moby: enable the client role

This reverts commit 35e28041cd.

this "stable" update wasn't actually stable: nheko/mtxclient
is broken on all usable branches atm:
<https://github.com/NixOS/nixpkgs/issues/211758>

flake.lock

@@ -56,27 +56,26 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs-unpatched"
-        ],
-        "patches": []
+        ]
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-d3XSehPFkNwvwlOYy7gch0NLxOgdXuV7j5r/Qsn7kHc=",
-        "path": "/nix/store/wq6rmmnd7yhw9w44k54w4x5v63ah1psr-source/nixpatches",
+        "narHash": "sha256-5zCxdHGOS0OOP7vbgTA1iwv9GVr5JSiths7QmgUsU84=",
+        "path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
         "type": "path"
       },
       "original": {
-        "path": "/nix/store/wq6rmmnd7yhw9w44k54w4x5v63ah1psr-source/nixpatches",
+        "path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
         "type": "path"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1673704454,
-        "narHash": "sha256-5Wdj1MgdOgn3+dMFIBtg+IAYZApjF8JzwLWDPieg0C4=",
+        "lastModified": 1673800717,
+        "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a83ed85c14fcf242653df6f4b0974b7e1c73c6c6",
+        "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
         "type": "github"
       },
       "original": {
@@ -104,11 +103,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1673631141,
-        "narHash": "sha256-AprpYQ5JvLS4wQG/ghm2UriZ9QZXvAwh1HlgA/6ZEVQ=",
+        "lastModified": 1673796341,
+        "narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "befc83905c965adfd33e5cae49acb0351f6e0404",
+        "rev": "6dccdc458512abce8d19f74195bb20fdb067df50",
         "type": "github"
       },
       "original": {

flake.nix

@@ -26,8 +26,6 @@
     nixpkgs = {
       url = "./nixpatches";
       inputs.nixpkgs.follows = "nixpkgs-unpatched";
-      # TODO: remove this dependency injection: it's from when we used url = path:...
-      inputs.patches.follows = "";
     };
     mobile-nixos = {
       # <https://github.com/nixos/mobile-nixos>
@@ -187,9 +185,6 @@
           description = "python environment for data processing";
         };
       };
-
-      # unofficial output; used by inputs.nixpatches
-      nixpatches = import ./nixpatches/list.nix;
     };
 }
 

hosts/by-name/desko/default.nix

@@ -6,12 +6,16 @@
 
   # sane.packages.enableDevPkgs = true;
 
-  sane.gui.sway.enable = true;
+  sane.roles.client = true;
+  sane.services.wg-home.enable = true;
+  sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.services.duplicity.enable = true;
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
+  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
   sane.persist.enable = true;
 
+  sane.gui.sway.enable = true;
+
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
@@ -19,7 +23,7 @@
   services.usbmuxd.enable = true;
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/desko.yaml;
+    sopsFile = ../../../secrets/desko.yaml;
     neededForUsers = true;
   };
 
@@ -41,7 +45,7 @@
   };
 
   sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../secrets/desko.yaml;
+    sopsFile = ../../../secrets/desko.yaml;
   };
 
   programs.steam = {

hosts/by-name/lappy/default.nix

@@ -1,9 +1,13 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   imports = [
     ./fs.nix
   ];
 
+  sane.roles.client = true;
+  sane.services.wg-home.enable = true;
+  sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
+
   # sane.packages.enableDevPkgs = true;
 
   # sane.users.guest.enable = true;
@@ -14,7 +18,7 @@
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/lappy.yaml;
+    sopsFile = ../../../secrets/lappy.yaml;
     neededForUsers = true;
   };
 

hosts/by-name/moby/default.nix

@@ -6,6 +6,11 @@
     ./kernel.nix
   ];
 
+  sane.roles.client = true;
+  # TODO
+  # sane.services.wg-home.enable = true;
+  # sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
+
   # cross-compiled documentation is *slow*.
   # no obvious way to natively compile docs (2022/09/29).
   # entrypoint is nixos/modules/misc/documentation.nix
@@ -19,7 +24,7 @@
   services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/moby.yaml;
+    sopsFile = ../../../secrets/moby.yaml;
     neededForUsers = true;
   };
 

hosts/by-name/servo/default.nix

@@ -1,29 +1,29 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [
     ./fs.nix
     ./net.nix
     ./users.nix
+    ./secrets.nix
     ./services
   ];
 
-  sane.packages.extraUserPkgs = [
+  sane.packages.extraUserPkgs = with pkgs; [
     # for administering services
-    pkgs.matrix-synapse
-    pkgs.freshrss
+    freshrss
+    matrix-synapse
+    signaldctl
   ];
   sane.persist.enable = true;
   sane.services.dyn-dns.enable = true;
+  sane.services.wg-home.enable = true;
+  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
-  sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../secrets/servo.yaml;
-  };
-
   # both transmission and ipfs try to set different net defaults.
   # we just use the most aggressive of the two here:
   boot.kernel.sysctl = {

hosts/by-name/servo/net.nix

@@ -52,18 +52,18 @@
 
   # services.resolved.extraConfig = ''
   #   # docs: `man resolved.conf`
-  #   # DNS servers to use via the `wg0` interface.
+  #   # DNS servers to use via the `wg-ovpns` interface.
   #   #   i hope that from the root ns, these aren't visible.
-  #   DNS=46.227.67.134%wg0 192.165.9.158%wg0
+  #   DNS=46.227.67.134%wg-ovpns 192.165.9.158%wg-ovpns
   #   FallbackDNS=1.1.1.1 9.9.9.9
   # '';
 
   # OVPN CONFIG (https://www.ovpn.com):
   # DOCS: https://nixos.wiki/wiki/WireGuard
-  # if you `systemctl restart wireguard-wg0`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
+  # if you `systemctl restart wireguard-wg-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
   # TODO: why not create the namespace as a seperate operation (nix config for that?)
   networking.wireguard.enable = true;
-  networking.wireguard.interfaces.wg0 = let
+  networking.wireguard.interfaces.wg-ovpns = let
     ip = "${pkgs.iproute2}/bin/ip";
     in-ns = "${ip} netns exec ovpns";
     iptables = "${pkgs.iptables}/bin/iptables";
@@ -163,9 +163,6 @@
   '';
   networking.iproute2.enable = true;
 
-  sops.secrets."wg_ovpns_privkey" = {
-    sopsFile = ../../secrets/servo.yaml;
-  };
 
   # HURRICANE ELECTRIC CONFIG:
   # networking.sits = {

hosts/by-name/servo/secrets.nix

@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  sops.secrets."ddns_afraid" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+  sops.secrets."ddns_he" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."dovecot_passwd" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."duplicity_passphrase" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."freshrss_passwd" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."matrix_synapse_secrets" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+  sops.secrets."mautrix_signal_env" = {
+    sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
+  };
+
+  sops.secrets."mediawiki_pw" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."pleroma_secrets" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."wg_ovpns_privkey" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+}

hosts/by-name/servo/services/ddns-afraid.nix

@@ -24,8 +24,4 @@ lib.mkIf false
       OnUnitActiveSec = "10min";
     };
   };
-
-  sops.secrets."ddns_afraid" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
 }

hosts/by-name/servo/services/ddns-he.nix

@@ -27,8 +27,4 @@ lib.mkIf false
       OnUnitActiveSec = "10min";
     };
   };
-
-  sops.secrets."ddns_he" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
 }

hosts/by-name/servo/services/freshrss.nix

@@ -11,8 +11,7 @@
 
 { config, lib, pkgs, sane-lib, ... }:
 {
-  sops.secrets.freshrss_passwd = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."freshrss_passwd" = {
     owner = config.users.users.freshrss.name;
     mode = "0400";
   };

hosts/by-name/servo/services/jackett.nix

@@ -7,8 +7,8 @@
   ];
   services.jackett.enable = true;
 
-  systemd.services.jackett.after = [ "wireguard-wg0.service" ];
-  systemd.services.jackett.partOf = [ "wireguard-wg0.service" ];
+  systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.jackett.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

hosts/by-name/servo/services/matrix/default.nix

@@ -9,12 +9,8 @@
     ./signal.nix
   ];
 
-  services.matrix-appservices = {
-    # configure defaults. used by e.g. ./signal.nix
-    homeserverUrl = "http://127.0.0.1:8008";
-    homeserverDomain = "uninsane.org";
-    addRegistrationFiles = true;
-  };
+  # allow synapse to read the registration files of its appservices
+  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
 
   sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
@@ -135,8 +131,7 @@
   };
 
 
-  sops.secrets.matrix_synapse_secrets = {
-    sopsFile = ../../../../secrets/servo.yaml;
+  sops.secrets."matrix_synapse_secrets" = {
     owner = config.users.users.matrix-synapse.name;
   };
 }

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -43,6 +43,7 @@
     };
   };
 
+  # TODO: should use a dedicated user
   systemd.services.mx-puppet-discord.serviceConfig = {
     # fix up to not use /var/lib/private, but just /var/lib
     DynamicUser = lib.mkForce false;

hosts/by-name/servo/services/matrix/signal.nix

@@ -0,0 +1,34 @@
+# config options:
+# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
+{ config, pkgs, ... }:
+{
+  services.signald.enable = true;
+  services.mautrix-signal.enable = true;
+  services.mautrix-signal.environmentFile =
+    config.sops.secrets.mautrix_signal_env.path;
+
+  services.mautrix-signal.settings.signal.socket_path = "/run/signald/signald.sock";
+  services.mautrix-signal.settings.homeserver.domain = "uninsane.org";
+  services.mautrix-signal.settings.bridge.permissions."@colin:uninsane.org" = "admin";
+  services.matrix-synapse.settings.app_service_config_files = [
+    # auto-created by mautrix-signal service
+    "/var/lib/mautrix-signal/signal-registration.yaml"
+  ];
+
+  systemd.services.mautrix-signal.serviceConfig = {
+    # allow communication to signald
+    SupplementaryGroups = [ "signald" ];
+    ReadWritePaths = [ "/run/signald" ];
+  };
+
+  sane.persist.sys.plaintext = [
+    { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
+  ];
+
+  sops.secrets."mautrix_signal_env" = {
+    format = "binary";
+    mode = "0440";
+    owner = config.users.users.mautrix-signal.name;
+    group = config.users.users.matrix-synapse.name;
+  };
+}

hosts/by-name/servo/services/nixserve.nix

@@ -17,5 +17,5 @@
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
 
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
+  sane.services.nixserve.sopsFile = ../../../../secrets/servo.yaml;
 }

hosts/by-name/servo/services/pleroma.nix

@@ -179,8 +179,7 @@
 
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
 
-  sops.secrets.pleroma_secrets = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."pleroma_secrets" = {
     owner = config.users.users.pleroma.name;
   };
 }

hosts/by-name/servo/services/postfix.nix

@@ -110,8 +110,8 @@ in
   services.postfix.enableSubmissions = true;
   services.postfix.submissionsOptions = submissionOptions;
 
-  systemd.services.postfix.after = [ "wireguard-wg0.service" ];
-  systemd.services.postfix.partOf = [ "wireguard-wg0.service" ];
+  systemd.services.postfix.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.postfix.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.postfix.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
@@ -132,8 +132,8 @@ in
   # keeping this the same as the hostname seems simplest
   services.opendkim.selector = "mx";
 
-  systemd.services.opendkim.after = [ "wireguard-wg0.service" ];
-  systemd.services.opendkim.partOf = [ "wireguard-wg0.service" ];
+  systemd.services.opendkim.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.opendkim.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.opendkim.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
@@ -197,8 +197,7 @@ in
     # }
   ];
 
-  sops.secrets.dovecot_passwd = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."dovecot_passwd" = {
     owner = config.users.users.dovecot2.name;
     # TODO: debug why mail can't be sent without this being world-readable
     mode = "0444";

hosts/by-name/servo/services/transmission.nix

@@ -40,8 +40,8 @@
   # transmission will by default not allow the world to read its files.
   services.transmission.downloadDirPermissions = "775";
 
-  systemd.services.transmission.after = [ "wireguard-wg0.service" ];
-  systemd.services.transmission.partOf = [ "wireguard-wg0.service" ];
+  systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
   systemd.services.transmission.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

hosts/by-name/servo/services/wikipedia.nix

@@ -8,7 +8,6 @@ lib.mkIf false
 {
   sops.secrets."mediawiki_pw" = {
     owner = config.users.users.mediawiki.name;
-    sopsFile = ../../../secrets/servo.yaml;
   };
 
   services.mediawiki.enable = true;

hosts/common/bluetooth.nix

@@ -1,16 +0,0 @@
-{ lib, pkgs, ... }:
-
-{
-  # persist external pairings by default
-  sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
-
-  sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
-  sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
-    wantedBeforeBy = [ "bluetooth.service" ];
-    # XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
-    generated.script.script = builtins.readFile ../../scripts/install-bluetooth + ''
-      touch "/var/lib/bluetooth/.secrets.stamp"
-    '';
-    generated.script.scriptArgs = [ "/run/secrets/bt" ];
-  };
-}

hosts/common/default.nix

@@ -1,11 +1,10 @@
 { pkgs, ... }:
 {
   imports = [
-    ./bluetooth.nix
     ./cross.nix
     ./feeds.nix
     ./fs.nix
-    ./hardware
+    ./hardware.nix
     ./i2p.nix
     ./ids.nix
     ./machine-id.nix
@@ -30,6 +29,9 @@
     "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
   ];
 
+  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
+  sane.fs."/var/lib/private".dir.acl.mode = "0700";
+
   nixpkgs.config.allowUnfree = true;
 
   # time.timeZone = "America/Los_Angeles";

hosts/common/ids.nix

@@ -21,6 +21,10 @@
   sane.ids.freshrss.uid = 2401;
   sane.ids.freshrss.gid = 2401;
   sane.ids.mediawiki.uid = 2402;
+  sane.ids.signald.uid = 2403;
+  sane.ids.signald.gid = 2403;
+  sane.ids.mautrix-signal.uid = 2404;
+  sane.ids.mautrix-signal.gid = 2404;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net.nix

@@ -1,16 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  # if using router's DNS, these mappings will already exist.
-  # if using a different DNS provider (which servo does), then we need to explicity provide them.
-  # ugly hack. would be better to get servo to somehow use the router's DNS
-  networking.hosts = {
-    "192.168.0.5" = [ "servo" ];
-    "192.168.0.20" = [ "lappy" ];
-    "192.168.0.22" = [ "desko" ];
-    "192.168.0.48" = [ "moby" ];
-  };
-
   # the default backend is "wpa_supplicant".
   # wpa_supplicant reliably picks weak APs to connect to.
   # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
@@ -30,14 +20,4 @@
     General.RoamThreshold = "-52";  # default -70
     General.RoamThreshold5G = "-52";  # default -76
   };
-
-  sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
-    wantedBeforeBy = [ "iwd.service" ];
-    generated.acl.mode = "0600";
-    # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
-    generated.script.script = builtins.readFile ../../scripts/install-iwd + ''
-      touch "/var/lib/iwd/.secrets.psk.stamp"
-    '';
-    generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
-  };
 }

hosts/common/ssh.nix

@@ -1,24 +1,33 @@
 { config, lib, sane-data, sane-lib, ... }:
 
+let
+  inherit (builtins) head map mapAttrs tail;
+  inherit (lib) concatStringsSep mkMerge reverseList;
+in
 {
   sane.ssh.pubkeys =
   let
     # path is a DNS-style path like [ "org" "uninsane" "root" ]
     keyNameForPath = path:
       let
-        rev = lib.reverseList path;
-        name = builtins.head rev;
-        host = lib.concatStringsSep "." (builtins.tail rev);
+        rev = reverseList path;
+        name = head rev;
+        host = concatStringsSep "." (tail rev);
       in
       "${name}@${host}";
 
     # [{ path :: [String], value :: String }] for the keys we want to install
     globalKeys = sane-lib.flattenAttrs sane-data.keys;
-    localKeys = sane-lib.flattenAttrs sane-data.keys.org.uninsane.local;
-  in lib.mkMerge (builtins.map
+    domainKeys = sane-lib.flattenAttrs (
+      mapAttrs (host: cfg: {
+        colin = cfg.ssh.user_pubkey;
+        root = cfg.ssh.host_pubkey;
+      }) config.sane.hosts.by-name
+    );
+  in mkMerge (map
     ({ path, value }: {
-      "${keyNameForPath path}" = value;
+      "${keyNameForPath path}" = lib.mkIf (value != null) value;
     })
-    (globalKeys ++ localKeys)
+    (globalKeys ++ domainKeys)
   );
 }

hosts/instantiate.nix

@@ -1,12 +1,16 @@
 # trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
 
+# args from flake-level `import`
 { hostName, localSystem }:
-{ ... }:
+
+# module args
+{ config, ... }:
 
 {
   imports = [
-    ./${hostName}
+    ./by-name/${hostName}
     ./common
+    ./modules
   ];
 
   networking.hostName = hostName;

hosts/modules/default.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  imports = [
+    ./derived-secrets.nix
+    ./hardware
+    ./hostnames.nix
+    ./hosts.nix
+    ./roles
+    ./wg-home.nix
+  ];
+}

hosts/modules/derived-secrets.nix

@@ -0,0 +1,47 @@
+{ config, lib, ... }:
+
+let
+  inherit (builtins) toString;
+  inherit (lib) mapAttrs mkOption types;
+  cfg = config.sane.derived-secrets;
+  secret = types.submodule {
+    options = {
+      len = mkOption {
+        type = types.int;
+      };
+      encoding = mkOption {
+        type = types.enum [ "base64" ];
+      };
+    };
+  };
+in
+{
+  options = {
+    sane.derived-secrets = mkOption {
+      type = types.attrsOf secret;
+      default = {};
+      description = ''
+        fs path => secret options.
+        for each entry, we create an item at the given path whose value is deterministic,
+        but also pseudo-random and not predictable by anyone without root access to the machine.
+        as PRNG source we use the host ssh key, and derived secrets are salted based on the destination path.
+      '';
+    };
+  };
+
+  config = {
+    sane.fs = mapAttrs (path: c: {
+      generated.script.script = ''
+        echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
+          | sha512sum \
+          | cut -c 1-${toString (c.len * 2)} \
+          | tr a-z A-Z \
+          | basenc -d --base16 \
+          | basenc --${c.encoding} \
+          > "$1"
+      '';
+      generated.script.scriptArgs = [ path ];
+      generated.acl.mode = "0600";
+    }) cfg;
+  };
+}

hosts/modules/hardware/default.nix

@@ -2,7 +2,6 @@
 
 {
   imports = [
-    ./all.nix
     ./x86_64.nix
   ];
 }

hosts/modules/hardware/x86_64.nix

@@ -1,8 +1,7 @@
 { lib, pkgs, ... }:
 
-with lib;
 {
-  config = mkIf (pkgs.system == "x86_64-linux") {
+  config = lib.mkIf (pkgs.system == "x86_64-linux") {
     boot.initrd.availableKernelModules = [
       "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
       "usb_storage"   # rpi needed this to boot from usb storage, i think.

hosts/modules/hostnames.nix

@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+
+{
+  # if using router's DNS, these mappings will already exist.
+  # if using a different DNS provider (which servo does), then we need to explicity provide them.
+  # ugly hack. would be better to get servo to somehow use the router's DNS
+  networking.hosts = lib.mapAttrs' (host: cfg: {
+    name = cfg.lan-ip;
+    value = [ host ];
+  }) config.sane.hosts.by-name;
+}

hosts/modules/hosts.nix

@@ -0,0 +1,98 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) attrValues filterAttrs mkMerge mkOption types;
+  cfg = config.sane.hosts;
+
+  host = types.submodule ({ config, ... }: {
+    options = {
+      ssh.user_pubkey = mkOption {
+        type = types.str;
+        description = ''
+          ssh pubkey that the primary user of this machine will use when connecting to other machines.
+          e.g. "ssh-ed25519 AAAA<base64>".
+        '';
+      };
+      ssh.host_pubkey = mkOption {
+        type = types.str;
+        description = ''
+          ssh pubkey which this host will present to connections initiated against it.
+          e.g. "ssh-ed25519 AAAA<base64>".
+        '';
+      };
+      wg-home.pubkey = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          wireguard public key for the wg-home VPN.
+          e.g. "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=".
+        '';
+      };
+      wg-home.ip = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          IP address to use on the wg-home VPN.
+          e.g. "10.0.10.5";
+        '';
+      };
+      wg-home.endpoint = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      lan-ip = mkOption {
+        type = types.str;
+        description = ''
+          ip address when on the lan.
+          e.g. "192.168.0.5";
+        '';
+      };
+    };
+  });
+in
+{
+  options = {
+    sane.hosts.by-name = mkOption {
+      type = types.attrsOf host;
+      default = {};
+      description = ''
+        map of hostname => attrset of information specific to that host,
+        like its ssh pubkey, etc.
+      '';
+    };
+  };
+
+  config = {
+    # TODO: this should be populated per-host
+    sane.hosts.by-name."desko" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+      wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
+      wg-home.ip = "10.0.10.22";
+      lan-ip = "192.168.0.22";
+    };
+
+    sane.hosts.by-name."lappy" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+      wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
+      wg-home.ip = "10.0.10.20";
+      lan-ip = "192.168.0.20";
+    };
+
+    sane.hosts.by-name."moby" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+      lan-ip = "192.168.0.48";
+    };
+
+    sane.hosts.by-name."servo" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
+      wg-home.ip = "10.0.10.5";
+      wg-home.endpoint = "uninsane.org:51820";
+      lan-ip = "192.168.0.5";
+    };
+  };
+}

hosts/modules/roles/client/bluetooth-pairings.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf config.sane.roles.client {
+    # persist external pairings by default
+    sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
+
+    sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
+    sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
+      wantedBeforeBy = [ "bluetooth.service" ];
+      # XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
+      generated.script.script = builtins.readFile ../../../../scripts/install-bluetooth + ''
+        touch "/var/lib/bluetooth/.secrets.stamp"
+      '';
+      generated.script.scriptArgs = [ "/run/secrets/bt" ];
+    };
+  };
+}

hosts/modules/roles/client/default.nix

@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkIf mkOption types;
+in
+{
+  imports = [
+    ./bluetooth-pairings.nix
+    ./wifi-pairings.nix
+  ];
+
+  # option is consumed by the other imports in this dir
+  options.sane.roles.client = mkOption {
+    type = types.bool;
+    default = false;
+  };
+}

hosts/modules/roles/client/wifi-pairings.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf config.sane.roles.client {
+    sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
+      wantedBeforeBy = [ "iwd.service" ];
+      generated.acl.mode = "0600";
+      # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
+      generated.script.script = builtins.readFile ../../../../scripts/install-iwd + ''
+        touch "/var/lib/iwd/.secrets.psk.stamp"
+      '';
+      generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
+    };
+  };
+}

hosts/modules/roles/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./client
+  ];
+}

hosts/modules/wg-home.nix

@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (builtins) filter map;
+  inherit (lib) concatMap mapAttrsToList mkIf mkMerge mkOption optionalAttrs types;
+  cfg = config.sane.services.wg-home;
+  server-cfg = config.sane.hosts.by-name."servo".wg-home;
+  mkPeer = { ips, pubkey, endpoint }: {
+    publicKey = pubkey;
+    allowedIPs = map (k: "${k}/32") ips;
+  } // (optionalAttrs (endpoint != null) {
+    inherit endpoint;
+    # send keepalives every 25 seconds to keep NAT routes live.
+    # only need to do this from client -> server though, i think.
+    persistentKeepalive = 25;
+    # allows wireguard to notice DNS/hostname changes, with this much effective TTL.
+    dynamicEndpointRefreshSeconds = 600;
+  });
+  # make separate peers to route each given host
+  mkClientPeers = hosts: map (p: mkPeer {
+    inherit (p) pubkey endpoint;
+    ips = [ p.ip ];
+  }) hosts;
+  # make a single peer which routes all the given hosts
+  mkServerPeer = hosts: mkPeer {
+    inherit (server-cfg) pubkey endpoint;
+    ips = map (h: h.ip) hosts;
+  };
+in
+{
+  options = {
+    sane.services.wg-home.enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    sane.services.wg-home.ip = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # generate a (deterministic) wireguard private key
+    sane.derived-secrets."/run/wg-home.priv" = {
+      len = 32;
+      encoding = "base64";
+    };
+
+    # wireguard VPN which allows everything on my domain to speak to each other even when
+    # not behind a shared LAN.
+    # this config defines both the endpoint (server) and client configs
+
+    # for convenience, have both the server and client use the same port for their wireguard connections.
+    networking.firewall.allowedUDPPorts = [ 51820 ];
+    networking.wireguard.interfaces.wg-home = {
+      listenPort = 51820;
+      privateKeyFile = "/run/wg-home.priv";
+      preSetup =
+        let
+          gen-key = config.sane.fs."/run/wg-home.priv".unit;
+        in
+          "${pkgs.systemd}/bin/systemctl start '${gen-key}'";
+
+      ips = [
+        "${cfg.ip}/24"
+      ];
+
+      peers =
+        let
+          all-peers = mapAttrsToList (_: hostcfg: hostcfg.wg-home) config.sane.hosts.by-name;
+          peer-list = filter (p: p.ip != null && p.ip != cfg.ip && p.pubkey != null) all-peers;
+        in
+          if cfg.ip == server-cfg.ip then
+            # if we're the server, then we maintain the entire client list
+            mkClientPeers peer-list
+          else
+            # but if we're a client, we maintain a single peer -- the server -- which does the actual routing
+            [ (mkServerPeer peer-list) ];
+    };
+  };
+}

hosts/servo/services/matrix/signal.nix

@@ -1,32 +0,0 @@
-{ ... }:
-{
-  services.signald.enable = true;
-
-  # TODO: required?
-  # comes from <nix-matrix-appservices:examples/mautrix.nix>
-  systemd.services.matrix-as-signal = {
-    requires = [ "signald.service" ];
-    after = [ "signald.service" ];
-    unitConfig = {
-      JoinsNamespaceOf = "signald.service";
-    };
-    path = [
-      pkgs.ffmpeg # voice messages need `ffmpeg`
-    ];
-  };
-
-
-  services.matrix-appservices.services.signal = {
-    port = 29184;
-    format = "mautrix-python";
-    package = pkgs.mautrix-signal;
-    serviceConfig = {
-      StateDirectory = [ "matrix-as-signal" "signald" ];
-      SupplementaryGroups = [ "signald" ];
-    };
-    settings.signal = {
-      socket_path = config.services.signald.socketPath;
-      outgoing_attachment_dir = "/var/lib/signald/tmp";
-    };
-  };
-}

modules/data/keys.nix

@@ -5,24 +5,9 @@
   org.uninsane = rec {
     root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
     git.root = root;
-
-    local = {
-      # machine aliases i specify on my lan; not actually asserted as DNS
-      desko.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
-      desko.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-
-      lappy.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
-      lappy.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
-
-      moby.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
-      moby.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
-
-      servo.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
-      servo.root = root;
-    };
   };
 
-  com.github = rec {
+  com.github = {
     # documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
     # Github actually uses multiple keys -- one per format
     root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";

modules/home-manager/default.nix

@@ -140,5 +140,7 @@ in
         cfg.programs
       ];
     };
+
+    sane.persist.home.plaintext = [ ".cache/nix-index" ];
   };
 }

modules/home-manager/firefox.nix

@@ -59,10 +59,10 @@ let
       # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
       (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=")
       (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=")
-      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-t6Q335Nq60mDILPmzem+DT5KflleAPVJL3bsaA+UL0g=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-JOj5P7c2JTTReHCRZXm4BscaGr3i+9Y4Ey/y621x8PI=")
       (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
       (addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")
-      (addon "ublacklist" "@ublacklist" "sha256-vHe/7EYOzcKeAbTElmt0Rb4E2rX0f3JgXThJaUmaz+M=")
+      (addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=")
       (addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=")
       # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
       (localAddon pkgs.browserpass-extension)

modules/packages.nix

@@ -115,7 +115,6 @@ let
     krita
     libreoffice-fresh  # XXX colin: maybe don't want this on mobile
     lollypop
-    mesa-demos
 
     { pkg = mpv; dir = [ ".config/mpv/watch_later" ]; }
 

modules/services/default.nix

@@ -4,6 +4,7 @@
     ./duplicity.nix
     ./dyn-dns.nix
     ./kiwix-serve.nix
+    ./mautrix-signal.nix
     ./nixserve.nix
     ./trust-dns.nix
   ];

modules/services/mautrix-signal.nix

@@ -0,0 +1,174 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  dataDir = "/var/lib/mautrix-signal";
+  registrationFile = "${dataDir}/signal-registration.yaml";
+  cfg = config.services.mautrix-signal;
+  settingsFormat = pkgs.formats.json {};
+  settingsFile =
+    settingsFormat.generate "mautrix-signal-config.json" cfg.settings;
+in
+{
+  options = {
+    services.mautrix-signal = {
+      enable = mkEnableOption (lib.mdDoc "Mautrix-Signal, a Matrix-Signal puppeting bridge");
+
+      settings = mkOption rec {
+        apply = recursiveUpdate default;
+        inherit (settingsFormat) type;
+        default = {
+          # defaults based on this upstream example config:
+          # - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
+          homeserver = {
+            address = "http://localhost:8008";
+            software = "standard";
+            # domain = "SETME";
+          };
+
+          appservice = rec {
+            address = "http://${hostname}:${toString port}";
+            hostname = "localhost";
+            port = 29328;
+
+            database = "sqlite:///${dataDir}/mautrix-signal.db";
+            database_opts = {};
+            bot_username = "signalbot";
+          };
+
+          bridge = {
+            username_template = "signal_{userid}";
+            permissions."*" = "relay";
+            double_puppet_server_map = {};
+            login_shared_secret_map = {};
+          };
+
+          logging = {
+            version = 1;
+
+            formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
+
+            handlers.console = {
+              class = "logging.StreamHandler";
+              formatter = "precise";
+            };
+
+            # log to console/systemd instead of file
+            root = {
+              level = "INFO";
+              handlers = ["console"];
+            };
+          };
+        };
+        example = literalExpression ''
+          {
+            homeserver = {
+              address = "http://localhost:8008";
+              domain = "mydomain.example";
+            };
+
+            bridge.permissions = {
+              "@admin:mydomain.example" = "admin";
+              "mydomain.example" = "user";
+            };
+          }
+        '';
+        description = lib.mdDoc ''
+          {file}`config.yaml` configuration as a Nix attribute set.
+          Configuration options should match those described in
+          [example-config.yaml](https://github.com/mautrix/signale/blob/master/mautrix_signal/example-config.yaml).
+        '';
+      };
+
+      environmentFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = lib.mdDoc ''
+          File containing environment variables to be passed to the mautrix-signal service,
+          in which secret tokens can be specified securely by defining values for e.g.
+          `MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN`,
+          `MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN`
+
+          These environment variables can also be used to set other options by
+          replacing hierarchy levels by `.`, converting the name to uppercase
+          and prepending `MAUTRIX_SIGNAL_`.
+          For example, the first value above maps to
+          {option}`settings.appservice.as_token`.
+
+          The environment variable values can be prefixed with `json::` to have
+          them be parsed as JSON. For example, `login_shared_secret_map` can be
+          set as follows:
+          `MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`.
+        '';
+      };
+
+      serviceDependencies = mkOption {
+        type = with types; listOf str;
+        default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
+        defaultText = literalExpression ''
+          optional config.services.matrix-synapse.enable "matrix-synapse.service"
+        '';
+        description = lib.mdDoc ''
+          List of Systemd services to require and wait for when starting the application service.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.mautrix-signal = {};
+
+    users.users.mautrix-signal = {
+      group = "mautrix-signal";
+      isSystemUser = true;
+    };
+
+    systemd.services.mautrix-signal = {
+      description = "Mautrix-Signal, a Matrix-Signal puppeting bridge.";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      path = [ pkgs.ffmpeg ];  # voice messages need `ffmpeg`
+
+      # environment.HOME = dataDir;
+
+      preStart = ''
+        # generate the appservice's registration file if absent
+        if [ ! -f '${registrationFile}' ]; then
+          ${pkgs.mautrix-signal}/bin/mautrix-signal \
+            --generate-registration \
+            --no-update \
+            --base-config='${pkgs.mautrix-signal}/${pkgs.mautrix-signal.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
+            --config='${settingsFile}' \
+            --registration='${registrationFile}'
+        fi
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+
+        User = "mautrix-signal";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+
+        PrivateTmp = true;
+        WorkingDirectory = pkgs.mautrix-signal;
+        StateDirectory = baseNameOf dataDir;
+        UMask = "0027";
+        EnvironmentFile = cfg.environmentFile;
+
+        ExecStart = ''
+          ${pkgs.mautrix-signal}/bin/mautrix-signal \
+            --config='${settingsFile}' \
+            --no-update
+        '';
+      };
+    };
+  };
+}

modules/ssh.nix

@@ -57,7 +57,7 @@ in
   options = {
     sane.ssh.pubkeys = mkOption {
       type = types.attrsOf coercedToKey;
-      default = [];
+      default = {};
       description = ''
         mapping from "user@host" to pubkey.
       '';

nixpatches/flake.nix

@@ -1,16 +1,14 @@
 {
   inputs = {
     nixpkgs = {};
-    patches = {};
   };
-  outputs = { self, nixpkgs, patches }@inputs:
+  outputs = { self, nixpkgs }@inputs:
     let
       patchedPkgsFor = system: nixpkgs.legacyPackages.${system}.applyPatches {
         name = "nixpkgs-patched-uninsane";
         src = nixpkgs;
-        patches = inputs.patches.nixpatches {
-          inherit (nixpkgs.legacyPackages.${system}) fetchpatch;
-          inherit (nixpkgs.lib) fakeHash;
+        patches = import ./list.nix {
+          inherit (nixpkgs.legacyPackages.${system}) fetchpatch fetchurl;
         };
       };
       patchedFlakeFor = system: import "${patchedPkgsFor system}/flake.nix";

nixpatches/list.nix

@@ -1,4 +1,4 @@
-{ fakeHash, fetchpatch }: [
+{ fetchpatch, fetchurl }: [
   # librewolf: build with `MOZ_REQUIRE_SIGNING=false`
   (fetchpatch {
     url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
@@ -20,6 +20,18 @@
     sha256 = "sha256-L9Ie80loaP6yl5ZFnJ1b5WMDpvO1QFE8tbrW5HBauko=";
   })
 
+  # nixos/mx-puppet-discord: move to matrix category
+  (fetchurl {
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/87c877fff84717478a96d1b0c65bd2febd350dea.diff";
+    sha256 = "sha256-E5TonCj3f8j7kxApBq/suNT5mB7z8uD00NzI34Qh2SE=";
+  })
+
+  # signaldctl: init at 0.6.1
+  (fetchurl {
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/f3c4303231537422267ca32eb97b37f0a9a11d19.diff";
+    hash = "sha256-9fIAie0x2VxbHDg9iC8/dxaXIrWi8LzHSoDk9cwAZG0=";
+  })
+
   ./2022-12-19-i2p-aarch64.patch
 
   # # kaiteki: init at 2022-09-03

overlays/pins.nix

@@ -1,3 +1,9 @@
+# when a `nixos-rebuild` fails after a nixpkgs update:
+# - take the failed package
+# - search it here: <https://hydra.nixos.org/search?query=pkgname>
+# - if it's broken by that upstream builder, then pin it: somebody will come along and fix the package.
+# - otherwise, search github issues/PRs for knowledge of it before pinning.
+# - if nobody's said anything about it yet, probably want to root cause it or hold off on updating.
 (next: prev: {
   inherit (next.stable)
     # TODO(unpin): broken on 2023/01/14 via mtxclient dep, aarch64-only:
@@ -20,5 +26,12 @@
     #   error: 1 dependencies of derivation '/nix/store/5qjxzhsw1jvh2d7jypbcam9409ivb472-user-environment.drv' failed to build
     #   error: 1 dependencies of derivation '/nix/store/hrb3qpdbisqh0lzlyz1g9g4164khmqwn-etc.drv' failed to build
     #   error: 1 dependencies of derivation '/nix/store/ny21xyicbgim5wy7ksg2hibd9gn7i01b-nixos-system-moby-23.05pre-git.drv' failed to build
-    nheko;
+    nheko
+
+    # TODO(unpin): broken build on 2023/01/16, all platforms: <https://github.com/NixOS/nixpkgs/pull/208251>
+    # fix in PR: <https://github.com/NixOS/nixpkgs/pull/211135>
+    kitty
+    # TODO(unpin): broken build on 2023/01/16. <https://hydra.nixos.org/build/205551450>
+    handbrake
+  ;
 })

overlays/pkgs.nix

@@ -57,10 +57,10 @@
       browserpass-extension = prev.callPackage ../pkgs/browserpass-extension { };
       gopass-native-messaging-host = prev.callPackage ../pkgs/gopass-native-messaging-host { };
       tokodon = prev.libsForQt5.callPackage ../pkgs/tokodon { };
-      signaldctl = prev.callPackage ../pkgs/signaldctl { };
       splatmoji = prev.callPackage ../pkgs/splatmoji { };
-      # trust-dns = prev.callPackage ../pkgs/trust-dns { };
-      # kaiteki = prev.kaiteki;
+
+      # provided by nixpkgs patch or upstream preview
+      # signaldctl = prev.callPackage ../pkgs/signaldctl { };
     };
   in sane // { inherit sane; }
 )

pkgs/bootpart-tow-boot-rpi-aarch64/default.nix

@@ -1,14 +1,13 @@
-{ stdenv, tow-boot-rp4, raspberrypifw, raspberrypi-armstubs }:
+{ stdenv, tow-boot-rpi4, raspberrypifw, raspberrypi-armstubs }:
 
 stdenv.mkDerivation rec {
   pname = "bootpart-tow-boot-rpi-aarch64";
   version = "1";
 
-  buildInputs = with [ 
+  buildInputs = [
     tow-boot-rpi4  # for Tow-Boot.*.bin
     raspberrypifw  # for bootcode.bin, *.dat, *.elf, *.dtb
     raspberrypi-armstubs  # for armstub*
-
   ];
 
   src = ./config.txt;

pkgs/sane-scripts/src/sane-stop-all-servo

@@ -10,4 +10,4 @@ sudo systemctl stop postgresql
 sudo systemctl stop duplicity.timer
 sudo systemctl stop duplicity
 sudo systemctl stop trust-dns
-sudo systemctl stop wireguard-wg0
+sudo systemctl stop wireguard-wg-ovpns

pkgs/splatmoji/default.nix

@@ -1,6 +1,11 @@
 { lib
-, stdenv
+, bash
 , fetchFromGitHub
+, fpm
+, jq
+, pandoc
+, shunit2
+, stdenv
 }:
 
 stdenv.mkDerivation rec {
@@ -14,17 +19,31 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-fsZ8FhLP3vAalRJWUEi/0fe0DlwAz5zZeRZqAuwgv/U=";
   };
 
-  dontBuild = true;
+  nativeBuildInputs = [
+    bash
+    fpm
+    jq
+    pandoc
+    shunit2
+  ];
+
+  postPatch = ''
+    patchShebangs ./build.sh
+    patchShebangs ./test/unit_tests
+  '';
+
+  buildPhase = ''
+    ./build.sh ${version} dir
+  '';
 
-  # TODO: generate a wrapper so that bin/lib, bin/data aren't linked into the environment?
   installPhase = ''
-    mkdir -p $out/bin
-    cp splatmoji $out/bin
-    cp -R lib $out/bin/lib
-    cp -R data $out/bin/data
-    cp splatmoji.config $out/bin
+    mkdir -p $out
+    cp -R build/usr/* $out
 
     patchShebangs $out/bin/splatmoji
+    # splatmoji refers to its lib and data by absolute path
+    sed -i "s:/usr/lib/splatmoji:$out/lib/splatmoji:g" $out/bin/splatmoji
+    sed -i -r "s:/usr/share/+splatmoji:$out/share/splatmoji:g" $out/lib/splatmoji/functions
   '';
 
   meta = with lib; {
@@ -32,6 +51,6 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/cspeterson/splatmoji";
     license = licenses.mit;
     maintainers = with maintainers; [ colinsane ];
-    platforms = with platforms; linux;
+    platforms = platforms.linux;
   };
-  }
+}

pkgs/sublime-music-mobile/default.nix

@@ -127,10 +127,10 @@ python3Packages.buildPythonApplication rec {
     dataclasses-json
     deepdiff
     fuzzywuzzy
+    levenshtein
     mpv
     peewee
     pygobject3
-    python-Levenshtein
     python-dateutil
     requests
     semver
@@ -144,7 +144,8 @@ python3Packages.buildPythonApplication rec {
     sed -i "/--cov/d" setup.cfg
     sed -i "/--no-cov-on-fail/d" setup.cfg
     substituteInPlace pyproject.toml \
-      --replace 'deepdiff = "^5.8.1"' 'deepdiff = ">=5.8.1"'
+      --replace 'deepdiff = "^5.8.1"' 'deepdiff = ">=5.8.1"' \
+      --replace 'python-Levenshtein = "^0.12.0"' 'levenshtein = ">=0.12.0"'
   '';
 
   # hook for gobject-introspection doesn't like strictDeps

pkgs/trust-dns/default.nix

@@ -1,33 +0,0 @@
-{ lib
-, fetchFromGitHub
-, openssl
-, pkg-config
-, rustPlatform
-}:
-
-rustPlatform.buildRustPackage rec {
-  pname = "trust-dns";
-  version = "0.22.0";
-
-  src = fetchFromGitHub {
-    owner = "bluejekyll";
-    repo = "trust-dns";
-    rev = "v${version}";
-    sha256 = "sha256-b9tK1JbTwB3ZuRPh0wb3cOFj9dMW7URXIaFzUq0Yipw=";
-  };
-  cargoHash = "sha256-mpobdeTRWJzIEmhwtcM6UE66qRD5ot/0yLeQM6Tec+0=";
-
-  buildInputs = [ openssl ];
-  nativeBuildInputs = [ pkg-config ];
-
-  # tests expect internet connectivity to query real nameservers like 8.8.8.8
-  doCheck = false;
-
-  meta = with lib; {
-    description = "A Rust based DNS client, server, and resolver";
-    homepage = "https://trust-dns.org/";
-    maintainers = with maintainers; [ colinsane ];
-    platforms = platforms.linux;
-    license = with licenses; [ asl20 mit ];
-  };
-}

secrets/servo.yaml

@@ -60,8 +60,8 @@ sops:
             cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
             aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-15T09:12:44Z"
-    mac: ENC[AES256_GCM,data:QQiTsQogs6MP9X0lrpf2FeSia6SeQP5/9dtUrWQOd2Vh/s0fBJfIGUdLeLgt5itvaD5QywY6lN9Rsx++BUN0rrwUu/uF42KOMC7wjHdSv07CYuDfvlFZItuIo5eWlfcEq9+p6/VwUXY0TU3M6Ex+mABT5XK67tnLuh/SoHUl+DA=,iv:12sa+wFdO5T7pZrLM3mnEwoJ0WmXZZLKpucEgMYQHMI=,tag:zZEz6+vTma6KDMwXi/fNZA==,type:str]
+    lastmodified: "2023-01-20T07:08:51Z"
+    mac: ENC[AES256_GCM,data:EqVTjLmDLjAxMWvJKIqDjpUKj7oVArFSQzygVZVCYHQTp0v+EGxpn1cP8x+6frQHx8EZts090iqCpcSicwGefAe6VBVvdf408YgB9+qm6QawUMaqDypoM1q4RdOjJEKxyZ408RYorQP6OA/3yctOk39P8RbMUUBlnLvqn38mFeY=,iv:wpDcFZKRGhhoHLno1IvppCz4HUAZb4atX1mUvYZbjg4=,tag:X4BdSfGE1kWFjs4T8YZR0A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

secrets/servo/mautrix_signal_env.bin

@@ -0,0 +1,32 @@
+{
+	"data": "ENC[AES256_GCM,data:5n4FNKyblSOQCC17LmLNfF49+z6ZxX9bAv/xTsyQTR+NglhEtUa+JFziu2Il0w2pscAO37sBvE9SvsM9jNG0v4GxlxlLrgEuam6Tf7Ch71lDdxDXJWMTR032WqMF7q6rYbflw8D4fkpQ9yDbgDJUErrds1JvbNhcv6oqoJ/TuhiQZLakNTprtRkw4gCDJDsyDakhv440EK80o/O1CnO+xnSmBj6mLxljQ0EeFzwhjVr1UlhWJ4wQC8TNAAvYN5gILYP0U11kROI=,iv:JZougqWF29K9mDE0kwe03FGad1CglSlxQt5xM9l7wK8=,tag:DQXUPqMvvnqP2kyYikI2ZQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2M01sL1JsODFvVWRHOVZX\nTk1wQlRkclFVZnlKK2lBOUQ1M053SUZxUVYwCjVkVmoxdkRvd3YvQmxvMmd6Ly9k\nWlZGc3M1Yi9lZ3ZRUFJiYWNlRjZ6M2cKLS0tIElTRnplV25wTmFkSVU1clRNa0NZ\nNW5IaDJWYVNCdDNhYTFSU0J6RUJQN28K4XJGpANIuIfHZuk4cinpsPeZ8mMI2jBH\nT2JGyRNm9Jyr3muV8oC/I22fAKLev8f9Svc+o/VAO4R6ZTWmTwk+dA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQnpqLy83eW9HaExkYWxL\nMHRKY3FsemZQcmVwVWx0a0YvRCtCclZrT1ZRCjJ6UVVjSm85TnVTaHFMRlg0YkNa\nOEQ4eUNyV0lEalVXbi9TVDZLUEVvaXcKLS0tICtvaHhHdmRIY2NNTFBZZ2taS0lX\nak45eW5oT2tIWVNRNmkxbUQ5K2lublUKkLfW5vRfjTpfTOeirLXRik9SJDm92pUX\nXcv9L5klKUb0O3+T0pwb9rYFfhk4eGSxS6ZFQnGrLv0lLTRZq6eocw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhM25NNlRaNDJYZlJkMjVh\nelZPekdjSHJ4ZnZEbnBCZGV4OVN2RVJCOHpNCnVFWFBNTkd4SkJ0SkdvcUdYUzRF\ncnpPUUQyWEpMU0FqQyszTXp0ZFhQeFkKLS0tIDFua2dscEtxQmdUTm14OWlqMjBI\nSXY5cTJEajd3WmNMNlB1eGtQN3RHUEEK3+zoziFJq/rzpnz8ROL5oGqnHUpJTXG8\nhCQEIOA6dO6PjoXUKd6B8bVPzlDLO5daPh0TS5NGiMlZ8qQe706Syw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByc1EzcmVzeHYyTkQ3N2Uw\nTERtdENyeGNONVpjU0FKRE1wR0RlSnhNUjM0ClU4MGwvQjFhM2xXYkNITjFMUHdF\naU50YWVjU08zWXhweXVOWU13enpMQlUKLS0tIDdIRm5GV2IxU1AxcFZldDBBeTBt\nZnRJV25IbGo5R1RySmx4ampnNzdYU0EK7PF9BEGfX6T+1Wit9MG+02sGZTXRUR0M\noVC+oHsCAojhnMP17xyDosnJQqwrNKFwKMQbH7mqBW5Ku4hGy56cGQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-01-16T11:17:12Z",
+		"mac": "ENC[AES256_GCM,data:SqOusB8Hd713NYDOkRq2Ju6q4ClN0zOeeCTCAAv+EorKHN7vgz15LuCNWj7iLX4EWrWufzHhG7JFtm6q5h64hxlfzisx3JCtMLRlb40PkDip+2gShH7X4eWcdsRw7/a40e2Qnp/hiXrhH11P1pMqbn6drUPmLy307CyRzThVrcw=,iv:gFcF4i4dqk4rOus4ZKUojD/AAkIuWzGDfqEQTej83Co=,tag:AYknOJm7QTEBR6OzN8dsiw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

secrets/universal.yaml

@@ -90,8 +90,8 @@ sops:
             YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
             wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-26T08:04:00Z"
-    mac: ENC[AES256_GCM,data:zUXMF1Rwuf3ruypEqTxCPXidMERGVp/rx8kfHhEeEmcs61ejf6M1gjhXDBLk5A+s4FpVA++aUwn0Oix7FCEor5CUmcckITgLoZfQGhjz3kuxZ+fsUnJ7Cgp/+oQYsgsntVCVMKoE7u1D4IQt7PWyrJ9Ye0HVsN50y47jTsLKsKU=,iv:NZUnhxz5WVFvORIffynFLV6xRLdZgEoLW0T2D5yQ3Ac=,tag:IQ8Qq9/T49U+aQDjqvIEjA==,type:str]
+    lastmodified: "2023-01-20T06:57:29Z"
+    mac: ENC[AES256_GCM,data:J/yLlcmlX6st/d6c8eL/6DKZiHAELb0/zj+5qOjoE2uAgTTFnojaP4ssrmt7BaLQF1MQNnvkchvuwRv+dAVTXkuYPuDWS3YriAKQIXUx9sHIEoY6Aqa37eBwUNUBuxoR6FvfOGtXrIZuS0f7hZr+ddBZgCSBBE54yeH68Va1tZk=,iv:Y/T8qykrqRVQ8eMkNH2DZa6XoGd5nL18h/2SJucVAD8=,tag:OwZfOyLc29c1bJJIA9IW3Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3