moby: fix lightdm-mobile-greeter config to work again

recompiling librewolf is not practical -- until the addon signing is
upstreamed

flake.lock

@@ -22,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1665996265,
-        "narHash": "sha256-/k9og6LDBQwT+f/tJ5ClcWiUl8kCX5m6ognhsAxOiCY=",
+        "lastModified": 1667299227,
+        "narHash": "sha256-vAJPFSDYUq3DdCL8OzTg4xObRNW+yA1Pt+NzbhGu1f8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b81e128fc053ab3159d7b464d9b7dedc9d6a6891",
+        "rev": "f0ecd4b1db5e15103e955b18cb94bea4296e5c45",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1666573922,
-        "narHash": "sha256-CqB8Y5HajptSFE8Em990dcYZIHJWBiO9zd1us4Mzx8M=",
+        "lastModified": 1667160126,
+        "narHash": "sha256-YRgxMHdvMuLsuXCaKs5YNMD6NKgvcATSjfi9YkUOOLk=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "1351091d2537040454fa232d8b94e745ab0eb5a3",
+        "rev": "da56c338a2b00c868697b75bdbd388f60d50c820",
         "type": "github"
       },
       "original": {
@@ -69,11 +69,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1666447894,
-        "narHash": "sha256-i9WHX4w/et4qPMzEXd9POmnO0/bthjr7R4cblKNHGms=",
+        "lastModified": 1667231093,
+        "narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "95aeaf83c247b8f5aa561684317ecd860476fcd6",
+        "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
         "type": "github"
       },
       "original": {
@@ -84,11 +84,11 @@
     },
     "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1666488099,
-        "narHash": "sha256-DANs2epN5QgvxWzH7xF3dzb4WE0lEuMLrMEu/vPmQxw=",
+        "lastModified": 1667091951,
+        "narHash": "sha256-62sz0fn06Nq8OaeBYrYSR3Y6hUcp8/PC4dJ7HeGaOhU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f9115594149ebcb409a42e303bec4956814a8419",
+        "rev": "6440d13df2327d2db13d3b17e419784020b71d22",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1666401273,
-        "narHash": "sha256-AG3MoIjcWwz1SPjJ2nymWu4NmeVj9P40OpB1lsmxFtg=",
+        "lastModified": 1667254466,
+        "narHash": "sha256-YrMQzDVOo+uz5gg1REj2q/uVhJE3WcpkqGiMzh3Da3o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3933d8bb9120573c0d8d49dc5e890cb211681490",
+        "rev": "1b4722674c315de0e191d0d79790b4eac51570a1",
         "type": "github"
       },
       "original": {
@@ -120,27 +120,10 @@
         "mobile-nixos": "mobile-nixos",
         "nixpkgs": "nixpkgs",
         "nixpkgs-stable": "nixpkgs-stable",
-        "rycee": "rycee",
         "sops-nix": "sops-nix",
         "uninsane": "uninsane"
       }
     },
-    "rycee": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1666843362,
-        "narHash": "sha256-xn2bW9/MT0u8Ptlk+f323p46Q/ktZkzMp7oj5SlYDxU=",
-        "owner": "rycee",
-        "repo": "nur-expressions",
-        "rev": "43d3a363c126968db46585b88b8eb97dd32634ad",
-        "type": "gitlab"
-      },
-      "original": {
-        "owner": "rycee",
-        "repo": "nur-expressions",
-        "type": "gitlab"
-      }
-    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
@@ -149,11 +132,11 @@
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1666499473,
-        "narHash": "sha256-q1eFnBFL0kHgcnUPeKagw3BfbE/5sMJNGL2E2AR+a2M=",
+        "lastModified": 1667102919,
+        "narHash": "sha256-DP5j4TwXe96eZf0PLgYSj1Hdyt7SPUoQ003iNBQSKpQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "1b5f9512a265f0c9687dbff47893180f777f4809",
+        "rev": "448ec3e7eb7c7e4563cc2471db748a71baaf9698",
         "type": "github"
       },
       "original": {
@@ -170,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1665758541,
-        "narHash": "sha256-ibR8bPwHlDjavri5cNVnoo5FmFk1IfNMmQXxat5biqs=",
+        "lastModified": 1666870107,
+        "narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
         "ref": "refs/heads/master",
-        "rev": "4ad1801f6cecd678bbeae5dfe5933448dd7b3360",
-        "revCount": 163,
+        "rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
+        "revCount": 164,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -14,10 +14,6 @@
       url = "github:nix-community/home-manager/release-22.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    rycee = {
-      url = "gitlab:rycee/nur-expressions";
-      flake = false;
-    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -35,7 +31,6 @@
     nixpkgs-stable,
     mobile-nixos,
     home-manager,
-    rycee,
     sops-nix,
     impermanence,
     uninsane
@@ -66,7 +61,6 @@
         {
           nixpkgs.overlays = [
             (import "${mobile-nixos}/overlay/overlay.nix")
-            (import "${rycee}/overlay.nix")
             uninsane.overlay
             (import ./pkgs/overlay.nix)
             (next: prev: rec {
@@ -78,6 +72,8 @@
               # pinned packages:
               electrum = stable.electrum;  # 2022-10-10: build break
               sequoia = stable.sequoia;    # 2022-10-13: build break
+              # cross-compatible packages
+              gocryptfs = cross.gocryptfs;
             })
           ];
         }
@@ -118,7 +114,6 @@
       allPkgsFor = sys: (customPackagesFor sys sys) // {
         nixpkgs = nixpkgsFor sys sys;
         uninsane = uninsane.packages."${sys}";
-        rycee = (import "${rycee}/default.nix" { pkgs = nixpkgsFor sys sys; });
       };
     in {
       x86_64-linux = allPkgsFor "x86_64-linux";

machines/desko/default.nix

@@ -4,6 +4,8 @@
     ./fs.nix
   ];
 
+  # sane.home-packages.enableDevPkgs = true;
+
   sane.gui.sway.enable = true;
   sane.services.duplicity.enable = true;
   sane.services.nixserve.enable = true;

machines/lappy/default.nix

@@ -4,6 +4,8 @@
     ./fs.nix
   ];
 
+  # sane.home-packages.enableDevPkgs = true;
+
   # sane.users.guest.enable = true;
   sane.gui.sway.enable = true;
   sane.impermanence.enable = true;

machines/moby/default.nix

@@ -25,7 +25,7 @@
 
   # usability compromises
   sane.impermanence.home-dirs = [
-    ".librewolf"
+    config.sane.web-browser.dotDir
   ];
 
   # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging

modules/gui/phosh.nix

@@ -89,19 +89,16 @@ in
       services.xserver.displayManager.lightdm.extraSeatDefaults = ''
         user-session = phosh
       '';
-      services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
-      services.xserver.displayManager.lightdm.greeter = {
-        enable = true;
-        package = pkgs.lightdm-mobile-greeter.xgreeters;
-        name = "lightdm-mobile-greeter";
-      };
-      # services.xserver.displayManager.lightdm.enable = true;
-      # # services.xserver.displayManager.lightdm.greeters.enso.enable = true;  # tried (with reboot); got a mouse then died. next time was black
-      # # services.xserver.displayManager.lightdm.greeters.gtk.enable = true;  # tried (with reboot); unusable without OSK
-      # # services.xserver.displayManager.lightdm.greeters.mini.enable = true;  # tried (with reboot); unusable without OSK
-      # # services.xserver.displayManager.lightdm.greeters.pantheon.enable = true; # tried (no reboot); unusable without OSK
-      # services.xserver.displayManager.lightdm.greeters.slick.enable = true;  # tried; unusable without OSK (a11y -> OSK doesn't work)
-      # # services.xserver.displayManager.lightdm.greeters.tiny.enable = true;  # tried; block screen
+      # services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
+      # services.xserver.displayManager.lightdm.greeter = {
+      #   enable = true;
+      #   package = pkgs.lightdm-mobile-greeter.xgreeters;
+      #   name = "lightdm-mobile-greeter";
+      # };
+      # # services.xserver.displayManager.lightdm.enable = true;
+
+      services.xserver.displayManager.lightdm.enable = true;
+      services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
 
       systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
     })

modules/impermanence.nix

@@ -41,7 +41,7 @@ in
     sane.image.extraDirectories = [ "/nix/persist/var/log" ];
     environment.persistence."/nix/persist" = {
       directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
-        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
+        # NB: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
         # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
         # "/etc/nixos"
         # "/etc/ssh"  # persist only the specific files we want, instead
@@ -71,28 +71,24 @@ in
         #
         # servo additions:
       ] ++ cfg.service-dirs);
-      files = [ "/etc/machine-id" ];
+      # /etc/machine-id is a globally unique identifier used for:
+      # - systemd-networkd: DHCP lease renewal (instead of keying by the MAC address)
+      # - systemd-journald: to filter logs by host
+      # - chromium (potentially to track re-installations)
+      # - gdbus; system services that might upgrade to AF_LOCAL if both services can confirm they're on the same machine
+      # of these, systemd-networkd is the only legitimate case to persist the machine-id.
+      # depersisting it should be "safe"; edge-cases like systemd-networkd can be directed to use some other ID if necessary.
+      # nixos-impermanence shows binding the host ssh priv key to this; i could probably hash the host key into /etc/machine-id if necessary.
+      # files = [ "/etc/machine-id" ];
     };
 
-    # secret decoding depends on /etc/ssh keys, which are persisted
-    system.activationScripts.setupSecrets.deps = [ "persist-files" ];
-    # `setupSecretsForUsers` should depend on `persist-files`,
-    # but `persist-files` itself depends on `users`, to this would be circular.
-    # we work around that by manually mounting the ssh host key.
-    # strictly speaking, this makes the `setupSecrets -> persist-files` dep extraneous,
-    # but it's a decent safety net in case something goes wrong.
-    # system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
-    system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers {
+    # secret decoding depends on /etc/ssh keys, which may be persisted
+    system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
+    system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {
       deps = [ "persist-ssh-host-keys" ];
     };
-    system.activationScripts.persist-ssh-host-keys = lib.mkIf secretsForUsers (
-      let
-        key_dir = "/etc/ssh/host_keys";
-      in ''
-        mkdir -p ${key_dir}
-        mount -o bind /nix/persist${key_dir} ${key_dir}
-      ''
-    );
+    # populated by ssh.nix, which persists /etc/ssh/host_keys
+    system.activationScripts.persist-ssh-host-keys.text = lib.mkDefault "";
   };
 }
 

modules/universal/default.nix

@@ -7,6 +7,7 @@
     ./home-manager
     ./home-packages.nix
     ./net.nix
+    ./machine-id.nix
     ./secrets.nix
     ./ssh.nix
     ./system-packages.nix

modules/universal/home-manager/default.nix

@@ -20,9 +20,9 @@ in
   imports = [
     ./aerc.nix
     ./discord.nix
+    ./firefox.nix
     ./git.nix
     ./kitty.nix
-    ./librewolf.nix
     ./mpv.nix
     ./nb.nix
     ./neovim.nix
@@ -134,7 +134,7 @@ in
       # - `xdg-mime query filetype path/to/thing.ext`
       xdg.mimeApps.enable = true;
       xdg.mimeApps.defaultApplications = let
-        www = "librewolf.desktop";
+        www = sysconfig.sane.web-browser.desktop;
         pdf = "org.gnome.Evince.desktop";
         md = "obsidian.desktop";
         thumb = "org.gnome.gThumb.desktop";

modules/universal/home-manager/firefox.nix

@@ -0,0 +1,139 @@
+# common settings to toggle (at runtime, in about:config):
+#   > security.ssl.require_safe_negotiation
+
+# librewolf is a forked firefox which patches firefox to allow more things
+# (like default search engines) to be configurable at runtime.
+# many of the settings below won't have effect without those patches.
+# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
+
+{ config, lib, pkgs, ...}:
+with lib;
+let
+  cfg = config.sane.web-browser;
+  # allow easy switching between firefox and librewolf with `defaultSettings`, below
+  librewolfSettings = {
+    browser = pkgs.librewolf-unwrapped;
+    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
+    #   # this allows side-loading unsigned addons
+    #   MOZ_REQUIRE_SIGNING = false;
+    # });
+    libName = "librewolf";
+    dotDir = ".librewolf";
+    desktop = "librewolf.desktop";
+  };
+  firefoxSettings = {
+    browser = pkgs.firefox-esr-unwrapped;
+    libName = "firefox";
+    dotDir = ".mozilla/firefox";
+    desktop = "firefox.desktop";
+  };
+  defaultSettings = firefoxSettings;
+  # defaultSettings = librewolfSettings;
+
+  package = pkgs.wrapFirefox cfg.browser {
+    # inherit the default librewolf.cfg
+    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
+    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
+    inherit (cfg) libName;
+
+    extraNativeMessagingHosts = [ pkgs.browserpass ];
+    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
+
+    nixExtensions = let
+      addon = name: extid: hash: pkgs.fetchFirefoxAddon {
+        inherit name hash;
+        url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
+        fixedExtid = extid;
+      };
+      localAddon = pkg: pkgs.fetchFirefoxAddon {
+        inherit (pkg) name;
+        src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
+        fixedExtid = pkg.extid;
+      };
+    in [
+      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-C+VQyaJ8BA0ErXGVTdnppJZ6J9SP+izf6RFxdS4VJoU=")
+      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-au5GGn22n4i6VrdOKqNMOrWdMoVCcpLdjO2wwRvyx7E=")
+      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-m14onUlnpLDPHezA/soKygcc76tF1fLG52tM/LkbAXQ=")
+      (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
+      (addon "ether-metamask" "webextension@metamask.io" "sha256-dnpwKpNF0KgHMAlz5btkkZySjMsnrXECS35ClkD2XHc=")
+      # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
+      (localAddon pkgs.browserpass-extension)
+    ];
+
+    extraPolicies = {
+      NoDefaultBookmarks = true;
+      SearchEngines = {
+        Default = "DuckDuckGo";
+      };
+      AppUpdateURL = "https://localhost";
+      DisableAppUpdate = true;
+      OverrideFirstRunPage = "";
+      OverridePostUpdatePage = "";
+      DisableSystemAddonUpdate = true;
+      DisableFirefoxStudies = true;
+      DisableTelemetry = true;
+      DisableFeedbackCommands = true;
+      DisablePocket = true;
+      DisableSetDesktopBackground = false;
+
+      # remove many default search providers
+      # XXX this seems to prevent the `nixExtensions` from taking effect
+      # Extensions.Uninstall = [
+      #   "google@search.mozilla.org"
+      #   "bing@search.mozilla.org"
+      #   "amazondotcom@search.mozilla.org"
+      #   "ebay@search.mozilla.org"
+      #   "twitter@search.mozilla.org"
+      # ];
+      # XXX doesn't seem to have any effect...
+      # docs: https://github.com/mozilla/policy-templates#homepage
+      # Homepage = {
+      #   HomepageURL = "https://uninsane.org/";
+      #   StartPage = "homepage";
+      # };
+      # NewTabPage = true;
+    };
+  };
+in
+{
+  options = {
+    sane.web-browser = mkOption {
+      default = defaultSettings;
+      type = types.attrs;
+    };
+  };
+  config = {
+    # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
+    home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
+      programs.firefox = {
+        enable = true;
+        inherit package;
+      };
+
+      # uBlock filter list configuration.
+      # specifically, enable the GDPR cookie prompt blocker.
+      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
+      # this configuration method is documented here:
+      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
+      # the specific attribute path is found via scraping ublock code here:
+      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
+      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
+      home.file."${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json".text = ''
+        {
+         "name": "uBlock0@raymondhill.net",
+         "description": "ignored",
+         "type": "storage",
+         "data": {
+            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
+         }
+        }
+      '';
+      home.file."${cfg.dotDir}/${cfg.libName}.overrides.cfg".text = ''
+        // if we can't query the revocation status of a SSL cert because the issuer is offline,
+        // treat it as unrevoked.
+        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+        defaultPref("security.OCSP.require", false);
+      '';
+    };
+  };
+}

modules/universal/home-manager/librewolf.nix

@@ -1,102 +0,0 @@
-# common settings to toggle (at runtime, in about:config):
-#   > security.ssl.require_safe_negotiation
-
-# librewolf is a forked firefox which patches firefox to allow more things
-# (like default search engines) to be configurable at runtime.
-# many of the settings below won't have effect without those patches.
-# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
-
-{ config, lib, pkgs, ...}:
-let
-  package = pkgs.wrapFirefox pkgs.librewolf-unwrapped {
-    # inherit the default librewolf.cfg
-    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-    libName = "librewolf";
-
-    extraNativeMessagingHosts = [ pkgs.browserpass ];
-    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
-
-    extraPolicies = {
-      NoDefaultBookmarks = true;
-      SearchEngines = {
-        Default = "DuckDuckGo";
-      };
-      AppUpdateURL = "https://localhost";
-      DisableAppUpdate = true;
-      OverrideFirstRunPage = "";
-      OverridePostUpdatePage = "";
-      DisableSystemAddonUpdate = true;
-      DisableFirefoxStudies = true;
-      DisableTelemetry = true;
-      DisableFeedbackCommands = true;
-      DisablePocket = true;
-      DisableSetDesktopBackground = false;
-      Extensions = {
-        Install = let
-          addon = pkg: addonId: "${pkg}/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/${addonId}.xpi";
-        in with pkgs.firefox-addons; [
-          # the extension key is found by building and checking the output: `nix build '.#rycee.firefox-addons.<foo>'`
-          # or by taking the `addonId` input to `buildFirefoxXpiAddon` in rycee's firefox-addons repo
-          (addon ublock-origin "uBlock0@raymondhill.net")
-          (addon sponsorblock "sponsorBlocker@ajay.app")
-          (addon bypass-paywalls-clean "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}")
-          (addon sidebery "{3c078156-979c-498b-8990-85f7987dd929}")
-          (addon browserpass "browserpass@maximbaz.com")
-          (addon metamask "webextension@metamask.io")
-          # extensions can alternatively be installed by URL, in which case they are fetched (and cached) on first run.
-          # "https://addons.mozilla.org/firefox/downloads/latest/gopass-bridge/latest.xpi"
-        ];
-        # remove many default search providers
-        Uninstall = [
-          "google@search.mozilla.org"
-          "bing@search.mozilla.org"
-          "amazondotcom@search.mozilla.org"
-          "ebay@search.mozilla.org"
-          "twitter@search.mozilla.org"
-        ];
-      };
-      # XXX doesn't seem to have any effect...
-      # docs: https://github.com/mozilla/policy-templates#homepage
-      # Homepage = {
-      #   HomepageURL = "https://uninsane.org/";
-      #   StartPage = "homepage";
-      # };
-      # NewTabPage = true;
-    };
-  };
-in
-{
-  # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
-  home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
-    programs.firefox = {
-      enable = true;
-      inherit package;
-    };
-
-    # uBlock filter list configuration.
-    # specifically, enable the GDPR cookie prompt blocker.
-    # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
-    # this configuration method is documented here:
-    # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
-    # the specific attribute path is found via scraping ublock code here:
-    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
-    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-    home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
-      {
-       "name": "uBlock0@raymondhill.net",
-       "description": "ignored",
-       "type": "storage",
-       "data": {
-          "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
-       }
-      }
-    '';
-    home.file.".librewolf/librewolf.overrides.cfg".text = ''
-      // if we can't query the revocation status of a SSL cert because the issuer is offline,
-      // treat it as unrevoked.
-      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
-      defaultPref("security.OCSP.require", false);
-    '';
-  };
-}

modules/universal/home-manager/neovim.nix

@@ -45,7 +45,7 @@
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
       # this is required for tree-sitter to even highlight
       ({
-        plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
+        plugin = nvim-treesitter.withAllGrammars;
         type = "lua";
         config = ''
           require'nvim-treesitter.configs'.setup {

modules/universal/home-packages.nix

@@ -168,6 +168,7 @@ let
     # gcc-arm-embedded
     # gcc_multi
     gnumake
+    mercurial
     mix2nix
     rustup
     swig

modules/universal/machine-id.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  # we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
+  # logs from previous boots.
+  # maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
+  # but for now generate it from ssh keys.
+  system.activationScripts.machine-id = {
+    deps = [ "persist-ssh-host-keys" ];
+    text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
+  };
+}

modules/universal/ssh.nix

@@ -1,9 +1,19 @@
 { ... }:
 {
-  # we place the host keys (which we want to be persisted) into their own directory to ease that.
+  # we place the host keys (which we want to be persisted) into their own directory so that we can
+  # bind mount that whole directory instead of doing it per-file.
   # otherwise, this is identical to nixos defaults
   sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
 
+  # we can't naively `mount /etc/ssh/host_keys` directly,
+  # as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
+  # we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
+  # since that also depends on `users`.
+  system.activationScripts.persist-ssh-host-keys.text = ''
+    mkdir -p /etc/ssh/host_keys
+    mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
+  '';
+
   services.openssh.hostKeys = [
     { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
     { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }

nixpatches/list.nix

@@ -1,18 +1,28 @@
 fetchpatch: [
   # phosh-mobile-settings: init at 0.21.1
   (fetchpatch {
-    url = "http://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
     # url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
     sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
   })
 
-  # freshrss: fix ExecStart path
+  # librewolf: build with `MOZ_REQUIRE_SIGNING=false`
   (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/197731.diff";
-    # url = "http://git.uninsane.org/colin/nixpkgs/commit/e4235c60b71bec66fe8f811cdbdd229bcf98915f.diff";
-    sha256 = "sha256-SL7tddw0YZWzZ+JhosoTyBuEahEJEjMuV4WEBCg9OM0=";
+    url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
+    # url = "https://git.uninsane.org/colin/nixpkgs/commit/99b82e07fee4d194520d6e8d51bc45c80a4d3c7e.diff";
+    sha256 = "sha256-FOAZYaMpSPMYwU26xYD+V/f+df0JjlbuVtqjlcBFW5Q=";
   })
 
+  # lightdm-mobile-greeter: init at 2022-10-30
+  (fetchpatch {
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/0a9018c8879d8fe871ee03bc386f8d148e4f88b8.diff";
+    sha256 = "sha256-h1+K8UO4+G6yvl6JFd8xBGitPgOCIY7BunW49eGkXQQ=";
+  })
+  # lightdm: add `greeters.mobile` config option
+  (fetchpatch {
+    url = "https://git.uninsane.org/colin/nixpkgs/commit/1144d6cfe976e7bcfb9611b1d0a66071e17cd569.diff";
+    sha256 = "sha256-ZEvLPqrkpr79yXrsBxgxELR2Awtqk3675jkYZqx2AfY=";
+  })
 
   # # kaiteki: init at 2022-09-03
   # vendorHash changes too frequently (might not be reproducible).
@@ -23,17 +33,6 @@ fetchpatch: [
   #   sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
   # })
 
-  # nautilus: look for the gtk4 FileChooser settings instead of the gtk4 one
-  (fetchpatch {
-    # original version (include the patch in nixpkgs)
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/4636a04c1c4982a0e71ae77d3aa6f52d1a3170f1.diff";
-    # sha256 = "sha256-XKfXStdcveYuk58rlORVJOv0a9Q5aRj1bYT5k79rL0g=";
-
-    # v2 (fetchpatch from upstream PR)
-    # url = "https://git.uninsane.org/colin/nixpkgs/commit/730a802808c549220144e4e62aa419bb07c5ae29.diff";
-    url = "https://github.com/NixOS/nixpkgs/pull/195985.diff";
-    sha256 = "sha256-zd7WGOTm3ygh0Wk3uiA+1S+RqD9yWDSXvo7veHs0K00=";
-  })
 
   # Fix mk flutter app
   # closed (not merged). updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
@@ -48,6 +47,7 @@ fetchpatch: [
   ./02-rpi4-uboot.patch
 
   # TODO: upstream
+  # maybe convert this patch to add a `targetUrlExpr` instead of doing the `escapeShellArgs` hack
   ./07-duplicity-rich-url.patch
 
   # enable aarch64 support for flutter's dart package

pkgs/browserpass-extension/default.nix

@@ -0,0 +1,57 @@
+{ stdenv
+, fetchFromGitHub
+, gnused
+, jq
+, mkYarnModules
+, zip
+}:
+
+let
+  pname = "browserpass-extension";
+  version = "3.7.2";
+  src = fetchFromGitHub {
+    owner = "browserpass";
+    repo = "browserpass-extension";
+    rev = version;
+    sha256 = "sha256-uDJ0ID8mD+5WLQK40+OfzRNIOOhZWsLYIi6QgcdIDvc=";
+  };
+  browserpass-extension-yarn-modules = mkYarnModules {
+    inherit pname version;
+    packageJSON = "${src}/src/package.json";
+    yarnLock = "${src}/src/yarn.lock";
+  };
+  extid = "browserpass@maximbaz.com";
+in stdenv.mkDerivation {
+  inherit pname version src;
+
+  patchPhase = ''
+    # dependencies are built separately: skip the yarn install
+    ${gnused}/bin/sed -i /yarn\ install/d src/Makefile
+  '';
+
+  preBuild = ''
+    ln -s ${browserpass-extension-yarn-modules}/node_modules src/node_modules
+  '';
+
+  installPhase = ''
+    BASE=$out/share/mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
+    mkdir -p $BASE
+
+    pushd firefox
+
+    # firefox requires addons to have an id field when sideloading:
+    # - <https://extensionworkshop.com/documentation/publish/distribute-sideloading/>
+    cat manifest.json \
+      | ${jq}/bin/jq '. + { applications: {gecko: {id: "${extid}" }}, browser_specific_settings: {gecko: {id: "${extid}"}} }' \
+      > manifest.patched.json
+    mv manifest{.patched,}.json
+
+    ${zip}/bin/zip -r $BASE/browserpass@maximbaz.com.xpi ./*
+
+    popd
+  '';
+
+  passthru = {
+    inherit extid;
+  };
+}

pkgs/browserpass/default.nix

@@ -1,7 +1,9 @@
 { pkgs
 , bash
 , fetchFromGitea
+, gnused
 , lib
+, sane-scripts
 , sops
 , stdenv
 , substituteAll
@@ -13,7 +15,8 @@ let
     version = "0.1.0";
     src = ./.;
 
-    inherit bash sops;
+    inherit bash gnused sops;
+    sane_scripts = sane-scripts;
     installPhase = ''
       mkdir -p $out/bin
       substituteAll ${./sops-gpg-adapter} $out/bin/gpg

pkgs/browserpass/sops-gpg-adapter

@@ -7,8 +7,13 @@ then
   exit 0
 fi
 
+# ensure the secret store is unlocked
+@sane_scripts@/bin/sane-secrets-unlock
+
 # using exec here forwards our stdin
 # browserpass parses the response in
 # <browserpass-extension/src/background.js#parseFields>
 # it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
-exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin
+# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
+# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
+exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/

pkgs/lightdm-mobile-greeter/cargo_lock-fix_lightdm_rs_url.patch

@@ -1,28 +0,0 @@
-commit c2a3a5eff2edc95108a21fc02c420a8aaa19accd
-Author: colin <colin@uninsane.org>
-Date:   Tue Oct 25 20:59:20 2022 -0700
-
-    Cargo.lock: update lightdm-rs URLs
-
-diff --git a/Cargo.lock b/Cargo.lock
-index 1051644..72d09e6 100644
---- a/Cargo.lock
-+++ b/Cargo.lock
-@@ -362,7 +362,7 @@ dependencies = [
- [[package]]
- name = "light-dm-sys"
- version = "0.0.1"
--source = "git+https://raatty.club:3000/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
-+source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
- dependencies = [
-  "gio-sys",
-  "glib-sys",
-@@ -374,7 +374,7 @@ dependencies = [
- [[package]]
- name = "lightdm"
- version = "0.1.0"
--source = "git+https://raatty.club:3000/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
-+source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
- dependencies = [
-  "gio",
-  "gio-sys",

pkgs/lightdm-mobile-greeter/default.nix

@@ -11,20 +11,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "lightdm-mobile-greeter";
-  version = "6";
+  version = "2022-10-30";
 
   src = fetchFromGitea {
     domain = "git.raatty.club";
     owner = "raatty";
     repo = "lightdm-mobile-greeter";
-    rev = "${version}";
-    hash = "sha256-uqsYOHRCOmd3tpJdndZFQ/tznZ660NhB+gE2154kJuM=";
+    rev = "8c8d6dfce62799307320c8c5a1f0dd5c8c18e4d3";
+    hash = "sha256-SrAR2+An3BN/doFl/s8PcYZMUHLfVPXKZOo6ndO60nY=";
   };
-  cargoHash = "sha256-JV8NQdZAG4EetRHwbi0dD0uIOUkn5hvzry+5WB7TCO4=";
-
-  cargoPatches = [
-    ./cargo_lock-fix_lightdm_rs_url.patch
-  ];
+  cargoHash = "sha256-NZ0jOkEBNa5oOydfyKm0XQB/vkAvBv9wHBbnM9egQFQ=";
 
   buildInputs = [
     gtk3
@@ -49,7 +45,7 @@ rustPlatform.buildRustPackage rec {
 
   meta = with lib; {
     description = "A simple log in screen for use on touch screens.";
-    homepage = "https://git.uninsane.org/colin/lightdm-mobile-greeter";
+    homepage = "https://git.raatty.club/raatty/lightdm-mobile-greeter";
     maintainers = with maintainers; [ colinsane ];
     platforms = platforms.linux;
     license = licenses.mit;

pkgs/overlay.nix

@@ -37,11 +37,12 @@
 
   gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
 
-  browserpass = prev.callPackage ./browserpass { pkgs = prev; };
+  browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
 
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
   kaiteki = prev.callPackage ./kaiteki { };
-  lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
+  # lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
+  browserpass-extension = prev.callPackage ./browserpass-extension { };
   gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
   # kaiteki = prev.kaiteki;
   # TODO: upstream, or delete nabla

pkgs/sane-scripts/src/sane-private-lock

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+sudo umount /home/colin/private