WIP: make-sandboxed: handle /opt-style packaging, with toplevels linked into /bin, a bit better

nixpkgs: fix hashes
gnome-calls: associate with tel:, sip:, sips: URIs
2024-08-15 03:05:49 +00:00 · 2024-08-14 23:20:31 +00:00 · 2024-08-14 08:27:27 +00:00 · 2024-08-14 07:53:47 +00:00 · 2024-08-13 22:02:37 +00:00 · 2024-08-13 22:02:27 +00:00
52 changed files with 790 additions and 582 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -2,13 +2,14 @@
 - `rmDbusServices` may break sandboxing
  - e.g. if the package ships a systemd unit which references $out, then make-sandboxed won't properly update that unit.
  - `rmDbusServicesInPlace` is not affected
- when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/trust-dns/dhcp-configs doesn't get reset
+- when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/hickory-dns/dhcp-configs doesn't get reset
  - `ip monitor` can detect those manual link state changes (NM-dispatcher it seems cannot)
  - or try dnsmasq?
- trust-dns can't resolve `abs.twimg.com`
- trust-dns can't resolve `social.kernel.org`
- trust-dns can't resolve `pe.usps.com`
- trust-dns can't resolve `social.seattle.wa.us`
+- hickory-dns can't resolve `abs.twimg.com`
+- hickory-dns can't resolve `social.kernel.org`
+- hickory-dns can't resolve `pe.usps.com`
+- hickory-dns can't resolve `social.seattle.wa.us`
+- hickory-dns can't resolve `support.mozilla.org`
 - sandbox: link cache means that if i update ~/.config/... files inline, sandboxed programs still see the old version
 - mpv: continues to play past the end of some audio files
 - mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed
@@ -27,6 +28,14 @@
  - `dmesg | grep 'hid_bpf: error while preloading HID BPF dispatcher: -22'`
 - `s6` is not re-entrant
  - so if the desktop crashes, the login process from `unl0kr` fails to re-launch the GUI
+- newflash on moby can't play videos
+  - "open in browser" works though -- in mpv
+- gnome-maps can't use geoclue *and* openstreetmap at the same time
+  - get gnome-maps to speak xdg-desktop-portal, and this will be fixed
+- epiphany can't save cookies
+  - see under "preferences", cookies are disabled
+  - prevents logging into websites (OpenStreetMap)
+  - works when sandbox is disabled

 ## REFACTORING:
 - add import checks to my Python nix-shell scripts
@@ -61,6 +70,11 @@
  - safer (rust? actively maintained? sandboxable?)
  - handles spaces/symbols in filenames
  - has better multi-stream perf (e.g. `sane-sync-music` should be able to copy N items in parallel)
+- firefox: open *all* links (http, https, ...) with system handler
+  - removes the need for open-in-mpv, firefox-xdg-open, etc.
+  - matrix room links *just work*.
+  - `network.protocol-handler.external.https = true` in about:config *seems* to do this,
+    but breaks some webpages (e.g. Pleroma)

 ### security/resilience
 - enable `snapper` btrfs snapshots (`services.snapper`)
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -4,7 +4,7 @@
    ./fs.nix
  ];

-  sane.services.trust-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable trust-dns
+  sane.services.hickory-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable hickory-dns
  # sane.programs.devPkgs.enableFor.user.colin = true;
  # sane.guest.enable = true;

--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -21,7 +21,7 @@
    "sane-scripts.stop-all-servo"
  ];
  sane.services.dyn-dns.enable = true;
-  sane.services.trust-dns.asSystemResolver = false;  # TODO: enable once it's all working well
+  sane.services.hickory-dns.asSystemResolver = false;  # TODO: enable once it's all working well
  sane.services.wg-home.enable = true;
  sane.services.wg-home.visibleToWan = true;
  sane.services.wg-home.forwardToWan = true;
--- a/hosts/by-name/servo/services/default.nix
+++ b/hosts/by-name/servo/services/default.nix
@@ -7,6 +7,7 @@
    ./ejabberd.nix
    ./freshrss.nix
    ./export
+    ./hickory-dns.nix
    ./gitea.nix
    ./goaccess.nix
    ./ipfs.nix
@@ -27,7 +28,6 @@
    ./prosody
    ./slskd.nix
    ./transmission
-    ./trust-dns.nix
    ./wikipedia.nix
  ];
 }
--- a/hosts/by-name/servo/services/hickory-dns.nix
+++ b/hosts/by-name/servo/services/hickory-dns.nix
@@ -55,7 +55,7 @@ in
    ];
  };

-  services.trust-dns.settings.zones = [ "uninsane.org" ];
+  services.hickory-dns.settings.zones = [ "uninsane.org" ];


  networking.nat.enable = true;  #< TODO: try removing this?
@@ -83,8 +83,8 @@ in
  # };


-  sane.services.trust-dns.enable = true;
-  sane.services.trust-dns.instances = let
+  sane.services.hickory-dns.enable = true;
+  sane.services.hickory-dns.instances = let
    mkSubstitutions = flavor: {
      "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
@@ -141,5 +141,5 @@ in
    # };
  };

-  sane.services.dyn-dns.restartOnChange = lib.map (c: "${c.service}.service") (builtins.attrValues config.sane.services.trust-dns.instances);
+  sane.services.dyn-dns.restartOnChange = lib.map (c: "${c.service}.service") (builtins.attrValues config.sane.services.hickory-dns.instances);
 }
--- a/hosts/common/feeds.nix
+++ b/hosts/common/feeds.nix
@@ -91,6 +91,7 @@ let
    (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)  # Maggie Killjoy -- referenced by Cory Doctorow
    (fromDb "omny.fm/shows/money-stuff-the-podcast")  # Matt Levine
    (fromDb "omny.fm/shows/the-dollop-with-dave-anthony-and-gareth-reynolds")  # The Dollop history/comedy
+    (fromDb "omny.fm/shows/weird-little-guys")  # Cool Zone Media
    (fromDb "originstories.libsyn.com" // uncat)
    (fromDb "politicalorphanage.libsyn.com" // pol)
    (fromDb "reverseengineering.libsyn.com/rss" // tech)  # UnNamed Reverse Engineering Podcast
--- a/hosts/common/home/fs.nix
+++ b/hosts/common/home/fs.nix
@@ -9,12 +9,9 @@
    "Books/local"
    "Music"

-    # these are persisted simply to save on RAM.
-    # ~/.cache/nix can become several GB.
-    # mesa_shader_cache is < 10 MB.
+    # this is persisted simply to save on RAM. mesa_shader_cache is < 10 MB.
    # TODO: integrate with sane.programs.sandbox?
    ".cache/mesa_shader_cache"
-    ".cache/nix"
  ];
  sane.user.persist.byStore.private = [
    "archive"
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -45,8 +45,8 @@
  sane.ids.pict-rs.gid = 2409;
  sane.ids.sftpgo.uid = 2410;
  sane.ids.sftpgo.gid = 2410;
-  sane.ids.trust-dns.uid = 2411;
-  sane.ids.trust-dns.gid = 2411;
+  sane.ids.hickory-dns.uid = 2411;  #< previously "trust-dns"
+  sane.ids.hickory-dns.gid = 2411;  #< previously "trust-dns"
  sane.ids.export.gid = 2412;
  sane.ids.nfsuser.uid = 2413;
  sane.ids.media.gid = 2414;
--- a/hosts/common/net/dns.nix
+++ b/hosts/common/net/dns.nix
@@ -23,16 +23,16 @@
 { config, lib, pkgs, ... }:
 lib.mkMerge [
 {
-  sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
-  sane.services.trust-dns.asSystemResolver = lib.mkDefault true;
+  sane.services.hickory-dns.enable = lib.mkDefault config.sane.services.hickory-dns.asSystemResolver;
+  sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
 }
-(lib.mkIf (!config.sane.services.trust-dns.asSystemResolver) {
+(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
  # use systemd's stub resolver.
  # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
  # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
  # in servo's ovnps namespace to use the provider's DNS resolvers.
  # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # TODO: improve trust-dns recursive resolver and then remove this
+  # TODO: improve hickory-dns recursive resolver and then remove this
  services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
  # without DNSSEC:
  # - dig matrix.org => works
@@ -40,7 +40,7 @@ lib.mkMerge [
  # with default DNSSEC:
  # - dig matrix.org => works
  # - curl https://matrix.org => fails
-  # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
+  # i don't know why. this might somehow be interfering with the DNS run on this device (hickory-dns)
  services.resolved.dnssec = "false";
  networking.nameservers = [
    # use systemd-resolved resolver
@@ -74,7 +74,7 @@ lib.mkMerge [
  sane.silencedAssertions = [''.*Loading NSS modules from system.nssModules.*requires services.nscd.enable being set to true.*''];
  # add NSS modules into their own subdirectory.
  # then i can add just the NSS modules library path to the global LD_LIBRARY_PATH, rather than ALL of /run/current-system/sw/lib.
-  # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have trust-dns delegate .local to avahi
+  # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have hickory-dns delegate .local to avahi
  #   (except avahi doesn't act as a local resolver over DNS protocol -- only dbus).
  environment.systemPackages = [(pkgs.symlinkJoin {
    name = "nss-modules";
--- a/hosts/common/net/modemmanager.nix
+++ b/hosts/common/net/modemmanager.nix
@@ -37,7 +37,11 @@
    # serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
    # serviceConfig.NoNewPrivileges = true;

-    serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];  #< TODO: make sure this is *really* taking effect, and isn't supplemental to upstream's `CAP_SYS_ADMIN` setting
+    serviceConfig.CapabilityBoundingSet = [
+      ""  #< reset upstream capabilities
+      "CAP_NET_ADMIN"
+      "CAP_SYS_ADMIN"  #< TODO: remove CAP_SYS_ADMIN!
+    ];
    serviceConfig.LockPersonality = true;
    # serviceConfig.PrivateUsers = true;  #< untried, not likely to work since it needs capabilities
    serviceConfig.PrivateTmp = true;
--- a/hosts/common/net/networkmanager.nix
+++ b/hosts/common/net/networkmanager.nix
@@ -66,6 +66,11 @@ in {
    serviceConfig.User = "networkmanager";
    serviceConfig.Group = "networkmanager";
    serviceConfig.AmbientCapabilities = [
+      "CAP_NET_ADMIN"
+      "CAP_NET_RAW"
+      "CAP_NET_BIND_SERVICE"
+    ];
+    serviceConfig.CapabilityBoundingSet = [
      # "CAP_DAC_OVERRIDE"
      "CAP_NET_ADMIN"
      "CAP_NET_RAW"  #< required, else `libndp: ndp_sock_open: Failed to create ICMP6 socket.`
@@ -76,6 +81,7 @@ in {
    ];
    serviceConfig.LockPersonality = true;
    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.MemoryDenyWriteExecute = true;
    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
    serviceConfig.PrivateIPC = true;
    serviceConfig.PrivateTmp = true;
@@ -87,7 +93,10 @@ in {
    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
    serviceConfig.ProtectKernelTunables = true;  # but NM might need to write /proc/sys/net/...
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProcSubset = "pid";
    serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
+    serviceConfig.RemoveIPC = true;
    serviceConfig.RestrictAddressFamilies = [
      "AF_INET"
      "AF_INET6"
@@ -98,19 +107,25 @@ in {
      # AF_BLUETOOTH ?
      # AF_BRIDGE ?
    ];
+    serviceConfig.RestrictNamespaces = true;
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+    serviceConfig.SystemCallFilter = [
+      "@system-service"
+      # TODO: restrict SystemCallFilter more aggressively
+    ];
+    # TODO: restrict `DeviceAllow`
    # from earlier `landlock` sandboxing, i know it needs these directories:
    # - "/proc/net"
    # - "/proc/sys/net"
    # - "/run/NetworkManager"
-    # - "/run/systemd"  # for trust-dns-nmhook
+    # - "/run/systemd"  # for hickory-dns-nmhook
    # - "/run/udev"
    # - # "/run/wg-home.priv"
    # - "/sys/class"
    # - "/sys/devices"
    # - "/var/lib/NetworkManager"
-    # - "/var/lib/trust-dns"  #< for trust-dns-nmhook
+    # - "/var/lib/hickory-dns"  #< for hickory-dns-nmhook
    # - "/run/systemd"
  };

@@ -122,12 +137,12 @@ in {
  # fix NetworkManager-dispatcher to actually run as a daemon,
  # and sandbox it a bit
  systemd.services.NetworkManager-dispatcher = {
-    #VVV so that /var/lib/trust-dns will exist (the hook needs to write here).
-    # but this creates a cycle: trust-dns-localhost > network.target > NetworkManager-dispatcher > trust-dns-localhost.
+    #VVV so that /var/lib/hickory-dns will exist (the hook needs to write here).
+    # but this creates a cycle: hickory-dns-localhost > network.target > NetworkManager-dispatcher > hickory-dns-localhost.
    # (seemingly) impossible to remove the network.target dep on NetworkManager-dispatcher.
-    # beffore would be to have the dispatcher not write trust-dns files
-    # but rather just its own, and create a .path unit which restarts trust-dns appropriately.
-    # after = [ "trust-dns-localhost.service" ];
+    # beffore would be to have the dispatcher not write hickory-dns files
+    # but rather just its own, and create a .path unit which restarts hickory-dns appropriately.
+    # after = [ "hickory-dns-localhost.service" ];
    # serviceConfig.ExecStart = [
    #   ""  # first blank line is to clear the upstream `ExecStart` field.
    #   "${cfg.package}/libexec/nm-dispatcher --persist"  # --persist is needed for it to actually run as a daemon
@@ -135,7 +150,7 @@ in {
    # serviceConfig.Restart = "always";
    # serviceConfig.RestartSec = "1s";

-    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `trust-dns`'s files in the nm hook)
+    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `hickory-dns`'s files in the nm hook)
    serviceConfig.User = "networkmanager";  # TODO: should arguably use `DynamicUser`
    serviceConfig.Group = "networkmanager";
    serviceConfig.LockPersonality = true;
@@ -151,7 +166,7 @@ in {
    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
    serviceConfig.ProtectKernelTunables = true;
-    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to trust-dns hook
+    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to hickory-dns hook
    serviceConfig.RestrictAddressFamilies = [
      "AF_UNIX"  # required, probably for dbus or systemd connectivity
    ];
@@ -219,7 +234,7 @@ in {
    # note that NM's resolv.conf isn't (necessarily) /etc/resolv.conf -- that is managed by nixos (via symlinking)
    main.dns = if config.services.resolved.enable then
      "systemd-resolved"
-    else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
+    else if config.sane.services.hickory-dns.enable && config.sane.services.hickory-dns.asSystemResolver then
      "none"
    else
      "internal"
@@ -261,7 +276,7 @@ in {
  users.users.networkmanager = {
    isSystemUser = true;
    group = "networkmanager";
-    extraGroups = [ "trust-dns" ];
+    extraGroups = [ "hickory-dns" ];
  };

  # there is, unfortunately, no proper interface by which to plumb wpa_supplicant into the NixOS service, except by overlay.
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -38,6 +38,7 @@ in
      "bridge-utils"  # for brctl; debug linux "bridge" inet devices
      "btrfs-progs"
      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      "captree"
      "cryptsetup"
      "curl"
      "ddrescue"
@@ -430,7 +431,7 @@ in
    btrfs-progs.sandbox.method = "bwrap";  #< bwrap, landlock: both work
    btrfs-progs.sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`

-    "cacert.unbundled".sandbox.enable = false;
+    "cacert.unbundled".sandbox.enable = false;  #< data only

    cargo.persist.byStore.plaintext = [ ".cargo" ];

@@ -766,7 +767,7 @@ in
    iotop.sandbox.capabilities = [ "net_admin" ];

    # provides `ip`, `routel`, `bridge`, others.
-    # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace
+    # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace (which requires sudo)
    # and that means we can't use ANY sandboxer for it.
    iproute2.sandbox.enable = false;
    # iproute2.sandbox.net = "all";
@@ -818,8 +819,7 @@ in

    libcamera = {};

-    libcap.sandbox.enable = false;  #< for `capsh`, which i use as a sandboxer
-    libcap_ng.sandbox.enable = false;  # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
+    libcap_ng.sandbox.enable = false;  # TODO: `pscap` can sandbox with bwrap, `captest` and `netcap` with landlock

    libnotify.sandbox.method = "bwrap";
    libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
@@ -852,8 +852,8 @@ in

    lua = {};

-    man-pages.sandbox.enable = false;
-    man-pages-posix.sandbox.enable = false;
+    man-pages.sandbox.enable = false;  #< data only
+    man-pages-posix.sandbox.enable = false;  #< data only

    mercurial.sandbox.method = "bwrap";  # TODO:sandbox: untested
    mercurial.sandbox.net = "clearnet";
@@ -1060,7 +1060,7 @@ in
    # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
    snapshot = {};

-    sops.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    sops.sandbox.method = "bwrap";
    sops.sandbox.extraHomePaths = [
      ".config/sops"
      "nixos"
@@ -1101,7 +1101,6 @@ in

    sqlite = {};

-    sshfs-fuse.sandbox.enable = true;  # used by fs.nix
    sshfs-fuse.sandbox.method = "bwrap";  #< N.B. if you call this from the CLI -- without `mount.fuse` -- set this to `none`
    sshfs-fuse.sandbox.net = "all";
    sshfs-fuse.sandbox.autodetectCliPaths = "parent";
@@ -1153,7 +1152,7 @@ in
    tumiki-fighters.sandbox.whitelistWayland = true;
    tumiki-fighters.sandbox.whitelistX = true;

-    util-linux.sandbox.enable = false;  #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
+    util-linux.sandbox.enable = false;  #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries

    unzip.sandbox.method = "bwrap";
    unzip.sandbox.autodetectCliPaths = "existingOrParent";
@@ -1224,7 +1223,7 @@ in

    yarn.persist.byStore.plaintext = [ ".cache/yarn" ];

-    yt-dlp.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    yt-dlp.sandbox.method = "bwrap";
    yt-dlp.sandbox.net = "all";
    yt-dlp.sandbox.whitelistPwd = true;  # saves to pwd by default
  };
--- a/hosts/common/programs/calls.nix
+++ b/hosts/common/programs/calls.nix
@@ -8,6 +8,10 @@
 # - the bot will reply with auto-generated username/password plus a SIP server endpoint.
 #   just copy those into gnome-calls' GUI configurator
 # - now gnome-calls can do outbound calls. inbound calls can be routed by messaging the bot: "configure calls"
+#
+# user guide:
+# - "Use for Calls" means, "when i click a tel: URI, use this account": <https://gitlab.gnome.org/GNOME/calls/-/issues/513>
+# - `calls -vvv` for verbosity
 { config, lib, pkgs, ... }:
 let
  cfg = config.sane.programs.calls;
@@ -79,6 +83,10 @@ in
      "gnome-keyring"  # to remember the password
    ];

+    mime.associations."x-scheme-handler/tel" = "org.gnome.Calls.desktop";
+    mime.associations."x-scheme-handler/sip" = "org.gnome.Calls.desktop";
+    mime.associations."x-scheme-handler/sips" = "org.gnome.Calls.desktop";
+
    services.gnome-calls = {
      description = "gnome-calls daemon to monitor incoming SIP calls";
      partOf = lib.mkIf cfg.config.autostart [ "graphical-session" ];
--- a/hosts/common/programs/capsh.nix
+++ b/hosts/common/programs/capsh.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  sane.programs.capsh = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "capsh";
+    sandbox.enable = false;  #< i use `capsh` as a sandboxer.
+  };
+}
--- a/hosts/common/programs/captree.nix
+++ b/hosts/common/programs/captree.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  sane.programs.captree = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
+    sandbox.method = "bwrap";
+    sandbox.isolatePids = false;
+  };
+}
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -21,6 +21,8 @@
    ./callaudiod.nix
    ./calls.nix
    ./cantata.nix
+    ./capsh.nix
+    ./captree.nix
    ./catt.nix
    ./celeste64.nix
    ./chatty.nix
@@ -46,6 +48,7 @@
    ./fcitx5.nix
    ./feedbackd.nix
    ./firefox.nix
+    ./firefox-xdg-open.nix
    ./flare-signal.nix
    ./foliate.nix
    ./fontconfig.nix
--- a/hosts/common/programs/firefox-xdg-open.nix
+++ b/hosts/common/programs/firefox-xdg-open.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sane.programs.firefox-xdg-open = {
+    packageUnwrapped = pkgs.firefox-extensions.firefox-xdg-open.systemComponent;
+
+    sandbox.method = "bwrap";
+    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+
+    mime.associations."x-scheme-handler/xdg-open" = "xdg-open.desktop";
+
+    suggestedPrograms = [ "xdg-utils" ];
+  };
+}
--- a/hosts/common/programs/firefox.nix
+++ b/hosts/common/programs/firefox.nix
@@ -231,6 +231,11 @@ in
          package = pkgs.firefox-extensions.ether-metamask;
          enable = lib.mkDefault false;  # until i can disable the first-run notification
        };
+        firefox-xdg-open = {
+          # test: `xdg-open xdg-open:https://uninsane.org`
+          package = pkgs.firefox-extensions.firefox-xdg-open;
+          enable = lib.mkDefault true;
+        };
        i2p-in-private-browsing = {
          package = pkgs.firefox-extensions.i2p-in-private-browsing;
          enable = lib.mkDefault config.services.i2p.enable;
@@ -242,7 +247,7 @@ in
        open-in-mpv = {
          # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
          package = pkgs.firefox-extensions.open-in-mpv;
-          enable = lib.mkDefault config.sane.programs.open-in-mpv.enabled;
+          enable = lib.mkDefault false;
        };
        sidebery = {
          package = pkgs.firefox-extensions.sidebery;
@@ -297,7 +302,9 @@ in
        ];
        fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {};  #< needs to be created, not *just* added to the sandbox

-        suggestedPrograms = [
+        suggestedPrograms = lib.optionals cfg.addons.firefox-xdg-open.enable [
+          "firefox-xdg-open"
+        ] ++ lib.optionals cfg.addons.open-in-mpv.enable [
          "open-in-mpv"
        ];

@@ -369,13 +376,11 @@ in
          // configure which extensions are visible by default (TODO: requires a lot of trial and error)
          // defaultPref("browser.uiCustomization.state", ...);

-          // auto-open mpv:// URIs without prompting.
-          // can do this with other protocols too (e.g. matrix?). see about:config for common handlers.
-          defaultPref("network.protocol-handler.external.mpv", true);
-          // element:// for Element matrix client
-          defaultPref("network.protocol-handler.external.element", true);
-          // matrix: for Nheko matrix client
-          defaultPref("network.protocol-handler.external.matrix", true);
+          // auto-open specific URI schemes without prompting:
+          defaultPref("network.protocol-handler.external.xdg-open", true); // for firefox-xdg-open extension
+          defaultPref("network.protocol-handler.external.mpv", true); // for open-in-mpv extension
+          defaultPref("network.protocol-handler.external.element", true); // for Element matrix client
+          defaultPref("network.protocol-handler.external.matrix", true); // for Nheko matrix client
        '';
        # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
        # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
--- a/hosts/common/programs/geary.nix
+++ b/hosts/common/programs/geary.nix
@@ -23,6 +23,13 @@ in
    sandbox.net = "clearnet";
    sandbox.whitelistDbus = [ "user" ];  # notifications
    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      # it shouldn't need these, but portal integration seems incomplete?
+      "tmp"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+    ];
    sandbox.extraPaths = [
      # geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
      # TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.
--- a/hosts/common/programs/gnome-maps.nix
+++ b/hosts/common/programs/gnome-maps.nix
@@ -10,6 +10,12 @@
 # TIPS:
 # - use "Northwest" instead of "NW", and "Street" instead of "St", etc.
 #   otherwise, it might not find your destination!
+#
+# TODO:
+# - get gnome-maps to access location services via the xdg-desktop-portal.
+#   with it not using the portal, it can't open links via the web browser.
+#   additionally, that prevents OpenStreetMap sign-in.
+#   even temporarily enabling the portal for OSM doesn't work *after* the portal has been disabled -- because then gnome-maps can't access its passwords (?)
 { pkgs, ... }:
 {
  sane.programs."gnome.gnome-maps" = {
--- a/hosts/common/programs/nautilus.nix
+++ b/hosts/common/programs/nautilus.nix
@@ -22,8 +22,17 @@
      "/"
      ".persist/ephemeral"
      ".persist/plaintext"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Videos/local"
+      "archive"
      "knowledge"
      "nixos"
+      "records"
+      "tmp"
    ];
    sandbox.extraPaths = [
      "/boot"
--- a/hosts/common/programs/nix.nix
+++ b/hosts/common/programs/nix.nix
@@ -2,5 +2,9 @@
 {
  sane.programs.nix = {
    env.NIXPKGS_ALLOW_UNFREE = "1";  #< FUCK OFF YOU'RE SO ANNOYING
+    persist.byStore.plaintext = [
+      # ~/.cache/nix can become several GB; persisted to save RAM
+      ".cache/nix"
+    ];
  };
 }
--- a/hosts/common/programs/sanebox.nix
+++ b/hosts/common/programs/sanebox.nix
@@ -20,7 +20,7 @@ in
      bubblewrap = cfg.bubblewrap.package;
      iproute2 = cfg.iproute2.package;
      iptables = cfg.iptables.package;
-      libcap = cfg.libcap.package;
+      libcap = cfg.capsh.package;  #< the sandboxer doesn't use any other libcap binaries
      passt = cfg.passt.package;
      landlock-sandboxer = cfg.landlock-sandboxer.package;
      # landlock-sandboxer = pkgs.landlock-sandboxer.override {
--- a/hosts/common/programs/sway/default.nix
+++ b/hosts/common/programs/sway/default.nix
@@ -16,7 +16,10 @@ let

      # delete DISPLAY-related vars from env before launch, else sway will try to connect to a remote display.
      # (consider: nested sway sessions, where sway actually has a reason to read these)
-      exec env -u DISPLAY -u WAYLAND_DISPLAY "DESIRED_WAYLAND_DISPLAY=$WAYLAND_DISPLAY" ${configuredSway}/bin/sway 2>&1
+      exec env -u DISPLAY -u WAYLAND_DISPLAY \
+        "DESIRED_WAYLAND_DISPLAY=$WAYLAND_DISPLAY" \
+        ${configuredSway}/bin/sway \
+        2>&1
    '';
  in
    pkgs.symlinkJoin {
@@ -38,7 +41,7 @@ let
    # - test: run dino, receive a message while tabbed away, click the desktop notification.
    #   - if sway activates the dino window (i.e. colors the workspace and tab), then all good
    #   - do all of this with only a touchscreen (e.g. on mobile phone) -- NOT a mouse/pointer
-    # 2023/12/17: this patch is still necessary
+    # 2024/08/12: this patch is still necessary (for moby)
    ## what this patch does:
    # - allows any wayland window to request activation, at any time.
    # - traditionally, wayland only allows windows to request activation if
--- a/hosts/common/programs/xdg-desktop-portal-gnome/default.nix
+++ b/hosts/common/programs/xdg-desktop-portal-gnome/default.nix
@@ -13,6 +13,32 @@ in
      ];
    });

+    sandbox.method = "bwrap";
+    sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      ".local/share/applications"  # file opener needs to find .desktop files, for their icon/name.
+      # for file-chooser portal users (fractal, firefox, ...), need to provide anything they might want.
+      # i think (?) portal users can only access the files here interactively, i.e. by me interacting with the portal's visual filechooser,
+      # so shoving stuff here is trusting the portal but not granting any trust to the portal user.
+      "Books/local"
+      "Books/servo"
+      "Music"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+      "Videos/local"
+      "Videos/servo"
+      "archive"
+      "dev"
+      "ref"
+      "tmp"
+      "use"
+    ];
+
    fs.".config/xdg-desktop-portal/portals/gnome.portal".symlink.target =
      "${cfg.packageUnwrapped}/share/xdg-desktop-portal/portals/gnome.portal";
    # XXX: overcome bug when manually setting `$XDG_DESKTOP_PORTAL_DIR`
--- a/integrations/nixpkgs/nixpkgs-overlays.nix
+++ b/integrations/nixpkgs/nixpkgs-overlays.nix
@@ -2,4 +2,7 @@
 # it works by using stock upstream `nixpkgs`
 # and putting NIX_PATH=nixpkgs-overlays=/path/to/here on the nixbld environment.
 #
-[(import ../../overlays/all.nix)]
+# XXX(2024-08-12): DON'T import `all.nix`, as that makes upstreaming cross patches more difficult (impurity)!
+# i only really need to grant access to my additional packages, here.
+# [(import ../../overlays/all.nix)]
+[(import ../../overlays/pkgs.nix)]
--- a/modules/data/feeds/sources/omny.fm/shows/weird-little-guys/default.json
+++ b/modules/data/feeds/sources/omny.fm/shows/weird-little-guys/default.json
@@ -0,0 +1,9 @@
+{
+  "description": "<p>Weird Little Guys is a weekly show about the worst people you\u2019ve never heard of, taking you beyond the headlines to get to know the race warriors and aspiring terrorists trying to unravel the fabric of our society. Weaving together the origin stories of modern American white supremacist groups and the crimes that land their members in court, independent journalist Molly Conger exposes the monsters for what they really are - some weird guy. Whether they\u2019re conspiring to build bombs or serving swastika shaped cookies at a dinner party, the weird little guys trying to destroy America are a little less scary with their masks off.\u00a0</p>",
+  "is_podcast": true,
+  "site_name": "",
+  "site_url": "",
+  "title": "Weird Little Guys",
+  "url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/62ce32da-c3ea-45e9-a31c-b1b00134dbcd/9543cfef-9641-4bf0-9ce1-b1b001351bbe/podcast.rss",
+  "velocity": 0.259
+}
--- a/modules/dns.nix
+++ b/modules/dns.nix
@@ -11,7 +11,7 @@ let
    # - any character may be encoded by `\DDD`, where `DDD` represents its ascii value in base 8.
    # - any non-digit `X` may be encoded by `\X`.
    # - stated in: <https://www.ietf.org/rfc/rfc1035.txt>: 5.1 Format
-    # - visible in <trust-dns:crates/proto/src/serialize/txt/zone_lex.rs:escape_seq>
+    # - visible in <hickory-dns:crates/proto/src/serialize/txt/zone_lex.rs:escape_seq>
    # for us, we can just replace `\` => `\\ and `"` -> `\"`
    TXT = value: "\"" + (lib.escape [ "\\" "\"" ] value) + "\"";
  };
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -480,11 +480,11 @@ let
      suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
        "bubblewrap" "passt" "iproute2" "iptables"
      ] ++ lib.optionals (config.sandbox.method == "landlock") [
-        "landlock-sandboxer" "libcap"
+        "landlock-sandboxer" "capsh"
      ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
-        "passt" "iproute2" "iptables" "libcap"
+        "passt" "iproute2" "iptables" "capsh"
      ] ++ lib.optionals (config.sandbox.method == "capshonly") [
-        "libcap"
+        "capsh"
      ];
      # declare a fs dependency for each secret, but don't specify how to populate it yet.
      #   can't populate it here because it varies per-user.
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -4,6 +4,7 @@
  buildPackages,
  file,
  gnugrep,
+  gnused,
  makeBinaryWrapper,
  runCommandLocal,
  runtimeShell,
@@ -11,6 +12,7 @@
  symlinkJoin,
  writeShellScriptBin,
  writeTextFile,
+  xorg,
 }:
 let
  fakeSaneSandboxed = writeShellScriptBin "sanebox" ''
@@ -60,6 +62,7 @@ let
      # the ordering here is specific: inject our deps BEFORE the unwrapped program's
      # so that the unwrapped's take precendence and we limit interference (e.g. makeWrapper impl)
      fakeSaneSandboxed
+      gnugrep
      makeBinaryWrapper
    ] ++ (unwrapped.nativeBuildInputs or []);
    disallowedReferences = (unwrapped.disallowedReferences or []) ++ [
@@ -70,8 +73,7 @@ let

    postFixup = (unwrapped.postFixup or "") + ''
      assertExecutable() {
-        # my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that)
-        :
+        :  # my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that)
      }
      makeDocumentedCWrapper() {
        # this is identical to nixpkgs' implementation, only replace execv with execvp, the latter which looks for the executable on PATH.
@@ -93,26 +95,68 @@ let
        # if desired, makeWrapper-style naming could be achieved by leveraging `exec -a <original_name>`
        # or `make-wrapper --inherit-argv0`
        mkdir -p "$_dir/.sandboxed"
-        if [[ "$(readlink $_dir/$_name)" =~ ^\.\./ ]]; then
-          # relative links which ascend a directory (into a non-bin/ directory)
-          # won't point to the right place if we naively move them
-          ln -s "../$(readlink $_dir/$_name)" "$_dir/.sandboxed/$_name"
-          rm "$_dir/$_name"
-        else
-          mv "$_dir/$_name" "$_dir/.sandboxed/"
-        fi
+        mv "$_dir/$_name" "$_dir/.sandboxed/"
        makeBinaryWrapper ${sanebox'} "$_dir/$_name" --suffix PATH : /run/current-system/sw/libexec/sanebox ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name"
      }

-      crawlAndWrap() {
-        local _dir="$1"
-        for _p in $(ls "$_dir/"); do
-          if [ -x "$_dir/$_p" ] && ! [ -d "$_dir/$_p" ]; then
-            sandboxWrap "$_dir" "$_p"
-          elif [ -d "$_dir/$_p" ]; then
-            crawlAndWrap "$_dir/$_p"
+      derefWhileInSameOutput() {
+        local output="$1"
+        local item="$2"
+        if [ -L "$item" ]; then
+          local target=$(readlink "$item")
+          if [[ "$target" =~ ^"$output"/ ]]; then
+            # absolute link back into the same package
+            item=$(derefWhileInSameOutput "$output" "$target")
+          elif [[ "$target" =~ ^/nix/store/ ]]; then
+            : # absolute link to another package: we're done
+          else
+            # relative link
+            local parent=$(dirname "$item")
+            target="$parent/$target"
+            item=$(derefWhileInSameOutput "$output" "$target")
+          fi
+        fi
+        echo "$item"
+      }
+      findUnwrapped() {
+        if [ -L "$1" ]; then
+          echo "$1"
+        else
+          local dir_=$(dirname "$1")
+          local file_=$(basename "$1")
+          local sandboxed="$dir_/.sandboxed/$file_"
+          local unwrapped="$dir_/.''${file_}-unwrapped"
+          if grep -q "$sandboxed" "$1"; then
+            echo "/dev/null"  #< already sandboxed
+          elif grep -q "$unwrapped" "$1"; then
+            echo $(findUnwrapped "$unwrapped")
+          else
+            echo "$1"
+          fi
+        fi
+      }
+
+      crawlAndWrap() {
+        local output="$1"
+        local _dir="$2"
+        local item
+        for item in $(ls -a "$_dir/"); do
+          if [ "$item" != . ] && [ "$item" != .. ]; then
+            local target="$_dir/$item"
+            if [ -x "$target" ] && ! [ -d "$target" ]; then
+              # in the case of symlinks, deref until we find the real file, or the symlink points outside the package
+              target=$(derefWhileInSameOutput "$output" "$target")
+              target=$(findUnwrapped "$target")
+              if [ "$target" != /dev/null ]; then
+                local parent=$(dirname "$target")
+                local bin=$(basename "$target")
+                sandboxWrap "$parent" "$bin"
+              fi
+            elif [ -d "$_dir/$item" ]; then
+              crawlAndWrap "$_dir/$item"
+            fi
+            # ignore all non-binaries
          fi
-          # ignore all non-binaries
        done
      }

@@ -120,10 +164,10 @@ let
        local outdir=''${!output}
        echo "scanning output '$output' at $outdir for binaries to sandbox"
        if [ -e "$outdir/bin" ]; then
-          crawlAndWrap "$outdir/bin"
+          crawlAndWrap "$outdir" "$outdir/bin"
        fi
        if [ -e "$outdir/libexec" ]; then
-          crawlAndWrap "$outdir/libexec"
+          crawlAndWrap "$outdir" "$outdir/libexec"
        fi
      done
    '';
@@ -139,20 +183,57 @@ let
  ;

  # helper used for `wrapperType == "wrappedDerivation"` which simply symlinks all a package's binaries into a new derivation
-  symlinkBinaries = pkgName: package: (runCommandLocal "${pkgName}-bin-only" {} ''
+  symlinkBinaries = pkgName: package: (runCommandLocal "${pkgName}-bin-only" {
+    nativeBuildInputs = [ gnused ];
+  } ''
    set -e
-    if [ -e "${package}/bin" ]; then
-      mkdir -p "$out/bin"
-      ${buildPackages.xorg.lndir}/bin/lndir "${package}/bin" "$out/bin"
-    fi
-    if [ "$(readlink ${package}/sbin)" == "bin" ]; then
-      # weird packages like wpa_supplicant depend on a sbin/ -> bin symlink in their service files
-      ln -s bin "$out/sbin"
-    fi
-    if [ -e "${package}/libexec" ]; then
-      mkdir -p "$out/libexec"
-      ${buildPackages.xorg.lndir}/bin/lndir "${package}/libexec" "$out/libexec"
-    fi
+    symlinkPath() {
+      if [ -e "$out/$1" ]; then
+        :  # already linked. may happen when e.g. the package has bin/foo, and sbin -> bin.
+      elif ! [ -x "${package}/$1" ]; then
+        :  # not a binary, nor a directory (-x) which could contain binaries
+      elif [ -L "${package}/$1" ]; then
+        local target=$(readlink "${package}/$1")
+        if [[ "$target" =~ ^${package}/ ]]; then
+          # absolute link back into the same package
+          echo "handling $1: descending into absolute symlink to same package: $target"
+          target=$(echo "$target" | sed 's:${package}/::')
+          ln -s "$out/$target" "$out/$1"
+          # create/link the backing path
+          # N.B.: if some leading component of the backing path is also a symlink... this might not work as expected.
+          local parent=$(dirname "$out/$target")
+          mkdir -p "$parent"
+          symlinkPath "$target"
+        elif [[ "$target" =~ ^/nix/store/ ]]; then
+          # absolute link to another package
+          echo "handling $1: symlinking absolute store path: $target"
+          ln -s "$target" "$out/$1"
+        else
+          # relative link
+          echo "handling $1: descending into relative symlink: $target"
+          ln -s "$target" "$out/$1"
+          local parent=$(dirname "$1")
+          local derefParent=$(dirname "$out/$parent/$target")
+          $(set -x && mkdir -p "$derefParent")
+          symlinkPath "$parent/$target"
+        fi
+      elif [ -d "${package}/$1" ]; then
+        echo "handling $1: descending into directory"
+        mkdir -p "$out/$1"
+        items=($(ls -a "${package}/$1"))
+        for item in "''${items[@]}"; do
+          if [ "$item" != . ] && [ "$item" != .. ]; then
+            symlinkPath "$1/$item"
+          fi
+        done
+      elif [ -e "${package}/$1" ]; then
+        echo "handling $1: symlinking ordinary file"
+        ln -s "${package}/$1" "$out/$1"
+      fi
+    }
+    symlinkPath bin
+    symlinkPath sbin
+    symlinkPath libexec
    # allow downstream wrapping to hook this (and thereby actually wrap the binaries)
    runHook postFixup
  '').overrideAttrs (_: {
@@ -185,6 +266,28 @@ let
          mv ./substituteResult "$_outPath"
        fi
      }
+
+      # remove any files which exist in sandoxedBin (makes it possible to sandbox /opt-style packages)
+      # also remove any files which would be "hidden". mostly useful for /opt-style packages which contain nix-wrapped binaries.
+      removeUnwanted() {
+        local file_=$(basename "$1")
+        if [[ "$file_" == .* ]]; then
+          rm -r "$out/$1"
+        elif [ -f "$out/$1" ] || [ -L "$out/$1" ]; then
+          if [ -e "${sandboxedBin}/$1" ]; then
+            rm "$out/$1"
+          fi
+        elif [ -d "$out/$1" ]; then
+          local files=($(ls -a "$out/$1"))
+          for item in "''${files[@]}"; do
+            if [ "$item" != . ] && [ "$item" != .. ]; then
+              removeUnwanted "$1/$item"
+            fi
+          done
+        fi
+      }
+      removeUnwanted ""
+
      # fixup a few files i understand well enough
      for d in \
        $out/etc/xdg/autostart/*.desktop \
@@ -207,13 +310,15 @@ let
      # further, since the sandboxed binaries intentionally reference the unsandboxed binaries,
      # we have to patch those out as a way to whitelist them.
      checkSandboxed = let
-        sandboxedNonBin = fixHardcodedRefs unsandboxed "/dev/null" unsandboxedNonBin;
+        sandboxedNonBin = fixHardcodedRefs unsandboxed sandboxedBin unsandboxedNonBin;
      in runCommandLocal "${sandboxedNonBin.name}-check-sandboxed"
        { disallowedReferences = [ unsandboxed ]; }
+        # dereference every symlink, ensuring that whatever data is behind it does not reference non-sandboxed binaries.
+        # the dereference *can* fail, in case it's a relative symlink that refers to a part of the non-binaries we don't patch.
+        # in such case, this could lead to weird brokenness (e.g. no icons/images), so failing is reasonable.
+        # N.B.: this `checkSandboxed` protects against accidentally referencing unsandboxed binaries from data files (.deskop, .service, etc).
+        # there's an *additional* `checkSandboxed` further below which invokes every executable in the final package to make sure the binaries are truly sandboxed.
        ''
-          # dereference every symlink, ensuring that whatever data is behind it does not reference non-sandboxed binaries.
-          # the dereference *can* fail, in case it's a relative symlink that refers to a part of the non-binaries we don't patch.
-          # in such case, this could lead to weird brokenness (e.g. no icons/images), so failing is reasonable.
          cp -R --dereference "${sandboxedNonBin}" "$out"  # IF YOUR BUILD FAILS HERE, TRY SANDBOXING WITH "inplace"
        ''
      ;
@@ -224,7 +329,9 @@ let
  # patch them to use the sandboxed binaries,
  # and add some passthru metadata to enforce no lingering references to the unsandboxed binaries.
  sandboxNonBinaries = pkgName: unsandboxed: sandboxedBin: let
-    sandboxedWithoutFixedRefs = (runCommandLocal "${pkgName}-sandboxed-non-binary" {} ''
+    sandboxedWithoutFixedRefs = (runCommandLocal "${pkgName}-sandboxed-non-binary" {
+      nativeBuildInputs = [ xorg.lndir ];
+    } ''
      set -e
      mkdir "$out"
      # link in a limited subset of the directories.
@@ -233,7 +340,7 @@ let
      for dir in etc share; do
        if [ -e "${unsandboxed}/$dir" ]; then
          mkdir "$out/$dir"
-          ${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/$dir" "$out/$dir"
+          lndir "${unsandboxed}/$dir" "$out/$dir"
        fi
      done
      runHook postInstall
@@ -243,7 +350,7 @@ let
    });
  in fixHardcodedRefs unsandboxed sandboxedBin sandboxedWithoutFixedRefs;

-  # take the nearly-final sandboxed package, with binaries and and else, and
+  # take the nearly-final sandboxed package, with binaries and all else, and
  # populate passthru attributes the caller expects, like `checkSandboxed`.
  fixupMetaAndPassthru = pkgName: pkg: extraPassthru: pkg.overrideAttrs (finalAttrs: prevAttrs: let
    nonBin = (prevAttrs.passthru or {}).sandboxedNonBin or {};
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -5,7 +5,7 @@
    ./clightning.nix
    ./dyn-dns.nix
    ./eg25-manager.nix
+    ./hickory-dns
    ./kiwix-serve.nix
-    ./trust-dns
  ];
 }
--- a/modules/services/hickory-dns/default.nix
+++ b/modules/services/hickory-dns/default.nix
@@ -1,20 +1,20 @@
 { config, lib, pkgs, ... }:
 let
-  trust-dns-nmhook = pkgs.static-nix-shell.mkPython3 {
-    pname = "trust-dns-nmhook";
+  hickory-dns-nmhook = pkgs.static-nix-shell.mkPython3 {
+    pname = "hickory-dns-nmhook";
    srcRoot = ./.;
    pkgs = [
      "systemd"
    ];
  };
-  cfg = config.sane.services.trust-dns;
+  cfg = config.sane.services.hickory-dns;
  dns = config.sane.dns;
  toml = pkgs.formats.toml { };
  instanceModule = with lib; types.submodule ({ config, name, ...}: {
    options = {
      service = mkOption {
        type = types.str;
-        default = "trust-dns-${name}";
+        default = "hickory-dns-${name}";
        description = ''
          systemd service name corresponding to this instance (used internally and automatically set).
        '';
@@ -41,7 +41,7 @@ let
        type = types.attrsOf types.str;
        default = {};
        description = ''
-          text substitutions to make on the config and zone file before starting trust-dns.
+          text substitutions to make on the config and zone file before starting hickory-dns.
        '';
        example = {
          "%CNAMESELF%" = "lappy";
@@ -98,12 +98,12 @@ let
  mkSystemdService = flavor: { includes, listenAddrsIpv4, listenAddrsIpv6, port, substitutions, extraConfig, ... }: let
    sed = "${pkgs.gnused}/bin/sed";
    baseConfig = (
-      lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
+      lib.filterAttrsRecursive (_: v: v != null) config.services.hickory-dns.settings
    ) // {
      listen_addrs_ipv4 = listenAddrsIpv4;
      listen_addrs_ipv6 = listenAddrsIpv6;
    };
-    configTemplate = toml.generate "trust-dns-${flavor}.toml" (baseConfig //
+    configTemplate = toml.generate "hickory-dns-${flavor}.toml" (baseConfig //
      (lib.mapAttrs (k: v:
        if k == "zones" then
          # append to the baseConfig instead of overriding it
@@ -113,7 +113,7 @@ let
      )
      extraConfig
    ));
-    configPath = "/var/lib/trust-dns/${flavor}-config.toml";
+    configPath = "/var/lib/hickory-dns/${flavor}-config.toml";
    sedArgs = builtins.map (key: ''-e "s/${key}/${substitutions."${key}"}/g"'') (
      # HACK: %ANATIVE% often expands to one of the other subtitutions (e.g. %AWAN%)
      # so we must expand it *first*.
@@ -123,34 +123,34 @@ let
    );
    subs = lib.concatStringsSep " " sedArgs;
  in {
-    description = "trust-dns Domain Name Server (serving ${flavor})";
-    unitConfig.Documentation = "https://trust-dns.org/";
+    description = "hickory-dns Domain Name Server (serving ${flavor})";
+    unitConfig.Documentation = "https://hickory-dns.org/";
    after = [ "network.target" ];
    before = [ "network-online.target" ];  # most things assume they'll have DNS services alongside routability
    wantedBy = [ "network.target" ];

    preStart = lib.concatStringsSep "\n" (
      [''
-        mkdir -p "/var/lib/trust-dns/${flavor}"
+        mkdir -p "/var/lib/hickory-dns/${flavor}"
        ${sed} ${subs} -e "" "${configTemplate}" \
          | cat - \
            ${lib.concatStringsSep " " includes} \
            > "${configPath}" || true
      ''] ++ lib.mapAttrsToList (zone: { rendered, ... }: ''
        ${sed} ${subs} -e "" ${pkgs.writeText "${zone}.zone.in" rendered} \
-          > "/var/lib/trust-dns/${flavor}/${zone}.zone"
+          > "/var/lib/hickory-dns/${flavor}/${zone}.zone"
      '') dns.zones
    );

-    serviceConfig = (config.systemd.services.hickory-dns or config.systemd.services.trust-dns).serviceConfig // {
+    serviceConfig = config.systemd.services.hickory-dns.serviceConfig // {
      ExecStart = lib.escapeShellArgs ([
-        "${lib.getExe config.services.trust-dns.package}"
+        "${lib.getExe config.services.hickory-dns.package}"
        "--port"     (builtins.toString port)
-        "--zonedir"  "/var/lib/trust-dns/${flavor}"
+        "--zonedir"  "/var/lib/hickory-dns/${flavor}"
        "--config"   "${configPath}"
-      ] ++ lib.optionals config.services.trust-dns.debug [
+      ] ++ lib.optionals config.services.hickory-dns.debug [
        "--debug"
-      ] ++ lib.optionals config.services.trust-dns.quiet [
+      ] ++ lib.optionals config.services.hickory-dns.quiet [
        "--quiet"
      ]);
      # servo/dyn-dns needs /var/lib/uninsane/wan.txt.
@@ -158,14 +158,14 @@ let
      # so just bind the deepest path which is guaranteed to exist.
      ReadOnlyPaths = [ "/var/lib" ];  #< TODO: scope this down!
    } // lib.optionalAttrs cfg.asSystemResolver {
-      # allow the group to write trust-dns state (needed by NetworkManager hook)
+      # allow the group to write hickory-dns state (needed by NetworkManager hook)
      StateDirectoryMode = "775";
    };
  };
 in
 {
  options = with lib; {
-    sane.services.trust-dns = {
+    sane.services.hickory-dns = {
      enable = mkOption {
        default = false;
        type = types.bool;
@@ -182,19 +182,19 @@ in
  };

  config = lib.mkIf cfg.enable {
-    # enable nixpkgs' trust-dns so that i get its config generation
+    # enable nixpkgs' hickory-dns so that i get its config generation
    # but don't actually enable the systemd service... i'll instantiate *multiple* instances per interface further below
-    services.trust-dns.enable = true;
-    services.trust-dns.settings.zones = [];  #< TODO: remove once upstreamed (bad default)
+    services.hickory-dns.enable = true;
+    services.hickory-dns.settings.zones = [];  #< TODO: remove once upstreamed (bad default)

    # don't bind to IPv6 until i explicitly test that stack
-    services.trust-dns.settings.listen_addrs_ipv6 = [];
-    services.trust-dns.quiet = true;
-    # FIXME(2023/11/26): services.trust-dns.debug doesn't log requests: use RUST_LOG=debug env for that.
+    services.hickory-dns.settings.listen_addrs_ipv6 = [];
+    services.hickory-dns.quiet = true;
+    # FIXME(2023/11/26): services.hickory-dns.debug doesn't log requests: use RUST_LOG=debug env for that.
    # - see: <https://github.com/hickory-dns/hickory-dns/issues/2082>
-    # services.trust-dns.debug = true;
+    # services.hickory-dns.debug = true;

-    services.trust-dns.package = pkgs.trust-dns.override {
+    services.hickory-dns.package = pkgs.hickory-dns.override {
      rustPlatform.buildRustPackage = args: pkgs.rustPlatform.buildRustPackage (args // {
        buildFeatures = [
          "recursor"
@@ -214,11 +214,11 @@ in
        cargoHash = "sha256-6Es5/gRqgsteWUHICdgcNlujJE9vrdr3tj/EKKyFsrY=";
      });
    };
-    services.trust-dns.settings.directory = "/var/lib/trust-dns";
+    services.hickory-dns.settings.directory = "/var/lib/hickory-dns";

-    users.groups.trust-dns = {};
-    users.users.trust-dns = {
-      group = "trust-dns";
+    users.groups.hickory-dns = {};
+    users.users.hickory-dns = {
+      group = "hickory-dns";
      isSystemUser = true;
    };

@@ -227,27 +227,15 @@ in
        hickory-dns.enable = false;
        hickory-dns.serviceConfig = {
          DynamicUser = lib.mkForce false;
-          User = "trust-dns";
-          Group = "trust-dns";
+          User = "hickory-dns";
+          Group = "hickory-dns";
          wantedBy = lib.mkForce [];
          # there can be a lot of restarts as interfaces toggle,
          # particularly around the DHCP/NetworkManager stuff.
          StartLimitBurst = 60;
-          StateDirectory = lib.mkForce "trust-dns";
+          StateDirectory = lib.mkForce "hickory-dns";
        };
-
-        trust-dns.enable = false;
-        trust-dns.serviceConfig = {
-          DynamicUser = lib.mkForce false;
-          User = "trust-dns";
-          Group = "trust-dns";
-          wantedBy = lib.mkForce [];
-          # there can be a lot of restarts as interfaces toggle,
-          # particularly around the DHCP/NetworkManager stuff.
-          StartLimitBurst = 60;
-          StateDirectory = lib.mkForce "trust-dns";
-        };
-        # trust-dns.unitConfig.StartLimitIntervalSec = 60;
+        # hickory-dns.unitConfig.StartLimitIntervalSec = 60;
      }
      (lib.mapAttrs'
        (flavor: instanceConfig: {
@@ -259,28 +247,28 @@ in
    ];

    # run a hook whenever networking details change, so the DNS zone can be updated to reflect this
-    environment.etc."NetworkManager/dispatcher.d/60-trust-dns-nmhook" = lib.mkIf cfg.asSystemResolver {
-      source = "${trust-dns-nmhook}/bin/trust-dns-nmhook";
+    environment.etc."NetworkManager/dispatcher.d/60-hickory-dns-nmhook" = lib.mkIf cfg.asSystemResolver {
+      source = "${hickory-dns-nmhook}/bin/hickory-dns-nmhook";
    };

-    # allow NetworkManager (via trust-dns-nmhook) to restart trust-dns when necessary
+    # allow NetworkManager (via hickory-dns-nmhook) to restart hickory-dns when necessary
    # - source: <https://stackoverflow.com/questions/61480914/using-policykit-to-allow-non-root-users-to-start-and-stop-a-service>
    security.polkit.extraConfig = lib.mkIf cfg.asSystemResolver ''
      polkit.addRule(function(action, subject) {
-        if (subject.isInGroup("trust-dns") &&
+        if (subject.isInGroup("hickory-dns") &&
            action.id == "org.freedesktop.systemd1.manage-units" &&
-            action.lookup("unit") == "trust-dns-localhost.service") {
+            action.lookup("unit") == "hickory-dns-localhost.service") {
          return polkit.Result.YES;
        }
      });
    '';

-    sane.services.trust-dns.instances.localhost = lib.mkIf cfg.asSystemResolver {
+    sane.services.hickory-dns.instances.localhost = lib.mkIf cfg.asSystemResolver {
      listenAddrsIpv4 = [ "127.0.0.1" ];
      listenAddrsIpv6 = [ "::1" ];
      enableRecursiveResolver = true;
      # append zones discovered via DHCP to the resolver config.
-      includes = [ "/var/lib/trust-dns/dhcp-configs/*" ];
+      includes = [ "/var/lib/hickory-dns/dhcp-configs/*" ];
    };
    networking.nameservers = lib.mkIf cfg.asSystemResolver [
      "127.0.0.1"
--- a/modules/services/hickory-dns/hickory-dns-nmhook
+++ b/modules/services/hickory-dns/hickory-dns-nmhook
@@ -2,7 +2,7 @@
 #!nix-shell -i python3 -p python3 -p systemd
 # vim: set filetype=python :

-# /etc/NetworkManager/dispatcher.d/trust-dns-nmhook:
+# /etc/NetworkManager/dispatcher.d/hickory-dns-nmhook:
 # NetworkManager-dispatcher.service calls this script whenever any network changes state.
 # this includes when we activate a new network and receive DHCP info.
 # specifically, this script propagates DHCP info to my DNS setup,
@@ -23,7 +23,7 @@ import subprocess

 logger = logging.getLogger(__name__)

-DNS_DIR = "/var/lib/trust-dns"
+DNS_DIR = "/var/lib/hickory-dns"
 DHCP_CONFIGS = "dhcp-configs"

 class Ops:
@@ -103,11 +103,11 @@ stores = {{ type = "forward", name_servers = [
    return lines

 def apply_zone(nm_config: NmConfig, ops: Ops) -> None:
-    # if we want to write /var/lib/trust-dns here, then we have to make sure the service is started, so systemd can create the directory.
+    # if we want to write /var/lib/hickory-dns here, then we have to make sure the service is started, so systemd can create the directory.
    # ops.exec_([
    #     "systemctl",
    #     "start",
-    #     "trust-dns-localhost",
+    #     "hickory-dns-localhost",
    # ])
    specialized_config = ""
    for domain in nm_config.search_domains:
@@ -125,7 +125,7 @@ def apply_zone(nm_config: NmConfig, ops: Ops) -> None:
    ops.exec_([
        "systemctl",
        "restart",
-        "trust-dns-localhost",
+        "hickory-dns-localhost",
    ])

 def main():
@@ -134,7 +134,7 @@ def main():

    logger.info('invoked')

-    parser = argparse.ArgumentParser(description='update trust-dns config in response to NetworkManager event')
+    parser = argparse.ArgumentParser(description='update hickory-dns config in response to NetworkManager event')
    parser.add_argument('--dns-dir', default=DNS_DIR)
    parser.add_argument('--verbose', action='store_true')
    parser.add_argument('--dry-run', action='store_true')
--- a/overlays/cross.nix
+++ b/overlays/cross.nix
@@ -115,21 +115,6 @@ in with final; {
  #     });
  #   };

-  # 2024/05/13: upstreaming is unblocked; out for review: <https://github.com/NixOS/nixpkgs/pull/305241>
-  appstream = prev.appstream.overrideAttrs (upstream: {
-    # fixes: "Message: Native appstream required for cross-building"
-    # error introduced in:
-    # - <https://github.com/ximion/appstream/pull/510>
-    # - <https://github.com/NixOS/nixpkgs/pull/273297>
-    postPatch = (upstream.postPatch or "") + ''
-      substituteInPlace data/meson.build \
-        --replace-fail 'meson.is_cross_build()' 'false'
-    '';
-    # nativeBuildInputs = upstream.nativeBuildInputs ++ [
-    #   prev.appstream
-    # ];
-  });
-
  # bamf: required via pantheon.switchboard -> wingpanel -> gala
  # bamf = prev.bamf.overrideAttrs (upstream: {
  #   # "You must have gtk-doc >= 1.0 installed to build documentation"
@@ -186,7 +171,7 @@ in with final; {
  #   shell = runtimeShell;
  # };

-  # 2024/05/31: upstreaming blocked by appstream, qtsvg
+  # 2024/08/12: upstreaming is blocked on libgweather, via evolution-data-server
  # fixes: "Exec format error: './calls-scan'"
  calls = prev.calls.overrideAttrs (upstream: {
    # TODO: try building with mesonEmulatorHook when i upstream this
@@ -197,16 +182,7 @@ in with final; {
    mesonFlags = lib.remove "-Dgtk_doc=true" upstream.mesonFlags;
  });

-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
-  # clapper = prev.clapper.overrideAttrs (upstream: {
-  #   # use the host gjs (meson's find_program expects it to be executable)
-  #   postPatch = (upstream.postPatch or "") + ''
-  #     substituteInPlace bin/meson.build \
-  #       --replace "find_program('gjs').path()" "'${gjs}/bin/gjs'"
-  #   '';
-  # });
-
-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
+  # 2024/08/12: upstreaming is unblocked
  delfin = prev.delfin.overrideAttrs (upstream: {
    nativeBuildInputs = upstream.nativeBuildInputs ++ [
      # fixes: loaders/meson.build:72:7: ERROR: Program 'msgfmt' not found or not executable
@@ -219,7 +195,7 @@ in with final; {
    '';
  });

-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
+  # 2024/08/12: upstreaming is unblocked
  dialect = prev.dialect.overrideAttrs (upstream: {
    # blueprint-compiler runs on the build machine, but tries to load gobject-introspection types meant for the host.
    postPatch = (upstream.postPatch or "") + ''
@@ -253,6 +229,7 @@ in with final; {
  #   binutils = binutils-unwrapped;
  # };

+  # 2024/08/12: upstreaming is unblocked
  # emacs = prev.emacs.override {
  #   nativeComp = false;  # will be renamed to `withNativeCompilation` in future
  #   # future: we can specify 'action-if-cross-compiling' to actually invoke the test programs:
@@ -292,15 +269,11 @@ in with final; {
    # ];
  });

-  fd = prev.fd.overrideAttrs (base: {
-    # fix that shell completion installation wants to run host fd
-    postInstall = lib.replaceStrings
-      [ "$out/bin/fd" ]
-      [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/fd" ]
-      base.postInstall;
-  });
+  # 2024/08/12: upstreaming is blocked on gnome-user-share (apache-httpd)
+  # fixes: "src/meson.build:106:0: ERROR: Program 'glib-compile-resources' not found or not executable"
+  # file-roller = mvToNativeInputs [ glib ] prev.file-roller;

-  # 2024/05/31: upstreaming is unblocked
+  # 2024/08/12: upstreaming is unblocked
  # firejail = prev.firejail.overrideAttrs (upstream: {
  #   # firejail executes its build outputs to produce the default filter list.
  #   # i think we *could* copy the default filters from pkgsBuildBuild, but that doesn't seem future proof
@@ -314,33 +287,40 @@ in with final; {
  #   '');
  # });

-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
-  flare-signal = prev.flare-signal.overrideAttrs (upstream: {
-    # blueprint-compiler runs on the build machine, but tries to load gobject-introspection types meant for the host.
-    postPatch = (upstream.postPatch or "") + ''
-      substituteInPlace data/resources/meson.build --replace-fail \
-        "find_program('blueprint-compiler')" \
-        "'env', 'GI_TYPELIB_PATH=${buildPackages.gdk-pixbuf.out}/lib/girepository-1.0:${buildPackages.harfbuzz.out}/lib/girepository-1.0:${buildPackages.gtk4.out}/lib/girepository-1.0:${buildPackages.graphene}/lib/girepository-1.0:${buildPackages.libadwaita}/lib/girepository-1.0:${buildPackages.pango.out}/lib/girepository-1.0', find_program('blueprint-compiler')"
-    '';
-     env = let
-       inherit buildPackages stdenv rust;
-       ccForBuild = "${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc";
-       cxxForBuild = "${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}c++";
-       ccForHost = "${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc";
-       cxxForHost = "${stdenv.cc}/bin/${stdenv.cc.targetPrefix}c++";
-       rustBuildPlatform = rust.toRustTarget stdenv.buildPlatform;
-       rustTargetPlatform = rust.toRustTarget stdenv.hostPlatform;
-       rustTargetPlatformSpec = rust.toRustTargetSpec stdenv.hostPlatform;
-     in {
-       # taken from <pkgs/build-support/rust/hooks/default.nix>
-       # fixes "cargo:warning=aarch64-unknown-linux-gnu-gcc: error: unrecognized command-line option ‘-m64’"
-       # XXX: these aren't necessarily valid environment variables: the referenced nix file is more clever to get them to work.
-       "CC_${rustBuildPlatform}" = "${ccForBuild}";
-       "CXX_${rustBuildPlatform}" = "${cxxForBuild}";
-       "CC_${rustTargetPlatform}" = "${ccForHost}";
-       "CXX_${rustTargetPlatform}" = "${cxxForHost}";
-     };
-  });
+  # 2024/08/12: upstreaming is unblocked
+  # flare-signal = prev.flare-signal.overrideAttrs (upstream: {
+  #   # blueprint-compiler runs on the build machine, but tries to load gobject-introspection types meant for the host.
+  #   postPatch = (upstream.postPatch or "") + ''
+  #     substituteInPlace data/resources/meson.build --replace-fail \
+  #       "find_program('blueprint-compiler')" \
+  #       "'env', 'GI_TYPELIB_PATH=${typelibPath [
+  #         buildPackages.gdk-pixbuf
+  #         buildPackages.harfbuzz
+  #         buildPackages.gtk4
+  #         buildPackages.libadwaita
+  #         buildPackages.pango
+  #         buildPackages.graphene
+  #       ]}', find_program('blueprint-compiler')"
+  #   '';
+  #    env = let
+  #      inherit buildPackages stdenv rust;
+  #      ccForBuild = "${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc";
+  #      cxxForBuild = "${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}c++";
+  #      ccForHost = "${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc";
+  #      cxxForHost = "${stdenv.cc}/bin/${stdenv.cc.targetPrefix}c++";
+  #      rustBuildPlatform = rust.toRustTarget stdenv.buildPlatform;
+  #      rustTargetPlatform = rust.toRustTarget stdenv.hostPlatform;
+  #      rustTargetPlatformSpec = rust.toRustTargetSpec stdenv.hostPlatform;
+  #    in {
+  #      # taken from <pkgs/build-support/rust/hooks/default.nix>
+  #      # fixes "cargo:warning=aarch64-unknown-linux-gnu-gcc: error: unrecognized command-line option ‘-m64’"
+  #      # XXX: these aren't necessarily valid environment variables: the referenced nix file is more clever to get them to work.
+  #      "CC_${rustBuildPlatform}" = "${ccForBuild}";
+  #      "CXX_${rustBuildPlatform}" = "${cxxForBuild}";
+  #      "CC_${rustTargetPlatform}" = "${ccForHost}";
+  #      "CXX_${rustTargetPlatform}" = "${cxxForHost}";
+  #    };
+  # });

  flare-signal-nixified = prev.flare-signal-nixified.overrideAttrs (upstream: {
    # blueprint-compiler runs on the build machine, but tries to load gobject-introspection types meant for the host.
@@ -359,31 +339,31 @@ in with final; {
    '';
  });

-  # 2024/05/31: upstreaming is blocked on appstream
-  flatpak = prev.flatpak.overrideAttrs (upstream: {
-    # fixes "No package 'libxml-2.0' found"
-    buildInputs = upstream.buildInputs ++ [ libxml2 ];
-    configureFlags = upstream.configureFlags ++ [
-      "--enable-selinux-module=no"  # fixes "checking for /usr/share/selinux/devel/Makefile... configure: error: cannot check for file existence when cross compiling"
-      "--disable-gtk-doc"  # fixes "You must have gtk-doc >= 1.20 installed to build documentation for Flatpak"
-    ];
+  # 2024/08/12: upstreaming is unblocked, implemented on `pr-flatpak-cross`, out for PR: <https://github.com/NixOS/nixpkgs/pull/334324>
+  # flatpak = prev.flatpak.overrideAttrs (upstream: {
+  #   # fixes "No package 'libxml-2.0' found"
+  #   buildInputs = upstream.buildInputs ++ [ libxml2 ];
+  #   configureFlags = upstream.configureFlags ++ [
+  #     "--enable-selinux-module=no"  # fixes "checking for /usr/share/selinux/devel/Makefile... configure: error: cannot check for file existence when cross compiling"
+  #     "--disable-gtk-doc"  # fixes "You must have gtk-doc >= 1.20 installed to build documentation for Flatpak"
+  #   ];

-    postPatch = let
-      # copied from nixpkgs flatpak and modified to use buildPackages python
-      vsc-py = buildPackages.python3.withPackages (pp: [
-        pp.pyparsing
-      ]);
-    in ''
-      patchShebangs buildutil
-      patchShebangs tests
-      PATH=${lib.makeBinPath [vsc-py]}:$PATH patchShebangs --build subprojects/variant-schema-compiler/variant-schema-compiler
-    '' + ''
-      sed -i s:'\$BWRAP --version:${stdenv.hostPlatform.emulator buildPackages} \$BWRAP --version:' configure.ac
-      sed -i s:'\$DBUS_PROXY --version:${stdenv.hostPlatform.emulator buildPackages} \$DBUS_PROXY --version:' configure.ac
-    '';
-  });
+  #   postPatch = let
+  #     # copied from nixpkgs flatpak and modified to use buildPackages python
+  #     vsc-py = buildPackages.python3.withPackages (pp: [
+  #       pp.pyparsing
+  #     ]);
+  #   in ''
+  #     patchShebangs buildutil
+  #     patchShebangs tests
+  #     PATH=${lib.makeBinPath [vsc-py]}:$PATH patchShebangs --build subprojects/variant-schema-compiler/variant-schema-compiler
+  #   '' + ''
+  #     sed -i s:'\$BWRAP --version:${stdenv.hostPlatform.emulator buildPackages} \$BWRAP --version:' configure.ac
+  #     sed -i s:'\$DBUS_PROXY --version:${stdenv.hostPlatform.emulator buildPackages} \$DBUS_PROXY --version:' configure.ac
+  #   '';
+  # });

-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
+  # 2024/08/12: upstreaming is blocked by xdg-desktop-portal
  fractal = prev.fractal.overrideAttrs (upstream: {
    postPatch = (upstream.postPatch or "") + ''
      substituteInPlace src/meson.build \
@@ -393,7 +373,7 @@ in with final; {
  });

  # solves (meson) "Run-time dependency libgcab-1.0 found: NO (tried pkgconfig and cmake)", and others.
-  # 2024/05/31: upstreaming is unblocked
+  # 2024/08/12: upstreaming is unblocked
  # fwupd = (addBuildInputs
  #   [ gcab ]
  #   (mvToBuildInputs [ gnutls ] prev.fwupd)
@@ -405,17 +385,7 @@ in with final; {
  #   outputs = lib.remove "devdoc" upstream.outputs;
  # });

-  # 2024/05/31: upstreaming is blocked on qtsvg (via pipewire)
-  # required by epiphany, gnome-settings-daemon
-  # N.B.: should be able to remove gnupg/ssh from {native}buildInputs when upstreaming
-  gcr_4 = prev.gcr_4.overrideAttrs (upstream: {
-    # fixes (meson): "ERROR: Program 'gpg2 gpg' not found or not executable"
-    mesonFlags = (upstream.mesonFlags or []) ++ [
-      "-Dgpg_path=${gnupg}/bin/gpg"
-    ];
-  });
-
-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream (out for review), libgweather (out for review)
+  # 2024/08/12: upstreaming is blocked by libgweather (out for review) via evolution-data-server
  geary = prev.geary.overrideAttrs (upstream: {
    buildInputs = upstream.buildInputs ++ [
      # glib
@@ -465,27 +435,34 @@ in with final; {
    '';
  });

+  # 2024/08/12: upstreaming is blocked on gnome-user-share (apache-httpd)
+  # gnome-terminal = prev.gnome-terminal.overrideAttrs (orig: {
+  #   # fixes "meson.build:343:0: ERROR: Dependency "libpcre2-8" not found, tried pkgconfig"
+  #   buildInputs = orig.buildInputs ++ [ pcre2 ];
+  # });
+
  # 2024/05/08: fix: "meson.build:85:11: ERROR: Dependency "dbus-1" not found, tried pkgconfig".
-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
+  # 2024/08/12: upstreaming is unblocked
  gnome-online-accounts = mvToBuildInputs [ dbus ] prev.gnome-online-accounts;

-  gnome = prev.gnome.overrideScope (self: super: {
-    # 2024/05/31: upstreaming is blocked on appstream (out for review), gnome-user-share (apache-httpd, webp-pixbuf-loader), qtsvg
-    # fixes: "src/meson.build:106:0: ERROR: Program 'glib-compile-resources' not found or not executable"
-    # file-roller = mvToNativeInputs [ glib ] super.file-roller;
+  # 2024/08/12: upstreaming is blocked on apache-httpd (via mod_dnssd)
+  # fixes: meson.build:111:6: ERROR: Program 'glib-compile-schemas' not found or not executable
+  # gnome-user-share = addNativeInputs [ glib ] prev.gnome-user-share;

+  gnome = prev.gnome.overrideScope (self: super: {
    # 2024/05/31: upstreaming is blocked by a LOT: qtbase, qtsvg, webp-pixbuf-loader, libgweather, gnome-color-manager, appstream, apache-httpd, ibus
    # fixes "subprojects/gvc/meson.build:30:0: ERROR: Program 'glib-mkenums mkenums' not found or not executable"
    # gnome-control-center = mvToNativeInputs [ glib ] super.gnome-control-center;

    gnome-maps = super.gnome-maps.overrideAttrs (upstream: {
-      # 2024/05/31: upstreaming is blocked by libgweather, appstream, qtsvg (via pipewire/ffado)
+      # 2024/08/12: upstreaming is blocked by libgweather (direct dependency)
      postPatch = (upstream.postPatch or "") + ''
        # fixes: "ERROR: Program 'gjs' not found or not executable"
        substituteInPlace meson.build \
          --replace-fail "find_program('gjs')" "find_program('${gjs}/bin/gjs')"
      '';
    });
+    # 2024/08/12: upstreaming is blocked on ibus, libgweather
    # gnome-shell = super.gnome-shell.overrideAttrs (orig: {
    #   # fixes "meson.build:128:0: ERROR: Program 'gjs' not found or not executable"
    #   # does not fix "_giscanner.cpython-310-x86_64-linux-gnu.so: cannot open shared object file: No such file or directory"  (python import failure)
@@ -505,13 +482,12 @@ in with final; {
    #   # ];
    # });
    # gnome-shell = super.gnome-shell.overrideAttrs (upstream: {
-    #   # 2024/05/31: upstreaming is blocked on qtsvg, appstream, webp-pixbuf-loader, libgweather, ibus
    #   nativeBuildInputs = upstream.nativeBuildInputs ++ [
    #     gjs  # fixes "meson.build:128:0: ERROR: Program 'gjs' not found or not executable"
    #   ];
    # });
    gnome-settings-daemon = super.gnome-settings-daemon.overrideAttrs (orig: {
-      # 2024/05/31: upstreaming is blocked on qtsvg (ffado), libgweather
+      # 2024/08/11: upstreaming is blocked on libgweather
      #   gsd is required by xdg-desktop-portal-gtk
      # pkg-config solves: "plugins/power/meson.build:22:0: ERROR: Dependency lookup for glib-2.0 with method 'pkgconfig' failed: Pkg-config binary for machine build machine not found."
      # stdenv.cc fixes: "plugins/power/meson.build:60:0: ERROR: No build machine compiler for 'plugins/power/gsd-power-enums-update.c'"
@@ -530,20 +506,12 @@ in with final; {
    #   '';
    # });

-    # 2023/08/01: upstreaming is blocked on argyllcms, gnome-keyring, gnome-clocks, ibus, libavif, webp-pixbuf-loader (gnome-shell)
+    # 2024/08/12: upstreaming is blocked on gnome-shell (ibus, libgweather)
    # fixes: "gdbus-codegen not found or executable"
    # gnome-session = mvToNativeInputs [ glib ] super.gnome-session;
-    # gnome-terminal = super.gnome-terminal.overrideAttrs (orig: {
-    #   # 2023/07/31: upstreaming is blocked on argyllcms, apache-httpd, gnome-keyring, libavif, gnome-clocks, ibus, webp-pixbuf-loader
-    #   # fixes "meson.build:343:0: ERROR: Dependency "libpcre2-8" not found, tried pkgconfig"
-    #   buildInputs = orig.buildInputs ++ [ pcre2 ];
-    # });
-    # 2023/07/31: upstreaming is blocked on apache-httpd
-    # fixes: meson.build:111:6: ERROR: Program 'glib-compile-schemas' not found or not executable
-    # gnome-user-share = addNativeInputs [ glib ] super.gnome-user-share;

    # mutter = super.mutter.overrideAttrs (orig: {
-    #   # 2024/02/27: upstreaming is blocked on appstream, possibly others
+    #   # 2024/08/12: upstreaming is blocked on libgweather (via gnome-settings-daemon)
    #   # N.B.: not all of this suitable to upstreaming, as-is.
    #   # mesa and xorgserver are removed here because they *themselves* don't build for `buildPackages` (temporarily: 2023/10/26)
    #   nativeBuildInputs = lib.subtractLists [ mesa xorg.xorgserver ] orig.nativeBuildInputs;
@@ -556,15 +524,6 @@ in with final; {
    #   outputs = lib.remove "devdoc" orig.outputs;
    #   postInstall = lib.replaceStrings [ "${glib.dev}" ] [ "${buildPackages.glib.dev}" ] orig.postInstall;
    # });
-    # nautilus = (
-    #   # 2023/11/21: upstreaming is blocked on apache-httpd, webp-pixbuf-loader, qtsvg
-    #   addInputs {
-    #     # fixes: "meson.build:123:0: ERROR: Dependency "libxml-2.0" not found, tried pkgconfig"
-    #     buildInputs = [ libxml2 ];
-    #     # fixes: "meson.build:226:6: ERROR: Program 'gtk-update-icon-cache' not found or not executable"
-    #     nativeBuildInputs = [ gtk4 ];
-    #   }
-    # );
  });

  # gnome2 = prev.gnome2.overrideScope (self: super: {
@@ -576,9 +535,6 @@ in with final; {
  #   # );
  # });

-  # 2024-07-28: out for PR: <https://github.com/NixOS/nixpkgs/pull/330681>
-  hiredis = mvToBuildInputs [ openssl ] prev.hiredis;
-
  # out for PR: <https://github.com/NixOS/nixpkgs/pull/263182>
  # hspell = prev.hspell.overrideAttrs (upstream: {
  #   # build perl is needed by the Makefile,
@@ -589,7 +545,7 @@ in with final; {
  #   '';
  # });

-  # 2024/05/31: upstreaming is unblocked
+  # 2024/08/12: upstreaming is unblocked
  # hyprland = mvToNativeInputs [ hwdata ] prev.hyprland;
  # hyprland = prev.hyprland.overrideAttrs (_: {
  #   depsBuildBuild = [ pkg-config ];
@@ -599,7 +555,7 @@ in with final; {
  # "setup: line 1595: ant: command not found"
  # i2p = mvToNativeInputs [ ant gettext ] prev.i2p;

-  # 2024/05/31: upstreaming is unblocked (see `pkgs/patched/ibus`)
+  # 2024/08/12: upstreaming is unblocked (see `pkgs/patched/ibus`)
  # ibus = prev.ibus.overrideAttrs (upstream: {
  #   nativeBuildInputs = upstream.nativeBuildInputs or [] ++ [
  #     glib  # fixes: ImportError: /nix/store/fi1rsalr11xg00dqwgzbf91jpl3zwygi-gobject-introspection-aarch64-unknown-linux-gnu-1.74.0/lib/gobject-introspection/giscanner/_giscanner.cpython-310-x86_64-linux-gnu.so: cannot open shared object file: No such file or directory
@@ -610,7 +566,7 @@ in with final; {
  #   ];
  # });

-  # 2024/05/31: upstreaming is blocked on appstream, qtsvg, lua, unicode-collation, etc
+  # 2024/08/12: upstreaming is blocked on lua, lpeg, pandoc, unicode-collation, etc
  iotas = prev.iotas.overrideAttrs (_: {
    # error: "<iotas> is not allowed to refer to the following paths: <build python>"
    # disallowedReferences = [];
@@ -638,7 +594,7 @@ in with final; {
  #   nativeBuildInputs = lib.remove [ qt6.wrapQtAppsHook ] upstream.nativeBuildInputs;
  # });

-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
+  # 2024/08/12: upstreaming is unblocked
  komikku = prev.komikku.overrideAttrs (upstream: {
    # blueprint-compiler runs on the build machine, but tries to load gobject-introspection types meant for the host.
    postPatch = (upstream.postPatch or "") + ''
@@ -656,26 +612,20 @@ in with final; {
    '';
  });

+  # 2024/08/12: upstreaming is unblocked -- but is this necessary?
  # koreader = prev.koreader.overrideAttrs (upstream: {
  #   nativeBuildInputs = upstream.nativeBuildInputs ++ [
  #     autoPatchelfHook
  #   ];
  # });

-  lemoa = prev.lemoa.overrideAttrs (upstream:
+  lemoa = (prev.lemoa.override { cargo = crossCargo; }).overrideAttrs (upstream:
    let
      rustTargetPlatform = rust.toRustTarget stdenv.hostPlatform;
    in {
-      # nixpkgs sets CARGO_BUILD_TARGET to the build platform target, so correct that.
-      buildPhase = ''
-        runHook preBuild
-
+      preBuild = ''
        mkdir -p target/release
        ln -s ../${rustTargetPlatform}/release/lemoa target/release/lemoa
-
-        ${rust.envVars.setEnv} "CARGO_BUILD_TARGET=${rustTargetPlatform}" ninja -j$NIX_BUILD_CORES
-
-        runHook postBuild
      '';
    }
  );
@@ -711,23 +661,7 @@ in with final; {
  #   '';
  # });

-  # 2024/05/31: upstreaming is blocked on appstream
-  # libpanel = prev.libpanel.overrideAttrs (upstream: {
-  #   doCheck = false;
-  #   # depsBuildBuild = (upstream.depsBuildBuild or []) ++ [
-  #   #   # fixes "Build-time dependency gi-docgen found: NO (tried pkgconfig and cmake)"
-  #   #   pkg-config
-  #   # ];
-  #   nativeBuildInputs = upstream.nativeBuildInputs ++ [
-  #     buildPackages.gtk4  # fixes "ERROR: Program 'gtk-update-icon-cache' not found or not executable"
-  #   ];
-  #   # it can't figure out where gi-docgen lives
-  #   mesonFlags = (upstream.mesonFlags or []) ++ [
-  #     "-Ddocs=disabled"
-  #   ];
-  #   outputs = lib.remove "devdoc" upstream.outputs;
-  # });
-
+  # 2024/08/12: upstreaming is unblocked
  libpeas2 = prev.libpeas2.overrideAttrs (upstream: {
    mesonFlags = upstream.mesonFlags ++ [
      "-Dlua51=false"  #< fails to find lua (probably it incorrectly checks the build machine)
@@ -747,33 +681,7 @@ in with final; {
  #   callPackage = self.newScope { inherit (self) qtCompatVersion qtModule srcs; inherit stdenv; };
  # });

-  # 2024/05/31: better fix is to use CMAKE_CROSSCOMPILING_EMULATOR
-  # - <https://github.com/uninsane/nixpkgs/pull/new/pr-libphonenumber-cross>
-  # libphonenumber = prev.libphonenumber.overrideAttrs (upstream: {
-  #   # fix that phone number geolocation binary doesn't cross compile.
-  #   # it's CMAKE, and a google project, so the fix to cross compile is unlikely to *ever* make it upstream.
-  #   # see: <https://github.com/google/libphonenumber/pull/2604>
-  #   #
-  #   # the main (only?) user of this library is evolution-data-server,
-  #   # which is consumed by gnome-calender, calls, planify.
-  #   # maybe i can purge EDS from my system somehow.
-  #   # - geary: package doesn't even have EDS as an input; it speaks to it over dbus.
-  #   # - calls: package has EDS as input (unused?); speaks to it over dbus.
-  #   #   - it actually needs EDS though, for its `libebook-contacts` library: <https://gnome.pages.gitlab.gnome.org/evolution-data-server/libebook-contacts/>
-  #   # - gnome-calendar: package has EDS as input (unused?); speaks to it over dbus.
-  #   #   - it actually needs EDS though, for its `libedataserverui4` library: <https://gnome.pages.gitlab.gnome.org/evolution-data-server/libedataserverui4/>
-  #   # - planify: package has EDS as input (unused?); speaks to it over dbus.
-  #   #   - it actually needs EDS though, for its `libecal` library: <https://gnome.pages.gitlab.gnome.org/evolution-data-server/libecal/>
-  #   #   - it could be using evolution-data-server-gtk4 instead of EDS gtk3 though
-  #   #
-  #   # or build EDS with  `-DWITH_PHONENUMBER=OFF`
-  #   cmakeFlags = (upstream.cmakeFlags or []) ++ [
-  #     "-DPROTOC_BIN=${lib.getExe buildPackages.protobuf}"
-  #     "-DBUILD_GEOCODER=OFF"
-  #   ];
-  # });
-
-  # 2024/05/31: upstreaming blocked on qtsvg, libgweather, appstream, glycin-loaders
+  # 2024/08/12: upstreaming blocked on libgweather
  loupe = prev.loupe.overrideAttrs (upstream: {
    postPatch = (upstream.postPatch or "") + ''
      substituteInPlace src/meson.build \
@@ -782,7 +690,7 @@ in with final; {
    '';
  });

-  # 2024/05/31: upstreaming blocked on qtsvg, appstream, maybe others
+  # 2024/08/12: upstreaming is unblocked
  mepo = (prev.mepo.override {
    # nixpkgs mepo correctly puts `zig_0_12.hook` in nativeBuildInputs,
    # but for some reason that tries to use the host zig instead of the build zig.
@@ -818,6 +726,16 @@ in with final; {
    zigBuildFlags = [ "-Dtarget=aarch64-linux-gnu" ];
  });

+  # nautilus = (
+  #   # 2024/08/12: upstreaming is blocked on apache-httpd (via gnome-user-share)
+  #   addInputs {
+  #     # fixes: "meson.build:123:0: ERROR: Dependency "libxml-2.0" not found, tried pkgconfig"
+  #     buildInputs = [ libxml2 ];
+  #     # fixes: "meson.build:226:6: ERROR: Program 'gtk-update-icon-cache' not found or not executable"
+  #     nativeBuildInputs = [ gtk4 ];
+  #   }
+  # );
+
  # fixes: "ar: command not found"
  # `ar` is provided by bintools
  # 2024/05/31: upstreaming is unblocked by deps; but turns out to not be this simple
@@ -864,6 +782,7 @@ in with final; {
  # 2023/07/31: upstreaming is blocked on vpnc cross compilation
  # networkmanager-vpnc = mvToNativeInputs [ glib ] prev.networkmanager-vpnc;

+  # 2024/08/12: upstreaming is unblocked
  newsflash = (prev.newsflash.override {
    blueprint-compiler = buildPackages.writeShellScriptBin "blueprint-compiler" ''
      export GI_TYPELIB_PATH=${typelibPath [
@@ -880,6 +799,7 @@ in with final; {
      ]}
      exec ${lib.getExe buildPackages.blueprint-compiler} "$@"
    '';
+    cargo = crossCargo;  #< fixes openssl not being able to find its library
  }).overrideAttrs (upstream: {
    postPatch = (upstream.postPatch or "") + ''
      substituteInPlace src/meson.build --replace-fail \
@@ -899,16 +819,6 @@ in with final; {
      glib-compile-resources --sourcedir=data/resources --target=appdata.gresource data/resources/appdata.gresource.xml
    '';

-    # nixpkgs sets CARGO_BUILD_TARGET to the build platform target, so correct that.
-    # fixes openssl not being able to find its library
-    buildPhase = ''
-      runHook preBuild
-
-      ${rust.envVars.setEnv} "CARGO_BUILD_TARGET=${rust.toRustTarget stdenv.hostPlatform}" ninja -j$NIX_BUILD_CORES
-
-      runHook postBuild
-    '';
-
    env = let
      inherit buildPackages stdenv rust;
      ccForBuild = "${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc";
@@ -1003,7 +913,7 @@ in with final; {
  # });

  pantheon = prev.pantheon.overrideScope (self: super: {
-    # 2024/06/13: upstreaming is blocked by qtsvg/ffado
+    # 2024/08/11: upstreaming is unblocked
    switchboard-plug-network = super.switchboard-plug-network.overrideAttrs (upstream: {
      nativeBuildInputs = upstream.nativeBuildInputs ++ [
        buildPackages.gettext  # <for msgfmt
@@ -1027,8 +937,9 @@ in with final; {
  });

  # fixes (meson) "Program 'glib-mkenums mkenums' not found or not executable"
-  # 2024/05/31: upstreaming is blocked on appstream, libgweather, qtsvg
+  # 2024/08/12: upstreaming is unblocked
  # phoc = mvToNativeInputs [ wayland-scanner glib ] prev.phoc;
+  # 2024/08/12: upstreaming is blocked on gnome-control-center, evolution-data-server, , ibus, libgweather, gnom-user-share, others
  # phosh = prev.phosh.overrideAttrs (upstream: {
  #   buildInputs = upstream.buildInputs ++ [
  #     libadwaita  # "plugins/meson.build:41:2: ERROR: Dependency "libadwaita-1" not found, tried pkgconfig"
@@ -1055,7 +966,9 @@ in with final; {
  # } prev.phosh-mobile-settings;

  # 2024/05/31: upstreaming is blocked on qtsvg, appstream
-  pwvucontrol = prev.pwvucontrol.overrideAttrs (upstream:
+  pwvucontrol = (prev.pwvucontrol.override {
+    cargo = crossCargo;
+  }).overrideAttrs (upstream:
  let
    rustTargetPlatform = rust.toRustTarget stdenv.hostPlatform;
  in {
@@ -1064,21 +977,8 @@ in with final; {
        "'src' / rust_target" \
        "'src' / '${rustTargetPlatform}' / rust_target"
    '';
-    # nixpkgs sets CARGO_BUILD_TARGET to the build platform target, so correct that.
-    buildPhase = ''
-      runHook preBuild
-
-      ${rust.envVars.setEnv} "CARGO_BUILD_TARGET=${rustTargetPlatform}" ninja -j$NIX_BUILD_CORES
-
-      runHook postBuild
-    '';
  });

-  # libsForQt5 = prev.libsForQt5.overrideScope (self: super: {
-  #   inherit stdenv;
-  #   inherit (self.stdenv) mkderivation;
-  # });
-
  # qt6 = prev.qt6.overrideScope (self: super: {
  #   # qtbase = super.qtbase.overrideAttrs (upstream: {
  #   #   # cmakeFlags = upstream.cmakeFlags ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
@@ -1180,7 +1080,7 @@ in with final; {
  #   };
  # });

-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
+  # 2024/08/12: upstreaming is unblocked
  snapshot = prev.snapshot.overrideAttrs (upstream: {
    # fixes "error: linker `cc` not found"
    postPatch = (upstream.postPatch or "") + ''
@@ -1190,41 +1090,29 @@ in with final; {
    '';
  });

-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
-  spot = prev.spot.overrideAttrs (upstream:
-    let
-      rustTargetPlatform = rust.toRustTarget stdenv.hostPlatform;
-    in {
-      # blueprint-compiler runs on the build machine, but tries to load gobject-introspection types meant for the host.
-      postPatch = (upstream.postPatch or "") + ''
-        substituteInPlace src/meson.build \
-          --replace-fail \
-            "find_program('blueprint-compiler')" \
-            "'env', 'GI_TYPELIB_PATH=${typelibPath [
-              buildPackages.gdk-pixbuf
-              buildPackages.glib
-              buildPackages.graphene
-              buildPackages.gtk4
-              buildPackages.harfbuzz
-              buildPackages.libadwaita
-              buildPackages.pango
-            ]}', find_program('blueprint-compiler')" \
-          --replace-fail \
-            "meson.project_build_root() / cargo_output" \
-            "meson.project_build_root() / 'src' / '${rust.envVars.rustHostPlatformSpec}' / rust_target / meson.project_name()"
-      '';
-      # nixpkgs sets CARGO_BUILD_TARGET to the build platform target, so correct that.
-      buildPhase = ''
-        runHook preBuild
+  # 2024/08/12: upstreaming is unblocked
+  spot = (prev.spot.override { cargo = crossCargo; }).overrideAttrs (upstream: {
+    # blueprint-compiler runs on the build machine, but tries to load gobject-introspection types meant for the host.
+    postPatch = (upstream.postPatch or "") + ''
+      substituteInPlace src/meson.build \
+        --replace-fail \
+          "find_program('blueprint-compiler')" \
+          "'env', 'GI_TYPELIB_PATH=${typelibPath [
+            buildPackages.gdk-pixbuf
+            buildPackages.glib
+            buildPackages.graphene
+            buildPackages.gtk4
+            buildPackages.harfbuzz
+            buildPackages.libadwaita
+            buildPackages.pango
+          ]}', find_program('blueprint-compiler')" \
+        --replace-fail \
+          "meson.project_build_root() / cargo_output" \
+          "meson.project_build_root() / 'src' / '${rust.envVars.rustHostPlatformSpec}' / rust_target / meson.project_name()"
+    '';
+  });

-        ${rust.envVars.setEnv} "CARGO_BUILD_TARGET=${rustTargetPlatform}" ninja -j$NIX_BUILD_CORES
-
-        runHook postBuild
-      '';
-    }
-  );
-
-  # 2024/05/31: upstreaming is unblocked
+  # 2024/08/12: upstreaming is unblocked
  # squeekboard = prev.squeekboard.overrideAttrs (upstream: {
  #   # fixes: "meson.build:1:0: ERROR: 'rust' compiler binary not defined in cross or native file"
  #   # new error: "meson.build:1:0: ERROR: Rust compiler rustc --target aarch64-unknown-linux-gnu -C linker=aarch64-unknown-linux-gnu-gcc can not compile programs."
@@ -1268,15 +1156,7 @@ in with final; {
  #   ];
  # });

-  starship = prev.starship.overrideAttrs (base: {
-    # fix that shell completion installation wants to run host starship
-    postInstall = lib.replaceStrings
-      [ "$out/bin/starship" ]
-      [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/starship" ]
-      base.postInstall;
-  });
-
-  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
+  # 2024/08/12: upstreaming is unblocked
  tangram = prev.tangram.overrideAttrs (upstream: {
    # blueprint-compiler runs on the build machine, but tries to load gobject-introspection types meant for the host.
    # additionally, gsjpack has a shebang for the host gjs. patchShebangs --build doesn't fix that: just manually specify the build gjs
@@ -1313,13 +1193,13 @@ in with final; {
  #   });
  # };

-  # 2024/05/31: upstreaming is blocked on hdf5, thrift, others
+  # 2024/08/12: upstreaming is blocked on arrow-cpp, python-pyarrow, python-contourpy, python-matplotlib, python-hypy, etc
  # visidata = prev.visidata.override {
  #   # hdf5 / h5py don't cross-compile, but i don't use that file format anyway.
  #   # setting this to null means visidata will work as normal but not be able to load hdf files.
  #   h5py = null;
  # };
-  # 2024/05/31: upstreaming is blocked on qtsvg, qtx11extras
+  # 2024/08/12: upstreaming is blocked on qtsvg, qtx11extras, samba
  # vlc = prev.vlc.overrideAttrs (orig: {
  #   # fixes: "configure: error: could not find the LUA byte compiler"
  #   # fixes: "configure: error: protoc compiler needed for chromecast was not found"
@@ -1332,11 +1212,11 @@ in with final; {
  # });

  # fixes "perl: command not found"
-  # 2024/05/31: upstreaming is unblocked, but requires alternative fix
+  # 2024/08/12: upstreaming is unblocked, but requires alternative fix
  # - i think the build script tries to run the generated binary?
  # vpnc = mvToNativeInputs [ perl ] prev.vpnc;

-  # 2024/05/31: upstreaming is blocked on appstream
+  # 2024/08/12: upstreaming is blocked on flatpak
  xdg-desktop-portal = prev.xdg-desktop-portal.overrideAttrs (upstream: {
    nativeBuildInputs = upstream.nativeBuildInputs ++ [
      # fixes "meson.build:117:8: ERROR: Program 'bwrap' not found or not executable"
@@ -1348,13 +1228,10 @@ in with final; {
      "-Dpytest=disabled"
    ];
  });
-  # fixes "No package 'xdg-desktop-portal' found"
-  # 2023/12/08: upstreaming is blocked on argyllcms, flatpak, qtsvg (via pipewire/ffado)
-  xdg-desktop-portal-gtk = mvToBuildInputs [ xdg-desktop-portal ] prev.xdg-desktop-portal-gtk;

  # fixes: "data/meson.build:33:5: ERROR: Program 'msgfmt' not found or not executable"
  # fixes: "src/meson.build:25:0: ERROR: Program 'gdbus-codegen' not found or not executable"
-  # 2023/07/27: upstreaming is blocked on p11-kit cross compilation
+  # 2024/08/12: upstreaming is blocked on xdg-desktop-portal
  # xdg-desktop-portal-gnome = (
  #   addNativeInputs [ wayland-scanner ] (
  #     mvToNativeInputs [ gettext glib ] prev.xdg-desktop-portal-gnome
@@ -1369,7 +1246,7 @@ in with final; {
    libjxl = webp-pixbuf-loader;
  };

-  # 2024/02/27: upstreaming is blocked on hyprland
+  # 2024/08/12: upstreaming is blocked on hyprland
  # waybar = (prev.waybar.override {
  #   runTests = false;  #< upstream expects `catch2_3` as a runtime requirement
  #   hyprlandSupport = false;  # doesn't cross compile
@@ -1396,17 +1273,6 @@ in with final; {
  #   strictDeps = true;
  # });

-  # 2024/05/31: upstreaming is unblocked
-  # implemented: <https://github.com/NixOS/nixpkgs/pull/315119>
-  webp-pixbuf-loader = prev.webp-pixbuf-loader.overrideAttrs (upstream: {
-    # fixes: "Builder called die: Cannot wrap '/nix/store/kpp8qhzdjqgvw73llka5gpnsj0l4jlg8-gdk-pixbuf-aarch64-unknown-linux-gnu-2.42.10/bin/gdk-pixbuf-thumbnailer' because it is not an executable file"
-    # gdk-pixbuf doesn't create a `bin/` directory when cross-compiling, breaks some thumbnailing stuff.
-    # - gnome's gdk-pixbuf *explicitly* doesn't build thumbnailer on cross builds
-    # see `librsvg` for a more bullet-proof cross-compilation approach
-    postInstall = "";
-  });
-  # XXX: aarch64 webp-pixbuf-loader wanted by gdk-pixbuf-loaders.cache.drv, wanted by aarch64 gnome-control-center
-
  # 2024/05/31: upstreaming is blocked by qtsvg, appstream
  wike = prev.wike.overrideAttrs (upstream: {
    # error: "<wike> is not allowed to refer to the following paths: <build python>"
@@ -1417,19 +1283,7 @@ in with final; {
    '';
  });

-  # wrapFirefox = prev.wrapFirefox.override {
-  #   buildPackages = buildPackages // {
-  #     # fixes "extract-binary-wrapper-cmd: line 2: strings: command not found"
-  #     # ^- in the `nix log` output of cross-compiled `firefox` (it's non-fatal)
-  #     makeBinaryWrapper = bpkgs.makeBinaryWrapper.overrideAttrs (upstream: {
-  #       passthru.extractCmd = bpkgs.writeShellScript "extract-binary-wrapper-cmd" ''
-  #         ${stdenv.cc.targetPrefix}strings -dw "$1" | sed -n '/^makeCWrapper/,/^$/ p'
-  #       '';
-  #     });
-  #   };
-  # };
-
-  # 2024/05/31: upstreaming is unblocked
+  # 2024/08/12: upstreaming is unblocked
  # fixes `hostPrograms.moby.neovim` (but breaks eval of `hostPkgs.moby.neovim` :o)
  # wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
  #   # nvim wrapper has a sanity check that the plugins will load correctly.
--- a/pkgs/additional/firefox-extensions/default.nix
+++ b/pkgs/additional/firefox-extensions/default.nix
@@ -34,10 +34,7 @@ let
    extid = addon.passthru.extid;
    # merge our requirements into the derivation args
    args' = args // {
-      passthru = {
-        inherit extid;
-        original = addon;
-      } // (args.passthru or {});
+      passthru = addon.passthru // (args.passthru or {});
      nativeBuildInputs = [
        jq
        strip-nondeterminism
@@ -137,6 +134,7 @@ in (lib.makeScope newScope (self: with self; {
    browserpass-extension = callPackage ./browserpass-extension { };
    bypass-paywalls-clean = callPackage ./bypass-paywalls-clean { };
    ctrl-shift-c-should-copy = callPackage ./ctrl-shift-c-should-copy { };
+    firefox-xdg-open = callPackage ./firefox-xdg-open { };
    i-still-dont-care-about-cookies = callPackage ./i-still-dont-care-about-cookies { };
    open-in-mpv = callPackage ./open-in-mpv { };
    sidebery = callPackage ./sidebery { };
--- a/pkgs/additional/firefox-extensions/firefox-xdg-open/background.html
+++ b/pkgs/additional/firefox-extensions/firefox-xdg-open/background.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta http-equiv="X-UA-Compatible" content="ie=edge">
+  <title>Document</title>
+  <script src="background.js" type="module"></script>
+</head>
+
+<body>
+</body>
+
+</html>
+
--- a/pkgs/additional/firefox-extensions/firefox-xdg-open/background.js
+++ b/pkgs/additional/firefox-extensions/firefox-xdg-open/background.js
@@ -0,0 +1,22 @@
+//! largely copied from OpenInMPV browser extension
+
+function xdgOpen(tabId, url) {
+  const code = `
+    var link = document.createElement('a')
+    link.href='xdg-open:${url}'
+    document.body.appendChild(link)
+    link.click()`
+  console.log(code)
+  chrome.tabs.executeScript(tabId, { code })
+}
+
+[["page", "pageUrl"], ["link", "linkUrl"], ["video", "srcUrl"], ["audio", "srcUrl"]].forEach(([item, linkType]) => {
+  chrome.contextMenus.create({
+    title: "xdg-open",
+    id: `open${item}inmpv`,
+    contexts: [item],
+    onclick: (info, tab) => {
+      xdgOpen(tab.id, info[linkType]);
+    },
+  });
+});
--- a/pkgs/additional/firefox-extensions/firefox-xdg-open/default.nix
+++ b/pkgs/additional/firefox-extensions/firefox-xdg-open/default.nix
@@ -0,0 +1,47 @@
+{
+  copyDesktopItems,
+  makeDesktopItem,
+  static-nix-shell,
+  stdenvNoCC,
+  zip,
+}:
+stdenvNoCC.mkDerivation {
+  pname = "firefox-xdg-open";
+  version = "0.1";
+  src = ./.;
+
+  nativeBuildInputs = [ zip ];
+
+  buildPhase = ''
+    runHook preBuild
+    zip -j firefox.zip \
+      background.html background.js manifest.json
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    install firefox.zip $out
+    runHook postInstall
+  '';
+
+  passthru.extid = "@firefox-xdg-open";
+  passthru.systemComponent = static-nix-shell.mkBash {
+    pname = "xdg-open-scheme-handler";
+    src = ./.;
+    pkgs = [ "xdg-utils" ];
+
+    nativeBuildInputs = [
+      copyDesktopItems
+    ];
+    desktopItems = [
+      (makeDesktopItem {
+        name = "xdg-open";
+        exec = "xdg-open-scheme-handler %U";
+        desktopName = "xdg-open";
+        comment = "Decodes xdg-open:... URIs, used to force applications to open links via the system handler";
+        noDisplay = true;
+      })
+    ];
+  };
+}
--- a/pkgs/additional/firefox-extensions/firefox-xdg-open/manifest.json
+++ b/pkgs/additional/firefox-extensions/firefox-xdg-open/manifest.json
@@ -0,0 +1,19 @@
+{
+  "manifest_version": 2,
+  "browser_specific_settings": {
+    "gecko": {
+      "id": "@firefox-xdg-open"
+    }
+  },
+  "name": "Firefox XDG Open",
+  "description": "Open URIs with the system handler.",
+  "version": "0.1.0",
+  "background": {
+    "page": "background.html"
+  },
+  "permissions": [
+    "tabs",
+    "activeTab",
+    "contextMenus"
+  ]
+}
--- a/pkgs/additional/firefox-extensions/firefox-xdg-open/xdg-open-scheme-handler
+++ b/pkgs/additional/firefox-extensions/firefox-xdg-open/xdg-open-scheme-handler
@@ -0,0 +1,9 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash -p xdg-utils
+
+uris=()
+for u in "$@"; do
+  uris+=("${u/xdg-open:/}")
+done
+
+xdg-open "${uris[@]}"
--- a/pkgs/additional/libcap-with-captree/default.nix
+++ b/pkgs/additional/libcap-with-captree/default.nix
@@ -0,0 +1,22 @@
+# libcap nix package should eventually ship `captree`, but until then, patch it.
+# this is a re-implementation of an outstanding PR, but in a way that doesn't force mass-rebuilds:
+# - <https://github.com/NixOS/nixpkgs/pull/332399>
+{
+  libcap,
+  go,
+}: libcap.overrideAttrs (base: {
+  depsBuildBuild = base.depsBuildBuild ++ [ go ];
+
+  makeFlags = base.makeFlags ++ [
+    "GOLANG=yes"
+    ''GOCACHE=''${TMPDIR}/go-cache''
+    "GOARCH=${go.GOARCH}"
+    "GOOS=${go.GOOS}"
+  ];
+
+  postPatch = base.postPatch + ''
+    # disable cross compilation for artifacts which are run as part of the build
+    substituteInPlace go/Makefile \
+      --replace-fail '$(GO) run' 'GOOS= GOARCH= $(GO) run'
+  '';
+})
--- a/pkgs/additional/nixpkgs-wayland/default.nix
+++ b/pkgs/additional/nixpkgs-wayland/default.nix
@@ -7,8 +7,8 @@ let
  src = fetchFromGitHub {
    owner = "nix-community";
    repo = "nixpkgs-wayland";
-    rev = "423d21c157c2a7b384ae9c766e25759576dceb87";
-    hash = "sha256-2BAfUaRzrhHwT/JodTq++DUf/nljgoFEc5A79SS8ydU=";
+    rev = "21a4a9425b00f476c6ba656bae3da54eeb05c10a";
+    hash = "sha256-Th5U0PbID2ifs6GFn29QoIJmWMfZCIqYB/Ice1pe7pc=";
  };
  flake = import "${src}/flake.nix";
  evaluated = flake.outputs {
@@ -25,7 +25,7 @@ let
 in src.overrideAttrs (base: {
  # attributes required by update scripts
  pname = "nixpkgs-wayland";
-  version = "0-unstable-2024-08-06";
+  version = "0-unstable-2024-08-13";
  src = src;

  # passthru only nixpkgs-wayland's own packages -- not the whole nixpkgs-with-nixpkgs-wayland-as-overlay:
--- a/pkgs/additional/nixpkgs/default.nix
+++ b/pkgs/additional/nixpkgs/default.nix
@@ -27,12 +27,12 @@
 }:
 let
  lock = {
-    master.rev = "0048951e7a3eba3dce8bf6ba893390d29375c5d0";
-    master.sha256 = "sha256-NSvqhZYv0LY2eh0a3yoAvJjGlWeOLSjmPpivSnY9pXg=";
-    staging.rev = "0048951e7a3eba3dce8bf6ba893390d29375c5d0";
-    staging.sha256 = "sha256-NSvqhZYv0LY2eh0a3yoAvJjGlWeOLSjmPpivSnY9pXg=";
-    staging-next.rev = "0048951e7a3eba3dce8bf6ba893390d29375c5d0";
-    staging-next.sha256 = "sha256-NSvqhZYv0LY2eh0a3yoAvJjGlWeOLSjmPpivSnY9pXg=";
+    master.rev = "02a8f81ccbc8fee8f0be9daf1b1e56830e78382c";
+    master.sha256 = "sha256:0mcjiyp818vldkdg223bln7mwzsgdffnpgl6sg3cf5mfvh8hk0v3";
+    staging.rev = "558b07002999a26ed9bc67f372dd19f6a37b892e";
+    staging.sha256 = "sha256-xP/h4X4ms/gxugNFRxl4q0D1+RwrZA4RsI7okgVVS7E=";
+    staging-next.rev = "d353e29271bcbaab945b7c1c13208950590da9d3";
+    staging-next.sha256 = "sha256-0DdUd/mIqEe5JSWhLYQ1PHMvvrdmnYuVe7l4hWbGTm8=";
  };
  lock' = lock."${variant}";
  unpatchedSrc = fetchzip {
@@ -81,7 +81,7 @@ in
    src.overrideAttrs (base: {
      # attributes needed for update scripts
      pname = "nixpkgs";
-      version = "24.05-unstable-2024-08-09";
+      version = "0-unstable-2024-08-13";
      passthru = (base.passthru or {}) // nixpkgs // {
        src = unpatchedSrc // {
          inherit (lock') rev;
--- a/pkgs/additional/nixpkgs/list.nix
+++ b/pkgs/additional/nixpkgs/list.nix
@@ -39,19 +39,36 @@ in
    hash = "sha256-9UrJB/ijXL07H/SESquCCqI1boVoYpDcYqxD+Mx2Mwc=";
  })

+  (fetchpatch' {
+    # branch: pr-flatpak-cross
+    title = "flatpak: support cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/334324";
+    saneCommit = "0656837e8bb3aae72245145ea8b2250eadad653d";
+    hash = "sha256-etogClsQ8USoBzfx8eYXUYp+C5VQ0wJs/1LumjtE+9E=";
+    # hash = "sha256-Jo37TmzEbqZQVlFtLQ/hI1AAPXS0dnkXh58eHpuwT5M=";
+    # hash = "sha256-/N3FQ0CZ8IOxEYci2UKOG0POYuTyCTH/ZWTRyjIOlEc=";
+  })
+
+  (fetchpatch' {
+    title = "syshud: 0-unstable-2024-07-29 -> 0-unstable-2024-08-10";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/333975";
+    hash = "sha256-DMV9rnigWUGW6kcV5Ve151OEArMWroLcuoK6PdFjTHk=";
+  })
+
  (fetchpatch' {
    title = "hare-ev: 2024-07-11 -> 2024-08-06";
    prUrl = "https://github.com/NixOS/nixpkgs/pull/333378";
    hash = "sha256-3RnqId/Rk0A5YyvsixLvKyLFOiFuvlThKdT00D6hjWI=";
  })

-  (fetchpatch' {
-    # this causes a rebuild of systemd and everything above it:
-    # PR against staging is live: <https://github.com/NixOS/nixpkgs/pull/332399>
-    title = "libcap: ship the optional 'captree' component";
-    saneCommit = "30d6d5d6e86c490978b9615a9c685ffd92c81116";
-    hash = "sha256-n8EERqqegrE+4Ogl7AuXkcRW9sgQhe5xyugZJrVr19Y=";
-  })
+  # (fetchpatch' {
+  #   # this causes a rebuild of systemd and everything above it:
+  #   # PR against staging is live: <https://github.com/NixOS/nixpkgs/pull/332399>
+  #   title = "libcap: ship the optional 'captree' component";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/332399";
+  #   saneCommit = "30d6d5d6e86c490978b9615a9c685ffd92c81116";
+  #   hash = "sha256-hEcpS7r1K6yb5dcj2evbWajwIQaaSHKdLPQVg1LlCYE=";
+  # })

  (fetchpatch' {
    # merged into staging 2024-07-25
@@ -81,28 +98,20 @@ in
    # hash = "sha256-cn6ihwO3MyzdpVoJoQNKAHyo8GuGvFP6vr//7r9pzjE=";
  })

-  (fetchpatch' {
-    title = "hickory-dns: rename from trust-dns";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/316466";
-    hash = "sha256-0A43xaBrROJUAENNZNTCB8HLeECVy4n6oMwZluRNBZ8=";
-  })
-
  (fetchpatch' {
    title = "passt: support cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/334097";
    saneCommit = "3ef36d3aa139f94e8716b0721856c5808937c9f2";
-    hash = "sha256-hAaFHlJdx1GjQIJG5zxTBHm+CbmR/zlKUB9eyxPQbOg=";
+    hash = "sha256-w50SLYDgMqNAfq4bgjrd6ugxHbb0VjvHdzhuJl0lzs4=";
  })

-  # branch: wip-ffado-cross / wip-ffado-cross2
-  (fetchpatch' {
-    # TODO: send out for review (after next staging -> master merge, so that it has jtojnar's changes)
-    # - <https://github.com/NixOS/nixpkgs/pull/306407>
-    # wait until python3 is fixed on cross, also: <https://github.com/NixOS/nixpkgs/pull/325218>
-    title = "ffado: support cross compilation";
-    saneCommit = "e58b053bff32ba825dc8783c2725fcefb37a3e14";
-    hash = "sha256-YMX+99HOvMpk+hVPIe+ThixEbK8JNxiyEhqxSkASZ2Q=";
-    # saneCommit = "001fe13a735cb9c6fad80525531e863f949e1495";
-  })
+  # (fetchpatch' {
+  #   # branch: 2024-08-11-wip-ffado-cross / pr-ffado-cross-2
+  #   title = "ffado: support cross compilation";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/334096";
+  #   saneCommit = "cd316aaa667b6758d6866b356f4040343ffb6f80";
+  #   hash = "sha256-r0jKr65dRkVU/LPfgZqNJArs2XWEudsgyYXs5bJpgj4=";
+  # })

  (fetchpatch' {
    # required for gpodder to build
@@ -122,7 +131,7 @@ in
  (fetchpatch' {
    title = "libgweather: enable introspection on cross builds";
    prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
-    hash = "sha256-ovWXFX6gMXM+E9yhX7GnDOB9f2HAZSjZRwGAVLTvFC0=";
+    hash = "sha256-sFuuZpq/DlgFESJhvKj8UaZiA8JGsGpVmyx1s/0OKT8=";
  })

  # (fetchpatch' {
@@ -132,12 +141,6 @@ in
  #   hash = "sha256-Wau+PB+EUQDvWX8Kycw1sNrM3GkPVjKSS4niIDI0sjM=";
  # })

-  # (fetchpatch' {
-  #   title = "gthumb: make the webservices feature be optional";
-  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
-  #   saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
-  #   hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
-  # })
  # (fetchpatch' {
  #   # TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
  #   # this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
@@ -152,16 +155,6 @@ in
  #   hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
  # })

-  # (fetchpatch' {
-  #   title = "trust-dns: 0.23.0 -> 0.24.0";
-  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/262466";
-  #   hash = "sha256-s8ra/tbD/xAfU3HI3wv+aQ0dip1kKQcVrJvLG6DNctY=";
-  # })
-  # (fetchpatch' {
-  #   title = "trust-dns: rebrand as hickory-dns";
-  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/262268";
-  #   hash = "sha256-TxQiR+OS4YriLNViTg4H78Z3f3IjBVodiFAkOUCeNic=";
-  # })
  # (fetchpatch' {
  #   title = "rpm: 4.18.1 -> 4.19.0";
  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/260558";
@@ -217,12 +210,6 @@ in
  #   hash = "sha256-rD0es4uUbaLMrI9ZB2HzPmRLyu/ixNBLAFyDJtFHNko=";
  # })

-  # (fetchpatch' {
-  #   # 2023/11/14: deps don't cross compile (e.g. pipewire; qtsvg)
-  #   title = "clapper: support cross compilation";
-  #   saneCommit = "8a171b49aca406f8220f016e56964b3fae53a3df";
-  #   hash = "sha256-R11IYatGhSXxZnJxJid519Oc9Kh56D9NT2/cxf2CLuM=";
-  # })
  # these probably work, but i don't use them
  # (fetchpatch' {
  #   title = "networkmanager-openvpn: support cross compilation";
--- a/pkgs/additional/sane-scripts/src/sane-stop-all-servo
+++ b/pkgs/additional/sane-scripts/src/sane-stop-all-servo
@@ -9,6 +9,11 @@ systemctl stop \
  ejabberd \
  gitea \
  goaccess \
+  hickory-dns-doof \
+  hickory-dns-hn \
+  hickory-dns-hn-resolver \
+  hickory-dns-lan \
+  hickory-dns-wan \
  i2p \
  jackett \
  jellyfin \
@@ -38,11 +43,6 @@ systemctl stop \
  systemctl \
  tor \
  transmission \
-  trust-dns-doof \
-  trust-dns-hn \
-  trust-dns-hn-resolver \
-  trust-dns-lan \
-  trust-dns-wan \
  wireguard-wg-ovpns \
  ntfy-waiter-0 \
  ntfy-waiter-1 \
--- a/pkgs/additional/sane-scripts/src/sane-tag-media
+++ b/pkgs/additional/sane-scripts/src/sane-tag-media
@@ -730,7 +730,49 @@ class TagFieldNames:
    tracknumber = "tracknumber"

 class MediaFile:
-    def __init__(self, path_: str, meta: MetadataImpl, tag_field_names: TagFieldNames):
+    def __init__(self, path_: str):
+        path_ = os.path.normpath(path_)  #< transform "./artist/album/file" -> "artist/album/file", so that path-based parsing doesn't have to care
+        ext = os.path.splitext(path_)[1][1:].lower()
+        tag_field_names = TagFieldNames()
+        meta = None
+
+        if ext == "aac":
+            tag_field_names.producer = "grouping"
+            meta = MutagenMetadata.new(path_, mutagen.easyid3.EasyID3)
+        elif ext == "flac":
+            meta = MutagenMetadata.new(path_, mutagen.flac.Open)
+        elif ext == "mp3":
+            tag_field_names.producer = "grouping"
+            meta = MutagenMetadata.new(path_, mutagen.mp3.EasyMP3)
+        elif ext in [ "m4a", "mp4" ]:
+            tag_field_names.producer = "grouping"
+            meta = MutagenMetadata.new(path_, mutagen.easymp4.EasyMP4)
+        elif ext in "ogg":
+            meta = MutagenMetadata.new(path_, mutagen.oggvorbis.OggVorbis) \
+                or MutagenMetadata.new(path_, mutagen.oggopus.OggOpus)
+        elif ext == "opus":
+            meta = MutagenMetadata.new(path_, mutagen.oggopus.OggOpus)
+        elif ext in [ "gif", "pdf" ]:
+            tag_field_names.album = "XMP:Album"
+            tag_field_names.albumartist = "XMP:Author"
+            tag_field_names.artist = "Artist"
+            tag_field_names.producer = "XMP:Producer"
+            tag_field_names.title = "Title"
+            meta = ExiftoolMetadata.new(path_)
+        elif ext in [ "jpg", "jpeg", "png" ]:
+            tag_field_names.album = "XMP:Album"
+            tag_field_names.artist = "Photographer"
+            tag_field_names.albumartist = "Artist"
+            tag_field_names.producer = "XMP:Producer"
+            tag_field_names.title = "Title"
+            tag_field_names.tracknumber = "ImageNumber"
+            meta = ExiftoolMetadata.new(path_)
+        else:
+            logger.debug(f"no metadata handler for {path_}")
+
+        if meta is None:
+            meta = InMemoryMetadata(path_)
+
        self.path_ = path_
        self.meta = meta
        self.tag_field_names = tag_field_names
@@ -742,52 +784,6 @@ class MediaFile:
    def ext(self):
        return os.path.splitext(self.path_)[1][1:].lower()

-    @staticmethod
-    def new(f: str) -> 'MediaFile':
-        f = os.path.normpath(f)  #< transform "./artist/album/file" -> "artist/album/file", so that path-based parsing doesn't have to care
-        ext = os.path.splitext(f)[1][1:].lower()
-        tag_field_names = TagFieldNames()
-        meta = None
-
-        if ext == "aac":
-            tag_field_names.producer = "grouping"
-            meta = MutagenMetadata.new(f, mutagen.easyid3.EasyID3)
-        elif ext == "flac":
-            meta = MutagenMetadata.new(f, mutagen.flac.Open)
-        elif ext == "mp3":
-            tag_field_names.producer = "grouping"
-            meta = MutagenMetadata.new(f, mutagen.mp3.EasyMP3)
-        elif ext in [ "m4a", "mp4" ]:
-            tag_field_names.producer = "grouping"
-            meta = MutagenMetadata.new(f, mutagen.easymp4.EasyMP4)
-        elif ext in "ogg":
-            meta = MutagenMetadata.new(f, mutagen.oggvorbis.OggVorbis) \
-                or MutagenMetadata.new(f, mutagen.oggopus.OggOpus)
-        elif ext == "opus":
-            meta = MutagenMetadata.new(f, mutagen.oggopus.OggOpus)
-        elif ext in [ "gif", "pdf" ]:
-            tag_field_names.album = "XMP:Album"
-            tag_field_names.albumartist = "XMP:Author"
-            tag_field_names.artist = "Artist"
-            tag_field_names.producer = "XMP:Producer"
-            tag_field_names.title = "Title"
-            meta = ExiftoolMetadata.new(f)
-        elif ext in [ "jpg", "jpeg", "png" ]:
-            tag_field_names.album = "XMP:Album"
-            tag_field_names.artist = "Photographer"
-            tag_field_names.albumartist = "Artist"
-            tag_field_names.producer = "XMP:Producer"
-            tag_field_names.title = "Title"
-            tag_field_names.tracknumber = "ImageNumber"
-            meta = ExiftoolMetadata.new(f)
-        else:
-            logger.debug(f"no metadata handler for {f}")
-
-        if meta is None:
-            meta = InMemoryMetadata(f)
-
-        return MediaFile(f, meta, tag_field_names)
-
    def is_type(self, ty: MediaType) -> bool:
        is_audio = self.ext in AUDIO_EXTENSIONS
        is_image = self.ext in IMAGE_EXTENSIONS
@@ -855,7 +851,7 @@ class TagsProvider:
        if not isinstance(file_, MediaFileWithNeighbors):
            return my_derived_tags

-        neighbor_tags = file_.neighbor_tags
+        neighbor_tags = getattr(file_, "neighbor_tags", Tags())
        if self.override_existing:
            # our derived tags overrule anything generalized from our neighbors
            return my_derived_tags.or_(neighbor_tags)
@@ -982,7 +978,7 @@ class Gatherer:
        """
        if not os.path.isdir(root):
            # single file
-            file_ = MediaFileWithNeighbors.new(root)
+            file_ = MediaFileWithNeighbors(root)
            return self.tags_provider.on_disk(file_), [ file_ ]

        if not self.tags_provider.can_derive_from_neighbors():
--- a/pkgs/additional/sane-scripts/src/sane-vpn
+++ b/pkgs/additional/sane-scripts/src/sane-vpn
@@ -296,9 +296,9 @@ stores = {{ type = "forward", name_servers = [
 '''
    elif dir_ == ToggleDir.Down:
        text = ""
-    with open("/var/lib/trust-dns/dhcp-configs/sane-vpn.toml", "w") as f:
+    with open("/var/lib/hickory-dns/dhcp-configs/sane-vpn.toml", "w") as f:
        f.write(text)
-    subprocess.check_call([ "systemctl", "restart", "trust-dns-localhost" ])
+    subprocess.check_call([ "systemctl", "restart", "hickory-dns-localhost" ])

 def main():
    logging.basicConfig()
--- a/pkgs/additional/sops-nix/default.nix
+++ b/pkgs/additional/sops-nix/default.nix
@@ -6,8 +6,8 @@ let
  src = fetchFromGitHub {
    owner = "Mic92";
    repo = "sops-nix";
-    rev = "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9";
-    hash = "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=";
+    rev = "be0eec2d27563590194a9206f551a6f73d52fa34";
+    hash = "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=";
  };
  flake = import "${src}/flake.nix";
  evaluated = flake.outputs {
@@ -21,7 +21,7 @@ in src.overrideAttrs (base: {
  # attributes required by update scripts
  pname = "sops-nix";
  # nix-update-script insists on this weird `assets-` version format
-  version = "assets-unstable-2024-08-05";
+  version = "assets-unstable-2024-08-12";
  src = src;

  passthru = base.passthru
--- a/pkgs/additional/syshud/default.nix
+++ b/pkgs/additional/syshud/default.nix
@@ -9,13 +9,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
  pname = "syshud";
-  version = "0-unstable-2024-08-03";
+  version = "0-unstable-2024-08-10";

  src = fetchFromGitHub {
    owner = "System64fumo";
    repo = "syshud";
-    rev = "ea0b6a52e110d18783a418013c1be82ff32709a7";
-    hash = "sha256-MLVjdPcnSHCxQ9KbmM1V/jnmh7NrzZZAg13D3a240Q0=";
+    rev = "c7165dc7e28752b49be4ca81ab5db35019d6fcd0";
+    hash = "sha256-P8NgWooRMFl1iuFKQlWDJwMlZ/CIwvf2ctkqvRXt6SA=";
  };
  postPatch = ''
    substituteInPlace Makefile \
--- a/pkgs/additional/uassets/default.nix
+++ b/pkgs/additional/uassets/default.nix
@@ -5,12 +5,12 @@
 }:
 stdenv.mkDerivation {
  pname = "uassets";
-  version = "0-unstable-2024-08-09";
+  version = "0-unstable-2024-08-13";
  src = fetchFromGitHub {
    owner = "uBlockOrigin";
    repo = "uAssets";
-    rev = "bc41ce0623aedbdbbca0197efbc1b89ee4c7c546";
-    hash = "sha256-wF99LsD0KHO6TXTN2SrW3RsagWoP9vAuYN291CNjGqQ=";
+    rev = "dbd7c4dd0cd3840cc1705f6707d05d6ce10a1870";
+    hash = "sha256-XMXorzdbHv504I+u+2QWXk2YyykdlDGx8GK3meIkI0s=";
  };

  dontBuild = true;
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -52,6 +52,7 @@ let
    lemoa = callPackage ./additional/lemoa { };
    lemmy-lemonade = callPackage ./additional/lemonade { };  # XXX: nixpkgs already has a `lemonade` pkg
    lgtrombetta-compass = callPackage ./additional/lgtrombetta-compass { };
+    libcap-with-captree = callPackage ./additional/libcap-with-captree { };
    libdng = callPackage ./additional/libdng { };
    libfuse-sane = callPackage ./additional/libfuse-sane { };
    libmegapixels = callPackage ./additional/libmegapixels { };
--- a/scripts/deploy
+++ b/scripts/deploy
@@ -8,7 +8,9 @@ usage() {
  echo ""
  echo "usage: deploy [options] [host] [host2 ...]"
  echo "options:"
-  echo "- --action copy|switch|test   (default: 'switch')"
+  echo "- --copy: only build + copy files, nothing more"
+  echo "- --switch  (default)"
+  echo "- --test: switch to the new configuration, but do not make it bootable"
  echo "- --dry-run: show what would be done without actually doing it"
  echo "- --pre: alias for --action copy --variant all all"
  echo "- --reboot: reboot the target machine after deploying (if deployed with no errors)"
@@ -57,9 +59,8 @@ parseArgs() {
    local arg=$1
    shift
    case "$arg" in
-      (--action)
-        action=$1
-        shift
+      (--copy|--switch|--test)
+        action=${arg/--/}
        ;;
      (--dry-run)
        dryRun=1
Author	SHA1	Message	Date
Colin	d2f3a066fb	WIP: make-sandboxed: handle /opt-style packaging, with toplevels linked into /bin, a bit better	2024-08-15 03:05:49 +00:00
Colin	50b1d82b38	nixpkgs: fix hashes	2024-08-14 23:20:31 +00:00
Colin	60a4eb0bde	gnome-calls: associate with tel:, sip:, sips: URIs	2024-08-14 08:27:27 +00:00
Colin	a96e83f4e1	doc: gnome-calls: document some UI elements	2024-08-14 07:53:47 +00:00
Colin	0d685f406e	uassets: 2024-08-09 -> 2024-08-13	2024-08-13 22:02:37 +00:00
Colin	a16e33d7a6	sops-nix: 2024-08-05 -> 2024-08-12	2024-08-13 22:02:27 +00:00
Colin	f38d351869	syshud: 2024-08-03 -> 2024-08-10	2024-08-13 22:01:57 +00:00
Colin	e245164da3	nixpkgs-wayland: 2024-08-12 -> 2024-08-13	2024-08-13 22:01:31 +00:00
Colin	7df8f45e97	nixpkgs: 2024-08-12 -> 2024-08-13	2024-08-13 22:00:49 +00:00
Colin	e1ba371838	cross: flatpak: fix via nixpkgs patch instead of overlay	2024-08-13 07:20:24 +00:00
Colin	467283989f	todo.md: fix Epiphany to persist cookies	2024-08-13 03:41:08 +00:00
Colin	db39dc209f	xdg-desktop-portal-gnome: sandbox	2024-08-13 03:34:09 +00:00
Colin	7cf860a071	nixpkgs: update passt hash	2024-08-13 03:33:48 +00:00
Colin	77a753b0d6	gnome-maps: todo: better portal integration	2024-08-13 02:50:59 +00:00
Colin	e2a4f4d63e	todo.md: newsflash and gnome-maps bugs to tackle	2024-08-13 02:48:08 +00:00
Colin	31fc072bce	nixpkgs-overlays: try to be a little more pure	2024-08-12 21:56:30 +00:00
Colin	144afd8171	sway: fix wlroots drmSync bug via upstream patch	2024-08-12 21:52:44 +00:00
Colin	7d97355d2a	overlays/cross: remove no-longer-necessary overrides	2024-08-12 21:20:16 +00:00
Colin	7827f6c584	sway: note that the activation patch is still necessary	2024-08-12 18:28:16 +00:00
Colin	e1899495a0	nixpkgs-wayland: 0-unstable-2024-08-06 -> 0-unstable-2024-08-12	2024-08-12 18:05:32 +00:00
Colin	a56ad56a4f	refactor: move ~/.cache/nix persistence to hosts/common/programs/nix.nix	2024-08-12 16:06:26 +00:00
Colin	da551b8b97	geary: grant access to more files	2024-08-12 16:04:20 +00:00
Colin	ca412d08bd	nautilus: grant access to more files	2024-08-12 16:04:11 +00:00
Colin	e7a1bb6ec0	nixpkgs: 2024-08-11 -> 2024-08-12	2024-08-12 10:30:04 +00:00
Colin	74acfeadd5	programs/assorted: clarify `sandbox.enable = false` situation	2024-08-12 10:27:41 +00:00
Colin	e7d5a61014	libcap: split into separate `capsh` and `captree` programs, and sandbox the latter	2024-08-12 10:13:50 +00:00
Colin	6f47708624	nixpkgs patches: send a few upstream; dont apply ffado patch here because my system doesnt use it	2024-08-12 10:10:06 +00:00
Colin	fc826a3503	libcap: patch in captree locally rather than via a nixpkgs patch that would force mass rebuilds	2024-08-12 09:39:43 +00:00
Colin	ccb2b7b8b6	nixpkgs: update libcap patch to grab from the PR	2024-08-12 09:18:50 +00:00
Colin	78169d50f2	overlays/cross: remove upstreamed patches; simplify rust things	2024-08-12 09:14:42 +00:00
Colin	33a7d3536d	nixpkgs: update patches	2024-08-12 09:14:00 +00:00
Colin	7899c8d033	syshud: 0-unstable-2024-07-29 -> 0-unstable-2024-08-10	2024-08-12 02:37:03 +00:00
Colin	82b662a733	nixpkgs: remove dead (upstreamed) patches	2024-08-12 02:13:07 +00:00
Colin	d4290588bf	rename: trust-dns -> hickory-dns	2024-08-12 01:23:39 +00:00
Colin	bd97fb9ec9	nixpkgs: 24.05-unstable-2024-08-09 -> 24.05-unstable-2024-08-11	2024-08-12 01:08:03 +00:00
Colin	4dbff9c18f	scripts/deploy: shorten "--action copy" to just "--copy"	2024-08-12 01:07:50 +00:00
Colin	bfe278c17a	feeds: subscribe to Weird Little Guys	2024-08-12 00:35:34 +00:00
Colin	295e07d535	sane-tag-media: fix lingering crashes around `--derive` behavior	2024-08-12 00:13:42 +00:00
Colin	d39459d8b5	NetworkManager: tighten the systemd sandboxing	2024-08-11 22:54:47 +00:00
Colin	4d5e60756b	modemmanager: make its capabilities more obvious	2024-08-11 22:54:41 +00:00
Colin	119afcf393	firefox: remove open-in-mpv (obsoleted by firefox-xdg-open)	2024-08-11 22:37:12 +00:00
Colin	d3d970eb3e	firefox: dont require approval to open xdg-open: URIs	2024-08-11 22:32:26 +00:00
Colin	c0d5004926	firefox: add a right-click context menu to open any URI with the system handler it still prompts the user to allow it, but i'll fix that later i guess	2024-08-11 22:26:23 +00:00