u-boot-pinephone-pro: tune UART & memory addresses

now that i'm building a size-optimized image, this WORKS

README.md

@@ -17,8 +17,6 @@ the only hard dependency for my exported pkgs/modules should be [nixpkgs][nixpkg
 building [hosts/](./hosts/) will require [sops][sops].
 
 you might specifically be interested in these files (elaborated further in #key-points-of-interest):
-- ~~[`sxmo-utils`](./pkgs/additional/sxmo-utils/default.nix)~~
-  - these files will remain until my config settles down, but i no longer use or maintain SXMO.
 - [my implementation of impermanence](./modules/persist/default.nix)
 - my way of deploying dotfiles/configuring programs per-user:
   - [modules/fs/](./modules/fs/default.nix)

TODO.md

@@ -1,4 +1,6 @@
 ## BUGS
+- nmcli and networkmanager_dmenu don't have the right perms to adjust networking details
+  - i think the error is in my sandboxing of the NetworkManager service
 - `rmDbusServices` may break sandboxing
   - e.g. if the package ships a systemd unit which references $out, then make-sandboxed won't properly update that unit.
   - `rmDbusServicesInPlace` is not affected
@@ -10,19 +12,19 @@
 - hickory-dns can't resolve `pe.usps.com`
 - hickory-dns can't resolve `social.seattle.wa.us`
 - hickory-dns can't resolve `support.mozilla.org`
-- sandbox: link cache means that if i update ~/.config/... files inline, sandboxed programs still see the old version
+- hickory-dns can't resolve `shows.acast.com`
 - mpv: continues to play past the end of some audio files
 - mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed
 - `ssh` access doesn't grant same linux capabilities as login
 - syshud (volume overlay): when casting with `blast`, syshud doesn't react to volume changes
 - moby: after bringing the modem up, powering it down loses *complete* net connectivity (i.e. wlan is gone as well)
 - dissent: if i launch it without net connectivity, it gets stuck at the login, and never tries again
-- calls: seems that it starts before net access, and then is forever disconnected (until i manually restart it)
 - moby: kaslr is effectively disabled
   - `dmesg | grep "KASLR disabled due to lack of seed"`
   - fix by adding `kaslrseed` to uboot script before `booti`
     - <https://github.com/armbian/build/pull/4352>
     - not sure how that's supposed to work with tow-boot; maybe i should just update tow-boot
+  - i think there's a kernel config option for early entropy also
 - moby: bpf is effectively disabled?
   - `dmesg | grep 'systemd[1]: bpf-lsm: Failed to load BPF object: No such process'`
   - `dmesg | grep 'hid_bpf: error while preloading HID BPF dispatcher: -22'`
@@ -38,6 +40,7 @@
   - works when sandbox is disabled
 
 ## REFACTORING:
+- define moby kernel via the nixpkgs options instead of `linux-armbian` package.
 - add import checks to my Python nix-shell scripts
 - consolidate ~/dev and ~/ref
   - ~/dev becomes a link to ~/ref/cat/mine
@@ -59,12 +62,10 @@
 
 #### upstreaming to non-nixpkgs repos
 - gtk: build schemas even on cross compilation: <https://github.com/NixOS/nixpkgs/pull/247844>
+- gnome-calls retry net connection when DNS is down
 
 
 ## IMPROVEMENTS:
-- kernels: ship the same kernel on every machine
-  - then i can tune the kernels for hardening, without duplicating that work 4 times
-- zfs: replace this with something which doesn't require a custom kernel build
 - mpv: add media looping controls (e.g. loop song, loop playlist)
 - curlftpfs: replace with something better
   - safer (rust? actively maintained? sandboxable?)
@@ -83,15 +84,9 @@
 - port all sane.programs to be sandboxed
   - sandbox `nix`
   - enforce that all `environment.packages` has a sandbox profile (or explicitly opts out)
-  - revisit "non-sandboxable" apps and check that i'm not actually just missing mountpoints
-    - LL_FS_RW=/ isn't enough -- need all mount points like `=/:/proc:/sys:...`.
-  - ensure non-bin package outputs are linked for sandboxed apps
-    - i.e. `outputs.man`, `outputs.debug`, `outputs.doc`, ...
   - lock down dbus calls within the sandbox
     - otherwise anyone can `systemd-run --user ...` to potentially escape a sandbox
     - <https://github.com/flatpak/xdg-dbus-proxy>
-  - port sanebox to a compiled language (hare?)
-    - it adds like 50-70ms launch time _on my laptop_. i'd hate to know how much that is on the pinephone.
 - make dconf stuff less monolithic
   - i.e. per-app dconf profiles for those which need it. possible static config.
   - flatpak/spectrum has some stuff to proxy dconf per-app
@@ -114,6 +109,7 @@
     - Folio is nice, uses standard markdown, though it only supports flat repos
   - OSK overlay specifically for mobile gaming
     - i.e. mock joysticks, for use with SuperTux and SuperTuxKart
+  - game: Hedgewar
 - install mobile-friendly games:
   - Shattered Pixel Dungeon (nixpkgs `shattered-pixel-dungeon`; doesn't cross-compile b/c openjdk/libIDL) <https://github.com/ebolalex/shattered-pixel-dungeon>
   - UnCiv (Civ V clone; nixpkgs `unciv`; doesn't cross-compile):  <https://github.com/yairm210/UnCiv>
@@ -148,7 +144,6 @@
   - e.g. self-hosted [ladder](https://github.com/everywall/ladder) (like 12ft.io)
 - RSS: have podcasts get downloaded straight into ~/Videos/...
   - and strip the ads out using Whisper transcription + asking a LLM where the ad breaks are
-- neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
 - neovim: integrate LLMs
 - Helix: make copy-to-system clipboard be the default
 - firefox/librewolf: persist history

hosts/by-name/crappy/default.nix

@@ -30,16 +30,4 @@
   # sane.programs.guiApps.enableFor.user.colin = false;
 
   # sane.programs.pcGuiApps.enableFor.user.colin = false;  #< errors!
-
-  sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
-  # sane.programs.brave.enableFor.user.colin = false;  # 2024/06/03: fails eval if enabled on cross
-  # sane.programs.firefox.enableFor.user.colin = false;  # 2024/06/03: this triggers an eval error in yarn stuff -- i'm doing IFD somewhere!!?
-  sane.programs.mepo.enableFor.user.colin = false;  # 2024/06/04: doesn't cross compile (nodejs)
-  sane.programs.mercurial.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
-  sane.programs.nixpkgs-review.enableFor.user.colin = false;  # 2024/06/03: OOMs when cross compiling
-  sane.programs.ntfy-sh.enableFor.user.colin = false;  # 2024/06/04: doesn't cross compile (nodejs)
-  sane.programs.pwvucontrol.enableFor.user.colin = false;  # 2024/06/03: doesn't cross compile (libspa-sys)
-  sane.programs."sane-scripts.bt-search".enableFor.user.colin = false;  # 2024/06/03: does not cross compile
-  sane.programs.sequoia.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
-  sane.programs.zathura.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
 }

hosts/by-name/desko/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 {
   imports = [
     ./fs.nix
@@ -39,14 +39,13 @@
   sane.programs.iphoneUtils.enableFor.user.colin = true;
   sane.programs.steam.enableFor.user.colin = true;
 
-  sane.programs.geary.config.autostart = true;
-  sane.programs.signal-desktop.config.autostart = true;
-
   sane.programs.nwg-panel.config = {
     battery = false;
     brightness = false;
   };
 
+  sane.programs.mpv.config.defaultProfile = "high-quality";
+
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   # needed to use libimobiledevice/ifuse, for iphone sync

hosts/by-name/lappy/default.nix

@@ -21,9 +21,6 @@
   sane.programs.stepmania.enableFor.user.colin = true;
   sane.programs.sway.enableFor.user.colin = true;
 
-  sane.programs.geary.config.autostart = true;
-  sane.programs.signal-desktop.config.autostart = true;
-
   sops.secrets.colin-passwd.neededForUsers = true;
 
   sane.services.rsync-net.enable = true;

hosts/by-name/moby/default.nix

@@ -6,13 +6,13 @@
 # - Mobian wiki: <https://wiki.mobian-project.org/doku.php?id=start>
 #   - recommended apps, chatrooms
 
-{ config, pkgs, lib, ... }:
+{ config, ... }:
 {
   imports = [
     ./fs.nix
   ];
 
-  sane.hal.pine64.enable = true;
+  sane.hal.pine64-pinephone-pro.enable = true;
   sane.roles.client = true;
   sane.roles.handheld = true;
   sane.services.wg-home.enable = true;
@@ -30,20 +30,17 @@
 
   sane.programs.sway.enableFor.user.colin = true;
   sane.programs.sway.config.mod = "Mod1";  #< alt key instead of Super
-  sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
-  sane.programs.fcitx5.enableFor.user.colin = false;  # does not cross compile
-  sane.programs.mercurial.enableFor.user.colin = false;  # does not cross compile
-  sane.programs.nvme-cli.enableFor.system = false;  # does not cross compile (libhugetlbfs)
 
   # enabled for easier debugging
   sane.programs.eg25-control.enableFor.user.colin = true;
   # sane.programs.rtl8723cs-wowlan.enableFor.user.colin = true;
 
+  sane.programs.eg25-manager.enableFor.user.colin = true;
+
   # sane.programs.ntfy-sh.config.autostart = true;
   sane.programs.dino.config.autostart = true;
-  sane.programs.signal-desktop.config.autostart = true;
-  # sane.programs.geary.config.autostart = true;
-  # sane.programs.calls.config.autostart = true;
+  sane.programs.signal-desktop.config.autostart = false;
+  sane.programs.geary.config.autostart = false;
 
   sane.programs.pipewire.config = {
     # tune so Dino doesn't drop audio
@@ -61,6 +58,8 @@
     max-quantum = 8192;
   };
 
+  sane.programs.mpv.config.defaultProfile = "fast";
+
   # /boot space is at a premium. default was 20.
   # even 10 can be too much
   boot.loader.generic-extlinux-compatible.configurationLimit = 8;

hosts/by-name/servo/fs.nix

@@ -1,60 +1,9 @@
-# zfs docs:
-# - <https://nixos.wiki/wiki/ZFS>
-# - <repo:nixos/nixpkgs:nixos/modules/tasks/filesystems/zfs.nix>
-#
-# zfs check health: `zpool status`
-#
-# zfs pool creation (requires `boot.supportedFilesystems = [ "zfs" ];`
-# - 1. identify disk IDs: `ls -l /dev/disk/by-id`
-# - 2. pool these disks: `zpool create -f -m legacy pool raidz ata-ST4000VN008-2DR166_WDH0VB45 ata-ST4000VN008-2DR166_WDH17616 ata-ST4000VN008-2DR166_WDH0VC8Q ata-ST4000VN008-2DR166_WDH17680`
-#   - legacy documented: <https://superuser.com/questions/790036/what-is-a-zfs-legacy-mount-point>
-# - 3. enable acl support: `zfs set acltype=posixacl pool`
-#
-# import pools: `zpool import pool`
-# show zfs datasets: `zfs list` (will be empty if haven't imported)
-# show zfs properties (e.g. compression): `zfs get all pool`
-# set zfs properties: `zfs set compression=on pool`
 { lib, pkgs, ... }:
 
 {
   # hostId: not used for anything except zfs guardrail?
   #   [hex(ord(x)) for x in 'serv']
   networking.hostId = "73657276";
-  boot.supportedFilesystems = [ "zfs" ];
-  # boot.zfs.enabled = true;
-  boot.zfs.forceImportRoot = false;
-  # scrub all zfs pools weekly:
-  services.zfs.autoScrub.enable = true;
-  boot.extraModprobeConfig = ''
-    ### zfs_arc_max tunable:
-    # ZFS likes to use half the ram for its own cache and let the kernel push everything else to swap.
-    # so, reduce its cache size
-    # see: <https://askubuntu.com/a/1290387>
-    # see: <https://serverfault.com/a/1119083>
-    # see: <https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html#zfs-arc-max>
-    # for all tunables, see: `man 4 zfs`
-    # to update these parameters without rebooting:
-    # - `echo '4294967296' | sane-sudo-redirect /sys/module/zfs/parameters/zfs_arc_max`
-    ### zfs_bclone_enabled tunable
-    # this allows `cp --reflink=always FOO BAR` to work. i.e. shallow copies.
-    # it's unstable as of 2.2.3. led to *actual* corruption in 2.2.1, but hopefully better by now.
-    # - <https://github.com/openzfs/zfs/issues/405>
-    # note that `du -h` won't *always* show the reduced size for reflink'd files (?).
-    # `zpool get all | grep clone` seems to be the way to *actually* see how much data is being deduped
-    options zfs zfs_arc_max=4294967296 zfs_bclone_enabled=1
-  '';
-  # to be able to mount the pool like this, make sure to tell zfs to NOT manage it itself.
-  # otherwise local-fs.target will FAIL and you will be dropped into a rescue shell.
-  # - `zfs set mountpoint=legacy pool`
-  # if done correctly, the pool can be mounted before this `fileSystems` entry is created:
-  # - `sudo mount -t zfs pool /mnt/persist/pool`
-  fileSystems."/mnt/pool" = {
-    device = "pool";
-    fsType = "zfs";
-    options = [ "acl" ];  #< not sure if this `acl` flag is actually necessary. it mounts without it.
-  };
-  # services.zfs.zed = ... # TODO: zfs can send me emails when disks fail
-  sane.programs.sysadminUtils.suggestedPrograms = [ "zfs-tools" ];
 
   sane.persist.stores."ext" = {
     origin = "/mnt/pool/persist";
@@ -80,16 +29,18 @@
     fsType = "vfat";
   };
 
-  # slow, external storage (for archiving, etc)
-  fileSystems."/mnt/usb-hdd" = {
-    device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
+  fileSystems."/mnt/pool" = {
+    device = "/dev/disk/by-partuuid/14a7d00a-be53-2b4e-96f9-7e2c964674ec";
     fsType = "btrfs";
     options = [
-      "compress=zstd"
+      # "compress=zstd"  #< not much point in compressing... mostly videos and music; media.
       "defaults"
+      # "device=/dev/disk/by-partuuid/14a7d00a-be53-2b4e-96f9-7e2c964674ec"
+      "device=/dev/disk/by-partuuid/6b86cc10-c3cc-ec4d-b20d-b6688f0959a6"
+      "device=/dev/disk/by-partuuid/7fd85cac-b6f3-8248-af4e-68e703d11020"
+      "device=/dev/disk/by-partuuid/ef0e5c7b-fccf-f444-bac4-534424326159"
     ];
   };
-  sane.fs."/mnt/usb-hdd".mount = {};
 
   # FIRST TIME SETUP FOR MEDIA DIRECTORY:
   # - set the group stick bit: `sudo find /var/media -type d -exec chmod g+s {} +`

hosts/by-name/servo/services/export/default.nix

@@ -37,15 +37,15 @@
     wantedBy = [ "nfs.service" "sftpgo.service" ];
     file.text = ''
       - media/         read-only:  Videos, Music, Books, etc
-      - playground/    read-write: use it to share files with other users of this server, inaccessible from the www
-      - pub/           read-only:  content made to be shared with the www
+      - playground/    read-write*: use it to share files with other users of this server, inaccessible from the www
+                                    *if you can't write to it, make sure you're connected to the WiFi and not mobile.
     '';
   };
 
   sane.fs."/var/export/playground/README.md" = {
     wantedBy = [ "nfs.service" "sftpgo.service" ];
     file.text = ''
-      this directory is intentionally read+write by anyone with access (i.e. on the LAN).
+      this directory is intentionally read+write by anyone with access.
       - share files
       - write poetry
       - be a friendly troll

hosts/by-name/servo/services/export/sftpgo/external_auth_hook

@@ -69,8 +69,12 @@ TRUSTED_CREDS = [
   # /etc/shadow style creds.
   # mkpasswd -m sha-512
   # $<method>$<salt>$<hash>
-  "$6$Zq3c2u4ghUH4S6EP$pOuRt13sEKfX31OqPbbd1LuhS21C9MICMc94iRdTAgdAcJ9h95gQH/6Jf6Ie4Obb0oxQtojRJ1Pd/9QHOlFMW."  #< m. rocket boy
+  "$6$Zq3c2u4ghUH4S6EP$pOuRt13sEKfX31OqPbbd1LuhS21C9MICMc94iRdTAgdAcJ9h95gQH/6Jf6Ie4Obb0oxQtojRJ1Pd/9QHOlFMW.",  #< m. rocket boy
+  "$6$B0NLGNdCL51PNse1$46G.aA1ATWIv5v.jUsKf4F3NS7emV2jB2gkZ3MytZtMvw2pjniHmRl0fywRjKW9TuXTeK9T50v.H0f2BaQ4PT1",  #< v. telephony
 ]
+TRUSTED_VIEWING_OR_PLAYGROUND_CREDS = [
+  "$6$iikDajz5b.YH1.on$tfSzzBEtX8IeDiJJXCasOTxRTd7cFDKXU6dhlWYVhK6xDeJhV2fh6bmm1WIHItjIth9Eh9zNgUB8xibMIWCm/."
+];
 
 def mkAuthOk(username: str, permissions: dict[str, list[str]]) -> dict:
   return dict(
@@ -112,8 +116,8 @@ def isLan(ip: str) -> bool:
 def isWireguard(ip: str) -> bool:
   return ip.startswith("10.0.10.")
 
-def isTrustedCred(password: str) -> bool:
-  for cred in TRUSTED_CREDS:
+def isTrustedCred(password: str, credlist: list[str] = TRUSTED_CREDS) -> bool:
+  for cred in credlist:
     if passlib.hosts.linux_context.verify(password, cred):
       return True
 
@@ -130,6 +134,22 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
       "/": PERM_RW,
       "/playground": PERM_RW,
       "/.public_for_test": PERM_RO,
+      "/media/Music": PERM_RO,  #< i am too picky about Music organization
+    })
+  if isTrustedCred(password, TRUSTED_VIEWING_OR_PLAYGROUND_CREDS) and username != "colin":
+    return mkAuthOk(username, permissions = {
+      # error prone, but... not the worst if i miss something
+      "/": PERM_LIST,
+      "/media/archive": PERM_DENY,
+      "/media/Books": PERM_RO,
+      "/media/collections": PERM_DENY,
+      "/media/games": PERM_RO,
+      "/media/Music": PERM_RO,
+      "/media/Pictures": PERM_RO,
+      "/media/torrents": PERM_DENY,
+      "/media/Videos": PERM_RO,
+      "/playground": PERM_RW,
+      "/.public_for_test": PERM_RO,
     })
   if isWireguard(ip):
     # allow any user from wireguard

hosts/by-name/servo/services/matrix/default.nix

@@ -11,7 +11,7 @@
 #   - `curl --header "Authorization: Bearer <your_access_token>" --data '{ "app_display_name": "<topic>", "app_id": "ntfy.uninsane.org", "data": { "url": "https://ntfy.uninsane.org/_matrix/push/v1/notify", "format": "event_id_only" }, "device_display_name": "<topic>", "kind": "http", "lang": "en-US", "profile_tag": "", "pushkey": "<topic>" }' localhost:8008/_matrix/client/v3/pushers/set`
 # - delete a notification destination by setting `kind` to `null` (otherwise, request is identical to above)
 #
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [

hosts/by-name/servo/services/matrix/irc.nix

@@ -1,6 +1,6 @@
 # config docs:
 # - <https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml>
-{ config, lib, ... }:
+{ lib, ... }:
 
 let
   ircServer = { name, additionalAddresses ? [], ssl ? true, sasl ? true, port ? if ssl then 6697 else 6667 }: let
@@ -128,6 +128,7 @@ in
 
     ircService = {
       logging.level = "warn";  # "error", "warn", "info", "debug"
+      mediaProxy.publicUrl = "https://irc.matrix.uninsane.org/media";
       servers = {
         "irc.esper.net" = ircServer {
           name = "esper";
@@ -168,4 +169,16 @@ in
     # the service actively uses at least one of these, and both of them are fairly innocuous
     SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @setuid @swap";
   };
+
+  services.nginx.virtualHosts."irc.matrix.uninsane.org" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/media" = {
+      proxyPass = "http://127.0.0.1:11111";
+    };
+  };
+
+  sane.dns.zones."uninsane.org".inet = {
+    CNAME."irc.matrix" = "native";
+  };
 }

hosts/common/boot.nix

@@ -25,10 +25,10 @@
 
   # moby has to run recent kernels (defined elsewhere).
   # meanwhile, kernel variation plays some minor role in things like sandboxing (landlock) and capabilities.
+  # - as of 2024/08/xx, my boot fails on 6.6, but works on 6.9 and (probably; recently) 6.8.
   # simpler to keep near the latest kernel on all devices,
   # and also makes certain that any weird system-level bugs i see aren't likely to be stale kernel bugs.
-  # servo needs zfs though, which doesn't support every kernel.
-  boot.kernelPackages = lib.mkDefault pkgs.zfs.latestCompatibleLinuxPackages;
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
   # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
   boot.initrd.preFailCommands = "allowShell=1";

hosts/common/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, pkgs, ... }:
 {
   imports = [
     ./boot.nix

hosts/common/feeds.nix

@@ -57,6 +57,7 @@ let
     };
 
   podcasts = [
+    (fromDb "404media.co/the-404-media-podcast" // tech)
     (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)  # ACQ2 - more "Acquired" episodes
     (fromDb "allinchamathjason.libsyn.com" // pol)
     (fromDb "api.oyez.org/podcasts/oral-arguments/2015" // pol)  # Supreme Court Oral Arguments ("2015" in URL means nothing -- it's still updated)
@@ -71,7 +72,9 @@ let
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
     (fromDb "feeds.feedburner.com/dancarlin/history" // rat)
     (fromDb "feeds.feedburner.com/radiolab" // pol)  # Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
+    (fromDb "feeds.megaphone.fm/GLT1412515089" // pol)  # JRE: Joe Rogan Experience
     (fromDb "feeds.megaphone.fm/behindthebastards" // pol)  # also Maggie Killjoy
+    (fromDb "feeds.megaphone.fm/cspantheweekly" // pol)
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)  # The Verge - Decoder
     (fromDb "feeds.simplecast.com/82FI35Px" // pol)  # Ezra Klein Show
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)  # Econ Talk
@@ -84,6 +87,7 @@ let
     (fromDb "hackerpublicradio.org" // tech)
     (fromDb "lexfridman.com/podcast" // rat)
     (fromDb "linktr.ee/betteroffline" // pol)
+    (fromDb "linuxdevtime.com" // tech)
     (fromDb "mapspodcast.libsyn.com" // uncat)  # Multidisciplinary Association for Psychedelic Studies
     (fromDb "microarch.club" // tech)
     (fromDb "mintcast.org" // tech)
@@ -109,7 +113,6 @@ let
     (fromDb "theamphour.com" // tech)
     (fromDb "techtalesshow.com" // tech)  # Corbin Davenport
     (fromDb "techwontsave.us" // pol)  # rec by Cory Doctorow
-    (fromDb "wakingup.libsyn.com" // pol)  # Sam Harris
     (fromDb "werenotwrong.fireside.fm" // pol)
     (mkPod "https://sfconservancy.org/casts/the-corresponding-source/feeds/ogg/" // tech)
 
@@ -123,6 +126,7 @@ let
     # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
     # (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)  #< possible URL rot
     # (fromDb "trashfuturepodcast.podbean.com" // pol)  # rec by Cory Doctorow, but way rambly
+    # (fromDb "wakingup.libsyn.com" // pol)  # Sam Harris, but he just repeats himself now
     # (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)  # Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
     # (mkPod "https://audioboom.com/channels/5097784.rss" // tech)  # Lateral with Tom Scott
     # (mkPod "https://feeds.megaphone.fm/RUNMED9919162779" // pol // infrequent)  # The Witch Trials of J.K. Rowling: <https://www.thefp.com/witchtrials>
@@ -133,6 +137,7 @@ let
     (fromDb "acoup.blog/feed")  # history, states. author: <https://historians.social/@bretdevereaux/following>
     (fromDb "amosbbatto.wordpress.com" // tech)
     (fromDb "anish.lakhwara.com" // tech)
+    (fromDb "antipope.org")  # Charles Stross
     (fromDb "apenwarr.ca/log/rss.php" // tech)  # CEO of tailscale
     (fromDb "applieddivinitystudies.com" // rat)
     (fromDb "artemis.sh" // tech)
@@ -147,6 +152,7 @@ let
     (fromDb "blog.jmp.chat" // tech)
     (fromDb "blog.rust-lang.org" // tech)
     (fromDb "blog.thalheim.io" // tech)  # Mic92
+    (fromDb "blog.brixit.nl" // tech)  # Martijn Braam
     (fromDb "bunniestudios.com" // tech)  # Bunnie Juang
     (fromDb "capitolhillseattle.com" // pol)
     (fromDb "edwardsnowden.substack.com" // pol // text)
@@ -159,6 +165,7 @@ let
     (fromDb "interconnected.org/home/feed" // rat)  # Matt Webb -- engineering-ish, but dreamy
     (fromDb "jeffgeerling.com" // tech)
     (fromDb "jefftk.com" // tech)
+    (fromDb "justine.lol" // tech)
     (fromDb "jwz.org/blog" // tech // pol)  # DNA lounge guy, loooong-time blogger
     (fromDb "kill-the-newsletter.com/feeds/joh91bv7am2pnznv.xml" // pol)  # Matt Levine - Money Stuff
     (fromDb "kosmosghost.github.io/index.xml" // tech)
@@ -237,6 +244,7 @@ let
     (fromDb "youtube.com/@Exurb1a")
     (fromDb "youtube.com/@hbomberguy")
     (fromDb "youtube.com/@JackStauber")
+    (fromDb "youtube.com/@mii_beta" // tech)  # Baby Wogue / gnome reviewer
     (fromDb "youtube.com/@NativLang")
     (fromDb "youtube.com/@PolyMatter")
     (fromDb "youtube.com/@TechnologyConnections" // tech)

hosts/common/fs.nix

@@ -2,7 +2,7 @@
 # - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
 # - fuse options: `man mount.fuse`
 
-{ config, lib, pkgs, sane-lib, utils, ... }:
+{ config, lib, utils, ... }:
 
 let
   fsOpts = rec {
@@ -64,39 +64,6 @@ let
     #   # we don't transform_symlinks because that breaks the validity of remote /nix stores
     #   "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
     # ];
-    # in the event of hunt NFS mounts, consider:
-    # - <https://unix.stackexchange.com/questions/31979/stop-broken-nfs-mounts-from-locking-a-directory>
-
-    # NFS options: <https://linux.die.net/man/5/nfs>
-    # actimeo=n  = how long (in seconds) to cache file/dir attributes (default: 3-60s)
-    # bg         = retry failed mounts in the background
-    # retry=n    = for how many minutes `mount` will retry NFS mount operation
-    # intr       = allow Ctrl+C to abort I/O (it will error with `EINTR`)
-    # soft       = on "major timeout", report I/O error to userspace
-    # softreval  = on "major timeout", service the request using known-stale cache results instead of erroring -- if such cache data exists
-    # retrans=n  = how many times to retry a NFS request before giving userspace a "server not responding" error (default: 3)
-    # timeo=n    = number of *deciseconds* to wait for a response before retrying it (default: 600)
-    #              note: client uses a linear backup, so the second request will have double this timeout, then triple, etc.
-    # proto=udp  = encapsulate protocol ops inside UDP packets instead of a TCP session.
-    #              requires `nfsvers=3` and a kernel compiled with `NFS_DISABLE_UDP_SUPPORT=n`.
-    #              UDP might be preferable to TCP because the latter is liable to hang for ~100s (kernel TCP timeout) after a link drop.
-    #              however, even UDP has issues with `umount` hanging.
-    #
-    # N.B.: don't change these without first testing the behavior of sandboxed apps on a flaky network.
-    nfs = common ++ [
-      # "actimeo=5"
-      # "bg"
-      "retrans=1"
-      "retry=0"
-      # "intr"
-      "soft"
-      "softreval"
-      "timeo=30"
-      "nofail"  # don't fail remote-fs.target when this mount fails  (not an option for sshfs else would be common)
-      # "proto=udp"  # default kernel config doesn't support NFS over UDP: <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1964093> (see comment 11).
-      # "nfsvers=3"  # NFSv4+ doesn't support UDP at *all*. it's ok to omit nfsvers -- server + client will negotiate v3 based on udp requirement. but omitting causes confusing mount errors when the server is *offline*, because the client defaults to v4 and thinks the udp option is a config error.
-      # "x-systemd.idle-timeout=10"  # auto-unmount after this much inactivity
-    ];
 
     # manually perform a ftp mount via e.g.
     #   curlftpfs -o ftpfs_debug=2,user=anonymous:anonymous,connect_timeout=10 -f -s ftp://servo-hn /mnt/my-ftp
@@ -110,12 +77,12 @@ let
 
   ifSshAuthorized = lib.mkIf config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized;
 
-  remoteHome = host: {
+  remoteHome = name: { host ? name }: {
     sane.programs.sshfs-fuse.enableFor.system = true;
     system.fsPackages = [
       config.sane.programs.sshfs-fuse.package
     ];
-    fileSystems."/mnt/${host}/home" = {
+    fileSystems."/mnt/${name}/home" = {
       device = "sshfs#colin@${host}:/home/colin";
       fsType = "fuse3";
       options = fsOpts.sshColin ++ fsOpts.lazyMount ++ [
@@ -125,7 +92,7 @@ let
       ];
       noCheck = true;
     };
-    sane.fs."/mnt/${host}/home" = {
+    sane.fs."/mnt/${name}/home" = {
       dir.acl.user = "colin";
       dir.acl.group = "users";
       dir.acl.mode = "0700";
@@ -184,8 +151,6 @@ let
         "drop_privileges"
         "auto_unmount"  #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
       ];
-      # fsType = "nfs";
-      # options = fsOpts.nfs ++ fsOpts.lazyMount;
     };
     sane.fs."${localPath}" = {
       dir.acl.user = "colin";
@@ -240,7 +205,9 @@ let
         "ftp://servo-hn:/${subdir}"
         "/dev/null"
         "-o"
-        (lib.concatStringsSep "," ([ "exit_after_connect" ] ++ config.fileSystems."${localPath}".options))
+        (lib.concatStringsSep "," ([
+          "exit_after_connect"
+        ] ++ config.fileSystems."${localPath}".options))
       ];
       serviceConfig.RemainAfterExit = true;
       serviceConfig.Type = "oneshot";
@@ -344,20 +311,14 @@ lib.mkMerge [
     # but it decreases working memory under the heaviest of loads by however much space the compressed memory occupies (e.g. 50% if 2:1; 25% if 4:1)
     zramSwap.memoryPercent = 100;
 
-    # environment.pathsToLink = [
-    #   # needed to achieve superuser access for user-mounted filesystems (see sshRoot above)
-    #   # we can only link whole directories here, even though we're only interested in pkgs.openssh
-    #   "/libexec"
-    # ];
-
     programs.fuse.userAllowOther = true;  #< necessary for `allow_other` or `allow_root` options.
   }
 
-  (ifSshAuthorized (remoteHome "crappy"))
-  (ifSshAuthorized (remoteHome "desko"))
-  (ifSshAuthorized (remoteHome "lappy"))
-  (ifSshAuthorized (remoteHome "moby"))
-  (ifSshAuthorized (remoteHome "servo"))
+  (ifSshAuthorized (remoteHome "crappy" {}))
+  (ifSshAuthorized (remoteHome "desko" {}))
+  (ifSshAuthorized (remoteHome "lappy" {}))
+  (ifSshAuthorized (remoteHome "moby" { host = "moby-hn"; }))
+  (ifSshAuthorized (remoteHome "servo" {}))
   # this granularity of servo media mounts is necessary to support sandboxing:
   # for flaky mounts, we can only bind the mountpoint itself into the sandbox,
   # so it's either this or unconditionally bind all of media/.

hosts/common/home/fs.nix

@@ -9,9 +9,10 @@
     "Books/local"
     "Music"
 
-    # this is persisted simply to save on RAM. mesa_shader_cache is < 10 MB.
+    # this is persisted simply to save on RAM. mesa_shader_cache is < 10 MB per boot.
     # TODO: integrate with sane.programs.sandbox?
     ".cache/mesa_shader_cache"
+    ".cache/mesa_shader_cache_db"
   ];
   sane.user.persist.byStore.private = [
     "archive"

hosts/common/net/default.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ ... }:
 
 {
   imports = [

hosts/common/net/networkmanager.nix

@@ -48,7 +48,9 @@ in {
       # allow the bus to owned by either root or networkmanager users
       # use the group here, that way ordinary users can be elevated to control networkmanager
       # (via e.g. `nmcli`)
-      for f in org.freedesktop.NetworkManager.conf nm-dispatcher.conf ; do
+      confs=(nm-dispatcher.conf)
+      confs+=(org.freedesktop.NetworkManager.conf)
+      for f in "''${confs[@]}" ; do
         substitute $out/share/dbus-1/system.d/$f \
           $out/share/dbus-1/system.d/networkmanager-$f \
           --replace-fail 'user="root"' 'group="networkmanager"'
@@ -92,9 +94,9 @@ in {
     serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
     serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
     serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
-    serviceConfig.ProtectKernelTunables = true;  # but NM might need to write /proc/sys/net/...
+    # serviceConfig.ProtectKernelTunables = true;  # causes errors/warnings when opening files in /proc/sys/net/...; also breaks IPv6 SLAAC / link-local address creation!
     serviceConfig.ProtectProc = "invisible";
-    serviceConfig.ProcSubset = "pid";
+    serviceConfig.ProcSubset = "all";
     serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
     serviceConfig.RemoveIPC = true;
     serviceConfig.RestrictAddressFamilies = [

hosts/common/net/upnp.nix

@@ -16,5 +16,9 @@
     ${ipset}/bin/ipset create -! upnp hash:ip,port timeout 10
     ${iptables}/bin/iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
     ${iptables}/bin/iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
+    # IPv6 ruleset. ff02::/16 means *any* link-local multicast group (so this is probably more broad than it needs to be)
+    ${ipset}/bin/ipset create -! upnp6 hash:ip,port timeout 10 family inet6
+    ${iptables}/bin/ip6tables -A OUTPUT -d ff02::/16 -p udp -m udp --dport 1900 -j SET --add-set upnp6 src,src --exist
+    ${iptables}/bin/ip6tables -A INPUT -p udp -m set --match-set upnp6 dst,dst -j ACCEPT
   '';
 }

hosts/common/net/vpn.nix

@@ -5,7 +5,7 @@
 # - generate config @ OVPN.com
 # - copy the Address, PublicKey, Endpoint from OVPN's config
 
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 let
   # N.B.: OVPN issues each key (i.e. device) a different IP (addrV4), and requires you use it.
   # the IP it issues can be used to connect to any of their VPNs.

hosts/common/nix.nix

@@ -64,7 +64,12 @@
     # it's an impurity that touches way more than i need and tends to cause hard-to-debug eval issues
     # when it goes wrong. should i port my `nix-shell` scripts to something more tailored to my uses
     # and then delete `nixpkgs-overlays`?
-    "nixpkgs-overlays=/home/colin/dev/nixos/integrations/nixpkgs/nixpkgs-overlays.nix"
+    # "nixpkgs-overlays=/home/colin/dev/nixos/integrations/nixpkgs/nixpkgs-overlays.nix"
+    # XXX(2024-09-02): nix 2.24.4 errors when nixpkgs-overlays includes a symlink component:
+    # "error: path '/home/colin/dev' is a symlink"
+    # apparently nix has to explicitly handle symlinks in every place it might encounter them,
+    # so the fixes inside nix for this are manual and fragile. dereference it ourselves:
+    "nixpkgs-overlays=${config.sane.fs."/home/colin/dev".symlink.target}/nixos/integrations/nixpkgs/nixpkgs-overlays.nix"
   ];
 
   # ensure new deployments have a source of this repo with which they can bootstrap.

hosts/common/programs/aerc.nix

@@ -3,8 +3,7 @@
 
 {
   sane.programs.aerc = {
-    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";  #< /share/aerc/aerc.conf refers to other /share files by absolute path
+    sandbox.wrapperType = "inplace";  #< /share/aerc/aerc.conf mentions (in comments) other (non-sandboxed) /share files by absolute path
     sandbox.net = "clearnet";
     secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
     mime.associations."x-scheme-handler/mailto" = "aerc.desktop";

hosts/common/programs/alsa-ucm-conf/default.nix

@@ -15,8 +15,9 @@ in
     };
 
     # upstream alsa ships with PinePhone audio configs, but they don't actually produce sound.
-    # - still true as of 2024-05-26
+    # - still true as of 2024-08-20
     # - see: <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
+    # - see: <https://gitlab.com/postmarketOS/pmaports/-/issues/2115>
     #
     # we can substitute working UCM conf in two ways:
     # 1. nixpkgs' override for the `alsa-ucm-conf` package

hosts/common/programs/animatch.nix

@@ -32,7 +32,6 @@
 
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.whitelistWayland = true;
 
     persist.byStore.plaintext = [

hosts/common/programs/audacity.nix

@@ -16,7 +16,6 @@
 
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistWayland = true;
     sandbox.autodetectCliPaths = "existingFile";

hosts/common/programs/ausyscall.nix

@@ -4,7 +4,6 @@
   sane.programs.ausyscall = {
     packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.audit "ausyscall";
 
-    sandbox.method = "landlock";
   };
 }
 

hosts/common/programs/avahi.nix

@@ -11,12 +11,15 @@
 #   nss-mdns goes through avahi-daemon, so there IS caching here
 #
 { config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.avahi;
+in
 {
   sane.programs.avahi = {
     packageUnwrapped = pkgs.avahi.overrideAttrs (upstream: {
       # avahi wants to do its own sandboxing opaque to systemd & maybe in conflict with my bwrap.
       # --no-drop-root disables that, so that i can e.g. run it as User=avahi, etc.
-      # do this here, because the service isn't so easily patched.
+      # do this here, because the nixos service isn't so easily patched.
       postInstall = (upstream.postInstall or "") + ''
         wrapProgram "$out/sbin/avahi-daemon" \
           --add-flags --no-drop-root
@@ -25,16 +28,14 @@
         pkgs.makeBinaryWrapper
       ];
     });
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "system" ];
     sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
-    sandbox.extraPaths = [
-      "/"  #< TODO: decrease this, but be weary that the daemon might exit immediately
-    ];
+    # sandbox.extraPaths = [ ];  #< may be missing some paths; only tried service discovery, not service advertisement.
   };
-  services.avahi = lib.mkIf config.sane.programs.avahi.enabled {
+
+  services.avahi = lib.mkIf cfg.enabled {
     enable = true;
-    package = config.sane.programs.avahi.package;
+    package = cfg.packageUnwrapped;  #< use systemd sandboxing... not my own
     publish.enable = true;
     publish.userServices = true;
     nssmdns4 = true;
@@ -53,7 +54,21 @@
     ];
   };
 
-  systemd.services.avahi-daemon = lib.mkIf config.sane.programs.avahi.enabled {
+  # fix "rpfilter drop ..." dmesg logspam.
+  # this might not be necessary?
+  networking.firewall.extraCommands = lib.mkIf cfg.enabled (with pkgs; ''
+    # after an outgoing mDNS query to the multicast address, open FW for incoming responses.
+    # ipset -! means "don't fail if set already exists"
+    ${ipset}/bin/ipset create -! mdns hash:ip,port timeout 10
+    ${iptables}/bin/iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 5353 -j SET --add-set mdns src,src --exist
+    ${iptables}/bin/iptables -A INPUT -p udp -m set --match-set mdns dst,dst -j ACCEPT
+    # IPv6 ruleset. ff02::/16 means *any* link-local multicast group (so this is probably more broad than it needs to be)
+    ${ipset}/bin/ipset create -! mdns6 hash:ip,port timeout 10 family inet6
+    ${iptables}/bin/ip6tables -A OUTPUT -d ff02::/16 -p udp -m udp --dport 5353 -j SET --add-set mdns6 src,src --exist
+    ${iptables}/bin/ip6tables -A INPUT -p udp -m set --match-set mdns6 dst,dst -j ACCEPT
+  '');
+
+  systemd.services.avahi-daemon = lib.mkIf cfg.enabled {
     # hardening: see `systemd-analyze security avahi-daemon`
     serviceConfig.User = "avahi";
     serviceConfig.Group = "avahi";

hosts/common/programs/bemenu.nix

@@ -87,7 +87,6 @@ let
 in
 {
   sane.programs.bemenu = {
-    sandbox.method = "bwrap";  # landlock works, but requires *all* of $XDG_RUNTIME_DIR to be granted.
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       ".cache/fontconfig"  #< else it complains, and is *way* slower

hosts/common/programs/bitcoin-cli.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.bitcoin-cli = {
     packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.bitcoind "bitcoin-cli";
-    sandbox.method = "bwrap";
     sandbox.autodetectCliPaths = "existing";  #< for `bitcoin-cli -datadir=/var/lib/...`
     sandbox.extraHomePaths = [
       ".bitcoin/bitcoin.conf"

hosts/common/programs/blast-ugjka/default.nix

@@ -24,7 +24,6 @@ let
 in
 {
   sane.programs.blast-ugjka = {
-    sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.net = "clearnet";
   };
@@ -36,12 +35,11 @@ in
       pkgs = [ "blast-ugjka" ];
       srcRoot = ./.;
     };
-    sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.net = "clearnet";
     #v  else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
     #v  might be possible to remove this, but kinda hard to see a clean way.
-    sandbox.isolatePids = false;
+    sandbox.keepPidsAndProc = true;
     suggestedPrograms = [ "blast-ugjka" "sane-die-with-parent" ];
   };
 

hosts/common/programs/bonsai.nix

@@ -113,7 +113,6 @@ in
 
     fs.".config/bonsai/bonsai_tree.json".symlink.target = pkgs.writers.writeJSON "bonsai_tree.json" cfg.config.transitions;
 
-    sandbox.method = "bwrap";
     sandbox.extraRuntimePaths = [
       "bonsai"
     ];

hosts/common/programs/brave.nix

@@ -3,12 +3,17 @@
   sane.programs.brave = {
     # convert eval error to build failure
     packageUnwrapped = if (builtins.tryEval pkgs.brave).success then
-      pkgs.brave
+      pkgs.brave.overrideAttrs (upstream: {
+        # brave does crimes with `$0` which break under transparent wrapping
+        preFixup = (upstream.preFixup or "") + ''
+          substituteInPlace $out/opt/brave.com/brave/brave-browser \
+            --replace '$0' "$out/opt/brave.com/brave/brave-browser"
+        '';
+      })
     else
       pkgs.runCommandLocal "brave-not-supported" {} "false"
     ;
-    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";  # /opt/share/brave.com vendor-style packaging
+    sandbox.wrapperType = "inplace";  #< package contains dangling symlinks which my wrapper doesn't understand
     sandbox.net = "all";
     sandbox.extraHomePaths = [
       "dev"  # for developing anything web-related

hosts/common/programs/brightnessctl.nix

@@ -4,7 +4,6 @@ let
 in
 {
   sane.programs.brightnessctl = {
-    sandbox.method = "landlock";  # also bwrap, but landlock is more responsive
     sandbox.extraPaths = [
       "/sys/class/backlight"
       "/sys/class/leds"

hosts/common/programs/bunpen.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.bunpen;
+in
+{
+  sane.programs.bunpen = {
+    packageUnwrapped = pkgs.bunpen.overrideAttrs (base: {
+      # create a directory which holds just the `bunpen` so that we
+      # can add bunpen as a dependency to binaries via `PATH=/run/current-system/libexec/bunpen` without forcing rebuild every time bunpen changes
+      postInstall = ''
+        mkdir -p $out/libexec/bunpen
+        ln -s $out/bin/bunpen $out/libexec/bunpen/bunpen
+      '';
+    });
+    sandbox.enable = false;
+    sandbox.method = null;  #< TODO: avoids infinite recursion in the sane.programs system
+  };
+
+  environment.pathsToLink = lib.mkIf cfg.enabled [ "/libexec/bunpen" ];
+}

hosts/common/programs/callaudiod.nix

@@ -13,7 +13,6 @@
   sane.programs.callaudiod = {
     packageUnwrapped = pkgs.rmDbusServices pkgs.callaudiod;
 
-    sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];
 

hosts/common/programs/calls.nix

@@ -12,6 +12,19 @@
 # user guide:
 # - "Use for Calls" means, "when i click a tel: URI, use this account": <https://gitlab.gnome.org/GNOME/calls/-/issues/513>
 # - `calls -vvv` for verbosity
+# - `SOFIA_DEBUG=9 NEA_DEBUG=9 NUA_DEBUG=9 NTA_DEBUG=9 SU_DEBUG=8 gnome-calls` to debug SIP related stuff
+#
+# LIMITATIONS, COMPATIBILITY (as of 2024-08-20):
+# - when switching from wifi -> wwan (4g), may experience about a minute of audio loss.
+#   the call stays alive, but no sound in either direction.
+#   this appears to be ~40s of general net loss to servo-hn (NetworkManager being slow to switch the default device? wireguard being slow to refresh?),
+#   unknown how much time is lost in the upper layers (e.g. dns being refreshed)
+# - wwan -> wifi switching is (near) flawless. prefer to keep modem powered until end of call, because of audio routing, but OK to power it off.
+# - audio is not always routed to a good device when the modem is powered.
+#   solve by opening `pavucontrol`, go to "configuration" tab, change "Built-in audio" to anything and then back to "Make a phone call (Earpiece, Mic)".
+#   i expect my eg25-control-powered script messes with the audio routing.
+# - `gnome-calls` takes about 2 minutes after launch until it shows the UI.
+#   seems to be sandbox related.
 { config, lib, pkgs, ... }:
 let
   cfg = config.sane.programs.calls;
@@ -32,6 +45,19 @@ in
       gtk3 = pkgs.gtk4;
       libpeas = pkgs.libpeas2;
       wrapGAppsHook3 = pkgs.wrapGAppsHook4;
+      sofia_sip = pkgs.sofia_sip.overrideAttrs (upstream: {
+        # use linphone's sofia_sip.
+        # Freeswitch sofia_sip has a bug where a failed DNS query will never return to the caller.
+        # see `outgoing_answer_a`: in linphone's this already calls the user's callback; in Freeswitch there's a branch which leaves the caller hanging.
+        version = "1.13.45bc-unstable-2024-08-05";
+        src = pkgs.fetchFromGitLab {
+          domain = "gitlab.linphone.org";
+          owner = "BC/public/external";
+          repo = "sofia-sip";
+          rev = "b924a57e8eeb24e8b9afc5fd0fb9b51d5993fe5d";
+          hash = "sha256-1VbKV+eAJ80IMlubNl7774B7QvLv4hE8SXANDSD9sRU=";
+        };
+      });
     }).overrideAttrs (upstream: {
       # XXX(2024-08-08): v46.3 has a bug where if it has no network connection on launch, it forever stays disconnected & never retries
       version = "47_beta.0-unstable-2024-08-08";
@@ -47,11 +73,18 @@ in
 
       patches = (upstream.patches or []) ++ [
         (pkgs.fetchpatch {
-          # usability improvement... if the UI is visible, then i can receive calls. otherwise, i can't!
+          # usability improvement... ties the UI visibility to the connection state, so if the UI is gone, then i can't receive calls (and will hopefully notice that more easily!)
           url = "https://git.uninsane.org/colin/gnome-calls/commit/a19166d85927e59662fae189a780eed18bf876ce.patch";
           name = "exit on close (i.e. never daemonize)";
           hash = "sha256-NoVQV2TlkCcsBt0uwSyK82hBKySUW4pADrJVfLFvWgU=";
         })
+        (pkgs.fetchpatch {
+          # solves the issue where flakey DNS (especially at boot) could take down call connectivity indefinitely.
+          # see: <https://gitlab.gnome.org/GNOME/calls/-/issues/659>
+          url = "https://git.uninsane.org/colin/gnome-calls/commit/db9192a69cff2b20b5e8870e34a9b1e694a81c7f.patch";
+          name = "sip: attempt reconnection anytime network is routable, not just when routability changes";
+          hash = "sha256-agPM3XKXiP5Rxrl26DNA+pnhEPTBEBQBxZe3CoptgII=";
+        })
       ];
 
       nativeBuildInputs = upstream.nativeBuildInputs ++ [
@@ -63,7 +96,6 @@ in
       ];
     }));
 
-    sandbox.method = "bwrap";
     sandbox.net = "vpn.wg-home";  #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # necessary for secrets, at the minimum

hosts/common/programs/captree.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.captree = {
     packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
-    sandbox.method = "bwrap";
-    sandbox.isolatePids = false;
+    sandbox.keepPidsAndProc = true;
   };
 }

hosts/common/programs/celeste64.nix

@@ -3,7 +3,6 @@
   sane.programs.celeste64 = {
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/conky/default.nix

@@ -1,7 +1,6 @@
-{ pkgs, ... }:
+{ ... }:
 {
   sane.programs.conky = {
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";  #< for the scripts it calls (weather)
     sandbox.extraPaths = [
       "/sys/class/power_supply"

hosts/common/programs/cozy.nix

@@ -15,7 +15,6 @@
 
     buildCost = 1;
 
-    sandbox.method = "bwrap";  # landlock gives: _multiprocessing.SemLock: Permission Denied
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris
     sandbox.whitelistWayland = true;

hosts/common/programs/curl.nix

@@ -1,7 +1,6 @@
 { ... }:
 {
   sane.programs.curl = {
-    sandbox.method = "bwrap";
     sandbox.net = "all";
     sandbox.autodetectCliPaths = "parent";  #< for `-o` option
   };

hosts/common/programs/curlftpfs.nix

@@ -2,7 +2,8 @@
 {
   sane.programs.curlftpfs = {
     packageUnwrapped = pkgs.curlftpfs-sane;
-    sandbox.method = "bwrap";
     sandbox.net = "all";
+    sandbox.autodetectCliPaths = "existing";
+    sandbox.keepPids = true;
   };
 }

hosts/common/programs/dbus.nix

@@ -32,13 +32,12 @@ in
       '';
     });
 
-    sandbox.method = "bwrap";
     sandbox.extraRuntimePaths = [
-      "/"  #< it needs to create a file in the root. TODO: move the bus handle into a sandboxable subdirectory
+      "dbus"
     ];
-    sandbox.isolatePids = false;   #< not actually sure *why* this is necessary, but it is
+    sandbox.keepPids = true;   #< not actually sure *why* this is necessary, but it is
 
-    env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus";
+    env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/dbus/bus";
 
     # normally systemd would create a dbus session for us, but if you configure it not to do that
     # then we can create our own. not sure if there's a dependency ordering issue here: lots
@@ -47,8 +46,12 @@ in
     services.dbus = {
       description = "dbus user session";
       partOf = lib.mkIf cfg.config.autostart [ "default" ];
-      command = "dbus-daemon --session --nofork --address=$DBUS_SESSION_BUS_ADDRESS";
-      readiness.waitExists = [ "$XDG_RUNTIME_DIR/bus" ];
+      command = pkgs.writeShellScript "dbus-start" ''
+        # have to create the dbus directory before launching so that it's available in the sandbox
+        mkdir -p "$XDG_RUNTIME_DIR/dbus"
+        dbus-daemon --session --nofork --address="$DBUS_SESSION_BUS_ADDRESS"
+      '';
+      readiness.waitExists = [ "$XDG_RUNTIME_DIR/dbus/bus" ];
     };
   };
 }

hosts/common/programs/dconf.nix

@@ -25,8 +25,6 @@ in
     };
 
     packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.dconf;
-    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";  #< dbus/systemd services live in `.out` but point to `.lib` data.
     sandbox.whitelistDbus = [ "user" ];
     persist.byStore.private = [
       ".config/dconf"

hosts/common/programs/default.nix

@@ -18,6 +18,7 @@
     ./brave.nix
     ./brightnessctl.nix
     ./bubblewrap.nix
+    ./bunpen.nix
     ./callaudiod.nix
     ./calls.nix
     ./cantata.nix
@@ -39,6 +40,7 @@
     ./dissent.nix
     ./dtrx.nix
     ./eg25-control.nix
+    ./eg25-manager.nix
     ./element-desktop.nix
     ./engrampa.nix
     ./epiphany.nix
@@ -47,7 +49,7 @@
     ./exiftool.nix
     ./fcitx5.nix
     ./feedbackd.nix
-    ./firefox.nix
+    ./firefox
     ./firefox-xdg-open.nix
     ./flare-signal.nix
     ./foliate.nix
@@ -76,26 +78,32 @@
     ./gps-share.nix
     ./grimshot.nix
     ./gst-device-monitor.nix
+    ./gst-launch.nix
     ./gthumb.nix
     ./gvfs.nix
     ./handbrake.nix
+    ./haredoc.nix
     ./helix.nix
     ./htop
     ./iio-sensor-proxy.nix
     ./imagemagick.nix
+    ./inkscape.nix
     ./jellyfin-media-player.nix
     ./kdenlive.nix
     ./keymapp.nix
     ./komikku.nix
     ./koreader
+    ./krita.nix
     ./less.nix
     ./lftp.nix
     ./lgtrombetta-compass.nix
+    ./libcamera.nix
     ./libreoffice.nix
     ./lemoa.nix
     ./loupe.nix
     ./mako.nix
     ./megapixels.nix
+    ./megapixels-next.nix
     ./mepo.nix
     ./mimeo
     ./mimetype.nix
@@ -104,7 +112,7 @@
     ./mpv
     ./msmtp.nix
     ./nautilus.nix
-    ./neovim.nix
+    ./neovim
     ./networkmanager_dmenu
     ./newsflash.nix
     ./nheko.nix
@@ -121,6 +129,7 @@
     ./ols.nix
     ./open-in-mpv.nix
     ./pactl.nix
+    ./papers.nix
     ./pidof.nix
     ./pipewire
     ./pkill.nix
@@ -151,6 +160,9 @@
     ./sfeed.nix
     ./shadow.nix
     ./signal-desktop.nix
+    ./sm64ex-coop.nix
+    ./sm64ex-coop-deluxe.nix
+    ./soundconverter.nix
     ./splatmoji.nix
     ./spot.nix
     ./spotify.nix
@@ -170,6 +182,7 @@
     ./tor-browser.nix
     ./tuba.nix
     ./unl0kr
+    ./v4l-utils.nix
     ./via.nix
     ./visidata.nix
     ./vlc.nix
@@ -190,6 +203,7 @@
     ./xdg-terminal-exec.nix
     ./xdg-utils.nix
     ./youtube-tui.nix
+    ./yt-dlp.nix
     ./zathura.nix
     ./zeal.nix
     ./zecwallet-lite.nix

hosts/common/programs/dialect.nix

@@ -14,7 +14,6 @@
 
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # share/search_providers/ calls back into the binary, weird wrap semantics
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";

hosts/common/programs/dino.nix

@@ -58,7 +58,6 @@ in
       webrtc-audio-processing = null;
     };
 
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/dissent.nix

@@ -31,7 +31,6 @@ in
           --replace-fail '"login"' '"Default_keyring"'
       '';
     });
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/dtrx.nix

@@ -9,7 +9,6 @@
       # build without rpm support, since `rpm` package doesn't cross-compile.
       rpm = null;
     };
-    sandbox.method = "bwrap";
     sandbox.whitelistPwd = true;
     sandbox.autodetectCliPaths = "existing";  #< for the archive
   };

hosts/common/programs/eg25-control.nix

@@ -6,8 +6,8 @@ in
   sane.programs.eg25-control = {
     suggestedPrograms = [ "mmcli" ];
 
-    sandbox.method = "bwrap";
     sandbox.extraPaths = [
+      "/dev/gpiochip1"
       "/sys/class/modem-power"
       "/sys/devices"
       # "/var/lib/eg25-control"

hosts/common/programs/eg25-manager.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.eg25-manager;
+in
+{
+  sane.programs.eg25-manager = {
+    # it has to be enabled system-wide for its udev rules to make it into /run/current-system/sw/lib/udev/rules.d.
+    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
+  };
+
+  # not sure if this is required or if it's enough that eg25-manager is on system.packages.
+  services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
+}

hosts/common/programs/element-desktop.nix

@@ -27,7 +27,6 @@
 
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/engrampa.nix

@@ -2,7 +2,6 @@
 {
   sane.programs."mate.engrampa" = {
     packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
-    sandbox.method = "bwrap";  # TODO:sandbox: untested
     sandbox.whitelistWayland = true;
     sandbox.autodetectCliPaths = "existingOrParent";
     sandbox.extraHomePaths = [

hosts/common/programs/epiphany.nix

@@ -8,7 +8,6 @@
 { pkgs, ... }:
 {
   sane.programs.epiphany = {
-    sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;

hosts/common/programs/errno.nix

@@ -12,6 +12,5 @@
       buildInputs = [];  #< errno has no runtime perl deps, and they don't cross compile, so disable them.
     });
 
-    sandbox.method = "landlock";
   };
 }

hosts/common/programs/evince.nix

@@ -3,7 +3,6 @@
   sane.programs.evince = {
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.autodetectCliPaths = "existingFile";
     sandbox.whitelistWayland = true;
 

hosts/common/programs/exiftool.nix

@@ -1,7 +1,6 @@
 { ... }:
 {
   sane.programs.exiftool = {
-    sandbox.method = "bwrap";
     sandbox.autodetectCliPaths = "existingFile";
   };
 }

hosts/common/programs/fcitx5.nix

@@ -24,7 +24,7 @@
 #   - nixpkgs has a few themes: `fcitx5-{material-color,nord,rose-pine}`
 #   - NUR has a few themes
 #   - <https://github.com/catppuccin/fcitx5>
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 {
   sane.programs.fcitx5 = {
     packageUnwrapped = pkgs.fcitx5-with-addons.override {
@@ -34,7 +34,6 @@
       ];
     };
 
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "user" ];
     sandbox.whitelistWayland = true;  # for `fcitx5-configtool, if nothing else`
     sandbox.extraHomePaths = [

hosts/common/programs/feedbackd.nix

@@ -24,7 +24,6 @@ in
       default = {};
     };
 
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "user" ];
     sandbox.whitelistAudio = true;
 

hosts/common/programs/firefox-xdg-open.nix

@@ -3,7 +3,6 @@
   sane.programs.firefox-xdg-open = {
     packageUnwrapped = pkgs.firefox-extensions.firefox-xdg-open.systemComponent;
 
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
 
     mime.associations."x-scheme-handler/xdg-open" = "xdg-open.desktop";

hosts/common/programs/firefox.nix

@@ -1,421 +0,0 @@
-# common settings to toggle (at runtime, in about:config):
-#   > security.ssl.require_safe_negotiation
-
-# librewolf is a forked firefox which patches firefox to allow more things
-# (like default search engines) to be configurable at runtime.
-# many of the settings below won't have effect without those patches.
-# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
-
-{ config, lib, pkgs, ...}:
-with lib;
-let
-  cfg = config.sane.programs.firefox.config;
-  mobile-prefs = lib.optionals false pkgs.librewolf-pmos-mobile.extraPrefsFiles;
-  # allow easy switching between firefox and librewolf with `defaultSettings`, below
-  librewolfSettings = {
-    browser = pkgs.librewolf-unwrapped.overrideAttrs (upstream: {
-      # TEMP(2023/11/21): fix eval bug in wrapFirefox
-      # see: <https://github.com/NixOS/nixpkgs/pull/244591>
-      passthru = upstream.passthru // {
-        requireSigning = false;
-        allowAddonSideload = true;
-      };
-    });
-    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ mobile-prefs;
-    libName = "librewolf";
-    dotDir = ".librewolf";
-    cacheDir = ".cache/librewolf";
-    desktop = "librewolf.desktop";
-  };
-  firefoxSettings = {
-    browser = pkgs.firefox-esr-unwrapped;
-    extraPrefsFiles = mobile-prefs;
-    libName = "firefox";
-    dotDir = ".mozilla/firefox";
-    cacheDir = ".cache/mozilla";
-    desktop = "firefox.desktop";
-  };
-  # defaultSettings = firefoxSettings;
-  defaultSettings = librewolfSettings;
-
-  packageUnwrapped = (pkgs.wrapFirefox cfg.browser.browser {
-    # inherit the default librewolf.cfg
-    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-    inherit (cfg.browser) extraPrefsFiles libName;
-
-    nativeMessagingHosts = lib.optionals cfg.addons.browserpass-extension.enable [
-      pkgs.browserpass
-    ] ++ lib.optionals cfg.addons.fxCast.enable [
-      pkgs.fx-cast-bridge
-    ];
-
-    nixExtensions = concatMap (ext: optional ext.enable ext.package) (attrValues cfg.addons);
-
-    extraPolicies = {
-      FirefoxHome = {
-        Search = true;
-        Pocket = false;
-        Snippets = false;
-        TopSites = false;
-        Highlights = false;
-      };
-      NoDefaultBookmarks = true;
-      OfferToSaveLogins = false;
-      OfferToSaveLoginsDefault = false;
-      PasswordManagerEnabled = false;
-      SearchEngines = {
-        Default = "DuckDuckGo";
-      };
-      UserMessaging = {
-        ExtensionRecommendations = false;
-        FeatureRecommendations = false;
-        SkipOnboarding = true;
-        UrlbarInterventions = false;
-        WhatsNew = false;
-      };
-
-      # these were taken from Librewolf
-      AppUpdateURL = "https://localhost";
-      DisableAppUpdate = true;
-      OverrideFirstRunPage = "";
-      OverridePostUpdatePage = "";
-      DisableSystemAddonUpdate = true;
-      DisableFirefoxStudies = true;
-      DisableTelemetry = true;
-      DisableFeedbackCommands = true;
-      DisablePocket = true;
-      DisableSetDesktopBackground = false;
-
-      # remove many default search providers
-      # XXX this seems to prevent the `nixExtensions` from taking effect
-      # Extensions.Uninstall = [
-      #   "google@search.mozilla.org"
-      #   "bing@search.mozilla.org"
-      #   "amazondotcom@search.mozilla.org"
-      #   "ebay@search.mozilla.org"
-      #   "twitter@search.mozilla.org"
-      # ];
-      # XXX doesn't seem to have any effect...
-      # docs: https://github.com/mozilla/policy-templates#homepage
-      # Homepage = {
-      #   HomepageURL = "https://uninsane.org/";
-      #   StartPage = "homepage";
-      # };
-      # NewTabPage = true;
-    };
-    # extraPrefs = ...
-  }).overrideAttrs (base: {
-    nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
-      pkgs.copyDesktopItems
-    ];
-    desktopItems = (base.desktopItems or []) ++ [
-      (pkgs.makeDesktopItem {
-        name = "${cfg.browser.libName}-in-vpn";
-        desktopName = "${cfg.browser.libName} (VPN)";
-        genericName = "Web Browser";
-        # N.B.: --new-instance ensures we don't reuse an existing differenty-namespaced instance.
-        # OTOH, it may error about "only one instance can run at a time": close the other instance if you see that.
-        exec = "${lib.getExe pkgs.sane-scripts.vpn} do default -- ${cfg.browser.libName} --new-instance";
-        icon = cfg.browser.libName;
-        categories = [ "Network" "WebBrowser" ];
-        type = "Application";
-      })
-      (pkgs.makeDesktopItem {
-        name = "${cfg.browser.libName}-stub-dns";
-        desktopName = "${cfg.browser.libName} (stub DNS)";
-        genericName = "Web Browser";
-        # N.B.: --new-instance ensures we don't reuse an existing differently-namespaced instance.
-        # OTOH, it may error about "only one instance can run at a time": close the other instance if you see that.
-        exec = "${lib.getExe pkgs.sane-scripts.vpn} do none -- ${cfg.browser.libName} --new-instance";
-        icon = cfg.browser.libName;
-        categories = [ "Network" "WebBrowser" ];
-        type = "Application";
-      })
-    ];
-    # de-associate `ctrl+shift+c` from activating the devtools.
-    # based on <https://stackoverflow.com/a/54260938>
-    # TODO: could use `zip -f` to only update the one changed file, instead of rezipping everything.
-    buildCommand = (base.buildCommand or "") + ''
-      mkdir omni
-
-      echo "omni.ja BEFORE:"
-      ls -l $(readlink $out/lib/${cfg.browser.libName}/browser/omni.ja)
-
-      echo "unzipping omni.ja"
-      # N.B. `zip` exits non-zero even on successful extraction, if the file didn't 100% obey spec
-      ${pkgs.buildPackages.unzip}/bin/unzip $out/lib/${cfg.browser.libName}/browser/omni.ja -d omni || true
-
-      echo "removing old omni.ja"
-      rm $out/lib/${cfg.browser.libName}/browser/omni.ja
-
-      echo "patching omni.ja"
-      ${pkgs.buildPackages.gnused}/bin/sed -i s'/devtools-commandkey-inspector = C/devtools-commandkey-inspector = VK_F12/' omni/localization/en-US/devtools/startup/key-shortcuts.ftl
-
-      echo "re-zipping omni.ja"
-      pushd omni; ${pkgs.buildPackages.zip}/bin/zip $out/lib/${cfg.browser.libName}/browser/omni.ja -r ./*; popd
-
-      echo "omni.ja AFTER:"
-      ls -l $out/lib/${cfg.browser.libName}/browser/omni.ja
-
-      runHook postBuild
-      runHook postInstall
-      runHook postFixup
-    '';
-  });
-
-  addonOpts = types.submodule {
-    options = {
-      package = mkOption {
-        type = types.package;
-      };
-      enable = mkOption {
-        type = types.bool;
-      };
-    };
-  };
-
-  configOpts = {
-    options = {
-      browser = mkOption {
-        default = defaultSettings;
-        type = types.anything;
-      };
-      persistData = mkOption {
-        description = "optional store name to which persist browsing data (like history)";
-        type = types.nullOr types.str;
-        default = null;
-      };
-      persistCache = mkOption {
-        description = "optional store name to which persist browser cache";
-        type = types.nullOr types.str;
-        default = "ephemeral";
-      };
-      addons = mkOption {
-        type = types.attrsOf addonOpts;
-        default = {};
-      };
-    };
-  };
-in
-{
-  config = mkMerge [
-    ({
-      sane.programs.firefox.configOption = mkOption {
-        type = types.submodule configOpts;
-        default = {};
-      };
-      sane.programs.firefox.config.addons = {
-        fxCast = {
-          # add a menu to cast to chromecast devices, but it doesn't seem to work very well.
-          # right click (or shift+rc) a video, then select "cast".
-          # - asciinema.org: icon appears, but glitches when clicked.
-          # - youtube.com: no icon appears, even when site is whitelisted.
-          # future: maybe better to have browser open all videos in mpv, and then use mpv for casting.
-          # see e.g. `ff2mpv`, `open-in-mpv` (both are packaged in nixpkgs)
-          package = pkgs.firefox-extensions.fx_cast;
-          enable = lib.mkDefault false;
-        };
-        browserpass-extension = {
-          package = pkgs.firefox-extensions.browserpass-extension;
-          enable = lib.mkDefault true;
-        };
-        bypass-paywalls-clean = {
-          package = pkgs.firefox-extensions.bypass-paywalls-clean;
-          enable = lib.mkDefault true;
-        };
-        ctrl-shift-c-should-copy = {
-          package = pkgs.firefox-extensions.ctrl-shift-c-should-copy;
-          enable = lib.mkDefault false;  # prefer patching firefox source code, so it works in more places
-        };
-        ether-metamask = {
-          package = pkgs.firefox-extensions.ether-metamask;
-          enable = lib.mkDefault false;  # until i can disable the first-run notification
-        };
-        firefox-xdg-open = {
-          # test: `xdg-open xdg-open:https://uninsane.org`
-          package = pkgs.firefox-extensions.firefox-xdg-open;
-          enable = lib.mkDefault true;
-        };
-        i2p-in-private-browsing = {
-          package = pkgs.firefox-extensions.i2p-in-private-browsing;
-          enable = lib.mkDefault config.services.i2p.enable;
-        };
-        i-still-dont-care-about-cookies = {
-          package = pkgs.firefox-extensions.i-still-dont-care-about-cookies;
-          enable = lib.mkDefault false;  #< obsoleted by uBlock Origin annoyances/cookies lists
-        };
-        open-in-mpv = {
-          # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
-          package = pkgs.firefox-extensions.open-in-mpv;
-          enable = lib.mkDefault false;
-        };
-        sidebery = {
-          package = pkgs.firefox-extensions.sidebery;
-          enable = lib.mkDefault true;
-        };
-        sponsorblock = {
-          package = pkgs.firefox-extensions.sponsorblock;
-          enable = lib.mkDefault true;
-        };
-        ublacklist = {
-          package = pkgs.firefox-extensions.ublacklist;
-          enable = lib.mkDefault false;
-        };
-        ublock-origin = {
-          package = pkgs.firefox-extensions.ublock-origin;
-          enable = lib.mkDefault true;
-        };
-      };
-    })
-    ({
-      sane.programs.firefox = {
-        inherit packageUnwrapped;
-        sandbox.method = "bwrap";  # landlock works, but requires all of /proc to be linked
-        sandbox.wrapperType = "inplace";  # trivial package; cheap enough to wrap inplace
-        sandbox.net = "all";
-        sandbox.whitelistAudio = true;
-        sandbox.whitelistDbus = [ "user" ];  # mpris
-        sandbox.whitelistWayland = true;
-        sandbox.extraHomePaths = [
-          "dev"  # for developing anything web-related
-          # for uploads/downloads.
-          # it still needs these paths despite using the portal's file-chooser :?
-          "tmp"
-          "Pictures/albums"
-          "Pictures/cat"
-          "Pictures/from"
-          "Pictures/Photos"
-          "Pictures/Screenshots"
-          "Pictures/servo-macros"
-        ] ++ lib.optionals cfg.addons.browserpass-extension.enable [
-          # browserpass needs these paths:
-          # - knowledge/secrets/accounts: where the encrypted account secrets live
-          # at least one of:
-          # - .config/sops: for the sops key which can decrypt account secrets
-          # - .ssh: to unlock the sops key, if not unlocked (`sane-secrets-unlock`)
-          # TODO: find a way to not expose ~/.ssh to firefox
-          # - unlock sops at login (or before firefox launch)?
-          # - see if ssh has a more formal type of subkey system?
-          # ".ssh/id_ed25519"
-          # ".config/sops"
-          "knowledge/secrets/accounts"
-        ];
-        fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {};  #< needs to be created, not *just* added to the sandbox
-
-        suggestedPrograms = lib.optionals cfg.addons.firefox-xdg-open.enable [
-          "firefox-xdg-open"
-        ] ++ lib.optionals cfg.addons.open-in-mpv.enable [
-          "open-in-mpv"
-        ];
-
-        mime.associations = let
-          inherit (cfg.browser) desktop;
-        in {
-          "text/html" = desktop;
-          "x-scheme-handler/http" = desktop;
-          "x-scheme-handler/https" = desktop;
-          "x-scheme-handler/about" = desktop;
-          "x-scheme-handler/unknown" = desktop;
-        };
-
-        # env.BROWSER = "${package}/bin/${cfg.browser.libName}";
-        env.BROWSER = cfg.browser.libName;  # used by misc tools like xdg-email, as fallback
-
-        # uBlock configuration:
-        fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json".symlink.target = cfg.addons.ublock-origin.package.makeConfig {
-          # more filter lists are available here:
-          # - <https://easylist.to>
-          #   - <https://github.com/easylist/easylist.git>
-          # - <https://github.com/yokoffing/filterlists>
-          filterFiles = let
-            getUasset = n: "${pkgs.uassets}/share/filters/${n}.txt";
-          in [
-            # default ublock filters:
-            (getUasset "ublock-filters")
-            (getUasset "ublock-badware")
-            (getUasset "ublock-privacy")
-            (getUasset "ublock-quick-fixes")
-            (getUasset "ublock-unbreak")
-            (getUasset "easylist")
-            (getUasset "easyprivacy")
-            # (getUasset "urlhaus-1")  #< TODO: i think this is the same as urlhaus-filter-online
-            (getUasset "urlhaus-filter-online")
-            # (getUasset "plowe-0")   #< TODO: where does this come from?
-            # (getUasset "ublock-cookies-adguard")  #< TODO: where does this come from?
-            # filters i've added:
-            (getUasset "easylist-annoyances")  #< blocks in-page popups, "social media content" (e.g. FB like button; improves loading time)
-            (getUasset "easylist-cookies")  #< blocks GDPR cookie consent popovers (e.g. at stackoverflow.com)
-            # (getUasset "ublock-annoyances-others")
-            # (getUasset "ublock-annoyances-cookies")
-          ];
-        };
-
-        # TODO: this is better suited in `extraPrefs` during `wrapFirefox` call
-        fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg".symlink.text = ''
-          // if we can't query the revocation status of a SSL cert because the issuer is offline,
-          // treat it as unrevoked.
-          // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
-          defaultPref("security.OCSP.require", false);
-
-          // scrollbar configuration, see: <https://artemis.sh/2023/10/12/scrollbars.html>
-          // style=4 gives rectangular scrollbars
-          // could also enable "always show scrollbars" in about:preferences -- not sure what the actual pref name for that is
-          // note that too-large scrollbars (like 50px wide, even 20px) tend to obscure content (and make buttons unclickable)
-          defaultPref("widget.non-native-theme.scrollbar.size.override", 14);
-          defaultPref("widget.non-native-theme.scrollbar.style", 4);
-
-          // disable inertial/kinetic/momentum scrolling because it just gets in the way on touchpads
-          // source: <https://kparal.wordpress.com/2019/10/31/disabling-kinetic-scrolling-in-firefox/>
-          defaultPref("apz.gtk.kinetic_scroll.enabled", false);
-
-          // open external URIs/files via xdg-desktop-portal.
-          defaultPref("widget.use-xdg-desktop-portal.mime-handler", 1);
-          defaultPref("widget.use-xdg-desktop-portal.open-uri", 1);
-
-          defaultPref("browser.toolbars.bookmarks.visibility", "never");
-          // configure which extensions are visible by default (TODO: requires a lot of trial and error)
-          // defaultPref("browser.uiCustomization.state", ...);
-
-          // auto-open specific URI schemes without prompting:
-          defaultPref("network.protocol-handler.external.xdg-open", true); // for firefox-xdg-open extension
-          defaultPref("network.protocol-handler.external.mpv", true); // for open-in-mpv extension
-          defaultPref("network.protocol-handler.external.element", true); // for Element matrix client
-          defaultPref("network.protocol-handler.external.matrix", true); // for Nheko matrix client
-        '';
-        # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
-        # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
-        fs."${cfg.browser.dotDir}/profiles.ini".symlink.text = ''
-          [Profile0]
-          Name=default
-          IsRelative=1
-          Path=default
-          Default=1
-
-          [General]
-          StartWithLastProfile=1
-        '';
-
-        # TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
-        env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
-        # alternative to PASSWORD_STORE_DIR:
-        # fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";
-
-        # flush the cache to disk to avoid it taking up too much tmp.
-        persist.byPath."${cfg.browser.cacheDir}".store =
-          if (cfg.persistData != null) then
-            cfg.persistData
-          else
-            "ephemeral"
-        ;
-
-        persist.byPath."${cfg.browser.dotDir}/default".store =
-          if (cfg.persistData != null) then
-            cfg.persistData
-          else
-            "ephemeral"
-        ;
-      };
-
-    })
-  ];
-}

hosts/common/programs/firefox/addons.nix

@@ -0,0 +1,128 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.firefox.config;
+in
+{
+  sane.programs.firefox = {
+    config.addons = {
+      fxCast = {
+        # add a menu to cast to chromecast devices, but it doesn't seem to work very well.
+        # right click (or shift+rc) a video, then select "cast".
+        # - asciinema.org: icon appears, but glitches when clicked.
+        # - youtube.com: no icon appears, even when site is whitelisted.
+        # future: maybe better to have browser open all videos in mpv, and then use mpv for casting.
+        # see e.g. `ff2mpv`, `open-in-mpv` (both are packaged in nixpkgs)
+        package = pkgs.firefox-extensions.fx_cast;
+        enable = lib.mkDefault false;
+      };
+      browserpass-extension = {
+        package = pkgs.firefox-extensions.browserpass-extension;
+        enable = lib.mkDefault true;
+      };
+      bypass-paywalls-clean = {
+        package = pkgs.firefox-extensions.bypass-paywalls-clean;
+        enable = lib.mkDefault true;
+      };
+      ctrl-shift-c-should-copy = {
+        package = pkgs.firefox-extensions.ctrl-shift-c-should-copy;
+        enable = lib.mkDefault false;  # prefer patching firefox source code, so it works in more places
+      };
+      ether-metamask = {
+        package = pkgs.firefox-extensions.ether-metamask;
+        enable = lib.mkDefault false;  # until i can disable the first-run notification
+      };
+      firefox-xdg-open = {
+        # test: `xdg-open xdg-open:https://uninsane.org`
+        package = pkgs.firefox-extensions.firefox-xdg-open;
+        enable = lib.mkDefault true;
+      };
+      i2p-in-private-browsing = {
+        package = pkgs.firefox-extensions.i2p-in-private-browsing;
+        enable = lib.mkDefault config.services.i2p.enable;
+      };
+      i-still-dont-care-about-cookies = {
+        package = pkgs.firefox-extensions.i-still-dont-care-about-cookies;
+        enable = lib.mkDefault false;  #< obsoleted by uBlock Origin annoyances/cookies lists
+      };
+      open-in-mpv = {
+        # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
+        package = pkgs.firefox-extensions.open-in-mpv;
+        enable = lib.mkDefault false;
+      };
+      sidebery = {
+        package = pkgs.firefox-extensions.sidebery;
+        enable = lib.mkDefault true;
+      };
+      sponsorblock = {
+        package = pkgs.firefox-extensions.sponsorblock;
+        enable = lib.mkDefault true;
+      };
+      ublacklist = {
+        package = pkgs.firefox-extensions.ublacklist;
+        enable = lib.mkDefault false;
+      };
+      ublock-origin = {
+        package = pkgs.firefox-extensions.ublock-origin;
+        enable = lib.mkDefault true;
+      };
+    };
+
+    suggestedPrograms = lib.optionals cfg.addons.firefox-xdg-open.enable [
+      "firefox-xdg-open"
+    ] ++ lib.optionals cfg.addons.open-in-mpv.enable [
+      "open-in-mpv"
+    ];
+
+    sandbox.extraHomePaths = lib.optionals cfg.addons.browserpass-extension.enable [
+      # browserpass needs these paths:
+      # - knowledge/secrets/accounts: where the encrypted account secrets live
+      # at least one of:
+      # - .config/sops: for the sops key which can decrypt account secrets
+      # - .ssh: to unlock the sops key, if not unlocked (`sane-secrets-unlock`)
+      # TODO: find a way to not expose ~/.ssh to firefox
+      # - unlock sops at login (or before firefox launch)?
+      # - see if ssh has a more formal type of subkey system?
+      # ".ssh/id_ed25519"
+      # ".config/sops"
+      "knowledge/secrets/accounts"
+    ];
+
+    fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {};  #< needs to be created, not *just* added to the sandbox
+
+    # uBlock configuration:
+    fs.".mozilla/firefox/managed-storage/uBlock0@raymondhill.net.json".symlink.target = cfg.addons.ublock-origin.package.makeConfig {
+      # more filter lists are available here:
+      # - <https://easylist.to>
+      #   - <https://github.com/easylist/easylist.git>
+      # - <https://github.com/yokoffing/filterlists>
+      filterFiles = let
+        getUasset = n: "${pkgs.uassets}/share/filters/${n}.txt";
+      in [
+        # default ublock filters:
+        (getUasset "ublock-filters")
+        (getUasset "ublock-badware")
+        (getUasset "ublock-privacy")
+        (getUasset "ublock-quick-fixes")
+        (getUasset "ublock-unbreak")
+        (getUasset "easylist")
+        (getUasset "easyprivacy")
+        # (getUasset "urlhaus-1")  #< TODO: i think this is the same as urlhaus-filter-online
+        (getUasset "urlhaus-filter-online")
+        # (getUasset "plowe-0")   #< TODO: where does this come from?
+        # (getUasset "ublock-cookies-adguard")  #< TODO: where does this come from?
+        # filters i've added:
+        (getUasset "easylist-annoyances")  #< blocks in-page popups, "social media content" (e.g. FB like button; improves loading time)
+        (getUasset "easylist-cookies")  #< blocks GDPR cookie consent popovers (e.g. at stackoverflow.com)
+        # (getUasset "ublock-annoyances-others")
+        # (getUasset "ublock-annoyances-cookies")
+      ];
+    };
+
+    env = lib.mkIf cfg.addons.browserpass-extension.enable {
+      # TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
+      # alternative to PASSWORD_STORE_DIR:
+      # fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";
+      PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
+    };
+  };
+}

hosts/common/programs/firefox/bookmarks.html

@@ -0,0 +1,25 @@
+<!DOCTYPE NETSCAPE-Bookmark-file-1>
+<!-- This is an automatically generated file.
+     It will be read and overwritten.
+     DO NOT EDIT! -->
+<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
+<meta http-equiv="Content-Security-Policy"
+      content="default-src 'self'; script-src 'none'; img-src data: *; object-src 'none'"></meta>
+<TITLE>Bookmarks</TITLE>
+<H1>Bookmarks Menu</H1>
+
+<DL><p>
+    <DT><H3 ADD_DATE="1" LAST_MODIFIED="1" UNFILED_BOOKMARKS_FOLDER="true">Other Bookmarks</H3>
+    <DL><p>
+        <DT><A HREF="https://en.wikipedia.org/wiki/Special:Search?search=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="w">Search Wikipedia</A>
+        <DT><A HREF="https://duckduckgo.com/?t=h_&q=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="ddg">Search DuckDuckGo</A>
+        <DT><A HREF="https://www.youtube.com/results?search_query=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="yt">Search YouTube</A>
+        <DT><A HREF="https://search.nixos.org/options?channel=unstable&query=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="opt">Search NixOS Options</A>
+        <DT><A HREF="https://wiki.archlinux.org/index.php?title=Special%3ASearch&search=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="arch">Search ArchWiki</A>
+        <DT><A HREF="https://www.amazon.com/s/?url=search-alias%3Daps&field-keywords=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="am">Search Amazon.com</A>
+        <DT><A HREF="https://www.ebay.com/sch/i.html?_sacat=0&_nkw=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="ebay">Search eBay</A>
+        <DT><A HREF="https://github.com/nixos/nixpkgs/pulls?q=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="pr">Search nixpkgs PRs</A>
+        <DT><A HREF="https://repology.org/projects/?maintainer=&category=&inrepo=&notinrepo=&repos=&families=&repos_newest=&families_newest=&search=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="repo">Search Repology - packages</A>
+        <DT><A HREF="https://myanimelist.net/?type=all&topkeyword=%s" ADD_DATE="1" LAST_MODIFIED="1" SHORTCUTURL="mal">Search MyAnimeList.net</A>
+    </DL><p>
+</DL>

hosts/common/programs/firefox/default.nix

@@ -0,0 +1,318 @@
+# common settings to toggle (at runtime, in about:config):
+#   > security.ssl.require_safe_negotiation
+
+# librewolf is a forked firefox which patches firefox to allow more things
+# (like default search engines) to be configurable at runtime.
+# many of the settings below won't have effect without those patches.
+# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
+
+{ config, lib, pkgs, ...}:
+with lib;
+let
+  cfg = config.sane.programs.firefox.config;
+  mobile-prefs = lib.optionals false pkgs.librewolf-pmos-mobile.extraPrefsFiles;
+  # allow easy switching between firefox and librewolf with `defaultSettings`, below
+  librewolfSettings = {
+    browser = pkgs.librewolf-unwrapped;
+    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ mobile-prefs;
+    libName = "librewolf";
+    dotDir = ".librewolf";
+    cacheDir = ".cache/librewolf";
+    desktop = "librewolf.desktop";
+  };
+  firefoxSettings = {
+    browser = pkgs.firefox-esr-unwrapped;
+    extraPrefsFiles = mobile-prefs;
+    libName = "firefox";
+    dotDir = ".mozilla/firefox";
+    cacheDir = ".cache/mozilla";
+    desktop = "firefox.desktop";
+  };
+  # defaultSettings = firefoxSettings;
+  defaultSettings = librewolfSettings;
+
+  packageUnwrapped = (pkgs.wrapFirefox cfg.browser.browser {
+    # inherit the default librewolf.cfg
+    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
+    inherit (cfg.browser) extraPrefsFiles libName;
+
+    nativeMessagingHosts = lib.optionals cfg.addons.browserpass-extension.enable [
+      pkgs.browserpass
+    ] ++ lib.optionals cfg.addons.fxCast.enable [
+      pkgs.fx-cast-bridge
+    ];
+
+    nixExtensions = concatMap (ext: optional ext.enable ext.package) (attrValues cfg.addons);
+
+    # extraPolicies: only really required if using firefox; else, easier to configure this via overrides.cfg.
+    # extraPolicies = {
+    #   FirefoxHome = {
+    #     Search = true;
+    #     Pocket = false;
+    #     Snippets = false;
+    #     TopSites = false;
+    #     Highlights = false;
+    #   };
+    #   NoDefaultBookmarks = true;
+    #   OfferToSaveLogins = false;
+    #   OfferToSaveLoginsDefault = false;
+    #   PasswordManagerEnabled = false;
+    #   SearchEngines = {
+    #     Default = "DuckDuckGo";
+    #   };
+    #   UserMessaging = {
+    #     ExtensionRecommendations = false;
+    #     FeatureRecommendations = false;
+    #     SkipOnboarding = true;
+    #     UrlbarInterventions = false;
+    #     WhatsNew = false;
+    #   };
+
+    #   # these were taken from Librewolf
+    #   AppUpdateURL = "https://localhost";
+    #   DisableAppUpdate = true;
+    #   OverrideFirstRunPage = "";
+    #   OverridePostUpdatePage = "";
+    #   DisableSystemAddonUpdate = true;
+    #   DisableFirefoxStudies = true;
+    #   DisableTelemetry = true;
+    #   DisableFeedbackCommands = true;
+    #   DisablePocket = true;
+    #   DisableSetDesktopBackground = false;
+
+    #   # remove many default search providers
+    #   # XXX this seems to prevent the `nixExtensions` from taking effect
+    #   # Extensions.Uninstall = [
+    #   #   "google@search.mozilla.org"
+    #   #   "bing@search.mozilla.org"
+    #   #   "amazondotcom@search.mozilla.org"
+    #   #   "ebay@search.mozilla.org"
+    #   #   "twitter@search.mozilla.org"
+    #   # ];
+    #   # XXX doesn't seem to have any effect...
+    #   # docs: https://github.com/mozilla/policy-templates#homepage
+    #   # Homepage = {
+    #   #   HomepageURL = "https://uninsane.org/";
+    #   #   StartPage = "homepage";
+    #   # };
+    #   # NewTabPage = true;
+    # };
+    # extraPrefs = ...
+  }).overrideAttrs (base: {
+    nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
+      pkgs.copyDesktopItems
+    ];
+    desktopItems = (base.desktopItems or []) ++ [
+      (pkgs.makeDesktopItem {
+        name = "${cfg.browser.libName}-in-vpn";
+        desktopName = "${cfg.browser.libName} (VPN)";
+        genericName = "Web Browser";
+        # N.B.: --new-instance ensures we don't reuse an existing differenty-namespaced instance.
+        # OTOH, it may error about "only one instance can run at a time": close the other instance if you see that.
+        exec = "${lib.getExe pkgs.sane-scripts.vpn} do default -- ${cfg.browser.libName} --new-instance";
+        icon = cfg.browser.libName;
+        categories = [ "Network" "WebBrowser" ];
+        type = "Application";
+      })
+      (pkgs.makeDesktopItem {
+        name = "${cfg.browser.libName}-stub-dns";
+        desktopName = "${cfg.browser.libName} (stub DNS)";
+        genericName = "Web Browser";
+        # N.B.: --new-instance ensures we don't reuse an existing differently-namespaced instance.
+        # OTOH, it may error about "only one instance can run at a time": close the other instance if you see that.
+        exec = "${lib.getExe pkgs.sane-scripts.vpn} do none -- ${cfg.browser.libName} --new-instance";
+        icon = cfg.browser.libName;
+        categories = [ "Network" "WebBrowser" ];
+        type = "Application";
+      })
+    ];
+
+    # TODO: could use `zip -f` to only update the one changed file, instead of rezipping everything.
+    buildCommand = (base.buildCommand or "") + ''
+      mkdir omni
+
+      echo "omni.ja BEFORE:"
+      ls -l $(readlink $out/lib/${cfg.browser.libName}/browser/omni.ja)
+
+      echo "unzipping omni.ja"
+      # N.B. `zip` exits non-zero even on successful extraction, if the file didn't 100% obey spec
+      ${pkgs.buildPackages.unzip}/bin/unzip $out/lib/${cfg.browser.libName}/browser/omni.ja -d omni || true
+
+      echo "removing old omni.ja"
+      rm $out/lib/${cfg.browser.libName}/browser/omni.ja
+
+      echo "patching omni.ja"
+      # de-associate `ctrl+shift+c` from activating the devtools.
+      # see: <https://stackoverflow.com/a/54260938>
+      ${lib.getExe pkgs.buildPackages.gnused} -i s'/devtools-commandkey-inspector = C/devtools-commandkey-inspector = VK_F12/' omni/localization/en-US/devtools/startup/key-shortcuts.ftl
+      # remap Close Tab shortcut from Ctrl+W to Ctrl+Shift+W
+      # see: <https://www.math.cmu.edu/~gautam/sj/blog/20220329-firefox-disable-ctrl-w.html>
+      ${lib.getExe pkgs.buildPackages.gnused} -i s'/command="cmd_close" modifiers="accel"/command="cmd_close" modifiers="accel,shift"/' omni/chrome/browser/content/browser/browser.xhtml
+
+      echo "re-zipping omni.ja"
+      pushd omni; ${pkgs.buildPackages.zip}/bin/zip $out/lib/${cfg.browser.libName}/browser/omni.ja -r ./*; popd
+
+      echo "omni.ja AFTER:"
+      ls -l $out/lib/${cfg.browser.libName}/browser/omni.ja
+
+      runHook postBuild
+      runHook postInstall
+      runHook postFixup
+    '';
+  });
+in
+{
+  imports = [
+    ./addons.nix
+  ];
+
+  sane.programs.firefox = {
+    configOption = mkOption {
+      default = {};
+      type = types.submodule {
+        options = {
+          browser = mkOption {
+            default = defaultSettings;
+            type = types.anything;
+          };
+          persistData = mkOption {
+            description = "optional store name to which persist browsing data (like history)";
+            type = types.nullOr types.str;
+            default = null;
+          };
+          persistCache = mkOption {
+            description = "optional store name to which persist browser cache";
+            type = types.nullOr types.str;
+            default = "ephemeral";
+          };
+          addons = mkOption {
+            default = {};
+            type = types.attrsOf (types.submodule {
+              options = {
+                package = mkOption {
+                  type = types.package;
+                };
+                enable = mkOption {
+                  type = types.bool;
+                };
+              };
+            });
+          };
+        };
+      };
+    };
+
+    inherit packageUnwrapped;
+
+    sandbox.net = "all";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistAvDev = true;  #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
+    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "dev"  # for developing anything web-related
+      # for uploads/downloads.
+      # it still needs these paths despite using the portal's file-chooser :?
+      "tmp"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+    ];
+
+    mime.associations = let
+      inherit (cfg.browser) desktop;
+    in {
+      "text/html" = desktop;
+      "x-scheme-handler/http" = desktop;
+      "x-scheme-handler/https" = desktop;
+      "x-scheme-handler/about" = desktop;
+      "x-scheme-handler/unknown" = desktop;
+    };
+
+    env.BROWSER = cfg.browser.libName;  # used by misc tools like xdg-email, as fallback
+
+    # redirect librewolf configs to the firefox configs; this way addons don't have to care about the firefox/librewolf distinction.
+    fs.".librewolf/librewolf.overrides.cfg".symlink.target = "../.mozilla/firefox/firefox.overrides.cfg";
+    fs.".librewolf/profiles.ini".symlink.target = "../.mozilla/firefox/profiles.ini";
+    fs.".librewolf/managed-storage".symlink.target = "../.mozilla/firefox/managed-storage";
+
+    # N.B.: `overrides.cfg` might be librewolf-specific -- not supported by mainline firefox.
+    # firefox does support per-profile `user.js` files which have similar functionality.
+    fs.".mozilla/firefox/firefox.overrides.cfg".symlink.text = ''
+      // use `pref(...)` to force a preference
+      // use `defaultPref(...)` to allow runtime reconfiguration
+      // discover preference names via the `about:config` page
+      //
+      // if we can't query the revocation status of a SSL cert because the issuer is offline,
+      // treat it as unrevoked.
+      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
+      defaultPref("security.OCSP.require", false);
+
+      // scrollbar configuration, see: <https://artemis.sh/2023/10/12/scrollbars.html>
+      // style=4 gives rectangular scrollbars
+      // could also enable "always show scrollbars" in about:preferences -- not sure what the actual pref name for that is
+      // note that too-large scrollbars (like 50px wide, even 20px) tend to obscure content (and make buttons unclickable)
+      defaultPref("widget.non-native-theme.scrollbar.size.override", 14);
+      defaultPref("widget.non-native-theme.scrollbar.style", 4);
+
+      // disable inertial/kinetic/momentum scrolling because it just gets in the way on touchpads
+      // source: <https://kparal.wordpress.com/2019/10/31/disabling-kinetic-scrolling-in-firefox/>
+      defaultPref("apz.gtk.kinetic_scroll.enabled", false);
+
+      // open external URIs/files via xdg-desktop-portal.
+      defaultPref("widget.use-xdg-desktop-portal.mime-handler", 1);
+      defaultPref("widget.use-xdg-desktop-portal.open-uri", 1);
+
+      defaultPref("browser.toolbars.bookmarks.visibility", "never");
+      // configure which extensions are visible by default (TODO: requires a lot of trial and error)
+      // defaultPref("browser.uiCustomization.state", ...);
+
+      // auto-open specific URI schemes without prompting:
+      defaultPref("network.protocol-handler.external.xdg-open", true); // for firefox-xdg-open extension
+      defaultPref("network.protocol-handler.external.mpv", true); // for open-in-mpv extension
+      defaultPref("network.protocol-handler.external.element", true); // for Element matrix client
+      defaultPref("network.protocol-handler.external.matrix", true); // for Nheko matrix client
+
+      // statically configure bookmarks.
+      // notably, these bookmarks have "shortcut url" fields:
+      // - type `w thing` into the URL bar to search "thing" on Wikipedia.
+      // - to add a search shortcut: right-click any search box => "Add a keyword for this search".
+      // - to update the static bookmarks, export via Hamburger => bookmarks => manage bookmarks => Import and Backup => Export Bookmarks To HTML
+      defaultPref("browser.places.importBookmarksHTML", true);
+      defaultPref("browser.bookmarks.file", "${./bookmarks.html}");
+
+      defaultPref("browser.startup.homepage", "https://uninsane.org/places");
+    '';
+
+    # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
+    # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
+    fs.".mozilla/firefox/profiles.ini".symlink.text = ''
+      [Profile0]
+      Name=default
+      IsRelative=1
+      Path=default
+      Default=1
+
+      [General]
+      StartWithLastProfile=1
+    '';
+
+    # flush the cache to disk to avoid it taking up too much tmp.
+    persist.byPath."${cfg.browser.cacheDir}".store =
+      if (cfg.persistData != null) then
+        cfg.persistData
+      else
+        "ephemeral"
+    ;
+
+    persist.byPath."${cfg.browser.dotDir}/default".store =
+      if (cfg.persistData != null) then
+        cfg.persistData
+      else
+        "ephemeral"
+    ;
+  };
+}

hosts/common/programs/flare-signal.nix

@@ -79,7 +79,6 @@
     ];
     #VVV flare complains if its data directory is a symlink, so put it in a subdirectory behind my persistence symlink.
     env.FLARE_DATA_PATH = "$HOME/.local/share/flare/data";
-    # sandbox.method = "bwrap";
     # sandbox.net = "clearnet";
     # sandbox.whitelistWayland = true;
     # sandbox.whitelistDbus = [

hosts/common/programs/foliate.nix

@@ -2,7 +2,6 @@
 { ... }:
 {
   sane.programs.foliate = {
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";  #< for dictionary, wikipedia, online book libraries
     sandbox.whitelistDbus = [ "user" ];  #< when clicking on links
     sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time

hosts/common/programs/fontconfig.nix

@@ -55,7 +55,6 @@ let
 in
 {
   sane.programs.fontconfig = {
-    sandbox.method = "bwrap";  # TODO:sandbox: untested
     sandbox.autodetectCliPaths = "existingOrParent";  #< this might be overkill; or, how many programs reference fontconfig internally?
 
     # persist.byStore.plaintext = [

hosts/common/programs/fractal.nix

@@ -26,7 +26,6 @@ in
     packageUnwrapped = pkgs.fractal-nixified.optimized;
     # packageUnwrapped = pkgs.fractal;
 
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/free.nix

@@ -2,8 +2,6 @@
 {
   sane.programs.free = {
     packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "free";
-    sandbox.method = "bwrap";
-    sandbox.isolatePids = false;
+    sandbox.extraPaths = [ "/proc/meminfo" ];
   };
 }
-

hosts/common/programs/frozen-bubble.nix

@@ -11,7 +11,6 @@
     });
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";  # net play
     sandbox.whitelistAudio = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/g4music.nix

@@ -10,7 +10,6 @@
   sane.programs.g4music = {
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris
     sandbox.whitelistWayland = true;

hosts/common/programs/gdb.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.gdb = {
     sandbox.enable = false;  # gdb doesn't sandbox well. i don't know how you could.
-    # sandbox.method = "landlock";  # permission denied when trying to attach, even as root
     sandbox.autodetectCliPaths = true;
     fs.".config/gdb/gdbinit".symlink.text = ''
       # enable commands like `py-bt`, `py-list`, etc.

hosts/common/programs/gdbus.nix

@@ -3,8 +3,6 @@
   sane.programs.gdbus = {
     packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.glib "gdbus";
 
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access
   };
 }
-

hosts/common/programs/geary.nix

@@ -14,12 +14,12 @@ in
       type = types.submodule {
         options.autostart = mkOption {
           type = types.bool;
-          default = false;
+          default = true;
         };
       };
     };
 
-    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";  #< XXX(2024-08-20): if executed from a directory different than the configured prefix, it fails to locate its sql migration files
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistWayland = true;

hosts/common/programs/geoclue-demo-agent.nix

@@ -7,7 +7,6 @@
       path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent";
     }];
 
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [
       "system"
     ];

hosts/common/programs/geoclue2.nix

@@ -47,7 +47,6 @@ in
     package = lib.mkForce null;
 
     # experimental sandboxing (2024/07/05)
-    # sandbox.method = "bwrap";
     # sandbox.whitelistDbus = [
     #   "system"
     # ];

hosts/common/programs/git.nix

@@ -18,7 +18,6 @@ in
         rm "$out/bin/git-jump"
       '';
     });
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistPwd = true;
     sandbox.autodetectCliPaths = true;  # necessary for git-upload-pack

hosts/common/programs/gnome-clocks.nix

@@ -1,6 +1,6 @@
 { pkgs, ... }: {
-  sane.programs."gnome.gnome-clocks" = {
-    packageUnwrapped = pkgs.gnome.gnome-clocks.overrideAttrs (upstream: {
+  sane.programs.gnome-clocks = {
+    packageUnwrapped = pkgs.gnome-clocks.overrideAttrs (upstream: {
       # TODO: upstream this
       buildInputs = upstream.buildInputs ++ (with pkgs; [
         # gnome-clocks needs `playbin` (gst-plugins-base) and `scaletempo` (gst-plugins-good)
@@ -12,7 +12,6 @@
     });
 
     buildCost = 1;
-    sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  #< required (alongside .config/dconf) to remember timers
     sandbox.whitelistWayland = true;

hosts/common/programs/gnome-keyring/default.nix

@@ -1,8 +1,8 @@
-{ lib, pkgs, ... }:
+# TODO: gnome-keyring has portal integration? ($out/share/xdg-desktop-portal)
+{ pkgs, ... }:
 {
   sane.programs.gnome-keyring = {
     packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring;
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "user" ];
     sandbox.extraRuntimePaths = [
       "keyring"  #< only needs keyring/control, but has to *create* that.
@@ -15,11 +15,7 @@
     ];
 
     persist.byStore.private = [
-      # N.B.: BE CAREFUL WITH THIS.
-      # gnome-keyring-daemon likes to turn symlinks into dirs. i.e. if it detects that `~/.local/share/keyrings` is a symlink
-      # it WILL try to `unlink` it and recreate it as an empty directory.
-      # the only reason i can get away with a symlink here is because gkd is sandboxed... with ~/.local/share/keyrings as an explicit mountpoint instead of as a symlink.
-      # remove the sandbox, and this breaks.
+      # N.B.: gnome-keyring-daemon used to remove symlinks and replace them with empty directories, but as of 2024-09-05 that seems no longer the case.
       ".local/share/keyrings"
     ];
 
@@ -51,6 +47,9 @@
       partOf = [ "graphical-session" ];
       command = let
         gkr-start = pkgs.writeShellScriptBin "gnome-keyring-daemon-start" ''
+          set -eu
+          # XXX(2024-09-05): this service races with the creation of the keyrings directory, so wait for it to appear
+          test -e ~/.local/share/keyrings
           mkdir -m 0700 -p $XDG_RUNTIME_DIR/keyring
           exec gnome-keyring-daemon --start --foreground --components=secrets
         '';

hosts/common/programs/gnome-maps.nix

@@ -18,20 +18,25 @@
 #   even temporarily enabling the portal for OSM doesn't work *after* the portal has been disabled -- because then gnome-maps can't access its passwords (?)
 { pkgs, ... }:
 {
-  sane.programs."gnome.gnome-maps" = {
-    packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.gnome.gnome-maps.overrideAttrs (base: {
+  sane.programs.gnome-maps = {
+    packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.gnome-maps.overrideAttrs (base: {
       # default .desktop file is trying to do some dbus launch (?) which fails even *if* i install `gapplication` (glib.bin)
       postPatch = (base.postPatch or "") + ''
         substituteInPlace data/org.gnome.Maps.desktop.in.in \
           --replace-fail 'Exec=gapplication launch @app-id@ %U' 'Exec=gnome-maps %U'
       '';
+      # TODO: set up portal-based location services, but until that works, explicitly disable portals here.
+      preFixup = (base.preFixup or "") + ''
+        gappsWrapperArgs+=(
+          --unset GIO_USE_PORTALS
+        )
+      '';
     }));
     suggestedPrograms = [
       "geoclue2"
     ];
 
     sandbox.wrapperType = "inplace";  #< /share directory contains Gir info which references libgnome-maps.so by path
-    sandbox.method = "bwrap";
     sandbox.whitelistDri = true;  # for perf
     sandbox.whitelistDbus = [
       "system"  # system is required for non-portal location services
@@ -39,11 +44,10 @@
     ];
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
-    sandbox.usePortal = false;  # TODO: set up portal-based location services
 
     persist.byStore.plaintext = [ ".cache/shumate" ];
     persist.byStore.private = [
-      ({ path = ".local/share/maps-places.json"; type = "file"; })
+      { path = ".local/share/maps-places.json"; type = "file"; }
     ];
   };
 }

hosts/common/programs/gnome-weather.nix

@@ -2,10 +2,9 @@
 # cache dir is just for weather data (or maybe a http cache)
 { ... }:
 {
-  sane.programs."gnome.gnome-weather" = {
+  sane.programs.gnome-weather = {
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  #< /share/org.gnome.Weather/org.gnome.Weather file refers to bins by full path
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";

hosts/common/programs/go2tv.nix

@@ -42,13 +42,12 @@
 # - mkv container + H.265 video + E-AC-3/48k stereo audio:
 #   - LGTV: no transcoding needed
 #
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 let
   cfg = config.sane.programs.go2tv;
 in
 {
   sane.programs.go2tv = {
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.autodetectCliPaths = "existingFile";
     # for GUI invocation, allow the common media directories

hosts/common/programs/gocryptfs.nix

@@ -1,11 +1,12 @@
 { ... }:
 {
   sane.programs.gocryptfs = {
-    sandbox.method = "landlock";
     sandbox.autodetectCliPaths = "existing";
     sandbox.capabilities = [
-      # CAP_SYS_ADMIN is only required if directly invoking gocryptfs
-      # i.e. not leverage a mount helper like `mount.fuse3-sane`.
+      # CAP_SYS_ADMIN is only required if directly invoking gocryptfs.
+      # it's not *necessarily* required if using a mount helper like `mount.fuse3-sane`
+      # however if using a namespace-based sandbox method (bunpen, bwrap), and you wish
+      # to preserve user mappings, it's still required.
       "sys_admin"
       "chown"
       "dac_override"
@@ -16,8 +17,10 @@
       "setgid"
       "setuid"
     ];
+    sandbox.tryKeepUsers = true;
+    sandbox.keepPids = true;
     suggestedPrograms = [
-      "util-linux"  #< gocryptfs complains that it can't exec `logger`, otherwise
+      "util-linux"  #< gocryptfs complains that it can't exec `logger`, otherwise. TODO(2024-09-09): is this still needed?
     ];
   };
 }

hosts/common/programs/gpodder.nix

@@ -22,7 +22,6 @@ in {
       ];
     });
 
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "user" ];  # it won't launch without it, dunno exactly why.
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";

hosts/common/programs/gps-share.nix

@@ -26,7 +26,6 @@ in
       # and systemd, for udevadm
     ];
 
-    sandbox.method = "bwrap";
     sandbox.net = "all";
     sandbox.autodetectCliPaths = "existing";  #< N.B.: `test -f /dev/ttyUSB1` fails, we can't use `existingFile`
     sandbox.whitelistDbus = [ "system" ];  #< to register with Avahi

hosts/common/programs/grimshot.nix

@@ -3,7 +3,7 @@
   sane.programs."sway-contrib.grimshot" = {
     packageUnwrapped = pkgs.sway-contrib.grimshot.override {
       # my `sway` is heavily patched to be cross compatible
-      sway-unwrapped = config.sane.programs.sway.package.sway-unwrapped;
+      sway-unwrapped = config.sane.programs.sway.package;
     };
     suggestedPrograms = [
       # runtime dependencies (grimshot is just a trivial shell script)
@@ -14,7 +14,7 @@
       # "sway"
       "wl-clipboard"
     ];
-    sandbox.method = "bwrap";
+    sandbox.keepPids = true;  #< needed by wl-clipboard
     sandbox.whitelistWayland = true;
     sandbox.whitelistDbus = [ "user" ];
     sandbox.autodetectCliPaths = "existingFileOrParent";

hosts/common/programs/gst-device-monitor.nix

@@ -2,6 +2,9 @@
 # - `gst-device-monitor-1.0 Audio/Sink`  #< show all audio sinks
 # - `gst-device-monitor-1.0 Audio/Source`  #< show all audio sources (microphones)
 # - `gst-device-monitor-1.0 Video/Source`  #< show all video sources (cameras)
+# the output will include things like
+#   `gst-launch-1.0 pipewiresrc target-object=90 ! ...`
+# in which case, view it like (for a camera): `gst-launch-1.0 pipewiresrc target-object=90 ! glimagesink`
 { pkgs, ... }:
 {
   sane.programs.gst-device-monitor = {
@@ -20,7 +23,6 @@
       ];
     });
 
-    sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.extraPaths = [
       "/dev"  # tried, but failed to narrow this down (moby)

hosts/common/programs/gst-launch.nix

@@ -0,0 +1,25 @@
+# basic environment tests:
+# - `gst-launch-1.0 audiotestsrc ! autoaudiosink`
+# - `gst-launch-1.0 videotestsrc ! videoconvert ! autovideosink`
+# more usage here: <https://github.com/matthew1000/gstreamer-cheat-sheet>
+{ pkgs, ... }:
+{
+  sane.programs.gst-launch = {
+    packageUnwrapped = (
+      pkgs.linkBinIntoOwnPackage pkgs.gst_all_1.gstreamer "gst-launch-1.0"
+    ).overrideAttrs (base: {
+      # XXX the binaries need `GST_PLUGIN_SYSTEM_PATH_1_0` set to function,
+      # but nixpkgs doesn't set those.
+      nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
+        pkgs.wrapGAppsNoGuiHook
+      ];
+      buildInputs = (base.buildInputs or []) ++ (with pkgs; [
+        gst_all_1.gst-plugins-base
+        gst_all_1.gst-plugins-good
+        gst_all_1.gst-libav  # for H.264 decoding
+        pipewire
+      ]);
+    });
+    sandbox.method = null;  #< TODO: sandbox
+  };
+}

hosts/common/programs/handbrake.nix

@@ -3,7 +3,6 @@
   sane.programs.handbrake = {
     buildCost = 1;
 
-    sandbox.method = "landlock";  #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [

hosts/common/programs/haredoc.nix

@@ -0,0 +1,8 @@
+# use like `haredoc bufio::read_line`
+{ pkgs, ... }:
+{
+  sane.programs.haredoc = {
+    sandbox.whitelistPwd = true;  #< search for function documentation below the current directory
+    env.HAREPATH = "${pkgs.hare}/src/hare/stdlib";
+  };
+}

hosts/common/programs/htop/default.nix

@@ -1,9 +1,8 @@
 { ... }:
 {
   sane.programs.htop = {
-    sandbox.method = "landlock";
+    sandbox.keepPidsAndProc = true;
     sandbox.extraPaths = [
-      "/proc"
       "/sys/devices"
     ];
     fs.".config/htop/htoprc".symlink.target = ./htoprc;

hosts/common/programs/iio-sensor-proxy.nix

@@ -41,7 +41,6 @@ in
     });
     enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;  #< for dbus/polkit policies
 
-    sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "system" ];
     sandbox.extraPaths = [
       "/run/udev/data"

hosts/common/programs/imagemagick.nix

@@ -3,7 +3,6 @@
   sane.programs.imagemagick = {
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
     sandbox.whitelistPwd = true;
     sandbox.autodetectCliPaths = "existingOrParent";  #< arg formatting is complicated enough that this won't always work.

hosts/common/programs/inkscape.nix

@@ -0,0 +1,20 @@
+{ ... }:
+{
+  sane.programs.inkscape = {
+    buildCost = 1;
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      ".config/dconf"  #< else opening images fails
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+      "dev"
+      "ref"
+      "tmp"
+    ];
+    sandbox.autodetectCliPaths = true;
+  };
+}

hosts/common/programs/kdenlive.nix

@@ -1,9 +1,8 @@
-{ pkgs, ... }:
+{ ... }:
 {
   sane.programs.kdenlive = {
     buildCost = 1;
 
-    sandbox.method = "bwrap";
     sandbox.extraHomePaths = [
       "Music"
       "Pictures/from"  # e.g. Videos taken from my phone
@@ -16,5 +15,6 @@
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
+    sandbox.whitelistX = true;
   };
 }

hosts/common/programs/komikku.nix

@@ -10,7 +10,6 @@
       '' + (upstream.preFixup or "");
     });
 
-    sandbox.method = "bwrap";  # TODO:sandbox untested
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # needs to connect to dconf via dbus
     sandbox.whitelistDri = true;  #< required

hosts/common/programs/koreader/default.nix

@@ -45,7 +45,6 @@ let
 in {
   sane.programs.koreader = {
     packageUnwrapped = pkgs.koreader-from-src;
-    sandbox.method = "bwrap";  # sandboxes fine under landlock too, except for FTP
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # for opening the web browser via portal
     sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time

hosts/common/programs/krita.nix

@@ -0,0 +1,20 @@
+{ ... }:
+{
+  sane.programs.krita = {
+    buildCost = 1;
+    sandbox.whitelistWayland = true;
+    sandbox.whitelistX = true;
+    sandbox.autodetectCliPaths = "existing";
+    sandbox.extraHomePaths = [
+      "dev"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+      "ref"
+      "tmp"
+    ];
+  };
+}

hosts/common/programs/lemoa.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.lemoa = {
     buildCost = 1;
-    sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # for clicking links
     sandbox.whitelistDri = true;