stuff

Reviewed-on: #1

.gitignore

@@ -1,2 +1,6 @@
-/result*
+result
+result-*
+/.generated
 .nixos-test-history
+/packages/vacu-history/target/
+/packages/altcaps/target/

README.md

@@ -1,31 +1,31 @@
-more just notes for now
-
----
-
-deploy:
-
-```sh
-nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
-```
-
----
-
-build flake on remote machine, including eval:
-
-```sh
-git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
-```
-
----
-
-search for string in closure
-
-```sh
-rg search_str $(nix path-info --recursive ./result)
-```
-
-or
-
-```sh
-rg search_str $(nix path-info --recursive .#qb.trip)
-```
+more just notes for now
+
+---
+
+deploy:
+
+```sh
+nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
+```
+
+---
+
+build flake on remote machine, including eval:
+
+```sh
+git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
+```
+
+---
+
+search for string in closure
+
+```sh
+rg search_str $(nix path-info --recursive ./result)
+```
+
+or
+
+```sh
+rg search_str $(nix path-info --recursive .#qb.trip)
+```

archive.nix

@@ -0,0 +1,42 @@
+{
+  self,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ignoreList = [
+    "iso"
+    "host-pxe-installer"
+    "host-pxe-installer-aarch64"
+    "pxe-initrd"
+  ];
+  # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
+  isoContentsStr = lib.concatStringsSep "\n" (
+    map (
+      c: "${c.source} => ${c.target}"
+    ) self.nixosConfigurations.shel-installer-iso.config.isoImage.contents
+  );
+  isoContents = pkgs.writeText "iso-contents" isoContentsStr;
+  pxeConfig = self.nixosConfigurations.shel-installer-pxe.config;
+  pxeContents = pkgs.linkFarm "pxe-initrd-contents" {
+    inherit (pxeConfig.boot.initrd) compressor;
+    inherit (pxeConfig.system.build) initialRamdisk;
+    storeContents = pkgs.linkFarmFromDrvs "store-contents" pxeConfig.netboot.storeContents;
+  };
+  extraBuilds = { inherit isoContents pxeContents; };
+  buildListWithout = builtins.filter (v: !builtins.elem v ignoreList) (
+    builtins.attrNames self.buildList
+  );
+  allBuilds = self.buildList // extraBuilds;
+in
+rec {
+  archiveList = map (name: {
+    inherit name;
+    broken = builtins.elem name self.brokenBuilds;
+    impure = builtins.elem name self.impureBuilds;
+  }) (buildListWithout ++ builtins.attrNames extraBuilds);
+
+  drvs = allBuilds;
+  buildDepsDrvs = builtins.mapAttrs (_: v: pkgs.closureInfo { rootPaths = [ v.drvPath ]; }) drvs;
+}

check-eval.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+source shellvaculib.bash
+
+svl_exact_args $# 0
+svl_assert_probably_in_script_dir
+
+declare -a nix_eval=(
+  nix eval
+  --show-trace
+)
+
+declare -a hosts=(
+  triple-dezert
+  compute-deck
+  liam
+  lp0
+  #skip shel-installer-*
+  fw
+  legtop
+  mmm
+  prophecy
+)
+
+set -x
+
+"${nix_eval[@]}" --impure ".#.nixOnDroidConfigurations.default.activationPackage"
+
+for host in "${hosts[@]}"; do
+  "${nix_eval[@]}" ".#.nixosConfigurations.${host}.config.system.build.toplevel"
+done

common/assertions.nix

@@ -13,7 +13,10 @@ let
   withAsserts =
     x:
     if fatalAssertions != [ ] then
-      throw "\nFailed assertions:\n${lib.concatStringsSep "\n" (map (x: "- ${x}") fatalAssertions)}"
+      throw ''
+
+        Failed assertions:
+        ${lib.concatStringsSep "\n" (map (x: "- ${x}") fatalAssertions)}''
     else
       lib.showWarnings triggeredWarnings x;
 
@@ -22,11 +25,12 @@ let
       assertions = map (x: { inherit (x) assertion message; }) (
         filter (x: x.fatal) config.vacu.assertions
       );
-      warnings = map (x: x.message) (filter (x: !x.assertion && !x.fatal) config.vacu.assertions);
+      warnings = triggeredWarnings;
     };
   };
 in
 {
+  imports = lib.optional (vacuModuleType != "plain") adapter;
   options.vacu.assertions = mkOption {
     default = [ ];
     type = types.listOf (
@@ -45,4 +49,3 @@ in
     default = withAsserts;
   };
 }
-// (if vacuModuleType != "plain" then adapter else { })

common/checks.nix

@@ -0,0 +1,29 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib) types;
+in
+{
+  options.vacu.checks = lib.mkOption {
+    type = types.attrsOf types.package;
+    default = { };
+  };
+  options.vacu.textChecks = lib.mkOption {
+    type = types.attrsOf types.lines;
+    default = { };
+  };
+  config.vacu.checks = lib.mapAttrs (
+    name: lines:
+    pkgs.runCommand "vacu-textChecks-${name}" { } ''
+      (
+        set -xev
+        ${lines}
+        touch "$out"
+      )
+    ''
+  ) config.vacu.textChecks;
+}

common/common-but-not.nix

@@ -3,12 +3,15 @@
 {
   inputs,
   vacuModuleType,
+  config,
   lib,
   ...
 }:
 lib.optionalAttrs (vacuModuleType != "plain") {
-  nix.registry.vacu.to = {
-    type = "path";
-    path = inputs.self.outPath;
+  nix.registry = lib.mkIf (!config.vacu.isMinimal) {
+    vacu.to = {
+      type = "path";
+      path = inputs.self.outPath;
+    };
   };
 }

common/default.nix

@@ -1,9 +1,9 @@
 {
   config,
-  pkgs,
   lib,
   inputs,
   vacuModuleType,
+  vacuModules,
   ...
 }:
 let
@@ -14,36 +14,42 @@ let
     "nix-on-droid"
     "plain"
   ];
+  anyRev = attrs: toString (attrs.rev or attrs.dirtyRev or "unk");
+  anyShortRev = attrs: toString (attrs.shortRev or attrs.dirtyShortRev or "unk");
 in
 if !builtins.elem vacuModuleType expectedModuleTypes then
   builtins.throw "error: unrecognized vacuModuleType ${builtins.toString vacuModuleType}"
 else
   {
     imports = [
-      ./package-set.nix
-      ./shell
-      ./nixvim.nix
-      ./ssh.nix
-      ./nix.nix
-      ./verify-system
-      ./defaultPackages.nix
-      ./lib
-      ./sops.nix
-      ./dns
-      ./assertions.nix
-      ./common-but-not.nix
-      ./nixos.nix
-      ./nix-on-droid.nix
-      ./nixos-rebuild.nix
-      ./minimal-nixos.nix
+      vacuModules.packageSet
+      vacuModules.systemKind
+      ../dns
+
       ./acmeDependencies.nix
-      ./nix-on-droid.nix
-      ./remapCapsLock.nix
-      ./sourceTree.nix
-      ./units-impl.nix
-      ./units-config.nix
-      ./lix.nix
+      ./assertions.nix
+      ./checks.nix
+      ./common-but-not.nix
       ./git.nix
+      ./hosts.nix
+      ./hpn.nix
+      ./lix.nix
+      ./minimal-nixos.nix
+      ./nixos.nix
+      ./nixos-rebuild.nix
+      ./nixvim.nix
+      ./nix.nix
+      ./nix-on-droid.nix
+      ./packages.nix
+      ./remapCapsLock.nix
+      ./shell
+      ./sops.nix
+      ./sourceTree.nix
+      ./staticNames.nix
+      ./units-config.nix
+      ./units-impl.nix
+      ./verify-system
+      ./thunderbird.nix
     ];
     options = {
       vacu.rootCAs = mkOption { type = types.listOf types.str; };
@@ -59,15 +65,7 @@ else
       vacu.shortHostName = mkOption {
         type = types.nullOr types.str;
         default = config.vacu.hostName;
-      };
-      vacu.nixvimPkg = mkOption { readOnly = true; };
-      vacu.systemKind = mkOption {
-        type = types.enum [
-          "minimal"
-          "desktop" # need a better name for this; should include laptops; everything I intend to get computery-stuff done on.
-          "container"
-          "server"
-        ];
+        defaultText = "{option}`vacu.hostName`";
       };
       vacu.vnopnCA = mkOption {
         readOnly = true;
@@ -75,60 +73,38 @@ else
       };
     };
     config = {
-      # vacu.systemKind = lib.mkIf (vacuModuleType == "plain") ("server"); #TODO: should be mkDefault, removed for debugging
-      vacu.versionId = toString (self.shortRev or self.dirtyShortRev);
-      vacu.versionInfo = {
-        id = self.rev or self.dirtyRev;
-        flakePath = self.outPath;
-        inherit inputs;
-        inherit vacuModuleType;
-      } // (if config.nixpkgs ? flake then { nixpkgs = config.nixpkgs.flake.source; } else { });
+      vacu.versionId = "${anyShortRev self}-${self.lastModifiedDate or "unk"}";
+      vacu.versionInfo =
+        {
+          rev = anyRev self;
+          inherit (self) lastModified lastModifiedDate;
+          inherit (config.vacu) versionId;
+          inherit vacuModuleType;
+          inputRevs = lib.mapAttrs (_: v: anyRev v) inputs;
+        }
+        // lib.optionalAttrs (!config.vacu.isMinimal) {
+          flakePath = self.outPath;
+          inherit inputs;
+        };
 
-      vacu.nix.caches.nixcache-shelvacu = {
+      vacu.nix.caches.vacu = {
         url = "https://nixcache.shelvacu.com/";
         keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
       };
       vacu.nix.caches.nix-community = {
         url = "https://nix-community.cachix.org/";
         keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+        enable = false;
       };
       vacu.nix.caches.nix-on-droid = {
         url = "https://nix-on-droid.cachix.org/";
         keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
+        enable = false;
       };
       vacu.nix.caches.nixos = {
         url = "https://cache.nixos.org/";
         keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
       };
-      vacu.git.enable = config.vacu.systemKind == "server" || config.vacu.systemKind == "desktop";
-      vacu.git.config = {
-        init.defaultBranch = "master";
-        pull.rebase = false;
-        user.name = "Shelvacu";
-        user.email = "git@shelvacu.com";
-        author.name = "Shelvacu";
-        author.email = "git@shelvacu.com";
-        committer.name = "Shelvacu on ${config.vacu.hostName}";
-        committer.email = "git@shelvacu.com";
-        user.useConfigOnly = true;
-        checkout.workers = 0;
-        # We *could* use atomic writes, but those are slow! Are you sure????? - git, still living in the 90s
-        # Yes git, I'm sure
-        core.fsync = "all";
-        diff.mnemonicPrefix = true;
-        gc.reflogExpire = "never";
-        gc.reflogExpireUnreachable = "never";
-
-        url."https://github.com/".insteadOf = [ "hgh:" "github-http:" "github-https:" ];
-        url."git@github.com:".insteadOf = [ "sgh:" "gh:" "github-ssh:" ];
-        url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
-        url."https://gitlab.com/".insteadOf = [ "hgl:" "gitlab-http:" "gitlab-https:" ];
-        url."git@gitlab.com:".insteadOf = [ "sgl:" "gl:" "gitlab-ssh:" ];
-        url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
-        url."https://git.uninsane.org/".insteadOf = [ "hu:" "uninsane-http:" "uninsane-https:" ];
-        url."git@git.uninsane.org:".insteadOf = [ "u:" "su:" "uninsane-ssh" ];
-        url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
-      };
       vacu.vnopnCA = ''
         -----BEGIN CERTIFICATE-----
         MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
@@ -144,176 +120,6 @@ else
       '';
       vacu.rootCAs = [ config.vacu.vnopnCA ];
 
-      vacu.ssh.authorizedKeys = {
-        # pixel6pro-termux = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86";
-        # t460s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp";
-        # pixel6pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W";
-        compute-deck = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug";
-        triple-dezert = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g";
-        triple-dezert-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8";
-        compute-deck-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I";
-        pro1x-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX";
-        fw-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m";
-        fw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C";
-        pixel9pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC";
-        legtop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOre0FnYDm3arsFj9c/l5H2Q8mdmv7kmvq683pL4heru";
-      };
-      vacu.ssh.config = ''
-        Host deckvacu
-          User deck
-
-        Host rsb
-          User user
-          HostName finaltask.xyz
-          Port 2222
-
-        Host awoo
-          HostName 45.142.157.71
-
-        Host trip
-          HostName trip.shelvacu.com
-          Port 6922
-
-        Host liam
-          HostName 178.128.79.152
-
-        Host pluto
-          HostName pluto.somevideogam.es
-
-        Host sdf
-          HostName tty.sdf.org
-
-        Host u
-          User git
-          HostName git.uninsane.org
-
-        Host gl
-          User git
-          HostName gitlab.com
-
-        Host gh
-          User git
-          HostName github.com
-
-        Host *
-          User shelvacu
-          GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
-      '';
-
-      vacu.ssh.knownHosts = {
-        #public hosts
-        "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-        "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-        "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
-        "sdf.org" = {
-          extraHostNames = [ "tty.sdf.org" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
-        };
-
-        #colin's stuff
-        "uninsane.org" = {
-          extraHostNames = [ "git.uninsane.org" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-        };
-        "desko" = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-        };
-
-        #daymocker's stuff
-        "pluto" = {
-          extraHostNames = [ "74.208.184.137" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
-        };
-
-        #powerhouse hosts
-        "ostiary" = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
-        };
-        "habitat" = {
-          # previously known as zigbee-hub
-          extraHostNames = [ "10.78.79.114" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
-        };
-        "vnopn" = {
-          extraHostNames = [
-            "10.78.79.1"
-            "vnopn.t2d.lan"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
-        };
-
-        #work laptop
-        "tebbs-MBP" = {
-          extraHostNames = [ "10.244.10.3" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
-        };
-
-        #personal hosts
-        trip = {
-          extraHostNames = [
-            "triple-dezert"
-            "trip.shelvacu.com"
-            "[trip.shelvacu.com]:6922"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
-        };
-        servacu = {
-          extraHostNames = [
-            "mail.dis8.net"
-            "servacu.shelvacu.com"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
-        };
-        finaltask = {
-          extraHostNames = [
-            "rsb"
-            "finaltask.xyz"
-            "[finaltask.xyz]:2222"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
-        };
-        compute-deck = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
-        };
-        "2esrever" = {
-          extraHostNames = [
-            "10.4.5.218"
-            "10.244.46.71"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
-        };
-        awoo = {
-          extraHostNames = [ "45.142.157.71" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
-        };
-        deckvacu = {
-          publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
-        };
-        liam = {
-          extraHostNames = [
-            "liam.dis8.net"
-            "178.128.79.152"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
-        };
-        fw = {
-          extraHostNames = [ "fw.t2d.lan" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
-        };
-        legtop = {
-          extraHostNames = [
-            "lt"
-            "legtop.t2d.lan"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
-        };
-        mmm = {
-          extraHostNames = [
-            "mmm.t2d.lan"
-            "10.78.79.11"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
-        };
-      };
+      vacu.ssh.authorizedKeys = import inputs.vacu-keys;
     };
   }

common/defaultPackages.nix

@@ -1,85 +0,0 @@
-{
-  pkgs,
-  config,
-  inputs,
-  lib,
-  ...
-}:
-lib.mkMerge [
-  (lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container") {
-    vacu.packages =
-      (with pkgs; [
-        home-manager
-        nix-index
-        rclone
-        termscp
-        man
-        neovim
-        nmap
-        ruby
-        (p7zip.override { enableUnfree = true; })
-        tcpdump
-        cargo
-      ])
-      ++ [
-        inputs.nix-search-cli.packages.${pkgs.system}.default
-        inputs.nix-inspect.packages.${pkgs.system}.default
-      ];
-  })
-  {
-    vacu.packages = (with pkgs; [
-      nixos-rebuild
-      which
-      nano
-      vim
-      wget
-      screen
-      tmux
-      lsof
-      htop
-      mosh
-      dnsutils
-      iperf3
-      rsync
-      ethtool
-      sshfs
-      ddrescue
-      pciutils
-      ncdu
-      pv
-      unzip
-      file
-      ripgrep
-      jq
-      tree
-      iputils
-      ssh-to-age
-      sops
-      inetutils
-      diffutils
-      findutils
-      util-linux
-      tzdata
-      hostname
-      gnugrep
-      gnused
-      gnutar
-      bzip2
-      gzip
-      xz
-      zip
-      unzip
-      openssh
-      dig
-      bash
-      usbutils
-      psutils
-      killall
-      git
-      curl
-      gnutls
-    ]) ++ [
-      (config.vacu.units.finalPackage)
-    ];
-  }
-]

common/desktopApps.nix

@@ -0,0 +1,5 @@
+{ lib, vacuModuleType, ... }:
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.desktopApps = lib.mkEnableOption "asdf";
+  #todo
+}

common/dns/default.nix

@@ -1,15 +0,0 @@
-{
-  dns,
-  lib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-in
-{
-  imports = [ ./jean-luc.org.nix ];
-  options.vacu.dns = mkOption {
-    default = { };
-    type = types.attrsOf dns.lib.types.zone;
-  };
-}

common/dns/jean-luc.org.nix

@@ -1,27 +0,0 @@
-{
-  dns,
-  ...
-}:
-let
-  inherit (dns.lib.combinators) spf mx;
-in
-{
-  vacu.dns."jean-luc.org" = {
-    SOA = {
-      nameServer = "ns51.cloudns.net";
-      adminEmail = "test@example.com";
-      serial = 123456;
-    };
-    NS = [
-      "ns51.cloudns.net"
-      "ns52.cloudns.net"
-      "ns53.cloudns.net"
-      "ns54.cloudns.net"
-    ];
-    A = [ "1.2.3.4" ];
-    TXT = [
-      (spf.strict [ "1.2.3.4" ])
-    ];
-    subdomains."in".MX = [ (mx.mx 0 "a.b") ];
-  };
-}

common/git.nix

@@ -1,77 +1,58 @@
-{ 
-  lib,
-  config,
-  pkgs,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (lib) types;
-  cfg = config.vacu.git;
-in
-{ imports = [
+{ lib, config, vacuModules, ... }:
 {
-  # https://github.com/NixOS/nixpkgs/blob/e8c38b73aeb218e27163376a2d617e61a2ad9b59/nixos/modules/programs/git.nix#L16
-  options.vacu.git = {
-    package = lib.mkPackageOption pkgs "git" {};
-    enable = lib.mkEnableOption "git";
-    config = lib.mkOption {
-      type =
-        let
-          gitini = types.attrsOf (types.attrsOf types.anything);
-        in
-        types.either gitini (types.listOf gitini) // {
-          merge = loc: defs:
-            let
-              config = builtins.foldl'
-                (acc: { value, ... }@x: acc // (if builtins.isList value then {
-                  ordered = acc.ordered ++ value;
-                } else {
-                  unordered = acc.unordered ++ [ x ];
-                }))
-                {
-                  ordered = [ ];
-                  unordered = [ ];
-                }
-                defs;
-            in
-            [ (gitini.merge loc config.unordered) ] ++ config.ordered;
-        };
-      default = [];
-    };
-    lfs.enable = lib.mkEnableOption "git lfs";
-    lfs.package = lib.mkPackageOption pkgs "git-lfs" {};
-    configText = lib.mkOption {
-      readOnly = true;
-      type = types.str;
-    };
-  };
+  imports = [ vacuModules.git ];
 
-  config.vacu.git.configText = lib.concatMapStringsSep "\n" lib.generators.toGitINI cfg.config;
+  vacu.git.enable = lib.mkDefault config.vacu.isDev;
+  vacu.git.config = {
+    init.defaultBranch = "master";
+    pull.rebase = false;
+    user.name = "Shelvacu";
+    user.email = "git@shelvacu.com";
+    author.name = "Shelvacu";
+    author.email = "git@shelvacu.com";
+    committer.name = "Shelvacu on ${config.vacu.hostName}";
+    committer.email = "git@shelvacu.com";
+    user.useConfigOnly = true;
+    checkout.workers = 0;
+    # "We *could* use atomic writes, but those are slowwwwww! Are you sure?????" - git, still living in the 90s
+    # Yes git, I'm sure
+    core.fsync = "all";
+    diff.mnemonicPrefix = true;
+    gc.reflogExpire = "never";
+    gc.reflogExpireUnreachable = "never";
+
+    url."https://github.com/".insteadOf = [
+      "hgh:"
+      "github-http:"
+      "github-https:"
+    ];
+    url."git@github.com:".insteadOf = [
+      "sgh:"
+      "gh:"
+      "github-ssh:"
+    ];
+    url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
+    url."https://gitlab.com/".insteadOf = [
+      "hgl:"
+      "gitlab-http:"
+      "gitlab-https:"
+    ];
+    url."git@gitlab.com:".insteadOf = [
+      "sgl:"
+      "gl:"
+      "gitlab-ssh:"
+    ];
+    url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
+    url."https://git.uninsane.org/".insteadOf = [
+      "hu:"
+      "uninsane-http:"
+      "uninsane-https:"
+    ];
+    url."git@git.uninsane.org:".insteadOf = [
+      "u:"
+      "su:"
+      "uninsane-ssh"
+    ];
+    url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
+  };
 }
-(lib.mkIf cfg.enable { vacu.packages.git = { enable = true; package = cfg.package; }; })
-(lib.mkIf (cfg.enable && cfg.lfs.enable) {
-  vacu.packages.git-lfs = { enable = true; package = cfg.lfs.package; };
-  vacu.git.config = let bin = lib.getExe cfg.lfs.package; in {
-    filter.lfs = {
-      clean = "${bin} clean -- %f";
-      smudge = "${bin} smudge -- %f";
-      process = "${bin} filter-process";
-      required = true;
-    };
-  };
-})
-(lib.optionalAttrs (vacuModuleType == "nixos") {
-  vacu.assertions = [
-    {
-      assertion = !(cfg.enable && config.programs.git.enable);
-      message = "vacu.git and programs.git should not both be enabled";
-    }
-  ];
-})
-(lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
-  environment = lib.mkIf (cfg.enable && cfg.config != []) {
-    etc.gitconfig.text = cfg.configText;
-  };
-})
-]; }

common/home.nix

@@ -1,7 +1,4 @@
 { ... }:
-let
-
-in
 {
   imports = [ ./common-but-not.nix ];
 }

common/hosts.nix

@@ -0,0 +1,155 @@
+{ lib, vacuModules, ... }:
+{
+  imports = [
+    vacuModules.knownHosts
+    vacuModules.ssh
+  ];
+
+  vacu.hosts = {
+    #public hosts
+    "github.com".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+    "gitlab.com".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+    "git.sr.ht".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+    "sdf.org" = {
+      sshHostname = "tty.sdf.org";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
+    };
+    "rsn" = {
+      altNames = [
+        "rsyncnet"
+        "rsync.net"
+      ];
+      sshUsername = "fm2382";
+      sshHostname = "fm2382.rsync.net";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdUkGe6kKn5ssz4WRZKjcws0InbQqZayenzk9obmP1z";
+    };
+
+    #colin's stuff
+    "servo" = {
+      altNames = [
+        "git.uninsane.org"
+        "uninsane.org"
+      ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+    };
+    "desko" = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+    };
+
+    #daymocker's stuff
+    "pluto" = {
+      sshHostname = "pluto.somevideogam.es";
+      primaryIp = "74.208.184.137";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
+    };
+
+    #powerhouse hosts
+    "ostiary" = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
+    };
+    "habitat" = {
+      # previously known as zigbee-hub
+      primaryIp = "10.78.79.114";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
+    };
+    "vnopn" = {
+      primaryIp = "10.78.79.1";
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
+    };
+
+    #personal hosts
+    triple-dezert = {
+      altNames = [
+        "trip"
+        "trip.shelvacu.com"
+        "triple-dezert.shelvacu.com"
+      ];
+      sshAliases = [ "trip" ];
+      primaryIp = "172.83.159.53";
+      altIps = [ "10.78.79.237" ];
+      isLan = true;
+      sshPort = 6922;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
+    };
+    prophecy = {
+      altNames = [
+        "prop"
+        "prop.shelvacu.com"
+        "prophecy.shelvacu.com"
+      ];
+      sshAliases = [ "prop" ];
+      primaryIp = "205.201.63.13";
+      altIps = [ "10.78.79.22" ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPmy1+1CL6mLbp0IfRTLwsVdjKmw5u0kbQqHin8oXMq";
+    };
+    servacu = {
+      altNames = [
+        "mail.dis8.net"
+        "servacu.shelvacu.com"
+      ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
+    };
+    finaltask = {
+      altNames = [
+        "rsb"
+        "finaltask.xyz"
+      ];
+      sshAliases = [ "rsb" ];
+      primaryIp = "45.87.250.193";
+      sshPort = 2222;
+      sshUsername = "user";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
+    };
+    compute-deck = {
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
+    };
+    "2esrever" = {
+      altIps = [
+        "10.4.5.218"
+        "10.244.46.71"
+      ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
+    };
+    awoo = {
+      primaryIp = "45.142.157.71";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
+    };
+    deckvacu = {
+      sshUsername = "deck";
+      sshKeys = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
+    };
+    liam = {
+      altNames = [ "liam.dis8.net" ];
+      primaryIp = "178.128.79.152";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
+    };
+    fw = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
+    };
+    legtop = {
+      altNames = [ "lt" ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
+    };
+    mmm = {
+      primaryIp = "10.78.79.11";
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
+    };
+    solis = {
+      altNames = [ "solis.dis8.net" ];
+      primaryIp = "89.213.174.171";
+      # altIps = [ "2a0f:9400:7e11:cd44:0000:0000:0000:0001" ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhFKmRMfk+4Xx96Jwt6S9/ikC0cm4ukeO8hjpZDj+9n";
+    };
+  };
+}

common/hpn.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
+{
+  # options.vacu.ssh-hpn.enable = lib.mkEnableOption "openssh hpn";
+}
+// lib.optionalAttrs (vacuModuleType == "nixos") {
+  # config.nixpkgs.overlays = [ (old: new: {
+  #   openssh-without-hpn = old.openssh;
+  #   openssh = if config.vacu.ssh-hpn.enable then new.openssh_hpn else new.openssh-without-hpn;
+  # }) ];
+}

common/lib/default.nix

@@ -1,19 +0,0 @@
-{ lib, config, ... }:
-{
-  imports = [
-    ./makeWrapper.nix
-  ];
-
-  options.vacu.vaculib = lib.mkOption {
-    type = lib.types.anything;
-  };
-
-  config._module.args.vaculib = config.vacu.vaculib;
-
-  config.vacu.vaculib.mkOutOption =
-    val:
-    lib.mkOption {
-      readOnly = true;
-      default = val;
-    };
-}

common/lix.nix

@@ -1,7 +1,7 @@
-{
-  inputs,
-  vacuModuleType,
-  ...
-}: if vacuModuleType == "nixos" then {
-  imports = [ inputs.lix-module.nixosModules.default ];
-} else {}
+{ vacuModuleType, ... }:
+if vacuModuleType == "nixos" then
+  {
+    # imports = [ inputs.lix-module.nixosModules.default ];
+  }
+else
+  { }

common/minimal-nixos.nix

@@ -3,18 +3,24 @@
   pkgs,
   lib,
   vacuModuleType,
+  inputs,
   ...
 }:
 let
   inherit (lib) mkIf mkDefault;
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
-  config = mkIf (config.vacu.systemKind == "minimal") {
+  config = mkIf config.vacu.isMinimal {
     programs.git.lfs.enable = false;
     programs.git.package = pkgs.gitMinimal;
-    # mostly copied from nixos's /profiles/minimal.nix
-    environment.noXlibs = mkDefault true;
 
+    nix.registry.nixpkgs.to = lib.mkForce {
+      type = "github";
+      owner = "NixOS";
+      repo = "nixpkgs";
+      rev = inputs.nixpkgs.rev;
+    };
+    # mostly copied from nixos's /profiles/minimal.nix
     documentation.enable = mkDefault false;
 
     documentation.doc.enable = mkDefault false;

common/nix-command-extensions/default.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}

common/nix-command-extensions/nix.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# replaceme START
+declare -A cache_to_url
+cache_to_url["foo"]="https://example.com/some-nix-cache"
+
+declare -a caches_to_use=("foo")
+
+declare nixCmd="foo"
+# replaceme END
+
+declare -a preArgs
+declare -a passThruArgs
+cache_name=""
+function valid_cache_name() {
+  cache_name="$1"
+  if [[ $cache_name == -* ]]; then
+    echo "invalid cache name" >&2
+    exit 1
+  fi
+}
+while [[ -n $1 ]]; do
+  arg="$1"
+  shift
+  case "$arg" in
+  "--without-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use=("${caches_to_use[@]/$cache_name/}")
+    ;;
+  "--with-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use+=("$cache_name")
+    ;;
+  "--only-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use=("$cache_name")
+    ;;
+  "--on-trip")
+    if [[ $HOSTNAME == "triple-dezert" ]]; then
+      echo "Warn: skipping --on-trip: already on trip" >&2
+    else
+      passThruArgs+=("--builders" "ssh://trip x86_64-linux,aarch64-linux" "--max-jobs" "0" "--option" "builders-use-substitutes" "true")
+    fi
+    ;;
+  "--")
+    passThruArgs+=("$arg" "$@")
+    break
+    ;;
+  *)
+    passThruArgs+=("$arg")
+    ;;
+  esac
+done
+
+declare -a substituters
+for c in "${caches_to_use[@]}"; do
+  url="${cache_to_url["$c"]}"
+  substituters+=("$url")
+done
+
+substituters_together="${substituters[*]}"
+
+preArgs+=("--option" "substituters" "$substituters_together")
+
+exec "$nixCmd" "${preArgs[@]}" "${passThruArgs[@]}"

common/nix-on-droid.nix

@@ -8,8 +8,6 @@ let
   inherit (lib) mkDefault;
 in
 lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
-  environment.packages = config.vacu.packageList;
-  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
   nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
   nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
   vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";

common/nix.nix

@@ -9,7 +9,7 @@ in
     vacu.nix.caches = mkOption {
       type = types.attrsOf (
         types.submodule (
-          { name, ... }:
+          { ... }:
           {
             options = {
               url = mkOption { type = types.str; };
@@ -28,9 +28,7 @@ in
     };
     vacu.nix.substituterUrls = mkOption { readOnly = true; };
     vacu.nix.trustedKeys = mkOption { readOnly = true; };
-    vacu.nix.plainOptions = mkOption { };
   };
   config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
   config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
-  config.vacu.nix.plainOptions.allowUnfree = true;
 }

common/nixos-rebuild.nix

@@ -6,29 +6,18 @@
   ...
 }:
 let
-  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
+  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package; };
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
-  options.vacu.alwaysUseRemoteSudo =
-    (lib.mkEnableOption "always deploy to this machine with --use-remote-sudo")
-    // {
-      default = true;
-    };
-  config = lib.mkIf config.vacu.alwaysUseRemoteSudo {
-    system.build.nixos-rebuild = lib.mkForce (
-      pkgs.runCommandLocal "nixos-rebuild-wrapped"
-        {
-          nativeBuildInputs = [ pkgs.makeShellWrapper ];
-          meta.mainProgram = "nixos-rebuild";
-        }
-        ''
-          runHook preInstall
-
-          mkdir -p $out/bin
-          makeShellWrapper ${lib.getExe nixos-rebuild} $out/bin/nixos-rebuild --add-flags "--use-remote-sudo"
-
-          runHook postInstall
-        ''
-    );
-  };
+  system.build.nixos-rebuild = lib.mkForce (
+    pkgs.runCommandLocal "nixos-rebuild-wrapped"
+      {
+        nativeBuildInputs = [ pkgs.makeShellWrapper ];
+        meta.mainProgram = "nixos-rebuild";
+      }
+      ''
+        mkdir -p "$out"/bin
+        makeShellWrapper ${lib.getExe nixos-rebuild} "$out"/bin/nixos-rebuild --add-flags "--use-remote-sudo --use-substitutes"
+      ''
+  );
 }

common/nixos.nix

@@ -6,50 +6,40 @@
   ...
 }:
 lib.optionalAttrs (vacuModuleType == "nixos") {
+  imports = [ ../nixos-modules ];
   options.vacu.underTest = lib.mkOption {
     default = false;
     type = lib.types.bool;
   };
   config = {
-    # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
-    # presumably needed by nheko
-    nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
-    # nixpkgs.overlays = [ inputs.self.overlays.default ];
+    programs.mosh.enable = true;
 
     console = {
       keyMap = lib.mkDefault "us";
     };
-    networking = if config.vacu.hostName == null then { } else { hostName = config.vacu.hostName; };
+    networking = lib.mkIf (config.vacu.hostName != null) { inherit (config.vacu) hostName; };
     vacu.packages."xorg-xev" = {
       enable = config.services.xserver.enable;
       package = pkgs.xorg.xev;
     };
-    environment.systemPackages = config.vacu.packageList;
     programs.nix-ld.enable = true;
     system.nixos.tags = [
       "vacu${config.vacu.versionId}"
       config.vacu.hostName
     ];
     environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
-    environment.etc."chromium" = lib.mkIf (config.vacu.systemKind == "desktop") {
+    environment.etc."chromium" = lib.mkIf config.vacu.isGui {
       source = "/run/current-system/sw/etc/chromium";
     };
 
     i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
     time.timeZone = "America/Los_Angeles";
 
-    users.users.shelvacu = lib.mkIf (config.vacu.systemKind != "container") {
+    users.users.shelvacu = lib.mkIf (!config.vacu.isContainer) {
       openssh.authorizedKeys.keys = lib.attrValues config.vacu.ssh.authorizedKeys;
       isNormalUser = true;
       extraGroups = [ "wheel" ];
     };
-    # # safety user: if something is super fucked up with my shell stuff, I can ssh in as shelvac2
-    # users.users.shelvac2 = {
-    #   openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
-    #   isNormalUser = true;
-    #   extraGroups = [ "wheel" ];
-    #   shell = pkgs.bash;
-    # };
     services.openssh = {
       # require public key authentication for better security
       settings.PasswordAuthentication = false;
@@ -57,7 +47,7 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       settings.PermitRootLogin = "prohibit-password";
     };
 
-    nix.settings.trusted-users = lib.mkIf (config.vacu.systemKind != "container") [ "shelvacu" ];
+    nix.settings.trusted-users = lib.mkIf (!config.vacu.isContainer) [ "shelvacu" ];
     security.sudo.wheelNeedsPassword = lib.mkDefault false;
 
     programs.screen = {
@@ -69,7 +59,7 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       '';
     };
 
-    programs.tmux = lib.mkIf (config.vacu.systemKind != "container") {
+    programs.tmux = lib.mkIf (!config.vacu.isContainer) {
       enable = true;
       extraConfig = "setw mouse";
       clock24 = true;
@@ -85,11 +75,6 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
       extra-trusted-public-keys = lib.mkForce [ ];
     };
-    nixpkgs.config.allowUnfree = lib.mkDefault true;
-
-    programs.mosh.enable = lib.mkIf (config.vacu.systemKind != "container") (lib.mkDefault true);
-
-    programs.ssh.extraConfig = config.vacu.ssh.config;
 
     security.pki.certificates = config.vacu.rootCAs;
 
@@ -100,5 +85,7 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
     ];
     programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
     programs.bash.promptInit = lib.mkForce "";
+
+    systemd.services.nix-daemon.serviceConfig.Nice = "10";
   };
 }

common/nixvim.nix

@@ -5,13 +5,27 @@
   lib,
   ...
 }:
+let
+  inherit (lib) mkOption types;
+  nixvim-name = if config.vacu.nixvim.minimal then "nixvim-minimal" else "nixvim";
+in
 {
-  vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.nixvim;
-  vacu.shell.functions =
-    lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container")
-      {
-        nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
-        nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
-        nvim = ''nvim-nixvim "$@"'';
-      };
+  options = {
+    vacu.nixvim.minimal = mkOption {
+      type = types.bool;
+      default = config.vacu.isMinimal;
+    };
+    vacu.nixvimPkg = mkOption {
+      type = types.package;
+      readOnly = true;
+    };
+  };
+  config = {
+    vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.${nixvim-name};
+    vacu.shell.functions = lib.mkIf (!config.vacu.isMinimal) {
+      nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
+      nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
+      nvim = ''nvim-nixvim "$@"'';
+    };
+  };
 }

common/package-set.nix

@@ -1,71 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-  pkgOptions = builtins.attrValues config.vacu.packages;
-  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
-  enabledPkgs = builtins.map (o: o.package) enabledOptions;
-  packagesSetType = types.attrsOf (
-    types.submodule (
-      { name, ... }:
-      {
-        options = {
-          enable = mkOption {
-            type = types.bool;
-            description = "Will this package be installed (included in environment.systemPackages)";
-          };
-          package = mkOption {
-            type = types.package;
-            default = pkgs.${name};
-            defaultText = "pkgs.${name}";
-          };
-        };
-      }
-    )
-  );
-  packageListToSet = (
-    from:
-    let
-      keyvals = map (
-        val:
-        if builtins.isString val then
-          {
-            name = val;
-            value = {
-              package = pkgs."${val}";
-              enable = lib.mkDefault true;
-            };
-          }
-        else
-          {
-            name = val.pname or val.name;
-            value = {
-              package = lib.mkDefault val;
-              enable = lib.mkDefault true;
-            };
-          }
-      ) from;
-    in
-    builtins.listToAttrs keyvals
-  );
-in
-{
-  options = {
-    vacu.packages = mkOption {
-      default = { };
-      type = types.coercedTo (types.listOf (
-        types.either types.str types.package
-      )) packageListToSet packagesSetType;
-    };
-    vacu.packageList = mkOption {
-      type = types.listOf types.package;
-      readOnly = true;
-    };
-  };
-
-  config.vacu.packageList = enabledPkgs;
-}

common/packages.nix

@@ -0,0 +1,263 @@
+{
+  pkgs,
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
+let
+  enableFfmpeg = !config.vacu.isMinimal;
+  enableFfmpegFull = enableFfmpeg && config.vacu.isGui;
+  enableFfmpegHeadless = enableFfmpeg && !config.vacu.isGui;
+  winePkgs = pkgs.wineWow64Packages;
+in
+{
+  vacu.packages = lib.mkMerge [
+    {
+      borgbackup.enable = config.vacu.isDev && (pkgs.system != "aarch64-linux"); # borgbackup build is borken on aarch64
+      ffmpeg-vacu-full = {
+        enable = enableFfmpegFull;
+        package = pkgs.ffmpeg-full;
+        overrides.libbluray = config.vacu.packages.libbluray-all.finalPackage;
+      };
+      ffmpeg-vacu-headless = {
+        enable = enableFfmpegHeadless;
+        package = pkgs.ffmpeg-headless;
+        overrides.libbluray = config.vacu.packages.libbluray-all.finalPackage;
+      };
+      libbluray-all = {
+        package = pkgs.libbluray;
+        overrides = {
+          withJava = true;
+          withAACS = true;
+          withBDplus = true;
+        };
+      };
+      inkscape-all = {
+        package = pkgs.inkscape-with-extensions;
+        # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
+        overrides.inkscapeExtensions = null;
+      };
+      p7zip-unfree = {
+        package = pkgs.p7zip;
+        overrides.enableUnfree = true;
+      };
+      wine.package = winePkgs.waylandFull;
+      wine-fonts.package = winePkgs.fonts;
+      vacu-units.package = config.vacu.units.finalPackage;
+    }
+    (lib.mkIf config.vacu.isGui
+      # just do all the matrix clients, surely one of them will work enough
+      ''
+        cinny-desktop
+        element-call
+        element-desktop
+        fluffychat
+        fractal
+        gomuks
+        gomuks-web
+        # hydrogen has no -desktop version
+        iamb
+        kazv
+        matrix-commander
+        matrix-commander-rs
+        matrix-dl
+        mm
+        neosay
+        nheko
+        pinecone
+        # quaternion # build is borked
+      ''
+    )
+    (lib.mkIf config.vacu.isGui
+      # pkgs for systems with a desktop GUI
+      ''
+        acpi
+        anki
+        audacity
+        arduino-ide
+        bitwarden-desktop
+        brave
+        dino
+        filezilla
+        gamemode
+        gnome-maps
+        gparted
+        ghidra
+        gimp
+        haruna
+        iio-sensor-proxy
+        inkscape-all
+        jellyfin-media-player
+        josm
+        kdePackages.elisa
+        kdePackages.kdenlive
+        libreoffice-qt6-fresh
+        # librewolf
+        linphone
+        merkaartor
+        nextcloud-client
+        obsidian
+        openscad
+        openshot-qt
+        orca-slicer
+        OSCAR
+        prismlauncher
+        shotcut
+        signal-desktop
+        svp
+        # thunderbird #managed thru vacu.programs.thunderbird
+        tremotesf
+        ungoogled-chromium
+        vlc
+        wayland-utils
+        wev
+        wine
+        wine-fonts
+        wireshark
+        wl-clipboard
+      ''
+    )
+    # pkgs for development-ish
+    (lib.mkIf config.vacu.isDev ''
+      cargo
+      clippy
+      gnumake
+      man-pages
+      patchelf
+      python3
+      ruby
+      rustc
+      rust-script
+      shellcheck
+      stdenv.cc
+    '')
+    (lib.mkIf (!config.vacu.isMinimal)
+      # big pkgs for non-minimal systems
+      ''
+        aircrack-ng
+        android-tools
+        bitwarden-cli
+        dmidecode
+        fido2-manage
+        flac
+        hdparm
+        home-manager
+        imagemagickBig
+        kanidm_1_6
+        libsmi
+        man
+        mdadm
+        megatools
+        mercurial #aka hg
+        minicom
+        mkvtoolnix-cli
+        # neovim => see common/nixvim.nix
+        net-snmp
+        nix-index
+        nix-inspect
+        nix-search-cli
+        nix-tree
+        nmap
+        nvme-cli
+        proxmark3
+        rclone
+        ripgrep-all
+        smartmontools
+        tcpdump
+        termscp
+        tshark
+        yt-dlp
+      ''
+    )
+    # pkgs included everywhere
+    ''
+      _7zip
+      altcaps
+      ddrescue
+      dig
+      dnsutils
+      ethtool
+      file
+      # git is handled by common/git.nix
+      gnutls
+      gptfdisk
+      hostname
+      htop
+      inetutils
+      iperf3
+      iputils
+      jq
+      jujutsu
+      killall
+      libossp_uuid # provides `uuid` binary
+      linuxquota
+      lshw
+      lsof
+      mosh
+      nano
+      ncdu
+      netcat-openbsd
+      nixos-rebuild
+      openssl
+      # p7zip-unfree
+      pciutils
+      progress
+      psutils
+      pv
+      ripgrep
+      rsync
+      screen
+      # sed => gnused
+      shellvaculib
+      # sops => should use `nr vacu#sops` instead
+      sshfs
+      ssh-to-age
+      # tar => gnutar
+      tmux
+      tree
+      tzdata
+      # units => vacu-units
+      unzip
+      usbutils
+      vacu-units
+      vim
+      wget
+      zip
+    ''
+    # packages that are in [`requiredPackages`][1]  in nixos, but maybe not included in nix-on-droid
+    # [1]: https://github.com/NixOS/nixpkgs/blob/26d499fc9f1d567283d5d56fcf367edd815dba1d/nixos/modules/config/system-path.nix#L11
+    (lib.optionalAttrs (vacuModuleType == "nix-on-droid") ''
+      #stdenv.cc.libc shouldn't be needed right?
+      acl
+      attr
+      bashInteractive
+      bzip2
+      cpio
+      curl
+      diffutils
+      findutils
+      gawk
+      getent
+      getconf
+      gnugrep
+      gnupatch
+      gnused
+      gnutar
+      gzip
+      less
+      libcap
+      mkpasswd
+      ncurses
+      #netcat is replaced by netcat-openbsd
+      openssh
+      procps
+      su
+      time
+      util-linux
+      which
+      xz
+      zstd
+    '')
+  ];
+}

common/remapCapsLock.nix

@@ -11,7 +11,8 @@ in
 lib.optionalAttrs (vacuModuleType == "nixos") {
   options.vacu.enableCapsLockRemap = mkOption {
     type = types.bool;
-    default = config.vacu.systemKind == "desktop";
+    default = config.vacu.isGui;
+    defaultText = "{option}`vacu.isGui`";
   };
   config = lib.mkIf config.vacu.enableCapsLockRemap {
     # https://discourse.nixos.org/t/best-way-to-remap-caps-lock-to-esc-with-wayland/39707/6

common/shell/container-aliases.nix

@@ -0,0 +1,29 @@
+{
+  pkgs,
+  lib,
+  config,
+  vaculib,
+  ...
+}:
+let
+  inherit (vaculib) script;
+in
+{
+  options.vacu.shell.containerAliases = lib.mkEnableOption "container aliases";
+  config = lib.mkIf config.vacu.shell.containerAliases {
+    vacu.packages = [
+      (script "ncrun" ''
+        svl_min_args $# 2
+        svl_auto_sudo
+        container="$1"
+        shift
+        exec ${lib.getExe pkgs.nixos-container} run "$container" -- "$@"
+      '')
+      (script "ncrl" ''
+        svl_exact_args $# 1
+        svl_auto_sudo
+        exec ${lib.getExe pkgs.nixos-container} root-login "$1"
+      '')
+    ];
+  };
+}

common/shell/default.nix

@@ -37,6 +37,9 @@ in
   imports = [
     ./not-aliases.nix
     ./ps1.nix
+    ./container-aliases.nix
+    ./vacuhistory.nix
+    ./qcd.nix
   ];
   options = {
     vacu.shell.functionsDir = mkOption {
@@ -47,9 +50,7 @@ in
       type = types.lines;
       readOnly = true;
     };
-    vacu.shell.wrappedBash = mkOption {
-      readOnly = true;
-    };
+    vacu.shell.wrappedBash = mkOption { readOnly = true; };
     vacu.shell.idempotentShellLines = mkOption {
       type = types.lines;
       default = "";
@@ -58,32 +59,24 @@ in
       type = types.enum (builtins.attrNames vaculib.shellColors);
       default = "white";
     };
-    vacu.shell.functions = mkOption {
-      type = types.attrsOf types.str;
-    };
+    vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
   };
   config.vacu = {
-    vaculib = {
-      # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
-      shellColors = {
-        black = 30;
-        red = 31;
-        green = 32;
-        yellow = 33;
-        blue = 34;
-        magenta = 35;
-        cyan = 36;
-        white = 37;
-      };
-    };
     shell.interactiveLines = ''
-      if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
-        function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
-        __vacushell_load
-        unset __vacushell_load
+      if [[ $- == *i* ]]; then
+        SHELLVACULIB_COMPAT=1 source ${lib.escapeShellArg pkgs.shellvaculib.file}
+        if [[ -f ${cfg.functionsDir}/vacureload ]]; then
+          function __vacushell_load() { eval "$(<${cfg.functionsDir}/vacureload)"; }
+          __vacushell_load
+          unset __vacushell_load
+        fi
       fi
     '';
     shell.wrappedBash = wrappedBash;
+    shell.idempotentShellLines = lib.mkBefore ''
+      PROMPT_COMMAND=()
+      PS0=""
+    '';
     shell.functions = {
       "vacureload" = ''
         declare -gA vacuShellFunctionsLoaded
@@ -102,25 +95,27 @@ in
         for fullPath in ${cfg.functionsDir}/*; do
           local funcname="$(basename "$fullPath")"
           local followedPath="$(readlink -f "$fullPath")"
-          if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
+          if [[ "''${vacuShellFunctionsLoaded[$funcname]-}" != "$followedPath" ]]; then
             unset -f $funcname
-            eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
+            eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(<'$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
             vacuShellFunctionsLoaded[$funcname]=$followedPath
           fi
           unset followedPath
           unset funcname
         done
-        __set_idempotents
+        __run_idempotents
+        # your idempotent shell lines are idempotent, right?
+        __run_idempotents
       '';
-      "__set_idempotents" = cfg.idempotentShellLines;
+      "__run_idempotents" = cfg.idempotentShellLines;
       vhich = ''
         if [[ $# != 1 ]]; then
           echo "expected exactly one arg" 1>&2
           return 1
         fi
-        query="$1"
-        quote='`'"$query'"
-        kind="$(type -t "$query")"
+        declare query="$1"
+        declare quote='`'"$query'"
+        declare kind="$(type -t -- "$query")"
         if [[ "$kind" == "" ]]; then
           echo "could not find any command $quote" 1>&2
           return 1
@@ -150,7 +145,7 @@ in
             return 0
             ;;
           "file")
-            path="$(which "$query")"
+            path="$(type -p "$query")"
             # continue to below
             ;;
           *)
@@ -159,10 +154,10 @@ in
         esac
         echo "path:"
         while [[ -L "$path" ]]; do
-          dest="$(readlink "$path")"
+          declare dest="$(readlink -- "$path")"
           echo "  $path is a symlink to $dest"
           if [[ "$dest" != /* ]]; then
-            dest="$(dirname "$path")/$dest"
+            dest="$(dirname -- "$path")/$dest"
           fi
           path="$dest"
         done
@@ -171,18 +166,22 @@ in
           echo "$path does not exist!"
           return 1
         fi
-        canon="$(readlink -f "$path")"
+        if ! [[ -x "$path" ]]; then
+          echo "$path is not executable!"
+          return 1
+        fi
+        canon="$(readlink -f -- "$path")"
         if [[ "$path" != "$canon" ]]; then
           echo "  $path canonicalizes to $canon"
           path="$canon"
         fi
-        magic_parse="$(file --brief --mime "$path")"
+        magic_parse="$(file --brief --mime -- "$path")"
         echo "magic: $magic_parse"
         case "$magic_parse" in
           'text/x-shellscript;'* | 'text/plain;'*)
             echo "initial contents:"
             echo
-            cat "$path" | head --lines=10 | head --bytes=2000
+            head --lines=10 "$path" | head --bytes=2000
             echo "..."
             ;;
         esac

common/shell/not-aliases.nix

@@ -1,50 +1,88 @@
 # These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
-{ pkgs, lib, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  vaculib,
+  ...
+}:
 let
-  inherit (pkgs) writeScriptBin;
+  inherit (vaculib) script;
+  simple =
+    name: args:
+    let
+      binContents = ''
+        #!${lib.getExe pkgs.bash}
+        exec ${lib.escapeShellArgs args} "$@"'';
+      funcContents = ''
+        declare aliasName=${lib.escapeShellArg name}
+        declare -a replacementWords=(${lib.escapeShellArgs args})
+        declare replacementStr
+        declare oldIFS="$IFS"
+        IFS=' '
+        replacementStr="''${replacementWords[*]}"
+        IFS="$oldIFS"
+        COMP_LINE="''${COMP_LINE/#$aliasName/$replacementStr}"
+        COMP_POINT=$(( COMP_POINT + ''${#replacementStr} - ''${#aliasName} ))
+        COMP_CWORD=$(( COMP_CWORD + ''${#replacementWords[@]} - 1 ))
+        COMP_WORDS=("''${replacementWords[@]}" "''${COMP_WORDS[@]:1}")
+        _comp_command_offset 0
+      '';
+    in
+    pkgs.runCommandLocal "vacu-notalias-simple-${name}"
+      {
+        pname = name;
+        meta.mainProgram = name;
+      }
+      ''
+        mkdir -p "$out"/bin
+        printf '%s' ${lib.escapeShellArg binContents} > "$out"/bin/${name}
+        chmod a+x "$out"/bin/${name}
+        out_base="$(basename -- "$out")"
+        LC_ALL=C
+        completion_function_name="_completion_''${out_base//[^a-zA-Z0-9_]/_}"
+        completion_file="$out"/share/bash-completion/completions/${name}
+        mkdir -p "$(dirname -- "$completion_file")"
+        printf '%s() {\n%s\n}\n' "$completion_function_name" ${lib.escapeShellArg funcContents} > "$completion_file"
+        printf 'complete -F %s %s\n' "$completion_function_name" ${lib.escapeShellArg name} >> "$completion_file"
+      '';
   ms_text = with_sudo: ''
-    set -eo pipefail
-    if [[ $# -gt 3 ]] || [[ $# == 0 ]]; then
-      echo "wrong number of args" 1>&2
-      exit 1
-    fi
+    svl_minmax_args $# 1 2
     host="$1"
     session_name="''${2:-main}"
     set -x
     mosh -- "$host" ${lib.optionalString with_sudo "sudo"} screen -RdS "$session_name"
   '';
-  msl_text = ''
-    set -eo pipefail
-    if [[ $# != 1 ]]; then
-      echo "wrong number of args" 1>&2
-      exit 1
-    fi
-    host="$1"
-    echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
-  '';
+  systemctl = "${pkgs.systemd}/bin/systemctl";
+  journalctl = "${pkgs.systemd}/bin/journalctl";
 in
 {
+  imports = [ { vacu.packages.copy-altcaps.enable = config.vacu.isGui; } ];
   vacu.packages = [
-    (writeScriptBin "ms" (ms_text false))
-    (writeScriptBin "mss" (ms_text true))
-    (writeScriptBin "msl" msl_text)
-    (writeScriptBin "rmln" ''
-      set -eo pipefail
+    (script "ms" (ms_text false))
+    (script "mss" (ms_text true))
+    (script "msl" ''
+      svl_exact_args $# 1
+      host="$1"
+      echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
+    '')
+    (script "rmln" ''
+      svl_min_args $# 1
       for arg in "$@"; do
-        if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
-          echo "$0: $arg is not a symlink" 1>&2
-          exit 1
+        if [[ "$arg" != -* ]] && [[ ! -L "$arg" ]]; then
+          svl_die "$arg is not a symlink"
         fi
       done
       rm "$@"
     '')
-    (writeScriptBin "nr" ''
+    (script "copy-altcaps" ''
+      result="$(altcaps "$@")"
+      printf '%s' "$result" | wl-copy
+      echo "Copied to clipboard: $result"
+    '')
+    (script "nr" ''
       # nix run nixpkgs#<thing> -- <args>
-      set -eo pipefail
-      if [[ $# == 0 ]]; then
-        echo "need at least one arg" 1>&2
-        exit 1
-      fi
+      svl_min_args $# 1
       installable="$1"
       shift
       if [[ "$installable" != *'#'* ]]; then
@@ -52,13 +90,9 @@ in
       fi
       nix run "$installable" -- "$@"
     '')
-    (writeScriptBin "nb" ''
+    (script "nb" ''
       # nix build nixpkgs#<thing> <args>
-      set -eo pipefail
-      if [[ $# == 0 ]]; then
-        echo "need at least one arg" 1>&2
-        exit 1
-      fi
+      svl_min_args $# 1
       installable="$1"
       shift
       if [[ "$installable" != *'#'* ]]; then
@@ -66,9 +100,9 @@ in
       fi
       nix build "$installable" "$@"
     '')
-    (writeScriptBin "ns" ''
+    (script "ns" ''
       # nix shell nixpkgs#<thing>
-      set -eo pipefail
+      svl_min_args $# 1
       new_args=( )
       for arg in "$@"; do
         if [[ "$arg" != *'#'* ]] && [[ "$arg" != -* ]]; then
@@ -78,24 +112,115 @@ in
       done
       nix shell "''${new_args[@]}"
     '')
+    (script "nixview" ''
+      svl_min_args $# 1
+      view_cmd="$1"
+      shift
+      d="$(mktemp -d --suffix=vacu-nixview)"
+      l="$d/out"
+      nix build --out-link "$l" "$@"
+      "$view_cmd" "$l"
+      rm -r "$d"
+    '')
+    (simple "nixcat" [
+      "nixview"
+      "cat"
+    ])
+    (simple "nixless" [
+      "nixview"
+      "less"
+    ])
+    (simple "sc" [ systemctl ])
+    (simple "scs" [
+      systemctl
+      "status"
+      "--lines=20"
+      "--full"
+    ])
+    (simple "scc" [
+      systemctl
+      "cat"
+    ])
+    (simple "scr" [
+      systemctl
+      "restart"
+    ])
+    (simple "jc" [
+      journalctl
+      "--pager-end"
+    ])
+    (simple "jcu" [
+      journalctl
+      "--pager-end"
+      "-u"
+    ])
+    (simple "gs" [
+      "git"
+      "status"
+    ])
+    (script "list-auto-roots" ''
+      auto_roots="/nix/var/nix/gcroots/auto"
+      svl_exact_args $# 0
+      echo "List of auto-added nix gcroots, excluding system profiles:"
+      echo
+      for fn in "$auto_roots/"*; do
+        if ! [[ -L "$fn" ]]; then
+          die "fn is not a symlink!?: $fn"
+        fi
+        pointed="$(readlink -v -- "$fn")"
+        if ! [[ -e "$pointed" ]]; then
+          continue
+        fi
+        if [[ "$pointed" == /nix/var/nix/profiles/system-* ]]; then
+          continue
+        fi
+        printf '%s\n' "$pointed"
+      done
+    '')
   ];
   vacu.shell.functions = {
     nd = ''
-      declare -a args
-      args=("$@")
+      svl_min_args $# 1
+      declare -a args=("$@")
       lastarg="''${args[-1]}"
-      if [[ "$lastarg" == "-*" ]]; then
-        echo "$0: last argument must be the directory" 1>&2
+      if [[ "$lastarg" == "-"* ]]; then
+        echo "nd: last argument must be the directory" 1>&2
         return 1
       fi
-      for arg in "''${args[@]::''${#args[@]}-1}}"; do
-        if [[ "$arg" != "-*" ]]; then
-          echo "$0: last argument must be the directory" 1>&2
+      for arg in "''${args[@]::''${#args[@]}-1}"; do
+        if [[ "$arg" != "-"* ]]; then
+          echo "nd: last argument must be the directory" 1>&2
           return 1
         fi
       done
       mkdir "''${args[@]}" && cd "''${args[-1]}"
     '';
-    nt = ''pushd $(mktemp -d "$@")'';
+    nt = ''pushd "$(mktemp -d "$@")"'';
   };
+  vacu.textChecks."vacu-shell-functions-nd" = ''
+    source ${lib.escapeShellArg pkgs.shellvaculib.file}
+    function nd() {
+      ${config.vacu.shell.functions.nd}
+    }
+
+    start=/tmp/test-place
+    mkdir -p $start
+    cd $start
+    nd a
+    [[ "$PWD" == "$start/a" ]]
+    cd $start
+    nd -p b/c
+    [[ "$PWD" == "$start/b/c" ]]
+  '';
+  vacu.textChecks."vacu-shell-functions-nt" = ''
+    source ${lib.escapeShellArg pkgs.shellvaculib.file}
+    function nt() {
+      ${config.vacu.shell.functions.nt}
+    }
+    start=$PWD
+    nt
+    [[ "$PWD" != "$start" ]]
+    popd
+    [[ "$PWD" == "$start" ]]
+  '';
 }

common/shell/ps1.nix

@@ -12,41 +12,6 @@ let
 
   # TODO: reset_without_clear doesn't fully work
   # thanks colin https://git.uninsane.org/colin/nix-files/src/commit/7f5b2628016c8ca1beec417766157c7676a9c5e5/hosts/common/programs/zsh/starship.nix#L24
-  set = opt: ''\e[?${opt}h'';
-  clear = opt: ''\e[?${opt}l'';
-  reset_without_clear = builtins.concatStringsSep "" [
-    # reset terminal mode (in case the previous command screwed with it)
-    # 'l' = turn option of, 'h' = turn option on.
-    #
-    # options are enumerated in Alacritty's VTE library's `PrivateMode` type:
-    # - <https://github.com/alacritty/vte/blob/ebc4a4d7259678a8626f5c269ea9348dfc3e79b2/src/ansi.rs#L845>
-    # see also the reset code path (does a bit too much, like clearing the screen):
-    # - <https://github.com/alacritty/alacritty/blob/6067787763e663bd308e5b724a5efafc2c54a3d1/alacritty_terminal/src/term/mod.rs#L1802>
-    # and the crucial TermMode::default: <https://github.com/alacritty/alacritty/blob/master/alacritty_terminal/src/term/mod.rs#L113>
-    #
-    # query the state of any mode bit `<n>` with `printf '\033[?<n>$p'`
-    # e.g. `printf '\033[?7$p'` returns `^[[?7;1$y` with the `1` indicating it's **set**,
-    #      `printf '\033[?1000$p'` returns `^[[?1000;2$y` with the `2` indicating it's **unset**.
-    #
-    # TODO: unset Line mode and Insert mode?
-    (clear "1") # Cursor Keys
-    # (clear "3") # Column Mode (i.e. clear screen/history)
-    (clear "6") # Origin
-    (set "7") # Line Wrap
-    (clear "12") # Blinking Cursor
-    (set "25") # Show Cursor
-    (clear "1000") # Report Mouse Clicks
-    (clear "1002") # Report Cell Mouse Motion
-    (clear "1003") # Report All Mouse Motion
-    (clear "1004") # Report Focus In/Out
-    (clear "1005") # UTF8 Mouse
-    (clear "1006") # Sgr Mouse
-    (set "1007") # Alternate Scroll
-    (set "1042") # Urgency Hints
-    # (clear "1049") # Swap Screen And Set Restore Cursor
-    (clear "2004") # Bracketed Paste
-    (clear "2026") # Sync Update
-  ];
   # https://man.archlinux.org/man/bash.1#PROMPTING
   # \[ and \] begins and ends "a sequence of non-printing characters"
   set_color = colornum: ''\[\e[1;${toString colornum}m\]'';
@@ -58,20 +23,35 @@ let
   hostName = if vacuModuleType == "plain" then ''\h'' else config.vacu.shortHostName;
   default_ps1 =
     root:
-    ''\n''
+    ""
+    + ''\n''
     # + ''\[${reset_without_clear}\]''
     + (set_color colornum)
-    + ''${root_text root}${hostName}:\w''
+    + "${root_text root}${hostName}:\\w"
+    + " "
+    + ''$(vacu_shell_show_return_code)''
+    + ''\n''
+    + (set_color colornum)
     + (final root)
     + reset_color
     + " ";
 in
 {
   vacu.shell.idempotentShellLines = ''
-    if [ $UID = 0 ]; then
-      export PS1=${lib.escapeShellArg (default_ps1 true)}
+    function vacu_shell_show_return_code() {
+      local ret=$?
+      local color=${toString colors.green}
+      if [[ "$ret" != 0 ]]; then
+        color=${toString colors.red}
+      fi
+      printf '\e[1;%dm' $color
+      printf "%d" "$ret"
+      return "$ret"
+    }
+    if [[ $EUID == 0 ]]; then
+      PS1=${lib.escapeShellArg (default_ps1 true)}
     else
-      export PS1=${lib.escapeShellArg (default_ps1 false)}
+      PS1=${lib.escapeShellArg (default_ps1 false)}
     fi
   '';
 }

common/shell/qcd.nix

@@ -0,0 +1,50 @@
+{
+  lib,
+  config,
+  vacuModuleType,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  home =
+    if vacuModuleType == "nix-on-droid" then
+      "/data/data/com.termux.nix/files/home"
+    else
+      "/home/shelvacu";
+in
+{
+  options.vacu.qcd = mkOption {
+    default = { };
+    type = types.attrsOf types.path;
+  };
+  config.vacu.shell.functions.qcd = ''
+    svl_exact_args $# 1
+    declare the_arg="$1"
+
+    declare base="''${the_arg%%/*}"
+    declare rest="''${the_arg:''${#base}}"
+    declare path
+
+    if false; then :
+    ${lib.pipe config.vacu.qcd [
+      (lib.mapAttrsToList (
+        alias: path:
+        ''elif [[ $base == ${lib.escapeShellArg alias} ]]; then path=${lib.escapeShellArg path}''
+      ))
+      (lib.concatStringsSep "\n")
+    ]}
+    fi
+    if ! [[ -v path ]]; then
+      svl_eprintln "unrecognized alias $base"
+      return 1
+    fi
+
+    cd -- "$path$rest"
+  '';
+  config.vacu.qcd = {
+    ns = "${home}/dev/nix-stuff";
+    np = "${home}/dev/nixpkgs";
+    dev = "${home}/dev";
+  };
+}

common/shell/tweaks.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  config.vacu.shell.idempotentShellLines = ''
+    if [[ $- == *i* ]]; then
+      # don't overwrite files by default when using > redirection
+      set -o noclobber
+      # disable ! history expansion
+      set +o histexpand
+    fi
+  '';
+}

common/shell/vacuhistory.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  config.vacu = {
+    shell.idempotentShellLines = ''
+      if [[ -z "''${VACU_HISTORY_SESSION_ID-}" ]]; then
+        VACU_HISTORY_SESSION_ID="$(${pkgs.libossp_uuid}/bin/uuid)"
+      fi
+      VACU_HISTORY_DB_PATH="$HOME/vacu-shell-history.sqlite"
+      function vacu_history_record() {
+        LC_ALL=C HISTTIMEFORMAT='%S|%M|%H|%d|%m|%Y|%w|%j|%z|' history 1 | VACU_HISTORY_SESSION_ID="$VACU_HISTORY_SESSION_ID" VACU_HISTORY_DB_PATH="$VACU_HISTORY_DB_PATH" ${pkgs.vacu-history}/bin/vacu-history
+      }
+      PS0='$(vacu_history_record >/dev/null)'"$PS0"
+    '';
+  };
+}

common/sops.nix

@@ -6,37 +6,65 @@
   ...
 }:
 let
-  userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
-  liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
   ssh-to-age = lib.getExe pkgs.ssh-to-age;
-  sopsConfig =
-    pkgs.runCommand "sops.yaml" { env.sshUserKeys = lib.concatStringsSep "\n" userKeys; }
-      ''
-        set -e
-        liamKey="$(echo "${liamKey}" | ${ssh-to-age})"
-        declare -a userKeys
-        mapfile -t userKeys < <(echo "$sshUserKeys" | ${ssh-to-age})
-        declare -p userKeys
-        cat <<END >> $out
-        creation_rules:
-          - path_regex: secrets/misc/[^/]+$
-            key_groups:
-              - age: [$(printf '"%s", ' "''${userKeys[@]}")]
-          - path_regex: secrets/liam/[^/]+$
-            key_groups:
-              - age: ["$liamKey",$(printf '"%s", ' "''${userKeys[@]}")]
-          - path_regex: /tests/test_secrets/
-            key_groups:
-              - age: ["age1eqv5759uknu7d46rqyyzsmgt43qumsge3makeWrapp3yp2xygapprnt8zu3sqx6kt8w"]
-        END
-      '';
+  sshToAge =
+    sshPubText:
+    vaculib.outputOf {
+      name = "age-from-ssh.txt";
+      cmd = ''printf '%s' ${lib.escapeShellArg sshPubText} | ${ssh-to-age} > "$out"'';
+    };
+  userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
+  userKeysAge = map sshToAge userKeys;
+  agesOf = hostname: map sshToAge config.vacu.hosts.${hostname}.sshKeys;
+  singleGroup = keys: [ { age = keys; } ];
   testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
+  testAgePublic = vaculib.outputOf {
+    name = "test-age-public-key.txt";
+    cmd = ''printf '%s' ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y > "$out"'';
+  };
+  sopsConfig = {
+    creation_rules = [
+      {
+        path_regex = "/secrets/misc/[^/]+$";
+        key_groups = singleGroup userKeysAge;
+      }
+      {
+        path_regex = "/secrets/hosts/liam\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "liam");
+      }
+      {
+        path_regex = "/secrets/hosts/triple-dezert\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert");
+      }
+      {
+        path_regex = "/secrets/hosts/prophecy\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "prophecy");
+      }
+      {
+        path_regex = "/secrets/hosts/solis\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "solis");
+      }
+      {
+        path_regex = "/secrets/radicle-private\\.key$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "fw");
+      }
+      {
+        path_regex = "/secrets/garage-rpc\\.key$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert" ++ agesOf "prophecy" ++ agesOf "solis");
+      }
+      {
+        path_regex = "/tests/triple-dezert/test_secrets/";
+        key_groups = singleGroup [ testAgePublic ];
+      }
+    ];
+  };
+  sopsConfigFile = pkgs.writers.writeYAML "sops.yaml" sopsConfig;
   wrappedSops = vaculib.makeWrapper {
     original = lib.getExe pkgs.sops;
     new = "vacu-nix-stuff-sops";
     add_flags = [
       "--config"
-      sopsConfig
+      sopsConfigFile
     ];
     run = lib.singleton ''
       set -e
@@ -49,6 +77,6 @@ let
   };
 in
 {
-  options.vacu.sopsConfig = vaculib.mkOutOption sopsConfig;
+  options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile;
   options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
 }

common/sourceTree.nix

@@ -7,30 +7,7 @@
   ...
 }:
 let
-  inherit (builtins) isString isAttrs;
   inherit (lib) mkOption types;
-  traverseInputs =
-    linkDir: unfilteredInputs:
-    assert isString linkDir;
-    assert isAttrs unfilteredInputs;
-    let
-      inputs = removeAttrs unfilteredInputs [ "self" ];
-    in
-    lib.concatStringsSep "\n" (
-      lib.mapAttrsToList (
-        inputName: inputAttrs:
-        let
-          thisDir = linkDir + "/" + inputName;
-        in
-        assert isAttrs inputAttrs;
-        assert isAttrs (inputAttrs.inputs or { });
-        ''
-          mkdir -p ${thisDir}
-          ln -s ${inputAttrs} ${thisDir}/self
-          ${traverseInputs thisDir (inputAttrs.inputs or { })}
-        ''
-      ) inputs
-    );
 in
 {
   options.vacu.sourceTree = mkOption {
@@ -39,13 +16,11 @@ in
   };
   config =
     {
-      vacu.sourceTree = pkgs.runCommand "inputs-tree" { } ''
-        mkdir -p $out
-        ln -s ${inputs.self} $out/self
-        ${traverseInputs "$out" inputs}
-      '';
+      vacu.sourceTree = pkgs.linkFarm "simple-inputs-tree" inputs;
     }
     // (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
-      environment.etc."vacu/sources".source = "${config.vacu.sourceTree}";
+      environment.etc = lib.optionalAttrs (!config.vacu.isMinimal) {
+        "vacu/sources".source = "${config.vacu.sourceTree}";
+      };
     });
 }

common/ssh.nix

@@ -1,149 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}:
-let
-  inherit (lib)
-    mkOption
-    types
-    flip
-    concatMapStringsSep
-    optionalString
-    concatStringsSep
-    readFile
-    literalExpression
-    ;
-  inherit (builtins) attrValues;
-  cfg = config.vacu;
-  knownHosts = attrValues cfg.ssh.knownHosts;
-  knownHostsText =
-    (flip (concatMapStringsSep "\n") knownHosts (
-      h:
-      assert h.hostNames != [ ];
-      optionalString h.certAuthority "@cert-authority "
-      + concatStringsSep "," h.hostNames
-      + " "
-      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-    ))
-    + "\n";
-in
-{
-  options = {
-    vacu.ssh.knownHostsText = mkOption {
-      type = types.str;
-      readOnly = true;
-      default = knownHostsText;
-    };
-    #vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
-    vacu.ssh.authorizedKeys = mkOption {
-      type = types.attrsOf types.str;
-      default = { };
-    };
-    vacu.ssh.config = mkOption { type = types.lines; };
-    # Straight copied from nixpkgs 
-    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
-    vacu.ssh.knownHosts = mkOption {
-      default = { };
-      type = types.attrsOf (
-        types.submodule (
-          {
-            name,
-            config,
-            options,
-            ...
-          }:
-          {
-            options = {
-              certAuthority = mkOption {
-                type = types.bool;
-                default = false;
-                description = ''
-                  This public key is an SSH certificate authority, rather than an
-                  individual host's key.
-                '';
-              };
-              hostNames = mkOption {
-                type = types.listOf types.str;
-                default = [ name ] ++ config.extraHostNames;
-                defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
-                description = ''
-                  A list of host names and/or IP numbers used for accessing
-                  the host's ssh service. This list includes the name of the
-                  containing `knownHosts` attribute by default
-                  for convenience. If you wish to configure multiple host keys
-                  for the same host use multiple `knownHosts`
-                  entries with different attribute names and the same
-                  `hostNames` list.
-                '';
-              };
-              extraHostNames = mkOption {
-                type = types.listOf types.str;
-                default = [ ];
-                description = ''
-                  A list of additional host names and/or IP numbers used for
-                  accessing the host's ssh service. This list is ignored if
-                  `hostNames` is set explicitly.
-                '';
-              };
-              publicKey = mkOption {
-                default = null;
-                type = types.nullOr types.str;
-                example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-                description = ''
-                  The public key data for the host. You can fetch a public key
-                  from a running SSH server with the {command}`ssh-keyscan`
-                  command. The public key should not include any host names, only
-                  the key type and the key itself.
-                '';
-              };
-              publicKeyFile = mkOption {
-                default = null;
-                type = types.nullOr types.path;
-                description = ''
-                  The path to the public key file for the host. The public
-                  key file is read at build time and saved in the Nix store.
-                  You can fetch a public key file from a running SSH server
-                  with the {command}`ssh-keyscan` command. The content
-                  of the file should follow the same format as described for
-                  the `publicKey` option. Only a single key
-                  is supported. If a host has multiple keys, use
-                  {option}`programs.ssh.knownHostsFiles` instead.
-                '';
-              };
-            };
-          }
-        )
-      );
-      description = ''
-        The set of system-wide known SSH hosts. To make simple setups more
-        convenient the name of an attribute in this set is used as a host name
-        for the entry. This behaviour can be disabled by setting
-        `hostNames` explicitly. You can use
-        `extraHostNames` to add additional host names without
-        disabling this default.
-      '';
-      example = literalExpression ''
-        {
-          myhost = {
-            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
-          };
-          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
-          "myhost2.net/dsa" = {
-            hostNames = [ "myhost2.net" ];
-            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
-          };
-        }
-      '';
-    };
-  };
-  config.vacu.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
-    name: data: {
-      assertion =
-        (data.publicKey == null && data.publicKeyFile != null)
-        || (data.publicKey != null && data.publicKeyFile == null);
-      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-    }
-  );
-}

common/staticNames.nix

@@ -0,0 +1,89 @@
+{
+  lib,
+  vacuModuleType,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  domainPartRegex = "[[:alnum:]]([[:alnum:]-]{0,61}[[:alnum:]])?";
+  domainRegex = ''^${domainPartRegex}(\.${domainPartRegex})*$'';
+  domainType = types.strMatching domainRegex;
+  hostsLines = lib.pipe config.vacu.staticNames [
+    (lib.mapAttrsToList (k: v: [ k ] ++ v))
+    (lib.filter (v: (builtins.length v) > 1))
+    (map (lib.concatStringsSep " "))
+    (lib.concatStringsSep "\n")
+  ];
+  ip4Seg = ''[0-9]{1,3}'';
+  ip4Regex = lib.concatStringsSep ''\.'' [
+    ip4Seg
+    ip4Seg
+    ip4Seg
+    ip4Seg
+  ];
+  ip6Regex = ''[0-9a-fA-F:]+'';
+  ipRegex = ''(${ip4Regex})|(${ip6Regex})'';
+in
+{
+  imports =
+    [
+      {
+        vacu.assertions = map (ip: {
+          assertion = (builtins.match ipRegex ip) != null;
+          message = ''config.vacu.staticNames: attr name "${ip}" is invalid'';
+        }) (builtins.attrNames config.vacu.staticNames);
+      }
+    ]
+    ++ lib.optional (vacuModuleType == "nixos") { networking.hosts = config.vacu.staticNames; }
+    ++ lib.optional (vacuModuleType == "nix-on-droid") {
+      environment.etc.hosts.text = ''
+        127.0.0.1 localhost
+        ::1 localhost
+        ${hostsLines}
+      '';
+    };
+
+  options.vacu.staticNames = mkOption {
+    type = types.attrsOf (types.listOf domainType);
+    default = { };
+  };
+
+  config.vacu.staticNames = {
+    "205.201.63.13" = [
+      "prop"
+      "prophecy"
+      "prophecy.shelvacu-static"
+    ];
+    "10.78.79.22" = [ "prophecy.t2d.lan.shelvacu-static" ];
+    "178.128.79.152" = [
+      "liam"
+      "liam.shelvacu-static"
+    ];
+    "172.83.159.53" = [
+      "trip"
+      "triple-dezert"
+      "triple-dezert.shelvacu-static"
+    ];
+    "10.78.79.237" = [ "triple-dezert.t2d.lan.shelvacu-static" ];
+    "205.201.63.12" = [
+      "servo"
+      "uninsane-servo.shelvacu-static"
+    ];
+    "10.78.79.1" = [
+      "vnopn"
+      "vnopn.shelvacu-static"
+      "vnopn.t2d.lan.shelvacu-static"
+    ];
+    "10.78.79.11" = [
+      "mmm"
+      "mmm.shelvacu-static"
+      "mmm.t2d.lan.shelvacu-static"
+    ];
+    "10.78.79.69" = [
+      "oeto"
+      "oeto.shelvacu-static"
+      "oeto.t2d.lan.shelvacu-static"
+    ];
+  };
+}

common/thunderbird.nix

@@ -0,0 +1,100 @@
+{
+  lib,
+  config,
+  vacuModuleType,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  vacustoreCalUUID = "dd9a924e-57d9-4ea1-b7ec-22d1f0ff3d51";
+  vacustoreCalConfig = {
+    "cache.enabled" = true;
+    calendar-main-in-composite = true;
+    color = "#33d17a";
+    disabled = false;
+    "imip.identity.key" = "id1"; #what is this
+    name = "Personal";
+    readOnly = false;
+    type = "caldav";
+    uri = "https://vacu.store/remote.php/dav/calendars/shelvacu/personal/";
+    username = "shelvacu";
+  };
+in
+{
+  options.vacu.programs.thunderbird = {
+    enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+  config = lib.optionalAttrs (vacuModuleType == "nixos") (lib.mkIf config.vacu.programs.thunderbird.enable {
+    programs.thunderbird = {
+      enable = true;
+      policies = {
+        DisableTelemetry = true;
+        DNSOverHTTPS.Enabled = false;
+        ExtensionSettings = {
+          #*cloud - FileLink for Nextcloud and ownCloud
+          "cloud@johannes-endres.de".installation_mode = "normal_installed";
+          #NTFNTF: Notify on This Folder Not That Folder
+          "ntfntf@dan-sullivan.co.uk".installation_mode = "normal_installed";
+        };
+        SSLVersionMin = "tls1.3";
+        SearchEngines.Remove = [
+          "Amazon.com"
+          "Bing"
+          "DuckDuckGo"
+          "Google"
+          "Wikipedia (en)"
+        ];
+      };
+      preferences = {
+        "accessibility.typeaheadfind.flashBar" = 0; #what is this
+        "app.donation.eoy.version.viewed" = -1; #dunno if this actually works
+        "browser.search.region" = "US";
+        "calendar.alarms.playsound" = false;
+        "calendar.alarms.show" = false;
+        "calendar.ui.version" = 3;
+        "intl.date_time.pattern_override.date_full" = "MMMM d, yyyy G z";
+        "intl.date_time.pattern_override.date_short" = "yyyy-MM-dd";
+        "intl.date_time.pattern_override.time_medium" = "HH:mm:ss z";
+        "intl.date_time.pattern_override.time_short" = "HH:mm";
+        # "ldap_2.servers.Contacts.carddav.url" = "https://vacu.store/remote.php/dav/addressbooks/users/shelvacu/contacts/";
+        # "ldap_2.servers.Contacts.carddav.username" = "shelvacu";
+        # "ldap_2.servers.Contacts.description" = "vacu.store Contacts";
+        # "ldap_2.servers.Contacts.dirType" = 102; #no idea what this does
+        "mail.account.account1.identities" = "id1,id2,id3";
+        "mail.account.account1.server" = "server1";
+        "mail.compose.other.header" = "X-Shelvacu-Custom-Header";
+        "mail.compose.warned_about_customize_from" = true;
+        "mail.identity.id1.fullName" = "Shelvacu";
+        "mail.identity.id1.useremail" = "shelvacu@shelvacu.com";
+        "mail.identity.id1.catchAll" = true;
+        "mail.server.server1.hostname" = "imap.shelvacu.com";
+        "mail.server.server1.login_at_startup" = true;
+        "mail.server.server1.name" = "shelvacu@shelvacu.com";
+        "mail.server.server1.port" = 993;
+        "mail.server.server1.type" = "imap";
+        "mail.server.server1.socketType" = 3; #TLS (as opposed to plaintext or STARTTLS)
+        "mail.server.server1.userName" = "shelvacu";
+        "mail.shell.checkDefaultClient" = false;
+        "mail.showCondensedAddresses" = false;
+        "mail.smtp.defaultserver" = "smtp1";
+        "mail.smtpserver.smtp1.authMethod" = 3;
+        "mail.smtpserver.smtp1.hostname" = "smtp.shelvacu.com";
+        "mail.smtpserver.smtp1.port" = 465;
+        "mail.smtpserver.smtp1.try_ssl" = 3;
+        "mail.smtpserver.smtp1.type" = "smtp";
+        "mail.smtpserver.smtp1.username" = "shelvacu";
+        "mail.startup.enabledMailCheckOnce" = true;
+        "mail.threadpane.listview" = 1;
+        "mailnews.customHeaders" = "X-Vacu-Action";
+        "mailnews.default_sort_type" = 27;
+        "mailnews.mark_message_read.auto" = false;
+        "mailnews.start_page.enabled" = false;
+        # "searchintegration.enable" = false;
+      } // vaculib.mapAttrNames (n: "calendar.registry.${vacustoreCalUUID}.${n}") vacustoreCalConfig;
+    };
+  });
+}

common/units-config.nix

@@ -30,5 +30,6 @@
     dollar = "USD";
     cent = "0.01 USD";
     "$" = "USD";
+    BTC = "bitcoin";
   };
 }

common/units-impl.nix

@@ -7,34 +7,40 @@
 }:
 let
   inherit (lib) mkOption types;
-  unitNameRegex = let
-    # Unit  names cannot begin or end with an underscore (‘_’), a comma (‘,’) or a decimal point (‘.’).  Names must not contain any of the operator characters ‘+’, ‘-’, ‘*’, ‘/’, ‘|’, ‘^’, ‘;’, ‘~’, the comment character ‘#’, or parentheses.  To facilitate copying and pasting from documents, several typographical characters are converted to operators: the figure dash (U+2012), minus (‘-’; U+2212), and en dash (‘–’; U+2013) are converted to the operator ‘-’; the multiplication sign (‘×’; U+00D7), N-ary times operator (U+2A09), dot operator (‘⋅’; U+22C5), and middle dot (‘·’; U+00B7) are converted to the operator ‘*’; the division sign (‘÷’; U+00F7) is converted to the operator ‘/’; and the fraction slash (U+2044) is converted to the operator ‘|’; accordingly, none of these characters can appear in unit names.
-    disallowedAnywhere = "+*/|^;~#()" + (builtins.fromJSON ''"\u2012\u2212\u2013\u00d7\u2a09\u22c5\u00b7\u00f7\u2044"'');
-    disallowedMiddle = "-" + disallowedAnywhere;
-    disallowedAtEnd = "23456789_,." + disallowedAnywhere;
-    disallowedAtBegin = "-01" + disallowedAtEnd;
-    anyExcept = chars: ''[^${lib.escapeRegex chars}]'';
-    singleChar = anyExcept disallowedAtBegin;
-    multiChar = ''${anyExcept disallowedAtBegin}${anyExcept disallowedMiddle}*${anyExcept disallowedAtEnd}'';
-    numberSuffix = regex: ''${regex}_[0-9\.,]+'';
-    fullRegex = ''${singleChar}|${multiChar}|${numberSuffix singleChar}|${numberSuffix multiChar}'';
-  in fullRegex;
-  unitsAttrsType = types.addCheck (types.attrsOf types.str) (attrs:
-    builtins.all (name: (builtins.match unitNameRegex name) != null) (builtins.attrNames attrs)
+  unitNameRegex =
+    let
+      # Unit  names cannot begin or end with an underscore (‘_’), a comma (‘,’) or a decimal point (‘.’).  Names must not contain any of the operator characters ‘+’, ‘-’, ‘*’, ‘/’, ‘|’, ‘^’, ‘;’, ‘~’, the comment character ‘#’, or parentheses.  To facilitate copying and pasting from documents, several typographical characters are converted to operators: the figure dash (U+2012), minus (‘-’; U+2212), and en dash (‘–’; U+2013) are converted to the operator ‘-’; the multiplication sign (‘×’; U+00D7), N-ary times operator (U+2A09), dot operator (‘⋅’; U+22C5), and middle dot (‘·’; U+00B7) are converted to the operator ‘*’; the division sign (‘÷’; U+00F7) is converted to the operator ‘/’; and the fraction slash (U+2044) is converted to the operator ‘|’; accordingly, none of these characters can appear in unit names.
+      disallowedAnywhere =
+        "+*/|^;~#()" + (builtins.fromJSON ''"\u2012\u2212\u2013\u00d7\u2a09\u22c5\u00b7\u00f7\u2044"'');
+      disallowedMiddle = "-" + disallowedAnywhere;
+      disallowedAtEnd = "23456789_,." + disallowedAnywhere;
+      disallowedAtBegin = "-01" + disallowedAtEnd;
+      anyExcept = chars: "[^${lib.escapeRegex chars}]";
+      singleChar = anyExcept disallowedAtBegin;
+      multiChar = "${anyExcept disallowedAtBegin}${anyExcept disallowedMiddle}*${anyExcept disallowedAtEnd}";
+      numberSuffix = regex: "${regex}_[0-9\\.,]+";
+      fullRegex = "${singleChar}|${multiChar}|${numberSuffix singleChar}|${numberSuffix multiChar}";
+    in
+    fullRegex;
+  unitsAttrsType = types.addCheck (types.attrsOf types.str) (
+    attrs: builtins.all (name: (builtins.match unitNameRegex name) != null) (builtins.attrNames attrs)
   );
   unitsDir = pkgs.stdenvNoCC.mkDerivation {
     name = "vacu-units-files";
 
     src = pkgs.units.src;
 
-    phases = [ "unpackPhase" "installPhase" ];
+    phases = [
+      "unpackPhase"
+      "installPhase"
+    ];
 
     installPhase = ''
-      mkdir -p $out
-      cp {definitions,elements}.units $out
-      ln -s ${../units/currency.units} $out/currency.units
-      ln -s ${../units/cpi.units} $out/cpi.units
-      echo ${lib.escapeShellArg config.vacu.units.lines} > $out/vacu.units
+      mkdir -p "$out"
+      cp {definitions,elements}.units "$out"
+      ln -s ${../units/currency.units} "$out"/currency.units
+      ln -s ${../units/cpi.units} "$out"/cpi.units
+      printf '%s' ${lib.escapeShellArg config.vacu.units.lines} > "$out"/vacu.units
     '';
   };
 in
@@ -42,7 +48,8 @@ in
   options.vacu.units = {
     originalPackage = mkOption {
       type = types.package;
-      default = pkgs.units;
+      default = pkgs.units.override { enableCurrenciesUpdater = false; };
+      defaultText = "pkgs.units.override { ... }";
     };
     finalPackage = mkOption {
       type = types.package;
@@ -66,7 +73,7 @@ in
     };
     extraUnits = mkOption {
       type = unitsAttrsType;
-      default = {};
+      default = { };
     };
   };
   config = lib.mkMerge [
@@ -76,32 +83,10 @@ in
           original = config.vacu.units.originalPackage;
           new = "units";
           prepend_flags = [
-            "--file" config.vacu.units.generatedConfigFile
+            "--file"
+            config.vacu.units.generatedConfigFile
           ];
         };
-        check = pkgs.runCommand "check-units" { } ''
-          # `units --check` returns success (exit code 0) regardless of success >:(
-          # example output:
-          
-          # $ result/bin/units --check
-          # Currency exchange rates from exchangerate-api.com (USD base) on 2024-11-14 
-          # Consumer price index data from US BLS, 2024-02-18 
-          # 7247 units, 125 prefixes, 134 nonlinear units
-          #
-
-          output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
-          echo "$output"
-          filteredLines="$(echo "$output" \
-            | grep -v '^\s*$' \
-            | grep -v 'Currency exchange rates from' \
-            | grep -v 'Consumer price index data from' \
-            | grep -vE '[0-9]+ units, [0-9]+ prefixes, [0-9]+ nonlinear units' || true
-          )"
-          if [[ -n "$filteredLines" ]]; then
-            exit 1
-          fi
-          touch $out
-        '';
         generatedConfigDir = unitsDir;
         generatedConfigFile = "${unitsDir}/vacu.units";
         lines = lib.mkOrder 750 ''
@@ -109,9 +94,34 @@ in
           !include definitions.units
         '';
       };
+      vacu.textChecks.units-config = ''
+        # `units --check` returns success (exit code 0) regardless of success >:(
+        # example output:
+
+        # $ result/bin/units --check
+        # Currency exchange rates from exchangerate-api.com (USD base) on 2024-11-14 
+        # Consumer price index data from US BLS, 2024-02-18 
+        # 7247 units, 125 prefixes, 134 nonlinear units
+        #
+
+        output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
+        printf '%s' "$output"
+        filteredLines="$(printf '%s' "$output" \
+          | grep -v '^\s*$' \
+          | grep -v 'Currency exchange rates from' \
+          | grep -v 'Consumer price index data from' \
+          | grep -vE '[0-9]+ units, [0-9]+ prefixes, [0-9]+ nonlinear units' || true
+        )"
+        if [[ -n "$filteredLines" ]]; then
+          exit 1
+        fi
+        touch "$out"
+      '';
     }
     {
-      vacu.units.lines = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "+${name}\t${value}") config.vacu.units.extraUnits);
+      vacu.units.lines = lib.concatStringsSep "\n" (
+        lib.mapAttrsToList (name: value: "+${name}	${value}") config.vacu.units.extraUnits
+      );
     }
   ];
 }

common/verify-system/default.nix

@@ -9,12 +9,10 @@ let
   cfg = config.vacu.verifySystem;
 in
 {
-  imports = [
-    ./nixos.nix
-  ];
+  imports = [ ./nixos.nix ];
   options.vacu.verifySystem = {
     enable = (mkEnableOption "verify system is what is expected") // {
-      default = true;
+      default = false;
     };
     verifiers = mkOption {
       default = { };
@@ -31,6 +29,7 @@ in
               script = mkOption {
                 type = types.lines;
                 default = "## system ident check ${config.name}";
+                defaultText = lib.literalText ''## system ident check ${name}''; 
               };
             };
           }
@@ -44,20 +43,21 @@ in
         enabled = builtins.filter (s: s.enable) verifiers;
         files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
         script = ''
-                  ## vacu verify-system
-          	for f in ${lib.concatStringsSep " " files}; do
-          	  echo "verifying system with $f"
-          	  if ! source $f; then
-          	    echo "ERR: $f failed" >&2
-          	    return 1
-          	  fi
-          	done
+          ## vacu verify-system
+          for f in ${lib.concatStringsSep " " files}; do
+            echo "verifying system with $f"
+            if ! source $f; then
+              echo "ERR: $f failed" >&2
+              return 1
+            fi
+          done
         '';
         scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
       in
       mkOption {
         readOnly = true;
         default = scriptFile;
+        defaultText = "vacu-verify-system-all.sh package";
       };
   };
 }

common/verify-system/nixos.nix

@@ -10,7 +10,8 @@ let
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
   options.vacu.verifySystem.expectedMac = mkOption {
-    type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}");
+    # lowercase only
+    type = types.nullOr (types.strMatching "[a-f0-9]{2}(:[a-f0-9]{2}){5}");
     default = null;
   };
   config = lib.mkIf config.vacu.verifySystem.enable {
@@ -20,25 +21,26 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
     # };
 
     system.extraSystemBuilderCmds = ''
-      mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
-      cat <<EOF > $out/bin/switch-to-configuration
-      #!${pkgs.bash}/bin/bash
-      oldpath="$PATH"
-      export PATH="${pkgs.coreutils}/bin"
-      if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
-      export PATH="$oldpath"
-      exec $out/bin/.switch-to-configuration-unverified "\$@"
-      EOF
+      mv "$out"/bin/switch-to-configuration "$out"/bin/.switch-to-configuration-unverified
+      echo '#!${pkgs.bash}/bin/bash
+      (
+        PATH="${pkgs.coreutils}/bin"
+        if ! source ${config.vacu.verifySystem.verifyAllScript}; then
+          exit $?
+        fi
+      )
+      ' > "$out"/bin/switch-to-configuration
+      echo "exec $out/bin/.switch-to-configuration-unverified" '"$@"' >> "$out"/bin/switch-to-configuration
 
-      ${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
+      ${pkgs.coreutils}/bin/chmod a+x "$out"/bin/switch-to-configuration
     '';
 
     vacu.verifySystem.verifiers = {
       hostname = {
         enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
         script = ''
-          expected=${config.networking.hostName}
-          actual=$(cat /proc/sys/kernel/hostname)
+          expected=${lib.escapeShellArg config.networking.hostName}
+          actual="$(</proc/sys/kernel/hostname)"
           if [[ "$expected" != "$actual" ]]; then
             echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
             return 1
@@ -48,18 +50,19 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       expectedMac = {
         enable = config.vacu.verifySystem.expectedMac != null;
         script = ''
-          	   expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
-          	   declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten | join("\n")' -r))
-          	   for ifMac in "''${actual[@]}"; do
-                       if [[ "$ifMac" == "$expected" ]]; then
-          	       # all is well
-          	       return 0
-          	      fi
-          	   done
-          	   echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
-          	   echo "     Found MAC addresses: ''${actual[*]}" >&2
-          	   return 1
-          	 '';
+          declare expected=${lib.escapeShellArg (lib.toUpper config.vacu.verifySystem.expectedMac)}
+          declare -a actualMacs
+          mapfile -d"" -t actualMacs < <(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten[]' --raw-output0)
+          for ifMac in "''${actualMacs[@]}"; do
+              if [[ "$ifMac" == "$expected" ]]; then
+              # all is well
+              return 0
+             fi
+          done
+          echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
+          echo "     Found MAC addresses: ''${actualMacs[*]}" >&2
+          return 1
+        '';
       };
     };
   };

coopdx.nix

@@ -1,104 +0,0 @@
-{
-  callPackage,
-  fetchFromGitHub,
-  autoPatchelfHook,
-  zlib,
-  curl,
-  libcxx,
-  stdenvNoCC,
-  nixpkgs ? <nixpkgs>,
-  writeTextFile,
-  lib,
-  bash,
-
-  enableTextureFix ? true,
-  enableDiscord ? false,
-}:
-let
-  libc_hack = writeTextFile {
-    name = "libc-hack";
-    # https://stackoverflow.com/questions/21768542/libc-h-no-such-file-or-directory-when-compiling-nanomsg-pipeline-sample
-    text = ''
-      #include <unistd.h>
-      #include <string.h>
-      #include <pthread.h>
-    '';
-    destination = "/include/libc.h";
-  };
-  target = stdenvNoCC.targetPlatform;
-  bits =
-    if target.is64bit then
-      "64"
-    else if target.is32bit then
-      "32"
-    else
-      throw "unspported bits";
-  pname = "sm64coopdx";
-  version = "1.0.3";
-  region = "us"; # dx removed support for other regions
-in
-(callPackage "${nixpkgs}/pkgs/games/sm64ex/generic.nix" {
-  inherit pname version region;
-
-  src = fetchFromGitHub {
-    owner = "coop-deluxe";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-cIH3escLFMcHgtFxeSKIo5nZXvaknti+EVt72uB4XXc=";
-  };
-
-  extraNativeBuildInputs = [ autoPatchelfHook ];
-
-  extraBuildInputs = [
-    zlib
-    curl
-    libcxx
-    libc_hack
-  ];
-
-  # Normally there's no need to set TARGET_ARCH, but if we don't it adds -march=native which is impure
-  compileFlags = [
-    "BREW_PREFIX=/not-exist"
-    "TARGET_ARCH=generic"
-    "TARGET_BITS=${bits}"
-    "DISCORD_SDK=${if enableDiscord then "1" else "0"}"
-    "TEXTURE_FIX=${if enableTextureFix then "1" else "0"}"
-  ];
-
-  extraMeta = {
-    mainProgram = pname;
-    homepage = "https://sm64coopdx.com/";
-    description = "Super Mario 64 online co-op mod, forked from sm64ex";
-  };
-}).overrideAttrs
-  {
-    installPhase =
-      let
-        sharedLib = target.extensions.sharedLibrary;
-      in
-      ''
-              runHook preInstall
-
-              local built=$PWD/build/${region}_pc
-
-              share=$out/share/${pname}
-              mkdir -p $share
-              cp $built/${pname} $share/${pname}-unwrapped
-              cp -r $built/{dynos,lang,mods,palettes} $share
-              cp ./baserom.*.z64 $share
-
-              ${lib.optionalString enableDiscord ''
-                cp $built/libdiscord_game_sdk${sharedLib} $share
-              ''}
-
-              mkdir -p $out/bin
-              (
-                echo '#!${bash}/bin/bash'
-        	echo "cd $out/share/${pname}"
-        	echo 'exec ./${pname}-unwrapped "$@"'
-              ) > $out/bin/${pname}
-              chmod a+x $out/bin/${pname}
-
-              runHook postInstall
-      '';
-  }

coopdx2.nix

@@ -1,106 +0,0 @@
-{
-  # callPackage,
-  fetchFromGitHub,
-  autoPatchelfHook,
-  zlib,
-  curl,
-  SDL2,
-  hexdump,
-  stdenv,
-  writeTextFile,
-  lib,
-  bash,
-  python3,
-  sm64baserom,
-
-  enableTextureFix ? true,
-  enableDiscord ? false,
-  enableCoopNet ? true,
-}:
-let
-  libc_hack = writeTextFile {
-    name = "libc-hack";
-    # https://stackoverflow.com/questions/21768542/libc-h-no-such-file-or-directory-when-compiling-nanomsg-pipeline-sample
-    text = ''
-      #include <unistd.h>
-      #include <string.h>
-      #include <pthread.h>
-    '';
-    destination = "/include/libc.h";
-  };
-  target = stdenv.targetPlatform;
-  bits =
-    if target.is64bit then
-      "64"
-    else if target.is32bit then
-      "32"
-    else
-      throw "unspported bits";
-  pname = "sm64coopdx";
-  version = "1.0.3";
-in
-stdenv.mkDerivation {
-  inherit pname version;
-
-  src = fetchFromGitHub {
-    owner = "coop-deluxe";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-cIH3escLFMcHgtFxeSKIo5nZXvaknti+EVt72uB4XXc=";
-  };
-
-  buildInputs = [
-    python3
-    zlib
-    curl
-    libc_hack
-    SDL2
-    hexdump
-  ];
-
-  enableParallelBuilding = true;
-
-  # Normally there's no need to set TARGET_ARCH, but if we don't it adds -march=native which is impure
-  makeFlags = [
-    "BREW_PREFIX=/not-exist"
-    "DISCORD_SDK=${if enableDiscord then "1" else "0"}"
-    "TEXTURE_FIX=${if enableTextureFix then "1" else "0"}"
-    "COOPNET=${if enableCoopNet then "1" else "0"}"
-  ];
-
-  preBuild = ''
-    ln -s ${sm64baserom} baserom.us.z64
-    substituteInPlace Makefile \
-      --replace-fail ' -march=$(TARGET_ARCH) ' ' '
-    # workaround a bug in the build
-    # see https://github.com/coop-deluxe/sm64coopdx/issues/186#issuecomment-2216163935
-    # this can likely be removed when the next version releases
-    make build/us_pc/sound/sequences.bin
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    local built=$PWD/build/us_pc
-
-    share=$out/share/${pname}
-    mkdir -p $share
-    cp $built/${pname} $share/${pname}-unwrapped
-    cp -r $built/{dynos,lang,mods,palettes} $share
-    ln -s ${sm64baserom} $share/baserom.us.z64
-
-    ${lib.optionalString enableDiscord ''
-      cp $built/libdiscord_game_sdk* $share
-    ''}
-
-    mkdir -p $out/bin
-    (
-      echo '#!${bash}/bin/bash'
-      echo "cd $out/share/${pname}"
-      echo 'exec ./${pname}-unwrapped "$@"'
-    ) > $out/bin/${pname}
-    chmod a+x $out/bin/${pname}
-
-    runHook postInstall
-  '';
-}

default.nix

@@ -0,0 +1,29 @@
+{
+  system ? builtins.currentSystem,
+}:
+let
+  flakeCompat = (import
+    (
+      let
+        lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+        nodeName = lock.nodes.root.inputs.flake-compat;
+      in
+      fetchTarball {
+        url = lock.nodes.${nodeName}.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.${nodeName}.locked.rev}.tar.gz";
+        sha256 = lock.nodes.${nodeName}.locked.narHash;
+      }
+    )
+    {
+      inherit system;
+      src = ./.;
+    }
+  );
+  flake = flakeCompat.outputs;
+  overlays = import ./overlays;
+  pkgs = import flake.inputs.nixpkgs {
+    inherit system overlays;
+  };
+in
+pkgs // {
+  nixpkgs-update = { ... }@args: import "${flake.inputs.nixpkgs}/maintainers/scripts/update.nix" ({ include-overlays = overlays; } // args);
+}

dns/default.nix

@@ -0,0 +1,137 @@
+{
+  dns,
+  lib,
+  vaculib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types singleton;
+  inherit (dns.lib.combinators)
+    ns
+    ttl
+    spf
+    mx
+    ;
+  inherit (config.vacu) hosts;
+  cloudnsNameServers = [
+    "pns51.cloudns.net."
+    "pns52.cloudns.net."
+    "pns53.cloudns.net."
+    "pns54.cloudns.net."
+  ];
+  cloudnsSoa = (
+    ttl (60 * 60) {
+      nameServer = lib.head cloudnsNameServers;
+      adminEmail = "support@cloudns.net";
+      serial = 1970010101; # cloudns takes care of updating the serial
+      refresh = 7200;
+      retry = 1800;
+      expire = 1209600;
+      minimum = 3600;
+    }
+  );
+  dkimKeyLiam = {
+    name = "2024-03-liam";
+    content = "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==";
+  };
+  dmarc = lib.pipe [
+    # see https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
+    "v=DMARC1"
+    "p=reject" # policy = reject all mail that fails DKIM or SPF
+    # no need for sp=, policy applies to subdomains by default
+    "adkim=s" # match dkim domains strictly (foo.shelvacu.com != shelvacu.com)
+    "aspf=s" # match spf domains strictly
+    "fo=1" # failure reporting: report a failure if any of dkim or spf fails
+    "rua=mailto:dmarc-rua@shelvacu.com!25m"
+    "ruf=mailto:dmarc-ruf@shelvacu.com!25m"
+  ] [
+    (map (s: s + ";"))
+    (lib.concatStringsSep " ")
+  ];
+  vacuZoneExtModule = { config, ... }: {
+    imports = [ vacuDomainExtModule ];
+    options.vacu.cloudns = mkOption {
+      default = true;
+      type = types.bool;
+    };
+    config = lib.mkIf config.vacu.cloudns {
+      SOA = cloudnsSoa;
+      NS = map (server: ttl (60 * 60) (ns server)) cloudnsNameServers;
+      TTL = lib.mkDefault 300;
+    };
+  };
+  vacuDomainExtModule = { config, ... }: {
+    options.vacu = {
+      liamMail = mkOption {
+        default = false;
+        type = types.bool;
+      };
+      _ancestorHasDMARC = mkOption {
+        type = types.bool;
+        default = false;
+        internal = true;
+      };
+    };
+    options.subdomains = mkOption {
+      type = types.attrsOf (types.submodule [
+        {
+          config.vacu._ancestorHasDMARC = config.vacu.liamMail || config.vacu._ancestorHasDMARC;
+        }
+        vacuDomainExtModule
+      ]);
+    };
+    config = lib.mkMerge [
+      (lib.mkIf config.vacu.liamMail {
+        MX = singleton (mx.mx 0 "liam.dis8.net.");
+        TXT = singleton (
+          spf.strict [
+            "mx"
+            "include:outbound.mailhop.org"
+            "include:_spf.mailersend.net"
+            "a:relay.dynu.com"
+          ]
+        );
+        subdomains."${dkimKeyLiam.name}._domainkey".TXT = singleton dkimKeyLiam.content;
+      })
+      (lib.mkIf (config.vacu.liamMail && !config.vacu._ancestorHasDMARC) {
+        subdomains._dmarc.TXT = singleton dmarc;
+      })
+    ];
+  };
+  # vacuZone = lib.mkMerge [
+  #   dns.lib.types.zone
+  #   (types.submodule vacuZoneExtModule)
+  # ];
+in
+{
+  imports = [
+    ./jean-luc.org.nix
+    ./pwrhs.win.nix
+    ./shelvacu.miras.pet.nix
+    ./for.miras.pet.nix
+    ./shelvacu.com.nix
+    ./dis8.net.nix
+    ./sv.mt.nix
+    ({ dns, ... }: {
+      options.vacu.dns = mkOption {
+        default = { };
+        type = types.attrsOf dns.lib.types.zone;
+      };
+    })
+  ];
+  options.vacu.dns = mkOption {
+    type = types.attrsOf (types.submodule vacuZoneExtModule);
+  };
+  options.vacu.dnsData = vaculib.mkOutOptions rec {
+    tripPublicV4 = hosts.triple-dezert.primaryIp;
+    propPublicV4 = hosts.prophecy.primaryIp;
+    digitalOcean = {
+      reservedV4 = "138.197.233.105";
+      liamPublicV4 = "178.128.79.152";
+      mailPublicV4 = "167.99.161.174";
+    };
+    doV4 = digitalOcean.reservedV4;
+    awooV4 = hosts.awoo.primaryIp;
+  };
+}

dns/dis8.net.nix

@@ -0,0 +1,28 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+  inherit (config.vacu.dnsData.digitalOcean) liamPublicV4 mailPublicV4 reservedV4;
+in
+{
+  vacu.dns."dis8.net" = { ... }: {
+    vacu.liamMail = true;
+
+    A = singleton mailPublicV4;
+    subdomains = {
+      do-a.A = singleton reservedV4;
+      liam.A = singleton reservedV4;
+      mail.A = singleton liamPublicV4;
+      auwwth = {
+        subdomains.ns.A = singleton dnsData.awooV4;
+        NS = singleton "ns.auwwth.dis8.net.";
+      };
+      solis.A = singleton config.vacu.hosts.solis.primaryIp;
+      "_acme-challenge".CNAME = singleton "a55a31f9-74ac-44fc-bf97-c8c9f2498d3a.auth.dis8.net.";
+    };
+  };
+}

dns/for.miras.pet.nix

@@ -0,0 +1,26 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."for.miras.pet" =
+    { ... }:
+    {
+      subdomains = {
+        "git".A = singleton dnsData.tripPublicV4;
+        "auth".A = singleton dnsData.tripPublicV4;
+        "wisdom".A = singleton dnsData.tripPublicV4;
+        "chat" =
+          { ... }:
+          {
+            config.vacu.liamMail = true;
+            config.A = singleton dnsData.tripPublicV4;
+            config.subdomains."duo-1745490301302-14f65157._domainkey".TXT =
+              singleton "v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA/94Rh5eMPsKwGGolkleY1Rhh2Q6H22bfdGVu0lXpoHP1K7JxloWu/Ice2vVN/udztmPY+BK1x+5qubcGZKpPt1bC9amsXnyTXfKIMGD2CNd0tnaO54hmMOfv+lTA9YjF0X93tcQP3yUxJgJ9yPZcalFl/bBAqv4/lUVLYFeIVQIDAQAB";
+          };
+        "gabriel-dropout".A = singleton dnsData.tripPublicV4;
+        "_acme-challenge".CNAME = singleton "199b8aa4-bc9f-4f43-88bf-3f613f62b663.auwwth.dis8.net.";
+      };
+    };
+}

dns/jean-luc.org.nix

@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+  main_ips = singleton dnsData.tripPublicV4;
+in
+{
+  vacu.dns."jean-luc.org" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = main_ips;
+      NS = lib.mkAfter [ "ns2.afraid.org." ]; # note: appends to NS records from modules.cloudns
+      subdomains = {
+        "in".vacu.liamMail = true;
+        "*".A = main_ips;
+        "_acme-challenge".CNAME = singleton "8cc7a174-c4a6-40f5-9fff-dfb271c5ce0b.auwwth.dis8.net.";
+        "stats".A = main_ips;
+        "tdi-readings".CNAME = singleton "d20l6bh1gp7s8.cloudfront.net.";
+        "_a908498ee692a9729bf12e161ae1887d.tdi-readings".CNAME =
+          singleton "_1f055e4fc0f439e67304a33945d09002.hkvuiqjoua.acm-validations.aws.";
+      };
+    };
+}

dns/pwrhs.win.nix

@@ -0,0 +1,14 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."pwrhs.win" =
+    { ... }:
+    {
+      A = singleton dnsData.tripPublicV4;
+      subdomains.habitat.A = singleton dnsData.tripPublicV4;
+      subdomains._acme-challenge.CNAME = singleton "73697955-1c51-48ba-ba1e-b3398850f59f.auwwth.dis8.net.";
+    };
+}

dns/shelvacu.com.nix

@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  vaculib,
+  ...
+}:
+let
+  s = v: [ v ];
+  inherit (config.vacu) dnsData;
+  trip_ips = s dnsData.tripPublicV4;
+  prop_ips = s dnsData.propPublicV4;
+  solis_ips = s config.vacu.hosts.solis.primaryIp;
+  mail_thing = s "178.128.79.152";
+  # which domains to allow dmarc reports.
+  # ex: _dmarc.dis8.net TXT has "rua=rua-reports@shelvacu.com", reports will only be sent if shelvacu.com allows them
+  # allow all domains configured in this repo, and one level of subdomain (ideally all but thats hard, this should be good enough)
+  allow_report_domains = lib.pipe config.vacu.dns [
+    lib.attrNames
+    (list: list ++ [ "theviolincase.com" "violingifts.com" ])
+    (lib.concatMap (domain: [domain "*.${domain}"]))
+  ];
+in
+{
+  vacu.dns."shelvacu.com" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = trip_ips;
+      CAA = [
+        {
+          issuerCritical = true;
+          tag = "issue";
+          value = "letsencrypt.org";
+        }
+        {
+          issuerCritical = true;
+          tag = "issue";
+          value = "sectigo.com";
+        }
+        {
+          issuerCritical = true;
+          tag = "issuewild";
+          value = "letsencrypt.org";
+        }
+        {
+          issuerCritical = false;
+          tag = "iodef";
+          value = "mailto:caa-violation@shelvacu.com";
+        }
+      ];
+      subdomains = {
+        _acme-challenge.CNAME = s "5cb20bf7-5203-417f-b729-fa3a3ad3b775.auwwth.dis8.net.";
+        _atproto.TXT = s "did=did:plc:oqenurzqeji6ulii3myxls64";
+        "_report._dmarc".subdomains = vaculib.mapNamesToAttrsConst { TXT = s "v=DMARC1"; } allow_report_domains;
+        admin-garage-trip.A = trip_ips;
+        auth.A = trip_ips;
+        autoconfig.A = mail_thing;
+        awoo.A = s "45.142.157.71";
+        dav.A = trip_ips;
+        dav-experiment.A = prop_ips;
+        ft.subdomains = {
+          "*".A = s "45.87.250.193";
+          _acme-challenge.CNAME = s "17aa43aa-9295-4522-8cf2-b94ba537753d.auth.acme-dns.io.";
+        };
+        # hzo3bcydh5khtpeio6zrzb7kwcwiccnh.subdomains._domainkey.CNAME = s "hzo3bcydh5khtpeio6zrzb7kwcwiccnh.dkim.amazonses.com.";
+        id.A = trip_ips;
+        imap.A = mail_thing;
+        jobs.A = trip_ips;
+        llm.A = trip_ips;
+        mail.A = mail_thing;
+        # mlsend2.subdomains._domainkey.CNAME = s "mlsend2._domainkey.mailersend.net.";
+        mumble.A = prop_ips;
+        nixcache.A = trip_ips;
+        ns1.CNAME = s "pns51.cloudns.net.";
+        ns2.CNAME = s "pns52.cloudns.net.";
+        ns3.CNAME = s "pns53.cloudns.net.";
+        ns4.CNAME = s "pns54.cloudns.net.";
+        prop.CNAME = s "prophecy";
+        prophecy.A = prop_ips;
+        prophecy.subdomains.garage.subdomains = {
+          s3.A = prop_ips;
+          admin.A = prop_ips;
+        };
+        rad.A = trip_ips;
+        s3-garage-trip.A = trip_ips;
+        servacu.A = s "167.99.161.174";
+        smtp.A = mail_thing;
+        sol.CNAME = s "solis";
+        solis.A = solis_ips;
+        solis.subdomains.garage.subdomains = {
+          s3.A = solis_ips;
+          admin.A = solis_ips;
+        };
+        trip.A = trip_ips;
+        vaultwarden.A = trip_ips;
+        www.A = trip_ips;
+      };
+    };
+}

dns/shelvacu.miras.pet.nix

@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."shelvacu.miras.pet" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = singleton dnsData.tripPublicV4;
+      subdomains."_acme-challenge".CNAME =
+        singleton "65e44f64-3c65-46f6-b15f-4ad6363b21eb.auwwth.dis8.net.";
+    };
+}

dns/sv.mt.nix

@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."sv.mt" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = singleton dnsData.propPublicV4;
+      subdomains.www.A = singleton dnsData.propPublicV4;
+      subdomains.thisthirdlevelisownedbyshelandwasnotmadeavailabletoemily = {
+        NS = [
+          "thisns1isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns2isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns3isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns4isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns5isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+        ];
+        # TXT = singleton "ha5d5dc3ca7b34574bc60929e3910ba8a";
+      };
+    };
+}

dprop

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+git add . && nixos-rebuild --flake .#prophecy --build-host prop --target-host prop --use-remote-sudo "$@"

flake.nix

@@ -1,104 +1,86 @@
 {
-  description = "Config for triple-dezert server";
+  description = "Configs for shelvacu's nix things";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05-small";
-    # nixpkgs.url = "github:nixos/nixpkgs/be0ec1a45fe1a6f6534c451b935724ab48405f26";
+    nixpkgs.url = "nixpkgs/nixos-25.05-small";
     nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
-    flake-utils.url = "github:numtide/flake-utils";
-    nixvim = {
-      url = "github:nix-community/nixvim/nixos-24.05";
+    disko = {
+      url = "git+https://git.uninsane.org/shelvacu/disko.git";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
-    };
-    nixvim-unstable = {
-      url = "github:nix-community/nixvim";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.home-manager.follows = "home-manager-unstable";
-    };
-    nix-inspect = {
-      url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    nix-inspect-unstable = {
-      url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-    vscode-server-unstable = {
-      url = "github:nix-community/nixos-vscode-server";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    vscode-server = {
-      url = "github:nix-community/nixos-vscode-server";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    nix-on-droid = {
-      url = "github:nix-community/nix-on-droid";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
-    };
-    jovian-unstable = {
-      # there is no stable jovian :cry:
-      url = "github:Jovian-Experiments/Jovian-NixOS";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
     disko-unstable = {
-      url = "github:nix-community/disko";
+      url = "git+https://git.uninsane.org/shelvacu/disko.git";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+    dns = {
+      url = "github:nix-community/dns.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+    flake-compat.url = "github:edolstra/flake-compat";
+    flake-utils.url = "github:numtide/flake-utils";
     home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     home-manager-unstable = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    nix-search-cli-unstable = {
-      url = "github:peterldowns/nix-search-cli";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    nix-search-cli = {
-      url = "github:peterldowns/nix-search-cli";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    padtype-unstable = {
-      url = "gitlab:shelvacu/padtype";
+    impermanence.url = "github:nix-community/impermanence";
+    jovian-unstable = {
+      # there is no stable jovian :cry:
+      url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    nixos-hardware.url = "github:nixos/nixos-hardware";
     most-winningest = {
       url = "github:captain-jean-luc/most-winningest";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.flake-utils.follows = "flake-utils";
     };
+    nixos-hardware.url = "github:nixos/nixos-hardware";
     nixos-apple-silicon-unstable = {
       url = "github:tpwrules/nixos-apple-silicon";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
-    dns = {
-      url = "github:nix-community/dns.nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    lix-module = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
+    nixvim = {
+      url = "github:nix-community/nixvim/nixos-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    lix-module-unstable = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
+    nixvim-unstable = {
+      url = "github:nix-community/nixvim";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+    nix-colors = {
+      url = "github:Misterio77/nix-colors";
+    };
+    nix-on-droid = {
+      url = "github:nix-community/nix-on-droid";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+    padtype-unstable = {
+      url = "git+https://git.uninsane.org/shelvacu/padtype.git";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    tf2-nix = {
+      url = "gitlab:shelvacu-forks/tf2-nix/with-my-patches";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    vacu-keys = {
+      url = "git+https://git.uninsane.org/shelvacu/keys.nix.git";
+      flake = false;
+    };
   };
 
   outputs =
@@ -107,63 +89,110 @@
       nixpkgs,
       nix-on-droid,
       ...
-    }@inputs:
+    }@allInputs:
     let
       x86 = "x86_64-linux";
       arm = "aarch64-linux";
       lib = import "${nixpkgs}/lib";
-      mkPlain = pkgs: lib.evalModules {
-        modules = [
-          ./common
-          { vacu.systemKind = "server"; }
-        ];
-        specialArgs = {
-          inherit pkgs;
-          inherit lib;
-          inherit (inputs) dns;
-          vacuModuleType = "plain";
-          inherit inputs;
-        };
-      };
+      overlays = import ./overlays;
+      vacuModules = import ./modules;
+      mkVaculib = { pkgs }: import ./vaculib { inherit pkgs; nix-colors-lib = allInputs.nix-colors.lib; };
+      vaculib = mkVaculib { inherit pkgs; };
+      defaultSuffixedInputNames = [
+        "nixvim"
+        "nixpkgs"
+      ];
+      defaultInputs = { inherit (allInputs) self vacu-keys; };
+      mkInputs =
+        {
+          unstable ? false,
+          inp ? [ ],
+        }:
+        let
+          suffix = if unstable then "-unstable" else "";
+          inputNames = inp ++ defaultSuffixedInputNames;
+          thisInputsA = vaculib.mapNamesToAttrs (name: allInputs.${name + suffix}) inputNames;
+        in
+        if inp == "all" then allInputs else thisInputsA // defaultInputs;
       mkPkgs =
         arg:
         let
-          argAttr = if builtins.isString arg then { system = arg; } else arg;
+          argAttrAll = if builtins.isString arg then { system = arg; } else arg;
+          unstable = argAttrAll.unstable or false;
+          whichpkgs = if unstable then allInputs.nixpkgs-unstable else allInputs.nixpkgs;
+          argAttr = lib.removeAttrs argAttrAll [ "unstable" ];
           config = {
             allowUnfree = true;
+            # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
+            # presumably needed by nheko
+            permittedInsecurePackages = [
+              "olm-3.2.16"
+              "fluffychat-linux-1.27.0"
+            ];
           } // (argAttr.config or { });
         in
-        import nixpkgs (argAttr // { inherit config; });
+        import whichpkgs (
+          argAttr // { inherit config; } // { overlays = (argAttr.overlays or [ ]) ++ overlays; }
+        );
+      mkCommon =
+        {
+          unstable ? false,
+          inp ? [ ],
+          system ? x86,
+          vacuModuleType,
+        }:
+        let
+          pkgsStable = mkPkgs { unstable = false; inherit system; };
+          pkgsUnstable = mkPkgs { unstable = true; inherit system; };
+          pkgs = if unstable then pkgsUnstable else pkgsStable;
+          inputs = mkInputs { inherit unstable inp; };
+          vaculib = mkVaculib { inherit pkgs; };
+        in
+        {
+          inherit pkgs pkgsStable pkgsUnstable inputs vaculib;
+          specialArgs = {
+            inherit inputs vacuModules vacuModuleType vaculib pkgsStable pkgsUnstable;
+            inherit (allInputs) dns;
+          };
+        };
+      mkPlain =
+        {
+          unstable ? false,
+          system ? x86,
+        }@args:
+        let
+          common = mkCommon (args // {
+            vacuModuleType = "plain";
+            inp = "all";
+          });
+          inner = lib.evalModules {
+            modules = [
+              ./common
+              { vacu.systemKind = "server"; }
+            ];
+            specialArgs = common.specialArgs // {
+              inherit (common) pkgs;
+              inherit (common.pkgs) lib;
+            };
+          };
+        in
+        inner.config.vacu.withAsserts inner;
       pkgs = mkPkgs x86;
-      defaultInputs = [
-          "nix-search-cli"
-          "nix-inspect"
-          "nixvim"
-          "lix-module"
-      ];
       mkNixosConfig =
         {
           unstable ? false,
           module,
           system ? "x86_64-linux",
           inp ? [ ],
-        }@args:
+        }:
         let
-          suffix = if unstable then "-unstable" else "";
-          nixpkgs = inputs.${"nixpkgs" + suffix};
-          inp' = inp ++ defaultInputs;
-          thisInputs = builtins.listToAttrs (map (name: lib.nameValuePair name inputs.${name + suffix}) inp');
+          common = mkCommon { inherit unstable inp system; vacuModuleType = "nixos"; };
         in
-        nixpkgs.lib.nixosSystem {
-          specialArgs = {
-            inputs = thisInputs // {
-              inherit (inputs) self;
-            };
-            inherit (inputs) dns;
-            vacuModuleType = "nixos";
-          };
+        allInputs.nixpkgs.lib.nixosSystem {
+          inherit (common) specialArgs;
           inherit system;
           modules = [
+            { nixpkgs.pkgs = common.pkgs; }
             ./common
             module
           ];
@@ -171,110 +200,130 @@
     in
     {
       debug.isoDeriv = (
-        import "${inputs.nixpkgs}/nixos/release-small.nix" {
-          nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
+        import "${allInputs.nixpkgs}/nixos/release-small.nix" {
+          nixpkgs = ({ revCount = 0; } // allInputs.nixpkgs);
         }
       );
-      # overlays.requireFileSub = (
-      #   curr: prev: { requireFile = { ... }@args: (prev args).overrideAttrs { allowSubstitutes = true; }; }
-      # );
-      # overlays.default = self.overlays.requireFileSub;
+
+      lib = {
+        inherit
+          mkPlain
+          mkPkgs
+          mkInputs
+          mkNixosConfig
+          vaculib
+          ;
+      };
+
       nixosConfigurations = {
         triple-dezert = mkNixosConfig {
-          module = ./triple-dezert;
-          inp = [ "most-winningest" ];
+          module = ./hosts/triple-dezert;
+          inp = [
+            "most-winningest"
+            "sops-nix"
+          ];
         };
         compute-deck = mkNixosConfig {
-          module = ./compute-deck;
+          module = ./hosts/compute-deck;
           inp = [
             "jovian"
             "home-manager"
-            "vscode-server"
             "disko"
             "padtype"
           ];
           unstable = true;
         };
         liam = mkNixosConfig {
-          module = ./liam;
+          module = ./hosts/liam;
           inp = [ "sops-nix" ];
         };
-        lp0 = mkNixosConfig { module = ./lp0; };
-        shel-installer = mkNixosConfig { module = ./installer.nix; };
+        lp0 = mkNixosConfig { module = ./hosts/lp0; };
+        shel-installer-iso = mkNixosConfig { module = ./hosts/installer/iso.nix; };
+        shel-installer-pxe = mkNixosConfig { module = ./hosts/installer/pxe.nix; };
         fw = mkNixosConfig {
-          module = ./fw;
-          inp = [ "nixos-hardware" ];
+          module = ./hosts/fw;
+          inp = [
+            "nixos-hardware"
+            "sops-nix"
+            "tf2-nix"
+          ];
         };
         legtop = mkNixosConfig {
-          module = ./legtop;
+          module = ./hosts/legtop;
           inp = [ "nixos-hardware" ];
         };
         mmm = mkNixosConfig {
-          module = ./mmm;
+          module = ./hosts/mmm;
           inp = [ "nixos-apple-silicon" ];
           system = "aarch64-linux";
           unstable = true;
         };
+        prophecy = mkNixosConfig {
+          module = ./hosts/prophecy;
+          system = "x86_64-linux";
+          inp = [
+            "impermanence"
+            "sops-nix"
+            "disko"
+          ];
+        };
+        solis = mkNixosConfig {
+          module = ./hosts/solis;
+          system = "x86_64-linux";
+          inp = [
+            "disko"
+            "impermanence"
+            "sops-nix"
+          ];
+        };
       };
 
-      nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
-        modules = [
-          ./common
-          ./nix-on-droid
-        ];
-        extraSpecialArgs = {
-          inputs = {
-            inherit (inputs)
-              nixpkgs
-              self
-              nixvim
-              nix-search-cli
-              nix-inspect
-              ;
-          };
-          inherit (inputs) dns;
-          vacuModuleType = "nix-on-droid";
+      nixOnDroidConfigurations.default =
+        let
+          common = mkCommon { system = arm; vacuModuleType = "nix-on-droid"; };
+        in
+        nix-on-droid.lib.nixOnDroidConfiguration {
+          modules = [
+            ./common
+            ./hosts/nix-on-droid
+          ];
+          extraSpecialArgs = common.specialArgs;
+          inherit (common) pkgs;
         };
-        pkgs = mkPkgs {
-          system = arm;
-          overlays = [ inputs.lix-module.overlays.default ];
-        };
-      };
 
       checks = nixpkgs.lib.genAttrs [ x86 ] (
         system:
         let
-          pkgs = mkPkgs system;
-          plain = mkPlain pkgs;
-          config = {
+          common = mkCommon { inherit system; vacuModuleType = "nixos"; };
+          inherit (common) pkgs;
+          plain = mkPlain { inherit system; };
+          commonTestModule = {
+            hostPkgs = pkgs;
+            _module.args.inputs = { inherit (allInputs) self; };
             node.pkgs = pkgs;
-            node.pkgsReadOnly = false;
-            node.specialArgs.selfPackages = self.packages.${system};
-            node.specialArgs.vacuModuleType = "nixos";
+            node.pkgsReadOnly = true;
+            node.specialArgs = (lib.removeAttrs common.specialArgs [ "inputs" ]) // { selfPackages = self.packages.${system}; };
           };
+          mkTest =
+            name:
+            nixpkgs.lib.nixos.runTest {
+              imports = [
+                commonTestModule
+                ./tests/${name}
+                { node.specialArgs.inputs = self.nixosConfigurations.${name}._module.specialArgs.inputs; }
+              ];
+            };
+          checksFromConfig = plain.config.vacu.checks;
         in
-        {
-          units = plain.config.vacu.units.check;
-          liam = nixpkgs.lib.nixos.runTest {
-            hostPkgs = pkgs;
-            imports = [
-              config
-              ./tests/liam.nix
-              { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
-            ];
-          };
-          trip = nixpkgs.lib.nixos.runTest {
-            hostPkgs = pkgs;
-            imports = [
-              config
-              ./tests/triple-dezert.nix
-              { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
-            ];
-          };
+        assert !(checksFromConfig ? liam) && !(checksFromConfig ? trip);
+        checksFromConfig
+        // {
+          liam = mkTest "liam";
+          triple-dezert = mkTest "triple-dezert";
         }
       );
 
-      qb = # qb is "quick build"
+      buildList =
         let
           toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
           deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; };
@@ -282,166 +331,167 @@
             name: value: lib.nameValuePair (name + "-aarch64") value
           ) self.packages.aarch64-linux;
           packages = self.packages.x86_64-linux // renamedAarchPackages;
+          pxe-build = self.nixosConfigurations.shel-installer-pxe.config.system.build;
         in
-        rec {
+        {
           fw = toplevelOf "fw";
           triple-dezert = toplevelOf "triple-dezert";
-          trip = triple-dezert;
           compute-deck = toplevelOf "compute-deck";
-          cd = compute-deck;
           liam = toplevelOf "liam";
           lp0 = toplevelOf "lp0";
           legtop = toplevelOf "legtop";
-          lt = legtop;
           mmm = toplevelOf "mmm";
-          shel-installer = toplevelOf "shel-installer";
-          iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
-          check-triple-dezert = self.checks.x86_64-linux.trip.driver;
-          check-trip = check-triple-dezert;
+          shel-installer-iso = toplevelOf "shel-installer-iso";
+          shel-installer-pxe = toplevelOf "shel-installer-pxe";
+          prophecy = toplevelOf "prophecy";
+          iso = self.nixosConfigurations.shel-installer-iso.config.system.build.isoImage;
+          pxe-toplevel = toplevelOf "shel-installer-pxe";
+          pxe-kernel = pxe-build.kernel;
+          pxe-initrd = pxe-build.netbootRamdisk;
+          check-triple-dezert = self.checks.x86_64-linux.triple-dezert.driver;
           check-liam = self.checks.x86_64-linux.liam.driver;
+          liam-sieve = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
 
           nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
-          nod = nix-on-droid;
 
-          nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
-          nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
+          nod-bootstrap-x86_64 = allInputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
+          nod-bootstrap-aarch64 = allInputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
 
           dc-priv = deterministicCerts.privKeyFile "test";
           dc-cert = deterministicCerts.selfSigned "test" { };
 
-          sm64 = packages.sm64coopdx;
-          ak = packages.authorizedKeys;
-          my-sops = packages.wrappedSops;
-
-          inherit (inputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
+          inherit (allInputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
             m1n1
             uboot-asahi
             installer-bootstrap
             ;
           installer-bootstrap-cross =
-            inputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
+            allInputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
         }
         // packages;
 
+      qb = self.buildList // {
+        trip = self.buildList.triple-dezert;
+        cd = self.buildList.compute-deck;
+        lt = self.buildList.legtop;
+        prop = self.buildList.prophecy;
+        check-trip = self.buildList.check-triple-dezert;
+        nod = self.buildList.nix-on-droid;
+        ak = self.buildList.authorizedKeys;
+        my-sops = self.buildList.wrappedSops;
+      };
+
       brokenBuilds = [
         "sm64coopdx-aarch64"
         "installer-bootstrap"
       ];
 
-      all =
-        let
-          linksNoContext = removeAttrs self.qb self.brokenBuilds;
-          links = builtins.mapAttrs (
-            name: val: builtins.addErrorContext "while evaluating link ${name}" val
-          ) linksNoContext;
-        in
-        pkgs.runCommand "nix-stuff-all"
-          {
-            __structuredAttrs = true;
-            inherit links;
-          }
-          ''
-            mkdir $out
-            cd $out
-            eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
-          '';
+      impureBuilds = [
+        "nix-on-droid"
+        "nod"
+        "nod-bootstrap-x86_64"
+        "nod-bootstrap-aarch64"
+      ];
 
-      allPure = self.all.overrideAttrs (prev: {
-        links = removeAttrs prev.links [
-          "nix-on-droid"
-          "nod"
-          "nod-bootstrap-x86_64"
-          "nod-bootstrap-aarch64"
-        ];
-      });
-
-      archive =
-        let
-          # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
-          allButImgs = self.all.overrideAttrs (prev: {
-            links = removeAttrs prev.links [ "iso" ];
-          });
-          isoContents = lib.concatStringsSep "\n" (
-            map (
-              c: "${c.source} => ${c.target}"
-            ) self.nixosConfigurations.shel-installer.config.isoImage.contents
-          );
-          isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
-          info = pkgs.closureInfo { rootPaths = [ allButImgs.drvPath ]; };
-        in
-        allButImgs.overrideAttrs (prev: {
-          links = prev.links // {
-            iso-contents = isoContentsPkg;
-            build-deps = info;
-          };
-        });
+      archival = import ./archive.nix { inherit self pkgs lib; };
     }
-    // (inputs.flake-utils.lib.eachDefaultSystem (
+    // (allInputs.flake-utils.lib.eachDefaultSystem (
       system:
       let
-        pkgs = import inputs.nixpkgs-unstable {
-          inherit system;
-          config.allowUnfree = true;
-          overlays = [ inputs.sm64baserom.overlays.default ];
-        };
-        _plain = mkPlain pkgs;
-        inherit (_plain.config.vacu) withAsserts;
-        plain = _plain.config.vacu.withAsserts _plain;
-        # dnsModule = lib.evalModules {
-        #   modules = [
-        #     {
-        #       config._module.check = false;
-        #       options.vacu.dns = lib.mkOption {
-        #         default = { };
-        #         type = lib.types.attrsOf inputs.dns.lib.types.zone;
-        #       };
-        #     }
-        #   ];
-        # };
+        mkNixvim =
+          { unstable, minimal }:
+          let
+            common = mkCommon { inherit unstable; vacuModuleType = "nixvim"; };
+            nixvim-input = if unstable then allInputs.nixvim-unstable else allInputs.nixvim;
+          in
+          nixvim-input.legacyPackages.${system}.makeNixvimWithModule {
+            module = {
+              imports = [ ./nixvim ];
+            };
+            extraSpecialArgs = common.specialArgs // { inherit minimal; };
+          };
+        common = mkCommon { unstable = true; vacuModuleType = "plain"; };
+        inherit (common) pkgs pkgsStable pkgsUnstable;
+        plain = mkPlain { unstable = true; };
+        treefmtEval = allInputs.treefmt-nix.lib.evalModule pkgsUnstable ./treefmt.nix;
+        formatter = treefmtEval.config.build.wrapper;
+        vacuPackagePaths = import ./packages;
+        vacuPackages = builtins.intersectAttrs vacuPackagePaths pkgsStable;
       in
       {
-        formatter = pkgs.nixfmt-rfc-style;
+        inherit formatter;
+        inherit (common) vaculib;
         apps.sops = {
           type = "app";
           program = lib.getExe self.packages.${system}.wrappedSops;
         };
-        vacuconfig = plain.config;
+        vacuConfig = plain.config;
+        inherit vacuPackages;
+        legacyPackages = {
+          unstable = pkgsUnstable;
+          stable = pkgsStable;
+          nixpkgs-update = { ... }@args: import "${allInputs.nixpkgs}/maintainers/scripts/update.nix" ({ include-overlays = [ (import ./overlays/newPackages.nix) ]; } // args);
+        };
         packages = rec {
-          nix-inspect = inputs.nix-inspect.packages.${system}.default;
-          nix-search-cli = inputs.nix-search-cli.packages.${system}.default;
-          units = plain.config.vacu.units.finalPackage;
-          sourceTree = plain.config.vacu.sourceTree;
-          z3 = pkgs.callPackage ./packages/z3 { };
-          bandcamp-collection-downloader = pkgs.callPackage ./packages/bcd { };
-          bcd = bandcamp-collection-downloader;
-          sm64coopdx = pkgs.callPackage ./coopdx2.nix { };
-          # snmpb = pkgs.libsForQt5.callPackage ./packages/snmpb/package.nix { };
-          # snmp-mibs-downloader = pkgs.callPackage ./packages/snmp-mibs-downloader.nix { };
-          authorizedKeys = pkgs.writeText "authorizedKeys" (
+          archive = pkgsStable.callPackage ./scripts/archive { };
+          authorizedKeys = pkgsStable.writeText "authorizedKeys" (
             lib.concatStringsSep "\n" (
-              lib.mapAttrsToList (k: v: "${v} ${k}") (withAsserts plain.config.vacu.ssh.authorizedKeys)
+              lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys
             )
           );
-          update-git-keys = withAsserts pkgs.callPackage ./scripts/update-git-keys.nix {
+          dns = import ./scripts/dns {
+            inherit pkgs lib;
+            inputs = allInputs;
             inherit (plain) config;
           };
-          sopsConfig = withAsserts plain.config.vacu.sopsConfig;
-          wrappedSops = withAsserts plain.config.vacu.wrappedSops;
-          dns = withAsserts import ./scripts/dns {
-            inherit pkgs lib inputs;
-            inherit (plain) config;
+          inherit formatter;
+          generated = pkgsStable.linkFarm "generated" {
+            nixpkgs = "${allInputs.nixpkgs}";
+            "liam-test/hints.py" = pkgs.writeText "hints.py" (
+              import ./typesForTest.nix {
+                name = "liam";
+                inherit (pkgsStable) lib;
+                inherit self;
+                inherit (allInputs) nixpkgs;
+              }
+            );
+            "dns/python-env" = builtins.dirOf (builtins.dirOf dns.interpreter);
+            "mailtest/python-env" = builtins.dirOf (
+              builtins.dirOf self.checks.x86_64-linux.liam.nodes.checker.vacu.mailtest.smtp.interpreter
+            );
           };
-          # dnsOptions = (pkgs.nixosOptionsDoc { options = dnsModule.options; }).optionsCommonMark;
-          vnopnCA = pkgs.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
-          nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
-            extraSpecialArgs = {
-              inputs = { };
-            };
-            module = {
-              imports = [ ./nixvim ];
-            };
+          host-pxe-installer = pkgs.callPackage ./host-pxe-installer.nix {
+            nixosInstaller = self.nixosConfigurations.shel-installer-pxe;
           };
-        };
+          liam-sieve-script = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
+          nixvim = mkNixvim {
+            unstable = false;
+            minimal = false;
+          };
+          nixvim-unstable = mkNixvim {
+            unstable = true;
+            minimal = false;
+          };
+          nixvim-minimal = mkNixvim {
+            unstable = false;
+            minimal = true;
+          };
+          nixvim-unstable-minimal = mkNixvim {
+            unstable = true;
+            minimal = true;
+          };
+          # optionsDocNixOnDroid = (pkgs.nixosOptionsDoc {
+          #   inherit (self.nixOnDroidConfigurations.default) options;
+          # }).optionsCommonMark;
+          openterface-qt-eudev = vacuPackages.openterface-qt.override { useSystemd = false; };
+          openterface-qt-systemd = vacuPackages.openterface-qt.override { useSystemd = true; };
+          sopsConfig = plain.config.vacu.sopsConfigFile;
+          sourceTree = plain.config.vacu.sourceTree;
+          units = plain.config.vacu.units.finalPackage;
+          update-git-keys = pkgsStable.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; inputs = allInputs; };
+          vnopnCA = pkgsStable.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
+          wrappedSops = plain.config.vacu.wrappedSops;
+        } // vacuPackages;
       }
     ));
 }

fw/experiment.nix

@@ -1,43 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-let
-  version = "6.10.4";
-  hash = "sha256:1y2m2pqrvsgr9ng72nnh4yvsprkvkznhnmn4p8g78350bzyrvip2";
-  customKernel = pkgs.linux_6_10.override {
-    inherit version;
-    src = pkgs.fetchurl {
-      url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
-      inherit hash;
-    };
-    modDirVersion = lib.versions.pad 3 version;
-  };
-  customKernelPackages = pkgs.linuxPackagesFor customKernel;
-in
-{
-  system.nixos.tags = [
-    "EXPERIMENT"
-    "kernel-${config.boot.kernelPackages.kernel.version}"
-  ];
-
-  boot.kernelPackages = lib.mkForce customKernelPackages;
-  # boot.zfs.extraPools = lib.mkForce [];
-  # fileSystems."/".fsType = lib.mkForce "ext4";
-
-  vacu.packages.sm64coopdx.enable = false;
-  vacu.verifySystem.expectedMac = lib.mkForce null;
-}
-
-# good: 
-#  Linux fw 6.6.50 #1-NixOS SMP PREEMPT_DYNAMIC Sun Sep  8 05:54:49 UTC 2024 x86_64 GNU/Linux
-#  Linux fw 6.8.12 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:49:53 UTC 2024 x86_64 GNU/Linux
-#  linux-6.9.12
-#  6.10.4 (maybe?? sus)
-# Linux fw 6.10.10 #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024 x86_64 GNU/Linux (but this was supposed to be 6.10.4....)
-
-# bad:
-# Linux fw 6.10.10-gnu #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan  1 00:00:00 UTC 1980 x86_64 GNU/Linux
-#  linux linux-6.10.10

fw/thunderbolt.nix

@@ -1,10 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.hardware.bolt.enable = true;
-
-  vacu.packages = [
-    pkgs.thunderbolt
-    config.services.hardware.bolt.package
-    pkgs.kdePackages.plasma-thunderbolt
-  ];
-}

fw/zfs.nix

@@ -1,12 +0,0 @@
-{
-  pkgs,
-  ...
-}:
-{
-  boot.zfs.extraPools = [ "fw" ];
-  # config.boot.zfs.package.latestCompatibleLinuxPackages is fucked, if there are multiple compatible linuxes of the same version, it picks effectively an arbitrary one
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
-  systemd.services.zfs-mount.enable = false;
-
-  # see also fileSystems."/"
-}

hosts/compute-deck/default.nix

@@ -1,9 +1,4 @@
-{
-  pkgs,
-  inputs,
-  ...
-}:
-
+{ pkgs, inputs, ... }:
 {
   imports = [
     inputs.jovian.nixosModules.jovian
@@ -16,12 +11,18 @@
     ./padtype.nix
   ];
 
-  boot.loader.systemd-boot.enable = false;
-  boot.loader.efi.efiSysMountPoint = "/boot/EFI";
-  boot.loader.grub.efiSupport = true;
-  boot.loader.grub.device = "nodev";
-  boot.loader.efi.canTouchEfiVariables = false;
-  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader = {
+    systemd-boot.enable = false;
+    efi = {
+      efiSysMountPoint = "/boot/EFI";
+      canTouchEfiVariables = false;
+    };
+    grub = {
+      efiSupport = true;
+      device = "nodev";
+      efiInstallAsRemovable = true;
+    };
+  };
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
@@ -42,23 +43,15 @@
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
+  services.desktopManager.plasma6.enable = true;
 
   services.openssh.enable = true;
 
-  environment.systemPackages = with pkgs; [
-    audacity
-    librewolf
+  vacu.packages = ''
     jupiter-hw-support
     steamdeck-firmware
     steamdeck-bios-fwupd
-    cargo
-    clippy
-    rust-analyzer
-    rustc
-    rustfmt
-    rustup
-  ];
+  '';
 
   # boot.kernelPatches = [
   #   {

hosts/compute-deck/hardware.nix

@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }:
@@ -49,11 +48,13 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
     fsType = "ext4";
+    options = [ "nofail" ];
   };
 
   fileSystems."/boot/EFI" = {
     device = "/dev/disk/by-uuid/C268-79C8";
     fsType = "vfat";
+    options = [ "nofail" ];
   };
 
   swapDevices = [ ];

hosts/compute-deck/home.nix

@@ -1,16 +1,7 @@
-{ inputs, ... }:
+{ ... }:
 {
   home-manager.users.shelvacu = {
-    # these make vscode-remote work
-    imports = [ inputs.vscode-server.homeModules.default ];
-    services.vscode-server.enable = true;
-
     home.stateVersion = "23.11";
-    programs.git = {
-      enable = true;
-      userName = "Shelvacu";
-      userEmail = "git@shelvacu.com";
-    };
     programs.librewolf = {
       enable = true;
 

hosts/compute-deck/padtype.nix

@@ -11,4 +11,12 @@ in
   };
 
   boot.initrd.preLVMCommands = "${padtype-pkg}/bin/padtype &";
+  boot.initrd.kernelModules = [
+    "uhid"
+    "i2c_hid_acpi"
+    "usbhid"
+    "mac_hid"
+    "evdev"
+    "uinput"
+  ];
 }

hosts/fw/apex.nix

@@ -1,5 +1,10 @@
 # everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
-{ pkgs, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
   # to match package used in config.services.pcscd, unfortunately not exposed like usual
   pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
@@ -9,14 +14,16 @@ in
   # nixpkgs.overlays = [ ( final: prev: {
   #   libfido2 = prev.libfido2.override { withPcsclite = true; };
   # } ) ];
-  vacu.packages =
-    (with pkgs; [
+  vacu.packages = lib.mkMerge [
+    ''
       libfido2
       pcsc-tools
       scmccid
       opensc
-    ])
-    ++ [ pcsclite-pkg ];
+      pcsclite
+    ''
+    { pcsclite.package = pcsclite-pkg; }
+  ];
 
   services.pcscd.enable = true;
   # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
@@ -58,12 +65,12 @@ in
     '')
   ];
 
-  programs.firefox.enable = true;
-  #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+  # programs.firefox.enable = true;
+  # programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
 
   # trying CTAP-bridge
   services.udev.extraRules = ''
-    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
-    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
+    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE="0666", TAG+="uaccess"
+    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE="0666", TAG+="uaccess"
   '';
 }

hosts/fw/default.nix

@@ -1,81 +1,65 @@
-{
-  inputs,
-  pkgs,
-  ...
-}:
+{ inputs, pkgs, lib, vacuModules, ... }:
 {
   imports = [
     inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    "${inputs.self}/tf2"
+    vacuModules.sops
     ./apex.nix
     ./android.nix
     ./thunderbolt.nix
     ./fwupd.nix
     ./zfs.nix
     ./virtualbox.nix
+    ./radicle.nix
+    ./tpm-fido.nix
+    ./podman.nix
+    ./waydroid.nix
   ];
 
+  boot.supportedFilesystems = [ "bcachefs" ];
+
   vacu.hostName = "fw";
   vacu.shell.color = "magenta";
   vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
-  vacu.systemKind = "desktop";
+  vacu.systemKind = "laptop";
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  # standard kernel: waydroid works
+  # lqx kernel: games run with less stutters
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_lqx;
+  # boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_15;
+
   networking.networkmanager.enable = true;
+  services.irqbalance.enable = true;
   # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
 
   services.fprintd.enable = false; # kinda broken
 
   users.users.shelvacu.extraGroups = [ "dialout" ];
 
-  vacu.packages =
-    (with pkgs; [
-      bitwarden-desktop
-      nheko
-      librewolf
-      brave
-      thunderbird
-      wl-clipboard
-      nextcloud-client
-      signal-desktop
-      fw-ectool
-      framework-tool
-      iio-sensor-proxy
-      power-profiles-daemon
-      acpi
-      jellyfin-media-player
-      vlc
-      dmidecode
-      prismlauncher
-      ffmpeg_7-full
-      wireshark
-      obsidian
-      dino
-      aircrack-ng
-      libreoffice-qt6-fresh
-      gimp
-      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
-      (inkscape-with-extensions.override { inkscapeExtensions = null; })
-      libsmi
-      net-snmp
-      android-tools
-      ghidra
-      wineWowPackages.stableFull
-      wineWowPackages.fonts
-      winetricks
-      tremotesf
-      smartmontools
-      nvme-cli
-      arduino-ide
-      headsetcontrol
-      OSCAR
-    ])
-    ++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ];
+  programs.steam.extraCompatPackages = [ pkgs.proton-ge-bin ];
+
+  vacu.packages = ''
+    android-studio
+    framework-tool
+    fw-ectool
+    headsetcontrol
+    openterface-qt
+    intiface-central
+    osu-lazer
+    mumble
+    obs-studio
+  '';
+
+  services.power-profiles-daemon.enable = true;
 
   networking.firewall.enable = false;
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
   services.desktopManager.plasma6.enable = true;
+  services.printing.enable = true;
+  programs.system-config-printer.enable = true;
 
   boot.loader.grub.enable = true;
   boot.loader.grub.efiSupport = true;
@@ -114,12 +98,23 @@
     fsType = "zfs";
   };
 
+  fileSystems."/cache" = {
+    device = "fw/cache";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home/shelvacu/cache" = {
+    device = "/cache/shelvacu";
+    options = [ "bind" ];
+  };
+
   fileSystems."/boot0" = {
     device = "/dev/disk/by-label/BOOT0";
     fsType = "vfat";
     options = [
       "fmask=0022"
       "dmask=0022"
+      "nofail"
     ];
   };
 
@@ -129,14 +124,13 @@
     options = [
       "fmask=0022"
       "dmask=0022"
+      "nofail"
     ];
   };
 
   hardware.cpu.amd.updateMicrocode = true;
   hardware.enableAllFirmware = true;
-  hardware.opengl = {
-    driSupport = true;
-    driSupport32Bit = true;
+  hardware.graphics = {
     extraPackages = [
       pkgs.rocmPackages.clr.icd
       pkgs.amdvlk
@@ -160,5 +154,5 @@
 
   services.postgresql.enable = true; # for development
 
-  virtualisation.waydroid.enable = true;
+  vacu.programs.thunderbird.enable = true;
 }

hosts/fw/podman.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  virtualisation.containers.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    # Create a `docker` alias for podman, to use it as a drop-in replacement
+    dockerCompat = true;
+    # Required for containers under podman-compose to be able to talk to each other.
+    defaultNetwork.settings.dns_enabled = true;
+  };
+
+  users.users.shelvacu.extraGroups = [ "podman" ];
+}

hosts/fw/radicle.nix

@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+  sops.secrets.radicle-key = {
+    sopsFile = "${config.vacu.sops.secretsPath}/radicle-private.key";
+    format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
+  };
+  services.radicle = {
+    enable = true;
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
+    privateKeyFile = config.sops.secrets.radicle-key.path;
+    settings = {
+      node.alias = "shelvacu-fw";
+      seedingPolicy.default = "block";
+    };
+  };
+  vacu.packages.radicle-node = {
+    enable = true;
+    package = config.services.radicle.package;
+  };
+}

hosts/fw/thunderbolt.nix

@@ -0,0 +1,13 @@
+{ lib, config, ... }:
+{
+  services.hardware.bolt.enable = true;
+
+  vacu.packages = lib.mkMerge [
+    ''
+      thunderbolt
+      bolt
+      kdePackages.plasma-thunderbolt
+    ''
+    { bolt.package = config.services.hardware.bolt.package; }
+  ];
+}

hosts/fw/tpm-fido.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  vacu.packages = [ "tpm-fido" ];
+  users.groups.uhid = { };
+  users.users.shelvacu.extraGroups = [
+    config.security.tpm2.tssGroup
+    config.users.groups.uhid.name
+  ];
+  security.tpm2.enable = true;
+  security.tpm2.applyUdevRules = true;
+  services.udev.extraRules = ''
+    KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="${config.users.groups.uhid.name}", MODE="0660"
+  '';
+}

hosts/fw/waydroid.nix

@@ -0,0 +1,5 @@
+{ ... }:
+{
+  boot.kernelParams = [ "psi=1" ];
+  virtualisation.waydroid.enable = true;
+}

hosts/fw/zfs.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  boot.zfs.extraPools = [ "fw" ];
+  systemd.services.zfs-mount.enable = false;
+
+  # see also fileSystems."/"
+}

hosts/installer/common/default.nix

@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+{
+  # this is an installer image, created anew every time. There's no state we need to worry about messing up
+  system.stateVersion = config.system.nixos.release;
+  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+  vacu.hostName = "vacuInstaller";
+  vacu.shell.color = "red";
+  vacu.systemKind = "minimal";
+
+  vacu.packages = ''
+    acpi
+    iio-sensor-proxy
+    aircrack-ng
+    # bitwarden-cli # 800MB closure size!
+    borgbackup
+    dmidecode
+    home-manager
+    man
+    mercurial
+    nix-index
+    nix-inspect
+    nix-search-cli
+    nmap
+    nvme-cli
+    rclone
+    smartmontools
+    tcpdump
+    termscp
+  '';
+}

hosts/installer/iso.nix

@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./common
+    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+  ];
+  isoImage.isoBaseName = "nixos-shel-installer";
+}

hosts/installer/pxe.nix

@@ -0,0 +1,7 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./common
+    "${modulesPath}/installer/netboot/netboot-minimal.nix"
+  ];
+}

hosts/legtop/bluetooth.nix

@@ -3,5 +3,5 @@
   hardware.bluetooth.enable = true;
   hardware.bluetooth.powerOnBoot = true;
 
-  services.blueman.enable = true;
+  # services.blueman.enable = true;
 }

hosts/legtop/default.nix

@@ -11,53 +11,19 @@
   vacu.shortHostName = "lt";
   vacu.shell.color = "blue";
   vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
-  vacu.systemKind = "desktop";
+  vacu.systemKind = "laptop";
 
   system.stateVersion = "24.05";
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  services.power-profiles-daemon.enable = true;
   networking.networkmanager.enable = true;
-  vacu.packages =
-    (with pkgs; [
-      bitwarden-desktop
-      nheko
-      librewolf
-      brave
-      thunderbird
-      wl-clipboard
-      nextcloud-client
-      signal-desktop
-      iio-sensor-proxy
-      power-profiles-daemon
-      acpi
-      jellyfin-media-player
-      vlc
-      dmidecode
-      prismlauncher
-      ffmpeg_7-full
-      wireshark
-      obsidian
-      dino
-      aircrack-ng
-      libreoffice-qt6-fresh
-      gimp
-      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
-      (inkscape-with-extensions.override { inkscapeExtensions = null; })
-      libsmi
-      net-snmp
-      android-tools
-      ghidra
-      wineWowPackages.stableFull
-      wineWowPackages.fonts
-      winetricks
-      lutris
-    ])
-    ++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ];
 
   services.openssh.enable = true;
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
+  services.displayManager.sddm.wayland.enable = true;
   services.desktopManager.plasma6.enable = true;
 
   boot.loader.grub.enable = true;
@@ -77,4 +43,6 @@
     pulse.enable = true;
   };
   programs.steam.enable = true;
+
+  boot.kernelPackages = pkgs.linuxPackages_lqx;
 }

hosts/legtop/hardware.nix

@@ -25,6 +25,7 @@
     options = [
       "fmask=0022"
       "dmask=0022"
+      "nofail"
     ];
   };
   nixpkgs.hostPlatform = "x86_64-linux";

hosts/liam/backup.nix

@@ -0,0 +1,156 @@
+{
+  config,
+  vaculib,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkOption;
+  cfg = config.vacu.liam.backup;
+  commonServiceConfig = {
+    Type = "oneshot";
+    StateDirectory = "auto-borg";
+    CacheDirectory = "auto-borg";
+    ReadOnlyPaths = cfg.paths ++ [ cfg.keyPath ];
+
+    User = cfg.user;
+    Group = cfg.user;
+
+    LockPersonality = true;
+    MemoryDenyWriteExecute = true;
+    PrivateDevices = true;
+    # PrivateUsers = true;
+    ProcSubset = "pid";
+    PrivateTmp = true;
+    ProtectClock = true;
+    ProtectControlGroups = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    ProtectSystem = "strict";
+    RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+    ];
+    RestrictNamespaces = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    SystemCallArchitectures = "native";
+    SystemCallFilter = [
+      "@system-service"
+      "~@privileged"
+    ];
+    UMask = "0077";
+    AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
+    CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
+  };
+in
+{
+  options.vacu.liam.backup = {
+    user = mkOption { default = "autoborger"; };
+    rsyncUser = mkOption { default = "fm2382"; };
+    rsyncHost = mkOption {
+      default = "${cfg.rsyncUser}.rsync.net";
+      defaultText = "(output)";
+    };
+    repo = mkOption {
+      default = "${cfg.rsyncUser}@${cfg.rsyncHost}:borg-repos/liam-backup";
+      defaultText = "(output)";
+    };
+    package = mkOption {
+      default = pkgs.borgbackup;
+      defaultText = "pkgs.borgbackup";
+    };
+    cmd = mkOption {
+      default = lib.getExe cfg.package;
+      defaultText = "lib.getExe cfg.package";
+    };
+    paths = mkOption {
+      default = [
+        "/var/lib/mail"
+        "/var/lib/dovecot"
+        "/var/log"
+      ];
+    };
+    keyPath = mkOption {
+      default = config.sops.secrets.liam-borg-key.path;
+      defaultText = "TODO";
+    };
+  };
+  config = {
+    vacu.assertions = lib.singleton {
+      assertion =
+        (lib.versionAtLeast cfg.package.version "1.4.0")
+        && !(lib.versionAtLeast cfg.package.version "1.5.0");
+      message = "Only for version 1.4.x";
+      fatal = true;
+    };
+
+    sops.secrets.liam-borg-key = {
+      owner = cfg.user;
+    };
+
+    # systemd.tmpfiles.settings."10-auto-borg" = lib.genAttrs cfg.paths (_:
+    #   {
+    #     # A+ = append to ACLs recursively
+    #     "A+" = {
+    #       argument = "u:${cfg.user}:r-x";
+    #     };
+    #   }
+    # );
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.user;
+      home = "/var/lib/auto-borg";
+    };
+    users.groups.${cfg.user} = { };
+    systemd.services.auto-borg-gen-key = {
+      script = ''
+        set -euo pipefail
+        ${lib.optionalString config.vacu.underTest "${pkgs.openssh}/bin/ssh -oBatchMode=yes -oStrictHostKeyChecking=accept-new ${cfg.rsyncHost} || true"}
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "$STATE_DIRECTORY"/id_ed25519 -N ""
+      '';
+      serviceConfig = commonServiceConfig;
+    };
+    systemd.services.auto-borg = {
+      script = ''
+        set -euo pipefail
+        # makes a date like 2025-04-15_21-24-29_UTC
+        dashed_date="$(date -u '+%F_%H-%M-%S_%Z')"
+        archive_name="liam-auto-backup--$dashed_date"
+        export BORG_PASSPHRASE="$(cat ${lib.escapeShellArg cfg.keyPath})"
+        export BORG_REMOTE_PATH="borg14"
+        export BORG_RSH="ssh -i $STATE_DIRECTORY/id_ed25519"
+        export BORG_REPO=${lib.escapeShellArg cfg.repo}
+        export BORG_CACHE_DIR="$CACHE_DIRECTORY/borg"
+        export BORG_CONFIG_DIR="$STATE_DIRECTORY/borg"
+        cmd=(
+          ${lib.escapeShellArg cfg.cmd}
+          create
+          --show-rc
+          --verbose
+          --show-version
+          --stats
+          --atime
+          "::$archive_name"
+          ${lib.escapeShellArgs cfg.paths}
+        )
+        "''${cmd[@]}"
+      '';
+      serviceConfig = commonServiceConfig;
+    };
+    systemd.timers.auto-borg = {
+      enable = !config.vacu.underTest;
+      wantedBy = [ "timers.target" ];
+      # run every day at a random time between 3am and 4am, los angeles time
+      timerConfig = {
+        OnCalendar = "*-*-* 03:00:00 America/Los_Angeles";
+        RandomizedDelaySec = 3600;
+      };
+    };
+  };
+}

hosts/liam/default.nix

@@ -1,9 +1,12 @@
 {
   modulesPath,
   config,
-  lib,
+  vaculib,
   ...
 }:
+let
+  inherit (vaculib) mkOutOption;
+in
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
@@ -15,41 +18,39 @@
     ./dkim.nix
     ./sieve.nix
     ./network.nix
+    ./backup.nix
   ];
 
-  options =
-    let
-      mkReadOnly =
-        val:
-        lib.options.mkOption {
-          default = val;
-          readOnly = true;
+  options = {
+    vacu.liam = {
+      shel_domains = mkOutOption [
+        "shelvacu.com"
+        "dis8.net"
+        "mail.dis8.net"
+        "jean-luc.org"
+        "in.jean-luc.org"
+        "vacu.store"
+        "shelvacu.miras.pet"
+        "chat.for.miras.pet"
+        "sv.mt"
+      ];
+      julie_domains = mkOutOption [
+        "violingifts.com"
+        "theviolincase.com"
+        "shop.theviolincase.com"
+      ];
+      domains = mkOutOption (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
+      relayhosts = {
+        allDomains = (mkOutOption "[outbound.mailhop.org]:587") // {
+          readOnly = false;
         };
-    in
-    {
-      vacu.liam = {
-        shel_domains = mkReadOnly [
-          "shelvacu.com"
-          "dis8.net"
-          "mail.dis8.net"
-          "jean-luc.org"
-          "in.jean-luc.org"
-          "vacu.store"
-        ];
-        julie_domains = mkReadOnly [
-          "violingifts.com"
-          "theviolincase.com"
-          "shop.theviolincase.com"
-        ];
-        domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
-        relayhost = lib.options.mkOption {
-          type = lib.types.str;
-          # mailhop is duocircle
-          default = "[outbound.mailhop.org]:587 [relay.dynu.com]:587";
+        shelvacuAlt = (mkOutOption "[relay.dynu.com]:587") // {
+          readOnly = false;
         };
-        reservedIpLocal = mkReadOnly "10.46.0.7";
       };
+      reservedIpLocal = mkOutOption "10.46.0.7";
     };
+  };
 
   config = {
     vacu.hostName = "liam";

hosts/liam/dovecot.nix

@@ -1,9 +1,4 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
+{ config, lib, ... }:
 {
   networking.firewall.allowedTCPPorts = [ 993 ];
   systemd.tmpfiles.settings.whatever."/var/lib/mail".d = {
@@ -27,13 +22,13 @@
       "lmtp"
       "sieve"
     ];
-    modules = [ pkgs.dovecot_pigeonhole ];
     mailUser = "vmail";
     mailGroup = "vmail";
     createMailUser = true;
     mailLocation = "mdbox:~/mail";
     extraConfig = ''
       mail_home = /var/lib/mail/%n
+      mail_max_userip_connections = 100
       service auth {
         unix_listener /var/lib/postfix/queue/private/dovecot-auth {
           group = ${config.services.postfix.group}
@@ -97,9 +92,20 @@
       namespace {
         separator = .
         inbox = yes
+        
+        mailbox MagicRefilter {
+          auto = create
+        }
       }
 
       # mail_debug = yes
+      mail_plugins = $mail_plugins notify mail_log
+
+      plugin {
+        # sieve_trace_debug = yes
+        mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename flag_change
+        mail_log_fields = uid box msgid size from
+      }
     '';
   };
 }

hosts/liam/mail.nix

@@ -9,19 +9,34 @@ let
     shel_domains
     julie_domains
     domains
-    relayhost
+    relayhosts
     ;
+  mapLines = f: lis: lib.concatStringsSep "\n" (map f lis);
   debug = false;
   fqdn = config.networking.fqdn;
+  relayable_domains = [
+    "shelvacu.com"
+    "vacu.store"
+    "chat.for.miras.pet"
+  ];
   dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
   reject_spam_sources = [
     "reject-spam-test@example.com"
     "buyerservice@made-in-china.com"
     "upgrade-plans@asuswebstorage.com"
     "info@rfidlabel.com"
+    "made-in-china.com"
+    "*.made-in-china.com"
+    "hotels.com"
+    "*.hotels.com"
   ];
   banned_ips = [
-    "210.242.134.20/26"
+    "45.192.103.243/32"
+    "165.154.207.0/24"
+    "165.154.226.0/24"
+    "210.242.134.0/26"
+    "137.220.198.0/24"
+    "122.96.0.0/15"
   ];
   # must be bigger than gmail's 25MB "attachment limit" which after base64 encoding (x 1.33) is ~33MB
   mailSizeLimit = 35 * 1024 * 1024;
@@ -45,9 +60,9 @@ in
         mom@shelvacu.com julie
         psv@shelvacu.com psv
       ''
-      + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains)
+      + (mapLines (d: "@${d} shelvacu") shel_domains)
       + "\n"
-      + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
+      + (mapLines (d: "@${d} julie") julie_domains);
 
     transport = ''
       shelvacu@${fqdn} ${dovecot_transport}
@@ -63,21 +78,37 @@ in
     enableSubmission = false;
     enableSubmissions = true;
     mapFiles.header_checks = pkgs.writeText "header-checks" (
-      "/./ INFO checker headers\n"
-      + (lib.concatMapStringsSep "\n" (
+      ''
+        /./ INFO checker headers
+      ''
+      + (mapLines (
         d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
       ) domains)
     );
     mapFiles.sender_access = pkgs.writeText "sender-access" (
-      lib.concatMapStringsSep "\n" (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
-    );
-    mapFiles.banned_ips = pkgs.writeText "banned-ips" (
-      lib.concatMapStringsSep "\n" (ip: "${ip} REJECT spam") banned_ips
+      mapLines (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
     );
+    mapFiles.banned_ips = pkgs.writeText "banned-ips" (mapLines (ip: "${ip} REJECT spam") banned_ips);
     # hack to get postfix to add a X-Original-To header
     mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
-    mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
-    mapFiles.sender_relay = pkgs.writeText "sender-relay" "@shelvacu.com ${relayhost}";
+    # mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
+    mapFiles.sender_transport = pkgs.writeText "sender-transport" (
+      mapLines (d: "@${d} relayservice") relayable_domains
+    );
+    mapFiles.sender_relay = pkgs.writeText "sender-relay" (
+      ''
+        @shelvacu.com ${relayhosts.allDomains} ${relayhosts.shelvacuAlt} 
+      ''
+      + (mapLines (d: "@${d} ${relayhosts.allDomains}") relayable_domains)
+    );
+    mapFiles.extra_login_maps = pkgs.writeText "extra-login-maps" (
+      ''
+        robot@vacu.store vacustore
+        zulip-notify@chat.for.miras.pet miracult-zulip
+        idrac-62pn9z1@shelvacu.com idrac-62pn9z1
+      ''
+      + config.services.postfix.virtual
+    );
 
     # verbatim appended to main.cf
     extraConfig = ''
@@ -141,7 +172,6 @@ in
         "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
         "-o"
         "smtp_tls_wrappermode=no"
-        #"-o" "relayhost=${relayhost}"
       ] ++ (if debug then [ "-v" ] else [ ]);
     };
 
@@ -161,7 +191,7 @@ in
       smtpd_sasl_type = "dovecot";
       smtpd_sasl_path = "private/dovecot-auth";
       message_size_limit = "100000000";
-      smtpd_sender_login_maps = "hash:/etc/postfix/virtual";
+      smtpd_sender_login_maps = "hash:/etc/postfix/extra_login_maps";
       smtpd_sender_restrictions = "reject_authenticated_sender_login_mismatch";
       header_checks = "";
 

hosts/liam/nginx.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ ... }:
 let
   domains = [
     "smtp.shelvacu.com"

hosts/liam/notes.txt

@@ -0,0 +1,21 @@
+I think I can sort my email into these categories:
+- A Top priority: should be a notification
+  - personal emails
+  - here is a code to login (except ms, ugh)
+- B Normal priority: should be reviewed regularly, at least once every couple days
+  - (some) purchase receipts
+  - your credit card was used for <amount>
+  - money stuff
+  - patreons
+- C Low priority: should be skimmed occaisionally to make sure nothing got caught that shouldn't have
+  - C1 good emails:
+    - your statement is available to view
+    - 
+  - C2 spam
+- D Shit-tier: never reviewed, except if I'm missing an email I was otherwise expecting
+  - unsolicited job offers
+  - anything definitely spam
+
+- M Mailing lists
+
+searches should generally search A,B,C but not D or M

hosts/liam/sieve.nix

@@ -0,0 +1,960 @@
+{
+  pkgs,
+  lib,
+  config,
+  vaculib,
+  ...
+}:
+let
+  inherit (builtins)
+    isString
+    isList
+    length
+    head
+    all
+    isInt
+    isAttrs
+    isFloat
+    isBool
+    ;
+  inherit (lib)
+    concatStrings
+    concatStringsSep
+    splitString
+    match
+    replaceStrings
+    reverseList
+    elemAt
+    mapAttrsToList
+    ;
+  mapConcat = f: xs: concatStrings (map f xs);
+  mapConcatSep =
+    sep: f: xs:
+    concatStringsSep sep (map f xs);
+  mapConcatLines = f: xs: mapConcatSep "\n" f xs;
+  isListWhere = xs: f: (isList xs) && (all f xs);
+  stringOrList = val: (isString val) || ((isListWhere val isString) && (length val) > 0);
+  listify = val: if isList val then val else [ val ];
+  is_match = regex: s: (match regex s) != null;
+  is_not_match = regex: s: !(is_match regex s);
+  only_printable_ascii = s: is_match "[ -~\r\n]*" s;
+  has_vars = s: lib.hasInfix ("$" + "{") s;
+  sieve_raw_escape_string =
+    s:
+    if !only_printable_ascii s then
+      builtins.trace s throw "s failed only_printable_ascii check"
+    else
+      replaceStrings [ ''"'' ''\'' "\n" "\r" ] [ ''\"'' ''\\'' ''\n'' ''\r'' ] s;
+  sieve_encode_string =
+    {
+      allow_vars,
+      for_debug_comment,
+      with_quotes,
+    }:
+    s:
+    assert isString s;
+    assert allow_vars || for_debug_comment || (!has_vars s);
+    let
+      a = sieve_raw_escape_string s;
+      b = if for_debug_comment then replaceStrings [ ''*/'' ] [ ''*\/'' ] a else a;
+      res = if with_quotes then ''"${b}"'' else b;
+    in
+    res;
+  sieve_quote_string = sieve_encode_string {
+    allow_vars = false;
+    for_debug_comment = false;
+    with_quotes = true;
+  };
+  sieve_quote_string_with_interp = sieve_encode_string {
+    allow_vars = true;
+    for_debug_comment = false;
+    with_quotes = true;
+  };
+  is_valid_long_ident = is_match "[a-z_][a-z0-9_]*";
+  is_number_ident = is_match "[0-9]*";
+  is_valid_ident = s: (is_valid_long_ident s) || (is_number_ident s);
+  interp =
+    ident:
+    assert isString ident;
+    assert is_valid_ident ident;
+    "$" + "{${ident}}";
+  dest = "envelope_to";
+  dest_domain = "envelope_to_domain";
+  set_envelope = ''
+    #set_envelope START
+    if header :index 1 :matches "X-Envelope-To" "*" {
+      set ${sieve_quote_string dest} "''${1}";
+    }
+    if header :index 1 :matches "X-Envelope-To" "*@*" {
+      set ${sieve_quote_string dest_domain} "''${2}";
+    }
+    #set_envelope END
+  '';
+  envelope_is =
+    key:
+    assert stringOrList key;
+    ''string :is "${interp dest}" ${sieve_encode key}'';
+  envelope_matches =
+    key:
+    assert stringOrList key;
+    ''string :matches "${interp dest}" ${sieve_encode key}'';
+  envelope_domain_is = key: ''string :is "${interp dest_domain}" ${sieve_quote_string key}'';
+  sieve_encode_list =
+    xs:
+    assert isListWhere xs isString;
+    "[ ${mapConcatSep ", " sieve_encode xs} ]";
+  sieve_encode =
+    val:
+    if isString val then
+      sieve_quote_string val
+    else if isList val then
+      sieve_encode_list val
+    else
+      assert "dunno what to do with this";
+      null;
+  sieve_debug_list = xs: "[ ${mapConcat (s: (sieve_debug s) + " ") xs}]";
+  sieve_debug_attrs =
+    attrs:
+    let
+      toPairStr = name: val: "${sieve_debug name} = ${sieve_debug val}; ";
+      pairStrs = mapAttrsToList toPairStr attrs;
+      pairsStr = concatStrings pairStrs;
+    in
+    "{ ${pairsStr}}";
+  sieve_debug =
+    val:
+    if isString val then
+      sieve_encode_string {
+        allow_vars = true;
+        for_debug_comment = true;
+        with_quotes = true;
+      } val
+    else if (isInt val) || (isFloat val) then
+      toString val
+    else if (isBool val) then
+      (if val then "true" else "false")
+    else if isNull val then
+      "null"
+    else if isList val then
+      sieve_debug_list val
+    else if isAttrs val then
+      sieve_debug_attrs val
+    else
+      assert "dunno what to do with this";
+      null;
+  is_flagish =
+    flag_name:
+    let
+      # escape_all = map lib.escapeRegex;
+
+      # all from https://datatracker.ietf.org/doc/html/rfc9051#name-formal-syntax
+      # resp-specials = escape_all [ "]" ];
+      # DQUOTE = ''"'';
+      # quoted-specials = escape_all [ DQUOTE "\\" ];
+      # list-wildcards = escape_all [ "%" "*" ];
+      # CTL = something; # 0x00 thru 0x1F, and 0x7F
+      # SP = escape_all [ " " ];
+      # atom-specials = (escape_all [ "(" ")" "{" ]) ++ [ SP CTL list-wildcards quoted-specials resp-specials ];
+      # " "  0x20 !allowed
+      # "!"  0x21 ok
+      # "\"" 0x22 !allowed
+      # "#"  0x23 ok
+      # "$"  0x24 ok
+      # "%"  0x25 !allowed
+      # "&"  0x26 ok
+      # "'"  0x27 ok
+      # "("  0x28 !allowed
+      # ")"  0x29 !allowed
+      # "*"  0x2a !allowed
+      # "+"  0x2b ok
+      # ...
+      # "Z"  0x5a ok
+      # "["  0x5b !allowed
+      # "\\" 0x5c !allowed
+      # "]"  0x5d ok
+      # "^"  0x5e ok
+      # ...
+      # "z"  0x7a ok
+      # "{"  0x7b !allowed
+      # "|"  0x7c ok
+      # "}"  0x7d ok
+      # "~"  0x7e ok
+      # DEL  0x7f !allowed
+      # ATOM-CHAR = something; # "any CHAR except atom-specials"
+      ATOM-CHAR = ''[]!#$&'+-Z^-z|}~]'';
+      atom = "${ATOM-CHAR}+";
+      flag-keyword = ''\$MDNSent|\$Forwarded|\$Junk|\$NotJunk|\$Phishing|(${atom})'';
+      flag-extension = ''\\(${atom})'';
+      flag = ''\\Answered|\\Flagged|\\Deleted|\\Seen|\\Draft|(${flag-keyword})|(${flag-extension})'';
+    in
+    (isString flag_name) && ((builtins.match flag flag_name) != null);
+  known_flags = rec {
+    seen = ''\Seen'';
+    read = seen;
+  };
+  pure_flags_impl =
+    flags: conditions:
+    assert isListWhere flags isString;
+    assert isListWhere conditions isString;
+    assert (length flags) > 0;
+    assert (length conditions) > 0;
+    let
+      argAttrs = { inherit flags conditions; };
+      firstFlag = head flags;
+      combined_condition = if (length conditions) == 1 then head conditions else (allof conditions);
+    in
+    ''
+      # pure_flags ${sieve_debug argAttrs};
+      removeflag ${sieve_quote_string firstFlag};
+      if ${combined_condition} {
+        ${record_action "pure_flags ${concatStringsSep " " flags}"}
+        ${concatStringsSep "\n" (map (flag: ''addflag ${sieve_quote_string flag};'') flags)}
+      }
+      # pure_flags end
+    '';
+  pure_flags =
+    flags: conditions:
+    assert stringOrList flags;
+    assert stringOrList conditions;
+    pure_flags_impl (listify flags) (listify conditions);
+  exists_impl =
+    headers:
+    assert isListWhere headers isString;
+    if headers == [ ] then
+      "/* exists START: called with empty array */ false /* exists END */"
+    else
+      "/* exists START */ exists ${sieve_encode_list headers} /* exists END */";
+  exists =
+    headers:
+    assert stringOrList headers;
+    exists_impl (listify headers);
+  header_generic =
+    match_kind: header_s: match_es:
+    assert stringOrList header_s;
+    assert stringOrList match_es;
+    ''/* header_generic START */ header ${match_kind} ${sieve_encode header_s} ${sieve_encode match_es} /* header_generic END */'';
+  header_matches = header_generic ":matches";
+  header_is = header_generic ":is";
+  subject_generic = match_kind: match_es: header_generic match_kind "Subject" match_es;
+  subject_matches = subject_generic ":matches";
+  subject_is = subject_generic ":is";
+  environment_generic =
+    match_kind: environment_name_s: match_es:
+    assert stringOrList environment_name_s;
+    assert stringOrList match_es;
+    "environment ${match_kind} ${sieve_encode environment_name_s} ${sieve_encode match_es}";
+  environment_matches = environment_generic ":matches";
+  environment_is = environment_generic ":is";
+  from_is =
+    addr_list:
+    assert stringOrList addr_list;
+    ''/* from_is START */ address :is :all "From" ${sieve_encode addr_list} /* from_is END */'';
+  from_matches =
+    addr_list:
+    assert stringOrList addr_list;
+    ''/* from_is START */ address :matches :all "From" ${sieve_encode addr_list} /* from_is END */'';
+  var_is =
+    var_name: rhs:
+    assert isString var_name;
+    assert stringOrList rhs;
+    ''string :is "''${${var_name}}" ${sieve_encode rhs}'';
+  var_is_true = var_name: var_is var_name "1";
+  var_is_false = var_name: not (var_is_true var_name);
+  has_flag =
+    flag_name:
+    assert isString flag_name;
+    assert is_flagish flag_name; # no spaces allowed in flag names
+    ''hasflag :is ${sieve_encode flag_name}'';
+  set_with_interp =
+    var_name: new_val:
+    assert isString var_name;
+    assert is_valid_ident var_name;
+    assert isString new_val;
+    "set ${sieve_encode var_name} ${sieve_quote_string_with_interp new_val};";
+  set =
+    var_name: new_val:
+    assert isString var_name;
+    assert is_valid_ident var_name;
+    assert isString new_val;
+    "set ${sieve_encode var_name} ${sieve_encode new_val};";
+  set_bool_var =
+    var_name: bool_val:
+    assert isBool bool_val;
+    set var_name (if bool_val then "1" else "0");
+  over_test_list =
+    name: test_list:
+    assert isListWhere test_list isString;
+    ''
+      ${name}(
+      ${concatStringsSep ",\n" test_list}
+      )
+    '';
+  anyof = over_test_list "anyof";
+  allof = over_test_list "allof";
+  not = test: "not ${test}";
+  record_action =
+    action_desc:
+    assert isString action_desc;
+    ''addheader "X-Vacu-Action" ${sieve_encode action_desc};'';
+  fileinto =
+    folder:
+    assert isString folder;
+    ''
+      ${record_action "fileinto ${folder}"}
+      fileinto :create ${sieve_encode folder};
+    '';
+  ihave =
+    extension_name_s:
+    assert stringOrList extension_name_s;
+    "ihave ${sieve_encode extension_name_s}";
+  # email_filters = map (e: ''
+  #   elsif ${envelope_is e} { # item of email_filters
+  #     ${record_action "email_filters fileinto ${mk_email_folder_name e}"}
+  #     fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
+  #   }
+  # '') email_folders;
+  # domain_filters = map (d: ''
+  #   elsif ${envelope_domain_is d} { # item of domain_filters
+  #     ${record_action "domain_filters fileinto ${mk_domain_folder_name d}"}
+  #     fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
+  #   }
+  # '') domain_folders;
+  set_from =
+    {
+      condition,
+      var,
+      default ? "-",
+      warn_if_unset ? false,
+    }@args:
+    ''
+      # set_from ${sieve_debug args}
+      if ${condition} {
+        ${set_with_interp var (interp "1")}
+      }
+      else {
+        ${lib.optionalString warn_if_unset (
+          maybe_debug "info: Could not set ${var} from condition ${condition}, setting to default(${default})"
+        )}
+        ${set var default}
+      }
+      # set_from END
+    '';
+  set_var_from_environment =
+    item: var:
+    ''
+      # set_var_from_environment
+    ''
+    + set_from {
+      condition = ''environment :matches ${sieve_quote_string item} "*"'';
+      inherit var;
+    };
+  maybe_debug = msg: ''
+    if ${ihave "vnd.dovecot.debug"} {
+      debug_log ${sieve_quote_string_with_interp msg};
+    }
+  '';
+  # trimmed down from https://pages.ebay.com/securitycenter/security_researchers_eligible_domains.html
+  ebay_domains = vaculib.listOfLines { } ''
+    ebay.com
+    ebay.co.uk
+    ebay.com.au
+    ebay.de
+    ebay.ca
+    ebay.fr
+    ebay.it
+    ebay.es
+    ebay.at
+    ebay.ch
+    ebay.com.hk
+    ebay.com.sg
+    ebay.com.my
+    ebay.in
+    ebay.ph
+    ebay.ie
+    ebay.pl
+    ebay.be
+    ebay.nl
+    ebay.cn
+    ebay.com.tw
+    ebay.co.jp
+    ebaythailand.co.th
+  '';
+  sieve_text = ''
+    require [
+      "fileinto",
+      "mailbox",
+      "imap4flags",
+      "editheader",
+      "environment",
+      "variables",
+      "date",
+      "index",
+      "ihave"
+    ];
+
+    if ${
+      allof [
+        (ihave "imapsieve")
+        (environment_matches "imap.user" "*")
+        (environment_matches "location" "MS")
+        (environment_matches "phase" "post")
+      ]
+    } {
+      ${set_bool_var "in_imap" true}
+    } else {
+      ${set_bool_var "in_imap" false}
+    }
+
+    if ${var_is_true "in_imap"} {
+      if ${
+        not (allof [
+          (environment_is "imap.cause" [
+            "APPEND"
+            "COPY"
+            ""
+          ])
+          (environment_is "imap.mailbox" [
+            "MagicRefilter"
+            ""
+          ])
+        ])
+      } {
+        ${maybe_debug "NOT doing anything cuz imap.cause and/or imap.mailbox isn't right"}
+        stop;
+      }
+    }
+
+    ${set_envelope}
+    ${set_var_from_environment "location" "env_location"}
+    ${set_var_from_environment "phase" "env_phase"}
+    ${set_var_from_environment "imap.user" "env_imap_user"}
+    ${set_var_from_environment "imap.email" "env_imap_email"}
+    ${set_var_from_environment "imap.cause" "env_imap_cause"}
+    ${set_var_from_environment "imap.mailbox" "env_imap_mailbox"}
+    ${set_var_from_environment "imap.changedflags" "env_imap_changedflags"}
+    ${set_from {
+      condition = ''currentdate :matches "iso8601" "*"'';
+      var = "datetime";
+    }}
+    ${set_with_interp "sieved_message" ''at ''${datetime} by ${config.vacu.versionId} loc ''${env_location} phase ''${env_phase} user ''${env_imap_user} email ''${env_imap_email} cause ''${env_imap_cause} mailbox ''${env_imap_mailbox} changedflags ''${env_imap_changedflags} envelope ''${dest}''}
+    ${maybe_debug ''X-Vacu-Sieved: ''${sieved_message}''}
+
+    if ${ihave "envelope"} {
+      if envelope :all :matches "to" "*@*" {
+        ${set_with_interp "userfor" (interp "1")}
+      } else {
+        error "i dunno what to do, theres no envelope";
+      }
+    }
+    elsif ${var_is_true "in_imap"} {
+      ${set_with_interp "userfor" (interp "env_imap_user")}
+    }
+    else {
+      error "dont have envelope or imapsieve, dunno what to do";
+    }
+
+    if ${var_is "userfor" "shelvacu"} {
+      addheader "X-Vacu-Sieved" "''${sieved_message}";
+      removeflag "not-spamish";
+      removeflag "orders";
+      removeflag "banking";
+      removeflag "banking-statements";
+      removeflag "banking-transactions";
+      removeflag "A";
+      removeflag "B";
+      removeflag "B.subscriptions";
+      removeflag "C";
+      removeflag "D";
+
+      ${pure_flags [ "wells-fargo" "banking" ] (envelope_is "wf-primary@shelvacu.com")}
+      ${pure_flags
+        [ "wells-fargo-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "wells-fargo")
+          (subject_matches [
+            "You just got paid!"
+            "Wells Fargo card purchase exceeded preset amount"
+            "You made a payment"
+            "You made a credit card purchase of *"
+            "Your card wasn't present for a purchase"
+            "Account update"
+            "You've earned cash back from My Wells Fargo Deals"
+            "Confirmation of your Wells Fargo Rewards redemption"
+            "You sent money with Zelle(R)"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-statements" "banking-statements" "C" ]
+        [
+          (has_flag "wells-fargo")
+          (subject_matches [
+            "Your statement for credit card account *"
+            "Your statement for account *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-action-required" "A" ]
+        [
+          # wf is actually careful about saying action required
+          (has_flag "wells-fargo")
+          (subject_matches "Action Required: *")
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-misc" "A" ]
+        [
+          (has_flag "wells-fargo")
+          (not (has_flag "wells-fargo-transactions"))
+          (not (has_flag "wells-fargo-statements"))
+          (not (has_flag "wells-fargo-action-required"))
+        ]
+      }
+      ${pure_flags [ "chase" "banking" ] (envelope_is "chase@shelvacu.com")}
+      ${pure_flags
+        [ "chase-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "chase")
+          (subject_matches [
+            "Your * payment is scheduled"
+            "You made a * transaction with *"
+            "Your * transaction with *"
+            "Chase security alert: You signed in with a new device"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "chase-statements" "banking-statements" "C" ]
+        [
+          (has_flag "chase")
+          (subject_matches [
+            "Your credit card statement is available"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "chase-spam" "D" ]
+        [
+          (has_flag "chase")
+          (anyof [
+            (header_is "From" "Chase Credit Journey <no.reply.alerts@chase.com>")
+            (subject_is [
+              "Review your recent activity"
+              "Good news: You may qualify for a credit line increase!"
+              "Your Chase card is available to use with Paze - Activate now!"
+            ])
+          ])
+        ]
+      }
+      ${pure_flags [ "experian" ] (envelope_is "fbyjemby@shelvacu.com")}
+      ${pure_flags
+        [ "experian-spam" "D" ]
+        [
+          (has_flag "experian")
+          (subject_matches [
+            "*, your FICO* Score has been updated"
+            "Your monthly account statement is here, *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal" "banking" ]
+        [
+          # can't go purely on envelope, because paypal loves to give my email to every merchant I interact with
+          (envelope_is "paypal@shelvacu.com")
+          (from_matches [
+            "*@paypal.com"
+            "*@*.paypal.com"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "paypal")
+          (subject_matches [
+            "Receipt for your payment to *"
+            "*: $* USD"
+            "*: $* CAD"
+            "*: kr * SEK"
+            "You authorized a payment to *"
+            "You sent an automatic payment to *"
+            "Review your new automatic payment setup for *"
+            "You have a refund from *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal-statements" "banking-statements" "C" ]
+        [
+          (has_flag "paypal")
+          (subject_matches [
+            "*, your * account statement is available."
+          ])
+        ]
+      }
+
+      ${pure_flags [ "usps-id" ] (envelope_is "usps-id@shelvacu.com")}
+      ${pure_flags
+        [ "usps-expected-delivery" "C" ]
+        [
+          (has_flag "usps-id")
+          (subject_matches "USPS* Expected Delivery *")
+        ]
+      }
+      ${pure_flags
+        [ "amazon-ignore" "C" ]
+        [
+          (envelope_is "amznbsns@shelvacu.com")
+          (subject_matches [
+            "Your Amazon.com order has shipped*"
+            "Your Amazon.com order of * has shipped!"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "bandcamp-ignore" "C" ]
+        [
+          (envelope_is "bandcamp@shelvacu.com")
+          (subject_matches [
+            "* just announced a listening party on Bandcamp"
+            "New items from *"
+            "Starting in *"
+            "New from *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "bandcamp-not-ignore" "B.subscriptions" ]
+        [
+          (envelope_is "bandcamp@shelvacu.com")
+          ''not hasflag "bandcamp-ignore"''
+        ]
+      }
+      ${pure_flags [ "ika-ignore" "D" ] (envelope_is "ika@dis8.net")}
+      ${pure_flags
+        [ "ally-statement" "C" ]
+        [
+          (envelope_is "ally@shelvacu.com")
+          (subject_is "Your latest statement is ready to view.")
+        ]
+      }
+
+      ${pure_flags "bloomberg" (envelope_is "bloomberg@shelvacu.com")}
+
+      ${pure_flags
+        [ "money-stuff" "not-spamish" ]
+        [
+          (envelope_is "bloomberg@shelvacu.com")
+          ''header :matches "From" "\"Matt Levine\" *"''
+        ]
+      }
+
+      ${pure_flags
+        [ "money-stuff-podcast" "D" known_flags.read ]
+        [
+          (has_flag "money-stuff")
+          (subject_matches "Money Stuff: The Podcast:*")
+        ]
+      }
+
+      ${pure_flags
+        [ "money-stuff-not-podcast" "B.subscriptions" ]
+        [
+          (has_flag "money-stuff")
+          (not (has_flag "money-stuff-podcast"))
+        ]
+      }
+
+      ${pure_flags [ "git" "not-spamish" "B" ] (exists [
+        "X-GitHub-Reason"
+        "X-GitLab-Project"
+      ])}
+      ${pure_flags [ "git-uninsane" "git" "not-spamish" "B" ] (envelope_is "git-uninsane@shelvacu.com")}
+      ${pure_flags [ "github" "git" "not-spamish" "B" ] (header_matches "List-Id" "*<*.github.com>")}
+      ${pure_flags [ "mailing-list-by-envelope" "not-spamish" "B" ] (
+        envelope_matches "*-ml@shelvacu.com"
+      )}
+      
+      ${pure_flags [ "discourse" "not-spamish" "B" ] (exists "X-Discourse-Post-Id")}
+      ${pure_flags [ "agora" "not-spamish" ] (envelope_is "agora@shelvacu.com")}
+      ${pure_flags [ "postgres-list" "not-spamish" ] (
+        header_matches "List-Id" "<*.lists.postgresql.org>"
+      )}
+      ${pure_flags [ "secureaccesswa" "not-spamish" "A" ] (from_is "help@secureaccess.wa.gov")}
+      ${pure_flags [ "letsencrypt-mailing-list" "not-spamish" "B" ] (
+        envelope_is "lets-encrypt-mailing-list@shelvacu.com"
+      )}
+      ${pure_flags [ "jmp-news" "not-spamish" "B" ] (header_matches "List-Id" "*<jmp-news.soprani.ca>")}
+      ${pure_flags
+        [ "tf2wiki" "not-spamish" "B" ]
+        [
+          (envelope_is "tf2wiki@shelvacu.com")
+          (from_is "noreply@wiki.teamfortress.com")
+        ]
+      }
+
+      ${pure_flags "gmail-fwd" (envelope_is "gmailfwd-fc2e10bec8b2@shelvacu.com")}
+      ${pure_flags [ "ebay" "orders" ] (envelope_is "ebay@shelvacu.com")}
+      ${pure_flags
+        [ "ebay-delivered" "B" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "*ORDER DELIVERED: *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-message" "B" ]
+        [
+          (has_flag "ebay")
+          (from_matches (map (domain: "*@members.${domain}") ebay_domains))
+        ]
+      }
+      ${pure_flags
+        [ "ebay-offer" "B" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "You have an offer from the seller, *"
+            "You saw it at *, but the seller is now offering *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-order-update" "C" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "Out for delivery: *"
+            "*DELIVERY UPDATE: *"
+            "*Order update: *"
+            "EARLY DELIVERY UPDATE: *"
+            "Important information regarding your Global Shipping Program transaction *" # ebay: "important information! your order is being shipped." why did you say this was ""important""???
+            "Your package is now with *"
+            "*Order confirmed: *"
+            "Your order is confirmed"
+            "Your order is in!"
+            "*An update on your order"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-bid-ongoing-notification" "C" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "Michael, your bid for * is winning"
+            "* just got a new bid."
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-feedback" "D" ]
+        [
+          (has_flag "ebay")
+          (subject_matches "Please provide feedback for your eBay items")
+        ]
+      }
+      ${pure_flags [ "royal-mail" "orders" ] (from_is "no-reply@royalmail.com")}
+      ${pure_flags
+        [ "royal-mail-delivered" "B" ]
+        [
+          (has_flag "royal-mail")
+          (subject_matches "Your Royal Mail parcel has been delivered")
+        ]
+      }
+      ${pure_flags
+        [ "royal-mail-on-the-way" "D" ]
+        [
+          (has_flag "royal-mail")
+          (subject_matches "Your Royal Mail parcel is on its way")
+        ]
+      }
+      ${pure_flags [ "aliexpress" "orders" ] (from_is [
+        "transaction@notice.aliexpress.com"
+        "aliexpress@notice.aliexpress.com"
+      ])}
+      ${pure_flags
+        [ "aliexpress-delivered" "B" ]
+        [
+          (has_flag "aliexpress")
+          (from_is "transaction@notice.aliexpress.com")
+          (subject_matches "Order * has been signed for")
+        ]
+      }
+      ${pure_flags
+        [ "aliexpress" "orders" "C" ]
+        [
+          (has_flag "aliexpress")
+          (not (has_flag "aliexpress-delivered"))
+        ]
+      }
+      ${pure_flags [ "brandcrowd" "D" ] (envelope_is "brandcrowd@shelvacu.com")}
+      ${pure_flags [ "cpapsupplies" "D" ] (envelope_is "cpapsupplies@shelvacu.com")}
+      ${pure_flags [ "genshin" "D" ] (envelope_is "genshin@shelvacu.com")}
+      ${pure_flags [ "jork" "B" ] (envelope_is "jork@shelvacu.com")}
+      ${pure_flags [ "patreon" "not-spamish" ] (envelope_is "patreon@shelvacu.com")}
+      ${pure_flags
+        [ "patreon-post" "B.subscriptions" ]
+        [
+          (has_flag "patreon")
+          (header_is "X-Mailgun-Tag" "template_newsletterpostcontrol")
+        ]
+      }
+      ${pure_flags
+        [ "patreon-free-member-digest" "D" ]
+        [
+          (has_flag "patreon")
+          (header_is "X-Mailgun-Tag" "template_freememberdigest")
+        ]
+      }
+      ${pure_flags
+        [ "patreon-other" "B" ]
+        [
+          (has_flag "patreon")
+          (not (has_flag "patreon-post"))
+          (not (has_flag "patreon-free-member-digest"))
+        ]
+      }
+      ${pure_flags [ "rsb" "B" ] (from_is "support@rapidseedbox.com")}
+      ${pure_flags [ "fresh-avocado-dis8" "D" ] (envelope_is "fresh.avocado@dis8.net")}
+      ${pure_flags [ "discord" "A" ] (envelope_matches "discord@*")}
+      ${pure_flags [ "za-sa" "D" ] (from_matches [
+        "*@*.sa.com"
+        "*@*.za.com"
+      ])}
+      ${pure_flags [ "localdomain" "D" ] (from_matches [
+        "*@*.local"
+        "*@*.localdomain"
+      ])}
+      ${pure_flags [ "helium" "D" ] (envelope_is "creepyface@dis8.net")}
+      ${pure_flags [ "sharkmood" "C" ] (envelope_is "sharkmood@dis8.net")}
+      ${pure_flags [ "im-not-district-158" "D" ] (envelope_is [
+        "khamar.anderson@dis8.net"
+        "pbooth@dis8.net"
+        "sgaylor@dis8.net"
+      ])}
+      ${pure_flags [ "next-level-burger" "D" ] (header_matches "From" "*Next Level Burger*")}
+      ${pure_flags [ "lyft" "D" ] (envelope_is "lyft@shelvacu.com")}
+      ${pure_flags [ "coursera" "D" ] (from_matches "*.*.coursera.org")}
+      ${pure_flags [ "taskrabbit" "D" ] (envelope_is "taskrabbit@shelvacu.com")}
+      ${pure_flags [ "subscribestar_code" "A" ] (allof [
+        (envelope_is "subscribestar@shelvacu.com")
+        (subject_is "Your authentication code")
+      ])}
+      ${pure_flags "itch-io" (from_is "postmaster@itch.io")}
+      ${pure_flags
+        [ "itch-io-update" "B.subscriptions" ]
+        [
+          (has_flag "itch-io")
+          (subject_matches "[itch.io] * update *")
+        ]
+      }
+      ${pure_flags
+        [ "lowering-the-bar" "B.subscriptions" ]
+        [
+          (envelope_is "ltb@shelvacu.com")
+        ]
+      }
+      ${pure_flags [ "hotels-com" "D" ] (from_matches [
+        "hotels.com"
+        "*.hotels.com"
+      ])}
+
+      ${pure_flags
+        [ "spamish-by-headers" "C" ]
+        [
+          (anyof [
+            (header_is "Precedence" "bulk")
+            (exists "List-Unsubscribe")
+            (exists "List-Unsubscribe-Post")
+          ])
+          (not (has_flag "not-spamish"))
+        ]
+      }
+
+      if hasflag "agora" {
+        ${fileinto "M.agora"}
+      } elsif hasflag "postgres-list" {
+        ${fileinto "M.postgres"}
+      } elsif hasflag "D" {
+        ${fileinto "D"}
+      } elsif hasflag "C" {
+        ${fileinto "C"}
+      } elsif hasflag "A" {
+        ${fileinto "A"}
+      } elsif hasflag "B.subscriptions" {
+        ${fileinto "B.subscriptions"}
+      } else {
+        ${fileinto "B"}
+      }
+    }
+    # disable any sieve scripts that might want to run after this one
+    stop;
+  '';
+  pigeonhole_pkg = pkgs.dovecot_pigeonhole;
+in
+{
+  imports = [
+    # Allow running a sieve filter when a message gets moved to another folder in imap
+    # see https://doc.dovecot.org/2.3/configuration_manual/sieve/plugins/imapsieve/
+    {
+      services.dovecot2 = {
+        sieve.plugins = [ "sieve_imapsieve" ];
+        mailPlugins.perProtocol.imap.enable = [ "imap_sieve" ];
+      };
+    }
+  ];
+  options.vacu.checkSieve = lib.mkOption {
+    readOnly = true;
+    default = pkgs.writeScriptBin "check-liam-sieve" ''
+      set -xev
+      ${lib.escapeShellArgs [
+        (lib.getExe' pigeonhole_pkg "sieve-test")
+        "-c"
+        config.services.dovecot2.configFile
+        "-C" # force compilation
+        "-D" # enable sieve debugging
+        "-f"
+        "some-rando@example.com"
+        "-a"
+        "shelvacu@liam.dis8.net"
+        config.services.dovecot2.sieve.scripts.before
+        "/dev/null"
+      ]}
+    '';
+    defaultText = "check-liam-sieve package";
+  };
+  options.vacu.liam-sieve-script = lib.mkOption {
+    readOnly = true;
+    default = pkgs.writeText "mainsieve" sieve_text;
+    defaultText = "mainsieve text package";
+  };
+  config = {
+    vacu.packages = [ pigeonhole_pkg ];
+    services.dovecot2.sieve = {
+      extensions = [
+        "fileinto"
+        "mailbox"
+        "editheader"
+        "vnd.dovecot.debug"
+      ];
+      scripts.before = config.vacu.liam-sieve-script;
+    };
+    services.dovecot2.imapsieve.mailbox = [
+      {
+        name = "*";
+        causes = [
+          "APPEND"
+          "COPY"
+          "FLAG"
+        ];
+        before = config.vacu.liam-sieve-script;
+      }
+    ];
+    # services.dovecot2.mailboxes."magic-refilter".auto = "create";
+  };
+}

hosts/liam/sops.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  vacuModules,
+  ...
+}:
+{
+  imports = [ vacuModules.sops ];
+
+  config.sops = {
+    secrets.dovecot-passwd = {
+      restartUnits = [ "dovecot2.service" ];
+    };
+    secrets.dkim_key = {
+      name = "dkimkeys/2024-03-liam.private";
+      restartUnits = [ "opendkim.service" ];
+      owner = config.services.opendkim.user;
+    };
+    secrets.relay_creds = {
+      restartUnits = [ "postfix.service" ];
+      owner = config.services.postfix.user;
+    };
+  };
+}

hosts/lp0/default.nix

@@ -1,8 +1,6 @@
 { config, pkgs, ... }:
 {
-  imports = [
-    ./hardware-config.nix
-  ];
+  imports = [ ./hardware-config.nix ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
@@ -39,7 +37,6 @@
     pciutils
     ncdu
     nix-index
-    git
   ];
 
   # This value determines the NixOS release from which the default
@@ -52,11 +49,6 @@
 
   services.openssh.enable = true;
 
-  # system.autoUpgrade.enable = true;
-  # system.autoUpgrade.allowReboot = true;
-  # system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
-
-  nixpkgs.config.allowUnfree = true;
   services.zerotierone = {
     enable = true;
     joinNetworks = [ "1d719394047b32ae" ];
@@ -67,11 +59,4 @@
 
   # Disable wifi card; This is sitting directly under a router and I don't want to cause interference.
   boot.blacklistedKernelModules = [ "iwlwifi" ];
-
-  # networking.nat = {
-  #   enable = true;
-  #   externalInterface = "enp2s0";
-  #   internalIPs = [ "192.168.192.0/24" ];
-  #   internalInterfaces = [ "ztrf26rjvk" ];
-  # };
 }

hosts/lp0/hardware-config.nix

@@ -1,13 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}:
+{ lib, modulesPath, ... }:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
@@ -31,6 +25,7 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/36B4-78A2";
     fsType = "vfat";
+    options = [ "nofail" ];
   };
 
   swapDevices = [ ];