stuff

.gitignore

@@ -1,2 +1,2 @@
-/result
+/result*
 .nixos-test-history

.sops.yaml

@@ -1,26 +0,0 @@
-shel_keys: &shel_keys
-  - &pixel-termux age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
-  - &t460s age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
-  - &pixel-nix age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
-  - &compute-deck-user age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
-machine_host_keys:
-  - &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
-  - &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
-  - &liam age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
-the_test_key: &test_key age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w
-creation_rules:
-  - path_regex: secrets/[^/]+$
-    key_groups:
-    - age: *shel_keys
-  - path_regex: ^secrets/liam/
-    key_groups:
-    - age:
-      - *pixel-termux
-      - *t460s
-      - *pixel-nix
-      - *compute-deck-user
-      - *liam
-  - path_regex: ^tests/test_secrets/
-    key_groups:
-    - age:
-      - *test_key

README.md

@@ -1,13 +1,31 @@
-more just notes for now
-
-deploy:
-
-```sh
-nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
-```
-
-build flake on remote machine, including eval:
-
-```sh
-git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
-```
+more just notes for now
+
+---
+
+deploy:
+
+```sh
+nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
+```
+
+---
+
+build flake on remote machine, including eval:
+
+```sh
+git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
+```
+
+---
+
+search for string in closure
+
+```sh
+rg search_str $(nix path-info --recursive ./result)
+```
+
+or
+
+```sh
+rg search_str $(nix path-info --recursive .#qb.trip)
+```

common-config.nix

@@ -1,275 +0,0 @@
-{ config, pkgs, lib, inputs, ... }: let
-  inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
-  inherit (builtins) attrValues;
-  cfg = config.vacu;
-  knownHosts = attrValues cfg.ssh.knownHosts;
-  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
-  (h: assert h.hostNames != [];
-    optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
-    + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-  )) + "\n";
-  packageNames = lib.splitString "\n" ''
-    nixos-rebuild
-    nano
-    vim
-    wget
-    screen
-    tmux
-    lsof
-    htop
-    mosh
-    dnsutils
-    iperf3
-    nmap
-    rsync
-    ethtool
-    sshfs
-    ddrescue
-    pciutils
-    ncdu
-    nix-index
-    git
-    pv
-    unzip
-    file
-    ripgrep
-    jq
-    units
-    tree
-    rclone
-    iputils
-    ssh-to-age
-    sops
-    inetutils
-    neovim
-    diffutils
-    findutils
-    utillinux
-    tzdata
-    hostname
-    man
-    gnugrep
-    gnused
-    gnutar
-    bzip2
-    gzip
-    xz
-    zip
-    unzip
-    openssh
-    git'';
-  plainPackageOpts = map (name: { name = name; value = { enable = lib.mkDefault true; }; }) packageNames;
-  packageOpts = lib.recursiveUpdate (builtins.listToAttrs plainPackageOpts) {
-    nix-search-cli.package = inputs.nix-search-cli.packages.${pkgs.system}.default;
-    nix-search-cli.enable = lib.mkDefault true;
-    nix-inspect.package = inputs.nix-inspect.packages.${pkgs.system}.default;
-    nix-inspect.enable = lib.mkDefault true;
-  };
-in {
-  imports = [ ./package-set.nix ];
-  options = {
-    vacu.ssh.authorizedKeys = mkOption {
-      type = types.listOf types.str;
-    };
-    vacu.ssh.config = mkOption {
-      type = types.lines;
-    };
-    # Straight copied from nixpkgs 
-    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
-    vacu.ssh.knownHosts = mkOption {
-      default = {};
-      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
-        options = {
-          certAuthority = mkOption {
-            type = types.bool;
-            default = false;
-            description = ''
-              This public key is an SSH certificate authority, rather than an
-              individual host's key.
-            '';
-          };
-          hostNames = mkOption {
-            type = types.listOf types.str;
-            default = [ name ] ++ config.extraHostNames;
-            defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
-            description = ''
-              A list of host names and/or IP numbers used for accessing
-              the host's ssh service. This list includes the name of the
-              containing `knownHosts` attribute by default
-              for convenience. If you wish to configure multiple host keys
-              for the same host use multiple `knownHosts`
-              entries with different attribute names and the same
-              `hostNames` list.
-            '';
-          };
-          extraHostNames = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            description = ''
-              A list of additional host names and/or IP numbers used for
-              accessing the host's ssh service. This list is ignored if
-              `hostNames` is set explicitly.
-            '';
-          };
-          publicKey = mkOption {
-            default = null;
-            type = types.nullOr types.str;
-            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-            description = ''
-              The public key data for the host. You can fetch a public key
-              from a running SSH server with the {command}`ssh-keyscan`
-              command. The public key should not include any host names, only
-              the key type and the key itself.
-            '';
-          };
-          publicKeyFile = mkOption {
-            default = null;
-            type = types.nullOr types.path;
-            description = ''
-              The path to the public key file for the host. The public
-              key file is read at build time and saved in the Nix store.
-              You can fetch a public key file from a running SSH server
-              with the {command}`ssh-keyscan` command. The content
-              of the file should follow the same format as described for
-              the `publicKey` option. Only a single key
-              is supported. If a host has multiple keys, use
-              {option}`programs.ssh.knownHostsFiles` instead.
-            '';
-          };
-        };
-      }));
-      description = ''
-        The set of system-wide known SSH hosts. To make simple setups more
-        convenient the name of an attribute in this set is used as a host name
-        for the entry. This behaviour can be disabled by setting
-        `hostNames` explicitly. You can use
-        `extraHostNames` to add additional host names without
-        disabling this default.
-      '';
-      example = literalExpression ''
-        {
-          myhost = {
-            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
-          };
-          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
-          "myhost2.net/dsa" = {
-            hostNames = [ "myhost2.net" ];
-            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
-          };
-        }
-      '';
-    };
-    vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
-    vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
-  };
-  config = {
-    vacu.packages = packageOpts;
-    vacu.nix.extraSubstituters = [
-      "https://nixcache.shelvacu.com/"
-      "https://nix-community.cachix.org/"
-    ];
-    vacu.nix.extraTrustedKeys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
-    ];
-    assertions = flip mapAttrsToList cfg.ssh.knownHosts (name: data: {
-      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
-                  (data.publicKey != null && data.publicKeyFile == null);
-      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-    });
-    vacu.ssh.authorizedKeys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
-    ];
-    vacu.ssh.config = ''
-      Host deckvacu
-        User deck
-      
-      Host rsb
-        User user
-        HostName finaltask.xyz
-        Port 2222
-      
-      Host awoo
-        HostName 45.142.157.71
-
-      Host trip
-        HostName trip.shelvacu.com
-        Port 6922
-      
-      Host liam
-        HostName 178.128.79.152
-
-      Host pluto
-        HostName pluto.somevideogam.es
-
-      Host *
-        User shelvacu
-        GlobalKnownHostsFile ${pkgs.writeText "known_hosts" knownHostsText}
-    '';
-
-    vacu.ssh.knownHosts = {
-      #public hosts
-      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-
-      #colin's stuff
-      "uninsane.org" = {
-        extraHostNames = [ "git.uninsane.org" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-      };
-      "desko" = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-      };
-
-      #daymocker's stuff
-      "pluto" = {
-        extraHostNames = [ "74.208.184.137" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
-      };
-
-      #personal hosts
-      "zigbee-hub" = {
-        extraHostNames = [ "10.78.79.114" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN root@zigbee-hub";
-      };
-      trip = {
-        extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
-      };
-      servacu = {
-        extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
-      };
-      finaltask = {
-        extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
-      };
-      compute-deck = {
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
-      };
-      "2esrever" = {
-        extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
-      };
-      awoo = {
-        extraHostNames = [ "45.142.157.71" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
-      };
-      deckvacu = {
-        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
-      };
-      liam = {
-        extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
-        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
-      };
-    };
-  };
-}

common-nixos-config.nix

@@ -1,81 +0,0 @@
-{ lib, pkgs, config, inputs, utils, ... }:
-{
-  imports = [ ./common-config.nix ];
-  options.vacu.acmeCertDependencies = lib.mkOption {
-    default = {};
-    example = ''
-      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
-    '';
-    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
-  };
-  config = let
-    for-systemd-services = lib.concatMapAttrs
-      (cert: units:
-        {
-          "acme-selfsigned-${cert}" = {
-            wantedBy = units;
-            before = units;
-          };
-        }
-      )
-      config.vacu.acmeCertDependencies;
-    for-security-acme-certs = lib.concatMapAttrs
-      (cert: units:
-        {
-          ${cert}.reloadServices = units;
-        }
-      )
-      config.vacu.acmeCertDependencies;
-  in {
-    console = {
-      keyMap = lib.mkDefault "us";
-    };
-    vacu.packages."xorg-xev" = {
-      enable = config.services.xserver.enable;
-      package = pkgs.xorg.xev;
-    };
-    environment.systemPackages = config.vacu.packageList;
-
-    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
-    time.timeZone = "America/Los_Angeles";
-
-    users.users.shelvacu = {
-      openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-    };
-    systemd.services = for-systemd-services;
-    security.acme.certs = for-security-acme-certs;
-    services.openssh = {
-      # require public key authentication for better security
-      settings.PasswordAuthentication = false;
-      settings.KbdInteractiveAuthentication = false;
-      settings.PermitRootLogin = "prohibit-password";
-    };
-
-    nix.settings.trusted-users = [ "shelvacu" ];
-    security.sudo.wheelNeedsPassword = lib.mkDefault false;
-
-    programs.screen = {
-      screenrc = ''
-        defscrollback 10000
-        termcapinfo xterm* ti@:te@
-      '';
-    } // (if config.system.nixos.release == "23.11" then {} else { enable = true; });
-
-    programs.tmux.enable = true;
-    programs.tmux.extraConfig = "setw mouse";
-    programs.tmux.clock24 = true;
-
-    nix.settings = {
-      experimental-features = [ "nix-command" "flakes" ];
-      substituters = config.vacu.nix.extraSubstituters;
-      trusted-public-keys = config.vacu.nix.extraTrustedKeys;
-    };
-    nixpkgs.config.allowUnfree = lib.mkDefault true;
-
-    programs.mosh.enable = lib.mkDefault true;
-
-    programs.ssh.extraConfig = config.vacu.ssh.config;
-  };
-}

common-packages.nix

@@ -1,37 +0,0 @@
-{ pkgs, inputs }: (with pkgs; [
-  inputs.nix-search-cli.packages.${pkgs.system}.default
-  inputs.nix-inspect.packages.${pkgs.system}.default
-  nixos-rebuild
-  nano
-  vim
-  wget
-  screen
-  tmux
-  lsof
-  htop
-  mosh
-  dnsutils
-  iperf3
-  nmap
-  rsync
-  ethtool
-  sshfs
-  ddrescue
-  pciutils
-  ncdu
-  nix-index
-  git
-  pv
-  unzip
-  file
-  ripgrep
-  jq
-  units
-  tree
-  rclone
-  iputils
-  ssh-to-age
-  sops
-  inetutils
-  neovim
-])

common/acmeDependencies.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  utils,
+  vacuModuleType,
+  ...
+}:
+let
+  for-systemd-services = lib.concatMapAttrs (cert: units: {
+    "acme-selfsigned-${cert}" = {
+      wantedBy = units;
+      before = units;
+    };
+  }) config.vacu.acmeCertDependencies;
+  for-security-acme-certs = lib.concatMapAttrs (cert: units: {
+    ${cert}.reloadServices = units;
+  }) config.vacu.acmeCertDependencies;
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.acmeCertDependencies = lib.mkOption {
+    default = { };
+    example = ''
+      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
+    '';
+    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
+  };
+  config = {
+    systemd.services = for-systemd-services;
+    security.acme.certs = for-security-acme-certs;
+  };
+}

common/assertions.nix

@@ -0,0 +1,51 @@
+{
+  lib,
+  vacuModuleType,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types filter;
+  fatalAssertions = map (x: x.message) (filter (x: !x.assertion && x.fatal) config.vacu.assertions);
+  triggeredWarnings = map (x: x.message) (
+    filter (x: !x.assertion && !x.fatal) config.vacu.assertions
+  );
+  withAsserts =
+    x:
+    if fatalAssertions != [ ] then
+      throw ''
+
+        Failed assertions:
+        ${lib.concatStringsSep "\n" (map (x: "- ${x}") fatalAssertions)}''
+    else
+      lib.showWarnings triggeredWarnings x;
+
+  adapter = {
+    config = {
+      assertions = map (x: { inherit (x) assertion message; }) (
+        filter (x: x.fatal) config.vacu.assertions
+      );
+      warnings = map (x: x.message) (filter (x: !x.assertion && !x.fatal) config.vacu.assertions);
+    };
+  };
+in
+{
+  options.vacu.assertions = mkOption {
+    default = [ ];
+    type = types.listOf (
+      types.submodule {
+        options.assertion = mkOption { type = types.bool; };
+        options.message = mkOption { type = types.str; };
+        options.fatal = mkOption {
+          type = types.bool;
+          default = true;
+        };
+      }
+    );
+  };
+  options.vacu.withAsserts = mkOption {
+    readOnly = true;
+    default = withAsserts;
+  };
+}
+// (if vacuModuleType != "plain" then adapter else { })

common/checks.nix

@@ -0,0 +1,29 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib) types;
+in
+{
+  options.vacu.checks = lib.mkOption {
+    type = types.attrsOf types.package;
+    default = { };
+  };
+  options.vacu.textChecks = lib.mkOption {
+    type = types.attrsOf types.lines;
+    default = { };
+  };
+  config.vacu.checks = lib.mapAttrs (
+    name: lines:
+    pkgs.runCommand "vacu-textChecks-${name}" { } ''
+      (
+        set -xev
+        ${lines}
+        touch $out
+      )
+    ''
+  ) config.vacu.textChecks;
+}

common/common-but-not.nix

@@ -0,0 +1,14 @@
+# todo: rename this module
+# stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
+{
+  inputs,
+  vacuModuleType,
+  lib,
+  ...
+}:
+lib.optionalAttrs (vacuModuleType != "plain") {
+  nix.registry.vacu.to = {
+    type = "path";
+    path = inputs.self.outPath;
+  };
+}

common/default.nix

@@ -0,0 +1,359 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  inherit (inputs) self;
+  expectedModuleTypes = [
+    "nixos"
+    "nix-on-droid"
+    "plain"
+  ];
+  anyRev = attrs: toString (attrs.rev or attrs.dirtyRev or "unk");
+  anyShortRev = attrs: toString (attrs.shortRev or attrs.dirtyShortRev or "unk");
+in
+if !builtins.elem vacuModuleType expectedModuleTypes then
+  builtins.throw "error: unrecognized vacuModuleType ${builtins.toString vacuModuleType}"
+else
+  {
+    imports = [
+      ./package-set.nix
+      ./shell
+      ./nixvim.nix
+      ./ssh.nix
+      ./nix.nix
+      ./verify-system
+      ./defaultPackages.nix
+      ./lib
+      ./sops.nix
+      ../dns
+      ./assertions.nix
+      ./common-but-not.nix
+      ./nixos.nix
+      ./nix-on-droid.nix
+      ./nixos-rebuild.nix
+      ./minimal-nixos.nix
+      ./acmeDependencies.nix
+      ./nix-on-droid.nix
+      ./remapCapsLock.nix
+      ./sourceTree.nix
+      ./units-impl.nix
+      ./units-config.nix
+      ./lix.nix
+      ./git.nix
+      ./hpn.nix
+      ./checks.nix
+      ./ffmpeg.nix
+    ];
+    options = {
+      vacu.rootCAs = mkOption { type = types.listOf types.str; };
+      vacu.versionId = mkOption {
+        type = types.str;
+        readOnly = true;
+      };
+      vacu.versionInfo = mkOption { readOnly = true; };
+      vacu.hostName = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      vacu.shortHostName = mkOption {
+        type = types.nullOr types.str;
+        default = config.vacu.hostName;
+      };
+      vacu.nixvimPkg = mkOption { readOnly = true; };
+      vacu.systemKind = mkOption {
+        type = types.enum [
+          "minimal"
+          "desktop" # need a better name for this; should include laptops; everything I intend to get computery-stuff done on.
+          "container"
+          "server"
+        ];
+      };
+      vacu.vnopnCA = mkOption {
+        readOnly = true;
+        type = types.str;
+      };
+    };
+    config = {
+      vacu.versionId = "${anyShortRev self}-${self.lastModifiedDate or "unk"}";
+      vacu.versionInfo =
+        {
+          rev = anyRev self;
+          flakePath = self.outPath;
+          inherit (self) lastModified lastModifiedDate;
+          inherit (config.vacu) versionId;
+          inherit inputs;
+          inherit vacuModuleType;
+        }
+        // lib.optionalAttrs (inputs ? nixpkgs) {
+          nixpkgs.source = "${inputs.nixpkgs}";
+          nixpkgs.rev = anyRev inputs.nixpkgs;
+        };
+
+      vacu.nix.caches.vacu = {
+        url = "https://nixcache.shelvacu.com/";
+        keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
+      };
+      vacu.nix.caches.nix-community = {
+        url = "https://nix-community.cachix.org/";
+        keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+        enable = false;
+      };
+      vacu.nix.caches.nix-on-droid = {
+        url = "https://nix-on-droid.cachix.org/";
+        keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
+        enable = false;
+      };
+      vacu.nix.caches.nixos = {
+        url = "https://cache.nixos.org/";
+        keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+      };
+      vacu.git.enable = config.vacu.systemKind == "server" || config.vacu.systemKind == "desktop";
+      vacu.git.config = {
+        init.defaultBranch = "master";
+        pull.rebase = false;
+        user.name = "Shelvacu";
+        user.email = "git@shelvacu.com";
+        author.name = "Shelvacu";
+        author.email = "git@shelvacu.com";
+        committer.name = "Shelvacu on ${config.vacu.hostName}";
+        committer.email = "git@shelvacu.com";
+        user.useConfigOnly = true;
+        checkout.workers = 0;
+        # We *could* use atomic writes, but those are slowwwwww! Are you sure????? - git, still living in the 90s
+        # Yes git, I'm sure
+        core.fsync = "all";
+        diff.mnemonicPrefix = true;
+        gc.reflogExpire = "never";
+        gc.reflogExpireUnreachable = "never";
+
+        url."https://github.com/".insteadOf = [
+          "hgh:"
+          "github-http:"
+          "github-https:"
+        ];
+        url."git@github.com:".insteadOf = [
+          "sgh:"
+          "gh:"
+          "github-ssh:"
+        ];
+        url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
+        url."https://gitlab.com/".insteadOf = [
+          "hgl:"
+          "gitlab-http:"
+          "gitlab-https:"
+        ];
+        url."git@gitlab.com:".insteadOf = [
+          "sgl:"
+          "gl:"
+          "gitlab-ssh:"
+        ];
+        url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
+        url."https://git.uninsane.org/".insteadOf = [
+          "hu:"
+          "uninsane-http:"
+          "uninsane-https:"
+        ];
+        url."git@git.uninsane.org:".insteadOf = [
+          "u:"
+          "su:"
+          "uninsane-ssh"
+        ];
+        url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
+      };
+      vacu.vnopnCA = ''
+        -----BEGIN CERTIFICATE-----
+        MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
+        A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
+        MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
+        hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
+        AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
+        MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
+        BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
+        CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
+        AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
+        -----END CERTIFICATE-----
+      '';
+      vacu.rootCAs = [ config.vacu.vnopnCA ];
+
+      vacu.ssh.authorizedKeys = {
+        # pixel6pro-termux = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86";
+        # t460s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp";
+        # pixel6pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W";
+        compute-deck = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug";
+        triple-dezert = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g";
+        triple-dezert-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8";
+        compute-deck-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I";
+        pro1x-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX";
+        fw-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m";
+        fw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C";
+        pixel9pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC";
+        legtop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOre0FnYDm3arsFj9c/l5H2Q8mdmv7kmvq683pL4heru";
+      };
+      vacu.ssh.config = ''
+        Host deckvacu
+          User deck
+
+        Host rsb
+          User user
+          HostName finaltask.xyz
+          Port 2222
+
+        Host awoo
+          HostName 45.142.157.71
+
+        Host trip
+          HostName trip.shelvacu.com
+          Port 6922
+
+        Host liam
+          HostName 178.128.79.152
+
+        Host pluto
+          HostName pluto.somevideogam.es
+
+        Host sdf
+          HostName tty.sdf.org
+
+        Host u
+          User git
+          HostName git.uninsane.org
+
+        Host gl
+          User git
+          HostName gitlab.com
+
+        Host gh
+          User git
+          HostName github.com
+
+        Host *
+          User shelvacu
+          GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
+      '';
+
+      vacu.ssh.knownHosts = {
+        #public hosts
+        "github.com".publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+        "gitlab.com".publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+        "git.sr.ht".publicKey =
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+        "sdf.org" = {
+          extraHostNames = [ "tty.sdf.org" ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
+        };
+
+        #colin's stuff
+        "uninsane.org" = {
+          extraHostNames = [ "git.uninsane.org" ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+        };
+        "desko" = {
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+        };
+
+        #daymocker's stuff
+        "pluto" = {
+          extraHostNames = [ "74.208.184.137" ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
+        };
+
+        #powerhouse hosts
+        "ostiary" = {
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
+        };
+        "habitat" = {
+          # previously known as zigbee-hub
+          extraHostNames = [ "10.78.79.114" ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
+        };
+        "vnopn" = {
+          extraHostNames = [
+            "10.78.79.1"
+            "vnopn.t2d.lan"
+          ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
+        };
+
+        #work laptop
+        "tebbs-MBP" = {
+          extraHostNames = [ "10.244.10.3" ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
+        };
+
+        #personal hosts
+        trip = {
+          extraHostNames = [
+            "triple-dezert"
+            "trip.shelvacu.com"
+            "[trip.shelvacu.com]:6922"
+          ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
+        };
+        servacu = {
+          extraHostNames = [
+            "mail.dis8.net"
+            "servacu.shelvacu.com"
+          ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
+        };
+        finaltask = {
+          extraHostNames = [
+            "rsb"
+            "finaltask.xyz"
+            "[finaltask.xyz]:2222"
+          ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
+        };
+        compute-deck = {
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
+        };
+        "2esrever" = {
+          extraHostNames = [
+            "10.4.5.218"
+            "10.244.46.71"
+          ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
+        };
+        awoo = {
+          extraHostNames = [ "45.142.157.71" ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
+        };
+        deckvacu = {
+          publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
+        };
+        liam = {
+          extraHostNames = [
+            "liam.dis8.net"
+            "178.128.79.152"
+          ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
+        };
+        fw = {
+          extraHostNames = [ "fw.t2d.lan" ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
+        };
+        legtop = {
+          extraHostNames = [
+            "lt"
+            "legtop.t2d.lan"
+          ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
+        };
+        mmm = {
+          extraHostNames = [
+            "mmm.t2d.lan"
+            "10.78.79.11"
+          ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
+        };
+      };
+    };
+  }

common/defaultPackages.nix

@@ -0,0 +1,89 @@
+{
+  pkgs,
+  config,
+  inputs,
+  lib,
+  ...
+}:
+lib.mkMerge [
+  (lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container") {
+    vacu.packages =
+      (with pkgs; [
+        home-manager
+        nix-index
+        rclone
+        termscp
+        man
+        neovim
+        nmap
+        ruby
+        (p7zip.override { enableUnfree = true; })
+        tcpdump
+        cargo
+        wayland-utils
+        kanidm
+        megatools
+      ])
+      ++ [
+        inputs.nix-search-cli.packages.${pkgs.system}.default
+        inputs.nix-inspect.packages.${pkgs.system}.default
+      ];
+  })
+  {
+    vacu.packages =
+      (with pkgs; [
+        netcat-openbsd
+        nixos-rebuild
+        which
+        nano
+        vim
+        wget
+        screen
+        tmux
+        lsof
+        htop
+        mosh
+        dnsutils
+        iperf3
+        rsync
+        ethtool
+        sshfs
+        ddrescue
+        pciutils
+        ncdu
+        pv
+        unzip
+        file
+        ripgrep
+        jq
+        tree
+        iputils
+        ssh-to-age
+        sops
+        inetutils
+        diffutils
+        findutils
+        util-linux
+        tzdata
+        hostname
+        gnugrep
+        gnused
+        gnutar
+        bzip2
+        gzip
+        xz
+        zip
+        unzip
+        openssh
+        dig
+        bash
+        usbutils
+        psutils
+        killall
+        curl
+        gnutls
+        progress
+      ])
+      ++ [ config.vacu.units.finalPackage ];
+  }
+]

common/desktopApps.nix

@@ -0,0 +1,5 @@
+{ lib, vacuModuleType, ... }:
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.desktopApps = lib.mkEnableOption "asdf";
+  #todo
+}

common/ffmpeg.nix

@@ -0,0 +1,13 @@
+{ pkgs, lib, ... }:
+{
+  vacu.packages.ffmpeg-allvrything = {
+    enable = lib.mkDefault false;
+    package = pkgs.ffmpeg_7-full.override (old: {
+      libbluray = old.libbluray.override {
+        withJava = true;
+        withAACS = true;
+        withBDplus = true;
+      };
+    });
+  };
+}

common/git.nix

@@ -0,0 +1,100 @@
+{
+  lib,
+  config,
+  pkgs,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (lib) types;
+  cfg = config.vacu.git;
+in
+{
+  imports = [
+    {
+      # https://github.com/NixOS/nixpkgs/blob/e8c38b73aeb218e27163376a2d617e61a2ad9b59/nixos/modules/programs/git.nix#L16
+      options.vacu.git = {
+        package = lib.mkPackageOption pkgs "git" { };
+        enable = lib.mkEnableOption "git";
+        config = lib.mkOption {
+          type =
+            let
+              gitini = types.attrsOf (types.attrsOf types.anything);
+            in
+            types.either gitini (types.listOf gitini)
+            // {
+              merge =
+                loc: defs:
+                let
+                  config =
+                    builtins.foldl'
+                      (
+                        acc:
+                        { value, ... }@x:
+                        acc
+                        // (
+                          if builtins.isList value then
+                            { ordered = acc.ordered ++ value; }
+                          else
+                            { unordered = acc.unordered ++ [ x ]; }
+                        )
+                      )
+                      {
+                        ordered = [ ];
+                        unordered = [ ];
+                      }
+                      defs;
+                in
+                [ (gitini.merge loc config.unordered) ] ++ config.ordered;
+            };
+          default = [ ];
+        };
+        lfs.enable = lib.mkEnableOption "git lfs";
+        lfs.package = lib.mkPackageOption pkgs "git-lfs" { };
+        configText = lib.mkOption {
+          readOnly = true;
+          type = types.str;
+        };
+      };
+
+      config.vacu.git.configText = lib.concatMapStringsSep "\n" lib.generators.toGitINI cfg.config;
+    }
+    (lib.mkIf cfg.enable {
+      vacu.packages.git = {
+        enable = true;
+        package = cfg.package;
+      };
+    })
+    (lib.mkIf (cfg.enable && cfg.lfs.enable) {
+      vacu.packages.git-lfs = {
+        enable = true;
+        package = cfg.lfs.package;
+      };
+      vacu.git.config =
+        let
+          bin = lib.getExe cfg.lfs.package;
+        in
+        {
+          filter.lfs = {
+            clean = "${bin} clean -- %f";
+            smudge = "${bin} smudge -- %f";
+            process = "${bin} filter-process";
+            required = true;
+          };
+        };
+    })
+    (lib.optionalAttrs (vacuModuleType == "nixos") {
+      vacu.assertions = [
+        {
+          assertion = !(cfg.enable && config.programs.git.enable);
+          message = "vacu.git and programs.git should not both be enabled";
+        }
+      ];
+
+      programs.git.enable = lib.mkIf cfg.enable false;
+    })
+    (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
+      environment = lib.mkIf (cfg.enable && cfg.config != [ ]) { etc.gitconfig.text = cfg.configText; };
+    })
+  ];
+}

common/home.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  imports = [ ./common-but-not.nix ];
+}

common/hpn.nix

@@ -0,0 +1,11 @@
+{
+  config,
+  lib,
+  pkgs,
+  vacuModuleType,
+  ...
+}:
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.ssh-hpn.enable = lib.mkEnableOption "openssh hpn";
+  config = lib.mkIf config.vacu.ssh-hpn.enable { programs.ssh.package = pkgs.openssh_hpn; };
+}

common/lib/default.nix

@@ -0,0 +1,19 @@
+{ lib, config, ... }:
+{
+  imports = [
+    ./makeWrapper.nix
+    ./outputOf.nix
+    ./strings.nix
+  ];
+
+  options.vacu.vaculib = lib.mkOption { type = lib.types.anything; };
+
+  config._module.args.vaculib = config.vacu.vaculib;
+
+  config.vacu.vaculib.mkOutOption =
+    val:
+    lib.mkOption {
+      readOnly = true;
+      default = val;
+    };
+}

common/lib/makeWrapper.nix

@@ -0,0 +1,93 @@
+{ pkgs, lib, ... }:
+let
+  inherit (lib)
+    optionals
+    optional
+    mapAttrsToList
+    concatMap
+    escapeShellArg
+    escapeShellArgs
+    ;
+in
+{
+  config.vacu.vaculib.makeWrapper =
+    {
+      original,
+      new,
+      argv0 ? null,
+      inherit_argv0 ? false,
+      resolve_argv0 ? false,
+      set ? { },
+      set_default ? { },
+      unset ? [ ],
+      chdir ? null,
+      run ? [ ],
+      prepend_flags ? [ ],
+      add_flags ? [ ],
+      append_flags ? [ ],
+      runtimeHook ? null,
+    }:
+    let
+      prependFlags = prepend_flags ++ add_flags;
+      escapeFlags = escapeShellArgs;
+      # escapeFlags = flags: builtins.concatStringsSep " " (map escapeShellArg flags);
+      originalBin = if lib.isDerivation original then lib.getExe original else original;
+      makeWrapperFlags =
+        (optionals (argv0 != null) [
+          "--argv0"
+          argv0
+        ])
+        ++ (optional inherit_argv0 "--inherit-argv0")
+        ++ (optional resolve_argv0 "--resolve-argv0")
+        ++ (mapAttrsToList (k: v: [
+          "--set"
+          k
+          v
+        ]) set)
+        ++ (mapAttrsToList (k: v: [
+          "--set-default"
+          k
+          v
+        ]) set_default)
+        ++ (concatMap (k: [
+          "--unset"
+          k
+        ]) unset)
+        ++ (optionals (chdir != null) [
+          "--chdir"
+          chdir
+        ])
+        ++ (concatMap (k: [
+          "--run"
+          k
+        ]) run)
+        ++ (optionals (prependFlags != [ ]) [
+          "--add-flags"
+          (escapeFlags prependFlags)
+        ])
+        ++ (optionals (append_flags != [ ]) [
+          "--append-flags"
+          (escapeFlags append_flags)
+        ]);
+    in
+    pkgs.stdenvNoCC.mkDerivation {
+      name = new;
+
+      nativeBuildInputs = [ pkgs.makeWrapper ];
+
+      phases = [ "installPhase" ];
+
+      installPhase = ''
+        runHook preInstall
+
+        mkdir -p $out/bin
+        makeWrapper ${escapeShellArg originalBin} $out/bin/${escapeShellArg new} ${escapeShellArgs makeWrapperFlags}
+
+        runHook postInstall
+      '';
+
+      inherit runtimeHook;
+
+      meta.mainProgram = new;
+    };
+}

common/lib/outputOf.nix

@@ -0,0 +1,47 @@
+{
+  pkgs,
+  lib,
+  vaculib,
+  ...
+}:
+let
+  runCommandBare =
+    {
+      cmd,
+      local ? true,
+      ...
+    }@args:
+    assert !vaculib.isPrefixOf "-" cmd;
+    derivation (
+      {
+        builder = lib.getExe pkgs.bash;
+        args = [
+          "-c"
+          cmd
+        ];
+        system = pkgs.buildPlatform.system;
+      }
+      // (lib.optionalAttrs local {
+        allowSubstitutes = false;
+        preferLocalBuild = true;
+      })
+      // (lib.removeAttrs args [
+        "cmd"
+        "local"
+      ])
+    );
+  outputOf =
+    {
+      removeNewline ? true,
+      ...
+    }@args:
+    let
+      passThruArgs = lib.removeAttrs args [ "removeNewline" ];
+      res = builtins.readFile (runCommandBare passThruArgs);
+      noNewline = lib.removeSuffix "\n" res;
+    in
+    if removeNewline then noNewline else res;
+in
+{
+  config.vacu.vaculib = { inherit runCommandBare outputOf; };
+}

common/lib/strings.nix

@@ -0,0 +1,22 @@
+{ ... }:
+let
+  inherit (builtins) stringLength substring;
+  # aka startsWith but hopefully clear from the name what order the arguments go
+  isPrefixOf =
+    prefix: s:
+    let
+      prefixl = stringLength prefix;
+      sl = stringLength s;
+    in
+    (sl >= prefixl) && (substring 0 prefixl s) == prefix;
+  isSuffixOf =
+    suffix: s:
+    let
+      suffixl = stringLength suffix;
+      sl = stringLength s;
+    in
+    (sl >= suffixl) && (substring (sl - suffixl - 1) - 1 s) == suffix;
+in
+{
+  config.vacu.vaculib = { inherit isPrefixOf isSuffixOf; };
+}

common/lix.nix

@@ -0,0 +1,7 @@
+{ vacuModuleType, ... }:
+if vacuModuleType == "nixos" then
+  {
+    # imports = [ inputs.lix-module.nixosModules.default ];
+  }
+else
+  { }

common/minimal-nixos.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  pkgs,
+  lib,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (lib) mkIf mkDefault;
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  config = mkIf (config.vacu.systemKind == "minimal") {
+    programs.git.lfs.enable = false;
+    programs.git.package = pkgs.gitMinimal;
+    # mostly copied from nixos's /profiles/minimal.nix
+    documentation.enable = mkDefault false;
+
+    documentation.doc.enable = mkDefault false;
+
+    documentation.info.enable = mkDefault false;
+
+    documentation.man.enable = mkDefault false;
+
+    documentation.nixos.enable = mkDefault false;
+
+    # Perl is a default package.
+    environment.defaultPackages = mkDefault [ ];
+
+    environment.stub-ld.enable = false;
+
+    # The lessopen package pulls in Perl.
+    programs.less.lessopen = mkDefault null;
+
+    programs.command-not-found.enable = mkDefault false;
+
+    services.logrotate.enable = mkDefault false;
+
+    services.udisks2.enable = mkDefault false;
+
+    xdg.autostart.enable = mkDefault false;
+    xdg.icons.enable = mkDefault false;
+    xdg.mime.enable = mkDefault false;
+    xdg.sounds.enable = mkDefault false;
+  };
+}

common/nix-command-extensions/default.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}

common/nix-command-extensions/nix.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# replaceme START
+declare -A cache_to_url
+cache_to_url["foo"]="https://example.com/some-nix-cache"
+
+declare -a caches_to_use=("foo")
+
+declare nixCmd="foo"
+# replaceme END
+
+declare -a preArgs
+declare -a passThruArgs
+cache_name=""
+function valid_cache_name() {
+  cache_name="$1"
+  if [[ $cache_name == -* ]]; then
+    echo "invalid cache name" >&2
+    exit 1
+  fi
+}
+while [[ -n $1 ]]; do
+  arg="$1"
+  shift
+  case "$arg" in
+  "--without-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use=("${caches_to_use[@]/$cache_name/}")
+    ;;
+  "--with-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use+=("$cache_name")
+    ;;
+  "--only-cache")
+    cache_name="$1"
+    shift
+    valid_cache_name "$cache_name"
+    caches_to_use=("$cache_name")
+    ;;
+  "--on-trip")
+    if [[ $HOSTNAME == "triple-dezert" ]]; then
+      echo "Warn: skipping --on-trip: already on trip" >&2
+    else
+      passThruArgs+=("--builders" "ssh://trip x86_64-linux,aarch64-linux" "--max-jobs" "0" "--option" "builders-use-substitutes" "true")
+    fi
+    ;;
+  "--")
+    passThruArgs+=("$arg" "$@")
+    break
+    ;;
+  *)
+    passThruArgs+=("$arg")
+    ;;
+  esac
+done
+
+declare -a substituters
+for c in "${caches_to_use[@]}"; do
+  url="${cache_to_url["$c"]}"
+  substituters+=("$url")
+done
+
+substituters_together="${substituters[*]}"
+
+preArgs+=("--option" "substituters" "$substituters_together")
+
+exec "$nixCmd" "${preArgs[@]}" "${passThruArgs[@]}"

common/nix-on-droid.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (lib) mkDefault;
+in
+lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
+  environment.packages = config.vacu.packageList;
+  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
+  nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
+  nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
+  vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
+  environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
+  environment.etc.profile.text = config.vacu.shell.interactiveLines;
+  environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
+
+  vacu.hostName = mkDefault "nix-on-droid";
+  vacu.shortHostName = mkDefault "nod";
+}

common/nix.nix

@@ -0,0 +1,34 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkOption types;
+  caches = builtins.attrValues config.vacu.nix.caches;
+  enabledCaches = builtins.filter (c: c.enable) caches;
+in
+{
+  options = {
+    vacu.nix.caches = mkOption {
+      type = types.attrsOf (
+        types.submodule (
+          { ... }:
+          {
+            options = {
+              url = mkOption { type = types.str; };
+              keys = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+              };
+              enable = mkOption {
+                default = true;
+                type = types.bool;
+              };
+            };
+          }
+        )
+      );
+    };
+    vacu.nix.substituterUrls = mkOption { readOnly = true; };
+    vacu.nix.trustedKeys = mkOption { readOnly = true; };
+  };
+  config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
+  config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
+}

common/nixos-rebuild.nix

@@ -0,0 +1,34 @@
+{
+  pkgs,
+  config,
+  lib,
+  vacuModuleType,
+  ...
+}:
+let
+  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.alwaysUseRemoteSudo =
+    (lib.mkEnableOption "always deploy to this machine with --use-remote-sudo")
+    // {
+      default = true;
+    };
+  config = lib.mkIf config.vacu.alwaysUseRemoteSudo {
+    system.build.nixos-rebuild = lib.mkForce (
+      pkgs.runCommandLocal "nixos-rebuild-wrapped"
+        {
+          nativeBuildInputs = [ pkgs.makeShellWrapper ];
+          meta.mainProgram = "nixos-rebuild";
+        }
+        ''
+          runHook preInstall
+
+          mkdir -p $out/bin
+          makeShellWrapper ${lib.getExe nixos-rebuild} $out/bin/nixos-rebuild --add-flags "--use-remote-sudo"
+
+          runHook postInstall
+        ''
+    );
+  };
+}

common/nixos.nix

@@ -0,0 +1,107 @@
+{
+  lib,
+  pkgs,
+  config,
+  vacuModuleType,
+  ...
+}:
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.underTest = lib.mkOption {
+    default = false;
+    type = lib.types.bool;
+  };
+  config = {
+    # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
+    # presumably needed by nheko
+    nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
+    # nixpkgs.overlays = [ inputs.self.overlays.default ];
+
+    console = {
+      keyMap = lib.mkDefault "us";
+    };
+    networking = if config.vacu.hostName == null then { } else { hostName = config.vacu.hostName; };
+    vacu.packages."xorg-xev" = {
+      enable = config.services.xserver.enable;
+      package = pkgs.xorg.xev;
+    };
+    vacu.ssh-hpn.enable = true;
+    environment.systemPackages = config.vacu.packageList;
+    programs.nix-ld.enable = true;
+    system.nixos.tags = [
+      "vacu${config.vacu.versionId}"
+      config.vacu.hostName
+    ];
+    environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
+    environment.etc."chromium" = lib.mkIf (config.vacu.systemKind == "desktop") {
+      source = "/run/current-system/sw/etc/chromium";
+    };
+
+    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+    time.timeZone = "America/Los_Angeles";
+
+    users.users.shelvacu = lib.mkIf (config.vacu.systemKind != "container") {
+      openssh.authorizedKeys.keys = lib.attrValues config.vacu.ssh.authorizedKeys;
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+    };
+    # # safety user: if something is super fucked up with my shell stuff, I can ssh in as shelvac2
+    # users.users.shelvac2 = {
+    #   openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
+    #   isNormalUser = true;
+    #   extraGroups = [ "wheel" ];
+    #   shell = pkgs.bash;
+    # };
+    services.openssh = {
+      # require public key authentication for better security
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+      settings.PermitRootLogin = "prohibit-password";
+    };
+
+    nix.settings.trusted-users = lib.mkIf (config.vacu.systemKind != "container") [ "shelvacu" ];
+    security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+    programs.screen = {
+      enable = true;
+      screenrc = ''
+        defscrollback 10000
+        termcapinfo xterm* ti@:te@
+        maptimeout 5
+      '';
+    };
+
+    programs.tmux = lib.mkIf (config.vacu.systemKind != "container") {
+      enable = true;
+      extraConfig = "setw mouse";
+      clock24 = true;
+    };
+
+    nix.settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+      substituters = lib.mkForce config.vacu.nix.substituterUrls;
+      extra-substituters = lib.mkForce [ ];
+      trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
+      extra-trusted-public-keys = lib.mkForce [ ];
+    };
+    nixpkgs.config.allowUnfree = lib.mkDefault true;
+
+    programs.mosh.enable = lib.mkIf (config.vacu.systemKind != "container") (lib.mkDefault true);
+
+    programs.ssh.extraConfig = config.vacu.ssh.config;
+
+    security.pki.certificates = config.vacu.rootCAs;
+
+    # commands.nix
+    environment.pathsToLink = [
+      "/share/vacufuncs"
+      "/etc/chromium"
+    ];
+    programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
+    programs.bash.promptInit = lib.mkForce "";
+
+    systemd.services.nix-daemon.serviceConfig.Nice = "10";
+  };
+}

common/nixvim.nix

@@ -0,0 +1,17 @@
+{
+  pkgs,
+  config,
+  inputs,
+  lib,
+  ...
+}:
+{
+  vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.nixvim;
+  vacu.shell.functions =
+    lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container")
+      {
+        nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
+        nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
+        nvim = ''nvim-nixvim "$@"'';
+      };
+}

common/package-set.nix

@@ -0,0 +1,69 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  pkgOptions = builtins.attrValues config.vacu.packages;
+  enabledOptions = builtins.filter (o: o.enable) pkgOptions;
+  enabledPkgs = builtins.map (o: o.package) enabledOptions;
+  packagesSetType = types.attrsOf (
+    types.submodule (
+      { name, ... }:
+      {
+        options = {
+          enable = mkOption {
+            type = types.bool;
+            description = "Will this package be installed (included in environment.systemPackages)";
+          };
+          package = mkOption {
+            type = types.package;
+            default = pkgs.${name};
+            defaultText = "pkgs.${name}";
+          };
+        };
+      }
+    )
+  );
+  packageListToSet = (
+    from:
+    let
+      enable = lib.mkOverride 900 true; # more important than mkDefault, less important than setting explicitly
+      keyvals = map (
+        val:
+        if builtins.isString val then
+          {
+            name = val;
+            value = { inherit enable; };
+          }
+        else
+          {
+            name = val.pname or val.name;
+            value = {
+              package = lib.mkDefault val;
+              inherit enable;
+            };
+          }
+      ) from;
+    in
+    builtins.listToAttrs keyvals
+  );
+in
+{
+  options = {
+    vacu.packages = mkOption {
+      default = { };
+      type = types.coercedTo (types.listOf (
+        types.either types.str types.package
+      )) packageListToSet packagesSetType;
+    };
+    vacu.packageList = mkOption {
+      type = types.listOf types.package;
+      readOnly = true;
+    };
+  };
+
+  config.vacu.packageList = enabledPkgs;
+}

common/remapCapsLock.nix

@@ -0,0 +1,35 @@
+{
+  pkgs,
+  lib,
+  config,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.enableCapsLockRemap = mkOption {
+    type = types.bool;
+    default = config.vacu.systemKind == "desktop";
+  };
+  config = lib.mkIf config.vacu.enableCapsLockRemap {
+    # https://discourse.nixos.org/t/best-way-to-remap-caps-lock-to-esc-with-wayland/39707/6
+    services.interception-tools =
+      let
+        itools = pkgs.interception-tools;
+        itools-caps = pkgs.interception-tools-plugins.caps2esc;
+      in
+      {
+        enable = true;
+        plugins = [ itools-caps ];
+        # requires explicit paths: https://github.com/NixOS/nixpkgs/issues/126681
+        udevmonConfig = pkgs.lib.mkDefault ''
+          - JOB: "${itools}/bin/intercept -g $DEVNODE | ${itools-caps}/bin/caps2esc -m 1 | ${itools}/bin/uinput -d $DEVNODE"
+            DEVICE:
+              EVENTS:
+                EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
+        '';
+      };
+  };
+}

common/shell/container-aliases.nix

@@ -0,0 +1,38 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (pkgs) writeScriptBin;
+in
+{
+  options.vacu.shell.containerAliases = lib.mkEnableOption "container aliases";
+  config = lib.mkIf config.vacu.shell.containerAliases {
+    vacu.packages = [
+      (writeScriptBin "ncrun" ''
+        if (( "$#" < 2 )); then
+          echo "need at least two args [container] and [command]" >&2
+          exit 1
+        fi
+        if [[ $UID != 0 ]]; then
+          exec /run/wrappers/bin/sudo "$0" "$@"
+        fi
+        container="$1"
+        shift
+        exec ${lib.getExe pkgs.nixos-container} run "$1" -- "$@"
+      '')
+      (writeScriptBin "ncrl" ''
+        if (( "$#" != 1 )); then
+          echo "need exactly one arg: [container]" >&2
+          exit 1
+        fi
+        if [[ $UID != 0 ]]; then
+          exec /run/wrappers/bin/sudo "$0" "$@"
+        fi
+        exec ${lib.getExe pkgs.nixos-container} root-login "$1"
+      '')
+    ];
+  };
+}

common/shell/default.nix

@@ -0,0 +1,190 @@
+{
+  config,
+  lib,
+  pkgs,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  cfg = config.vacu.shell;
+  writeShellFunction =
+    name: text:
+    pkgs.writeTextFile {
+      inherit name;
+      executable = false;
+      destination = "/share/vacufuncs/${name}";
+      text = ''
+        ${text}
+      '';
+      checkPhase = ''
+        ${pkgs.stdenv.shellDryRun} "$target"
+      '';
+    };
+  functionPackages = lib.mapAttrsToList writeShellFunction cfg.functions;
+  vacuInitFile = pkgs.writeText "vacu.shell.interactiveLines.sh" cfg.interactiveLines;
+  wrappedBashPkg = vaculib.makeWrapper {
+    original = pkgs.bash;
+    new = "vacuinit-bash";
+    prepend_flags = [
+      "--init-file"
+      vacuInitFile
+    ];
+  };
+  wrappedBash = lib.getExe wrappedBashPkg;
+in
+{
+  imports = [
+    ./not-aliases.nix
+    ./ps1.nix
+    ./container-aliases.nix
+  ];
+  options = {
+    vacu.shell.functionsDir = mkOption {
+      type = types.path;
+      default = "/run/current-system/sw/share/vacufuncs";
+    };
+    vacu.shell.interactiveLines = mkOption {
+      type = types.lines;
+      readOnly = true;
+    };
+    vacu.shell.wrappedBash = mkOption { readOnly = true; };
+    vacu.shell.idempotentShellLines = mkOption {
+      type = types.lines;
+      default = "";
+    };
+    vacu.shell.color = mkOption {
+      type = types.enum (builtins.attrNames vaculib.shellColors);
+      default = "white";
+    };
+    vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
+  };
+  config.vacu = {
+    vaculib = {
+      # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
+      shellColors = {
+        black = 30;
+        red = 31;
+        green = 32;
+        yellow = 33;
+        blue = 34;
+        magenta = 35;
+        cyan = 36;
+        white = 37;
+      };
+    };
+    shell.interactiveLines = ''
+      if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
+        function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
+        __vacushell_load
+        unset __vacushell_load
+      fi
+    '';
+    shell.wrappedBash = wrappedBash;
+    shell.functions = {
+      "vacureload" = ''
+        declare -gA vacuShellFunctionsLoaded
+        if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
+          echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
+          for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
+            unset -f $funcname
+          done
+          return
+        fi
+        for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
+          if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
+            unset -f $funcname
+          fi
+        done
+        for fullPath in ${cfg.functionsDir}/*; do
+          local funcname="$(basename "$fullPath")"
+          local followedPath="$(readlink -f "$fullPath")"
+          if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
+            unset -f $funcname
+            eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
+            vacuShellFunctionsLoaded[$funcname]=$followedPath
+          fi
+          unset followedPath
+          unset funcname
+        done
+        __set_idempotents
+      '';
+      "__set_idempotents" = cfg.idempotentShellLines;
+      vhich = ''
+        if [[ $# != 1 ]]; then
+          echo "expected exactly one arg" 1>&2
+          return 1
+        fi
+        query="$1"
+        quote='`'"$query'"
+        kind="$(type -t "$query")"
+        if [[ "$kind" == "" ]]; then
+          echo "could not find any command $quote" 1>&2
+          return 1
+        fi
+        echo "$quote is a $kind"
+        case "$kind" in
+          "alias")
+            alias "$query"
+            return 0
+            ;;
+          "keyword")
+            echo "See https://www.gnu.org/software/bash/manual/html_node/Reserved-Word-Index.html"
+            return 0
+            ;;
+          "function")
+            if [[ -v vacuShellFunctionsLoaded["$query"] ]]; then
+              echo "$quote is a vacufunc"
+              path="''${vacuShellFunctionsLoaded[$query]}"
+              # continue to below
+            else
+              declare -f "$query"
+              return 0
+            fi
+            ;;
+          "builtin")
+            echo "Docs: https://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html#index-$query"
+            return 0
+            ;;
+          "file")
+            path="$(which "$query")"
+            # continue to below
+            ;;
+          *)
+            echo 'ERR: unexpected return from `type -t`: '"$kind" 1>&2
+            return 1
+        esac
+        echo "path:"
+        while [[ -L "$path" ]]; do
+          dest="$(readlink "$path")"
+          echo "  $path is a symlink to $dest"
+          if [[ "$dest" != /* ]]; then
+            dest="$(dirname "$path")/$dest"
+          fi
+          path="$dest"
+        done
+        echo "  $path"
+        if ! [[ -e "$path" ]]; then
+          echo "$path does not exist!"
+          return 1
+        fi
+        canon="$(readlink -f "$path")"
+        if [[ "$path" != "$canon" ]]; then
+          echo "  $path canonicalizes to $canon"
+          path="$canon"
+        fi
+        magic_parse="$(file --brief --mime "$path")"
+        echo "magic: $magic_parse"
+        case "$magic_parse" in
+          'text/x-shellscript;'* | 'text/plain;'*)
+            echo "initial contents:"
+            echo
+            cat "$path" | head --lines=10 | head --bytes=2000
+            echo "..."
+            ;;
+        esac
+      '';
+    };
+    packages = functionPackages;
+  };
+}

common/shell/not-aliases.nix

@@ -0,0 +1,157 @@
+# These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
+{
+  pkgs,
+  lib,
+  config,
+  inputs,
+  ...
+}:
+let
+  inherit (pkgs) writeScriptBin;
+  ms_text = with_sudo: ''
+    set -eo pipefail
+    if [[ $# -gt 3 ]] || [[ $# == 0 ]]; then
+      echo "wrong number of args" 1>&2
+      exit 1
+    fi
+    host="$1"
+    session_name="''${2:-main}"
+    set -x
+    mosh -- "$host" ${lib.optionalString with_sudo "sudo"} screen -RdS "$session_name"
+  '';
+  msl_text = ''
+    set -eo pipefail
+    if [[ $# != 1 ]]; then
+      echo "wrong number of args" 1>&2
+      exit 1
+    fi
+    host="$1"
+    echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
+  '';
+  systemctl = "${pkgs.systemd}/bin/systemctl";
+  journalctl = "${pkgs.systemd}/bin/journalctl";
+  system = pkgs.hostPlatform.system;
+in
+{
+  vacu.packages = [
+    (writeScriptBin "ms" (ms_text false))
+    (writeScriptBin "mss" (ms_text true))
+    (writeScriptBin "msl" msl_text)
+    (writeScriptBin "rmln" ''
+      set -eo pipefail
+      for arg in "$@"; do
+        if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
+          echo "$0: $arg is not a symlink" 1>&2
+          exit 1
+        fi
+      done
+      rm "$@"
+    '')
+    (writeScriptBin "nr" ''
+      # nix run nixpkgs#<thing> -- <args>
+      set -eo pipefail
+      if [[ $# == 0 ]]; then
+        echo "need at least one arg" 1>&2
+        exit 1
+      fi
+      installable="$1"
+      shift
+      if [[ "$installable" != *'#'* ]]; then
+        installable="nixpkgs#$installable"
+      fi
+      nix run "$installable" -- "$@"
+    '')
+    (writeScriptBin "nb" ''
+      # nix build nixpkgs#<thing> <args>
+      set -eo pipefail
+      if [[ $# == 0 ]]; then
+        echo "need at least one arg" 1>&2
+        exit 1
+      fi
+      installable="$1"
+      shift
+      if [[ "$installable" != *'#'* ]]; then
+        installable="nixpkgs#$installable"
+      fi
+      nix build "$installable" "$@"
+    '')
+    (writeScriptBin "ns" ''
+      # nix shell nixpkgs#<thing>
+      set -eo pipefail
+      new_args=( )
+      for arg in "$@"; do
+        if [[ "$arg" != *'#'* ]] && [[ "$arg" != -* ]]; then
+          arg="nixpkgs#$arg"
+        fi
+        new_args+=("$arg")
+      done
+      nix shell "''${new_args[@]}"
+    '')
+    (writeScriptBin "sc" ''
+      exec ${systemctl} "$@"
+    '')
+    (writeScriptBin "scs" ''
+      exec ${systemctl} status --lines=20 --full "$@"
+    '')
+    (writeScriptBin "scc" ''
+      exec ${systemctl} cat "$@"
+    '')
+    (writeScriptBin "scr" ''
+      exec ${systemctl} restart "$@"
+    '')
+    (writeScriptBin "jc" ''
+      exec ${journalctl} --pager-end "$@"
+    '')
+    (writeScriptBin "jcu" ''
+      exec ${journalctl} --pager-end -u "$@"
+    '')
+  ] ++ lib.optional (system == "x86_64-linux")
+    (writeScriptBin "dnix" ''exec ${inputs.determinate-nix.packages.${system}.nix} "$@"'')
+  ;
+  vacu.shell.functions = {
+    nd = ''
+      declare -a args=("$@")
+      if [[ "''${#args[@]}" == 0 ]]; then
+        echo "nd: must provide at least one argument" 1>&1
+        return 1
+      fi
+      lastarg="''${args[-1]}"
+      if [[ "$lastarg" == "-"* ]]; then
+        echo "nd: last argument must be the directory" 1>&2
+        return 1
+      fi
+      for arg in "''${args[@]::''${#args[@]}-1}"; do
+        if [[ "$arg" != "-"* ]]; then
+          echo "nd: last argument must be the directory" 1>&2
+          return 1
+        fi
+      done
+      mkdir "''${args[@]}" && cd "''${args[-1]}"
+    '';
+    nt = ''pushd "$(mktemp -d "$@")"'';
+  };
+  vacu.textChecks."vacu-shell-functions-nd" = ''
+    function nd() {
+      ${config.vacu.shell.functions.nd}
+    }
+
+    start=/tmp/test-place
+    mkdir -p $start
+    cd $start
+    nd a
+    [[ "$PWD" == "$start/a" ]]
+    cd $start
+    nd -p b/c
+    [[ "$PWD" == "$start/b/c" ]]
+  '';
+  vacu.textChecks."vacu-shell-functions-nt" = ''
+    function nt() {
+      ${config.vacu.shell.functions.nt}
+    }
+    start=$PWD
+    nt
+    [[ "$PWD" != "$start" ]]
+    popd
+    [[ "$PWD" == "$start" ]]
+  '';
+}

common/shell/ps1.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  vaculib,
+  vacuModuleType,
+  ...
+}:
+let
+  cfg = config.vacu.shell;
+  # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
+  colors = vaculib.shellColors;
+
+  # TODO: reset_without_clear doesn't fully work
+  # thanks colin https://git.uninsane.org/colin/nix-files/src/commit/7f5b2628016c8ca1beec417766157c7676a9c5e5/hosts/common/programs/zsh/starship.nix#L24
+  # https://man.archlinux.org/man/bash.1#PROMPTING
+  # \[ and \] begins and ends "a sequence of non-printing characters"
+  set_color = colornum: "\\[\\e[1;${toString colornum}m\\]";
+  set_inverted_color = colornum: "\\[\\e[1;37;${toString (colornum + 10)}m\\]";
+  reset_color = "\\[\\e[0m\\]";
+  colornum = colors.${cfg.color};
+  root_text = root: lib.optionalString root "ROOT@";
+  final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
+  hostName = if vacuModuleType == "plain" then "\\h" else config.vacu.shortHostName;
+  default_ps1 =
+    root:
+    "\\n"
+    # + ''\[${reset_without_clear}\]''
+    + (set_color colornum)
+    + "${root_text root}${hostName}:\\w"
+    + (final root)
+    + reset_color
+    + " ";
+in
+{
+  vacu.shell.idempotentShellLines = ''
+    if [ $UID = 0 ]; then
+      export PS1=${lib.escapeShellArg (default_ps1 true)}
+    else
+      export PS1=${lib.escapeShellArg (default_ps1 false)}
+    fi
+  '';
+}

common/sops-integrate.nix

@@ -0,0 +1,10 @@
+{
+  inputs,
+  config,
+  ...
+}:
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+  sops.defaultSopsFile = config.vacu.secretsFolder + "/${config.vacu.hostName}/main.yaml";
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+}

common/sops.nix

@@ -0,0 +1,77 @@
+{
+  lib,
+  pkgs,
+  config,
+  vaculib,
+  ...
+}:
+let
+  ssh-to-age = lib.getExe pkgs.ssh-to-age;
+  sshToAge =
+    sshPubText:
+    vaculib.outputOf {
+      name = "age-from-ssh.txt";
+      cmd = "echo ${lib.escapeShellArg sshPubText} | ${ssh-to-age} > $out";
+    };
+  userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
+  userKeysAge = map sshToAge userKeys;
+  liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
+  liamKeyAge = sshToAge liamKey;
+  tripKey = config.vacu.ssh.knownHosts.trip.publicKey;
+  tripKeyAge = sshToAge tripKey;
+  singleGroup = keys: [ { age = keys; } ];
+  testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
+  testAgePublic = vaculib.outputOf {
+    name = "test-age-public-key.txt";
+    cmd = "echo ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y > $out";
+  };
+  sopsConfig = {
+    creation_rules = [
+      {
+        path_regex = "/secrets/misc/[^/]+$";
+        key_groups = singleGroup userKeysAge;
+      }
+      {
+        path_regex = "/secrets/liam/[^/]+$";
+        key_groups = singleGroup (userKeysAge ++ [ liamKeyAge ]);
+      }
+      {
+        path_regex = "/secrets/trip/[^/]+$";
+        key_groups = singleGroup (userKeysAge ++ [ tripKeyAge ]);
+      }
+      {
+        path_regex = "/secrets/radicle-private.key$";
+        key_groups = singleGroup (userKeysAge ++ [ (sshToAge config.vacu.ssh.knownHosts.fw.publicKey) ]);
+      }
+      {
+        path_regex = "/tests/test_secrets/";
+        key_groups = singleGroup [ testAgePublic ];
+      }
+    ];
+  };
+  sopsConfigFile = pkgs.writers.writeYAML "sops.yaml" sopsConfig;
+  wrappedSops = vaculib.makeWrapper {
+    original = lib.getExe pkgs.sops;
+    new = "vacu-nix-stuff-sops";
+    add_flags = [
+      "--config"
+      sopsConfigFile
+    ];
+    run = lib.singleton ''
+      set -e
+      age_keys=("${testAgeSecret}" "$(cat $HOME/.ssh/id_ed25519 | ${lib.getExe pkgs.ssh-to-age} -private-key)")
+
+      export SOPS_AGE_KEY
+      printf -v SOPS_AGE_KEY "%s\n" "''${age_keys[@]}"
+      # declare -p SOPS_AGE_KEY
+    '';
+  };
+in
+{
+  options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile;
+  options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
+  options.vacu.secretsFolder = lib.mkOption {
+    type = lib.types.path;
+    default = ../secrets;
+  };
+}

common/sourceTree.nix

@@ -0,0 +1,60 @@
+{
+  inputs,
+  pkgs,
+  lib,
+  config,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (builtins) isString isAttrs;
+  inherit (lib) mkOption types;
+  inputsOf =
+    flake:
+    assert isAttrs flake;
+    let
+      inputs = removeAttrs (flake.inputs or { }) [ "self" ];
+      # inputTrees = lib.mapAttrs (_: val: inputsOf val) inputs;
+    in
+    pkgs.linkFarm "inputs-tree" (inputs // { self = flake; });
+  # traverseInputs =
+  #   linkDir: unfilteredInputs:
+  #   assert isString linkDir;
+  #   assert isAttrs unfilteredInputs;
+  #   let
+  #     inputs = removeAttrs unfilteredInputs [ "self" ];
+  #   in
+  #   lib.concatStringsSep "\n" (
+  #     lib.mapAttrsToList (
+  #       inputName: inputAttrs:
+  #       let
+  #         thisDir = linkDir + "/" + inputName;
+  #       in
+  #       assert isAttrs inputAttrs;
+  #       assert isAttrs (inputAttrs.inputs or { });
+  #       ''
+  #         mkdir -p ${thisDir}
+  #         ln -s ${inputAttrs} ${thisDir}/self
+  #         ${traverseInputs thisDir (inputAttrs.inputs or { })}
+  #       ''
+  #     ) inputs
+  #   );
+in
+{
+  options.vacu.sourceTree = mkOption {
+    readOnly = true;
+    type = types.package;
+  };
+  config =
+    {
+      vacu.sourceTree = inputsOf inputs.self // { inherit inputs; };
+      # vacu.sourceTree = pkgs.runCommand "inputs-tree" { } ''
+      #   mkdir -p $out
+      #   ln -s ${inputs.self} $out/self
+      #   ${traverseInputs "$out" inputs}
+      # '';
+    }
+    // (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
+      environment.etc."vacu/sources".source = "${config.vacu.sourceTree}";
+    });
+}

common/ssh.nix

@@ -0,0 +1,145 @@
+{ lib, config, ... }:
+let
+  inherit (lib)
+    mkOption
+    types
+    flip
+    concatMapStringsSep
+    optionalString
+    concatStringsSep
+    readFile
+    literalExpression
+    ;
+  inherit (builtins) attrValues;
+  cfg = config.vacu;
+  knownHosts = attrValues cfg.ssh.knownHosts;
+  knownHostsText =
+    (flip (concatMapStringsSep "\n") knownHosts (
+      h:
+      assert h.hostNames != [ ];
+      optionalString h.certAuthority "@cert-authority "
+      + concatStringsSep "," h.hostNames
+      + " "
+      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+    ))
+    + "\n";
+in
+{
+  options = {
+    vacu.ssh.knownHostsText = mkOption {
+      type = types.str;
+      readOnly = true;
+      default = knownHostsText;
+    };
+    #vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
+    vacu.ssh.authorizedKeys = mkOption {
+      type = types.attrsOf types.str;
+      default = { };
+    };
+    vacu.ssh.config = mkOption { type = types.lines; };
+    # Straight copied from nixpkgs
+    # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
+    vacu.ssh.knownHosts = mkOption {
+      default = { };
+      type = types.attrsOf (
+        types.submodule (
+          {
+            name,
+            config,
+            options,
+            ...
+          }:
+          {
+            options = {
+              certAuthority = mkOption {
+                type = types.bool;
+                default = false;
+                description = ''
+                  This public key is an SSH certificate authority, rather than an
+                  individual host's key.
+                '';
+              };
+              hostNames = mkOption {
+                type = types.listOf types.str;
+                default = [ name ] ++ config.extraHostNames;
+                defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
+                description = ''
+                  A list of host names and/or IP numbers used for accessing
+                  the host's ssh service. This list includes the name of the
+                  containing `knownHosts` attribute by default
+                  for convenience. If you wish to configure multiple host keys
+                  for the same host use multiple `knownHosts`
+                  entries with different attribute names and the same
+                  `hostNames` list.
+                '';
+              };
+              extraHostNames = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = ''
+                  A list of additional host names and/or IP numbers used for
+                  accessing the host's ssh service. This list is ignored if
+                  `hostNames` is set explicitly.
+                '';
+              };
+              publicKey = mkOption {
+                default = null;
+                type = types.nullOr types.str;
+                example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
+                description = ''
+                  The public key data for the host. You can fetch a public key
+                  from a running SSH server with the {command}`ssh-keyscan`
+                  command. The public key should not include any host names, only
+                  the key type and the key itself.
+                '';
+              };
+              publicKeyFile = mkOption {
+                default = null;
+                type = types.nullOr types.path;
+                description = ''
+                  The path to the public key file for the host. The public
+                  key file is read at build time and saved in the Nix store.
+                  You can fetch a public key file from a running SSH server
+                  with the {command}`ssh-keyscan` command. The content
+                  of the file should follow the same format as described for
+                  the `publicKey` option. Only a single key
+                  is supported. If a host has multiple keys, use
+                  {option}`programs.ssh.knownHostsFiles` instead.
+                '';
+              };
+            };
+          }
+        )
+      );
+      description = ''
+        The set of system-wide known SSH hosts. To make simple setups more
+        convenient the name of an attribute in this set is used as a host name
+        for the entry. This behaviour can be disabled by setting
+        `hostNames` explicitly. You can use
+        `extraHostNames` to add additional host names without
+        disabling this default.
+      '';
+      example = literalExpression ''
+        {
+          myhost = {
+            extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
+            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
+          };
+          "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
+          "myhost2.net/dsa" = {
+            hostNames = [ "myhost2.net" ];
+            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
+          };
+        }
+      '';
+    };
+  };
+  config.vacu.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
+    name: data: {
+      assertion =
+        (data.publicKey == null && data.publicKeyFile != null)
+        || (data.publicKey != null && data.publicKeyFile == null);
+      message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+    }
+  );
+}

common/units-config.nix

@@ -0,0 +1,35 @@
+{
+  vacu.units.extraUnits = {
+    b = "bit";
+    B = "byte";
+    kibi- = "1024";
+    Ki- = "kibi";
+    mebi- = "1024 kibi";
+    Mi- = "mebi";
+    gibi- = "1024 mebi";
+    Gi- = "gibi";
+    tebi- = "1024 gibi";
+    Ti- = "tebi";
+    pebi- = "1024 tebi";
+    Pi- = "pebi";
+    baud = "bit/s";
+    kbps = "kilobit/s";
+    kibps = "kibibit/s";
+    mbps = "megabit/s";
+    mibps = "mebibit/s";
+    gbps = "gigabit/s";
+    gibps = "gibibit/s";
+    tbps = "terabit/s";
+    tibps = "tebibit/s";
+    pbps = "petabit/s";
+    pibps = "pebibit/s";
+
+    month = "year/12";
+    mo = "month";
+    usd = "USD";
+    dollar = "USD";
+    cent = "0.01 USD";
+    "$" = "USD";
+    BTC = "bitcoin";
+  };
+}

common/units-impl.nix

@@ -0,0 +1,126 @@
+{
+  config,
+  lib,
+  pkgs,
+  vaculib,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+  unitNameRegex =
+    let
+      # Unit  names cannot begin or end with an underscore (‘_’), a comma (‘,’) or a decimal point (‘.’).  Names must not contain any of the operator characters ‘+’, ‘-’, ‘*’, ‘/’, ‘|’, ‘^’, ‘;’, ‘~’, the comment character ‘#’, or parentheses.  To facilitate copying and pasting from documents, several typographical characters are converted to operators: the figure dash (U+2012), minus (‘-’; U+2212), and en dash (‘–’; U+2013) are converted to the operator ‘-’; the multiplication sign (‘×’; U+00D7), N-ary times operator (U+2A09), dot operator (‘⋅’; U+22C5), and middle dot (‘·’; U+00B7) are converted to the operator ‘*’; the division sign (‘÷’; U+00F7) is converted to the operator ‘/’; and the fraction slash (U+2044) is converted to the operator ‘|’; accordingly, none of these characters can appear in unit names.
+      disallowedAnywhere =
+        "+*/|^;~#()" + (builtins.fromJSON ''"\u2012\u2212\u2013\u00d7\u2a09\u22c5\u00b7\u00f7\u2044"'');
+      disallowedMiddle = "-" + disallowedAnywhere;
+      disallowedAtEnd = "23456789_,." + disallowedAnywhere;
+      disallowedAtBegin = "-01" + disallowedAtEnd;
+      anyExcept = chars: "[^${lib.escapeRegex chars}]";
+      singleChar = anyExcept disallowedAtBegin;
+      multiChar = "${anyExcept disallowedAtBegin}${anyExcept disallowedMiddle}*${anyExcept disallowedAtEnd}";
+      numberSuffix = regex: "${regex}_[0-9\\.,]+";
+      fullRegex = "${singleChar}|${multiChar}|${numberSuffix singleChar}|${numberSuffix multiChar}";
+    in
+    fullRegex;
+  unitsAttrsType = types.addCheck (types.attrsOf types.str) (
+    attrs: builtins.all (name: (builtins.match unitNameRegex name) != null) (builtins.attrNames attrs)
+  );
+  unitsDir = pkgs.stdenvNoCC.mkDerivation {
+    name = "vacu-units-files";
+
+    src = pkgs.units.src;
+
+    phases = [
+      "unpackPhase"
+      "installPhase"
+    ];
+
+    installPhase = ''
+      mkdir -p $out
+      cp {definitions,elements}.units $out
+      ln -s ${../units/currency.units} $out/currency.units
+      ln -s ${../units/cpi.units} $out/cpi.units
+      echo ${lib.escapeShellArg config.vacu.units.lines} > $out/vacu.units
+    '';
+  };
+in
+{
+  options.vacu.units = {
+    originalPackage = mkOption {
+      type = types.package;
+      default = pkgs.units;
+    };
+    finalPackage = mkOption {
+      type = types.package;
+      readOnly = true;
+    };
+    check = mkOption {
+      type = types.package;
+      readOnly = true;
+    };
+    generatedConfigDir = mkOption {
+      readOnly = true;
+      type = types.package;
+    };
+    generatedConfigFile = mkOption {
+      readOnly = true;
+      type = types.pathInStore;
+    };
+    lines = mkOption {
+      default = "";
+      type = types.lines;
+    };
+    extraUnits = mkOption {
+      type = unitsAttrsType;
+      default = { };
+    };
+  };
+  config = lib.mkMerge [
+    {
+      vacu.units = {
+        finalPackage = vaculib.makeWrapper {
+          original = config.vacu.units.originalPackage;
+          new = "units";
+          prepend_flags = [
+            "--file"
+            config.vacu.units.generatedConfigFile
+          ];
+        };
+        generatedConfigDir = unitsDir;
+        generatedConfigFile = "${unitsDir}/vacu.units";
+        lines = lib.mkOrder 750 ''
+          # default units file, includes elements.units, currency.units, cpi.units
+          !include definitions.units
+        '';
+      };
+      vacu.textChecks.units-config = ''
+        # `units --check` returns success (exit code 0) regardless of success >:(
+        # example output:
+
+        # $ result/bin/units --check
+        # Currency exchange rates from exchangerate-api.com (USD base) on 2024-11-14 
+        # Consumer price index data from US BLS, 2024-02-18 
+        # 7247 units, 125 prefixes, 134 nonlinear units
+        #
+
+        output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
+        echo "$output"
+        filteredLines="$(echo "$output" \
+          | grep -v '^\s*$' \
+          | grep -v 'Currency exchange rates from' \
+          | grep -v 'Consumer price index data from' \
+          | grep -vE '[0-9]+ units, [0-9]+ prefixes, [0-9]+ nonlinear units' || true
+        )"
+        if [[ -n "$filteredLines" ]]; then
+          exit 1
+        fi
+        touch $out
+      '';
+    }
+    {
+      vacu.units.lines = lib.concatStringsSep "\n" (
+        lib.mapAttrsToList (name: value: "+${name}	${value}") config.vacu.units.extraUnits
+      );
+    }
+  ];
+}

common/verify-system/default.nix

@@ -0,0 +1,61 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption mkEnableOption types;
+  cfg = config.vacu.verifySystem;
+in
+{
+  imports = [ ./nixos.nix ];
+  options.vacu.verifySystem = {
+    enable = (mkEnableOption "verify system is what is expected") // {
+      default = false;
+    };
+    verifiers = mkOption {
+      default = { };
+      type = types.attrsOf (
+        types.submodule (
+          { name, config, ... }:
+          {
+            options = {
+              enable = mkEnableOption "Enable system ident check ${name}";
+              name = mkOption {
+                type = types.str;
+                default = name;
+              };
+              script = mkOption {
+                type = types.lines;
+                default = "## system ident check ${config.name}";
+              };
+            };
+          }
+        )
+      );
+    };
+
+    verifyAllScript =
+      let
+        verifiers = (builtins.attrValues cfg.verifiers);
+        enabled = builtins.filter (s: s.enable) verifiers;
+        files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
+        script = ''
+                  ## vacu verify-system
+          	for f in ${lib.concatStringsSep " " files}; do
+          	  echo "verifying system with $f"
+          	  if ! source $f; then
+          	    echo "ERR: $f failed" >&2
+          	    return 1
+          	  fi
+          	done
+        '';
+        scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
+      in
+      mkOption {
+        readOnly = true;
+        default = scriptFile;
+      };
+  };
+}

common/verify-system/nixos.nix

@@ -0,0 +1,66 @@
+{
+  lib,
+  config,
+  pkgs,
+  vacuModuleType,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+in
+lib.optionalAttrs (vacuModuleType == "nixos") {
+  options.vacu.verifySystem.expectedMac = mkOption {
+    type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}");
+    default = null;
+  };
+  config = lib.mkIf config.vacu.verifySystem.enable {
+    # system.activationScripts."00-verify-system" = {
+    #   text = "if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit $?; fi";
+    #   supportsDryActivation = true;
+    # };
+
+    system.extraSystemBuilderCmds = ''
+      mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
+      cat <<EOF > $out/bin/switch-to-configuration
+      #!${pkgs.bash}/bin/bash
+      oldpath="$PATH"
+      export PATH="${pkgs.coreutils}/bin"
+      if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
+      export PATH="$oldpath"
+      exec $out/bin/.switch-to-configuration-unverified "\$@"
+      EOF
+
+      ${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
+    '';
+
+    vacu.verifySystem.verifiers = {
+      hostname = {
+        enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
+        script = ''
+          expected=${config.networking.hostName}
+          actual=$(cat /proc/sys/kernel/hostname)
+          if [[ "$expected" != "$actual" ]]; then
+            echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
+            return 1
+          fi
+        '';
+      };
+      expectedMac = {
+        enable = config.vacu.verifySystem.expectedMac != null;
+        script = ''
+          	   expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
+          	   declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten | join("\n")' -r))
+          	   for ifMac in "''${actual[@]}"; do
+                       if [[ "$ifMac" == "$expected" ]]; then
+          	       # all is well
+          	       return 0
+          	      fi
+          	   done
+          	   echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
+          	   echo "     Found MAC addresses: ''${actual[*]}" >&2
+          	   return 1
+          	 '';
+      };
+    };
+  };
+}

compute-deck/bluetooth.nix

@@ -1,6 +1,7 @@
-{ ... }: {
-hardware.bluetooth.enable = true;
-hardware.bluetooth.powerOnBoot = true;
+{ ... }:
+{
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
 
-services.blueman.enable = true;
+  services.blueman.enable = true;
 }

compute-deck/default.nix

@@ -1,18 +1,19 @@
-{ config, pkgs, lib, jovian, inputs, ... }:
-
+{
+  pkgs,
+  inputs,
+  ...
+}:
 {
   imports = [
     inputs.jovian.nixosModules.jovian
-    inputs.disko.nixosModules.default
-    inputs.homeManager.nixosModules.default
+    # inputs.disko.nixosModules.default
+    inputs.home-manager.nixosModules.default
     ./hardware.nix
-    ./partitioning.nix
     ./home.nix
     ./bluetooth.nix
+    ./partitioning.nix
     ./padtype.nix
-    ../common-nixos-config.nix
   ];
-  system.nixos.tags = [ "host-${config.networking.hostName}" ];
 
   boot.loader.systemd-boot.enable = false;
   boot.loader.efi.efiSysMountPoint = "/boot/EFI";
@@ -23,7 +24,10 @@
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
-  networking.hostName = "compute-deck";
+  vacu.hostName = "compute-deck";
+  vacu.shortHostName = "cd";
+  vacu.shell.color = "blue";
+  vacu.systemKind = "desktop";
   networking.hostId = "e595d9b0";
 
   boot.supportedFilesystems = [ "zfs" ];
@@ -37,40 +41,35 @@
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
+  services.desktopManager.plasma6.enable = true;
 
   services.openssh.enable = true;
 
-  environment.systemPackages = with pkgs; [
+  vacu.packages = with pkgs; [
     audacity
     librewolf
+    brave
     jupiter-hw-support
     steamdeck-firmware
     steamdeck-bios-fwupd
-    cargo
-    clippy
-    rust-analyzer
-    rustc
-    rustfmt
-    rustup
   ];
 
-  boot.kernelPatches = [
-    {
-      name = "gadget";
-      patch = null;
-      extraStructuredConfig = with lib.kernel; {
-        USB_ETH=module;
-        USB_GADGET=yes;
-        USB_LIBCOMPOSITE=yes;
-        USB_CONFIGFS=yes;
-        USB_DWC3=module;
-        USB_DWC3_PCI=module;
-        USB_DWC3_DUAL_ROLE=yes;
-        USB_DWC3_HOST=no;
-        USB_DWC3_GADGET=no;
-        USB_ROLE_SWITCH=yes;
-      };
-    }
-  ];
+  # boot.kernelPatches = [
+  #   {
+  #     name = "gadget";
+  #     patch = null;
+  #     extraStructuredConfig = with lib.kernel; {
+  #       USB_ETH=module;
+  #       USB_GADGET=yes;
+  #       USB_LIBCOMPOSITE=yes;
+  #       USB_CONFIGFS=yes;
+  #       USB_DWC3=module;
+  #       USB_DWC3_PCI=module;
+  #       USB_DWC3_DUAL_ROLE=yes;
+  #       USB_DWC3_HOST=no;
+  #       USB_DWC3_GADGET=no;
+  #       USB_ROLE_SWITCH=yes;
+  #     };
+  #   }
+  # ];
 }

compute-deck/hardware.nix

@@ -1,51 +1,61 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "usbhid"
+    "sdhci_pci"
+    "dwc3_pci"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-/*
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-      fsType = "btrfs";
-      options = [ "subvol=root" ];
-    };
+  /*
+    fileSystems."/" =
+      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+        fsType = "btrfs";
+        options = [ "subvol=root" ];
+      };
 
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
+    fileSystems."/home" =
+      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+        fsType = "btrfs";
+        options = [ "subvol=home" ];
+      };
 
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-      fsType = "btrfs";
-      options = [ "subvol=nix" ];
-    };
+    fileSystems."/nix" =
+      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+        fsType = "btrfs";
+        options = [ "subvol=nix" ];
+      };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-      fsType = "btrfs";
-      options = [ "subvol=boot" ];
-    };
-*/
+    fileSystems."/boot" =
+      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+        fsType = "btrfs";
+        options = [ "subvol=boot" ];
+      };
+  */
 
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
+    fsType = "ext4";
+    options = [ "nofail" ];
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot/EFI" =
-    { device = "/dev/disk/by-uuid/C268-79C8";
-      fsType = "vfat";
-    };
+  fileSystems."/boot/EFI" = {
+    device = "/dev/disk/by-uuid/C268-79C8";
+    fsType = "vfat";
+    options = [ "nofail" ];
+  };
 
   swapDevices = [ ];
 

compute-deck/home.nix

@@ -2,17 +2,15 @@
 {
   home-manager.users.shelvacu = {
     # these make vscode-remote work
-    imports = [
-      inputs.vscode-server.homeModules.default
-    ];
+    imports = [ inputs.vscode-server.homeModules.default ];
     services.vscode-server.enable = true;
 
     home.stateVersion = "23.11";
-    programs.git = {
-      enable = true;
-      userName = "Shelvacu";
-      userEmail = "git@shelvacu.com";
-    };
+    # programs.git = {
+    #   enable = true;
+    #   userName = "Shelvacu";
+    #   userEmail = "git@shelvacu.com";
+    # };
     programs.librewolf = {
       enable = true;
 

compute-deck/padtype.nix

@@ -1,8 +1,10 @@
-{ inputs, ... }: let
+{ inputs, ... }:
+let
   padtype-pkg = inputs.padtype.packages."x86_64-linux".default;
-in {
+in
+{
   environment.systemPackages = [ padtype-pkg ];
-  
+
   systemd.services."padtype" = {
     wantedBy = [ "multi-user.target" ];
     script = "${padtype-pkg}/bin/padtype";

compute-deck/partitioning.nix

@@ -1,5 +1,6 @@
-{ ... }:
+{ inputs, ... }:
 {
+  imports = [ inputs.disko.nixosModules.default ];
   disko.devices.disk.blarg = {
     device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
     content = {
@@ -13,20 +14,29 @@
         subvolumes = {
           "/root" = {
             mountpoint = "/";
-            mountOptions = [ "compress=zstd" "noatime" ];
+            mountOptions = [
+              "compress=zstd"
+              "noatime"
+            ];
           };
           "/home" = {
             mountpoint = "/home";
-            mountOptions = [ "compress=zstd" "noatime" ];
+            mountOptions = [
+              "compress=zstd"
+              "noatime"
+            ];
           };
           "/nix" = {
             mountpoint = "/nix";
-            mountOptions = [ "compress=zstd" "noatime" ];
+            mountOptions = [
+              "compress=zstd"
+              "noatime"
+            ];
           };
-#           "/swap" = {
-#             mountpoint = "/.swapvol";
-#             swap.swapfile.size = "20M";
-#           };
+          #           "/swap" = {
+          #             mountpoint = "/.swapvol";
+          #             swap.swapfile.size = "20M";
+          #           };
         };
       };
     };

dcd

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo "$@"

deterministic-certs.nix

@@ -0,0 +1,88 @@
+{
+  nixpkgs ? import <nixpkgs>,
+}:
+let
+  pkgs = nixpkgs;
+  lib = nixpkgs.lib;
+  defaultCertTemplate = {
+    serial = 1;
+    activation_date = "1970-01-01 00:00:00 UTC";
+    expiration_date = "2500-01-01 00:00:00 UTC";
+  };
+  keyValToConfigLines = (
+    key: value:
+    if (builtins.isString value) || (builtins.isPath value) then
+      ''${key} = "${value}"''
+    else if builtins.isInt value then
+      "${key} = ${builtins.toString value}"
+    else if builtins.isList value then
+      map (innerValue: keyValToConfigLines key innerValue)
+    else if builtins.isBool value then
+      (if value then "${key}" else "# no ${key}")
+    else
+      throw "don't know how to handle ${builtins.typeOf value}"
+  );
+  mkTemplateConfig =
+    config:
+    lib.concatStringsSep "\n" (
+      lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config)
+    );
+  privKeyFile =
+    name:
+    let
+      keySizeBits = 256;
+      keySizeHex = builtins.toString (keySizeBits / 4);
+    in
+    pkgs.runCommand "deterministic-privkey-${name}.pem" { } ''
+      seed=$(echo ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
+      ${pkgs.gnutls}/bin/certtool --generate-privkey --outfile=$out --key-type=rsa --sec-param=high --seed=$seed
+    '';
+  generateCert =
+    {
+      name,
+      config,
+      args,
+      preCommands ? "",
+    }:
+    let
+      deriv = pkgs.runCommand "deterministic-cert-${name}" { } ''
+        mkdir -p $out
+        cd $out
+        ln -s ${privKeyFile name} privkey.pem
+        ln -s ${
+          pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))
+        } template.cfg
+        ${preCommands}
+        ${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
+      '';
+    in
+    deriv
+    // {
+      privateKeyPath = "${deriv}/privkey.pem";
+      certificatePath = "${deriv}/cert.pem";
+    };
+
+in
+{
+  inherit privKeyFile;
+  selfSigned =
+    name: config:
+    generateCert {
+      inherit name config;
+      args = [ "--generate-self-signed" ];
+    };
+  caSigned =
+    name: ca: config:
+    generateCert {
+      inherit name config;
+      preCommands = ''
+        ln -s ${ca.privateKeyPath} ca-privkey.pem
+        ln -s ${ca.certificatePath} ca-cert.pem
+      '';
+      args = [
+        "--generate-certificate"
+        "--load-ca-certificate=ca-cert.pem"
+        "--load-ca-privkey=ca-privkey.pem"
+      ];
+    };
+}

devver/default.nix

@@ -1,36 +0,0 @@
-{ config, pkgs, lib, inputs, ... }:
-
-{
-  imports = [
-    inputs.homeManager.nixosModules.default
-    # inputs.microvm.nixosModules.microvm
-    ../common-nixos-config.nix
-  ];
-  system.nixos.tags = [ "host-${config.networking.hostName}" ];
-  networking.hostName = "devver";
-  boot.loader.external.enable = true;
-  boot.loader.external.installHook = pkgs.writeScript "vacuDirectBootInstaller" ''
-    #TODO: probably copy kernel/initrd to root
-    (echo "vacuDirectBootInstaller"; for a in "$@";do echo "$a";done) 1>&2
-    exit 0
-  '';
-
-  fileSystems."/" = {
-    fsType = "9p";
-    device = "root";
-    options = [
-      "trans=virtio"
-      "msize=104857600"
-      "access=any"
-      "version=9p2000.L"
-      "posixacl"
-      "cache=mmap"
-    ];
-  };
-
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-
-  services.openssh.enable = true;
-
-  system.stateVersion = "23.11";
-}

dliam

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo "$@"

dmmm

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+git add . && nixos-rebuild --flake .#mmm --build-host trip --target-host mmm --use-remote-sudo "$@"

dns/default.nix

@@ -0,0 +1,71 @@
+{
+  dns,
+  lib,
+  vaculib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption types singleton;
+  inherit (vaculib) mkOutOption;
+  inherit (dns.lib.combinators)
+    spf
+    mx
+    ttl
+    ns
+    ;
+  cfg = config.vacu.dnsData;
+in
+{
+  imports = [
+    ./jean-luc.org.nix
+    ./pwrhs.win.nix
+    ./shelvacu.miras.pet.nix
+    ./for.miras.pet.nix
+  ];
+  options.vacu.dns = mkOption {
+    default = { };
+    type = types.attrsOf dns.lib.types.zone;
+  };
+  options.vacu.dnsData = {
+    tripPublicV4 = mkOutOption "172.83.159.53";
+    cloudnsNameServers = mkOutOption [
+      "ns1.shelvacu.com."
+      "ns2.shelvacu.com."
+      "ns3.shelvacu.com."
+      "ns4.shelvacu.com."
+    ];
+    cloudnsSoa = mkOutOption (
+      ttl (60 * 60) {
+        nameServer = lib.head cfg.cloudnsNameServers;
+        adminEmail = "support@cloudns.net";
+        serial = 2025013101;
+        refresh = 7200;
+        retry = 1800;
+        expire = 1209600;
+        minimum = 3600;
+      }
+    );
+    dkimKeys.liam = mkOutOption {
+      name = "2024-03-liam";
+      content = "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==";
+    };
+    modules.cloudns = mkOutOption {
+      SOA = cfg.cloudnsSoa;
+      NS = map (s: ttl (60 * 60) (ns s)) cfg.cloudnsNameServers;
+      TTL = lib.mkDefault 300;
+    };
+    modules.liamMail = mkOutOption {
+      MX = singleton (mx.mx 0 "liam.dis8.net.");
+      TXT = singleton (
+        spf.strict [
+          "mx"
+          "include:outbound.mailhop.org"
+          "include:_spf.mailersend.net"
+          "a:relay.dynu.com"
+        ]
+      );
+      subdomains."${cfg.dkimKeys.liam.name}._domainkey".TXT = singleton cfg.dkimKeys.liam.content;
+    };
+  };
+}

dns/for.miras.pet.nix

@@ -0,0 +1,21 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."for.miras.pet" =
+    { ... }:
+    {
+      imports = [ dnsData.modules.cloudns ];
+      SOA.minimum = lib.mkForce 30;
+      subdomains = {
+        "git".A = singleton dnsData.tripPublicV4;
+        "auth".A = singleton dnsData.tripPublicV4;
+        "wisdom".A = singleton dnsData.tripPublicV4;
+        "chat".A = singleton dnsData.tripPublicV4;
+        "gabriel-dropout".A = singleton dnsData.tripPublicV4;
+        "_acme-challenge".CNAME = singleton "199b8aa4-bc9f-4f43-88bf-3f613f62b663.auwwth.dis8.net.";
+      };
+    };
+}

dns/jean-luc.org.nix

@@ -0,0 +1,30 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+  main_ips = singleton dnsData.tripPublicV4;
+in
+{
+  vacu.dns."jean-luc.org" =
+    { ... }:
+    {
+      imports = [
+        dnsData.modules.cloudns
+        dnsData.modules.liamMail
+      ];
+      A = main_ips;
+      subdomains = {
+        "in" =
+          { ... }:
+          {
+            imports = [ dnsData.modules.liamMail ];
+          };
+        "*".A = main_ips;
+        "_acme-challenge".CNAME = singleton "8cc7a174-c4a6-40f5-9fff-dfb271c5ce0b.auwwth.dis8.net.";
+        "stats".A = main_ips;
+        "tdi-readings".CNAME = singleton "d20l6bh1gp7s8.cloudfront.net.";
+        "_a908498ee692a9729bf12e161ae1887d.tdi-readings".CNAME =
+          singleton "_1f055e4fc0f439e67304a33945d09002.hkvuiqjoua.acm-validations.aws.";
+      };
+    };
+}

dns/pwrhs.win.nix

@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."pwrhs.win" =
+    { ... }:
+    {
+      imports = [ dnsData.modules.cloudns ];
+      A = singleton dnsData.tripPublicV4;
+      subdomains.habitat.A = singleton dnsData.tripPublicV4;
+      subdomains._acme-challenge.CNAME = singleton "73697955-1c51-48ba-ba1e-b3398850f59f.auwwth.dis8.net.";
+    };
+}

dns/shelvacu.miras.pet.nix

@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+let
+  inherit (lib) singleton;
+  inherit (config.vacu) dnsData;
+in
+{
+  vacu.dns."shelvacu.miras.pet" =
+    { ... }:
+    {
+      imports = [
+        dnsData.modules.cloudns
+        dnsData.modules.liamMail
+      ];
+      A = singleton dnsData.tripPublicV4;
+      subdomains."_acme-challenge".CNAME =
+        singleton "65e44f64-3c65-46f6-b15f-4ad6363b21eb.auwwth.dis8.net.";
+    };
+}

dtrip

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo $@
+git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo "$@"

flake.nix

@@ -1,134 +1,495 @@
 {
-  description = "Config for triple-dezert server";
+  description = "Configs for shelvacu's nix things";
 
   inputs = {
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
-    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs.url = "nixpkgs/nixos-24.11-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
+
+    flake-utils.url = "github:numtide/flake-utils";
+    nixvim = {
+      url = "github:nix-community/nixvim/nixos-24.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+    nixvim-unstable = {
+      url = "github:nix-community/nixvim";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
     nix-inspect = {
       url = "github:bluskript/nix-inspect";
-      #inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nix-inspect-unstable = {
+      url = "github:bluskript/nix-inspect";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    vscode-server-unstable = {
+      url = "github:nix-community/nixos-vscode-server";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.flake-utils.follows = "flake-utils";
     };
     vscode-server = {
       url = "github:nix-community/nixos-vscode-server";
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
     };
     nix-on-droid = {
-      url = "github:nix-community/nix-on-droid/release-23.05";
+      url = "github:nix-community/nix-on-droid";
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
     };
-    jovian = {
+    jovian-unstable = {
+      # there is no stable jovian :cry:
       url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
     disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko-unstable = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    homeManager = {
-      url = "github:nix-community/home-manager/master";
+    home-manager = {
+      url = "github:nix-community/home-manager/release-24.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    home-manager-unstable = {
+      url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+    nix-search-cli-unstable = {
+      url = "github:peterldowns/nix-search-cli";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.flake-utils.follows = "flake-utils";
+    };
     nix-search-cli = {
       url = "github:peterldowns/nix-search-cli";
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
     };
-    padtype = {
-      url = "gitlab:shelvacu/padtype";
-      inputs.nixpkgs.follows = "nixpkgs";
+    padtype-unstable = {
+      url = "git+https://git.uninsane.org/shelvacu/padtype.git";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    microvm = {
-      url = "github:astro/microvm.nix";
+    nixos-hardware.url = "github:nixos/nixos-hardware";
+    most-winningest = {
+      url = "github:captain-jean-luc/most-winningest";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+    nixos-apple-silicon-unstable = {
+      url = "github:tpwrules/nixos-apple-silicon";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
+    dns = {
+      url = "github:nix-community/dns.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    determinate-nix = {
+      url = "https://flakehub.com/f/DeterminateSystems/nix-src/3.0.0";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    determinate-nix-unstable = {
+      url = "https://flakehub.com/f/DeterminateSystems/nix-src/3.0.0";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
   };
 
-  outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
-    debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
-    nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
-      system =  "x86_64-linux";
-      modules = [ ./triple-dezert ];
-      specialArgs = { inherit inputs; };
-    };
-
-    nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [ ./compute-deck ];
-      specialArgs = { inherit inputs; };
-    };
-
-    nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
-      system =  "x86_64-linux";
-      modules = [ ./liam ];
-      specialArgs = { inherit inputs; };
-    };
-
-    nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [ ./lp0 ];
-      specialArgs = { inherit inputs; };
-    };
-    
-    nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [ ./installer.nix ];
-      specialArgs = { inherit inputs; };
-    };
-
-    nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
-      system =  "x86_64-linux";
-      modules = [ ./devver ];
-      specialArgs = { inherit inputs; };
-    };
-
-    nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
-      modules = [ ./nix-on-droid.nix ];
-      extraSpecialArgs = { inherit inputs; };
-    };
-
-    diskoConfigurations.compute-deck = import ./compute-deck/partitioning.nix;
-
-    checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
-      let
-        pkgs = nixpkgs.legacyPackages.${system};
-        config = {
-          node.pkgs = pkgs;
-          node.pkgsReadOnly = false;
-          node.specialArgs.selfPackages = self.packages.${system};
-          node.specialArgs.inputs = inputs;
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nix-on-droid,
+      ...
+    }@inputs:
+    let
+      x86 = "x86_64-linux";
+      arm = "aarch64-linux";
+      lib = import "${nixpkgs}/lib";
+      overlays = import ./overlays;
+      mkPlainInner =
+        pkgs:
+        lib.evalModules {
+          modules = [
+            ./common
+            { vacu.systemKind = "server"; }
+          ];
+          specialArgs = {
+            inherit pkgs;
+            inherit lib;
+            inherit (inputs) dns;
+            vacuModuleType = "plain";
+            inherit inputs;
+          };
         };
+      mkPlain =
+        pkgs:
+        let
+          inner = mkPlainInner pkgs;
+        in
+        inner.config.vacu.withAsserts inner;
+      mkPkgs =
+        arg:
+        let
+          argAttrAll = if builtins.isString arg then { system = arg; } else arg;
+          useUnstable = argAttrAll.useUnstable or false;
+          whichpkgs = if useUnstable then inputs.nixpkgs-unstable else inputs.nixpkgs;
+          argAttr = lib.removeAttrs argAttrAll [ "useUnstable" ];
+          config = {
+            allowUnfree = true;
+            permittedInsecurePackages = [ "olm-3.2.16" ];
+          } // (argAttr.config or { });
+        in
+        import whichpkgs (
+          argAttr // { inherit config; } // { overlays = (argAttr.overlays or [ ]) ++ overlays; }
+        );
+      pkgs = mkPkgs x86;
+      defaultInputs = [
+        "nix-search-cli"
+        "nix-inspect"
+        "nixvim"
+        "determinate-nix"
+      ];
+      mkInputs =
+        {
+          unstable ? false,
+          inp ? [ ],
+        }:
+        let
+          suffix = if unstable then "-unstable" else "";
+          nixpkgs = inputs.${"nixpkgs" + suffix};
+          inp' = inp ++ defaultInputs;
+          thisInputsA = builtins.listToAttrs (
+            map (name: lib.nameValuePair name inputs.${name + suffix}) inp'
+          );
+        in
+          thisInputsA // {
+            inherit nixpkgs;
+            inherit (inputs) self;
+          };
+      mkNixosConfig =
+        {
+          unstable ? false,
+          module,
+          system ? "x86_64-linux",
+          inp ? [ ],
+        }:
+        let
+          inputs = mkInputs { inherit unstable inp; };
+        in
+        inputs.nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            inherit inputs;
+            inherit (inputs) dns;
+            vacuModuleType = "nixos";
+          };
+          inherit system;
+          modules = [
+            ./common
+            module
+          ];
+        };
+    in
+    {
+      debug.isoDeriv = (
+        import "${inputs.nixpkgs}/nixos/release-small.nix" {
+          nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
+        }
+      );
+      nixosConfigurations = {
+        triple-dezert = mkNixosConfig {
+          module = ./triple-dezert;
+          inp = [ "most-winningest" "sops-nix" ];
+        };
+        compute-deck = mkNixosConfig {
+          module = ./compute-deck;
+          inp = [
+            "jovian"
+            "home-manager"
+            "vscode-server"
+            "disko"
+            "padtype"
+          ];
+          unstable = true;
+        };
+        liam = mkNixosConfig {
+          module = ./liam;
+          inp = [ "sops-nix" ];
+        };
+        lp0 = mkNixosConfig { module = ./lp0; };
+        shel-installer = mkNixosConfig { module = ./installer.nix; };
+        fw = mkNixosConfig {
+          module = ./fw;
+          inp = [
+            "nixos-hardware"
+            "sops-nix"
+          ];
+        };
+        legtop = mkNixosConfig {
+          module = ./legtop;
+          inp = [ "nixos-hardware" ];
+        };
+        mmm = mkNixosConfig {
+          module = ./mmm;
+          inp = [ "nixos-apple-silicon" ];
+          system = "aarch64-linux";
+          unstable = true;
+        };
+        toptop = mkNixosConfig {
+          module = ./toptop;
+          system = "x86_64-linux";
+        };
+      };
+
+      nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
+        modules = [
+          ./common
+          ./nix-on-droid
+        ];
+        extraSpecialArgs = {
+          inputs = mkInputs { };
+          inherit (inputs) dns;
+          vacuModuleType = "nix-on-droid";
+        };
+        pkgs = mkPkgs {
+          system = arm;
+        };
+      };
+
+      checks = nixpkgs.lib.genAttrs [ x86 ] (
+        system:
+        let
+          pkgs = mkPkgs system;
+          plain = mkPlain pkgs;
+          config = {
+            node.pkgs = pkgs;
+            node.pkgsReadOnly = false;
+            node.specialArgs.selfPackages = self.packages.${system};
+            node.specialArgs.vacuModuleType = "nixos";
+          };
+          checksFromConfig = plain.config.vacu.checks;
+        in
+        assert !(checksFromConfig ? liam) && !(checksFromConfig ? trip);
+        checksFromConfig
+        // {
+          liam = nixpkgs.lib.nixos.runTest {
+            hostPkgs = pkgs;
+            imports = [
+              config
+              ./tests/liam.nix
+              { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
+            ];
+          };
+          trip = nixpkgs.lib.nixos.runTest {
+            hostPkgs = pkgs;
+            imports = [
+              config
+              ./tests/triple-dezert.nix
+              { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
+            ];
+          };
+        }
+      );
+
+      qb = # qb is "quick build"
+        let
+          toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
+          deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; };
+          renamedAarchPackages = lib.mapAttrs' (
+            name: value: lib.nameValuePair (name + "-aarch64") value
+          ) self.packages.aarch64-linux;
+          packages = self.packages.x86_64-linux // renamedAarchPackages;
+        in
+        rec {
+          fw = toplevelOf "fw";
+          triple-dezert = toplevelOf "triple-dezert";
+          trip = triple-dezert;
+          compute-deck = toplevelOf "compute-deck";
+          cd = compute-deck;
+          liam = toplevelOf "liam";
+          lp0 = toplevelOf "lp0";
+          legtop = toplevelOf "legtop";
+          lt = legtop;
+          mmm = toplevelOf "mmm";
+          shel-installer = toplevelOf "shel-installer";
+          toptop = toplevelOf "toptop";
+          tt = toptop;
+          iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
+          check-triple-dezert = self.checks.x86_64-linux.trip.driver;
+          check-trip = check-triple-dezert;
+          check-liam = self.checks.x86_64-linux.liam.driver;
+
+          nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
+          nod = nix-on-droid;
+
+          nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
+          nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
+
+          dc-priv = deterministicCerts.privKeyFile "test";
+          dc-cert = deterministicCerts.selfSigned "test" { };
+
+          # sm64 = packages.sm64coopdx;
+          ak = packages.authorizedKeys;
+          my-sops = packages.wrappedSops;
+
+          inherit (inputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
+            m1n1
+            uboot-asahi
+            installer-bootstrap
+            ;
+          installer-bootstrap-cross =
+            inputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
+        }
+        // packages;
+
+      brokenBuilds = [
+        "sm64coopdx-aarch64"
+        "installer-bootstrap"
+      ];
+
+      all =
+        let
+          linksNoContext = removeAttrs self.qb self.brokenBuilds;
+          links = builtins.mapAttrs (
+            name: val: builtins.addErrorContext "while evaluating link ${name}" val
+          ) linksNoContext;
+        in
+        pkgs.runCommand "nix-stuff-all"
+          {
+            __structuredAttrs = true;
+            inherit links;
+          }
+          ''
+            mkdir $out
+            cd $out
+            eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
+          '';
+
+      impureBuilds = [
+        "nix-on-droid"
+        "nod"
+        "nod-bootstrap-x86_64"
+        "nod-bootstrap-aarch64"
+      ];
+
+      allPure = self.all.overrideAttrs (prev: {
+        links = removeAttrs prev.links self.impureBuilds;
+      });
+
+      archiveSmall =
+        let
+          # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
+          isoContents = lib.concatStringsSep "\n" (
+            map (
+              c: "${c.source} => ${c.target}"
+            ) self.nixosConfigurations.shel-installer.config.isoImage.contents
+          );
+          isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
+          allButImgs = self.all.overrideAttrs (prev: {
+            links = (removeAttrs prev.links [ "iso" ]) // {
+              iso-contents = isoContentsPkg;
+            };
+          });
+        in
+        allButImgs;
+
+      archive =
+        let
+          inherit (self) archiveSmall;
+        in
+        archiveSmall.overrideAttrs (prev: {
+          links = prev.links // {
+            build-deps = pkgs.closureInfo { rootPaths = [ archiveSmall.drvPath ]; };
+          };
+        });
+    }
+    // (inputs.flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        nixpkgs-args = {
+          inherit system;
+          config.allowUnfree = true;
+          overlays = [ inputs.sm64baserom.overlays.default ];
+        };
+        pkgs-unstable = mkPkgs nixpkgs-args // {
+          useUnstable = true;
+        };
+        pkgs-stable = mkPkgs nixpkgs-args // {
+          useUnstable = false;
+        };
+        _plain = mkPlain pkgs-unstable;
+        plain = _plain.config.vacu.withAsserts _plain;
+        treefmtEval = inputs.treefmt-nix.lib.evalModule pkgs-unstable ./treefmt.nix;
       in
       {
-        liam = nixpkgs.lib.nixos.runTest {
-          hostPkgs = pkgs;
-          imports = [ config ./tests/liam.nix ];
+        formatter = treefmtEval.config.build.wrapper;
+        apps.sops = {
+          type = "app";
+          program = lib.getExe self.packages.${system}.wrappedSops;
         };
-        trip = nixpkgs.lib.nixos.runTest {
-          hostPkgs = pkgs;
-          imports = [ config ./tests/triple-dezert.nix ];
+        vacuconfig = plain.config;
+        legacyPackages = {
+          unstable = pkgs-unstable;
+          stable = pkgs-stable;
+        };
+        packages = rec {
+          authorizedKeys = pkgs-stable.writeText "authorizedKeys" (
+            lib.concatStringsSep "\n" (
+              lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys
+            )
+          );
+          bandcamp-collection-downloader = pkgs-unstable.callPackage ./packages/bcd { };
+          bcd = bandcamp-collection-downloader;
+          dnix = inputs.determinate-nix.packages.${system}.nix;
+          dns = import ./scripts/dns {
+            inherit pkgs lib inputs;
+            inherit (plain) config;
+          };
+          haproxy-auth-request = pkgs.callPackage ./packages/haproxy-auth-request.nix {
+            inherit haproxy-lua-http;
+          };
+          haproxy-lua-http = pkgs.callPackage ./packages/haproxy-lua-http.nix { };
+          liam-sieve-script = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
+          nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
+            extraSpecialArgs = {
+              inputs = { };
+            };
+            module = {
+              imports = [ ./nixvim ];
+            };
+          };
+          nix-inspect = inputs.nix-inspect.packages.${system}.default;
+          nix-search-cli = inputs.nix-search-cli.packages.${system}.default;
+          openterface-qt = pkgs.callPackage ./packages/openterface-qt.nix { };
+          rg-cubexx-v1-0-1 = pkgs.fetchurlWithWetransfer {
+            url = "https://we.tl/t-nwhCNkgXwG";
+            name = "cxm_rgcubexx-v1-0-1-en32gb-2401018_2024-10-19_0631.zip";
+            recursiveHash = true;
+            hash = "sha256-kQds0/BdlEA10LJozOvpQ65TemTx6CxjO8rANi4o5K0=";
+          };
+          sopsConfig = plain.config.vacu.sopsConfigFile;
+          sourceTree = plain.config.vacu.sourceTree;
+          transferwee = pkgs.callPackage ./packages/transferwee.nix { };
+          units = plain.config.vacu.units.finalPackage;
+          update-git-keys = pkgs-stable.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; };
+          vnopnCA = pkgs-stable.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
+          wrappedSops = plain.config.vacu.wrappedSops;
+          z3 = pkgs-unstable.callPackage ./packages/z3 { };
+          # mycoopdx = pkgs-unstable.callPackage ./packages/sm64coopdx.nix { };
+          # zulip-server = pkgs.python312Packages.callPackage ./packages/zulip.nix { };
         };
-        # trip_haproxy_config = let
-        #   hacfg = self.nixosConfigurations.triple-dezert.config.containers.frontproxy.config.services.haproxy;
-        # in pkgs.stdenvNoCC.mkDerivation {
-        #   name = "trip-haproxy-config-check";
-        #   script = ''
-        #     mkdir -p certs/shelvacu.com/
-        #     touch certs/shelvacu.com/full.pem
-        #     ${hacfg.package}/bin/haproxy \
-        #       -f ${pkgs.writeText "haproxy-config" hacfg.config} \
-        #       -c \
-        #       -dW \
-        #       -dD \
-        #       -C $PWD
-        #   '';
-        # };
       }
-    );
-
-    nixosModules.common = import ./common-config.nix;
-    packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
-  };
+    ));
 }

fw/android.nix

@@ -0,0 +1,5 @@
+{ pkgs, ... }:
+{
+  vacu.packages = pkgs.androidStudioPackages.stable.all;
+  users.users.shelvacu.extraGroups = [ "kvm" ];
+}

fw/apex.nix

@@ -0,0 +1,69 @@
+# everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
+{ pkgs, config, ... }:
+let
+  # to match package used in config.services.pcscd, unfortunately not exposed like usual
+  pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
+in
+{
+  # apparently this is already enabled??
+  # nixpkgs.overlays = [ ( final: prev: {
+  #   libfido2 = prev.libfido2.override { withPcsclite = true; };
+  # } ) ];
+  vacu.packages =
+    (with pkgs; [
+      libfido2
+      pcsc-tools
+      scmccid
+      opensc
+    ])
+    ++ [ pcsclite-pkg ];
+
+  services.pcscd.enable = true;
+  # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
+  boot.blacklistedKernelModules = [
+    "pn533_usb"
+    "pn533"
+    "nfc"
+  ];
+
+  # bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
+
+  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
+  # (PIN1 for authentication/decryption, PIN2 for signing).
+  # environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
+  #   module: ${pkgs.opensc}/lib/opensc-pkcs11.so
+  # '';
+
+  # environment.etc."opensc.conf".text = ''
+  #   app default {
+  #     reader_driver pcsc {
+  #       enable_pinpad = false;
+  #     }
+  #   }
+  # '';
+
+  environment.systemPackages = [
+    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
+    # security devices, so they can be used for TLS client auth.
+    # Each user needs to run this themselves, it does not work on a system level
+    # due to a bug in Chromium:
+    #
+    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
+    (pkgs.writeShellScriptBin "setup-browser-eid" ''
+      NSSDB="''${HOME}/.pki/nssdb"
+      mkdir -p ''${NSSDB}
+
+      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
+        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
+    '')
+  ];
+
+  programs.firefox.enable = true;
+  #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+
+  # trying CTAP-bridge
+  services.udev.extraRules = ''
+    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
+    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
+  '';
+}

fw/default.nix

@@ -0,0 +1,185 @@
+{ inputs, pkgs, ... }:
+{
+  imports = [
+    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    ./apex.nix
+    ./android.nix
+    ./thunderbolt.nix
+    ./fwupd.nix
+    ./zfs.nix
+    ./virtualbox.nix
+    ./sops.nix
+    ./radicle.nix
+    ./orca-slicer.nix
+    ./tpm-fido.nix
+  ];
+
+  vacu.hostName = "fw";
+  vacu.shell.color = "magenta";
+  vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
+  vacu.systemKind = "desktop";
+
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  networking.networkmanager.enable = true;
+  # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
+
+  services.fprintd.enable = false; # kinda broken
+
+  users.users.shelvacu.extraGroups = [ "dialout" ];
+
+  programs.steam.extraCompatPackages = [ pkgs.proton-ge-bin ];
+
+  vacu.packages =
+    (with pkgs; [
+      bitwarden-desktop
+      nheko
+      librewolf
+      brave
+      thunderbird
+      wl-clipboard
+      nextcloud-client
+      signal-desktop
+      fw-ectool
+      framework-tool
+      iio-sensor-proxy
+      power-profiles-daemon
+      acpi
+      jellyfin-media-player
+      vlc
+      dmidecode
+      prismlauncher
+      "ffmpeg-allvrything"
+      wireshark
+      obsidian
+      dino
+      aircrack-ng
+      libreoffice-qt6-fresh
+      gimp
+      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
+      (inkscape-with-extensions.override { inkscapeExtensions = null; })
+      libsmi
+      net-snmp
+      android-tools
+      ghidra
+      wineWowPackages.stableFull
+      wineWowPackages.fonts
+      winetricks
+      tremotesf
+      smartmontools
+      nvme-cli
+      arduino-ide
+      headsetcontrol
+      OSCAR
+      # makemkv
+      mkvtoolnix-cli
+      flac
+      imagemagickBig
+      anki
+      openshot-qt
+      kdePackages.kdenlive
+      shotcut
+      radicle-node
+      josm
+      merkaartor
+      kaffeine
+      kdePackages.elisa
+      haruna
+      kdePackages.dragon
+      wev
+      svp
+      filezilla
+      mercurial
+    ])
+    ++ [ ];
+
+  networking.firewall.enable = false;
+
+  services.xserver.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.desktopManager.plasma6.enable = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.grub.memtest86.enable = true;
+
+  boot.loader.grub.mirroredBoots = [
+    {
+      devices = [ "nodev" ];
+      path = "/boot0";
+    }
+    {
+      devices = [ "nodev" ];
+      path = "/boot1";
+    }
+  ];
+
+  networking.hostId = "c6e309d5";
+
+  services.openssh.enable = true;
+  system.stateVersion = "23.11"; # Did you read the comment?
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
+  #boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  #boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "fw/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot0" = {
+    device = "/dev/disk/by-label/BOOT0";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+      "nofail"
+    ];
+  };
+
+  fileSystems."/boot1" = {
+    device = "/dev/disk/by-label/BOOT1";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+      "nofail"
+    ];
+  };
+
+  hardware.cpu.amd.updateMicrocode = true;
+  hardware.enableAllFirmware = true;
+  hardware.graphics = {
+    extraPackages = [
+      pkgs.rocmPackages.clr.icd
+      pkgs.amdvlk
+    ];
+  };
+  programs.nix-ld.enable = true;
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true;
+  };
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+  services.blueman.enable = true;
+
+  services.postgresql.enable = true; # for development
+
+  virtualisation.waydroid.enable = true;
+}

fw/experiment.nix

@@ -0,0 +1,43 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  version = "6.10.4";
+  hash = "sha256:1y2m2pqrvsgr9ng72nnh4yvsprkvkznhnmn4p8g78350bzyrvip2";
+  customKernel = pkgs.linux_6_10.override {
+    inherit version;
+    src = pkgs.fetchurl {
+      url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
+      inherit hash;
+    };
+    modDirVersion = lib.versions.pad 3 version;
+  };
+  customKernelPackages = pkgs.linuxPackagesFor customKernel;
+in
+{
+  system.nixos.tags = [
+    "EXPERIMENT"
+    "kernel-${config.boot.kernelPackages.kernel.version}"
+  ];
+
+  boot.kernelPackages = lib.mkForce customKernelPackages;
+  # boot.zfs.extraPools = lib.mkForce [];
+  # fileSystems."/".fsType = lib.mkForce "ext4";
+
+  vacu.packages.sm64coopdx.enable = false;
+  vacu.verifySystem.expectedMac = lib.mkForce null;
+}
+
+# good:
+#  Linux fw 6.6.50 #1-NixOS SMP PREEMPT_DYNAMIC Sun Sep  8 05:54:49 UTC 2024 x86_64 GNU/Linux
+#  Linux fw 6.8.12 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:49:53 UTC 2024 x86_64 GNU/Linux
+#  linux-6.9.12
+#  6.10.4 (maybe?? sus)
+# Linux fw 6.10.10 #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024 x86_64 GNU/Linux (but this was supposed to be 6.10.4....)
+
+# bad:
+# Linux fw 6.10.10-gnu #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan  1 00:00:00 UTC 1980 x86_64 GNU/Linux
+#  linux linux-6.10.10

fw/fwupd.nix

@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+  vacu.packages = [ config.services.fwupd.package ];
+  services.fwupd.enable = true;
+  #fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
+  #update: it didn't work, I dunno why. Leaving this here anyways
+  services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
+}

fw/orca-slicer.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+  vacu.packages.orca-slicer = {
+    enable = true;
+    package = pkgs.orca-slicer.overrideAttrs (prev: {
+      patches = (prev.patches or [ ]) ++ [
+        (pkgs.fetchpatch {
+          name = "pr-7650-configurable-update-check.patch";
+          url = "https://github.com/SoftFever/OrcaSlicer/pull/7650.patch";
+          hash = "sha256-t4own5AwPsLYBsGA15id5IH1ngM0NSuWdFsrxMRXmTk=";
+        })
+      ];
+      cmakeFlags = (prev.cmakeFlags or [ ]) ++ [ "-DORCA_VERSION_CHECK_DEFAULT=OFF" ];
+    });
+  };
+}

fw/radicle.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+  sops.secrets.radicle-key = {
+    sopsFile = ../secrets/radicle-private.key;
+    format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
+  };
+  services.radicle = {
+    enable = false;
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
+    privateKeyFile = config.sops.secrets.radicle-key.path;
+    settings = {
+      node.alias = "shelvacu-fw";
+      seedingPolicy.default = "block";
+    };
+  };
+}

fw/sops.nix

@@ -0,0 +1,19 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  options.vacu.secretsFolder = lib.mkOption {
+    type = lib.types.path;
+    default = ../secrets;
+  };
+
+  config = {
+    # sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
+    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+}

fw/thunderbolt.nix

@@ -0,0 +1,10 @@
+{ pkgs, config, ... }:
+{
+  services.hardware.bolt.enable = true;
+
+  vacu.packages = [
+    pkgs.thunderbolt
+    config.services.hardware.bolt.package
+    pkgs.kdePackages.plasma-thunderbolt
+  ];
+}

fw/tpm-fido.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  vacu.packages = [ "tpm-fido" ];
+  users.groups.uhid = {};
+  users.users.shelvacu.extraGroups = [ config.security.tpm2.tssGroup config.users.groups.uhid.name ];
+  security.tpm2.enable = true;
+  security.tpm2.applyUdevRules = true;
+  services.udev.extraRules = ''
+    KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="${config.users.groups.uhid.name}", MODE="0660"
+  '';
+}

fw/virtualbox.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  virtualisation.virtualbox.host = {
+    enable = true;
+    enableExtensionPack = true;
+  };
+  users.extraGroups.vboxusers.members = [ "shelvacu" ];
+}

fw/zfs.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  boot.zfs.extraPools = [ "fw" ];
+  # config.boot.zfs.package.latestCompatibleLinuxPackages is fucked, if there are multiple compatible linuxes of the same version, it picks effectively an arbitrary one
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
+  systemd.services.zfs-mount.enable = false;
+
+  # see also fileSystems."/"
+}

generic-digitalocean-nixos.nix

@@ -1,10 +0,0 @@
-{ inputs, system ? "x86_64-linux" }:
-let
-pkgs = inputs.nixpkgs.legacyPackages.${system};
-config = { config, ... }: {
-  imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ];
-
-  system.stateVersion = config.system.nixos.release;
-};
-in
-(pkgs.nixos config).digitalOceanImage

home/nix-on-droid.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [ ../common/home.nix ];
+  home.stateVersion = "24.05";
+  home.homeDirectory = "/data/data/com.termux.nix/files/home";
+  home.username = "nix-on-droid";
+}

installer.nix

@@ -1,18 +1,16 @@
-{ config, inputs, modulesPath, lib, ... }: {
-  imports = [
-    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
-    ./common-nixos-config.nix
-  ];
+{
+  config,
+  modulesPath,
+  lib,
+  ...
+}:
+{
+  imports = [ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ];
   # this is an installer image, created anew every time. There's no state we need to worry about messing up
-  system.stateVersion = config.system.nixos.version; 
+  system.stateVersion = config.system.nixos.version;
   isoImage.isoBaseName = "nixos-shel-installer";
   services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
-  # boot.kernelPatches = [{
-  #   name = "foo";
-  #   patch = null;
-  #   extraStructuredConfig = {
-  #     VIRTIO = lib.kernel.yes;
-  #     VIRTIO_BLK = lib.kernel.yes;
-  #   };
-  # }];
+  vacu.hostName = "vacuInstaller";
+  vacu.shell.color = "red";
+  vacu.systemKind = "server";
 }

jobs/public/index.html

@@ -0,0 +1,92 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Hire Shelvacu today!</title>
+    <style>
+      /* with thanks to http://bettermotherfuckingwebsite.com/ */
+      body {
+        margin: 40px auto;
+        max-width: 650px;
+        line-height: 1.6;
+        font-size: 18px;
+        color: #444;
+        background: #eee;
+        padding: 0 10px;
+      }
+      h1,h2,h3 { line-height: 1.2; }
+      
+
+      form {
+        padding: 5px;
+        border: 1px solid black;
+        border-radius: 3px;
+        margin: 5px;
+      }
+      form label { display: block; }
+    </style>
+  </head>
+  <body>
+    <h1>Jobs info</h1>
+    <p>Hi! I am currently looking to find a Software Engineering job. I am a professional developer specializing in Ruby on Rails and Rust, with over 10 years of experience.</p>
+
+    <p>
+      What I want in a job:
+
+      <ul>
+        <li><b>Fully Remote</b> - that means 1 visit to an office per month or less. Strongly preferred; non-remote jobs will have to be very tempting in every other category.</li>
+        <li>Prefer direct hire, but not required.</li>
+        <li>W2 employment preferred, but also open to C2C/1099.</li>
+        <li>While I could be productive in nearly any language, I would most like to work with Rust.</li>
+      </ul>
+    </p>
+
+    <p>
+      Things you probably want to know:
+
+      <ul>
+        <li>I am a US citizen (USC), for work authorization purposes I can work anywhere in the US.</li>
+        <li>Open to both contract and permanent positions.</li>
+        <li>I can start within a week.</li>
+        <li>I do not have a formal degree, but more than enough experience to make up for it.</li>
+      </ul>
+    </p>
+
+    <h2>Resume</h2>
+
+    <p>
+      <a href="/shelvacu-resume.pdf">You can see my latest, up-to-date resume here</a>.
+    </p>
+
+    <h2>To send me job offers</h2>
+
+    <p>Unfortunately I get a lot of bad job offers if I just give out my email to anyone. As such, I will only accept job offers sent using this form.</b>
+
+    <p>Each time you want to send me an email about a new job offer, you must return to this page. The process may change from time to time. If you have multiple jobs you think I am a good fit for, please combine them in one email.</p>
+
+    <form method="get" action="/email">
+      <label>
+        <input type="checkbox" name="confirm_fully_remote_or_exceptional" value="yes" required>
+        <span>This is a fully remote job, or you will give an exceptional reason why the offer should be considered despite not being fully remote.</span>
+      </label>
+      <label>
+        <input type="checkbox" name="confirm_i_read_the_above" value="yes" required>
+        <span>You have read the above and will not ask about work authorization status, earliest date to start, or formal education because you already have that information.</span>
+      </label>
+      <label>
+        <input type="checkbox" name="confirm_include_pay" value="yes" required>
+        <span>You will include an estimated pay range. No "depends on experience", my resume clearly shows how much experience I have.</span>
+      </label>
+      <label>
+        <input type="checkbox" name="confirm_no_ask_resume" value="yes" required>
+        <span>You will not ask for an updated resume. The latest resume is always available on this page.</span>
+      </label>
+      <label>
+        <div>Your email:</div>
+        <input type="email" name="email" required>
+      </label>
+      <button type="submit">Submit</button>
+    </form>
+
+    <p>I apologize for the hassle. I promise that if you follow everything here before sending a job offer to me, I <i>will</i> respond, and I will make every effort to respond within 1 week.</p>
+  </body>
+</html>

legtop/bluetooth.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+
+  # services.blueman.enable = true;
+}

legtop/default.nix

@@ -0,0 +1,83 @@
+{ pkgs, inputs, ... }:
+{
+  imports = [
+    ../common/nixos.nix
+    inputs.nixos-hardware.nixosModules.gpd-micropc
+    ./hardware.nix
+    ./bluetooth.nix
+  ];
+
+  vacu.hostName = "legtop";
+  vacu.shortHostName = "lt";
+  vacu.shell.color = "blue";
+  vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
+  vacu.systemKind = "desktop";
+
+  system.stateVersion = "24.05";
+
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  networking.networkmanager.enable = true;
+  vacu.packages =
+    (with pkgs; [
+      bitwarden-desktop
+      nheko
+      # librewolf
+      brave
+      thunderbird
+      wl-clipboard
+      nextcloud-client
+      signal-desktop
+      iio-sensor-proxy
+      power-profiles-daemon
+      acpi
+      jellyfin-media-player
+      vlc
+      dmidecode
+      prismlauncher
+      ffmpeg_7-full
+      wireshark
+      obsidian
+      dino
+      aircrack-ng
+      libreoffice-qt6-fresh
+      gimp
+      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
+      (inkscape-with-extensions.override { inkscapeExtensions = null; })
+      libsmi
+      net-snmp
+      android-tools
+      ghidra
+      wineWowPackages.stableFull
+      wineWowPackages.fonts
+      winetricks
+      lutris
+      radicle-node
+      proxmark3
+    ])
+    ++ [ ];
+
+  services.openssh.enable = true;
+
+  services.xserver.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.displayManager.sddm.wayland.enable = true;
+  services.desktopManager.plasma6.enable = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+  hardware.enableAllFirmware = true;
+
+  services.fwupd.enable = true;
+
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  programs.steam.enable = true;
+}

legtop/hardware.nix

@@ -0,0 +1,33 @@
+{ ... }:
+{
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/e3aebf24-be76-4064-a9f5-3930c8cd1382";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/7fd2ca2d-7faf-4d40-8cde-ce531fa679b5";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/4C47-D9A3";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+      "nofail"
+    ];
+  };
+  nixpkgs.hostPlatform = "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+}

liam/default.nix

@@ -1,57 +1,71 @@
-{ modulesPath, config, lib, ... }: {
+{
+  modulesPath,
+  config,
+  vaculib,
+  ...
+}:
+let
+  inherit (vaculib) mkOutOption;
+in
+{
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
     (modulesPath + "/virtualisation/digital-ocean-config.nix")
-    ../common-nixos-config.nix
     ./nginx.nix
     ./sops.nix
     ./dovecot.nix
     ./mail.nix
     ./dkim.nix
     ./sieve.nix
+    ./network.nix
   ];
 
-  options = let
-    mkReadOnly = val: lib.options.mkOption { default = val; readOnly = true; };
-  in {
+  options = {
     vacu.liam = {
-      shel_domains = mkReadOnly [
+      shel_domains = mkOutOption [
         "shelvacu.com"
         "dis8.net"
         "mail.dis8.net"
         "jean-luc.org"
         "in.jean-luc.org"
         "vacu.store"
+        "shelvacu.miras.pet"
       ];
-      julie_domains = mkReadOnly [
+      julie_domains = mkOutOption [
         "violingifts.com"
         "theviolincase.com"
         "shop.theviolincase.com"
       ];
-      domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
-      reservedIpLocal = mkReadOnly "10.46.0.7";
+      domains = mkOutOption (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
+      relayhosts = {
+        allDomains = (mkOutOption "[outbound.mailhop.org]:587") // {
+          readOnly = false;
+        };
+        shelvacuAlt = (mkOutOption "[relay.dynu.com]:587") // {
+          readOnly = false;
+        };
+      };
+      reservedIpLocal = mkOutOption "10.46.0.7";
     };
   };
 
   config = {
-    system.nixos.tags = [ "host-${config.networking.hostName}" ];
-    networking.hostName = "liam";
+    vacu.hostName = "liam";
+    vacu.shell.color = "cyan";
     networking.domain = "dis8.net";
+    vacu.systemKind = "minimal";
+
+    hardware.enableAllFirmware = false;
+    hardware.enableRedistributableFirmware = false;
 
     # networking.interfaces."ens3".useDHCP = false;
-    # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
-    # {
-    #   "ip_address": "10.46.0.7",
-    #   "netmask": "255.255.0.0",
-    #   "gateway": "10.46.0.1"
-    # }
-
     services.openssh.enable = true;
 
     virtualisation.digitalOcean.setSshKeys = false;
 
-    users.users.root.openssh.authorizedKeys.keys = config.users.users.shelvacu.openssh.authorizedKeys.keys;
+    users.users.root.openssh.authorizedKeys.keys =
+      config.users.users.shelvacu.openssh.authorizedKeys.keys;
 
     system.stateVersion = "23.11";
   };
-}
+}

liam/dkim.nix

@@ -1,7 +1,13 @@
-{ config, pkgs, lib, ... }: 
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
-inherit (config.vacu.liam) domains;
-in {
+  inherit (config.vacu.liam) domains;
+in
+{
   services.opendkim = {
     enable = true;
     keyPath = "/run/secrets/dkimkeys";
@@ -15,4 +21,4 @@ in {
   systemd.services.postfix.after = [ "opendkim.service" ];
 }
 # 2024-03-liam._domainkey
-# v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==
+# v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==

liam/dovecot.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 {
   networking.firewall.allowedTCPPorts = [ 993 ];
   systemd.tmpfiles.settings.whatever."/var/lib/mail".d = {
@@ -17,8 +17,11 @@
     sslServerKey = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
     sslServerCert = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
     enablePAM = false;
-    protocols = lib.mkForce [ "imap" "lmtp" "sieve" ];
-    modules = [ pkgs.dovecot_pigeonhole ];
+    protocols = lib.mkForce [
+      "imap"
+      "lmtp"
+      "sieve"
+    ];
     mailUser = "vmail";
     mailGroup = "vmail";
     createMailUser = true;
@@ -75,22 +78,33 @@
 
       userdb {
         driver = passwd-file
-        args = username_format=%n /run/secrets/dovecot-passwd
+        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
         override_fields = uid=${config.services.dovecot2.mailUser} gid=${config.services.dovecot2.mailGroup} user=%n
       }
 
       passdb {
         driver = passwd-file
-        args = username_format=%n /run/secrets/dovecot-passwd
+        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
         override_fields = user=%n
       }
 
       namespace {
         separator = .
         inbox = yes
+        
+        mailbox MagicRefilter {
+          auto = create
+        }
       }
 
       # mail_debug = yes
+      mail_plugins = $mail_plugins notify mail_log
+
+      plugin {
+        # sieve_trace_debug = yes
+        mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename flag_change
+        mail_log_fields = uid box msgid size from
+      }
     '';
   };
-}
+}

liam/mail.nix

@@ -1,10 +1,46 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
-inherit (config.vacu.liam) shel_domains julie_domains domains;
-fqdn = config.networking.fqdn;
-dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
-in {
-  networking.firewall.allowedTCPPorts = [ 25 465 ];
+  inherit (config.vacu.liam)
+    shel_domains
+    julie_domains
+    domains
+    relayhosts
+    ;
+  mapLines = f: lis: lib.concatStringsSep "\n" (map f lis);
+  debug = false;
+  fqdn = config.networking.fqdn;
+  relayable_domains = [
+    "shelvacu.com"
+    "vacu.store"
+  ];
+  dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
+  reject_spam_sources = [
+    "reject-spam-test@example.com"
+    "buyerservice@made-in-china.com"
+    "upgrade-plans@asuswebstorage.com"
+    "info@rfidlabel.com"
+  ];
+  banned_ips = [
+    "45.192.103.243/32"
+    "165.154.207.0/24"
+    "165.154.226.0/24"
+    "210.242.134.0/26"
+    "137.220.198.0/24"
+    "122.96.0.0/15"
+  ];
+  # must be bigger than gmail's 25MB "attachment limit" which after base64 encoding (x 1.33) is ~33MB
+  mailSizeLimit = 35 * 1024 * 1024;
+in
+{
+  networking.firewall.allowedTCPPorts = [
+    25
+    465
+  ];
 
   vacu.acmeCertDependencies."liam.dis8.net" = [ "postfix.service" ];
   services.postfix = {
@@ -13,12 +49,15 @@ in {
 
     # this goes into virtual_alias_maps
     # "Note: for historical reasons, virtual_alias_maps apply to recipients in all domain classes, not only the virtual alias domain class."
-    virtual = ''
-      julie@shelvacu.com julie
-      mom@shelvacu.com julie
-      psv@shelvacu.com psv
-    '' + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains) + "\n"
-    + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
+    virtual =
+      ''
+        julie@shelvacu.com julie
+        mom@shelvacu.com julie
+        psv@shelvacu.com psv
+      ''
+      + (mapLines (d: "@${d} shelvacu") shel_domains)
+      + "\n"
+      + (mapLines (d: "@${d} julie") julie_domains);
 
     transport = ''
       shelvacu@${fqdn} ${dovecot_transport}
@@ -33,19 +72,54 @@ in {
     rootAlias = "shelvacu";
     enableSubmission = false;
     enableSubmissions = true;
-    mapFiles.header_checks = pkgs.writeText "header-checks" ("/./ INFO checker headers\n" + (lib.concatMapStringsSep "\n" (d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT") domains));
-    mapFiles.sender_access = pkgs.writeText "sender-access" (lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains);
+    mapFiles.header_checks = pkgs.writeText "header-checks" (
+      ''
+        /./ INFO checker headers
+      ''
+      + (mapLines (
+        d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
+      ) domains)
+    );
+    mapFiles.sender_access = pkgs.writeText "sender-access" (
+      mapLines (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
+    );
+    mapFiles.banned_ips = pkgs.writeText "banned-ips" (mapLines (ip: "${ip} REJECT spam") banned_ips);
     # hack to get postfix to add a X-Original-To header
     mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
+    # mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
+    mapFiles.sender_transport = pkgs.writeText "sender-transport" (
+      mapLines (d: "@${d} relayservice") relayable_domains
+    );
+    mapFiles.sender_relay = pkgs.writeText "sender-relay" (
+      ''
+        @shelvacu.com ${relayhosts.allDomains} ${relayhosts.shelvacuAlt} 
+      ''
+      + (mapLines (d: "@${d} ${relayhosts.allDomains}") relayable_domains)
+    );
+    mapFiles.extra_login_maps = pkgs.writeText "extra-login-maps" (
+      ''
+        robot@vacu.store vacustore
+      ''
+      + config.services.postfix.virtual
+    );
 
     # verbatim appended to main.cf
     extraConfig = ''
+      smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+      inet_protocols = ipv4
       virtual_alias_domains =
         ${lib.concatStringsSep ",\n  " domains}
 
+      message_size_limit = ${toString mailSizeLimit}
+
+      sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
+      sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+
       header_checks = pcre:/etc/postfix/header_checks
-      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
-      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
+      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access permit
+      smtpd_client_restrictions = check_client_access cidr:/etc/postfix/banned_ips permit
+      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to permit
+      recipient_delimiter = +
 
       #we should never use these transport methods unless thru transport map
       # RFC3463:
@@ -53,8 +127,8 @@ in {
       # X.3.X = mail system failure
       # X.3.5 = System incorrectly configured
       # I would've never thought there'd be a standard way to specifically say "you found an error in my config"
-      local_transport   = error:5.3.5 how did this even hapenn??
-      virtual_transport = error:5.3.5 how did this even happenn??
+      local_transport   = error:5.3.5 how did this even happen?? (e-local)
+      virtual_transport = error:5.3.5 how did this even happen?? (e-virtual)
       # X.7.1 = Delivery not authorized, message refused
       relay_transport = error:5.7.1 relay is so very disabled
 
@@ -66,13 +140,37 @@ in {
       smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
 
       # smtp_bind_address = 10.46.0.7
-
-      ${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
-        smtpd_milters = unix:/run/opendkim/opendkim.sock
-        non_smtpd_milters = unix:/run/opendkim/opendkim.sock
-      '')}
+      # inet_interfaces = all
+      # inet_protocols = ipv4
+      ${lib.optionalString config.services.opendkim.enable (
+        assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock");
+        ''
+          smtpd_milters = unix:/run/opendkim/opendkim.sock
+          non_smtpd_milters = unix:/run/opendkim/opendkim.sock
+        ''
+      )}
     '';
 
+    masterConfig."relayservice" = {
+      command = "smtp";
+      type = "unix";
+      args = [
+        "-o"
+        "smtp_sasl_auth_enable=yes"
+        "-o"
+        "smtp_sasl_security_options=noanonymous"
+        "-o"
+        "smtp_tls_security_level=secure"
+        "-o"
+        "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
+        "-o"
+        "smtp_tls_wrappermode=no"
+      ] ++ (if debug then [ "-v" ] else [ ]);
+    };
+
+    masterConfig.qmgr = lib.mkIf debug { args = [ "-v" ]; };
+    masterConfig.cleanup = lib.mkIf debug { args = [ "-v" ]; };
+    masterConfig.smtpd = lib.mkIf debug { args = [ "-v" ]; };
     submissionsOptions = {
       smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
       smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
@@ -86,7 +184,7 @@ in {
       smtpd_sasl_type = "dovecot";
       smtpd_sasl_path = "private/dovecot-auth";
       message_size_limit = "100000000";
-      smtpd_sender_login_maps = "hash:/etc/postfix/virtual";
+      smtpd_sender_login_maps = "hash:/etc/postfix/extra_login_maps";
       smtpd_sender_restrictions = "reject_authenticated_sender_login_mismatch";
       header_checks = "";
 
@@ -99,6 +197,5 @@ in {
       tls_preempt_cipherlist = "no";
     };
 
-
   };
-}
+}

liam/network.nix

@@ -0,0 +1,32 @@
+{ lib, config, ... }:
+let
+  # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
+  # {
+  #   "ip_address": "10.46.0.7",
+  #   "netmask": "255.255.0.0",
+  #   "gateway": "10.46.0.1"
+  # }
+  interface_conf = {
+    useDHCP = true;
+    ipv4.addresses = [
+      {
+        address = "10.46.0.7";
+        prefixLength = 24;
+      }
+    ];
+    ipv4.routes = [
+      {
+        address = "0.0.0.0";
+        prefixLength = 0;
+        via = "10.46.0.1";
+        options.scope = "global";
+        options.src = "10.46.0.7";
+        options.metric = "1200";
+      }
+    ];
+  };
+in
+{
+  networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
+  networking.interfaces."eth0" = lib.mkIf (config.vacu.underTest) interface_conf;
+}

liam/nginx.nix

@@ -1,16 +1,19 @@
-{ config, ... }:
+{ ... }:
 let
-domains = [
-  "smtp.shelvacu.com"
-  "imap.shelvacu.com"
-  "mail.shelvacu.com"
-  "autoconfig.shelvacu.com"
-  "mail.dis8.net"
-  "liam.dis8.net"
-];
+  domains = [
+    "smtp.shelvacu.com"
+    "imap.shelvacu.com"
+    "mail.shelvacu.com"
+    "autoconfig.shelvacu.com"
+    "mail.dis8.net"
+    "liam.dis8.net"
+  ];
 in
 {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
   security.acme.acceptTerms = true;
   security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
   security.acme.defaults.email = "shelvacu@gmail.com";
@@ -31,4 +34,4 @@ in
       default = true;
     };
   };
-}
+}

liam/sieve.nix

@@ -1,4 +1,18 @@
-{ config, pkgs, lib, ... }: with lib.strings; with lib.lists; let
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib.strings)
+    concatStringsSep
+    splitString
+    match
+    replaceStrings
+    concatStrings
+    ;
+  inherit (lib.lists) reverseList length elemAt;
   email_folders = [
     "24nm-domain@shelvacu.com"
     "agora@shelvacu.com"
@@ -7,6 +21,7 @@
     "paxful@shelvacu.com"
     "postgres-lists@shelvacu.com"
     "cpapsupplies@shelvacu.com"
+    "jork@shelvacu.com"
 
     "bob@dis8.net"
     "fresh.avocado@dis8.net"
@@ -18,7 +33,7 @@
     "jean-luc@jean-luc.org"
     "mariceayukawa@jean-luc.org"
     "snow@jean-luc.org"
-  
+
     "capt@in.jean-luc.org"
   ];
   domain_folders = [
@@ -26,48 +41,388 @@
     "shelvacu.com"
     "jean-luc.org"
     "in.jean-luc.org"
+    "mail.dis8.net"
+    "liam.dis8.net"
     # no longer used:
     "tulpaudcast.info"
     "tulpae.info"
     "xn--tulp-yoa.info"
   ];
   valid_ish_domain = domain: match "[a-z0-9][a-z0-9-]*(\\.[a-z0-9][a-z0-9-]*)+" domain != null;
-  mk_domain_folder_name = domain: assert valid_ish_domain domain; concatStringsSep "." (reverseList (splitString "." domain));
-  mk_email_folder_name = email: let
-    parts = splitString "@" email;
-    domain_part = assert (length parts) == 2; elemAt parts 1;
-    user_part = assert (length parts) == 2; elemAt parts 0;
-    domain_folder = mk_domain_folder_name domain_part;
-    folder_name = domain_folder + ".@" + user_part;
-  in folder_name;
-  is_quoteable = s: match "[ -~]*" s != null;
-  sieve_quote_string = s: assert is_quoteable s; "\"" + (replaceStrings ["\"" "\\"] ["\\\"" "\\\\"] s) + "\"";
-  email_filters = map (e: 
-    ''
-      elsif header :is "X-Envelope-To" ${sieve_quote_string e} {
-        fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
-      }
-    ''
-  ) email_folders;
-  domain_filters = map (d:
-    ''
-      elsif header :matches "X-Envelope-To" ${sieve_quote_string ("*@" + d)} {
-        fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
-      }
-    ''
-  ) domain_folders;
-  sieve_text = ''
-    require ["fileinto", "mailbox"];
-
-    if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
-      discard;
+  mk_domain_folder_name =
+    domain:
+    assert valid_ish_domain domain;
+    concatStringsSep "." (reverseList (splitString "." domain));
+  mk_email_folder_name =
+    email:
+    let
+      parts = splitString "@" email;
+      domain_part =
+        assert (length parts) == 2;
+        elemAt parts 1;
+      user_part =
+        assert (length parts) == 2;
+        elemAt parts 0;
+      domain_folder = mk_domain_folder_name domain_part;
+      folder_name = domain_folder + ".@" + user_part;
+    in
+    folder_name;
+  is_match = regex: s: (match regex s) != null;
+  is_not_match = regex: s: !(is_match regex s);
+  is_quoteable = s: (is_match "[ -~]*" s) && (is_not_match ("\\$" + "\\{") s);
+  sieve_quote_string_bare =
+    s:
+    assert is_quoteable s;
+    replaceStrings [ ''"'' "\\" ] [ ''\"'' "\\\\" ] s;
+  sieve_quote_string = s: ''"'' + (sieve_quote_string_bare s) + ''"'';
+  interp = ident: "$" + "{${ident}}";
+  dest = "envelope_to";
+  dest_domain = "envelope_to_domain";
+  set_envelope = ''
+    #set_envelope START
+    if header :index 1 :matches "X-Envelope-To" "*" {
+      set ${sieve_quote_string dest} "''${1}";
     }
-    elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
-      fileinto :create "gmail";
+    if header :index 1 :matches "X-Envelope-To" "*@*" {
+      set ${sieve_quote_string dest_domain} "''${2}";
     }
-    ${concatStrings email_filters}
-    ${concatStrings domain_filters}
+    #set_envelope END
   '';
-in {
-  services.dovecot2.sieveScripts.before = pkgs.writeText "blargsieve" sieve_text;
-}
+  envelope_is = key: ''string :is "${interp dest}" ${sieve_quote_string key}'';
+  envelope_domain_is = key: ''string :is "${interp dest_domain}" ${sieve_quote_string key}'';
+  email_filters = map (e: ''
+    elsif ${envelope_is e} { # item of email_filters
+      addheader "X-Vacu-Action" "email_filters fileinto ${sieve_quote_string_bare (mk_email_folder_name e)}";
+      fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
+    }
+  '') email_folders;
+  domain_filters = map (d: ''
+    elsif ${envelope_domain_is d} { # item of domain_filters
+      addheader "X-Vacu-Action" "domain_filters fileinto ${sieve_quote_string_bare (mk_domain_folder_name d)}";
+      fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
+    }
+  '') domain_folders;
+  set_from =
+    {
+      condition,
+      var,
+      default ? "-",
+      warn_if_unset ? false,
+    }:
+    ''
+      # set_from { condition = ${sieve_quote_string condition}; var = ${sieve_quote_string var}; default = ${sieve_quote_string default}; warn_if_unset = ${toString warn_if_unset}; }
+      if ${condition} {
+        set ${sieve_quote_string var} "''${1}";
+      }
+      else {
+        ${lib.optionalString warn_if_unset ''
+          if ihave "vnd.dovecot.debug" {
+            debug_log "info: Could not set ${sieve_quote_string_bare var} from condition ${sieve_quote_string_bare condition}, setting to default(${sieve_quote_string_bare default})";
+          }
+        ''}
+        set ${sieve_quote_string var} ${sieve_quote_string default};
+      }
+      # set_from END
+    '';
+  set_var_from_environment =
+    item: var:
+    ''
+      # set_var_from_environment
+    ''
+    + set_from {
+      condition = ''environment :matches ${sieve_quote_string item} "*"'';
+      inherit var;
+    };
+  sieve_text = ''
+    require [
+      "fileinto",
+      "mailbox",
+      "imap4flags",
+      "editheader",
+      "environment",
+      "variables",
+      "date",
+      "index",
+      "ihave"
+    ];
+    # if ihave "vnd.dovecot.debug" {
+    #   debug_log "debug log is available";
+    #   if environment :matches "location" "*" {
+    #     debug_log "environment ''${1}";
+    #   }
+    #   if environment :matches "phase" "*" {
+    #     debug_log "phase ''${1}";
+    #   }
+    # }
+
+    if allof(
+      ihave "imapsieve",
+      environment :matches "imap.user" "*",
+      environment :matches "location" "MS",
+      environment :matches "phase" "post"
+    ) {
+      set "in_imap" "1";
+    } else {
+      set "in_imap" "0";
+    }
+
+    if string "''${in_imap}" "1" {
+      if not allof(
+        environment :is "imap.cause" ["APPEND", "COPY", ""],
+        environment :is "imap.mailbox" ["MagicRefilter", ""]
+      ) {
+        if ihave "vnd.dovecot.debug" {
+          debug_log "NOT doing anything cuz imap.cause and/or imap.mailbox isn't right";
+        }
+        stop;
+      }
+    }
+
+    ${set_envelope}
+    ${set_var_from_environment "location" "env_location"}
+    ${set_var_from_environment "phase" "env_phase"}
+    ${set_var_from_environment "imap.user" "env_imap_user"}
+    ${set_var_from_environment "imap.email" "env_imap_email"}
+    ${set_var_from_environment "imap.cause" "env_imap_cause"}
+    ${set_var_from_environment "imap.mailbox" "env_imap_mailbox"}
+    ${set_var_from_environment "imap.changedflags" "env_imap_changedflags"}
+    ${set_from {
+      condition = ''currentdate :matches "iso8601" "*"'';
+      var = "datetime";
+    }}
+    set "sieved_message" "at ''${datetime} by ${config.vacu.versionId} loc ''${env_location} phase ''${env_phase} user ''${env_imap_user} email ''${env_imap_email} cause ''${env_imap_cause} mailbox ''${env_imap_mailbox} changedflags ''${env_imap_changedflags} envelope ${interp dest}";
+    if ihave "vnd.dovecot.debug" {
+      debug_log "X-Vacu-Sieved: ''${sieved_message}";
+    }
+
+    if ihave "envelope" {
+      if envelope :all :matches "to" "*@*" {
+        set "userfor" "''${1}";
+      } else {
+        error "i dunno what to do, theres no envelope";
+      }
+    }
+    elsif string "''${in_imap}" "1" {
+      set "userfor" "''${env_imap_user}";
+    }
+    else {
+      error "dont have envelope or imapsieve, dunno what to do";
+    }
+
+    if string :is "''${userfor}" "shelvacu" {
+      addheader "X-Vacu-Sieved" "''${sieved_message}";
+      removeflag "auto-amazon-ignore";
+      if allof(
+        ${envelope_is "amznbsns@shelvacu.com"},
+        header :matches "Subject" ["Your Amazon.com order has shipped*", "Your Amazon.com order of * has shipped!"]
+      ) {
+        addheader "X-Vacu-Action" "amazon-ignore";
+        addflag "auto-amazon-ignore";
+      }
+      removeflag "auto-bandcamp-ignore";
+      if allof(
+          ${envelope_is "bandcamp@shelvacu.com"},
+          header :matches "Subject" ["* just announced a listening party on Bandcamp", "New items from *", "Starting in *", "New from *"]
+      ) {
+        addheader "X-Vacu-Action" "bandcamp-ignore";
+        addflag "auto-bandcamp-ignore";
+      }
+      removeflag "auto-ika-ignore";
+      if ${envelope_is "ika@dis8.net"} {
+        addheader "X-Vacu-Action" "ika-ignore";
+        addflag "auto-ika-ignore";
+      }
+      removeflag "bloomberg";
+      if ${envelope_is "bloomberg@shelvacu.com"} {
+        addheader "X-Vacu-Action" "flag-bloomberg";
+        addflag "bloomberg";
+      }
+      removeflag "money-stuff";
+      if allof (
+        ${envelope_is "bloomberg@shelvacu.com"},
+        header :matches "From" "\"Matt Levine\" *"
+      ) {
+        addheader "X-Vacu-Action" "flag-money-stuff";
+        addflag "money-stuff";
+      }
+      removeflag "git-uninsane";
+      removeflag "git";
+      if ${envelope_is "git-uninsane@shelvacu.com"} {
+        addheader "X-Vacu-Action" "flag-git-uninsane";
+        addflag "git-uninsane";
+        addheader "X-Vacu-Action" "flag-git";
+        addflag "git";
+      } elsif anyof (
+        exists "X-GitHub-Reason",
+        exists "X-GitLab-Project"
+      ) {
+        addheader "X-Vacu-Action" "flag-git";
+        addflag "git";
+      }
+      removeflag "discourse";
+      if exists "X-Discourse-Post-Id" {
+        addheader "X-Vacu-Action" "flag-discourse";
+        addflag "discourse";
+      }
+      removeflag "agora";
+      if ${envelope_is "agora@shelvacu.com"} {
+        addheader "X-Vacu-Action" "flag-agora";
+        addflag "agora";
+      }
+      removeflag "postgres-list";
+      if header :matches "List-Id" "<*.lists.postgresql.org>" {
+        addheader "X-Vacu-Action" "flag-postgres-list";
+        addflag "postgres-list";
+      }
+      removeflag "gmail-fwd";
+      if ${envelope_is "gmailfwd-fc2e10bec8b2@shelvacu.com"} {
+        addheader "X-Vacu-Action" "gmail-fwd";
+        addflag "gmail-fwd";
+      }
+      removeflag "aliexpress";
+      if header :matches "From" [ "*<transaction@notice.aliexpress.com>", "*<aliexpress@notice.aliexpress.com>" ] {
+        addheader "X-Vacu-Action" "aliexpress";
+        addflag "aliexpress";
+      }
+      removeflag "secureaccesswa";
+      if header :is "From" "help@secureaccess.wa.gov" {
+        addheader "X-Vacu-Action" "secureaccesswa";
+        addflag "secureaccesswa";
+      }
+      removeflag "letsencrypt-mailing-list";
+      if ${envelope_is "lets-encrypt-mailing-list@shelvacu.com"} {
+        addheader "X-Vacu-Action" "letsencrypt-mailing-list";
+        addflag "letsencrypt-mailing-list";
+      }
+      removeflag "jmp-news";
+      if header :matches "List-Id" "*<jmp-news.soprani.ca>" {
+        addheader "X-Vacu-Action" "jmp-news";
+        addflag "jmp-news";
+      }
+      removeflag "ally-statement";
+      if allof(
+        ${envelope_is "ally@shelvacu.com"},
+        header :is "Subject" "Your latest statement is ready to view."
+      ) {
+        addheader "X-Vacu-Action" "ally-statement";
+        addflag "ally-statement";
+      }
+
+      removeflag "auto-marked-read";
+      if hasflag ["auto-amazon-ignore", "auto-bandcamp-ignore", "auto-ika-ignore", "ally-statement"] {
+        addheader "X-Vacu-Action" "auto-mark-read";
+        addflag "\\Seen";
+        addflag "auto-marked-read";
+      }
+      removeflag "spamish";
+      if allof (
+        anyof (
+          header :is "Precedence" "bulk",
+          exists "List-Unsubscribe",
+          exists "List-Unsubscribe-Post"
+        ),
+        not hasflag "agora",
+        not hasflag "git",
+        not hasflag "money-stuff",
+        not hasflag "discourse",
+        not hasflag "postgres-list",
+        not hasflag "letsencrypt-mailing-list",
+        not hasflag "secureaccesswa",
+        not hasflag "jmp-news"
+      ) {
+        addheader "X-Vacu-Action" "spamish";
+        addflag "spamish";
+      }
+
+      if ${envelope_is "brandcrowd@shelvacu.com"} {
+        discard;
+      }
+      elsif allof (
+        ${envelope_domain_is "shelvacu.com"},
+        hasflag "spamish"
+      ) {
+        addheader "X-Vacu-Action" "fileinto com.shelvacu.#spamish";
+        fileinto :create "com.shelvacu.#spamish";
+      }
+      elsif hasflag "gmail-fwd" {
+        addheader "X-Vacu-Action" "fileinto gmail";
+        fileinto :create "gmail";
+      }
+      elsif hasflag "money-stuff" {
+        addheader "X-Vacu-Action" "fileinto com.shelvacu.#money-stuff";
+        fileinto :create "com.shelvacu.#money-stuff";
+      }
+      elsif hasflag "aliexpress" {
+        addheader "X-Vacu-Action" "aliexpress fileinto";
+        fileinto :create "aliexpress";
+      }
+      ${concatStrings email_filters}
+      ${concatStrings domain_filters}
+      else {
+        keep;
+      }
+    }
+    # disable any sieve scripts that might want to run after this one
+    stop;
+  '';
+  pigeonhole_pkg = pkgs.dovecot_pigeonhole;
+in
+{
+  imports = [
+    # Allow running a sieve filter when a message gets moved to another folder in imap
+    # see https://doc.dovecot.org/2.3/configuration_manual/sieve/plugins/imapsieve/
+    {
+      services.dovecot2 = {
+        sieve.plugins = [ "sieve_imapsieve" ];
+        mailPlugins.perProtocol.imap.enable = [ "imap_sieve" ];
+      };
+    }
+  ];
+  options.vacu.checkSieve = lib.mkOption {
+    readOnly = true;
+    default = pkgs.writeScriptBin "check-liam-sieve" ''
+      set -xev
+      ${lib.escapeShellArgs [
+        (lib.getExe' pigeonhole_pkg "sieve-test")
+        "-c"
+        config.services.dovecot2.configFile
+        "-C" # force compilation
+        "-D" # enable sieve debugging
+        "-f"
+        "some-rando@example.com"
+        "-a"
+        "shelvacu@liam.dis8.net"
+        config.services.dovecot2.sieve.scripts.before
+        "/dev/null"
+      ]}
+    '';
+  };
+  options.vacu.liam-sieve-script = lib.mkOption {
+    readOnly = true;
+    default = pkgs.writeText "mainsieve" sieve_text;
+  };
+  config = {
+    services.dovecot2.modules = [ pigeonhole_pkg ];
+    services.dovecot2.sieve = {
+      extensions = [
+        "fileinto"
+        "mailbox"
+        "editheader"
+        "vnd.dovecot.debug"
+      ];
+      scripts.before = config.vacu.liam-sieve-script;
+    };
+    services.dovecot2.imapsieve.mailbox = [
+      {
+        name = "*";
+        causes = [
+          "APPEND"
+          "COPY"
+          "FLAG"
+        ];
+        before = config.vacu.liam-sieve-script;
+      }
+    ];
+    # services.dovecot2.mailboxes."magic-refilter".auto = "create";
+  };
+}

liam/sops.nix

@@ -1,17 +1,10 @@
-{ inputs, lib, config, ... }:
 {
-  imports = [
-    inputs.sops-nix.nixosModules.sops
-  ];
-
-  options.vacu.secretsFolder = lib.mkOption {
-    type = lib.types.path;
-    default = ../secrets;
-  };
-
+  config,
+  ...
+}:
+{
+  imports = [ ../common/sops-integrate.nix ];
   config = {
-    sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
-    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
     sops.secrets.dovecot-passwd = {
       restartUnits = [ "dovecot2.service" ];
     };
@@ -20,5 +13,9 @@
       restartUnits = [ "opendkim.service" ];
       owner = config.services.opendkim.user;
     };
+    sops.secrets.relay_creds = {
+      restartUnits = [ "postfix.service" ];
+      owner = config.services.postfix.user;
+    };
   };
-}
+}

lp0/default.nix

@@ -1,15 +1,15 @@
 { config, pkgs, ... }:
 {
-  imports = [
-    ../common-nixos-config.nix
-    ./hardware-config.nix
-  ];
+  imports = [ ./hardware-config.nix ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  networking.hostName = "lp0onfire"; # Define your hostname.
+  vacu.hostName = "lp0onfire"; # Define your hostname.
+  vacu.shortHostName = "lp0";
+  vacu.shell.color = "green";
+  vacu.systemKind = "server";
 
   # Set your time zone.
   time.timeZone = "America/Los_Angeles";
@@ -37,7 +37,6 @@
     pciutils
     ncdu
     nix-index
-    git
   ];
 
   # This value determines the NixOS release from which the default
@@ -53,7 +52,7 @@
   # system.autoUpgrade.enable = true;
   # system.autoUpgrade.allowReboot = true;
   # system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
-  
+
   nixpkgs.config.allowUnfree = true;
   services.zerotierone = {
     enable = true;
@@ -73,4 +72,3 @@
   #   internalInterfaces = [ "ztrf26rjvk" ];
   # };
 }
-

lp0/hardware-config.nix

@@ -1,27 +1,32 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, modulesPath, ... }:
 
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
+    fsType = "ext4";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/36B4-78A2";
-      fsType = "vfat";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/36B4-78A2";
+    fsType = "vfat";
+    options = [ "nofail" ];
+  };
 
   swapDevices = [ ];
 

mmm/default.nix

@@ -0,0 +1,23 @@
+{ inputs, ... }:
+{
+  imports = [
+    ../common/nixos.nix
+    inputs.nixos-apple-silicon.nixosModules.default
+    ./hardware.nix
+  ];
+
+  vacu.hostName = "mmm";
+  vacu.shell.color = "red";
+  vacu.verifySystem.enable = false;
+  vacu.verifySystem.expectedMac = "14:98:77:3f:b8:2e";
+  vacu.systemKind = "server";
+
+  # asahi recommends systemd-boot
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = false;
+  hardware.asahi.peripheralFirmwareDirectory = ./firmware;
+
+  services.openssh.enable = true;
+
+  system.stateVersion = "24.05";
+}

mmm/hardware.nix

@@ -0,0 +1,69 @@
+{ lib, ... }:
+let
+  btrfsopts = [
+    "noatime"
+    "compress=zstd"
+  ];
+in
+{
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "xhci_hcd"
+    "uas"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
+    fsType = "btrfs";
+    options = [ "subvol=root" ] ++ btrfsopts;
+  };
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/4e75b9ed-ac4f-48a2-b38c-c5026723171f";
+    # note: creation requires --new-key-file-size not --key-file-size
+    keyFileSize = 2048;
+    keyFile = "/dev/disk/by-partuuid/9d171b52-329e-4e21-9399-dcc66ff572cd";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/4407-1EF3";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+      "nofail"
+    ];
+  };
+
+  fileSystems."/nix/store" = {
+    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
+    fsType = "btrfs";
+    options = [ "subvol=nix-store" ] ++ btrfsopts;
+  };
+
+  fileSystems."/btrfs-root" = {
+    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
+    fsType = "btrfs";
+    options = [
+      "subvol=/"
+      "noauto"
+    ] ++ btrfsopts;
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

nix-on-droid/default.nix

@@ -1,19 +1,19 @@
-{ config, lib, pkgs, inputs, ... }:
+{ lib, ... }:
 
 {
-  imports = [ ./common-config.nix ];
-  environment.packages = config.vacu.packageList;
+  imports = [ ./flake-registry.nix ];
+
+  vacu.shell.color = "white";
+  vacu.systemKind = "server";
 
   environment.etc."resolv.conf".text = lib.mkForce ''
-    nameserver 10.78.79.1
+    # nameserver 10.78.79.1
     nameserver 9.9.9.10
     nameserver 149.112.112.10
 
     options timeout:1 attempts:5
   '';
 
-  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
-
   # Backup etc files instead of failing to activate generation if a file already exists in /etc
   environment.etcBackupExtension = ".bak";
 
@@ -24,14 +24,13 @@
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
-  nix.substituters = config.vacu.nix.extraSubstituters;
-  nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
-
-  environment.sessionVariables."PS1" = "\\w $ ";
 
   # Set your time zone
   time.timeZone = "America/Los_Angeles";
 
+  vacu.packages.yt-dlp.enable = true;
+  vacu.packages.radicle-node.enable = true;
+
   #specific to the particular install; avoids impurity
   #user.gid = 10287;
   #user.uid = 10287;

nix-on-droid/flake-registry.nix

@@ -0,0 +1,9 @@
+# To make `nix run nixpkgs#hello` and such use the same nixpkgs used to build this, so that it doesn't take forever
+{ inputs, ... }:
+{
+  nix.registry.nixpkgs.to = {
+    type = "path";
+    path = inputs.nixpkgs.outPath;
+  };
+  nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
+}

nixvim/default.nix

@@ -0,0 +1,33 @@
+{ ... }:
+{
+  opts = {
+    smartindent = true;
+    expandtab = true;
+    shiftwidth = 2;
+    softtabstop = -1;
+  };
+  plugins.comment.enable = true;
+  plugins.vim-surround.enable = true;
+  plugins.lsp = {
+    enable = true;
+    # onAttach = builtins.readFile ./nixd-init.lua;
+    servers = {
+      bashls.enable = true;
+      jsonls.enable = true;
+      # nil-ls.enable = true;
+      nixd = {
+        enable = true;
+      };
+      pyright.enable = true;
+      ts_ls.enable = true;
+      lua_ls.enable = true;
+      rust_analyzer = {
+        enable = true;
+        installCargo = false;
+        installRustc = false;
+      };
+      html.enable = true;
+      yamlls.enable = true;
+    };
+  };
+}