stuff

Reviewed-on: #1

.gitignore

@@ -1,2 +1,6 @@
-/result*
+result
+result-*
+/.generated
 .nixos-test-history
+/packages/vacu-history/target/
+/packages/altcaps/target/

archive.nix

@@ -0,0 +1,42 @@
+{
+  self,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ignoreList = [
+    "iso"
+    "host-pxe-installer"
+    "host-pxe-installer-aarch64"
+    "pxe-initrd"
+  ];
+  # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
+  isoContentsStr = lib.concatStringsSep "\n" (
+    map (
+      c: "${c.source} => ${c.target}"
+    ) self.nixosConfigurations.shel-installer-iso.config.isoImage.contents
+  );
+  isoContents = pkgs.writeText "iso-contents" isoContentsStr;
+  pxeConfig = self.nixosConfigurations.shel-installer-pxe.config;
+  pxeContents = pkgs.linkFarm "pxe-initrd-contents" {
+    inherit (pxeConfig.boot.initrd) compressor;
+    inherit (pxeConfig.system.build) initialRamdisk;
+    storeContents = pkgs.linkFarmFromDrvs "store-contents" pxeConfig.netboot.storeContents;
+  };
+  extraBuilds = { inherit isoContents pxeContents; };
+  buildListWithout = builtins.filter (v: !builtins.elem v ignoreList) (
+    builtins.attrNames self.buildList
+  );
+  allBuilds = self.buildList // extraBuilds;
+in
+rec {
+  archiveList = map (name: {
+    inherit name;
+    broken = builtins.elem name self.brokenBuilds;
+    impure = builtins.elem name self.impureBuilds;
+  }) (buildListWithout ++ builtins.attrNames extraBuilds);
+
+  drvs = allBuilds;
+  buildDepsDrvs = builtins.mapAttrs (_: v: pkgs.closureInfo { rootPaths = [ v.drvPath ]; }) drvs;
+}

check-eval.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+source shellvaculib.bash
+
+svl_exact_args $# 0
+svl_assert_probably_in_script_dir
+
+declare -a nix_eval=(
+  nix eval
+  --show-trace
+)
+
+declare -a hosts=(
+  triple-dezert
+  compute-deck
+  liam
+  lp0
+  #skip shel-installer-*
+  fw
+  legtop
+  mmm
+  prophecy
+)
+
+set -x
+
+"${nix_eval[@]}" --impure ".#.nixOnDroidConfigurations.default.activationPackage"
+
+for host in "${hosts[@]}"; do
+  "${nix_eval[@]}" ".#.nixosConfigurations.${host}.config.system.build.toplevel"
+done

common/assertions.nix

@@ -25,11 +25,12 @@ let
       assertions = map (x: { inherit (x) assertion message; }) (
         filter (x: x.fatal) config.vacu.assertions
       );
-      warnings = map (x: x.message) (filter (x: !x.assertion && !x.fatal) config.vacu.assertions);
+      warnings = triggeredWarnings;
     };
   };
 in
 {
+  imports = lib.optional (vacuModuleType != "plain") adapter;
   options.vacu.assertions = mkOption {
     default = [ ];
     type = types.listOf (
@@ -48,4 +49,3 @@ in
     default = withAsserts;
   };
 }
-// (if vacuModuleType != "plain" then adapter else { })

common/checks.nix

@@ -22,7 +22,7 @@ in
       (
         set -xev
         ${lines}
-        touch $out
+        touch "$out"
       )
     ''
   ) config.vacu.textChecks;

common/common-but-not.nix

@@ -3,12 +3,15 @@
 {
   inputs,
   vacuModuleType,
+  config,
   lib,
   ...
 }:
 lib.optionalAttrs (vacuModuleType != "plain") {
-  nix.registry.vacu.to = {
-    type = "path";
-    path = inputs.self.outPath;
+  nix.registry = lib.mkIf (!config.vacu.isMinimal) {
+    vacu.to = {
+      type = "path";
+      path = inputs.self.outPath;
+    };
   };
 }

common/default.nix

@@ -1,9 +1,9 @@
 {
   config,
-  pkgs,
   lib,
   inputs,
   vacuModuleType,
+  vacuModules,
   ...
 }:
 let
@@ -22,33 +22,34 @@ if !builtins.elem vacuModuleType expectedModuleTypes then
 else
   {
     imports = [
-      ./package-set.nix
-      ./shell
-      ./nixvim.nix
-      ./ssh.nix
-      ./nix.nix
-      ./verify-system
-      ./defaultPackages.nix
-      ./lib
-      ./sops.nix
+      vacuModules.packageSet
+      vacuModules.systemKind
       ../dns
-      ./assertions.nix
-      ./common-but-not.nix
-      ./nixos.nix
-      ./nix-on-droid.nix
-      ./nixos-rebuild.nix
-      ./minimal-nixos.nix
+
       ./acmeDependencies.nix
-      ./nix-on-droid.nix
-      ./remapCapsLock.nix
-      ./sourceTree.nix
-      ./units-impl.nix
-      ./units-config.nix
-      ./lix.nix
-      ./git.nix
-      ./hpn.nix
+      ./assertions.nix
       ./checks.nix
-      ./ffmpeg.nix
+      ./common-but-not.nix
+      ./git.nix
+      ./hosts.nix
+      ./hpn.nix
+      ./lix.nix
+      ./minimal-nixos.nix
+      ./nixos.nix
+      ./nixos-rebuild.nix
+      ./nixvim.nix
+      ./nix.nix
+      ./nix-on-droid.nix
+      ./packages.nix
+      ./remapCapsLock.nix
+      ./shell
+      ./sops.nix
+      ./sourceTree.nix
+      ./staticNames.nix
+      ./units-config.nix
+      ./units-impl.nix
+      ./verify-system
+      ./thunderbird.nix
     ];
     options = {
       vacu.rootCAs = mkOption { type = types.listOf types.str; };
@@ -64,15 +65,7 @@ else
       vacu.shortHostName = mkOption {
         type = types.nullOr types.str;
         default = config.vacu.hostName;
-      };
-      vacu.nixvimPkg = mkOption { readOnly = true; };
-      vacu.systemKind = mkOption {
-        type = types.enum [
-          "minimal"
-          "desktop" # need a better name for this; should include laptops; everything I intend to get computery-stuff done on.
-          "container"
-          "server"
-        ];
+        defaultText = "{option}`vacu.hostName`";
       };
       vacu.vnopnCA = mkOption {
         readOnly = true;
@@ -84,15 +77,14 @@ else
       vacu.versionInfo =
         {
           rev = anyRev self;
-          flakePath = self.outPath;
           inherit (self) lastModified lastModifiedDate;
           inherit (config.vacu) versionId;
-          inherit inputs;
           inherit vacuModuleType;
+          inputRevs = lib.mapAttrs (_: v: anyRev v) inputs;
         }
-        // lib.optionalAttrs (inputs ? nixpkgs) {
-          nixpkgs.source = "${inputs.nixpkgs}";
-          nixpkgs.rev = anyRev inputs.nixpkgs;
+        // lib.optionalAttrs (!config.vacu.isMinimal) {
+          flakePath = self.outPath;
+          inherit inputs;
         };
 
       vacu.nix.caches.vacu = {
@@ -113,59 +105,6 @@ else
         url = "https://cache.nixos.org/";
         keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
       };
-      vacu.git.enable = config.vacu.systemKind == "server" || config.vacu.systemKind == "desktop";
-      vacu.git.config = {
-        init.defaultBranch = "master";
-        pull.rebase = false;
-        user.name = "Shelvacu";
-        user.email = "git@shelvacu.com";
-        author.name = "Shelvacu";
-        author.email = "git@shelvacu.com";
-        committer.name = "Shelvacu on ${config.vacu.hostName}";
-        committer.email = "git@shelvacu.com";
-        user.useConfigOnly = true;
-        checkout.workers = 0;
-        # We *could* use atomic writes, but those are slowwwwww! Are you sure????? - git, still living in the 90s
-        # Yes git, I'm sure
-        core.fsync = "all";
-        diff.mnemonicPrefix = true;
-        gc.reflogExpire = "never";
-        gc.reflogExpireUnreachable = "never";
-
-        url."https://github.com/".insteadOf = [
-          "hgh:"
-          "github-http:"
-          "github-https:"
-        ];
-        url."git@github.com:".insteadOf = [
-          "sgh:"
-          "gh:"
-          "github-ssh:"
-        ];
-        url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
-        url."https://gitlab.com/".insteadOf = [
-          "hgl:"
-          "gitlab-http:"
-          "gitlab-https:"
-        ];
-        url."git@gitlab.com:".insteadOf = [
-          "sgl:"
-          "gl:"
-          "gitlab-ssh:"
-        ];
-        url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
-        url."https://git.uninsane.org/".insteadOf = [
-          "hu:"
-          "uninsane-http:"
-          "uninsane-https:"
-        ];
-        url."git@git.uninsane.org:".insteadOf = [
-          "u:"
-          "su:"
-          "uninsane-ssh"
-        ];
-        url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
-      };
       vacu.vnopnCA = ''
         -----BEGIN CERTIFICATE-----
         MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
@@ -181,179 +120,6 @@ else
       '';
       vacu.rootCAs = [ config.vacu.vnopnCA ];
 
-      vacu.ssh.authorizedKeys = {
-        # pixel6pro-termux = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86";
-        # t460s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp";
-        # pixel6pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W";
-        compute-deck = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug";
-        triple-dezert = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g";
-        triple-dezert-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8";
-        compute-deck-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I";
-        pro1x-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX";
-        fw-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m";
-        fw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C";
-        pixel9pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC";
-        legtop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOre0FnYDm3arsFj9c/l5H2Q8mdmv7kmvq683pL4heru";
-      };
-      vacu.ssh.config = ''
-        Host deckvacu
-          User deck
-
-        Host rsb
-          User user
-          HostName finaltask.xyz
-          Port 2222
-
-        Host awoo
-          HostName 45.142.157.71
-
-        Host trip
-          HostName trip.shelvacu.com
-          Port 6922
-
-        Host liam
-          HostName 178.128.79.152
-
-        Host pluto
-          HostName pluto.somevideogam.es
-
-        Host sdf
-          HostName tty.sdf.org
-
-        Host u
-          User git
-          HostName git.uninsane.org
-
-        Host gl
-          User git
-          HostName gitlab.com
-
-        Host gh
-          User git
-          HostName github.com
-
-        Host *
-          User shelvacu
-          GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
-      '';
-
-      vacu.ssh.knownHosts = {
-        #public hosts
-        "github.com".publicKey =
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-        "gitlab.com".publicKey =
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-        "git.sr.ht".publicKey =
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
-        "sdf.org" = {
-          extraHostNames = [ "tty.sdf.org" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
-        };
-
-        #colin's stuff
-        "uninsane.org" = {
-          extraHostNames = [ "git.uninsane.org" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-        };
-        "desko" = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-        };
-
-        #daymocker's stuff
-        "pluto" = {
-          extraHostNames = [ "74.208.184.137" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
-        };
-
-        #powerhouse hosts
-        "ostiary" = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
-        };
-        "habitat" = {
-          # previously known as zigbee-hub
-          extraHostNames = [ "10.78.79.114" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
-        };
-        "vnopn" = {
-          extraHostNames = [
-            "10.78.79.1"
-            "vnopn.t2d.lan"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
-        };
-
-        #work laptop
-        "tebbs-MBP" = {
-          extraHostNames = [ "10.244.10.3" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
-        };
-
-        #personal hosts
-        trip = {
-          extraHostNames = [
-            "triple-dezert"
-            "trip.shelvacu.com"
-            "[trip.shelvacu.com]:6922"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
-        };
-        servacu = {
-          extraHostNames = [
-            "mail.dis8.net"
-            "servacu.shelvacu.com"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
-        };
-        finaltask = {
-          extraHostNames = [
-            "rsb"
-            "finaltask.xyz"
-            "[finaltask.xyz]:2222"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
-        };
-        compute-deck = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
-        };
-        "2esrever" = {
-          extraHostNames = [
-            "10.4.5.218"
-            "10.244.46.71"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
-        };
-        awoo = {
-          extraHostNames = [ "45.142.157.71" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
-        };
-        deckvacu = {
-          publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
-        };
-        liam = {
-          extraHostNames = [
-            "liam.dis8.net"
-            "178.128.79.152"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
-        };
-        fw = {
-          extraHostNames = [ "fw.t2d.lan" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
-        };
-        legtop = {
-          extraHostNames = [
-            "lt"
-            "legtop.t2d.lan"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
-        };
-        mmm = {
-          extraHostNames = [
-            "mmm.t2d.lan"
-            "10.78.79.11"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
-        };
-      };
+      vacu.ssh.authorizedKeys = import inputs.vacu-keys;
     };
   }

common/defaultPackages.nix

@@ -1,89 +0,0 @@
-{
-  pkgs,
-  config,
-  inputs,
-  lib,
-  ...
-}:
-lib.mkMerge [
-  (lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container") {
-    vacu.packages =
-      (with pkgs; [
-        home-manager
-        nix-index
-        rclone
-        termscp
-        man
-        neovim
-        nmap
-        ruby
-        (p7zip.override { enableUnfree = true; })
-        tcpdump
-        cargo
-        wayland-utils
-        kanidm
-        megatools
-      ])
-      ++ [
-        inputs.nix-search-cli.packages.${pkgs.system}.default
-        inputs.nix-inspect.packages.${pkgs.system}.default
-      ];
-  })
-  {
-    vacu.packages =
-      (with pkgs; [
-        netcat-openbsd
-        nixos-rebuild
-        which
-        nano
-        vim
-        wget
-        screen
-        tmux
-        lsof
-        htop
-        mosh
-        dnsutils
-        iperf3
-        rsync
-        ethtool
-        sshfs
-        ddrescue
-        pciutils
-        ncdu
-        pv
-        unzip
-        file
-        ripgrep
-        jq
-        tree
-        iputils
-        ssh-to-age
-        sops
-        inetutils
-        diffutils
-        findutils
-        util-linux
-        tzdata
-        hostname
-        gnugrep
-        gnused
-        gnutar
-        bzip2
-        gzip
-        xz
-        zip
-        unzip
-        openssh
-        dig
-        bash
-        usbutils
-        psutils
-        killall
-        curl
-        gnutls
-        progress
-      ])
-      ++ [ config.vacu.units.finalPackage ];
-  }
-]

common/ffmpeg.nix

@@ -1,13 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  vacu.packages.ffmpeg-allvrything = {
-    enable = lib.mkDefault false;
-    package = pkgs.ffmpeg_7-full.override (old: {
-      libbluray = old.libbluray.override {
-        withJava = true;
-        withAACS = true;
-        withBDplus = true;
-      };
-    });
-  };
-}

common/git.nix

@@ -1,100 +1,58 @@
+{ lib, config, vacuModules, ... }:
 {
-  lib,
-  config,
-  pkgs,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (lib) types;
-  cfg = config.vacu.git;
-in
-{
-  imports = [
-    {
-      # https://github.com/NixOS/nixpkgs/blob/e8c38b73aeb218e27163376a2d617e61a2ad9b59/nixos/modules/programs/git.nix#L16
-      options.vacu.git = {
-        package = lib.mkPackageOption pkgs "git" { };
-        enable = lib.mkEnableOption "git";
-        config = lib.mkOption {
-          type =
-            let
-              gitini = types.attrsOf (types.attrsOf types.anything);
-            in
-            types.either gitini (types.listOf gitini)
-            // {
-              merge =
-                loc: defs:
-                let
-                  config =
-                    builtins.foldl'
-                      (
-                        acc:
-                        { value, ... }@x:
-                        acc
-                        // (
-                          if builtins.isList value then
-                            { ordered = acc.ordered ++ value; }
-                          else
-                            { unordered = acc.unordered ++ [ x ]; }
-                        )
-                      )
-                      {
-                        ordered = [ ];
-                        unordered = [ ];
-                      }
-                      defs;
-                in
-                [ (gitini.merge loc config.unordered) ] ++ config.ordered;
-            };
-          default = [ ];
-        };
-        lfs.enable = lib.mkEnableOption "git lfs";
-        lfs.package = lib.mkPackageOption pkgs "git-lfs" { };
-        configText = lib.mkOption {
-          readOnly = true;
-          type = types.str;
-        };
-      };
+  imports = [ vacuModules.git ];
 
-      config.vacu.git.configText = lib.concatMapStringsSep "\n" lib.generators.toGitINI cfg.config;
-    }
-    (lib.mkIf cfg.enable {
-      vacu.packages.git = {
-        enable = true;
-        package = cfg.package;
-      };
-    })
-    (lib.mkIf (cfg.enable && cfg.lfs.enable) {
-      vacu.packages.git-lfs = {
-        enable = true;
-        package = cfg.lfs.package;
-      };
-      vacu.git.config =
-        let
-          bin = lib.getExe cfg.lfs.package;
-        in
-        {
-          filter.lfs = {
-            clean = "${bin} clean -- %f";
-            smudge = "${bin} smudge -- %f";
-            process = "${bin} filter-process";
-            required = true;
-          };
-        };
-    })
-    (lib.optionalAttrs (vacuModuleType == "nixos") {
-      vacu.assertions = [
-        {
-          assertion = !(cfg.enable && config.programs.git.enable);
-          message = "vacu.git and programs.git should not both be enabled";
-        }
-      ];
+  vacu.git.enable = lib.mkDefault config.vacu.isDev;
+  vacu.git.config = {
+    init.defaultBranch = "master";
+    pull.rebase = false;
+    user.name = "Shelvacu";
+    user.email = "git@shelvacu.com";
+    author.name = "Shelvacu";
+    author.email = "git@shelvacu.com";
+    committer.name = "Shelvacu on ${config.vacu.hostName}";
+    committer.email = "git@shelvacu.com";
+    user.useConfigOnly = true;
+    checkout.workers = 0;
+    # "We *could* use atomic writes, but those are slowwwwww! Are you sure?????" - git, still living in the 90s
+    # Yes git, I'm sure
+    core.fsync = "all";
+    diff.mnemonicPrefix = true;
+    gc.reflogExpire = "never";
+    gc.reflogExpireUnreachable = "never";
 
-      programs.git.enable = lib.mkIf cfg.enable false;
-    })
-    (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
-      environment = lib.mkIf (cfg.enable && cfg.config != [ ]) { etc.gitconfig.text = cfg.configText; };
-    })
-  ];
+    url."https://github.com/".insteadOf = [
+      "hgh:"
+      "github-http:"
+      "github-https:"
+    ];
+    url."git@github.com:".insteadOf = [
+      "sgh:"
+      "gh:"
+      "github-ssh:"
+    ];
+    url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
+    url."https://gitlab.com/".insteadOf = [
+      "hgl:"
+      "gitlab-http:"
+      "gitlab-https:"
+    ];
+    url."git@gitlab.com:".insteadOf = [
+      "sgl:"
+      "gl:"
+      "gitlab-ssh:"
+    ];
+    url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
+    url."https://git.uninsane.org/".insteadOf = [
+      "hu:"
+      "uninsane-http:"
+      "uninsane-https:"
+    ];
+    url."git@git.uninsane.org:".insteadOf = [
+      "u:"
+      "su:"
+      "uninsane-ssh"
+    ];
+    url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
+  };
 }

common/hosts.nix

@@ -0,0 +1,155 @@
+{ lib, vacuModules, ... }:
+{
+  imports = [
+    vacuModules.knownHosts
+    vacuModules.ssh
+  ];
+
+  vacu.hosts = {
+    #public hosts
+    "github.com".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+    "gitlab.com".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+    "git.sr.ht".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+    "sdf.org" = {
+      sshHostname = "tty.sdf.org";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
+    };
+    "rsn" = {
+      altNames = [
+        "rsyncnet"
+        "rsync.net"
+      ];
+      sshUsername = "fm2382";
+      sshHostname = "fm2382.rsync.net";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdUkGe6kKn5ssz4WRZKjcws0InbQqZayenzk9obmP1z";
+    };
+
+    #colin's stuff
+    "servo" = {
+      altNames = [
+        "git.uninsane.org"
+        "uninsane.org"
+      ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+    };
+    "desko" = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+    };
+
+    #daymocker's stuff
+    "pluto" = {
+      sshHostname = "pluto.somevideogam.es";
+      primaryIp = "74.208.184.137";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
+    };
+
+    #powerhouse hosts
+    "ostiary" = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
+    };
+    "habitat" = {
+      # previously known as zigbee-hub
+      primaryIp = "10.78.79.114";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
+    };
+    "vnopn" = {
+      primaryIp = "10.78.79.1";
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
+    };
+
+    #personal hosts
+    triple-dezert = {
+      altNames = [
+        "trip"
+        "trip.shelvacu.com"
+        "triple-dezert.shelvacu.com"
+      ];
+      sshAliases = [ "trip" ];
+      primaryIp = "172.83.159.53";
+      altIps = [ "10.78.79.237" ];
+      isLan = true;
+      sshPort = 6922;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
+    };
+    prophecy = {
+      altNames = [
+        "prop"
+        "prop.shelvacu.com"
+        "prophecy.shelvacu.com"
+      ];
+      sshAliases = [ "prop" ];
+      primaryIp = "205.201.63.13";
+      altIps = [ "10.78.79.22" ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPmy1+1CL6mLbp0IfRTLwsVdjKmw5u0kbQqHin8oXMq";
+    };
+    servacu = {
+      altNames = [
+        "mail.dis8.net"
+        "servacu.shelvacu.com"
+      ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
+    };
+    finaltask = {
+      altNames = [
+        "rsb"
+        "finaltask.xyz"
+      ];
+      sshAliases = [ "rsb" ];
+      primaryIp = "45.87.250.193";
+      sshPort = 2222;
+      sshUsername = "user";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
+    };
+    compute-deck = {
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
+    };
+    "2esrever" = {
+      altIps = [
+        "10.4.5.218"
+        "10.244.46.71"
+      ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
+    };
+    awoo = {
+      primaryIp = "45.142.157.71";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
+    };
+    deckvacu = {
+      sshUsername = "deck";
+      sshKeys = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
+    };
+    liam = {
+      altNames = [ "liam.dis8.net" ];
+      primaryIp = "178.128.79.152";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
+    };
+    fw = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
+    };
+    legtop = {
+      altNames = [ "lt" ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
+    };
+    mmm = {
+      primaryIp = "10.78.79.11";
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
+    };
+    solis = {
+      altNames = [ "solis.dis8.net" ];
+      primaryIp = "89.213.174.171";
+      # altIps = [ "2a0f:9400:7e11:cd44:0000:0000:0000:0001" ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhFKmRMfk+4Xx96Jwt6S9/ikC0cm4ukeO8hjpZDj+9n";
+    };
+  };
+}

common/hpn.nix

@@ -1,11 +1,15 @@
 {
   config,
   lib,
-  pkgs,
   vacuModuleType,
   ...
 }:
-lib.optionalAttrs (vacuModuleType == "nixos") {
-  options.vacu.ssh-hpn.enable = lib.mkEnableOption "openssh hpn";
-  config = lib.mkIf config.vacu.ssh-hpn.enable { programs.ssh.package = pkgs.openssh_hpn; };
+{
+  # options.vacu.ssh-hpn.enable = lib.mkEnableOption "openssh hpn";
+}
+// lib.optionalAttrs (vacuModuleType == "nixos") {
+  # config.nixpkgs.overlays = [ (old: new: {
+  #   openssh-without-hpn = old.openssh;
+  #   openssh = if config.vacu.ssh-hpn.enable then new.openssh_hpn else new.openssh-without-hpn;
+  # }) ];
 }

common/lib/default.nix

@@ -1,19 +0,0 @@
-{ lib, config, ... }:
-{
-  imports = [
-    ./makeWrapper.nix
-    ./outputOf.nix
-    ./strings.nix
-  ];
-
-  options.vacu.vaculib = lib.mkOption { type = lib.types.anything; };
-
-  config._module.args.vaculib = config.vacu.vaculib;
-
-  config.vacu.vaculib.mkOutOption =
-    val:
-    lib.mkOption {
-      readOnly = true;
-      default = val;
-    };
-}

common/minimal-nixos.nix

@@ -3,15 +3,23 @@
   pkgs,
   lib,
   vacuModuleType,
+  inputs,
   ...
 }:
 let
   inherit (lib) mkIf mkDefault;
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
-  config = mkIf (config.vacu.systemKind == "minimal") {
+  config = mkIf config.vacu.isMinimal {
     programs.git.lfs.enable = false;
     programs.git.package = pkgs.gitMinimal;
+
+    nix.registry.nixpkgs.to = lib.mkForce {
+      type = "github";
+      owner = "NixOS";
+      repo = "nixpkgs";
+      rev = inputs.nixpkgs.rev;
+    };
     # mostly copied from nixos's /profiles/minimal.nix
     documentation.enable = mkDefault false;
 

common/nix-on-droid.nix

@@ -8,8 +8,6 @@ let
   inherit (lib) mkDefault;
 in
 lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
-  environment.packages = config.vacu.packageList;
-  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
   nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
   nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
   vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";

common/nixos-rebuild.nix

@@ -6,29 +6,18 @@
   ...
 }:
 let
-  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
+  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package; };
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
-  options.vacu.alwaysUseRemoteSudo =
-    (lib.mkEnableOption "always deploy to this machine with --use-remote-sudo")
-    // {
-      default = true;
-    };
-  config = lib.mkIf config.vacu.alwaysUseRemoteSudo {
-    system.build.nixos-rebuild = lib.mkForce (
-      pkgs.runCommandLocal "nixos-rebuild-wrapped"
-        {
-          nativeBuildInputs = [ pkgs.makeShellWrapper ];
-          meta.mainProgram = "nixos-rebuild";
-        }
-        ''
-          runHook preInstall
-
-          mkdir -p $out/bin
-          makeShellWrapper ${lib.getExe nixos-rebuild} $out/bin/nixos-rebuild --add-flags "--use-remote-sudo"
-
-          runHook postInstall
-        ''
-    );
-  };
+  system.build.nixos-rebuild = lib.mkForce (
+    pkgs.runCommandLocal "nixos-rebuild-wrapped"
+      {
+        nativeBuildInputs = [ pkgs.makeShellWrapper ];
+        meta.mainProgram = "nixos-rebuild";
+      }
+      ''
+        mkdir -p "$out"/bin
+        makeShellWrapper ${lib.getExe nixos-rebuild} "$out"/bin/nixos-rebuild --add-flags "--use-remote-sudo --use-substitutes"
+      ''
+  );
 }

common/nixos.nix

@@ -6,51 +6,40 @@
   ...
 }:
 lib.optionalAttrs (vacuModuleType == "nixos") {
+  imports = [ ../nixos-modules ];
   options.vacu.underTest = lib.mkOption {
     default = false;
     type = lib.types.bool;
   };
   config = {
-    # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
-    # presumably needed by nheko
-    nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
-    # nixpkgs.overlays = [ inputs.self.overlays.default ];
+    programs.mosh.enable = true;
 
     console = {
       keyMap = lib.mkDefault "us";
     };
-    networking = if config.vacu.hostName == null then { } else { hostName = config.vacu.hostName; };
+    networking = lib.mkIf (config.vacu.hostName != null) { inherit (config.vacu) hostName; };
     vacu.packages."xorg-xev" = {
       enable = config.services.xserver.enable;
       package = pkgs.xorg.xev;
     };
-    vacu.ssh-hpn.enable = true;
-    environment.systemPackages = config.vacu.packageList;
     programs.nix-ld.enable = true;
     system.nixos.tags = [
       "vacu${config.vacu.versionId}"
       config.vacu.hostName
     ];
     environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
-    environment.etc."chromium" = lib.mkIf (config.vacu.systemKind == "desktop") {
+    environment.etc."chromium" = lib.mkIf config.vacu.isGui {
       source = "/run/current-system/sw/etc/chromium";
     };
 
     i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
     time.timeZone = "America/Los_Angeles";
 
-    users.users.shelvacu = lib.mkIf (config.vacu.systemKind != "container") {
+    users.users.shelvacu = lib.mkIf (!config.vacu.isContainer) {
       openssh.authorizedKeys.keys = lib.attrValues config.vacu.ssh.authorizedKeys;
       isNormalUser = true;
       extraGroups = [ "wheel" ];
     };
-    # # safety user: if something is super fucked up with my shell stuff, I can ssh in as shelvac2
-    # users.users.shelvac2 = {
-    #   openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
-    #   isNormalUser = true;
-    #   extraGroups = [ "wheel" ];
-    #   shell = pkgs.bash;
-    # };
     services.openssh = {
       # require public key authentication for better security
       settings.PasswordAuthentication = false;
@@ -58,7 +47,7 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       settings.PermitRootLogin = "prohibit-password";
     };
 
-    nix.settings.trusted-users = lib.mkIf (config.vacu.systemKind != "container") [ "shelvacu" ];
+    nix.settings.trusted-users = lib.mkIf (!config.vacu.isContainer) [ "shelvacu" ];
     security.sudo.wheelNeedsPassword = lib.mkDefault false;
 
     programs.screen = {
@@ -70,7 +59,7 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       '';
     };
 
-    programs.tmux = lib.mkIf (config.vacu.systemKind != "container") {
+    programs.tmux = lib.mkIf (!config.vacu.isContainer) {
       enable = true;
       extraConfig = "setw mouse";
       clock24 = true;
@@ -86,11 +75,6 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
       extra-trusted-public-keys = lib.mkForce [ ];
     };
-    nixpkgs.config.allowUnfree = lib.mkDefault true;
-
-    programs.mosh.enable = lib.mkIf (config.vacu.systemKind != "container") (lib.mkDefault true);
-
-    programs.ssh.extraConfig = config.vacu.ssh.config;
 
     security.pki.certificates = config.vacu.rootCAs;
 

common/nixvim.nix

@@ -5,13 +5,27 @@
   lib,
   ...
 }:
+let
+  inherit (lib) mkOption types;
+  nixvim-name = if config.vacu.nixvim.minimal then "nixvim-minimal" else "nixvim";
+in
 {
-  vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.nixvim;
-  vacu.shell.functions =
-    lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container")
-      {
-        nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
-        nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
-        nvim = ''nvim-nixvim "$@"'';
-      };
+  options = {
+    vacu.nixvim.minimal = mkOption {
+      type = types.bool;
+      default = config.vacu.isMinimal;
+    };
+    vacu.nixvimPkg = mkOption {
+      type = types.package;
+      readOnly = true;
+    };
+  };
+  config = {
+    vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.${nixvim-name};
+    vacu.shell.functions = lib.mkIf (!config.vacu.isMinimal) {
+      nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
+      nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
+      nvim = ''nvim-nixvim "$@"'';
+    };
+  };
 }

common/package-set.nix

@@ -1,69 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-  pkgOptions = builtins.attrValues config.vacu.packages;
-  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
-  enabledPkgs = builtins.map (o: o.package) enabledOptions;
-  packagesSetType = types.attrsOf (
-    types.submodule (
-      { name, ... }:
-      {
-        options = {
-          enable = mkOption {
-            type = types.bool;
-            description = "Will this package be installed (included in environment.systemPackages)";
-          };
-          package = mkOption {
-            type = types.package;
-            default = pkgs.${name};
-            defaultText = "pkgs.${name}";
-          };
-        };
-      }
-    )
-  );
-  packageListToSet = (
-    from:
-    let
-      enable = lib.mkOverride 900 true; # more important than mkDefault, less important than setting explicitly
-      keyvals = map (
-        val:
-        if builtins.isString val then
-          {
-            name = val;
-            value = { inherit enable; };
-          }
-        else
-          {
-            name = val.pname or val.name;
-            value = {
-              package = lib.mkDefault val;
-              inherit enable;
-            };
-          }
-      ) from;
-    in
-    builtins.listToAttrs keyvals
-  );
-in
-{
-  options = {
-    vacu.packages = mkOption {
-      default = { };
-      type = types.coercedTo (types.listOf (
-        types.either types.str types.package
-      )) packageListToSet packagesSetType;
-    };
-    vacu.packageList = mkOption {
-      type = types.listOf types.package;
-      readOnly = true;
-    };
-  };
-
-  config.vacu.packageList = enabledPkgs;
-}

common/packages.nix

@@ -0,0 +1,263 @@
+{
+  pkgs,
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
+let
+  enableFfmpeg = !config.vacu.isMinimal;
+  enableFfmpegFull = enableFfmpeg && config.vacu.isGui;
+  enableFfmpegHeadless = enableFfmpeg && !config.vacu.isGui;
+  winePkgs = pkgs.wineWow64Packages;
+in
+{
+  vacu.packages = lib.mkMerge [
+    {
+      borgbackup.enable = config.vacu.isDev && (pkgs.system != "aarch64-linux"); # borgbackup build is borken on aarch64
+      ffmpeg-vacu-full = {
+        enable = enableFfmpegFull;
+        package = pkgs.ffmpeg-full;
+        overrides.libbluray = config.vacu.packages.libbluray-all.finalPackage;
+      };
+      ffmpeg-vacu-headless = {
+        enable = enableFfmpegHeadless;
+        package = pkgs.ffmpeg-headless;
+        overrides.libbluray = config.vacu.packages.libbluray-all.finalPackage;
+      };
+      libbluray-all = {
+        package = pkgs.libbluray;
+        overrides = {
+          withJava = true;
+          withAACS = true;
+          withBDplus = true;
+        };
+      };
+      inkscape-all = {
+        package = pkgs.inkscape-with-extensions;
+        # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
+        overrides.inkscapeExtensions = null;
+      };
+      p7zip-unfree = {
+        package = pkgs.p7zip;
+        overrides.enableUnfree = true;
+      };
+      wine.package = winePkgs.waylandFull;
+      wine-fonts.package = winePkgs.fonts;
+      vacu-units.package = config.vacu.units.finalPackage;
+    }
+    (lib.mkIf config.vacu.isGui
+      # just do all the matrix clients, surely one of them will work enough
+      ''
+        cinny-desktop
+        element-call
+        element-desktop
+        fluffychat
+        fractal
+        gomuks
+        gomuks-web
+        # hydrogen has no -desktop version
+        iamb
+        kazv
+        matrix-commander
+        matrix-commander-rs
+        matrix-dl
+        mm
+        neosay
+        nheko
+        pinecone
+        # quaternion # build is borked
+      ''
+    )
+    (lib.mkIf config.vacu.isGui
+      # pkgs for systems with a desktop GUI
+      ''
+        acpi
+        anki
+        audacity
+        arduino-ide
+        bitwarden-desktop
+        brave
+        dino
+        filezilla
+        gamemode
+        gnome-maps
+        gparted
+        ghidra
+        gimp
+        haruna
+        iio-sensor-proxy
+        inkscape-all
+        jellyfin-media-player
+        josm
+        kdePackages.elisa
+        kdePackages.kdenlive
+        libreoffice-qt6-fresh
+        # librewolf
+        linphone
+        merkaartor
+        nextcloud-client
+        obsidian
+        openscad
+        openshot-qt
+        orca-slicer
+        OSCAR
+        prismlauncher
+        shotcut
+        signal-desktop
+        svp
+        # thunderbird #managed thru vacu.programs.thunderbird
+        tremotesf
+        ungoogled-chromium
+        vlc
+        wayland-utils
+        wev
+        wine
+        wine-fonts
+        wireshark
+        wl-clipboard
+      ''
+    )
+    # pkgs for development-ish
+    (lib.mkIf config.vacu.isDev ''
+      cargo
+      clippy
+      gnumake
+      man-pages
+      patchelf
+      python3
+      ruby
+      rustc
+      rust-script
+      shellcheck
+      stdenv.cc
+    '')
+    (lib.mkIf (!config.vacu.isMinimal)
+      # big pkgs for non-minimal systems
+      ''
+        aircrack-ng
+        android-tools
+        bitwarden-cli
+        dmidecode
+        fido2-manage
+        flac
+        hdparm
+        home-manager
+        imagemagickBig
+        kanidm_1_6
+        libsmi
+        man
+        mdadm
+        megatools
+        mercurial #aka hg
+        minicom
+        mkvtoolnix-cli
+        # neovim => see common/nixvim.nix
+        net-snmp
+        nix-index
+        nix-inspect
+        nix-search-cli
+        nix-tree
+        nmap
+        nvme-cli
+        proxmark3
+        rclone
+        ripgrep-all
+        smartmontools
+        tcpdump
+        termscp
+        tshark
+        yt-dlp
+      ''
+    )
+    # pkgs included everywhere
+    ''
+      _7zip
+      altcaps
+      ddrescue
+      dig
+      dnsutils
+      ethtool
+      file
+      # git is handled by common/git.nix
+      gnutls
+      gptfdisk
+      hostname
+      htop
+      inetutils
+      iperf3
+      iputils
+      jq
+      jujutsu
+      killall
+      libossp_uuid # provides `uuid` binary
+      linuxquota
+      lshw
+      lsof
+      mosh
+      nano
+      ncdu
+      netcat-openbsd
+      nixos-rebuild
+      openssl
+      # p7zip-unfree
+      pciutils
+      progress
+      psutils
+      pv
+      ripgrep
+      rsync
+      screen
+      # sed => gnused
+      shellvaculib
+      # sops => should use `nr vacu#sops` instead
+      sshfs
+      ssh-to-age
+      # tar => gnutar
+      tmux
+      tree
+      tzdata
+      # units => vacu-units
+      unzip
+      usbutils
+      vacu-units
+      vim
+      wget
+      zip
+    ''
+    # packages that are in [`requiredPackages`][1]  in nixos, but maybe not included in nix-on-droid
+    # [1]: https://github.com/NixOS/nixpkgs/blob/26d499fc9f1d567283d5d56fcf367edd815dba1d/nixos/modules/config/system-path.nix#L11
+    (lib.optionalAttrs (vacuModuleType == "nix-on-droid") ''
+      #stdenv.cc.libc shouldn't be needed right?
+      acl
+      attr
+      bashInteractive
+      bzip2
+      cpio
+      curl
+      diffutils
+      findutils
+      gawk
+      getent
+      getconf
+      gnugrep
+      gnupatch
+      gnused
+      gnutar
+      gzip
+      less
+      libcap
+      mkpasswd
+      ncurses
+      #netcat is replaced by netcat-openbsd
+      openssh
+      procps
+      su
+      time
+      util-linux
+      which
+      xz
+      zstd
+    '')
+  ];
+}

common/remapCapsLock.nix

@@ -11,7 +11,8 @@ in
 lib.optionalAttrs (vacuModuleType == "nixos") {
   options.vacu.enableCapsLockRemap = mkOption {
     type = types.bool;
-    default = config.vacu.systemKind == "desktop";
+    default = config.vacu.isGui;
+    defaultText = "{option}`vacu.isGui`";
   };
   config = lib.mkIf config.vacu.enableCapsLockRemap {
     # https://discourse.nixos.org/t/best-way-to-remap-caps-lock-to-esc-with-wayland/39707/6

common/shell/container-aliases.nix

@@ -2,35 +2,26 @@
   pkgs,
   lib,
   config,
+  vaculib,
   ...
 }:
 let
-  inherit (pkgs) writeScriptBin;
+  inherit (vaculib) script;
 in
 {
   options.vacu.shell.containerAliases = lib.mkEnableOption "container aliases";
   config = lib.mkIf config.vacu.shell.containerAliases {
     vacu.packages = [
-      (writeScriptBin "ncrun" ''
-        if (( "$#" < 2 )); then
-          echo "need at least two args [container] and [command]" >&2
-          exit 1
-        fi
-        if [[ $UID != 0 ]]; then
-          exec /run/wrappers/bin/sudo "$0" "$@"
-        fi
+      (script "ncrun" ''
+        svl_min_args $# 2
+        svl_auto_sudo
         container="$1"
         shift
-        exec ${lib.getExe pkgs.nixos-container} run "$1" -- "$@"
+        exec ${lib.getExe pkgs.nixos-container} run "$container" -- "$@"
       '')
-      (writeScriptBin "ncrl" ''
-        if (( "$#" != 1 )); then
-          echo "need exactly one arg: [container]" >&2
-          exit 1
-        fi
-        if [[ $UID != 0 ]]; then
-          exec /run/wrappers/bin/sudo "$0" "$@"
-        fi
+      (script "ncrl" ''
+        svl_exact_args $# 1
+        svl_auto_sudo
         exec ${lib.getExe pkgs.nixos-container} root-login "$1"
       '')
     ];

common/shell/default.nix

@@ -38,6 +38,8 @@ in
     ./not-aliases.nix
     ./ps1.nix
     ./container-aliases.nix
+    ./vacuhistory.nix
+    ./qcd.nix
   ];
   options = {
     vacu.shell.functionsDir = mkOption {
@@ -60,27 +62,21 @@ in
     vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
   };
   config.vacu = {
-    vaculib = {
-      # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
-      shellColors = {
-        black = 30;
-        red = 31;
-        green = 32;
-        yellow = 33;
-        blue = 34;
-        magenta = 35;
-        cyan = 36;
-        white = 37;
-      };
-    };
     shell.interactiveLines = ''
-      if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
-        function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
-        __vacushell_load
-        unset __vacushell_load
+      if [[ $- == *i* ]]; then
+        SHELLVACULIB_COMPAT=1 source ${lib.escapeShellArg pkgs.shellvaculib.file}
+        if [[ -f ${cfg.functionsDir}/vacureload ]]; then
+          function __vacushell_load() { eval "$(<${cfg.functionsDir}/vacureload)"; }
+          __vacushell_load
+          unset __vacushell_load
+        fi
       fi
     '';
     shell.wrappedBash = wrappedBash;
+    shell.idempotentShellLines = lib.mkBefore ''
+      PROMPT_COMMAND=()
+      PS0=""
+    '';
     shell.functions = {
       "vacureload" = ''
         declare -gA vacuShellFunctionsLoaded
@@ -99,25 +95,27 @@ in
         for fullPath in ${cfg.functionsDir}/*; do
           local funcname="$(basename "$fullPath")"
           local followedPath="$(readlink -f "$fullPath")"
-          if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
+          if [[ "''${vacuShellFunctionsLoaded[$funcname]-}" != "$followedPath" ]]; then
             unset -f $funcname
-            eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
+            eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(<'$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
             vacuShellFunctionsLoaded[$funcname]=$followedPath
           fi
           unset followedPath
           unset funcname
         done
-        __set_idempotents
+        __run_idempotents
+        # your idempotent shell lines are idempotent, right?
+        __run_idempotents
       '';
-      "__set_idempotents" = cfg.idempotentShellLines;
+      "__run_idempotents" = cfg.idempotentShellLines;
       vhich = ''
         if [[ $# != 1 ]]; then
           echo "expected exactly one arg" 1>&2
           return 1
         fi
-        query="$1"
-        quote='`'"$query'"
-        kind="$(type -t "$query")"
+        declare query="$1"
+        declare quote='`'"$query'"
+        declare kind="$(type -t -- "$query")"
         if [[ "$kind" == "" ]]; then
           echo "could not find any command $quote" 1>&2
           return 1
@@ -147,7 +145,7 @@ in
             return 0
             ;;
           "file")
-            path="$(which "$query")"
+            path="$(type -p "$query")"
             # continue to below
             ;;
           *)
@@ -156,10 +154,10 @@ in
         esac
         echo "path:"
         while [[ -L "$path" ]]; do
-          dest="$(readlink "$path")"
+          declare dest="$(readlink -- "$path")"
           echo "  $path is a symlink to $dest"
           if [[ "$dest" != /* ]]; then
-            dest="$(dirname "$path")/$dest"
+            dest="$(dirname -- "$path")/$dest"
           fi
           path="$dest"
         done
@@ -168,18 +166,22 @@ in
           echo "$path does not exist!"
           return 1
         fi
-        canon="$(readlink -f "$path")"
+        if ! [[ -x "$path" ]]; then
+          echo "$path is not executable!"
+          return 1
+        fi
+        canon="$(readlink -f -- "$path")"
         if [[ "$path" != "$canon" ]]; then
           echo "  $path canonicalizes to $canon"
           path="$canon"
         fi
-        magic_parse="$(file --brief --mime "$path")"
+        magic_parse="$(file --brief --mime -- "$path")"
         echo "magic: $magic_parse"
         case "$magic_parse" in
           'text/x-shellscript;'* | 'text/plain;'*)
             echo "initial contents:"
             echo
-            cat "$path" | head --lines=10 | head --bytes=2000
+            head --lines=10 "$path" | head --bytes=2000
             echo "..."
             ;;
         esac

common/shell/not-aliases.nix

@@ -3,57 +3,86 @@
   pkgs,
   lib,
   config,
-  inputs,
+  vaculib,
   ...
 }:
 let
-  inherit (pkgs) writeScriptBin;
+  inherit (vaculib) script;
+  simple =
+    name: args:
+    let
+      binContents = ''
+        #!${lib.getExe pkgs.bash}
+        exec ${lib.escapeShellArgs args} "$@"'';
+      funcContents = ''
+        declare aliasName=${lib.escapeShellArg name}
+        declare -a replacementWords=(${lib.escapeShellArgs args})
+        declare replacementStr
+        declare oldIFS="$IFS"
+        IFS=' '
+        replacementStr="''${replacementWords[*]}"
+        IFS="$oldIFS"
+        COMP_LINE="''${COMP_LINE/#$aliasName/$replacementStr}"
+        COMP_POINT=$(( COMP_POINT + ''${#replacementStr} - ''${#aliasName} ))
+        COMP_CWORD=$(( COMP_CWORD + ''${#replacementWords[@]} - 1 ))
+        COMP_WORDS=("''${replacementWords[@]}" "''${COMP_WORDS[@]:1}")
+        _comp_command_offset 0
+      '';
+    in
+    pkgs.runCommandLocal "vacu-notalias-simple-${name}"
+      {
+        pname = name;
+        meta.mainProgram = name;
+      }
+      ''
+        mkdir -p "$out"/bin
+        printf '%s' ${lib.escapeShellArg binContents} > "$out"/bin/${name}
+        chmod a+x "$out"/bin/${name}
+        out_base="$(basename -- "$out")"
+        LC_ALL=C
+        completion_function_name="_completion_''${out_base//[^a-zA-Z0-9_]/_}"
+        completion_file="$out"/share/bash-completion/completions/${name}
+        mkdir -p "$(dirname -- "$completion_file")"
+        printf '%s() {\n%s\n}\n' "$completion_function_name" ${lib.escapeShellArg funcContents} > "$completion_file"
+        printf 'complete -F %s %s\n' "$completion_function_name" ${lib.escapeShellArg name} >> "$completion_file"
+      '';
   ms_text = with_sudo: ''
-    set -eo pipefail
-    if [[ $# -gt 3 ]] || [[ $# == 0 ]]; then
-      echo "wrong number of args" 1>&2
-      exit 1
-    fi
+    svl_minmax_args $# 1 2
     host="$1"
     session_name="''${2:-main}"
     set -x
     mosh -- "$host" ${lib.optionalString with_sudo "sudo"} screen -RdS "$session_name"
   '';
-  msl_text = ''
-    set -eo pipefail
-    if [[ $# != 1 ]]; then
-      echo "wrong number of args" 1>&2
-      exit 1
-    fi
-    host="$1"
-    echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
-  '';
   systemctl = "${pkgs.systemd}/bin/systemctl";
   journalctl = "${pkgs.systemd}/bin/journalctl";
-  system = pkgs.hostPlatform.system;
 in
 {
+  imports = [ { vacu.packages.copy-altcaps.enable = config.vacu.isGui; } ];
   vacu.packages = [
-    (writeScriptBin "ms" (ms_text false))
-    (writeScriptBin "mss" (ms_text true))
-    (writeScriptBin "msl" msl_text)
-    (writeScriptBin "rmln" ''
-      set -eo pipefail
+    (script "ms" (ms_text false))
+    (script "mss" (ms_text true))
+    (script "msl" ''
+      svl_exact_args $# 1
+      host="$1"
+      echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
+    '')
+    (script "rmln" ''
+      svl_min_args $# 1
       for arg in "$@"; do
-        if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
-          echo "$0: $arg is not a symlink" 1>&2
-          exit 1
+        if [[ "$arg" != -* ]] && [[ ! -L "$arg" ]]; then
+          svl_die "$arg is not a symlink"
         fi
       done
       rm "$@"
     '')
-    (writeScriptBin "nr" ''
+    (script "copy-altcaps" ''
+      result="$(altcaps "$@")"
+      printf '%s' "$result" | wl-copy
+      echo "Copied to clipboard: $result"
+    '')
+    (script "nr" ''
       # nix run nixpkgs#<thing> -- <args>
-      set -eo pipefail
-      if [[ $# == 0 ]]; then
-        echo "need at least one arg" 1>&2
-        exit 1
-      fi
+      svl_min_args $# 1
       installable="$1"
       shift
       if [[ "$installable" != *'#'* ]]; then
@@ -61,13 +90,9 @@ in
       fi
       nix run "$installable" -- "$@"
     '')
-    (writeScriptBin "nb" ''
+    (script "nb" ''
       # nix build nixpkgs#<thing> <args>
-      set -eo pipefail
-      if [[ $# == 0 ]]; then
-        echo "need at least one arg" 1>&2
-        exit 1
-      fi
+      svl_min_args $# 1
       installable="$1"
       shift
       if [[ "$installable" != *'#'* ]]; then
@@ -75,9 +100,9 @@ in
       fi
       nix build "$installable" "$@"
     '')
-    (writeScriptBin "ns" ''
+    (script "ns" ''
       # nix shell nixpkgs#<thing>
-      set -eo pipefail
+      svl_min_args $# 1
       new_args=( )
       for arg in "$@"; do
         if [[ "$arg" != *'#'* ]] && [[ "$arg" != -* ]]; then
@@ -87,34 +112,76 @@ in
       done
       nix shell "''${new_args[@]}"
     '')
-    (writeScriptBin "sc" ''
-      exec ${systemctl} "$@"
+    (script "nixview" ''
+      svl_min_args $# 1
+      view_cmd="$1"
+      shift
+      d="$(mktemp -d --suffix=vacu-nixview)"
+      l="$d/out"
+      nix build --out-link "$l" "$@"
+      "$view_cmd" "$l"
+      rm -r "$d"
     '')
-    (writeScriptBin "scs" ''
-      exec ${systemctl} status --lines=20 --full "$@"
+    (simple "nixcat" [
+      "nixview"
+      "cat"
+    ])
+    (simple "nixless" [
+      "nixview"
+      "less"
+    ])
+    (simple "sc" [ systemctl ])
+    (simple "scs" [
+      systemctl
+      "status"
+      "--lines=20"
+      "--full"
+    ])
+    (simple "scc" [
+      systemctl
+      "cat"
+    ])
+    (simple "scr" [
+      systemctl
+      "restart"
+    ])
+    (simple "jc" [
+      journalctl
+      "--pager-end"
+    ])
+    (simple "jcu" [
+      journalctl
+      "--pager-end"
+      "-u"
+    ])
+    (simple "gs" [
+      "git"
+      "status"
+    ])
+    (script "list-auto-roots" ''
+      auto_roots="/nix/var/nix/gcroots/auto"
+      svl_exact_args $# 0
+      echo "List of auto-added nix gcroots, excluding system profiles:"
+      echo
+      for fn in "$auto_roots/"*; do
+        if ! [[ -L "$fn" ]]; then
+          die "fn is not a symlink!?: $fn"
+        fi
+        pointed="$(readlink -v -- "$fn")"
+        if ! [[ -e "$pointed" ]]; then
+          continue
+        fi
+        if [[ "$pointed" == /nix/var/nix/profiles/system-* ]]; then
+          continue
+        fi
+        printf '%s\n' "$pointed"
+      done
     '')
-    (writeScriptBin "scc" ''
-      exec ${systemctl} cat "$@"
-    '')
-    (writeScriptBin "scr" ''
-      exec ${systemctl} restart "$@"
-    '')
-    (writeScriptBin "jc" ''
-      exec ${journalctl} --pager-end "$@"
-    '')
-    (writeScriptBin "jcu" ''
-      exec ${journalctl} --pager-end -u "$@"
-    '')
-  ] ++ lib.optional (system == "x86_64-linux")
-    (writeScriptBin "dnix" ''exec ${inputs.determinate-nix.packages.${system}.nix} "$@"'')
-  ;
+  ];
   vacu.shell.functions = {
     nd = ''
+      svl_min_args $# 1
       declare -a args=("$@")
-      if [[ "''${#args[@]}" == 0 ]]; then
-        echo "nd: must provide at least one argument" 1>&1
-        return 1
-      fi
       lastarg="''${args[-1]}"
       if [[ "$lastarg" == "-"* ]]; then
         echo "nd: last argument must be the directory" 1>&2
@@ -131,6 +198,7 @@ in
     nt = ''pushd "$(mktemp -d "$@")"'';
   };
   vacu.textChecks."vacu-shell-functions-nd" = ''
+    source ${lib.escapeShellArg pkgs.shellvaculib.file}
     function nd() {
       ${config.vacu.shell.functions.nd}
     }
@@ -145,6 +213,7 @@ in
     [[ "$PWD" == "$start/b/c" ]]
   '';
   vacu.textChecks."vacu-shell-functions-nt" = ''
+    source ${lib.escapeShellArg pkgs.shellvaculib.file}
     function nt() {
       ${config.vacu.shell.functions.nt}
     }

common/shell/ps1.nix

@@ -14,29 +14,44 @@ let
   # thanks colin https://git.uninsane.org/colin/nix-files/src/commit/7f5b2628016c8ca1beec417766157c7676a9c5e5/hosts/common/programs/zsh/starship.nix#L24
   # https://man.archlinux.org/man/bash.1#PROMPTING
   # \[ and \] begins and ends "a sequence of non-printing characters"
-  set_color = colornum: "\\[\\e[1;${toString colornum}m\\]";
-  set_inverted_color = colornum: "\\[\\e[1;37;${toString (colornum + 10)}m\\]";
-  reset_color = "\\[\\e[0m\\]";
+  set_color = colornum: ''\[\e[1;${toString colornum}m\]'';
+  set_inverted_color = colornum: ''\[\e[1;37;${toString (colornum + 10)}m\]'';
+  reset_color = ''\[\e[0m\]'';
   colornum = colors.${cfg.color};
   root_text = root: lib.optionalString root "ROOT@";
   final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
-  hostName = if vacuModuleType == "plain" then "\\h" else config.vacu.shortHostName;
+  hostName = if vacuModuleType == "plain" then ''\h'' else config.vacu.shortHostName;
   default_ps1 =
     root:
-    "\\n"
+    ""
+    + ''\n''
     # + ''\[${reset_without_clear}\]''
     + (set_color colornum)
     + "${root_text root}${hostName}:\\w"
+    + " "
+    + ''$(vacu_shell_show_return_code)''
+    + ''\n''
+    + (set_color colornum)
     + (final root)
     + reset_color
     + " ";
 in
 {
   vacu.shell.idempotentShellLines = ''
-    if [ $UID = 0 ]; then
-      export PS1=${lib.escapeShellArg (default_ps1 true)}
+    function vacu_shell_show_return_code() {
+      local ret=$?
+      local color=${toString colors.green}
+      if [[ "$ret" != 0 ]]; then
+        color=${toString colors.red}
+      fi
+      printf '\e[1;%dm' $color
+      printf "%d" "$ret"
+      return "$ret"
+    }
+    if [[ $EUID == 0 ]]; then
+      PS1=${lib.escapeShellArg (default_ps1 true)}
     else
-      export PS1=${lib.escapeShellArg (default_ps1 false)}
+      PS1=${lib.escapeShellArg (default_ps1 false)}
     fi
   '';
 }

common/shell/qcd.nix

@@ -0,0 +1,50 @@
+{
+  lib,
+  config,
+  vacuModuleType,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  home =
+    if vacuModuleType == "nix-on-droid" then
+      "/data/data/com.termux.nix/files/home"
+    else
+      "/home/shelvacu";
+in
+{
+  options.vacu.qcd = mkOption {
+    default = { };
+    type = types.attrsOf types.path;
+  };
+  config.vacu.shell.functions.qcd = ''
+    svl_exact_args $# 1
+    declare the_arg="$1"
+
+    declare base="''${the_arg%%/*}"
+    declare rest="''${the_arg:''${#base}}"
+    declare path
+
+    if false; then :
+    ${lib.pipe config.vacu.qcd [
+      (lib.mapAttrsToList (
+        alias: path:
+        ''elif [[ $base == ${lib.escapeShellArg alias} ]]; then path=${lib.escapeShellArg path}''
+      ))
+      (lib.concatStringsSep "\n")
+    ]}
+    fi
+    if ! [[ -v path ]]; then
+      svl_eprintln "unrecognized alias $base"
+      return 1
+    fi
+
+    cd -- "$path$rest"
+  '';
+  config.vacu.qcd = {
+    ns = "${home}/dev/nix-stuff";
+    np = "${home}/dev/nixpkgs";
+    dev = "${home}/dev";
+  };
+}

common/shell/tweaks.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  config.vacu.shell.idempotentShellLines = ''
+    if [[ $- == *i* ]]; then
+      # don't overwrite files by default when using > redirection
+      set -o noclobber
+      # disable ! history expansion
+      set +o histexpand
+    fi
+  '';
+}

common/shell/vacuhistory.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  config.vacu = {
+    shell.idempotentShellLines = ''
+      if [[ -z "''${VACU_HISTORY_SESSION_ID-}" ]]; then
+        VACU_HISTORY_SESSION_ID="$(${pkgs.libossp_uuid}/bin/uuid)"
+      fi
+      VACU_HISTORY_DB_PATH="$HOME/vacu-shell-history.sqlite"
+      function vacu_history_record() {
+        LC_ALL=C HISTTIMEFORMAT='%S|%M|%H|%d|%m|%Y|%w|%j|%z|' history 1 | VACU_HISTORY_SESSION_ID="$VACU_HISTORY_SESSION_ID" VACU_HISTORY_DB_PATH="$VACU_HISTORY_DB_PATH" ${pkgs.vacu-history}/bin/vacu-history
+      }
+      PS0='$(vacu_history_record >/dev/null)'"$PS0"
+    '';
+  };
+}

common/sops.nix

@@ -11,19 +11,16 @@ let
     sshPubText:
     vaculib.outputOf {
       name = "age-from-ssh.txt";
-      cmd = "echo ${lib.escapeShellArg sshPubText} | ${ssh-to-age} > $out";
+      cmd = ''printf '%s' ${lib.escapeShellArg sshPubText} | ${ssh-to-age} > "$out"'';
     };
   userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
   userKeysAge = map sshToAge userKeys;
-  liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
-  liamKeyAge = sshToAge liamKey;
-  tripKey = config.vacu.ssh.knownHosts.trip.publicKey;
-  tripKeyAge = sshToAge tripKey;
+  agesOf = hostname: map sshToAge config.vacu.hosts.${hostname}.sshKeys;
   singleGroup = keys: [ { age = keys; } ];
   testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
   testAgePublic = vaculib.outputOf {
     name = "test-age-public-key.txt";
-    cmd = "echo ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y > $out";
+    cmd = ''printf '%s' ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y > "$out"'';
   };
   sopsConfig = {
     creation_rules = [
@@ -32,19 +29,31 @@ let
         key_groups = singleGroup userKeysAge;
       }
       {
-        path_regex = "/secrets/liam/[^/]+$";
-        key_groups = singleGroup (userKeysAge ++ [ liamKeyAge ]);
+        path_regex = "/secrets/hosts/liam\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "liam");
       }
       {
-        path_regex = "/secrets/trip/[^/]+$";
-        key_groups = singleGroup (userKeysAge ++ [ tripKeyAge ]);
+        path_regex = "/secrets/hosts/triple-dezert\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert");
       }
       {
-        path_regex = "/secrets/radicle-private.key$";
-        key_groups = singleGroup (userKeysAge ++ [ (sshToAge config.vacu.ssh.knownHosts.fw.publicKey) ]);
+        path_regex = "/secrets/hosts/prophecy\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "prophecy");
       }
       {
-        path_regex = "/tests/test_secrets/";
+        path_regex = "/secrets/hosts/solis\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "solis");
+      }
+      {
+        path_regex = "/secrets/radicle-private\\.key$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "fw");
+      }
+      {
+        path_regex = "/secrets/garage-rpc\\.key$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert" ++ agesOf "prophecy" ++ agesOf "solis");
+      }
+      {
+        path_regex = "/tests/triple-dezert/test_secrets/";
         key_groups = singleGroup [ testAgePublic ];
       }
     ];

common/sourceTree.nix

@@ -7,38 +7,7 @@
   ...
 }:
 let
-  inherit (builtins) isString isAttrs;
   inherit (lib) mkOption types;
-  inputsOf =
-    flake:
-    assert isAttrs flake;
-    let
-      inputs = removeAttrs (flake.inputs or { }) [ "self" ];
-      # inputTrees = lib.mapAttrs (_: val: inputsOf val) inputs;
-    in
-    pkgs.linkFarm "inputs-tree" (inputs // { self = flake; });
-  # traverseInputs =
-  #   linkDir: unfilteredInputs:
-  #   assert isString linkDir;
-  #   assert isAttrs unfilteredInputs;
-  #   let
-  #     inputs = removeAttrs unfilteredInputs [ "self" ];
-  #   in
-  #   lib.concatStringsSep "\n" (
-  #     lib.mapAttrsToList (
-  #       inputName: inputAttrs:
-  #       let
-  #         thisDir = linkDir + "/" + inputName;
-  #       in
-  #       assert isAttrs inputAttrs;
-  #       assert isAttrs (inputAttrs.inputs or { });
-  #       ''
-  #         mkdir -p ${thisDir}
-  #         ln -s ${inputAttrs} ${thisDir}/self
-  #         ${traverseInputs thisDir (inputAttrs.inputs or { })}
-  #       ''
-  #     ) inputs
-  #   );
 in
 {
   options.vacu.sourceTree = mkOption {
@@ -47,14 +16,11 @@ in
   };
   config =
     {
-      vacu.sourceTree = inputsOf inputs.self // { inherit inputs; };
-      # vacu.sourceTree = pkgs.runCommand "inputs-tree" { } ''
-      #   mkdir -p $out
-      #   ln -s ${inputs.self} $out/self
-      #   ${traverseInputs "$out" inputs}
-      # '';
+      vacu.sourceTree = pkgs.linkFarm "simple-inputs-tree" inputs;
     }
     // (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
-      environment.etc."vacu/sources".source = "${config.vacu.sourceTree}";
+      environment.etc = lib.optionalAttrs (!config.vacu.isMinimal) {
+        "vacu/sources".source = "${config.vacu.sourceTree}";
+      };
     });
 }

common/ssh.nix

@@ -1,145 +0,0 @@
-{ lib, config, ... }:
-let
-  inherit (lib)
-    mkOption
-    types
-    flip
-    concatMapStringsSep
-    optionalString
-    concatStringsSep
-    readFile
-    literalExpression
-    ;
-  inherit (builtins) attrValues;
-  cfg = config.vacu;
-  knownHosts = attrValues cfg.ssh.knownHosts;
-  knownHostsText =
-    (flip (concatMapStringsSep "\n") knownHosts (
-      h:
-      assert h.hostNames != [ ];
-      optionalString h.certAuthority "@cert-authority "
-      + concatStringsSep "," h.hostNames
-      + " "
-      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-    ))
-    + "\n";
-in
-{
-  options = {
-    vacu.ssh.knownHostsText = mkOption {
-      type = types.str;
-      readOnly = true;
-      default = knownHostsText;
-    };
-    #vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
-    vacu.ssh.authorizedKeys = mkOption {
-      type = types.attrsOf types.str;
-      default = { };
-    };
-    vacu.ssh.config = mkOption { type = types.lines; };
-    # Straight copied from nixpkgs
-    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
-    vacu.ssh.knownHosts = mkOption {
-      default = { };
-      type = types.attrsOf (
-        types.submodule (
-          {
-            name,
-            config,
-            options,
-            ...
-          }:
-          {
-            options = {
-              certAuthority = mkOption {
-                type = types.bool;
-                default = false;
-                description = ''
-                  This public key is an SSH certificate authority, rather than an
-                  individual host's key.
-                '';
-              };
-              hostNames = mkOption {
-                type = types.listOf types.str;
-                default = [ name ] ++ config.extraHostNames;
-                defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
-                description = ''
-                  A list of host names and/or IP numbers used for accessing
-                  the host's ssh service. This list includes the name of the
-                  containing `knownHosts` attribute by default
-                  for convenience. If you wish to configure multiple host keys
-                  for the same host use multiple `knownHosts`
-                  entries with different attribute names and the same
-                  `hostNames` list.
-                '';
-              };
-              extraHostNames = mkOption {
-                type = types.listOf types.str;
-                default = [ ];
-                description = ''
-                  A list of additional host names and/or IP numbers used for
-                  accessing the host's ssh service. This list is ignored if
-                  `hostNames` is set explicitly.
-                '';
-              };
-              publicKey = mkOption {
-                default = null;
-                type = types.nullOr types.str;
-                example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-                description = ''
-                  The public key data for the host. You can fetch a public key
-                  from a running SSH server with the {command}`ssh-keyscan`
-                  command. The public key should not include any host names, only
-                  the key type and the key itself.
-                '';
-              };
-              publicKeyFile = mkOption {
-                default = null;
-                type = types.nullOr types.path;
-                description = ''
-                  The path to the public key file for the host. The public
-                  key file is read at build time and saved in the Nix store.
-                  You can fetch a public key file from a running SSH server
-                  with the {command}`ssh-keyscan` command. The content
-                  of the file should follow the same format as described for
-                  the `publicKey` option. Only a single key
-                  is supported. If a host has multiple keys, use
-                  {option}`programs.ssh.knownHostsFiles` instead.
-                '';
-              };
-            };
-          }
-        )
-      );
-      description = ''
-        The set of system-wide known SSH hosts. To make simple setups more
-        convenient the name of an attribute in this set is used as a host name
-        for the entry. This behaviour can be disabled by setting
-        `hostNames` explicitly. You can use
-        `extraHostNames` to add additional host names without
-        disabling this default.
-      '';
-      example = literalExpression ''
-        {
-          myhost = {
-            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
-          };
-          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
-          "myhost2.net/dsa" = {
-            hostNames = [ "myhost2.net" ];
-            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
-          };
-        }
-      '';
-    };
-  };
-  config.vacu.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
-    name: data: {
-      assertion =
-        (data.publicKey == null && data.publicKeyFile != null)
-        || (data.publicKey != null && data.publicKeyFile == null);
-      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-    }
-  );
-}

common/staticNames.nix

@@ -0,0 +1,89 @@
+{
+  lib,
+  vacuModuleType,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  domainPartRegex = "[[:alnum:]]([[:alnum:]-]{0,61}[[:alnum:]])?";
+  domainRegex = ''^${domainPartRegex}(\.${domainPartRegex})*$'';
+  domainType = types.strMatching domainRegex;
+  hostsLines = lib.pipe config.vacu.staticNames [
+    (lib.mapAttrsToList (k: v: [ k ] ++ v))
+    (lib.filter (v: (builtins.length v) > 1))
+    (map (lib.concatStringsSep " "))
+    (lib.concatStringsSep "\n")
+  ];
+  ip4Seg = ''[0-9]{1,3}'';
+  ip4Regex = lib.concatStringsSep ''\.'' [
+    ip4Seg
+    ip4Seg
+    ip4Seg
+    ip4Seg
+  ];
+  ip6Regex = ''[0-9a-fA-F:]+'';
+  ipRegex = ''(${ip4Regex})|(${ip6Regex})'';
+in
+{
+  imports =
+    [
+      {
+        vacu.assertions = map (ip: {
+          assertion = (builtins.match ipRegex ip) != null;
+          message = ''config.vacu.staticNames: attr name "${ip}" is invalid'';
+        }) (builtins.attrNames config.vacu.staticNames);
+      }
+    ]
+    ++ lib.optional (vacuModuleType == "nixos") { networking.hosts = config.vacu.staticNames; }
+    ++ lib.optional (vacuModuleType == "nix-on-droid") {
+      environment.etc.hosts.text = ''
+        127.0.0.1 localhost
+        ::1 localhost
+        ${hostsLines}
+      '';
+    };
+
+  options.vacu.staticNames = mkOption {
+    type = types.attrsOf (types.listOf domainType);
+    default = { };
+  };
+
+  config.vacu.staticNames = {
+    "205.201.63.13" = [
+      "prop"
+      "prophecy"
+      "prophecy.shelvacu-static"
+    ];
+    "10.78.79.22" = [ "prophecy.t2d.lan.shelvacu-static" ];
+    "178.128.79.152" = [
+      "liam"
+      "liam.shelvacu-static"
+    ];
+    "172.83.159.53" = [
+      "trip"
+      "triple-dezert"
+      "triple-dezert.shelvacu-static"
+    ];
+    "10.78.79.237" = [ "triple-dezert.t2d.lan.shelvacu-static" ];
+    "205.201.63.12" = [
+      "servo"
+      "uninsane-servo.shelvacu-static"
+    ];
+    "10.78.79.1" = [
+      "vnopn"
+      "vnopn.shelvacu-static"
+      "vnopn.t2d.lan.shelvacu-static"
+    ];
+    "10.78.79.11" = [
+      "mmm"
+      "mmm.shelvacu-static"
+      "mmm.t2d.lan.shelvacu-static"
+    ];
+    "10.78.79.69" = [
+      "oeto"
+      "oeto.shelvacu-static"
+      "oeto.t2d.lan.shelvacu-static"
+    ];
+  };
+}

common/thunderbird.nix

@@ -0,0 +1,100 @@
+{
+  lib,
+  config,
+  vacuModuleType,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  vacustoreCalUUID = "dd9a924e-57d9-4ea1-b7ec-22d1f0ff3d51";
+  vacustoreCalConfig = {
+    "cache.enabled" = true;
+    calendar-main-in-composite = true;
+    color = "#33d17a";
+    disabled = false;
+    "imip.identity.key" = "id1"; #what is this
+    name = "Personal";
+    readOnly = false;
+    type = "caldav";
+    uri = "https://vacu.store/remote.php/dav/calendars/shelvacu/personal/";
+    username = "shelvacu";
+  };
+in
+{
+  options.vacu.programs.thunderbird = {
+    enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+  config = lib.optionalAttrs (vacuModuleType == "nixos") (lib.mkIf config.vacu.programs.thunderbird.enable {
+    programs.thunderbird = {
+      enable = true;
+      policies = {
+        DisableTelemetry = true;
+        DNSOverHTTPS.Enabled = false;
+        ExtensionSettings = {
+          #*cloud - FileLink for Nextcloud and ownCloud
+          "cloud@johannes-endres.de".installation_mode = "normal_installed";
+          #NTFNTF: Notify on This Folder Not That Folder
+          "ntfntf@dan-sullivan.co.uk".installation_mode = "normal_installed";
+        };
+        SSLVersionMin = "tls1.3";
+        SearchEngines.Remove = [
+          "Amazon.com"
+          "Bing"
+          "DuckDuckGo"
+          "Google"
+          "Wikipedia (en)"
+        ];
+      };
+      preferences = {
+        "accessibility.typeaheadfind.flashBar" = 0; #what is this
+        "app.donation.eoy.version.viewed" = -1; #dunno if this actually works
+        "browser.search.region" = "US";
+        "calendar.alarms.playsound" = false;
+        "calendar.alarms.show" = false;
+        "calendar.ui.version" = 3;
+        "intl.date_time.pattern_override.date_full" = "MMMM d, yyyy G z";
+        "intl.date_time.pattern_override.date_short" = "yyyy-MM-dd";
+        "intl.date_time.pattern_override.time_medium" = "HH:mm:ss z";
+        "intl.date_time.pattern_override.time_short" = "HH:mm";
+        # "ldap_2.servers.Contacts.carddav.url" = "https://vacu.store/remote.php/dav/addressbooks/users/shelvacu/contacts/";
+        # "ldap_2.servers.Contacts.carddav.username" = "shelvacu";
+        # "ldap_2.servers.Contacts.description" = "vacu.store Contacts";
+        # "ldap_2.servers.Contacts.dirType" = 102; #no idea what this does
+        "mail.account.account1.identities" = "id1,id2,id3";
+        "mail.account.account1.server" = "server1";
+        "mail.compose.other.header" = "X-Shelvacu-Custom-Header";
+        "mail.compose.warned_about_customize_from" = true;
+        "mail.identity.id1.fullName" = "Shelvacu";
+        "mail.identity.id1.useremail" = "shelvacu@shelvacu.com";
+        "mail.identity.id1.catchAll" = true;
+        "mail.server.server1.hostname" = "imap.shelvacu.com";
+        "mail.server.server1.login_at_startup" = true;
+        "mail.server.server1.name" = "shelvacu@shelvacu.com";
+        "mail.server.server1.port" = 993;
+        "mail.server.server1.type" = "imap";
+        "mail.server.server1.socketType" = 3; #TLS (as opposed to plaintext or STARTTLS)
+        "mail.server.server1.userName" = "shelvacu";
+        "mail.shell.checkDefaultClient" = false;
+        "mail.showCondensedAddresses" = false;
+        "mail.smtp.defaultserver" = "smtp1";
+        "mail.smtpserver.smtp1.authMethod" = 3;
+        "mail.smtpserver.smtp1.hostname" = "smtp.shelvacu.com";
+        "mail.smtpserver.smtp1.port" = 465;
+        "mail.smtpserver.smtp1.try_ssl" = 3;
+        "mail.smtpserver.smtp1.type" = "smtp";
+        "mail.smtpserver.smtp1.username" = "shelvacu";
+        "mail.startup.enabledMailCheckOnce" = true;
+        "mail.threadpane.listview" = 1;
+        "mailnews.customHeaders" = "X-Vacu-Action";
+        "mailnews.default_sort_type" = 27;
+        "mailnews.mark_message_read.auto" = false;
+        "mailnews.start_page.enabled" = false;
+        # "searchintegration.enable" = false;
+      } // vaculib.mapAttrNames (n: "calendar.registry.${vacustoreCalUUID}.${n}") vacustoreCalConfig;
+    };
+  });
+}

common/units-impl.nix

@@ -36,11 +36,11 @@ let
     ];
 
     installPhase = ''
-      mkdir -p $out
-      cp {definitions,elements}.units $out
-      ln -s ${../units/currency.units} $out/currency.units
-      ln -s ${../units/cpi.units} $out/cpi.units
-      echo ${lib.escapeShellArg config.vacu.units.lines} > $out/vacu.units
+      mkdir -p "$out"
+      cp {definitions,elements}.units "$out"
+      ln -s ${../units/currency.units} "$out"/currency.units
+      ln -s ${../units/cpi.units} "$out"/cpi.units
+      printf '%s' ${lib.escapeShellArg config.vacu.units.lines} > "$out"/vacu.units
     '';
   };
 in
@@ -48,7 +48,8 @@ in
   options.vacu.units = {
     originalPackage = mkOption {
       type = types.package;
-      default = pkgs.units;
+      default = pkgs.units.override { enableCurrenciesUpdater = false; };
+      defaultText = "pkgs.units.override { ... }";
     };
     finalPackage = mkOption {
       type = types.package;
@@ -104,8 +105,8 @@ in
         #
 
         output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
-        echo "$output"
-        filteredLines="$(echo "$output" \
+        printf '%s' "$output"
+        filteredLines="$(printf '%s' "$output" \
           | grep -v '^\s*$' \
           | grep -v 'Currency exchange rates from' \
           | grep -v 'Consumer price index data from' \
@@ -114,7 +115,7 @@ in
         if [[ -n "$filteredLines" ]]; then
           exit 1
         fi
-        touch $out
+        touch "$out"
       '';
     }
     {

common/verify-system/default.nix

@@ -29,6 +29,7 @@ in
               script = mkOption {
                 type = types.lines;
                 default = "## system ident check ${config.name}";
+                defaultText = lib.literalText ''## system ident check ${name}''; 
               };
             };
           }
@@ -42,20 +43,21 @@ in
         enabled = builtins.filter (s: s.enable) verifiers;
         files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
         script = ''
-                  ## vacu verify-system
-          	for f in ${lib.concatStringsSep " " files}; do
-          	  echo "verifying system with $f"
-          	  if ! source $f; then
-          	    echo "ERR: $f failed" >&2
-          	    return 1
-          	  fi
-          	done
+          ## vacu verify-system
+          for f in ${lib.concatStringsSep " " files}; do
+            echo "verifying system with $f"
+            if ! source $f; then
+              echo "ERR: $f failed" >&2
+              return 1
+            fi
+          done
         '';
         scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
       in
       mkOption {
         readOnly = true;
         default = scriptFile;
+        defaultText = "vacu-verify-system-all.sh package";
       };
   };
 }

common/verify-system/nixos.nix

@@ -10,7 +10,8 @@ let
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
   options.vacu.verifySystem.expectedMac = mkOption {
-    type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}");
+    # lowercase only
+    type = types.nullOr (types.strMatching "[a-f0-9]{2}(:[a-f0-9]{2}){5}");
     default = null;
   };
   config = lib.mkIf config.vacu.verifySystem.enable {
@@ -20,25 +21,26 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
     # };
 
     system.extraSystemBuilderCmds = ''
-      mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
-      cat <<EOF > $out/bin/switch-to-configuration
-      #!${pkgs.bash}/bin/bash
-      oldpath="$PATH"
-      export PATH="${pkgs.coreutils}/bin"
-      if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
-      export PATH="$oldpath"
-      exec $out/bin/.switch-to-configuration-unverified "\$@"
-      EOF
+      mv "$out"/bin/switch-to-configuration "$out"/bin/.switch-to-configuration-unverified
+      echo '#!${pkgs.bash}/bin/bash
+      (
+        PATH="${pkgs.coreutils}/bin"
+        if ! source ${config.vacu.verifySystem.verifyAllScript}; then
+          exit $?
+        fi
+      )
+      ' > "$out"/bin/switch-to-configuration
+      echo "exec $out/bin/.switch-to-configuration-unverified" '"$@"' >> "$out"/bin/switch-to-configuration
 
-      ${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
+      ${pkgs.coreutils}/bin/chmod a+x "$out"/bin/switch-to-configuration
     '';
 
     vacu.verifySystem.verifiers = {
       hostname = {
         enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
         script = ''
-          expected=${config.networking.hostName}
-          actual=$(cat /proc/sys/kernel/hostname)
+          expected=${lib.escapeShellArg config.networking.hostName}
+          actual="$(</proc/sys/kernel/hostname)"
           if [[ "$expected" != "$actual" ]]; then
             echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
             return 1
@@ -48,18 +50,19 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       expectedMac = {
         enable = config.vacu.verifySystem.expectedMac != null;
         script = ''
-          	   expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
-          	   declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten | join("\n")' -r))
-          	   for ifMac in "''${actual[@]}"; do
-                       if [[ "$ifMac" == "$expected" ]]; then
-          	       # all is well
-          	       return 0
-          	      fi
-          	   done
-          	   echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
-          	   echo "     Found MAC addresses: ''${actual[*]}" >&2
-          	   return 1
-          	 '';
+          declare expected=${lib.escapeShellArg (lib.toUpper config.vacu.verifySystem.expectedMac)}
+          declare -a actualMacs
+          mapfile -d"" -t actualMacs < <(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten[]' --raw-output0)
+          for ifMac in "''${actualMacs[@]}"; do
+              if [[ "$ifMac" == "$expected" ]]; then
+              # all is well
+              return 0
+             fi
+          done
+          echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
+          echo "     Found MAC addresses: ''${actualMacs[*]}" >&2
+          return 1
+        '';
       };
     };
   };

default.nix

@@ -0,0 +1,29 @@
+{
+  system ? builtins.currentSystem,
+}:
+let
+  flakeCompat = (import
+    (
+      let
+        lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+        nodeName = lock.nodes.root.inputs.flake-compat;
+      in
+      fetchTarball {
+        url = lock.nodes.${nodeName}.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.${nodeName}.locked.rev}.tar.gz";
+        sha256 = lock.nodes.${nodeName}.locked.narHash;
+      }
+    )
+    {
+      inherit system;
+      src = ./.;
+    }
+  );
+  flake = flakeCompat.outputs;
+  overlays = import ./overlays;
+  pkgs = import flake.inputs.nixpkgs {
+    inherit system overlays;
+  };
+in
+pkgs // {
+  nixpkgs-update = { ... }@args: import "${flake.inputs.nixpkgs}/maintainers/scripts/update.nix" ({ include-overlays = overlays; } // args);
+}

dns/default.nix

@@ -7,14 +7,102 @@
 }:
 let
   inherit (lib) mkOption types singleton;
-  inherit (vaculib) mkOutOption;
   inherit (dns.lib.combinators)
+    ns
+    ttl
     spf
     mx
-    ttl
-    ns
     ;
-  cfg = config.vacu.dnsData;
+  inherit (config.vacu) hosts;
+  cloudnsNameServers = [
+    "pns51.cloudns.net."
+    "pns52.cloudns.net."
+    "pns53.cloudns.net."
+    "pns54.cloudns.net."
+  ];
+  cloudnsSoa = (
+    ttl (60 * 60) {
+      nameServer = lib.head cloudnsNameServers;
+      adminEmail = "support@cloudns.net";
+      serial = 1970010101; # cloudns takes care of updating the serial
+      refresh = 7200;
+      retry = 1800;
+      expire = 1209600;
+      minimum = 3600;
+    }
+  );
+  dkimKeyLiam = {
+    name = "2024-03-liam";
+    content = "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==";
+  };
+  dmarc = lib.pipe [
+    # see https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
+    "v=DMARC1"
+    "p=reject" # policy = reject all mail that fails DKIM or SPF
+    # no need for sp=, policy applies to subdomains by default
+    "adkim=s" # match dkim domains strictly (foo.shelvacu.com != shelvacu.com)
+    "aspf=s" # match spf domains strictly
+    "fo=1" # failure reporting: report a failure if any of dkim or spf fails
+    "rua=mailto:dmarc-rua@shelvacu.com!25m"
+    "ruf=mailto:dmarc-ruf@shelvacu.com!25m"
+  ] [
+    (map (s: s + ";"))
+    (lib.concatStringsSep " ")
+  ];
+  vacuZoneExtModule = { config, ... }: {
+    imports = [ vacuDomainExtModule ];
+    options.vacu.cloudns = mkOption {
+      default = true;
+      type = types.bool;
+    };
+    config = lib.mkIf config.vacu.cloudns {
+      SOA = cloudnsSoa;
+      NS = map (server: ttl (60 * 60) (ns server)) cloudnsNameServers;
+      TTL = lib.mkDefault 300;
+    };
+  };
+  vacuDomainExtModule = { config, ... }: {
+    options.vacu = {
+      liamMail = mkOption {
+        default = false;
+        type = types.bool;
+      };
+      _ancestorHasDMARC = mkOption {
+        type = types.bool;
+        default = false;
+        internal = true;
+      };
+    };
+    options.subdomains = mkOption {
+      type = types.attrsOf (types.submodule [
+        {
+          config.vacu._ancestorHasDMARC = config.vacu.liamMail || config.vacu._ancestorHasDMARC;
+        }
+        vacuDomainExtModule
+      ]);
+    };
+    config = lib.mkMerge [
+      (lib.mkIf config.vacu.liamMail {
+        MX = singleton (mx.mx 0 "liam.dis8.net.");
+        TXT = singleton (
+          spf.strict [
+            "mx"
+            "include:outbound.mailhop.org"
+            "include:_spf.mailersend.net"
+            "a:relay.dynu.com"
+          ]
+        );
+        subdomains."${dkimKeyLiam.name}._domainkey".TXT = singleton dkimKeyLiam.content;
+      })
+      (lib.mkIf (config.vacu.liamMail && !config.vacu._ancestorHasDMARC) {
+        subdomains._dmarc.TXT = singleton dmarc;
+      })
+    ];
+  };
+  # vacuZone = lib.mkMerge [
+  #   dns.lib.types.zone
+  #   (types.submodule vacuZoneExtModule)
+  # ];
 in
 {
   imports = [
@@ -22,50 +110,28 @@ in
     ./pwrhs.win.nix
     ./shelvacu.miras.pet.nix
     ./for.miras.pet.nix
+    ./shelvacu.com.nix
+    ./dis8.net.nix
+    ./sv.mt.nix
+    ({ dns, ... }: {
+      options.vacu.dns = mkOption {
+        default = { };
+        type = types.attrsOf dns.lib.types.zone;
+      };
+    })
   ];
   options.vacu.dns = mkOption {
-    default = { };
-    type = types.attrsOf dns.lib.types.zone;
+    type = types.attrsOf (types.submodule vacuZoneExtModule);
   };
-  options.vacu.dnsData = {
-    tripPublicV4 = mkOutOption "172.83.159.53";
-    cloudnsNameServers = mkOutOption [
-      "ns1.shelvacu.com."
-      "ns2.shelvacu.com."
-      "ns3.shelvacu.com."
-      "ns4.shelvacu.com."
-    ];
-    cloudnsSoa = mkOutOption (
-      ttl (60 * 60) {
-        nameServer = lib.head cfg.cloudnsNameServers;
-        adminEmail = "support@cloudns.net";
-        serial = 2025013101;
-        refresh = 7200;
-        retry = 1800;
-        expire = 1209600;
-        minimum = 3600;
-      }
-    );
-    dkimKeys.liam = mkOutOption {
-      name = "2024-03-liam";
-      content = "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==";
-    };
-    modules.cloudns = mkOutOption {
-      SOA = cfg.cloudnsSoa;
-      NS = map (s: ttl (60 * 60) (ns s)) cfg.cloudnsNameServers;
-      TTL = lib.mkDefault 300;
-    };
-    modules.liamMail = mkOutOption {
-      MX = singleton (mx.mx 0 "liam.dis8.net.");
-      TXT = singleton (
-        spf.strict [
-          "mx"
-          "include:outbound.mailhop.org"
-          "include:_spf.mailersend.net"
-          "a:relay.dynu.com"
-        ]
-      );
-      subdomains."${cfg.dkimKeys.liam.name}._domainkey".TXT = singleton cfg.dkimKeys.liam.content;
+  options.vacu.dnsData = vaculib.mkOutOptions rec {
+    tripPublicV4 = hosts.triple-dezert.primaryIp;
+    propPublicV4 = hosts.prophecy.primaryIp;
+    digitalOcean = {
+      reservedV4 = "138.197.233.105";
+      liamPublicV4 = "178.128.79.152";
+      mailPublicV4 = "167.99.161.174";
     };
+    doV4 = digitalOcean.reservedV4;
+    awooV4 = hosts.awoo.primaryIp;
   };
 }

dns/dis8.net.nix

@@ -0,0 +1,28 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+  inherit (config.vacu.dnsData.digitalOcean) liamPublicV4 mailPublicV4 reservedV4;
+in
+{
+  vacu.dns."dis8.net" = { ... }: {
+    vacu.liamMail = true;
+
+    A = singleton mailPublicV4;
+    subdomains = {
+      do-a.A = singleton reservedV4;
+      liam.A = singleton reservedV4;
+      mail.A = singleton liamPublicV4;
+      auwwth = {
+        subdomains.ns.A = singleton dnsData.awooV4;
+        NS = singleton "ns.auwwth.dis8.net.";
+      };
+      solis.A = singleton config.vacu.hosts.solis.primaryIp;
+      "_acme-challenge".CNAME = singleton "a55a31f9-74ac-44fc-bf97-c8c9f2498d3a.auth.dis8.net.";
+    };
+  };
+}

dns/for.miras.pet.nix

@@ -7,13 +7,18 @@ in
   vacu.dns."for.miras.pet" =
     { ... }:
     {
-      imports = [ dnsData.modules.cloudns ];
-      SOA.minimum = lib.mkForce 30;
       subdomains = {
         "git".A = singleton dnsData.tripPublicV4;
         "auth".A = singleton dnsData.tripPublicV4;
         "wisdom".A = singleton dnsData.tripPublicV4;
-        "chat".A = singleton dnsData.tripPublicV4;
+        "chat" =
+          { ... }:
+          {
+            config.vacu.liamMail = true;
+            config.A = singleton dnsData.tripPublicV4;
+            config.subdomains."duo-1745490301302-14f65157._domainkey".TXT =
+              singleton "v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA/94Rh5eMPsKwGGolkleY1Rhh2Q6H22bfdGVu0lXpoHP1K7JxloWu/Ice2vVN/udztmPY+BK1x+5qubcGZKpPt1bC9amsXnyTXfKIMGD2CNd0tnaO54hmMOfv+lTA9YjF0X93tcQP3yUxJgJ9yPZcalFl/bBAqv4/lUVLYFeIVQIDAQAB";
+          };
         "gabriel-dropout".A = singleton dnsData.tripPublicV4;
         "_acme-challenge".CNAME = singleton "199b8aa4-bc9f-4f43-88bf-3f613f62b663.auwwth.dis8.net.";
       };

dns/jean-luc.org.nix

@@ -8,17 +8,11 @@ in
   vacu.dns."jean-luc.org" =
     { ... }:
     {
-      imports = [
-        dnsData.modules.cloudns
-        dnsData.modules.liamMail
-      ];
+      vacu.liamMail = true;
       A = main_ips;
+      NS = lib.mkAfter [ "ns2.afraid.org." ]; # note: appends to NS records from modules.cloudns
       subdomains = {
-        "in" =
-          { ... }:
-          {
-            imports = [ dnsData.modules.liamMail ];
-          };
+        "in".vacu.liamMail = true;
         "*".A = main_ips;
         "_acme-challenge".CNAME = singleton "8cc7a174-c4a6-40f5-9fff-dfb271c5ce0b.auwwth.dis8.net.";
         "stats".A = main_ips;

dns/pwrhs.win.nix

@@ -7,7 +7,6 @@ in
   vacu.dns."pwrhs.win" =
     { ... }:
     {
-      imports = [ dnsData.modules.cloudns ];
       A = singleton dnsData.tripPublicV4;
       subdomains.habitat.A = singleton dnsData.tripPublicV4;
       subdomains._acme-challenge.CNAME = singleton "73697955-1c51-48ba-ba1e-b3398850f59f.auwwth.dis8.net.";

dns/shelvacu.com.nix

@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  vaculib,
+  ...
+}:
+let
+  s = v: [ v ];
+  inherit (config.vacu) dnsData;
+  trip_ips = s dnsData.tripPublicV4;
+  prop_ips = s dnsData.propPublicV4;
+  solis_ips = s config.vacu.hosts.solis.primaryIp;
+  mail_thing = s "178.128.79.152";
+  # which domains to allow dmarc reports.
+  # ex: _dmarc.dis8.net TXT has "rua=rua-reports@shelvacu.com", reports will only be sent if shelvacu.com allows them
+  # allow all domains configured in this repo, and one level of subdomain (ideally all but thats hard, this should be good enough)
+  allow_report_domains = lib.pipe config.vacu.dns [
+    lib.attrNames
+    (list: list ++ [ "theviolincase.com" "violingifts.com" ])
+    (lib.concatMap (domain: [domain "*.${domain}"]))
+  ];
+in
+{
+  vacu.dns."shelvacu.com" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = trip_ips;
+      CAA = [
+        {
+          issuerCritical = true;
+          tag = "issue";
+          value = "letsencrypt.org";
+        }
+        {
+          issuerCritical = true;
+          tag = "issue";
+          value = "sectigo.com";
+        }
+        {
+          issuerCritical = true;
+          tag = "issuewild";
+          value = "letsencrypt.org";
+        }
+        {
+          issuerCritical = false;
+          tag = "iodef";
+          value = "mailto:caa-violation@shelvacu.com";
+        }
+      ];
+      subdomains = {
+        _acme-challenge.CNAME = s "5cb20bf7-5203-417f-b729-fa3a3ad3b775.auwwth.dis8.net.";
+        _atproto.TXT = s "did=did:plc:oqenurzqeji6ulii3myxls64";
+        "_report._dmarc".subdomains = vaculib.mapNamesToAttrsConst { TXT = s "v=DMARC1"; } allow_report_domains;
+        admin-garage-trip.A = trip_ips;
+        auth.A = trip_ips;
+        autoconfig.A = mail_thing;
+        awoo.A = s "45.142.157.71";
+        dav.A = trip_ips;
+        dav-experiment.A = prop_ips;
+        ft.subdomains = {
+          "*".A = s "45.87.250.193";
+          _acme-challenge.CNAME = s "17aa43aa-9295-4522-8cf2-b94ba537753d.auth.acme-dns.io.";
+        };
+        # hzo3bcydh5khtpeio6zrzb7kwcwiccnh.subdomains._domainkey.CNAME = s "hzo3bcydh5khtpeio6zrzb7kwcwiccnh.dkim.amazonses.com.";
+        id.A = trip_ips;
+        imap.A = mail_thing;
+        jobs.A = trip_ips;
+        llm.A = trip_ips;
+        mail.A = mail_thing;
+        # mlsend2.subdomains._domainkey.CNAME = s "mlsend2._domainkey.mailersend.net.";
+        mumble.A = prop_ips;
+        nixcache.A = trip_ips;
+        ns1.CNAME = s "pns51.cloudns.net.";
+        ns2.CNAME = s "pns52.cloudns.net.";
+        ns3.CNAME = s "pns53.cloudns.net.";
+        ns4.CNAME = s "pns54.cloudns.net.";
+        prop.CNAME = s "prophecy";
+        prophecy.A = prop_ips;
+        prophecy.subdomains.garage.subdomains = {
+          s3.A = prop_ips;
+          admin.A = prop_ips;
+        };
+        rad.A = trip_ips;
+        s3-garage-trip.A = trip_ips;
+        servacu.A = s "167.99.161.174";
+        smtp.A = mail_thing;
+        sol.CNAME = s "solis";
+        solis.A = solis_ips;
+        solis.subdomains.garage.subdomains = {
+          s3.A = solis_ips;
+          admin.A = solis_ips;
+        };
+        trip.A = trip_ips;
+        vaultwarden.A = trip_ips;
+        www.A = trip_ips;
+      };
+    };
+}

dns/shelvacu.miras.pet.nix

@@ -7,10 +7,7 @@ in
   vacu.dns."shelvacu.miras.pet" =
     { ... }:
     {
-      imports = [
-        dnsData.modules.cloudns
-        dnsData.modules.liamMail
-      ];
+      vacu.liamMail = true;
       A = singleton dnsData.tripPublicV4;
       subdomains."_acme-challenge".CNAME =
         singleton "65e44f64-3c65-46f6-b15f-4ad6363b21eb.auwwth.dis8.net.";

dns/sv.mt.nix

@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."sv.mt" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = singleton dnsData.propPublicV4;
+      subdomains.www.A = singleton dnsData.propPublicV4;
+      subdomains.thisthirdlevelisownedbyshelandwasnotmadeavailabletoemily = {
+        NS = [
+          "thisns1isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns2isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns3isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns4isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns5isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+        ];
+        # TXT = singleton "ha5d5dc3ca7b34574bc60929e3910ba8a";
+      };
+    };
+}

dprop

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+git add . && nixos-rebuild --flake .#prophecy --build-host prop --target-host prop --use-remote-sudo "$@"

flake.nix

@@ -2,108 +2,84 @@
   description = "Configs for shelvacu's nix things";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.11-small";
+    nixpkgs.url = "nixpkgs/nixos-25.05-small";
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
-    flake-utils.url = "github:numtide/flake-utils";
-    nixvim = {
-      url = "github:nix-community/nixvim/nixos-24.11";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
-    };
-    nixvim-unstable = {
-      url = "github:nix-community/nixvim";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-    nix-inspect = {
-      url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    nix-inspect-unstable = {
-      url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-    vscode-server-unstable = {
-      url = "github:nix-community/nixos-vscode-server";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    vscode-server = {
-      url = "github:nix-community/nixos-vscode-server";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    nix-on-droid = {
-      url = "github:nix-community/nix-on-droid";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
-    };
-    jovian-unstable = {
-      # there is no stable jovian :cry:
-      url = "github:Jovian-Experiments/Jovian-NixOS";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
     disko = {
-      url = "github:nix-community/disko";
+      url = "git+https://git.uninsane.org/shelvacu/disko.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     disko-unstable = {
-      url = "github:nix-community/disko";
+      url = "git+https://git.uninsane.org/shelvacu/disko.git";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+    dns = {
+      url = "github:nix-community/dns.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+    flake-compat.url = "github:edolstra/flake-compat";
+    flake-utils.url = "github:numtide/flake-utils";
     home-manager = {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     home-manager-unstable = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    nix-search-cli-unstable = {
-      url = "github:peterldowns/nix-search-cli";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    nix-search-cli = {
-      url = "github:peterldowns/nix-search-cli";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    padtype-unstable = {
-      url = "git+https://git.uninsane.org/shelvacu/padtype.git";
+    impermanence.url = "github:nix-community/impermanence";
+    jovian-unstable = {
+      # there is no stable jovian :cry:
+      url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    nixos-hardware.url = "github:nixos/nixos-hardware";
     most-winningest = {
       url = "github:captain-jean-luc/most-winningest";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.flake-utils.follows = "flake-utils";
     };
+    nixos-hardware.url = "github:nixos/nixos-hardware";
     nixos-apple-silicon-unstable = {
       url = "github:tpwrules/nixos-apple-silicon";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
-    dns = {
-      url = "github:nix-community/dns.nix";
+    nixvim = {
+      url = "github:nix-community/nixvim/nixos-25.05";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixvim-unstable = {
+      url = "github:nix-community/nixvim";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    nix-colors = {
+      url = "github:Misterio77/nix-colors";
+    };
+    nix-on-droid = {
+      url = "github:nix-community/nix-on-droid";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+    padtype-unstable = {
+      url = "git+https://git.uninsane.org/shelvacu/padtype.git";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    tf2-nix = {
+      url = "gitlab:shelvacu-forks/tf2-nix/with-my-patches";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
     };
     treefmt-nix = {
       url = "github:numtide/treefmt-nix";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    determinate-nix = {
-      url = "https://flakehub.com/f/DeterminateSystems/nix-src/3.0.0";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    determinate-nix-unstable = {
-      url = "https://flakehub.com/f/DeterminateSystems/nix-src/3.0.0";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    vacu-keys = {
+      url = "git+https://git.uninsane.org/shelvacu/keys.nix.git";
+      flake = false;
     };
   };
 
@@ -113,55 +89,20 @@
       nixpkgs,
       nix-on-droid,
       ...
-    }@inputs:
+    }@allInputs:
     let
       x86 = "x86_64-linux";
       arm = "aarch64-linux";
       lib = import "${nixpkgs}/lib";
       overlays = import ./overlays;
-      mkPlainInner =
-        pkgs:
-        lib.evalModules {
-          modules = [
-            ./common
-            { vacu.systemKind = "server"; }
-          ];
-          specialArgs = {
-            inherit pkgs;
-            inherit lib;
-            inherit (inputs) dns;
-            vacuModuleType = "plain";
-            inherit inputs;
-          };
-        };
-      mkPlain =
-        pkgs:
-        let
-          inner = mkPlainInner pkgs;
-        in
-        inner.config.vacu.withAsserts inner;
-      mkPkgs =
-        arg:
-        let
-          argAttrAll = if builtins.isString arg then { system = arg; } else arg;
-          useUnstable = argAttrAll.useUnstable or false;
-          whichpkgs = if useUnstable then inputs.nixpkgs-unstable else inputs.nixpkgs;
-          argAttr = lib.removeAttrs argAttrAll [ "useUnstable" ];
-          config = {
-            allowUnfree = true;
-            permittedInsecurePackages = [ "olm-3.2.16" ];
-          } // (argAttr.config or { });
-        in
-        import whichpkgs (
-          argAttr // { inherit config; } // { overlays = (argAttr.overlays or [ ]) ++ overlays; }
-        );
-      pkgs = mkPkgs x86;
-      defaultInputs = [
-        "nix-search-cli"
-        "nix-inspect"
+      vacuModules = import ./modules;
+      mkVaculib = { pkgs }: import ./vaculib { inherit pkgs; nix-colors-lib = allInputs.nix-colors.lib; };
+      vaculib = mkVaculib { inherit pkgs; };
+      defaultSuffixedInputNames = [
         "nixvim"
-        "determinate-nix"
+        "nixpkgs"
       ];
+      defaultInputs = { inherit (allInputs) self vacu-keys; };
       mkInputs =
         {
           unstable ? false,
@@ -169,16 +110,74 @@
         }:
         let
           suffix = if unstable then "-unstable" else "";
-          nixpkgs = inputs.${"nixpkgs" + suffix};
-          inp' = inp ++ defaultInputs;
-          thisInputsA = builtins.listToAttrs (
-            map (name: lib.nameValuePair name inputs.${name + suffix}) inp'
-          );
+          inputNames = inp ++ defaultSuffixedInputNames;
+          thisInputsA = vaculib.mapNamesToAttrs (name: allInputs.${name + suffix}) inputNames;
         in
-          thisInputsA // {
-            inherit nixpkgs;
-            inherit (inputs) self;
+        if inp == "all" then allInputs else thisInputsA // defaultInputs;
+      mkPkgs =
+        arg:
+        let
+          argAttrAll = if builtins.isString arg then { system = arg; } else arg;
+          unstable = argAttrAll.unstable or false;
+          whichpkgs = if unstable then allInputs.nixpkgs-unstable else allInputs.nixpkgs;
+          argAttr = lib.removeAttrs argAttrAll [ "unstable" ];
+          config = {
+            allowUnfree = true;
+            # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
+            # presumably needed by nheko
+            permittedInsecurePackages = [
+              "olm-3.2.16"
+              "fluffychat-linux-1.27.0"
+            ];
+          } // (argAttr.config or { });
+        in
+        import whichpkgs (
+          argAttr // { inherit config; } // { overlays = (argAttr.overlays or [ ]) ++ overlays; }
+        );
+      mkCommon =
+        {
+          unstable ? false,
+          inp ? [ ],
+          system ? x86,
+          vacuModuleType,
+        }:
+        let
+          pkgsStable = mkPkgs { unstable = false; inherit system; };
+          pkgsUnstable = mkPkgs { unstable = true; inherit system; };
+          pkgs = if unstable then pkgsUnstable else pkgsStable;
+          inputs = mkInputs { inherit unstable inp; };
+          vaculib = mkVaculib { inherit pkgs; };
+        in
+        {
+          inherit pkgs pkgsStable pkgsUnstable inputs vaculib;
+          specialArgs = {
+            inherit inputs vacuModules vacuModuleType vaculib pkgsStable pkgsUnstable;
+            inherit (allInputs) dns;
           };
+        };
+      mkPlain =
+        {
+          unstable ? false,
+          system ? x86,
+        }@args:
+        let
+          common = mkCommon (args // {
+            vacuModuleType = "plain";
+            inp = "all";
+          });
+          inner = lib.evalModules {
+            modules = [
+              ./common
+              { vacu.systemKind = "server"; }
+            ];
+            specialArgs = common.specialArgs // {
+              inherit (common) pkgs;
+              inherit (common.pkgs) lib;
+            };
+          };
+        in
+        inner.config.vacu.withAsserts inner;
+      pkgs = mkPkgs x86;
       mkNixosConfig =
         {
           unstable ? false,
@@ -187,16 +186,13 @@
           inp ? [ ],
         }:
         let
-          inputs = mkInputs { inherit unstable inp; };
+          common = mkCommon { inherit unstable inp system; vacuModuleType = "nixos"; };
         in
-        inputs.nixpkgs.lib.nixosSystem {
-          specialArgs = {
-            inherit inputs;
-            inherit (inputs) dns;
-            vacuModuleType = "nixos";
-          };
+        allInputs.nixpkgs.lib.nixosSystem {
+          inherit (common) specialArgs;
           inherit system;
           modules = [
+            { nixpkgs.pkgs = common.pkgs; }
             ./common
             module
           ];
@@ -204,106 +200,130 @@
     in
     {
       debug.isoDeriv = (
-        import "${inputs.nixpkgs}/nixos/release-small.nix" {
-          nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
+        import "${allInputs.nixpkgs}/nixos/release-small.nix" {
+          nixpkgs = ({ revCount = 0; } // allInputs.nixpkgs);
         }
       );
+
+      lib = {
+        inherit
+          mkPlain
+          mkPkgs
+          mkInputs
+          mkNixosConfig
+          vaculib
+          ;
+      };
+
       nixosConfigurations = {
         triple-dezert = mkNixosConfig {
-          module = ./triple-dezert;
-          inp = [ "most-winningest" ];
+          module = ./hosts/triple-dezert;
+          inp = [
+            "most-winningest"
+            "sops-nix"
+          ];
         };
         compute-deck = mkNixosConfig {
-          module = ./compute-deck;
+          module = ./hosts/compute-deck;
           inp = [
             "jovian"
             "home-manager"
-            "vscode-server"
             "disko"
             "padtype"
           ];
           unstable = true;
         };
         liam = mkNixosConfig {
-          module = ./liam;
+          module = ./hosts/liam;
           inp = [ "sops-nix" ];
         };
-        lp0 = mkNixosConfig { module = ./lp0; };
-        shel-installer = mkNixosConfig { module = ./installer.nix; };
+        lp0 = mkNixosConfig { module = ./hosts/lp0; };
+        shel-installer-iso = mkNixosConfig { module = ./hosts/installer/iso.nix; };
+        shel-installer-pxe = mkNixosConfig { module = ./hosts/installer/pxe.nix; };
         fw = mkNixosConfig {
-          module = ./fw;
+          module = ./hosts/fw;
           inp = [
             "nixos-hardware"
             "sops-nix"
+            "tf2-nix"
           ];
         };
         legtop = mkNixosConfig {
-          module = ./legtop;
+          module = ./hosts/legtop;
           inp = [ "nixos-hardware" ];
         };
         mmm = mkNixosConfig {
-          module = ./mmm;
+          module = ./hosts/mmm;
           inp = [ "nixos-apple-silicon" ];
           system = "aarch64-linux";
           unstable = true;
         };
-        toptop = mkNixosConfig {
-          module = ./toptop;
+        prophecy = mkNixosConfig {
+          module = ./hosts/prophecy;
           system = "x86_64-linux";
+          inp = [
+            "impermanence"
+            "sops-nix"
+            "disko"
+          ];
+        };
+        solis = mkNixosConfig {
+          module = ./hosts/solis;
+          system = "x86_64-linux";
+          inp = [
+            "disko"
+            "impermanence"
+            "sops-nix"
+          ];
         };
       };
 
-      nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
-        modules = [
-          ./common
-          ./nix-on-droid
-        ];
-        extraSpecialArgs = {
-          inputs = mkInputs { };
-          inherit (inputs) dns;
-          vacuModuleType = "nix-on-droid";
+      nixOnDroidConfigurations.default =
+        let
+          common = mkCommon { system = arm; vacuModuleType = "nix-on-droid"; };
+        in
+        nix-on-droid.lib.nixOnDroidConfiguration {
+          modules = [
+            ./common
+            ./hosts/nix-on-droid
+          ];
+          extraSpecialArgs = common.specialArgs;
+          inherit (common) pkgs;
         };
-        pkgs = mkPkgs {
-          system = arm;
-        };
-      };
 
       checks = nixpkgs.lib.genAttrs [ x86 ] (
         system:
         let
-          pkgs = mkPkgs system;
-          plain = mkPlain pkgs;
-          config = {
+          common = mkCommon { inherit system; vacuModuleType = "nixos"; };
+          inherit (common) pkgs;
+          plain = mkPlain { inherit system; };
+          commonTestModule = {
+            hostPkgs = pkgs;
+            _module.args.inputs = { inherit (allInputs) self; };
             node.pkgs = pkgs;
-            node.pkgsReadOnly = false;
-            node.specialArgs.selfPackages = self.packages.${system};
-            node.specialArgs.vacuModuleType = "nixos";
+            node.pkgsReadOnly = true;
+            node.specialArgs = (lib.removeAttrs common.specialArgs [ "inputs" ]) // { selfPackages = self.packages.${system}; };
           };
+          mkTest =
+            name:
+            nixpkgs.lib.nixos.runTest {
+              imports = [
+                commonTestModule
+                ./tests/${name}
+                { node.specialArgs.inputs = self.nixosConfigurations.${name}._module.specialArgs.inputs; }
+              ];
+            };
           checksFromConfig = plain.config.vacu.checks;
         in
         assert !(checksFromConfig ? liam) && !(checksFromConfig ? trip);
         checksFromConfig
         // {
-          liam = nixpkgs.lib.nixos.runTest {
-            hostPkgs = pkgs;
-            imports = [
-              config
-              ./tests/liam.nix
-              { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
-            ];
-          };
-          trip = nixpkgs.lib.nixos.runTest {
-            hostPkgs = pkgs;
-            imports = [
-              config
-              ./tests/triple-dezert.nix
-              { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
-            ];
-          };
+          liam = mkTest "liam";
+          triple-dezert = mkTest "triple-dezert";
         }
       );
 
-      qb = # qb is "quick build"
+      buildList =
         let
           toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
           deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; };
@@ -311,72 +331,61 @@
             name: value: lib.nameValuePair (name + "-aarch64") value
           ) self.packages.aarch64-linux;
           packages = self.packages.x86_64-linux // renamedAarchPackages;
+          pxe-build = self.nixosConfigurations.shel-installer-pxe.config.system.build;
         in
-        rec {
+        {
           fw = toplevelOf "fw";
           triple-dezert = toplevelOf "triple-dezert";
-          trip = triple-dezert;
           compute-deck = toplevelOf "compute-deck";
-          cd = compute-deck;
           liam = toplevelOf "liam";
           lp0 = toplevelOf "lp0";
           legtop = toplevelOf "legtop";
-          lt = legtop;
           mmm = toplevelOf "mmm";
-          shel-installer = toplevelOf "shel-installer";
-          toptop = toplevelOf "toptop";
-          tt = toptop;
-          iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
-          check-triple-dezert = self.checks.x86_64-linux.trip.driver;
-          check-trip = check-triple-dezert;
+          shel-installer-iso = toplevelOf "shel-installer-iso";
+          shel-installer-pxe = toplevelOf "shel-installer-pxe";
+          prophecy = toplevelOf "prophecy";
+          iso = self.nixosConfigurations.shel-installer-iso.config.system.build.isoImage;
+          pxe-toplevel = toplevelOf "shel-installer-pxe";
+          pxe-kernel = pxe-build.kernel;
+          pxe-initrd = pxe-build.netbootRamdisk;
+          check-triple-dezert = self.checks.x86_64-linux.triple-dezert.driver;
           check-liam = self.checks.x86_64-linux.liam.driver;
+          liam-sieve = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
 
           nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
-          nod = nix-on-droid;
 
-          nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
-          nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
+          nod-bootstrap-x86_64 = allInputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
+          nod-bootstrap-aarch64 = allInputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
 
           dc-priv = deterministicCerts.privKeyFile "test";
           dc-cert = deterministicCerts.selfSigned "test" { };
 
-          # sm64 = packages.sm64coopdx;
-          ak = packages.authorizedKeys;
-          my-sops = packages.wrappedSops;
-
-          inherit (inputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
+          inherit (allInputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
             m1n1
             uboot-asahi
             installer-bootstrap
             ;
           installer-bootstrap-cross =
-            inputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
+            allInputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
         }
         // packages;
 
+      qb = self.buildList // {
+        trip = self.buildList.triple-dezert;
+        cd = self.buildList.compute-deck;
+        lt = self.buildList.legtop;
+        prop = self.buildList.prophecy;
+        check-trip = self.buildList.check-triple-dezert;
+        nod = self.buildList.nix-on-droid;
+        ak = self.buildList.authorizedKeys;
+        my-sops = self.buildList.wrappedSops;
+      };
+
       brokenBuilds = [
         "sm64coopdx-aarch64"
         "installer-bootstrap"
       ];
 
-      all =
-        let
-          linksNoContext = removeAttrs self.qb self.brokenBuilds;
-          links = builtins.mapAttrs (
-            name: val: builtins.addErrorContext "while evaluating link ${name}" val
-          ) linksNoContext;
-        in
-        pkgs.runCommand "nix-stuff-all"
-          {
-            __structuredAttrs = true;
-            inherit links;
-          }
-          ''
-            mkdir $out
-            cd $out
-            eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
-          '';
-
       impureBuilds = [
         "nix-on-droid"
         "nod"
@@ -384,112 +393,105 @@
         "nod-bootstrap-aarch64"
       ];
 
-      allPure = self.all.overrideAttrs (prev: {
-        links = removeAttrs prev.links self.impureBuilds;
-      });
-
-      archiveSmall =
-        let
-          # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
-          isoContents = lib.concatStringsSep "\n" (
-            map (
-              c: "${c.source} => ${c.target}"
-            ) self.nixosConfigurations.shel-installer.config.isoImage.contents
-          );
-          isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
-          allButImgs = self.all.overrideAttrs (prev: {
-            links = (removeAttrs prev.links [ "iso" ]) // {
-              iso-contents = isoContentsPkg;
-            };
-          });
-        in
-        allButImgs;
-
-      archive =
-        let
-          inherit (self) archiveSmall;
-        in
-        archiveSmall.overrideAttrs (prev: {
-          links = prev.links // {
-            build-deps = pkgs.closureInfo { rootPaths = [ archiveSmall.drvPath ]; };
-          };
-        });
+      archival = import ./archive.nix { inherit self pkgs lib; };
     }
-    // (inputs.flake-utils.lib.eachDefaultSystem (
+    // (allInputs.flake-utils.lib.eachDefaultSystem (
       system:
       let
-        nixpkgs-args = {
-          inherit system;
-          config.allowUnfree = true;
-          overlays = [ inputs.sm64baserom.overlays.default ];
-        };
-        pkgs-unstable = mkPkgs nixpkgs-args // {
-          useUnstable = true;
-        };
-        pkgs-stable = mkPkgs nixpkgs-args // {
-          useUnstable = false;
-        };
-        _plain = mkPlain pkgs-unstable;
-        plain = _plain.config.vacu.withAsserts _plain;
-        treefmtEval = inputs.treefmt-nix.lib.evalModule pkgs-unstable ./treefmt.nix;
+        mkNixvim =
+          { unstable, minimal }:
+          let
+            common = mkCommon { inherit unstable; vacuModuleType = "nixvim"; };
+            nixvim-input = if unstable then allInputs.nixvim-unstable else allInputs.nixvim;
+          in
+          nixvim-input.legacyPackages.${system}.makeNixvimWithModule {
+            module = {
+              imports = [ ./nixvim ];
+            };
+            extraSpecialArgs = common.specialArgs // { inherit minimal; };
+          };
+        common = mkCommon { unstable = true; vacuModuleType = "plain"; };
+        inherit (common) pkgs pkgsStable pkgsUnstable;
+        plain = mkPlain { unstable = true; };
+        treefmtEval = allInputs.treefmt-nix.lib.evalModule pkgsUnstable ./treefmt.nix;
+        formatter = treefmtEval.config.build.wrapper;
+        vacuPackagePaths = import ./packages;
+        vacuPackages = builtins.intersectAttrs vacuPackagePaths pkgsStable;
       in
       {
-        formatter = treefmtEval.config.build.wrapper;
+        inherit formatter;
+        inherit (common) vaculib;
         apps.sops = {
           type = "app";
           program = lib.getExe self.packages.${system}.wrappedSops;
         };
-        vacuconfig = plain.config;
+        vacuConfig = plain.config;
+        inherit vacuPackages;
         legacyPackages = {
-          unstable = pkgs-unstable;
-          stable = pkgs-stable;
+          unstable = pkgsUnstable;
+          stable = pkgsStable;
+          nixpkgs-update = { ... }@args: import "${allInputs.nixpkgs}/maintainers/scripts/update.nix" ({ include-overlays = [ (import ./overlays/newPackages.nix) ]; } // args);
         };
         packages = rec {
-          authorizedKeys = pkgs-stable.writeText "authorizedKeys" (
+          archive = pkgsStable.callPackage ./scripts/archive { };
+          authorizedKeys = pkgsStable.writeText "authorizedKeys" (
             lib.concatStringsSep "\n" (
               lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys
             )
           );
-          bandcamp-collection-downloader = pkgs-unstable.callPackage ./packages/bcd { };
-          bcd = bandcamp-collection-downloader;
-          dnix = inputs.determinate-nix.packages.${system}.nix;
           dns = import ./scripts/dns {
-            inherit pkgs lib inputs;
+            inherit pkgs lib;
+            inputs = allInputs;
             inherit (plain) config;
           };
-          haproxy-auth-request = pkgs.callPackage ./packages/haproxy-auth-request.nix {
-            inherit haproxy-lua-http;
+          inherit formatter;
+          generated = pkgsStable.linkFarm "generated" {
+            nixpkgs = "${allInputs.nixpkgs}";
+            "liam-test/hints.py" = pkgs.writeText "hints.py" (
+              import ./typesForTest.nix {
+                name = "liam";
+                inherit (pkgsStable) lib;
+                inherit self;
+                inherit (allInputs) nixpkgs;
+              }
+            );
+            "dns/python-env" = builtins.dirOf (builtins.dirOf dns.interpreter);
+            "mailtest/python-env" = builtins.dirOf (
+              builtins.dirOf self.checks.x86_64-linux.liam.nodes.checker.vacu.mailtest.smtp.interpreter
+            );
+          };
+          host-pxe-installer = pkgs.callPackage ./host-pxe-installer.nix {
+            nixosInstaller = self.nixosConfigurations.shel-installer-pxe;
           };
-          haproxy-lua-http = pkgs.callPackage ./packages/haproxy-lua-http.nix { };
           liam-sieve-script = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
-          nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
-            extraSpecialArgs = {
-              inputs = { };
-            };
-            module = {
-              imports = [ ./nixvim ];
-            };
+          nixvim = mkNixvim {
+            unstable = false;
+            minimal = false;
           };
-          nix-inspect = inputs.nix-inspect.packages.${system}.default;
-          nix-search-cli = inputs.nix-search-cli.packages.${system}.default;
-          openterface-qt = pkgs.callPackage ./packages/openterface-qt.nix { };
-          rg-cubexx-v1-0-1 = pkgs.fetchurlWithWetransfer {
-            url = "https://we.tl/t-nwhCNkgXwG";
-            name = "cxm_rgcubexx-v1-0-1-en32gb-2401018_2024-10-19_0631.zip";
-            recursiveHash = true;
-            hash = "sha256-kQds0/BdlEA10LJozOvpQ65TemTx6CxjO8rANi4o5K0=";
+          nixvim-unstable = mkNixvim {
+            unstable = true;
+            minimal = false;
           };
+          nixvim-minimal = mkNixvim {
+            unstable = false;
+            minimal = true;
+          };
+          nixvim-unstable-minimal = mkNixvim {
+            unstable = true;
+            minimal = true;
+          };
+          # optionsDocNixOnDroid = (pkgs.nixosOptionsDoc {
+          #   inherit (self.nixOnDroidConfigurations.default) options;
+          # }).optionsCommonMark;
+          openterface-qt-eudev = vacuPackages.openterface-qt.override { useSystemd = false; };
+          openterface-qt-systemd = vacuPackages.openterface-qt.override { useSystemd = true; };
           sopsConfig = plain.config.vacu.sopsConfigFile;
           sourceTree = plain.config.vacu.sourceTree;
-          transferwee = pkgs.callPackage ./packages/transferwee.nix { };
           units = plain.config.vacu.units.finalPackage;
-          update-git-keys = pkgs-stable.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; };
-          vnopnCA = pkgs-stable.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
+          update-git-keys = pkgsStable.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; inputs = allInputs; };
+          vnopnCA = pkgsStable.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
           wrappedSops = plain.config.vacu.wrappedSops;
-          z3 = pkgs-unstable.callPackage ./packages/z3 { };
-          # mycoopdx = pkgs-unstable.callPackage ./packages/sm64coopdx.nix { };
-          # zulip-server = pkgs.python312Packages.callPackage ./packages/zulip.nix { };
-        };
+        } // vacuPackages;
       }
     ));
 }

fw/experiment.nix

@@ -1,43 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-let
-  version = "6.10.4";
-  hash = "sha256:1y2m2pqrvsgr9ng72nnh4yvsprkvkznhnmn4p8g78350bzyrvip2";
-  customKernel = pkgs.linux_6_10.override {
-    inherit version;
-    src = pkgs.fetchurl {
-      url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
-      inherit hash;
-    };
-    modDirVersion = lib.versions.pad 3 version;
-  };
-  customKernelPackages = pkgs.linuxPackagesFor customKernel;
-in
-{
-  system.nixos.tags = [
-    "EXPERIMENT"
-    "kernel-${config.boot.kernelPackages.kernel.version}"
-  ];
-
-  boot.kernelPackages = lib.mkForce customKernelPackages;
-  # boot.zfs.extraPools = lib.mkForce [];
-  # fileSystems."/".fsType = lib.mkForce "ext4";
-
-  vacu.packages.sm64coopdx.enable = false;
-  vacu.verifySystem.expectedMac = lib.mkForce null;
-}
-
-# good:
-#  Linux fw 6.6.50 #1-NixOS SMP PREEMPT_DYNAMIC Sun Sep  8 05:54:49 UTC 2024 x86_64 GNU/Linux
-#  Linux fw 6.8.12 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:49:53 UTC 2024 x86_64 GNU/Linux
-#  linux-6.9.12
-#  6.10.4 (maybe?? sus)
-# Linux fw 6.10.10 #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024 x86_64 GNU/Linux (but this was supposed to be 6.10.4....)
-
-# bad:
-# Linux fw 6.10.10-gnu #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan  1 00:00:00 UTC 1980 x86_64 GNU/Linux
-#  linux linux-6.10.10

fw/orca-slicer.nix

@@ -1,16 +0,0 @@
-{ pkgs, ... }:
-{
-  vacu.packages.orca-slicer = {
-    enable = true;
-    package = pkgs.orca-slicer.overrideAttrs (prev: {
-      patches = (prev.patches or [ ]) ++ [
-        (pkgs.fetchpatch {
-          name = "pr-7650-configurable-update-check.patch";
-          url = "https://github.com/SoftFever/OrcaSlicer/pull/7650.patch";
-          hash = "sha256-t4own5AwPsLYBsGA15id5IH1ngM0NSuWdFsrxMRXmTk=";
-        })
-      ];
-      cmakeFlags = (prev.cmakeFlags or [ ]) ++ [ "-DORCA_VERSION_CHECK_DEFAULT=OFF" ];
-    });
-  };
-}

fw/sops.nix

@@ -1,19 +0,0 @@
-{
-  inputs,
-  lib,
-  config,
-  ...
-}:
-{
-  imports = [ inputs.sops-nix.nixosModules.sops ];
-
-  options.vacu.secretsFolder = lib.mkOption {
-    type = lib.types.path;
-    default = ../secrets;
-  };
-
-  config = {
-    # sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
-    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  };
-}

fw/thunderbolt.nix

@@ -1,10 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.hardware.bolt.enable = true;
-
-  vacu.packages = [
-    pkgs.thunderbolt
-    config.services.hardware.bolt.package
-    pkgs.kdePackages.plasma-thunderbolt
-  ];
-}

fw/zfs.nix

@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-{
-  boot.zfs.extraPools = [ "fw" ];
-  # config.boot.zfs.package.latestCompatibleLinuxPackages is fucked, if there are multiple compatible linuxes of the same version, it picks effectively an arbitrary one
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
-  systemd.services.zfs-mount.enable = false;
-
-  # see also fileSystems."/"
-}

hosts/compute-deck/default.nix

@@ -1,8 +1,4 @@
-{
-  pkgs,
-  inputs,
-  ...
-}:
+{ pkgs, inputs, ... }:
 {
   imports = [
     inputs.jovian.nixosModules.jovian
@@ -15,12 +11,18 @@
     ./padtype.nix
   ];
 
-  boot.loader.systemd-boot.enable = false;
-  boot.loader.efi.efiSysMountPoint = "/boot/EFI";
-  boot.loader.grub.efiSupport = true;
-  boot.loader.grub.device = "nodev";
-  boot.loader.efi.canTouchEfiVariables = false;
-  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader = {
+    systemd-boot.enable = false;
+    efi = {
+      efiSysMountPoint = "/boot/EFI";
+      canTouchEfiVariables = false;
+    };
+    grub = {
+      efiSupport = true;
+      device = "nodev";
+      efiInstallAsRemovable = true;
+    };
+  };
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
@@ -45,20 +47,11 @@
 
   services.openssh.enable = true;
 
-  vacu.packages = with pkgs; [
-    audacity
-    librewolf
-    brave
+  vacu.packages = ''
     jupiter-hw-support
     steamdeck-firmware
     steamdeck-bios-fwupd
-    cargo
-    clippy
-    rust-analyzer
-    rustc
-    rustfmt
-    rustup
-  ];
+  '';
 
   # boot.kernelPatches = [
   #   {

hosts/compute-deck/home.nix

@@ -1,16 +1,7 @@
-{ inputs, ... }:
+{ ... }:
 {
   home-manager.users.shelvacu = {
-    # these make vscode-remote work
-    imports = [ inputs.vscode-server.homeModules.default ];
-    services.vscode-server.enable = true;
-
     home.stateVersion = "23.11";
-    # programs.git = {
-    #   enable = true;
-    #   userName = "Shelvacu";
-    #   userEmail = "git@shelvacu.com";
-    # };
     programs.librewolf = {
       enable = true;
 

hosts/compute-deck/padtype.nix

@@ -11,4 +11,12 @@ in
   };
 
   boot.initrd.preLVMCommands = "${padtype-pkg}/bin/padtype &";
+  boot.initrd.kernelModules = [
+    "uhid"
+    "i2c_hid_acpi"
+    "usbhid"
+    "mac_hid"
+    "evdev"
+    "uinput"
+  ];
 }

hosts/fw/apex.nix

@@ -1,5 +1,10 @@
 # everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
-{ pkgs, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
   # to match package used in config.services.pcscd, unfortunately not exposed like usual
   pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
@@ -9,14 +14,16 @@ in
   # nixpkgs.overlays = [ ( final: prev: {
   #   libfido2 = prev.libfido2.override { withPcsclite = true; };
   # } ) ];
-  vacu.packages =
-    (with pkgs; [
+  vacu.packages = lib.mkMerge [
+    ''
       libfido2
       pcsc-tools
       scmccid
       opensc
-    ])
-    ++ [ pcsclite-pkg ];
+      pcsclite
+    ''
+    { pcsclite.package = pcsclite-pkg; }
+  ];
 
   services.pcscd.enable = true;
   # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
@@ -58,12 +65,12 @@ in
     '')
   ];
 
-  programs.firefox.enable = true;
-  #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+  # programs.firefox.enable = true;
+  # programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
 
   # trying CTAP-bridge
   services.udev.extraRules = ''
-    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
-    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
+    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE="0666", TAG+="uaccess"
+    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE="0666", TAG+="uaccess"
   '';
 }

hosts/fw/default.nix

@@ -1,26 +1,36 @@
-{ inputs, pkgs, ... }:
+{ inputs, pkgs, lib, vacuModules, ... }:
 {
   imports = [
     inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    "${inputs.self}/tf2"
+    vacuModules.sops
     ./apex.nix
     ./android.nix
     ./thunderbolt.nix
     ./fwupd.nix
     ./zfs.nix
     ./virtualbox.nix
-    ./sops.nix
     ./radicle.nix
-    ./orca-slicer.nix
     ./tpm-fido.nix
+    ./podman.nix
+    ./waydroid.nix
   ];
 
+  boot.supportedFilesystems = [ "bcachefs" ];
+
   vacu.hostName = "fw";
   vacu.shell.color = "magenta";
   vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
-  vacu.systemKind = "desktop";
+  vacu.systemKind = "laptop";
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  # standard kernel: waydroid works
+  # lqx kernel: games run with less stutters
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_lqx;
+  # boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_15;
+
   networking.networkmanager.enable = true;
+  services.irqbalance.enable = true;
   # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
 
   services.fprintd.enable = false; # kinda broken
@@ -29,74 +39,27 @@
 
   programs.steam.extraCompatPackages = [ pkgs.proton-ge-bin ];
 
-  vacu.packages =
-    (with pkgs; [
-      bitwarden-desktop
-      nheko
-      librewolf
-      brave
-      thunderbird
-      wl-clipboard
-      nextcloud-client
-      signal-desktop
-      fw-ectool
-      framework-tool
-      iio-sensor-proxy
-      power-profiles-daemon
-      acpi
-      jellyfin-media-player
-      vlc
-      dmidecode
-      prismlauncher
-      "ffmpeg-allvrything"
-      wireshark
-      obsidian
-      dino
-      aircrack-ng
-      libreoffice-qt6-fresh
-      gimp
-      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
-      (inkscape-with-extensions.override { inkscapeExtensions = null; })
-      libsmi
-      net-snmp
-      android-tools
-      ghidra
-      wineWowPackages.stableFull
-      wineWowPackages.fonts
-      winetricks
-      tremotesf
-      smartmontools
-      nvme-cli
-      arduino-ide
-      headsetcontrol
-      OSCAR
-      # makemkv
-      mkvtoolnix-cli
-      flac
-      imagemagickBig
-      anki
-      openshot-qt
-      kdePackages.kdenlive
-      shotcut
-      radicle-node
-      josm
-      merkaartor
-      kaffeine
-      kdePackages.elisa
-      haruna
-      kdePackages.dragon
-      wev
-      svp
-      filezilla
-      mercurial
-    ])
-    ++ [ ];
+  vacu.packages = ''
+    android-studio
+    framework-tool
+    fw-ectool
+    headsetcontrol
+    openterface-qt
+    intiface-central
+    osu-lazer
+    mumble
+    obs-studio
+  '';
+
+  services.power-profiles-daemon.enable = true;
 
   networking.firewall.enable = false;
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
   services.desktopManager.plasma6.enable = true;
+  services.printing.enable = true;
+  programs.system-config-printer.enable = true;
 
   boot.loader.grub.enable = true;
   boot.loader.grub.efiSupport = true;
@@ -135,6 +98,16 @@
     fsType = "zfs";
   };
 
+  fileSystems."/cache" = {
+    device = "fw/cache";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home/shelvacu/cache" = {
+    device = "/cache/shelvacu";
+    options = [ "bind" ];
+  };
+
   fileSystems."/boot0" = {
     device = "/dev/disk/by-label/BOOT0";
     fsType = "vfat";
@@ -181,5 +154,5 @@
 
   services.postgresql.enable = true; # for development
 
-  virtualisation.waydroid.enable = true;
+  vacu.programs.thunderbird.enable = true;
 }

hosts/fw/podman.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  virtualisation.containers.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    # Create a `docker` alias for podman, to use it as a drop-in replacement
+    dockerCompat = true;
+    # Required for containers under podman-compose to be able to talk to each other.
+    defaultNetwork.settings.dns_enabled = true;
+  };
+
+  users.users.shelvacu.extraGroups = [ "podman" ];
+}

hosts/fw/radicle.nix

@@ -1,11 +1,11 @@
 { config, ... }:
 {
   sops.secrets.radicle-key = {
-    sopsFile = ../secrets/radicle-private.key;
+    sopsFile = "${config.vacu.sops.secretsPath}/radicle-private.key";
     format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
   };
   services.radicle = {
-    enable = false;
+    enable = true;
     publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
     privateKeyFile = config.sops.secrets.radicle-key.path;
     settings = {
@@ -13,4 +13,8 @@
       seedingPolicy.default = "block";
     };
   };
+  vacu.packages.radicle-node = {
+    enable = true;
+    package = config.services.radicle.package;
+  };
 }

hosts/fw/thunderbolt.nix

@@ -0,0 +1,13 @@
+{ lib, config, ... }:
+{
+  services.hardware.bolt.enable = true;
+
+  vacu.packages = lib.mkMerge [
+    ''
+      thunderbolt
+      bolt
+      kdePackages.plasma-thunderbolt
+    ''
+    { bolt.package = config.services.hardware.bolt.package; }
+  ];
+}

hosts/fw/tpm-fido.nix

@@ -1,8 +1,11 @@
 { config, ... }:
 {
   vacu.packages = [ "tpm-fido" ];
-  users.groups.uhid = {};
-  users.users.shelvacu.extraGroups = [ config.security.tpm2.tssGroup config.users.groups.uhid.name ];
+  users.groups.uhid = { };
+  users.users.shelvacu.extraGroups = [
+    config.security.tpm2.tssGroup
+    config.users.groups.uhid.name
+  ];
   security.tpm2.enable = true;
   security.tpm2.applyUdevRules = true;
   services.udev.extraRules = ''

hosts/fw/waydroid.nix

@@ -0,0 +1,5 @@
+{ ... }:
+{
+  boot.kernelParams = [ "psi=1" ];
+  virtualisation.waydroid.enable = true;
+}

hosts/fw/zfs.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  boot.zfs.extraPools = [ "fw" ];
+  systemd.services.zfs-mount.enable = false;
+
+  # see also fileSystems."/"
+}

hosts/installer/common/default.nix

@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+{
+  # this is an installer image, created anew every time. There's no state we need to worry about messing up
+  system.stateVersion = config.system.nixos.release;
+  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+  vacu.hostName = "vacuInstaller";
+  vacu.shell.color = "red";
+  vacu.systemKind = "minimal";
+
+  vacu.packages = ''
+    acpi
+    iio-sensor-proxy
+    aircrack-ng
+    # bitwarden-cli # 800MB closure size!
+    borgbackup
+    dmidecode
+    home-manager
+    man
+    mercurial
+    nix-index
+    nix-inspect
+    nix-search-cli
+    nmap
+    nvme-cli
+    rclone
+    smartmontools
+    tcpdump
+    termscp
+  '';
+}

hosts/installer/iso.nix

@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./common
+    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+  ];
+  isoImage.isoBaseName = "nixos-shel-installer";
+}

hosts/installer/pxe.nix

@@ -0,0 +1,7 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./common
+    "${modulesPath}/installer/netboot/netboot-minimal.nix"
+  ];
+}

hosts/legtop/default.nix

@@ -11,50 +11,13 @@
   vacu.shortHostName = "lt";
   vacu.shell.color = "blue";
   vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
-  vacu.systemKind = "desktop";
+  vacu.systemKind = "laptop";
 
   system.stateVersion = "24.05";
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  services.power-profiles-daemon.enable = true;
   networking.networkmanager.enable = true;
-  vacu.packages =
-    (with pkgs; [
-      bitwarden-desktop
-      nheko
-      # librewolf
-      brave
-      thunderbird
-      wl-clipboard
-      nextcloud-client
-      signal-desktop
-      iio-sensor-proxy
-      power-profiles-daemon
-      acpi
-      jellyfin-media-player
-      vlc
-      dmidecode
-      prismlauncher
-      ffmpeg_7-full
-      wireshark
-      obsidian
-      dino
-      aircrack-ng
-      libreoffice-qt6-fresh
-      gimp
-      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
-      (inkscape-with-extensions.override { inkscapeExtensions = null; })
-      libsmi
-      net-snmp
-      android-tools
-      ghidra
-      wineWowPackages.stableFull
-      wineWowPackages.fonts
-      winetricks
-      lutris
-      radicle-node
-      proxmark3
-    ])
-    ++ [ ];
 
   services.openssh.enable = true;
 
@@ -80,4 +43,6 @@
     pulse.enable = true;
   };
   programs.steam.enable = true;
+
+  boot.kernelPackages = pkgs.linuxPackages_lqx;
 }

hosts/liam/backup.nix

@@ -0,0 +1,156 @@
+{
+  config,
+  vaculib,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkOption;
+  cfg = config.vacu.liam.backup;
+  commonServiceConfig = {
+    Type = "oneshot";
+    StateDirectory = "auto-borg";
+    CacheDirectory = "auto-borg";
+    ReadOnlyPaths = cfg.paths ++ [ cfg.keyPath ];
+
+    User = cfg.user;
+    Group = cfg.user;
+
+    LockPersonality = true;
+    MemoryDenyWriteExecute = true;
+    PrivateDevices = true;
+    # PrivateUsers = true;
+    ProcSubset = "pid";
+    PrivateTmp = true;
+    ProtectClock = true;
+    ProtectControlGroups = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    ProtectSystem = "strict";
+    RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+    ];
+    RestrictNamespaces = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    SystemCallArchitectures = "native";
+    SystemCallFilter = [
+      "@system-service"
+      "~@privileged"
+    ];
+    UMask = "0077";
+    AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
+    CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
+  };
+in
+{
+  options.vacu.liam.backup = {
+    user = mkOption { default = "autoborger"; };
+    rsyncUser = mkOption { default = "fm2382"; };
+    rsyncHost = mkOption {
+      default = "${cfg.rsyncUser}.rsync.net";
+      defaultText = "(output)";
+    };
+    repo = mkOption {
+      default = "${cfg.rsyncUser}@${cfg.rsyncHost}:borg-repos/liam-backup";
+      defaultText = "(output)";
+    };
+    package = mkOption {
+      default = pkgs.borgbackup;
+      defaultText = "pkgs.borgbackup";
+    };
+    cmd = mkOption {
+      default = lib.getExe cfg.package;
+      defaultText = "lib.getExe cfg.package";
+    };
+    paths = mkOption {
+      default = [
+        "/var/lib/mail"
+        "/var/lib/dovecot"
+        "/var/log"
+      ];
+    };
+    keyPath = mkOption {
+      default = config.sops.secrets.liam-borg-key.path;
+      defaultText = "TODO";
+    };
+  };
+  config = {
+    vacu.assertions = lib.singleton {
+      assertion =
+        (lib.versionAtLeast cfg.package.version "1.4.0")
+        && !(lib.versionAtLeast cfg.package.version "1.5.0");
+      message = "Only for version 1.4.x";
+      fatal = true;
+    };
+
+    sops.secrets.liam-borg-key = {
+      owner = cfg.user;
+    };
+
+    # systemd.tmpfiles.settings."10-auto-borg" = lib.genAttrs cfg.paths (_:
+    #   {
+    #     # A+ = append to ACLs recursively
+    #     "A+" = {
+    #       argument = "u:${cfg.user}:r-x";
+    #     };
+    #   }
+    # );
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.user;
+      home = "/var/lib/auto-borg";
+    };
+    users.groups.${cfg.user} = { };
+    systemd.services.auto-borg-gen-key = {
+      script = ''
+        set -euo pipefail
+        ${lib.optionalString config.vacu.underTest "${pkgs.openssh}/bin/ssh -oBatchMode=yes -oStrictHostKeyChecking=accept-new ${cfg.rsyncHost} || true"}
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "$STATE_DIRECTORY"/id_ed25519 -N ""
+      '';
+      serviceConfig = commonServiceConfig;
+    };
+    systemd.services.auto-borg = {
+      script = ''
+        set -euo pipefail
+        # makes a date like 2025-04-15_21-24-29_UTC
+        dashed_date="$(date -u '+%F_%H-%M-%S_%Z')"
+        archive_name="liam-auto-backup--$dashed_date"
+        export BORG_PASSPHRASE="$(cat ${lib.escapeShellArg cfg.keyPath})"
+        export BORG_REMOTE_PATH="borg14"
+        export BORG_RSH="ssh -i $STATE_DIRECTORY/id_ed25519"
+        export BORG_REPO=${lib.escapeShellArg cfg.repo}
+        export BORG_CACHE_DIR="$CACHE_DIRECTORY/borg"
+        export BORG_CONFIG_DIR="$STATE_DIRECTORY/borg"
+        cmd=(
+          ${lib.escapeShellArg cfg.cmd}
+          create
+          --show-rc
+          --verbose
+          --show-version
+          --stats
+          --atime
+          "::$archive_name"
+          ${lib.escapeShellArgs cfg.paths}
+        )
+        "''${cmd[@]}"
+      '';
+      serviceConfig = commonServiceConfig;
+    };
+    systemd.timers.auto-borg = {
+      enable = !config.vacu.underTest;
+      wantedBy = [ "timers.target" ];
+      # run every day at a random time between 3am and 4am, los angeles time
+      timerConfig = {
+        OnCalendar = "*-*-* 03:00:00 America/Los_Angeles";
+        RandomizedDelaySec = 3600;
+      };
+    };
+  };
+}

hosts/liam/default.nix

@@ -18,6 +18,7 @@ in
     ./dkim.nix
     ./sieve.nix
     ./network.nix
+    ./backup.nix
   ];
 
   options = {
@@ -30,6 +31,8 @@ in
         "in.jean-luc.org"
         "vacu.store"
         "shelvacu.miras.pet"
+        "chat.for.miras.pet"
+        "sv.mt"
       ];
       julie_domains = mkOutOption [
         "violingifts.com"

hosts/liam/dovecot.nix

@@ -28,6 +28,7 @@
     mailLocation = "mdbox:~/mail";
     extraConfig = ''
       mail_home = /var/lib/mail/%n
+      mail_max_userip_connections = 100
       service auth {
         unix_listener /var/lib/postfix/queue/private/dovecot-auth {
           group = ${config.services.postfix.group}

hosts/liam/mail.nix

@@ -17,6 +17,7 @@ let
   relayable_domains = [
     "shelvacu.com"
     "vacu.store"
+    "chat.for.miras.pet"
   ];
   dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
   reject_spam_sources = [
@@ -24,6 +25,10 @@ let
     "buyerservice@made-in-china.com"
     "upgrade-plans@asuswebstorage.com"
     "info@rfidlabel.com"
+    "made-in-china.com"
+    "*.made-in-china.com"
+    "hotels.com"
+    "*.hotels.com"
   ];
   banned_ips = [
     "45.192.103.243/32"
@@ -99,6 +104,8 @@ in
     mapFiles.extra_login_maps = pkgs.writeText "extra-login-maps" (
       ''
         robot@vacu.store vacustore
+        zulip-notify@chat.for.miras.pet miracult-zulip
+        idrac-62pn9z1@shelvacu.com idrac-62pn9z1
       ''
       + config.services.postfix.virtual
     );

hosts/liam/notes.txt

@@ -0,0 +1,21 @@
+I think I can sort my email into these categories:
+- A Top priority: should be a notification
+  - personal emails
+  - here is a code to login (except ms, ugh)
+- B Normal priority: should be reviewed regularly, at least once every couple days
+  - (some) purchase receipts
+  - your credit card was used for <amount>
+  - money stuff
+  - patreons
+- C Low priority: should be skimmed occaisionally to make sure nothing got caught that shouldn't have
+  - C1 good emails:
+    - your statement is available to view
+    - 
+  - C2 spam
+- D Shit-tier: never reviewed, except if I'm missing an email I was otherwise expecting
+  - unsolicited job offers
+  - anything definitely spam
+
+- M Mailing lists
+
+searches should generally search A,B,C but not D or M

hosts/liam/sieve.nix

@@ -0,0 +1,960 @@
+{
+  pkgs,
+  lib,
+  config,
+  vaculib,
+  ...
+}:
+let
+  inherit (builtins)
+    isString
+    isList
+    length
+    head
+    all
+    isInt
+    isAttrs
+    isFloat
+    isBool
+    ;
+  inherit (lib)
+    concatStrings
+    concatStringsSep
+    splitString
+    match
+    replaceStrings
+    reverseList
+    elemAt
+    mapAttrsToList
+    ;
+  mapConcat = f: xs: concatStrings (map f xs);
+  mapConcatSep =
+    sep: f: xs:
+    concatStringsSep sep (map f xs);
+  mapConcatLines = f: xs: mapConcatSep "\n" f xs;
+  isListWhere = xs: f: (isList xs) && (all f xs);
+  stringOrList = val: (isString val) || ((isListWhere val isString) && (length val) > 0);
+  listify = val: if isList val then val else [ val ];
+  is_match = regex: s: (match regex s) != null;
+  is_not_match = regex: s: !(is_match regex s);
+  only_printable_ascii = s: is_match "[ -~\r\n]*" s;
+  has_vars = s: lib.hasInfix ("$" + "{") s;
+  sieve_raw_escape_string =
+    s:
+    if !only_printable_ascii s then
+      builtins.trace s throw "s failed only_printable_ascii check"
+    else
+      replaceStrings [ ''"'' ''\'' "\n" "\r" ] [ ''\"'' ''\\'' ''\n'' ''\r'' ] s;
+  sieve_encode_string =
+    {
+      allow_vars,
+      for_debug_comment,
+      with_quotes,
+    }:
+    s:
+    assert isString s;
+    assert allow_vars || for_debug_comment || (!has_vars s);
+    let
+      a = sieve_raw_escape_string s;
+      b = if for_debug_comment then replaceStrings [ ''*/'' ] [ ''*\/'' ] a else a;
+      res = if with_quotes then ''"${b}"'' else b;
+    in
+    res;
+  sieve_quote_string = sieve_encode_string {
+    allow_vars = false;
+    for_debug_comment = false;
+    with_quotes = true;
+  };
+  sieve_quote_string_with_interp = sieve_encode_string {
+    allow_vars = true;
+    for_debug_comment = false;
+    with_quotes = true;
+  };
+  is_valid_long_ident = is_match "[a-z_][a-z0-9_]*";
+  is_number_ident = is_match "[0-9]*";
+  is_valid_ident = s: (is_valid_long_ident s) || (is_number_ident s);
+  interp =
+    ident:
+    assert isString ident;
+    assert is_valid_ident ident;
+    "$" + "{${ident}}";
+  dest = "envelope_to";
+  dest_domain = "envelope_to_domain";
+  set_envelope = ''
+    #set_envelope START
+    if header :index 1 :matches "X-Envelope-To" "*" {
+      set ${sieve_quote_string dest} "''${1}";
+    }
+    if header :index 1 :matches "X-Envelope-To" "*@*" {
+      set ${sieve_quote_string dest_domain} "''${2}";
+    }
+    #set_envelope END
+  '';
+  envelope_is =
+    key:
+    assert stringOrList key;
+    ''string :is "${interp dest}" ${sieve_encode key}'';
+  envelope_matches =
+    key:
+    assert stringOrList key;
+    ''string :matches "${interp dest}" ${sieve_encode key}'';
+  envelope_domain_is = key: ''string :is "${interp dest_domain}" ${sieve_quote_string key}'';
+  sieve_encode_list =
+    xs:
+    assert isListWhere xs isString;
+    "[ ${mapConcatSep ", " sieve_encode xs} ]";
+  sieve_encode =
+    val:
+    if isString val then
+      sieve_quote_string val
+    else if isList val then
+      sieve_encode_list val
+    else
+      assert "dunno what to do with this";
+      null;
+  sieve_debug_list = xs: "[ ${mapConcat (s: (sieve_debug s) + " ") xs}]";
+  sieve_debug_attrs =
+    attrs:
+    let
+      toPairStr = name: val: "${sieve_debug name} = ${sieve_debug val}; ";
+      pairStrs = mapAttrsToList toPairStr attrs;
+      pairsStr = concatStrings pairStrs;
+    in
+    "{ ${pairsStr}}";
+  sieve_debug =
+    val:
+    if isString val then
+      sieve_encode_string {
+        allow_vars = true;
+        for_debug_comment = true;
+        with_quotes = true;
+      } val
+    else if (isInt val) || (isFloat val) then
+      toString val
+    else if (isBool val) then
+      (if val then "true" else "false")
+    else if isNull val then
+      "null"
+    else if isList val then
+      sieve_debug_list val
+    else if isAttrs val then
+      sieve_debug_attrs val
+    else
+      assert "dunno what to do with this";
+      null;
+  is_flagish =
+    flag_name:
+    let
+      # escape_all = map lib.escapeRegex;
+
+      # all from https://datatracker.ietf.org/doc/html/rfc9051#name-formal-syntax
+      # resp-specials = escape_all [ "]" ];
+      # DQUOTE = ''"'';
+      # quoted-specials = escape_all [ DQUOTE "\\" ];
+      # list-wildcards = escape_all [ "%" "*" ];
+      # CTL = something; # 0x00 thru 0x1F, and 0x7F
+      # SP = escape_all [ " " ];
+      # atom-specials = (escape_all [ "(" ")" "{" ]) ++ [ SP CTL list-wildcards quoted-specials resp-specials ];
+      # " "  0x20 !allowed
+      # "!"  0x21 ok
+      # "\"" 0x22 !allowed
+      # "#"  0x23 ok
+      # "$"  0x24 ok
+      # "%"  0x25 !allowed
+      # "&"  0x26 ok
+      # "'"  0x27 ok
+      # "("  0x28 !allowed
+      # ")"  0x29 !allowed
+      # "*"  0x2a !allowed
+      # "+"  0x2b ok
+      # ...
+      # "Z"  0x5a ok
+      # "["  0x5b !allowed
+      # "\\" 0x5c !allowed
+      # "]"  0x5d ok
+      # "^"  0x5e ok
+      # ...
+      # "z"  0x7a ok
+      # "{"  0x7b !allowed
+      # "|"  0x7c ok
+      # "}"  0x7d ok
+      # "~"  0x7e ok
+      # DEL  0x7f !allowed
+      # ATOM-CHAR = something; # "any CHAR except atom-specials"
+      ATOM-CHAR = ''[]!#$&'+-Z^-z|}~]'';
+      atom = "${ATOM-CHAR}+";
+      flag-keyword = ''\$MDNSent|\$Forwarded|\$Junk|\$NotJunk|\$Phishing|(${atom})'';
+      flag-extension = ''\\(${atom})'';
+      flag = ''\\Answered|\\Flagged|\\Deleted|\\Seen|\\Draft|(${flag-keyword})|(${flag-extension})'';
+    in
+    (isString flag_name) && ((builtins.match flag flag_name) != null);
+  known_flags = rec {
+    seen = ''\Seen'';
+    read = seen;
+  };
+  pure_flags_impl =
+    flags: conditions:
+    assert isListWhere flags isString;
+    assert isListWhere conditions isString;
+    assert (length flags) > 0;
+    assert (length conditions) > 0;
+    let
+      argAttrs = { inherit flags conditions; };
+      firstFlag = head flags;
+      combined_condition = if (length conditions) == 1 then head conditions else (allof conditions);
+    in
+    ''
+      # pure_flags ${sieve_debug argAttrs};
+      removeflag ${sieve_quote_string firstFlag};
+      if ${combined_condition} {
+        ${record_action "pure_flags ${concatStringsSep " " flags}"}
+        ${concatStringsSep "\n" (map (flag: ''addflag ${sieve_quote_string flag};'') flags)}
+      }
+      # pure_flags end
+    '';
+  pure_flags =
+    flags: conditions:
+    assert stringOrList flags;
+    assert stringOrList conditions;
+    pure_flags_impl (listify flags) (listify conditions);
+  exists_impl =
+    headers:
+    assert isListWhere headers isString;
+    if headers == [ ] then
+      "/* exists START: called with empty array */ false /* exists END */"
+    else
+      "/* exists START */ exists ${sieve_encode_list headers} /* exists END */";
+  exists =
+    headers:
+    assert stringOrList headers;
+    exists_impl (listify headers);
+  header_generic =
+    match_kind: header_s: match_es:
+    assert stringOrList header_s;
+    assert stringOrList match_es;
+    ''/* header_generic START */ header ${match_kind} ${sieve_encode header_s} ${sieve_encode match_es} /* header_generic END */'';
+  header_matches = header_generic ":matches";
+  header_is = header_generic ":is";
+  subject_generic = match_kind: match_es: header_generic match_kind "Subject" match_es;
+  subject_matches = subject_generic ":matches";
+  subject_is = subject_generic ":is";
+  environment_generic =
+    match_kind: environment_name_s: match_es:
+    assert stringOrList environment_name_s;
+    assert stringOrList match_es;
+    "environment ${match_kind} ${sieve_encode environment_name_s} ${sieve_encode match_es}";
+  environment_matches = environment_generic ":matches";
+  environment_is = environment_generic ":is";
+  from_is =
+    addr_list:
+    assert stringOrList addr_list;
+    ''/* from_is START */ address :is :all "From" ${sieve_encode addr_list} /* from_is END */'';
+  from_matches =
+    addr_list:
+    assert stringOrList addr_list;
+    ''/* from_is START */ address :matches :all "From" ${sieve_encode addr_list} /* from_is END */'';
+  var_is =
+    var_name: rhs:
+    assert isString var_name;
+    assert stringOrList rhs;
+    ''string :is "''${${var_name}}" ${sieve_encode rhs}'';
+  var_is_true = var_name: var_is var_name "1";
+  var_is_false = var_name: not (var_is_true var_name);
+  has_flag =
+    flag_name:
+    assert isString flag_name;
+    assert is_flagish flag_name; # no spaces allowed in flag names
+    ''hasflag :is ${sieve_encode flag_name}'';
+  set_with_interp =
+    var_name: new_val:
+    assert isString var_name;
+    assert is_valid_ident var_name;
+    assert isString new_val;
+    "set ${sieve_encode var_name} ${sieve_quote_string_with_interp new_val};";
+  set =
+    var_name: new_val:
+    assert isString var_name;
+    assert is_valid_ident var_name;
+    assert isString new_val;
+    "set ${sieve_encode var_name} ${sieve_encode new_val};";
+  set_bool_var =
+    var_name: bool_val:
+    assert isBool bool_val;
+    set var_name (if bool_val then "1" else "0");
+  over_test_list =
+    name: test_list:
+    assert isListWhere test_list isString;
+    ''
+      ${name}(
+      ${concatStringsSep ",\n" test_list}
+      )
+    '';
+  anyof = over_test_list "anyof";
+  allof = over_test_list "allof";
+  not = test: "not ${test}";
+  record_action =
+    action_desc:
+    assert isString action_desc;
+    ''addheader "X-Vacu-Action" ${sieve_encode action_desc};'';
+  fileinto =
+    folder:
+    assert isString folder;
+    ''
+      ${record_action "fileinto ${folder}"}
+      fileinto :create ${sieve_encode folder};
+    '';
+  ihave =
+    extension_name_s:
+    assert stringOrList extension_name_s;
+    "ihave ${sieve_encode extension_name_s}";
+  # email_filters = map (e: ''
+  #   elsif ${envelope_is e} { # item of email_filters
+  #     ${record_action "email_filters fileinto ${mk_email_folder_name e}"}
+  #     fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
+  #   }
+  # '') email_folders;
+  # domain_filters = map (d: ''
+  #   elsif ${envelope_domain_is d} { # item of domain_filters
+  #     ${record_action "domain_filters fileinto ${mk_domain_folder_name d}"}
+  #     fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
+  #   }
+  # '') domain_folders;
+  set_from =
+    {
+      condition,
+      var,
+      default ? "-",
+      warn_if_unset ? false,
+    }@args:
+    ''
+      # set_from ${sieve_debug args}
+      if ${condition} {
+        ${set_with_interp var (interp "1")}
+      }
+      else {
+        ${lib.optionalString warn_if_unset (
+          maybe_debug "info: Could not set ${var} from condition ${condition}, setting to default(${default})"
+        )}
+        ${set var default}
+      }
+      # set_from END
+    '';
+  set_var_from_environment =
+    item: var:
+    ''
+      # set_var_from_environment
+    ''
+    + set_from {
+      condition = ''environment :matches ${sieve_quote_string item} "*"'';
+      inherit var;
+    };
+  maybe_debug = msg: ''
+    if ${ihave "vnd.dovecot.debug"} {
+      debug_log ${sieve_quote_string_with_interp msg};
+    }
+  '';
+  # trimmed down from https://pages.ebay.com/securitycenter/security_researchers_eligible_domains.html
+  ebay_domains = vaculib.listOfLines { } ''
+    ebay.com
+    ebay.co.uk
+    ebay.com.au
+    ebay.de
+    ebay.ca
+    ebay.fr
+    ebay.it
+    ebay.es
+    ebay.at
+    ebay.ch
+    ebay.com.hk
+    ebay.com.sg
+    ebay.com.my
+    ebay.in
+    ebay.ph
+    ebay.ie
+    ebay.pl
+    ebay.be
+    ebay.nl
+    ebay.cn
+    ebay.com.tw
+    ebay.co.jp
+    ebaythailand.co.th
+  '';
+  sieve_text = ''
+    require [
+      "fileinto",
+      "mailbox",
+      "imap4flags",
+      "editheader",
+      "environment",
+      "variables",
+      "date",
+      "index",
+      "ihave"
+    ];
+
+    if ${
+      allof [
+        (ihave "imapsieve")
+        (environment_matches "imap.user" "*")
+        (environment_matches "location" "MS")
+        (environment_matches "phase" "post")
+      ]
+    } {
+      ${set_bool_var "in_imap" true}
+    } else {
+      ${set_bool_var "in_imap" false}
+    }
+
+    if ${var_is_true "in_imap"} {
+      if ${
+        not (allof [
+          (environment_is "imap.cause" [
+            "APPEND"
+            "COPY"
+            ""
+          ])
+          (environment_is "imap.mailbox" [
+            "MagicRefilter"
+            ""
+          ])
+        ])
+      } {
+        ${maybe_debug "NOT doing anything cuz imap.cause and/or imap.mailbox isn't right"}
+        stop;
+      }
+    }
+
+    ${set_envelope}
+    ${set_var_from_environment "location" "env_location"}
+    ${set_var_from_environment "phase" "env_phase"}
+    ${set_var_from_environment "imap.user" "env_imap_user"}
+    ${set_var_from_environment "imap.email" "env_imap_email"}
+    ${set_var_from_environment "imap.cause" "env_imap_cause"}
+    ${set_var_from_environment "imap.mailbox" "env_imap_mailbox"}
+    ${set_var_from_environment "imap.changedflags" "env_imap_changedflags"}
+    ${set_from {
+      condition = ''currentdate :matches "iso8601" "*"'';
+      var = "datetime";
+    }}
+    ${set_with_interp "sieved_message" ''at ''${datetime} by ${config.vacu.versionId} loc ''${env_location} phase ''${env_phase} user ''${env_imap_user} email ''${env_imap_email} cause ''${env_imap_cause} mailbox ''${env_imap_mailbox} changedflags ''${env_imap_changedflags} envelope ''${dest}''}
+    ${maybe_debug ''X-Vacu-Sieved: ''${sieved_message}''}
+
+    if ${ihave "envelope"} {
+      if envelope :all :matches "to" "*@*" {
+        ${set_with_interp "userfor" (interp "1")}
+      } else {
+        error "i dunno what to do, theres no envelope";
+      }
+    }
+    elsif ${var_is_true "in_imap"} {
+      ${set_with_interp "userfor" (interp "env_imap_user")}
+    }
+    else {
+      error "dont have envelope or imapsieve, dunno what to do";
+    }
+
+    if ${var_is "userfor" "shelvacu"} {
+      addheader "X-Vacu-Sieved" "''${sieved_message}";
+      removeflag "not-spamish";
+      removeflag "orders";
+      removeflag "banking";
+      removeflag "banking-statements";
+      removeflag "banking-transactions";
+      removeflag "A";
+      removeflag "B";
+      removeflag "B.subscriptions";
+      removeflag "C";
+      removeflag "D";
+
+      ${pure_flags [ "wells-fargo" "banking" ] (envelope_is "wf-primary@shelvacu.com")}
+      ${pure_flags
+        [ "wells-fargo-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "wells-fargo")
+          (subject_matches [
+            "You just got paid!"
+            "Wells Fargo card purchase exceeded preset amount"
+            "You made a payment"
+            "You made a credit card purchase of *"
+            "Your card wasn't present for a purchase"
+            "Account update"
+            "You've earned cash back from My Wells Fargo Deals"
+            "Confirmation of your Wells Fargo Rewards redemption"
+            "You sent money with Zelle(R)"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-statements" "banking-statements" "C" ]
+        [
+          (has_flag "wells-fargo")
+          (subject_matches [
+            "Your statement for credit card account *"
+            "Your statement for account *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-action-required" "A" ]
+        [
+          # wf is actually careful about saying action required
+          (has_flag "wells-fargo")
+          (subject_matches "Action Required: *")
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-misc" "A" ]
+        [
+          (has_flag "wells-fargo")
+          (not (has_flag "wells-fargo-transactions"))
+          (not (has_flag "wells-fargo-statements"))
+          (not (has_flag "wells-fargo-action-required"))
+        ]
+      }
+      ${pure_flags [ "chase" "banking" ] (envelope_is "chase@shelvacu.com")}
+      ${pure_flags
+        [ "chase-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "chase")
+          (subject_matches [
+            "Your * payment is scheduled"
+            "You made a * transaction with *"
+            "Your * transaction with *"
+            "Chase security alert: You signed in with a new device"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "chase-statements" "banking-statements" "C" ]
+        [
+          (has_flag "chase")
+          (subject_matches [
+            "Your credit card statement is available"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "chase-spam" "D" ]
+        [
+          (has_flag "chase")
+          (anyof [
+            (header_is "From" "Chase Credit Journey <no.reply.alerts@chase.com>")
+            (subject_is [
+              "Review your recent activity"
+              "Good news: You may qualify for a credit line increase!"
+              "Your Chase card is available to use with Paze - Activate now!"
+            ])
+          ])
+        ]
+      }
+      ${pure_flags [ "experian" ] (envelope_is "fbyjemby@shelvacu.com")}
+      ${pure_flags
+        [ "experian-spam" "D" ]
+        [
+          (has_flag "experian")
+          (subject_matches [
+            "*, your FICO* Score has been updated"
+            "Your monthly account statement is here, *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal" "banking" ]
+        [
+          # can't go purely on envelope, because paypal loves to give my email to every merchant I interact with
+          (envelope_is "paypal@shelvacu.com")
+          (from_matches [
+            "*@paypal.com"
+            "*@*.paypal.com"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "paypal")
+          (subject_matches [
+            "Receipt for your payment to *"
+            "*: $* USD"
+            "*: $* CAD"
+            "*: kr * SEK"
+            "You authorized a payment to *"
+            "You sent an automatic payment to *"
+            "Review your new automatic payment setup for *"
+            "You have a refund from *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal-statements" "banking-statements" "C" ]
+        [
+          (has_flag "paypal")
+          (subject_matches [
+            "*, your * account statement is available."
+          ])
+        ]
+      }
+
+      ${pure_flags [ "usps-id" ] (envelope_is "usps-id@shelvacu.com")}
+      ${pure_flags
+        [ "usps-expected-delivery" "C" ]
+        [
+          (has_flag "usps-id")
+          (subject_matches "USPS* Expected Delivery *")
+        ]
+      }
+      ${pure_flags
+        [ "amazon-ignore" "C" ]
+        [
+          (envelope_is "amznbsns@shelvacu.com")
+          (subject_matches [
+            "Your Amazon.com order has shipped*"
+            "Your Amazon.com order of * has shipped!"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "bandcamp-ignore" "C" ]
+        [
+          (envelope_is "bandcamp@shelvacu.com")
+          (subject_matches [
+            "* just announced a listening party on Bandcamp"
+            "New items from *"
+            "Starting in *"
+            "New from *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "bandcamp-not-ignore" "B.subscriptions" ]
+        [
+          (envelope_is "bandcamp@shelvacu.com")
+          ''not hasflag "bandcamp-ignore"''
+        ]
+      }
+      ${pure_flags [ "ika-ignore" "D" ] (envelope_is "ika@dis8.net")}
+      ${pure_flags
+        [ "ally-statement" "C" ]
+        [
+          (envelope_is "ally@shelvacu.com")
+          (subject_is "Your latest statement is ready to view.")
+        ]
+      }
+
+      ${pure_flags "bloomberg" (envelope_is "bloomberg@shelvacu.com")}
+
+      ${pure_flags
+        [ "money-stuff" "not-spamish" ]
+        [
+          (envelope_is "bloomberg@shelvacu.com")
+          ''header :matches "From" "\"Matt Levine\" *"''
+        ]
+      }
+
+      ${pure_flags
+        [ "money-stuff-podcast" "D" known_flags.read ]
+        [
+          (has_flag "money-stuff")
+          (subject_matches "Money Stuff: The Podcast:*")
+        ]
+      }
+
+      ${pure_flags
+        [ "money-stuff-not-podcast" "B.subscriptions" ]
+        [
+          (has_flag "money-stuff")
+          (not (has_flag "money-stuff-podcast"))
+        ]
+      }
+
+      ${pure_flags [ "git" "not-spamish" "B" ] (exists [
+        "X-GitHub-Reason"
+        "X-GitLab-Project"
+      ])}
+      ${pure_flags [ "git-uninsane" "git" "not-spamish" "B" ] (envelope_is "git-uninsane@shelvacu.com")}
+      ${pure_flags [ "github" "git" "not-spamish" "B" ] (header_matches "List-Id" "*<*.github.com>")}
+      ${pure_flags [ "mailing-list-by-envelope" "not-spamish" "B" ] (
+        envelope_matches "*-ml@shelvacu.com"
+      )}
+      
+      ${pure_flags [ "discourse" "not-spamish" "B" ] (exists "X-Discourse-Post-Id")}
+      ${pure_flags [ "agora" "not-spamish" ] (envelope_is "agora@shelvacu.com")}
+      ${pure_flags [ "postgres-list" "not-spamish" ] (
+        header_matches "List-Id" "<*.lists.postgresql.org>"
+      )}
+      ${pure_flags [ "secureaccesswa" "not-spamish" "A" ] (from_is "help@secureaccess.wa.gov")}
+      ${pure_flags [ "letsencrypt-mailing-list" "not-spamish" "B" ] (
+        envelope_is "lets-encrypt-mailing-list@shelvacu.com"
+      )}
+      ${pure_flags [ "jmp-news" "not-spamish" "B" ] (header_matches "List-Id" "*<jmp-news.soprani.ca>")}
+      ${pure_flags
+        [ "tf2wiki" "not-spamish" "B" ]
+        [
+          (envelope_is "tf2wiki@shelvacu.com")
+          (from_is "noreply@wiki.teamfortress.com")
+        ]
+      }
+
+      ${pure_flags "gmail-fwd" (envelope_is "gmailfwd-fc2e10bec8b2@shelvacu.com")}
+      ${pure_flags [ "ebay" "orders" ] (envelope_is "ebay@shelvacu.com")}
+      ${pure_flags
+        [ "ebay-delivered" "B" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "*ORDER DELIVERED: *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-message" "B" ]
+        [
+          (has_flag "ebay")
+          (from_matches (map (domain: "*@members.${domain}") ebay_domains))
+        ]
+      }
+      ${pure_flags
+        [ "ebay-offer" "B" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "You have an offer from the seller, *"
+            "You saw it at *, but the seller is now offering *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-order-update" "C" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "Out for delivery: *"
+            "*DELIVERY UPDATE: *"
+            "*Order update: *"
+            "EARLY DELIVERY UPDATE: *"
+            "Important information regarding your Global Shipping Program transaction *" # ebay: "important information! your order is being shipped." why did you say this was ""important""???
+            "Your package is now with *"
+            "*Order confirmed: *"
+            "Your order is confirmed"
+            "Your order is in!"
+            "*An update on your order"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-bid-ongoing-notification" "C" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "Michael, your bid for * is winning"
+            "* just got a new bid."
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-feedback" "D" ]
+        [
+          (has_flag "ebay")
+          (subject_matches "Please provide feedback for your eBay items")
+        ]
+      }
+      ${pure_flags [ "royal-mail" "orders" ] (from_is "no-reply@royalmail.com")}
+      ${pure_flags
+        [ "royal-mail-delivered" "B" ]
+        [
+          (has_flag "royal-mail")
+          (subject_matches "Your Royal Mail parcel has been delivered")
+        ]
+      }
+      ${pure_flags
+        [ "royal-mail-on-the-way" "D" ]
+        [
+          (has_flag "royal-mail")
+          (subject_matches "Your Royal Mail parcel is on its way")
+        ]
+      }
+      ${pure_flags [ "aliexpress" "orders" ] (from_is [
+        "transaction@notice.aliexpress.com"
+        "aliexpress@notice.aliexpress.com"
+      ])}
+      ${pure_flags
+        [ "aliexpress-delivered" "B" ]
+        [
+          (has_flag "aliexpress")
+          (from_is "transaction@notice.aliexpress.com")
+          (subject_matches "Order * has been signed for")
+        ]
+      }
+      ${pure_flags
+        [ "aliexpress" "orders" "C" ]
+        [
+          (has_flag "aliexpress")
+          (not (has_flag "aliexpress-delivered"))
+        ]
+      }
+      ${pure_flags [ "brandcrowd" "D" ] (envelope_is "brandcrowd@shelvacu.com")}
+      ${pure_flags [ "cpapsupplies" "D" ] (envelope_is "cpapsupplies@shelvacu.com")}
+      ${pure_flags [ "genshin" "D" ] (envelope_is "genshin@shelvacu.com")}
+      ${pure_flags [ "jork" "B" ] (envelope_is "jork@shelvacu.com")}
+      ${pure_flags [ "patreon" "not-spamish" ] (envelope_is "patreon@shelvacu.com")}
+      ${pure_flags
+        [ "patreon-post" "B.subscriptions" ]
+        [
+          (has_flag "patreon")
+          (header_is "X-Mailgun-Tag" "template_newsletterpostcontrol")
+        ]
+      }
+      ${pure_flags
+        [ "patreon-free-member-digest" "D" ]
+        [
+          (has_flag "patreon")
+          (header_is "X-Mailgun-Tag" "template_freememberdigest")
+        ]
+      }
+      ${pure_flags
+        [ "patreon-other" "B" ]
+        [
+          (has_flag "patreon")
+          (not (has_flag "patreon-post"))
+          (not (has_flag "patreon-free-member-digest"))
+        ]
+      }
+      ${pure_flags [ "rsb" "B" ] (from_is "support@rapidseedbox.com")}
+      ${pure_flags [ "fresh-avocado-dis8" "D" ] (envelope_is "fresh.avocado@dis8.net")}
+      ${pure_flags [ "discord" "A" ] (envelope_matches "discord@*")}
+      ${pure_flags [ "za-sa" "D" ] (from_matches [
+        "*@*.sa.com"
+        "*@*.za.com"
+      ])}
+      ${pure_flags [ "localdomain" "D" ] (from_matches [
+        "*@*.local"
+        "*@*.localdomain"
+      ])}
+      ${pure_flags [ "helium" "D" ] (envelope_is "creepyface@dis8.net")}
+      ${pure_flags [ "sharkmood" "C" ] (envelope_is "sharkmood@dis8.net")}
+      ${pure_flags [ "im-not-district-158" "D" ] (envelope_is [
+        "khamar.anderson@dis8.net"
+        "pbooth@dis8.net"
+        "sgaylor@dis8.net"
+      ])}
+      ${pure_flags [ "next-level-burger" "D" ] (header_matches "From" "*Next Level Burger*")}
+      ${pure_flags [ "lyft" "D" ] (envelope_is "lyft@shelvacu.com")}
+      ${pure_flags [ "coursera" "D" ] (from_matches "*.*.coursera.org")}
+      ${pure_flags [ "taskrabbit" "D" ] (envelope_is "taskrabbit@shelvacu.com")}
+      ${pure_flags [ "subscribestar_code" "A" ] (allof [
+        (envelope_is "subscribestar@shelvacu.com")
+        (subject_is "Your authentication code")
+      ])}
+      ${pure_flags "itch-io" (from_is "postmaster@itch.io")}
+      ${pure_flags
+        [ "itch-io-update" "B.subscriptions" ]
+        [
+          (has_flag "itch-io")
+          (subject_matches "[itch.io] * update *")
+        ]
+      }
+      ${pure_flags
+        [ "lowering-the-bar" "B.subscriptions" ]
+        [
+          (envelope_is "ltb@shelvacu.com")
+        ]
+      }
+      ${pure_flags [ "hotels-com" "D" ] (from_matches [
+        "hotels.com"
+        "*.hotels.com"
+      ])}
+
+      ${pure_flags
+        [ "spamish-by-headers" "C" ]
+        [
+          (anyof [
+            (header_is "Precedence" "bulk")
+            (exists "List-Unsubscribe")
+            (exists "List-Unsubscribe-Post")
+          ])
+          (not (has_flag "not-spamish"))
+        ]
+      }
+
+      if hasflag "agora" {
+        ${fileinto "M.agora"}
+      } elsif hasflag "postgres-list" {
+        ${fileinto "M.postgres"}
+      } elsif hasflag "D" {
+        ${fileinto "D"}
+      } elsif hasflag "C" {
+        ${fileinto "C"}
+      } elsif hasflag "A" {
+        ${fileinto "A"}
+      } elsif hasflag "B.subscriptions" {
+        ${fileinto "B.subscriptions"}
+      } else {
+        ${fileinto "B"}
+      }
+    }
+    # disable any sieve scripts that might want to run after this one
+    stop;
+  '';
+  pigeonhole_pkg = pkgs.dovecot_pigeonhole;
+in
+{
+  imports = [
+    # Allow running a sieve filter when a message gets moved to another folder in imap
+    # see https://doc.dovecot.org/2.3/configuration_manual/sieve/plugins/imapsieve/
+    {
+      services.dovecot2 = {
+        sieve.plugins = [ "sieve_imapsieve" ];
+        mailPlugins.perProtocol.imap.enable = [ "imap_sieve" ];
+      };
+    }
+  ];
+  options.vacu.checkSieve = lib.mkOption {
+    readOnly = true;
+    default = pkgs.writeScriptBin "check-liam-sieve" ''
+      set -xev
+      ${lib.escapeShellArgs [
+        (lib.getExe' pigeonhole_pkg "sieve-test")
+        "-c"
+        config.services.dovecot2.configFile
+        "-C" # force compilation
+        "-D" # enable sieve debugging
+        "-f"
+        "some-rando@example.com"
+        "-a"
+        "shelvacu@liam.dis8.net"
+        config.services.dovecot2.sieve.scripts.before
+        "/dev/null"
+      ]}
+    '';
+    defaultText = "check-liam-sieve package";
+  };
+  options.vacu.liam-sieve-script = lib.mkOption {
+    readOnly = true;
+    default = pkgs.writeText "mainsieve" sieve_text;
+    defaultText = "mainsieve text package";
+  };
+  config = {
+    vacu.packages = [ pigeonhole_pkg ];
+    services.dovecot2.sieve = {
+      extensions = [
+        "fileinto"
+        "mailbox"
+        "editheader"
+        "vnd.dovecot.debug"
+      ];
+      scripts.before = config.vacu.liam-sieve-script;
+    };
+    services.dovecot2.imapsieve.mailbox = [
+      {
+        name = "*";
+        causes = [
+          "APPEND"
+          "COPY"
+          "FLAG"
+        ];
+        before = config.vacu.liam-sieve-script;
+      }
+    ];
+    # services.dovecot2.mailboxes."magic-refilter".auto = "create";
+  };
+}

hosts/liam/sops.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  vacuModules,
+  ...
+}:
+{
+  imports = [ vacuModules.sops ];
+
+  config.sops = {
+    secrets.dovecot-passwd = {
+      restartUnits = [ "dovecot2.service" ];
+    };
+    secrets.dkim_key = {
+      name = "dkimkeys/2024-03-liam.private";
+      restartUnits = [ "opendkim.service" ];
+      owner = config.services.opendkim.user;
+    };
+    secrets.relay_creds = {
+      restartUnits = [ "postfix.service" ];
+      owner = config.services.postfix.user;
+    };
+  };
+}

hosts/lp0/default.nix

@@ -49,11 +49,6 @@
 
   services.openssh.enable = true;
 
-  # system.autoUpgrade.enable = true;
-  # system.autoUpgrade.allowReboot = true;
-  # system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
-
-  nixpkgs.config.allowUnfree = true;
   services.zerotierone = {
     enable = true;
     joinNetworks = [ "1d719394047b32ae" ];
@@ -64,11 +59,4 @@
 
   # Disable wifi card; This is sitting directly under a router and I don't want to cause interference.
   boot.blacklistedKernelModules = [ "iwlwifi" ];
-
-  # networking.nat = {
-  #   enable = true;
-  #   externalInterface = "enp2s0";
-  #   internalIPs = [ "192.168.192.0/24" ];
-  #   internalInterfaces = [ "ztrf26rjvk" ];
-  # };
 }

hosts/nix-on-droid/default.nix

@@ -28,10 +28,17 @@
   # Set your time zone
   time.timeZone = "America/Los_Angeles";
 
-  vacu.packages.yt-dlp.enable = true;
-  vacu.packages.radicle-node.enable = true;
+  android-integration = {
+    am.enable = true;
+    termux-open.enable = true;
+    termux-open-url.enable = true;
+    termux-reload-settings.enable = true;
+    termux-setup-storage.enable = true;
+    termux-wake-lock.enable = true;
+    termux-wake-unlock.enable = true;
+    xdg-open.enable = true;
+  };
 
-  #specific to the particular install; avoids impurity
-  #user.gid = 10287;
-  #user.uid = 10287;
+  vacu.packages.jujutsu.enable = false; # build is borked on aarch64-linux
+  vacu.packages.gnupg.enable = true;
 }

hosts/nix-on-droid/sshd.nix

@@ -0,0 +1,585 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  # from <nixpkgs>/nixos/modules/networking/ssh/sshd.nix
+  settingsFormat =
+    let
+      # reports boolean as yes / no
+      mkValueString =
+        v:
+        if lib.isInt v then
+          toString v
+        else if lib.isString v then
+          v
+        else if true == v then
+          "yes"
+        else if false == v then
+          "no"
+        else
+          throw "unsupported type ${builtins.typeOf v}: ${(lib.generators.toPretty { }) v}";
+
+      base = pkgs.formats.keyValue {
+        mkKeyValue = lib.generators.mkKeyValueDefault { inherit mkValueString; } " ";
+      };
+      # OpenSSH is very inconsistent with options that can take multiple values.
+      # For some of them, they can simply appear multiple times and are appended, for others the
+      # values must be separated by whitespace or even commas.
+      # Consult either sshd_config(5) or, as last resort, the OpehSSH source for parsing
+      # the options at servconf.c:process_server_config_line_depth() to determine the right "mode"
+      # for each. But fortunately this fact is documented for most of them in the manpage.
+      commaSeparated = [
+        "Ciphers"
+        "KexAlgorithms"
+        "Macs"
+      ];
+      spaceSeparated = [
+        "AuthorizedKeysFile"
+        "AllowGroups"
+        "AllowUsers"
+        "DenyGroups"
+        "DenyUsers"
+      ];
+    in
+    {
+      inherit (base) type;
+      generate =
+        name: value:
+        let
+          transformedValue = lib.mapAttrs (
+            key: val:
+            if lib.isList val then
+              if lib.elem key commaSeparated then
+                lib.concatStringsSep "," val
+              else if lib.elem key spaceSeparated then
+                lib.concatStringsSep " " val
+              else
+                throw "list value for unknown key ${key}: ${(lib.generators.toPretty { }) val}"
+            else
+              val
+          ) value;
+        in
+        base.generate name transformedValue;
+    };
+
+  configFile = settingsFormat.generate "sshd.conf-settings" (
+    lib.filterAttrs (n: v: v != null) cfg.settings
+  );
+  sshconf = pkgs.runCommand "sshd.conf-final" { } ''
+    cat ${configFile} - >$out <<EOL
+    ${cfg.extraConfig}
+    EOL
+  '';
+
+  cfg = config.vacu.sshd;
+
+  settingsModule =
+    { name, ... }:
+    {
+      freeformType = settingsFormat.type;
+      options = {
+        AuthorizedPrincipalsFile = mkOption {
+          type = types.nullOr types.str;
+          default = "none"; # upstream default
+          description = ''
+            Specifies a file that lists principal names that are accepted for certificate authentication. The default
+            is `"none"`, i.e. not to use  a principals file.
+          '';
+        };
+        LogLevel = mkOption {
+          type = types.nullOr (
+            types.enum [
+              "QUIET"
+              "FATAL"
+              "ERROR"
+              "INFO"
+              "VERBOSE"
+              "DEBUG"
+              "DEBUG1"
+              "DEBUG2"
+              "DEBUG3"
+            ]
+          );
+          default = "INFO"; # upstream default
+          description = ''
+            Gives the verbosity level that is used when logging messages from {manpage}`sshd(8)`. Logging with a DEBUG level
+            violates the privacy of users and is not recommended.
+          '';
+        };
+        UsePAM = lib.mkEnableOption "PAM authentication" // {
+          default = true;
+          type = types.nullOr types.bool;
+        };
+        UseDns = mkOption {
+          type = types.nullOr types.bool;
+          # apply if cfg.useDns then "yes" else "no"
+          default = false;
+          description = ''
+            Specifies whether {manpage}`sshd(8)` should look up the remote host name, and to check that the resolved host name for
+            the remote IP address maps back to the very same IP address.
+            If this option is set to no (the default) then only addresses and not host names may be used in
+            ~/.ssh/authorized_keys from and sshd_config Match Host directives.
+          '';
+        };
+        X11Forwarding = mkOption {
+          type = types.nullOr types.bool;
+          default = false;
+          description = ''
+            Whether to allow X11 connections to be forwarded.
+          '';
+        };
+        PasswordAuthentication = mkOption {
+          type = types.nullOr types.bool;
+          default = true;
+          description = ''
+            Specifies whether password authentication is allowed.
+          '';
+        };
+        PermitRootLogin = mkOption {
+          default = "prohibit-password";
+          type = types.nullOr (
+            types.enum [
+              "yes"
+              "without-password"
+              "prohibit-password"
+              "forced-commands-only"
+              "no"
+            ]
+          );
+          description = ''
+            Whether the root user can login using ssh.
+          '';
+        };
+        KbdInteractiveAuthentication = mkOption {
+          type = types.nullOr types.bool;
+          default = true;
+          description = ''
+            Specifies whether keyboard-interactive authentication is allowed.
+          '';
+        };
+        GatewayPorts = mkOption {
+          type = types.nullOr types.str;
+          default = "no";
+          description = ''
+            Specifies whether remote hosts are allowed to connect to
+            ports forwarded for the client.  See
+            {manpage}`sshd_config(5)`.
+          '';
+        };
+        KexAlgorithms = mkOption {
+          type = types.nullOr (types.listOf types.str);
+          default = [
+            "mlkem768x25519-sha256"
+            "sntrup761x25519-sha512"
+            "sntrup761x25519-sha512@openssh.com"
+            "curve25519-sha256"
+            "curve25519-sha256@libssh.org"
+            "diffie-hellman-group-exchange-sha256"
+          ];
+          description = ''
+            Allowed key exchange algorithms
+
+            Uses the lower bound recommended in both
+            <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
+            and
+            <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
+          '';
+        };
+        Macs = mkOption {
+          type = types.nullOr (types.listOf types.str);
+          default = [
+            "hmac-sha2-512-etm@openssh.com"
+            "hmac-sha2-256-etm@openssh.com"
+            "umac-128-etm@openssh.com"
+          ];
+          description = ''
+            Allowed MACs
+
+            Defaults to recommended settings from both
+            <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
+            and
+            <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
+          '';
+        };
+        StrictModes = mkOption {
+          type = types.nullOr (types.bool);
+          default = true;
+          description = ''
+            Whether sshd should check file modes and ownership of directories
+          '';
+        };
+        Ciphers = mkOption {
+          type = types.nullOr (types.listOf types.str);
+          default = [
+            "chacha20-poly1305@openssh.com"
+            "aes256-gcm@openssh.com"
+            "aes128-gcm@openssh.com"
+            "aes256-ctr"
+            "aes192-ctr"
+            "aes128-ctr"
+          ];
+          description = ''
+            Allowed ciphers
+
+            Defaults to recommended settings from both
+            <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
+            and
+            <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
+          '';
+        };
+        AllowUsers = mkOption {
+          type = with types; nullOr (listOf str);
+          default = null;
+          description = ''
+            If specified, login is allowed only for the listed users.
+            See {manpage}`sshd_config(5)` for details.
+          '';
+        };
+        DenyUsers = mkOption {
+          type = with types; nullOr (listOf str);
+          default = null;
+          description = ''
+            If specified, login is denied for all listed users. Takes
+            precedence over [](#opt-services.openssh.settings.AllowUsers).
+            See {manpage}`sshd_config(5)` for details.
+          '';
+        };
+        AllowGroups = mkOption {
+          type = with types; nullOr (listOf str);
+          default = null;
+          description = ''
+            If specified, login is allowed only for users part of the
+            listed groups.
+            See {manpage}`sshd_config(5)` for details.
+          '';
+        };
+        DenyGroups = mkOption {
+          type = with types; nullOr (listOf str);
+          default = null;
+          description = ''
+            If specified, login is denied for all users part of the listed
+            groups. Takes precedence over
+            [](#opt-services.openssh.settings.AllowGroups). See
+            {manpage}`sshd_config(5)` for details.
+          '';
+        };
+        # Disabled by default, since pam_motd handles this.
+        PrintMotd = lib.mkEnableOption "printing /etc/motd when a user logs in interactively" // {
+          type = types.nullOr types.bool;
+        };
+
+      };
+    };
+in
+{
+  options.vacu.sshd = {
+    enable = lib.mkEnableOption "openssh server";
+
+    package = mkOption {
+      type = types.package;
+      default = config.vacu.git.package;
+      defaultText = lib.literalExpression "config.vacu.git.package";
+      description = "OpenSSH package to use for sshd.";
+    };
+
+    authorizedKeys = mkOption {
+      type = types.listOf types.singleLineStr;
+      default = [ ];
+    };
+
+    allowSFTP = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to enable the SFTP subsystem in the SSH daemon.  This
+        enables the use of commands such as {command}`sftp` and
+        {command}`sshfs`.
+      '';
+    };
+
+    sftpServerExecutable = mkOption {
+      type = types.str;
+      example = "internal-sftp";
+      description = ''
+        The sftp server executable.  Can be a path or "internal-sftp" to use
+        the sftp server built into the sshd binary.
+      '';
+    };
+
+    sftpFlags = mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      example = [
+        "-f AUTHPRIV"
+        "-l INFO"
+      ];
+      description = ''
+        Commandline flags to add to sftp-server.
+      '';
+    };
+
+    ports = mkOption {
+      type = types.listOf types.port;
+      default = [ 22 ];
+      description = ''
+        Specifies on which ports the SSH daemon listens.
+      '';
+    };
+
+    listenAddresses = mkOption {
+      type = types.listOf (
+        types.submodule {
+          options = {
+            addr = mkOption {
+              type = types.nullOr types.str;
+              default = null;
+              description = ''
+                Host, IPv4 or IPv6 address to listen to.
+              '';
+            };
+            port = mkOption {
+              type = types.nullOr types.int;
+              default = null;
+              description = ''
+                Port to listen to.
+              '';
+            };
+          };
+        }
+      );
+      default = [ ];
+      example = [
+        {
+          addr = "192.168.3.1";
+          port = 22;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 64022;
+        }
+      ];
+      description = ''
+        List of addresses and ports to listen on (ListenAddress directive
+        in config). If port is not specified for address sshd will listen
+        on all ports specified by `ports` option.
+        NOTE: this will override default listening on all local addresses and port 22.
+        NOTE: setting this option won't automatically enable given ports
+        in firewall configuration.
+      '';
+    };
+
+    hostKeys = mkOption {
+      type = types.listOf types.attrs;
+      default = [
+        {
+          type = "rsa";
+          bits = 4096;
+          path = "/etc/ssh/ssh_host_rsa_key";
+        }
+        {
+          type = "ed25519";
+          path = "/etc/ssh/ssh_host_ed25519_key";
+        }
+      ];
+      example = [
+        {
+          type = "rsa";
+          bits = 4096;
+          path = "/etc/ssh/ssh_host_rsa_key";
+          openSSHFormat = true;
+        }
+        {
+          type = "ed25519";
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          comment = "key comment";
+        }
+      ];
+      description = ''
+        NixOS can automatically generate SSH host keys.  This option
+        specifies the path, type and size of each key.  See
+        {manpage}`ssh-keygen(1)` for supported types
+        and sizes.
+      '';
+    };
+
+    banner = mkOption {
+      type = types.nullOr types.lines;
+      default = null;
+      description = ''
+        Message to display to the remote user before authentication is allowed.
+      '';
+    };
+
+    authorizedKeysFiles = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = ''
+        Specify the rules for which files to read on the host.
+
+        This is an advanced option. If you're looking to configure user
+        keys, you can generally use [](#opt-users.users._name_.openssh.authorizedKeys.keys)
+        or [](#opt-users.users._name_.openssh.authorizedKeys.keyFiles).
+
+        These are paths relative to the host root file system or home
+        directories and they are subject to certain token expansion rules.
+        See AuthorizedKeysFile in man sshd_config for details.
+      '';
+    };
+
+    authorizedKeysInHomedir = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Enables the use of the `~/.ssh/authorized_keys` file.
+
+        Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`,
+        *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys).
+      '';
+    };
+
+    authorizedKeysCommand = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        Specifies a program to be used to look up the user's public
+        keys. The program must be owned by root, not writable by group
+        or others and specified by an absolute path.
+      '';
+    };
+
+    authorizedKeysCommandUser = mkOption {
+      type = types.str;
+      default = "nobody";
+      description = ''
+        Specifies the user under whose account the AuthorizedKeysCommand
+        is run. It is recommended to use a dedicated user that has no
+        other role on the host than running authorized keys commands.
+      '';
+    };
+
+    settings = mkOption {
+      description = "Configuration for `sshd_config(5)`.";
+      default = { };
+      example = lib.literalExpression ''
+        {
+          UseDns = true;
+          PasswordAuthentication = false;
+        }
+      '';
+      type = types.submodule settingsModule;
+    };
+    extraConfig = mkOption {
+      type = types.lines;
+      default = "";
+      description = "Verbatim contents of {file}`sshd_config`.";
+    };
+
+    moduliFile = mkOption {
+      example = "/etc/my-local-ssh-moduli;";
+      type = types.path;
+      description = ''
+        Path to `moduli` file to install in
+        `/etc/ssh/moduli`. If this option is unset, then
+        the `moduli` file shipped with OpenSSH will be used.
+      '';
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+    vacu.sshd.moduliFile = lib.mkDefault "${cfg.package}/etc/ssh/moduli";
+    vacu.sshd.sftpServerExecutable = lib.mkDefault "${cfg.package}/libexec/sftp-server";
+
+    environment.etc =
+      { }
+      # // authKeysFiles
+      # // authPrincipalsFiles
+      // {
+        "ssh/moduli".source = cfg.moduliFile;
+        "ssh/sshd_config".source = sshconf;
+      };
+
+    vacu.sshd.extraConfig = lib.mkOrder 0 ''
+      Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
+
+      AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
+      ${lib.concatMapStrings (port: ''
+        Port ${toString port}
+      '') cfg.ports}
+
+      ${lib.concatMapStrings (
+        { port, addr, ... }:
+        ''
+          ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}
+        ''
+      ) cfg.listenAddresses}
+
+      ${lib.optionalString cfg.allowSFTP ''
+        Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}
+      ''}
+      AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
+      ${lib.optionalString (cfg.authorizedKeysCommand != null) ''
+        AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+        AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
+      ''}
+
+      ${lib.flip lib.concatMapStrings cfg.hostKeys (k: ''
+        HostKey ${k.path}
+      '')}
+    '';
+
+    vacu.packages = [ (pkgs.writeScriptBin "run-sshd" ''
+      ${lib.flip lib.concatMapStrings cfg.hostKeys (k: ''
+        if ! [ -s "${k.path}" ]; then
+            if ! [ -h "${k.path}" ]; then
+                rm -f "${k.path}"
+            fi
+            mkdir -p "$(dirname '${k.path}')"
+            chmod 0755 "$(dirname '${k.path}')"
+            ssh-keygen \
+              -t "${k.type}" \
+              ${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \
+              ${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \
+              ${lib.optionalString (k ? comment) "-C '${k.comment}'"} \
+              ${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \
+              -f "${k.path}" \
+              -N ""
+        fi
+      '')}
+      exec ${cfg.package}/bin/sshd -D -f /etc/ssh/sshd_config "$@"
+    '') ];
+
+    vacu.checks = [
+      (pkgs.runCommand "check-sshd-config"
+        {
+          nativeBuildInputs = [
+            (
+              if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then
+                cfg.package
+              else
+                pkgs.buildPackages.openssh
+            )
+          ];
+        }
+        ''
+          ${lib.concatMapStringsSep "\n" (
+            lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null"
+          ) cfg.ports}
+          ${lib.concatMapStringsSep "\n" (
+            la:
+            lib.concatMapStringsSep "\n" (
+              port:
+              "sshd -G -T -C ${lib.escapeShellArg "laddr=${la.addr},lport=${toString port}"} -f ${sshconf} > /dev/null"
+            ) (if la.port != null then [ la.port ] else cfg.ports)
+          ) cfg.listenAddresses}
+          touch $out
+        ''
+      )
+    ];
+
+  };
+}

hosts/prophecy/btrfs.nix

@@ -0,0 +1,115 @@
+{ pkgs, ... }:
+let
+  btrfs-progs = pkgs.btrfs-progs;
+  btrfs = "${btrfs-progs}/bin/btrfs";
+  btrfsDevice = "/dev/mapper/prophecy-root-decrypted";
+  btrfsOpts = [
+    "compress=zstd:2"
+    "datacow"
+    "datasum"
+    "discard=async"
+    "ssd_spread"
+    "noatime"
+    "fatal_errors=panic"
+  ];
+in
+{
+  fileSystems."/" = {
+    device = btrfsDevice;
+    fsType = "btrfs";
+    options = [ "subvol=root" ] ++ btrfsOpts;
+  };
+
+  systemd.tmpfiles.settings."10-vacu"."/btr-root-in-here".d = {
+    mode = "0700";
+    user = "root";
+    group = "root";
+  };
+
+  fileSystems."/btr-root-in-here/btr-root" = {
+    device = btrfsDevice;
+    fsType = "btrfs";
+    options = [ "ro" ] ++ btrfsOpts;
+  };
+
+  boot.initrd.systemd.services."vacu-impermanence-setup" = {
+    enable = true;
+    wantedBy = [ "initrd-root-device.target" ];
+    before = [
+      "sysroot.mount"
+      "create-needed-for-boot-dirs.service"
+    ];
+    serviceConfig.Type = "oneshot";
+    script = ''
+      set -euo pipefail
+      btrfs_tmp="$(mktemp -d)"
+      mount ${btrfsDevice} "$btrfs_tmp"
+      (
+        cd "$btrfs_tmp"
+        if [[ -e root ]]; then
+          mkdir -p old_roots
+          timestamp=$(date --date="@$(stat -c %Y root)" "+%Y-%m-%d_%H:%M:%S")
+          mv root "old_roots/$timestamp"
+        fi
+        btrfs subvolume create ./root
+
+        btrfs subvolume delete ./big-tmp
+        btrfs subvolume create ./big-tmp
+      )
+      umount "$btrfs_tmp"
+      rmdir "$btrfs_tmp"
+    '';
+  };
+
+  vacu.packages = [
+    btrfs-progs
+    (pkgs.writeScriptBin "delete_old_root" ''
+      set -euo pipefail
+      timestamp="$1"
+      shift
+      if [[ -z "$timestamp" ]]; then
+        echo "missing arg" >&2
+        exit 1
+      fi
+      mntpoint="$(mktemp -d)"
+      mount -t btrfs ${btrfsDevice} "$mntpoint"
+      full_path="$mntpoint/old_roots/$timestamp"
+
+      if ! [[ -d "$full_path" ]]; then
+        echo "couldnt find subvol old_roots/$timestamp" >&2
+        exit 1
+      fi
+
+      ${btrfs} subvolume delete -R "$full_path"
+    '')
+  ];
+
+  # back me up, scotty
+  fileSystems."/persistent" = {
+    device = btrfsDevice;
+    neededForBoot = true;
+    fsType = "btrfs";
+    options = [ "subvol=persistent" ] ++ btrfsOpts;
+  };
+
+  # keep me around, but no need to back me up
+  fileSystems."/persistent-cache" = {
+    device = btrfsDevice;
+    neededForBoot = true;
+    fsType = "btrfs";
+    options = [ "subvol=persistent-cache" ] ++ btrfsOpts;
+  };
+
+  # deleted and re-created on every boot, for stuff too big to go in a tmpfs
+  fileSystems."/tmp" = {
+    device = btrfsDevice;
+    fsType = "btrfs";
+    options = [ "subvol=big-tmp" ] ++ btrfsOpts;
+  };
+
+  fileSystems."/nix" = {
+    device = btrfsDevice;
+    fsType = "btrfs";
+    options = [ "subvol=nix" ] ++ btrfsOpts;
+  };
+}

hosts/prophecy/caddy.nix

@@ -0,0 +1,35 @@
+{ config, ... }:
+let
+  cfg = config.services.caddy;
+  caddyDir = directory: {
+    inherit directory;
+    inherit (cfg) user group;
+    mode = "0700";
+  };
+in
+{
+  environment.persistence."/persistent".directories = [
+    (caddyDir cfg.logDir)
+    (caddyDir cfg.dataDir)
+  ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 443 ];
+  services.caddy = {
+    enable = true;
+    email = "acme-certs@shelvacu.com";
+    globalConfig = ''
+      admin off
+    '';
+    virtualHosts."sv.mt".extraConfig = ''
+      redir / "https://www.youtube.com/watch?v=dQw4w9WgXcQ" temporary
+    '';
+  };
+  systemd.services.caddy.serviceConfig = {
+    SocketBindAllow = [
+      "tcp:80"
+      "tcp:443"
+      "udp:443"
+    ];
+    SocketBindDeny = "any";
+  };
+}

hosts/prophecy/dav-experiment.nix

@@ -0,0 +1,112 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  path = "/dav-experiment";
+  dufsConfig = {
+    bind = "/var/lib/dav-experiment/socket";
+    allow-all = true;
+    enable-cors = false;
+    render-try-index = true;
+    render-spa = true;
+    serve-path = path;
+
+    auth = [
+      "s:$6$WNI1472ebgQg9zjk$4qeOLarhHJNxNHaAkzztJMN8fzOb6iQm7KTp0SuvYWSvfFORjcNSXNBsKTLRSox2LOSYYwWSyYv/u6lQ9VstF1@/:rw"
+    ];
+  };
+  dufsConfigFile = pkgs.writeText "dufs-config.yaml" (builtins.toJSON dufsConfig);
+in
+{
+  users.users.dav-experiment = {
+    isSystemUser = true;
+    group = "dav-experiment";
+    home = "/var/lib/dav-experiment";
+  };
+  users.groups.dav-experiment = {};
+
+  environment.persistence."/persistent".directories = [
+    {
+      directory = path;
+      user = "dav-experiment";
+      group = "dav-experiment";
+      mode = "0700";
+    }
+  ];
+
+  systemd.tmpfiles.settings."10-whatever"."/var/lib/dav-experiment" = {
+    d = {
+      user = "dav-experiment";
+      group = "dav-experiment";
+      mode = "0710";
+    };
+  };
+
+  services.caddy.virtualHosts."dav-experiment.shelvacu.com".extraConfig = ''
+    reverse_proxy unix/${dufsConfig.bind}
+  '';
+
+  users.users.${config.services.caddy.user}.extraGroups = [ "dav-experiment" ];
+
+  systemd.services.dav-experiment = {
+    enable = true;
+    wantedBy = [ "multi-user.target" ];
+    description = "dufs server";
+    serviceConfig = {
+      Type = "exec";
+      ExecStart = "${lib.getExe pkgs.dufs-vacu} --config ${dufsConfigFile}";
+      KillMode = "mixed";
+      TimeoutStopSec = "10s";
+      User = "dav-experiment";
+      Group = "dav-experiment";
+      UMask = "0017";
+
+      SocketBindDeny = "any";
+      RestrictNetworkInterfaces = "";
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      DeviceAllow = "";
+      DevicePolicy = "closed";
+
+      BindPaths = [ path "/var/lib/dav-experiment" ];
+      BindReadOnlyPaths = [ "/nix/store" ];
+
+      CapabilityBoundingSet = "";
+      AmbientCapabilities = [];
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+
+      # InaccessiblePaths = [ "/" ];
+      # ReadOnlyPaths = [ "/nix/store" ];
+      # ReadWritePaths = [ path "/var/lib/dav-experiment" ];
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateNetwork = true;
+      PrivateIPC = true;
+      PrivatePIDs = true;
+      PrivateUsers = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = "strict";
+
+      RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" ];
+
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RemoveIPC = true;
+      PrivateMounts = true;
+      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+      SystemCallArchitectures = "native";
+    };
+  };
+}

hosts/prophecy/default.nix

@@ -0,0 +1,71 @@
+{ vacuModules, ... }:
+{
+  imports = [
+    vacuModules.sops
+    ./impermanence.nix
+    ./hardware.nix
+    ./btrfs.nix
+    ./genieacs.nix
+    ./networking.nix
+    ./doof.nix
+    ./gpu.nix
+    ./propdata.nix
+    ./silence.nix
+    ./hath.nix
+    ./image-mounts.nix
+    ./dav-experiment.nix
+    ./caddy.nix
+    ./garage.nix
+    ./murmur.nix
+  ];
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.memtest86.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.efi.efiSysMountPoint = "/boot";
+  # boot.initrd.systemd.services."debug-shell".wantedBy = [ "sysinit.target" ];
+
+  vacu.hostName = "prophecy";
+  vacu.shortHostName = "prop";
+  vacu.shell.color = "green";
+  vacu.verifySystem.expectedMac = "6c:02:e0:43:02:7a";
+  vacu.systemKind = "server";
+  networking.hostId = "f6236a3d";
+
+  vacu.packages = ''
+    httrack
+  '';
+
+  networking.networkmanager.enable = true;
+  services.openssh.enable = true;
+  system.stateVersion = "24.11";
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  users.mutableUsers = false;
+  users.users.root.initialHashedPassword = "$2b$15$D66qIGBJm27pTuX1Rc6aeuQGcrX71T2Gxg.PmTYPAdOnDI1trCtqC";
+  users.users.shelvacu.initialHashedPassword = "$2b$15$D66qIGBJm27pTuX1Rc6aeuQGcrX71T2Gxg.PmTYPAdOnDI1trCtqC";
+
+  environment.etc."nixos/flake.nix".source = "/home/shelvacu/dev/nix-stuff/flake.nix";
+
+  # zfs can break with hibernate but takes no steps to warn/prevent this >:(
+  boot.kernelParams = [ "nohibernate" ];
+  boot.supportedFilesystems = [
+    # nice to have for mounting disk images
+    "zfs"
+    "ntfs"
+    "ext4"
+    "btrfs"
+    "f2fs"
+    "xfs"
+    "exfat"
+    "vfat"
+    "squashfs"
+    "reiserfs"
+    # "bcachefs"
+    "unionfs-fuse"
+    "jfs"
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 5201 ]; # default port for iperf3
+
+  systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
+}

hosts/prophecy/doof.nix

@@ -0,0 +1,74 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkOption types;
+  cfg = config.vacu.network;
+  doof_if = "wg-doof";
+  tunnelName = "doofTun";
+in
+{
+  options.vacu.network.doofPubKey = mkOption { type = types.str; };
+  config = {
+    vacu.network.ips = {
+      doofStatic4 = "205.201.63.13";
+      doofStatic6 = "2602:fce8:106:10::1";
+    };
+    vacu.network.doofPubKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
+    vacu.packages = [ "wireguard-tools" ];
+    sops.secrets.wireguardKey = {
+      owner = config.users.users.systemd-network.name;
+    };
+    systemd.network.config.routeTables.${tunnelName} = 422;
+    systemd.network.config.addRouteTablesToIPRoute2 = true;
+    systemd.network.netdevs.${doof_if} = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = doof_if;
+        MTUBytes = 1300;
+      };
+      wireguardConfig = {
+        # FirewallMark = "0xd00f";
+        PrivateKeyFile = config.sops.secrets.wireguardKey.path;
+      };
+      wireguardPeers = lib.singleton {
+        PublicKey = cfg.doofPubKey;
+        Endpoint = "tun-sea.doof.net:53263";
+        AllowedIPs = [
+          "0.0.0.0/0"
+          "::/0"
+        ];
+        PersistentKeepalive = 5;
+      };
+    };
+    systemd.network.networks."15-doof" = {
+      matchConfig.Name = doof_if;
+      DHCP = "no";
+      networkConfig.IPv6AcceptRA = false;
+      routes = [
+        {
+          Gateway = "205.201.63.44"; # tun-sea.doof.net
+          GatewayOnLink = true;
+          Source = "${cfg.ips.doofStatic4}/32";
+          Destination = "0.0.0.0/0";
+          Table = tunnelName;
+        }
+      ];
+      routingPolicyRules = [
+        {
+          From = "${cfg.ips.doofStatic4}/32";
+          To = cfg.ips.t2dSubnets;
+          Table = "main";
+        }
+        {
+          From = "${cfg.ips.doofStatic4}/32";
+          Table = tunnelName;
+        }
+      ];
+    };
+    systemd.network.networks.${cfg.lan_bridge_network} = {
+      address = lib.mkAfter [
+        "${cfg.ips.doofStatic4}/32"
+        # "${cfg.ips.doofStatic6}/128"
+      ];
+    };
+  };
+}