file."Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
-      home.file."Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
-
-      # nb markdown/personal knowledge manager
-      home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
-      home.file.".nb/.current".text = "knowledge";
-      home.file.".nbrc".text = ''
-        # manage with `nb settings`
-        export NB_AUTO_SYNC=0
-      '';
-
-      # uBlock filter list configuration.
-      # specifically, enable the GDPR cookie prompt blocker.
-      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
-      # this configuration method is documented here:
-      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
-      # the specific attribute path is found via scraping ublock code here:
-      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
-      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-      home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
-        {
-         "name": "uBlock0@raymondhill.net",
-         "description": "ignored",
-         "type": "storage",
-         "data": {
-            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
-         }
-        }
-      '';
-      home.file.".librewolf/librewolf.overrides.cfg".text = ''
-        // if we can't query the revocation status of a SSL cert because the issuer is offline,
-        // treat it as unrevoked.
-        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
-        defaultPref("security.OCSP.require", false);
-      '';
-
-      # aerc TUI mail client
-      xdg.configFile."aerc/accounts.conf".source =
-        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
-
-      # make Discord usable even when client is "outdated"
-      xdg.configFile."discord/settings.json".text = ''
-      {
-        "SKIP_HOST_UPDATE": true
-      }
-      '';
-
-      # sublime music player
-      xdg.configFile."sublime-music/config.json".source =
-        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
-
-      xdg.configFile."vlc/vlcrc".text =
-      let
-        podcastUrls = lib.strings.concatStringsSep "|" (
-          builtins.map (feed: feed.url) feeds.podcasts
-        );
-      in ''
-        [podcast]
-        podcast-urls=${podcastUrls}
-        [core]
-        metadata-network-access=0
-        [qt]
-        qt-privacy-ask=0
-      '';
-
-      xdg.configFile."gpodderFeeds.opml".text = with feeds;
-        feedsToOpml feeds.podcasts;
-
-      # news-flash RSS viewer
-      xdg.configFile."newsflashFeeds.opml".text = with feeds;
-        feedsToOpml (feeds.texts ++ feeds.images);
-
-      # gnome feeds RSS viewer
-      xdg.configFile."org.gabmus.gfeeds.json".text =
-      let
-        myFeeds = feeds.texts ++ feeds.images;
-      in builtins.toJSON {
-        # feed format is a map from URL to a dict,
-        #   with dict["tags"] a list of string tags.
-        feeds = builtins.foldl' (acc: feed: acc // {
-          "${feed.url}".tags = [ feed.cat feed.freq ];
-        }) {} myFeeds;
-        dark_reader = false;
-        new_first = true;
-        # windowsize = {
-        #   width = 350;
-        #   height = 650;
-        # };
-        max_article_age_days = 90;
-        enable_js = false;
-        max_refresh_threads = 3;
-        # saved_items = {};
-        # read_items = [];
-        show_read_items = true;
-        full_article_title = true;
-        # views: "webview", "reader", "rsscont"
-        default_view = "rsscont";
-        open_links_externally = true;
-        full_feed_name = false;
-        refresh_on_startup = true;
-        tags = lib.lists.unique (
-          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
-        );
-        open_youtube_externally = false;
-        media_player = "vlc";  # default: mpv
-      };
-
-      programs = {
-        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
-
-        zsh = {
-          enable = true;
-          enableSyntaxHighlighting = true;
-          enableVteIntegration = true;
-          history.ignorePatterns = [ "rm *" ];
-          # history.path = TODO
-          dotDir = ".config/zsh";
-
-          initExtraBeforeCompInit = ''
-            # p10k instant prompt
-            # run p10k configure to configure, but it can't write out its file :-(
-            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
-          '';
-          initExtra = ''
-            # zmv is a way to do rich moves/renames, with pattern matching/substitution.
-            # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
-            autoload -Uz zmv
-          '';
-
-          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
-          # see: https://github.com/sorin-ionescu/prezto
-          prezto = {
-            enable = true;
-            pmodules = [
-              "environment"
-              "terminal"
-              "editor"
-              "history"
-              "directory"
-              "spectrum"
-              "utility"
-              "completion"
-              "prompt"
-              "git"
-            ];
-            prompt = {
-              theme = "powerlevel10k";
-            };
-          };
-        };
-
-        kitty = {
-          enable = true;
-          # docs: https://sw.kovidgoyal.net/kitty/conf/
-          settings = {
-            # disable terminal bell (when e.g. you backspace too many times)
-            enable_audio_bell = false;
-          };
-          keybindings = {
-            "ctrl+n" = "new_os_window_with_cwd";
-          };
-          # docs: https://github.com/kovidgoyal/kitty-themes
-          # theme = "1984 Light";  # dislike: awful, harsh blues/teals
-          # theme = "Adventure Time";  # dislike: harsh (dark)
-          # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
-          # theme = "Belafonte Day";  # dislike: too low contrast for text colors
-          # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
-          # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
-          # theme = "Desert";  # mediocre: colors are harsh
-          # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
-          # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
-          # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
-          # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
-          # theme = "kanagawabones";  # better: dark theme. colors are too background-y
-          # theme = "Kaolin Dark";  # dislike: too dark
-          # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
-          # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
-          # theme = "Material"; # decent: light theme, few colors.
-          # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
-          # theme = "Nord";  # mediocre: pale background, low contrast
-          # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
-          theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
-          # theme = "Parasio Dark";  # dislike: too low contrast
-          # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
-          # theme = "Pnevma";  # dislike: too low contrast
-          # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
-          # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
-          # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
-          # theme = "Sea Shells";  # mediocre. not all color combos are readable
-          # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
-          # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
-          # theme = "Sourcerer";  # mediocre: ugly colors
-          # theme = "Space Gray";  # mediocre: too muted
-          # theme = "Space Gray Eighties";  # better: all readable, decent colors
-          # theme = "Spacemacs";  # mediocre: too muted
-          # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
-          # theme = "Srcery";  # better: highly readable. colors are ehhh
-          # theme = "Substrata";  # decent: nice colors, but a bit flat.
-          # theme = "Sundried";  # mediocre: the solar text makes me squint
-          # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
-          # theme = "Tango Light";  # dislike: teal is too grating
-          # theme = "Tokyo Night Day";  # medicore: too muted
-          # theme = "Tokyo Night";  # better: tasteful. a bit flat
-          # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
-          # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
-          # theme = "Urple";  # dislike: weird palette
-          # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
-          # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
-          # theme = "Xcodedark";  # dislike: bad palette
-          # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
-          # theme = "neobones_light"; # better light theme. the background is maybe too muted
-          # theme = "vimbones";
-          # theme = "zenbones_dark";  # mediocre: readable, but meh colors
-          # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
-          # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
-          # extraConfig = "";
-        };
-
-        git = {
-          enable = true;
-          userName = "colin";
-          userEmail = "colin@uninsane.org";
-
-          aliases = { co = "checkout"; };
-          extraConfig = {
-            # difftastic docs:
-            # - <https://difftastic.wilfred.me.uk/git.html>
-            diff.tool = "difftastic";
-            difftool.prompt = false;
-            "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
-            # now run `git difftool` to use difftastic git
-          };
-        };
-
-        neovim = {
-          # neovim: https://github.com/neovim/neovim
-          enable = true;
-          viAlias = true;
-          vimAlias = true;
-          plugins = with pkgs.vimPlugins; [
-            # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
-            # docs: vim-surround: https://github.com/tpope/vim-surround
-            vim-surround
-            # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
-            fzf-vim
-            # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
-            ({
-              plugin = tex-conceal-vim;
-              type = "viml";
-              config = ''
-                " present prettier fractions
-                let g:tex_conceal_frac=1
-              '';
-            })
-            ({
-              plugin = vim-SyntaxRange;
-              type = "viml";
-              config = ''
-                " enable markdown-style codeblock highlighting for tex code
-                autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
-                " autocmd Syntax tex set conceallevel=2
-              '';
-            })
-            # nabla renders inline math in any document, but it's buggy.
-            #   https://github.com/jbyuki/nabla.nvim
-            # ({
-            #   plugin = pkgs.nabla;
-            #   type = "lua";
-            #   config = ''
-            #     require'nabla'.enable_virt()
-            #   '';
-            # })
-            # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
-            # docs: https://github.com/nvim-treesitter/nvim-treesitter
-            # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
-            # this is required for tree-sitter to even highlight
-            ({
-              plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
-              type = "lua";
-              config = ''
-                require'nvim-treesitter.configs'.setup {
-                  highlight = {
-                    enable = true,
-                    -- disable treesitter on Rust so that we can use SyntaxRange
-                    -- and leverage TeX rendering in rust projects
-                    disable = { "rust", "tex", "latex" },
-                    -- disable = { "tex", "latex" },
-                    -- true to also use builtin vim syntax highlighting when treesitter fails
-                    additional_vim_regex_highlighting = false
-                  },
-                  incremental_selection = {
-                    enable = true,
-                    keymaps = {
-                      init_selection = "gnn",
-                      node_incremental = "grn",
-                      mcope_incremental = "grc",
-                      node_decremental = "grm"
-                    }
-                  },
-                  indent = {
-                    enable = true,
-                    disable = {}
-                  }
-                }
-
-                vim.o.foldmethod = 'expr'
-                vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
-              '';
-            })
-          ];
-          extraConfig = ''
-            " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
-            " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
-            set mouse=
-
-            " copy/paste to system clipboard
-            set clipboard=unnamedplus
-
-            " screw tabs; always expand them into spaces
-            set expandtab
-
-            " at least don't open files with sections folded by default
-            set nofoldenable
-
-            " allow text substitutions for certain glyphs.
-            " higher number = more aggressive substitution (0, 1, 2, 3)
-            " i only make use of this for tex, but it's unclear how to
-            " apply that *just* to tex and retain the SyntaxRange stuff.
-            set conceallevel=2
-
-            " horizontal rule under the active line
-            " set cursorline
-
-            " highlight trailing space & related syntax errors (doesn't seem to work??)
-            " let c_space_errors=1
-            " let python_space_errors=1
-
-            " enable highlighting of leading/trailing spaces,
-            " and especially tabs
-            " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
-            set list
-            set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
-          '';
-        };
-
-        # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
-        firefox = lib.mkIf (sysconfig.sane.gui.enable) {
-          enable = true;
-          package = import ./web-browser.nix pkgs;
-        };
-
-        mpv = {
-          enable = true;
-          config = {
-            save-position-on-quit = true;
-            keep-open = "yes";
-          };
-        };
-
-        # "command not found" will cause the command to be searched in nixpkgs
-        nix-index.enable = true;
-      } // cfg.programs;
-
-      home.shellAliases = {
-        ":q" = "exit";
-        # common typos
-        "cd.." = "cd ..";
-        "cd../" = "cd ../";
-      };
-    };
-  };
-}

modules/universal/env/system-packages.nix

@@ -1,38 +0,0 @@
-{ pkgs, ... }:
-{
-  # general-purpose utilities that we want any user to be able to access
-  #   (specifically: root, in case of rescue)
-  environment.systemPackages = with pkgs; [
-    btrfs-progs
-    cryptsetup
-    dig
-    efibootmgr
-    fatresize
-    fd
-    file
-    gptfdisk
-    hdparm
-    htop
-    iftop
-    inetutils  # for telnet
-    iotop
-    iptables
-    jq
-    killall
-    lsof
-    netcat
-    nethogs
-    nmap
-    openssl
-    parted
-    pciutils
-    powertop
-    ripgrep
-    screen
-    smartmontools
-    socat
-    usbutils
-    wget
-  ];
-}
-

modules/universal/env/web-browser.nix

@@ -1,55 +0,0 @@
-pkgs:
-
-# common settings to toggle (at runtime, in about:config):
-#   > security.ssl.require_safe_negotiation
-
-# librewolf is a forked firefox which patches firefox to allow more things
-# (like default search engines) to be configurable at runtime.
-# many of the settings below won't have effect without those patches.
-# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
-pkgs.wrapFirefox pkgs.librewolf-unwrapped {
-  # inherit the default librewolf.cfg
-  # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-  inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-  libName = "librewolf";
-  extraPolicies = {
-    NoDefaultBookmarks = true;
-    SearchEngines = {
-      Default = "DuckDuckGo";
-    };
-    AppUpdateURL = "https://localhost";
-    DisableAppUpdate = true;
-    OverrideFirstRunPage = "";
-    OverridePostUpdatePage = "";
-    DisableSystemAddonUpdate = true;
-    DisableFirefoxStudies = true;
-    DisableTelemetry = true;
-    DisableFeedbackCommands = true;
-    DisablePocket = true;
-    DisableSetDesktopBackground = false;
-    Extensions = {
-      Install = [
-        "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
-        "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
-        "https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
-        "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
-        "https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
-      ];
-      # remove many default search providers
-      Uninstall = [
-        "google@search.mozilla.org"
-        "bing@search.mozilla.org"
-        "amazondotcom@search.mozilla.org"
-        "ebay@search.mozilla.org"
-        "twitter@search.mozilla.org"
-      ];
-    };
-    # XXX doesn't seem to have any effect...
-    # docs: https://github.com/mozilla/policy-templates#homepage
-    # Homepage = {
-    #   HomepageURL = "https://uninsane.org/";
-    #   StartPage = "homepage";
-    # };
-    # NewTabPage = true;
-  };
-}

nixpatches/list.nix

@@ -1,9 +1,9 @@
 fetchpatch: [
-  # phosh-mobile-settings: init at 0.21.1
+  # librewolf: build with `MOZ_REQUIRE_SIGNING=false`
   (fetchpatch {
-    url = "http://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
-    # url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
-    sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
+    url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/99b82e07fee4d194520d6e8d51bc45c80a4d3c7e.diff";
+    sha256 = "sha256-Ne4hyHQDwBHUlWo8Z3QyRdmEv1rYGOjFGxSfOAcLUvQ=";
   })
 
   # # kaiteki: init at 2022-09-03
@@ -15,24 +15,6 @@ fetchpatch: [
   #   sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
   # })
 
-  # freshrss: patchShebangs instead of specifying interpreter in the service
-  (fetchpatch {
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/9443d83e6fee728c1926a783647b45011bd3b514.diff";
-    url = "https://github.com/NixOS/nixpkgs/pull/196140.diff";
-    sha256 = "sha256-Lngle5YTE7ymQyUarKbebMjiaTlY5cJBoaeZk7AgbXE=";
-  })
-
-  # nautilus: look for the gtk4 FileChooser settings instead of the gtk4 one
-  (fetchpatch {
-    # original version (include the patch in nixpkgs)
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/4636a04c1c4982a0e71ae77d3aa6f52d1a3170f1.diff";
-    # sha256 = "sha256-XKfXStdcveYuk58rlORVJOv0a9Q5aRj1bYT5k79rL0g=";
-
-    # v2 (fetchpatch from upstream PR)
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/730a802808c549220144e4e62aa419bb07c5ae29.diff";
-    url = "https://github.com/NixOS/nixpkgs/pull/195985.diff";
-    sha256 = "sha256-zd7WGOTm3ygh0Wk3uiA+1S+RqD9yWDSXvo7veHs0K00=";
-  })
 
   # Fix mk flutter app
   # closed (not merged). updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
@@ -46,8 +28,7 @@ fetchpatch: [
   #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
   ./02-rpi4-uboot.patch
 
-  # TODO: upstream
-  ./07-duplicity-rich-url.patch
+  # ./07-duplicity-rich-url.patch
 
   # enable aarch64 support for flutter's dart package
   # ./10-flutter-arm64.patch

pkgs/browserpass-extension/default.nix

@@ -0,0 +1,67 @@
+{ stdenv
+, fetchFromGitHub
+, fetchFromGitea
+, gnused
+, jq
+, mkYarnModules
+, zip
+}:
+
+let
+  pname = "browserpass-extension";
+  version = "3.7.2-20221121";
+  # src = fetchFromGitHub {
+  #   owner = "browserpass";
+  #   repo = "browserpass-extension";
+  #   # rev = version;
+  #   rev = "21f3431d09e1d7ffd33e0b9fc5d2965b7bd93a1a";
+  #   sha256 = "sha256-XIgbaQSAXx7L1e/9rzN7oBQy9U3HWJHOX2auuvgdvbc=";
+  # };
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "browserpass-extension";
+    # hack in sops support
+    rev = "e3bf558ff63d002d3c15f2ce966071f04fada306";
+    sha256 = "sha256-dSRZ2ToEOPhzHNvlG8qdewa7689gT8cNB7nXkN3/Avo=";
+  };
+  browserpass-extension-yarn-modules = mkYarnModules {
+    inherit pname version;
+    packageJSON = "${src}/src/package.json";
+    yarnLock = "${src}/src/yarn.lock";
+  };
+  extid = "browserpass@maximbaz.com";
+in stdenv.mkDerivation {
+  inherit pname version src;
+
+  patchPhase = ''
+    # dependencies are built separately: skip the yarn install
+    ${gnused}/bin/sed -i /yarn\ install/d src/Makefile
+  '';
+
+  preBuild = ''
+    ln -s ${browserpass-extension-yarn-modules}/node_modules src/node_modules
+  '';
+
+  installPhase = ''
+    BASE=$out/share/mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
+    mkdir -p $BASE
+
+    pushd firefox
+
+    # firefox requires addons to have an id field when sideloading:
+    # - <https://extensionworkshop.com/documentation/publish/distribute-sideloading/>
+    cat manifest.json \
+      | ${jq}/bin/jq '. + { applications: {gecko: {id: "${extid}" }}, browser_specific_settings: {gecko: {id: "${extid}"}} }' \
+      > manifest.patched.json
+    mv manifest{.patched,}.json
+
+    ${zip}/bin/zip -r $BASE/browserpass@maximbaz.com.xpi ./*
+
+    popd
+  '';
+
+  passthru = {
+    inherit extid;
+  };
+}

pkgs/browserpass/default.nix

@@ -0,0 +1,48 @@
+{ pkgs
+, bash
+, fetchFromGitea
+, gnused
+, lib
+, sane-scripts
+, sops
+, stdenv
+, substituteAll
+}:
+
+let
+  sane-browserpass-gpg = stdenv.mkDerivation {
+    pname = "sane-browserpass-gpg";
+    version = "0.1.0";
+    src = ./.;
+
+    inherit bash gnused sops;
+    sane_scripts = sane-scripts;
+    installPhase = ''
+      mkdir -p $out/bin
+      substituteAll ${./sops-gpg-adapter} $out/bin/gpg
+      chmod +x $out/bin/gpg
+      ln -s $out/bin/gpg $out/bin/gpg2
+    '';
+
+  };
+in
+(pkgs.browserpass.overrideAttrs (upstream: {
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "browserpass-native";
+    # don't forcibly append '.gpg'
+    rev = "85bdb08379c03297c1236f66e8764160c922d397";
+    hash = "sha256-SEfihU+GreWhYfLVr7tTnMCo6Iq20a78F8iVbycOQUQ=";
+  };
+  installPhase = ''
+    make install
+
+    wrapProgram $out/bin/browserpass \
+      --prefix PATH : ${lib.makeBinPath [ sane-browserpass-gpg ]}
+
+    # This path is used by our firefox wrapper for finding native messaging hosts
+    mkdir -p $out/lib/mozilla/native-messaging-hosts
+    ln -s $out/lib/browserpass/hosts/firefox/*.json $out/lib/mozilla/native-messaging-hosts
+  '';
+}))

pkgs/browserpass/sops-gpg-adapter

@@ -0,0 +1,19 @@
+#! @bash@/bin/sh
+
+# browserpass "validates" the gpg binary by invoking it with --version
+if [ "$1" = "--version" ]
+then
+  echo "sane-browserpass-gpg @version@";
+  exit 0
+fi
+
+# ensure the secret store is unlocked
+@sane_scripts@/bin/sane-secrets-unlock
+
+# using exec here forwards our stdin
+# browserpass parses the response in
+# <browserpass-extension/src/background.js#parseFields>
+# it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
+# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
+# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
+exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/

pkgs/gopass-native-messaging-host/com.justwatch.gopass.json

@@ -0,0 +1,10 @@
+{
+    "name": "com.justwatch.gopass",
+    "description": "Gopass wrapper to search and return passwords",
+    "path": "@out@/bin/gopass-wrapper",
+    "type": "stdio",
+    "allowed_extensions": [
+        "{eec37db0-22ad-4bf1-9068-5ae08df8c7e9}"
+    ]
+}
+

pkgs/gopass-native-messaging-host/default.nix

@@ -0,0 +1,22 @@
+{ stdenv
+, bash
+, gopass-jsonapi
+, substituteAll
+}:
+
+stdenv.mkDerivation {
+  pname = "gopass-native-messaging-host";
+  version = "1.0";
+  src = ./.;
+
+  inherit bash;
+  # substituteAll doesn't work with hyphenated vars ??
+  gopassJsonapi = gopass-jsonapi;
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib/mozilla/native-messaging-hosts
+    substituteAll ${./gopass-wrapper.sh} $out/bin/gopass-wrapper
+    chmod +x $out/bin/gopass-wrapper
+    substituteAll ${./com.justwatch.gopass.json} $out/lib/mozilla/native-messaging-hosts/com.justwatch.gopass.json
+  '';
+}

pkgs/gopass-native-messaging-host/gopass-wrapper.sh

@@ -0,0 +1,2 @@
+#! @bash@/bin/sh
+exec @gopassJsonapi@/bin/gopass-jsonapi listen

pkgs/lightdm-mobile-greeter/default.nix

@@ -1,7 +1,7 @@
 { lib
 , fetchFromGitea
 , gtk3
-, libhandy_0
+, libhandy
 , lightdm
 , pkgs
 , linkFarm
@@ -11,20 +11,34 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "lightdm-mobile-greeter";
-  version = "0.1.2";
+  version = "2022-10-30";
 
+  # upstream:
+  # src = fetchFromGitea {
+  #   domain = "git.raatty.club";
+  #   owner = "raatty";
+  #   repo = "lightdm-mobile-greeter";
+  #   rev = "8c8d6dfce62799307320c8c5a1f0dd5c8c18e4d3";
+  #   hash = "sha256-SrAR2+An3BN/doFl/s8PcYZMUHLfVPXKZOo6ndO60nY=";
+  # };
+  # cargoHash = "sha256-NZ0jOkEBNa5oOydfyKm0XQB/vkAvBv9wHBbnM9egQFQ=";
+
+  # sane dev:
   src = fetchFromGitea {
     domain = "git.uninsane.org";
     owner = "colin";
     repo = "lightdm-mobile-greeter";
-    rev = "v${version}";
-    hash = "sha256-x7tpaHYDg6BPIc3k3zzPvZma0RYuGAMQ/z6vAP0wbWs=";
+    # rev = "bd2138f630db0dfb901bc28a9b70d6be8b9879dd";
+    # hash = "sha256-B3dNvnduR1pz5DedmAR8Fc/CXowR3jsyrjMUFOMizxI=";
+    rev = "f3511ec71a4a1f491d759711e0bcf031e335ea70";
+    hash = "sha256-U5chzm3q3vycgX1HSLf6sk6M3YoJ4CHGLKRg4ViIhu8=";
   };
-  cargoHash = "sha256-5WJGnLdZd4acKPEkkTS71n4gfxhlujHWnwiMsomTYck=";
+  cargoHash = "sha256-2NMXR+D/CnDhUToQmMwK2Cb2l+4/N9BrCz/lt1NZ6Wk=";
 
   buildInputs = [
     gtk3
-    libhandy_0
+    # libhandy_0
+    libhandy
     lightdm
   ];
   nativeBuildInputs = [
@@ -45,7 +59,7 @@ rustPlatform.buildRustPackage rec {
 
   meta = with lib; {
     description = "A simple log in screen for use on touch screens.";
-    homepage = "https://git.uninsane.org/colin/lightdm-mobile-greeter";
+    homepage = "https://git.raatty.club/raatty/lightdm-mobile-greeter";
     maintainers = with maintainers; [ colinsane ];
     platforms = platforms.linux;
     license = licenses.mit;

pkgs/linux-megous/default.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "6.0.0";
+  version = "6.0.2";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -15,7 +15,7 @@ buildLinux (args // rec {
     owner = "megous";
     repo = "linux";
     # branch: orange-pi-6.0
-    rev = "b16232c6156de17e1dfdb63fdaea8e317baa07a7";
-    sha256 = "sha256-Tb05IQKFdX/T7elGNnXTLVmgGLvXoeBFBq/8Q7jQhX0=";
+    rev = "2683672a2052ffda995bb987fa62a1abe8424ef4";
+    hash = "sha256-hL/SbLgaTk/CqFLFrAK/OV9/OS20O42zJvSScsvWBQk=";
   };
 } // (args.argsOverride or { }))

pkgs/overlay.nix

@@ -29,17 +29,20 @@
   jackett = prev.callPackage ./jackett { pkgs = prev; };
   # mozilla keeps nerfing itself and removing configuration options
   firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
-  # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
-  # systemd = import ./pkgs/systemd { pkgs = prev; };
 
   # patch rpi uboot with something that fixes USB HDD boot
   ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
 
   gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
 
+  browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
+
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
   kaiteki = prev.callPackage ./kaiteki { };
   lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
+  browserpass-extension = prev.callPackage ./browserpass-extension { };
+  gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
+  tokodon = prev.libsForQt5.callPackage ./tokodon { };
   # kaiteki = prev.kaiteki;
   # TODO: upstream, or delete nabla
   nabla = prev.callPackage ./nabla { };