programs: don't persist mesaCacheDir by default

and explicitly add it to every program that uses mesa. wow, that's a *lot*
2025-01-02 05:32:33 +00:00
parent 863468e402
commit 3fc6571294
55 changed files with 80 additions and 30 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -531,10 +531,10 @@ in
    endless-sky.buildCost = 1;
    endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
    endless-sky.sandbox.mesaCacheDir = ".cache/endless-sky/mesa";
    endless-sky.sandbox.whitelistAudio = true;
    endless-sky.sandbox.whitelistDri = true;
    endless-sky.sandbox.whitelistWayland = true;
    # endless-sky.sandbox.whitelistX = true;
    endless-sky.packageUnwrapped = pkgs.endless-sky.overrideAttrs (base: {
      nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
        pkgs.makeWrapper
@@ -596,6 +596,7 @@ in
    # ];
    font-manager.buildCost = 1;
    font-manager.sandbox.mesaCacheDir = ".cache/font-manager/mesa";
    font-manager.sandbox.whitelistWayland = true;
    font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
      # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
@@ -646,9 +647,11 @@ in
    gitea = {};
    gnome-calculator.buildCost = 1;
    gnome-calculator.sandbox.mesaCacheDir = ".cache/gnome-calculator/mesa";  # TODO: is this the correct app-id?
    gnome-calculator.sandbox.whitelistWayland = true;
    gnome-calendar.buildCost = 2;  # depends on webkitgtk_6_0 via evolution-data-server
    gnome-calendar.sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa";  # TODO: is this the correct app-id?
    # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
    gnome-calendar.sandbox.whitelistWayland = true;
    gnome-calendar.sandbox.whitelistDbus = [ "user" ];
@@ -697,13 +700,14 @@ in
    gnome-2048.buildCost = 1;
    gnome-2048.sandbox.whitelistWayland = true;
    gnome-2048.sandbox.mesaCacheDir = ".cache/gnome-2048/mesa";
    gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
    gnome-frog.buildCost = 1;
    gnome-frog.sandbox.whitelistWayland = true;
    gnome-frog.sandbox.whitelistDbus = [ "user" ];
    gnome-frog.sandbox.extraPaths = [
-      # needed when processing screenshots
+      # needed when processing screenshots (TODO: can i have it use a custom TMPDIR?)
      "/tmp"
    ];
    gnome-frog.sandbox.extraHomePaths = [
@@ -719,6 +723,7 @@ in
    gnome-frog.persist.byStore.ephemeral = [
      ".local/share/tessdata"  # 15M; dunno what all it is.
    ];
    gnome-frog.sandbox.mesaCacheDir = ".cache/gnome-frog/mesa";  # TODO: is this the correct app-id?
    gnugrep.sandbox.autodetectCliPaths = "existing";
    gnugrep.sandbox.whitelistPwd = true;
@@ -741,7 +746,6 @@ in
    # N.B.: if the user doesn't specify an output path, `grim` will output to ~/Pictures (which isn't included in this sandbox)
    grim.sandbox.autodetectCliPaths = "existingOrParent";
    grim.sandbox.whitelistWayland = true;
    grim.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
    hase.buildCost = 1;
    hase.sandbox.net = "clearnet";
@@ -839,6 +843,7 @@ in
    losslesscut-bin.sandbox.whitelistDri = true;
    losslesscut-bin.sandbox.whitelistWayland = true;
    # losslesscut-bin.sandbox.whitelistX = true;
    losslesscut-bin.sandbox.mesaCacheDir = ".cache/losslesscut/mesa";  # TODO: is this the correct app-id?
    losslesscut-bin.packageUnwrapped = pkgs.losslesscut-bin.overrideAttrs (base: {
      extraMakeWrapperArgs = (base.extraMakeWrapperArgs or []) ++ [
        "--append-flags '--ozone-platform-hint=auto --ozone-platform=wayland --enable-features=WaylandWindowDecorations'"
@@ -965,6 +970,7 @@ in
    pavucontrol.sandbox.whitelistAudio = true;
    pavucontrol.sandbox.whitelistDri = true;  #< to be a little more responsive
    pavucontrol.sandbox.whitelistWayland = true;
    pavucontrol.sandbox.mesaCacheDir = ".cache/pavucontrol/mesa";
    pciutils.sandbox.extraPaths = [
      "/sys/bus/pci"
@@ -1006,6 +1012,7 @@ in
    pwvucontrol.sandbox.whitelistAudio = true;
    pwvucontrol.sandbox.whitelistDri = true;  # else perf on moby is unusable
    pwvucontrol.sandbox.whitelistWayland = true;
    pwvucontrol.sandbox.mesaCacheDir = ".cache/pwvucontrol/mesa";  # TODO: is this the correct app-id?
    pyright.sandbox.whitelistPwd = true;
@@ -1053,6 +1060,7 @@ in
      "wl-clipboard"
      # "zenity"
    ];
    sane-color-picker.sandbox.mesaCacheDir = ".cache/sane-color-picker/mesa";  # TODO: is this the correct app-id?
    sane-die-with-parent.sandbox.enable = false;  #< it's a launcher; can't sandbox
@@ -1075,6 +1083,7 @@ in
    shattered-pixel-dungeon.sandbox.whitelistAudio = true;
    shattered-pixel-dungeon.sandbox.whitelistDri = true;
    shattered-pixel-dungeon.sandbox.whitelistWayland = true;
    shattered-pixel-dungeon.sandbox.mesaCacheDir = ".cache/.shatteredpixel/mesa";
    # printer/filament settings
    slic3r.buildCost = 1;
@@ -1084,7 +1093,6 @@ in
    slic3r.sandbox.autodetectCliPaths = "existingFileOrParent";  # slic3r <my-file>.stl -o <out>.gcode
    slurp.sandbox.whitelistWayland = true;
    slurp.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
    # snapshot camera, based on libcamera
    # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
@@ -1103,6 +1111,7 @@ in
    space-cadet-pinball.buildCost = 1;
    space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
    space-cadet-pinball.sandbox.mesaCacheDir = ".cache/SpaceCadetPinball/mesa";  # TODO: is this the correct app-id?
    space-cadet-pinball.sandbox.whitelistAudio = true;
    space-cadet-pinball.sandbox.whitelistDri = true;
    space-cadet-pinball.sandbox.whitelistWayland = true;
@@ -1134,6 +1143,7 @@ in
    superTux.sandbox.whitelistDri = true;
    superTux.sandbox.whitelistWayland = true;
    # superTux.sandbox.whitelistX = true;
    superTux.sandbox.mesaCacheDir = ".cache/supertux2/mesa";  # TODO: is this the correct app-id?
    superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
    superTux.packageUnwrapped = pkgs.superTux.overrideAttrs (base: {
      nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
@@ -1175,6 +1185,7 @@ in
    tumiki-fighters.sandbox.whitelistDri = true;  #< not strictly necessary, but triples CPU perf
    tumiki-fighters.sandbox.whitelistWayland = true;
    tumiki-fighters.sandbox.whitelistX = true;
    tumiki-fighters.sandbox.mesaCacheDir = ".cache/tumiki-fighters/mesa";  # TODO: is this the correct app-id?
    tumiki-fighters.suggestedPrograms = [
      "xwayland"  #< XXX(2024-11-10): does not start without X(wayland), not even with SDL_VIDEDRIVER=wayland
    ];
@@ -1205,7 +1216,6 @@ in
    # `vulkaninfo`, `vkcube`
    vulkan-tools.sandbox.whitelistDri = true;
    vulkan-tools.sandbox.whitelistWayland = true;
    vulkan-tools.sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
    vulkan-tools.sandbox.whitelistX = true;
    vulkan-tools.sandbox.extraPaths = [
      "/sys/dev/char"
@@ -1216,6 +1226,7 @@ in
    vvvvvv.sandbox.whitelistAudio = true;
    vvvvvv.sandbox.whitelistDri = true;  #< playable without, but burns noticably more CPU
    vvvvvv.sandbox.whitelistWayland = true;
    vvvvvv.sandbox.mesaCacheDir = ".cache/VVVVVV/mesa";
    vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
    w3m.sandbox.net = "all";
@@ -1226,6 +1237,7 @@ in
    watch.sandbox.enable = false;  #< it executes the command it's given
    wdisplays.sandbox.mesaCacheDir = ".cache/wdisplays/mesa";  # TODO: is this the correct app-id?
    wdisplays.sandbox.whitelistWayland = true;
    wget.sandbox.net = "all";
@@ -1246,16 +1258,15 @@ in
    wl-clipboard.sandbox.whitelistWayland = true;
    wl-clipboard.sandbox.keepPids = true;  #< this is needed, but not sure why?
    wl-clipboard.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
    wtype = {};
    wtype.sandbox.whitelistWayland = true;
    wtype.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
    xwayland.sandbox.wrapperType = "inplace";  #< consumers use it as a library (e.g. wlroots)
    xwayland.sandbox.whitelistWayland = true;  #< just assuming this is needed
    xwayland.sandbox.whitelistX = true;
    xwayland.sandbox.whitelistDri = true;  #< would assume this gives better gfx perf
    xwayland.sandbox.mesaCacheDir = ".cache/xwayland/mesa";  # TODO: is this the correct app-id?
    xterm.sandbox.enable = false;  # need to be able to do everything
--- a/hosts/common/programs/brave.nix
+++ b/hosts/common/programs/brave.nix
@@ -22,6 +22,7 @@
    sandbox.extraPaths = [
      "/tmp"  # needed particularly if run from `sane-vpn do`
    ];
    sandbox.mesaCacheDir = ".cache/BraveSoftware/mesa";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/calls.nix
+++ b/hosts/common/programs/calls.nix
@@ -102,6 +102,7 @@ in
      ];
    }));
    sandbox.mesaCacheDir = ".cache/calls/mesa";
    sandbox.net = "vpn.wg-home";  #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  # necessary for secrets, at the minimum
--- a/hosts/common/programs/celeste64.nix
+++ b/hosts/common/programs/celeste64.nix
@@ -14,5 +14,6 @@
      # save data, controls map
      ".local/share/Celeste64"
    ];
    sandbox.mesaCacheDir = ".cache/Celeste64/mesa";
  };
 }
--- a/hosts/common/programs/conky/default.nix
+++ b/hosts/common/programs/conky/default.nix
@@ -9,7 +9,6 @@
      # "/sys/devices/system"
    ];
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
    suggestedPrograms = [
      "sane-sysload"
--- a/hosts/common/programs/dialect.nix
+++ b/hosts/common/programs/dialect.nix
@@ -16,5 +16,7 @@
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
    # gsettingsPersist = [ "app/drey/Dialect" ];
    sandbox.mesaCacheDir = ".cache/dialect/mesa";  # TODO: is this the correct app-dir?
  };
 }
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -84,6 +84,7 @@ in
    #   ".cache/gstreamer-1.0"  # 1.3 MB  #< TODO: place the gst cache in ~/.cache/dino/gstreamer-1.0
    # ];
    persist.byStore.private = [ ".local/share/dino" ];
    sandbox.mesaCacheDir = ".cache/dino/mesa";
    services.dino = {
      description = "dino XMPP client";
--- a/hosts/common/programs/discord.nix
+++ b/hosts/common/programs/discord.nix
@@ -6,6 +6,7 @@
      installPhase = lib.replaceStrings [ "NIXOS_OZONE_WL" ] [ "WAYLAND_DISPLAY" ] base.installPhase;
    });
    sandbox.mesaCacheDir = ".cache/discord/mesa";
    # creds, but also 200 MB of node modules, etc
    persist.byStore.private = [ ".config/discord" ];
    sandbox.wrapperType = "inplace";  #< package contains broken symlinks that my wrapper can't handle
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@@ -49,6 +49,7 @@
      "/dev/snd"  #< needed only when playing embedded audio (not embedded video!)
    ];
    sandbox.mesaCacheDir = ".cache/Element/mesa";
    # creds/session keys, etc
    persist.byStore.private = [ ".config/Element" ];
  };
--- a/hosts/common/programs/firefox/default.nix
+++ b/hosts/common/programs/firefox/default.nix
@@ -230,6 +230,7 @@ in
    ] ++ addonHomePaths;
    sandbox.tmpDir = ".cache/mozilla/tmp";
    sandbox.mesaCacheDir = ".cache/mozilla/mesa";
    mime.associations = let
      desktop = "firefox.desktop";
--- a/hosts/common/programs/foliate.nix
+++ b/hosts/common/programs/foliate.nix
@@ -23,6 +23,8 @@
    ];
    sandbox.autodetectCliPaths = "existing";
    sandbox.mesaCacheDir = ".cache/com.github.johnfactotum.Foliate/mesa";
    persist.byStore.plaintext = [
      ".local/share/com.github.johnfactotum.Foliate"  #< books added, reading position
      ".cache/com.github.johnfactotum.Foliate"  #< webkit cache
--- a/hosts/common/programs/g4music.nix
+++ b/hosts/common/programs/g4music.nix
@@ -17,6 +17,7 @@
      "Music"
    ];
    sandbox.mesaCacheDir = ".cache/com.github.neithern.g4music/mesa";
    persist.byStore.plaintext = [
      # index?
      ".cache/com.github.neithern.g4music"
--- a/hosts/common/programs/geary.nix
+++ b/hosts/common/programs/geary.nix
@@ -49,6 +49,7 @@ in
    # fs.".local/share/folks".dir = {};
    buildCost = 3;  # uses webkitgtk 4.1
    sandbox.mesaCacheDir = ".cache/geary/mesa";
    persist.byStore.private = [
      # attachments, and email -- contained in a sqlite db
      ".local/share/geary"
--- a/hosts/common/programs/gnome-clocks.nix
+++ b/hosts/common/programs/gnome-clocks.nix
@@ -4,6 +4,7 @@
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  #< required for DE notification when alarm rings
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/gnome-clocks/mesa";  # TODO: is this the correct app-id?
    gsettingsPersist = [ "org/gnome/clocks" ];
  };
 }
--- a/hosts/common/programs/gnome-contacts.nix
+++ b/hosts/common/programs/gnome-contacts.nix
@@ -33,6 +33,8 @@
    sandbox.whitelistDri = true;  #< speculative, but i'd like it to be responsive on mobile
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa";  # TODO: is this the correct app-id?
    suggestedPrograms = [
      "evolution-data-server"  #< REQUIRED for saving/loading of any contacts
    ];
--- a/hosts/common/programs/gnome-maps.nix
+++ b/hosts/common/programs/gnome-maps.nix
@@ -41,6 +41,7 @@
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
    sandbox.mesaCacheDir = ".cache/gnome-maps/mesa";
    persist.byStore.plaintext = [ ".cache/shumate" ];
    # ~/.local/share/gnome-maps/places.json (previously: ../maps-places.json); to persist starred locations, recent locations+routes
    # TODO: building in "developer mode" causes gnome-maps to pretty-print the .json instead of minifying it
--- a/hosts/common/programs/gnome-weather.nix
+++ b/hosts/common/programs/gnome-weather.nix
@@ -15,6 +15,8 @@
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
    sandbox.mesaCacheDir = ".cache/gnome-weather/mesa";  # TODO: is this the correct app-id?
    persist.byStore.plaintext = [
      ".cache/libgweather"  # weather data (or maybe a http cache)
    ];
--- a/hosts/common/programs/grimshot.nix
+++ b/hosts/common/programs/grimshot.nix
@@ -17,7 +17,6 @@
    sandbox.keepPids = true;  #< needed by wl-clipboard
    sandbox.whitelistDbus = [ "user" ];
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
    sandbox.extraRuntimePaths = [
      "sway"
    ];
--- a/hosts/common/programs/handbrake.nix
+++ b/hosts/common/programs/handbrake.nix
@@ -3,6 +3,8 @@
  sane.programs.handbrake = {
    buildCost = 1;
    sandbox.mesaCacheDir = ".cache/handbrake/mesa";  # TODO: is this the correct app-id?
    sandbox.whitelistDbus = [ "user" ];  # notifications
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/krita.nix
+++ b/hosts/common/programs/krita.nix
@@ -17,6 +17,7 @@
      "tmp"
    ];
    sandbox.mesaCacheDir = ".cache/krita/mesa";  # TODO: is this the correct app-id?
    suggestedPrograms = [
      "xwayland"  #< XXX(2024-11-10): does not start without X(wayland); not even with QT_QPA_PLATFORM=wayland. see e.g. <https://discuss.kde.org/t/is-there-any-plans-to-add-wayland-support-to-krita/18153>
    ];
--- a/hosts/common/programs/loupe.nix
+++ b/hosts/common/programs/loupe.nix
@@ -21,6 +21,8 @@
      "tmp"
    ];
    sandbox.mesaCacheDir = ".cache/loupe/mesa";  # TODO: is this the correct app-id?
    mime.associations = {
      "image/avif" = "org.gnome.Loupe.desktop";
      "image/gif" = "org.gnome.Loupe.desktop";
--- a/hosts/common/programs/megapixels-next.nix
+++ b/hosts/common/programs/megapixels-next.nix
@@ -55,6 +55,7 @@ in
      "/sys/class/leds"  #< for flash, presumably
    ];
    sandbox.whitelistAvDev = true;
    sandbox.mesaCacheDir = ".cache/megapixels/mesa";  # TODO: is this the correct app-id?
    gsettings."me/gapixels/megapixels" = {
      # **required** for it to find its postprocess script
      postprocessor = "${cfg.package}/share/megapixels/postprocess.sh";
--- a/hosts/common/programs/megapixels.nix
+++ b/hosts/common/programs/megapixels.nix
@@ -40,6 +40,7 @@
      "/sys/class/leds"  #< for flash, presumably
    ];
    sandbox.whitelistAvDev = true;
    sandbox.mesaCacheDir = ".cache/megapixels/mesa";  # TODO: is this the correct app-id?
    gsettingsPersist = [
      "org/postmarketos/megapixels"  #< needs to set `postprocessor` else it will segfault during post-process
    ];
--- a/hosts/common/programs/mepo.nix
+++ b/hosts/common/programs/mepo.nix
@@ -19,6 +19,7 @@
      "system"  # system is required for non-portal location services
      "user"  #< not sure if "user" is necessary?
    ];
    sandbox.mesaCacheDir = ".cache/mepo/mesa";
    persist.byStore.plaintext = [ ".cache/mepo/tiles" ];
    # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
--- a/hosts/common/programs/mpv/default.nix
+++ b/hosts/common/programs/mpv/default.nix
@@ -208,6 +208,7 @@ in
      "Videos/local"
      "Videos/servo"
    ];
    sandbox.mesaCacheDir = ".cache/mpv/mesa";
    persist.byStore.plaintext = [
      # for `watch_later`
--- a/hosts/common/programs/neovim/default.nix
+++ b/hosts/common/programs/neovim/default.nix
@@ -43,7 +43,6 @@ in
    sandbox.autodetectCliPaths = "existingOrParent";
    sandbox.whitelistWayland = true;  # for system clipboard integration
    sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
    # sandbox.whitelistPwd = true;
    sandbox.extraHomePaths = [
      ".local/share/dasht/docsets"
--- a/hosts/common/programs/newsflash.nix
+++ b/hosts/common/programs/newsflash.nix
@@ -15,6 +15,8 @@ let
  wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
 in {
  sane.programs.newsflash = {
    buildCost = 2;  # mainly for desktop: webkitgtk-6.0
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;  #< for embedded videos
    sandbox.whitelistDbus = [ "user" ];
@@ -29,7 +31,7 @@ in {
      "/sys/class/block/loop7"
    ];
-    buildCost = 2;  # mainly for desktop: webkitgtk-6.0
+    sandbox.mesaCacheDir = ".cache/nesh_flash/mesa";
    persist.byStore.plaintext = [
      ".local/share/news-flash" #< sqlite database, the actually important stuff
      # ".local/share/news_flash"  #< device IDs (?)
--- a/hosts/common/programs/nicotine-plus.nix
+++ b/hosts/common/programs/nicotine-plus.nix
@@ -22,6 +22,7 @@
      # and then update the config on disk. it errors if it can't `mv` it like that.
      ".config/nicotine"
    ];
    # sandbox.mesaCacheDir = ".cache/nicotine/mesa";  # don't persist (privacy); (might want to apply that to downloads too)
    # the config has loooads of options, but the only critical one is auth/creds.
    # run with ~/.config/nicotine in the sandbox and nicotine will derive the whole config
--- a/hosts/common/programs/notejot.nix
+++ b/hosts/common/programs/notejot.nix
@@ -5,6 +5,7 @@
    sandbox.whitelistDri = true;  #< otherwise intolerably slow on moby
    gsettingsPersist = [ "io/github/lainsce/Notejot" ];  #< TODO: probably not needed
    sandbox.mesaCacheDir = ".cache/io.github.lainsce.Notejot/mesa";
    persist.byStore.private = [
      ".local/share/io.github.lainsce.Notejot"
    ];
--- a/hosts/common/programs/papers.nix
+++ b/hosts/common/programs/papers.nix
@@ -11,6 +11,7 @@
    sandbox.whitelistDri = true;  #< speedier
    sandbox.whitelistWayland = true;
    sandbox.autodetectCliPaths = "existingFile";
    sandbox.mesaCacheDir = ".cache/papers/mesa";  # TODO: is this the correct app-id?
    mime.associations."application/pdf" = "org.gnome.Papers.desktop";
    # XXX(2024-10-06): even with `sandbox.net = "all"` and glib-networking, papers can only open *http* URLs and not https
--- a/hosts/common/programs/planify.nix
+++ b/hosts/common/programs/planify.nix
@@ -3,8 +3,9 @@
  sane.programs.planify = {
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/io.github.alainm23/mesa";
    persist.byStore.private = [
-      # TODO items as a sqlite database
+      # todo items as a sqlite database
      ".local/share/io.github.alainm23.planify"
    ];
    # TODO: can probably configure gsettings statically?
--- a/hosts/common/programs/portfolio-filemanager.nix
+++ b/hosts/common/programs/portfolio-filemanager.nix
@@ -37,6 +37,7 @@
    #   "gvfs"
    #   "gvfsd"
    # ];
    sandbox.mesaCacheDir = ".cache/portfolio/mesa";  # TODO: is this the correct app-id?
    # suggestedPrograms = [ "gvfs" ];  #< TODO: fix (ftp:// share, USB drive browsing)
--- a/hosts/common/programs/sane-open.nix
+++ b/hosts/common/programs/sane-open.nix
@@ -26,7 +26,6 @@
    # so doesn't need all sandboxing.
    # that might hint that the packages should be split/restructured...
    sandbox.whitelistWayland = true;  #< to access clipboard
    sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
    sandbox.whitelistDbus = [ "user" ];
  };
 }
--- a/hosts/common/programs/sane-screenshot.nix
+++ b/hosts/common/programs/sane-screenshot.nix
@@ -3,7 +3,6 @@
  sane.programs.sane-screenshot = {
    sandbox.whitelistDbus = [ "user" ];  #< to send notifications
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
    sandbox.extraHomePaths = [
      "Pictures/Screenshots"
    ];
--- a/hosts/common/programs/satellite.nix
+++ b/hosts/common/programs/satellite.nix
@@ -54,5 +54,6 @@
      "system"  #< reads NMEA data via ModemManager
    ];
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/satellite/mesa";  # TODO: is this the correct app-id?
  };
 }
--- a/hosts/common/programs/schlock.nix
+++ b/hosts/common/programs/schlock.nix
@@ -25,6 +25,7 @@ in
    };
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/schlock/mesa";
    secrets.".config/schlock/schlock.pin" = ../../../secrets/common/schlock.pin.bin;
--- a/hosts/common/programs/signal-desktop.nix
+++ b/hosts/common/programs/signal-desktop.nix
@@ -37,8 +37,6 @@ in
    #   ;
    # });
    name = "Signal";  #< it places its files in ~/.config/Signal, etc
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [
@@ -58,6 +56,7 @@ in
      "Videos/servo"
      "tmp"
    ];
    sandbox.mesaCacheDir = ".cache/Signal/mesa";
    sandbox.tmpDir = ".cache/Signal/tmp";  # 60MB+ sqlite database(s)
    # creds, media
--- a/hosts/common/programs/sm64coopdx.nix
+++ b/hosts/common/programs/sm64coopdx.nix
@@ -13,6 +13,7 @@ in
      "/dev/input"  #< for controllers
    ];
    sandbox.mesaCacheDir = ".cache/sm64ex-coop/mesa";
    persist.byStore.plaintext = [
      ".local/share/sm64ex-coop"
    ];
--- a/hosts/common/programs/supertuxkart.nix
+++ b/hosts/common/programs/supertuxkart.nix
@@ -7,6 +7,7 @@
    sandbox.whitelistAudio = true;
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/supertuxkart/mesa";
    persist.byStore.plaintext = [
      ".cache/supertuxkart"
--- a/hosts/common/programs/sway/default.nix
+++ b/hosts/common/programs/sway/default.nix
@@ -248,6 +248,7 @@ in
      ".config/sway"
      # it (may) launch xwayland, in which case xwayland needs access to its stuff too
    ] ++ config.sane.programs.xwayland.sandbox.extraHomePaths;
    sandbox.mesaCacheDir = ".cache/sway/mesa";
    fs.".config/xdg-desktop-portal/sway-portals.conf".symlink.text = ''
      # portals.conf docs: <https://flatpak.github.io/xdg-desktop-portal/docs/portals.conf.html>
--- a/hosts/common/programs/swayidle.nix
+++ b/hosts/common/programs/swayidle.nix
@@ -87,7 +87,6 @@ in
    ];
    sandbox.whitelistSystemctl = true;
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
    sandbox.extraRuntimePaths = [ "sway" ];
    services.swayidle = {
--- a/hosts/common/programs/swaylock.nix
+++ b/hosts/common/programs/swaylock.nix
@@ -38,7 +38,6 @@ in
      "/etc/shadow"
    ];
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
    services.swaylock = {
      description = "swaylock screen locker";
--- a/hosts/common/programs/swaynotificationcenter/default.nix
+++ b/hosts/common/programs/swaynotificationcenter/default.nix
@@ -113,7 +113,6 @@ in
    ];
    sandbox.whitelistSystemctl = true;
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
    sandbox.extraPaths = [
      "/sys/class/backlight"
      "/sys/devices"
--- a/hosts/common/programs/switchboard.nix
+++ b/hosts/common/programs/switchboard.nix
@@ -30,5 +30,6 @@
    sandbox.whitelistWayland = true;
    sandbox.whitelistDbus = [ "system" ];  #< to speak with NetworkManager
    sandbox.whitelistAudio = true;  #< even with this, the sound plugin doesn't seem to work...
    sandbox.mesaCacheDir = ".cache/switchboard/mesa";  # TODO: is this the correct app-id?
  };
 }
--- a/hosts/common/programs/syshud.nix
+++ b/hosts/common/programs/syshud.nix
@@ -7,6 +7,7 @@
      "/sys/class/backlight"  #< crashes if unable to access this directory
      # "/sys/devices"  #< only if you want it to actually show when the backlight changes
    ];
    sandbox.mesaCacheDir = ".cache/sys64/hud/mesa";
    fs.".config/sys64/hud/config.conf".symlink.text = ''
      [main]
--- a/hosts/common/programs/tor-browser.nix
+++ b/hosts/common/programs/tor-browser.nix
@@ -13,8 +13,9 @@
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  #< so `tor-browser http://...` can open using an existing instance
    sandbox.whitelistWayland = true;
    # sandbox.mesaCacheDir = ".cache/tor-browser/mesa";  # don't persist mesa dir (privacy)
    persist.byStore.ephemeral = [
-      ".local/share/tor-browser"
+      ".local/share/tor-browser"  # persisted because of downloads, i think??
    ];
    mime.urlAssociations."^https?://.+\.onion$" = "torbrowser.desktop";
  };
--- a/hosts/common/programs/tuba.nix
+++ b/hosts/common/programs/tuba.nix
@@ -19,6 +19,7 @@
      "Videos/servo"
      "tmp"
    ];
    sandbox.mesaCacheDir = ".cache/tuba/mesa";  # TODO: is this the correct app-id?
    suggestedPrograms = [ "gnome-keyring" ];
  };
--- a/hosts/common/programs/video-trimmer.nix
+++ b/hosts/common/programs/video-trimmer.nix
@@ -12,5 +12,6 @@
    sandbox.whitelistAudio = true;
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/video-trimmer/mesa";  # TODO: is this the correct app-id?
  };
 }
--- a/hosts/common/programs/wike.nix
+++ b/hosts/common/programs/wike.nix
@@ -1,6 +1,8 @@
 { ... }:
 {
  sane.programs.wike = {
    buildCost = 2;
    sandbox.wrapperType = "inplace";  # share/wike/wike-sp refers back to the binaries and share
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
@@ -18,8 +20,7 @@
      "/sys/dev"
      "/sys/devices"
    ];
-
+    sandbox.mesaCacheDir = ".cache/wike/mesa";  # TODO: is this the correct app-id?
    buildCost = 2;
    # wike probably meant to put everything here in a subdir, but didn't.
    # see: <https://github.com/hugolabe/Wike/issues/176>
--- a/hosts/common/programs/wvkbd.nix
+++ b/hosts/common/programs/wvkbd.nix
@@ -9,6 +9,7 @@
    });
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/wvkbd/mesa";  # TODO: is this the correct app-id?
    env.KEYBOARD = "wvkbd-mobintl";
--- a/hosts/common/programs/xarchiver.nix
+++ b/hosts/common/programs/xarchiver.nix
@@ -16,5 +16,6 @@
    ];
    # allow extracting an archive in the rare case it's outside the common directories
    sandbox.autodetectCliPaths = "existing";
    sandbox.mesaCacheDir = ".cache/xarchiver/mesa";  # TODO: is this the correct app-id?
  };
 }
--- a/hosts/common/programs/xdg-desktop-portal-nautilus.nix
+++ b/hosts/common/programs/xdg-desktop-portal-nautilus.nix
@@ -59,6 +59,7 @@
      "/tmp"
      "/var"
    ];
    sandbox.mesaCacheDir = ".cache/xdg-desktop-portal-nautilus/mesa";  # TODO: is this the correct app-id?
    services.xdg-desktop-portal-nautilus = {
      description = "xdg-desktop-portal-nautilus backend (provides file chooser for xdg-desktop-portal)";
--- a/hosts/common/programs/xdg-desktop-portal-wlr.nix
+++ b/hosts/common/programs/xdg-desktop-portal-wlr.nix
@@ -16,6 +16,7 @@ in
      "/sys/dev/char"
      "/sys/devices"
    ];
    sandbox.mesaCacheDir = ".cache/xdg-desktop-portal-wlr/mesa";  # TODO: is this the correct app-id?
    services.xdg-desktop-portal-wlr = {
      description = "xdg-desktop-portal-wlr backend (provides screenshot functionality for xdg-desktop-portal)";
--- a/hosts/common/programs/zathura.nix
+++ b/hosts/common/programs/zathura.nix
@@ -10,6 +10,7 @@
      # history, bookmarks
      ".local/share/zathura"
    ];
    sandbox.mesaCacheDir = ".cache/zathura/mesa";
    mime.priority = 150;  #< default is 100; fallback to more specialized cbz handlers, e.g.
    mime.associations."application/pdf" = "org.pwmt.zathura.desktop";
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -543,18 +543,15 @@ let
      };
      sandbox.mesaCacheDir = mkOption {
        type = types.nullOr types.str;
-        default = if config.sandbox.whitelistWayland then
+        default = null;
          # XXX: mesa will create its *own* directory under here (or file, based on how it's been configured).
          # to locate empty mesa shader cache dirs (and identify apps that aren't using it):
          # - `fd mesa ~/.cache | xargs -n 1 sh -c 'test -d $1/mesa_shader_cache_db || echo $1' -- | sort`
          ".cache/${config.name}/mesa"
        else
          null
        ;
        description = ''
          place the mesa cache in a custom directory.
          generally, most GUI applications should have their mesa cache directory
          persisted to disk to (1) reduce ram consumption and (2) massively improve loading speed.
          mesa will create its *own* directory under here.
          to locate empty mesa shader cache dirs (and identify apps that aren't using it):
          - `fd mesa ~/.cache | xargs -n 1 sh -c 'test -d $1/mesa_shader_cache_db || echo $1' -- | sort`
        '';
      };
      sandbox.tmpDir = mkOption {