commits
I'm using https://github.com/juliusknorr/nextcloud-docker-dev to test
some changes to a nextcloud plugin, as the plugin needs a more recent
version of Nextcloud than is in nixpkgs.
To be available, I need to set up my hosts file correctly and forward
this over nginx for my other devices.
provokateurin is a GitHub user who works for Nextcloud, so I end up
interacting with her/seeing her commits around sometimes. It'd be nice
to verify them...
I'm doing some development using leptos. There are some recommended
options for rust-analyzer in its book:
https://book.leptos.dev/getting_started/leptos_dx.html
Co-Authored-By: Skyler Grey <sky@a.starrysky.fyi>
deadnix finds unused nix code, some versions were giving us trouble
as we rely on some unused parameters to be introspected by callers...
though not all of them
Previously we were running into a race condition where OIDC wouldn't
start early enough, so kavita would load without it. As we have turned
off passwords entirely, this would cause the instance to be unusable
I've copied this wait code directly from our oauth2-proxy stuff, which
has the same problem. We should consider if there's a better way to do
this...
Without these, Kavita cannot access files in the library properly
Previously we had our libraries in a subdirectory of /var/lib/copyparty
While that's an OK idea in theory, in practice it'd require us to make
every directory on the way to /var/lib/copyparty/data/groups/library
+rx to kavita. That's something we're unwilling to do. The true fix is
to move this out so we don't have to meddle with permissions except
those which are directly on this directory
Midnight hosts cache.freshlybakedca.ke, so there are problems (errors)
if it tries to use it too.
Since as there's no process to filter out of a list of values without
losing the rest of the list (*except evaluating twice through scalpel
like processes), we need to disable this at the source. That means it's
best to pull this out into an ingredient and detect whether the
ingredient is enabled for turning the cache on/off...
In our ongoing quest to move away from configuration.nix, this commit
moves printing over to redhead (which to-my-knowledge is the only
machine we want to print on). To store printer configurations (and be
useful in the first place) redhead needs the CUPS directory persisted,
so let's do that...
I have my work dock monitors here, but that's not the only place I dock
my laptop at work: there's also a monitor in our conference room. The
auto layout places it at [0, 0] (due to the laptop monitor needing to be
placed further out so there aren't issues with xwayland...). Therefore,
I need to set it up manually or I will not be able to move windows to it
or otherwise use it.
Co-Authored-By: Skyler Grey <sky@a.starrysy.fyi>
previously, back(@, 1) == @. That feels very weird, so instead now
back(@, 0) == @. Since as back(@, n) was used in the rangediff script,
I also had to update that script to cope with this (it had the correct
behavior already...)
We've had to do some interesting finagling to get this to happen, since
as AFAICT there is no way to do maths in the revset language (so no
way to add 1). Instead, we've done revision- to go back 1 already, so
our argument operates on a revision already 1 in the past.
Of course, 0 isn't going to bring us forward again so we instead have
to coalesce and return the current revision if we have no changes. Again
the revset language gets in our way since as there isn't a way to tell
if we have 0 as a quantity directly. Fortunately, for 0 we can make
a set that is always guaranteed to have the whole repo as members if
and only if our number was 0, and logically-and that with our current
revision to conditionally return it.
We also replaced our heads call with `ancestors(foo-) & ~ancestors(foo)`
- normally equivalent, but better if we've reached the end of our
commits, for example if we do `fwd(5)` when in reality we only have 2
more commits on top of us. Previously that would return the last commit,
now it returns nothing
Finally, we've added some aliases to `fwd(n)` which default to using `@`
since as that seems to be a very common case.
I missed some timecodes when I made my initial espanso set. I'd rather
like shortenings for everything I use, so here are some for these
We wrote these initially before metaedit existed. Now that metaedit does
exist, the `jj describe --reset-author --no-edit` command is deprecated
and posts some warnings about it...
This IP was changed in the release and treefmt workflows, but we missed
it in the build workflow
The power to umber turns off at midnight. Therefore, we should shut it
down beforehand to make sure it shuts down cleanly
Bluesky PDS was trying to remove a specific version of atproto. This
meant that as the version was bumped, the build would break. If we use
find to check the right version to remove, this won't break anymore
unless the build does actually need to change
Nix has a behavior where if you provide a hash, even if the recipe for
a derivation changes nix will not recompute the derivation - provided
it's still in the store. This was causing us trouble with our pds
dependencies after the recent npins bump
if midnight is not connected to tailscale then nginx will fail to start,
if we instead point to the direct IP on the local network then so long as
midnight is online it will always start
Previously we were using a subshell to group our commands, which can't
be used to run an async worker as the async worker is tied to a shell.
Instead, we should be using a command group. We also need to silence
errors on the first job invocation or it'll still print out
I'm here all ~~day~~ until we have auto-PRs set up for tangled
Tangled spindle isn't properly tagged, which means there are often
version compatibilities if we aren't on master. Let's upgrade to it
Spindle has an issue where it sometimes (particularly after failures)
leaks docker resources. Therefore, we should prune them. We shouldn't
prune images automatically because these are commonly used between
workflows, so we need to override the autoprune service to only prune
the stuff we want...
Due to a botched copy-paste job, we were accidentally trying to push
PacketMix instead of sprinkles here. Oops
When cloning, we don't have origin/refs/heads/..., instead branches are
directly under origin/...
Our projects section isn't up-to-date with how we handle conventional
commits with Josh, and nor did it have links to the projects themselves
(which are now useful thanks to our work on adding README files to
subdirectories in Tangled). Let's update these things!
When we pushed up, the license was continually getting cloned out into
the main workspace directory. That's no good, we should be able to fix
this by adding the path to our workspace file directly.
We can do this by redefining the function zsh calls to be a no-op...
I haven't decided if we want this on user machines, but we definitely
don't want it on servers
Refs: https://discourse.nixos.org/t/zsh-configuration-for-new-users-keeps-recurring
I want to make booting not need a PIN/security key press, and therefore
I want to make sure that I'm booting only what is explicitly permitted.
Therefore, let's use lanzaboote! I've set it up before, so it's
relatively simple
Previously, due to a failure to reboot into the correct profile, I
didn't realize that this version had broken strings in the output,
making nginx fail to start
firebrick was my private silverbullet instance, now the job falls to
umber. There needs to be a bit of extra stuff here compared to teal
since as this silverbullet instance shouldn't be accessible by anyone
but me (compared to everyone on the Tailscale...)
Most of this is fairly straightforward, there's just a couple of bits of
complication:
- We need to update packetmix to use the new clone URL
- The order filters are applied in really matters, we need to add the
folders first before we then move out from the top of the workspace
- Our README also needs updating
There were various problems with it before - it was only really
half-modified from the tangled.yml workflow we had over on GitHub!
It now works and has been tested to put up a branch with a test push
The footnote.social dev is interested in using our proxy. We're happy to
let them
Speaking of, we haven't run an npins bump in a while... let's do that
This is a nontrivial npins bump, because catppuccin has added a module
that isn't in the version of home-manager we're using so we need to
import it.
There was an update to the record format of spindle which meant adding
new repos was broken. This bump fixes that
Umber is a system that'll be replacing firebrick in the long term. I
need to transfer over the private silverbullet and set up backups on
here for it to fulfil that role...
Previously we were starting swayidle on niri. Unfortunately, this caused
a race condition where niri idle inhibitions were not respected. As niri
gets idle inhibitions from, say, browsers when playing video, this meant
we had to do nasty hacks such as manually systemd-inhibiting via a shell
By moving startup to systemd, we can start swayidle later - and in much
the same way as starting our SSH agent later avoids its race conditions,
starting swayidle later fixes this issue...
deadnix is a package to find unused nix code, we can add it to enforce
that we don't leave let bindings/inputs/etc. around when they are not
needed
We previously had these records, but we lost them when migrating
stuff...
They are internal mirrors of some external mostlyturquoise records
We want to add some patches to our PDS to enable SSO - and those patches
need us to be on a later version. Therefore, let's upgrade!
bluesky-pds is packaged in a rather interesting way
- The vast majority of the code is in a different repo which is normally
fetched with pnpm - we need to twist stuff so that we build it with
nix
This is part of a series of atproto migration patches. Our plan so
far is:
- [x] Set up a tangled.org spindle
- [x] Set up a PDS
- [ ] Pull in upcoming external idp patches for PDS
^ You are here
- [ ] Set up email for our PDS
- [ ] Set up a tangled.org knot
- [ ] Rename tangled.org spindle to spindle.freshly.space
Internally for Freshly we use Tailscale to access hosts, but Collabora
now also use Tailscale to access hosts. For a while, I've been using
'tailscale switch' to move back/forth but this takes some time and
doesn't allow me to use multiple nets at once.
I evaluated what I wanted to use my own personal tailscale for, and it
was the following things:
- https://files.freshly.space (I have a mounted webdav drive which is
only available over tailscale, and the web interface auto-logs-in over
tailscale which is very nice...)
- https://silverbullet.clicks.codes (All of my notes are here. I would
need to switch notetaking app for work stuff if I were to stop using
my own tailnet)
- https://silverbullet.starrysky.fyi (Actually, some work stuff is also
here because I have some things which I am contractually obliged not
to make public - even to my friends. This one does tailscale auth to
check that I am my own tailscale user)
- My own devices (which I could put on to the work tailnet, although I
would either forgo nice device names or manage my own /etc/hosts and I
would need to manage switching back/forth (potentially making any
/etc/hosts editing pretty fraught...))
While some of this could be put on the work tailnet, by no means all of
it could be.
In contrast, I need the work tailnet to access SSH/web interfaces for
several internal services. These can't be used without it, but I only
really need to use them from redhead.
The cleanest solution is to have multiple tailnets at once - and select
which one I'm using such that the collabora tailnet is only used for the
things it's needed for.
Here's how I'm proxying SSH hosts through the tailnet
    Host collabora-foo foo
        ProxyCommand nc -X 5 -x localhost:1055 %h %p
        Hostname <some tailnet hostname>
        ...
And I'm using the "FoxyProxy" extension in Firefox to do the same for
specific URL matches. I'm hoping this'll be enough to let me neatly
access everything I want to all of the time...
We'd like to move off bluesky's PDS, and the obvious candidate is to set
up our own...
...we've chosen to have our handles *.at.freshlybakedca.ke because they
are technically publicly visible - although we expect to be using custom
domains for most/all accounts on this PDS
...we've chosen to have the pds at pds.freshly.space because, like
files.freshly.space, while *technically* publicly usable (file shares
or accessing our bsky accounts), it is only going to host accounts of
friends and patissiers of freshlybakedca.ke. There is no process to get
an account on our PDS as a general member of the public. It also isn't
generally particularly visible in public UIs. (This criteria also means
that spindle.freshlybakedca.ke should be at spindle.freshly.space, which
we will migrate in the future. Other than that everything we host meets
this criteria)
This is part of a series of atproto migration patches. Our plan so
far is:
- [x] Set up a tangled.org spindle
- [x] Set up a PDS
^ You are here
- [ ] Set up email for our PDS
- [ ] Set up a tangled.org knot
- [ ] Pull in upcoming external idp patches for PDS
- [ ] Rename tangled.org spindle to spindle.freshly.space
While we created the release bookmark fine, we can't push to it unless
we have a non-shallow history...
We just set up a binary cache with nix-serve - let's use it!
We'll keep the old cachix around for now, but it's considered deprecated
:)
Nix-serve is [a cache server](https://github.com/edolstra/nix-serve)
that sets up your nix store to be served as a binary cache. As we're
not going to be using cachix anymore as we are on tangled, we need to do
this to have a cache
I accidentally used the old .sh url when setting this push url. We're
using .org everywhere, let's switch over...
I typoed this command - and unfortunately we can't easily test this
without pushing to main...