diff --git a/hosts/common/polyunfill.nix b/hosts/common/polyunfill.nix
index 9be203a1e..58dac6a70 100644
--- a/hosts/common/polyunfill.nix
+++ b/hosts/common/polyunfill.nix
@@ -6,8 +6,9 @@ let
     # nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
     # but i don't want the wrapper, so undo that.
     # ideally i would patch this via an overlay, but pam is in the bootstrap so that forces a full rebuild.
+    # see: <repo:nixos/nixpkgs:pkgs/by-name/li/linux-pam/package.nix>
     postPatch = (upstream.postPatch or "") + ''
-      substituteInPlace modules/pam_unix/Makefile.am --replace-fail \
+      substituteInPlace modules/module-meson.build --replace-fail \
         "/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"
     '';
   });
diff --git a/hosts/common/programs/nwg-panel/default.nix b/hosts/common/programs/nwg-panel/default.nix
index c5712fb04..c1842b900 100644
--- a/hosts/common/programs/nwg-panel/default.nix
+++ b/hosts/common/programs/nwg-panel/default.nix
@@ -11,6 +11,10 @@ let
     type = lib.types.bool;
     inherit default description;
   };
+  i3ipc = pkgs.python3Packages.i3ipc.overridePythonAttrs {
+    # XXX(2025-08-25): tests are broken; remove once fixed
+    doCheck = false;
+  };
   playerctl = pkgs.playerctl.overrideAttrs (upstream: {
     patches = (upstream.patches or []) ++ [
       (pkgs.fetchpatch {
@@ -108,6 +112,9 @@ in
 
     packageUnwrapped = (pkgs.nwg-panel.override {
       inherit playerctl;
+      python3Packages = pkgs.python3Packages // {
+        inherit i3ipc;
+      };
     }).overrideAttrs (base: {
       # patches = (base.patches or []) ++ lib.optionals (!cfg.config.mediaPrevNext) [
       #   ./playerctl-no-prev-next.diff
diff --git a/hosts/common/systemd.nix b/hosts/common/systemd.nix
index 0d14ce66e..df4c7704d 100644
--- a/hosts/common/systemd.nix
+++ b/hosts/common/systemd.nix
@@ -116,9 +116,9 @@ in
   # see: `man logind.conf`
   # don’t shutdown when power button is short-pressed (commonly done an accident, or by cats).
   #   but do on long-press: useful to gracefully power-off server.
-  services.logind.powerKey = "lock";
-  services.logind.powerKeyLongPress = "poweroff";
-  services.logind.lidSwitch = "lock";
+  services.logind.settings.Login.HandlePowerKey = "lock";
+  services.logind.settings.Login.HandlePowerKeyLongPress = "poweroff";
+  services.logind.settings.Login.HandleLidSwitch = "lock";
   # under logind, 'uaccess' tag would grant the logged in user access to a device.
   # outside logind, map uaccess tag -> plugdev group to grant that access.
   services.udev.extraRules = ''
diff --git a/hosts/modules/hal/aarch64.nix b/hosts/modules/hal/aarch64.nix
index 8e7c94552..dd1030e91 100644
--- a/hosts/modules/hal/aarch64.nix
+++ b/hosts/modules/hal/aarch64.nix
@@ -11,6 +11,7 @@ in
   config = lib.mkIf cfg.enable {
     # disable the following non-essential programs which fail to cross compile
     sane.programs.bash-language-server.enableFor = { system = false; user.colin = false; };  # bash neovim LSP: doesn't cross compile (2025-01-05; blocked by ShellCheck)
+    sane.programs.cargo.enableFor = { system = false; user.colin = false; };  #< does not cross compile (2025-08-25)
     sane.programs.fcitx5.enableFor.user.colin = false;  #< does not cross compile (2025-01-05; blocked by qtsvg)
     sane.programs.firefox.config.addons.browserpass-extension.enable = false;  #< does not cross compile
     sane.programs.lua-language-server.enableFor = { system = false; user.colin = false; };  # lua neovim LSP: doesn't cross compile (2025-01-06)
diff --git a/overlays/cross.nix b/overlays/cross.nix
index d12b74371..8d8aece5e 100644
--- a/overlays/cross.nix
+++ b/overlays/cross.nix
@@ -1,39 +1,6 @@
-# outstanding cross-compilation PRs/issues:
-# - all: <https://github.com/NixOS/nixpkgs/labels/6.topic%3A%20cross-compilation>
-# - qtsvg mixed deps: <https://github.com/NixOS/nixpkgs/issues/269756>
-#   - big Qt fix: <https://github.com/NixOS/nixpkgs/pull/267311>
-#
-# outstanding issues:
-# - 2023/10/10: build python3 is pulled in by many things
-#   - nix why-depends --all /nix/store/8g3kd2jxifq10726p6317kh8srkdalf5-nixos-system-moby-23.11.20231011.dirty /nix/store/pzf6dnxg8gf04xazzjdwarm7s03cbrgz-python3-3.10.12/bin/python3.10
-#   - gstreamer-vaapi -> gstreamer-dev -> glib-dev
-#   - portfolio -> {glib,cairo,pygobject}-dev
-#   - komikku -> python3.10-brotlicffi -> python3.10-cffi
-#   - many others. python3.10-cffi seems to be the offender which infects 70% of consumers though
-# - 2023/10/11: build ruby is pulled in by `neovim`:
-#   - nix why-depends --all /nix/store/rhli8vhscv93ikb43639c2ysy3a6dmzp-nixos-system-moby-23.11.20231011.30c7fd8 /nix/store/5xbwwbyjmc1xvjzhghk6r89rn4ylidv8-ruby-3.1.4
-# - 2023/12/19: rustPlatform.cargoSetupHook outside of `buildRustPackage` or python packages is a mess
-#   - it doesn't populate `.cargo/config` with valid cross-compilation config
-#   - something to do with the way it's spliced: `nativeBuildInputs = [ rustPlatform.cargoSetupHook.__spliced.hostHost ]` (or hostTarget) WORKS
-#   - see <https://github.com/NixOS/nixpkgs/pull/260068> -- it's probably wrong.
-#   - WIP fix in `pr-cross-cargo`/`pr-cross-cargo2` nixpkgs branch.
-#     - sanity check by building `pkgsCross.aarch64-multiplatform.rav1e`, and the `fd` program mentioned in PR 260068
-#     - `pkgsCross.musl64.fd`
-#     - `pkgsStatic.fd`
-#   - this is way too tricky to enable cross compilation without breaking the musl stuff.
-#     - i lost a whole day trying to get it to work: don't do it!
-#
-# partially fixed:
-# - 2023/10/11: build coreutils pulled in by rpm 4.18.1, but NOT by 4.19.0
-#   - nix why-depends --all /nix/store/gjwd2x507x7gjycl5q0nydd39d3nkwc5-dtrx-8.5.3-aarch64-unknown-linux-gnu /nix/store/y9gr7abwxvzcpg5g73vhnx1fpssr5frr-coreutils-9.3
-#
-# outstanding issues for software i don't have deployed:
-# - gdk-pixbuf doesn't generate `gdk-pixbuf-thumbnailer` on cross
-#   - been this way since 2018: <https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/20>
-#   - as authored upstream, thumbnailer depends on loader.cache, and neither are built during cross compilation.
-#   - nixos manually builds loader.cache in postInstall (via emulator).
-#   - even though we have loader.cache, ordering means that thumbnailer still can't be built.
-#   - solution is probably to integrate meson's cross_file stuff, and pushing all this emulation upstream.
+# tracking:
+# - all cross compilation PRs: <https://github.com/NixOS/nixpkgs/labels/6.topic%3A%20cross-compilation>
+# - potential idiom to fix cross cargo-inside-meson: <https://github.com/NixOS/nixpkgs/pull/434878>
 
 final: prev:
 let
@@ -232,16 +199,11 @@ in with final; {
   #    };
   # });
 
-  # 2025/07/27: upstreaming is blocked by glycin-loaders
+  # 2025/08/25: upstreaming is unblocked
   fractal = prev.fractal.override {
     cargo = crossCargo;
   };
 
-  # 2025/08/17: upstreaming is unblocked
-  glycin-loaders = prev.glycin-loaders.override {
-    cargo = crossCargo;
-  };
-
   # 2025/07/27: upstreaming is blocked on gnome-shell
   # fixes: "gdbus-codegen not found or executable"
   # gnome-session = mvToNativeInputs [ glib ] super.gnome-session;
diff --git a/pkgs/by-name/nixpkgs-bootstrap/master.nix b/pkgs/by-name/nixpkgs-bootstrap/master.nix
index df2d656c9..4d416360f 100644
--- a/pkgs/by-name/nixpkgs-bootstrap/master.nix
+++ b/pkgs/by-name/nixpkgs-bootstrap/master.nix
@@ -14,8 +14,8 @@
   mkNixpkgs ? import ./mkNixpkgs.nix {},
 }:
 mkNixpkgs {
-  rev = "0efb1f7282c99268fd8be16a41bb87e3adc03511";
-  sha256 = "sha256-jtfZGAQflu5k/xVMOtdgVhKu2TTD1QTrwKjHFbU+xiQ=";
-  version = "unstable-2025-08-18";
+  rev = "4c66df3a815eff7cef4f96057af20bc6d59a4950";
+  sha256 = "sha256-oZXL9UHIBi6omPmre8WSFcHKbAblhEmpxYvaeZGERng=";
+  version = "unstable-2025-08-26";
   branch = "master";
 }
diff --git a/pkgs/by-name/nixpkgs-bootstrap/patches.nix b/pkgs/by-name/nixpkgs-bootstrap/patches.nix
index f341eb7f7..d597e6c35 100644
--- a/pkgs/by-name/nixpkgs-bootstrap/patches.nix
+++ b/pkgs/by-name/nixpkgs-bootstrap/patches.nix
@@ -43,6 +43,13 @@ in
     hash = "sha256-5M6+FQElYRBNmqLdDosM88yaHzS5mTVwECy2wd/fKdo=";
   })
 
+  (fetchpatch' {
+    # 2025-08-25: required for cross compilation
+    name = "qemu: Fix Python deps, the third time";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/436516";
+    hash = "sha256-ZVaSlK3pgCos/96NfmKs9whYYsJroGb5xC33C0349y0=";
+  })
+
   # TODO: enable, once i can tolerate a mass rebuild
   # (fetchpatch' {
   #   # 2025-08-06: merged into staging
@@ -64,32 +71,31 @@ in
   # })
   # XXX(2025-07-25): master & staging have diverged that the above patch doesn't apply correctly;
   # manually recreate the patches against master:
-  (fetchpatch' {
-    name = "nodejs: split destCPU into stdenv.$platform.node";
-    saneCommit = "1fd1d40033deb51bc74ecf11b401cf2ffde5aae3";
-    hash = "sha256-LGp9HzUINI5iTQ3UtggUNWS4zaYhakUI3OqM6rPiYr0=";
-  })
-  (fetchpatch' {
-    name = "treewide: replace node platform mapping with stdenv.hostPlatform.node.{arch,platform}";
-    saneCommit = "57bac5daa19c55a547f60271a7b48c59337ec12f";
-    hash = "sha256-DBenl7O4KuQ1I6jmB66upufYSUdYHRkqRdqRT9stbys=";
-  })
-  (fetchpatch' {
-    name = "buildNpmPackage: push npm_config_* options into npmHooks.npmConfigHook";
-    saneCommit = "f84ef10710b6634f5bcc4c7bc4764ecfd6e8dec5";
-    hash = "sha256-BHwtNvSGaqBRzUj0mP3JqAfygxjiKoX3lh4z9+B4UWk=";
-  })
-  (fetchpatch' {
-    name = "pnpm.configHook: set npm_config_{arch,platform}";
-    saneCommit = "38d2a3d80502ad63686ca886f4438d2942fbddb6";
-    hash = "sha256-0grq9Os9XD+voupAQuB48WBptH5oM/qYX5iEdmuVqMQ=";
-  })
+  # (fetchpatch' {
+  #   name = "nodejs: split destCPU into stdenv.$platform.node";
+  #   saneCommit = "1fd1d40033deb51bc74ecf11b401cf2ffde5aae3";
+  #   hash = "sha256-LGp9HzUINI5iTQ3UtggUNWS4zaYhakUI3OqM6rPiYr0=";
+  # })
+  # (fetchpatch' {
+  #   name = "treewide: replace node platform mapping with stdenv.hostPlatform.node.{arch,platform}";
+  #   saneCommit = "57bac5daa19c55a547f60271a7b48c59337ec12f";
+  #   hash = "sha256-DBenl7O4KuQ1I6jmB66upufYSUdYHRkqRdqRT9stbys=";
+  # })
+  # (fetchpatch' {
+  #   name = "buildNpmPackage: push npm_config_* options into npmHooks.npmConfigHook";
+  #   saneCommit = "f84ef10710b6634f5bcc4c7bc4764ecfd6e8dec5";
+  #   hash = "sha256-BHwtNvSGaqBRzUj0mP3JqAfygxjiKoX3lh4z9+B4UWk=";
+  # })
+  # (fetchpatch' {
+  #   name = "pnpm.configHook: set npm_config_{arch,platform}";
+  #   saneCommit = "38d2a3d80502ad63686ca886f4438d2942fbddb6";
+  #   hash = "sha256-0grq9Os9XD+voupAQuB48WBptH5oM/qYX5iEdmuVqMQ=";
+  # })
 
   (fetchpatch' {
     name = "signal-desktop: fix cross compilation";
     prUrl = "https://github.com/NixOS/nixpkgs/pull/423089";
-    # hash = "sha256-609snDT1Ru69ZTWfzu4PnhY0pj3xghPr8w880j7JZ5k=";
-    hash = "sha256-bVMOanUcYNPf2JbaWS9ga+0jAwuZQSfMKlwtNRp9tYU=";
+    hash = "sha256-4VEKjZsI7XW+/gbq3fn3bjjciPKtd2IU8SH4CsqqJ6Y=";
   })
 
   # (fetchpatch' {
diff --git a/pkgs/by-name/nixpkgs-bootstrap/staging-next.nix b/pkgs/by-name/nixpkgs-bootstrap/staging-next.nix
index 50d206e78..81655376c 100644
--- a/pkgs/by-name/nixpkgs-bootstrap/staging-next.nix
+++ b/pkgs/by-name/nixpkgs-bootstrap/staging-next.nix
@@ -2,8 +2,8 @@
   mkNixpkgs ? import ./mkNixpkgs.nix {},
 }:
 mkNixpkgs {
-  rev = "b5bd89906b29056b93ea93ef01e76197a953e62f";
-  sha256 = "sha256-HOfNmdkwdAOxMZagIWLTMe9lib78cQ4lZ1ResteAiiI=";
-  version = "unstable-2025-08-18";
+  rev = "3c42166989d7763de3bb9e20d5806cc8de7e3f93";
+  sha256 = "sha256-p+b4AvQ9hLqJO9pHxtIJMie0U81LARbuq7kjnPrRm7w=";
+  version = "unstable-2025-08-25";
   branch = "staging-next";
 }
diff --git a/pkgs/by-name/nixpkgs-bootstrap/staging.nix b/pkgs/by-name/nixpkgs-bootstrap/staging.nix
index 48e1fee52..0e67740a6 100644
--- a/pkgs/by-name/nixpkgs-bootstrap/staging.nix
+++ b/pkgs/by-name/nixpkgs-bootstrap/staging.nix
@@ -2,8 +2,8 @@
   mkNixpkgs ? import ./mkNixpkgs.nix {},
 }:
 mkNixpkgs {
-  rev = "8eba1c93fdd7bd96e7243cd517062db299ab4230";
-  sha256 = "sha256-ATJhPDMlqUUUzffVRPnyixid+4RkyllEyOgcebEvf1w=";
-  version = "unstable-2025-08-18";
+  rev = "a6c4b05ff349d7d7f6c097da57d7925c393dc20d";
+  sha256 = "sha256-+tNWLiCaKjsZhbnRajb0yEd15BoQsVDRA8/keFcYToo=";
+  version = "unstable-2025-08-25";
   branch = "staging";
 }