stuff

2025-03-17 18:14:50 -07:00 · 2025-03-16 21:39:21 -07:00 · 2025-03-16 21:26:36 -07:00 · 2025-03-16 21:23:35 -07:00 · 2025-03-16 20:37:35 -07:00 · 2025-03-16 20:25:37 -07:00
194 changed files with 12937 additions and 2326 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-/result
+/result*
 .nixos-test-history
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,26 +0,0 @@
 shel_keys: &shel_keys
  - &pixel-termux age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
  - &t460s age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
  - &pixel-nix age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
  - &compute-deck-user age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
 machine_host_keys:
  - &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
  - &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
  - &liam age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
 the_test_key: &test_key age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w
 creation_rules:
  - path_regex: secrets/[^/]+$
    key_groups:
    - age: *shel_keys
  - path_regex: ^secrets/liam/
    key_groups:
    - age:
      - *pixel-termux
      - *t460s
      - *pixel-nix
      - *compute-deck-user
      - *liam
  - path_regex: ^tests/test_secrets/
    key_groups:
    - age:
      - *test_key
--- a/README.md
+++ b/README.md
@@ -1,13 +1,31 @@
-more just notes for now
+more just notes for now
-
+
-deploy:
+---
-
+
-```sh
+deploy:
-nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
+
-```
+```sh
-
+nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
-build flake on remote machine, including eval:
+```
-
+
-```sh
+---
-git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
+
-```
+build flake on remote machine, including eval:
 ```sh
 git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
 ```
 ---
 search for string in closure
 ```sh
 rg search_str $(nix path-info --recursive ./result)
 ```
 or
 ```sh
 rg search_str $(nix path-info --recursive .#qb.trip)
 ```
--- a/common-config.nix
+++ b/common-config.nix
@@ -1,288 +0,0 @@
 { config, pkgs, lib, inputs, ... }: let
  inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
  inherit (builtins) attrValues;
  cfg = config.vacu;
  knownHosts = attrValues cfg.ssh.knownHosts;
  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
  (h: assert h.hostNames != [];
    optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
    + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
  )) + "\n";
  packageNames = lib.splitString "\n" ''
    nixos-rebuild
    nano
    vim
    wget
    screen
    tmux
    lsof
    htop
    mosh
    dnsutils
    iperf3
    nmap
    rsync
    ethtool
    sshfs
    ddrescue
    pciutils
    ncdu
    nix-index
    git
    pv
    unzip
    file
    ripgrep
    jq
    units
    tree
    rclone
    iputils
    ssh-to-age
    sops
    inetutils
    neovim
    diffutils
    findutils
    utillinux
    tzdata
    hostname
    man
    gnugrep
    gnused
    gnutar
    bzip2
    gzip
    xz
    zip
    unzip
    openssh
    dig
    bash
    git'';
  plainPackageOpts = map (name: { name = name; value = { enable = lib.mkDefault true; }; }) packageNames;
  packageOpts = lib.recursiveUpdate (builtins.listToAttrs plainPackageOpts) {
    nix-search-cli.package = inputs.nix-search-cli.packages.${pkgs.system}.default;
    nix-search-cli.enable = lib.mkDefault true;
    nix-inspect.package = inputs.nix-inspect.packages.${pkgs.system}.default;
    nix-inspect.enable = lib.mkDefault true;
  };
 in {
  imports = [ ./package-set.nix ];
  options = {
    vacu.ssh.authorizedKeys = mkOption {
      type = types.listOf types.str;
    };
    vacu.ssh.config = mkOption {
      type = types.lines;
    };
    # Straight copied from nixpkgs 
    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
    vacu.ssh.knownHosts = mkOption {
      default = {};
      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
        options = {
          certAuthority = mkOption {
            type = types.bool;
            default = false;
            description = ''
              This public key is an SSH certificate authority, rather than an
              individual host's key.
            '';
          };
          hostNames = mkOption {
            type = types.listOf types.str;
            default = [ name ] ++ config.extraHostNames;
            defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
            description = ''
              A list of host names and/or IP numbers used for accessing
              the host's ssh service. This list includes the name of the
              containing `knownHosts` attribute by default
              for convenience. If you wish to configure multiple host keys
              for the same host use multiple `knownHosts`
              entries with different attribute names and the same
              `hostNames` list.
            '';
          };
          extraHostNames = mkOption {
            type = types.listOf types.str;
            default = [];
            description = ''
              A list of additional host names and/or IP numbers used for
              accessing the host's ssh service. This list is ignored if
              `hostNames` is set explicitly.
            '';
          };
          publicKey = mkOption {
            default = null;
            type = types.nullOr types.str;
            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
            description = ''
              The public key data for the host. You can fetch a public key
              from a running SSH server with the {command}`ssh-keyscan`
              command. The public key should not include any host names, only
              the key type and the key itself.
            '';
          };
          publicKeyFile = mkOption {
            default = null;
            type = types.nullOr types.path;
            description = ''
              The path to the public key file for the host. The public
              key file is read at build time and saved in the Nix store.
              You can fetch a public key file from a running SSH server
              with the {command}`ssh-keyscan` command. The content
              of the file should follow the same format as described for
              the `publicKey` option. Only a single key
              is supported. If a host has multiple keys, use
              {option}`programs.ssh.knownHostsFiles` instead.
            '';
          };
        };
      }));
      description = ''
        The set of system-wide known SSH hosts. To make simple setups more
        convenient the name of an attribute in this set is used as a host name
        for the entry. This behaviour can be disabled by setting
        `hostNames` explicitly. You can use
        `extraHostNames` to add additional host names without
        disabling this default.
      '';
      example = literalExpression ''
        {
          myhost = {
            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
          };
          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
          "myhost2.net/dsa" = {
            hostNames = [ "myhost2.net" ];
            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
          };
        }
      '';
    };
    vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
    vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
  };
  config = {
    vacu.packages = packageOpts;
    vacu.nix.extraSubstituters = [
      "https://nixcache.shelvacu.com/"
      "https://nix-community.cachix.org/"
    ];
    vacu.nix.extraTrustedKeys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
    ];
    assertions = flip mapAttrsToList cfg.ssh.knownHosts (name: data: {
      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
                  (data.publicKey != null && data.publicKeyFile == null);
      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
    });
    vacu.ssh.authorizedKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
 	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
 	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
    ];
    vacu.ssh.config = ''
      Host deckvacu
        User deck
      Host rsb
        User user
        HostName finaltask.xyz
        Port 2222
      Host awoo
        HostName 45.142.157.71
      Host trip
        HostName trip.shelvacu.com
        Port 6922
      Host liam
        HostName 178.128.79.152
      Host pluto
        HostName pluto.somevideogam.es
      Host *
        User shelvacu
        GlobalKnownHostsFile ${pkgs.writeText "known_hosts" knownHostsText}
    '';
    vacu.ssh.knownHosts = {
      #public hosts
      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
      #colin's stuff
      "uninsane.org" = {
        extraHostNames = [ "git.uninsane.org" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
      };
      "desko" = {
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
      };
      #daymocker's stuff
      "pluto" = {
        extraHostNames = [ "74.208.184.137" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
      };
      #personal hosts
      "zigbee-hub" = {
        extraHostNames = [ "10.78.79.114" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN root@zigbee-hub";
      };
      trip = {
        extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
      };
      servacu = {
        extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
      };
      finaltask = {
        extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
      };
      compute-deck = {
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
      };
      "2esrever" = {
        extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
      };
      awoo = {
        extraHostNames = [ "45.142.157.71" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
      };
      deckvacu = {
        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
      };
      liam = {
        extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
      };
      devver = {
        extraHostNames = [ "devver.t2d.lan" "10.78.79.10" ];
 	publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
      };
      fw = {
        extraHostNames = [ "fw.t2d.lan" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
      };
    };
  };
 }
--- a/common-nixos-config.nix
+++ b/common-nixos-config.nix
@@ -1,81 +0,0 @@
 { lib, pkgs, config, inputs, utils, ... }:
 {
  imports = [ ./common-config.nix ];
  options.vacu.acmeCertDependencies = lib.mkOption {
    default = {};
    example = ''
      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
    '';
    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
  };
  config = let
    for-systemd-services = lib.concatMapAttrs
      (cert: units:
        {
          "acme-selfsigned-${cert}" = {
            wantedBy = units;
            before = units;
          };
        }
      )
      config.vacu.acmeCertDependencies;
    for-security-acme-certs = lib.concatMapAttrs
      (cert: units:
        {
          ${cert}.reloadServices = units;
        }
      )
      config.vacu.acmeCertDependencies;
  in {
    console = {
      keyMap = lib.mkDefault "us";
    };
    vacu.packages."xorg-xev" = {
      enable = config.services.xserver.enable;
      package = pkgs.xorg.xev;
    };
    environment.systemPackages = config.vacu.packageList;
    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
    time.timeZone = "America/Los_Angeles";
    users.users.shelvacu = {
      openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
      isNormalUser = true;
      extraGroups = [ "wheel" ];
    };
    systemd.services = for-systemd-services;
    security.acme.certs = for-security-acme-certs;
    services.openssh = {
      # require public key authentication for better security
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      settings.PermitRootLogin = "prohibit-password";
    };
    nix.settings.trusted-users = [ "shelvacu" ];
    security.sudo.wheelNeedsPassword = lib.mkDefault false;
    programs.screen = {
      screenrc = ''
        defscrollback 10000
        termcapinfo xterm* ti@:te@
      '';
    } // (if config.system.nixos.release == "23.11" then {} else { enable = true; });
    programs.tmux.enable = true;
    programs.tmux.extraConfig = "setw mouse";
    programs.tmux.clock24 = true;
    nix.settings = {
      experimental-features = [ "nix-command" "flakes" ];
      substituters = config.vacu.nix.extraSubstituters;
      trusted-public-keys = config.vacu.nix.extraTrustedKeys;
    };
    nixpkgs.config.allowUnfree = lib.mkDefault true;
    programs.mosh.enable = lib.mkDefault true;
    programs.ssh.extraConfig = config.vacu.ssh.config;
  };
 }
--- a/common-packages.nix
+++ b/common-packages.nix
@@ -1,37 +0,0 @@
 { pkgs, inputs }: (with pkgs; [
  inputs.nix-search-cli.packages.${pkgs.system}.default
  inputs.nix-inspect.packages.${pkgs.system}.default
  nixos-rebuild
  nano
  vim
  wget
  screen
  tmux
  lsof
  htop
  mosh
  dnsutils
  iperf3
  nmap
  rsync
  ethtool
  sshfs
  ddrescue
  pciutils
  ncdu
  nix-index
  git
  pv
  unzip
  file
  ripgrep
  jq
  units
  tree
  rclone
  iputils
  ssh-to-age
  sops
  inetutils
  neovim
 ])
--- a/common/acmeDependencies.nix
+++ b/common/acmeDependencies.nix
@@ -0,0 +1,31 @@
 {
  config,
  lib,
  utils,
  vacuModuleType,
  ...
 }:
 let
  for-systemd-services = lib.concatMapAttrs (cert: units: {
    "acme-selfsigned-${cert}" = {
      wantedBy = units;
      before = units;
    };
  }) config.vacu.acmeCertDependencies;
  for-security-acme-certs = lib.concatMapAttrs (cert: units: {
    ${cert}.reloadServices = units;
  }) config.vacu.acmeCertDependencies;
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
  options.vacu.acmeCertDependencies = lib.mkOption {
    default = { };
    example = ''
      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
    '';
    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
  };
  config = {
    systemd.services = for-systemd-services;
    security.acme.certs = for-security-acme-certs;
  };
 }
--- a/common/assertions.nix
+++ b/common/assertions.nix
@@ -0,0 +1,51 @@
 {
  lib,
  vacuModuleType,
  config,
  ...
 }:
 let
  inherit (lib) mkOption types filter;
  fatalAssertions = map (x: x.message) (filter (x: !x.assertion && x.fatal) config.vacu.assertions);
  triggeredWarnings = map (x: x.message) (
    filter (x: !x.assertion && !x.fatal) config.vacu.assertions
  );
  withAsserts =
    x:
    if fatalAssertions != [ ] then
      throw ''
        Failed assertions:
        ${lib.concatStringsSep "\n" (map (x: "- ${x}") fatalAssertions)}''
    else
      lib.showWarnings triggeredWarnings x;
  adapter = {
    config = {
      assertions = map (x: { inherit (x) assertion message; }) (
        filter (x: x.fatal) config.vacu.assertions
      );
      warnings = map (x: x.message) (filter (x: !x.assertion && !x.fatal) config.vacu.assertions);
    };
  };
 in
 {
  options.vacu.assertions = mkOption {
    default = [ ];
    type = types.listOf (
      types.submodule {
        options.assertion = mkOption { type = types.bool; };
        options.message = mkOption { type = types.str; };
        options.fatal = mkOption {
          type = types.bool;
          default = true;
        };
      }
    );
  };
  options.vacu.withAsserts = mkOption {
    readOnly = true;
    default = withAsserts;
  };
 }
 // (if vacuModuleType != "plain" then adapter else { })
--- a/common/checks.nix
+++ b/common/checks.nix
@@ -0,0 +1,29 @@
 {
  lib,
  pkgs,
  config,
  ...
 }:
 let
  inherit (lib) types;
 in
 {
  options.vacu.checks = lib.mkOption {
    type = types.attrsOf types.package;
    default = { };
  };
  options.vacu.textChecks = lib.mkOption {
    type = types.attrsOf types.lines;
    default = { };
  };
  config.vacu.checks = lib.mapAttrs (
    name: lines:
    pkgs.runCommand "vacu-textChecks-${name}" { } ''
      (
        set -xev
        ${lines}
        touch $out
      )
    ''
  ) config.vacu.textChecks;
 }
--- a/common/common-but-not.nix
+++ b/common/common-but-not.nix
@@ -0,0 +1,14 @@
 # todo: rename this module
 # stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
 {
  inputs,
  vacuModuleType,
  lib,
  ...
 }:
 lib.optionalAttrs (vacuModuleType != "plain") {
  nix.registry.vacu.to = {
    type = "path";
    path = inputs.self.outPath;
  };
 }
--- a/common/default.nix
+++ b/common/default.nix
@@ -0,0 +1,359 @@
 {
  config,
  pkgs,
  lib,
  inputs,
  vacuModuleType,
  ...
 }:
 let
  inherit (lib) mkOption types;
  inherit (inputs) self;
  expectedModuleTypes = [
    "nixos"
    "nix-on-droid"
    "plain"
  ];
  anyRev = attrs: toString (attrs.rev or attrs.dirtyRev or "unk");
  anyShortRev = attrs: toString (attrs.shortRev or attrs.dirtyShortRev or "unk");
 in
 if !builtins.elem vacuModuleType expectedModuleTypes then
  builtins.throw "error: unrecognized vacuModuleType ${builtins.toString vacuModuleType}"
 else
  {
    imports = [
      ./package-set.nix
      ./shell
      ./nixvim.nix
      ./ssh.nix
      ./nix.nix
      ./verify-system
      ./defaultPackages.nix
      ./lib
      ./sops.nix
      ../dns
      ./assertions.nix
      ./common-but-not.nix
      ./nixos.nix
      ./nix-on-droid.nix
      ./nixos-rebuild.nix
      ./minimal-nixos.nix
      ./acmeDependencies.nix
      ./nix-on-droid.nix
      ./remapCapsLock.nix
      ./sourceTree.nix
      ./units-impl.nix
      ./units-config.nix
      ./lix.nix
      ./git.nix
      ./hpn.nix
      ./checks.nix
      ./ffmpeg.nix
    ];
    options = {
      vacu.rootCAs = mkOption { type = types.listOf types.str; };
      vacu.versionId = mkOption {
        type = types.str;
        readOnly = true;
      };
      vacu.versionInfo = mkOption { readOnly = true; };
      vacu.hostName = mkOption {
        type = types.nullOr types.str;
        default = null;
      };
      vacu.shortHostName = mkOption {
        type = types.nullOr types.str;
        default = config.vacu.hostName;
      };
      vacu.nixvimPkg = mkOption { readOnly = true; };
      vacu.systemKind = mkOption {
        type = types.enum [
          "minimal"
          "desktop" # need a better name for this; should include laptops; everything I intend to get computery-stuff done on.
          "container"
          "server"
        ];
      };
      vacu.vnopnCA = mkOption {
        readOnly = true;
        type = types.str;
      };
    };
    config = {
      vacu.versionId = "${anyShortRev self}-${self.lastModifiedDate or "unk"}";
      vacu.versionInfo =
        {
          rev = anyRev self;
          flakePath = self.outPath;
          inherit (self) lastModified lastModifiedDate;
          inherit (config.vacu) versionId;
          inherit inputs;
          inherit vacuModuleType;
        }
        // lib.optionalAttrs (inputs ? nixpkgs) {
          nixpkgs.source = "${inputs.nixpkgs}";
          nixpkgs.rev = anyRev inputs.nixpkgs;
        };
      vacu.nix.caches.vacu = {
        url = "https://nixcache.shelvacu.com/";
        keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
      };
      vacu.nix.caches.nix-community = {
        url = "https://nix-community.cachix.org/";
        keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
        enable = false;
      };
      vacu.nix.caches.nix-on-droid = {
        url = "https://nix-on-droid.cachix.org/";
        keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
        enable = false;
      };
      vacu.nix.caches.nixos = {
        url = "https://cache.nixos.org/";
        keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
      };
      vacu.git.enable = config.vacu.systemKind == "server" || config.vacu.systemKind == "desktop";
      vacu.git.config = {
        init.defaultBranch = "master";
        pull.rebase = false;
        user.name = "Shelvacu";
        user.email = "git@shelvacu.com";
        author.name = "Shelvacu";
        author.email = "git@shelvacu.com";
        committer.name = "Shelvacu on ${config.vacu.hostName}";
        committer.email = "git@shelvacu.com";
        user.useConfigOnly = true;
        checkout.workers = 0;
        # We *could* use atomic writes, but those are slowwwwww! Are you sure????? - git, still living in the 90s
        # Yes git, I'm sure
        core.fsync = "all";
        diff.mnemonicPrefix = true;
        gc.reflogExpire = "never";
        gc.reflogExpireUnreachable = "never";
        url."https://github.com/".insteadOf = [
          "hgh:"
          "github-http:"
          "github-https:"
        ];
        url."git@github.com:".insteadOf = [
          "sgh:"
          "gh:"
          "github-ssh:"
        ];
        url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
        url."https://gitlab.com/".insteadOf = [
          "hgl:"
          "gitlab-http:"
          "gitlab-https:"
        ];
        url."git@gitlab.com:".insteadOf = [
          "sgl:"
          "gl:"
          "gitlab-ssh:"
        ];
        url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
        url."https://git.uninsane.org/".insteadOf = [
          "hu:"
          "uninsane-http:"
          "uninsane-https:"
        ];
        url."git@git.uninsane.org:".insteadOf = [
          "u:"
          "su:"
          "uninsane-ssh"
        ];
        url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
      };
      vacu.vnopnCA = ''
        -----BEGIN CERTIFICATE-----
        MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
        A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
        MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
        hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
        AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
        MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
        BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
        CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
        AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
        -----END CERTIFICATE-----
      '';
      vacu.rootCAs = [ config.vacu.vnopnCA ];
      vacu.ssh.authorizedKeys = {
        # pixel6pro-termux = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86";
        # t460s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp";
        # pixel6pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W";
        compute-deck = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug";
        triple-dezert = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g";
        triple-dezert-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8";
        compute-deck-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I";
        pro1x-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX";
        fw-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m";
        fw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C";
        pixel9pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC";
        legtop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOre0FnYDm3arsFj9c/l5H2Q8mdmv7kmvq683pL4heru";
      };
      vacu.ssh.config = ''
        Host deckvacu
          User deck
        Host rsb
          User user
          HostName finaltask.xyz
          Port 2222
        Host awoo
          HostName 45.142.157.71
        Host trip
          HostName trip.shelvacu.com
          Port 6922
        Host liam
          HostName 178.128.79.152
        Host pluto
          HostName pluto.somevideogam.es
        Host sdf
          HostName tty.sdf.org
        Host u
          User git
          HostName git.uninsane.org
        Host gl
          User git
          HostName gitlab.com
        Host gh
          User git
          HostName github.com
        Host *
          User shelvacu
          GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
      '';
      vacu.ssh.knownHosts = {
        #public hosts
        "github.com".publicKey =
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
        "gitlab.com".publicKey =
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
        "git.sr.ht".publicKey =
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
        "sdf.org" = {
          extraHostNames = [ "tty.sdf.org" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
        };
        #colin's stuff
        "uninsane.org" = {
          extraHostNames = [ "git.uninsane.org" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
        };
        "desko" = {
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
        };
        #daymocker's stuff
        "pluto" = {
          extraHostNames = [ "74.208.184.137" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
        };
        #powerhouse hosts
        "ostiary" = {
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
        };
        "habitat" = {
          # previously known as zigbee-hub
          extraHostNames = [ "10.78.79.114" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
        };
        "vnopn" = {
          extraHostNames = [
            "10.78.79.1"
            "vnopn.t2d.lan"
          ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
        };
        #work laptop
        "tebbs-MBP" = {
          extraHostNames = [ "10.244.10.3" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
        };
        #personal hosts
        trip = {
          extraHostNames = [
            "triple-dezert"
            "trip.shelvacu.com"
            "[trip.shelvacu.com]:6922"
          ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
        };
        servacu = {
          extraHostNames = [
            "mail.dis8.net"
            "servacu.shelvacu.com"
          ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
        };
        finaltask = {
          extraHostNames = [
            "rsb"
            "finaltask.xyz"
            "[finaltask.xyz]:2222"
          ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
        };
        compute-deck = {
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
        };
        "2esrever" = {
          extraHostNames = [
            "10.4.5.218"
            "10.244.46.71"
          ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
        };
        awoo = {
          extraHostNames = [ "45.142.157.71" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
        };
        deckvacu = {
          publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
        };
        liam = {
          extraHostNames = [
            "liam.dis8.net"
            "178.128.79.152"
          ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
        };
        fw = {
          extraHostNames = [ "fw.t2d.lan" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
        };
        legtop = {
          extraHostNames = [
            "lt"
            "legtop.t2d.lan"
          ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
        };
        mmm = {
          extraHostNames = [
            "mmm.t2d.lan"
            "10.78.79.11"
          ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
        };
      };
    };
  }
--- a/common/defaultPackages.nix
+++ b/common/defaultPackages.nix
@@ -0,0 +1,89 @@
 {
  pkgs,
  config,
  inputs,
  lib,
  ...
 }:
 lib.mkMerge [
  (lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container") {
    vacu.packages =
      (with pkgs; [
        home-manager
        nix-index
        rclone
        termscp
        man
        neovim
        nmap
        ruby
        (p7zip.override { enableUnfree = true; })
        tcpdump
        cargo
        wayland-utils
        kanidm
        megatools
      ])
      ++ [
        inputs.nix-search-cli.packages.${pkgs.system}.default
        inputs.nix-inspect.packages.${pkgs.system}.default
      ];
  })
  {
    vacu.packages =
      (with pkgs; [
        netcat-openbsd
        nixos-rebuild
        which
        nano
        vim
        wget
        screen
        tmux
        lsof
        htop
        mosh
        dnsutils
        iperf3
        rsync
        ethtool
        sshfs
        ddrescue
        pciutils
        ncdu
        pv
        unzip
        file
        ripgrep
        jq
        tree
        iputils
        ssh-to-age
        sops
        inetutils
        diffutils
        findutils
        util-linux
        tzdata
        hostname
        gnugrep
        gnused
        gnutar
        bzip2
        gzip
        xz
        zip
        unzip
        openssh
        dig
        bash
        usbutils
        psutils
        killall
        curl
        gnutls
        progress
      ])
      ++ [ config.vacu.units.finalPackage ];
  }
 ]
--- a/common/desktopApps.nix
+++ b/common/desktopApps.nix
@@ -0,0 +1,5 @@
 { lib, vacuModuleType, ... }:
 lib.optionalAttrs (vacuModuleType == "nixos") {
  options.vacu.desktopApps = lib.mkEnableOption "asdf";
  #todo
 }
--- a/common/ffmpeg.nix
+++ b/common/ffmpeg.nix
@@ -0,0 +1,13 @@
 { pkgs, lib, ... }:
 {
  vacu.packages.ffmpeg-allvrything = {
    enable = lib.mkDefault false;
    package = pkgs.ffmpeg_7-full.override (old: {
      libbluray = old.libbluray.override {
        withJava = true;
        withAACS = true;
        withBDplus = true;
      };
    });
  };
 }
--- a/common/git.nix
+++ b/common/git.nix
@@ -0,0 +1,100 @@
 {
  lib,
  config,
  pkgs,
  vacuModuleType,
  ...
 }:
 let
  inherit (lib) types;
  cfg = config.vacu.git;
 in
 {
  imports = [
    {
      # https://github.com/NixOS/nixpkgs/blob/e8c38b73aeb218e27163376a2d617e61a2ad9b59/nixos/modules/programs/git.nix#L16
      options.vacu.git = {
        package = lib.mkPackageOption pkgs "git" { };
        enable = lib.mkEnableOption "git";
        config = lib.mkOption {
          type =
            let
              gitini = types.attrsOf (types.attrsOf types.anything);
            in
            types.either gitini (types.listOf gitini)
            // {
              merge =
                loc: defs:
                let
                  config =
                    builtins.foldl'
                      (
                        acc:
                        { value, ... }@x:
                        acc
                        // (
                          if builtins.isList value then
                            { ordered = acc.ordered ++ value; }
                          else
                            { unordered = acc.unordered ++ [ x ]; }
                        )
                      )
                      {
                        ordered = [ ];
                        unordered = [ ];
                      }
                      defs;
                in
                [ (gitini.merge loc config.unordered) ] ++ config.ordered;
            };
          default = [ ];
        };
        lfs.enable = lib.mkEnableOption "git lfs";
        lfs.package = lib.mkPackageOption pkgs "git-lfs" { };
        configText = lib.mkOption {
          readOnly = true;
          type = types.str;
        };
      };
      config.vacu.git.configText = lib.concatMapStringsSep "\n" lib.generators.toGitINI cfg.config;
    }
    (lib.mkIf cfg.enable {
      vacu.packages.git = {
        enable = true;
        package = cfg.package;
      };
    })
    (lib.mkIf (cfg.enable && cfg.lfs.enable) {
      vacu.packages.git-lfs = {
        enable = true;
        package = cfg.lfs.package;
      };
      vacu.git.config =
        let
          bin = lib.getExe cfg.lfs.package;
        in
        {
          filter.lfs = {
            clean = "${bin} clean -- %f";
            smudge = "${bin} smudge -- %f";
            process = "${bin} filter-process";
            required = true;
          };
        };
    })
    (lib.optionalAttrs (vacuModuleType == "nixos") {
      vacu.assertions = [
        {
          assertion = !(cfg.enable && config.programs.git.enable);
          message = "vacu.git and programs.git should not both be enabled";
        }
      ];
      programs.git.enable = lib.mkIf cfg.enable false;
    })
    (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
      environment = lib.mkIf (cfg.enable && cfg.config != [ ]) { etc.gitconfig.text = cfg.configText; };
    })
  ];
 }
--- a/common/home.nix
+++ b/common/home.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
  imports = [ ./common-but-not.nix ];
 }
--- a/common/hpn.nix
+++ b/common/hpn.nix
@@ -0,0 +1,11 @@
 {
  config,
  lib,
  pkgs,
  vacuModuleType,
  ...
 }:
 lib.optionalAttrs (vacuModuleType == "nixos") {
  options.vacu.ssh-hpn.enable = lib.mkEnableOption "openssh hpn";
  config = lib.mkIf config.vacu.ssh-hpn.enable { programs.ssh.package = pkgs.openssh_hpn; };
 }
--- a/common/lib/default.nix
+++ b/common/lib/default.nix
@@ -0,0 +1,19 @@
 { lib, config, ... }:
 {
  imports = [
    ./makeWrapper.nix
    ./outputOf.nix
    ./strings.nix
  ];
  options.vacu.vaculib = lib.mkOption { type = lib.types.anything; };
  config._module.args.vaculib = config.vacu.vaculib;
  config.vacu.vaculib.mkOutOption =
    val:
    lib.mkOption {
      readOnly = true;
      default = val;
    };
 }
--- a/common/lib/makeWrapper.nix
+++ b/common/lib/makeWrapper.nix
@@ -0,0 +1,93 @@
 { pkgs, lib, ... }:
 let
  inherit (lib)
    optionals
    optional
    mapAttrsToList
    concatMap
    escapeShellArg
    escapeShellArgs
    ;
 in
 {
  config.vacu.vaculib.makeWrapper =
    {
      original,
      new,
      argv0 ? null,
      inherit_argv0 ? false,
      resolve_argv0 ? false,
      set ? { },
      set_default ? { },
      unset ? [ ],
      chdir ? null,
      run ? [ ],
      prepend_flags ? [ ],
      add_flags ? [ ],
      append_flags ? [ ],
      runtimeHook ? null,
    }:
    let
      prependFlags = prepend_flags ++ add_flags;
      escapeFlags = escapeShellArgs;
      # escapeFlags = flags: builtins.concatStringsSep " " (map escapeShellArg flags);
      originalBin = if lib.isDerivation original then lib.getExe original else original;
      makeWrapperFlags =
        (optionals (argv0 != null) [
          "--argv0"
          argv0
        ])
        ++ (optional inherit_argv0 "--inherit-argv0")
        ++ (optional resolve_argv0 "--resolve-argv0")
        ++ (mapAttrsToList (k: v: [
          "--set"
          k
          v
        ]) set)
        ++ (mapAttrsToList (k: v: [
          "--set-default"
          k
          v
        ]) set_default)
        ++ (concatMap (k: [
          "--unset"
          k
        ]) unset)
        ++ (optionals (chdir != null) [
          "--chdir"
          chdir
        ])
        ++ (concatMap (k: [
          "--run"
          k
        ]) run)
        ++ (optionals (prependFlags != [ ]) [
          "--add-flags"
          (escapeFlags prependFlags)
        ])
        ++ (optionals (append_flags != [ ]) [
          "--append-flags"
          (escapeFlags append_flags)
        ]);
    in
    pkgs.stdenvNoCC.mkDerivation {
      name = new;
      nativeBuildInputs = [ pkgs.makeWrapper ];
      phases = [ "installPhase" ];
      installPhase = ''
        runHook preInstall
        mkdir -p $out/bin
        makeWrapper ${escapeShellArg originalBin} $out/bin/${escapeShellArg new} ${escapeShellArgs makeWrapperFlags}
        runHook postInstall
      '';
      inherit runtimeHook;
      meta.mainProgram = new;
    };
 }
--- a/common/lib/outputOf.nix
+++ b/common/lib/outputOf.nix
@@ -0,0 +1,47 @@
 {
  pkgs,
  lib,
  vaculib,
  ...
 }:
 let
  runCommandBare =
    {
      cmd,
      local ? true,
      ...
    }@args:
    assert !vaculib.isPrefixOf "-" cmd;
    derivation (
      {
        builder = lib.getExe pkgs.bash;
        args = [
          "-c"
          cmd
        ];
        system = pkgs.buildPlatform.system;
      }
      // (lib.optionalAttrs local {
        allowSubstitutes = false;
        preferLocalBuild = true;
      })
      // (lib.removeAttrs args [
        "cmd"
        "local"
      ])
    );
  outputOf =
    {
      removeNewline ? true,
      ...
    }@args:
    let
      passThruArgs = lib.removeAttrs args [ "removeNewline" ];
      res = builtins.readFile (runCommandBare passThruArgs);
      noNewline = lib.removeSuffix "\n" res;
    in
    if removeNewline then noNewline else res;
 in
 {
  config.vacu.vaculib = { inherit runCommandBare outputOf; };
 }
--- a/common/lib/strings.nix
+++ b/common/lib/strings.nix
@@ -0,0 +1,22 @@
 { ... }:
 let
  inherit (builtins) stringLength substring;
  # aka startsWith but hopefully clear from the name what order the arguments go
  isPrefixOf =
    prefix: s:
    let
      prefixl = stringLength prefix;
      sl = stringLength s;
    in
    (sl >= prefixl) && (substring 0 prefixl s) == prefix;
  isSuffixOf =
    suffix: s:
    let
      suffixl = stringLength suffix;
      sl = stringLength s;
    in
    (sl >= suffixl) && (substring (sl - suffixl - 1) - 1 s) == suffix;
 in
 {
  config.vacu.vaculib = { inherit isPrefixOf isSuffixOf; };
 }
--- a/common/lix.nix
+++ b/common/lix.nix
@@ -0,0 +1,7 @@
 { vacuModuleType, ... }:
 if vacuModuleType == "nixos" then
  {
    # imports = [ inputs.lix-module.nixosModules.default ];
  }
 else
  { }
--- a/common/minimal-nixos.nix
+++ b/common/minimal-nixos.nix
@@ -0,0 +1,45 @@
 {
  config,
  pkgs,
  lib,
  vacuModuleType,
  ...
 }:
 let
  inherit (lib) mkIf mkDefault;
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
  config = mkIf (config.vacu.systemKind == "minimal") {
    programs.git.lfs.enable = false;
    programs.git.package = pkgs.gitMinimal;
    # mostly copied from nixos's /profiles/minimal.nix
    documentation.enable = mkDefault false;
    documentation.doc.enable = mkDefault false;
    documentation.info.enable = mkDefault false;
    documentation.man.enable = mkDefault false;
    documentation.nixos.enable = mkDefault false;
    # Perl is a default package.
    environment.defaultPackages = mkDefault [ ];
    environment.stub-ld.enable = false;
    # The lessopen package pulls in Perl.
    programs.less.lessopen = mkDefault null;
    programs.command-not-found.enable = mkDefault false;
    services.logrotate.enable = mkDefault false;
    services.udisks2.enable = mkDefault false;
    xdg.autostart.enable = mkDefault false;
    xdg.icons.enable = mkDefault false;
    xdg.mime.enable = mkDefault false;
    xdg.sounds.enable = mkDefault false;
  };
 }
--- a/common/nix-command-extensions/default.nix
+++ b/common/nix-command-extensions/default.nix
@@ -0,0 +1,4 @@
 { ... }:
 {
 }
--- a/common/nix-command-extensions/nix.sh
+++ b/common/nix-command-extensions/nix.sh
@@ -0,0 +1,71 @@
 #!/bin/bash
 # replaceme START
 declare -A cache_to_url
 cache_to_url["foo"]="https://example.com/some-nix-cache"
 declare -a caches_to_use=("foo")
 declare nixCmd="foo"
 # replaceme END
 declare -a preArgs
 declare -a passThruArgs
 cache_name=""
 function valid_cache_name() {
  cache_name="$1"
  if [[ $cache_name == -* ]]; then
    echo "invalid cache name" >&2
    exit 1
  fi
 }
 while [[ -n $1 ]]; do
  arg="$1"
  shift
  case "$arg" in
  "--without-cache")
    cache_name="$1"
    shift
    valid_cache_name "$cache_name"
    caches_to_use=("${caches_to_use[@]/$cache_name/}")
    ;;
  "--with-cache")
    cache_name="$1"
    shift
    valid_cache_name "$cache_name"
    caches_to_use+=("$cache_name")
    ;;
  "--only-cache")
    cache_name="$1"
    shift
    valid_cache_name "$cache_name"
    caches_to_use=("$cache_name")
    ;;
  "--on-trip")
    if [[ $HOSTNAME == "triple-dezert" ]]; then
      echo "Warn: skipping --on-trip: already on trip" >&2
    else
      passThruArgs+=("--builders" "ssh://trip x86_64-linux,aarch64-linux" "--max-jobs" "0" "--option" "builders-use-substitutes" "true")
    fi
    ;;
  "--")
    passThruArgs+=("$arg" "$@")
    break
    ;;
  *)
    passThruArgs+=("$arg")
    ;;
  esac
 done
 declare -a substituters
 for c in "${caches_to_use[@]}"; do
  url="${cache_to_url["$c"]}"
  substituters+=("$url")
 done
 substituters_together="${substituters[*]}"
 preArgs+=("--option" "substituters" "$substituters_together")
 exec "$nixCmd" "${preArgs[@]}" "${passThruArgs[@]}"
--- a/common/nix-on-droid.nix
+++ b/common/nix-on-droid.nix
@@ -0,0 +1,22 @@
 {
  config,
  lib,
  vacuModuleType,
  ...
 }:
 let
  inherit (lib) mkDefault;
 in
 lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
  environment.packages = config.vacu.packageList;
  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
  nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
  nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
  vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
  environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
  environment.etc.profile.text = config.vacu.shell.interactiveLines;
  environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
  vacu.hostName = mkDefault "nix-on-droid";
  vacu.shortHostName = mkDefault "nod";
 }
--- a/common/nix.nix
+++ b/common/nix.nix
@@ -0,0 +1,34 @@
 { lib, config, ... }:
 let
  inherit (lib) mkOption types;
  caches = builtins.attrValues config.vacu.nix.caches;
  enabledCaches = builtins.filter (c: c.enable) caches;
 in
 {
  options = {
    vacu.nix.caches = mkOption {
      type = types.attrsOf (
        types.submodule (
          { ... }:
          {
            options = {
              url = mkOption { type = types.str; };
              keys = mkOption {
                type = types.listOf types.str;
                default = [ ];
              };
              enable = mkOption {
                default = true;
                type = types.bool;
              };
            };
          }
        )
      );
    };
    vacu.nix.substituterUrls = mkOption { readOnly = true; };
    vacu.nix.trustedKeys = mkOption { readOnly = true; };
  };
  config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
  config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
 }
--- a/common/nixos-rebuild.nix
+++ b/common/nixos-rebuild.nix
@@ -0,0 +1,34 @@
 {
  pkgs,
  config,
  lib,
  vacuModuleType,
  ...
 }:
 let
  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
  options.vacu.alwaysUseRemoteSudo =
    (lib.mkEnableOption "always deploy to this machine with --use-remote-sudo")
    // {
      default = true;
    };
  config = lib.mkIf config.vacu.alwaysUseRemoteSudo {
    system.build.nixos-rebuild = lib.mkForce (
      pkgs.runCommandLocal "nixos-rebuild-wrapped"
        {
          nativeBuildInputs = [ pkgs.makeShellWrapper ];
          meta.mainProgram = "nixos-rebuild";
        }
        ''
          runHook preInstall
          mkdir -p $out/bin
          makeShellWrapper ${lib.getExe nixos-rebuild} $out/bin/nixos-rebuild --add-flags "--use-remote-sudo"
          runHook postInstall
        ''
    );
  };
 }
--- a/common/nixos.nix
+++ b/common/nixos.nix
@@ -0,0 +1,107 @@
 {
  lib,
  pkgs,
  config,
  vacuModuleType,
  ...
 }:
 lib.optionalAttrs (vacuModuleType == "nixos") {
  options.vacu.underTest = lib.mkOption {
    default = false;
    type = lib.types.bool;
  };
  config = {
    # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
    # presumably needed by nheko
    nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
    # nixpkgs.overlays = [ inputs.self.overlays.default ];
    console = {
      keyMap = lib.mkDefault "us";
    };
    networking = if config.vacu.hostName == null then { } else { hostName = config.vacu.hostName; };
    vacu.packages."xorg-xev" = {
      enable = config.services.xserver.enable;
      package = pkgs.xorg.xev;
    };
    vacu.ssh-hpn.enable = true;
    environment.systemPackages = config.vacu.packageList;
    programs.nix-ld.enable = true;
    system.nixos.tags = [
      "vacu${config.vacu.versionId}"
      config.vacu.hostName
    ];
    environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
    environment.etc."chromium" = lib.mkIf (config.vacu.systemKind == "desktop") {
      source = "/run/current-system/sw/etc/chromium";
    };
    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
    time.timeZone = "America/Los_Angeles";
    users.users.shelvacu = lib.mkIf (config.vacu.systemKind != "container") {
      openssh.authorizedKeys.keys = lib.attrValues config.vacu.ssh.authorizedKeys;
      isNormalUser = true;
      extraGroups = [ "wheel" ];
    };
    # # safety user: if something is super fucked up with my shell stuff, I can ssh in as shelvac2
    # users.users.shelvac2 = {
    #   openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
    #   isNormalUser = true;
    #   extraGroups = [ "wheel" ];
    #   shell = pkgs.bash;
    # };
    services.openssh = {
      # require public key authentication for better security
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      settings.PermitRootLogin = "prohibit-password";
    };
    nix.settings.trusted-users = lib.mkIf (config.vacu.systemKind != "container") [ "shelvacu" ];
    security.sudo.wheelNeedsPassword = lib.mkDefault false;
    programs.screen = {
      enable = true;
      screenrc = ''
        defscrollback 10000
        termcapinfo xterm* ti@:te@
        maptimeout 5
      '';
    };
    programs.tmux = lib.mkIf (config.vacu.systemKind != "container") {
      enable = true;
      extraConfig = "setw mouse";
      clock24 = true;
    };
    nix.settings = {
      experimental-features = [
        "nix-command"
        "flakes"
      ];
      substituters = lib.mkForce config.vacu.nix.substituterUrls;
      extra-substituters = lib.mkForce [ ];
      trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
      extra-trusted-public-keys = lib.mkForce [ ];
    };
    nixpkgs.config.allowUnfree = lib.mkDefault true;
    programs.mosh.enable = lib.mkIf (config.vacu.systemKind != "container") (lib.mkDefault true);
    programs.ssh.extraConfig = config.vacu.ssh.config;
    security.pki.certificates = config.vacu.rootCAs;
    # commands.nix
    environment.pathsToLink = [
      "/share/vacufuncs"
      "/etc/chromium"
    ];
    programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
    programs.bash.promptInit = lib.mkForce "";
    systemd.services.nix-daemon.serviceConfig.Nice = "10";
  };
 }
--- a/common/nixvim.nix
+++ b/common/nixvim.nix
@@ -0,0 +1,17 @@
 {
  pkgs,
  config,
  inputs,
  lib,
  ...
 }:
 {
  vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.nixvim;
  vacu.shell.functions =
    lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container")
      {
        nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
        nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
        nvim = ''nvim-nixvim "$@"'';
      };
 }
--- a/common/package-set.nix
+++ b/common/package-set.nix
@@ -0,0 +1,69 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (lib) mkOption types;
  pkgOptions = builtins.attrValues config.vacu.packages;
  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
  enabledPkgs = builtins.map (o: o.package) enabledOptions;
  packagesSetType = types.attrsOf (
    types.submodule (
      { name, ... }:
      {
        options = {
          enable = mkOption {
            type = types.bool;
            description = "Will this package be installed (included in environment.systemPackages)";
          };
          package = mkOption {
            type = types.package;
            default = pkgs.${name};
            defaultText = "pkgs.${name}";
          };
        };
      }
    )
  );
  packageListToSet = (
    from:
    let
      enable = lib.mkOverride 900 true; # more important than mkDefault, less important than setting explicitly
      keyvals = map (
        val:
        if builtins.isString val then
          {
            name = val;
            value = { inherit enable; };
          }
        else
          {
            name = val.pname or val.name;
            value = {
              package = lib.mkDefault val;
              inherit enable;
            };
          }
      ) from;
    in
    builtins.listToAttrs keyvals
  );
 in
 {
  options = {
    vacu.packages = mkOption {
      default = { };
      type = types.coercedTo (types.listOf (
        types.either types.str types.package
      )) packageListToSet packagesSetType;
    };
    vacu.packageList = mkOption {
      type = types.listOf types.package;
      readOnly = true;
    };
  };
  config.vacu.packageList = enabledPkgs;
 }
--- a/common/remapCapsLock.nix
+++ b/common/remapCapsLock.nix
@@ -0,0 +1,35 @@
 {
  pkgs,
  lib,
  config,
  vacuModuleType,
  ...
 }:
 let
  inherit (lib) mkOption types;
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
  options.vacu.enableCapsLockRemap = mkOption {
    type = types.bool;
    default = config.vacu.systemKind == "desktop";
  };
  config = lib.mkIf config.vacu.enableCapsLockRemap {
    # https://discourse.nixos.org/t/best-way-to-remap-caps-lock-to-esc-with-wayland/39707/6
    services.interception-tools =
      let
        itools = pkgs.interception-tools;
        itools-caps = pkgs.interception-tools-plugins.caps2esc;
      in
      {
        enable = true;
        plugins = [ itools-caps ];
        # requires explicit paths: https://github.com/NixOS/nixpkgs/issues/126681
        udevmonConfig = pkgs.lib.mkDefault ''
          - JOB: "${itools}/bin/intercept -g $DEVNODE | ${itools-caps}/bin/caps2esc -m 1 | ${itools}/bin/uinput -d $DEVNODE"
            DEVICE:
              EVENTS:
                EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
        '';
      };
  };
 }
--- a/common/shell/container-aliases.nix
+++ b/common/shell/container-aliases.nix
@@ -0,0 +1,38 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 let
  inherit (pkgs) writeScriptBin;
 in
 {
  options.vacu.shell.containerAliases = lib.mkEnableOption "container aliases";
  config = lib.mkIf config.vacu.shell.containerAliases {
    vacu.packages = [
      (writeScriptBin "ncrun" ''
        if (( "$#" < 2 )); then
          echo "need at least two args [container] and [command]" >&2
          exit 1
        fi
        if [[ $UID != 0 ]]; then
          exec /run/wrappers/bin/sudo "$0" "$@"
        fi
        container="$1"
        shift
        exec ${lib.getExe pkgs.nixos-container} run "$1" -- "$@"
      '')
      (writeScriptBin "ncrl" ''
        if (( "$#" != 1 )); then
          echo "need exactly one arg: [container]" >&2
          exit 1
        fi
        if [[ $UID != 0 ]]; then
          exec /run/wrappers/bin/sudo "$0" "$@"
        fi
        exec ${lib.getExe pkgs.nixos-container} root-login "$1"
      '')
    ];
  };
 }
--- a/common/shell/default.nix
+++ b/common/shell/default.nix
@@ -0,0 +1,190 @@
 {
  config,
  lib,
  pkgs,
  vaculib,
  ...
 }:
 let
  inherit (lib) mkOption types;
  cfg = config.vacu.shell;
  writeShellFunction =
    name: text:
    pkgs.writeTextFile {
      inherit name;
      executable = false;
      destination = "/share/vacufuncs/${name}";
      text = ''
        ${text}
      '';
      checkPhase = ''
        ${pkgs.stdenv.shellDryRun} "$target"
      '';
    };
  functionPackages = lib.mapAttrsToList writeShellFunction cfg.functions;
  vacuInitFile = pkgs.writeText "vacu.shell.interactiveLines.sh" cfg.interactiveLines;
  wrappedBashPkg = vaculib.makeWrapper {
    original = pkgs.bash;
    new = "vacuinit-bash";
    prepend_flags = [
      "--init-file"
      vacuInitFile
    ];
  };
  wrappedBash = lib.getExe wrappedBashPkg;
 in
 {
  imports = [
    ./not-aliases.nix
    ./ps1.nix
    ./container-aliases.nix
  ];
  options = {
    vacu.shell.functionsDir = mkOption {
      type = types.path;
      default = "/run/current-system/sw/share/vacufuncs";
    };
    vacu.shell.interactiveLines = mkOption {
      type = types.lines;
      readOnly = true;
    };
    vacu.shell.wrappedBash = mkOption { readOnly = true; };
    vacu.shell.idempotentShellLines = mkOption {
      type = types.lines;
      default = "";
    };
    vacu.shell.color = mkOption {
      type = types.enum (builtins.attrNames vaculib.shellColors);
      default = "white";
    };
    vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
  };
  config.vacu = {
    vaculib = {
      # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
      shellColors = {
        black = 30;
        red = 31;
        green = 32;
        yellow = 33;
        blue = 34;
        magenta = 35;
        cyan = 36;
        white = 37;
      };
    };
    shell.interactiveLines = ''
      if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
        function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
        __vacushell_load
        unset __vacushell_load
      fi
    '';
    shell.wrappedBash = wrappedBash;
    shell.functions = {
      "vacureload" = ''
        declare -gA vacuShellFunctionsLoaded
        if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
          echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
          for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
            unset -f $funcname
          done
          return
        fi
        for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
          if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
            unset -f $funcname
          fi
        done
        for fullPath in ${cfg.functionsDir}/*; do
          local funcname="$(basename "$fullPath")"
          local followedPath="$(readlink -f "$fullPath")"
          if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
            unset -f $funcname
            eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
            vacuShellFunctionsLoaded[$funcname]=$followedPath
          fi
          unset followedPath
          unset funcname
        done
        __set_idempotents
      '';
      "__set_idempotents" = cfg.idempotentShellLines;
      vhich = ''
        if [[ $# != 1 ]]; then
          echo "expected exactly one arg" 1>&2
          return 1
        fi
        query="$1"
        quote='`'"$query'"
        kind="$(type -t "$query")"
        if [[ "$kind" == "" ]]; then
          echo "could not find any command $quote" 1>&2
          return 1
        fi
        echo "$quote is a $kind"
        case "$kind" in
          "alias")
            alias "$query"
            return 0
            ;;
          "keyword")
            echo "See https://www.gnu.org/software/bash/manual/html_node/Reserved-Word-Index.html"
            return 0
            ;;
          "function")
            if [[ -v vacuShellFunctionsLoaded["$query"] ]]; then
              echo "$quote is a vacufunc"
              path="''${vacuShellFunctionsLoaded[$query]}"
              # continue to below
            else
              declare -f "$query"
              return 0
            fi
            ;;
          "builtin")
            echo "Docs: https://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html#index-$query"
            return 0
            ;;
          "file")
            path="$(which "$query")"
            # continue to below
            ;;
          *)
            echo 'ERR: unexpected return from `type -t`: '"$kind" 1>&2
            return 1
        esac
        echo "path:"
        while [[ -L "$path" ]]; do
          dest="$(readlink "$path")"
          echo "  $path is a symlink to $dest"
          if [[ "$dest" != /* ]]; then
            dest="$(dirname "$path")/$dest"
          fi
          path="$dest"
        done
        echo "  $path"
        if ! [[ -e "$path" ]]; then
          echo "$path does not exist!"
          return 1
        fi
        canon="$(readlink -f "$path")"
        if [[ "$path" != "$canon" ]]; then
          echo "  $path canonicalizes to $canon"
          path="$canon"
        fi
        magic_parse="$(file --brief --mime "$path")"
        echo "magic: $magic_parse"
        case "$magic_parse" in
          'text/x-shellscript;'* | 'text/plain;'*)
            echo "initial contents:"
            echo
            cat "$path" | head --lines=10 | head --bytes=2000
            echo "..."
            ;;
        esac
      '';
    };
    packages = functionPackages;
  };
 }
--- a/common/shell/not-aliases.nix
+++ b/common/shell/not-aliases.nix
@@ -0,0 +1,157 @@
 # These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
 {
  pkgs,
  lib,
  config,
  inputs,
  ...
 }:
 let
  inherit (pkgs) writeScriptBin;
  ms_text = with_sudo: ''
    set -eo pipefail
    if [[ $# -gt 3 ]] || [[ $# == 0 ]]; then
      echo "wrong number of args" 1>&2
      exit 1
    fi
    host="$1"
    session_name="''${2:-main}"
    set -x
    mosh -- "$host" ${lib.optionalString with_sudo "sudo"} screen -RdS "$session_name"
  '';
  msl_text = ''
    set -eo pipefail
    if [[ $# != 1 ]]; then
      echo "wrong number of args" 1>&2
      exit 1
    fi
    host="$1"
    echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
  '';
  systemctl = "${pkgs.systemd}/bin/systemctl";
  journalctl = "${pkgs.systemd}/bin/journalctl";
  system = pkgs.hostPlatform.system;
 in
 {
  vacu.packages = [
    (writeScriptBin "ms" (ms_text false))
    (writeScriptBin "mss" (ms_text true))
    (writeScriptBin "msl" msl_text)
    (writeScriptBin "rmln" ''
      set -eo pipefail
      for arg in "$@"; do
        if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
          echo "$0: $arg is not a symlink" 1>&2
          exit 1
        fi
      done
      rm "$@"
    '')
    (writeScriptBin "nr" ''
      # nix run nixpkgs#<thing> -- <args>
      set -eo pipefail
      if [[ $# == 0 ]]; then
        echo "need at least one arg" 1>&2
        exit 1
      fi
      installable="$1"
      shift
      if [[ "$installable" != *'#'* ]]; then
        installable="nixpkgs#$installable"
      fi
      nix run "$installable" -- "$@"
    '')
    (writeScriptBin "nb" ''
      # nix build nixpkgs#<thing> <args>
      set -eo pipefail
      if [[ $# == 0 ]]; then
        echo "need at least one arg" 1>&2
        exit 1
      fi
      installable="$1"
      shift
      if [[ "$installable" != *'#'* ]]; then
        installable="nixpkgs#$installable"
      fi
      nix build "$installable" "$@"
    '')
    (writeScriptBin "ns" ''
      # nix shell nixpkgs#<thing>
      set -eo pipefail
      new_args=( )
      for arg in "$@"; do
        if [[ "$arg" != *'#'* ]] && [[ "$arg" != -* ]]; then
          arg="nixpkgs#$arg"
        fi
        new_args+=("$arg")
      done
      nix shell "''${new_args[@]}"
    '')
    (writeScriptBin "sc" ''
      exec ${systemctl} "$@"
    '')
    (writeScriptBin "scs" ''
      exec ${systemctl} status --lines=20 --full "$@"
    '')
    (writeScriptBin "scc" ''
      exec ${systemctl} cat "$@"
    '')
    (writeScriptBin "scr" ''
      exec ${systemctl} restart "$@"
    '')
    (writeScriptBin "jc" ''
      exec ${journalctl} --pager-end "$@"
    '')
    (writeScriptBin "jcu" ''
      exec ${journalctl} --pager-end -u "$@"
    '')
  ] ++ lib.optional (system == "x86_64-linux")
    (writeScriptBin "dnix" ''exec ${inputs.determinate-nix.packages.${system}.nix} "$@"'')
  ;
  vacu.shell.functions = {
    nd = ''
      declare -a args=("$@")
      if [[ "''${#args[@]}" == 0 ]]; then
        echo "nd: must provide at least one argument" 1>&1
        return 1
      fi
      lastarg="''${args[-1]}"
      if [[ "$lastarg" == "-"* ]]; then
        echo "nd: last argument must be the directory" 1>&2
        return 1
      fi
      for arg in "''${args[@]::''${#args[@]}-1}"; do
        if [[ "$arg" != "-"* ]]; then
          echo "nd: last argument must be the directory" 1>&2
          return 1
        fi
      done
      mkdir "''${args[@]}" && cd "''${args[-1]}"
    '';
    nt = ''pushd "$(mktemp -d "$@")"'';
  };
  vacu.textChecks."vacu-shell-functions-nd" = ''
    function nd() {
      ${config.vacu.shell.functions.nd}
    }
    start=/tmp/test-place
    mkdir -p $start
    cd $start
    nd a
    [[ "$PWD" == "$start/a" ]]
    cd $start
    nd -p b/c
    [[ "$PWD" == "$start/b/c" ]]
  '';
  vacu.textChecks."vacu-shell-functions-nt" = ''
    function nt() {
      ${config.vacu.shell.functions.nt}
    }
    start=$PWD
    nt
    [[ "$PWD" != "$start" ]]
    popd
    [[ "$PWD" == "$start" ]]
  '';
 }
--- a/common/shell/ps1.nix
+++ b/common/shell/ps1.nix
@@ -0,0 +1,42 @@
 {
  config,
  lib,
  vaculib,
  vacuModuleType,
  ...
 }:
 let
  cfg = config.vacu.shell;
  # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
  colors = vaculib.shellColors;
  # TODO: reset_without_clear doesn't fully work
  # thanks colin https://git.uninsane.org/colin/nix-files/src/commit/7f5b2628016c8ca1beec417766157c7676a9c5e5/hosts/common/programs/zsh/starship.nix#L24
  # https://man.archlinux.org/man/bash.1#PROMPTING
  # \[ and \] begins and ends "a sequence of non-printing characters"
  set_color = colornum: "\\[\\e[1;${toString colornum}m\\]";
  set_inverted_color = colornum: "\\[\\e[1;37;${toString (colornum + 10)}m\\]";
  reset_color = "\\[\\e[0m\\]";
  colornum = colors.${cfg.color};
  root_text = root: lib.optionalString root "ROOT@";
  final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
  hostName = if vacuModuleType == "plain" then "\\h" else config.vacu.shortHostName;
  default_ps1 =
    root:
    "\\n"
    # + ''\[${reset_without_clear}\]''
    + (set_color colornum)
    + "${root_text root}${hostName}:\\w"
    + (final root)
    + reset_color
    + " ";
 in
 {
  vacu.shell.idempotentShellLines = ''
    if [ $UID = 0 ]; then
      export PS1=${lib.escapeShellArg (default_ps1 true)}
    else
      export PS1=${lib.escapeShellArg (default_ps1 false)}
    fi
  '';
 }
--- a/common/sops-integrate.nix
+++ b/common/sops-integrate.nix
@@ -0,0 +1,10 @@
 {
  inputs,
  config,
  ...
 }:
 {
  imports = [ inputs.sops-nix.nixosModules.sops ];
  sops.defaultSopsFile = config.vacu.secretsFolder + "/${config.vacu.hostName}/main.yaml";
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 }
--- a/common/sops.nix
+++ b/common/sops.nix
@@ -0,0 +1,77 @@
 {
  lib,
  pkgs,
  config,
  vaculib,
  ...
 }:
 let
  ssh-to-age = lib.getExe pkgs.ssh-to-age;
  sshToAge =
    sshPubText:
    vaculib.outputOf {
      name = "age-from-ssh.txt";
      cmd = "echo ${lib.escapeShellArg sshPubText} | ${ssh-to-age} > $out";
    };
  userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
  userKeysAge = map sshToAge userKeys;
  liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
  liamKeyAge = sshToAge liamKey;
  tripKey = config.vacu.ssh.knownHosts.trip.publicKey;
  tripKeyAge = sshToAge tripKey;
  singleGroup = keys: [ { age = keys; } ];
  testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
  testAgePublic = vaculib.outputOf {
    name = "test-age-public-key.txt";
    cmd = "echo ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y > $out";
  };
  sopsConfig = {
    creation_rules = [
      {
        path_regex = "/secrets/misc/[^/]+$";
        key_groups = singleGroup userKeysAge;
      }
      {
        path_regex = "/secrets/liam/[^/]+$";
        key_groups = singleGroup (userKeysAge ++ [ liamKeyAge ]);
      }
      {
        path_regex = "/secrets/trip/[^/]+$";
        key_groups = singleGroup (userKeysAge ++ [ tripKeyAge ]);
      }
      {
        path_regex = "/secrets/radicle-private.key$";
        key_groups = singleGroup (userKeysAge ++ [ (sshToAge config.vacu.ssh.knownHosts.fw.publicKey) ]);
      }
      {
        path_regex = "/tests/test_secrets/";
        key_groups = singleGroup [ testAgePublic ];
      }
    ];
  };
  sopsConfigFile = pkgs.writers.writeYAML "sops.yaml" sopsConfig;
  wrappedSops = vaculib.makeWrapper {
    original = lib.getExe pkgs.sops;
    new = "vacu-nix-stuff-sops";
    add_flags = [
      "--config"
      sopsConfigFile
    ];
    run = lib.singleton ''
      set -e
      age_keys=("${testAgeSecret}" "$(cat $HOME/.ssh/id_ed25519 | ${lib.getExe pkgs.ssh-to-age} -private-key)")
      export SOPS_AGE_KEY
      printf -v SOPS_AGE_KEY "%s\n" "''${age_keys[@]}"
      # declare -p SOPS_AGE_KEY
    '';
  };
 in
 {
  options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile;
  options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
  options.vacu.secretsFolder = lib.mkOption {
    type = lib.types.path;
    default = ../secrets;
  };
 }
--- a/common/sourceTree.nix
+++ b/common/sourceTree.nix
@@ -0,0 +1,60 @@
 {
  inputs,
  pkgs,
  lib,
  config,
  vacuModuleType,
  ...
 }:
 let
  inherit (builtins) isString isAttrs;
  inherit (lib) mkOption types;
  inputsOf =
    flake:
    assert isAttrs flake;
    let
      inputs = removeAttrs (flake.inputs or { }) [ "self" ];
      # inputTrees = lib.mapAttrs (_: val: inputsOf val) inputs;
    in
    pkgs.linkFarm "inputs-tree" (inputs // { self = flake; });
  # traverseInputs =
  #   linkDir: unfilteredInputs:
  #   assert isString linkDir;
  #   assert isAttrs unfilteredInputs;
  #   let
  #     inputs = removeAttrs unfilteredInputs [ "self" ];
  #   in
  #   lib.concatStringsSep "\n" (
  #     lib.mapAttrsToList (
  #       inputName: inputAttrs:
  #       let
  #         thisDir = linkDir + "/" + inputName;
  #       in
  #       assert isAttrs inputAttrs;
  #       assert isAttrs (inputAttrs.inputs or { });
  #       ''
  #         mkdir -p ${thisDir}
  #         ln -s ${inputAttrs} ${thisDir}/self
  #         ${traverseInputs thisDir (inputAttrs.inputs or { })}
  #       ''
  #     ) inputs
  #   );
 in
 {
  options.vacu.sourceTree = mkOption {
    readOnly = true;
    type = types.package;
  };
  config =
    {
      vacu.sourceTree = inputsOf inputs.self // { inherit inputs; };
      # vacu.sourceTree = pkgs.runCommand "inputs-tree" { } ''
      #   mkdir -p $out
      #   ln -s ${inputs.self} $out/self
      #   ${traverseInputs "$out" inputs}
      # '';
    }
    // (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
      environment.etc."vacu/sources".source = "${config.vacu.sourceTree}";
    });
 }
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -0,0 +1,145 @@
 { lib, config, ... }:
 let
  inherit (lib)
    mkOption
    types
    flip
    concatMapStringsSep
    optionalString
    concatStringsSep
    readFile
    literalExpression
    ;
  inherit (builtins) attrValues;
  cfg = config.vacu;
  knownHosts = attrValues cfg.ssh.knownHosts;
  knownHostsText =
    (flip (concatMapStringsSep "\n") knownHosts (
      h:
      assert h.hostNames != [ ];
      optionalString h.certAuthority "@cert-authority "
      + concatStringsSep "," h.hostNames
      + " "
      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
    ))
    + "\n";
 in
 {
  options = {
    vacu.ssh.knownHostsText = mkOption {
      type = types.str;
      readOnly = true;
      default = knownHostsText;
    };
    #vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
    vacu.ssh.authorizedKeys = mkOption {
      type = types.attrsOf types.str;
      default = { };
    };
    vacu.ssh.config = mkOption { type = types.lines; };
    # Straight copied from nixpkgs
    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
    vacu.ssh.knownHosts = mkOption {
      default = { };
      type = types.attrsOf (
        types.submodule (
          {
            name,
            config,
            options,
            ...
          }:
          {
            options = {
              certAuthority = mkOption {
                type = types.bool;
                default = false;
                description = ''
                  This public key is an SSH certificate authority, rather than an
                  individual host's key.
                '';
              };
              hostNames = mkOption {
                type = types.listOf types.str;
                default = [ name ] ++ config.extraHostNames;
                defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
                description = ''
                  A list of host names and/or IP numbers used for accessing
                  the host's ssh service. This list includes the name of the
                  containing `knownHosts` attribute by default
                  for convenience. If you wish to configure multiple host keys
                  for the same host use multiple `knownHosts`
                  entries with different attribute names and the same
                  `hostNames` list.
                '';
              };
              extraHostNames = mkOption {
                type = types.listOf types.str;
                default = [ ];
                description = ''
                  A list of additional host names and/or IP numbers used for
                  accessing the host's ssh service. This list is ignored if
                  `hostNames` is set explicitly.
                '';
              };
              publicKey = mkOption {
                default = null;
                type = types.nullOr types.str;
                example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
                description = ''
                  The public key data for the host. You can fetch a public key
                  from a running SSH server with the {command}`ssh-keyscan`
                  command. The public key should not include any host names, only
                  the key type and the key itself.
                '';
              };
              publicKeyFile = mkOption {
                default = null;
                type = types.nullOr types.path;
                description = ''
                  The path to the public key file for the host. The public
                  key file is read at build time and saved in the Nix store.
                  You can fetch a public key file from a running SSH server
                  with the {command}`ssh-keyscan` command. The content
                  of the file should follow the same format as described for
                  the `publicKey` option. Only a single key
                  is supported. If a host has multiple keys, use
                  {option}`programs.ssh.knownHostsFiles` instead.
                '';
              };
            };
          }
        )
      );
      description = ''
        The set of system-wide known SSH hosts. To make simple setups more
        convenient the name of an attribute in this set is used as a host name
        for the entry. This behaviour can be disabled by setting
        `hostNames` explicitly. You can use
        `extraHostNames` to add additional host names without
        disabling this default.
      '';
      example = literalExpression ''
        {
          myhost = {
            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
          };
          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
          "myhost2.net/dsa" = {
            hostNames = [ "myhost2.net" ];
            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
          };
        }
      '';
    };
  };
  config.vacu.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
    name: data: {
      assertion =
        (data.publicKey == null && data.publicKeyFile != null)
        || (data.publicKey != null && data.publicKeyFile == null);
      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
    }
  );
 }
--- a/common/units-config.nix
+++ b/common/units-config.nix
@@ -0,0 +1,35 @@
 {
  vacu.units.extraUnits = {
    b = "bit";
    B = "byte";
    kibi- = "1024";
    Ki- = "kibi";
    mebi- = "1024 kibi";
    Mi- = "mebi";
    gibi- = "1024 mebi";
    Gi- = "gibi";
    tebi- = "1024 gibi";
    Ti- = "tebi";
    pebi- = "1024 tebi";
    Pi- = "pebi";
    baud = "bit/s";
    kbps = "kilobit/s";
    kibps = "kibibit/s";
    mbps = "megabit/s";
    mibps = "mebibit/s";
    gbps = "gigabit/s";
    gibps = "gibibit/s";
    tbps = "terabit/s";
    tibps = "tebibit/s";
    pbps = "petabit/s";
    pibps = "pebibit/s";
    month = "year/12";
    mo = "month";
    usd = "USD";
    dollar = "USD";
    cent = "0.01 USD";
    "$" = "USD";
    BTC = "bitcoin";
  };
 }
--- a/common/units-impl.nix
+++ b/common/units-impl.nix
@@ -0,0 +1,126 @@
 {
  config,
  lib,
  pkgs,
  vaculib,
  ...
 }:
 let
  inherit (lib) mkOption types;
  unitNameRegex =
    let
      # Unit  names cannot begin or end with an underscore (‘_’), a comma (‘,’) or a decimal point (‘.’).  Names must not contain any of the operator characters ‘+’, ‘-’, ‘*’, ‘/’, ‘|’, ‘^’, ‘;’, ‘~’, the comment character ‘#’, or parentheses.  To facilitate copying and pasting from documents, several typographical characters are converted to operators: the figure dash (U+2012), minus (‘-’; U+2212), and en dash (‘–’; U+2013) are converted to the operator ‘-’; the multiplication sign (‘×’; U+00D7), N-ary times operator (U+2A09), dot operator (‘⋅’; U+22C5), and middle dot (‘·’; U+00B7) are converted to the operator ‘*’; the division sign (‘÷’; U+00F7) is converted to the operator ‘/’; and the fraction slash (U+2044) is converted to the operator ‘|’; accordingly, none of these characters can appear in unit names.
      disallowedAnywhere =
        "+*/|^;~#()" + (builtins.fromJSON ''"\u2012\u2212\u2013\u00d7\u2a09\u22c5\u00b7\u00f7\u2044"'');
      disallowedMiddle = "-" + disallowedAnywhere;
      disallowedAtEnd = "23456789_,." + disallowedAnywhere;
      disallowedAtBegin = "-01" + disallowedAtEnd;
      anyExcept = chars: "[^${lib.escapeRegex chars}]";
      singleChar = anyExcept disallowedAtBegin;
      multiChar = "${anyExcept disallowedAtBegin}${anyExcept disallowedMiddle}*${anyExcept disallowedAtEnd}";
      numberSuffix = regex: "${regex}_[0-9\\.,]+";
      fullRegex = "${singleChar}|${multiChar}|${numberSuffix singleChar}|${numberSuffix multiChar}";
    in
    fullRegex;
  unitsAttrsType = types.addCheck (types.attrsOf types.str) (
    attrs: builtins.all (name: (builtins.match unitNameRegex name) != null) (builtins.attrNames attrs)
  );
  unitsDir = pkgs.stdenvNoCC.mkDerivation {
    name = "vacu-units-files";
    src = pkgs.units.src;
    phases = [
      "unpackPhase"
      "installPhase"
    ];
    installPhase = ''
      mkdir -p $out
      cp {definitions,elements}.units $out
      ln -s ${../units/currency.units} $out/currency.units
      ln -s ${../units/cpi.units} $out/cpi.units
      echo ${lib.escapeShellArg config.vacu.units.lines} > $out/vacu.units
    '';
  };
 in
 {
  options.vacu.units = {
    originalPackage = mkOption {
      type = types.package;
      default = pkgs.units;
    };
    finalPackage = mkOption {
      type = types.package;
      readOnly = true;
    };
    check = mkOption {
      type = types.package;
      readOnly = true;
    };
    generatedConfigDir = mkOption {
      readOnly = true;
      type = types.package;
    };
    generatedConfigFile = mkOption {
      readOnly = true;
      type = types.pathInStore;
    };
    lines = mkOption {
      default = "";
      type = types.lines;
    };
    extraUnits = mkOption {
      type = unitsAttrsType;
      default = { };
    };
  };
  config = lib.mkMerge [
    {
      vacu.units = {
        finalPackage = vaculib.makeWrapper {
          original = config.vacu.units.originalPackage;
          new = "units";
          prepend_flags = [
            "--file"
            config.vacu.units.generatedConfigFile
          ];
        };
        generatedConfigDir = unitsDir;
        generatedConfigFile = "${unitsDir}/vacu.units";
        lines = lib.mkOrder 750 ''
          # default units file, includes elements.units, currency.units, cpi.units
          !include definitions.units
        '';
      };
      vacu.textChecks.units-config = ''
        # `units --check` returns success (exit code 0) regardless of success >:(
        # example output:
        # $ result/bin/units --check
        # Currency exchange rates from exchangerate-api.com (USD base) on 2024-11-14 
        # Consumer price index data from US BLS, 2024-02-18 
        # 7247 units, 125 prefixes, 134 nonlinear units
        #
        output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
        echo "$output"
        filteredLines="$(echo "$output" \
          | grep -v '^\s*$' \
          | grep -v 'Currency exchange rates from' \
          | grep -v 'Consumer price index data from' \
          | grep -vE '[0-9]+ units, [0-9]+ prefixes, [0-9]+ nonlinear units' || true
        )"
        if [[ -n "$filteredLines" ]]; then
          exit 1
        fi
        touch $out
      '';
    }
    {
      vacu.units.lines = lib.concatStringsSep "\n" (
        lib.mapAttrsToList (name: value: "+${name}	${value}") config.vacu.units.extraUnits
      );
    }
  ];
 }
--- a/common/verify-system/default.nix
+++ b/common/verify-system/default.nix
@@ -0,0 +1,61 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 let
  inherit (lib) mkOption mkEnableOption types;
  cfg = config.vacu.verifySystem;
 in
 {
  imports = [ ./nixos.nix ];
  options.vacu.verifySystem = {
    enable = (mkEnableOption "verify system is what is expected") // {
      default = false;
    };
    verifiers = mkOption {
      default = { };
      type = types.attrsOf (
        types.submodule (
          { name, config, ... }:
          {
            options = {
              enable = mkEnableOption "Enable system ident check ${name}";
              name = mkOption {
                type = types.str;
                default = name;
              };
              script = mkOption {
                type = types.lines;
                default = "## system ident check ${config.name}";
              };
            };
          }
        )
      );
    };
    verifyAllScript =
      let
        verifiers = (builtins.attrValues cfg.verifiers);
        enabled = builtins.filter (s: s.enable) verifiers;
        files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
        script = ''
                  ## vacu verify-system
          	for f in ${lib.concatStringsSep " " files}; do
          	  echo "verifying system with $f"
          	  if ! source $f; then
          	    echo "ERR: $f failed" >&2
          	    return 1
          	  fi
          	done
        '';
        scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
      in
      mkOption {
        readOnly = true;
        default = scriptFile;
      };
  };
 }
--- a/common/verify-system/nixos.nix
+++ b/common/verify-system/nixos.nix
@@ -0,0 +1,66 @@
 {
  lib,
  config,
  pkgs,
  vacuModuleType,
  ...
 }:
 let
  inherit (lib) mkOption types;
 in
 lib.optionalAttrs (vacuModuleType == "nixos") {
  options.vacu.verifySystem.expectedMac = mkOption {
    type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}");
    default = null;
  };
  config = lib.mkIf config.vacu.verifySystem.enable {
    # system.activationScripts."00-verify-system" = {
    #   text = "if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit $?; fi";
    #   supportsDryActivation = true;
    # };
    system.extraSystemBuilderCmds = ''
      mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
      cat <<EOF > $out/bin/switch-to-configuration
      #!${pkgs.bash}/bin/bash
      oldpath="$PATH"
      export PATH="${pkgs.coreutils}/bin"
      if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
      export PATH="$oldpath"
      exec $out/bin/.switch-to-configuration-unverified "\$@"
      EOF
      ${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
    '';
    vacu.verifySystem.verifiers = {
      hostname = {
        enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
        script = ''
          expected=${config.networking.hostName}
          actual=$(cat /proc/sys/kernel/hostname)
          if [[ "$expected" != "$actual" ]]; then
            echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
            return 1
          fi
        '';
      };
      expectedMac = {
        enable = config.vacu.verifySystem.expectedMac != null;
        script = ''
          	   expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
          	   declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten | join("\n")' -r))
          	   for ifMac in "''${actual[@]}"; do
                       if [[ "$ifMac" == "$expected" ]]; then
          	       # all is well
          	       return 0
          	      fi
          	   done
          	   echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
          	   echo "     Found MAC addresses: ''${actual[*]}" >&2
          	   return 1
          	 '';
      };
    };
  };
 }
--- a/compute-deck/bluetooth.nix
+++ b/compute-deck/bluetooth.nix
@@ -1,6 +1,7 @@
-{ ... }: {
+{ ... }:
-hardware.bluetooth.enable = true;
+{
-hardware.bluetooth.powerOnBoot = true;
+  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = true;
-services.blueman.enable = true;
+  services.blueman.enable = true;
 }
--- a/compute-deck/default.nix
+++ b/compute-deck/default.nix
@@ -1,18 +1,19 @@
-{ config, pkgs, lib, jovian, inputs, ... }:
+{
-
+  pkgs,
  inputs,
  ...
 }:
 {
  imports = [
    inputs.jovian.nixosModules.jovian
-    inputs.disko.nixosModules.default
+    # inputs.disko.nixosModules.default
-    inputs.homeManager.nixosModules.default
+    inputs.home-manager.nixosModules.default
    ./hardware.nix
    ./partitioning.nix
    ./home.nix
    ./bluetooth.nix
    ./partitioning.nix
    ./padtype.nix
    ../common-nixos-config.nix
  ];
  system.nixos.tags = [ "host-${config.networking.hostName}" ];
  boot.loader.systemd-boot.enable = false;
  boot.loader.efi.efiSysMountPoint = "/boot/EFI";
@@ -23,7 +24,10 @@
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-  networking.hostName = "compute-deck";
+  vacu.hostName = "compute-deck";
  vacu.shortHostName = "cd";
  vacu.shell.color = "blue";
  vacu.systemKind = "desktop";
  networking.hostId = "e595d9b0";
  boot.supportedFilesystems = [ "zfs" ];
@@ -37,40 +41,35 @@
  services.xserver.enable = true;
  services.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
+  services.desktopManager.plasma6.enable = true;
  services.openssh.enable = true;
-  environment.systemPackages = with pkgs; [
+  vacu.packages = with pkgs; [
    audacity
    librewolf
    brave
    jupiter-hw-support
    steamdeck-firmware
    steamdeck-bios-fwupd
    cargo
    clippy
    rust-analyzer
    rustc
    rustfmt
    rustup
  ];
-  boot.kernelPatches = [
+  # boot.kernelPatches = [
-    {
+  #   {
-      name = "gadget";
+  #     name = "gadget";
-      patch = null;
+  #     patch = null;
-      extraStructuredConfig = with lib.kernel; {
+  #     extraStructuredConfig = with lib.kernel; {
-        USB_ETH=module;
+  #       USB_ETH=module;
-        USB_GADGET=yes;
+  #       USB_GADGET=yes;
-        USB_LIBCOMPOSITE=yes;
+  #       USB_LIBCOMPOSITE=yes;
-        USB_CONFIGFS=yes;
+  #       USB_CONFIGFS=yes;
-        USB_DWC3=module;
+  #       USB_DWC3=module;
-        USB_DWC3_PCI=module;
+  #       USB_DWC3_PCI=module;
-        USB_DWC3_DUAL_ROLE=yes;
+  #       USB_DWC3_DUAL_ROLE=yes;
-        USB_DWC3_HOST=no;
+  #       USB_DWC3_HOST=no;
-        USB_DWC3_GADGET=no;
+  #       USB_DWC3_GADGET=no;
-        USB_ROLE_SWITCH=yes;
+  #       USB_ROLE_SWITCH=yes;
-      };
+  #     };
-    }
+  #   }
-  ];
+  # ];
 }
--- a/compute-deck/hardware.nix
+++ b/compute-deck/hardware.nix
@@ -1,51 +1,61 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{
  config,
  lib,
  modulesPath,
  ...
 }:
 {
-  imports =
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ];
+  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "usbhid"
    "sdhci_pci"
    "dwc3_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
-/*
+  /*
-  fileSystems."/" =
+    fileSystems."/" =
-    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-      fsType = "btrfs";
+        fsType = "btrfs";
-      options = [ "subvol=root" ];
+        options = [ "subvol=root" ];
-    };
+      };
-  fileSystems."/home" =
+    fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-      fsType = "btrfs";
+        fsType = "btrfs";
-      options = [ "subvol=home" ];
+        options = [ "subvol=home" ];
-    };
+      };
-  fileSystems."/nix" =
+    fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-      fsType = "btrfs";
+        fsType = "btrfs";
-      options = [ "subvol=nix" ];
+        options = [ "subvol=nix" ];
-    };
+      };
-  fileSystems."/boot" =
+    fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-      fsType = "btrfs";
+        fsType = "btrfs";
-      options = [ "subvol=boot" ];
+        options = [ "subvol=boot" ];
-    };
+      };
-*/
+  */
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
    fsType = "ext4";
    options = [ "nofail" ];
  };
-  fileSystems."/boot" =
+  fileSystems."/boot/EFI" = {
-    { device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
+    device = "/dev/disk/by-uuid/C268-79C8";
-      fsType = "ext4";
+    fsType = "vfat";
-    };
+    options = [ "nofail" ];
-
+  };
  fileSystems."/boot/EFI" =
    { device = "/dev/disk/by-uuid/C268-79C8";
      fsType = "vfat";
    };
  swapDevices = [ ];
--- a/compute-deck/home.nix
+++ b/compute-deck/home.nix
@@ -2,17 +2,15 @@
 {
  home-manager.users.shelvacu = {
    # these make vscode-remote work
-    imports = [
+    imports = [ inputs.vscode-server.homeModules.default ];
      inputs.vscode-server.homeModules.default
    ];
    services.vscode-server.enable = true;
    home.stateVersion = "23.11";
-    programs.git = {
+    # programs.git = {
-      enable = true;
+    #   enable = true;
-      userName = "Shelvacu";
+    #   userName = "Shelvacu";
-      userEmail = "git@shelvacu.com";
+    #   userEmail = "git@shelvacu.com";
-    };
+    # };
    programs.librewolf = {
      enable = true;
--- a/compute-deck/padtype.nix
+++ b/compute-deck/padtype.nix
@@ -1,8 +1,10 @@
-{ inputs, ... }: let
+{ inputs, ... }:
 let
  padtype-pkg = inputs.padtype.packages."x86_64-linux".default;
-in {
+in
 {
  environment.systemPackages = [ padtype-pkg ];
-  
+
  systemd.services."padtype" = {
    wantedBy = [ "multi-user.target" ];
    script = "${padtype-pkg}/bin/padtype";
--- a/compute-deck/partitioning.nix
+++ b/compute-deck/partitioning.nix
@@ -1,5 +1,6 @@
-{ ... }:
+{ inputs, ... }:
 {
  imports = [ inputs.disko.nixosModules.default ];
  disko.devices.disk.blarg = {
    device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
    content = {
@@ -13,20 +14,29 @@
        subvolumes = {
          "/root" = {
            mountpoint = "/";
-            mountOptions = [ "compress=zstd" "noatime" ];
+            mountOptions = [
              "compress=zstd"
              "noatime"
            ];
          };
          "/home" = {
            mountpoint = "/home";
-            mountOptions = [ "compress=zstd" "noatime" ];
+            mountOptions = [
              "compress=zstd"
              "noatime"
            ];
          };
          "/nix" = {
            mountpoint = "/nix";
-            mountOptions = [ "compress=zstd" "noatime" ];
+            mountOptions = [
              "compress=zstd"
              "noatime"
            ];
          };
-#           "/swap" = {
+          #           "/swap" = {
-#             mountpoint = "/.swapvol";
+          #             mountpoint = "/.swapvol";
-#             swap.swapfile.size = "20M";
+          #             swap.swapfile.size = "20M";
-#           };
+          #           };
        };
      };
    };
--- a/2
+++ b/2
@@ -1,3 +1,3 @@
 #!/bin/sh
-git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo "$@"
--- a/deterministic-certs.nix
+++ b/deterministic-certs.nix
@@ -0,0 +1,88 @@
 {
  nixpkgs ? import <nixpkgs>,
 }:
 let
  pkgs = nixpkgs;
  lib = nixpkgs.lib;
  defaultCertTemplate = {
    serial = 1;
    activation_date = "1970-01-01 00:00:00 UTC";
    expiration_date = "2500-01-01 00:00:00 UTC";
  };
  keyValToConfigLines = (
    key: value:
    if (builtins.isString value) || (builtins.isPath value) then
      ''${key} = "${value}"''
    else if builtins.isInt value then
      "${key} = ${builtins.toString value}"
    else if builtins.isList value then
      map (innerValue: keyValToConfigLines key innerValue)
    else if builtins.isBool value then
      (if value then "${key}" else "# no ${key}")
    else
      throw "don't know how to handle ${builtins.typeOf value}"
  );
  mkTemplateConfig =
    config:
    lib.concatStringsSep "\n" (
      lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config)
    );
  privKeyFile =
    name:
    let
      keySizeBits = 256;
      keySizeHex = builtins.toString (keySizeBits / 4);
    in
    pkgs.runCommand "deterministic-privkey-${name}.pem" { } ''
      seed=$(echo ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
      ${pkgs.gnutls}/bin/certtool --generate-privkey --outfile=$out --key-type=rsa --sec-param=high --seed=$seed
    '';
  generateCert =
    {
      name,
      config,
      args,
      preCommands ? "",
    }:
    let
      deriv = pkgs.runCommand "deterministic-cert-${name}" { } ''
        mkdir -p $out
        cd $out
        ln -s ${privKeyFile name} privkey.pem
        ln -s ${
          pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))
        } template.cfg
        ${preCommands}
        ${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
      '';
    in
    deriv
    // {
      privateKeyPath = "${deriv}/privkey.pem";
      certificatePath = "${deriv}/cert.pem";
    };
 in
 {
  inherit privKeyFile;
  selfSigned =
    name: config:
    generateCert {
      inherit name config;
      args = [ "--generate-self-signed" ];
    };
  caSigned =
    name: ca: config:
    generateCert {
      inherit name config;
      preCommands = ''
        ln -s ${ca.privateKeyPath} ca-privkey.pem
        ln -s ${ca.certificatePath} ca-cert.pem
      '';
      args = [
        "--generate-certificate"
        "--load-ca-certificate=ca-cert.pem"
        "--load-ca-privkey=ca-privkey.pem"
      ];
    };
 }
--- a/devver/default.nix
+++ b/devver/default.nix
@@ -1,57 +0,0 @@
 { config, pkgs, lib, inputs, modulesPath, ... }:
 {
  imports = [
    inputs.homeManager.nixosModules.default
    ../common-nixos-config.nix
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
  boot.extraModulePackages = [ ];
  system.nixos.tags = [ "host-${config.networking.hostName}" ];
  networking.hostName = "devver";
  boot.loader.external.enable = true;
  boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
    PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
    set -xev
    mkdir -p /boot
    cp $1/kernel /boot/kernel
    cp $1/initrd /boot/initrd
    cp $1/kernel-params /boot/kernel-params
    sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
  '';
  users.users.root.shell = pkgs.bashInteractive;
  fileSystems."/boot" = {
    fsType = "9p";
    device = "boot";
    options = [
      "trans=virtio"
      "access=any"
      "version=9p2000.L"
      "posixacl"
      "cache=mmap"
      "nofail"
      "noauto"
    ];
  };
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
    fsType = "ext4";
  };
  #boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  services.openssh.enable = true;
  vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
  system.stateVersion = "23.11";
 }
--- a/2
+++ b/2
@@ -1,3 +1,3 @@
 #!/bin/sh
-git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo "$@"
--- a/3
+++ b/3
@@ -0,0 +1,3 @@
 #!/bin/sh
 git add . && nixos-rebuild --flake .#mmm --build-host trip --target-host mmm --use-remote-sudo "$@"
--- a/dns/default.nix
+++ b/dns/default.nix
@@ -0,0 +1,71 @@
 {
  dns,
  lib,
  vaculib,
  config,
  ...
 }:
 let
  inherit (lib) mkOption types singleton;
  inherit (vaculib) mkOutOption;
  inherit (dns.lib.combinators)
    spf
    mx
    ttl
    ns
    ;
  cfg = config.vacu.dnsData;
 in
 {
  imports = [
    ./jean-luc.org.nix
    ./pwrhs.win.nix
    ./shelvacu.miras.pet.nix
    ./for.miras.pet.nix
  ];
  options.vacu.dns = mkOption {
    default = { };
    type = types.attrsOf dns.lib.types.zone;
  };
  options.vacu.dnsData = {
    tripPublicV4 = mkOutOption "172.83.159.53";
    cloudnsNameServers = mkOutOption [
      "ns1.shelvacu.com."
      "ns2.shelvacu.com."
      "ns3.shelvacu.com."
      "ns4.shelvacu.com."
    ];
    cloudnsSoa = mkOutOption (
      ttl (60 * 60) {
        nameServer = lib.head cfg.cloudnsNameServers;
        adminEmail = "support@cloudns.net";
        serial = 2025013101;
        refresh = 7200;
        retry = 1800;
        expire = 1209600;
        minimum = 3600;
      }
    );
    dkimKeys.liam = mkOutOption {
      name = "2024-03-liam";
      content = "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==";
    };
    modules.cloudns = mkOutOption {
      SOA = cfg.cloudnsSoa;
      NS = map (s: ttl (60 * 60) (ns s)) cfg.cloudnsNameServers;
      TTL = lib.mkDefault 300;
    };
    modules.liamMail = mkOutOption {
      MX = singleton (mx.mx 0 "liam.dis8.net.");
      TXT = singleton (
        spf.strict [
          "mx"
          "include:outbound.mailhop.org"
          "include:_spf.mailersend.net"
          "a:relay.dynu.com"
        ]
      );
      subdomains."${cfg.dkimKeys.liam.name}._domainkey".TXT = singleton cfg.dkimKeys.liam.content;
    };
  };
 }
--- a/dns/for.miras.pet.nix
+++ b/dns/for.miras.pet.nix
@@ -0,0 +1,21 @@
 { lib, config, ... }:
 let
  inherit (lib) singleton;
  inherit (config.vacu) dnsData;
 in
 {
  vacu.dns."for.miras.pet" =
    { ... }:
    {
      imports = [ dnsData.modules.cloudns ];
      SOA.minimum = lib.mkForce 30;
      subdomains = {
        "git".A = singleton dnsData.tripPublicV4;
        "auth".A = singleton dnsData.tripPublicV4;
        "wisdom".A = singleton dnsData.tripPublicV4;
        "chat".A = singleton dnsData.tripPublicV4;
        "gabriel-dropout".A = singleton dnsData.tripPublicV4;
        "_acme-challenge".CNAME = singleton "199b8aa4-bc9f-4f43-88bf-3f613f62b663.auwwth.dis8.net.";
      };
    };
 }
--- a/dns/jean-luc.org.nix
+++ b/dns/jean-luc.org.nix
@@ -0,0 +1,30 @@
 { lib, config, ... }:
 let
  inherit (lib) singleton;
  inherit (config.vacu) dnsData;
  main_ips = singleton dnsData.tripPublicV4;
 in
 {
  vacu.dns."jean-luc.org" =
    { ... }:
    {
      imports = [
        dnsData.modules.cloudns
        dnsData.modules.liamMail
      ];
      A = main_ips;
      subdomains = {
        "in" =
          { ... }:
          {
            imports = [ dnsData.modules.liamMail ];
          };
        "*".A = main_ips;
        "_acme-challenge".CNAME = singleton "8cc7a174-c4a6-40f5-9fff-dfb271c5ce0b.auwwth.dis8.net.";
        "stats".A = main_ips;
        "tdi-readings".CNAME = singleton "d20l6bh1gp7s8.cloudfront.net.";
        "_a908498ee692a9729bf12e161ae1887d.tdi-readings".CNAME =
          singleton "_1f055e4fc0f439e67304a33945d09002.hkvuiqjoua.acm-validations.aws.";
      };
    };
 }
--- a/dns/pwrhs.win.nix
+++ b/dns/pwrhs.win.nix
@@ -0,0 +1,15 @@
 { lib, config, ... }:
 let
  inherit (lib) singleton;
  inherit (config.vacu) dnsData;
 in
 {
  vacu.dns."pwrhs.win" =
    { ... }:
    {
      imports = [ dnsData.modules.cloudns ];
      A = singleton dnsData.tripPublicV4;
      subdomains.habitat.A = singleton dnsData.tripPublicV4;
      subdomains._acme-challenge.CNAME = singleton "73697955-1c51-48ba-ba1e-b3398850f59f.auwwth.dis8.net.";
    };
 }
--- a/dns/shelvacu.miras.pet.nix
+++ b/dns/shelvacu.miras.pet.nix
@@ -0,0 +1,18 @@
 { lib, config, ... }:
 let
  inherit (lib) singleton;
  inherit (config.vacu) dnsData;
 in
 {
  vacu.dns."shelvacu.miras.pet" =
    { ... }:
    {
      imports = [
        dnsData.modules.cloudns
        dnsData.modules.liamMail
      ];
      A = singleton dnsData.tripPublicV4;
      subdomains."_acme-challenge".CNAME =
        singleton "65e44f64-3c65-46f6-b15f-4ad6363b21eb.auwwth.dis8.net.";
    };
 }
--- a/2
+++ b/2
@@ -1,3 +1,3 @@
 #!/bin/sh
-git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo "$@"
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@@ -1,141 +1,495 @@
 {
-  description = "Config for triple-dezert server";
+  description = "Configs for shelvacu's nix things";
  inputs = {
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
+    nixpkgs.url = "nixpkgs/nixos-24.11-small";
-    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
-    nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
+
    flake-utils.url = "github:numtide/flake-utils";
    nixvim = {
      url = "github:nix-community/nixvim/nixos-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
    nixvim-unstable = {
      url = "github:nix-community/nixvim";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    nix-inspect = {
      url = "github:bluskript/nix-inspect";
-      #inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-inspect-unstable = {
      url = "github:bluskript/nix-inspect";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    vscode-server-unstable = {
      url = "github:nix-community/nixos-vscode-server";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
      inputs.flake-utils.follows = "flake-utils";
    };
    vscode-server = {
      url = "github:nix-community/nixos-vscode-server";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    nix-on-droid = {
-      url = "github:nix-community/nix-on-droid/release-23.05";
+      url = "github:nix-community/nix-on-droid";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
-    jovian = {
+    jovian-unstable = {
      # there is no stable jovian :cry:
      url = "github:Jovian-Experiments/Jovian-NixOS";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko-unstable = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
-    homeManager = {
+    home-manager = {
-      url = "github:nix-community/home-manager/master";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager-unstable = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    nix-search-cli-unstable = {
      url = "github:peterldowns/nix-search-cli";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
      inputs.flake-utils.follows = "flake-utils";
    };
    nix-search-cli = {
      url = "github:peterldowns/nix-search-cli";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
-    padtype = {
+    padtype-unstable = {
-      url = "gitlab:shelvacu/padtype";
+      url = "git+https://git.uninsane.org/shelvacu/padtype.git";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    microvm = {
+    nixos-hardware.url = "github:nixos/nixos-hardware";
-      url = "github:astro/microvm.nix";
+    most-winningest = {
      url = "github:captain-jean-luc/most-winningest";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    nixos-apple-silicon-unstable = {
      url = "github:tpwrules/nixos-apple-silicon";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
    dns = {
      url = "github:nix-community/dns.nix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    determinate-nix = {
      url = "https://flakehub.com/f/DeterminateSystems/nix-src/3.0.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    determinate-nix-unstable = {
      url = "https://flakehub.com/f/DeterminateSystems/nix-src/3.0.0";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
  };
-  outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
+  outputs =
-    debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
+    {
-    nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
+      self,
-      system =  "x86_64-linux";
+      nixpkgs,
-      modules = [ ./triple-dezert ];
+      nix-on-droid,
-      specialArgs = { inherit inputs; };
+      ...
-    };
+    }@inputs:
-
+    let
-    nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
+      x86 = "x86_64-linux";
-      system = "x86_64-linux";
+      arm = "aarch64-linux";
-      modules = [ ./compute-deck ];
+      lib = import "${nixpkgs}/lib";
-      specialArgs = { inherit inputs; };
+      overlays = import ./overlays;
-    };
+      mkPlainInner =
-
+        pkgs:
-    nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
+        lib.evalModules {
-      system =  "x86_64-linux";
+          modules = [
-      modules = [ ./liam ];
+            ./common
-      specialArgs = { inherit inputs; };
+            { vacu.systemKind = "server"; }
-    };
+          ];
-
+          specialArgs = {
-    nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
+            inherit pkgs;
-      system = "x86_64-linux";
+            inherit lib;
-      modules = [ ./lp0 ];
+            inherit (inputs) dns;
-      specialArgs = { inherit inputs; };
+            vacuModuleType = "plain";
-    };
+            inherit inputs;
-    
+          };
    nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [ ./installer.nix ];
      specialArgs = { inherit inputs; };
    };
    nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
      system =  "x86_64-linux";
      modules = [ ./devver ];
      specialArgs = { inherit inputs; };
    };
    nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [ ./fw ];
      specialArgs = { inherit inputs; };
    };
    nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
      modules = [ ./nix-on-droid.nix ];
      extraSpecialArgs = { inherit inputs; };
    };
    diskoConfigurations.compute-deck = import ./compute-deck/partitioning.nix;
    checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        config = {
          node.pkgs = pkgs;
          node.pkgsReadOnly = false;
          node.specialArgs.selfPackages = self.packages.${system};
          node.specialArgs.inputs = inputs;
        };
      mkPlain =
        pkgs:
        let
          inner = mkPlainInner pkgs;
        in
        inner.config.vacu.withAsserts inner;
      mkPkgs =
        arg:
        let
          argAttrAll = if builtins.isString arg then { system = arg; } else arg;
          useUnstable = argAttrAll.useUnstable or false;
          whichpkgs = if useUnstable then inputs.nixpkgs-unstable else inputs.nixpkgs;
          argAttr = lib.removeAttrs argAttrAll [ "useUnstable" ];
          config = {
            allowUnfree = true;
            permittedInsecurePackages = [ "olm-3.2.16" ];
          } // (argAttr.config or { });
        in
        import whichpkgs (
          argAttr // { inherit config; } // { overlays = (argAttr.overlays or [ ]) ++ overlays; }
        );
      pkgs = mkPkgs x86;
      defaultInputs = [
        "nix-search-cli"
        "nix-inspect"
        "nixvim"
        "determinate-nix"
      ];
      mkInputs =
        {
          unstable ? false,
          inp ? [ ],
        }:
        let
          suffix = if unstable then "-unstable" else "";
          nixpkgs = inputs.${"nixpkgs" + suffix};
          inp' = inp ++ defaultInputs;
          thisInputsA = builtins.listToAttrs (
            map (name: lib.nameValuePair name inputs.${name + suffix}) inp'
          );
        in
          thisInputsA // {
            inherit nixpkgs;
            inherit (inputs) self;
          };
      mkNixosConfig =
        {
          unstable ? false,
          module,
          system ? "x86_64-linux",
          inp ? [ ],
        }:
        let
          inputs = mkInputs { inherit unstable inp; };
        in
        inputs.nixpkgs.lib.nixosSystem {
          specialArgs = {
            inherit inputs;
            inherit (inputs) dns;
            vacuModuleType = "nixos";
          };
          inherit system;
          modules = [
            ./common
            module
          ];
        };
    in
    {
      debug.isoDeriv = (
        import "${inputs.nixpkgs}/nixos/release-small.nix" {
          nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
        }
      );
      nixosConfigurations = {
        triple-dezert = mkNixosConfig {
          module = ./triple-dezert;
          inp = [ "most-winningest" "sops-nix" ];
        };
        compute-deck = mkNixosConfig {
          module = ./compute-deck;
          inp = [
            "jovian"
            "home-manager"
            "vscode-server"
            "disko"
            "padtype"
          ];
          unstable = true;
        };
        liam = mkNixosConfig {
          module = ./liam;
          inp = [ "sops-nix" ];
        };
        lp0 = mkNixosConfig { module = ./lp0; };
        shel-installer = mkNixosConfig { module = ./installer.nix; };
        fw = mkNixosConfig {
          module = ./fw;
          inp = [
            "nixos-hardware"
            "sops-nix"
          ];
        };
        legtop = mkNixosConfig {
          module = ./legtop;
          inp = [ "nixos-hardware" ];
        };
        mmm = mkNixosConfig {
          module = ./mmm;
          inp = [ "nixos-apple-silicon" ];
          system = "aarch64-linux";
          unstable = true;
        };
        toptop = mkNixosConfig {
          module = ./toptop;
          system = "x86_64-linux";
        };
      };
      nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
        modules = [
          ./common
          ./nix-on-droid
        ];
        extraSpecialArgs = {
          inputs = mkInputs { };
          inherit (inputs) dns;
          vacuModuleType = "nix-on-droid";
        };
        pkgs = mkPkgs {
          system = arm;
        };
      };
      checks = nixpkgs.lib.genAttrs [ x86 ] (
        system:
        let
          pkgs = mkPkgs system;
          plain = mkPlain pkgs;
          config = {
            node.pkgs = pkgs;
            node.pkgsReadOnly = false;
            node.specialArgs.selfPackages = self.packages.${system};
            node.specialArgs.vacuModuleType = "nixos";
          };
          checksFromConfig = plain.config.vacu.checks;
        in
        assert !(checksFromConfig ? liam) && !(checksFromConfig ? trip);
        checksFromConfig
        // {
          liam = nixpkgs.lib.nixos.runTest {
            hostPkgs = pkgs;
            imports = [
              config
              ./tests/liam.nix
              { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
            ];
          };
          trip = nixpkgs.lib.nixos.runTest {
            hostPkgs = pkgs;
            imports = [
              config
              ./tests/triple-dezert.nix
              { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
            ];
          };
        }
      );
      qb = # qb is "quick build"
        let
          toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
          deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; };
          renamedAarchPackages = lib.mapAttrs' (
            name: value: lib.nameValuePair (name + "-aarch64") value
          ) self.packages.aarch64-linux;
          packages = self.packages.x86_64-linux // renamedAarchPackages;
        in
        rec {
          fw = toplevelOf "fw";
          triple-dezert = toplevelOf "triple-dezert";
          trip = triple-dezert;
          compute-deck = toplevelOf "compute-deck";
          cd = compute-deck;
          liam = toplevelOf "liam";
          lp0 = toplevelOf "lp0";
          legtop = toplevelOf "legtop";
          lt = legtop;
          mmm = toplevelOf "mmm";
          shel-installer = toplevelOf "shel-installer";
          toptop = toplevelOf "toptop";
          tt = toptop;
          iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
          check-triple-dezert = self.checks.x86_64-linux.trip.driver;
          check-trip = check-triple-dezert;
          check-liam = self.checks.x86_64-linux.liam.driver;
          nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
          nod = nix-on-droid;
          nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
          nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
          dc-priv = deterministicCerts.privKeyFile "test";
          dc-cert = deterministicCerts.selfSigned "test" { };
          # sm64 = packages.sm64coopdx;
          ak = packages.authorizedKeys;
          my-sops = packages.wrappedSops;
          inherit (inputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
            m1n1
            uboot-asahi
            installer-bootstrap
            ;
          installer-bootstrap-cross =
            inputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
        }
        // packages;
      brokenBuilds = [
        "sm64coopdx-aarch64"
        "installer-bootstrap"
      ];
      all =
        let
          linksNoContext = removeAttrs self.qb self.brokenBuilds;
          links = builtins.mapAttrs (
            name: val: builtins.addErrorContext "while evaluating link ${name}" val
          ) linksNoContext;
        in
        pkgs.runCommand "nix-stuff-all"
          {
            __structuredAttrs = true;
            inherit links;
          }
          ''
            mkdir $out
            cd $out
            eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
          '';
      impureBuilds = [
        "nix-on-droid"
        "nod"
        "nod-bootstrap-x86_64"
        "nod-bootstrap-aarch64"
      ];
      allPure = self.all.overrideAttrs (prev: {
        links = removeAttrs prev.links self.impureBuilds;
      });
      archiveSmall =
        let
          # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
          isoContents = lib.concatStringsSep "\n" (
            map (
              c: "${c.source} => ${c.target}"
            ) self.nixosConfigurations.shel-installer.config.isoImage.contents
          );
          isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
          allButImgs = self.all.overrideAttrs (prev: {
            links = (removeAttrs prev.links [ "iso" ]) // {
              iso-contents = isoContentsPkg;
            };
          });
        in
        allButImgs;
      archive =
        let
          inherit (self) archiveSmall;
        in
        archiveSmall.overrideAttrs (prev: {
          links = prev.links // {
            build-deps = pkgs.closureInfo { rootPaths = [ archiveSmall.drvPath ]; };
          };
        });
    }
    // (inputs.flake-utils.lib.eachDefaultSystem (
      system:
      let
        nixpkgs-args = {
          inherit system;
          config.allowUnfree = true;
          overlays = [ inputs.sm64baserom.overlays.default ];
        };
        pkgs-unstable = mkPkgs nixpkgs-args // {
          useUnstable = true;
        };
        pkgs-stable = mkPkgs nixpkgs-args // {
          useUnstable = false;
        };
        _plain = mkPlain pkgs-unstable;
        plain = _plain.config.vacu.withAsserts _plain;
        treefmtEval = inputs.treefmt-nix.lib.evalModule pkgs-unstable ./treefmt.nix;
      in
      {
-        liam = nixpkgs.lib.nixos.runTest {
+        formatter = treefmtEval.config.build.wrapper;
-          hostPkgs = pkgs;
+        apps.sops = {
-          imports = [ config ./tests/liam.nix ];
+          type = "app";
          program = lib.getExe self.packages.${system}.wrappedSops;
        };
-        trip = nixpkgs.lib.nixos.runTest {
+        vacuconfig = plain.config;
-          hostPkgs = pkgs;
+        legacyPackages = {
-          imports = [ config ./tests/triple-dezert.nix ];
+          unstable = pkgs-unstable;
          stable = pkgs-stable;
        };
        packages = rec {
          authorizedKeys = pkgs-stable.writeText "authorizedKeys" (
            lib.concatStringsSep "\n" (
              lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys
            )
          );
          bandcamp-collection-downloader = pkgs-unstable.callPackage ./packages/bcd { };
          bcd = bandcamp-collection-downloader;
          dnix = inputs.determinate-nix.packages.${system}.nix;
          dns = import ./scripts/dns {
            inherit pkgs lib inputs;
            inherit (plain) config;
          };
          haproxy-auth-request = pkgs.callPackage ./packages/haproxy-auth-request.nix {
            inherit haproxy-lua-http;
          };
          haproxy-lua-http = pkgs.callPackage ./packages/haproxy-lua-http.nix { };
          liam-sieve-script = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
          nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
            extraSpecialArgs = {
              inputs = { };
            };
            module = {
              imports = [ ./nixvim ];
            };
          };
          nix-inspect = inputs.nix-inspect.packages.${system}.default;
          nix-search-cli = inputs.nix-search-cli.packages.${system}.default;
          openterface-qt = pkgs.callPackage ./packages/openterface-qt.nix { };
          rg-cubexx-v1-0-1 = pkgs.fetchurlWithWetransfer {
            url = "https://we.tl/t-nwhCNkgXwG";
            name = "cxm_rgcubexx-v1-0-1-en32gb-2401018_2024-10-19_0631.zip";
            recursiveHash = true;
            hash = "sha256-kQds0/BdlEA10LJozOvpQ65TemTx6CxjO8rANi4o5K0=";
          };
          sopsConfig = plain.config.vacu.sopsConfigFile;
          sourceTree = plain.config.vacu.sourceTree;
          transferwee = pkgs.callPackage ./packages/transferwee.nix { };
          units = plain.config.vacu.units.finalPackage;
          update-git-keys = pkgs-stable.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; };
          vnopnCA = pkgs-stable.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
          wrappedSops = plain.config.vacu.wrappedSops;
          z3 = pkgs-unstable.callPackage ./packages/z3 { };
          # mycoopdx = pkgs-unstable.callPackage ./packages/sm64coopdx.nix { };
          # zulip-server = pkgs.python312Packages.callPackage ./packages/zulip.nix { };
        };
        # trip_haproxy_config = let
        #   hacfg = self.nixosConfigurations.triple-dezert.config.containers.frontproxy.config.services.haproxy;
        # in pkgs.stdenvNoCC.mkDerivation {
        #   name = "trip-haproxy-config-check";
        #   script = ''
        #     mkdir -p certs/shelvacu.com/
        #     touch certs/shelvacu.com/full.pem
        #     ${hacfg.package}/bin/haproxy \
        #       -f ${pkgs.writeText "haproxy-config" hacfg.config} \
        #       -c \
        #       -dW \
        #       -dD \
        #       -C $PWD
        #   '';
        # };
      }
-    );
+    ));
    nixosModules.common = import ./common-config.nix;
    packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
  };
 }
--- a/fw/android.nix
+++ b/fw/android.nix
@@ -0,0 +1,5 @@
 { pkgs, ... }:
 {
  vacu.packages = pkgs.androidStudioPackages.stable.all;
  users.users.shelvacu.extraGroups = [ "kvm" ];
 }
--- a/fw/apex.nix
+++ b/fw/apex.nix
@@ -0,0 +1,69 @@
 # everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
 { pkgs, config, ... }:
 let
  # to match package used in config.services.pcscd, unfortunately not exposed like usual
  pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
 in
 {
  # apparently this is already enabled??
  # nixpkgs.overlays = [ ( final: prev: {
  #   libfido2 = prev.libfido2.override { withPcsclite = true; };
  # } ) ];
  vacu.packages =
    (with pkgs; [
      libfido2
      pcsc-tools
      scmccid
      opensc
    ])
    ++ [ pcsclite-pkg ];
  services.pcscd.enable = true;
  # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
  boot.blacklistedKernelModules = [
    "pn533_usb"
    "pn533"
    "nfc"
  ];
  # bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
  # (PIN1 for authentication/decryption, PIN2 for signing).
  # environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
  #   module: ${pkgs.opensc}/lib/opensc-pkcs11.so
  # '';
  # environment.etc."opensc.conf".text = ''
  #   app default {
  #     reader_driver pcsc {
  #       enable_pinpad = false;
  #     }
  #   }
  # '';
  environment.systemPackages = [
    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
    # security devices, so they can be used for TLS client auth.
    # Each user needs to run this themselves, it does not work on a system level
    # due to a bug in Chromium:
    #
    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
    (pkgs.writeShellScriptBin "setup-browser-eid" ''
      NSSDB="''${HOME}/.pki/nssdb"
      mkdir -p ''${NSSDB}
      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
    '')
  ];
  programs.firefox.enable = true;
  #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
  # trying CTAP-bridge
  services.udev.extraRules = ''
    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
  '';
 }
--- a/fw/default.nix
+++ b/fw/default.nix
@@ -1,24 +1,98 @@
-{ config, inputs, pkgs, lib, ... }: {
+{ inputs, pkgs, ... }:
-  imports = [ 
+{
-    ../common-nixos-config.nix
+  imports = [
    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
    ./apex.nix
    ./android.nix
    ./thunderbolt.nix
    ./fwupd.nix
    ./zfs.nix
    ./virtualbox.nix
    ./sops.nix
    ./radicle.nix
    ./orca-slicer.nix
    ./tpm-fido.nix
  ];
-  system.nixos.tags = [ "host-${config.networking.hostName}" ];
+
  vacu.hostName = "fw";
  vacu.shell.color = "magenta";
  vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
  vacu.systemKind = "desktop";
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  networking.networkmanager.enable = true;
  # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
-  vacu.packages.bitwarden-desktop.enable = true;
+  services.fprintd.enable = false; # kinda broken
-  vacu.packages.nheko.enable = true;
+
-  vacu.packages.librewolf.enable = true;
+  users.users.shelvacu.extraGroups = [ "dialout" ];
-  vacu.packages.brave.enable = true;
+
-  vacu.packages.thunderbird.enable = true;
+  programs.steam.extraCompatPackages = [ pkgs.proton-ge-bin ];
-  vacu.packages.wl-clipboard.enable = true;
+
-  vacu.packages.nextcloud-client.enable = true;
+  vacu.packages =
-  vacu.packages.signal-desktop.enable = true;
+    (with pkgs; [
-  vacu.packages.fw-ectool.enable = true;
+      bitwarden-desktop
-  vacu.packages.framework-tool.enable = true;
+      nheko
-  vacu.packages.iio-sensor-proxy.enable = true;
+      librewolf
-  vacu.packages.power-profiles-daemon.enable = true;
+      brave
-  vacu.packages.acpi.enable = true;
+      thunderbird
      wl-clipboard
      nextcloud-client
      signal-desktop
      fw-ectool
      framework-tool
      iio-sensor-proxy
      power-profiles-daemon
      acpi
      jellyfin-media-player
      vlc
      dmidecode
      prismlauncher
      "ffmpeg-allvrything"
      wireshark
      obsidian
      dino
      aircrack-ng
      libreoffice-qt6-fresh
      gimp
      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
      (inkscape-with-extensions.override { inkscapeExtensions = null; })
      libsmi
      net-snmp
      android-tools
      ghidra
      wineWowPackages.stableFull
      wineWowPackages.fonts
      winetricks
      tremotesf
      smartmontools
      nvme-cli
      arduino-ide
      headsetcontrol
      OSCAR
      # makemkv
      mkvtoolnix-cli
      flac
      imagemagickBig
      anki
      openshot-qt
      kdePackages.kdenlive
      shotcut
      radicle-node
      josm
      merkaartor
      kaffeine
      kdePackages.elisa
      haruna
      kdePackages.dragon
      wev
      svp
      filezilla
      mercurial
    ])
    ++ [ ];
  networking.firewall.enable = false;
  services.xserver.enable = true;
  services.displayManager.sddm.enable = true;
@@ -40,41 +114,54 @@
    }
  ];
  networking.hostName = "fw"; # Define your hostname.
  networking.hostId = "c6e309d5";
  boot.zfs.extraPools = [ "fw" ];
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  systemd.services.zfs-mount.enable = false;
  services.openssh.enable = true;
  system.stateVersion = "23.11"; # Did you read the comment?
-  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
-  boot.initrd.kernelModules = [ ];
+    "nvme"
    "xhci_pci"
    "thunderbolt"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  #boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
+  #boot.extraModulePackages = [ ];
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "fw/root";
+    device = "fw/root";
-      fsType = "zfs";
+    fsType = "zfs";
-    };
+  };
-  fileSystems."/boot0" =
+  fileSystems."/boot0" = {
-    { device = "/dev/disk/by-label/BOOT0";
+    device = "/dev/disk/by-label/BOOT0";
-      fsType = "vfat";
+    fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+    options = [
-    };
+      "fmask=0022"
      "dmask=0022"
      "nofail"
    ];
  };
-  fileSystems."/boot1" =
+  fileSystems."/boot1" = {
-    { device = "/dev/disk/by-label/BOOT1";
+    device = "/dev/disk/by-label/BOOT1";
-      fsType = "vfat";
+    fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+    options = [
-    };
+      "fmask=0022"
      "dmask=0022"
      "nofail"
    ];
  };
  hardware.cpu.amd.updateMicrocode = true;
  hardware.enableAllFirmware = true;
-  hardware.opengl = {
+  hardware.graphics = {
-    driSupport = true;
+    extraPackages = [
-    driSupport32Bit = true;
+      pkgs.rocmPackages.clr.icd
      pkgs.amdvlk
    ];
  };
  programs.nix-ld.enable = true;
  programs.steam = {
@@ -91,4 +178,8 @@
  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = true;
  services.blueman.enable = true;
  services.postgresql.enable = true; # for development
  virtualisation.waydroid.enable = true;
 }
--- a/fw/experiment.nix
+++ b/fw/experiment.nix
@@ -0,0 +1,43 @@
 {
  pkgs,
  config,
  lib,
  ...
 }:
 let
  version = "6.10.4";
  hash = "sha256:1y2m2pqrvsgr9ng72nnh4yvsprkvkznhnmn4p8g78350bzyrvip2";
  customKernel = pkgs.linux_6_10.override {
    inherit version;
    src = pkgs.fetchurl {
      url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
      inherit hash;
    };
    modDirVersion = lib.versions.pad 3 version;
  };
  customKernelPackages = pkgs.linuxPackagesFor customKernel;
 in
 {
  system.nixos.tags = [
    "EXPERIMENT"
    "kernel-${config.boot.kernelPackages.kernel.version}"
  ];
  boot.kernelPackages = lib.mkForce customKernelPackages;
  # boot.zfs.extraPools = lib.mkForce [];
  # fileSystems."/".fsType = lib.mkForce "ext4";
  vacu.packages.sm64coopdx.enable = false;
  vacu.verifySystem.expectedMac = lib.mkForce null;
 }
 # good:
 #  Linux fw 6.6.50 #1-NixOS SMP PREEMPT_DYNAMIC Sun Sep  8 05:54:49 UTC 2024 x86_64 GNU/Linux
 #  Linux fw 6.8.12 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:49:53 UTC 2024 x86_64 GNU/Linux
 #  linux-6.9.12
 #  6.10.4 (maybe?? sus)
 # Linux fw 6.10.10 #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024 x86_64 GNU/Linux (but this was supposed to be 6.10.4....)
 # bad:
 # Linux fw 6.10.10-gnu #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan  1 00:00:00 UTC 1980 x86_64 GNU/Linux
 #  linux linux-6.10.10
--- a/fw/fwupd.nix
+++ b/fw/fwupd.nix
@@ -0,0 +1,8 @@
 { config, lib, ... }:
 {
  vacu.packages = [ config.services.fwupd.package ];
  services.fwupd.enable = true;
  #fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
  #update: it didn't work, I dunno why. Leaving this here anyways
  services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
 }
--- a/fw/orca-slicer.nix
+++ b/fw/orca-slicer.nix
@@ -0,0 +1,16 @@
 { pkgs, ... }:
 {
  vacu.packages.orca-slicer = {
    enable = true;
    package = pkgs.orca-slicer.overrideAttrs (prev: {
      patches = (prev.patches or [ ]) ++ [
        (pkgs.fetchpatch {
          name = "pr-7650-configurable-update-check.patch";
          url = "https://github.com/SoftFever/OrcaSlicer/pull/7650.patch";
          hash = "sha256-t4own5AwPsLYBsGA15id5IH1ngM0NSuWdFsrxMRXmTk=";
        })
      ];
      cmakeFlags = (prev.cmakeFlags or [ ]) ++ [ "-DORCA_VERSION_CHECK_DEFAULT=OFF" ];
    });
  };
 }
--- a/fw/radicle.nix
+++ b/fw/radicle.nix
@@ -0,0 +1,16 @@
 { config, ... }:
 {
  sops.secrets.radicle-key = {
    sopsFile = ../secrets/radicle-private.key;
    format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
  };
  services.radicle = {
    enable = false;
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
    privateKeyFile = config.sops.secrets.radicle-key.path;
    settings = {
      node.alias = "shelvacu-fw";
      seedingPolicy.default = "block";
    };
  };
 }
--- a/fw/sops.nix
+++ b/fw/sops.nix
@@ -0,0 +1,19 @@
 {
  inputs,
  lib,
  config,
  ...
 }:
 {
  imports = [ inputs.sops-nix.nixosModules.sops ];
  options.vacu.secretsFolder = lib.mkOption {
    type = lib.types.path;
    default = ../secrets;
  };
  config = {
    # sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
 }
--- a/fw/thunderbolt.nix
+++ b/fw/thunderbolt.nix
@@ -0,0 +1,10 @@
 { pkgs, config, ... }:
 {
  services.hardware.bolt.enable = true;
  vacu.packages = [
    pkgs.thunderbolt
    config.services.hardware.bolt.package
    pkgs.kdePackages.plasma-thunderbolt
  ];
 }
--- a/fw/tpm-fido.nix
+++ b/fw/tpm-fido.nix
@@ -0,0 +1,11 @@
 { config, ... }:
 {
  vacu.packages = [ "tpm-fido" ];
  users.groups.uhid = {};
  users.users.shelvacu.extraGroups = [ config.security.tpm2.tssGroup config.users.groups.uhid.name ];
  security.tpm2.enable = true;
  security.tpm2.applyUdevRules = true;
  services.udev.extraRules = ''
    KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="${config.users.groups.uhid.name}", MODE="0660"
  '';
 }
--- a/fw/virtualbox.nix
+++ b/fw/virtualbox.nix
@@ -0,0 +1,8 @@
 { ... }:
 {
  virtualisation.virtualbox.host = {
    enable = true;
    enableExtensionPack = true;
  };
  users.extraGroups.vboxusers.members = [ "shelvacu" ];
 }
--- a/fw/zfs.nix
+++ b/fw/zfs.nix
@@ -0,0 +1,9 @@
 { pkgs, ... }:
 {
  boot.zfs.extraPools = [ "fw" ];
  # config.boot.zfs.package.latestCompatibleLinuxPackages is fucked, if there are multiple compatible linuxes of the same version, it picks effectively an arbitrary one
  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
  systemd.services.zfs-mount.enable = false;
  # see also fileSystems."/"
 }
--- a/generic-digitalocean-nixos.nix
+++ b/generic-digitalocean-nixos.nix
@@ -1,10 +0,0 @@
 { inputs, system ? "x86_64-linux" }:
 let
 pkgs = inputs.nixpkgs.legacyPackages.${system};
 config = { config, ... }: {
  imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ];
  system.stateVersion = config.system.nixos.release;
 };
 in
 (pkgs.nixos config).digitalOceanImage
--- a/home/nix-on-droid.nix
+++ b/home/nix-on-droid.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  imports = [ ../common/home.nix ];
  home.stateVersion = "24.05";
  home.homeDirectory = "/data/data/com.termux.nix/files/home";
  home.username = "nix-on-droid";
 }
--- a/installer.nix
+++ b/installer.nix
@@ -1,18 +1,16 @@
-{ config, inputs, modulesPath, lib, ... }: {
+{
-  imports = [
+  config,
-    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+  modulesPath,
-    ./common-nixos-config.nix
+  lib,
-  ];
+  ...
 }:
 {
  imports = [ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ];
  # this is an installer image, created anew every time. There's no state we need to worry about messing up
-  system.stateVersion = config.system.nixos.version; 
+  system.stateVersion = config.system.nixos.version;
  isoImage.isoBaseName = "nixos-shel-installer";
  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
-  # boot.kernelPatches = [{
+  vacu.hostName = "vacuInstaller";
-  #   name = "foo";
+  vacu.shell.color = "red";
-  #   patch = null;
+  vacu.systemKind = "server";
  #   extraStructuredConfig = {
  #     VIRTIO = lib.kernel.yes;
  #     VIRTIO_BLK = lib.kernel.yes;
  #   };
  # }];
 }
--- a/jobs/public/index.html
+++ b/jobs/public/index.html
@@ -0,0 +1,92 @@
 <!DOCTYPE html>
 <html>
  <head>
    <title>Hire Shelvacu today!</title>
    <style>
      /* with thanks to http://bettermotherfuckingwebsite.com/ */
      body {
        margin: 40px auto;
        max-width: 650px;
        line-height: 1.6;
        font-size: 18px;
        color: #444;
        background: #eee;
        padding: 0 10px;
      }
      h1,h2,h3 { line-height: 1.2; }
      form {
        padding: 5px;
        border: 1px solid black;
        border-radius: 3px;
        margin: 5px;
      }
      form label { display: block; }
    </style>
  </head>
  <body>
    <h1>Jobs info</h1>
    <p>Hi! I am currently looking to find a Software Engineering job. I am a professional developer specializing in Ruby on Rails and Rust, with over 10 years of experience.</p>
    <p>
      What I want in a job:
      <ul>
        <li><b>Fully Remote</b> - that means 1 visit to an office per month or less. Strongly preferred; non-remote jobs will have to be very tempting in every other category.</li>
        <li>Prefer direct hire, but not required.</li>
        <li>W2 employment preferred, but also open to C2C/1099.</li>
        <li>While I could be productive in nearly any language, I would most like to work with Rust.</li>
      </ul>
    </p>
    <p>
      Things you probably want to know:
      <ul>
        <li>I am a US citizen (USC), for work authorization purposes I can work anywhere in the US.</li>
        <li>Open to both contract and permanent positions.</li>
        <li>I can start within a week.</li>
        <li>I do not have a formal degree, but more than enough experience to make up for it.</li>
      </ul>
    </p>
    <h2>Resume</h2>
    <p>
      <a href="/shelvacu-resume.pdf">You can see my latest, up-to-date resume here</a>.
    </p>
    <h2>To send me job offers</h2>
    <p>Unfortunately I get a lot of bad job offers if I just give out my email to anyone. As such, I will only accept job offers sent using this form.</b>
    <p>Each time you want to send me an email about a new job offer, you must return to this page. The process may change from time to time. If you have multiple jobs you think I am a good fit for, please combine them in one email.</p>
    <form method="get" action="/email">
      <label>
        <input type="checkbox" name="confirm_fully_remote_or_exceptional" value="yes" required>
        <span>This is a fully remote job, or you will give an exceptional reason why the offer should be considered despite not being fully remote.</span>
      </label>
      <label>
        <input type="checkbox" name="confirm_i_read_the_above" value="yes" required>
        <span>You have read the above and will not ask about work authorization status, earliest date to start, or formal education because you already have that information.</span>
      </label>
      <label>
        <input type="checkbox" name="confirm_include_pay" value="yes" required>
        <span>You will include an estimated pay range. No "depends on experience", my resume clearly shows how much experience I have.</span>
      </label>
      <label>
        <input type="checkbox" name="confirm_no_ask_resume" value="yes" required>
        <span>You will not ask for an updated resume. The latest resume is always available on this page.</span>
      </label>
      <label>
        <div>Your email:</div>
        <input type="email" name="email" required>
      </label>
      <button type="submit">Submit</button>
    </form>
    <p>I apologize for the hassle. I promise that if you follow everything here before sending a job offer to me, I <i>will</i> respond, and I will make every effort to respond within 1 week.</p>
  </body>
 </html>
--- a/jobs/public/shelvacu-resume.pdf
+++ b/jobs/public/shelvacu-resume.pdf
--- a/legtop/bluetooth.nix
+++ b/legtop/bluetooth.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = true;
  # services.blueman.enable = true;
 }
--- a/legtop/default.nix
+++ b/legtop/default.nix
@@ -0,0 +1,83 @@
 { pkgs, inputs, ... }:
 {
  imports = [
    ../common/nixos.nix
    inputs.nixos-hardware.nixosModules.gpd-micropc
    ./hardware.nix
    ./bluetooth.nix
  ];
  vacu.hostName = "legtop";
  vacu.shortHostName = "lt";
  vacu.shell.color = "blue";
  vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
  vacu.systemKind = "desktop";
  system.stateVersion = "24.05";
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  networking.networkmanager.enable = true;
  vacu.packages =
    (with pkgs; [
      bitwarden-desktop
      nheko
      # librewolf
      brave
      thunderbird
      wl-clipboard
      nextcloud-client
      signal-desktop
      iio-sensor-proxy
      power-profiles-daemon
      acpi
      jellyfin-media-player
      vlc
      dmidecode
      prismlauncher
      ffmpeg_7-full
      wireshark
      obsidian
      dino
      aircrack-ng
      libreoffice-qt6-fresh
      gimp
      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
      (inkscape-with-extensions.override { inkscapeExtensions = null; })
      libsmi
      net-snmp
      android-tools
      ghidra
      wineWowPackages.stableFull
      wineWowPackages.fonts
      winetricks
      lutris
      radicle-node
      proxmark3
    ])
    ++ [ ];
  services.openssh.enable = true;
  services.xserver.enable = true;
  services.displayManager.sddm.enable = true;
  services.displayManager.sddm.wayland.enable = true;
  services.desktopManager.plasma6.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.efiSupport = true;
  boot.loader.grub.device = "nodev";
  boot.loader.efi.canTouchEfiVariables = true;
  hardware.cpu.intel.updateMicrocode = true;
  hardware.enableAllFirmware = true;
  services.fwupd.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };
  programs.steam.enable = true;
 }
--- a/legtop/hardware.nix
+++ b/legtop/hardware.nix
@@ -0,0 +1,33 @@
 { ... }:
 {
  boot.initrd.availableKernelModules = [
    "ahci"
    "xhci_pci"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/e3aebf24-be76-4064-a9f5-3930c8cd1382";
    fsType = "ext4";
  };
  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/7fd2ca2d-7faf-4d40-8cde-ce531fa679b5";
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/4C47-D9A3";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
      "nofail"
    ];
  };
  nixpkgs.hostPlatform = "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = true;
 }
--- a/liam/default.nix
+++ b/liam/default.nix
@@ -1,57 +1,71 @@
-{ modulesPath, config, lib, ... }: {
+{
  modulesPath,
  config,
  vaculib,
  ...
 }:
 let
  inherit (vaculib) mkOutOption;
 in
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/virtualisation/digital-ocean-config.nix")
    ../common-nixos-config.nix
    ./nginx.nix
    ./sops.nix
    ./dovecot.nix
    ./mail.nix
    ./dkim.nix
    ./sieve.nix
    ./network.nix
  ];
-  options = let
+  options = {
    mkReadOnly = val: lib.options.mkOption { default = val; readOnly = true; };
  in {
    vacu.liam = {
-      shel_domains = mkReadOnly [
+      shel_domains = mkOutOption [
        "shelvacu.com"
        "dis8.net"
        "mail.dis8.net"
        "jean-luc.org"
        "in.jean-luc.org"
        "vacu.store"
        "shelvacu.miras.pet"
      ];
-      julie_domains = mkReadOnly [
+      julie_domains = mkOutOption [
        "violingifts.com"
        "theviolincase.com"
        "shop.theviolincase.com"
      ];
-      domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
+      domains = mkOutOption (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
-      reservedIpLocal = mkReadOnly "10.46.0.7";
+      relayhosts = {
        allDomains = (mkOutOption "[outbound.mailhop.org]:587") // {
          readOnly = false;
        };
        shelvacuAlt = (mkOutOption "[relay.dynu.com]:587") // {
          readOnly = false;
        };
      };
      reservedIpLocal = mkOutOption "10.46.0.7";
    };
  };
  config = {
-    system.nixos.tags = [ "host-${config.networking.hostName}" ];
+    vacu.hostName = "liam";
-    networking.hostName = "liam";
+    vacu.shell.color = "cyan";
    networking.domain = "dis8.net";
    vacu.systemKind = "minimal";
    hardware.enableAllFirmware = false;
    hardware.enableRedistributableFirmware = false;
    # networking.interfaces."ens3".useDHCP = false;
    # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
    # {
    #   "ip_address": "10.46.0.7",
    #   "netmask": "255.255.0.0",
    #   "gateway": "10.46.0.1"
    # }
    services.openssh.enable = true;
    virtualisation.digitalOcean.setSshKeys = false;
-    users.users.root.openssh.authorizedKeys.keys = config.users.users.shelvacu.openssh.authorizedKeys.keys;
+    users.users.root.openssh.authorizedKeys.keys =
      config.users.users.shelvacu.openssh.authorizedKeys.keys;
    system.stateVersion = "23.11";
  };
-}
+}
--- a/liam/dkim.nix
+++ b/liam/dkim.nix
@@ -1,7 +1,13 @@
-{ config, pkgs, lib, ... }: 
+{
  config,
  pkgs,
  lib,
  ...
 }:
 let
-inherit (config.vacu.liam) domains;
+  inherit (config.vacu.liam) domains;
-in {
+in
 {
  services.opendkim = {
    enable = true;
    keyPath = "/run/secrets/dkimkeys";
@@ -15,4 +21,4 @@ in {
  systemd.services.postfix.after = [ "opendkim.service" ];
 }
 # 2024-03-liam._domainkey
-# v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==
+# v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==
--- a/liam/dovecot.nix
+++ b/liam/dovecot.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 {
  networking.firewall.allowedTCPPorts = [ 993 ];
  systemd.tmpfiles.settings.whatever."/var/lib/mail".d = {
@@ -17,8 +17,11 @@
    sslServerKey = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
    sslServerCert = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
    enablePAM = false;
-    protocols = lib.mkForce [ "imap" "lmtp" "sieve" ];
+    protocols = lib.mkForce [
-    modules = [ pkgs.dovecot_pigeonhole ];
+      "imap"
      "lmtp"
      "sieve"
    ];
    mailUser = "vmail";
    mailGroup = "vmail";
    createMailUser = true;
@@ -75,22 +78,33 @@
      userdb {
        driver = passwd-file
-        args = username_format=%n /run/secrets/dovecot-passwd
+        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
        override_fields = uid=${config.services.dovecot2.mailUser} gid=${config.services.dovecot2.mailGroup} user=%n
      }
      passdb {
        driver = passwd-file
-        args = username_format=%n /run/secrets/dovecot-passwd
+        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
        override_fields = user=%n
      }
      namespace {
        separator = .
        inbox = yes
        mailbox MagicRefilter {
          auto = create
        }
      }
      # mail_debug = yes
      mail_plugins = $mail_plugins notify mail_log
      plugin {
        # sieve_trace_debug = yes
        mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename flag_change
        mail_log_fields = uid box msgid size from
      }
    '';
  };
-}
+}
--- a/liam/mail.nix
+++ b/liam/mail.nix
@@ -1,10 +1,46 @@
-{ config, lib, pkgs, ... }:
+{
  config,
  lib,
  pkgs,
  ...
 }:
 let
-inherit (config.vacu.liam) shel_domains julie_domains domains;
+  inherit (config.vacu.liam)
-fqdn = config.networking.fqdn;
+    shel_domains
-dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
+    julie_domains
-in {
+    domains
-  networking.firewall.allowedTCPPorts = [ 25 465 ];
+    relayhosts
    ;
  mapLines = f: lis: lib.concatStringsSep "\n" (map f lis);
  debug = false;
  fqdn = config.networking.fqdn;
  relayable_domains = [
    "shelvacu.com"
    "vacu.store"
  ];
  dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
  reject_spam_sources = [
    "reject-spam-test@example.com"
    "buyerservice@made-in-china.com"
    "upgrade-plans@asuswebstorage.com"
    "info@rfidlabel.com"
  ];
  banned_ips = [
    "45.192.103.243/32"
    "165.154.207.0/24"
    "165.154.226.0/24"
    "210.242.134.0/26"
    "137.220.198.0/24"
    "122.96.0.0/15"
  ];
  # must be bigger than gmail's 25MB "attachment limit" which after base64 encoding (x 1.33) is ~33MB
  mailSizeLimit = 35 * 1024 * 1024;
 in
 {
  networking.firewall.allowedTCPPorts = [
    25
    465
  ];
  vacu.acmeCertDependencies."liam.dis8.net" = [ "postfix.service" ];
  services.postfix = {
@@ -13,12 +49,15 @@ in {
    # this goes into virtual_alias_maps
    # "Note: for historical reasons, virtual_alias_maps apply to recipients in all domain classes, not only the virtual alias domain class."
-    virtual = ''
+    virtual =
-      julie@shelvacu.com julie
+      ''
-      mom@shelvacu.com julie
+        julie@shelvacu.com julie
-      psv@shelvacu.com psv
+        mom@shelvacu.com julie
-    '' + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains) + "\n"
+        psv@shelvacu.com psv
-    + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
+      ''
      + (mapLines (d: "@${d} shelvacu") shel_domains)
      + "\n"
      + (mapLines (d: "@${d} julie") julie_domains);
    transport = ''
      shelvacu@${fqdn} ${dovecot_transport}
@@ -33,19 +72,54 @@ in {
    rootAlias = "shelvacu";
    enableSubmission = false;
    enableSubmissions = true;
-    mapFiles.header_checks = pkgs.writeText "header-checks" ("/./ INFO checker headers\n" + (lib.concatMapStringsSep "\n" (d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT") domains));
+    mapFiles.header_checks = pkgs.writeText "header-checks" (
-    mapFiles.sender_access = pkgs.writeText "sender-access" (lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains);
+      ''
        /./ INFO checker headers
      ''
      + (mapLines (
        d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
      ) domains)
    );
    mapFiles.sender_access = pkgs.writeText "sender-access" (
      mapLines (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
    );
    mapFiles.banned_ips = pkgs.writeText "banned-ips" (mapLines (ip: "${ip} REJECT spam") banned_ips);
    # hack to get postfix to add a X-Original-To header
    mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
    # mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
    mapFiles.sender_transport = pkgs.writeText "sender-transport" (
      mapLines (d: "@${d} relayservice") relayable_domains
    );
    mapFiles.sender_relay = pkgs.writeText "sender-relay" (
      ''
        @shelvacu.com ${relayhosts.allDomains} ${relayhosts.shelvacuAlt} 
      ''
      + (mapLines (d: "@${d} ${relayhosts.allDomains}") relayable_domains)
    );
    mapFiles.extra_login_maps = pkgs.writeText "extra-login-maps" (
      ''
        robot@vacu.store vacustore
      ''
      + config.services.postfix.virtual
    );
    # verbatim appended to main.cf
    extraConfig = ''
      smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
      inet_protocols = ipv4
      virtual_alias_domains =
        ${lib.concatStringsSep ",\n  " domains}
      message_size_limit = ${toString mailSizeLimit}
      sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
      sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
      header_checks = pcre:/etc/postfix/header_checks
-      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
+      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access permit
-      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
+      smtpd_client_restrictions = check_client_access cidr:/etc/postfix/banned_ips permit
      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to permit
      recipient_delimiter = +
      #we should never use these transport methods unless thru transport map
      # RFC3463:
@@ -53,8 +127,8 @@ in {
      # X.3.X = mail system failure
      # X.3.5 = System incorrectly configured
      # I would've never thought there'd be a standard way to specifically say "you found an error in my config"
-      local_transport   = error:5.3.5 how did this even hapenn??
+      local_transport   = error:5.3.5 how did this even happen?? (e-local)
-      virtual_transport = error:5.3.5 how did this even happenn??
+      virtual_transport = error:5.3.5 how did this even happen?? (e-virtual)
      # X.7.1 = Delivery not authorized, message refused
      relay_transport = error:5.7.1 relay is so very disabled
@@ -66,13 +140,37 @@ in {
      smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
      # smtp_bind_address = 10.46.0.7
-
+      # inet_interfaces = all
-      ${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
+      # inet_protocols = ipv4
-        smtpd_milters = unix:/run/opendkim/opendkim.sock
+      ${lib.optionalString config.services.opendkim.enable (
-        non_smtpd_milters = unix:/run/opendkim/opendkim.sock
+        assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock");
-      '')}
+        ''
          smtpd_milters = unix:/run/opendkim/opendkim.sock
          non_smtpd_milters = unix:/run/opendkim/opendkim.sock
        ''
      )}
    '';
    masterConfig."relayservice" = {
      command = "smtp";
      type = "unix";
      args = [
        "-o"
        "smtp_sasl_auth_enable=yes"
        "-o"
        "smtp_sasl_security_options=noanonymous"
        "-o"
        "smtp_tls_security_level=secure"
        "-o"
        "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
        "-o"
        "smtp_tls_wrappermode=no"
      ] ++ (if debug then [ "-v" ] else [ ]);
    };
    masterConfig.qmgr = lib.mkIf debug { args = [ "-v" ]; };
    masterConfig.cleanup = lib.mkIf debug { args = [ "-v" ]; };
    masterConfig.smtpd = lib.mkIf debug { args = [ "-v" ]; };
    submissionsOptions = {
      smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
      smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
@@ -86,7 +184,7 @@ in {
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "private/dovecot-auth";
      message_size_limit = "100000000";
-      smtpd_sender_login_maps = "hash:/etc/postfix/virtual";
+      smtpd_sender_login_maps = "hash:/etc/postfix/extra_login_maps";
      smtpd_sender_restrictions = "reject_authenticated_sender_login_mismatch";
      header_checks = "";
@@ -99,6 +197,5 @@ in {
      tls_preempt_cipherlist = "no";
    };
  };
-}
+}
--- a/liam/network.nix
+++ b/liam/network.nix
@@ -0,0 +1,32 @@
 { lib, config, ... }:
 let
  # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
  # {
  #   "ip_address": "10.46.0.7",
  #   "netmask": "255.255.0.0",
  #   "gateway": "10.46.0.1"
  # }
  interface_conf = {
    useDHCP = true;
    ipv4.addresses = [
      {
        address = "10.46.0.7";
        prefixLength = 24;
      }
    ];
    ipv4.routes = [
      {
        address = "0.0.0.0";
        prefixLength = 0;
        via = "10.46.0.1";
        options.scope = "global";
        options.src = "10.46.0.7";
        options.metric = "1200";
      }
    ];
  };
 in
 {
  networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
  networking.interfaces."eth0" = lib.mkIf (config.vacu.underTest) interface_conf;
 }
--- a/liam/nginx.nix
+++ b/liam/nginx.nix
@@ -1,16 +1,19 @@
-{ config, ... }:
+{ ... }:
 let
-domains = [
+  domains = [
-  "smtp.shelvacu.com"
+    "smtp.shelvacu.com"
-  "imap.shelvacu.com"
+    "imap.shelvacu.com"
-  "mail.shelvacu.com"
+    "mail.shelvacu.com"
-  "autoconfig.shelvacu.com"
+    "autoconfig.shelvacu.com"
-  "mail.dis8.net"
+    "mail.dis8.net"
-  "liam.dis8.net"
+    "liam.dis8.net"
-];
+  ];
 in
 {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  security.acme.acceptTerms = true;
  security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
  security.acme.defaults.email = "shelvacu@gmail.com";
@@ -31,4 +34,4 @@ in
      default = true;
    };
  };
-}
+}
--- a/liam/sieve.nix
+++ b/liam/sieve.nix
@@ -1,4 +1,18 @@
-{ config, pkgs, lib, ... }: with lib.strings; with lib.lists; let
+{
  pkgs,
  lib,
  config,
  ...
 }:
 let
  inherit (lib.strings)
    concatStringsSep
    splitString
    match
    replaceStrings
    concatStrings
    ;
  inherit (lib.lists) reverseList length elemAt;
  email_folders = [
    "24nm-domain@shelvacu.com"
    "agora@shelvacu.com"
@@ -7,6 +21,7 @@
    "paxful@shelvacu.com"
    "postgres-lists@shelvacu.com"
    "cpapsupplies@shelvacu.com"
    "jork@shelvacu.com"
    "bob@dis8.net"
    "fresh.avocado@dis8.net"
@@ -18,7 +33,7 @@
    "jean-luc@jean-luc.org"
    "mariceayukawa@jean-luc.org"
    "snow@jean-luc.org"
-  
+
    "capt@in.jean-luc.org"
  ];
  domain_folders = [
@@ -26,48 +41,388 @@
    "shelvacu.com"
    "jean-luc.org"
    "in.jean-luc.org"
    "mail.dis8.net"
    "liam.dis8.net"
    # no longer used:
    "tulpaudcast.info"
    "tulpae.info"
    "xn--tulp-yoa.info"
  ];
  valid_ish_domain = domain: match "[a-z0-9][a-z0-9-]*(\\.[a-z0-9][a-z0-9-]*)+" domain != null;
-  mk_domain_folder_name = domain: assert valid_ish_domain domain; concatStringsSep "." (reverseList (splitString "." domain));
+  mk_domain_folder_name =
-  mk_email_folder_name = email: let
+    domain:
-    parts = splitString "@" email;
+    assert valid_ish_domain domain;
-    domain_part = assert (length parts) == 2; elemAt parts 1;
+    concatStringsSep "." (reverseList (splitString "." domain));
-    user_part = assert (length parts) == 2; elemAt parts 0;
+  mk_email_folder_name =
-    domain_folder = mk_domain_folder_name domain_part;
+    email:
-    folder_name = domain_folder + ".@" + user_part;
+    let
-  in folder_name;
+      parts = splitString "@" email;
-  is_quoteable = s: match "[ -~]*" s != null;
+      domain_part =
-  sieve_quote_string = s: assert is_quoteable s; "\"" + (replaceStrings ["\"" "\\"] ["\\\"" "\\\\"] s) + "\"";
+        assert (length parts) == 2;
-  email_filters = map (e: 
+        elemAt parts 1;
-    ''
+      user_part =
-      elsif header :is "X-Envelope-To" ${sieve_quote_string e} {
+        assert (length parts) == 2;
-        fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
+        elemAt parts 0;
-      }
+      domain_folder = mk_domain_folder_name domain_part;
-    ''
+      folder_name = domain_folder + ".@" + user_part;
-  ) email_folders;
+    in
-  domain_filters = map (d:
+    folder_name;
-    ''
+  is_match = regex: s: (match regex s) != null;
-      elsif header :matches "X-Envelope-To" ${sieve_quote_string ("*@" + d)} {
+  is_not_match = regex: s: !(is_match regex s);
-        fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
+  is_quoteable = s: (is_match "[ -~]*" s) && (is_not_match ("\\$" + "\\{") s);
-      }
+  sieve_quote_string_bare =
-    ''
+    s:
-  ) domain_folders;
+    assert is_quoteable s;
-  sieve_text = ''
+    replaceStrings [ ''"'' "\\" ] [ ''\"'' "\\\\" ] s;
-    require ["fileinto", "mailbox"];
+  sieve_quote_string = s: ''"'' + (sieve_quote_string_bare s) + ''"'';
-
+  interp = ident: "$" + "{${ident}}";
-    if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
+  dest = "envelope_to";
-      discard;
+  dest_domain = "envelope_to_domain";
  set_envelope = ''
    #set_envelope START
    if header :index 1 :matches "X-Envelope-To" "*" {
      set ${sieve_quote_string dest} "''${1}";
    }
-    elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
+    if header :index 1 :matches "X-Envelope-To" "*@*" {
-      fileinto :create "gmail";
+      set ${sieve_quote_string dest_domain} "''${2}";
    }
-    ${concatStrings email_filters}
+    #set_envelope END
    ${concatStrings domain_filters}
  '';
-in {
+  envelope_is = key: ''string :is "${interp dest}" ${sieve_quote_string key}'';
-  services.dovecot2.sieveScripts.before = pkgs.writeText "blargsieve" sieve_text;
+  envelope_domain_is = key: ''string :is "${interp dest_domain}" ${sieve_quote_string key}'';
-}
+  email_filters = map (e: ''
    elsif ${envelope_is e} { # item of email_filters
      addheader "X-Vacu-Action" "email_filters fileinto ${sieve_quote_string_bare (mk_email_folder_name e)}";
      fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
    }
  '') email_folders;
  domain_filters = map (d: ''
    elsif ${envelope_domain_is d} { # item of domain_filters
      addheader "X-Vacu-Action" "domain_filters fileinto ${sieve_quote_string_bare (mk_domain_folder_name d)}";
      fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
    }
  '') domain_folders;
  set_from =
    {
      condition,
      var,
      default ? "-",
      warn_if_unset ? false,
    }:
    ''
      # set_from { condition = ${sieve_quote_string condition}; var = ${sieve_quote_string var}; default = ${sieve_quote_string default}; warn_if_unset = ${toString warn_if_unset}; }
      if ${condition} {
        set ${sieve_quote_string var} "''${1}";
      }
      else {
        ${lib.optionalString warn_if_unset ''
          if ihave "vnd.dovecot.debug" {
            debug_log "info: Could not set ${sieve_quote_string_bare var} from condition ${sieve_quote_string_bare condition}, setting to default(${sieve_quote_string_bare default})";
          }
        ''}
        set ${sieve_quote_string var} ${sieve_quote_string default};
      }
      # set_from END
    '';
  set_var_from_environment =
    item: var:
    ''
      # set_var_from_environment
    ''
    + set_from {
      condition = ''environment :matches ${sieve_quote_string item} "*"'';
      inherit var;
    };
  sieve_text = ''
    require [
      "fileinto",
      "mailbox",
      "imap4flags",
      "editheader",
      "environment",
      "variables",
      "date",
      "index",
      "ihave"
    ];
    # if ihave "vnd.dovecot.debug" {
    #   debug_log "debug log is available";
    #   if environment :matches "location" "*" {
    #     debug_log "environment ''${1}";
    #   }
    #   if environment :matches "phase" "*" {
    #     debug_log "phase ''${1}";
    #   }
    # }
    if allof(
      ihave "imapsieve",
      environment :matches "imap.user" "*",
      environment :matches "location" "MS",
      environment :matches "phase" "post"
    ) {
      set "in_imap" "1";
    } else {
      set "in_imap" "0";
    }
    if string "''${in_imap}" "1" {
      if not allof(
        environment :is "imap.cause" ["APPEND", "COPY", ""],
        environment :is "imap.mailbox" ["MagicRefilter", ""]
      ) {
        if ihave "vnd.dovecot.debug" {
          debug_log "NOT doing anything cuz imap.cause and/or imap.mailbox isn't right";
        }
        stop;
      }
    }
    ${set_envelope}
    ${set_var_from_environment "location" "env_location"}
    ${set_var_from_environment "phase" "env_phase"}
    ${set_var_from_environment "imap.user" "env_imap_user"}
    ${set_var_from_environment "imap.email" "env_imap_email"}
    ${set_var_from_environment "imap.cause" "env_imap_cause"}
    ${set_var_from_environment "imap.mailbox" "env_imap_mailbox"}
    ${set_var_from_environment "imap.changedflags" "env_imap_changedflags"}
    ${set_from {
      condition = ''currentdate :matches "iso8601" "*"'';
      var = "datetime";
    }}
    set "sieved_message" "at ''${datetime} by ${config.vacu.versionId} loc ''${env_location} phase ''${env_phase} user ''${env_imap_user} email ''${env_imap_email} cause ''${env_imap_cause} mailbox ''${env_imap_mailbox} changedflags ''${env_imap_changedflags} envelope ${interp dest}";
    if ihave "vnd.dovecot.debug" {
      debug_log "X-Vacu-Sieved: ''${sieved_message}";
    }
    if ihave "envelope" {
      if envelope :all :matches "to" "*@*" {
        set "userfor" "''${1}";
      } else {
        error "i dunno what to do, theres no envelope";
      }
    }
    elsif string "''${in_imap}" "1" {
      set "userfor" "''${env_imap_user}";
    }
    else {
      error "dont have envelope or imapsieve, dunno what to do";
    }
    if string :is "''${userfor}" "shelvacu" {
      addheader "X-Vacu-Sieved" "''${sieved_message}";
      removeflag "auto-amazon-ignore";
      if allof(
        ${envelope_is "amznbsns@shelvacu.com"},
        header :matches "Subject" ["Your Amazon.com order has shipped*", "Your Amazon.com order of * has shipped!"]
      ) {
        addheader "X-Vacu-Action" "amazon-ignore";
        addflag "auto-amazon-ignore";
      }
      removeflag "auto-bandcamp-ignore";
      if allof(
          ${envelope_is "bandcamp@shelvacu.com"},
          header :matches "Subject" ["* just announced a listening party on Bandcamp", "New items from *", "Starting in *", "New from *"]
      ) {
        addheader "X-Vacu-Action" "bandcamp-ignore";
        addflag "auto-bandcamp-ignore";
      }
      removeflag "auto-ika-ignore";
      if ${envelope_is "ika@dis8.net"} {
        addheader "X-Vacu-Action" "ika-ignore";
        addflag "auto-ika-ignore";
      }
      removeflag "bloomberg";
      if ${envelope_is "bloomberg@shelvacu.com"} {
        addheader "X-Vacu-Action" "flag-bloomberg";
        addflag "bloomberg";
      }
      removeflag "money-stuff";
      if allof (
        ${envelope_is "bloomberg@shelvacu.com"},
        header :matches "From" "\"Matt Levine\" *"
      ) {
        addheader "X-Vacu-Action" "flag-money-stuff";
        addflag "money-stuff";
      }
      removeflag "git-uninsane";
      removeflag "git";
      if ${envelope_is "git-uninsane@shelvacu.com"} {
        addheader "X-Vacu-Action" "flag-git-uninsane";
        addflag "git-uninsane";
        addheader "X-Vacu-Action" "flag-git";
        addflag "git";
      } elsif anyof (
        exists "X-GitHub-Reason",
        exists "X-GitLab-Project"
      ) {
        addheader "X-Vacu-Action" "flag-git";
        addflag "git";
      }
      removeflag "discourse";
      if exists "X-Discourse-Post-Id" {
        addheader "X-Vacu-Action" "flag-discourse";
        addflag "discourse";
      }
      removeflag "agora";
      if ${envelope_is "agora@shelvacu.com"} {
        addheader "X-Vacu-Action" "flag-agora";
        addflag "agora";
      }
      removeflag "postgres-list";
      if header :matches "List-Id" "<*.lists.postgresql.org>" {
        addheader "X-Vacu-Action" "flag-postgres-list";
        addflag "postgres-list";
      }
      removeflag "gmail-fwd";
      if ${envelope_is "gmailfwd-fc2e10bec8b2@shelvacu.com"} {
        addheader "X-Vacu-Action" "gmail-fwd";
        addflag "gmail-fwd";
      }
      removeflag "aliexpress";
      if header :matches "From" [ "*<transaction@notice.aliexpress.com>", "*<aliexpress@notice.aliexpress.com>" ] {
        addheader "X-Vacu-Action" "aliexpress";
        addflag "aliexpress";
      }
      removeflag "secureaccesswa";
      if header :is "From" "help@secureaccess.wa.gov" {
        addheader "X-Vacu-Action" "secureaccesswa";
        addflag "secureaccesswa";
      }
      removeflag "letsencrypt-mailing-list";
      if ${envelope_is "lets-encrypt-mailing-list@shelvacu.com"} {
        addheader "X-Vacu-Action" "letsencrypt-mailing-list";
        addflag "letsencrypt-mailing-list";
      }
      removeflag "jmp-news";
      if header :matches "List-Id" "*<jmp-news.soprani.ca>" {
        addheader "X-Vacu-Action" "jmp-news";
        addflag "jmp-news";
      }
      removeflag "ally-statement";
      if allof(
        ${envelope_is "ally@shelvacu.com"},
        header :is "Subject" "Your latest statement is ready to view."
      ) {
        addheader "X-Vacu-Action" "ally-statement";
        addflag "ally-statement";
      }
      removeflag "auto-marked-read";
      if hasflag ["auto-amazon-ignore", "auto-bandcamp-ignore", "auto-ika-ignore", "ally-statement"] {
        addheader "X-Vacu-Action" "auto-mark-read";
        addflag "\\Seen";
        addflag "auto-marked-read";
      }
      removeflag "spamish";
      if allof (
        anyof (
          header :is "Precedence" "bulk",
          exists "List-Unsubscribe",
          exists "List-Unsubscribe-Post"
        ),
        not hasflag "agora",
        not hasflag "git",
        not hasflag "money-stuff",
        not hasflag "discourse",
        not hasflag "postgres-list",
        not hasflag "letsencrypt-mailing-list",
        not hasflag "secureaccesswa",
        not hasflag "jmp-news"
      ) {
        addheader "X-Vacu-Action" "spamish";
        addflag "spamish";
      }
      if ${envelope_is "brandcrowd@shelvacu.com"} {
        discard;
      }
      elsif allof (
        ${envelope_domain_is "shelvacu.com"},
        hasflag "spamish"
      ) {
        addheader "X-Vacu-Action" "fileinto com.shelvacu.#spamish";
        fileinto :create "com.shelvacu.#spamish";
      }
      elsif hasflag "gmail-fwd" {
        addheader "X-Vacu-Action" "fileinto gmail";
        fileinto :create "gmail";
      }
      elsif hasflag "money-stuff" {
        addheader "X-Vacu-Action" "fileinto com.shelvacu.#money-stuff";
        fileinto :create "com.shelvacu.#money-stuff";
      }
      elsif hasflag "aliexpress" {
        addheader "X-Vacu-Action" "aliexpress fileinto";
        fileinto :create "aliexpress";
      }
      ${concatStrings email_filters}
      ${concatStrings domain_filters}
      else {
        keep;
      }
    }
    # disable any sieve scripts that might want to run after this one
    stop;
  '';
  pigeonhole_pkg = pkgs.dovecot_pigeonhole;
 in
 {
  imports = [
    # Allow running a sieve filter when a message gets moved to another folder in imap
    # see https://doc.dovecot.org/2.3/configuration_manual/sieve/plugins/imapsieve/
    {
      services.dovecot2 = {
        sieve.plugins = [ "sieve_imapsieve" ];
        mailPlugins.perProtocol.imap.enable = [ "imap_sieve" ];
      };
    }
  ];
  options.vacu.checkSieve = lib.mkOption {
    readOnly = true;
    default = pkgs.writeScriptBin "check-liam-sieve" ''
      set -xev
      ${lib.escapeShellArgs [
        (lib.getExe' pigeonhole_pkg "sieve-test")
        "-c"
        config.services.dovecot2.configFile
        "-C" # force compilation
        "-D" # enable sieve debugging
        "-f"
        "some-rando@example.com"
        "-a"
        "shelvacu@liam.dis8.net"
        config.services.dovecot2.sieve.scripts.before
        "/dev/null"
      ]}
    '';
  };
  options.vacu.liam-sieve-script = lib.mkOption {
    readOnly = true;
    default = pkgs.writeText "mainsieve" sieve_text;
  };
  config = {
    services.dovecot2.modules = [ pigeonhole_pkg ];
    services.dovecot2.sieve = {
      extensions = [
        "fileinto"
        "mailbox"
        "editheader"
        "vnd.dovecot.debug"
      ];
      scripts.before = config.vacu.liam-sieve-script;
    };
    services.dovecot2.imapsieve.mailbox = [
      {
        name = "*";
        causes = [
          "APPEND"
          "COPY"
          "FLAG"
        ];
        before = config.vacu.liam-sieve-script;
      }
    ];
    # services.dovecot2.mailboxes."magic-refilter".auto = "create";
  };
 }
--- a/liam/sops.nix
+++ b/liam/sops.nix
@@ -1,17 +1,10 @@
 { inputs, lib, config, ... }:
 {
-  imports = [
+  config,
-    inputs.sops-nix.nixosModules.sops
+  ...
-  ];
+}:
-
+{
-  options.vacu.secretsFolder = lib.mkOption {
+  imports = [ ../common/sops-integrate.nix ];
    type = lib.types.path;
    default = ../secrets;
  };
  config = {
    sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    sops.secrets.dovecot-passwd = {
      restartUnits = [ "dovecot2.service" ];
    };
@@ -20,5 +13,9 @@
      restartUnits = [ "opendkim.service" ];
      owner = config.services.opendkim.user;
    };
    sops.secrets.relay_creds = {
      restartUnits = [ "postfix.service" ];
      owner = config.services.postfix.user;
    };
  };
-}
+}
--- a/lp0/default.nix
+++ b/lp0/default.nix
@@ -1,15 +1,15 @@
 { config, pkgs, ... }:
 {
-  imports = [
+  imports = [ ./hardware-config.nix ];
    ../common-nixos-config.nix
    ./hardware-config.nix
  ];
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
-  networking.hostName = "lp0onfire"; # Define your hostname.
+  vacu.hostName = "lp0onfire"; # Define your hostname.
  vacu.shortHostName = "lp0";
  vacu.shell.color = "green";
  vacu.systemKind = "server";
  # Set your time zone.
  time.timeZone = "America/Los_Angeles";
@@ -37,7 +37,6 @@
    pciutils
    ncdu
    nix-index
    git
  ];
  # This value determines the NixOS release from which the default
@@ -53,7 +52,7 @@
  # system.autoUpgrade.enable = true;
  # system.autoUpgrade.allowReboot = true;
  # system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
-  
+
  nixpkgs.config.allowUnfree = true;
  services.zerotierone = {
    enable = true;
@@ -73,4 +72,3 @@
  #   internalInterfaces = [ "ztrf26rjvk" ];
  # };
 }
--- a/lp0/hardware-config.nix
+++ b/lp0/hardware-config.nix
@@ -1,27 +1,32 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, modulesPath, ... }:
 {
-  imports =
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
+    device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
-      fsType = "ext4";
+    fsType = "ext4";
-    };
+  };
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/36B4-78A2";
+    device = "/dev/disk/by-uuid/36B4-78A2";
-      fsType = "vfat";
+    fsType = "vfat";
-    };
+    options = [ "nofail" ];
  };
  swapDevices = [ ];
--- a/mmm/default.nix
+++ b/mmm/default.nix
@@ -0,0 +1,23 @@
 { inputs, ... }:
 {
  imports = [
    ../common/nixos.nix
    inputs.nixos-apple-silicon.nixosModules.default
    ./hardware.nix
  ];
  vacu.hostName = "mmm";
  vacu.shell.color = "red";
  vacu.verifySystem.enable = false;
  vacu.verifySystem.expectedMac = "14:98:77:3f:b8:2e";
  vacu.systemKind = "server";
  # asahi recommends systemd-boot
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  hardware.asahi.peripheralFirmwareDirectory = ./firmware;
  services.openssh.enable = true;
  system.stateVersion = "24.05";
 }
--- a/mmm/firmware/all_firmware.tar.gz
+++ b/mmm/firmware/all_firmware.tar.gz
--- a/mmm/firmware/kernelcache.release.mac13g
+++ b/mmm/firmware/kernelcache.release.mac13g
--- a/mmm/hardware.nix
+++ b/mmm/hardware.nix
@@ -0,0 +1,69 @@
 { lib, ... }:
 let
  btrfsopts = [
    "noatime"
    "compress=zstd"
  ];
 in
 {
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "usbhid"
    "usb_storage"
    "xhci_hcd"
    "uas"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
    fsType = "btrfs";
    options = [ "subvol=root" ] ++ btrfsopts;
  };
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/4e75b9ed-ac4f-48a2-b38c-c5026723171f";
    # note: creation requires --new-key-file-size not --key-file-size
    keyFileSize = 2048;
    keyFile = "/dev/disk/by-partuuid/9d171b52-329e-4e21-9399-dcc66ff572cd";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/4407-1EF3";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
      "nofail"
    ];
  };
  fileSystems."/nix/store" = {
    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
    fsType = "btrfs";
    options = [ "subvol=nix-store" ] ++ btrfsopts;
  };
  fileSystems."/btrfs-root" = {
    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
    fsType = "btrfs";
    options = [
      "subvol=/"
      "noauto"
    ] ++ btrfsopts;
  };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/nix-on-droid/default.nix
+++ b/nix-on-droid/default.nix
@@ -1,19 +1,19 @@
-{ config, lib, pkgs, inputs, ... }:
+{ lib, ... }:
 {
-  imports = [ ./common-config.nix ];
+  imports = [ ./flake-registry.nix ];
-  environment.packages = config.vacu.packageList;
+
  vacu.shell.color = "white";
  vacu.systemKind = "server";
  environment.etc."resolv.conf".text = lib.mkForce ''
-    nameserver 10.78.79.1
+    # nameserver 10.78.79.1
    nameserver 9.9.9.10
    nameserver 149.112.112.10
    options timeout:1 attempts:5
  '';
  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
  # Backup etc files instead of failing to activate generation if a file already exists in /etc
  environment.etcBackupExtension = ".bak";
@@ -24,14 +24,13 @@
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  nix.substituters = config.vacu.nix.extraSubstituters;
  nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
  environment.sessionVariables."PS1" = "\\w $ ";
  # Set your time zone
  time.timeZone = "America/Los_Angeles";
  vacu.packages.yt-dlp.enable = true;
  vacu.packages.radicle-node.enable = true;
  #specific to the particular install; avoids impurity
  #user.gid = 10287;
  #user.uid = 10287;
--- a/nix-on-droid/flake-registry.nix
+++ b/nix-on-droid/flake-registry.nix
@@ -0,0 +1,9 @@
 # To make `nix run nixpkgs#hello` and such use the same nixpkgs used to build this, so that it doesn't take forever
 { inputs, ... }:
 {
  nix.registry.nixpkgs.to = {
    type = "path";
    path = inputs.nixpkgs.outPath;
  };
  nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
 }
--- a/nixvim/default.nix
+++ b/nixvim/default.nix
@@ -0,0 +1,33 @@
 { ... }:
 {
  opts = {
    smartindent = true;
    expandtab = true;
    shiftwidth = 2;
    softtabstop = -1;
  };
  plugins.comment.enable = true;
  plugins.vim-surround.enable = true;
  plugins.lsp = {
    enable = true;
    # onAttach = builtins.readFile ./nixd-init.lua;
    servers = {
      bashls.enable = true;
      jsonls.enable = true;
      # nil-ls.enable = true;
      nixd = {
        enable = true;
      };
      pyright.enable = true;
      ts_ls.enable = true;
      lua_ls.enable = true;
      rust_analyzer = {
        enable = true;
        installCargo = false;
        installRustc = false;
      };
      html.enable = true;
      yamlls.enable = true;
    };
  };
 }
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`/result`	`/result*`
	`.nixos-test-history`	`.nixos-test-history`
`@@ -1,3 +1,3 @@`
	`#!/bin/sh`	`#!/bin/sh`

	`git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo $@`	`git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo "$@"`
		`@@ -0,0 +1,3 @@`
							`#!/bin/sh`

							`git add . && nixos-rebuild --flake .#mmm --build-host trip --target-host mmm --use-remote-sudo "$@"`