phosh: enable fewer gnome services/packages

this builds packages precisely as they are defined by the given host.
significant for testing whether a cross-compiled host builds things
correctly, for example.

flake.lock

@@ -15,35 +15,14 @@
         "type": "github"
       }
     },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1667907331,
-        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "release-22.05",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1670131242,
-        "narHash": "sha256-T/o1/3gffr010fsqgNshs1NJJjsnUYvQnUZgm6hilsY=",
+        "lastModified": 1674880620,
+        "narHash": "sha256-JMALuC7xcoH/T66sKTVLuItHfOJBCWsNKpE49Qrvs80=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "5ee45cc1f8e43f4af14ee17ccef9156b0db8cd77",
+        "rev": "7478a9ffad737486951186b66f6c5535dc5802e2",
         "type": "github"
       },
       "original": {
@@ -60,37 +39,22 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-5eJxyBRYQCoRt92ZFUOdT237Z0VscuNRd0pktDYWJYE=",
-        "path": "nixpatches",
+        "narHash": "sha256-rkVbviFmYYmbbVfvFRtOM95IjETbNu3I517Hrxp8EF4=",
+        "path": "/nix/store/8azr0ivnzf0y1sh2r7alxaxab3w49ggx-source/nixpatches",
         "type": "path"
       },
       "original": {
-        "path": "nixpatches",
+        "path": "/nix/store/8azr0ivnzf0y1sh2r7alxaxab3w49ggx-source/nixpatches",
         "type": "path"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1673163619,
-        "narHash": "sha256-B33PFBL64ZgTWgMnhFL3jgheAN/DjHPsZ1Ih3z0VE5I=",
+        "lastModified": 1675265860,
+        "narHash": "sha256-PZNqc4ZnTRT34NsHJYbXn+Yhghh56l8HEXn39SMpGNc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8c54d842d9544361aac5f5b212ba04e4089e8efe",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-22.11",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs-stable_2": {
-      "locked": {
-        "lastModified": 1673100377,
-        "narHash": "sha256-mT76pTd0YFxT6CwtPhDgHJhuIgLY+ZLSMiQpBufwMG4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "9f11a2df77cb945c115ae2a65f53f38121597d73",
+        "rev": "a3a1400571e3b9ccc270c2e8d36194cf05aab6ce",
         "type": "github"
       },
       "original": {
@@ -102,25 +66,24 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1673226411,
-        "narHash": "sha256-b6cGb5Ln7Zy80YO66+cbTyGdjZKtkoqB/iIIhDX9gRA=",
-        "owner": "NixOS",
+        "lastModified": 1675273418,
+        "narHash": "sha256-tpYc4TEGvDzh9uRf44QemyQ4TpVuUbxb07b2P99XDbM=",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "aa1d74709f5dac623adb4d48fdfb27cc2c92a4d4",
+        "rev": "4d7c2644dbac9cf8282c0afe68fca8f0f3e7b2db",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
+        "owner": "nixos",
         "ref": "nixos-unstable",
-        "type": "indirect"
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "root": {
       "inputs": {
-        "home-manager": "home-manager",
         "mobile-nixos": "mobile-nixos",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-stable": "nixpkgs-stable",
         "nixpkgs-unpatched": "nixpkgs-unpatched",
         "sops-nix": "sops-nix",
         "uninsane-dot-org": "uninsane-dot-org"
@@ -131,14 +94,14 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1673147300,
-        "narHash": "sha256-gR9OEfTzWfL6vG0qkbn1TlBAOlg4LuW8xK/u0V41Ihc=",
+        "lastModified": 1675288837,
+        "narHash": "sha256-76s8TLENa4PzWDeuIpEF78gqeUrXi6rEJJaKEAaJsXw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2253120d2a6147e57bafb5c689e086221df8032f",
+        "rev": "a81ce6c961480b3b93498507074000c589bd9d60",
         "type": "github"
       },
       "original": {
@@ -155,11 +118,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1666870107,
-        "narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
+        "lastModified": 1675131883,
+        "narHash": "sha256-yBgJDG72YqIr1bltasqHD1E/kHc9uRFgDjxDmy6kI8M=",
         "ref": "refs/heads/master",
-        "rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
-        "revCount": 164,
+        "rev": "b099c24091cc192abf3997b94342d4b31cc5757b",
+        "revCount": 170,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -1,24 +1,39 @@
-# docs:
-# - <https://nixos.wiki/wiki/Flakes>
+# FLAKE FEEDBACK:
+# - if flake inputs are meant to be human-readable, a human should be able to easily track them down given the URL.
+#   - this is not the case with registry URLs, like `nixpkgs/nixos-22.11`.
+#   - this is marginally the case with schemes like `github:nixos/nixpkgs`.
+#   - given the *existing* `git+https://` scheme, i propose expressing github URLs similarly:
+#     - `github+https://github.com/nixos/nixpkgs/tree/nixos-22.11`
+# - need some way to apply local patches to inputs.
+#
+#
+# DEVELOPMENT DOCS:
+# - Flake docs: <https://nixos.wiki/wiki/Flakes>
+# - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
+#   - Discussion: <https://github.com/NixOS/rfcs/pull/49>
 # - <https://serokell.io/blog/practical-nix-flakes>
 
 {
+  # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
+  # preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
+  # but `inputs` is required to be a strict attrset: not an expression.
   inputs = {
-    nixpkgs-stable.url = "nixpkgs/nixos-22.11";
-    nixpkgs-unpatched.url = "nixpkgs/nixos-unstable";
+    # <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
+    # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
+
+    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
     nixpkgs = {
-      url = "path:nixpatches";
+      url = "./nixpatches";
       inputs.nixpkgs.follows = "nixpkgs-unpatched";
     };
     mobile-nixos = {
+      # <https://github.com/nixos/mobile-nixos>
       url = "github:nixos/mobile-nixos";
       flake = false;
     };
-    home-manager = {
-      url = "github:nix-community/home-manager/release-22.05";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     sops-nix = {
+      # <https://github.com/Mic92/sops-nix>
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
@@ -31,22 +46,23 @@
   outputs = {
     self,
     nixpkgs,
-    nixpkgs-stable,
     nixpkgs-unpatched,
     mobile-nixos,
-    home-manager,
     sops-nix,
-    uninsane-dot-org
-  }:
+    uninsane-dot-org,
+    ...
+  }@inputs:
     let
       nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
 
       evalHost = { name, local, target }:
         let
-          # XXX: we'd prefer to use `nixosSystem = (nixpkgsCompiledBy local).nixos`
+          # XXX: we'd prefer to use `nixosSystem = (nixpkgsCompiledBy target).nixos`
           # but it doesn't propagate config to the underlying pkgs, meaning it doesn't let you use
           # non-free packages even after setting nixpkgs.allowUnfree.
-          nixosSystem = import ((nixpkgsCompiledBy local).path + "/nixos/lib/eval-config.nix");
+          # XXX: patch using the target -- not local -- otherwise the target will
+          # need to emulate the host in order to rebuild!
+          nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
         in
           (nixosSystem {
             # we use pkgs built for and *by* the target, i.e. emulation, by default.
@@ -60,7 +76,11 @@
                 nixpkgs.overlays = [
                   self.overlays.default
                   self.overlays.passthru
+                  self.overlays.pins
                 ];
+                # nixpkgs.crossSystem = target;
+                nixpkgs.hostPlatform = target;
+                nixpkgs.buildPlatform = local;
               }
             ];
           });
@@ -94,14 +114,20 @@
       #   - `nixos-rebuild --flake './#<host>' switch`
       imgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.img) self.nixosConfigurations;
 
+      host-pkgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.pkgs) self.nixosConfigurations;
+
       overlays = rec {
         default = pkgs;
-        pkgs = import ./pkgs/overlay.nix;
+        pkgs = import ./overlays/pkgs.nix;
+        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
         passthru =
           let
-            stable = next: prev: {
-              stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform}";
-            };
+            stable =
+              if inputs ? "nixpkgs-stable" then (
+                next: prev: {
+                  stable = inputs.nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+                }
+              ) else (next: prev: {});
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlay;
           in
@@ -114,7 +140,6 @@
         sane = import ./modules;
         passthru = { ... }: {
           imports = [
-            home-manager.nixosModule
             sops-nix.nixosModules.sops
           ];
         };
@@ -146,6 +171,7 @@
           };
 
           init-feed = {
+            # use like `nix run '.#init-feed' uninsane.org`
             type = "app";
             program = "${pkgs.feeds.passthru.initFeedScript}";
           };

hosts/by-name/desko/default.nix

@@ -4,14 +4,16 @@
     ./fs.nix
   ];
 
-  # sane.packages.enableDevPkgs = true;
-
-  sane.gui.sway.enable = true;
+  sane.roles.client = true;
+  sane.services.wg-home.enable = true;
+  sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.services.duplicity.enable = true;
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
+  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
   sane.persist.enable = true;
 
+  sane.gui.sway.enable = true;
+
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
@@ -19,7 +21,7 @@
   services.usbmuxd.enable = true;
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/desko.yaml;
+    sopsFile = ../../../secrets/desko.yaml;
     neededForUsers = true;
   };
 
@@ -41,7 +43,7 @@
   };
 
   sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../secrets/desko.yaml;
+    sopsFile = ../../../secrets/desko.yaml;
   };
 
   programs.steam = {
@@ -50,7 +52,7 @@
     remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
     dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
   };
-  sane.persist.home.plaintext = [
+  sane.user.persist.plaintext = [
     ".steam"
     ".local/share/Steam"
   ];

hosts/by-name/lappy/default.nix

@@ -1,12 +1,14 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   imports = [
     ./fs.nix
   ];
 
-  # sane.packages.enableDevPkgs = true;
+  sane.roles.client = true;
+  sane.services.wg-home.enable = true;
+  sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
-  # sane.users.guest.enable = true;
+  # sane.guest.enable = true;
   sane.gui.sway.enable = true;
   sane.persist.enable = true;
   sane.nixcache.enable = true;
@@ -14,7 +16,7 @@
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/lappy.yaml;
+    sopsFile = ../../../secrets/lappy.yaml;
     neededForUsers = true;
   };
 

hosts/by-name/moby/default.nix

@@ -6,6 +6,13 @@
     ./kernel.nix
   ];
 
+  sane.roles.client = true;
+  sane.services.wg-home.enable = true;
+  sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
+
+  # TODO: re-enable once base is cross-compiled
+  sane.programs.guiApps.enableSuggested = false;
+
   # cross-compiled documentation is *slow*.
   # no obvious way to natively compile docs (2022/09/29).
   # entrypoint is nixos/modules/misc/documentation.nix
@@ -19,20 +26,22 @@
   services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/moby.yaml;
+    sopsFile = ../../../secrets/moby.yaml;
     neededForUsers = true;
   };
 
-  # usability compromises
-  sane.web-browser.persistCache = "private";
-  sane.web-browser.persistData = "private";
-  sane.persist.home.plaintext = [
-    ".config/pulse"  # persist pulseaudio volume
-  ];
+  sane.web-browser = {
+    # compromise impermanence for the sake of usability
+    persistCache = "private";
+    persistData = "private";
 
-  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
-  sane.packages.extraUserPkgs = [
-    pkgs.plasma5Packages.konsole  # terminal
+    # i don't do crypto stuff on moby
+    addons.ether-metamask.enable = false;
+    # addons.sideberry.enable = false;
+  };
+
+  sane.user.persist.plaintext = [
+    ".config/pulse"  # persist pulseaudio volume
   ];
 
   sane.nixcache.enable = true;
@@ -54,9 +63,10 @@
 
   # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
   # this is because they can't allocate enough video ram.
-  # the default CMA seems to be 32M. we could probably get by with as little as 64M, and safely with 128M.
+  # the default CMA seems to be 32M.
+  # i was running fine with 256MB from 2022/07-ish through 2022/12-ish, but then the phone quit reliably coming back from sleep: maybe a memory leak?
   # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
-  boot.kernelParams = [ "cma=256M" ];
+  boot.kernelParams = [ "cma=512M" ];
 
   # mobile-nixos' /lib/firmware includes:
   #   rtl_bt          (bluetooth)

hosts/by-name/moby/kernel.nix

@@ -125,6 +125,9 @@ in
         # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
         # make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
         FB_SUN5I_EINK = no;
+        # used by the pinephone pro, but fails to compile with:
+        # ../drivers/media/i2c/ov8858.c:1834:27: error: implicit declaration of function 'compat_ptr'
+        VIDEO_OV8858 = no;
       })
     ))
   ];

hosts/by-name/servo/default.nix

@@ -1,29 +1,33 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [
     ./fs.nix
     ./net.nix
-    ./users.nix
+    ./secrets.nix
     ./services
   ];
 
-  sane.packages.extraUserPkgs = [
+  sane.programs = {
     # for administering services
-    pkgs.matrix-synapse
-    pkgs.freshrss
-  ];
+    freshrss.enableFor.user.colin = true;
+    matrix-synapse.enableFor.user.colin = true;
+    signaldctl.enableFor.user.colin = true;
+  };
+
   sane.persist.enable = true;
   sane.services.dyn-dns.enable = true;
+  sane.services.wg-home.enable = true;
+  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 
+  # automatically log in at the virtual consoles.
+  # using root here makes sure we always have an escape hatch
+  services.getty.autologinUser = "root";
+
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
-  sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../secrets/servo.yaml;
-  };
-
   # both transmission and ipfs try to set different net defaults.
   # we just use the most aggressive of the two here:
   boot.kernel.sysctl = {

hosts/by-name/servo/net.nix

@@ -52,18 +52,18 @@
 
   # services.resolved.extraConfig = ''
   #   # docs: `man resolved.conf`
-  #   # DNS servers to use via the `wg0` interface.
+  #   # DNS servers to use via the `wg-ovpns` interface.
   #   #   i hope that from the root ns, these aren't visible.
-  #   DNS=46.227.67.134%wg0 192.165.9.158%wg0
+  #   DNS=46.227.67.134%wg-ovpns 192.165.9.158%wg-ovpns
   #   FallbackDNS=1.1.1.1 9.9.9.9
   # '';
 
   # OVPN CONFIG (https://www.ovpn.com):
   # DOCS: https://nixos.wiki/wiki/WireGuard
-  # if you `systemctl restart wireguard-wg0`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
+  # if you `systemctl restart wireguard-wg-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
   # TODO: why not create the namespace as a seperate operation (nix config for that?)
   networking.wireguard.enable = true;
-  networking.wireguard.interfaces.wg0 = let
+  networking.wireguard.interfaces.wg-ovpns = let
     ip = "${pkgs.iproute2}/bin/ip";
     in-ns = "${ip} netns exec ovpns";
     iptables = "${pkgs.iptables}/bin/iptables";
@@ -159,13 +159,10 @@
   # create a new routing table that we can use to proxy traffic out of the root namespace
   # through the ovpns namespace, and to the WAN via VPN.
   networking.iproute2.rttablesExtraConfig = ''
-  5 ovpns
+    5 ovpns
   '';
   networking.iproute2.enable = true;
 
-  sops.secrets."wg_ovpns_privkey" = {
-    sopsFile = ../../secrets/servo.yaml;
-  };
 
   # HURRICANE ELECTRIC CONFIG:
   # networking.sits = {

hosts/by-name/servo/secrets.nix

@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  sops.secrets."ddns_afraid" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+  sops.secrets."ddns_he" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."dovecot_passwd" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."duplicity_passphrase" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."freshrss_passwd" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."matrix_synapse_secrets" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+  sops.secrets."mautrix_signal_env" = {
+    sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
+  };
+
+  sops.secrets."mediawiki_pw" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."pleroma_secrets" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."wg_ovpns_privkey" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+}

hosts/by-name/servo/services/ddns-afraid.nix

@@ -24,8 +24,4 @@ lib.mkIf false
       OnUnitActiveSec = "10min";
     };
   };
-
-  sops.secrets."ddns_afraid" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
 }

hosts/by-name/servo/services/ddns-he.nix

@@ -27,8 +27,4 @@ lib.mkIf false
       OnUnitActiveSec = "10min";
     };
   };
-
-  sops.secrets."ddns_he" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
 }

hosts/by-name/servo/services/ejabberd.nix

@@ -46,6 +46,8 @@
   }];
 
   # provide access to certs
+  # TODO: this should just be `acme`. then we also add nginx to the `acme` group.
+  #   why is /var/lib/acme/* owned by `nginx` group??
   users.users.ejabberd.extraGroups = [ "nginx" ];
 
   security.acme.certs."uninsane.org".extraDomainNames = [

hosts/by-name/servo/services/freshrss.nix

@@ -11,8 +11,7 @@
 
 { config, lib, pkgs, sane-lib, ... }:
 {
-  sops.secrets.freshrss_passwd = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."freshrss_passwd" = {
     owner = config.users.users.freshrss.name;
     mode = "0400";
   };
@@ -42,7 +41,10 @@
     description = "import sane RSS feed list";
     after = [ "freshrss-config.service" ];
     script = ''
-      ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
+      # easiest way to preserve feeds: delete the user, recreate it, import feeds
+      ${pkgs.freshrss}/cli/delete-user.php --user colin || true
+      ${pkgs.freshrss}/cli/create-user.php --user colin --password "$(cat ${config.services.freshrss.passwordFile})" || true
+      ${pkgs.freshrss}/cli/import-for-user.php --user colin --filename ${opml}
     '';
   };
 

hosts/by-name/servo/services/gitea.nix

@@ -15,6 +15,17 @@
   services.gitea.settings.session.COOKIE_SECURE = true;
   # services.gitea.disableRegistration = true;
 
+  # gitea doesn't create the git user
+  users.users.git = {
+    description = "Gitea Service";
+    home = "/var/lib/gitea";
+    useDefaultShell = true;
+    group = "gitea";
+    isSystemUser = true;
+    # sendmail access (not 100% sure if this is necessary)
+    extraGroups = [ "postdrop" ];
+  };
+
   services.gitea.settings = {
     server = {
       # options: "home", "explore", "organizations", "login" or URL fragment (or full URL)

hosts/by-name/servo/services/jackett.nix

@@ -7,8 +7,8 @@
   ];
   services.jackett.enable = true;
 
-  systemd.services.jackett.after = [ "wireguard-wg0.service" ];
-  systemd.services.jackett.partOf = [ "wireguard-wg0.service" ];
+  systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.jackett.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

hosts/by-name/servo/services/matrix/default.nix

@@ -6,12 +6,18 @@
   imports = [
     ./discord-puppet.nix
     # ./irc.nix
+    ./signal.nix
   ];
 
+  # allow synapse to read the registration files of its appservices
+  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
+
   sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
   ];
   services.matrix-synapse.enable = true;
+  # this changes the default log level from INFO to WARN.
+  # maybe there's an easier way?
   services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
   services.matrix-synapse.settings.server_name = "uninsane.org";
 
@@ -127,8 +133,7 @@
   };
 
 
-  sops.secrets.matrix_synapse_secrets = {
-    sopsFile = ../../../../secrets/servo.yaml;
+  sops.secrets."matrix_synapse_secrets" = {
     owner = config.users.users.matrix-synapse.name;
   };
 }

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -43,6 +43,7 @@
     };
   };
 
+  # TODO: should use a dedicated user
   systemd.services.mx-puppet-discord.serviceConfig = {
     # fix up to not use /var/lib/private, but just /var/lib
     DynamicUser = lib.mkForce false;

hosts/by-name/servo/services/matrix/signal.nix

@@ -0,0 +1,35 @@
+# config options:
+# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
+{ config, pkgs, ... }:
+{
+  sane.persist.sys.plaintext = [
+    { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
+    { user = "signald"; group = "signald"; directory = "/var/lib/signald"; }
+  ];
+
+  services.signald.enable = true;
+  services.mautrix-signal.enable = true;
+  services.mautrix-signal.environmentFile =
+    config.sops.secrets.mautrix_signal_env.path;
+
+  services.mautrix-signal.settings.signal.socket_path = "/run/signald/signald.sock";
+  services.mautrix-signal.settings.homeserver.domain = "uninsane.org";
+  services.mautrix-signal.settings.bridge.permissions."@colin:uninsane.org" = "admin";
+  services.matrix-synapse.settings.app_service_config_files = [
+    # auto-created by mautrix-signal service
+    "/var/lib/mautrix-signal/signal-registration.yaml"
+  ];
+
+  systemd.services.mautrix-signal.serviceConfig = {
+    # allow communication to signald
+    SupplementaryGroups = [ "signald" ];
+    ReadWritePaths = [ "/run/signald" ];
+  };
+
+  sops.secrets."mautrix_signal_env" = {
+    format = "binary";
+    mode = "0440";
+    owner = config.users.users.mautrix-signal.name;
+    group = config.users.users.matrix-synapse.name;
+  };
+}

hosts/by-name/servo/services/navidrome.nix

@@ -1,11 +1,8 @@
-{ ... }:
+{ lib, ... }:
 
 {
   sane.persist.sys.plaintext = [
-    # TODO: we don't have a static user allocated for navidrome!
-    # the chown would happen too early for us to set static perms
-    "/var/lib/private/navidrome"
-    # { user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
+    { user = "navidrome"; group = "navidrome"; directory = "/var/lib/navidrome"; }
   ];
   services.navidrome.enable = true;
   services.navidrome.settings = {
@@ -18,6 +15,20 @@
     ScanSchedule = "@every 1h";
   };
 
+  systemd.services.navidrome.serviceConfig = {
+    # fix to use a normal user so we can configure perms correctly
+    DynamicUser = lib.mkForce false;
+    User = "navidrome";
+    Group = "navidrome";
+  };
+
+  users.groups.navidrome = {};
+
+  users.users.navidrome = {
+    group = "navidrome";
+    isSystemUser = true;
+  };
+
   services.nginx.virtualHosts."music.uninsane.org" = {
     forceSSL = true;
     enableACME = true;

hosts/by-name/servo/services/nixserve.nix

@@ -17,5 +17,5 @@
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
 
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
+  sane.services.nixserve.sopsFile = ../../../../secrets/servo.yaml;
 }

hosts/by-name/servo/services/pleroma.nix

@@ -111,7 +111,7 @@
     ''
   ];
 
-  systemd.services.pleroma.path = [ 
+  systemd.services.pleroma.path = [
     # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
     pkgs.bash
     # used by Pleroma to strip geo tags from uploads
@@ -135,6 +135,11 @@
   #   CapabilityBoundingSet = lib.mkForce "~";
   # };
 
+  # this is required to allow pleroma to send email.
+  # raw `sendmail` works, but i think pleroma's passing it some funny flags or something, idk.
+  # hack to fix that.
+  users.users.pleroma.extraGroups = [ "postdrop" ];
+
   # Pleroma server and web interface
   # TODO: enable publog?
   services.nginx.virtualHosts."fed.uninsane.org" = {
@@ -179,8 +184,7 @@
 
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
 
-  sops.secrets.pleroma_secrets = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."pleroma_secrets" = {
     owner = config.users.users.pleroma.name;
   };
 }

hosts/by-name/servo/services/postfix.nix

@@ -1,3 +1,6 @@
+# DOCS:
+# - dovecot config: <https://doc.dovecot.org/configuration_manual/>
+
 { config, lib, ... }:
 
 let
@@ -110,8 +113,8 @@ in
   services.postfix.enableSubmissions = true;
   services.postfix.submissionsOptions = submissionOptions;
 
-  systemd.services.postfix.after = [ "wireguard-wg0.service" ];
-  systemd.services.postfix.partOf = [ "wireguard-wg0.service" ];
+  systemd.services.postfix.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.postfix.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.postfix.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
@@ -132,8 +135,8 @@ in
   # keeping this the same as the hostname seems simplest
   services.opendkim.selector = "mx";
 
-  systemd.services.opendkim.after = [ "wireguard-wg0.service" ];
-  systemd.services.opendkim.partOf = [ "wireguard-wg0.service" ];
+  systemd.services.opendkim.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.opendkim.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.opendkim.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
@@ -143,6 +146,25 @@ in
 
   # inspired by https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/
   services.dovecot2.enable = true;
+  services.dovecot2.mailboxes = {
+    # special-purpose mailboxes: "All" "Archive" "Drafts" "Flagged" "Junk" "Sent" "Trash"
+    # RFC6154 describes these special mailboxes: https://www.ietf.org/rfc/rfc6154.html
+    # how these boxes are treated is 100% up to the client and server to decide.
+    # client behavior:
+    # iOS
+    #   - Drafts: ?
+    #   - Sent: works
+    #   - Trash: works
+    # aerc
+    #   - Drafts: works
+    #   - Sent: works
+    #   - Trash: no; deleted messages are actually deleted
+    #       use `:move trash` instead
+    # Sent mailbox: all sent messages are copied to it. unclear if this happens server-side or client-side.
+    Drafts = { specialUse = "Drafts"; auto = "create"; };
+    Sent = { specialUse = "Sent"; auto = "create"; };
+    Trash = { specialUse = "Trash"; auto = "create"; };
+  };
   services.dovecot2.sslServerCert = "/var/lib/acme/imap.uninsane.org/fullchain.pem";
   services.dovecot2.sslServerKey = "/var/lib/acme/imap.uninsane.org/key.pem";
   services.dovecot2.enablePAM = false;
@@ -197,8 +219,7 @@ in
     # }
   ];
 
-  sops.secrets.dovecot_passwd = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."dovecot_passwd" = {
     owner = config.users.users.dovecot2.name;
     # TODO: debug why mail can't be sent without this being world-readable
     mode = "0444";

hosts/by-name/servo/services/transmission.nix

@@ -40,8 +40,8 @@
   # transmission will by default not allow the world to read its files.
   services.transmission.downloadDirPermissions = "775";
 
-  systemd.services.transmission.after = [ "wireguard-wg0.service" ];
-  systemd.services.transmission.partOf = [ "wireguard-wg0.service" ];
+  systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.transmission.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

hosts/by-name/servo/services/trust-dns.nix

@@ -9,6 +9,7 @@
     "192.168.0.5"
     "10.0.1.5"
   ];
+  sane.services.trust-dns.quiet = true;
 
   sane.services.trust-dns.zones."uninsane.org".TTL = 900;
 

hosts/by-name/servo/services/wikipedia.nix

@@ -8,7 +8,6 @@ lib.mkIf false
 {
   sops.secrets."mediawiki_pw" = {
     owner = config.users.users.mediawiki.name;
-    sopsFile = ../../../secrets/servo.yaml;
   };
 
   services.mediawiki.enable = true;

hosts/common/bluetooth.nix

@@ -1,16 +0,0 @@
-{ lib, pkgs, ... }:
-
-{
-  # persist external pairings by default
-  sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
-
-  sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
-  sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
-    wantedBeforeBy = [ "bluetooth.service" ];
-    # XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
-    generated.script.script = builtins.readFile ../../scripts/install-bluetooth + ''
-      touch "/var/lib/bluetooth/.secrets.stamp"
-    '';
-    generated.script.scriptArgs = [ "/run/secrets/bt" ];
-  };
-}

hosts/common/cross.nix

@@ -1,15 +1,163 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
 
-{
-  # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
-  # here we just define them all.
-  nixpkgs.overlays = [
-    (next: prev: {
-      # non-emulated packages build *from* local *for* target.
-      # for large packages like the linux kernel which are expensive to build under emulation,
-      # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
-      crossFrom."x86_64-linux" = (prev.forceSystem "x86_64-linux" null).appendOverlays next.overlays;
-      crossFrom."aarch64-linux" = (prev.forceSystem "aarch64-linux" null).appendOverlays next.overlays;
-    })
+let
+  # these are the overlays which we *also* pass through to the cross and emulated package sets.
+  # TODO: refactor to not specify same overlay in multiple places (here and flake.nix).
+  overlays = [
+    (import ./../../overlays/pkgs.nix)
+    (import ./../../overlays/pins.nix)
   ];
+  mkCrossFrom = localSystem: pkgs:
+    import pkgs.path {
+      inherit localSystem;  # localSystem is equivalent to buildPlatform
+      crossSystem = pkgs.stdenv.hostPlatform.system;
+      inherit (config.nixpkgs) config;
+      inherit overlays;
+    };
+  mkEmulated = pkgs:
+    import pkgs.path {
+      localSystem = pkgs.stdenv.hostPlatform.system;
+      inherit (config.nixpkgs) config;
+      inherit overlays;
+    };
+in
+{
+  # options = {
+  #   perlPackageOverrides = lib.mkOption {
+  #   };
+  # };
+
+  config = {
+    # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
+    # here we just define them all.
+    nixpkgs.overlays = [
+      (next: prev: rec {
+        # non-emulated packages build *from* local *for* target.
+        # for large packages like the linux kernel which are expensive to build under emulation,
+        # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
+        crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" prev;
+        crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" prev;
+
+        emulated = mkEmulated prev;
+      })
+      (next: prev:
+        let
+          emulated = prev.emulated;
+        in {
+          # packages which don't cross compile
+          inherit (emulated)
+            # adwaita-qt  # psqlodbc
+            apacheHttpd  # TODO: not properly patched  (we only need mod_dnssd?)
+            appstream
+            blueman
+            brltty
+            cantarell-fonts  # python3.10-skia-pathops
+            cdrtools
+            colord
+            duplicity  # python3.10-s3transfer
+            evince
+            flakpak
+            fuzzel
+            fwupd-efi
+            fwupd
+            gcr
+            gmime
+            # gnome-keyring
+            # gnome-remote-desktop
+            gnome-tour
+            # gnustep-base  # (used by unar)
+            gocryptfs  # gocryptfs-2.3-go-modules
+            # grpc
+            gst_all_1  # gst_all_1.gst-editing-services
+            gupnp
+            gupnp_1_6
+            # gvfs
+            flatpak
+            hdf5
+            http2
+            ibus
+            kitty
+            iio-sensor-proxy
+            libHX
+            libgweather
+            librest
+            librest_1_0
+            libsForQt5  # qtbase
+            libuv
+            mod_dnssd
+            ncftp
+            obex_data_server
+            openfortivpn
+            ostree
+            pam_mount
+            perl  # perl5.36.0-Test-utf8
+            pipewire
+            psqlodbc
+            pulseaudio  # python3.10-defcon
+            # qgnomeplatform
+            # qtbase
+            qt6  # psqlodbc
+            rmlint
+            sequoia
+            # splatmoji
+            squeekboard
+            sysprof
+            tracker-miners  # it just can't run tests
+            twitter-color-emoji  # python3.10-defcon
+            unar  # python3.10-psycopg2
+            visidata  # python3.10-psycopg2
+            vpnc
+            webp-pixbuf-loader
+            xdg-utils  # perl5.36.0-File-BaseDir
+          ;
+          # pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+          #   (py-next: py-prev: {
+          #     defcon = py-prev.defcon.override { inherit (prev.emulated) stdenv; };
+          #     # psycopg2 = py-prev.psycopg2.override { inherit prev.emulated.stdenv; };
+          #   })
+          # ];
+
+          gnome = prev.gnome.overrideScope' (self: super: {
+            inherit (emulated.gnome)
+              gnome-color-manager
+              gnome-keyring
+              gnome-remote-desktop  # TODO: figure out what's asking for this and remove it
+              gnome-user-share
+              mutter
+            ;
+          });
+
+          # gst_all_1.gst-editing-services = emulated.gst_all_1.gst-editing-services;
+
+          # gst_all_1 = prev.gst_all_1.overrideScope' (self: super: {
+          #   inherit (emulated.gst_all_1)
+          #     gst-editing-services
+          #   ;
+          # });
+
+          # libsForQt5 = prev.libsForQt5.overrideScope' (self: super: {
+          #   inherit (emulated.libsForQt5)
+          #     qtbase
+          #   ;
+          # });
+
+          # apacheHttpdPackagesFor = apacheHttpd: self:
+          #   let
+          #     prevHttpdPkgs = lib.fix (emulated.apacheHttpdPackagesFor apacheHttpd);
+          #   in
+          #     (prev.apacheHttpdPackagesFor apacheHttpd self) // {
+          #       # inherit (prevHttpdPkgs) mod_dnssd;
+          #       mod_dnssd = prevHttpdPkgs.mod_dnssd.override {
+          #         inherit (self) apacheHttpd;
+          #       };
+          #     };
+      })
+    ];
+
+    # perlPackageOverrides = _perl: {
+    #   inherit (pkgs.emulated.perl.pkgs)
+    #     Testutf8
+    #   ;
+    # };
+  };
 }

hosts/common/default.nix

@@ -1,34 +1,29 @@
 { pkgs, ... }:
 {
   imports = [
-    ./bluetooth.nix
     ./cross.nix
     ./feeds.nix
     ./fs.nix
-    ./hardware
+    ./hardware.nix
+    ./home
     ./i2p.nix
     ./ids.nix
     ./machine-id.nix
     ./net.nix
+    ./persist.nix
+    ./programs.nix
     ./secrets.nix
     ./ssh.nix
     ./users.nix
     ./vpn.nix
   ];
 
-  sane.home-manager.enable = true;
   sane.nixcache.enable-trusted-keys = true;
-  sane.packages.enableConsolePkgs = true;
-  sane.packages.enableSystemPkgs = true;
+  sane.programs.sysadminUtils.enableFor.system = true;
+  sane.programs.consoleUtils.enableFor.user.colin = true;
 
-  sane.persist.sys.plaintext = [
-    "/var/log"
-    "/var/backup"  # for e.g. postgres dumps
-    # TODO: move elsewhere
-    "/var/lib/alsa"                # preserve output levels, default devices
-    "/var/lib/colord"              # preserve color calibrations (?)
-    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
-  ];
+  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
+  sane.fs."/var/lib/private".dir.acl.mode = "0700";
 
   nixpkgs.config.allowUnfree = true;
 
@@ -39,8 +34,12 @@
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
+  # allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages
+  nix.nixPath = [
+    "nixpkgs=${pkgs.path}"
+    "nixpkgs-overlays=${../..}/overlays"
+  ];
 
-  # TODO: move this into home-manager?
   fonts = {
     enableDefaultFonts = true;
     fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
@@ -68,8 +67,20 @@
     # NIXOS_OZONE_WL = "1";
     # LIBGL_ALWAYS_SOFTWARE = "1";
   };
-  # enable zsh completions
-  environment.pathsToLink = [ "/share/zsh" ];
+
+  # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
+  # find keys/values with `dconf dump /`
+  programs.dconf.enable = true;
+  programs.dconf.packages = [
+    (pkgs.writeTextFile {
+      name = "dconf-user-profile";
+      destination = "/etc/dconf/profile/user";
+      text = ''
+        user-db:user
+        system-db:site
+      '';
+    })
+  ];
 
   # link debug symbols into /run/current-system/sw/lib/debug
   # hopefully picked up by gdb automatically?

hosts/common/feeds.nix

@@ -13,6 +13,7 @@ let
   uncat = { cat = "uncat"; };
 
   text = { format = "text"; };
+  img = { format = "image"; };
 
   mkRss = format: url: { inherit url format; } // uncat // infrequent;
   # format-specific helpers
@@ -29,32 +30,35 @@ let
     in {
       url = raw.url;
       # not sure the exact mapping with velocity here: entries per day?
-      freq = lib.mkDefault (
-        if raw.velocity or 0 > 2 then
+      freq = lib.mkIf (raw.velocity or 0 != 0) (lib.mkDefault (
+        if raw.velocity > 2 then
           "hourly"
-        else if raw.velocity or 0 > 0.5 then
+        else if raw.velocity > 0.5 then
           "daily"
-        else if raw.velocity or 0 > 0.1 then
+        else if raw.velocity > 0.1 then
           "weekly"
         else
           "infrequent"
-      );
+      ));
     } // lib.optionalAttrs (raw.is_podcast or false) {
       format = "podcast";
+    } // lib.optionalAttrs (raw.title or "" != "") {
+      title = lib.mkDefault raw.title;
     };
 
   podcasts = [
     (fromDb "lexfridman.com/podcast" // rat)
-    # (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
     ## Astral Codex Ten
     (fromDb "sscpodcast.libsyn.com" // rat)
     ## Econ Talk
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
     ## Cory Doctorow -- both podcast & text entries
     (fromDb "craphound.com" // pol)
-    (mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
+    (fromDb "congressionaldish.libsyn.com" // pol)
     ## Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
+    ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
+    (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
     (fromDb "allinchamathjason.libsyn.com" // pol)
     (fromDb "acquired.libsyn.com" // tech)
@@ -83,93 +87,108 @@ let
     (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
     ## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     (fromDb "rss.art19.com/your-welcome" // pol)
+    (fromDb "seattlenice.buzzsprout.com" // pol)
+    ## Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
+    (fromDb "talesfromthebridge.buzzsprout.com" // tech)
   ];
 
   texts = [
     # AGGREGATORS (> 1 post/day)
+    (fromDb "lwn.net" // tech)
     (fromDb "lesswrong.com" // rat)
     (fromDb "econlib.org" // pol)
 
     # AGGREGATORS (< 1 post/day)
-    (mkText "https://palladiummag.com/feed" // uncat // weekly)
-    (mkText "https://profectusmag.com/feed" // uncat // weekly)
-    (mkText "https://semiaccurate.com/feed" // tech // weekly)
+    (fromDb "palladiummag.com" // uncat)
+    (fromDb "profectusmag.com" // uncat)
+    (fromDb "semiaccurate.com" // tech)
     (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
-    (mkText "https://spectrum.ieee.org/rss" // tech // weekly)
+    (fromDb "spectrum.ieee.org" // tech)
+    ## n.b.: quality RSS list here: <https://forum.merveilles.town/thread/57/share-your-rss-feeds%21-6/>
+    (mkText "https://forum.merveilles.town/rss.xml" // pol // infrequent)
 
     ## No Moods, Ads or Cutesy Fucking Icons
-    (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
+    (fromDb "rifters.com/crawl" // uncat)
 
     # DEVELOPERS
     (fromDb "uninsane.org" // tech)
     (fromDb "mg.lol" // tech)
+    (fromDb "drewdevault.com" // tech)
     ## Ken Shirriff
     (fromDb "righto.com" // tech)
+    ## shared blog by a few NixOS devs, notably onny
+    (fromDb "project-insanity.org" // tech)
     ## Vitalik Buterin
-    (mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
+    (fromDb "vitalik.ca" // tech)
     ## ian (Sanctuary)
-    (mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
+    (fromDb "sagacioussuricata.com" // tech)
     ## Bunnie Juang
-    (mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
-    (mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
-    (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
-    (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
-    (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
+    (fromDb "bunniestudios.com" // tech)
+    (fromDb "blog.danieljanus.pl" // tech)
+    (fromDb "ianthehenry.com" // tech)
+    (fromDb "bitbashing.io" // tech)
+    (fromDb "idiomdrottning.org" // uncat)
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
-    (mkText "https://www.jefftk.com/news.rss" // tech // daily)
-    (mkText "https://pomeroyb.com/feed.xml" // tech // infrequent)
+    (fromDb "jefftk.com" // tech)
+    (fromDb "pomeroyb.com" // tech)
 
     # (TECH; POL) COMMENTATORS
+    ## Matt Webb -- engineering-ish, but dreamy
+    (fromDb "interconnected.org/home/feed" // rat)
     (fromDb "edwardsnowden.substack.com" // pol // text)
+    ## Julia Evans
+    (mkText "https://jvns.ca/atom.xml" // tech // weekly)
     (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
     ## Ben Thompson
     (mkText "https://www.stratechery.com/rss" // pol // weekly)
     ## Balaji
-    (mkText "https://balajis.com/rss" // pol // weekly)
-    (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
-    (mkText "https://www.lynalden.com/feed" // pol // infrequent)
-    (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
+    (fromDb "balajis.com" // pol)
+    (fromDb "ben-evans.com/benedictevans" // pol)
+    (fromDb "lynalden.com" // pol)
+    (fromDb "austinvernon.site" // tech)
     (mkSubstack "oversharing" // pol // daily)
     (mkSubstack "doomberg" // tech // weekly)
     ## David Rosenthal
-    (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
+    (fromDb "blog.dshr.org" // pol)
     ## Matt Levine
     (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
-    (mkText "https://stpeter.im/atom.xml" // pol // weekly)
+    (fromDb "stpeter.im/atom.xml" // pol)
+    ## Peter Saint-Andre -- side project of stpeter.im
+    (fromDb "philosopher.coach" // rat)
 
     # RATIONALITY/PHILOSOPHY/ETC
     (mkSubstack "samkriss" // humor // infrequent)
-    (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
-    (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
-    (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
-    (mkText "https://www.richardcarrier.info/feed" // rat // weekly)
-    (mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
+    (fromDb "unintendedconsequenc.es" // rat)
+    (fromDb "applieddivinitystudies.com" // rat)
+    (fromDb "slimemoldtimemold.com" // rat)
+    (fromDb "richardcarrier.info" // rat)
+    (fromDb "gwern.net" // rat)
     ## Jason Crawford
-    (mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
+    (fromDb "rootsofprogress.org" // rat)
     ## Robin Hanson
-    (mkText "https://www.overcomingbias.com/feed" // rat // daily)
+    (fromDb "overcomingbias.com" // rat)
     ## Scott Alexander
     (mkSubstack "astralcodexten" // rat // daily)
     ## Paul Christiano
-    (mkText "https://sideways-view.com/feed" // rat // infrequent)
+    (fromDb "sideways-view.com" // rat)
     ## Sean Carroll
-    (mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
+    (fromDb "preposterousuniverse.com" // rat)
 
     ## mostly dating topics. not advice, or humor, but looking through a social lens
-    (mkText "https://putanumonit.com/feed" // rat // infrequent)
+    (fromDb "putanumonit.com" // rat)
 
     # CODE
     # (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
   ];
 
   images = [
-    (mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
-    (mkImg "https://xkcd.com/atom.xml" // humor // daily)
-    (mkImg "https://pbfcomics.com/feed" // humor // infrequent)
+    (fromDb "smbc-comics.com" // img // humor)
+    (fromDb "xkcd.com" // img // humor)
+    (fromDb "pbfcomics.com" // img // humor)
     # (mkImg "http://dilbert.com/feed" // humor // daily)
 
     # ART
-    (mkImg "https://miniature-calendar.com/feed" // art // daily)
+    (fromDb "miniature-calendar.com" // img // art // daily)
   ];
 in
 {

hosts/common/home/aerc.nix

@@ -0,0 +1,11 @@
+# Terminal UI mail client
+{ config, sane-lib, ... }:
+
+{
+  sops.secrets."aerc_accounts" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
+    format = "binary";
+  };
+  sane.user.fs.".config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
+}

hosts/common/home/default.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  imports = [
+    ./aerc.nix
+    ./firefox.nix
+    ./gfeeds.nix
+    ./git.nix
+    ./gpodder.nix
+    ./keyring.nix
+    ./kitty.nix
+    ./libreoffice.nix
+    ./mime.nix
+    ./mpv.nix
+    ./neovim.nix
+    ./newsflash.nix
+    ./splatmoji.nix
+    ./ssh.nix
+    ./sublime-music.nix
+    ./vlc.nix
+    ./xdg-dirs.nix
+    ./zsh
+  ];
+}

hosts/common/home/firefox.nix

@@ -32,6 +32,18 @@ let
   defaultSettings = firefoxSettings;
   # defaultSettings = librewolfSettings;
 
+  addon = name: extid: hash: pkgs.fetchFirefoxAddon {
+    inherit name hash;
+    url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
+    # extid can be found by unar'ing the above xpi, and copying browser_specific_settings.gecko.id field
+    fixedExtid = extid;
+  };
+  localAddon = pkg: pkgs.fetchFirefoxAddon {
+    inherit (pkg) name;
+    src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
+    fixedExtid = pkg.extid;
+  };
+
   package = pkgs.wrapFirefox cfg.browser.browser {
     # inherit the default librewolf.cfg
     # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
@@ -41,32 +53,7 @@ let
     extraNativeMessagingHosts = [ pkgs.browserpass ];
     # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
 
-    nixExtensions = let
-      addon = name: extid: hash: pkgs.fetchFirefoxAddon {
-        inherit name hash;
-        url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
-        # extid can be found by unar'ing the above xpi, and copying browser_specific_settings.gecko.id field
-        fixedExtid = extid;
-      };
-      localAddon = pkg: pkgs.fetchFirefoxAddon {
-        inherit (pkg) name;
-        src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
-        fixedExtid = pkg.extid;
-      };
-    in [
-      # get names from:
-      # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
-      # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
-      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=")
-      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=")
-      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-t6Q335Nq60mDILPmzem+DT5KflleAPVJL3bsaA+UL0g=")
-      (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
-      (addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")
-      (addon "ublacklist" "@ublacklist" "sha256-vHe/7EYOzcKeAbTElmt0Rb4E2rX0f3JgXThJaUmaz+M=")
-      (addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=")
-      # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
-      (localAddon pkgs.browserpass-extension)
-    ];
+    nixExtensions = concatMap (ext: optional ext.enable ext.package) (attrValues cfg.addons);
 
     extraPolicies = {
       NoDefaultBookmarks = true;
@@ -102,6 +89,17 @@ let
       # NewTabPage = true;
     };
   };
+
+  addonOpts = types.submodule {
+    options = {
+      package = mkOption {
+        type = types.package;
+      };
+      enable = mkOption {
+        type = types.bool;
+      };
+    };
+  };
 in
 {
   options = {
@@ -119,9 +117,40 @@ in
       type = types.nullOr types.str;
       default = "cryptClearOnBoot";
     };
+    sane.web-browser.addons = mkOption {
+      type = types.attrsOf addonOpts;
+      default = {
+        # get names from:
+        # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
+        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
+        # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
+        browserpass-extension.package = localAddon pkgs.browserpass-extension;
+        bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+325k=";
+        ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
+        i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
+        sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
+        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
+        ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
+        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=";
+
+        browserpass-extension.enable = lib.mkDefault true;
+        bypass-paywalls-clean.enable = lib.mkDefault true;
+        ether-metamask.enable = lib.mkDefault true;
+        i2p-in-private-browsing.enable = lib.mkDefault config.services.i2p.enable;
+        sidebery.enable = lib.mkDefault true;
+        sponsorblock.enable = lib.mkDefault true;
+        ublacklist.enable = lib.mkDefault true;
+        ublock-origin.enable = lib.mkDefault true;
+      };
+    };
   };
 
-  config = lib.mkIf config.sane.home-manager.enable {
+  config = {
+    sane.programs.web-browser = {
+      inherit package;
+      # TODO: define the persistence & fs config here
+    };
+    sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
 
     # uBlock filter list configuration.
     # specifically, enable the GDPR cookie prompt blocker.
@@ -131,7 +160,7 @@ in
     # the specific attribute path is found via scraping ublock code here:
     # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
     # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-    sane.fs."/home/colin/${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
       {
        "name": "uBlock0@raymondhill.net",
        "description": "ignored",
@@ -141,21 +170,33 @@ in
        }
       }
     '';
-    sane.fs."/home/colin/${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
       // if we can't query the revocation status of a SSL cert because the issuer is offline,
       // treat it as unrevoked.
       // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
       defaultPref("security.OCSP.require", false);
     '';
-
-    sane.packages.extraGuiPkgs = [ package ];
-    # flood the cache to disk to avoid it taking up too much tmp
-    sane.persist.home.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
+    # flush the cache to disk to avoid it taking up too much tmp
+    sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
       store = cfg.persistCache;
     };
 
-    sane.persist.home.byPath."${cfg.browser.dotDir}" = lib.mkIf (cfg.persistData != null) {
+    sane.user.persist.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
       store = cfg.persistData;
     };
+    sane.user.fs."${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
+    # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
+    # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
+    sane.user.fs."${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
+      [Profile0]
+      Name=default
+      IsRelative=1
+      Path=default
+      Default=1
+
+      [General]
+      StartWithLastProfile=1
+    '';
+
   };
 }

hosts/common/home/gfeeds.nix

@@ -6,7 +6,7 @@ let
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
     builtins.toJSON {
       # feed format is a map from URL to a dict,
       #   with dict["tags"] a list of string tags.

hosts/common/home/git.nix

@@ -0,0 +1,18 @@
+{ lib, pkgs, sane-lib, ... }:
+
+let
+  mkCfg = lib.generators.toINI { };
+in
+{
+  sane.user.fs.".config/git/config" = sane-lib.fs.wantedText (mkCfg {
+    user.name = "Colin";
+    user.email = "colin@uninsane.org";
+    alias.co = "checkout";
+    # difftastic docs:
+    # - <https://difftastic.wilfred.me.uk/git.html>
+    diff.tool = "difftastic";
+    difftool.prompt = false;
+    "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
+    # now run `git difftool` to use difftastic git
+  });
+}

hosts/common/home/gpodder.nix

@@ -6,7 +6,7 @@ let
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
     feeds.feedsToOpml wanted-feeds
   );
 }

hosts/common/home/keyring.nix

@@ -0,0 +1,11 @@
+{ config, sane-lib, ... }:
+
+{
+  sane.user.persist.private = [ ".local/share/keyrings" ];
+
+  sane.user.fs."private/.local/share/keyrings/default" = {
+    generated.script.script = builtins.readFile ../../../scripts/init-keyring;
+    # TODO: is this `wantedBy` needed? can we inherit it?
+    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
+  };
+}

hosts/common/home/kitty.nix

@@ -0,0 +1,68 @@
+{ pkgs, sane-lib, ... }:
+
+{
+  sane.user.fs.".config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
+    # docs: https://sw.kovidgoyal.net/kitty/conf/
+    # disable terminal bell (when e.g. you backspace too many times)
+    enable_audio_bell no
+
+    map ctrl+n new_os_window_with_cwd
+
+    include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
+  '';
+  # THEME CHOICES:
+  #   docs: https://github.com/kovidgoyal/kitty-themes
+  # theme = "1984 Light";  # dislike: awful, harsh blues/teals
+  # theme = "Adventure Time";  # dislike: harsh (dark)
+  # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
+  # theme = "Belafonte Day";  # dislike: too low contrast for text colors
+  # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
+  # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
+  # theme = "Desert";  # mediocre: colors are harsh
+  # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
+  # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
+  # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
+  # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
+  # theme = "kanagawabones";  # better: dark theme. colors are too background-y
+  # theme = "Kaolin Dark";  # dislike: too dark
+  # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
+  # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
+  # theme = "Material"; # decent: light theme, few colors.
+  # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
+  # theme = "Nord";  # mediocre: pale background, low contrast
+  # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
+  # theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
+  # theme = "Parasio Dark";  # dislike: too low contrast
+  # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
+  # theme = "Pnevma";  # dislike: too low contrast
+  # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
+  # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
+  # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
+  # theme = "Sea Shells";  # mediocre. not all color combos are readable
+  # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
+  # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
+  # theme = "Sourcerer";  # mediocre: ugly colors
+  # theme = "Space Gray";  # mediocre: too muted
+  # theme = "Space Gray Eighties";  # better: all readable, decent colors
+  # theme = "Spacemacs";  # mediocre: too muted
+  # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
+  # theme = "Srcery";  # better: highly readable. colors are ehhh
+  # theme = "Substrata";  # decent: nice colors, but a bit flat.
+  # theme = "Sundried";  # mediocre: the solar text makes me squint
+  # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
+  # theme = "Tango Light";  # dislike: teal is too grating
+  # theme = "Tokyo Night Day";  # medicore: too muted
+  # theme = "Tokyo Night";  # better: tasteful. a bit flat
+  # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
+  # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
+  # theme = "Urple";  # dislike: weird palette
+  # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
+  # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
+  # theme = "Xcodedark";  # dislike: bad palette
+  # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
+  # theme = "neobones_light"; # better light theme. the background is maybe too muted
+  # theme = "vimbones";
+  # theme = "zenbones_dark";  # mediocre: readable, but meh colors
+  # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
+  # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
+}

hosts/common/home/libreoffice.nix

@@ -0,0 +1,14 @@
+{ sane-lib, ... }:
+
+{
+  # libreoffice: disable first-run stuff
+  sane.user.fs.".config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
+    <?xml version="1.0" encoding="UTF-8"?>
+    <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
+      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
+    </oor:items>
+  '';
+  # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
+  # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+}

hosts/common/home/mime.nix

@@ -0,0 +1,42 @@
+{ config, sane-lib, ...}:
+
+let
+  www = config.sane.web-browser.browser.desktop;
+  pdf = "org.gnome.Evince.desktop";
+  md = "obsidian.desktop";
+  thumb = "org.gnome.gThumb.desktop";
+  video = "vlc.desktop";
+  # audio = "mpv.desktop";
+  audio = "vlc.desktop";
+in
+{
+
+  # the xdg mime type for a file can be found with:
+  # - `xdg-mime query filetype path/to/thing.ext`
+  # we can have single associations or a list of associations.
+  # there's also options to *remove* [non-default] associations from specific apps
+  xdg.mime.enable = true;
+  xdg.mime.defaultApplications = {
+    # AUDIO
+    "audio/flac" = audio;
+    "audio/mpeg" = audio;
+    "audio/x-vorbis+ogg" = audio;
+    # IMAGES
+    "image/heif" = thumb;  # apple codec
+    "image/png" = thumb;
+    "image/jpeg" = thumb;
+    # VIDEO
+    "video/mp4" = video;
+    "video/quicktime" = video;
+    "video/x-matroska" = video;
+    # HTML
+    "text/html" = www;
+    "x-scheme-handler/http" = www;
+    "x-scheme-handler/https" = www;
+    "x-scheme-handler/about" = www;
+    "x-scheme-handler/unknown" = www;
+    # RICH-TEXT DOCUMENTS
+    "application/pdf" = pdf;
+    "text/markdown" = md;
+  };
+}

hosts/common/home/mpv.nix

@@ -0,0 +1,10 @@
+{ sane-lib, ... }:
+
+{
+  # format is <key>=%<length>%<value>
+  sane.user.fs.".config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
+    save-position-on-quit=%3%yes
+    keep-open=%3%yes
+  '';
+}
+

hosts/common/home/neovim.nix

@@ -0,0 +1,129 @@
+{ lib, pkgs, ... }:
+
+let
+  inherit (builtins) map;
+  inherit (lib) concatMapStrings optionalString;
+  # this structure roughly mirrors home-manager's `programs.neovim.plugins` option
+  plugins = with pkgs.vimPlugins; [
+    # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
+    # docs: vim-surround: https://github.com/tpope/vim-surround
+    { plugin = vim-surround; }
+    # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
+    { plugin = fzf-vim; }
+    ({
+      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
+      plugin = tex-conceal-vim;
+      type = "viml";
+      config = ''
+        " present prettier fractions
+        let g:tex_conceal_frac=1
+      '';
+    })
+    ({
+      plugin = vim-SyntaxRange;
+      type = "viml";
+      config = ''
+        " enable markdown-style codeblock highlighting for tex code
+        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
+        " autocmd Syntax tex set conceallevel=2
+      '';
+    })
+    ({
+      # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
+      # docs: https://github.com/nvim-treesitter/nvim-treesitter
+      # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
+      # this is required for tree-sitter to even highlight
+      plugin = nvim-treesitter.withAllGrammars;
+      type = "lua";
+      config = ''
+        require'nvim-treesitter.configs'.setup {
+          highlight = {
+            enable = true,
+            -- disable treesitter on Rust so that we can use SyntaxRange
+            -- and leverage TeX rendering in rust projects
+            disable = { "rust", "tex", "latex" },
+            -- disable = { "tex", "latex" },
+            -- true to also use builtin vim syntax highlighting when treesitter fails
+            additional_vim_regex_highlighting = false
+          },
+          incremental_selection = {
+            enable = true,
+            keymaps = {
+              init_selection = "gnn",
+              node_incremental = "grn",
+              mcope_incremental = "grc",
+              node_decremental = "grm"
+            }
+          },
+          indent = {
+            enable = true,
+            disable = {}
+          }
+        }
+
+        vim.o.foldmethod = 'expr'
+        vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
+      '';
+    })
+  ];
+  plugin-packages = map (p: p.plugin) plugins;
+  plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
+  plugin-config-lua = concatMapStrings (p: optionalString (p.type or "" == "lua") p.config) plugins;
+in
+{
+  # private because there could be sensitive things in the swap
+  sane.user.persist.private = [ ".cache/vim-swap" ];
+
+  programs.neovim = {
+    # neovim: https://github.com/neovim/neovim
+    enable = true;
+    viAlias = true;
+    vimAlias = true;
+    configure = {
+      packages.myVimPackage = {
+        start = plugin-packages;
+      };
+      customRC = ''
+        " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
+        " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
+        set mouse=
+
+        " copy/paste to system clipboard
+        set clipboard=unnamedplus
+
+        " screw tabs; always expand them into spaces
+        set expandtab
+
+        " at least don't open files with sections folded by default
+        set nofoldenable
+
+        " allow text substitutions for certain glyphs.
+        " higher number = more aggressive substitution (0, 1, 2, 3)
+        " i only make use of this for tex, but it's unclear how to
+        " apply that *just* to tex and retain the SyntaxRange stuff.
+        set conceallevel=2
+
+        " horizontal rule under the active line
+        " set cursorline
+
+        " highlight trailing space & related syntax errors (doesn't seem to work??)
+        " let c_space_errors=1
+        " let python_space_errors=1
+
+        " enable highlighting of leading/trailing spaces,
+        " and especially tabs
+        " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
+        set list
+        set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
+
+        """"" PLUGIN CONFIG (tex)
+        ${plugin-config-tex}
+
+        """"" PLUGIN CONFIG (lua)
+        lua <<EOF
+        ${plugin-config-lua}
+        EOF
+      '';
+    };
+  };
+}

hosts/common/home/newsflash.nix

@@ -6,7 +6,7 @@ let
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
     feeds.feedsToOpml wanted-feeds
   );
 }

hosts/common/home/splatmoji.nix

@@ -4,9 +4,9 @@
 { pkgs, sane-lib, ... }:
 
 {
-  sane.persist.home.plaintext = [ ".local/state/splatmoji" ];
-  sane.fs."/home/colin/.config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
-    history_file=/home/colin/.local/state/splatmoji/history
+  sane.user.persist.plaintext = [ ".local/state/splatmoji" ];
+  sane.user.fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
+    history_file=~/.local/state/splatmoji/history
     history_length=5
     # TODO: wayland equiv
     paste_command=xdotool key ctrl+v

hosts/common/home/ssh.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ config, lib, sane-lib, ... }:
 
 with lib;
 let
@@ -9,11 +9,12 @@ let
     "\n"
     (map (k: k.asHostKey) host-keys)
   ;
-in lib.mkIf config.sane.home-manager.enable {
+in
+{
   # ssh key is stored in private storage
-  sane.persist.home.private = [ ".ssh/id_ed25519" ];
-  sane.fs."/home/colin/.ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
-  sane.fs."/home/colin/.ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
+  sane.user.persist.private = [ ".ssh/id_ed25519" ];
+  sane.user.fs.".ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+  sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
 
   users.users.colin.openssh.authorizedKeys.keys =
   let

hosts/common/home/sublime-music.nix

@@ -0,0 +1,11 @@
+{ config, sane-lib, ... }:
+
+{
+  # TODO: this should only be shipped on gui platforms
+  sops.secrets."sublime_music_config" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
+    format = "binary";
+  };
+  sane.user.fs.".config/sublime-music/config.json" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.sublime_music_config.path;
+}

hosts/common/home/vlc.nix

@@ -8,9 +8,8 @@ let
     builtins.map (feed: feed.url) wanted-feeds
   );
 in
-lib.mkIf config.sane.home-manager.enable
 {
-  sane.fs."/home/colin/.config/vlc/vlcrc" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/vlc/vlcrc" = sane-lib.fs.wantedText ''
     [podcast]
     podcast-urls=${podcast-urls}
     [core]

hosts/common/home/xdg-dirs.nix

@@ -0,0 +1,20 @@
+{ lib, sane-lib, ...}:
+
+{
+  # XDG defines things like ~/Desktop, ~/Downloads, etc.
+  # these clutter the home, so i mostly don't use them.
+  sane.user.fs.".config/user-dirs.dirs" = sane-lib.fs.wantedText ''
+    XDG_DESKTOP_DIR="$HOME/.xdg/Desktop"
+    XDG_DOCUMENTS_DIR="$HOME/dev"
+    XDG_DOWNLOAD_DIR="$HOME/tmp"
+    XDG_MUSIC_DIR="$HOME/Music"
+    XDG_PICTURES_DIR="$HOME/Pictures"
+    XDG_PUBLICSHARE_DIR="$HOME/.xdg/Public"
+    XDG_TEMPLATES_DIR="$HOME/.xdg/Templates"
+    XDG_VIDEOS_DIR="$HOME/Videos"
+  '';
+
+  # prevent `xdg-user-dirs-update` from overriding/updating our config
+  # see <https://manpages.ubuntu.com/manpages/bionic/man5/user-dirs.conf.5.html>
+  sane.user.fs.".config/user-dirs.conf" = sane-lib.fs.wantedText "enabled=False";
+}

hosts/common/home/zsh/default.nix

@@ -0,0 +1,143 @@
+{ pkgs, sane-lib, ... }:
+
+let
+  # powerlevel10k prompt config
+  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
+  p10k-overrides = ''
+    # powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
+    # this keeps open file handles for any git repo i touch for 60 minutes (by default).
+    # that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
+    # i can disable gitstatusd and get slower fallback git queries:
+    # - either universally
+    # - or selectively by path
+    # see: <https://github.com/romkatv/powerlevel10k/issues/246>
+    typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
+    # typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
+
+    # show user@host also when logged into the current machine.
+    # default behavior is to show it only over ssh.
+    typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
+  '';
+
+  prezto-init = ''
+    source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
+    source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
+  '';
+in
+{
+  sane.user.persist.plaintext = [
+    # we don't need to full zsh dir -- just the history file --
+    # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
+    # TODO: should be private?
+    ".local/share/zsh"
+    # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
+    ".cache/gitstatus"
+  ];
+
+  # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
+  sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
+
+  # enable zsh completions
+  environment.pathsToLink = [ "/share/zsh" ];
+
+  programs.zsh = {
+    enable = true;
+    histFile = "$HOME/.local/share/zsh/history";
+    shellAliases = {
+      ":q" = "exit";
+      # common typos
+      "cd.." = "cd ..";
+      "cd../" = "cd ../";
+    };
+    setOptions = [
+      # defaults:
+      "HIST_IGNORE_DUPS"
+      "SHARE_HISTORY"
+      "HIST_FCNTL_LOCK"
+      # disable `rm *` confirmations
+      "rmstarsilent"
+    ];
+
+    # .zshenv config:
+    shellInit = ''
+      ZDOTDIR=$HOME/.config/zsh
+    '';
+
+    # .zshrc config:
+    interactiveShellInit =
+      (builtins.readFile ./p10k.zsh)
+    + p10k-overrides
+    + prezto-init
+    + ''
+      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
+      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
+      autoload -Uz zmv
+
+      HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *)'
+
+      # extra aliases
+      # TODO: move to `shellAliases` config?
+      function nd() {
+        mkdir -p "$1";
+        pushd "$1";
+      }
+
+      # auto-cd into any of these dirs by typing them and pressing 'enter':
+      hash -d 3rd="/home/colin/dev/3rd"
+      hash -d dev="/home/colin/dev"
+      hash -d knowledge="/home/colin/knowledge"
+      hash -d nixos="/home/colin/nixos"
+      hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
+      hash -d ref="/home/colin/ref"
+      hash -d secrets="/home/colin/knowledge/secrets"
+      hash -d tmp="/home/colin/tmp"
+      hash -d uninsane="/home/colin/dev/uninsane"
+      hash -d Videos="/home/colin/Videos"
+    '';
+
+    syntaxHighlighting.enable = true;
+    vteIntegration = true;
+  };
+
+  # enable a command-not-found hook to show nix packages that might provide the binary typed.
+  programs.nix-index.enable = true;
+  programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+
+  # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+  # see: https://github.com/sorin-ionescu/prezto
+  # i believe this file is auto-sourced by the prezto init.zsh script.
+  sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
+    zstyle ':prezto:*:*' color 'yes'
+
+    # modules (they ship with prezto):
+    # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
+    # TERMINAL: auto-titles terminal (e.g. based on cwd)
+    # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
+    # HISTORY: `history-stat` alias, setopts for good history defaults
+    # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
+    # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
+    # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
+    #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
+    # COMPLETION: tab completion. requires `utility` module prior to loading
+    # TODO: enable AUTO_PARAM_SLASH
+    zstyle ':prezto:load' pmodule \
+      'environment' \
+      'terminal' \
+      'editor' \
+      'history' \
+      'directory' \
+      'spectrum' \
+      'utility' \
+      'completion' \
+      'prompt'
+
+    # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
+    zstyle ':prezto:module:editor' key-bindings 'emacs'
+
+    zstyle ':prezto:module:prompt' theme 'powerlevel10k'
+
+    # disable `mv` confirmation (and `rm`, too, unfortunately)
+    zstyle ':prezto:module:utility' safe-ops 'no'
+  '';
+}

hosts/common/i2p.nix

@@ -1,4 +1,4 @@
 { ... }:
 {
-  services.i2p.enable = true;
+  # services.i2p.enable = true;
 }

hosts/common/ids.nix

@@ -21,6 +21,12 @@
   sane.ids.freshrss.uid = 2401;
   sane.ids.freshrss.gid = 2401;
   sane.ids.mediawiki.uid = 2402;
+  sane.ids.signald.uid = 2403;
+  sane.ids.signald.gid = 2403;
+  sane.ids.mautrix-signal.uid = 2404;
+  sane.ids.mautrix-signal.gid = 2404;
+  sane.ids.navidrome.uid = 2405;
+  sane.ids.navidrome.gid = 2405;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net.nix

@@ -1,16 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  # if using router's DNS, these mappings will already exist.
-  # if using a different DNS provider (which servo does), then we need to explicity provide them.
-  # ugly hack. would be better to get servo to somehow use the router's DNS
-  networking.hosts = {
-    "192.168.0.5" = [ "servo" ];
-    "192.168.0.20" = [ "lappy" ];
-    "192.168.0.22" = [ "desko" ];
-    "192.168.0.48" = [ "moby" ];
-  };
-
   # the default backend is "wpa_supplicant".
   # wpa_supplicant reliably picks weak APs to connect to.
   # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
@@ -30,14 +20,4 @@
     General.RoamThreshold = "-52";  # default -70
     General.RoamThreshold5G = "-52";  # default -76
   };
-
-  sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
-    wantedBeforeBy = [ "iwd.service" ];
-    generated.acl.mode = "0600";
-    # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
-    generated.script.script = builtins.readFile ../../scripts/install-iwd + ''
-      touch "/var/lib/iwd/.secrets.psk.stamp"
-    '';
-    generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
-  };
 }

hosts/common/persist.nix

@@ -0,0 +1,18 @@
+{ ... }:
+
+{
+  sane.persist.stores.private.origin = "/home/colin/private";
+  # store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
+  sane.persist.stores.private.prefix = "/home/colin";
+
+  sane.persist.sys.plaintext = [
+    "/var/log"
+    "/var/backup"  # for e.g. postgres dumps
+    # TODO: move elsewhere
+    "/var/lib/alsa"                # preserve output levels, default devices
+    "/var/lib/colord"              # preserve color calibrations (?)
+    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
+    "/var/lib/systemd/backlight"   # backlight brightness
+    "/var/lib/systemd/coredump"
+  ];
+}

hosts/common/programs.nix

@@ -0,0 +1,332 @@
+{ lib, pkgs, ... }:
+
+let
+  inherit (builtins) attrNames concatLists;
+  inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge optional;
+
+  sysadminPkgs = {
+    inherit (pkgs // {
+      # XXX can't `inherit` a nested attr, so we move them to the toplevel
+      "cacert.unbundled" = pkgs.cacert.unbundled;
+    })
+      btrfs-progs
+      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      cryptsetup
+      dig
+      efibootmgr
+      fatresize
+      fd
+      file
+      gawk
+      git
+      gptfdisk
+      hdparm
+      htop
+      iftop
+      inetutils  # for telnet
+      iotop
+      iptables
+      jq
+      killall
+      lsof
+      nano
+      netcat
+      nethogs
+      nmap
+      openssl
+      parted
+      pciutils
+      powertop
+      pstree
+      ripgrep
+      screen
+      smartmontools
+      socat
+      strace
+      tcpdump
+      tree
+      usbutils
+      wget
+    ;
+  };
+
+  # TODO: split these into smaller groups.
+  # - iphone utils (libimobiledevice, ifuse) only wanted on desko, maybe lappy
+  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy
+  consolePkgs = {
+    inherit (pkgs)
+      # backblaze-b2  # TODO: put into the same package set as duplicity
+      cdrtools
+      dmidecode
+      # duplicity  # TODO: enable as part of some smaller package set
+      efivar
+      flashrom
+      fwupd
+      ghostscript  # TODO: imagemagick wrapper should add gs to PATH
+      gnupg
+      gocryptfs
+      gopass
+      gopass-jsonapi
+      ifuse
+      imagemagick
+      ipfs
+      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
+      libimobiledevice
+      libsecret  # for managing user keyrings
+      lm_sensors  # for sensors-detect
+      lshw
+      ffmpeg
+      memtester
+      networkmanager
+      nixpkgs-review
+      # nixos-generators
+      # nettools
+      nmon
+      oathToolkit  # for oathtool
+      # ponymix
+      pulsemixer
+      python3
+      rsync
+      # python3Packages.eyeD3  # music tagging
+      sane-scripts
+      sequoia
+      snapper
+      sops
+      sox
+      speedtest-cli
+      sqlite  # to debug sqlite3 databases
+      ssh-to-age
+      sudo
+      # tageditor  # music tagging
+      unar
+      visidata
+      w3m
+      wireguard-tools
+      # youtube-dl
+      yt-dlp
+    ;
+  };
+
+  guiPkgs = {
+    inherit (pkgs // (with pkgs; {
+      # XXX can't `inherit` a nested attr, so we move them to the toplevel
+      # TODO: could use some "flatten attrs" helper instead
+      "gnome.cheese" = gnome.cheese;
+      "gnome.dconf-editor" = gnome.dconf-editor;
+      "gnome.file-roller" = gnome.file-roller;
+      "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
+      "gnome.gnome-maps" = gnome.gnome-maps;
+      "gnome.nautilus" = gnome.nautilus;
+      "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
+      "gnome.gnome-terminal" = gnome.gnome-terminal;
+      "gnome.gnome-weather" = gnome.gnome-weather;
+      "libsForQt5.plasmatube" = libsForQt5.plasmatube;
+    }))
+      aerc  # email client
+      audacity
+      celluloid  # mpv frontend
+      chromium
+      clinfo
+      dino
+      electrum
+      element-desktop
+      emote
+      evince  # works on phosh
+
+      # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
+
+      foliate  # e-book reader
+      font-manager
+
+      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+      # then reboot (so that libsecret daemon re-loads the keyring...?)
+      # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
+      # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
+
+      gajim  # XMPP client
+      gimp  # broken on phosh
+      "gnome.cheese"
+      "gnome.dconf-editor"
+      gnome-feeds  # RSS reader (with claimed mobile support)
+      "gnome.file-roller"
+      "gnome.gnome-disk-utility"
+      "gnome.gnome-maps"  # works on phosh
+      "gnome.nautilus"
+      # gnome-podcasts
+      "gnome.gnome-system-monitor"
+      "gnome.gnome-terminal"  # works on phosh
+      "gnome.gnome-weather"
+      gpodder-configured
+      gthumb
+      inkscape
+      kdenlive
+      kid3  # audio tagging
+      krita
+      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
+      lollypop
+      mpv
+      networkmanagerapplet
+      newsflash
+      nheko
+      obsidian
+      pavucontrol
+      # picard  # music tagging
+      playerctl
+      "libsForQt5.plasmatube"  # Youtube player
+      soundconverter
+      # sublime music persists any downloaded albums here.
+      # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
+      # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
+      #   possible to pass config as a CLI arg (sublime-music -c config.json)
+      # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
+      sublime-music-mobile
+      tdesktop  # broken on phosh
+      tokodon
+      vlc
+      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
+      # whalebird
+      xdg-utils  # for xdg-open
+      xterm  # broken on phosh
+    ;
+  };
+  x86GuiPkgs = {
+    inherit (pkgs)
+      discord
+
+      # kaiteki  # Pleroma client
+      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+      # gpt2tc  # XXX: unreliable mirror
+
+      # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
+      handbrake
+
+      logseq
+      losslesscut-bin
+      makemkv
+      monero-gui
+      signal-desktop
+      spotify
+      tor-browser-bundle-bin
+      zecwallet-lite
+    ;
+  };
+
+  # define -- but don't enable -- the packages in some attrset.
+  # use `mkDefault` for the package here so we can customize some of them further down this file
+  declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
+    package = mkDefault p;
+  }) pkgsAsAttrs;
+in
+{
+  config = {
+    sane.programs = mkMerge [
+      (declarePkgs sysadminPkgs)
+      (declarePkgs consolePkgs)
+      (declarePkgs guiPkgs)
+      (declarePkgs x86GuiPkgs)
+      {
+        # link the various package sets into their own meta packages
+        sysadminUtils = {
+          package = null;
+          suggestedPrograms = attrNames sysadminPkgs;
+        };
+        consoleUtils = {
+          package = null;
+          suggestedPrograms = attrNames consolePkgs;
+        };
+        guiApps = {
+          package = null;
+          suggestedPrograms = (attrNames guiPkgs)
+            ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
+        };
+        x86GuiApps = {
+          package = null;
+          suggestedPrograms = attrNames x86GuiPkgs;
+        };
+      }
+      {
+        # nontrivial package definitions
+        imagemagick.package = pkgs.imagemagick.override {
+          ghostscriptSupport = true;
+        };
+
+        dino.private = [ ".local/share/dino" ];
+
+        # creds, but also 200 MB of node modules, etc
+        discord = {
+          package = pkgs.discord.override {
+            # XXX 2022-07-31: fix to allow links to open in default web-browser:
+            #   https://github.com/NixOS/nixpkgs/issues/78961
+            nss = pkgs.nss_latest;
+          };
+          private = [ ".config/discord" ];
+        };
+
+        # creds/session keys, etc
+        element-desktop.private = [ ".config/Element" ];
+
+        # `emote` will show a first-run dialog based on what's in this directory.
+        # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+        # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+        emote.dir = [ ".local/share/Emote" ];
+
+        # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
+        #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
+        gpodder-configured.dir = [ "gPodder" ];
+
+        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+        # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
+        monero-gui.dir = [ ".bitmonero" ];
+
+        mpv.dir = [ ".config/mpv/watch_later" ];
+
+        # not strictly necessary, but allows caching articles; offline use, etc.
+        newsflash.dir = [ ".local/share/news-flash" ];
+        nheko.private = [
+          ".config/nheko"  # config file (including client token)
+          ".cache/nheko"  # media cache
+          ".local/share/nheko"  # per-account state database
+        ];
+
+        # settings (electron app)
+        obsidian.dir = [ ".config/obsidian" ];
+
+        # creds, media
+        signal-desktop.private = [ ".config/Signal" ];
+
+
+        # creds, widevine .so download. TODO: could easily manage these statically.
+        spotify.dir = [ ".config/spotify" ];
+
+        # sublime music persists any downloaded albums here.
+        # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
+        # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
+        #   possible to pass config as a CLI arg (sublime-music -c config.json)
+        # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
+        sublime-music-mobile.dir = [ ".local/share/sublime-music" ];
+
+        tdesktop.private = [ ".local/share/TelegramDesktop" ];
+
+        tokodon.private = [ ".cache/KDE/tokodon" ];
+
+        # hardenedMalloc solves a crash at startup
+        # TODO 2023/02/02: is this safe to remove yet?
+        tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
+          useHardenedMalloc = false;
+        };
+
+        # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
+        vlc.dir = [ ".config/vlc" ];
+
+        whalebird.private = [ ".config/Whalebird" ];
+
+        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
+        zecwallet-lite.private = [ ".zcash" ];
+      }
+    ];
+
+    # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
+    environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
+  };
+}

hosts/common/ssh.nix

@@ -1,24 +1,33 @@
 { config, lib, sane-data, sane-lib, ... }:
 
+let
+  inherit (builtins) head map mapAttrs tail;
+  inherit (lib) concatStringsSep mkMerge reverseList;
+in
 {
   sane.ssh.pubkeys =
   let
     # path is a DNS-style path like [ "org" "uninsane" "root" ]
     keyNameForPath = path:
       let
-        rev = lib.reverseList path;
-        name = builtins.head rev;
-        host = lib.concatStringsSep "." (builtins.tail rev);
+        rev = reverseList path;
+        name = head rev;
+        host = concatStringsSep "." (tail rev);
       in
       "${name}@${host}";
 
     # [{ path :: [String], value :: String }] for the keys we want to install
     globalKeys = sane-lib.flattenAttrs sane-data.keys;
-    localKeys = sane-lib.flattenAttrs sane-data.keys.org.uninsane.local;
-  in lib.mkMerge (builtins.map
+    domainKeys = sane-lib.flattenAttrs (
+      mapAttrs (host: cfg: {
+        colin = cfg.ssh.user_pubkey;
+        root = cfg.ssh.host_pubkey;
+      }) config.sane.hosts.by-name
+    );
+  in mkMerge (map
     ({ path, value }: {
-      "${keyNameForPath path}" = value;
+      "${keyNameForPath path}" = lib.mkIf (value != null) value;
     })
-    (globalKeys ++ localKeys)
+    (globalKeys ++ domainKeys)
   );
 }

hosts/common/users.nix

@@ -3,12 +3,12 @@
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 with lib;
 let
-  cfg = config.sane.users;
+  cfg = config.sane.guest;
   fs = sane-lib.fs;
 in
 {
   options = {
-    sane.users.guest.enable = mkOption {
+    sane.guest.enable = mkOption {
       default = false;
       type = types.bool;
     };
@@ -66,6 +66,7 @@ in
 
     security.pam.mount.enable = true;
 
+    sane.users.colin.default = true;
     # ensure ~ perms are known to sane.fs module.
     # TODO: this is generic enough to be lifted up into sane.fs itself.
     sane.fs."/home/colin".dir.acl = {
@@ -74,7 +75,7 @@ in
       mode = config.users.users.colin.homeMode;
     };
 
-    sane.persist.home.plaintext = [
+    sane.user.persist.plaintext = [
       "archive"
       "dev"
       # TODO: records should be private
@@ -86,25 +87,28 @@ in
       "Pictures"
       "Videos"
 
-      ".cargo"
-      ".rustup"
+      ".cache/nix"
+      ".cache/nix-index"
+
+      # ".cargo"
+      # ".rustup"
     ];
 
     # convenience
-    sane.fs."/home/colin/knowledge" = fs.wantedSymlinkTo "/home/colin/private/knowledge";
-    sane.fs."/home/colin/nixos" = fs.wantedSymlinkTo "/home/colin/dev/nixos";
-    sane.fs."/home/colin/Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.fs."/home/colin/Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
-    sane.fs."/home/colin/Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
+    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
+    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
+    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
+    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
+    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
 
     # used by password managers, e.g. unix `pass`
-    sane.fs."/home/colin/.password-store" = fs.wantedSymlinkTo "/home/colin/knowledge/secrets/accounts";
+    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
 
-    sane.persist.sys.plaintext = mkIf cfg.guest.enable [
+    sane.persist.sys.plaintext = mkIf cfg.enable [
       # intentionally allow other users to write to the guest folder
       { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
     ];
-    users.users.guest = mkIf cfg.guest.enable {
+    users.users.guest = mkIf cfg.enable {
       isNormalUser = true;
       home = "/home/guest";
       subUidRanges = [
@@ -125,8 +129,8 @@ in
 
     services.openssh = {
       enable = true;
-      permitRootLogin = "no";
-      passwordAuthentication = false;
+      settings.PermitRootLogin = "no";
+      settings.PasswordAuthentication = false;
     };
   };
 }

hosts/instantiate.nix

@@ -1,12 +1,16 @@
 # trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
 
+# args from flake-level `import`
 { hostName, localSystem }:
-{ ... }:
+
+# module args
+{ config, ... }:
 
 {
   imports = [
-    ./${hostName}
+    ./by-name/${hostName}
     ./common
+    ./modules
   ];
 
   networking.hostName = hostName;
@@ -17,7 +21,7 @@
       # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
       # to explicitly opt into non-emulated cross compilation for any specific package.
       # this is most beneficial for large packages with few pre-requisites -- like Linux.
-      cross = next.crossFrom."${localSystem}";
+      cross = prev.crossFrom."${localSystem}";
     })
   ];
 }

hosts/modules/default.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  imports = [
+    ./derived-secrets.nix
+    ./gui
+    ./hardware
+    ./hostnames.nix
+    ./hosts.nix
+    ./nixcache.nix
+    ./roles
+    ./services
+    ./wg-home.nix
+  ];
+}

hosts/modules/derived-secrets.nix

@@ -0,0 +1,47 @@
+{ config, lib, ... }:
+
+let
+  inherit (builtins) toString;
+  inherit (lib) mapAttrs mkOption types;
+  cfg = config.sane.derived-secrets;
+  secret = types.submodule {
+    options = {
+      len = mkOption {
+        type = types.int;
+      };
+      encoding = mkOption {
+        type = types.enum [ "base64" ];
+      };
+    };
+  };
+in
+{
+  options = {
+    sane.derived-secrets = mkOption {
+      type = types.attrsOf secret;
+      default = {};
+      description = ''
+        fs path => secret options.
+        for each entry, we create an item at the given path whose value is deterministic,
+        but also pseudo-random and not predictable by anyone without root access to the machine.
+        as PRNG source we use the host ssh key, and derived secrets are salted based on the destination path.
+      '';
+    };
+  };
+
+  config = {
+    sane.fs = mapAttrs (path: c: {
+      generated.script.script = ''
+        echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
+          | sha512sum \
+          | cut -c 1-${toString (c.len * 2)} \
+          | tr a-z A-Z \
+          | basenc -d --base16 \
+          | basenc --${c.encoding} \
+          > "$1"
+      '';
+      generated.script.scriptArgs = [ path ];
+      generated.acl.mode = "0600";
+    }) cfg;
+  };
+}

hosts/modules/gui/default.nix

@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkDefault mkIf mkOption types;
+  cfg = config.sane.gui;
+in
+{
+  imports = [
+    ./gnome.nix
+    ./phosh.nix
+    ./plasma.nix
+    ./plasma-mobile.nix
+    ./sway.nix
+  ];
+}

hosts/modules/gui/gnome.nix

@@ -13,7 +13,7 @@ in
   };
 
   config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
 
     # start gnome/gdm on boot
     services.xserver.enable = true;
@@ -25,7 +25,7 @@ in
     networking.networkmanager.enable = true;
     networking.wireless.enable = lib.mkForce false;
   };
-  # home-mananger.users.colin extras
+  # user extras:
   # obtain these by running `dconf dump /` after manually customizing gnome
   # TODO: fix "is not of type `GVariant value'"
   # dconf.settings = lib.mkIf (gui == "gnome") {

hosts/modules/gui/phosh.nix

@@ -20,9 +20,34 @@ in
     };
   };
 
-  config = mkIf cfg.enable (mkMerge [
+  config = mkMerge [
     {
-      sane.gui.enable = true;
+      sane.programs.phoshApps = {
+        package = null;
+        suggestedPrograms = [
+          "guiApps"
+          # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
+          "gnome.gnome-bluetooth"
+          "phosh-mobile-settings"
+          "plasma5Packages.konsole"  # more reliable terminal
+        ];
+      };
+    }
+    {
+      sane.programs = {
+        inherit (pkgs // {
+          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
+          "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
+        })
+          phosh-mobile-settings
+          "plasma5Packages.konsole"
+          # "gnome.gnome-bluetooth"
+        ;
+      };
+    }
+
+    (mkIf cfg.enable {
+      sane.programs.phoshApps.enableFor.user.colin = true;
 
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
       services.xserver.desktopManager.phosh = {
@@ -38,6 +63,26 @@ in
         };
       };
 
+      # phosh enables `services.gnome.{core-os-services, core-shell}`
+      # and this in turn enables some default apps we don't really care about.
+      # see <nixos/modules/services/x11/desktop-managers/gnome.nix>
+      environment.gnome.excludePackages = with pkgs; [
+        # gnome.gnome-menus  # unused outside gnome classic, but probably harmless
+        gnome-tour
+      ];
+      services.dleyna-renderer.enable = false;
+      services.dleyna-server.enable = false;
+      services.gnome.gnome-browser-connector.enable = false;
+      services.gnome.gnome-initial-setup.enable = false;
+      services.gnome.gnome-online-accounts.enable = false;
+      services.gnome.gnome-remote-desktop.enable = false;
+      services.gnome.gnome-user-share.enable = false;
+      services.gnome.rygel.enable = false;
+
+      # gnome doesn't use mkDefault for these -- unclear why not
+      services.gnome.evolution-data-server.enable = mkForce false;
+      services.gnome.gnome-online-miners.enable = mkForce false;
+
       # XXX: phosh enables networkmanager by default; can probably disable these lines
       networking.useDHCP = false;
       networking.networkmanager.enable = true;
@@ -59,14 +104,26 @@ in
         NIXOS_OZONE_WL = "1";
       };
 
-      sane.packages.extraUserPkgs = with pkgs; [
-        phosh-mobile-settings
+      programs.dconf.packages = [
+        (pkgs.writeTextFile {
+          name = "dconf-phosh-settings";
+          destination = "/etc/dconf/db/site.d/00_phosh_settings";
+          text = ''
+            [org/gnome/desktop/interface]
+            show-battery-percentage=true
 
-        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
-        gnome.gnome-bluetooth
+            [org/gnome/settings-daemon/plugins/power]
+            sleep-inactive-ac-timeout=5400
+            sleep-inactive-battery-timeout=5400
+
+            [sm/puri/phosh]
+            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.kde.konsole.desktop']
+          '';
+        })
       ];
-    }
-    (mkIf cfg.useGreeter {
+    })
+
+    (mkIf (cfg.enable && cfg.useGreeter) {
       services.xserver.enable = true;
       # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
       # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
@@ -92,5 +149,5 @@ in
 
       systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
     })
-  ]);
+  ];
 }

hosts/modules/gui/plasma-mobile.nix

@@ -13,7 +13,8 @@ in
   };
 
   config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
+
     # start plasma-mobile on boot
     services.xserver.enable = true;
     services.xserver.desktopManager.plasma5.mobile.enable = true;

hosts/modules/gui/plasma.nix

@@ -13,7 +13,7 @@ in
   };
 
   config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
 
     # start plasma on boot
     services.xserver.enable = true;

hosts/modules/gui/snippets.txt

@@ -1,6 +1,7 @@
 https://search.nixos.org/options?channel=unstable&query=
 https://search.nixos.org/packages?channel=unstable&query=
 https://nixos.wiki/index.php?go=Go&search=
+https://nixos.org/manual/nix/stable/language/builtins.html
 https://github.com/nixos/nixpkgs/pulls?q=
 https://nur.nix-community.org/
 https://nix-community.github.io/home-manager/options.html

hosts/modules/gui/sway.nix

@@ -0,0 +1,662 @@
+{ config, lib, pkgs, sane-lib, ... }:
+ 
+# docs: https://nixos.wiki/wiki/Sway
+with lib;
+let
+  cfg = config.sane.gui.sway;
+  # docs: https://github.com/Alexays/Waybar/wiki/Configuration
+  # format specifiers: https://fmt.dev/latest/syntax.html#syntax
+  waybar-config = [
+    { # TOP BAR
+      layer = "top";
+      height = 40;
+      modules-left = ["sway/workspaces" "sway/mode"];
+      modules-center = ["sway/window"];
+      modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
+      "sway/window" = {
+        max-length = 50;
+      };
+      # include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
+      "custom/mediaplayer" = {
+        exec = pkgs.writeShellScript "waybar-mediaplayer" ''
+          player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
+          if [ "$player_status" = "Playing" ]; then
+            echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
+          elif [ "$player_status" = "Paused" ]; then
+            echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
+          fi
+        '';
+        interval = 2;
+        format = "{}  ";
+        # return-type = "json";
+        on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
+        on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
+        on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
+      };
+      network = {
+        # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
+        interval = 2;
+        max-length = 40;
+        # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
+        format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+        tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+
+        format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+        tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+
+        format-disconnected = "";
+      };
+      cpu = {
+        format = " {usage:2}%";
+        tooltip = false;
+      };
+      battery = {
+        states = {
+          good = 95;
+          warning = 30;
+          critical = 10;
+        };
+        format = "{icon} {capacity}%";
+        format-icons = [
+          ""
+          ""
+          ""
+          ""
+          ""
+        ];
+      };
+      clock = {
+        format-alt = "{:%a, %d. %b  %H:%M}";
+      };
+    }
+  ];
+  # waybar-config-text = lib.generators.toJSON {} waybar-config;
+  waybar-config-text = (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
+
+  # bare sway launcher
+  sway-launcher = pkgs.writeShellScriptBin "sway-launcher" ''
+    ${pkgs.sway}/bin/sway --debug > /tmp/sway.log 2>&1
+  '';
+  # start sway and have it construct the gtkgreeter
+  sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
+    ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /tmp/sway-as-greeter.log 2>&1
+  '';
+  # (config file for the above)
+  sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
+    exec "${gtkgreet-launcher}"
+  '';
+  # gtkgreet which launches a layered sway instance
+  gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
+    # NB: the "command" field here is run in the user's shell.
+    # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
+    ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sway-launcher
+  '';
+  greeter-session = {
+    # greeter session config
+    command = "${sway-as-greeter}/bin/sway-as-greeter";
+    # alternatives:
+    # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
+    # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
+    # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
+  };
+  greeterless-session = {
+    # no greeter
+    command = "${sway-launcher}/bin/sway-launcher";
+    user = "colin";
+  };
+in
+{
+  options = {
+    sane.gui.sway.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.gui.sway.useGreeter = mkOption {
+      description = ''
+        launch sway via a greeter (like greetd's gtkgreet).
+        sway is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
+  };
+  config = mkMerge [
+    {
+      sane.programs.swayApps = {
+        package = null;
+        suggestedPrograms = [
+          "guiApps"
+          "swaylock"
+          "swayidle"
+          "wl-clipboard"
+          "mako"  # notification daemon
+          # # "pavucontrol"
+          "gnome.gnome-bluetooth"
+          "gnome.gnome-control-center"
+        ];
+      };
+    }
+    {
+      sane.programs = {
+        inherit (pkgs // {
+          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
+          "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
+        })
+          swaylock
+          swayidle
+          wl-clipboard
+          mako
+          "gnome.gnome-bluetooth"
+          "gnome.gnome-control-center"
+        ;
+      };
+    }
+
+    (mkIf cfg.enable {
+      sane.programs.swayApps.enableFor.user.colin = true;
+
+      # swap in these lines to use SDDM instead of `services.greetd`.
+      # services.xserver.displayManager.sddm.enable = true;
+      # services.xserver.enable = true;
+      services.greetd = {
+        # greetd source/docs:
+        # - <https://git.sr.ht/~kennylevinsen/greetd>
+        enable = true;
+        settings = {
+          default_session = if cfg.useGreeter then greeter-session else greeterless-session;
+        };
+      };
+      # we need the greeter's command to be on our PATH
+      users.users.colin.packages = [ sway-launcher ];
+
+      # some programs (e.g. fractal) **require** a "Secret Service Provider"
+      services.gnome.gnome-keyring.enable = true;
+
+      # unlike other DEs, sway configures no audio stack
+      # administer with pw-cli, pw-mon, pw-top commands
+      services.pipewire = {
+        enable = true;
+        alsa.enable = true;
+        alsa.support32Bit = true;  # ??
+        pulse.enable = true;
+      };
+
+      networking.useDHCP = false;
+      networking.networkmanager.enable = true;
+      networking.wireless.enable = lib.mkForce false;
+
+      hardware.bluetooth.enable = true;
+      services.blueman.enable = true;
+      # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
+      services.gnome.gnome-settings-daemon.enable = true;
+      # start the components of gsd we need at login
+      systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
+      # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
+      # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
+      # it doesn't actually seem to need ANY of them in the first place T_T
+      systemd.user.targets."gnome-session-initialized".enable = false;
+      # bluez can't connect to audio devices unless pipewire is running.
+      # a system service can't depend on a user service, so just launch it at graphical-session
+      systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
+
+      programs.sway = {
+        enable = true;
+        wrapperFeatures.gtk = true;
+      };
+      sane.user.fs.".config/sway/config" =
+        let
+          fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
+          sed = "${pkgs.gnused}/bin/sed";
+          wtype = "${pkgs.wtype}/bin/wtype";
+          kitty = "${pkgs.kitty}/bin/kitty";
+          launcher-cmd = fuzzel;
+          terminal-cmd = kitty;
+          lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
+          vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
+          vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
+          mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
+          brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
+          brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
+          screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
+          # "bookmarking"/snippets inspired by Luke Smith:
+          # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
+          snip-file = ./snippets.txt;
+          # TODO: querying sops here breaks encapsulation
+          list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
+          strip-comments = "${sed} 's/ #.*$//'";
+          snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
+          # TODO: next splatmoji release should allow `-s none` to disable skin tones
+          emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
+        in sane-lib.fs.wantedText ''
+          ### default font
+          font pango:monospace 8
+
+          ### pixel boundary between windows
+          default_border pixel 3
+          default_floating_border pixel 2
+          hide_edge_borders smart
+
+          ### defaults
+          focus_wrapping no
+          focus_follows_mouse yes
+          focus_on_window_activation smart
+          mouse_warping output
+          workspace_layout default
+          workspace_auto_back_and_forth no
+
+          ### default colors (#border #background #text #indicator #childBorder)
+          client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
+          client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
+          client.unfocused #333333 #222222 #888888 #292d2e #222222
+          client.urgent #2f343a #900000 #ffffff #900000 #900000
+          client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
+          client.background #ffffff
+
+          ### key bindings
+          floating_modifier Mod1
+          ## media keys
+          bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
+          bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
+          bindsym Mod1+Page_Up exec ${vol-up-cmd}
+          bindsym Mod1+Page_Down exec ${vol-down-cmd}
+          bindsym XF86AudioMute exec ${mute-cmd}
+          bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
+          bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
+          ## special functions
+          bindsym Mod1+Print exec ${screenshot-cmd}
+          bindsym Mod1+l exec ${lock-cmd}
+          bindsym Mod1+s exec ${snip-cmd}
+          bindsym Mod1+slash exec ${emoji-cmd}
+          bindsym Mod1+d exec ${launcher-cmd}
+          bindsym Mod1+Return exec ${terminal-cmd}
+          bindsym Mod1+Shift+q kill
+          bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
+          bindsym Mod1+Shift+c reload
+          ## layout
+          bindsym Mod1+b splith
+          bindsym Mod1+v splitv
+          bindsym Mod1+f fullscreen toggle
+          bindsym Mod1+a focus parent
+          bindsym Mod1+w layout tabbed
+          bindsym Mod1+e layout toggle split
+          bindsym Mod1+Shift+space floating toggle
+          bindsym Mod1+space focus mode_toggle
+          bindsym Mod1+r mode resize
+          ## movement
+          bindsym Mod1+Up focus up
+          bindsym Mod1+Down focus down
+          bindsym Mod1+Left focus left
+          bindsym Mod1+Right focus right
+          bindsym Mod1+Shift+Up move up
+          bindsym Mod1+Shift+Down move down
+          bindsym Mod1+Shift+Left move left
+          bindsym Mod1+Shift+Right move right
+          ## workspaces
+          bindsym Mod1+1 workspace number 1
+          bindsym Mod1+2 workspace number 2
+          bindsym Mod1+3 workspace number 3
+          bindsym Mod1+4 workspace number 4
+          bindsym Mod1+5 workspace number 5
+          bindsym Mod1+6 workspace number 6
+          bindsym Mod1+7 workspace number 7
+          bindsym Mod1+8 workspace number 8
+          bindsym Mod1+9 workspace number 9
+          bindsym Mod1+Shift+1 move container to workspace number 1
+          bindsym Mod1+Shift+2 move container to workspace number 2
+          bindsym Mod1+Shift+3 move container to workspace number 3
+          bindsym Mod1+Shift+4 move container to workspace number 4
+          bindsym Mod1+Shift+5 move container to workspace number 5
+          bindsym Mod1+Shift+6 move container to workspace number 6
+          bindsym Mod1+Shift+7 move container to workspace number 7
+          bindsym Mod1+Shift+8 move container to workspace number 8
+          bindsym Mod1+Shift+9 move container to workspace number 9
+          ## "scratchpad" = ??
+          bindsym Mod1+Shift+minus move scratchpad
+          bindsym Mod1+minus scratchpad show
+
+          ### defaults
+          mode "resize" {
+            bindsym Down resize grow height 10 px
+            bindsym Escape mode default
+            bindsym Left resize shrink width 10 px
+            bindsym Return mode default
+            bindsym Right resize grow width 10 px
+            bindsym Up resize shrink height 10 px
+            bindsym h resize shrink width 10 px
+            bindsym j resize grow height 10 px
+            bindsym k resize shrink height 10 px
+            bindsym l resize grow width 10 px
+          }
+
+          ### lightly modified bars
+          bar {
+            # TODO: fonts was:
+            #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
+            font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
+            mode dock
+            hidden_state hide
+            position top
+            status_command ${pkgs.i3status}/bin/i3status
+            swaybar_command ${pkgs.waybar}/bin/waybar
+            workspace_buttons yes
+            strip_workspace_numbers no
+            tray_output primary
+            colors {
+              background #000000
+              statusline #ffffff
+              separator #666666
+              #  #border #background #text
+              focused_workspace #4c7899 #285577 #ffffff
+              active_workspace #333333 #5f676a #ffffff
+              inactive_workspace #333333 #222222 #888888
+              urgent_workspace #2f343a #900000 #ffffff
+              binding_mode #2f343a #900000 #ffffff
+          }
+          }
+
+          ### displays
+          ## DESKTOP
+          output "Samsung Electric Company S22C300 0x00007F35" {
+          pos 0,0
+          res 1920x1080
+          }
+          output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
+          pos 1920,0
+          res 3440x1440
+          }
+
+          ## LAPTOP
+          # sh/en TV
+          output "Pioneer Electronic Corporation VSX-524 0x00000101" {
+          pos 0,0
+          res 1920x1080
+          }
+          # internal display
+          output "Unknown 0x0637 0x00000000" {
+          pos 1920,0
+          res 1920x1080
+          }
+        '';
+
+      sane.user.fs.".config/waybar/config" = sane-lib.fs.wantedSymlinkTo waybar-config-text;
+
+      # style docs: https://github.com/Alexays/Waybar/wiki/Styling
+      sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText ''
+        * {
+          font-family: monospace;
+        }
+
+        /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
+        window#waybar {
+          background-color: rgba(43, 48, 59, 0.5);
+          border-bottom: 3px solid rgba(100, 114, 125, 0.5);
+          color: #ffffff;
+          transition-property: background-color;
+          transition-duration: .5s;
+        }
+
+        window#waybar.hidden {
+          opacity: 0.2;
+        }
+
+        /*
+        window#waybar.empty {
+          background-color: transparent;
+        }
+        window#waybar.solo {
+          background-color: #FFFFFF;
+        }
+        */
+
+        window#waybar.termite {
+          background-color: #3F3F3F;
+        }
+
+        window#waybar.chromium {
+          background-color: #000000;
+          border: none;
+        }
+
+        #workspaces button {
+          padding: 0 5px;
+          background-color: transparent;
+          color: #ffffff;
+          /* Use box-shadow instead of border so the text isn't offset */
+          box-shadow: inset 0 -3px transparent;
+          /* Avoid rounded borders under each workspace name */
+          border: none;
+          border-radius: 0;
+        }
+
+        /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
+        #workspaces button:hover {
+          background: rgba(0, 0, 0, 0.2);
+          box-shadow: inset 0 -3px #ffffff;
+        }
+
+        #workspaces button.focused {
+          background-color: #64727D;
+          box-shadow: inset 0 -3px #ffffff;
+        }
+
+        #workspaces button.urgent {
+          background-color: #eb4d4b;
+        }
+
+        #mode {
+          background-color: #64727D;
+          border-bottom: 3px solid #ffffff;
+        }
+
+        #clock,
+        #battery,
+        #cpu,
+        #memory,
+        #disk,
+        #temperature,
+        #backlight,
+        #network,
+        #pulseaudio,
+        #custom-media,
+        #tray,
+        #mode,
+        #idle_inhibitor,
+        #mpd {
+          padding: 0 10px;
+          color: #ffffff;
+        }
+
+        #window,
+        #workspaces {
+          margin: 0 4px;
+        }
+
+        /* If workspaces is the leftmost module, omit left margin */
+        .modules-left > widget:first-child > #workspaces {
+          margin-left: 0;
+        }
+
+        /* If workspaces is the rightmost module, omit right margin */
+        .modules-right > widget:last-child > #workspaces {
+          margin-right: 0;
+        }
+
+        #clock {
+          background-color: #64727D;
+        }
+
+        #battery {
+          background-color: #ffffff;
+          color: #000000;
+        }
+
+        #battery.charging, #battery.plugged {
+          color: #ffffff;
+          background-color: #26A65B;
+        }
+
+        @keyframes blink {
+          to {
+            background-color: #ffffff;
+            color: #000000;
+          }
+        }
+
+        #battery.critical:not(.charging) {
+          background-color: #f53c3c;
+          color: #ffffff;
+          animation-name: blink;
+          animation-duration: 0.5s;
+          animation-timing-function: linear;
+          animation-iteration-count: infinite;
+          animation-direction: alternate;
+        }
+
+        label:focus {
+          background-color: #000000;
+        }
+
+        #cpu {
+          background-color: #2ecc71;
+          color: #000000;
+        }
+
+        #memory {
+          background-color: #9b59b6;
+        }
+
+        #disk {
+          background-color: #964B00;
+        }
+
+        #backlight {
+          background-color: #90b1b1;
+        }
+
+        #network {
+          background-color: #2980b9;
+        }
+
+        #network.disconnected {
+          background-color: #f53c3c;
+        }
+
+        #pulseaudio {
+          background-color: #f1c40f;
+          color: #000000;
+        }
+
+        #pulseaudio.muted {
+          background-color: #90b1b1;
+          color: #2a5c45;
+        }
+
+        #custom-media {
+          background-color: #66cc99;
+          color: #2a5c45;
+          min-width: 100px;
+        }
+
+        #custom-media.custom-spotify {
+          background-color: #66cc99;
+        }
+
+        #custom-media.custom-vlc {
+          background-color: #ffa000;
+        }
+
+        #temperature {
+          background-color: #f0932b;
+        }
+
+        #temperature.critical {
+          background-color: #eb4d4b;
+        }
+
+        #tray {
+          background-color: #2980b9;
+        }
+
+        #tray > .passive {
+          -gtk-icon-effect: dim;
+        }
+
+        #tray > .needs-attention {
+          -gtk-icon-effect: highlight;
+          background-color: #eb4d4b;
+        }
+
+        #idle_inhibitor {
+          background-color: #2d3436;
+        }
+
+        #idle_inhibitor.activated {
+          background-color: #ecf0f1;
+          color: #2d3436;
+        }
+
+        #mpd {
+          background-color: #66cc99;
+          color: #2a5c45;
+        }
+
+        #mpd.disconnected {
+          background-color: #f53c3c;
+        }
+
+        #mpd.stopped {
+          background-color: #90b1b1;
+        }
+
+        #mpd.paused {
+          background-color: #51a37a;
+        }
+
+        #language {
+          background: #00b093;
+          color: #740864;
+          padding: 0 5px;
+          margin: 0 5px;
+          min-width: 16px;
+        }
+
+        #keyboard-state {
+          background: #97e1ad;
+          color: #000000;
+          padding: 0 0px;
+          margin: 0 5px;
+          min-width: 16px;
+        }
+
+        #keyboard-state > label {
+          padding: 0 5px;
+        }
+
+        #keyboard-state > label.locked {
+          background: rgba(0, 0, 0, 0.2);
+        }
+      '';
+      # style = ''
+      #   * {
+      #     border: none;
+      #     border-radius: 0;
+      #     font-family: Source Code Pro;
+      #   }
+      #   window#waybar {
+      #     background: #16191C;
+      #     color: #AAB2BF;
+      #   }
+      #   #workspaces button {
+      #     padding: 0 5px;
+      #   }
+      #   .custom-spotify {
+      #     padding: 0 10px;
+      #     margin: 0 4px;
+      #     background-color: #1DB954;
+      #     color: black;
+      #   }
+      # '';
+    })
+  ];
+}
+

hosts/modules/hardware/default.nix

@@ -2,7 +2,6 @@
 
 {
   imports = [
-    ./all.nix
     ./x86_64.nix
   ];
 }

hosts/modules/hardware/x86_64.nix

@@ -1,8 +1,7 @@
 { lib, pkgs, ... }:
 
-with lib;
 {
-  config = mkIf (pkgs.system == "x86_64-linux") {
+  config = lib.mkIf (pkgs.system == "x86_64-linux") {
     boot.initrd.availableKernelModules = [
       "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
       "usb_storage"   # rpi needed this to boot from usb storage, i think.

hosts/modules/hostnames.nix

@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+{
+  # give each host a shortname that all the other hosts know, to allow easy comms.
+  networking.hosts = lib.mkMerge [
+    (lib.mapAttrs' (host: cfg: {
+      # bare-name for LAN addresses
+      # if using router's DNS, these mappings will already exist.
+      # if using a different DNS provider (which servo does), then we need to explicity provide them.
+      # ugly hack. would be better to get servo to somehow use the router's DNS
+      name = cfg.lan-ip;
+      value = [ host ];
+    }) config.sane.hosts.by-name)
+    (lib.mapAttrs' (host: cfg: {
+      # -hn suffixed name for communication over my wg-home VPN.
+      # hn = "home network"
+      name = cfg.wg-home.ip;
+      value = [ "${host}-hn" ];
+    }) config.sane.hosts.by-name)
+  ];
+}

hosts/modules/hosts.nix

@@ -0,0 +1,100 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) attrValues filterAttrs mkMerge mkOption types;
+  cfg = config.sane.hosts;
+
+  host = types.submodule ({ config, ... }: {
+    options = {
+      ssh.user_pubkey = mkOption {
+        type = types.str;
+        description = ''
+          ssh pubkey that the primary user of this machine will use when connecting to other machines.
+          e.g. "ssh-ed25519 AAAA<base64>".
+        '';
+      };
+      ssh.host_pubkey = mkOption {
+        type = types.str;
+        description = ''
+          ssh pubkey which this host will present to connections initiated against it.
+          e.g. "ssh-ed25519 AAAA<base64>".
+        '';
+      };
+      wg-home.pubkey = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          wireguard public key for the wg-home VPN.
+          e.g. "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=".
+        '';
+      };
+      wg-home.ip = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          IP address to use on the wg-home VPN.
+          e.g. "10.0.10.5";
+        '';
+      };
+      wg-home.endpoint = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      lan-ip = mkOption {
+        type = types.str;
+        description = ''
+          ip address when on the lan.
+          e.g. "192.168.0.5";
+        '';
+      };
+    };
+  });
+in
+{
+  options = {
+    sane.hosts.by-name = mkOption {
+      type = types.attrsOf host;
+      default = {};
+      description = ''
+        map of hostname => attrset of information specific to that host,
+        like its ssh pubkey, etc.
+      '';
+    };
+  };
+
+  config = {
+    # TODO: this should be populated per-host
+    sane.hosts.by-name."desko" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+      wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
+      wg-home.ip = "10.0.10.22";
+      lan-ip = "192.168.0.22";
+    };
+
+    sane.hosts.by-name."lappy" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+      wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
+      wg-home.ip = "10.0.10.20";
+      lan-ip = "192.168.0.20";
+    };
+
+    sane.hosts.by-name."moby" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+      wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
+      wg-home.ip = "10.0.10.48";
+      lan-ip = "192.168.0.48";
+    };
+
+    sane.hosts.by-name."servo" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
+      wg-home.ip = "10.0.10.5";
+      wg-home.endpoint = "uninsane.org:51820";
+      lan-ip = "192.168.0.5";
+    };
+  };
+}

hosts/modules/roles/client/bluetooth-pairings.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf config.sane.roles.client {
+    # persist external pairings by default
+    sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
+
+    sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
+    sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
+      wantedBeforeBy = [ "bluetooth.service" ];
+      # XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
+      generated.script.script = builtins.readFile ../../../../scripts/install-bluetooth + ''
+        touch "/var/lib/bluetooth/.secrets.stamp"
+      '';
+      generated.script.scriptArgs = [ "/run/secrets/bt" ];
+    };
+  };
+}

hosts/modules/roles/client/default.nix

@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkIf mkOption types;
+in
+{
+  imports = [
+    ./bluetooth-pairings.nix
+    ./wifi-pairings.nix
+  ];
+
+  # option is consumed by the other imports in this dir
+  options.sane.roles.client = mkOption {
+    type = types.bool;
+    default = false;
+  };
+}

hosts/modules/roles/client/wifi-pairings.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf config.sane.roles.client {
+    sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
+      wantedBeforeBy = [ "iwd.service" ];
+      generated.acl.mode = "0600";
+      # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
+      generated.script.script = builtins.readFile ../../../../scripts/install-iwd + ''
+        touch "/var/lib/iwd/.secrets.psk.stamp"
+      '';
+      generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
+    };
+  };
+}

hosts/modules/roles/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./client
+  ];
+}

hosts/modules/services/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./duplicity.nix
+  ];
+}

hosts/modules/wg-home.nix

@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (builtins) filter map;
+  inherit (lib) concatMap mapAttrsToList mkIf mkMerge mkOption optionalAttrs types;
+  cfg = config.sane.services.wg-home;
+  server-cfg = config.sane.hosts.by-name."servo".wg-home;
+  mkPeer = { ips, pubkey, endpoint }: {
+    publicKey = pubkey;
+    allowedIPs = map (k: "${k}/32") ips;
+  } // (optionalAttrs (endpoint != null) {
+    inherit endpoint;
+    # send keepalives every 25 seconds to keep NAT routes live.
+    # only need to do this from client -> server though, i think.
+    persistentKeepalive = 25;
+    # allows wireguard to notice DNS/hostname changes, with this much effective TTL.
+    dynamicEndpointRefreshSeconds = 600;
+  });
+  # make separate peers to route each given host
+  mkClientPeers = hosts: map (p: mkPeer {
+    inherit (p) pubkey endpoint;
+    ips = [ p.ip ];
+  }) hosts;
+  # make a single peer which routes all the given hosts
+  mkServerPeer = hosts: mkPeer {
+    inherit (server-cfg) pubkey endpoint;
+    ips = map (h: h.ip) hosts;
+  };
+in
+{
+  options = {
+    sane.services.wg-home.enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    sane.services.wg-home.ip = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # generate a (deterministic) wireguard private key
+    sane.derived-secrets."/run/wg-home.priv" = {
+      len = 32;
+      encoding = "base64";
+    };
+
+    # wireguard VPN which allows everything on my domain to speak to each other even when
+    # not behind a shared LAN.
+    # this config defines both the endpoint (server) and client configs
+
+    # for convenience, have both the server and client use the same port for their wireguard connections.
+    networking.firewall.allowedUDPPorts = [ 51820 ];
+    networking.wireguard.interfaces.wg-home = {
+      listenPort = 51820;
+      privateKeyFile = "/run/wg-home.priv";
+      preSetup =
+        let
+          gen-key = config.sane.fs."/run/wg-home.priv".unit;
+        in
+          "${pkgs.systemd}/bin/systemctl start '${gen-key}'";
+
+      ips = [
+        "${cfg.ip}/24"
+      ];
+
+      peers =
+        let
+          all-peers = mapAttrsToList (_: hostcfg: hostcfg.wg-home) config.sane.hosts.by-name;
+          peer-list = filter (p: p.ip != null && p.ip != cfg.ip && p.pubkey != null) all-peers;
+        in
+          if cfg.ip == server-cfg.ip then
+            # if we're the server, then we maintain the entire client list
+            mkClientPeers peer-list
+          else
+            # but if we're a client, we maintain a single peer -- the server -- which does the actual routing
+            [ (mkServerPeer peer-list) ];
+    };
+  };
+}