Compare commits


812 Commits

Author SHA1 Message Date
5d1e8f5f60 servo: store media on external storage 2022-11-29 21:54:33 +00:00
ff9c26b03d servo: port to Ryzen/x86 machine 2022-11-29 02:20:18 +00:00
b9533d7ee3 packages: ship some tools useful for debugging boot/HW state 2022-11-29 02:18:56 +00:00
103f7b1b2c sane-stop-all-servo script: update for currently deployed services 2022-11-29 02:18:31 +00:00
16327fd323 nix patches: fix hashes 2022-11-29 02:18:05 +00:00
abcfa2dbea update phosh: phosh: 0.21.1 -> 0.22.0 2022-11-26 08:13:52 +00:00
27403fa36d zecwallet: move data to private dir 2022-11-24 17:47:34 +00:00
96b3ac26dd remove systemd HDD spindown patch
i haven't used this for several months. it doesn't seem to matter, and
maintaining custom systemd patches is very impractical.
2022-11-24 10:28:06 +00:00
1accf264cf browserpass-extension: update the PR which generalizes file extensions 2022-11-24 10:26:32 +00:00
3772a428da browserpass: apply PR feedback: <https://github.com/browserpass/browserpass-extension/pull/312> 2022-11-23 12:59:08 +00:00
a56f2008d3 fix 'nixserv' -> 'nixserve' typo 2022-11-23 04:09:58 +00:00
04ea55499a gocryptfs: don't cross build 2022-11-22 13:46:44 +00:00
59244fa50c flake update: nixpkgs 2022-11-09 -> 2022-11-21, others
2022-11-22 12:03:33 +00:00
c2a2b27002 servo: disable duplicity 2022-11-22 12:01:55 +00:00
7bd6015a9f browserpass: start pushing gpg-agnostic support upstream 2022-11-22 11:50:07 +00:00
2a010f7882 readme: update contact info, explain modules/ dir 2022-11-22 05:34:11 +00:00
b566910da0 home-manager: hide behind an enable flag 2022-11-22 05:28:41 +00:00
ca43811c16 remove sane.home-manager.extraPackages
replaced by sane.packages.extraUserPkgs
2022-11-22 05:11:02 +00:00
7284452aa5 re-enable some environment stuff that got lost during refactors 2022-11-22 04:51:03 +00:00
f772300d88 move system-packages into the main packages.nix file 2022-11-22 04:40:24 +00:00
eccb5ff3d6 rename home-packages -> packages 2022-11-22 04:31:55 +00:00
0c6b949a72 lift some more files out of modules -> hosts 2022-11-22 04:29:17 +00:00
9a6c83776d vpn: move out of modules/ 2022-11-22 03:46:25 +00:00
e408e77026 move secrets.nix out of modules 2022-11-22 03:37:57 +00:00
e0612ccfa8 move allocations out of universal
it doesn't cause any changes to the system
2022-11-22 03:35:11 +00:00
a0e85ff31b nixserve: remove the default sops path
it might make more sense to make this a runtime path (/run/secrets/...)
2022-11-22 03:20:50 +00:00
1d448a4114 migrate common settings from hosts/{instantiate -> common/default}.nix 2022-11-22 03:10:19 +00:00
ed52b5f251 nixcache: modularize 2022-11-22 03:07:11 +00:00
dc21b0d68c modularize image.nix image building 2022-11-22 03:02:41 +00:00
18ec4f9b4d browserpass-extension: update to latest tip
my PR got merged
2022-11-22 02:59:25 +00:00
84a17f4599 move hardware out of modules into hosts/common
i want for `modules/` to behave like a more typical `modules` directory,
where functionality is opt-in.
2022-11-22 02:52:07 +00:00
43fa7fdd9f rename machines -> hosts
- shorter.
- congruent with `nixos-rebuild .` choosing what to build based on `hostname`.
- more widely used within other nix repos i've seen.
- more accurate in the case that i migrate a host to a different
machine (which i plan to do with servo).
2022-11-22 02:33:47 +00:00
8fc6b05c07 duplicity: add script to restore from backup 2022-11-21 11:47:07 +00:00
439c7d9ef2 duplicity: add utility to list backup files 2022-11-21 11:31:51 +00:00
9633c4f012 packages: add kdenlive 2022-11-21 10:39:58 +00:00
b869617b09 duplicity: refactor and update files list 2022-11-21 10:39:52 +00:00
ce323ffcf9 servo: ejabberd: enable starttls on server-to-server protocol 2022-11-15 12:55:45 +00:00
ac153aecd3 servo: ejabberd: enable 2022-11-15 12:52:45 +00:00
353d97b661 servo: ejabberd: provide access to certs 2022-11-15 12:47:50 +00:00
1150ee4b50 servo: prosody: disable 2022-11-15 12:45:23 +00:00
9e51eafff0 servo: add libraspberrypi 2022-11-15 12:28:49 +00:00
afaa6343ab update nixpkgs: 2022-11-05 -> 2022-11-09
2022-11-15 10:04:25 +00:00
67dff6069c sane-rcp: do incremental syncs (append mode) 2022-11-15 09:46:11 +00:00
dea7ca9474 new script to locate dotfiles easier 2022-11-13 01:05:06 +00:00
ad7ae94501 home: ship dino XMPP client 2022-11-12 10:18:13 +00:00
1a0bd16b44 servo: enable prosody XMPP server 2022-11-12 10:02:06 +00:00
56f89bb3f7 servo: ejabberd: configure, but then disable because broken 2022-11-12 01:43:14 +00:00
92a67253c3 servo: lay the skeleton files for a XMPP (jabber) server 2022-11-11 12:56:09 +00:00
8d0ded0ea1 postgresql: leave some notes about future optimization opportunities 2022-11-11 10:58:57 +00:00
de820e32b7 servo: pleroma: remove unneeded prepare: :named config
doing this should increase perf
2022-11-11 10:58:29 +00:00
be286cd190 servo: nginx: enable gzip and TLS optimizations 2022-11-11 10:57:57 +00:00
7cacbd9580 goaccess: optimization only refresh stats once per 30s 2022-11-11 10:56:54 +00:00
c84f10e060 freshrss: update feeds less frequently
Freshrss is throwing some error in the logs... but it still looks to
*kinda* work? ugh.
2022-11-11 08:48:48 +00:00
fd8f660ee0 feeds: add Jeff Kaufman 2022-11-11 07:50:42 +00:00
205b6a9afb nginx: forceSSL for git and fedi 2022-11-08 13:28:41 +00:00
6b7a544df3 lightdm-mobile-greeter: update button styling 2022-11-08 10:42:08 +00:00
c3eacf7126 unpin electrum, sequoia
they build now
2022-11-08 09:08:51 +00:00
3b6f638f98 lightdm-mobile-greeter: update interface.ui 2022-11-08 09:08:39 +00:00
6057a2e665 lightdm-mobile-greeter: update libhandy dependency 2022-11-07 23:36:18 -08:00
f45b032e48 home: add plasmatube (though it might not be working well) 2022-11-08 05:34:02 +00:00
1c810dc1b8 time: switch to UTC
Daylight Savings Time is too confusing for me.
2022-11-08 02:35:50 +00:00
fdd9833b01 lightdm-mobile-greeter: update upstream (minor description change) 2022-11-07 06:32:04 -08:00
25854d3135 lightdm-mobile-greeter: update upstream 2022-11-07 05:25:25 -08:00
45f8cc3894 browserpass-native: update enableOTP PR fix 2022-11-07 04:39:16 -08:00
fc4138327a home-packaged: add rsync 2022-11-06 20:53:22 -08:00
889c47e884 link debug symbols into /run/current-system/sw/lib/debug 2022-11-06 19:25:50 -08:00
f6f500c592 fs: hopefully fix /mnt/servo-root by linking sftp-server at the remote endpoint 2022-11-06 18:54:22 -08:00
6fa9fb740a servo: update rpi linux to fix build 2022-11-06 17:12:22 -08:00
10a665d11c add a servo-cross target
though it looks like rpi4 linux actually fails to cross-compile due to
some RMW page error
2022-11-06 06:04:54 -08:00
77baf03496 Revert "servo: don't ship custom linux kernel packages anymore"
This reverts commit 12b5e68b25.
2022-11-06 05:27:04 -08:00
26f920e119 disable default environment packages 2022-11-06 05:22:16 -08:00
88fba6f496 document --substituters nix options 2022-11-06 03:47:10 -08:00
9f43444f0c ipfs: migrate settings
did not explicitly test these
2022-11-06 03:32:35 -08:00
b68fd881e4 servo: import an element-web patch which allows configuring it without rebuilding 2022-11-06 03:32:35 -08:00
5cca6ede0d emote: fix persistence dir 2022-11-06 02:30:53 -08:00
3b4e394ce8 flake update nixpkgs: 2022-11-03 -> 2022-11-05, home-manager
2022-11-06 02:20:04 -08:00
d9b3fccdfa persist emote dir 2022-11-06 02:07:32 -08:00
94366d4bf6 browserpass: patch to support OTP codes better 2022-11-06 02:00:41 -08:00
12b5e68b25 servo: don't ship custom linux kernel packages anymore
it's probably not necessary. i confirmed the kernel provides rpi400 dtb
by default.
2022-11-05 22:29:20 -07:00
a0d332766a nixcache: always trust my own caches, even if not enabled by default 2022-11-05 20:13:17 -07:00
cdd9672654 libreoffice: disable first-run dialog 2022-11-05 17:24:19 -07:00
887a431956 podcasts: add The Verge - Decoder 2022-11-05 06:16:20 -07:00
502ebafb0a update: nixpkgs 2022-11-05 05:42:11 -07:00
57ada6af4f tokodon: fix segfault on launch
also persist the ~/.cache/KDE/tokodon directory.
since the login form isn't working yet (partially the fault of my
Pleroma install?), i can't tell if this is where tokens are stashed or
not.
2022-11-04 06:52:18 -07:00
d1d64b7376 import and update Tokodon package from <https://github.com/NixOS/nixpkgs/pull/170466>
this hangs and then segfaults at start. i suppose i should `gdb` it.
2022-11-03 22:23:14 -07:00
f2188be9f2 flake update: nixpkgs 2022-10-31 -> 2022-11-02, home-manager, sops, mobile-nixos
2022-11-03 17:31:47 -07:00
6d52c0e8ab new option: sane.gui.plasma.enable to enable desktop KDE plasma
this is useful for testing applications which are designed for KDE
first.
2022-11-03 03:09:14 -07:00
14b334ff55 new script: sane-reboot, to prevent me from rebooting the wrong machine when working with multiple hosts 2022-11-03 01:27:56 -07:00
730fa8ba4b moby: fix lightdm-mobile-greeter config to work again 2022-11-02 04:59:36 -07:00
8817f661ac browser: temporarily switch back to firefox
recompiling librewolf is not practical -- until the addon signing is
upstreamed
2022-11-02 04:21:55 -07:00
3b0f505864 moby: move lightdm-mobile-greeter stuff into nixpkgs 2022-11-02 04:14:00 -07:00
b559d334c3 librewolf: work toward upstreaming the MOZ_REQUIRE_SIGNING patch 2022-11-02 02:39:56 -07:00
f6e4c0058c add mercurial to dev packages 2022-11-01 22:20:05 -07:00
775fc979fc browser: fix Extensions.Uninstall + refactor nits 2022-11-01 19:29:33 -07:00
ad6daa4e5b librewolf: allow sideloading unsigned addons
still defaulting to firefox, because this requires a recompilation of
the browser -- particularly expensive for moby.
2022-11-01 19:17:49 -07:00
3ecfea158a browser: make more easily swappable between firefox and librewolf 2022-11-01 16:23:50 -07:00
5ff47b3719 remove unused rycee flake input
it was previously used for browser addons: i've since moved those
in-house for technical reasons.
2022-11-01 16:07:57 -07:00
03ea7e7fa5 flake update: nixpkgs 2022-10-30 -> 2022-10-31 and stable home-manager
2022-11-01 05:09:04 -07:00
ca93518dda browser: switch from librewolf to firefox-esr
librewolf doesn't allow unsigned addons. i believe this is a bug, as the
nixpkg build file looks like it *meant* to allow addons (and maybe at
some point did)
2022-11-01 04:58:45 -07:00
7f7041351b browserpass-extension: init at 3.7.2
bringing this in-tree instead of fetching it from the mozilla addons
webpage because i plan to develop on it.
2022-11-01 04:57:34 -07:00
1c62bcd50c lightdm-mobile-greeter: update git rev & remove the Cargo.lock patch
Raatty was kind enough to upstream the Cargo.lock fix.
2022-11-01 01:15:36 -07:00
bad4fe0e76 browserpass: add support for totp, and auto-unlock the secrets store on first run
note that one needs to manually enable the TOTP setting in the
browserpass settings for this to work -- TOTP parsing is disabled by
default
2022-10-31 23:57:47 -07:00
8b473ff88f neovim: fix python tree-sitter plugin
which was otherwise yielding parsing errors.
2022-10-31 23:05:27 -07:00
ad54b9c5fb flake update: rycee: 2022-10-29 -> 2022-11-01
2022-10-31 23:04:39 -07:00
b805a101ba flake update: nixpkgs 2022-10-29 -> 2022-10-30; home-manager
wouldn't ordinarily update so regularly, but on the lookout for that
openssl CVE...
2022-10-31 20:54:11 -07:00
69a3aaa086 new script: sane-private-lock
this is handy esp for `servo`, where i don't want my keys to be
accessible after i logout.

longterm, i suppose i could run this automatically on session close
(pam-umount or something i think exists for that?)
2022-10-31 04:21:25 -07:00
9acf2dfde1 gocryptfs: cross-compile for aarch64 2022-10-31 03:05:24 -07:00
4b5accac88 flake update: nixpkgs: 2022-10-22 -> 2022-10-29 and others
2022-10-30 23:47:29 -07:00
cb00ae4f92 update nautilus gtk4 patch SHA
it's been merged into nixpkgs; manual patch will likely go away after
next nixpkgs update
2022-10-30 21:33:58 -07:00
7c38c1dbe9 de-persist /etc/machine-id, and generate it from the ssh key instead
note that /etc/machine-id now contains a different value than before,
meaning `journalctl` will not show logs from before the time of this
change.
2022-10-30 21:02:41 -07:00
b3b45ec0f2 fix host ssh key persistence 2022-10-30 20:03:00 -07:00
34d77542e7 impermanence: ensure /etc/ssh is populated before we decode machine secrets during activation
the impermanence activation scripts don't appear to mount folders --
only files. rather, the impermanence module creates fstab entries for
each bind mount folder, and *something* (systemd?) mounts these *after*
/run/current-system/activate is run.

therefore, if we want access to a bind-mounted directory during
activation, we have to manually mount it.
i.e. `mount /etc/ssh/host_keys`.
2022-10-30 05:59:55 -07:00
6236c14def vendor librewolf addons instead of fetching them on first run
this obviously speeds up startup, it's hopefully also less likely to
break surprisingly, and i hope it's the path to me shipping forks of
official extensions.
2022-10-27 03:20:29 -07:00
0c0f8c44bd Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-10-26 07:18:41 -07:00
7f97786a88 librewolf: use browserpass password store
this is working -- forked to support sops as a backend --
without totp support yet. it's possible in theory: i might just need to
write some adapter logic.

upstream discussion about genericizing backend support:
- <https://github.com/browserpass/browserpass-native/issues/127>
2022-10-26 07:13:55 -07:00
db2e156f15 home: enable celluloid mpv frontend
i want to test this on mobile
2022-10-26 05:31:11 -07:00
43efec495e librewolf: integrate with gopass
it's able to list passwords, but not decrypt them:
i think i can solve this on the store side?
2022-10-26 00:10:54 -07:00
279f9ce614 lightdm-mobile-greeter: point directly to upstream, with a patch for their Cargo.lock 2022-10-25 22:05:49 -07:00
7d02652e08 servo: freshrss: fix ExecStart path 2022-10-25 06:31:18 -07:00
10e224be0d ssh: set known hosts via ~/.ssh/config
this prevents the ssh agent from updating the known_hosts file
and confusing home-manager.
2022-10-25 05:17:28 -07:00
e25c92794f refactor: split ssh settings out of home-manager/default.nix 2022-10-25 05:06:33 -07:00
a8d2b7196d statically populate ssh known_hosts 2022-10-25 05:01:32 -07:00
a6cbecbc74 Merge branch 'staging/pleroma-update' 2022-10-25 04:18:25 -07:00
518d2f60c0 pleroma: port ExifTool config
the old path is deprecated, if my syslog is to be believed.
2022-10-25 04:11:47 -07:00
70e5ccc968 upgrade pleroma, thereby fixing servo build 2022-10-25 03:44:45 -07:00
c44cad9c16 fractal: persist data in ~/private 2022-10-25 02:12:55 -07:00
e3bf585382 persist ssh host keys in a subdirectory 2022-10-25 02:09:27 -07:00
1fea9618ba zsh: remove rm and mv confirmations 2022-10-25 01:42:46 -07:00
8d89f828b6 new sane script: sane-rcp
i guess this could just be an alias? 🤷
2022-10-25 01:19:05 -07:00
e2985ef018 sane-scripts: new helper to redirect stdout to some permissioned file 2022-10-24 23:43:32 -07:00
d54b595e45 RSS: subscribe to Edward Snowden 2022-10-24 20:23:14 -07:00
ad75ed352c RSS: clean up the substack subs 2022-10-24 20:14:36 -07:00
306836042c RSS: add my own feed :-) 2022-10-24 19:52:39 -07:00
965181c8b0 moby: change password 2022-10-24 08:33:51 -07:00
b344c38bfb provide a script for changing the ~/private dir secrets
gocryptfs doesn't (i think?) ship a tool for changing the password: you
just create a new fs and rsync/mv the data
2022-10-24 08:21:53 -07:00
174bc539bc moby: enable a statically-assigned but encrypted password 2022-10-24 07:39:50 -07:00
9ef457c0dd secrets/servo: grant access to lappy 2022-10-24 06:56:16 -07:00
939278b970 home: migrate Element directory to private storage 2022-10-24 06:42:51 -07:00
3d0bd0fbf4 remove TODO file
some of these had been done. the ones not done are documented elsewhere
(either in this repo or in my own PKM).
2022-10-24 06:20:22 -07:00
36d8a711ac modules/services: abstract behind default.nix 2022-10-24 06:13:04 -07:00
4c4b73f693 refactor: helpers/set-hostname.nix becomes machines/instantiate.nix 2022-10-24 06:06:11 -07:00
9151f58b37 desko: set a password 2022-10-24 01:59:36 -07:00
b2c55ed98a sane-private-unlock: make ~/private if it doesn't exist 2022-10-24 01:53:41 -07:00
1721546410 store ssh keys in ~/private, where they're encrypted 2022-10-24 01:33:14 -07:00
c833c68d83 move ssh pubkeys into their own file for future reuse 2022-10-24 01:33:01 -07:00
9a4c2613c1 lappy: update passwd 2022-10-24 00:47:09 -07:00
8de5b0a79d iwd: switch APs more aggressively
unclear how much of a difference this makes yet: will hopefully
test/tune it over time.
2022-10-24 00:25:19 -07:00
ced64e63ef Merge remote-tracking branch 'remotes/origin/staging/nixpkgs-2022-10-22' 2022-10-24 00:22:41 -07:00
8dd267db30 servo: goaccess: anonymize IPs and hide the 'HOSTS' panel 2022-10-24 00:16:42 -07:00
10541698a7 flake update: nixpkgs 2022-10-19 -> 2022-10-22 & others
2022-10-23 21:47:03 -07:00
b658b93c64 lappy: store the hashed user passwd in git and decrypt it into /etc/passwd on boot
this approach lets me persist the password. persisting /etc/shadow
directly wasn't so feasible. populating /etc/shadow at activation time
is something nix already does and is easy to plug into.
so we store the passwd hash in this repo, but encrypt it to the
destination machine's ssh pubkey to add enough entropy that it's not
brute-forceable through the public git repo.
2022-10-23 06:53:06 -07:00
f68bc342e8 fix activationScript ordering to remove sops double-decrypt hack 2022-10-23 06:53:05 -07:00
e3221bf8b9 home: add handbrake program 2022-10-23 03:02:31 -07:00
3cfe236e90 sane-sync-from-iphone: handle the case where /mnt/iphone is hung 2022-10-22 23:35:00 -07:00
2b14648587 servo: persist the maildir
this way i don't lose my mail on every reboot...

wow i can't believe it took me this long to make the connection.
2022-10-22 07:00:56 -07:00
0753aa59e9 refactor: move default home impermanence dirs to modules/universal/users.nix 2022-10-22 06:09:53 -07:00
55cbce17c2 refactor: impermanence: remove duplicate function map-service-dirs 2022-10-22 06:03:04 -07:00
ebf3152ced refactor: purge impermanence.home-files option
persisting individual files doesn't work super well. we can do without
it and things are simpler.
2022-10-22 05:56:04 -07:00
8345375bc4 zsh: fix history path to be fully-qualified
it's implicitly a relative path to where the shell is initialized.
2022-10-22 05:52:05 -07:00
cc63cacf28 new script to unlock ~/private 2022-10-22 05:47:17 -07:00
8f61ba6085 zsh: move .zsh_history to ~/.local/share/zsh
this works better with impermanence (see code comment)
2022-10-22 04:08:37 -07:00
b43103a024 refactor: move .zsh_history impermanence definition into zsh.nix 2022-10-22 04:02:40 -07:00
187a52527b refactor: squash env directory 2022-10-22 03:56:50 -07:00
b26e826b3b sway: add a config option to disable the greeter (and auto-login instead)
i need this now as a way to keep gtk3 packages (in greetd) out of the
environment, so i can test the Nautilus gtk3-not-present bug.
2022-10-22 01:31:51 -07:00
3851136398 nginx/goaccess: opt-in *specific* hosts for public logs
the other hosts are by default private. mostly because they're just
internal services where i'm the primary user.
2022-10-21 22:38:38 -07:00
635fee1bda nginx: include hostname in log so goaccess can group on it 2022-10-21 22:00:49 -07:00
5048ee1ce5 servo: fix RSS feeds.nix invalid reference (fix build) 2022-10-21 21:59:17 -07:00
e787dc29c6 servo: enable goaccess for metrics/monitoring
TODO: change the nginx log format to include virtualhost and enable
goaccess to group by host
2022-10-21 09:55:49 -07:00
7cc44f9455 feeds: follow Anish Lakhwara
supposedly. we'll see if my RSS client actually understands that feed...
2022-10-21 09:30:54 -07:00
419ababe6f home-manager: split discord.nix out of default.nix 2022-10-21 09:27:04 -07:00
e4c0a0d468 home-manager: split aerc.nix out of default.nix 2022-10-21 09:15:08 -07:00
0e63cd4e11 home-manager: split sublime-music.nix out of default.nix 2022-10-21 09:10:55 -07:00
9328e5ff32 home: disable nb 2022-10-21 09:01:06 -07:00
87dda0ad11 home: nb: move package inclusion to nb.nix 2022-10-21 08:59:04 -07:00
46783cd0e2 home-manager: split nb out of default.nix 2022-10-21 08:53:08 -07:00
f7d3b8128e home-manager: split vlc config out of default.nix 2022-10-21 08:47:21 -07:00
9119f0b092 home-manager: split mpv config out of default.nix 2022-10-21 08:44:25 -07:00
17189b22e9 home-manager: split git config out of default.nix 2022-10-21 08:41:28 -07:00
7db3816511 home-manager: move librewolf out of default.nix 2022-10-21 08:38:20 -07:00
8c20017544 home-manager: split neovim out of default.nix 2022-10-21 08:30:35 -07:00
4c1f68f82f home-manager: split kitty out of default.nix 2022-10-21 08:24:07 -07:00
289745f41a split zsh config out of home-manager.nix monolith 2022-10-21 08:20:30 -07:00
d9caf70c6c home-manager: remove 'enable' option 2022-10-21 07:43:20 -07:00
cf95a6e321 env: alias to mkdir + pushd 2022-10-21 07:06:55 -07:00
155c095be8 moby: bump kernel 6.0.0 -> 6.0.2 2022-10-21 05:57:36 -07:00
bafe7aa3c7 Merge branch 'staging/nixpkgs-2022-10-20' 2022-10-21 02:08:33 -07:00
c9d57f2995 commit ensure-perms script for image post-processing
this was created weeks ago and not committed
2022-10-21 02:04:30 -07:00
a8227bbcbc nix flake update (nixpkgs 2022-10-14 -> 2022-10-19 and others)
2022-10-21 00:42:30 -07:00
1623367b13 commit ensure-perms script for image post-processing
this was created weeks ago and not committed
2022-10-21 00:03:57 -07:00
90b0535c56 env: add gdb to enableDevPkgs
this is especially useful for `coredumpctl`.
maybe useful enough that it should be in `environment.systemPackages`...
2022-10-20 23:55:50 -07:00
760d69efc0 Merge branch 'staging/phosh-lightdm' 2022-10-20 23:55:24 -07:00
f8157961c8 phosh: ensure the user we want to login as is available in AccountsService 2022-10-20 23:41:52 -07:00
25df2ebc28 phosh: lightdm: configure user-session so that the greeter properly launches phosh 2022-10-20 23:20:19 -07:00
33110dc1d9 phosh/lightdm: configure default xorg session 2022-10-20 21:16:38 -07:00
0fa602f1dd lightdm-mobile-greeter: update to 0.1.2
better logging/error handling
2022-10-20 19:59:03 -07:00
48ff8e9ca7 more feedbackd user definition to phosh 2022-10-20 19:59:03 -07:00
366e28e199 home-packages: create a new option to enable devPkgs 2022-10-20 19:59:03 -07:00
06dcd8883a home-packages: create a new option to enable devPkgs 2022-10-20 18:03:01 -07:00
ed03f7f929 lightdm-mobile-greeter: create passthru.xgreeters like other lightdm greeters do 2022-10-20 18:00:23 -07:00
f3bec7bf0a lightdm-mobile-greeter: include .desktop file in output 2022-10-20 07:19:49 -07:00
e6adfe95fa phosh: use lightdm-mobile-greeter
untested, so probably need to change the .desktop path
2022-10-20 05:03:30 -07:00
70d1e14cf8 package lightdm-mobile-greeter 2022-10-20 02:30:58 -07:00
4752371b43 phosh: disable the greeter
none of them work without a keyboard
2022-10-19 08:12:56 -07:00
3e7c112548 phosh: try using the lightdm greeter 2022-10-19 05:18:13 -07:00
a2856a3601 gnome: use deterministic uids/gids (fixes gnome gui build) 2022-10-19 03:56:52 -07:00
53d8bdc0ea sway: enable Alt+L to lock the screen 2022-10-18 23:34:41 -07:00
94a6ca82f3 sway: enable login prompt/greeter 2022-10-18 22:53:13 -07:00
10e9daa085 git: enable git difftool to use difftastic 2022-10-18 19:46:24 -07:00
e11f903aec create/deploy ~/private: an encrypted filesystem
it uses gocryptfs -- a newer alternative to EncFS -- to encrypt
paths and data (but not metadata) onto an underlying backing filesystem
2022-10-18 05:29:36 -07:00
98c2ac21fe zsh: do not remember rm commands 2022-10-17 18:22:28 -07:00
52fe0c7523 enable programs to propagate zsh completions, as suggested by home-manager 2022-10-17 18:21:56 -07:00
825b3e4067 flake update: nixpkgs 2022-10-13 -> 2022-10-14
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ba187fbdc5e35322c7dff556ef2c47bddfd6e8d7' (2022-10-13)
  → 'github:NixOS/nixpkgs/4428e23312933a196724da2df7ab78eb5e67a88e' (2022-10-14)
```
2022-10-15 07:07:23 -07:00
674f852393 freshrss shebang fix: point to upstream PR 2022-10-15 07:04:13 -07:00
fdb77ac588 matrix-appservice-discord: remove
i use mx-puppet now. it works better and requires no patching (at least
yet. maybe it will in the future to support threads).
2022-10-15 02:25:57 -07:00
05cb85fd9b freshrss: import my feeds on start
it's a little clunky in that it seems to need some refreshes
before it gets them, but it works.
2022-10-15 01:41:53 -07:00
8f0a270154 readme: document how to build nixpkgs and cross packages 2022-10-15 01:28:30 -07:00
fae87d3fbc servo: pleroma: switch logging from debug -> warn 2022-10-15 00:39:55 -07:00
75ae16aaab feeds: refactor 2022-10-14 22:37:02 -07:00
8a1ea79f1f feeds: simplify/abstract the OPML generation 2022-10-14 09:37:40 -07:00
b25f270f48 feeds: convert to ordinary nix expression instead of config/options
there's no real reason for it to be externally configurable at this
level.
2022-10-14 09:02:50 -07:00
e023f48c52 publish latest uninsane blog (nixos upstreaming) 2022-10-14 08:04:41 -07:00
3d7a63e4f9 nautilus: patch gtk4 settings schema bug via upstream PR 2022-10-14 07:10:35 -07:00
d296475e64 home: add cdrtools to rip CDs 2022-10-14 04:21:00 -07:00
f031e489a3 nautilus: look for the gtk4 FileChooser settings instead of the gtk4 one 2022-10-14 01:15:33 -07:00
699204c5f5 git: disable difftastic until i find how to make it more usable 2022-10-14 01:10:23 -07:00
b25528ecd7 Merge branch 'staging/nixpkgs-2022-10-14' 2022-10-13 22:16:06 -07:00
130dd3f895 freshrss: patch in correct shebangs 2022-10-13 22:15:30 -07:00
fcf60bae35 servo: persist the freshrss data 2022-10-13 21:49:54 -07:00
5b5187bd03 flake update: nixpkgs 2022-10-09 -> 2022-10-13, others
```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/0bf9b6da8c4d0ee31c3e988c99893de4da7df74a' (2022-10-10)
  → 'github:nixos/mobile-nixos/e4b6f680b2a4f29f087a7c1299c11499d1a367b6' (2022-10-14)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/34c5293a71ffdb2fe054eb5288adc1882c1eb0b1' (2022-10-09)
  → 'github:NixOS/nixpkgs/ba187fbdc5e35322c7dff556ef2c47bddfd6e8d7' (2022-10-13)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/e179d1e57ad07f1294dcc29ad5283b214a6ae21e' (2022-10-10)
  → 'github:NixOS/nixpkgs/e06bd4b64bbfda91d74f13cb5eca89485d47528f' (2022-10-12)
• Updated input 'uninsane':
    'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=25df079540cb669fb5e735631fe03a4d113d1c73' (2022-10-11)
  → 'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=70e7d8e94a6240a5ce976bbc514e0979b7178190' (2022-10-14)
```
2022-10-13 21:41:02 -07:00
43123e78cb servo: use user/group names instead of ids for service dir ownership 2022-10-13 18:00:59 -07:00
9305d44fde servo: add freshrss service 2022-10-13 17:52:43 -07:00
ac0d7cc1e5 flake update: nixpkgs: 2022-10-08; uninsane updated
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/c5924154f000e6306030300592f4282949b2db6c' (2022-10-08)
  → 'github:NixOS/nixpkgs/34c5293a71ffdb2fe054eb5288adc1882c1eb0b1' (2022-10-09)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/9282141c8bc05568ec0e342eac39df72603aa9fa' (2022-10-09)
  → 'github:NixOS/nixpkgs/e179d1e57ad07f1294dcc29ad5283b214a6ae21e' (2022-10-10)
• Updated input 'uninsane':
    'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=ea196acf408451150a86d4d41114be04529eaf41' (2022-10-11)
  → 'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=25df079540cb669fb5e735631fe03a4d113d1c73' (2022-10-11)
```
2022-10-11 21:24:41 -07:00
711778a975 servo: nginx stateless deployment of the main blog
i.e. no need to run `make publish` when rebuilding the blog anymore.
instead, push blog changes, then `nix flake update; nixos-rebuild switch`
2022-10-11 05:27:51 -07:00
590c81c5db update uninsane-dot-org dependency 2022-10-11 05:16:20 -07:00
e858afea72 add uninsane.org sources as a flake input
one can build the site from here with:

```
nix build '.#uninsane.uninsane-dot-org'
```
2022-10-11 03:22:40 -07:00
4abac0162f remove impermanence nixpkgs override 2022-10-11 02:20:36 -07:00
8fa591229f env: RSS: simplify implementation 2022-10-11 02:05:27 -07:00
a118e17b32 home: RSS: specify feeds in a friendlier schema 2022-10-11 01:50:46 -07:00
8afe0c0be5 env: RSS populate a .opml file which can be manually imported into NewsFlash 2022-10-11 01:30:17 -07:00
aa6153aa56 newsflash: persist data dir 2022-10-11 01:30:10 -07:00
69a7e2fae1 home: add newsflash (RSS viewer)
it's configurable via OPML in the UI, maybe possible to hack in a CLI
if i code against the underlying library/API
2022-10-10 18:57:37 -07:00
eec4e288f3 gpodder: fix \n instead of actual newline in generated OPML 2022-10-10 18:35:27 -07:00
f84e451a9e home: switch back to vlc for audio 2022-10-10 17:30:29 -07:00
dacbfa0493 users: allow moby to ssh into any device 2022-10-10 17:27:01 -07:00
fbd8a70102 flake: plumb my nixpkgs through to dependencies 2022-10-10 17:19:57 -07:00
17b6dc56bd flake update: mobile-nixos: 2022-10-04 -> 2022-10-10
```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/ca872f1a617674c4045e880aab8a45037e73700b' (2022-10-04)
  → 'github:nixos/mobile-nixos/0bf9b6da8c4d0ee31c3e988c99893de4da7df74a' (2022-10-10)
```
2022-10-10 17:17:33 -07:00
f464a80541 net: rename iphone SSID 2022-10-10 04:54:02 -07:00
f663243ad4 net: nit: normalize the SSID_PLAINTEXT field 2022-10-09 23:28:52 -07:00
94d9348b73 net: fix missing [Security] section for iphone.psk 2022-10-09 23:28:31 -07:00
6a44432d3f home: configure mpv as default audio player 2022-10-09 18:37:19 -07:00
9047aec7e9 home: clean up xdg/mime-types definitions 2022-10-09 17:42:48 -07:00
b702031ddf home: remove unused packages rmlint and gnome-podcasts 2022-10-09 17:36:32 -07:00
d5686426bf remove old dart update patch 2022-10-09 17:02:23 -07:00
85e249913a update: nixpkgs 2022-10-06 -> 2022-10-08 2022-10-09 17:01:48 -07:00
d50b8c1315 env: split RSS feeds out of home-manager 2022-10-09 05:43:53 -07:00
336301258f enable difftastic git rendering 2022-10-09 04:43:39 -07:00
645ca3764b vim: disable mouse mode by default >.> 2022-10-08 23:17:26 -07:00
22602283c9 browser: gracefully handle OCSP outages 2022-10-08 21:54:00 -07:00
39b963e87b flake update: sops and its deps
```
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/912f9ff41fd9353dec1f783170793699789fe9aa' (2022-09-26)
  → 'github:Mic92/sops-nix/0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3' (2022-10-09)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/ff9793cfd1a25145a7e591af604675b3d6f68987' (2022-09-26)
  → 'github:NixOS/nixpkgs/7b06206fa24198912cea58de690aa4943f238fbf' (2022-10-08)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/00f877f4927b6f7d7b75731b5a1e2ae7324eaf14' (2022-09-26)
  → 'github:NixOS/nixpkgs/b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5' (2022-10-09)
```

the only change appears to be that sops updated its own reference to
nixpkgs.
2022-10-08 21:43:41 -07:00
1a5f1260e2 Merge branch 'staging/2022-10-08-flutter-update' 2022-10-08 21:39:37 -07:00
c18e8eddcc zsh: enable zmb builtin 2022-10-08 20:12:50 -07:00
874c352987 net: add psk for connecting to my mobile hotspot 2022-10-08 19:24:55 -07:00
0395c5b8ee update nixpkgs: 2022-10-06 and rebase Kaiteki 2022-10-08 18:21:38 -07:00
f64c44716e home: persist fractal IM data 2022-10-08 05:42:02 -07:00
b2b61d2889 net: hex-encode the home network names.
otherwise iwd doesn't seem to understand them?
2022-10-07 20:39:26 -07:00
4f05a00e4a RSS: add Doomberg 2022-10-07 20:13:26 -07:00
c71346e9b8 servo: matrix: enable mx-puppet-discord for better Discord bridging 2022-10-07 04:33:23 -07:00
f5576c3667 servo: matrix: rename discord.nix -> discord-appservice.nix
this is in contrast to e.g. mx-discord-puppet, which i'll be trying soon
2022-10-07 02:16:01 -07:00
b437ddacd9 servo: disable matrix irc bridge by just not importing the nix file 2022-10-07 02:04:25 -07:00
68bda8aea7 servo: migrate ipfs options (to kubo) 2022-10-06 23:47:16 -07:00
d840f947b3 Merge branch 'staging/nixpkgs-2022-10-05' 2022-10-06 18:25:22 -07:00
d4261c45e6 nixpkgs: 2022-10-02 -> 2022-10-05, plus mobile-nixos update
```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/efa5b5fae930370753d2e09361b38d10f0e0a00d' (2022-10-03)
  → 'github:nixos/mobile-nixos/ca872f1a617674c4045e880aab8a45037e73700b' (2022-10-04)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/59d2991d4256cdca1c0cda45d876c80a0fe45c31' (2022-10-02)
  → 'github:NixOS/nixpkgs/37bd39839acf99c5b738319f42478296f827f274' (2022-10-05)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/9cac45850280978a21a3eb67b15a18f34cbffa2d' (2022-10-01)
  → 'github:NixOS/nixpkgs/fe76645aaf2fac3baaa2813fd0089930689c53b5' (2022-10-04)
```
2022-10-06 18:24:35 -07:00
6e01c59d08 default-initialize gnome keyrings, and persist them to disk 2022-10-06 17:29:10 -07:00
9052291b31 add script to initialize the gnome keyring 2022-10-06 17:21:59 -07:00
a95884d635 env: enable home-manager-help command; add libsecret to env 2022-10-06 15:56:37 -07:00
0e9993923d servo: matrix: move irc config to own file 2022-10-06 02:19:44 -07:00
cc12b87d0e servo: matrix: use username/groupname instead of uid/gid for impermanence 2022-10-06 01:55:25 -07:00
a5393c3c84 servo: matrix: break the discord bridge out of default.nix 2022-10-06 01:54:46 -07:00
e1cd1be48d Merge branch 'staging/discord' 2022-10-06 01:38:49 -07:00
37b931418d servo: matrix-appservice-discord: disable annoying quirks
like bad edits, bot replies, etc.
2022-10-06 01:35:00 -07:00
a3db626a00 servo: matrix-appservice-discord: hide keys in sops, and enable. 2022-10-05 22:38:20 -07:00
ca239ca3e6 matrix: set up Discord bridge
verified working after i fill in the Discord secrets, but i need to find
a way to provide those outside of the nix store.
2022-10-05 22:02:07 -07:00
6c38500e52 servo: patch matrix-appservice-discord to allow 100% puppeting 2022-10-05 19:29:40 -07:00
0c4dd28bc8 env: include sqlite to debug databases 2022-10-05 02:46:11 -07:00
47f378e7fc servo: consolidate service enumeration to services/default.nix 2022-10-04 23:08:03 -07:00
0648825765 moby: update kernel 6.0.0-rc4 -> 6.0.0 (release) 2022-10-04 15:57:15 -07:00
5f277f8653 moby: fix up CMA allocations so fractal (gui app) works
this probably enables other apps like Element; untested
2022-10-04 02:25:59 -07:00
5929286397 update nixpkgs: 2022-09-30 -> 2022-10-02
have to add nixpkgs stable to pin electrum to a buildable version

```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/42a30393b5eccaf7f73104fc39a71f0801340f5f' (2022-10-01)
  → 'github:nixos/mobile-nixos/efa5b5fae930370753d2e09361b38d10f0e0a00d' (2022-10-03)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/10ecda252ce1b3b1d6403caeadbcc8f30d5ab796' (2022-09-30)
  → 'github:NixOS/nixpkgs/59d2991d4256cdca1c0cda45d876c80a0fe45c31' (2022-10-02)
```
2022-10-03 13:49:01 -07:00
8847147a9d Revert "electrum: fix build using upstream patch instead of own"
the proposed fix doesn't work on x86_64

This reverts commit 5058694c5b.
2022-10-03 01:01:39 -07:00
5682a3e5f1 moby: remove some dead/commented-out code 2022-10-02 20:43:52 -07:00
6bc9337b3a phosh-mobile-settings: include all the needed buildInputs 2022-10-02 19:15:44 -07:00
5058694c5b electrum: fix build using upstream patch instead of own 2022-10-02 16:42:13 -07:00
94e03467ab Merge branch 'staging/nixpkgs-2022-09-30' 2022-10-02 04:42:31 -07:00
2ff9cc9d6c pkg: sane-mount-servo: comment/note a fix about a bug i saw in this script 2022-10-02 01:26:50 -07:00
a38d66073d env: add packages for tagging mp3s 2022-10-02 01:25:31 -07:00
f486fa9eda env: symlink servo media into Videos and Music 2022-10-02 01:24:42 -07:00
e3faabfad7 update nixpkgs: 2022-09-28 -> 2022-09-30
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/854fdc68881791812eddd33b2fed94b954979a8e' (2022-09-28)
  → 'github:NixOS/nixpkgs/10ecda252ce1b3b1d6403caeadbcc8f30d5ab796' (2022-09-30)
```
2022-10-02 01:20:50 -07:00
7d4a7df2dd replace deprecated runCommandNoCC with runCommand (fixes imgs.moby build) 2022-10-01 23:51:29 -07:00
93177fffb3 pkgs: install the Fractal matrix client
i'll try to deploy this to the Pinephone, because it looks very modern
and supports E2E
2022-10-01 02:53:28 -07:00
bc482a2621 nix flake update: mobile-nixos: 2022-09-30 -> 2022-10-01
```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/b082416ae3169e00552b8b0933c9f38ae50f181b' (2022-09-30)
  → 'github:nixos/mobile-nixos/42a30393b5eccaf7f73104fc39a71f0801340f5f' (2022-10-01)
```
2022-09-30 21:35:24 -07:00
381d41e3b4 phosh-mobile-settings: point to upstream PR 2022-09-30 21:29:37 -07:00
469aa50b64 phosh-mobile-settings: fix .desktop file to display in phosh 2022-09-30 20:58:48 -07:00
6dbd107a07 phosh-mobile-settings: remove unneeded gnome schema refs (for real this time) 2022-09-30 18:31:27 -07:00
ffcc1ab49a Merge branch 'staging/phosh-mobile-settings' into HEAD 2022-09-30 18:29:21 -07:00
f78b06bc88 phosh-mobile-settings: remove the unneeded gnome schema ref 2022-09-30 18:27:07 -07:00
b88a20b0f4 phosh-mobile-settings: link phosh plugins into the plugins dir 2022-09-30 18:21:12 -07:00
56f484f460 install phosh-mobile-settings 2022-09-30 18:21:12 -07:00
151fdad014 phosh-mobile-settings: init at 0.21.1 2022-09-30 18:21:12 -07:00
16371a37b9 upstream element electron update 2022-09-30 18:10:18 -07:00
034f29a897 phosh-mobile-settings: link phosh plugins into the plugins dir 2022-09-30 18:03:20 -07:00
ef2d58a5a2 install phosh-mobile-settings 2022-09-30 17:19:08 -07:00
b109bc5586 phosh-mobile-settings: init at 0.21.1 2022-09-30 17:00:05 -07:00
434b299eca element-desktop: upgrade electron 19 -> 20 2022-09-30 16:17:17 -07:00
40e7a12ea3 flake update: mobile-nixos: 2022-09-27 -> 2022-09-30
```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/1164f6bdedd68c633c1ac03bf64484bc586a709b' (2022-09-27)
  → 'github:nixos/mobile-nixos/b082416ae3169e00552b8b0933c9f38ae50f181b' (2022-09-30)
```
2022-09-30 14:51:51 -07:00
77579733c6 phosh-0.21.1: point to upstream PR 2022-09-30 05:40:41 -07:00
861defcc6e phosh: 0.21.0 -> 0.21.1 2022-09-30 05:17:48 -07:00
7d62212c24 moby: disable nixos documentation
it slows down the build too much to be worth it
2022-09-30 04:44:29 -07:00
120bb23f3c flutter: fix hash (again) 2022-09-30 03:55:42 -07:00
ccb442c875 flutter: update hash
hopefully it's not too unstable...
2022-09-29 20:23:34 -07:00
aa5fc023a9 Merge branch 'update/nixpkgs-2022-09-28' 2022-09-29 18:14:44 -07:00
487dfd3378 sane-reclaim-disk-space: add --fast flag to skip rmlint check 2022-09-29 17:54:45 -07:00
2180361eaf update nixpkgs: 2022-09-26 -> 2022-09-28
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/62228ccc672ed000f35b1e5c82e4183e46767e52' (2022-09-26)
  → 'github:NixOS/nixpkgs/854fdc68881791812eddd33b2fed94b954979a8e' (2022-09-28)
```
2022-09-29 17:16:17 -07:00
d6e34c6e98 net: rename encrypted .psk files -> .psk.bin 2022-09-29 06:12:51 -07:00
10c7a8d779 delete old network manager files 2022-09-29 06:10:35 -07:00
3184c6cfb6 net: switch to iwd for better experience
iwd, vs. wpa_supplicant, has smarter metrics for choosing which
wireless networks to connect to when multiple are in range.
2022-09-29 06:08:33 -07:00
26c8d2d2d4 networking: replace env symlinks with sops native path feature 2022-09-29 03:33:48 -07:00
13531744d3 element-desktop: 1.11.5 -> 1.11.8
i'm trying to get an element build that works well on moby
2022-09-29 02:04:10 -07:00
4fd9650ee6 nixpatches: update outstanding sane PRs 2022-09-28 16:17:09 -07:00
529e47a5fa disable the pinephone proximity sensor
it's just bad UX.
2022-09-28 05:33:08 -07:00
83b27526cb Revert "update nixpkgs 2022-09-26 -> 2022-09-27"
although nixpkgs-unstable 2022-09-27 boots fine on lappy,
phosh reliably fails to start on moby.

This reverts commit ae8d708018.
2022-09-28 05:31:19 -07:00
570619b097 first stab at switching to iwd (it didn't work) 2022-09-28 05:25:34 -07:00
ae8d708018 update nixpkgs 2022-09-26 -> 2022-09-27
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/62228ccc672ed000f35b1e5c82e4183e46767e52' (2022-09-26)
  → 'github:NixOS/nixpkgs/7e52b35fe98481a279d89f9c145f8076d049d2b9' (2022-09-27)
```
2022-09-28 04:18:04 -07:00
b5cab38348 feeds: add Kaiteki commit log 2022-09-27 23:45:26 -07:00
bb7e2ee70a moby: enable hardware.driSupport
not extensively tested, but the basics seem to work.
2022-09-27 23:23:37 -07:00
ae220ab2e1 nixpatches: point whalebird update to upstream PR 2022-09-27 23:21:46 -07:00
050c8d15de whalebird: pin electron version 2022-09-27 21:42:56 -07:00
af5834c3fc whalebird: 4.6.0 -> 4.6.5 2022-09-27 21:24:39 -07:00
30ef2b651a zecwallet: 1.7.13 -> 1.8.8 2022-09-27 20:54:21 -07:00
8d185f1bbc update nixpkgs: 2022-09-25 -> 2022-09-26
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/79d3ca08920364759c63fd3eb562e99c0c17044a' (2022-09-25)
  → 'github:NixOS/nixpkgs/62228ccc672ed000f35b1e5c82e4183e46767e52' (2022-09-26)
```
2022-09-27 16:00:54 -07:00
b1a4fb9ccb pkgs: remove dead zecwallet-lite pkg code 2022-09-27 05:29:00 -07:00
8df4415218 kaiteki: build from github patch instead of my own source tree
this helps ensure the upstreaming goes ok
2022-09-27 05:27:41 -07:00
9a6e0b4451 kaiteki: fix vendorHash 2022-09-27 05:09:17 -07:00
90fb89390e pkg: kaiteki: fix up desktop and icon files 2022-09-27 04:52:34 -07:00
fbc747fc22 home: install gnome-weather 2022-09-27 04:35:16 -07:00
ad8da9dfa6 sane ssh mounts: enable noCheck to silence syslog warnings 2022-09-27 04:33:28 -07:00
32036ec45e flake update: mobile-nixos 2022-08-28 -> 2022-09-27
```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/09e388c42298fa777caa7738cd8d8d2b6d1ac8db' (2022-08-28)
  → 'github:nixos/mobile-nixos/1164f6bdedd68c633c1ac03bf64484bc586a709b' (2022-09-27)
```
2022-09-27 01:14:06 -07:00
90107c024e kaiteki: update from 2022-08-31 -> 2022-09-03 2022-09-27 00:16:47 -07:00
d466c0b942 bump kaiteki: 2022-06-03 -> unstable-2022-08-31 2022-09-26 23:20:31 -07:00
8a6460e1b0 home: persist gPodder downloads
i checked `gpo set`: there doesn't appear to be a way to configure the
Downloads dir, so just let gpodder use its preferred dir.
2022-09-26 17:56:48 -07:00
370ae917b9 home: persist vlc state 2022-09-26 17:48:55 -07:00
b223a3a20e Merge branch 'update/nixpkgs-2022-09-25' 2022-09-26 17:16:15 -07:00
f70a62def5 home: configure app associations for .pdf and .md files 2022-09-26 17:02:14 -07:00
7863d12263 nix flake update. nixpkgs: 2022-09-{24 -> 25}; sops-nix: 2022-09-{25 -> 26}
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/fde244a8c7655bc28616864e2290ad9c95409c2c' (2022-09-24)
  → 'github:NixOS/nixpkgs/79d3ca08920364759c63fd3eb562e99c0c17044a' (2022-09-25)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/17f009daf09992d2342657f9bd7b44d877cd00e1' (2022-09-25)
  → 'github:Mic92/sops-nix/912f9ff41fd9353dec1f783170793699789fe9aa' (2022-09-26)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/72bdd03f0d5696412b25a93218acaad530570d30' (2022-09-24)
  → 'github:NixOS/nixpkgs/ff9793cfd1a25145a7e591af604675b3d6f68987' (2022-09-26)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/aee4db5b9eaccd3fb7f16c742685fef9dc355077' (2022-09-24)
  → 'github:NixOS/nixpkgs/00f877f4927b6f7d7b75731b5a1e2ae7324eaf14' (2022-09-26)
```
2022-09-26 15:41:14 -07:00
2703bda28c feeds: add some more podcasts 2022-09-26 03:46:45 -07:00
68982b7f2a env/home: associate audio/video mime types with good default apps 2022-09-26 02:21:09 -07:00
5ed7888710 moby: switch to manjaro alsa UCM files
the "internal speaker" is broken -- not sure if this minor change will
fix that or not
2022-09-26 01:42:31 -07:00
eb02b8aa23 Revert "moby: roll-back kernel from 6.0.0-rc4 to 5.19.8"
This reverts commit e381b1d2dd.
2022-09-26 01:27:09 -07:00
29d3a6f9b2 moby: ship alsa UCM2 files for pinephone
hopefully this will fix audio problems?
2022-09-26 00:46:38 -07:00
e381b1d2dd moby: roll-back kernel from 6.0.0-rc4 to 5.19.8
the 6.0.0 kernel wouldn't always boot to GUI, and power button would
instantly power-off the device instead of activating the display.

hopefully 5.19 works better.
2022-09-25 22:41:56 -07:00
592b96e436 moby: bump kernel to 6.0.0-rc4
i hope this will improve audio issues
2022-09-25 20:20:31 -07:00
beda2b5238 net: share connections between all devices by not specifying the adapter name 2022-09-25 18:03:23 -07:00
f40dfdee0c RSS: add Dilbert 2022-09-25 16:38:38 -07:00
7a153903b1 update nixpkgs 2022-09-22 -> 2022-09-24
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ae1dc133ea5f1538d035af41e5ddbc2ebcb67b90' (2022-09-22)
  → 'github:NixOS/nixpkgs/fde244a8c7655bc28616864e2290ad9c95409c2c' (2022-09-24)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/bae718a9d1e31ec478ddfcb75149f66e9625a825' (2022-09-18)
  → 'github:Mic92/sops-nix/17f009daf09992d2342657f9bd7b44d877cd00e1' (2022-09-25)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/0cfb3c002b61807ca0bab3efe514476bdf2e5478' (2022-09-17)
  → 'github:NixOS/nixpkgs/72bdd03f0d5696412b25a93218acaad530570d30' (2022-09-24)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/17989edb05615c4f61803b9c427d80b84c289c6b' (2022-09-17)
  → 'github:NixOS/nixpkgs/aee4db5b9eaccd3fb7f16c742685fef9dc355077' (2022-09-24)
```
2022-09-25 04:13:42 -07:00
c5d2549ee4 servo: fix Pleroma
it would be nice if i could switch back to upstream Pleroma at some
point. that would require migrating the database.

alternatively, switching to a patch on top of upstream Pleroma might be
easier.
2022-09-24 15:09:11 -07:00
d8b2b73463 pleroma: enable debugging 2022-09-24 14:06:47 -07:00
0c304e18eb flake update: nixpkgs 2022-09-18 -> 2022-09-22
in particular, hoping this will fix pleroma start sequence

```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/f677051b8dc0b5e2a9348941c99eea8c4b0ff28f' (2022-09-18)
  → 'github:NixOS/nixpkgs/ae1dc133ea5f1538d035af41e5ddbc2ebcb67b90' (2022-09-22)
```
2022-09-23 23:45:36 -07:00
38f55661c2 sane: tame matrix and transmission log levels 2022-09-23 23:03:31 -07:00
863f6a8c7b gitea: decrease log level from info to warn 2022-09-23 15:48:29 -07:00
b3a4a95e28 servo: disable jellyfin to stop syslog spam
i also don't use it much anymore. mostly navidrome.
may be useful in future when i want DLNA support.
2022-09-23 15:29:33 -07:00
554bb5a84f gitea: port config to nixos-unstable 2022-09-23 06:23:35 -07:00
12308f00f1 servo: fix navidrome build 2022-09-23 05:33:17 -07:00
34b013f82a gpodder: auto-import feeds on launch 2022-09-23 04:14:46 -07:00
2456317004 RSS: add Sam Kriss 2022-09-23 02:25:26 -07:00
2316b4a3ce NetworkManager: store (and deploy) wifi connections to all devices
i haven't saved the hard-wired connection on desko/servo, but i think
that's alright: they should be DHCP'd.
2022-09-22 18:28:03 -07:00
5558da55d5 readme: document how to build custom sane packages 2022-09-22 17:44:57 -07:00
09e8510d0e fluffychat: fix .desktop file to reference the wrapped version 2022-09-22 17:44:42 -07:00
4b3b71bb84 fluffychat: mention TODO for desktop files 2022-09-22 05:25:18 -07:00
bee4fb4ea3 env: persist fluffychat directory 2022-09-22 05:24:06 -07:00
20872d3733 fluffychat: use software rendering to fix for moby 2022-09-22 05:06:32 -07:00
7be0a33522 Merge branch 'wip.fluffychat.2022.09.20' into nixos-unstable 2022-09-21 16:52:21 -07:00
5f8268cecd fluffychat: fix arm hashes so it builds 2022-09-21 16:48:45 -07:00
00c22c1ca7 fix flutter build (x86-64; arm is untested) 2022-09-21 04:29:44 -07:00
8e63857794 home-packages: ship xdg-open on GUI systems
this is needed by gpodder, but useful generally
2022-09-21 04:22:17 -07:00
cdbfa2d177 moby: limit boot entries to 10 2022-09-21 03:25:23 -07:00
e66692eecd enable fluffychat -- though reproducibility may suffer
i've applied this patch, but modified the sha:
- <https://github.com/NixOS/nixpkgs/pull/186839>
2022-09-21 02:58:35 -07:00
18ca147b67 pkgs: add gpodder podcast player
the maintainer says it's CLI configurable, so long-term i should be able
to find a way to configure it with nix.
2022-09-21 01:59:40 -07:00
8f231cde33 update nixpkgs: 2022-09-16 -> 2022-09-18 (and sops)
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/da6a05816e7fa5226c3f61e285ef8d9dfc868f3c' (2022-09-16)
  → 'github:NixOS/nixpkgs/f677051b8dc0b5e2a9348941c99eea8c4b0ff28f' (2022-09-18)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/20929e1c5722a6db2f2dbe4cd36d4af0de0a9df0' (2022-09-11)
  → 'github:Mic92/sops-nix/bae718a9d1e31ec478ddfcb75149f66e9625a825' (2022-09-18)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/a25f0b9bbdfedee45305da5d1e1410c5bcbd48f6' (2022-09-10)
  → 'github:NixOS/nixpkgs/0cfb3c002b61807ca0bab3efe514476bdf2e5478' (2022-09-17)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/e6f053b6079c16e7df97531e3e0524ace1304d4d' (2022-09-11)
  → 'github:NixOS/nixpkgs/17989edb05615c4f61803b9c427d80b84c289c6b' (2022-09-17)
```
2022-09-20 22:31:49 -07:00
f9c8563506 switch to nixos-unstable. some notes:
- fluffychat doesn't build, so disabled (that's a known issue with the
  active flutter work).
- everything else builds, lappy boots OOTB fine.
  - browser works
  - vim works
  - Element starts
  - Sublime Music works
  - Discord works (verrry slow to load -- maybe just a first update thing)
2022-09-20 22:31:47 -07:00
3669a05db5 env: add krita to desktops 2022-09-20 21:02:41 -07:00
618b7b934e home: allow old Discord clients to start 2022-09-20 04:39:28 -07:00
fe2c0b47bc nix flake update (nixpkgs: 2022-09-17 -> 2022-09-19, plus sops)
but Discord is still out of date :'(

```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/f21492b413295ab60f538d5e1812ab908e3e3292' (2022-09-17)
  → 'github:NixOS/nixpkgs/20dc478985d6545df53f0153f4af125eb014083d' (2022-09-19)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/20929e1c5722a6db2f2dbe4cd36d4af0de0a9df0' (2022-09-11)
  → 'github:Mic92/sops-nix/bae718a9d1e31ec478ddfcb75149f66e9625a825' (2022-09-18)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/a25f0b9bbdfedee45305da5d1e1410c5bcbd48f6' (2022-09-10)
  → 'github:NixOS/nixpkgs/0cfb3c002b61807ca0bab3efe514476bdf2e5478' (2022-09-17)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/e6f053b6079c16e7df97531e3e0524ace1304d4d' (2022-09-11)
  → 'github:NixOS/nixpkgs/17989edb05615c4f61803b9c427d80b84c289c6b' (2022-09-17)
```
2022-09-20 04:22:42 -07:00
3b02fb5f48 RSS: add 60 minutes 2022-09-20 01:16:28 -07:00
355a982cf0 rmlint: don't output a json file 2022-09-18 02:34:32 -07:00
8ff7e22ac8 lappy: enable the LAN nix cache
might want to be smarter about this, but for now it lets us reuse large
packages built on desko instead of rebuilding them locally.
2022-09-18 02:07:34 -07:00
cb0c122080 rmlint: run as sudo 2022-09-18 02:04:50 -07:00
d84600cfcf update nixpkgs 2022-09-18 00:49:57 -07:00
dc44d8098e fix flutter build for aarch64 2022-09-16 04:49:15 -07:00
58c6c1dd7d try to get fluffychat building against nixpkgs master
it fails
```
$ nix log /nix/store/2hzd4bjscfxarzdq73nhiqxmqimbwkzd-fluffychat-1.2.0.drv
...
../tmp.lqD0WQYq9a/.pub-cache/hosted/pub.dartlang.org/flutter_typeahead-3.2.4/lib/src/flutter_typeahead.dart:936:9: Error: No named parameter with the name 'maxLengthEnforced'.
```
2022-09-16 01:58:56 -07:00
933996d34e ship fluffychat (Matrix client)
this works on lappy and is fairly responsive.
want to try it on moby.
2022-09-15 20:29:27 -07:00
2a1932d602 replace the local makemkv patch with upstream instead 2022-09-15 20:24:07 -07:00
a6fd6a0a6d firefox: uBlock: enable the GDPR cookie prompt blocker 2022-09-15 18:49:16 -07:00
b42b6e7ce2 browser: remove "i don't care about cookies" extension
the maintainer announced that it's acquired by Avast.
clear conflict of interest; i don't trust Avast.
2022-09-15 16:12:57 -07:00
e9da458179 nix-serve: open firewall port (for desko) 2022-09-14 18:19:56 -07:00
ee3793ad46 nixcache: use desko as a substituter 2022-09-14 14:45:33 -07:00
b8ab7c1fa9 desko: enable nix-serve 2022-09-14 14:45:07 -07:00
cdbde672d8 lift nix-serve out of servo
i'm going to enable it on desktop
2022-09-14 14:32:31 -07:00
08bd619ef9 update nixpkgs 2022-09-11 -> 2022-09-13
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/dd1f4d982445a7d1b1869baa42f8f0f9bc606714' (2022-09-11)
  → 'github:NixOS/nixpkgs/d86a4619b7e80bddb6c01bc01a954f368c56d1df' (2022-09-13)
```
2022-09-14 00:43:51 -07:00
c91948c565 nix flake update: nixpkgs 2022-09-09 -> 2022-09-11
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/45b56b5321aed52d4464dc9af94dc1b20d477ac5' (2022-09-09)
  → 'github:NixOS/nixpkgs/dd1f4d982445a7d1b1869baa42f8f0f9bc606714' (2022-09-11)
```
2022-09-12 19:35:49 -07:00
f3ba1d488d nix flake update: nixpkgs 2022-09-02 -> 2022-09-09 (and sops update)
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/67e45078141102f45eff1589a831aeaa3182b41e' (2022-09-02)
  → 'github:NixOS/nixpkgs/45b56b5321aed52d4464dc9af94dc1b20d477ac5' (2022-09-09)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/044ccfe24b349859cd9efc943e4465cc993ac84e' (2022-09-05)
  → 'github:Mic92/sops-nix/20929e1c5722a6db2f2dbe4cd36d4af0de0a9df0' (2022-09-11)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/21de2b973f9fee595a7a1ac4693efff791245c34' (2022-09-02)
  → 'github:NixOS/nixpkgs/a25f0b9bbdfedee45305da5d1e1410c5bcbd48f6' (2022-09-10)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/013e8d86d9a3f33074c903c8ffcab0d34087b1ed' (2022-09-03)
  → 'github:NixOS/nixpkgs/e6f053b6079c16e7df97531e3e0524ace1304d4d' (2022-09-11)
```
2022-09-11 00:22:56 -07:00
11a2dbd684 sway: add gnome-control-center 2022-09-10 03:49:36 -07:00
2fb4bae804 servo: tune ipfs resource use 2022-09-09 17:51:26 -07:00
61ce0e62e9 sway: configure displays for lappy, too. 2022-09-08 14:57:44 -07:00
315d9b8703 sway: enforce screen positioning 2022-09-06 23:16:42 -07:00
c5a69a401f sway: hide window borders if only window on workspace 2022-09-06 23:07:41 -07:00
b8e42a0ada programs: add speedtest-cli 2022-09-06 19:49:49 -07:00
1fa7724b35 sane-scripts: fix missing file input 2022-09-06 19:46:07 -07:00
10c6801ccd sane-which: only cat text-based files 2022-09-06 18:08:44 -07:00
8d051d319f flake: update (nixpkgs: 2022-08-25 -> 2022-09-02)
```
• Updated input 'impermanence':
    'github:nix-community/impermanence/e7c6fbbe9076109263175ef992ca6edc1050973c' (2022-08-22)
  → 'github:nix-community/impermanence/def994adbdfc28974e87b0e4c949e776207d5557' (2022-08-31)
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/87e579471c42def38f719028ad6c5d746f26027b' (2022-07-31)
  → 'github:nixos/mobile-nixos/09e388c42298fa777caa7738cd8d8d2b6d1ac8db' (2022-08-28)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/058de3818577db19d1965c21e2479916a3eaaf95' (2022-08-25)
  → 'github:NixOS/nixpkgs/67e45078141102f45eff1589a831aeaa3182b41e' (2022-09-02)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/6068774a8e85fea4b0177efcc90afb3c3b74430b' (2022-08-21)
  → 'github:Mic92/sops-nix/044ccfe24b349859cd9efc943e4465cc993ac84e' (2022-09-05)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/0cc6444e74cd21e8da8d81ef4cd778492e10f843' (2022-08-20)
  → 'github:NixOS/nixpkgs/21de2b973f9fee595a7a1ac4693efff791245c34' (2022-09-02)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/9a91318fffec81ad009b73fd3b640d2541d87909' (2022-08-20)
  → 'github:NixOS/nixpkgs/013e8d86d9a3f33074c903c8ffcab0d34087b1ed' (2022-09-03)
```
2022-09-06 15:48:18 -07:00
c0a41def22 impermanence: don't persist authorized_keys.d 2022-08-31 17:25:57 -07:00
f0334db736 secrets: update for moby keys 2022-08-31 17:25:21 -07:00
cd89ea884b secrets: update moby keys 2022-08-31 17:01:41 -07:00
13b937fbb7 fix up /mnt/desko-root to be usable as a remote /nix store 2022-08-30 22:25:22 -07:00
877870a522 net: hardcode the host/IPs for desko/servo/lappy 2022-08-30 21:56:04 -07:00
956545a795 move universal/env/users.nix -> universal/users.nix 2022-08-30 21:48:19 -07:00
cb98ac2a91 fs: add desko-root 2022-08-30 21:14:12 -07:00
85add7c531 add a script to mount servo root 2022-08-30 19:55:15 -07:00
df379a2a38 packages: only deploy makemkv to x86 machines 2022-08-26 22:20:21 -07:00
d49ac8c175 update nixpkgs 2022-08-12 -> 2022-08-25; impermanence, sops
```
• Updated input 'impermanence':
    'github:nix-community/impermanence/2f39baeb7d039fda5fc8225111bb79474138e6f4' (2022-03-01)
  → 'github:nix-community/impermanence/e7c6fbbe9076109263175ef992ca6edc1050973c' (2022-08-22)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/5c211b47aeadcc178c5320afd4e74c7eed5c389f' (2022-08-12)
  → 'github:NixOS/nixpkgs/058de3818577db19d1965c21e2479916a3eaaf95' (2022-08-25)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/34ee98b8c2ca153a23a63c1841a0a067313856d5' (2022-08-02)
  → 'github:Mic92/sops-nix/6068774a8e85fea4b0177efcc90afb3c3b74430b' (2022-08-21)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/a3fddd46a7f3418d7e3940ded94701aba569161d' (2022-07-30)
  → 'github:NixOS/nixpkgs/0cc6444e74cd21e8da8d81ef4cd778492e10f843' (2022-08-20)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/a26a6f4529878fbfe5f1f287dcdff4a287c58def' (2022-07-31)
  → 'github:NixOS/nixpkgs/9a91318fffec81ad009b73fd3b640d2541d87909' (2022-08-20)
```
2022-08-26 18:20:14 -07:00
5a4dd3b38d nixpatches: remove custom zecwallet-lite patch and point upstream instead 2022-08-25 19:12:31 -07:00
ed98b1702a packages: add MakeMKV (along with an update to 1.17.1)
MakeMKV doesn't allow old versions to run unregistered.

PR which updates MakeMKV in nixpkgs:
<https://github.com/NixOS/nixpkgs/pull/188342>
2022-08-25 19:09:06 -07:00
5b5103f660 packages: add gnome-system-monitor to gui systems 2022-08-25 16:03:07 -07:00
91d37f2532 vim: show tabs and expand them to spaces 2022-08-25 15:57:48 -07:00
66d79329d9 vim: set conceallevel=2 by default
and show pretty fractions in tex-conceal-vim
2022-08-25 00:59:13 -07:00
c6485a5e42 vim: highlight markdown-style code fences
e.g.
```tex
did you know $\frac29 == \frac4{18}$ ?
```
2022-08-25 00:17:33 -07:00
e54af3f571 RSS: add miniature-calendar.com 2022-08-24 19:46:23 -07:00
c39170be23 formatting nits 2022-08-24 19:46:10 -07:00
a532825761 add nabla vim plugin, but deactivate it. 2022-08-24 19:44:32 -07:00
4faa6d5d5f home: switch from youtube-dl -> yt-dlp
it's more actively maintained, or something.
2022-08-22 02:39:56 -07:00
fe09b08be2 gnome-feeds: reduce refresh threads 6 -> 3
this should make it less demanding on the pinephone
2022-08-20 12:49:35 -07:00
9e53053526 RSS: add Ian Henry 2022-08-20 12:49:09 -07:00
56036b13c3 sane-scripts: sane-dev-cargo-loop: add tput reset between runs 2022-08-19 02:26:59 -07:00
9ed4a13a6f sane-scripts: move src/bin/ -> src/ 2022-08-19 02:11:46 -07:00
1446f5e8ca new script: sane-dev-cargo-loop for running a build command on fs change 2022-08-19 02:01:27 -07:00
118007075f sane-scripts: package using resholve
this makes it easier to propagate paths in and such.
it does more sanity checking than e.g. `wrapProgram`,
plus it doesn't do any indirection -- rather, substitution.
2022-08-19 01:51:04 -07:00
25c75b10bf new script: sane-which: traces PATH lookups 2022-08-19 00:13:16 -07:00
56637bb649 RSS: add Daniel Janus 2022-08-18 19:47:58 -07:00
62d6c4d688 packages: add soundconverter 2022-08-18 04:00:12 -07:00
b05c256809 apps: add foliate, an epub viewer 2022-08-15 02:21:31 -07:00
a30d6fd51f servo: bump /tmp space from 16 GB -> 40 GB
this is necessary because kernel builds (for moby) are *huge*
2022-08-13 17:57:46 -07:00
da3070479f update nixpkgs: 2022-08-11 -> 2022-08-12
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/45c9736ed69800a6ff2164fb4538c9e40dad25d6' (2022-08-11)
  → 'github:NixOS/nixpkgs/5c211b47aeadcc178c5320afd4e74c7eed5c389f' (2022-08-12)
```
2022-08-13 14:27:21 -07:00
287547d46c gui packages: add pavucontrol 2022-08-11 17:14:39 -07:00
2f0bbef76b RSS: add SMBC, XKCD 2022-08-11 17:09:51 -07:00
2ba1678cd8 remove nixpkgs input from modules/ or machines/ 2022-08-11 17:05:10 -07:00
c162225789 moby: rework the cross-compiling situation
we build the `pkgs.cross` kernel, which can be emulated or
cross-compiled based on the specific target (`moby` vs. `moby-cross`).
2022-08-11 17:02:41 -07:00
f052e2226d nit: home-manager: fix indentation 2022-08-11 15:47:40 -07:00
48774c8940 RSS: add IEEE spectrum 2022-08-11 15:45:35 -07:00
7a7e4c9df7 update flake: nixpkgs 2022-08-10 -> 2022-08-11
hoping there's a Discord update in here :-)

```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e4c9d950a3c54a0760b127d406f6528eb625eed8' (2022-08-10)
  → 'github:NixOS/nixpkgs/45c9736ed69800a6ff2164fb4538c9e40dad25d6' (2022-08-11)
```
2022-08-11 15:36:40 -07:00
de2bb05a04 update flake deps: nixpkgs 2022-08-07 -> 2022-08-10
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/92fe622fdfe477a85662bb77678e39fa70373f13' (2022-08-07)
  → 'github:NixOS/nixpkgs/e4c9d950a3c54a0760b127d406f6528eb625eed8' (2022-08-10)
```
2022-08-10 16:48:29 -07:00
65a4aa4135 pkgs: add emote emoji picker 2022-08-10 16:47:39 -07:00
0e611ba3d4 sublime: disable song notifications 2022-08-09 23:12:51 -07:00
c5b132b8c8 persist sublime music config
we encode the whole config as a secret. that's because it contains the
auth info. not *that* much else is of interest in it. it doesn't appear
to be stateful, thankfully: the state is in
~/.local/share/sublime-music.
2022-08-09 23:10:21 -07:00
8d2c8d44f3 disable kaiteki: its packaging is non-deterministic and i can't get a stable hash for which it builds 2022-08-09 19:49:09 -07:00
7b311eaf2d flake update: nixpkgs 2022-08-03 -> 2022-08-07
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/478f3cbc8448b5852539d785fbfe9a53304133be' (2022-08-03)
  → 'github:NixOS/nixpkgs/92fe622fdfe477a85662bb77678e39fa70373f13' (2022-08-07)
```
2022-08-09 18:03:48 -07:00
eecf51d344 moby: use megous linux kernel 2022-08-09 18:01:48 -07:00
eaef2f2325 desko: bump /tmp size to 64G
we need just shy of 30G to build a kernel: better to have too much /tmp
space than not enough
2022-08-09 17:58:35 -07:00
fc629082e6 moby: lift the kernel definition out into its own file 2022-08-09 15:26:41 -07:00
bbb384c70a pkg megi's kernel
this won't likely build cleanly: it uses floats in places, which isn't
well supported in kernel builds.
2022-08-09 14:39:42 -07:00
e2f6977244 moby: package/ship the rtl8723cs bluetooth driver
with this, bluetooth works immediately after boot (well, maybe only
after the second boot after a deploy... logs are weird when NTP
activates).
2022-08-08 22:13:17 -07:00
05ab747650 moby: fix kernel config (remove CONFIG_ prefixes) 2022-08-08 20:36:39 -07:00
913c9e5fdf moby: cross-compile the kernel 2022-08-08 20:36:35 -07:00
f0b772d688 moby: research more RTL BT kernel config (from manjaro) 2022-08-08 16:43:27 -07:00
f328043966 moby: research some more RTL BT kernel configs 2022-08-08 16:37:39 -07:00
6758440ce3 moby: add the RTL8723CS wifi driver
it works! bluetooth still needs debugging.
2022-08-08 16:03:58 -07:00
9e4bfc2fce moby: switch from linux latest to linux 5.18
doesn't fix my WiFi issue, but will be easier to build on
2022-08-08 16:03:58 -07:00
d3193bc051 moby: bump to latest kernel (5.19) 2022-08-08 16:03:58 -07:00
c0b6d46575 moby: try building with mainline linux 2022-08-08 16:03:58 -07:00
808153f939 new package: lshw (list hardware) 2022-08-08 15:45:46 -07:00
78dfb03c2b x86: remove the useless kernelModules = []
i believe this is a relic from the original `nixos-generate-config` run,
which doesn't understand that this statement is useless
2022-08-06 19:37:52 -07:00
b1ae5b0f9c RSS: add blog: blog.dshr.org 2022-08-05 16:45:30 -07:00
7a6bb04e86 update nixpkgs: 2022-08-01 -> 2022-08-03 2022-08-05 15:49:35 -07:00
3565e96dc5 moby/phosh: try to enable bluetooth (doesn't seem to find adapter) 2022-08-05 15:47:53 -07:00
54754de6fa moby: enable mobile-nixos' firmware (notably: bluetooth) 2022-08-05 14:42:08 -07:00
281be29b90 home: move podcasts from gfeeds to vlc 2022-08-05 00:46:17 -07:00
465478271a new package: sublime-music music player 2022-08-04 23:49:53 -07:00
7003f7407e servo: add navidrome music streaming service 2022-08-04 23:33:34 -07:00
890e1b17e2 RSS: add some podcasts 2022-08-04 19:16:15 -07:00
34af63fab0 RSS: tag with content type (tech, rat, pol, uncat) 2022-08-04 16:43:36 -07:00
8e8a326dce RSS: add frequency tags to each feed 2022-08-04 16:35:04 -07:00
da3c25eff6 RSS: add more feeds 2022-08-04 16:17:51 -07:00
43782ae734 gnome-feeds: tune config 2022-08-04 14:20:21 -07:00
2204a54456 add a base config for gnome feeds
just copied what it stored in .config, and will tune this later
2022-08-04 14:16:37 -07:00
e80e37ae29 moby: persist the whole .librewolf dir 2022-08-04 14:05:24 -07:00
505a5f8b47 packages: add ffmpeg 2022-08-04 03:52:08 -07:00
216282a345 kitty: enable for even non-gui platforms
i don't get it entirely, but otherwise things start breaking
2022-08-04 03:33:42 -07:00
6f88302430 packages: lossless-cut: only deploy to x86 2022-08-03 18:39:03 -07:00
228f8c0a68 packages: add losslesscut video editor 2022-08-03 16:35:25 -07:00
a3111d250f moby: ship without mobile-nixos' stage-1
the stage-1 fails to handle impermanence
2022-08-03 16:23:36 -07:00
9976c82946 impermanence: don't persist _all_ of /etc/ssh -- just the important parts 2022-08-03 14:54:36 -07:00
42951a1382 home-packages: provide a way for the user to disable common gui packages -- without disabling the entire shell 2022-08-03 02:07:34 -07:00
e5ff11d14b packages: minor refactoring 2022-08-03 02:03:17 -07:00
95e7d86cc7 packages: address a TODO by moving extra stuff into home-manager 2022-08-03 01:51:15 -07:00
21c9ce21cc servo: packages: clarify why we include matrix-synapse explicitly 2022-08-03 01:42:56 -07:00
65bcaa939e make some shared boot/hardware settings universal 2022-08-03 01:39:19 -07:00
38cd3bdb96 home-manager: only enable kitty on GUI systems 2022-08-03 01:23:23 -07:00
8059477edd dhcpcd: automatically enable the user, if detected.
not sure this is the *best* place for it, but then, what is?
2022-08-03 00:41:59 -07:00
46a0e949f9 update nixpkgs 2022-07-31 -> 2022-08-01 2022-08-02 23:34:12 -07:00
f86c6390a5 image building instructions: no need to manually create /persist dirs anymore 2022-08-02 17:10:32 -07:00
b60a7ed7d5 image: fix issue that persist/ paths aren't created 2022-08-02 17:08:26 -07:00
d29e69e18a packages: add nmon
it's like htop, but does better for disk and network
2022-08-02 16:04:03 -07:00
042bd9340b image building: fix comment for relPath 2022-08-02 16:03:32 -07:00
c6fbbbab66 moby: fix missing / as tmpfs 2022-08-02 16:02:14 -07:00
b1205e964b moby: migrate the user definitions to phosh.nix 2022-08-02 16:00:37 -07:00
7d39a761cf flake: fix docs about root:nixbld ownership 2022-08-02 15:59:28 -07:00
8a0da17f05 duplicity: add TODO about impermanence support 2022-08-02 15:58:56 -07:00
de8f658dcd new package: unar
use as `unar path/to/archive`. can do gzip, cpio, etc.
2022-08-02 14:01:16 -07:00
5c2f33a550 add missing 'toString' in image builder 2022-08-01 23:11:16 -07:00
0ec48a9145 kitty: explore some color themes 2022-08-01 17:12:36 -07:00
408e817c39 rename modules/{nix -> nixcache}.nix 2022-08-01 15:10:40 -07:00
ba6d0b7e3d machines: moby: enable impermanence (experimental)
last time i tried to rebuild nixos on the pinephone it didn't switch,
IIRC. i don't know why, but i expect it'll be easier to manage my
machines if i keep more of the setup consistent across them.

likely i'll tune this to be more lenient on moby (e.g. persist all of
.librewolf).
2022-08-01 14:38:40 -07:00
4d7d96f4a4 machines: moby: remove w3m: it's already included in the common config 2022-08-01 14:38:10 -07:00
1a9dfe22ba image builder: integrate impermanence so that we create such things as /var/log
untested
2022-08-01 14:37:19 -07:00
8ae0d77938 image: document the config options 2022-08-01 14:01:46 -07:00
b53d2f945d impermanence: remove /srv
this is for "service directories": public, protocol-based fs access.
e.g. /srv/ftp might be a share which is exposed over FTP.
/srv/www might be a share which is exposed over www (or webdav).
2022-08-01 13:36:42 -07:00
f67ca0bd24 nixpatches: remove dead jackett, Discord patches 2022-08-01 13:30:47 -07:00
d196ce29ac pkgs: move logseq to x86-only package section 2022-08-01 13:25:57 -07:00
f03238daac update mobile-nixos: 2022-06-27 -> 2022-07-31; nixpkgs 2022-07-30 -> 2022-07-31 2022-08-01 13:19:12 -07:00
f9ab3b7cf1 sway: wifi: show signal strength
i'd prefer to show the essid instead of the interface name,
but there's no way to truncate that to just N characters,
so we overflow if we do that.
2022-08-01 00:50:57 -07:00
40bc4098ad lappy: disable guest account 2022-08-01 00:25:08 -07:00
451816f623 rename config.{colinsane -> sane} 2022-08-01 00:23:49 -07:00
9dea707eea kitty: ctrl+n opens a new OS terminal in the CWD 2022-07-31 23:42:13 -07:00
0875d5cb52 TODO: fix formatting 2022-07-31 18:11:02 -07:00
0de0749fb4 nixpatches: link to Discord opensar patches
maybe i'll remove this later, but i want them at least in the git
history :-)
2022-07-31 18:09:58 -07:00
ac772e72b8 document how to make Electron apps use wayland natively 2022-07-31 18:09:28 -07:00
d44db610cb switch vim => nvim
also install some plugins, like vim-surround and fzf
2022-07-31 18:09:01 -07:00
79b3bfc9e7 discord: fix urls to open in correct web-browser 2022-07-31 16:14:56 -07:00
6608e2bf6d vim: store swap files under ~/.cache/vim-swap
untested
2022-07-31 12:00:06 -07:00
19e0bd4780 update: nixpkgs: 2022-07-28 -> 2022-07-30
sops: 2022-07-24 -> 2022-07-31
2022-07-31 11:55:56 -07:00
18bb89ded0 lappy: enable guest account 2022-07-31 11:35:15 -07:00
4aa3e6cf24 update: nixpkgs: 2022-07-28 -> 2022-07-28 (same date version) 2022-07-30 14:22:38 -07:00
ee621cd132 pkgs: add visidata 2022-07-29 23:51:11 -07:00
641b32b8d0 fix jackett build (by disabling the check phase. manually verified: still works) 2022-07-29 20:08:35 -07:00
d69db1df37 update: nixpkgs: 2022-07-27 -> 2022-07-28 2022-07-29 13:57:43 -07:00
6d44c93b5a update: nixpkgs: 2022-07-26 -> 2022-07-27 2022-07-28 12:40:48 -07:00
32be025ec6 update: nixpkgs: 2022-07-25 -> 2022-07-26 2022-07-27 12:35:09 -07:00
ce5bfc68f5 update nixpkgs: 2022-07-24 -> 2022-07-25 2022-07-26 13:08:50 -07:00
b1773a9b54 update nixpkgs: 2022-07-22 -> 2022-07-24 2022-07-25 12:25:53 -07:00
3fe67e744f sway: fix waybar styling
apparently setting any `style` attribute clears all the defaults,
so if i want to set the font via the style then i need to include
all the defaults as well.
2022-07-25 00:00:11 -07:00
ea61d22764 Sway: add additional shortcuts for managing volume 2022-07-24 18:09:15 -07:00
d92994bcd2 sway: fixed-width network area 2022-07-24 13:50:06 -07:00
a5d14a643e obsidian: persist the .config/obsidian directory 2022-07-24 13:49:54 -07:00
4c1bc06441 update sops-nix 2022-07-24 13:18:34 -07:00
730b4f9d9b update nixpkgs: 2022-07-21 -> 2022-07-22 2022-07-23 02:20:36 -07:00
59f8191830 add nb personal knowledge manager, and its optional dep: w3m 2022-07-23 02:00:38 -07:00
af4e70c4c5 update nixpkgs: 2022-07-21 -> 2022-07-21
yes, two releases on the same day :o
2022-07-22 16:54:38 -07:00
5595da2c56 packages: add logseq (markdown/personal knowledge manager) 2022-07-22 14:12:27 -07:00
e52e2c8faa update nixpkgs 2022-07-16 -> 2022-07-21 2022-07-22 03:00:26 -07:00
7563090dd5 update nixpkgs 2022-07-14 -> 2022-07-16 2022-07-19 02:20:42 -07:00
bd44bd4434 home: packages: add Lollypop music player 2022-07-19 02:18:50 -07:00
430e594285 update nixpkgs 2022-07-13 -> 2022-07-14 2022-07-17 00:11:24 -07:00
8f88085eb5 desko: add steam 2022-07-16 03:10:57 -07:00
7375a55d4c home: add cheese webcam viewer 2022-07-15 23:15:58 -07:00
878f9fbe49 ssh: remove dead keys; update moby key 2022-07-15 14:23:33 -07:00
5ec0ee4524 add TODO: remove some dangling hardcoded uid numbers 2022-07-15 01:01:41 -07:00
2f3eda1800 uids/gids: resolve conflicts (prefer servo rules) 2022-07-15 00:15:37 -07:00
8c9c9ca6c9 migrate the rest of the uids/gids to 'allocations' system, but don't fix conflicts 2022-07-15 00:12:13 -07:00
42117f375b introduce an 'allocations' systems for things like uids/gids 2022-07-14 23:58:27 -07:00
ede10dd1c8 impermanence: don't persist /var/lib/nixos 2022-07-14 22:06:19 -07:00
a380e300bc desko: eliminate the non-determinism in /var/lib/nixos/auto-subuid-map 2022-07-14 22:00:53 -07:00
3773aebac0 desko: freeze uids/gids
this will allow (eventually) removing the /var/lib/nixos persisted
state.
2022-07-14 21:53:28 -07:00
8a61be18e1 update nixpkgs 2022-07-10 -> 2022-07-13 2022-07-14 19:15:43 -07:00
c07c106a68 machines: rescue: remove incorrect comment about tmpfs 2022-07-14 16:25:13 -07:00
1a159c8340 Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-07-14 16:24:02 -07:00
6faed74958 home: packages: add gnome-disk-utility 2022-07-14 16:22:21 -07:00
d4d345ca12 machines: add a rescue machine for live-booting 2022-07-14 16:21:59 -07:00
a5b3677adc deps: update nixpkgs 2022-07-08 -> 2022-07-10 2022-07-12 15:08:34 -07:00
97374fdcf4 pkgs: add gthumb image viewer 2022-07-12 02:51:15 -07:00
1062a610c9 image building notes: mkdir /var/log, /var/lib 2022-07-12 02:51:15 -07:00
8f37edb402 transmission: specify download-dir and incomplete-dir instead of bind-mounting them
this appears to fix the permissions issue
2022-07-11 01:54:02 -07:00
99d55167f6 impermanence: only persist service directories if those services are enabled. 2022-07-10 17:58:16 -07:00
e2d7d63ebe impermanence: move application-level impermanence to their package definition 2022-07-10 17:43:57 -07:00
d0b903d50e home-packages: switch to a module.
this will allow for better configuration of packages in future.
2022-07-10 17:14:20 -07:00
9d71041530 impermanence: move the base persisted home-dirs into home-manager, alongside XDG dirs 2022-07-10 15:25:04 -07:00
31e404b04f impermanence: abstract the creation of service directories
better would be to not directly call out user/group, but force them to
be looked up.
2022-07-10 15:15:34 -07:00
01a47932f7 impermanence: abstract the creation of root-owned system directories 2022-07-10 15:07:56 -07:00
5c6f616c97 impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 14:42:33 -07:00
89447d9fe9 update sops-nix: 2022-07-06 -> 2022-07-10 2022-07-10 14:19:50 -07:00
80ac5496be pkgs: ship zecwallet-lite as a patch instead of a custom pkg
this allows me to more easily upstream it.
2022-07-10 02:57:40 -07:00
ce46b3490a home packages: remove zola/gnumake; the repo for uninsane.org configures these now 2022-07-09 14:27:05 -07:00
678958f5cf update: nixpkgs 2022-07-06 -> 2022-07-08 2022-07-09 01:42:25 -07:00
292aa042f2 web browser: remove all bookmarks (migrated elsewhere)
see e.g. https://uninsane.org/links
2022-07-09 01:30:15 -07:00
b2bd8d5f89 persist: zcash directory 2022-07-09 01:00:17 -07:00
06989c613f pkgs: add zecwallet-lite to the home env 2022-07-09 00:55:36 -07:00
c6fbe3574d vpn: rename ovpnd -> ovpnd-us
this is needed to disambiguate it against the other regions.
2022-07-09 00:52:05 -07:00
f790147fb0 add ukraine VPN 2022-07-09 00:48:09 -07:00
dca68a019b pkgs: tor-browser: only enable on x86 2022-07-09 00:00:46 -07:00
fffeb95153 define new package: zecwallet-lite
it seems to work. still waiting for it to sync
2022-07-09 00:00:18 -07:00
461398143c add monero (as package and as persisted directory) 2022-07-08 21:56:49 -07:00
89aabda1a6 home packages: fix tor crash 2022-07-08 01:42:14 -07:00
54f6e86e20 home packages: add gnupg, sequoia 2022-07-08 00:43:56 -07:00
39ba149aab update nixpkgs 2022-07-05 -> 2022-07-06 2022-07-07 17:16:36 -07:00
01ce23130a new package: tor 2022-07-07 16:56:47 -07:00
dc6472f39f electrum: put on all GUI systems 2022-07-07 04:10:57 -07:00
db6dc8e08c persist Signal 2022-07-06 15:14:36 -07:00
3b0d10f05e TODO: remove video drivers item
it seems to be working
2022-07-06 14:47:22 -07:00
978017b4e7 sane-scripts: TODO: don't rely on the user's env 2022-07-06 14:43:59 -07:00
1dd3cab02b split web-browser out of toplevel home-manager.nix file 2022-07-06 14:41:19 -07:00
8fd42f49c2 home packages: remove gcc, rustup 2022-07-06 14:38:39 -07:00
7ec1879f90 home-manager: import from flake.nix, not env/home-manager.nix 2022-07-06 14:36:14 -07:00
c851f44a40 split home packages out of home manager 2022-07-06 14:35:01 -07:00
bcfd2cbdb1 split packages out into home vs. system packages 2022-07-06 14:31:51 -07:00
c58df098d2 split "environment"-related settings into modules/universal/env 2022-07-06 14:23:49 -07:00
dfd1536d19 update sops-nix: 2022-07-03 -> 2022-07-06 2022-07-06 14:20:21 -07:00
3e774241af users.colin: explicitly set group to "users" 2022-07-06 14:19:43 -07:00
a100100e79 impermanence: move import into flake.nix 2022-07-06 14:17:29 -07:00
24fa857ee0 split nix --flake enabling out of modules/nix.nix into universal 2022-07-06 14:16:09 -07:00
6aa79e9e55 x86: remove empty swapDevices 2022-07-06 14:13:49 -07:00
0fa7cdaa76 remove dead reference to telegram 2022-07-06 14:03:45 -07:00
c673e1db92 remove unused nurpkgs 2022-07-06 14:03:28 -07:00
4d3caf6fde bump all deps 2022-07-06 02:50:47 -07:00
2ceb2637d8 remove unnecessary kernelModules
i can't notice any difference with these removed
2022-07-06 02:01:16 -07:00
eb8cfc682f remove opengl modules
they don't seem to be necessary:
- still able to run spirv/vulkan-accelerated stuff at the same rate.
- still able to watch videos at the same CPU load.

i think mesa packages solid drivers that make this part mostly
irrelevant.
2022-07-06 02:00:12 -07:00
5a10805287 hardware.opengl.extraPackages: move to machine-specific files 2022-07-02 23:53:55 -07:00
e73829d2e3 x86_64: add amdvlk and make this code cleaner 2022-07-02 23:45:42 -07:00
670063d998 update nixpkgs, nurpkgs
(we might not need nurpkgs anymore)

nixpkgs: 2022-06-30 -> 2022-07-01
nurpkgs: 2022-06-30 -> 2022-07-02
2022-07-02 15:23:49 -07:00
868325828d browser plugins: fix metamask ref 2022-07-02 14:45:55 -07:00
09700adba2 desko: replace 'electron' package with 'electrum' -- as it was meant to be 2022-07-02 14:45:21 -07:00
a85a0c54c2 bookmarks: add Home Manager config 2022-07-01 04:36:52 -07:00
b7000c6d48 home: set librewolf as the default html handler 2022-07-01 04:36:32 -07:00
f210b22494 switch to librewolf
this is partial: we probably want to persist ~/.librewolf so that
we aren't prompted with the extension notify pages on every start
(or maybe there's a better solution).
2022-07-01 04:25:41 -07:00
25e3c8e2f6 persist the Element session keys 2022-07-01 01:05:46 -07:00
ce5431591c patch Firefox so that we can properly set the default search engine
i'll probably (partially) revert this and switch to librewolf instead.
Firefox takes about 1hr to build.
2022-07-01 01:05:40 -07:00
1e33b1acb8 reminder to configure default XDG apps (e.g. web browser) 2022-06-30 20:45:58 -07:00
d404f279de partial rustup support 2022-06-30 20:45:40 -07:00
9b89b6d1af update nixpkgs, nurpkgs, sops-nix
nixpkgs: 2022-06-26 -> 2022-06-30
nurpkgs: 2022-06-27 -> 2022-06-30
sops-nix: 2022-06-26 -> 2022-06-28
2022-06-30 15:30:35 -07:00
e0dda018ae impermanence: persist more dirs which were eating space on servo 2022-06-30 14:20:38 -07:00
4225315732 home: install screen
this is useful particularly for servo: start screen, launch a
long-running command, and then safely close the tty and the long running
command will persist.
2022-06-30 13:58:28 -07:00
2863dba1e3 home: only install obsidian onto GUI systems
it's not usable in any form without a gui
2022-06-30 13:57:46 -07:00
3cee86298e impermanence: persist the home/records folder 2022-06-30 13:49:54 -07:00
9123c98595 sops: decrypt secrets AFTER /nix/ssh has been mounted 2022-06-30 01:32:03 -07:00
1098c66e8d kitty: disable the terminal bell 2022-06-30 00:43:08 -07:00
8db30b5de9 servo: enlarge the /tmp tmpfs so we can build large nix packages 2022-06-30 00:17:05 -07:00
948d169b33 image: don't populate the /persist directories. these are mostly done on boot. 2022-06-30 00:07:46 -07:00
313d698b97 impermanence: set perms for all these files 2022-06-29 03:58:27 -07:00
1f3c93623f desko: enable snapper for testing 2022-06-29 03:58:11 -07:00
634e5a8c71 servo: use a swap partition instead of a swapfile 2022-06-29 03:29:45 -07:00
92488dd890 complete servo image & port to impermanence
there might still be some bugs to work out here.
this produces a workable image, but with some uncertainty
around that swapfile (the first attempt had /swapfile living on a
tmpfs).
2022-06-29 01:17:53 -07:00
ba69812720 packages: add gnome-feeds RSS viewer 2022-06-29 01:16:11 -07:00
af8e11242d fix up the rpi-specialized u-boot to actually work when deployed
notably: ship the *correct* rpi-4-b.dtb file alongside u-boot.
2022-06-29 01:14:46 -07:00
0aa0334465 new bootpart for u-boot rpi
this needs some tweaking: it doesn't package the right dtb file.
it packages the dtb for the linux kernels, whereas we want dtbs to be
consumed by u-boot.
2022-06-28 21:10:50 -07:00
fd48880a0a nixcache: only enable on moby
it's annoying to rebuild on desko/lappy, and have that fail when servo
is offline/unreachable.
and it's really silly to have servo use its own cache *over the
network*.

long-term would be better to do properly distributed builds instead of
the cache.
2022-06-28 03:44:10 -07:00
9cce427ea4 WIP: add tow-boot files to servo image
i think this breaks the build -- will debug.
2022-06-27 17:11:27 -07:00
08f62152ff update nixpkgs, mobile-nixos, home-manager, sops-nix, nurpkgs
- nixpkgs: 2022-06-23 -> 2022-06-26
- home-manager: 2022-06-22 -> 2022-06-25
- mobile-nixos: 2022-06-03 -> 2022-06-27
- nurpkgs: 2022-06-24 -> 2022-06-27
- sops-nix: 2022-06-20 -> 2022-06-26
2022-06-27 01:34:04 -07:00
d0ff605f19 lappy: setup snapper (automated btrfs snapshots) 2022-06-27 01:28:17 -07:00
42ddd90796 impermanence: persist ~/use 2022-06-26 04:22:57 -07:00
075969540a uninsane.org: force SSL to avoid CORS problems 2022-06-26 04:20:33 -07:00
d7d9c0b9ba cleanup TODO, readme 2022-06-26 03:44:41 -07:00
57886ec3d0 servo: add ipfs service 2022-06-26 03:44:41 -07:00
fd567f8c09 fix secrets file for vpn 2022-06-25 23:04:32 -07:00
ae55ddb5a7 impermanence: cache discord creds 2022-06-25 22:11:16 -07:00
a011abc7ef add desko /var/lib entries to impermanence 2022-06-25 21:18:02 -07:00
75a3e77e77 packages: add nethogs for monitoring bandwidth 2022-06-25 19:50:38 -07:00
d3fa6a31f9 decrease transmission upload bandwidth
i think it's messing with other services (like ipfs) :|
2022-06-25 19:49:48 -07:00
fdcbaae776 servo: firewall: open ipfs ports 2022-06-25 17:51:46 -07:00
7027ea099c packages: ship ipfs 2022-06-25 17:51:24 -07:00
26a756f6a4 impermanence: don't preserve /mnt
directories which are mentioned in `config.fileSystems` automatically
get directories created in /mnt
2022-06-25 15:37:12 -07:00
8c1149b21b impermanence: preserve spotify config 2022-06-24 21:15:58 -07:00
436ade540f tune /var/lib impermanence (for lappy) 2022-06-24 21:10:49 -07:00
18864b2c6f update nixpkgs 2022-06-22 -> 2022-06-23 2022-06-24 16:20:16 -07:00
2e8eaab536 flake.nix: document the image building/flashing process
i wish i could fixup the perms automatically,
but `chown root:root` during the image building doesn't seem to work
reliably. hmm.
2022-06-24 16:04:25 -07:00
3ecdcdfaaf add nvme kernel module to x86_64.
this enables the initrd to boot on desko
2022-06-24 03:25:02 -07:00
c39d0d1667 rebuild desko and flash it
haven't booted into it yet (we'll see!)
2022-06-24 02:07:40 -07:00
37a7f19ecb fix bootpart-uefi-x86_64 to allow selecting old nixos generations at boot 2022-06-24 01:35:52 -07:00
84e57ec3d8 lappy: add a dedicated /tmp fs 2022-06-24 01:02:26 -07:00
17d2029ba2 image: make the gpt headerHole configurable 2022-06-24 00:53:43 -07:00
2e7795a938 add a package which could be used to install tow-boot onto a rpi4 (or rpi3) 2022-06-24 00:50:00 -07:00
d38f17207b remove extlinux bootloader wrapper: use colinsane.extraBootFiles 2022-06-24 00:10:07 -07:00
065d139cbc add a package which populates a /boot dir with everything needed to read extlinux.conf on x86
this will replace our weird generic-extlinux-compatible wrapper in
future patches.
2022-06-23 23:43:38 -07:00
d1aa9d190e expose packages to the toplevel flake
this lets us build custom packages, separately from the entire system.

i also change the overlay slightly, just because it doesn't make sense
to induce the recursive case or rely on `next` when not necessary.
2022-06-23 23:26:51 -07:00
0780b2f04c tow-boot-rpi4: fix hash 2022-06-23 23:26:27 -07:00
e7f05fa2ec */fs.nix: remove extraneous mkDefaults
these are no longer needed with the new image builder.
2022-06-23 21:21:01 -07:00
66534fed25 pkgs: add tow-boot-rpi4
NB: haven't tested the build
2022-06-23 21:17:47 -07:00
bf6ac1b7ae moby: enable boot.loader.generic-extlinux-compatible.enable 2022-06-23 19:56:40 -07:00
4ea5b6244f pkgs/overlay: fix extra pkgs/ ref 2022-06-23 19:04:45 -07:00
b244e8e845 moby: properly flash firmware as part of the image build 2022-06-23 19:01:04 -07:00
7bf962942e kaiteki: update hash 2022-06-23 17:47:01 -07:00
0edf62a31f extlinux-builder: handle the case that /boot/EFI/BOOT is not empty 2022-06-23 17:46:41 -07:00
69cad1ca55 update nixpkgs 2022-06-20 -> 2022-06-22; nurpkgs 2022-06-22 -> 2022-06-23 2022-06-23 16:29:19 -07:00
187c2f2406 lappy: switch back to the existing fs uuids 2022-06-23 16:28:12 -07:00
ac050ac390 move the canTouchEfiVars into the right place 2022-06-23 16:26:46 -07:00
c6f2eaca45 extlinux-builder: respect target directory CLI arg 2022-06-23 16:24:39 -07:00
a299f111a4 move patch list out of flake.nix 2022-06-23 16:03:58 -07:00
fe51bb9ab4 flake: remove extraneous toplevel items from outputs 2022-06-23 15:57:20 -07:00
f7da8e2218 flake: simplify decl-bootable-machine 2022-06-23 15:53:35 -07:00
5fe65a1c52 flake: remove unused parameters 2022-06-23 15:49:59 -07:00
6801e934af move the custom packages overlay into pkgs/overlay.nix 2022-06-23 15:47:35 -07:00
f0857181c0 decrease the moby-specific stuff in flake.nix 2022-06-23 15:42:20 -07:00
835036fc6a make image.nix a first-class module 2022-06-23 15:31:19 -07:00
46dc2fb521 extend image builder to support btrfs 2022-06-23 15:28:33 -07:00
ea04b86a68 image builder: make aware of impermanence
now you can boot an impermanent install fully unattended.
2022-06-23 04:48:33 -07:00
0acb2e138b image building: enable impermanence
note that it still needs an interactive `mkdir /mnt-root/nix/var/{lib,log}`
in the initrd.
2022-06-23 03:39:09 -07:00
0579faaf89 get an image which can boot to a login prompt unattended
NB: this breaks compat with the existing lappy install.
need to switch back to impermanence, and switch the disk uuids too.
2022-06-23 02:24:52 -07:00
d80bd7d162 inline image building, and (for lappy) use a generic-extlinux-compatible bootloader
the generic bootloader will allow more code-sharing with rpi and
pinephone. desko should soon use the generic bootloader as well.

problems: lappy can't boot from USB stick. it makes it to the initrd,
but there's no dev nodes for the USB drive.
unsure if this is how it was before, too.
2022-06-23 00:24:39 -07:00
19f00b1ae9 update nixpkgs 2022-06-17 -> 2022-06-20 2022-06-22 17:09:52 -07:00
1d7dc6761f scripts for connecting/disconnecting to my VPN 2022-06-22 16:14:16 -07:00
44f63c31da move nixos config from /etc/nixos to /home/colin/dev/nixos 2022-06-21 02:23:19 -07:00
1dd791874a remove himalaya: we're using aerc now 2022-06-21 02:02:04 -07:00
aefd31b1f6 impermanence: granularize the /home/colin mounts 2022-06-21 01:59:31 -07:00
924b91564e fix aerc connection settings 2022-06-21 00:21:32 -07:00
55f82260d5 impermanence: persist /etc/machine-id 2022-06-21 00:02:57 -07:00
ceef35af96 add aerc accounts.conf to secret store (and home-manager) 2022-06-20 23:55:43 -07:00
27ce21cda4 add aerc: a better terminal mail client
TODO: home-manager integration. its config file doesn't obviously
support passwords, but i could possibly encode it as a secret and
bind-mount the secret location, or symlink it?
2022-06-20 17:55:17 -07:00
6c810bc82c update lappy key 2022-06-20 16:03:52 -07:00
2228be615e fix sane-secrets-update-keys script to work on shallow folders 2022-06-20 16:03:30 -07:00
4d0509af5d new script to update all sops secrets in a directory
also, rename secrets scripts to be grouped
2022-06-20 15:57:13 -07:00
c0dad51c6a add sane script to convert ssh -> sops key 2022-06-20 15:40:17 -07:00
b6de07a731 ddns-he: start timer on boot 2022-06-20 15:36:48 -07:00
69e9cbae96 update lappy ssh key.
TODO: this means its sops key has also changed.
2022-06-20 03:30:17 -07:00
fa131fe39f lappy: enable impermanence
it mostly went smooth, though i lost a .ssh key.
probably the best upgrade process is to do most of the heavy work in the
initrd:

write the new nix config, notably, configuring a tmpfs / mount
and moving the previous / to /nix.
then boot and in the initrd, move all the `/nix/nix/...` items
up a level.
2022-06-20 03:28:01 -07:00
68f066229b tool to dump SOPS account info (including totp) 2022-06-19 23:54:36 -07:00
786282d9c4 new script to clean space from the nix store 2022-06-19 20:18:57 -07:00
e6a88b41b2 replace whalebird patch with upstream patch 2022-06-19 16:15:07 -07:00
324e9c9b56 add some useful utilities (to initrd and home-manager) 2022-06-19 15:57:20 -07:00
878b5ed1b6 update nixpkgs, nurpkgs, sops 2022-06-19 15:55:57 -07:00
a91914053d transmission: disable the anti-brute-force option
this should allow me to more reliably log in from anywhere.
2022-06-18 18:47:22 -07:00
d0209cb80f sway: add xdg-open
this lets applications (Discord, etc) open links in the correct
application instead of me manually copy/pasting them.
2022-06-18 18:10:11 -07:00
09d071dd53 nixpatches: update Whalebird patch to upstream PR 2022-06-18 17:41:27 -07:00
a031beee18 servo: transmission: relax the umask (to hopefully make files globally readable) 2022-06-18 15:54:27 -07:00
1f7d4b632d done (a while ago): "port helpers/ to module system", so cross it off 2022-06-18 01:04:59 -07:00
ea1111331c sane scripts: migrate an old servo utility to this repo 2022-06-18 00:35:04 -07:00
427d17d218 fix xdg src -> dev dir 2022-06-17 17:52:31 -07:00
ea9c201590 cleanup: home-manager: use with pkgs; to reduce repetition 2022-06-16 15:02:38 -07:00
d9f3209d8c sway: enable bluetooth (and gui bluetooth manager) 2022-06-16 14:52:02 -07:00
7bd9a0abc9 update nixpkgs 2022-06-12 -> 2022-06-15; nurpkgs 2022-06-14 -> 2022-06-16 2022-06-16 14:38:14 -07:00
f4533ea7d6 new script to sync phone to pc 2022-06-15 18:01:40 -07:00
b50150b52e enable stuff needed for ifuse/iphone photo syncing 2022-06-15 17:22:27 -07:00
10612012fb packages: add audacity 2022-06-14 17:29:46 -07:00
faf0cf691c re-enable the nix command (nix build, nix flake, etc)
it was accidentally disabled in the move away from configuration.nix
2022-06-14 14:20:54 -07:00
a9d167cf14 remove configuration.nix
it's no longer needed in nixos-22.05
2022-06-14 02:48:22 -07:00
dfb7c997bb tidy up servo /mnt points
now we maintain /mnt/servo-media as a link to the "fastest" mountpoint
2022-06-14 00:13:39 -07:00
7535986932 fs: add desko mount & rework servo mount to use mdns 2022-06-13 22:25:38 -07:00
1a40daeb25 update nixpkgs, nurpkgs to latest 2022-06-13 18:47:49 -07:00
10937c93d4 duplicity: attempt to limit bandwidth 2022-06-12 15:26:33 -07:00
2b8ff8d5ae rename 'uninsane' machine -> 'servo' 2022-06-12 15:11:41 -07:00
39049c8a9c sway: add battery indicator
would be nice to hide it on desktop?
2022-06-12 01:01:12 -07:00
ab66c9383b sane-scripts: add a script for syncing Music 2022-06-11 17:54:29 -07:00
c11f565226 create a package to hold useful system scripts 2022-06-11 17:40:15 -07:00
02b5436573 update nixpkgs/nixos-22.05: 2022-06-09 -> 2022-06-11 2022-06-11 15:54:46 -07:00
fb15f84f1d desko: enable duplicity backups 2022-06-10 01:43:48 -07:00
60294c60c3 add backblaze-b2 package 2022-06-10 01:32:48 -07:00
7da3d48272 migrate duplicity config to a module
this will let other machines reuse it
2022-06-10 01:30:57 -07:00
6c1acb5b9a fs: add uninsane lan mount
also fix the gid (100 = users group)
2022-06-10 00:38:02 -07:00
defcc15b03 desko: update fs UUIDs 2022-06-10 00:32:50 -07:00
22bcfe8853 rotate sops key for desko 2022-06-10 00:32:19 -07:00
86a15aaa83 update install instructions 2022-06-10 00:20:38 -07:00
8780f0444f nixpkgs 2022-06-07 -> 2022-06-09; nurpkgs up 2022-06-09 19:18:24 -07:00
cd43247d2c enable himalaya for sending and receiving email
sent messages don't get copied to the sent mailbox, but oh well.
problem for another day.
2022-06-09 18:58:42 -07:00
cf4cde548a implement OVPN wireguard service 2022-06-09 17:41:03 -07:00
2f08252432 move sway-specific home packages to sway.nix 2022-06-09 15:10:51 -07:00
431061b423 home-manager: move programs.waybar to sway.nix 2022-06-09 15:05:58 -07:00
2595c0b4e0 home-manager: move wayland.windowManager.sway to sway.nix 2022-06-09 15:01:38 -07:00
51bf327290 port helpers/home-manager-gen-colin.nix to modules system 2022-06-09 14:50:24 -07:00
bc51244c52 move helpers/universal -> modules/universal 2022-06-09 14:06:31 -07:00
492506ab01 remove the last remnants of the old secrets system.
using SOPS exclusively now
2022-06-08 17:07:48 -07:00
ff002c3197 matrix: port secrets to sops 2022-06-08 17:03:41 -07:00
117b69d39e pleroma: port secrets to sops 2022-06-08 16:46:32 -07:00
46b0f10b9d nix-serve: port secrets to sops 2022-06-08 16:27:35 -07:00
e188db9344 postfix/dovecot: convert secrets to sops 2022-06-08 15:59:02 -07:00
85f16d9732 ovpn config: use sops for secrets 2022-06-08 14:39:10 -07:00
bc9450a0fa port ddns-he to sops secret 2022-06-08 14:32:16 -07:00
364f76b59e move uninsane secrets to a machine-global file 2022-06-08 14:22:43 -07:00
1670732475 update nixos-22.05 2022-06-04 -> 2022-06-07 2022-06-08 13:24:44 -07:00
ed50ea4b4b sway: configure emoji fonts 2022-06-08 13:02:28 -07:00
05559c9c39 secrets: move uninsane secrets so nix config is valid on other hosts 2022-06-07 23:29:57 -07:00
a313f61351 duplicity: migrate secrets to sops 2022-06-07 02:33:11 -07:00
d2ea4c5ffe migrate duplicity PASSPHRASE to sops 2022-06-06 19:06:53 -07:00
c7252f9c96 phosh: enable opengl; wayland support for electron apps 2022-06-06 18:10:19 -07:00
4689d49d9f secrets: add lappy host key to access list 2022-06-06 18:07:28 -07:00
3fea4297a8 secrets: add moby host to the access list 2022-06-06 18:05:28 -07:00
fbd99f0069 re-encrypt keys for uninsane host 2022-06-06 17:53:39 -07:00
a900d9e692 sops: add uninsane host key 2022-06-06 17:52:26 -07:00
d33d5a4582 hardware-x86_64: port to modules system 2022-06-06 17:51:35 -07:00
9c60924513 remove gui/i3 2022-06-06 17:43:55 -07:00
d6b2cf8ded gui/gnome: port to module system 2022-06-06 17:42:57 -07:00
fbad6bda2e gui/plasma-mobile: port to module system 2022-06-06 17:41:35 -07:00
5bae11fcbc gui/phosh: port to module system 2022-06-06 17:39:40 -07:00
d28738eb0e gui/sway: port to module system 2022-06-06 17:35:28 -07:00
14eaa6484e move sops config to a dedicated file 2022-06-06 17:25:33 -07:00
b10b6c4aab sops: add uninsane.colin to access list 2022-06-06 16:57:35 -07:00
0a1c959cb5 sops: add moby and lappy pubkeys 2022-06-06 16:54:05 -07:00
1c16348724 secrets: add an example sops secret 2022-06-06 16:39:27 -07:00
73cd1d9242 update TODO 2022-06-06 01:19:29 -07:00
fa7a2186ca lappy: switch to sway 2022-06-06 01:17:08 -07:00
f1950485e9 home: enable networkmanager stuff 2022-06-06 01:01:05 -07:00
3dd360a817 home: enable nix-index (for nix-locate) 2022-06-06 00:51:19 -07:00
12e6e638b8 update nixpkgs 2022-06-03 -> 2022-06-04; nurpkgs -> 2022-06-06 2022-06-06 00:20:47 -07:00
c994fdc6b6 configure GIT_EDITOR=vim 2022-06-06 00:06:03 -07:00
acf89605d1 correctly configure the EDITOR
N.B.: git is still using nano! wtf git?
2022-06-05 23:58:26 -07:00
8ef29966b3 cleanup: remove unnecessary arguments from nix config 2022-06-05 23:44:01 -07:00
d737acd2eb kaiteki: use unstable-based versioning; desktopItems instead of desktopItem 2022-06-05 23:30:58 -07:00
e736f81d0b home: add zenity for use by Kaiteki 2022-06-05 23:24:55 -07:00
7498361162 whalebird: use mkDerivation's desktopItems 2022-06-05 21:52:25 -07:00
6eff3e8f11 nixpatches: fold the whalebird stuff together to match github PR 2022-06-05 21:25:58 -07:00
7de4160121 remove phosh patch and use upstream diff 2022-06-05 21:19:03 -07:00
3643c79786 whalebird: apply PR feedback 2022-06-05 20:48:02 -07:00
e0de6de3da kaiteki: only ship for x86_64 2022-06-05 15:06:16 -07:00
9f6eb846f9 whalebird: upstream 2022-06-05 14:53:57 -07:00
a1c1a54e31 whalebird: fix tray icon 2022-06-05 14:44:28 -07:00
10db7ff8d2 pkgs/kaiteki: fix broken vendor hash
i didn't realize that changing the package version invalidated the vendor hash :|
2022-06-05 04:17:30 -07:00
0e20ca3abe pkgs/kaiteki: cleanup 2022-06-05 04:12:36 -07:00
156334e0ff Merge branch 'wip-kaiteki' 2022-06-05 04:03:29 -07:00
0a69b13424 try to add Kaiteki as a package
requires updating dart (flutter), which is causing problems...
2022-06-05 04:02:59 -07:00
fe51c278a0 home: add grimshot screenshot tool to sway 2022-06-05 02:21:46 -07:00
196 changed files with 7525 additions and 1873 deletions

47
.sops.yaml Normal file

@@ -0,0 +1,47 @@
keys:
- &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
- &user_lappy_colin age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
- &user_servo_colin age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
- &user_moby_colin age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
- &host_desko age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
- &host_lappy age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
- &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
- &host_moby age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
creation_rules:
- path_regex: secrets/universal*
key_groups:
- age:
- *user_desko_colin
- *user_lappy_colin
- *user_servo_colin
- *user_moby_colin
- *host_desko
- *host_lappy
- *host_servo
- *host_moby
- path_regex: secrets/servo*
key_groups:
- age:
- *user_desko_colin
- *user_lappy_colin
- *user_servo_colin
- *host_servo
- path_regex: secrets/desko.yaml$
key_groups:
- age:
- *user_desko_colin
- *user_lappy_colin
- *host_desko
- path_regex: secrets/lappy.yaml$
key_groups:
- age:
- *user_lappy_colin
- *user_desko_colin
- *host_lappy
- path_regex: secrets/moby.yaml$
key_groups:
- age:
- *user_desko_colin
- *user_lappy_colin
- *user_moby_colin
- *host_moby
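Review bot: `path_regex` is a regular expression, not a glob, so the first two creation rules (`secrets/universal*` and `secrets/servo*`) do not match what they appear to: the `*` only repeats the preceding `l`/`o`, and the patterns are unanchored, so `secrets/universa`, `secrets/servo-old.yaml` or any longer path containing those substrings is encrypted to whichever rule matches first. The per-host rules also leave the `.` in `desko.yaml$` and friends unescaped. If these are meant to select single files, anchor and escape them, for example `path_regex: secrets/servo\.yaml$`, so a mis-named secrets file cannot silently land in the wrong key group. Separately, the `secrets/servo*` group is decryptable by the `desko` and `lappy` user keys as well as `host_servo`, so a compromise of either workstation's user key exposes the server's secrets; worth confirming that is the intended trust boundary.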

21
TODO.md

@@ -1,21 +0,0 @@
# features/tweaks
- enable sshfs (deskto/lappy)
- set firefox default search engine
- iron out video drivers
# cleanup
- remove helpers from outputs section (use `let .. in`)
# speed up cross compiling
https://nixos.wiki/wiki/Cross_Compiling
https://nixos.wiki/wiki/NixOS_on_ARM
overlays = [{ ... }: {
nixpkgs.crossSystem.system = "aarch64-linux";
}];
# better secrets management? read:
- decrypted at activation time: https://github.com/Mic92/sops-nix
less promising:
- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
- git-crypt (https://github.com/bobbbay/dotfiles.git)
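Review bot: the "better secrets management" items at the bottom are resolved by this same change (sops-nix becomes a flake input and `.sops.yaml` is added), but the other entries (sshfs for desko/lappy, the Firefox default search engine, video drivers, the `let .. in` cleanup and the cross-compiling links) are deleted with no replacement visible in this diff; if they were deliberately dropped, say so in the commit message, otherwise move them to a file that is still tracked.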


@@ -1,25 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
# USEFUL COMMANDS:
# nix show-config
# nix eval --raw <expr> => print an expression. e.g. nixpkgs.raspberrypifw prints store path to the package
# nix-option ## query options -- including their SET VALUE; similar to search: https://search.nixos.org/options
# nixos-rebuild switch --upgrade ## pull changes from the nixos channel (e.g. security updates) and rebuild
{ config, pkgs, ... }:
{
# enable flake support.
# the real config root lives in flake.nix
nix = {
#package = pkgs.nixFlakes;
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
}
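Review bot: deleting this file removes the only place in the old tree that set `experimental-features = nix-command flakes` and `nix.package = pkgs.nixUnstable`, and nothing in this diff re-declares them; the commit list confirms the flakes command was in fact disabled by this move and had to be re-enabled later (faf0cf691c, "re-enable the nix command"), so the module that replaces this file should carry the `nix` block, and the header notes on `nix show-config`, `nix eval --raw` and `nixos-rebuild switch --upgrade` are also lost with nowhere else to live.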

141
flake.lock generated

@@ -1,5 +1,20 @@
{ {
"nodes": { "nodes": {
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -7,11 +22,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1654113405, "lastModified": 1667907331,
"narHash": "sha256-VpK+0QaWG2JRgB00lw77N9TjkE3ec0iMYIX1TzGpxa4=", "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "ac2287df5a2d6f0a44bbcbd11701dbbf6ec43675", "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -21,14 +36,29 @@
"type": "github" "type": "github"
} }
}, },
"impermanence": {
"locked": {
"lastModified": 1668668915,
"narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "5df9108b346f8a42021bf99e50de89c9caa251c3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"mobile-nixos": { "mobile-nixos": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1654281294, "lastModified": 1668897543,
"narHash": "sha256-hT2/u0jUOD4TFU6YyYt+5Gt+hjIeerLTyZG7ru79aDU=", "narHash": "sha256-1bjvy5zi/6KDzhN3ihOUEA6y5FFEOf5xvIbf65RWIh0=",
"owner": "nixos", "owner": "nixos",
"repo": "mobile-nixos", "repo": "mobile-nixos",
"rev": "d798b0b34240b18a08c22f5c0ee1f59a3ce43c01", "rev": "25eec596116553112681d72ee4880107fc3957fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -39,11 +69,42 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1654275867, "lastModified": 1668994630,
"narHash": "sha256-pt14ZE4jVPGvfB2NynGsl34pgXfOqum5YJNpDK4+b9E=", "narHash": "sha256-1lqx6HLyw6fMNX/hXrrETG1vMvZRGm2XVC9O/Jt0T6c=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7a20c208aacf4964c19186dcad51f89165dc7ed0", "rev": "af50806f7c6ab40df3e6b239099e8f8385f6c78b",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"nixpkgs-22_05": {
"locked": {
"lastModified": 1668908668,
"narHash": "sha256-oimCE4rY7Btuo/VYmA8khIyTHSMV7qUWTpz9w8yc9LQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b68a6a27adb452879ab66c0eaac0c133e32823b2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1668984258,
"narHash": "sha256-0gDMJ2T3qf58xgcSbYoXiRGUkPWmKyr5C3vcathWhKs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "cf63ade6f74bbc9d2a017290f1b2e33e8fbfa70a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -52,27 +113,57 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nurpkgs": {
"locked": {
"lastModified": 1654367137,
"narHash": "sha256-xufB/+qvk/7rh7qrwZbzru1kTu8nsmNWBNQkYbdS84Q=",
"owner": "nix-community",
"repo": "NUR",
"rev": "86ff2d098bce1d623232f4886027a1d61317b195",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "NUR",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence",
"mobile-nixos": "mobile-nixos", "mobile-nixos": "mobile-nixos",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nurpkgs": "nurpkgs" "nixpkgs-stable": "nixpkgs-stable",
"sops-nix": "sops-nix",
"uninsane": "uninsane"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {
"lastModified": 1668915833,
"narHash": "sha256-7VYPiDJZdGct8Nl3kKhg580XZfoRcViO+zUGPkfBsqM=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "f72e050c3ef148b1131a0d2df55385c045e4166b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"uninsane": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1666870107,
"narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
"ref": "refs/heads/master",
"rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
"revCount": 164,
"type": "git",
"url": "https://git.uninsane.org/colin/uninsane"
},
"original": {
"type": "git",
"url": "https://git.uninsane.org/colin/uninsane"
} }
} }
}, },
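Review bot: three separate nixpkgs trees are now locked (`nixpkgs` on `nixos-unstable`, `nixpkgs-stable` on 22.05, and `nixpkgs-22_05`, which exists only because `sops-nix` declares it as an input and the root never overrides it); that is three trees to keep current for security fixes, so consider `inputs.sops-nix.inputs.nixpkgs-22_05.follows = "nixpkgs-stable"` in flake.nix to collapse the third one. The new `uninsane` input is fetched as `git+https://git.uninsane.org/colin/uninsane` tracking `refs/heads/master`; it is pinned here by `rev` and `narHash`, so a change on that forge cannot alter a build until the next `nix flake update`, at which point the unsigned master head is taken as-is.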

193
flake.nix

@@ -1,11 +1,11 @@
# docs: # docs:
# https://nixos.wiki/wiki/Flakes # - <https://nixos.wiki/wiki/Flakes>
# https://serokell.io/blog/practical-nix-flakes # - <https://serokell.io/blog/practical-nix-flakes>
{ {
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-22.05"; nixpkgs-stable.url = "nixpkgs/nixos-22.05";
# pkgs-telegram.url = "nixpkgs/33775ec9a2173a08e46edf9f46c9febadbf743e8";# 2022/04/18; telegram 3.7.3. fails: nix log /nix/store/y5kv47hnv55qknb6cnmpcyraicay79fx-telegram-desktop-3.7.3.drv: g++: fatal error: cannot execute '/nix/store/njk5sbd21305bhr7gwibxbbvgbx5lxvn-gcc-9.3.0/libexec/gcc/aarch64-unknown-linux-gnu/9.3.0/cc1plus': execv: No such file or directory nixpkgs.url = "nixpkgs/nixos-unstable";
mobile-nixos = { mobile-nixos = {
url = "github:nixos/mobile-nixos"; url = "github:nixos/mobile-nixos";
flake = false; flake = false;
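Review bot: `nixpkgs` moves from `nixos-22.05` to `nixos-unstable` while `nixpkgs-stable` keeps 22.05, but the `home-manager` input in the next hunk still points at `release-22.05` with `inputs.nixpkgs.follows = "nixpkgs"`, so the 22.05 home-manager branch will now be evaluated against an unstable nixpkgs; either have it follow `nixpkgs-stable` or move it to the branch that matches the nixpkgs it consumes, and state the choice in the commit message. Removing the dead `pkgs-telegram` comment is fine.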
@@ -14,100 +14,107 @@
url = "github:nix-community/home-manager/release-22.05"; url = "github:nix-community/home-manager/release-22.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nurpkgs.url = "github:nix-community/NUR"; sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence.url = "github:nix-community/impermanence";
uninsane = {
url = "git+https://git.uninsane.org/colin/uninsane";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs }: { outputs = {
machines.uninsane = self.decl-bootable-machine { name = "uninsane"; system = "aarch64-linux"; }; self,
machines.desko = self.decl-bootable-machine { name = "desko"; system = "x86_64-linux"; }; nixpkgs,
machines.lappy = self.decl-bootable-machine { name = "lappy"; system = "x86_64-linux"; }; nixpkgs-stable,
mobile-nixos,
machines.moby = home-manager,
let machine = self.decl-machine { sops-nix,
name = "moby"; impermanence,
system = "aarch64-linux"; uninsane
extraModules = [ }: let
(import "${mobile-nixos}/lib/configuration.nix" { patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
device = "pine64-pinephone"; name = "nixpkgs-patched-uninsane";
}) src = nixpkgs;
]; patches = import ./nixpatches/list.nix nixpkgs.legacyPackages.${system}.fetchpatch;
}; };
in { # return something which behaves like `pkgs`, for the provided system
nixosConfiguration = machine; # `local` = architecture of builder. `target` = architecture of the system beying deployed to
img = machine.config.mobile.outputs.u-boot.disk-image; nixpkgsFor = local: target: import (patchedPkgs target) { crossSystem = target; localSystem = local; };
}; # evaluate ONLY our overlay, for the provided system
customPackagesFor = local: target: import ./pkgs/overlay.nix (nixpkgsFor local target) (nixpkgsFor local target);
nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) self.machines; decl-host = { name, local, target }:
imgs = builtins.mapAttrs (name: value: value.img) self.machines; let
nixosSystem = import ((patchedPkgs target) + "/nixos/lib/eval-config.nix");
decl-machine = { name, system, extraModules ? [], basePkgs ? nixpkgs }: let in (nixosSystem {
patchedPkgs = basePkgs.legacyPackages.${system}.applyPatches { # by default the local system is the same as the target, employing emulation when they differ
name = "nixpkgs-patched-uninsane"; system = target;
src = basePkgs; specialArgs = { inherit mobile-nixos home-manager impermanence; };
patches = [ modules = [
# for mobile: allow phoc to scale to non-integer values ./modules
./nixpatches/01-phosh-float-scale.patch (import ./hosts/instantiate.nix name)
# for raspberry pi: allow building u-boot for rpi 4{,00} home-manager.nixosModule
./nixpatches/02-rpi4-uboot.patch impermanence.nixosModule
./nixpatches/03-whalebird-4.6.0.patch sops-nix.nixosModules.sops
]; {
}; nixpkgs.overlays = [
nixosSystem = import (patchedPkgs + "/nixos/lib/eval-config.nix"); (import "${mobile-nixos}/overlay/overlay.nix")
in (nixosSystem { uninsane.overlay
inherit system; (import ./pkgs/overlay.nix)
specialArgs = { inherit home-manager; inherit nurpkgs; secrets = import ./secrets/default.nix; }; (next: prev: rec {
modules = [ # non-emulated packages build *from* local *for* target.
./configuration.nix # for large packages like the linux kernel which are expensive to build under emulation,
./machines/${name} # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
(import ./helpers/set-hostname.nix name) cross = (nixpkgsFor local target) // (customPackagesFor local target);
(self.overlaysModule system) stable = import nixpkgs-stable { system = target; };
] ++ extraModules; # cross-compatible packages
# gocryptfs = cross.gocryptfs;
})
];
}
];
}); });
# this produces a EFI-bootable .img file (GPT with / and /boot). decl-bootable-host = { name, local, target }: rec {
# after building this, steps are: nixosConfiguration = decl-host { inherit name local target; };
# run `btrfs-convert --uuid copy <device>` # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
# boot, checkout this flake into /etc/nixos AND UPDATE THE UUIDS IT REFERENCES. # after building this:
# then `nixos-rebuild ...` # - flash it to a bootable medium (SD card, flash drive, HDD)
decl-img = { name, system, extraModules ? [] }: ( # - resize the root partition (use cfdisk)
(self.decl-machine { inherit name; inherit system; extraModules = extraModules ++ [./image.nix]; }) # - mount the part
.config.system.build.raw # - chown root:nixbld <part>/nix/store
); # - chown root:root -R <part>/nix/store/*
# - chown root:root -R <part>/persist # if using impermanence
decl-bootable-machine = { name, system }: { # - populate any important things (persist/, home/colin/.ssh, etc)
nixosConfiguration = self.decl-machine { inherit name; inherit system; }; # - boot
img = self.decl-img { inherit name; inherit system; }; # - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
# - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
# - `nixos-rebuild --flake './#<host>' switch`
img = nixosConfiguration.config.system.build.img;
}; };
hosts.servo = decl-bootable-host { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
overlaysModule = system: { config, pkgs, ...}: { hosts.desko = decl-bootable-host { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
nixpkgs.config.allowUnfree = true; hosts.lappy = decl-bootable-host { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
hosts.moby = decl-bootable-host { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
nixpkgs.overlays = [ # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
#mobile-nixos.overlay # note that these *do* produce different store paths, because the closure for the tools used to cross compile
nurpkgs.overlay # v.s. emulate differ.
(next: prev: { # so deploying foo-cross and then foo incurs some rebuilding.
#### customized packages hosts.moby-cross = decl-bootable-host { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
# nixos-unstable pleroma is too far out-of-date for our db hosts.rescue = decl-bootable-host { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
pleroma = prev.callPackage ./pkgs/pleroma { }; in {
# jackett doesn't allow customization of the bind address: this will probably always be here. nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) hosts;
jackett = next.callPackage ./pkgs/jackett { pkgs = prev; }; imgs = builtins.mapAttrs (name: value: value.img) hosts;
# fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package. packages = let
# systemd = import ./pkgs/systemd { pkgs = prev; }; allPkgsFor = sys: (customPackagesFor sys sys) // {
nixpkgs = nixpkgsFor sys sys;
# patch rpi uboot with something that fixes USB HDD boot uninsane = uninsane.packages."${sys}";
ubootRaspberryPi4_64bit = next.callPackage ./pkgs/ubootRaspberryPi4_64bit { pkgs = prev; }; };
in {
#### TEMPORARY NIXOS-UNSTABLE PACKAGES x86_64-linux = allPkgsFor "x86_64-linux";
aarch64-linux = allPkgsFor "aarch64-linux";
# stable telegram doesn't build, so explicitly use the stable one.
# TODO: apply this specifically to the moby build?
# tdesktop = pkgs-telegram.legacyPackages.${system}.tdesktop;
tdesktop = nixpkgs.legacyPackages.${system}.tdesktop;
#### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
whalebird = prev.callPackage ./pkgs/whalebird { };
})
];
}; };
}; };
} }
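Review bot: the replaced `overlaysModule` set `nixpkgs.config.allowUnfree = true`, and the new `decl-host` module list does not; unless `./modules` re-declares it, every unfree package that previously evaluated will now fail. Two smaller points in the same hunk: `stable = import nixpkgs-stable { system = target; }` and `cross = (nixpkgsFor local target) // ...` instantiate extra nixpkgs trees without the host's overlays or `config`, so packages pulled from `pkgs.stable`/`pkgs.cross` will not see the patched nixpkgs or any `allowUnfree` either, which is worth a comment next to `# cross-compatible packages`; and `patches = import ./nixpatches/list.nix nixpkgs.legacyPackages.${system}.fetchpatch` means every host evaluation depends on fixed-output hashes for each patch (cf. the later "nix patches: fix hashes" commit). Typo in the new comment: "beying" should be "being".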


@@ -1,13 +0,0 @@
{ config, pkgs, lib, ... }:
{
# start gnome/gdm on boot
services.xserver.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.gdm.enable = true;
# gnome does networking stuff with networkmanager
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
}


@@ -1,16 +0,0 @@
{ pkgs, ... }:
{
environment.pathsToLink = [ "/libexec" ]; # patch for i3blocks to work
services.xserver.enable = true;
services.xserver.displayManager.defaultSession = "none+i3";
services.xserver.windowManager.i3 = {
enable = true;
extraPackages = with pkgs; [
dmenu
i3status
i3lock
i3blocks
];
};
}


@@ -1,21 +0,0 @@
{ ... }:
{
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
services.xserver.desktopManager.phosh = {
enable = true;
user = "colin";
group = "users";
phocConfig = {
xwayland = "true";
# find default outputs by catting /etc/phosh/phoc.ini
outputs.DSI-1 = {
scale = 1.5;
};
};
};
environment.variables = {
# Qt apps won't always start unless this env var is set
QT_QPA_PLATFORM = "wayland";
};
}


@@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
{
# start plasma-mobile on boot
services.xserver.enable = true;
services.xserver.desktopManager.plasma5.mobile.enable = true;
services.xserver.desktopManager.plasma5.mobile.installRecommendedSoftware = false; # not all plasma5-mobile packages build for aarch64
services.xserver.displayManager.sddm.enable = true;
# Plasma does networking stuff with networkmanager, but nix configures the defaults itself
# networking.useDHCP = false;
# networking.networkmanager.enable = true;
# networking.wireless.enable = lib.mkForce false;
}


@@ -1,31 +0,0 @@
{ pkgs, ... }:
# docs: https://nixos.wiki/wiki/Sway
{
programs.sway = {
# we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
enable = true;
};
# TODO: should be able to use SDDM to get interactive login
services.greetd = {
enable = true;
settings = rec {
initial_session = {
command = "${pkgs.sway}/bin/sway";
user = "colin";
};
default_session = initial_session;
};
};
# unlike other DEs, sway configures no audio stack
# administer with pw-cli, pw-mon, pw-top commands
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true; # ??
pulse.enable = true;
};
}
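Review bot: the removed greetd block starts sway directly as `colin` through `initial_session` and sets `default_session = initial_session`, so no credential is ever asked at the console; the commit list says this file was ported to the module system (d28738eb0e) rather than dropped, so the autologin presumably survives. The `# TODO: should be able to use SDDM to get interactive login` comment shows this is known, but now that `lappy` is switched to sway (fa7a2186ca) a laptop that logs in on power-up is the case that matters, so make the autologin a per-host option rather than part of the shared sway module.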


@@ -1,65 +0,0 @@
{ config, pkgs, lib, ... }:
{
boot.initrd.availableKernelModules = [
"xhci_pci" "ahci" "sd_mod" "sdhci_pci" # nixos-generate-config defaults
"usb_storage" # rpi needed this to boot from usb storage, i think.
# "usbhid" "hid-generic" # hopefully these will fix USB HID auto-sleep ?
];
boot.initrd.kernelModules = [ ];
boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
# find more of these with sensors-detect
boot.kernelModules = [
"coretemp"
"kvm-intel"
"kvm-amd" # desktop
"amdgpu" # desktop
];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "boot.shell_on_fail" ];
boot.consoleLogLevel = 7;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 40; # keep this many generations
boot.loader.efi.canTouchEfiVariables = true;
# enable cross compilation
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# nixpkgs.crossSystem.system = "aarch64-linux";
powerManagement.cpuFreqGovernor = "powersave";
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true; # desktop
hardware.cpu.intel.updateMicrocode = true; # laptop
services.fwupd.enable = true;
# powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
powerManagement.powertop.enable = false;
hardware.opengl.extraPackages = [
# laptop
pkgs.intel-compute-runtime
pkgs.intel-media-driver # new
pkgs.libvdpau-va-gl # new
pkgs.vaapiIntel
# desktop
pkgs.rocm-opencl-icd
pkgs.rocm-opencl-runtime
];
hardware.opengl.driSupport = true;
# For 32 bit applications
hardware.opengl.driSupport32Bit = true;
# TODO colin: does this *do* anything?
swapDevices = [ ];
# services.snapper.configs = {
# root = {
# subvolume = "/";
# extraConfig = {
# ALLOW_USERS = "colin";
# };
# };
# };
# services.snapper.snapshotInterval = "daily";
}
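Review bot: `boot.kernelParams = [ "boot.shell_on_fail" ]` hands anyone at the console an unauthenticated root shell in the initrd whenever stage 1 fails (a missing disk is enough), and `boot.consoleLogLevel = 7` prints everything during boot; with this file ported to `modules/` (d33d5a4582), confirm whether those debugging settings were carried over for the always-on `servo` and `desko` hosts or limited to the `rescue` host that flake.nix now declares. Note also that `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` is still required for the non-cross `moby` build on x86; only the new `hosts.moby-cross` path avoids emulation.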


@@ -1,531 +0,0 @@
# docs:
# https://rycee.gitlab.io/home-manager/
# https://rycee.gitlab.io/home-manager/options.html
# man home-configuration.nix
#
# system is e.g. x86_64-linux
# gui is "gnome", or null
{ lib, pkgs, system, gui, extraPackages ? [] }: {
home.stateVersion = "21.11";
home.username = "colin";
home.homeDirectory = "/home/colin";
programs.home-manager.enable = true; # this lets home-manager manage dot-files in user dirs, i think
# XDG defines things like ~/Desktop, ~/Downloads, etc.
# these clutter the home, so i mostly don't use them.
xdg.userDirs = {
enable = true;
createDirectories = false; # on headless systems, most xdg dirs are noise
desktop = "$HOME/.xdg/Desktop";
documents = "$HOME/src";
download = "$HOME/tmp";
music = "$HOME/Music";
pictures = "$HOME/Pictures";
publicShare = "$HOME/.xdg/Public";
templates = "$HOME/.xdg/Templates";
videos = "$HOME/Videos";
};
programs.zsh = {
enable = true;
enableSyntaxHighlighting = true;
enableVteIntegration = true;
dotDir = ".config/zsh";
initExtraBeforeCompInit = ''
# p10k instant prompt
# run p10k configure to configure, but it can't write out its file :-(
POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
'';
# prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
# see: https://github.com/sorin-ionescu/prezto
prezto = {
enable = true;
pmodules = [
"environment"
"terminal"
"editor"
"history"
"directory"
"spectrum"
"utility"
"completion"
"prompt"
"git"
];
prompt = {
theme = "powerlevel10k";
};
};
};
programs.kitty.enable = true;
programs.git = {
enable = true;
userName = "colin";
userEmail = "colin@uninsane.org";
};
programs.vim = {
enable = true;
extraConfig = ''
" wtf vim project: NOBODY LIKES MOUSE FOR VISUAL MODE
set mouse-=a
" copy/paste to system clipboard
set clipboard=unnamedplus
" <tab> completion menu settings
set wildmenu
set wildmode=longest,list,full
" highlight all matching searches (using / and ?)
set hlsearch
" allow backspace to delete empty lines in insert mode
set backspace=indent,eol,start
" built-in syntax highlighting
syntax enable
" show line/col number in bottom right
set ruler
" highlight trailing space & related syntax errors (does this work?)
let c_space_errors=1
let python_space_errors=1
'';
};
# obtain these by running `dconf dump /` after manually customizing gnome
# TODO: fix "is not of type `GVariant value'"
# dconf.settings = lib.mkIf (gui == "gnome") {
# gnome = {
# # control alt-tab behavior
# "org/gnome/desktop/wm/keybindings" = {
# switch-applications = [ "<Super>Tab" ];
# switch-applications-backward=[];
# switch-windows=["<Alt>Tab"];
# switch-windows-backward=["<Super><Alt>Tab"];
# };
# # idle power savings
# "org/gnome/settings-deamon/plugins/power" = {
# idle-brigthness = 50;
# sleep-inactive-ac-type = "nothing";
# sleep-inactive-battery-timeout = 5400; # seconds
# };
# "org/gnome/shell" = {
# favorite-apps = [
# "org.gnome.Nautilus.desktop"
# "firefox.desktop"
# "kitty.desktop"
# # "org.gnome.Terminal.desktop"
# ];
# };
# "org/gnome/desktop/session" = {
# # how long until considering a session idle (triggers e.g. screen blanking)
# idle-delay = 900;
# };
# "org/gnome/desktop/interface" = {
# text-scaling-factor = 1.25;
# };
# "org/gnome/desktop/media-handling" = {
# # don't auto-mount inserted media
# automount = false;
# automount-open = false;
# };
# };
# };
# home.pointerCursor = {
# package = pkgs.vanilla-dmz;
# name = "Vanilla-DMZ";
# };
# taken from https://github.com/srid/nix-config/blob/705a70c094da53aa50cf560179b973529617eb31/nix/home/i3.nix
xsession.windowManager.i3 = lib.mkIf (gui == "i3") (
let
mod = "Mod4";
in {
enable = true;
config = {
modifier = mod;
fonts = {
names = [ "DejaVu Sans Mono" ];
style = "Bold Semi-Condensed";
size = 11.0;
};
# terminal = "kitty";
# terminal = "${pkgs.kitty}/bin/kitty";
keybindings = {
"${mod}+Return" = "exec ${pkgs.kitty}/bin/kitty";
"${mod}+p" = "exec ${pkgs.dmenu}/bin/dmenu_run";
"${mod}+x" = "exec sh -c '${pkgs.maim}/bin/maim -s | xclip -selection clipboard -t image/png'";
"${mod}+Shift+x" = "exec sh -c '${pkgs.i3lock}/bin/i3lock -c 222222 & sleep 5 && xset dpms force of'";
# Focus
"${mod}+j" = "focus left";
"${mod}+k" = "focus down";
"${mod}+l" = "focus up";
"${mod}+semicolon" = "focus right";
# Move
"${mod}+Shift+j" = "move left";
"${mod}+Shift+k" = "move down";
"${mod}+Shift+l" = "move up";
"${mod}+Shift+semicolon" = "move right";
# multi monitor setup
# "${mod}+m" = "move workspace to output DP-2";
# "${mod}+Shift+m" = "move workspace to output DP-5";
};
# bars = [
# {
# position = "bottom";
# statusCommand = "${pkgs.i3status-rust}/bin/i3status-rs ${./i3status-rust.toml}";
# }
# ];
};
});
wayland.windowManager.sway = lib.mkIf (gui == "sway") {
enable = true;
wrapperFeatures.gtk = true;
config = rec {
terminal = "${pkgs.kitty}/bin/kitty";
window.border = 3; # pixel boundary between windows
# defaults; required for keybindings decl.
modifier = "Mod1";
# list of launchers: https://www.reddit.com/r/swaywm/comments/v39hxa/your_favorite_launcher/
# menu = "${pkgs.dmenu}/bin/dmenu_path";
menu = "${pkgs.fuzzel}/bin/fuzzel";
# menu = "${pkgs.albert}/bin/albert";
left = "h";
down = "j";
up = "k";
right = "l";
keybindings = {
"${modifier}+Return" = "exec ${terminal}";
"${modifier}+Shift+q" = "kill";
"${modifier}+d" = "exec ${menu}";
"${modifier}+${left}" = "focus left";
"${modifier}+${down}" = "focus down";
"${modifier}+${up}" = "focus up";
"${modifier}+${right}" = "focus right";
"${modifier}+Left" = "focus left";
"${modifier}+Down" = "focus down";
"${modifier}+Up" = "focus up";
"${modifier}+Right" = "focus right";
"${modifier}+Shift+${left}" = "move left";
"${modifier}+Shift+${down}" = "move down";
"${modifier}+Shift+${up}" = "move up";
"${modifier}+Shift+${right}" = "move right";
"${modifier}+Shift+Left" = "move left";
"${modifier}+Shift+Down" = "move down";
"${modifier}+Shift+Up" = "move up";
"${modifier}+Shift+Right" = "move right";
"${modifier}+b" = "splith";
"${modifier}+v" = "splitv";
"${modifier}+f" = "fullscreen toggle";
"${modifier}+a" = "focus parent";
"${modifier}+s" = "layout stacking";
"${modifier}+w" = "layout tabbed";
"${modifier}+e" = "layout toggle split";
"${modifier}+Shift+space" = "floating toggle";
"${modifier}+space" = "focus mode_toggle";
"${modifier}+1" = "workspace number 1";
"${modifier}+2" = "workspace number 2";
"${modifier}+3" = "workspace number 3";
"${modifier}+4" = "workspace number 4";
"${modifier}+5" = "workspace number 5";
"${modifier}+6" = "workspace number 6";
"${modifier}+7" = "workspace number 7";
"${modifier}+8" = "workspace number 8";
"${modifier}+9" = "workspace number 9";
"${modifier}+Shift+1" =
"move container to workspace number 1";
"${modifier}+Shift+2" =
"move container to workspace number 2";
"${modifier}+Shift+3" =
"move container to workspace number 3";
"${modifier}+Shift+4" =
"move container to workspace number 4";
"${modifier}+Shift+5" =
"move container to workspace number 5";
"${modifier}+Shift+6" =
"move container to workspace number 6";
"${modifier}+Shift+7" =
"move container to workspace number 7";
"${modifier}+Shift+8" =
"move container to workspace number 8";
"${modifier}+Shift+9" =
"move container to workspace number 9";
"${modifier}+Shift+minus" = "move scratchpad";
"${modifier}+minus" = "scratchpad show";
"${modifier}+Shift+c" = "reload";
"${modifier}+Shift+e" =
"exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
"${modifier}+r" = "mode resize";
} // {
# media keys
XF86MonBrightnessDown = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set 2%-"'';
XF86MonBrightnessUp = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set +2%"'';
XF86AudioRaiseVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
XF86AudioLowerVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
XF86AudioMute = "exec '${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute'";
};
# mostly defaults:
bars = [{
mode = "dock";
hiddenState = "hide";
position = "top";
command = "${pkgs.waybar}/bin/waybar";
workspaceButtons = true;
workspaceNumbers = true;
statusCommand = "${pkgs.i3status}/bin/i3status";
fonts = {
names = [ "monospace" ];
size = 8.0;
};
trayOutput = "primary";
colors = {
background = "#000000";
statusline = "#ffffff";
separator = "#666666";
focusedWorkspace = {
border = "#4c7899";
background = "#285577";
text = "#ffffff";
};
activeWorkspace = {
border = "#333333";
background = "#5f676a";
text = "#ffffff";
};
inactiveWorkspace = {
border = "#333333";
background = "#222222";
text = "#888888";
};
urgentWorkspace = {
border = "#2f343a";
background = "#900000";
text = "#ffffff";
};
bindingMode = {
border = "#2f343a";
background = "#900000";
text = "#ffffff";
};
};
}];
};
};
programs.waybar = lib.mkIf (gui == "sway") {
enable = true;
# docs: https://github.com/Alexays/Waybar/wiki/Configuration
settings = {
mainBar = {
layer = "top";
height = 40;
modules-left = ["sway/workspaces" "sway/mode"];
modules-center = ["sway/window"];
modules-right = ["custom/mediaplayer" "clock" "cpu" "network"];
"sway/window" = {
max-length = 50;
};
# include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
"custom/mediaplayer" = {
exec = pkgs.writeShellScript "waybar-mediaplayer" ''
player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
if [ "$player_status" = "Playing" ]; then
echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
elif [ "$player_status" = "Paused" ]; then
echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
fi
'';
interval = 2;
format = "{} ";
# return-type = "json";
on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
};
network = {
interval = 1;
format-ethernet = "{ifname}: {ipaddr}/{cidr} up: {bandwidthUpBits} down: {bandwidthDownBits}";
};
cpu = {
format = "{usage}% ";
tooltip = false;
};
clock = {
format-alt = "{:%a, %d. %b %H:%M}";
};
};
};
# style = ''
# * {
# border: none;
# border-radius: 0;
# font-family: Source Code Pro;
# }
# window#waybar {
# background: #16191C;
# color: #AAB2BF;
# }
# #workspaces button {
# padding: 0 5px;
# }
# .custom-spotify {
# padding: 0 10px;
# margin: 0 4px;
# background-color: #1DB954;
# color: black;
# }
# '';
};
programs.firefox = lib.mkIf (gui != null) {
enable = true;
profiles.default = {
bookmarks = {
fed_uninsane.url = "https://fed.uninsane.org/";
delightful.url = "https://delightful.club/";
crowdsupply.url = "https://www.crowdsupply.com/";
linux_phone_apps.url = "https://linuxphoneapps.org/mobile-compatibility/5/";
mempool.url = "https://jochen-hoenicke.de/queue";
};
};
# firefox profile support seems to be broken :shrug:
# profiles.other = {
# id = 2;
# };
# NB: these must be manually enabled in the Firefox settings on first start
# extensions can be found here: https://gitlab.com/rycee/nur-expressions/-/blob/master/pkgs/firefox-addons/addons.json
extensions = [
pkgs.nur.repos.rycee.firefox-addons.bypass-paywalls-clean
pkgs.nur.repos.rycee.firefox-addons.metamask
pkgs.nur.repos.rycee.firefox-addons.i-dont-care-about-cookies
pkgs.nur.repos.rycee.firefox-addons.sidebery
pkgs.nur.repos.rycee.firefox-addons.sponsorblock
pkgs.nur.repos.rycee.firefox-addons.ublock-origin
];
};
home.shellAliases = {
":q" = "exit";
# common typos
"cd.." = "cd ..";
"cd../" = "cd ../";
};
home.packages = [
pkgs.btrfs-progs
pkgs.dig
pkgs.cryptsetup
pkgs.duplicity
pkgs.fatresize
pkgs.fd
pkgs.file
pkgs.gnumake
pkgs.gptfdisk
pkgs.hdparm
pkgs.htop
pkgs.iftop
pkgs.inetutils # for telnet
pkgs.iotop
pkgs.iptables
pkgs.jq
pkgs.killall
pkgs.lm_sensors # for sensors-detect
pkgs.lsof
pkgs.mix2nix
pkgs.netcat
pkgs.nixpkgs-review
pkgs.nixUnstable # TODO: still needed on 22.05?
# pkgs.nixos-generators
# pkgs.nettools
pkgs.nmap
pkgs.obsidian
pkgs.parted
pkgs.pciutils
# pkgs.ponymix
pkgs.powertop
pkgs.pulsemixer
pkgs.python3
pkgs.ripgrep
pkgs.smartmontools
pkgs.snapper
pkgs.socat
pkgs.sudo
pkgs.usbutils
pkgs.wget
pkgs.wireguard-tools
pkgs.youtube-dl
pkgs.zola
]
++ (if gui != null then
[
# GUI only
pkgs.chromium
pkgs.clinfo
pkgs.element-desktop # broken on phosh
pkgs.evince # works on phosh
pkgs.font-manager
pkgs.gimp # broken on phosh
pkgs.gnome.dconf-editor
pkgs.gnome.file-roller
pkgs.gnome.gnome-maps # works on phosh
pkgs.gnome.nautilus
pkgs.gnome-podcasts
pkgs.gnome.gnome-terminal # works on phosh
pkgs.inkscape
pkgs.libreoffice-fresh # XXX colin: maybe don't want this on mobile
pkgs.mesa-demos
pkgs.playerctl
pkgs.tdesktop # broken on phosh
pkgs.vlc # works on phosh
pkgs.whalebird # pleroma client. TODO: port kaiteki to nix: https://craftplacer.moe/projects/kaiteki/
pkgs.xterm # broken on phosh
] else [])
++ (if gui == "sway" then
[
# TODO: move this to helpers/gui/sway.nix?
pkgs.swaylock
pkgs.swayidle
pkgs.wl-clipboard
pkgs.mako # notification daemon
# pkgs.dmenu # todo: use wofi?
# user stuff
# pkgs.pavucontrol
] else [])
++ (if gui != null && system == "x86_64-linux" then
[
# x86_64 only
pkgs.signal-desktop
pkgs.spotify
pkgs.discord
] else [])
++ extraPackages;
}
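Review bot: the `${mod}+Shift+x` lock binding runs `xset dpms force of`, a typo for `off`; xset rejects the argument, so i3lock starts but the display is never blanked. While in this block: `xclip` in the `${mod}+x` screenshot binding is resolved from PATH while `maim` is pinned via `${pkgs.maim}`, so pin both or neither. Further down, `pkgs.sudo` in `home.packages` installs a non-setuid sudo into the user profile; it cannot escalate and is shadowed by `/run/wrappers/bin/sudo` anyway, so drop it. The commented-out `dconf.settings` block also spells `org/gnome/settings-deamon` and `idle-brigthness` wrong (`settings-daemon`, `idle-brightness`); GNOME will ignore those keys once the block is re-enabled.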

@@ -1,4 +0,0 @@
hostName: { ... }:
{
networking.hostName = hostName;
}

@@ -1,17 +0,0 @@
{ ... }:
{
imports = [
./fs.nix
./home-manager.nix
./nix-cache.nix
./users.nix
];
time.timeZone = "America/Los_Angeles";
environment.variables = {
EDITOR = "vim";
};
}

@@ -1,25 +0,0 @@
{ pkgs, ... }:
{
fileSystems."/mnt/media-uninsane" = {
# device = "sshfs#colin@uninsane.org:/opt/uninsane/media";
device = "colin@uninsane.org:/opt/uninsane/media";
fsType = "fuse.sshfs";
options = [
"x-systemd.automount"
"_netdev"
"user"
"idmap=user"
"transform_symlinks"
"identityfile=/home/colin/.ssh/id_ed25519"
"allow_other"
"default_permissions"
"uid=1000"
"gid=1000"
];
};
environment.systemPackages = [
pkgs.sshfs-fuse
];
}

@@ -1,9 +0,0 @@
{ home-manager, config, pkgs, ... }:
{
imports = [
home-manager.nixosModule
];
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}

@@ -1,16 +0,0 @@
{ ... }:
{
# use our own binary cache
nix.settings = {
substituters = [
"https://nixcache.uninsane.org"
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
];
trusted-public-keys = [
"nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
}

@@ -1,53 +0,0 @@
{ config, pkgs, lib, ... }:
# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
{
# Users are exactly these specified here;
# old ones will be deleted (from /etc/passwd, etc) upon upgrade.
users.mutableUsers = false;
# docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
users.users.colin = {
# sets group to "users" (?)
isNormalUser = true;
home = "/home/colin";
uid = 1000;
# XXX colin: this is what the installer has, but is it necessary?
# group = "users";
extraGroups = [
"wheel"
"nixbuild"
"networkmanager"
# phosh/mobile. XXX colin: unsure if necessary
"video"
"feedbackd"
"dialout" # required for modem access
];
initialPassword = lib.mkDefault "";
shell = pkgs.zsh;
# shell = pkgs.bashInteractive;
# XXX colin: create ssh key for THIS user by logging in and running:
# ssh-keygen -t ed25519
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGSDe/y0e9PSeUwYlMPjzhW0UhNsGAGsW3lCG3apxrD5 colin@colin.desktop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+MZ/l5d8g5hbxMB9ed1uyvhV85jwNrSVNVxb5ujQjw colin@lappy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
# TODO: should probably only let this authenticate to my server
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCLCA9KbjXaXNNMJJvqbPO5KQQ64JCdG8sg88AfdKzi colin@moby"
];
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
services.openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
};
# TODO colin: move this somewhere else!
programs.vim.defaultEditor = true;
}

hosts/common/default.nix Normal file
@@ -0,0 +1,74 @@
{ pkgs, ... }:
{
imports = [
./fs.nix
./hardware
./machine-id.nix
./net.nix
./secrets.nix
./ssh.nix
./users.nix
./vpn.nix
];
sane.home-manager.enable = true;
sane.nixcache.enable-trusted-keys = true;
sane.packages.enableConsolePkgs = true;
sane.packages.enableSystemPkgs = true;
nixpkgs.config.allowUnfree = true;
# time.timeZone = "America/Los_Angeles";
time.timeZone = "Etc/UTC"; # DST is too confusing for me => use a stable timezone
# allow `nix flake ...` command
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
# TODO: move this into home-manager?
fonts = {
enableDefaultFonts = true;
fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
fontconfig.enable = true;
fontconfig.defaultFonts = {
emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
monospace = [ "Hack" ];
serif = [ "DejaVu Serif" ];
sansSerif = [ "DejaVu Sans" ];
};
};
# disable non-required packages like nano, perl, rsync, strace
environment.defaultPackages = [];
# programs.vim.defaultEditor = true;
environment.variables = {
EDITOR = "vim";
# git claims it should use EDITOR, but it doesn't!
GIT_EDITOR = "vim";
# TODO: these should be moved to `home.sessionVariables` (home-manager)
# Electron apps should use native wayland backend:
# https://nixos.wiki/wiki/Slack#Wayland
# Discord under sway crashes with this.
# NIXOS_OZONE_WL = "1";
# LIBGL_ALWAYS_SOFTWARE = "1";
};
# enable zsh completions
environment.pathsToLink = [ "/share/zsh" ];
environment.systemPackages = with pkgs; [
# required for pam_mount
gocryptfs
];
# link debug symbols into /run/current-system/sw/lib/debug
# hopefully picked up by gdb automatically?
environment.enableDebugInfo = true;
security.pam.mount.enable = true;
# security.pam.mount.debugLevel = 1;
# security.pam.enableSSHAgentAuth = true; # ??
# needed for `allow_other` in e.g. gocryptfs mounts
# or i guess going through mount.fuse sets suid so that's not necessary?
# programs.fuse.userAllowOther = true;
}
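Review bot: the trailing comment leaves `programs.fuse.userAllowOther` as an open question with two `?`s; settle it before merging. That option only adds `user_allow_other` to /etc/fuse.conf, which the setuid `fusermount3` consults when an unprivileged user passes `allow_other`. Neither mount in this change hits that path today: pam_mount performs the gocryptfs mount as root during PAM session setup, and the sshfs entries in fs.nix are triggered by `x-systemd.automount`, i.e. mounted by systemd as root. It only becomes necessary if colin mounts one of those fstab entries by hand through the `user` option. Whatever the decision, record it in the comment, including that `allow_other` deliberately exposes the decrypted `~/private` tree to other uids (root included) and that permission enforcement then rests on mode-bit checks (sshfs gets those from `default_permissions`; confirm gocryptfs applies the same with `allow_other`).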

hosts/common/fs.nix Normal file
@@ -0,0 +1,74 @@
{ pkgs, ... }:
let sshOpts = rec {
fsType = "fuse.sshfs";
optionsBase = [
"x-systemd.automount"
"_netdev"
"user"
"identityfile=/home/colin/.ssh/id_ed25519"
"allow_other"
"default_permissions"
];
optionsColin = optionsBase ++ [
"transform_symlinks"
"idmap=user"
"uid=1000"
"gid=100"
];
optionsRoot = optionsBase ++ [
# we don't transform_symlinks because that breaks the validity of remote /nix stores
"sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
];
};
in
{
environment.pathsToLink = [
# needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
# we can only link whole directories here, even though we're only interested in pkgs.openssh
"/libexec"
];
fileSystems."/mnt/servo-media-wan" = {
device = "colin@uninsane.org:/var/lib/uninsane/media";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
noCheck = true;
};
fileSystems."/mnt/servo-media-lan" = {
device = "colin@servo:/var/lib/uninsane/media";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
noCheck = true;
};
fileSystems."/mnt/servo-root-wan" = {
device = "colin@uninsane.org:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
noCheck = true;
};
fileSystems."/mnt/servo-root-lan" = {
device = "colin@servo:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
noCheck = true;
};
fileSystems."/mnt/desko-home" = {
device = "colin@desko:/home/colin";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
noCheck = true;
};
fileSystems."/mnt/desko-root" = {
device = "colin@desko:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
noCheck = true;
};
environment.systemPackages = [
pkgs.sshfs-fuse
];
}
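Review bot: `optionsRoot` makes colin's SSH key root on every other host. `sftp_server=/run/wrappers/bin/sudo /run/current-system/sw/libexec/sftp-server` runs the remote sftp-server as root, which only works because users.nix sets `wheelNeedsPassword = false`, and the resulting mounts are full remote `/` trees with `allow_other`. Compromise of any one colin session, or of the unencrypted `id_ed25519` named in `identityfile=`, therefore yields root read/write on servo and desko. If that is the intended trust model, say so in the comment; otherwise bound it on the remote side, e.g. a sudoers rule limited to `sftp-server -R` (read-only) or an `authorized_keys` entry with `restrict,command=...` for the key these mounts use. Also, `uid=1000` and `gid=100` are hard-coded here while users.nix takes the uid from `config.sane.allocations.colin-uid`; reference the same value so the two cannot drift.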

@@ -0,0 +1,40 @@
{ lib, pkgs, ... }:
{
boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
# useful emergency utils
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
'';
boot.kernelParams = [ "boot.shell_on_fail" ];
# other kernelParams:
# "boot.trace"
# "systemd.log_level=debug"
# "systemd.log_target=console"
# hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
boot.initrd.preFailCommands = "allowShell=1";
# default: 4 (warn). 7 is debug
boot.consoleLogLevel = 7;
boot.loader.grub.enable = lib.mkDefault false;
boot.loader.generic-extlinux-compatible.enable = lib.mkDefault true;
# non-free firmware
hardware.enableRedistributableFirmware = true;
services.fwupd.enable = true;
# powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
powerManagement.powertop.enable = false;
# services.snapper.configs = {
# root = {
# subvolume = "/";
# extraConfig = {
# ALLOW_USERS = "colin";
# };
# };
# };
# services.snapper.snapshotInterval = "daily";
}
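Review bot: `boot.shell_on_fail` together with `preFailCommands = "allowShell=1"` means any boot failure drops whoever is at the console into an unauthenticated root shell in the initrd, and `consoleLogLevel = 7` spills debug-level kernel output onto that console. With `/nix` unencrypted (see desko/fs.nix) this grants little that physical access does not already give, so it is defensible, but it is a threat-model statement and belongs in a comment next to the impermanence rationale rather than under "useful emergency utils"; revisit it before any host gains disk encryption, at which point the initrd shell becomes the weakest link. Note also that `preFailCommands` sets `allowShell=1` unconditionally inside stage-1's `fail()`, so the `boot.shell_on_fail` kernel parameter is redundant here rather than the thing that "doesn't always work".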

@@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./all.nix
./x86_64.nix
];
}

@@ -0,0 +1,26 @@
{ lib, pkgs, ... }:
with lib;
{
config = mkIf (pkgs.system == "x86_64-linux") {
boot.initrd.availableKernelModules = [
"xhci_pci" "ahci" "sd_mod" "sdhci_pci" # nixos-generate-config defaults
"usb_storage" # rpi needed this to boot from usb storage, i think.
"nvme" # to boot from nvme devices
# efi_pstore evivars
];
# enable cross compilation
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# nixpkgs.config.allowUnsupportedSystem = true;
# nixpkgs.crossSystem.system = "aarch64-linux";
powerManagement.cpuFreqGovernor = "powersave";
hardware.cpu.amd.updateMicrocode = true; # desktop
hardware.cpu.intel.updateMicrocode = true; # laptop
hardware.opengl.driSupport = true;
# For 32 bit applications
hardware.opengl.driSupport32Bit = true;
};
}

@@ -0,0 +1,11 @@
{ ... }:
{
# we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
# logs from previous boots.
# maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
# but for now generate it from ssh keys.
system.activationScripts.machine-id = {
deps = [ "persist-ssh-host-keys" ];
text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
};
}
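Review bot: the activation script hashes the private host key (`ssh_host_ed25519_key`) to produce `/etc/machine-id`, a world-readable file. Truncated SHA-256 does not expose the key, but there is no reason for the script to read private material at all: hashing `ssh_host_ed25519_key.pub` gives the same stable per-host identity from data that is already public. Keep in mind that machine-id is consumed by more than journald (D-Bus, systemd-networkd DUIDs, some applications), so a persistent value is a tracking identifier; the comment already accepts that trade-off. Finally, `deps = [ "persist-ssh-host-keys" ]` orders this after the bind mount, but on a first boot with no host key yet `sha256sum` fails and the pipeline writes an empty file; guard with a `test -f` on the key.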

hosts/common/net.nix Normal file
@@ -0,0 +1,79 @@
{ config, lib, pkgs, ... }:
{
# if using router's DNS, these mappings will already exist.
# if using a different DNS provider (which servo does), then we need to explicity provide them.
# ugly hack. would be better to get servo to somehow use the router's DNS
networking.hosts = {
"192.168.0.5" = [ "servo" ];
"192.168.0.20" = [ "lappy" ];
"192.168.0.22" = [ "desko" ];
"192.168.0.48" = [ "moby" ];
};
# the default backend is "wpa_supplicant".
# wpa_supplicant reliably picks weak APs to connect to.
# see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
# iwd is an alternative that shouldn't have this problem
# docs:
# - <https://nixos.wiki/wiki/Iwd>
# - <https://iwd.wiki.kernel.org/networkmanager>
# - `man iwd.config` for global config
# - `man iwd.network` for per-SSID config
# use `iwctl` to control
networking.networkmanager.wifi.backend = "iwd";
networking.wireless.iwd.enable = true;
networking.wireless.iwd.settings = {
# auto-connect to a stronger network if signal drops below this value
# bedroom -> bedroom connection is -35 to -40 dBm
# bedroom -> living room connection is -60 dBm
General.RoamThreshold = "-52"; # default -70
General.RoamThreshold5G = "-52"; # default -76
};
# TODO: don't need to depend on binsh if we were to use a nix-style shebang
system.activationScripts.linkIwdKeys = let
unwrapped = ../../scripts/install-iwd;
install-iwd = pkgs.writeShellApplication {
name = "install-iwd";
runtimeInputs = with pkgs; [ coreutils gnused ];
text = ''${unwrapped} "$@"'';
};
in (lib.stringAfter
[ "setupSecrets" "binsh" ]
''
mkdir -p /var/lib/iwd
${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
''
);
# TODO: use a glob, or a list, or something?
sops.secrets."iwd/community-university.psk" = {
sopsFile = ../../secrets/universal/net/community-university.psk.bin;
format = "binary";
};
sops.secrets."iwd/friend-libertarian-dod.psk" = {
sopsFile = ../../secrets/universal/net/friend-libertarian-dod.psk.bin;
format = "binary";
};
sops.secrets."iwd/friend-rationalist-empathist.psk" = {
sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
format = "binary";
};
sops.secrets."iwd/home-bedroom.psk" = {
sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
format = "binary";
};
sops.secrets."iwd/home-shared-24G.psk" = {
sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
format = "binary";
};
sops.secrets."iwd/home-shared.psk" = {
sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
format = "binary";
};
sops.secrets."iwd/iphone" = {
sopsFile = ../../secrets/universal/net/iphone.psk.bin;
format = "binary";
};
}
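Review bot: the last secret is declared as `iwd/iphone` while every other one ends in `.psk`. iwd only loads network files named `<SSID>.psk` (or `.open`/`.8021x`) from /var/lib/iwd, so if `install-iwd` derives the target filename from the secret's basename this network is silently ignored; rename it `iwd/iphone.psk` to match the others and the `TODO` about a glob or list becomes a one-liner. The `linkIwdKeys` script also copies PSKs out of `/run/secrets` into `/var/lib/iwd` on every activation; make sure install-iwd leaves them root-owned and 0600, since that directory is where iwd persists credentials and it is not covered by the sops-nix permission handling.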

hosts/common/secrets.nix Normal file
@@ -0,0 +1,53 @@
{ config, ... }:
{
# SOPS configuration:
# docs: https://github.com/Mic92/sops-nix
#
# for each new user you want to edit sops files:
# create a private age key from ssh key:
# $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
# if the private key was password protected, then first decrypt it:
# $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
# $ ssh-keygen -p -N "" -f /tmp/id_ed25519
#
# for each user you want to decrypt secrets:
# $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
# add the result to .sops.yaml
# since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
#
# for each host you want to decrypt secrets:
# $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
# add the result to .sops.yaml
# $ sops updatekeys secrets/example.yaml
#
# to create a new secret:
# $ sops secrets/example.yaml
# control access below (sops.secret.<x>.owner = ...)
#
# to read a secret:
# $ cat /run/secrets/example_key
# sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
# This will add secrets.yaml to the nix store
# You can avoid this by adding a string to the full path instead, i.e.
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
sops.defaultSopsFile = ../../secrets/universal.yaml;
# This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = [
"/etc/ssh/host_keys/ssh_host_ed25519_key"
];
sops.gnupg.sshKeyPaths = []; # disable RSA key import
# This is using an age key that is expected to already be in the filesystem
# sops.age.keyFile = "/home/colin/.ssh/age.pub";
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# This will generate a new key if the key specified above does not exist
# sops.age.generateKey = true;
# This is the actual specification of the secrets.
# sops.secrets.example_key = {
# owner = config.users.users.colin.name;
# };
# sops.secrets."myservice/my_subdir/my_secret" = {};
}
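Review bot: the setup recipe in the header comment copies the SSH private key to `/tmp/id_ed25519`, strips its passphrase with `ssh-keygen -p -N ""`, and never removes it. On desko `/tmp` is a 64G tmpfs that lives until reboot, so a passphrase-less copy of the key that also decrypts every sops secret stays around indefinitely; add an `rm -f /tmp/id_ed25519` step, or do the conversion in a `mktemp -d` directory and delete it afterwards, keeping only the derived age key in `~/.config/sops/age/keys.txt` (already 0600). `sops.gnupg.sshKeyPaths = []` with the comment "disable RSA key import" is correct: sops-nix's gnupg path imports only RSA host keys, while the age path below uses the ed25519 key.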

hosts/common/ssh.nix Normal file
@@ -0,0 +1,21 @@
{ ... }:
{
# we place the host keys (which we want to be persisted) into their own directory so that we can
# bind mount that whole directory instead of doing it per-file.
# otherwise, this is identical to nixos defaults
sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
# we can't naively `mount /etc/ssh/host_keys` directly,
# as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
# we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
# since that also depends on `users`.
system.activationScripts.persist-ssh-host-keys.text = ''
mkdir -p /etc/ssh/host_keys
mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
'';
services.openssh.hostKeys = [
{ type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
{ type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
];
}
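Review bot: `persist-ssh-host-keys` declares no `deps` and nothing declares a dependency on it, yet secrets.nix points `sops.age.sshKeyPaths` at `/etc/ssh/host_keys/ssh_host_ed25519_key`. On a tmpfs root that directory only exists once this bind mount has run, so if sops-nix's `setupSecretsForUsers` (pulled in early via `users`) happens to be ordered first, `colin-passwd` cannot be decrypted at boot and the empty `initialPassword` fallback in users.nix takes over. Make the ordering explicit, e.g. `system.activationScripts.setupSecretsForUsers.deps = [ "persist-ssh-host-keys" ];` and likewise for `setupSecrets`. Separately, the script runs on every `nixos-rebuild switch`, so `mount --bind` stacks a fresh mount each time; guard it with `mountpoint -q /etc/ssh/host_keys ||`.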

hosts/common/users.nix Normal file
@@ -0,0 +1,138 @@
{ config, pkgs, lib, ... }:
# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
with lib;
let
cfg = config.sane.users;
# see nixpkgs/nixos/modules/services/networking/dhcpcd.nix
hasDHCP = config.networking.dhcpcd.enable &&
(config.networking.useDHCP || any (i: i.useDHCP == true) (attrValues config.networking.interfaces));
in
{
options = {
sane.users.guest.enable = mkOption {
default = false;
type = types.bool;
};
};
config = {
# Users are exactly these specified here;
# old ones will be deleted (from /etc/passwd, etc) upon upgrade.
users.mutableUsers = false;
# docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
users.users.colin = {
# sets group to "users" (?)
isNormalUser = true;
home = "/home/colin";
uid = config.sane.allocations.colin-uid;
# i don't get exactly what this is, but nixos defaults to this non-deterministically
# in /var/lib/nixos/auto-subuid-map and i don't want that.
subUidRanges = [
{ startUid=100000; count=1; }
];
group = "users";
extraGroups = [
"wheel"
"nixbuild"
"networkmanager"
# phosh/mobile. XXX colin: unsure if necessary
"video"
"feedbackd"
"dialout" # required for modem access
];
# initial password is empty, in case anything goes wrong.
# if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
initialPassword = lib.mkDefault "";
passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
shell = pkgs.zsh;
openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
pamMount = {
# mount encrypted stuff at login
# requires that login password == fs encryption password
# fstype = "fuse";
# path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
fstype = "fuse.gocryptfs";
path = "/nix/persist/home/colin/private";
mountpoint = "/home/colin/private";
options="nodev,nosuid,quiet,allow_other";
};
};
sane.impermanence.home-dirs = [
# cache is probably too big to fit on the tmpfs
# TODO: we could bind-mount it to something which gets cleared per boot, though.
".cache"
".cargo"
".rustup"
".local/share/keyrings"
];
sane.impermanence.service-dirs = mkIf cfg.guest.enable [
{ user = "guest"; group = "users"; directory = "/home/guest"; }
];
users.users.guest = mkIf cfg.guest.enable {
isNormalUser = true;
home = "/home/guest";
uid = config.sane.allocations.guest-uid;
subUidRanges = [
{ startUid=200000; count=1; }
];
group = "users";
initialPassword = lib.mkDefault "";
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# TODO: insert pubkeys that should be allowed in
];
};
users.users.dhcpcd = mkIf hasDHCP {
uid = config.sane.allocations.dhcpcd-uid;
};
users.groups.dhcpcd = mkIf hasDHCP {
gid = config.sane.allocations.dhcpcd-gid;
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
services.openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
};
# affix some UIDs which were historically auto-generated
users.users.sshd.uid = config.sane.allocations.sshd-uid;
users.groups.polkituser.gid = config.sane.allocations.polkituser-gid;
users.groups.sshd.gid = config.sane.allocations.sshd-gid;
users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
users.users.nscd.uid = config.sane.allocations.nscd-uid;
users.groups.nscd.gid = config.sane.allocations.nscd-gid;
users.users.systemd-oom.uid = config.sane.allocations.systemd-oom-uid;
users.groups.systemd-oom.gid = config.sane.allocations.systemd-oom-gid;
# guarantee determinism in uid/gid generation for users:
assertions = let
uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
assertion = user.uid != null;
message = "non-deterministic uid detected for: ${name}";
}) config.users.users);
gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
assertion = group.gid != null;
message = "non-deterministic gid detected for: ${name}";
}) config.users.groups);
autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
assertion = !user.autoSubUidGidRange;
message = "non-deterministic subUids/Guids detected for: ${name}";
}) config.users.users);
in uidAssertions ++ gidAssertions ++ autoSubAssertions;
};
}
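Review bot: `initialPassword = mkDefault ""` is the fallback when `colin-passwd` fails to decrypt, and colin is in `wheel` with `wheelNeedsPassword = false`; together that means any boot on which sops-nix cannot read the host key (see the ordering gap in ssh.nix) leaves a root-equivalent account with an empty password at the console and at the phosh/sway login. `passwordAuthentication = false` protects SSH only. Consider a locked `initialHashedPassword = "!"` as the fallback, with the keys in `pubkeys.nix` as the recovery path, or at least require a sudo password. The `guest` user also gets an empty `initialPassword`; it is not in `wheel`, but it is still an unauthenticated local shell for anyone at the keyboard whenever `sane.users.guest.enable` is set. Minor: `subUidRanges` with `count = 1` is too small for rootless podman/docker (they need 65536 ids), though it does satisfy the determinism assertion.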

hosts/common/vpn.nix Normal file
@@ -0,0 +1,58 @@
{ config, ... }:
{
networking.wg-quick.interfaces.ovpnd-us = {
address = [
"172.27.237.218/32"
"fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
];
dns = [
"46.227.67.134"
"192.165.9.158"
];
peers = [
{
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
}
];
privateKeyFile = config.sops.secrets.wg_ovpnd_us_privkey.path;
# to start: `systemctl start wg-quick-ovpnd-us`
autostart = false;
};
networking.wg-quick.interfaces.ovpnd-ukr = {
address = [
"172.18.180.159/32"
"fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
];
dns = [
"46.227.67.134"
"192.165.9.158"
];
peers = [
{
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
}
];
privateKeyFile = config.sops.secrets.wg_ovpnd_ukr_privkey.path;
# to start: `systemctl start wg-quick-ovpnd-ukr`
autostart = false;
};
sops.secrets."wg_ovpnd_us_privkey" = {
sopsFile = ../../secrets/universal.yaml;
};
sops.secrets."wg_ovpnd_ukr_privkey" = {
sopsFile = ../../secrets/universal.yaml;
};
}
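Review bot: both interfaces route `0.0.0.0/0` and `::/0`, so they must never be up at the same time, and with `autostart = false` that is left to whoever types `systemctl start`. Add `Conflicts=` between `wg-quick-ovpnd-us.service` and `wg-quick-ovpnd-ukr.service` (via `systemd.services.<name>.conflicts`) so starting one stops the other. Also note that wg-quick gives no leak protection: its fwmark-based routing black-holes traffic while the peer is unreachable, but as soon as the interface is taken down (service stop, crash, suspend/resume) everything reverts to the physical default route with nothing blocking it. If that matters for these exit nodes, add a `postUp`/`preDown` nftables rule that drops traffic not marked with the interface's fwmark.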

hosts/desko/default.nix Normal file
@@ -0,0 +1,59 @@
{ config, pkgs, ... }:
{
imports = [
./fs.nix
];
# sane.packages.enableDevPkgs = true;
sane.gui.sway.enable = true;
sane.services.duplicity.enable = true;
sane.services.nixserve.enable = true;
sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
sane.impermanence.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
# needed to use libimobiledevice/ifuse, for iphone sync
services.usbmuxd.enable = true;
users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
sops.secrets.colin-passwd = {
sopsFile = ../../secrets/desko.yaml;
neededForUsers = true;
};
# default config: https://man.archlinux.org/man/snapper-configs.5
# defaults to something like:
# - hourly snapshots
# - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
services.snapper.configs.nix = {
# TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
# but that also requires setting up the persist dir as a subvol
subvolume = "/nix";
# TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
extraConfig = ''
ALLOW_USERS = "colin";
'';
};
sops.secrets.duplicity_passphrase = {
sopsFile = ../../secrets/desko.yaml;
};
programs.steam = {
enable = true;
# not sure if needed: stole this whole snippet from the wiki
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
sane.impermanence.home-dirs = [
".steam"
".local/share/Steam"
];
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
system.stateVersion = "21.05";
}
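Review bot: `programs.steam.dedicatedServer.openFirewall = true` opens the Source dedicated-server ports on a desktop, and the comment beside it admits the snippet was copied without knowing whether it is needed; drop `dedicatedServer.openFirewall` unless this host really serves games, and keep `remotePlay.openFirewall` only if Remote Play is used. On the snapper `TODO`: snapper's shipped configs are written as `ALLOW_USERS="colin"` with no whitespace around `=`, so check whether the spaced form in `extraConfig` is what makes it ignored, and note that `SYNC_ACL="yes"` is what lets the listed user read the `.snapshots` directory.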

40
hosts/desko/fs.nix Normal file
View File

@@ -0,0 +1,40 @@
{ ... }:
{
# root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=755"
"size=1G"
"defaults"
];
};
# we need a /tmp for building large nix things.
# a cross-compiled kernel, particularly, will easily use 30+GB of tmp
fileSystems."/tmp" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=777"
"size=64G"
"defaults"
];
};
fileSystems."/nix" = {
# device = "/dev/disk/by-uuid/985a0a32-da52-4043-9df7-615adec2e4ff";
device = "/dev/disk/by-uuid/0ab0770b-7734-4167-88d9-6e4e20bb2a56";
fsType = "btrfs";
options = [
"compress=zstd"
"defaults"
];
};
fileSystems."/boot" = {
# device = "/dev/disk/by-uuid/CAA7-E7D2";
device = "/dev/disk/by-uuid/41B6-BAEF";
fsType = "vfat";
};
}
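Review bot: `"mode=777"` on the `/tmp` tmpfs omits the sticky bit; the conventional `/tmp` mode is `1777`, and without the sticky bit any local user can delete or rename other users' temporary files, so this should read `"mode=1777"`. The commented-out previous `by-uuid` lines for `/nix` and `/boot` are dead config now that the new UUIDs are in place; stale device ids left in the file are a foot-gun at the next disk swap.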

10
hosts/instantiate.nix Normal file
View File

@@ -0,0 +1,10 @@
# trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
hostName: { ... }: {
imports = [
./${hostName}
./common
];
networking.hostName = hostName;
}

36
hosts/lappy/default.nix Normal file
View File

@@ -0,0 +1,36 @@
{ pkgs, ... }:
{
imports = [
./fs.nix
];
# sane.packages.enableDevPkgs = true;
# sane.users.guest.enable = true;
sane.gui.sway.enable = true;
sane.impermanence.enable = true;
sane.nixcache.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
sops.secrets.colin-passwd = {
sopsFile = ../../secrets/lappy.yaml;
neededForUsers = true;
};
# default config: https://man.archlinux.org/man/snapper-configs.5
# defaults to something like:
# - hourly snapshots
# - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
services.snapper.configs.nix = {
# TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
# but that also requires setting up the persist dir as a subvol
subvolume = "/nix";
};
# TODO: only here for debugging
# services.ipfs.enable = true;
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
system.stateVersion = "21.05";
}

57
hosts/lappy/fs.nix Normal file
View File

@@ -0,0 +1,57 @@
{ ... }:
{
# root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=755"
"size=1G"
"defaults"
];
};
# we need a /tmp of default size (half RAM) for building large nix things
fileSystems."/tmp" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=777"
"defaults"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/75230e56-2c69-4e41-b03e-68475f119980";
fsType = "btrfs";
options = [
"compress=zstd"
"defaults"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/BD79-D6BB";
fsType = "vfat";
};
# fileSystems."/nix" = {
# device = "/dev/disk/by-uuid/5a7fa69c-9394-8144-a74c-6726048b129f";
# fsType = "btrfs";
# };
# fileSystems."/boot" = {
# device = "/dev/disk/by-uuid/4302-1685";
# fsType = "vfat";
# };
# fileSystems."/" = {
# device = "none";
# fsType = "tmpfs";
# options = [
# "mode=755"
# "size=1G"
# "defaults"
# ];
# };
}
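Review bot: same sticky-bit issue as the other hosts: the `/tmp` option `"mode=777"` should be `"mode=1777"`. The 17-line commented-out block at the end (old `/nix`, `/boot` and `/` definitions carrying a previous UUID) is dead config that git history already preserves; remove it rather than keep two sets of device UUIDs in one file.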

85
hosts/moby/default.nix Normal file
View File

@@ -0,0 +1,85 @@
{ config, pkgs, lib, mobile-nixos, ... }:
{
imports = [
./firmware.nix
./fs.nix
./kernel.nix
];
# cross-compiled documentation is *slow*.
# no obvious way to natively compile docs (2022/09/29).
# entrypoint is nixos/modules/misc/documentation.nix
# doc building happens in nixos/doc/manual/default.nix
# TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
documentation.nixos.enable = false;
# XXX colin: phosh doesn't work well with passwordless login,
# so set this more reliable default password should anything go wrong
users.users.colin.initialPassword = "147147";
services.getty.autologinUser = "root"; # allows for emergency maintenance?
sops.secrets.colin-passwd = {
sopsFile = ../../secrets/moby.yaml;
neededForUsers = true;
};
# usability compromises
sane.impermanence.home-dirs = [
config.sane.web-browser.dotDir
];
# sane.packages.enableGuiPkgs = false; # XXX faster builds/imaging for debugging
sane.packages.extraUserPkgs = [
pkgs.plasma5Packages.konsole # terminal
];
sane.nixcache.enable = true;
sane.impermanence.enable = true;
sane.gui.phosh.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
# /boot space is at a premium. default was 20.
boot.loader.generic-extlinux-compatible.configurationLimit = 10;
# mobile.bootloader.enable = false;
# mobile.boot.stage-1.enable = false;
# boot.initrd.systemd.enable = false;
# boot.initrd.services.swraid.enable = false; # attempt to fix dm_mod stuff
# disable proximity sensor.
# the filtering/calibration is bad that it causes the screen to go fully dark at times.
boot.blacklistedKernelModules = [ "stk3310" ];
# without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
# this is because they can't allocate enough video ram.
# the default CMA seems to be 32M. we could probably get by with as little as 64M, and safely with 128M.
# `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
boot.kernelParams = [ "cma=256M" ];
# mobile-nixos' /lib/firmware includes:
# rtl_bt (bluetooth)
# anx7688-fw.bin (USB-C -> HDMI bridge)
# ov5640_af.bin (camera module)
# hardware.firmware = [ config.mobile.device.firmware ];
hardware.firmware = [ pkgs.rtl8723cs-firmware ];
system.stateVersion = "21.11";
# defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
# XXX colin: not sure which, if any, software makes use of this
environment.etc."machine-info".text = ''
CHASSIS="handset"
'';
# enable rotation sensor
hardware.sensor.iio.enable = true;
# from https://gitlab.manjaro.org/manjaro-arm/packages/community/phosh/alsa-ucm-pinephone
# mobile-nixos does this same thing, with *slightly different settings*.
# i trust manjaro more because the guy maintaining that is actively trying to upstream into alsa-ucm-conf.
# an alternative may be to build a custom alsa with the PinePhone config patch applied:
# - <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
# that would make this be not device-specific
environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";
hardware.opengl.driSupport = true;
}
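Review bot: `users.users.colin.initialPassword = "147147"` commits a weak plaintext password to the repository, and `services.getty.autologinUser = "root"` hands anyone with physical access to the handset an unauthenticated root console; the trailing `?` in its comment suggests the author is not sure it is needed. Since `sops.secrets.colin-passwd` with `neededForUsers` already supplies the real password, the fallback belongs in sops too (or at least as `initialHashedPassword`), and the root autologin should be gated behind an explicit debug option rather than shipped on for a daily-carry device.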

12
hosts/moby/firmware.nix Normal file
View File

@@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
# we need space in the GPT header to place tow-boot.
# only actually need 1 MB, but better to over-allocate than under-allocate
sane.image.extraGPTPadding = 16 * 1024 * 1024;
sane.image.firstPartGap = 0;
system.build.img = pkgs.runCommand "nixos_full-disk-image.img" {} ''
cp -v ${config.system.build.img-without-firmware}/nixos.img $out
chmod +w $out
dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
'';
}

28
hosts/moby/fs.nix Normal file
View File

@@ -0,0 +1,28 @@
{ ... }:
{
# root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=755"
"size=1G"
"defaults"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/1f1271f8-53ce-4081-8a29-60a4a6b5d6f9";
fsType = "btrfs";
options = [
"compress=zstd"
"defaults"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/0299-F1E5";
fsType = "vfat";
};
}
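Review bot: unlike desko, lappy and servo, this host declares no `/tmp` mount, so `/tmp` lives on the 1G root tmpfs and any build or large download on the device is capped by that `size=1G` while competing with the rest of the ephemeral root. If the phone never builds locally that is fine, but a one-line comment saying so would save the next reader from wondering.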

143
hosts/moby/kernel.nix Normal file
View File

@@ -0,0 +1,143 @@
{ lib, pkgs, ... }:
let
# use the last commit on the 5.18 branch (5.18.14)
# manjaro's changes between kernel patch versions tend to be minimal if any.
manjaroBase = "https://gitlab.manjaro.org/manjaro-arm/packages/core/linux/-/raw/25bd828cd47b1c6e09fcbcf394a649b89d2876dd";
manjaroPatch = name: sha256: {
inherit name;
patch = pkgs.fetchpatch {
inherit name;
url = "${manjaroBase}/${name}?inline=false";
inherit sha256;
};
};
# the idea for patching off Manjaro's kernel comes from jakewaksbaum:
# - https://git.sr.ht/~jakewaksbaum/pi/tree/af20aae5653545d6e67a459b59ee3e1ca8a680b0/item/kernel/default.nix
# - he later abandoned this, i think because he's using the Pinephone Pro which received mainline support.
manjaroPatches = [
(manjaroPatch
"1001-arm64-dts-allwinner-add-hdmi-sound-to-pine-devices.patch"
"sha256-DApd791A+AxB28Ven/MVAyuyVphdo8KQDx8O7oxVPnc="
)
# these patches below are critical to enable wifi (RTL8723CS)
# - the alternative is a wholly forked kernel by megi/megous:
# - https://xnux.eu/howtos/build-pinephone-kernel.html#toc-how-to-build-megi-s-pinehpone-kernel
# - i don't know if these patches are based on megi's or original
(manjaroPatch
"2001-Bluetooth-Add-new-quirk-for-broken-local-ext-features.patch"
"sha256-CExhJuUWivegxPdnzKINEsKrMFx/m/1kOZFmlZ2SEOc="
)
(manjaroPatch
"2002-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch"
"sha256-dDdvOphTcP/Aog93HyH+L9m55laTgtjndPSE4/rnzUA="
)
(manjaroPatch
"2004-arm64-dts-allwinner-enable-bluetooth-pinetab-pinepho.patch"
"sha256-o43P3WzXyHK1PF+Kdter4asuyGAEKO6wf5ixcco2kCQ="
)
# XXX: this one has a Makefile, which hardcodes /sbin/depmod:
# - drivers/staging/rtl8723cs/Makefile
# - not sure if this is problematic?
(manjaroPatch
"2005-staging-add-rtl8723cs-driver.patch"
"sha256-6ywm3dQQ5JYl60CLKarxlSUukwi4QzqctCj3tVgzFbo="
)
];
# pinephone uses the linux dtb at arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi
# - this includes sun50i-a64.dtsi
# - and sun50i-a64-cpu-opp.dtsi
# - no need to touch the allwinner-h6 stuff: that's the SBC pine product
# - i think it's safe to ignore sun9i stuff, but i don't know what it is
kernelConfig = with lib.kernel; {
# NB: nix adds the CONFIG_ prefix to each of these.
# if you add the prefix yourself nix will IGNORE YOUR CONFIG.
RTL8723CS = module;
BT_HCIUART_3WIRE = yes;
BT_HCIUART_RTL = yes;
RTL8XXXU_UNTESTED = yes;
BT_BNEP_MC_FILTER = yes;
BT_BNEP_PROTO_FILTER = yes;
BT_HS = yes;
BT_LE = yes;
# relevant configs inherited from nixos defaults (or above additions):
# CONFIG_BT=m
# CONFIG_BT_BREDR=y
# CONFIG_BT_RFCOMM=m
# CONFIG_BT_RFCOMM_TTY=y
# CONFIG_BT_BNEP=m
# CONFIG_BT_HIDP=m
# CONFIG_BT_RTL=m
# CONFIG_BT_HCIBTUSB=m
# CONFIG_BT_HCIBTUSB_BCM=y
# CONFIG_BT_HCIBTUSB_RTL=y
# CONFIG_BT_HCIUART=m
# CONFIG_BT_HCIUART_SERDEV=y
# CONFIG_BT_HCIUART_H4=y
# CONFIG_BT_HCIUART_LL=y
# CONFIG_RTL_CARDS=m
# CONFIG_RTLWIFI=m
# CONFIG_RTLWIFI_PCI=m
# CONFIG_RTLWIFI_USB=m
# CONFIG_RTLWIFI_DEBUG=y
# CONFIG_RTL8723_COMMON=m
# CONFIG_RTLBTCOEXIST=m
# CONFIG_RTL8XXXU=m
# CONFIG_RTLLIB=m
# consider adding (from mobile-nixos):
# maybe: CONFIG_BT_HCIUART_3WIRE=y
# maybe: CONFIG_BT_HCIUART_RTL=y
# maybe: CONFIG_RTL8XXXU_UNTESTED=y
# consider adding (from manjaro):
# CONFIG_BT_6LOWPAN=m (not listed as option in nixos kernel)
# these are referenced in the rtl8723 source, but not known to config (and not in mobile-nixos config
# maybe: CONFIG_RTL_ODM_WLAN_DRIVER
# maybe: CONFIG_RTL_TRIBAND_SUPPORT
# maybe: CONFIG_SDIO_HCI
# maybe: CONFIG_USB_HCI
};
# create a kernelPatch which overrides nixos' defconfig with extra options
patchDefconfig = config: {
# defconfig options. this method comes from here:
# - https://discourse.nixos.org/t/the-correct-way-to-override-the-latest-kernel-config/533/9
name = "sane-moby-defconfig";
patch = null;
extraStructuredConfig = config;
};
in
{
# use Megi's kernel:
# even with the Manjaro patches, stock 5.18 has a few issues on Pinephone:
# - no battery charging
# - phone rotation sensor is off by 90 degrees
# - ambient light sensor causes screen brightness to be shakey
# - phosh greeter may not appear after wake from sleep
boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
boot.kernelPatches = [
(patchDefconfig (kernelConfig //
(with lib.kernel; {
# disabling the sun5i_eink driver avoids this compilation error:
# CC [M] drivers/video/fbdev/sun5i-eink-neon.o
# aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfloat-abi=softfp'
# aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
# make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
FB_SUN5I_EINK = no;
})
))
];
# alternatively, use nixos' kernel and add the stuff we want:
# # cross-compilation optimization:
# boot.kernelPackages =
# let p = (import nixpkgs { localSystem = "x86_64-linux"; });
# in p.pkgsCross.aarch64-multiplatform.linuxPackages_5_18;
# # non-cross:
# # boot.kernelPackages = pkgs.linuxPackages_5_18;
# boot.kernelPatches = manjaroPatches ++ [
# (patchDefconfig kernelConfig)
# ];
}
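Review bot: `manjaroPatches` (the five `manjaroPatch` calls) is defined but never used: `boot.kernelPatches` applies only `patchDefconfig`, and the Manjaro-based alternative that would use it is commented out at the bottom. Either drop the binding together with its `fetchpatch` hashes or move it into the commented block, so the file does not suggest patches are applied when they are not; the `/sbin/depmod` worry on `2005-staging-add-rtl8723cs-driver.patch` resolves itself for the same reason. Pinning each patch to a commit plus `sha256` is the right supply-chain posture; `pkgs.cross.linux-megous` is a wholly forked kernel and deserves the same treatment (tag or commit plus `sha256`) wherever it is defined.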

View File

@@ -0,0 +1,148 @@
SectionVerb {
EnableSequence [
cset "name='Headphone Playback Switch' off"
cset "name='Headphone Source Playback Route' DAC"
cset "name='Line In Playback Switch' off"
cset "name='Line Out Playback Switch' off"
cset "name='Line Out Source Playback Route' Mono Differential"
cset "name='Mic1 Playback Switch' off"
cset "name='Mic2 Playback Switch' off"
cset "name='AIF1 DA0 Playback Volume' 160"
cset "name='AIF3 ADC Source Capture Route' None"
cset "name='AIF2 DAC Source Playback Route' AIF2"
cset "name='DAC Playback Switch' on"
cset "name='DAC Playback Volume' 160"
cset "name='ADC Digital DAC Playback Switch' off"
cset "name='AIF1 Slot 0 Digital DAC Playback Switch' on"
cset "name='AIF2 Digital DAC Playback Switch' off"
cset "name='DAC Reversed Playback Switch' off"
cset "name='Earpiece Playback Switch' off"
cset "name='Earpiece Source Playback Route' DACL"
cset "name='Line In Capture Switch' off"
cset "name='Mic1 Capture Switch' off"
cset "name='Mic1 Boost Volume' 7"
cset "name='Mic2 Capture Switch' off"
cset "name='Mic2 Boost Volume' 7"
cset "name='Mixer Capture Switch' off"
cset "name='Mixer Reversed Capture Switch' off"
cset "name='ADC Capture Volume' 160"
cset "name='ADC Gain Capture Volume' 7"
cset "name='AIF1 AD0 Capture Volume' 160"
cset "name='AIF1 Data Digital ADC Capture Switch' on"
cset "name='AIF2 ADC Mixer ADC Capture Switch' off"
cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
cset "name='AIF2 ADC Mixer AIF2 DAC Rev Capture Switch' off"
cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
]
DisableSequence [
]
Value {
}
}
SectionDevice."Speaker" {
Comment "Internal speaker"
EnableSequence [
cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
cset "name='Line Out Playback Switch' on"
cset "name='Line Out Playback Volume' 100%"
]
DisableSequence [
cset "name='Line Out Playback Switch' off"
]
Value {
PlaybackVolume "Line Out Playback Volume"
PlaybackSwitch "Line Out Playback Switch"
PlaybackChannels 2
PlaybackPriority 300
PlaybackPCM "hw:${CardId},0"
}
}
SectionDevice."Earpiece" {
Comment "Internal Earpiece"
EnableSequence [
cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
cset "name='Earpiece Playback Switch' on"
cset "name='Earpiece Playback Volume' 100%"
]
DisableSequence [
cset "name='Earpiece Playback Switch' off"
]
Value {
PlaybackVolume "Earpiece Playback Volume"
PlaybackSwitch "Earpiece Playback Switch"
PlaybackChannels 2
PlaybackPriority 200
PlaybackPCM "hw:${CardId},0"
}
}
SectionDevice."Mic" {
Comment "Internal Microphone"
ConflictingDevice [
"Headset"
]
EnableSequence [
cset "name='Mic1 Capture Switch' on"
]
DisableSequence [
cset "name='Mic1 Capture Switch' off"
]
Value {
CapturePriority 100
CapturePCM "hw:${CardId},0"
CaptureChannels 2
CaptureMixerElem "ADC"
CaptureVolume "ADC Capture Volume"
CaptureSwitch "Mic1 Capture Switch"
}
}
SectionDevice."Headset" {
Comment "Headset Microphone"
ConflictingDevice [
"Mic"
]
EnableSequence [
cset "name='Mic2 Capture Switch' on"
]
DisableSequence [
cset "name='Mic2 Capture Switch' off"
]
Value {
CapturePriority 500
CapturePCM "hw:${CardId},0"
CaptureChannels 2
CaptureMixerElem "ADC"
CaptureVolume "ADC Capture Volume"
CaptureSwitch "Mic2 Capture Switch"
JackControl "Headset Microphone Jack"
}
}
SectionDevice."Headphones" {
Comment "Headphones"
EnableSequence [
cset "name='AIF1 DA0 Stereo Playback Route' Stereo"
cset "name='Headphone Playback Switch' on"
cset "name='Headphone Playback Volume' 70%"
]
DisableSequence [
cset "name='Headphone Playback Switch' off"
]
Value {
PlaybackVolume "Headphone Playback Volume"
PlaybackSwitch "Headphone Playback Switch"
PlaybackChannels 2
PlaybackPriority 500
PlaybackPCM "hw:${CardId},0"
JackControl "Headphone Jack"
}
}
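Review bot: in the `SectionVerb` `EnableSequence`, `cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"` appears three times (once after the ADC switch and twice at the end); the repeats are harmless but look like a copy/paste slip, possibly standing in for a different control, so diff this block against the Manjaro `alsa-ucm-pinephone` file that `hosts/moby/default.nix` cites as its source. This view also lost the file's path; judging by `PinePhone.conf` (`File "HiFi.conf"`) and the `Directory "PinePhone"` in `ucm.conf`, it is presumably `hosts/moby/ucm2/PinePhone/HiFi.conf`.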

View File

@@ -0,0 +1,11 @@
Syntax 2
SectionUseCase."HiFi" {
File "HiFi.conf"
Comment "Default"
}
SectionUseCase."Voice Call" {
File "VoiceCall.conf"
Comment "Phone call"
}

View File

@@ -0,0 +1,153 @@
SectionVerb {
EnableSequence [
cset "name='Headphone Playback Switch' off"
cset "name='Headphone Source Playback Route' DAC"
cset "name='Line In Playback Switch' off"
cset "name='Line Out Playback Switch' off"
cset "name='Line Out Source Playback Route' Mono Differential"
cset "name='Mic1 Playback Switch' off"
cset "name='Mic2 Playback Switch' off"
cset "name='AIF1 DA0 Playback Volume' 160"
cset "name='AIF2 DAC Playback Volume' 160"
cset "name='AIF3 ADC Source Capture Route' None"
cset "name='AIF2 DAC Source Playback Route' AIF2"
cset "name='DAC Playback Switch' on"
cset "name='DAC Playback Volume' 160"
cset "name='ADC Digital DAC Playback Switch' off"
cset "name='AIF1 Slot 0 Digital DAC Playback Switch' on"
cset "name='AIF2 Digital DAC Playback Switch' on"
cset "name='DAC Reversed Playback Switch' off"
cset "name='Earpiece Playback Switch' off"
cset "name='Earpiece Source Playback Route' DACL"
cset "name='Line In Capture Switch' off"
cset "name='Mic1 Capture Switch' off"
cset "name='Mic1 Boost Volume' 0"
cset "name='Mic1 Playback Volume' 7"
cset "name='Mic2 Capture Switch' off"
cset "name='Mic2 Boost Volume' 0"
cset "name='Mic2 Playback Volume' 7"
cset "name='Mixer Capture Switch' off"
cset "name='Mixer Reversed Capture Switch' off"
cset "name='ADC Capture Volume' 160"
cset "name='ADC Gain Capture Volume' 7"
cset "name='AIF1 AD0 Capture Volume' 160"
cset "name='AIF1 Data Digital ADC Capture Switch' on"
cset "name='AIF2 ADC Capture Volume' 160"
cset "name='AIF2 ADC Mixer ADC Capture Switch' on"
cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
cset "name='AIF2 ADC Mixer AIF2 DAC Rev Capture Switch' off"
cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
]
DisableSequence [
]
Value {
PlaybackRate 8000
}
}
SectionDevice."Speaker" {
Comment "Internal speaker"
EnableSequence [
cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
cset "name='Line Out Playback Switch' on"
cset "name='Line Out Playback Volume' 100%"
]
DisableSequence [
cset "name='Line Out Playback Switch' off"
]
Value {
PlaybackVolume "Line Out Playback Volume"
PlaybackSwitch "Line Out Playback Switch"
PlaybackChannels 2
PlaybackPriority 300
PlaybackPCM "hw:${CardId},0"
}
}
SectionDevice."Earpiece" {
Comment "Internal Earpiece"
EnableSequence [
cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
cset "name='Earpiece Playback Switch' on"
cset "name='Earpiece Playback Volume' 100%"
]
DisableSequence [
cset "name='Earpiece Playback Switch' off"
]
Value {
PlaybackVolume "Earpiece Playback Volume"
PlaybackSwitch "Earpiece Playback Switch"
PlaybackChannels 2
PlaybackPriority 500
PlaybackPCM "hw:${CardId},0"
}
}
SectionDevice."Mic" {
Comment "Internal Microphone"
ConflictingDevice [
"Headset"
]
EnableSequence [
cset "name='Mic1 Capture Switch' on"
]
DisableSequence [
cset "name='Mic1 Capture Switch' off"
]
Value {
CapturePriority 200
CapturePCM "hw:${CardId},0"
CaptureMixerElem "ADC"
CaptureVolume "ADC Capture Volume"
CaptureSwitch "Mic1 Capture Switch"
CaptureChannels 2
}
}
SectionDevice."Headset" {
Comment "Headset Microphone"
ConflictingDevice [
"Mic"
]
EnableSequence [
cset "name='Mic2 Capture Switch' on"
]
DisableSequence [
cset "name='Mic2 Capture Switch' off"
]
Value {
CapturePriority 500
CapturePCM "hw:${CardId},0"
CaptureChannels 2
CaptureMixerElem "ADC"
CaptureVolume "ADC Capture Volume"
CaptureSwitch "Mic2 Capture Switch"
JackControl "Headset Microphone Jack"
}
}
SectionDevice."Headphones" {
Comment "Headphones"
EnableSequence [
cset "name='AIF1 DA0 Stereo Playback Route' Stereo"
cset "name='Headphone Playback Switch' on"
cset "name='Headphone Playback Volume' 100%"
]
DisableSequence [
cset "name='Headphone Playback Switch' off"
]
Value {
PlaybackVolume "Headphone Playback Volume"
PlaybackSwitch "Headphone Playback Switch"
PlaybackChannels 2
PlaybackPriority 500
PlaybackPCM "hw:${CardId},0"
JackControl "Headphone Jack"
}
}
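Review bot: the same triplicated `cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"` from `HiFi.conf` recurs here in the `SectionVerb` `EnableSequence`; if the source file in Manjaro has the same lines, keep them and say so in a comment, otherwise dedupe. Also note `PlaybackPriority 500` for `Earpiece` here versus `200` in `HiFi.conf`: intentional for a call profile, but worth a comment since it changes which output wins by default.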

8
hosts/moby/ucm2/ucm.conf Normal file
View File

@@ -0,0 +1,8 @@
Syntax 3
UseCasePath {
legacy {
Directory "PinePhone"
File "PinePhone.conf"
}
}

16
hosts/rescue/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, pkgs, ... }:
{
imports = [
./fs.nix
];
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
users.users.dhcpcd.uid = config.sane.allocations.dhcpcd-uid;
users.groups.dhcpcd.gid = config.sane.allocations.dhcpcd-gid;
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
system.stateVersion = "21.05";
}

12
hosts/rescue/fs.nix Normal file
View File

@@ -0,0 +1,12 @@
{ ... }:
{
fileSystems."/" = {
device = "/dev/disk/by-uuid/44445555-6666-7777-8888-999900001111";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2222-3333";
fsType = "vfat";
};
}
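Review bot: the `/` and `/boot` UUIDs (`44445555-6666-7777-8888-999900001111`, `2222-3333`) are clearly placeholders; if `rescue` is only ever produced as an image through `sane.image`, a comment stating that the UUIDs are dummies rewritten by the image builder would stop someone from trying to boot this config from a real disk. This host is also the only one with `/` on ext4 rather than a tmpfs root with impermanence, which is reasonable for a rescue system but worth stating.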

42
hosts/servo/default.nix Normal file
View File

@@ -0,0 +1,42 @@
{ pkgs, ... }:
{
imports = [
./fs.nix
./net.nix
./users.nix
./services
];
sane.packages.extraUserPkgs = [
# for administering services
pkgs.matrix-synapse
pkgs.freshrss
];
sane.impermanence.enable = true;
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
sane.services.nixserve.enable = true;
sane.services.nixserve.sopsFile = ../../secrets/servo.yaml;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
sops.secrets.duplicity_passphrase = {
sopsFile = ../../secrets/servo.yaml;
};
# both transmission and ipfs try to set different net defaults.
# we just use the most aggressive of the two here:
boot.kernel.sysctl = {
"net.core.rmem_max" = 4194304; # 4MB
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11";
}
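Review bot: `sops.secrets.duplicity_passphrase` is declared while `sane.services.duplicity.enable` is commented out with a `TODO`, so the passphrase is decrypted into the runtime secrets directory on every activation with no consumer; guard the secret with the same condition as the service so it only materialises when something needs it. The `net.core.rmem_max` comment is good; the same applies to any other sysctl the ipfs/transmission modules set, so a pointer to which module sets the lower value would complete it.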

98
hosts/servo/fs.nix Normal file
View File

@@ -0,0 +1,98 @@
{ ... }:
{
# root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=755"
"size=1G"
"defaults"
];
};
# we need a /tmp for building large nix things
fileSystems."/tmp" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=777"
"defaults"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/cc81cca0-3cc7-4d82-a00c-6243af3e7776";
fsType = "btrfs";
options = [
"compress=zstd"
"defaults"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6EE3-4171";
fsType = "vfat";
};
# slow, external storage (for archiving, etc)
fileSystems."/nix/persist/ext" = {
device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
fsType = "btrfs";
options = [
"compress=zstd"
"defaults"
];
};
sane.impermanence.service-dirs = [
# TODO: this is overly broad; only need media and share directories to be persisted
{ user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
];
# direct these media directories to external storage
environment.persistence."/nix/persist/ext/persist" = {
directories = [
({
user = "colin";
group = "users";
mode = "0777";
directory = "/var/lib/uninsane/media/Videos";
})
({
user = "colin";
group = "users";
mode = "0777";
directory = "/var/lib/uninsane/media/freeleech";
})
];
};
# in-memory compressed RAM (seems to be dynamically sized)
# zramSwap = {
# enable = true;
# };
# btrfs doesn't easily support swapfiles
# swapDevices = [
# { device = "/nix/persist/swapfile"; size = 4096; }
# ];
# this can be a partition. create with:
# fdisk <dev>
# n
# <default partno>
# <start>
# <end>
# t
# <partno>
# 19 # set part type to Linux swap
# w # write changes
# mkswap -L swap <part>
# swapDevices = [
# {
# label = "swap";
# # TODO: randomEncryption.enable = true;
# }
# ];
}
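Review bot: the two media directories under `environment.persistence."/nix/persist/ext/persist"` are created with `mode = "0777"`, world-writable and without a sticky bit, so any local user or compromised service account can replace or delete files in `Videos` and `freeleech`; `0775` with the consuming services added to the owning `users` group (or a dedicated media group) gives the same sharing without the exposure. The `/tmp` option `"mode=777"` has the same sticky-bit problem as on the other hosts and should be `"mode=1777"`. If the commented swap partition is ever enabled, the `TODO: randomEncryption.enable = true` should land with it: unencrypted swap on this host can write decrypted sops secrets and service memory to disk.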

View File

@@ -1,4 +1,4 @@
{ config, pkgs, secrets, ... }: { config, pkgs, ... }:
{ {
networking.domain = "uninsane.org"; networking.domain = "uninsane.org";
@@ -13,17 +13,21 @@
# networking.firewall.enable = false; # networking.firewall.enable = false;
networking.firewall.enable = true; networking.firewall.enable = true;
# TODO: split these into the submodules
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
25 # SMTP 25 # SMTP
80 # HTTP 80 # HTTP
143 # IMAP 143 # IMAP
443 # HTTPS 443 # HTTPS
465 # SMTPS (maybe not required?) 465 # SMTPS
587 # SMTPS/submission (maybe not required?) 587 # SMTPS/submission
993 # IMAPS 993 # IMAPS
4001 # IPFS
];
networking.firewall.allowedUDPPorts = [
1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
4001 # IPFS
]; ];
# DLNA ports: https://jellyfin.org/docs/general/networking/index.html
networking.firewall.allowedUDPPorts = [ 1900 7359 ];
# we need to use externally-visible nameservers in order for VPNs to be able to resolve hosts. # we need to use externally-visible nameservers in order for VPNs to be able to resolve hosts.
networking.nameservers = [ networking.nameservers = [
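Review bot: the `# TODO: split these into the submodules` comment points the right way: `networking.firewall.allowedTCPPorts` and `allowedUDPPorts` are list options merged across modules, so each service file can own its ports (as `hosts/servo/services/ejabberd.nix` does for 5222/5269), and the 4001 IPFS entries added here belong in `ipfs.nix`, where they disappear automatically if the service is disabled. The old `(maybe not required?)` on 465 and 587 is removed without being answered; a comment naming the postfix listener that serves each port would settle it.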
@@ -35,7 +39,7 @@
# DOCS: https://nixos.wiki/wiki/WireGuard # DOCS: https://nixos.wiki/wiki/WireGuard
networking.wireguard.enable = true; networking.wireguard.enable = true;
networking.wireguard.interfaces.wg0 = { networking.wireguard.interfaces.wg0 = {
privateKey = secrets.wireguard.privateKey; privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
# wg is active only in this namespace. # wg is active only in this namespace.
# run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg> # run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
# sudo ip netns exec ovpns ping www.google.com # sudo ip netns exec ovpns ping www.google.com
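Review bot: replacing `privateKey = secrets.wireguard.privateKey` with `privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path` is the important change in this hunk: a value interpolated at evaluation time ends up in the generated unit or script in `/nix/store`, readable by every user on the host, whereas the sops path is decrypted at activation into a root-owned file. Since the first hunk drops `secrets` from the module arguments, check that no other `secrets.*` reference survives elsewhere in the file.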
@@ -87,6 +91,10 @@
}; };
}; };
sops.secrets."wg_ovpns_privkey" = {
sopsFile = ../../secrets/servo.yaml;
};
# HURRICANE ELECTRIC CONFIG: # HURRICANE ELECTRIC CONFIG:
# networking.sits = { # networking.sits = {
# hurricane = { # hurricane = {

View File

@@ -0,0 +1,32 @@
{ config, pkgs, ... }:
{
systemd.services.ddns-he = {
description = "update dynamic DNS entries for HurricaneElectric";
serviceConfig = {
EnvironmentFile = config.sops.secrets.ddns_he.path;
# TODO: ProtectSystem = "strict";
# TODO: ProtectHome = "full";
# TODO: PrivateTmp = true;
};
# HE DDNS API is documented: https://dns.he.net/docs.html
script = let
crl = "${pkgs.curl}/bin/curl -4";
in ''
${crl} "https://he.uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=he.uninsane.org"
${crl} "https://native.uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=native.uninsane.org"
${crl} "https://uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=uninsane.org"
'';
};
systemd.timers.ddns-he = {
wantedBy = [ "multi-user.target" ];
timerConfig = {
OnStartupSec = "2min";
OnUnitActiveSec = "10min";
};
};
sops.secrets."ddns_he" = {
sopsFile = ../../../secrets/servo.yaml;
};
}
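Review bot: `$HE_PASSPHRASE` is interpolated into the URL on the `curl` command line, so for the duration of each request the credential is visible in `/proc/<pid>/cmdline` (`ps`) to every user and process on the host; pass it through a curl config file (`-K`) or `--netrc-file` generated from the sops secret instead, both of which keep it off argv. The three `TODO` hardening directives (`ProtectSystem`, `ProtectHome`, `PrivateTmp`) are cheap to enable now, and `DynamicUser = true` would fit a unit whose only needs are network access and the `EnvironmentFile`. The timer has no `Persistent` setting, which is fine since `OnStartupSec` covers the reboot case.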

View File

@@ -0,0 +1,21 @@
{ ... }:
{
imports = [
./ddns-he.nix
./ejabberd.nix
./freshrss.nix
./gitea.nix
./goaccess.nix
./ipfs.nix
./jackett.nix
./jellyfin.nix
./matrix
./navidrome.nix
./nginx.nix
./pleroma.nix
./postfix.nix
./postgres.nix
./prosody.nix
./transmission.nix
];
}
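Review bot: `./ejabberd.nix` and `./prosody.nix` are both imported, and ejabberd.nix (below) has its `lib.mkIf false` guard commented out while leaving `services.ejabberd.enable = true` and ports 5222/5269 open; if prosody binds the same XMPP ports the two services will race for them at boot. Gate one behind an option or remove the disabled import from this list rather than relying on a comment.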

View File

@@ -0,0 +1,48 @@
# docs:
# - <https://docs.ejabberd.im/admin/configuration/basic>
{ lib, ... }:
# XXX disabled: fails to start because of `mnesia_tm` dependency
# lib.mkIf false
{
sane.impermanence.service-dirs = [
{ user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
];
networking.firewall.allowedTCPPorts = [
5222 # XMPP client -> server
5269 # XMPP server -> server
];
# provide access to certs
users.users.ejabberd.extraGroups = [ "nginx" ];
# TODO: allocate UIDs/GIDs ?
services.ejabberd.enable = true;
services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
hosts:
- uninsane.org
# none | emergency | alert | critical | error | warning | notice | info | debug
loglevel: debug
acme:
auto: false
certfiles:
- /var/lib/acme/uninsane.org/fullchain.pem
- /var/lib/acme/uninsane.org/key.pem
pam_userinfotype: jid
# see: <https://docs.ejabberd.im/admin/configuration/listen/>
# TODO: host web admin panel
listen:
-
port: 5222
module: ejabberd_c2s
starttls: true
-
port: 5269
module: ejabberd_s2s_in
starttls: true
'';
}
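Review bot: the header says the module is disabled, but the `lib.mkIf false` guard is commented out, so everything here is live: `services.ejabberd.enable = true`, the firewall ports, and `users.users.ejabberd.extraGroups = [ "nginx" ]`. That group grant gives ejabberd read access to everything the nginx group can read, not just one certificate; the narrower route is to give the ACME certificate its own group via `security.acme.certs.<name>.group` and add ejabberd to that. `loglevel: debug` should not ship on a production host either, since ejabberd's debug output can include stanza contents (message bodies and presence); `info` or `notice` is the sane default. The `TODO: allocate UIDs/GIDs` should be resolved before the impermanence `service-dirs` entry persists `/var/lib/ejabberd`, otherwise a uid change across reinstalls leaves the persisted directory owned by a stale id.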

View File

@@ -0,0 +1,52 @@
# import feeds with e.g.
# ```console
# $ nix build '.#nixpkgs.freshrss'
# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --filename /home/colin/.config/newsflashFeeds.opml
# ```
#
# export feeds with
# ```console
# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/export-opml-for-user.php --user admin
# ```
{ config, lib, pkgs, ... }:
{
sops.secrets.freshrss_passwd = {
sopsFile = ../../../secrets/servo.yaml;
owner = config.users.users.freshrss.name;
mode = "400";
};
sane.impermanence.service-dirs = [
{ user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
];
users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
services.freshrss.enable = true;
services.freshrss.baseUrl = "https://rss.uninsane.org";
services.freshrss.virtualHost = "rss.uninsane.org";
services.freshrss.passwordFile = config.sops.secrets.freshrss_passwd.path;
systemd.services.freshrss-import-feeds =
let
fresh = config.systemd.services.freshrss-config;
feeds = import ../../../modules/home-manager/feeds.nix { inherit lib; };
opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
in {
inherit (fresh) wantedBy environment;
serviceConfig = {
inherit (fresh.serviceConfig) Type User Group StateDirectory WorkingDirectory
# hardening options
CapabilityBoundingSet DeviceAllow LockPersonality NoNewPrivileges PrivateDevices PrivateTmp PrivateUsers ProcSubset ProtectClock ProtectControlGroups ProtectHome ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables ProtectProc ProtectSystem RemoveIPC RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallArchitectures SystemCallFilter UMask;
};
description = "import sane RSS feed list";
after = [ "freshrss-config.service" ];
script = ''
${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
'';
};
# the default ("*:0/5") is to run every 5 minutes.
# `systemctl list-timers` to show
systemd.services.freshrss-updater.startAt = lib.mkForce "*:3/30";
}
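Review bot: `after = [ "freshrss-config.service" ]` on the new `freshrss-import-feeds` unit only orders it; nothing pulls freshrss-config in or makes the import depend on its success, so if freshrss-config fails the import still runs against an unconfigured instance. Add `requires = [ "freshrss-config.service" ]` next to `after`. Inheriting the hardening keys from `fresh.serviceConfig` is a good pattern; a one-line comment noting that the list must be kept in sync with the upstream module would help the next reader.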

View File

@@ -1,6 +1,11 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
];
users.groups.gitea.gid = config.sane.allocations.gitea-gid;
services.gitea.enable = true; services.gitea.enable = true;
services.gitea.user = "git"; # default is 'gitea' services.gitea.user = "git"; # default is 'gitea'
services.gitea.database.type = "postgres"; services.gitea.database.type = "postgres";
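Review bot: the new `sane.impermanence.service-dirs` entry for `/var/lib/gitea` leaves `# TODO: mode?` open while giving the directory owner `git` and group `gitea`. Since the persisted copy is what survives every reboot, resolve the TODO before merge by setting an explicit restrictive mode (if the impermanence module supports a mode field) rather than relying on whatever default it applies.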
@@ -8,7 +13,7 @@
services.gitea.appName = "Perfectly Sane Git"; services.gitea.appName = "Perfectly Sane Git";
services.gitea.domain = "git.uninsane.org"; services.gitea.domain = "git.uninsane.org";
services.gitea.rootUrl = "https://git.uninsane.org/"; services.gitea.rootUrl = "https://git.uninsane.org/";
services.gitea.cookieSecure = true; services.gitea.settings.session.COOKIE_SECURE = true;
# services.gitea.disableRegistration = true; # services.gitea.disableRegistration = true;
services.gitea.settings = { services.gitea.settings = {
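Review bot: `# services.gitea.disableRegistration = true;` stays commented out while the cookie option is migrated to `services.gitea.settings.session.COOKIE_SECURE`, so open self-registration remains enabled on git.uninsane.org. If that is unintended, migrate it the same way: `services.gitea.settings.service.DISABLE_REGISTRATION = true;`.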
@@ -55,7 +60,7 @@
}; };
}; };
# options: "Trace", "Debug", "Info", "Warn", "Error", "Critical" # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
services.gitea.log.level = "Info"; services.gitea.settings.log.LEVEL = "Warn";
systemd.services.gitea.serviceConfig = { systemd.services.gitea.serviceConfig = {
# nix default is AF_UNIX AF_INET AF_INET6. # nix default is AF_UNIX AF_INET AF_INET6.
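Review bot: raising `services.gitea.settings.log.LEVEL` from `Info` to `Warn` drops everything below Warn, which includes the routine request records that are the first thing consulted when reviewing account activity after an incident. If the goal is only less journal noise, say so in the comment above it, or keep `Info` and rely on the journal's own retention.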

View File

@@ -0,0 +1,45 @@
{ pkgs, ... }:
{
# based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
# log-format setting can be derived with this tool if custom:
# - <https://github.com/stockrt/nginx2goaccess>
# config options:
# - <https://github.com/allinurl/goaccess/blob/master/config/goaccess.conf>
systemd.services.goaccess = {
description = "GoAccess server monitoring";
serviceConfig = {
ExecStart = ''
${pkgs.goaccess}/bin/goaccess \
-f /var/log/nginx/public.log \
--log-format=VCOMBINED \
--real-time-html \
--html-refresh=30 \
--no-query-string \
--anonymize-ip \
--ignore-panel=HOSTS \
--ws-url=wss://sink.uninsane.org:443/ws \
--port=7890 \
-o /var/lib/uninsane/sink/index.html
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Type = "simple";
Restart = "on-failure";
# hardening
WorkingDirectory = "/tmp";
NoNewPrivileges = true;
PrivateTmp = true;
ProtectHome = "read-only";
ProtectSystem = "strict";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
ReadOnlyPaths = "/";
ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
PrivateDevices = "yes";
ProtectKernelModules = "yes";
ProtectKernelTunables = "yes";
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
}
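Review bot: the goaccess unit has no `User=` or `DynamicUser=` in `serviceConfig`, so despite the hardening block it runs as root while parsing `/var/log/nginx/public.log` and writing `/var/lib/uninsane/sink/index.html`. Add `DynamicUser = true;` (with `SupplementaryGroups` giving read access to the nginx log) or a dedicated user. With that in place, `ReadWritePaths = [ "/proc/self" ... ]` deserves a second look, since `/proc/self` is not normally needed, and `ProtectHome = "read-only"` can become `true` because nothing under /home is referenced.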

View File

@@ -0,0 +1,69 @@
# admin:
# - view stats:
# - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ stats bw
# - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ stats dht
# - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ bitswap stat
# - number of open peer connections:
# - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ swarm peers | wc -l
{ ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
];
# services.ipfs.enable = true;
services.kubo.localDiscovery = true;
services.kubo.settings = {
Addresses = {
Announce = [
# "/dns4/ipfs.uninsane.org/tcp/4001"
"/dns4/ipfs.uninsane.org/udp/4001/quic"
];
Swarm = [
# "/dns4/ipfs.uninsane.org/tcp/4001"
# "/ip4/0.0.0.0/tcp/4001"
"/dns4/ipfs.uninsane.org/udp/4001/quic"
"/ip4/0.0.0.0/udp/4001/quic"
];
};
Gateway = {
# the gateway can only be used to serve content already replicated on this host
NoFetch = true;
};
Swarm = {
ConnMgr = {
# maintain between LowWater and HighWater peer connections
# taken from: https://github.com/ipfs/ipfs-desktop/pull/2055
# defaults are 600-900: https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmconnmgr
LowWater = 20;
HighWater = 40;
# default is 20s. i guess more grace period = less churn
GracePeriod = "1m";
};
ResourceMgr = {
# docs: https://github.com/libp2p/go-libp2p-resource-manager#resource-scopes
Enabled = true;
Limits = {
System = {
Conns = 196;
ConnsInbound = 128;
ConnsOutbound = 128;
FD = 512;
Memory = 1073741824; # 1GiB
Streams = 1536;
StreamsInbound = 1024;
StreamsOutbound = 1024;
};
};
};
Transports = {
Network = {
# disable TCP, force QUIC, for lighter resources
TCP = false;
QUIC = true;
};
};
};
};
}
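Review bot: nothing in this file enables the daemon: `services.ipfs.enable` is commented out and no `services.kubo.enable = true;` appears alongside the `services.kubo.*` settings, so unless it is set elsewhere the connection limits and the `NoFetch` gateway configured here never take effect. Separately, the persisted directory uses a hard-coded `user = "261"; group = "261"` while the other services use `config.sane.allocations.*`; a fixed allocation keeps `/var/lib/ipfs` ownership stable across rebuilds.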

View File

@@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }: { ... }:
{ {
sane.impermanence.service-dirs = [
# TODO: mode? we only need this to save Indexer creds ==> migrate to config?
{ user = "root"; group = "root"; directory = "/var/lib/jackett"; }
];
services.jackett.enable = true; services.jackett.enable = true;
systemd.services.jackett.after = ["wg0veth.service"]; systemd.services.jackett.after = ["wg0veth.service"];
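Review bot: `/var/lib/jackett` is persisted as `root:root` although the comment says the directory exists only to keep Indexer credentials; if the jackett service runs as its own user it either cannot write there or the directory is broader than needed. Persist it under the service's user and group with a restrictive mode, and the TODO about migrating the credentials to config is worth pursuing with sops, as freshrss and pleroma do in this same change.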

View File

@@ -0,0 +1,14 @@
{ config, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
];
# users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
# users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
# TODO: re-enable after migrating media dir to /var/lib/uninsane/media
# else it's too spammy
# services.jellyfin.enable = true;
}
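Review bot: the `users.users.jellyfin.uid` and `users.groups.jellyfin.gid` allocation lines are commented out while `/var/lib/jellyfin` is persisted under `user = "jellyfin"`. Without a fixed uid, the numeric owner of the persisted directory can drift from the uid the user receives on a rebuilt root, which is exactly what the `sane.allocations` mechanism used elsewhere in this change avoids. Enable those two lines together with the service when it is re-enabled.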

View File

@@ -0,0 +1,85 @@
# docs: https://nixos.wiki/wiki/Matrix
# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
{ config, lib, ... }:
{
imports = [
./discord-puppet.nix
# ./irc.nix
];
sane.impermanence.service-dirs = [
{ user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
];
services.matrix-synapse.enable = true;
services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
services.matrix-synapse.settings.server_name = "uninsane.org";
# services.matrix-synapse.enable_registration_captcha = true;
# services.matrix-synapse.enable_registration_without_verification = true;
services.matrix-synapse.settings.enable_registration = true;
# services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
# default for listeners is port = 8448, tls = true, x_forwarded = false.
# we change this because the server is situated behind nginx.
services.matrix-synapse.settings.listeners = [
{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
services.matrix-synapse.extraConfigFiles = [
config.sops.secrets.matrix_synapse_secrets.path
];
# services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
# admin_contact: "admin.matrix@uninsane.org"
# registrations_require_3pid:
# - email
# email:
# smtp_host: "mx.uninsane.org"
# smtp_port: 587
# smtp_user: "matrix-synapse"
# smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
# require_transport_security: true
# enable_tls: true
# notif_from: "%(app)s <notify.matrix@uninsane.org>"
# app_name: "Uninsane Matrix"
# enable_notifs: true
# validation_token_lifetime: 96h
# invite_client_location: "https://web.matrix.uninsane.org"
# subjects:
# email_validation: "[%(server_name)s] Validate your email"
# ''];
# new users may be registered on the CLI:
# register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
#
# or provide an registration token then can use to register through the client.
# docs: https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/admin_api/registration_tokens.md
# first, grab your own user's access token (Help & About section in Element). then:
# curl --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens
# create a token with unlimited uses:
# curl -d '{}' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
# create a token with limited uses:
# curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
sops.secrets.matrix_synapse_secrets = {
sopsFile = ../../../../secrets/servo.yaml;
owner = config.users.users.matrix-synapse.name;
};
}
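Review bot: `services.matrix-synapse.settings.enable_registration = true` with `enable_registration_captcha` commented out leaves the homeserver open to self-registration gated only by email verification (`registrations_require_3pid = [ "email" ]`). The file's own comments already describe registration tokens; wiring them in with `settings.registration_requires_token = true` would require a token issued through the admin API calls shown in the comments. Also, the `register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml` comment pins a store hash that changes on every rebuild; the comment should describe how to find the current path rather than quote one.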

View File

@@ -0,0 +1,52 @@
{ lib, ... }:
{
sane.impermanence.service-dirs = [
{ user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
];
services.matrix-synapse.settings.app_service_config_files = [
# auto-created by mx-puppet-discord service
"/var/lib/mx-puppet-discord/discord-registration.yaml"
];
services.mx-puppet-discord.enable = true;
# schema/example: <https://gitlab.com/mx-puppet/discord/mx-puppet-discord/-/blob/main/sample.config.yaml>
services.mx-puppet-discord.settings = {
bridge = {
# port = 8434
bindAddress = "127.0.0.1";
domain = "uninsane.org";
homeserverUrl = "http://127.0.0.1:8008";
# displayName = "mx-discord-puppet"; # matrix name for the bot
# matrix "groups" were an earlier version of spaces.
# maybe the puppet understands this, maybe not?
enableGroupSync = false;
};
presence = {
enabled = false;
interval = 30000;
};
provisioning = {
# allow these users to control the puppet
whitelist = [ "@colin:uninsane\\.org" ];
};
relay = {
whitelist = [ "@colin:uninsane\\.org" ];
};
selfService = {
# who's allowed to use plumbed rooms (idk what that means)
whitelist = [ "@colin:uninsane\\.org" ];
};
logging = {
# silly, debug, verbose, info, warn, error
console = "debug";
};
};
systemd.services.mx-puppet-discord.serviceConfig = {
# fix up to not use /var/lib/private, but just /var/lib
DynamicUser = lib.mkForce false;
User = "matrix-synapse";
Group = "matrix-synapse";
};
}
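Review bot: forcing `DynamicUser = lib.mkForce false` and running the bridge as `User = "matrix-synapse"` gives the Discord puppet the same filesystem identity as the homeserver, including `/var/lib/matrix-synapse` persisted earlier in this change, so a compromise of the bridge reaches synapse's state. Keep a dedicated user for mx-puppet-discord and make only `discord-registration.yaml` readable by synapse (for example via a shared group), rather than sharing the whole identity. `logging.console = "debug"` is also verbose for a process relaying chat content; `info` is a better steady state.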

View File

@@ -0,0 +1,97 @@
{ config, lib, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode?
# user and group are both "matrix-appservice-irc"
{ user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
];
services.matrix-synapse.settings.app_service_config_files = [
"/var/lib/matrix-appservice-irc/registration.yml" # auto-created by irc appservice
];
# note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
# Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
services.matrix-appservice-irc.enable = true;
services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
# settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
services.matrix-appservice-irc.settings = {
homeserver = {
url = "http://127.0.0.1:8008";
dropMatrixMessagesAfterSecs = 300;
domain = "uninsane.org";
enablePresence = true;
bindPort = 9999;
bindHost = "127.0.0.1";
};
ircService = {
servers = {
"irc.rizon.net" = {
name = "Rizon";
port = 6697; # SSL port
ssl = true;
sasl = true; # appservice doesn't support NickServ identification
botConfig = {
# bot has no presence in IRC channel; only real Matrix users
enabled = false;
# nick = "UninsaneDotOrg";
nick = "uninsane";
username = "uninsane";
};
dynamicChannels = {
enabled = true;
aliasTemplate = "#irc_rizon_$CHANNEL";
};
ircClients = {
nickTemplate = "$LOCALPARTsane";
# by default, Matrix will convert messages greater than (3) lines into a pastebin-like URL to send to IRC.
lineLimit = 20;
};
matrixClients = {
userTemplate = "@irc_rizon_$NICK"; # the :uninsane.org part is appended automatically
};
# this will let this user message the appservice with `!join #<IRCChannel>` and the rest "Just Works"
"@colin:uninsane.org" = "admin";
membershipLists = {
enabled = true;
global = {
ircToMatrix = {
initial = true;
incremental = true;
requireMatrixJoined = false;
};
matrixToIrc = {
initial = true;
incremental = true;
};
};
};
# sync room description?
bridgeInfoState = {
enabled = true;
initial = true;
};
# hardcoded mappings, for when dynamicChannels fails us. TODO: probably safe to remove these.
# mappings = {
# "#chat" = {
# roomIds = [ "!GXJSOTdbtxRboGtDep:uninsane.org" ];
# };
# # BakaBT requires account registration, which i think means my user needs to be added before the appservice user
# "#BakaBT" = {
# roomIds = [ "!feZKttuYuHilqPFSkD:uninsane.org" ];
# };
# };
# for per-user IRC password:
# invite @irc_rizon_NickServ:uninsane.org to a DM and type `help` => register
# invite the matrix-appservice-irc user to a DM and type `!help` => add PW to database
# passwordEncryptionKeyPath = "/path/to/privkey"; # appservice will generate its own if unspecified
};
};
};
};
}
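Review bot: this file hard-codes `user = "993"; group = "992"` for `/var/lib/matrix-appservice-irc` even though the comment says both should be `matrix-appservice-irc`; those numbers were assigned dynamically by NixOS and are not guaranteed stable, so the persisted directory can end up owned by an unrelated uid after a rebuild. Use a fixed `config.sane.allocations.*` uid/gid as the other services do. Note the file is still `# ./irc.nix` (commented out) in the synapse imports, so none of this is active yet; when it is enabled, check that the key the service generates for `passwordEncryptionKeyPath` lands inside the persisted directory, otherwise the stored per-user IRC passwords become unreadable after a reboot.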

View File

@@ -0,0 +1,27 @@
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it
# from the message text.
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
# default log level: INFO
root:
level: WARN
handlers: [journal]
disable_existing_loggers: False
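Review bot: `root: level: WARN` suppresses everything below WARN from every synapse logger, including the INFO-level request logging that is the primary record of who authenticated or registered and when. If journal volume is the concern, keep root at WARN but add a `loggers:` section that raises the specific loggers wanted for audit back to INFO, and adjust the `# default log level: INFO` comment so it states that WARN is the deliberate choice here.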

View File

@@ -0,0 +1,17 @@
{ ... }:
{
sane.impermanence.service-dirs = [
{ user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
];
services.navidrome.enable = true;
services.navidrome.settings = {
# docs: https://www.navidrome.org/docs/usage/configuration-options/
Address = "127.0.0.1";
Port = 4533;
MusicFolder = "/var/lib/uninsane/media/Music";
CovertArtPriority = "*.jpg, *.JPG, *.png, *.PNG, embedded";
AutoImportPlaylists = false;
ScanSchedule = "@every 1h";
};
}
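Review bot: `CovertArtPriority` is misspelled; Navidrome's option is `CoverArtPriority`, so this key is silently ignored and the default cover-art lookup order stays in effect. Rename it. Binding `Address = "127.0.0.1"` is right for the nginx proxy in front of it.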

View File

@@ -1,14 +1,54 @@
# docs: https://nixos.wiki/wiki/Nginx # docs: https://nixos.wiki/wiki/Nginx
{ config, pkgs, ... }: { config, pkgs, ... }:
let
# make the logs for this host "public" so that they show up in e.g. metrics
publog = vhost: vhost // {
extraConfig = (vhost.extraConfig or "") + ''
access_log /var/log/nginx/public.log vcombined;
'';
};
kTLS = true; # in-kernel TLS for better perf
in
{ {
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.appendConfig = ''
# use 1 process per core.
# may want to increase worker_connections too, but `ulimit -n` must be increased first.
worker_processes auto;
'';
# this is the standard `combined` log format, with the addition of $host
# so that we have the virtualHost in the log.
# KEEP IN SYNC WITH GOACCESS
# goaccess calls this VCOMBINED:
# - <https://gist.github.com/jyap808/10570005>
services.nginx.commonHttpConfig = ''
log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
access_log /var/log/nginx/private.log vcombined;
'';
# sets gzip_comp_level = 5
services.nginx.recommendedGzipSettings = true;
# enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
# caches TLS sessions for 10m
services.nginx.recommendedTlsSettings = true;
# enables sendfile, tcp_nopush, tcp_nodelay, keepalive_timeout 65
services.nginx.recommendedOptimisation = true;
# web blog/personal site # web blog/personal site
services.nginx.virtualHosts."uninsane.org" = { services.nginx.virtualHosts."uninsane.org" = publog {
root = "/opt/uninsane/root"; root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
addSSL = true; # a lot of places hardcode https://uninsane.org,
# and then when we mix http + non-https, we get CORS violations
# and things don't look right. so force SSL.
forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
# uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
# yes, nginx does not strip the prefix when evaluating against the root.
locations."/share".root = "/var/lib/uninsane/root";
# allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig =
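Review bot: the `log_format vcombined` line uses `$http_referrer`, but nginx derives `$http_<name>` variables from the request header name and the HTTP header is spelled `Referer`, so the referrer field will always be `-` in both private.log and public.log, and therefore in goaccess. Change it to `$http_referer`, matching the standard `combined` format. The `KEEP IN SYNC WITH GOACCESS` comment is the right place to add that the field order must match `--log-format=VCOMBINED` in goaccess.nix.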
@@ -50,10 +90,32 @@
# }; # };
}; };
# Pleroma server and web interface # server statistics
services.nginx.virtualHosts."fed.uninsane.org" = { services.nginx.virtualHosts."sink.uninsane.org" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
root = "/var/lib/uninsane/sink";
locations."/ws" = {
proxyPass = "http://127.0.0.1:7890";
# XXX not sure how much of this is necessary
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_read_timeout 7d;
'';
};
};
# Pleroma server and web interface
services.nginx.virtualHosts."fed.uninsane.org" = publog {
forceSSL = true; # pleroma redirects to https anyway
enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:4000"; proxyPass = "http://127.0.0.1:4000";
# documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
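Review bot: `sink.uninsane.org` exposes the goaccess report and its `/ws` stream with no authentication and only `addSSL`, so the visitor statistics are readable by anyone, over plain HTTP as well as HTTPS (the `--anonymize-ip` flag in goaccess.nix limits what is shown, but not who can see it). If the report is not meant to be public, add `basicAuth` as the transmission vhost below does and switch to `forceSSL`. The `proxy_set_header Connection $connection_upgrade` line relies on the upgrade map the NixOS nginx module defines, which is fine, and `proxy_read_timeout 7d` is reasonable for a long-lived websocket.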
@@ -95,6 +157,7 @@
# basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9091"; # proxyPass = "http://ovpns.uninsane.org:9091";
proxyPass = "http://10.0.1.6:9091"; proxyPass = "http://10.0.1.6:9091";
@@ -105,6 +168,7 @@
services.nginx.virtualHosts."jackett.uninsane.org" = { services.nginx.virtualHosts."jackett.uninsane.org" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9117"; # proxyPass = "http://ovpns.uninsane.org:9117";
proxyPass = "http://10.0.1.6:9117"; proxyPass = "http://10.0.1.6:9117";
@@ -112,9 +176,10 @@
}; };
# matrix chat server # matrix chat server
services.nginx.virtualHosts."matrix.uninsane.org" = { services.nginx.virtualHosts."matrix.uninsane.org" = publog {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
# TODO colin: replace this with something helpful to the viewer # TODO colin: replace this with something helpful to the viewer
# locations."/".extraConfig = '' # locations."/".extraConfig = ''
@@ -141,6 +206,7 @@
services.nginx.virtualHosts."web.matrix.uninsane.org" = { services.nginx.virtualHosts."web.matrix.uninsane.org" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
root = pkgs.element-web.override { root = pkgs.element-web.override {
conf = { conf = {
@@ -153,9 +219,10 @@
}; };
# hosted git (web view and for `git <cmd>` use # hosted git (web view and for `git <cmd>` use
services.nginx.virtualHosts."git.uninsane.org" = { services.nginx.virtualHosts."git.uninsane.org" = publog {
addSSL = true; forceSSL = true; # gitea complains if served over a different protocol than its config file says
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:3000"; proxyPass = "http://127.0.0.1:3000";
@@ -167,6 +234,7 @@
services.nginx.virtualHosts."jelly.uninsane.org" = { services.nginx.virtualHosts."jelly.uninsane.org" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:8096";
@@ -210,6 +278,38 @@
}; };
}; };
services.nginx.virtualHosts."music.uninsane.org" = {
forceSSL = true;
enableACME = true;
inherit kTLS;
locations."/".proxyPass = "http://127.0.0.1:4533";
};
services.nginx.virtualHosts."rss.uninsane.org" = {
addSSL = true;
enableACME = true;
inherit kTLS;
# the routing is handled by freshrss.nix
};
services.nginx.virtualHosts."ipfs.uninsane.org" = {
# don't default to ssl upgrades, since this may be dnslink'd from a different domain.
# ideally we'd disable ssl entirely, but some places assume it?
addSSL = true;
enableACME = true;
inherit kTLS;
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Ipfs-Gateway-Prefix "";
'';
};
};
# exists only to manage certs for dovecot # exists only to manage certs for dovecot
services.nginx.virtualHosts."imap.uninsane.org" = { services.nginx.virtualHosts."imap.uninsane.org" = {
forceSSL = true; forceSSL = true;
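Review bot: `rss.uninsane.org` uses `addSSL` although FreshRSS is a credentialed application whose `baseUrl` is `https://rss.uninsane.org` in freshrss.nix; use `forceSSL` so a login never travels over plain HTTP, as `music.uninsane.org` already does. For `ipfs.uninsane.org`, `default = true` makes the gateway the catch-all for every Host name not matched by another vhost, and `proxy_set_header Host $host` forwards that arbitrary name to kubo; given the dnslink comment this may be deliberate, but it should be stated in the comment, since it also means requests for unknown hostnames all land on the gateway.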
@@ -223,6 +323,7 @@
services.nginx.virtualHosts."nixcache.uninsane.org" = { services.nginx.virtualHosts."nixcache.uninsane.org" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
# serverAliases = [ "nixcache" ]; # serverAliases = [ "nixcache" ];
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port}; proxy_pass http://localhost:${toString config.services.nix-serve.port};
@@ -234,4 +335,11 @@
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "admin.acme@uninsane.org"; security.acme.defaults.email = "admin.acme@uninsane.org";
users.users.acme.uid = config.sane.allocations.acme-uid;
users.groups.acme.gid = config.sane.allocations.acme-gid;
sane.impermanence.service-dirs = [
# TODO: mode?
{ user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
];
} }

View File

@@ -1,22 +1,29 @@
# docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix # docs:
# - https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
# - https://docs.pleroma.social/backend/configuration/cheatsheet/
# #
# to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
{ config, pkgs, lib, secrets, ... }: { config, pkgs, ... }:
{ {
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
];
users.users.pleroma.uid = config.sane.allocations.pleroma-uid;
users.groups.pleroma.gid = config.sane.allocations.pleroma-gid;
services.pleroma.enable = true; services.pleroma.enable = true;
# TODO: we should write a config file somewhere outside the store... somehow. services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
services.pleroma.secretConfigFile = "/dev/null";
services.pleroma.configs = [ services.pleroma.configs = [
'' ''
import Config import Config
config :pleroma, Pleroma.Web.Endpoint, config :pleroma, Pleroma.Web.Endpoint,
url: [host: "fed.uninsane.org", scheme: "https", port: 443], url: [host: "fed.uninsane.org", scheme: "https", port: 443],
http: [ip: {127, 0, 0, 1}, port: 4000], http: [ip: {127, 0, 0, 1}, port: 4000]
secret_key_base: "${secrets.pleroma.secret_key_base}", # secret_key_base: "{secrets.pleroma.secret_key_base}",
signing_salt: "${secrets.pleroma.signing_salt}" # signing_salt: "{secrets.pleroma.signing_salt}"
config :pleroma, :instance, config :pleroma, :instance,
name: "Perfectly Sane", name: "Perfectly Sane",
description: "Single-user Pleroma instance", description: "Single-user Pleroma instance",
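Review bot: with `secret_key_base` and `signing_salt` removed from the inline `Pleroma.Web.Endpoint` config and `secretConfigFile` now pointing at the sops secret, the sops-managed file must itself carry a complete `config :pleroma, Pleroma.Web.Endpoint, secret_key_base: ..., signing_salt: ...` stanza, otherwise Pleroma starts without them. A comment next to `secretConfigFile` listing which keys the secret file is expected to provide (the Endpoint secrets here, plus the Repo password, VAPID keys and joken signer left as commented placeholders further down) would make the contract explicit.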
@@ -42,36 +49,40 @@
enabled: false, enabled: false,
redirect_on_failure: true redirect_on_failure: true
#base_url: "https://cache.pleroma.social" #base_url: "https://cache.pleroma.social"
# see for reference:
# - `force_custom_plan`: <https://docs.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans>
config :pleroma, Pleroma.Repo, config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres, adapter: Ecto.Adapters.Postgres,
username: "pleroma", username: "pleroma",
password: "${secrets.pleroma.db_password}",
database: "pleroma", database: "pleroma",
hostname: "localhost", hostname: "localhost",
pool_size: 10, pool_size: 10,
prepare: :named,
parameters: [ parameters: [
plan_cache_mode: "force_custom_plan" plan_cache_mode: "force_custom_plan"
] ]
# XXX: prepare: :named is needed only for PG <= 12
# prepare: :named,
# password: "{secrets.pleroma.db_password}",
# Configure web push notifications # Configure web push notifications
config :web_push_encryption, :vapid_details, config :web_push_encryption, :vapid_details,
subject: "mailto:notify.pleroma@uninsane.org", subject: "mailto:notify.pleroma@uninsane.org"
public_key: "${secrets.pleroma.vapid_public_key}", # public_key: "{secrets.pleroma.vapid_public_key}",
private_key: "${secrets.pleroma.vapid_private_key}" # private_key: "{secrets.pleroma.vapid_private_key}"
# config :joken, default_signer: "{secrets.pleroma.joken_default_signer}"
config :joken, default_signer: "${secrets.pleroma.joken_default_signer}"
config :pleroma, :database, rum_enabled: false config :pleroma, :database, rum_enabled: false
config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static" config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
config :pleroma, configurable_from_database: false config :pleroma, configurable_from_database: false
# strip metadata from uploaded images # strip metadata from uploaded images
config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool] config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation]
# TODO: GET /api/pleroma/captcha is broken # TODO: GET /api/pleroma/captcha is broken
# there was a nixpkgs PR to fix this around 2022/10 though.
config :pleroma, Pleroma.Captcha, config :pleroma, Pleroma.Captcha,
enabled: false, enabled: false,
method: Pleroma.Captcha.Native method: Pleroma.Captcha.Native
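Review bot: `Pleroma.Upload.Filter.Exiftool.StripLocation` removes only GPS/location tags, so the comment `# strip metadata from uploaded images` above it now overstates what happens; camera, timestamp and other EXIF fields remain in uploads. Either narrow the comment to match (the `# used by Pleroma to strip geo tags` comment in the `path` block is accurate) or, if full stripping is wanted, add `Pleroma.Upload.Filter.Mogrify` with `args: ["strip"]` alongside StripLocation.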
@@ -81,11 +92,11 @@
# Enable Strict-Transport-Security once SSL is working: # Enable Strict-Transport-Security once SSL is working:
config :pleroma, :http_security, config :pleroma, :http_security,
sts: true sts: true
# docs: https://docs.pleroma.social/backend/configuration/cheatsheet/#logger # docs: https://docs.pleroma.social/backend/configuration/cheatsheet/#logger
config :logger, config :logger,
backends: [{ExSyslogger, :ex_syslogger}] backends: [{ExSyslogger, :ex_syslogger}]
config :logger, :ex_syslogger, config :logger, :ex_syslogger,
level: :warn level: :warn
# level: :debug # level: :debug
@@ -104,9 +115,9 @@
systemd.services.pleroma.path = [ systemd.services.pleroma.path = [
# something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
pkgs.bash pkgs.bash
# used by Pleroma to strip geo tags from uploads # used by Pleroma to strip geo tags from uploads
pkgs.exiftool pkgs.exiftool
# i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
pkgs.gawk pkgs.gawk
# needed for email operations like password reset # needed for email operations like password reset
@@ -124,4 +135,9 @@
# PrivateTmp = lib.mkForce false; # PrivateTmp = lib.mkForce false;
# CapabilityBoundingSet = lib.mkForce "~"; # CapabilityBoundingSet = lib.mkForce "~";
# }; # };
sops.secrets.pleroma_secrets = {
sopsFile = ../../../secrets/servo.yaml;
owner = config.users.users.pleroma.name;
};
} }

View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, secrets, ... }: { config, lib, ... }:
let let
submissionOptions = { submissionOptions = {
@@ -16,6 +16,15 @@ let
}; };
in in
{ {
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
{ user = "root"; group = "root"; directory = "/var/lib/postfix"; }
{ user = "root"; group = "root"; directory = "/var/spool/mail"; }
# *probably* don't need these dirs:
# "/var/lib/dhparams" # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
# "/var/lib/dovecot"
];
services.postfix.enable = true; services.postfix.enable = true;
services.postfix.hostname = "mx.uninsane.org"; services.postfix.hostname = "mx.uninsane.org";
services.postfix.origin = "uninsane.org"; services.postfix.origin = "uninsane.org";
@@ -82,10 +91,7 @@ in
services.dovecot2.enablePAM = false; services.dovecot2.enablePAM = false;
services.dovecot2.extraConfig = services.dovecot2.extraConfig =
let let
passwdFile = builtins.toFile "dovecot-passwd-file" '' passwdFile = config.sops.secrets.dovecot_passwd.path;
colin:${secrets.dovecot.hashedPasswd.colin}:1000:1000::/var/mail/colin/run/current-system/sw/bin/nologin:
matrix-synapse:${secrets.dovecot.hashedPasswd.matrix-synapse}:224:224::/var/mail/colin:/run/current-system/sw/bin/nologin:
'';
in in
'' ''
passdb { passdb {
@@ -133,4 +139,11 @@ in
# pattern = "/^Subject:.*activate your account/"; # pattern = "/^Subject:.*activate your account/";
# } # }
]; ];
sops.secrets.dovecot_passwd = {
sopsFile = ../../../secrets/servo.yaml;
owner = config.users.users.dovecot2.name;
# TODO: debug why mail can't be sent without this being world-readable
mode = "0444";
};
} }
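Review bot: `mode = "0444"` makes the dovecot password file, which holds the user password hashes, readable by every local user, and the TODO above it admits the reason is unknown. Before merging, identify the process that fails without it (the journal will show the permission error against this path) and grant it access through the sops secret's `group` option with `mode = "0440"`, instead of opening the file world-wide.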

View File

@@ -1,8 +1,12 @@
{ config, pkgs, lib, ... }: { ... }:
{ {
sane.impermanence.service-dirs = [
# TODO: mode?
{ user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
];
services.postgresql.enable = true; services.postgresql.enable = true;
services.postgresql.dataDir = "/opt/postgresql/13"; # services.postgresql.dataDir = "/opt/postgresql/13";
# XXX colin: for a proper deploy, we'd want to include something for Pleroma here too. # XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
# services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' # services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
# CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '<password goes here>'; # CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '<password goes here>';
@@ -13,6 +17,11 @@
# LC_CTYPE = "C"; # LC_CTYPE = "C";
# ''; # '';
# TODO: perf tuning
# - for recommended values see: <https://pgtune.leopard.in.ua/>
# - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
# services.postgresql.settings = { ... }
# daily backups to /var/backup # daily backups to /var/backup
services.postgresqlBackup.enable = true; services.postgresqlBackup.enable = true;

View File

@@ -0,0 +1,62 @@
# create users with:
# - `sudo -u prosody prosodyctl adduser colin@uninsane.org`
{ lib, ... }:
# XXX disabled: doesn't send messages to nixnet.social (only receives them).
# nixnet runs ejabberd, so revisiting that.
lib.mkIf false
{
sane.impermanence.service-dirs = [
{ user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
];
networking.firewall.allowedTCPPorts = [
5222 # XMPP client -> server
5269 # XMPP server -> server
5280 # Prosody HTTP port (necessary?)
5281 # Prosody HTTPS port (necessary?)
];
# provide access to certs
users.users.prosody.extraGroups = [ "nginx" ];
security.acme.certs."uninsane.org".extraDomainNames = [
"conference.xmpp.uninsane.org"
"upload.xmpp.uninsane.org"
];
services.prosody = {
enable = true;
admins = [ "colin@uninsane.org" ];
# allowRegistration = false;
# extraConfig = ''
# s2s_require_encryption = true
# c2s_require_encryption = true
# '';
# extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
ssl.key = "/var/lib/acme/uninsane.org/key.pem";
muc = [
{
domain = "conference.xmpp.uninsane.org";
}
];
uploadHttp.domain = "upload.xmpp.uninsane.org";
virtualHosts = {
localhost = {
domain = "localhost";
enabled = true;
};
"uninsane.org" = {
domain = "uninsane.org";
enabled = true;
ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
ssl.key = "/var/lib/acme/uninsane.org/key.pem";
};
};
};
}
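Review bot: the whole file is gated by `lib.mkIf false`, so nothing here takes effect yet, but three things should be settled before it is switched on. The `extraConfig` carrying `s2s_require_encryption = true` / `c2s_require_encryption = true` is commented out, as is `allowRegistration = false;`; check what the module defaults to and state both explicitly so plaintext c2s/s2s and open registration cannot return by accident. `networking.firewall.allowedTCPPorts` opens 5280 (plain HTTP) with a "(necessary?)" note; with `uploadHttp.domain` served under ACME certificates, 5281 (HTTPS) should be enough and 5280 should stay closed unless something actually needs it. Lastly, `users.users.prosody.extraGroups = [ "nginx" ];` grants prosody everything the nginx group can read just to reach two ACME files; narrower is to add prosody to the certificate's own group (`security.acme.certs."uninsane.org".group`) or to have an ACME `postRun` copy the key into /var/lib/prosody with prosody ownership.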


@@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }: { ... }:
{ {
sane.impermanence.service-dirs = [
# TODO: mode? we need this specifically for the stats tracking in .config/
{ user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
];
services.transmission.enable = true; services.transmission.enable = true;
services.transmission.settings = { services.transmission.settings = {
rpc-bind-address = "0.0.0.0"; rpc-bind-address = "0.0.0.0";
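Review bot: the new `sane.impermanence.service-dirs` entry carries `# TODO: mode?`; /var/lib/transmission is where settings.json lives, and that is where RPC credentials end up, so the answer should be a non-world-readable mode (0750 for user transmission, group transmission) rather than whatever the default gives. It matters because the unchanged context shows `rpc-bind-address = "0.0.0.0";`, so RPC listens on every interface of the namespace it is placed in.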
@@ -14,6 +18,8 @@
rpc-whitelist-enabled = false; rpc-whitelist-enabled = false;
# download-dir = "/opt/uninsane/media/"; # download-dir = "/opt/uninsane/media/";
# hopefully, make the downloads world-readable
umask = 0;
# force peer connections to be encrypted # force peer connections to be encrypted
encryption = 2; encryption = 2;
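Review bot: `umask = 0;` does more than the comment "hopefully, make the downloads world-readable" intends: a zero umask leaves new files 0666 and new directories 0777, so anything on the host can modify or delete downloads, not merely read them. 022 gives world-readable, owner-writable; 002 if the group behind `downloadDirPermissions = "775"` needs write. Transmission's settings.json has historically taken umask as a decimal integer (18 for 022, 2 for 002), so check the value format against the deployed version. This also sits beside the unchanged `rpc-whitelist-enabled = false;`, which together with the 0.0.0.0 bind above means every host that can reach the namespace is a trusted RPC client.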
@@ -21,9 +27,15 @@
# units in kBps # units in kBps
speed-limit-down = 3000; speed-limit-down = 3000;
speed-limit-down-enabled = true; speed-limit-down-enabled = true;
speed-limit-up = 600; speed-limit-up = 300;
speed-limit-up-enabled = true; speed-limit-up-enabled = true;
# see: https://git.zknt.org/mirror/transmission/commit/cfce6e2e3a9b9d31a9dafedd0bdc8bf2cdb6e876?lang=bg-BG
anti-brute-force-enabled = false;
download-dir = "/var/lib/uninsane/media";
incomplete-dir = "/var/lib/uninsane/media/incomplete";
}; };
# transmission will by default not allow the world to read its files. # transmission will by default not allow the world to read its files.
services.transmission.downloadDirPermissions = "775"; services.transmission.downloadDirPermissions = "775";
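Review bot: `anti-brute-force-enabled = false;` removes the only throttle on RPC password guessing, on a daemon that already binds 0.0.0.0 with the whitelist off. The linked commit is given as the reason but the comment does not say what problem it caused; if the lockout was misfiring, raising `anti-brute-force-threshold` is preferable to disabling it, or at minimum restrict which addresses can reach the RPC port inside the ovpns namespace. Also, `download-dir = "/var/lib/uninsane/media"` replaces the bind mounts of /opt/uninsane/media onto /var/lib/transmission/Downloads from the deleted servo fs.nix; the duplicity excludes listed the old paths, so whatever replaced that file needs the new path excluded or the media tree will start being backed up.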
@@ -32,6 +44,7 @@
systemd.services.transmission.serviceConfig = { systemd.services.transmission.serviceConfig = {
# run this behind the OVPN static VPN # run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns"; NetworkNamespacePath = "/run/netns/ovpns";
LogLevelMax = "warning";
}; };
} }
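Review bot: `LogLevelMax = "warning";` filters everything below warning out of the journal for this unit; with brute-force protection disabled in the hunk above, rejected RPC logins are the one signal worth keeping, so check what level Transmission emits those at before applying the filter, and keep notice if that is where they land.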


@@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, ... }:
# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
{ {
@@ -12,6 +12,7 @@
home = "/var/lib/gitea"; home = "/var/lib/gitea";
useDefaultShell = true; useDefaultShell = true;
group = "gitea"; group = "gitea";
uid = config.sane.allocations.git-uid;
isSystemUser = true; isSystemUser = true;
# sendmail access (not 100% sure if this is necessary) # sendmail access (not 100% sure if this is necessary)
extraGroups = [ "postdrop" ]; extraGroups = [ "postdrop" ];
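Review bot: pinning `uid = config.sane.allocations.git-uid;` (994 in modules/allocations.nix) is the right move for a user whose home is kept across rebuilds, but the same hunk keeps `extraGroups = [ "postdrop" ];` with a "not 100% sure if this is necessary" comment. Postfix's sendmail/postdrop binaries are setgid postdrop precisely so callers do not need that group; try removing it so gitea holds no group it does not use. If the dynamically allocated uid on the existing deployment was not 994, /var/lib/gitea also needs a `chown -R` in the same change or the service loses access to its own repositories.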


@@ -1,21 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
fileSystems."/" = {
# boot by label instead of unpredictable uuid
device = "/dev/disk/by-label/nixos-img";
# make-disk-image only supports ext4
fsType = "ext4";
};
# fileSystems."/boot".device = "/dev/vda1";
fileSystems."/boot".device = "/dev/disk/by-label/ESP";
system.build.raw = import "${toString modulesPath}/../lib/make-disk-image.nix" {
inherit lib config pkgs;
partitionTableType = "efi";
label = "nixos-img";
fsType = config.fileSystems."/".fsType;
diskSize = "auto";
format = "raw";
};
}
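Review bot: this removes `system.build.raw` (make-disk-image with the `/dev/disk/by-label/nixos-img` root); modules/default.nix in this same change imports `./image.nix`, which is not shown here. Confirm the replacement keeps the EFI partition table and `diskSize = "auto"`, and carry over the comment that the root is chosen by label: any attached disk carrying that label wins, which is acceptable for an installer image but should stay documented.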


@@ -1,25 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./../../helpers/universal
./../../helpers/hardware-x86_64.nix
# ./../../helpers/gui/gnome.nix
#./../../helpers/gui/i3.nix
./../../helpers/gui/sway.nix
./fs.nix
];
home-manager.users.colin = import ./../../helpers/home-manager-gen-colin.nix {
inherit pkgs lib;
system = "x86_64-linux";
# gui = "gnome";
# gui = "i3";
gui = "sway";
extraPackages = [
pkgs.electrum
];
};
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
system.stateVersion = "21.05";
}


@@ -1,17 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/d969ee61-12cf-4490-be07-4440c7be593f";
fsType = "btrfs";
options = [
"compress=zstd"
"defaults"
];
};
fileSystems."/boot" = {
device = lib.mkDefault "/dev/disk/by-uuid/F826-6192";
fsType = "vfat";
};
}


@@ -1,18 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./../../helpers/universal
./../../helpers/hardware-x86_64.nix
./../../helpers/gui/gnome.nix
./fs.nix
];
home-manager.users.colin = import ./../../helpers/home-manager-gen-colin.nix {
inherit pkgs lib;
system = "x86_64-linux";
gui = "gnome";
};
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
system.stateVersion = "21.05";
}


@@ -1,17 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/75230e56-2c69-4e41-b03e-68475f119980";
fsType = "btrfs";
options = [
"compress=zstd"
"defaults"
];
};
fileSystems."/boot" = {
device = lib.mkDefault "/dev/disk/by-uuid/BD79-D6BB";
fsType = "vfat";
};
}


@@ -1,56 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./../../helpers/universal
./../../helpers/gui/phosh.nix
# ./../../helpers/gui/plasma-mobile.nix
# ./../../helpers/gui/gnome.nix
];
# XXX colin: phosh doesn't work well with passwordless login
users.users.colin.initialPassword = "147147";
home-manager.users.colin = import ./../../helpers/home-manager-gen-colin.nix {
inherit pkgs lib;
system = "aarch64-linux";
gui = "phosh";
extraPackages = [
# for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
pkgs.angelfish # plasma mobile web browser; broken on phosh (poor wayland support)
# pkgs.plasma5Packages.index # file browser
pkgs.plasma5Packages.konsole # terminal
# pkgs.plasma5Packages.pix # picture viewer
pkgs.plasma5Packages.kalk # calculator; broken on phosh
# pkgs.plasma5Packages.buho # (plasma mobile?) note application
pkgs.plasma5Packages.kasts # podcast app; works on phosh after setting QT envar
pkgs.plasma5Packages.koko # image gallery; broken on phosh
pkgs.plasma5Packages.kwave # media player.
# pkgs.plasma5Packages.neochat # matrix client. needs qcoro => no aarch64 support
# pkgs.plasma5Packages.plasma-dialer # phone dialer
# pkgs.plasma5Packages.plasma-mobile # the whole shebang?
# pkgs.plasma5Packages.plasma-settings
pkgs.plasma5Packages.bomber # arcade game; broken on phosh
pkgs.plasma5Packages.kapman # pacman
pkgs.w3m # text-based web browser; works!
pkgs.st # suckless terminal; broken on phosh
# pkgs.alacritty # terminal; crashes phosh
];
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
# XXX colin: not sure which, if any, software makes use of this
environment.etc."machine-info".text = ''
CHASSIS="handset"
'';
# enable rotation sensor
hardware.sensor.iio.enable = true;
}
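Review bot: this deleted file carried `users.users.colin.initialPassword = "147147";` in cleartext. Deleting the file does not remove it from history, so treat that value as burned: rotate the password on the device, and in the host file that replaces this one prefer `hashedPassword` or `passwordFile` over `initialPassword`, which NixOS only applies when the account is first created and otherwise leaves the cleartext sitting in the repository for no benefit.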


@@ -1,39 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../helpers/universal
./fs.nix
./hardware.nix
./net.nix
./users.nix
./services/ddns-he.nix
./services/duplicity.nix
./services/gitea.nix
./services/jackett.nix
./services/jellyfin.nix
./services/matrix.nix
./services/nginx.nix
./services/nix-serve.nix
./services/pleroma.nix
./services/postfix.nix
./services/postgres.nix
./services/transmission.nix
];
home-manager.users.colin = import ../../helpers/home-manager-gen-colin.nix {
inherit pkgs lib;
system = "aarch64-linux";
gui = null;
extraPackages = [ pkgs.matrix-synapse ];
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}


@@ -1,37 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/2be70d38-79f4-41b6-bee2-bce5a25f8f7b";
fsType = "ext4";
};
fileSystems."/boot" = {
device = lib.mkDefault "/dev/disk/by-uuid/B318-A67E";
fsType = "vfat";
};
fileSystems."/var/lib/pleroma" = {
device = "/opt/pleroma";
options = [ "bind" ];
};
fileSystems."/var/lib/transmission/Downloads" = {
device = "/opt/uninsane/media";
options = [ "bind" ];
};
fileSystems."/var/lib/transmission/.incomplete" = {
device = "/opt/uninsane/media/incomplete";
options = [ "bind" ];
};
# in-memory compressed RAM (seems to be dynamically sized)
zramSwap = {
enable = true;
};
swapDevices = [
{ device = "/swapfile"; size = 4096; }
];
}
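Review bot: `swapDevices = [ { device = "/swapfile"; size = 4096; } ];` is an unencrypted swapfile on a host that keeps backup passphrases, SMTP passwords and a cache signing key in memory (see the duplicity, matrix and nix-serve files removed in this same change). Whatever host file replaces this should set `randomEncryption.enable = true` on the swap device so paged-out secrets do not land on disk in the clear; zramSwap above is fine as is.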


@@ -1,94 +0,0 @@
# this file originates from nixos-generate-config
# but has been heavily modified
{ config, lib, pkgs, modulesPath, ... }:
{
# enables non-free firmware
hardware.enableRedistributableFirmware = true;
# i changed this becuse linux 5.10 didn't have rpi-400 device tree blob.
# nixos-22.05 linux 5.15 DOES have these now.
# it should be possible to remove this if desired, but i'm not sure how the rpi-specific kernel differs.
# see: https://github.com/raspberrypi/linux
boot.kernelPackages = pkgs.linuxPackages_rpi4;
# NixOS defaults to grub: we don't want that.
boot.loader.grub.enable = false;
# raspberryPi boot loader creates extlinux.conf.
# otherwise, enable the generic-extlinux-compatible loader below.
# note: THESE ARE MUTUALLY EXCLUSIVE. generic-extlinux-compatible causes uboot to not be built
# boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.raspberryPi.enable = true;
boot.loader.raspberryPi.uboot.enable = true;
boot.loader.raspberryPi.version = 4;
boot.initrd.availableKernelModules = [
"bcm2711_thermal"
"bcm_phy_lib"
"brcmfmac"
"brcmutil"
"broadcom"
"clk_raspberrypi"
"drm" # Direct Render Manager
"enclosure" # SCSI ?
"fuse"
"mdio_bcm_unimac"
"pcie_brcmstb"
"raspberrypi_cpufreq"
"raspberrypi_hwmon"
"ses" # SCSI Enclosure Services
"uas" # USB attached storage
"uio" # userspace IO
"uio_pdrv_genirq"
"xhci_pci"
"xhci_pci_renesas"
];
# boot.initrd.compressor = "gzip"; # defaults to zstd
# hack in the `boot.shell_on_fail` arg since it doesn't seem to work otherwise
boot.initrd.preFailCommands = "allowShell=1";
# default: 4 (warn). 7 is debug
boot.consoleLogLevel = 7;
# boot.kernelParams = [
# "boot.shell_on_fail"
# # "boot.trace"
# # "systemd.log_level=debug"
# # "systemd.log_target=console"
# ];
# ondemand power scaling keeps the cpu at low frequency when idle, and sets to max frequency
# when load is detected. (v.s. the "performance" default, which always uses the max frequency)
powerManagement.cpuFreqGovernor = "ondemand";
# XXX colin: this allows one to `systemctl halt` and then not remove power until the HDD has spun down.
# however, it doesn't work with reboot because systemd will spin the drive up again to read its reboot bin.
# a better solution would be to put the drive behind a powered USB hub (or get a SSD).
# systemd.services.diskguard = {
# description = "Safely power off spinning media";
# before = [ "shutdown.target" ];
# wantedBy = [ "sysinit.target" ];
# # old (creates dep loop, but works)
# # before = [ "systemd-remount-fs.service" "shutdown.target" ];
# # wantedBy = [ "systemd-remount-fs.service" ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# ExecStart = "${pkgs.coreutils}/bin/true";
# ExecStop = with pkgs; writeScript "diskguard" ''
# #!${bash}/bin/bash
# if ${procps}/bin/pgrep nixos-rebuild ;
# then
# exit 0 # don't halt drives unless we're actually shutting down. maybe better way to do this (check script args?)
# fi
# # ${coreutils}/bin/sync
# # ${util-linux}/bin/mount -o remount,ro /nix/store
# # ${util-linux}/bin/mount -o remount,ro /
# # -S 1 retracts the spindle after 5 seconds of idle
# # -B 1 spins down the drive after <vendor specific duration>
# ${hdparm}/sbin/hdparm -S 1 -B 1 /dev/sda
# # TODO: monitor smartmonctl until disk is idle? or try hdparm -Y
# # ${coreutils}/bin/sleep 20
# # exec ${util-linux}/bin/umount --all -t ext4,vfat,ext2
# '';
# };
# };
}
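Review bot: good to see `boot.initrd.preFailCommands = "allowShell=1";` and `boot.consoleLogLevel = 7;` go with the port off the Pi: the first hands an unauthenticated root shell to whoever is at the console whenever stage 1 fails, and the second prints everything the kernel logs to that console. If the x86 port keeps either for debugging, gate them behind a debug flag rather than leaving them as defaults.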


@@ -1,20 +0,0 @@
{ pkgs, secrets, ... }:
{
systemd.services.ddns-he = {
description = "update dynamic DNS entries for HurricaneElectric";
# HE DDNS API is documented: https://dns.he.net/docs.html
script = let
pass = secrets.ddns-he.password;
crl = "${pkgs.curl}/bin/curl -4";
in ''
${crl} "https://he.uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=he.uninsane.org"
${crl} "https://native.uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=native.uninsane.org"
${crl} "https://uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=uninsane.org"
'';
};
systemd.timers.ddns-he.timerConfig = {
OnStartupSec = "2min";
OnUnitActiveSec = "10min";
};
}
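Review bot: the `script` here interpolates `secrets.ddns-he.password` into the URL, so the password ends up in the unit's script in /nix/store (world-readable) and on curl's command line (visible in `ps` to every local user). If the replacement for this file keeps the same shape, pass the credential out of band: put `user = "he.uninsane.org:<pass>"` in a root-owned curl config file and call `curl -K /path/to/file`, or use `--netrc-file`, with that file delivered by a secrets mechanism rather than a Nix string.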


@@ -1,36 +0,0 @@
# docs: https://search.nixos.org/options?channel=21.11&query=duplicity
{ config, pkgs, lib, secrets, ... }:
{
services.duplicity.enable = true;
services.duplicity.targetUrl = secrets.duplicity.url;
# format: PASSPHRASE=<cleartext>
# two sisters
services.duplicity.secretFile =
builtins.toFile "duplicity_env" "PASSPHRASE=${secrets.duplicity.passphrase}";
# NB: manually trigger with `systemctl start duplicity`
services.duplicity.frequency = "daily";
services.duplicity.exclude = [
# impermanent/inconsequential data:
"/dev"
"/proc"
"/run"
"/sys"
"/tmp"
# bind mounted (dupes):
"/var/lib/pleroma"
"/var/lib/transmission/Downloads"
"/var/lib/transmission/.incomplete"
# data that's not worth the cost to backup:
"/opt/uninsane/media"
];
services.duplicity.extraFlags = [
# without --allow-source-mismatch, duplicity will abort if you change the hostname between backups
"--allow-source-mismatch"
];
# set this for the FIRST backup, then remove it to enable incremental backups
# (that the first backup *isn't* full i think is a defect)
# services.duplicity.fullIfOlderThan = "always";
}
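Review bot: `services.duplicity.secretFile = builtins.toFile "duplicity_env" "PASSPHRASE=${secrets.duplicity.passphrase}";` places the backup passphrase in /nix/store, readable by every local user and shipped to any binary cache this host pushes to; the "two sisters" comment does not change that. The option exists so the file can live outside the store (a root-owned 0400 path under /var or a secrets directory). The same applies to `targetUrl = secrets.duplicity.url` if that URL embeds credentials, since it becomes part of the unit. Worth carrying into whatever host file replaced this one.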


@@ -1,5 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.jellyfin.enable = true;
}


@@ -1,175 +0,0 @@
# docs: https://nixos.wiki/wiki/Matrix
# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
{ config, pkgs, lib, secrets, ... }:
{
services.matrix-synapse.enable = true;
services.matrix-synapse.settings.server_name = "uninsane.org";
# services.matrix-synapse.enable_registration_captcha = true;
# services.matrix-synapse.enable_registration_without_verification = true;
services.matrix-synapse.settings.enable_registration = true;
# services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
# default for listeners is port = 8448, tls = true, x_forwarded = false.
# we change this because the server is situated behind nginx.
services.matrix-synapse.settings.listeners = [
{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
# services.matrix-synapse.extraConfig = ''
# registration_requires_token: true
# admin_contact: "admin.matrix@uninsane.org"
# '';
services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
services.matrix-synapse.settings.email = {
smtp_host = "mx.uninsane.org";
smtp_port = 587;
smtp_user = "matrix-synapse";
smtp_pass = secrets.matrix-synapse.smtp_pass;
require_transport_security = true;
enable_tls = true;
notif_from = "%(app)s <notify.matrix@uninsane.org>";
app_name = "Uninsane Matrix";
enable_notifs = true;
validation_token_lifetime = "96h";
invite_client_location = "https://web.matrix.uninsane.org";
subjects = {
email_validation = "[%(server_name)s] Validate your email";
};
};
# services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
# admin_contact: "admin.matrix@uninsane.org"
# registrations_require_3pid:
# - email
# email:
# smtp_host: "mx.uninsane.org"
# smtp_port: 587
# smtp_user: "matrix-synapse"
# smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
# require_transport_security: true
# enable_tls: true
# notif_from: "%(app)s <notify.matrix@uninsane.org>"
# app_name: "Uninsane Matrix"
# enable_notifs: true
# validation_token_lifetime: 96h
# invite_client_location: "https://web.matrix.uninsane.org"
# subjects:
# email_validation: "[%(server_name)s] Validate your email"
# ''];
services.matrix-synapse.settings.app_service_config_files = [
"/var/lib/matrix-appservice-irc/registration.yml" # auto-created by irc appservice
];
# new users may be registered on the CLI:
# register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
#
# or provide an registration token then can use to register through the client.
# docs: https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/admin_api/registration_tokens.md
# first, grab your own user's access token (Help & About section in Element). then:
# curl --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens
# create a token with unlimited uses:
# curl -d '{}' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
# create a token with limited uses:
# curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
# IRC bridging
# note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
# Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
# services.matrix-appservice-irc.enable = true;
services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
# settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
services.matrix-appservice-irc.settings = {
homeserver = {
url = "http://127.0.0.1:8008";
dropMatrixMessagesAfterSecs = 300;
domain = "uninsane.org";
enablePresence = true;
bindPort = 9999;
bindHost = "127.0.0.1";
};
ircService = {
servers = {
"irc.rizon.net" = {
name = "Rizon";
port = 6697; # SSL port
ssl = true;
sasl = true; # appservice doesn't support NickServ identification
botConfig = {
# bot has no presence in IRC channel; only real Matrix users
enabled = false;
# nick = "UninsaneDotOrg";
nick = "uninsane";
username = "uninsane";
};
dynamicChannels = {
enabled = true;
aliasTemplate = "#irc_rizon_$CHANNEL";
};
ircClients = {
nickTemplate = "$LOCALPARTsane";
# by default, Matrix will convert messages greater than (3) lines into a pastebin-like URL to send to IRC.
lineLimit = 20;
};
matrixClients = {
userTemplate = "@irc_rizon_$NICK"; # the :uninsane.org part is appended automatically
};
# this will let this user message the appservice with `!join #<IRCChannel>` and the rest "Just Works"
"@colin:uninsane.org" = "admin";
membershipLists = {
enabled = true;
global = {
ircToMatrix = {
initial = true;
incremental = true;
requireMatrixJoined = false;
};
matrixToIrc = {
initial = true;
incremental = true;
};
};
};
# sync room description?
bridgeInfoState = {
enabled = true;
initial = true;
};
# hardcoded mappings, for when dynamicChannels fails us. TODO: probably safe to remove these.
# mappings = {
# "#chat" = {
# roomIds = [ "!GXJSOTdbtxRboGtDep:uninsane.org" ];
# };
# # BakaBT requires account registration, which i think means my user needs to be added before the appservice user
# "#BakaBT" = {
# roomIds = [ "!feZKttuYuHilqPFSkD:uninsane.org" ];
# };
# };
# for per-user IRC password:
# invite @irc_rizon_NickServ:uninsane.org to a DM and type `help` => register
# invite the matrix-appservice-irc user to a DM and type `!help` => add PW to database
# passwordEncryptionKeyPath = "/path/to/privkey"; # appservice will generate its own if unspecified
};
};
};
};
}
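Review bot: three things in this removed file should not survive into its replacement. `smtp_pass = secrets.matrix-synapse.smtp_pass;` under `services.matrix-synapse.settings.email` puts the SMTP password into the generated homeserver.yaml in /nix/store; the comment `register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml` shows exactly that path. The commented `extraConfigFiles` approach is the right one only if the file it points at lives outside the store, not `builtins.toFile`. `services.matrix-synapse.settings.enable_registration = true;` combined only with `registrations_require_3pid = [ "email" ];` is open registration gated on owning an address; the commented `registration_requires_token: true` plus the token workflow documented below it is the tighter setting. And `app_service_config_files` lists /var/lib/matrix-appservice-irc/registration.yml while `# services.matrix-appservice-irc.enable = true;` is commented out, so Synapse is pointed at a file nothing generates; the two lines need to be toggled together.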


@@ -1,12 +0,0 @@
# docs: https://nixos.wiki/wiki/Binary_Cache
# to copy something to this machine's nix cache, do:
# nix copy --to ssh://nixcache.uninsane.org PACKAGE
{ secrets, ... }:
{
services.nix-serve = {
enable = true;
secretKeyFile = builtins.toFile "nix-serve-priv-key.pem" secrets.nix-serve.cache-priv-key;
# "/var/cache-priv-key.pem";
};
}
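Review bot: `secretKeyFile = builtins.toFile "nix-serve-priv-key.pem" secrets.nix-serve.cache-priv-key;` writes the cache's signing key into /nix/store, readable by any local user, and as a store path it can be carried along to any cache this host itself pushes to. Whoever holds that key can sign arbitrary store paths that every machine trusting nixcache.uninsane.org will accept. The commented `"/var/cache-priv-key.pem"` is the correct shape: a root-owned file outside the store, and the key should be rotated now that this version has been in the repository.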

61 modules/allocations.nix Normal file

@@ -0,0 +1,61 @@
{ lib, ... }:
with lib;
let
mkId = id: mkOption {
default = id;
type = types.int;
};
in
{
options = {
# legacy servo users, some are inconvenient to migrate
sane.allocations.dhcpcd-gid = mkId 991;
sane.allocations.dhcpcd-uid = mkId 992;
sane.allocations.gitea-gid = mkId 993;
sane.allocations.git-uid = mkId 994;
sane.allocations.jellyfin-gid = mkId 994;
sane.allocations.pleroma-gid = mkId 995;
sane.allocations.jellyfin-uid = mkId 996;
sane.allocations.acme-gid = mkId 996;
sane.allocations.pleroma-uid = mkId 997;
sane.allocations.acme-uid = mkId 998;
sane.allocations.greeter-uid = mkId 999;
sane.allocations.greeter-gid = mkId 999;
sane.allocations.freshrss-uid = mkId 2401;
sane.allocations.freshrss-gid = mkId 2401;
sane.allocations.colin-uid = mkId 1000;
sane.allocations.guest-uid = mkId 1100;
# found on all hosts
sane.allocations.sshd-uid = mkId 2001; # 997
sane.allocations.sshd-gid = mkId 2001; # 997
sane.allocations.polkituser-gid = mkId 2002; # 998
sane.allocations.systemd-coredump-gid = mkId 2003; # 996
sane.allocations.nscd-uid = mkId 2004;
sane.allocations.nscd-gid = mkId 2004;
sane.allocations.systemd-oom-uid = mkId 2005;
sane.allocations.systemd-oom-gid = mkId 2005;
# found on graphical hosts
sane.allocations.nm-iodine-uid = mkId 2101; # desko/moby/lappy
# found on desko host
sane.allocations.usbmux-uid = mkId 2204;
sane.allocations.usbmux-gid = mkId 2204;
# originally found on moby host
sane.allocations.avahi-uid = mkId 2304;
sane.allocations.avahi-gid = mkId 2304;
sane.allocations.colord-uid = mkId 2305;
sane.allocations.colord-gid = mkId 2305;
sane.allocations.geoclue-uid = mkId 2306;
sane.allocations.geoclue-gid = mkId 2306;
sane.allocations.rtkit-uid = mkId 2307;
sane.allocations.rtkit-gid = mkId 2307;
sane.allocations.feedbackd-gid = mkId 2308;
};
}
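Review bot: `mkId` makes every id an overridable option but nothing asserts uniqueness within the uid set or within the gid set. The number 994 already serves as both `git-uid` and `jellyfin-gid`, which is fine across namespaces, but a future copy-paste that reuses a value within one namespace would silently give two services ownership of each other's files. Add an `assertions` entry that checks `lib.unique` over all `*-uid` values and separately over all `*-gid` values, and consider `readOnly = true` on the ids the comment calls inconvenient to migrate. The trailing `# 997` / `# 998` / `# 996` on the sshd, polkituser and systemd-coredump lines read as old values; say "was N" so they are not mistaken for alternatives.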

14 modules/default.nix Normal file

@@ -0,0 +1,14 @@
{ ... }:
{
imports = [
./allocations.nix
./gui
./home-manager
./packages.nix
./image.nix
./impermanence.nix
./nixcache.nix
./services
];
}

29 modules/gui/default.nix Normal file

@@ -0,0 +1,29 @@
{ lib, config, ... }:
with lib;
let
cfg = config.sane.gui;
in
{
imports = [
./gnome.nix
./phosh.nix
./plasma.nix
./plasma-mobile.nix
./sway.nix
];
options = {
# doesn't directly create outputs. consumed by e.g. home-manager.nix module
sane.gui.enable = mkOption {
default = false;
type = types.bool;
};
};
config = lib.mkIf cfg.enable {
sane.packages.enableGuiPkgs = lib.mkDefault true;
# all GUIs use network manager?
users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
};
}
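Review bot: `users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;` is applied whenever `sane.gui.enable` is true, but the comment "all GUIs use network manager?" is answered by plasma-mobile.nix in this same change, where `networking.networkmanager.enable` is commented out. For that GUI this line declares an nm-iodine user that no other module defines, so it will either trip the isSystemUser/isNormalUser check or create a stray account. Guard it on `config.networking.networkmanager.enable`, or move it next to the NetworkManager enablement in each GUI module.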

78 modules/gui/gnome.nix Normal file

@@ -0,0 +1,78 @@
{ lib, config, ... }:
with lib;
let
cfg = config.sane.gui.gnome;
in
{
options = {
sane.gui.gnome.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
users.users.avahi.uid = config.sane.allocations.avahi-uid;
users.groups.avahi.gid = config.sane.allocations.avahi-gid;
users.users.colord.uid = config.sane.allocations.colord-uid;
users.groups.colord.gid = config.sane.allocations.colord-gid;
users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
# start gnome/gdm on boot
services.xserver.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.gdm.enable = true;
# gnome does networking stuff with networkmanager
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
};
# home-mananger.users.colin extras
# obtain these by running `dconf dump /` after manually customizing gnome
# TODO: fix "is not of type `GVariant value'"
# dconf.settings = lib.mkIf (gui == "gnome") {
# gnome = {
# # control alt-tab behavior
# "org/gnome/desktop/wm/keybindings" = {
# switch-applications = [ "<Super>Tab" ];
# switch-applications-backward=[];
# switch-windows=["<Alt>Tab"];
# switch-windows-backward=["<Super><Alt>Tab"];
# };
# # idle power savings
# "org/gnome/settings-deamon/plugins/power" = {
# idle-brigthness = 50;
# sleep-inactive-ac-type = "nothing";
# sleep-inactive-battery-timeout = 5400; # seconds
# };
# "org/gnome/shell" = {
# favorite-apps = [
# "org.gnome.Nautilus.desktop"
# "firefox.desktop"
# "kitty.desktop"
# # "org.gnome.Terminal.desktop"
# ];
# };
# "org/gnome/desktop/session" = {
# # how long until considering a session idle (triggers e.g. screen blanking)
# idle-delay = 900;
# };
# "org/gnome/desktop/interface" = {
# text-scaling-factor = 1.25;
# };
# "org/gnome/desktop/media-handling" = {
# # don't auto-mount inserted media
# automount = false;
# automount-open = false;
# };
# };
# };
}
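Review bot: the TODO "is not of type `GVariant value'" on the commented dconf block comes from the extra nesting level `gnome = {` under `dconf.settings`: the `"org/gnome/..."` paths must be the top-level keys, so as written the `gnome` attrset itself is being handed to dconf as a value. Flattening that one level should clear the error. Two typos in the same block will otherwise bite silently when it is revived: `"org/gnome/settings-deamon/plugins/power"` (settings-daemon) and `idle-brigthness` (idle-brightness); dconf accepts unknown keys without complaint, so the `sleep-inactive-ac-type = "nothing"` setting would simply not apply.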

106 modules/gui/phosh.nix Normal file

@@ -0,0 +1,106 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.sane.gui.phosh;
in
{
options = {
sane.gui.phosh.enable = mkOption {
default = false;
type = types.bool;
};
sane.gui.phosh.useGreeter = mkOption {
description = ''
launch phosh via a greeter (like lightdm-mobile-greeter).
phosh is usable without a greeter, but skipping the greeter means no PAM session.
'';
default = true;
type = types.bool;
};
};
config = mkIf cfg.enable (mkMerge [
{
sane.gui.enable = true;
users.users.avahi.uid = config.sane.allocations.avahi-uid;
users.users.colord.uid = config.sane.allocations.colord-uid;
users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
users.groups.avahi.gid = config.sane.allocations.avahi-gid;
users.groups.colord.gid = config.sane.allocations.colord-gid;
users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
services.xserver.desktopManager.phosh = {
enable = true;
user = "colin";
group = "users";
phocConfig = {
# xwayland = "true";
# find default outputs by catting /etc/phosh/phoc.ini
outputs.DSI-1 = {
scale = 1.5;
};
};
};
# XXX: phosh enables networkmanager by default; can probably disable these lines
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
# XXX: not clear if these are actually needed?
hardware.bluetooth.enable = true;
services.blueman.enable = true;
hardware.opengl.enable = true;
hardware.opengl.driSupport = true;
environment.variables = {
# Qt apps won't always start unless this env var is set
QT_QPA_PLATFORM = "wayland";
# electron apps (e.g. Element) should use the wayland backend
# toggle this to have electron apps (e.g. Element) use the wayland backend.
# phocConfig.xwayland should be disabled if you do this
NIXOS_OZONE_WL = "1";
};
sane.packages.extraUserPkgs = with pkgs; [
phosh-mobile-settings
# TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
gnome.gnome-bluetooth
];
}
(mkIf cfg.useGreeter {
services.xserver.enable = true;
# NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
# know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
# lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
# this requires the user we want to login as to be cached.
services.xserver.displayManager.job.preStart = ''
${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
'';
# services.xserver.displayManager.defaultSession = "sm.puri.Phosh"; # XXX: not sure why this doesn't propagate correctly.
services.xserver.displayManager.lightdm.extraSeatDefaults = ''
user-session = phosh
'';
# services.xserver.displayManager.lightdm.greeters.gtk.enable = false; # gtk greeter overrides our own?
# services.xserver.displayManager.lightdm.greeter = {
# enable = true;
# package = pkgs.lightdm-mobile-greeter.xgreeters;
# name = "lightdm-mobile-greeter";
# };
# # services.xserver.displayManager.lightdm.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
systemd.services.phosh.wantedBy = lib.mkForce []; # disable auto-start
})
]);
}
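Review bot: the `useGreeter` description states the reason plainly, "skipping the greeter means no PAM session", so the default of true is the right one. The `preStart` workaround `busctl call org.freedesktop.Accounts ... CacheUser s colin` hard-codes the user while `services.xserver.desktopManager.phosh.user = "colin";` already holds it; reference that option so the two cannot drift. Two "not clear if needed" items widen a phone's attack surface for no stated reason: `hardware.bluetooth.enable = true;` plus `services.blueman.enable = true;` bring the Bluetooth stack up at boot, and the NetworkManager lines duplicate what the XXX says phosh already enables. Leave Bluetooth off until a consumer exists, and drop the duplicate NetworkManager lines once the XXX is confirmed.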


@@ -0,0 +1,28 @@
{ lib, config, ... }:
with lib;
let
cfg = config.sane.gui.plasma-mobile;
in
{
options = {
sane.gui.plasma-mobile.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
# start plasma-mobile on boot
services.xserver.enable = true;
services.xserver.desktopManager.plasma5.mobile.enable = true;
services.xserver.desktopManager.plasma5.mobile.installRecommendedSoftware = false; # not all plasma5-mobile packages build for aarch64
services.xserver.displayManager.sddm.enable = true;
# Plasma does networking stuff with networkmanager, but nix configures the defaults itself
# networking.useDHCP = false;
# networking.networkmanager.enable = true;
# networking.wireless.enable = lib.mkForce false;
};
}

28 modules/gui/plasma.nix Normal file

@@ -0,0 +1,28 @@
{ lib, config, ... }:
with lib;
let
cfg = config.sane.gui.plasma;
in
{
options = {
sane.gui.plasma.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
# start plasma on boot
services.xserver.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.displayManager.sddm.enable = true;
# gnome does networking stuff with networkmanager
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
};
}
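Review bot: the comment `# gnome does networking stuff with networkmanager` was copied from gnome.nix; this is the Plasma module, so say Plasma. Otherwise the shape matches gnome.nix, but `networking.useDHCP = false;`, `networking.networkmanager.enable = true;` and `networking.wireless.enable = lib.mkForce false;` are now repeated in gnome.nix, phosh.nix and here; if the policy is that NetworkManager owns wifi on every GUI host, state it once in gui/default.nix (where the nm-iodine uid already assumes it) rather than per desktop.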

614 modules/gui/sway.nix Normal file

@@ -0,0 +1,614 @@
{ pkgs, lib, config, ... }:
# docs: https://nixos.wiki/wiki/Sway
with lib;
let
cfg = config.sane.gui.sway;
in
{
options = {
sane.gui.sway.enable = mkOption {
default = false;
type = types.bool;
};
sane.gui.sway.useGreeter = mkOption {
description = ''
launch sway via a greeter (like greetd's gtkgreet).
sway is usable without a greeter, but skipping the greeter means no PAM session.
'';
default = true;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
users.users.greeter.uid = config.sane.allocations.greeter-uid;
users.groups.greeter.gid = config.sane.allocations.greeter-gid;
programs.sway = {
# we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
enable = true;
};
# alternatively, could use SDDM
services.greetd = let
swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
# `-l` activates layer-shell mode.
exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
'';
default_session = {
"01" = {
# greeter session config
command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
# alternatives:
# - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
# - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
# - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
};
"0" = {
# no greeter
command = "${pkgs.sway}/bin/sway";
user = "colin";
};
};
in {
# greetd source/docs:
# - <https://git.sr.ht/~kennylevinsen/greetd>
enable = true;
settings = {
default_session = default_session."0${builtins.toString cfg.useGreeter}";
};
};
# some programs (e.g. fractal) **require** a "Secret Service Provider"
services.gnome.gnome-keyring.enable = true;
# unlike other DEs, sway configures no audio stack
# administer with pw-cli, pw-mon, pw-top commands
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true; # ??
pulse.enable = true;
};
hardware.bluetooth.enable = true;
services.blueman.enable = true;
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
sane.home-manager.windowManager.sway = {
enable = true;
wrapperFeatures.gtk = true;
config = rec {
terminal = "${pkgs.kitty}/bin/kitty";
window = {
border = 3; # pixel boundary between windows
hideEdgeBorders = "smart"; # don't show border if only window on workspace
};
output = {
### DESKTOP
"Samsung Electric Company S22C300 0x00007F35" = { pos = "0,0"; res = "1920x1080"; };
"Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" = { pos = "1920,0"; res = "3440x1440"; };
### LAPTOP
# shen TV
"Pioneer Electronic Corporation VSX-524 0x00000101" = { pos = "0,0"; res = "1920x1080"; };
# internal display
"Unknown 0x0637 0x00000000" = { pos = "1920,0"; res = "1920x1080"; };
};
# defaults; required for keybindings decl.
modifier = "Mod1";
# list of launchers: https://www.reddit.com/r/swaywm/comments/v39hxa/your_favorite_launcher/
# menu = "${pkgs.dmenu}/bin/dmenu_path";
menu = "${pkgs.fuzzel}/bin/fuzzel";
# menu = "${pkgs.albert}/bin/albert";
left = "h";
down = "j";
up = "k";
right = "l";
# XKB key names: https://wiki.linuxquestions.org/wiki/List_of_Keysyms_Recognised_by_Xmodmap
keybindings = {
"${modifier}+Return" = "exec ${terminal}";
"${modifier}+Shift+q" = "kill";
"${modifier}+d" = "exec ${menu}";
"${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
# "${modifier}+${left}" = "focus left";
# "${modifier}+${down}" = "focus down";
# "${modifier}+${up}" = "focus up";
# "${modifier}+${right}" = "focus right";
"${modifier}+Left" = "focus left";
"${modifier}+Down" = "focus down";
"${modifier}+Up" = "focus up";
"${modifier}+Right" = "focus right";
# "${modifier}+Shift+${left}" = "move left";
# "${modifier}+Shift+${down}" = "move down";
# "${modifier}+Shift+${up}" = "move up";
# "${modifier}+Shift+${right}" = "move right";
"${modifier}+Shift+Left" = "move left";
"${modifier}+Shift+Down" = "move down";
"${modifier}+Shift+Up" = "move up";
"${modifier}+Shift+Right" = "move right";
"${modifier}+b" = "splith";
"${modifier}+v" = "splitv";
"${modifier}+f" = "fullscreen toggle";
"${modifier}+a" = "focus parent";
"${modifier}+s" = "layout stacking";
"${modifier}+w" = "layout tabbed";
"${modifier}+e" = "layout toggle split";
"${modifier}+Shift+space" = "floating toggle";
"${modifier}+space" = "focus mode_toggle";
"${modifier}+1" = "workspace number 1";
"${modifier}+2" = "workspace number 2";
"${modifier}+3" = "workspace number 3";
"${modifier}+4" = "workspace number 4";
"${modifier}+5" = "workspace number 5";
"${modifier}+6" = "workspace number 6";
"${modifier}+7" = "workspace number 7";
"${modifier}+8" = "workspace number 8";
"${modifier}+9" = "workspace number 9";
"${modifier}+Shift+1" =
"move container to workspace number 1";
"${modifier}+Shift+2" =
"move container to workspace number 2";
"${modifier}+Shift+3" =
"move container to workspace number 3";
"${modifier}+Shift+4" =
"move container to workspace number 4";
"${modifier}+Shift+5" =
"move container to workspace number 5";
"${modifier}+Shift+6" =
"move container to workspace number 6";
"${modifier}+Shift+7" =
"move container to workspace number 7";
"${modifier}+Shift+8" =
"move container to workspace number 8";
"${modifier}+Shift+9" =
"move container to workspace number 9";
"${modifier}+Shift+minus" = "move scratchpad";
"${modifier}+minus" = "scratchpad show";
"${modifier}+Shift+c" = "reload";
"${modifier}+Shift+e" =
"exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
"${modifier}+r" = "mode resize";
} // {
# media keys
XF86MonBrightnessDown = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set 2%-"'';
XF86MonBrightnessUp = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set +2%"'';
XF86AudioRaiseVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
XF86AudioLowerVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
XF86AudioMute = "exec '${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute'";
"${modifier}+Page_Up" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
"${modifier}+Page_Down" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
"${modifier}+Print" = "exec '${pkgs.sway-contrib.grimshot}/bin/grimshot copy area'";
};
# mostly defaults:
bars = [{
mode = "dock";
hiddenState = "hide";
position = "top";
command = "${pkgs.waybar}/bin/waybar";
workspaceButtons = true;
workspaceNumbers = true;
statusCommand = "${pkgs.i3status}/bin/i3status";
fonts = {
# names = [ "monospace" "Noto Color Emoji" ];
# size = 8.0;
# names = [ "Font Awesome 6 Free" "DejaVu Sans" "Hack" ];
# names = with config.fonts.fontconfig.defaultFonts; (emoji ++ monospace ++ serif ++ sansSerif);
names = with config.fonts.fontconfig.defaultFonts; (monospace ++ emoji);
size = 24.0;
};
trayOutput = "primary";
colors = {
background = "#000000";
statusline = "#ffffff";
separator = "#666666";
focusedWorkspace = {
border = "#4c7899";
background = "#285577";
text = "#ffffff";
};
activeWorkspace = {
border = "#333333";
background = "#5f676a";
text = "#ffffff";
};
inactiveWorkspace = {
border = "#333333";
background = "#222222";
text = "#888888";
};
urgentWorkspace = {
border = "#2f343a";
background = "#900000";
text = "#ffffff";
};
bindingMode = {
border = "#2f343a";
background = "#900000";
text = "#ffffff";
};
};
}];
};
};
sane.home-manager.programs.waybar = {
enable = true;
# docs: https://github.com/Alexays/Waybar/wiki/Configuration
# format specifiers: https://fmt.dev/latest/syntax.html#syntax
settings = {
mainBar = {
layer = "top";
height = 40;
modules-left = ["sway/workspaces" "sway/mode"];
modules-center = ["sway/window"];
modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
"sway/window" = {
max-length = 50;
};
# include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
"custom/mediaplayer" = {
exec = pkgs.writeShellScript "waybar-mediaplayer" ''
player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
if [ "$player_status" = "Playing" ]; then
echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
elif [ "$player_status" = "Paused" ]; then
echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
fi
'';
interval = 2;
format = "{} ";
# return-type = "json";
on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
};
network = {
# docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
interval = 2;
max-length = 40;
# custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
format-ethernet = " {bandwidthUpBits:>} {bandwidthDownBits:>}";
tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>} {bandwidthDownBits:>}";
format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>} {bandwidthDownBits:>}";
tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>} {bandwidthDownBits:>}";
format-disconnected = "";
};
cpu = {
format = " {usage:2}%";
tooltip = false;
};
battery = {
states = {
good = 95;
warning = 30;
critical = 10;
};
format = "{icon} {capacity}%";
format-icons = [
""
""
""
""
""
];
};
clock = {
format-alt = "{:%a, %d. %b %H:%M}";
};
};
};
# style docs: https://github.com/Alexays/Waybar/wiki/Styling
style = ''
* {
font-family: monospace;
}
/* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
window#waybar {
background-color: rgba(43, 48, 59, 0.5);
border-bottom: 3px solid rgba(100, 114, 125, 0.5);
color: #ffffff;
transition-property: background-color;
transition-duration: .5s;
}
window#waybar.hidden {
opacity: 0.2;
}
/*
window#waybar.empty {
background-color: transparent;
}
window#waybar.solo {
background-color: #FFFFFF;
}
*/
window#waybar.termite {
background-color: #3F3F3F;
}
window#waybar.chromium {
background-color: #000000;
border: none;
}
#workspaces button {
padding: 0 5px;
background-color: transparent;
color: #ffffff;
/* Use box-shadow instead of border so the text isn't offset */
box-shadow: inset 0 -3px transparent;
/* Avoid rounded borders under each workspace name */
border: none;
border-radius: 0;
}
/* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
#workspaces button:hover {
background: rgba(0, 0, 0, 0.2);
box-shadow: inset 0 -3px #ffffff;
}
#workspaces button.focused {
background-color: #64727D;
box-shadow: inset 0 -3px #ffffff;
}
#workspaces button.urgent {
background-color: #eb4d4b;
}
#mode {
background-color: #64727D;
border-bottom: 3px solid #ffffff;
}
#clock,
#battery,
#cpu,
#memory,
#disk,
#temperature,
#backlight,
#network,
#pulseaudio,
#custom-media,
#tray,
#mode,
#idle_inhibitor,
#mpd {
padding: 0 10px;
color: #ffffff;
}
#window,
#workspaces {
margin: 0 4px;
}
/* If workspaces is the leftmost module, omit left margin */
.modules-left > widget:first-child > #workspaces {
margin-left: 0;
}
/* If workspaces is the rightmost module, omit right margin */
.modules-right > widget:last-child > #workspaces {
margin-right: 0;
}
#clock {
background-color: #64727D;
}
#battery {
background-color: #ffffff;
color: #000000;
}
#battery.charging, #battery.plugged {
color: #ffffff;
background-color: #26A65B;
}
@keyframes blink {
to {
background-color: #ffffff;
color: #000000;
}
}
#battery.critical:not(.charging) {
background-color: #f53c3c;
color: #ffffff;
animation-name: blink;
animation-duration: 0.5s;
animation-timing-function: linear;
animation-iteration-count: infinite;
animation-direction: alternate;
}
label:focus {
background-color: #000000;
}
#cpu {
background-color: #2ecc71;
color: #000000;
}
#memory {
background-color: #9b59b6;
}
#disk {
background-color: #964B00;
}
#backlight {
background-color: #90b1b1;
}
#network {
background-color: #2980b9;
}
#network.disconnected {
background-color: #f53c3c;
}
#pulseaudio {
background-color: #f1c40f;
color: #000000;
}
#pulseaudio.muted {
background-color: #90b1b1;
color: #2a5c45;
}
#custom-media {
background-color: #66cc99;
color: #2a5c45;
min-width: 100px;
}
#custom-media.custom-spotify {
background-color: #66cc99;
}
#custom-media.custom-vlc {
background-color: #ffa000;
}
#temperature {
background-color: #f0932b;
}
#temperature.critical {
background-color: #eb4d4b;
}
#tray {
background-color: #2980b9;
}
#tray > .passive {
-gtk-icon-effect: dim;
}
#tray > .needs-attention {
-gtk-icon-effect: highlight;
background-color: #eb4d4b;
}
#idle_inhibitor {
background-color: #2d3436;
}
#idle_inhibitor.activated {
background-color: #ecf0f1;
color: #2d3436;
}
#mpd {
background-color: #66cc99;
color: #2a5c45;
}
#mpd.disconnected {
background-color: #f53c3c;
}
#mpd.stopped {
background-color: #90b1b1;
}
#mpd.paused {
background-color: #51a37a;
}
#language {
background: #00b093;
color: #740864;
padding: 0 5px;
margin: 0 5px;
min-width: 16px;
}
#keyboard-state {
background: #97e1ad;
color: #000000;
padding: 0 0px;
margin: 0 5px;
min-width: 16px;
}
#keyboard-state > label {
padding: 0 5px;
}
#keyboard-state > label.locked {
background: rgba(0, 0, 0, 0.2);
}
'';
# style = ''
# * {
# border: none;
# border-radius: 0;
# font-family: Source Code Pro;
# }
# window#waybar {
# background: #16191C;
# color: #AAB2BF;
# }
# #workspaces button {
# padding: 0 5px;
# }
# .custom-spotify {
# padding: 0 10px;
# margin: 0 4px;
# background-color: #1DB954;
# color: black;
# }
# '';
};
sane.packages.extraUserPkgs = with pkgs; [
swaylock
swayidle # (unused)
wl-clipboard
mako # notification daemon
xdg-utils # for xdg-open
# user stuff
# pavucontrol
sway-contrib.grimshot
gnome.gnome-bluetooth
gnome.gnome-control-center
];
};
}
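Review bot: the session lookup `default_session."0${builtins.toString cfg.useGreeter}"` depends on `builtins.toString true` being `"1"` and `builtins.toString false` being `""` to select key `"01"` or `"0"`; it works, but a plain `if cfg.useGreeter then default_session.greeter else default_session.autologin` (with the two sessions named accordingly) states the intent without the trick. The `"0"` branch starts sway directly as the hard-coded `user = "colin"` with no authentication and, as the `useGreeter` description already notes, no PAM session; that consequence deserves a comment next to the `"0"` session itself, since anyone flipping `useGreeter = false` is turning off login for the machine, not just skipping a splash screen. Separately, the waybar `style` block keys its media-player rules on `#custom-media` (and `.custom-spotify` / `.custom-vlc`), but the module declared in `settings` is `"custom/mediaplayer"`, whose CSS id is `#custom-mediaplayer`, so those rules never match the module that is actually configured.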


@@ -0,0 +1,16 @@
# Terminal UI mail client
{ config, lib, ... }:
lib.mkIf config.sane.home-manager.enable
{
sops.secrets."aerc_accounts" = {
owner = config.users.users.colin.name;
sopsFile = ../../secrets/universal/aerc_accounts.conf;
format = "binary";
};
home-manager.users.colin = let sysconfig = config; in { config, ... }: {
# aerc TUI mail client
xdg.configFile."aerc/accounts.conf".source =
config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
};
}


@@ -0,0 +1,226 @@
# docs:
# https://rycee.gitlab.io/home-manager/
# https://rycee.gitlab.io/home-manager/options.html
# man home-configuration.nix
#
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.sane.home-manager;
# extract package from `sane.packages.enabledUserPkgs`
pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
# extract `dir` from `sane.packages.enabledUserPkgs`
dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
feeds = import ./feeds.nix { inherit lib; };
in
{
imports = [
./aerc.nix
./discord.nix
./firefox.nix
./git.nix
./kitty.nix
./mpv.nix
./nb.nix
./neovim.nix
./ssh.nix
./sublime-music.nix
./vlc.nix
./zsh.nix
];
options = {
sane.home-manager.enable = mkOption {
default = false;
type = types.bool;
};
# attributes to copy directly to home-manager's `wayland.windowManager` option
sane.home-manager.windowManager = mkOption {
default = {};
type = types.attrs;
};
# extra attributes to include in home-manager's `programs` option
sane.home-manager.programs = mkOption {
default = {};
type = types.attrs;
};
};
config = lib.mkIf cfg.enable {
sane.impermanence.home-dirs = [
"archive"
"dev"
"records"
"ref"
"tmp"
"use"
"Music"
"Pictures"
"Videos"
] ++ (dir-list config.sane.packages.enabledUserPkgs);
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
# XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
# see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
home-manager.users.colin = let sysconfig = config; in { config, ... }: {
# run `home-manager-help` to access manpages
# or `man home-configuration.nix`
manual.html.enable = false; # TODO: set to true later (build failure)
manual.manpages.enable = false; # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
home.packages = pkg-list sysconfig.sane.packages.enabledUserPkgs;
wayland.windowManager = cfg.windowManager;
home.stateVersion = "21.11";
home.username = "colin";
home.homeDirectory = "/home/colin";
home.activation = {
initKeyring = {
after = ["writeBoundary"];
before = [];
data = "${../../scripts/init-keyring}";
};
};
home.file = let
privates = builtins.listToAttrs (
builtins.map (path: {
name = path;
value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
})
(private-list sysconfig.sane.packages.enabledUserPkgs)
);
in {
# convenience
"knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
"nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
"Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
"Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
"Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
# used by password managers, e.g. unix `pass`
".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
} // privates;
# XDG defines things like ~/Desktop, ~/Downloads, etc.
# these clutter the home, so i mostly don't use them.
xdg.userDirs = {
enable = true;
createDirectories = false; # on headless systems, most xdg dirs are noise
desktop = "$HOME/.xdg/Desktop";
documents = "$HOME/dev";
download = "$HOME/tmp";
music = "$HOME/Music";
pictures = "$HOME/Pictures";
publicShare = "$HOME/.xdg/Public";
templates = "$HOME/.xdg/Templates";
videos = "$HOME/Videos";
};
# the xdg mime type for a file can be found with:
# - `xdg-mime query filetype path/to/thing.ext`
xdg.mimeApps.enable = true;
xdg.mimeApps.defaultApplications = let
www = sysconfig.sane.web-browser.desktop;
pdf = "org.gnome.Evince.desktop";
md = "obsidian.desktop";
thumb = "org.gnome.gThumb.desktop";
video = "vlc.desktop";
# audio = "mpv.desktop";
audio = "vlc.desktop";
in {
# HTML
"text/html" = [ www ];
"x-scheme-handler/http" = [ www ];
"x-scheme-handler/https" = [ www ];
"x-scheme-handler/about" = [ www ];
"x-scheme-handler/unknown" = [ www ];
# RICH-TEXT DOCUMENTS
"application/pdf" = [ pdf ];
"text/markdown" = [ md ];
# IMAGES
"image/heif" = [ thumb ]; # apple codec
"image/png" = [ thumb ];
"image/jpeg" = [ thumb ];
# VIDEO
"video/mp4" = [ video ];
"video/quicktime" = [ video ];
"video/x-matroska" = [ video ];
# AUDIO
"audio/flac" = [ audio ];
"audio/mpeg" = [ audio ];
"audio/x-vorbis+ogg" = [ audio ];
};
# libreoffice: disable first-run stuff
xdg.configFile."libreoffice/4/user/registrymodifications.xcu".text = ''
<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
</oor:items>
'';
# <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
# <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
xdg.configFile."gpodderFeeds.opml".text = with feeds;
feedsToOpml feeds.podcasts;
# news-flash RSS viewer
xdg.configFile."newsflashFeeds.opml".text = with feeds;
feedsToOpml (feeds.texts ++ feeds.images);
# gnome feeds RSS viewer
xdg.configFile."org.gabmus.gfeeds.json".text =
let
myFeeds = feeds.texts ++ feeds.images;
in builtins.toJSON {
# feed format is a map from URL to a dict,
# with dict["tags"] a list of string tags.
feeds = builtins.foldl' (acc: feed: acc // {
"${feed.url}".tags = [ feed.cat feed.freq ];
}) {} myFeeds;
dark_reader = false;
new_first = true;
# windowsize = {
# width = 350;
# height = 650;
# };
max_article_age_days = 90;
enable_js = false;
max_refresh_threads = 3;
# saved_items = {};
# read_items = [];
show_read_items = true;
full_article_title = true;
# views: "webview", "reader", "rsscont"
default_view = "rsscont";
open_links_externally = true;
full_feed_name = false;
refresh_on_startup = true;
tags = lib.lists.unique (
(builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
);
open_youtube_externally = false;
media_player = "vlc"; # default: mpv
};
programs = {
home-manager.enable = true; # this lets home-manager manage dot-files in user dirs, i think
# "command not found" will cause the command to be searched in nixpkgs
nix-index.enable = true;
} // cfg.programs;
};
};
}
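Review bot: both `home.file = let privates = ... in { ... } // privates;` and `programs = { home-manager.enable = true; nix-index.enable = true; } // cfg.programs;` use the shallow `//` operator, so any key that `privates` or `cfg.programs` shares with the literal attrset silently replaces it instead of merging: a `cfg.programs.nix-index` set by another module would drop `nix-index.enable = true`, and a `private` entry whose path collides with `nixos` or `knowledge` would shadow the convenience symlink. `lib.recursiveUpdate`, or declaring `sane.home-manager.programs` and `sane.home-manager.windowManager` as `types.attrsOf types.attrs` (or a submodule) instead of the shallow-merging `types.attrs`, would make such collisions merge or fail loudly. The `initKeyring` activation entry also runs `${../../scripts/init-keyring}` with no comment on what it does; a line saying which keyring it initialises and why it must run after `writeBoundary` would help, given that `.password-store` is symlinked into `dev/knowledge/secrets/accounts` in the same block.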


@@ -0,0 +1,12 @@
{ config, lib, ... }:
lib.mkIf config.sane.home-manager.enable
{
# TODO: this should only be enabled on gui devices
# make Discord usable even when client is "outdated"
home-manager.users.colin.xdg.configFile."discord/settings.json".text = ''
{
"SKIP_HOST_UPDATE": true
}
'';
}
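Review bot: the `TODO: this should only be enabled on gui devices` can be resolved in this change rather than deferred: the firefox home-manager block in this same series gates on `lib.mkIf (config.sane.gui.enable)`, so `lib.mkIf (config.sane.home-manager.enable && config.sane.gui.enable)` here would do the same. The comment on `"SKIP_HOST_UPDATE": true` also understates the trade-off: it disables Discord's own update check, which is appropriate when the client comes from nixpkgs, but it means the only route for client fixes is the nixpkgs flake update, and that is worth saying explicitly next to the setting.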


@@ -0,0 +1,185 @@
{ lib }:
let
hourly = { freq = "hourly"; };
daily = { freq = "daily"; };
weekly = { freq = "weekly"; };
infrequent = { freq = "infrequent"; };
art = { cat = "art"; };
humor = { cat = "humor"; };
pol = { cat = "pol"; }; # or maybe just "social"
rat = { cat = "rat"; };
tech = { cat = "tech"; };
uncat = { cat = "uncat"; };
text = { format = "text"; };
image = { format = "image"; };
podcast = { format = "podcast"; };
mkRss = format: url: { inherit url format; } // uncat // infrequent;
# format-specific helpers
mkText = mkRss text;
mkImg = mkRss image;
mkPod = mkRss podcast;
# host-specific helpers
mkSubstack = subdomain: mkText "https://${subdomain}.substack.com/feed";
# merge the attrs `new` into each value of the attrs `addTo`
addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
# for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
withInverseMapping = key: attrs: builtins.mapAttrs (k: v: v // { "${key}" = k; }) attrs;
in rec {
podcasts = [
(mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
## Astral Codex Ten
(mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
## Econ Talk
(mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
## Cory Doctorow
(mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
(mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
## Civboot
(mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
(mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
(mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
(mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
(mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
## The Daily
(mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
(mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
(mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
## Eric Weinstein
(mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
(mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
(mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
(mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
## 99% Invisible
(mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
(mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
(mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
## 60 minutes (NB: this features more than *just* audio?)
(mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
## The Verge - Decoder
(mkPod "https://feeds.megaphone.fm/recodedecode" // tech // weekly)
];
texts = [
# AGGREGATORS (> 1 post/day)
(mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
(mkText "http://www.econlib.org/index.xml" // pol // hourly)
# AGGREGATORS (< 1 post/day)
(mkText "https://palladiummag.com/feed" // uncat // weekly)
(mkText "https://profectusmag.com/feed" // uncat // weekly)
(mkText "https://semiaccurate.com/feed" // tech // weekly)
(mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
(mkText "https://spectrum.ieee.org/rss" // tech // weekly)
## No Moods, Ads or Cutesy Fucking Icons
(mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
# DEVELOPERS
(mkText "https://uninsane.org/atom.xml" // infrequent // tech)
(mkText "https://mg.lol/blog/rss/" // infrequent // tech)
## Ken Shirriff
(mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
## Vitalik Buterin
(mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
## ian (Sanctuary)
(mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
## Bunnie Juang
(mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
(mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
(mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
(mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
(mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
(mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
(mkText "https://www.jefftk.com/news.rss" // tech // daily)
# (TECH; POL) COMMENTATORS
(mkSubstack "edwardsnowden" // pol // infrequent)
(mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
## Ben Thompson
(mkText "https://www.stratechery.com/rss" // pol // weekly)
## Balaji
(mkText "https://balajis.com/rss" // pol // weekly)
(mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
(mkText "https://www.lynalden.com/feed" // pol // infrequent)
(mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
(mkSubstack "oversharing" // pol // daily)
(mkSubstack "doomberg" // tech // weekly)
## David Rosenthal
(mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
## Matt Levine
(mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
# RATIONALITY/PHILOSOPHY/ETC
(mkSubstack "samkriss" // humor // infrequent)
(mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
(mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
(mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
(mkText "https://www.richardcarrier.info/feed" // rat // weekly)
(mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
## Jason Crawford
(mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
## Robin Hanson
(mkText "https://www.overcomingbias.com/feed" // rat // daily)
## Scott Alexander
(mkSubstack "astralcodexten" // rat // daily)
## Paul Christiano
(mkText "https://sideways-view.com/feed" // rat // infrequent)
## Sean Carroll
(mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
# CODE
(mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
];
images = [
(mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
(mkImg "https://xkcd.com/atom.xml" // humor // daily)
(mkImg "http://dilbert.com/feed" // humor // daily)
# ART
(mkImg "https://miniature-calendar.com/feed" // art // daily)
];
all = texts ++ images ++ podcasts;
# return only the feed items which match this category (e.g. "tech")
filterCat = cat: feeds: builtins.filter (item: item.cat == cat) feeds;
# return only the feed items which match this format (e.g. "podcast")
filterFormat = format: feeds: builtins.filter (item: item.format == format) feeds;
# transform a list of feeds into an attrs mapping cat => [ feed0 feed1 ... ]
partitionByCat = feeds: builtins.groupBy (f: f.cat) feeds;
# represents a single RSS feed.
opmlTerminal = feed: ''<outline xmlUrl="${feed.url}" type="rss"/>'';
# a list of RSS feeds.
opmlTerminals = feeds: lib.strings.concatStringsSep "\n" (builtins.map opmlTerminal feeds);
# one node which packages some flat grouping of terminals.
opmlGroup = title: feeds: ''
<outline text="${title}" title="${title}">
${opmlTerminals feeds}
</outline>
'';
# a list of groups (`groupMap` is an attrs mapping groupName => [ feed0 feed1 ... ]).
opmlGroups = groupMap: lib.strings.concatStringsSep "\n" (
builtins.attrValues (builtins.mapAttrs opmlGroup groupMap)
);
# top-level OPML file which could be consumed by something else.
opmlTopLevel = body: ''
<?xml version="1.0" encoding="utf-8"?>
<opml version="2.0">
<body>
${body}
</body>
</opml>
'';
# **primary API**: generate a OPML file from the provided feeds
feedsToOpml = feeds: opmlTopLevel (opmlGroups (partitionByCat feeds));
}
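Review bot: `opmlTerminal` and `opmlGroup` interpolate `feed.url` and `title` directly into XML attributes (`<outline xmlUrl="${feed.url}" type="rss"/>`) with no escaping of `&`, `<` or `"`. The current list only works because none of the URLs contain those characters (the dancarlin feed's `?format=xml` has a single parameter); the first feed URL with a second query parameter will yield an OPML file that gpodder and newsflash reject or misparse. Wrapping both interpolations in `lib.strings.escapeXML` fixes it. Minor: `addAttrs` and `withInverseMapping` are defined in the `let` block but never used in this file.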


@@ -0,0 +1,139 @@
# common settings to toggle (at runtime, in about:config):
# > security.ssl.require_safe_negotiation
# librewolf is a forked firefox which patches firefox to allow more things
# (like default search engines) to be configurable at runtime.
# many of the settings below won't have effect without those patches.
# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
{ config, lib, pkgs, ...}:
with lib;
let
cfg = config.sane.web-browser;
# allow easy switching between firefox and librewolf with `defaultSettings`, below
librewolfSettings = {
browser = pkgs.librewolf-unwrapped;
# browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
# # this allows side-loading unsigned addons
# MOZ_REQUIRE_SIGNING = false;
# });
libName = "librewolf";
dotDir = ".librewolf";
desktop = "librewolf.desktop";
};
firefoxSettings = {
browser = pkgs.firefox-esr-unwrapped;
libName = "firefox";
dotDir = ".mozilla/firefox";
desktop = "firefox.desktop";
};
defaultSettings = firefoxSettings;
# defaultSettings = librewolfSettings;
package = pkgs.wrapFirefox cfg.browser {
# inherit the default librewolf.cfg
# it can be further customized via ~/.librewolf/librewolf.overrides.cfg
inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
inherit (cfg) libName;
extraNativeMessagingHosts = [ pkgs.browserpass ];
# extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
nixExtensions = let
addon = name: extid: hash: pkgs.fetchFirefoxAddon {
inherit name hash;
url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
fixedExtid = extid;
};
localAddon = pkg: pkgs.fetchFirefoxAddon {
inherit (pkg) name;
src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
fixedExtid = pkg.extid;
};
in [
(addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-C+VQyaJ8BA0ErXGVTdnppJZ6J9SP+izf6RFxdS4VJoU=")
(addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-au5GGn22n4i6VrdOKqNMOrWdMoVCcpLdjO2wwRvyx7E=")
(addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-m14onUlnpLDPHezA/soKygcc76tF1fLG52tM/LkbAXQ=")
(addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
(addon "ether-metamask" "webextension@metamask.io" "sha256-dnpwKpNF0KgHMAlz5btkkZySjMsnrXECS35ClkD2XHc=")
# (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
(localAddon pkgs.browserpass-extension)
];
extraPolicies = {
NoDefaultBookmarks = true;
SearchEngines = {
Default = "DuckDuckGo";
};
AppUpdateURL = "https://localhost";
DisableAppUpdate = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DisableSystemAddonUpdate = true;
DisableFirefoxStudies = true;
DisableTelemetry = true;
DisableFeedbackCommands = true;
DisablePocket = true;
DisableSetDesktopBackground = false;
# remove many default search providers
# XXX this seems to prevent the `nixExtensions` from taking effect
# Extensions.Uninstall = [
# "google@search.mozilla.org"
# "bing@search.mozilla.org"
# "amazondotcom@search.mozilla.org"
# "ebay@search.mozilla.org"
# "twitter@search.mozilla.org"
# ];
# XXX doesn't seem to have any effect...
# docs: https://github.com/mozilla/policy-templates#homepage
# Homepage = {
# HomepageURL = "https://uninsane.org/";
# StartPage = "homepage";
# };
# NewTabPage = true;
};
};
in
{
options = {
sane.web-browser = mkOption {
default = defaultSettings;
type = types.attrs;
};
};
config = lib.mkIf config.sane.home-manager.enable {
# XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
programs.firefox = {
enable = true;
inherit package;
};
# uBlock filter list configuration.
# specifically, enable the GDPR cookie prompt blocker.
# data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
# this configuration method is documented here:
# - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
# the specific attribute path is found via scraping ublock code here:
# - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
# - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
home.file."${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json".text = ''
{
"name": "uBlock0@raymondhill.net",
"description": "ignored",
"type": "storage",
"data": {
"toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
}
}
'';
home.file."${cfg.dotDir}/${cfg.libName}.overrides.cfg".text = ''
// if we can't query the revocation status of a SSL cert because the issuer is offline,
// treat it as unrevoked.
// see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
defaultPref("security.OCSP.require", false);
'';
};
};
}
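Review bot: `defaultPref("security.OCSP.require", false);` in the `.overrides.cfg` block makes revocation checking soft-fail: an unreachable OCSP responder results in the certificate being treated as unrevoked, exactly as the comment says. That is a reasonable availability trade-off, but the comment should also record the cost (revocation is only enforced when the responder answers) so a later reader does not treat this as the hardened setting. Smaller points in the same hunk: the commented-out `Extensions.Uninstall` and `Homepage` policy blocks are tagged `XXX` with "seems to prevent" and "doesn't seem to have any effect" but no tracking reference; either link the upstream issue or drop them, since dead policy text tends to be copied into other profiles. The `managed-storage/uBlock0@raymondhill.net.json` entry intentionally stores `toOverwrite` as a JSON string inside JSON, which the linked uBlock issue requires; a one-word note ("string, not object, on purpose") would stop someone "fixing" it.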

@@ -0,0 +1,20 @@
{ config, lib, pkgs, ... }:
lib.mkIf config.sane.home-manager.enable
{
home-manager.users.colin.programs.git = {
enable = true;
userName = "colin";
userEmail = "colin@uninsane.org";
aliases = { co = "checkout"; };
extraConfig = {
# difftastic docs:
# - <https://difftastic.wilfred.me.uk/git.html>
diff.tool = "difftastic";
difftool.prompt = false;
"difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
# now run `git difftool` to use difftastic git
};
};
}
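Review bot: `diff.tool` plus the `difftool` section only affect `git difftool`, as the trailing comment says; `git diff`, `git show` and `git log -p` keep the built-in diff. If difftastic is wanted everywhere, `diff.external` pointing at the `difft` binary is the route the linked difftastic docs describe. Style: `"difftool \"difftastic\"".cmd` can be written as the nested attribute `difftool.difftastic.cmd`, which home-manager renders to the same `[difftool "difftastic"]` section and reads consistently with the `diff.tool` / `difftool.prompt` lines above it.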

@@ -0,0 +1,71 @@
{ config, lib, ... }:
lib.mkIf config.sane.home-manager.enable
{
home-manager.users.colin.programs.kitty = {
enable = true;
# docs: https://sw.kovidgoyal.net/kitty/conf/
settings = {
# disable terminal bell (when e.g. you backspace too many times)
enable_audio_bell = false;
};
keybindings = {
"ctrl+n" = "new_os_window_with_cwd";
};
# docs: https://github.com/kovidgoyal/kitty-themes
# theme = "1984 Light"; # dislike: awful, harsh blues/teals
# theme = "Adventure Time"; # dislike: harsh (dark)
# theme = "Atom One Light"; # GOOD: light theme. all color combos readable. not a huge fan of the blue.
# theme = "Belafonte Day"; # dislike: too low contrast for text colors
# theme = "Belafonte Night"; # better: dark theme that's easy on the eyes. all combos readable. low contrast.
# theme = "Catppuccin"; # dislike: a bit pale/low-contrast (dark)
# theme = "Desert"; # mediocre: colors are harsh
# theme = "Earthsong"; # BEST: dark theme. readable, good contrast. unique, but decent colors.
# theme = "Espresso Libre"; # better: dark theme. readable, but meh colors
# theme = "Forest Night"; # decent: very pastel. it's workable, but unconventional and muted/flat.
# theme = "Gruvbox Material Light Hard"; # mediocre light theme.
# theme = "kanagawabones"; # better: dark theme. colors are too background-y
# theme = "Kaolin Dark"; # dislike: too dark
# theme = "Kaolin Breeze"; # mediocre: not-too-harsh light theme, but some parts are poor contrast
# theme = "Later This Evening"; # mediocre: not-too-harsh dark theme, but cursor is poor contrast
# theme = "Material"; # decent: light theme, few colors.
# theme = "Mayukai"; # decent: not-too-harsh dark theme. the teal is a bit straining
# theme = "Nord"; # mediocre: pale background, low contrast
# theme = "One Half Light"; # better: not-too-harsh light theme. contrast could be better
theme = "PaperColor Dark"; # BEST: dark theme, very readable still the colors are background-y
# theme = "Parasio Dark"; # dislike: too low contrast
# theme = "Pencil Light"; # better: not-too-harsh light theme. decent contrast.
# theme = "Pnevma"; # dislike: too low contrast
# theme = "Piatto Light"; # better: readable light theme. pleasing colors. powerline prompt is hard to read.
# theme = "Rosé Pine Dawn"; # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
# theme = "Rosé Pine Moon"; # GOOD: dark theme. tasteful colors. but background is a bit intense
# theme = "Sea Shells"; # mediocre. not all color combos are readable
# theme = "Solarized Light"; # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
# theme = "Solarized Dark Higher Contrast"; # better: dark theme, decent colors
# theme = "Sourcerer"; # mediocre: ugly colors
# theme = "Space Gray"; # mediocre: too muted
# theme = "Space Gray Eighties"; # better: all readable, decent colors
# theme = "Spacemacs"; # mediocre: too muted
# theme = "Spring"; # mediocre: readable light theme, but the teal is ugly.
# theme = "Srcery"; # better: highly readable. colors are ehhh
# theme = "Substrata"; # decent: nice colors, but a bit flat.
# theme = "Sundried"; # mediocre: the solar text makes me squint
# theme = "Symfonic"; # mediocre: the dark purple has low contrast to the black bg.
# theme = "Tango Light"; # dislike: teal is too grating
# theme = "Tokyo Night Day"; # medicore: too muted
# theme = "Tokyo Night"; # better: tasteful. a bit flat
# theme = "Tomorrow"; # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
# theme = "Treehouse"; # dislike: the orange is harsh on my eyes.
# theme = "Urple"; # dislike: weird palette
# theme = "Warm Neon"; # decent: not-too-harsh dark theme. the green is a bit unattractive
# theme = "Wild Cherry"; # GOOD: dark theme: nice colors. a bit flat
# theme = "Xcodedark"; # dislike: bad palette
# theme = "citylights"; # decent: dark theme. some parts have just a bit low contrast
# theme = "neobones_light"; # better light theme. the background is maybe too muted
# theme = "vimbones";
# theme = "zenbones_dark"; # mediocre: readable, but meh colors
# theme = "zenbones_light"; # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
# theme = "zenwritten_dark"; # mediocre: looks same as zenbones_dark
# extraConfig = "";
};
}
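Review bot: the roughly fifty commented-out `theme =` lines are a personal ranking, not configuration; they bury the one active setting (`theme = "PaperColor Dark";`) and will drift as the kitty-themes collection changes. Suggest moving the ranking into a notes file or the commit message and keeping only the active line with its one-line rationale. `# extraConfig = "";` is an empty placeholder and can go as well.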

@@ -0,0 +1,13 @@
{ config, lib, ... }:
lib.mkIf config.sane.home-manager.enable
{
home-manager.users.colin.programs.mpv = {
enable = true;
config = {
save-position-on-quit = true;
keep-open = "yes";
};
};
}
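Review bot: the two options use different value forms: `save-position-on-quit = true` is a Nix boolean while `keep-open = "yes"` is the literal string mpv expects. home-manager renders a boolean as `yes`/`no` in `mpv.conf`, so both work, but pick one form (for example `keep-open = true`) so the block reads consistently.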

@@ -0,0 +1,27 @@
# nb is a CLI-drive Personal Knowledge Manager
# - <https://xwmx.github.io/nb/>
#
# it's pretty opinionated:
# - autocommits (to git) excessively (disable-able)
# - inserts its own index files to give deterministic names to files
#
# it offers a primitive web-server
# and it offers some CLI query tools
{ config, lib, pkgs, ... }:
# lib.mkIf config.sane.home-manager.enable
lib.mkIf false # XXX disabled!
{
sane.packages.extraUserPkgs = [ pkgs.nb ];
home-manager.users.colin = { config, ... }: {
# nb markdown/personal knowledge manager
home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
home.file.".nb/.current".text = "knowledge";
home.file.".nbrc".text = ''
# manage with `nb settings`
export NB_AUTO_SYNC=0
'';
};
}
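Review bot: `lib.mkIf false # XXX disabled!` turns the whole module into dead configuration without recording why; either delete the file or put the reason in the comment (broken package, unused, waiting on an upstream fix) so the next reader knows whether it is safe to re-enable. Two smaller points: the inner `home-manager.users.colin = { config, ... }:` deliberately shadows the outer `config` argument so that `config.lib.file.mkOutOfStoreSymlink` resolves in the home-manager scope, which deserves a comment; and `export NB_AUTO_SYNC=0` in `.nbrc` is the "disable-able" autocommit behaviour the header comment mentions, so cross-reference it there. The header also reads `CLI-drive` where `CLI-driven` is meant.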

@@ -0,0 +1,117 @@
{ config, lib, pkgs, ... }:
lib.mkIf config.sane.home-manager.enable
{
sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
home-manager.users.colin.programs.neovim = {
# neovim: https://github.com/neovim/neovim
enable = true;
viAlias = true;
vimAlias = true;
plugins = with pkgs.vimPlugins; [
# docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
# docs: vim-surround: https://github.com/tpope/vim-surround
vim-surround
# docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
fzf-vim
# docs: https://github.com/KeitaNakamura/tex-conceal.vim/
({
plugin = tex-conceal-vim;
type = "viml";
config = ''
" present prettier fractions
let g:tex_conceal_frac=1
'';
})
({
plugin = vim-SyntaxRange;
type = "viml";
config = ''
" enable markdown-style codeblock highlighting for tex code
autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
" autocmd Syntax tex set conceallevel=2
'';
})
# nabla renders inline math in any document, but it's buggy.
# https://github.com/jbyuki/nabla.nvim
# ({
# plugin = pkgs.nabla;
# type = "lua";
# config = ''
# require'nabla'.enable_virt()
# '';
# })
# treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
# docs: https://github.com/nvim-treesitter/nvim-treesitter
# config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
# this is required for tree-sitter to even highlight
({
plugin = nvim-treesitter.withAllGrammars;
type = "lua";
config = ''
require'nvim-treesitter.configs'.setup {
highlight = {
enable = true,
-- disable treesitter on Rust so that we can use SyntaxRange
-- and leverage TeX rendering in rust projects
disable = { "rust", "tex", "latex" },
-- disable = { "tex", "latex" },
-- true to also use builtin vim syntax highlighting when treesitter fails
additional_vim_regex_highlighting = false
},
incremental_selection = {
enable = true,
keymaps = {
init_selection = "gnn",
node_incremental = "grn",
mcope_incremental = "grc",
node_decremental = "grm"
}
},
indent = {
enable = true,
disable = {}
}
}
vim.o.foldmethod = 'expr'
vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
'';
})
];
extraConfig = ''
" let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
" this used to be default, until <https://github.com/neovim/neovim/pull/19290>
set mouse=
" copy/paste to system clipboard
set clipboard=unnamedplus
" screw tabs; always expand them into spaces
set expandtab
" at least don't open files with sections folded by default
set nofoldenable
" allow text substitutions for certain glyphs.
" higher number = more aggressive substitution (0, 1, 2, 3)
" i only make use of this for tex, but it's unclear how to
" apply that *just* to tex and retain the SyntaxRange stuff.
set conceallevel=2
" horizontal rule under the active line
" set cursorline
" highlight trailing space & related syntax errors (doesn't seem to work??)
" let c_space_errors=1
" let python_space_errors=1
" enable highlighting of leading/trailing spaces,
" and especially tabs
" source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
set list
set listchars=tab:\·,trail:·,extends:,precedes:,nbsp:
'';
};
}
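Review bot: in the treesitter `incremental_selection.keymaps` table, `mcope_incremental = "grc"` is a typo for `scope_incremental`; nvim-treesitter ignores unknown keys, so the `grc` mapping is silently never created. In `extraConfig`, the `set listchars=` line as shown gives `extends:`, `precedes:` and `nbsp:` no character at all (Vim rejects an empty `listchars` value) and `tab:\·` supplies one character where `tab:` needs at least two, so confirm the intended glyphs survived in the committed file. Finally, `sane.impermanence.home-dirs = [ ".cache/vim-swap" ]` persists swap files across reboots; swap files contain the contents of whatever was being edited, so note that persistence when editing files from locations meant to be ephemeral.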