geoclue: integrate with gps-share, via avahi

N.B.: this doesn't actually work on moby -- yet. need to fix avahi DNS lookups

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &user_lappy_colin age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
   - &user_servo_colin age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
   - &user_moby_colin age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
+  - &host_crappy age1hl50ufuxnqy0jnk8fqeu4tclh4vte2xn2d59pxff0gun20vsmv5sp78chj
   - &host_desko age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
   - &host_lappy age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
   - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
@@ -15,6 +16,7 @@ creation_rules:
       - *user_lappy_colin
       - *user_servo_colin
       - *user_moby_colin
+      - *host_crappy
       - *host_desko
       - *host_lappy
       - *host_servo

README.md

@@ -1,3 +1,9 @@
+![hello](doc/hello.gif)
+
+# .❄️≡We|_c0m3 7o m`/ f14k≡❄️.
+
+(er, it's not a flake anymore. welcome to my nix files.)
+
 ## What's Here
 
 this is the top-level repo from which i configure/deploy all my NixOS machines:
@@ -6,18 +12,18 @@ this is the top-level repo from which i configure/deploy all my NixOS machines:
 - server
 - mobile phone (Pinephone)
 
-everything outside of <./hosts/> and <./secrets/> is intended for export, to be importable for use by 3rd parties.
+everything outside of [hosts/](./hosts/) and [secrets/](./secrets/) is intended for export, to be importable for use by 3rd parties.
 the only hard dependency for my exported pkgs/modules should be [nixpkgs][nixpkgs].
-building <./hosts/> will require [sops][sops].
+building [hosts/](./hosts/) will require [sops][sops].
 
 you might specifically be interested in these files (elaborated further in #key-points-of-interest):
-- [`sxmo-utils`](./pkgs/additional/sxmo-utils/default.nix)
-  - [example SXMO deployment](./hosts/modules/gui/sxmo/default.nix)
+- ~~[`sxmo-utils`](./pkgs/additional/sxmo-utils/default.nix)~~
+  - these files will remain until my config settles down, but i no longer use or maintain SXMO.
 - [my implementation of impermanence](./modules/persist/default.nix)
 - my way of deploying dotfiles/configuring programs per-user:
-  - <./modules/fs/default.nix>
-  - <./modules/programs.nix>
-  - <./modules/users.nix>
+  - [modules/fs/](./modules/fs/default.nix)
+  - [modules/programs/](./modules/programs/default.nix)
+  - [modules/users/](./modules/users/default.nix)
 
 [nixpkgs]: https://github.com/NixOS/nixpkgs
 [sops]: https://github.com/Mic92/sops-nix
@@ -25,47 +31,38 @@ you might specifically be interested in these files (elaborated further in #key-
 
 ## Using This Repo In Your Own Config
 
-this should be a pretty "standard" flake. just reference it, and import either
-- `nixosModules.sane` (for the modules)
-- `overlays.pkgs` (for the packages)
-
-or follow the instructions [here][NUR] to use it via the Nix User Repositories.
+follow the instructions [here][NUR] to access my packages through the Nix User Repositories.
 
 [NUR]: https://nur.nix-community.org/
 
 ## Layout
 - `doc/`
-    - instructions for tasks i find myself doing semi-occasionally in this repo.
+  - instructions for tasks i find myself doing semi-occasionally in this repo.
 - `hosts/`
-    - the bulk of config which isn't factored with external use in mind.
-    - that is, if you were to add this repo to a flake.nix for your own use,
-      you won't likely be depending on anything in this directory.
+  - configs which aren't factored with external use in mind.
+  - that is, if you were to add this repo to a flake.nix for your own use,
+    you won't likely be depending on anything in this directory.
 - `integrations/`
-    - code intended for consumption by external tools (e.g. the Nix User Repos)
+  - code intended for consumption by external tools (e.g. the Nix User Repos).
 - `modules/`
-    - config which is gated behind `enable` flags, in similar style to nixpkgs'
-      `nixos/` directory.
-    - if you depend on this repo, it's most likely for something in this directory.
-- `nixpatches/`
-    - literally, diffs i apply atop upstream nixpkgs before performing further eval.
+  - config which is gated behind `enable` flags, in similar style to nixpkgs' `nixos/` directory.
+  - if you depend on this repo for anything besides packages, it's most likely for something in this directory.
 - `overlays/`
-    - exposed via the `overlays` output in `flake.nix`.
-    - predominantly a list of `callPackage` directives.
+  - predominantly a list of `callPackage` directives.
 - `pkgs/`
-    - derivations for things not yet packaged in nixpkgs.
-    - derivations for things from nixpkgs which i need to `override` for some reason.
-    - inline code for wholly custom packages (e.g. `pkgs/additional/sane-scripts/` for CLI tools
-      that are highly specific to my setup).
+  - derivations for things not yet packaged in nixpkgs.
+  - derivations for things from nixpkgs which i need to `override` for some reason.
+  - inline code for wholly custom packages (e.g. `pkgs/additional/sane-scripts/` for CLI tools
+    that are highly specific to my setup).
 - `scripts/`
-    - scripts which aren't reachable on a deployed system, but may aid manual deployments
+  - scripts which aren't reachable on a deployed system, but may aid manual deployments.
 - `secrets/`
-    - encrypted keys, API tokens, anything which one or more of my machines needs
-      read access to but shouldn't be world-readable.
-    - not much to see here
+  - encrypted keys, API tokens, anything which one or more of my machines needs
+    read access to but shouldn't be world-readable.
+  - not much to see here.
 - `templates/`
-    - exposed via the `templates` output in `flake.nix`.
-    - used to instantiate short-lived environments.
-    - used to auto-fill the boiler-plate portions of new packages.
+  - used to instantiate short-lived environments.
+  - used to auto-fill the boiler-plate portions of new packages.
 
 
 ## Key Points of Interest
@@ -73,35 +70,41 @@ or follow the instructions [here][NUR] to use it via the Nix User Repositories.
 i.e. you might find value in using these in your own config:
 
 - `modules/fs/`
-    - use this to statically define leafs and nodes anywhere in the filesystem,
-      not just inside `/nix/store`.
-    - e.g. specify that `/var/www` should be:
-        - owned by a specific user/group
-        - set to a specific mode
-        - symlinked to some other path
-        - populated with some statically-defined data
-        - populated according to some script
-        - created as a dependency of some service (e.g. `nginx`)
-    - values defined here are applied neither at evaluation time _nor_ at activation time.
-        - rather, they become systemd services.
-        - systemd manages dependencies
-        - e.g. link `/var/www -> /mnt/my-drive/www` only _after_ `/mnt/my-drive/www` appears)
-    - this is akin to using [Home Manager's][home-manager] file API -- the part which lets you
-      statically define `~/.config` files -- just with a different philosophy.
+  - use this to statically define leafs and nodes anywhere in the filesystem,
+    not just inside `/nix/store`.
+  - e.g. specify that `/var/www` should be:
+    - owned by a specific user/group
+    - set to a specific mode
+    - symlinked to some other path
+    - populated with some statically-defined data
+    - populated according to some script
+    - created as a dependency of some service (e.g. `nginx`)
+  - values defined here are applied neither at evaluation time _nor_ at activation time.
+    - rather, they become systemd services.
+    - systemd manages dependencies
+    - e.g. link `/var/www -> /mnt/my-drive/www` only _after_ `/mnt/my-drive/www` appears)
+  - this is akin to using [Home Manager's][home-manager] file API -- the part which lets you
+    statically define `~/.config` files -- just with a different philosophy.
 - `modules/persist/`
-    - my alternative to the Impermanence module.
-    - this builds atop `modules/fs/` to achieve things stock impermanence can't:
-        - persist things to encrypted storage which is unlocked at login time (pam_mount).
-        - "persist" cache directories -- to free up RAM -- but auto-wipe them on mount
-          and encrypt them to ephemeral keys so they're unreadable post shutdown/unmount.
-- `modules/programs.nix`
-    - like nixpkgs' `programs` options, but allows both system-wide or per-user deployment.
-    - allows `fs` and `persist` config values to be gated behind program deployment:
-        - e.g. `/home/<user>/.mozilla/firefox` is persisted only for users who
-          `sane.programs.firefox.enableFor.user."<user>" = true;`
-- `modules/users.nix`
-    - convenience layer atop the above modules so that you can just write
-      `fs.".config/git"` instead of `fs."/home/colin/.config/git"`
+  - my alternative to the Impermanence module.
+  - this builds atop `modules/fs/` to achieve things stock impermanence can't:
+    - persist things to encrypted storage which is unlocked at login time (pam_mount).
+    - "persist" cache directories -- to free up RAM -- but auto-wipe them on mount
+      and encrypt them to ephemeral keys so they're unreadable post shutdown/unmount.
+- `modules/programs/`
+  - like nixpkgs' `programs` options, but allows both system-wide or per-user deployment.
+  - allows `fs` and `persist` config values to be gated behind program deployment:
+    - e.g. `/home/<user>/.mozilla/firefox` is persisted only for users who
+      `sane.programs.firefox.enableFor.user."<user>" = true;`
+  - allows aggressive sandboxing any program:
+    - `sane.programs.firefox.sandbox.method = "bwrap";  # sandbox with bubblewrap`
+    - `sane.programs.firefox.sandbox.whitelistWayland = true;  # allow it to render a wayland window`
+    - `sane.programs.firefox.sandbox.extraHomePaths = [ "Downloads" ];  # allow it read/write access to ~/Downloads`
+    - integrated with `fs` and `persist` modules so that programs' config files and persisted data stores are linked into the sandbox w/o any extra involvement.
+- `modules/users/`
+  - convenience layer atop the above modules so that you can just write
+    `fs.".config/git"` instead of `fs."/home/colin/.config/git"`
+  - per-user services managed by [s6-rc](https://www.skarnet.org/software/s6-rc/)
 
 some things in here could easily find broader use. if you would find benefit in
 them being factored out of my config, message me and we could work to make that happen.

TODO.md

@@ -1,57 +1,104 @@
 ## BUGS
-- nixpkgs date is incorrect (1970.01.01...)
+- `rmDbusServices` may break sandboxing
+  - e.g. if the package ships a systemd unit which references $out, then make-sandboxed won't properly update that unit.
+  - `rmDbusServicesInPlace` is not affected
+- when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/trust-dns/dhcp-configs doesn't get reset
+  - `ip monitor` can detect those manual link state changes (NM-dispatcher it seems cannot)
+  - or try dnsmasq?
+- trust-dns: can't recursively resolve api.mangadex.org
+  - and *sometimes* apple.com fails
+- sandbox: link cache means that if i update ~/.config/... files inline, sandboxed programs still see the old version
+- mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed
+- mpv: no way to exit fullscreen video on moby
+  - uosc hides controls on FS, and touch doesn't support unhiding
+- Signal restart loop drains battery
+  - decrease s6 restart time?
+- `ssh` access doesn't grant same linux capabilities as login
 - ringer (i.e. dino incoming call) doesn't prevent moby from sleeping
-- `nix` operations from lappy hang when `desko` is unreachable
-  - could at least direct the cache to `http://desko-hn:5001`
+- syshud (volume overlay): when casting with `blast`, syshud doesn't react to volume changes
+- moby: kaslr is effectively disabled
+  - `dmesg | grep "KASLR disabled due to lack of seed"`
+  - fix by adding `kaslrseed` to uboot script before `booti`
+    - <https://github.com/armbian/build/pull/4352>
+    - not sure how that's supposed to work with tow-boot; maybe i should just update tow-boot
+- moby: bpf is effectively disabled?
+  - `dmesg | grep 'systemd[1]: bpf-lsm: Failed to load BPF object: No such process'`
+  - `dmesg | grep 'hid_bpf: error while preloading HID BPF dispatcher: -22'`
+- `s6` is not re-entrant
+  - so if the desktop crashes, the login process from `unl0kr` fails to re-launch the GUI
+- swaync brightness slider does not work
+  - it reads brightness from /sys/class/backlight/....
+  - but to *set* the brightness it assumes systemd logind is running
+    <repo:ErikReider/SwayNotificationCenter:src/controlCenter/widgets/backlight/backlightUtil.vala>
+    no reason i can't just write to that file, or exec brightnessctl (if i learn vala)
 
 ## REFACTORING:
-
+- add import checks to my Python nix-shell scripts
+- consolidate ~/dev and ~/ref
+  - ~/dev becomes a link to ~/ref/cat/mine
 - fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix
 
 ### sops/secrets
-- attach secrets to the thing they're used by (sane.programs)
 - rework secrets to leverage `sane.fs`
 - remove sops activation script as it's covered by my systemd sane.fs impl
+- user secrets could just use `gocryptfs`, like with ~/private?
+  - can gocryptfs support nested filesystems, each with different perms (for desko, moby, etc)?
 
 ### roles
 - allow any host to take the role of `uninsane.org`
   - will make it easier to test new services?
 
 ### upstreaming
-- split out a sxmo module usable by NUR consumers
-- bump nodejs version in lemmy-ui
 - add updateScripts to all my packages in nixpkgs
-- fix lightdm-mobile-greeter for newer libhandy
-- port zecwallet-lite to a from-source build
-- REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
 
 #### upstreaming to non-nixpkgs repos
 - gtk: build schemas even on cross compilation: <https://github.com/NixOS/nixpkgs/pull/247844>
 
 
 ## IMPROVEMENTS:
+- systemd/journalctl: use a less shit pager
+  - there's an env var for it: SYSTEMD_PAGER? and a flag for journalctl
+- kernels: ship the same kernel on every machine
+  - then i can tune the kernels for hardening, without duplicating that work 4 times
+- zfs: replace this with something which doesn't require a custom kernel build
+- mpv: add media looping controls (e.g. loop song, loop playlist)
+
 ### security/resilience
 - validate duplicity backups!
 - encrypt more ~ dirs (~/archives, ~/records, ..?)
   - best to do this after i know for sure i have good backups
-- have `sane.programs` be wrapped such that they run in a cgroup?
-  - at least, only give them access to the portion of the fs they *need*.
-  - Android takes approach of giving each app its own user: could hack that in here.
-  - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
-    - presumably uses the same options as systemd services
-    - see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
-  - flatpak does this, somehow
-  - apparmor?  SElinux?  (desktop) "portals"?
-  - see Spectrum OS; Alyssa Ross; etc
-  - bubblewrap-based sandboxing: <https://github.com/nixpak/nixpak>
+- /mnt/desko/home, etc, shouldn't include secrets (~/private)
+  - 95% of its use is for remote media access and stuff which isn't in VCS (~/records)
+- port all sane.programs to be sandboxed
+  - enforce that all `environment.packages` has a sandbox profile (or explicitly opts out)
+  - revisit "non-sandboxable" apps and check that i'm not actually just missing mountpoints
+    - LL_FS_RW=/ isn't enough -- need all mount points like `=/:/proc:/sys:...`.
+  - ensure non-bin package outputs are linked for sandboxed apps
+    - i.e. `outputs.man`, `outputs.debug`, `outputs.doc`, ...
+  - lock down dbus calls within the sandbox
+    - otherwise anyone can `systemd-run --user ...` to potentially escape a sandbox
+    - <https://github.com/flatpak/xdg-dbus-proxy>
+  - remove `.ssh` access from Firefox!
+    - limit access to `~/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
+  - port sanebox to a compiled language (hare?)
+    - it adds like 50-70ms launch time _on my laptop_. i'd hate to know how much that is on the pinephone.
+- make dconf stuff less monolithic
+  - i.e. per-app dconf profiles for those which need it. possible static config.
+  - flatpak/spectrum has some stuff to proxy dconf per-app
 - canaries for important services
   - e.g. daily email checks; daily backup checks
   - integrate `nix check` into Gitea actions?
 
-### faster/better deployments
-- remove audacity's dependency on webkitgtk (via wxwidgets)
-
 ### user experience
+- rofi: sort items case-insensitively
+- xdg-desktop-portal shouldn't kill children on exit
+  - *maybe* a job for `setsid -f`?
+- replace starship prompt with something more efficient
+  - watch `forkstat`: it does way too much
+- cleanup waybar/nwg-panel so that it's not invoking playerctl every 2 seconds
+  - nwg-panel: swaync icon is stuck as the refresh icon
+  - nwg-panel: doesn't appear on all desktops
+  - nwg-panel: doesn't know that virtual-desktop 10/TV exists
 - install apps:
   - display QR codes for WiFi endpoints: <https://linuxphoneapps.org/apps/noappid.wisperwind.wifi2qr/>
   - shopping list (not in nixpkgs): <https://linuxphoneapps.org/apps/ro.hume.cosmin.shoppinglist/>
@@ -59,8 +106,9 @@
   - offline docs viewer (gtk): <https://github.com/workbenchdev/Biblioteca>
   - some type of games manager/launcher
     - Gnome Highscore (retro games)?: <https://gitlab.gnome.org/World/highscore>
-  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)? Gnome Maps is improved in 45)
+  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)?
   - note-taking app: <https://linuxphoneapps.org/categories/note-taking/>
+    - Folio is nice, uses standard markdown, though it only supports flat repos
   - OSK overlay specifically for mobile gaming
     - i.e. mock joysticks, for use with SuperTux and SuperTuxKart
 - install mobile-friendly games:
@@ -70,31 +118,34 @@
   - Shootin Stars  (Godot; not in nixpkgs) <https://gitlab.com/greenbeast/shootin-stars>
   - numberlink (generic name for Flow Free). not packaged in Nix
   - Neverball (https://neverball.org/screenshots.php). nix: as `neverball`
+  - blurble (https://linuxphoneapps.org/games/app.drey.blurble/). nix: not as of 2024-02-05
+  - Trivia Quiz (https://linuxphoneapps.org/games/io.github.nokse22.trivia-quiz/)
+- sane-sync-music: remove empty dirs
 
 #### moby
 - fix cpuidle (gets better power consumption): <https://xnux.eu/log/077.html>
+- moby: tune keyboard layout
 - SwayNC:
   - don't show MPRIS if no players detected
     - this is a problem of playerctld, i guess
   - add option to change audio output
   - fix colors (red alert) to match overall theme
 - moby: tune GPS
-  - run only geoclue, and not gpsd, to save power?
   - tune QGPS setting in eg25-control, for less jitter?
-  - direct mepo to prefer gpsd, with fallback to geoclue, for better accuracy?
   - configure geoclue to do some smoothing?
-  - manually do smoothing, as some layer between mepo and geoclue/gpsd?
+  - manually do smoothing, as some layer between mepo and geoclue?
+- moby: port `freshen-agps` timer service to s6 (maybe i want some `s6-cron` or something)
 - moby: show battery state on ssh login
 - moby: improve gPodder launch time
 - moby: theme GTK apps (i.e. non-adwaita styles)
   - especially, make the menubar collapsible
   - try Gradience tool specifically for theming adwaita? <https://linuxphoneapps.org/apps/com.github.gradienceteam.gradience/>
-- phog: remove the gnome-shell runtime dependency to save hella closure size
 
 #### non-moby
 - RSS: integrate a paywall bypass
   - e.g. self-hosted [ladder](https://github.com/everywall/ladder) (like 12ft.io)
 - neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
+- neovim: integrate LLMs
 - Helix: make copy-to-system clipboard be the default
 - firefox/librewolf: persist history
   - just not cookies or tabs
@@ -111,13 +162,16 @@
   - could change junk filter from "no DKIM success" to explicit "DKIM failed"
 
 ### perf
+- debug nixos-rebuild times
+  - use `systemctl list-jobs` to show what's being waited on
+  - i think it's `systemd-networkd-wait-online.service` that's blocking this?
+    - i wonder what interface it's waiting for. i should use `--ignore=...` to ignore interfaces i don't care about.
+  - also `wireguard-wg-home.target` when net is offline
 - add `pkgs.impure-cached.<foo>` package set to build things with ccache enabled
   - every package here can be auto-generated, and marked with some env var so that it doesn't pollute the pure package set
   - would be super handy for package prototyping!
-- fix desko so it doesn't dispatch so many build jobs to servo by default
 
 ## NEW FEATURES:
 - migrate MAME cabinet to nix
   - boot it from PXE from servo?
 - enable IPv6
-- package lemonade lemmy app: <https://linuxphoneapps.org/apps/ml.mdwalters.lemonade/>

default.nix

@@ -1,9 +1,5 @@
-# limited, non-flake interface to this repo.
-# this file exposes the same view into `pkgs` which the flake would see when evaluated.
-#
-# the primary purpose of this file is so i can run `updateScript`s which expect
-# the root to be `default.nix`
-{ pkgs ? import <nixpkgs> {} }:
-pkgs.appendOverlays [
-  (import ./overlays/all.nix)
-]
+{ ... }@args:
+let
+  sane-nix-files = import ./pkgs/additional/sane-nix-files { };
+in
+  import "${sane-nix-files}/impure.nix" args

doc/adding-a-host.md

@@ -0,0 +1,25 @@
+to add a host:
+- create the new nix targets
+  - hosts/by-name/HOST
+  - let the toplevel (flake.nix) know about HOST
+- build and flash an image
+- optionally expand the rootfs
+  - `cfdisk /dev/sda2` -> resize partition
+  - `mount /dev/sda2 boot`
+  - `btrfs filesystem resize max root`
+- setup required persistent directories
+  - `mkdir -p root/persist/private`
+  - `gocryptfs -init root/persist/private`
+  - then boot the device, and for every dangling symlink in ~/.local/share, ~/.cache, do `mkdir -p` on it
+- setup host ssh
+  - `mkdir -p root/persist/plaintext/etc/ssh/host_keys`
+  - boot the machine and let it create its own ssh keys
+  - add the pubkey to `hosts/common/hosts.nix`
+- setup user ssh
+  - `ssh-keygen`. don't enter any password; it's stored in a password-encrypted fs.
+  - add the pubkey to `hosts/common/hosts.nix`
+- allow the new host to view secrets
+  - instructions in hosts/common/secrets.nix
+  - run `ssh-to-age` on user/host pubkeys
+  - add age key to .sops.yaml
+  - update encrypted secrets: `sops updatekeys path/to/secret.yaml`

doc/recovery.md

@@ -0,0 +1,12 @@
+## deploying to SD card
+- build a toplevel config: `nix build '.#hostSystems.moby'`
+- mount a system:
+  - `mkdir -p root/{nix,boot}`
+  - `mount /dev/sdX1 root/boot`
+  - `mount /dev/sdX2 root/nix`
+- copy the config:
+  - `sudo nix copy --no-check-sigs --to root/ $(readlink result)`
+    - nix will copy stuff to `root/nix/store`
+- install the boot files:
+  - `sudo /nix/store/sbwpwngjlgw4f736ay9hgi69pj3fdwk5-extlinux-conf-builder.sh -d ./root/boot -t 5 -c $(readlink ./result)`
+    - extlinux-conf-builder can be found in `/run/current-system/bin/switch-to-configuration`

flake.lock

@@ -1,121 +0,0 @@
-{
-  "nodes": {
-    "mobile-nixos": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1694749521,
-        "narHash": "sha256-MiVokKlpcJmfoGuWAMeW1En7gZ5hk0rCQArYm6P9XCc=",
-        "owner": "nixos",
-        "repo": "mobile-nixos",
-        "rev": "d25d3b87e7f300d8066e31d792337d9cd7ecd23b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "d25d3b87e7f300d8066e31d792337d9cd7ecd23b",
-        "repo": "mobile-nixos",
-        "type": "github"
-      }
-    },
-    "nixpkgs-next-unpatched": {
-      "locked": {
-        "lastModified": 1705233677,
-        "narHash": "sha256-eq3VE8QGJsunqqF/BlLslWE1gASp4Hlgp0c78coxat0=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "724e39ebb9b8eda97f17d423f66fbc5a991f4f8d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "staging-next",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1705033721,
-        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-23.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unpatched": {
-      "locked": {
-        "lastModified": 1705254014,
-        "narHash": "sha256-4RrVNEqxeji4vqDgzSl7JoCD6a0ag5LF9zXFndtqrpE=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "6c08fe3ccf437d8b26bec010fd925ddd6bb0d0d5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "mobile-nixos": "mobile-nixos",
-        "nixpkgs-next-unpatched": "nixpkgs-next-unpatched",
-        "nixpkgs-unpatched": "nixpkgs-unpatched",
-        "sops-nix": "sops-nix",
-        "uninsane-dot-org": "uninsane-dot-org"
-      }
-    },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1705201153,
-        "narHash": "sha256-y0/a4IMDZrc7lAkR7Gcm5R3W2iCBiARHnYZe6vkmiNE=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "70dd0d521f7849338e487a219c1a07c429a66d77",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
-      }
-    },
-    "uninsane-dot-org": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ]
-      },
-      "locked": {
-        "lastModified": 1704082841,
-        "narHash": "sha256-4g3lePnUALb8B1m3rEDD6rrZAq2pTN4qaSnStbd676U=",
-        "ref": "refs/heads/master",
-        "rev": "4a1fa488e64e6c87c6c951e3fafb2684692f64d3",
-        "revCount": 234,
-        "type": "git",
-        "url": "https://git.uninsane.org/colin/uninsane"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.uninsane.org/colin/uninsane"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}

flake.nix

@@ -1,549 +0,0 @@
-# FLAKE FEEDBACK:
-# - if flake inputs are meant to be human-readable, a human should be able to easily track them down given the URL.
-#   - this is not the case with registry URLs, like `nixpkgs/nixos-22.11`.
-#   - this is marginally the case with schemes like `github:nixos/nixpkgs`.
-#   - given the *existing* `git+https://` scheme, i propose expressing github URLs similarly:
-#     - `github+https://github.com/nixos/nixpkgs/tree/nixos-22.11`
-#     - this would allow for the same optimizations as today's `github:nixos/nixpkgs`, but without obscuring the source.
-#       a code reader could view the source being referenced simply by clicking the https:// portion of that URI.
-# - need some way to apply local patches to inputs.
-#
-#
-# DEVELOPMENT DOCS:
-# - Flake docs: <https://nixos.wiki/wiki/Flakes>
-# - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
-#   - Discussion: <https://github.com/NixOS/rfcs/pull/49>
-# - <https://serokell.io/blog/practical-nix-flakes>
-#
-#
-# COMMON OPERATIONS:
-# - update a specific flake input:
-#   - `nix flake lock --update-input nixpkgs`
-
-{
-  # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
-  # preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
-  # but `inputs` is required to be a strict attrset: not an expression.
-  inputs = {
-    # branch workflow:
-    # - daily:
-    #   - nixos-unstable cut from master after enough packages have been built in caches.
-    # - every 6 hours:
-    #   - master auto-merged into staging and staging-next
-    #   - staging-next auto-merged into staging.
-    # - manually, approximately once per month:
-    #   - staging-next is cut from staging.
-    #   - staging-next merged into master.
-    #
-    # which branch to source from?
-    # - nixos-unstable: for everyday development; it provides good caching
-    # - master: temporarily if i'm otherwise cherry-picking lots of already-applied patches
-    # - staging-next: if testing stuff that's been PR'd into staging, i.e. base library updates.
-    # - staging: maybe if no staging-next -> master PR has been cut yet?
-    #
-    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=master";
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-staging";
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-staging-next";
-    nixpkgs-next-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
-
-    mobile-nixos = {
-      # <https://github.com/nixos/mobile-nixos>
-      # only used for building disk images, not relevant after deployment
-      # TODO: replace with something else. commit `0f3ac0bef1aea70254a3bae35e3cc2561623f4c1`
-      # replaces the imageBuilder with a "new implementation from celun" and wildly breaks my use.
-      # pinning to d25d3b... is equivalent to holding at 2023-09-15
-      url = "github:nixos/mobile-nixos?ref=d25d3b87e7f300d8066e31d792337d9cd7ecd23b";
-      flake = false;
-    };
-    sops-nix = {
-      # <https://github.com/Mic92/sops-nix>
-      # used to distribute secrets to my hosts
-      url = "github:Mic92/sops-nix";
-      # inputs.nixpkgs.follows = "nixpkgs";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
-    uninsane-dot-org = {
-      # provides the package to deploy <https://uninsane.org>, used only when building the servo host
-      url = "git+https://git.uninsane.org/colin/uninsane";
-      # inputs.nixpkgs.follows = "nixpkgs";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
-  };
-
-  outputs = {
-    self,
-    nixpkgs-unpatched,
-    nixpkgs-next-unpatched ? nixpkgs-unpatched,
-    mobile-nixos,
-    sops-nix,
-    uninsane-dot-org,
-    ...
-  }@inputs:
-    let
-      inherit (builtins) attrNames elem listToAttrs map mapAttrs;
-      # redefine some nixpkgs `lib` functions to avoid the infinite recursion
-      # of if we tried to use patched `nixpkgs.lib` as part of the patching process.
-      mapAttrs' = f: set:
-        listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
-      optionalAttrs = cond: attrs: if cond then attrs else {};
-      # mapAttrs but without the `name` argument
-      mapAttrValues = f: mapAttrs (_: f);
-
-      # rather than apply our nixpkgs patches as a flake input, do that here instead.
-      # this (temporarily?) resolves the bad UX wherein a subflake residing in the same git
-      # repo as the main flake causes the main flake to have an unstable hash.
-      patchNixpkgs = variant: nixpkgs: (import ./nixpatches/flake.nix).outputs {
-        inherit variant nixpkgs;
-        self = patchNixpkgs variant nixpkgs;
-      } // {
-        # provide values that nixpkgs ordinarily sources from the flake.lock file,
-        # inaccessible to it here because of the import-from-derivation.
-        # rev and shortRev seem to not always exist (e.g. if the working tree is dirty),
-        # so those are made conditional.
-        #
-        # these values impact the name of a produced nixos system. having date/rev in the
-        # `readlink /run/current-system` store path helps debuggability.
-        inherit (self) lastModifiedDate lastModified;
-      } // optionalAttrs (self ? rev) {
-        inherit (self) rev;
-      } // optionalAttrs (self ? shortRev) {
-        inherit (self) shortRev;
-      };
-
-      nixpkgs' = patchNixpkgs "master" nixpkgs-unpatched;
-      nixpkgsCompiledBy = system: nixpkgs'.legacyPackages."${system}";
-
-      evalHost = { name, local, target, light ? false, nixpkgs ? nixpkgs' }: nixpkgs.lib.nixosSystem {
-        system = target;
-        modules = [
-          {
-            nixpkgs.buildPlatform.system = local;
-            # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
-          }
-          (optionalAttrs (local != target) {
-            # XXX(2023/12/11): cache.nixos.org uses `system = ...` instead of `hostPlatform.system`, and that choice impacts the closure of every package.
-            # so avoid specifying hostPlatform.system on non-cross builds, so i can use upstream caches.
-            nixpkgs.hostPlatform.system = target;
-          })
-          (optionalAttrs light {
-            sane.enableSlowPrograms = false;
-          })
-          (import ./hosts/instantiate.nix { hostName = name; })
-          self.nixosModules.default
-          self.nixosModules.passthru
-          {
-            nixpkgs.overlays = [
-              self.overlays.passthru
-              self.overlays.sane-all
-            ];
-          }
-        ];
-      };
-    in {
-      nixosConfigurations = let
-        hosts = {
-          servo       = { name = "servo";  local = "x86_64-linux"; target = "x86_64-linux";  };
-          desko       = { name = "desko";  local = "x86_64-linux"; target = "x86_64-linux";  };
-          desko-light = { name = "desko";  local = "x86_64-linux"; target = "x86_64-linux";  light = true; };
-          lappy       = { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  };
-          lappy-light = { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  light = true; };
-          moby        = { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; };
-          moby-light  = { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; light = true; };
-          rescue      = { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux";  };
-        };
-        hostsNext = mapAttrs' (h: v: {
-          name = "${h}-next";
-          value = v // { nixpkgs = patchNixpkgs "staging-next" nixpkgs-next-unpatched; };
-        }) hosts;
-      in mapAttrValues evalHost (
-        hosts // hostsNext
-      );
-
-      # unofficial output
-      # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
-      # after building this:
-      #   - flash it to a bootable medium (SD card, flash drive, HDD)
-      #   - resize the root partition (use cfdisk)
-      #   - mount the part
-      #      - chown root:nixbld <part>/nix/store
-      #      - chown root:root -R <part>/nix/store/*
-      #      - chown root:root -R <part>/persist  # if using impermanence
-      #      - populate any important things (persist/, home/colin/.ssh, etc)
-      #   - boot
-      #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
-      #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
-      #   - `nixos-rebuild --flake './#<host>' switch`
-      imgs = mapAttrValues (host: host.config.system.build.img) self.nixosConfigurations;
-
-      # unofficial output
-      hostConfigs = mapAttrValues (host: host.config) self.nixosConfigurations;
-      hostSystems = mapAttrValues (host: host.config.system.build.toplevel) self.nixosConfigurations;
-      hostPkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
-      hostPrograms = mapAttrValues (host: mapAttrValues (p: p.package) host.config.sane.programs) self.nixosConfigurations;
-
-      patched.nixpkgs = nixpkgs';
-
-      overlays = {
-        # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
-        #   hence the weird redundancy.
-        default = final: prev: self.overlays.pkgs final prev;
-        sane-all = final: prev: import ./overlays/all.nix final prev;
-        disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
-        pkgs = final: prev: import ./overlays/pkgs.nix final prev;
-        pins = final: prev: import ./overlays/pins.nix final prev;
-        preferences = final: prev: import ./overlays/preferences.nix final prev;
-        optimizations = final: prev: import ./overlays/optimizations.nix final prev;
-        passthru = final: prev:
-          let
-            mobile = (import "${mobile-nixos}/overlay/overlay.nix");
-            uninsane = uninsane-dot-org.overlays.default;
-          in
-            (mobile final prev)
-            // (uninsane final prev)
-          ;
-      };
-
-      nixosModules = rec {
-        default = sane;
-        sane = import ./modules;
-        passthru = { ... }: {
-          imports = [
-            sops-nix.nixosModules.sops
-          ];
-        };
-      };
-
-      # this includes both our native packages and all the nixpkgs packages.
-      legacyPackages =
-        let
-          allPkgsFor = sys: (nixpkgsCompiledBy sys).appendOverlays [
-            self.overlays.passthru self.overlays.pkgs
-          ];
-        in {
-          x86_64-linux = allPkgsFor "x86_64-linux";
-          aarch64-linux = allPkgsFor "aarch64-linux";
-        };
-
-      # extract only our own packages from the full set.
-      # because of `nix flake check`, we flatten the package set and only surface x86_64-linux packages.
-      packages = mapAttrs
-        (system: passthruPkgs: passthruPkgs.lib.filterAttrs
-          (name: pkg:
-            # keep only packages which will pass `nix flake check`, i.e. keep only:
-            # - derivations (not package sets)
-            # - packages that build for the given platform
-            (! elem name [ "feeds" "pythonPackagesExtensions" ])
-            && (passthruPkgs.lib.meta.availableOn passthruPkgs.stdenv.hostPlatform pkg)
-          )
-          (
-            # expose sane packages and chosen inputs (uninsane.org)
-            (import ./pkgs { pkgs = passthruPkgs; }) // {
-              inherit (passthruPkgs) uninsane-dot-org;
-            }
-          )
-        )
-        # self.legacyPackages;
-        {
-          x86_64-linux = (nixpkgsCompiledBy "x86_64-linux").appendOverlays [
-            self.overlays.passthru
-          ];
-        }
-      ;
-
-      apps."x86_64-linux" =
-        let
-          pkgs = self.legacyPackages."x86_64-linux";
-          sanePkgs = import ./pkgs { inherit pkgs; };
-          deployScript = host: addr: action: pkgs.writeShellScript "deploy-${host}" ''
-            nix build '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./result-${host} "$@"
-            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result-${host})
-
-            # XXX: this triggers another config eval & (potentially) build.
-            # if the config changed between these invocations, the above signatures might not apply to the deployed config.
-            # let the user handle that edge case by re-running this whole command.
-            # N.B.: `--fast` option here is critical to cross-compiled deployments: without it the build machine will try to invoke the host machine's `nix` binary.
-            # TODO: solve this by replacing the nixos-build invocation with:
-            # - nix-copy-closure --to $host $result
-            # - on target: nix-env set -p /nix/var/nix/profiles/system $result
-            # - on target: $result/bin/switch-to-configuration
-            nixos-rebuild --flake '.#${host}' ${action} --target-host colin@${addr} --use-remote-sudo "$@" --fast
-          '';
-          deployApp = host: addr: action: {
-            type = "app";
-            program = ''${deployScript host addr action}'';
-          };
-
-          # pkg updating.
-          # a cleaner alternative lives here: <https://discourse.nixos.org/t/how-can-i-run-the-updatescript-of-personal-packages/25274/2>
-          # mkUpdater :: [ String ] -> { type = "app"; program = path; }
-          mkUpdater = attrPath: {
-            type = "app";
-            program = let
-              pkg = pkgs.lib.getAttrFromPath attrPath sanePkgs;
-              strAttrPath = pkgs.lib.concatStringsSep "." attrPath;
-              commandArgv = pkg.updateScript.command or pkg.updateScript;
-              command = pkgs.lib.escapeShellArgs commandArgv;
-            in builtins.toString (pkgs.writeShellScript "update-${strAttrPath}" ''
-              export UPDATE_NIX_NAME=${pkg.name}
-              export UPDATE_NIX_PNAME=${pkg.pname}
-              export UPDATE_NIX_OLD_VERSION=${pkg.version}
-              export UPDATE_NIX_ATTR_PATH=${strAttrPath}
-              ${command}
-            '');
-          };
-          mkUpdatersNoAliases = opts: basePath: pkgs.lib.concatMapAttrs
-            (name: pkg:
-              if pkg.recurseForDerivations or false then {
-                "${name}" = mkUpdaters opts (basePath ++ [ name ]);
-              } else if pkg.updateScript or null != null then {
-                "${name}" = mkUpdater (basePath ++ [ name ]);
-              } else {}
-            )
-            (pkgs.lib.getAttrFromPath basePath sanePkgs);
-          mkUpdaters = { ignore ? [], flakePrefix ? [] }@opts: basePath:
-            let
-              updaters = mkUpdatersNoAliases opts basePath;
-              invokeUpdater = name: pkg:
-                let
-                  fullPath = basePath ++ [ name ];
-                  doUpdateByDefault = !builtins.elem fullPath ignore;
-
-                  # in case `name` has a `.` in it, we have to quote it
-                  escapedPath = builtins.map (p: ''"${p}"'') fullPath;
-                  updatePath = builtins.concatStringsSep "." (flakePrefix ++ escapedPath);
-                in pkgs.lib.optionalString doUpdateByDefault (
-                  pkgs.lib.escapeShellArgs [
-                    "nix" "run" ".#${updatePath}"
-                  ]
-                );
-            in {
-              type = "app";
-              # top-level app just invokes the updater of everything one layer below it
-              program = builtins.toString (pkgs.writeShellScript
-                (builtins.concatStringsSep "-" (flakePrefix ++ basePath))
-                (builtins.concatStringsSep
-                  "\n"
-                  (pkgs.lib.mapAttrsToList invokeUpdater updaters)
-                )
-              );
-            } // updaters;
-        in {
-          help = {
-            type = "app";
-            program = let
-              helpMsg = builtins.toFile "nixos-config-help-message" ''
-                commands:
-                - `nix run '.#help'`
-                  - show this message
-                - `nix run '.#update.pkgs'`
-                  - updates every package
-                - `nix run '.#update.feeds'`
-                  - updates metadata for all feeds
-                - `nix run '.#init-feed' <url>`
-                - `nix run '.#deploy.{desko,lappy,moby,servo}[-light][.test]' [nixos-rebuild args ...]`
-                - `nix run '.#check'`
-                  - make sure all systems build; NUR evaluates
-
-                specific build targets of interest:
-                - `nix build '.#imgs.rescue'`
-              '';
-            in builtins.toString (pkgs.writeShellScript "nixos-config-help" ''
-              cat ${helpMsg}
-              echo ""
-              echo "complete flake structure:"
-              nix flake show --option allow-import-from-derivation true
-            '');
-          };
-          # wrangle some names to get package updaters which refer back into the flake, but also conditionally ignore certain paths (e.g. sane.feeds).
-          # TODO: better design
-          update = rec {
-            _impl.pkgs.sane = mkUpdaters { flakePrefix = [ "update" "_impl" "pkgs" ]; ignore = [ [ "sane" "feeds" ] ]; } [ "sane" ];
-            pkgs = _impl.pkgs.sane;
-            _impl.feeds.sane.feeds = mkUpdaters { flakePrefix = [ "update" "_impl" "feeds" ]; } [ "sane" "feeds" ];
-            feeds = _impl.feeds.sane.feeds;
-          };
-
-          init-feed = {
-            type = "app";
-            program = "${pkgs.feeds.init-feed}";
-          };
-
-          deploy = {
-            lappy       = deployApp "lappy"       "lappy" "switch";
-            lappy-light = deployApp "lappy-light" "lappy" "switch";
-            moby        = deployApp "moby"        "moby"  "switch";
-            moby-light  = deployApp "moby-light"  "moby"  "switch";
-            moby-test   = deployApp "moby"        "moby"  "test";
-            servo       = deployApp "servo"       "servo" "switch";
-          };
-
-          sync = {
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "sync-all" ''
-              RC_lappy=$(nix run '.#sync.lappy' -- "$@")
-              RC_moby=$(nix run '.#sync.moby' -- "$@")
-              RC_desko=$(nix run '.#sync.desko' -- "$@")
-
-              echo "lappy: $RC_lappy"
-              echo "moby: $RC_moby"
-              echo "desko: $RC_desko"
-            '');
-          };
-
-          sync.desko = {
-            # copy music from servo to desko
-            # can run this from any device that has ssh access to desko and servo
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "sync-to-desko" ''
-              sudo mount /mnt/desko-home
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compat /mnt/servo-media/Music /mnt/desko-home/Music "$@"
-            '');
-          };
-
-          sync.lappy = {
-            # copy music from servo to lappy
-            # can run this from any device that has ssh access to lappy and servo
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "sync-to-lappy" ''
-              sudo mount /mnt/lappy-home
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat /mnt/servo-media/Music /mnt/lappy-home/Music "$@"
-            '');
-          };
-
-          sync.moby = {
-            # copy music from servo to moby
-            # can run this from any device that has ssh access to moby and servo
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "sync-to-moby" ''
-              sudo mount /mnt/moby-home
-              # N.B.: limited by network/disk -> reduce job count to improve pause/resume behavior
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat --jobs 4 /mnt/servo-media/Music /mnt/moby-home/Music "$@"
-            '');
-          };
-
-          check = {
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "check-all" ''
-              nix run '.#check.nur'
-              RC0=$?
-              nix run '.#check.hostConfigs'
-              RC1=$?
-              nix run '.#check.rescue'
-              RC2=$?
-              echo "nur: $RC0"
-              echo "hostConfigs: $RC1"
-              echo "rescue: $RC2"
-              exit $(($RC0 | $RC1 | $RC2))
-            '');
-          };
-
-          check.nur = {
-            # `nix run '.#check-nur'`
-            # validates that my repo can be included in the Nix User Repository
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "check-nur" ''
-              cd ${./.}/integrations/nur
-              NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
-                --allowed-uris https://static.rust-lang.org \
-                --option restrict-eval true \
-                --option allow-import-from-derivation true \
-                --drv-path --show-trace \
-                -I nixpkgs=${nixpkgs-unpatched} \
-                -I ../../ \
-                | tee  # tee to prevent interactive mode
-            '');
-          };
-
-          check.hostConfigs = {
-            type = "app";
-            program = let
-              checkHost = host: let
-                shellHost = pkgs.lib.replaceStrings [ "-" ] [ "_" ] host;
-              in ''
-                nix build -v '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./result-${host} -j2 "$@"
-                RC_${shellHost}=$?
-              '';
-            in builtins.toString (pkgs.writeShellScript
-              "check-host-configs"
-              ''
-                # build minimally-usable hosts first, then their full image.
-                # this gives me a minimal image i can deploy or copy over, early.
-                ${checkHost "desko-light"}
-                ${checkHost "moby-light"}
-                ${checkHost "lappy-light"}
-
-                ${checkHost "desko"}
-                ${checkHost "lappy"}
-                ${checkHost "servo"}
-                ${checkHost "moby"}
-                ${checkHost "rescue"}
-
-                # still want to build the -light variants first so as to avoid multiple simultaneous webkitgtk builds
-                ${checkHost "desko-light-next"}
-                ${checkHost "moby-light-next"}
-
-                ${checkHost "desko-next"}
-                ${checkHost "lappy-next"}
-                ${checkHost "servo-next"}
-                ${checkHost "moby-next"}
-                ${checkHost "rescue-next"}
-
-                echo "desko: $RC_desko"
-                echo "lappy: $RC_lappy"
-                echo "servo: $RC_servo"
-                echo "moby: $RC_moby"
-                echo "rescue: $RC_rescue"
-
-                echo "desko-next: $RC_desko_next"
-                echo "lappy-next: $RC_lappy_next"
-                echo "servo-next: $RC_servo_next"
-                echo "moby-next: $RC_moby_next"
-                echo "rescue-next: $RC_rescue_next"
-
-                # i don't really care if the -next hosts fail. i build them mostly to keep the cache fresh/ready
-                exit $(($RC_desko | $RC_lappy | $RC_servo | $RC_moby | $RC_rescue))
-              ''
-            );
-          };
-
-          check.rescue = {
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "check-rescue" ''
-              nix build -v '.#imgs.rescue' --out-link ./result-rescue-img -j2
-            '');
-          };
-        };
-
-      templates = {
-        env.python-data = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#env.python-data'`
-          # then enter with:
-          # - `nix develop`
-          path = ./templates/env/python-data;
-          description = "python environment for data processing";
-        };
-        pkgs.rust-inline = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.rust-inline'`
-          path = ./templates/pkgs/rust-inline;
-          description = "rust package and development environment (inline rust sources)";
-        };
-        pkgs.rust = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.rust'`
-          path = ./templates/pkgs/rust;
-          description = "rust package fit to ship in nixpkgs";
-        };
-        pkgs.make = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.make'`
-          path = ./templates/pkgs/make;
-          description = "default Makefile-based derivation";
-        };
-      };
-    };
-}
-

hosts/by-name/crappy/default.nix

@@ -0,0 +1,45 @@
+# Samsung chromebook XE303C12
+# - <https://wiki.postmarketos.org/wiki/Samsung_Chromebook_(google-snow)>
+{ ... }:
+{
+  imports = [
+    ./fs.nix
+  ];
+
+  sane.hal.samsung.enable = true;
+  sane.roles.client = true;
+  # sane.roles.pc = true;
+
+  users.users.colin.initialPassword = "147147";
+  sane.programs.sway.enableFor.user.colin = true;
+
+  sane.programs.calls.enableFor.user.colin = false;
+  sane.programs.consoleMediaUtils.enableFor.user.colin = true;
+  sane.programs.epiphany.enableFor.user.colin = true;
+  sane.programs."gnome.geary".enableFor.user.colin = false;
+  # sane.programs.firefox.enableFor.user.colin = true;
+  sane.programs.portfolio-filemanager.enableFor.user.colin = true;
+  sane.programs.signal-desktop.enableFor.user.colin = false;
+  sane.programs.wike.enableFor.user.colin = true;
+
+  sane.programs.dino.config.autostart = false;
+  sane.programs.dissent.config.autostart = false;
+  sane.programs.fractal.config.autostart = false;
+  sane.programs.sway.config.mod = "Mod1";  #< alt key instead of Super
+
+  # sane.programs.guiApps.enableFor.user.colin = false;
+
+  # sane.programs.pcGuiApps.enableFor.user.colin = false;  #< errors!
+
+  sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
+  # sane.programs.brave.enableFor.user.colin = false;  # 2024/06/03: fails eval if enabled on cross
+  # sane.programs.firefox.enableFor.user.colin = false;  # 2024/06/03: this triggers an eval error in yarn stuff -- i'm doing IFD somewhere!!?
+  sane.programs.mepo.enableFor.user.colin = false;  # 2024/06/04: doesn't cross compile (nodejs)
+  sane.programs.mercurial.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.nixpkgs-review.enableFor.user.colin = false;  # 2024/06/03: OOMs when cross compiling
+  sane.programs.ntfy-sh.enableFor.user.colin = false;  # 2024/06/04: doesn't cross compile (nodejs)
+  sane.programs.pwvucontrol.enableFor.user.colin = false;  # 2024/06/03: doesn't cross compile (libspa-sys)
+  sane.programs."sane-scripts.bt-search".enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.sequoia.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.zathura.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+}

hosts/by-name/crappy/fs.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/55555555-0303-0c12-86df-eda9e9311526";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/303C-5A37";
+    fsType = "vfat";
+  };
+}

hosts/by-name/desko/default.nix

@@ -1,52 +1,50 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
   imports = [
     ./fs.nix
   ];
 
+  sane.services.trust-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable trust-dns
+  # sane.programs.devPkgs.enableFor.user.colin = true;
   # sane.guest.enable = true;
 
-  # services.distccd.enable = true;
-  # sane.programs.distcc.enableFor.user.guest = true;
-
-  # TODO: remove emulation, but need to fix nixos-rebuild to moby for that.
-  # sane.roles.build-machine.emulation = true;
+  # don't enable wifi by default: it messes with connectivity.
+  # systemd.services.iwd.enable = false;
+  # systemd.services.wpa_supplicant.enable = false;
+  sane.programs.wpa_supplicant.enableFor.user.colin = lib.mkForce false;
+  sane.programs.wpa_supplicant.enableFor.system = lib.mkForce false;
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
-  sane.ports.openFirewall = true;  # for e.g. nix-serve
-
   sane.roles.build-machine.enable = true;
   sane.roles.client = true;
   sane.roles.dev-machine = true;
   sane.roles.pc = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
+  sane.ovpn.addrV4 = "172.26.55.21";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:20c1:a73c";
   sane.services.duplicity.enable = true;
-  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
 
-  sane.nixcache.substituters.desko = false;
   sane.nixcache.remote-builders.desko = false;
 
-  sane.gui.sway.enable = true;
+  sane.programs.sway.enableFor.user.colin = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;
   sane.programs.steam.enableFor.user.colin = true;
 
-  # sane.programs.devPkgs.enableFor.user.colin = true;
-
-  sane.programs.signal-desktop.config.autostart = true;
   sane.programs."gnome.geary".config.autostart = true;
+  sane.programs.signal-desktop.config.autostart = true;
+
+  sane.programs.nwg-panel.config = {
+    battery = false;
+    brightness = false;
+  };
 
-  boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
 
-  # don't enable wifi by default: it messes with connectivity.
-  systemd.services.iwd.enable = false;
-  systemd.services.wpa_supplicant.enable = false;
-
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
   #   - hourly snapshots
@@ -58,7 +56,4 @@
     # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
     ALLOW_USERS = [ "colin" ];
   };
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }

hosts/by-name/desko/fs.nix

@@ -6,7 +6,6 @@
   fileSystems."/tmp".options = [ "size=64G" ];
 
   fileSystems."/nix" = {
-    # device = "/dev/disk/by-uuid/0ab0770b-7734-4167-88d9-6e4e20bb2a56";
     device = "/dev/disk/by-uuid/845d85bf-761d-431b-a406-e6f20909154f";
     fsType = "btrfs";
     options = [
@@ -16,7 +15,6 @@
   };
 
   fileSystems."/boot" = {
-    # device = "/dev/disk/by-uuid/41B6-BAEF";
     device = "/dev/disk/by-uuid/5049-9AFD";
     fsType = "vfat";
   };

hosts/by-name/lappy/default.nix

@@ -2,7 +2,6 @@
 {
   imports = [
     ./fs.nix
-    ./polyfill.nix
   ];
 
   sane.roles.client = true;
@@ -10,13 +9,17 @@
   sane.roles.pc = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
+  sane.ovpn.addrV4 = "172.23.119.72";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:0332:aa96/128";
 
   # sane.guest.enable = true;
-  sane.gui.sway.enable = true;
-  boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sane.programs.stepmania.enableFor.user.colin = true;
+  sane.programs.sway.enableFor.user.colin = true;
+
+  sane.programs."gnome.geary".config.autostart = true;
+  sane.programs.signal-desktop.config.autostart = true;
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
@@ -30,7 +33,4 @@
     SUBVOLUME = "/nix";
     ALLOW_USERS = [ "colin" ];
   };
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }

hosts/by-name/lappy/fs.nix

@@ -14,24 +14,4 @@
     device = "/dev/disk/by-uuid/BD79-D6BB";
     fsType = "vfat";
   };
-
-  # fileSystems."/nix" = {
-  #   device = "/dev/disk/by-uuid/5a7fa69c-9394-8144-a74c-6726048b129f";
-  #   fsType = "btrfs";
-  # };
-
-  # fileSystems."/boot" = {
-  #   device = "/dev/disk/by-uuid/4302-1685";
-  #   fsType = "vfat";
-  # };
-
-  # fileSystems."/" = {
-  #   device = "none";
-  #   fsType = "tmpfs";
-  #   options = [
-  #     "mode=755"
-  #     "size=1G"
-  #     "defaults"
-  #   ];
-  # };
 }

hosts/by-name/lappy/polyfill.nix

@@ -1,42 +0,0 @@
-# doesn't actually *enable* anything,
-# but sets up any modules such that if they *were* enabled, they'll act as expected.
-{ pkgs, ... }:
-{
-  sane.gui.sxmo = {
-    greeter = "greetd-sway-gtkgreet";
-    noidle = true;  #< power button requires 1s hold, which makes it impractical to be dealing with.
-    settings = {
-      # XXX: make sure the user is part of the `input` group!
-      SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-id/usb-Wacom_Co._Ltd._Pen_and_multitouch_sensor-event-if00";
-      # these identifiers are from `swaymsg -t get_inputs`
-      SXMO_VOLUME_BUTTON = "1:1:AT_Translated_Set_2_keyboard";
-      # SXMO_VOLUME_BUTTON = "none";
-      # N.B.: thinkpad's power button requires a full second press to do anything
-      SXMO_POWER_BUTTON = "0:1:Power_Button";
-      # SXMO_POWER_BUTTON = "none";
-      SXMO_DISABLE_LEDS = "1";
-      SXMO_UNLOCK_IDLE_TIME = "120";  # default
-      # sxmo tries to determine device type from /proc/device-tree/compatible,
-      # but that doesn't seem to exist on NixOS?  (or maybe it just doesn't exist
-      # on non-aarch64 builds).
-      # the device type informs (at least):
-      # - SXMO_WIFI_MODULE
-      # - SXMO_RTW_SCAN_INTERVAL
-      # - SXMO_TOUCHSCREEN_ID
-      # - SXMO_MONITOR
-      # - SXMO_ALSA_CONTROL_NAME
-      # - SXMO_SWAY_SCALE
-      # see <repo:mil/sxmo-utils:scripts/deviceprofiles>
-      # SXMO_DEVICE_NAME = "pine64,pinephone-1.2";
-      # if sxmo doesn't know the device, it can't decide whether to use one_button or three_button mode
-      #   and so it just wouldn't handle any button inputs (sxmo_hook_inputhandler.sh not on path)
-      SXMO_DEVICE_NAME = "three_button_touchscreen";
-    };
-    package = (pkgs.sxmo-utils.override { preferSystemd = true; }).overrideAttrs (base: {
-      postPatch = (base.postPatch or "") + ''
-        # after volume-button navigation mode, restore full keyboard functionality
-        cp ${./xkb_mobile_normal_buttons} ./configs/xkb/xkb_mobile_normal_buttons
-      '';
-    });
-  };
-}

hosts/by-name/lappy/xkb_mobile_normal_buttons

@@ -1,7 +0,0 @@
-xkb_keymap {
-	xkb_keycodes  { include "evdev+aliases(qwerty)"	};
-	xkb_types     { include "complete"	};
-	xkb_compat    { include "complete"	};
-	xkb_symbols   { include "pc+us+inet(evdev)"	};
-	xkb_geometry  { include "pc(pc105)"	};
-};

hosts/by-name/moby/bootloader.nix

@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-{
-  # we need space in the GPT header to place tow-boot.
-  # only actually need 1 MB, but better to over-allocate than under-allocate
-  sane.image.extraGPTPadding = 16 * 1024 * 1024;
-  sane.image.firstPartGap = 0;
-  system.build.img = pkgs.runCommand "nixos_full-disk-image.img" {} ''
-    cp -v ${config.system.build.img-without-firmware}/nixos.img $out
-    chmod +w $out
-    dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
-  '';
-}

hosts/by-name/moby/default.nix

@@ -1,7 +1,4 @@
 # Pinephone
-# other setups to reference:
-# - <https://hamblingreen.gitlab.io/2022/03/02/my-pinephone-setup.html>
-#   - sxmo Arch user. lots of app recommendations
 #
 # wikis, resources, ...:
 # - Linux Phone Apps: <https://linuxphoneapps.org/>
@@ -12,30 +9,28 @@
 { config, pkgs, lib, ... }:
 {
   imports = [
-    ./bootloader.nix
     ./fs.nix
-    ./gps.nix
-    ./kernel.nix
-    ./polyfill.nix
   ];
 
+  sane.hal.pine64.enable = true;
   sane.roles.client = true;
   sane.roles.handheld = true;
-  sane.zsh.showDeadlines = false;  # unlikely to act on them when in shell
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
+  sane.ovpn.addrV4 = "172.24.87.255";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:18cd:a72b";
 
   # XXX colin: phosh doesn't work well with passwordless login,
   # so set this more reliable default password should anything go wrong
   users.users.colin.initialPassword = "147147";
-  services.getty.autologinUser = "root";  # allows for emergency maintenance?
+  # services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
-  sane.gui.sxmo.enable = true;
-  # sane.programs.consoleUtils.enableFor.user.colin = false;
-  # sane.programs.guiApps.enableFor.user.colin = false;
+  sane.programs.sway.enableFor.user.colin = true;
+  sane.programs.sway.config.mod = "Mod1";  #< alt key instead of Super
   sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
+  sane.programs.fcitx5.enableFor.user.colin = false;  # does not cross compile
   sane.programs.mercurial.enableFor.user.colin = false;  # does not cross compile
   sane.programs.nvme-cli.enableFor.system = false;  # does not cross compile (libhugetlbfs)
 
@@ -45,27 +40,12 @@
 
   # sane.programs.ntfy-sh.config.autostart = true;
   sane.programs.dino.config.autostart = true;
-  sane.programs.signal-desktop.config.autostart = true;
+  # sane.programs.signal-desktop.config.autostart = true;  # TODO: enable once electron stops derping.
   # sane.programs."gnome.geary".config.autostart = true;
   # sane.programs.calls.config.autostart = true;
-  sane.programs.mpv.config.vo = "wlshm";  #< see hosts/common/programs/mpv.nix for details
 
-  sane.programs.firefox.mime.priority = 300;  # prefer other browsers when possible
-  # HACK/TODO: make `programs.P.env.VAR` behave according to `mime.priority`
-  sane.programs.firefox.env = lib.mkForce {};
-  sane.programs.epiphany.env.BROWSER = "epiphany";
-
-  # note the .conf.d approach: using ~/.config/pipewire/pipewire.conf directly breaks all audio,
-  # presumably because that deletes the defaults entirely whereas the .conf.d approach selectively overrides defaults
-  sane.user.fs.".config/pipewire/pipewire.conf.d/10-fix-dino-mic-cutout.conf".symlink.text = ''
-    # config docs: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-PipeWire#properties>
-    # useful to run `pw-top` to see that these settings are actually having effect,
-    # and `pw-metadata` to see if any settings conflict (e.g. max-quantum < min-quantum)
-    #
-    # restart pipewire after editing these files:
-    # - `systemctl --user restart pipewire`
-    # - pipewire users will likely stop outputting audio until they are also restarted
-    #
+  sane.programs.pipewire.config = {
+    # tune so Dino doesn't drop audio
     # there's seemingly two buffers for the mic (see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/FAQ#pipewire-buffering-explained>)
     # 1. Pipewire buffering out of the driver and into its own member.
     # 2. Pipewire buffering into Dino.
@@ -76,97 +56,11 @@
     # `pw-metadata -n settings 0 clock.force-quantum 1024` reduces to about 1 error per second.
     # `pw-metadata -n settings 0 clock.force-quantum 2048` reduces to 1 error every < 10s.
     # pipewire default config includes `clock.power-of-two-quantum = true`
-    context.properties = {
-      default.clock.min-quantum = 2048
-      default.clock.max-quantum = 8192
-    }
-  '';
+    min-quantum = 2048;
+    max-quantum = 8192;
+  };
 
-  boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.
   # even 10 can be too much
   boot.loader.generic-extlinux-compatible.configurationLimit = 8;
-  # mobile.bootloader.enable = false;
-  # mobile.boot.stage-1.enable = false;
-  # boot.initrd.systemd.enable = false;
-  # boot.initrd.services.swraid.enable = false;  # attempt to fix dm_mod stuff
-
-  # hardware.firmware makes the referenced files visible to the kernel, for whenever a driver explicitly asks for them.
-  # these files are visible from userspace by following `/sys/module/firmware_class/parameters/path`
-  #
-  # mobile-nixos' /lib/firmware includes:
-  #   rtl_bt          (bluetooth)
-  #   anx7688-fw.bin  (USB-C chip: power negotiation, HDMI/dock)
-  #   ov5640_af.bin   (camera module)
-  # hardware.firmware = [ config.mobile.device.firmware ];
-  # hardware.firmware = [ pkgs.rtl8723cs-firmware ];
-  hardware.firmware = [
-    (pkgs.linux-firmware-megous.override {
-      # rtl_bt = false probably means no bluetooth connectivity.
-      # N.B.: DON'T RE-ENABLE without first confirming that wake-on-lan works during suspend (rtcwake).
-      # it seems the rtl_bt stuff ("bluetooth coexist") might make wake-on-LAN radically more flaky.
-      rtl_bt = false;
-    })
-  ];
-
-  system.stateVersion = "21.11";
-
-  # defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
-  # XXX colin: not sure which, if any, software makes use of this
-  environment.etc."machine-info".text = ''
-    CHASSIS="handset"
-  '';
-
-  # enable rotation sensor
-  hardware.sensor.iio.enable = true;
-
-  # inject specialized alsa configs via the environment.
-  # specifically, this gets the pinephone headphones & internal earpiece working.
-  # see pkgs/patched/alsa-ucm-conf for more info.
-  environment.variables.ALSA_CONFIG_UCM2 = "/run/current-system/sw/share/alsa/ucm2";
-  environment.pathsToLink = [ "/share/alsa/ucm2" ];
-  environment.systemPackages = [
-    (pkgs.alsa-ucm-conf-sane.override {
-      # internal speaker has a tendency to break :(
-      preferEarpiece = true;
-    })
-  ];
-  systemd = let
-    ucm-env = config.environment.variables.ALSA_CONFIG_UCM2;
-  in {
-    # cribbed from <repo:nixos/mobile-nixos:modules/quirks/audio.nix>
-
-    # pipewire
-    user.services.pipewire.environment.ALSA_CONFIG_UCM2       = ucm-env;
-    user.services.pipewire-pulse.environment.ALSA_CONFIG_UCM2 = ucm-env;
-    user.services.wireplumber.environment.ALSA_CONFIG_UCM2    = ucm-env;
-    services.pipewire.environment.ALSA_CONFIG_UCM2            = ucm-env;
-    services.pipewire-pulse.environment.ALSA_CONFIG_UCM2      = ucm-env;
-    services.wireplumber.environment.ALSA_CONFIG_UCM2         = ucm-env;
-
-    # pulseaudio
-    # user.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = ucm-env;
-    # services.pulseaudio.environment.ALSA_CONFIG_UCM2      = ucm-env;
-
-
-    # TODO: move elsewhere...
-    services.ModemManager.serviceConfig = {
-      # N.B.: the extra "" in ExecStart serves to force upstream ExecStart to be ignored
-      ExecStart = [ "" "${pkgs.modemmanager}/bin/ModemManager --debug" ];
-      # --debug sets DEBUG level logging: so reset
-      ExecStartPost = [ "${pkgs.modemmanager}/bin/mmcli --set-logging=INFO" ];
-    };
-  };
-
-  services.udev.extraRules = let
-    chmod = "${pkgs.coreutils}/bin/chmod";
-    chown = "${pkgs.coreutils}/bin/chown";
-  in ''
-    # make Pinephone flashlight writable by user.
-    # taken from postmarketOS: <repo:postmarketOS/pmaports:device/main/device-pine64-pinephone/60-flashlight.rules>
-    SUBSYSTEM=="leds", DEVPATH=="*/*:flash", RUN+="${chmod} g+w /sys%p/brightness /sys%p/flash_strobe", RUN+="${chown} :video /sys%p/brightness /sys%p/flash_strobe"
-
-    # make Pinephone front LEDs writable by user.
-    SUBSYSTEM=="leds", DEVPATH=="*/*:indicator", RUN+="${chmod} g+w /sys%p/brightness", RUN+="${chown} :video /sys%p/brightness"
-  '';
 }

hosts/by-name/moby/gps.nix

@@ -1,69 +0,0 @@
-# pinephone GPS happens in EG25 modem
-# serial control interface to modem is /dev/ttyUSB2
-# after enabling GPS, readout is /dev/ttyUSB1
-#
-# minimal process to enable modem and GPS:
-# - `echo 1 > /sys/class/modem-power/modem-power/device/powered`
-# - `screen /dev/ttyUSB2 115200`
-#   - `AT+QGPSCFG="nmeasrc",1`
-#   - `AT+QGPS=1`
-# this process is automated by my `eg25-control` program and services (`eg25-control-powered`, `eg25-control-gps`)
-# - see the `modules/` directory further up this repository.
-#
-# now, something like `gpsd` can directly read from /dev/ttyUSB1,
-# or geoclue can query the GPS directly through modem-manager
-#
-# initial GPS fix can take 15+ minutes.
-# meanwhile, services like eg25-manager or eg25-control-freshen-agps can speed this up by uploading assisted GPS data to the modem.
-#
-# support/help:
-# - geoclue, gnome-maps
-#   - irc: #gnome-maps on irc.gimp.org
-#   - Matrix: #gnome-maps:gnome.org  (unclear if bridged to IRC)
-#
-# programs to pair this with:
-# - `satellite-gtk`: <https://codeberg.org/tpikonen/satellite>
-#   - shows/tracks which satellites the GPS is connected to; useful to understand fix characteristics
-# - `gnome-maps`: uses geoclue, has route planning
-# - `mepo`: uses gpsd, minimalist, flaky, and buttons are kinda hard to activate on mobile
-# - puremaps?
-# - osmin?
-#
-# known/outstanding bugs:
-# - `systemctl start eg25-control-gps` can the hang the whole system (2023/10/06)
-#   - i think it's actually `eg25-control-powered` which does this (started by the gps)
-#   - best guess is modem draws so much power at launch that other parts of the system see undervoltage
-#   - workaround is to hard power-cycle the system. the modem may not bring up after reboot: leave unpowered for 60s and boot again.
-#
-# future work:
-# - integrate with [wigle](https://www.wigle.net/) for offline equivalent to Mozilla Location Services
-
-{ config, lib, ... }:
-{
-  # test gpsd with `gpspipe -w -n 10 2> /dev/null | grep -m 1 TPV | jq '.lat, .lon' | tr '\n' ' '`
-  # ^ should return <lat> <long>
-  services.gpsd.enable = true;
-  services.gpsd.devices = [ "/dev/ttyUSB1" ];
-
-  # test geoclue2 by building `geoclue2-with-demo-agent`
-  # and running "${geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/where-am-i"
-  # note that geoclue is dbus-activated, and auto-stops after 60s with no caller
-  services.geoclue2.enable = true;
-  services.geoclue2.appConfig.where-am-i = {
-    # this is the default "agent", shipped by geoclue package: allow it to use location
-    isAllowed = true;
-    isSystem = false;
-    # XXX: setting users != [] might be causing `where-am-i` to time out
-    users = [
-      # restrict to only one set of users. empty array (default) means "allow any user to access geolocation".
-      (builtins.toString config.users.users.colin.uid)
-    ];
-  };
-  systemd.services.geoclue.after = lib.mkForce [];  #< defaults to network-online, but not all my sources require network
-  users.users.geoclue.extraGroups = [
-    "dialout"  # TODO: figure out if dialout is required. that's for /dev/ttyUSB1, but geoclue probably doesn't read that?
-  ];
-
-  sane.services.eg25-control.enable = true;
-  sane.programs.where-am-i.enableFor.user.colin = true;
-}

hosts/by-name/moby/kernel.nix

@@ -1,90 +0,0 @@
-{ pkgs, ... }:
-let
-  dmesg = "${pkgs.util-linux}/bin/dmesg";
-  grep = "${pkgs.gnugrep}/bin/grep";
-  modprobe = "${pkgs.kmod}/bin/modprobe";
-  ensureHWReady = ''
-    # common boot failure:
-    # blank screen (no backlight even), with the following log:
-    # ```syslog
-    # sun8i-dw-hdmi 1ee0000.hdmi: Couldn't get the HDMI PHY
-    # ...
-    # sun4i-drm display-engine: Couldn't bind all pipelines components
-    # ...
-    # sun8i-dw-hdmi: probe of 1ee0000.hdmi failed with error -17
-    # ```
-    #
-    # in particular, that `probe ... failed` occurs *only* on failed boots
-    # (the other messages might sometimes occur even on successful runs?)
-    #
-    # reloading the sun8i hdmi driver usually gets the screen on, showing boot text.
-    # then restarting display-manager.service gets us to the login.
-    #
-    # NB: the above log is default level. though less specific, there's a `err` level message that also signals this:
-    # sun4i-drm display-engine: failed to bind 1ee0000.hdmi (ops sun8i_dw_hdmi_ops [sun8i_drm_hdmi]): -17
-    # NB: this is the most common, but not the only, failure mode for `display-manager`.
-    # another error seems characterized by these dmesg logs, in which reprobing sun8i_drm_hdmi does not fix:
-    # ```syslog
-    # sun6i-mipi-dsi 1ca0000.dsi: Couldn't get the MIPI D-PHY
-    # sun4i-drm display-engine: Couldn't bind all pipelines components
-    # sun6i-mipi-dsi 1ca0000.dsi: Couldn't register our component
-    # ```
-
-    if (${dmesg} --kernel --level err --color=never --notime | ${grep} -q 'sun4i-drm display-engine: failed to bind 1ee0000.hdmi')
-    then
-      echo "reprobing sun8i_drm_hdmi"
-      # if a command here fails it errors the whole service, so prefer to log instead
-      ${modprobe} -r sun8i_drm_hdmi || echo "failed to unload sun8i_drm_hdmi"
-      ${modprobe} sun8i_drm_hdmi || echo "failed to load sub8i_drm_hdmi"
-    fi
-  '';
-in
-{
-  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
-  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-manjaro;
-  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
-
-  # alternatively, apply patches directly to stock nixos kernel:
-  # boot.kernelPatches = manjaroPatches ++ [
-  #   (patchDefconfig kernelConfig)
-  # ];
-
-  # configure nixos to build a compressed kernel image, since it doesn't usually do that for aarch64 target.
-  # without this i run out of /boot space in < 10 generations
-  nixpkgs.hostPlatform.linux-kernel = {
-    # defaults:
-    name = "aarch64-multiplatform";
-    baseConfig = "defconfig";
-    DTB = true;
-    autoModules = true;
-    preferBuiltin = true;
-    # extraConfig = ...
-    # ^-- raspberry pi stuff: we don't need it.
-
-    # target = "Image";  # <-- default
-    target = "Image.gz";  # <-- compress the kernel image
-    # target = "zImage";  # <-- confuses other parts of nixos :-(
-  };
-
-  # disable proximity sensor.
-  # the filtering/calibration is bad that it causes the screen to go fully dark at times.
-  boot.blacklistedKernelModules = [ "stk3310" ];
-
-  boot.kernelParams = [
-    # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
-    # this is because they can't allocate enough video ram.
-    # see related nixpkgs issue: <https://github.com/NixOS/nixpkgs/issues/260222>
-    # TODO(2023/12/03): remove once mesa 23.3.1 lands: <https://github.com/NixOS/nixpkgs/pull/265740>
-    #
-    # the default CMA seems to be 32M.
-    # i was running fine with 256MB from 2022/07-ish through 2022/12-ish, but then the phone quit reliably coming back from sleep (phosh): maybe a memory leak?
-    # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
-    "cma=512M"
-    # 2023/10/20: potential fix for the lima (GPU) timeout bugs:
-    # - <https://gitlab.com/postmarketOS/pmaports/-/issues/805#note_890467824>
-    "lima.sched_timeout_ms=2000"
-  ];
-
-  services.xserver.displayManager.job.preStart = ensureHWReady;
-  systemd.services.greetd.preStart = ensureHWReady;
-}

hosts/by-name/moby/polyfill.nix

@@ -1,96 +0,0 @@
-# this file configures preferences per program, without actually enabling any programs.
-# the goal is to separate the place where we decide *what* to use (i.e. `sane.programs.firefox.enable = true` -- at the toplevel)
-# from where we specific how that thing should behave *if* it's in use.
-#
-# NixOS backgrounds:
-# - <https://github.com/NixOS/nixos-artwork>
-#   - <https://github.com/NixOS/nixos-artwork/issues/50>  (colorful; unmerged)
-#   - <https://github.com/NixOS/nixos-artwork/pull/60/files>  (desktop-oriented; clean; unmerged)
-# - <https://itsfoss.com/content/images/2023/04/nixos-tutorials.png>
-
-{ lib, pkgs, sane-lib, ... }:
-{
-  sane.programs.firefox.config = {
-    # compromise impermanence for the sake of usability
-    persistCache = "private";
-    persistData = "private";
-
-    # i don't do crypto stuff on moby
-    addons.ether-metamask.enable = false;
-    # sidebery UX doesn't make sense on small screen
-    addons.sidebery.enable = false;
-  };
-  sane.programs.swaynotificationcenter.config = {
-    backlight = "backlight";  # /sys/class/backlight/*backlight*/brightness
-  };
-
-  sane.gui.sxmo = {
-    nogesture = true;
-    settings = {
-      ### hardware: touch screen
-      SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-path/platform-1c2ac00.i2c-event";
-      # vol and power are detected correctly by upstream
-
-      ### preferences
-      DEFAULT_COUNTRY = "US";
-
-      SXMO_AUTOROTATE = "1";  # enable auto-rotation at launch. has no meaning in stock/upstream sxmo-utils
-
-      # BEMENU lines (wayland DMENU):
-      # - camera is 9th entry
-      # - flashlight is 10th entry
-      # - config is 14th entry. inside that:
-      #   - autorotate is 11th entry
-      #   - system menu is 19th entry
-      #   - close is 20th entry
-      # - power is 15th entry
-      # - close is 16th entry
-      SXMO_BEMENU_LANDSCAPE_LINES = "11";  # default 8
-      SXMO_BEMENU_PORTRAIT_LINES = "16";  # default 16
-      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff (default: 8)
-      # gravity: how far to tilt the device before the screen rotates
-      # for a given setting, normal <-> invert requires more movement then left <-> right
-      # i.e. the settingd doesn't feel completely symmetric
-      # SXMO_ROTATION_GRAVITY default is 16374
-      # SXMO_ROTATION_GRAVITY = "12800";  # uncomfortably high
-      # SXMO_ROTATION_GRAVITY = "12500";    # kinda uncomfortable when walking
-      SXMO_ROTATION_GRAVITY = "12000";
-      SXMO_SCREENSHOT_DIR = "/home/colin/Pictures";  # default: "$HOME"
-
-      # sway/wayland scaling:
-      # - conflicting info out there on how scaling actually works
-      #   at the least, for things where it matters (mpv), it seems like scale settings have 0 effect on perf
-      # ways to enforce scaling:
-      # - <https://wiki.archlinux.org/title/HiDPI>
-      # - `swaymsg -- output DSI-1 scale 2.0`  (scales everything)
-      # - `dconf write /org/gnome/desktop/interface/text-scaling-factor 2.0`  (scales ONLY TEXT)
-      # - `GDK_DPI_SCALE=2.0`  (scales ONLY TEXT)
-      #
-      # application notes:
-      # - cozy: in landscape, playback position is not visible unless scale <= 1.7
-      #   - if in a tab, then scale 1.6 is the max
-      # SXMO_SWAY_SCALE = "1.5";  # hard to press gPodder icons
-      SXMO_SWAY_SCALE = "1.6";
-      # SXMO_SWAY_SCALE = "1.8";
-      # SXMO_SWAY_SCALE = "2";
-      SXMO_WORKSPACE_WRAPPING = "5";  # how many workspaces. default: 4
-
-      # wvkbd layers:
-      # - full
-      # - landscape
-      # - special  (e.g. coding symbols like ~)
-      # - emoji
-      # - nav
-      # - simple  (like landscape, but no parens/tab/etc; even fewer chars)
-      # - simplegrid  (simple, but grid layout)
-      # - dialer  (digits)
-      # - cyrillic
-      # - arabic
-      # - persian
-      # - greek
-      # - georgian
-      WVKBD_LANDSCAPE_LAYERS = "landscape,special,emoji";
-      WVKBD_LAYERS = "full,special,emoji";
-    };
-  };
-}

hosts/by-name/rescue/default.nix

@@ -4,15 +4,11 @@
     ./fs.nix
   ];
 
-  boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
-  sane.persist.enable = false;
+  sane.persist.enable = false;  # what we mean here is that the image is immutable; `/` is still tmpfs.
   sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
 
   # auto-login at shell
   services.getty.autologinUser = "colin";
   # users.users.colin.initialPassword = "colin";
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }

hosts/by-name/servo/default.nix

@@ -15,20 +15,21 @@
   };
 
   sane.roles.build-machine.enable = true;
-  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
+  sane.programs.zsh.config.showDeadlines = false;  # ~/knowledge doesn't always exist
   sane.programs.consoleUtils.suggestedPrograms = [
     "consoleMediaUtils"  # notably, for go2tv / casting
     "pcConsoleUtils"
     "sane-scripts.stop-all-servo"
   ];
   sane.services.dyn-dns.enable = true;
+  sane.services.trust-dns.asSystemResolver = false;  # TODO: enable once it's all working well
   sane.services.wg-home.enable = true;
   sane.services.wg-home.visibleToWan = true;
   sane.services.wg-home.forwardToWan = true;
   sane.services.wg-home.routeThroughServo = false;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
-  sane.nixcache.substituters.servo = false;
-  sane.nixcache.substituters.desko = false;
+  sane.ovpn.addrV4 = "172.23.174.114";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:8df3:14b0";
   sane.nixcache.remote-builders.desko = false;
   sane.nixcache.remote-builders.servo = false;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
@@ -37,7 +38,6 @@
   # using root here makes sure we always have an escape hatch
   services.getty.autologinUser = "root";
 
-  boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   # both transmission and ipfs try to set different net defaults.
@@ -45,13 +45,5 @@
   boot.kernel.sysctl = {
     "net.core.rmem_max" = 4194304;  # 4MB
   };
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11";
 }
 

hosts/by-name/servo/fs.nix

@@ -8,6 +8,7 @@
 # - 1. identify disk IDs: `ls -l /dev/disk/by-id`
 # - 2. pool these disks: `zpool create -f -m legacy pool raidz ata-ST4000VN008-2DR166_WDH0VB45 ata-ST4000VN008-2DR166_WDH17616 ata-ST4000VN008-2DR166_WDH0VC8Q ata-ST4000VN008-2DR166_WDH17680`
 #   - legacy documented: <https://superuser.com/questions/790036/what-is-a-zfs-legacy-mount-point>
+# - 3. enable acl support: `zfs set acltype=posixacl pool`
 #
 # import pools: `zpool import pool`
 # show zfs datasets: `zfs list` (will be empty if haven't imported)
@@ -25,6 +26,7 @@
   # scrub all zfs pools weekly:
   services.zfs.autoScrub.enable = true;
   boot.extraModprobeConfig = ''
+    ### zfs_arc_max tunable:
     # ZFS likes to use half the ram for its own cache and let the kernel push everything else to swap.
     # so, reduce its cache size
     # see: <https://askubuntu.com/a/1290387>
@@ -33,7 +35,13 @@
     # for all tunables, see: `man 4 zfs`
     # to update these parameters without rebooting:
     # - `echo '4294967296' | sane-sudo-redirect /sys/module/zfs/parameters/zfs_arc_max`
-    options zfs zfs_arc_max=4294967296
+    ### zfs_bclone_enabled tunable
+    # this allows `cp --reflink=always FOO BAR` to work. i.e. shallow copies.
+    # it's unstable as of 2.2.3. led to *actual* corruption in 2.2.1, but hopefully better by now.
+    # - <https://github.com/openzfs/zfs/issues/405>
+    # note that `du -h` won't *always* show the reduced size for reflink'd files (?).
+    # `zpool get all | grep clone` seems to be the way to *actually* see how much data is being deduped
+    options zfs zfs_arc_max=4294967296 zfs_bclone_enabled=1
   '';
   # to be able to mount the pool like this, make sure to tell zfs to NOT manage it itself.
   # otherwise local-fs.target will FAIL and you will be dropped into a rescue shell.
@@ -43,6 +51,7 @@
   fileSystems."/mnt/pool" = {
     device = "pool";
     fsType = "zfs";
+    options = [ "acl" ];  #< not sure if this `acl` flag is actually necessary. it mounts without it.
   };
   # services.zfs.zed = ... # TODO: zfs can send me emails when disks fail
   sane.programs.sysadminUtils.suggestedPrograms = [ "zfs" ];
@@ -50,6 +59,7 @@
   sane.persist.stores."ext" = {
     origin = "/mnt/pool/persist";
     storeDescription = "external HDD storage";
+    defaultMethod = "bind";  #< TODO: change to "symlink"?
   };
 
   # increase /tmp space (defaults to 50% of RAM) for building large nix things.
@@ -81,59 +91,45 @@
   };
   sane.fs."/mnt/usb-hdd".mount = {};
 
-  sane.persist.sys.byStore.plaintext = [
-    # TODO: this is overly broad; only need media and share directories to be persisted
-    { user = "colin"; group = "users"; path = "/var/lib/uninsane"; }
-  ];
-  # force some problematic directories to always get correct permissions:
-  sane.fs."/var/lib/uninsane/media".dir.acl = {
-    user = "colin"; group = "media"; mode = "0775";
-  };
-  sane.fs."/var/lib/uninsane/media/archive".dir = {};
-  sane.fs."/var/lib/uninsane/media/archive/README.md".file.text = ''
+  # FIRST TIME SETUP FOR MEDIA DIRECTORY:
+  # - set the group stick bit: `sudo find /var/media -type d -exec chmod g+s {} +`
+  #   - this ensures new files/dirs inherit the group of their parent dir (instead of the user who creates them)
+  # - ensure everything under /var/media is mounted with `-o acl`, to support acls
+  # - ensure all files are rwx by group: `setfacl --recursive --modify d:g::rwx /var/media`
+  #   - alternatively, `d:g:media:rwx` to grant `media` group even when file has a different owner, but that's a bit complex
+  sane.persist.sys.byStore.ext = [{
+    path = "/var/media";
+    user = "colin";
+    group = "media";
+    mode = "0775";
+  }];
+  sane.fs."/var/media/archive".dir = {};
+  # this is file.text instead of symlink.text so that it may be read over a remote mount (where consumers might not have any /nix/store/.../README.md path)
+  sane.fs."/var/media/archive/README.md".file.text = ''
     this directory is for media i wish to remove from my library,
     but keep for a short time in case i reverse my decision.
     treat it like a system trash can.
   '';
-  sane.fs."/var/lib/uninsane/media/Books".dir = {};
-  sane.fs."/var/lib/uninsane/media/Books/Audiobooks".dir = {};
-  sane.fs."/var/lib/uninsane/media/Books/Books".dir = {};
-  sane.fs."/var/lib/uninsane/media/Books/Visual".dir = {};
-  sane.fs."/var/lib/uninsane/media/collections".dir = {};
-  sane.fs."/var/lib/uninsane/media/datasets".dir = {};
-  sane.fs."/var/lib/uninsane/media/freeleech".dir = {};
-  sane.fs."/var/lib/uninsane/media/Music".dir = {};
-  sane.fs."/var/lib/uninsane/media/Pictures".dir = {};
-  sane.fs."/var/lib/uninsane/media/Videos".dir = {};
-  sane.fs."/var/lib/uninsane/media/Videos/Film".dir = {};
-  sane.fs."/var/lib/uninsane/media/Videos/Shows".dir = {};
-  sane.fs."/var/lib/uninsane/media/Videos/Talks".dir = {};
+  sane.fs."/var/media/Books".dir = {};
+  sane.fs."/var/media/Books/Audiobooks".dir = {};
+  sane.fs."/var/media/Books/Books".dir = {};
+  sane.fs."/var/media/Books/Visual".dir = {};
+  sane.fs."/var/media/collections".dir = {};
+  # sane.fs."/var/media/datasets".dir = {};
+  sane.fs."/var/media/freeleech".dir = {};
+  sane.fs."/var/media/Music".dir = {};
+  sane.fs."/var/media/Pictures".dir = {};
+  sane.fs."/var/media/Videos".dir = {};
+  sane.fs."/var/media/Videos/Film".dir = {};
+  sane.fs."/var/media/Videos/Shows".dir = {};
+  sane.fs."/var/media/Videos/Talks".dir = {};
+
+  # this is file.text instead of symlink.text so that it may be read over a remote mount (where consumers might not have any /nix/store/.../README.md path)
   sane.fs."/var/lib/uninsane/datasets/README.md".file.text = ''
     this directory may seem redundant with ../media/datasets. it isn't.
     this directory exists on SSD, allowing for speedy access to specific datasets when necessary.
     the contents should be a subset of what's in ../media/datasets.
   '';
-  # make sure large media is stored to the HDD
-  sane.persist.sys.byStore.ext = [
-    {
-      user = "colin";
-      group = "users";
-      mode = "0777";
-      path = "/var/lib/uninsane/media/Videos";
-    }
-    {
-      user = "colin";
-      group = "users";
-      mode = "0777";
-      path = "/var/lib/uninsane/media/freeleech";
-    }
-    {
-      user = "colin";
-      group = "users";
-      mode = "0777";
-      path = "/var/lib/uninsane/media/datasets";
-    }
-  ];
 
   # btrfs doesn't easily support swapfiles
   # swapDevices = [

hosts/by-name/servo/net.nix

@@ -3,9 +3,19 @@
 let
   portOpts = with lib; types.submodule {
     options = {
-      visibleTo.ovpn = mkOption {
+      visibleTo.ovpns = mkOption {
         type = types.bool;
         default = false;
+        description = ''
+          whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
+        '';
+      };
+      visibleTo.doof = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port.
+        '';
       };
     };
   };
@@ -13,7 +23,7 @@ in
 {
   options = with lib; {
     sane.ports.ports = mkOption {
-      # add the `visibleTo.ovpn` option
+      # add the `visibleTo.{doof,ovpns}` options
       type = types.attrsOf portOpts;
     };
   };
@@ -24,18 +34,6 @@ in
     sane.ports.openFirewall = true;
     sane.ports.openUpnp = true;
 
-    # view refused packets with: `sudo journalctl -k`
-    # networking.firewall.logRefusedPackets = true;
-
-    # these useDHCP lines are legacy from the auto-generated config. might be safe to remove now?
-    networking.useDHCP = false;
-    networking.interfaces.eth0.useDHCP = true;
-    # XXX colin: probably don't need this. wlan0 won't be populated unless i touch a value in networking.interfaces.wlan0
-    networking.wireless.enable = false;
-
-    # this is needed to forward packets from the VPN to the host
-    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
     # unless we add interface-specific settings for each VPN, we have to define nameservers globally.
     # networking.nameservers = [
     #   "1.1.1.1"
@@ -50,37 +48,47 @@ in
     #   FallbackDNS=1.1.1.1 9.9.9.9
     # '';
 
+    # tun-sea config
+    sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
+    # sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";  #< TODO: enable IPv6
+    networking.wireguard.interfaces.wg-doof = {
+      privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
+      # wg is active only in this namespace.
+      # run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
+      #   sudo ip netns exec doof ping www.google.com
+      interfaceNamespace = "doof";
+      ips = [
+        "205.201.63.12"
+        # "2602:fce8:106::51/128"  #< TODO: enable IPv6
+      ];
+      peers = [
+        {
+          publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
+          # TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint
+          # endpoint = "tun-sea.doof.net:53263";
+          endpoint = "205.201.63.44:53263";
+          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+          persistentKeepalive = 25; #< keep the NAT alive
+        }
+      ];
+    };
+    sane.netns.doof.hostVethIpv4 = "10.0.2.5";
+    sane.netns.doof.netnsVethIpv4 = "10.0.2.6";
+    sane.netns.doof.netnsPubIpv4 = "205.201.63.12";
+    sane.netns.doof.routeTable = 12;
+
     # OVPN CONFIG (https://www.ovpn.com):
     # DOCS: https://nixos.wiki/wiki/WireGuard
     # if you `systemctl restart wireguard-wg-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
     # TODO: why not create the namespace as a seperate operation (nix config for that?)
     networking.wireguard.enable = true;
-    networking.wireguard.interfaces.wg-ovpns = let
-      ip = "${pkgs.iproute2}/bin/ip";
-      in-ns = "${ip} netns exec ovpns";
-      iptables = "${pkgs.iptables}/bin/iptables";
-      veth-host-ip = "10.0.1.5";
-      veth-local-ip = "10.0.1.6";
-      vpn-ip = "185.157.162.178";
-      # DNS = 46.227.67.134, 192.165.9.158, 2a07:a880:4601:10f0:cd45::1, 2001:67c:750:1:cafe:cd45::1
-      vpn-dns = "46.227.67.134";
-      bridgePort = port: proto: ''
-        ${in-ns} ${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${vpn-ip} \
-          -j DNAT --to-destination ${veth-host-ip}
-      '';
-      bridgeStatements = lib.foldlAttrs
-        (acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
-        []
-        config.sane.ports.ports;
-    in {
+    networking.wireguard.interfaces.wg-ovpns = {
       privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
       # wg is active only in this namespace.
       # run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
       #   sudo ip netns exec ovpns ping www.google.com
       interfaceNamespace = "ovpns";
-      ips = [
-        "185.157.162.178/32"
-      ];
+      ips = [ "185.157.162.178" ];
       peers = [
         {
           publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
@@ -98,99 +106,11 @@ in
           # dynamicEndpointRefreshRestartSeconds = 5;
         }
       ];
-      preSetup = ''
-        ${ip} netns add ovpns || echo "ovpns already exists"
-      '';
-      postShutdown = ''
-        ${in-ns} ip link del ovpns-veth-b || echo "couldn't delete ovpns-veth-b"
-        ${ip} link del ovpns-veth-a || echo "couldn't delete ovpns-veth-a"
-        ${ip} netns delete ovpns || echo "couldn't delete ovpns"
-        # restore rules/routes
-        ${ip} rule del from ${veth-host-ip} lookup ovpns pref 50 || echo "couldn't delete init -> ovpns rule"
-        ${ip} route del default via ${veth-local-ip} dev ovpns-veth-a proto kernel src ${veth-host-ip} metric 1002 table ovpns || echo "couldn't delete init -> ovpns route"
-        ${ip} rule add from all lookup local pref 0
-        ${ip} rule del from all lookup local pref 100
-      '';
-      postSetup = ''
-        # DOCS:
-        # - some of this approach is described here: <https://josephmuia.ca/2018-05-16-net-namespaces-veth-nat/>
-        # - iptables primer: <https://danielmiessler.com/study/iptables/>
-        # create veth pair
-        ${ip} link add ovpns-veth-a type veth peer name ovpns-veth-b
-        ${ip} addr add ${veth-host-ip}/24 dev ovpns-veth-a
-        ${ip} link set ovpns-veth-a up
-
-        # mv veth-b into the ovpns namespace
-        ${ip} link set ovpns-veth-b netns ovpns
-        ${in-ns} ip addr add ${veth-local-ip}/24 dev ovpns-veth-b
-        ${in-ns} ip link set ovpns-veth-b up
-
-        # make it so traffic originating from the host side of the veth
-        # is sent over the veth no matter its destination.
-        ${ip} rule add from ${veth-host-ip} lookup ovpns pref 50
-        # for traffic originating at the host veth to the WAN, use the veth as our gateway
-        # not sure if the metric 1002 matters.
-        ${ip} route add default via ${veth-local-ip} dev ovpns-veth-a proto kernel src ${veth-host-ip} metric 1002 table ovpns
-        # give the default route lower priority
-        ${ip} rule add from all lookup local pref 100
-        ${ip} rule del from all lookup local pref 0
-
-        # in order to access DNS in this netns, we need to route it to the VPN's nameservers
-        # - alternatively, we could fix DNS servers like 1.1.1.1.
-        ${in-ns} ${iptables} -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.53 \
-          -j DNAT --to-destination ${vpn-dns}:53
-      '' + (lib.concatStringsSep "\n" bridgeStatements);
     };
-
-    # create a new routing table that we can use to proxy traffic out of the root namespace
-    # through the ovpns namespace, and to the WAN via VPN.
-    networking.iproute2.rttablesExtraConfig = ''
-      5 ovpns
-    '';
-    networking.iproute2.enable = true;
-
-
-    # HURRICANE ELECTRIC CONFIG:
-    # networking.sits = {
-    #   hurricane = {
-    #     remote = "216.218.226.238";
-    #     local = "192.168.0.5";
-    #     # local = "10.0.0.5";
-    #     # remote = "10.0.0.1";
-    #     # local = "10.0.0.22";
-    #     dev = "eth0";
-    #     ttl = 255;
-    #   };
-    # };
-    # networking.interfaces."hurricane".ipv6 = {
-    #   addresses = [
-    #     # mx.uninsane.org (publically routed /64)
-    #     {
-    #       address = "2001:470:b:465::1";
-    #       prefixLength = 128;
-    #     }
-    #     # client addr
-    #     # {
-    #     #   address = "2001:470:a:466::2";
-    #     #   prefixLength = 64;
-    #     # }
-    #   ];
-    #   routes = [
-    #     {
-    #       address = "::";
-    #       prefixLength = 0;
-    #       # via = "2001:470:a:466::1";
-    #     }
-    #   ];
-    # };
-
-    # # after configuration, we want the hurricane device to look like this:
-    # # hurricane: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
-    # #            inet6 2001:470:a:450::2  prefixlen 64  scopeid 0x0<global>
-    # #            inet6 fe80::c0a8:16  prefixlen 64  scopeid 0x20<link>
-    # #            sit  txqueuelen 1000  (IPv6-in-IPv4)
-    # # test with:
-    # #   curl --interface hurricane http://[2607:f8b0:400a:80b::2004]
-    # #   ping 2607:f8b0:400a:80b::2004
+    sane.netns.ovpns.hostVethIpv4 = "10.0.1.5";
+    sane.netns.ovpns.netnsVethIpv4 = "10.0.1.6";
+    sane.netns.ovpns.netnsPubIpv4 = "185.157.162.178";
+    sane.netns.ovpns.routeTable = 11;
+    sane.netns.ovpns.dns = "46.227.67.134";  #< DNS requests inside the namespace are forwarded here
   };
 }

hosts/by-name/servo/services/calibre.nix

@@ -13,7 +13,7 @@ in
 lib.mkIf false
 {
   sane.persist.sys.byStore.plaintext = [
-    { inherit user group; mode = "0700"; path = svc-dir; }
+    { inherit user group; mode = "0700"; path = svc-dir; method = "bind"; }
   ];
 
   services.calibre-web.enable = true;
@@ -24,7 +24,7 @@ lib.mkIf false
   # services.calibre-web.options.calibreLibrary = svc-dir;
 
   services.nginx.virtualHosts."calibre.uninsane.org" = {
-    addSSL = true;
+    forceSSL = true;
     enableACME = true;
     locations."/" = {
       proxyPass = "http://${ip}:${builtins.toString port}";

hosts/by-name/servo/services/coturn.nix

@@ -24,50 +24,65 @@
 #   that is NOT the case when the STUN server and client A are on the same LAN
 #   even if client A contacts the STUN server via its WAN address with port reflection enabled.
 #   hence, there's no obvious way to put the STUN server on the same LAN as either client and expect the rest to work.
-{ lib, ... }:
+# - there an old version which *half worked*, which is:
+#   - run the turn server in the root namespace.
+#   - bind the turn server to the veth connecting it to the VPN namespace (so it sends outgoing traffic to the right place).
+#   - NAT the turn port range from VPN into root namespace (so it receives incomming traffic).
+#   - this approach would fail the prosody conversations.im check, but i didn't notice *obvious* call routing errors.
+#
+# debugging:
+# - log messages like 'usage: realm=<turn.uninsane.org>, username=<1715915193>, rp=14, rb=1516, sp=8, sb=684'
+#   - rp = received packets
+#   - rb = received bytes
+#   - sp = sent packets
+#   - sb = sent bytes
+
+{ config, lib, ... }:
 let
-  # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
-  # TURN port range (inclusive)
-  turnPortLow = 49152;
-  turnPortHigh = 49167;
+  # TURN port range (inclusive).
+  # default coturn behavior is to use the upper quarter of all ports. i.e. 49152 - 65535.
+  # i believe TURN allocations expire after either 5 or 10 minutes of inactivity.
+  turnPortLow = 49152; # 49152 = 0xc000
+  turnPortHigh = turnPortLow + 256;
   turnPortRange = lib.range turnPortLow turnPortHigh;
 in
 {
-  sane.ports.ports = lib.mkMerge ([
-    {
-      "3478" = {
-        # this is the "control" port.
-        # i.e. no client data is forwarded through it, but it's where clients request tunnels.
-        protocol = [ "tcp" "udp" ];
-        # visibleTo.lan = true;
-        # visibleTo.wan = true;
-        visibleTo.ovpn = true;
-        description = "colin-stun-turn";
-      };
-      "5349" = {
-        # the other port 3478 also supports TLS/DTLS, but presumably clients wanting TLS will default 5349
-        protocol = [ "tcp" ];
-        # visibleTo.lan = true;
-        # visibleTo.wan = true;
-        visibleTo.ovpn = true;
-        description = "colin-stun-turn-over-tls";
-      };
-    }
-  ] ++ (builtins.map
-    (port: {
-      "${builtins.toString port}" = let
-        count = port - turnPortLow + 1;
-        numPorts = turnPortHigh - turnPortLow + 1;
-      in {
-        protocol = [ "tcp" "udp" ];
-        # visibleTo.lan = true;
-        # visibleTo.wan = true;
-        visibleTo.ovpn = true;
-        description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
-      };
-    })
-    turnPortRange
-  ));
+  # the port definitions are only needed if running in the root net namespace
+  # sane.ports.ports = lib.mkMerge ([
+  #   {
+  #     "3478" = {
+  #       # this is the "control" port.
+  #       # i.e. no client data is forwarded through it, but it's where clients request tunnels.
+  #       protocol = [ "tcp" "udp" ];
+  #       # visibleTo.lan = true;
+  #       # visibleTo.wan = true;
+  #       visibleTo.ovpns = true;  # forward traffic from the VPN to the root NS
+  #       description = "colin-stun-turn";
+  #     };
+  #     "5349" = {
+  #       # the other port 3478 also supports TLS/DTLS, but presumably clients wanting TLS will default 5349
+  #       protocol = [ "tcp" ];
+  #       # visibleTo.lan = true;
+  #       # visibleTo.wan = true;
+  #       visibleTo.ovpns = true;
+  #       description = "colin-stun-turn-over-tls";
+  #     };
+  #   }
+  # ] ++ (builtins.map
+  #   (port: {
+  #     "${builtins.toString port}" = let
+  #       count = port - turnPortLow + 1;
+  #       numPorts = turnPortHigh - turnPortLow + 1;
+  #     in {
+  #       protocol = [ "tcp" "udp" ];
+  #       # visibleTo.lan = true;
+  #       # visibleTo.wan = true;
+  #       visibleTo.ovpns = true;
+  #       description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
+  #     };
+  #   })
+  #   turnPortRange
+  # ));
 
   services.nginx.virtualHosts."turn.uninsane.org" = {
     # allow ACME to procure a cert via nginx for this domain
@@ -103,22 +118,28 @@ in
   services.coturn.realm = "turn.uninsane.org";
   services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem";
   services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
+
+  #v disable to allow unauthenticated access (or set `services.coturn.no-auth = true`)
   services.coturn.use-auth-secret = true;
   services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
-  services.coturn.lt-cred-mech = true;
+  services.coturn.lt-cred-mech = true; #< XXX: use-auth-secret overrides lt-cred-mech
+
   services.coturn.min-port = turnPortLow;
   services.coturn.max-port = turnPortHigh;
   # services.coturn.secure-stun = true;
   services.coturn.extraConfig = lib.concatStringsSep "\n" [
     "verbose"
-    # "Verbose"  #< even MORE verbosity than "verbose"
-    # "no-multicast-peers"  # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
-    "listening-ip=10.0.1.5"
-    # "external-ip=185.157.162.178/10.0.1.5"
-    "external-ip=185.157.162.178"
+    # "Verbose"  #< even MORE verbosity than "verbose"  (it's TOO MUCH verbosity really)
+    "no-multicast-peers"  # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
+    # "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"  #< 2024/04/25: works, if running in root namespace
+    "listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"
+
+    # old attempts:
+    # "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}"
     # "listening-ip=10.78.79.51"  # can be specified multiple times; omit for *
     # "external-ip=97.113.128.229/10.78.79.51"
     # "external-ip=97.113.128.229"
     # "mobility"  # "mobility with ICE (MICE) specs support" (?)
   ];
+  systemd.services.coturn.serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
 }

hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix

@@ -30,8 +30,7 @@ let
 in
 {
   sane.persist.sys.byStore.ext = [
-    # /var/lib/monero/lmdb is what consumes most of the space
-    { user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; }
+    { user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; method = "bind"; }
   ];
 
   # sane.ports.ports."8333" = {

hosts/by-name/servo/services/cryptocurrencies/clightning-sane/clightning-sane

@@ -1,6 +1,22 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.pyln-client ])"
 
+"""
+clightning-sane: helper to perform common Lightning node admin operations:
+- view channel balances
+- rebalance channels
+
+COMMON OPERATIONS:
+- view channel balances: `clightning-sane status`
+- rebalance channels to improve routability (without paying any fees): `clightning-sane autobalance`
+
+FULL OPERATION:
+- `clightning-sane status --full`
+  - `P$`: represents how many msats i've captured in fees from this channel.
+  - `COST`: rough measure of how much it's "costing" me to let my channel partner hold funds on his side of the channel.
+            this is based on the notion that i only capture fees from outbound transactions, and so the channel partner holding all liquidity means i can't capture fees on that liquidity.
+"""
+
 # pyln-client docs: <https://github.com/ElementsProject/lightning/tree/master/contrib/pyln-client>
 # terminology:
 # - "scid": "Short Channel ID", e.g. 123456x7890x0
@@ -726,7 +742,7 @@ def main():
     logging.basicConfig()
     logger.setLevel(logging.INFO)
 
-    parser = argparse.ArgumentParser(description="rebalance lightning channel balances")
+    parser = argparse.ArgumentParser(description=__doc__)
     parser.add_argument("--verbose", action="store_true", help="more logging")
     parser.add_argument("--min-msat", default="999", help="min transaction size")
     parser.add_argument("--max-msat", default="1000000", help="max transaction size")

hosts/by-name/servo/services/cryptocurrencies/clightning.nix

@@ -73,7 +73,7 @@
 { config, pkgs, ... }:
 {
   sane.persist.sys.byStore.ext = [
-    { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; }
+    { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; method = "bind"; }
   ];
 
   # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon

hosts/by-name/servo/services/cryptocurrencies/monero.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.byStore.ext = [
     # /var/lib/monero/lmdb is what consumes most of the space
-    { user = "monero"; group = "monero"; path = "/var/lib/monero"; }
+    { user = "monero"; group = "monero"; path = "/var/lib/monero"; method = "bind"; }
   ];
 
   services.monero.enable = true;

hosts/by-name/servo/services/cryptocurrencies/tor.nix

@@ -4,7 +4,7 @@
   # tor hidden service hostnames aren't deterministic, so persist.
   # might be able to get away with just persisting /var/lib/tor/onion, not sure.
   sane.persist.sys.byStore.plaintext = [
-    { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; }
+    { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; }
   ];
 
   # tor: `tor.enable` doesn't start a relay, exit node, proxy, etc. it's minimal.

hosts/by-name/servo/services/default.nix

@@ -20,14 +20,13 @@
     ./navidrome.nix
     ./nginx.nix
     ./nixos-prebuild.nix
-    ./nixserve.nix
     ./ntfy
     ./pict-rs.nix
     ./pleroma.nix
     ./postgres.nix
     ./prosody
     ./slskd.nix
-    ./transmission.nix
+    ./transmission
     ./trust-dns.nix
     ./wikipedia.nix
   ];

hosts/by-name/servo/services/ejabberd.nix

@@ -45,60 +45,60 @@ in
 lib.mkIf false
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
+    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; method = "bind"; }
   ];
   sane.ports.ports = lib.mkMerge ([
     {
       "3478" = {
         protocol = [ "tcp" "udp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-xmpp-stun-turn";
       };
       "5222" = {
         protocol = [ "tcp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-xmpp-client-to-server";
       };
       "5223" = {
         protocol = [ "tcp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-xmpps-client-to-server";  # XMPP over TLS
       };
       "5269" = {
         protocol = [ "tcp" ];
-        visibleTo.wan = true;
+        visibleTo.doof = true;
         description = "colin-xmpp-server-to-server";
       };
       "5270" = {
         protocol = [ "tcp" ];
-        visibleTo.wan = true;
+        visibleTo.doof = true;
         description = "colin-xmpps-server-to-server";  # XMPP over TLS
       };
       "5280" = {
         protocol = [ "tcp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-xmpp-bosh";
       };
       "5281" = {
         protocol = [ "tcp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-xmpp-bosh-https";
       };
       "5349" = {
         protocol = [ "tcp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-xmpp-stun-turn-over-tls";
       };
       "5443" = {
         protocol = [ "tcp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-xmpp-web-services";  # file uploads, websockets, admin
       };
     }
@@ -109,8 +109,8 @@ lib.mkIf false
         numPorts = turnPortHigh - turnPortLow + 1;
       in {
         protocol = [ "tcp" "udp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-xmpp-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
       };
     })

hosts/by-name/servo/services/email/dovecot.nix

@@ -8,14 +8,14 @@
 {
   sane.ports.ports."143" = {
     protocol = [ "tcp" ];
+    visibleTo.doof = true;
     visibleTo.lan = true;
-    visibleTo.wan = true;
     description = "colin-imap-imap.uninsane.org";
   };
   sane.ports.ports."993" = {
     protocol = [ "tcp" ];
+    visibleTo.doof = true;
     visibleTo.lan = true;
-    visibleTo.wan = true;
     description = "colin-imaps-imap.uninsane.org";
   };
 
@@ -127,10 +127,11 @@
   services.dovecot2.modules = [
     pkgs.dovecot_pigeonhole  # enables sieve execution (?)
   ];
-  services.dovecot2.sieveScripts = {
+  services.dovecot2.sieve = {
+    extensions = [ "fileinto" ];
     # if any messages fail to pass (or lack) DKIM, move them to Junk
     # XXX the key name ("after") is only used to order sieve execution/ordering
-    after = builtins.toFile "ensuredkim.sieve" ''
+    scripts.after = builtins.toFile "ensuredkim.sieve" ''
       require "fileinto";
 
       if not header :contains "Authentication-Results" "dkim=pass" {
@@ -139,4 +140,6 @@
       }
     '';
   };
+
+  systemd.services.dovecot2.serviceConfig.RestartSec = lib.mkForce "15s";  # nixos defaults this to 1s
 }

hosts/by-name/servo/services/email/postfix.nix

@@ -1,6 +1,6 @@
 # postfix config options: <https://www.postfix.org/postconf.5.html>
 
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   submissionOptions = {
@@ -20,9 +20,9 @@ in
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? could be more granular
-    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; }
-    { user = "root"; group = "root"; path = "/var/lib/postfix"; }
-    { user = "root"; group = "root"; path = "/var/spool/mail"; }
+    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; method = "bind"; }
+    { user = "root"; group = "root"; path = "/var/lib/postfix"; method = "bind"; }
+    { user = "root"; group = "root"; path = "/var/spool/mail"; method = "bind"; }
     # *probably* don't need these dirs:
     # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
     # "/var/lib/dovecot"
@@ -56,8 +56,7 @@ in
 
   sane.dns.zones."uninsane.org".inet = {
     MX."@" = "10 mx.uninsane.org.";
-    # XXX: RFC's specify that the MX record CANNOT BE A CNAME
-    A."mx" = "185.157.162.178";
+    A."mx" = "%AOVPNS%"; #< XXX: RFC's specify that the MX record CANNOT BE A CNAME. TODO: use "%AOVPNS%?
 
     # Sender Policy Framework:
     #   +mx     => mail passes if it originated from the MX

hosts/by-name/servo/services/export/default.nix

@@ -2,14 +2,18 @@
 {
   imports = [
     ./nfs.nix
-    ./sftpgo.nix
+    ./sftpgo
   ];
 
   users.groups.export = {};
 
   fileSystems."/var/export/media" = {
     # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
-    device = "/var/lib/uninsane/media";
+    device = "/var/media";
+    options = [ "rbind" ];
+  };
+  fileSystems."/var/export/pub" = {
+    device = "/var/www/sites/uninsane.org/share";
     options = [ "rbind" ];
   };
   # fileSystems."/var/export/playground" = {
@@ -30,14 +34,15 @@
   # to query the quota/status:
   # - `sudo btrfs qgroup show -re /var/export/playground`
   sane.persist.sys.byStore.ext = [
-    { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; }
+    { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; method = "bind"; }
   ];
 
   sane.fs."/var/export/README.md" = {
     wantedBy = [ "nfs.service" "sftpgo.service" ];
     file.text = ''
       - media/         read-only:  Videos, Music, Books, etc
-      - playground/    read-write: use it to share files with other users of this server
+      - playground/    read-write: use it to share files with other users of this server, inaccessible from the www
+      - pub/           read-only:  content made to be shared with the www
     '';
   };
 

hosts/by-name/servo/services/export/nfs.nix

@@ -15,6 +15,7 @@
 # - could maybe be done with some mount option?
 
 { config, lib, ... }:
+lib.mkIf false  #< TODO: remove nfs altogether! it's not exactly the most secure
 {
   services.nfs.server.enable = true;
 
@@ -26,7 +27,7 @@
     description = "NFS server portmapper";
   };
   sane.ports.ports."2049" = {
-    protocol = [ "tcp" ];
+    protocol = [ "tcp" "udp" ];
     visibleTo.lan = true;
     description = "NFS server";
   };
@@ -51,6 +52,23 @@
   services.nfs.server.mountdPort = 4002;
   services.nfs.server.statdPort = 4000;
 
+  services.nfs.extraConfig = ''
+    [nfsd]
+    # XXX: NFS over UDP REQUIRES SPECIAL CONFIG TO AVOID DATA LOSS.
+    # see `man 5 nfs`: "Using NFS over UDP on high-speed links".
+    # it's actually just a general property of UDP over IPv4 (IPv6 fixes it).
+    # both the client and the server should configure a shorter-than-default IPv4 fragment reassembly window to mitigate.
+    # OTOH, tunneling NFS over Wireguard also bypasses this weakness, because a mis-assembled packet would not have a valid signature.
+    udp=y
+
+    [exports]
+    # all export paths are relative to rootdir.
+    # for NFSv4, the export with fsid=0 behaves as `/` publicly,
+    # but NFSv3 implements no such feature.
+    # using `rootdir` instead of relying on `fsid=0` allows consistent export paths regardless of NFS proto version
+    rootdir=/var/export
+  '';
+
   # format:
   #   fspoint	visibility(options)
   # options:
@@ -85,13 +103,20 @@
       in "${export} 10.78.79.0/22(${lib.concatStringsSep "," lanOpts}) 10.0.10.0/24(${lib.concatStringsSep "," vpnOpts})";
   in lib.concatStringsSep "\n" [
     (fmtExport {
-      export = "/var/export";
+      export = "/";
       baseOpts = [ "crossmnt" "fsid=root" ];
       extraLanOpts = [ "ro" ];
       extraVpnOpts = [ "rw" "no_root_squash" ];
     })
     (fmtExport {
-      export = "/var/export/playground";
+      # provide /media as an explicit export. NFSv4 can transparently mount a subdir of an export, but NFSv3 can only mount paths which are exports.
+      export = "/media";
+      baseOpts = [ "crossmnt" ];  # TODO: is crossmnt needed here?
+      extraLanOpts = [ "ro" ];
+      extraVpnOpts = [ "rw" "no_root_squash" ];
+    })
+    (fmtExport {
+      export = "/playground";
       baseOpts = [
         "mountpoint"
         "all_squash"

hosts/by-name/servo/services/export/sftpgo.nix

@@ -1,186 +0,0 @@
-# docs:
-# - <https://github.com/drakkan/sftpgo>
-# - config options: <https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md>
-# - config defaults: <https://github.com/drakkan/sftpgo/blob/main/sftpgo.json>
-# - nixos options: <repo:nixos/nixpkgs:nixos/modules/services/web-apps/sftpgo.nix>
-# - nixos example: <repo:nixos/nixpkgs:nixos/tests/sftpgo.nix>
-#
-# sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
-#
-# TODO: change umask so sftpgo-created files default to 644.
-# - it does indeed appear that the 600 is not something sftpgo is explicitly doing.
-
-
-{ config, lib, pkgs, sane-lib, ... }:
-let
-  # user permissions:
-  # - see <repo:drakkan/sftpgo:internal/dataprovider/user.go>
-  # - "*" = grant all permissions
-  # - read-only perms:
-  #   - "list" = list files and directories
-  #   - "download"
-  # - rw perms:
-  #   - "upload"
-  #   - "overwrite" = allow uploads to replace existing files
-  #   - "delete" = delete files and directories
-  #     - "delete_files"
-  #     - "delete_dirs"
-  #   - "rename" = rename files and directories
-  #     - "rename_files"
-  #     - "rename_dirs"
-  #   - "create_dirs"
-  #   - "create_symlinks"
-  #   - "chmod"
-  #   - "chown"
-  #   - "chtimes" = change atime/mtime (access and modification times)
-  #
-  # home_dir:
-  # - it seems (empirically) that a user can't cd above their home directory.
-  #   though i don't have a reference for that in the docs.
-  authResponseSuccess = {
-    status = 1;
-    username = "anonymous";
-    expiration_date = 0;
-    home_dir = "/var/export";
-    # uid/gid 0 means to inherit sftpgo uid.
-    # - i.e. users can't read files which Linux user `sftpgo` can't read
-    # - uploaded files belong to Linux user `sftpgo`
-    # other uid/gid values aren't possible for localfs backend, unless i let sftpgo use `sudo`.
-    uid = 0;
-    gid = 0;
-    # uid = 65534;
-    # gid = 65534;
-    max_sessions = 0;
-    # quota_*: 0 means to not use SFTP's quota system
-    quota_size = 0;
-    quota_files = 0;
-    permissions = {
-      "/" = [ "list" "download" ];
-      "/playground" = [
-        # read-only:
-        "list"
-        "download"
-        # write:
-        "upload"
-        "overwrite"
-        "delete"
-        "rename"
-        "create_dirs"
-        "create_symlinks"
-        # intentionally omitted:
-        # "chmod"
-        # "chown"
-        # "chtimes"
-      ];
-    };
-    upload_bandwidth = 0;
-    download_bandwidth = 0;
-    filters = {
-      allowed_ip = [];
-      denied_ip = [];
-    };
-    public_keys = [];
-    # other fields:
-    # ? groups
-    # ? virtual_folders
-  };
-  authResponseFail = {
-    username = "";
-  };
-  authSuccessJson = pkgs.writeText "sftp-auth-success.json" (builtins.toJSON authResponseSuccess);
-  authFailJson = pkgs.writeText "sftp-auth-fail.json" (builtins.toJSON authResponseFail);
-  unwrappedAuthProgram = pkgs.static-nix-shell.mkBash {
-    pname = "sftpgo_external_auth_hook";
-    src = ./.;
-    pkgs = [ "coreutils" ];
-  };
-  authProgram = pkgs.writeShellScript "sftpgo-auth-hook" ''
-    ${unwrappedAuthProgram}/bin/sftpgo_external_auth_hook ${authFailJson} ${authSuccessJson}
-  '';
-in
-{
-  # Client initiates a FTP "control connection" on port 21.
-  # - this handles the client -> server commands, and the server -> client status, but not the actual data
-  # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
-  # - 50000-50100 is a common port range for this.
-  sane.ports.ports = {
-    "21" = {
-      protocol = [ "tcp" ];
-      visibleTo.lan = true;
-      description = "colin-FTP server";
-    };
-  } // (sane-lib.mapToAttrs
-    (port: {
-      name = builtins.toString port;
-      value = {
-        protocol = [ "tcp" ];
-        visibleTo.lan = true;
-        description = "colin-FTP server data port range";
-      };
-    })
-    (lib.range 50000 50100)
-  );
-
-  services.sftpgo = {
-    enable = true;
-    group = "export";
-    settings = {
-      ftpd = {
-        bindings = [
-          {
-            # binding this means any wireguard client can connect
-            address = "10.0.10.5";
-            port = 21;
-            debug = true;
-          }
-          {
-            # binding this means any LAN client can connect
-            address = "10.78.79.51";
-            port = 21;
-            debug = true;
-          }
-        ];
-
-        # active mode is susceptible to "bounce attacks", without much benefit over passive mode
-        disable_active_mode = true;
-        hash_support = true;
-        passive_port_range = {
-          start = 50000;
-          end = 50100;
-        };
-
-        banner = ''
-          Welcome, friends, to Colin's read-only FTP server! Also available via NFS on the same host.
-          Username: "anonymous"
-          Password: "anonymous"
-          CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org`
-          Please let me know if anything's broken or not as it should be. Otherwise, browse and DL freely :)
-        '';
-
-      };
-      data_provider = {
-        driver = "memory";
-        external_auth_hook = "${authProgram}";
-        # track_quota:
-        # - 0: disable quota tracking
-        # - 1: quota is updated on every upload/delete, even if user has no quota restriction
-        # - 2: quota is updated on every upload/delete, but only if user/folder has a quota restriction  (default, i think)
-        # track_quota = 2;
-      };
-    };
-  };
-
-  users.users.sftpgo.extraGroups = [ "export" ];
-
-  systemd.services.sftpgo = {
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
-    serviceConfig = {
-      ReadOnlyPaths = [ "/var/export" ];
-      ReadWritePaths = [ "/var/export/playground" ];
-
-      Restart = "always";
-      RestartSec = "20s";
-    };
-  };
-}

hosts/by-name/servo/services/export/sftpgo/default.nix

@@ -0,0 +1,164 @@
+# docs:
+# - <https://github.com/drakkan/sftpgo>
+# - config options: <https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md>
+# - config defaults: <https://github.com/drakkan/sftpgo/blob/main/sftpgo.json>
+# - nixos options: <repo:nixos/nixpkgs:nixos/modules/services/web-apps/sftpgo.nix>
+# - nixos example: <repo:nixos/nixpkgs:nixos/tests/sftpgo.nix>
+#
+# sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
+
+{ config, lib, pkgs, sane-lib, ... }:
+let
+  external_auth_hook = pkgs.static-nix-shell.mkPython3Bin {
+    pname = "external_auth_hook";
+    srcRoot = ./.;
+    pyPkgs = [ "passlib" ];
+  };
+  # Client initiates a FTP "control connection" on port 21.
+  # - this handles the client -> server commands, and the server -> client status, but not the actual data
+  # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
+  # - 50000-50100 is a common port range for this.
+  #   50000 is used by soulseek.
+  passiveStart = 50050;
+  passiveEnd   = 50070;
+in
+{
+  sane.ports.ports = {
+    "21" = {
+      protocol = [ "tcp" ];
+      visibleTo.lan = true;
+      description = "colin-FTP server";
+    };
+    "990" = {
+      protocol = [ "tcp" ];
+      visibleTo.doof = true;
+      visibleTo.lan = true;
+      description = "colin-FTPS server";
+    };
+  } // (sane-lib.mapToAttrs
+    (port: {
+      name = builtins.toString port;
+      value = {
+        protocol = [ "tcp" ];
+        visibleTo.doof = true;
+        visibleTo.lan = true;
+        description = "colin-FTP server data port range";
+      };
+    })
+    (lib.range passiveStart passiveEnd)
+  );
+
+  # use nginx/acme to produce a cert for FTPS
+  services.nginx.virtualHosts."ftp.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+  };
+  sane.dns.zones."uninsane.org".inet.CNAME."ftp" = "native";
+
+  services.sftpgo = {
+    enable = true;
+    group = "export";
+
+    package = pkgs.sftpgo.overrideAttrs (upstream: {
+      patches = (upstream.patches or []) ++ [
+        # fix for compatibility with kodi:
+        # ftp LIST operation returns entries over-the-wire like:
+        # - dgrwxrwxr-x 1 ftp ftp            9 Apr  9 15:05 Videos
+        # however not all clients understand all mode bits (like that `g`, indicating SGID / group sticky bit).
+        # instead, only send mode bits which are well-understood.
+        # the full set of bits, from which i filter, is found here: <https://pkg.go.dev/io/fs#FileMode>
+        ./safe_fileinfo.patch
+      ];
+    });
+
+    settings = {
+      ftpd = {
+        bindings = [
+          {
+            # binding this means any wireguard client can connect
+            address = "10.0.10.5";
+            port = 21;
+            debug = true;
+          }
+          {
+            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
+            address = "10.78.79.51";
+            port = 21;
+            debug = true;
+          }
+          {
+            # binding this means any wireguard client can connect
+            address = "10.0.10.5";
+            port = 990;
+            debug = true;
+            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
+          }
+          {
+            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
+            address = "10.78.79.51";
+            port = 990;
+            debug = true;
+            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
+          }
+          {
+            # binding this means any doof client can connect (TLS only)
+            address = config.sane.netns.doof.hostVethIpv4;
+            port = 990;
+            debug = true;
+            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
+          }
+        ];
+
+        # active mode is susceptible to "bounce attacks", without much benefit over passive mode
+        disable_active_mode = true;
+        hash_support = true;
+        passive_port_range = {
+          start = passiveStart;
+          end = passiveEnd;
+        };
+
+        certificate_file = "/var/lib/acme/ftp.uninsane.org/full.pem";
+        certificate_key_file = "/var/lib/acme/ftp.uninsane.org/key.pem";
+
+        banner = ''
+          Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.
+
+          Read-only access (LAN clients see everything; WAN clients can only see /pub):
+          Username: "anonymous"
+          Password: "anonymous"
+
+          CONFIGURE YOUR CLIENT FOR "PASSIVE" MODE, e.g. `ftp --passive ftp.uninsane.org`.
+          Please let me know if anything's broken or not as it should be. Otherwise, browse and transfer freely :)
+        '';
+
+      };
+      data_provider = {
+        driver = "memory";
+        external_auth_hook = "${external_auth_hook}/bin/external_auth_hook";
+        # track_quota:
+        # - 0: disable quota tracking
+        # - 1: quota is updated on every upload/delete, even if user has no quota restriction
+        # - 2: quota is updated on every upload/delete, but only if user/folder has a quota restriction  (default, i think)
+        # track_quota = 2;
+      };
+    };
+  };
+
+  users.users.sftpgo.extraGroups = [
+    "export"
+    "media"
+    "nginx"  # to access certs
+  ];
+
+  systemd.services.sftpgo = {
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    serviceConfig = {
+      ReadWritePaths = [ "/var/export" ];
+
+      Restart = "always";
+      RestartSec = "20s";
+      UMask = lib.mkForce "0002";
+    };
+  };
+}

hosts/by-name/servo/services/export/sftpgo/external_auth_hook

@@ -0,0 +1,171 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.passlib ])"
+# vim: set filetype=python :
+#
+# available environment variables:
+# - SFTPGO_AUTHD_USERNAME
+# - SFTPGO_AUTHD_USER
+# - SFTPGO_AUTHD_IP
+# - SFTPGO_AUTHD_PROTOCOL  = { "DAV", "FTP", "HTTP", "SSH" }
+# - SFTPGO_AUTHD_PASSWORD
+# - SFTPGO_AUTHD_PUBLIC_KEY
+# - SFTPGO_AUTHD_KEYBOARD_INTERACTIVE
+# - SFTPGO_AUTHD_TLS_CERT
+#
+# user permissions:
+# - see <repo:drakkan/sftpgo:internal/dataprovider/user.go>
+# - "*" = grant all permissions
+# - read-only perms:
+#   - "list" = list files and directories
+#   - "download"
+# - rw perms:
+#   - "upload"
+#   - "overwrite" = allow uploads to replace existing files
+#   - "delete" = delete files and directories
+#     - "delete_files"
+#     - "delete_dirs"
+#   - "rename" = rename files and directories
+#     - "rename_files"
+#     - "rename_dirs"
+#   - "create_dirs"
+#   - "create_symlinks"
+#   - "chmod"
+#   - "chown"
+#   - "chtimes" = change atime/mtime (access and modification times)
+#
+# home_dir:
+# - it seems (empirically) that a user can't cd above their home directory.
+#   though i don't have a reference for that in the docs.
+
+import json
+import os
+import passlib.hosts
+
+from hmac import compare_digest
+
+authFail = dict(username="")
+
+PERM_DENY = []
+PERM_LIST = [ "list" ]
+PERM_RO = [ "list", "download" ]
+PERM_RW = [
+  # read-only:
+  "list",
+  "download",
+  # write:
+  "upload",
+  "overwrite",
+  "delete",
+  "rename",
+  "create_dirs",
+  "create_symlinks",
+  # intentionally omitted:
+  # "chmod",
+  # "chown",
+  # "chtimes",
+]
+
+TRUSTED_CREDS = [
+  # /etc/shadow style creds.
+  # mkpasswd -m sha-512
+  # $<method>$<salt>$<hash>
+  "$6$Zq3c2u4ghUH4S6EP$pOuRt13sEKfX31OqPbbd1LuhS21C9MICMc94iRdTAgdAcJ9h95gQH/6Jf6Ie4Obb0oxQtojRJ1Pd/9QHOlFMW."  #< m. rocket boy
+]
+
+def mkAuthOk(username: str, permissions: dict[str, list[str]]) -> dict:
+  return dict(
+    status = 1,
+    username = username,
+    expiration_date = 0,
+    home_dir = "/var/export",
+    # uid/gid 0 means to inherit sftpgo uid.
+    # - i.e. users can't read files which Linux user `sftpgo` can't read
+    # - uploaded files belong to Linux user `sftpgo`
+    # other uid/gid values aren't possible for localfs backend, unless i let sftpgo use `sudo`.
+    uid = 0,
+    gid = 0,
+    # uid = 65534,
+    # gid = 65534,
+    max_sessions = 0,
+    # quota_*: 0 means to not use SFTP's quota system
+    quota_size = 0,
+    quota_files = 0,
+    permissions = permissions,
+    upload_bandwidth = 0,
+    download_bandwidth = 0,
+    filters = dict(
+      allowed_ip = [],
+      denied_ip = [],
+    ),
+    public_keys = [],
+    # other fields:
+    # ? groups
+    # ? virtual_folders
+  )
+
+def isLan(ip: str) -> bool:
+  return ip.startswith("10.78.76.") \
+    or ip.startswith("10.78.77.") \
+    or ip.startswith("10.78.78.") \
+    or ip.startswith("10.78.79.")
+
+def isWireguard(ip: str) -> bool:
+  return ip.startswith("10.0.10.")
+
+def isTrustedCred(password: str) -> bool:
+  for cred in TRUSTED_CREDS:
+    if passlib.hosts.linux_context.verify(password, cred):
+      return True
+
+  return False
+
+def getAuthResponse(ip: str, username: str, password: str) -> dict:
+  """
+  return a sftpgo auth response either denying the user or approving them
+  with a set of permissions.
+  """
+  if isTrustedCred(password) and username != "colin":
+    # allow r/w access from those with a special token
+    return mkAuthOk(username, permissions = {
+      "/": PERM_RW,
+      "/playground": PERM_RW,
+      "/pub": PERM_RO,
+    })
+  if isWireguard(ip):
+    # allow any user from wireguard
+    return mkAuthOk(username, permissions = {
+      "/": PERM_RW,
+      "/playground": PERM_RW,
+      "/pub": PERM_RO,
+    })
+  if isLan(ip):
+    if username == "anonymous":
+      # allow anonymous users on the LAN
+      return mkAuthOk("anonymous", permissions = {
+        "/": PERM_RO,
+        "/playground": PERM_RW,
+        "/pub": PERM_RO,
+      })
+  if username == "anonymous":
+    # anonymous users from the www can have even more limited access.
+    # mostly because i need an easy way to test WAN connectivity :-)
+    return mkAuthOk("anonymous", permissions = {
+      # "/": PERM_DENY,
+      "/": PERM_LIST,  #< REQUIRED, even for lftp to list a subdir
+      "/media": PERM_DENY,
+      "/playground": PERM_DENY,
+      "/pub": PERM_RO,
+      # "/README.md": PERM_RO,  #< does not work
+    })
+
+  return authFail
+
+def main():
+  ip = os.environ.get("SFTPGO_AUTHD_IP", "")
+  username = os.environ.get("SFTPGO_AUTHD_USERNAME", "")
+  password = os.environ.get("SFTPGO_AUTHD_PASSWORD", "")
+  resp = getAuthResponse(ip, username, password)
+  print(json.dumps(resp))
+
+if __name__ == "__main__":
+  main()

hosts/by-name/servo/services/export/sftpgo/safe_fileinfo.patch

@@ -0,0 +1,32 @@
+diff --git a/internal/ftpd/handler.go b/internal/ftpd/handler.go
+index 036c3977..33211261 100644
+--- a/internal/ftpd/handler.go
++++ b/internal/ftpd/handler.go
+@@ -169,7 +169,7 @@ func (c *Connection) Stat(name string) (os.FileInfo, error) {
+ 		}
+ 		return nil, err
+ 	}
+-	return fi, nil
++	return vfs.NewFileInfo(name, fi.IsDir(), fi.Size(), fi.ModTime(), false), nil
+ }
+
+ // Name returns the name of this connection
+@@ -315,7 +315,17 @@ func (c *Connection) ReadDir(name string) (ftpserver.DirLister, error) {
+ 		}, nil
+ 	}
+
+-	return c.ListDir(name)
++	lister, err := c.ListDir(name)
++	if err != nil {
++		return nil, err
++	}
++	return &patternDirLister{
++		DirLister:      lister,
++		pattern:        "*",
++		lastCommand:    c.clientContext.GetLastCommand(),
++		dirName:        name,
++		connectionPath: c.clientContext.Path(),
++	}, nil
+ }
+
+ // GetHandle implements ClientDriverExtentionFileTransfer

hosts/by-name/servo/services/export/sftpgo_external_auth_hook

@@ -1,23 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p coreutils
-# vim: set filetype=bash :
-#
-# available environment variables:
-# - SFTPGO_AUTHD_USERNAME
-# - SFTPGO_AUTHD_USER
-# - SFTPGO_AUTHD_IP
-# - SFTPGO_AUTHD_PROTOCOL  = { "DAV", "FTP", "HTTP", "SSH" }
-# - SFTPGO_AUTHD_PASSWORD
-# - SFTPGO_AUTHD_PUBLIC_KEY
-# - SFTPGO_AUTHD_KEYBOARD_INTERACTIVE
-# - SFTPGO_AUTHD_TLS_CERT
-#
-#
-# call with <script_name> /path/to/fail/response.json /path/to/success/response.json
-
-
-if [ "$SFTPGO_AUTHD_USERNAME" = "anonymous" ]; then
-  cat "$2"
-else
-  cat "$1"
-fi

hosts/by-name/servo/services/freshrss.nix

@@ -16,7 +16,7 @@
     mode = "0400";
   };
   sane.persist.sys.byStore.plaintext = [
-    { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; }
+    { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; method = "bind"; }
   ];
 
   services.freshrss.enable = true;

hosts/by-name/servo/services/gitea.nix

@@ -4,7 +4,7 @@
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? could be more granular
-    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; }
+    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; method = "bind"; }
   ];
   services.gitea.enable = true;
   services.gitea.user = "git";  # default is 'gitea'
@@ -50,9 +50,15 @@
       ENABLE_CAPTCHA = true;
       NOREPLY_ADDRESS = "noreply.anonymous.git@uninsane.org";
     };
-    session.COOKIE_SECURE = true;
+    session = {
+      COOKIE_SECURE = true;
+      # keep me logged in for 30 days
+      SESSION_LIFE_TIME = 60 * 60 * 24 * 30;
+    };
     repository = {
       DEFAULT_BRANCH = "master";
+      ENABLE_PUSH_CREATE_USER = true;
+      ENABLE_PUSH_CREATE_ORG = true;
     };
     other = {
       SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
@@ -90,6 +96,8 @@
     ];
   };
 
+  services.openssh.settings.UsePAM = true;  #< required for `git` user to authenticate
+
   # hosted git (web view and for `git <cmd>` use
   # TODO: enable publog?
   services.nginx.virtualHosts."git.uninsane.org" = {
@@ -100,6 +108,24 @@
     locations."/" = {
       proxyPass = "http://127.0.0.1:3000";
     };
+    # gitea serves all `raw` files as content-type: plain, but i'd like to serve them as their actual content type.
+    # or at least, enough to make specific pages viewable (serving unoriginal content as arbitrary content type is dangerous).
+    locations."~ ^/colin/phone-case-cq/raw/.*.html" = {
+      proxyPass = "http://127.0.0.1:3000";
+      extraConfig = ''
+        proxy_hide_header Content-Type;
+        default_type text/html;
+        add_header Content-Type text/html;
+      '';
+    };
+    locations."~ ^/colin/phone-case-cq/raw/.*.js" = {
+      proxyPass = "http://127.0.0.1:3000";
+      extraConfig = ''
+        proxy_hide_header Content-Type;
+        default_type text/html;
+        add_header Content-Type text/javascript;
+      '';
+    };
   };
 
   sane.dns.zones."uninsane.org".inet.CNAME."git" = "native";
@@ -107,7 +133,7 @@
   sane.ports.ports."22" = {
     protocol = [ "tcp" ];
     visibleTo.lan = true;
-    visibleTo.wan = true;
+    visibleTo.doof = true;
     description = "colin-git@git.uninsane.org";
   };
 }

hosts/by-name/servo/services/goaccess.nix

@@ -20,7 +20,7 @@
           --ignore-panel=HOSTS \
           --ws-url=wss://sink.uninsane.org:443/ws \
           --port=7890 \
-          -o /var/lib/uninsane/sink/index.html
+          -o /var/lib/goaccess/index.html
       '';
       ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
       Type = "simple";
@@ -28,17 +28,19 @@
       RestartSec = "10s";
 
       # hardening
-      WorkingDirectory = "/tmp";
+      # TODO: run as `goaccess` user and add `goaccess` user to group `nginx`.
       NoNewPrivileges = true;
+      PrivateDevices = "yes";
       PrivateTmp = true;
       ProtectHome = "read-only";
-      ProtectSystem = "strict";
-      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
-      ReadOnlyPaths = "/";
-      ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
-      PrivateDevices = "yes";
       ProtectKernelModules = "yes";
       ProtectKernelTunables = "yes";
+      ProtectSystem = "strict";
+      ReadOnlyPaths = [ "/var/log/nginx" ];
+      ReadWritePaths = [ "/proc/self" "/var/lib/goaccess" ];
+      StateDirectory = "goaccess";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
+      WorkingDirectory = "/var/lib/goaccess";
     };
     after = [ "network.target" ];
     wantedBy = [ "multi-user.target" ];
@@ -49,7 +51,7 @@
     addSSL = true;
     enableACME = true;
     # inherit kTLS;
-    root = "/var/lib/uninsane/sink";
+    root = "/var/lib/goaccess";
 
     locations."/ws" = {
       proxyPass = "http://127.0.0.1:7890";

hosts/by-name/servo/services/ipfs.nix

@@ -12,7 +12,7 @@ lib.mkIf false # i don't actively use ipfs anymore
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? could be more granular
-    { user = "261"; group = "261"; path = "/var/lib/ipfs"; }
+    { user = "261"; group = "261"; path = "/var/lib/ipfs"; method = "bind"; }
   ];
 
   networking.firewall.allowedTCPPorts = [ 4001 ];

hosts/by-name/servo/services/jackett.nix

@@ -1,9 +1,9 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
 
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
-    { user = "root"; group = "root"; path = "/var/lib/jackett"; }
+    { user = "root"; group = "root"; path = "/var/lib/jackett"; method = "bind"; }
   ];
   services.jackett.enable = true;
 
@@ -12,6 +12,8 @@
   systemd.services.jackett.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
+
     # patch jackett to listen on the public interfaces
     # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
   };
@@ -22,8 +24,7 @@
     enableACME = true;
     # inherit kTLS;
     locations."/" = {
-      # proxyPass = "http://ovpns.uninsane.org:9117";
-      proxyPass = "http://10.0.1.6:9117";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
       recommendedProxySettings = true;
     };
   };

hosts/by-name/servo/services/jellyfin.nix

@@ -41,7 +41,7 @@
   };
 
   sane.persist.sys.byStore.plaintext = [
-    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; }
+    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; method = "bind"; }
   ];
   sane.fs."/var/lib/jellyfin/config/logging.json" = {
     # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>
@@ -75,7 +75,7 @@
   # Jellyfin multimedia server
   # this is mostly taken from the official jellfin.org docs
   services.nginx.virtualHosts."jelly.uninsane.org" = {
-    addSSL = true;
+    forceSSL = true;
     enableACME = true;
     # inherit kTLS;
 

hosts/by-name/servo/services/kiwix-serve.nix

@@ -7,7 +7,7 @@
 { ... }:
 {
   sane.persist.sys.byStore.ext = [
-    { user = "colin"; group = "users"; path = "/var/lib/kiwix"; }
+    { user = "colin"; group = "users"; path = "/var/lib/kiwix"; method = "bind"; }
   ];
 
   sane.services.kiwix-serve = {

hosts/by-name/servo/services/komga.nix

@@ -5,14 +5,14 @@ let
 in
 {
   sane.persist.sys.byStore.plaintext = [
-    { inherit user group; mode = "0700"; path = stateDir; }
+    { inherit user group; mode = "0700"; path = stateDir; method = "bind"; }
   ];
 
   services.komga.enable = true;
   services.komga.port = 11319;  # chosen at random
 
   services.nginx.virtualHosts."komga.uninsane.org" = {
-    addSSL = true;
+    forceSSL = true;
     enableACME = true;
     locations."/" = {
       proxyPass = "http://127.0.0.1:${builtins.toString port}";

hosts/by-name/servo/services/lemmy.nix

@@ -10,16 +10,21 @@ let
   uiPort = 1234;  # default ui port is 1234
   backendPort = 8536; # default backend port is 8536
   #^ i guess the "backend" port is used for federation?
-  pict-rs = pkgs.pict-rs.overrideAttrs (upstream: {
-    # as of v 0.4.2, all non-GIF video is forcibly transcoded.
-    # that breaks lemmy, because of the request latency.
-    # and it eats up hella CPU.
-    # pict-rs is iffy around video altogether: mp4 seems the best supported.
-    postPatch = (upstream.postPatch or "") + ''
-      substituteInPlace src/validate.rs \
-        --replace 'if transcode_options.needs_reencode() {' 'if false {'
-    '';
-  });
+  pict-rs = pkgs.pict-rs;
+  # pict-rs = pkgs.pict-rs.overrideAttrs (upstream: {
+  #   # as of v0.4.2, all non-GIF video is forcibly transcoded.
+  #   # that breaks lemmy, because of the request latency.
+  #   # and it eats up hella CPU.
+  #   # pict-rs is iffy around video altogether: mp4 seems the best supported.
+  #   # XXX: this patch no longer applies after 0.5.10 -> 0.5.11 update.
+  #   #      git log is hard to parse, but *suggests* that video is natively supported
+  #   #      better than in the 0.4.2 days, e.g. 5fd59fc5b42d31559120dc28bfef4e5002fb509e
+  #   #      "Change commandline flag to allow disabling video, since it is enabled by default"
+  #   postPatch = (upstream.postPatch or "") + ''
+  #     substituteInPlace src/validate.rs \
+  #       --replace-fail 'if transcode_options.needs_reencode() {' 'if false {'
+  #   '';
+  # });
 in {
   services.lemmy = {
     enable = true;
@@ -78,8 +83,8 @@ in {
   # CLI args: <https://git.asonix.dog/asonix/pict-rs#user-content-running>
   systemd.services.pict-rs.serviceConfig.ExecStart = lib.mkForce (lib.concatStringsSep " " [
     "${lib.getBin pict-rs}/bin/pict-rs run"
-    "--media-max-frame-count" (builtins.toString (30*60*60))
+    "--media-video-max-frame-count" (builtins.toString (30*60*60))
     "--media-process-timeout 120"
-    "--media-enable-full-video true"  # allow audio
+    "--media-video-allow-audio"  # allow audio
   ]);
 }

hosts/by-name/servo/services/matrix/default.nix

@@ -21,7 +21,7 @@
   ];
 
   sane.persist.sys.byStore.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; method = "bind"; }
   ];
   services.matrix-synapse.enable = true;
   services.matrix-synapse.settings = {

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -6,7 +6,7 @@
 lib.mkIf false
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; method = "bind"; }
   ];
 
   services.matrix-synapse.settings.app_service_config_files = [

hosts/by-name/servo/services/matrix/irc.nix

@@ -4,12 +4,11 @@
 { config, lib, ... }:
 
 let
-  ircServer = { name, additionalAddresses ? [], sasl ? true, port ? 6697 }: let
+  ircServer = { name, additionalAddresses ? [], ssl ? true, sasl ? true, port ? if ssl then 6697 else 6667 }: let
     lowerName = lib.toLower name;
   in {
     # XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
-    inherit name additionalAddresses sasl port;
-    ssl = true;
+    inherit additionalAddresses name port sasl ssl;
     botConfig = {
       # bot has no presence in IRC channel; only real Matrix users
       enabled = false;
@@ -103,7 +102,7 @@ in
 
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode?
-    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; }
+    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; method = "bind"; }
   ];
 
   # XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,
@@ -156,6 +155,10 @@ in
           # - #sxmo-offtopic
         };
         "irc.rizon.net" = ircServer { name = "Rizon"; };
+        "wigle.net" = ircServer {
+          name = "WiGLE";
+          ssl = false;
+        };
       };
     };
   };

hosts/by-name/servo/services/matrix/signal.nix

@@ -5,8 +5,8 @@
 lib.mkIf false  # disabled 2024/01/11: i don't use it, and pkgs.mautrix-signal had some API changes
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; }
-    { user = "signald"; group = "signald"; path = "/var/lib/signald"; }
+    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; method = "bind"; }
+    { user = "signald"; group = "signald"; path = "/var/lib/signald"; method = "bind"; }
   ];
 
   # allow synapse to read the registration file

hosts/by-name/servo/services/navidrome.nix

@@ -1,15 +1,16 @@
 { lib, ... }:
 
+lib.mkIf false  #< i don't actively use navidrome
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; }
+    { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; method = "bind"; }
   ];
   services.navidrome.enable = true;
   services.navidrome.settings = {
     # docs: https://www.navidrome.org/docs/usage/configuration-options/
     Address = "127.0.0.1";
     Port = 4533;
-    MusicFolder = "/var/lib/uninsane/media/Music";
+    MusicFolder = "/var/media/Music";
     CovertArtPriority = "*.jpg, *.JPG, *.png, *.PNG, embedded";
     AutoImportPlaylists = false;
     ScanSchedule = "@every 1h";

hosts/by-name/servo/services/nginx.nix

@@ -17,14 +17,14 @@ in
   sane.ports.ports."80" = {
     protocol = [ "tcp" ];
     visibleTo.lan = true;
-    visibleTo.wan = true;
-    visibleTo.ovpn = true;  # so that letsencrypt can procure a cert for the mx record
+    visibleTo.ovpns = true;  # so that letsencrypt can procure a cert for the mx record
+    visibleTo.doof = true;
     description = "colin-http-uninsane.org";
   };
   sane.ports.ports."443" = {
     protocol = [ "tcp" ];
     visibleTo.lan = true;
-    visibleTo.wan = true;
+    visibleTo.doof = true;
     description = "colin-https-uninsane.org";
   };
 
@@ -55,8 +55,8 @@ in
 
   # web blog/personal site
   # alternative way to link stuff into the share:
-  # sane.fs."/var/lib/uninsane/share/Ubunchu".mount.bind = "/var/lib/uninsane/media/Books/Visual/HiroshiSeo/Ubunchu";
-  # sane.fs."/var/lib/uninsane/media/Books/Visual/HiroshiSeo/Ubunchu".dir = {};
+  # sane.fs."/var/www/sites/uninsane.org/share/Ubunchu".mount.bind = "/var/media/Books/Visual/HiroshiSeo/Ubunchu";
+  # sane.fs."/var/media/Books/Visual/HiroshiSeo/Ubunchu".dir = {};
   services.nginx.virtualHosts."uninsane.org" = publog {
     # a lot of places hardcode https://uninsane.org,
     # and then when we mix http + non-https, we get CORS violations
@@ -89,6 +89,16 @@ in
         disable_symlinks on;
       '';
     };
+    locations."/share/Milkbags/" = {
+      alias = "/var/media/Videos/Milkbags/";
+      extraConfig = ''
+        # autoindex => render directory listings
+        autoindex on;
+        # don't follow any symlinks when serving files
+        # otherwise it allows a directory escape
+        disable_symlinks on;
+      '';
+    };
 
     # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
     locations."= /.well-known/matrix/server".extraConfig =
@@ -169,8 +179,8 @@ in
   security.acme.defaults.email = "admin.acme@uninsane.org";
 
   sane.persist.sys.byStore.plaintext = [
-    { user = "acme"; group = "acme"; path = "/var/lib/acme"; }
-    { user = "colin"; group = "users"; path = "/var/www/sites"; }
+    { user = "acme"; group = "acme"; path = "/var/lib/acme"; method = "bind"; }
+    { user = "colin"; group = "users"; path = "/var/www/sites"; method = "bind"; }
   ];
 
   # let's encrypt default chain looks like:

hosts/by-name/servo/services/nixserve.nix

@@ -1,21 +0,0 @@
-{ config, ... }:
-
-{
-  services.nginx.virtualHosts."nixcache.uninsane.org" = {
-    addSSL = true;
-    enableACME = true;
-    # inherit kTLS;
-    # serverAliases = [ "nixcache" ];
-    locations."/".extraConfig = ''
-      proxy_pass http://localhost:${toString config.services.nix-serve.port};
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    '';
-  };
-
-  sane.dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
-
-  sane.services.nixserve.enable = true;
-  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
-}

hosts/by-name/servo/services/ntfy/ntfy-sh.nix

@@ -34,7 +34,7 @@ in
     # not 100% necessary to persist this, but ntfy does keep a 12hr (by default) cache
     # for pushing notifications to users who become offline.
     # ACLs also live here.
-    { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; }
+    { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; method = "bind"; }
   ];
 
   services.ntfy-sh.enable = true;
@@ -86,7 +86,7 @@ in
   sane.ports.ports."${builtins.toString altPort}" = {
     protocol = [ "tcp" ];
     visibleTo.lan = true;
-    visibleTo.wan = true;
+    visibleTo.doof = true;
     description = "colin-ntfy.uninsane.org";
   };
 }

hosts/by-name/servo/services/ntfy/ntfy-waiter.nix

@@ -49,7 +49,7 @@ in
       type = types.package;
       default = pkgs.static-nix-shell.mkPython3Bin {
         pname = "ntfy-waiter";
-        src = ./.;
+        srcRoot = ./.;
         pkgs = [ "ntfy-sh" ];
       };
       description = ''
@@ -62,8 +62,8 @@ in
     sane.ports.ports = lib.mkMerge (lib.forEach portRange (port: {
       "${builtins.toString port}" = {
         protocol = [ "tcp" ];
+        visibleTo.doof = true;
         visibleTo.lan = true;
-        visibleTo.wan = true;
         description = "colin-notification-waiter-${builtins.toString (port - portLow + 1)}-of-${builtins.toString numPorts}";
       };
     }));

hosts/by-name/servo/services/pict-rs.nix

@@ -6,7 +6,7 @@ let
 in
 {
   sane.persist.sys.byStore.plaintext = lib.mkIf cfg.enable [
-    { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; }
+    { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; method = "bind"; }
   ];
 
   systemd.services.pict-rs.serviceConfig = {

hosts/by-name/servo/services/pleroma.nix

@@ -15,7 +15,7 @@ let
 in
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; }
+    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; method = "bind"; }
   ];
   services.pleroma.enable = true;
   services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
@@ -25,7 +25,7 @@ in
 
     config :pleroma, Pleroma.Web.Endpoint,
       url: [host: "fed.uninsane.org", scheme: "https", port: 443],
-      http: [ip: {127, 0, 0, 1}, port: 4000]
+      http: [ip: {127, 0, 0, 1}, port: 4040]
     #   secret_key_base: "{secrets.pleroma.secret_key_base}",
     #   signing_salt: "{secrets.pleroma.signing_salt}"
 
@@ -167,7 +167,7 @@ in
     enableACME = true;
     # inherit kTLS;
     locations."/" = {
-      proxyPass = "http://127.0.0.1:4000";
+      proxyPass = "http://127.0.0.1:4040";
       recommendedProxySettings = true;
       # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
       extraConfig = ''

hosts/by-name/servo/services/postgres.nix

@@ -8,7 +8,7 @@ in
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode?
-    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; method = "bind"; }
   ];
   services.postgresql.enable = true;
 

hosts/by-name/servo/services/prosody/default.nix

@@ -57,46 +57,46 @@ let
 in
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; }
+    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; method = "bind"; }
   ];
   sane.ports.ports."5000" = {
     protocol = [ "tcp" ];
+    visibleTo.doof = true;
     visibleTo.lan = true;
-    visibleTo.wan = true;
     description = "colin-xmpp-prosody-fileshare-proxy65";
   };
   sane.ports.ports."5222" = {
     protocol = [ "tcp" ];
+    visibleTo.doof = true;
     visibleTo.lan = true;
-    visibleTo.wan = true;
     description = "colin-xmpp-client-to-server";
   };
   sane.ports.ports."5223" = {
     protocol = [ "tcp" ];
+    visibleTo.doof = true;
     visibleTo.lan = true;
-    visibleTo.wan = true;
     description = "colin-xmpps-client-to-server";  # XMPP over TLS
   };
   sane.ports.ports."5269" = {
     protocol = [ "tcp" ];
-    visibleTo.wan = true;
+    visibleTo.doof = true;
     description = "colin-xmpp-server-to-server";
   };
   sane.ports.ports."5270" = {
     protocol = [ "tcp" ];
-    visibleTo.wan = true;
+    visibleTo.doof = true;
     description = "colin-xmpps-server-to-server";  # XMPP over TLS
   };
   sane.ports.ports."5280" = {
     protocol = [ "tcp" ];
+    visibleTo.doof = true;
     visibleTo.lan = true;
-    visibleTo.wan = true;
     description = "colin-xmpp-bosh";
   };
   sane.ports.ports."5281" = {
     protocol = [ "tcp" ];
+    visibleTo.doof = true;
     visibleTo.lan = true;
-    visibleTo.wan = true;
     description = "colin-xmpp-prosody-https";  # necessary?
   };
 

hosts/by-name/servo/services/slskd.nix

@@ -3,10 +3,15 @@
 #
 # config precedence (higher precedence overrules lower precedence):
 # - Default Values < Environment Variables < YAML Configuraiton File < Command Line Arguments
-{ config, lib, ... }:
+#
+# debugging:
+# - soulseek is just *flaky*. if you see e.g. DNS errors, even though you can't replicate them via `dig` or `getent ahostsv4`, just give it 10 minutes to work out:
+#   - "Soulseek.AddressException: Failed to resolve address 'vps.slsknet.org': Resource temporarily unavailable"
+{ config, lib, pkgs, ... }:
+
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "slskd"; group = "slskd"; path = "/var/lib/slskd"; }
+    { user = "slskd"; group = "media"; path = "/var/lib/slskd"; method = "bind"; }
   ];
   sops.secrets."slskd_env" = {
     owner = config.users.users.slskd.name;
@@ -15,10 +20,9 @@
 
   users.users.slskd.extraGroups = [ "media" ];
 
-  sane.ports.ports."50000" = {
+  sane.ports.ports."50300" = {
     protocol = [ "tcp" ];
-    # not visible to WAN: i run this in a separate netns
-    visibleTo.ovpn = true;
+    # visibleTo.ovpns = true;  #< not needed: it runs in the ovpns namespace
     description = "colin-soulseek";
   };
 
@@ -28,12 +32,14 @@
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://10.0.1.6:5001";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030";
       proxyWebsockets = true;
     };
   };
 
   services.slskd.enable = true;
+  services.slskd.domain = null;  # i'll manage nginx for it
+  services.slskd.group = "media";
   # env file, for auth (SLSKD_SLSK_PASSWORD, SLSKD_SLSK_USERNAME)
   services.slskd.environmentFile = config.sops.secrets.slskd_env.path;
   services.slskd.settings = {
@@ -44,13 +50,13 @@
       # [Alias]/path/on/disk
       # NOTE: Music library is quick to scan; videos take a solid 10min to scan.
       # TODO: re-enable the other libraries
-      # "[Audioooks]/var/lib/uninsane/media/Books/Audiobooks"
-      # "[Books]/var/lib/uninsane/media/Books/Books"
-      # "[Manga]/var/lib/uninsane/media/Books/Visual"
-      # "[games]/var/lib/uninsane/media/games"
-      "[Music]/var/lib/uninsane/media/Music"
-      # "[Film]/var/lib/uninsane/media/Videos/Film"
-      # "[Shows]/var/lib/uninsane/media/Videos/Shows"
+      # "[Audioooks]/var/media/Books/Audiobooks"
+      # "[Books]/var/media/Books/Books"
+      # "[Manga]/var/media/Books/Visual"
+      # "[games]/var/media/games"
+      "[Music]/var/media/Music"
+      # "[Film]/var/media/Videos/Film"
+      # "[Shows]/var/media/Videos/Shows"
     ];
     # directories.downloads = "..." # TODO
     # directories.incomplete = "..." # TODO
@@ -62,13 +68,12 @@
     # flags.volatile = true;  # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
   };
 
-  systemd.services.slskd = {
-    serviceConfig = {
-      # run this behind the OVPN static VPN
-      NetworkNamespacePath = "/run/netns/ovpns";
-      Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
-      RestartSec = "60s";
-      Group = "media";
-    };
+  systemd.services.slskd.serviceConfig = {
+    # run this behind the OVPN static VPN
+    NetworkNamespacePath = "/run/netns/ovpns";
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
+
+    Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
+    RestartSec = "60s";
   };
 }

hosts/by-name/servo/services/transmission.nix

@@ -1,100 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  sane.persist.sys.byStore.plaintext = [
-    # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; }
-  ];
-  users.users.transmission.extraGroups = [ "media" ];
-
-  services.transmission.enable = true;
-  services.transmission.package = pkgs.transmission_4;  #< 2023/09/06: nixpkgs `transmission` defaults to old 3.00
-  #v setting `group` this way doesn't tell transmission to `chown` the files it creates
-  #  it's a nixpkgs setting which just runs the transmission daemon as this group
-  services.transmission.group = "media";
-
-  # transmission will by default not allow the world to read its files.
-  services.transmission.downloadDirPermissions = "775";
-  services.transmission.extraFlags = [
-    # "--log-level=debug"
-  ];
-
-  services.transmission.settings = {
-    # message-level = 3;  #< enable for debug logging. 0-3, default is 2.
-    # 0.0.0.0 => allow rpc from any host: we gate it via firewall and auth requirement
-    rpc-bind-address = "0.0.0.0";
-    #rpc-host-whitelist = "bt.uninsane.org";
-    #rpc-whitelist = "*.*.*.*";
-    rpc-authentication-required = true;
-    rpc-username = "colin";
-    # salted pw. to regenerate, set this plaintext, run nixos-rebuild, and then find the salted pw in:
-    # /var/lib/transmission/.config/transmission-daemon/settings.json
-    rpc-password = "{503fc8928344f495efb8e1f955111ca5c862ce0656SzQnQ5";
-    rpc-whitelist-enabled = false;
-
-    # hopefully, make the downloads world-readable
-    # umask = 0;  #< default is 2: i.e. deny writes from world
-
-    # force peer connections to be encrypted
-    encryption = 2;
-
-    # units in kBps
-    speed-limit-down = 12000;
-    speed-limit-down-enabled = true;
-    speed-limit-up = 800;
-    speed-limit-up-enabled = true;
-
-    # see: https://git.zknt.org/mirror/transmission/commit/cfce6e2e3a9b9d31a9dafedd0bdc8bf2cdb6e876?lang=bg-BG
-    anti-brute-force-enabled = false;
-
-    download-dir = "/var/lib/uninsane/media";
-    incomplete-dir = "/var/lib/uninsane/media/incomplete";
-    # transmission regularly fails to move stuff from the incomplete dir to the main one, so disable:
-    # TODO: uncomment this line!
-    incomplete-dir-enabled = false;
-  };
-
-  systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.transmission.serviceConfig = {
-    # run this behind the OVPN static VPN
-    NetworkNamespacePath = "/run/netns/ovpns";
-    Restart = "on-failure";
-    RestartSec = "30s";
-  };
-
-  # service to automatically backup torrents i add to transmission
-  systemd.services.backup-torrents = {
-    description = "archive torrents to storage not owned by transmission";
-    script = ''
-      ${pkgs.rsync}/bin/rsync -arv /var/lib/transmission/.config/transmission-daemon/torrents/ /var/backup/torrents/
-    '';
-  };
-  systemd.timers.backup-torrents = {
-    wantedBy = [ "multi-user.target" ];
-    timerConfig = {
-      OnStartupSec = "11min";
-      OnUnitActiveSec = "240min";
-    };
-  };
-
-  # transmission web client
-  services.nginx.virtualHosts."bt.uninsane.org" = {
-    # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
-    forceSSL = true;
-    enableACME = true;
-    # inherit kTLS;
-    locations."/" = {
-      # proxyPass = "http://ovpns.uninsane.org:9091";
-      proxyPass = "http://10.0.1.6:9091";
-    };
-  };
-
-  sane.dns.zones."uninsane.org".inet.CNAME."bt" = "native";
-  sane.ports.ports."51413" = {
-    protocol = [ "tcp" "udp" ];
-    visibleTo.ovpn = true;
-    description = "colin-bittorrent";
-  };
-}
-

hosts/by-name/servo/services/transmission/default.nix

@@ -0,0 +1,156 @@
+{ config, lib, pkgs, ... }:
+
+let
+  # 2023/09/06: nixpkgs `transmission` defaults to old 3.00
+  # 2024/02/15: some torrent trackers whitelist clients; everyone is still on 3.00 for some reason :|
+  #             some do this via peer-id (e.g. baka); others via user-agent (e.g. MAM).
+  #             peer-id format is essentially the same between 3.00 and 4.x (just swap the MAJOR/MINOR/PATCH numbers).
+  #             user-agent format has changed. `Transmission/3.00` (old) v.s. `TRANSMISSION/MAJ.MIN.PATCH` (new).
+  realTransmission = pkgs.transmission_4;
+  realVersion = {
+    major = lib.versions.major realTransmission.version;
+    minor = lib.versions.minor realTransmission.version;
+    patch = lib.versions.patch realTransmission.version;
+  };
+  package = realTransmission.overrideAttrs (upstream: {
+    # `cmakeFlags = [ "-DTR_VERSION_MAJOR=3" ]`, etc, doesn't seem to take effect.
+    postPatch = (upstream.postPatch or "") + ''
+      substituteInPlace CMakeLists.txt \
+        --replace-fail 'TR_VERSION_MAJOR "${realVersion.major}"' 'TR_VERSION_MAJOR "3"' \
+        --replace-fail 'TR_VERSION_MINOR "${realVersion.minor}"' 'TR_VERSION_MINOR "0"' \
+        --replace-fail 'TR_VERSION_PATCH "${realVersion.patch}"' 'TR_VERSION_PATCH "0"' \
+        --replace-fail 'set(TR_USER_AGENT_PREFIX "''${TR_SEMVER}")' 'set(TR_USER_AGENT_PREFIX "3.00")'
+    '';
+  });
+  download-dir = "/var/media/torrents";  #< keep in sync with consts embedded in `torrent-done`
+  torrent-done = pkgs.static-nix-shell.mkBash {
+    pname = "torrent-done";
+    srcRoot = ./.;
+    pkgs = [
+      "acl"
+      "coreutils"
+      "findutils"
+      "rsync"
+      "util-linux"
+    ];
+  };
+in
+{
+  sane.persist.sys.byStore.plaintext = [
+    # TODO: mode? we need this specifically for the stats tracking in .config/
+    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; method = "bind"; }
+  ];
+  users.users.transmission.extraGroups = [ "media" ];
+
+  services.transmission.enable = true;
+  services.transmission.package = package;
+  #v setting `group` this way doesn't tell transmission to `chown` the files it creates
+  #  it's a nixpkgs setting which just runs the transmission daemon as this group
+  services.transmission.group = "media";
+
+  # transmission will by default not allow the world to read its files.
+  services.transmission.downloadDirPermissions = "775";
+  services.transmission.extraFlags = [
+    # "--log-level=debug"
+  ];
+
+  services.transmission.settings = {
+    # DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
+
+    # message-level = 3;  #< enable for debug logging. 0-3, default is 2.
+    # ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
+    rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;
+    #rpc-host-whitelist = "bt.uninsane.org";
+    #rpc-whitelist = "*.*.*.*";
+    rpc-authentication-required = true;
+    rpc-username = "colin";
+    # salted pw. to regenerate, set this plaintext, run nixos-rebuild, and then find the salted pw in:
+    # /var/lib/transmission/.config/transmission-daemon/settings.json
+    rpc-password = "{503fc8928344f495efb8e1f955111ca5c862ce0656SzQnQ5";
+    rpc-whitelist-enabled = false;
+
+    # force behind ovpns in case the NetworkNamespace fails somehow
+    bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4;
+    port-forwarding-enabled = false;
+
+    # hopefully, make the downloads world-readable
+    # umask = 0;  #< default is 2: i.e. deny writes from world
+
+    # force peer connections to be encrypted
+    encryption = 2;
+
+    # units in kBps
+    speed-limit-down = 12000;
+    speed-limit-down-enabled = true;
+    speed-limit-up = 800;
+    speed-limit-up-enabled = true;
+
+    # see: https://git.zknt.org/mirror/transmission/commit/cfce6e2e3a9b9d31a9dafedd0bdc8bf2cdb6e876?lang=bg-BG
+    anti-brute-force-enabled = false;
+
+    inherit download-dir;
+    incomplete-dir = "${download-dir}/incomplete";
+    # transmission regularly fails to move stuff from the incomplete dir to the main one, so disable:
+    incomplete-dir-enabled = false;
+
+    # env vars available in script:
+    # - TR_APP_VERSION - Transmission's short version string, e.g. `4.0.0`
+    # - TR_TIME_LOCALTIME
+    # - TR_TORRENT_BYTES_DOWNLOADED - Number of bytes that were downloaded for this torrent
+    # - TR_TORRENT_DIR - Location of the downloaded data
+    # - TR_TORRENT_HASH - The torrent's info hash
+    # - TR_TORRENT_ID
+    # - TR_TORRENT_LABELS - A comma-delimited list of the torrent's labels
+    # - TR_TORRENT_NAME - Name of torrent (not filename)
+    # - TR_TORRENT_TRACKERS - A comma-delimited list of the torrent's trackers' announce URLs
+    script-torrent-done-enabled = true;
+    script-torrent-done-filename = "${torrent-done}/bin/torrent-done";
+  };
+
+  systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.transmission.serviceConfig = {
+    # run this behind the OVPN static VPN
+    NetworkNamespacePath = "/run/netns/ovpns";
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
+
+    Restart = "on-failure";
+    RestartSec = "30s";
+    BindPaths = [ "/var/media" ];  #< so it can move completed torrents into the media library
+  };
+
+  # service to automatically backup torrents i add to transmission
+  systemd.services.backup-torrents = {
+    description = "archive torrents to storage not owned by transmission";
+    script = ''
+      ${pkgs.rsync}/bin/rsync -arv /var/lib/transmission/.config/transmission-daemon/torrents/ /var/backup/torrents/
+    '';
+  };
+  systemd.timers.backup-torrents = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig = {
+      OnStartupSec = "11min";
+      OnUnitActiveSec = "240min";
+    };
+  };
+
+  # transmission web client
+  services.nginx.virtualHosts."bt.uninsane.org" = {
+    # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
+    forceSSL = true;
+    enableACME = true;
+    # inherit kTLS;
+    locations."/" = {
+      # proxyPass = "http://ovpns.uninsane.org:9091";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091";
+    };
+  };
+
+  sane.dns.zones."uninsane.org".inet.CNAME."bt" = "native";
+  sane.ports.ports."51413" = {
+    protocol = [ "tcp" "udp" ];
+    # visibleTo.ovpns = true;  #< not needed: it runs in the ovpns namespace
+    description = "colin-bittorrent";
+  };
+}
+

hosts/by-name/servo/services/transmission/torrent-done

@@ -0,0 +1,74 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p acl -p bash -p coreutils -p findutils -p rsync -p util-linux
+
+# transmission invokes this with no args, and the following env vars:
+# - TR_TORRENT_DIR: full path to the folder i told transmission to download it to.
+#     e.g. /var/media/torrents/Videos/Film/Jason.Bourne-2016
+# optionally:
+# - TR_DRY_RUN=1
+# - TR_DEBUG=1
+# - TR_NO_HARDLINK=1
+
+DOWNLOAD_DIR=/var/media/torrents
+
+destructive() {
+  if [ -n "${TR_DRY_RUN-}" ]; then
+    echo "[dry-run] $*"
+  else
+    debug "$@"
+    "$@"
+  fi
+}
+debug() {
+  if [ -n "${TR_DEBUG-}" ]; then
+    echo "$@"
+  fi
+}
+
+if [[ "$TR_TORRENT_DIR" =~ ^.*freeleech.*$ ]]; then
+  # freeleech torrents have no place in my permanent library
+  echo "freeleech: nothing to do"
+  exit 0
+fi
+if ! [[ "$TR_TORRENT_DIR" =~ ^$DOWNLOAD_DIR/.*$ ]]; then
+  echo "unexpected torrent dir, aborting: $TR_TORRENT_DIR"
+  exit 0
+fi
+
+REL_DIR="${TR_TORRENT_DIR#$DOWNLOAD_DIR/}"
+MEDIA_DIR="/var/media/$REL_DIR"
+
+destructive mkdir -p "$(dirname "$MEDIA_DIR")"
+destructive rsync -arv "$TR_TORRENT_DIR/" "$MEDIA_DIR/"
+# make the media rwx by anyone in the group
+destructive find "$MEDIA_DIR" -type d -exec setfacl --recursive --modify d:g::rwx,o::rx {} \;
+destructive find "$MEDIA_DIR" -type d -exec chmod g+rw,a+rx {} \;
+
+# if there's a single directory inside the media dir, then inline that
+subdirs=("$MEDIA_DIR"/*)
+debug "top-level items in torrent dir:" "${subdirs[@]}"
+if [ ${#subdirs[@]} -eq 1 ]; then
+  dirname="${subdirs[0]}"
+  debug "exactly one top-level item, checking if directory: $dirname"
+  if [ -d "$dirname" ]; then
+    destructive mv "$dirname"/* "$MEDIA_DIR/" && destructive rmdir "$dirname"
+  fi
+fi
+
+# remove noisy files:
+destructive find "$MEDIA_DIR/" -type f \(\
+     -iname '.*downloaded.?from.*' \
+  -o -iname 'source.txt' \
+  -o -iname 'upcoming.?releases.*' \
+  -o -iname 'www.YTS.*.jpg' \
+  -o -iname 'WWW.YIFY*.COM.jpg' \
+  -o -iname 'YIFY*.com.txt' \
+  -o -iname 'YTS*.com.txt' \
+  \) -exec rm {} \;
+
+if ! [ -n "${TR_NO_HARDLINK}" ]; then
+  # dedupe the whole media library.
+  # yeah, a bit excessive: move this to a cron job if that's problematic
+  #   or make it run with only 1/N probability, etc.
+  destructive hardlink /var/media --reflink=always --ignore-time --verbose
+fi

hosts/by-name/servo/services/trust-dns.nix

@@ -2,24 +2,16 @@
 { config, lib, pkgs, ... }:
 
 let
+  dyn-dns = config.sane.services.dyn-dns;
   nativeAddrs = lib.mapAttrs (_name: builtins.head) config.sane.dns.zones."uninsane.org".inet.A;
-  bindOvpn = "10.0.1.5";
-in lib.mkMerge [
+in
 {
-  services.trust-dns.enable = true;
-
-  # don't bind to IPv6 until i explicitly test that stack
-  services.trust-dns.settings.listen_addrs_ipv6 = [];
-  services.trust-dns.quiet = true;
-  # FIXME(2023/11/26): services.trust-dns.debug doesn't log requests: use RUST_LOG=debug env for that.
-  # - see: <https://github.com/hickory-dns/hickory-dns/issues/2082>
-  # services.trust-dns.debug = true;
-
   sane.ports.ports."53" = {
     protocol = [ "udp" "tcp" ];
     visibleTo.lan = true;
-    visibleTo.wan = true;
-    visibleTo.ovpn = true;
+    # visibleTo.wan = true;
+    visibleTo.ovpns = true;
+    visibleTo.doof = true;
     description = "colin-dns-hosting";
   };
 
@@ -47,6 +39,7 @@ in lib.mkMerge [
     CNAME."native" = "%CNAMENATIVE%";
     A."@" =      "%ANATIVE%";
     A."servo.wan" = "%AWAN%";
+    A."servo.doof" = "%ADOOF%";
     A."servo.lan" = config.sane.hosts.by-name."servo".lan-ip;
     A."servo.hn" = config.sane.hosts.by-name."servo".wg-home.ip;
 
@@ -54,9 +47,9 @@ in lib.mkMerge [
     # it's best that we keep this identical, or a superset of, what org. lists as our NS.
     # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
     A."ns1" =    "%ANATIVE%";
-    A."ns2" =    "185.157.162.178";
-    A."ns3" =    "185.157.162.178";
-    A."ovpns" =  "185.157.162.178";
+    A."ns2" =    "%ADOOF%";
+    A."ns3" =    "%AOVPNS%";
+    A."ovpns" =  "%AOVPNS%";
     NS."@" = [
       "ns1.uninsane.org."
       "ns2.uninsane.org."
@@ -66,145 +59,109 @@ in lib.mkMerge [
 
   services.trust-dns.settings.zones = [ "uninsane.org" ];
 
-  # TODO: can i transform this into some sort of service group?
-  # have `systemctl restart trust-dns.service` restart all the individual services?
-  systemd.services.trust-dns.serviceConfig = {
-    DynamicUser = lib.mkForce false;
-    User = "trust-dns";
-    Group = "trust-dns";
-    wantedBy = lib.mkForce [];
-  };
-  systemd.services.trust-dns.enable = false;
 
-  users.groups.trust-dns = {};
-  users.users.trust-dns = {
-    group = "trust-dns";
-    isSystemUser = true;
-  };
+  networking.nat.enable = true;  #< TODO: try removing this?
+  # networking.nat.extraCommands = ''
+  #   # redirect incoming DNS requests from LAN addresses
+  #   #   to the LAN-specialized DNS service
+  #   # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
+  #   #   because they get cleanly reset across activations or `systemctl restart firewall`
+  #   #   instead of accumulating cruft
+  #   iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
+  #     -m iprange --src-range 10.78.76.0-10.78.79.255 \
+  #     -j DNAT --to-destination :1053
+  #   iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
+  #     -m iprange --src-range 10.78.76.0-10.78.79.255 \
+  #     -j DNAT --to-destination :1053
+  # '';
+  # sane.ports.ports."1053" = {
+  #   # because the NAT above redirects in nixos-nat-pre, LAN requests behave as though they arrived on the external interface at the redirected port.
+  #   # TODO: try nixos-nat-post instead?
+  #   # TODO: or, don't NAT from port 53 -> port 1053, but rather nat from LAN addr to a loopback addr.
+  #   # - this is complicated in that loopback is a different interface than eth0, so rewriting the destination address would cause the packets to just be dropped by the interface
+  #   protocol = [ "udp" "tcp" ];
+  #   visibleTo.lan = true;
+  #   description = "colin-redirected-dns-for-lan-namespace";
+  # };
 
-  # sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
 
-  networking.nat.enable = true;
-  networking.nat.extraCommands = ''
-    # redirect incoming DNS requests from LAN addresses
-    #   to the LAN-specialized DNS service
-    # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
-    #   because they get cleanly reset across activations or `systemctl restart firewall`
-    #   instead of accumulating cruft
-    iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
-      -m iprange --src-range 10.78.76.0-10.78.79.255 \
-      -j DNAT --to-destination :1053
-    iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
-      -m iprange --src-range 10.78.76.0-10.78.79.255 \
-      -j DNAT --to-destination :1053
-  '';
-  sane.ports.ports."1053" = {
-    # because the NAT above redirects in nixos-nat-pre, LAN requests behave as though they arrived on the external interface at the redirected port.
-    # TODO: try nixos-nat-post instead?
-    # TODO: or, don't NAT from port 53 -> port 1053, but rather nat from LAN addr to a loopback addr.
-    # - this is complicated in that loopback is a different interface than eth0, so rewriting the destination address would cause the packets to just be dropped by the interface
-    protocol = [ "udp" "tcp" ];
-    visibleTo.lan = true;
-    description = "colin-redirected-dns-for-lan-namespace";
-  };
-}
-{
-  systemd.services =
-    let
-      sed = "${pkgs.gnused}/bin/sed";
-      stateDir = "/var/lib/trust-dns";
-      zoneTemplate = pkgs.writeText "uninsane.org.zone.in" config.sane.dns.zones."uninsane.org".rendered;
-
-      zoneDirFor = flavor: "${stateDir}/${flavor}";
-      zoneFor = flavor: "${zoneDirFor flavor}/uninsane.org.zone";
-      mkTrustDnsService = opts: flavor: let
-        flags = let baseCfg = config.services.trust-dns; in
-          (lib.optional baseCfg.debug "--debug") ++ (lib.optional baseCfg.quiet "--quiet");
-        flagsStr = builtins.concatStringsSep " " flags;
-
-        anative = nativeAddrs."servo.${flavor}";
-
-        toml = pkgs.formats.toml { };
-        configTemplate = opts.config or (toml.generate "trust-dns-${flavor}.toml" (
-          (
-            lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
-          ) // {
-            listen_addrs_ipv4 = opts.listen or [ anative ];
-          }
-        ));
-        configFile = "${stateDir}/${flavor}-config.toml";
-
-        port = opts.port or 53;
-      in {
-        description = "trust-dns Domain Name Server (serving ${flavor})";
-        unitConfig.Documentation = "https://trust-dns.org/";
-
-        preStart = ''
-          wan=$(cat '${config.sane.services.dyn-dns.ipPath}')
-          ${sed} s/%AWAN%/$wan/ ${configTemplate} > ${configFile}
-        '' + lib.optionalString (!opts ? config) ''
-          mkdir -p ${zoneDirFor flavor}
-          ${sed} \
-            -e s/%CNAMENATIVE%/servo.${flavor}/ \
-            -e s/%ANATIVE%/${anative}/ \
-            -e s/%AWAN%/$wan/ \
-            -e s/%AOVPNS%/185.157.162.178/ \
-            ${zoneTemplate} > ${zoneFor flavor}
-        '';
-        serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
-          ExecStart = ''
-            ${pkgs.trust-dns}/bin/${pkgs.trust-dns.meta.mainProgram} \
-            --port ${builtins.toString port} \
-            --zonedir ${zoneDirFor flavor}/ \
-            --config ${configFile} ${flagsStr}
-          '';
-        };
-
-        after = [ "network.target" ];
-        wantedBy = [ "multi-user.target" ];
-      };
-    in {
-      trust-dns-wan = mkTrustDnsService { listen = [ nativeAddrs."servo.lan" bindOvpn ]; } "wan";
-      trust-dns-lan = mkTrustDnsService { port = 1053; } "lan";
-      trust-dns-hn = mkTrustDnsService { port = 1053; } "hn";
-      trust-dns-hn-resolver = mkTrustDnsService {
-        config = pkgs.writeText "hn-resolver-config.toml" ''
-          # i host a resolver in the wireguard VPN so that clients can resolve DNS through the VPN.
-          # (that's what this file achieves).
-          #
-          # one would expect this resolver could host the authoritative zone for `uninsane.org`, and then forward everything else to the system resolver...
-          # and while that works for `dig`, it breaks for `nslookup` (and so `ssh`, etc).
-          #
-          # DNS responses include a flag for if the responding server is the authority of the zone queried.
-          # it seems that default Linux stub resolvers either:
-          # - expect DNSSEC when the response includes that bit, or
-          # - expect A records to be in the `answer` section instead of `additional` section.
-          # or perhaps something more nuanced. but for `nslookup` to be reliable, it has to talk to an
-          # instance of trust-dns which is strictly a resolver, with no authority.
-          # hence, this config: a resolver which forwards to the actual authority.
-
-          listen_addrs_ipv4 = ["${nativeAddrs."servo.hn"}"]
-          listen_addrs_ipv6 = []
-
-          [[zones]]
-          zone = "uninsane.org"
-          zone_type = "Forward"
-          stores = { type = "forward", name_servers = [{ socket_addr = "${nativeAddrs."servo.hn"}:1053", protocol = "udp", trust_nx_responses = true }] }
-
-          [[zones]]
-          # forward the root zone to the local DNS resolver
-          zone = "."
-          zone_type = "Forward"
-          stores = { type = "forward", name_servers = [{ socket_addr = "127.0.0.53:53", protocol = "udp", trust_nx_responses = true }] }
-        '';
-      } "hn-resolver";
+  sane.services.trust-dns.enable = true;
+  sane.services.trust-dns.instances = let
+    mkSubstitutions = flavor: {
+      "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
+      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
+      "%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
+      "%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
+      "%CNAMENATIVE%" = "servo.${flavor}";
     };
+  in
+  {
+    doof = {
+      substitutions = mkSubstitutions "doof";
+      listenAddrsIpv4 = [
+        config.sane.netns.doof.hostVethIpv4
+        config.sane.netns.ovpns.hostVethIpv4
+      ];
+    };
+    hn = {
+      substitutions = mkSubstitutions "hn";
+      listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
+    };
+    lan = {
+      substitutions = mkSubstitutions "lan";
+      listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
+      # port = 1053;
+    };
+    # wan = {
+    #   substitutions = mkSubstitutions "wan";
+    #   listenAddrsIpv4 = [
+    #     nativeAddrs."servo.lan"
+    #   ];
+    # };
+    # hn-resolver = {
+    #   # don't need %AWAN% here because we forward to the hn instance.
+    #   listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
+    #   extraConfig = {
+    #     zones = [
+    #       {
+    #         zone = "uninsane.org";
+    #         zone_type = "Forward";
+    #         stores = {
+    #           type = "forward";
+    #           name_servers = [
+    #             {
+    #               socket_addr = "${nativeAddrs."servo.hn"}:1053";
+    #               protocol = "udp";
+    #               trust_nx_responses = true;
+    #             }
+    #           ];
+    #         };
+    #       }
+    #       {
+    #         # forward the root zone to the local DNS resolver
+    #         zone = ".";
+    #         zone_type = "Forward";
+    #         stores = {
+    #           type = "forward";
+    #           name_servers = [
+    #             {
+    #               socket_addr = "127.0.0.53:53";
+    #               protocol = "udp";
+    #               trust_nx_responses = true;
+    #             }
+    #           ];
+    #         };
+    #       }
+    #     ];
+    #   };
+    # };
+  };
 
   sane.services.dyn-dns.restartOnChange = [
-    "trust-dns-wan.service"
-    "trust-dns-lan.service"
+    "trust-dns-doof.service"
     "trust-dns-hn.service"
+    "trust-dns-lan.service"
+    # "trust-dns-wan.service"
     # "trust-dns-hn-resolver.service"  # doesn't need restart because it doesn't know about WAN IP
   ];
 }
-]

hosts/common/boot.nix

@@ -0,0 +1,50 @@
+{ lib, pkgs, ... }:
+{
+  boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
+  # useful emergency utils
+  boot.initrd.extraUtilsCommands = ''
+    copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
+    copy_bin_and_libs ${pkgs.util-linux}/bin/{cfdisk,lsblk,lscpu}
+    copy_bin_and_libs ${pkgs.gptfdisk}/bin/{cgdisk,gdisk}
+    copy_bin_and_libs ${pkgs.smartmontools}/bin/smartctl
+    copy_bin_and_libs ${pkgs.e2fsprogs}/bin/resize2fs
+  '' + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 ''
+    copy_bin_and_libs ${pkgs.nvme-cli}/bin/nvme  # doesn't cross compile
+  '';
+  boot.kernelParams = [
+    "boot.shell_on_fail"
+    #v experimental full pre-emption for hopefully better call/audio latency on moby.
+    # also toggleable at runtime via /sys/kernel/debug/sched/preempt
+    # defaults to preempt=voluntary
+    # "preempt=full"
+  ];
+  # other kernelParams:
+  #   "boot.trace"
+  #   "systemd.log_level=debug"
+  #   "systemd.log_target=console"
+
+  # moby has to run recent kernels (defined elsewhere).
+  # meanwhile, kernel variation plays some minor role in things like sandboxing (landlock) and capabilities.
+  # simpler to keep near the latest kernel on all devices,
+  # and also makes certain that any weird system-level bugs i see aren't likely to be stale kernel bugs.
+  # servo needs zfs though, which doesn't support every kernel.
+  boot.kernelPackages = lib.mkDefault pkgs.zfs.latestCompatibleLinuxPackages;
+
+  # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
+  boot.initrd.preFailCommands = "allowShell=1";
+
+  # default: 4 (warn). 7 is debug
+  boot.consoleLogLevel = 7;
+
+  boot.loader.grub.enable = lib.mkDefault false;
+  boot.loader.generic-extlinux-compatible.enable = lib.mkDefault true;
+
+  hardware.enableAllFirmware = true;  # firmware with licenses that don't allow for redistribution. fuck lawyers, fuck IP, give me the goddamn firmware.
+  # hardware.enableRedistributableFirmware = true;  # proprietary but free-to-distribute firmware (extraneous to `enableAllFirmware` option)
+
+  # default is 252274, which is too low particularly for servo.
+  # manifests as spurious "No space left on device" when trying to install watches,
+  # e.g. in dyn-dns by `systemctl start dyn-dns-watcher.path`.
+  # see: <https://askubuntu.com/questions/828779/failed-to-add-run-systemd-ask-password-to-directory-watch-no-space-left-on-dev>
+  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
+}

hosts/common/default.nix

@@ -1,22 +1,30 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
   imports = [
+    ./boot.nix
     ./feeds.nix
     ./fs.nix
-    ./hardware
     ./home
     ./hosts.nix
     ./ids.nix
     ./machine-id.nix
     ./net
-    ./nix-path
+    ./nix.nix
     ./persist.nix
+    ./polyunfill.nix
     ./programs
+    ./quirks.nix
     ./secrets.nix
     ./ssh.nix
+    ./systemd.nix
     ./users
   ];
 
+
+  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
+  # this affects where nixos modules look for stateful data which might have been migrated across releases.
+  system.stateVersion = "21.11";
+
   sane.nixcache.enable-trusted-keys = true;
   sane.nixcache.enable = lib.mkDefault true;
   sane.persist.enable = lib.mkDefault true;
@@ -24,69 +32,9 @@
   sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
   sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
 
-  nixpkgs.config.allowUnfree = true;  # NIXPKGS_ALLOW_UNFREE=1
-  nixpkgs.config.allowBroken = true;  # NIXPKGS_ALLOW_BROKEN=1
-
   # time.timeZone = "America/Los_Angeles";
   time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
 
-  nix.extraOptions = ''
-    # see: `man nix.conf`
-    # useful when a remote builder has a faster internet connection than me
-    builders-use-substitutes = true  # default: false
-    # maximum seconds to wait when connecting to binary substituter
-    connect-timeout = 3  # default: 0
-    # download-attempts = 5  # default: 5
-    # allow `nix flake ...` command
-    experimental-features = nix-command flakes
-    # whether to build from source when binary substitution fails
-    fallback = true  # default: false
-    # whether to keep building dependencies if any other one fails
-    keep-going = true  # default: false
-    # whether to keep build-only dependencies of GC roots (e.g. C compiler) when doing GC
-    keep-outputs = true  # default: false
-    # how many lines to show from failed build
-    log-lines = 30  # default: 10
-    # narinfo-cache-negative-ttl = 3600  # default: 3600
-    # whether to use ~/.local/state/nix/profile instead of ~/.nix-profile, etc
-    use-xdg-base-directories = true  # default: false
-    # whether to warn if repository has uncommited changes
-    warn-dirty = false  # default: true
-  '';
-  # hardlinks identical files in the nix store to save 25-35% disk space.
-  # unclear _when_ this occurs. it's not a service.
-  # does the daemon continually scan the nix store?
-  # does the builder use some content-addressed db to efficiently dedupe?
-  nix.settings.auto-optimise-store = true;
-  # TODO: see if i can remove this?
-  nix.settings.trusted-users = [ "root" ];
-
-  services.journald.extraConfig = ''
-    # docs: `man journald.conf`
-    # merged journald config is deployed to /etc/systemd/journald.conf
-    [Journal]
-    # disable journal compression because the underlying fs is compressed
-    Compress=no
-  '';
-
-  systemd.services.nix-daemon.serviceConfig = {
-    # the nix-daemon manages nix builders
-    # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
-    # see:
-    # - nixos PR that enabled systemd-oomd: <https://github.com/NixOS/nixpkgs/pull/169613>
-    # - systemd's docs on these properties: <https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill>
-    #
-    # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
-    # see `man oomd.conf` for further tunables that may help.
-    #
-    # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
-    # TODO: also apply this to the guest user's slice (user-1100.slice)
-    # TODO: also apply this to distccd
-    ManagedOOMMemoryPressure = "kill";
-    ManagedOOMSwap = "kill";
-  };
-
-
   system.activationScripts.nixClosureDiff = {
     supportsDryActivation = true;
     text = ''
@@ -98,37 +46,6 @@
       fi
     '';
   };
-  system.activationScripts.notifyActive = {
-    text = ''
-      # send a notification to any sway users logged in, that the system has been activated/upgraded.
-      # this probably doesn't work if more than one sway session exists on the system.
-      _notifyActiveSwaySock="$(echo /run/user/*/sway-ipc.*.sock)"
-      if [ -e "$_notifyActiveSwaySock" ]; then
-        SWAYSOCK="$_notifyActiveSwaySock" ${pkgs.sway}/bin/swaymsg -- exec \
-          "${pkgs.libnotify}/bin/notify-send 'nixos activated' 'version: $(cat $systemConfig/nixos-version)'"
-      fi
-    '';
-  };
-
-  # disable non-required packages like nano, perl, rsync, strace
-  environment.defaultPackages = [];
-
-  # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
-  # this lets programs temporarily write user-level dconf settings (aka gsettings).
-  # they're written to ~/.config/dconf/user, unless `DCONF_PROFILE` is set to something other than the default of /etc/dconf/profile/user
-  # find keys/values with `dconf dump /`
-  programs.dconf.enable = true;
-  programs.dconf.packages = [
-    (pkgs.writeTextFile {
-      name = "dconf-user-profile";
-      destination = "/etc/dconf/profile/user";
-      text = ''
-        user-db:user
-        system-db:site
-      '';
-    })
-  ];
-  # sane.programs.glib.enableFor.user.colin = true;  # for `gsettings`
 
   # link debug symbols into /run/current-system/sw/lib/debug
   # hopefully picked up by gdb automatically?

hosts/common/feeds.nix

@@ -1,4 +1,5 @@
 # where to find good stuff?
+# - universal search/directory: <https://podcastindex.org>
 # - podcasts w/ a community: <https://lemmyverse.net/communities?query=podcast>
 # - podcast rec thread: <https://lemmy.ml/post/1565858>
 #
@@ -72,24 +73,26 @@ let
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
     (fromDb "feeds.feedburner.com/dancarlin/history" // rat)
     (fromDb "feeds.feedburner.com/radiolab" // pol)  # Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
-    (fromDb "feeds.libsyn.com/421877" // rat)  # Less Wrong Curated
     (fromDb "feeds.megaphone.fm/behindthebastards" // pol)  # also Maggie Killjoy
-    # (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)  # Daniel Huberman on sleep
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)  # The Verge - Decoder
     (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
     (fromDb "feeds.simplecast.com/82FI35Px" // pol)  # Ezra Klein Show
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)  # Econ Talk
     (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
-    # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
     (fromDb "feeds.transistor.fm/acquired" // tech)
+    (fromDb "fulltimenix.com" // tech)
+    (fromDb "futureofcoding.org/episodes" // tech)
+    (fromDb "hackerpublicradio.org" // tech)
     (fromDb "lexfridman.com/podcast" // rat)
     (fromDb "mapspodcast.libsyn.com" // uncat)  # Multidisciplinary Association for Psychedelic Studies
+    (fromDb "microarch.club" // tech)
+    (fromDb "mintcast.org" // tech)
     (fromDb "omegataupodcast.net" // tech)  # 3/4 German; 1/4 eps are English
     (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)  # Maggie Killjoy -- referenced by Cory Doctorow
+    (fromDb "omny.fm/shows/money-stuff-the-podcast")  # Matt Levine
     (fromDb "omny.fm/shows/the-dollop-with-dave-anthony-and-gareth-reynolds")  # The Dollop history/comedy
     (fromDb "originstories.libsyn.com" // uncat)
     (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
-    # (fromDb "podcast.thelinuxexp.com" // tech)  # low-brow linux/foss PR announcements
     (fromDb "politicalorphanage.libsyn.com" // pol)
     (fromDb "reverseengineering.libsyn.com/rss" // tech)  # UnNamed Reverse Engineering Podcast
     (fromDb "rss.acast.com/deconstructed")  # The Intercept - Deconstructed
@@ -102,14 +105,21 @@ let
     (fromDb "sharkbytes.transistor.fm" // tech)  # Wireshark Podcast o_0
     (fromDb "sscpodcast.libsyn.com" // rat)  # Astral Codex Ten
     (fromDb "talesfromthebridge.buzzsprout.com" // tech)  # Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
+    (fromDb "theamphour.com" // tech)
+    (fromDb "techtalesshow.com" // tech)  # Corbin Davenport
     (fromDb "techwontsave.us" // pol)  # rec by Cory Doctorow
-    # (fromDb "trashfuturepodcast.podbean.com" // pol)  # rec by Cory Doctorow, but way rambly
     (fromDb "wakingup.libsyn.com" // pol)  # Sam Harris
     (fromDb "werenotwrong.fireside.fm" // pol)
+    (mkPod "https://sfconservancy.org/casts/the-corresponding-source/feeds/ogg/" // tech)
 
+    # (fromDb "feeds.libsyn.com/421877" // rat)  # Less Wrong Curated
+    # (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)  # Daniel Huberman on sleep
+    # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
+    # (fromDb "podcast.thelinuxexp.com" // tech)  # low-brow linux/foss PR announcements
     # (fromDb "rss.art19.com/your-welcome" // pol)  # Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
     # (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)  #< possible URL rot
+    # (fromDb "trashfuturepodcast.podbean.com" // pol)  # rec by Cory Doctorow, but way rambly
     # (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)  # Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
     # (mkPod "https://audioboom.com/channels/5097784.rss" // tech)  # Lateral with Tom Scott
     # (mkPod "https://feeds.megaphone.fm/RUNMED9919162779" // pol // infrequent)  # The Witch Trials of J.K. Rowling: <https://www.thefp.com/witchtrials>
@@ -117,12 +127,15 @@ let
   ];
 
   texts = [
+    (fromDb "acoup.blog/feed")  # history, states. author: <https://historians.social/@bretdevereaux/following>
     (fromDb "amosbbatto.wordpress.com" // tech)
+    (fromDb "anish.lakhwara.com" // tech)
+    (fromDb "apenwarr.ca/log/rss.php" // tech)  # CEO of tailscale
     (fromDb "applieddivinitystudies.com" // rat)
     (fromDb "artemis.sh" // tech)
     (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
     (fromDb "austinvernon.site" // tech)
-    (fromDb "balajis.com" // pol)  # Balaji
+    (fromDb "buttondown.email" // tech)
     (fromDb "ben-evans.com/benedictevans" // pol)
     (fromDb "bitbashing.io" // tech)
     (fromDb "bitsaboutmoney.com" // uncat)
@@ -133,19 +146,19 @@ let
     (fromDb "blog.thalheim.io" // tech)  # Mic92
     (fromDb "bunniestudios.com" // tech)  # Bunnie Juang
     (fromDb "capitolhillseattle.com" // pol)
-    # (fromDb "drewdevault.com" // tech)
-    # (fromDb "econlib.org" // pol)
     (fromDb "edwardsnowden.substack.com" // pol // text)
     (fromDb "fasterthanli.me" // tech)
     (fromDb "gwern.net" // rat)
+    (fromDb "hardcoresoftware.learningbyshipping.com" // tech)  # Steven Sinofsky
     (fromDb "harihareswara.net" // tech // pol)  # rec by Cory Doctorow
     (fromDb "ianthehenry.com" // tech)
     (fromDb "idiomdrottning.org" // uncat)
     (fromDb "interconnected.org/home/feed" // rat)  # Matt Webb -- engineering-ish, but dreamy
     (fromDb "jeffgeerling.com" // tech)
     (fromDb "jefftk.com" // tech)
+    (fromDb "jwz.org/blog" // tech // pol)  # DNA lounge guy, loooong-time blogger
+    (fromDb "kill-the-newsletter.com/feeds/joh91bv7am2pnznv.xml" // pol)  # Matt Levine - Money Stuff
     (fromDb "kosmosghost.github.io/index.xml" // tech)
-    # (fromDb "lesswrong.com" // rat)
     (fromDb "linmob.net" // tech)
     (fromDb "lwn.net" // tech)
     (fromDb "lynalden.com" // pol)
@@ -153,52 +166,64 @@ let
     (fromDb "mg.lol" // tech)
     (fromDb "mindingourway.com" // rat)
     (fromDb "morningbrew.com/feed" // pol)
+    (fromDb "nixpkgs.news" // tech)
     (fromDb "overcomingbias.com" // rat)  # Robin Hanson
     (fromDb "palladiummag.com" // uncat)
     (fromDb "philosopher.coach" // rat)  # Peter Saint-Andre -- side project of stpeter.im
     (fromDb "pomeroyb.com" // tech)
+    (fromDb "postmarketos.org/blog" // tech)
     (fromDb "preposterousuniverse.com" // rat)  # Sean Carroll
-    (fromDb "profectusmag.com" // uncat)
     (fromDb "project-insanity.org" // tech)  # shared blog by a few NixOS devs, notably onny
     (fromDb "putanumonit.com" // rat)  # mostly dating topics. not advice, or humor, but looking through a social lens
     (fromDb "richardcarrier.info" // rat)
     (fromDb "rifters.com/crawl" // uncat)  # No Moods, Ads or Cutesy Fucking Icons
     (fromDb "righto.com" // tech)  # Ken Shirriff
     (fromDb "rootsofprogress.org" // rat)  # Jason Crawford
+    (fromDb "samuel.dionne-riel.com" // tech)  # SamuelDR
     (fromDb "sagacioussuricata.com" // tech)  # ian (Sanctuary)
     (fromDb "semiaccurate.com" // tech)
     (fromDb "sideways-view.com" // rat)  # Paul Christiano
+    (fromDb "slatecave.net" // tech)
     (fromDb "slimemoldtimemold.com" // rat)
     (fromDb "spectrum.ieee.org" // tech)
     (fromDb "stpeter.im/atom.xml" // pol)
-    # (fromDb "theregister.com" // tech)
+    (fromDb "thediff.co" // pol)  # Byrne Hobart
     (fromDb "thisweek.gnome.org" // tech)
     (fromDb "tuxphones.com" // tech)
     (fromDb "uninsane.org" // tech)
     (fromDb "unintendedconsequenc.es" // rat)
-    # (fromDb "vitalik.ca" // tech)  # moved to vitalik.eth.limo
     (fromDb "vitalik.eth.limo" // tech)  # Vitalik Buterin
-    (fromDb "webcurious.co.uk" // uncat)
+    (fromDb "weekinethereumnews.com" // tech)
+    (fromDb "willow.phantoma.online")  # wizard@xyzzy.link
     (fromDb "xn--gckvb8fzb.com" // tech)
+    (fromDb "xorvoid.com" // tech)
     (mkSubstack "astralcodexten" // rat // daily)  # Scott Alexander
-    (mkSubstack "byrnehobart" // pol // infrequent)
-    # (mkSubstack "doomberg" // tech // weekly)  # articles are all pay-walled
     (mkSubstack "eliqian" // rat // weekly)
     (mkSubstack "oversharing" // pol // daily)
     (mkSubstack "samkriss" // humor // infrequent)
     (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
     (mkText "http://boginjr.com/feed" // tech // infrequent)
-    (mkText "https://acoup.blog/feed" // rat // weekly)
-    (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
     (mkText "https://forum.merveilles.town/rss.xml" // pol // infrequent)  #quality RSS list here: <https://forum.merveilles.town/thread/57/share-your-rss-feeds%21-6/>
-    # (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
     (mkText "https://jvns.ca/atom.xml" // tech // weekly)  # Julia Evans
     (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
     (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)  # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
     (mkText "https://nixos.org/blog/stories-rss.xml" // tech // weekly)
-    # (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
-    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)  # Matt Levine
+    (mkText "https://solar.lowtechmagazine.com/posts/index.xml" // tech // weekly)
     (mkText "https://www.stratechery.com/rss" // pol // weekly)  # Ben Thompson
+
+    # (fromDb "balajis.com" // pol)  # Balaji
+    # (fromDb "drewdevault.com" // tech)
+    # (fromDb "econlib.org" // pol)
+    # (fromDb "lesswrong.com" // rat)
+    # (fromDb "profectusmag.com" // pol)  # some conservative/libertarian think tank
+    # (fromDb "thesideview.co" // uncat)  # spiritual journal; RSS items are stubs
+    # (fromDb "theregister.com" // tech)
+    # (fromDb "vitalik.ca" // tech)  # moved to vitalik.eth.limo
+    # (fromDb "webcurious.co.uk" // uncat)  # link aggregator; defunct?
+    # (mkSubstack "doomberg" // tech // weekly)  # articles are all pay-walled
+    # (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
+    # (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
+    # (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)  # Matt Levine (preview/paywalled)
   ];
 
   videos = [
@@ -208,17 +233,22 @@ let
     (fromDb "youtube.com/@Exurb1a")
     (fromDb "youtube.com/@hbomberguy")
     (fromDb "youtube.com/@JackStauber")
+    (fromDb "youtube.com/@NativLang")
     (fromDb "youtube.com/@PolyMatter")
-    # (fromDb "youtube.com/@rossmanngroup" // pol // tech)  # Louis Rossmann
     (fromDb "youtube.com/@TechnologyConnections" // tech)
     (fromDb "youtube.com/@TheB1M")
     (fromDb "youtube.com/@TomScottGo")
     (fromDb "youtube.com/@Vihart")
     (fromDb "youtube.com/@Vox")
-    (fromDb "youtube.com/@Vsauce")
+    # (fromDb "youtube.com/@Vsauce")  # they're all like 1-minute long videos now? what happened @Vsauce?
+
+    # (fromDb "youtube.com/@rossmanngroup" // pol // tech)  # Louis Rossmann
   ];
 
   images = [
+    (fromDb "catandgirl.com" // img // humor)
+    (fromDb "davidrevoy.com" // img // art)
+    (fromDb "grumpy.website" // img // humor)
     (fromDb "miniature-calendar.com" // img // art // daily)
     (fromDb "pbfcomics.com" // img // humor)
     (fromDb "poorlydrawnlines.com/feed" // img // humor)

hosts/common/fs.nix

@@ -1,40 +1,73 @@
 # docs
 # - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
+# - fuse options: `man mount.fuse`
 
-{ lib, pkgs, sane-lib, ... }:
+{ config, lib, pkgs, sane-lib, utils, ... }:
 
 let
   fsOpts = rec {
     common = [
       "_netdev"
       "noatime"
-      "user"  # allow any user with access to the device to mount the fs
+      # user: allow any user with access to the device to mount the fs.
+      #       note that this requires a suid `mount` binary; see: <https://zameermanji.com/blog/2022/8/5/using-fuse-without-root-on-linux/>
+      "user"
       "x-systemd.requires=network-online.target"
       "x-systemd.after=network-online.target"
       "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
     ];
-    auto = [ "x-systemd.automount" ];
-    noauto = [ "noauto" ];  # don't mount as part of remote-fs.target
+    # x-systemd.automount: mount the fs automatically *on first access*.
+    # creates a `path-to-mount.automount` systemd unit.
+    automount = [ "x-systemd.automount" ];
+    # noauto: don't mount as part of remote-fs.target.
+    # N.B.: `remote-fs.target` is a dependency of multi-user.target, itself of graphical.target.
+    # hence, omitting `noauto` can slow down boots.
+    noauto = [ "noauto" ];
+    # lazyMount: defer mounting until first access from userspace.
+    # see: `man systemd.automount`, `man automount`, `man autofs`
+    lazyMount = noauto ++ automount;
     wg = [
       "x-systemd.requires=wireguard-wg-home.service"
       "x-systemd.after=wireguard-wg-home.service"
     ];
 
-    ssh = common ++ [
-      "identityfile=/home/colin/.ssh/id_ed25519"
-      "allow_other"
+    fuse = [
+      "allow_other"  # allow users other than the one who mounts it to access it. needed, if systemd is the one mounting this fs (as root)
+      # allow_root: allow root to access files on this fs (if mounted by non-root, else it can always access them).
+      #             N.B.: if both allow_root and allow_other are specified, then only allow_root takes effect.
+      # "allow_root"
+      # default_permissions: enforce local permissions check. CRUCIAL if using `allow_other`.
+      # w/o this, permissions mode of sshfs is like:
+      # - sshfs runs all remote commands as the remote user.
+      # - if a local user has local permissions to the sshfs mount, then their file ops are sent blindly across the tunnel.
+      # - `allow_other` allows *any* local user to access the mount, and hence any local user can now freely become the remote mapped user.
+      # with default_permissions, sshfs doesn't tunnel file ops from users until checking that said user could perform said op on an equivalent local fs.
       "default_permissions"
     ];
-    sshColin = ssh ++ [
-      "transform_symlinks"
-      "idmap=user"
+    fuseColin = fuse ++ [
       "uid=1000"
       "gid=100"
     ];
-    sshRoot = ssh ++ [
-      # we don't transform_symlinks because that breaks the validity of remote /nix stores
-      "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
+
+    ssh = common ++ fuse ++ [
+      "identityfile=/home/colin/.ssh/id_ed25519"
+      # i *think* idmap=user means that `colin` on `localhost` and `colin` on the remote are actually treated as the same user, even if their uid/gid differs?
+      # i.e., local colin's id is translated to/from remote colin's id on every operation?
+      "idmap=user"
     ];
+    sshColin = ssh ++ fuseColin ++ [
+      # follow_symlinks: remote files which are symlinks are presented to the local system as ordinary files (as the target of the symlink).
+      #                  if the symlink target does not exist, the presentation is unspecified.
+      #                  symlinks which point outside the mount ARE followed. so this is more capable than `transform_symlinks`
+      "follow_symlinks"
+      # symlinks on the remote fs which are absolute paths are presented to the local system as relative symlinks pointing to the expected data on the remote fs.
+      # only symlinks which would point inside the mountpoint are translated.
+      "transform_symlinks"
+    ];
+    # sshRoot = ssh ++ [
+    #   # we don't transform_symlinks because that breaks the validity of remote /nix stores
+    #   "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
+    # ];
     # in the event of hunt NFS mounts, consider:
     # - <https://unix.stackexchange.com/questions/31979/stop-broken-nfs-mounts-from-locking-a-directory>
 
@@ -42,28 +75,103 @@ let
     # actimeo=n  = how long (in seconds) to cache file/dir attributes (default: 3-60s)
     # bg         = retry failed mounts in the background
     # retry=n    = for how many minutes `mount` will retry NFS mount operation
+    # intr       = allow Ctrl+C to abort I/O (it will error with `EINTR`)
     # soft       = on "major timeout", report I/O error to userspace
+    # softreval  = on "major timeout", service the request using known-stale cache results instead of erroring -- if such cache data exists
     # retrans=n  = how many times to retry a NFS request before giving userspace a "server not responding" error (default: 3)
     # timeo=n    = number of *deciseconds* to wait for a response before retrying it (default: 600)
     #              note: client uses a linear backup, so the second request will have double this timeout, then triple, etc.
+    # proto=udp  = encapsulate protocol ops inside UDP packets instead of a TCP session.
+    #              requires `nfsvers=3` and a kernel compiled with `NFS_DISABLE_UDP_SUPPORT=n`.
+    #              UDP might be preferable to TCP because the latter is liable to hang for ~100s (kernel TCP timeout) after a link drop.
+    #              however, even UDP has issues with `umount` hanging.
+    #
+    # N.B.: don't change these without first testing the behavior of sandboxed apps on a flaky network.
     nfs = common ++ [
-      # "actimeo=10"
-      "bg"
-      "retrans=4"
+      # "actimeo=5"
+      # "bg"
+      "retrans=1"
       "retry=0"
+      # "intr"
       "soft"
-      "timeo=15"
+      "softreval"
+      "timeo=30"
       "nofail"  # don't fail remote-fs.target when this mount fails  (not an option for sshfs else would be common)
+      # "proto=udp"  # default kernel config doesn't support NFS over UDP: <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1964093> (see comment 11).
+      # "nfsvers=3"  # NFSv4+ doesn't support UDP at *all*. it's ok to omit nfsvers -- server + client will negotiate v3 based on udp requirement. but omitting causes confusing mount errors when the server is *offline*, because the client defaults to v4 and thinks the udp option is a config error.
+      # "x-systemd.idle-timeout=10"  # auto-unmount after this much inactivity
+    ];
+
+    # manually perform a ftp mount via e.g.
+    #   curlftpfs -o ftpfs_debug=2,user=anonymous:anonymous,connect_timeout=10 -f -s ftp://servo-hn /mnt/my-ftp
+    ftp = common ++ fuseColin ++ [
+      # "ftpfs_debug=2"
+      "user=colin:ipauth"
+      # connect_timeout=10: casting shows to T.V. fails partway through about half the time
+      "connect_timeout=20"
     ];
   };
   remoteHome = host: {
-    fileSystems."/mnt/${host}-home" = {
+    sane.programs.sshfs-fuse.enableFor.system = true;
+    fileSystems."/mnt/${host}/home" = {
       device = "colin@${host}:/home/colin";
       fsType = "fuse.sshfs";
-      options = fsOpts.sshColin ++ fsOpts.noauto;
+      options = fsOpts.sshColin ++ fsOpts.lazyMount;
       noCheck = true;
     };
-    sane.fs."/mnt/${host}-home" = sane-lib.fs.wantedDir;
+    sane.fs."/mnt/${host}/home" = sane-lib.fs.wanted {
+      dir.acl.user = "colin";
+      dir.acl.group = "users";
+      dir.acl.mode = "0700";
+    };
+  };
+  remoteServo = subdir: {
+    sane.programs.curlftpfs.enableFor.system = true;
+    sane.fs."/mnt/servo/${subdir}" = sane-lib.fs.wanted {
+      dir.acl.user = "colin";
+      dir.acl.group = "users";
+      dir.acl.mode = "0750";
+    };
+    fileSystems."/mnt/servo/${subdir}" = {
+      device = "ftp://servo-hn:/${subdir}";
+      noCheck = true;
+      fsType = "fuse.curlftpfs";
+      options = fsOpts.ftp ++ fsOpts.noauto ++ fsOpts.wg;
+      # fsType = "nfs";
+      # options = fsOpts.nfs ++ fsOpts.lazyMount ++ fsOpts.wg;
+    };
+    systemd.services."automount-servo-${utils.escapeSystemdPath subdir}" = let
+      fs = config.fileSystems."/mnt/servo/${subdir}";
+    in {
+      # this is a *flaky* network mount, especially on moby.
+      # if done as a normal autofs mount, access will eternally block when network is dropped.
+      # notably, this would block *any* sandboxed app which allows media access, whether they actually try to use that media or not.
+      # a practical solution is this: mount as a service -- instead of autofs -- and unmount on timeout error, in a restart loop.
+      # until the ftp handshake succeeds, nothing is actually mounted to the vfs, so this doesn't slow down any I/O when network is down.
+      description = "automount /mnt/servo/${subdir} in a fault-tolerant and non-blocking manner";
+      after = [ "network-online.target" ];
+      requires = [ "network-online.target" ];
+      wantedBy = [ "default.target" ];
+
+      serviceConfig.Type = "simple";
+      serviceConfig.ExecStart = lib.escapeShellArgs [
+        "/usr/bin/env"
+        "PATH=/run/current-system/sw/bin"
+        "mount.${fs.fsType}"
+        "-f"  # foreground (i.e. don't daemonize)
+        "-s"  # single-threaded (TODO: it's probably ok to disable this?)
+        "-o"
+        (lib.concatStringsSep "," (lib.filter (o: !lib.hasPrefix "x-systemd." o) fs.options))
+        fs.device
+        "/mnt/servo/${subdir}"
+      ];
+      # not sure if this configures a linear, or exponential backoff.
+      # but the first restart will be after `RestartSec`, and the n'th restart (n = RestartSteps) will be RestartMaxDelaySec after the n-1'th exit.
+      serviceConfig.Restart = "always";
+      serviceConfig.RestartSec = "10s";
+      serviceConfig.RestartMaxDelaySec = "120s";
+      serviceConfig.RestartSteps = "5";
+    };
   };
 in
 lib.mkMerge [
@@ -99,45 +207,31 @@ lib.mkMerge [
     # but it decreases working memory under the heaviest of loads by however much space the compressed memory occupies (e.g. 50% if 2:1; 25% if 4:1)
     zramSwap.memoryPercent = 100;
 
-    # fileSystems."/mnt/servo-nfs" = {
-    #   device = "servo-hn:/";
-    #   noCheck = true;
-    #   fsType = "nfs";
-    #   options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
-    # };
-    fileSystems."/mnt/servo-nfs/media" = {
-      device = "servo-hn:/media";
-      noCheck = true;
-      fsType = "nfs";
-      options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
-    };
-    fileSystems."/mnt/servo-nfs/playground" = {
-      device = "servo-hn:/playground";
-      noCheck = true;
-      fsType = "nfs";
-      options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
-    };
-    # fileSystems."/mnt/servo-media-nfs" = {
-    #   device = "servo-hn:/media";
-    #   noCheck = true;
-    #   fsType = "nfs";
-    #   options = fsOpts.common ++ fsOpts.auto;
-    # };
-    sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
+    # environment.pathsToLink = [
+    #   # needed to achieve superuser access for user-mounted filesystems (see sshRoot above)
+    #   # we can only link whole directories here, even though we're only interested in pkgs.openssh
+    #   "/libexec"
+    # ];
 
-    environment.pathsToLink = [
-      # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
-      # we can only link whole directories here, even though we're only interested in pkgs.openssh
-      "/libexec"
-    ];
-
-    environment.systemPackages = [
-      pkgs.sshfs-fuse
-    ];
+    programs.fuse.userAllowOther = true;  #< necessary for `allow_other` or `allow_root` options.
   }
 
+  (remoteHome "crappy")
   (remoteHome "desko")
   (remoteHome "lappy")
   (remoteHome "moby")
+  # this granularity of servo media mounts is necessary to support sandboxing:
+  # for flaky mounts, we can only bind the mountpoint itself into the sandbox,
+  # so it's either this or unconditionally bind all of media/.
+  (remoteServo "media/archive")
+  (remoteServo "media/Books")
+  (remoteServo "media/collections")
+  # (remoteServo "media/datasets")
+  (remoteServo "media/games")
+  (remoteServo "media/Music")
+  (remoteServo "media/Pictures/macros")
+  (remoteServo "media/torrents")
+  (remoteServo "media/Videos")
+  (remoteServo "playground")
 ]
 

hosts/common/hardware/default.nix

@@ -1,89 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./x86_64.nix
-  ];
-
-  boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
-  # useful emergency utils
-  boot.initrd.extraUtilsCommands = ''
-    copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
-    copy_bin_and_libs ${pkgs.util-linux}/bin/{cfdisk,lsblk,lscpu}
-    copy_bin_and_libs ${pkgs.gptfdisk}/bin/{cgdisk,gdisk}
-    copy_bin_and_libs ${pkgs.smartmontools}/bin/smartctl
-    copy_bin_and_libs ${pkgs.e2fsprogs}/bin/resize2fs
-  '' + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 ''
-    copy_bin_and_libs ${pkgs.nvme-cli}/bin/nvme  # doesn't cross compile
-  '';
-  boot.kernelParams = [
-    "boot.shell_on_fail"
-    #v experimental full pre-emption for hopefully better call/audio latency on moby.
-    # also toggleable at runtime via /sys/kernel/debug/sched/preempt
-    # defaults to preempt=voluntary
-    # "preempt=full"
-  ];
-  # other kernelParams:
-  #   "boot.trace"
-  #   "systemd.log_level=debug"
-  #   "systemd.log_target=console"
-
-  # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
-  boot.initrd.preFailCommands = "allowShell=1";
-
-  # default: 4 (warn). 7 is debug
-  boot.consoleLogLevel = 7;
-
-  boot.loader.grub.enable = lib.mkDefault false;
-  boot.loader.generic-extlinux-compatible.enable = lib.mkDefault true;
-
-  # non-free firmware
-  hardware.enableRedistributableFirmware = true;
-
-  # default is 252274, which is too low particularly for servo.
-  # manifests as spurious "No space left on device" when trying to install watches,
-  # e.g. in dyn-dns by `systemctl start dyn-dns-watcher.path`.
-  # see: <https://askubuntu.com/questions/828779/failed-to-add-run-systemd-ask-password-to-directory-watch-no-space-left-on-dev>
-  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
-
-  # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
-  powerManagement.powertop.enable = false;
-  # linux CPU governor: <https://www.kernel.org/doc/Documentation/cpu-freq/governors.txt>
-  # - options:
-  #   - "powersave" => force CPU to always run at lowest supported frequency
-  #   - "performance" => force CPU to always run at highest frequency
-  #   - "ondemand" => adjust frequency based on load
-  #   - "conservative"  (ondemand but slower to adjust)
-  #   - "schedutil"
-  #   - "userspace"
-  # - not all options are available for all platforms
-  #   - intel (intel_pstate) appears to manage scaling w/o intervention/control from the OS.
-  #   - AMD (acpi-cpufreq) appears to manage scaling via the OS *or* HW. but the ondemand defaults never put it to max hardware frequency.
-  #   - qualcomm (cpufreq-dt) appears to manage scaling *only* via the OS. ondemand governor exercises the full range.
-  # - query details with `sudo cpupower frequency-info`
-  powerManagement.cpuFreqGovernor = "ondemand";
-
-  services.logind.extraConfig = ''
-    # see: `man logind.conf`
-    # don’t shutdown when power button is short-pressed (commonly done an accident, or by cats).
-    #   but do on long-press: useful to gracefully power-off server.
-    HandlePowerKey=lock
-    HandlePowerKeyLongPress=poweroff
-    HandleLidSwitch=lock
-  '';
-
-  # some packages build only if binfmt *isn't* present
-  nix.settings.system-features = lib.mkIf (config.boot.binfmt.emulatedSystems == []) [
-    "no-binfmt"
-  ];
-
-  # services.snapper.configs = {
-  #   root = {
-  #     subvolume = "/";
-  #     extraConfig = {
-  #       ALLOW_USERS = "colin";
-  #     };
-  #   };
-  # };
-  # services.snapper.snapshotInterval = "daily";
-}

hosts/common/hardware/x86_64.nix

@@ -1,15 +0,0 @@
-{ lib, pkgs, ... }:
-
-{
-  config = lib.mkIf (pkgs.system == "x86_64-linux") {
-    boot.initrd.availableKernelModules = [
-      "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
-      "usb_storage"   # rpi needed this to boot from usb storage, i think.
-      "nvme"  # to boot from nvme devices
-      # efi_pstore evivars
-    ];
-
-    hardware.cpu.amd.updateMicrocode = true;    # desktop
-    hardware.cpu.intel.updateMicrocode = true;  # laptop
-  };
-}

hosts/common/home/default.nix

@@ -1,7 +1,7 @@
 { ... }:
 {
   imports = [
-    ./keyring
+    ./fs.nix
     ./mime.nix
     ./ssh.nix
     ./xdg-dirs.nix

hosts/common/home/fs.nix

@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+{
+  sane.user.persist.byStore.plaintext = [
+    "archive"
+    "dev"
+    # TODO: records should be private
+    "records"
+    "ref"
+    "tmp"
+    "use"
+    "Books/local"
+    "Music"
+    "Pictures/albums"
+    "Pictures/cat"
+    "Pictures/from"
+    "Pictures/Screenshots"  #< XXX: something is case-sensitive about this?
+    "Pictures/Photos"
+    "Videos/local"
+
+    # these are persisted simply to save on RAM.
+    # ~/.cache/nix can become several GB.
+    # mesa_shader_cache is < 10 MB.
+    # TODO: integrate with sane.programs.sandbox?
+    ".cache/mesa_shader_cache"
+    ".cache/nix"
+  ];
+  sane.user.persist.byStore.private = [
+    "knowledge"
+  ];
+
+  # convenience
+  sane.user.fs = let
+    persistEnabled = config.sane.persist.enable;
+  in {
+    ".persist/private" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.private.origin; };
+    ".persist/plaintext" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.plaintext.origin; };
+    ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.cryptClearOnBoot.origin; };
+
+    "nixos".symlink.target = "dev/nixos";
+
+    "Books/servo".symlink.target = "/mnt/servo/media/Books";
+    "Videos/servo".symlink.target = "/mnt/servo/media/Videos";
+    "Pictures/servo-macros".symlink.target = "/mnt/servo/media/Pictures/macros";
+  };
+}

hosts/common/home/keyring/default.nix

@@ -1,17 +0,0 @@
-{ config, pkgs, sane-lib, ... }:
-
-let
-  init-keyring = pkgs.static-nix-shell.mkBash {
-    pname = "init-keyring";
-    src = ./.;
-  };
-in
-{
-  sane.user.persist.byStore.private = [ ".local/share/keyrings" ];
-
-  sane.user.fs."private/.local/share/keyrings/default" = {
-    generated.command = [ "${init-keyring}/bin/init-keyring" ];
-    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
-    wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
-  };
-}

hosts/common/home/keyring/init-keyring

@@ -1,21 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash
-# initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
-# this initializes it to be plaintext/unencrypted.
-
-ringdir=/home/colin/private/.local/share/keyrings
-if test -f "$ringdir/default"
-then
-  echo 'keyring already initialized: not doing anything'
-else
-  keyring="$ringdir/Default_keyring.keyring"
-
-  echo 'initializing default user keyring:' "$keyring.new"
-  echo '[keyring]' > "$keyring.new"
-  echo 'display-name=Default keyring' >> "$keyring.new"
-  echo 'lock-on-idle=false' >> "$keyring.new"
-  echo 'lock-after=false' >> "$keyring.new"
-  chown colin:users "$keyring.new"
-  # closest to an atomic update we can achieve
-  mv "$keyring.new" "$keyring" && echo -n "Default_keyring" > "$ringdir/default"
-fi

hosts/common/home/mime.nix

@@ -1,4 +1,5 @@
-{ config, lib, ...}:
+# TODO: move into modules/users.nix
+{ config, lib, pkgs, ...}:
 
 let
   # [ ProgramConfig ]
@@ -6,6 +7,9 @@ let
     (p: p.enabled)
     (builtins.attrValues config.sane.programs);
 
+  # [ ProgramConfig ]
+  enabledProgramsWithPackage = builtins.filter (p: p.package != null) enabledPrograms;
+
   # [ { "<mime-type>" = { prority, desktop } ]
   enabledWeightedMimes = builtins.map weightedMimes enabledPrograms;
 
@@ -21,23 +25,70 @@ let
 
   # [ { priority, desktop } ... ] -> Self
   sortOneMimeType = associations: builtins.sort
-    (l: r: assert l.priority != r.priority; l.priority < r.priority)
+    (l: r: lib.throwIf
+      (l.priority == r.priority)
+      "${l.desktop} and ${r.desktop} share a preferred mime type with identical priority ${builtins.toString l.priority} (and so the desired association is ambiguous)"
+      (l.priority < r.priority)
+    )
     associations;
   sortMimes = mimes: builtins.mapAttrs (_k: sortOneMimeType) mimes;
+  # { "<mime-type>"} = [ { priority, desktop } ... ]; } -> { "<mime-type>" = [ "<desktop>" ... ]; }
   removePriorities = mimes: builtins.mapAttrs
     (_k: associations: builtins.map (a: a.desktop) associations)
     mimes;
+  # { "<mime-type>" = [ "<desktop>" ... ]; } -> { "<mime-type>" = "<desktop1>;<desktop2>;..."; }
+  formatDesktopLists = mimes: builtins.mapAttrs
+    (_k: desktops: lib.concatStringsSep ";" desktops)
+    mimes;
+
+  mimeappsListPkg = pkgs.writeTextDir "share/applications/mimeapps.list" (
+    lib.generators.toINI { } {
+      "Default Applications" = formatDesktopLists (removePriorities (sortMimes (mergeMimes enabledWeightedMimes)));
+    }
+  );
+
+  localShareApplicationsPkg = (pkgs.symlinkJoin {
+    name = "user-local-share-applications";
+    paths = builtins.map
+      (p: builtins.toString p.package)
+      (enabledProgramsWithPackage ++ [ { package=mimeappsListPkg; } ]);
+  }).overrideAttrs (orig: {
+    # like normal symlinkJoin, but don't error if the path doesn't exist
+    buildCommand = ''
+      mkdir -p $out/share/applications
+      for i in $(cat $pathsPath); do
+        if [ -e "$i/share/applications" ]; then
+          ${pkgs.buildPackages.xorg.lndir}/bin/lndir -silent $i/share/applications $out/share/applications
+        fi
+      done
+      runHook postBuild
+    '';
+    postBuild = ''
+      # rebuild `mimeinfo.cache`, used by file openers to show the list of *all* apps, not just the user's defaults.
+      ${pkgs.buildPackages.desktop-file-utils}/bin/update-desktop-database $out/share/applications
+    '';
+  });
+
 in
 {
   # the xdg mime type for a file can be found with:
   # - `xdg-mime query filetype path/to/thing.ext`
   # the default handler for a mime type can be found with:
   # - `xdg-mime query default <mimetype>`  (e.g. x-scheme-handler/http)
+  # the nix-configured handler can be found `nix-repl > :lf . > hostConfigs.desko.xdg.mime.defaultApplications`
+  #
+  # glib/gio is queried via glib.bin output:
+  # - `gio mime x-scheme-handler/https`
+  # - `gio open <path_or_url>`
+  # - `gio launch </path/to/app.desktop>`
   #
   # we can have single associations or a list of associations.
   # there's also options to *remove* [non-default] associations from specific apps
-  xdg.mime.enable = true;
-  xdg.mime.defaultApplications = removePriorities (sortMimes (mergeMimes enabledWeightedMimes));
-
+  # N.B.: don't use nixos' `xdg.mime` option becaue that caues `/share/applications` to be linked into the whole system,
+  # which limits what i can do around sandboxing. getting the default associations to live in ~/ makes it easier to expose
+  # the associations to apps selectively.
+  # xdg.mime.enable = true;
+  # xdg.mime.defaultApplications = removePriorities (sortMimes (mergeMimes enabledWeightedMimes));
 
+  sane.user.fs.".local/share/applications".symlink.target = "${localShareApplicationsPkg}/share/applications";
 }

hosts/common/home/xdg-dirs.nix

@@ -3,13 +3,18 @@
 {
   # XDG defines things like ~/Desktop, ~/Downloads, etc.
   # these clutter the home, so i mostly don't use them.
+  # note that several of these are not actually standardized anywhere.
+  # some are even non-conventional, like:
+  # - XDG_PHOTOS_DIR: only works because i patch e.g. megapixels
   sane.user.fs.".config/user-dirs.dirs".symlink.text = ''
     XDG_DESKTOP_DIR="$HOME/.xdg/Desktop"
     XDG_DOCUMENTS_DIR="$HOME/dev"
     XDG_DOWNLOAD_DIR="$HOME/tmp"
     XDG_MUSIC_DIR="$HOME/Music"
+    XDG_PHOTOS_DIR="$HOME/Pictures/Photos"
     XDG_PICTURES_DIR="$HOME/Pictures"
     XDG_PUBLICSHARE_DIR="$HOME/.xdg/Public"
+    XDG_SCREENSHOTS_DIR="$HOME/Pictures/Screenshots"
     XDG_TEMPLATES_DIR="$HOME/.xdg/Templates"
     XDG_VIDEOS_DIR="$HOME/Videos"
   '';
@@ -17,4 +22,6 @@
   # prevent `xdg-user-dirs-update` from overriding/updating our config
   # see <https://manpages.ubuntu.com/manpages/bionic/man5/user-dirs.conf.5.html>
   sane.user.fs.".config/user-dirs.conf".symlink.text = "enabled=False";
+
+  sane.user.fs.".config/environment.d/30-user-dirs.conf".symlink.target = "../user-dirs.dirs";
 }

hosts/common/hosts.nix

@@ -2,6 +2,14 @@
 
 {
   # TODO: this should be populated per-host
+  sane.hosts.by-name."crappy" = {
+    ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIvSQAGKqmymXIL4La9B00LPxBIqWAr5AsJxk3UQeY5";
+    ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMN0cpRAloCBOE5/2wuzgik35iNDv5KLceWMCVaa7DIQ";
+    # wg-home.pubkey = "TODO";
+    # wg-home.ip = "10.0.10.55";
+    lan-ip = "10.78.79.55";
+  };
+
   sane.hosts.by-name."desko" = {
     ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
     ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
@@ -36,10 +44,4 @@
     wg-home.endpoint = "uninsane.org:51820";
     lan-ip = "10.78.79.51";
   };
-
-  sane.hosts.by-name."supercap" = {
-    ssh.authorized = false;
-    ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf/mqqkX45EWAcquV04MC3SUljTApdclH1gjI19F+PA";
-    lan-ip = "10.78.79.232";
-  };
 }

hosts/common/ids.nix

@@ -4,6 +4,9 @@
 { ... }:
 
 {
+  # partially supported in nixpkgs  <repo:nixos/nixpkgs:nixos/modules/misc/ids.nix>
+  sane.ids.networkmanager.uid = 57;  #< nixpkgs unofficially reserves this, to match networkmanager's gid
+
   # legacy servo users, some are inconvenient to migrate
   sane.ids.dhcpcd.gid = 991;
   sane.ids.dhcpcd.uid = 992;
@@ -18,7 +21,7 @@
   sane.ids.matrix-appservice-irc.uid = 993;
   sane.ids.matrix-appservice-irc.gid = 992;
 
-  # greetd (used by sway)
+  # greetd (legacy)
   sane.ids.greeter.uid = 999;
   sane.ids.greeter.gid = 999;
 
@@ -57,6 +60,8 @@
   sane.ids.bitcoind-mainnet.gid = 2418;
   sane.ids.clightning.uid = 2419;
   sane.ids.clightning.gid = 2419;
+  sane.ids.nix-serve.uid = 2420;
+  sane.ids.nix-serve.gid = 2420;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;
@@ -76,6 +81,7 @@
 
   # found on graphical hosts
   sane.ids.nm-iodine.uid = 2101;  # desko/moby/lappy
+  sane.ids.seat.gid = 2102;
 
   # found on desko host
   # from services.usbmuxd

hosts/common/net/default.nix

@@ -4,46 +4,26 @@
   imports = [
     ./dns.nix
     ./hostnames.nix
+    ./modemmanager.nix
+    ./networkmanager.nix
     ./upnp.nix
     ./vpn.nix
   ];
-  # the default backend is "wpa_supplicant".
-  # wpa_supplicant reliably picks weak APs to connect to.
-  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
-  # iwd is an alternative that shouldn't have this problem
-  # docs:
-  # - <https://nixos.wiki/wiki/Iwd>
-  # - <https://iwd.wiki.kernel.org/networkmanager>
-  # - `man iwd.config`  for global config
-  # - `man iwd.network` for per-SSID config
-  # use `iwctl` to control
-  # networking.networkmanager.wifi.backend = "iwd";
-  # networking.wireless.iwd.enable = true;
-  # networking.wireless.iwd.settings = {
-  #   # auto-connect to a stronger network if signal drops below this value
-  #   # bedroom -> bedroom connection is -35 to -40 dBm
-  #   # bedroom -> living room connection is -60 dBm
-  #   General.RoamThreshold = "-52";  # default -70
-  #   General.RoamThreshold5G = "-52";  # default -76
-  # };
 
-  # plugins mostly add support for establishing different VPN connections.
-  # the default plugin set includes mostly proprietary VPNs:
-  # - fortisslvpn (Fortinet)
-  # - iodine (DNS tunnels)
-  # - l2tp
-  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
-  # - openvpn
-  # - vpnc (Cisco VPN)
-  # - sstp
-  #
-  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
-  # e.g. openconnect drags in webkitgtk (for SSO)!
-  networking.networkmanager.plugins = lib.mkForce [];
+  systemd.network.enable = true;
+  networking.useNetworkd = true;
 
-  # keyfile.path = where networkmanager should look for connection credentials
-  networking.networkmanager.extraConfig = ''
-    [keyfile]
-    path=/var/lib/NetworkManager/system-connections
-  '';
+  # view refused/dropped packets with: `sudo journalctl -k`
+  # networking.firewall.logRefusedPackets = true;
+  # networking.firewall.logRefusedUnicastsOnly = false;
+  networking.firewall.logReversePathDrops = true;
+  # linux will drop inbound packets if it thinks a reply to that packet wouldn't exit via the same interface (rpfilter).
+  #   that heuristic fails for complicated VPN-style routing, especially with SNAT.
+  # networking.firewall.checkReversePath = false;  # or "loose" to keep it partially.
+  # networking.firewall.enable = false;  #< set false to debug
+
+  # this is needed to forward packets from the VPN to the host.
+  # this is required separately by servo and by any `sane-vpn` users,
+  # however Nix requires this be set centrally, in only one location (i.e. here)
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 }

hosts/common/net/dns.nix

@@ -1,15 +1,39 @@
-{ ... }:
+# things to consider when changing these parameters:
+# - temporary VPN access (`sane-vpn up ...`)
+# - servo `ovpns` namespace (it *relies* on /etc/resolv.conf mentioning 127.0.0.53)
+#
+# components:
+# - /etc/nsswitch.conf:
+#   - glibc uses this to provide `getaddrinfo`, i.e. host -> ip address lookup
+#     call directly with `getent ahostsv4 www.google.com`
+#   - `nss` (a component of glibc) is modular: names mentioned in that file are `dlopen`'d (i think that's the mechanism)
+#     in NixOS, that means _they have to be on LDPATH_.
+#   - `nscd` is used by NixOS simply to proxy nss requests.
+#      here, /etc/nsswitch.conf consumers contact nscd via /var/run/nscd/socket.
+#      in this way, only `nscd` needs to have the nss modules on LDPATH.
+# - /etc/resolv.conf
+#   - contains the DNS servers for a system.
+#   - historically, NetworkManager would update this file as you switch networks.
+#   - modern implementations hardcodes `127.0.0.53` and then systemd-resolved proxies everything (and caches).
+#
+# namespacing:
+# - each namespace may use a different /etc/resolv.conf to specify different DNS servers
+# - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
+#   - this is fixed by either removing `/var/run/nscd/socket` from the namespace, or disabling nscd altogether.
+{ config, lib, ... }:
+lib.mkMerge [
 {
+  sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
+  sane.services.trust-dns.asSystemResolver = lib.mkDefault true;
+}
+(lib.mkIf (!config.sane.services.trust-dns.asSystemResolver) {
   # use systemd's stub resolver.
   # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
   # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
-  # in the ovnps namespace to use the provider's DNS resolvers.
+  # in servo's ovnps namespace to use the provider's DNS resolvers.
   # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # there also seems to be some cache somewhere that's shared between the two namespaces.
-  # i think this is a libc thing. might need to leverage proper cgroups to _really_ kill it.
-  # - getent ahostsv4 www.google.com
-  # - try fix: <https://serverfault.com/questions/765989/connect-to-3rd-party-vpn-server-but-dont-use-it-as-the-default-route/766290#766290>
-  services.resolved.enable = true;
+  # TODO: improve trust-dns recursive resolver and then remove this
+  services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
   # without DNSSEC:
   # - dig matrix.org => works
   # - curl https://matrix.org => works
@@ -24,7 +48,8 @@
     # stub resolver (just forwards upstream) lives on 127.0.0.54
     "127.0.0.53"
   ];
-
+})
+{
   # nscd -- the Name Service Caching Daemon -- caches DNS query responses
   # in a way that's unaware of my VPN routing, so routes are frequently poor against
   # services which advertise different IPs based on geolocation.
@@ -32,6 +57,17 @@
   # nsncd is the Name Service NON-Caching Daemon. it's a drop-in that doesn't cache;
   # this is OK on the host -- because systemd-resolved caches. it's probably sub-optimal
   # in the netns and we query upstream DNS more often than needed. hm.
-  # TODO: run a separate recursive resolver in each namespace.
-  services.nscd.enableNsncd = true;
+  # services.nscd.enableNsncd = true;
+
+  # disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf.
+  # - dns: glibc-bultin
+  # - files: glibc-builtin
+  # - myhostname: systemd
+  # - mymachines: systemd
+  # - resolve: systemd
+  # in practice, i see no difference with nscd disabled.
+  # disabling nscd VASTLY simplifies netns and process isolation. see explainer at top of file.
+  services.nscd.enable = false;
+  system.nssModules = lib.mkForce [];
 }
+]

hosts/common/net/modemmanager.nix

@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+{
+  networking.modemmanager.package = pkgs.modemmanager-split.daemon.overrideAttrs (upstream: {
+    # patch to allow the dbus endpoints to be owned by networkmanager user
+    postInstall = (upstream.postInstall or "") + ''
+      substitute $out/share/dbus-1/system.d/org.freedesktop.ModemManager1.conf \
+        $out/share/dbus-1/system.d/networkmanager-org.freedesktop.ModemManager1.conf \
+        --replace-fail 'user="root"' 'group="networkmanager"'
+    '';
+  });
+
+  systemd.services.ModemManager = {
+    # aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
+    # after = [ "polkit.service" ];
+    # requires = [ "polkit.service" ];
+    wantedBy = [ "network.target" ];  #< default is `multi-user.target`, somehow it doesn't auto-start with that...
+    # path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`
+
+    # serviceConfig.Type = "dbus";
+    # serviceConfig.BusName = "org.freedesktop.ModemManager1";
+
+    # only if started with `--debug` does mmcli let us issue AT commands like
+    # `mmcli --modem any --command=<AT_CMD>`
+    serviceConfig.ExecStart = [
+      ""  # first blank line is to clear the upstream `ExecStart` field.
+      "${lib.getExe' config.networking.modemmanager.package "ModemManager"} --debug"
+    ];
+    # --debug sets DEBUG level logging: so reset
+    serviceConfig.ExecStartPost = "${lib.getExe config.sane.programs.mmcli.package} --set-logging=INFO";
+
+    # v this is what upstream ships
+    # serviceConfig.Restart = "on-abort";
+    # serviceConfig.StandardError = "null";
+    # serviceConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN";
+    # serviceConfig.ProtectSystem = true;  # makes empty: /boot, /usr
+    # serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    # serviceConfig.PrivateTmp = true;
+    # serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
+    # serviceConfig.NoNewPrivileges = true;
+
+    serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];  #< TODO: make sure this is *really* taking effect, and isn't supplemental to upstream's `CAP_SYS_ADMIN` setting
+    serviceConfig.LockPersonality = true;
+    # serviceConfig.PrivateUsers = true;  #< untried, not likely to work since it needs capabilities
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectSystem = "strict";  # makes read-only all but /dev, /proc, /sys
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_NETLINK"
+      "AF_QIPCRTR"
+      "AF_UNIX"
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+
+    # from earlier `landlock` sandboxing, i know it needs these directories:
+    # - # "/"
+    # - "/dev" #v modem-power + net are not enough
+    # - # "/dev/modem-power"
+    # - # "/dev/net"
+    # - "/proc"
+    # - # /run  #v can likely be reduced more
+    # - "/run/dbus"
+    # - "/run/NetworkManager"
+    # - "/run/resolvconf"
+    # - "/run/systemd"
+    # - "/run/udev"
+    # - "/sys"
+  };
+
+  # so that ModemManager can discover when the modem appears
+  # services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
+}

hosts/common/net/networkmanager.nix

@@ -0,0 +1,268 @@
+{ config, pkgs, ... }:
+let
+  # networkmanager = pkgs.networkmanager;
+  networkmanager = pkgs.networkmanager.overrideAttrs (upstream: {
+    src = pkgs.fetchFromGitea {
+      domain = "git.uninsane.org";
+      owner = "colin";
+      repo = "NetworkManager";
+      # patched to fix polkit permissions (with `nmcli`) when NetworkManager runs as user networkmanager
+      rev = "dev-sane-1.48.0";
+      hash = "sha256-vGmOKtwVItxjYioZJlb1og3K6u9s4rcmDnjAPLBC3ao=";
+    };
+    # patches = [];
+  });
+  # split the package into `daemon` and `nmcli` outputs, because the networkmanager *service*
+  # doesn't need `nmcli`/`nmtui` tooling
+  networkmanager-split = pkgs.networkmanager-split.override { inherit networkmanager; };
+in {
+  networking.networkmanager.enable = true;
+  # plugins mostly add support for establishing different VPN connections.
+  # the default plugin set includes mostly proprietary VPNs:
+  # - fortisslvpn (Fortinet)
+  # - iodine (DNS tunnels)
+  # - l2tp
+  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
+  # - openvpn
+  # - vpnc (Cisco VPN)
+  # - sstp
+  #
+  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
+  # e.g. openconnect drags in webkitgtk (for SSO)!
+  # networking.networkmanager.plugins = lib.mkForce [];
+  networking.networkmanager.enableDefaultPlugins = false;
+
+  networking.networkmanager.package = networkmanager-split.daemon.overrideAttrs (upstream: {
+    # postPatch = (upstream.postPatch or "") + ''
+    #   substituteInPlace src/{core/org.freedesktop.NetworkManager,nm-dispatcher/nm-dispatcher}.conf --replace-fail \
+    #     'user="root"' 'user="networkmanager"'
+    # '';
+    postInstall = (upstream.postInstall or "") + ''
+      # allow the bus to owned by either root or networkmanager users
+      # use the group here, that way ordinary users can be elevated to control networkmanager
+      # (via e.g. `nmcli`)
+      for f in org.freedesktop.NetworkManager.conf nm-dispatcher.conf ; do
+        substitute $out/share/dbus-1/system.d/$f \
+          $out/share/dbus-1/system.d/networkmanager-$f \
+          --replace-fail 'user="root"' 'group="networkmanager"'
+      done
+
+      # remove unused services to prevent any unexpected interactions
+      rm $out/etc/systemd/system/{nm-cloud-setup.service,nm-cloud-setup.timer,nm-priv-helper.service}
+    '';
+  });
+
+  # fixup the services to run as `networkmanager` and with less permissions
+  systemd.services.NetworkManager = {
+    serviceConfig.RuntimeDirectory = "NetworkManager";  #< tells systemd to create /run/NetworkManager
+    # serviceConfig.StateDirectory = "NetworkManager";  #< tells systemd to create /var/lib/NetworkManager
+    serviceConfig.User = "networkmanager";
+    serviceConfig.Group = "networkmanager";
+    serviceConfig.AmbientCapabilities = [
+      # "CAP_DAC_OVERRIDE"
+      "CAP_NET_ADMIN"
+      "CAP_NET_RAW"  #< required, else `libndp: ndp_sock_open: Failed to create ICMP6 socket.`
+      "CAP_NET_BIND_SERVICE"  #< this *does* seem to be necessary, though i don't understand why. DHCP?
+      # "CAP_SYS_MODULE"
+      # "CAP_AUDIT_WRITE"  #< allow writing to the audit log (optional)
+      # "CAP_KILL"
+    ];
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    # serviceConfig.PrivateUsers = true;  #< BREAKS NetworkManager (presumably, it causes a new user namespace, breaking CAP_NET_ADMIN & others).  "platform-linux: do-change-link[3]: failure 1 (Operation not permitted)"
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
+    serviceConfig.ProtectKernelTunables = true;  # but NM might need to write /proc/sys/net/...
+    serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+      "AF_NETLINK"  # breaks near DHCP without this
+      "AF_PACKET"  # for DHCP
+      "AF_UNIX"
+      # AF_ALG ?
+      # AF_BLUETOOTH ?
+      # AF_BRIDGE ?
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+    # from earlier `landlock` sandboxing, i know it needs these directories:
+    # - "/proc/net"
+    # - "/proc/sys/net"
+    # - "/run/NetworkManager"
+    # - "/run/systemd"  # for trust-dns-nmhook
+    # - "/run/udev"
+    # - # "/run/wg-home.priv"
+    # - "/sys/class"
+    # - "/sys/devices"
+    # - "/var/lib/NetworkManager"
+    # - "/var/lib/trust-dns"  #< for trust-dns-nmhook
+    # - "/run/systemd"
+  };
+
+  systemd.services.NetworkManager-wait-online = {
+    serviceConfig.User = "networkmanager";
+    serviceConfig.Group = "networkmanager";
+  };
+
+  # fix NetworkManager-dispatcher to actually run as a daemon,
+  # and sandbox it a bit
+  systemd.services.NetworkManager-dispatcher = {
+    after = [ "trust-dns-localhost.service" ];  #< so that /var/lib/trust-dns will exist
+    # serviceConfig.ExecStart = [
+    #   ""  # first blank line is to clear the upstream `ExecStart` field.
+    #   "${cfg.package}/libexec/nm-dispatcher --persist"  # --persist is needed for it to actually run as a daemon
+    # ];
+    # serviceConfig.Restart = "always";
+    # serviceConfig.RestartSec = "1s";
+
+    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `trust-dns`'s files in the nm hook)
+    serviceConfig.User = "networkmanager";  # TODO: should arguably use `DynamicUser`
+    serviceConfig.Group = "networkmanager";
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to trust-dns hook
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_UNIX"  # required, probably for dbus or systemd connectivity
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+  };
+
+  # harden wpa_supplicant (used by NetworkManager)
+  systemd.services.wpa_supplicant = {
+    serviceConfig.User = "networkmanager";
+    serviceConfig.Group = "networkmanager";
+    serviceConfig.AmbientCapabilities = [
+      "CAP_NET_ADMIN"
+      "CAP_NET_RAW"
+    ];
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    # serviceConfig.PrivateDevices = true;  # untried, not likely to work. remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    # serviceConfig.PrivateUsers = true;  #< untried, not likely to work
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;  #< N.B.: i think this makes certain /proc writes fail
+    serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_INET"  #< required
+      "AF_INET6"
+      "AF_NETLINK"  #< required
+      "AF_PACKET"  #< required
+      "AF_UNIX"  #< required (wpa_supplicant wants to use dbus)
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+
+    # from earlier `landlock` sandboxing, i know it needs only these paths:
+    # - "/dev/net"
+    # - "/dev/rfkill"
+    # - "/proc/sys/net"
+    # - "/sys/class/net"
+    # - "/sys/devices"
+    # - "/run/systemd"
+  };
+
+  networking.networkmanager.settings = {
+    # keyfile.path = where networkmanager should look for connection credentials
+    keyfile.path = "/var/lib/NetworkManager/system-connections";
+
+    # wifi.backend = "wpa_supplicant";  #< default
+    # wifi.scan-rand-mac-address = true;  #< default
+
+    # logging.audit = false;  #< default
+    logging.level = "INFO";
+
+    # main.dhcp = "internal";  #< default
+    main.dns = if config.services.resolved.enable then
+      "systemd-resolved"
+    else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
+      "none"
+    else
+      "internal"
+    ;
+    main.systemd-resolved = false;
+  };
+  environment.etc."NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections";
+
+  # the default backend is "wpa_supplicant".
+  # wpa_supplicant reliably picks weak APs to connect to.
+  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
+  # iwd is an alternative that shouldn't have this problem
+  # docs:
+  # - <https://nixos.wiki/wiki/Iwd>
+  # - <https://iwd.wiki.kernel.org/networkmanager>
+  # - `man iwd.config`  for global config
+  # - `man iwd.network` for per-SSID config
+  # use `iwctl` to control
+  # networking.networkmanager.wifi.backend = "iwd";
+  # networking.wireless.iwd.enable = true;
+  # networking.wireless.iwd.settings = {
+  #   # auto-connect to a stronger network if signal drops below this value
+  #   # bedroom -> bedroom connection is -35 to -40 dBm
+  #   # bedroom -> living room connection is -60 dBm
+  #   General.RoamThreshold = "-52";  # default -70
+  #   General.RoamThreshold5G = "-52";  # default -76
+  # };
+
+  # allow networkmanager to control systemd-resolved,
+  # which it needs to do to apply new DNS settings when using systemd-resolved.
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+
+  users.users.networkmanager = {
+    isSystemUser = true;
+    group = "networkmanager";
+    extraGroups = [ "trust-dns" ];
+  };
+
+  # there is, unfortunately, no proper interface by which to plumb wpa_supplicant into the NixOS service, except by overlay.
+  nixpkgs.overlays = [(self: super: {
+    wpa_supplicant = super.wpa_supplicant.overrideAttrs (upstream: {
+      # postPatch = (upstream.postPatch or "") + ''
+      #   substituteInPlace wpa_supplicant/dbus/dbus-wpa_supplicant.conf --replace-fail \
+      #     'user="root"' 'user="networkmanager"'
+      # '';
+      postInstall = (upstream.postInstall or "") + ''
+        substitute $out/share/dbus-1/system.d/dbus-wpa_supplicant.conf \
+          $out/share/dbus-1/system.d/networkmanager-wpa_supplicant.conf \
+          --replace-fail 'user="root"' 'group="networkmanager"'
+      '';
+
+      postFixup = (upstream.postFixup or "") + ''
+        # remove unused services to avoid unexpected interactions
+        rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
+      '';
+    });
+  })];
+}

hosts/common/net/vpn.nix

@@ -1,89 +1,68 @@
-{ config, lib, pkgs, ... }:
-
 # to add a new OVPN VPN:
 # - generate a privkey `wg genkey`
 # - add this key to `sops secrets/universal.yaml`
-# - upload pubkey to OVPN.com
+# - upload pubkey to OVPN.com (`cat wg.priv | wg pubkey`)
 # - generate config @ OVPN.com
 # - copy the Address, PublicKey, Endpoint from OVPN's config
-# N.B.: maximum interface name in Linux is 15 characters.
+
+{ config, lib, pkgs, ... }:
 let
-  def-wg-vpn = name: { endpoint, publicKey, address, dns, privateKeyFile }: {
-    # networking.wg-quick.interfaces."${name}" = {
-    #   inherit address privateKeyFile dns;
-    #   peers = [
-    #     {
-    #       allowedIPs = [
-    #         "0.0.0.0/0"
-    #         "::/0"
-    #       ];
-    #       inherit endpoint publicKey;
-    #     }
-    #   ];
-    #   # to start: `systemctl start wg-quick-${name}`
-    #   autostart = false;
-    # };
-    systemd.network.netdevs."${name}" = {
-      # see: `man 5 systemd.netdev`
-      wireguardConfig = {
-        PrivateKeyFile = privateKeyFile;
-      };
-      wireguardPeers = [{
-        AllowedIPs = [
-          "0.0.0.0/0"
-          "::/0"
-        ];
-        Endpoint = endpoint;
-        PublicKey = publicKey;
-      }];
+  # N.B.: OVPN issues each key (i.e. device) a different IP (addrV4), and requires you use it.
+  # the IP it issues can be used to connect to any of their VPNs.
+  # effectively the IP and key map 1-to-1.
+  # it seems to still be possible to keep two active tunnels on one device, using the same key/IP address, though.
+  def-ovpn = name: { endpoint, publicKey, id }: let
+    inherit (config.sane.ovpn) addrV4;
+  in {
+    sane.vpn."ovpnd-${name}" = lib.mkIf (addrV4 != null) {
+      inherit addrV4 endpoint publicKey id;
+      privateKeyFile = config.sops.secrets."ovpn_privkey".path;
+      dns = [
+        "46.227.67.134"
+        "192.165.9.158"
+        # "2a07:a880:4601:10f0:cd45::1"
+        # "2001:67c:750:1:cafe:cd45::1"
+      ];
     };
-    systemd.network.networks."${name}" = {
-      # see: `man 5 systemd.network`
-      matchConfig.Name = name;
-      networkConfig.Address = address;
-      networkConfig.DNS = dns;
+
+    sops.secrets."ovpn_privkey" = lib.mkIf (addrV4 != null) {
+      # needs to be readable by systemd-network or else it says "Ignoring network device" and doesn't expose it to networkctl.
+      owner = "systemd-network";
     };
   };
-  def-ovpn = name: { endpoint, publicKey, address }: def-wg-vpn "ovpnd-${name}" {
-    inherit endpoint publicKey address;
-    privateKeyFile = config.sops.secrets."wg/ovpnd_${name}_privkey".path;
-    dns = [
-      "46.227.67.134"
-      "192.165.9.158"
-    ];
+in {
+  options = with lib; {
+    sane.ovpn.addrV4 = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        ovpn issues one IP address per device.
+        set `null` to disable OVPN for this host.
+      '';
+    };
   };
-in lib.mkMerge [
-  (def-ovpn "us" {
-    endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
-    publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
-    address = [
-      "172.27.237.218/32"
-      "fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
-    ];
-  })
-  # NB: us-* share the same wg key and link-local addrs, but distinct public addresses
-  (def-ovpn "us-atl" {
-    endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
-    publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
-    address = [
-      "172.21.182.178/32"
-      "fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
-    ];
-  })
-  (def-ovpn "us-mi" {
-    endpoint = "vpn34.prd.miami.ovpn.com:9929";
-    publicKey = "VtJz2irbu8mdkIQvzlsYhU+k9d55or9mx4A2a14t0V0=";
-    address = [
-      "172.21.182.178/32"
-      "fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
-    ];
-  })
-  (def-ovpn "ukr" {
-    endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
-    publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
-    address = [
-      "172.18.180.159/32"
-      "fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
-    ];
-  })
-]
+
+  config = lib.mkMerge [
+    (def-ovpn "us" {
+      endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
+      publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
+      id = 1;
+    })
+    (def-ovpn "us-mi" {
+      endpoint = "vpn34.prd.miami.ovpn.com:9929";
+      publicKey = "VtJz2irbu8mdkIQvzlsYhU+k9d55or9mx4A2a14t0V0=";
+      id = 2;
+    })
+    (def-ovpn "ukr" {
+      endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
+      publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
+      id = 3;
+    })
+    # TODO: us-atl disabled until i need it again, i guess.
+    # (def-ovpn "us-atl" {
+    #   endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
+    #   publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
+    #   id = 4;
+    # })
+  ];
+}

hosts/common/nix-path/default.nix

@@ -1,16 +0,0 @@
-{ pkgs, sane-lib, ... }:
-
-{
-  # allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages
-  nix.nixPath = [
-    "nixpkgs=${pkgs.path}"
-    # note the import starts at repo root: this allows `./overlay/default.nix` to access the stuff at the root
-    # "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
-    # as long as my system itself doesn't rely on NIXPKGS at runtime, we can point the overlays to git
-    # to avoid switching so much during development
-    "nixpkgs-overlays=/home/colin/dev/nixos/hosts/common/nix-path/overlay"
-  ];
-
-  # ensure new deployments have a source of this repo with which they can bootstrap.
-  environment.etc."nixos".source = ../../..;
-}

hosts/common/nix-path/overlay/default.nix

@@ -1,4 +0,0 @@
-# XXX: NIX_PATH=...:nixpkgs-overlays=... will import every overlay in the directory
-# so we prefer to give it a directory with just this *one* overlay, otherwise it imports conflicting overlays
-# and gets stuck in a loop until it OOMs
-import ../../../../overlays/all.nix

hosts/common/nix.nix

@@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+
+{
+  nix.settings = {
+    # see: `man nix.conf`
+
+    # useful when a remote builder has a faster internet connection than me.
+    # note that this also applies to `nix copy --to`, though.
+    # i think any time a remote machine wants a path, this means we ask them to try getting it themselves before we supply it.
+    builders-use-substitutes = true;  # default: false
+
+    # maximum seconds to wait when connecting to binary substituter
+    connect-timeout = 3;  # default: 0
+
+    # download-attempts = 5;  # default: 5
+
+    # allow `nix flake ...` command
+    experimental-features = [ "nix-command" "flakes "];
+
+    # whether to build from source when binary substitution fails
+    fallback = true;  # default: false
+
+    # whether to keep building dependencies if any other one fails
+    keep-going = true;  # default: false
+
+    # whether to keep build-only dependencies of GC roots (e.g. C compiler) when doing GC
+    keep-outputs = true;  # default: false
+
+    # how many lines to show from failed build
+    log-lines = 30;  # default: 10
+
+    # how many substitution downloads to perform in parallel.
+    # i wonder if parallelism is causing moby's substitutions to fail?
+    max-substitution-jobs = 6;  # default: 16
+
+    # narinfo-cache-negative-ttl = 3600  # default: 3600
+    # whether to use ~/.local/state/nix/profile instead of ~/.nix-profile, etc
+    use-xdg-base-directories = true;  # default: false
+
+    # whether to warn if repository has uncommited changes
+    warn-dirty = false;  # default: true
+
+    # hardlinks identical files in the nix store to save 25-35% disk space.
+    # unclear _when_ this occurs. it's not a service.
+    # does the daemon continually scan the nix store?
+    # does the builder use some content-addressed db to efficiently dedupe?
+    auto-optimise-store = true;
+
+    # allow #!nix-shell scripts to locate my patched nixpkgs & custom packages.
+    # this line might become unnecessary: see <https://github.com/NixOS/nixpkgs/pull/273170>
+    nix-path = config.nix.nixPath;
+  };
+
+  # allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages.
+  # this is actually a no-op, and the real action happens in assigning `nix.settings.nix-path`.
+  nix.nixPath = (lib.optionals (config.sane.maxBuildCost >= 2) [
+    "nixpkgs=${pkgs.path}"
+  ]) ++ [
+    # note the import starts at repo root: this allows `./overlay/default.nix` to access the stuff at the root
+    # "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
+    # as long as my system itself doesn't rely on NIXPKGS at runtime, we can point the overlays to git
+    # to avoid `switch`ing so much during development.
+    # TODO: it would be nice to remove this someday!
+    # it's an impurity that touches way more than i need and tends to cause hard-to-debug eval issues
+    # when it goes wrong. should i port my `nix-shell` scripts to something more tailored to my uses
+    # and then delete `nixpkgs-overlays`?
+    "nixpkgs-overlays=/home/colin/dev/nixos/integrations/nixpkgs/nixpkgs-overlays.nix"
+  ];
+
+  # ensure new deployments have a source of this repo with which they can bootstrap.
+  # this however changes on every commit and can be slow to copy for e.g. `moby`.
+  environment.etc."nixos" = lib.mkIf (config.sane.maxBuildCost >= 3) {
+    source = pkgs.sane-nix-files;
+  };
+  environment.etc."nix/registry.json" = lib.mkIf (config.sane.maxBuildCost < 3) {
+    enable = false;
+  };
+
+  systemd.services.nix-daemon.serviceConfig = {
+    # the nix-daemon manages nix builders
+    # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
+    # see:
+    # - nixos PR that enabled systemd-oomd: <https://github.com/NixOS/nixpkgs/pull/169613>
+    # - systemd's docs on these properties: <https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill>
+    #
+    # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
+    # see `man oomd.conf` for further tunables that may help.
+    #
+    # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
+    # TODO: also apply this to the guest user's slice (user-1100.slice)
+    # TODO: also apply this to distccd
+    ManagedOOMMemoryPressure = "kill";
+    ManagedOOMSwap = "kill";
+  };
+}

hosts/common/persist.nix

@@ -1,13 +1,14 @@
 { ... }:
 
 {
-  sane.persist.stores.private.origin = "/home/colin/private";
-  # store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
+  # store /home/colin/a/b in /mnt/persist/private/a/b instead of /mnt/persist/private/home/colin/a/b
   sane.persist.stores.private.prefix = "/home/colin";
 
+  sane.persist.sys.byStore.initrd = [
+    "/var/log"
+  ];
   sane.persist.sys.byStore.plaintext = [
     # TODO: these should be private.. somehow
-    "/var/log"
     "/var/backup"  # for e.g. postgres dumps
   ];
   sane.persist.sys.byStore.cryptClearOnBoot = [

hosts/common/polyunfill.nix

@@ -0,0 +1,216 @@
+# strictly *decrease* the scope of the default nixos installation/config
+
+{ lib, pkgs, ... }:
+let
+  suidlessPam = pkgs.pam.overrideAttrs (upstream: {
+    # nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
+    # but i don't want the wrapper, so undo that.
+    # ideally i would patch this via an overlay, but pam is in the bootstrap so that forces a full rebuild.
+    # TODO: add a `package` option to the nixos' pam module and substitute it that way.
+    postPatch = (if upstream.postPatch != null then upstream.postPatch else "") + ''
+      substituteInPlace modules/pam_unix/Makefile.am --replace-fail \
+        "/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"
+    '';
+  });
+in
+{
+  # remove a few items from /run/wrappers we don't need.
+  options.security.wrappers = lib.mkOption {
+    apply = lib.filterAttrs (name: _: !(builtins.elem name [
+      # from <repo:nixos/nixpkgs:nixos/modules/security/polkit.nix>
+      "pkexec"
+      "polkit-agent-helper-1"  #< used by systemd; without this you'll have to `sudo systemctl daemon-reload` instead of unauth'd `systemctl daemon-reload`
+      # from <repo:nixos/nixpkgs:nixos/modules/services/system/dbus.nix>
+      "dbus-daemon-launch-helper"
+      # from <repo:nixos/nixpkgs:nixos/modules/security/wrappers/default.nix>
+      "fusermount"  #< only needed if you want to mount entries declared in /etc/fstab or mtab as unprivileged user
+      "fusermount3"
+      "mount"  #< only needed if you want to mount entries declared in /etc/fstab or mtab as unprivileged user
+      "umount"
+      # from <repo:nixos/nixpkgs:nixos/modules/programs/shadow.nix>
+      "newgidmap"
+      "newgrp"
+      "newuidmap"
+      "sg"
+      "su"
+      # from: <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
+      # requires associated `pam` patch to not hardcode unix_chkpwd path
+      "unix_chkpwd"
+    ]));
+  };
+  options.security.pam.services = lib.mkOption {
+    apply = services: let
+      filtered = lib.filterAttrs (name: _: !(builtins.elem name [
+        # from <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
+        "i3lock"
+        "i3lock-color"
+        "vlock"
+        "xlock"
+        "xscreensaver"
+        "runuser"
+        "runuser-l"
+        # from ??
+        "chfn"
+        "chpasswd"
+        "chsh"
+        "groupadd"
+        "groupdel"
+        "groupmems"
+        "groupmod"
+        "useradd"
+        "userdel"
+        "usermod"
+        # from <repo:nixos/nixpkgs:nixos/modules/system/boot/systemd/user.nix>
+        "systemd-user"  #< N.B.: this causes the `systemd --user` service manager to not be started!
+      ])) services;
+    in lib.mapAttrs (_serviceName: service: service // {
+      # replace references with the old pam_unix, which calls into /run/wrappers/bin/unix_chkpwd,
+      # with a pam_unix that calls into unix_chkpwd via the nix store.
+      # TODO: use `security.pam.package` instead once <https://github.com/NixOS/nixpkgs/pull/314791> lands.
+      text = lib.replaceStrings [" pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" ] service.text;
+    }) filtered;
+  };
+
+  options.environment.systemPackages = lib.mkOption {
+    # see: <repo:nixos/nixpkgs:nixos/modules/config/system-path.nix>
+    # it's 31 "requiredPackages", with no explanation of why they're "required"...
+    # most of these can be safely removed without breaking the *boot*,
+    # but some core system services DO implicitly depend on them.
+    # TODO: see which more of these i can remove (or shadow/sandbox)
+    apply = let
+      requiredPackages = builtins.map (pkg: lib.setPrio ((pkg.meta.priority or 5) + 3) pkg) [
+        # pkgs.acl
+        # pkgs.attr
+        # pkgs.bashInteractive
+        # pkgs.bzip2
+        # pkgs.coreutils-full
+        # pkgs.cpio
+        # pkgs.curl
+        # pkgs.diffutils
+        # pkgs.findutils
+        # pkgs.gawk
+        # pkgs.stdenv.cc.libc
+        # pkgs.getent
+        # pkgs.getconf
+        # pkgs.gnugrep
+        # pkgs.gnupatch
+        # pkgs.gnused
+        # pkgs.gnutar
+        # pkgs.gzip
+        # pkgs.xz
+        pkgs.less
+        # pkgs.libcap  #< implicitly required by NetworkManager/wpa_supplicant!
+        # pkgs.ncurses
+        pkgs.netcat
+        # config.programs.ssh.package
+        # pkgs.mkpasswd
+        pkgs.procps
+        # pkgs.su
+        # pkgs.time
+        # pkgs.util-linux
+        # pkgs.which
+        # pkgs.zstd
+      ];
+    in lib.filter (p: ! builtins.elem p requiredPackages);
+  };
+
+  options.system.fsPackages = lib.mkOption {
+    # <repo:nixos/nixpkgs:nixos/modules/tasks/filesystems/vfat.nix>  adds `mtools` and `dosfstools`
+    # dosfstools actually makes its way into the initrd (`fsck.vfat`).
+    # mtools is like "MS-DOS for Linux", ancient functionality i'll never use.
+    apply = lib.filter (p: p != pkgs.mtools);
+  };
+
+  config = {
+    # disable non-required packages like nano, perl, rsync, strace
+    environment.defaultPackages = [];
+
+    # remove all the non-existent default directories from XDG_DATA_DIRS, XDG_CONFIG_DIRS to simplify debugging.
+    # this is defaulted in <repo:nixos/nixpkgs:nixos/modules/programs/environment.nix>,
+    # without being gated by any higher config.
+    environment.profiles = lib.mkForce [
+      "/etc/profiles/per-user/$USER"
+      "/run/current-system/sw"
+    ];
+
+    # NIXPKGS_CONFIG defaults to "/etc/nix/nixpkgs-config.nix" in <nixos/modules/programs/environment.nix>.
+    # that's never existed on my system and everything does fine without it set empty (no nixpkgs API to forcibly *unset* it).
+    environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
+    # XDG_CONFIG_DIRS defaults to "/etc/xdg", which doesn't exist.
+    # in practice, pam appends the values i want to XDG_CONFIG_DIRS, though this approach causes an extra leading `:`
+    environment.sessionVariables.XDG_CONFIG_DIRS = lib.mkForce [];
+    # XCURSOR_PATH: defaults to `[ "$HOME/.icons" "$HOME/.local/share/icons" ]`, neither of which i use, just adding noise.
+    # see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/icons.nix>
+    environment.sessionVariables.XCURSOR_PATH = lib.mkForce [];
+
+    # disable nixos' portal module, otherwise /share/applications gets linked into the system and complicates things (sandboxing).
+    # instead, i manage portals myself via the sane.programs API (e.g. sane.programs.xdg-desktop-portal).
+    xdg.portal.enable = false;
+    xdg.menus.enable = false;  #< links /share/applications, and a bunch of other empty (i.e. unused) dirs
+
+    # xdg.autostart.enable defaults to true, and links /etc/xdg/autostart into the environment, populated with .desktop files.
+    # see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/autostart.nix>
+    # .desktop files are a questionable way to autostart things: i generally prefer a service manager for that.
+    xdg.autostart.enable = false;
+
+    # nix.channel.enable: populates `/nix/var/nix/profiles/per-user/root/channels`, `/root/.nix-channels`, `$HOME/.nix-defexpr/channels`
+    #   <repo:nixos/nixpkgs:nixos/modules/config/nix-channel.nix>
+    # TODO: may want to recreate NIX_PATH, nix.settings.nix-path
+    nix.channel.enable = false;
+
+    # environment.stub-ld: populate /lib/ld-linux.so with an object that unconditionally errors on launch,
+    # so as to inform when trying to run a non-nixos binary?
+    # IMO that's confusing: i thought /lib/ld-linux.so was some file actually required by nix.
+    environment.stub-ld.enable = false;
+
+    # `less.enable` sets LESSKEYIN_SYSTEM, LESSOPEN, LESSCLOSE env vars, which does confusing "lesspipe" things, so disable that.
+    # it's enabled by default from `<nixos/modules/programs/environment.nix>`, who also sets `PAGER="less"` and `EDITOR="nano"` (keep).
+    programs.less.enable = lib.mkForce false;
+    environment.variables.PAGER = lib.mkOverride 900 "";  # mkDefault sets 1000. non-override is 100. 900 will beat the nixpkgs `mkDefault` but not anyone else.
+    environment.variables.EDITOR = lib.mkOverride 900 "";
+
+    # several packages (dconf, modemmanager, networkmanager, gvfs, polkit, udisks, bluez/blueman, feedbackd, etc)
+    # will add themselves to the dbus search path.
+    # i prefer dbus to only search XDG paths (/share/dbus-1) for service files, as that's more introspectable.
+    # see: <repo:nixos/nixpkgs:nixos/modules/services/system/dbus.nix>
+    # TODO: sandbox dbus? i pretty explicitly don't want to use it as a launcher.
+    services.dbus.packages = lib.mkForce [
+      "/run/current-system/sw"
+      # config.system.path
+      # pkgs.dbus
+      # pkgs.polkit.out
+      # pkgs.modemmanager
+      # pkgs.networkmanager
+      # pkgs.udisks
+      # pkgs.wpa_supplicant
+    ];
+
+    # systemd by default forces shitty defaults for e.g. /tmp/.X11-unix.
+    # nixos propagates those in: <nixos/modules/system/boot/systemd/tmpfiles.nix>
+    # by overwriting this with an empty file, we can effectively remove it.
+    environment.etc."tmpfiles.d/x11.conf".text = "# (removed by Colin)";
+
+    # see: <nixos/modules/tasks/swraid.nix>
+    # it was enabled by default before 23.11
+    boot.swraid.enable = lib.mkDefault false;
+
+    # see: <nixos/modules/tasks/bcache.nix>
+    # these allow you to use the Linux block cache (cool! doesn't need to be a default though)
+    boot.bcache.enable = lib.mkDefault false;
+
+    # see: <nixos/modules/system/boot/kernel.nix>
+    # by default, it adds to boot.initrd.availableKernelModules:
+    # - SATA: "ahci" "sata_nv" "sata_via" "sata_sis" "sata_uli" "ata_piix" "pata_marvell"
+    # - "nvme"
+    # - scsi: "sd_mod" "sr_mod"
+    # - SD/eMMC: "mmc_block"
+    # - USB keyboards: "uhci_hcd" "ehci_hcd" "ehci_pci" "ohci_hcd" "ohci_pci" "xhci_hcd" "xhci_pci" "usbhid" "hid_generic" "hid_lenovo" "hid_apple" "hid_roccat" "hid_logitech_hidpp" "hid_logitech_dj" "hid_microsoft" "hid_cherry" "hid_corsair"
+    # - LVM: "dm_mod"
+    # - on x86 only: more keyboard stuff: "pcips2" "atkbd" "i8042"
+
+    boot.initrd.includeDefaultModules = lib.mkDefault false;
+
+    # see: <repo:nixos/nixpkgs:nixos/modules/virtualisation/nixos-containers.nix>
+    boot.enableContainers = lib.mkDefault false;
+  };
+}

hosts/common/programs/abaddon.nix

@@ -15,7 +15,7 @@ in
       };
     };
 
-    package = pkgs.abaddon.overrideAttrs (upstream: {
+    packageUnwrapped = pkgs.abaddon.overrideAttrs (upstream: {
       patches = (upstream.patches or []) ++ [
         (pkgs.fetchpatch {
           url = "https://git.uninsane.org/colin/abaddon/commit/eb551f188d34679f75adcbc83cb8d5beb4d19fd6.patch";
@@ -87,13 +87,8 @@ in
 
     services.abaddon = {
       description = "unofficial Discord chat client";
-      wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ];
-      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/abaddon";
-        Type = "simple";
-        Restart = "always";
-        RestartSec = "20s";
-      };
+      partOf = lib.mkIf cfg.config.autostart [ "graphical-session" ];
+      command = "abaddon";
     };
   };
 }

hosts/common/programs/aerc.nix

@@ -3,6 +3,9 @@
 
 {
   sane.programs.aerc = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";  #< /share/aerc/aerc.conf refers to other /share files by absolute path
+    sandbox.net = "clearnet";
     secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
     mime.associations."x-scheme-handler/mailto" = "aerc.desktop";
   };

hosts/common/programs/alacritty.nix

@@ -3,13 +3,28 @@
 #   - `man 5 alacritty`
 #   - defaults: <https://github.com/alacritty/alacritty/releases>  -> alacritty.yml
 # - irc: #alacritty on libera.chat
-{ lib, ... }:
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.alacritty;
+in
 {
   sane.programs.alacritty = {
+    configOption = with lib; mkOption {
+      default = {};
+      type = types.submodule {
+        options.fontSize = mkOption {
+          type = types.int;
+          default = 14;
+        };
+      };
+    };
+
+    sandbox.enable = false;
     env.TERMINAL = lib.mkDefault "alacritty";
+
     fs.".config/alacritty/alacritty.toml".symlink.text = ''
       [font]
-      size = 14
+      size = ${builtins.toString cfg.config.fontSize}
 
       [[keyboard.bindings]]
       mods = "Control"
@@ -35,6 +50,21 @@
       mods = "Control|Shift"
       key = "PageDown"
       action = "ScrollPageDown"
+
+      # disable OS shortcuts which leak through...
+      # see sway config or sane-input-handler for more info on why these leak through
+      [[keyboard.bindings]]
+      key = "AudioVolumeUp"
+      action = "None"
+      [[keyboard.bindings]]
+      key = "AudioVolumeDown"
+      action = "None"
+      [[keyboard.bindings]]
+      key = "Power"
+      action = "None"
+      [[keyboard.bindings]]
+      key = "PowerOff"
+      action = "None"
     '';
   };
 }

hosts/common/programs/alsa-ucm-conf/default.nix

@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.alsa-ucm-conf;
+in
+{
+  sane.programs.alsa-ucm-conf = {
+    configOption = with lib; mkOption {
+      default = {};
+      type = types.submodule {
+        options.preferEarpiece = mkOption {
+          type = types.bool;
+          default = true;
+        };
+      };
+    };
+
+    # upstream alsa ships with PinePhone audio configs, but they don't actually produce sound.
+    # - still true as of 2024-05-26
+    # - see: <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
+    #
+    # we can substitute working UCM conf in two ways:
+    # 1. nixpkgs' override for the `alsa-ucm-conf` package
+    #   - that forces a rebuild of ~500 packages (including webkitgtk).
+    # 2. set ALSA_CONFIG_UCM2 = /path/to/ucm2 in the relevant places
+    #   - e.g. pulsewire service.
+    #   - easy to miss places, though.
+    #
+    # alsa-ucm-pinephone-manjaro (2024-05-26):
+    # - headphones work
+    # - "internal earpiece" works
+    # - "internal speaker" is silent (maybe hardware issue)
+    # - 3.5mm connection is flapping when playing to my car, which eventually breaks audio and requires restarting wireplumber
+    # packageUnwrapped = pkgs.alsa-ucm-pinephone-manjaro.override {
+    #   inherit (cfg.config) preferEarpiece;
+    # };
+    # alsa-ucm-pinephone-pmos (2024-05-26):
+    # - headphones work
+    # - "internal earpiece" works
+    # - "internal speaker" is silent (maybe hardware issue)
+    packageUnwrapped = pkgs.alsa-ucm-pinephone-pmos.override {
+      inherit (cfg.config) preferEarpiece;
+    };
+
+    sandbox.enable = false;  #< only provides $out/share/alsa
+
+    # alsa-lib package only looks in its $out/share/alsa to find runtime config data, by default.
+    # but ALSA_CONFIG_UCM2 is an env var that can override that.
+    # this is particularly needed by wireplumber;
+    #   also *maybe* pipewire and pipewire-pulse.
+    # taken from <repo:nixos/mobile-nixos:modules/quirks/audio.nix>
+    env.ALSA_CONFIG_UCM2 = "/run/current-system/sw/share/alsa/ucm2";
+
+    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
+  };
+
+  environment.pathsToLink = lib.mkIf cfg.enabled [
+    "/share/alsa/ucm2"
+  ];
+}

hosts/common/programs/animatch.nix

@@ -1,10 +1,43 @@
-{ ... }:
+# debug with:
+# - `animatch --debug`
+# - `gdb animatch`
+# try:
+# - `animatch --fullscreen`
+# - `animatch --windowed`
+# the other config options (e.g. verbose logging -- which doesn't seem to do anything) have to be configured via .ini file
+# ```ini
+# # ~/.config/Holy Pangolin/Animatch/SuperDerpy.ini
+# [SuperDerpy]
+# debug=1
+# disableTouch=1
+# [game]
+# verbose=1
+# ```
+{ pkgs, ... }:
 {
   sane.programs.animatch = {
+    packageUnwrapped = with pkgs; animatch.override {
+      # allegro has no native wayland support, and so by default crashes when run without Xwayland.
+      # enable the allegro SDL backend, and achieve Wayland support via SDL's Wayland support.
+      # TODO: see about upstreaming this to nixpkgs?
+      allegro5 = allegro5.overrideAttrs (upstream: {
+        buildInputs = upstream.buildInputs ++ [
+          SDL2
+        ];
+        cmakeFlags = upstream.cmakeFlags ++ [
+          "-DALLEGRO_SDL=on"
+        ];
+      });
+    };
+
+    buildCost = 1;
+
+    sandbox.method = "bwrap";
+    sandbox.whitelistWayland = true;
+
     persist.byStore.plaintext = [
-      # game progress
-      ".config/Holy Pangolin/Animatch"
-      ".local/share/Holy Pangolin/Animatch"  # i think this one might be wrong
+      # ".config/Holy Pangolin/Animatch"  #< used for SuperDerpy config (e.g. debug, disableTouch, fullscreen, enable sound, etc). SuperDerpy.ini
+      ".local/share/Holy Pangolin/Animatch"  #< used for game state (level clears). SuperDerpy.ini
     ];
   };
 }