add templates.python-data

for more info, see
<https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-flake-init.html>

.sops.yaml

@@ -2,11 +2,11 @@ keys:
   - &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
   - &user_lappy_colin age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
   - &user_servo_colin age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
-  - &user_moby_colin age1lt739n2tq7dmpglvntjr9j2r7426md7rat7x9w930gagtx4jyvnqwts2al
+  - &user_moby_colin age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
   - &host_desko age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
   - &host_lappy age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
   - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
-  - &host_moby age1t957gf0z865gya0khgc9x59wy76hzps3sgejjqtwcngn2xl273msxsmpe6
+  - &host_moby age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
 creation_rules:
   - path_regex: secrets/universal*
     key_groups:
@@ -19,10 +19,11 @@ creation_rules:
       - *host_lappy
       - *host_servo
       - *host_moby
-  - path_regex: secrets/servo.yaml$
+  - path_regex: secrets/servo*
     key_groups:
     - age:
       - *user_desko_colin
+      - *user_lappy_colin
       - *user_servo_colin
       - *host_servo
   - path_regex: secrets/desko.yaml$
@@ -31,3 +32,16 @@ creation_rules:
       - *user_desko_colin
       - *user_lappy_colin
       - *host_desko
+  - path_regex: secrets/lappy.yaml$
+    key_groups:
+    - age:
+      - *user_lappy_colin
+      - *user_desko_colin
+      - *host_lappy
+  - path_regex: secrets/moby.yaml$
+    key_groups:
+    - age:
+      - *user_desko_colin
+      - *user_lappy_colin
+      - *user_moby_colin
+      - *host_moby

TODO.md

@@ -1,12 +0,0 @@
-# features/tweaks
-- iron out video drivers
-- emoji picker application
-- find a Masto/Pleroma app which works on mobile
-
-
-# speed up cross compiling
-   https://nixos.wiki/wiki/Cross_Compiling
-   https://nixos.wiki/wiki/NixOS_on_ARM
-   overlays = [{ ... }: {
-     nixpkgs.crossSystem.system = "aarch64-linux";
-   }];

flake.lock

@@ -1,5 +1,20 @@
 {
   "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1656169755,
-        "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
+        "lastModified": 1667907331,
+        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
+        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
         "type": "github"
       },
       "original": {
@@ -23,11 +38,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1646131459,
-        "narHash": "sha256-GPmgxvUFvQ1GmsGfWHy9+rcxWrczeDhS9XnAIPHi9XQ=",
+        "lastModified": 1668668915,
+        "narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "2f39baeb7d039fda5fc8225111bb79474138e6f4",
+        "rev": "5df9108b346f8a42021bf99e50de89c9caa251c3",
         "type": "github"
       },
       "original": {
@@ -39,11 +54,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1656299939,
-        "narHash": "sha256-gODt71CCv0gnMNeU4GYdSBJkxsfmBy0uNv8owQC1oPs=",
+        "lastModified": 1668897543,
+        "narHash": "sha256-1bjvy5zi/6KDzhN3ihOUEA6y5FFEOf5xvIbf65RWIh0=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "de9a88a70f0ae5fc0839ff94bf29e8a30af399f8",
+        "rev": "25eec596116553112681d72ee4880107fc3957fa",
         "type": "github"
       },
       "original": {
@@ -54,42 +69,26 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1656679828,
-        "narHash": "sha256-akGA97pR1BAQew1FrVTCME3p8qvYxJXB2X3a13aBphs=",
+        "lastModified": 1669542132,
+        "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "915f5a5b3cc4f8ba206afd0b70e52ba4c6a2796b",
+        "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-22.05",
+        "ref": "nixos-unstable",
         "type": "indirect"
       }
     },
-    "nixpkgs-21_11": {
-      "locked": {
-        "lastModified": 1656198488,
-        "narHash": "sha256-xe81o3Kin6a0jXA3mTxcR+jeA1jLKw3TCar5LUo/B5c=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "46af3303651699dc58cfc251d9b18c0f59d857da",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-21.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1656199498,
-        "narHash": "sha256-/BCpM7j7y1G4het6Z3idlnv9A87/s0O1glVmH7fnWvk=",
+        "lastModified": 1669513802,
+        "narHash": "sha256-AmTRNi8bHgJlmaNe3r5k+IMFbbXERM/KarqveMAZmsY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "72a1f167077060a1a7b6e0104863245d0483fa7f",
+        "rev": "6649e08812f579581bfb4cada3ba01e30485c891",
         "type": "github"
       },
       "original": {
@@ -99,35 +98,19 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1656130826,
-        "narHash": "sha256-g5Wo75ddDQmWnL70rJCMm+JJlvHbzPFUePUpuMNn5qk=",
+        "lastModified": 1669546925,
+        "narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "72d1b0d0fac131df1ea254b65413c85609bdd2ee",
+        "rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nurpkgs": {
-      "locked": {
-        "lastModified": 1656786319,
-        "narHash": "sha256-MpdBL2+csFfnMu+2eUNkkACkrPt7UhUdpvXnhrLim0E=",
-        "owner": "nix-community",
-        "repo": "NUR",
-        "rev": "433704dc83b1491725e616bbb898ccd17fbe3d0e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "NUR",
-        "type": "github"
+        "id": "nixpkgs",
+        "ref": "nixos-22.05",
+        "type": "indirect"
       }
     },
     "root": {
@@ -136,22 +119,24 @@
         "impermanence": "impermanence",
         "mobile-nixos": "mobile-nixos",
         "nixpkgs": "nixpkgs",
-        "nurpkgs": "nurpkgs",
-        "sops-nix": "sops-nix"
+        "nixpkgs-stable": "nixpkgs-stable",
+        "sops-nix": "sops-nix",
+        "uninsane": "uninsane"
       }
     },
     "sops-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-21_11": "nixpkgs-21_11",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1656399028,
-        "narHash": "sha256-re66+rVHGR3y+0QsaDAwoAHCfoi3BlGV24t2EqRZsAE=",
+        "lastModified": 1669714206,
+        "narHash": "sha256-9aiMbzRL8REsyi9U0eZ+lT4s7HaILA1gh9n2apKzLxU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d26947f2d6252e2aae5ffddfe9b38b7c4b94e8f9",
+        "rev": "8295b8139ef7baadeb90c5cad7a40c4c9297ebf7",
         "type": "github"
       },
       "original": {
@@ -159,6 +144,27 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "uninsane": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1666870107,
+        "narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
+        "ref": "refs/heads/master",
+        "rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
+        "revCount": 164,
+        "type": "git",
+        "url": "https://git.uninsane.org/colin/uninsane"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.uninsane.org/colin/uninsane"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,11 +1,11 @@
 # docs:
-#   https://nixos.wiki/wiki/Flakes
-#   https://serokell.io/blog/practical-nix-flakes
+# - <https://nixos.wiki/wiki/Flakes>
+# - <https://serokell.io/blog/practical-nix-flakes>
 
 {
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-22.05";
-    # pkgs-telegram.url = "nixpkgs/33775ec9a2173a08e46edf9f46c9febadbf743e8";# 2022/04/18; telegram 3.7.3. fails: nix log /nix/store/y5kv47hnv55qknb6cnmpcyraicay79fx-telegram-desktop-3.7.3.drv: g++: fatal error: cannot execute '/nix/store/njk5sbd21305bhr7gwibxbbvgbx5lxvn-gcc-9.3.0/libexec/gcc/aarch64-unknown-linux-gnu/9.3.0/cc1plus': execv: No such file or directory
+    nixpkgs-stable.url = "nixpkgs/nixos-22.05";
+    nixpkgs.url = "nixpkgs/nixos-unstable";
     mobile-nixos = {
       url = "github:nixos/mobile-nixos";
       flake = false;
@@ -14,70 +14,118 @@
       url = "github:nix-community/home-manager/release-22.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nurpkgs.url = "github:nix-community/NUR";
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     impermanence.url = "github:nix-community/impermanence";
+    uninsane = {
+      url = "git+https://git.uninsane.org/colin/uninsane";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs, sops-nix, impermanence }:
-  let
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-stable,
+    mobile-nixos,
+    home-manager,
+    sops-nix,
+    impermanence,
+    uninsane
+  }: let
     patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
       name = "nixpkgs-patched-uninsane";
       src = nixpkgs;
       patches = import ./nixpatches/list.nix nixpkgs.legacyPackages.${system}.fetchpatch;
     };
     # return something which behaves like `pkgs`, for the provided system
-    nixpkgsFor = system: import (patchedPkgs system) { inherit system; };
+    # `local` = architecture of builder. `target` = architecture of the system beying deployed to
+    nixpkgsFor = local: target: import (patchedPkgs target) { crossSystem = target; localSystem = local; };
     # evaluate ONLY our overlay, for the provided system
-    customPackagesFor = system: import ./pkgs/overlay.nix (nixpkgsFor system) (nixpkgsFor system);
-    decl-machine = { name, system }:
+    customPackagesFor = local: target: import ./pkgs/overlay.nix (nixpkgsFor local target) (nixpkgsFor local target);
+    decl-host = { name, local, target }:
     let
-      nixosSystem = import ((patchedPkgs system) + "/nixos/lib/eval-config.nix");
+      nixosSystem = import ((patchedPkgs target) + "/nixos/lib/eval-config.nix");
     in (nixosSystem {
-      inherit system;
-      specialArgs = { inherit nixpkgs mobile-nixos home-manager nurpkgs impermanence; };
+      # by default the local system is the same as the target, employing emulation when they differ
+      system = target;
+      specialArgs = { inherit mobile-nixos home-manager impermanence; };
       modules = [
         ./modules
-        ./machines/${name}
-        (import ./helpers/set-hostname.nix name)
+        (import ./hosts/instantiate.nix name)
+        home-manager.nixosModule
+        impermanence.nixosModule
         sops-nix.nixosModules.sops
         {
-          nixpkgs.config.allowUnfree = true;
           nixpkgs.overlays = [
-            nurpkgs.overlay
             (import "${mobile-nixos}/overlay/overlay.nix")
+            uninsane.overlay
             (import ./pkgs/overlay.nix)
+            (next: prev: rec {
+              # non-emulated packages build *from* local *for* target.
+              # for large packages like the linux kernel which are expensive to build under emulation,
+              # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
+              cross = (nixpkgsFor local target) // (customPackagesFor local target);
+              stable = import nixpkgs-stable { system = target; };
+              # cross-compatible packages
+              # gocryptfs = cross.gocryptfs;
+            })
           ];
         }
       ];
     });
 
-    decl-bootable-machine = { name, system }: rec {
-      nixosConfiguration = decl-machine { inherit name system; };
+    decl-bootable-host = { name, local, target }: rec {
+      nixosConfiguration = decl-host { inherit name local target; };
       # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
       # after building this:
       #   - flash it to a bootable medium (SD card, flash drive, HDD)
       #   - resize the root partition (use cfdisk)
       #   - mount the part
-      #     chown root:nixblkd <part>/nix/store
-      #     chmod 775 <part>/nix/store
-      #     chown root:root -R <part>/nix/store/*
-      #     populate any important things (persist/, home/colin/.ssh, etc)
+      #      - chown root:nixbld <part>/nix/store
+      #      - chown root:root -R <part>/nix/store/*
+      #      - chown root:root -R <part>/persist  # if using impermanence
+      #      - populate any important things (persist/, home/colin/.ssh, etc)
       #   - boot
       #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
       #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
-      #   - `nixos-rebuild --flake './#<machine>' switch`
+      #   - `nixos-rebuild --flake './#<host>' switch`
       img = nixosConfiguration.config.system.build.img;
     };
-    machines.servo = decl-bootable-machine { name = "servo"; system = "aarch64-linux"; };
-    machines.desko = decl-bootable-machine { name = "desko"; system = "x86_64-linux"; };
-    machines.lappy = decl-bootable-machine { name = "lappy"; system = "x86_64-linux"; };
-    machines.moby = decl-bootable-machine { name = "moby"; system = "aarch64-linux"; };
+    hosts.servo = decl-bootable-host { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.desko = decl-bootable-host { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.lappy = decl-bootable-host { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+    hosts.moby = decl-bootable-host { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
+    # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
+    # note that these *do* produce different store paths, because the closure for the tools used to cross compile
+    # v.s. emulate differ.
+    # so deploying foo-cross and then foo incurs some rebuilding.
+    hosts.moby-cross = decl-bootable-host { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
+    hosts.rescue = decl-bootable-host { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
   in {
-    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
-    imgs = builtins.mapAttrs (name: value: value.img) machines;
-    packages.x86_64-linux = customPackagesFor "x86_64-linux";
-    packages.aarch64-linux = customPackagesFor "aarch64-linux";
+    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) hosts;
+    imgs = builtins.mapAttrs (name: value: value.img) hosts;
+    packages = let
+      allPkgsFor = sys: (customPackagesFor sys sys) // {
+        nixpkgs = nixpkgsFor sys sys;
+        uninsane = uninsane.packages."${sys}";
+      };
+    in {
+      x86_64-linux = allPkgsFor "x86_64-linux";
+      aarch64-linux = allPkgsFor "aarch64-linux";
+    };
+    templates = {
+      python-data = {
+        # initialize with:
+        # - `nix flake init -t '/home/colin/dev/nixos/#python-data'`
+        # then enter with:
+        # - `nix develop`
+        path = ./templates/python-data;
+        description = "python environment for data processing";
+      };
+    };
   };
 }
 

helpers/set-hostname.nix

@@ -1,4 +0,0 @@
-hostName: { ... }:
-{
-  networking.hostName = hostName;
-}

hosts/common/default.nix

@@ -0,0 +1,74 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./fs.nix
+    ./hardware
+    ./machine-id.nix
+    ./net.nix
+    ./secrets.nix
+    ./ssh.nix
+    ./users.nix
+    ./vpn.nix
+  ];
+
+  sane.home-manager.enable = true;
+  sane.nixcache.enable-trusted-keys = true;
+  sane.packages.enableConsolePkgs = true;
+  sane.packages.enableSystemPkgs = true;
+
+  nixpkgs.config.allowUnfree = true;
+
+  # time.timeZone = "America/Los_Angeles";
+  time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
+
+  # allow `nix flake ...` command
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
+  # TODO: move this into home-manager?
+  fonts = {
+    enableDefaultFonts = true;
+    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
+    fontconfig.enable = true;
+    fontconfig.defaultFonts = {
+      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
+      monospace = [ "Hack" ];
+      serif = [ "DejaVu Serif" ];
+      sansSerif = [ "DejaVu Sans" ];
+    };
+  };
+
+  # disable non-required packages like nano, perl, rsync, strace
+  environment.defaultPackages = [];
+
+  # programs.vim.defaultEditor = true;
+  environment.variables = {
+    EDITOR = "vim";
+    # git claims it should use EDITOR, but it doesn't!
+    GIT_EDITOR = "vim";
+    # TODO: these should be moved to `home.sessionVariables` (home-manager)
+    # Electron apps should use native wayland backend:
+    #   https://nixos.wiki/wiki/Slack#Wayland
+    # Discord under sway crashes with this.
+    # NIXOS_OZONE_WL = "1";
+    # LIBGL_ALWAYS_SOFTWARE = "1";
+  };
+  # enable zsh completions
+  environment.pathsToLink = [ "/share/zsh" ];
+  environment.systemPackages = with pkgs; [
+    # required for pam_mount
+    gocryptfs
+  ];
+
+  # link debug symbols into /run/current-system/sw/lib/debug
+  # hopefully picked up by gdb automatically?
+  environment.enableDebugInfo = true;
+
+  security.pam.mount.enable = true;
+  # security.pam.mount.debugLevel = 1;
+  # security.pam.enableSSHAgentAuth = true; # ??
+  # needed for `allow_other` in e.g. gocryptfs mounts
+  # or i guess going through mount.fuse sets suid so that's not necessary?
+  # programs.fuse.userAllowOther = true;
+}

hosts/common/fs.nix

@@ -0,0 +1,74 @@
+{ pkgs, ... }:
+
+let sshOpts = rec {
+  fsType = "fuse.sshfs";
+  optionsBase = [
+    "x-systemd.automount"
+    "_netdev"
+    "user"
+    "identityfile=/home/colin/.ssh/id_ed25519"
+    "allow_other"
+    "default_permissions"
+  ];
+  optionsColin = optionsBase ++ [
+    "transform_symlinks"
+    "idmap=user"
+    "uid=1000"
+    "gid=100"
+  ];
+
+  optionsRoot = optionsBase ++ [
+    # we don't transform_symlinks because that breaks the validity of remote /nix stores
+    "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
+  ];
+};
+in
+{
+  environment.pathsToLink = [
+    # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
+    # we can only link whole directories here, even though we're only interested in pkgs.openssh
+    "/libexec"
+  ];
+
+  fileSystems."/mnt/servo-media-wan" = {
+    device = "colin@uninsane.org:/var/lib/uninsane/media";
+    inherit (sshOpts) fsType;
+    options = sshOpts.optionsColin;
+    noCheck = true;
+  };
+  fileSystems."/mnt/servo-media-lan" = {
+    device = "colin@servo:/var/lib/uninsane/media";
+    inherit (sshOpts) fsType;
+    options = sshOpts.optionsColin;
+    noCheck = true;
+  };
+  fileSystems."/mnt/servo-root-wan" = {
+    device = "colin@uninsane.org:/";
+    inherit (sshOpts) fsType;
+    options = sshOpts.optionsRoot;
+    noCheck = true;
+  };
+  fileSystems."/mnt/servo-root-lan" = {
+    device = "colin@servo:/";
+    inherit (sshOpts) fsType;
+    options = sshOpts.optionsRoot;
+    noCheck = true;
+  };
+  fileSystems."/mnt/desko-home" = {
+    device = "colin@desko:/home/colin";
+    inherit (sshOpts) fsType;
+    options = sshOpts.optionsColin;
+    noCheck = true;
+  };
+  fileSystems."/mnt/desko-root" = {
+    device = "colin@desko:/";
+    inherit (sshOpts) fsType;
+    options = sshOpts.optionsRoot;
+    noCheck = true;
+  };
+
+  environment.systemPackages = [
+    pkgs.sshfs-fuse
+  ];
+}
+

hosts/common/hardware/all.nix

@@ -0,0 +1,40 @@
+{ lib, pkgs, ... }:
+
+{
+  boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
+  # useful emergency utils
+  boot.initrd.extraUtilsCommands = ''
+    copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
+  '';
+  boot.kernelParams = [ "boot.shell_on_fail" ];
+  # other kernelParams:
+  #   "boot.trace"
+  #   "systemd.log_level=debug"
+  #   "systemd.log_target=console"
+
+  # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
+  boot.initrd.preFailCommands = "allowShell=1";
+
+  # default: 4 (warn). 7 is debug
+  boot.consoleLogLevel = 7;
+
+  boot.loader.grub.enable = lib.mkDefault false;
+  boot.loader.generic-extlinux-compatible.enable = lib.mkDefault true;
+
+  # non-free firmware
+  hardware.enableRedistributableFirmware = true;
+  services.fwupd.enable = true;
+
+  # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
+  powerManagement.powertop.enable = false;
+
+  # services.snapper.configs = {
+  #   root = {
+  #     subvolume = "/";
+  #     extraConfig = {
+  #       ALLOW_USERS = "colin";
+  #     };
+  #   };
+  # };
+  # services.snapper.snapshotInterval = "daily";
+}

hosts/common/hardware/default.nix

@@ -2,6 +2,7 @@
 
 {
   imports = [
+    ./all.nix
     ./x86_64.nix
   ];
 }

hosts/common/hardware/x86_64.nix

@@ -0,0 +1,26 @@
+{ lib, pkgs, ... }:
+
+with lib;
+{
+  config = mkIf (pkgs.system == "x86_64-linux") {
+    boot.initrd.availableKernelModules = [
+      "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
+      "usb_storage"   # rpi needed this to boot from usb storage, i think.
+      "nvme"  # to boot from nvme devices
+      # efi_pstore evivars
+    ];
+
+    # enable cross compilation
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+    # nixpkgs.config.allowUnsupportedSystem = true;
+    # nixpkgs.crossSystem.system = "aarch64-linux";
+
+    powerManagement.cpuFreqGovernor = "powersave";
+    hardware.cpu.amd.updateMicrocode = true;    # desktop
+    hardware.cpu.intel.updateMicrocode = true;  # laptop
+
+    hardware.opengl.driSupport = true;
+    # For 32 bit applications
+    hardware.opengl.driSupport32Bit = true;
+  };
+}

hosts/common/machine-id.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  # we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
+  # logs from previous boots.
+  # maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
+  # but for now generate it from ssh keys.
+  system.activationScripts.machine-id = {
+    deps = [ "persist-ssh-host-keys" ];
+    text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
+  };
+}

hosts/common/net.nix

@@ -0,0 +1,79 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # if using router's DNS, these mappings will already exist.
+  # if using a different DNS provider (which servo does), then we need to explicity provide them.
+  # ugly hack. would be better to get servo to somehow use the router's DNS
+  networking.hosts = {
+    "192.168.0.5" = [ "servo" ];
+    "192.168.0.20" = [ "lappy" ];
+    "192.168.0.22" = [ "desko" ];
+    "192.168.0.48" = [ "moby" ];
+  };
+
+  # the default backend is "wpa_supplicant".
+  # wpa_supplicant reliably picks weak APs to connect to.
+  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
+  # iwd is an alternative that shouldn't have this problem
+  # docs:
+  # - <https://nixos.wiki/wiki/Iwd>
+  # - <https://iwd.wiki.kernel.org/networkmanager>
+  # - `man iwd.config`  for global config
+  # - `man iwd.network` for per-SSID config
+  # use `iwctl` to control
+  networking.networkmanager.wifi.backend = "iwd";
+  networking.wireless.iwd.enable = true;
+  networking.wireless.iwd.settings = {
+    # auto-connect to a stronger network if signal drops below this value
+    # bedroom -> bedroom connection is -35 to -40 dBm
+    # bedroom -> living room connection is -60 dBm
+    General.RoamThreshold = "-52";  # default -70
+    General.RoamThreshold5G = "-52";  # default -76
+  };
+
+  # TODO: don't need to depend on binsh if we were to use a nix-style shebang
+  system.activationScripts.linkIwdKeys = let
+    unwrapped = ../../scripts/install-iwd;
+    install-iwd = pkgs.writeShellApplication {
+      name = "install-iwd";
+      runtimeInputs = with pkgs; [ coreutils gnused ];
+      text = ''${unwrapped} "$@"'';
+    };
+  in (lib.stringAfter
+    [ "setupSecrets" "binsh" ]
+    ''
+    mkdir -p /var/lib/iwd
+    ${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
+    ''
+  );
+
+  # TODO: use a glob, or a list, or something?
+  sops.secrets."iwd/community-university.psk" = {
+    sopsFile = ../../secrets/universal/net/community-university.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/friend-libertarian-dod.psk" = {
+    sopsFile = ../../secrets/universal/net/friend-libertarian-dod.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/friend-rationalist-empathist.psk" = {
+    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/home-bedroom.psk" = {
+    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/home-shared-24G.psk" = {
+    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/home-shared.psk" = {
+    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/iphone" = {
+    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
+    format = "binary";
+  };
+}

hosts/common/secrets.nix

@@ -16,7 +16,7 @@
   #   add the result to .sops.yaml
   #   since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
   #
-  # for each machine you want to decrypt secrets:
+  # for each host you want to decrypt secrets:
   #   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   #   add the result to .sops.yaml
   #   $ sops updatekeys secrets/example.yaml
@@ -29,15 +29,15 @@
   #   $ cat /run/secrets/example_key
 
   # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
-  # This will add secrets.yml to the nix store
+  # This will add secrets.yaml to the nix store
   # You can avoid this by adding a string to the full path instead, i.e.
   # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ./../../secrets/universal.yaml;
+  sops.defaultSopsFile = ../../secrets/universal.yaml;
   # This will automatically import SSH keys as age keys
   sops.age.sshKeyPaths = [
-    "/etc/ssh/ssh_host_ed25519_key"
-    # "/home/colin/.ssh/id_ed25519_dec"
+    "/etc/ssh/host_keys/ssh_host_ed25519_key"
   ];
+  sops.gnupg.sshKeyPaths = [];  # disable RSA key import
   # This is using an age key that is expected to already be in the filesystem
   # sops.age.keyFile = "/home/colin/.ssh/age.pub";
   # sops.age.keyFile = "/var/lib/sops-nix/key.txt";

hosts/common/ssh.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  # we place the host keys (which we want to be persisted) into their own directory so that we can
+  # bind mount that whole directory instead of doing it per-file.
+  # otherwise, this is identical to nixos defaults
+  sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
+
+  # we can't naively `mount /etc/ssh/host_keys` directly,
+  # as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
+  # we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
+  # since that also depends on `users`.
+  system.activationScripts.persist-ssh-host-keys.text = ''
+    mkdir -p /etc/ssh/host_keys
+    mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
+  '';
+
+  services.openssh.hostKeys = [
+    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
+    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
+  ];
+}

hosts/common/users.nix

@@ -0,0 +1,138 @@
+{ config, pkgs, lib, ... }:
+
+# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
+with lib;
+let
+  cfg = config.sane.users;
+  # see nixpkgs/nixos/modules/services/networking/dhcpcd.nix
+  hasDHCP = config.networking.dhcpcd.enable &&
+    (config.networking.useDHCP || any (i: i.useDHCP == true) (attrValues config.networking.interfaces));
+
+in
+{
+  options = {
+    sane.users.guest.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+
+  config = {
+    # Users are exactly these specified here;
+    # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+    users.mutableUsers = false;
+
+    # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+    users.users.colin = {
+      # sets group to "users" (?)
+      isNormalUser = true;
+      home = "/home/colin";
+      uid = config.sane.allocations.colin-uid;
+      # i don't get exactly what this is, but nixos defaults to this non-deterministically
+      # in /var/lib/nixos/auto-subuid-map and i don't want that.
+      subUidRanges = [
+        { startUid=100000; count=1; }
+      ];
+      group = "users";
+      extraGroups = [
+        "wheel"
+        "nixbuild"
+        "networkmanager"
+        # phosh/mobile. XXX colin: unsure if necessary
+        "video"
+        "feedbackd"
+        "dialout" # required for modem access
+      ];
+
+      # initial password is empty, in case anything goes wrong.
+      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
+      initialPassword = lib.mkDefault "";
+      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
+
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
+
+      pamMount = {
+        # mount encrypted stuff at login
+        # requires that login password == fs encryption password
+        # fstype = "fuse";
+        # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
+        fstype = "fuse.gocryptfs";
+        path = "/nix/persist/home/colin/private";
+        mountpoint = "/home/colin/private";
+        options="nodev,nosuid,quiet,allow_other";
+      };
+    };
+
+    sane.impermanence.home-dirs = [
+      # cache is probably too big to fit on the tmpfs
+      # TODO: we could bind-mount it to something which gets cleared per boot, though.
+      ".cache"
+      ".cargo"
+      ".rustup"
+      ".local/share/keyrings"
+    ];
+
+    sane.impermanence.service-dirs = mkIf cfg.guest.enable [
+      { user = "guest"; group = "users"; directory = "/home/guest"; }
+    ];
+    users.users.guest = mkIf cfg.guest.enable {
+      isNormalUser = true;
+      home = "/home/guest";
+      uid = config.sane.allocations.guest-uid;
+      subUidRanges = [
+        { startUid=200000; count=1; }
+      ];
+      group = "users";
+      initialPassword = lib.mkDefault "";
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = [
+        # TODO: insert pubkeys that should be allowed in
+      ];
+    };
+
+    users.users.dhcpcd = mkIf hasDHCP {
+      uid = config.sane.allocations.dhcpcd-uid;
+    };
+    users.groups.dhcpcd = mkIf hasDHCP {
+      gid = config.sane.allocations.dhcpcd-gid;
+    };
+
+    security.sudo = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
+
+    services.openssh = {
+      enable = true;
+      permitRootLogin = "no";
+      passwordAuthentication = false;
+    };
+
+    # affix some UIDs which were historically auto-generated
+    users.users.sshd.uid = config.sane.allocations.sshd-uid;
+    users.groups.polkituser.gid = config.sane.allocations.polkituser-gid;
+    users.groups.sshd.gid = config.sane.allocations.sshd-gid;
+    users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
+    users.users.nscd.uid = config.sane.allocations.nscd-uid;
+    users.groups.nscd.gid = config.sane.allocations.nscd-gid;
+    users.users.systemd-oom.uid = config.sane.allocations.systemd-oom-uid;
+    users.groups.systemd-oom.gid = config.sane.allocations.systemd-oom-gid;
+
+    # guarantee determinism in uid/gid generation for users:
+    assertions = let
+      uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+        assertion = user.uid != null;
+        message = "non-deterministic uid detected for: ${name}";
+      }) config.users.users);
+      gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
+        assertion = group.gid != null;
+        message = "non-deterministic gid detected for: ${name}";
+      }) config.users.groups);
+      autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+        assertion = !user.autoSubUidGidRange;
+        message = "non-deterministic subUids/Guids detected for: ${name}";
+      }) config.users.users);
+    in uidAssertions ++ gidAssertions ++ autoSubAssertions;
+  };
+}

hosts/common/vpn.nix

@@ -0,0 +1,58 @@
+{ config, ... }:
+
+{
+  networking.wg-quick.interfaces.ovpnd-us = {
+    address = [
+      "172.27.237.218/32"
+      "fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
+    ];
+    dns = [
+      "46.227.67.134"
+      "192.165.9.158"
+    ];
+    peers = [
+      {
+        allowedIPs = [
+          "0.0.0.0/0"
+          "::/0"
+        ];
+        endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
+        publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
+      }
+    ];
+    privateKeyFile = config.sops.secrets.wg_ovpnd_us_privkey.path;
+    # to start: `systemctl start wg-quick-ovpnd-us`
+    autostart = false;
+  };
+
+  networking.wg-quick.interfaces.ovpnd-ukr = {
+    address = [
+      "172.18.180.159/32"
+      "fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
+    ];
+    dns = [
+      "46.227.67.134"
+      "192.165.9.158"
+    ];
+    peers = [
+      {
+        allowedIPs = [
+          "0.0.0.0/0"
+          "::/0"
+        ];
+        endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
+        publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
+      }
+    ];
+    privateKeyFile = config.sops.secrets.wg_ovpnd_ukr_privkey.path;
+    # to start: `systemctl start wg-quick-ovpnd-ukr`
+    autostart = false;
+  };
+
+  sops.secrets."wg_ovpnd_us_privkey" = {
+    sopsFile = ../../secrets/universal.yaml;
+  };
+  sops.secrets."wg_ovpnd_ukr_privkey" = {
+    sopsFile = ../../secrets/universal.yaml;
+  };
+}

hosts/desko/default.nix

@@ -1,28 +1,29 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   imports = [
     ./fs.nix
   ];
 
-  colinsane.home-manager.extraPackages = [
-    pkgs.electrum
-  ];
-  colinsane.gui.sway.enable = true;
-  colinsane.services.duplicity.enable = true;
-  colinsane.impermanence.enable = true;
+  # sane.packages.enableDevPkgs = true;
+
+  sane.gui.sway.enable = true;
+  sane.services.duplicity.enable = true;
+  sane.services.nixserve.enable = true;
+  sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
+  sane.impermanence.enable = true;
 
-  boot.loader.generic-extlinux-compatible.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
-  colinsane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
-
-  hardware.opengl.extraPackages = with pkgs; [
-    rocm-opencl-icd
-    rocm-opencl-runtime
-    amdvlk
-  ];
+  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
+  users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
+  users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
+
+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/desko.yaml;
+    neededForUsers = true;
+  };
 
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
@@ -42,6 +43,17 @@
     sopsFile = ../../secrets/desko.yaml;
   };
 
+  programs.steam = {
+    enable = true;
+    # not sure if needed: stole this whole snippet from the wiki
+    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+  };
+  sane.impermanence.home-dirs = [
+    ".steam"
+    ".local/share/Steam"
+  ];
+
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";
 }

hosts/desko/fs.nix

@@ -11,12 +11,14 @@
       "defaults"
     ];
   };
-  # we need a /tmp of default size (half RAM) for building large nix things
+  # we need a /tmp for building large nix things.
+  # a cross-compiled kernel, particularly, will easily use 30+GB of tmp
   fileSystems."/tmp" = {
     device = "none";
     fsType = "tmpfs";
     options = [
       "mode=777"
+      "size=64G"
       "defaults"
     ];
   };

hosts/instantiate.nix

@@ -0,0 +1,10 @@
+# trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
+
+hostName: { ... }: {
+  imports = [
+    ./${hostName}
+    ./common
+  ];
+
+  networking.hostName = hostName;
+}

hosts/lappy/default.nix

@@ -4,18 +4,19 @@
     ./fs.nix
   ];
 
-  colinsane.gui.sway.enable = true;
-  colinsane.impermanence.enable = true;
-  boot.loader.generic-extlinux-compatible.enable = true;
-  boot.loader.efi.canTouchEfiVariables = false;
-  colinsane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+  # sane.packages.enableDevPkgs = true;
 
-  hardware.opengl.extraPackages = with pkgs; [
-    intel-compute-runtime
-    intel-media-driver  # new
-    libvdpau-va-gl      # new
-    vaapiIntel
-  ];
+  # sane.users.guest.enable = true;
+  sane.gui.sway.enable = true;
+  sane.impermanence.enable = true;
+  sane.nixcache.enable = true;
+  boot.loader.efi.canTouchEfiVariables = false;
+  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+
+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/lappy.yaml;
+    neededForUsers = true;
+  };
 
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:

hosts/moby/default.nix

@@ -0,0 +1,85 @@
+{ config, pkgs, lib, mobile-nixos, ... }:
+{
+  imports = [
+    ./firmware.nix
+    ./fs.nix
+    ./kernel.nix
+  ];
+
+  # cross-compiled documentation is *slow*.
+  # no obvious way to natively compile docs (2022/09/29).
+  # entrypoint is nixos/modules/misc/documentation.nix
+  # doc building happens in nixos/doc/manual/default.nix
+  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
+  documentation.nixos.enable = false;
+
+  # XXX colin: phosh doesn't work well with passwordless login,
+  # so set this more reliable default password should anything go wrong
+  users.users.colin.initialPassword = "147147";
+  services.getty.autologinUser = "root";  # allows for emergency maintenance?
+
+  sops.secrets.colin-passwd = {
+    sopsFile = ../../secrets/moby.yaml;
+    neededForUsers = true;
+  };
+
+  # usability compromises
+  sane.impermanence.home-dirs = [
+    config.sane.web-browser.dotDir
+  ];
+
+  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
+  sane.packages.extraUserPkgs = [
+    pkgs.plasma5Packages.konsole  # terminal
+  ];
+
+  sane.nixcache.enable = true;
+  sane.impermanence.enable = true;
+  sane.gui.phosh.enable = true;
+
+  boot.loader.efi.canTouchEfiVariables = false;
+  # /boot space is at a premium. default was 20.
+  boot.loader.generic-extlinux-compatible.configurationLimit = 10;
+  # mobile.bootloader.enable = false;
+  # mobile.boot.stage-1.enable = false;
+  # boot.initrd.systemd.enable = false;
+  # boot.initrd.services.swraid.enable = false;  # attempt to fix dm_mod stuff
+  # disable proximity sensor.
+  # the filtering/calibration is bad that it causes the screen to go fully dark at times.
+  boot.blacklistedKernelModules = [ "stk3310" ];
+
+  # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
+  # this is because they can't allocate enough video ram.
+  # the default CMA seems to be 32M. we could probably get by with as little as 64M, and safely with 128M.
+  # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
+  boot.kernelParams = [ "cma=256M" ];
+
+  # mobile-nixos' /lib/firmware includes:
+  #   rtl_bt          (bluetooth)
+  #   anx7688-fw.bin  (USB-C -> HDMI bridge)
+  #   ov5640_af.bin   (camera module)
+  # hardware.firmware = [ config.mobile.device.firmware ];
+  hardware.firmware = [ pkgs.rtl8723cs-firmware ];
+
+  system.stateVersion = "21.11";
+
+  # defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
+  # XXX colin: not sure which, if any, software makes use of this
+  environment.etc."machine-info".text = ''
+    CHASSIS="handset"
+  '';
+
+  # enable rotation sensor
+  hardware.sensor.iio.enable = true;
+
+  # from https://gitlab.manjaro.org/manjaro-arm/packages/community/phosh/alsa-ucm-pinephone
+  # mobile-nixos does this same thing, with *slightly different settings*.
+  # i trust manjaro more because the guy maintaining that is actively trying to upstream into alsa-ucm-conf.
+  # an alternative may be to build a custom alsa with the PinePhone config patch applied:
+  # - <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
+  # that would make this be not device-specific
+  environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
+  systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";
+
+  hardware.opengl.driSupport = true;
+}

hosts/moby/firmware.nix

@@ -2,9 +2,9 @@
 {
   # we need space in the GPT header to place tow-boot.
   # only actually need 1 MB, but better to over-allocate than under-allocate
-  colinsane.image.extraGPTPadding = 16 * 1024 * 1024;
-  colinsane.image.firstPartGap = 0;
-  system.build.img = pkgs.runCommandNoCC "nixos_full-disk-image.img" {} ''
+  sane.image.extraGPTPadding = 16 * 1024 * 1024;
+  sane.image.firstPartGap = 0;
+  system.build.img = pkgs.runCommand "nixos_full-disk-image.img" {} ''
     cp -v ${config.system.build.img-without-firmware}/nixos.img $out
     chmod +w $out
     dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc

hosts/moby/fs.nix

@@ -1,7 +1,18 @@
 { ... }:
 
 {
+  # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
   fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=755"
+      "size=1G"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/1f1271f8-53ce-4081-8a29-60a4a6b5d6f9";
     fsType = "btrfs";
     options = [

hosts/moby/kernel.nix

@@ -0,0 +1,143 @@
+{ lib, pkgs, ... }:
+let
+  # use the last commit on the 5.18 branch (5.18.14)
+  # manjaro's changes between kernel patch versions tend to be minimal if any.
+  manjaroBase = "https://gitlab.manjaro.org/manjaro-arm/packages/core/linux/-/raw/25bd828cd47b1c6e09fcbcf394a649b89d2876dd";
+  manjaroPatch = name: sha256: {
+    inherit name;
+    patch = pkgs.fetchpatch {
+      inherit name;
+      url = "${manjaroBase}/${name}?inline=false";
+      inherit sha256;
+    };
+  };
+
+  # the idea for patching off Manjaro's kernel comes from jakewaksbaum:
+  # - https://git.sr.ht/~jakewaksbaum/pi/tree/af20aae5653545d6e67a459b59ee3e1ca8a680b0/item/kernel/default.nix
+  # - he later abandoned this, i think because he's using the Pinephone Pro which received mainline support.
+  manjaroPatches = [
+    (manjaroPatch
+      "1001-arm64-dts-allwinner-add-hdmi-sound-to-pine-devices.patch"
+      "sha256-DApd791A+AxB28Ven/MVAyuyVphdo8KQDx8O7oxVPnc="
+    )
+    # these patches below are critical to enable wifi (RTL8723CS)
+    # - the alternative is a wholly forked kernel by megi/megous:
+    #   - https://xnux.eu/howtos/build-pinephone-kernel.html#toc-how-to-build-megi-s-pinehpone-kernel
+    # - i don't know if these patches are based on megi's or original
+    (manjaroPatch
+      "2001-Bluetooth-Add-new-quirk-for-broken-local-ext-features.patch"
+      "sha256-CExhJuUWivegxPdnzKINEsKrMFx/m/1kOZFmlZ2SEOc="
+    )
+    (manjaroPatch
+      "2002-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch"
+      "sha256-dDdvOphTcP/Aog93HyH+L9m55laTgtjndPSE4/rnzUA="
+    )
+    (manjaroPatch
+      "2004-arm64-dts-allwinner-enable-bluetooth-pinetab-pinepho.patch"
+      "sha256-o43P3WzXyHK1PF+Kdter4asuyGAEKO6wf5ixcco2kCQ="
+    )
+    # XXX: this one has a Makefile, which hardcodes /sbin/depmod:
+    # - drivers/staging/rtl8723cs/Makefile
+    # - not sure if this is problematic?
+    (manjaroPatch
+      "2005-staging-add-rtl8723cs-driver.patch"
+      "sha256-6ywm3dQQ5JYl60CLKarxlSUukwi4QzqctCj3tVgzFbo="
+    )
+  ];
+
+  # pinephone uses the linux dtb at arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi
+  # - this includes sun50i-a64.dtsi
+  # - and sun50i-a64-cpu-opp.dtsi
+  # - no need to touch the allwinner-h6 stuff: that's the SBC pine product
+  # - i think it's safe to ignore sun9i stuff, but i don't know what it is
+  kernelConfig = with lib.kernel; {
+    # NB: nix adds the CONFIG_ prefix to each of these.
+    # if you add the prefix yourself nix will IGNORE YOUR CONFIG.
+    RTL8723CS = module;
+    BT_HCIUART_3WIRE = yes;
+    BT_HCIUART_RTL = yes;
+    RTL8XXXU_UNTESTED = yes;
+    BT_BNEP_MC_FILTER = yes;
+    BT_BNEP_PROTO_FILTER = yes;
+    BT_HS = yes;
+    BT_LE = yes;
+    # relevant configs inherited from nixos defaults (or above additions):
+    # CONFIG_BT=m
+    # CONFIG_BT_BREDR=y
+    # CONFIG_BT_RFCOMM=m
+    # CONFIG_BT_RFCOMM_TTY=y
+    # CONFIG_BT_BNEP=m
+    # CONFIG_BT_HIDP=m
+    # CONFIG_BT_RTL=m
+    # CONFIG_BT_HCIBTUSB=m
+    # CONFIG_BT_HCIBTUSB_BCM=y
+    # CONFIG_BT_HCIBTUSB_RTL=y
+    # CONFIG_BT_HCIUART=m
+    # CONFIG_BT_HCIUART_SERDEV=y
+    # CONFIG_BT_HCIUART_H4=y
+    # CONFIG_BT_HCIUART_LL=y
+    # CONFIG_RTL_CARDS=m
+    # CONFIG_RTLWIFI=m
+    # CONFIG_RTLWIFI_PCI=m
+    # CONFIG_RTLWIFI_USB=m
+    # CONFIG_RTLWIFI_DEBUG=y
+    # CONFIG_RTL8723_COMMON=m
+    # CONFIG_RTLBTCOEXIST=m
+    # CONFIG_RTL8XXXU=m
+    # CONFIG_RTLLIB=m
+    # consider adding (from mobile-nixos):
+    # maybe: CONFIG_BT_HCIUART_3WIRE=y
+    # maybe: CONFIG_BT_HCIUART_RTL=y
+    # maybe: CONFIG_RTL8XXXU_UNTESTED=y
+    # consider adding (from manjaro):
+    # CONFIG_BT_6LOWPAN=m  (not listed as option in nixos kernel)
+    # these are referenced in the rtl8723 source, but not known to config (and not in mobile-nixos config
+    # maybe: CONFIG_RTL_ODM_WLAN_DRIVER
+    # maybe: CONFIG_RTL_TRIBAND_SUPPORT
+    # maybe: CONFIG_SDIO_HCI
+    # maybe: CONFIG_USB_HCI
+  };
+
+  # create a kernelPatch which overrides nixos' defconfig with extra options
+  patchDefconfig = config: {
+    # defconfig options. this method comes from here:
+    # - https://discourse.nixos.org/t/the-correct-way-to-override-the-latest-kernel-config/533/9
+    name = "sane-moby-defconfig";
+    patch = null;
+    extraStructuredConfig = config;
+  };
+in
+{
+  # use Megi's kernel:
+  # even with the Manjaro patches, stock 5.18 has a few issues on Pinephone:
+  # - no battery charging
+  # - phone rotation sensor is off by 90 degrees
+  # - ambient light sensor causes screen brightness to be shakey
+  # - phosh greeter may not appear after wake from sleep
+  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
+
+  boot.kernelPatches = [
+    (patchDefconfig (kernelConfig //
+      (with lib.kernel; {
+        # disabling the sun5i_eink driver avoids this compilation error:
+        # CC [M]  drivers/video/fbdev/sun5i-eink-neon.o
+        # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfloat-abi=softfp'
+        # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
+        # make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
+        FB_SUN5I_EINK = no;
+      })
+    ))
+  ];
+
+  # alternatively, use nixos' kernel and add the stuff we want:
+  # # cross-compilation optimization:
+  # boot.kernelPackages =
+  #   let p = (import nixpkgs { localSystem = "x86_64-linux"; });
+  #   in p.pkgsCross.aarch64-multiplatform.linuxPackages_5_18;
+  # # non-cross:
+  # # boot.kernelPackages = pkgs.linuxPackages_5_18;
+
+  # boot.kernelPatches = manjaroPatches ++ [
+  #   (patchDefconfig kernelConfig)
+  # ];
+}

hosts/moby/ucm2/PinePhone/HiFi.conf

@@ -0,0 +1,148 @@
+SectionVerb {
+	EnableSequence [
+		cset "name='Headphone Playback Switch' off"
+		cset "name='Headphone Source Playback Route' DAC"
+		cset "name='Line In Playback Switch' off"
+		cset "name='Line Out Playback Switch' off"
+		cset "name='Line Out Source Playback Route' Mono Differential"
+		cset "name='Mic1 Playback Switch' off"
+		cset "name='Mic2 Playback Switch' off"
+		cset "name='AIF1 DA0 Playback Volume' 160"
+		cset "name='AIF3 ADC Source Capture Route' None"
+		cset "name='AIF2 DAC Source Playback Route' AIF2"
+		cset "name='DAC Playback Switch' on"
+		cset "name='DAC Playback Volume' 160"
+		cset "name='ADC Digital DAC Playback Switch' off"
+		cset "name='AIF1 Slot 0 Digital DAC Playback Switch' on"
+		cset "name='AIF2 Digital DAC Playback Switch' off"
+		cset "name='DAC Reversed Playback Switch' off"
+		cset "name='Earpiece Playback Switch' off"
+		cset "name='Earpiece Source Playback Route' DACL"
+
+		cset "name='Line In Capture Switch' off"
+		cset "name='Mic1 Capture Switch' off"
+		cset "name='Mic1 Boost Volume' 7"
+		cset "name='Mic2 Capture Switch' off"
+		cset "name='Mic2 Boost Volume' 7"
+		cset "name='Mixer Capture Switch' off"
+		cset "name='Mixer Reversed Capture Switch' off"
+		cset "name='ADC Capture Volume' 160"
+		cset "name='ADC Gain Capture Volume' 7"
+		cset "name='AIF1 AD0 Capture Volume' 160"
+		cset "name='AIF1 Data Digital ADC Capture Switch' on"
+		cset "name='AIF2 ADC Mixer ADC Capture Switch' off"
+		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
+		cset "name='AIF2 ADC Mixer AIF2 DAC Rev Capture Switch' off"
+		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
+		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
+	]
+
+        DisableSequence [
+        ]
+
+	Value {
+	}
+}
+
+SectionDevice."Speaker" {
+	Comment "Internal speaker"
+	EnableSequence [
+		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
+		cset "name='Line Out Playback Switch' on"
+		cset "name='Line Out Playback Volume' 100%"
+	]
+
+	DisableSequence [
+		cset "name='Line Out Playback Switch' off"
+	]
+
+	Value {
+		PlaybackVolume "Line Out Playback Volume"
+		PlaybackSwitch "Line Out Playback Switch"
+		PlaybackChannels 2
+		PlaybackPriority 300
+		PlaybackPCM "hw:${CardId},0"
+	}
+}
+SectionDevice."Earpiece" {
+	Comment "Internal Earpiece"
+	EnableSequence [
+		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
+		cset "name='Earpiece Playback Switch' on"
+		cset "name='Earpiece Playback Volume' 100%"
+	]
+
+	DisableSequence [
+		cset "name='Earpiece Playback Switch' off"
+	]
+
+	Value {
+		PlaybackVolume "Earpiece Playback Volume"
+		PlaybackSwitch "Earpiece Playback Switch"
+		PlaybackChannels 2
+		PlaybackPriority 200
+		PlaybackPCM "hw:${CardId},0"
+	}
+}
+SectionDevice."Mic" {
+	Comment "Internal Microphone"
+	ConflictingDevice [
+		"Headset"
+	]
+	EnableSequence [
+		cset "name='Mic1 Capture Switch' on"
+	]
+	DisableSequence [
+		cset "name='Mic1 Capture Switch' off"
+	]
+	Value {
+		CapturePriority 100
+		CapturePCM "hw:${CardId},0"
+		CaptureChannels 2
+		CaptureMixerElem "ADC"
+		CaptureVolume "ADC Capture Volume"
+		CaptureSwitch "Mic1 Capture Switch"
+	}
+}
+SectionDevice."Headset" {
+	Comment "Headset Microphone"
+	ConflictingDevice [
+		"Mic"
+	]
+	EnableSequence [
+		cset "name='Mic2 Capture Switch' on"
+	]
+	DisableSequence [
+		cset "name='Mic2 Capture Switch' off"
+	]
+	Value {
+		CapturePriority 500
+		CapturePCM "hw:${CardId},0"
+		CaptureChannels 2
+		CaptureMixerElem "ADC"
+		CaptureVolume "ADC Capture Volume"
+		CaptureSwitch "Mic2 Capture Switch"
+		JackControl "Headset Microphone Jack"
+	}
+}
+SectionDevice."Headphones" {
+	Comment "Headphones"
+	EnableSequence [
+		cset "name='AIF1 DA0 Stereo Playback Route' Stereo"
+		cset "name='Headphone Playback Switch' on"
+		cset "name='Headphone Playback Volume' 70%"
+	]
+
+	DisableSequence [
+		cset "name='Headphone Playback Switch' off"
+	]
+
+	Value {
+		PlaybackVolume "Headphone Playback Volume"
+		PlaybackSwitch "Headphone Playback Switch"
+		PlaybackChannels 2
+		PlaybackPriority 500
+		PlaybackPCM "hw:${CardId},0"
+		JackControl "Headphone Jack"
+	}
+}

hosts/moby/ucm2/PinePhone/PinePhone.conf

@@ -0,0 +1,11 @@
+Syntax 2
+
+SectionUseCase."HiFi" {
+	File "HiFi.conf"
+	Comment "Default"
+}
+
+SectionUseCase."Voice Call" {
+	File "VoiceCall.conf"
+	Comment "Phone call"
+}

hosts/moby/ucm2/PinePhone/VoiceCall.conf

@@ -0,0 +1,153 @@
+SectionVerb {
+	EnableSequence [
+		cset "name='Headphone Playback Switch' off"
+		cset "name='Headphone Source Playback Route' DAC"
+		cset "name='Line In Playback Switch' off"
+		cset "name='Line Out Playback Switch' off"
+		cset "name='Line Out Source Playback Route' Mono Differential"
+		cset "name='Mic1 Playback Switch' off"
+		cset "name='Mic2 Playback Switch' off"
+		cset "name='AIF1 DA0 Playback Volume' 160"
+		cset "name='AIF2 DAC Playback Volume' 160"
+		cset "name='AIF3 ADC Source Capture Route' None"
+		cset "name='AIF2 DAC Source Playback Route' AIF2"
+		cset "name='DAC Playback Switch' on"
+		cset "name='DAC Playback Volume' 160"
+		cset "name='ADC Digital DAC Playback Switch' off"
+		cset "name='AIF1 Slot 0 Digital DAC Playback Switch' on"
+		cset "name='AIF2 Digital DAC Playback Switch' on"
+		cset "name='DAC Reversed Playback Switch' off"
+		cset "name='Earpiece Playback Switch' off"
+		cset "name='Earpiece Source Playback Route' DACL"
+
+		cset "name='Line In Capture Switch' off"
+		cset "name='Mic1 Capture Switch' off"
+		cset "name='Mic1 Boost Volume' 0"
+		cset "name='Mic1 Playback Volume' 7"
+		cset "name='Mic2 Capture Switch' off"
+		cset "name='Mic2 Boost Volume' 0"
+		cset "name='Mic2 Playback Volume' 7"
+		cset "name='Mixer Capture Switch' off"
+		cset "name='Mixer Reversed Capture Switch' off"
+		cset "name='ADC Capture Volume' 160"
+		cset "name='ADC Gain Capture Volume' 7"
+		cset "name='AIF1 AD0 Capture Volume' 160"
+		cset "name='AIF1 Data Digital ADC Capture Switch' on"
+		cset "name='AIF2 ADC Capture Volume' 160"
+		cset "name='AIF2 ADC Mixer ADC Capture Switch' on"
+		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
+		cset "name='AIF2 ADC Mixer AIF2 DAC Rev Capture Switch' off"
+		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
+		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
+	]
+
+        DisableSequence [
+        ]
+
+	Value {
+		PlaybackRate 8000
+	}
+}
+
+SectionDevice."Speaker" {
+	Comment "Internal speaker"
+	EnableSequence [
+		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
+		cset "name='Line Out Playback Switch' on"
+		cset "name='Line Out Playback Volume' 100%"
+	]
+
+	DisableSequence [
+		cset "name='Line Out Playback Switch' off"
+	]
+
+	Value {
+		PlaybackVolume "Line Out Playback Volume"
+		PlaybackSwitch "Line Out Playback Switch"
+		PlaybackChannels 2
+		PlaybackPriority 300
+		PlaybackPCM "hw:${CardId},0"
+	}
+}
+SectionDevice."Earpiece" {
+	Comment "Internal Earpiece"
+	EnableSequence [
+		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
+		cset "name='Earpiece Playback Switch' on"
+		cset "name='Earpiece Playback Volume' 100%"
+	]
+
+	DisableSequence [
+		cset "name='Earpiece Playback Switch' off"
+	]
+
+	Value {
+		PlaybackVolume "Earpiece Playback Volume"
+		PlaybackSwitch "Earpiece Playback Switch"
+		PlaybackChannels 2
+		PlaybackPriority 500
+		PlaybackPCM "hw:${CardId},0"
+	}
+}
+SectionDevice."Mic" {
+	Comment "Internal Microphone"
+	ConflictingDevice [
+		"Headset"
+	]
+	EnableSequence [
+		cset "name='Mic1 Capture Switch' on"
+	]
+	DisableSequence [
+		cset "name='Mic1 Capture Switch' off"
+	]
+	Value {
+		CapturePriority 200
+		CapturePCM "hw:${CardId},0"
+		CaptureMixerElem "ADC"
+		CaptureVolume "ADC Capture Volume"
+		CaptureSwitch "Mic1 Capture Switch"
+		CaptureChannels 2
+	}
+}
+SectionDevice."Headset" {
+	Comment "Headset Microphone"
+	ConflictingDevice [
+		"Mic"
+	]
+	EnableSequence [
+		cset "name='Mic2 Capture Switch' on"
+	]
+	DisableSequence [
+		cset "name='Mic2 Capture Switch' off"
+	]
+	Value {
+		CapturePriority 500
+		CapturePCM "hw:${CardId},0"
+		CaptureChannels 2
+		CaptureMixerElem "ADC"
+		CaptureVolume "ADC Capture Volume"
+		CaptureSwitch "Mic2 Capture Switch"
+		JackControl "Headset Microphone Jack"
+	}
+}
+SectionDevice."Headphones" {
+	Comment "Headphones"
+	EnableSequence [
+		cset "name='AIF1 DA0 Stereo Playback Route' Stereo"
+		cset "name='Headphone Playback Switch' on"
+		cset "name='Headphone Playback Volume' 100%"
+	]
+
+	DisableSequence [
+		cset "name='Headphone Playback Switch' off"
+	]
+
+	Value {
+		PlaybackVolume "Headphone Playback Volume"
+		PlaybackSwitch "Headphone Playback Switch"
+		PlaybackChannels 2
+		PlaybackPriority 500
+		PlaybackPCM "hw:${CardId},0"
+		JackControl "Headphone Jack"
+	}
+}

hosts/moby/ucm2/ucm.conf

@@ -0,0 +1,8 @@
+Syntax 3
+
+UseCasePath {
+	legacy {
+		Directory "PinePhone"
+		File "PinePhone.conf"
+	}
+}

hosts/rescue/default.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ./fs.nix
+  ];
+
+  boot.loader.generic-extlinux-compatible.enable = true;
+  boot.loader.efi.canTouchEfiVariables = false;
+  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+
+  users.users.dhcpcd.uid = config.sane.allocations.dhcpcd-uid;
+  users.groups.dhcpcd.gid = config.sane.allocations.dhcpcd-gid;
+
+  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
+  system.stateVersion = "21.05";
+}

hosts/rescue/fs.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/44445555-6666-7777-8888-999900001111";
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/2222-3333";
+    fsType = "vfat";
+  };
+}

hosts/servo/default.nix

@@ -3,35 +3,23 @@
 {
   imports = [
     ./fs.nix
-    ./hardware.nix
     ./net.nix
     ./users.nix
-    ./services/ddns-he.nix
-    ./services/gitea.nix
-    ./services/ipfs.nix
-    ./services/jackett.nix
-    ./services/jellyfin.nix
-    ./services/matrix.nix
-    ./services/nginx.nix
-    ./services/nix-serve.nix
-    ./services/pleroma.nix
-    ./services/postfix.nix
-    ./services/postgres.nix
-    ./services/transmission.nix
+    ./services
   ];
 
-  colinsane.home-manager.enable = true;
-  colinsane.home-manager.extraPackages = [
+  sane.packages.extraUserPkgs = [
+    # for administering services
     pkgs.matrix-synapse
+    pkgs.freshrss
   ];
-  colinsane.impermanence.enable = true;
-  colinsane.services.duplicity.enable = true;
+  sane.impermanence.enable = true;
+  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
+  sane.services.nixserve.enable = true;
+  sane.services.nixserve.sopsFile = ../../secrets/servo.yaml;
 
-  # TODO: validate this
-  boot.loader.grub.enable = false;
-  boot.loader.generic-extlinux-compatible.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
-  colinsane.image.extraBootFiles = [ pkgs.bootpart-u-boot-rpi-aarch64 ];
+  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sops.secrets.duplicity_passphrase = {
     sopsFile = ../../secrets/servo.yaml;
@@ -40,7 +28,7 @@
   # both transmission and ipfs try to set different net defaults.
   # we just use the most aggressive of the two here:
   boot.kernel.sysctl = {
-    "net.core.rmem_max" = "4194304";  # 4MB
+    "net.core.rmem_max" = 4194304;  # 4MB
   };
 
   # This value determines the NixOS release from which the default
@@ -49,6 +37,6 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "21.11";
 }
 

hosts/servo/fs.nix

@@ -0,0 +1,98 @@
+{ ... }:
+
+{
+  # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=755"
+      "size=1G"
+      "defaults"
+    ];
+  };
+  # we need a /tmp for building large nix things
+  fileSystems."/tmp" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=777"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/cc81cca0-3cc7-4d82-a00c-6243af3e7776";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/6EE3-4171";
+    fsType = "vfat";
+  };
+
+  # slow, external storage (for archiving, etc)
+  fileSystems."/nix/persist/ext" = {
+    device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  sane.impermanence.service-dirs = [
+    # TODO: this is overly broad; only need media and share directories to be persisted
+    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
+  ];
+  # direct these media directories to external storage
+  environment.persistence."/nix/persist/ext/persist" = {
+    directories = [
+      ({
+        user = "colin";
+        group = "users";
+        mode = "0777";
+        directory = "/var/lib/uninsane/media/Videos";
+      })
+      ({
+        user = "colin";
+        group = "users";
+        mode = "0777";
+        directory = "/var/lib/uninsane/media/freeleech";
+      })
+    ];
+  };
+
+  # in-memory compressed RAM (seems to be dynamically sized)
+  # zramSwap = {
+  #   enable = true;
+  # };
+
+  # btrfs doesn't easily support swapfiles
+  # swapDevices = [
+  #   { device = "/nix/persist/swapfile"; size = 4096; }
+  # ];
+
+  # this can be a partition. create with:
+  #   fdisk <dev>
+  #     n
+  #     <default partno>
+  #     <start>
+  #     <end>
+  #     t
+  #     <partno>
+  #     19  # set part type to Linux swap
+  #     w   # write changes
+  #   mkswap -L swap <part>
+  # swapDevices = [
+  #   {
+  #     label = "swap";
+  #     # TODO: randomEncryption.enable = true;
+  #   }
+  # ];
+}
+

hosts/servo/net.nix

@@ -13,6 +13,7 @@
 
   # networking.firewall.enable = false;
   networking.firewall.enable = true;
+  # TODO: split these into the submodules
   networking.firewall.allowedTCPPorts = [
     25   # SMTP
     80   # HTTP

hosts/servo/services/default.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  imports = [
+    ./ddns-he.nix
+    ./ejabberd.nix
+    ./freshrss.nix
+    ./gitea.nix
+    ./goaccess.nix
+    ./ipfs.nix
+    ./jackett.nix
+    ./jellyfin.nix
+    ./matrix
+    ./navidrome.nix
+    ./nginx.nix
+    ./pleroma.nix
+    ./postfix.nix
+    ./postgres.nix
+    ./prosody.nix
+    ./transmission.nix
+  ];
+}

hosts/servo/services/ejabberd.nix

@@ -0,0 +1,48 @@
+# docs:
+# - <https://docs.ejabberd.im/admin/configuration/basic>
+{ lib, ... }:
+
+# XXX disabled: fails to start because of `mnesia_tm` dependency
+# lib.mkIf false
+{
+  sane.impermanence.service-dirs = [
+    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    5222  # XMPP client -> server
+    5269  # XMPP server -> server
+  ];
+
+  # provide access to certs
+  users.users.ejabberd.extraGroups = [ "nginx" ];
+
+  # TODO: allocate UIDs/GIDs ?
+  services.ejabberd.enable = true;
+  services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
+    hosts:
+      - uninsane.org
+
+    # none | emergency | alert | critical | error | warning | notice | info | debug
+    loglevel: debug
+
+    acme:
+      auto: false
+    certfiles:
+      - /var/lib/acme/uninsane.org/fullchain.pem
+      - /var/lib/acme/uninsane.org/key.pem
+
+    pam_userinfotype: jid
+
+    # see: <https://docs.ejabberd.im/admin/configuration/listen/>
+    # TODO: host web admin panel
+    listen:
+      -
+        port: 5222
+        module: ejabberd_c2s
+        starttls: true
+      -
+        port: 5269
+        module: ejabberd_s2s_in
+        starttls: true
+  '';
+}

hosts/servo/services/freshrss.nix

@@ -0,0 +1,52 @@
+# import feeds with e.g.
+# ```console
+# $ nix build '.#nixpkgs.freshrss'
+# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --filename /home/colin/.config/newsflashFeeds.opml
+# ```
+#
+# export feeds with
+# ```console
+# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/export-opml-for-user.php --user admin
+# ```
+
+{ config, lib, pkgs, ... }:
+{
+  sops.secrets.freshrss_passwd = {
+    sopsFile = ../../../secrets/servo.yaml;
+    owner = config.users.users.freshrss.name;
+    mode = "400";
+  };
+  sane.impermanence.service-dirs = [
+    { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
+  ];
+
+  users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
+  users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
+  services.freshrss.enable = true;
+  services.freshrss.baseUrl = "https://rss.uninsane.org";
+  services.freshrss.virtualHost = "rss.uninsane.org";
+  services.freshrss.passwordFile = config.sops.secrets.freshrss_passwd.path;
+
+  systemd.services.freshrss-import-feeds =
+  let
+    fresh = config.systemd.services.freshrss-config;
+    feeds = import ../../../modules/home-manager/feeds.nix { inherit lib; };
+    opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
+  in {
+    inherit (fresh) wantedBy environment;
+    serviceConfig = {
+      inherit (fresh.serviceConfig) Type User Group StateDirectory WorkingDirectory
+        # hardening options
+        CapabilityBoundingSet DeviceAllow LockPersonality NoNewPrivileges PrivateDevices PrivateTmp PrivateUsers ProcSubset ProtectClock ProtectControlGroups ProtectHome ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables ProtectProc ProtectSystem RemoveIPC RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallArchitectures SystemCallFilter UMask;
+    };
+    description = "import sane RSS feed list";
+    after = [ "freshrss-config.service" ];
+    script = ''
+      ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
+    '';
+  };
+
+  # the default ("*:0/5") is to run every 5 minutes.
+  # `systemctl list-timers` to show
+  systemd.services.freshrss-updater.startAt = lib.mkForce "*:3/30";
+}

hosts/servo/services/gitea.nix

@@ -1,6 +1,11 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 {
+  sane.impermanence.service-dirs = [
+    # TODO: mode? could be more granular
+    { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
+  ];
+  users.groups.gitea.gid = config.sane.allocations.gitea-gid;
   services.gitea.enable = true;
   services.gitea.user = "git";  # default is 'gitea'
   services.gitea.database.type = "postgres";
@@ -8,7 +13,7 @@
   services.gitea.appName = "Perfectly Sane Git";
   services.gitea.domain = "git.uninsane.org";
   services.gitea.rootUrl = "https://git.uninsane.org/";
-  services.gitea.cookieSecure = true;
+  services.gitea.settings.session.COOKIE_SECURE = true;
   # services.gitea.disableRegistration = true;
 
   services.gitea.settings = {
@@ -55,7 +60,7 @@
     };
   };
   # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
-  services.gitea.log.level = "Info";
+  services.gitea.settings.log.LEVEL = "Warn";
 
   systemd.services.gitea.serviceConfig = {
     # nix default is AF_UNIX AF_INET AF_INET6.

hosts/servo/services/goaccess.nix

@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+  # based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
+  # log-format setting can be derived with this tool if custom:
+  # - <https://github.com/stockrt/nginx2goaccess>
+  # config options:
+  # - <https://github.com/allinurl/goaccess/blob/master/config/goaccess.conf>
+
+  systemd.services.goaccess = {
+    description = "GoAccess server monitoring";
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.goaccess}/bin/goaccess \
+          -f /var/log/nginx/public.log \
+          --log-format=VCOMBINED \
+          --real-time-html \
+          --html-refresh=30 \
+          --no-query-string \
+          --anonymize-ip \
+          --ignore-panel=HOSTS \
+          --ws-url=wss://sink.uninsane.org:443/ws \
+          --port=7890 \
+          -o /var/lib/uninsane/sink/index.html
+      '';
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Type = "simple";
+      Restart = "on-failure";
+
+      # hardening
+      WorkingDirectory = "/tmp";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = "read-only";
+      ProtectSystem = "strict";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
+      ReadOnlyPaths = "/";
+      ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
+      PrivateDevices = "yes";
+      ProtectKernelModules = "yes";
+      ProtectKernelTunables = "yes";
+    };
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+}

hosts/servo/services/ipfs.nix

@@ -0,0 +1,69 @@
+# admin:
+# - view stats:
+#   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ stats bw
+#   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ stats dht
+#   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ bitswap stat
+# - number of open peer connections:
+#   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ swarm peers | wc -l
+
+{ ... }:
+{
+  sane.impermanence.service-dirs = [
+    # TODO: mode? could be more granular
+    { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
+  ];
+  # services.ipfs.enable = true;
+  services.kubo.localDiscovery = true;
+  services.kubo.settings = {
+    Addresses = {
+      Announce = [
+        # "/dns4/ipfs.uninsane.org/tcp/4001"
+        "/dns4/ipfs.uninsane.org/udp/4001/quic"
+      ];
+      Swarm = [
+        # "/dns4/ipfs.uninsane.org/tcp/4001"
+        # "/ip4/0.0.0.0/tcp/4001"
+        "/dns4/ipfs.uninsane.org/udp/4001/quic"
+        "/ip4/0.0.0.0/udp/4001/quic"
+      ];
+    };
+    Gateway = {
+      # the gateway can only be used to serve content already replicated on this host
+      NoFetch = true;
+    };
+    Swarm = {
+      ConnMgr = {
+        # maintain between LowWater and HighWater peer connections
+        # taken from: https://github.com/ipfs/ipfs-desktop/pull/2055
+        # defaults are 600-900: https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmconnmgr
+        LowWater = 20;
+        HighWater = 40;
+        # default is 20s. i guess more grace period = less churn
+        GracePeriod = "1m";
+      };
+      ResourceMgr = {
+        # docs: https://github.com/libp2p/go-libp2p-resource-manager#resource-scopes
+        Enabled = true;
+        Limits = {
+          System = {
+            Conns = 196;
+            ConnsInbound = 128;
+            ConnsOutbound = 128;
+            FD = 512;
+            Memory = 1073741824;  # 1GiB
+            Streams = 1536;
+            StreamsInbound = 1024;
+            StreamsOutbound = 1024;
+          };
+        };
+      };
+      Transports = {
+        Network = {
+          # disable TCP, force QUIC, for lighter resources
+          TCP = false;
+          QUIC = true;
+        };
+      };
+    };
+  };
+}

hosts/servo/services/jackett.nix

@@ -1,6 +1,10 @@
 { ... }:
 
 {
+  sane.impermanence.service-dirs = [
+    # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
+    { user = "root"; group = "root"; directory = "/var/lib/jackett"; }
+  ];
   services.jackett.enable = true;
 
   systemd.services.jackett.after = ["wg0veth.service"];

hosts/servo/services/jellyfin.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+  sane.impermanence.service-dirs = [
+    # TODO: mode? could be more granular
+    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
+  ];
+
+  # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
+  # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
+  # TODO: re-enable after migrating media dir to /var/lib/uninsane/media
+  # else it's too spammy
+  # services.jellyfin.enable = true;
+}

hosts/servo/services/matrix/default.nix

@@ -0,0 +1,85 @@
+# docs: https://nixos.wiki/wiki/Matrix
+# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
+{ config, lib, ... }:
+
+{
+  imports = [
+    ./discord-puppet.nix
+    # ./irc.nix
+  ];
+
+  sane.impermanence.service-dirs = [
+    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
+  ];
+  services.matrix-synapse.enable = true;
+  services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
+  services.matrix-synapse.settings.server_name = "uninsane.org";
+
+  # services.matrix-synapse.enable_registration_captcha = true;
+  # services.matrix-synapse.enable_registration_without_verification = true;
+  services.matrix-synapse.settings.enable_registration = true;
+  # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
+
+  # default for listeners is port = 8448, tls = true, x_forwarded = false.
+  # we change this because the server is situated behind nginx.
+  services.matrix-synapse.settings.listeners = [
+    {
+      port = 8008;
+      bind_addresses = [ "127.0.0.1" ];
+      type = "http";
+      tls = false;
+      x_forwarded = true;
+      resources = [
+        {
+          names = [ "client" "federation" ];
+          compress = false;
+        }
+      ];
+    }
+  ];
+
+  services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
+  services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
+
+  services.matrix-synapse.extraConfigFiles = [
+    config.sops.secrets.matrix_synapse_secrets.path
+  ];
+
+  # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
+  #   admin_contact: "admin.matrix@uninsane.org"
+  #   registrations_require_3pid:
+  #     - email
+  #   email:
+  #     smtp_host: "mx.uninsane.org"
+  #     smtp_port: 587
+  #     smtp_user: "matrix-synapse"
+  #     smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
+  #     require_transport_security: true
+  #     enable_tls: true
+  #     notif_from: "%(app)s <notify.matrix@uninsane.org>"
+  #     app_name: "Uninsane Matrix"
+  #     enable_notifs: true
+  #     validation_token_lifetime: 96h
+  #     invite_client_location: "https://web.matrix.uninsane.org"
+  #     subjects:
+  #       email_validation: "[%(server_name)s] Validate your email"
+  # ''];
+
+  # new users may be registered on the CLI:
+  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
+  #
+  # or provide an registration token then can use to register through the client.
+  #   docs: https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/admin_api/registration_tokens.md
+  # first, grab your own user's access token (Help & About section in Element). then:
+  #   curl --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens
+  # create a token with unlimited uses:
+  #   curl -d '{}' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
+  # create a token with limited uses:
+  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
+
+
+  sops.secrets.matrix_synapse_secrets = {
+    sopsFile = ../../../../secrets/servo.yaml;
+    owner = config.users.users.matrix-synapse.name;
+  };
+}

hosts/servo/services/matrix/discord-puppet.nix

@@ -0,0 +1,52 @@
+{ lib, ... }:
+{
+  sane.impermanence.service-dirs = [
+    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
+  ];
+
+  services.matrix-synapse.settings.app_service_config_files = [
+    # auto-created by mx-puppet-discord service
+    "/var/lib/mx-puppet-discord/discord-registration.yaml"
+  ];
+
+  services.mx-puppet-discord.enable = true;
+  # schema/example: <https://gitlab.com/mx-puppet/discord/mx-puppet-discord/-/blob/main/sample.config.yaml>
+  services.mx-puppet-discord.settings = {
+    bridge = {
+      # port = 8434
+      bindAddress = "127.0.0.1";
+      domain = "uninsane.org";
+      homeserverUrl = "http://127.0.0.1:8008";
+      # displayName = "mx-discord-puppet";  # matrix name for the bot
+      # matrix "groups" were an earlier version of spaces.
+      # maybe the puppet understands this, maybe not?
+      enableGroupSync = false;
+    };
+    presence = {
+      enabled = false;
+      interval = 30000;
+    };
+    provisioning = {
+      # allow these users to control the puppet
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    relay = {
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    selfService = {
+      # who's allowed to use plumbed rooms (idk what that means)
+      whitelist = [ "@colin:uninsane\\.org" ];
+    };
+    logging = {
+      # silly, debug, verbose, info, warn, error
+      console = "debug";
+    };
+  };
+
+  systemd.services.mx-puppet-discord.serviceConfig = {
+    # fix up to not use /var/lib/private, but just /var/lib
+    DynamicUser = lib.mkForce false;
+    User = "matrix-synapse";
+    Group = "matrix-synapse";
+  };
+}

hosts/servo/services/matrix/irc.nix

@@ -1,80 +1,19 @@
-# docs: https://nixos.wiki/wiki/Matrix
-# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
-{ config, ... }:
+{ config, lib, ... }:
 
 {
-  services.matrix-synapse.enable = true;
-  services.matrix-synapse.settings.server_name = "uninsane.org";
-
-  # services.matrix-synapse.enable_registration_captcha = true;
-  # services.matrix-synapse.enable_registration_without_verification = true;
-  services.matrix-synapse.settings.enable_registration = true;
-  # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
-
-  # default for listeners is port = 8448, tls = true, x_forwarded = false.
-  # we change this because the server is situated behind nginx.
-  services.matrix-synapse.settings.listeners = [
-    {
-      port = 8008;
-      bind_addresses = [ "127.0.0.1" ];
-      type = "http";
-      tls = false;
-      x_forwarded = true;
-      resources = [
-        {
-          names = [ "client" "federation" ];
-          compress = false;
-        }
-      ];
-    }
+  sane.impermanence.service-dirs = [
+    # TODO: mode?
+    # user and group are both "matrix-appservice-irc"
+    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
   ];
 
-  services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
-  services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
-
-  services.matrix-synapse.extraConfigFiles = [
-    config.sops.secrets.matrix_synapse_secrets.path
-  ];
-
-  # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
-  #   admin_contact: "admin.matrix@uninsane.org"
-  #   registrations_require_3pid:
-  #     - email
-  #   email:
-  #     smtp_host: "mx.uninsane.org"
-  #     smtp_port: 587
-  #     smtp_user: "matrix-synapse"
-  #     smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
-  #     require_transport_security: true
-  #     enable_tls: true
-  #     notif_from: "%(app)s <notify.matrix@uninsane.org>"
-  #     app_name: "Uninsane Matrix"
-  #     enable_notifs: true
-  #     validation_token_lifetime: 96h
-  #     invite_client_location: "https://web.matrix.uninsane.org"
-  #     subjects:
-  #       email_validation: "[%(server_name)s] Validate your email"
-  # ''];
   services.matrix-synapse.settings.app_service_config_files = [
     "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
   ];
 
-  # new users may be registered on the CLI:
-  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
-  #
-  # or provide an registration token then can use to register through the client.
-  #   docs: https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/admin_api/registration_tokens.md
-  # first, grab your own user's access token (Help & About section in Element). then:
-  #   curl --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens
-  # create a token with unlimited uses:
-  #   curl -d '{}' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
-  # create a token with limited uses:
-  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
-
-  # IRC bridging
   # note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
   # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
-  # services.matrix-appservice-irc.enable = true;
+  services.matrix-appservice-irc.enable = true;
   services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
   # settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
   services.matrix-appservice-irc.settings = {
@@ -155,9 +94,4 @@
       };
     };
   };
-
-  sops.secrets.matrix_synapse_secrets = {
-    sopsFile = ../../../secrets/servo.yaml;
-    owner = config.users.users.matrix-synapse.name;
-  };
 }

hosts/servo/services/matrix/synapse-log_level.yaml

@@ -0,0 +1,27 @@
+version: 1
+
+# In systemd's journal, loglevel is implicitly stored, so let's omit it
+# from the message text.
+formatters:
+    journal_fmt:
+        format: '%(name)s: [%(request)s] %(message)s'
+
+filters:
+    context:
+        (): synapse.util.logcontext.LoggingContextFilter
+        request: ""
+
+handlers:
+    journal:
+        class: systemd.journal.JournalHandler
+        formatter: journal_fmt
+        filters: [context]
+        SYSLOG_IDENTIFIER: synapse
+
+# default log level: INFO
+root:
+    level: WARN
+    handlers: [journal]
+
+disable_existing_loggers: False
+

hosts/servo/services/navidrome.nix

@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+  sane.impermanence.service-dirs = [
+    { user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
+  ];
+  services.navidrome.enable = true;
+  services.navidrome.settings = {
+    # docs: https://www.navidrome.org/docs/usage/configuration-options/
+    Address = "127.0.0.1";
+    Port = 4533;
+    MusicFolder = "/var/lib/uninsane/media/Music";
+    CovertArtPriority = "*.jpg, *.JPG, *.png, *.PNG, embedded";
+    AutoImportPlaylists = false;
+    ScanSchedule = "@every 1h";
+  };
+}

hosts/servo/services/nginx.nix

@@ -1,17 +1,54 @@
 # docs: https://nixos.wiki/wiki/Nginx
 { config, pkgs, ... }:
 
+let
+  # make the logs for this host "public" so that they show up in e.g. metrics
+  publog = vhost: vhost // {
+    extraConfig = (vhost.extraConfig or "") + ''
+      access_log /var/log/nginx/public.log vcombined;
+    '';
+  };
+
+  kTLS = true;  # in-kernel TLS for better perf
+in
 {
   services.nginx.enable = true;
+  services.nginx.appendConfig = ''
+    # use 1 process per core.
+    # may want to increase worker_connections too, but `ulimit -n` must be increased first.
+    worker_processes auto;
+  '';
+
+  # this is the standard `combined` log format, with the addition of $host
+  # so that we have the virtualHost in the log.
+  # KEEP IN SYNC WITH GOACCESS
+  # goaccess calls this VCOMBINED:
+  # - <https://gist.github.com/jyap808/10570005>
+  services.nginx.commonHttpConfig = ''
+    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
+    access_log /var/log/nginx/private.log vcombined;
+  '';
+  # sets gzip_comp_level = 5
+  services.nginx.recommendedGzipSettings = true;
+  # enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
+  # caches TLS sessions for 10m
+  services.nginx.recommendedTlsSettings = true;
+  # enables sendfile, tcp_nopush, tcp_nodelay, keepalive_timeout 65
+  services.nginx.recommendedOptimisation = true;
 
   # web blog/personal site
-  services.nginx.virtualHosts."uninsane.org" = {
-    root = "/var/lib/uninsane/root";
+  services.nginx.virtualHosts."uninsane.org" = publog {
+    root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
     # a lot of places hardcode https://uninsane.org,
     # and then when we mix http + non-https, we get CORS violations
     # and things don't look right. so force SSL.
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
+
+    # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
+    # yes, nginx does not strip the prefix when evaluating against the root.
+    locations."/share".root = "/var/lib/uninsane/root";
 
     # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
     locations."= /.well-known/matrix/server".extraConfig =
@@ -53,10 +90,32 @@
     # };
   };
 
-  # Pleroma server and web interface
-  services.nginx.virtualHosts."fed.uninsane.org" = {
+  # server statistics
+  services.nginx.virtualHosts."sink.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
+    root = "/var/lib/uninsane/sink";
+
+    locations."/ws" = {
+      proxyPass = "http://127.0.0.1:7890";
+      # XXX not sure how much of this is necessary
+      extraConfig = ''
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_buffering off;
+        proxy_read_timeout 7d;
+      '';
+    };
+
+  };
+
+  # Pleroma server and web interface
+  services.nginx.virtualHosts."fed.uninsane.org" = publog {
+    forceSSL = true;  # pleroma redirects to https anyway
+    enableACME = true;
+    inherit kTLS;
     locations."/" = {
       proxyPass = "http://127.0.0.1:4000";
       # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
@@ -98,6 +157,7 @@
     # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9091";
       proxyPass = "http://10.0.1.6:9091";
@@ -108,6 +168,7 @@
   services.nginx.virtualHosts."jackett.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9117";
       proxyPass = "http://10.0.1.6:9117";
@@ -115,9 +176,10 @@
   };
 
   # matrix chat server
-  services.nginx.virtualHosts."matrix.uninsane.org" = {
+  services.nginx.virtualHosts."matrix.uninsane.org" = publog {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     # TODO colin: replace this with something helpful to the viewer
     # locations."/".extraConfig = ''
@@ -144,6 +206,7 @@
   services.nginx.virtualHosts."web.matrix.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     root = pkgs.element-web.override {
       conf = {
@@ -156,9 +219,10 @@
   };
 
   # hosted git (web view and for `git <cmd>` use
-  services.nginx.virtualHosts."git.uninsane.org" = {
-    addSSL = true;
+  services.nginx.virtualHosts."git.uninsane.org" = publog {
+    forceSSL = true;  # gitea complains if served over a different protocol than its config file says
     enableACME = true;
+    inherit kTLS;
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:3000";
@@ -170,6 +234,7 @@
   services.nginx.virtualHosts."jelly.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:8096";
@@ -213,11 +278,26 @@
     };
   };
 
+  services.nginx.virtualHosts."music.uninsane.org" = {
+    forceSSL = true;
+    enableACME = true;
+    inherit kTLS;
+    locations."/".proxyPass = "http://127.0.0.1:4533";
+  };
+
+  services.nginx.virtualHosts."rss.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    inherit kTLS;
+    # the routing is handled by freshrss.nix
+  };
+
   services.nginx.virtualHosts."ipfs.uninsane.org" = {
     # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
     # ideally we'd disable ssl entirely, but some places assume it?
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
 
     default = true;
 
@@ -243,6 +323,7 @@
   services.nginx.virtualHosts."nixcache.uninsane.org" = {
     addSSL = true;
     enableACME = true;
+    inherit kTLS;
     # serverAliases = [ "nixcache" ];
     locations."/".extraConfig = ''
       proxy_pass http://localhost:${toString config.services.nix-serve.port};
@@ -254,4 +335,11 @@
 
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "admin.acme@uninsane.org";
+
+  users.users.acme.uid = config.sane.allocations.acme-uid;
+  users.groups.acme.gid = config.sane.allocations.acme-gid;
+  sane.impermanence.service-dirs = [
+    # TODO: mode?
+    { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
+  ];
 }

hosts/servo/services/pleroma.nix

@@ -1,21 +1,29 @@
-# docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+# docs:
+# - https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+# - https://docs.pleroma.social/backend/configuration/cheatsheet/
 #
 # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
 { config, pkgs, ... }:
 
 {
+  sane.impermanence.service-dirs = [
+    # TODO: mode? could be more granular
+    { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
+  ];
+  users.users.pleroma.uid = config.sane.allocations.pleroma-uid;
+  users.groups.pleroma.gid = config.sane.allocations.pleroma-gid;
   services.pleroma.enable = true;
   services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
   services.pleroma.configs = [
     ''
     import Config
-    
+
     config :pleroma, Pleroma.Web.Endpoint,
       url: [host: "fed.uninsane.org", scheme: "https", port: 443],
       http: [ip: {127, 0, 0, 1}, port: 4000]
     #   secret_key_base: "{secrets.pleroma.secret_key_base}",
     #   signing_salt: "{secrets.pleroma.signing_salt}"
-    
+
     config :pleroma, :instance,
       name: "Perfectly Sane",
       description: "Single-user Pleroma instance",
@@ -41,17 +49,20 @@
       enabled: false,
       redirect_on_failure: true
       #base_url: "https://cache.pleroma.social"
-    
+
+    # see for reference:
+    # - `force_custom_plan`: <https://docs.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans>
     config :pleroma, Pleroma.Repo,
       adapter: Ecto.Adapters.Postgres,
       username: "pleroma",
       database: "pleroma",
       hostname: "localhost",
       pool_size: 10,
-      prepare: :named,
       parameters: [
           plan_cache_mode: "force_custom_plan"
       ]
+    # XXX: prepare: :named is needed only for PG <= 12
+    #   prepare: :named,
     #   password: "{secrets.pleroma.db_password}",
 
     # Configure web push notifications
@@ -61,16 +72,17 @@
     #   private_key: "{secrets.pleroma.vapid_private_key}"
 
     # config :joken, default_signer: "{secrets.pleroma.joken_default_signer}"
-    
+
     config :pleroma, :database, rum_enabled: false
     config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
     config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
     config :pleroma, configurable_from_database: false
 
     # strip metadata from uploaded images
-    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool]
+    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation]
 
     # TODO: GET /api/pleroma/captcha is broken
+    # there was a nixpkgs PR to fix this around 2022/10 though.
     config :pleroma, Pleroma.Captcha,
       enabled: false,
       method: Pleroma.Captcha.Native
@@ -80,11 +92,11 @@
     # Enable Strict-Transport-Security once SSL is working:
     config :pleroma, :http_security,
       sts: true
-    
+
     # docs: https://docs.pleroma.social/backend/configuration/cheatsheet/#logger
     config :logger,
       backends: [{ExSyslogger, :ex_syslogger}]
-    
+
     config :logger, :ex_syslogger,
       level: :warn
     #  level: :debug
@@ -103,9 +115,9 @@
 
   systemd.services.pleroma.path = [ 
     # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
-    pkgs.bash 
+    pkgs.bash
     # used by Pleroma to strip geo tags from uploads
-    pkgs.exiftool 
+    pkgs.exiftool
     # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
     pkgs.gawk
     # needed for email operations like password reset

hosts/servo/services/postfix.nix

@@ -16,6 +16,15 @@ let
   };
 in
 {
+  sane.impermanence.service-dirs = [
+    # TODO: mode? could be more granular
+    { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
+    { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
+    { user = "root"; group = "root"; directory = "/var/spool/mail"; }
+    # *probably* don't need these dirs:
+    # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
+    # "/var/lib/dovecot"
+  ];
   services.postfix.enable = true;
   services.postfix.hostname = "mx.uninsane.org";
   services.postfix.origin = "uninsane.org";

hosts/servo/services/postgres.nix

@@ -1,6 +1,10 @@
 { ... }:
 
 {
+  sane.impermanence.service-dirs = [
+    # TODO: mode?
+    { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
+  ];
   services.postgresql.enable = true;
   # services.postgresql.dataDir = "/opt/postgresql/13";
   # XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
@@ -13,6 +17,11 @@
   #     LC_CTYPE = "C";
   # '';
 
+  # TODO: perf tuning
+  # - for recommended values see: <https://pgtune.leopard.in.ua/>
+  # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
+  # services.postgresql.settings = { ... }
+
   # daily backups to /var/backup
   services.postgresqlBackup.enable = true;
 

hosts/servo/services/prosody.nix

@@ -0,0 +1,62 @@
+# create users with:
+# - `sudo -u prosody prosodyctl adduser colin@uninsane.org`
+
+{ lib, ... }:
+
+# XXX disabled: doesn't send messages to nixnet.social (only receives them).
+# nixnet runs ejabberd, so revisiting that.
+lib.mkIf false
+{
+  sane.impermanence.service-dirs = [
+    { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    5222  # XMPP client -> server
+    5269  # XMPP server -> server
+    5280  # Prosody HTTP port  (necessary?)
+    5281  # Prosody HTTPS port  (necessary?)
+  ];
+
+  # provide access to certs
+  users.users.prosody.extraGroups = [ "nginx" ];
+
+  security.acme.certs."uninsane.org".extraDomainNames = [
+    "conference.xmpp.uninsane.org"
+    "upload.xmpp.uninsane.org"
+  ];
+
+  services.prosody = {
+    enable = true;
+    admins = [ "colin@uninsane.org" ];
+    # allowRegistration = false;
+    # extraConfig = ''
+    #   s2s_require_encryption = true
+    #   c2s_require_encryption = true
+    # '';
+
+    # extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
+
+    ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
+    ssl.key = "/var/lib/acme/uninsane.org/key.pem";
+
+    muc = [
+      {
+        domain = "conference.xmpp.uninsane.org";
+      }
+    ];
+    uploadHttp.domain = "upload.xmpp.uninsane.org";
+
+    virtualHosts = {
+      localhost = {
+        domain = "localhost";
+        enabled = true;
+      };
+      "uninsane.org" = {
+        domain = "uninsane.org";
+        enabled = true;
+        ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
+        ssl.key = "/var/lib/acme/uninsane.org/key.pem";
+      }; 
+    };
+  };
+}

hosts/servo/services/transmission.nix

@@ -1,6 +1,10 @@
 { ... }:
 
 {
+  sane.impermanence.service-dirs = [
+    # TODO: mode? we need this specifically for the stats tracking in .config/
+    { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
+  ];
   services.transmission.enable = true;
   services.transmission.settings = {
     rpc-bind-address = "0.0.0.0";
@@ -29,6 +33,9 @@
     # see: https://git.zknt.org/mirror/transmission/commit/cfce6e2e3a9b9d31a9dafedd0bdc8bf2cdb6e876?lang=bg-BG
     anti-brute-force-enabled = false;
 
+    download-dir = "/var/lib/uninsane/media";
+    incomplete-dir = "/var/lib/uninsane/media/incomplete";
+
   };
   # transmission will by default not allow the world to read its files.
   services.transmission.downloadDirPermissions = "775";
@@ -37,6 +44,7 @@
   systemd.services.transmission.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
+    LogLevelMax = "warning";
   };
 }
 

hosts/servo/users.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 {
@@ -12,6 +12,7 @@
     home = "/var/lib/gitea";
     useDefaultShell = true;
     group = "gitea";
+    uid = config.sane.allocations.git-uid;
     isSystemUser = true;
     # sendmail access (not 100% sure if this is necessary)
     extraGroups = [ "postdrop" ];

machines/moby/default.nix

@@ -1,57 +0,0 @@
-{ pkgs, mobile-nixos, ... }:
-{
-  imports = [
-    (import "${mobile-nixos}/lib/configuration.nix" {
-      device = "pine64-pinephone";
-    })
-    ./firmware.nix
-    ./fs.nix
-  ];
-  # XXX colin: phosh doesn't work well with passwordless login
-  users.users.colin.initialPassword = "147147";
-
-  colinsane.home-manager.extraPackages = [
-    # for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
-    pkgs.angelfish  # plasma mobile web browser; broken on phosh (poor wayland support)
-    # pkgs.plasma5Packages.index  # file browser
-    pkgs.plasma5Packages.konsole  # terminal
-    # pkgs.plasma5Packages.pix  # picture viewer
-    pkgs.plasma5Packages.kalk  # calculator; broken on phosh
-    # pkgs.plasma5Packages.buho  # (plasma mobile?) note application
-    pkgs.plasma5Packages.kasts  #  podcast app; works on phosh after setting QT envar
-    pkgs.plasma5Packages.koko  # image gallery; broken on phosh
-    pkgs.plasma5Packages.kwave  # media player.
-    # pkgs.plasma5Packages.neochat  #  matrix client. needs qcoro => no aarch64 support
-    # pkgs.plasma5Packages.plasma-dialer  # phone dialer
-    # pkgs.plasma5Packages.plasma-mobile  # the whole shebang?
-    # pkgs.plasma5Packages.plasma-settings
-    pkgs.plasma5Packages.bomber  # arcade game; broken on phosh
-    pkgs.plasma5Packages.kapman  # pacman
-    pkgs.w3m  # text-based web browser; works!
-    pkgs.st  # suckless terminal; broken on phosh
-    # pkgs.alacritty  # terminal; crashes phosh
-  ];
-
-  colinsane.nixcache.enable = true;
-  colinsane.gui.phosh.enable = true;
-  boot.loader.grub.enable = false;
-  mobile.bootloader.enable = false;
-  boot.loader.generic-extlinux-compatible.enable = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
-
-  # defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
-  # XXX colin: not sure which, if any, software makes use of this
-  environment.etc."machine-info".text = ''
-    CHASSIS="handset"
-  '';
-
-  # enable rotation sensor
-  hardware.sensor.iio.enable = true;
-}

machines/servo/fs.nix

@@ -1,79 +0,0 @@
-{ ... }:
-
-{
-  # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
-  fileSystems."/" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=755"
-      "size=1G"
-      "defaults"
-    ];
-  };
-  # we need a /tmp for building large nix things
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "size=16G"
-      "mode=777"
-      "defaults"
-    ];
-  };
-
-  fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
-    fsType = "btrfs";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/31D3-40CB";
-    fsType = "vfat";
-  };
-
-
-  # fileSystems."/var/lib/pleroma" = {
-  #   device = "/opt/pleroma";
-  #   options = [ "bind" ];
-  # };
-
-  # TODO: does transmission handle symlinks?
-  fileSystems."/var/lib/transmission/Downloads" = {
-    device = "/var/lib/uninsane/media";
-    options = [ "bind" ];
-  };
-  fileSystems."/var/lib/transmission/.incomplete" = {
-    device = "/var/lib/uninsane/media/incomplete";
-    options = [ "bind" ];
-  };
-
-  # in-memory compressed RAM (seems to be dynamically sized)
-  zramSwap = {
-    enable = true;
-  };
-
-  # btrfs doesn't easily support swapfiles
-  # swapDevices = [
-  #   { device = "/nix/persist/swapfile"; size = 4096; }
-  # ];
-
-  # this can be a partition. create with:
-  #   fdisk <dev>
-  #     n
-  #     <default partno>
-  #     <start>
-  #     <end>
-  #     t
-  #     <partno>
-  #     19  # set part type to Linux swap
-  #     w   # write changes
-  #   mkswap -L swap <part>
-  swapDevices = [
-    {
-      label = "swap";
-      # TODO: randomEncryption.enable = true;
-    }
-  ];
-}
-

machines/servo/hardware.nix

@@ -1,88 +0,0 @@
-# this file originates from ‘nixos-generate-config’
-# but has been heavily modified
-{ pkgs, ... }:
-
-{
-  # enables non-free firmware
-  hardware.enableRedistributableFirmware = true;
-
-  # i changed this becuse linux 5.10 didn't have rpi-400 device tree blob.
-  # nixos-22.05 linux 5.15 DOES have these now.
-  # it should be possible to remove this if desired, but i'm not sure how the rpi-specific kernel differs.
-  # see: https://github.com/raspberrypi/linux
-  boot.kernelPackages = pkgs.linuxPackages_rpi4;
-
-  # raspberryPi boot loader creates extlinux.conf.
-  #   otherwise, enable the generic-extlinux-compatible loader below.
-  # note: THESE ARE MUTUALLY EXCLUSIVE. generic-extlinux-compatible causes uboot to not be built
-
-  boot.initrd.availableKernelModules = [
-    "bcm2711_thermal"
-    "bcm_phy_lib"
-    "brcmfmac"
-    "brcmutil"
-    "broadcom"
-    "clk_raspberrypi"
-    "drm"  # Direct Render Manager
-    "enclosure"  # SCSI ?
-    "fuse"
-    "mdio_bcm_unimac"
-    "pcie_brcmstb"
-    "raspberrypi_cpufreq"
-    "raspberrypi_hwmon"
-    "ses"  # SCSI Enclosure Services
-    "uas"  # USB attached storage
-    "uio"  # userspace IO
-    "uio_pdrv_genirq"
-    "xhci_pci"
-    "xhci_pci_renesas"
-  ];
-  # boot.initrd.compressor = "gzip";  # defaults to zstd
-  # hack in the `boot.shell_on_fail` arg since it doesn't seem to work otherwise
-  boot.initrd.preFailCommands = "allowShell=1";
-  # default: 4 (warn). 7 is debug
-  boot.consoleLogLevel = 7;
-  # boot.kernelParams = [
-  #   "boot.shell_on_fail"
-  #   # "boot.trace"
-  #   # "systemd.log_level=debug"
-  #   # "systemd.log_target=console"
-  # ];
-
-  # ondemand power scaling keeps the cpu at low frequency when idle, and sets to max frequency
-  # when load is detected. (v.s. the "performance" default, which always uses the max frequency)
-  powerManagement.cpuFreqGovernor = "ondemand";
-
-  # XXX colin: this allows one to `systemctl halt` and then not remove power until the HDD has spun down.
-  # however, it doesn't work with reboot because systemd will spin the drive up again to read its reboot bin.
-  # a better solution would be to put the drive behind a powered USB hub (or get a SSD).
-  # systemd.services.diskguard = {
-  #   description = "Safely power off spinning media";
-  #   before = [ "shutdown.target" ];
-  #   wantedBy = [ "sysinit.target" ];
-  #   # old (creates dep loop, but works)
-  #   # before = [ "systemd-remount-fs.service" "shutdown.target" ];
-  #   # wantedBy = [ "systemd-remount-fs.service" ];
-  #   serviceConfig = {
-  #     Type = "oneshot";
-  #     RemainAfterExit = true;
-  #     ExecStart = "${pkgs.coreutils}/bin/true";
-  #     ExecStop = with pkgs; writeScript "diskguard" ''
-  #       #!${bash}/bin/bash
-  #       if ${procps}/bin/pgrep nixos-rebuild ;
-  #       then
-  #         exit 0  # don't halt drives unless we're actually shutting down. maybe better way to do this (check script args?)
-  #       fi
-  #       # ${coreutils}/bin/sync
-  #       # ${util-linux}/bin/mount -o remount,ro /nix/store
-  #       # ${util-linux}/bin/mount -o remount,ro /
-  #       # -S 1 retracts the spindle after 5 seconds of idle
-  #       # -B 1 spins down the drive after <vendor specific duration>
-  #       ${hdparm}/sbin/hdparm -S 1 -B 1 /dev/sda
-  #       # TODO: monitor smartmonctl until disk is idle? or try hdparm -Y
-  #       # ${coreutils}/bin/sleep 20
-  #       # exec ${util-linux}/bin/umount --all -t ext4,vfat,ext2
-  #     '';
-  #   };
-  # };
-}

machines/servo/services/ipfs.nix

@@ -1,23 +0,0 @@
-{ ... }:
-{
-  services.ipfs.enable = true;
-  services.ipfs.localDiscovery = true;
-  services.ipfs.swarmAddress = [
-    "/dns4/ipfs.uninsane.org/tcp/4001"
-    "/ip4/0.0.0.0/tcp/4001"
-    "/dns4/ipfs.uninsane.org/udp/4001/quic"
-    "/ip4/0.0.0.0/udp/4001/quic"
-  ];
-  services.ipfs.extraConfig = {
-    Addresses = {
-      Announce = [
-        "/dns4/ipfs.uninsane.org/tcp/4001"
-        "/dns4/ipfs.uninsane.org/udp/4001/quic"
-      ];
-    };
-    Gateway = {
-      # the gateway can only be used to serve content already replicated on this host
-      NoFetch = true;
-    };
-  };
-}

machines/servo/services/jellyfin.nix

@@ -1,5 +0,0 @@
-{ ... }:
-
-{
-  services.jellyfin.enable = true;
-}

machines/servo/services/nix-serve.nix

@@ -1,15 +0,0 @@
-# docs: https://nixos.wiki/wiki/Binary_Cache
-# to copy something to this machine's nix cache, do:
-#   nix copy --to ssh://nixcache.uninsane.org PACKAGE
-{ config, ... }:
-
-{
-  services.nix-serve = {
-    enable = true;
-    secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
-  };
-
-  sops.secrets.nix_serve_privkey = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-}

modules/allocations.nix

@@ -0,0 +1,61 @@
+{ lib, ... }:
+
+with lib;
+let
+  mkId = id: mkOption {
+    default = id;
+    type = types.int;
+  };
+in
+{
+  options = {
+    # legacy servo users, some are inconvenient to migrate
+    sane.allocations.dhcpcd-gid = mkId 991;
+    sane.allocations.dhcpcd-uid = mkId 992;
+    sane.allocations.gitea-gid = mkId 993;
+    sane.allocations.git-uid = mkId 994;
+    sane.allocations.jellyfin-gid = mkId 994;
+    sane.allocations.pleroma-gid = mkId 995;
+    sane.allocations.jellyfin-uid = mkId 996;
+    sane.allocations.acme-gid = mkId 996;
+    sane.allocations.pleroma-uid = mkId 997;
+    sane.allocations.acme-uid = mkId 998;
+    sane.allocations.greeter-uid = mkId 999;
+    sane.allocations.greeter-gid = mkId 999;
+
+    sane.allocations.freshrss-uid = mkId 2401;
+    sane.allocations.freshrss-gid = mkId 2401;
+
+    sane.allocations.colin-uid = mkId 1000;
+    sane.allocations.guest-uid = mkId 1100;
+
+    # found on all hosts
+    sane.allocations.sshd-uid = mkId 2001;  # 997
+    sane.allocations.sshd-gid = mkId 2001;  # 997
+    sane.allocations.polkituser-gid = mkId 2002;  # 998
+    sane.allocations.systemd-coredump-gid = mkId 2003;  # 996
+    sane.allocations.nscd-uid = mkId 2004;
+    sane.allocations.nscd-gid = mkId 2004;
+    sane.allocations.systemd-oom-uid = mkId 2005;
+    sane.allocations.systemd-oom-gid = mkId 2005;
+
+    # found on graphical hosts
+    sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
+
+    # found on desko host
+    sane.allocations.usbmux-uid = mkId 2204;
+    sane.allocations.usbmux-gid = mkId 2204;
+
+
+    # originally found on moby host
+    sane.allocations.avahi-uid = mkId 2304;
+    sane.allocations.avahi-gid = mkId 2304;
+    sane.allocations.colord-uid = mkId 2305;
+    sane.allocations.colord-gid = mkId 2305;
+    sane.allocations.geoclue-uid = mkId 2306;
+    sane.allocations.geoclue-gid = mkId 2306;
+    sane.allocations.rtkit-uid = mkId 2307;
+    sane.allocations.rtkit-gid = mkId 2307;
+    sane.allocations.feedbackd-gid = mkId 2308;
+  };
+}

modules/default.nix

@@ -2,12 +2,13 @@
 
 {
   imports = [
+    ./allocations.nix
     ./gui
-    ./hardware
+    ./home-manager
+    ./packages.nix
     ./image.nix
     ./impermanence.nix
-    ./nix.nix
-    ./services/duplicity.nix
-    ./universal
+    ./nixcache.nix
+    ./services
   ];
 }

modules/gui/default.nix

@@ -2,25 +2,28 @@
 
 with lib;
 let
-  cfg = config.colinsane.gui;
+  cfg = config.sane.gui;
 in
 {
   imports = [
     ./gnome.nix
     ./phosh.nix
+    ./plasma.nix
     ./plasma-mobile.nix
     ./sway.nix
   ];
 
   options = {
     # doesn't directly create outputs. consumed by e.g. home-manager.nix module
-    colinsane.gui.enable = mkOption {
+    sane.gui.enable = mkOption {
       default = false;
       type = types.bool;
     };
   };
 
   config = lib.mkIf cfg.enable {
-    colinsane.home-manager.enable = true;
+    sane.packages.enableGuiPkgs = lib.mkDefault true;
+    # all GUIs use network manager?
+    users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
   };
 }

modules/gui/gnome.nix

@@ -2,18 +2,28 @@
 
 with lib;
 let
-  cfg = config.colinsane.gui.gnome;
+  cfg = config.sane.gui.gnome;
 in
 {
   options = {
-    colinsane.gui.gnome.enable = mkOption {
+    sane.gui.gnome.enable = mkOption {
       default = false;
       type = types.bool;
     };
   };
 
   config = mkIf cfg.enable {
-    colinsane.gui.enable = true;
+    sane.gui.enable = true;
+
+    users.users.avahi.uid = config.sane.allocations.avahi-uid;
+    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+    users.users.colord.uid = config.sane.allocations.colord-uid;
+    users.groups.colord.gid = config.sane.allocations.colord-gid;
+    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+
     # start gnome/gdm on boot
     services.xserver.enable = true;
     services.xserver.desktopManager.gnome.enable = true;

modules/gui/phosh.nix

@@ -1,43 +1,106 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
 
 with lib;
 let
-  cfg = config.colinsane.gui.phosh;
+  cfg = config.sane.gui.phosh;
 in
 {
   options = {
-    colinsane.gui.phosh.enable = mkOption {
+    sane.gui.phosh.enable = mkOption {
       default = false;
       type = types.bool;
     };
+    sane.gui.phosh.useGreeter = mkOption {
+      description = ''
+        launch phosh via a greeter (like lightdm-mobile-greeter).
+        phosh is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
   };
 
-  config = mkIf cfg.enable {
-    colinsane.gui.enable = true;
-    # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
-    services.xserver.desktopManager.phosh = {
-      enable = true;
-      user = "colin";
-      group = "users";
-      phocConfig = {
-        # xwayland = "true";
-        # find default outputs by catting /etc/phosh/phoc.ini
-        outputs.DSI-1 = {
-          scale = 1.5;
+  config = mkIf cfg.enable (mkMerge [
+    {
+      sane.gui.enable = true;
+
+      users.users.avahi.uid = config.sane.allocations.avahi-uid;
+      users.users.colord.uid = config.sane.allocations.colord-uid;
+      users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+      users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+      users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+      users.groups.colord.gid = config.sane.allocations.colord-gid;
+      users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
+      users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+      users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+
+      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
+      services.xserver.desktopManager.phosh = {
+        enable = true;
+        user = "colin";
+        group = "users";
+        phocConfig = {
+          # xwayland = "true";
+          # find default outputs by catting /etc/phosh/phoc.ini
+          outputs.DSI-1 = {
+            scale = 1.5;
+          };
         };
       };
-    };
 
-    hardware.opengl.enable = true;
-    hardware.opengl.driSupport = true;
+      # XXX: phosh enables networkmanager by default; can probably disable these lines
+      networking.useDHCP = false;
+      networking.networkmanager.enable = true;
+      networking.wireless.enable = lib.mkForce false;
 
-    environment.variables = {
-      # Qt apps won't always start unless this env var is set
-      QT_QPA_PLATFORM = "wayland";
-      # electron apps (e.g. Element) should use the wayland backend
-      # toggle this to have electron apps (e.g. Element) use the wayland backend.
-      # phocConfig.xwayland should be disabled if you do this
-      NIXOS_OZONE_WL = "1";
-    };
-  };
+      # XXX: not clear if these are actually needed?
+      hardware.bluetooth.enable = true;
+      services.blueman.enable = true;
+
+      hardware.opengl.enable = true;
+      hardware.opengl.driSupport = true;
+
+      environment.variables = {
+        # Qt apps won't always start unless this env var is set
+        QT_QPA_PLATFORM = "wayland";
+        # electron apps (e.g. Element) should use the wayland backend
+        # toggle this to have electron apps (e.g. Element) use the wayland backend.
+        # phocConfig.xwayland should be disabled if you do this
+        NIXOS_OZONE_WL = "1";
+      };
+
+      sane.packages.extraUserPkgs = with pkgs; [
+        phosh-mobile-settings
+
+        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
+        gnome.gnome-bluetooth
+      ];
+    }
+    (mkIf cfg.useGreeter {
+      services.xserver.enable = true;
+      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
+      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
+      # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
+      # this requires the user we want to login as to be cached.
+      services.xserver.displayManager.job.preStart = ''
+        ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
+      '';
+      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";  # XXX: not sure why this doesn't propagate correctly.
+      services.xserver.displayManager.lightdm.extraSeatDefaults = ''
+        user-session = phosh
+      '';
+      # services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
+      # services.xserver.displayManager.lightdm.greeter = {
+      #   enable = true;
+      #   package = pkgs.lightdm-mobile-greeter.xgreeters;
+      #   name = "lightdm-mobile-greeter";
+      # };
+      # # services.xserver.displayManager.lightdm.enable = true;
+
+      services.xserver.displayManager.lightdm.enable = true;
+      services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
+
+      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
+    })
+  ]);
 }

modules/gui/plasma-mobile.nix

@@ -2,18 +2,18 @@
  
 with lib;
 let
-  cfg = config.colinsane.gui.plasma-mobile;
+  cfg = config.sane.gui.plasma-mobile;
 in
 {
   options = {
-    colinsane.gui.plasma-mobile.enable = mkOption {
+    sane.gui.plasma-mobile.enable = mkOption {
       default = false;
       type = types.bool;
     };
   };
 
   config = mkIf cfg.enable {
-    colinsane.gui.enable = true;
+    sane.gui.enable = true;
     # start plasma-mobile on boot
     services.xserver.enable = true;
     services.xserver.desktopManager.plasma5.mobile.enable = true;

modules/gui/plasma.nix

@@ -0,0 +1,28 @@
+{ lib, config, ... }:
+
+with lib;
+let
+  cfg = config.sane.gui.plasma;
+in
+{
+  options = {
+    sane.gui.plasma.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sane.gui.enable = true;
+
+    # start plasma on boot
+    services.xserver.enable = true;
+    services.xserver.desktopManager.plasma5.enable = true;
+    services.xserver.displayManager.sddm.enable = true;
+
+    # gnome does networking stuff with networkmanager
+    networking.useDHCP = false;
+    networking.networkmanager.enable = true;
+    networking.wireless.enable = lib.mkForce false;
+  };
+}

modules/gui/sway.nix

@@ -3,34 +3,65 @@
 # docs: https://nixos.wiki/wiki/Sway
 with lib;
 let
-  cfg = config.colinsane.gui.sway;
+  cfg = config.sane.gui.sway;
 in
 {
   options = {
-    colinsane.gui.sway.enable = mkOption {
+    sane.gui.sway.enable = mkOption {
       default = false;
       type = types.bool;
     };
+    sane.gui.sway.useGreeter = mkOption {
+      description = ''
+        launch sway via a greeter (like greetd's gtkgreet).
+        sway is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
   };
   config = mkIf cfg.enable {
-    colinsane.gui.enable = true;
+    sane.gui.enable = true;
+    users.users.greeter.uid = config.sane.allocations.greeter-uid;
+    users.groups.greeter.gid = config.sane.allocations.greeter-gid;
     programs.sway = {
       # we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
       enable = true;
     };
 
-    # TODO: should be able to use SDDM to get interactive login
-    services.greetd = {
-      enable = true;
-      settings = rec {
-        initial_session = {
+    # alternatively, could use SDDM
+    services.greetd = let
+      swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
+        # `-l` activates layer-shell mode.
+        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
+      '';
+      default_session = {
+        "01" = {
+          # greeter session config
+          command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
+          # alternatives:
+          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
+          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
+          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
+        };
+        "0" = {
+          # no greeter
           command = "${pkgs.sway}/bin/sway";
           user = "colin";
         };
-        default_session = initial_session;
+      };
+    in {
+      # greetd source/docs:
+      # - <https://git.sr.ht/~kennylevinsen/greetd>
+      enable = true;
+      settings = {
+        default_session = default_session."0${builtins.toString cfg.useGreeter}";
       };
     };
 
+    # some programs (e.g. fractal) **require** a "Secret Service Provider"
+    services.gnome.gnome-keyring.enable = true;
+
     # unlike other DEs, sway configures no audio stack
     # administer with pw-cli, pw-mon, pw-top commands
     services.pipewire = {
@@ -47,12 +78,26 @@ in
     networking.networkmanager.enable = true;
     networking.wireless.enable = lib.mkForce false;
 
-    colinsane.home-manager.windowManager.sway = {
+    sane.home-manager.windowManager.sway = {
       enable = true;
       wrapperFeatures.gtk = true;
       config = rec {
         terminal = "${pkgs.kitty}/bin/kitty";
-        window.border = 3;  # pixel boundary between windows
+        window = {
+          border = 3; # pixel boundary between windows
+          hideEdgeBorders = "smart"; # don't show border if only window on workspace
+        };
+        output = {
+          ### DESKTOP
+          "Samsung Electric Company S22C300 0x00007F35" = { pos = "0,0"; res = "1920x1080"; };
+          "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" = { pos = "1920,0"; res = "3440x1440"; };
+
+          ### LAPTOP
+          # shen TV
+          "Pioneer Electronic Corporation VSX-524 0x00000101" = { pos = "0,0"; res = "1920x1080"; };
+          # internal display
+          "Unknown 0x0637 0x00000000" = { pos = "1920,0"; res = "1920x1080"; };
+        };
 
         # defaults; required for keybindings decl.
         modifier = "Mod1";
@@ -64,25 +109,27 @@ in
         down = "j";
         up = "k";
         right = "l";
+        # XKB key names: https://wiki.linuxquestions.org/wiki/List_of_Keysyms_Recognised_by_Xmodmap
         keybindings = {
           "${modifier}+Return" = "exec ${terminal}";
           "${modifier}+Shift+q" = "kill";
           "${modifier}+d" = "exec ${menu}";
+          "${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
 
-          "${modifier}+${left}" = "focus left";
-          "${modifier}+${down}" = "focus down";
-          "${modifier}+${up}" = "focus up";
-          "${modifier}+${right}" = "focus right";
+          # "${modifier}+${left}" = "focus left";
+          # "${modifier}+${down}" = "focus down";
+          # "${modifier}+${up}" = "focus up";
+          # "${modifier}+${right}" = "focus right";
 
           "${modifier}+Left" = "focus left";
           "${modifier}+Down" = "focus down";
           "${modifier}+Up" = "focus up";
           "${modifier}+Right" = "focus right";
 
-          "${modifier}+Shift+${left}" = "move left";
-          "${modifier}+Shift+${down}" = "move down";
-          "${modifier}+Shift+${up}" = "move up";
-          "${modifier}+Shift+${right}" = "move right";
+          # "${modifier}+Shift+${left}" = "move left";
+          # "${modifier}+Shift+${down}" = "move down";
+          # "${modifier}+Shift+${up}" = "move up";
+          # "${modifier}+Shift+${right}" = "move right";
 
           "${modifier}+Shift+Left" = "move left";
           "${modifier}+Shift+Down" = "move down";
@@ -147,6 +194,9 @@ in
           XF86AudioLowerVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
           XF86AudioMute = "exec '${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute'";
 
+          "${modifier}+Page_Up" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
+          "${modifier}+Page_Down" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
+
           "${modifier}+Print" = "exec '${pkgs.sway-contrib.grimshot}/bin/grimshot copy area'";
         };
 
@@ -163,7 +213,8 @@ in
             # names = [ "monospace" "Noto Color Emoji" ];
             # size = 8.0;
             # names = [ "Font Awesome 6 Free" "DejaVu Sans" "Hack" ];
-            names = with config.fonts.fontconfig.defaultFonts; (emoji ++ monospace ++ serif ++ sansSerif);
+            # names = with config.fonts.fontconfig.defaultFonts; (emoji ++ monospace ++ serif ++ sansSerif);
+            names = with config.fonts.fontconfig.defaultFonts; (monospace ++ emoji);
             size = 24.0;
           };
           trayOutput = "primary";
@@ -201,9 +252,10 @@ in
       };
     };
 
-    colinsane.home-manager.programs.waybar = {
+    sane.home-manager.programs.waybar = {
       enable = true;
       # docs: https://github.com/Alexays/Waybar/wiki/Configuration
+      # format specifiers: https://fmt.dev/latest/syntax.html#syntax
       settings = {
         mainBar = {
           layer = "top";
@@ -232,11 +284,20 @@ in
             on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
           };
           network = {
-            interval = 1;
-            format-ethernet = "{ifname}: {ipaddr}/{cidr}   up: {bandwidthUpBits} down: {bandwidthDownBits}";
+            # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
+            interval = 2;
+            max-length = 40;
+            # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
+            format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+            tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+
+            format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+            tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+
+            format-disconnected = "";
           };
           cpu = {
-            format = "{usage}% ";
+            format = " {usage:2}%";
             tooltip = false;
           };
           battery = {
@@ -259,6 +320,262 @@ in
           };
         };
       };
+      # style docs: https://github.com/Alexays/Waybar/wiki/Styling
+      style = ''
+        * {
+          font-family: monospace;
+        }
+
+        /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
+        window#waybar {
+          background-color: rgba(43, 48, 59, 0.5);
+          border-bottom: 3px solid rgba(100, 114, 125, 0.5);
+          color: #ffffff;
+          transition-property: background-color;
+          transition-duration: .5s;
+        }
+
+        window#waybar.hidden {
+          opacity: 0.2;
+        }
+
+        /*
+        window#waybar.empty {
+          background-color: transparent;
+        }
+        window#waybar.solo {
+          background-color: #FFFFFF;
+        }
+        */
+
+        window#waybar.termite {
+          background-color: #3F3F3F;
+        }
+
+        window#waybar.chromium {
+          background-color: #000000;
+          border: none;
+        }
+
+        #workspaces button {
+          padding: 0 5px;
+          background-color: transparent;
+          color: #ffffff;
+          /* Use box-shadow instead of border so the text isn't offset */
+          box-shadow: inset 0 -3px transparent;
+          /* Avoid rounded borders under each workspace name */
+          border: none;
+          border-radius: 0;
+        }
+
+        /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
+        #workspaces button:hover {
+          background: rgba(0, 0, 0, 0.2);
+          box-shadow: inset 0 -3px #ffffff;
+        }
+
+        #workspaces button.focused {
+          background-color: #64727D;
+          box-shadow: inset 0 -3px #ffffff;
+        }
+
+        #workspaces button.urgent {
+          background-color: #eb4d4b;
+        }
+
+        #mode {
+          background-color: #64727D;
+          border-bottom: 3px solid #ffffff;
+        }
+
+        #clock,
+        #battery,
+        #cpu,
+        #memory,
+        #disk,
+        #temperature,
+        #backlight,
+        #network,
+        #pulseaudio,
+        #custom-media,
+        #tray,
+        #mode,
+        #idle_inhibitor,
+        #mpd {
+          padding: 0 10px;
+          color: #ffffff;
+        }
+
+        #window,
+        #workspaces {
+          margin: 0 4px;
+        }
+
+        /* If workspaces is the leftmost module, omit left margin */
+        .modules-left > widget:first-child > #workspaces {
+          margin-left: 0;
+        }
+
+        /* If workspaces is the rightmost module, omit right margin */
+        .modules-right > widget:last-child > #workspaces {
+          margin-right: 0;
+        }
+
+        #clock {
+          background-color: #64727D;
+        }
+
+        #battery {
+          background-color: #ffffff;
+          color: #000000;
+        }
+
+        #battery.charging, #battery.plugged {
+          color: #ffffff;
+          background-color: #26A65B;
+        }
+
+        @keyframes blink {
+          to {
+            background-color: #ffffff;
+            color: #000000;
+          }
+        }
+
+        #battery.critical:not(.charging) {
+          background-color: #f53c3c;
+          color: #ffffff;
+          animation-name: blink;
+          animation-duration: 0.5s;
+          animation-timing-function: linear;
+          animation-iteration-count: infinite;
+          animation-direction: alternate;
+        }
+
+        label:focus {
+          background-color: #000000;
+        }
+
+        #cpu {
+          background-color: #2ecc71;
+          color: #000000;
+        }
+
+        #memory {
+          background-color: #9b59b6;
+        }
+
+        #disk {
+          background-color: #964B00;
+        }
+
+        #backlight {
+          background-color: #90b1b1;
+        }
+
+        #network {
+          background-color: #2980b9;
+        }
+
+        #network.disconnected {
+          background-color: #f53c3c;
+        }
+
+        #pulseaudio {
+          background-color: #f1c40f;
+          color: #000000;
+        }
+
+        #pulseaudio.muted {
+          background-color: #90b1b1;
+          color: #2a5c45;
+        }
+
+        #custom-media {
+          background-color: #66cc99;
+          color: #2a5c45;
+          min-width: 100px;
+        }
+
+        #custom-media.custom-spotify {
+          background-color: #66cc99;
+        }
+
+        #custom-media.custom-vlc {
+          background-color: #ffa000;
+        }
+
+        #temperature {
+          background-color: #f0932b;
+        }
+
+        #temperature.critical {
+          background-color: #eb4d4b;
+        }
+
+        #tray {
+          background-color: #2980b9;
+        }
+
+        #tray > .passive {
+          -gtk-icon-effect: dim;
+        }
+
+        #tray > .needs-attention {
+          -gtk-icon-effect: highlight;
+          background-color: #eb4d4b;
+        }
+
+        #idle_inhibitor {
+          background-color: #2d3436;
+        }
+
+        #idle_inhibitor.activated {
+          background-color: #ecf0f1;
+          color: #2d3436;
+        }
+
+        #mpd {
+          background-color: #66cc99;
+          color: #2a5c45;
+        }
+
+        #mpd.disconnected {
+          background-color: #f53c3c;
+        }
+
+        #mpd.stopped {
+          background-color: #90b1b1;
+        }
+
+        #mpd.paused {
+          background-color: #51a37a;
+        }
+
+        #language {
+          background: #00b093;
+          color: #740864;
+          padding: 0 5px;
+          margin: 0 5px;
+          min-width: 16px;
+        }
+
+        #keyboard-state {
+          background: #97e1ad;
+          color: #000000;
+          padding: 0 0px;
+          margin: 0 5px;
+          min-width: 16px;
+        }
+
+        #keyboard-state > label {
+          padding: 0 5px;
+        }
+
+        #keyboard-state > label.locked {
+          background: rgba(0, 0, 0, 0.2);
+        }
+      '';
       # style = ''
       #   * {
       #     border: none;
@@ -280,9 +597,9 @@ in
       #   }
       # '';
     };
-    colinsane.home-manager.extraPackages = with pkgs; [
+    sane.packages.extraUserPkgs = with pkgs; [
       swaylock
-      swayidle
+      swayidle  # (unused)
       wl-clipboard
       mako # notification daemon
       xdg-utils  # for xdg-open
@@ -290,6 +607,7 @@ in
       # pavucontrol
       sway-contrib.grimshot
       gnome.gnome-bluetooth
+      gnome.gnome-control-center
     ];
   };
 }

modules/hardware/x86_64.nix

@@ -1,60 +0,0 @@
-{ lib, pkgs, config, ... }:
-
-with lib;
-{
-  config = mkIf (pkgs.system == "x86_64-linux") { 
-    boot.initrd.availableKernelModules = [
-      "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
-      "usb_storage"   # rpi needed this to boot from usb storage, i think.
-      "nvme"  # to boot from nvme devices
-      # efi_pstore evivars
-    ];
-    boot.initrd.kernelModules = [ ];
-    boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
-    # useful emergency utils
-    boot.initrd.extraUtilsCommands = ''
-      copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
-    '';
-    boot.kernelModules = [
-      "coretemp"
-      "kvm-intel"
-      "kvm-amd"  # desktop
-      "amdgpu"   # desktop
-    ];
-    boot.extraModulePackages = [ ];
-    boot.kernelParams = [ "boot.shell_on_fail" ];
-    boot.consoleLogLevel = 7;
-
-    boot.loader.grub.enable = false;
-    # boot.loader.generic-extlinux-compatible.enable = true;
-
-    # enable cross compilation
-    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-    # nixpkgs.crossSystem.system = "aarch64-linux";
-
-    powerManagement.cpuFreqGovernor = "powersave";
-    hardware.enableRedistributableFirmware = true;
-    hardware.cpu.amd.updateMicrocode = true;    # desktop
-    hardware.cpu.intel.updateMicrocode = true;  # laptop
-    services.fwupd.enable = true;
-    # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
-    powerManagement.powertop.enable = false;
-
-    hardware.opengl.driSupport = true;
-    # For 32 bit applications
-    hardware.opengl.driSupport32Bit = true;
-
-    # TODO colin: does this *do* anything?
-    swapDevices = [ ];
-
-    # services.snapper.configs = {
-    #   root = {
-    #     subvolume = "/";
-    #     extraConfig = {
-    #       ALLOW_USERS = "colin";
-    #     };
-    #   };
-    # };
-    # services.snapper.snapshotInterval = "daily";
-  };
-}

modules/home-manager/aerc.nix

@@ -0,0 +1,16 @@
+# Terminal UI mail client
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  sops.secrets."aerc_accounts" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../secrets/universal/aerc_accounts.conf;
+    format = "binary";
+  };
+  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+    # aerc TUI mail client
+    xdg.configFile."aerc/accounts.conf".source =
+      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
+  };
+}

modules/home-manager/default.nix

@@ -0,0 +1,226 @@
+# docs:
+#   https://rycee.gitlab.io/home-manager/
+#   https://rycee.gitlab.io/home-manager/options.html
+#   man home-configuration.nix
+#
+
+{ lib, config, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.sane.home-manager;
+  # extract package from `sane.packages.enabledUserPkgs`
+  pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
+  # extract `dir` from `sane.packages.enabledUserPkgs`
+  dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
+  private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
+  feeds = import ./feeds.nix { inherit lib; };
+in
+{
+  imports = [
+    ./aerc.nix
+    ./discord.nix
+    ./firefox.nix
+    ./git.nix
+    ./kitty.nix
+    ./mpv.nix
+    ./nb.nix
+    ./neovim.nix
+    ./ssh.nix
+    ./sublime-music.nix
+    ./vlc.nix
+    ./zsh.nix
+  ];
+
+  options = {
+    sane.home-manager.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    # attributes to copy directly to home-manager's `wayland.windowManager` option
+    sane.home-manager.windowManager = mkOption {
+      default = {};
+      type = types.attrs;
+    };
+
+    # extra attributes to include in home-manager's `programs` option
+    sane.home-manager.programs = mkOption {
+      default = {};
+      type = types.attrs;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sane.impermanence.home-dirs = [
+      "archive"
+      "dev"
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Music"
+      "Pictures"
+      "Videos"
+    ] ++ (dir-list config.sane.packages.enabledUserPkgs);
+
+    home-manager.useGlobalPkgs = true;
+    home-manager.useUserPackages = true;
+
+    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
+    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
+    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+
+      # run `home-manager-help` to access manpages
+      # or `man home-configuration.nix`
+      manual.html.enable = false;  # TODO: set to true later (build failure)
+      manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
+
+      home.packages = pkg-list sysconfig.sane.packages.enabledUserPkgs;
+      wayland.windowManager = cfg.windowManager;
+
+      home.stateVersion = "21.11";
+      home.username = "colin";
+      home.homeDirectory = "/home/colin";
+
+      home.activation = {
+        initKeyring = {
+          after = ["writeBoundary"];
+          before = [];
+          data = "${../../scripts/init-keyring}";
+        };
+      };
+
+
+      home.file = let
+        privates = builtins.listToAttrs (
+          builtins.map (path: {
+            name = path;
+            value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
+          })
+          (private-list sysconfig.sane.packages.enabledUserPkgs)
+        );
+      in {
+        # convenience
+        "knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
+        "nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
+        "Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
+        "Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
+        "Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
+
+        # used by password managers, e.g. unix `pass`
+        ".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
+      } // privates;
+
+      # XDG defines things like ~/Desktop, ~/Downloads, etc.
+      # these clutter the home, so i mostly don't use them.
+      xdg.userDirs = {
+        enable = true;
+        createDirectories = false;  # on headless systems, most xdg dirs are noise
+        desktop = "$HOME/.xdg/Desktop";
+        documents = "$HOME/dev";
+        download = "$HOME/tmp";
+        music = "$HOME/Music";
+        pictures = "$HOME/Pictures";
+        publicShare = "$HOME/.xdg/Public";
+        templates = "$HOME/.xdg/Templates";
+        videos = "$HOME/Videos";
+      };
+
+      # the xdg mime type for a file can be found with:
+      # - `xdg-mime query filetype path/to/thing.ext`
+      xdg.mimeApps.enable = true;
+      xdg.mimeApps.defaultApplications = let
+        www = sysconfig.sane.web-browser.desktop;
+        pdf = "org.gnome.Evince.desktop";
+        md = "obsidian.desktop";
+        thumb = "org.gnome.gThumb.desktop";
+        video = "vlc.desktop";
+        # audio = "mpv.desktop";
+        audio = "vlc.desktop";
+      in {
+        # HTML
+        "text/html" = [ www ];
+        "x-scheme-handler/http" = [ www ];
+        "x-scheme-handler/https" = [ www ];
+        "x-scheme-handler/about" = [ www ];
+        "x-scheme-handler/unknown" = [ www ];
+        # RICH-TEXT DOCUMENTS
+        "application/pdf" = [ pdf ];
+        "text/markdown" = [ md ];
+        # IMAGES
+        "image/heif" = [ thumb ];  # apple codec
+        "image/png" = [ thumb ];
+        "image/jpeg" = [ thumb ];
+        # VIDEO
+        "video/mp4" = [ video ];
+        "video/quicktime" = [ video ];
+        "video/x-matroska" = [ video ];
+        # AUDIO
+        "audio/flac" = [ audio ];
+        "audio/mpeg" = [ audio ];
+        "audio/x-vorbis+ogg" = [ audio ];
+      };
+
+      # libreoffice: disable first-run stuff
+      xdg.configFile."libreoffice/4/user/registrymodifications.xcu".text = ''
+        <?xml version="1.0" encoding="UTF-8"?>
+        <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+          <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
+          <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
+        </oor:items>
+      '';
+      # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
+      # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+
+
+
+      xdg.configFile."gpodderFeeds.opml".text = with feeds;
+        feedsToOpml feeds.podcasts;
+
+      # news-flash RSS viewer
+      xdg.configFile."newsflashFeeds.opml".text = with feeds;
+        feedsToOpml (feeds.texts ++ feeds.images);
+
+      # gnome feeds RSS viewer
+      xdg.configFile."org.gabmus.gfeeds.json".text =
+      let
+        myFeeds = feeds.texts ++ feeds.images;
+      in builtins.toJSON {
+        # feed format is a map from URL to a dict,
+        #   with dict["tags"] a list of string tags.
+        feeds = builtins.foldl' (acc: feed: acc // {
+          "${feed.url}".tags = [ feed.cat feed.freq ];
+        }) {} myFeeds;
+        dark_reader = false;
+        new_first = true;
+        # windowsize = {
+        #   width = 350;
+        #   height = 650;
+        # };
+        max_article_age_days = 90;
+        enable_js = false;
+        max_refresh_threads = 3;
+        # saved_items = {};
+        # read_items = [];
+        show_read_items = true;
+        full_article_title = true;
+        # views: "webview", "reader", "rsscont"
+        default_view = "rsscont";
+        open_links_externally = true;
+        full_feed_name = false;
+        refresh_on_startup = true;
+        tags = lib.lists.unique (
+          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
+        );
+        open_youtube_externally = false;
+        media_player = "vlc";  # default: mpv
+      };
+
+      programs = {
+        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
+        # "command not found" will cause the command to be searched in nixpkgs
+        nix-index.enable = true;
+      } // cfg.programs;
+    };
+  };
+}

modules/home-manager/discord.nix

@@ -0,0 +1,12 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  # TODO: this should only be enabled on gui devices
+  # make Discord usable even when client is "outdated"
+  home-manager.users.colin.xdg.configFile."discord/settings.json".text = ''
+    {
+      "SKIP_HOST_UPDATE": true
+    }
+  '';
+}

modules/home-manager/feeds.nix

@@ -0,0 +1,185 @@
+{ lib }:
+
+let
+  hourly = { freq = "hourly"; };
+  daily = { freq = "daily"; };
+  weekly = { freq = "weekly"; };
+  infrequent = { freq = "infrequent"; };
+
+  art = { cat = "art"; };
+  humor = { cat = "humor"; };
+  pol = { cat = "pol"; };  # or maybe just "social"
+  rat = { cat = "rat"; };
+  tech = { cat = "tech"; };
+  uncat = { cat = "uncat"; };
+
+  text = { format = "text"; };
+  image = { format = "image"; };
+  podcast = { format = "podcast"; };
+
+  mkRss = format: url: { inherit url format; } // uncat // infrequent;
+  # format-specific helpers
+  mkText = mkRss text;
+  mkImg = mkRss image;
+  mkPod = mkRss podcast;
+
+  # host-specific helpers
+  mkSubstack = subdomain: mkText "https://${subdomain}.substack.com/feed";
+
+  # merge the attrs `new` into each value of the attrs `addTo`
+  addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
+  # for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
+  withInverseMapping = key: attrs: builtins.mapAttrs (k: v: v // { "${key}" = k; }) attrs;
+in rec {
+  podcasts = [
+    (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
+    ## Astral Codex Ten
+    (mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
+    ## Econ Talk
+    (mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
+    ## Cory Doctorow
+    (mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
+    (mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
+    ## Civboot
+    (mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
+    (mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
+    (mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
+    (mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
+    (mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
+    ## The Daily
+    (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
+    (mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
+    (mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
+    ## Eric Weinstein
+    (mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
+    (mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
+    (mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
+    (mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
+    ## 99% Invisible
+    (mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
+    (mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
+    (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
+    ## 60 minutes (NB: this features more than *just* audio?)
+    (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
+    ## The Verge - Decoder
+    (mkPod "https://feeds.megaphone.fm/recodedecode" // tech // weekly)
+  ];
+
+  texts = [
+    # AGGREGATORS (> 1 post/day)
+    (mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
+    (mkText "http://www.econlib.org/index.xml" // pol // hourly)
+
+    # AGGREGATORS (< 1 post/day)
+    (mkText "https://palladiummag.com/feed" // uncat // weekly)
+    (mkText "https://profectusmag.com/feed" // uncat // weekly)
+    (mkText "https://semiaccurate.com/feed" // tech // weekly)
+    (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
+    (mkText "https://spectrum.ieee.org/rss" // tech // weekly)
+
+    ## No Moods, Ads or Cutesy Fucking Icons
+    (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
+
+    # DEVELOPERS
+    (mkText "https://uninsane.org/atom.xml" // infrequent // tech)
+    (mkText "https://mg.lol/blog/rss/" // infrequent // tech)
+    ## Ken Shirriff
+    (mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
+    ## Vitalik Buterin
+    (mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
+    ## ian (Sanctuary)
+    (mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
+    ## Bunnie Juang
+    (mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
+    (mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
+    (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
+    (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
+    (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
+    (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
+    (mkText "https://www.jefftk.com/news.rss" // tech // daily)
+
+    # (TECH; POL) COMMENTATORS
+    (mkSubstack "edwardsnowden" // pol // infrequent)
+    (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
+    ## Ben Thompson
+    (mkText "https://www.stratechery.com/rss" // pol // weekly)
+    ## Balaji
+    (mkText "https://balajis.com/rss" // pol // weekly)
+    (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
+    (mkText "https://www.lynalden.com/feed" // pol // infrequent)
+    (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
+    (mkSubstack "oversharing" // pol // daily)
+    (mkSubstack "doomberg" // tech // weekly)
+    ## David Rosenthal
+    (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
+    ## Matt Levine
+    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
+
+    # RATIONALITY/PHILOSOPHY/ETC
+    (mkSubstack "samkriss" // humor // infrequent)
+    (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
+    (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
+    (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
+    (mkText "https://www.richardcarrier.info/feed" // rat // weekly)
+    (mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
+    ## Jason Crawford
+    (mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
+    ## Robin Hanson
+    (mkText "https://www.overcomingbias.com/feed" // rat // daily)
+    ## Scott Alexander
+    (mkSubstack "astralcodexten" // rat // daily)
+    ## Paul Christiano
+    (mkText "https://sideways-view.com/feed" // rat // infrequent)
+    ## Sean Carroll
+    (mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
+
+    # CODE
+    (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
+  ];
+
+  images = [
+    (mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
+    (mkImg "https://xkcd.com/atom.xml" // humor // daily)
+    (mkImg "http://dilbert.com/feed" // humor // daily)
+
+    # ART
+    (mkImg "https://miniature-calendar.com/feed" // art // daily)
+  ];
+
+  all = texts ++ images ++ podcasts;
+
+  # return only the feed items which match this category (e.g. "tech")
+  filterCat = cat: feeds: builtins.filter (item: item.cat == cat) feeds;
+  # return only the feed items which match this format (e.g. "podcast")
+  filterFormat = format: feeds: builtins.filter (item: item.format == format) feeds;
+
+  # transform a list of feeds into an attrs mapping cat => [ feed0 feed1 ... ]
+  partitionByCat = feeds: builtins.groupBy (f: f.cat) feeds;
+
+  # represents a single RSS feed.
+  opmlTerminal = feed: ''<outline xmlUrl="${feed.url}" type="rss"/>'';
+  # a list of RSS feeds.
+  opmlTerminals = feeds: lib.strings.concatStringsSep "\n" (builtins.map opmlTerminal feeds);
+  # one node which packages some flat grouping of terminals.
+  opmlGroup = title: feeds: ''
+    <outline text="${title}" title="${title}">
+      ${opmlTerminals feeds}
+    </outline>
+  '';
+  # a list of groups (`groupMap` is an attrs mapping groupName => [ feed0 feed1 ... ]).
+  opmlGroups = groupMap: lib.strings.concatStringsSep "\n" (
+    builtins.attrValues (builtins.mapAttrs opmlGroup groupMap)
+  );
+  # top-level OPML file which could be consumed by something else.
+  opmlTopLevel = body: ''
+    <?xml version="1.0" encoding="utf-8"?>
+    <opml version="2.0">
+      <body>
+        ${body}
+      </body>
+    </opml>
+  '';
+
+  # **primary API**: generate a OPML file from the provided feeds
+  feedsToOpml = feeds: opmlTopLevel (opmlGroups (partitionByCat feeds));
+}

modules/home-manager/firefox.nix

@@ -0,0 +1,139 @@
+# common settings to toggle (at runtime, in about:config):
+#   > security.ssl.require_safe_negotiation
+
+# librewolf is a forked firefox which patches firefox to allow more things
+# (like default search engines) to be configurable at runtime.
+# many of the settings below won't have effect without those patches.
+# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
+
+{ config, lib, pkgs, ...}:
+with lib;
+let
+  cfg = config.sane.web-browser;
+  # allow easy switching between firefox and librewolf with `defaultSettings`, below
+  librewolfSettings = {
+    browser = pkgs.librewolf-unwrapped;
+    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
+    #   # this allows side-loading unsigned addons
+    #   MOZ_REQUIRE_SIGNING = false;
+    # });
+    libName = "librewolf";
+    dotDir = ".librewolf";
+    desktop = "librewolf.desktop";
+  };
+  firefoxSettings = {
+    browser = pkgs.firefox-esr-unwrapped;
+    libName = "firefox";
+    dotDir = ".mozilla/firefox";
+    desktop = "firefox.desktop";
+  };
+  defaultSettings = firefoxSettings;
+  # defaultSettings = librewolfSettings;
+
+  package = pkgs.wrapFirefox cfg.browser {
+    # inherit the default librewolf.cfg
+    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
+    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
+    inherit (cfg) libName;
+
+    extraNativeMessagingHosts = [ pkgs.browserpass ];
+    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
+
+    nixExtensions = let
+      addon = name: extid: hash: pkgs.fetchFirefoxAddon {
+        inherit name hash;
+        url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
+        fixedExtid = extid;
+      };
+      localAddon = pkg: pkgs.fetchFirefoxAddon {
+        inherit (pkg) name;
+        src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
+        fixedExtid = pkg.extid;
+      };
+    in [
+      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-C+VQyaJ8BA0ErXGVTdnppJZ6J9SP+izf6RFxdS4VJoU=")
+      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-au5GGn22n4i6VrdOKqNMOrWdMoVCcpLdjO2wwRvyx7E=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-m14onUlnpLDPHezA/soKygcc76tF1fLG52tM/LkbAXQ=")
+      (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
+      (addon "ether-metamask" "webextension@metamask.io" "sha256-dnpwKpNF0KgHMAlz5btkkZySjMsnrXECS35ClkD2XHc=")
+      # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
+      (localAddon pkgs.browserpass-extension)
+    ];
+
+    extraPolicies = {
+      NoDefaultBookmarks = true;
+      SearchEngines = {
+        Default = "DuckDuckGo";
+      };
+      AppUpdateURL = "https://localhost";
+      DisableAppUpdate = true;
+      OverrideFirstRunPage = "";
+      OverridePostUpdatePage = "";
+      DisableSystemAddonUpdate = true;
+      DisableFirefoxStudies = true;
+      DisableTelemetry = true;
+      DisableFeedbackCommands = true;
+      DisablePocket = true;
+      DisableSetDesktopBackground = false;
+
+      # remove many default search providers
+      # XXX this seems to prevent the `nixExtensions` from taking effect
+      # Extensions.Uninstall = [
+      #   "google@search.mozilla.org"
+      #   "bing@search.mozilla.org"
+      #   "amazondotcom@search.mozilla.org"
+      #   "ebay@search.mozilla.org"
+      #   "twitter@search.mozilla.org"
+      # ];
+      # XXX doesn't seem to have any effect...
+      # docs: https://github.com/mozilla/policy-templates#homepage
+      # Homepage = {
+      #   HomepageURL = "https://uninsane.org/";
+      #   StartPage = "homepage";
+      # };
+      # NewTabPage = true;
+    };
+  };
+in
+{
+  options = {
+    sane.web-browser = mkOption {
+      default = defaultSettings;
+      type = types.attrs;
+    };
+  };
+  config = lib.mkIf config.sane.home-manager.enable {
+    # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
+    home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
+      programs.firefox = {
+        enable = true;
+        inherit package;
+      };
+
+      # uBlock filter list configuration.
+      # specifically, enable the GDPR cookie prompt blocker.
+      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
+      # this configuration method is documented here:
+      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
+      # the specific attribute path is found via scraping ublock code here:
+      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
+      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
+      home.file."${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json".text = ''
+        {
+         "name": "uBlock0@raymondhill.net",
+         "description": "ignored",
+         "type": "storage",
+         "data": {
+            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
+         }
+        }
+      '';
+      home.file."${cfg.dotDir}/${cfg.libName}.overrides.cfg".text = ''
+        // if we can't query the revocation status of a SSL cert because the issuer is offline,
+        // treat it as unrevoked.
+        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+        defaultPref("security.OCSP.require", false);
+      '';
+    };
+  };
+}

modules/home-manager/git.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin.programs.git = {
+    enable = true;
+    userName = "colin";
+    userEmail = "colin@uninsane.org";
+
+    aliases = { co = "checkout"; };
+    extraConfig = {
+      # difftastic docs:
+      # - <https://difftastic.wilfred.me.uk/git.html>
+      diff.tool = "difftastic";
+      difftool.prompt = false;
+      "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
+      # now run `git difftool` to use difftastic git
+    };
+  };
+}

modules/home-manager/kitty.nix

@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin.programs.kitty = {
+    enable = true;
+    # docs: https://sw.kovidgoyal.net/kitty/conf/
+    settings = {
+      # disable terminal bell (when e.g. you backspace too many times)
+      enable_audio_bell = false;
+    };
+    keybindings = {
+      "ctrl+n" = "new_os_window_with_cwd";
+    };
+    # docs: https://github.com/kovidgoyal/kitty-themes
+    # theme = "1984 Light";  # dislike: awful, harsh blues/teals
+    # theme = "Adventure Time";  # dislike: harsh (dark)
+    # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
+    # theme = "Belafonte Day";  # dislike: too low contrast for text colors
+    # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
+    # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
+    # theme = "Desert";  # mediocre: colors are harsh
+    # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
+    # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
+    # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
+    # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
+    # theme = "kanagawabones";  # better: dark theme. colors are too background-y
+    # theme = "Kaolin Dark";  # dislike: too dark
+    # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
+    # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
+    # theme = "Material"; # decent: light theme, few colors.
+    # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
+    # theme = "Nord";  # mediocre: pale background, low contrast
+    # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
+    theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
+    # theme = "Parasio Dark";  # dislike: too low contrast
+    # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
+    # theme = "Pnevma";  # dislike: too low contrast
+    # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
+    # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
+    # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
+    # theme = "Sea Shells";  # mediocre. not all color combos are readable
+    # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
+    # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
+    # theme = "Sourcerer";  # mediocre: ugly colors
+    # theme = "Space Gray";  # mediocre: too muted
+    # theme = "Space Gray Eighties";  # better: all readable, decent colors
+    # theme = "Spacemacs";  # mediocre: too muted
+    # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
+    # theme = "Srcery";  # better: highly readable. colors are ehhh
+    # theme = "Substrata";  # decent: nice colors, but a bit flat.
+    # theme = "Sundried";  # mediocre: the solar text makes me squint
+    # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
+    # theme = "Tango Light";  # dislike: teal is too grating
+    # theme = "Tokyo Night Day";  # medicore: too muted
+    # theme = "Tokyo Night";  # better: tasteful. a bit flat
+    # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
+    # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
+    # theme = "Urple";  # dislike: weird palette
+    # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
+    # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
+    # theme = "Xcodedark";  # dislike: bad palette
+    # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
+    # theme = "neobones_light"; # better light theme. the background is maybe too muted
+    # theme = "vimbones";
+    # theme = "zenbones_dark";  # mediocre: readable, but meh colors
+    # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
+    # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
+    # extraConfig = "";
+  };
+}

modules/home-manager/mpv.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin.programs.mpv = {
+    enable = true;
+    config = {
+      save-position-on-quit = true;
+      keep-open = "yes";
+    };
+  };
+}
+

modules/home-manager/nb.nix

@@ -0,0 +1,27 @@
+# nb is a CLI-drive Personal Knowledge Manager
+# - <https://xwmx.github.io/nb/>
+#
+# it's pretty opinionated:
+# - autocommits (to git) excessively (disable-able)
+# - inserts its own index files to give deterministic names to files
+#
+# it offers a primitive web-server
+# and it offers some CLI query tools
+
+{ config, lib, pkgs, ... }:
+
+# lib.mkIf config.sane.home-manager.enable
+lib.mkIf false # XXX disabled!
+{
+  sane.packages.extraUserPkgs = [ pkgs.nb ];
+
+  home-manager.users.colin = { config, ... }: {
+    # nb markdown/personal knowledge manager
+    home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
+    home.file.".nb/.current".text = "knowledge";
+    home.file.".nbrc".text = ''
+      # manage with `nb settings`
+      export NB_AUTO_SYNC=0
+    '';
+  };
+}

modules/home-manager/neovim.nix

@@ -0,0 +1,117 @@
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
+
+  home-manager.users.colin.programs.neovim = {
+    # neovim: https://github.com/neovim/neovim
+    enable = true;
+    viAlias = true;
+    vimAlias = true;
+    plugins = with pkgs.vimPlugins; [
+      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
+      # docs: vim-surround: https://github.com/tpope/vim-surround
+      vim-surround
+      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
+      fzf-vim
+      # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
+      ({
+        plugin = tex-conceal-vim;
+        type = "viml";
+        config = ''
+          " present prettier fractions
+          let g:tex_conceal_frac=1
+        '';
+      })
+      ({
+        plugin = vim-SyntaxRange;
+        type = "viml";
+        config = ''
+          " enable markdown-style codeblock highlighting for tex code
+          autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
+          " autocmd Syntax tex set conceallevel=2
+        '';
+      })
+      # nabla renders inline math in any document, but it's buggy.
+      #   https://github.com/jbyuki/nabla.nvim
+      # ({
+      #   plugin = pkgs.nabla;
+      #   type = "lua";
+      #   config = ''
+      #     require'nabla'.enable_virt()
+      #   '';
+      # })
+      # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
+      # docs: https://github.com/nvim-treesitter/nvim-treesitter
+      # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
+      # this is required for tree-sitter to even highlight
+      ({
+        plugin = nvim-treesitter.withAllGrammars;
+        type = "lua";
+        config = ''
+          require'nvim-treesitter.configs'.setup {
+            highlight = {
+              enable = true,
+              -- disable treesitter on Rust so that we can use SyntaxRange
+              -- and leverage TeX rendering in rust projects
+              disable = { "rust", "tex", "latex" },
+              -- disable = { "tex", "latex" },
+              -- true to also use builtin vim syntax highlighting when treesitter fails
+              additional_vim_regex_highlighting = false
+            },
+            incremental_selection = {
+              enable = true,
+              keymaps = {
+                init_selection = "gnn",
+                node_incremental = "grn",
+                mcope_incremental = "grc",
+                node_decremental = "grm"
+              }
+            },
+            indent = {
+              enable = true,
+              disable = {}
+            }
+          }
+
+          vim.o.foldmethod = 'expr'
+          vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
+        '';
+      })
+    ];
+    extraConfig = ''
+      " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
+      " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
+      set mouse=
+
+      " copy/paste to system clipboard
+      set clipboard=unnamedplus
+
+      " screw tabs; always expand them into spaces
+      set expandtab
+
+      " at least don't open files with sections folded by default
+      set nofoldenable
+
+      " allow text substitutions for certain glyphs.
+      " higher number = more aggressive substitution (0, 1, 2, 3)
+      " i only make use of this for tex, but it's unclear how to
+      " apply that *just* to tex and retain the SyntaxRange stuff.
+      set conceallevel=2
+
+      " horizontal rule under the active line
+      " set cursorline
+
+      " highlight trailing space & related syntax errors (doesn't seem to work??)
+      " let c_space_errors=1
+      " let python_space_errors=1
+
+      " enable highlighting of leading/trailing spaces,
+      " and especially tabs
+      " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
+      set list
+      set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
+    '';
+  };
+}

modules/home-manager/ssh.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin = let
+    host = config.networking.hostName;
+    user_pubkey = (import ../pubkeys.nix).users."${host}";
+    known_hosts_text = builtins.concatStringsSep
+      "\n"
+      (builtins.attrValues (import ../pubkeys.nix).hosts);
+  in { config, ...}: {
+    # ssh key is stored in private storage
+    home.file.".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/.ssh/id_ed25519";
+    home.file.".ssh/id_ed25519.pub".text = user_pubkey;
+
+    programs.ssh.enable = true;
+    # this optionally accepts multiple known_hosts paths, separated by space.
+    programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
+  };
+}

modules/home-manager/sublime-music.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  # TODO: this should only be shipped on gui platforms
+  sops.secrets."sublime_music_config" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../secrets/universal/sublime_music_config.json.bin;
+    format = "binary";
+  };
+  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
+    # sublime music player
+    xdg.configFile."sublime-music/config.json".source =
+      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
+  };
+}

modules/home-manager/vlc.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
+  let
+    feeds = import ./feeds.nix { inherit lib; };
+    podcastUrls = lib.strings.concatStringsSep "|" (
+      builtins.map (feed: feed.url) feeds.podcasts
+    );
+  in ''
+    [podcast]
+    podcast-urls=${podcastUrls}
+    [core]
+    metadata-network-access=0
+    [qt]
+    qt-privacy-ask=0
+  '';
+}

modules/home-manager/zsh.nix

@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+
+lib.mkIf config.sane.home-manager.enable
+{
+  # we don't need to full zsh dir -- just the history file --
+  # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
+  sane.impermanence.home-dirs = [ ".local/share/zsh" ];
+
+  home-manager.users.colin.programs.zsh = {
+    enable = true;
+    enableSyntaxHighlighting = true;
+    enableVteIntegration = true;
+    history.ignorePatterns = [ "rm *" ];
+    dotDir = ".config/zsh";
+    history.path = "/home/colin/.local/share/zsh/history";
+
+    initExtraBeforeCompInit = ''
+      # p10k instant prompt
+      # run p10k configure to configure, but it can't write out its file :-(
+      POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
+    '';
+    initExtra = ''
+      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
+      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
+      autoload -Uz zmv
+
+      # disable `rm *` confirmations
+      setopt rmstarsilent
+
+      function nd() {
+        mkdir -p "$1";
+        pushd "$1";
+      }
+    '';
+
+    # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+    # see: https://github.com/sorin-ionescu/prezto
+    prezto = {
+      enable = true;
+      pmodules = [
+        "environment"
+        "terminal"
+        "editor"
+        "history"
+        "directory"
+        "spectrum"
+        "utility"
+        "completion"
+        "prompt"
+        "git"
+      ];
+      prompt.theme = "powerlevel10k";
+      utility.safeOps = false;  # disable `mv` confirmation (and supposedly `rm`, too)
+    };
+  };
+
+  home-manager.users.colin.home.shellAliases = {
+    ":q" = "exit";
+    # common typos
+    "cd.." = "cd ..";
+    "cd../" = "cd ../";
+  };
+}

modules/image.nix

@@ -2,15 +2,34 @@
 
 with lib;
 let
-  cfg = config.colinsane.image;
+  cfg = config.sane.image;
 in
 {
   options = {
-    colinsane.image.extraBootFiles = mkOption {
+    sane.image.enable = mkOption {
+      default = true;
+      type = types.bool;
+      description = "whether to enable image targets. this doesn't mean they'll be built unless you specifically reference the target.";
+    };
+    # packages whose contents should be copied directly into the /boot partition.
+    # e.g. EFI loaders, u-boot bootloader, etc.
+    sane.image.extraBootFiles = mkOption {
       default = [];
       type = types.listOf types.package;
     };
-    colinsane.image.extraGPTPadding = mkOption {
+    # extra (empty) directories to create in the rootfs.
+    # for example, /var/log might be required by the boot process, so ensure it exists.
+    sane.image.extraDirectories = mkOption {
+      default = [];
+      type = types.listOf types.str;
+    };
+
+    # the GPT header is fixed to Logical Block Address 1,
+    # but we can actually put the partition entries anywhere.
+    # this option reserves so many bytes after LBA 1 but *before* the partition entries.
+    # this is not universally supported, but is an easy hack to claim space near the start
+    # of the disk for other purposes (e.g. firmware blobs)
+    sane.image.extraGPTPadding = mkOption {
       default = 0;
       # NB: rpi doesn't like non-zero values for this.
       # at the same time, spinning disks REALLY need partitions to be aligned to 4KiB boundaries.
@@ -18,7 +37,8 @@ in
       # default = 2014 * 512;  # standard is to start part0 at sector 2048  (versus 34 if no padding)
       type = types.int;
     };
-    colinsane.image.firstPartGap = mkOption {
+    # optional space (in bytes) to leave unallocated after the GPT structure and before the first partition.
+    sane.image.firstPartGap = mkOption {
       # align the first part to 16 MiB.
       # do this by inserting a gap of 16 MiB - gptHeaderSize
       # and then multiply by 1MiB and subtract 1 because mobile-nixos
@@ -26,7 +46,7 @@ in
       default = (16 * 1024 * 1024 - 34 * 512) * 1024 * 1024 - 1;
       type = types.nullOr types.int;
     };
-    colinsane.image.bootPartSize = mkOption {
+    sane.image.bootPartSize = mkOption {
       default = 512 * 1024 * 1024;
       type = types.int;
     };
@@ -37,6 +57,7 @@ in
       (builtins.substring 0 (builtins.stringLength sub) super) == sub
     );
     # return the (string) path to get from `stem` to `path`
+    # or errors if not a sub-path
     relPath = stem: path: (
       builtins.head (builtins.match "^${stem}(.+)" path)
     );
@@ -47,14 +68,6 @@ in
     # resolves to e.g. "nix/store", "/store" or ""
     storeRelPath = relPath nixFs.mountPoint "/nix/store";
 
-    # return a list of all the `device` values -- one for each fileSystems."$x"
-    devices = builtins.attrValues (builtins.mapAttrs (mount: entry: entry.device) fileSystems);
-    # filter the devices to just those which sit under nixFs
-    subNixMounts = builtins.filter (a: startsWith (builtins.toString a) nixFs.mountPoint) devices;
-    # e.g. ["/nix/persist/var"] -> ["/persist/var"] if nixFs sits at /nix
-    subNixRelMounts = builtins.map (m: relPath nixFs.mountPoint m) subNixMounts;
-    makeSubNixMounts = builtins.toString (builtins.map (m: "mkdir -p ./${m};") subNixRelMounts);
-
     uuidFromFs = fs: builtins.head (builtins.match "/dev/disk/by-uuid/(.+)" fs.device);
     vfatUuidFromFs = fs: builtins.replaceStrings ["-"] [""] (uuidFromFs fs);
 
@@ -104,11 +117,10 @@ in
           populateCommands =
           let
             closureInfo = buildPackages.closureInfo { rootPaths = config.system.build.toplevel; };
+            extraRelPaths = builtins.toString (builtins.map (p: "./" + builtins.toString(relPath nixFs.mountPoint p)) cfg.extraDirectories);
           in
           ''
-            mkdir -p ./${storeRelPath}
-            # TODO: we should create the dirs required for boot (/var/log?). the rest are populated automatically.
-            # $(makeSubNixMounts)
+            mkdir -p ./${storeRelPath} ${extraRelPaths}
             echo "Copying system closure..."
             while IFS= read -r path; do
               echo "  Copying $path"

modules/impermanence.nix

@@ -6,69 +6,62 @@
 
 with lib;
 let
-  cfg = config.colinsane.impermanence;
+  cfg = config.sane.impermanence;
+  # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
+  secretsForUsers = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
 in
 {
-  imports = [
-    # TODO: move to flake.nix?
-    impermanence.nixosModule
-  ];
   options = {
-    colinsane.impermanence.enable = mkOption {
+    sane.impermanence.enable = mkOption {
       default = false;
       type = types.bool;
     };
+    sane.impermanence.home-dirs = mkOption {
+      default = [];
+      type = types.listOf (types.either types.str (types.attrsOf types.str));
+    };
+    sane.impermanence.service-dirs = mkOption {
+      default = [];
+      type = types.listOf (types.either types.str (types.attrsOf types.str));
+    };
   };
 
-  config = mkIf cfg.enable {
+  config = let
+    map-dir = defaults: dir: if isString dir then
+        map-dir defaults { directory = "${defaults.directory}${dir}"; }
+      else
+        defaults // dir
+      ;
+    map-dirs = defaults: dirs: builtins.map (map-dir defaults) dirs;
+
+    map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
+    map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
+
+  in mkIf cfg.enable {
+    sane.image.extraDirectories = [ "/nix/persist/var/log" ];
     environment.persistence."/nix/persist" = {
-      directories = [
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/archive"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/dev"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/records"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/ref"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/tmp"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/use"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/Music"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/Pictures"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/Videos"; }
-
-        # cache is probably too big to fit on the tmpfs
-        # TODO: we could bind-mount it to something which gets cleared per boot, though.
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.cache"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.cargo"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.rustup"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.ssh"; }
-        # intentionally omitted:
-        # "/home/colin/.config"  # managed by home-manager
-        # "/home/colin/.local"   # nothing useful in here
-        # "/home/colin/.mozilla" # managed by home-manager
-        # creds. TODO: can i manage this with home-manager?
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.config/spotify"; }
-        # creds, but also 200 MB of node modules, etc
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.config/discord"; }
-        # creds/session keys, etc
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.config/Element"; }
-
-        { user = "root"; group = "root"; mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
+      directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
+        # NB: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
+        # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
         # "/etc/nixos"
-        { user = "root"; group = "root"; mode = "0755"; directory = "/etc/ssh"; }
+        # "/etc/ssh"  # persist only the specific files we want, instead
+        "/var/log"
+        "/var/backup"  # for e.g. postgres dumps
         # "/var/lib/AccountsService"   # not sure what this is, but it's empty
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/alsa"; }                # preserve output levels, default devices
+        "/var/lib/alsa"                # preserve output levels, default devices
         # "/var/lib/blueman"           # files aren't human readable
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/bluetooth"; }           # preserve bluetooth handshakes
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/colord"; }              # preserve color calibrations (?)
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/duplicity"; }           # we need this mostly because of the size of duplicity's cache
+        "/var/lib/bluetooth"           # preserve bluetooth handshakes
+        "/var/lib/colord"              # preserve color calibrations (?)
         # "/var/lib/dhclient"          # empty on lappy; dunno about desko
         # "/var/lib/fwupd"             # not sure why this would need persistent state
         # "/var/lib/geoclue"           # empty on lappy
         # "/var/lib/lockdown"          # empty on desko; might store secrets after iOS handshake?
         # "/var/lib/logrotate.status"  # seems redundant with what's in /var/log?
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/machines"; }            # maybe not needed, but would be painful to add a VM and forget.
+        "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
         # "/var/lib/misc"              # empty on lappy
         # "/var/lib/NetworkManager"    # looks to be mostly impermanent state?
         # "/var/lib/NetworkManager-fortisslvpn" # empty on lappy
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/nixos"; }               # has some uid/gid maps; not sure what happens if we lose this.
+        # "/var/lib/nixos"             # has some uid/gid maps, but we enforce these to be deterministic.
         # "/var/lib/PackageKit"        # wtf is this?
         # "/var/lib/power-profiles-daemon"  # redundant with nixos declarations
         # "/var/lib/private"           # empty on lappy
@@ -77,45 +70,25 @@ in
         # "/var/lib/upower"            # historic charge data. unnecessary, but maybe used somewhere?
         #
         # servo additions:
-        { user = "998"; group = "996"; mode = "0755"; directory = "/var/lib/acme"; }  # TODO: mode?
-        # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
-        # "/var/lib/dovecot"
-        # "/var/lib/duplicity"
-        { user = "994"; group = "993"; mode = "0755"; directory = "/var/lib/gitea"; } # TODO: mode? could be more granular
-        { user = "261"; group = "261"; mode = "0755"; directory = "/var/lib/ipfs"; }  # TODO: mode? could be more granular
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/jackett"; } # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
-        { user = "996"; group = "994"; mode = "0755"; directory = "/var/lib/jellyfin"; } # TODO: mode? could be more granular
-        { user = "993"; group = "992"; mode = "0755"; directory = "/var/lib/matrix-appservice-irc"; } # TODO: mode?
-        { user = "224"; group = "224"; mode = "0755"; directory = "/var/lib/matrix-synapse"; } # TODO: mode?
-        { user = "221"; group = "221"; mode = "0755"; directory = "/var/lib/opendkim"; } # TODO: mode? move this to the nix config (SOPS)
-        { user = "997"; group = "995"; mode = "0755"; directory = "/var/lib/pleroma"; } # TODO: mode? could be more granular
-        { user = "71"; group = "71"; mode = "0755"; directory = "/var/lib/postgresql"; } # TODO: mode?
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/postfix"; } # TODO: mode? could be more granular
-        { user = "70"; group = "70"; mode = "0755"; directory = "/var/lib/transmission"; } # TODO: mode? we need this specifically for the stats tracking in .config/
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/var/lib/uninsane"; }
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/log"; }
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/backup"; }  # for e.g. postgres dumps
-        # TODO: what even GOES in /srv?
-        { user = "root"; group = "root"; mode = "0755"; directory = "/srv"; }
-      ];
-      files = [
-        "/etc/machine-id"
-        # "/home/colin/knowledge"
-        "/home/colin/.zsh_history"
-        # # XXX these only need persistence because i have mutableUsers = true, i think
-        # "/etc/group"
-        # "/etc/passwd"
-        # "/etc/shadow"
-        # { file = "/home/test2"; persistentStoragePath = "/nix/persist"; }
-      ];
+      ] ++ cfg.service-dirs);
+      # /etc/machine-id is a globally unique identifier used for:
+      # - systemd-networkd: DHCP lease renewal (instead of keying by the MAC address)
+      # - systemd-journald: to filter logs by host
+      # - chromium (potentially to track re-installations)
+      # - gdbus; system services that might upgrade to AF_LOCAL if both services can confirm they're on the same machine
+      # of these, systemd-networkd is the only legitimate case to persist the machine-id.
+      # depersisting it should be "safe"; edge-cases like systemd-networkd can be directed to use some other ID if necessary.
+      # nixos-impermanence shows binding the host ssh priv key to this; i could probably hash the host key into /etc/machine-id if necessary.
+      # files = [ "/etc/machine-id" ];
     };
 
-    systemd.services.sane-sops = {
-      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
-      script = config.system.activationScripts.setupSecrets.text;
-      after = [ "fs-local.target" ];
-      wantedBy = [ "multi-user.target" ];
+    # secret decoding depends on /etc/ssh keys, which may be persisted
+    system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
+    system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {
+      deps = [ "persist-ssh-host-keys" ];
     };
+    # populated by ssh.nix, which persists /etc/ssh/host_keys
+    system.activationScripts.persist-ssh-host-keys.text = lib.mkDefault "";
   };
 }
 

modules/nix.nix

@@ -1,34 +0,0 @@
-{ lib, config, ... }:
-
-with lib;
-let
-  cfg = config.colinsane.nixcache;
-in
-{
-  options = {
-    colinsane.nixcache.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = {
-    # use our own binary cache
-    nix.settings = mkIf cfg.enable {
-      substituters = [
-        "https://nixcache.uninsane.org"
-        "https://nix-community.cachix.org"
-        "https://cache.nixos.org/"
-      ];
-      trusted-public-keys = [
-        "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      ];
-    };
-
-    # allow `nix flake ...` command
-    nix.extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-}

modules/nixcache.nix

@@ -0,0 +1,47 @@
+# speed up builds from e.g. moby or lappy by having them query desko and servo first.
+# if one of these hosts is offline, instead manually specify just cachix:
+# - `nixos-rebuild --option substituters https://cache.nixos.org/`
+#
+# future improvements:
+# - apply for community arm build box:
+#   - <https://github.com/nix-community/aarch64-build-box>
+# - don't require all substituters to be online:
+#   - <https://github.com/NixOS/nix/pull/7188>
+
+{ lib, config, ... }:
+
+with lib;
+let
+  cfg = config.sane.nixcache;
+in
+{
+  options = {
+    sane.nixcache.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.nixcache.enable-trusted-keys = mkOption {
+      default = config.sane.nixcache.enable;
+      type = types.bool;
+    };
+  };
+
+  config = {
+    # use our own binary cache
+    # to explicitly build from a specific cache (in case others are down):
+    # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
+    # - `nix build ... --substituters http://desko:5000`
+    nix.settings.substituters = mkIf cfg.enable [
+      "https://nixcache.uninsane.org"
+      "http://desko:5000"
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+    ];
+    # always trust our keys (so one can explicitly use a substituter even if it's not the default
+    nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
+      "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
+      "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+}

modules/packages.nix

@@ -0,0 +1,272 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+with pkgs;
+let
+  cfg = config.sane.packages;
+  consolePkgs = [
+    backblaze-b2
+    cdrtools
+    dmidecode
+    duplicity
+    efivar
+    flashrom
+    fwupd
+    gnupg
+    gocryptfs
+    gopass
+    gopass-jsonapi
+    ifuse
+    ipfs
+    libimobiledevice
+    libsecret  # for managing user keyrings
+    lm_sensors  # for sensors-detect
+    lshw
+    ffmpeg
+    memtester
+    networkmanager
+    nixpkgs-review
+    # nixos-generators
+    # nettools
+    nmon
+    oathToolkit  # for oathtool
+    # ponymix
+    pulsemixer
+    python3
+    rsync
+    # python3Packages.eyeD3  # music tagging
+    sane-scripts
+    sequoia
+    snapper
+    sops
+    speedtest-cli
+    sqlite  # to debug sqlite3 databases
+    ssh-to-age
+    sudo
+    # tageditor  # music tagging
+    unar
+    visidata
+    w3m
+    wireguard-tools
+    # youtube-dl
+    yt-dlp
+  ];
+
+  guiPkgs = [
+    # GUI only
+    aerc  # email client
+    audacity
+    celluloid  # mpv frontend
+    chromium
+    clinfo
+    { pkg = dino; private = ".local/share/dino"; }
+    electrum
+
+    # creds/session keys, etc
+    { pkg = element-desktop; private = ".config/Element"; }
+    # `emote` will show a first-run dialog based on what's in this directory.
+    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    { pkg = emote; dir = ".local/share/Emote"; }
+    evince  # works on phosh
+
+    # { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
+
+    foliate
+    font-manager
+
+    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+    # then reboot (so that libsecret daemon re-loads the keyring...?)
+    { pkg = fractal-next; private = ".local/share/fractal"; }
+
+    gimp  # broken on phosh
+    gnome.cheese
+    gnome.dconf-editor
+    gnome-feeds  # RSS reader (with claimed mobile support)
+    gnome.file-roller
+    gnome.gnome-disk-utility
+    gnome.gnome-maps  # works on phosh
+    gnome.nautilus
+    # gnome-podcasts
+    gnome.gnome-system-monitor
+    gnome.gnome-terminal  # works on phosh
+    gnome.gnome-weather
+
+    { pkg = gpodder-configured; dir = "gPodder/Downloads"; }
+
+    gthumb
+    handbrake
+    inkscape
+
+    kdenlive
+    kid3  # audio tagging
+    krita
+    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
+    lollypop
+    mesa-demos
+
+    { pkg = mpv; dir = ".config/mpv/watch_later"; }
+
+    networkmanagerapplet
+
+    # not strictly necessary, but allows caching articles; offline use, etc.
+    { pkg = newsflash; dir = ".local/share/news-flash"; }
+
+    # settings (electron app). TODO: can i manage these settings with home-manager?
+    { pkg = obsidian; dir = ".config/obsidian"; }
+
+    pavucontrol
+    # picard  # music tagging
+    playerctl
+
+    libsForQt5.plasmatube  # Youtube player
+
+    soundconverter
+    # sublime music persists any downloaded albums here.
+    # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
+    # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
+    #   possible to pass config as a CLI arg (sublime-music -c config.json)
+    { pkg = sublime-music; dir = ".local/share/sublime-music"; }
+    tdesktop  # broken on phosh
+
+    { pkg = tokodon; dir = ".cache/KDE/tokodon"; }
+
+    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
+    { pkg = vlc; dir = ".config/vlc"; }
+
+    whalebird # pleroma client. input is broken on phosh
+    xdg-utils  # for xdg-open
+    xterm  # broken on phosh
+  ]
+  ++ (if pkgs.system == "x86_64-linux" then
+  [
+    # x86_64 only
+
+    # creds, but also 200 MB of node modules, etc
+    (let discord = (pkgs.discord.override {
+      # XXX 2022-07-31: fix to allow links to open in default web-browser:
+      #   https://github.com/NixOS/nixpkgs/issues/78961
+      nss = pkgs.nss_latest;
+    }); in { pkg = discord; dir = ".config/discord"; })
+
+    # kaiteki  # Pleroma client
+    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+
+    logseq
+    losslesscut-bin
+    makemkv
+
+    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+    { pkg = monero-gui; dir = ".bitmonero"; }
+
+    # creds, media
+    { pkg = signal-desktop; dir = ".config/Signal"; }
+
+    # creds. TODO: can i manage this with home-manager?
+    { pkg = spotify; dir = ".config/spotify"; }
+
+    # hardenedMalloc solves a crash at startup
+    (tor-browser-bundle-bin.override { useHardenedMalloc = false; })
+
+    # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
+    { pkg = zecwallet-lite; private = ".zcash"; }
+  ] else []);
+
+  # general-purpose utilities that we want any user to be able to access
+  #   (specifically: root, in case of rescue)
+  systemPkgs = [
+    btrfs-progs
+    cryptsetup
+    dig
+    efibootmgr
+    fatresize
+    fd
+    file
+    gptfdisk
+    hdparm
+    htop
+    iftop
+    inetutils  # for telnet
+    iotop
+    iptables
+    jq
+    killall
+    lsof
+    netcat
+    nethogs
+    nmap
+    openssl
+    parted
+    pciutils
+    powertop
+    ripgrep
+    screen
+    smartmontools
+    socat
+    usbutils
+    wget
+  ];
+
+  # useful devtools:
+  devPkgs = [
+    bison
+    dtc
+    flex
+    gcc
+    gdb
+    # gcc-arm-embedded
+    # gcc_multi
+    gnumake
+    mercurial
+    mix2nix
+    rustup
+    swig
+  ];
+in
+{
+  options = {
+    # packages to deploy to the user's home
+    sane.packages.extraUserPkgs = mkOption {
+      default = [ ];
+      # each entry can be either a package, or attrs:
+      #   { pkg = package; dir = optional string; private = optional string };
+      type = types.listOf (types.either types.package types.attrs);
+    };
+    sane.packages.enableConsolePkgs = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableGuiPkgs = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableDevPkgs = mkOption {
+      description = ''
+        enable packages that are useful for building other software by hand.
+        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
+      '';
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableSystemPkgs = mkOption {
+      default = false;
+      type = types.bool;
+      description = "enable system-wide packages";
+    };
+
+    sane.packages.enabledUserPkgs = mkOption {
+      default = cfg.extraUserPkgs
+        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
+        ++ (if cfg.enableGuiPkgs then guiPkgs else [])
+        ++ (if cfg.enableDevPkgs then devPkgs else [])
+      ;
+      type = types.listOf (types.either types.package types.attrs);
+      description = "generated from other config options";
+    };
+  };
+
+  config = {
+    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
+  };
+}

modules/pubkeys.nix

@@ -0,0 +1,34 @@
+# create ssh key by running:
+# - `ssh-keygen -t ed25519`
+let
+  withHost = host: key: "${host} ${key}";
+  withUser = user: key: "${key} ${user}";
+
+  keys = rec {
+    lappy = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+    };
+    desko = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+    };
+    servo = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+    };
+    moby = {
+      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+    };
+
+    "uninsane.org" = servo;
+    "git.uninsane.org" = servo;
+  };
+in {
+  # map hostname -> something suitable for known_keys
+  hosts = builtins.mapAttrs (host: keys: withHost host keys.host) keys;
+  # map hostname -> something suitable for authorized_keys to allow access to colin@<hostname>
+  users = builtins.mapAttrs (host: keys: withUser "colin@${host}" keys.users.colin) keys;
+}
+

modules/services/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./duplicity.nix
+    ./nixserve.nix
+  ];
+}

modules/services/duplicity.nix

@@ -1,22 +1,24 @@
 # docs: https://search.nixos.org/options?channel=21.11&query=duplicity
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 let
-  cfg = config.colinsane.services.duplicity;
+  cfg = config.sane.services.duplicity;
 in
 {
   options = {
-    colinsane.services.duplicity.enable = mkOption {
+    sane.services.duplicity.enable = mkOption {
       default = false;
       type = types.bool;
     };
   };
 
   config = mkIf cfg.enable {
+    # we need this mostly because of the size of duplicity's cache
+    sane.impermanence.service-dirs = [ "/var/lib/duplicity" ];
+
     services.duplicity.enable = true;
-    services.duplicity.targetUrl = ''"$DUPLICITY_URL"'';
-    services.duplicity.escapeUrl = false;
+    services.duplicity.targetUrl = "$DUPLICITY_URL";
     # format: PASSPHRASE=<cleartext> \n DUPLICITY_URL=b2://...
     # two sisters
     # PASSPHRASE: remote backups will be encrypted using this passphrase (using gpg)
@@ -29,28 +31,28 @@ in
     services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
     # NB: manually trigger with `systemctl start duplicity`
     services.duplicity.frequency = "daily";
-    services.duplicity.exclude = [
-      # impermanent/inconsequential data:
-      "/dev"
-      "/proc"
-      "/run"
-      "/sys"
-      "/tmp"
-      # bind mounted (dupes):
-      "/var/lib"
-      # other mounts
-      "/mnt"
-      # data that's not worth the cost to backup:
-      "/nix/persist/var/lib/uninsane/media"
-      "/nix/persist/home/colin/tmp"
-      "/nix/persist/home/colin/Videos"
-      "/home/colin/tmp"
-      "/home/colin/Videos"
-    ];
 
     services.duplicity.extraFlags = [
       # without --allow-source-mismatch, duplicity will abort if you change the hostname between backups
       "--allow-source-mismatch"
+
+      # includes/exclude ordering matters, so we explicitly control it here.
+      # the first match decides a file's treatment. so here:
+      # - /nix/persist/home/colin/tmp is excluded
+      # - *other* /nix/persist/ files are included by default
+      # - anything else under `/` are excluded by default
+      "--exclude" "/nix/persist/home/colin/dev/home-logic/coremem/out"  # this can reach > 1 TB
+      "--exclude" "/nix/persist/home/colin/use/iso"  # might want to re-enable... but not critical
+      "--exclude" "/nix/persist/home/colin/.local/share/sublime-music"  # music cache. better to just keep the HQ sources
+      "--exclude" "/nix/persist/home/colin/.local/share/Steam"  # can just re-download games
+      "--exclude" "/nix/persist/home/colin/.bitmonero/lmdb"  # monero blockchain
+      "--exclude" "/nix/persist/home/colin/.rustup"
+      "--exclude" "/nix/persist/home/colin/ref"  # publicly available data: no point in duplicating it
+      "--exclude" "/nix/persist/home/colin/tmp"
+      "--exclude" "/nix/persist/home/colin/Videos"
+      "--exclude" "/nix/persist/var/lib/duplicity"  # don't back up our own backup state!
+      "--include" "/nix/persist"
+      "--exclude" "/"
     ];
 
     # set this for the FIRST backup, then remove it to enable incremental backups
@@ -66,5 +68,26 @@ in
         "/dev/mmc0 5M"
       ];
     };
+
+    # based on <nixpkgs:nixos/modules/services/backup/duplicity.nix>  with changes:
+    # - remove the cleanup step: API key doesn't have delete perms
+    # - don't escape the targetUrl: it comes from an env var set in the secret file
+    systemd.services.duplicity.script = let
+      cfg = config.services.duplicity;
+      target = cfg.targetUrl;
+      extra = escapeShellArgs ([ "--archive-dir" "/var/lib/duplicity" ] ++ cfg.extraFlags);
+      dup = "${pkgs.duplicity}/bin/duplicity";
+    in lib.mkForce ''
+      set -x
+      # ${dup} cleanup ${target} --force ${extra}
+      # ${lib.optionalString (cfg.cleanup.maxAge != null) "${dup} remove-older-than ${lib.escapeShellArg cfg.cleanup.maxAge} ${target} --force ${extra}"}
+      # ${lib.optionalString (cfg.cleanup.maxFull != null) "${dup} remove-all-but-n-full ${builtins.toString cfg.cleanup.maxFull} ${target} --force ${extra}"}
+      # ${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-inc-of-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"}
+      exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArg cfg.root} ${target} ${lib.escapeShellArgs ([]
+        ++ concatMap (p: [ "--include" p ]) cfg.include
+        ++ concatMap (p: [ "--exclude" p ]) cfg.exclude
+        ++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ])
+        )} ${extra}
+    '';
   };
 }

modules/services/nixserve.nix

@@ -0,0 +1,33 @@
+# docs: https://nixos.wiki/wiki/Binary_Cache
+# to copy something to this machine's nix cache, do:
+#   nix copy --to ssh://nixcache.uninsane.org PACKAGE
+{ config, lib, ... }:
+
+with lib;
+let
+  cfg = config.sane.services.nixserve;
+in
+{
+  options = {
+    sane.services.nixserve.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.services.nixserve.sopsFile = mkOption {
+      type = types.path;
+      description = "path to file that contains the nix_serv_privkey secret (can be in VCS)";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.nix-serve = {
+      enable = true;
+      secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
+      openFirewall = true;  # not needed for servo; only desko
+    };
+
+    sops.secrets.nix_serve_privkey = {
+      sopsFile = cfg.sopsFile;
+    };
+  };
+}

modules/universal/default.nix

@@ -1,33 +0,0 @@
-{ pkgs, ... }:
-
-{
-  imports = [
-    ./fs.nix
-    ./home-manager.nix
-    ./secrets.nix
-    ./users.nix
-    ./vpn.nix
-  ];
-
-  time.timeZone = "America/Los_Angeles";
-
-  fonts = {
-    enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
-    fontconfig.enable = true;
-    fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
-      monospace = [ "Hack" ];
-      serif = [ "DejaVu Serif" ];
-      sansSerif = [ "DejaVu Sans" ];
-    };
-  };
-
-  # programs.vim.defaultEditor = true;
-  environment.variables = {
-    EDITOR = "vim";
-    # git claims it should use EDITOR, but it doesn't!
-    GIT_EDITOR = "vim";
-  };
-}
-

modules/universal/fs.nix

@@ -1,37 +0,0 @@
-{ pkgs, ... }:
-
-let sshOpts = {
-  fsType = "fuse.sshfs";
-  options = [
-    "x-systemd.automount"
-    "_netdev"
-    "user"
-    "idmap=user"
-    "transform_symlinks"
-    "identityfile=/home/colin/.ssh/id_ed25519"
-    "allow_other"
-    "default_permissions"
-    "uid=1000"
-    "gid=100"
-  ];
-};
-in
-{
-  fileSystems."/mnt/servo-media-wan" = {
-    device = "colin@uninsane.org:/var/lib/uninsane/media";
-    inherit (sshOpts) fsType options;
-  };
-  fileSystems."/mnt/servo-media-lan" = {
-    device = "colin@servo:/var/lib/uninsane/media";
-    inherit (sshOpts) fsType options;
-  };
-  fileSystems."/mnt/desko-home" = {
-    device = "colin@desko:/home/colin";
-    inherit (sshOpts) fsType options;
-  };
-
-  environment.systemPackages = [
-    pkgs.sshfs-fuse
-  ];
-}
-

modules/universal/home-manager.nix

@@ -1,365 +0,0 @@
-# docs:
-#   https://rycee.gitlab.io/home-manager/
-#   https://rycee.gitlab.io/home-manager/options.html
-#   man home-configuration.nix
-#
-
-{ home-manager, lib, config, pkgs, ... }:
-
-with lib;
-let
-  cfg = config.colinsane.home-manager;
-in
-{
-  imports = [
-    home-manager.nixosModule
-  ];
-
-  options = {
-    colinsane.home-manager.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-    colinsane.home-manager.extraPackages = mkOption {
-      default = [ ];
-      type = types.listOf types.package;
-    };
-    colinsane.home-manager.windowManager = mkOption {
-      default = {};
-      type = types.attrs;
-    };
-    colinsane.home-manager.programs = mkOption {
-      default = {};
-      type = types.attrs;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    sops.secrets."aerc_accounts" = {
-      owner = config.users.users.colin.name;
-      sopsFile = ../../secrets/universal/aerc_accounts.conf;
-      format = "binary";
-    };
-
-    home-manager.useGlobalPkgs = true;
-    home-manager.useUserPackages = true;
-
-    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
-    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
-    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
-      home.stateVersion = "21.11";
-      home.username = "colin";
-      home.homeDirectory = "/home/colin";
-
-      # XDG defines things like ~/Desktop, ~/Downloads, etc.
-      # these clutter the home, so i mostly don't use them.
-      xdg.userDirs = {
-        enable = true;
-        createDirectories = false;  # on headless systems, most xdg dirs are noise
-        desktop = "$HOME/.xdg/Desktop";
-        documents = "$HOME/dev";
-        download = "$HOME/tmp";
-        music = "$HOME/Music";
-        pictures = "$HOME/Pictures";
-        publicShare = "$HOME/.xdg/Public";
-        templates = "$HOME/.xdg/Templates";
-        videos = "$HOME/Videos";
-      };
-      xdg.mimeApps.enable = true;
-      xdg.mimeApps.defaultApplications = {
-        "text/html" = [ "librewolf.desktop" ];
-        "x-scheme-handler/http" = [ "librewolf.desktop" ];
-        "x-scheme-handler/https" = [ "librewolf.desktop" ];
-        "x-scheme-handler/about" = [ "librewolf.desktop" ];
-        "x-scheme-handler/unknown" = [ "librewolf.desktop" ];
-      };
-
-      # convenience
-      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
-      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
-
-      xdg.configFile."aerc/accounts.conf".source =
-        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
-
-      programs = {
-        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
-
-        zsh = {
-          enable = true;
-          enableSyntaxHighlighting = true;
-          enableVteIntegration = true;
-          dotDir = ".config/zsh";
-
-          initExtraBeforeCompInit = ''
-            # p10k instant prompt
-            # run p10k configure to configure, but it can't write out its file :-(
-            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
-          '';
-
-          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
-          # see: https://github.com/sorin-ionescu/prezto
-          prezto = {
-            enable = true;
-            pmodules = [
-              "environment"
-              "terminal"
-              "editor"
-              "history"
-              "directory"
-              "spectrum"
-              "utility"
-              "completion"
-              "prompt"
-              "git"
-            ];
-            prompt = {
-              theme = "powerlevel10k";
-            };
-          };
-        };
-        kitty = {
-          enable = true;
-          settings.enable_audio_bell = false;
-        };
-        git = {
-          enable = true;
-          userName = "colin";
-          userEmail = "colin@uninsane.org";
-        };
-
-        vim = {
-          enable = true;
-          extraConfig = ''
-            " wtf vim project: NOBODY LIKES MOUSE FOR VISUAL MODE
-            set mouse-=a
-            " copy/paste to system clipboard
-            set clipboard=unnamedplus
-            " <tab> completion menu settings
-            set wildmenu
-            set wildmode=longest,list,full
-            " highlight all matching searches (using / and ?)
-            set hlsearch
-            " allow backspace to delete empty lines in insert mode
-            set backspace=indent,eol,start
-            " built-in syntax highlighting
-            syntax enable
-            " show line/col number in bottom right
-            set ruler
-            " highlight trailing space & related syntax errors (does this work?)
-            let c_space_errors=1
-            let python_space_errors=1
-          '';
-        };
-
-        firefox = lib.mkIf (sysconfig.colinsane.gui.enable) {
-          # common settings to toggle (at runtime, in about:config):
-          #   > security.ssl.require_safe_negotiation
-          enable = true;
-          # librewolf is a forked firefox which patches firefox to allow more things
-          # (like default search engines) to be configurable at runtime.
-          # many of the settings below won't have effect without those patches.
-          # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
-          package = pkgs.wrapFirefox pkgs.librewolf-unwrapped {
-            # inherit the default librewolf.cfg
-            # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-            inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-            libName = "librewolf";
-            extraPolicies = {
-              NoDefaultBookmarks = true;
-              SearchEngines = {
-                Default = "DuckDuckGo";
-              };
-              AppUpdateURL = "https://localhost";
-              DisableAppUpdate = true;
-              OverrideFirstRunPage = "";
-              OverridePostUpdatePage = "";
-              DisableSystemAddonUpdate = true;
-              DisableFirefoxStudies = true;
-              DisableTelemetry = true;
-              DisableFeedbackCommands = true;
-              DisablePocket = true;
-              DisableSetDesktopBackground = false;
-              Extensions = {
-                Install = [
-                  "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
-                  "https://addons.mozilla.org/firefox/downloads/latest/i-dont-care-about-cookies/latest.xpi"
-                  "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
-                  "https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
-                  "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
-                  "https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
-                ];
-                # remove many default search providers
-                Uninstall = [
-                  "google@search.mozilla.org"
-                  "bing@search.mozilla.org"
-                  "amazondotcom@search.mozilla.org"
-                  "ebay@search.mozilla.org"
-                  "twitter@search.mozilla.org"
-                ];
-              };
-              # XXX doesn't seem to have any effect...
-              # docs: https://github.com/mozilla/policy-templates#homepage
-              # Homepage = {
-              #   HomepageURL = "https://uninsane.org/";
-              #   StartPage = "homepage";
-              # };
-              # NewTabPage = true;
-              # docs: https://chromeenterprise.google/policies/?policy=ManagedBookmarks
-              # docs: https://github.com/mozilla/policy-templates#managedbookmarks
-              ManagedBookmarks = [
-                {
-                  toplevel_name = "bookmarks";
-                }
-                {
-                  name = "Pleroma";
-                  url = "https://fed.uninsane.org/";
-                }
-                {
-                  name = "Home Manager Config";
-                  url = "https://nix-community.github.io/home-manager/options.html";
-                }
-                {
-                  name = "Delightful Apps";
-                  url = "https://delightful.club/";
-                }
-                {
-                  name = "Linux Phone Apps";
-                  url = "https://linuxphoneapps.org/mobile-compatibility/5/";
-                }
-                {
-                  name = "Crowdsupply";
-                  url = "https://www.crowdsupply.com/";
-                }
-                {
-                  name = "Mempool";
-                  url = "https://jochen-hoenicke.de/queue";
-                }
-              ];
-            };
-          };
-        };
-
-        # "command not found" will cause the command to be searched in nixpkgs
-        nix-index.enable = true;
-      } // cfg.programs;
-
-      home.shellAliases = {
-        ":q" = "exit";
-        # common typos
-        "cd.." = "cd ..";
-        "cd../" = "cd ../";
-      };
-
-      wayland.windowManager = cfg.windowManager;
-
-      # devtools:
-      # bison
-      # dtc
-      # flex
-      # gcc-arm-embedded
-      # gcc_multi
-      # swig
-
-      home.packages = with pkgs; [
-        backblaze-b2
-        btrfs-progs
-        cryptsetup
-        dig
-        duplicity
-        efibootmgr
-        fatresize
-        fd
-        file
-        gcc
-        gnumake
-        gptfdisk
-        hdparm
-        htop
-        iftop
-        ifuse
-        inetutils  # for telnet
-        iotop
-        ipfs
-        iptables
-        jq
-        killall
-        libimobiledevice
-        lm_sensors  # for sensors-detect
-        lsof
-        mix2nix
-        netcat
-        nethogs
-        networkmanager
-        nixpkgs-review
-        # nixos-generators
-        # nettools
-        nmap
-        oathToolkit  # for oathtool
-        openssl
-        parted
-        pciutils
-        # ponymix
-        powertop
-        pulsemixer
-        python3
-        ripgrep
-        rmlint
-        rustup
-        sane-scripts
-        screen
-        smartmontools
-        snapper
-        socat
-        sops
-        ssh-to-age
-        sudo
-        usbutils
-        wget
-        wireguard-tools
-        youtube-dl
-        zola
-      ]
-      ++ (if sysconfig.colinsane.gui.enable then
-      with pkgs;
-      [
-        # GUI only
-        aerc  # email client
-        audacity
-        chromium
-        clinfo
-        element-desktop  # broken on phosh
-        evince  # works on phosh
-        font-manager
-        gimp  # broken on phosh
-        gnome.dconf-editor
-        gnome-feeds  # RSS reader (with claimed mobile support)
-        gnome.file-roller
-        gnome.gnome-maps  # works on phosh
-        gnome.nautilus
-        gnome-podcasts
-        gnome.gnome-terminal  # works on phosh
-        inkscape
-        libreoffice-fresh  # XXX colin: maybe don't want this on mobile
-        mesa-demos
-        networkmanagerapplet
-        obsidian
-        playerctl
-        tdesktop  # broken on phosh
-        vlc  # works on phosh
-        whalebird # pleroma client. input is broken on phosh
-        xterm  # broken on phosh
-      ] else [])
-      ++ (if sysconfig.colinsane.gui.enable && pkgs.system == "x86_64-linux" then
-      with pkgs;
-      [
-        # x86_64 only
-        discord
-        kaiteki  # Pleroma client
-        gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
-        signal-desktop
-        spotify
-      ] else [])
-      ++ cfg.extraPackages;
-    };
-  };
-}

modules/universal/users.nix

@@ -1,52 +0,0 @@
-{ pkgs, lib, ... }:
-
-# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
-{
-  # Users are exactly these specified here;
-  # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
-  users.mutableUsers = false;
-
-  # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
-  users.users.colin = {
-    # sets group to "users" (?)
-    isNormalUser = true;
-    home = "/home/colin";
-    uid = 1000;
-    # XXX colin: this is what the installer has, but is it necessary?
-    # group = "users";
-    extraGroups = [
-      "wheel"
-      "nixbuild"
-      "networkmanager"
-      # phosh/mobile. XXX colin: unsure if necessary
-      "video"
-      "feedbackd"
-      "dialout" # required for modem access
-    ];
-    initialPassword = lib.mkDefault "";
-    shell = pkgs.zsh;
-    # shell = pkgs.bashInteractive;
-    # XXX colin: create ssh key for THIS user by logging in and running:
-    #   ssh-keygen -t ed25519
-    openssh.authorizedKeys.keys = [
-      # TODO: is this key dead?
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGSDe/y0e9PSeUwYlMPjzhW0UhNsGAGsW3lCG3apxrD5 colin@colin.desktop"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
-      # TODO: should probably only let this authenticate to my server
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCLCA9KbjXaXNNMJJvqbPO5KQQ64JCdG8sg88AfdKzi colin@moby"
-    ];
-  };
-
-  security.sudo = {
-    enable = true;
-    wheelNeedsPassword = false;
-  };
-
-  services.openssh = {
-    enable = true;
-    permitRootLogin = "no";
-    passwordAuthentication = false;
-  };
-}

modules/universal/vpn.nix

@@ -1,31 +0,0 @@
-{ config, ... }:
-
-{
-  networking.wg-quick.interfaces.ovpnd = {
-    address = [
-      "172.27.237.218/32"
-      "fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
-    ];
-    dns = [
-      "46.227.67.134"
-      "192.165.9.158"
-    ];
-    peers = [
-      {
-        allowedIPs = [
-          "0.0.0.0/0"
-          "::/0"
-        ];
-        endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
-        publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
-      }
-    ];
-    privateKeyFile = config.sops.secrets.wg_ovpnd_privkey.path;
-    # to start: `systemctl start wg-quick-ovpnd`
-    autostart = false;
-  };
-
-  sops.secrets."wg_ovpnd_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-}

nixpatches/04-dart-2.7.0.patch

@@ -1,302 +0,0 @@
-diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
-index 9eba6773448..f51aeb8b624 100644
---- a/pkgs/development/compilers/flutter/default.nix
-+++ b/pkgs/development/compilers/flutter/default.nix
-@@ -4,20 +4,20 @@ let
-   getPatches = dir:
-     let files = builtins.attrNames (builtins.readDir dir);
-     in map (f: dir + ("/" + f)) files;
--  version = "2.10.1";
-+  version = "3.0.0";
-   channel = "stable";
-   filename = "flutter_linux_${version}-${channel}.tar.xz";
- 
-   # Decouples flutter derivation from dart derivation,
-   # use specific dart version to not need to bump dart derivation when bumping flutter.
--  dartVersion = "2.16.1";
-+  dartVersion = "2.17.0";
-   dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
-   dartForFlutter = dart.override {
-     version = dartVersion;
-     sources = {
-       "${dartVersion}-x86_64-linux" = fetchurl {
-         url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
--        sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
-+        sha256 = "57b8fd964e47c81d467aeb95b099a670ab7e8f54a1cd74d45bcd1fdc77913d86";
-       };
-     };
-   };
-@@ -29,7 +29,7 @@ in {
-     pname = "flutter";
-     src = fetchurl {
-       url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
--      sha256 = "sha256-rSfwcglDV2rvJl10j7FByAWmghd2FYxrlkgYnvRO54Y=";
-+      sha256 = "e96d75ec8e7dc2a46bc8dad5a9e01c391ab9310ad01c4e3940c963dd263788a0";
-     };
-     patches = getPatches ./patches;
-   };
-diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
-index 43538ede339..ece25c14b55 100644
---- a/pkgs/development/compilers/flutter/flutter.nix
-+++ b/pkgs/development/compilers/flutter/flutter.nix
-@@ -56,12 +56,15 @@ let
-       export STAMP_PATH="$FLUTTER_ROOT/bin/cache/flutter_tools.stamp"
- 
-       export DART_SDK_PATH="${dart}"
-+      export DART="${dart}/bin/dart"
- 
-       HOME=../.. # required for pub upgrade --offline, ~/.pub-cache
-                  # path is relative otherwise it's replaced by /build/flutter
-+      # mkdir -p "$HOME/.cache"
-+      # ln -sf "$FLUTTER_ROOT" "$HOME/.cache/flutter"
- 
-       pushd "$FLUTTER_TOOLS_DIR"
--      ${dart}/bin/pub get --offline
-+      ${dart}/bin/dart pub get --offline
-       popd
- 
-       local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
-diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/git-dir.patch
-new file mode 100644
-index 00000000000..0c736f945ea
---- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/git-dir.patch
-@@ -0,0 +1,102 @@
-+diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
-+index 468a91a954..5def6897ce 100644
-+--- a/dev/bots/prepare_package.dart
-++++ b/dev/bots/prepare_package.dart
-+@@ -525,7 +525,7 @@ class ArchiveCreator {
-+ 
-+   Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
-+     return _processRunner.runProcess(
-+-      <String>['git', ...args],
-++      <String>['git', '--git-dir', '.git', ...args],
-+       workingDirectory: workingDirectory ?? flutterRoot,
-+     );
-+   }
-+diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
-+index bb0eb428a9..4a2a48bb5e 100644
-+--- a/packages/flutter_tools/lib/src/commands/downgrade.dart
-++++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
-+@@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
-+     // Detect unknown versions.
-+     final ProcessUtils processUtils = _processUtils!;
-+     final RunResult parseResult = await processUtils.run(<String>[
-+-      'git', 'describe', '--tags', lastFlutterVersion,
-++      'git', '--git-dir', '.git', 'describe', '--tags', lastFlutterVersion,
-+     ], workingDirectory: workingDirectory);
-+     if (parseResult.exitCode != 0) {
-+       throwToolExit('Failed to parse version for downgrade:\n${parseResult.stderr}');
-+@@ -191,7 +191,7 @@ class DowngradeCommand extends FlutterCommand {
-+         continue;
-+       }
-+       final RunResult parseResult = await _processUtils!.run(<String>[
-+-        'git', 'describe', '--tags', sha,
-++        'git', '--git-dir', '.git', 'describe', '--tags', sha,
-+       ], workingDirectory: workingDirectory);
-+       if (parseResult.exitCode == 0) {
-+         buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
-+diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
-+index f2068a6ca2..99b161689e 100644
-+--- a/packages/flutter_tools/lib/src/version.dart
-++++ b/packages/flutter_tools/lib/src/version.dart
-+@@ -106,7 +106,7 @@ class FlutterVersion {
-+     String? channel = _channel;
-+     if (channel == null) {
-+       final String gitChannel = _runGit(
-+-        'git rev-parse --abbrev-ref --symbolic @{u}',
-++        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
-+         globals.processUtils,
-+         _workingDirectory,
-+       );
-+@@ -114,7 +114,7 @@ class FlutterVersion {
-+       if (slash != -1) {
-+         final String remote = gitChannel.substring(0, slash);
-+         _repositoryUrl = _runGit(
-+-          'git ls-remote --get-url $remote',
-++          'git --git-dir .git ls-remote --get-url $remote',
-+           globals.processUtils,
-+           _workingDirectory,
-+         );
-+@@ -326,7 +326,7 @@ class FlutterVersion {
-+   /// the branch name will be returned as `'[user-branch]'`.
-+   String getBranchName({ bool redactUnknownBranches = false }) {
-+     _branch ??= () {
-+-      final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
-++      final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
-+       return branch == 'HEAD' ? channel : branch;
-+     }();
-+     if (redactUnknownBranches || _branch!.isEmpty) {
-+@@ -359,7 +359,7 @@ class FlutterVersion {
-+   /// wrapper that does that.
-+   @visibleForTesting
-+   static List<String> gitLog(List<String> args) {
-+-    return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
-++    return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
-+   }
-+ 
-+   /// Gets the release date of the latest available Flutter version.
-+@@ -730,7 +730,7 @@ class GitTagVersion {
-+ 
-+   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
-+     if (fetchTags) {
-+-      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-++      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
-+       if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
-+         globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
-+       } else {
-+@@ -739,7 +739,7 @@ class GitTagVersion {
-+     }
-+     // find all tags attached to the given [gitRef]
-+     final List<String> tags = _runGit(
-+-      'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
-++      'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
-+ 
-+     // Check first for a stable tag
-+     final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
-+@@ -760,7 +760,7 @@ class GitTagVersion {
-+     // recent tag and number of commits past.
-+     return parse(
-+       _runGit(
-+-        'git describe --match *.*.* --long --tags $gitRef',
-++        'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
-+         processUtils,
-+         workingDirectory,
-+       )
-diff --git a/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
-new file mode 100644
-index 00000000000..f68029eb7a1
---- /dev/null
-+++ b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
-@@ -0,0 +1,130 @@
-+diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
-+index 2aac9686e8..32c4b98b88 100644
-+--- a/packages/flutter_tools/lib/src/artifacts.dart
-++++ b/packages/flutter_tools/lib/src/artifacts.dart
-+@@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
-+   ) {
-+     switch (artifact) {
-+       case HostArtifact.engineDartSdkPath:
-+-        final String path = _dartSdkPath(_cache);
-++        final String path = _dartSdkPath(_fileSystem);
-+         return _fileSystem.directory(path);
-+       case HostArtifact.engineDartBinary:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.flutterWebSdk:
-+         final String path = _getFlutterWebSdkPath();
-+@@ -398,7 +398,7 @@ class CachedArtifacts implements Artifacts {
-+       case HostArtifact.dart2jsSnapshot:
-+       case HostArtifact.dartdevcSnapshot:
-+       case HostArtifact.kernelWorkerSnapshot:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.iosDeploy:
-+         final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
-+@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
-+   String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
-+     final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+     switch (artifact) {
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-++        assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
-++        return _fileSystem.path.join(engineDir, _artifactToFileName(artifact));
-+       case Artifact.genSnapshot:
-+         assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
-+         final String hostPlatform = getNameForHostPlatform(getCurrentHostPlatform());
-+         return _fileSystem.path.join(engineDir, hostPlatform, _artifactToFileName(artifact));
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.constFinder:
-+       case Artifact.flutterFramework:
-+       case Artifact.flutterMacOSFramework:
-+@@ -497,13 +499,13 @@ class CachedArtifacts implements Artifacts {
-+     switch (artifact) {
-+       case Artifact.genSnapshot:
-+       case Artifact.flutterXcframework:
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+         final String artifactFileName = _artifactToFileName(artifact)!;
-+         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+         return _fileSystem.path.join(engineDir, artifactFileName);
-+       case Artifact.flutterFramework:
-+         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
-+         return _getIosEngineArtifactPath(engineDir, environmentType, _fileSystem);
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.constFinder:
-+       case Artifact.flutterMacOSFramework:
-+       case Artifact.flutterMacOSPodspec:
-+@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
-+         // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
-+         // android_arm in profile mode because it is available on all supported host platforms.
-+         return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
-+-      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+-        return _fileSystem.path.join(
-+-          _dartSdkPath(_cache), 'bin', 'snapshots',
-+-          _artifactToFileName(artifact),
-+-        );
-+       case Artifact.flutterTester:
-+       case Artifact.vmSnapshotData:
-+       case Artifact.isolateSnapshotData:
-++      case Artifact.frontendServerSnapshotForEngineDartSdk:
-+       case Artifact.icuData:
-+         final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
-+         final String platformDirName = _enginePlatformDirectoryName(platform);
-+@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
-+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.dartdevcSnapshot:
-+-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+         return _fileSystem.file(path);
-+       case HostArtifact.kernelWorkerSnapshot:
-+         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
-+       case Artifact.windowsUwpCppClientWrapper:
-+         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
-+       case Artifact.frontendServerSnapshotForEngineDartSdk:
-+-        return _fileSystem.path.join(
-+-          _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
-+-        );
-++        return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
-+       case Artifact.uwptool:
-+         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
-+     }
-+@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
-+ }
-+ 
-+ /// Locate the Dart SDK.
-+-String _dartSdkPath(Cache cache) {
-+-  return cache.getRoot().childDirectory('dart-sdk').path;
-++String _dartSdkPath(FileSystem fileSystem) {
-++  return fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'dart-sdk');
-+ }
-+ 
-+ class _TestArtifacts implements Artifacts {
-+diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
-+index d906511a15..adfdd4bb42 100644
-+--- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
-++++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
-+@@ -153,10 +153,6 @@ void main() {
-+         artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
-+         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
-+       );
-+-      expect(
-+-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
-+-        fileSystem.path.join('root', 'bin', 'cache', 'dart-sdk', 'bin', 'snapshots', 'frontend_server.dart.snapshot')
-+-      );
-+     });
-+ 
-+     testWithoutContext('precompiled web artifact paths are correct', () {
-+@@ -322,11 +318,6 @@ void main() {
-+         artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
-+         fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
-+       );
-+-      expect(
-+-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
-+-        fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
-+-          'snapshots', 'frontend_server.dart.snapshot')
-+-      );
-+     });
-+ 
-+     testWithoutContext('getEngineType', () {

nixpatches/10-flutter-arm64.patch

@@ -0,0 +1,40 @@
+diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+index 565c44f72e9..f20a3d4e9be 100644
+--- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
++++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+@@ -4,13 +4,19 @@
+ , olm
+ , imagemagick
+ , makeDesktopItem
++, stdenv
+ }:
+ 
++let vendorHashes = {
++  x86_64-linux = "sha256-p5EJP2zSvWyRV1uyTHw0EpFsEwAGtX5B9WVjpLmnVew=";
++  aarch64-linux = "sha256-Ps0HmDI6BFxHrLRq3KWNk4hw0qneq5hqB/Mp99f+hO4=";
++};
++in
+ flutter.mkFlutterApp rec {
+   pname = "fluffychat";
+   version = "1.6.1";
+ 
+-  vendorHash = "sha256-SelMRETFYZgTStV90gRoKhazu1NPbcSMO9mYebSQskQ=";
++  vendorHash = vendorHashes."${stdenv.hostPlatform.system}" or (throw "unsupported system: ${stdenv.hostPlatform.system}");
+ 
+   src = fetchFromGitLab {
+     owner = "famedly";
+diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
+index 9eba6773448..e9d352169b2 100644
+--- a/pkgs/development/compilers/flutter/default.nix
++++ b/pkgs/development/compilers/flutter/default.nix
+@@ -19,6 +19,10 @@ let
+         url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
+         sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
+       };
++      "${dartVersion}-aarch64-linux" = fetchurl {
++        url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-arm64-release.zip";
++        sha256 = "sha256-BIK6kUx+m+/GfR/wBXv8rjVNbP6w1HFvH/RGIwiaJog=";
++      };
+     };
+   };
+ in {