commits
I've gotten fed up of Firefox's AI/user unfriendliness and Thunderbird's
broken calendaring, specifically
- Thunderbird, despite being a mail client, cannot seem to send calendar
invites to people. Shockingly, Android's builtin calendar (which is not
a mail client) seems to do a better job at this(!!)
- Firefox seems to be adding more and more AI features which are annoying
to opt out of. I can't be bothered to write the nix config to disable
these as a matter of policy (and I really shouldn't have to). In my
opinion, investing in these features shows that FF is out-of-touch with
its userbase and no longer cares about making a good browsing
experience
- Firefox is behind on important web standards, in my case particularly
WebUSB and Bluetooth (used for some hardware I have)
- Firefox makes decisions which give webmasters the final say rather than
me, the user. Specifically, Firefox has no way to override HSTS
(Chromium lets 'thisisunsafe' override HSTS). This is not only a bad
move on part of user freedom, it's also *really annoying* for
development
- Chromium also makes some of these decisions, *cough ManifestV3*, and
Google attempts to make more, *cough Web Environment Integrity*, but
Vivaldi comes with a built-in Adblocker and I can - more or less -
get everything I need on a Chromium based browser
Vivaldi fixes both of these, at the cost of being proprietary. That means
- We can't build it in CI
- We definitely can't make it default (perhaps it could be an ingredient)
We can't remove the other browsers we have since as we commonly need them
for testing
If anyone has any good FOSS alternatives that I've missed, I'd love to
hear about them... For my purposes, LibreWolf is not a *good* FOSS
alternative (it makes various decisions that break websites), neither is
base Chromium.
In our ongoing quest to move away from configuration.nix, this commit
moves printing over to redhead (which to-my-knowledge is the only
machine we want to print on). To store printer configurations (and be
useful in the first place) redhead needs the CUPS directory persisted,
so let's do that...
I have my work dock monitors here, but that's not the only place I dock
my laptop at work: there's also a monitor in our conference room. The
auto layout places it at [0, 0] (due to the laptop monitor needing to be
placed further out so there aren't issues with xwayland...). Therefore,
I need to set it up manually or I will not be able to move windows to it
or otherwise use it.
Co-Authored-By: Skyler Grey <sky@a.starrysy.fyi>
previously, back(@, 1) == @. That feels very weird, so instead now
back(@, 0) == @. Since as back(@, n) was used in the rangediff script,
I also had to update that script to cope with this (it had the correct
behavior already...)
We've had to do some interesting finagling to get this to happen, since
as AFAICT there is no way to do maths in the revset language (so no
way to add 1). Instead, we've done revision- to go back 1 already, so
our argument operates on a revision already 1 in the past.
Of course, 0 isn't going to bring us forward again so we instead have
to coalesce and return the current revision if we have no changes. Again
the revset language gets in our way since as there isn't a way to tell
if we have 0 as a quantity directly. Fortunately, for 0 we can make
a set that is always guaranteed to have the whole repo as members if
and only if our number was 0, and logically-and that with our current
revision to conditionally return it.
We also replaced our heads call with `ancestors(foo-) & ~ancestors(foo)`
- normally equivalent, but better if we've reached the end of our
commits, for example if we do `fwd(5)` when in reality we only have 2
more commits on top of us. Previously that would return the last commit,
now it returns nothing
Finally, we've added some aliases to `fwd(n)` which default to using `@`
since as that seems to be a very common case.
I missed some timecodes when I made my initial espanso set. I'd rather
like shortenings for everything I use, so here are some for these
We wrote these initially before metaedit existed. Now that metaedit does
exist, the `jj describe --reset-author --no-edit` command is deprecated
and posts some warnings about it...
This IP was changed in the release and treefmt workflows, but we missed
it in the build workflow
The power to umber turns off at midnight. Therefore, we should shut it
down beforehand to make sure it shuts down cleanly
Bluesky PDS was trying to remove a specific version of atproto. This
meant that as the version was bumped, the build would break. If we use
find to check the right version to remove, this won't break anymore
unless the build does actually need to change
Nix has a behavior where if you provide a hash, even if the recipe for
a derivation changes nix will not recompute the derivation - provided
it's still in the store. This was causing us trouble with our pds
dependencies after the recent npins bump
if midnight is not connected to tailscale then nginx will fail to start,
if we instead point to the direct IP on the local network then so long as
midnight is online it will always start
Previously we were using a subshell to group our commands, which can't
be used to run an async worker as the async worker is tied to a shell.
Instead, we should be using a command group. We also need to silence
errors on the first job invocation or it'll still print out
I'm here all ~~day~~ until we have auto-PRs set up for tangled
Tangled spindle isn't properly tagged, which means there are often
version compatibilities if we aren't on master. Let's upgrade to it
Spindle has an issue where it sometimes (particularly after failures)
leaks docker resources. Therefore, we should prune them. We shouldn't
prune images automatically because these are commonly used between
workflows, so we need to override the autoprune service to only prune
the stuff we want...
Due to a botched copy-paste job, we were accidentally trying to push
PacketMix instead of sprinkles here. Oops
When cloning, we don't have origin/refs/heads/..., instead branches are
directly under origin/...
Our projects section isn't up-to-date with how we handle conventional
commits with Josh, and nor did it have links to the projects themselves
(which are now useful thanks to our work on adding README files to
subdirectories in Tangled). Let's update these things!
When we pushed up, the license was continually getting cloned out into
the main workspace directory. That's no good, we should be able to fix
this by adding the path to our workspace file directly.
We can do this by redefining the function zsh calls to be a no-op...
I haven't decided if we want this on user machines, but we definitely
don't want it on servers
Refs: https://discourse.nixos.org/t/zsh-configuration-for-new-users-keeps-recurring
I want to make booting not need a PIN/security key press, and therefore
I want to make sure that I'm booting only what is explicitly permitted.
Therefore, let's use lanzaboote! I've set it up before, so it's
relatively simple
Previously, due to a failure to reboot into the correct profile, I
didn't realize that this version had broken strings in the output,
making nginx fail to start
firebrick was my private silverbullet instance, now the job falls to
umber. There needs to be a bit of extra stuff here compared to teal
since as this silverbullet instance shouldn't be accessible by anyone
but me (compared to everyone on the Tailscale...)
Most of this is fairly straightforward, there's just a couple of bits of
complication:
- We need to update packetmix to use the new clone URL
- The order filters are applied in really matters, we need to add the
folders first before we then move out from the top of the workspace
- Our README also needs updating
There were various problems with it before - it was only really
half-modified from the tangled.yml workflow we had over on GitHub!
It now works and has been tested to put up a branch with a test push
The footnote.social dev is interested in using our proxy. We're happy to
let them
Speaking of, we haven't run an npins bump in a while... let's do that
This is a nontrivial npins bump, because catppuccin has added a module
that isn't in the version of home-manager we're using so we need to
import it.
There was an update to the record format of spindle which meant adding
new repos was broken. This bump fixes that
Umber is a system that'll be replacing firebrick in the long term. I
need to transfer over the private silverbullet and set up backups on
here for it to fulfil that role...
Previously we were starting swayidle on niri. Unfortunately, this caused
a race condition where niri idle inhibitions were not respected. As niri
gets idle inhibitions from, say, browsers when playing video, this meant
we had to do nasty hacks such as manually systemd-inhibiting via a shell
By moving startup to systemd, we can start swayidle later - and in much
the same way as starting our SSH agent later avoids its race conditions,
starting swayidle later fixes this issue...
deadnix is a package to find unused nix code, we can add it to enforce
that we don't leave let bindings/inputs/etc. around when they are not
needed
We previously had these records, but we lost them when migrating
stuff...
They are internal mirrors of some external mostlyturquoise records
We want to add some patches to our PDS to enable SSO - and those patches
need us to be on a later version. Therefore, let's upgrade!
bluesky-pds is packaged in a rather interesting way
- The vast majority of the code is in a different repo which is normally
fetched with pnpm - we need to twist stuff so that we build it with
nix
This is part of a series of atproto migration patches. Our plan so
far is:
- [x] Set up a tangled.org spindle
- [x] Set up a PDS
- [ ] Pull in upcoming external idp patches for PDS
^ You are here
- [ ] Set up email for our PDS
- [ ] Set up a tangled.org knot
- [ ] Rename tangled.org spindle to spindle.freshly.space
Internally for Freshly we use Tailscale to access hosts, but Collabora
now also use Tailscale to access hosts. For a while, I've been using
'tailscale switch' to move back/forth but this takes some time and
doesn't allow me to use multiple nets at once.
I evaluated what I wanted to use my own personal tailscale for, and it
was the following things:
- https://files.freshly.space (I have a mounted webdav drive which is
only available over tailscale, and the web interface auto-logs-in over
tailscale which is very nice...)
- https://silverbullet.clicks.codes (All of my notes are here. I would
need to switch notetaking app for work stuff if I were to stop using
my own tailnet)
- https://silverbullet.starrysky.fyi (Actually, some work stuff is also
here because I have some things which I am contractually obliged not
to make public - even to my friends. This one does tailscale auth to
check that I am my own tailscale user)
- My own devices (which I could put on to the work tailnet, although I
would either forgo nice device names or manage my own /etc/hosts and I
would need to manage switching back/forth (potentially making any
/etc/hosts editing pretty fraught...))
While some of this could be put on the work tailnet, by no means all of
it could be.
In contrast, I need the work tailnet to access SSH/web interfaces for
several internal services. These can't be used without it, but I only
really need to use them from redhead.
The cleanest solution is to have multiple tailnets at once - and select
which one I'm using such that the collabora tailnet is only used for the
things it's needed for.
Here's how I'm proxying SSH hosts through the tailnet
    Host collabora-foo foo
      ProxyCommand nc -X 5 -x localhost:1055 %h %p
      Hostname <some tailnet hostname>
      ...
And I'm using the "FoxyProxy" extension in Firefox to do the same for
specific URL matches. I'm hoping this'll be enough to let me neatly
access everything I want to all of the time...
We'd like to move off bluesky's PDS, and the obvious candidate is to set
up our own...
...we've chosen to have our handles *.at.freshlybakedca.ke because they
are technically publicly visible - although we expect to be using custom
domains for most/all accounts on this PDS
...we've chosen to have the pds at pds.freshly.space because, like
files.freshly.space, while *technically* publicly usable (file shares
or accessing our bsky accounts), it is only going to host accounts of
friends and patissiers of freshlybakedca.ke. There is no process to get
an account on our PDS as a general member of the public. It also isn't
generally particularly visible in public UIs. (This criteria also means
that spindle.freshlybakedca.ke should be at spindle.freshly.space, which
we will migrate in the future. Other than that everything we host meets
this criteria)
This is part of a series of atproto migration patches. Our plan so
far is:
- [x] Set up a tangled.org spindle
- [x] Set up a PDS
^ You are here
- [ ] Set up email for our PDS
- [ ] Set up a tangled.org knot
- [ ] Pull in upcoming external idp patches for PDS
- [ ] Rename tangled.org spindle to spindle.freshly.space
While we created the release bookmark fine, we can't push to it unless
we have a non-shallow history...
We just set up a binary cache with nix-serve - let's use it!
We'll keep the old cachix around for now, but it's considered deprecated
:)
Nix-serve is [a cache server](https://github.com/edolstra/nix-serve)
that sets up your nix store to be served as a binary cache. As we're
not going to be using cachix anymore as we are on tangled, we need to do
this to have a cache
I accidentally used the old .sh url when setting this push url. We're
using .org everywhere, let's switch over...
I typoed this command - and unfortunately we can't easily test this
without pushing to main...
We're remote building in CI to get around Tangled's limitations for nix
(and to avoid us having to figure out how to make nixery play nice with
a mounted nix daemon...)
Therefore, we'll need a remoteBuilds key that our Spindle can use
There's a race condition here where teal sometimes looks up midnight
when not connected to tailscale. If it does that, it resolves midnight
on the local network. That would be entirely fine if we weren't just
listening on Tailscale.
Further, that lookup can then get cached, bringing down the spindle even
when tailscale comes up
We trust the local network, let's just allow this route too...
Spindles don't really like it when you delete their state every
time they turn on. It tends to lead to lost logs and repulled nixery
containers. Let's fix that...
We're overloading midnight with our CI - let's stop ourselves from
trying to do more things than midnight supports at once...
On GitHub, we had a workflow which released packetmix when we built
successfully on main - avoiding rebases breaking release builds/etc.
Let's do that again here :)
When we push, josh sometimes seems to pull before it pushes. That causes
our SSH key to be used twice, triggering a double pin entry/etc. with a
security key. That's mildly annoying...
Luckily, we should always be able to pull over http, so we can just use
that for all pulls whether we're nominally using SSH or not!
Tangled has renamed from https://tangled.sh to https://tangled.org
https://bsky.app/profile/tangled.org/post/3lz5dmdtl4s2s
We love that for them - but Josh doesn't properly follow the redirects
for http URLs so we'll have to change them...
Jujutsu's templates for this are for how far ahead/behind the remote
branch is compared to the local branch vs how far ahead/behind we
are from the remote branch... it makes more sense to have this the other
way around (and clarify in the comment...)
I've attempted to use colors that are fairly close to the original
colors, and use the 8-bit shell colors where possible so these should
change nicely with different terminal themes...
I've not changed colors of anything that looked related to a specific
project (e.g. python logo colors) though I *did* change colors of some
projects that didn't seem to particularly identify with the color picked
(taskwarrior). I'm sure I've done something wrong. Oh well :shrugging: -
maybe we should slim down/split up this p10k file as much as possible...
we don't use most of the things here anyway...
I've not tested this on any theme except latte... perhaps
at://thecoded.prof could take a look at how this looks on dark themes?