pin nheko package

flake.lock

@@ -56,26 +56,27 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs-unpatched"
-        ]
+        ],
+        "patches": []
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-5zCxdHGOS0OOP7vbgTA1iwv9GVr5JSiths7QmgUsU84=",
-        "path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
+        "narHash": "sha256-d3XSehPFkNwvwlOYy7gch0NLxOgdXuV7j5r/Qsn7kHc=",
+        "path": "nixpatches",
         "type": "path"
       },
       "original": {
-        "path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
+        "path": "nixpatches",
         "type": "path"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1673800717,
-        "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
+        "lastModified": 1673704454,
+        "narHash": "sha256-5Wdj1MgdOgn3+dMFIBtg+IAYZApjF8JzwLWDPieg0C4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
+        "rev": "a83ed85c14fcf242653df6f4b0974b7e1c73c6c6",
         "type": "github"
       },
       "original": {
@@ -103,11 +104,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1673796341,
-        "narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=",
+        "lastModified": 1673631141,
+        "narHash": "sha256-AprpYQ5JvLS4wQG/ghm2UriZ9QZXvAwh1HlgA/6ZEVQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6dccdc458512abce8d19f74195bb20fdb067df50",
+        "rev": "befc83905c965adfd33e5cae49acb0351f6e0404",
         "type": "github"
       },
       "original": {

flake.nix

@@ -24,8 +24,11 @@
     # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
     nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
     nixpkgs = {
-      url = "./nixpatches";
+      url = "path:nixpatches";
       inputs.nixpkgs.follows = "nixpkgs-unpatched";
+      # XXX: `path:` urls have poor UX in that they still get "locked" and require manual updates as if they were remote.
+      # by linking back to ourselves here, we can update `nixpatches/list.nix` *without* having to run `nix flake update` afterward.
+      inputs.patches.follows = "";
     };
     mobile-nixos = {
       # <https://github.com/nixos/mobile-nixos>
@@ -185,6 +188,9 @@
           description = "python environment for data processing";
         };
       };
+
+      # unofficial output; used by inputs.nixpatches
+      nixpatches = import ./nixpatches/list.nix;
     };
 }
 

hosts/by-name/servo/secrets.nix

@@ -1,41 +0,0 @@
-{ ... }:
-
-{
-  sops.secrets."ddns_afraid" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-  sops.secrets."ddns_he" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."dovecot_passwd" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."duplicity_passphrase" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."freshrss_passwd" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."matrix_synapse_secrets" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-  sops.secrets."mautrix_signal_env" = {
-    sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
-  };
-
-  sops.secrets."mediawiki_pw" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."pleroma_secrets" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."wg_ovpns_privkey" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-}

hosts/by-name/servo/services/matrix/signal.nix

@@ -1,34 +0,0 @@
-# config options:
-# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
-{ config, pkgs, ... }:
-{
-  services.signald.enable = true;
-  services.mautrix-signal.enable = true;
-  services.mautrix-signal.environmentFile =
-    config.sops.secrets.mautrix_signal_env.path;
-
-  services.mautrix-signal.settings.signal.socket_path = "/run/signald/signald.sock";
-  services.mautrix-signal.settings.homeserver.domain = "uninsane.org";
-  services.mautrix-signal.settings.bridge.permissions."@colin:uninsane.org" = "admin";
-  services.matrix-synapse.settings.app_service_config_files = [
-    # auto-created by mautrix-signal service
-    "/var/lib/mautrix-signal/signal-registration.yaml"
-  ];
-
-  systemd.services.mautrix-signal.serviceConfig = {
-    # allow communication to signald
-    SupplementaryGroups = [ "signald" ];
-    ReadWritePaths = [ "/run/signald" ];
-  };
-
-  sane.persist.sys.plaintext = [
-    { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
-  ];
-
-  sops.secrets."mautrix_signal_env" = {
-    format = "binary";
-    mode = "0440";
-    owner = config.users.users.mautrix-signal.name;
-    group = config.users.users.matrix-synapse.name;
-  };
-}

hosts/common/bluetooth.nix

@@ -0,0 +1,16 @@
+{ lib, pkgs, ... }:
+
+{
+  # persist external pairings by default
+  sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
+
+  sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
+  sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
+    wantedBeforeBy = [ "bluetooth.service" ];
+    # XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
+    generated.script.script = builtins.readFile ../../scripts/install-bluetooth + ''
+      touch "/var/lib/bluetooth/.secrets.stamp"
+    '';
+    generated.script.scriptArgs = [ "/run/secrets/bt" ];
+  };
+}

hosts/common/default.nix

@@ -1,10 +1,11 @@
 { pkgs, ... }:
 {
   imports = [
+    ./bluetooth.nix
     ./cross.nix
     ./feeds.nix
     ./fs.nix
-    ./hardware.nix
+    ./hardware
     ./i2p.nix
     ./ids.nix
     ./machine-id.nix
@@ -29,9 +30,6 @@
     "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
   ];
 
-  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
-  sane.fs."/var/lib/private".dir.acl.mode = "0700";
-
   nixpkgs.config.allowUnfree = true;
 
   # time.timeZone = "America/Los_Angeles";

hosts/common/hardware/default.nix

@@ -2,6 +2,7 @@
 
 {
   imports = [
+    ./all.nix
     ./x86_64.nix
   ];
 }

hosts/common/hardware/x86_64.nix

@@ -1,7 +1,8 @@
 { lib, pkgs, ... }:
 
+with lib;
 {
-  config = lib.mkIf (pkgs.system == "x86_64-linux") {
+  config = mkIf (pkgs.system == "x86_64-linux") {
     boot.initrd.availableKernelModules = [
       "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
       "usb_storage"   # rpi needed this to boot from usb storage, i think.

hosts/common/ids.nix

@@ -21,10 +21,6 @@
   sane.ids.freshrss.uid = 2401;
   sane.ids.freshrss.gid = 2401;
   sane.ids.mediawiki.uid = 2402;
-  sane.ids.signald.uid = 2403;
-  sane.ids.signald.gid = 2403;
-  sane.ids.mautrix-signal.uid = 2404;
-  sane.ids.mautrix-signal.gid = 2404;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net.nix

@@ -1,6 +1,16 @@
 { config, lib, pkgs, ... }:
 
 {
+  # if using router's DNS, these mappings will already exist.
+  # if using a different DNS provider (which servo does), then we need to explicity provide them.
+  # ugly hack. would be better to get servo to somehow use the router's DNS
+  networking.hosts = {
+    "192.168.0.5" = [ "servo" ];
+    "192.168.0.20" = [ "lappy" ];
+    "192.168.0.22" = [ "desko" ];
+    "192.168.0.48" = [ "moby" ];
+  };
+
   # the default backend is "wpa_supplicant".
   # wpa_supplicant reliably picks weak APs to connect to.
   # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
@@ -20,4 +30,14 @@
     General.RoamThreshold = "-52";  # default -70
     General.RoamThreshold5G = "-52";  # default -76
   };
+
+  sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
+    wantedBeforeBy = [ "iwd.service" ];
+    generated.acl.mode = "0600";
+    # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
+    generated.script.script = builtins.readFile ../../scripts/install-iwd + ''
+      touch "/var/lib/iwd/.secrets.psk.stamp"
+    '';
+    generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
+  };
 }

hosts/common/ssh.nix

@@ -1,33 +1,24 @@
 { config, lib, sane-data, sane-lib, ... }:
 
-let
-  inherit (builtins) head map mapAttrs tail;
-  inherit (lib) concatStringsSep mkMerge reverseList;
-in
 {
   sane.ssh.pubkeys =
   let
     # path is a DNS-style path like [ "org" "uninsane" "root" ]
     keyNameForPath = path:
       let
-        rev = reverseList path;
-        name = head rev;
-        host = concatStringsSep "." (tail rev);
+        rev = lib.reverseList path;
+        name = builtins.head rev;
+        host = lib.concatStringsSep "." (builtins.tail rev);
       in
       "${name}@${host}";
 
     # [{ path :: [String], value :: String }] for the keys we want to install
     globalKeys = sane-lib.flattenAttrs sane-data.keys;
-    domainKeys = sane-lib.flattenAttrs (
-      mapAttrs (host: cfg: {
-        colin = cfg.ssh.user_pubkey;
-        root = cfg.ssh.host_pubkey;
-      }) config.sane.hosts.by-name
-    );
-  in mkMerge (map
+    localKeys = sane-lib.flattenAttrs sane-data.keys.org.uninsane.local;
+  in lib.mkMerge (builtins.map
     ({ path, value }: {
-      "${keyNameForPath path}" = lib.mkIf (value != null) value;
+      "${keyNameForPath path}" = value;
     })
-    (globalKeys ++ domainKeys)
+    (globalKeys ++ localKeys)
   );
 }

hosts/desko/default.nix

@@ -6,16 +6,12 @@
 
   # sane.packages.enableDevPkgs = true;
 
-  sane.roles.client = true;
-  sane.services.wg-home.enable = true;
-  sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
+  sane.gui.sway.enable = true;
   sane.services.duplicity.enable = true;
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
+  sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
   sane.persist.enable = true;
 
-  sane.gui.sway.enable = true;
-
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
@@ -23,7 +19,7 @@
   services.usbmuxd.enable = true;
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/desko.yaml;
+    sopsFile = ../../secrets/desko.yaml;
     neededForUsers = true;
   };
 
@@ -45,7 +41,7 @@
   };
 
   sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../../secrets/desko.yaml;
+    sopsFile = ../../secrets/desko.yaml;
   };
 
   programs.steam = {

hosts/instantiate.nix

@@ -1,16 +1,12 @@
 # trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
 
-# args from flake-level `import`
 { hostName, localSystem }:
-
-# module args
-{ config, ... }:
+{ ... }:
 
 {
   imports = [
-    ./by-name/${hostName}
+    ./${hostName}
     ./common
-    ./modules
   ];
 
   networking.hostName = hostName;

hosts/lappy/default.nix

@@ -1,13 +1,9 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   imports = [
     ./fs.nix
   ];
 
-  sane.roles.client = true;
-  sane.services.wg-home.enable = true;
-  sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
-
   # sane.packages.enableDevPkgs = true;
 
   # sane.users.guest.enable = true;
@@ -18,7 +14,7 @@
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/lappy.yaml;
+    sopsFile = ../../secrets/lappy.yaml;
     neededForUsers = true;
   };
 

hosts/moby/default.nix

@@ -6,11 +6,6 @@
     ./kernel.nix
   ];
 
-  sane.roles.client = true;
-  # TODO
-  # sane.services.wg-home.enable = true;
-  # sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
-
   # cross-compiled documentation is *slow*.
   # no obvious way to natively compile docs (2022/09/29).
   # entrypoint is nixos/modules/misc/documentation.nix
@@ -24,7 +19,7 @@
   services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/moby.yaml;
+    sopsFile = ../../secrets/moby.yaml;
     neededForUsers = true;
   };
 

hosts/modules/default.nix

@@ -1,12 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./derived-secrets.nix
-    ./hardware
-    ./hostnames.nix
-    ./hosts.nix
-    ./roles
-    ./wg-home.nix
-  ];
-}

hosts/modules/derived-secrets.nix

@@ -1,47 +0,0 @@
-{ config, lib, ... }:
-
-let
-  inherit (builtins) toString;
-  inherit (lib) mapAttrs mkOption types;
-  cfg = config.sane.derived-secrets;
-  secret = types.submodule {
-    options = {
-      len = mkOption {
-        type = types.int;
-      };
-      encoding = mkOption {
-        type = types.enum [ "base64" ];
-      };
-    };
-  };
-in
-{
-  options = {
-    sane.derived-secrets = mkOption {
-      type = types.attrsOf secret;
-      default = {};
-      description = ''
-        fs path => secret options.
-        for each entry, we create an item at the given path whose value is deterministic,
-        but also pseudo-random and not predictable by anyone without root access to the machine.
-        as PRNG source we use the host ssh key, and derived secrets are salted based on the destination path.
-      '';
-    };
-  };
-
-  config = {
-    sane.fs = mapAttrs (path: c: {
-      generated.script.script = ''
-        echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
-          | sha512sum \
-          | cut -c 1-${toString (c.len * 2)} \
-          | tr a-z A-Z \
-          | basenc -d --base16 \
-          | basenc --${c.encoding} \
-          > "$1"
-      '';
-      generated.script.scriptArgs = [ path ];
-      generated.acl.mode = "0600";
-    }) cfg;
-  };
-}

hosts/modules/hostnames.nix

@@ -1,11 +0,0 @@
-{ config, lib, ... }:
-
-{
-  # if using router's DNS, these mappings will already exist.
-  # if using a different DNS provider (which servo does), then we need to explicity provide them.
-  # ugly hack. would be better to get servo to somehow use the router's DNS
-  networking.hosts = lib.mapAttrs' (host: cfg: {
-    name = cfg.lan-ip;
-    value = [ host ];
-  }) config.sane.hosts.by-name;
-}

hosts/modules/hosts.nix

@@ -1,98 +0,0 @@
-{ config, lib, ... }:
-
-let
-  inherit (lib) attrValues filterAttrs mkMerge mkOption types;
-  cfg = config.sane.hosts;
-
-  host = types.submodule ({ config, ... }: {
-    options = {
-      ssh.user_pubkey = mkOption {
-        type = types.str;
-        description = ''
-          ssh pubkey that the primary user of this machine will use when connecting to other machines.
-          e.g. "ssh-ed25519 AAAA<base64>".
-        '';
-      };
-      ssh.host_pubkey = mkOption {
-        type = types.str;
-        description = ''
-          ssh pubkey which this host will present to connections initiated against it.
-          e.g. "ssh-ed25519 AAAA<base64>".
-        '';
-      };
-      wg-home.pubkey = mkOption {
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
-          wireguard public key for the wg-home VPN.
-          e.g. "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=".
-        '';
-      };
-      wg-home.ip = mkOption {
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
-          IP address to use on the wg-home VPN.
-          e.g. "10.0.10.5";
-        '';
-      };
-      wg-home.endpoint = mkOption {
-        type = types.nullOr types.str;
-        default = null;
-      };
-      lan-ip = mkOption {
-        type = types.str;
-        description = ''
-          ip address when on the lan.
-          e.g. "192.168.0.5";
-        '';
-      };
-    };
-  });
-in
-{
-  options = {
-    sane.hosts.by-name = mkOption {
-      type = types.attrsOf host;
-      default = {};
-      description = ''
-        map of hostname => attrset of information specific to that host,
-        like its ssh pubkey, etc.
-      '';
-    };
-  };
-
-  config = {
-    # TODO: this should be populated per-host
-    sane.hosts.by-name."desko" = {
-      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
-      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-      wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
-      wg-home.ip = "10.0.10.22";
-      lan-ip = "192.168.0.22";
-    };
-
-    sane.hosts.by-name."lappy" = {
-      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
-      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
-      wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
-      wg-home.ip = "10.0.10.20";
-      lan-ip = "192.168.0.20";
-    };
-
-    sane.hosts.by-name."moby" = {
-      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
-      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
-      lan-ip = "192.168.0.48";
-    };
-
-    sane.hosts.by-name."servo" = {
-      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
-      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-      wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
-      wg-home.ip = "10.0.10.5";
-      wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.0.5";
-    };
-  };
-}

hosts/modules/roles/client/bluetooth-pairings.nix

@@ -1,18 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  config = lib.mkIf config.sane.roles.client {
-    # persist external pairings by default
-    sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
-
-    sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
-    sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
-      wantedBeforeBy = [ "bluetooth.service" ];
-      # XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
-      generated.script.script = builtins.readFile ../../../../scripts/install-bluetooth + ''
-        touch "/var/lib/bluetooth/.secrets.stamp"
-      '';
-      generated.script.scriptArgs = [ "/run/secrets/bt" ];
-    };
-  };
-}

hosts/modules/roles/client/default.nix

@@ -1,17 +0,0 @@
-{ config, lib, ... }:
-
-let
-  inherit (lib) mkIf mkOption types;
-in
-{
-  imports = [
-    ./bluetooth-pairings.nix
-    ./wifi-pairings.nix
-  ];
-
-  # option is consumed by the other imports in this dir
-  options.sane.roles.client = mkOption {
-    type = types.bool;
-    default = false;
-  };
-}

hosts/modules/roles/client/wifi-pairings.nix

@@ -1,15 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  config = lib.mkIf config.sane.roles.client {
-    sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
-      wantedBeforeBy = [ "iwd.service" ];
-      generated.acl.mode = "0600";
-      # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
-      generated.script.script = builtins.readFile ../../../../scripts/install-iwd + ''
-        touch "/var/lib/iwd/.secrets.psk.stamp"
-      '';
-      generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
-    };
-  };
-}

hosts/modules/roles/default.nix

@@ -1,6 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./client
-  ];
-}

hosts/modules/wg-home.nix

@@ -1,80 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  inherit (builtins) filter map;
-  inherit (lib) concatMap mapAttrsToList mkIf mkMerge mkOption optionalAttrs types;
-  cfg = config.sane.services.wg-home;
-  server-cfg = config.sane.hosts.by-name."servo".wg-home;
-  mkPeer = { ips, pubkey, endpoint }: {
-    publicKey = pubkey;
-    allowedIPs = map (k: "${k}/32") ips;
-  } // (optionalAttrs (endpoint != null) {
-    inherit endpoint;
-    # send keepalives every 25 seconds to keep NAT routes live.
-    # only need to do this from client -> server though, i think.
-    persistentKeepalive = 25;
-    # allows wireguard to notice DNS/hostname changes, with this much effective TTL.
-    dynamicEndpointRefreshSeconds = 600;
-  });
-  # make separate peers to route each given host
-  mkClientPeers = hosts: map (p: mkPeer {
-    inherit (p) pubkey endpoint;
-    ips = [ p.ip ];
-  }) hosts;
-  # make a single peer which routes all the given hosts
-  mkServerPeer = hosts: mkPeer {
-    inherit (server-cfg) pubkey endpoint;
-    ips = map (h: h.ip) hosts;
-  };
-in
-{
-  options = {
-    sane.services.wg-home.enable = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    sane.services.wg-home.ip = mkOption {
-      type = types.str;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    # generate a (deterministic) wireguard private key
-    sane.derived-secrets."/run/wg-home.priv" = {
-      len = 32;
-      encoding = "base64";
-    };
-
-    # wireguard VPN which allows everything on my domain to speak to each other even when
-    # not behind a shared LAN.
-    # this config defines both the endpoint (server) and client configs
-
-    # for convenience, have both the server and client use the same port for their wireguard connections.
-    networking.firewall.allowedUDPPorts = [ 51820 ];
-    networking.wireguard.interfaces.wg-home = {
-      listenPort = 51820;
-      privateKeyFile = "/run/wg-home.priv";
-      preSetup =
-        let
-          gen-key = config.sane.fs."/run/wg-home.priv".unit;
-        in
-          "${pkgs.systemd}/bin/systemctl start '${gen-key}'";
-
-      ips = [
-        "${cfg.ip}/24"
-      ];
-
-      peers =
-        let
-          all-peers = mapAttrsToList (_: hostcfg: hostcfg.wg-home) config.sane.hosts.by-name;
-          peer-list = filter (p: p.ip != null && p.ip != cfg.ip && p.pubkey != null) all-peers;
-        in
-          if cfg.ip == server-cfg.ip then
-            # if we're the server, then we maintain the entire client list
-            mkClientPeers peer-list
-          else
-            # but if we're a client, we maintain a single peer -- the server -- which does the actual routing
-            [ (mkServerPeer peer-list) ];
-    };
-  };
-}

hosts/servo/default.nix

@@ -1,29 +1,29 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 
 {
   imports = [
     ./fs.nix
     ./net.nix
     ./users.nix
-    ./secrets.nix
     ./services
   ];
 
-  sane.packages.extraUserPkgs = with pkgs; [
+  sane.packages.extraUserPkgs = [
     # for administering services
-    freshrss
-    matrix-synapse
-    signaldctl
+    pkgs.matrix-synapse
+    pkgs.freshrss
   ];
   sane.persist.enable = true;
   sane.services.dyn-dns.enable = true;
-  sane.services.wg-home.enable = true;
-  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  sops.secrets.duplicity_passphrase = {
+    sopsFile = ../../secrets/servo.yaml;
+  };
+
   # both transmission and ipfs try to set different net defaults.
   # we just use the most aggressive of the two here:
   boot.kernel.sysctl = {

hosts/servo/net.nix

@@ -52,18 +52,18 @@
 
   # services.resolved.extraConfig = ''
   #   # docs: `man resolved.conf`
-  #   # DNS servers to use via the `wg-ovpns` interface.
+  #   # DNS servers to use via the `wg0` interface.
   #   #   i hope that from the root ns, these aren't visible.
-  #   DNS=46.227.67.134%wg-ovpns 192.165.9.158%wg-ovpns
+  #   DNS=46.227.67.134%wg0 192.165.9.158%wg0
   #   FallbackDNS=1.1.1.1 9.9.9.9
   # '';
 
   # OVPN CONFIG (https://www.ovpn.com):
   # DOCS: https://nixos.wiki/wiki/WireGuard
-  # if you `systemctl restart wireguard-wg-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
+  # if you `systemctl restart wireguard-wg0`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
   # TODO: why not create the namespace as a seperate operation (nix config for that?)
   networking.wireguard.enable = true;
-  networking.wireguard.interfaces.wg-ovpns = let
+  networking.wireguard.interfaces.wg0 = let
     ip = "${pkgs.iproute2}/bin/ip";
     in-ns = "${ip} netns exec ovpns";
     iptables = "${pkgs.iptables}/bin/iptables";
@@ -159,10 +159,13 @@
   # create a new routing table that we can use to proxy traffic out of the root namespace
   # through the ovpns namespace, and to the WAN via VPN.
   networking.iproute2.rttablesExtraConfig = ''
-    5 ovpns
+  5 ovpns
   '';
   networking.iproute2.enable = true;
 
+  sops.secrets."wg_ovpns_privkey" = {
+    sopsFile = ../../secrets/servo.yaml;
+  };
 
   # HURRICANE ELECTRIC CONFIG:
   # networking.sits = {

hosts/servo/services/ddns-afraid.nix

@@ -24,4 +24,8 @@ lib.mkIf false
       OnUnitActiveSec = "10min";
     };
   };
+
+  sops.secrets."ddns_afraid" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
 }

hosts/servo/services/ddns-he.nix

@@ -27,4 +27,8 @@ lib.mkIf false
       OnUnitActiveSec = "10min";
     };
   };
+
+  sops.secrets."ddns_he" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
 }

hosts/servo/services/ejabberd.nix

@@ -46,8 +46,6 @@
   }];
 
   # provide access to certs
-  # TODO: this should just be `acme`. then we also add nginx to the `acme` group.
-  #   why is /var/lib/acme/* owned by `nginx` group??
   users.users.ejabberd.extraGroups = [ "nginx" ];
 
   security.acme.certs."uninsane.org".extraDomainNames = [

hosts/servo/services/freshrss.nix

@@ -11,7 +11,8 @@
 
 { config, lib, pkgs, sane-lib, ... }:
 {
-  sops.secrets."freshrss_passwd" = {
+  sops.secrets.freshrss_passwd = {
+    sopsFile = ../../../secrets/servo.yaml;
     owner = config.users.users.freshrss.name;
     mode = "0400";
   };

hosts/servo/services/jackett.nix

@@ -7,8 +7,8 @@
   ];
   services.jackett.enable = true;
 
-  systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.jackett.after = [ "wireguard-wg0.service" ];
+  systemd.services.jackett.partOf = [ "wireguard-wg0.service" ];
   systemd.services.jackett.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

hosts/servo/services/matrix/default.nix

@@ -6,12 +6,8 @@
   imports = [
     ./discord-puppet.nix
     # ./irc.nix
-    ./signal.nix
   ];
 
-  # allow synapse to read the registration files of its appservices
-  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
-
   sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
   ];
@@ -131,7 +127,8 @@
   };
 
 
-  sops.secrets."matrix_synapse_secrets" = {
+  sops.secrets.matrix_synapse_secrets = {
+    sopsFile = ../../../../secrets/servo.yaml;
     owner = config.users.users.matrix-synapse.name;
   };
 }

hosts/servo/services/matrix/discord-puppet.nix

@@ -43,7 +43,6 @@
     };
   };
 
-  # TODO: should use a dedicated user
   systemd.services.mx-puppet-discord.serviceConfig = {
     # fix up to not use /var/lib/private, but just /var/lib
     DynamicUser = lib.mkForce false;

hosts/servo/services/nixserve.nix

@@ -17,5 +17,5 @@
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
 
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../../../secrets/servo.yaml;
+  sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
 }

hosts/servo/services/pleroma.nix

@@ -179,7 +179,8 @@
 
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
 
-  sops.secrets."pleroma_secrets" = {
+  sops.secrets.pleroma_secrets = {
+    sopsFile = ../../../secrets/servo.yaml;
     owner = config.users.users.pleroma.name;
   };
 }

hosts/servo/services/postfix.nix

@@ -110,8 +110,8 @@ in
   services.postfix.enableSubmissions = true;
   services.postfix.submissionsOptions = submissionOptions;
 
-  systemd.services.postfix.after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.postfix.partOf = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.postfix.after = [ "wireguard-wg0.service" ];
+  systemd.services.postfix.partOf = [ "wireguard-wg0.service" ];
   systemd.services.postfix.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
@@ -132,8 +132,8 @@ in
   # keeping this the same as the hostname seems simplest
   services.opendkim.selector = "mx";
 
-  systemd.services.opendkim.after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.opendkim.partOf = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.opendkim.after = [ "wireguard-wg0.service" ];
+  systemd.services.opendkim.partOf = [ "wireguard-wg0.service" ];
   systemd.services.opendkim.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
@@ -197,7 +197,8 @@ in
     # }
   ];
 
-  sops.secrets."dovecot_passwd" = {
+  sops.secrets.dovecot_passwd = {
+    sopsFile = ../../../secrets/servo.yaml;
     owner = config.users.users.dovecot2.name;
     # TODO: debug why mail can't be sent without this being world-readable
     mode = "0444";

hosts/servo/services/transmission.nix

@@ -40,8 +40,8 @@
   # transmission will by default not allow the world to read its files.
   services.transmission.downloadDirPermissions = "775";
 
-  systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.transmission.after = [ "wireguard-wg0.service" ];
+  systemd.services.transmission.partOf = [ "wireguard-wg0.service" ];
   systemd.services.transmission.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

hosts/servo/services/wikipedia.nix

@@ -8,6 +8,7 @@ lib.mkIf false
 {
   sops.secrets."mediawiki_pw" = {
     owner = config.users.users.mediawiki.name;
+    sopsFile = ../../../secrets/servo.yaml;
   };
 
   services.mediawiki.enable = true;

modules/data/keys.nix

@@ -5,9 +5,24 @@
   org.uninsane = rec {
     root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
     git.root = root;
+
+    local = {
+      # machine aliases i specify on my lan; not actually asserted as DNS
+      desko.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+      desko.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+
+      lappy.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+      lappy.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+
+      moby.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+      moby.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+
+      servo.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+      servo.root = root;
+    };
   };
 
-  com.github = {
+  com.github = rec {
     # documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
     # Github actually uses multiple keys -- one per format
     root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";

modules/home-manager/default.nix

@@ -140,7 +140,5 @@ in
         cfg.programs
       ];
     };
-
-    sane.persist.home.plaintext = [ ".cache/nix-index" ];
   };
 }

modules/home-manager/firefox.nix

@@ -59,10 +59,10 @@ let
       # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
       (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=")
       (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=")
-      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-JOj5P7c2JTTReHCRZXm4BscaGr3i+9Y4Ey/y621x8PI=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-t6Q335Nq60mDILPmzem+DT5KflleAPVJL3bsaA+UL0g=")
       (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
       (addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")
-      (addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=")
+      (addon "ublacklist" "@ublacklist" "sha256-vHe/7EYOzcKeAbTElmt0Rb4E2rX0f3JgXThJaUmaz+M=")
       (addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=")
       # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
       (localAddon pkgs.browserpass-extension)

modules/packages.nix

@@ -115,6 +115,7 @@ let
     krita
     libreoffice-fresh  # XXX colin: maybe don't want this on mobile
     lollypop
+    mesa-demos
 
     { pkg = mpv; dir = [ ".config/mpv/watch_later" ]; }
 

modules/services/default.nix

@@ -4,7 +4,6 @@
     ./duplicity.nix
     ./dyn-dns.nix
     ./kiwix-serve.nix
-    ./mautrix-signal.nix
     ./nixserve.nix
     ./trust-dns.nix
   ];

modules/services/mautrix-signal.nix

@@ -1,174 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  dataDir = "/var/lib/mautrix-signal";
-  registrationFile = "${dataDir}/signal-registration.yaml";
-  cfg = config.services.mautrix-signal;
-  settingsFormat = pkgs.formats.json {};
-  settingsFile =
-    settingsFormat.generate "mautrix-signal-config.json" cfg.settings;
-in
-{
-  options = {
-    services.mautrix-signal = {
-      enable = mkEnableOption (lib.mdDoc "Mautrix-Signal, a Matrix-Signal puppeting bridge");
-
-      settings = mkOption rec {
-        apply = recursiveUpdate default;
-        inherit (settingsFormat) type;
-        default = {
-          # defaults based on this upstream example config:
-          # - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
-          homeserver = {
-            address = "http://localhost:8008";
-            software = "standard";
-            # domain = "SETME";
-          };
-
-          appservice = rec {
-            address = "http://${hostname}:${toString port}";
-            hostname = "localhost";
-            port = 29328;
-
-            database = "sqlite:///${dataDir}/mautrix-signal.db";
-            database_opts = {};
-            bot_username = "signalbot";
-          };
-
-          bridge = {
-            username_template = "signal_{userid}";
-            permissions."*" = "relay";
-            double_puppet_server_map = {};
-            login_shared_secret_map = {};
-          };
-
-          logging = {
-            version = 1;
-
-            formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
-
-            handlers.console = {
-              class = "logging.StreamHandler";
-              formatter = "precise";
-            };
-
-            # log to console/systemd instead of file
-            root = {
-              level = "INFO";
-              handlers = ["console"];
-            };
-          };
-        };
-        example = literalExpression ''
-          {
-            homeserver = {
-              address = "http://localhost:8008";
-              domain = "mydomain.example";
-            };
-
-            bridge.permissions = {
-              "@admin:mydomain.example" = "admin";
-              "mydomain.example" = "user";
-            };
-          }
-        '';
-        description = lib.mdDoc ''
-          {file}`config.yaml` configuration as a Nix attribute set.
-          Configuration options should match those described in
-          [example-config.yaml](https://github.com/mautrix/signale/blob/master/mautrix_signal/example-config.yaml).
-        '';
-      };
-
-      environmentFile = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        description = lib.mdDoc ''
-          File containing environment variables to be passed to the mautrix-signal service,
-          in which secret tokens can be specified securely by defining values for e.g.
-          `MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN`,
-          `MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN`
-
-          These environment variables can also be used to set other options by
-          replacing hierarchy levels by `.`, converting the name to uppercase
-          and prepending `MAUTRIX_SIGNAL_`.
-          For example, the first value above maps to
-          {option}`settings.appservice.as_token`.
-
-          The environment variable values can be prefixed with `json::` to have
-          them be parsed as JSON. For example, `login_shared_secret_map` can be
-          set as follows:
-          `MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`.
-        '';
-      };
-
-      serviceDependencies = mkOption {
-        type = with types; listOf str;
-        default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
-        defaultText = literalExpression ''
-          optional config.services.matrix-synapse.enable "matrix-synapse.service"
-        '';
-        description = lib.mdDoc ''
-          List of Systemd services to require and wait for when starting the application service.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.groups.mautrix-signal = {};
-
-    users.users.mautrix-signal = {
-      group = "mautrix-signal";
-      isSystemUser = true;
-    };
-
-    systemd.services.mautrix-signal = {
-      description = "Mautrix-Signal, a Matrix-Signal puppeting bridge.";
-
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
-      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
-      path = [ pkgs.ffmpeg ];  # voice messages need `ffmpeg`
-
-      # environment.HOME = dataDir;
-
-      preStart = ''
-        # generate the appservice's registration file if absent
-        if [ ! -f '${registrationFile}' ]; then
-          ${pkgs.mautrix-signal}/bin/mautrix-signal \
-            --generate-registration \
-            --no-update \
-            --base-config='${pkgs.mautrix-signal}/${pkgs.mautrix-signal.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
-            --config='${settingsFile}' \
-            --registration='${registrationFile}'
-        fi
-      '';
-
-      serviceConfig = {
-        Type = "simple";
-        Restart = "always";
-
-        User = "mautrix-signal";
-
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectControlGroups = true;
-
-        PrivateTmp = true;
-        WorkingDirectory = pkgs.mautrix-signal;
-        StateDirectory = baseNameOf dataDir;
-        UMask = "0027";
-        EnvironmentFile = cfg.environmentFile;
-
-        ExecStart = ''
-          ${pkgs.mautrix-signal}/bin/mautrix-signal \
-            --config='${settingsFile}' \
-            --no-update
-        '';
-      };
-    };
-  };
-}

modules/ssh.nix

@@ -57,7 +57,7 @@ in
   options = {
     sane.ssh.pubkeys = mkOption {
       type = types.attrsOf coercedToKey;
-      default = {};
+      default = [];
       description = ''
         mapping from "user@host" to pubkey.
       '';

nixpatches/flake.nix

@@ -1,14 +1,16 @@
 {
   inputs = {
     nixpkgs = {};
+    patches = {};
   };
-  outputs = { self, nixpkgs }@inputs:
+  outputs = { self, nixpkgs, patches }@inputs:
     let
       patchedPkgsFor = system: nixpkgs.legacyPackages.${system}.applyPatches {
         name = "nixpkgs-patched-uninsane";
         src = nixpkgs;
-        patches = import ./list.nix {
-          inherit (nixpkgs.legacyPackages.${system}) fetchpatch fetchurl;
+        patches = inputs.patches.nixpatches {
+          inherit (nixpkgs.legacyPackages.${system}) fetchpatch;
+          inherit (nixpkgs.lib) fakeHash;
         };
       };
       patchedFlakeFor = system: import "${patchedPkgsFor system}/flake.nix";

nixpatches/list.nix

@@ -1,4 +1,4 @@
-{ fetchpatch, fetchurl }: [
+{ fakeHash, fetchpatch }: [
   # librewolf: build with `MOZ_REQUIRE_SIGNING=false`
   (fetchpatch {
     url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
@@ -20,18 +20,6 @@
     sha256 = "sha256-L9Ie80loaP6yl5ZFnJ1b5WMDpvO1QFE8tbrW5HBauko=";
   })
 
-  # nixos/mx-puppet-discord: move to matrix category
-  (fetchurl {
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/87c877fff84717478a96d1b0c65bd2febd350dea.diff";
-    sha256 = "sha256-E5TonCj3f8j7kxApBq/suNT5mB7z8uD00NzI34Qh2SE=";
-  })
-
-  # signaldctl: init at 0.6.1
-  (fetchurl {
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/f3c4303231537422267ca32eb97b37f0a9a11d19.diff";
-    hash = "sha256-9fIAie0x2VxbHDg9iC8/dxaXIrWi8LzHSoDk9cwAZG0=";
-  })
-
   ./2022-12-19-i2p-aarch64.patch
 
   # # kaiteki: init at 2022-09-03

overlays/pins.nix

@@ -1,9 +1,3 @@
-# when a `nixos-rebuild` fails after a nixpkgs update:
-# - take the failed package
-# - search it here: <https://hydra.nixos.org/search?query=pkgname>
-# - if it's broken by that upstream builder, then pin it: somebody will come along and fix the package.
-# - otherwise, search github issues/PRs for knowledge of it before pinning.
-# - if nobody's said anything about it yet, probably want to root cause it or hold off on updating.
 (next: prev: {
   inherit (next.stable)
     # TODO(unpin): broken on 2023/01/14 via mtxclient dep, aarch64-only:
@@ -26,12 +20,5 @@
     #   error: 1 dependencies of derivation '/nix/store/5qjxzhsw1jvh2d7jypbcam9409ivb472-user-environment.drv' failed to build
     #   error: 1 dependencies of derivation '/nix/store/hrb3qpdbisqh0lzlyz1g9g4164khmqwn-etc.drv' failed to build
     #   error: 1 dependencies of derivation '/nix/store/ny21xyicbgim5wy7ksg2hibd9gn7i01b-nixos-system-moby-23.05pre-git.drv' failed to build
-    nheko
-
-    # TODO(unpin): broken build on 2023/01/16, all platforms: <https://github.com/NixOS/nixpkgs/pull/208251>
-    # fix in PR: <https://github.com/NixOS/nixpkgs/pull/211135>
-    kitty
-    # TODO(unpin): broken build on 2023/01/16. <https://hydra.nixos.org/build/205551450>
-    handbrake
-  ;
+    nheko;
 })

overlays/pkgs.nix

@@ -57,10 +57,10 @@
       browserpass-extension = prev.callPackage ../pkgs/browserpass-extension { };
       gopass-native-messaging-host = prev.callPackage ../pkgs/gopass-native-messaging-host { };
       tokodon = prev.libsForQt5.callPackage ../pkgs/tokodon { };
+      signaldctl = prev.callPackage ../pkgs/signaldctl { };
       splatmoji = prev.callPackage ../pkgs/splatmoji { };
-
-      # provided by nixpkgs patch or upstream preview
-      # signaldctl = prev.callPackage ../pkgs/signaldctl { };
+      # trust-dns = prev.callPackage ../pkgs/trust-dns { };
+      # kaiteki = prev.kaiteki;
     };
   in sane // { inherit sane; }
 )

pkgs/bootpart-tow-boot-rpi-aarch64/default.nix

@@ -1,13 +1,14 @@
-{ stdenv, tow-boot-rpi4, raspberrypifw, raspberrypi-armstubs }:
+{ stdenv, tow-boot-rp4, raspberrypifw, raspberrypi-armstubs }:
 
 stdenv.mkDerivation rec {
   pname = "bootpart-tow-boot-rpi-aarch64";
   version = "1";
 
-  buildInputs = [
+  buildInputs = with [ 
     tow-boot-rpi4  # for Tow-Boot.*.bin
     raspberrypifw  # for bootcode.bin, *.dat, *.elf, *.dtb
     raspberrypi-armstubs  # for armstub*
+
   ];
 
   src = ./config.txt;

pkgs/sane-scripts/src/sane-stop-all-servo

@@ -10,4 +10,4 @@ sudo systemctl stop postgresql
 sudo systemctl stop duplicity.timer
 sudo systemctl stop duplicity
 sudo systemctl stop trust-dns
-sudo systemctl stop wireguard-wg-ovpns
+sudo systemctl stop wireguard-wg0

pkgs/splatmoji/default.nix

@@ -1,11 +1,6 @@
 { lib
-, bash
-, fetchFromGitHub
-, fpm
-, jq
-, pandoc
-, shunit2
 , stdenv
+, fetchFromGitHub
 }:
 
 stdenv.mkDerivation rec {
@@ -19,31 +14,17 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-fsZ8FhLP3vAalRJWUEi/0fe0DlwAz5zZeRZqAuwgv/U=";
   };
 
-  nativeBuildInputs = [
-    bash
-    fpm
-    jq
-    pandoc
-    shunit2
-  ];
-
-  postPatch = ''
-    patchShebangs ./build.sh
-    patchShebangs ./test/unit_tests
-  '';
-
-  buildPhase = ''
-    ./build.sh ${version} dir
-  '';
+  dontBuild = true;
 
+  # TODO: generate a wrapper so that bin/lib, bin/data aren't linked into the environment?
   installPhase = ''
-    mkdir -p $out
-    cp -R build/usr/* $out
+    mkdir -p $out/bin
+    cp splatmoji $out/bin
+    cp -R lib $out/bin/lib
+    cp -R data $out/bin/data
+    cp splatmoji.config $out/bin
 
     patchShebangs $out/bin/splatmoji
-    # splatmoji refers to its lib and data by absolute path
-    sed -i "s:/usr/lib/splatmoji:$out/lib/splatmoji:g" $out/bin/splatmoji
-    sed -i -r "s:/usr/share/+splatmoji:$out/share/splatmoji:g" $out/lib/splatmoji/functions
   '';
 
   meta = with lib; {
@@ -51,6 +32,6 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/cspeterson/splatmoji";
     license = licenses.mit;
     maintainers = with maintainers; [ colinsane ];
-    platforms = platforms.linux;
+    platforms = with platforms; linux;
   };
-}
+  }

pkgs/sublime-music-mobile/default.nix

@@ -127,10 +127,10 @@ python3Packages.buildPythonApplication rec {
     dataclasses-json
     deepdiff
     fuzzywuzzy
-    levenshtein
     mpv
     peewee
     pygobject3
+    python-Levenshtein
     python-dateutil
     requests
     semver
@@ -144,8 +144,7 @@ python3Packages.buildPythonApplication rec {
     sed -i "/--cov/d" setup.cfg
     sed -i "/--no-cov-on-fail/d" setup.cfg
     substituteInPlace pyproject.toml \
-      --replace 'deepdiff = "^5.8.1"' 'deepdiff = ">=5.8.1"' \
-      --replace 'python-Levenshtein = "^0.12.0"' 'levenshtein = ">=0.12.0"'
+      --replace 'deepdiff = "^5.8.1"' 'deepdiff = ">=5.8.1"'
   '';
 
   # hook for gobject-introspection doesn't like strictDeps

pkgs/trust-dns/default.nix

@@ -0,0 +1,33 @@
+{ lib
+, fetchFromGitHub
+, openssl
+, pkg-config
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "trust-dns";
+  version = "0.22.0";
+
+  src = fetchFromGitHub {
+    owner = "bluejekyll";
+    repo = "trust-dns";
+    rev = "v${version}";
+    sha256 = "sha256-b9tK1JbTwB3ZuRPh0wb3cOFj9dMW7URXIaFzUq0Yipw=";
+  };
+  cargoHash = "sha256-mpobdeTRWJzIEmhwtcM6UE66qRD5ot/0yLeQM6Tec+0=";
+
+  buildInputs = [ openssl ];
+  nativeBuildInputs = [ pkg-config ];
+
+  # tests expect internet connectivity to query real nameservers like 8.8.8.8
+  doCheck = false;
+
+  meta = with lib; {
+    description = "A Rust based DNS client, server, and resolver";
+    homepage = "https://trust-dns.org/";
+    maintainers = with maintainers; [ colinsane ];
+    platforms = platforms.linux;
+    license = with licenses; [ asl20 mit ];
+  };
+}

secrets/servo.yaml

@@ -60,8 +60,8 @@ sops:
             cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
             aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-20T07:08:51Z"
-    mac: ENC[AES256_GCM,data:EqVTjLmDLjAxMWvJKIqDjpUKj7oVArFSQzygVZVCYHQTp0v+EGxpn1cP8x+6frQHx8EZts090iqCpcSicwGefAe6VBVvdf408YgB9+qm6QawUMaqDypoM1q4RdOjJEKxyZ408RYorQP6OA/3yctOk39P8RbMUUBlnLvqn38mFeY=,iv:wpDcFZKRGhhoHLno1IvppCz4HUAZb4atX1mUvYZbjg4=,tag:X4BdSfGE1kWFjs4T8YZR0A==,type:str]
+    lastmodified: "2022-12-15T09:12:44Z"
+    mac: ENC[AES256_GCM,data:QQiTsQogs6MP9X0lrpf2FeSia6SeQP5/9dtUrWQOd2Vh/s0fBJfIGUdLeLgt5itvaD5QywY6lN9Rsx++BUN0rrwUu/uF42KOMC7wjHdSv07CYuDfvlFZItuIo5eWlfcEq9+p6/VwUXY0TU3M6Ex+mABT5XK67tnLuh/SoHUl+DA=,iv:12sa+wFdO5T7pZrLM3mnEwoJ0WmXZZLKpucEgMYQHMI=,tag:zZEz6+vTma6KDMwXi/fNZA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

secrets/servo/mautrix_signal_env.bin

@@ -1,32 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:5n4FNKyblSOQCC17LmLNfF49+z6ZxX9bAv/xTsyQTR+NglhEtUa+JFziu2Il0w2pscAO37sBvE9SvsM9jNG0v4GxlxlLrgEuam6Tf7Ch71lDdxDXJWMTR032WqMF7q6rYbflw8D4fkpQ9yDbgDJUErrds1JvbNhcv6oqoJ/TuhiQZLakNTprtRkw4gCDJDsyDakhv440EK80o/O1CnO+xnSmBj6mLxljQ0EeFzwhjVr1UlhWJ4wQC8TNAAvYN5gILYP0U11kROI=,iv:JZougqWF29K9mDE0kwe03FGad1CglSlxQt5xM9l7wK8=,tag:DQXUPqMvvnqP2kyYikI2ZQ==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2M01sL1JsODFvVWRHOVZX\nTk1wQlRkclFVZnlKK2lBOUQ1M053SUZxUVYwCjVkVmoxdkRvd3YvQmxvMmd6Ly9k\nWlZGc3M1Yi9lZ3ZRUFJiYWNlRjZ6M2cKLS0tIElTRnplV25wTmFkSVU1clRNa0NZ\nNW5IaDJWYVNCdDNhYTFSU0J6RUJQN28K4XJGpANIuIfHZuk4cinpsPeZ8mMI2jBH\nT2JGyRNm9Jyr3muV8oC/I22fAKLev8f9Svc+o/VAO4R6ZTWmTwk+dA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQnpqLy83eW9HaExkYWxL\nMHRKY3FsemZQcmVwVWx0a0YvRCtCclZrT1ZRCjJ6UVVjSm85TnVTaHFMRlg0YkNa\nOEQ4eUNyV0lEalVXbi9TVDZLUEVvaXcKLS0tICtvaHhHdmRIY2NNTFBZZ2taS0lX\nak45eW5oT2tIWVNRNmkxbUQ5K2lublUKkLfW5vRfjTpfTOeirLXRik9SJDm92pUX\nXcv9L5klKUb0O3+T0pwb9rYFfhk4eGSxS6ZFQnGrLv0lLTRZq6eocw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhM25NNlRaNDJYZlJkMjVh\nelZPekdjSHJ4ZnZEbnBCZGV4OVN2RVJCOHpNCnVFWFBNTkd4SkJ0SkdvcUdYUzRF\ncnpPUUQyWEpMU0FqQyszTXp0ZFhQeFkKLS0tIDFua2dscEtxQmdUTm14OWlqMjBI\nSXY5cTJEajd3WmNMNlB1eGtQN3RHUEEK3+zoziFJq/rzpnz8ROL5oGqnHUpJTXG8\nhCQEIOA6dO6PjoXUKd6B8bVPzlDLO5daPh0TS5NGiMlZ8qQe706Syw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByc1EzcmVzeHYyTkQ3N2Uw\nTERtdENyeGNONVpjU0FKRE1wR0RlSnhNUjM0ClU4MGwvQjFhM2xXYkNITjFMUHdF\naU50YWVjU08zWXhweXVOWU13enpMQlUKLS0tIDdIRm5GV2IxU1AxcFZldDBBeTBt\nZnRJV25IbGo5R1RySmx4ampnNzdYU0EK7PF9BEGfX6T+1Wit9MG+02sGZTXRUR0M\noVC+oHsCAojhnMP17xyDosnJQqwrNKFwKMQbH7mqBW5Ku4hGy56cGQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2023-01-16T11:17:12Z",
-		"mac": "ENC[AES256_GCM,data:SqOusB8Hd713NYDOkRq2Ju6q4ClN0zOeeCTCAAv+EorKHN7vgz15LuCNWj7iLX4EWrWufzHhG7JFtm6q5h64hxlfzisx3JCtMLRlb40PkDip+2gShH7X4eWcdsRw7/a40e2Qnp/hiXrhH11P1pMqbn6drUPmLy307CyRzThVrcw=,iv:gFcF4i4dqk4rOus4ZKUojD/AAkIuWzGDfqEQTej83Co=,tag:AYknOJm7QTEBR6OzN8dsiw==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
-	}
-}

secrets/universal.yaml

@@ -90,8 +90,8 @@ sops:
             YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
             wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-20T06:57:29Z"
-    mac: ENC[AES256_GCM,data:J/yLlcmlX6st/d6c8eL/6DKZiHAELb0/zj+5qOjoE2uAgTTFnojaP4ssrmt7BaLQF1MQNnvkchvuwRv+dAVTXkuYPuDWS3YriAKQIXUx9sHIEoY6Aqa37eBwUNUBuxoR6FvfOGtXrIZuS0f7hZr+ddBZgCSBBE54yeH68Va1tZk=,iv:Y/T8qykrqRVQ8eMkNH2DZa6XoGd5nL18h/2SJucVAD8=,tag:OwZfOyLc29c1bJJIA9IW3Q==,type:str]
+    lastmodified: "2022-12-26T08:04:00Z"
+    mac: ENC[AES256_GCM,data:zUXMF1Rwuf3ruypEqTxCPXidMERGVp/rx8kfHhEeEmcs61ejf6M1gjhXDBLk5A+s4FpVA++aUwn0Oix7FCEor5CUmcckITgLoZfQGhjz3kuxZ+fsUnJ7Cgp/+oQYsgsntVCVMKoE7u1D4IQt7PWyrJ9Ye0HVsN50y47jTsLKsKU=,iv:NZUnhxz5WVFvORIffynFLV6xRLdZgEoLW0T2D5yQ3Ac=,tag:IQ8Qq9/T49U+aQDjqvIEjA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3