stuff

Reviewed-on: #1

.gitignore

@@ -1,2 +1,6 @@
-/result
+result
+result-*
+/.generated
 .nixos-test-history
+/packages/vacu-history/target/
+/packages/altcaps/target/

.sops.yaml

@@ -1,40 +0,0 @@
-shel_keys: &shel_keys
-  - &a age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
-  - &b age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
-  - &c age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
-  - &d age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
-  - &e age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
-  - &f age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
-  - &g age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
-  - &h age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
-  - &i age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
-  - &j age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
-  - &k age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
-machine_host_keys:
-  - &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
-  - &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
-  - &liam age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
-the_test_key: &test_key age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w
-creation_rules:
-  - path_regex: secrets/[^/]+$
-    key_groups:
-    - age: *shel_keys
-  - path_regex: ^secrets/liam/
-    key_groups:
-    - age:
-      - *a
-      - *b
-      - *c
-      - *d
-      - *e
-      - *f
-      - *g
-      - *h
-      - *i
-      - *j
-      - *k
-      - *liam
-  - path_regex: ^tests/test_secrets/
-    key_groups:
-    - age:
-      - *test_key

README.md

@@ -1,31 +1,31 @@
-more just notes for now
-
----
-
-deploy:
-
-```sh
-nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
-```
-
----
-
-build flake on remote machine, including eval:
-
-```sh
-git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
-```
-
----
-
-search for string in closure
-
-```sh
-rg search_str $(nix path-info --recursive ./result)
-```
-
-or
-
-```sh
-rg search_str $(nix path-info --recursive .#qb.trip)
-```
+more just notes for now
+
+---
+
+deploy:
+
+```sh
+nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
+```
+
+---
+
+build flake on remote machine, including eval:
+
+```sh
+git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
+```
+
+---
+
+search for string in closure
+
+```sh
+rg search_str $(nix path-info --recursive ./result)
+```
+
+or
+
+```sh
+rg search_str $(nix path-info --recursive .#qb.trip)
+```

archive.nix

@@ -0,0 +1,42 @@
+{
+  self,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ignoreList = [
+    "iso"
+    "host-pxe-installer"
+    "host-pxe-installer-aarch64"
+    "pxe-initrd"
+  ];
+  # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
+  isoContentsStr = lib.concatStringsSep "\n" (
+    map (
+      c: "${c.source} => ${c.target}"
+    ) self.nixosConfigurations.shel-installer-iso.config.isoImage.contents
+  );
+  isoContents = pkgs.writeText "iso-contents" isoContentsStr;
+  pxeConfig = self.nixosConfigurations.shel-installer-pxe.config;
+  pxeContents = pkgs.linkFarm "pxe-initrd-contents" {
+    inherit (pxeConfig.boot.initrd) compressor;
+    inherit (pxeConfig.system.build) initialRamdisk;
+    storeContents = pkgs.linkFarmFromDrvs "store-contents" pxeConfig.netboot.storeContents;
+  };
+  extraBuilds = { inherit isoContents pxeContents; };
+  buildListWithout = builtins.filter (v: !builtins.elem v ignoreList) (
+    builtins.attrNames self.buildList
+  );
+  allBuilds = self.buildList // extraBuilds;
+in
+rec {
+  archiveList = map (name: {
+    inherit name;
+    broken = builtins.elem name self.brokenBuilds;
+    impure = builtins.elem name self.impureBuilds;
+  }) (buildListWithout ++ builtins.attrNames extraBuilds);
+
+  drvs = allBuilds;
+  buildDepsDrvs = builtins.mapAttrs (_: v: pkgs.closureInfo { rootPaths = [ v.drvPath ]; }) drvs;
+}

check-eval.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+source shellvaculib.bash
+
+svl_exact_args $# 0
+svl_assert_probably_in_script_dir
+
+declare -a nix_eval=(
+  nix eval
+  --show-trace
+)
+
+declare -a hosts=(
+  triple-dezert
+  compute-deck
+  liam
+  lp0
+  #skip shel-installer-*
+  fw
+  legtop
+  mmm
+  prophecy
+)
+
+set -x
+
+"${nix_eval[@]}" --impure ".#.nixOnDroidConfigurations.default.activationPackage"
+
+for host in "${hosts[@]}"; do
+  "${nix_eval[@]}" ".#.nixosConfigurations.${host}.config.system.build.toplevel"
+done

common/acmeDependencies.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  utils,
+  vacuModuleType,
+  ...
+}:
+let
+  for-systemd-services = lib.concatMapAttrs (cert: units: {
+    "acme-selfsigned-${cert}" = {
+      wantedBy = units;
+      before = units;
+    };
+  }) config.vacu.acmeCertDependencies;
+  for-security-acme-certs = lib.concatMapAttrs (cert: units: {
+    ${cert}.reloadServices = units;
+  }) config.vacu.acmeCertDependencies;
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.acmeCertDependencies = lib.mkOption {
+    default = { };
+    example = ''
+      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
+    '';
+    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
+  };
+  config = {
+    systemd.services = for-systemd-services;
+    security.acme.certs = for-security-acme-certs;
+  };
+}

common/assertions.nix

@@ -0,0 +1,51 @@
+{
+  lib,
+  vacuModuleType,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types filter;
+  fatalAssertions = map (x: x.message) (filter (x: !x.assertion && x.fatal) config.vacu.assertions);
+  triggeredWarnings = map (x: x.message) (
+    filter (x: !x.assertion && !x.fatal) config.vacu.assertions
+  );
+  withAsserts =
+    x:
+    if fatalAssertions != [ ] then
+      throw ''
+
+        Failed assertions:
+        ${lib.concatStringsSep "\n" (map (x: "- ${x}") fatalAssertions)}''
+    else
+      lib.showWarnings triggeredWarnings x;
+
+  adapter = {
+    config = {
+      assertions = map (x: { inherit (x) assertion message; }) (
+        filter (x: x.fatal) config.vacu.assertions
+      );
+      warnings = triggeredWarnings;
+    };
+  };
+in
+{
+  imports = lib.optional (vacuModuleType != "plain") adapter;
+  options.vacu.assertions = mkOption {
+    default = [ ];
+    type = types.listOf (
+      types.submodule {
+        options.assertion = mkOption { type = types.bool; };
+        options.message = mkOption { type = types.str; };
+        options.fatal = mkOption {
+          type = types.bool;
+          default = true;
+        };
+      }
+    );
+  };
+  options.vacu.withAsserts = mkOption {
+    readOnly = true;
+    default = withAsserts;
+  };
+}

common/checks.nix

@@ -0,0 +1,29 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib) types;
+in
+{
+  options.vacu.checks = lib.mkOption {
+    type = types.attrsOf types.package;
+    default = { };
+  };
+  options.vacu.textChecks = lib.mkOption {
+    type = types.attrsOf types.lines;
+    default = { };
+  };
+  config.vacu.checks = lib.mapAttrs (
+    name: lines:
+    pkgs.runCommand "vacu-textChecks-${name}" { } ''
+      (
+        set -xev
+        ${lines}
+        touch "$out"
+      )
+    ''
+  ) config.vacu.textChecks;
+}

common/common-but-not.nix

@@ -1,9 +1,17 @@
 # todo: rename this module
 # stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
-{ inputs, ... }:
 {
-  nix.registry.vacu.to = {
-    type = "path";
-    path = inputs.self.outPath;
+  inputs,
+  vacuModuleType,
+  config,
+  lib,
+  ...
+}:
+lib.optionalAttrs (vacuModuleType != "plain") {
+  nix.registry = lib.mkIf (!config.vacu.isMinimal) {
+    vacu.to = {
+      type = "path";
+      path = inputs.self.outPath;
+    };
   };
 }

common/default.nix

@@ -0,0 +1,125 @@
+{
+  config,
+  lib,
+  inputs,
+  vacuModuleType,
+  vacuModules,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  inherit (inputs) self;
+  expectedModuleTypes = [
+    "nixos"
+    "nix-on-droid"
+    "plain"
+  ];
+  anyRev = attrs: toString (attrs.rev or attrs.dirtyRev or "unk");
+  anyShortRev = attrs: toString (attrs.shortRev or attrs.dirtyShortRev or "unk");
+in
+if !builtins.elem vacuModuleType expectedModuleTypes then
+  builtins.throw "error: unrecognized vacuModuleType ${builtins.toString vacuModuleType}"
+else
+  {
+    imports = [
+      vacuModules.packageSet
+      vacuModules.systemKind
+      ../dns
+
+      ./acmeDependencies.nix
+      ./assertions.nix
+      ./checks.nix
+      ./common-but-not.nix
+      ./git.nix
+      ./hosts.nix
+      ./hpn.nix
+      ./lix.nix
+      ./minimal-nixos.nix
+      ./nixos.nix
+      ./nixos-rebuild.nix
+      ./nixvim.nix
+      ./nix.nix
+      ./nix-on-droid.nix
+      ./packages.nix
+      ./remapCapsLock.nix
+      ./shell
+      ./sops.nix
+      ./sourceTree.nix
+      ./staticNames.nix
+      ./units-config.nix
+      ./units-impl.nix
+      ./verify-system
+      ./thunderbird.nix
+    ];
+    options = {
+      vacu.rootCAs = mkOption { type = types.listOf types.str; };
+      vacu.versionId = mkOption {
+        type = types.str;
+        readOnly = true;
+      };
+      vacu.versionInfo = mkOption { readOnly = true; };
+      vacu.hostName = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      vacu.shortHostName = mkOption {
+        type = types.nullOr types.str;
+        default = config.vacu.hostName;
+        defaultText = "{option}`vacu.hostName`";
+      };
+      vacu.vnopnCA = mkOption {
+        readOnly = true;
+        type = types.str;
+      };
+    };
+    config = {
+      vacu.versionId = "${anyShortRev self}-${self.lastModifiedDate or "unk"}";
+      vacu.versionInfo =
+        {
+          rev = anyRev self;
+          inherit (self) lastModified lastModifiedDate;
+          inherit (config.vacu) versionId;
+          inherit vacuModuleType;
+          inputRevs = lib.mapAttrs (_: v: anyRev v) inputs;
+        }
+        // lib.optionalAttrs (!config.vacu.isMinimal) {
+          flakePath = self.outPath;
+          inherit inputs;
+        };
+
+      vacu.nix.caches.vacu = {
+        url = "https://nixcache.shelvacu.com/";
+        keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
+      };
+      vacu.nix.caches.nix-community = {
+        url = "https://nix-community.cachix.org/";
+        keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+        enable = false;
+      };
+      vacu.nix.caches.nix-on-droid = {
+        url = "https://nix-on-droid.cachix.org/";
+        keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
+        enable = false;
+      };
+      vacu.nix.caches.nixos = {
+        url = "https://cache.nixos.org/";
+        keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+      };
+      vacu.vnopnCA = ''
+        -----BEGIN CERTIFICATE-----
+        MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
+        A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
+        MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
+        hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
+        AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
+        MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
+        BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
+        CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
+        AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
+        -----END CERTIFICATE-----
+      '';
+      vacu.rootCAs = [ config.vacu.vnopnCA ];
+
+      vacu.ssh.authorizedKeys = import inputs.vacu-keys;
+    };
+  }

common/desktopApps.nix

@@ -0,0 +1,5 @@
+{ lib, vacuModuleType, ... }:
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.desktopApps = lib.mkEnableOption "asdf";
+  #todo
+}

common/git.nix

@@ -0,0 +1,58 @@
+{ lib, config, vacuModules, ... }:
+{
+  imports = [ vacuModules.git ];
+
+  vacu.git.enable = lib.mkDefault config.vacu.isDev;
+  vacu.git.config = {
+    init.defaultBranch = "master";
+    pull.rebase = false;
+    user.name = "Shelvacu";
+    user.email = "git@shelvacu.com";
+    author.name = "Shelvacu";
+    author.email = "git@shelvacu.com";
+    committer.name = "Shelvacu on ${config.vacu.hostName}";
+    committer.email = "git@shelvacu.com";
+    user.useConfigOnly = true;
+    checkout.workers = 0;
+    # "We *could* use atomic writes, but those are slowwwwww! Are you sure?????" - git, still living in the 90s
+    # Yes git, I'm sure
+    core.fsync = "all";
+    diff.mnemonicPrefix = true;
+    gc.reflogExpire = "never";
+    gc.reflogExpireUnreachable = "never";
+
+    url."https://github.com/".insteadOf = [
+      "hgh:"
+      "github-http:"
+      "github-https:"
+    ];
+    url."git@github.com:".insteadOf = [
+      "sgh:"
+      "gh:"
+      "github-ssh:"
+    ];
+    url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
+    url."https://gitlab.com/".insteadOf = [
+      "hgl:"
+      "gitlab-http:"
+      "gitlab-https:"
+    ];
+    url."git@gitlab.com:".insteadOf = [
+      "sgl:"
+      "gl:"
+      "gitlab-ssh:"
+    ];
+    url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
+    url."https://git.uninsane.org/".insteadOf = [
+      "hu:"
+      "uninsane-http:"
+      "uninsane-https:"
+    ];
+    url."git@git.uninsane.org:".insteadOf = [
+      "u:"
+      "su:"
+      "uninsane-ssh"
+    ];
+    url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
+  };
+}

common/home.nix

@@ -1,7 +1,4 @@
 { ... }:
-let
-
-in
 {
   imports = [ ./common-but-not.nix ];
 }

common/hosts.nix

@@ -0,0 +1,155 @@
+{ lib, vacuModules, ... }:
+{
+  imports = [
+    vacuModules.knownHosts
+    vacuModules.ssh
+  ];
+
+  vacu.hosts = {
+    #public hosts
+    "github.com".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+    "gitlab.com".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+    "git.sr.ht".sshKeys =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+    "sdf.org" = {
+      sshHostname = "tty.sdf.org";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
+    };
+    "rsn" = {
+      altNames = [
+        "rsyncnet"
+        "rsync.net"
+      ];
+      sshUsername = "fm2382";
+      sshHostname = "fm2382.rsync.net";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdUkGe6kKn5ssz4WRZKjcws0InbQqZayenzk9obmP1z";
+    };
+
+    #colin's stuff
+    "servo" = {
+      altNames = [
+        "git.uninsane.org"
+        "uninsane.org"
+      ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+    };
+    "desko" = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+    };
+
+    #daymocker's stuff
+    "pluto" = {
+      sshHostname = "pluto.somevideogam.es";
+      primaryIp = "74.208.184.137";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
+    };
+
+    #powerhouse hosts
+    "ostiary" = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
+    };
+    "habitat" = {
+      # previously known as zigbee-hub
+      primaryIp = "10.78.79.114";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
+    };
+    "vnopn" = {
+      primaryIp = "10.78.79.1";
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
+    };
+
+    #personal hosts
+    triple-dezert = {
+      altNames = [
+        "trip"
+        "trip.shelvacu.com"
+        "triple-dezert.shelvacu.com"
+      ];
+      sshAliases = [ "trip" ];
+      primaryIp = "172.83.159.53";
+      altIps = [ "10.78.79.237" ];
+      isLan = true;
+      sshPort = 6922;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
+    };
+    prophecy = {
+      altNames = [
+        "prop"
+        "prop.shelvacu.com"
+        "prophecy.shelvacu.com"
+      ];
+      sshAliases = [ "prop" ];
+      primaryIp = "205.201.63.13";
+      altIps = [ "10.78.79.22" ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPmy1+1CL6mLbp0IfRTLwsVdjKmw5u0kbQqHin8oXMq";
+    };
+    servacu = {
+      altNames = [
+        "mail.dis8.net"
+        "servacu.shelvacu.com"
+      ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
+    };
+    finaltask = {
+      altNames = [
+        "rsb"
+        "finaltask.xyz"
+      ];
+      sshAliases = [ "rsb" ];
+      primaryIp = "45.87.250.193";
+      sshPort = 2222;
+      sshUsername = "user";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
+    };
+    compute-deck = {
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
+    };
+    "2esrever" = {
+      altIps = [
+        "10.4.5.218"
+        "10.244.46.71"
+      ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
+    };
+    awoo = {
+      primaryIp = "45.142.157.71";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
+    };
+    deckvacu = {
+      sshUsername = "deck";
+      sshKeys = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
+    };
+    liam = {
+      altNames = [ "liam.dis8.net" ];
+      primaryIp = "178.128.79.152";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
+    };
+    fw = {
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
+    };
+    legtop = {
+      altNames = [ "lt" ];
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
+    };
+    mmm = {
+      primaryIp = "10.78.79.11";
+      isLan = true;
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
+    };
+    solis = {
+      altNames = [ "solis.dis8.net" ];
+      primaryIp = "89.213.174.171";
+      # altIps = [ "2a0f:9400:7e11:cd44:0000:0000:0000:0001" ];
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhFKmRMfk+4Xx96Jwt6S9/ikC0cm4ukeO8hjpZDj+9n";
+    };
+  };
+}

common/hpn.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
+{
+  # options.vacu.ssh-hpn.enable = lib.mkEnableOption "openssh hpn";
+}
+// lib.optionalAttrs (vacuModuleType == "nixos") {
+  # config.nixpkgs.overlays = [ (old: new: {
+  #   openssh-without-hpn = old.openssh;
+  #   openssh = if config.vacu.ssh-hpn.enable then new.openssh_hpn else new.openssh-without-hpn;
+  # }) ];
+}

common/lix.nix

@@ -0,0 +1,7 @@
+{ vacuModuleType, ... }:
+if vacuModuleType == "nixos" then
+  {
+    # imports = [ inputs.lix-module.nixosModules.default ];
+  }
+else
+  { }

common/minimal-nixos.nix

@@ -0,0 +1,53 @@
+{
+  config,
+  pkgs,
+  lib,
+  vacuModuleType,
+  inputs,
+  ...
+}:
+let
+  inherit (lib) mkIf mkDefault;
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  config = mkIf config.vacu.isMinimal {
+    programs.git.lfs.enable = false;
+    programs.git.package = pkgs.gitMinimal;
+
+    nix.registry.nixpkgs.to = lib.mkForce {
+      type = "github";
+      owner = "NixOS";
+      repo = "nixpkgs";
+      rev = inputs.nixpkgs.rev;
+    };
+    # mostly copied from nixos's /profiles/minimal.nix
+    documentation.enable = mkDefault false;
+
+    documentation.doc.enable = mkDefault false;
+
+    documentation.info.enable = mkDefault false;
+
+    documentation.man.enable = mkDefault false;
+
+    documentation.nixos.enable = mkDefault false;
+
+    # Perl is a default package.
+    environment.defaultPackages = mkDefault [ ];
+
+    environment.stub-ld.enable = false;
+
+    # The lessopen package pulls in Perl.
+    programs.less.lessopen = mkDefault null;
+
+    programs.command-not-found.enable = mkDefault false;
+
+    services.logrotate.enable = mkDefault false;
+
+    services.udisks2.enable = mkDefault false;
+
+    xdg.autostart.enable = mkDefault false;
+    xdg.icons.enable = mkDefault false;
+    xdg.mime.enable = mkDefault false;
+    xdg.sounds.enable = mkDefault false;
+  };
+}

common/module.nix

@@ -1,292 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  inputs,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-  inherit (inputs) self;
-in
-{
-  imports = [
-    ./package-set.nix
-    ./shell
-    ./ssh.nix
-    ./nix.nix
-    ./verify-system
-  ];
-  options = {
-    vacu.rootCAs = mkOption { type = types.listOf types.str; };
-    vacu.versionId = mkOption {
-      type = types.str;
-      readOnly = true;
-    };
-    vacu.versionInfo = mkOption { readOnly = true; };
-    vacu.hostName = mkOption { type = types.str; };
-    vacu.shortHostName = mkOption {
-      type = types.str;
-      default = config.vacu.hostName;
-    };
-    vacu.nixvimPkg = mkOption { readOnly = true; };
-  };
-  config = {
-    vacu.packages =
-      (with pkgs; [
-        home-manager
-        nixos-rebuild
-        which
-        nano
-        vim
-        wget
-        screen
-        tmux
-        lsof
-        htop
-        mosh
-        dnsutils
-        iperf3
-        nmap
-        rsync
-        ethtool
-        sshfs
-        ddrescue
-        pciutils
-        ncdu
-        nix-index
-        git
-        pv
-        unzip
-        file
-        ripgrep
-        jq
-        units
-        tree
-        rclone
-        iputils
-        ssh-to-age
-        sops
-        inetutils
-        neovim
-        diffutils
-        findutils
-        utillinux
-        tzdata
-        hostname
-        man
-        gnugrep
-        gnused
-        gnutar
-        bzip2
-        gzip
-        xz
-        zip
-        unzip
-        openssh
-        dig
-        bash
-        termscp
-        usbutils
-        ruby
-        psutils
-        killall
-        git
-        curl
-      ])
-      ++ [
-        inputs.nix-search-cli.packages.${pkgs.system}.default
-        inputs.nix-inspect.packages.${pkgs.system}.default
-      ];
-    vacu.nixvimPkg = inputs.nixvim.legacyPackages.${pkgs.system}.makeNixvimWithModule {
-      extraSpecialArgs = {
-        inherit inputs;
-      };
-      module = {
-        imports = [ ../nixvim ];
-      };
-    };
-    vacu.versionId = toString (self.shortRev or self.dirtyShortRev);
-    vacu.versionInfo = {
-      id = self.rev or self.dirtyRev;
-      flakePath = self.outPath;
-      inherit inputs; # inputs = lib.mapAttrs (i: i.outPath) inputs;
-    };
-    vacu.nix.caches.nixcache-shelvacu = {
-      url = "https://nixcache.shelvacu.com/";
-      keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
-    };
-    vacu.nix.caches.nix-community = {
-      url = "https://nix-community.cachix.org/";
-      keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
-    };
-    vacu.nix.caches.nix-on-droid = {
-      url = "https://nix-on-droid.cachix.org/";
-      keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
-    };
-    vacu.nix.caches.nixos = {
-      url = "https://cache.nixos.org/";
-      keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
-    };
-    vacu.rootCAs = [
-      ''
-        -----BEGIN CERTIFICATE-----
-        MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
-        A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
-        MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
-        hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
-        AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
-        MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
-        BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
-        CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
-        AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
-        -----END CERTIFICATE-----
-      ''
-    ];
-
-    vacu.ssh.authorizedKeys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
-    ];
-    vacu.ssh.config = ''
-      Host deckvacu
-        User deck
-
-      Host rsb
-        User user
-        HostName finaltask.xyz
-        Port 2222
-
-      Host awoo
-        HostName 45.142.157.71
-
-      Host trip
-        HostName trip.shelvacu.com
-        Port 6922
-
-      Host liam
-        HostName 178.128.79.152
-
-      Host pluto
-        HostName pluto.somevideogam.es
-
-      Host *
-        User shelvacu
-        GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
-    '';
-
-    vacu.ssh.knownHosts = {
-      #public hosts
-      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-      "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
-
-      #colin's stuff
-      "uninsane.org" = {
-        extraHostNames = [ "git.uninsane.org" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-      };
-      "desko" = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-      };
-
-      #daymocker's stuff
-      "pluto" = {
-        extraHostNames = [ "74.208.184.137" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
-      };
-
-      #powerhouse hosts
-      "ostiary" = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
-      };
-      "habitat" = {
-        # previously known as zigbee-hub
-        extraHostNames = [ "10.78.79.114" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
-      };
-      "vnopn" = {
-        extraHostNames = [
-          "10.78.79.1"
-          "vnopn.t2d.lan"
-        ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
-      };
-
-      #work laptop
-      "tebbs-MBP" = {
-        extraHostNames = [ "10.244.10.3" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
-      };
-
-      #personal hosts
-      trip = {
-        extraHostNames = [
-          "triple-dezert"
-          "trip.shelvacu.com"
-          "[trip.shelvacu.com]:6922"
-        ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
-      };
-      servacu = {
-        extraHostNames = [
-          "mail.dis8.net"
-          "servacu.shelvacu.com"
-        ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
-      };
-      finaltask = {
-        extraHostNames = [
-          "rsb"
-          "finaltask.xyz"
-          "[finaltask.xyz]:2222"
-        ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
-      };
-      compute-deck = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
-      };
-      "2esrever" = {
-        extraHostNames = [
-          "10.4.5.218"
-          "10.244.46.71"
-        ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
-      };
-      awoo = {
-        extraHostNames = [ "45.142.157.71" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
-      };
-      deckvacu = {
-        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
-      };
-      liam = {
-        extraHostNames = [
-          "liam.dis8.net"
-          "178.128.79.152"
-        ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
-      };
-      devver = {
-        extraHostNames = [
-          "devver.t2d.lan"
-          "10.78.79.10"
-        ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
-      };
-      fw = {
-        extraHostNames = [ "fw.t2d.lan" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
-      };
-    };
-  };
-}

common/nix-command-extensions/default.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}

common/nix-command-extensions/nix.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# replaceme START
+declare -A cache_to_url
+cache_to_url["foo"]="https://example.com/some-nix-cache"
+
+declare -a caches_to_use=("foo")
+
+declare nixCmd="foo"
+# replaceme END
+
+declare -a preArgs
+declare -a passThruArgs
+cache_name=""
+function valid_cache_name() {
+  cache_name="$1"
+  if [[ $cache_name == -* ]]; then
+    echo "invalid cache name" >&2
+    exit 1
+  fi
+}
+while [[ -n $1 ]]; do
+  arg="$1"
+  shift
+  case "$arg" in
+  "--without-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use=("${caches_to_use[@]/$cache_name/}")
+    ;;
+  "--with-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use+=("$cache_name")
+    ;;
+  "--only-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use=("$cache_name")
+    ;;
+  "--on-trip")
+    if [[ $HOSTNAME == "triple-dezert" ]]; then
+      echo "Warn: skipping --on-trip: already on trip" >&2
+    else
+      passThruArgs+=("--builders" "ssh://trip x86_64-linux,aarch64-linux" "--max-jobs" "0" "--option" "builders-use-substitutes" "true")
+    fi
+    ;;
+  "--")
+    passThruArgs+=("$arg" "$@")
+    break
+    ;;
+  *)
+    passThruArgs+=("$arg")
+    ;;
+  esac
+done
+
+declare -a substituters
+for c in "${caches_to_use[@]}"; do
+  url="${cache_to_url["$c"]}"
+  substituters+=("$url")
+done
+
+substituters_together="${substituters[*]}"
+
+preArgs+=("--option" "substituters" "$substituters_together")
+
+exec "$nixCmd" "${preArgs[@]}" "${passThruArgs[@]}"

common/nix-on-droid.nix

@@ -1,20 +1,19 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
 let
   inherit (lib) mkDefault;
 in
-{
-  imports = [
-    ./module.nix
-    ./common-but-not.nix
-  ];
-  environment.packages = config.vacu.packageList;
-  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
+lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
   nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
   nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
   vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
   environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
   environment.etc.profile.text = config.vacu.shell.interactiveLines;
-  environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
+  environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
 
   vacu.hostName = mkDefault "nix-on-droid";
   vacu.shortHostName = mkDefault "nod";

common/nix.nix

@@ -9,7 +9,7 @@ in
     vacu.nix.caches = mkOption {
       type = types.attrsOf (
         types.submodule (
-          { name, ... }:
+          { ... }:
           {
             options = {
               url = mkOption { type = types.str; };
@@ -28,9 +28,7 @@ in
     };
     vacu.nix.substituterUrls = mkOption { readOnly = true; };
     vacu.nix.trustedKeys = mkOption { readOnly = true; };
-    vacu.nix.plainOptions = mkOption { };
   };
   config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
   config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
-  config.vacu.nix.plainOptions.allowUnfree = true;
 }

common/nixos-rebuild.nix

@@ -0,0 +1,23 @@
+{
+  pkgs,
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
+let
+  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package; };
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  system.build.nixos-rebuild = lib.mkForce (
+    pkgs.runCommandLocal "nixos-rebuild-wrapped"
+      {
+        nativeBuildInputs = [ pkgs.makeShellWrapper ];
+        meta.mainProgram = "nixos-rebuild";
+      }
+      ''
+        mkdir -p "$out"/bin
+        makeShellWrapper ${lib.getExe nixos-rebuild} "$out"/bin/nixos-rebuild --add-flags "--use-remote-sudo --use-substitutes"
+      ''
+  );
+}

common/nixos.nix

@@ -2,113 +2,90 @@
   lib,
   pkgs,
   config,
-  inputs,
-  utils,
+  vacuModuleType,
   ...
 }:
-{
-  imports = [
-    ./module.nix
-    ./common-but-not.nix
-    ./verify-system/nixos.nix
-  ];
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  imports = [ ../nixos-modules ];
   options.vacu.underTest = lib.mkOption {
     default = false;
     type = lib.types.bool;
   };
-  options.vacu.acmeCertDependencies = lib.mkOption {
-    default = { };
-    example = ''
-      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
-    '';
-    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
-  };
-  config =
-    let
-      for-systemd-services = lib.concatMapAttrs (cert: units: {
-        "acme-selfsigned-${cert}" = {
-          wantedBy = units;
-          before = units;
-        };
-      }) config.vacu.acmeCertDependencies;
-      for-security-acme-certs = lib.concatMapAttrs (cert: units: {
-        ${cert}.reloadServices = units;
-      }) config.vacu.acmeCertDependencies;
-    in
-    {
-      console = {
-        keyMap = lib.mkDefault "us";
-      };
-      networking.hostName = config.vacu.hostName;
-      vacu.packages."xorg-xev" = {
-        enable = config.services.xserver.enable;
-        package = pkgs.xorg.xev;
-      };
-      environment.systemPackages = config.vacu.packageList;
-      programs.git = {
-        enable = true;
-        lfs.enable = true;
-      };
-      system.nixos.tags = [
-        "vacu${config.vacu.versionId}"
-        config.vacu.hostName
-      ];
-      environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
+  config = {
+    programs.mosh.enable = true;
 
-      i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
-      time.timeZone = "America/Los_Angeles";
-
-      users.users.shelvacu = {
-        openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
-        isNormalUser = true;
-        extraGroups = [ "wheel" ];
-      };
-      systemd.services = for-systemd-services;
-      security.acme.certs = for-security-acme-certs;
-      services.openssh = {
-        # require public key authentication for better security
-        settings.PasswordAuthentication = false;
-        settings.KbdInteractiveAuthentication = false;
-        settings.PermitRootLogin = "prohibit-password";
-      };
-
-      nix.settings.trusted-users = [ "shelvacu" ];
-      security.sudo.wheelNeedsPassword = lib.mkDefault false;
-
-      programs.screen = {
-        screenrc = ''
-                  defscrollback 10000
-                  termcapinfo xterm* ti@:te@
-          	maptimeout 5
-        '';
-      } // (if config.system.nixos.release == "23.11" then { } else { enable = true; });
-
-      programs.tmux.enable = true;
-      programs.tmux.extraConfig = "setw mouse";
-      programs.tmux.clock24 = true;
-
-      nix.settings = {
-        experimental-features = [
-          "nix-command"
-          "flakes"
-        ];
-        substituters = lib.mkForce config.vacu.nix.substituterUrls;
-        extra-substituters = lib.mkForce [ ];
-        trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
-        extra-trusted-public-keys = lib.mkForce [ ];
-      };
-      nixpkgs.config.allowUnfree = lib.mkDefault true;
-
-      programs.mosh.enable = lib.mkDefault true;
-
-      programs.ssh.extraConfig = config.vacu.ssh.config;
-
-      security.pki.certificates = config.vacu.rootCAs;
-
-      # commands.nix
-      environment.pathsToLink = [ "/share/vacufuncs" ];
-      vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
-      programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
-      programs.bash.promptInit = lib.mkForce "";
+    console = {
+      keyMap = lib.mkDefault "us";
     };
+    networking = lib.mkIf (config.vacu.hostName != null) { inherit (config.vacu) hostName; };
+    vacu.packages."xorg-xev" = {
+      enable = config.services.xserver.enable;
+      package = pkgs.xorg.xev;
+    };
+    programs.nix-ld.enable = true;
+    system.nixos.tags = [
+      "vacu${config.vacu.versionId}"
+      config.vacu.hostName
+    ];
+    environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
+    environment.etc."chromium" = lib.mkIf config.vacu.isGui {
+      source = "/run/current-system/sw/etc/chromium";
+    };
+
+    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+    time.timeZone = "America/Los_Angeles";
+
+    users.users.shelvacu = lib.mkIf (!config.vacu.isContainer) {
+      openssh.authorizedKeys.keys = lib.attrValues config.vacu.ssh.authorizedKeys;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+    };
+    services.openssh = {
+      # require public key authentication for better security
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+      settings.PermitRootLogin = "prohibit-password";
+    };
+
+    nix.settings.trusted-users = lib.mkIf (!config.vacu.isContainer) [ "shelvacu" ];
+    security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+    programs.screen = {
+      enable = true;
+      screenrc = ''
+        defscrollback 10000
+        termcapinfo xterm* ti@:te@
+        maptimeout 5
+      '';
+    };
+
+    programs.tmux = lib.mkIf (!config.vacu.isContainer) {
+      enable = true;
+      extraConfig = "setw mouse";
+      clock24 = true;
+    };
+
+    nix.settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+      substituters = lib.mkForce config.vacu.nix.substituterUrls;
+      extra-substituters = lib.mkForce [ ];
+      trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
+      extra-trusted-public-keys = lib.mkForce [ ];
+    };
+
+    security.pki.certificates = config.vacu.rootCAs;
+
+    # commands.nix
+    environment.pathsToLink = [
+      "/share/vacufuncs"
+      "/etc/chromium"
+    ];
+    programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
+    programs.bash.promptInit = lib.mkForce "";
+
+    systemd.services.nix-daemon.serviceConfig.Nice = "10";
+  };
 }

common/nixvim.nix

@@ -0,0 +1,31 @@
+{
+  pkgs,
+  config,
+  inputs,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  nixvim-name = if config.vacu.nixvim.minimal then "nixvim-minimal" else "nixvim";
+in
+{
+  options = {
+    vacu.nixvim.minimal = mkOption {
+      type = types.bool;
+      default = config.vacu.isMinimal;
+    };
+    vacu.nixvimPkg = mkOption {
+      type = types.package;
+      readOnly = true;
+    };
+  };
+  config = {
+    vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.${nixvim-name};
+    vacu.shell.functions = lib.mkIf (!config.vacu.isMinimal) {
+      nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
+      nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
+      nvim = ''nvim-nixvim "$@"'';
+    };
+  };
+}

common/package-set.nix

@@ -1,76 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-  pkgOptions = builtins.attrValues config.vacu.packages;
-  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
-  enabledPkgs = builtins.map (o: o.package) enabledOptions;
-  packagesSetType = types.attrsOf (
-    types.submodule (
-      {
-        name,
-        config,
-        options,
-        ...
-      }:
-      {
-        options = {
-          enable = mkOption {
-            type = types.bool;
-            description = "Will this package be installed (included in environment.systemPackages)";
-          };
-          package = mkOption {
-            type = types.package;
-            default = pkgs.${name};
-            defaultText = "pkgs.${name}";
-          };
-        };
-      }
-    )
-  );
-  packageListToSet = (
-    from:
-    let
-      keyvals = map (
-        val:
-        if builtins.isString val then
-          {
-            name = val;
-            value = {
-              package = pkgs."${val}";
-              enable = lib.mkDefault true;
-            };
-          }
-        else
-          {
-            name = val.name;
-            value = {
-              package = val;
-              enable = lib.mkDefault true;
-            };
-          }
-      ) from;
-    in
-    builtins.listToAttrs keyvals
-  );
-in
-{
-  options = {
-    vacu.packages = mkOption {
-      default = { };
-      type = types.coercedTo (types.listOf (
-        types.either types.str types.package
-      )) packageListToSet packagesSetType;
-    };
-    vacu.packageList = mkOption {
-      type = types.listOf types.package;
-      readOnly = true;
-    };
-  };
-
-  config.vacu.packageList = enabledPkgs;
-}

common/packages.nix

@@ -0,0 +1,263 @@
+{
+  pkgs,
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
+let
+  enableFfmpeg = !config.vacu.isMinimal;
+  enableFfmpegFull = enableFfmpeg && config.vacu.isGui;
+  enableFfmpegHeadless = enableFfmpeg && !config.vacu.isGui;
+  winePkgs = pkgs.wineWow64Packages;
+in
+{
+  vacu.packages = lib.mkMerge [
+    {
+      borgbackup.enable = config.vacu.isDev && (pkgs.system != "aarch64-linux"); # borgbackup build is borken on aarch64
+      ffmpeg-vacu-full = {
+        enable = enableFfmpegFull;
+        package = pkgs.ffmpeg-full;
+        overrides.libbluray = config.vacu.packages.libbluray-all.finalPackage;
+      };
+      ffmpeg-vacu-headless = {
+        enable = enableFfmpegHeadless;
+        package = pkgs.ffmpeg-headless;
+        overrides.libbluray = config.vacu.packages.libbluray-all.finalPackage;
+      };
+      libbluray-all = {
+        package = pkgs.libbluray;
+        overrides = {
+          withJava = true;
+          withAACS = true;
+          withBDplus = true;
+        };
+      };
+      inkscape-all = {
+        package = pkgs.inkscape-with-extensions;
+        # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
+        overrides.inkscapeExtensions = null;
+      };
+      p7zip-unfree = {
+        package = pkgs.p7zip;
+        overrides.enableUnfree = true;
+      };
+      wine.package = winePkgs.waylandFull;
+      wine-fonts.package = winePkgs.fonts;
+      vacu-units.package = config.vacu.units.finalPackage;
+    }
+    (lib.mkIf config.vacu.isGui
+      # just do all the matrix clients, surely one of them will work enough
+      ''
+        cinny-desktop
+        element-call
+        element-desktop
+        fluffychat
+        fractal
+        gomuks
+        gomuks-web
+        # hydrogen has no -desktop version
+        iamb
+        kazv
+        matrix-commander
+        matrix-commander-rs
+        matrix-dl
+        mm
+        neosay
+        nheko
+        pinecone
+        # quaternion # build is borked
+      ''
+    )
+    (lib.mkIf config.vacu.isGui
+      # pkgs for systems with a desktop GUI
+      ''
+        acpi
+        anki
+        audacity
+        arduino-ide
+        bitwarden-desktop
+        brave
+        dino
+        filezilla
+        gamemode
+        gnome-maps
+        gparted
+        ghidra
+        gimp
+        haruna
+        iio-sensor-proxy
+        inkscape-all
+        jellyfin-media-player
+        josm
+        kdePackages.elisa
+        kdePackages.kdenlive
+        libreoffice-qt6-fresh
+        # librewolf
+        linphone
+        merkaartor
+        nextcloud-client
+        obsidian
+        openscad
+        openshot-qt
+        orca-slicer
+        OSCAR
+        prismlauncher
+        shotcut
+        signal-desktop
+        svp
+        # thunderbird #managed thru vacu.programs.thunderbird
+        tremotesf
+        ungoogled-chromium
+        vlc
+        wayland-utils
+        wev
+        wine
+        wine-fonts
+        wireshark
+        wl-clipboard
+      ''
+    )
+    # pkgs for development-ish
+    (lib.mkIf config.vacu.isDev ''
+      cargo
+      clippy
+      gnumake
+      man-pages
+      patchelf
+      python3
+      ruby
+      rustc
+      rust-script
+      shellcheck
+      stdenv.cc
+    '')
+    (lib.mkIf (!config.vacu.isMinimal)
+      # big pkgs for non-minimal systems
+      ''
+        aircrack-ng
+        android-tools
+        bitwarden-cli
+        dmidecode
+        fido2-manage
+        flac
+        hdparm
+        home-manager
+        imagemagickBig
+        kanidm_1_6
+        libsmi
+        man
+        mdadm
+        megatools
+        mercurial #aka hg
+        minicom
+        mkvtoolnix-cli
+        # neovim => see common/nixvim.nix
+        net-snmp
+        nix-index
+        nix-inspect
+        nix-search-cli
+        nix-tree
+        nmap
+        nvme-cli
+        proxmark3
+        rclone
+        ripgrep-all
+        smartmontools
+        tcpdump
+        termscp
+        tshark
+        yt-dlp
+      ''
+    )
+    # pkgs included everywhere
+    ''
+      _7zip
+      altcaps
+      ddrescue
+      dig
+      dnsutils
+      ethtool
+      file
+      # git is handled by common/git.nix
+      gnutls
+      gptfdisk
+      hostname
+      htop
+      inetutils
+      iperf3
+      iputils
+      jq
+      jujutsu
+      killall
+      libossp_uuid # provides `uuid` binary
+      linuxquota
+      lshw
+      lsof
+      mosh
+      nano
+      ncdu
+      netcat-openbsd
+      nixos-rebuild
+      openssl
+      # p7zip-unfree
+      pciutils
+      progress
+      psutils
+      pv
+      ripgrep
+      rsync
+      screen
+      # sed => gnused
+      shellvaculib
+      # sops => should use `nr vacu#sops` instead
+      sshfs
+      ssh-to-age
+      # tar => gnutar
+      tmux
+      tree
+      tzdata
+      # units => vacu-units
+      unzip
+      usbutils
+      vacu-units
+      vim
+      wget
+      zip
+    ''
+    # packages that are in [`requiredPackages`][1]  in nixos, but maybe not included in nix-on-droid
+    # [1]: https://github.com/NixOS/nixpkgs/blob/26d499fc9f1d567283d5d56fcf367edd815dba1d/nixos/modules/config/system-path.nix#L11
+    (lib.optionalAttrs (vacuModuleType == "nix-on-droid") ''
+      #stdenv.cc.libc shouldn't be needed right?
+      acl
+      attr
+      bashInteractive
+      bzip2
+      cpio
+      curl
+      diffutils
+      findutils
+      gawk
+      getent
+      getconf
+      gnugrep
+      gnupatch
+      gnused
+      gnutar
+      gzip
+      less
+      libcap
+      mkpasswd
+      ncurses
+      #netcat is replaced by netcat-openbsd
+      openssh
+      procps
+      su
+      time
+      util-linux
+      which
+      xz
+      zstd
+    '')
+  ];
+}

common/remapCapsLock.nix

@@ -0,0 +1,36 @@
+{
+  pkgs,
+  lib,
+  config,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.enableCapsLockRemap = mkOption {
+    type = types.bool;
+    default = config.vacu.isGui;
+    defaultText = "{option}`vacu.isGui`";
+  };
+  config = lib.mkIf config.vacu.enableCapsLockRemap {
+    # https://discourse.nixos.org/t/best-way-to-remap-caps-lock-to-esc-with-wayland/39707/6
+    services.interception-tools =
+      let
+        itools = pkgs.interception-tools;
+        itools-caps = pkgs.interception-tools-plugins.caps2esc;
+      in
+      {
+        enable = true;
+        plugins = [ itools-caps ];
+        # requires explicit paths: https://github.com/NixOS/nixpkgs/issues/126681
+        udevmonConfig = pkgs.lib.mkDefault ''
+          - JOB: "${itools}/bin/intercept -g $DEVNODE | ${itools-caps}/bin/caps2esc -m 1 | ${itools}/bin/uinput -d $DEVNODE"
+            DEVICE:
+              EVENTS:
+                EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
+        '';
+      };
+  };
+}

common/shell/container-aliases.nix

@@ -0,0 +1,29 @@
+{
+  pkgs,
+  lib,
+  config,
+  vaculib,
+  ...
+}:
+let
+  inherit (vaculib) script;
+in
+{
+  options.vacu.shell.containerAliases = lib.mkEnableOption "container aliases";
+  config = lib.mkIf config.vacu.shell.containerAliases {
+    vacu.packages = [
+      (script "ncrun" ''
+        svl_min_args $# 2
+        svl_auto_sudo
+        container="$1"
+        shift
+        exec ${lib.getExe pkgs.nixos-container} run "$container" -- "$@"
+      '')
+      (script "ncrl" ''
+        svl_exact_args $# 1
+        svl_auto_sudo
+        exec ${lib.getExe pkgs.nixos-container} root-login "$1"
+      '')
+    ];
+  };
+}

common/shell/default.nix

@@ -21,77 +21,172 @@ let
         ${pkgs.stdenv.shellDryRun} "$target"
       '';
     };
-  vacureload = writeShellFunction "vacureload" ''
-    declare -gA vacuShellFunctionsLoaded
-    if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
-      echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
-      for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
-        unset -f $funcname
-      done
-      return
-    fi
-    for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
-      if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
-        unset -f $funcname
-      fi
-    done
-    for fullPath in ${cfg.functionsDir}/*; do
-      local funcname="$(basename "$fullPath")"
-      local followedPath="$(readlink -f "$fullPath")"
-      if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
-        unset -f $funcname
-        eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
-        vacuShellFunctionsLoaded[$funcname]=$followedPath
-      fi
-      unset followedPath
-      unset funcname
-    done
-    __set_idempotents
-  '';
-  set_idempotents = writeShellFunction "__set_idempotents" cfg.idempotentShellLines;
+  functionPackages = lib.mapAttrsToList writeShellFunction cfg.functions;
+  vacuInitFile = pkgs.writeText "vacu.shell.interactiveLines.sh" cfg.interactiveLines;
+  wrappedBashPkg = vaculib.makeWrapper {
+    original = pkgs.bash;
+    new = "vacuinit-bash";
+    prepend_flags = [
+      "--init-file"
+      vacuInitFile
+    ];
+  };
+  wrappedBash = lib.getExe wrappedBashPkg;
 in
 {
   imports = [
     ./not-aliases.nix
     ./ps1.nix
+    ./container-aliases.nix
+    ./vacuhistory.nix
+    ./qcd.nix
   ];
   options = {
-    vacu.shell.functionsDir = mkOption { type = types.path; };
+    vacu.shell.functionsDir = mkOption {
+      type = types.path;
+      default = "/run/current-system/sw/share/vacufuncs";
+    };
     vacu.shell.interactiveLines = mkOption {
       type = types.lines;
-      default = "";
+      readOnly = true;
     };
+    vacu.shell.wrappedBash = mkOption { readOnly = true; };
     vacu.shell.idempotentShellLines = mkOption {
       type = types.lines;
       default = "";
     };
-    vacu.shell.color = mkOption { type = types.enum (builtins.attrNames vaculib.shellColors); };
-  };
-  config = {
-    _module.args.vaculib = {
-      writeShellFunction = writeShellFunction;
-      # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
-      shellColors = {
-        black = 30;
-        red = 31;
-        green = 32;
-        yellow = 33;
-        blue = 34;
-        magenta = 35;
-        cyan = 36;
-        white = 37;
-      };
+    vacu.shell.color = mkOption {
+      type = types.enum (builtins.attrNames vaculib.shellColors);
+      default = "white";
     };
-    vacu.shell.interactiveLines = ''
-      if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
-        function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
-        __vacushell_load
-        unset __vacushell_load
+    vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
+  };
+  config.vacu = {
+    shell.interactiveLines = ''
+      if [[ $- == *i* ]]; then
+        SHELLVACULIB_COMPAT=1 source ${lib.escapeShellArg pkgs.shellvaculib.file}
+        if [[ -f ${cfg.functionsDir}/vacureload ]]; then
+          function __vacushell_load() { eval "$(<${cfg.functionsDir}/vacureload)"; }
+          __vacushell_load
+          unset __vacushell_load
+        fi
       fi
     '';
-    vacu.packages = [
-      vacureload
-      set_idempotents
-    ];
+    shell.wrappedBash = wrappedBash;
+    shell.idempotentShellLines = lib.mkBefore ''
+      PROMPT_COMMAND=()
+      PS0=""
+    '';
+    shell.functions = {
+      "vacureload" = ''
+        declare -gA vacuShellFunctionsLoaded
+        if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
+          echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
+          for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
+            unset -f $funcname
+          done
+          return
+        fi
+        for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
+          if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
+            unset -f $funcname
+          fi
+        done
+        for fullPath in ${cfg.functionsDir}/*; do
+          local funcname="$(basename "$fullPath")"
+          local followedPath="$(readlink -f "$fullPath")"
+          if [[ "''${vacuShellFunctionsLoaded[$funcname]-}" != "$followedPath" ]]; then
+            unset -f $funcname
+            eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(<'$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
+            vacuShellFunctionsLoaded[$funcname]=$followedPath
+          fi
+          unset followedPath
+          unset funcname
+        done
+        __run_idempotents
+        # your idempotent shell lines are idempotent, right?
+        __run_idempotents
+      '';
+      "__run_idempotents" = cfg.idempotentShellLines;
+      vhich = ''
+        if [[ $# != 1 ]]; then
+          echo "expected exactly one arg" 1>&2
+          return 1
+        fi
+        declare query="$1"
+        declare quote='`'"$query'"
+        declare kind="$(type -t -- "$query")"
+        if [[ "$kind" == "" ]]; then
+          echo "could not find any command $quote" 1>&2
+          return 1
+        fi
+        echo "$quote is a $kind"
+        case "$kind" in
+          "alias")
+            alias "$query"
+            return 0
+            ;;
+          "keyword")
+            echo "See https://www.gnu.org/software/bash/manual/html_node/Reserved-Word-Index.html"
+            return 0
+            ;;
+          "function")
+            if [[ -v vacuShellFunctionsLoaded["$query"] ]]; then
+              echo "$quote is a vacufunc"
+              path="''${vacuShellFunctionsLoaded[$query]}"
+              # continue to below
+            else
+              declare -f "$query"
+              return 0
+            fi
+            ;;
+          "builtin")
+            echo "Docs: https://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html#index-$query"
+            return 0
+            ;;
+          "file")
+            path="$(type -p "$query")"
+            # continue to below
+            ;;
+          *)
+            echo 'ERR: unexpected return from `type -t`: '"$kind" 1>&2
+            return 1
+        esac
+        echo "path:"
+        while [[ -L "$path" ]]; do
+          declare dest="$(readlink -- "$path")"
+          echo "  $path is a symlink to $dest"
+          if [[ "$dest" != /* ]]; then
+            dest="$(dirname -- "$path")/$dest"
+          fi
+          path="$dest"
+        done
+        echo "  $path"
+        if ! [[ -e "$path" ]]; then
+          echo "$path does not exist!"
+          return 1
+        fi
+        if ! [[ -x "$path" ]]; then
+          echo "$path is not executable!"
+          return 1
+        fi
+        canon="$(readlink -f -- "$path")"
+        if [[ "$path" != "$canon" ]]; then
+          echo "  $path canonicalizes to $canon"
+          path="$canon"
+        fi
+        magic_parse="$(file --brief --mime -- "$path")"
+        echo "magic: $magic_parse"
+        case "$magic_parse" in
+          'text/x-shellscript;'* | 'text/plain;'*)
+            echo "initial contents:"
+            echo
+            head --lines=10 "$path" | head --bytes=2000
+            echo "..."
+            ;;
+        esac
+      '';
+    };
+    packages = functionPackages;
   };
 }

common/shell/not-aliases.nix

@@ -1,52 +1,226 @@
 # These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
 {
   pkgs,
-  vaculib,
+  lib,
   config,
+  vaculib,
   ...
 }:
 let
-  inherit (pkgs) writeScriptBin;
-  inherit (vaculib) writeShellFunction;
+  inherit (vaculib) script;
+  simple =
+    name: args:
+    let
+      binContents = ''
+        #!${lib.getExe pkgs.bash}
+        exec ${lib.escapeShellArgs args} "$@"'';
+      funcContents = ''
+        declare aliasName=${lib.escapeShellArg name}
+        declare -a replacementWords=(${lib.escapeShellArgs args})
+        declare replacementStr
+        declare oldIFS="$IFS"
+        IFS=' '
+        replacementStr="''${replacementWords[*]}"
+        IFS="$oldIFS"
+        COMP_LINE="''${COMP_LINE/#$aliasName/$replacementStr}"
+        COMP_POINT=$(( COMP_POINT + ''${#replacementStr} - ''${#aliasName} ))
+        COMP_CWORD=$(( COMP_CWORD + ''${#replacementWords[@]} - 1 ))
+        COMP_WORDS=("''${replacementWords[@]}" "''${COMP_WORDS[@]:1}")
+        _comp_command_offset 0
+      '';
+    in
+    pkgs.runCommandLocal "vacu-notalias-simple-${name}"
+      {
+        pname = name;
+        meta.mainProgram = name;
+      }
+      ''
+        mkdir -p "$out"/bin
+        printf '%s' ${lib.escapeShellArg binContents} > "$out"/bin/${name}
+        chmod a+x "$out"/bin/${name}
+        out_base="$(basename -- "$out")"
+        LC_ALL=C
+        completion_function_name="_completion_''${out_base//[^a-zA-Z0-9_]/_}"
+        completion_file="$out"/share/bash-completion/completions/${name}
+        mkdir -p "$(dirname -- "$completion_file")"
+        printf '%s() {\n%s\n}\n' "$completion_function_name" ${lib.escapeShellArg funcContents} > "$completion_file"
+        printf 'complete -F %s %s\n' "$completion_function_name" ${lib.escapeShellArg name} >> "$completion_file"
+      '';
+  ms_text = with_sudo: ''
+    svl_minmax_args $# 1 2
+    host="$1"
+    session_name="''${2:-main}"
+    set -x
+    mosh -- "$host" ${lib.optionalString with_sudo "sudo"} screen -RdS "$session_name"
+  '';
+  systemctl = "${pkgs.systemd}/bin/systemctl";
+  journalctl = "${pkgs.systemd}/bin/journalctl";
 in
 {
+  imports = [ { vacu.packages.copy-altcaps.enable = config.vacu.isGui; } ];
   vacu.packages = [
-    (writeScriptBin "ms" ''
-      set -e
-      if [[ $# != 1 ]]; then
-        echo "wrong number of args" 1>&2
-        exit 1
-      fi
-      set -x
-      mosh -- $1 screen -Rd
+    (script "ms" (ms_text false))
+    (script "mss" (ms_text true))
+    (script "msl" ''
+      svl_exact_args $# 1
+      host="$1"
+      echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
     '')
-    (writeScriptBin "mss" ''
-      set -e
-      if [[ $# != 1 ]]; then
-        echo "wrong number of args" 1>&2
-        exit 1
-      fi
-      set -x
-      mosh -- $1 sudo screen -Rd
-    '')
-    (writeScriptBin "rmln" ''
-      set -eo pipefail
+    (script "rmln" ''
+      svl_min_args $# 1
       for arg in "$@"; do
-        if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
-          echo "$0: $arg is not a symlink" 1>&2
-          exit 1
+        if [[ "$arg" != -* ]] && [[ ! -L "$arg" ]]; then
+          svl_die "$arg is not a symlink"
         fi
       done
       rm "$@"
     '')
-    (writeShellFunction "nd" ''
-      declare -a args
-      args=("$@")
-      mkdir "''${args[@]}" && cd "''${args[-1]}"
+    (script "copy-altcaps" ''
+      result="$(altcaps "$@")"
+      printf '%s' "$result" | wl-copy
+      echo "Copied to clipboard: $result"
+    '')
+    (script "nr" ''
+      # nix run nixpkgs#<thing> -- <args>
+      svl_min_args $# 1
+      installable="$1"
+      shift
+      if [[ "$installable" != *'#'* ]]; then
+        installable="nixpkgs#$installable"
+      fi
+      nix run "$installable" -- "$@"
+    '')
+    (script "nb" ''
+      # nix build nixpkgs#<thing> <args>
+      svl_min_args $# 1
+      installable="$1"
+      shift
+      if [[ "$installable" != *'#'* ]]; then
+        installable="nixpkgs#$installable"
+      fi
+      nix build "$installable" "$@"
+    '')
+    (script "ns" ''
+      # nix shell nixpkgs#<thing>
+      svl_min_args $# 1
+      new_args=( )
+      for arg in "$@"; do
+        if [[ "$arg" != *'#'* ]] && [[ "$arg" != -* ]]; then
+          arg="nixpkgs#$arg"
+        fi
+        new_args+=("$arg")
+      done
+      nix shell "''${new_args[@]}"
+    '')
+    (script "nixview" ''
+      svl_min_args $# 1
+      view_cmd="$1"
+      shift
+      d="$(mktemp -d --suffix=vacu-nixview)"
+      l="$d/out"
+      nix build --out-link "$l" "$@"
+      "$view_cmd" "$l"
+      rm -r "$d"
+    '')
+    (simple "nixcat" [
+      "nixview"
+      "cat"
+    ])
+    (simple "nixless" [
+      "nixview"
+      "less"
+    ])
+    (simple "sc" [ systemctl ])
+    (simple "scs" [
+      systemctl
+      "status"
+      "--lines=20"
+      "--full"
+    ])
+    (simple "scc" [
+      systemctl
+      "cat"
+    ])
+    (simple "scr" [
+      systemctl
+      "restart"
+    ])
+    (simple "jc" [
+      journalctl
+      "--pager-end"
+    ])
+    (simple "jcu" [
+      journalctl
+      "--pager-end"
+      "-u"
+    ])
+    (simple "gs" [
+      "git"
+      "status"
+    ])
+    (script "list-auto-roots" ''
+      auto_roots="/nix/var/nix/gcroots/auto"
+      svl_exact_args $# 0
+      echo "List of auto-added nix gcroots, excluding system profiles:"
+      echo
+      for fn in "$auto_roots/"*; do
+        if ! [[ -L "$fn" ]]; then
+          die "fn is not a symlink!?: $fn"
+        fi
+        pointed="$(readlink -v -- "$fn")"
+        if ! [[ -e "$pointed" ]]; then
+          continue
+        fi
+        if [[ "$pointed" == /nix/var/nix/profiles/system-* ]]; then
+          continue
+        fi
+        printf '%s\n' "$pointed"
+      done
     '')
-    (writeShellFunction "td" ''pushd $(mktemp "$@")'')
-    (writeShellFunction "nvim-plain" ''${pkgs.neovim}/bin/nvim "$@"'')
-    (writeShellFunction "nvim-nixvim" ''${config.vacu.nixvimPkg}/bin/nvim "$@"'')
-    (writeShellFunction "nvim" ''nvim-plain "$@"'')
   ];
+  vacu.shell.functions = {
+    nd = ''
+      svl_min_args $# 1
+      declare -a args=("$@")
+      lastarg="''${args[-1]}"
+      if [[ "$lastarg" == "-"* ]]; then
+        echo "nd: last argument must be the directory" 1>&2
+        return 1
+      fi
+      for arg in "''${args[@]::''${#args[@]}-1}"; do
+        if [[ "$arg" != "-"* ]]; then
+          echo "nd: last argument must be the directory" 1>&2
+          return 1
+        fi
+      done
+      mkdir "''${args[@]}" && cd "''${args[-1]}"
+    '';
+    nt = ''pushd "$(mktemp -d "$@")"'';
+  };
+  vacu.textChecks."vacu-shell-functions-nd" = ''
+    source ${lib.escapeShellArg pkgs.shellvaculib.file}
+    function nd() {
+      ${config.vacu.shell.functions.nd}
+    }
+
+    start=/tmp/test-place
+    mkdir -p $start
+    cd $start
+    nd a
+    [[ "$PWD" == "$start/a" ]]
+    cd $start
+    nd -p b/c
+    [[ "$PWD" == "$start/b/c" ]]
+  '';
+  vacu.textChecks."vacu-shell-functions-nt" = ''
+    source ${lib.escapeShellArg pkgs.shellvaculib.file}
+    function nt() {
+      ${config.vacu.shell.functions.nt}
+    }
+    start=$PWD
+    nt
+    [[ "$PWD" != "$start" ]]
+    popd
+    [[ "$PWD" == "$start" ]]
+  '';
 }

common/shell/ps1.nix

@@ -2,12 +2,16 @@
   config,
   lib,
   vaculib,
+  vacuModuleType,
   ...
 }:
 let
   cfg = config.vacu.shell;
   # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
   colors = vaculib.shellColors;
+
+  # TODO: reset_without_clear doesn't fully work
+  # thanks colin https://git.uninsane.org/colin/nix-files/src/commit/7f5b2628016c8ca1beec417766157c7676a9c5e5/hosts/common/programs/zsh/starship.nix#L24
   # https://man.archlinux.org/man/bash.1#PROMPTING
   # \[ and \] begins and ends "a sequence of non-printing characters"
   set_color = colornum: ''\[\e[1;${toString colornum}m\]'';
@@ -16,21 +20,38 @@ let
   colornum = colors.${cfg.color};
   root_text = root: lib.optionalString root "ROOT@";
   final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
+  hostName = if vacuModuleType == "plain" then ''\h'' else config.vacu.shortHostName;
   default_ps1 =
     root:
-    ''\n''
+    ""
+    + ''\n''
+    # + ''\[${reset_without_clear}\]''
+    + (set_color colornum)
+    + "${root_text root}${hostName}:\\w"
+    + " "
+    + ''$(vacu_shell_show_return_code)''
+    + ''\n''
     + (set_color colornum)
-    + ''${root_text root}${config.vacu.shortHostName}:\w''
     + (final root)
     + reset_color
     + " ";
 in
 {
   vacu.shell.idempotentShellLines = ''
-    if [ $UID = 0 ]; then
-      export PS1=${lib.escapeShellArg (default_ps1 true)}
+    function vacu_shell_show_return_code() {
+      local ret=$?
+      local color=${toString colors.green}
+      if [[ "$ret" != 0 ]]; then
+        color=${toString colors.red}
+      fi
+      printf '\e[1;%dm' $color
+      printf "%d" "$ret"
+      return "$ret"
+    }
+    if [[ $EUID == 0 ]]; then
+      PS1=${lib.escapeShellArg (default_ps1 true)}
     else
-      export PS1=${lib.escapeShellArg (default_ps1 false)}
+      PS1=${lib.escapeShellArg (default_ps1 false)}
     fi
   '';
 }

common/shell/qcd.nix

@@ -0,0 +1,50 @@
+{
+  lib,
+  config,
+  vacuModuleType,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  home =
+    if vacuModuleType == "nix-on-droid" then
+      "/data/data/com.termux.nix/files/home"
+    else
+      "/home/shelvacu";
+in
+{
+  options.vacu.qcd = mkOption {
+    default = { };
+    type = types.attrsOf types.path;
+  };
+  config.vacu.shell.functions.qcd = ''
+    svl_exact_args $# 1
+    declare the_arg="$1"
+
+    declare base="''${the_arg%%/*}"
+    declare rest="''${the_arg:''${#base}}"
+    declare path
+
+    if false; then :
+    ${lib.pipe config.vacu.qcd [
+      (lib.mapAttrsToList (
+        alias: path:
+        ''elif [[ $base == ${lib.escapeShellArg alias} ]]; then path=${lib.escapeShellArg path}''
+      ))
+      (lib.concatStringsSep "\n")
+    ]}
+    fi
+    if ! [[ -v path ]]; then
+      svl_eprintln "unrecognized alias $base"
+      return 1
+    fi
+
+    cd -- "$path$rest"
+  '';
+  config.vacu.qcd = {
+    ns = "${home}/dev/nix-stuff";
+    np = "${home}/dev/nixpkgs";
+    dev = "${home}/dev";
+  };
+}

common/shell/tweaks.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  config.vacu.shell.idempotentShellLines = ''
+    if [[ $- == *i* ]]; then
+      # don't overwrite files by default when using > redirection
+      set -o noclobber
+      # disable ! history expansion
+      set +o histexpand
+    fi
+  '';
+}

common/shell/vacuhistory.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  config.vacu = {
+    shell.idempotentShellLines = ''
+      if [[ -z "''${VACU_HISTORY_SESSION_ID-}" ]]; then
+        VACU_HISTORY_SESSION_ID="$(${pkgs.libossp_uuid}/bin/uuid)"
+      fi
+      VACU_HISTORY_DB_PATH="$HOME/vacu-shell-history.sqlite"
+      function vacu_history_record() {
+        LC_ALL=C HISTTIMEFORMAT='%S|%M|%H|%d|%m|%Y|%w|%j|%z|' history 1 | VACU_HISTORY_SESSION_ID="$VACU_HISTORY_SESSION_ID" VACU_HISTORY_DB_PATH="$VACU_HISTORY_DB_PATH" ${pkgs.vacu-history}/bin/vacu-history
+      }
+      PS0='$(vacu_history_record >/dev/null)'"$PS0"
+    '';
+  };
+}

common/sops.nix

@@ -0,0 +1,82 @@
+{
+  lib,
+  pkgs,
+  config,
+  vaculib,
+  ...
+}:
+let
+  ssh-to-age = lib.getExe pkgs.ssh-to-age;
+  sshToAge =
+    sshPubText:
+    vaculib.outputOf {
+      name = "age-from-ssh.txt";
+      cmd = ''printf '%s' ${lib.escapeShellArg sshPubText} | ${ssh-to-age} > "$out"'';
+    };
+  userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
+  userKeysAge = map sshToAge userKeys;
+  agesOf = hostname: map sshToAge config.vacu.hosts.${hostname}.sshKeys;
+  singleGroup = keys: [ { age = keys; } ];
+  testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
+  testAgePublic = vaculib.outputOf {
+    name = "test-age-public-key.txt";
+    cmd = ''printf '%s' ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y > "$out"'';
+  };
+  sopsConfig = {
+    creation_rules = [
+      {
+        path_regex = "/secrets/misc/[^/]+$";
+        key_groups = singleGroup userKeysAge;
+      }
+      {
+        path_regex = "/secrets/hosts/liam\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "liam");
+      }
+      {
+        path_regex = "/secrets/hosts/triple-dezert\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert");
+      }
+      {
+        path_regex = "/secrets/hosts/prophecy\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "prophecy");
+      }
+      {
+        path_regex = "/secrets/hosts/solis\\.yaml$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "solis");
+      }
+      {
+        path_regex = "/secrets/radicle-private\\.key$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "fw");
+      }
+      {
+        path_regex = "/secrets/garage-rpc\\.key$";
+        key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert" ++ agesOf "prophecy" ++ agesOf "solis");
+      }
+      {
+        path_regex = "/tests/triple-dezert/test_secrets/";
+        key_groups = singleGroup [ testAgePublic ];
+      }
+    ];
+  };
+  sopsConfigFile = pkgs.writers.writeYAML "sops.yaml" sopsConfig;
+  wrappedSops = vaculib.makeWrapper {
+    original = lib.getExe pkgs.sops;
+    new = "vacu-nix-stuff-sops";
+    add_flags = [
+      "--config"
+      sopsConfigFile
+    ];
+    run = lib.singleton ''
+      set -e
+      age_keys=("${testAgeSecret}" "$(cat $HOME/.ssh/id_ed25519 | ${lib.getExe pkgs.ssh-to-age} -private-key)")
+
+      export SOPS_AGE_KEY
+      printf -v SOPS_AGE_KEY "%s\n" "''${age_keys[@]}"
+      # declare -p SOPS_AGE_KEY
+    '';
+  };
+in
+{
+  options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile;
+  options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
+}

common/sourceTree.nix

@@ -0,0 +1,26 @@
+{
+  inputs,
+  pkgs,
+  lib,
+  config,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+in
+{
+  options.vacu.sourceTree = mkOption {
+    readOnly = true;
+    type = types.package;
+  };
+  config =
+    {
+      vacu.sourceTree = pkgs.linkFarm "simple-inputs-tree" inputs;
+    }
+    // (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
+      environment.etc = lib.optionalAttrs (!config.vacu.isMinimal) {
+        "vacu/sources".source = "${config.vacu.sourceTree}";
+      };
+    });
+}

common/ssh.nix

@@ -1,147 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-let
-  inherit (lib)
-    mkOption
-    types
-    flip
-    concatMapStringsSep
-    optionalString
-    concatStringsSep
-    readFile
-    mapAttrsToList
-    literalExpression
-    ;
-  inherit (builtins) attrValues;
-  cfg = config.vacu;
-  knownHosts = attrValues cfg.ssh.knownHosts;
-  knownHostsText =
-    (flip (concatMapStringsSep "\n") knownHosts (
-      h:
-      assert h.hostNames != [ ];
-      optionalString h.certAuthority "@cert-authority "
-      + concatStringsSep "," h.hostNames
-      + " "
-      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-    ))
-    + "\n";
-in
-{
-  options = {
-    vacu.ssh.knownHostsText = mkOption {
-      type = types.str;
-      readOnly = true;
-      default = knownHostsText;
-    };
-    vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
-    vacu.ssh.config = mkOption { type = types.lines; };
-    # Straight copied from nixpkgs 
-    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
-    vacu.ssh.knownHosts = mkOption {
-      default = { };
-      type = types.attrsOf (
-        types.submodule (
-          {
-            name,
-            config,
-            options,
-            ...
-          }:
-          {
-            options = {
-              certAuthority = mkOption {
-                type = types.bool;
-                default = false;
-                description = ''
-                  This public key is an SSH certificate authority, rather than an
-                  individual host's key.
-                '';
-              };
-              hostNames = mkOption {
-                type = types.listOf types.str;
-                default = [ name ] ++ config.extraHostNames;
-                defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
-                description = ''
-                  A list of host names and/or IP numbers used for accessing
-                  the host's ssh service. This list includes the name of the
-                  containing `knownHosts` attribute by default
-                  for convenience. If you wish to configure multiple host keys
-                  for the same host use multiple `knownHosts`
-                  entries with different attribute names and the same
-                  `hostNames` list.
-                '';
-              };
-              extraHostNames = mkOption {
-                type = types.listOf types.str;
-                default = [ ];
-                description = ''
-                  A list of additional host names and/or IP numbers used for
-                  accessing the host's ssh service. This list is ignored if
-                  `hostNames` is set explicitly.
-                '';
-              };
-              publicKey = mkOption {
-                default = null;
-                type = types.nullOr types.str;
-                example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-                description = ''
-                  The public key data for the host. You can fetch a public key
-                  from a running SSH server with the {command}`ssh-keyscan`
-                  command. The public key should not include any host names, only
-                  the key type and the key itself.
-                '';
-              };
-              publicKeyFile = mkOption {
-                default = null;
-                type = types.nullOr types.path;
-                description = ''
-                  The path to the public key file for the host. The public
-                  key file is read at build time and saved in the Nix store.
-                  You can fetch a public key file from a running SSH server
-                  with the {command}`ssh-keyscan` command. The content
-                  of the file should follow the same format as described for
-                  the `publicKey` option. Only a single key
-                  is supported. If a host has multiple keys, use
-                  {option}`programs.ssh.knownHostsFiles` instead.
-                '';
-              };
-            };
-          }
-        )
-      );
-      description = ''
-        The set of system-wide known SSH hosts. To make simple setups more
-        convenient the name of an attribute in this set is used as a host name
-        for the entry. This behaviour can be disabled by setting
-        `hostNames` explicitly. You can use
-        `extraHostNames` to add additional host names without
-        disabling this default.
-      '';
-      example = literalExpression ''
-        {
-          myhost = {
-            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
-          };
-          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
-          "myhost2.net/dsa" = {
-            hostNames = [ "myhost2.net" ];
-            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
-          };
-        }
-      '';
-    };
-    config.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
-      name: data: {
-        assertion =
-          (data.publicKey == null && data.publicKeyFile != null)
-          || (data.publicKey != null && data.publicKeyFile == null);
-        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-      }
-    );
-  };
-}

common/staticNames.nix

@@ -0,0 +1,89 @@
+{
+  lib,
+  vacuModuleType,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  domainPartRegex = "[[:alnum:]]([[:alnum:]-]{0,61}[[:alnum:]])?";
+  domainRegex = ''^${domainPartRegex}(\.${domainPartRegex})*$'';
+  domainType = types.strMatching domainRegex;
+  hostsLines = lib.pipe config.vacu.staticNames [
+    (lib.mapAttrsToList (k: v: [ k ] ++ v))
+    (lib.filter (v: (builtins.length v) > 1))
+    (map (lib.concatStringsSep " "))
+    (lib.concatStringsSep "\n")
+  ];
+  ip4Seg = ''[0-9]{1,3}'';
+  ip4Regex = lib.concatStringsSep ''\.'' [
+    ip4Seg
+    ip4Seg
+    ip4Seg
+    ip4Seg
+  ];
+  ip6Regex = ''[0-9a-fA-F:]+'';
+  ipRegex = ''(${ip4Regex})|(${ip6Regex})'';
+in
+{
+  imports =
+    [
+      {
+        vacu.assertions = map (ip: {
+          assertion = (builtins.match ipRegex ip) != null;
+          message = ''config.vacu.staticNames: attr name "${ip}" is invalid'';
+        }) (builtins.attrNames config.vacu.staticNames);
+      }
+    ]
+    ++ lib.optional (vacuModuleType == "nixos") { networking.hosts = config.vacu.staticNames; }
+    ++ lib.optional (vacuModuleType == "nix-on-droid") {
+      environment.etc.hosts.text = ''
+        127.0.0.1 localhost
+        ::1 localhost
+        ${hostsLines}
+      '';
+    };
+
+  options.vacu.staticNames = mkOption {
+    type = types.attrsOf (types.listOf domainType);
+    default = { };
+  };
+
+  config.vacu.staticNames = {
+    "205.201.63.13" = [
+      "prop"
+      "prophecy"
+      "prophecy.shelvacu-static"
+    ];
+    "10.78.79.22" = [ "prophecy.t2d.lan.shelvacu-static" ];
+    "178.128.79.152" = [
+      "liam"
+      "liam.shelvacu-static"
+    ];
+    "172.83.159.53" = [
+      "trip"
+      "triple-dezert"
+      "triple-dezert.shelvacu-static"
+    ];
+    "10.78.79.237" = [ "triple-dezert.t2d.lan.shelvacu-static" ];
+    "205.201.63.12" = [
+      "servo"
+      "uninsane-servo.shelvacu-static"
+    ];
+    "10.78.79.1" = [
+      "vnopn"
+      "vnopn.shelvacu-static"
+      "vnopn.t2d.lan.shelvacu-static"
+    ];
+    "10.78.79.11" = [
+      "mmm"
+      "mmm.shelvacu-static"
+      "mmm.t2d.lan.shelvacu-static"
+    ];
+    "10.78.79.69" = [
+      "oeto"
+      "oeto.shelvacu-static"
+      "oeto.t2d.lan.shelvacu-static"
+    ];
+  };
+}

common/thunderbird.nix

@@ -0,0 +1,100 @@
+{
+  lib,
+  config,
+  vacuModuleType,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  vacustoreCalUUID = "dd9a924e-57d9-4ea1-b7ec-22d1f0ff3d51";
+  vacustoreCalConfig = {
+    "cache.enabled" = true;
+    calendar-main-in-composite = true;
+    color = "#33d17a";
+    disabled = false;
+    "imip.identity.key" = "id1"; #what is this
+    name = "Personal";
+    readOnly = false;
+    type = "caldav";
+    uri = "https://vacu.store/remote.php/dav/calendars/shelvacu/personal/";
+    username = "shelvacu";
+  };
+in
+{
+  options.vacu.programs.thunderbird = {
+    enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+  config = lib.optionalAttrs (vacuModuleType == "nixos") (lib.mkIf config.vacu.programs.thunderbird.enable {
+    programs.thunderbird = {
+      enable = true;
+      policies = {
+        DisableTelemetry = true;
+        DNSOverHTTPS.Enabled = false;
+        ExtensionSettings = {
+          #*cloud - FileLink for Nextcloud and ownCloud
+          "cloud@johannes-endres.de".installation_mode = "normal_installed";
+          #NTFNTF: Notify on This Folder Not That Folder
+          "ntfntf@dan-sullivan.co.uk".installation_mode = "normal_installed";
+        };
+        SSLVersionMin = "tls1.3";
+        SearchEngines.Remove = [
+          "Amazon.com"
+          "Bing"
+          "DuckDuckGo"
+          "Google"
+          "Wikipedia (en)"
+        ];
+      };
+      preferences = {
+        "accessibility.typeaheadfind.flashBar" = 0; #what is this
+        "app.donation.eoy.version.viewed" = -1; #dunno if this actually works
+        "browser.search.region" = "US";
+        "calendar.alarms.playsound" = false;
+        "calendar.alarms.show" = false;
+        "calendar.ui.version" = 3;
+        "intl.date_time.pattern_override.date_full" = "MMMM d, yyyy G z";
+        "intl.date_time.pattern_override.date_short" = "yyyy-MM-dd";
+        "intl.date_time.pattern_override.time_medium" = "HH:mm:ss z";
+        "intl.date_time.pattern_override.time_short" = "HH:mm";
+        # "ldap_2.servers.Contacts.carddav.url" = "https://vacu.store/remote.php/dav/addressbooks/users/shelvacu/contacts/";
+        # "ldap_2.servers.Contacts.carddav.username" = "shelvacu";
+        # "ldap_2.servers.Contacts.description" = "vacu.store Contacts";
+        # "ldap_2.servers.Contacts.dirType" = 102; #no idea what this does
+        "mail.account.account1.identities" = "id1,id2,id3";
+        "mail.account.account1.server" = "server1";
+        "mail.compose.other.header" = "X-Shelvacu-Custom-Header";
+        "mail.compose.warned_about_customize_from" = true;
+        "mail.identity.id1.fullName" = "Shelvacu";
+        "mail.identity.id1.useremail" = "shelvacu@shelvacu.com";
+        "mail.identity.id1.catchAll" = true;
+        "mail.server.server1.hostname" = "imap.shelvacu.com";
+        "mail.server.server1.login_at_startup" = true;
+        "mail.server.server1.name" = "shelvacu@shelvacu.com";
+        "mail.server.server1.port" = 993;
+        "mail.server.server1.type" = "imap";
+        "mail.server.server1.socketType" = 3; #TLS (as opposed to plaintext or STARTTLS)
+        "mail.server.server1.userName" = "shelvacu";
+        "mail.shell.checkDefaultClient" = false;
+        "mail.showCondensedAddresses" = false;
+        "mail.smtp.defaultserver" = "smtp1";
+        "mail.smtpserver.smtp1.authMethod" = 3;
+        "mail.smtpserver.smtp1.hostname" = "smtp.shelvacu.com";
+        "mail.smtpserver.smtp1.port" = 465;
+        "mail.smtpserver.smtp1.try_ssl" = 3;
+        "mail.smtpserver.smtp1.type" = "smtp";
+        "mail.smtpserver.smtp1.username" = "shelvacu";
+        "mail.startup.enabledMailCheckOnce" = true;
+        "mail.threadpane.listview" = 1;
+        "mailnews.customHeaders" = "X-Vacu-Action";
+        "mailnews.default_sort_type" = 27;
+        "mailnews.mark_message_read.auto" = false;
+        "mailnews.start_page.enabled" = false;
+        # "searchintegration.enable" = false;
+      } // vaculib.mapAttrNames (n: "calendar.registry.${vacustoreCalUUID}.${n}") vacustoreCalConfig;
+    };
+  });
+}

common/units-config.nix

@@ -0,0 +1,35 @@
+{
+  vacu.units.extraUnits = {
+    b = "bit";
+    B = "byte";
+    kibi- = "1024";
+    Ki- = "kibi";
+    mebi- = "1024 kibi";
+    Mi- = "mebi";
+    gibi- = "1024 mebi";
+    Gi- = "gibi";
+    tebi- = "1024 gibi";
+    Ti- = "tebi";
+    pebi- = "1024 tebi";
+    Pi- = "pebi";
+    baud = "bit/s";
+    kbps = "kilobit/s";
+    kibps = "kibibit/s";
+    mbps = "megabit/s";
+    mibps = "mebibit/s";
+    gbps = "gigabit/s";
+    gibps = "gibibit/s";
+    tbps = "terabit/s";
+    tibps = "tebibit/s";
+    pbps = "petabit/s";
+    pibps = "pebibit/s";
+
+    month = "year/12";
+    mo = "month";
+    usd = "USD";
+    dollar = "USD";
+    cent = "0.01 USD";
+    "$" = "USD";
+    BTC = "bitcoin";
+  };
+}

common/units-impl.nix

@@ -0,0 +1,127 @@
+{
+  config,
+  lib,
+  pkgs,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  unitNameRegex =
+    let
+      # Unit  names cannot begin or end with an underscore (‘_’), a comma (‘,’) or a decimal point (‘.’).  Names must not contain any of the operator characters ‘+’, ‘-’, ‘*’, ‘/’, ‘|’, ‘^’, ‘;’, ‘~’, the comment character ‘#’, or parentheses.  To facilitate copying and pasting from documents, several typographical characters are converted to operators: the figure dash (U+2012), minus (‘-’; U+2212), and en dash (‘–’; U+2013) are converted to the operator ‘-’; the multiplication sign (‘×’; U+00D7), N-ary times operator (U+2A09), dot operator (‘⋅’; U+22C5), and middle dot (‘·’; U+00B7) are converted to the operator ‘*’; the division sign (‘÷’; U+00F7) is converted to the operator ‘/’; and the fraction slash (U+2044) is converted to the operator ‘|’; accordingly, none of these characters can appear in unit names.
+      disallowedAnywhere =
+        "+*/|^;~#()" + (builtins.fromJSON ''"\u2012\u2212\u2013\u00d7\u2a09\u22c5\u00b7\u00f7\u2044"'');
+      disallowedMiddle = "-" + disallowedAnywhere;
+      disallowedAtEnd = "23456789_,." + disallowedAnywhere;
+      disallowedAtBegin = "-01" + disallowedAtEnd;
+      anyExcept = chars: "[^${lib.escapeRegex chars}]";
+      singleChar = anyExcept disallowedAtBegin;
+      multiChar = "${anyExcept disallowedAtBegin}${anyExcept disallowedMiddle}*${anyExcept disallowedAtEnd}";
+      numberSuffix = regex: "${regex}_[0-9\\.,]+";
+      fullRegex = "${singleChar}|${multiChar}|${numberSuffix singleChar}|${numberSuffix multiChar}";
+    in
+    fullRegex;
+  unitsAttrsType = types.addCheck (types.attrsOf types.str) (
+    attrs: builtins.all (name: (builtins.match unitNameRegex name) != null) (builtins.attrNames attrs)
+  );
+  unitsDir = pkgs.stdenvNoCC.mkDerivation {
+    name = "vacu-units-files";
+
+    src = pkgs.units.src;
+
+    phases = [
+      "unpackPhase"
+      "installPhase"
+    ];
+
+    installPhase = ''
+      mkdir -p "$out"
+      cp {definitions,elements}.units "$out"
+      ln -s ${../units/currency.units} "$out"/currency.units
+      ln -s ${../units/cpi.units} "$out"/cpi.units
+      printf '%s' ${lib.escapeShellArg config.vacu.units.lines} > "$out"/vacu.units
+    '';
+  };
+in
+{
+  options.vacu.units = {
+    originalPackage = mkOption {
+      type = types.package;
+      default = pkgs.units.override { enableCurrenciesUpdater = false; };
+      defaultText = "pkgs.units.override { ... }";
+    };
+    finalPackage = mkOption {
+      type = types.package;
+      readOnly = true;
+    };
+    check = mkOption {
+      type = types.package;
+      readOnly = true;
+    };
+    generatedConfigDir = mkOption {
+      readOnly = true;
+      type = types.package;
+    };
+    generatedConfigFile = mkOption {
+      readOnly = true;
+      type = types.pathInStore;
+    };
+    lines = mkOption {
+      default = "";
+      type = types.lines;
+    };
+    extraUnits = mkOption {
+      type = unitsAttrsType;
+      default = { };
+    };
+  };
+  config = lib.mkMerge [
+    {
+      vacu.units = {
+        finalPackage = vaculib.makeWrapper {
+          original = config.vacu.units.originalPackage;
+          new = "units";
+          prepend_flags = [
+            "--file"
+            config.vacu.units.generatedConfigFile
+          ];
+        };
+        generatedConfigDir = unitsDir;
+        generatedConfigFile = "${unitsDir}/vacu.units";
+        lines = lib.mkOrder 750 ''
+          # default units file, includes elements.units, currency.units, cpi.units
+          !include definitions.units
+        '';
+      };
+      vacu.textChecks.units-config = ''
+        # `units --check` returns success (exit code 0) regardless of success >:(
+        # example output:
+
+        # $ result/bin/units --check
+        # Currency exchange rates from exchangerate-api.com (USD base) on 2024-11-14 
+        # Consumer price index data from US BLS, 2024-02-18 
+        # 7247 units, 125 prefixes, 134 nonlinear units
+        #
+
+        output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
+        printf '%s' "$output"
+        filteredLines="$(printf '%s' "$output" \
+          | grep -v '^\s*$' \
+          | grep -v 'Currency exchange rates from' \
+          | grep -v 'Consumer price index data from' \
+          | grep -vE '[0-9]+ units, [0-9]+ prefixes, [0-9]+ nonlinear units' || true
+        )"
+        if [[ -n "$filteredLines" ]]; then
+          exit 1
+        fi
+        touch "$out"
+      '';
+    }
+    {
+      vacu.units.lines = lib.concatStringsSep "\n" (
+        lib.mapAttrsToList (name: value: "+${name}	${value}") config.vacu.units.extraUnits
+      );
+    }
+  ];
+}

common/verify-system/default.nix

@@ -1,35 +1,63 @@
-{ pkgs, lib, config, ... }: let
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
   inherit (lib) mkOption mkEnableOption types;
   cfg = config.vacu.verifySystem;
-in {
+in
+{
+  imports = [ ./nixos.nix ];
   options.vacu.verifySystem = {
-    enable = (mkEnableOption "verify system is what is expected") // { default = true; };
+    enable = (mkEnableOption "verify system is what is expected") // {
+      default = false;
+    };
     verifiers = mkOption {
-      default = {};
-      type = types.attrsOf (types.submodule ({ name, config, ... }: {
-        options = {
-          enable = mkEnableOption "Enable system ident check ${name}";
-	  name = mkOption { type = types.str; default = name; };
-	  script = mkOption { type = types.lines; default = "## system ident check ${config.name}"; };
-	};
-      }));
+      default = { };
+      type = types.attrsOf (
+        types.submodule (
+          { name, config, ... }:
+          {
+            options = {
+              enable = mkEnableOption "Enable system ident check ${name}";
+              name = mkOption {
+                type = types.str;
+                default = name;
+              };
+              script = mkOption {
+                type = types.lines;
+                default = "## system ident check ${config.name}";
+                defaultText = lib.literalText ''## system ident check ${name}''; 
+              };
+            };
+          }
+        )
+      );
     };
 
-    verifyAllScript = let
-      verifiers = (builtins.attrValues cfg.verifiers);
-      enabled = builtins.filter (s: s.enable) verifiers;
-      files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
-      script = ''
-        ## vacu verify-system
-	for f in ${lib.concatStringsSep " " files}; do
-	  echo "verifying system with $f"
-	  if ! source $f; then
-	    echo "ERR: $f failed" >&2
-	    return 1
-	  fi
-	done
-      '';
-      scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
-    in mkOption { readOnly = true; default = scriptFile; };
+    verifyAllScript =
+      let
+        verifiers = (builtins.attrValues cfg.verifiers);
+        enabled = builtins.filter (s: s.enable) verifiers;
+        files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
+        script = ''
+          ## vacu verify-system
+          for f in ${lib.concatStringsSep " " files}; do
+            echo "verifying system with $f"
+            if ! source $f; then
+              echo "ERR: $f failed" >&2
+              return 1
+            fi
+          done
+        '';
+        scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
+      in
+      mkOption {
+        readOnly = true;
+        default = scriptFile;
+        defaultText = "vacu-verify-system-all.sh package";
+      };
   };
 }

common/verify-system/nixos.nix

@@ -1,7 +1,19 @@
-{ lib, config, pkgs, ... }: let
+{
+  lib,
+  config,
+  pkgs,
+  vacuModuleType,
+  ...
+}:
+let
   inherit (lib) mkOption types;
-in {
-  options.vacu.verifySystem.expectedMac = mkOption { type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}"); default = null; };
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.verifySystem.expectedMac = mkOption {
+    # lowercase only
+    type = types.nullOr (types.strMatching "[a-f0-9]{2}(:[a-f0-9]{2}){5}");
+    default = null;
+  };
   config = lib.mkIf config.vacu.verifySystem.enable {
     # system.activationScripts."00-verify-system" = {
     #   text = "if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit $?; fi";
@@ -9,47 +21,49 @@ in {
     # };
 
     system.extraSystemBuilderCmds = ''
-      mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
-      cat <<EOF > $out/bin/switch-to-configuration
-      #!${pkgs.bash}/bin/bash
-      oldpath="$PATH"
-      export PATH="${pkgs.coreutils}/bin"
-      if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
-      export PATH="$oldpath"
-      exec $out/bin/.switch-to-configuration-unverified "\$@"
-      EOF
+      mv "$out"/bin/switch-to-configuration "$out"/bin/.switch-to-configuration-unverified
+      echo '#!${pkgs.bash}/bin/bash
+      (
+        PATH="${pkgs.coreutils}/bin"
+        if ! source ${config.vacu.verifySystem.verifyAllScript}; then
+          exit $?
+        fi
+      )
+      ' > "$out"/bin/switch-to-configuration
+      echo "exec $out/bin/.switch-to-configuration-unverified" '"$@"' >> "$out"/bin/switch-to-configuration
 
-      ${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
+      ${pkgs.coreutils}/bin/chmod a+x "$out"/bin/switch-to-configuration
     '';
 
     vacu.verifySystem.verifiers = {
       hostname = {
-        enable = lib.mkDefault true;
-	script = ''
-	  expected=${config.networking.hostName}
-	  actual=$(cat /proc/sys/kernel/hostname)
-	  if [[ "$expected" != "$actual" ]]; then
-	    echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
-	    return 1
-	  fi
-	'';
-       };
-       expectedMac = {
-         enable = config.vacu.verifySystem.expectedMac != null;
-	 script = ''
-	   expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
-	   declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map(.address | ascii_upcase) | join("\n")' -r))
-	   for ifMac in "''${actual[@]}"; do
-             if [[ "$ifMac" == "$expected" ]]; then
-	       # all is well
-	       return 0
-	      fi
-	   done
-	   echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
-	   echo "     Found MAC addresses: ''${actual[*]}" >&2
-	   return 1
-	 '';
-       };
-     };
+        enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
+        script = ''
+          expected=${lib.escapeShellArg config.networking.hostName}
+          actual="$(</proc/sys/kernel/hostname)"
+          if [[ "$expected" != "$actual" ]]; then
+            echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
+            return 1
+          fi
+        '';
+      };
+      expectedMac = {
+        enable = config.vacu.verifySystem.expectedMac != null;
+        script = ''
+          declare expected=${lib.escapeShellArg (lib.toUpper config.vacu.verifySystem.expectedMac)}
+          declare -a actualMacs
+          mapfile -d"" -t actualMacs < <(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten[]' --raw-output0)
+          for ifMac in "''${actualMacs[@]}"; do
+              if [[ "$ifMac" == "$expected" ]]; then
+              # all is well
+              return 0
+             fi
+          done
+          echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
+          echo "     Found MAC addresses: ''${actualMacs[*]}" >&2
+          return 1
+        '';
+      };
+    };
   };
 }

coopdx.nix

@@ -1,103 +0,0 @@
-{
-  callPackage,
-  fetchFromGitHub,
-  autoPatchelfHook,
-  zlib,
-  curl,
-  libcxx,
-  stdenvNoCC,
-  nixpkgs ? <nixpkgs>,
-  writeTextFile,
-  lib,
-  bash,
-
-  enableTextureFix ? true,
-  enableDiscord ? false,
-}:
-let
-  libc_hack = writeTextFile {
-    name = "libc-hack";
-    # https://stackoverflow.com/questions/21768542/libc-h-no-such-file-or-directory-when-compiling-nanomsg-pipeline-sample
-    text = ''
-      #include <unistd.h>
-      #include <string.h>
-      #include <pthread.h>
-    '';
-    destination = "/include/libc.h";
-  };
-  target = stdenvNoCC.targetPlatform;
-  bits =
-    if target.is64bit then
-      "64"
-    else if target.is32bit then
-      "32"
-    else
-      throw "unspported bits";
-  pname = "sm64coopdx";
-  version = "1.0.3";
-  region = "us"; # dx removed support for other regions
-in
-(callPackage "${nixpkgs}/pkgs/games/sm64ex/generic.nix" {
-  inherit pname version region;
-
-  src = fetchFromGitHub {
-    owner = "coop-deluxe";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-cIH3escLFMcHgtFxeSKIo5nZXvaknti+EVt72uB4XXc=";
-  };
-
-  extraNativeBuildInputs = [ autoPatchelfHook ];
-
-  extraBuildInputs = [
-    zlib
-    curl
-    libcxx
-    libc_hack
-  ];
-
-  # Normally there's no need to set TARGET_ARCH, but if we don't it adds -march=native which is impure
-  compileFlags = [
-    "BREW_PREFIX=/not-exist"
-    "TARGET_ARCH=generic"
-    "TARGET_BITS=${bits}"
-    "DISCORD_SDK=${if enableDiscord then "1" else "0"}"
-    "TEXTURE_FIX=${if enableTextureFix then "1" else "0"}"
-  ];
-
-  extraMeta = {
-    mainProgram = pname;
-    homepage = "https://sm64coopdx.com/";
-    description = "Super Mario 64 online co-op mod, forked from sm64ex";
-  };
-}).overrideAttrs
-  {
-    installPhase =
-      let
-        sharedLib = target.extensions.sharedLibrary;
-      in
-      ''
-              runHook preInstall
-
-              local built=$PWD/build/${region}_pc
-
-              mkdir -p $out/share/${pname}
-              cp $built/${pname} $out/share/${pname}/${pname}-unwrapped
-              cp -r $built/{dynos,lang,mods,palettes} $out/share/${pname}
-              cp ./baserom.*.z64 $out/share/
-
-              ${lib.optionalString enableDiscord ''
-                cp $built/libdiscord_game_sdk${sharedLib} $out/share/${pname}
-              ''}
-
-              mkdir -p $out/bin
-              (
-                echo '#!${bash}/bin/bash'
-        	echo "cd $out/share/${pname}"
-        	echo 'exec ./${pname}-unwrapped "$@"'
-              ) > $out/bin/${pname}
-              chmod a+x $out/bin/${pname}
-
-              runHook postInstall
-      '';
-  }

dcd

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo "$@"

default.nix

@@ -0,0 +1,29 @@
+{
+  system ? builtins.currentSystem,
+}:
+let
+  flakeCompat = (import
+    (
+      let
+        lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+        nodeName = lock.nodes.root.inputs.flake-compat;
+      in
+      fetchTarball {
+        url = lock.nodes.${nodeName}.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.${nodeName}.locked.rev}.tar.gz";
+        sha256 = lock.nodes.${nodeName}.locked.narHash;
+      }
+    )
+    {
+      inherit system;
+      src = ./.;
+    }
+  );
+  flake = flakeCompat.outputs;
+  overlays = import ./overlays;
+  pkgs = import flake.inputs.nixpkgs {
+    inherit system overlays;
+  };
+in
+pkgs // {
+  nixpkgs-update = { ... }@args: import "${flake.inputs.nixpkgs}/maintainers/scripts/update.nix" ({ include-overlays = overlays; } // args);
+}

devver/default.nix

@@ -1,76 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  inputs,
-  modulesPath,
-  ...
-}:
-
-{
-  imports = [
-    inputs.home-manager.nixosModules.default
-    ../common/nixos.nix
-    (modulesPath + "/profiles/qemu-guest.nix")
-  ];
-
-  boot.initrd.availableKernelModules = [
-    "virtio_pci"
-    "usbhid"
-    "virtio_blk"
-    "9pnet_virtio"
-    "9p"
-    "autofs4"
-  ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [
-    "kvm-intel"
-    "9pnet_virtio"
-    "9p"
-    "autofs4"
-  ];
-  boot.extraModulePackages = [ ];
-
-  vacu.hostName = "devver";
-  vacu.shortHostName = "dvr";
-  vacu.shell.color = "green";
-  boot.loader.external.enable = true;
-  boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
-    PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
-    set -xev
-    mkdir -p /boot
-    cp $1/kernel /boot/kernel
-    cp $1/initrd /boot/initrd
-    cp $1/kernel-params /boot/kernel-params
-    sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
-  '';
-
-  users.users.root.shell = pkgs.bashInteractive;
-
-  fileSystems."/boot" = {
-    fsType = "9p";
-    device = "boot";
-    options = [
-      "trans=virtio"
-      "access=any"
-      "version=9p2000.L"
-      "posixacl"
-      "cache=mmap"
-      "nofail"
-      "noauto"
-    ];
-  };
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
-    fsType = "ext4";
-  };
-
-  #boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-
-  services.openssh.enable = true;
-
-  vacu.packages.nix-inspect.enable = false; # its broken for some reason I don't understand
-
-  system.stateVersion = "23.11";
-}

dliam

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo "$@"

dmmm

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+git add . && nixos-rebuild --flake .#mmm --build-host trip --target-host mmm --use-remote-sudo "$@"

dns/default.nix

@@ -0,0 +1,137 @@
+{
+  dns,
+  lib,
+  vaculib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types singleton;
+  inherit (dns.lib.combinators)
+    ns
+    ttl
+    spf
+    mx
+    ;
+  inherit (config.vacu) hosts;
+  cloudnsNameServers = [
+    "pns51.cloudns.net."
+    "pns52.cloudns.net."
+    "pns53.cloudns.net."
+    "pns54.cloudns.net."
+  ];
+  cloudnsSoa = (
+    ttl (60 * 60) {
+      nameServer = lib.head cloudnsNameServers;
+      adminEmail = "support@cloudns.net";
+      serial = 1970010101; # cloudns takes care of updating the serial
+      refresh = 7200;
+      retry = 1800;
+      expire = 1209600;
+      minimum = 3600;
+    }
+  );
+  dkimKeyLiam = {
+    name = "2024-03-liam";
+    content = "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==";
+  };
+  dmarc = lib.pipe [
+    # see https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
+    "v=DMARC1"
+    "p=reject" # policy = reject all mail that fails DKIM or SPF
+    # no need for sp=, policy applies to subdomains by default
+    "adkim=s" # match dkim domains strictly (foo.shelvacu.com != shelvacu.com)
+    "aspf=s" # match spf domains strictly
+    "fo=1" # failure reporting: report a failure if any of dkim or spf fails
+    "rua=mailto:dmarc-rua@shelvacu.com!25m"
+    "ruf=mailto:dmarc-ruf@shelvacu.com!25m"
+  ] [
+    (map (s: s + ";"))
+    (lib.concatStringsSep " ")
+  ];
+  vacuZoneExtModule = { config, ... }: {
+    imports = [ vacuDomainExtModule ];
+    options.vacu.cloudns = mkOption {
+      default = true;
+      type = types.bool;
+    };
+    config = lib.mkIf config.vacu.cloudns {
+      SOA = cloudnsSoa;
+      NS = map (server: ttl (60 * 60) (ns server)) cloudnsNameServers;
+      TTL = lib.mkDefault 300;
+    };
+  };
+  vacuDomainExtModule = { config, ... }: {
+    options.vacu = {
+      liamMail = mkOption {
+        default = false;
+        type = types.bool;
+      };
+      _ancestorHasDMARC = mkOption {
+        type = types.bool;
+        default = false;
+        internal = true;
+      };
+    };
+    options.subdomains = mkOption {
+      type = types.attrsOf (types.submodule [
+        {
+          config.vacu._ancestorHasDMARC = config.vacu.liamMail || config.vacu._ancestorHasDMARC;
+        }
+        vacuDomainExtModule
+      ]);
+    };
+    config = lib.mkMerge [
+      (lib.mkIf config.vacu.liamMail {
+        MX = singleton (mx.mx 0 "liam.dis8.net.");
+        TXT = singleton (
+          spf.strict [
+            "mx"
+            "include:outbound.mailhop.org"
+            "include:_spf.mailersend.net"
+            "a:relay.dynu.com"
+          ]
+        );
+        subdomains."${dkimKeyLiam.name}._domainkey".TXT = singleton dkimKeyLiam.content;
+      })
+      (lib.mkIf (config.vacu.liamMail && !config.vacu._ancestorHasDMARC) {
+        subdomains._dmarc.TXT = singleton dmarc;
+      })
+    ];
+  };
+  # vacuZone = lib.mkMerge [
+  #   dns.lib.types.zone
+  #   (types.submodule vacuZoneExtModule)
+  # ];
+in
+{
+  imports = [
+    ./jean-luc.org.nix
+    ./pwrhs.win.nix
+    ./shelvacu.miras.pet.nix
+    ./for.miras.pet.nix
+    ./shelvacu.com.nix
+    ./dis8.net.nix
+    ./sv.mt.nix
+    ({ dns, ... }: {
+      options.vacu.dns = mkOption {
+        default = { };
+        type = types.attrsOf dns.lib.types.zone;
+      };
+    })
+  ];
+  options.vacu.dns = mkOption {
+    type = types.attrsOf (types.submodule vacuZoneExtModule);
+  };
+  options.vacu.dnsData = vaculib.mkOutOptions rec {
+    tripPublicV4 = hosts.triple-dezert.primaryIp;
+    propPublicV4 = hosts.prophecy.primaryIp;
+    digitalOcean = {
+      reservedV4 = "138.197.233.105";
+      liamPublicV4 = "178.128.79.152";
+      mailPublicV4 = "167.99.161.174";
+    };
+    doV4 = digitalOcean.reservedV4;
+    awooV4 = hosts.awoo.primaryIp;
+  };
+}

dns/dis8.net.nix

@@ -0,0 +1,28 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+  inherit (config.vacu.dnsData.digitalOcean) liamPublicV4 mailPublicV4 reservedV4;
+in
+{
+  vacu.dns."dis8.net" = { ... }: {
+    vacu.liamMail = true;
+
+    A = singleton mailPublicV4;
+    subdomains = {
+      do-a.A = singleton reservedV4;
+      liam.A = singleton reservedV4;
+      mail.A = singleton liamPublicV4;
+      auwwth = {
+        subdomains.ns.A = singleton dnsData.awooV4;
+        NS = singleton "ns.auwwth.dis8.net.";
+      };
+      solis.A = singleton config.vacu.hosts.solis.primaryIp;
+      "_acme-challenge".CNAME = singleton "a55a31f9-74ac-44fc-bf97-c8c9f2498d3a.auth.dis8.net.";
+    };
+  };
+}

dns/for.miras.pet.nix

@@ -0,0 +1,26 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."for.miras.pet" =
+    { ... }:
+    {
+      subdomains = {
+        "git".A = singleton dnsData.tripPublicV4;
+        "auth".A = singleton dnsData.tripPublicV4;
+        "wisdom".A = singleton dnsData.tripPublicV4;
+        "chat" =
+          { ... }:
+          {
+            config.vacu.liamMail = true;
+            config.A = singleton dnsData.tripPublicV4;
+            config.subdomains."duo-1745490301302-14f65157._domainkey".TXT =
+              singleton "v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA/94Rh5eMPsKwGGolkleY1Rhh2Q6H22bfdGVu0lXpoHP1K7JxloWu/Ice2vVN/udztmPY+BK1x+5qubcGZKpPt1bC9amsXnyTXfKIMGD2CNd0tnaO54hmMOfv+lTA9YjF0X93tcQP3yUxJgJ9yPZcalFl/bBAqv4/lUVLYFeIVQIDAQAB";
+          };
+        "gabriel-dropout".A = singleton dnsData.tripPublicV4;
+        "_acme-challenge".CNAME = singleton "199b8aa4-bc9f-4f43-88bf-3f613f62b663.auwwth.dis8.net.";
+      };
+    };
+}

dns/jean-luc.org.nix

@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+  main_ips = singleton dnsData.tripPublicV4;
+in
+{
+  vacu.dns."jean-luc.org" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = main_ips;
+      NS = lib.mkAfter [ "ns2.afraid.org." ]; # note: appends to NS records from modules.cloudns
+      subdomains = {
+        "in".vacu.liamMail = true;
+        "*".A = main_ips;
+        "_acme-challenge".CNAME = singleton "8cc7a174-c4a6-40f5-9fff-dfb271c5ce0b.auwwth.dis8.net.";
+        "stats".A = main_ips;
+        "tdi-readings".CNAME = singleton "d20l6bh1gp7s8.cloudfront.net.";
+        "_a908498ee692a9729bf12e161ae1887d.tdi-readings".CNAME =
+          singleton "_1f055e4fc0f439e67304a33945d09002.hkvuiqjoua.acm-validations.aws.";
+      };
+    };
+}

dns/pwrhs.win.nix

@@ -0,0 +1,14 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."pwrhs.win" =
+    { ... }:
+    {
+      A = singleton dnsData.tripPublicV4;
+      subdomains.habitat.A = singleton dnsData.tripPublicV4;
+      subdomains._acme-challenge.CNAME = singleton "73697955-1c51-48ba-ba1e-b3398850f59f.auwwth.dis8.net.";
+    };
+}

dns/shelvacu.com.nix

@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  vaculib,
+  ...
+}:
+let
+  s = v: [ v ];
+  inherit (config.vacu) dnsData;
+  trip_ips = s dnsData.tripPublicV4;
+  prop_ips = s dnsData.propPublicV4;
+  solis_ips = s config.vacu.hosts.solis.primaryIp;
+  mail_thing = s "178.128.79.152";
+  # which domains to allow dmarc reports.
+  # ex: _dmarc.dis8.net TXT has "rua=rua-reports@shelvacu.com", reports will only be sent if shelvacu.com allows them
+  # allow all domains configured in this repo, and one level of subdomain (ideally all but thats hard, this should be good enough)
+  allow_report_domains = lib.pipe config.vacu.dns [
+    lib.attrNames
+    (list: list ++ [ "theviolincase.com" "violingifts.com" ])
+    (lib.concatMap (domain: [domain "*.${domain}"]))
+  ];
+in
+{
+  vacu.dns."shelvacu.com" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = trip_ips;
+      CAA = [
+        {
+          issuerCritical = true;
+          tag = "issue";
+          value = "letsencrypt.org";
+        }
+        {
+          issuerCritical = true;
+          tag = "issue";
+          value = "sectigo.com";
+        }
+        {
+          issuerCritical = true;
+          tag = "issuewild";
+          value = "letsencrypt.org";
+        }
+        {
+          issuerCritical = false;
+          tag = "iodef";
+          value = "mailto:caa-violation@shelvacu.com";
+        }
+      ];
+      subdomains = {
+        _acme-challenge.CNAME = s "5cb20bf7-5203-417f-b729-fa3a3ad3b775.auwwth.dis8.net.";
+        _atproto.TXT = s "did=did:plc:oqenurzqeji6ulii3myxls64";
+        "_report._dmarc".subdomains = vaculib.mapNamesToAttrsConst { TXT = s "v=DMARC1"; } allow_report_domains;
+        admin-garage-trip.A = trip_ips;
+        auth.A = trip_ips;
+        autoconfig.A = mail_thing;
+        awoo.A = s "45.142.157.71";
+        dav.A = trip_ips;
+        dav-experiment.A = prop_ips;
+        ft.subdomains = {
+          "*".A = s "45.87.250.193";
+          _acme-challenge.CNAME = s "17aa43aa-9295-4522-8cf2-b94ba537753d.auth.acme-dns.io.";
+        };
+        # hzo3bcydh5khtpeio6zrzb7kwcwiccnh.subdomains._domainkey.CNAME = s "hzo3bcydh5khtpeio6zrzb7kwcwiccnh.dkim.amazonses.com.";
+        id.A = trip_ips;
+        imap.A = mail_thing;
+        jobs.A = trip_ips;
+        llm.A = trip_ips;
+        mail.A = mail_thing;
+        # mlsend2.subdomains._domainkey.CNAME = s "mlsend2._domainkey.mailersend.net.";
+        mumble.A = prop_ips;
+        nixcache.A = trip_ips;
+        ns1.CNAME = s "pns51.cloudns.net.";
+        ns2.CNAME = s "pns52.cloudns.net.";
+        ns3.CNAME = s "pns53.cloudns.net.";
+        ns4.CNAME = s "pns54.cloudns.net.";
+        prop.CNAME = s "prophecy";
+        prophecy.A = prop_ips;
+        prophecy.subdomains.garage.subdomains = {
+          s3.A = prop_ips;
+          admin.A = prop_ips;
+        };
+        rad.A = trip_ips;
+        s3-garage-trip.A = trip_ips;
+        servacu.A = s "167.99.161.174";
+        smtp.A = mail_thing;
+        sol.CNAME = s "solis";
+        solis.A = solis_ips;
+        solis.subdomains.garage.subdomains = {
+          s3.A = solis_ips;
+          admin.A = solis_ips;
+        };
+        trip.A = trip_ips;
+        vaultwarden.A = trip_ips;
+        www.A = trip_ips;
+      };
+    };
+}

dns/shelvacu.miras.pet.nix

@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."shelvacu.miras.pet" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = singleton dnsData.tripPublicV4;
+      subdomains."_acme-challenge".CNAME =
+        singleton "65e44f64-3c65-46f6-b15f-4ad6363b21eb.auwwth.dis8.net.";
+    };
+}

dns/sv.mt.nix

@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."sv.mt" =
+    { ... }:
+    {
+      vacu.liamMail = true;
+      A = singleton dnsData.propPublicV4;
+      subdomains.www.A = singleton dnsData.propPublicV4;
+      subdomains.thisthirdlevelisownedbyshelandwasnotmadeavailabletoemily = {
+        NS = [
+          "thisns1isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns2isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns3isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns4isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+          "thisns5isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
+        ];
+        # TXT = singleton "ha5d5dc3ca7b34574bc60929e3910ba8a";
+      };
+    };
+}

dprop

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+git add . && nixos-rebuild --flake .#prophecy --build-host prop --target-host prop --use-remote-sudo "$@"

dtrip

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo "$@"

flake.nix

@@ -1,88 +1,86 @@
 {
-  description = "Config for triple-dezert server";
+  description = "Configs for shelvacu's nix things";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05-small";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "nixpkgs/nixos-25.05-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
 
-    flake-utils.url = "github:numtide/flake-utils";
-    nixvim = {
-      url = "github:nix-community/nixvim/nixos-24.05";
+    disko = {
+      url = "git+https://git.uninsane.org/shelvacu/disko.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixvim-unstable = {
-      url = "github:nix-community/nixvim";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-    nix-inspect = {
-      url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    nix-inspect-unstable = {
-      url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-    vscode-server-unstable = {
-      url = "github:nix-community/nixos-vscode-server";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    vscode-server = {
-      url = "github:nix-community/nixos-vscode-server";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    nix-on-droid = {
-      url = "github:nix-community/nix-on-droid";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
-    };
-    jovian-unstable = {
-      # there is no stable jovian :cry:
-      url = "github:Jovian-Experiments/Jovian-NixOS";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
     disko-unstable = {
-      url = "github:nix-community/disko";
+      url = "git+https://git.uninsane.org/shelvacu/disko.git";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+    dns = {
+      url = "github:nix-community/dns.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+    flake-compat.url = "github:edolstra/flake-compat";
+    flake-utils.url = "github:numtide/flake-utils";
     home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     home-manager-unstable = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    nix-search-cli-unstable = {
-      url = "github:peterldowns/nix-search-cli";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    nix-search-cli = {
-      url = "github:peterldowns/nix-search-cli";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    padtype-unstable = {
-      url = "gitlab:shelvacu/padtype";
+    impermanence.url = "github:nix-community/impermanence";
+    jovian-unstable = {
+      # there is no stable jovian :cry:
+      url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    microvm = {
-      url = "github:astro/microvm.nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    nixos-hardware.url = "github:nixos/nixos-hardware";
     most-winningest = {
       url = "github:captain-jean-luc/most-winningest";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.flake-utils.follows = "flake-utils";
     };
+    nixos-hardware.url = "github:nixos/nixos-hardware";
+    nixos-apple-silicon-unstable = {
+      url = "github:tpwrules/nixos-apple-silicon";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    nixvim = {
+      url = "github:nix-community/nixvim/nixos-25.05";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixvim-unstable = {
+      url = "github:nix-community/nixvim";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    nix-colors = {
+      url = "github:Misterio77/nix-colors";
+    };
+    nix-on-droid = {
+      url = "github:nix-community/nix-on-droid";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+    padtype-unstable = {
+      url = "git+https://git.uninsane.org/shelvacu/padtype.git";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    tf2-nix = {
+      url = "gitlab:shelvacu-forks/tf2-nix/with-my-patches";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    vacu-keys = {
+      url = "git+https://git.uninsane.org/shelvacu/keys.nix.git";
+      flake = false;
+    };
   };
 
   outputs =
@@ -90,247 +88,410 @@
       self,
       nixpkgs,
       nix-on-droid,
-      home-manager,
       ...
-    }@inputs:
+    }@allInputs:
     let
-      blarg = {
-        config.allowUnfree = true;
-      };
-      pkgs = import nixpkgs ({ system = "x86_64-linux"; } // blarg);
-      aarchpkgs = import nixpkgs ({ system = "aarch64-linux"; } // blarg);
-      defaultInputs = {
-        inherit (inputs)
-          self
-          nix-search-cli
-          nix-inspect
-          nixvim
-          ;
-      };
-      defaultArgs = {
-        inputs = defaultInputs;
-      };
+      x86 = "x86_64-linux";
+      arm = "aarch64-linux";
+      lib = import "${nixpkgs}/lib";
+      overlays = import ./overlays;
+      vacuModules = import ./modules;
+      mkVaculib = { pkgs }: import ./vaculib { inherit pkgs; nix-colors-lib = allInputs.nix-colors.lib; };
+      vaculib = mkVaculib { inherit pkgs; };
+      defaultSuffixedInputNames = [
+        "nixvim"
+        "nixpkgs"
+      ];
+      defaultInputs = { inherit (allInputs) self vacu-keys; };
+      mkInputs =
+        {
+          unstable ? false,
+          inp ? [ ],
+        }:
+        let
+          suffix = if unstable then "-unstable" else "";
+          inputNames = inp ++ defaultSuffixedInputNames;
+          thisInputsA = vaculib.mapNamesToAttrs (name: allInputs.${name + suffix}) inputNames;
+        in
+        if inp == "all" then allInputs else thisInputsA // defaultInputs;
+      mkPkgs =
+        arg:
+        let
+          argAttrAll = if builtins.isString arg then { system = arg; } else arg;
+          unstable = argAttrAll.unstable or false;
+          whichpkgs = if unstable then allInputs.nixpkgs-unstable else allInputs.nixpkgs;
+          argAttr = lib.removeAttrs argAttrAll [ "unstable" ];
+          config = {
+            allowUnfree = true;
+            # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
+            # presumably needed by nheko
+            permittedInsecurePackages = [
+              "olm-3.2.16"
+              "fluffychat-linux-1.27.0"
+            ];
+          } // (argAttr.config or { });
+        in
+        import whichpkgs (
+          argAttr // { inherit config; } // { overlays = (argAttr.overlays or [ ]) ++ overlays; }
+        );
+      mkCommon =
+        {
+          unstable ? false,
+          inp ? [ ],
+          system ? x86,
+          vacuModuleType,
+        }:
+        let
+          pkgsStable = mkPkgs { unstable = false; inherit system; };
+          pkgsUnstable = mkPkgs { unstable = true; inherit system; };
+          pkgs = if unstable then pkgsUnstable else pkgsStable;
+          inputs = mkInputs { inherit unstable inp; };
+          vaculib = mkVaculib { inherit pkgs; };
+        in
+        {
+          inherit pkgs pkgsStable pkgsUnstable inputs vaculib;
+          specialArgs = {
+            inherit inputs vacuModules vacuModuleType vaculib pkgsStable pkgsUnstable;
+            inherit (allInputs) dns;
+          };
+        };
+      mkPlain =
+        {
+          unstable ? false,
+          system ? x86,
+        }@args:
+        let
+          common = mkCommon (args // {
+            vacuModuleType = "plain";
+            inp = "all";
+          });
+          inner = lib.evalModules {
+            modules = [
+              ./common
+              { vacu.systemKind = "server"; }
+            ];
+            specialArgs = common.specialArgs // {
+              inherit (common) pkgs;
+              inherit (common.pkgs) lib;
+            };
+          };
+        in
+        inner.config.vacu.withAsserts inner;
+      pkgs = mkPkgs x86;
+      mkNixosConfig =
+        {
+          unstable ? false,
+          module,
+          system ? "x86_64-linux",
+          inp ? [ ],
+        }:
+        let
+          common = mkCommon { inherit unstable inp system; vacuModuleType = "nixos"; };
+        in
+        allInputs.nixpkgs.lib.nixosSystem {
+          inherit (common) specialArgs;
+          inherit system;
+          modules = [
+            { nixpkgs.pkgs = common.pkgs; }
+            ./common
+            module
+          ];
+        };
     in
     {
       debug.isoDeriv = (
-        import "${inputs.nixpkgs}/nixos/release-small.nix" {
-          nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
+        import "${allInputs.nixpkgs}/nixos/release-small.nix" {
+          nixpkgs = ({ revCount = 0; } // allInputs.nixpkgs);
         }
       );
-      nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [ ./triple-dezert ];
-        specialArgs = {
-          inputs = defaultInputs // {
-            inherit (inputs) most-winningest;
-          };
+
+      lib = {
+        inherit
+          mkPlain
+          mkPkgs
+          mkInputs
+          mkNixosConfig
+          vaculib
+          ;
+      };
+
+      nixosConfigurations = {
+        triple-dezert = mkNixosConfig {
+          module = ./hosts/triple-dezert;
+          inp = [
+            "most-winningest"
+            "sops-nix"
+          ];
+        };
+        compute-deck = mkNixosConfig {
+          module = ./hosts/compute-deck;
+          inp = [
+            "jovian"
+            "home-manager"
+            "disko"
+            "padtype"
+          ];
+          unstable = true;
+        };
+        liam = mkNixosConfig {
+          module = ./hosts/liam;
+          inp = [ "sops-nix" ];
+        };
+        lp0 = mkNixosConfig { module = ./hosts/lp0; };
+        shel-installer-iso = mkNixosConfig { module = ./hosts/installer/iso.nix; };
+        shel-installer-pxe = mkNixosConfig { module = ./hosts/installer/pxe.nix; };
+        fw = mkNixosConfig {
+          module = ./hosts/fw;
+          inp = [
+            "nixos-hardware"
+            "sops-nix"
+            "tf2-nix"
+          ];
+        };
+        legtop = mkNixosConfig {
+          module = ./hosts/legtop;
+          inp = [ "nixos-hardware" ];
+        };
+        mmm = mkNixosConfig {
+          module = ./hosts/mmm;
+          inp = [ "nixos-apple-silicon" ];
+          system = "aarch64-linux";
+          unstable = true;
+        };
+        prophecy = mkNixosConfig {
+          module = ./hosts/prophecy;
+          system = "x86_64-linux";
+          inp = [
+            "impermanence"
+            "sops-nix"
+            "disko"
+          ];
+        };
+        solis = mkNixosConfig {
+          module = ./hosts/solis;
+          system = "x86_64-linux";
+          inp = [
+            "disko"
+            "impermanence"
+            "sops-nix"
+          ];
         };
       };
 
-      nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [ ./compute-deck ];
-        specialArgs = {
-          inputs = {
-            jovian = inputs.jovian-unstable;
-            home-manager = inputs.home-manager-unstable;
-            vscode-server = inputs.vscode-server-unstable;
-            disko = inputs.disko-unstable;
-            padtype = inputs.padtype-unstable;
-            nix-search-cli = inputs.nix-search-cli-unstable;
-            nix-inspect = inputs.nix-inspect-unstable;
-            nixvim = inputs.nixvim-unstable;
-            self = inputs.self;
-          };
+      nixOnDroidConfigurations.default =
+        let
+          common = mkCommon { system = arm; vacuModuleType = "nix-on-droid"; };
+        in
+        nix-on-droid.lib.nixOnDroidConfiguration {
+          modules = [
+            ./common
+            ./hosts/nix-on-droid
+          ];
+          extraSpecialArgs = common.specialArgs;
+          inherit (common) pkgs;
         };
-      };
 
-      nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [ ./liam ];
-        specialArgs = {
-          inputs = defaultInputs // {
-            inherit (inputs) sops-nix;
-          };
-        };
-      };
-
-      nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [ ./lp0 ];
-        specialArgs = defaultArgs;
-      };
-
-      nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [ ./installer.nix ];
-        specialArgs = defaultArgs;
-      };
-
-      nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [ ./devver ];
-        specialArgs = {
-          inputs = defaultInputs // {
-            inherit (inputs) home-manager;
-          };
-        };
-      };
-
-      nixosConfigurations.fw = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [ ./fw ];
-        specialArgs = {
-          inputs = defaultInputs // {
-            inherit (inputs) nixos-hardware;
-          };
-        };
-      };
-
-      nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
-        modules = [ ./nix-on-droid ];
-        extraSpecialArgs = {
-          inputs = defaultInputs // {
-            inherit (inputs) nixpkgs;
-          };
-        };
-        pkgs = import nixpkgs { system = "aarch64-linux"; };
-      };
-
-      homeConfigurations."nix-on-droid" = home-manager.lib.homeManagerConfiguration {
-        modules = [
-          ./home/nix-on-droid.nix
-          { _module.args.inputs = defaultInputs; }
-        ];
-        pkgs = import nixpkgs { system = "aarch64-linux"; };
-      };
-
-      checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (
+      checks = nixpkgs.lib.genAttrs [ x86 ] (
         system:
         let
-          pkgs = import nixpkgs { inherit system; };
-          config = {
+          common = mkCommon { inherit system; vacuModuleType = "nixos"; };
+          inherit (common) pkgs;
+          plain = mkPlain { inherit system; };
+          commonTestModule = {
+            hostPkgs = pkgs;
+            _module.args.inputs = { inherit (allInputs) self; };
             node.pkgs = pkgs;
-            node.pkgsReadOnly = false;
-            node.specialArgs.selfPackages = self.packages.${system};
+            node.pkgsReadOnly = true;
+            node.specialArgs = (lib.removeAttrs common.specialArgs [ "inputs" ]) // { selfPackages = self.packages.${system}; };
           };
+          mkTest =
+            name:
+            nixpkgs.lib.nixos.runTest {
+              imports = [
+                commonTestModule
+                ./tests/${name}
+                { node.specialArgs.inputs = self.nixosConfigurations.${name}._module.specialArgs.inputs; }
+              ];
+            };
+          checksFromConfig = plain.config.vacu.checks;
         in
-        {
-          liam = nixpkgs.lib.nixos.runTest {
-            hostPkgs = pkgs;
-            imports = [
-              config
-              ./tests/liam.nix
-              { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
-            ];
-          };
-          trip = nixpkgs.lib.nixos.runTest {
-            hostPkgs = pkgs;
-            imports = [
-              config
-              ./tests/triple-dezert.nix
-              { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
-            ];
-          };
+        assert !(checksFromConfig ? liam) && !(checksFromConfig ? trip);
+        checksFromConfig
+        // {
+          liam = mkTest "liam";
+          triple-dezert = mkTest "triple-dezert";
         }
       );
 
-      nixosModules.common = import ./common/module.nix;
-      packages.x86_64-linux.sm64coopdx = pkgs.callPackage ./coopdx.nix { inherit nixpkgs; };
-      packages.x86_64-linux.snmpb = pkgs.libsForQt5.callPackage ./packages/snmpb/package.nix { };
-      packages.x86_64-linux.snmp-mibs-downloader =
-        pkgs.callPackage ./packages/snmp-mibs-downloader.nix
-          { };
-      packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix {
-        inherit inputs;
-      };
-      packages.x86_64-linux.authorizedKeys = pkgs.writeText "authorizedKeys" (
-        pkgs.lib.concatStringsSep "\n" self.nixosConfigurations.fw.config.vacu.ssh.authorizedKeys
-      );
-      packages.aarch64-linux.authorizedKeys =
-        let
-          pkgs = aarchpkgs;
-        in
-        pkgs.writeText "authorizedKeys" (
-          pkgs.lib.concatStringsSep "\n" self.nixOnDroidConfigurations.default.config.vacu.ssh.authorizedKeys
-        );
-
-      qb = # qb is "quick build"
+      buildList =
         let
           toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
-          deterministicCerts = import ./deterministic-certs.nix { nixpkgs = pkgs; };
+          deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; };
+          renamedAarchPackages = lib.mapAttrs' (
+            name: value: lib.nameValuePair (name + "-aarch64") value
+          ) self.packages.aarch64-linux;
+          packages = self.packages.x86_64-linux // renamedAarchPackages;
+          pxe-build = self.nixosConfigurations.shel-installer-pxe.config.system.build;
         in
-        rec {
+        {
           fw = toplevelOf "fw";
           triple-dezert = toplevelOf "triple-dezert";
-          trip = triple-dezert;
           compute-deck = toplevelOf "compute-deck";
-          cd = compute-deck;
           liam = toplevelOf "liam";
           lp0 = toplevelOf "lp0";
-          devver = toplevelOf "devver";
-          shel-installer = toplevelOf "shel-installer";
-          iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
-          do = self.packages.x86_64-linux.digitalOceanImage;
-          snmpb = self.packages.x86_64-linux.snmpb;
-          check-triple-dezert = self.checks.x86_64-linux.trip.driver;
-          check-trip = check-triple-dezert;
+          legtop = toplevelOf "legtop";
+          mmm = toplevelOf "mmm";
+          shel-installer-iso = toplevelOf "shel-installer-iso";
+          shel-installer-pxe = toplevelOf "shel-installer-pxe";
+          prophecy = toplevelOf "prophecy";
+          iso = self.nixosConfigurations.shel-installer-iso.config.system.build.isoImage;
+          pxe-toplevel = toplevelOf "shel-installer-pxe";
+          pxe-kernel = pxe-build.kernel;
+          pxe-initrd = pxe-build.netbootRamdisk;
+          check-triple-dezert = self.checks.x86_64-linux.triple-dezert.driver;
           check-liam = self.checks.x86_64-linux.liam.driver;
+          liam-sieve = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
 
           nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
-          nod = nix-on-droid;
 
-          nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
-          nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
-
-          inherit (self.packages.x86_64-linux) authorizedKeys sm64coopdx;
-          authorizedKeysAarch = self.packages.aarch64-linux.authorizedKeys;
-          ak = authorizedKeys;
-
-          coopdx = sm64coopdx;
+          nod-bootstrap-x86_64 = allInputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
+          nod-bootstrap-aarch64 = allInputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
 
           dc-priv = deterministicCerts.privKeyFile "test";
           dc-cert = deterministicCerts.selfSigned "test" { };
-        };
 
-      all =
-        pkgs.runCommand "nix-stuff-all"
-          {
-            __structuredAttrs = true;
-            links = self.qb;
-          }
-          ''
-            mkdir $out
-            cd $out
-            eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
-          '';
+          inherit (allInputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
+            m1n1
+            uboot-asahi
+            installer-bootstrap
+            ;
+          installer-bootstrap-cross =
+            allInputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
+        }
+        // packages;
 
-      allPure = self.all.overrideAttrs (prev: {
-        links = removeAttrs prev.links [
-          "nix-on-droid"
-          "nod"
-          "nod-bootstrap-x86_64"
-          "nod-bootstrap-aarch64"
-        ];
-      });
+      qb = self.buildList // {
+        trip = self.buildList.triple-dezert;
+        cd = self.buildList.compute-deck;
+        lt = self.buildList.legtop;
+        prop = self.buildList.prophecy;
+        check-trip = self.buildList.check-triple-dezert;
+        nod = self.buildList.nix-on-droid;
+        ak = self.buildList.authorizedKeys;
+        my-sops = self.buildList.wrappedSops;
+      };
 
-      allWithBuildDeps =
-        let
-          info = pkgs.closureInfo { rootPaths = [ self.all.drvPath ]; };
-        in
-        self.all.overrideAttrs (prev: {
-          links = prev.links // {
-            build-deps = info;
-          };
-        });
+      brokenBuilds = [
+        "sm64coopdx-aarch64"
+        "installer-bootstrap"
+      ];
+
+      impureBuilds = [
+        "nix-on-droid"
+        "nod"
+        "nod-bootstrap-x86_64"
+        "nod-bootstrap-aarch64"
+      ];
+
+      archival = import ./archive.nix { inherit self pkgs lib; };
     }
-    // (inputs.flake-utils.lib.eachDefaultSystem (
+    // (allInputs.flake-utils.lib.eachDefaultSystem (
       system:
       let
-        pkgs = import nixpkgs { inherit system; };
+        mkNixvim =
+          { unstable, minimal }:
+          let
+            common = mkCommon { inherit unstable; vacuModuleType = "nixvim"; };
+            nixvim-input = if unstable then allInputs.nixvim-unstable else allInputs.nixvim;
+          in
+          nixvim-input.legacyPackages.${system}.makeNixvimWithModule {
+            module = {
+              imports = [ ./nixvim ];
+            };
+            extraSpecialArgs = common.specialArgs // { inherit minimal; };
+          };
+        common = mkCommon { unstable = true; vacuModuleType = "plain"; };
+        inherit (common) pkgs pkgsStable pkgsUnstable;
+        plain = mkPlain { unstable = true; };
+        treefmtEval = allInputs.treefmt-nix.lib.evalModule pkgsUnstable ./treefmt.nix;
+        formatter = treefmtEval.config.build.wrapper;
+        vacuPackagePaths = import ./packages;
+        vacuPackages = builtins.intersectAttrs vacuPackagePaths pkgsStable;
       in
       {
-        formatter = pkgs.nixfmt-rfc-style;
+        inherit formatter;
+        inherit (common) vaculib;
+        apps.sops = {
+          type = "app";
+          program = lib.getExe self.packages.${system}.wrappedSops;
+        };
+        vacuConfig = plain.config;
+        inherit vacuPackages;
+        legacyPackages = {
+          unstable = pkgsUnstable;
+          stable = pkgsStable;
+          nixpkgs-update = { ... }@args: import "${allInputs.nixpkgs}/maintainers/scripts/update.nix" ({ include-overlays = [ (import ./overlays/newPackages.nix) ]; } // args);
+        };
+        packages = rec {
+          archive = pkgsStable.callPackage ./scripts/archive { };
+          authorizedKeys = pkgsStable.writeText "authorizedKeys" (
+            lib.concatStringsSep "\n" (
+              lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys
+            )
+          );
+          dns = import ./scripts/dns {
+            inherit pkgs lib;
+            inputs = allInputs;
+            inherit (plain) config;
+          };
+          inherit formatter;
+          generated = pkgsStable.linkFarm "generated" {
+            nixpkgs = "${allInputs.nixpkgs}";
+            "liam-test/hints.py" = pkgs.writeText "hints.py" (
+              import ./typesForTest.nix {
+                name = "liam";
+                inherit (pkgsStable) lib;
+                inherit self;
+                inherit (allInputs) nixpkgs;
+              }
+            );
+            "dns/python-env" = builtins.dirOf (builtins.dirOf dns.interpreter);
+            "mailtest/python-env" = builtins.dirOf (
+              builtins.dirOf self.checks.x86_64-linux.liam.nodes.checker.vacu.mailtest.smtp.interpreter
+            );
+          };
+          host-pxe-installer = pkgs.callPackage ./host-pxe-installer.nix {
+            nixosInstaller = self.nixosConfigurations.shel-installer-pxe;
+          };
+          liam-sieve-script = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
+          nixvim = mkNixvim {
+            unstable = false;
+            minimal = false;
+          };
+          nixvim-unstable = mkNixvim {
+            unstable = true;
+            minimal = false;
+          };
+          nixvim-minimal = mkNixvim {
+            unstable = false;
+            minimal = true;
+          };
+          nixvim-unstable-minimal = mkNixvim {
+            unstable = true;
+            minimal = true;
+          };
+          # optionsDocNixOnDroid = (pkgs.nixosOptionsDoc {
+          #   inherit (self.nixOnDroidConfigurations.default) options;
+          # }).optionsCommonMark;
+          openterface-qt-eudev = vacuPackages.openterface-qt.override { useSystemd = false; };
+          openterface-qt-systemd = vacuPackages.openterface-qt.override { useSystemd = true; };
+          sopsConfig = plain.config.vacu.sopsConfigFile;
+          sourceTree = plain.config.vacu.sourceTree;
+          units = plain.config.vacu.units.finalPackage;
+          update-git-keys = pkgsStable.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; inputs = allInputs; };
+          vnopnCA = pkgsStable.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
+          wrappedSops = plain.config.vacu.wrappedSops;
+        } // vacuPackages;
       }
     ));
 }

generic-digitalocean-nixos.nix

@@ -1,15 +0,0 @@
-{
-  inputs,
-  system ? "x86_64-linux",
-}:
-let
-  pkgs = inputs.nixpkgs.legacyPackages.${system};
-  config =
-    { config, ... }:
-    {
-      imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ];
-
-      system.stateVersion = config.system.nixos.release;
-    };
-in
-(pkgs.nixos config).digitalOceanImage

hosts/compute-deck/default.nix

@@ -1,12 +1,4 @@
-{
-  config,
-  pkgs,
-  lib,
-  jovian,
-  inputs,
-  ...
-}:
-
+{ pkgs, inputs, ... }:
 {
   imports = [
     inputs.jovian.nixosModules.jovian
@@ -17,21 +9,27 @@
     ./bluetooth.nix
     ./partitioning.nix
     ./padtype.nix
-    ../common/nixos.nix
   ];
 
-  boot.loader.systemd-boot.enable = false;
-  boot.loader.efi.efiSysMountPoint = "/boot/EFI";
-  boot.loader.grub.efiSupport = true;
-  boot.loader.grub.device = "nodev";
-  boot.loader.efi.canTouchEfiVariables = false;
-  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader = {
+    systemd-boot.enable = false;
+    efi = {
+      efiSysMountPoint = "/boot/EFI";
+      canTouchEfiVariables = false;
+    };
+    grub = {
+      efiSupport = true;
+      device = "nodev";
+      efiInstallAsRemovable = true;
+    };
+  };
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   vacu.hostName = "compute-deck";
   vacu.shortHostName = "cd";
   vacu.shell.color = "blue";
+  vacu.systemKind = "desktop";
   networking.hostId = "e595d9b0";
 
   boot.supportedFilesystems = [ "zfs" ];
@@ -45,23 +43,15 @@
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
+  services.desktopManager.plasma6.enable = true;
 
   services.openssh.enable = true;
 
-  environment.systemPackages = with pkgs; [
-    audacity
-    librewolf
+  vacu.packages = ''
     jupiter-hw-support
     steamdeck-firmware
     steamdeck-bios-fwupd
-    cargo
-    clippy
-    rust-analyzer
-    rustc
-    rustfmt
-    rustup
-  ];
+  '';
 
   # boot.kernelPatches = [
   #   {

hosts/compute-deck/hardware.nix

@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }:
@@ -49,11 +48,13 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
     fsType = "ext4";
+    options = [ "nofail" ];
   };
 
   fileSystems."/boot/EFI" = {
     device = "/dev/disk/by-uuid/C268-79C8";
     fsType = "vfat";
+    options = [ "nofail" ];
   };
 
   swapDevices = [ ];

hosts/compute-deck/home.nix

@@ -1,16 +1,7 @@
-{ inputs, ... }:
+{ ... }:
 {
   home-manager.users.shelvacu = {
-    # these make vscode-remote work
-    imports = [ inputs.vscode-server.homeModules.default ];
-    services.vscode-server.enable = true;
-
     home.stateVersion = "23.11";
-    programs.git = {
-      enable = true;
-      userName = "Shelvacu";
-      userEmail = "git@shelvacu.com";
-    };
     programs.librewolf = {
       enable = true;
 

hosts/compute-deck/padtype.nix

@@ -11,4 +11,12 @@ in
   };
 
   boot.initrd.preLVMCommands = "${padtype-pkg}/bin/padtype &";
+  boot.initrd.kernelModules = [
+    "uhid"
+    "i2c_hid_acpi"
+    "usbhid"
+    "mac_hid"
+    "evdev"
+    "uinput"
+  ];
 }

hosts/fw/apex.nix

@@ -1,16 +1,28 @@
 # everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
-{ pkgs, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  # to match package used in config.services.pcscd, unfortunately not exposed like usual
+  pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
+in
 {
   # apparently this is already enabled??
   # nixpkgs.overlays = [ ( final: prev: {
   #   libfido2 = prev.libfido2.override { withPcsclite = true; };
   # } ) ];
-  vacu.packages = with pkgs; [
-    libfido2
-    pcsclite
-    pcsc-tools
-    scmccid
-    opensc
+  vacu.packages = lib.mkMerge [
+    ''
+      libfido2
+      pcsc-tools
+      scmccid
+      opensc
+      pcsclite
+    ''
+    { pcsclite.package = pcsclite-pkg; }
   ];
 
   services.pcscd.enable = true;
@@ -53,12 +65,12 @@
     '')
   ];
 
-  programs.firefox.enable = true;
-  #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+  # programs.firefox.enable = true;
+  # programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
 
   # trying CTAP-bridge
   services.udev.extraRules = ''
-    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
-    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
+    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE="0666", TAG+="uaccess"
+    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE="0666", TAG+="uaccess"
   '';
 }

hosts/fw/default.nix

@@ -1,69 +1,65 @@
-{
-  config,
-  inputs,
-  pkgs,
-  lib,
-  ...
-}:
+{ inputs, pkgs, lib, vacuModules, ... }:
 {
   imports = [
-    ../common/nixos.nix
     inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    "${inputs.self}/tf2"
+    vacuModules.sops
     ./apex.nix
     ./android.nix
+    ./thunderbolt.nix
+    ./fwupd.nix
+    ./zfs.nix
+    ./virtualbox.nix
+    ./radicle.nix
+    ./tpm-fido.nix
+    ./podman.nix
+    ./waydroid.nix
   ];
 
-  vacu.hostName = "fw"; # Define your hostname.
+  boot.supportedFilesystems = [ "bcachefs" ];
+
+  vacu.hostName = "fw";
   vacu.shell.color = "magenta";
   vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
+  vacu.systemKind = "laptop";
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  # standard kernel: waydroid works
+  # lqx kernel: games run with less stutters
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_lqx;
+  # boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_15;
+
   networking.networkmanager.enable = true;
+  services.irqbalance.enable = true;
   # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
 
   services.fprintd.enable = false; # kinda broken
 
-  vacu.packages = with pkgs; [
-    bitwarden-desktop
-    nheko
-    librewolf
-    brave
-    thunderbird
-    wl-clipboard
-    nextcloud-client
-    signal-desktop
-    fw-ectool
-    framework-tool
-    iio-sensor-proxy
-    power-profiles-daemon
-    acpi
-    jellyfin-media-player
-    vlc
-    dmidecode
-    prismlauncher
-    ffmpeg_7-full
-    wireshark
-    obsidian
-    dino
-    aircrack-ng
-    libreoffice-qt6-fresh
-    gimp
-    # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
-    (inkscape-with-extensions.override { inkscapeExtensions = null; })
-    libsmi
-    net-snmp
-  ];
+  users.users.shelvacu.extraGroups = [ "dialout" ];
 
-  services.fwupd.enable = true;
-  #fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
-  #update: it didn't work, I dunno why. Leaving this here anyways
-  services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
+  programs.steam.extraCompatPackages = [ pkgs.proton-ge-bin ];
+
+  vacu.packages = ''
+    android-studio
+    framework-tool
+    fw-ectool
+    headsetcontrol
+    openterface-qt
+    intiface-central
+    osu-lazer
+    mumble
+    obs-studio
+  '';
+
+  services.power-profiles-daemon.enable = true;
 
   networking.firewall.enable = false;
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
   services.desktopManager.plasma6.enable = true;
+  services.printing.enable = true;
+  programs.system-config-printer.enable = true;
 
   boot.loader.grub.enable = true;
   boot.loader.grub.efiSupport = true;
@@ -82,9 +78,6 @@
   ];
 
   networking.hostId = "c6e309d5";
-  boot.zfs.extraPools = [ "fw" ];
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-  systemd.services.zfs-mount.enable = false;
 
   services.openssh.enable = true;
   system.stateVersion = "23.11"; # Did you read the comment?
@@ -96,21 +89,32 @@
     "usbhid"
     "sd_mod"
   ];
-  boot.initrd.kernelModules = [ ];
+  #boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
+  #boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
     device = "fw/root";
     fsType = "zfs";
   };
 
+  fileSystems."/cache" = {
+    device = "fw/cache";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home/shelvacu/cache" = {
+    device = "/cache/shelvacu";
+    options = [ "bind" ];
+  };
+
   fileSystems."/boot0" = {
     device = "/dev/disk/by-label/BOOT0";
     fsType = "vfat";
     options = [
       "fmask=0022"
       "dmask=0022"
+      "nofail"
     ];
   };
 
@@ -120,14 +124,13 @@
     options = [
       "fmask=0022"
       "dmask=0022"
+      "nofail"
     ];
   };
 
   hardware.cpu.amd.updateMicrocode = true;
   hardware.enableAllFirmware = true;
-  hardware.opengl = {
-    driSupport = true;
-    driSupport32Bit = true;
+  hardware.graphics = {
     extraPackages = [
       pkgs.rocmPackages.clr.icd
       pkgs.amdvlk
@@ -150,4 +153,6 @@
   services.blueman.enable = true;
 
   services.postgresql.enable = true; # for development
+
+  vacu.programs.thunderbird.enable = true;
 }

hosts/fw/fwupd.nix

@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+  vacu.packages = [ config.services.fwupd.package ];
+  services.fwupd.enable = true;
+  #fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
+  #update: it didn't work, I dunno why. Leaving this here anyways
+  services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
+}

hosts/fw/podman.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  virtualisation.containers.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    # Create a `docker` alias for podman, to use it as a drop-in replacement
+    dockerCompat = true;
+    # Required for containers under podman-compose to be able to talk to each other.
+    defaultNetwork.settings.dns_enabled = true;
+  };
+
+  users.users.shelvacu.extraGroups = [ "podman" ];
+}

hosts/fw/radicle.nix

@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+  sops.secrets.radicle-key = {
+    sopsFile = "${config.vacu.sops.secretsPath}/radicle-private.key";
+    format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
+  };
+  services.radicle = {
+    enable = true;
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
+    privateKeyFile = config.sops.secrets.radicle-key.path;
+    settings = {
+      node.alias = "shelvacu-fw";
+      seedingPolicy.default = "block";
+    };
+  };
+  vacu.packages.radicle-node = {
+    enable = true;
+    package = config.services.radicle.package;
+  };
+}

hosts/fw/thunderbolt.nix

@@ -0,0 +1,13 @@
+{ lib, config, ... }:
+{
+  services.hardware.bolt.enable = true;
+
+  vacu.packages = lib.mkMerge [
+    ''
+      thunderbolt
+      bolt
+      kdePackages.plasma-thunderbolt
+    ''
+    { bolt.package = config.services.hardware.bolt.package; }
+  ];
+}

hosts/fw/tpm-fido.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  vacu.packages = [ "tpm-fido" ];
+  users.groups.uhid = { };
+  users.users.shelvacu.extraGroups = [
+    config.security.tpm2.tssGroup
+    config.users.groups.uhid.name
+  ];
+  security.tpm2.enable = true;
+  security.tpm2.applyUdevRules = true;
+  services.udev.extraRules = ''
+    KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="${config.users.groups.uhid.name}", MODE="0660"
+  '';
+}

hosts/fw/virtualbox.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  virtualisation.virtualbox.host = {
+    enable = true;
+    enableExtensionPack = true;
+  };
+  users.extraGroups.vboxusers.members = [ "shelvacu" ];
+}

hosts/fw/waydroid.nix

@@ -0,0 +1,5 @@
+{ ... }:
+{
+  boot.kernelParams = [ "psi=1" ];
+  virtualisation.waydroid.enable = true;
+}

hosts/fw/zfs.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  boot.zfs.extraPools = [ "fw" ];
+  systemd.services.zfs-mount.enable = false;
+
+  # see also fileSystems."/"
+}

hosts/installer/common/default.nix

@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+{
+  # this is an installer image, created anew every time. There's no state we need to worry about messing up
+  system.stateVersion = config.system.nixos.release;
+  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+  vacu.hostName = "vacuInstaller";
+  vacu.shell.color = "red";
+  vacu.systemKind = "minimal";
+
+  vacu.packages = ''
+    acpi
+    iio-sensor-proxy
+    aircrack-ng
+    # bitwarden-cli # 800MB closure size!
+    borgbackup
+    dmidecode
+    home-manager
+    man
+    mercurial
+    nix-index
+    nix-inspect
+    nix-search-cli
+    nmap
+    nvme-cli
+    rclone
+    smartmontools
+    tcpdump
+    termscp
+  '';
+}

hosts/installer/iso.nix

@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./common
+    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+  ];
+  isoImage.isoBaseName = "nixos-shel-installer";
+}

hosts/installer/pxe.nix

@@ -0,0 +1,7 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./common
+    "${modulesPath}/installer/netboot/netboot-minimal.nix"
+  ];
+}

hosts/legtop/bluetooth.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+
+  # services.blueman.enable = true;
+}

hosts/legtop/default.nix

@@ -0,0 +1,48 @@
+{ pkgs, inputs, ... }:
+{
+  imports = [
+    ../common/nixos.nix
+    inputs.nixos-hardware.nixosModules.gpd-micropc
+    ./hardware.nix
+    ./bluetooth.nix
+  ];
+
+  vacu.hostName = "legtop";
+  vacu.shortHostName = "lt";
+  vacu.shell.color = "blue";
+  vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
+  vacu.systemKind = "laptop";
+
+  system.stateVersion = "24.05";
+
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  services.power-profiles-daemon.enable = true;
+  networking.networkmanager.enable = true;
+
+  services.openssh.enable = true;
+
+  services.xserver.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.displayManager.sddm.wayland.enable = true;
+  services.desktopManager.plasma6.enable = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+  hardware.enableAllFirmware = true;
+
+  services.fwupd.enable = true;
+
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  programs.steam.enable = true;
+
+  boot.kernelPackages = pkgs.linuxPackages_lqx;
+}

hosts/legtop/hardware.nix

@@ -0,0 +1,33 @@
+{ ... }:
+{
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/e3aebf24-be76-4064-a9f5-3930c8cd1382";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/7fd2ca2d-7faf-4d40-8cde-ce531fa679b5";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/4C47-D9A3";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+      "nofail"
+    ];
+  };
+  nixpkgs.hostPlatform = "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+}

hosts/liam/backup.nix

@@ -0,0 +1,156 @@
+{
+  config,
+  vaculib,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkOption;
+  cfg = config.vacu.liam.backup;
+  commonServiceConfig = {
+    Type = "oneshot";
+    StateDirectory = "auto-borg";
+    CacheDirectory = "auto-borg";
+    ReadOnlyPaths = cfg.paths ++ [ cfg.keyPath ];
+
+    User = cfg.user;
+    Group = cfg.user;
+
+    LockPersonality = true;
+    MemoryDenyWriteExecute = true;
+    PrivateDevices = true;
+    # PrivateUsers = true;
+    ProcSubset = "pid";
+    PrivateTmp = true;
+    ProtectClock = true;
+    ProtectControlGroups = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    ProtectSystem = "strict";
+    RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+    ];
+    RestrictNamespaces = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    SystemCallArchitectures = "native";
+    SystemCallFilter = [
+      "@system-service"
+      "~@privileged"
+    ];
+    UMask = "0077";
+    AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
+    CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
+  };
+in
+{
+  options.vacu.liam.backup = {
+    user = mkOption { default = "autoborger"; };
+    rsyncUser = mkOption { default = "fm2382"; };
+    rsyncHost = mkOption {
+      default = "${cfg.rsyncUser}.rsync.net";
+      defaultText = "(output)";
+    };
+    repo = mkOption {
+      default = "${cfg.rsyncUser}@${cfg.rsyncHost}:borg-repos/liam-backup";
+      defaultText = "(output)";
+    };
+    package = mkOption {
+      default = pkgs.borgbackup;
+      defaultText = "pkgs.borgbackup";
+    };
+    cmd = mkOption {
+      default = lib.getExe cfg.package;
+      defaultText = "lib.getExe cfg.package";
+    };
+    paths = mkOption {
+      default = [
+        "/var/lib/mail"
+        "/var/lib/dovecot"
+        "/var/log"
+      ];
+    };
+    keyPath = mkOption {
+      default = config.sops.secrets.liam-borg-key.path;
+      defaultText = "TODO";
+    };
+  };
+  config = {
+    vacu.assertions = lib.singleton {
+      assertion =
+        (lib.versionAtLeast cfg.package.version "1.4.0")
+        && !(lib.versionAtLeast cfg.package.version "1.5.0");
+      message = "Only for version 1.4.x";
+      fatal = true;
+    };
+
+    sops.secrets.liam-borg-key = {
+      owner = cfg.user;
+    };
+
+    # systemd.tmpfiles.settings."10-auto-borg" = lib.genAttrs cfg.paths (_:
+    #   {
+    #     # A+ = append to ACLs recursively
+    #     "A+" = {
+    #       argument = "u:${cfg.user}:r-x";
+    #     };
+    #   }
+    # );
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.user;
+      home = "/var/lib/auto-borg";
+    };
+    users.groups.${cfg.user} = { };
+    systemd.services.auto-borg-gen-key = {
+      script = ''
+        set -euo pipefail
+        ${lib.optionalString config.vacu.underTest "${pkgs.openssh}/bin/ssh -oBatchMode=yes -oStrictHostKeyChecking=accept-new ${cfg.rsyncHost} || true"}
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "$STATE_DIRECTORY"/id_ed25519 -N ""
+      '';
+      serviceConfig = commonServiceConfig;
+    };
+    systemd.services.auto-borg = {
+      script = ''
+        set -euo pipefail
+        # makes a date like 2025-04-15_21-24-29_UTC
+        dashed_date="$(date -u '+%F_%H-%M-%S_%Z')"
+        archive_name="liam-auto-backup--$dashed_date"
+        export BORG_PASSPHRASE="$(cat ${lib.escapeShellArg cfg.keyPath})"
+        export BORG_REMOTE_PATH="borg14"
+        export BORG_RSH="ssh -i $STATE_DIRECTORY/id_ed25519"
+        export BORG_REPO=${lib.escapeShellArg cfg.repo}
+        export BORG_CACHE_DIR="$CACHE_DIRECTORY/borg"
+        export BORG_CONFIG_DIR="$STATE_DIRECTORY/borg"
+        cmd=(
+          ${lib.escapeShellArg cfg.cmd}
+          create
+          --show-rc
+          --verbose
+          --show-version
+          --stats
+          --atime
+          "::$archive_name"
+          ${lib.escapeShellArgs cfg.paths}
+        )
+        "''${cmd[@]}"
+      '';
+      serviceConfig = commonServiceConfig;
+    };
+    systemd.timers.auto-borg = {
+      enable = !config.vacu.underTest;
+      wantedBy = [ "timers.target" ];
+      # run every day at a random time between 3am and 4am, los angeles time
+      timerConfig = {
+        OnCalendar = "*-*-* 03:00:00 America/Los_Angeles";
+        RandomizedDelaySec = 3600;
+      };
+    };
+  };
+}

hosts/liam/default.nix

@@ -0,0 +1,74 @@
+{
+  modulesPath,
+  config,
+  vaculib,
+  ...
+}:
+let
+  inherit (vaculib) mkOutOption;
+in
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/virtualisation/digital-ocean-config.nix")
+    ./nginx.nix
+    ./sops.nix
+    ./dovecot.nix
+    ./mail.nix
+    ./dkim.nix
+    ./sieve.nix
+    ./network.nix
+    ./backup.nix
+  ];
+
+  options = {
+    vacu.liam = {
+      shel_domains = mkOutOption [
+        "shelvacu.com"
+        "dis8.net"
+        "mail.dis8.net"
+        "jean-luc.org"
+        "in.jean-luc.org"
+        "vacu.store"
+        "shelvacu.miras.pet"
+        "chat.for.miras.pet"
+        "sv.mt"
+      ];
+      julie_domains = mkOutOption [
+        "violingifts.com"
+        "theviolincase.com"
+        "shop.theviolincase.com"
+      ];
+      domains = mkOutOption (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
+      relayhosts = {
+        allDomains = (mkOutOption "[outbound.mailhop.org]:587") // {
+          readOnly = false;
+        };
+        shelvacuAlt = (mkOutOption "[relay.dynu.com]:587") // {
+          readOnly = false;
+        };
+      };
+      reservedIpLocal = mkOutOption "10.46.0.7";
+    };
+  };
+
+  config = {
+    vacu.hostName = "liam";
+    vacu.shell.color = "cyan";
+    networking.domain = "dis8.net";
+    vacu.systemKind = "minimal";
+
+    hardware.enableAllFirmware = false;
+    hardware.enableRedistributableFirmware = false;
+
+    # networking.interfaces."ens3".useDHCP = false;
+    services.openssh.enable = true;
+
+    virtualisation.digitalOcean.setSshKeys = false;
+
+    users.users.root.openssh.authorizedKeys.keys =
+      config.users.users.shelvacu.openssh.authorizedKeys.keys;
+
+    system.stateVersion = "23.11";
+  };
+}

hosts/liam/dovecot.nix

@@ -1,9 +1,4 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
+{ config, lib, ... }:
 {
   networking.firewall.allowedTCPPorts = [ 993 ];
   systemd.tmpfiles.settings.whatever."/var/lib/mail".d = {
@@ -27,13 +22,13 @@
       "lmtp"
       "sieve"
     ];
-    modules = [ pkgs.dovecot_pigeonhole ];
     mailUser = "vmail";
     mailGroup = "vmail";
     createMailUser = true;
     mailLocation = "mdbox:~/mail";
     extraConfig = ''
       mail_home = /var/lib/mail/%n
+      mail_max_userip_connections = 100
       service auth {
         unix_listener /var/lib/postfix/queue/private/dovecot-auth {
           group = ${config.services.postfix.group}
@@ -97,9 +92,20 @@
       namespace {
         separator = .
         inbox = yes
+        
+        mailbox MagicRefilter {
+          auto = create
+        }
       }
 
       # mail_debug = yes
+      mail_plugins = $mail_plugins notify mail_log
+
+      plugin {
+        # sieve_trace_debug = yes
+        mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename flag_change
+        mail_log_fields = uid box msgid size from
+      }
     '';
   };
 }

hosts/liam/mail.nix

@@ -9,11 +9,37 @@ let
     shel_domains
     julie_domains
     domains
-    relayhost
+    relayhosts
     ;
+  mapLines = f: lis: lib.concatStringsSep "\n" (map f lis);
   debug = false;
   fqdn = config.networking.fqdn;
+  relayable_domains = [
+    "shelvacu.com"
+    "vacu.store"
+    "chat.for.miras.pet"
+  ];
   dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
+  reject_spam_sources = [
+    "reject-spam-test@example.com"
+    "buyerservice@made-in-china.com"
+    "upgrade-plans@asuswebstorage.com"
+    "info@rfidlabel.com"
+    "made-in-china.com"
+    "*.made-in-china.com"
+    "hotels.com"
+    "*.hotels.com"
+  ];
+  banned_ips = [
+    "45.192.103.243/32"
+    "165.154.207.0/24"
+    "165.154.226.0/24"
+    "210.242.134.0/26"
+    "137.220.198.0/24"
+    "122.96.0.0/15"
+  ];
+  # must be bigger than gmail's 25MB "attachment limit" which after base64 encoding (x 1.33) is ~33MB
+  mailSizeLimit = 35 * 1024 * 1024;
 in
 {
   networking.firewall.allowedTCPPorts = [
@@ -34,9 +60,9 @@ in
         mom@shelvacu.com julie
         psv@shelvacu.com psv
       ''
-      + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains)
+      + (mapLines (d: "@${d} shelvacu") shel_domains)
       + "\n"
-      + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
+      + (mapLines (d: "@${d} julie") julie_domains);
 
     transport = ''
       shelvacu@${fqdn} ${dovecot_transport}
@@ -52,18 +78,37 @@ in
     enableSubmission = false;
     enableSubmissions = true;
     mapFiles.header_checks = pkgs.writeText "header-checks" (
-      "/./ INFO checker headers\n"
-      + (lib.concatMapStringsSep "\n" (
+      ''
+        /./ INFO checker headers
+      ''
+      + (mapLines (
         d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
       ) domains)
     );
     mapFiles.sender_access = pkgs.writeText "sender-access" (
-      lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains
+      mapLines (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
     );
+    mapFiles.banned_ips = pkgs.writeText "banned-ips" (mapLines (ip: "${ip} REJECT spam") banned_ips);
     # hack to get postfix to add a X-Original-To header
     mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
-    mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
-    mapFiles.sender_relay = pkgs.writeText "sender-relay" "@shelvacu.com ${relayhost}";
+    # mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
+    mapFiles.sender_transport = pkgs.writeText "sender-transport" (
+      mapLines (d: "@${d} relayservice") relayable_domains
+    );
+    mapFiles.sender_relay = pkgs.writeText "sender-relay" (
+      ''
+        @shelvacu.com ${relayhosts.allDomains} ${relayhosts.shelvacuAlt} 
+      ''
+      + (mapLines (d: "@${d} ${relayhosts.allDomains}") relayable_domains)
+    );
+    mapFiles.extra_login_maps = pkgs.writeText "extra-login-maps" (
+      ''
+        robot@vacu.store vacustore
+        zulip-notify@chat.for.miras.pet miracult-zulip
+        idrac-62pn9z1@shelvacu.com idrac-62pn9z1
+      ''
+      + config.services.postfix.virtual
+    );
 
     # verbatim appended to main.cf
     extraConfig = ''
@@ -72,12 +117,15 @@ in
       virtual_alias_domains =
         ${lib.concatStringsSep ",\n  " domains}
 
+      message_size_limit = ${toString mailSizeLimit}
+
       sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
       sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
 
       header_checks = pcre:/etc/postfix/header_checks
-      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
-      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
+      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access permit
+      smtpd_client_restrictions = check_client_access cidr:/etc/postfix/banned_ips permit
+      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to permit
       recipient_delimiter = +
 
       #we should never use these transport methods unless thru transport map
@@ -86,8 +134,8 @@ in
       # X.3.X = mail system failure
       # X.3.5 = System incorrectly configured
       # I would've never thought there'd be a standard way to specifically say "you found an error in my config"
-      local_transport   = error:5.3.5 how did this even hapenn??
-      virtual_transport = error:5.3.5 how did this even happenn??
+      local_transport   = error:5.3.5 how did this even happen?? (e-local)
+      virtual_transport = error:5.3.5 how did this even happen?? (e-virtual)
       # X.7.1 = Delivery not authorized, message refused
       relay_transport = error:5.7.1 relay is so very disabled
 
@@ -124,7 +172,6 @@ in
         "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
         "-o"
         "smtp_tls_wrappermode=no"
-        #"-o" "relayhost=${relayhost}"
       ] ++ (if debug then [ "-v" ] else [ ]);
     };
 
@@ -144,7 +191,7 @@ in
       smtpd_sasl_type = "dovecot";
       smtpd_sasl_path = "private/dovecot-auth";
       message_size_limit = "100000000";
-      smtpd_sender_login_maps = "hash:/etc/postfix/virtual";
+      smtpd_sender_login_maps = "hash:/etc/postfix/extra_login_maps";
       smtpd_sender_restrictions = "reject_authenticated_sender_login_mismatch";
       header_checks = "";
 

hosts/liam/nginx.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ ... }:
 let
   domains = [
     "smtp.shelvacu.com"

hosts/liam/notes.txt

@@ -0,0 +1,21 @@
+I think I can sort my email into these categories:
+- A Top priority: should be a notification
+  - personal emails
+  - here is a code to login (except ms, ugh)
+- B Normal priority: should be reviewed regularly, at least once every couple days
+  - (some) purchase receipts
+  - your credit card was used for <amount>
+  - money stuff
+  - patreons
+- C Low priority: should be skimmed occaisionally to make sure nothing got caught that shouldn't have
+  - C1 good emails:
+    - your statement is available to view
+    - 
+  - C2 spam
+- D Shit-tier: never reviewed, except if I'm missing an email I was otherwise expecting
+  - unsolicited job offers
+  - anything definitely spam
+
+- M Mailing lists
+
+searches should generally search A,B,C but not D or M

hosts/liam/sieve.nix

@@ -0,0 +1,960 @@
+{
+  pkgs,
+  lib,
+  config,
+  vaculib,
+  ...
+}:
+let
+  inherit (builtins)
+    isString
+    isList
+    length
+    head
+    all
+    isInt
+    isAttrs
+    isFloat
+    isBool
+    ;
+  inherit (lib)
+    concatStrings
+    concatStringsSep
+    splitString
+    match
+    replaceStrings
+    reverseList
+    elemAt
+    mapAttrsToList
+    ;
+  mapConcat = f: xs: concatStrings (map f xs);
+  mapConcatSep =
+    sep: f: xs:
+    concatStringsSep sep (map f xs);
+  mapConcatLines = f: xs: mapConcatSep "\n" f xs;
+  isListWhere = xs: f: (isList xs) && (all f xs);
+  stringOrList = val: (isString val) || ((isListWhere val isString) && (length val) > 0);
+  listify = val: if isList val then val else [ val ];
+  is_match = regex: s: (match regex s) != null;
+  is_not_match = regex: s: !(is_match regex s);
+  only_printable_ascii = s: is_match "[ -~\r\n]*" s;
+  has_vars = s: lib.hasInfix ("$" + "{") s;
+  sieve_raw_escape_string =
+    s:
+    if !only_printable_ascii s then
+      builtins.trace s throw "s failed only_printable_ascii check"
+    else
+      replaceStrings [ ''"'' ''\'' "\n" "\r" ] [ ''\"'' ''\\'' ''\n'' ''\r'' ] s;
+  sieve_encode_string =
+    {
+      allow_vars,
+      for_debug_comment,
+      with_quotes,
+    }:
+    s:
+    assert isString s;
+    assert allow_vars || for_debug_comment || (!has_vars s);
+    let
+      a = sieve_raw_escape_string s;
+      b = if for_debug_comment then replaceStrings [ ''*/'' ] [ ''*\/'' ] a else a;
+      res = if with_quotes then ''"${b}"'' else b;
+    in
+    res;
+  sieve_quote_string = sieve_encode_string {
+    allow_vars = false;
+    for_debug_comment = false;
+    with_quotes = true;
+  };
+  sieve_quote_string_with_interp = sieve_encode_string {
+    allow_vars = true;
+    for_debug_comment = false;
+    with_quotes = true;
+  };
+  is_valid_long_ident = is_match "[a-z_][a-z0-9_]*";
+  is_number_ident = is_match "[0-9]*";
+  is_valid_ident = s: (is_valid_long_ident s) || (is_number_ident s);
+  interp =
+    ident:
+    assert isString ident;
+    assert is_valid_ident ident;
+    "$" + "{${ident}}";
+  dest = "envelope_to";
+  dest_domain = "envelope_to_domain";
+  set_envelope = ''
+    #set_envelope START
+    if header :index 1 :matches "X-Envelope-To" "*" {
+      set ${sieve_quote_string dest} "''${1}";
+    }
+    if header :index 1 :matches "X-Envelope-To" "*@*" {
+      set ${sieve_quote_string dest_domain} "''${2}";
+    }
+    #set_envelope END
+  '';
+  envelope_is =
+    key:
+    assert stringOrList key;
+    ''string :is "${interp dest}" ${sieve_encode key}'';
+  envelope_matches =
+    key:
+    assert stringOrList key;
+    ''string :matches "${interp dest}" ${sieve_encode key}'';
+  envelope_domain_is = key: ''string :is "${interp dest_domain}" ${sieve_quote_string key}'';
+  sieve_encode_list =
+    xs:
+    assert isListWhere xs isString;
+    "[ ${mapConcatSep ", " sieve_encode xs} ]";
+  sieve_encode =
+    val:
+    if isString val then
+      sieve_quote_string val
+    else if isList val then
+      sieve_encode_list val
+    else
+      assert "dunno what to do with this";
+      null;
+  sieve_debug_list = xs: "[ ${mapConcat (s: (sieve_debug s) + " ") xs}]";
+  sieve_debug_attrs =
+    attrs:
+    let
+      toPairStr = name: val: "${sieve_debug name} = ${sieve_debug val}; ";
+      pairStrs = mapAttrsToList toPairStr attrs;
+      pairsStr = concatStrings pairStrs;
+    in
+    "{ ${pairsStr}}";
+  sieve_debug =
+    val:
+    if isString val then
+      sieve_encode_string {
+        allow_vars = true;
+        for_debug_comment = true;
+        with_quotes = true;
+      } val
+    else if (isInt val) || (isFloat val) then
+      toString val
+    else if (isBool val) then
+      (if val then "true" else "false")
+    else if isNull val then
+      "null"
+    else if isList val then
+      sieve_debug_list val
+    else if isAttrs val then
+      sieve_debug_attrs val
+    else
+      assert "dunno what to do with this";
+      null;
+  is_flagish =
+    flag_name:
+    let
+      # escape_all = map lib.escapeRegex;
+
+      # all from https://datatracker.ietf.org/doc/html/rfc9051#name-formal-syntax
+      # resp-specials = escape_all [ "]" ];
+      # DQUOTE = ''"'';
+      # quoted-specials = escape_all [ DQUOTE "\\" ];
+      # list-wildcards = escape_all [ "%" "*" ];
+      # CTL = something; # 0x00 thru 0x1F, and 0x7F
+      # SP = escape_all [ " " ];
+      # atom-specials = (escape_all [ "(" ")" "{" ]) ++ [ SP CTL list-wildcards quoted-specials resp-specials ];
+      # " "  0x20 !allowed
+      # "!"  0x21 ok
+      # "\"" 0x22 !allowed
+      # "#"  0x23 ok
+      # "$"  0x24 ok
+      # "%"  0x25 !allowed
+      # "&"  0x26 ok
+      # "'"  0x27 ok
+      # "("  0x28 !allowed
+      # ")"  0x29 !allowed
+      # "*"  0x2a !allowed
+      # "+"  0x2b ok
+      # ...
+      # "Z"  0x5a ok
+      # "["  0x5b !allowed
+      # "\\" 0x5c !allowed
+      # "]"  0x5d ok
+      # "^"  0x5e ok
+      # ...
+      # "z"  0x7a ok
+      # "{"  0x7b !allowed
+      # "|"  0x7c ok
+      # "}"  0x7d ok
+      # "~"  0x7e ok
+      # DEL  0x7f !allowed
+      # ATOM-CHAR = something; # "any CHAR except atom-specials"
+      ATOM-CHAR = ''[]!#$&'+-Z^-z|}~]'';
+      atom = "${ATOM-CHAR}+";
+      flag-keyword = ''\$MDNSent|\$Forwarded|\$Junk|\$NotJunk|\$Phishing|(${atom})'';
+      flag-extension = ''\\(${atom})'';
+      flag = ''\\Answered|\\Flagged|\\Deleted|\\Seen|\\Draft|(${flag-keyword})|(${flag-extension})'';
+    in
+    (isString flag_name) && ((builtins.match flag flag_name) != null);
+  known_flags = rec {
+    seen = ''\Seen'';
+    read = seen;
+  };
+  pure_flags_impl =
+    flags: conditions:
+    assert isListWhere flags isString;
+    assert isListWhere conditions isString;
+    assert (length flags) > 0;
+    assert (length conditions) > 0;
+    let
+      argAttrs = { inherit flags conditions; };
+      firstFlag = head flags;
+      combined_condition = if (length conditions) == 1 then head conditions else (allof conditions);
+    in
+    ''
+      # pure_flags ${sieve_debug argAttrs};
+      removeflag ${sieve_quote_string firstFlag};
+      if ${combined_condition} {
+        ${record_action "pure_flags ${concatStringsSep " " flags}"}
+        ${concatStringsSep "\n" (map (flag: ''addflag ${sieve_quote_string flag};'') flags)}
+      }
+      # pure_flags end
+    '';
+  pure_flags =
+    flags: conditions:
+    assert stringOrList flags;
+    assert stringOrList conditions;
+    pure_flags_impl (listify flags) (listify conditions);
+  exists_impl =
+    headers:
+    assert isListWhere headers isString;
+    if headers == [ ] then
+      "/* exists START: called with empty array */ false /* exists END */"
+    else
+      "/* exists START */ exists ${sieve_encode_list headers} /* exists END */";
+  exists =
+    headers:
+    assert stringOrList headers;
+    exists_impl (listify headers);
+  header_generic =
+    match_kind: header_s: match_es:
+    assert stringOrList header_s;
+    assert stringOrList match_es;
+    ''/* header_generic START */ header ${match_kind} ${sieve_encode header_s} ${sieve_encode match_es} /* header_generic END */'';
+  header_matches = header_generic ":matches";
+  header_is = header_generic ":is";
+  subject_generic = match_kind: match_es: header_generic match_kind "Subject" match_es;
+  subject_matches = subject_generic ":matches";
+  subject_is = subject_generic ":is";
+  environment_generic =
+    match_kind: environment_name_s: match_es:
+    assert stringOrList environment_name_s;
+    assert stringOrList match_es;
+    "environment ${match_kind} ${sieve_encode environment_name_s} ${sieve_encode match_es}";
+  environment_matches = environment_generic ":matches";
+  environment_is = environment_generic ":is";
+  from_is =
+    addr_list:
+    assert stringOrList addr_list;
+    ''/* from_is START */ address :is :all "From" ${sieve_encode addr_list} /* from_is END */'';
+  from_matches =
+    addr_list:
+    assert stringOrList addr_list;
+    ''/* from_is START */ address :matches :all "From" ${sieve_encode addr_list} /* from_is END */'';
+  var_is =
+    var_name: rhs:
+    assert isString var_name;
+    assert stringOrList rhs;
+    ''string :is "''${${var_name}}" ${sieve_encode rhs}'';
+  var_is_true = var_name: var_is var_name "1";
+  var_is_false = var_name: not (var_is_true var_name);
+  has_flag =
+    flag_name:
+    assert isString flag_name;
+    assert is_flagish flag_name; # no spaces allowed in flag names
+    ''hasflag :is ${sieve_encode flag_name}'';
+  set_with_interp =
+    var_name: new_val:
+    assert isString var_name;
+    assert is_valid_ident var_name;
+    assert isString new_val;
+    "set ${sieve_encode var_name} ${sieve_quote_string_with_interp new_val};";
+  set =
+    var_name: new_val:
+    assert isString var_name;
+    assert is_valid_ident var_name;
+    assert isString new_val;
+    "set ${sieve_encode var_name} ${sieve_encode new_val};";
+  set_bool_var =
+    var_name: bool_val:
+    assert isBool bool_val;
+    set var_name (if bool_val then "1" else "0");
+  over_test_list =
+    name: test_list:
+    assert isListWhere test_list isString;
+    ''
+      ${name}(
+      ${concatStringsSep ",\n" test_list}
+      )
+    '';
+  anyof = over_test_list "anyof";
+  allof = over_test_list "allof";
+  not = test: "not ${test}";
+  record_action =
+    action_desc:
+    assert isString action_desc;
+    ''addheader "X-Vacu-Action" ${sieve_encode action_desc};'';
+  fileinto =
+    folder:
+    assert isString folder;
+    ''
+      ${record_action "fileinto ${folder}"}
+      fileinto :create ${sieve_encode folder};
+    '';
+  ihave =
+    extension_name_s:
+    assert stringOrList extension_name_s;
+    "ihave ${sieve_encode extension_name_s}";
+  # email_filters = map (e: ''
+  #   elsif ${envelope_is e} { # item of email_filters
+  #     ${record_action "email_filters fileinto ${mk_email_folder_name e}"}
+  #     fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
+  #   }
+  # '') email_folders;
+  # domain_filters = map (d: ''
+  #   elsif ${envelope_domain_is d} { # item of domain_filters
+  #     ${record_action "domain_filters fileinto ${mk_domain_folder_name d}"}
+  #     fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
+  #   }
+  # '') domain_folders;
+  set_from =
+    {
+      condition,
+      var,
+      default ? "-",
+      warn_if_unset ? false,
+    }@args:
+    ''
+      # set_from ${sieve_debug args}
+      if ${condition} {
+        ${set_with_interp var (interp "1")}
+      }
+      else {
+        ${lib.optionalString warn_if_unset (
+          maybe_debug "info: Could not set ${var} from condition ${condition}, setting to default(${default})"
+        )}
+        ${set var default}
+      }
+      # set_from END
+    '';
+  set_var_from_environment =
+    item: var:
+    ''
+      # set_var_from_environment
+    ''
+    + set_from {
+      condition = ''environment :matches ${sieve_quote_string item} "*"'';
+      inherit var;
+    };
+  maybe_debug = msg: ''
+    if ${ihave "vnd.dovecot.debug"} {
+      debug_log ${sieve_quote_string_with_interp msg};
+    }
+  '';
+  # trimmed down from https://pages.ebay.com/securitycenter/security_researchers_eligible_domains.html
+  ebay_domains = vaculib.listOfLines { } ''
+    ebay.com
+    ebay.co.uk
+    ebay.com.au
+    ebay.de
+    ebay.ca
+    ebay.fr
+    ebay.it
+    ebay.es
+    ebay.at
+    ebay.ch
+    ebay.com.hk
+    ebay.com.sg
+    ebay.com.my
+    ebay.in
+    ebay.ph
+    ebay.ie
+    ebay.pl
+    ebay.be
+    ebay.nl
+    ebay.cn
+    ebay.com.tw
+    ebay.co.jp
+    ebaythailand.co.th
+  '';
+  sieve_text = ''
+    require [
+      "fileinto",
+      "mailbox",
+      "imap4flags",
+      "editheader",
+      "environment",
+      "variables",
+      "date",
+      "index",
+      "ihave"
+    ];
+
+    if ${
+      allof [
+        (ihave "imapsieve")
+        (environment_matches "imap.user" "*")
+        (environment_matches "location" "MS")
+        (environment_matches "phase" "post")
+      ]
+    } {
+      ${set_bool_var "in_imap" true}
+    } else {
+      ${set_bool_var "in_imap" false}
+    }
+
+    if ${var_is_true "in_imap"} {
+      if ${
+        not (allof [
+          (environment_is "imap.cause" [
+            "APPEND"
+            "COPY"
+            ""
+          ])
+          (environment_is "imap.mailbox" [
+            "MagicRefilter"
+            ""
+          ])
+        ])
+      } {
+        ${maybe_debug "NOT doing anything cuz imap.cause and/or imap.mailbox isn't right"}
+        stop;
+      }
+    }
+
+    ${set_envelope}
+    ${set_var_from_environment "location" "env_location"}
+    ${set_var_from_environment "phase" "env_phase"}
+    ${set_var_from_environment "imap.user" "env_imap_user"}
+    ${set_var_from_environment "imap.email" "env_imap_email"}
+    ${set_var_from_environment "imap.cause" "env_imap_cause"}
+    ${set_var_from_environment "imap.mailbox" "env_imap_mailbox"}
+    ${set_var_from_environment "imap.changedflags" "env_imap_changedflags"}
+    ${set_from {
+      condition = ''currentdate :matches "iso8601" "*"'';
+      var = "datetime";
+    }}
+    ${set_with_interp "sieved_message" ''at ''${datetime} by ${config.vacu.versionId} loc ''${env_location} phase ''${env_phase} user ''${env_imap_user} email ''${env_imap_email} cause ''${env_imap_cause} mailbox ''${env_imap_mailbox} changedflags ''${env_imap_changedflags} envelope ''${dest}''}
+    ${maybe_debug ''X-Vacu-Sieved: ''${sieved_message}''}
+
+    if ${ihave "envelope"} {
+      if envelope :all :matches "to" "*@*" {
+        ${set_with_interp "userfor" (interp "1")}
+      } else {
+        error "i dunno what to do, theres no envelope";
+      }
+    }
+    elsif ${var_is_true "in_imap"} {
+      ${set_with_interp "userfor" (interp "env_imap_user")}
+    }
+    else {
+      error "dont have envelope or imapsieve, dunno what to do";
+    }
+
+    if ${var_is "userfor" "shelvacu"} {
+      addheader "X-Vacu-Sieved" "''${sieved_message}";
+      removeflag "not-spamish";
+      removeflag "orders";
+      removeflag "banking";
+      removeflag "banking-statements";
+      removeflag "banking-transactions";
+      removeflag "A";
+      removeflag "B";
+      removeflag "B.subscriptions";
+      removeflag "C";
+      removeflag "D";
+
+      ${pure_flags [ "wells-fargo" "banking" ] (envelope_is "wf-primary@shelvacu.com")}
+      ${pure_flags
+        [ "wells-fargo-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "wells-fargo")
+          (subject_matches [
+            "You just got paid!"
+            "Wells Fargo card purchase exceeded preset amount"
+            "You made a payment"
+            "You made a credit card purchase of *"
+            "Your card wasn't present for a purchase"
+            "Account update"
+            "You've earned cash back from My Wells Fargo Deals"
+            "Confirmation of your Wells Fargo Rewards redemption"
+            "You sent money with Zelle(R)"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-statements" "banking-statements" "C" ]
+        [
+          (has_flag "wells-fargo")
+          (subject_matches [
+            "Your statement for credit card account *"
+            "Your statement for account *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-action-required" "A" ]
+        [
+          # wf is actually careful about saying action required
+          (has_flag "wells-fargo")
+          (subject_matches "Action Required: *")
+        ]
+      }
+      ${pure_flags
+        [ "wells-fargo-misc" "A" ]
+        [
+          (has_flag "wells-fargo")
+          (not (has_flag "wells-fargo-transactions"))
+          (not (has_flag "wells-fargo-statements"))
+          (not (has_flag "wells-fargo-action-required"))
+        ]
+      }
+      ${pure_flags [ "chase" "banking" ] (envelope_is "chase@shelvacu.com")}
+      ${pure_flags
+        [ "chase-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "chase")
+          (subject_matches [
+            "Your * payment is scheduled"
+            "You made a * transaction with *"
+            "Your * transaction with *"
+            "Chase security alert: You signed in with a new device"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "chase-statements" "banking-statements" "C" ]
+        [
+          (has_flag "chase")
+          (subject_matches [
+            "Your credit card statement is available"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "chase-spam" "D" ]
+        [
+          (has_flag "chase")
+          (anyof [
+            (header_is "From" "Chase Credit Journey <no.reply.alerts@chase.com>")
+            (subject_is [
+              "Review your recent activity"
+              "Good news: You may qualify for a credit line increase!"
+              "Your Chase card is available to use with Paze - Activate now!"
+            ])
+          ])
+        ]
+      }
+      ${pure_flags [ "experian" ] (envelope_is "fbyjemby@shelvacu.com")}
+      ${pure_flags
+        [ "experian-spam" "D" ]
+        [
+          (has_flag "experian")
+          (subject_matches [
+            "*, your FICO* Score has been updated"
+            "Your monthly account statement is here, *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal" "banking" ]
+        [
+          # can't go purely on envelope, because paypal loves to give my email to every merchant I interact with
+          (envelope_is "paypal@shelvacu.com")
+          (from_matches [
+            "*@paypal.com"
+            "*@*.paypal.com"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal-transactions" "banking-transactions" "B" ]
+        [
+          (has_flag "paypal")
+          (subject_matches [
+            "Receipt for your payment to *"
+            "*: $* USD"
+            "*: $* CAD"
+            "*: kr * SEK"
+            "You authorized a payment to *"
+            "You sent an automatic payment to *"
+            "Review your new automatic payment setup for *"
+            "You have a refund from *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "paypal-statements" "banking-statements" "C" ]
+        [
+          (has_flag "paypal")
+          (subject_matches [
+            "*, your * account statement is available."
+          ])
+        ]
+      }
+
+      ${pure_flags [ "usps-id" ] (envelope_is "usps-id@shelvacu.com")}
+      ${pure_flags
+        [ "usps-expected-delivery" "C" ]
+        [
+          (has_flag "usps-id")
+          (subject_matches "USPS* Expected Delivery *")
+        ]
+      }
+      ${pure_flags
+        [ "amazon-ignore" "C" ]
+        [
+          (envelope_is "amznbsns@shelvacu.com")
+          (subject_matches [
+            "Your Amazon.com order has shipped*"
+            "Your Amazon.com order of * has shipped!"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "bandcamp-ignore" "C" ]
+        [
+          (envelope_is "bandcamp@shelvacu.com")
+          (subject_matches [
+            "* just announced a listening party on Bandcamp"
+            "New items from *"
+            "Starting in *"
+            "New from *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "bandcamp-not-ignore" "B.subscriptions" ]
+        [
+          (envelope_is "bandcamp@shelvacu.com")
+          ''not hasflag "bandcamp-ignore"''
+        ]
+      }
+      ${pure_flags [ "ika-ignore" "D" ] (envelope_is "ika@dis8.net")}
+      ${pure_flags
+        [ "ally-statement" "C" ]
+        [
+          (envelope_is "ally@shelvacu.com")
+          (subject_is "Your latest statement is ready to view.")
+        ]
+      }
+
+      ${pure_flags "bloomberg" (envelope_is "bloomberg@shelvacu.com")}
+
+      ${pure_flags
+        [ "money-stuff" "not-spamish" ]
+        [
+          (envelope_is "bloomberg@shelvacu.com")
+          ''header :matches "From" "\"Matt Levine\" *"''
+        ]
+      }
+
+      ${pure_flags
+        [ "money-stuff-podcast" "D" known_flags.read ]
+        [
+          (has_flag "money-stuff")
+          (subject_matches "Money Stuff: The Podcast:*")
+        ]
+      }
+
+      ${pure_flags
+        [ "money-stuff-not-podcast" "B.subscriptions" ]
+        [
+          (has_flag "money-stuff")
+          (not (has_flag "money-stuff-podcast"))
+        ]
+      }
+
+      ${pure_flags [ "git" "not-spamish" "B" ] (exists [
+        "X-GitHub-Reason"
+        "X-GitLab-Project"
+      ])}
+      ${pure_flags [ "git-uninsane" "git" "not-spamish" "B" ] (envelope_is "git-uninsane@shelvacu.com")}
+      ${pure_flags [ "github" "git" "not-spamish" "B" ] (header_matches "List-Id" "*<*.github.com>")}
+      ${pure_flags [ "mailing-list-by-envelope" "not-spamish" "B" ] (
+        envelope_matches "*-ml@shelvacu.com"
+      )}
+      
+      ${pure_flags [ "discourse" "not-spamish" "B" ] (exists "X-Discourse-Post-Id")}
+      ${pure_flags [ "agora" "not-spamish" ] (envelope_is "agora@shelvacu.com")}
+      ${pure_flags [ "postgres-list" "not-spamish" ] (
+        header_matches "List-Id" "<*.lists.postgresql.org>"
+      )}
+      ${pure_flags [ "secureaccesswa" "not-spamish" "A" ] (from_is "help@secureaccess.wa.gov")}
+      ${pure_flags [ "letsencrypt-mailing-list" "not-spamish" "B" ] (
+        envelope_is "lets-encrypt-mailing-list@shelvacu.com"
+      )}
+      ${pure_flags [ "jmp-news" "not-spamish" "B" ] (header_matches "List-Id" "*<jmp-news.soprani.ca>")}
+      ${pure_flags
+        [ "tf2wiki" "not-spamish" "B" ]
+        [
+          (envelope_is "tf2wiki@shelvacu.com")
+          (from_is "noreply@wiki.teamfortress.com")
+        ]
+      }
+
+      ${pure_flags "gmail-fwd" (envelope_is "gmailfwd-fc2e10bec8b2@shelvacu.com")}
+      ${pure_flags [ "ebay" "orders" ] (envelope_is "ebay@shelvacu.com")}
+      ${pure_flags
+        [ "ebay-delivered" "B" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "*ORDER DELIVERED: *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-message" "B" ]
+        [
+          (has_flag "ebay")
+          (from_matches (map (domain: "*@members.${domain}") ebay_domains))
+        ]
+      }
+      ${pure_flags
+        [ "ebay-offer" "B" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "You have an offer from the seller, *"
+            "You saw it at *, but the seller is now offering *"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-order-update" "C" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "Out for delivery: *"
+            "*DELIVERY UPDATE: *"
+            "*Order update: *"
+            "EARLY DELIVERY UPDATE: *"
+            "Important information regarding your Global Shipping Program transaction *" # ebay: "important information! your order is being shipped." why did you say this was ""important""???
+            "Your package is now with *"
+            "*Order confirmed: *"
+            "Your order is confirmed"
+            "Your order is in!"
+            "*An update on your order"
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-bid-ongoing-notification" "C" ]
+        [
+          (has_flag "ebay")
+          (subject_matches [
+            "Michael, your bid for * is winning"
+            "* just got a new bid."
+          ])
+        ]
+      }
+      ${pure_flags
+        [ "ebay-feedback" "D" ]
+        [
+          (has_flag "ebay")
+          (subject_matches "Please provide feedback for your eBay items")
+        ]
+      }
+      ${pure_flags [ "royal-mail" "orders" ] (from_is "no-reply@royalmail.com")}
+      ${pure_flags
+        [ "royal-mail-delivered" "B" ]
+        [
+          (has_flag "royal-mail")
+          (subject_matches "Your Royal Mail parcel has been delivered")
+        ]
+      }
+      ${pure_flags
+        [ "royal-mail-on-the-way" "D" ]
+        [
+          (has_flag "royal-mail")
+          (subject_matches "Your Royal Mail parcel is on its way")
+        ]
+      }
+      ${pure_flags [ "aliexpress" "orders" ] (from_is [
+        "transaction@notice.aliexpress.com"
+        "aliexpress@notice.aliexpress.com"
+      ])}
+      ${pure_flags
+        [ "aliexpress-delivered" "B" ]
+        [
+          (has_flag "aliexpress")
+          (from_is "transaction@notice.aliexpress.com")
+          (subject_matches "Order * has been signed for")
+        ]
+      }
+      ${pure_flags
+        [ "aliexpress" "orders" "C" ]
+        [
+          (has_flag "aliexpress")
+          (not (has_flag "aliexpress-delivered"))
+        ]
+      }
+      ${pure_flags [ "brandcrowd" "D" ] (envelope_is "brandcrowd@shelvacu.com")}
+      ${pure_flags [ "cpapsupplies" "D" ] (envelope_is "cpapsupplies@shelvacu.com")}
+      ${pure_flags [ "genshin" "D" ] (envelope_is "genshin@shelvacu.com")}
+      ${pure_flags [ "jork" "B" ] (envelope_is "jork@shelvacu.com")}
+      ${pure_flags [ "patreon" "not-spamish" ] (envelope_is "patreon@shelvacu.com")}
+      ${pure_flags
+        [ "patreon-post" "B.subscriptions" ]
+        [
+          (has_flag "patreon")
+          (header_is "X-Mailgun-Tag" "template_newsletterpostcontrol")
+        ]
+      }
+      ${pure_flags
+        [ "patreon-free-member-digest" "D" ]
+        [
+          (has_flag "patreon")
+          (header_is "X-Mailgun-Tag" "template_freememberdigest")
+        ]
+      }
+      ${pure_flags
+        [ "patreon-other" "B" ]
+        [
+          (has_flag "patreon")
+          (not (has_flag "patreon-post"))
+          (not (has_flag "patreon-free-member-digest"))
+        ]
+      }
+      ${pure_flags [ "rsb" "B" ] (from_is "support@rapidseedbox.com")}
+      ${pure_flags [ "fresh-avocado-dis8" "D" ] (envelope_is "fresh.avocado@dis8.net")}
+      ${pure_flags [ "discord" "A" ] (envelope_matches "discord@*")}
+      ${pure_flags [ "za-sa" "D" ] (from_matches [
+        "*@*.sa.com"
+        "*@*.za.com"
+      ])}
+      ${pure_flags [ "localdomain" "D" ] (from_matches [
+        "*@*.local"
+        "*@*.localdomain"
+      ])}
+      ${pure_flags [ "helium" "D" ] (envelope_is "creepyface@dis8.net")}
+      ${pure_flags [ "sharkmood" "C" ] (envelope_is "sharkmood@dis8.net")}
+      ${pure_flags [ "im-not-district-158" "D" ] (envelope_is [
+        "khamar.anderson@dis8.net"
+        "pbooth@dis8.net"
+        "sgaylor@dis8.net"
+      ])}
+      ${pure_flags [ "next-level-burger" "D" ] (header_matches "From" "*Next Level Burger*")}
+      ${pure_flags [ "lyft" "D" ] (envelope_is "lyft@shelvacu.com")}
+      ${pure_flags [ "coursera" "D" ] (from_matches "*.*.coursera.org")}
+      ${pure_flags [ "taskrabbit" "D" ] (envelope_is "taskrabbit@shelvacu.com")}
+      ${pure_flags [ "subscribestar_code" "A" ] (allof [
+        (envelope_is "subscribestar@shelvacu.com")
+        (subject_is "Your authentication code")
+      ])}
+      ${pure_flags "itch-io" (from_is "postmaster@itch.io")}
+      ${pure_flags
+        [ "itch-io-update" "B.subscriptions" ]
+        [
+          (has_flag "itch-io")
+          (subject_matches "[itch.io] * update *")
+        ]
+      }
+      ${pure_flags
+        [ "lowering-the-bar" "B.subscriptions" ]
+        [
+          (envelope_is "ltb@shelvacu.com")
+        ]
+      }
+      ${pure_flags [ "hotels-com" "D" ] (from_matches [
+        "hotels.com"
+        "*.hotels.com"
+      ])}
+
+      ${pure_flags
+        [ "spamish-by-headers" "C" ]
+        [
+          (anyof [
+            (header_is "Precedence" "bulk")
+            (exists "List-Unsubscribe")
+            (exists "List-Unsubscribe-Post")
+          ])
+          (not (has_flag "not-spamish"))
+        ]
+      }
+
+      if hasflag "agora" {
+        ${fileinto "M.agora"}
+      } elsif hasflag "postgres-list" {
+        ${fileinto "M.postgres"}
+      } elsif hasflag "D" {
+        ${fileinto "D"}
+      } elsif hasflag "C" {
+        ${fileinto "C"}
+      } elsif hasflag "A" {
+        ${fileinto "A"}
+      } elsif hasflag "B.subscriptions" {
+        ${fileinto "B.subscriptions"}
+      } else {
+        ${fileinto "B"}
+      }
+    }
+    # disable any sieve scripts that might want to run after this one
+    stop;
+  '';
+  pigeonhole_pkg = pkgs.dovecot_pigeonhole;
+in
+{
+  imports = [
+    # Allow running a sieve filter when a message gets moved to another folder in imap
+    # see https://doc.dovecot.org/2.3/configuration_manual/sieve/plugins/imapsieve/
+    {
+      services.dovecot2 = {
+        sieve.plugins = [ "sieve_imapsieve" ];
+        mailPlugins.perProtocol.imap.enable = [ "imap_sieve" ];
+      };
+    }
+  ];
+  options.vacu.checkSieve = lib.mkOption {
+    readOnly = true;
+    default = pkgs.writeScriptBin "check-liam-sieve" ''
+      set -xev
+      ${lib.escapeShellArgs [
+        (lib.getExe' pigeonhole_pkg "sieve-test")
+        "-c"
+        config.services.dovecot2.configFile
+        "-C" # force compilation
+        "-D" # enable sieve debugging
+        "-f"
+        "some-rando@example.com"
+        "-a"
+        "shelvacu@liam.dis8.net"
+        config.services.dovecot2.sieve.scripts.before
+        "/dev/null"
+      ]}
+    '';
+    defaultText = "check-liam-sieve package";
+  };
+  options.vacu.liam-sieve-script = lib.mkOption {
+    readOnly = true;
+    default = pkgs.writeText "mainsieve" sieve_text;
+    defaultText = "mainsieve text package";
+  };
+  config = {
+    vacu.packages = [ pigeonhole_pkg ];
+    services.dovecot2.sieve = {
+      extensions = [
+        "fileinto"
+        "mailbox"
+        "editheader"
+        "vnd.dovecot.debug"
+      ];
+      scripts.before = config.vacu.liam-sieve-script;
+    };
+    services.dovecot2.imapsieve.mailbox = [
+      {
+        name = "*";
+        causes = [
+          "APPEND"
+          "COPY"
+          "FLAG"
+        ];
+        before = config.vacu.liam-sieve-script;
+      }
+    ];
+    # services.dovecot2.mailboxes."magic-refilter".auto = "create";
+  };
+}

hosts/liam/sops.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  vacuModules,
+  ...
+}:
+{
+  imports = [ vacuModules.sops ];
+
+  config.sops = {
+    secrets.dovecot-passwd = {
+      restartUnits = [ "dovecot2.service" ];
+    };
+    secrets.dkim_key = {
+      name = "dkimkeys/2024-03-liam.private";
+      restartUnits = [ "opendkim.service" ];
+      owner = config.services.opendkim.user;
+    };
+    secrets.relay_creds = {
+      restartUnits = [ "postfix.service" ];
+      owner = config.services.postfix.user;
+    };
+  };
+}

hosts/lp0/default.nix

@@ -1,9 +1,6 @@
 { config, pkgs, ... }:
 {
-  imports = [
-    ../common/nixos.nix
-    ./hardware-config.nix
-  ];
+  imports = [ ./hardware-config.nix ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
@@ -12,6 +9,7 @@
   vacu.hostName = "lp0onfire"; # Define your hostname.
   vacu.shortHostName = "lp0";
   vacu.shell.color = "green";
+  vacu.systemKind = "server";
 
   # Set your time zone.
   time.timeZone = "America/Los_Angeles";
@@ -39,7 +37,6 @@
     pciutils
     ncdu
     nix-index
-    git
   ];
 
   # This value determines the NixOS release from which the default
@@ -52,11 +49,6 @@
 
   services.openssh.enable = true;
 
-  # system.autoUpgrade.enable = true;
-  # system.autoUpgrade.allowReboot = true;
-  # system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
-
-  nixpkgs.config.allowUnfree = true;
   services.zerotierone = {
     enable = true;
     joinNetworks = [ "1d719394047b32ae" ];
@@ -67,11 +59,4 @@
 
   # Disable wifi card; This is sitting directly under a router and I don't want to cause interference.
   boot.blacklistedKernelModules = [ "iwlwifi" ];
-
-  # networking.nat = {
-  #   enable = true;
-  #   externalInterface = "enp2s0";
-  #   internalIPs = [ "192.168.192.0/24" ];
-  #   internalInterfaces = [ "ztrf26rjvk" ];
-  # };
 }

hosts/lp0/hardware-config.nix

@@ -1,13 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}:
+{ lib, modulesPath, ... }:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
@@ -31,6 +25,7 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/36B4-78A2";
     fsType = "vfat";
+    options = [ "nofail" ];
   };
 
   swapDevices = [ ];

hosts/mmm/default.nix

@@ -0,0 +1,23 @@
+{ inputs, ... }:
+{
+  imports = [
+    ../common/nixos.nix
+    inputs.nixos-apple-silicon.nixosModules.default
+    ./hardware.nix
+  ];
+
+  vacu.hostName = "mmm";
+  vacu.shell.color = "red";
+  vacu.verifySystem.enable = false;
+  vacu.verifySystem.expectedMac = "14:98:77:3f:b8:2e";
+  vacu.systemKind = "server";
+
+  # asahi recommends systemd-boot
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = false;
+  hardware.asahi.peripheralFirmwareDirectory = ./firmware;
+
+  services.openssh.enable = true;
+
+  system.stateVersion = "24.05";
+}