servo: add munin for monitoring/metrics

2022-10-21 02:15:07 -07:00
73 changed files with 850 additions and 1553 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -23,7 +23,6 @@ creation_rules:
    key_groups:
    - age:
      - *user_desko_colin
      - *user_lappy_colin
      - *user_servo_colin
      - *host_servo
  - path_regex: secrets/desko.yaml$
@@ -32,16 +31,3 @@ creation_rules:
      - *user_desko_colin
      - *user_lappy_colin
      - *host_desko
  - path_regex: secrets/lappy.yaml$
    key_groups:
    - age:
      - *user_lappy_colin
      - *user_desko_colin
      - *host_lappy
  - path_regex: secrets/moby.yaml$
    key_groups:
    - age:
      - *user_desko_colin
      - *user_lappy_colin
      - *user_moby_colin
      - *host_moby
--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1,16 @@
 # features/tweaks
 - emoji picker application
 - find a Masto/Pleroma app which works on mobile
 - remove hardcoded uid/gids outside of allocations.nix (used in impermanence code -- replace with username/groupname)
 # speed up cross compiling
 - <https://nixos.wiki/wiki/Cross_Compiling>
 - <https://nixos.wiki/wiki/NixOS_on_ARM>
 ```nix
   overlays = [{ ... }: {
     nixpkgs.crossSystem.system = "aarch64-linux";
   }];
 ```
 - <https://github.com/nix-community/aarch64-build-box>
 	- apply for access to the community arm build box
--- a/flake.lock
+++ b/flake.lock
@@ -22,11 +22,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1665996265,
+        "lastModified": 1665475263,
-        "narHash": "sha256-/k9og6LDBQwT+f/tJ5ClcWiUl8kCX5m6ognhsAxOiCY=",
+        "narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "b81e128fc053ab3159d7b464d9b7dedc9d6a6891",
+        "rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
        "type": "github"
      },
      "original": {
@@ -54,11 +54,11 @@
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1666573922,
+        "lastModified": 1665711470,
-        "narHash": "sha256-CqB8Y5HajptSFE8Em990dcYZIHJWBiO9zd1us4Mzx8M=",
+        "narHash": "sha256-9cjKbTkxyWjswVExtIpglpvlR+iDY9/DWmXpZyzk5cY=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "1351091d2537040454fa232d8b94e745ab0eb5a3",
+        "rev": "e4b6f680b2a4f29f087a7c1299c11499d1a367b6",
        "type": "github"
      },
      "original": {
@@ -69,11 +69,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1666447894,
+        "lastModified": 1665732960,
-        "narHash": "sha256-i9WHX4w/et4qPMzEXd9POmnO0/bthjr7R4cblKNHGms=",
+        "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "95aeaf83c247b8f5aa561684317ecd860476fcd6",
+        "rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
        "type": "github"
      },
      "original": {
@@ -84,11 +84,11 @@
    },
    "nixpkgs-22_05": {
      "locked": {
-        "lastModified": 1666488099,
+        "lastModified": 1665279158,
-        "narHash": "sha256-DANs2epN5QgvxWzH7xF3dzb4WE0lEuMLrMEu/vPmQxw=",
+        "narHash": "sha256-TpbWNzoJ5RaZ302dzvjY2o//WxtOJuYT3CnDj5N69Hs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "f9115594149ebcb409a42e303bec4956814a8419",
+        "rev": "b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5",
        "type": "github"
      },
      "original": {
@@ -100,11 +100,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1666401273,
+        "lastModified": 1665613119,
-        "narHash": "sha256-AG3MoIjcWwz1SPjJ2nymWu4NmeVj9P40OpB1lsmxFtg=",
+        "narHash": "sha256-VTutbv5YKeBGWou6ladtgfx11h6et+Wlkdyh4jPJ3p0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3933d8bb9120573c0d8d49dc5e890cb211681490",
+        "rev": "e06bd4b64bbfda91d74f13cb5eca89485d47528f",
        "type": "github"
      },
      "original": {
@@ -120,27 +120,10 @@
        "mobile-nixos": "mobile-nixos",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable",
        "rycee": "rycee",
        "sops-nix": "sops-nix",
        "uninsane": "uninsane"
      }
    },
    "rycee": {
      "flake": false,
      "locked": {
        "lastModified": 1666843362,
        "narHash": "sha256-xn2bW9/MT0u8Ptlk+f323p46Q/ktZkzMp7oj5SlYDxU=",
        "owner": "rycee",
        "repo": "nur-expressions",
        "rev": "43d3a363c126968db46585b88b8eb97dd32634ad",
        "type": "gitlab"
      },
      "original": {
        "owner": "rycee",
        "repo": "nur-expressions",
        "type": "gitlab"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
@@ -149,11 +132,11 @@
        "nixpkgs-22_05": "nixpkgs-22_05"
      },
      "locked": {
-        "lastModified": 1666499473,
+        "lastModified": 1665289655,
-        "narHash": "sha256-q1eFnBFL0kHgcnUPeKagw3BfbE/5sMJNGL2E2AR+a2M=",
+        "narHash": "sha256-j1Q9mNBhbzeJykhObiXwEGres9qvP4vH7gxdJ+ihkLI=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "1b5f9512a265f0c9687dbff47893180f777f4809",
+        "rev": "0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -14,10 +14,6 @@
      url = "github:nix-community/home-manager/release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    rycee = {
      url = "gitlab:rycee/nur-expressions";
      flake = false;
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -29,17 +25,8 @@
    };
  };
-  outputs = {
+  outputs = { self, nixpkgs, nixpkgs-stable, mobile-nixos, home-manager, sops-nix, impermanence, uninsane }:
-    self,
+  let
    nixpkgs,
    nixpkgs-stable,
    mobile-nixos,
    home-manager,
    rycee,
    sops-nix,
    impermanence,
    uninsane
  }: let
    patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
      name = "nixpkgs-patched-uninsane";
      src = nixpkgs;
@@ -59,14 +46,15 @@
      specialArgs = { inherit mobile-nixos home-manager impermanence; };
      modules = [
        ./modules
-        (import ./machines/instantiate.nix name)
+        ./machines/${name}
        (import ./helpers/set-hostname.nix name)
        home-manager.nixosModule
        impermanence.nixosModule
        sops-nix.nixosModules.sops
        {
          nixpkgs.config.allowUnfree = true;
          nixpkgs.overlays = [
            (import "${mobile-nixos}/overlay/overlay.nix")
            (import "${rycee}/overlay.nix")
            uninsane.overlay
            (import ./pkgs/overlay.nix)
            (next: prev: rec {
@@ -115,14 +103,19 @@
    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
    imgs = builtins.mapAttrs (name: value: value.img) machines;
    packages = let
-      allPkgsFor = sys: (customPackagesFor sys sys) // {
+      custom-x86_64 = customPackagesFor "x86_64-linux" "x86_64-linux";
-        nixpkgs = nixpkgsFor sys sys;
+      custom-aarch64 = customPackagesFor "aarch64-linux" "aarch64-linux";
-        uninsane = uninsane.packages."${sys}";
+      nixpkgs-x86_64 = nixpkgsFor "x86_64-linux" "x86_64-linux";
-        rycee = (import "${rycee}/default.nix" { pkgs = nixpkgsFor sys sys; });
+      nixpkgs-aarch64 = nixpkgsFor "aarch64-linux" "aarch64-linux";
      };
    in {
-      x86_64-linux = allPkgsFor "x86_64-linux";
+      x86_64-linux = custom-x86_64 // {
-      aarch64-linux = allPkgsFor "aarch64-linux";
+        nixpkgs = nixpkgs-x86_64;
        uninsane = uninsane.packages.x86_64-linux;
      };
      aarch64-linux = custom-aarch64 // {
        nixpkgs = nixpkgs-aarch64;
        uninsane = uninsane.packages.aarch64-linux;
      };
    };
  };
 }
--- a/helpers/set-hostname.nix
+++ b/helpers/set-hostname.nix
@@ -0,0 +1,4 @@
 hostName: { ... }:
 {
  networking.hostName = hostName;
 }
--- a/machines/desko/default.nix
+++ b/machines/desko/default.nix
@@ -18,11 +18,6 @@
  users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
  users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
  sops.secrets.colin-passwd = {
    sopsFile = ../../secrets/desko.yaml;
    neededForUsers = true;
  };
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
--- a/machines/instantiate.nix
+++ b/machines/instantiate.nix
@@ -1,11 +0,0 @@
 # trampoline from flake.nix into the specific machine definition, while doing a tiny bit of common setup
 hostName: { ... }: {
  imports = [
    ./${hostName}
  ];
  networking.hostName = hostName;
  nixpkgs.config.allowUnfree = true;
 }
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -11,10 +11,7 @@
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
-  sops.secrets.colin-passwd = {
+  users.users.colin.initialPassword = "147147";
    sopsFile = ../../secrets/lappy.yaml;
    neededForUsers = true;
  };
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
--- a/machines/moby/default.nix
+++ b/machines/moby/default.nix
@@ -13,16 +13,10 @@
  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
  documentation.nixos.enable = false;
-  # XXX colin: phosh doesn't work well with passwordless login,
+  # XXX colin: phosh doesn't work well with passwordless login
  # so set this more reliable default password should anything go wrong
  users.users.colin.initialPassword = "147147";
  services.getty.autologinUser = "root";  # allows for emergency maintenance?
  sops.secrets.colin-passwd = {
    sopsFile = ../../secrets/moby.yaml;
    neededForUsers = true;
  };
  # usability compromises
  sane.impermanence.home-dirs = [
    ".librewolf"
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -9,11 +9,11 @@
    ./services
  ];
  sane.home-manager.enable = true;
  sane.home-manager.extraPackages = [
    # for administering services
    pkgs.matrix-synapse
    pkgs.freshrss
    pkgs.goaccess
  ];
  sane.impermanence.enable = true;
  sane.services.duplicity.enable = true;
--- a/machines/servo/services/default.nix
+++ b/machines/servo/services/default.nix
@@ -4,11 +4,11 @@
    ./ddns-he.nix
    ./freshrss.nix
    ./gitea.nix
    ./goaccess.nix
    ./ipfs.nix
    ./jackett.nix
    ./jellyfin.nix
    ./matrix
    ./munin.nix
    ./navidrome.nix
    ./nginx.nix
    ./pleroma.nix
--- a/machines/servo/services/freshrss.nix
+++ b/machines/servo/services/freshrss.nix
@@ -30,7 +30,7 @@
  systemd.services.freshrss-import-feeds =
  let
    fresh = config.systemd.services.freshrss-config;
-    feeds = import ../../../modules/universal/home-manager/feeds.nix { inherit lib; };
+    feeds = import ../../../modules/universal/env/feeds.nix { inherit lib; };
    opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
  in {
    inherit (fresh) wantedBy environment;
--- a/machines/servo/services/goaccess.nix
+++ b/machines/servo/services/goaccess.nix
@@ -1,44 +0,0 @@
 { pkgs, ... }:
 {
  # based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
  # log-format setting can be derived with this tool if custom:
  # - <https://github.com/stockrt/nginx2goaccess>
  # config options:
  # - <https://github.com/allinurl/goaccess/blob/master/config/goaccess.conf>
  systemd.services.goaccess = {
    description = "GoAccess server monitoring";
    serviceConfig = {
      ExecStart = ''
        ${pkgs.goaccess}/bin/goaccess \
          -f /var/log/nginx/public.log \
          --log-format=VCOMBINED \
          --real-time-html \
          --no-query-string \
          --anonymize-ip \
          --ignore-panel=HOSTS \
          --ws-url=wss://sink.uninsane.org:443/ws \
          --port=7890 \
          -o /var/lib/uninsane/sink/index.html
      '';
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      Type = "simple";
      Restart = "on-failure";
      # hardening
      WorkingDirectory = "/tmp";
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = "read-only";
      ProtectSystem = "strict";
      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
      ReadOnlyPaths = "/";
      ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
      PrivateDevices = "yes";
      ProtectKernelModules = "yes";
      ProtectKernelTunables = "yes";
    };
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
  };
 }
--- a/machines/servo/services/munin.nix
+++ b/machines/servo/services/munin.nix
@@ -0,0 +1,12 @@
 { config, ... }:
 {
  services.munin-node.enable = true;
  services.munin-cron = {
    enable = true;
    # collect data from the localhost
    hosts = ''
      [${config.networking.hostName}]
      address localhost
    '';
  };
 }
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
@@ -1,29 +1,11 @@
 # docs: https://nixos.wiki/wiki/Nginx
 { config, pkgs, ... }:
 let
  # make the logs for this host "public" so that they show up in e.g. metrics
  publog = vhost: vhost // {
    extraConfig = (vhost.extraConfig or "") + ''
      access_log /var/log/nginx/public.log vcombined;
    '';
  };
 in
 {
  services.nginx.enable = true;
  # this is the standard `combined` log format, with the addition of $host
  # so that we have the virtualHost in the log.
  # KEEP IN SYNC WITH GOACCESS
  # goaccess calls this VCOMBINED:
  # - <https://gist.github.com/jyap808/10570005>
  services.nginx.commonHttpConfig = ''
    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
    access_log /var/log/nginx/private.log vcombined;
  '';
  # web blog/personal site
-  services.nginx.virtualHosts."uninsane.org" = publog {
+  services.nginx.virtualHosts."uninsane.org" = {
    root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
    # a lot of places hardcode https://uninsane.org,
    # and then when we mix http + non-https, we get CORS violations
@@ -79,24 +61,11 @@ in
  services.nginx.virtualHosts."sink.uninsane.org" = {
    addSSL = true;
    enableACME = true;
-    root = "/var/lib/uninsane/sink";
+    root = "/var/www/munin";
    locations."/ws" = {
      proxyPass = "http://127.0.0.1:7890";
      # XXX not sure how much of this is necessary
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off;
        proxy_read_timeout 7d;
      '';
    };
  };
  # Pleroma server and web interface
-  services.nginx.virtualHosts."fed.uninsane.org" = publog {
+  services.nginx.virtualHosts."fed.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    locations."/" = {
@@ -157,7 +126,7 @@ in
  };
  # matrix chat server
-  services.nginx.virtualHosts."matrix.uninsane.org" = publog {
+  services.nginx.virtualHosts."matrix.uninsane.org" = {
    addSSL = true;
    enableACME = true;
@@ -198,7 +167,7 @@ in
  };
  # hosted git (web view and for `git <cmd>` use
-  services.nginx.virtualHosts."git.uninsane.org" = publog {
+  services.nginx.virtualHosts."git.uninsane.org" = {
    addSSL = true;
    enableACME = true;
@@ -314,7 +283,6 @@ in
  sane.impermanence.service-dirs = [
    # TODO: mode?
    { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
    # TODO: this is overly broad; only need media and share directories to be persisted
    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
  ];
 }
--- a/machines/servo/services/pleroma.nix
+++ b/machines/servo/services/pleroma.nix
@@ -74,10 +74,9 @@
    config :pleroma, configurable_from_database: false
    # strip metadata from uploaded images
-    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation]
+    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool]
    # TODO: GET /api/pleroma/captcha is broken
    # there was a nixpkgs PR to fix this around 2022/10 though.
    config :pleroma, Pleroma.Captcha,
      enabled: false,
      method: Pleroma.Captcha.Native
--- a/machines/servo/services/postfix.nix
+++ b/machines/servo/services/postfix.nix
@@ -20,10 +20,6 @@ in
    # TODO: mode? could be more granular
    { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
    { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
    { user = "root"; group = "root"; directory = "/var/spool/mail"; }
    # *probably* don't need these dirs:
    # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
    # "/var/lib/dovecot"
  ];
  services.postfix.enable = true;
  services.postfix.hostname = "mx.uninsane.org";
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -7,7 +7,8 @@
    ./image.nix
    ./impermanence.nix
    ./nixcache.nix
-    ./services
+    ./services/duplicity.nix
    ./services/nixserve.nix
    ./universal
  ];
 }
--- a/modules/gui/default.nix
+++ b/modules/gui/default.nix
@@ -22,6 +22,7 @@ in
  config = lib.mkIf cfg.enable {
    sane.home-packages.enableGuiPkgs = lib.mkDefault true;
    sane.home-manager.enable = lib.mkDefault true;
    # all GUIs use network manager?
    users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
  };
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -11,14 +11,6 @@ in
      default = false;
      type = types.bool;
    };
    sane.gui.sway.useGreeter = mkOption {
      description = ''
        launch sway via a greeter (like greetd's gtkgreet).
        sway is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = true;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
    sane.gui.enable = true;
@@ -31,31 +23,22 @@ in
    # alternatively, could use SDDM
    services.greetd = let
-      swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
+      swayConfig = pkgs.writeText "greetd-sway-config" ''
        # `-l` activates layer-shell mode.
        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
      '';
      default_session = {
        "01" = {
          # greeter session config
          command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
          # alternatives:
          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
        };
        "0" = {
          # no greeter
          command = "${pkgs.sway}/bin/sway";
          user = "colin";
        };
      };
    in {
      # greetd source/docs:
      # - <https://git.sr.ht/~kennylevinsen/greetd>
      enable = true;
      settings = {
-        default_session = default_session."0${builtins.toString cfg.useGreeter}";
+        default_session = {
          command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
          # alternatives:
          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
        };
      };
    };
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -7,8 +7,6 @@
 with lib;
 let
  cfg = config.sane.impermanence;
  # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
  secretsForUsers = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
 in
 {
  options = {
@@ -16,6 +14,10 @@ in
      default = false;
      type = types.bool;
    };
    sane.impermanence.home-files = mkOption {
      default = [];
      type = types.listOf types.str;
    };
    sane.impermanence.home-dirs = mkOption {
      default = [];
      type = types.listOf (types.either types.str (types.attrsOf types.str));
@@ -36,17 +38,38 @@ in
    map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
    map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
    map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
    map-home-files = files: builtins.map (f: {
      parentDirectory = {
        user = "colin";
        group = "users";
        mode = "0755";
      };
      file = "/home/colin/${f}";
    }) files;
  in mkIf cfg.enable {
    sane.image.extraDirectories = [ "/nix/persist/var/log" ];
    environment.persistence."/nix/persist" = {
-      directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
+      directories = (map-home-dirs ([
        # cache is probably too big to fit on the tmpfs
        # TODO: we could bind-mount it to something which gets cleared per boot, though.
        ".cache"
        ".cargo"
        ".rustup"
        ".ssh"
        ".local/share/keyrings"
        # intentionally omitted:
        # ".config"  # managed by home-manager
        # ".local"   # nothing useful in here
      ] ++ cfg.home-dirs)) ++ (map-sys-dirs [
        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
        # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # "/etc/nixos"
        # "/etc/ssh"  # persist only the specific files we want, instead
        "/var/log"
        "/var/backup"  # for e.g. postgres dumps
      ]) ++ (map-service-dirs ([
        # "/var/lib/AccountsService"   # not sure what this is, but it's empty
        "/var/lib/alsa"                # preserve output levels, default devices
        # "/var/lib/blueman"           # files aren't human readable
@@ -70,29 +93,37 @@ in
        # "/var/lib/upower"            # historic charge data. unnecessary, but maybe used somewhere?
        #
        # servo additions:
-      ] ++ cfg.service-dirs);
+        # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
-      files = [ "/etc/machine-id" ];
+        # "/var/lib/dovecot"
        # "/var/lib/duplicity"
      ] ++ cfg.service-dirs));
      files = [
        "/etc/machine-id"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/home/colin/.zsh_history"
        # # XXX these only need persistence because i have mutableUsers = true, i think
        # "/etc/group"
        # "/etc/passwd"
        # "/etc/shadow"
      ] ++ map-home-files cfg.home-files;
    };
-    # secret decoding depends on /etc/ssh keys, which are persisted
+    systemd.services.sane-sops = {
-    system.activationScripts.setupSecrets.deps = [ "persist-files" ];
+      # TODO: it would be better if we could inject the right dependency into setupSecrets instead of patching like this.
-    # `setupSecretsForUsers` should depend on `persist-files`,
+      # /run/current-system/activate contains the precise ordering logic.
-    # but `persist-files` itself depends on `users`, to this would be circular.
+      # it's largely unaware of systemd.
-    # we work around that by manually mounting the ssh host key.
+      # maybe we could insert some activation script which simply waits for /etc/ssh to appear?
-    # strictly speaking, this makes the `setupSecrets -> persist-files` dep extraneous,
+      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
-    # but it's a decent safety net in case something goes wrong.
+      script = ''
-    # system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
+      ${config.system.activationScripts.setupSecrets.text}
-    system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers {
+      ${config.system.activationScripts.linkIwdKeys.text}
-      deps = [ "persist-ssh-host-keys" ];
+      '';
      after = [ "fs-local.target" ];
      wantedBy = [ "multi-user.target" ];
    };
    system.activationScripts.persist-ssh-host-keys = lib.mkIf secretsForUsers (
      let
        key_dir = "/etc/ssh/host_keys";
      in ''
        mkdir -p ${key_dir}
        mount -o bind /nix/persist${key_dir} ${key_dir}
      ''
    );
  };
 }
--- a/modules/nixcache.nix
+++ b/modules/nixcache.nix
@@ -1,13 +1,3 @@
 # speed up builds from e.g. moby or lappy by having them query desko and servo first.
 # if one of these hosts is offline, instead manually specify just cachix:
 # - `nixos-rebuild --option substituters https://cache.nixos.org/`
 #
 # future improvements:
 # - apply for community arm build box:
 #   - <https://github.com/nix-community/aarch64-build-box>
 # - don't require all substituters to be online:
 #   - <https://github.com/NixOS/nix/pull/7188>
 { lib, config, ... }:
 with lib;
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  imports = [
    ./duplicity.nix
    ./nixserve.nix
  ];
 }
--- a/modules/universal/default.nix
+++ b/modules/universal/default.nix
@@ -3,25 +3,16 @@
 {
  imports = [
    ./allocations.nix
    ./env
    ./fs.nix
    ./home-manager
    ./home-packages.nix
    ./net.nix
    ./secrets.nix
    ./ssh.nix
    ./system-packages.nix
    ./users.nix
    ./vpn.nix
  ];
  time.timeZone = "America/Los_Angeles";
  # allow `nix flake ...` command
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  # TODO: move this into home-manager?
  fonts = {
    enableDefaultFonts = true;
    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
@@ -34,30 +25,9 @@
    };
  };
-  # programs.vim.defaultEditor = true;
+  # allow `nix flake ...` command
-  environment.variables = {
+  nix.extraOptions = ''
-    EDITOR = "vim";
+    experimental-features = nix-command flakes
-    # git claims it should use EDITOR, but it doesn't!
+  '';
    GIT_EDITOR = "vim";
    # TODO: these should be moved to `home.sessionVariables` (home-manager)
    # Electron apps should use native wayland backend:
    #   https://nixos.wiki/wiki/Slack#Wayland
    # Discord under sway crashes with this.
    # NIXOS_OZONE_WL = "1";
    # LIBGL_ALWAYS_SOFTWARE = "1";
  };
  # enable zsh completions
  environment.pathsToLink = [ "/share/zsh" ];
  environment.systemPackages = with pkgs; [
    # required for pam_mount
    gocryptfs
  ];
  security.pam.mount.enable = true;
  # security.pam.mount.debugLevel = 1;
  # security.pam.enableSSHAgentAuth = true; # ??
  # needed for `allow_other` in e.g. gocryptfs mounts
  # or i guess going through mount.fuse sets suid so that's not necessary?
  # programs.fuse.userAllowOther = true;
 }
--- a/modules/universal/env/default.nix
+++ b/modules/universal/env/default.nix
@@ -0,0 +1,36 @@
 { pkgs, ... }:
 {
  imports = [
    ./home-manager.nix
    ./home-packages.nix
    ./system-packages.nix
  ];
  # programs.vim.defaultEditor = true;
  environment.variables = {
    EDITOR = "vim";
    # git claims it should use EDITOR, but it doesn't!
    GIT_EDITOR = "vim";
    # TODO: these should be moved to `home.sessionVariables` (home-manager)
    # Electron apps should use native wayland backend:
    #   https://nixos.wiki/wiki/Slack#Wayland
    # Discord under sway crashes with this.
    # NIXOS_OZONE_WL = "1";
    # LIBGL_ALWAYS_SOFTWARE = "1";
  };
  # enable zsh completions
  environment.pathsToLink = [ "/share/zsh" ];
  environment.systemPackages = with pkgs; [
    # required for pam_mount
    gocryptfs
  ];
  security.pam.mount.enable = true;
  # security.pam.mount.debugLevel = 1;
  # security.pam.enableSSHAgentAuth = true; # ??
  # needed for `allow_other` in e.g. gocryptfs mounts
  # or i guess going through mount.fuse sets suid so that's not necessary?
  # programs.fuse.userAllowOther = true;
 }
--- a/modules/universal/home-manager/feeds.nix
+++ b/modules/universal/home-manager/feeds.nix
@@ -18,14 +18,10 @@ let
  podcast = { format = "podcast"; };
  mkRss = format: url: { inherit url format; } // uncat // infrequent;
  # format-specific helpers
  mkText = mkRss text;
  mkImg = mkRss image;
  mkPod = mkRss podcast;
  # host-specific helpers
  mkSubstack = subdomain: mkText "https://${subdomain}.substack.com/feed";
  # merge the attrs `new` into each value of the attrs `addTo`
  addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
  # for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
@@ -79,7 +75,6 @@ in rec {
    (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
    # DEVELOPERS
    (mkText "https://uninsane.org/atom.xml" // infrequent // tech)
    (mkText "https://mg.lol/blog/rss/" // infrequent // tech)
    ## Ken Shirriff
    (mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
@@ -93,10 +88,8 @@ in rec {
    (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
    (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
    (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
    (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
    # (TECH; POL) COMMENTATORS
    (mkSubstack "edwardsnowden" // pol // infrequent)
    (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
    ## Ben Thompson
    (mkText "https://www.stratechery.com/rss" // pol // weekly)
@@ -105,15 +98,15 @@ in rec {
    (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
    (mkText "https://www.lynalden.com/feed" // pol // infrequent)
    (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
-    (mkSubstack "oversharing" // pol // daily)
+    (mkText "https://oversharing.substack.com/feed" // pol // daily)
-    (mkSubstack "doomberg" // tech // weekly)
+    (mkText "https://doomberg.substack.com/feed" // tech // weekly)
    ## David Rosenthal
    (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
    ## Matt Levine
    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
    # RATIONALITY/PHILOSOPHY/ETC
-    (mkSubstack "samkriss" // humor // infrequent)
+    (mkText "https://samkriss.substack.com/feed" // humor // infrequent)
    (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
    (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
    (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
@@ -124,7 +117,7 @@ in rec {
    ## Robin Hanson
    (mkText "https://www.overcomingbias.com/feed" // rat // daily)
    ## Scott Alexander
-    (mkSubstack "astralcodexten" // rat // daily)
+    (mkText "https://astralcodexten.substack.com/feed.xml" // rat // daily)
    ## Paul Christiano
    (mkText "https://sideways-view.com/feed" // rat // infrequent)
    ## Sean Carroll
--- a/modules/universal/env/home-manager.nix
+++ b/modules/universal/env/home-manager.nix
@@ -0,0 +1,527 @@
 # docs:
 #   https://rycee.gitlab.io/home-manager/
 #   https://rycee.gitlab.io/home-manager/options.html
 #   man home-configuration.nix
 #
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.sane.home-manager;
  vim-swap-dir = ".cache/vim-swap";
  # extract package from `extraPackages`
  pkglist = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
  # extract `dir` from `extraPackages`
  dirlist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
  # extract `persist-files` from `extraPackages`
  persistfileslist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "persist-files" then e.persist-files else []) pkgspec);
  # TODO: dirlist and persistfileslist should be folded
  feeds = import ./feeds.nix { inherit lib; };
 in
 {
  options = {
    sane.home-manager.enable = mkOption {
      default = false;
      type = types.bool;
    };
    # packages to deploy to the user's home
    sane.home-manager.extraPackages = mkOption {
      default = [ ];
      # each entry can be either a package, or attrs:
      #   { pkg = package; dir = optional string;
      type = types.listOf (types.either types.package types.attrs);
    };
    # attributes to copy directly to home-manager's `wayland.windowManager` option
    sane.home-manager.windowManager = mkOption {
      default = {};
      type = types.attrs;
    };
    # extra attributes to include in home-manager's `programs` option
    sane.home-manager.programs = mkOption {
      default = {};
      type = types.attrs;
    };
  };
  config = lib.mkIf cfg.enable {
    sops.secrets."aerc_accounts" = {
      owner = config.users.users.colin.name;
      sopsFile = ../../../secrets/universal/aerc_accounts.conf;
      format = "binary";
    };
    sops.secrets."sublime_music_config" = {
      owner = config.users.users.colin.name;
      sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
      format = "binary";
    };
    sane.impermanence.home-dirs = [
      "archive"
      "dev"
      "records"
      "ref"
      "tmp"
      "use"
      "Music"
      "Pictures"
      "Videos"
      vim-swap-dir
    ] ++ (dirlist cfg.extraPackages);
    sane.impermanence.home-files = persistfileslist cfg.extraPackages;
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
      # run `home-manager-help` to access manpages
      # or `man home-configuration.nix`
      manual.html.enable = true;
      home.packages = pkglist cfg.extraPackages;
      wayland.windowManager = cfg.windowManager;
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      home.activation = {
        initKeyring = {
          after = ["writeBoundary"];
          before = [];
          data = "${../../../scripts/init-keyring}";
        };
      };
      # XDG defines things like ~/Desktop, ~/Downloads, etc.
      # these clutter the home, so i mostly don't use them.
      xdg.userDirs = {
        enable = true;
        createDirectories = false;  # on headless systems, most xdg dirs are noise
        desktop = "$HOME/.xdg/Desktop";
        documents = "$HOME/dev";
        download = "$HOME/tmp";
        music = "$HOME/Music";
        pictures = "$HOME/Pictures";
        publicShare = "$HOME/.xdg/Public";
        templates = "$HOME/.xdg/Templates";
        videos = "$HOME/Videos";
      };
      # the xdg mime type for a file can be found with:
      # - `xdg-mime query filetype path/to/thing.ext`
      xdg.mimeApps.enable = true;
      xdg.mimeApps.defaultApplications = let
        www = "librewolf.desktop";
        pdf = "org.gnome.Evince.desktop";
        md = "obsidian.desktop";
        thumb = "org.gnome.gThumb.desktop";
        video = "vlc.desktop";
        # audio = "mpv.desktop";
        audio = "vlc.desktop";
      in {
        # HTML
        "text/html" = [ www ];
        "x-scheme-handler/http" = [ www ];
        "x-scheme-handler/https" = [ www ];
        "x-scheme-handler/about" = [ www ];
        "x-scheme-handler/unknown" = [ www ];
        # RICH-TEXT DOCUMENTS
        "application/pdf" = [ pdf ];
        "text/markdown" = [ md ];
        # IMAGES
        "image/heif" = [ thumb ];  # apple codec
        "image/png" = [ thumb ];
        "image/jpeg" = [ thumb ];
        # VIDEO
        "video/mp4" = [ video ];
        "video/quicktime" = [ video ];
        "video/x-matroska" = [ video ];
        # AUDIO
        "audio/flac" = [ audio ];
        "audio/mpeg" = [ audio ];
        "audio/x-vorbis+ogg" = [ audio ];
      };
      # convenience
      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
      home.file."Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
      home.file."Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
      home.file."Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
      # nb markdown/personal knowledge manager
      home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file.".nb/.current".text = "knowledge";
      home.file.".nbrc".text = ''
        # manage with `nb settings`
        export NB_AUTO_SYNC=0
      '';
      # uBlock filter list configuration.
      # specifically, enable the GDPR cookie prompt blocker.
      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
      # this configuration method is documented here:
      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
      # the specific attribute path is found via scraping ublock code here:
      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
      home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
        {
         "name": "uBlock0@raymondhill.net",
         "description": "ignored",
         "type": "storage",
         "data": {
            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
         }
        }
      '';
      home.file.".librewolf/librewolf.overrides.cfg".text = ''
        // if we can't query the revocation status of a SSL cert because the issuer is offline,
        // treat it as unrevoked.
        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
        defaultPref("security.OCSP.require", false);
      '';
      # aerc TUI mail client
      xdg.configFile."aerc/accounts.conf".source =
        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
      # make Discord usable even when client is "outdated"
      xdg.configFile."discord/settings.json".text = ''
      {
        "SKIP_HOST_UPDATE": true
      }
      '';
      # sublime music player
      xdg.configFile."sublime-music/config.json".source =
        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
      xdg.configFile."vlc/vlcrc".text =
      let
        podcastUrls = lib.strings.concatStringsSep "|" (
          builtins.map (feed: feed.url) feeds.podcasts
        );
      in ''
        [podcast]
        podcast-urls=${podcastUrls}
        [core]
        metadata-network-access=0
        [qt]
        qt-privacy-ask=0
      '';
      xdg.configFile."gpodderFeeds.opml".text = with feeds;
        feedsToOpml feeds.podcasts;
      # news-flash RSS viewer
      xdg.configFile."newsflashFeeds.opml".text = with feeds;
        feedsToOpml (feeds.texts ++ feeds.images);
      # gnome feeds RSS viewer
      xdg.configFile."org.gabmus.gfeeds.json".text =
      let
        myFeeds = feeds.texts ++ feeds.images;
      in builtins.toJSON {
        # feed format is a map from URL to a dict,
        #   with dict["tags"] a list of string tags.
        feeds = builtins.foldl' (acc: feed: acc // {
          "${feed.url}".tags = [ feed.cat feed.freq ];
        }) {} myFeeds;
        dark_reader = false;
        new_first = true;
        # windowsize = {
        #   width = 350;
        #   height = 650;
        # };
        max_article_age_days = 90;
        enable_js = false;
        max_refresh_threads = 3;
        # saved_items = {};
        # read_items = [];
        show_read_items = true;
        full_article_title = true;
        # views: "webview", "reader", "rsscont"
        default_view = "rsscont";
        open_links_externally = true;
        full_feed_name = false;
        refresh_on_startup = true;
        tags = lib.lists.unique (
          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
        );
        open_youtube_externally = false;
        media_player = "vlc";  # default: mpv
      };
      programs = {
        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
        zsh = {
          enable = true;
          enableSyntaxHighlighting = true;
          enableVteIntegration = true;
          history.ignorePatterns = [ "rm *" ];
          # history.path = TODO
          dotDir = ".config/zsh";
          initExtraBeforeCompInit = ''
            # p10k instant prompt
            # run p10k configure to configure, but it can't write out its file :-(
            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
          '';
          initExtra = ''
            # zmv is a way to do rich moves/renames, with pattern matching/substitution.
            # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
            autoload -Uz zmv
          '';
          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
          # see: https://github.com/sorin-ionescu/prezto
          prezto = {
            enable = true;
            pmodules = [
              "environment"
              "terminal"
              "editor"
              "history"
              "directory"
              "spectrum"
              "utility"
              "completion"
              "prompt"
              "git"
            ];
            prompt = {
              theme = "powerlevel10k";
            };
          };
        };
        kitty = {
          enable = true;
          # docs: https://sw.kovidgoyal.net/kitty/conf/
          settings = {
            # disable terminal bell (when e.g. you backspace too many times)
            enable_audio_bell = false;
          };
          keybindings = {
            "ctrl+n" = "new_os_window_with_cwd";
          };
          # docs: https://github.com/kovidgoyal/kitty-themes
          # theme = "1984 Light";  # dislike: awful, harsh blues/teals
          # theme = "Adventure Time";  # dislike: harsh (dark)
          # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
          # theme = "Belafonte Day";  # dislike: too low contrast for text colors
          # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
          # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
          # theme = "Desert";  # mediocre: colors are harsh
          # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
          # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
          # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
          # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
          # theme = "kanagawabones";  # better: dark theme. colors are too background-y
          # theme = "Kaolin Dark";  # dislike: too dark
          # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
          # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
          # theme = "Material"; # decent: light theme, few colors.
          # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
          # theme = "Nord";  # mediocre: pale background, low contrast
          # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
          theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
          # theme = "Parasio Dark";  # dislike: too low contrast
          # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
          # theme = "Pnevma";  # dislike: too low contrast
          # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
          # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
          # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
          # theme = "Sea Shells";  # mediocre. not all color combos are readable
          # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
          # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
          # theme = "Sourcerer";  # mediocre: ugly colors
          # theme = "Space Gray";  # mediocre: too muted
          # theme = "Space Gray Eighties";  # better: all readable, decent colors
          # theme = "Spacemacs";  # mediocre: too muted
          # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
          # theme = "Srcery";  # better: highly readable. colors are ehhh
          # theme = "Substrata";  # decent: nice colors, but a bit flat.
          # theme = "Sundried";  # mediocre: the solar text makes me squint
          # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
          # theme = "Tango Light";  # dislike: teal is too grating
          # theme = "Tokyo Night Day";  # medicore: too muted
          # theme = "Tokyo Night";  # better: tasteful. a bit flat
          # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
          # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
          # theme = "Urple";  # dislike: weird palette
          # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
          # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
          # theme = "Xcodedark";  # dislike: bad palette
          # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
          # theme = "neobones_light"; # better light theme. the background is maybe too muted
          # theme = "vimbones";
          # theme = "zenbones_dark";  # mediocre: readable, but meh colors
          # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
          # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
          # extraConfig = "";
        };
        git = {
          enable = true;
          userName = "colin";
          userEmail = "colin@uninsane.org";
          aliases = { co = "checkout"; };
          extraConfig = {
            # difftastic docs:
            # - <https://difftastic.wilfred.me.uk/git.html>
            diff.tool = "difftastic";
            difftool.prompt = false;
            "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
            # now run `git difftool` to use difftastic git
          };
        };
        neovim = {
          # neovim: https://github.com/neovim/neovim
          enable = true;
          viAlias = true;
          vimAlias = true;
          plugins = with pkgs.vimPlugins; [
            # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
            # docs: vim-surround: https://github.com/tpope/vim-surround
            vim-surround
            # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
            fzf-vim
            # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
            ({
              plugin = tex-conceal-vim;
              type = "viml";
              config = ''
                " present prettier fractions
                let g:tex_conceal_frac=1
              '';
            })
            ({
              plugin = vim-SyntaxRange;
              type = "viml";
              config = ''
                " enable markdown-style codeblock highlighting for tex code
                autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
                " autocmd Syntax tex set conceallevel=2
              '';
            })
            # nabla renders inline math in any document, but it's buggy.
            #   https://github.com/jbyuki/nabla.nvim
            # ({
            #   plugin = pkgs.nabla;
            #   type = "lua";
            #   config = ''
            #     require'nabla'.enable_virt()
            #   '';
            # })
            # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
            # docs: https://github.com/nvim-treesitter/nvim-treesitter
            # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
            # this is required for tree-sitter to even highlight
            ({
              plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
              type = "lua";
              config = ''
                require'nvim-treesitter.configs'.setup {
                  highlight = {
                    enable = true,
                    -- disable treesitter on Rust so that we can use SyntaxRange
                    -- and leverage TeX rendering in rust projects
                    disable = { "rust", "tex", "latex" },
                    -- disable = { "tex", "latex" },
                    -- true to also use builtin vim syntax highlighting when treesitter fails
                    additional_vim_regex_highlighting = false
                  },
                  incremental_selection = {
                    enable = true,
                    keymaps = {
                      init_selection = "gnn",
                      node_incremental = "grn",
                      mcope_incremental = "grc",
                      node_decremental = "grm"
                    }
                  },
                  indent = {
                    enable = true,
                    disable = {}
                  }
                }
                vim.o.foldmethod = 'expr'
                vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
              '';
            })
          ];
          extraConfig = ''
            " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
            " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
            set mouse=
            " copy/paste to system clipboard
            set clipboard=unnamedplus
            " screw tabs; always expand them into spaces
            set expandtab
            " at least don't open files with sections folded by default
            set nofoldenable
            " allow text substitutions for certain glyphs.
            " higher number = more aggressive substitution (0, 1, 2, 3)
            " i only make use of this for tex, but it's unclear how to
            " apply that *just* to tex and retain the SyntaxRange stuff.
            set conceallevel=2
            " horizontal rule under the active line
            " set cursorline
            " highlight trailing space & related syntax errors (doesn't seem to work??)
            " let c_space_errors=1
            " let python_space_errors=1
            " enable highlighting of leading/trailing spaces,
            " and especially tabs
            " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
            set list
            set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
          '';
        };
        # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
        firefox = lib.mkIf (sysconfig.sane.gui.enable) {
          enable = true;
          package = import ./web-browser.nix pkgs;
        };
        mpv = {
          enable = true;
          config = {
            save-position-on-quit = true;
            keep-open = "yes";
          };
        };
        # "command not found" will cause the command to be searched in nixpkgs
        nix-index.enable = true;
      } // cfg.programs;
      home.shellAliases = {
        ":q" = "exit";
        # common typos
        "cd.." = "cd ..";
        "cd../" = "cd ../";
      };
    };
  };
 }
--- a/modules/universal/env/home-packages.nix
+++ b/modules/universal/env/home-packages.nix
@@ -10,8 +10,6 @@ let
    duplicity
    gnupg
    gocryptfs
    gopass
    gopass-jsonapi
    ifuse
    ipfs
    libimobiledevice
@@ -19,6 +17,7 @@ let
    lm_sensors  # for sensors-detect
    lshw
    ffmpeg
    nb
    networkmanager
    nixpkgs-review
    # nixos-generators
@@ -50,13 +49,12 @@ let
    # GUI only
    aerc  # email client
    audacity
    celluloid  # mpv frontend
    chromium
    clinfo
    electrum
    # creds/session keys, etc
-    { pkg = element-desktop; private = ".config/Element"; }
+    { pkg = element-desktop; dir = ".config/Element"; }
    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    evince  # works on phosh
@@ -69,7 +67,7 @@ let
    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
    # then reboot (so that libsecret daemon re-loads the keyring...?)
-    { pkg = fractal-next; private = ".local/share/fractal"; }
+    { pkg = fractal-next; dir = ".local/share/fractal"; }
    gimp  # broken on phosh
    gnome.cheese
@@ -87,7 +85,6 @@ let
    { pkg = gpodder-configured; dir = "gPodder/Downloads"; }
    gthumb
    handbrake
    inkscape
    kid3  # audio tagging
@@ -117,10 +114,8 @@ let
    { pkg = sublime-music; dir = ".local/share/sublime-music"; }
    tdesktop  # broken on phosh
    tokodon
    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
-    { pkg = vlc; dir = ".config/vlc"; }
+    { pkg = vlc; persist-files = [ ".config/vlc/vlc-qt-interface.conf" ]; }
    whalebird # pleroma client. input is broken on phosh
    xdg-utils  # for xdg-open
@@ -137,8 +132,8 @@ let
      nss = pkgs.nss_latest;
    }); in { pkg = discord; dir = ".config/discord"; })
-    # kaiteki  # Pleroma client
+    kaiteki  # Pleroma client
-    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+    gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
    logseq
    losslesscut-bin
--- a/modules/universal/env/system-packages.nix
+++ b/modules/universal/env/system-packages.nix
--- a/modules/universal/env/web-browser.nix
+++ b/modules/universal/env/web-browser.nix
@@ -0,0 +1,55 @@
 pkgs:
 # common settings to toggle (at runtime, in about:config):
 #   > security.ssl.require_safe_negotiation
 # librewolf is a forked firefox which patches firefox to allow more things
 # (like default search engines) to be configurable at runtime.
 # many of the settings below won't have effect without those patches.
 # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
 pkgs.wrapFirefox pkgs.librewolf-unwrapped {
  # inherit the default librewolf.cfg
  # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
  inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
  libName = "librewolf";
  extraPolicies = {
    NoDefaultBookmarks = true;
    SearchEngines = {
      Default = "DuckDuckGo";
    };
    AppUpdateURL = "https://localhost";
    DisableAppUpdate = true;
    OverrideFirstRunPage = "";
    OverridePostUpdatePage = "";
    DisableSystemAddonUpdate = true;
    DisableFirefoxStudies = true;
    DisableTelemetry = true;
    DisableFeedbackCommands = true;
    DisablePocket = true;
    DisableSetDesktopBackground = false;
    Extensions = {
      Install = [
        "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
      ];
      # remove many default search providers
      Uninstall = [
        "google@search.mozilla.org"
        "bing@search.mozilla.org"
        "amazondotcom@search.mozilla.org"
        "ebay@search.mozilla.org"
        "twitter@search.mozilla.org"
      ];
    };
    # XXX doesn't seem to have any effect...
    # docs: https://github.com/mozilla/policy-templates#homepage
    # Homepage = {
    #   HomepageURL = "https://uninsane.org/";
    #   StartPage = "homepage";
    # };
    # NewTabPage = true;
  };
 }
--- a/modules/universal/home-manager/aerc.nix
+++ b/modules/universal/home-manager/aerc.nix
@@ -1,14 +0,0 @@
 # Terminal UI mail client
 { config, ... }:
 {
  sops.secrets."aerc_accounts" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
    format = "binary";
  };
  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
    # aerc TUI mail client
    xdg.configFile."aerc/accounts.conf".source =
      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
  };
 }
--- a/modules/universal/home-manager/default.nix
+++ b/modules/universal/home-manager/default.nix
@@ -1,218 +0,0 @@
 # docs:
 #   https://rycee.gitlab.io/home-manager/
 #   https://rycee.gitlab.io/home-manager/options.html
 #   man home-configuration.nix
 #
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.sane.home-manager;
  # extract package from `extraPackages`
  pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
  # extract `dir` from `extraPackages`
  dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
  private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
  feeds = import ./feeds.nix { inherit lib; };
 in
 {
  imports = [
    ./aerc.nix
    ./discord.nix
    ./git.nix
    ./kitty.nix
    ./librewolf.nix
    ./mpv.nix
    ./nb.nix
    ./neovim.nix
    ./ssh.nix
    ./sublime-music.nix
    ./vlc.nix
    ./zsh.nix
  ];
  options = {
    # packages to deploy to the user's home
    sane.home-manager.extraPackages = mkOption {
      default = [ ];
      # each entry can be either a package, or attrs:
      #   { pkg = package; dir = optional string;
      type = types.listOf (types.either types.package types.attrs);
    };
    # attributes to copy directly to home-manager's `wayland.windowManager` option
    sane.home-manager.windowManager = mkOption {
      default = {};
      type = types.attrs;
    };
    # extra attributes to include in home-manager's `programs` option
    sane.home-manager.programs = mkOption {
      default = {};
      type = types.attrs;
    };
  };
  config = {
    sane.impermanence.home-dirs = [
      "archive"
      "dev"
      "records"
      "ref"
      "tmp"
      "use"
      "Music"
      "Pictures"
      "Videos"
    ] ++ (dir-list cfg.extraPackages);
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
      # run `home-manager-help` to access manpages
      # or `man home-configuration.nix`
      manual.html.enable = false;  # TODO: set to true later (build failure)
      manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
      home.packages = pkg-list cfg.extraPackages;
      wayland.windowManager = cfg.windowManager;
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      home.activation = {
        initKeyring = {
          after = ["writeBoundary"];
          before = [];
          data = "${../../../scripts/init-keyring}";
        };
      };
      home.file = let
        privates = builtins.listToAttrs (
          builtins.map (path: {
            name = path;
            value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
          })
          (private-list cfg.extraPackages)
        );
      in {
        # convenience
        "knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
        "nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
        "Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
        "Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
        "Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
        # used by password managers, e.g. unix `pass`
        ".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
      } // privates;
      # XDG defines things like ~/Desktop, ~/Downloads, etc.
      # these clutter the home, so i mostly don't use them.
      xdg.userDirs = {
        enable = true;
        createDirectories = false;  # on headless systems, most xdg dirs are noise
        desktop = "$HOME/.xdg/Desktop";
        documents = "$HOME/dev";
        download = "$HOME/tmp";
        music = "$HOME/Music";
        pictures = "$HOME/Pictures";
        publicShare = "$HOME/.xdg/Public";
        templates = "$HOME/.xdg/Templates";
        videos = "$HOME/Videos";
      };
      # the xdg mime type for a file can be found with:
      # - `xdg-mime query filetype path/to/thing.ext`
      xdg.mimeApps.enable = true;
      xdg.mimeApps.defaultApplications = let
        www = "librewolf.desktop";
        pdf = "org.gnome.Evince.desktop";
        md = "obsidian.desktop";
        thumb = "org.gnome.gThumb.desktop";
        video = "vlc.desktop";
        # audio = "mpv.desktop";
        audio = "vlc.desktop";
      in {
        # HTML
        "text/html" = [ www ];
        "x-scheme-handler/http" = [ www ];
        "x-scheme-handler/https" = [ www ];
        "x-scheme-handler/about" = [ www ];
        "x-scheme-handler/unknown" = [ www ];
        # RICH-TEXT DOCUMENTS
        "application/pdf" = [ pdf ];
        "text/markdown" = [ md ];
        # IMAGES
        "image/heif" = [ thumb ];  # apple codec
        "image/png" = [ thumb ];
        "image/jpeg" = [ thumb ];
        # VIDEO
        "video/mp4" = [ video ];
        "video/quicktime" = [ video ];
        "video/x-matroska" = [ video ];
        # AUDIO
        "audio/flac" = [ audio ];
        "audio/mpeg" = [ audio ];
        "audio/x-vorbis+ogg" = [ audio ];
      };
      xdg.configFile."gpodderFeeds.opml".text = with feeds;
        feedsToOpml feeds.podcasts;
      # news-flash RSS viewer
      xdg.configFile."newsflashFeeds.opml".text = with feeds;
        feedsToOpml (feeds.texts ++ feeds.images);
      # gnome feeds RSS viewer
      xdg.configFile."org.gabmus.gfeeds.json".text =
      let
        myFeeds = feeds.texts ++ feeds.images;
      in builtins.toJSON {
        # feed format is a map from URL to a dict,
        #   with dict["tags"] a list of string tags.
        feeds = builtins.foldl' (acc: feed: acc // {
          "${feed.url}".tags = [ feed.cat feed.freq ];
        }) {} myFeeds;
        dark_reader = false;
        new_first = true;
        # windowsize = {
        #   width = 350;
        #   height = 650;
        # };
        max_article_age_days = 90;
        enable_js = false;
        max_refresh_threads = 3;
        # saved_items = {};
        # read_items = [];
        show_read_items = true;
        full_article_title = true;
        # views: "webview", "reader", "rsscont"
        default_view = "rsscont";
        open_links_externally = true;
        full_feed_name = false;
        refresh_on_startup = true;
        tags = lib.lists.unique (
          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
        );
        open_youtube_externally = false;
        media_player = "vlc";  # default: mpv
      };
      programs = {
        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
        # "command not found" will cause the command to be searched in nixpkgs
        nix-index.enable = true;
      } // cfg.programs;
    };
  };
 }
--- a/modules/universal/home-manager/discord.nix
+++ b/modules/universal/home-manager/discord.nix
@@ -1,10 +0,0 @@
 { ... }:
 {
  # TODO: this should only be enabled on gui devices
  # make Discord usable even when client is "outdated"
  home-manager.users.colin.xdg.configFile."discord/settings.json".text = ''
    {
      "SKIP_HOST_UPDATE": true
    }
  '';
 }
--- a/modules/universal/home-manager/git.nix
+++ b/modules/universal/home-manager/git.nix
@@ -1,18 +0,0 @@
 { pkgs, ... }:
 {
  home-manager.users.colin.programs.git = {
    enable = true;
    userName = "colin";
    userEmail = "colin@uninsane.org";
    aliases = { co = "checkout"; };
    extraConfig = {
      # difftastic docs:
      # - <https://difftastic.wilfred.me.uk/git.html>
      diff.tool = "difftastic";
      difftool.prompt = false;
      "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
      # now run `git difftool` to use difftastic git
    };
  };
 }
--- a/modules/universal/home-manager/kitty.nix
+++ b/modules/universal/home-manager/kitty.nix
@@ -1,69 +0,0 @@
 { ... }:
 {
  home-manager.users.colin.programs.kitty = {
    enable = true;
    # docs: https://sw.kovidgoyal.net/kitty/conf/
    settings = {
      # disable terminal bell (when e.g. you backspace too many times)
      enable_audio_bell = false;
    };
    keybindings = {
      "ctrl+n" = "new_os_window_with_cwd";
    };
    # docs: https://github.com/kovidgoyal/kitty-themes
    # theme = "1984 Light";  # dislike: awful, harsh blues/teals
    # theme = "Adventure Time";  # dislike: harsh (dark)
    # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
    # theme = "Belafonte Day";  # dislike: too low contrast for text colors
    # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
    # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
    # theme = "Desert";  # mediocre: colors are harsh
    # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
    # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
    # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
    # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
    # theme = "kanagawabones";  # better: dark theme. colors are too background-y
    # theme = "Kaolin Dark";  # dislike: too dark
    # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
    # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
    # theme = "Material"; # decent: light theme, few colors.
    # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
    # theme = "Nord";  # mediocre: pale background, low contrast
    # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
    theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
    # theme = "Parasio Dark";  # dislike: too low contrast
    # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
    # theme = "Pnevma";  # dislike: too low contrast
    # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
    # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
    # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
    # theme = "Sea Shells";  # mediocre. not all color combos are readable
    # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
    # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
    # theme = "Sourcerer";  # mediocre: ugly colors
    # theme = "Space Gray";  # mediocre: too muted
    # theme = "Space Gray Eighties";  # better: all readable, decent colors
    # theme = "Spacemacs";  # mediocre: too muted
    # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
    # theme = "Srcery";  # better: highly readable. colors are ehhh
    # theme = "Substrata";  # decent: nice colors, but a bit flat.
    # theme = "Sundried";  # mediocre: the solar text makes me squint
    # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
    # theme = "Tango Light";  # dislike: teal is too grating
    # theme = "Tokyo Night Day";  # medicore: too muted
    # theme = "Tokyo Night";  # better: tasteful. a bit flat
    # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
    # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
    # theme = "Urple";  # dislike: weird palette
    # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
    # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
    # theme = "Xcodedark";  # dislike: bad palette
    # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
    # theme = "neobones_light"; # better light theme. the background is maybe too muted
    # theme = "vimbones";
    # theme = "zenbones_dark";  # mediocre: readable, but meh colors
    # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
    # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
    # extraConfig = "";
  };
 }
--- a/modules/universal/home-manager/librewolf.nix
+++ b/modules/universal/home-manager/librewolf.nix
@@ -1,102 +0,0 @@
 # common settings to toggle (at runtime, in about:config):
 #   > security.ssl.require_safe_negotiation
 # librewolf is a forked firefox which patches firefox to allow more things
 # (like default search engines) to be configurable at runtime.
 # many of the settings below won't have effect without those patches.
 # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
 { config, lib, pkgs, ...}:
 let
  package = pkgs.wrapFirefox pkgs.librewolf-unwrapped {
    # inherit the default librewolf.cfg
    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
    libName = "librewolf";
    extraNativeMessagingHosts = [ pkgs.browserpass ];
    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
    extraPolicies = {
      NoDefaultBookmarks = true;
      SearchEngines = {
        Default = "DuckDuckGo";
      };
      AppUpdateURL = "https://localhost";
      DisableAppUpdate = true;
      OverrideFirstRunPage = "";
      OverridePostUpdatePage = "";
      DisableSystemAddonUpdate = true;
      DisableFirefoxStudies = true;
      DisableTelemetry = true;
      DisableFeedbackCommands = true;
      DisablePocket = true;
      DisableSetDesktopBackground = false;
      Extensions = {
        Install = let
          addon = pkg: addonId: "${pkg}/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/${addonId}.xpi";
        in with pkgs.firefox-addons; [
          # the extension key is found by building and checking the output: `nix build '.#rycee.firefox-addons.<foo>'`
          # or by taking the `addonId` input to `buildFirefoxXpiAddon` in rycee's firefox-addons repo
          (addon ublock-origin "uBlock0@raymondhill.net")
          (addon sponsorblock "sponsorBlocker@ajay.app")
          (addon bypass-paywalls-clean "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}")
          (addon sidebery "{3c078156-979c-498b-8990-85f7987dd929}")
          (addon browserpass "browserpass@maximbaz.com")
          (addon metamask "webextension@metamask.io")
          # extensions can alternatively be installed by URL, in which case they are fetched (and cached) on first run.
          # "https://addons.mozilla.org/firefox/downloads/latest/gopass-bridge/latest.xpi"
        ];
        # remove many default search providers
        Uninstall = [
          "google@search.mozilla.org"
          "bing@search.mozilla.org"
          "amazondotcom@search.mozilla.org"
          "ebay@search.mozilla.org"
          "twitter@search.mozilla.org"
        ];
      };
      # XXX doesn't seem to have any effect...
      # docs: https://github.com/mozilla/policy-templates#homepage
      # Homepage = {
      #   HomepageURL = "https://uninsane.org/";
      #   StartPage = "homepage";
      # };
      # NewTabPage = true;
    };
  };
 in
 {
  # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
  home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
    programs.firefox = {
      enable = true;
      inherit package;
    };
    # uBlock filter list configuration.
    # specifically, enable the GDPR cookie prompt blocker.
    # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
    # this configuration method is documented here:
    # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
    # the specific attribute path is found via scraping ublock code here:
    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
    home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
      {
       "name": "uBlock0@raymondhill.net",
       "description": "ignored",
       "type": "storage",
       "data": {
          "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
       }
      }
    '';
    home.file.".librewolf/librewolf.overrides.cfg".text = ''
      // if we can't query the revocation status of a SSL cert because the issuer is offline,
      // treat it as unrevoked.
      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
      defaultPref("security.OCSP.require", false);
    '';
  };
 }
--- a/modules/universal/home-manager/mpv.nix
+++ b/modules/universal/home-manager/mpv.nix
@@ -1,11 +0,0 @@
 { ... }:
 {
  home-manager.users.colin.programs.mpv = {
    enable = true;
    config = {
      save-position-on-quit = true;
      keep-open = "yes";
    };
  };
 }
--- a/modules/universal/home-manager/nb.nix
+++ b/modules/universal/home-manager/nb.nix
@@ -1,24 +0,0 @@
 # nb is a CLI-drive Personal Knowledge Manager
 # - <https://xwmx.github.io/nb/>
 #
 # it's pretty opinionated:
 # - autocommits (to git) excessively (disable-able)
 # - inserts its own index files to give deterministic names to files
 #
 # it offers a primitive web-server
 # and it offers some CLI query tools
 { lib, pkgs, ... }: lib.mkIf false  # XXX disabled!
 {
  sane.home-manager.extraPackages = [ pkgs.nb ];
  home-manager.users.colin = { config, ... }: {
    # nb markdown/personal knowledge manager
    home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
    home.file.".nb/.current".text = "knowledge";
    home.file.".nbrc".text = ''
      # manage with `nb settings`
      export NB_AUTO_SYNC=0
    '';
  };
 }
--- a/modules/universal/home-manager/neovim.nix
+++ b/modules/universal/home-manager/neovim.nix
@@ -1,115 +0,0 @@
 { pkgs, ... }:
 {
  sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
  home-manager.users.colin.programs.neovim = {
    # neovim: https://github.com/neovim/neovim
    enable = true;
    viAlias = true;
    vimAlias = true;
    plugins = with pkgs.vimPlugins; [
      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
      # docs: vim-surround: https://github.com/tpope/vim-surround
      vim-surround
      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
      fzf-vim
      # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
      ({
        plugin = tex-conceal-vim;
        type = "viml";
        config = ''
          " present prettier fractions
          let g:tex_conceal_frac=1
        '';
      })
      ({
        plugin = vim-SyntaxRange;
        type = "viml";
        config = ''
          " enable markdown-style codeblock highlighting for tex code
          autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
          " autocmd Syntax tex set conceallevel=2
        '';
      })
      # nabla renders inline math in any document, but it's buggy.
      #   https://github.com/jbyuki/nabla.nvim
      # ({
      #   plugin = pkgs.nabla;
      #   type = "lua";
      #   config = ''
      #     require'nabla'.enable_virt()
      #   '';
      # })
      # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
      # docs: https://github.com/nvim-treesitter/nvim-treesitter
      # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
      # this is required for tree-sitter to even highlight
      ({
        plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
        type = "lua";
        config = ''
          require'nvim-treesitter.configs'.setup {
            highlight = {
              enable = true,
              -- disable treesitter on Rust so that we can use SyntaxRange
              -- and leverage TeX rendering in rust projects
              disable = { "rust", "tex", "latex" },
              -- disable = { "tex", "latex" },
              -- true to also use builtin vim syntax highlighting when treesitter fails
              additional_vim_regex_highlighting = false
            },
            incremental_selection = {
              enable = true,
              keymaps = {
                init_selection = "gnn",
                node_incremental = "grn",
                mcope_incremental = "grc",
                node_decremental = "grm"
              }
            },
            indent = {
              enable = true,
              disable = {}
            }
          }
          vim.o.foldmethod = 'expr'
          vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
        '';
      })
    ];
    extraConfig = ''
      " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
      " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
      set mouse=
      " copy/paste to system clipboard
      set clipboard=unnamedplus
      " screw tabs; always expand them into spaces
      set expandtab
      " at least don't open files with sections folded by default
      set nofoldenable
      " allow text substitutions for certain glyphs.
      " higher number = more aggressive substitution (0, 1, 2, 3)
      " i only make use of this for tex, but it's unclear how to
      " apply that *just* to tex and retain the SyntaxRange stuff.
      set conceallevel=2
      " horizontal rule under the active line
      " set cursorline
      " highlight trailing space & related syntax errors (doesn't seem to work??)
      " let c_space_errors=1
      " let python_space_errors=1
      " enable highlighting of leading/trailing spaces,
      " and especially tabs
      " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
      set list
      set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
    '';
  };
 }
--- a/modules/universal/home-manager/ssh.nix
+++ b/modules/universal/home-manager/ssh.nix
@@ -1,18 +0,0 @@
 { config, pkgs, ... }:
 {
  home-manager.users.colin = let
    host = config.networking.hostName;
    user_pubkey = (import ../pubkeys.nix).users."${host}";
    known_hosts_text = builtins.concatStringsSep
      "\n"
      (builtins.attrValues (import ../pubkeys.nix).hosts);
  in { config, ...}: {
    # ssh key is stored in private storage
    home.file.".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/.ssh/id_ed25519";
    home.file.".ssh/id_ed25519.pub".text = user_pubkey;
    programs.ssh.enable = true;
    # this optionally accepts multiple known_hosts paths, separated by space.
    programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
  };
 }
--- a/modules/universal/home-manager/sublime-music.nix
+++ b/modules/universal/home-manager/sublime-music.nix
@@ -1,14 +0,0 @@
 { config, ... }:
 {
  # TODO: this should only be shipped on gui platforms
  sops.secrets."sublime_music_config" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
    format = "binary";
  };
  home-manager.users.colin = let sysconfig = config; in { config, ... }: {
    # sublime music player
    xdg.configFile."sublime-music/config.json".source =
      config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
  };
 }
--- a/modules/universal/home-manager/vlc.nix
+++ b/modules/universal/home-manager/vlc.nix
@@ -1,17 +0,0 @@
 { lib, ... }:
 {
  home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
  let
    feeds = import ./feeds.nix { inherit lib; };
    podcastUrls = lib.strings.concatStringsSep "|" (
      builtins.map (feed: feed.url) feeds.podcasts
    );
  in ''
    [podcast]
    podcast-urls=${podcastUrls}
    [core]
    metadata-network-access=0
    [qt]
    qt-privacy-ask=0
  '';
 }
--- a/modules/universal/home-manager/zsh.nix
+++ b/modules/universal/home-manager/zsh.nix
@@ -1,61 +0,0 @@
 { ... }:
 {
  # we don't need to full zsh dir -- just the history file --
  # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
  sane.impermanence.home-dirs = [ ".local/share/zsh" ];
  home-manager.users.colin.programs.zsh = {
    enable = true;
    enableSyntaxHighlighting = true;
    enableVteIntegration = true;
    history.ignorePatterns = [ "rm *" ];
    dotDir = ".config/zsh";
    history.path = "/home/colin/.local/share/zsh/history";
    initExtraBeforeCompInit = ''
      # p10k instant prompt
      # run p10k configure to configure, but it can't write out its file :-(
      POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
    '';
    initExtra = ''
      # zmv is a way to do rich moves/renames, with pattern matching/substitution.
      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
      autoload -Uz zmv
      # disable `rm *` confirmations
      setopt rmstarsilent
      function nd() {
        mkdir -p "$1";
        pushd "$1";
      }
    '';
    # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
    # see: https://github.com/sorin-ionescu/prezto
    prezto = {
      enable = true;
      pmodules = [
        "environment"
        "terminal"
        "editor"
        "history"
        "directory"
        "spectrum"
        "utility"
        "completion"
        "prompt"
        "git"
      ];
      prompt.theme = "powerlevel10k";
      utility.safeOps = false;  # disable `mv` confirmation (and supposedly `rm`, too)
    };
  };
  home-manager.users.colin.home.shellAliases = {
    ":q" = "exit";
    # common typos
    "cd.." = "cd ..";
    "cd../" = "cd ../";
  };
 }
--- a/modules/universal/net.nix
+++ b/modules/universal/net.nix
@@ -18,20 +18,10 @@
  # docs:
  # - <https://nixos.wiki/wiki/Iwd>
  # - <https://iwd.wiki.kernel.org/networkmanager>
  # - `man iwd.config`  for global config
  # - `man iwd.network` for per-SSID config
  # use `iwctl` to control
  networking.networkmanager.wifi.backend = "iwd";
  networking.wireless.iwd.enable = true;
-  networking.wireless.iwd.settings = {
+  networking.networkmanager.wifi.backend = "iwd";
    # auto-connect to a stronger network if signal drops below this value
    # bedroom -> bedroom connection is -35 to -40 dBm
    # bedroom -> living room connection is -60 dBm
    General.RoamThreshold = "-52";  # default -70
    General.RoamThreshold5G = "-52";  # default -76
  };
  # TODO: don't need to depend on binsh if we were to use a nix-style shebang
  system.activationScripts.linkIwdKeys = let
    unwrapped = ../../scripts/install-iwd;
    install-iwd = pkgs.writeShellApplication {
@@ -40,7 +30,7 @@
      text = ''${unwrapped} "$@"'';
    };
  in (lib.stringAfter
-    [ "setupSecrets" "binsh" ]
+    [ "setupSecrets" ]
    ''
    mkdir -p /var/lib/iwd
    ${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
--- a/modules/universal/pubkeys.nix
+++ b/modules/universal/pubkeys.nix
@@ -1,34 +0,0 @@
 # create ssh key by running:
 # - `ssh-keygen -t ed25519`
 let
  withHost = host: key: "${host} ${key}";
  withUser = user: key: "${key} ${user}";
  keys = rec {
    lappy = {
      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
    };
    desko = {
      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
    };
    servo = {
      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
    };
    moby = {
      host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
      users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
    };
    "uninsane.org" = servo;
    "git.uninsane.org" = servo;
  };
 in {
  # map hostname -> something suitable for known_keys
  hosts = builtins.mapAttrs (machine: keys: withHost machine keys.host) keys;
  # map hostname -> something suitable for authorized_keys to allow access to colin@<hostname>
  users = builtins.mapAttrs (machine: keys: withUser "colin@${machine}" keys.users.colin) keys;
 }
--- a/modules/universal/secrets.nix
+++ b/modules/universal/secrets.nix
@@ -35,9 +35,9 @@
  sops.defaultSopsFile = ./../../secrets/universal.yaml;
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = [
-    "/etc/ssh/host_keys/ssh_host_ed25519_key"
+    "/etc/ssh/ssh_host_ed25519_key"
    # "/home/colin/.ssh/id_ed25519_dec"
  ];
  sops.gnupg.sshKeyPaths = [];  # disable RSA key import
  # This is using an age key that is expected to already be in the filesystem
  # sops.age.keyFile = "/home/colin/.ssh/age.pub";
  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
--- a/modules/universal/ssh.nix
+++ b/modules/universal/ssh.nix
@@ -1,11 +0,0 @@
 { ... }:
 {
  # we place the host keys (which we want to be persisted) into their own directory to ease that.
  # otherwise, this is identical to nixos defaults
  sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
  services.openssh.hostKeys = [
    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
  ];
 }
--- a/modules/universal/users.nix
+++ b/modules/universal/users.nix
@@ -43,14 +43,17 @@ in
        "feedbackd"
        "dialout" # required for modem access
      ];
      # initial password is empty, in case anything goes wrong.
      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
      initialPassword = lib.mkDefault "";
      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
      shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = builtins.attrValues (import ./pubkeys.nix).users;
+      # shell = pkgs.bashInteractive;
      # XXX colin: create ssh key for THIS user by logging in and running:
      #   ssh-keygen -t ed25519
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
      ];
      pamMount = {
        # mount encrypted stuff at login
@@ -64,15 +67,6 @@ in
      };
    };
    sane.impermanence.home-dirs = [
      # cache is probably too big to fit on the tmpfs
      # TODO: we could bind-mount it to something which gets cleared per boot, though.
      ".cache"
      ".cargo"
      ".rustup"
      ".local/share/keyrings"
    ];
    sane.impermanence.service-dirs = mkIf cfg.guest.enable [
      { user = "guest"; group = "users"; directory = "/home/guest"; }
    ];
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
@@ -6,14 +6,6 @@ fetchpatch: [
    sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
  })
  # freshrss: fix ExecStart path
  (fetchpatch {
    url = "https://github.com/NixOS/nixpkgs/pull/197731.diff";
    # url = "http://git.uninsane.org/colin/nixpkgs/commit/e4235c60b71bec66fe8f811cdbdd229bcf98915f.diff";
    sha256 = "sha256-SL7tddw0YZWzZ+JhosoTyBuEahEJEjMuV4WEBCg9OM0=";
  })
  # # kaiteki: init at 2022-09-03
  # vendorHash changes too frequently (might not be reproducible).
  # using local package defn until stabilized
@@ -23,6 +15,13 @@ fetchpatch: [
  #   sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
  # })
  # freshrss: patchShebangs instead of specifying interpreter in the service
  (fetchpatch {
    # url = "https://git.uninsane.org/colin/nixpkgs/commit/9443d83e6fee728c1926a783647b45011bd3b514.diff";
    url = "https://github.com/NixOS/nixpkgs/pull/196140.diff";
    sha256 = "sha256-Lngle5YTE7ymQyUarKbebMjiaTlY5cJBoaeZk7AgbXE=";
  })
  # nautilus: look for the gtk4 FileChooser settings instead of the gtk4 one
  (fetchpatch {
    # original version (include the patch in nixpkgs)
--- a/pkgs/browserpass/default.nix
+++ b/pkgs/browserpass/default.nix
@@ -1,44 +0,0 @@
 { pkgs
 , bash
 , fetchFromGitea
 , lib
 , sops
 , stdenv
 , substituteAll
 }:
 let
  sane-browserpass-gpg = stdenv.mkDerivation {
    pname = "sane-browserpass-gpg";
    version = "0.1.0";
    src = ./.;
    inherit bash sops;
    installPhase = ''
      mkdir -p $out/bin
      substituteAll ${./sops-gpg-adapter} $out/bin/gpg
      chmod +x $out/bin/gpg
      ln -s $out/bin/gpg $out/bin/gpg2
    '';
  };
 in
 (pkgs.browserpass.overrideAttrs (upstream: {
  src = fetchFromGitea {
    domain = "git.uninsane.org";
    owner = "colin";
    repo = "browserpass-native";
    rev = "8de7959fa5772aca406bf29bb17707119c64b81e";
    hash = "sha256-ewB1YdWqfZpt8d4p9LGisiGUsHzRW8RiSO/+NZRiQpk=";
  };
  installPhase = ''
    make install
    wrapProgram $out/bin/browserpass \
      --prefix PATH : ${lib.makeBinPath [ sane-browserpass-gpg ]}
    # This path is used by our firefox wrapper for finding native messaging hosts
    mkdir -p $out/lib/mozilla/native-messaging-hosts
    ln -s $out/lib/browserpass/hosts/firefox/*.json $out/lib/mozilla/native-messaging-hosts
  '';
 }))
--- a/pkgs/browserpass/sops-gpg-adapter
+++ b/pkgs/browserpass/sops-gpg-adapter
@@ -1,14 +0,0 @@
 #! @bash@/bin/sh
 # browserpass "validates" the gpg binary by invoking it with --version
 if [ "$1" = "--version" ]
 then
  echo "sane-browserpass-gpg @version@";
  exit 0
 fi
 # using exec here forwards our stdin
 # browserpass parses the response in
 # <browserpass-extension/src/background.js#parseFields>
 # it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
 exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin
--- a/pkgs/gopass-native-messaging-host/com.justwatch.gopass.json
+++ b/pkgs/gopass-native-messaging-host/com.justwatch.gopass.json
@@ -1,10 +0,0 @@
 {
    "name": "com.justwatch.gopass",
    "description": "Gopass wrapper to search and return passwords",
    "path": "@out@/bin/gopass-wrapper",
    "type": "stdio",
    "allowed_extensions": [
        "{eec37db0-22ad-4bf1-9068-5ae08df8c7e9}"
    ]
 }
--- a/pkgs/gopass-native-messaging-host/default.nix
+++ b/pkgs/gopass-native-messaging-host/default.nix
@@ -1,22 +0,0 @@
 { stdenv
 , bash
 , gopass-jsonapi
 , substituteAll
 }:
 stdenv.mkDerivation {
  pname = "gopass-native-messaging-host";
  version = "1.0";
  src = ./.;
  inherit bash;
  # substituteAll doesn't work with hyphenated vars ??
  gopassJsonapi = gopass-jsonapi;
  installPhase = ''
    mkdir -p $out/bin $out/lib/mozilla/native-messaging-hosts
    substituteAll ${./gopass-wrapper.sh} $out/bin/gopass-wrapper
    chmod +x $out/bin/gopass-wrapper
    substituteAll ${./com.justwatch.gopass.json} $out/lib/mozilla/native-messaging-hosts/com.justwatch.gopass.json
  '';
 }
--- a/pkgs/gopass-native-messaging-host/gopass-wrapper.sh
+++ b/pkgs/gopass-native-messaging-host/gopass-wrapper.sh
@@ -1,2 +0,0 @@
 #! @bash@/bin/sh
 exec @gopassJsonapi@/bin/gopass-jsonapi listen
--- a/pkgs/lightdm-mobile-greeter/cargo_lock-fix_lightdm_rs_url.patch
+++ b/pkgs/lightdm-mobile-greeter/cargo_lock-fix_lightdm_rs_url.patch
@@ -1,28 +0,0 @@
 commit c2a3a5eff2edc95108a21fc02c420a8aaa19accd
 Author: colin <colin@uninsane.org>
 Date:   Tue Oct 25 20:59:20 2022 -0700
    Cargo.lock: update lightdm-rs URLs
 diff --git a/Cargo.lock b/Cargo.lock
 index 1051644..72d09e6 100644
 --- a/Cargo.lock
 +++ b/Cargo.lock
@@ -362,7 +362,7 @@ dependencies = [
 [[package]]
 name = "light-dm-sys"
 version = "0.0.1"
 -source = "git+https://raatty.club:3000/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
 +source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
 dependencies = [
  "gio-sys",
  "glib-sys",
@@ -374,7 +374,7 @@ dependencies = [
 [[package]]
 name = "lightdm"
 version = "0.1.0"
 -source = "git+https://raatty.club:3000/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
 +source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
 dependencies = [
  "gio",
  "gio-sys",
--- a/pkgs/lightdm-mobile-greeter/default.nix
+++ b/pkgs/lightdm-mobile-greeter/default.nix
@@ -11,20 +11,16 @@
 rustPlatform.buildRustPackage rec {
  pname = "lightdm-mobile-greeter";
-  version = "6";
+  version = "0.1.2";
  src = fetchFromGitea {
-    domain = "git.raatty.club";
+    domain = "git.uninsane.org";
-    owner = "raatty";
+    owner = "colin";
    repo = "lightdm-mobile-greeter";
-    rev = "${version}";
+    rev = "v${version}";
-    hash = "sha256-uqsYOHRCOmd3tpJdndZFQ/tznZ660NhB+gE2154kJuM=";
+    hash = "sha256-x7tpaHYDg6BPIc3k3zzPvZma0RYuGAMQ/z6vAP0wbWs=";
  };
-  cargoHash = "sha256-JV8NQdZAG4EetRHwbi0dD0uIOUkn5hvzry+5WB7TCO4=";
+  cargoHash = "sha256-5WJGnLdZd4acKPEkkTS71n4gfxhlujHWnwiMsomTYck=";
  cargoPatches = [
    ./cargo_lock-fix_lightdm_rs_url.patch
  ];
  buildInputs = [
    gtk3
--- a/pkgs/linux-megous/default.nix
+++ b/pkgs/linux-megous/default.nix
@@ -3,7 +3,7 @@
 with lib;
 buildLinux (args // rec {
-  version = "6.0.2";
+  version = "6.0.0";
  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -15,7 +15,7 @@ buildLinux (args // rec {
    owner = "megous";
    repo = "linux";
    # branch: orange-pi-6.0
-    rev = "2683672a2052ffda995bb987fa62a1abe8424ef4";
+    rev = "b16232c6156de17e1dfdb63fdaea8e317baa07a7";
-    hash = "sha256-hL/SbLgaTk/CqFLFrAK/OV9/OS20O42zJvSScsvWBQk=";
+    sha256 = "sha256-Tb05IQKFdX/T7elGNnXTLVmgGLvXoeBFBq/8Q7jQhX0=";
  };
 } // (args.argsOverride or { }))
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -37,13 +37,9 @@
  gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
  browserpass = prev.callPackage ./browserpass { pkgs = prev; };
  #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
  kaiteki = prev.callPackage ./kaiteki { };
  lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
  gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
  tokodon = prev.libsForQt5.callPackage ./tokodon { };
  # kaiteki = prev.kaiteki;
  # TODO: upstream, or delete nabla
  nabla = prev.callPackage ./nabla { };
--- a/pkgs/pleroma/default.nix
+++ b/pkgs/pleroma/default.nix
@@ -1,7 +1,6 @@
 { lib, beamPackages
 , fetchFromGitHub, fetchFromGitLab
 , file, cmake, bash
 , libxcrypt
 , nixosTests, writeText
 , cookieFile ? "/var/lib/pleroma/.cookie"
 , ...
@@ -15,10 +14,11 @@ beamPackages.mixRelease rec {
    domain = "git.pleroma.social";
    owner = "pleroma";
    repo = "pleroma";
-    rev = "7a519b6a6607bc1dd22e6a3450aebf0f1ff11fb8";
+    rev = "4605efe272016a5ba8ba6e96a9bec9a6e40c1591";
    # to update: uncomment the null hash, run nixos-rebuild and
    # compute the new hash with `nix to-sri sha256:<output from failed nix build>`
-    sha256 = "sha256-6NglBcEGEvRlYMnVNB8kr4i/fccrzO6mnyp3X+O0m74=";
+    # sha256 = "sha256-0000000000000000000000000000000000000000000=";
    sha256 = "sha256-Dp1kTUDfNC7EDoK9WToXkUvsj7v66eKuD15le5IZgiY=";
  };
  preFixup = if (cookieFile != null) then ''
@@ -72,49 +72,29 @@ beamPackages.mixRelease rec {
        name = "crypt";
        version = "0.4.3";
-        # src = fetchFromGitHub {
+        src = fetchFromGitHub {
-        #   owner = "msantos";
+          owner = "msantos";
        #   repo = "crypt";
        #   rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
        #   sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
        # };
        # this is the old crypt, from before 2021/09/21.
        # nixpkgs still uses this as of 2022-10-24 and it works.
        src = fetchFromGitLab {
          domain = "git.pleroma.social";
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "crypt";
-          rev = "cf2aa3f11632e8b0634810a15b3e612c7526f6a3";
+          rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
-          sha256 = "sha256-48QIsgyEaDzvnihdsFy7pYURLFcb9G8DXIrf5Luk3zo=";
+          sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
        };
        postInstall = "mv $out/lib/erlang/lib/crypt-${version}/priv/{source,crypt}.so";
        beamDeps = with final; [ elixir_make ];
        buildInputs = [ libxcrypt ];
      };
      prometheus_ex = beamPackages.buildMix rec {
        name = "prometheus_ex";
        version = "3.0.5";
-        src = fetchFromGitHub {
+        src = fetchFromGitLab {
-          owner = "lanodan";
+          domain = "git.pleroma.social";
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "prometheus.ex";
-          # branch = "fix/elixir-1.14";
+          rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
-          rev = "31f7fbe4b71b79ba27efc2a5085746c4011ceb8f";
+          sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
          sha256 = "sha256-2PZP+YnwnHt69HtIAQvjMBqBbfdbkRSoMzb1AL2Zsyc=";
        };
        # src = fetchFromGitLab {
        #   domain = "git.pleroma.social";
        #   group = "pleroma";
        #   owner = "elixir-libraries";
        #   repo = "prometheus.ex";
        #   rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
        #   sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
        # };
        beamDeps = with final; [ prometheus ];
      };
      prometheus_phx = beamPackages.buildMix rec {
@@ -129,8 +109,8 @@ beamPackages.mixRelease rec {
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "prometheus-phx";
-          rev = "0c950ac2d145b1ee3fc8ee5c3290ccb9ef2331e9";
+          rev = "9cd8f248c9381ffedc799905050abce194a97514";
-          sha256 = "sha256-HjN0ku1q5aNtrhHopch0wpp4Z+dMCGj5GxHroiz5u/w=";
+          sha256 = "0211z4bxb0bc0zcrhnph9kbbvvi1f2v95madpr96pqzr60y21cam";
        };
        beamDeps = with final; [ prometheus_ex ];
      };
--- a/pkgs/pleroma/mix.nix
+++ b/pkgs/pleroma/mix.nix
@@ -34,6 +34,7 @@ let
      beamDeps = [ custom_base ];
    };
    # base64url = buildMix rec {
    base64url = buildRebar3 rec {
      name = "base64url";
      version = "0.0.1";
@@ -361,12 +362,12 @@ let
    eblurhash = buildRebar3 rec {
      name = "eblurhash";
-      version = "1.2.2";
+      version = "1.1.0";
      src = fetchHex {
        pkg = "${name}";
        version = "${version}";
-        sha256 = "0k040pj8hlm8mwy0ra459hk35v9gfsvvgp596nl27q2dj00cl84c";
+        sha256 = "07dmkbyafpxffh8ar6af4riqfxiqc547rias7i73gpgx16fqhsrf";
      };
      beamDeps = [];
@@ -1645,19 +1646,5 @@ let
      beamDeps = [ httpoison jose ];
    };
    websockex = buildMix rec {
      name = "websockex";
      version = "0.4.3";
      src = fetchHex {
        pkg = "${name}";
        version = "${version}";
        sha256 = "1r2kmi2pcmdzvgbd08ci9avy0g5p2lhx80jn736a98w55c3ygwlm";
      };
      beamDeps = [];
    };
  };
 in self
--- a/pkgs/pleroma/updating.txt
+++ b/pkgs/pleroma/updating.txt
@@ -1,16 +1,10 @@
 in pleroma checkout:
 - grab version: `rg 'version: ' mix.exs`
 in default.nix:
- update `rev` and recompute sha256.
+  update `rev` and recompute sha256.
    use nix to-sri sha256:<expected>
-in pleroma checkout:
+run mix2nix inside the pleroma git root and pipe the output into mix.nix
- `mix2nix > mix.nix`
+  inside default.nix, update all git mix deps
  inside mix.nix, change base64url to use buildRebar3 instead of buildMix
-in nix repo:
+move majic from mix.nix -> default.nix and add:
- cp the new mix.nix here.
+  buildInputs = [ file ];
 - move majic from mix.nix -> default.nix and add:
        - buildInputs = [ file ];
 - update `mixNixDeps` in default.nix:
        - grab the version from pleroma/mix.exs or mix.lock
 - redundant?: inside mix.nix, change base64url to use buildRebar3 instead of buildMix
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -49,9 +49,8 @@ resholve.mkDerivation {
          "umount"
          "sudo"
-          # these are used internally; probably a better fix
+          # this is actually internal; probably a better fix
          "sane-mount-servo"
          "sane-private-unlock"
        ];
      };
--- a/pkgs/sane-scripts/src/sane-private-change-passwd
+++ b/pkgs/sane-scripts/src/sane-private-change-passwd
@@ -1,32 +0,0 @@
 #!/usr/bin/env bash
 set -ex
 new_plain=/home/colin/private-new
 new_cipher="/nix/persist${new_plain}"
 dest_plain=/home/colin/private
 dest_cipher="/nix/persist${dest_plain}"
 # initialize the new store
 sudo mkdir -p "${new_cipher}" && sudo chown colin:users "${new_cipher}"
 mkdir -p "${new_plain}"
 gocryptfs -init "${new_cipher}"
 # mount the new and old store
 gocryptfs "${new_cipher}" "${new_plain}"
 sane-private-unlock
 # transfer to the new store
 rsync -arv /home/colin/private/ "${new_plain}"/
 # unmount both stores
 sudo umount "${new_plain}"
 sudo umount /home/colin/private
 # swap the stores
 sudo mv "${dest_cipher}" "${dest_cipher}-old"
 sudo mv "${new_cipher}" "${dest_cipher}"
 sane-private-unlock
 echo "if things look well, rm ${dest_cipher}-old"
--- a/pkgs/sane-scripts/src/sane-private-unlock
+++ b/pkgs/sane-scripts/src/sane-private-unlock
@@ -1,14 +0,0 @@
 #!/usr/bin/env bash
 set -ex
 # configure persistent, encrypted storage that is auto-mounted on login.
 # this is a one-time setup and user should log out/back in after running it.
 mount=/home/colin/private
 cipher="/nix/persist$mount"
 mkdir -p "$mount"
 if [ ! -f "$mount/init" ]
 then
  gocryptfs "$cipher" "$mount"
 fi
--- a/pkgs/sane-scripts/src/sane-rcp
+++ b/pkgs/sane-scripts/src/sane-rcp
@@ -1,3 +0,0 @@
 #!/usr/bin/env sh
 # copy some remote file(s) to the working directory, with sane defaults
 rsync -arv --progress "$@" .
--- a/pkgs/sane-scripts/src/sane-sudo-redirect
+++ b/pkgs/sane-scripts/src/sane-sudo-redirect
@@ -1,16 +0,0 @@
 #!/usr/bin/env bash
 # redirects to $1, when writing to $1 requires sudo permissions.
 # i.e. convert a failing command:
 #
 # ```
 # $ sudo do_thing > /into/file
 # ```
 #
 # to
 #
 # ```
 # $ sudo do_thing | sane-sudo-redirect /into/file
 # ```
 exec sudo tee $@ > /dev/null
--- a/pkgs/sane-scripts/src/sane-sync-from-iphone
+++ b/pkgs/sane-scripts/src/sane-sync-from-iphone
@@ -5,13 +5,8 @@ set -ex
 # make sure the mountpoint exists
 if ! (test -e /mnt/iphone)
 then
-  sudo umount /mnt/iphone || true  # maybe the mount hung
+  sudo mkdir /mnt/iphone
-
+  sudo chown colin:users /mnt/iphone
  if ! (test -e /mnt/iphone)
  then
    sudo mkdir /mnt/iphone
    sudo chown colin:users /mnt/iphone
  fi
 fi
 # make sure the device is mounted
--- a/pkgs/tokodon/default.nix
+++ b/pkgs/tokodon/default.nix
@@ -1,64 +0,0 @@
 { lib
 , stdenv
 , fetchFromGitHub
 , cmake
 , extra-cmake-modules
 , kconfig
 , kdbusaddons
 , ki18n
 , kirigami2
 , knotifications
 , libwebsockets
 , pkg-config
 , qqc2-desktop-style
 , qtbase
 , qtkeychain
 , qtmultimedia
 , qtquickcontrols2
 , qttools
 , qtwebsockets
 , wrapQtAppsHook
 }:
 stdenv.mkDerivation rec {
  pname = "tokodon";
  version = "22.09";
  src = fetchFromGitHub {
    owner = "KDE";
    repo = pname;
    rev = "v${version}";
    sha256 = "sha256-wHE8HPnjXd+5UG5WEMd7+m1hu2G3XHq/eVQNznvS/zc=";
  };
  nativeBuildInputs = [
    cmake
    extra-cmake-modules
    pkg-config
    wrapQtAppsHook
  ];
  buildInputs = [
    kconfig
    kdbusaddons
    ki18n
    kirigami2
    knotifications
    qqc2-desktop-style
    qtbase
    qtkeychain
    qtmultimedia
    qtquickcontrols2
    qttools
    qtwebsockets
  ];
  meta = with lib; {
    description = "A Mastodon client for Plasma and Plasma Mobile";
    homepage = src.meta.homepage;
    license = licenses.gpl3Plus;
    platforms = platforms.unix;
    maintainers = with maintainers; [ matthiasbeyer ];
  };
 }
--- a/scripts/ensure-perms
+++ b/scripts/ensure-perms
@@ -1,8 +0,0 @@
 #!/usr/bin/env bash
 # ensures perms on a newly-built distribution are good.
 # usage: sudo ensure-perms /path/to/nix
 nix_path=$1
 chown root:root -R $nix_path
 chown root:nixbld $nix_path/store
--- a/secrets/desko.yaml
+++ b/secrets/desko.yaml
@@ -1,7 +1,6 @@
 duplicity_passphrase: ENC[AES256_GCM,data:rzUfcxe5YPloOrqgVwdCjsccexWc5RvmFf1i3Xs459iVTfWHlVJeT/IqReY6ZqdAkPJteTtrUZzak2GXyRUkE13+W0kE8isnDjPX/YDQwoK2sa+dwc4xGTekboc0gf6HH3vQpF1aiJDBfb3GtGyDVLH9MVIRPJGXSztZBduUDezA2wAx2wI=,iv:EHJg8kE/07v+ySSFDtW4FA4y1y/+fcGxfNCWoainwBI=,tag:S3ecM4DbDl8jqXLRKipZmQ==,type:str]
 #ENC[AES256_GCM,data:yU9cr6MXjS4m69BeIUjUw477wt4c1djYof3Qlfr4Dytv8hWqCuqThDwQTMY5jfHdv5ipS0aEjf7GWu2M2t9W88fYdxnTN2m8IfYZp76YcjxO4fup5BXiLGIjnm+qI0g=,iv:nPo8FyGiyLRQozE4kZ6Rei6CObvbVynOs3jdMvdkpZw=,tag:+4esxPiewSsjwao6ZhAMxA==,type:comment]
 nix_serve_privkey: ENC[AES256_GCM,data:/Ph9J00cV7PcfpJw/NWcBpkQR+a0SQyHv1jmF4CkH+Uj8l+cRcXWynAc2APenMSfHdighXMqjsXuwRbGo0S57YuMXQjFbI8jhbXEhhAWlmET1q7uRaaZRSgq34qABw==,iv:LLYgLauPsD+3mx1GTjEUkiXgdWsnqixCJl4UfSdS5Ac=,tag:S7V6GKezS/JsbZVfq9DjjA==,type:str]
 colin-passwd: ENC[AES256_GCM,data:/b+l5zTlOhdoiFaMVG5HB98AOGfGZtwkH+IS/mhDgHNZ4J+t3OiEBAFPl/KPctg6ZM55QiAjNnnJ8zAsKL85om6amvrWF/Qz17qC9+pZF+6Ef8xvTQr3VPlFEYq4rGb74jQ7uyvtCjn0Ow==,iv:Z0qUimlPQMu6rsjn5b/Xfw99NzbXGS8B/hNWE+f+GoM=,tag:uGB1DZzHiLCkOtlAA58mmg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -35,8 +34,8 @@ sops:
            Si9kT0ZMUnJJWlhUZ3FFakZFaDlPdEEKXtWfh6wdGPin1h/UUs21cdspddpW1YDq
            rCKS2DI2KWdgciih9FnmWGAwGUhB3uhimUr6hgho4z+dZfLrpoP1PA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-24T08:49:49Z"
+    lastmodified: "2022-09-14T21:34:55Z"
-    mac: ENC[AES256_GCM,data:dvxYlU/btzzH9Qor8z02kdv3S4gFUGHnEjV/XBM99+IFuAD6vuE8zFL4peGW1GiXqM2QQY0Qc9wZ+nC5/ak9ROMC8uZPXF417gs6U9yyT92FRlMSdC0AMsUhNGWjJlM733hI4YATnR+1XuwHewzzW1R3TvrouBZqSv+2rBsiZCw=,iv:A+D7IG4U+EQ6nP4xKOK1ExeZLeERpiSPzj/g87R1SdM=,tag:jSVGDO9kNxXdDSSixDrkDQ==,type:str]
+    mac: ENC[AES256_GCM,data:Zex69KG2a2Rxyodyci40azr9qGbA5XwH4Qhip0BDbrJymHjZzqCeRDKjdHjAWXPdPyglvUY0kADfm7xxlE1zU84oOahI9FldADtQrGUWS0elU+a3F93LVNGlhlKc+g8JGzUyBvPr6Toi52L2hI18K5bmWFPesczWedL07r85s9M=,iv:W+SMAX0HY5GbAqqgXWbSxm4wbzXZt5PEsLhwWcxkRWY=,tag:VPnw2X+6i0EyiFB3rkon8Q==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/lappy.yaml
+++ b/secrets/lappy.yaml
@@ -1,42 +0,0 @@
 #ENC[AES256_GCM,data:s512crIo2ylwy1pWPDs6324+NpP3dHvW0QmuZzvOOyrepTQvmB4NW07NFXYzY/UUPn7E4HrB7mzhvQYxVYDBlZKAMr9llT80Nnpt0AqrxnLiqnnY79EvP+aXvNmi0yWsTGqh6k36BWNTUyPSzgjGtvjQgTLSvr9uRzfy9e4C6NVWBm5sTEbYg9y3ZslToVSsEyGHYMVT6fSKM7ewH8wV,iv:sbBWcHYP5Ak4h7gWbdu8JyL2SEeUgrvkjji11Sp2GoA=,tag:yQTWlrrcBxotdKBbB54x5g==,type:comment]
 #ENC[AES256_GCM,data:XcQaEDhsAG2kY0Rdw2AKOwaHQIm3/zrWMjpQlU8pWlifNY9eoPqndzIbCNDKhbEJqrzeAuxGYFRBgohRcHQz2O/cbgr8GwTZ3Uo+NHsX6qcoUhzUKd1xlUnIKLjNcV7vlxofrmXikQ==,iv:OKSw1bw2TiPweUJeqCqwr8V+A+ovIT+meygH9l9m4cI=,tag:aTROLuGpTgoxF1JV/w2Cpw==,type:comment]
 #ENC[AES256_GCM,data:GFdHTjsr2DJtg/BIyOSeM6EQw92Q/8JFdqXLwpg/FWn9olTws2KDchSWRDlkrEbgoXSMP3Atd33YgckUebDYMIK8ctJai2SUxLJK5fW8LX1JbKUAC5PHUygAIkWYsHlNse7Qbgrw1rtBuR43L6NbMw==,iv:5beGhtM2wja2GgrLCzizsqamfakDIBlZ74ZJhNr33lg=,tag:Ej1za572vRpPcvcHXliQDA==,type:comment]
 colin-passwd: ENC[AES256_GCM,data:+vPsqF9XiY9USDQuTt6n7K9f4/+/Sdgp6J8LnWvhYdlTTltz8a4/RYdg0JHC4o/pNae3k7KwYGMJI+vY25mgvLGj+kL23Fc9j1EYJgJk5uTz8MlmKOlKxKcSfmI3v+zOUOlQm/warktksQ==,iv:cZEFjTvHCXogXEh+xQG++aJCUFp/NtT6t7qjPIjUtAU=,tag:fnzz6uYwU9j4RZXj9MV6jg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bzFLUFloMU1uUWRmdkZu
            TllhSGxvNzBJQTZRaE9EbTA3R3JLNGpVT25nCmd0SG1BWEJWL1JlKzhmSFdFS3Fk
            SnRGbUFqdzVFTy95eVhiZGN6a3VMOGcKLS0tIHFJQUtEYVhGWWlTRlQrbEpoQ2h1
            VXJ5SXNlS1ZNNjhuVDFrMnlrVHp2NlUKwD3ZznQVcz1ZLb/weULpXET9uZb4aj/U
            FnY9ktEEtKeSl10jzU3/sUla6Ap6K6b9KLmmqd5Rnp0ZhbxVOR8rkg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOa1dpZHVoY2tTWVJ2bG1J
            Z0xjVGplMGZqajFlcWtPL0YwUXcxWThNOWcwCmQvZllaZ1JSK3N1WmIvV2F6YjZv
            U1ZtMVVSSU1LZ3M4SWExSm9yRzRTR3MKLS0tIFU1dERKdko1SVZLcmVXQXMydExm
            OWVEdDJsbENOYkJNSzc5MzlEanVSL0EKbKVgN0/LUiC92N9/MvoXJouiIRHE5aWO
            R7xPtxYG91vC+HVj8ThHbu0fcUIqD7LTX82XCrWoYMwkplbTC/F2cw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SGk4YzhEaldpcTBRSG1T
            Nkpla0s3d2ZRU2RsK2ZDRlhEdVY0NkRYUVU0CjYrTjhxZDVyYUlmbnRQQXBQZVhD
            OTcrbmV0YjdyeEhEaHVRUm03Z2hTNTQKLS0tIGVrTjhCL3RlZ2dIOFduVVdSbnJ3
            L2JhVWhmQk9qZzdnYkYrQTBCZnI3eE0KHju7x28mP5jLt4u6T6CnQ3ThiEYFhG5P
            D7c0h2YhqeqdewuwQWjqJMbUc308N5f0Hz/BsUgYZNanl9qqQRXkrA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-10-24T07:43:11Z"
    mac: ENC[AES256_GCM,data:1n1iOEJPnVbvvlVp9Cw9wY+HB6KYLwZDcr5UkbXbQUZMm+LQS8Pib/0R8AeQLnNrfyJMnsvoNpmYWLQ6i4BZFJp4rsdjpHb4/FqIAEOwTb5SP5FC8rFpn9UeduUs9tq+fyvezywqaoLPBsXXqb092XZvHv6w1osgyfbLepiyJ2s=,iv:qM2d9smvsRwhuJ/MyD8bqVfD4IJM7T6Hu4wy/2/COiM=,tag:TlcJX1USn3TgPSMWy5hZPg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/moby.yaml
+++ b/secrets/moby.yaml
@@ -1,51 +0,0 @@
 #ENC[AES256_GCM,data:akcgE1j3wiKoyB9Uara51P/DPVcKyzt5lZ0kTuxqotjBvVtsGdPVHaeMPMi5blNyPIuiWxo9Jn0MJGyknCs9AL+g96G/yDvvD7or44sK1v8ED+2glfdMi0cjDm80anh7SMchyA6tmtgJhMW1EtkhZ/b/xpysNBzsn5e+zb9jXS4a7LF23jJr7d6tbJo9jks7vVJ7/p33cONglhO573TD,iv:M+S7WCO3V6pQg0UuzWF2y9IgH7p/P4at+qm2Y38To1o=,tag:DPlXsDSYySaHNgSzywiJRQ==,type:comment]
 #ENC[AES256_GCM,data:De/BSe24Uf4Ch+JBzJMOEc7W+E72vYrqQWG4LeEk8vVHa/3eGHyKylHIgkMTr5CvwhX7/uCkjm8fgz1QHuRb8jLru8n2u/AxoY9kLUTZ/7VyYes3t9tawZ7tTFzbcqMxjV0Xy5eTzw==,iv:q3bDj1iYv3JBPzSoRU2ANCpfwWtLyCzyn81r5kl2tcw=,tag:f+d6+cWQEb83qK8I/oOCkw==,type:comment]
 #ENC[AES256_GCM,data:tYLNlC3Ov2RRnaEH0QAALmMYRc4fyDDM5A7J2sfJbMvoDmkgKoP0HYWy3diJMEcLsw3ZoDGibcU03QduisxjP0eWfEHkzE4R2+tWY+yWYy7TFx7Qg3BfSTtnMt5V9vSWcVLMAgoYaRUMqykIRMRaCQ==,iv:81HzxZyAJvXa5fQDOIIqRTL3dhKA4S2TftE3yfw6VIk=,tag:9+3stfyHrrmkfZpLGpmMOA==,type:comment]
 colin-passwd: ENC[AES256_GCM,data:+2uEyJX6FUbOSoJpJpjF+TmwWu3eJlrN5S9J1kRtTbS84c23E4AKTHojk5zEcPZZ9RG3vYjH6C37dRj4/SK/Z1/G31B31RgzwkLnmf11JXK+HSQZHZATgSvH07ANEYIg5VR78IQUz6qbGg==,iv:jyF/QzLyrQU+ebRfBrWRcu5/dmwY9LB4D1FxHVo8+TQ=,tag:3u7HO1VYzenIqvq0iZwuRw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpck5EWDVkWjdIU2YzQ2Mx
            VUpJbW96dXIvM0pPK2Vnd3ZZU3lmSlVheEdRCmVXNFZWV0FjT2p6b3FZOW1vaFNO
            MCtubi9QL1Jtd2FQL05vZmd5SjQxelEKLS0tICtaa3VRQ2JJZXpnd3pRd1lndUQ3
            d1JCZ3JtZENsSGR4SkVrNHIvTEhndTQK6pQqmcq7xmhZ9E099rBy9MtCdZghBTmU
            UCVWxq8zWanK11GLyh6cvs8hHSLIyvpbODnBYA1WM0AeIJoxtRRWEw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OWl2dlcyU0VoRW90Q3ZR
            eURXS1hPSG0reFFhUmxyTGRFNVdIZVJHYVJ3Cm0rcFpjQjQzVGVEcjhNR2RldkVL
            WnA4U3N1ZUFUTTBkSEdCbHZCeGxNNFkKLS0tIHY3RFdxUC9SaFhVTFBLemVEQytZ
            R01wWFBYR1dYNWlNUkw5M2VNK04yWE0KBPcJduySzwhAnx4BshPX/7QVdeN+L3fH
            4sZqC4gYFj3KXZhIOkUcCtwS/dObBoy02EhPsUtSKRheacFVs46w8A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZVBzNG5pOGlXZzI0c3J4
            YnFsTDdsQjFwZ3czenlUVkJYcWxJbDAxNkFjCjYyK3VDOS8xRkhBSVRFYTRFSTZ5
            Y0htSE13Q1NFNDg3czVuZ3dPOUFlekUKLS0tIDJpRHBWdU9hMnpUSWV0cSsvNjF5
            cHVGRXdla0NGZ2lOMVQ3Ym43dDMvaVUKmx7p/TMj5uu/RJjRe4yCKt87brs7E7s0
            F88swQCwY41lCdFwISM0jRbY/MymTtbtP+2gcSYlq/S619ytQqf7SQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbWlCZW1VR2FXNHZ3VjZP
            R3UrbGgvZEdYdWhBcFJnV0FZZkJWZ3pxcVJNCjR5bzE3M3dHQWZSbWhqS0MrTURp
            NnBPQS9xeE1nZFV1VFd5MW9NaFFlM1kKLS0tICsrUkpOaEFFMVExUHhJNSs4eHdB
            SlMyTGQ5SWVCU3NLeVcvWmhUc3VSVGsKHJSSl1QFrHq6iefNEL7kpM+XYQ5abz8H
            aL6KiK6wvPOWB2RAT5DDicPYSEPXWGpHYTzNT+/hVFk5fXk/zqzOhQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-10-24T15:24:12Z"
    mac: ENC[AES256_GCM,data:cYWayG+pAQv1wTsx4ozbx33cl5QwuR+a480zQVl2RVJF028NlVR3yuYdndvwIT9QY79UVcix0pYtK3pm/zTpPLMz59oLIv1TNUdE4/10o3RGw+6fllKdxNftNBcos/1n6ENZRw6K7lviuG4ZKEZMDO3tvPC+XPoPofROyu9WMQE=,iv:Kddn/71vylvLkK7gT4p5juW2nI/qWB3Q+oCQ5hN4Zqk=,tag:AOrjSII1zWXPB0VPpol6Zw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/servo.yaml
+++ b/secrets/servo.yaml
@@ -23,38 +23,29 @@ sops:
        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1TUlOMTlaemdpa2RxWDVL
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWJwNXplSnJQTzUxVjBt
-            MFVPM254czF1VWh2MTljZTcwekpiVzZCTlNFCkJGeTVCRE1zMERJclRwU3JzbW5m
+            TzZ2aUZ4RUkyejVUQnpOdnpKajcxa0l3WWlrCmkwZVJuenhpN0R2OUxFV1pXUkVa
-            WEdOSGxtUzJSS3JhS3NPK2Q4MXc3bG8KLS0tIGdBWEdYVXJNYitzTFVlUzkzekpJ
+            dk8ydnlnU1JvOElvNVovVlBjKzZVYlkKLS0tIHlVbkRRYllJR2J5UWhKeGg5SWJj
-            enFjWnhIVGR3WWVMMFRGSldhRWZPKzgKHp6QWSNQBy8a6odEiELsr+FV05kGiby7
+            VExDaHc3amdTcWdUU3ZRUDNGREtxelEKXHuDfNM3uc3UBiPCAveG/u5b7C8zPzTi
-            4Wc+AyGTvuvIpoN4SQlYlUslHCHGd+Yk0hVutNVozLCY1//IpH8Dmw==
+            GGCx0R+6swS9yVSAJ//nUvu1zFuFfGgm3mKaSqfqWKfDSMFvAp0Pyg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZmU5OUVQNkRSL0ZRKzNU
            R3RIMERDV1NRdi81TkV0OVdGQlFIRG0vekFvCjg3dHI3WWJic3h5cTQrdjFINDdr
            bndHSEc4dWk5WGM4K29FRXh2WCs5ZDgKLS0tIFY5UlNrQ0dtNW5IYXlUNnltelJX
            Y0xFNFFtek5hZFZMWXhWQy9GWlBneEEKZqsFgGGCIMH58kaZJoO8yn8KlrJooDvp
            iGO4qMjjgM5WvJjZbfk7trO1dNAhpKzjiJyirw9+lToqWPNnRw2Zwg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNEl5K3dGQWVFRFI4SVlt
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDY3NCbCtjY2ZHNkE2dWxN
-            NFpvSFZaMGs0ZzYrWW4vbldaOWVpa3ZWV0c0CmxqOFR3RkdKNWUvQWtnSWZSUVlL
+            Vk5nQ0Z2M1pQOXUzMVYyS3MxT252T1lhKzFJCm5NZ25DSlpZbnhTV0JMbVBvbm9j
-            SUlHbWIvWGpsN1Vsclk4VWo1dUR2OGsKLS0tIFhRVU9NUzlnQkhDelEzalVFOHFM
+            SEtzdDJWS3gxby8rVlpzZ20yY3hRK2MKLS0tIGVqNUFZeGYxRnVSd3E1eitNUGFW
-            UW9YZG9DUSt2OU03Sll5d1RZYlcySzAK9LneAD2s+me3ZkRGC098nhUlcVgRwMt9
+            dEszSTFicTZRUzZxbFF5YWF1RmtwSkkKPle5Xw5gyd5YCPIAABaABNdgbpialJTV
-            yVgTCleC9groGaUq0J4rwhVQ4CuUHV2GL188QtmqVTBGLEftfHIDmQ==
+            hUOVdYCsmqd+spCA0Q9f0D3S5ud59iFq8moBh97BZQuLcc2qUeyJ2g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpMlNZZGpVU1h3NkUyNkND
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UGdCMjRpRUFMdXJRQVgx
-            RnVpSWxrRmNxMjJ6dUJ5RkdaTWx0SHZMQlRNCjQzUFI5ejhuZ0RDcHNYQnZ5eFN4
+            aklIY1dkOXRXNmliVjIyNHlUN1B1ZmZZbTB3CnFxQjZLbWkwWHRTN2lycEx4K3RL
-            Z3djZ2g3ajRxQXNEcUMzQWl0QzYyV0UKLS0tIFlDYXlhNFB5ekVKblJudmM3TEU0
+            UGdFVktETXJCSXhKSWFsbnNyU25tRzgKLS0tIDVsdmdxRDFnQU9XeHpibm00bm1C
-            cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
+            U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
-            aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
+            xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-10-14T00:37:52Z"
    mac: ENC[AES256_GCM,data:qKr1aKWxuJWwjUYX+JWAdwHFAwApHm9hOYBgZxAIXbXHhOo04K1MFBDTsAvtvN1a11QtCJYDNuVNpuRu3bf/5Ji5ROTaKfQCgPk+ZScJuWpLsxchYV+TnlREwQI+qgvogyMKMlPInozgd7RNnsePdg7DtYFfGMAvUtX9OidxAXI=,iv:EAkNQkIqoXtRy+uSb7ccl9T5b6hiyRll/m76nhir9AI=,tag:kCDEBJDW34VgLQPd4V+uYA==,type:str]
		`@@ -1,2 +0,0 @@`
			`#! @bash@/bin/sh`
			`exec @gopassJsonapi@/bin/gopass-jsonapi listen`