import and update Tokodon package from <https://github.com/NixOS/nixpkgs/pull/170466 >

this hangs and then segfaults at start. i suppose i should `gdb` it.
vendor librewolf addons instead of fetching them on first run
2022-10-30 18:23:18 -07:00 · 2022-10-27 03:20:29 -07:00 · 2022-10-26 07:18:41 -07:00 · 2022-10-26 07:13:55 -07:00 · 2022-10-26 05:31:11 -07:00 · 2022-10-26 00:10:54 -07:00
112 changed files with 3318 additions and 1386 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -19,10 +19,11 @@ creation_rules:
      - *host_lappy
      - *host_servo
      - *host_moby
-  - path_regex: secrets/servo.yaml$
+  - path_regex: secrets/servo*
    key_groups:
    - age:
      - *user_desko_colin
      - *user_lappy_colin
      - *user_servo_colin
      - *host_servo
  - path_regex: secrets/desko.yaml$
@@ -31,3 +32,16 @@ creation_rules:
      - *user_desko_colin
      - *user_lappy_colin
      - *host_desko
  - path_regex: secrets/lappy.yaml$
    key_groups:
    - age:
      - *user_lappy_colin
      - *user_desko_colin
      - *host_lappy
  - path_regex: secrets/moby.yaml$
    key_groups:
    - age:
      - *user_desko_colin
      - *user_lappy_colin
      - *user_moby_colin
      - *host_moby
--- a/TODO.md
+++ b/TODO.md
@@ -1,16 +0,0 @@
 # features/tweaks
 - emoji picker application
 - find a Masto/Pleroma app which works on mobile
 - remove hardcoded uid/gids outside of allocations.nix (used in impermanence code -- replace with username/groupname)
 # speed up cross compiling
 - <https://nixos.wiki/wiki/Cross_Compiling>
 - <https://nixos.wiki/wiki/NixOS_on_ARM>
 ```nix
   overlays = [{ ... }: {
     nixpkgs.crossSystem.system = "aarch64-linux";
   }];
 ```
 - <https://github.com/nix-community/aarch64-build-box>
 	- apply for access to the community arm build box
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,20 @@
 {
  "nodes": {
    "flake-utils": {
      "locked": {
        "lastModified": 1659877975,
        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -7,11 +22,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1656169755,
+        "lastModified": 1665996265,
-        "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
+        "narHash": "sha256-/k9og6LDBQwT+f/tJ5ClcWiUl8kCX5m6ognhsAxOiCY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
+        "rev": "b81e128fc053ab3159d7b464d9b7dedc9d6a6891",
        "type": "github"
      },
      "original": {
@@ -39,11 +54,11 @@
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1661716773,
+        "lastModified": 1666573922,
-        "narHash": "sha256-uxf0aC+kx8av3/IT8/UecxSMElC9i4UQvH25RHFwna4=",
+        "narHash": "sha256-CqB8Y5HajptSFE8Em990dcYZIHJWBiO9zd1us4Mzx8M=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "09e388c42298fa777caa7738cd8d8d2b6d1ac8db",
+        "rev": "1351091d2537040454fa232d8b94e745ab0eb5a3",
        "type": "github"
      },
      "original": {
@@ -54,26 +69,26 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1663067291,
+        "lastModified": 1666447894,
-        "narHash": "sha256-1BTrqhLMamWf53sJobtMiUDI91PEw6xF8YEwg2VE8w4=",
+        "narHash": "sha256-i9WHX4w/et4qPMzEXd9POmnO0/bthjr7R4cblKNHGms=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d86a4619b7e80bddb6c01bc01a954f368c56d1df",
+        "rev": "95aeaf83c247b8f5aa561684317ecd860476fcd6",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-22.05",
+        "ref": "nixos-unstable",
        "type": "indirect"
      }
    },
    "nixpkgs-22_05": {
      "locked": {
-        "lastModified": 1662864125,
+        "lastModified": 1666488099,
-        "narHash": "sha256-AtjyEFK7Zp9+hOOUNO1/YZRADV/wC94R3yeKN8saUK4=",
+        "narHash": "sha256-DANs2epN5QgvxWzH7xF3dzb4WE0lEuMLrMEu/vPmQxw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e6f053b6079c16e7df97531e3e0524ace1304d4d",
+        "rev": "f9115594149ebcb409a42e303bec4956814a8419",
        "type": "github"
      },
      "original": {
@@ -83,20 +98,19 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1662818301,
+        "lastModified": 1666401273,
-        "narHash": "sha256-uRjbKN924ptf5CvQ4cfki3R9nIm5EhrJBeb/xUxwfcM=",
+        "narHash": "sha256-AG3MoIjcWwz1SPjJ2nymWu4NmeVj9P40OpB1lsmxFtg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a25f0b9bbdfedee45305da5d1e1410c5bcbd48f6",
+        "rev": "3933d8bb9120573c0d8d49dc5e890cb211681490",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-22.05",
-        "repo": "nixpkgs",
+        "type": "indirect"
        "type": "github"
      }
    },
    "root": {
@@ -105,20 +119,41 @@
        "impermanence": "impermanence",
        "mobile-nixos": "mobile-nixos",
        "nixpkgs": "nixpkgs",
-        "sops-nix": "sops-nix"
+        "nixpkgs-stable": "nixpkgs-stable",
        "rycee": "rycee",
        "sops-nix": "sops-nix",
        "uninsane": "uninsane"
      }
    },
    "rycee": {
      "flake": false,
      "locked": {
        "lastModified": 1666843362,
        "narHash": "sha256-xn2bW9/MT0u8Ptlk+f323p46Q/ktZkzMp7oj5SlYDxU=",
        "owner": "rycee",
        "repo": "nur-expressions",
        "rev": "43d3a363c126968db46585b88b8eb97dd32634ad",
        "type": "gitlab"
      },
      "original": {
        "owner": "rycee",
        "repo": "nur-expressions",
        "type": "gitlab"
      }
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-22_05": "nixpkgs-22_05"
      },
      "locked": {
-        "lastModified": 1662870301,
+        "lastModified": 1666499473,
-        "narHash": "sha256-O+ABD+WzEBLVH6FwxKCIpps0hsR6b5dpYe6fB3e3Ju8=",
+        "narHash": "sha256-q1eFnBFL0kHgcnUPeKagw3BfbE/5sMJNGL2E2AR+a2M=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "20929e1c5722a6db2f2dbe4cd36d4af0de0a9df0",
+        "rev": "1b5f9512a265f0c9687dbff47893180f777f4809",
        "type": "github"
      },
      "original": {
@@ -126,6 +161,27 @@
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "uninsane": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1665758541,
        "narHash": "sha256-ibR8bPwHlDjavri5cNVnoo5FmFk1IfNMmQXxat5biqs=",
        "ref": "refs/heads/master",
        "rev": "4ad1801f6cecd678bbeae5dfe5933448dd7b3360",
        "revCount": 163,
        "type": "git",
        "url": "https://git.uninsane.org/colin/uninsane"
      },
      "original": {
        "type": "git",
        "url": "https://git.uninsane.org/colin/uninsane"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,8 @@
 {
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-22.05";
+    nixpkgs-stable.url = "nixpkgs/nixos-22.05";
    nixpkgs.url = "nixpkgs/nixos-unstable";
    mobile-nixos = {
      url = "github:nixos/mobile-nixos";
      flake = false;
@@ -13,12 +14,32 @@
      url = "github:nix-community/home-manager/release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    sops-nix.url = "github:Mic92/sops-nix";
+    rycee = {
      url = "gitlab:rycee/nur-expressions";
      flake = false;
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence.url = "github:nix-community/impermanence";
    uninsane = {
      url = "git+https://git.uninsane.org/colin/uninsane";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, mobile-nixos, home-manager, sops-nix, impermanence }:
+  outputs = {
-  let
+    self,
    nixpkgs,
    nixpkgs-stable,
    mobile-nixos,
    home-manager,
    rycee,
    sops-nix,
    impermanence,
    uninsane
  }: let
    patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
      name = "nixpkgs-patched-uninsane";
      src = nixpkgs;
@@ -38,21 +59,25 @@
      specialArgs = { inherit mobile-nixos home-manager impermanence; };
      modules = [
        ./modules
-        ./machines/${name}
+        (import ./machines/instantiate.nix name)
        (import ./helpers/set-hostname.nix name)
        home-manager.nixosModule
        impermanence.nixosModule
        sops-nix.nixosModules.sops
        {
          nixpkgs.config.allowUnfree = true;
          nixpkgs.overlays = [
            (import "${mobile-nixos}/overlay/overlay.nix")
            (import "${rycee}/overlay.nix")
            uninsane.overlay
            (import ./pkgs/overlay.nix)
-            (next: prev: {
+            (next: prev: rec {
              # non-emulated packages build *from* local *for* target.
              # for large packages like the linux kernel which are expensive to build under emulation,
              # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
              cross = (nixpkgsFor local target) // (customPackagesFor local target);
              stable = import nixpkgs-stable { system = target; };
              # pinned packages:
              electrum = stable.electrum;  # 2022-10-10: build break
              sequoia = stable.sequoia;    # 2022-10-13: build break
            })
          ];
        }
@@ -89,8 +114,16 @@
  in {
    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
    imgs = builtins.mapAttrs (name: value: value.img) machines;
-    packages.x86_64-linux = customPackagesFor "x86_64-linux" "x86_64-linux";
+    packages = let
-    packages.aarch64-linux = customPackagesFor "aarch64-linux" "aarch64-linux";
+      allPkgsFor = sys: (customPackagesFor sys sys) // {
        nixpkgs = nixpkgsFor sys sys;
        uninsane = uninsane.packages."${sys}";
        rycee = (import "${rycee}/default.nix" { pkgs = nixpkgsFor sys sys; });
      };
    in {
      x86_64-linux = allPkgsFor "x86_64-linux";
      aarch64-linux = allPkgsFor "aarch64-linux";
    };
  };
 }
--- a/helpers/set-hostname.nix
+++ b/helpers/set-hostname.nix
@@ -1,4 +0,0 @@
 hostName: { ... }:
 {
  networking.hostName = hostName;
 }
--- a/machines/desko/default.nix
+++ b/machines/desko/default.nix
@@ -18,6 +18,11 @@
  users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
  users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
  sops.secrets.colin-passwd = {
    sopsFile = ../../secrets/desko.yaml;
    neededForUsers = true;
  };
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
--- a/machines/instantiate.nix
+++ b/machines/instantiate.nix
@@ -0,0 +1,11 @@
 # trampoline from flake.nix into the specific machine definition, while doing a tiny bit of common setup
 hostName: { ... }: {
  imports = [
    ./${hostName}
  ];
  networking.hostName = hostName;
  nixpkgs.config.allowUnfree = true;
 }
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -7,9 +7,15 @@
  # sane.users.guest.enable = true;
  sane.gui.sway.enable = true;
  sane.impermanence.enable = true;
  sane.nixcache.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  sops.secrets.colin-passwd = {
    sopsFile = ../../secrets/lappy.yaml;
    neededForUsers = true;
  };
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
--- a/machines/moby/default.nix
+++ b/machines/moby/default.nix
@@ -1,42 +1,33 @@
 { config, pkgs, lib, mobile-nixos, ... }:
 {
  imports = [
    # (import "${mobile-nixos}/lib/configuration.nix" {
    #   device = "pine64-pinephone";
    # })
    ./firmware.nix
    ./fs.nix
    ./kernel.nix
  ];
-  # XXX colin: phosh doesn't work well with passwordless login
+
  # cross-compiled documentation is *slow*.
  # no obvious way to natively compile docs (2022/09/29).
  # entrypoint is nixos/modules/misc/documentation.nix
  # doc building happens in nixos/doc/manual/default.nix
  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
  documentation.nixos.enable = false;
  # XXX colin: phosh doesn't work well with passwordless login,
  # so set this more reliable default password should anything go wrong
  users.users.colin.initialPassword = "147147";
  services.getty.autologinUser = "root";  # allows for emergency maintenance?
  sops.secrets.colin-passwd = {
    sopsFile = ../../secrets/moby.yaml;
    neededForUsers = true;
  };
  # usability compromises
  sane.impermanence.home-dirs = [
    ".librewolf"
  ];
  # sane.home-manager.extraPackages = [
  #   # for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
  #   pkgs.angelfish  # plasma mobile web browser; broken on phosh (poor wayland support)
  #   # pkgs.plasma5Packages.index  # file browser
  #   pkgs.plasma5Packages.konsole  # terminal
  #   # pkgs.plasma5Packages.pix  # picture viewer
  #   pkgs.plasma5Packages.kalk  # calculator; broken on phosh
  #   # pkgs.plasma5Packages.buho  # (plasma mobile?) note application
  #   pkgs.plasma5Packages.kasts  #  podcast app; works on phosh after setting QT envar
  #   pkgs.plasma5Packages.koko  # image gallery; broken on phosh
  #   pkgs.plasma5Packages.kwave  # media player.
  #   # pkgs.plasma5Packages.neochat  #  matrix client. needs qcoro => no aarch64 support
  #   # pkgs.plasma5Packages.plasma-dialer  # phone dialer
  #   # pkgs.plasma5Packages.plasma-mobile  # the whole shebang?
  #   # pkgs.plasma5Packages.plasma-settings
  #   pkgs.plasma5Packages.bomber  # arcade game; broken on phosh
  #   pkgs.plasma5Packages.kapman  # pacman
  #   pkgs.st  # suckless terminal; broken on phosh
  #   # pkgs.alacritty  # terminal; crashes phosh
  # ];
  # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
  sane.home-manager.extraPackages = [
    pkgs.plasma5Packages.konsole  # terminal
@@ -47,10 +38,21 @@
  sane.gui.phosh.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  # /boot space is at a premium. default was 20.
  boot.loader.generic-extlinux-compatible.configurationLimit = 10;
  # mobile.bootloader.enable = false;
  # mobile.boot.stage-1.enable = false;
  # boot.initrd.systemd.enable = false;
  # boot.initrd.services.swraid.enable = false;  # attempt to fix dm_mod stuff
  # disable proximity sensor.
  # the filtering/calibration is bad that it causes the screen to go fully dark at times.
  boot.blacklistedKernelModules = [ "stk3310" ];
  # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
  # this is because they can't allocate enough video ram.
  # the default CMA seems to be 32M. we could probably get by with as little as 64M, and safely with 128M.
  # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
  boot.kernelParams = [ "cma=256M" ];
  # mobile-nixos' /lib/firmware includes:
  #   rtl_bt          (bluetooth)
@@ -70,5 +72,14 @@
  # enable rotation sensor
  hardware.sensor.iio.enable = true;
-  users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
+  # from https://gitlab.manjaro.org/manjaro-arm/packages/community/phosh/alsa-ucm-pinephone
  # mobile-nixos does this same thing, with *slightly different settings*.
  # i trust manjaro more because the guy maintaining that is actively trying to upstream into alsa-ucm-conf.
  # an alternative may be to build a custom alsa with the PinePhone config patch applied:
  # - <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
  # that would make this be not device-specific
  environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
  systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";
  hardware.opengl.driSupport = true;
 }
--- a/machines/moby/firmware.nix
+++ b/machines/moby/firmware.nix
@@ -4,7 +4,7 @@
  # only actually need 1 MB, but better to over-allocate than under-allocate
  sane.image.extraGPTPadding = 16 * 1024 * 1024;
  sane.image.firstPartGap = 0;
-  system.build.img = pkgs.runCommandNoCC "nixos_full-disk-image.img" {} ''
+  system.build.img = pkgs.runCommand "nixos_full-disk-image.img" {} ''
    cp -v ${config.system.build.img-without-firmware}/nixos.img $out
    chmod +w $out
    dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
--- a/machines/moby/kernel.nix
+++ b/machines/moby/kernel.nix
@@ -114,7 +114,7 @@ in
  # - phone rotation sensor is off by 90 degrees
  # - ambient light sensor causes screen brightness to be shakey
  # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.cross.linux-megous;
+  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
  boot.kernelPatches = [
    (patchDefconfig (kernelConfig //
--- a/machines/moby/ucm2/PinePhone/HiFi.conf
+++ b/machines/moby/ucm2/PinePhone/HiFi.conf
@@ -0,0 +1,148 @@
 SectionVerb {
 	EnableSequence [
 		cset "name='Headphone Playback Switch' off"
 		cset "name='Headphone Source Playback Route' DAC"
 		cset "name='Line In Playback Switch' off"
 		cset "name='Line Out Playback Switch' off"
 		cset "name='Line Out Source Playback Route' Mono Differential"
 		cset "name='Mic1 Playback Switch' off"
 		cset "name='Mic2 Playback Switch' off"
 		cset "name='AIF1 DA0 Playback Volume' 160"
 		cset "name='AIF3 ADC Source Capture Route' None"
 		cset "name='AIF2 DAC Source Playback Route' AIF2"
 		cset "name='DAC Playback Switch' on"
 		cset "name='DAC Playback Volume' 160"
 		cset "name='ADC Digital DAC Playback Switch' off"
 		cset "name='AIF1 Slot 0 Digital DAC Playback Switch' on"
 		cset "name='AIF2 Digital DAC Playback Switch' off"
 		cset "name='DAC Reversed Playback Switch' off"
 		cset "name='Earpiece Playback Switch' off"
 		cset "name='Earpiece Source Playback Route' DACL"
 		cset "name='Line In Capture Switch' off"
 		cset "name='Mic1 Capture Switch' off"
 		cset "name='Mic1 Boost Volume' 7"
 		cset "name='Mic2 Capture Switch' off"
 		cset "name='Mic2 Boost Volume' 7"
 		cset "name='Mixer Capture Switch' off"
 		cset "name='Mixer Reversed Capture Switch' off"
 		cset "name='ADC Capture Volume' 160"
 		cset "name='ADC Gain Capture Volume' 7"
 		cset "name='AIF1 AD0 Capture Volume' 160"
 		cset "name='AIF1 Data Digital ADC Capture Switch' on"
 		cset "name='AIF2 ADC Mixer ADC Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF2 DAC Rev Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 	]
        DisableSequence [
        ]
 	Value {
 	}
 }
 SectionDevice."Speaker" {
 	Comment "Internal speaker"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
 		cset "name='Line Out Playback Switch' on"
 		cset "name='Line Out Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Line Out Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Line Out Playback Volume"
 		PlaybackSwitch "Line Out Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 300
 		PlaybackPCM "hw:${CardId},0"
 	}
 }
 SectionDevice."Earpiece" {
 	Comment "Internal Earpiece"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
 		cset "name='Earpiece Playback Switch' on"
 		cset "name='Earpiece Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Earpiece Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Earpiece Playback Volume"
 		PlaybackSwitch "Earpiece Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 200
 		PlaybackPCM "hw:${CardId},0"
 	}
 }
 SectionDevice."Mic" {
 	Comment "Internal Microphone"
 	ConflictingDevice [
 		"Headset"
 	]
 	EnableSequence [
 		cset "name='Mic1 Capture Switch' on"
 	]
 	DisableSequence [
 		cset "name='Mic1 Capture Switch' off"
 	]
 	Value {
 		CapturePriority 100
 		CapturePCM "hw:${CardId},0"
 		CaptureChannels 2
 		CaptureMixerElem "ADC"
 		CaptureVolume "ADC Capture Volume"
 		CaptureSwitch "Mic1 Capture Switch"
 	}
 }
 SectionDevice."Headset" {
 	Comment "Headset Microphone"
 	ConflictingDevice [
 		"Mic"
 	]
 	EnableSequence [
 		cset "name='Mic2 Capture Switch' on"
 	]
 	DisableSequence [
 		cset "name='Mic2 Capture Switch' off"
 	]
 	Value {
 		CapturePriority 500
 		CapturePCM "hw:${CardId},0"
 		CaptureChannels 2
 		CaptureMixerElem "ADC"
 		CaptureVolume "ADC Capture Volume"
 		CaptureSwitch "Mic2 Capture Switch"
 		JackControl "Headset Microphone Jack"
 	}
 }
 SectionDevice."Headphones" {
 	Comment "Headphones"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Stereo"
 		cset "name='Headphone Playback Switch' on"
 		cset "name='Headphone Playback Volume' 70%"
 	]
 	DisableSequence [
 		cset "name='Headphone Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Headphone Playback Volume"
 		PlaybackSwitch "Headphone Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 500
 		PlaybackPCM "hw:${CardId},0"
 		JackControl "Headphone Jack"
 	}
 }
--- a/machines/moby/ucm2/PinePhone/PinePhone.conf
+++ b/machines/moby/ucm2/PinePhone/PinePhone.conf
@@ -0,0 +1,11 @@
 Syntax 2
 SectionUseCase."HiFi" {
 	File "HiFi.conf"
 	Comment "Default"
 }
 SectionUseCase."Voice Call" {
 	File "VoiceCall.conf"
 	Comment "Phone call"
 }
--- a/machines/moby/ucm2/PinePhone/VoiceCall.conf
+++ b/machines/moby/ucm2/PinePhone/VoiceCall.conf
@@ -0,0 +1,153 @@
 SectionVerb {
 	EnableSequence [
 		cset "name='Headphone Playback Switch' off"
 		cset "name='Headphone Source Playback Route' DAC"
 		cset "name='Line In Playback Switch' off"
 		cset "name='Line Out Playback Switch' off"
 		cset "name='Line Out Source Playback Route' Mono Differential"
 		cset "name='Mic1 Playback Switch' off"
 		cset "name='Mic2 Playback Switch' off"
 		cset "name='AIF1 DA0 Playback Volume' 160"
 		cset "name='AIF2 DAC Playback Volume' 160"
 		cset "name='AIF3 ADC Source Capture Route' None"
 		cset "name='AIF2 DAC Source Playback Route' AIF2"
 		cset "name='DAC Playback Switch' on"
 		cset "name='DAC Playback Volume' 160"
 		cset "name='ADC Digital DAC Playback Switch' off"
 		cset "name='AIF1 Slot 0 Digital DAC Playback Switch' on"
 		cset "name='AIF2 Digital DAC Playback Switch' on"
 		cset "name='DAC Reversed Playback Switch' off"
 		cset "name='Earpiece Playback Switch' off"
 		cset "name='Earpiece Source Playback Route' DACL"
 		cset "name='Line In Capture Switch' off"
 		cset "name='Mic1 Capture Switch' off"
 		cset "name='Mic1 Boost Volume' 0"
 		cset "name='Mic1 Playback Volume' 7"
 		cset "name='Mic2 Capture Switch' off"
 		cset "name='Mic2 Boost Volume' 0"
 		cset "name='Mic2 Playback Volume' 7"
 		cset "name='Mixer Capture Switch' off"
 		cset "name='Mixer Reversed Capture Switch' off"
 		cset "name='ADC Capture Volume' 160"
 		cset "name='ADC Gain Capture Volume' 7"
 		cset "name='AIF1 AD0 Capture Volume' 160"
 		cset "name='AIF1 Data Digital ADC Capture Switch' on"
 		cset "name='AIF2 ADC Capture Volume' 160"
 		cset "name='AIF2 ADC Mixer ADC Capture Switch' on"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF2 DAC Rev Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 	]
        DisableSequence [
        ]
 	Value {
 		PlaybackRate 8000
 	}
 }
 SectionDevice."Speaker" {
 	Comment "Internal speaker"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
 		cset "name='Line Out Playback Switch' on"
 		cset "name='Line Out Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Line Out Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Line Out Playback Volume"
 		PlaybackSwitch "Line Out Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 300
 		PlaybackPCM "hw:${CardId},0"
 	}
 }
 SectionDevice."Earpiece" {
 	Comment "Internal Earpiece"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
 		cset "name='Earpiece Playback Switch' on"
 		cset "name='Earpiece Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Earpiece Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Earpiece Playback Volume"
 		PlaybackSwitch "Earpiece Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 500
 		PlaybackPCM "hw:${CardId},0"
 	}
 }
 SectionDevice."Mic" {
 	Comment "Internal Microphone"
 	ConflictingDevice [
 		"Headset"
 	]
 	EnableSequence [
 		cset "name='Mic1 Capture Switch' on"
 	]
 	DisableSequence [
 		cset "name='Mic1 Capture Switch' off"
 	]
 	Value {
 		CapturePriority 200
 		CapturePCM "hw:${CardId},0"
 		CaptureMixerElem "ADC"
 		CaptureVolume "ADC Capture Volume"
 		CaptureSwitch "Mic1 Capture Switch"
 		CaptureChannels 2
 	}
 }
 SectionDevice."Headset" {
 	Comment "Headset Microphone"
 	ConflictingDevice [
 		"Mic"
 	]
 	EnableSequence [
 		cset "name='Mic2 Capture Switch' on"
 	]
 	DisableSequence [
 		cset "name='Mic2 Capture Switch' off"
 	]
 	Value {
 		CapturePriority 500
 		CapturePCM "hw:${CardId},0"
 		CaptureChannels 2
 		CaptureMixerElem "ADC"
 		CaptureVolume "ADC Capture Volume"
 		CaptureSwitch "Mic2 Capture Switch"
 		JackControl "Headset Microphone Jack"
 	}
 }
 SectionDevice."Headphones" {
 	Comment "Headphones"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Stereo"
 		cset "name='Headphone Playback Switch' on"
 		cset "name='Headphone Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Headphone Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Headphone Playback Volume"
 		PlaybackSwitch "Headphone Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 500
 		PlaybackPCM "hw:${CardId},0"
 		JackControl "Headphone Jack"
 	}
 }
--- a/machines/moby/ucm2/ucm.conf
+++ b/machines/moby/ucm2/ucm.conf
@@ -0,0 +1,8 @@
 Syntax 3
 UseCasePath {
 	legacy {
 		Directory "PinePhone"
 		File "PinePhone.conf"
 	}
 }
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -6,24 +6,14 @@
    ./hardware.nix
    ./net.nix
    ./users.nix
-    ./services/ddns-he.nix
+    ./services
    ./services/gitea.nix
    ./services/ipfs.nix
    ./services/jackett.nix
    ./services/jellyfin.nix
    ./services/matrix.nix
    ./services/navidrome.nix
    ./services/nginx.nix
    ./services/pleroma.nix
    ./services/postfix.nix
    ./services/postgres.nix
    ./services/transmission.nix
  ];
  sane.home-manager.enable = true;
  sane.home-manager.extraPackages = [
-    # for administering matrix
+    # for administering services
    pkgs.matrix-synapse
    pkgs.freshrss
    pkgs.goaccess
  ];
  sane.impermanence.enable = true;
  sane.services.duplicity.enable = true;
--- a/machines/servo/services/default.nix
+++ b/machines/servo/services/default.nix
@@ -0,0 +1,19 @@
 { ... }:
 {
  imports = [
    ./ddns-he.nix
    ./freshrss.nix
    ./gitea.nix
    ./goaccess.nix
    ./ipfs.nix
    ./jackett.nix
    ./jellyfin.nix
    ./matrix
    ./navidrome.nix
    ./nginx.nix
    ./pleroma.nix
    ./postfix.nix
    ./postgres.nix
    ./transmission.nix
  ];
 }
--- a/machines/servo/services/freshrss.nix
+++ b/machines/servo/services/freshrss.nix
@@ -0,0 +1,48 @@
 # import feeds with e.g.
 # ```console
 # $ nix build '.#nixpkgs.freshrss'
 # $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --filename /home/colin/.config/newsflashFeeds.opml
 # ```
 #
 # export feeds with
 # ```console
 # $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/export-opml-for-user.php --user admin
 # ```
 { config, lib, pkgs, ... }:
 {
  sops.secrets.freshrss_passwd = {
    sopsFile = ../../../secrets/servo.yaml;
    owner = config.users.users.freshrss.name;
    mode = "400";
  };
  sane.impermanence.service-dirs = [
    { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
  ];
  users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
  users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
  services.freshrss.enable = true;
  services.freshrss.baseUrl = "https://rss.uninsane.org";
  services.freshrss.virtualHost = "rss.uninsane.org";
  services.freshrss.passwordFile = config.sops.secrets.freshrss_passwd.path;
  systemd.services.freshrss-import-feeds =
  let
    fresh = config.systemd.services.freshrss-config;
    feeds = import ../../../modules/universal/home-manager/feeds.nix { inherit lib; };
    opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
  in {
    inherit (fresh) wantedBy environment;
    serviceConfig = {
      inherit (fresh.serviceConfig) Type User Group StateDirectory WorkingDirectory
        # hardening options
        CapabilityBoundingSet DeviceAllow LockPersonality NoNewPrivileges PrivateDevices PrivateTmp PrivateUsers ProcSubset ProtectClock ProtectControlGroups ProtectHome ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables ProtectProc ProtectSystem RemoveIPC RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallArchitectures SystemCallFilter UMask;
    };
    description = "import sane RSS feed list";
    after = [ "freshrss-config.service" ];
    script = ''
      ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
    '';
  };
 }
--- a/machines/servo/services/gitea.nix
+++ b/machines/servo/services/gitea.nix
@@ -13,7 +13,7 @@
  services.gitea.appName = "Perfectly Sane Git";
  services.gitea.domain = "git.uninsane.org";
  services.gitea.rootUrl = "https://git.uninsane.org/";
-  services.gitea.cookieSecure = true;
+  services.gitea.settings.session.COOKIE_SECURE = true;
  # services.gitea.disableRegistration = true;
  services.gitea.settings = {
@@ -60,7 +60,7 @@
    };
  };
  # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
-  services.gitea.log.level = "Info";
+  services.gitea.settings.log.LEVEL = "Warn";
  systemd.services.gitea.serviceConfig = {
    # nix default is AF_UNIX AF_INET AF_INET6.
--- a/machines/servo/services/goaccess.nix
+++ b/machines/servo/services/goaccess.nix
@@ -0,0 +1,44 @@
 { pkgs, ... }:
 {
  # based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
  # log-format setting can be derived with this tool if custom:
  # - <https://github.com/stockrt/nginx2goaccess>
  # config options:
  # - <https://github.com/allinurl/goaccess/blob/master/config/goaccess.conf>
  systemd.services.goaccess = {
    description = "GoAccess server monitoring";
    serviceConfig = {
      ExecStart = ''
        ${pkgs.goaccess}/bin/goaccess \
          -f /var/log/nginx/public.log \
          --log-format=VCOMBINED \
          --real-time-html \
          --no-query-string \
          --anonymize-ip \
          --ignore-panel=HOSTS \
          --ws-url=wss://sink.uninsane.org:443/ws \
          --port=7890 \
          -o /var/lib/uninsane/sink/index.html
      '';
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      Type = "simple";
      Restart = "on-failure";
      # hardening
      WorkingDirectory = "/tmp";
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = "read-only";
      ProtectSystem = "strict";
      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
      ReadOnlyPaths = "/";
      ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
      PrivateDevices = "yes";
      ProtectKernelModules = "yes";
      ProtectKernelTunables = "yes";
    };
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
  };
 }
--- a/machines/servo/services/ipfs.nix
+++ b/machines/servo/services/ipfs.nix
@@ -12,15 +12,15 @@
    # TODO: mode? could be more granular
    { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
  ];
-  services.ipfs.enable = true;
+  # services.ipfs.enable = true;
-  services.ipfs.localDiscovery = true;
+  services.kubo.localDiscovery = true;
-  services.ipfs.swarmAddress = [
+  services.kubo.swarmAddress = [
    # "/dns4/ipfs.uninsane.org/tcp/4001"
    # "/ip4/0.0.0.0/tcp/4001"
    "/dns4/ipfs.uninsane.org/udp/4001/quic"
    "/ip4/0.0.0.0/udp/4001/quic"
  ];
-  services.ipfs.extraConfig = {
+  services.kubo.extraConfig = {
    Addresses = {
      Announce = [
        # "/dns4/ipfs.uninsane.org/tcp/4001"
--- a/machines/servo/services/jellyfin.nix
+++ b/machines/servo/services/jellyfin.nix
@@ -5,7 +5,10 @@
    # TODO: mode? could be more granular
    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
  ];
-  users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
+
-  users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
+  # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
-  services.jellyfin.enable = true;
+  # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
  # TODO: re-enable after migrating media dir to /var/lib/uninsane/media
  # else it's too spammy
  # services.jellyfin.enable = true;
 }
--- a/machines/servo/services/matrix/default.nix
+++ b/machines/servo/services/matrix/default.nix
@@ -0,0 +1,85 @@
 # docs: https://nixos.wiki/wiki/Matrix
 # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
 { config, lib, ... }:
 {
  imports = [
    ./discord-puppet.nix
    # ./irc.nix
  ];
  sane.impermanence.service-dirs = [
    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
  services.matrix-synapse.settings.server_name = "uninsane.org";
  # services.matrix-synapse.enable_registration_captcha = true;
  # services.matrix-synapse.enable_registration_without_verification = true;
  services.matrix-synapse.settings.enable_registration = true;
  # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
  # default for listeners is port = 8448, tls = true, x_forwarded = false.
  # we change this because the server is situated behind nginx.
  services.matrix-synapse.settings.listeners = [
    {
      port = 8008;
      bind_addresses = [ "127.0.0.1" ];
      type = "http";
      tls = false;
      x_forwarded = true;
      resources = [
        {
          names = [ "client" "federation" ];
          compress = false;
        }
      ];
    }
  ];
  services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
  services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
  services.matrix-synapse.extraConfigFiles = [
    config.sops.secrets.matrix_synapse_secrets.path
  ];
  # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
  #   admin_contact: "admin.matrix@uninsane.org"
  #   registrations_require_3pid:
  #     - email
  #   email:
  #     smtp_host: "mx.uninsane.org"
  #     smtp_port: 587
  #     smtp_user: "matrix-synapse"
  #     smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
  #     require_transport_security: true
  #     enable_tls: true
  #     notif_from: "%(app)s <notify.matrix@uninsane.org>"
  #     app_name: "Uninsane Matrix"
  #     enable_notifs: true
  #     validation_token_lifetime: 96h
  #     invite_client_location: "https://web.matrix.uninsane.org"
  #     subjects:
  #       email_validation: "[%(server_name)s] Validate your email"
  # ''];
  # new users may be registered on the CLI:
  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
  #
  # or provide an registration token then can use to register through the client.
  #   docs: https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/admin_api/registration_tokens.md
  # first, grab your own user's access token (Help & About section in Element). then:
  #   curl --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens
  # create a token with unlimited uses:
  #   curl -d '{}' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  # create a token with limited uses:
  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  sops.secrets.matrix_synapse_secrets = {
    sopsFile = ../../../../secrets/servo.yaml;
    owner = config.users.users.matrix-synapse.name;
  };
 }
--- a/machines/servo/services/matrix/discord-puppet.nix
+++ b/machines/servo/services/matrix/discord-puppet.nix
@@ -0,0 +1,52 @@
 { lib, ... }:
 {
  sane.impermanence.service-dirs = [
    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
  ];
  services.matrix-synapse.settings.app_service_config_files = [
    # auto-created by mx-puppet-discord service
    "/var/lib/mx-puppet-discord/discord-registration.yaml"
  ];
  services.mx-puppet-discord.enable = true;
  # schema/example: <https://gitlab.com/mx-puppet/discord/mx-puppet-discord/-/blob/main/sample.config.yaml>
  services.mx-puppet-discord.settings = {
    bridge = {
      # port = 8434
      bindAddress = "127.0.0.1";
      domain = "uninsane.org";
      homeserverUrl = "http://127.0.0.1:8008";
      # displayName = "mx-discord-puppet";  # matrix name for the bot
      # matrix "groups" were an earlier version of spaces.
      # maybe the puppet understands this, maybe not?
      enableGroupSync = false;
    };
    presence = {
      enabled = false;
      interval = 30000;
    };
    provisioning = {
      # allow these users to control the puppet
      whitelist = [ "@colin:uninsane\\.org" ];
    };
    relay = {
      whitelist = [ "@colin:uninsane\\.org" ];
    };
    selfService = {
      # who's allowed to use plumbed rooms (idk what that means)
      whitelist = [ "@colin:uninsane\\.org" ];
    };
    logging = {
      # silly, debug, verbose, info, warn, error
      console = "debug";
    };
  };
  systemd.services.mx-puppet-discord.serviceConfig = {
    # fix up to not use /var/lib/private, but just /var/lib
    DynamicUser = lib.mkForce false;
    User = "matrix-synapse";
    Group = "matrix-synapse";
  };
 }
--- a/machines/servo/services/matrix/irc.nix
+++ b/machines/servo/services/matrix/irc.nix
@@ -1,86 +1,19 @@
-# docs: https://nixos.wiki/wiki/Matrix
+{ config, lib, ... }:
 # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
 { config, ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode?
    # user and group are both "matrix-appservice-irc"
    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
    { user = "224"; group = "224"; directory = "/var/lib/matrix-synapse"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings.server_name = "uninsane.org";
  # services.matrix-synapse.enable_registration_captcha = true;
  # services.matrix-synapse.enable_registration_without_verification = true;
  services.matrix-synapse.settings.enable_registration = true;
  # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
  # default for listeners is port = 8448, tls = true, x_forwarded = false.
  # we change this because the server is situated behind nginx.
  services.matrix-synapse.settings.listeners = [
    {
      port = 8008;
      bind_addresses = [ "127.0.0.1" ];
      type = "http";
      tls = false;
      x_forwarded = true;
      resources = [
        {
          names = [ "client" "federation" ];
          compress = false;
        }
      ];
    }
  ];
  services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
  services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
  services.matrix-synapse.extraConfigFiles = [
    config.sops.secrets.matrix_synapse_secrets.path
  ];
  # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
  #   admin_contact: "admin.matrix@uninsane.org"
  #   registrations_require_3pid:
  #     - email
  #   email:
  #     smtp_host: "mx.uninsane.org"
  #     smtp_port: 587
  #     smtp_user: "matrix-synapse"
  #     smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
  #     require_transport_security: true
  #     enable_tls: true
  #     notif_from: "%(app)s <notify.matrix@uninsane.org>"
  #     app_name: "Uninsane Matrix"
  #     enable_notifs: true
  #     validation_token_lifetime: 96h
  #     invite_client_location: "https://web.matrix.uninsane.org"
  #     subjects:
  #       email_validation: "[%(server_name)s] Validate your email"
  # ''];
  services.matrix-synapse.settings.app_service_config_files = [
    "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
  ];
  # new users may be registered on the CLI:
  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
  #
  # or provide an registration token then can use to register through the client.
  #   docs: https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/admin_api/registration_tokens.md
  # first, grab your own user's access token (Help & About section in Element). then:
  #   curl --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens
  # create a token with unlimited uses:
  #   curl -d '{}' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  # create a token with limited uses:
  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  # IRC bridging
  # note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
  # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
-  # services.matrix-appservice-irc.enable = true;
+  services.matrix-appservice-irc.enable = true;
  services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
  # settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
  services.matrix-appservice-irc.settings = {
@@ -161,9 +94,4 @@
      };
    };
  };
  sops.secrets.matrix_synapse_secrets = {
    sopsFile = ../../../secrets/servo.yaml;
    owner = config.users.users.matrix-synapse.name;
  };
 }
--- a/machines/servo/services/matrix/synapse-log_level.yaml
+++ b/machines/servo/services/matrix/synapse-log_level.yaml
@@ -0,0 +1,27 @@
 version: 1
 # In systemd's journal, loglevel is implicitly stored, so let's omit it
 # from the message text.
 formatters:
    journal_fmt:
        format: '%(name)s: [%(request)s] %(message)s'
 filters:
    context:
        (): synapse.util.logcontext.LoggingContextFilter
        request: ""
 handlers:
    journal:
        class: systemd.journal.JournalHandler
        formatter: journal_fmt
        filters: [context]
        SYSLOG_IDENTIFIER: synapse
 # default log level: INFO
 root:
    level: WARN
    handlers: [journal]
 disable_existing_loggers: False
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
@@ -1,18 +1,40 @@
 # docs: https://nixos.wiki/wiki/Nginx
 { config, pkgs, ... }:
 let
  # make the logs for this host "public" so that they show up in e.g. metrics
  publog = vhost: vhost // {
    extraConfig = (vhost.extraConfig or "") + ''
      access_log /var/log/nginx/public.log vcombined;
    '';
  };
 in
 {
  services.nginx.enable = true;
  # this is the standard `combined` log format, with the addition of $host
  # so that we have the virtualHost in the log.
  # KEEP IN SYNC WITH GOACCESS
  # goaccess calls this VCOMBINED:
  # - <https://gist.github.com/jyap808/10570005>
  services.nginx.commonHttpConfig = ''
    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
    access_log /var/log/nginx/private.log vcombined;
  '';
  # web blog/personal site
-  services.nginx.virtualHosts."uninsane.org" = {
+  services.nginx.virtualHosts."uninsane.org" = publog {
-    root = "/var/lib/uninsane/root";
+    root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
    # a lot of places hardcode https://uninsane.org,
    # and then when we mix http + non-https, we get CORS violations
    # and things don't look right. so force SSL.
    forceSSL = true;
    enableACME = true;
    # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
    # yes, nginx does not strip the prefix when evaluating against the root.
    locations."/share".root = "/var/lib/uninsane/root";
    # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
    locations."= /.well-known/matrix/server".extraConfig =
      let
@@ -53,8 +75,28 @@
    # };
  };
  # server statistics
  services.nginx.virtualHosts."sink.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    root = "/var/lib/uninsane/sink";
    locations."/ws" = {
      proxyPass = "http://127.0.0.1:7890";
      # XXX not sure how much of this is necessary
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off;
        proxy_read_timeout 7d;
      '';
    };
  };
  # Pleroma server and web interface
-  services.nginx.virtualHosts."fed.uninsane.org" = {
+  services.nginx.virtualHosts."fed.uninsane.org" = publog {
    addSSL = true;
    enableACME = true;
    locations."/" = {
@@ -115,7 +157,7 @@
  };
  # matrix chat server
-  services.nginx.virtualHosts."matrix.uninsane.org" = {
+  services.nginx.virtualHosts."matrix.uninsane.org" = publog {
    addSSL = true;
    enableACME = true;
@@ -156,7 +198,7 @@
  };
  # hosted git (web view and for `git <cmd>` use
-  services.nginx.virtualHosts."git.uninsane.org" = {
+  services.nginx.virtualHosts."git.uninsane.org" = publog {
    addSSL = true;
    enableACME = true;
@@ -219,6 +261,12 @@
    locations."/".proxyPass = "http://127.0.0.1:4533";
  };
  services.nginx.virtualHosts."rss.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    # the routing is handled by freshrss.nix
  };
  services.nginx.virtualHosts."ipfs.uninsane.org" = {
    # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
    # ideally we'd disable ssl entirely, but some places assume it?
@@ -266,6 +314,7 @@
  sane.impermanence.service-dirs = [
    # TODO: mode?
    { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
    # TODO: this is overly broad; only need media and share directories to be persisted
    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
  ];
 }
--- a/machines/servo/services/pleroma.nix
+++ b/machines/servo/services/pleroma.nix
@@ -74,9 +74,10 @@
    config :pleroma, configurable_from_database: false
    # strip metadata from uploaded images
-    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool]
+    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation]
    # TODO: GET /api/pleroma/captcha is broken
    # there was a nixpkgs PR to fix this around 2022/10 though.
    config :pleroma, Pleroma.Captcha,
      enabled: false,
      method: Pleroma.Captcha.Native
--- a/machines/servo/services/postfix.nix
+++ b/machines/servo/services/postfix.nix
@@ -18,8 +18,12 @@ in
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? could be more granular
-    { user = "221"; group = "221"; directory = "/var/lib/opendkim"; }
+    { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
    { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
    { user = "root"; group = "root"; directory = "/var/spool/mail"; }
    # *probably* don't need these dirs:
    # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
    # "/var/lib/dovecot"
  ];
  services.postfix.enable = true;
  services.postfix.hostname = "mx.uninsane.org";
--- a/machines/servo/services/postgres.nix
+++ b/machines/servo/services/postgres.nix
@@ -3,7 +3,7 @@
 {
  sane.impermanence.service-dirs = [
    # TODO: mode?
-    { user = "71"; group = "71"; directory = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
  ];
  services.postgresql.enable = true;
  # services.postgresql.dataDir = "/opt/postgresql/13";
--- a/machines/servo/services/transmission.nix
+++ b/machines/servo/services/transmission.nix
@@ -3,7 +3,7 @@
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "70"; group = "70"; directory = "/var/lib/transmission"; }
+    { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
  ];
  services.transmission.enable = true;
  services.transmission.settings = {
@@ -44,6 +44,7 @@
  systemd.services.transmission.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
    LogLevelMax = "warning";
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -7,8 +7,7 @@
    ./image.nix
    ./impermanence.nix
    ./nixcache.nix
-    ./services/duplicity.nix
+    ./services
    ./services/nixserve.nix
    ./universal
  ];
 }
--- a/modules/gui/default.nix
+++ b/modules/gui/default.nix
@@ -22,7 +22,6 @@ in
  config = lib.mkIf cfg.enable {
    sane.home-packages.enableGuiPkgs = lib.mkDefault true;
    sane.home-manager.enable = lib.mkDefault true;
    # all GUIs use network manager?
    users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
  };
--- a/modules/gui/gnome.nix
+++ b/modules/gui/gnome.nix
@@ -14,6 +14,16 @@ in
  config = mkIf cfg.enable {
    sane.gui.enable = true;
    users.users.avahi.uid = config.sane.allocations.avahi-uid;
    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
    users.users.colord.uid = config.sane.allocations.colord-uid;
    users.groups.colord.gid = config.sane.allocations.colord-gid;
    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
    # start gnome/gdm on boot
    services.xserver.enable = true;
    services.xserver.desktopManager.gnome.enable = true;
--- a/modules/gui/phosh.nix
+++ b/modules/gui/phosh.nix
@@ -10,9 +10,18 @@ in
      default = false;
      type = types.bool;
    };
    sane.gui.phosh.useGreeter = mkOption {
      description = ''
        launch phosh via a greeter (like lightdm-mobile-greeter).
        phosh is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = true;
      type = types.bool;
    };
  };
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (mkMerge [
    {
      sane.gui.enable = true;
      users.users.avahi.uid = config.sane.allocations.avahi-uid;
@@ -21,6 +30,7 @@ in
      users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
      users.groups.avahi.gid = config.sane.allocations.avahi-gid;
      users.groups.colord.gid = config.sane.allocations.colord-gid;
      users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
      users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
      users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
@@ -60,8 +70,40 @@ in
      };
      sane.home-manager.extraPackages = with pkgs; [
        phosh-mobile-settings
        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
        gnome.gnome-bluetooth
      ];
    }
    (mkIf cfg.useGreeter {
      services.xserver.enable = true;
      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
      # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
      # this requires the user we want to login as to be cached.
      services.xserver.displayManager.job.preStart = ''
        ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
      '';
      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";  # XXX: not sure why this doesn't propagate correctly.
      services.xserver.displayManager.lightdm.extraSeatDefaults = ''
        user-session = phosh
      '';
      services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
      services.xserver.displayManager.lightdm.greeter = {
        enable = true;
        package = pkgs.lightdm-mobile-greeter.xgreeters;
        name = "lightdm-mobile-greeter";
      };
      # services.xserver.displayManager.lightdm.enable = true;
      # # services.xserver.displayManager.lightdm.greeters.enso.enable = true;  # tried (with reboot); got a mouse then died. next time was black
      # # services.xserver.displayManager.lightdm.greeters.gtk.enable = true;  # tried (with reboot); unusable without OSK
      # # services.xserver.displayManager.lightdm.greeters.mini.enable = true;  # tried (with reboot); unusable without OSK
      # # services.xserver.displayManager.lightdm.greeters.pantheon.enable = true; # tried (no reboot); unusable without OSK
      # services.xserver.displayManager.lightdm.greeters.slick.enable = true;  # tried; unusable without OSK (a11y -> OSK doesn't work)
      # # services.xserver.displayManager.lightdm.greeters.tiny.enable = true;  # tried; block screen
      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
    })
  ]);
 }
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -11,6 +11,14 @@ in
      default = false;
      type = types.bool;
    };
    sane.gui.sway.useGreeter = mkOption {
      description = ''
        launch sway via a greeter (like greetd's gtkgreet).
        sway is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = true;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
    sane.gui.enable = true;
@@ -21,18 +29,39 @@ in
      enable = true;
    };
-    # TODO: should be able to use SDDM to get interactive login
+    # alternatively, could use SDDM
-    services.greetd = {
+    services.greetd = let
-      enable = true;
+      swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
-      settings = rec {
+        # `-l` activates layer-shell mode.
-        initial_session = {
+        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
      '';
      default_session = {
        "01" = {
          # greeter session config
          command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
          # alternatives:
          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
        };
        "0" = {
          # no greeter
          command = "${pkgs.sway}/bin/sway";
          user = "colin";
        };
-        default_session = initial_session;
+      };
    in {
      # greetd source/docs:
      # - <https://git.sr.ht/~kennylevinsen/greetd>
      enable = true;
      settings = {
        default_session = default_session."0${builtins.toString cfg.useGreeter}";
      };
    };
    # some programs (e.g. fractal) **require** a "Secret Service Provider"
    services.gnome.gnome-keyring.enable = true;
    # unlike other DEs, sway configures no audio stack
    # administer with pw-cli, pw-mon, pw-top commands
    services.pipewire = {
@@ -85,21 +114,22 @@ in
          "${modifier}+Return" = "exec ${terminal}";
          "${modifier}+Shift+q" = "kill";
          "${modifier}+d" = "exec ${menu}";
          "${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
-          "${modifier}+${left}" = "focus left";
+          # "${modifier}+${left}" = "focus left";
-          "${modifier}+${down}" = "focus down";
+          # "${modifier}+${down}" = "focus down";
-          "${modifier}+${up}" = "focus up";
+          # "${modifier}+${up}" = "focus up";
-          "${modifier}+${right}" = "focus right";
+          # "${modifier}+${right}" = "focus right";
          "${modifier}+Left" = "focus left";
          "${modifier}+Down" = "focus down";
          "${modifier}+Up" = "focus up";
          "${modifier}+Right" = "focus right";
-          "${modifier}+Shift+${left}" = "move left";
+          # "${modifier}+Shift+${left}" = "move left";
-          "${modifier}+Shift+${down}" = "move down";
+          # "${modifier}+Shift+${down}" = "move down";
-          "${modifier}+Shift+${up}" = "move up";
+          # "${modifier}+Shift+${up}" = "move up";
-          "${modifier}+Shift+${right}" = "move right";
+          # "${modifier}+Shift+${right}" = "move right";
          "${modifier}+Shift+Left" = "move left";
          "${modifier}+Shift+Down" = "move down";
@@ -569,7 +599,7 @@ in
    };
    sane.home-manager.extraPackages = with pkgs; [
      swaylock
-      swayidle
+      swayidle  # (unused)
      wl-clipboard
      mako # notification daemon
      xdg-utils  # for xdg-open
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -7,6 +7,8 @@
 with lib;
 let
  cfg = config.sane.impermanence;
  # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
  secretsForUsers = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
 in
 {
  options = {
@@ -34,28 +36,17 @@ in
    map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
    map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
-    map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
+
  in mkIf cfg.enable {
    sane.image.extraDirectories = [ "/nix/persist/var/log" ];
    environment.persistence."/nix/persist" = {
-      directories = (map-home-dirs ([
+      directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
        # cache is probably too big to fit on the tmpfs
        # TODO: we could bind-mount it to something which gets cleared per boot, though.
        ".cache"
        ".cargo"
        ".rustup"
        ".ssh"
        # intentionally omitted:
        # ".config"  # managed by home-manager
        # ".local"   # nothing useful in here
      ] ++ cfg.home-dirs)) ++ (map-sys-dirs [
        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
-        { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
+        # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # "/etc/nixos"
        # "/etc/ssh"  # persist only the specific files we want, instead
        "/var/log"
        "/var/backup"  # for e.g. postgres dumps
      ]) ++ (map-service-dirs ([
        # "/var/lib/AccountsService"   # not sure what this is, but it's empty
        "/var/lib/alsa"                # preserve output levels, default devices
        # "/var/lib/blueman"           # files aren't human readable
@@ -79,30 +70,29 @@ in
        # "/var/lib/upower"            # historic charge data. unnecessary, but maybe used somewhere?
        #
        # servo additions:
-        # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
+      ] ++ cfg.service-dirs);
-        # "/var/lib/dovecot"
+      files = [ "/etc/machine-id" ];
        # "/var/lib/duplicity"
      ] ++ cfg.service-dirs));
      files = [
        "/etc/machine-id"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/home/colin/.zsh_history"
        # # XXX these only need persistence because i have mutableUsers = true, i think
        # "/etc/group"
        # "/etc/passwd"
        # "/etc/shadow"
      ];
    };
-    systemd.services.sane-sops = {
+    # secret decoding depends on /etc/ssh keys, which are persisted
-      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
+    system.activationScripts.setupSecrets.deps = [ "persist-files" ];
-      script = config.system.activationScripts.setupSecrets.text;
+    # `setupSecretsForUsers` should depend on `persist-files`,
-      after = [ "fs-local.target" ];
+    # but `persist-files` itself depends on `users`, to this would be circular.
-      wantedBy = [ "multi-user.target" ];
+    # we work around that by manually mounting the ssh host key.
    # strictly speaking, this makes the `setupSecrets -> persist-files` dep extraneous,
    # but it's a decent safety net in case something goes wrong.
    # system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
    system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers {
      deps = [ "persist-ssh-host-keys" ];
    };
    system.activationScripts.persist-ssh-host-keys = lib.mkIf secretsForUsers (
      let
        key_dir = "/etc/ssh/host_keys";
      in ''
        mkdir -p ${key_dir}
        mount -o bind /nix/persist${key_dir} ${key_dir}
      ''
    );
  };
 }
--- a/modules/nixcache.nix
+++ b/modules/nixcache.nix
@@ -1,3 +1,13 @@
 # speed up builds from e.g. moby or lappy by having them query desko and servo first.
 # if one of these hosts is offline, instead manually specify just cachix:
 # - `nixos-rebuild --option substituters https://cache.nixos.org/`
 #
 # future improvements:
 # - apply for community arm build box:
 #   - <https://github.com/nix-community/aarch64-build-box>
 # - don't require all substituters to be online:
 #   - <https://github.com/NixOS/nix/pull/7188>
 { lib, config, ... }:
 with lib;
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  imports = [
    ./duplicity.nix
    ./nixserve.nix
  ];
 }
--- a/modules/universal/allocations.nix
+++ b/modules/universal/allocations.nix
@@ -23,6 +23,9 @@ in
    sane.allocations.greeter-uid = mkId 999;
    sane.allocations.greeter-gid = mkId 999;
    sane.allocations.freshrss-uid = mkId 2401;
    sane.allocations.freshrss-gid = mkId 2401;
    sane.allocations.colin-uid = mkId 1000;
    sane.allocations.guest-uid = mkId 1100;
@@ -31,6 +34,10 @@ in
    sane.allocations.sshd-gid = mkId 2001;  # 997
    sane.allocations.polkituser-gid = mkId 2002;  # 998
    sane.allocations.systemd-coredump-gid = mkId 2003;  # 996
    sane.allocations.nscd-uid = mkId 2004;
    sane.allocations.nscd-gid = mkId 2004;
    sane.allocations.systemd-oom-uid = mkId 2005;
    sane.allocations.systemd-oom-gid = mkId 2005;
    # found on graphical machines
    sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
--- a/modules/universal/default.nix
+++ b/modules/universal/default.nix
@@ -3,16 +3,25 @@
 {
  imports = [
    ./allocations.nix
    ./env
    ./fs.nix
    ./home-manager
    ./home-packages.nix
    ./net.nix
    ./secrets.nix
    ./ssh.nix
    ./system-packages.nix
    ./users.nix
    ./vpn.nix
  ];
  time.timeZone = "America/Los_Angeles";
  # allow `nix flake ...` command
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  # TODO: move this into home-manager?
  fonts = {
    enableDefaultFonts = true;
    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
@@ -25,9 +34,30 @@
    };
  };
-  # allow `nix flake ...` command
+  # programs.vim.defaultEditor = true;
-  nix.extraOptions = ''
+  environment.variables = {
-    experimental-features = nix-command flakes
+    EDITOR = "vim";
-  '';
+    # git claims it should use EDITOR, but it doesn't!
    GIT_EDITOR = "vim";
    # TODO: these should be moved to `home.sessionVariables` (home-manager)
    # Electron apps should use native wayland backend:
    #   https://nixos.wiki/wiki/Slack#Wayland
    # Discord under sway crashes with this.
    # NIXOS_OZONE_WL = "1";
    # LIBGL_ALWAYS_SOFTWARE = "1";
  };
  # enable zsh completions
  environment.pathsToLink = [ "/share/zsh" ];
  environment.systemPackages = with pkgs; [
    # required for pam_mount
    gocryptfs
  ];
  security.pam.mount.enable = true;
  # security.pam.mount.debugLevel = 1;
  # security.pam.enableSSHAgentAuth = true; # ??
  # needed for `allow_other` in e.g. gocryptfs mounts
  # or i guess going through mount.fuse sets suid so that's not necessary?
  # programs.fuse.userAllowOther = true;
 }
--- a/modules/universal/env/default.nix
+++ b/modules/universal/env/default.nix
@@ -1,21 +0,0 @@
 { ... }:
 {
  imports = [
    ./home-manager.nix
    ./home-packages.nix
    ./system-packages.nix
  ];
  # programs.vim.defaultEditor = true;
  environment.variables = {
    EDITOR = "vim";
    # git claims it should use EDITOR, but it doesn't!
    GIT_EDITOR = "vim";
    # Electron apps should use native wayland backend:
    #   https://nixos.wiki/wiki/Slack#Wayland
    # Discord under sway crashes with this.
    # NIXOS_OZONE_WL = "1";
  };
 }
--- a/modules/universal/env/home-manager.nix
+++ b/modules/universal/env/home-manager.nix
@@ -1,522 +0,0 @@
 # docs:
 #   https://rycee.gitlab.io/home-manager/
 #   https://rycee.gitlab.io/home-manager/options.html
 #   man home-configuration.nix
 #
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.sane.home-manager;
  vim-swap-dir = ".cache/vim-swap";
  # extract package from `extraPackages`
  pkglist = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
  # extract `dir` from `extraPackages`
  dirlist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
 in
 {
  options = {
    sane.home-manager.enable = mkOption {
      default = false;
      type = types.bool;
    };
    # packages to deploy to the user's home
    sane.home-manager.extraPackages = mkOption {
      default = [ ];
      # each entry can be either a package, or attrs:
      #   { pkg = package; dir = optional string;
      type = types.listOf (types.either types.package types.attrs);
    };
    # attributes to copy directly to home-manager's `wayland.windowManager` option
    sane.home-manager.windowManager = mkOption {
      default = {};
      type = types.attrs;
    };
    # extra attributes to include in home-manager's `programs` option
    sane.home-manager.programs = mkOption {
      default = {};
      type = types.attrs;
    };
  };
  config = lib.mkIf cfg.enable {
    sops.secrets."aerc_accounts" = {
      owner = config.users.users.colin.name;
      sopsFile = ../../../secrets/universal/aerc_accounts.conf;
      format = "binary";
    };
    sops.secrets."sublime_music_config" = {
      owner = config.users.users.colin.name;
      sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
      format = "binary";
    };
    sane.impermanence.home-dirs = [
      "archive"
      "dev"
      "records"
      "ref"
      "tmp"
      "use"
      "Music"
      "Pictures"
      "Videos"
      vim-swap-dir
    ] ++ (dirlist cfg.extraPackages);
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
      home.packages = pkglist cfg.extraPackages;
      wayland.windowManager = cfg.windowManager;
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      # XDG defines things like ~/Desktop, ~/Downloads, etc.
      # these clutter the home, so i mostly don't use them.
      xdg.userDirs = {
        enable = true;
        createDirectories = false;  # on headless systems, most xdg dirs are noise
        desktop = "$HOME/.xdg/Desktop";
        documents = "$HOME/dev";
        download = "$HOME/tmp";
        music = "$HOME/Music";
        pictures = "$HOME/Pictures";
        publicShare = "$HOME/.xdg/Public";
        templates = "$HOME/.xdg/Templates";
        videos = "$HOME/Videos";
      };
      xdg.mimeApps.enable = true;
      xdg.mimeApps.defaultApplications = {
        "text/html" = [ "librewolf.desktop" ];
        "x-scheme-handler/http" = [ "librewolf.desktop" ];
        "x-scheme-handler/https" = [ "librewolf.desktop" ];
        "x-scheme-handler/about" = [ "librewolf.desktop" ];
        "x-scheme-handler/unknown" = [ "librewolf.desktop" ];
        "image/png" = [ "org.gnome.gThumb.desktop" ];
      };
      # convenience
      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
      # nb markdown/personal knowledge manager
      home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file.".nb/.current".text = "knowledge";
      home.file.".nbrc".text = ''
        # manage with `nb settings`
        export NB_AUTO_SYNC=0
      '';
      # uBlock filter list configuration.
      # specifically, enable the GDPR cookie prompt blocker.
      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
      # this configuration method is documented here:
      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
      # the specific attribute path is found via scraping ublock code here:
      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
      home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
        {
         "name": "uBlock0@raymondhill.net",
         "description": "ignored",
         "type": "storage",
         "data": {
            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
         }
        }
      '';
      # aerc TUI mail client
      xdg.configFile."aerc/accounts.conf".source =
        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
      # sublime music player
      xdg.configFile."sublime-music/config.json".source =
        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
      xdg.configFile."vlc/vlcrc".text =
      let
        podcast_urls = lib.strings.concatStringsSep "|" [
          "https://lexfridman.com/feed/podcast/"
          ## Astral Codex Ten
          "http://feeds.libsyn.com/108018/rss"
          ## Econ Talk
          "https://feeds.simplecast.com/wgl4xEgL"
          ## Cory Doctorow
          "https://feeds.feedburner.com/doctorow_podcast"
          "https://congressionaldish.libsyn.com/rss"
          ## Civboot
          "https://anchor.fm/s/34c7232c/podcast/rss"
          "https://feeds.feedburner.com/80000HoursPodcast"
          "https://allinchamathjason.libsyn.com/rss"
          ## Eric Weinstein
          "https://rss.art19.com/the-portal"
          "https://feeds.megaphone.fm/darknetdiaries"
          "http://feeds.wnyc.org/radiolab"
          "https://wakingup.libsyn.com/rss"
          ## 99% Invisible
          "https://feeds.simplecast.com/BqbsxVfO"
          "https://rss.acast.com/ft-tech-tonic"
          "https://feeds.feedburner.com/dancarlin/history?format=xml"
        ];
      in ''
      [podcast]
      podcast-urls=${podcast_urls}
      [core]
      metadata-network-access=0
      [qt]
      qt-privacy-ask=0
      '';
      # gnome feeds RSS viewer
      xdg.configFile."org.gabmus.gfeeds.json".text = builtins.toJSON {
        feeds = {
          # AGGREGATORS (> 1 post/day)
          "https://www.lesswrong.com/feed.xml" = { tags = [ "hourly" "rat" ]; };
          "http://www.econlib.org/index.xml" = { tags = [ "hourly" "pol" ]; };
          # AGGREGATORS (< 1 post/day)
          "https://palladiummag.com/feed" = { tags = [ "weekly" "uncat" ]; };
          "https://profectusmag.com/feed" = { tags = [ "weekly" "uncat" ]; };
          "https://semiaccurate.com/feed" = { tags = [ "weekly" "tech" ]; };
          "https://linuxphoneapps.org/blog/atom.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://spectrum.ieee.org/rss" = { tags = [ "weekly" "tech" ]; };
          ## No Moods, Ads or Cutesy Fucking Icons
          "https://www.rifters.com/crawl/?feed=rss2" = { tags = [ "weekly" "uncat" ]; };
          # DEVELOPERS
          "https://mg.lol/blog/rss/" = { tags = [ "infrequent" "tech" ]; };
          ## Ken Shirriff
          "https://www.righto.com/feeds/posts/default" = { tags = [ "infrequent" "tech" ]; };
          ## Vitalik Buterin
          "https://vitalik.ca/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          ## ian (Sanctuary)
          "https://sagacioussuricata.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          ## Bunnie Juang
          "https://www.bunniestudios.com/blog/?feed=rss2" = { tags = [ "infrequent" "tech" ]; };
          "https://blog.danieljanus.pl/atom.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://ianthehenry.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://bitbashing.io/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://idiomdrottning.org/feed.xml" = { tags = [ "daily" "uncat" ]; };
          # (TECH; POL) COMMENTATORS
          "http://benjaminrosshoffman.com/feed" = { tags = [ "weekly" "pol" ]; };
          ## Ben Thompson
          "https://www.stratechery.com/rss" = { tags = [ "weekly" "pol" ]; };
          ## Balaji
          "https://balajis.com/rss" = { tags = [ "weekly" "pol" ]; };
          "https://www.ben-evans.com/benedictevans/rss.xml" = { tags = [ "weekly" "pol" ]; };
          "https://www.lynalden.com/feed" = { tags = [ "infrequent" "pol" ]; };
          "https://austinvernon.site/rss.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://oversharing.substack.com/feed" = { tags = [ "daily" "pol" ]; };
          ## David Rosenthal
          "https://blog.dshr.org/rss.xml" = { tags = [ "weekly" "pol" ]; };
          ## Matt Levine
          "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" = { tags = [ "weekly" "pol" ]; };
          # RATIONALITY/PHILOSOPHY/ETC
          "https://unintendedconsequenc.es/feed" = { tags = [ "infrequent" "rat" ]; };
          "https://applieddivinitystudies.com/atom.xml" = { tags = [ "weekly" "rat" ]; };
          "https://slimemoldtimemold.com/feed.xml" = { tags = [ "weekly" "rat" ]; };
          "https://www.richardcarrier.info/feed" = { tags = [ "weekly" "rat" ]; };
          "https://www.gwern.net/feed.xml" = { tags = [ "infrequent" "uncat" ]; };
          ## Jason Crawford
          "https://rootsofprogress.org/feed.xml" = { tags = [ "weekly" "rat" ]; };
          ## Robin Hanson
          "https://www.overcomingbias.com/feed" = { tags = [ "daily" "rat" ]; };
          ## Scott Alexander
          "https://astralcodexten.substack.com/feed.xml" = { tags = [ "daily" "rat" ]; };
          ## Paul Christiano
          "https://sideways-view.com/feed" = { tags = [ "infrequent" "rat" ]; };
          ## Sean Carroll
          "https://www.preposterousuniverse.com/rss" = { tags = [ "infrequent" "rat" ]; };
          # COMICS
          "https://www.smbc-comics.com/comic/rss" = { tags = [ "daily" "visual" ]; };
          "https://xkcd.com/atom.xml" = { tags = [ "daily" "visual" ]; };
          # ART
          "https://miniature-calendar.com/feed" = { tags = [ "daily" "visual" ]; };
        };
        dark_reader = false;
        new_first = true;
        # windowsize = {
        #   width = 350;
        #   height = 650;
        # };
        max_article_age_days = 90;
        enable_js = false;
        max_refresh_threads = 3;
        # saved_items = {};
        # read_items = [];
        show_read_items = true;
        full_article_title = true;
        # views: "webview", "reader", "rsscont"
        default_view = "rsscont";
        open_links_externally = true;
        full_feed_name = false;
        refresh_on_startup = true;
        tags = [
          # hourly => aggregator
          # daily => prolifiq writer
          # weekly => i can keep up with most -- but maybe not all -- of their content
          # infrequent => i can read everything in this category
          "hourly" "daily" "weekly" "infrequent"
          # rat[ionality] gets used interchangably with philosophy, here.
          # pol[itical] gets used for social commentary and economics as well.
          # visual gets used for comics/art
          "uncat" "rat" "tech" "pol" "visual"
        ];
        open_youtube_externally = false;
        media_player = "vlc";  # default: mpv
      };
      programs = {
        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
        zsh = {
          enable = true;
          enableSyntaxHighlighting = true;
          enableVteIntegration = true;
          dotDir = ".config/zsh";
          initExtraBeforeCompInit = ''
            # p10k instant prompt
            # run p10k configure to configure, but it can't write out its file :-(
            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
          '';
          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
          # see: https://github.com/sorin-ionescu/prezto
          prezto = {
            enable = true;
            pmodules = [
              "environment"
              "terminal"
              "editor"
              "history"
              "directory"
              "spectrum"
              "utility"
              "completion"
              "prompt"
              "git"
            ];
            prompt = {
              theme = "powerlevel10k";
            };
          };
        };
        kitty = {
          enable = true;
          # docs: https://sw.kovidgoyal.net/kitty/conf/
          settings = {
            # disable terminal bell (when e.g. you backspace too many times)
            enable_audio_bell = false;
          };
          keybindings = {
            "ctrl+n" = "new_os_window_with_cwd";
          };
          # docs: https://github.com/kovidgoyal/kitty-themes
          # theme = "1984 Light";  # dislike: awful, harsh blues/teals
          # theme = "Adventure Time";  # dislike: harsh (dark)
          # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
          # theme = "Belafonte Day";  # dislike: too low contrast for text colors
          # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
          # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
          # theme = "Desert";  # mediocre: colors are harsh
          # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
          # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
          # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
          # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
          # theme = "kanagawabones";  # better: dark theme. colors are too background-y
          # theme = "Kaolin Dark";  # dislike: too dark
          # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
          # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
          # theme = "Material"; # decent: light theme, few colors.
          # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
          # theme = "Nord";  # mediocre: pale background, low contrast
          # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
          theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
          # theme = "Parasio Dark";  # dislike: too low contrast
          # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
          # theme = "Pnevma";  # dislike: too low contrast
          # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
          # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
          # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
          # theme = "Sea Shells";  # mediocre. not all color combos are readable
          # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
          # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
          # theme = "Sourcerer";  # mediocre: ugly colors
          # theme = "Space Gray";  # mediocre: too muted
          # theme = "Space Gray Eighties";  # better: all readable, decent colors
          # theme = "Spacemacs";  # mediocre: too muted
          # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
          # theme = "Srcery";  # better: highly readable. colors are ehhh
          # theme = "Substrata";  # decent: nice colors, but a bit flat.
          # theme = "Sundried";  # mediocre: the solar text makes me squint
          # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
          # theme = "Tango Light";  # dislike: teal is too grating
          # theme = "Tokyo Night Day";  # medicore: too muted
          # theme = "Tokyo Night";  # better: tasteful. a bit flat
          # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
          # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
          # theme = "Urple";  # dislike: weird palette
          # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
          # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
          # theme = "Xcodedark";  # dislike: bad palette
          # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
          # theme = "neobones_light"; # better light theme. the background is maybe too muted
          # theme = "vimbones";
          # theme = "zenbones_dark";  # mediocre: readable, but meh colors
          # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
          # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
          # extraConfig = "";
        };
        git = {
          enable = true;
          userName = "colin";
          userEmail = "colin@uninsane.org";
        };
        neovim = {
          # neovim: https://github.com/neovim/neovim
          enable = true;
          viAlias = true;
          vimAlias = true;
          plugins = with pkgs.vimPlugins; [
            # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
            # docs: vim-surround: https://github.com/tpope/vim-surround
            vim-surround
            # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
            fzf-vim
            # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
            ({
              plugin = tex-conceal-vim;
              type = "viml";
              config = ''
                " present prettier fractions
                let g:tex_conceal_frac=1
              '';
            })
            ({
              plugin = vim-SyntaxRange;
              type = "viml";
              config = ''
                " enable markdown-style codeblock highlighting for tex code
                autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
                " autocmd Syntax tex set conceallevel=2
              '';
            })
            # nabla renders inline math in any document, but it's buggy.
            #   https://github.com/jbyuki/nabla.nvim
            # ({
            #   plugin = pkgs.nabla;
            #   type = "lua";
            #   config = ''
            #     require'nabla'.enable_virt()
            #   '';
            # })
            # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
            # docs: https://github.com/nvim-treesitter/nvim-treesitter
            # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
            # this is required for tree-sitter to even highlight
            ({
              plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
              type = "lua";
              config = ''
                require'nvim-treesitter.configs'.setup {
                  highlight = {
                    enable = true,
                    -- disable treesitter on Rust so that we can use SyntaxRange
                    -- and leverage TeX rendering in rust projects
                    disable = { "rust", "tex", "latex" },
                    -- disable = { "tex", "latex" },
                    -- true to also use builtin vim syntax highlighting when treesitter fails
                    additional_vim_regex_highlighting = false
                  },
                  incremental_selection = {
                    enable = true,
                    keymaps = {
                      init_selection = "gnn",
                      node_incremental = "grn",
                      mcope_incremental = "grc",
                      node_decremental = "grm"
                    }
                  },
                  indent = {
                    enable = true,
                    disable = {}
                  }
                }
                vim.o.foldmethod = 'expr'
                vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
              '';
            })
          ];
          extraConfig = ''
            " copy/paste to system clipboard
            set clipboard=unnamedplus
            " screw tabs; always expand them into spaces
            set expandtab
            " at least don't open files with sections folded by default
            set nofoldenable
            " allow text substitutions for certain glyphs.
            " higher number = more aggressive substitution (0, 1, 2, 3)
            " i only make use of this for tex, but it's unclear how to
            " apply that *just* to tex and retain the SyntaxRange stuff.
            set conceallevel=2
            " horizontal rule under the active line
            " set cursorline
            " highlight trailing space & related syntax errors (doesn't seem to work??)
            " let c_space_errors=1
            " let python_space_errors=1
            " enable highlighting of leading/trailing spaces,
            " and especially tabs
            " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
            set list
            set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
          '';
        };
        # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
        firefox = lib.mkIf (sysconfig.sane.gui.enable) {
          enable = true;
          package = import ./web-browser.nix pkgs;
        };
        # "command not found" will cause the command to be searched in nixpkgs
        nix-index.enable = true;
      } // cfg.programs;
      home.shellAliases = {
        ":q" = "exit";
        # common typos
        "cd.." = "cd ..";
        "cd../" = "cd ../";
      };
    };
  };
 }
--- a/modules/universal/env/web-browser.nix
+++ b/modules/universal/env/web-browser.nix
@@ -1,55 +0,0 @@
 pkgs:
 # common settings to toggle (at runtime, in about:config):
 #   > security.ssl.require_safe_negotiation
 # librewolf is a forked firefox which patches firefox to allow more things
 # (like default search engines) to be configurable at runtime.
 # many of the settings below won't have effect without those patches.
 # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
 pkgs.wrapFirefox pkgs.librewolf-unwrapped {
  # inherit the default librewolf.cfg
  # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
  inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
  libName = "librewolf";
  extraPolicies = {
    NoDefaultBookmarks = true;
    SearchEngines = {
      Default = "DuckDuckGo";
    };
    AppUpdateURL = "https://localhost";
    DisableAppUpdate = true;
    OverrideFirstRunPage = "";
    OverridePostUpdatePage = "";
    DisableSystemAddonUpdate = true;
    DisableFirefoxStudies = true;
    DisableTelemetry = true;
    DisableFeedbackCommands = true;
    DisablePocket = true;
    DisableSetDesktopBackground = false;
    Extensions = {
      Install = [
        "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
      ];
      # remove many default search providers
      Uninstall = [
        "google@search.mozilla.org"
        "bing@search.mozilla.org"
        "amazondotcom@search.mozilla.org"
        "ebay@search.mozilla.org"
        "twitter@search.mozilla.org"
      ];
    };
    # XXX doesn't seem to have any effect...
    # docs: https://github.com/mozilla/policy-templates#homepage
    # Homepage = {
    #   HomepageURL = "https://uninsane.org/";
    #   StartPage = "homepage";
    # };
    # NewTabPage = true;
  };
 }
--- a/modules/universal/fs.nix
+++ b/modules/universal/fs.nix
@@ -28,31 +28,37 @@ in
    device = "colin@uninsane.org:/var/lib/uninsane/media";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
    noCheck = true;
  };
  fileSystems."/mnt/servo-media-lan" = {
    device = "colin@servo:/var/lib/uninsane/media";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
    noCheck = true;
  };
  fileSystems."/mnt/servo-root-wan" = {
    device = "colin@uninsane.org:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
    noCheck = true;
  };
  fileSystems."/mnt/servo-root-lan" = {
    device = "colin@servo:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
    noCheck = true;
  };
  fileSystems."/mnt/desko-home" = {
    device = "colin@desko:/home/colin";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
    noCheck = true;
  };
  fileSystems."/mnt/desko-root" = {
    device = "colin@desko:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
    noCheck = true;
  };
  environment.systemPackages = [
--- a/modules/universal/home-manager/aerc.nix
+++ b/modules/universal/home-manager/aerc.nix
@@ -0,0 +1,14 @@
 # Terminal UI mail client
 { config, ... }:
 {
  sops.secrets."aerc_accounts" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
    format = "binary";
  };
  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
    # aerc TUI mail client
    xdg.configFile."aerc/accounts.conf".source =
      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
  };
 }
--- a/modules/universal/home-manager/default.nix
+++ b/modules/universal/home-manager/default.nix
@@ -0,0 +1,218 @@
 # docs:
 #   https://rycee.gitlab.io/home-manager/
 #   https://rycee.gitlab.io/home-manager/options.html
 #   man home-configuration.nix
 #
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.sane.home-manager;
  # extract package from `extraPackages`
  pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
  # extract `dir` from `extraPackages`
  dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
  private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
  feeds = import ./feeds.nix { inherit lib; };
 in
 {
  imports = [
    ./aerc.nix
    ./discord.nix
    ./git.nix
    ./kitty.nix
    ./librewolf.nix
    ./mpv.nix
    ./nb.nix
    ./neovim.nix
    ./ssh.nix
    ./sublime-music.nix
    ./vlc.nix
    ./zsh.nix
  ];
  options = {
    # packages to deploy to the user's home
    sane.home-manager.extraPackages = mkOption {
      default = [ ];
      # each entry can be either a package, or attrs:
      #   { pkg = package; dir = optional string;
      type = types.listOf (types.either types.package types.attrs);
    };
    # attributes to copy directly to home-manager's `wayland.windowManager` option
    sane.home-manager.windowManager = mkOption {
      default = {};
      type = types.attrs;
    };
    # extra attributes to include in home-manager's `programs` option
    sane.home-manager.programs = mkOption {
      default = {};
      type = types.attrs;
    };
  };
  config = {
    sane.impermanence.home-dirs = [
      "archive"
      "dev"
      "records"
      "ref"
      "tmp"
      "use"
      "Music"
      "Pictures"
      "Videos"
    ] ++ (dir-list cfg.extraPackages);
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
      # run `home-manager-help` to access manpages
      # or `man home-configuration.nix`
      manual.html.enable = false;  # TODO: set to true later (build failure)
      manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
      home.packages = pkg-list cfg.extraPackages;
      wayland.windowManager = cfg.windowManager;
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      home.activation = {
        initKeyring = {
          after = ["writeBoundary"];
          before = [];
          data = "${../../../scripts/init-keyring}";
        };
      };
      home.file = let
        privates = builtins.listToAttrs (
          builtins.map (path: {
            name = path;
            value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
          })
          (private-list cfg.extraPackages)
        );
      in {
        # convenience
        "knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
        "nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
        "Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
        "Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
        "Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
        # used by password managers, e.g. unix `pass`
        ".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
      } // privates;
      # XDG defines things like ~/Desktop, ~/Downloads, etc.
      # these clutter the home, so i mostly don't use them.
      xdg.userDirs = {
        enable = true;
        createDirectories = false;  # on headless systems, most xdg dirs are noise
        desktop = "$HOME/.xdg/Desktop";
        documents = "$HOME/dev";
        download = "$HOME/tmp";
        music = "$HOME/Music";
        pictures = "$HOME/Pictures";
        publicShare = "$HOME/.xdg/Public";
        templates = "$HOME/.xdg/Templates";
        videos = "$HOME/Videos";
      };
      # the xdg mime type for a file can be found with:
      # - `xdg-mime query filetype path/to/thing.ext`
      xdg.mimeApps.enable = true;
      xdg.mimeApps.defaultApplications = let
        www = "librewolf.desktop";
        pdf = "org.gnome.Evince.desktop";
        md = "obsidian.desktop";
        thumb = "org.gnome.gThumb.desktop";
        video = "vlc.desktop";
        # audio = "mpv.desktop";
        audio = "vlc.desktop";
      in {
        # HTML
        "text/html" = [ www ];
        "x-scheme-handler/http" = [ www ];
        "x-scheme-handler/https" = [ www ];
        "x-scheme-handler/about" = [ www ];
        "x-scheme-handler/unknown" = [ www ];
        # RICH-TEXT DOCUMENTS
        "application/pdf" = [ pdf ];
        "text/markdown" = [ md ];
        # IMAGES
        "image/heif" = [ thumb ];  # apple codec
        "image/png" = [ thumb ];
        "image/jpeg" = [ thumb ];
        # VIDEO
        "video/mp4" = [ video ];
        "video/quicktime" = [ video ];
        "video/x-matroska" = [ video ];
        # AUDIO
        "audio/flac" = [ audio ];
        "audio/mpeg" = [ audio ];
        "audio/x-vorbis+ogg" = [ audio ];
      };
      xdg.configFile."gpodderFeeds.opml".text = with feeds;
        feedsToOpml feeds.podcasts;
      # news-flash RSS viewer
      xdg.configFile."newsflashFeeds.opml".text = with feeds;
        feedsToOpml (feeds.texts ++ feeds.images);
      # gnome feeds RSS viewer
      xdg.configFile."org.gabmus.gfeeds.json".text =
      let
        myFeeds = feeds.texts ++ feeds.images;
      in builtins.toJSON {
        # feed format is a map from URL to a dict,
        #   with dict["tags"] a list of string tags.
        feeds = builtins.foldl' (acc: feed: acc // {
          "${feed.url}".tags = [ feed.cat feed.freq ];
        }) {} myFeeds;
        dark_reader = false;
        new_first = true;
        # windowsize = {
        #   width = 350;
        #   height = 650;
        # };
        max_article_age_days = 90;
        enable_js = false;
        max_refresh_threads = 3;
        # saved_items = {};
        # read_items = [];
        show_read_items = true;
        full_article_title = true;
        # views: "webview", "reader", "rsscont"
        default_view = "rsscont";
        open_links_externally = true;
        full_feed_name = false;
        refresh_on_startup = true;
        tags = lib.lists.unique (
          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
        );
        open_youtube_externally = false;
        media_player = "vlc";  # default: mpv
      };
      programs = {
        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
        # "command not found" will cause the command to be searched in nixpkgs
        nix-index.enable = true;
      } // cfg.programs;
    };
  };
 }
--- a/modules/universal/home-manager/discord.nix
+++ b/modules/universal/home-manager/discord.nix
@@ -0,0 +1,10 @@
 { ... }:
 {
  # TODO: this should only be enabled on gui devices
  # make Discord usable even when client is "outdated"
  home-manager.users.colin.xdg.configFile."discord/settings.json".text = ''
    {
      "SKIP_HOST_UPDATE": true
    }
  '';
 }
--- a/modules/universal/home-manager/feeds.nix
+++ b/modules/universal/home-manager/feeds.nix
@@ -0,0 +1,182 @@
 { lib }:
 let
  hourly = { freq = "hourly"; };
  daily = { freq = "daily"; };
  weekly = { freq = "weekly"; };
  infrequent = { freq = "infrequent"; };
  art = { cat = "art"; };
  humor = { cat = "humor"; };
  pol = { cat = "pol"; };  # or maybe just "social"
  rat = { cat = "rat"; };
  tech = { cat = "tech"; };
  uncat = { cat = "uncat"; };
  text = { format = "text"; };
  image = { format = "image"; };
  podcast = { format = "podcast"; };
  mkRss = format: url: { inherit url format; } // uncat // infrequent;
  # format-specific helpers
  mkText = mkRss text;
  mkImg = mkRss image;
  mkPod = mkRss podcast;
  # host-specific helpers
  mkSubstack = subdomain: mkText "https://${subdomain}.substack.com/feed";
  # merge the attrs `new` into each value of the attrs `addTo`
  addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
  # for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
  withInverseMapping = key: attrs: builtins.mapAttrs (k: v: v // { "${key}" = k; }) attrs;
 in rec {
  podcasts = [
    (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
    ## Astral Codex Ten
    (mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
    ## Econ Talk
    (mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
    ## Cory Doctorow
    (mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
    (mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
    ## Civboot
    (mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
    (mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
    (mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
    (mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
    (mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
    ## The Daily
    (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
    (mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
    (mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
    ## Eric Weinstein
    (mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
    (mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
    (mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
    (mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
    ## 99% Invisible
    (mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
    (mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
    (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
    ## 60 minutes (NB: this features more than *just* audio?)
    (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
  ];
  texts = [
    # AGGREGATORS (> 1 post/day)
    (mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
    (mkText "http://www.econlib.org/index.xml" // pol // hourly)
    # AGGREGATORS (< 1 post/day)
    (mkText "https://palladiummag.com/feed" // uncat // weekly)
    (mkText "https://profectusmag.com/feed" // uncat // weekly)
    (mkText "https://semiaccurate.com/feed" // tech // weekly)
    (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
    (mkText "https://spectrum.ieee.org/rss" // tech // weekly)
    ## No Moods, Ads or Cutesy Fucking Icons
    (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
    # DEVELOPERS
    (mkText "https://uninsane.org/atom.xml" // infrequent // tech)
    (mkText "https://mg.lol/blog/rss/" // infrequent // tech)
    ## Ken Shirriff
    (mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
    ## Vitalik Buterin
    (mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
    ## ian (Sanctuary)
    (mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
    ## Bunnie Juang
    (mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
    (mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
    (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
    (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
    (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
    (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
    # (TECH; POL) COMMENTATORS
    (mkSubstack "edwardsnowden" // pol // infrequent)
    (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
    ## Ben Thompson
    (mkText "https://www.stratechery.com/rss" // pol // weekly)
    ## Balaji
    (mkText "https://balajis.com/rss" // pol // weekly)
    (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
    (mkText "https://www.lynalden.com/feed" // pol // infrequent)
    (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
    (mkSubstack "oversharing" // pol // daily)
    (mkSubstack "doomberg" // tech // weekly)
    ## David Rosenthal
    (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
    ## Matt Levine
    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
    # RATIONALITY/PHILOSOPHY/ETC
    (mkSubstack "samkriss" // humor // infrequent)
    (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
    (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
    (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
    (mkText "https://www.richardcarrier.info/feed" // rat // weekly)
    (mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
    ## Jason Crawford
    (mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
    ## Robin Hanson
    (mkText "https://www.overcomingbias.com/feed" // rat // daily)
    ## Scott Alexander
    (mkSubstack "astralcodexten" // rat // daily)
    ## Paul Christiano
    (mkText "https://sideways-view.com/feed" // rat // infrequent)
    ## Sean Carroll
    (mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
    # CODE
    (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
  ];
  images = [
    (mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
    (mkImg "https://xkcd.com/atom.xml" // humor // daily)
    (mkImg "http://dilbert.com/feed" // humor // daily)
    # ART
    (mkImg "https://miniature-calendar.com/feed" // art // daily)
  ];
  all = texts ++ images ++ podcasts;
  # return only the feed items which match this category (e.g. "tech")
  filterCat = cat: feeds: builtins.filter (item: item.cat == cat) feeds;
  # return only the feed items which match this format (e.g. "podcast")
  filterFormat = format: feeds: builtins.filter (item: item.format == format) feeds;
  # transform a list of feeds into an attrs mapping cat => [ feed0 feed1 ... ]
  partitionByCat = feeds: builtins.groupBy (f: f.cat) feeds;
  # represents a single RSS feed.
  opmlTerminal = feed: ''<outline xmlUrl="${feed.url}" type="rss"/>'';
  # a list of RSS feeds.
  opmlTerminals = feeds: lib.strings.concatStringsSep "\n" (builtins.map opmlTerminal feeds);
  # one node which packages some flat grouping of terminals.
  opmlGroup = title: feeds: ''
    <outline text="${title}" title="${title}">
      ${opmlTerminals feeds}
    </outline>
  '';
  # a list of groups (`groupMap` is an attrs mapping groupName => [ feed0 feed1 ... ]).
  opmlGroups = groupMap: lib.strings.concatStringsSep "\n" (
    builtins.attrValues (builtins.mapAttrs opmlGroup groupMap)
  );
  # top-level OPML file which could be consumed by something else.
  opmlTopLevel = body: ''
    <?xml version="1.0" encoding="utf-8"?>
    <opml version="2.0">
      <body>
        ${body}
      </body>
    </opml>
  '';
  # **primary API**: generate a OPML file from the provided feeds
  feedsToOpml = feeds: opmlTopLevel (opmlGroups (partitionByCat feeds));
 }
--- a/modules/universal/home-manager/git.nix
+++ b/modules/universal/home-manager/git.nix
@@ -0,0 +1,18 @@
 { pkgs, ... }:
 {
  home-manager.users.colin.programs.git = {
    enable = true;
    userName = "colin";
    userEmail = "colin@uninsane.org";
    aliases = { co = "checkout"; };
    extraConfig = {
      # difftastic docs:
      # - <https://difftastic.wilfred.me.uk/git.html>
      diff.tool = "difftastic";
      difftool.prompt = false;
      "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
      # now run `git difftool` to use difftastic git
    };
  };
 }
--- a/modules/universal/home-manager/kitty.nix
+++ b/modules/universal/home-manager/kitty.nix
@@ -0,0 +1,69 @@
 { ... }:
 {
  home-manager.users.colin.programs.kitty = {
    enable = true;
    # docs: https://sw.kovidgoyal.net/kitty/conf/
    settings = {
      # disable terminal bell (when e.g. you backspace too many times)
      enable_audio_bell = false;
    };
    keybindings = {
      "ctrl+n" = "new_os_window_with_cwd";
    };
    # docs: https://github.com/kovidgoyal/kitty-themes
    # theme = "1984 Light";  # dislike: awful, harsh blues/teals
    # theme = "Adventure Time";  # dislike: harsh (dark)
    # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
    # theme = "Belafonte Day";  # dislike: too low contrast for text colors
    # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
    # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
    # theme = "Desert";  # mediocre: colors are harsh
    # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
    # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
    # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
    # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
    # theme = "kanagawabones";  # better: dark theme. colors are too background-y
    # theme = "Kaolin Dark";  # dislike: too dark
    # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
    # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
    # theme = "Material"; # decent: light theme, few colors.
    # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
    # theme = "Nord";  # mediocre: pale background, low contrast
    # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
    theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
    # theme = "Parasio Dark";  # dislike: too low contrast
    # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
    # theme = "Pnevma";  # dislike: too low contrast
    # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
    # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
    # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
    # theme = "Sea Shells";  # mediocre. not all color combos are readable
    # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
    # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
    # theme = "Sourcerer";  # mediocre: ugly colors
    # theme = "Space Gray";  # mediocre: too muted
    # theme = "Space Gray Eighties";  # better: all readable, decent colors
    # theme = "Spacemacs";  # mediocre: too muted
    # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
    # theme = "Srcery";  # better: highly readable. colors are ehhh
    # theme = "Substrata";  # decent: nice colors, but a bit flat.
    # theme = "Sundried";  # mediocre: the solar text makes me squint
    # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
    # theme = "Tango Light";  # dislike: teal is too grating
    # theme = "Tokyo Night Day";  # medicore: too muted
    # theme = "Tokyo Night";  # better: tasteful. a bit flat
    # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
    # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
    # theme = "Urple";  # dislike: weird palette
    # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
    # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
    # theme = "Xcodedark";  # dislike: bad palette
    # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
    # theme = "neobones_light"; # better light theme. the background is maybe too muted
    # theme = "vimbones";
    # theme = "zenbones_dark";  # mediocre: readable, but meh colors
    # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
    # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
    # extraConfig = "";
  };
 }
--- a/modules/universal/home-manager/librewolf.nix
+++ b/modules/universal/home-manager/librewolf.nix
@@ -0,0 +1,102 @@
 # common settings to toggle (at runtime, in about:config):
 #   > security.ssl.require_safe_negotiation
 # librewolf is a forked firefox which patches firefox to allow more things
 # (like default search engines) to be configurable at runtime.
 # many of the settings below won't have effect without those patches.
 # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
 { config, lib, pkgs, ...}:
 let
  package = pkgs.wrapFirefox pkgs.librewolf-unwrapped {
    # inherit the default librewolf.cfg
    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
    libName = "librewolf";
    extraNativeMessagingHosts = [ pkgs.browserpass ];
    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
    extraPolicies = {
      NoDefaultBookmarks = true;
      SearchEngines = {
        Default = "DuckDuckGo";
      };
      AppUpdateURL = "https://localhost";
      DisableAppUpdate = true;
      OverrideFirstRunPage = "";
      OverridePostUpdatePage = "";
      DisableSystemAddonUpdate = true;
      DisableFirefoxStudies = true;
      DisableTelemetry = true;
      DisableFeedbackCommands = true;
      DisablePocket = true;
      DisableSetDesktopBackground = false;
      Extensions = {
        Install = let
          addon = pkg: addonId: "${pkg}/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/${addonId}.xpi";
        in with pkgs.firefox-addons; [
          # the extension key is found by building and checking the output: `nix build '.#rycee.firefox-addons.<foo>'`
          # or by taking the `addonId` input to `buildFirefoxXpiAddon` in rycee's firefox-addons repo
          (addon ublock-origin "uBlock0@raymondhill.net")
          (addon sponsorblock "sponsorBlocker@ajay.app")
          (addon bypass-paywalls-clean "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}")
          (addon sidebery "{3c078156-979c-498b-8990-85f7987dd929}")
          (addon browserpass "browserpass@maximbaz.com")
          (addon metamask "webextension@metamask.io")
          # extensions can alternatively be installed by URL, in which case they are fetched (and cached) on first run.
          # "https://addons.mozilla.org/firefox/downloads/latest/gopass-bridge/latest.xpi"
        ];
        # remove many default search providers
        Uninstall = [
          "google@search.mozilla.org"
          "bing@search.mozilla.org"
          "amazondotcom@search.mozilla.org"
          "ebay@search.mozilla.org"
          "twitter@search.mozilla.org"
        ];
      };
      # XXX doesn't seem to have any effect...
      # docs: https://github.com/mozilla/policy-templates#homepage
      # Homepage = {
      #   HomepageURL = "https://uninsane.org/";
      #   StartPage = "homepage";
      # };
      # NewTabPage = true;
    };
  };
 in
 {
  # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
  home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
    programs.firefox = {
      enable = true;
      inherit package;
    };
    # uBlock filter list configuration.
    # specifically, enable the GDPR cookie prompt blocker.
    # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
    # this configuration method is documented here:
    # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
    # the specific attribute path is found via scraping ublock code here:
    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
    home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
      {
       "name": "uBlock0@raymondhill.net",
       "description": "ignored",
       "type": "storage",
       "data": {
          "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
       }
      }
    '';
    home.file.".librewolf/librewolf.overrides.cfg".text = ''
      // if we can't query the revocation status of a SSL cert because the issuer is offline,
      // treat it as unrevoked.
      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
      defaultPref("security.OCSP.require", false);
    '';
  };
 }
--- a/modules/universal/home-manager/mpv.nix
+++ b/modules/universal/home-manager/mpv.nix
@@ -0,0 +1,11 @@
 { ... }:
 {
  home-manager.users.colin.programs.mpv = {
    enable = true;
    config = {
      save-position-on-quit = true;
      keep-open = "yes";
    };
  };
 }
--- a/modules/universal/home-manager/nb.nix
+++ b/modules/universal/home-manager/nb.nix
@@ -0,0 +1,24 @@
 # nb is a CLI-drive Personal Knowledge Manager
 # - <https://xwmx.github.io/nb/>
 #
 # it's pretty opinionated:
 # - autocommits (to git) excessively (disable-able)
 # - inserts its own index files to give deterministic names to files
 #
 # it offers a primitive web-server
 # and it offers some CLI query tools
 { lib, pkgs, ... }: lib.mkIf false  # XXX disabled!
 {
  sane.home-manager.extraPackages = [ pkgs.nb ];
  home-manager.users.colin = { config, ... }: {
    # nb markdown/personal knowledge manager
    home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
    home.file.".nb/.current".text = "knowledge";
    home.file.".nbrc".text = ''
      # manage with `nb settings`
      export NB_AUTO_SYNC=0
    '';
  };
 }
--- a/modules/universal/home-manager/neovim.nix
+++ b/modules/universal/home-manager/neovim.nix
@@ -0,0 +1,115 @@
 { pkgs, ... }:
 {
  sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
  home-manager.users.colin.programs.neovim = {
    # neovim: https://github.com/neovim/neovim
    enable = true;
    viAlias = true;
    vimAlias = true;
    plugins = with pkgs.vimPlugins; [
      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
      # docs: vim-surround: https://github.com/tpope/vim-surround
      vim-surround
      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
      fzf-vim
      # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
      ({
        plugin = tex-conceal-vim;
        type = "viml";
        config = ''
          " present prettier fractions
          let g:tex_conceal_frac=1
        '';
      })
      ({
        plugin = vim-SyntaxRange;
        type = "viml";
        config = ''
          " enable markdown-style codeblock highlighting for tex code
          autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
          " autocmd Syntax tex set conceallevel=2
        '';
      })
      # nabla renders inline math in any document, but it's buggy.
      #   https://github.com/jbyuki/nabla.nvim
      # ({
      #   plugin = pkgs.nabla;
      #   type = "lua";
      #   config = ''
      #     require'nabla'.enable_virt()
      #   '';
      # })
      # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
      # docs: https://github.com/nvim-treesitter/nvim-treesitter
      # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
      # this is required for tree-sitter to even highlight
      ({
        plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
        type = "lua";
        config = ''
          require'nvim-treesitter.configs'.setup {
            highlight = {
              enable = true,
              -- disable treesitter on Rust so that we can use SyntaxRange
              -- and leverage TeX rendering in rust projects
              disable = { "rust", "tex", "latex" },
              -- disable = { "tex", "latex" },
              -- true to also use builtin vim syntax highlighting when treesitter fails
              additional_vim_regex_highlighting = false
            },
            incremental_selection = {
              enable = true,
              keymaps = {
                init_selection = "gnn",
                node_incremental = "grn",
                mcope_incremental = "grc",
                node_decremental = "grm"
              }
            },
            indent = {
              enable = true,
              disable = {}
            }
          }
          vim.o.foldmethod = 'expr'
          vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
        '';
      })
    ];
    extraConfig = ''
      " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
      " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
      set mouse=
      " copy/paste to system clipboard
      set clipboard=unnamedplus
      " screw tabs; always expand them into spaces
      set expandtab
      " at least don't open files with sections folded by default
      set nofoldenable
      " allow text substitutions for certain glyphs.
      " higher number = more aggressive substitution (0, 1, 2, 3)
      " i only make use of this for tex, but it's unclear how to
      " apply that *just* to tex and retain the SyntaxRange stuff.
      set conceallevel=2
      " horizontal rule under the active line
      " set cursorline
      " highlight trailing space & related syntax errors (doesn't seem to work??)
      " let c_space_errors=1
      " let python_space_errors=1
      " enable highlighting of leading/trailing spaces,
      " and especially tabs
      " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
      set list
      set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
    '';
  };
 }
--- a/modules/universal/home-manager/ssh.nix
+++ b/modules/universal/home-manager/ssh.nix
@@ -0,0 +1,18 @@
 { config, pkgs, ... }:
 {
  home-manager.users.colin = let
    host = config.networking.hostName;
    user_pubkey = (import ../pubkeys.nix).users."${host}";
    known_hosts_text = builtins.concatStringsSep
      "\n"
      (builtins.attrValues (import ../pubkeys.nix).hosts);
  in { config, ...}: {
    # ssh key is stored in private storage
    home.file.".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/.ssh/id_ed25519";
    home.file.".ssh/id_ed25519.pub".text = user_pubkey;
    programs.ssh.enable = true;
    # this optionally accepts multiple known_hosts paths, separated by space.
    programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
  };
 }
--- a/modules/universal/home-manager/sublime-music.nix
+++ b/modules/universal/home-manager/sublime-music.nix
@@ -0,0 +1,14 @@
 { config, ... }:
 {
  # TODO: this should only be shipped on gui platforms
  sops.secrets."sublime_music_config" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
    format = "binary";
  };
  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
    # sublime music player
    xdg.configFile."sublime-music/config.json".source =
      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
  };
 }
--- a/modules/universal/home-manager/vlc.nix
+++ b/modules/universal/home-manager/vlc.nix
@@ -0,0 +1,17 @@
 { lib, ... }:
 {
  home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
  let
    feeds = import ./feeds.nix { inherit lib; };
    podcastUrls = lib.strings.concatStringsSep "|" (
      builtins.map (feed: feed.url) feeds.podcasts
    );
  in ''
    [podcast]
    podcast-urls=${podcastUrls}
    [core]
    metadata-network-access=0
    [qt]
    qt-privacy-ask=0
  '';
 }
--- a/modules/universal/home-manager/zsh.nix
+++ b/modules/universal/home-manager/zsh.nix
@@ -0,0 +1,61 @@
 { ... }:
 {
  # we don't need to full zsh dir -- just the history file --
  # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
  sane.impermanence.home-dirs = [ ".local/share/zsh" ];
  home-manager.users.colin.programs.zsh = {
    enable = true;
    enableSyntaxHighlighting = true;
    enableVteIntegration = true;
    history.ignorePatterns = [ "rm *" ];
    dotDir = ".config/zsh";
    history.path = "/home/colin/.local/share/zsh/history";
    initExtraBeforeCompInit = ''
      # p10k instant prompt
      # run p10k configure to configure, but it can't write out its file :-(
      POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
    '';
    initExtra = ''
      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
      autoload -Uz zmv
      # disable `rm *` confirmations
      setopt rmstarsilent
      function nd() {
        mkdir -p "$1";
        pushd "$1";
      }
    '';
    # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
    # see: https://github.com/sorin-ionescu/prezto
    prezto = {
      enable = true;
      pmodules = [
        "environment"
        "terminal"
        "editor"
        "history"
        "directory"
        "spectrum"
        "utility"
        "completion"
        "prompt"
        "git"
      ];
      prompt.theme = "powerlevel10k";
      utility.safeOps = false;  # disable `mv` confirmation (and supposedly `rm`, too)
    };
  };
  home-manager.users.colin.home.shellAliases = {
    ":q" = "exit";
    # common typos
    "cd.." = "cd ..";
    "cd../" = "cd ../";
  };
 }
--- a/modules/universal/env/home-packages.nix
+++ b/modules/universal/env/home-packages.nix
@@ -6,15 +6,19 @@ let
  cfg = config.sane.home-packages;
  universalPkgs = [
    backblaze-b2
    cdrtools
    duplicity
    gnupg
    gocryptfs
    gopass
    gopass-jsonapi
    ifuse
    ipfs
    libimobiledevice
    libsecret  # for managing user keyrings
    lm_sensors  # for sensors-detect
    lshw
    ffmpeg
    nb
    networkmanager
    nixpkgs-review
    # nixos-generators
@@ -24,14 +28,16 @@ let
    # ponymix
    pulsemixer
    python3
-    rmlint
+    # python3Packages.eyeD3  # music tagging
    sane-scripts
    sequoia
    snapper
    sops
    speedtest-cli
    sqlite  # to debug sqlite3 databases
    ssh-to-age
    sudo
    # tageditor  # music tagging
    unar
    visidata
    w3m
@@ -44,18 +50,27 @@ let
    # GUI only
    aerc  # email client
    audacity
    celluloid  # mpv frontend
    chromium
    clinfo
    electrum
    # creds/session keys, etc
-    { pkg = element-desktop; dir = ".config/Element"; }
+    { pkg = element-desktop; private = ".config/Element"; }
    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    evince  # works on phosh
-    fluffychat
+
    # { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
    foliate
    font-manager
    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
    # then reboot (so that libsecret daemon re-loads the keyring...?)
    { pkg = fractal-next; private = ".local/share/fractal"; }
    gimp  # broken on phosh
    gnome.cheese
    gnome.dconf-editor
@@ -64,20 +79,35 @@ let
    gnome.gnome-disk-utility
    gnome.gnome-maps  # works on phosh
    gnome.nautilus
-    gnome-podcasts
+    # gnome-podcasts
    gnome.gnome-system-monitor
    gnome.gnome-terminal  # works on phosh
    gnome.gnome-weather
    { pkg = gpodder-configured; dir = "gPodder/Downloads"; }
    gthumb
    handbrake
    inkscape
    kid3  # audio tagging
    krita
    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
    lollypop
    mesa-demos
    { pkg = mpv; dir = ".config/mpv/watch_later"; }
    networkmanagerapplet
    # not strictly necessary, but allows caching articles; offline use, etc.
    { pkg = newsflash; dir = ".local/share/news-flash"; }
    # settings (electron app). TODO: can i manage these settings with home-manager?
    { pkg = obsidian; dir = ".config/obsidian"; }
    pavucontrol
    picard  # music tagging
    playerctl
    soundconverter
    # sublime music persists any downloaded albums here.
@@ -86,8 +116,14 @@ let
    #   possible to pass config as a CLI arg (sublime-music -c config.json)
    { pkg = sublime-music; dir = ".local/share/sublime-music"; }
    tdesktop  # broken on phosh
-    vlc  # works on phosh
+
    tokodon
    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
    { pkg = vlc; dir = ".config/vlc"; }
    whalebird # pleroma client. input is broken on phosh
    xdg-utils  # for xdg-open
    xterm  # broken on phosh
  ]
  ++ (if pkgs.system == "x86_64-linux" then
@@ -125,16 +161,19 @@ let
  ] else []);
  # useful devtools:
-  # bison
+  devPkgs = [
-  # dtc
+    bison
-  # flex
+    dtc
-  # gcc
+    flex
    gcc
    gdb
    # gcc-arm-embedded
    # gcc_multi
-  # gnumake
+    gnumake
-  # mix2nix
+    mix2nix
-  # rustup
+    rustup
-  # swig
+    swig
  ];
 in
 {
  options = {
@@ -142,9 +181,18 @@ in
      default = false;
      type = types.bool;
    };
    sane.home-packages.enableDevPkgs = mkOption {
      description = ''
        enable packages that are useful for building other software by hand.
        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
      '';
      default = false;
      type = types.bool;
    };
  };
  config = {
    sane.home-manager.extraPackages = universalPkgs
-      ++ (if cfg.enableGuiPkgs then guiPkgs else []);
+      ++ (if cfg.enableGuiPkgs then guiPkgs else [])
      ++ (if cfg.enableDevPkgs then devPkgs else []);
  };
 }
--- a/modules/universal/net.nix
+++ b/modules/universal/net.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:
 {
  # if using router's DNS, these mappings will already exist.
@@ -8,5 +8,72 @@
    "192.168.0.5" = [ "servo" ];
    "192.168.0.20" = [ "lappy" ];
    "192.168.0.22" = [ "desko" ];
    "192.168.0.48" = [ "moby" ];
  };
  # the default backend is "wpa_supplicant".
  # wpa_supplicant reliably picks weak APs to connect to.
  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
  # iwd is an alternative that shouldn't have this problem
  # docs:
  # - <https://nixos.wiki/wiki/Iwd>
  # - <https://iwd.wiki.kernel.org/networkmanager>
  # - `man iwd.config`  for global config
  # - `man iwd.network` for per-SSID config
  # use `iwctl` to control
  networking.networkmanager.wifi.backend = "iwd";
  networking.wireless.iwd.enable = true;
  networking.wireless.iwd.settings = {
    # auto-connect to a stronger network if signal drops below this value
    # bedroom -> bedroom connection is -35 to -40 dBm
    # bedroom -> living room connection is -60 dBm
    General.RoamThreshold = "-52";  # default -70
    General.RoamThreshold5G = "-52";  # default -76
  };
  # TODO: don't need to depend on binsh if we were to use a nix-style shebang
  system.activationScripts.linkIwdKeys = let
    unwrapped = ../../scripts/install-iwd;
    install-iwd = pkgs.writeShellApplication {
      name = "install-iwd";
      runtimeInputs = with pkgs; [ coreutils gnused ];
      text = ''${unwrapped} "$@"'';
    };
  in (lib.stringAfter
    [ "setupSecrets" "binsh" ]
    ''
    mkdir -p /var/lib/iwd
    ${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
    ''
  );
  # TODO: use a glob, or a list, or something?
  sops.secrets."iwd/community-university.psk" = {
    sopsFile = ../../secrets/universal/net/community-university.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/friend-libertarian-dod.psk" = {
    sopsFile = ../../secrets/universal/net/friend-libertarian-dod.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/friend-rationalist-empathist.psk" = {
    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-bedroom.psk" = {
    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared-24G.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/iphone" = {
    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
    format = "binary";
  };
 }
--- a/modules/universal/pubkeys.nix
+++ b/modules/universal/pubkeys.nix
@@ -0,0 +1,34 @@
 # create ssh key by running:
 # - `ssh-keygen -t ed25519`
 let
  withHost = host: key: "${host} ${key}";
  withUser = user: key: "${key} ${user}";
  keys = rec {
    lappy = {
      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
    };
    desko = {
      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
    };
    servo = {
      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
    };
    moby = {
      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
    };
    "uninsane.org" = servo;
    "git.uninsane.org" = servo;
  };
 in {
  # map hostname -> something suitable for known_keys
  hosts = builtins.mapAttrs (machine: keys: withHost machine keys.host) keys;
  # map hostname -> something suitable for authorized_keys to allow access to colin@<hostname>
  users = builtins.mapAttrs (machine: keys: withUser "colin@${machine}" keys.users.colin) keys;
 }
--- a/modules/universal/secrets.nix
+++ b/modules/universal/secrets.nix
@@ -29,15 +29,15 @@
  #   $ cat /run/secrets/example_key
  # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
-  # This will add secrets.yml to the nix store
+  # This will add secrets.yaml to the nix store
  # You can avoid this by adding a string to the full path instead, i.e.
  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
  sops.defaultSopsFile = ./../../secrets/universal.yaml;
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = [
-    "/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/host_keys/ssh_host_ed25519_key"
    # "/home/colin/.ssh/id_ed25519_dec"
  ];
  sops.gnupg.sshKeyPaths = [];  # disable RSA key import
  # This is using an age key that is expected to already be in the filesystem
  # sops.age.keyFile = "/home/colin/.ssh/age.pub";
  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
--- a/modules/universal/ssh.nix
+++ b/modules/universal/ssh.nix
@@ -0,0 +1,11 @@
 { ... }:
 {
  # we place the host keys (which we want to be persisted) into their own directory to ease that.
  # otherwise, this is identical to nixos defaults
  sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
  services.openssh.hostKeys = [
    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
  ];
 }
--- a/modules/universal/env/system-packages.nix
+++ b/modules/universal/env/system-packages.nix
--- a/modules/universal/users.nix
+++ b/modules/universal/users.nix
@@ -43,19 +43,35 @@ in
        "feedbackd"
        "dialout" # required for modem access
      ];
      # initial password is empty, in case anything goes wrong.
      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
      initialPassword = lib.mkDefault "";
      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
      shell = pkgs.zsh;
-      # shell = pkgs.bashInteractive;
+      openssh.authorizedKeys.keys = builtins.attrValues (import ./pubkeys.nix).users;
-      # XXX colin: create ssh key for THIS user by logging in and running:
+
-      #   ssh-keygen -t ed25519
+      pamMount = {
-      openssh.authorizedKeys.keys = [
+        # mount encrypted stuff at login
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
+        # requires that login password == fs encryption password
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
+        # fstype = "fuse";
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
+        # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
-        # moby doesn't need to login to any other devices yet
+        fstype = "fuse.gocryptfs";
-        # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
+        path = "/nix/persist/home/colin/private";
-      ];
+        mountpoint = "/home/colin/private";
        options="nodev,nosuid,quiet,allow_other";
      };
    };
    sane.impermanence.home-dirs = [
      # cache is probably too big to fit on the tmpfs
      # TODO: we could bind-mount it to something which gets cleared per boot, though.
      ".cache"
      ".cargo"
      ".rustup"
      ".local/share/keyrings"
    ];
    sane.impermanence.service-dirs = mkIf cfg.guest.enable [
      { user = "guest"; group = "users"; directory = "/home/guest"; }
@@ -98,6 +114,10 @@ in
    users.groups.polkituser.gid = config.sane.allocations.polkituser-gid;
    users.groups.sshd.gid = config.sane.allocations.sshd-gid;
    users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
    users.users.nscd.uid = config.sane.allocations.nscd-uid;
    users.groups.nscd.gid = config.sane.allocations.nscd-gid;
    users.users.systemd-oom.uid = config.sane.allocations.systemd-oom-uid;
    users.groups.systemd-oom.gid = config.sane.allocations.systemd-oom-gid;
    # guarantee determinism in uid/gid generation for users:
    assertions = let
--- a/nixpatches/04-dart-2.7.0.patch
+++ b/nixpatches/04-dart-2.7.0.patch
@@ -1,302 +0,0 @@
 diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
 index 9eba6773448..f51aeb8b624 100644
 --- a/pkgs/development/compilers/flutter/default.nix
 +++ b/pkgs/development/compilers/flutter/default.nix
@@ -4,20 +4,20 @@ let
   getPatches = dir:
     let files = builtins.attrNames (builtins.readDir dir);
     in map (f: dir + ("/" + f)) files;
 -  version = "2.10.1";
 +  version = "3.0.0";
   channel = "stable";
   filename = "flutter_linux_${version}-${channel}.tar.xz";
   # Decouples flutter derivation from dart derivation,
   # use specific dart version to not need to bump dart derivation when bumping flutter.
 -  dartVersion = "2.16.1";
 +  dartVersion = "2.17.0";
   dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
   dartForFlutter = dart.override {
     version = dartVersion;
     sources = {
       "${dartVersion}-x86_64-linux" = fetchurl {
         url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
 -        sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
 +        sha256 = "57b8fd964e47c81d467aeb95b099a670ab7e8f54a1cd74d45bcd1fdc77913d86";
       };
     };
   };
@@ -29,7 +29,7 @@ in {
     pname = "flutter";
     src = fetchurl {
       url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
 -      sha256 = "sha256-rSfwcglDV2rvJl10j7FByAWmghd2FYxrlkgYnvRO54Y=";
 +      sha256 = "e96d75ec8e7dc2a46bc8dad5a9e01c391ab9310ad01c4e3940c963dd263788a0";
     };
     patches = getPatches ./patches;
   };
 diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
 index 43538ede339..ece25c14b55 100644
 --- a/pkgs/development/compilers/flutter/flutter.nix
 +++ b/pkgs/development/compilers/flutter/flutter.nix
@@ -56,12 +56,15 @@ let
       export STAMP_PATH="$FLUTTER_ROOT/bin/cache/flutter_tools.stamp"
       export DART_SDK_PATH="${dart}"
 +      export DART="${dart}/bin/dart"
       HOME=../.. # required for pub upgrade --offline, ~/.pub-cache
                  # path is relative otherwise it's replaced by /build/flutter
 +      # mkdir -p "$HOME/.cache"
 +      # ln -sf "$FLUTTER_ROOT" "$HOME/.cache/flutter"
       pushd "$FLUTTER_TOOLS_DIR"
 -      ${dart}/bin/pub get --offline
 +      ${dart}/bin/dart pub get --offline
       popd
       local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
 diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/git-dir.patch
 new file mode 100644
 index 00000000000..0c736f945ea
 --- /dev/null
 +++ b/pkgs/development/compilers/flutter/patches/git-dir.patch
@@ -0,0 +1,102 @@
 +diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
 +index 468a91a954..5def6897ce 100644
 +--- a/dev/bots/prepare_package.dart
 ++++ b/dev/bots/prepare_package.dart
 +@@ -525,7 +525,7 @@ class ArchiveCreator {
 + 
 +   Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
 +     return _processRunner.runProcess(
 +-      <String>['git', ...args],
 ++      <String>['git', '--git-dir', '.git', ...args],
 +       workingDirectory: workingDirectory ?? flutterRoot,
 +     );
 +   }
 +diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
 +index bb0eb428a9..4a2a48bb5e 100644
 +--- a/packages/flutter_tools/lib/src/commands/downgrade.dart
 ++++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
 +@@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
 +     // Detect unknown versions.
 +     final ProcessUtils processUtils = _processUtils!;
 +     final RunResult parseResult = await processUtils.run(<String>[
 +-      'git', 'describe', '--tags', lastFlutterVersion,
 ++      'git', '--git-dir', '.git', 'describe', '--tags', lastFlutterVersion,
 +     ], workingDirectory: workingDirectory);
 +     if (parseResult.exitCode != 0) {
 +       throwToolExit('Failed to parse version for downgrade:\n${parseResult.stderr}');
 +@@ -191,7 +191,7 @@ class DowngradeCommand extends FlutterCommand {
 +         continue;
 +       }
 +       final RunResult parseResult = await _processUtils!.run(<String>[
 +-        'git', 'describe', '--tags', sha,
 ++        'git', '--git-dir', '.git', 'describe', '--tags', sha,
 +       ], workingDirectory: workingDirectory);
 +       if (parseResult.exitCode == 0) {
 +         buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
 +diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
 +index f2068a6ca2..99b161689e 100644
 +--- a/packages/flutter_tools/lib/src/version.dart
 ++++ b/packages/flutter_tools/lib/src/version.dart
 +@@ -106,7 +106,7 @@ class FlutterVersion {
 +     String? channel = _channel;
 +     if (channel == null) {
 +       final String gitChannel = _runGit(
 +-        'git rev-parse --abbrev-ref --symbolic @{u}',
 ++        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
 +         globals.processUtils,
 +         _workingDirectory,
 +       );
 +@@ -114,7 +114,7 @@ class FlutterVersion {
 +       if (slash != -1) {
 +         final String remote = gitChannel.substring(0, slash);
 +         _repositoryUrl = _runGit(
 +-          'git ls-remote --get-url $remote',
 ++          'git --git-dir .git ls-remote --get-url $remote',
 +           globals.processUtils,
 +           _workingDirectory,
 +         );
 +@@ -326,7 +326,7 @@ class FlutterVersion {
 +   /// the branch name will be returned as `'[user-branch]'`.
 +   String getBranchName({ bool redactUnknownBranches = false }) {
 +     _branch ??= () {
 +-      final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
 ++      final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
 +       return branch == 'HEAD' ? channel : branch;
 +     }();
 +     if (redactUnknownBranches || _branch!.isEmpty) {
 +@@ -359,7 +359,7 @@ class FlutterVersion {
 +   /// wrapper that does that.
 +   @visibleForTesting
 +   static List<String> gitLog(List<String> args) {
 +-    return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
 ++    return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
 +   }
 + 
 +   /// Gets the release date of the latest available Flutter version.
 +@@ -730,7 +730,7 @@ class GitTagVersion {
 + 
 +   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
 +     if (fetchTags) {
 +-      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
 ++      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
 +       if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
 +         globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
 +       } else {
 +@@ -739,7 +739,7 @@ class GitTagVersion {
 +     }
 +     // find all tags attached to the given [gitRef]
 +     final List<String> tags = _runGit(
 +-      'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
 ++      'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
 + 
 +     // Check first for a stable tag
 +     final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
 +@@ -760,7 +760,7 @@ class GitTagVersion {
 +     // recent tag and number of commits past.
 +     return parse(
 +       _runGit(
 +-        'git describe --match *.*.* --long --tags $gitRef',
 ++        'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
 +         processUtils,
 +         workingDirectory,
 +       )
 diff --git a/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
 new file mode 100644
 index 00000000000..f68029eb7a1
 --- /dev/null
 +++ b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
@@ -0,0 +1,130 @@
 +diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
 +index 2aac9686e8..32c4b98b88 100644
 +--- a/packages/flutter_tools/lib/src/artifacts.dart
 ++++ b/packages/flutter_tools/lib/src/artifacts.dart
 +@@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
 +   ) {
 +     switch (artifact) {
 +       case HostArtifact.engineDartSdkPath:
 +-        final String path = _dartSdkPath(_cache);
 ++        final String path = _dartSdkPath(_fileSystem);
 +         return _fileSystem.directory(path);
 +       case HostArtifact.engineDartBinary:
 +-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
 ++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
 +         return _fileSystem.file(path);
 +       case HostArtifact.flutterWebSdk:
 +         final String path = _getFlutterWebSdkPath();
 +@@ -398,7 +398,7 @@ class CachedArtifacts implements Artifacts {
 +       case HostArtifact.dart2jsSnapshot:
 +       case HostArtifact.dartdevcSnapshot:
 +       case HostArtifact.kernelWorkerSnapshot:
 +-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 ++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 +         return _fileSystem.file(path);
 +       case HostArtifact.iosDeploy:
 +         final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
 +@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
 +   String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
 +     final String engineDir = _getEngineArtifactsPath(platform, mode)!;
 +     switch (artifact) {
 ++      case Artifact.frontendServerSnapshotForEngineDartSdk:
 ++        assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
 ++        return _fileSystem.path.join(engineDir, _artifactToFileName(artifact));
 +       case Artifact.genSnapshot:
 +         assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
 +         final String hostPlatform = getNameForHostPlatform(getCurrentHostPlatform());
 +         return _fileSystem.path.join(engineDir, hostPlatform, _artifactToFileName(artifact));
 +-      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +       case Artifact.constFinder:
 +       case Artifact.flutterFramework:
 +       case Artifact.flutterMacOSFramework:
 +@@ -497,13 +499,13 @@ class CachedArtifacts implements Artifacts {
 +     switch (artifact) {
 +       case Artifact.genSnapshot:
 +       case Artifact.flutterXcframework:
 ++      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +         final String artifactFileName = _artifactToFileName(artifact)!;
 +         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
 +         return _fileSystem.path.join(engineDir, artifactFileName);
 +       case Artifact.flutterFramework:
 +         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
 +         return _getIosEngineArtifactPath(engineDir, environmentType, _fileSystem);
 +-      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +       case Artifact.constFinder:
 +       case Artifact.flutterMacOSFramework:
 +       case Artifact.flutterMacOSPodspec:
 +@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
 +         // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
 +         // android_arm in profile mode because it is available on all supported host platforms.
 +         return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
 +-      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +-        return _fileSystem.path.join(
 +-          _dartSdkPath(_cache), 'bin', 'snapshots',
 +-          _artifactToFileName(artifact),
 +-        );
 +       case Artifact.flutterTester:
 +       case Artifact.vmSnapshotData:
 +       case Artifact.isolateSnapshotData:
 ++      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +       case Artifact.icuData:
 +         final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
 +         final String platformDirName = _enginePlatformDirectoryName(platform);
 +@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
 +         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 +         return _fileSystem.file(path);
 +       case HostArtifact.dartdevcSnapshot:
 +-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 ++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 +         return _fileSystem.file(path);
 +       case HostArtifact.kernelWorkerSnapshot:
 +         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 +@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
 +       case Artifact.windowsUwpCppClientWrapper:
 +         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
 +       case Artifact.frontendServerSnapshotForEngineDartSdk:
 +-        return _fileSystem.path.join(
 +-          _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
 +-        );
 ++        return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
 +       case Artifact.uwptool:
 +         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
 +     }
 +@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
 + }
 + 
 + /// Locate the Dart SDK.
 +-String _dartSdkPath(Cache cache) {
 +-  return cache.getRoot().childDirectory('dart-sdk').path;
 ++String _dartSdkPath(FileSystem fileSystem) {
 ++  return fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'dart-sdk');
 + }
 + 
 + class _TestArtifacts implements Artifacts {
 +diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
 +index d906511a15..adfdd4bb42 100644
 +--- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
 ++++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
 +@@ -153,10 +153,6 @@ void main() {
 +         artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
 +         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
 +       );
 +-      expect(
 +-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
 +-        fileSystem.path.join('root', 'bin', 'cache', 'dart-sdk', 'bin', 'snapshots', 'frontend_server.dart.snapshot')
 +-      );
 +     });
 + 
 +     testWithoutContext('precompiled web artifact paths are correct', () {
 +@@ -322,11 +318,6 @@ void main() {
 +         artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
 +         fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
 +       );
 +-      expect(
 +-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
 +-        fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
 +-          'snapshots', 'frontend_server.dart.snapshot')
 +-      );
 +     });
 + 
 +     testWithoutContext('getEngineType', () {
--- a/nixpatches/10-flutter-arm64.patch
+++ b/nixpatches/10-flutter-arm64.patch
@@ -10,15 +10,15 @@ index 565c44f72e9..f20a3d4e9be 100644
 }:
 +let vendorHashes = {
-+  x86_64-linux = "sha256-j5opwEFifa+DMG7Uziv4SWEPVokD6OSq8mSIr0AdDL0=";
+  x86_64-linux = "sha256-p5EJP2zSvWyRV1uyTHw0EpFsEwAGtX5B9WVjpLmnVew=";
-+  aarch64-linux = "sha256-gPz/j7oHO2f3DVNNy7DpY/8XTjWt2Kcf3XjFmH81HDs=";
+  aarch64-linux = "sha256-Ps0HmDI6BFxHrLRq3KWNk4hw0qneq5hqB/Mp99f+hO4=";
 +};
 +in
 flutter.mkFlutterApp rec {
   pname = "fluffychat";
-   version = "1.2.0";
+   version = "1.6.1";
-  vendorHash = "sha256-j5opwEFifa+DMG7Uziv4SWEPVokD6OSq8mSIr0AdDL0=";
+-  vendorHash = "sha256-SelMRETFYZgTStV90gRoKhazu1NPbcSMO9mYebSQskQ=";
 +  vendorHash = vendorHashes."${stdenv.hostPlatform.system}" or (throw "unsupported system: ${stdenv.hostPlatform.system}");
   src = fetchFromGitLab {
@@ -33,7 +33,7 @@ index 9eba6773448..e9d352169b2 100644
       };
 +      "${dartVersion}-aarch64-linux" = fetchurl {
 +        url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-arm64-release.zip";
-+        sha256 = "sha256-3p0cUoNn+Du9GSvVZa9bfZ1I9295uqTA5M9kcj4/uL4=";
+        sha256 = "sha256-BIK6kUx+m+/GfR/wBXv8rjVNbP6w1HFvH/RGIwiaJog=";
 +      };
     };
   };
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
@@ -1,57 +1,55 @@
 fetchpatch: [
-  # phosh: allow fractional scaling
+  # phosh-mobile-settings: init at 0.21.1
  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/175872.diff";
+    url = "http://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
-    sha256 = "sha256-mEmqhe8DqlyCxkFWQKQZu+2duz69nOkTANh9TcjEOdY=";
+    # url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
    sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
  })
  # freshrss: fix ExecStart path
  (fetchpatch {
    url = "https://github.com/NixOS/nixpkgs/pull/197731.diff";
    # url = "http://git.uninsane.org/colin/nixpkgs/commit/e4235c60b71bec66fe8f811cdbdd229bcf98915f.diff";
    sha256 = "sha256-SL7tddw0YZWzZ+JhosoTyBuEahEJEjMuV4WEBCg9OM0=";
  })
  # # kaiteki: init at 2022-09-03
  # vendorHash changes too frequently (might not be reproducible).
  # using local package defn until stabilized
  # (fetchpatch {
  #   url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
  #   # url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
  #   sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
  # })
  # nautilus: look for the gtk4 FileChooser settings instead of the gtk4 one
  (fetchpatch {
    # original version (include the patch in nixpkgs)
    # url = "https://git.uninsane.org/colin/nixpkgs/commit/4636a04c1c4982a0e71ae77d3aa6f52d1a3170f1.diff";
    # sha256 = "sha256-XKfXStdcveYuk58rlORVJOv0a9Q5aRj1bYT5k79rL0g=";
    # v2 (fetchpatch from upstream PR)
    # url = "https://git.uninsane.org/colin/nixpkgs/commit/730a802808c549220144e4e62aa419bb07c5ae29.diff";
    url = "https://github.com/NixOS/nixpkgs/pull/195985.diff";
    sha256 = "sha256-zd7WGOTm3ygh0Wk3uiA+1S+RqD9yWDSXvo7veHs0K00=";
  })
  # Fix mk flutter app
  # closed (not merged). updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
  # (fetchpatch {
  #   url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
  #   sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
  # })
  # for raspberry pi: allow building u-boot for rpi 4{,00}
  # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
  #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
  ./02-rpi4-uboot.patch
  # # flutter.dart: 2.16.1 -> 2.16.2
  # (fetchpatch {
  #   url = "https://github.com/NixOS/nixpkgs/pull/172873.diff";
  #   sha256 = "sha256-HGYk83XOhFe1wWNCKNdF6s/7laWJ0Jisb8bDJcHVlsQ=";
  # })
  # # Flutter: 2.10.1->3.0.4
  # (fetchpatch {
  #   url = "https://github.com/NixOS/nixpkgs/pull/173200.diff";
  #   sha256 = "sha256-g1tZdLTrAJx3ijgabqz8XInC20PQM3FYRENQ7c6NfQw=";
  # })
  # # dart: 2.17.3 -> 2.18.0
  # (fetchpatch {
  #   url = "https://github.com/NixOS/nixpkgs/pull/189841.diff";
  #   sha256 = "sha256-E3rTNex7PiFHsLgtb0x9/Q/naqDYD1vFuGyduV4Z6qY=";
  # })
  # # # Flutter: 3.0.4->3.3.2, flutter.dart: 2.17.5->2.18.1
  # # (fetchpatch {
  # #   url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
  # #   sha256 = "sha256-MppSk1D3qQT8Z4lzEZ93UexoidT8yqM7ASPec4VvxCI=";
  # # })
  # enable aarch64 support for flutter's dart package
  ./10-flutter-arm64.patch
  # whalebird: support aarch64
  (fetchpatch {
    url = "https://github.com/NixOS/nixpkgs/pull/176476.diff";
    sha256 = "sha256-126DljM06hqPZ3fjLZ3LBZR64nFbeTfzSazEu72d4y8=";
  })
  # TODO: upstream
  ./07-duplicity-rich-url.patch
-  # zecwallet-lite: init at 1.7.13
+  # enable aarch64 support for flutter's dart package
-  (fetchpatch {
+  # ./10-flutter-arm64.patch
    url = "https://github.com/NixOS/nixpkgs/pull/180960.diff";
    sha256 = "sha256-HVVj/T3yQtjYBoxXpoPiG9Zar/eik9IoDVDhTOehBdY=";
  })
  # makemkv: 1.16.7 -> 1.17.1
  (fetchpatch {
    url = "https://github.com/NixOS/nixpkgs/pull/188342.diff";
    sha256 = "sha256-3M4DpvXf5Us70FX5geE0L1Ns23Iw2NG82YNlwSd+WzI=";
  })
 ]
--- a/pkgs/browserpass/default.nix
+++ b/pkgs/browserpass/default.nix
@@ -0,0 +1,44 @@
 { pkgs
 , bash
 , fetchFromGitea
 , lib
 , sops
 , stdenv
 , substituteAll
 }:
 let
  sane-browserpass-gpg = stdenv.mkDerivation {
    pname = "sane-browserpass-gpg";
    version = "0.1.0";
    src = ./.;
    inherit bash sops;
    installPhase = ''
      mkdir -p $out/bin
      substituteAll ${./sops-gpg-adapter} $out/bin/gpg
      chmod +x $out/bin/gpg
      ln -s $out/bin/gpg $out/bin/gpg2
    '';
  };
 in
 (pkgs.browserpass.overrideAttrs (upstream: {
  src = fetchFromGitea {
    domain = "git.uninsane.org";
    owner = "colin";
    repo = "browserpass-native";
    rev = "8de7959fa5772aca406bf29bb17707119c64b81e";
    hash = "sha256-ewB1YdWqfZpt8d4p9LGisiGUsHzRW8RiSO/+NZRiQpk=";
  };
  installPhase = ''
    make install
    wrapProgram $out/bin/browserpass \
      --prefix PATH : ${lib.makeBinPath [ sane-browserpass-gpg ]}
    # This path is used by our firefox wrapper for finding native messaging hosts
    mkdir -p $out/lib/mozilla/native-messaging-hosts
    ln -s $out/lib/browserpass/hosts/firefox/*.json $out/lib/mozilla/native-messaging-hosts
  '';
 }))
--- a/pkgs/browserpass/sops-gpg-adapter
+++ b/pkgs/browserpass/sops-gpg-adapter
@@ -0,0 +1,14 @@
 #! @bash@/bin/sh
 # browserpass "validates" the gpg binary by invoking it with --version
 if [ "$1" = "--version" ]
 then
  echo "sane-browserpass-gpg @version@";
  exit 0
 fi
 # using exec here forwards our stdin
 # browserpass parses the response in
 # <browserpass-extension/src/background.js#parseFields>
 # it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
 exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin
--- a/pkgs/fluffychat-moby/default.nix
+++ b/pkgs/fluffychat-moby/default.nix
@@ -0,0 +1,20 @@
 { pkgs }:
 (pkgs.symlinkJoin {
  name = "fluffychat-moby";
  paths = [ pkgs.fluffychat ];
  buildInputs = [ pkgs.makeWrapper ];
  # ordinary fluffychat on moby displays blank window;
  # > Failed to start Flutter renderer: Unable to create a GL context
  # this is temporarily solved by using software renderer
  # - see https://github.com/flutter/flutter/issues/106941
  postBuild = ''
    wrapProgram $out/bin/fluffychat \
      --set LIBGL_ALWAYS_SOFTWARE 1
    # fix up the .desktop file to invoke our wrapped fluffychat
    orig_desktop=$(readlink $out/share/applications/Fluffychat.desktop)
    unlink $out/share/applications/Fluffychat.desktop
    sed "s:Exec=.*:Exec=$out/bin/fluffychat:" $orig_desktop > $out/share/applications/Fluffychat.desktop
  '';
 })
--- a/pkgs/gocryptfs/default.nix
+++ b/pkgs/gocryptfs/default.nix
@@ -0,0 +1,15 @@
 { pkgs, lib, ... }:
 (pkgs.gocryptfs.overrideAttrs (upstream: {
  # XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
  # unless `logger` (util-linux) is accessible from gocryptfs.
  # this is surprising: the code LOOKS like it's meant to handle logging failures.
  # propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
  #
  # TODO: see about upstreaming this
  postInstall = ''
    wrapProgram $out/bin/gocryptfs \
      --suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
    ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
  '';
 }))
--- a/pkgs/gopass-native-messaging-host/com.justwatch.gopass.json
+++ b/pkgs/gopass-native-messaging-host/com.justwatch.gopass.json
@@ -0,0 +1,10 @@
 {
    "name": "com.justwatch.gopass",
    "description": "Gopass wrapper to search and return passwords",
    "path": "@out@/bin/gopass-wrapper",
    "type": "stdio",
    "allowed_extensions": [
        "{eec37db0-22ad-4bf1-9068-5ae08df8c7e9}"
    ]
 }
--- a/pkgs/gopass-native-messaging-host/default.nix
+++ b/pkgs/gopass-native-messaging-host/default.nix
@@ -0,0 +1,22 @@
 { stdenv
 , bash
 , gopass-jsonapi
 , substituteAll
 }:
 stdenv.mkDerivation {
  pname = "gopass-native-messaging-host";
  version = "1.0";
  src = ./.;
  inherit bash;
  # substituteAll doesn't work with hyphenated vars ??
  gopassJsonapi = gopass-jsonapi;
  installPhase = ''
    mkdir -p $out/bin $out/lib/mozilla/native-messaging-hosts
    substituteAll ${./gopass-wrapper.sh} $out/bin/gopass-wrapper
    chmod +x $out/bin/gopass-wrapper
    substituteAll ${./com.justwatch.gopass.json} $out/lib/mozilla/native-messaging-hosts/com.justwatch.gopass.json
  '';
 }
--- a/pkgs/gopass-native-messaging-host/gopass-wrapper.sh
+++ b/pkgs/gopass-native-messaging-host/gopass-wrapper.sh
@@ -0,0 +1,2 @@
 #! @bash@/bin/sh
 exec @gopassJsonapi@/bin/gopass-jsonapi listen
--- a/pkgs/gpodder-configured/default.nix
+++ b/pkgs/gpodder-configured/default.nix
@@ -0,0 +1,24 @@
 { pkgs
 , writeShellScript
 , config
 }:
 (pkgs.symlinkJoin {
  name = "gpodder-configured";
  paths = [ pkgs.gpodder ];
  buildInputs = [ pkgs.makeWrapper ];
  # gpodder keeps all its feeds in a sqlite3 database.
  # we can configure the feeds externally by wrapping gpodder and just instructing it to import
  # a feedlist every time we run it.
  # repeat imports are deduplicated -- assuming network access (not sure how it behaves when disconnected).
  postBuild = ''
    makeWrapper $out/bin/gpodder $out/bin/gpodder-configured \
      --run "$out/bin/gpo import ~/.config/gpodderFeeds.opml"
    # fix up the .desktop file to invoke our wrapped application
    orig_desktop=$(readlink $out/share/applications/gpodder.desktop)
    unlink $out/share/applications/gpodder.desktop
    sed "s:Exec=.*:Exec=$out/bin/gpodder-configured:" $orig_desktop > $out/share/applications/gpodder.desktop
  '';
 })
--- a/pkgs/kaiteki/default.nix
+++ b/pkgs/kaiteki/default.nix
@@ -2,39 +2,63 @@
 , fetchFromGitHub
 , flutter
 , makeDesktopItem
 , imagemagick
 , xdg-user-dirs
 }:
 flutter.mkFlutterApp rec {
  pname = "kaiteki";
-  version = "unstable-2022-06-03";
+  version = "unstable-2022-09-03";
-  # this hash seems unstable -- depends on other nixpkgs, perhaps?
+  vendorHash = "sha256-CXEaQeXEY5PYpcoqmPcRfcyaFsEDZ8bq1pgApmjyp0c=";
  vendorHash = "sha256-IC3FAPFASuMcNOpUuaB+MDcm9nqGCtq/6A2dCxIXHEg=";
  src = fetchFromGitHub {
    owner = "Kaiteki-Fedi";
    repo = "Kaiteki";
-    rev = "0a322313071e4391949d23d9b006d74de65f58d9";
+    rev = "fd1e26c98f37ad6a98ed549da879c91721f997d0";
-    hash = "sha256-ggDIbVwueS162m15TFaC6Tcg+0lpcVGi4x/O691sxR8";
+    hash = "sha256-N7n6o/B9s0DCYf9HFMZSCPShpE65wKl9FaQ5dbFnr1E=";
    fetchSubmodules = true;
  };
-  desktopItems = [ (makeDesktopItem {
+  nativeBuildInputs = [ imagemagick ];
  desktopItem = makeDesktopItem {
    name = "Kaiteki";
-    exec = "kaiteki";
+    exec = "@out@/bin/kaiteki";
    icon = "kaiteki";
    desktopName = "Kaiteki";
    genericName = "Micro-blogging client";
    comment = meta.description;
    categories = [ "Network" "InstantMessaging" "GTK" ];
-  }) ];
+  };
  sourceRoot = "source/src/kaiteki";
  postInstall = ''
    wrapProgram $out/bin/kaiteki \
      --prefix PATH : "${xdg-user-dirs}/bin"
    FAV=$out/app/data/flutter_assets/assets/icon.png
    ICO=$out/share/icons
    install -D $FAV $ICO/kaiteki.png
    for s in 24 32 42 64 128 256 512; do
      D=$ICO/hicolor/''${s}x''${s}/apps
      mkdir -p $D
      convert $FAV -resize ''${s}x''${s} $D/kaiteki.png
    done
    mkdir $out/share/applications
    cp $desktopItem/share/applications/*.desktop $out/share/applications
    substituteInPlace $out/share/applications/*.desktop \
      --subst-var out
  '';
  meta = with lib; {
    description = "The comfy Fediverse client";
    homepage = "https://craftplacer.moe/projects/kaiteki/";
    license = licenses.agpl3Plus;
-    # maintainers = with maintainers; [ colinsane ];
+    maintainers = with maintainers; [ colinsane ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/lightdm-mobile-greeter/cargo_lock-fix_lightdm_rs_url.patch
+++ b/pkgs/lightdm-mobile-greeter/cargo_lock-fix_lightdm_rs_url.patch
@@ -0,0 +1,28 @@
 commit c2a3a5eff2edc95108a21fc02c420a8aaa19accd
 Author: colin <colin@uninsane.org>
 Date:   Tue Oct 25 20:59:20 2022 -0700
    Cargo.lock: update lightdm-rs URLs
 diff --git a/Cargo.lock b/Cargo.lock
 index 1051644..72d09e6 100644
 --- a/Cargo.lock
 +++ b/Cargo.lock
@@ -362,7 +362,7 @@ dependencies = [
 [[package]]
 name = "light-dm-sys"
 version = "0.0.1"
 -source = "git+https://raatty.club:3000/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
 +source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
 dependencies = [
  "gio-sys",
  "glib-sys",
@@ -374,7 +374,7 @@ dependencies = [
 [[package]]
 name = "lightdm"
 version = "0.1.0"
 -source = "git+https://raatty.club:3000/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
 +source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
 dependencies = [
  "gio",
  "gio-sys",
--- a/pkgs/lightdm-mobile-greeter/default.nix
+++ b/pkgs/lightdm-mobile-greeter/default.nix
@@ -0,0 +1,57 @@
 { lib
 , fetchFromGitea
 , gtk3
 , libhandy_0
 , lightdm
 , pkgs
 , linkFarm
 , pkg-config
 , rustPlatform
 }:
 rustPlatform.buildRustPackage rec {
  pname = "lightdm-mobile-greeter";
  version = "6";
  src = fetchFromGitea {
    domain = "git.raatty.club";
    owner = "raatty";
    repo = "lightdm-mobile-greeter";
    rev = "${version}";
    hash = "sha256-uqsYOHRCOmd3tpJdndZFQ/tznZ660NhB+gE2154kJuM=";
  };
  cargoHash = "sha256-JV8NQdZAG4EetRHwbi0dD0uIOUkn5hvzry+5WB7TCO4=";
  cargoPatches = [
    ./cargo_lock-fix_lightdm_rs_url.patch
  ];
  buildInputs = [
    gtk3
    libhandy_0
    lightdm
  ];
  nativeBuildInputs = [
    pkg-config
  ];
  postInstall = ''
    mkdir -p $out/share/applications
    substitute lightdm-mobile-greeter.desktop \
      $out/share/applications/lightdm-mobile-greeter.desktop \
      --replace lightdm-mobile-greeter $out/bin/lightdm-mobile-greeter
  '';
  passthru.xgreeters = linkFarm "lightdm-mobile-greeter-xgreeters" [{
    path = "${pkgs.lightdm-mobile-greeter}/share/applications/lightdm-mobile-greeter.desktop";
    name = "lightdm-mobile-greeter.desktop";
  }];
  meta = with lib; {
    description = "A simple log in screen for use on touch screens.";
    homepage = "https://git.uninsane.org/colin/lightdm-mobile-greeter";
    maintainers = with maintainers; [ colinsane ];
    platforms = platforms.linux;
    license = licenses.mit;
  };
 }
--- a/pkgs/linux-megous/default.nix
+++ b/pkgs/linux-megous/default.nix
@@ -3,7 +3,7 @@
 with lib;
 buildLinux (args // rec {
-  version = "5.18.14";
+  version = "6.0.2";
  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -14,8 +14,8 @@ buildLinux (args // rec {
  src = fetchFromGitHub {
    owner = "megous";
    repo = "linux";
-    # branch: orange-pi-5.18
+    # branch: orange-pi-6.0
-    rev = "3ef835b665191e4833ae1363245be48e96013df6";
+    rev = "2683672a2052ffda995bb987fa62a1abe8424ef4";
-    sha256 = "sha256-nQsBXeGLZhpem1p7Vnc8z7XB354AO1mn7VTj/hH5twY=";
+    hash = "sha256-hL/SbLgaTk/CqFLFrAK/OV9/OS20O42zJvSScsvWBQk=";
  };
 } // (args.argsOverride or { }))
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -21,6 +21,8 @@
  };
  #### customized packages
  fluffychat-moby = prev.callPackage ./fluffychat-moby { pkgs = prev; };
  gpodder-configured = prev.callPackage ./gpodder-configured { pkgs = prev; };
  # nixos-unstable pleroma is too far out-of-date for our db
  pleroma = prev.callPackage ./pleroma { };
  # jackett doesn't allow customization of the bind address: this will probably always be here.
@@ -33,8 +35,17 @@
  # patch rpi uboot with something that fixes USB HDD boot
  ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
  gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
  browserpass = prev.callPackage ./browserpass { pkgs = prev; };
  #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
  kaiteki = prev.callPackage ./kaiteki { };
  lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
  gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
  tokodon = prev.libsForQt5.callPackage ./tokodon { };
  # kaiteki = prev.kaiteki;
  # TODO: upstream, or delete nabla
  nabla = prev.callPackage ./nabla { };
 })
--- a/pkgs/pleroma/default.nix
+++ b/pkgs/pleroma/default.nix
@@ -1,6 +1,7 @@
 { lib, beamPackages
 , fetchFromGitHub, fetchFromGitLab
 , file, cmake, bash
 , libxcrypt
 , nixosTests, writeText
 , cookieFile ? "/var/lib/pleroma/.cookie"
 , ...
@@ -14,11 +15,10 @@ beamPackages.mixRelease rec {
    domain = "git.pleroma.social";
    owner = "pleroma";
    repo = "pleroma";
-    rev = "4605efe272016a5ba8ba6e96a9bec9a6e40c1591";
+    rev = "7a519b6a6607bc1dd22e6a3450aebf0f1ff11fb8";
    # to update: uncomment the null hash, run nixos-rebuild and
    # compute the new hash with `nix to-sri sha256:<output from failed nix build>`
-    # sha256 = "sha256-0000000000000000000000000000000000000000000=";
+    sha256 = "sha256-6NglBcEGEvRlYMnVNB8kr4i/fccrzO6mnyp3X+O0m74=";
    sha256 = "sha256-Dp1kTUDfNC7EDoK9WToXkUvsj7v66eKuD15le5IZgiY=";
  };
  preFixup = if (cookieFile != null) then ''
@@ -49,6 +49,8 @@ beamPackages.mixRelease rec {
    done
  '' else "";
  stripDebug = false;
  mixNixDeps = import ./mix.nix {
    inherit beamPackages lib;
    overrides = (final: prev: {
@@ -70,29 +72,49 @@ beamPackages.mixRelease rec {
        name = "crypt";
        version = "0.4.3";
-        src = fetchFromGitHub {
+        # src = fetchFromGitHub {
-          owner = "msantos";
+        #   owner = "msantos";
        #   repo = "crypt";
        #   rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
        #   sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
        # };
        # this is the old crypt, from before 2021/09/21.
        # nixpkgs still uses this as of 2022-10-24 and it works.
        src = fetchFromGitLab {
          domain = "git.pleroma.social";
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "crypt";
-          rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
+          rev = "cf2aa3f11632e8b0634810a15b3e612c7526f6a3";
-          sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
+          sha256 = "sha256-48QIsgyEaDzvnihdsFy7pYURLFcb9G8DXIrf5Luk3zo=";
        };
        postInstall = "mv $out/lib/erlang/lib/crypt-${version}/priv/{source,crypt}.so";
        beamDeps = with final; [ elixir_make ];
        buildInputs = [ libxcrypt ];
      };
      prometheus_ex = beamPackages.buildMix rec {
        name = "prometheus_ex";
        version = "3.0.5";
-        src = fetchFromGitLab {
+        src = fetchFromGitHub {
-          domain = "git.pleroma.social";
+          owner = "lanodan";
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "prometheus.ex";
-          rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
+          # branch = "fix/elixir-1.14";
-          sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
+          rev = "31f7fbe4b71b79ba27efc2a5085746c4011ceb8f";
          sha256 = "sha256-2PZP+YnwnHt69HtIAQvjMBqBbfdbkRSoMzb1AL2Zsyc=";
        };
        # src = fetchFromGitLab {
        #   domain = "git.pleroma.social";
        #   group = "pleroma";
        #   owner = "elixir-libraries";
        #   repo = "prometheus.ex";
        #   rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
        #   sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
        # };
        beamDeps = with final; [ prometheus ];
      };
      prometheus_phx = beamPackages.buildMix rec {
@@ -107,8 +129,8 @@ beamPackages.mixRelease rec {
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "prometheus-phx";
-          rev = "9cd8f248c9381ffedc799905050abce194a97514";
+          rev = "0c950ac2d145b1ee3fc8ee5c3290ccb9ef2331e9";
-          sha256 = "0211z4bxb0bc0zcrhnph9kbbvvi1f2v95madpr96pqzr60y21cam";
+          sha256 = "sha256-HjN0ku1q5aNtrhHopch0wpp4Z+dMCGj5GxHroiz5u/w=";
        };
        beamDeps = with final; [ prometheus_ex ];
      };
--- a/pkgs/pleroma/mix.nix
+++ b/pkgs/pleroma/mix.nix
@@ -34,7 +34,6 @@ let
      beamDeps = [ custom_base ];
    };
    # base64url = buildMix rec {
    base64url = buildRebar3 rec {
      name = "base64url";
      version = "0.0.1";
@@ -362,12 +361,12 @@ let
    eblurhash = buildRebar3 rec {
      name = "eblurhash";
-      version = "1.1.0";
+      version = "1.2.2";
      src = fetchHex {
        pkg = "${name}";
        version = "${version}";
-        sha256 = "07dmkbyafpxffh8ar6af4riqfxiqc547rias7i73gpgx16fqhsrf";
+        sha256 = "0k040pj8hlm8mwy0ra459hk35v9gfsvvgp596nl27q2dj00cl84c";
      };
      beamDeps = [];
@@ -1646,5 +1645,19 @@ let
      beamDeps = [ httpoison jose ];
    };
    websockex = buildMix rec {
      name = "websockex";
      version = "0.4.3";
      src = fetchHex {
        pkg = "${name}";
        version = "${version}";
        sha256 = "1r2kmi2pcmdzvgbd08ci9avy0g5p2lhx80jn736a98w55c3ygwlm";
      };
      beamDeps = [];
    };
  };
 in self
--- a/pkgs/pleroma/updating.txt
+++ b/pkgs/pleroma/updating.txt
@@ -1,10 +1,16 @@
 in pleroma checkout:
 - grab version: `rg 'version: ' mix.exs`
 in default.nix:
-  update `rev` and recompute sha256.
+- update `rev` and recompute sha256.
    use nix to-sri sha256:<expected>
-run mix2nix inside the pleroma git root and pipe the output into mix.nix
+in pleroma checkout:
-  inside default.nix, update all git mix deps
+- `mix2nix > mix.nix`
  inside mix.nix, change base64url to use buildRebar3 instead of buildMix
-move majic from mix.nix -> default.nix and add:
+in nix repo:
-  buildInputs = [ file ];
+- cp the new mix.nix here.
 - move majic from mix.nix -> default.nix and add:
        - buildInputs = [ file ];
 - update `mixNixDeps` in default.nix:
        - grab the version from pleroma/mix.exs or mix.lock
 - redundant?: inside mix.nix, change base64url to use buildRebar3 instead of buildMix
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -23,8 +23,9 @@ resholve.mkDerivation {
        file
        findutils
        gnugrep
        gocryptfs
        ifuse
-        inotifyTools
+        inotify-tools
        ncurses
        oath-toolkit
        openssh
@@ -33,6 +34,7 @@ resholve.mkDerivation {
        ssh-to-age
        sops
        sudo
        util-linux
        which
      ];
      keep = {
@@ -47,20 +49,22 @@ resholve.mkDerivation {
          "umount"
          "sudo"
-          # this is actually internal; probably a better fix
+          # these are used internally; probably a better fix
          "sane-mount-servo"
          "sane-private-unlock"
        ];
      };
      # list of programs which *can* or *cannot* exec their arguments
-      execer = [
+      execer = with pkgs; [
-        "cannot:${pkgs.ifuse}/bin/ifuse"
+        "cannot:${gocryptfs}/bin/gocryptfs"
-        "cannot:${pkgs.oath-toolkit}/bin/oathtool"
+        "cannot:${ifuse}/bin/ifuse"
-        "cannot:${pkgs.openssh}/bin/ssh-keygen"
+        "cannot:${oath-toolkit}/bin/oathtool"
-        "cannot:${pkgs.rmlint}/bin/rmlint"
+        "cannot:${openssh}/bin/ssh-keygen"
-        "cannot:${pkgs.rsync}/bin/rsync"
+        "cannot:${rmlint}/bin/rmlint"
-        "cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
+        "cannot:${rsync}/bin/rsync"
-        "cannot:${pkgs.sops}/bin/sops"
+        "cannot:${sops}/bin/sops"
        "cannot:${ssh-to-age}/bin/ssh-to-age"
      ];
    };
  };
--- a/pkgs/sane-scripts/src/sane-mount-servo
+++ b/pkgs/sane-scripts/src/sane-mount-servo
@@ -15,4 +15,5 @@ then
 fi
 # symlink the fastest mount point into place
 # uncomment if i see the bug again: sudo unlink /mnt/servo-media  # XXX ln gets confused if the destination is a symlink to a stale mount
 sudo ln -sf $mnt /mnt/servo-media
--- a/pkgs/sane-scripts/src/sane-mount-servo-root
+++ b/pkgs/sane-scripts/src/sane-mount-servo-root
@@ -15,4 +15,5 @@ then
 fi
 # symlink the fastest mount point into place
 # uncomment if i see the bug again: sudo unlink /mnt/servo-root  # XXX ln gets confused if the destination is a symlink to a stale mount
 sudo ln -sf $mnt /mnt/servo-root
--- a/pkgs/sane-scripts/src/sane-private-change-passwd
+++ b/pkgs/sane-scripts/src/sane-private-change-passwd
@@ -0,0 +1,32 @@
 #!/usr/bin/env bash
 set -ex
 new_plain=/home/colin/private-new
 new_cipher="/nix/persist${new_plain}"
 dest_plain=/home/colin/private
 dest_cipher="/nix/persist${dest_plain}"
 # initialize the new store
 sudo mkdir -p "${new_cipher}" && sudo chown colin:users "${new_cipher}"
 mkdir -p "${new_plain}"
 gocryptfs -init "${new_cipher}"
 # mount the new and old store
 gocryptfs "${new_cipher}" "${new_plain}"
 sane-private-unlock
 # transfer to the new store
 rsync -arv /home/colin/private/ "${new_plain}"/
 # unmount both stores
 sudo umount "${new_plain}"
 sudo umount /home/colin/private
 # swap the stores
 sudo mv "${dest_cipher}" "${dest_cipher}-old"
 sudo mv "${new_cipher}" "${dest_cipher}"
 sane-private-unlock
 echo "if things look well, rm ${dest_cipher}-old"
--- a/pkgs/sane-scripts/src/sane-private-init
+++ b/pkgs/sane-scripts/src/sane-private-init
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 set -ex
 # configure persistent, encrypted storage that is auto-mounted on login.
 # this is a one-time setup and user should log out/back in after running it.
 p=/nix/persist/home/colin/private
 mkdir -p $p
 gocryptfs -init $p
--- a/pkgs/sane-scripts/src/sane-private-unlock
+++ b/pkgs/sane-scripts/src/sane-private-unlock
@@ -0,0 +1,14 @@
 #!/usr/bin/env bash
 set -ex
 # configure persistent, encrypted storage that is auto-mounted on login.
 # this is a one-time setup and user should log out/back in after running it.
 mount=/home/colin/private
 cipher="/nix/persist$mount"
 mkdir -p "$mount"
 if [ ! -f "$mount/init" ]
 then
  gocryptfs "$cipher" "$mount"
 fi
--- a/pkgs/sane-scripts/src/sane-rcp
+++ b/pkgs/sane-scripts/src/sane-rcp
@@ -0,0 +1,3 @@
 #!/usr/bin/env sh
 # copy some remote file(s) to the working directory, with sane defaults
 rsync -arv --progress "$@" .
--- a/pkgs/sane-scripts/src/sane-reclaim-disk-space
+++ b/pkgs/sane-scripts/src/sane-reclaim-disk-space
@@ -1,16 +1,41 @@
 #!/usr/bin/env bash
 set -ex
 # script to reclaim some hard drive space
 set -e
 options=$(getopt -l "fast" -o "f" -- "$@")
 do_rmlint=true
 for arg in $options; do
  case $arg in
    -f|--fast)
      do_rmlint=false
      ;;
    --)
      ;;
  esac
 done
 set -x
 # always claim nix garbage
 sudo nix-collect-garbage
-# identify duplicate files in the nix store
+
-rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --progress /nix/store
+if [ $do_rmlint = true ]
-# link the dupes together (uses ioctl_fideduperange)
+then
-#   see: https://btrfs.wiki.kernel.org/index.php/Deduplication
+  # identify duplicate files in the nix store
-#   see: https://rmlint.readthedocs.io/en/latest/tutorial.html
+  rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --output=json:/dev/null --progress /nix/store
-sudo mount -o remount,rw /nix/store
+  # link the dupes together (uses ioctl_fideduperange)
-/tmp/rmlint.sh -d || true  # on failure, we still want to remount ro
+  #   see: https://btrfs.wiki.kernel.org/index.php/Deduplication
-# XXX this doesn't work: 'mount point is busy.'
+  #   see: https://rmlint.readthedocs.io/en/latest/tutorial.html
-sudo mount -o remount,ro /nix/store
+fi
 if [ $do_rmlint = true ]
 then
  sudo mount -o remount,rw /nix/store
  # XXX: does rmlint really need to be invoked as root?
  sudo /tmp/rmlint.sh -d || true  # on failure, we still want to remount ro
  # XXX this doesn't work: 'mount point is busy.'
  sudo mount -o remount,ro /nix/store
 fi
 # TODO: instead of using rmlint, could use dduper: https://github.com/Lakshmipathi/dduper
 #   better perf for btrfs (checksum tests)
--- a/pkgs/sane-scripts/src/sane-sudo-redirect
+++ b/pkgs/sane-scripts/src/sane-sudo-redirect
@@ -0,0 +1,16 @@
 #!/usr/bin/env bash
 # redirects to $1, when writing to $1 requires sudo permissions.
 # i.e. convert a failing command:
 #
 # ```
 # $ sudo do_thing > /into/file
 # ```
 #
 # to
 #
 # ```
 # $ sudo do_thing | sane-sudo-redirect /into/file
 # ```
 exec sudo tee $@ > /dev/null
--- a/pkgs/sane-scripts/src/sane-sync-from-iphone
+++ b/pkgs/sane-scripts/src/sane-sync-from-iphone
@@ -5,8 +5,13 @@ set -ex
 # make sure the mountpoint exists
 if ! (test -e /mnt/iphone)
 then
  sudo umount /mnt/iphone || true  # maybe the mount hung
  if ! (test -e /mnt/iphone)
  then
    sudo mkdir /mnt/iphone
    sudo chown colin:users /mnt/iphone
  fi
 fi
 # make sure the device is mounted
--- a/pkgs/tokodon/default.nix
+++ b/pkgs/tokodon/default.nix
@@ -0,0 +1,64 @@
 { lib
 , stdenv
 , fetchFromGitHub
 , cmake
 , extra-cmake-modules
 , kconfig
 , kdbusaddons
 , ki18n
 , kirigami2
 , knotifications
 , libwebsockets
 , pkg-config
 , qqc2-desktop-style
 , qtbase
 , qtkeychain
 , qtmultimedia
 , qtquickcontrols2
 , qttools
 , qtwebsockets
 , wrapQtAppsHook
 }:
 stdenv.mkDerivation rec {
  pname = "tokodon";
  version = "22.09";
  src = fetchFromGitHub {
    owner = "KDE";
    repo = pname;
    rev = "v${version}";
    sha256 = "sha256-wHE8HPnjXd+5UG5WEMd7+m1hu2G3XHq/eVQNznvS/zc=";
  };
  nativeBuildInputs = [
    cmake
    extra-cmake-modules
    pkg-config
    wrapQtAppsHook
  ];
  buildInputs = [
    kconfig
    kdbusaddons
    ki18n
    kirigami2
    knotifications
    qqc2-desktop-style
    qtbase
    qtkeychain
    qtmultimedia
    qtquickcontrols2
    qttools
    qtwebsockets
  ];
  meta = with lib; {
    description = "A Mastodon client for Plasma and Plasma Mobile";
    homepage = src.meta.homepage;
    license = licenses.gpl3Plus;
    platforms = platforms.unix;
    maintainers = with maintainers; [ matthiasbeyer ];
  };
 }
--- a/pkgs/zecwallet-lite/default.nix
+++ b/pkgs/zecwallet-lite/default.nix
@@ -1,30 +0,0 @@
 { lib, fetchurl, appimageTools }:
 appimageTools.wrapType2 rec {
  pname = "zecwallet-lite";
  version = "1.7.13";
  src = fetchurl {
    url = "https://github.com/adityapk00/zecwallet-lite/releases/download/v${version}/Zecwallet.Lite-${version}.AppImage";
    hash = "sha256-uBiLGHBgm0vurfvOJjJ+RqVoGnVccEHTFO2T7LDqUzU=";
  };
  extraInstallCommands =
    let contents = appimageTools.extract { inherit pname version src; };
    in ''
      mv $out/bin/${pname}-${version} $out/bin/${pname}
      install -m 444 -D ${contents}/${pname}.desktop -t $out/share/applications
      substituteInPlace $out/share/applications/${pname}.desktop \
        --replace 'Exec=AppRun' 'Exec=${pname}'
      cp -r ${contents}/usr/share/icons $out/share
    '';
  meta = with lib; {
    description = "A fully featured shielded wallet for Zcash";
    homepage = "https://www.zecwallet.co/";
    license = licenses.mit;
    maintainers = with maintainers; [ colinsane ];
    platforms = [ "x86_64-linux" ];
  };
 }
--- a/readme.md
+++ b/readme.md
@@ -1,9 +1,11 @@
 to deploy:
 ```sh
 nixos-rebuild --flake "./#servo" {build,switch}
 ```
 more options (like building packages defined in this repo):
 ```sh
 nix flake show
 ```
@@ -24,3 +26,22 @@ this can then be `dd`'d onto a disk and directly booted from a EFI system.
 there's some post-processing to do before running a rebuild on the deployed system (deploying ssh keys, optionally changing fs UUIDs, etc).
 refer to flake.nix for more details.
 ## building packages
 to build one of the custom sane packages, just name it:
 ```sh
 nix build ./#fluffychat-moby
 ```
 to build a nixpkg:
 ```sh
 nix build ./#nixpkgs.curl
 ```
 to build a package for another platform:
 ```sh
 nix build ./#packages.aarch64-linux.nixpkgs.ubootRaspberryPi4_64bit
 ```
--- a/scripts/ensure-perms
+++ b/scripts/ensure-perms
@@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 # ensures perms on a newly-built distribution are good.
 # usage: sudo ensure-perms /path/to/nix
 nix_path=$1
 chown root:root -R $nix_path
 chown root:nixbld $nix_path/store
--- a/scripts/init-keyring
+++ b/scripts/init-keyring
@@ -0,0 +1,18 @@
 #!/bin/sh
 # initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
 # this initializes it to be plaintext/unencrypted.
 if [ -f ~/.local/share/keyrings/default ]
 then
        echo 'keyring already initialized: not doing anything'
        exit 0
 fi
 keyring=~/.local/share/keyrings/Default_keyring.keyring
 echo 'initializing default user keyring:' "$keyring"
 echo '[keyring]' > "$keyring"
 echo 'display-name=Default keyring' >> "$keyring"
 echo 'lock-on-idle=false' >> "$keyring"
 echo 'lock-after=false' >> "$keyring"
 echo -n "Default_keyring" > ~/.local/share/keyrings/default
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`#! @bash@/bin/sh`
							`exec @gopassJsonapi@/bin/gopass-jsonapi listen`