vanadium/connectivity: use npins to pin dns ai blocklist

Another week another useless abstraction

nix/configurations/vanadium/home/xmobar/xmobar.hs

@@ -77,6 +77,7 @@ config =
               , "--target", "2025-10-13=no teef"
               , "--target", "2025-10-31=dragon book"
               , "--target", "2025-11-29=à deux"
+              , "--target", "2025-12-16=dragon book²"
               , "--target", "2025-12-30=seule"
               ]
               ""

nix/configurations/vanadium/nixos/connectivity.nix

@@ -38,98 +38,134 @@
       secretsFile = config.age.secrets.wpa_password.path;
       scanOnLowSignal = false;
       networks = let
-        properties = lib.flip lib.pipe;
+        # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
-        networks = lib.flip lib.genAttrs (_: {});
+        escapePwdKey = lib.replaceStrings ["="] ["_"];
 
-        # The higher the more preferred
+        privatePriority = 10;
-        setPrio = i: lib.mapAttrs (_: conf: conf // {priority = i;});
+        limitedPriority = -10;
-        private = setPrio 10;
-        limited = setPrio (-10);
 
-        extraConfig = value: conf: conf // {extraConfig = conf.extraConfig or "" + value;};
+        fromList = ns: let
-        randomizeMac = lib.mapAttrs (_: extraConfig "mac_addr=1\n");
+          go = networkArgs @ {
-        roaming = lib.mapAttrs (_: extraConfig "bgscan=\"simple:30:-70:3600\"\n");
+            ssid,
-
+            # Custom fields wrapping nixpkgs module options
-        hasPsk = let
+            hasPassword ? false,
-          # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+            scanOnLowSignal ? false,
-          escapePwdKey = lib.replaceStrings ["="] ["_"];
+            randomizeMac ? false,
-        in
+            ...
-          lib.mapAttrs (name: conf: conf // {pskRaw = "ext:${escapePwdKey conf.ssid or name}";});
+          }: {
-      in
+            ${ssid} = lib.mkMerge [
-        lib.mkMerge [
+              (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
-          (properties [private hasPsk]
+              (lib.optionalAttrs hasPassword {
-            (networks [
+                pskRaw = "ext:${escapePwdKey ssid}";
-              "~"
+              })
-              "Pei’s Wifi"
+              (lib.optionalAttrs scanOnLowSignal {
-              "girlypop-net"
+                extraConfig = ''
-            ]))
+                  bgscan="simple:30:-70:3600"
-          (properties [private roaming hasPsk]
-            (networks [
-              "annapurna"
-              "5526-1"
-            ]))
-
-          #
-          # School
-          #
-          (properties [private roaming]
-            {
-              eduroam = {
-                authProtocols = ["WPA-EAP"];
-                auth = ''
-                  pairwise=CCMP
-                  group=CCMP TKIP
-                  eap=PEAP
-                  ca_cert="${./certs/universite_de_rennes.pem}"
-                  identity="ychiang@etudiant.univ-rennes.fr"
-                  altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr"
-                  phase2="auth=MSCHAPV2"
-                  password=ext:EDUROAM
-                  anonymous_identity="anonymous@univ-rennes.fr"
                 '';
-              };
+              })
-            })
+              (lib.optionalAttrs randomizeMac {
+                extraConfig = ''
+                  mac_addr=1
+                '';
+              })
+            ];
+          };
+        in
+          lib.mkMerge (map go ns);
+      in
+        fromList [
+          {
+            ssid = "~";
+            priority = privatePriority;
+            hasPassword = true;
+          }
+          {
+            ssid = "Pei’s Wifi";
+            priority = privatePriority;
+            hasPassword = true;
+          }
+          {
+            ssid = "girlypop-net";
+            priority = privatePriority;
+            hasPassword = true;
+          }
 
-          #
+          {
-          # Cafés
+            ssid = "annapurna";
-          #
+            priority = privatePriority;
-          (properties [private randomizeMac hasPsk]
+            hasPassword = true;
-            (networks [
+            scanOnLowSignal = true;
-              "A-WAY"
+          }
-              "CAT.jpgcafe"
+          {
-              "LOUISA" # 區公所
+            ssid = "5526-1"; # TODO: set bssid preference ?
-              "LouisaCoffee" # 七張
+            priority = privatePriority;
-              "MetroTaipei x Louisa" # 大安
+            hasPassword = true;
-            ]))
+            scanOnLowSignal = true;
+          }
 
-          #
+          {
-          # Open networks
+            ssid = "eduroam";
-          #
+            priority = privatePriority;
-          #
+            scanOnLowSignal = true;
-          # Use this link to do portal login
-          # http://detectportal.firefox.com/canonical.html
-          (properties [randomizeMac]
-            (networks [
-              # Transport
-              "_SNCF_WIFI_INOUI"
-              "_WIFI_LYRIA"
-              "EurostarTrainsWiFi"
-              "SBB-FREE"
-              "AOT Airport Free Wi-Fi by NT"
 
-              # Library
+            authProtocols = ["WPA-EAP"];
-              "NewTaipei"
+            auth = ''
+              pairwise=CCMP
+              group=CCMP TKIP
+              eap=PEAP
+              ca_cert="${./certs/universite_de_rennes.pem}"
+              identity="ychiang@etudiant.univ-rennes.fr"
+              altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr"
+              phase2="auth=MSCHAPV2"
+              password=ext:EDUROAM
+              anonymous_identity="anonymous@univ-rennes.fr"
+            '';
+          }
 
-              "Fami-WiFi"
+          {
-            ]))
+            ssid = "A-WAY";
+            priority = privatePriority;
+            hasPassword = true;
+            randomizeMac = true;
+          }
+          {
+            ssid = "CAT.jpgcafe";
+            priority = privatePriority;
+            hasPassword = true;
+            randomizeMac = true;
+          }
+          {
+            ssid = "LOUISA"; # 區公所
+            priority = privatePriority;
+            hasPassword = true;
+            randomizeMac = true;
+          }
+          {
+            ssid = "LouisaCoffee"; # 七張
+            priority = privatePriority;
+            hasPassword = true;
+            randomizeMac = true;
+          }
+          {
+            ssid = "MetroTaipei x Louisa"; # 大安
+            priority = privatePriority;
+            hasPassword = true;
+            randomizeMac = true;
+          }
 
-          #
+          {ssid = "_SNCF_WIFI_INOUI";}
-          # Phones
+          {ssid = "_WIFI_LYRIA";}
-          #
+          {ssid = "EurostarTrainsWiFi";}
-          (properties [limited hasPsk]
+          {ssid = "SBB-FREE";}
-            (networks [
+          {ssid = "AOT Airport Free Wi-Fi by NT";}
-              "iPhone de Léana 江"
+          {ssid = "NewTaipei";}
-            ]))
+          {ssid = "Fami-WiFi";}
+
+          {
+            ssid = "iPhone de Léana 江";
+            priority = limitedPriority;
+            hasPassword = true;
+          }
         ];
     };
   };
@@ -165,6 +201,25 @@
       lb_strategy = "p2";
       lb_estimator = true;
 
+      # Prevent building up reliance on chatbots
+      # Gotta preserve that thinking ability of my smoof bwain
+      blocked_names = {
+        blocked_names_file = let
+          sources = import ../../../../npins;
+          ai-blocklist = sources.ai-blocklist + "/noai_hosts.txt";
+
+          # Blocklists are made of one pattern per line.
+          # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75
+          blocked_names = lib.pipe (builtins.readFile ai-blocklist) [
+            (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
+            (lib.splitString "\n")
+            (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
+            (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0
+          ];
+        in
+          pkgs.writeText "no-ai-blocklist" (builtins.concatStringsSep "\n" blocked_names);
+      };
+
       # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
       # query_log.file = "/var/log/dnscrypt-proxy/query.log";
       sources.public-resolvers = {

nix/configurations/vanadium/nixos/display.nix

@@ -29,8 +29,8 @@
   services.autorandr = {
     enable = true;
     hooks.postswitch = {
-      "10_xmobar" = "pkill xmobar"; # make sure there are no duplicated xmobar
+      "10_xmobar" = "${lib.getExe' pkgs.toybox "pkill"} xmobar"; # make sure there are no duplicated xmobar
-      "20_xmonad" = "xmonad --restart"; # make sure feh keeps up
+      "20_xmonad" = "${lib.getExe pkgs.haskellPackages.xmonad} --restart"; # make sure feh keeps up
     };
 
     profiles = let

nix/nixosModules/common/xscreensaver.nix

@@ -34,6 +34,7 @@ in {
             cfg.hooks;
         in ''
           xscreensaver-command -watch | while read event rest; do
+            echo "The handler script got \"$event\""
             case $event in
               ${handlers}
             esac

npins/sources.json

@@ -16,6 +16,20 @@
       "url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0",
       "hash": "01dhrghwa7zw93cybvx4gnrskqk97b004nfxgsys0736823956la"
     },
+    "ai-blocklist": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "laylavish",
+        "repo": "uBlockOrigin-HUGE-AI-Blocklist"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "9bb188e2701138e03f73bacebd6b19b181ca0012",
+      "url": "https://github.com/laylavish/uBlockOrigin-HUGE-AI-Blocklist/archive/9bb188e2701138e03f73bacebd6b19b181ca0012.tar.gz",
+      "hash": "0h318ckx8l89bff1fv4xg6mmhkvpfhyhvzbr0iyaa7q3dx3iyz57",
+      "frozen": true
+    },
     "disko": {
       "type": "GitRelease",
       "repository": {
@@ -207,9 +221,9 @@
       },
       "branch": "master",
       "submodules": false,
-      "revision": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903",
+      "revision": "d6645c340ef7d821602fd2cd199e8d1eed10afbc",
-      "url": "https://github.com/NixOS/nixos-hardware/archive/9ed85f8afebf2b7478f25db0a98d0e782c0ed903.tar.gz",
+      "url": "https://github.com/NixOS/nixos-hardware/archive/d6645c340ef7d821602fd2cd199e8d1eed10afbc.tar.gz",
-      "hash": "19cld3jnzxjw92b91hra3qxx41yhxwl635478rqp0k4nl9ak2snq"
+      "hash": "0m84zxwanfq34j568w4xkvip5hwpwbhsk46xjvnl063y77i54vfs"
     },
     "nixpkgs": {
       "type": "Git",
@@ -220,9 +234,9 @@
       },
       "branch": "nixos-25.05-small",
       "submodules": false,
-      "revision": "f2ee78c4eb601be36a277e1779a7a87655419dad",
+      "revision": "4d9bd66e3ea558621ae800445e9302a2aa1bb687",
-      "url": "https://github.com/NixOS/nixpkgs/archive/f2ee78c4eb601be36a277e1779a7a87655419dad.tar.gz",
+      "url": "https://github.com/NixOS/nixpkgs/archive/4d9bd66e3ea558621ae800445e9302a2aa1bb687.tar.gz",
-      "hash": "0g5m7bhqw01a950xga0w246al2cy11pqd0dq763whw5sbqfadr59"
+      "hash": "0dzq4bp8qamilabyy014qsjivr2ga7348da5fjiqbkp7y7fhbdk0"
     },
     "nur": {
       "type": "Git",
@@ -233,9 +247,9 @@
       },
       "branch": "main",
       "submodules": false,
-      "revision": "68f4e0f40dfafa9bc9ae50b18685befac76ebcd4",
+      "revision": "e68fcda79871132cb42777c15a2c4a3ea563cad6",
-      "url": "https://github.com/nix-community/nur/archive/68f4e0f40dfafa9bc9ae50b18685befac76ebcd4.tar.gz",
+      "url": "https://github.com/nix-community/nur/archive/e68fcda79871132cb42777c15a2c4a3ea563cad6.tar.gz",
-      "hash": "04p7vqixrbyjnr9nnm3p4k37137f5nm6daly2q2yfci1p1a35qjc"
+      "hash": "0qng617rx1b5vifnigrhshlsb7rviwaii2czbpgbi8ljyivw10v0"
     },
     "pin-emacs28": {
       "type": "Git",