refactor: programs: sort

hosts/common/programs/assorted.nix

@@ -409,23 +409,6 @@ in
     gdb.sandbox.wrapperType = "wrappedDerivation";
     gdb.sandbox.autodetectCliPaths = true;
 
-    gnugrep.sandbox.method = "bwrap";
-    gnugrep.sandbox.wrapperType = "wrappedDerivation";
-    gnugrep.sandbox.autodetectCliPaths = true;
-    gnugrep.sandbox.whitelistPwd = true;
-    gnugrep.sandbox.extraHomePaths = [
-      # let it follow symlinks to non-sensitive data
-      ".persist/ephemeral"
-      ".persist/plaintext"
-    ];
-
-    gptfdisk.sandbox.method = "landlock";
-    gptfdisk.sandbox.wrapperType = "wrappedDerivation";
-    gptfdisk.sandbox.extraPaths = [
-      "/dev"
-    ];
-    gptfdisk.sandbox.autodetectCliPaths = "existing";  #< sometimes you'll use gdisk on a device file.
-
     # MS GitHub stores auth token in .config
     # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
     gh.persist.byStore.private = [ ".config/gh" ];
@@ -496,6 +479,23 @@ in
     "gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
     "gnome.hitori".sandbox.whitelistWayland = true;
 
+    gnugrep.sandbox.method = "bwrap";
+    gnugrep.sandbox.wrapperType = "wrappedDerivation";
+    gnugrep.sandbox.autodetectCliPaths = true;
+    gnugrep.sandbox.whitelistPwd = true;
+    gnugrep.sandbox.extraHomePaths = [
+      # let it follow symlinks to non-sensitive data
+      ".persist/ephemeral"
+      ".persist/plaintext"
+    ];
+
+    gptfdisk.sandbox.method = "landlock";
+    gptfdisk.sandbox.wrapperType = "wrappedDerivation";
+    gptfdisk.sandbox.extraPaths = [
+      "/dev"
+    ];
+    gptfdisk.sandbox.autodetectCliPaths = "existing";  #< sometimes you'll use gdisk on a device file.
+
     hase.sandbox.method = "bwrap";
     hase.sandbox.wrapperType = "wrappedDerivation";
     hase.sandbox.net = "clearnet";