diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 809db9d2..47ca262c 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -19,8 +19,8 @@
   ];
 
   sane.nixcache.enable-trusted-keys = true;
-  sane.packages.enableConsolePkgs = true;
   sane.programs.sysadminUtils.enableFor.system = true;
+  sane.programs.consoleUtils.enableFor.user.colin = true;
 
   # some services which use private directories error if the parent (/var/lib/private) isn't 700.
   sane.fs."/var/lib/private".dir.acl.mode = "0700";
diff --git a/hosts/common/programs.nix b/hosts/common/programs.nix
index ca4ba1e4..958c41ba 100644
--- a/hosts/common/programs.nix
+++ b/hosts/common/programs.nix
@@ -2,7 +2,8 @@
 
 let
   inherit (builtins) attrNames concatLists;
-  inherit (lib) mapAttrsToList mkMerge;
+  inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge;
+
   sysadminPkgs = {
     inherit (pkgs // {
       # XXX can't `inherit` a nested attr, so we move them to the toplevel
@@ -48,23 +49,88 @@ let
       wget
     ;
   };
+
+  consolePkgs = {
+    inherit (pkgs)
+      backblaze-b2
+      cdrtools
+      dmidecode
+      duplicity
+      efivar
+      flashrom
+      fwupd
+      ghostscript  # TODO: imagemagick wrapper should add gs to PATH
+      gnupg
+      gocryptfs
+      gopass
+      gopass-jsonapi
+      ifuse
+      imagemagick
+      ipfs
+      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
+      libimobiledevice
+      libsecret  # for managing user keyrings
+      lm_sensors  # for sensors-detect
+      lshw
+      ffmpeg
+      memtester
+      networkmanager
+      nixpkgs-review
+      # nixos-generators
+      # nettools
+      nmon
+      oathToolkit  # for oathtool
+      # ponymix
+      pulsemixer
+      python3
+      rsync
+      # python3Packages.eyeD3  # music tagging
+      sane-scripts
+      sequoia
+      snapper
+      sops
+      sox
+      speedtest-cli
+      sqlite  # to debug sqlite3 databases
+      ssh-to-age
+      sudo
+      # tageditor  # music tagging
+      unar
+      visidata
+      w3m
+      wireguard-tools
+      # youtube-dl
+      yt-dlp
+    ;
+  };
 in
 {
-  config = mkMerge [
-    {
-      # define -- but don't enable -- the system packages
-      sane.programs = sysadminPkgs;
-    }
-    {
-      # link the system packages into a meta package
-      sane.programs.sysadminUtils = {
-        package = null;  # meta package
-        suggestedPrograms = attrNames sysadminPkgs;
-      };
-    }
-    {
-      # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
-      environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
-    }
-  ];
+  config = {
+    sane.programs = mkMerge [
+      # define -- but don't enable -- the packages in each group
+      # use `mkDefault` for the package here so we can customize some of them further down this file
+      (mapAttrs (_n: p: { package = mkDefault p; }) sysadminPkgs)
+      (mapAttrs (_n: p: { package = mkDefault p; }) consolePkgs)
+      {
+        # link the various package sets into their own meta packages
+        sysadminUtils = {
+          package = null;
+          suggestedPrograms = attrNames sysadminPkgs;
+        };
+        consoleUtils = {
+          package = null;
+          suggestedPrograms = attrNames consolePkgs;
+        };
+      }
+      {
+        # nontrivial package definitions
+        imagemagick.package = pkgs.imagemagick.override {
+          ghostscriptSupport = true;
+        };
+      }
+    ];
+
+    # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
+    environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
+  };
 }
diff --git a/modules/packages.nix b/modules/packages.nix
index 622a2d56..f3a1be19 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -5,62 +5,6 @@ with pkgs;
 let
   cfg = config.sane.packages;
 
-  imagemagick = pkgs.imagemagick.override {
-    ghostscriptSupport = true;
-  };
-
-  consolePkgs = [
-    backblaze-b2
-    cdrtools
-    dmidecode
-    duplicity
-    efivar
-    flashrom
-    fwupd
-    ghostscript  # TODO: imagemagick wrapper should add gs to PATH
-    gnupg
-    gocryptfs
-    gopass
-    gopass-jsonapi
-    ifuse
-    imagemagick
-    ipfs
-    kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-    libimobiledevice
-    libsecret  # for managing user keyrings
-    lm_sensors  # for sensors-detect
-    lshw
-    ffmpeg
-    memtester
-    networkmanager
-    nixpkgs-review
-    # nixos-generators
-    # nettools
-    nmon
-    oathToolkit  # for oathtool
-    # ponymix
-    pulsemixer
-    python3
-    rsync
-    # python3Packages.eyeD3  # music tagging
-    sane-scripts
-    sequoia
-    snapper
-    sops
-    sox
-    speedtest-cli
-    sqlite  # to debug sqlite3 databases
-    ssh-to-age
-    sudo
-    # tageditor  # music tagging
-    unar
-    visidata
-    w3m
-    wireguard-tools
-    # youtube-dl
-    yt-dlp
-  ];
-
   guiPkgs = [
     # GUI only
     aerc  # email client
@@ -246,10 +190,6 @@ in
       type = types.listOf toPkgSpec;
       description = "packages to only ship if gui's enabled";
     };
-    sane.packages.enableConsolePkgs = mkOption {
-      default = false;
-      type = types.bool;
-    };
     sane.packages.enableGuiPkgs = mkOption {
       default = false;
       type = types.bool;
@@ -265,7 +205,6 @@ in
 
     sane.packages.enabledUserPkgs = mkOption {
       default = cfg.extraUserPkgs
-        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
         ++ (if cfg.enableGuiPkgs then guiPkgs ++ cfg.extraGuiPkgs else [])
         ++ (if cfg.enableDevPkgs then devPkgs else [])
       ;
diff --git a/modules/programs.nix b/modules/programs.nix
index 0b90497b..028f488f 100644
--- a/modules/programs.nix
+++ b/modules/programs.nix
@@ -24,6 +24,15 @@ let
         description = ''
           package, or `null` if the program is some sort of meta set (in which case it much EXPLICITLY be set null).
         '';
+        default =
+          let
+            pkgPath = splitString "." name;
+          in
+            # package can be inferred by the attr name, allowing shorthand like
+            #   `sane.packages.nano.enable = true;`
+            # this indexing will throw if the package doesn't exist and the user forgets to specify
+            # a valid source explicitly.
+            getAttrFromPath pkgPath pkgs;
       };
       enableFor.system = mkOption {
         type = types.bool;
@@ -73,15 +82,6 @@ let
       };
     };
 
-    config =
-      let
-        pkgPath = splitString "." name;
-      in {
-        # package can be inferred by the attr name, allowing shorthand like
-        #   `sane.packages.nano.enable = true;`
-        package = mkIf (hasAttrByPath pkgPath pkgs) (mkDefault (getAttrFromPath pkgPath pkgs));
-      };
-
   });
   toPkgSpec = types.coercedTo types.package (p: { package = p; }) pkgSpec;
 
@@ -91,8 +91,8 @@ let
       (p.package != null && p.enableFor.system)
       p.package;
     # conditionally add to user(s) PATH
-    users.users = mapAttrs (user: en: optionalAttrs en {
-      packages = [ p.package ];
+    users.users = mapAttrs (user: en: {
+      packages = optional (p.package != null && en) p.package;
     }) p.enableFor.user;
     # conditionally persist relevant user dirs
     sane.users = mapAttrs (user: en: optionalAttrs en {