From 2e74a2172c3309592e220f887609db3bc2cd671c Mon Sep 17 00:00:00 2001
From: Stefan Junker <mail@stefanjunker.de>
Date: Sat, 15 Jan 2022 20:34:30 +0100
Subject: [PATCH] use niv and add device elias-e525

---
 .envrc                                        |   8 +-
 .../configuration/graphical-fullblown.nix     |   4 +-
 .../configuration/graphical-gnome3.nix        | 129 +++++++++++++
 .../configuration/graphical-removable.nix     |   2 +-
 nix/home-manager/profiles/dotfiles.nix        |   7 +-
 nix/home-manager/programs/neovim.nix          |   2 +-
 nix/os/devices/elias-e525/boot.nix            |   8 +
 nix/os/devices/elias-e525/configuration.nix   |  14 ++
 nix/os/devices/elias-e525/hw.nix              |  14 ++
 nix/os/devices/elias-e525/pkg.nix             |  59 ++++++
 nix/os/devices/elias-e525/system.nix          |  57 ++++++
 nix/os/devices/elias-e525/user.nix            |  16 ++
 nix/os/devices/elias-e525/versions.nix        |  30 +++
 nix/os/devices/elias-e525/versions.tmpl.nix   |  30 +++
 nix/os/devices/fwhost1/user.nix               |   4 -
 nix/os/profiles/common/system.nix             |   1 +
 nix/os/profiles/graphical/system.nix          |   1 +
 nix/pkgs/default.nix                          |   4 +-
 nix/sources.json                              |  14 ++
 nix/sources.nix                               | 174 ++++++++++++++++++
 nix/variables/passwords.crypt.nix             | Bin 1450 -> 1645 bytes
 shell.nix                                     |  14 +-
 22 files changed, 572 insertions(+), 20 deletions(-)
 create mode 100644 nix/home-manager/configuration/graphical-gnome3.nix
 create mode 100644 nix/os/devices/elias-e525/boot.nix
 create mode 100644 nix/os/devices/elias-e525/configuration.nix
 create mode 100644 nix/os/devices/elias-e525/hw.nix
 create mode 100644 nix/os/devices/elias-e525/pkg.nix
 create mode 100644 nix/os/devices/elias-e525/system.nix
 create mode 100644 nix/os/devices/elias-e525/user.nix
 create mode 100644 nix/os/devices/elias-e525/versions.nix
 create mode 100644 nix/os/devices/elias-e525/versions.tmpl.nix
 create mode 100644 nix/sources.json
 create mode 100644 nix/sources.nix

diff --git a/.envrc b/.envrc
index 051d09d..64034fb 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,7 @@
-eval "$(lorri direnv)"
+# if ! has nix_direnv_version || ! nix_direnv_version 1.5.1; then
+#   source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/1.5.1/direnvrc" "sha256-p4CDMJjuBmEh9pkn2aoJrZqr0DlPZHPU7eXOSDzzcuo="
+# fi
+# use_flake . --impure
+
+use nix
+
diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix
index cb64984..95636d8 100644
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@@ -145,7 +145,7 @@ in {
       vlc
       audacity
       spotify
-      pythonPackages.youtube-dl-light
+      youtube-dl-light
       libwebcam
 
       # Network Tools
@@ -252,7 +252,7 @@ in {
       pcmanfm
       hdparm
       testdisk
-      pythonPackages.binwalk
+      binwalk
       gptfdisk
       gparted
       smartmontools
diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix
new file mode 100644
index 0000000..18ca755
--- /dev/null
+++ b/nix/home-manager/configuration/graphical-gnome3.nix
@@ -0,0 +1,129 @@
+{ pkgs }:
+
+let
+  zshCurried = import ../programs/zsh.nix { inherit pkgs; };
+in
+
+{ pkgs
+, config,
+... }:
+
+let
+  unstablepkgs = import <channels-nixos-unstable> { config = config.nixpkgs.config; };
+
+in {
+  imports = [
+    ../profiles/common.nix
+    ../programs/firefox.nix
+    # ../programs/chromium.nix
+    # FIXME: fix homeshick when no WAN connection is available
+    # ../programs/homeshick.nix
+    ../programs/libreoffice.nix
+    ../programs/neovim.nix
+    ../programs/pass.nix
+    zshCurried
+  ];
+
+  nixpkgs.config = {
+    pidgin = {
+      openssl = true;
+      gnutls = true;
+    };
+
+    packageOverrides = pkgs: with pkgs; {
+    };
+  };
+
+  home.sessionVariables = {
+  };
+
+
+  home.packages =
+    [] ++ (with pkgs; [
+      # Nix package related tools
+      patchelf
+      nix-index
+      nix-prefetch-scripts
+
+      # Version Control Systems
+      gitless
+
+      # Process/System Administration
+      htop
+      gnome3.gnome-tweak-tool
+      xorg.xhost
+      dmidecode
+      evtest
+
+      # Archive Managers
+      sshfsFuse
+      xarchive
+      p7zip
+      zip
+      unzip
+      gzip
+      lzop
+
+      # Password Management
+      gnome3.gnome_keyring
+      gnome3.seahorse
+
+      # Remote Control Tools
+      remmina
+      freerdp
+
+      # Network Tools
+      openvpn
+      tcpdump
+      iftop
+      iperf
+      bind
+      socat
+
+      # samba
+      iptables
+      nftables
+      wireshark
+
+      # Code Editors
+      xclip
+      xsel
+      unstablepkgs.vscode
+
+      # Image/Graphic/Design Tools
+      gnome3.eog
+      gimp
+      inkscape
+
+      # Misc Development Tools
+      qrcode
+      jq
+      cdrtools
+
+      # Document Processing and Management
+      zathura
+
+      # File Synchronzation
+      rsync
+
+      # Filesystem Tools
+      ntfs3g
+      ddrescue
+      ncdu
+      unstablepkgs.woeusb
+      unetbootin
+      pcmanfm
+      hdparm
+      testdisk
+      python38Packages.binwalk
+      gptfdisk
+
+      ## Python
+      myPython
+
+      busyboxStatic
+
+      # Virtualization
+      virtmanager
+  ]);
+}
diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix
index cd62667..ac52b36 100644
--- a/nix/home-manager/configuration/graphical-removable.nix
+++ b/nix/home-manager/configuration/graphical-removable.nix
@@ -117,7 +117,7 @@ in {
       pcmanfm
       hdparm
       testdisk
-      python38Packages.binwalk
+      binwalk
       gptfdisk
 
       ## Python
diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix
index 2609ee2..6b5f114 100644
--- a/nix/home-manager/profiles/dotfiles.nix
+++ b/nix/home-manager/profiles/dotfiles.nix
@@ -7,7 +7,8 @@ let
   vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {};
 
 in {
-  home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
-    $DRY_RUN_CMD ${vcshActivationScript}
-  '';
+  # TODO: fix the dotfiles
+  # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
+  #   $DRY_RUN_CMD ${vcshActivationScript}
+  # '';
 }
diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix
index 1dd0d92..92dfd17 100644
--- a/nix/home-manager/programs/neovim.nix
+++ b/nix/home-manager/programs/neovim.nix
@@ -10,7 +10,7 @@ in {
   };
 
   programs.neovim = {
-    enable = false;
+    enable = true;
 
     extraPython3Packages = (ps: with ps; [ ]);
 
diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix
new file mode 100644
index 0000000..2f5f8ea
--- /dev/null
+++ b/nix/os/devices/elias-e525/boot.nix
@@ -0,0 +1,8 @@
+{ lib
+, ...
+}:
+
+{
+  boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
+  boot.loader.efi.canTouchEfiVariables = lib.mkForce false; 
+}
diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix
new file mode 100644
index 0000000..b78c268
--- /dev/null
+++ b/nix/os/devices/elias-e525/configuration.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+  imports = [
+    ../../profiles/common/configuration.nix
+    ../../profiles/graphical/configuration.nix
+    ../../modules/opinionatedDisk.nix
+
+    ./system.nix
+    ./hw.nix
+    ./pkg.nix
+    ./user.nix
+  ];
+}
diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix
new file mode 100644
index 0000000..b47e571
--- /dev/null
+++ b/nix/os/devices/elias-e525/hw.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+  # TASK: new device
+  hardware.opinionatedDisk = {
+    enable = true;
+    encrypted = false;
+    diskId = "ata-KINGSTON_SV100S2128G_08BAB0020855";
+  };
+
+  # boot.initrd.availableKernelModules = stage1Modules;
+  boot.extraModprobeConfig = ''
+  '';
+}
diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix
new file mode 100644
index 0000000..29a494b
--- /dev/null
+++ b/nix/os/devices/elias-e525/pkg.nix
@@ -0,0 +1,59 @@
+{ pkgs
+, lib
+, ...
+}:
+
+let
+  homeEnv = keyboard: 
+    {
+      imports = [
+        (import ../../../home-manager/configuration/graphical-gnome3.nix { inherit pkgs; })
+      ];
+
+      home.keyboard = keyboard;
+
+      home.packages = with pkgs; [
+        rhythmbox
+        lollypop
+        dia
+        kotatogram-desktop
+        jitsi
+      ];
+    };
+in
+
+{
+  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+    nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+  };
+
+  services.gnome = 
+    builtins.mapAttrs
+    (attr: value: lib.mkForce value)
+    {
+      games.enable = true;
+      gnome-remote-desktop.enable = true;
+      gnome-user-share.enable = true;
+      rygel.enable = true;
+      sushi.enable = true;
+      tracker.enable = true;
+      tracker-miners.enable = true;
+    }
+    ;
+
+  home-manager.users.steveej = homeEnv {
+    layout = "en";
+    options = [ "nodeadkey" ];
+    variant = "altgr-intl";
+  };
+
+  home-manager.users.elias = homeEnv {
+    layout = "de";
+    options = [];
+    variant = "";
+  };
+
+
+  services.teamviewer.enable = true;
+  system.stateVersion = "21.11";
+}
diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix
new file mode 100644
index 0000000..3c209e3
--- /dev/null
+++ b/nix/os/devices/elias-e525/system.nix
@@ -0,0 +1,57 @@
+{ pkgs
+, lib
+, config
+, ... }:
+
+
+let
+
+in
+{
+  # TASK: new device
+  networking.hostName = "elias-e525"; # Define your hostname.
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [
+    # iperf3
+    5201
+  ];
+
+  networking.firewall.logRefusedConnections = false;
+  networking.usePredictableInterfaceNames = false;
+
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [
+      mfcl3770cdw.driver
+      mfcl3770cdw.cupswrapper
+    ];
+  };
+
+  services.fprintd.enable = true;
+  security.pam.services = {
+    login.fprintAuth = true;
+    sudo.fprintAuth = true;
+  };
+
+  services = {
+    xserver = {
+      layout = lib.mkForce "de";
+      xkbVariant = lib.mkForce "";
+      xkbOptions = lib.mkForce "";
+      displayManager.autoLogin.enable = lib.mkForce false;
+      desktopManager.gnome.enable = true;
+    };
+
+    # dbus.packages = [ pkgs.gnome3.dconf ];
+    # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
+  };
+
+  security.pki.certificateFiles = [
+    "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+  ];
+
+  services.xserver.videoDrivers = [ "modesetting" ];
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+}
diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix
new file mode 100644
index 0000000..46d9714
--- /dev/null
+++ b/nix/os/devices/elias-e525/user.nix
@@ -0,0 +1,16 @@
+{ config
+, pkgs
+, ... }:
+
+let
+  passwords = import ../../../variables/passwords.crypt.nix;
+  keys = import ../../../variables/keys.nix;
+  inherit (import ../../lib/default.nix { }) mkUser;
+
+in {
+  users.extraUsers.elias = mkUser {
+    uid = 1001;
+    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+    hashedPassword = passwords.users.elias;
+  };
+}
diff --git a/nix/os/devices/elias-e525/versions.nix b/nix/os/devices/elias-e525/versions.nix
new file mode 100644
index 0000000..90ba115
--- /dev/null
+++ b/nix/os/devices/elias-e525/versions.nix
@@ -0,0 +1,30 @@
+let
+  nixpkgs = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "nixos-21.11";
+    rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
+  };
+in
+
+{
+  inherit nixpkgs;
+  nixos = nixpkgs // {
+    suffix = "/nixos";
+  };
+  "channels-nixos-stable" = nixpkgs;
+  "channels-nixos-unstable" = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "nixos-unstable";
+    rev = "5aaed40d22f0d9376330b6fa413223435ad6fee5";
+  };
+  "nixpkgs-master" = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "master";
+    rev = "c4d1eff44eb12cb5500fb2ab05a1a7303711254e";
+  };
+  "home-manager-module" = {
+    url = "https://github.com/nix-community/home-manager";
+    ref = "release-21.11";
+    rev = "697cc8c68ed6a606296efbbe9614c32537078756";
+  };
+}
diff --git a/nix/os/devices/elias-e525/versions.tmpl.nix b/nix/os/devices/elias-e525/versions.tmpl.nix
new file mode 100644
index 0000000..f90cf31
--- /dev/null
+++ b/nix/os/devices/elias-e525/versions.tmpl.nix
@@ -0,0 +1,30 @@
+let
+  nixpkgs = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "nixos-21.11";
+    rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '\n' -%>";
+  };
+in
+
+{
+  inherit nixpkgs;
+  nixos = nixpkgs // {
+    suffix = "/nixos";
+  };
+  "channels-nixos-stable" = nixpkgs;
+  "channels-nixos-unstable" = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "nixos-unstable";
+    rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+  };
+  "nixpkgs-master" = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "master";
+    rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+  };
+  "home-manager-module" = {
+    url = "https://github.com/nix-community/home-manager";
+    ref = "release-21.11";
+    rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d '\n' -%>";
+  };
+}
diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix
index 1c33f83..ab7656d 100644
--- a/nix/os/devices/fwhost1/user.nix
+++ b/nix/os/devices/fwhost1/user.nix
@@ -8,8 +8,4 @@ let
   inherit (import ../../lib/default.nix { }) mkUser;
 
 in {
-  # users.extraUsers.steveej2 = mkUser {
-  #   uid = 1001;
-  #   openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-  # };
 }
diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix
index 82ea2e1..f07f618 100644
--- a/nix/os/profiles/common/system.nix
+++ b/nix/os/profiles/common/system.nix
@@ -77,4 +77,5 @@
   programs.zsh.enable = true;
   users.defaultUserShell = pkgs.zsh;
   environment.pathsToLink = [ "/share/zsh" ];
+  programs.fuse.userAllowOther = true;
 }
diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix
index 9b2469b..4b5faed 100644
--- a/nix/os/profiles/graphical/system.nix
+++ b/nix/os/profiles/graphical/system.nix
@@ -41,6 +41,7 @@
     libinput.touchpad.naturalScrolling = true;
 
     videoDrivers = [ "qxl" "modesetting" "ati" "cirrus" "intel" "vesa" "vmware" "modesetting" ];
+    layout = "en";
     xkbVariant = "altgr-intl";
     xkbOptions = "nodeadkeys";
 
diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix
index 8200fbc..3ea7ba6 100644
--- a/nix/pkgs/default.nix
+++ b/nix/pkgs/default.nix
@@ -87,8 +87,8 @@ in rec {
   mfcl3770cdw = pkgs.callPackage ../pkgs/mfcl3770cdw.nix {};
   staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; };
 
-  pythonPackages = pkgs.python38Packages;
-  myPython = pkgs.python38Full.withPackages (ps: with ps; [
+  pythonPackages = myPython;
+  myPython = pkgs.python39.withPackages (ps: with ps; [
     pep8 yapf flake8
     # autopep8 (broken)
     # pylint (broken)
diff --git a/nix/sources.json b/nix/sources.json
new file mode 100644
index 0000000..58a92f1
--- /dev/null
+++ b/nix/sources.json
@@ -0,0 +1,14 @@
+{
+    "nixpkgs": {
+        "branch": "release-21.11",
+        "description": "DEPRECATED! Use NixOS/nixpkgs repository instead.",
+        "homepage": "https://github.com/NixOS/nixpkgs",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "00d17d8ddc4c12bae0cd750eb2bb51ee813a5301",
+        "sha256": "1n0dqvvjzq5iswdrn6hs3fsczy2cyd8d2riphnh8vsdkipc2nxxs",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/00d17d8ddc4c12bae0cd750eb2bb51ee813a5301.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    }
+}
diff --git a/nix/sources.nix b/nix/sources.nix
new file mode 100644
index 0000000..1938409
--- /dev/null
+++ b/nix/sources.nix
@@ -0,0 +1,174 @@
+# This file has been generated by Niv.
+
+let
+
+  #
+  # The fetchers. fetch_<type> fetches specs of type <type>.
+  #
+
+  fetch_file = pkgs: name: spec:
+    let
+      name' = sanitizeName name + "-src";
+    in
+      if spec.builtin or true then
+        builtins_fetchurl { inherit (spec) url sha256; name = name'; }
+      else
+        pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
+
+  fetch_tarball = pkgs: name: spec:
+    let
+      name' = sanitizeName name + "-src";
+    in
+      if spec.builtin or true then
+        builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
+      else
+        pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
+
+  fetch_git = name: spec:
+    let
+      ref =
+        if spec ? ref then spec.ref else
+          if spec ? branch then "refs/heads/${spec.branch}" else
+            if spec ? tag then "refs/tags/${spec.tag}" else
+              abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
+    in
+      builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
+
+  fetch_local = spec: spec.path;
+
+  fetch_builtin-tarball = name: throw
+    ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
+        $ niv modify ${name} -a type=tarball -a builtin=true'';
+
+  fetch_builtin-url = name: throw
+    ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
+        $ niv modify ${name} -a type=file -a builtin=true'';
+
+  #
+  # Various helpers
+  #
+
+  # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
+  sanitizeName = name:
+    (
+      concatMapStrings (s: if builtins.isList s then "-" else s)
+        (
+          builtins.split "[^[:alnum:]+._?=-]+"
+            ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
+        )
+    );
+
+  # The set of packages used when specs are fetched using non-builtins.
+  mkPkgs = sources: system:
+    let
+      sourcesNixpkgs =
+        import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
+      hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
+      hasThisAsNixpkgsPath = <nixpkgs> == ./.;
+    in
+      if builtins.hasAttr "nixpkgs" sources
+      then sourcesNixpkgs
+      else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
+        import <nixpkgs> {}
+      else
+        abort
+          ''
+            Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+            add a package called "nixpkgs" to your sources.json.
+          '';
+
+  # The actual fetching function.
+  fetch = pkgs: name: spec:
+
+    if ! builtins.hasAttr "type" spec then
+      abort "ERROR: niv spec ${name} does not have a 'type' attribute"
+    else if spec.type == "file" then fetch_file pkgs name spec
+    else if spec.type == "tarball" then fetch_tarball pkgs name spec
+    else if spec.type == "git" then fetch_git name spec
+    else if spec.type == "local" then fetch_local spec
+    else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
+    else if spec.type == "builtin-url" then fetch_builtin-url name
+    else
+      abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
+
+  # If the environment variable NIV_OVERRIDE_${name} is set, then use
+  # the path directly as opposed to the fetched source.
+  replace = name: drv:
+    let
+      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
+      ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
+    in
+      if ersatz == "" then drv else
+        # this turns the string into an actual Nix path (for both absolute and
+        # relative paths)
+        if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
+
+  # Ports of functions for older nix versions
+
+  # a Nix version of mapAttrs if the built-in doesn't exist
+  mapAttrs = builtins.mapAttrs or (
+    f: set: with builtins;
+    listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
+  );
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
+  range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
+  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
+  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
+  concatMapStrings = f: list: concatStrings (map f list);
+  concatStrings = builtins.concatStringsSep "";
+
+  # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
+  optionalAttrs = cond: as: if cond then as else {};
+
+  # fetchTarball version that is compatible between all the versions of Nix
+  builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchTarball;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchTarball attrs;
+
+  # fetchurl version that is compatible between all the versions of Nix
+  builtins_fetchurl = { url, name ? null, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchurl;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchurl attrs;
+
+  # Create the final "sources" from the config
+  mkSources = config:
+    mapAttrs (
+      name: spec:
+        if builtins.hasAttr "outPath" spec
+        then abort
+          "The values in sources.json should not have an 'outPath' attribute"
+        else
+          spec // { outPath = replace name (fetch config.pkgs name spec); }
+    ) config.sources;
+
+  # The "config" used by the fetchers
+  mkConfig =
+    { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
+    , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
+    , system ? builtins.currentSystem
+    , pkgs ? mkPkgs sources system
+    }: rec {
+      # The sources, i.e. the attribute set of spec name to spec
+      inherit sources;
+
+      # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
+      inherit pkgs;
+    };
+
+in
+mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix
index 404dea4cf3e93eeea79d4473006606202cbf3b77..5d18460463fe367175d414044daa7ace23886a6d 100644
GIT binary patch
literal 1645
zcmZQ@_Y83kiVO&0nD5!Y`|h=R0q>e0OdaYKZ#9c|KD+myiNEf%LDaO$ily}z=f5&N
z!nt!Vht7<edroYR^7ZuIN6vV2Qq;eCf5ftcSLdRX*;MabGg+a#A!o+9V;na$RQi@)
z{nEgFhKo~es|{O%g??q1w6afoiW$cb%TF)1IeK24ecWbCb-~hpZJRSH-;Is#x8~m6
z^L<O1l*fv=;=MgFUp5!mMn7u{KDf5^>cr(wr$?JF+_>JcFPS^qs9sc$bv6TI>3NQA
zzvA74k6ms0(l~pI`s0v~DI)vJint@PFa1ahZ}}0Tyfayj!RAlI)IgRiu4N~GyUMv(
zbc*rMX@0}P@lUw#t$%;)ZH*IQ7M|OmOewv!tGn<`%~2li<2e^BE;ZhH!K0HWcJapR
zL*|z|8&<i`lRdHK`sE|xQ!*}^ufFm#<w!YabMW-DYi|h|#Yop*%QBAFPkZ%2s;B?g
z^@OP_g9UnzCs>rQT<e>4sYcm<J{wcHJUioikF)X`mBu;$4<1?FmnN|8yYa$@%byl#
zzb({1#IwD+Zc|yk)_k|Et5=k~=x?7h_qa~X;mH?HH27{(NO{M3HZdT*RPzes8?U~M
z-G}3>J(=`xhUv`r-8lVZ%Ol0kZ8lA1+`JVB9?T21ZSXgUUMMLfvaWH~wQ5yo*VkWm
zE!rG8@32hghWJz!9uD7|wVUk2-6za!N^9RBDYsYa!Hke(|3@-~r4x!iriw}5_Bc><
zv_JOAJ<DHAOBahT`809MjFvfv-%ovQ<r|%5>+|pPgH>U6ZWdeXn+`CQRUOe>ILU}R
z{2;#--{(-tXy-U<`MTOCduwH$C2!g`;aXwV*BLG@J<_iO+?0&J*;T1N{cy?b+~u9A
zth#5XJT&4Ct5j=0VsS1<s^M~y)Fl_WX+jPR+G{Q5)=hZczhmCDV~#7NP0mPOxwrJa
z?9~HP-S|$`23_FSxOA+;Qh%PqLH*ypyI#%QoxJM&*S<CFrutc*6TYZ3m_@gXZNGFb
zIP>O9)rxeDDSb&*&-Uz>tZ)jR6eA{b_(QVX(Tz(MeU6lC72T-p`eXf?x7UukN89E^
zhMc+-@qBXIPu}gbGB+!}E>T;_pyHXhq;{R_z3N!UYCooHPut6#FU!kJU-kIF=jHi)
z<tduJGvB`m&p6sTL;6xz){LX&mwhJ$-qP=RY8KHp>7(_%2TChC`gciI^@?-kZ;$xC
z@{;b$xv|$7Tdt`7O}B}?$}To{`Q6gjpI1&x5&yLP6G!CT4*4~P{wu<`nDwrePh2g{
z)L{O2=hWm0qCfk!j(g~R`#VK<f`ew}B+1+J1i!5IeqI;%p(Ey-$A6XRgbgJN+TF#z
zPFB1i?LWP`Lb^(vOYcpRQoqrZrw#9&W^b4Fdr;iFRecS=R`K#c<*M_0*HpfgdhKv>
z*ExmP;ikt<ew_BvC??SLR-7--!G>QpYJ7*R@)n3+@(hpOB4ca0Y<=*|Pl7*{-5Y+*
z=jckYb9_4SpX8KhKVJXnGn=yO&m(uw1N`diLROtMlh)kz#7$YDVt1&ecF~0iRw*kC
zEf2OitIhO!(9v;b+YM9BfDOB6MV)Lbc_VFCw4L|zi|^qJi{rl@I&s5Uo$ZRPs73h)
zyN36te@&dbYqJFB&-(>(O2+r5hc^Uu+iY_?*6q4GJ-GbD@#gsl_-bYpFFkqfOma=%
z@<+>$x_c@x-`#sLiuux4MVFQf)i%s#m*aBf<K}--xMN_WH8JDA)-Bh0D$=v=>)CtM
z9?Wumxh&>mq*$W-q(hS1Ri8cIRJkU8LW0ZMeMeTld>?d>|C!Y6i&25$MwQd-7?@^>
zZggYFdsD=H>%rrlYMZ+md1CXUzg%_t=F=Jc^|6J?o*kN;ZWA|TST}yL&~A$k%d%d0
zu+z7+`oR3;rYFX({!;a8B^F*T?uu*dym9Khik-zD*0<^#+nUZ!J-V-D!Hmb5*7~K>
zrr8|5t^UP7q|j8@FG8PVn~vO_&8u954727fZ1bAB>F2kVhwP7@UAH`9<<13)H^X);
z7gKG1<+e;=%by3g+U~v8b!yu!X`sbXX|Snv;kI9?zVpI1$ZUGQ?DU+Z#dibwwlQ(P
z<hk@9B1TSb{l(V3E4;4FZ3$WV_;vP5bCoo)+#6oZ8_fH+TsPjsy85nxzsCR7i=x7}
zm8M*t^Fef~P;;We@9C?Hyv*N8Tb*E?|L$GY{3UiRd-mR`I3KrbpW8>Jj!8BD76}US
Z>+fE$&rxhqM3D3H`-W#UTuf&j1puusEeZet

literal 1450
zcmZQ@_Y83kiVO&0c%o*PW+@YY=y-78R|Y-KBSO}$kAsa)ZE^dX5*QWOuCOiO<=2i)
zdjemV{R);^*gj3b*}i-4wL?bR-YD%;U#UN3`J>bICT=_0wVU3v?s)L~cbb23|DBsF
z!r2oX?p}DE&hg1+XWC*XA(i`&PO(3~Ki$JF%<H@G&6#^97Vdv8_T-$&P3PM$<oOq!
z)<6C<@fF+4oZGeqzeSkhUmcugzR}OeSIxZ1$+rIeW6hv@4AYKU{SjXC*v9#c@|3>$
zLIQjV=1OuiJa6r3Ez@Vex4^bEVV1zj^v}~mBu{=8opmNWfL&y&b<wP8PKxa|8sTy0
z|EABE-fnl;u4bXDp(FDigM^}Z!&}1pgqwY?2ug}=J+-fX>MGH-+cFCrgCpuLUx--V
zCiCKt{g%(sKU^1Yk36Q%d6Ye@@$M{>pIaG%*1eCLYcoMN@9&9QIZD=-oln-bq$hBh
z^qL)bTzdJ+Gu7G|`^-CI0!+`aM}_|V);Qll|Nbur$N1hIp@uRlb>+w6rc9~WA*psI
zv(;tM386C21;@Ur_r8)pVbbr!lYZ5{Z`)?Ay%`f5rcDn1eOkpkZmQ>*&TkU+zo#8?
zWAWa->8XvNfSgUu+05*x2lMZXsuZ6pmcOy~ix=;w^th6Re;RK;kj(Ron0M{r?GtD6
z`5E?3>3I6+VW+ye>NL-dbJ$ZD&NBQy^&vCgvSrQUCw{&2QdM@m+$Nb+XFG=>{G>(s
zHvLn|Q+BD89n?xPdzNYBV-~n#!KqoFYp1r!91dNZbXGy7iZ%6QV%d#w-7XGmrqzG^
zw$D7}v-qOM3U!A420PbZj#|Pw*D;altE8CK+Iats_a_Sb?Ol=Z@&3z@2H!7>15SKS
z|0*--LT^ci(R63sN70@S?!RBll(s3y{KTuErg^iPKkVE2r>4q!+M&mc3yR;(ICrMu
zfJ3yBjgC-}gvb1cufFH~OH(+x@X9NV4jJX;eiBR@<)%hI<7;eP>+^#z`NVeZmbRZC
zCSBRioW>UVh|x)_BX7Rn(=XQ#i2T>CJKBA*qP=ZTY3fOCj}n)4ZzX0IO?uX%w8cPg
z>Z7H$m$%0+?G<-BP{&&)A#ytWZXV|n5tfT4)8Z#RVXhYy?!CJpR>zn{^<hIPZ;I*3
zUq?=Uw!J8O=(?u;yy^q9l)7ea<$dy8OfX0BqV(?B6XkWZrp2|&e3>)DSnWpB{5i)t
zW;LaAf8N&lR`uV4_@9bWZtFvYW(40qGDrIUwMjN>rXTznn0qtiujl<p)r^O}$LISz
zSh>W<qAvMCsJ~XX!OC)lS4jnSd>qP)DnqLeScLSx;c)ls@mRrARkV2TZsnf0r`E1>
zezEs+igCj`+sKyGlHK{a`&Ud(SvL9B+i7J26BoRfFAR`q@wIKu`N6jMMOA>1g6J`;
zO)qqkc6Q#|^6z`iO!Xf-CLX@LH$nQzTGNuxa`|WKB0J7H%l^`^kO--e;hZ`*TX*|s
zeLd0S$_J+#)s)WuOM7%E^rheBxyNF<8wEDqwa$64J@CoW!}aSgeLE?q&izE_N=)s~
zXTs<H_{N^x7sSZQC+9F-^t_El?4JVZ<nB-1UzQ1a&9qdzW`8B**GV0{k6Ksr-74O#
z+;i!&{EKbhls_^aE`Of0jv@YR*DG0RhYeD{uWorSX>;<<!yIO{BkgC7o>Z?iIBfiI
z{U?Q3v8Q*RJY2i@<C^MAa#62)!tcFSIR9MaeM*RK=RC&MfA?ps-l`rZtmVLd@s@#m
zYnIVp1;4L)yDn&JZm|0M{o1C^yDX+EYpyQllxTaO_*8R`am=O{HoyBkJJ)|ZE0Jq5
z|49{73ww!c)`DyM_RllkmsdQuj(xI+#4U~Dhb}sPtZm<?oKug|dm7;t(|7b*vg-aO
zi>B2T+l`Fv&nxqoR3w;Mwm%b^H_h$t<>jmysjH8l$T)brD!%um;}2CkPT9-%8KwxI
cZ~AflU(ux*dnPqo@GdQ4jG4Aa+Ng^Y0RD*2I{*Lx

diff --git a/shell.nix b/shell.nix
index c1e6a13..ba25b0d 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,21 +1,23 @@
 { ... }:
 
 let
-  channels-nixos-stable-path = (builtins.fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/dbacfa172f9a6399f180bcd0aef7998fdec0d55a.tar.gz);
-  channels-nixos-stable = import channels-nixos-stable-path { overlays = builtins.attrValues (import ./nix/overlays); };
+  pkgsPath = (import ./nix/sources.nix).nixpkgs;
+  pkgs = import pkgsPath { overlays = builtins.attrValues (import ./nix/overlays); };
 
 in
-with channels-nixos-stable;
-stdenv.mkDerivation {
+
+pkgs.stdenv.mkDerivation {
   name = "infra-env";
   buildInputs = [
-    (with import (channels-nixos-stable-path+"/nixos") { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ])
+    (with import (pkgsPath+"/nixos") { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ])
+    ] ++ (with pkgs; [
     just
     git-crypt
     vcsh
     gnupg
     git
     nixUnstable
+    niv
 
     vncdo
     tesseract
@@ -28,7 +30,7 @@ stdenv.mkDerivation {
     sysstat
     lshw
     xxHash
-  ];
+  ]);
 
   # Set Environment Variables
   RUST_BACKTRACE = 1;