give all configurations a restricted set of inputs

.sops.yaml

@@ -1,8 +1,15 @@
 shel_keys: &shel_keys
-  - &pixel-termux age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
+  - &a age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
-  - &t460s age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
+  - &b age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
-  - &pixel-nix age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
+  - &c age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
-  - &compute-deck-user age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
+  - &d age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
+  - &e age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
+  - &f age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
+  - &g age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
+  - &h age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
+  - &i age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
+  - &j age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
+  - &k age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
 machine_host_keys:
   - &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
   - &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
@@ -15,10 +22,17 @@ creation_rules:
   - path_regex: ^secrets/liam/
     key_groups:
     - age:
-      - *pixel-termux
+      - *a
-      - *t460s
+      - *b
-      - *pixel-nix
+      - *c
-      - *compute-deck-user
+      - *d
+      - *e
+      - *f
+      - *g
+      - *h
+      - *i
+      - *j
+      - *k
       - *liam
   - path_regex: ^tests/test_secrets/
     key_groups:

common/commands.nix

@@ -0,0 +1,86 @@
+{ config, lib, pkgs, ... }: let
+  inherit (lib) mkOption types;
+  cfg = builtins.attrValues config.vacu.shell.functions;
+  enabled = builtins.filter (o: o.enable) cfg;
+  writeShellFunction = name: text: pkgs.writeTextFile {
+      inherit name;
+      executable = false;
+      destination = "/share/vacufuncs/${name}";
+      text = ''
+        ${text}
+      '';
+      checkPhase = ''
+        ${pkgs.stdenv.shellDryRun} "$target"
+      '';
+    };
+in {
+  options = {
+    vacu.shell.functionsDir = mkOption {
+      type = types.path;
+    };
+    vacu.shell.interactiveLines = mkOption {
+      type = types.lines;
+      default = "";
+    };
+    vacu.shell.functions = mkOption {
+      default = {};
+      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+        options = {
+	  name = mkOption {
+            type = types.str;
+	    default = name;
+	    readonly = true;
+	  };
+          content = mkOption {
+            type = types.str;
+            default = "";
+          };
+          enable = mkOption {
+            type = types.bool;
+            default = config.content != "";
+            defaultText = ''${name}.content != ""'';
+          };
+        };
+      }));
+    };
+  };
+  config = {
+    _module.args.vaculib.writeShellFunction = writeShellFunction;
+    vacu.shell.interactiveLines = ''
+      if [[ $- == *i* ]] && [[ -f ${config.vacu.shell.functionsDir}/vacureload ]]; then
+        function __vacushell_load() { eval "$(cat ${config.vacu.shell.functionsDir}/vacureload)"; }
+        __vacushell_load
+        unset __vacushell_load
+      fi
+    '';
+    vacu.packages.vacureload.enable = true;
+    vacu.packages.vacureload.package = let
+      inherit (config.vacu.shell) functionsDir;
+    in writeShellFunction "vacureload" ''
+      declare -gA vacuShellFunctionsLoaded
+      if ! [[ -f ${functionsDir}/vacureload ]]; then
+        echo "vacureload: I think that's my cue to leave (${functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
+        for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
+          unset -f $funcname
+        done
+        return
+      fi
+      for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
+        if ! [[ -f ${functionsDir}/$funcname ]]; then
+          unset -f $funcname
+        fi
+      done
+      for fullPath in ${functionsDir}/*; do
+        local funcname="$(basename "$fullPath")"
+        local followedPath="$(readlink -f "$fullPath")"
+        if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
+          unset -f $funcname
+          eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
+          vacuShellFunctionsLoaded[$funcname]=$followedPath
+        fi
+	unset followedPath
+	unset funcname
+      done
+    '';
+  };
+}

common/common-but-not.nix

@@ -0,0 +1,9 @@
+# todo: rename this module
+# stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
+{ inputs, ... }:
+{
+  nix.registry.vacu.to = {
+    type = "path";
+    path = inputs.self.outPath;
+  };
+}

common/home.nix

@@ -0,0 +1,5 @@
+{ ... }: let
+
+in {
+  imports = [ ./common-but-not.nix ];
+}

common/module.nix

@@ -0,0 +1,228 @@
+{ config, pkgs, lib, inputs, ... }: let
+  inherit (lib) mkOption types;
+  inherit (inputs) self;
+in {
+  imports = [ ./package-set.nix ./not-aliases.nix ./ssh.nix ];
+  options = {
+    vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
+    vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
+    vacu.rootCAs = mkOption { type = types.listOf types.str; };
+    vacu.versionId = mkOption { type = types.str; readOnly = true; };
+    vacu.versionInfo = mkOption { readOnly = true; };
+  };
+  config = {
+    vacu.packages = with pkgs; [
+      home-manager
+      nixos-rebuild
+      which
+      nano
+      vim
+      wget
+      screen
+      tmux
+      lsof
+      htop
+      mosh
+      dnsutils
+      iperf3
+      nmap
+      rsync
+      ethtool
+      sshfs
+      ddrescue
+      pciutils
+      ncdu
+      nix-index
+      git
+      pv
+      unzip
+      file
+      ripgrep
+      jq
+      units
+      tree
+      rclone
+      iputils
+      ssh-to-age
+      sops
+      inetutils
+      neovim
+      diffutils
+      findutils
+      utillinux
+      tzdata
+      hostname
+      man
+      gnugrep
+      gnused
+      gnutar
+      bzip2
+      gzip
+      xz
+      zip
+      unzip
+      openssh
+      dig
+      bash
+      termscp
+      usbutils
+      ruby
+      psutils
+      killall
+      git
+      inputs.nix-search-cli.packages.${pkgs.system}.default
+      inputs.nix-inspect.packages.${pkgs.system}.default
+    ];
+    vacu.versionId = toString (self.shortRev or self.dirtyShortRev);
+    vacu.versionInfo = {
+      id = config.vacu.versionId;
+      flakePath = self.outPath;
+    };
+    vacu.nix.extraSubstituters = [
+      "https://nixcache.shelvacu.com/"
+      "https://nix-community.cachix.org/"
+      "https://nix-on-droid.cachix.org/"
+    ];
+    vacu.nix.extraTrustedKeys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
+      "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU="
+    ];
+    vacu.rootCAs = [
+      ''
+        -----BEGIN CERTIFICATE-----
+        MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
+        A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
+        MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
+        hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
+        AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
+        MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
+        BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
+        CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
+        AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
+        -----END CERTIFICATE-----
+      ''
+    ];
+
+    vacu.ssh.authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
+    ];
+    vacu.ssh.config = ''
+      Host deckvacu
+        User deck
+      
+      Host rsb
+        User user
+        HostName finaltask.xyz
+        Port 2222
+      
+      Host awoo
+        HostName 45.142.157.71
+
+      Host trip
+        HostName trip.shelvacu.com
+        Port 6922
+      
+      Host liam
+        HostName 178.128.79.152
+
+      Host pluto
+        HostName pluto.somevideogam.es
+
+      Host *
+        User shelvacu
+        GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
+    '';
+
+    vacu.ssh.knownHosts = {
+      #public hosts
+      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+      "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+
+      #colin's stuff
+      "uninsane.org" = {
+        extraHostNames = [ "git.uninsane.org" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      };
+      "desko" = {
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+      };
+
+      #daymocker's stuff
+      "pluto" = {
+        extraHostNames = [ "74.208.184.137" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
+      };
+
+      #powerhouse hosts
+      "ostiary" = {
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
+      };
+      "habitat" = { # previously known as zigbee-hub
+        extraHostNames = [ "10.78.79.114" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
+      };
+      "vnopn" = {
+        extraHostNames = [ "10.78.79.1" "vnopn.t2d.lan" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
+      };
+
+      #work laptop
+      "tebbs-MBP" = {
+        extraHostNames = [ "10.244.10.3" ];
+	publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
+      };
+
+      #personal hosts
+      trip = {
+        extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
+      };
+      servacu = {
+        extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
+      };
+      finaltask = {
+        extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
+      };
+      compute-deck = {
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
+      };
+      "2esrever" = {
+        extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
+      };
+      awoo = {
+        extraHostNames = [ "45.142.157.71" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
+      };
+      deckvacu = {
+        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
+      };
+      liam = {
+        extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
+      };
+      devver = {
+        extraHostNames = [ "devver.t2d.lan" "10.78.79.10" ];
+	publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
+      };
+      fw = {
+        extraHostNames = [ "fw.t2d.lan" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
+      };
+    };
+  };
+}

common/nix-on-droid.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+  imports = [
+    ./module.nix
+    ./commands.nix
+    ./common-but-not.nix
+  ];
+  environment.packages = config.vacu.packageList;
+  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
+  nix.substituters = config.vacu.nix.extraSubstituters;
+  nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
+  vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
+  environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
+  environment.etc.profile.text = config.vacu.shell.interactiveLines;
+  environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
+}

common/nixos.nix

@@ -0,0 +1,99 @@
+{ lib, pkgs, config, inputs, utils, ... }:
+{
+  imports = [ ./module.nix ./commands.nix ./common-but-not.nix ];
+  options.vacu.underTest = lib.mkOption {
+    default = false;
+    type = lib.types.bool;
+  };
+  options.vacu.acmeCertDependencies = lib.mkOption {
+    default = {};
+    example = ''
+      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
+    '';
+    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
+  };
+  config = let
+    for-systemd-services = lib.concatMapAttrs
+      (cert: units:
+        {
+          "acme-selfsigned-${cert}" = {
+            wantedBy = units;
+            before = units;
+          };
+        }
+      )
+      config.vacu.acmeCertDependencies;
+    for-security-acme-certs = lib.concatMapAttrs
+      (cert: units:
+        {
+          ${cert}.reloadServices = units;
+        }
+      )
+      config.vacu.acmeCertDependencies;
+  in {
+    console = {
+      keyMap = lib.mkDefault "us";
+    };
+    vacu.packages."xorg-xev" = {
+      enable = config.services.xserver.enable;
+      package = pkgs.xorg.xev;
+    };
+    environment.systemPackages = config.vacu.packageList;
+    programs.git = {
+      enable = true;
+      lfs.enable = true;
+    };
+    system.nixos.tags = [ "vacu${config.vacu.versionId}" ];
+    environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
+
+    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+    time.timeZone = "America/Los_Angeles";
+
+    users.users.shelvacu = {
+      openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+    };
+    systemd.services = for-systemd-services;
+    security.acme.certs = for-security-acme-certs;
+    services.openssh = {
+      # require public key authentication for better security
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+      settings.PermitRootLogin = "prohibit-password";
+    };
+
+    nix.settings.trusted-users = [ "shelvacu" ];
+    security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+    programs.screen = {
+      screenrc = ''
+        defscrollback 10000
+        termcapinfo xterm* ti@:te@
+	maptimeout 5
+      '';
+    } // (if config.system.nixos.release == "23.11" then {} else { enable = true; });
+
+    programs.tmux.enable = true;
+    programs.tmux.extraConfig = "setw mouse";
+    programs.tmux.clock24 = true;
+
+    nix.settings = {
+      experimental-features = [ "nix-command" "flakes" ];
+      substituters = config.vacu.nix.extraSubstituters;
+      trusted-public-keys = config.vacu.nix.extraTrustedKeys;
+    };
+    nixpkgs.config.allowUnfree = lib.mkDefault true;
+
+    programs.mosh.enable = lib.mkDefault true;
+
+    programs.ssh.extraConfig = config.vacu.ssh.config;
+
+    security.pki.certificates = config.vacu.rootCAs;
+
+    # commands.nix
+    environment.pathsToLink = [ "/share/vacufuncs" ];
+    vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
+    programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
+  };
+}

common/not-aliases.nix

@@ -0,0 +1,34 @@
+# These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
+{ pkgs, vaculib, ... }: let
+  inherit (pkgs) writeScriptBin;
+  inherit (vaculib) writeShellFunction;
+in {
+  vacu.packages = [
+    (writeScriptBin "ms" ''
+      set -e
+      if [[ $# != 1 ]]; then
+        echo "wrong number of args" 1>&2
+	exit 1
+      fi
+      set -x
+      mosh -- $1 sudo screen -Rd
+    '')
+    (writeScriptBin "rmln" ''
+      set -eo pipefail
+      for arg in "$@"; do
+        if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
+	  echo "$0: $arg is not a symlink" 1>&2
+	  exit 1
+	fi
+      done
+      rm $@
+    '')
+
+    (writeShellFunction "nd" ''
+      declare -a args
+      args=("$@")
+      mkdir "''${args[@]}" && cd "''${args[-1]}"
+    '')
+    (writeShellFunction "td" ''pushd $(mktemp "$@")'')
+  ];
+}

common/package-set.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, lib, ... }: let
+  inherit (lib) mkOption types;
+  pkgOptions = builtins.attrValues config.vacu.packages;
+  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
+  enabledPkgs = builtins.map (o: o.package) enabledOptions;
+  packagesSetType = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+    options = {
+      enable = mkOption {
+        type = types.bool;
+        description = "Will this package be installed (included in environment.systemPackages)";
+      };
+      package = mkOption {
+        type = types.package;
+        default = pkgs.${name};
+        defaultText = "pkgs.${name}";
+      };
+    };
+  }));
+  packageListToSet = (from: let
+    keyvals = map (val:
+      if builtins.isString val then
+        { name = val; value = { package = pkgs."${val}"; enable = lib.mkDefault true; }; }
+      else
+        { name = val.name; value = { package = val; enable = lib.mkDefault true; }; }
+    ) from;
+  in builtins.listToAttrs keyvals);
+in {
+  options = {
+    vacu.packages = mkOption {
+      default = {};
+      type = types.coercedTo (types.listOf (types.either types.str types.package)) packageListToSet packagesSetType;
+    };
+    vacu.packageList = mkOption {
+      type = types.listOf types.package;
+      readOnly = true;
+    };
+  };
+
+  config.vacu.packageList = enabledPkgs;
+}

common/ssh.nix

@@ -0,0 +1,116 @@
+{ pkgs, lib, config, ... }: let
+  inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
+  inherit (builtins) attrValues;
+  cfg = config.vacu;
+  knownHosts = attrValues cfg.ssh.knownHosts;
+  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
+  (h: assert h.hostNames != [];
+    optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
+    + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+  )) + "\n";
+in {
+  options = {
+    vacu.ssh.knownHostsText = mkOption {
+      type = types.str;
+      readOnly = true;
+      default = knownHostsText;
+    };
+    vacu.ssh.authorizedKeys = mkOption {
+      type = types.listOf types.str;
+    };
+    vacu.ssh.config = mkOption {
+      type = types.lines;
+    };
+    # Straight copied from nixpkgs 
+    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
+    vacu.ssh.knownHosts = mkOption {
+      default = {};
+      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+        options = {
+          certAuthority = mkOption {
+            type = types.bool;
+            default = false;
+            description = ''
+              This public key is an SSH certificate authority, rather than an
+              individual host's key.
+            '';
+          };
+          hostNames = mkOption {
+            type = types.listOf types.str;
+            default = [ name ] ++ config.extraHostNames;
+            defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
+            description = ''
+              A list of host names and/or IP numbers used for accessing
+              the host's ssh service. This list includes the name of the
+              containing `knownHosts` attribute by default
+              for convenience. If you wish to configure multiple host keys
+              for the same host use multiple `knownHosts`
+              entries with different attribute names and the same
+              `hostNames` list.
+            '';
+          };
+          extraHostNames = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = ''
+              A list of additional host names and/or IP numbers used for
+              accessing the host's ssh service. This list is ignored if
+              `hostNames` is set explicitly.
+            '';
+          };
+          publicKey = mkOption {
+            default = null;
+            type = types.nullOr types.str;
+            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
+            description = ''
+              The public key data for the host. You can fetch a public key
+              from a running SSH server with the {command}`ssh-keyscan`
+              command. The public key should not include any host names, only
+              the key type and the key itself.
+            '';
+          };
+          publicKeyFile = mkOption {
+            default = null;
+            type = types.nullOr types.path;
+            description = ''
+              The path to the public key file for the host. The public
+              key file is read at build time and saved in the Nix store.
+              You can fetch a public key file from a running SSH server
+              with the {command}`ssh-keyscan` command. The content
+              of the file should follow the same format as described for
+              the `publicKey` option. Only a single key
+              is supported. If a host has multiple keys, use
+              {option}`programs.ssh.knownHostsFiles` instead.
+            '';
+          };
+        };
+      }));
+      description = ''
+        The set of system-wide known SSH hosts. To make simple setups more
+        convenient the name of an attribute in this set is used as a host name
+        for the entry. This behaviour can be disabled by setting
+        `hostNames` explicitly. You can use
+        `extraHostNames` to add additional host names without
+        disabling this default.
+      '';
+      example = literalExpression ''
+        {
+          myhost = {
+            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
+            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
+          };
+          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
+          "myhost2.net/dsa" = {
+            hostNames = [ "myhost2.net" ];
+            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
+          };
+        }
+      '';
+    };
+    config.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (name: data: {
+      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                  (data.publicKey != null && data.publicKeyFile == null);
+      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+    });
+  };
+}

compute-deck/default.nix

@@ -3,14 +3,14 @@
 {
   imports = [
     inputs.jovian.nixosModules.jovian
-    inputs.disko.nixosModules.default
+    # inputs.disko.nixosModules.default
-    inputs.homeManager.nixosModules.default
+    inputs.home-manager.nixosModules.default
     ./hardware.nix
-    ./partitioning.nix
     ./home.nix
     ./bluetooth.nix
+    ./partitioning.nix
     ./padtype.nix
-    ../common-nixos-config.nix
+    ../common/nixos.nix
   ];
   system.nixos.tags = [ "host-${config.networking.hostName}" ];
 
@@ -55,22 +55,22 @@
     rustup
   ];
 
-  boot.kernelPatches = [
+  # boot.kernelPatches = [
-    {
+  #   {
-      name = "gadget";
+  #     name = "gadget";
-      patch = null;
+  #     patch = null;
-      extraStructuredConfig = with lib.kernel; {
+  #     extraStructuredConfig = with lib.kernel; {
-        USB_ETH=module;
+  #       USB_ETH=module;
-        USB_GADGET=yes;
+  #       USB_GADGET=yes;
-        USB_LIBCOMPOSITE=yes;
+  #       USB_LIBCOMPOSITE=yes;
-        USB_CONFIGFS=yes;
+  #       USB_CONFIGFS=yes;
-        USB_DWC3=module;
+  #       USB_DWC3=module;
-        USB_DWC3_PCI=module;
+  #       USB_DWC3_PCI=module;
-        USB_DWC3_DUAL_ROLE=yes;
+  #       USB_DWC3_DUAL_ROLE=yes;
-        USB_DWC3_HOST=no;
+  #       USB_DWC3_HOST=no;
-        USB_DWC3_GADGET=no;
+  #       USB_DWC3_GADGET=no;
-        USB_ROLE_SWITCH=yes;
+  #       USB_ROLE_SWITCH=yes;
-      };
+  #     };
-    }
+  #   }
-  ];
+  # ];
 }

compute-deck/hardware.nix

@@ -5,7 +5,7 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "sdhci_pci" "dwc3_pci" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];

compute-deck/partitioning.nix

@@ -1,5 +1,6 @@
-{ ... }:
+{ inputs, ... }:
 {
+  imports = [ inputs.disko.nixosModules.default ];
   disko.devices.disk.blarg = {
     device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
     content = {

deterministic-certs.nix

@@ -0,0 +1,55 @@
+{ nixpkgs ? import <nixpkgs> }: let
+  pkgs = nixpkgs;
+  lib = nixpkgs.lib;
+  defaultCertTemplate = {
+    serial = 1;
+    activation_date = "1970-01-01 00:00:00 UTC";
+    expiration_date = "2500-01-01 00:00:00 UTC";
+  };
+  keyValToConfigLines = (key: value:
+    if (builtins.isString value) || (builtins.isPath value) then "${key} = \"${value}\"" else
+    if builtins.isInt value then "${key} = ${builtins.toString value}" else
+    if builtins.isList value then map (innerValue: keyValToConfigLines key innerValue) else
+    if builtins.isBool value then (if value then "${key}" else "# no ${key}") else
+    throw "don't know how to handle ${builtins.typeOf value}"
+  );
+  mkTemplateConfig = config: lib.concatStringsSep "\n" (lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config));
+  certCfg = pkgs.writeText "deterministic-cert.cfg" ''
+    serial = 1
+    activation_date = "1970-01-01 00:00:00 UTC"
+    expiration_date = "2500-01-01 00:00:00 UTC"
+  '';
+  privKeyFile = name: let
+    keySizeBits = 256;
+    keySizeHex = builtins.toString (keySizeBits / 4);
+  in pkgs.runCommand "deterministic-privkey-${name}.pem" {} ''
+    seed=$(echo ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
+    ${pkgs.gnutls}/bin/certtool --generate-privkey --outfile=$out --key-type=rsa --sec-param=high --seed=$seed
+  '';
+  generateCert = { name, config, args, preCommands ? "" }: let
+    deriv = pkgs.runCommand "deterministic-cert-${name}" {} ''
+      mkdir -p $out
+      cd $out
+      ln -s ${privKeyFile name} privkey.pem
+      ln -s ${pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))} template.cfg
+      ${preCommands}
+      ${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
+    '';
+  in deriv // { privateKeyPath = "${deriv}/privkey.pem"; certificatePath = "${deriv}/cert.pem"; };
+    
+in {
+  inherit privKeyFile;
+  selfSigned = name: config: generateCert { inherit name config; args = [ "--generate-self-signed" ]; };
+  caSigned = name: ca: config: generateCert {
+    inherit name config;
+    preCommands = ''
+      ln -s ${ca.privateKeyPath} ca-privkey.pem
+      ln -s ${ca.certificatePath} ca-cert.pem
+    '';
+    args = [
+      "--generate-certificate"
+      "--load-ca-certificate=ca-cert.pem"
+      "--load-ca-privkey=ca-privkey.pem"
+    ];
+  };
+}

devver/default.nix

@@ -2,8 +2,8 @@
 
 {
   imports = [
-    inputs.homeManager.nixosModules.default
+    inputs.home-manager.nixosModules.default
-    ../common-nixos-config.nix
+    ../common/nixos.nix
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
 

flake.nix

@@ -2,40 +2,55 @@
   description = "Config for triple-dezert server";
 
   inputs = {
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
+    nixpkgs.url = "nixpkgs/nixos-24.05-small";
-    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
-    nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
     nix-inspect = {
       url = "github:bluskript/nix-inspect";
-      #inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nix-inspect-unstable = {
+      url = "github:bluskript/nix-inspect";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    vscode-server-unstable = {
+      url = "github:nix-community/nixos-vscode-server";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
     vscode-server = {
       url = "github:nix-community/nixos-vscode-server";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nix-on-droid = {
-      url = "github:nix-community/nix-on-droid/release-23.05";
+      url = "github:nix-community/nix-on-droid";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    jovian = {
+    jovian-unstable = { # there is no stable jovian :cry:
       url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    disko = {
+    disko-unstable = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    homeManager = {
+    home-manager = {
-      url = "github:nix-community/home-manager/master";
+      url = "github:nix-community/home-manager/release-24.05";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    home-manager-unstable = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    nix-search-cli-unstable = {
+      url = "github:peterldowns/nix-search-cli";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
     nix-search-cli = {
       url = "github:peterldowns/nix-search-cli";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    padtype = {
+    padtype-unstable = {
       url = "gitlab:shelvacu/padtype";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
     sops-nix = {
       url = "github:Mic92/sops-nix";
@@ -45,58 +60,82 @@
       url = "github:astro/microvm.nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nixos-hardware.url = "github:nixos/nixos-hardware";
+    most-winningest = {
+      url = "github:captain-jean-luc/most-winningest";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
+  outputs = { self, nixpkgs, nix-on-droid, home-manager, ... }@inputs: let
+    defaultInputs = { inherit (inputs) self nix-search-cli nix-inspect; };
+    defaultArgs = { inputs = defaultInputs; };
+  in {
     debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
     nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
       system =  "x86_64-linux";
       modules = [ ./triple-dezert ];
-      specialArgs = { inherit inputs; };
+      specialArgs = { inputs = defaultInputs // { inherit (inputs) most-winningest; }; };
     };
 
     nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [ ./compute-deck ];
-      specialArgs = { inherit inputs; };
+      specialArgs = { inputs = {
+	jovian = inputs.jovian-unstable;
+        home-manager = inputs.home-manager-unstable;
+	vscode-server = inputs.vscode-server-unstable;
+	disko = inputs.disko-unstable;
+	padtype = inputs.padtype-unstable;
+	nix-search-cli = inputs.nix-search-cli-unstable;
+	nix-inspect = inputs.nix-inspect-unstable;
+	self = inputs.self;
+      }; };
     };
 
     nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
       system =  "x86_64-linux";
       modules = [ ./liam ];
-      specialArgs = { inherit inputs; };
+      specialArgs = { inputs = defaultInputs // { inherit (inputs) sops-nix; }; };
     };
 
     nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [ ./lp0 ];
-      specialArgs = { inherit inputs; };
+      specialArgs = defaultArgs;
     };
     
     nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [ ./installer.nix ];
-      specialArgs = { inherit inputs; };
+      specialArgs = defaultArgs;
     };
 
     nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
       system =  "x86_64-linux";
       modules = [ ./devver ];
-      specialArgs = { inherit inputs; };
+      specialArgs = { inputs = defaultInputs // { inherit (inputs) home-manager; }; };
     };
 
-    nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
+    nixosConfigurations.fw = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [ ./fw ];
-      specialArgs = { inherit inputs; };
+      specialArgs = { inputs = defaultInputs // { inherit (inputs) nixos-hardware; }; };
     };
 
     nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
-      modules = [ ./nix-on-droid.nix ];
+      modules = [ ./nix-on-droid ];
-      extraSpecialArgs = { inherit inputs; };
+      extraSpecialArgs = defaultArgs;
+      pkgs = import nixpkgs { system = "aarch64-linux"; };
     };
 
-    diskoConfigurations.compute-deck = import ./compute-deck/partitioning.nix;
+    homeConfigurations."nix-on-droid" = home-manager.lib.homeManagerConfiguration {
+      modules = [
+        ./home/nix-on-droid.nix
+        { _module.args.inputs = defaultInputs; }
+      ];
+      pkgs = import nixpkgs { system = "aarch64-linux"; };
+    };
 
     checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
       let
@@ -105,37 +144,73 @@
           node.pkgs = pkgs;
           node.pkgsReadOnly = false;
           node.specialArgs.selfPackages = self.packages.${system};
-          node.specialArgs.inputs = inputs;
+          #node.specialArgs.inputs = defaultInputs;
         };
       in
       {
         liam = nixpkgs.lib.nixos.runTest {
           hostPkgs = pkgs;
-          imports = [ config ./tests/liam.nix ];
+          imports = [ config ./tests/liam.nix { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; } ];
         };
         trip = nixpkgs.lib.nixos.runTest {
           hostPkgs = pkgs;
-          imports = [ config ./tests/triple-dezert.nix ];
+          imports = [ config ./tests/triple-dezert.nix { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; } ];
         };
-        # trip_haproxy_config = let
-        #   hacfg = self.nixosConfigurations.triple-dezert.config.containers.frontproxy.config.services.haproxy;
-        # in pkgs.stdenvNoCC.mkDerivation {
-        #   name = "trip-haproxy-config-check";
-        #   script = ''
-        #     mkdir -p certs/shelvacu.com/
-        #     touch certs/shelvacu.com/full.pem
-        #     ${hacfg.package}/bin/haproxy \
-        #       -f ${pkgs.writeText "haproxy-config" hacfg.config} \
-        #       -c \
-        #       -dW \
-        #       -dD \
-        #       -C $PWD
-        #   '';
-        # };
       }
     );
 
-    nixosModules.common = import ./common-config.nix;
+
+    nixosModules.common = import ./common/module.nix;
+    packages.x86_64-linux.snmpb = nixpkgs.legacyPackages.x86_64-linux.libsForQt5.callPackage ./packages/snmpb/package.nix {};
+    packages.x86_64-linux.snmp-mibs-downloader = nixpkgs.legacyPackages.x86_64-linux.callPackage ./packages/snmp-mibs-downloader.nix {};
     packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
+    packages.x86_64-linux.authorizedKeys = let
+      pkgs = nixpkgs.legacyPackages.x86_64-linux;
+    in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixosConfigurations.fw.config.vacu.ssh.authorizedKeys);
+    packages.aarch64-linux.authorizedKeys = let
+      pkgs = nixpkgs.legacyPackages.aarch64-linux;
+    in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixOnDroidConfigurations.default.config.vacu.ssh.authorizedKeys);
+    
+    qb = /* qb is "quick build" */ let
+      toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
+      deterministicCerts = import ./deterministic-certs.nix { nixpkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; };
+      pkgs = nixpkgs.legacyPackages.x86_64-linux;
+    in rec {
+      # nix-on-droid is impure >:(
+      # nod = self.nixOnDroidConfigurations.default.activationPackage;
+      fw = toplevelOf "fw";
+      triple-dezert = toplevelOf "triple-dezert";
+      trip = triple-dezert;
+      compute-deck = toplevelOf "compute-deck";
+      cd = compute-deck;
+      liam = toplevelOf "liam";
+      lp0 = toplevelOf "lp0";
+      devver = toplevelOf "devver";
+      shel-installer = toplevelOf "shel-installer";
+      iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
+      do = self.packages.x86_64-linux.digitalOceanImage;
+      snmpb = self.packages.x86_64-linux.snmpb;
+      check-triple-dezert = self.checks.x86_64-linux.trip.driver;
+      check-trip = check-triple-dezert;
+      check-liam = self.checks.x86_64-linux.liam.driver;
+
+      authorizedKeys = self.packages.x86_64-linux.authorizedKeys;
+      authorizedKeysAarch = self.packages.aarch64-linux.authorizedKeys;
+      ak = authorizedKeys;
+
+      dc-priv = deterministicCerts.privKeyFile "test";
+      dc-cert = deterministicCerts.selfSigned "test" {};
+    };
+
+    all = let
+      pkgs = nixpkgs.legacyPackages.x86_64-linux;
+      symlinkCommands = pkgs.lib.mapAttrsToList (name: pkg: "ln -s ${pkg} ${name}") self.qb;
+    in pkgs.runCommand "nix-stuff-all" {} ''
+      mkdir $out
+      cd $out
+      ${pkgs.lib.concatStringsSep "\n" symlinkCommands}
+    '';
+
+    allWithBuildDeps = nixpkgs.legacyPackages.x86_64-linux.closureInfo { rootPaths = [ self.all.drvPath ]; };
   };
 }

fw/android.nix

@@ -0,0 +1,4 @@
+{ pkgs, ... }: {
+  vacu.packages = pkgs.androidStudioPackages.stable.all;
+  users.users.shelvacu.extraGroups = [ "kvm" ];
+}

fw/apex.nix

@@ -0,0 +1,59 @@
+# everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
+{ pkgs, ... }: {
+  # apparently this is already enabled??
+  # nixpkgs.overlays = [ ( final: prev: {
+  #   libfido2 = prev.libfido2.override { withPcsclite = true; };
+  # } ) ];
+  vacu.packages = with pkgs; [
+    libfido2
+    pcsclite
+    pcsc-tools
+    scmccid
+    opensc
+  ];
+
+  services.pcscd.enable = true;
+  # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
+  boot.blacklistedKernelModules = [ "pn533_usb" "pn533" "nfc" ];
+
+  # bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
+  
+  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
+  # (PIN1 for authentication/decryption, PIN2 for signing).
+  # environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
+  #   module: ${pkgs.opensc}/lib/opensc-pkcs11.so
+  # '';
+
+  # environment.etc."opensc.conf".text = ''
+  #   app default {
+  #     reader_driver pcsc {
+  #       enable_pinpad = false;
+  #     }
+  #   }
+  # '';
+
+  environment.systemPackages = [
+    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
+    # security devices, so they can be used for TLS client auth.
+    # Each user needs to run this themselves, it does not work on a system level
+    # due to a bug in Chromium:
+    #
+    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
+    (pkgs.writeShellScriptBin "setup-browser-eid" ''
+      NSSDB="''${HOME}/.pki/nssdb"
+      mkdir -p ''${NSSDB}
+
+      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
+        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
+    '')
+  ];
+
+  programs.firefox.enable = true;
+  #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+
+  # trying CTAP-bridge
+  services.udev.extraRules = ''
+    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
+    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
+  '';
+}

fw/default.nix

@@ -1,24 +1,52 @@
 { config, inputs, pkgs, lib, ... }: {
-  imports = [ 
+  imports = [
-    ../common-nixos-config.nix
+    ../common/nixos.nix
+    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    ./apex.nix
+    ./android.nix
   ];
+  #boot.loader.grub.configurationLimit = 5;
   system.nixos.tags = [ "host-${config.networking.hostName}" ];
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   networking.networkmanager.enable = true;
+  # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
 
-  vacu.packages.bitwarden-desktop.enable = true;
+  services.fprintd.enable = false; #kinda broken
-  vacu.packages.nheko.enable = true;
+  
-  vacu.packages.librewolf.enable = true;
+  vacu.packages = with pkgs; [
-  vacu.packages.brave.enable = true;
+    bitwarden-desktop
-  vacu.packages.thunderbird.enable = true;
+    nheko
-  vacu.packages.wl-clipboard.enable = true;
+    librewolf
-  vacu.packages.nextcloud-client.enable = true;
+    brave
-  vacu.packages.signal-desktop.enable = true;
+    thunderbird
-  vacu.packages.fw-ectool.enable = true;
+    wl-clipboard
-  vacu.packages.framework-tool.enable = true;
+    nextcloud-client
-  vacu.packages.iio-sensor-proxy.enable = true;
+    signal-desktop
-  vacu.packages.power-profiles-daemon.enable = true;
+    fw-ectool
-  vacu.packages.acpi.enable = true;
+    framework-tool
+    iio-sensor-proxy
+    power-profiles-daemon
+    acpi
+    jellyfin-media-player
+    vlc
+    dmidecode
+    prismlauncher
+    ffmpeg_7-full
+    wireshark
+    obsidian
+    dino
+    aircrack-ng
+    libreoffice-qt6-fresh
+    # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
+    (inkscape-with-extensions.override { inkscapeExtensions = null; })
+    libsmi
+    net-snmp
+  ];
+
+  services.fwupd.enable = true;
+  #fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
+  #update: it didn't work, I dunno why. Leaving this here anyways
+  services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
@@ -75,6 +103,7 @@
   hardware.opengl = {
     driSupport = true;
     driSupport32Bit = true;
+    extraPackages = [ pkgs.rocmPackages.clr.icd pkgs.amdvlk ];
   };
   programs.nix-ld.enable = true;
   programs.steam = {
@@ -91,4 +120,7 @@
   hardware.bluetooth.enable = true;
   hardware.bluetooth.powerOnBoot = true;
   services.blueman.enable = true;
+
+  services.postgresql.enable = true; #for development
 }
+

home/nix-on-droid.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [ ../common/home.nix ];
+  home.stateVersion = "24.05";
+  home.homeDirectory = "/data/data/com.termux.nix/files/home";
+  home.username = "nix-on-droid";
+}

installer.nix

@@ -1,7 +1,7 @@
 { config, inputs, modulesPath, lib, ... }: {
   imports = [
     "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
-    ./common-nixos-config.nix
+    ./common/nixos.nix
   ];
   # this is an installer image, created anew every time. There's no state we need to worry about messing up
   system.stateVersion = config.system.nixos.version; 

liam/default.nix

@@ -2,13 +2,14 @@
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
     (modulesPath + "/virtualisation/digital-ocean-config.nix")
-    ../common-nixos-config.nix
+    ../common/nixos.nix
     ./nginx.nix
     ./sops.nix
     ./dovecot.nix
     ./mail.nix
     ./dkim.nix
     ./sieve.nix
+    ./network.nix
   ];
 
   options = let
@@ -29,6 +30,11 @@
         "shop.theviolincase.com"
       ];
       domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
+      relayhost = lib.options.mkOption {
+        type = lib.types.str;
+	# mailhop is duocircle
+	default = "[outbound.mailhop.org]:587 [relay.dynu.com]:587";
+      };
       reservedIpLocal = mkReadOnly "10.46.0.7";
     };
   };
@@ -39,13 +45,6 @@
     networking.domain = "dis8.net";
 
     # networking.interfaces."ens3".useDHCP = false;
-    # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
-    # {
-    #   "ip_address": "10.46.0.7",
-    #   "netmask": "255.255.0.0",
-    #   "gateway": "10.46.0.1"
-    # }
-
     services.openssh.enable = true;
 
     virtualisation.digitalOcean.setSshKeys = false;
@@ -54,4 +53,4 @@
 
     system.stateVersion = "23.11";
   };
-}
+}

liam/dovecot.nix

@@ -75,13 +75,13 @@
 
       userdb {
         driver = passwd-file
-        args = username_format=%n /run/secrets/dovecot-passwd
+        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
         override_fields = uid=${config.services.dovecot2.mailUser} gid=${config.services.dovecot2.mailGroup} user=%n
       }
 
       passdb {
         driver = passwd-file
-        args = username_format=%n /run/secrets/dovecot-passwd
+        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
         override_fields = user=%n
       }
 
@@ -93,4 +93,4 @@
       # mail_debug = yes
     '';
   };
-}
+}

liam/mail.nix

@@ -1,8 +1,8 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }: let
-let
+  inherit (config.vacu.liam) shel_domains julie_domains domains relayhost;
-inherit (config.vacu.liam) shel_domains julie_domains domains;
+  debug = false;
-fqdn = config.networking.fqdn;
+  fqdn = config.networking.fqdn;
-dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
+  dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
 in {
   networking.firewall.allowedTCPPorts = [ 25 465 ];
 
@@ -37,15 +37,23 @@ in {
     mapFiles.sender_access = pkgs.writeText "sender-access" (lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains);
     # hack to get postfix to add a X-Original-To header
     mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
+    mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
+    mapFiles.sender_relay = pkgs.writeText "sender-relay" "@shelvacu.com ${relayhost}";
 
     # verbatim appended to main.cf
     extraConfig = ''
+      smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+      inet_protocols = ipv4
       virtual_alias_domains =
         ${lib.concatStringsSep ",\n  " domains}
 
+      sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
+      sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+
       header_checks = pcre:/etc/postfix/header_checks
       smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
       smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
+      recipient_delimiter = +
 
       #we should never use these transport methods unless thru transport map
       # RFC3463:
@@ -66,13 +74,30 @@ in {
       smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
 
       # smtp_bind_address = 10.46.0.7
-
+      # inet_interfaces = all
+      # inet_protocols = ipv4
       ${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
         smtpd_milters = unix:/run/opendkim/opendkim.sock
         non_smtpd_milters = unix:/run/opendkim/opendkim.sock
       '')}
     '';
 
+    masterConfig."relayservice" = {
+      command = "smtp";
+      type = "unix";
+      args = [
+	"-o" "smtp_sasl_auth_enable=yes"
+	"-o" "smtp_sasl_security_options=noanonymous"
+	"-o" "smtp_tls_security_level=secure"
+	"-o" "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
+	"-o" "smtp_tls_wrappermode=no"
+	#"-o" "relayhost=${relayhost}"
+      ] ++ (if debug then ["-v"] else []);
+    };
+
+    masterConfig.qmgr = lib.mkIf debug { args = ["-v"]; };
+    masterConfig.cleanup = lib.mkIf debug { args = ["-v"]; };
+    masterConfig.smtpd = lib.mkIf debug { args = ["-v"]; };
     submissionsOptions = {
       smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
       smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
@@ -101,4 +126,4 @@ in {
 
 
   };
-}
+}

liam/network.nix

@@ -0,0 +1,26 @@
+{ lib, config, ... }: let
+  # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
+  # {
+  #   "ip_address": "10.46.0.7",
+  #   "netmask": "255.255.0.0",
+  #   "gateway": "10.46.0.1"
+  # }
+  interface_conf = {
+    useDHCP = true;
+    ipv4.addresses = [{
+      address = "10.46.0.7";
+      prefixLength = 24;
+    }];
+    ipv4.routes = [{
+      address = "0.0.0.0";
+      prefixLength = 0;
+      via = "10.46.0.1";
+      options.scope = "global";
+      options.src = "10.46.0.7";
+      options.metric = "1200";
+    }];
+  };
+in {
+  networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
+  networking.interfaces."eth0" = lib.mkIf ( config.vacu.underTest) interface_conf;
+}

liam/sieve.nix

@@ -59,15 +59,18 @@
   sieve_text = ''
     require ["fileinto", "mailbox"];
 
-    if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
+    if header :is "Delivered-To" "shelvacu@liam.dis8.net" {
-      discard;
+      if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
+        discard;
+      }
+      elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
+        fileinto :create "gmail";
+      }
+      ${concatStrings email_filters}
+      ${concatStrings domain_filters}
     }
-    elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
-      fileinto :create "gmail";
-    }
-    ${concatStrings email_filters}
-    ${concatStrings domain_filters}
   '';
 in {
-  services.dovecot2.sieveScripts.before = pkgs.writeText "blargsieve" sieve_text;
+  services.dovecot2.sieve.extensions = [ "fileinto" "mailbox" ];
-}
+  services.dovecot2.sieve.scripts.before = pkgs.writeText "blargsieve" sieve_text;
+}

liam/sops.nix

@@ -20,5 +20,9 @@
       restartUnits = [ "opendkim.service" ];
       owner = config.services.opendkim.user;
     };
+    sops.secrets.relay_creds = {
+      restartUnits = [ "postfix.service" ];
+      owner = config.services.postfix.user;
+    };
   };
-}
+}

lp0/default.nix

@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 {
   imports = [
-    ../common-nixos-config.nix
+    ../common/nixos.nix
     ./hardware-config.nix
   ];
 

nix-on-droid/default.nix

@@ -1,19 +1,19 @@
 { config, lib, pkgs, inputs, ... }:
 
 {
-  imports = [ ./common-config.nix ];
+  imports = [
-  environment.packages = config.vacu.packageList;
+    ../common/nix-on-droid.nix
+    ./flake-registry.nix
+  ];
 
   environment.etc."resolv.conf".text = lib.mkForce ''
-    nameserver 10.78.79.1
+    # nameserver 10.78.79.1
     nameserver 9.9.9.10
     nameserver 149.112.112.10
 
     options timeout:1 attempts:5
   '';
 
-  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
-
   # Backup etc files instead of failing to activate generation if a file already exists in /etc
   environment.etcBackupExtension = ".bak";
 
@@ -24,8 +24,6 @@
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
-  nix.substituters = config.vacu.nix.extraSubstituters;
-  nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
 
   environment.sessionVariables."PS1" = "\\w $ ";
 

nix-on-droid/flake-registry.nix

@@ -0,0 +1,9 @@
+# To make `nix run nixpkgs#hello` and such use the same nixpkgs used to build this, so that it doesn't take forever
+{ inputs, ... }:
+{
+  nix.registry.nixpkgs.to = {
+    type = "path";
+    path = inputs.nixpkgs.outPath;
+  };
+  nix.nixPath = [ "nxipkgs=flake:nixpkgs" ];
+}

package-set.nix

@@ -1,32 +0,0 @@
-{ config, pkgs, lib, ... }: let
-  inherit (lib) mkOption types;
-  pkgOptions = builtins.attrValues config.vacu.packages;
-  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
-  enabledPkgs = builtins.map (o: o.package) enabledOptions;
-in {
-  options = {
-    vacu.packages = mkOption {
-      default = {};
-      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
-        options = {
-	  enable = mkOption {
-	    type = types.bool;
-	    default = true;
-	    description = "Will this package be installed (included in environment.systemPackages)";
-	  };
-	  package = mkOption {
-	    type = types.package;
-	    default = pkgs.${name};
-	    defaultText = "pkgs.${name}";
-	  };
-	};
-      }));
-    };
-    vacu.packageList = mkOption {
-      type = types.listOf types.package;
-      readOnly = true;
-    };
-  };
-
-  config.vacu.packageList = enabledPkgs;
-}

packages/snmp-mibs-downloader.nix

@@ -0,0 +1,104 @@
+{
+  bash,
+  coreutils,
+  gzip,
+  gnutar,
+  unzip,
+  wget,
+  gnupatch,
+
+  fetchFromGitLab,
+  fetchurl,
+  #libsmi,
+  #resholve,
+  stdenv,
+  writeText,
+  lib,
+}@args:
+stdenv.mkDerivation (self: let
+  # this script depends on an old version of libsmi's smistrip
+  libsmi = stdenv.mkDerivation rec {
+   pname = "libsmi";
+   version = "0.4.8";
+
+   src = fetchurl {
+     url = "https://www.ibr.cs.tu-bs.de/projects/libsmi/download/${pname}-${version}.tar.gz";
+     hash = "sha256-8EilJw9BvIiww7Co/nDKTXFqRrUxoOyqqHxGL0nXSEk=";
+   };
+
+   env.NIX_CFLAGS_COMPILE = "-std=gnu90";
+   #env.CFLAGS="-Wno-error";
+   #env.NIX_DEBUG="7";
+
+   hardeningDisable = [ "format" ];
+
+   meta = with lib; {
+     description = "A Library to Access SMI MIB Information";
+     homepage = "https://www.ibr.cs.tu-bs.de/projects/libsmi/index.html";
+     license = licenses.free;
+     platforms = lib.platforms.linux ++ lib.platforms.darwin;
+   };
+  };
+in rec {
+  pname = "snmp-mibs-downloader";
+  version = "1.6";
+
+  src = fetchFromGitLab {
+    domain = "salsa.debian.org";
+    owner = "debian";
+    repo = "${pname}";
+    rev = "debian/${version}";
+    hash = "sha256-W2VW3EJWmHwlqMoL12dFcfkYmAADLOtUWCydcL5qUKc=";
+  };
+
+  # installPhase = ''
+  #   install -Dm755 download-mibs $out/bin
+  #   install -Dm644 *.conf *list $out/etc/snmp-mips-downloader
+  #   cp mibrfcs/* $out/share/snmp/mibs-downloader/mibrfcs
+  #   cp mibiana/* $out/share/snmp/mibs-downloader/mibiana
+  #   gzip -9 $out/share/snmp/mibs-downloader/*/*
+
+  # '';
+  postPatch = ''
+    substituteInPlace download-mibs \
+      --replace-fail SMISTRIP=/usr/bin/smistrip "" \
+      --replace-fail CONFDIR=/etc/snmp-mibs-downloader "BASEDIR=/var/lib/mibs; AUTOLOAD='rfc ianarfc iana'" \
+      --replace-fail '. $CONFDIR/snmp-mibs-downloader.conf' ""
+  '';
+  preInstall = ''
+    mkdir -p $out/usr/bin $out/etc/snmp-mibs-downloader $out/usr/share/snmp/mibs-downloader/mib{rfcs,iana} $out/usr/share/snmp/mibs
+  '';
+  installFlags = [ "INSTALL=install" "DESTDIR=$(out)" ];
+  postInstall = ''
+    mv $out/usr/* $out
+    rmdir $out/usr
+    substituteInPlace $out/etc/snmp-mibs-downloader/* \
+      --replace-quiet 'DIR=/usr/share/snmp/mibs-downloader' 'DIR='$out'/share/snmp/mibs-downloader'
+    mv $out/bin/download-mibs $out/bin/.download-mibs-unwrapped
+    cat <<EOF > $out/bin/download-mibs
+      #!${bash}/bin/bash
+      PATH=${lib.escapeShellArg (lib.concatStringsSep ":" (lib.flip map [ coreutils gzip gnutar unzip wget gnupatch ] (p: "${p}/bin")))}
+      SMISTRIP=${libsmi}/bin/smistrip
+      CONFDIR=$out/etc/snmp-mibs-downloader
+      source $out/bin/.download-mibs-unwrapped
+    EOF
+    chmod u+x $out/bin/download-mibs
+  '';
+
+  env.NIX_DEBUG="7";
+  # solutions.default = {
+  #   scripts = [ "bin/download-mibs" ];
+  #   interpreter = "${bash}/bin/bash";
+  #   inputs = [ coreutils gzip gnutar unzip wget gnupatch ]; 
+  #   keep = {
+  #     "$archive_fetcher" = true;
+  #     source = [ "$CONFDIR/$i.conf" ];
+  #     "${wget}/bin/wget" = true;
+  #   };
+  #   fix = { "$SMISTRIP" = [ "${libsmi}/bin/smistrip" ]; };
+  # };
+
+  meta = {
+    mainProgram = "download-mibs";
+  };
+})

packages/snmpb/package.nix

@@ -0,0 +1,124 @@
+{
+  fetchgit,
+  lib,
+  libsmi,
+  libtomcrypt,
+  qmake,
+  qtbase,
+  qwt,
+  stdenv,
+  wrapQtAppsHook,
+
+  breakpointHook,
+}@args:
+
+stdenv.mkDerivation (finalAttrs: let
+  # ./configure --disable-shared --disable-yang --with-pathseparator=';' --with-dirseparator='/' --with-smipath=${INSTALL_PREFIX}'/${SHARE}/snmpb/mibs;'${INSTALL_PREFIX}'/${SHARE}/snmpb/pibs'
+  libsmi = finalAttrs.passthru.libsmi;
+  # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/iana/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
+  # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
+  # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
+  # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
+  # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
+
+in {
+  pname = "snmpb";
+  version = "0.9pre1";
+
+  # __structuredAttrs = true;
+
+  passthru = {
+    proFile = "${finalAttrs.pname}.pro";
+    makeFile = "makefile.${finalAttrs.pname}";
+    smipath = "${finalAttrs.passthru.libsmi-data}/share/snmpb/mibs;${finalAttrs.passthru.libsmi-data}/share/snmpb/pibs";
+    libsmi = args.libsmi.overrideAttrs (final: prev: {
+      #preConfigure = (prev.preConfigure or "") + "\n" + ''
+      #  appendToVar configureFlags --prefix=$out/ --disable-yang --with-pathseparator=';' --with-dirseparator='/'
+      #'';
+      configureFlags = (prev.configureFlags or []) ++ ["--with-pathseparator=;" "--with-smipath=${finalAttrs.passthru.smipath}"];
+      env.NIX_DEBUG="2";
+      pname = prev.pname + "-for-snmpb";
+    });
+    libsmi-data = stdenv.mkDerivation {
+      name = "libsmi-snmpb-data";
+      phases = "unpackPhase installPhase";
+      src = libsmi.src;
+      installPhase = ''
+        mkdir -p $out/share/snmpb/{mibs,pibs}
+	shopt -s globstar
+	for foo in mibs pibs; do
+	  for node in $foo/**/*; do
+	    [[ -f $node ]] && install -m444 $node $out/share/snmpb/$foo/
+	  done
+	done
+	rm $out/share/snmpb/*/Makefile*
+      '';
+    };
+  };
+
+  src = fetchgit {
+    url = "https://git.code.sf.net/p/snmpb/code";
+    rev = "a092855bfd201778f87be578b91aeb062726e329";
+    hash = "sha256-nlS1pqv2ERZGkk0SJ8ByXqBHHho1GTSq/oxrXL2tytM=";
+  };
+
+  patches = [ ./unvendor.patch ];
+
+  buildInputs = [
+    qwt
+    qtbase
+    libtomcrypt
+    libsmi
+  ];
+
+  nativeBuildInputs = [
+    wrapQtAppsHook
+    qmake
+    breakpointHook
+  ];
+  
+  #setSourceRoot = "sourceRoot=$(echo */app)";
+
+  #NIX_DEBUG="7";
+  #installFlags = "INSTALL_PREFIX=$(out) NO_ROOT=1";
+  installPhase = ''
+    popd
+    install -Dm 555 -s app/snmpb $out/bin/snmpb
+    #mkdir -p $out/share/snmpb/{mibs,pibs}
+    #for foo in mibs pibs; do
+    #  for file in ${libsmi}/share/$foo/*; do
+    #    ln -s $file $out/share/snmpb/$foo/
+    #  done
+    #done
+    install -Dm 444 app/snmpb.desktop $out/share/applications
+    install -Dm 444 app/snmpb.xml $out/share/mime/packages
+    install -Dm 444 app/images/snmpb.png $out/share/icons/hicolor/128x128/apps
+    install -Dm 444 app/images/snmpb.png $out/share/pixmaps
+    install -Dm 444 app/images/snmpb.svg $out/share/icons/hicolor/scalable/apps
+  '';
+  postPatch = ''
+    rm -rf libsmi libtomcrypt qwt #ensures un-vendoring worked correctly
+    #smipath_parts=(${libsmi}/share/{mibs,pibs}/*)
+    #smipath=$(IFS=";" ; echo "''${smipath_parts[*]}")
+    substituteInPlace app/preferences.cpp --subst-var smipath
+    substituteInPlace app/*.pro \
+      --subst-var libs \
+      --subst-var include
+    pushd app
+  ''; 
+  env = {
+    include = "${qwt.dev}/include ${libsmi}/include ${libtomcrypt}/include";
+    libs = "${qwt}/lib/libqwt.so ${libsmi}/lib/libsmi.so ${libtomcrypt}/lib/libtomcrypt.so -lqwt -lsmi -ltomcrypt";
+    inherit (finalAttrs.passthru) smipath;
+  };
+
+  preConfigure = ''
+    qmakeFlags+=( "${finalAttrs.passthru.proFile}" "-o" "${finalAttrs.passthru.makeFile}" )
+  '';
+  makefile = finalAttrs.passthru.makeFile;
+
+  meta = {
+    description = "GUI SNMP browser and MIB editor wrtten with Qt";
+    
+  };
+})

packages/snmpb/unvendor.patch

@@ -0,0 +1,61 @@
+diff --git a/app/preferences.cpp b/app/preferences.cpp
+index 29fa8c8..98e842f 100644
+--- a/app/preferences.cpp
++++ b/app/preferences.cpp
+@@ -22,13 +22,6 @@
+ #include <qfileinfo.h>
+ #include <qtextstream.h>
+ 
+-// For DEFAULT_SMIPATH
+-#ifdef WIN32
+-#include "../libsmi/win/config.h"
+-#else
+-#include "../libsmi/config.h"
+-#endif
+-
+ #include "mibmodule.h"
+ #include "preferences.h"
+ 
+@@ -288,7 +281,7 @@ void Preferences::MibPathRefresh()
+ void Preferences::MibPathReset()
+ {
+     // "Reset to default" for MIB paths
+-    QStringList defaultpaths = QString(DEFAULT_SMIPATH).split(SMI_PATH_SEPARATOR);
++    QStringList defaultpaths = QString("@smipath@").split(SMI_PATH_SEPARATOR);
+ 
+     QSettings settings;
+     settings.beginWriteArray("mibpaths");
+diff --git a/app/snmpb.h b/app/snmpb.h
+index 63f0d6e..c1da1b8 100644
+--- a/app/snmpb.h
++++ b/app/snmpb.h
+@@ -20,6 +20,7 @@
+ #ifndef SNMPB_H
+ #define SNMPB_H
+ 
++#include <qwt_text.h>
+ #include "ui_mainw.h"
+ 
+ #define SNMPB_VERSION_STRING "1.0"
+diff --git a/app/snmpb.pro b/app/snmpb.pro
+index b6ee631..a5ff14a 100644
+--- a/app/snmpb.pro
++++ b/app/snmpb.pro
+@@ -83,14 +83,9 @@ FORMS += \
+ INCLUDEPATH += \
+ 	../snmp++/include \
+ 	../snmp++/ \
+-	../libtomcrypt/src/headers \
+-	../libsmi/lib \
+-	../qwt/src
+-LIBS	+= \
+-	-L../libtomcrypt \
+-	-L../libsmi/lib/.libs \
+-	-L../qwt/lib \
+-	-lsmi -ltomcrypt -lqwt
++        @include@
++
++LIBS	+= @libs@
+ 
+ RESOURCES	= snmpb.qrc
+ 

secrets/liam/main.yaml

@@ -1,6 +1,7 @@
-dovecot-passwd: ENC[AES256_GCM,data:cZt43pgPNbORpqX6KyXvzVt1Q8tNz1cMF9YVUyL7saZyFqA5XA+uywU5yVerjdsTXfx4QeoYbA+bDE7qwdjTQBpEoEMm99WBb77rac652VGXXCas4nrbwMmZbUY2Z57PKd4GPN/i57VAD6eHiTV8HCd5OwiX7AlpmHXImgL9jr4P9skyTPIEnLF3NUVxktmAjn+X7IwmBH1mtn5Gesc5Q+6hoTQMwLn7ilYWfcOvaf5UOsHS6zvuTlGPuISaLPEvx2CLBccu7I38kKafCLTc1FOhdrFRu2n9/6gD1yIxUnbCkDWpcIV1e/3FlU5aQM7c7duQFVuIW9KpY2U0R2Y5Miv0ciU2D1GaJWMud7S/HCxPrQo=,iv:Arppozvg9+bjNCIJl7kRwbwGm2fuf7CjBfEfDT45+MQ=,tag:+PeAznYRW9S0Ok5uEn/qpQ==,type:str]
+dovecot-passwd: ENC[AES256_GCM,data:pcj7T1AKqZfMBGiHiihW0WxVKzAiy6xsGGlOhOV4IeHPEn+SXNoQjTQQVhZoNxYsENptH54SgWwlMETCcQrQzq6prrktlT3iZCnwlwvzaNRXrMe1mk/WT+OiTpaQ0PWGfrhVkQXj4bxWKCRc2i3NJxm1AtYfE0nNL/1dUk9rzwYTH6zjiQFYmZHbwzjtxiE3YbZCwYnpNR3Ql08S4kNf5TtsecFtTY1VOPFRycjEfIIIUbVLUM06DZ5savKVNRdgaVMUuXyPoOxy65YbkwZ9vkoBleRShY0v6FOgG1YLmQmr7f8QtiHlFbA0NJ0vUkg8bgSTsw27jC/JQU0qTSNVrMHgzfApw6GUQgGTYZK24tFCVNBJ3sxvTbuVOcShy01yJA==,iv:5gTo8ySgq//ZaY88F7AcAa2CEe2hXR415EqqSsYIbF8=,tag:DOf4yEXW5kzYAL89KQOAdQ==,type:str]
 dkim_key: ENC[AES256_GCM,data:CZC/1U1cJUIyNhXAWp+YFJd0pZZKvZClJxOh3uZ3YyfEQBiK9nEQryAJHirpFXAmZTcGhsuotkAuJvVQtoh/pM9YGkrncCKlw+P96hiafHGoSOnqd77DazcVERwGEGYBPK7fIZfhpAaYiIvjwq6FbMzkkZ4vLcYRNRj+LCtrXu4K5cy5ZJaRFkLCiaIVHhrOfjyhDFCkFBd3pZ/oCGH57teisjFl+LWFqGOQFyGs3Vkv0bY1fUTUtFvpYcTdrRe6A7yI3OGveX3Q9JnDKD+PBqHhd/a/OjBF0Xme6BeipRnv6/Md2F5LNDfUWugOtDy0xigtWAp/mbVel8GYgTXEQYv+sxVu0kFM7bX8fa/A/BHNx98HFoScwLCt8VmCc26asfGvGFfADrJMBIk2IbmqjQ2NV7/ejB6Zym7tjLLpYI24LBAyZDH/Rtw7CqGPmpHXCQ9xILFxLMdqMSmgPPJtF/75qFICCQH2p3CHj7b/TmTpu8RLIVu2pxG48u4VnUgJE1zPBeaY5EY1uS7L5sF37CI+vMy1mY/3m5ZsWeOu9YigZouYy/Y6OrdtOzaEVaipQ2cYirD00MOYqO57izmjuUdw47OJ5zK7XInR4MHoLX0PfdJiw5Oq8OVir6KJf9UWPSXBbSZlj6PMkqbvQ+7VWJmDT0jKTbRg2M1eZCbcRrJAnE/YenMqYFXiVY1dOGjcrrxUn0zcnJ51UJmfDU2+UQc7urBVtqm7jfegudQ+Em735ynclMfYRWvRXQGQUm2YCUFXTwd6RhY4hHb32j6x00hi6iLjt1gjlMx8pHAcVbqcOdHFoLvNe1DlBsl/7jmL7otyY5m1VF3+H0tksDTSYfil5oudMEECTPypsZfp8iLU4xgjuh/+fXjZf4hQJMiA6OaGMw7R2cwvfiuSaHL/iz57ZtlHFW6TMWK77UBU2xZACVfylnqEaaIgzhYX0/wAsVQI+gqt03EsUx/AqlCFOCrOSwjov06k2bTDzSDcITayLkf9UjwOo/lmRz+7fCfvCaw26wZCEsEtRBfLrZc+Ibwq9uvNDsrV1hthi0qh1ngZonQOA1Y2NURDom3VMKkfu++nFIV+CGrAI5n0CVlVLkJn4RbPCDcmNGd9Kr8pYv7rU4MnMmD2n2M1OzAJbScrbb+f4Z8hEOIUk0dMVxOr/clrg+7F3vqceZC8VTzBbBAH4QuBAf67VwmZTpDB5bobFv/UwEC8pJ4HWmKcBN+s1QihtD7x+WYz+8pSNucr+oN56fiY8xAyvFFyTE7/zNWlXVi94E0is30q3/ZB/Gog5eOQT21tOI4Ak0N4y+ElfNIXSqtEUGhck2DIjfegygpvwiuu8ktEZwje9Q4SAYK8/0THT8ANyzDunwSocMdztL1zF6/ZhDub8hmOuaRJWotXzmL/zCXSGR0nEPXVSmyXKwHt/4MMGkasXOXetrENKIwDqYdm1eZBMCl8EGnyAbAo21LAfVTI0GLrNoFWNTPkpBIo3dKoBofmdRei/jHtQmBtvaILUv6UsIAyjJ+x2cpARW+yMIrv/0g8MnDMj4cCiIFk+AIXI279BvMrkVP1cOA7ESJkLe1hsL6+b7lmrhAWK1cpDnIWTXJG+v9aKlc0jz9D47gr7kD/ePC8sMaI95aQBbA93ftzYhKzsU9hINsU/IKGmT0rXS4j/BPZ0o8uC1HRaMjdE5Z0KHsebS9tn8lXfHFgX5wTDMaES9h+usUJrjc6F1lj2zYP5oTOjM8YmN6YQedo3wmi/PnA/8YMXz0tRFAZvg8VAYYtsfdV/2GLtjfD2YRK3iHsg5+GSEwqFafmWGgr+uhsl4JmKiASWJvx0Ron8RwdEzK2MC6WD1JERLU4UojOfx2xy5v15eveNnEufb7o1MJSAbjuRbVYiABqNFjIwe9hquIyTYVsiqiXi6fLeIV4fsTtiI5LLKx/6dOw31nFg/WfFWzvzLiLJ6b0NZowECP+Rsvzl3U0Qo/LbePyY/o8UYOo7u1zLpzxIOPyTqdKh64WqGYnqXmWy1ga57vnyl9mWhzr9ZlEuhM+0U8bVelIXmLTZp1Nredrs8E5ERdVnKmThbrLr8GvJAl4B7g5BIrGhSBB841wMm9h/SheKdq8SN9gUDRNgW0QNFkflBhX5ZsAHlPiJxddePbbAxfChv+ClG0oDuFDoSwSElCRR9GRayLRiws6CCDhviU8ub5JApSPTI9p/UjSJePSj+GqyqljTge0J/wgxRL2pAHk1HDQyOnv4kFZ5UhMFjU6GvbuPl2W2lqICJOcK9UuKdvivGsYkSSrOfke3mZMh52/f+03ciZ4xlwjDGV91kGONq5GME8dFEPD093xg0KbScfWanRWSoV3fOxitPWpcJ+xuNnDDOHjzLOYgt07u1QQs62rg/6BII+1XKBowLwG9Z5aWexZ3yCzrOR70pLRWPbOJNCAggEIaTkIa0ukOlaPbGzSZ6LuIyup7ex0Uabd2cOuvmAdMqGwnIB7fhtkdR7G4iDbnUqu7hbFurJn/3IZalJvbyZUuvC5X4oGU/CTWzDtdSgv5jQQ9qnr9ehCNCWjdg9T05v65XsW/OwHnRUN8A+1vxBIZ884lvFoOhJYeKXMufdAg4bCzUE/kdctRPwAVt3OjLnykXYcJV/3Ch+YIwv2vNA4pXqsMw8wgxX7DCvrCrVpkZAC1JIE32aKCXrN4tRUMrc0mnqUXa9M1rc6HCGa/vFCMj5ZW8xP9mOG+HEJFiJaV6ydxvhI7NMyXW2YDSxVh5RMMjXHUBq/bKMHPrLN57qmzvtcKUNcmS+VTvjS64wZlUsA1PEVwaJ/EQVAaY6ZeZi0CJ2A3YpklXYJpNqYhv8ICtFK2Uf6STfNYGaLTW2bgfZpWhic1y/V4wAWKa5A/XALXec+ioFr0foQR2ADiUycQYhMLZPSKPnWhcmwUPY+KPrjP11raVSM4ehtKdDlrbL3vmw6SlwowveyC3aqiceYzISWAw9o+ccvLs/bedEBeC2af2V53/vIuN4XYWjtZArRyqpzeeqlnTOb7vhpI84plXJdGHlmw0bml0yV3r3ucgB50wbAMRvQtJQ6ePPfOLOYLpDYFLPZJci8Vc3vRInskPOF39m9tSTT1noUSRZ3IxGi4LiUT76nAgI8BeTp3bqNuA6Of6I4yYS4Jmmby5C5eel0Ozl3gkMk1xuM5UTwcE7EDkr9rnzxs6rbx3CpQB3y6QB3tAe00zPpMm5YKJq1AKqvSzPco58g1vVu06e3l+tcGyt85t5wQTco3OX2kgBBxsiA629yAWcSIqKFZ+o7nTpA+zZmQrjVganWflbOhVNkvRSkLpThkYVlnkqBU9ixzQa79xVOF3WmNYBhdWfnO9VxFwE4MqgpOyL7sz0PsV5/ZsOy8m7DadM3GCS2mFtWZiM1RnGCayZvyY2KFNj3I8qM1HGMMfeF+3KXjyCBSyBkD25in85M0QaPlMzBxFZupSoleJLLwqd4BfsLk+POiZjLQQseSDVSqrjqWyE6d+baiy+m6d+z6sx4ojRf+q9wlMjZ2oRa+wsLnhbCrdHsZi6Q9eZawU6Vlsy3/KjarJABnapJsMbHYTlwPHlPYU6Du9T3lO2aJuTewOzA42Aoqm2Tlm4xh0GRV6Rx7najkMjc3cex1DAu0PNaFzWVBD7yPuv9FS+DzdEneEj9Tx81v245I9U8Oc6yacu72Ry2CG03ONld70oEU2BHrIgswoyMNg72hnhot9jfDutjJrB10b65pP5WZOAUGtwDh2a2KrdnYG/TGId+ehnkkwS2Sd87/CM4aaSYlsVneId6bXYpUcxSLroXUAHsigA3rjMpNpvR8XRiQZUfLWRQ+d8gyL5PVLp1H7R6LEDO4sZP8IuDJfxDzlP0Rh6GOQgu+dlkcxWGVHQxcexBThMURJYVMhTDoYopEfUqo3j+q7Fla4Q3HdypKg17VyVfEA/J7Nie+eDZvTEuvX0jWQmGAFdC9GbkVuT7hlzYx4kZ6/B81kVyQi8e3L3ZBAYHQXbHeK4GhSWQDwHG6ZBU16KrD6dhjIvn4HlXaGYaPMvv0Rp+yjeiur/n0NOWyvx0R1RrksbsyeaLIEDhOS19wXP4kiDrTR2qJN4LHcWu3m/hYuB4Fj72qyr2K7osXvbC/up2bSpY0IOcei8Nc/hIhqoe7uM4Jg3cpXt0hTpcDZ74HNIsd/6f592BqpoXIy5Cr1ZOxmnpkHdgZIyJ3KqwZEhYa7pSkOIIEAY9EnTPm3ViBHQdqjUpghYNzntO8EomNNw0sXUFFrwlGAY+ntLYUty0kREWt4l8Iot+XblCc8FX1gKYSqhnJOGjHHjOHO22Cr6NPJdcHfgkIBCknwwFWWMRPwZOomE=,iv:7LF3l52m6YRKGd/8rxDady3AbSEcXuVRsIaLlgNfKOs=,tag:UCjMRgFZFHQyXY5NfbZRcg==,type:str]
 dkim_pub: ENC[AES256_GCM,data:XLYRTAviK+r6DnRU4+lc58elI3FJ+FPsB1A5sQOk+pb+fNu7zFCiZdz/MwTVkE9izDP1Onv+VhV8sRgmxacTv4nW5GcukCrm3FmCp2jm6QF1/40/WRv6Lkbek0tV1bMOQPy9Zj8wdO9M05XCXUVXk4x17rj+lw8ApwJS2pJMoultMFx34tx2pNEnmO3MFtuBOxzeU2yP+NhF2sJNA62to78AiH5EblkoF0a6sUYk553U+sv3Ob0lo1nSv6c8zwl7y1WSNQnLK+/3WxSVGfePHVsVM8Zze1KFTVLQQggIzWTdcr7AgcTGbk3kaYCeucfQ60pVlqOyPnkJoUJ8HR1RSajFk6Ylzw0xBpY85qAXNT2YIRiq0HTUc1s5lD0luXLQEP+g+XUwZfzFRZgt1nWBlPmpbj2Ylj1FfrA7EXsIK9nyo+rf0qRn/4HusJATr9ddYmZdxwazl1FXkOKLHPyu1NlzwoTNSQQgMHlzxzUvrrv7+mI2nQvXRx82TSRytqrMvoBTF1NFX+pRjhNg9fcq0oPJ2ORqOVQsxzhLhB+tw7Cg+UHGWlnKnkqaKH1JDmOFyJDB96aPUnSQT2J8qkyb+hMBXz9mme8rZopkHrA4WyDXv3zpEi0P5Sj0DDwdRxKMdDdZ4hw79YQIrd63cIorN8XG6Icevb25LfekLEq/C2FS8+kADagyOM0uzCw2p/qacNz37ZNGqPK6gYkjnyoAfSm14zbgoLX/5dnf7eCuMatevTm4AcE53RawQfzz0YNJuEv5uqD/WUy+UIKHIwxPYY9FWBBPmH+8eaPC1mMPh54I444b39FwpnPU8GwxEPsjRg8TSnohawNmmhEWEpmlawEKw+C+BE6A2DmVJzyeBvVRwe/W6CPgyYxgSGWUuvfZFm1GrzwZDjCOEMRn7qMwMBxh1nr2BOAiNxA38UtsymaZO5ZOknClWlKIkIFl8NJdVITNNsI48KMuSY20o1puzkxMaAUH3OrGEhtoHrEOeIq+KCFzH2gZo6L5hbv9CHM7QgCYsbtVIMwL+cRZZaSNubS3K48OmWJnHNuqkcrSI4lqfjLhz1DbnQ==,iv:/cNMmlpq9LSOk0MwVq8NaWvp47q68lKWTx4s5nkwF5c=,tag:ZNX+yZsSxdhFsavDpX380g==,type:str]
+relay_creds: ENC[AES256_GCM,data:yWG53NaiA2s5aUudZWecDS1+fOURTHd0D0rNxZ9Tud9TsTO2F/6+5i3vRz/4qP4FoBexEVoW5Xhkqo8o8OaGOpZHh/Nla7TJTnaSCgJw9QPfFoRNiE9f46LytXYThiCGBdy3Z3gtNmSX5BQk1zNI1TiHBFG4IYfauq7e6jJ4Bp/9z3LRknDITdlLjzAPjIO5kUG95IrQQCl3SeAjS+LwxPFRuV1+zWNdOXJLmSeWv1JcAcyhkwutMhQYRGMaS09bbXp29N8DX3lsAK9pYZLr5F3gXwOrZN7nG4+K0KOqfMI4UcLpIOlCPdj9XjgAYcWC+LL5bA0W53e7je3IDVebevDheKPowKK/A6le2TfqXKfhOVi4qXaEsjOBIJzLylOqXoAb1ZCM3nTHCC3M/r3/il+6RnFgISOCHezTiEYM,iv:0kAJzoV/HEIRuEAxzWAaQqwlzWlBSwklipWquF9WeoY=,tag:SCQOQCXm6kmLSYhkT6dubQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -10,50 +11,113 @@ sops:
         - recipient: age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3S0FqZWxDYmxHYU5FZVQz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZREpDaXVwSjBPZEtaUFU1
-            V2FZMFFSVXJubVRaNDZORDJPSXhHMnludmpRCjJrendscEdqU0p6K1R6eE9FUGtj
+            d1FTYnV1STlUdW5oeis4RStVckcvUFhPcndRCnNUdndTenhxN1M1STNlZmtqcWtI
-            RVB4Z3dlNHlBSHRhZ0ZMODdDRkN6ZFEKLS0tIFlzUStVWmhlYWExV1JscHE0KzhG
+            amkxZitGZ2p1ZlNTRFVaYkNvWWdnRkUKLS0tIExLYm5PYVI4aFViaER2L1dUOGMy
-            Vm1uUmhQRzAvL1YzTWVVbllRUlE2Z0EKwg6SBat+CG8E7/j7K0sakqGSyJYNzXqt
+            d05BTDlqanFMQ1hjazRLUUVlaXpHL2cK+kXvv9khiwYlBK+lmqgYmHNNjMXHU5FZ
-            b0DMsGq9GnHE1Ph6gGVVWO+pos/FGuunSDyL0lcXk9xJE02FErnw+w==
+            x5dpXndIiTRJ0cGtEgK78efbQmVNsHAae2X0E0IxbvrSe26S5PIbMQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNVl3ZTNGWGdMT280MnhQ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONXlpMm5KTmZuKysybU0z
-            R2RHTGRWVFpjMWltMDVIWk1YSUc2eEhjbWwwCnNiTjA4dUZuOU1tNTZtd240VXpU
+            OUJCMmdrZ0V4amI4NTNtOEFqSXVtbW92cjFVCmlCZGF4bXMycXhJS3h6OWVpV000
-            c0FKY3VoR1dYUVo1MDZjMEJ5MmhjeEEKLS0tIGhuT3k2VlFpTWpJdFJYM0JhZWtS
+            SjZuQUFxelVpT3BXOVh5eU1vYnNKMjAKLS0tIG1KYjZJU1dMd1Y3bmxWaDhOSEJn
-            dzNFb0FDcERGTFVUOTgxN3czTmRUME0KihoqiXkph3sNWTwn6tFi29z9jnht6JRT
+            SUp1akQ2bUU0VmQvVkhheXZ4Zk5jWVkKqJ12/g0H8l6WwpiHxA0K3g3Ry4dpPb/h
-            zOMNiaWjMHQ7GiR+Yv1JMWrEvKRrEjNaFXt89z0Ebx4llTtyH8W2fw==
+            2m84IYzpQA28BRCSHeIEeH1hQ1jU33/625XlNE1iJncPqu9YH5mXug==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWE91QUFmTzdEUjJ3TTFX
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLM3NCcGVPTS9hWHQvMCsv
-            Y2o0Yy9BZjdkc2VVcis4a3FlcDVScDF5eGwwCkZocDFIN3B5dHdNTDNaVXI2WHBF
+            RlJ5M0tVQWZIUm1tWSt2NlFVRGtHaTN1Rmd3CndVUHpEcU15S2lmbHpIY0h6WW1B
-            dDVXMDdvOXVBM3V1NW01YngzclJ1RXMKLS0tIDV5M2JURHkvWWFlbGtUNEhxZ2ZE
+            aEpRZVgzN0puRmlMNWNQNW94TXh6UUkKLS0tIEVXSVVVL2JaMGRFcldoVnZ1TFZz
-            RVlDMDgvNVFOamlFR1BZMUtrMzJ4N1UK6r7QbX3nEBu+S8e7oqCk3ys6hqXHkyW4
+            bzJ3UGl1aGpsa0FGSVkzeGRHZDJWdmMKZgg4UtokzNDBuVZYoyYirTI1NEC3QGmm
-            z4hWz1rr/23JpGR2ENRS+DpHRCRo4KKRhUx2hLc6C2XijNgD4YsUCA==
+            ilOukMvpTZFYtKbwWVOuB8kyeudlkupavzlnHYAGBbpMVccpPeZHAw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqelVSdDFFcVZxODBiVkEv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZ0tyczJoVzZxUmhIZG14
-            QUhYUzM5SDZLVWQ4YlB2UGorZWlidUhIa1N3Ck96TXFGTXBtSVFLdFY1b3BKK3g5
+            WDZjSlM0Q2F6VE9Yb1hRV0d5dGVoVmErVkJFCi9HbXdxZE9NZ0pLaFo1Nlk5QjRV
-            ejZFTkZOTDdqdHFsWmRKNEcyaUZZWW8KLS0tIDJtL2JaRE5XaHNvYW9HMFYrbTFP
+            TSsrMlFqV2Z0OVlWVjRnYXpyTlNWdUUKLS0tIGZ5M2ZEWFR0NDNQUFQxMW1tTXlP
-            NUFlUTVvQVdiTlBZOVZqSjA1ODNhUHcK8hnqUuHjUgjF8nbZgY4BTkk58BbRCYWV
+            dDRaYnFZajR2S3ZoZ1FFWURYVFVpSFkK8YuczSfs+j3dL1OT4sr2/kfdAxPRstJj
-            NOPw/jUdEZBRoTJqoEdOLAtW/x1h7Xo+mpVuDW0K7h07LiaU7FL8xQ==
+            SeDlvg4C0e2wKrqj0QwjN5oz8t21ELerXska7yZ3cod5gaQcFxB44w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBNWlKeHh6UjNIRTAycEJ1
+            UVhJMi9CUVBsVld3YlBEYjVwaWE0T2V0cFJzCnpEb2ZxNkNwMDBDQ3JsQXVjY1lS
+            eFhqSkcvenkvOHNOclI3dkc5NytmQjAKLS0tIHkrc3ZEQjhJVVZlZWVJMVE0b0x5
+            QkxVMkhOK2hUS0lQVGlXYXUrVm1LVFkKyFIvkGHeykZBib8gNln1mEHtU5+Xr9rC
+            RpphkvAU9AA4J5/LXQs3To/WzTg9gt2fSxtrwk9TLheheRfUcHDuRQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aENxNUpXUUxTcEZobkpW
+            SFo1UWlUSXRWbzF2bWp6WU9Idi93OWQvdGl3Ck1rdlNYZFR5dThKa3NaVFU4NWY4
+            dTdUNUdEQ1hkWkRsT0dNbVVqMytnTXcKLS0tIExXZlgydnhXTktyeDNrZmg0RFlt
+            QXAzNGk3MmRCSng2SlN5bGdiSTlJRTQKXy5hTxS47WVjw1ILaaNfMaW7YMIS3FGP
+            hvYeGGL2WHstUapyYb/Rgn46KJgk1gfDchYyHq+06SkpZRaUzCBDUw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYWl1NUQzMElhbFBrbVBu
+            eURzOGFJSW85dFMzLzR4M3UvOVhQUGYvS0ZRCm1qYXJTUnpUcUVWUTFtRWQ2OHBO
+            UVg2UC9OSDJkL21vV3VNV0l1Z3ZHcHcKLS0tIDhVaGpFZ1djSnFaRnVKckxtQU0z
+            YlAyNGxsYno2U1NIMDVtVXJwcFA0ZWsKdNW5iANSWOGdSRYeBf/+/gtk7b+IN/ir
+            lo1HtaIT1a5tA28JfAo6ixIKdF5nnSIunM6Z0JlF9zKuJbBOmdVbHw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWDd5Yk1pNGZ0UHRrc3lu
+            WWlPZTd5bFIvNVBqTWplR3NzdS8rQ0gyZVdVCkUvMEg5eWxCWHNyYTcvMFd6ek9y
+            Z0RudTRHanlTTVhYZDBuMkpsYTcwWjAKLS0tIGtDemJabDRVakJxMUdVUWQ2VjIv
+            NTBabFVLNENzWlNoUmZSUXU2eEJtdEEKuOXBlsIBsgjQvRZ4fKdoLfs1gqZYa4og
+            9o/mo+ciXYU3xPPOhnd/OTar/8pBpCBBCO0Ag+1Me/dVYbA0s8Jvvw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUnNZSEtpb0JVOTVjazFB
+            NHdXSnVxRm4vaXN6VE5leGU1Z1JGOHFEUUNVCnNwdUxweTVlanR2ODdvTzlDWkZR
+            NWVsY0k3WmFOWktsUVJGT1p6QUlKbGsKLS0tIEtnRVdxeWVYd29XZHVQWmZCNnhE
+            OElkbHNtUG1ncXdQWEpOcDNMeUg1d0EKF9OjITJDrkfZA2wI6Gm+0+MTDw4OPkQt
+            SDbNe5Gllo8BC1jTRM3H+uxsQ5L0TRrwnrSxNYjNdDIRHMrIxi3qcg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVk12WUxKdWdDVWRCU1dk
+            VkhNZWhNeWJ6OWJJaWdXNFZwRlZMT0lOTFdJClRyYkQvank0cGlZSzJGaE1LVVpO
+            VURjMnBIY3VvMkVnbzlJVGF0dU1FR2MKLS0tIHZlV0U4azN4aEVRU1YzWDN6U3Nz
+            YlIzbFBDd1pqMTVQa0diYnZjRmRRa2MKcPAvAB0B/zNj+mcavMkJdksWl8o1j8oQ
+            gGG8xdIEPT9wjfbL75IvHOy/7TKJR0uVomD8IB4QuVi1MxJh6jNJQw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbmxpNlZvV2JWYmRJS3lq
+            Um5GVDQ0ampMTDdzZHB1RFFqZ012bFZMd3g4CjdoMzdOUXhtSEF4Tjk1UTJlNGNG
+            TzAwSDAvK3VCL3ZheW1HOHFCclU0OEkKLS0tIDY5anhYeTQ5RGxNUlZNRXg5Rm1o
+            QVk5dm5RaWpocUZrWk02Slg3N2lONjAKxWKAmAHt9x2T/9bh2mnQIF03ufffO9wF
+            79jffMh/3GyX5Pk0IbjMWwOn7ahQWOEgD58C1Lja2wpixLdwb0wgfA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UDNVSG9Fb01YSWJTdXRD
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcUJUTFRrZmxiN1MrZkZB
-            UFB1dWhpRUFhWmMwTzdHeTNRdlg2YXd1ZnlnCndBRXBpMTJWdFRsMVNYeDBBY2g2
+            V2FjSlM5ZUxyUFZMKzRoYzY1M0plcmhjckJ3CjBhY0VRT2VMRUR2N01YZWZVRkJk
-            ZEZKTEw4dHpHSlFNT1BsSXQvaCs4MDQKLS0tIDg3YUlJYU1nUjRTTGtIeTJBVEhR
+            VEdqSTNvLzNBOElZVVUxZ0VBekx6RnMKLS0tIHNtVlA4V1R2bkFBaVJMYkk3eUNm
-            SjZLWG4xNmxoSmtaTFZweEd3TDJ2QUkKcI4MdgglGFJT58ugHebiE6YQUehEomnH
+            TjhQY0VoNU91Zi96VzZGaitsWHptT0UKZ3Vx/iqilkHrFkAbaSeJZNmSOzXvMDX6
-            qPZdH0SZAtJxBPqt78wJqvndR5INt5HBmLtXMDLLEk8o43lqfIkK5Q==
+            HhcXrrq+sVjnq0XhOqWVY72h8Hp3d0JWA9VOxNQRyM9hdVENXur8YA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-21T22:00:22Z"
+    lastmodified: "2024-07-10T20:44:49Z"
-    mac: ENC[AES256_GCM,data:wnRif4PVGh1P29ZXv1XPF4GdFFhrsRkYmdlun4WsLDFs0Y3xIjPQRScAbDzPnhY6vaiGKZfx0+RZHHMMFyVCz4bmo85MzGuF9H2QECBfWBNgCNCKXqz7pLQHA4c0u9jiatuc9PVc42RokJ+rITn1cWV9tLGot98ealpYkJbN91w=,iv:EL2Y5WZtWB6IRwnrGmWV5QO3XiPOB8IJkATbZTY1/oY=,tag:/z3ULuFshOw/ed+G3W8OmQ==,type:str]
+    mac: ENC[AES256_GCM,data:tSTKCP7HUUCSCrbeiLutPghjfbL9TsxuCmbARUqwQBH8pyeOsyFHyPCqmqjCDSu2ha0QTldNGM9baiIQa/05DV5KNmFfVuoWy6dd4/3L5yNd3FPkzR2SvBua1g09YZpC1G2IaGrOcqBEOY9baILeBGgXfxRtcpMVAR2C3bOqJyQ=,iv:4phBdZ/4u5DAbUn4Z7pdrJym+iG9oxZSsIPZqoDEqco=,tag:RJn0416yl+0FV9bTu5tA5w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

tests/liam.nix

@@ -1,4 +1,52 @@
-{ pkgs, nodes, ... }: {
+{ pkgs, nodes, lib, ... }: let
+  certs = import ../deterministic-certs.nix { nixpkgs = pkgs; };
+  relayDomain = "relay.test.example.com";
+  rootCA = certs.selfSigned "liam-test" { ca = true; cert_signing_key = true; cn = "Liam test CA"; };
+  relayCert = certs.caSigned "liam-relay" rootCA {
+    ca = false;
+    signing_key = true;
+    encryption_key = true;
+    data_encipherment = true;
+    tls_www_client = true;
+    tls_www_server = true;
+    cn = relayDomain;
+    dns_name = relayDomain;
+  };
+  relayUser = "foobar@shelvacu.com";
+  relayPass = "asdfghjkl";
+  relayPassFile = pkgs.writeText "relay-password-file" "${relayUser}:${relayPass}";
+
+  testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
+  testAgeSecretFile = pkgs.writeText "test-age-key" testAgeSecret;
+
+  sopsTestSecrets = {
+    "dovecot-passwd" = (lib.concatStringsSep "\n" (map (name: "${name}:{plain}${name}::::::") [ "shelvacu" "julie" ])) + "\nbackup:::::::";
+    dkim_key = ''
+      -----BEGIN PRIVATE KEY-----
+      MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANn62hMdcFw4znAB
+      CKth6N4JD8XrNezCYbvyrUcVpGkkMX3TC9sEyZgGV6Y2Cs/J2Q6jKakC47nXebzV
+      Edk/kWsApj4J7PQl4t/G3vf1rdfICQx1pIspsmqQKsYugUG18EugEZzelai3+n4U
+      wqsed4551aRtwaws8dJQePOEEq1BAgMBAAECgYEAummKgXpVkqiJ8sMPlPEgYnHB
+      aXLjJNx/FGpOwVHCzp/DK2WG6ADKHhaecmgZCuYFmDz07bKo6U9arqBQqUdxpUor
+      JT2SS9RFP5MTsTB6R+eRqX8oMRQhcXB/+MczoSV/087vIZsL3L//6XoGyvjuHKW/
+      bvUR/F8PhB84uPU6RLkCQQDzXXj80iRhY6jHDwqoGf3BXd4O4cIAzPbBXN0W41fV
+      L5ZBm0K0KAgLnyjVygbsSn6lXsZXzAa/wAbSstMeCn7PAkEA5Uv88nfZSLU99XvF
+      WB9GD7lKXsAnWlf09F8hH4a1TH/zfGUCxrDdYNmdBdG6t0XuIVjay3TZcpW68Z2Q
+      lLeW7wJACj7KJCKYo3z1kwPAGBmYBDb2bTv11eDLFpLZP+hsPy5UrghiQ4FX7V1S
+      88Ugi3wLXtzhjrqpIhNsdhxPJPmeIwJAVpx8YE4a+hbT340v/thZS4ku6Vllw/9j
+      XIcuaM0mYE4Yd81j3g9in7mzUUZmY+H7UAdTJfTuShT6t1dQDIzIawJBAIJ+azsj
+      H5M2KsE3Nuxe3RODM/D4I5M5dngTkgNZQvUAywAyj9U39ZeFPEyXJyGkKNoR2CXB
+      hCvgabgr0wsi1y0=
+      -----END PRIVATE KEY-----
+    '';
+    relay_creds = "[${relayDomain}]:587 ${relayUser}:${relayPass}";
+  };
+  sopsTestSecretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" (builtins.toJSON sopsTestSecrets);
+  sopsTestSecretsFolder = pkgs.runCommand "test-secrets-encrypted" {} ''
+    mkdir -p $out/liam
+    SOPS_AGE_KEY="${testAgeSecret}" ${pkgs.sops}/bin/sops --verbose  -e --age "$(echo "${testAgeSecret}" | ${pkgs.age}/bin/age-keygen -y)" ${sopsTestSecretsYaml} --output-type yaml > $out/liam/main.yaml
+  '';
+in {
   name = "liam-receives-mail";
 
   nodes.ns = { lib, nodes, ... }: let
@@ -12,8 +60,9 @@
       master = true;
       file = pkgs.writeText "root.zone" ''
         $TTL 3600
-        . IN SOA ns. ns. ( 1 8 2 4 1 )
+        . IN SOA ns. fake-hostmaster.example.com. ( 1 1 1 1 1 )
         . IN NS ns.
+        ${relayDomain}. IN A ${nodes.relay.networking.primaryIPAddress}
         ${lib.concatMapStringsSep "\n"
           (node: "${node.networking.hostName}. IN A ${node.networking.primaryIPAddress}")
           (builtins.attrValues nodes)
@@ -21,26 +70,61 @@
         ${lib.concatMapStringsSep "\n"
           (d: ''
                 ${d}. IN  A ${nodes.liam.networking.primaryIPAddress}
-                ${d}. IN  MX  ${nodes.liam.networking.primaryIPAddress} 0
+                ${d}. IN  MX 0 ${d}.
                 ${d}. IN  TXT  ( "v=spf1 mx -all" ) ;
                 ${liam_config.services.opendkim.selector}._domainkey.${d}.  IN      TXT     ( "v=DKIM1; k=rsa; "
-                  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ+toTHXBcOM5wAQirYejeCQ/F6zXswmG78q1HFaRpJDF90wvbBMmYBlemNgrPydkOoympAuO513m81RHZP5FrAKY+Cez
+                  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ+toTHXBcOM5wAQirYejeCQ/F6zXswmG78q1HFaRpJDF90wvbBMmYBlemNgrPydkOoympAuO513m81RHZP5FrAKY+Cez0JeLfxt739a3XyAkMdaSLKbJqkCrGLoFBtfBLoBGc3pWot/p+FMKrHneOedWkbcGsLPHSUHjzhBKtQQIDAQAB" )
-0JeLfxt739a3XyAkMdaSLKbJqkCrGLoFBtfBLoBGc3pWot/p+FMKrHneOedWkbcGsLPHSUHjzhBKtQQIDAQAB" ) '')
+              '')
           liam_config.vacu.liam.domains
         }
       '';
     }];
   };
 
+  nodes.relay = { lib, pkgs, config, ... }: let
+    mailpit = pkgs.mailpit;
+    dir = "/var/lib/mailpit";
+  in {
+    networking.firewall.enable = false;
+    users.groups.mailpit = {};
+    users.users.mailpit = {
+      isSystemUser = true;
+      home = dir;
+      createHome = true;
+      group = config.users.groups.mailpit.name;
+    };
+    systemd.services.mailpit = {
+      environment = {
+        MP_DATABASE = "${dir}/mailpit.db";
+	MP_SMTP_TLS_CERT = relayCert.certificatePath;
+	MP_SMTP_TLS_KEY = relayCert.privateKeyPath;
+	MP_SMTP_REQUIRE_STARTTLS = "true";
+	MP_SMTP_BIND_ADDR = "0.0.0.0:587";
+	MP_SMTP_AUTH_FILE = "${relayPassFile}";
+	MP_UI_BIND_ADDR = "0.0.0.0:8025";
+      };
+      serviceConfig.ExecStart = "${mailpit}/bin/mailpit";
+      # serviceConfig.Restart = "always";
+      serviceConfig.User = config.users.users.mailpit.name;
+      serviceConfig.Group = config.users.groups.mailpit.name;
+      serviceConfig.AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+
   nodes.liam = { lib, ... }: {
     imports = [ ../liam ];
+    vacu.underTest = true;
+    #systemd.tmpfiles.settings."69-whatever"."/run/secretKey".L.argument = "${testAgeSecretFile}";
     systemd.services."acme-liam.dis8.net".enable = lib.mkForce false;
     systemd.timers."acme-liam.dis8.net".enable = lib.mkForce false;
     systemd.services."acme-selfsigned-liam.dis8.net".wantedBy = [ "postfix.service" "dovecot2.service" ];
     systemd.services."acme-selfsigned-liam.dis8.net".before = [ "postfix.service" "dovecot2.service" ];
-    # sops = lib.mkForce {};
+    vacu.secretsFolder = "${sopsTestSecretsFolder}";
-    vacu.secretsFolder = ./test_secrets;
+    vacu.liam.relayhost = "[badhost.blarg]:587 [${relayDomain}]:587";
-    sops.age.sshKeyPaths = [ ./test_key ];
+    system.activationScripts.sopsHack.text = "ln -s ${testAgeSecretFile} /run/secretKey";
+    system.activationScripts.setupSecrets.deps = [ "sopsHack" ];
+    sops.age.keyFile = "/run/secretKey";
     services.do-agent.enable = false;
     virtualisation.digitalOcean = {
       seedEntropy = false;
@@ -52,7 +136,8 @@
     services.dovecot2.enableDHE = lib.mkForce false;
     security.acme.defaults.email = lib.mkForce "me@example.org";
     security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only
-    networking.nameservers = lib.mkForce (lib.singleton nodes.ns.networking.primaryIPAddress);
+    networking.nameservers = lib.mkForce [ nodes.ns.networking.primaryIPAddress ];
+    security.pki.certificateFiles = [ rootCA.certificatePath ];
   };
 
   nodes.checker = { pkgs, lib, ... }: {
@@ -60,12 +145,15 @@
       pkgs.wget
       pkgs.python311Packages.imap-tools
       pkgs.python311
-      (pkgs.writeScriptBin "mailtest" ''
+      (pkgs.writers.writePython3Bin "mailtest" { libraries = with pkgs.python3Packages; [ imap-tools requests ]; } ''
-      #!${pkgs.python311}/bin/python
+        # flake8: noqa
-      import sys
+        # #!${pkgs.python311}/bin/python
-      sys.argv.insert(1, "${nodes.liam.networking.primaryIPAddress}")
+        import sys
-      sys.path.append("${pkgs.python311Packages.imap-tools}/lib/python3.11/site-packages")
+        sys.argv.insert(1, "${nodes.liam.networking.primaryIPAddress}")
-      ${builtins.readFile ./mailtest.py}
+        #sys.path.append("${pkgs.python311Packages.imap-tools}/lib/python3.11/site-packages")
+        #sys.path.append("${pkgs.python311Packages.urllib3}/lib/python3.11/site-packages")
+        #sys.path.append("${pkgs.python311Packages.requests}/lib/python3.11/site-packages")
+        ${builtins.readFile ./mailtest.py}
       '')
     ];
     networking.nameservers = lib.mkForce (lib.singleton nodes.ns.networking.primaryIPAddress);
@@ -83,8 +171,16 @@
 
     liam.wait_for_unit("postfix.service")
     liam.wait_for_unit("dovecot2.service")
+    relay.wait_for_unit("mailpit.service")
 
     checks = """
+      --submission --mailfrom me@shelvacu.com --rcptto foo@example.com --username shelvacu --expect-mailpit-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025
+      --submission --mailfrom me@dis8.net     --rcptto foo@example.com --username shelvacu --expect-mailpit-not-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025
+
+      # julie's emails should NOT get sieve'd like mine
+      --rcptto julie@shelvacu.com --username julie --imap-dir INBOX
+      --rcptto julie+stuff@shelvacu.com --username julie --imap-dir INBOX
+
       # test the sieve script is working
       --mailfrom whoever@example.com --rcptto sievetest@shelvacu.com --username shelvacu --imap-dir com.shelvacu
 
@@ -102,6 +198,7 @@
       --mailfrom julie@shelvacu.com --expect-recipient-refused
       --mailfrom @vacu.store --expect-recipient-refused
 
+
       --submission --expect-recipient-refused --mailfrom julie@shelvacu.com --username shelvacu
       --submission --expect-recipient-refused --mailfrom fubar@theviolincase.com --username shelvacu
       --submission --expect-recipient-refused --mailfrom fubar@vacu.store --username julie
@@ -112,6 +209,7 @@
       --submission --mailfrom foo@vacu.store --rcptto foo@example.com --username shelvacu@shelvacu.com --password shelvacu --expect-sent
       --submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie --password julie --expect-sent
       --submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie@shelvacu.com --password julie --expect-sent
+
     """
     for check in checks.split("\n"):
       check = check.strip()
@@ -120,4 +218,4 @@
       res = checker.succeed("mailtest " + check.strip())
       print(res)
   '';
-}
+}

tests/mailtest.py

@@ -5,6 +5,7 @@ import time
 import ssl
 import argparse
 import uuid
+import requests
 
 parser = argparse.ArgumentParser()
 parser.add_argument('host', type = str)
@@ -24,6 +25,9 @@ parser.add_argument('--expect-recipient-refused',
 )
 parser.add_argument('--expect-sent', dest = 'expect', action = 'store_const', const = 'sent')
 parser.add_argument('--expect-imap-error', dest = 'expect', action = 'store_const', const = 'imap_error')
+parser.add_argument('--expect-mailpit-received', dest = 'expect', action = 'store_const', const = 'mailpit_received')
+parser.add_argument('--expect-mailpit-not-received', dest = 'expect', action = 'store_const', const = 'mailpit_not_received')
+parser.add_argument('--mailpit-url')
 
 args = parser.parse_args()
 
@@ -41,6 +45,9 @@ if password is None:
 if (username is None or password is None) and (args.submission or args.expect == 'received'):
     assert False, "Bad args"
 
+if args.expect.startswith("mailpit_") and args.mailpit_url is None:
+    assert False, "Bad args"
+
 msg_magic = str(uuid.uuid4())
 
 def mk_ctx():
@@ -68,6 +75,19 @@ except smtplib.SMTPRecipientsRefused:
 else:
     assert (not args.expect == 'recipient_refused'), "Server was supposed to reject this message, but it didn't"
 
+if args.mailpit_url is not None:
+    time.sleep(3)
+    mails = requests.get(args.mailpit_url + "/api/v1/messages").json()
+    found_message = False
+    for message_data in mails["messages"]:
+        if msg_magic in message_data["Snippet"]:
+            found_message = True
+            break
+    if args.expect == 'mailpit_received':
+        assert found_message, "Message not received by mailpit server"
+    else:
+        assert not found_message, "Message was received by the mailpit server when it wasn't supposed to be"
+
 if args.expect == 'received' or args.expect == 'imap_error':
     time.sleep(3)
     try:
@@ -93,4 +113,4 @@ if args.expect == 'received' or args.expect == 'imap_error':
     except imaplib.IMAP4.error as e:
         assert args.expect == 'imap_error', f"IMAP error: {e}"
     else:
-        assert not args.expect == 'imap_error', "Expected an IMAP error, but didn't get one"
+        assert not args.expect == 'imap_error', "Expected an IMAP error, but didn't get one"

tests/test_secrets/liam/main.yaml

@@ -1,4 +1,4 @@
-dovecot-passwd: ENC[AES256_GCM,data:OPlQGFnkklEQvFpQM3jrdHB1p1zM+n76TCCaLmM/DOYlJ6W3+8bGt4i1JJq+FbA05RiX0Yhpv5s=,iv:R47TNT306RVrAPSRpK5TjUoWJF4nXnBvpDpIhwpdxWg=,tag:iKTUIoano0Bcxjkb2VQeuA==,type:str]
+dovecot-passwd: ENC[AES256_GCM,data:Ji41+n/7D90/O/LVM+3FDNACZ6jJPT6QYVIGWLujCheIY8m6vaRmMXzPCTgbK+njDOfIv7O2Sko15U4CYqWXAi3P43Np8GKRcv5+4NE=,iv:o6+tYBHSB3reRIqvFGB39wHk3G1L5VKmkj9Fiinnvnw=,tag:wggoNMvAYyJzkh73C3bMHw==,type:str]
 dkim_key: ENC[AES256_GCM,data:nzujLrGttOL38d8mxglUcAQ9EO+sL2Gh75E4Wyt6siviFEpx5ZIpXkaC9XXmD2f6Ax4BHF8FTOB1cX0dLrRYp9gNOV007CsVUWpYf34H/J5bOUo1j+urYtbtA5Idu8FoUC3ENg5Ap4CId7jTtxQ9PlS9vTKQ2T2tIqmvXGE0t0aowUdJJdPfJLN1lMENY+/m9NxwArF06K/75BAX9LaxhNDzUHNwV9PK+htD9M1g0r7McbLtZpPut8tdkzOWGiUHIisPpXSTUk8LjrFY36DNngcXAyiRZtp6WrhINVABRKMVf92dYUQixpf6r7BkCkyRT60rAHz5UbWHI/saYHgXlH2OGK5hyZZ4JueAHU2Y7Hpvbw3UIG9jumdDcRda5W0WycJyGS4a5YZST907eDP4PuZayHOmp288Cuyc+kXOxvuCGjqiuZswokj4Ba4hIUUNJU1Ys4THYrf+j+iX0nKclGS+LXvqQI1cKUE3gBecxE2SW3BNzIOGh/ywO1kg2uZlUPpfGBr+Aupke/nULcGi2HVwX5EV47jpDyoqIEiVCy3OYSeQ2gkocIQ/y74fNMoud4kWmye8bAhprxVUHHes2TBjBb6QxQdmazjhAiCvgSI3p43QlSG2fqtQMcXMiANra1heRHHsOS8GKWk/ti9/k3/0YWycXcawYE8lpg/efpBPWkgWQ+NDUxcJBbWCKbkvA2DEfoSluwcGuxUjWGa27SKaCVX/LNAUDvXcw82F61XsTpoK2i0pme7pIZeF1bfbKyPxDnpWKoLoL2i2HchD1B5AEemr+eKh3kPGqpY3SNfqPFyUYN34Fea/gg/eM1Jw/ORWGNxMwg882a/NQLRzjjseQsPEI0r0o8Xba1KqGP1mMhursrOFVRz9xXG7l5oXhx0+GsscKDnP40CXJBMf6r2tEZobrR8NagV4/Mh4r2+zYw12KwwYZ5drmS1b0ftrLZLSugJopgLaQqYC3OAnmdW1MOkNoQSWv9Y5NaPERpMQ9BJcPcGM3W3+AyEz3zRSlFQFnjZO6kk37dFz1KVbbXkrFTXhDpGw/Z/RCMdzv6eyhPqcSSccisaOxDtlLQXy95G6tOcpJV7u7qu1LzQDehyZnBjasqMQVpCJw1Q9GRxnSBjpVKzN07dEkzXqcZHh67kPR/aoH8jzbfNq5YDQ6nxK0INcSyCzJe4w18JbY5Wq0F5U0OeYwYAwHoIV/nbMdptyyw==,iv:ol3dz4SomkwyN2s4tPWDCJEYdnMuZTvHppUA95Nz3+8=,tag:IlZBYvM8e3COjxZ/dxJT7Q==,type:str]
 dkim_pub: ENC[AES256_GCM,data:tigMKTZ5XiDViSez2WKfUPBkw9OtLKrEBrbp/I3tUk+mu7RR2YIaQEWfTH0EOzPMpDEIJ32pwlqicGQZdTf7WdpELcJZgbxKpWPWgTzjwHasgs38aJh2JIIoIuFwa1YgEuRGtSl7YT47WDhTTGbFFdvaKBlIe7vipgkFSxNX1NKGNgdkkcVczvlVgWKqbp05zzUlav1XEwBhd+3eTgPQFptYyvQbIFasiunrHBT8cbm+CQ/O8q90lUkoVrmQUu3XG6njDMa4pNULUJqsUogCyYgm/aDMdx7AN29daCbgj99g/hjnQrBFajJCzNyG36XrzQdZJGiG0AgG1oWAq98boNFxC5ux4eBDmT946FyxXFNwyZpu1p2naHkBlE01duCBS4PUuQFlw9tsCYOuL+xGR3paBafTcL6X67w=,iv:lXFMxiePwivoyQxuQu+hEHeuU0z85fJk9y7296oJNl8=,tag:0QknKaFPpNHo2v0feR+jAQ==,type:str]
 sops:
@@ -16,8 +16,8 @@ sops:
             T3dqdEJxRmkvSStuK1NmRWJkN1psWWsKuNdc6DHXXEcn63CZv/5lE30MAagPfHO0
             GDOLTLCLDzNvKmd5i9dNuYBrD1JeyotNId6E4w/3oYxCFJ56SsH32Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-21T22:00:58Z"
+    lastmodified: "2024-06-28T22:08:15Z"
-    mac: ENC[AES256_GCM,data:147XZroz5psp5Q5zGz19FZNPFr01wPGM0ivxbNVu9IcuUPw5dhnSaFQTvdYKfZPLSW2dwMJ2sPA5NAxxW0zQTh3d4vjirJ7GVj07Fn+ipL/X+wZKM42HjNSEw9IdAD5OIArZ8XjZcC+AGu7C4wHHf43uOEu7ZbWYx9Kbq+cJGbk=,iv:V9GHCN0NPWaRZOmoWhKA5fHwfKfrdays3ODfiTBrbo8=,tag:JwiHjHEjTDc6XRqtn0Aqwg==,type:str]
+    mac: ENC[AES256_GCM,data:G7ceHgkxOv1xinx2Oc5kWCDs5njnf/uUyHlOddzM8RBZTcBp4RVB6NJb3ERFpHlEBXtO5EXnXm2ggK9cfxH9BKL/4tZeFQDqT9QcwFvtynQbCcOmBi3ffrkt4uXKwOIpVZyT8bz8GYueLq/fu2fIHwjZ7Ll43Gn2Sp6gQuvFSuo=,iv:wg88Qpn5cIIr9tXUkc/WxfMDt/SHbA09CRCCv/FwUVU=,tag:QiG5ERsym5kl2g11LK0onw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

tests/triple-dezert.nix

@@ -28,6 +28,7 @@
     );
   in {
     imports = [ ../triple-dezert ];
+    vacu.underTest = true;
     systemd.services = disableAcmes // reEnableSelfsigned;
     systemd.units = disableUnits;
     #vacu.secretsFolder = ./test_secrets;
@@ -93,4 +94,4 @@
     triple_dezert.wait_for_open_port(80)
     triple_dezert.succeed("curl -vv http://shelvacu.com/ --resolve shelvacu.com:80:127.0.0.1")
   '';
-}
+}

triple-dezert/database.nix

@@ -53,10 +53,10 @@ in
     services.postgresql = rec {
       enable = true;
       package = pkgs.postgresql_16;
-      dataDir = "/trip/pg/data/${package.psqlSchema}";
+      dataDir = "/var/postgres/data/${package.psqlSchema}";
       enableJIT = true;
       initdbArgs = [
-        "--waldir=/trip/pg/wal/${package.psqlSchema}"
+        "--waldir=/var/postgres/wal/${package.psqlSchema}"
       ];
       ensureUsers = [
         {
@@ -76,4 +76,4 @@ in
 
     systemd.services.postgresql.postStart = "\n#START stuff from database.nix\n" + (concatMapStringsSep "\n" (d: ''$PSQL -tAc 'ALTER DATABASE "${d.name}" OWNER TO "${d.user}";' '') databases) + "\n#END stuff from database.nix\n";
   };
-}
+}

triple-dezert/default.nix

@@ -1,7 +1,7 @@
 { config, pkgs, inputs, lib, ... }: {
   imports =
     [
-      ../common-nixos-config.nix
+      ../common/nixos.nix
       ./hardware-configuration.nix
       ./awootrip.nix
       ./frontproxy.nix
@@ -15,12 +15,16 @@
       #./vms.nix
       ./networking.nix
       ./devver-host.nix
+      ./emily.nix
+      ./jellyfin.nix
     ];
 
   system.nixos.tags = [ "host-${config.networking.hostName}" ];
 
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
+  #todo: increase boot partition size
+  boot.loader.systemd-boot.configurationLimit = 10;
   # The first thing to complain was redis in the vacustore container:
   #
   #   WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
@@ -34,14 +38,23 @@
 
   services.xserver.enable = false;
 
-  environment.systemPackages = with pkgs; [
+  vacu.packages = with pkgs; [
     zfs
     smartmontools
     openvpn
     nvme-cli
     tshark
-    postgresql_16
+    config.services.postgresql.package
+    (pkgs.writeScriptBin "into-nix-cache" ''
+      if [[ $UID -ne 0 ]]; then exec sudo $0 "$@";fi
+      ${pkgs.nix}/bin/nix copy \
+        --no-update-lock-file \
+	--no-write-lock-file \
+        --to 'file:///trip/nix-binary-cache?parallel-compression=true&secret-key=/root/cache-priv-key.pem&want-mass-query=true&write-nar-listing=true' \
+	"$@"
+    '')
   ];
+  hardware.opengl.extraPackages = [ pkgs.intel-compute-runtime pkgs.ocl-icd ];
 
   services.openssh = {
     enable = true;

triple-dezert/emily.nix

@@ -0,0 +1,43 @@
+{ config, ... }: let
+  sshPort = 32767;
+  container = config.containers.emily;
+in {
+  networking.firewall.allowedTCPPorts = [ sshPort ];
+  networking.nat.forwardPorts = [{
+    destination = container.localAddress;
+    proto = "tcp";
+    sourcePort = sshPort;
+  }];
+
+  containers.emily = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.20";
+    localAddress = "192.168.100.21";
+    
+    autoStart = true;
+    ephemeral = false;
+
+    bindMounts."/emdata" = {
+      hostPath = "/trip/ncdata/data/melamona/files";
+      isReadOnly = false;
+    };
+
+    config = { config, ... }: {
+      system.stateVersion = "24.05";
+
+      services.openssh.enable = true;
+      services.openssh.ports = [ sshPort ];
+      services.openssh.openFirewall = true;
+
+      users.groups.emily.gid = 999;
+      users.users.emily = {
+        isNormalUser = true;
+	isSystemUser = false;
+        hashedPassword = "$y$j9T$gP2phgJ9iSH.tWROn/T2C1$dwifP4R4SY4Fyd6W4vZ7tMDFhZB7Cfji9QvporeKUXB";
+	group = "emily";
+      };
+      users.mutableUsers = false;
+      users.allowNoPasswordLogin = true;
+    };
+  };
+}

triple-dezert/frontproxy.nix

@@ -10,6 +10,7 @@ let
     "vacu.store"
     "jean-luc.org"
     "pwrhs.win"
+    "jf.finaltask.xyz"
   ];
 in {
   security.acme.acceptTerms = true;
@@ -71,6 +72,7 @@ in {
         "${outer_config.containers.nix-cache-nginx.localAddress}" = [ "nix-cache" ];
         "${outer_config.containers.jl-stats.localAddress}" = [ "jl_stats" ];
         "${outer_config.containers.static-stuff.localAddress}" = [ "static_stuff" ];
+        "${outer_config.containers.jellyfin.localAddress}" = [ "jellyfin" ];
       };
     };
   };

triple-dezert/haproxy-config.cfg

@@ -13,8 +13,8 @@ global
 
 defaults
   # https://world.hey.com/goekesmi/haproxy-chrome-tcp-preconnect-and-error-408-a-post-preserved-from-the-past-2497d1f7
-  timeout server 302s
+  timeout server 3s
-  timeout client 302s
+  timeout client 3s
   timeout connect 10s
   option http-ignore-probes
 
@@ -25,7 +25,7 @@ defaults
 
 frontend main
   bind :80
-  bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem
+  bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem crt /certs/jf.finaltask.xyz/full.pem
 
   mode http
 
@@ -36,12 +36,13 @@ frontend main
   # Check whether the client is attempting domain fronting.
   acl ssl_sni_http_host_match ssl_fc_sni,strcmp(req.host) eq 0
 
-  acl host_vacustore var(req.host) -m str "vacu.store"
   # acl host_auth var(req.host) -m str "auth.shelvacu.com"
-  acl host_cache var(req.host) -m str "nixcache.shelvacu.com"
+  acl host_vacustore       var(req.host) -m str "vacu.store"
-  acl host_stats_jl var(req.host) -m str "stats.jean-luc.org"
+  acl host_cache           var(req.host) -m str "nixcache.shelvacu.com"
-  acl host_tulpaudcast_jl var(req.host) -m str "tulpaudcast.jean-luc.org"
+  acl host_stats_jl        var(req.host) -m str "stats.jean-luc.org"
-  acl host_habitat_pwrhs var(req.host) -m str "habitat.pwrhs.win"
+  acl host_tulpaudcast_jl  var(req.host) -m str "tulpaudcast.jean-luc.org"
+  acl host_habitat_pwrhs   var(req.host) -m str "habitat.pwrhs.win"
+  acl host_jellyfin        var(req.host) -m str "jf.finaltask.xyz"
 
   http-after-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }
 
@@ -64,6 +65,7 @@ frontend main
   http-request allow if host_stats_jl
   http-request allow if host_tulpaudcast_jl
   http-request allow if host_habitat_pwrhs
+  http-request allow if host_jellyfin
   http-request return status 404 string "not found" content-type text/plain
 
   use_backend vacustore if host_vacustore
@@ -72,6 +74,7 @@ frontend main
   use_backend jl_stats if host_stats_jl
   use_backend static_stuff if host_tulpaudcast_jl
   use_backend habitat if host_habitat_pwrhs
+  use_backend jellyfin if host_jellyfin
   
 backend vacustore
   mode http
@@ -83,6 +86,11 @@ backend kani
   option forwardfor
   server main kani:8443 check maxconn 500 ssl verify none ssl-reuse
 
+backend jellyfin
+  mode http
+  option forwardfor
+  server main jellyfin:8096 check maxconn 100 proto h1
+
 # backend keycloak
 #   mode http
 #   option forwardfor

triple-dezert/jellyfin.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, ... }: let
+  name = "jellyfin";
+  contain = config.containers.${name};
+in {
+  
+  systemd.tmpfiles.settings.${name}."/trip/${name}".d = {
+    mode = "0755";
+  };
+
+  containers.${name} = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.22";
+    localAddress = "192.168.100.23";
+
+    autoStart = true;
+    ephemeral = true;
+    restartIfChanged = true;
+    bindMounts."/${name}" = {
+      hostPath = "/trip/${name}";
+      isReadOnly = false;
+    };
+
+    config = { pkgs, ... }: {
+      system.stateVersion = "24.05";
+
+      networking.useHostResolvConf = false;
+      networking.nameservers = [ "10.78.79.1" ];
+      networking.firewall.enable = false;
+
+      services.jellyfin = {
+        enable = true;
+	dataDir = "/${name}";
+      };
+
+      environment.systemPackages = with pkgs; [
+        jellyfin
+	jellyfin-web
+	jellyfin-ffmpeg
+      ];
+    };
+  };
+}

triple-dezert/jl-stats.nix

@@ -2,29 +2,8 @@
 let
 name = "jl-stats";
 contain = config.containers.${name}; 
-most-winningest = pkgs.callPackage ({
+pg = config.services.postgresql.package;
-  rustPlatform,
+most-winningest = inputs.most-winningest.packages."${config.nixpkgs.system}".default.override { postgresql = pg; };
-  fetchFromGitHub,
-  pkg-config,
-  openssl,
-  postgresql,
-}: rustPlatform.buildRustPackage rec {
-  pname = "most-winningest";
-  version = "69.420";
-
-  nativeBuildInputs = [ pkg-config ];
-
-  buildInputs = [ openssl postgresql ];
-
-  src = fetchFromGitHub {
-    owner = "captain-jean-luc";
-    repo = pname;
-    rev = "d203ae1b8dd450b281bc1b4bb2ae7518a5665352";
-    hash = "sha256-RDVIu4zU4BvsJ1Ek7SwlpvA7H48TlPTzTCvUk+9hZ74=";
-  };
-
-  cargoHash = "sha256-5Wbx/RBqtDmJUKdLXttryMuJfpkUJwRGTFYP3UFEPT0=";
-}) {};
 in {
   vacu.databases.${name}.authByIp = contain.localAddress;
 
@@ -86,6 +65,10 @@ in {
         timerConfig.OnBootSec = "5m";
         timerConfig.OnUnitInactiveSec = "1h";
       };
+
+      environment.systemPackages = [
+        pg #provides psql binary, helpful for debugging
+      ];
     };
   };
-}
+}

triple-dezert/vacustore.nix

@@ -31,8 +31,6 @@
       networking.useHostResolvConf = lib.mkForce false;
       services.resolved.enable = true;
 
-      systemd.services.nextcloud-setup.after = [ "network-online.target" ];
-
       services.nginx.virtualHosts."vacu.store".extraConfig = ''
         client_body_timeout 5m;
       '';
@@ -41,69 +39,69 @@
 
       services.nextcloud = {
         enable = true;
-        package = pkgs.nextcloud28;
+        package = pkgs.nextcloud29;
         configureRedis = true;
         hostName = "vacu.store";
         datadir = "/ncdata";
-        logLevel = 1;
         https = true;
         maxUploadSize = "1000G";
         database.createLocally = false;
 
         extraApps = {
           inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts;
-	  appointments = pkgs.fetchNextcloudApp {
+	  # appointments = pkgs.fetchNextcloudApp {
-            appName = "appointments";
+          #   appName = "appointments";
-	    url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
+	  #   url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
-	    sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
+	  #   sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
-	    appVersion = "2.1.4";
+	  #   appVersion = "2.1.4";
-	    license = "agpl3";
+	  #   license = "gpl3";
-	  };
+	  # };
           gpoddersync = pkgs.fetchNextcloudApp {
             appName = "gpoddersync";
-            url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.8.2/gpoddersync.tar.gz";
+            url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.9.0/gpoddersync.tar.gz";
-            sha256 = "sha256-eeBvRZUDVIaym0ngfPD2d7aY3SI/7lPWkrYPnqSh5Kw=";
+            sha256 = "sha256-wLiM8kv+HinOoAebarQ9MwuxqUpVeF0zS2RVYpAoYMI=";
-            appVersion = "3.8.2";
+            appVersion = "3.9.0";
-            license = "agpl3";
+            license = "gpl3";
           };
           webapppassword = pkgs.fetchNextcloudApp {
             appName = "webapppassword";
-            url = "https://github.com/digital-blueprint/webapppassword/releases/download/v23.12.0/webapppassword.tar.gz";
+            url = "https://github.com/digital-blueprint/webapppassword/releases/download/v24.6.0/webapppassword.tar.gz";
-            sha256 = "sha256-nQUHEm+cvTmRS2ECZK4lk7YAd+2gUYTFcu44A967kY4=";
+            sha256 = "sha256-x9uARo/VtkFLabif2/GZhs4cG6qmhAJs93dzhFFmhB0=";
-            appVersion = "23.12.0";
+            appVersion = "24.6.0";
-            license = "agpl3";
+            license = "gpl3";
           };
           # oidc_login = pkgs.fetchNextcloudApp {
           #   appName = "oidc_login";
           #   url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz";
           #   sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI=";
           #   appVersion = "3.0.2";
-          #   license = "agpl3";
+          #   license = "gpl3";
+          # };
+          # sociallogin = pkgs.fetchNextcloudApp {
+          #   appName = "sociallogin";
+          #   url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.6.3/release.tar.gz";
+          #   sha256 = "sha256-XHHD87InU9P5uq9zCJnFliHhWh5tpSpSnMMOfNgJKRw=";
+          #   appVersion = "5.6.3";
+          #   license = "gpl3";
           # };
-          sociallogin = pkgs.fetchNextcloudApp {
-            appName = "sociallogin";
-            url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.6.3/release.tar.gz";
-            sha256 = "sha256-XHHD87InU9P5uq9zCJnFliHhWh5tpSpSnMMOfNgJKRw=";
-            appVersion = "5.6.3";
-            license = "agpl3";
-          };
         };
 
         phpOptions."opcache.interned_strings_buffer" = "32";
         
         config = {
-          trustedProxies = [ outer_config.containers.vacustore.hostAddress ];
           adminpassFile = "/etc/admin_password";
           dbtype = "pgsql";
           dbuser = "ncadmin";
           dbhost = outer_config.containers.vacustore.hostAddress;
           dbname = "nextcloud";
           dbtableprefix = "oc_";
-          overwriteProtocol = "https";
-          defaultPhoneRegion = "US";
         };
 
-        extraOptions = {
+        settings = {
+          loglevel = 1;
+          default_phone_region = "US";
+          overwriteprotocol = "https";
+          trusted_proxies = [ outer_config.containers.vacustore.hostAddress ];
           allow_user_to_change_display_name = false;
           lost_password_link = "disabled";
           oidc_login_provider_url = "https://id.shelvacu.com/oauth2/openid/vacustore/";