sane-vpn: fix to provide bunpen with the gateway address for "sane-vpn do none ..."

previously this only worked when using hickory-dns as the local resolver

TODO.md

@@ -1,5 +1,6 @@
 ## BUGS
-- gnome-calls eats 100% CPU and never renders UI (moby AND lappy, at least)
+- alacritty Ctrl+N frequently fails to `cd` to the previous directory
+- bunpen dbus sandboxing can't be *nested* (likely a problem in xdg-dbus-proxy)
 - dissent has a memory leak (3G+ after 24hr)
   - set a max memory use in the systemd service, to force it to restart as it leaks?
 - `rmDbusServices` may break sandboxing
@@ -8,7 +9,7 @@
 - mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed
 - syshud (volume overlay): when casting with `blast`, syshud doesn't react to volume changes
 - dissent: if i launch it without net connectivity, it gets stuck at the login, and never tries again
-- newflash on moby can't play videos
+- newsflash on moby can't play videos
   - "open in browser" works though -- in mpv
 - gnome-maps can't use geoclue *and* openstreetmap at the same time
   - get gnome-maps to speak xdg-desktop-portal, and this will be fixed
@@ -36,26 +37,16 @@
 - upstream blueprint-compiler cross fixes -> nixpkgs
 - upstream cargo cross fixes -> nixpkgs
 - upstream `gps-share` package -> nixpkgs
-- upstream PinePhonePro device trees -> linux
 
 #### upstreaming to non-nixpkgs repos
+- gnome-calls: retry net connection when DNS is down
 - gtk: build schemas even on cross compilation: <https://github.com/NixOS/nixpkgs/pull/247844>
-- gnome-calls retry net connection when DNS is down
+- linux: upstream PinePhonePro device trees
 - nwg-panel: configurable media controls
 - nwg-panel / playerctl hang fix (i think nwg-panel is what should be patched here)
 
 
 ## IMPROVEMENTS:
-- lack of a mesa shader cache for sandboxed programs DESTROYS PERF
-  - adding ~/.cache/mesa_shader_cache_db to the sandbox massively improves launch time,
-    probably reduces memory use,
-    but has unknown data leak implications.
-  - either (1) pre-populate the shader cache somehow, e.g. <https://gitlab.freedesktop.org/mesa/shader-db>
-    or (2) use a seperate shader cache per-app
-    or (3) disable the mesa cache and see if that actually helps (MESA_SHADER_CACHE_DISABLE=true)
-- tmpfs usage inside bunpen apps is not introspectable/debuggable
-  - app sandboxes could be rooted in, say, `/run/bunpen/$PID`
-    - for a nested sandbox, its vfs could be queried from the root ns at `/run/bunpen/$PID1/run/bunpen/$PID2`
 - sane-deadlines: show day of the week for upcoming items
 - curlftpfs: replace with something better
   - safer (rust? actively maintained? sandboxable?)
@@ -89,12 +80,7 @@
 - port all sane.programs to be sandboxed
   - sandbox `nix`
   - enforce that all `environment.packages` has a sandbox profile (or explicitly opts out)
-  - lock down dbus calls within the sandbox
-    - <https://github.com/flatpak/xdg-dbus-proxy>
-    - stuff on dbus presents too much surface area
-      - ~~for example anyone can `systemd-run --user ...` to potentially escape a sandbox~~
-      - for example, xdg-desktop-portal allows anyone to make arbitrary DNS requests
-        - e.g. `gdbus call --session --timeout 10 --dest org.freedesktop.portal.Desktop --object-path /org/freedesktop/portal/desktop --method org.freedesktop.portal.NetworkMonitor.CanReach 'data1.exfiltrate.uninsane.org' 80`
+  - enforce granular dbus sandboxing (bunpen-dbus-*)
 - make gnome-keyring-daemon less monolithic
   - no reason every application with _a_ secret needs to see _all_ secrets
   - check out oo7-daemon?
@@ -120,7 +106,6 @@
   - offline Wikipedia (or, add to `wike`)
   - some type of games manager/launcher
     - Gnome Highscore (retro games)?: <https://gitlab.gnome.org/World/highscore>
-  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)?)
   - note-taking app: <https://linuxphoneapps.org/categories/note-taking/>
     - Folio is nice, uses standard markdown, though it only supports flat repos
   - OSK overlay specifically for mobile gaming
@@ -152,6 +137,7 @@
 - SwayNC/nwg-panel: add option to change audio output
 - Newsflash: sync OPML on start, same way i do with gpodder
 - better podcasting client?
+- hardware upgrade (OnePlus)?
 
 #### non-moby
 - RSS: integrate a paywall bypass
@@ -160,13 +146,14 @@
   - and strip the ads out using Whisper transcription + asking a LLM where the ad breaks are
 - neovim: integrate ollama
 - neovim: better docsets (e.g. c++, glib)
-- firefox/librewolf: persist history
+- firefox: persist history
   - just not cookies or tabs
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
   - maybe just color these "keywords" in all search results?
 - transmission: apply `sane-tag-media` path fix in `torrent-done` script
   - many .mkv files do appear to be tagged: i'd just need to add support in my own tooling
+  - more aggressively cleanup non-media files after DL (ripper logos, info txts)
 - uninsane.org: make URLs relative to allow local use (and as offline homepage)
 - email: fix so that local mail doesn't go to junk
   - git sendmail flow adds the DKIM signatures, but gets delivered locally w/o having the sig checked, so goes into Junk

hosts/by-name/desko/default.nix

@@ -4,7 +4,6 @@
     ./fs.nix
   ];
 
-  sane.services.hickory-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable hickory-dns
   # sane.programs.devPkgs.enableFor.user.colin = true;
   # sane.guest.enable = true;
 
@@ -52,20 +51,6 @@
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
 
-  hardware.amdgpu.opencl.enable = true;  # desktop (AMD's opencl implementation AKA "ROCM"); probably required for ollama
-
-  # TODO: enable snapper (need to make `/nix` or `/nix/persist` a subvolume, somehow).
-  # default config: https://man.archlinux.org/man/snapper-configs.5
-  # defaults to something like:
-  #   - hourly snapshots
-  #   - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
-  # to list snapshots: `sudo snapper --config nix list`
-  # to take a snapshot: `sudo snapper --config nix create`
-  # services.snapper.configs.nix = {
-  #   # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
-  #   # but that also requires setting up the persist dir as a subvol
-  #   SUBVOLUME = "/nix";
-  #   # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
-  #   ALLOW_USERS = [ "colin" ];
-  # };
+  # TODO(2025-01-01): re-enable once rocm build is fixed: <https://github.com/NixOS/nixpkgs/pull/367695>
+  # hardware.amdgpu.opencl.enable = true;  # desktop (AMD's opencl implementation AKA "ROCM"); probably required for ollama
 }

hosts/by-name/servo/default.nix

@@ -5,6 +5,7 @@
     ./fs.nix
     ./net
     ./services
+    ./users
   ];
 
   # for administering services

hosts/by-name/servo/services/default.nix

@@ -26,7 +26,7 @@
     ./ntfy
     ./pict-rs.nix
     ./pleroma.nix
-    ./postgres.nix
+    ./postgresql
     ./prosody
     ./slskd.nix
     ./transmission

hosts/by-name/servo/services/gitea.nix

@@ -113,6 +113,11 @@
     ReadWritePaths = [
       "/var/lib/postfix/queue/maildrop"
     ];
+    # rate limit the restarts to prevent systemd from disabling it
+    RestartSec = 5;
+    RestartMaxDelaySec = 30;
+    StartLimitBurst = 120;
+    RestartSteps = 5;
   };
 
   # services.openssh.settings.UsePAM = true;  #< required for `git` user to authenticate

hosts/by-name/servo/services/kiwix-serve.nix

@@ -3,8 +3,23 @@
   sane.services.kiwix-serve = {
     enable = true;
     port = 8013;
-    zimPaths = [
-      "${pkgs.zimPackages.wikipedia_en_all_maxi}/share/zim/wikipedia_en_all_maxi.zim"
+    zimPaths = with pkgs.zimPackages; [
+      alpinelinux_en_all_maxi.zimPath
+      archlinux_en_all_maxi.zimPath
+      bitcoin_en_all_maxi.zimPath
+      devdocs_en_nix.zimPath
+      gentoo_en_all_maxi.zimPath
+      # khanacademy_en_all.zimPath  #< TODO: enable
+      openstreetmap-wiki_en_all_maxi.zimPath
+      psychonautwiki_en_all_maxi.zimPath
+      rationalwiki_en_all_maxi.zimPath
+      # wikipedia_en_100.zimPath
+      wikipedia_en_all_maxi.zimPath
+      # wikipedia_en_all_mini.zimPath
+      zimgit-food-preparation_en.zimPath
+      zimgit-medicine_en.zimPath
+      zimgit-post-disaster_en.zimPath
+      zimgit-water_en.zimPath
     ];
   };
 

hosts/by-name/servo/services/matrix/default.nix

@@ -70,6 +70,12 @@ in
     config.sops.secrets."matrix_synapse_secrets.yaml".path
   ];
 
+  # tune restart settings to ensure systemd doesn't disable it, and we don't overwhelm postgres
+  systemd.services.matrix-synapse.serviceConfig.RestartSec = 5;
+  systemd.services.matrix-synapse.serviceConfig.RestartMaxDelaySec = 20;
+  systemd.services.matrix-synapse.serviceConfig.StartLimitBurst = 120;
+  systemd.services.matrix-synapse.serviceConfig.RestartSteps = 3;
+
   systemd.services.matrix-synapse.postStart = lib.optionalString ntfy ''
     ACCESS_TOKEN=$(${lib.getExe' pkgs.coreutils "cat"} ${config.sops.secrets.matrix_access_token.path})
     TOPIC=$(${lib.getExe' pkgs.coreutils "cat"} ${config.sops.secrets.ntfy-sh-topic.path})

hosts/by-name/servo/services/matrix/irc.nix

@@ -154,6 +154,7 @@ in
           # notable channels:
           # - #sxmo
           # - #sxmo-offtopic
+          # supposedly also available at <irc://37lnq2veifl4kar7.onion:6667/> (unofficial)
         };
         "irc.rizon.net" = ircServer { name = "Rizon"; };
         # "irc.sdf.org" = ircServer {

hosts/by-name/servo/services/postgresql/default.nix

@@ -35,7 +35,6 @@ in
   services.postgresql.package = pkgs.postgresql_16;
 
 
-
   # XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
   # services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
   #   CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '<password goes here>';
@@ -46,10 +45,10 @@ in
   #     LC_CTYPE = "C";
   # '';
 
-  # perf tuning
-  # - for recommended values see: <https://pgtune.leopard.in.ua/>
-  # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
   services.postgresql.settings = {
+    # perf tuning
+    # - for recommended values see: <https://pgtune.leopard.in.ua/>
+    # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
     # DB Version: 16
     # OS Type: linux
     # DB Type: web
@@ -73,8 +72,19 @@ in
     max_parallel_workers_per_gather = 4;
     max_parallel_workers = 12;
     max_parallel_maintenance_workers = 4;
+
+    # DEBUG OPTIONS:
+    log_min_messages = "DEBUG1";
   };
 
+  # regulate the restarts, so that systemd never disables it
+  systemd.services.postgresql.serviceConfig.Restart = "on-failure";
+  systemd.services.postgresql.serviceConfig.RestartSec = 2;
+  systemd.services.postgresql.serviceConfig.RestartMaxDelaySec = 10;
+  systemd.services.postgresql.serviceConfig.RestartSteps = 4;
+  systemd.services.postgresql.serviceConfig.StartLimitBurst = 120;
+  # systemd.services.postgresql.serviceConfig.TimeoutStartSec = "14400s";  #< 14400 = 4 hours; recoveries are long
+
   # daily backups to /var/backup
   services.postgresqlBackup.enable = true;
 

hosts/by-name/servo/services/postgresql/recollate.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+# source: <https://gist.githubusercontent.com/troykelly/616df024050dd50744dde4a9579e152e/raw/fe84e53cedf0caa6903604894454629a15867439/reindex_and_refresh_collation.sh>
+#
+# run this whenever postgres complains like:
+# > WARNING:  database "gitea" has a collation version mismatch
+# > DETAIL:  The database was created using collation version 2.39, but the operating system provides version 2.40.
+# > HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE gitea REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
+#
+# this script checks which databases are in need of a collation update,
+# and re-collates them as appropriate.
+# invoking this script should have low perf impact in the non-upgrade case,
+# so safe to do this as a cron job.
+#
+# invoke as postgres user
+
+log_info() {
+  >&2 echo "$@"
+}
+
+list_databases() {
+  log_info "Retrieving list of databases from the PostgreSQL server..."
+  psql --dbname="postgres" -Atc \
+    "SELECT datname FROM pg_database WHERE datistemplate = false"
+}
+
+refresh_collation_version() {
+  local db=$1
+  log_info "Refreshing collation version for database: $db..."
+  psql --dbname="$db" -c \
+    "ALTER DATABASE \"$db\" REFRESH COLLATION VERSION;"
+}
+
+check_collation_mismatches() {
+  local error=
+  log_info "Checking for collation mismatches in all databases..."
+  # Loop through each database and check for mismatching collations in table columns.
+  while IFS= read -r db; do
+    if [ -n "$db" ]; then
+      log_info "Checking database: $db for collation mismatches..."
+      local mismatches=$(psql --dbname="$db" -Atc \
+        "SELECT 'Mismatch in table ' || table_name || ' column ' || column_name || ' with collation ' || collation_name
+         FROM information_schema.columns
+         WHERE collation_name IS NOT NULL AND collation_name <> 'default' AND table_schema = 'public'
+         EXCEPT
+         SELECT 'No mismatch - default collation of ' || datcollate || ' used.'
+         FROM pg_database WHERE datname = '$db';"
+      )
+      if [ -z "$mismatches" ]; then
+        log_info "No collation mismatches found in database: $db"
+      else
+        # Print an informational message to stderr.
+        log_info "Collation mismatches found in database: $db:"
+        log_info "$mismatches"
+        error=1
+      fi
+    fi
+  done
+
+  if [ -n "$error" ]; then
+    exit 1
+  fi
+}
+
+log_info "Starting the reindexing and collation refresh process for all databases..."
+
+databases=$(list_databases)
+
+if [ -z "$databases" ]; then
+  log_info "No databases found for reindexing or collation refresh. Please check connection details to PostgreSQL server."
+  exit 1
+fi
+
+for db in $databases; do
+  refresh_collation_version "$db"
+done
+
+# Checking for collation mismatches after reindexing and collation refresh.
+# Pass the list of databases to the check_collation_mismatches function through stdin.
+echo "$databases" | check_collation_mismatches
+
+log_info "Reindexing and collation refresh process completed."

hosts/by-name/servo/users/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./shelvacu.nix
+  ];
+}

hosts/by-name/servo/users/shelvacu.nix

@@ -0,0 +1,65 @@
+{ lib, pkgs, ... }:
+{
+  users.users.shelvacu = {
+    isNormalUser = true;
+    home = "/home/shelvacu";
+    subUidRanges = [
+      { startUid=300000; count=1; }
+    ];
+    group = "users";
+    initialPassword = lib.mkDefault "";
+    shell = pkgs.bash;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug compute-deck"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I compute-deck-root"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C fw"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m fw-root"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOre0FnYDm3arsFj9c/l5H2Q8mdmv7kmvq683pL4heru legtop"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC pixel9pro-nod"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX pro1x-nod"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJNFbzt0NHVTaptBI38YtwLG+AsmeNYy0Nr5yX2zZEPE root@vacuInstaller toptop-root"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g triple-dezert"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8 triple-dezert-root"
+    ];
+  };
+
+  security.sudo.extraRules = [
+    {
+      users = [ "shelvacu" ];
+      runAs = "postgres";
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+
+  security.polkit.extraConfig = ''
+    // allow:
+    // - systemctl restart|start|stop SERVICE
+    polkit.addRule(function(action, subject) {
+      if (subject.user == "shelvacu" && action.id == "org.freedesktop.systemd1.manage-units") {
+        switch (action.lookup("verb")) {
+          // case "cancel":
+          // case "reenable":
+          case "restart":
+          // case "reload":
+          // case "reload-or-restart":
+          case "start":
+          case "stop":
+          // case "try-reload-or-restart":
+          // case "try-restart":
+            return polkit.Result.YES;
+          default:
+        }
+      }
+    })
+  '';
+
+  sane.persist.sys.byStore.private = [
+    { path = "/home/shelvacu/persist"; user = "shelvacu"; group = "users"; mode = "0700"; }
+  ];
+}

hosts/common/default.nix

@@ -14,6 +14,7 @@
     ./programs
     ./quirks.nix
     ./secrets.nix
+    ./snapper.nix
     ./ssh.nix
     ./systemd.nix
     ./users

hosts/common/feeds.nix

@@ -1,6 +1,8 @@
 # where to find good stuff?
 # - universal search/directory: <https://podcastindex.org>
 #   - the full database is downloadable
+# - find adjacent podcasts: <https://rephonic.com/graph>
+# - charts: <https://rephonic.com/charts/apple/united-states/technology>
 # - list of lists: <https://en.wikipedia.org/wiki/Category:Lists_of_podcasts>
 # - podcasts w/ a community: <https://lemmyverse.net/communities?query=podcast>
 # - podcast recs:
@@ -60,7 +62,7 @@ let
   podcasts = [
     (fromDb "404media.co/the-404-media-podcast" // tech)
     (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)  # ACQ2 - more "Acquired" episodes
-    (fromDb "allinchamathjason.libsyn.com" // pol)
+    (fromDb "adventofcomputing.com" // tech)  # computing history
     (fromDb "api.oyez.org/podcasts/oral-arguments/2015" // pol)  # Supreme Court Oral Arguments ("2015" in URL means nothing -- it's still updated)
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)  # Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/2da69154/podcast/rss" // tech)  # POD OF JAKE -- https://podofjake.com/
@@ -75,13 +77,16 @@ let
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
     (fromDb "feeds.feedburner.com/dancarlin/history" // rat)
     (fromDb "feeds.feedburner.com/radiolab" // pol)  # Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
+    (fromDb "feeds.megaphone.fm/CHTAL4990341033" // pol)  # ChinaTalk: https://www.chinatalk.media/podcast
     (fromDb "feeds.megaphone.fm/GLT1412515089" // pol)  # JRE: Joe Rogan Experience
     (fromDb "feeds.megaphone.fm/behindthebastards" // pol)  # also Maggie Killjoy
     (fromDb "feeds.megaphone.fm/cspantheweekly" // pol)
+    (fromDb "feeds.megaphone.fm/econ102")  # Noah Smith + Erik Torenberg <https://www.podpage.com/econ102/>
+    (fromDb "feeds.megaphone.fm/history102")  # <https://www.podpage.com/history-102-with-whatifalthist/>
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)  # The Verge - Decoder
+    (fromDb "feeds.megaphone.fm/thiswontlast" // tech)  # <https://www.podpage.com/thiswontlast/>
     (fromDb "feeds.megaphone.fm/unexplainable")
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)  # Econ Talk
-    (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
     (fromDb "feeds.simplecast.com/whlwDbyc" // tech)  # Tech Lounge: <https://chrischinchilla.com/podcast/techlounge/>
     (fromDb "feeds.transistor.fm/acquired" // tech)
     (fromDb "feeds.transistor.fm/complex-systems-with-patrick-mckenzie-patio11" // tech)  # Patrick Mackenzie (from Bits About Money)
@@ -89,7 +94,6 @@ let
     (fromDb "fulltimenix.com" // tech)
     (fromDb "futureofcoding.org/episodes" // tech)
     (fromDb "hackerpublicradio.org" // tech)
-    (fromDb "lastweekinai.com" // tech)
     (fromDb "lexfridman.com/podcast" // rat)
     (fromDb "linktr.ee/betteroffline" // pol)
     (fromDb "linuxdevtime.com" // tech)
@@ -104,36 +108,42 @@ let
     (fromDb "originstories.libsyn.com" // uncat)
     (fromDb "politicspoliticspolitics.com" // pol)  # don't judge me. Justin Robert Young.
     (fromDb "podcast.ergaster.org/@flintandsilicon" // tech)  # Thib's podcast: public interest tech, gnome, etc: <https://fed.uninsane.org/users/$ALLO9MZ5g5CsQTCBH6>
-    (fromDb "podcast.sustainoss.org" // tech)
     (fromDb "politicalorphanage.libsyn.com" // pol)
     (fromDb "reverseengineering.libsyn.com/rss" // tech)  # UnNamed Reverse Engineering Podcast
-    (fromDb "rss.acast.com/ft-tech-tonic" // tech)
-    (fromDb "rss.art19.com/60-minutes" // pol)
+    (fromDb "rss.acast.com/ft-tech-tonic" // tech)  # Financial Time's: Tech Tonic
     (fromDb "rss.art19.com/the-portal" // rat)  # Eric Weinstein
-    (fromDb "seattlenice.buzzsprout.com" // pol)
+    (fromDb "seattlenice.buzzsprout.com" // pol)  # Seattle Nice
+    (fromDb "speedboatdope.com" // pol)  # Chapo Trap House (premium feed)
     (fromDb "srslywrong.com" // pol)
     (fromDb "sharkbytes.transistor.fm" // tech)  # Wireshark Podcast o_0
-    (fromDb "sharptech.fm/feed/podcast" // tech)
-    (fromDb "sscpodcast.libsyn.com" // rat)  # Astral Codex Ten
+    (fromDb "sharptech.fm/feed/podcast" // tech)  # Ben Thompson
+    (fromDb "sscpodcast.libsyn.com" // rat)  # Astral Codex Ten; Scott Alexander
     (fromDb "talesfromthebridge.buzzsprout.com" // tech)  # Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
     (fromDb "techtalesshow.com" // tech)  # Corbin Davenport
     (fromDb "techwontsave.us" // pol)  # rec by Cory Doctorow
-    (fromDb "theamphour.com" // tech)
+    (fromDb "theamphour.com" // tech)  # The Amp Hour
+    (fromDb "the-ben-marc-show.simplecast.com" // tech // pol)  # Ben Horowitz + Marc Andreessen; love to hate em
     (fromDb "timclicks.dev/compose-podcast" // tech)  # Rust-heavy dev interviews
-    (fromDb "werenotwrong.fireside.fm" // pol)
+    (fromDb "werenotwrong.fireside.fm" // pol)  # We're Not Wrong
+    (fromDb "whycast.podcast.audio/@whycast" // tech)  # What Hackers Yearn [for]: <https://why2025.org/>
     (mkPod "https://sfconservancy.org/casts/the-corresponding-source/feeds/ogg/" // tech)
 
+    # (fromDb "allinchamathjason.libsyn.com" // pol)
     # (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)  # Matrix (chat) Live
     # (fromDb "feeds.libsyn.com/421877" // rat)  # Less Wrong Curated
     # (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)  # Daniel Huberman on sleep
     # (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
     # (fromDb "feeds.simplecast.com/82FI35Px" // pol)  # Ezra Klein Show
     # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
+    # (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
+    # (fromDb "lastweekinai.com" // tech)  # Last Week in AI
     # (fromDb "mintcast.org" // tech)
     # (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
+    # (fromDb "podcast.sustainoss.org" // tech)  # "Sustainable tech", only... it somehow manages to avoid any tech which is actually sustainable, and most of the time doesn't even talk about Open Source Software (!). normie/surface-level/"feel good"
     # (fromDb "podcast.thelinuxexp.com" // tech)  # low-brow linux/foss PR announcements
     # (fromDb "rss.acast.com/deconstructed")  # The Intercept - Deconstructed
     # (fromDb "rss.acast.com/intercepted-with-jeremy-scahill")  # The Intercept - Intercepted
+    # (fromDb "rss.art19.com/60-minutes" // pol)
     # (fromDb "rss.art19.com/your-welcome" // pol)  # Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
     # (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)  #< possible URL rot

hosts/common/ids.nix

@@ -66,6 +66,7 @@
   sane.ids.plugdev.gid = 2421;
   sane.ids.ollama.uid = 2422;
   sane.ids.ollama.gid = 2422;
+  sane.ids.shelvacu.uid = 5431;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net/dns/bind.nix

@@ -1,15 +1,108 @@
-{ lib, ... }:
+# debugging:
+# - `man named`
+# - `man named.conf`
+# - `systemctl stop bind`
+# - `sudo /nix/store/0zpdy93sd3fgbxgvf8dsxhn8fbbya8d2-bind-9.18.28/sbin/named -g -u named -4 -c /nix/store/f1mp0myzmfms71h9vinwxpn2i9362a9a-named.conf`
+#   - `-g` = don't fork
+#   - `-u named` = start as superuser (to claim port 53), then drop to user `named`
+{ config, lib, pkgs, ... }:
+let
+  hostCfg = config.sane.hosts.by-name."${config.networking.hostName}";
+  bindCfg = config.services.bind;
+in
 {
-  services.bind.enable = lib.mkDefault true;
-  services.bind.forwarders = [];  #< don't forward queries to upstream resolvers
-  services.bind.cacheNetworks = [
-    "127.0.0.0/24"
-    "::1/128"
-    "10.0.0.0/16"
-  ];
-  services.bind.extraOptions = ''
-    port 953;
-  '';
+  config = lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
+    services.resolved.enable = lib.mkForce false;
 
-  networking.resolvconf.useLocalResolver = false;  #< undo bind making this default true
+    networking.nameservers = [
+      # be compatible with systemd-resolved
+      # "127.0.0.53"
+      # or don't be compatible with systemd-resolved, but with libc and pasta instead
+      #   see <pkgs/by-name/sane-scripts/src/sane-vpn>
+      "127.0.0.1"
+      # enable IPv6, or don't; unbound is spammy when IPv6 is enabled but unroutable
+      # "::1"
+    ];
+
+    networking.resolvconf.extraConfig = ''
+      # DNS serviced by `BIND` recursive resolver
+      name_servers='127.0.0.1'
+    '';
+
+    services.bind.enable = lib.mkDefault true;
+    services.bind.forwarders = [];  #< don't forward queries to upstream resolvers
+    services.bind.cacheNetworks = [
+      "127.0.0.0/24"
+      "::1/128"
+      "10.0.10.0/24"  #< wireguard clients (servo)
+    ];
+    services.bind.listenOn = [
+      "127.0.0.1"
+    ] ++ lib.optionals (hostCfg.wg-home.ip != null) [
+      # allow wireguard clients to use us as a recursive resolver (only needed for servo)
+      hostCfg.wg-home.ip
+    ];
+    services.bind.listenOnIpv6 = [
+      # "::1"
+    ];
+
+    services.bind.ipv4Only = true;  # unbound is spammy when it tries IPv6 without a routable address
+
+    # when testing, deploy on a port other than 53
+    # services.bind.extraOptions = ''
+    #   listen-on port 953 { any; };
+    # '';
+
+    networking.resolvconf.useLocalResolver = false;  #< we manage resolvconf explicitly, above
+
+    # TODO: how to exempt `pool.ntp.org` from DNSSEC checks, as i did when using unbound?
+
+    # allow runtime insertion of zones or other config changes:
+    # add your supplemental config as a toplevel file in /run/named/dhcp-configs/, then `systemctl restart bind`
+    services.bind.extraConfig = ''
+      include "/run/named/dhcp-configs.conf";
+    '';
+    services.bind.extraOptions = ''
+      // we can't guarantee that all forwarders support DNSSEC,
+      // and as of 2025-01-30 BIND9 gives no way to disable DNSSEC per-forwarder/zone,
+      // so just disable it globally
+      dnssec-validation no;
+    '';
+    # re-implement the nixos default bind config, but without `options { forwarders { }; };`,
+    # as having an empty `forwarders` at the top-level prevents me from forwarding the `.` zone in a separate statement
+    # (which i want to do to allow sane-vpn to forward all DNS).
+    services.bind.configFile = pkgs.writeText "named.conf" ''
+      include "/etc/bind/rndc.key";
+      controls {
+        inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
+      };
+
+      acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.cacheNetworks} };
+      acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.blockedNetworks} };
+
+      options {
+        listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.listenOn} };
+        listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.listenOnIpv6} };
+        allow-query-cache { cachenetworks; };
+        blackhole { badnetworks; };
+        //v disable top-level forwards, so that i can do forwarding more generically in `zone FOO { ... }` directives.
+        // forward ${bindCfg.forward};
+        // forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.forwarders} };
+        directory "${bindCfg.directory}";
+        pid-file "/run/named/named.pid";
+        ${bindCfg.extraOptions}
+      };
+
+      ${bindCfg.extraConfig}
+    '';
+
+    systemd.services.bind.serviceConfig.ExecStartPre = pkgs.writeShellScript "named-generate-config" ''
+      mkdir -p /run/named/dhcp-configs
+      chmod g+w /run/named/dhcp-configs
+      echo "// FILE GENERATED BY bind.service's ExecStartPre: CHANGES TO THIS FILE WILL BE OVERWRITTEN" > /run/named/dhcp-configs.conf
+      for c in $(ls /run/named/dhcp-configs/); do
+        cat "/run/named/dhcp-configs/$c" >> /run/named/dhcp-configs.conf
+      done
+    '';
+  };
 }

hosts/common/net/dns/unbound.nix

@@ -1,7 +1,9 @@
 # `man unbound.conf` for info on settings
 # it's REALLY EASY to combine settings in a way that produce bad effects.
 # generally, prefer to stay close to defaults unless there's a compelling reason to differ.
-{ config, lib, pkgs, ... }: {
+{ config, lib, ... }:
+lib.optionalAttrs false  #< XXX(2024-12-29): unbound caches failed DNS resolutions, just randomly breaks connectivity daily
+{
   config = lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
     services.resolved.enable = lib.mkForce false;
 

hosts/common/polyunfill.nix

@@ -106,6 +106,7 @@ in
       conveniencePackages = [
         config.boot.kernelPackages.cpupower  # <repo:nixos/nixpkgs:nixos/modules/tasks/cpu-freq.nix> places it on PATH for convenience if powerManagement.cpuFreqGovernor is set
         pkgs.kbd  # <repo:nixos/nixpkgs:nixos/modules/config/console.nix>  places it on PATH as part of console/virtual TTYs, but probably not needed unless you want to set console fonts
+        pkgs.nixos-firewall-tool  # <repo:nixos/nixpkgs:nixos/modules/services/networking/firewall.nix>  for end-user management of the firewall? cool but doesn't cross-compile
       ];
     in lib.filter (p: ! builtins.elem p (requiredPackages ++ conveniencePackages));
   };

hosts/common/programs/assorted.nix

@@ -48,6 +48,7 @@ in
       "dtc"  # device tree [de]compiler
       "e2fsprogs"  # resize2fs
       "efibootmgr"
+      "erdtree"  # like normal `tree` but colorful & prints sizes
       "errno"
       "ethtool"
       "evtest"
@@ -88,9 +89,11 @@ in
       "netcat"
       "nethogs"
       "nix"
+      "nix-tree"
       "nmap"
       "nmcli"
       "nmon"
+      "nvimpager"
       "nvme-cli"  # nvme
       # "openssl"
       "parted"
@@ -174,7 +177,7 @@ in
       "sane-secrets-unlock"
       "sane-sysload"
       "sc-im"
-      # "snapper"
+      "snapper"
       "sops"  # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
       "speedtest-cli"
       # "ssh-to-age"
@@ -451,18 +454,9 @@ in
 
     blanket.buildCost = 1;
     blanket.sandbox.whitelistAudio = true;
-    # blanket.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
+    # blanket.sandbox.whitelistDbus.user = true;  #< TODO: reduce  # TODO: untested
     blanket.sandbox.whitelistWayland = true;
 
-    blueberry.sandbox.wrapperType = "inplace";  #< it places binaries in /lib and then /etc/xdg/autostart files refer to the /lib paths, and fail to be patched
-    blueberry.sandbox.whitelistWayland = true;
-    blueberry.sandbox.extraPaths = [
-      "/dev/rfkill"
-      "/run/dbus"
-      "/sys/class/rfkill"
-      "/sys/devices"
-    ];
-
     bridge-utils.sandbox.net = "all";
 
     "cacert.unbundled".sandbox.enable = false;  #< data only
@@ -501,7 +495,7 @@ in
 
     delfin.buildCost = 1;
     delfin.sandbox.whitelistAudio = true;
-    delfin.sandbox.whitelistDbus = [ "user" ];  # else `mpris` plugin crashes the player
+    delfin.sandbox.whitelistDbus.user = true;  #< TODO: reduce  # else `mpris` plugin crashes the player
     delfin.sandbox.whitelistDri = true;
     delfin.sandbox.whitelistWayland = true;
     delfin.sandbox.net = "clearnet";
@@ -530,10 +524,10 @@ in
 
     endless-sky.buildCost = 1;
     endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
+    endless-sky.sandbox.mesaCacheDir = ".cache/endless-sky/mesa";
     endless-sky.sandbox.whitelistAudio = true;
     endless-sky.sandbox.whitelistDri = true;
     endless-sky.sandbox.whitelistWayland = true;
-    # endless-sky.sandbox.whitelistX = true;
     endless-sky.packageUnwrapped = pkgs.endless-sky.overrideAttrs (base: {
       nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
         pkgs.makeWrapper
@@ -548,6 +542,10 @@ in
     # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
     emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
 
+    erdtree.sandbox.tryKeepUsers = true;  #< to keep user/group info when running as root
+    erdtree.sandbox.autodetectCliPaths = "existingDir";
+    erdtree.sandbox.whitelistPwd = true;
+
     ethtool.sandbox.capabilities = [ "net_admin" ];
     ethtool.sandbox.net = "all";
     ethtool.sandbox.tryKeepUsers = true;
@@ -563,11 +561,12 @@ in
     eza.sandbox.tryKeepUsers = true;  #< to keep user/group info when running as root
     eza.sandbox.autodetectCliPaths = "existing";
     eza.sandbox.whitelistPwd = true;
-    eza.sandbox.extraHomePaths = [
-      # so that e.g. `eza -l ~` can show which symlink exist
-      ".persist/ephemeral"
-      ".persist/plaintext"
-    ];
+    # eza.sandbox.extraHomePaths = [
+    #   # so that e.g. `eza -l ~` can show which symlink exist
+    #   # hol' up: this is almost like just un-sandboxing it
+    #   ".persist/ephemeral"
+    #   ".persist/plaintext"
+    # ];
 
     fatresize.sandbox.autodetectCliPaths = "parent";  # /dev/sda1 -> needs /dev/sda
     fatresize.sandbox.tryKeepUsers = true;
@@ -595,6 +594,7 @@ in
     # ];
 
     font-manager.buildCost = 1;
+    font-manager.sandbox.mesaCacheDir = ".cache/font-manager/mesa";
     font-manager.sandbox.whitelistWayland = true;
     font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
       # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
@@ -645,12 +645,14 @@ in
     gitea = {};
 
     gnome-calculator.buildCost = 1;
+    gnome-calculator.sandbox.mesaCacheDir = ".cache/gnome-calculator/mesa";  # TODO: is this the correct app-id?
     gnome-calculator.sandbox.whitelistWayland = true;
 
     gnome-calendar.buildCost = 2;  # depends on webkitgtk_6_0 via evolution-data-server
+    gnome-calendar.sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa";  # TODO: is this the correct app-id?
     # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
     gnome-calendar.sandbox.whitelistWayland = true;
-    gnome-calendar.sandbox.whitelistDbus = [ "user" ];
+    gnome-calendar.sandbox.whitelistDbus.user = true;  #< TODO: reduce
     gnome-calendar.suggestedPrograms = [
       "evolution-data-server"  #< to access/persist calendar events
     ];
@@ -658,7 +660,7 @@ in
     # gnome-disks
     # XXX(2024-09-02): fails to show any disks even when run as `BUNPEN_DISABLE=1 sudo -E gnome-disks`.
     gnome-disk-utility.buildCost = 1;
-    gnome-disk-utility.sandbox.whitelistDbus = [ "system" ];
+    gnome-disk-utility.sandbox.whitelistDbus.system = true;
     gnome-disk-utility.sandbox.whitelistWayland = true;
     gnome-disk-utility.sandbox.extraHomePaths = [
       "tmp"
@@ -691,34 +693,14 @@ in
     # seahorse: dump gnome-keyring secrets.
     seahorse.buildCost = 1;
     # N.B. it can lso manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
-    seahorse.sandbox.whitelistDbus = [ "user" ];
+    seahorse.sandbox.whitelistDbus.user = true;  #< TODO: reduce
     seahorse.sandbox.whitelistWayland = true;
 
     gnome-2048.buildCost = 1;
     gnome-2048.sandbox.whitelistWayland = true;
+    gnome-2048.sandbox.mesaCacheDir = ".cache/gnome-2048/mesa";
     gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 
-    gnome-frog.buildCost = 1;
-    gnome-frog.sandbox.whitelistWayland = true;
-    gnome-frog.sandbox.whitelistDbus = [ "user" ];
-    gnome-frog.sandbox.extraPaths = [
-      # needed when processing screenshots
-      "/tmp"
-    ];
-    gnome-frog.sandbox.extraHomePaths = [
-      # for OCR'ing photos from disk
-      "tmp"
-      "Pictures/albums"
-      "Pictures/cat"
-      "Pictures/from"
-      "Pictures/Photos"
-      "Pictures/Screenshots"
-      "Pictures/servo-macros"
-    ];
-    gnome-frog.persist.byStore.ephemeral = [
-      ".local/share/tessdata"  # 15M; dunno what all it is.
-    ];
-
     gnugrep.sandbox.autodetectCliPaths = "existing";
     gnugrep.sandbox.whitelistPwd = true;
     gnugrep.sandbox.extraHomePaths = [
@@ -740,7 +722,6 @@ in
     # N.B.: if the user doesn't specify an output path, `grim` will output to ~/Pictures (which isn't included in this sandbox)
     grim.sandbox.autodetectCliPaths = "existingOrParent";
     grim.sandbox.whitelistWayland = true;
-    grim.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
 
     hase.buildCost = 1;
     hase.sandbox.net = "clearnet";
@@ -816,7 +797,7 @@ in
       "/sys/devices"
     ];
 
-    libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
+    libnotify.sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notify-send
 
     lightning-cli.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.clightning "lightning-cli";
     lightning-cli.sandbox.extraHomePaths = [
@@ -838,6 +819,7 @@ in
     losslesscut-bin.sandbox.whitelistDri = true;
     losslesscut-bin.sandbox.whitelistWayland = true;
     # losslesscut-bin.sandbox.whitelistX = true;
+    losslesscut-bin.sandbox.mesaCacheDir = ".cache/losslesscut/mesa";  # TODO: is this the correct app-id?
     losslesscut-bin.packageUnwrapped = pkgs.losslesscut-bin.overrideAttrs (base: {
       extraMakeWrapperArgs = (base.extraMakeWrapperArgs or []) ++ [
         "--append-flags '--ozone-platform-hint=auto --ozone-platform=wayland --enable-features=WaylandWindowDecorations'"
@@ -901,13 +883,17 @@ in
     nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
 
     networkmanagerapplet.sandbox.whitelistWayland = true;
-    networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
+    networkmanagerapplet.sandbox.whitelistDbus.system = true;
 
     nil.sandbox.whitelistPwd = true;
     nil.sandbox.keepPids = true;
 
     nixd.sandbox.whitelistPwd = true;
 
+    nix-tree.sandbox.extraPaths = [
+      "/nix/var"
+    ];
+
     nixfmt-rfc-style.sandbox.autodetectCliPaths = "existingDirOrParent";  #< it formats via rename
 
     nixpkgs-hammering.sandbox.whitelistPwd = true;
@@ -964,6 +950,7 @@ in
     pavucontrol.sandbox.whitelistAudio = true;
     pavucontrol.sandbox.whitelistDri = true;  #< to be a little more responsive
     pavucontrol.sandbox.whitelistWayland = true;
+    pavucontrol.sandbox.mesaCacheDir = ".cache/pavucontrol/mesa";
 
     pciutils.sandbox.extraPaths = [
       "/sys/bus/pci"
@@ -1005,14 +992,17 @@ in
     pwvucontrol.sandbox.whitelistAudio = true;
     pwvucontrol.sandbox.whitelistDri = true;  # else perf on moby is unusable
     pwvucontrol.sandbox.whitelistWayland = true;
+    pwvucontrol.sandbox.mesaCacheDir = ".cache/pwvucontrol/mesa";  # TODO: is this the correct app-id?
 
     pyright.sandbox.whitelistPwd = true;
 
     python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
       libgpiod
+      numpy
       psutil
       pykakasi
       requests
+      scipy
       unidecode
     ]);
     python3-repl.sandbox.net = "clearnet";
@@ -1028,6 +1018,7 @@ in
     rsync.sandbox.autodetectCliPaths = "existingOrParent";
     rsync.sandbox.tryKeepUsers = true;  # if running as root, keep the user namespace so that `-a` can set the correct owners, etc
 
+    rust-analyzer.buildCost = 2;
     rust-analyzer.sandbox.whitelistPwd = true;
     rust-analyzer.suggestedPrograms = [
       "cargo"
@@ -1042,7 +1033,7 @@ in
     sane-cast.sandbox.whitelistAudio = true;  #< for sblast audio casting
     sane-cast.suggestedPrograms = [ "go2tv" "sblast" ];
 
-    sane-color-picker.sandbox.whitelistDbus = [ "user" ];  #< required for eyedropper to work
+    sane-color-picker.sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< required for eyedropper to work
     sane-color-picker.sandbox.whitelistWayland = true;
     sane-color-picker.sandbox.keepPidsAndProc = true;  #< required by wl-clipboard
     sane-color-picker.suggestedPrograms = [
@@ -1050,6 +1041,7 @@ in
       "wl-clipboard"
       # "zenity"
     ];
+    sane-color-picker.sandbox.mesaCacheDir = ".cache/sane-color-picker/mesa";  # TODO: is this the correct app-id?
 
     sane-die-with-parent.sandbox.enable = false;  #< it's a launcher; can't sandbox
 
@@ -1072,6 +1064,7 @@ in
     shattered-pixel-dungeon.sandbox.whitelistAudio = true;
     shattered-pixel-dungeon.sandbox.whitelistDri = true;
     shattered-pixel-dungeon.sandbox.whitelistWayland = true;
+    shattered-pixel-dungeon.sandbox.mesaCacheDir = ".cache/.shatteredpixel/mesa";
 
     # printer/filament settings
     slic3r.buildCost = 1;
@@ -1081,7 +1074,9 @@ in
     slic3r.sandbox.autodetectCliPaths = "existingFileOrParent";  # slic3r <my-file>.stl -o <out>.gcode
 
     slurp.sandbox.whitelistWayland = true;
-    slurp.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
+
+    snapper.sandbox.tryKeepUsers = true;
+    snapper.sandbox.whitelistDbus.system = true;  #< all `snapper` does is speak to the daemon, via dbus
 
     # snapshot camera, based on libcamera
     # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
@@ -1100,6 +1095,7 @@ in
 
     space-cadet-pinball.buildCost = 1;
     space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
+    space-cadet-pinball.sandbox.mesaCacheDir = ".cache/SpaceCadetPinball/mesa";  # TODO: is this the correct app-id?
     space-cadet-pinball.sandbox.whitelistAudio = true;
     space-cadet-pinball.sandbox.whitelistDri = true;
     space-cadet-pinball.sandbox.whitelistWayland = true;
@@ -1131,6 +1127,7 @@ in
     superTux.sandbox.whitelistDri = true;
     superTux.sandbox.whitelistWayland = true;
     # superTux.sandbox.whitelistX = true;
+    superTux.sandbox.mesaCacheDir = ".cache/supertux2/mesa";  # TODO: is this the correct app-id?
     superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
     superTux.packageUnwrapped = pkgs.superTux.overrideAttrs (base: {
       nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
@@ -1165,6 +1162,7 @@ in
     tree.sandbox.tryKeepUsers = true;
     tree.sandbox.capabilities = [ "dac_read_search" ];
 
+    typescript-language-server.buildCost = 2;
     typescript-language-server.sandbox.whitelistPwd = true;
 
     tumiki-fighters.buildCost = 1;
@@ -1172,6 +1170,7 @@ in
     tumiki-fighters.sandbox.whitelistDri = true;  #< not strictly necessary, but triples CPU perf
     tumiki-fighters.sandbox.whitelistWayland = true;
     tumiki-fighters.sandbox.whitelistX = true;
+    tumiki-fighters.sandbox.mesaCacheDir = ".cache/tumiki-fighters/mesa";  # TODO: is this the correct app-id?
     tumiki-fighters.suggestedPrograms = [
       "xwayland"  #< XXX(2024-11-10): does not start without X(wayland), not even with SDL_VIDEDRIVER=wayland
     ];
@@ -1202,7 +1201,6 @@ in
     # `vulkaninfo`, `vkcube`
     vulkan-tools.sandbox.whitelistDri = true;
     vulkan-tools.sandbox.whitelistWayland = true;
-    vulkan-tools.sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
     vulkan-tools.sandbox.whitelistX = true;
     vulkan-tools.sandbox.extraPaths = [
       "/sys/dev/char"
@@ -1213,6 +1211,7 @@ in
     vvvvvv.sandbox.whitelistAudio = true;
     vvvvvv.sandbox.whitelistDri = true;  #< playable without, but burns noticably more CPU
     vvvvvv.sandbox.whitelistWayland = true;
+    vvvvvv.sandbox.mesaCacheDir = ".cache/VVVVVV/mesa";
     vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
 
     w3m.sandbox.net = "all";
@@ -1223,6 +1222,7 @@ in
 
     watch.sandbox.enable = false;  #< it executes the command it's given
 
+    wdisplays.sandbox.mesaCacheDir = ".cache/wdisplays/mesa";  # TODO: is this the correct app-id?
     wdisplays.sandbox.whitelistWayland = true;
 
     wget.sandbox.net = "all";
@@ -1243,16 +1243,15 @@ in
 
     wl-clipboard.sandbox.whitelistWayland = true;
     wl-clipboard.sandbox.keepPids = true;  #< this is needed, but not sure why?
-    wl-clipboard.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
 
     wtype = {};
     wtype.sandbox.whitelistWayland = true;
-    wtype.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
 
     xwayland.sandbox.wrapperType = "inplace";  #< consumers use it as a library (e.g. wlroots)
     xwayland.sandbox.whitelistWayland = true;  #< just assuming this is needed
     xwayland.sandbox.whitelistX = true;
     xwayland.sandbox.whitelistDri = true;  #< would assume this gives better gfx perf
+    xwayland.sandbox.mesaCacheDir = ".cache/xwayland/mesa";  # TODO: is this the correct app-id?
 
     xterm.sandbox.enable = false;  # need to be able to do everything
 

hosts/common/programs/avahi.nix

@@ -28,7 +28,7 @@ in
         pkgs.makeBinaryWrapper
       ];
     });
-    sandbox.whitelistDbus = [ "system" ];
+    sandbox.whitelistDbus.system = true;
     sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
     # sandbox.extraPaths = [ ];  #< may be missing some paths; only tried service discovery, not service advertisement.
   };

hosts/common/programs/bemenu.nix

@@ -88,9 +88,6 @@ in
 {
   sane.programs.bemenu = {
     sandbox.whitelistWayland = true;
-    sandbox.extraHomePaths = [
-      ".cache/fontconfig"  #< else it complains, and is *way* slower
-    ];
 
     packageUnwrapped = pkgs.bemenu.overrideAttrs (upstream: {
       nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [

hosts/common/programs/blueberry.nix

@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.blueberry;
+in
+{
+  sane.programs.blueberry = {
+    sandbox.wrapperType = "inplace";  #< it places binaries in /lib and then /etc/xdg/autostart files refer to the /lib paths, and fail to be patched
+    sandbox.whitelistWayland = true;
+    sandbox.extraPaths = [
+      "/dev/rfkill"
+      "/run/dbus"
+      "/sys/class/rfkill"
+      "/sys/devices"
+    ];
+    sandbox.keepPids = true;  #< not sure why, but it fails to launch GUI without this
+  };
+
+  # TODO: hardware.bluetooth puts like 100 binaries from `bluez` onto PATH;
+  # i can probably patch this so it's just `bluetoothd`.
+  # see: <repo:nixos/nixpkgs:nixos/modules/services/hardware/bluetooth.nix>
+  hardware.bluetooth = lib.mkIf cfg.enabled {
+    enable = true;
+  };
+}

hosts/common/programs/blueman.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  sane.programs.blueman = {
+    sandbox.method = null;  #< TODO: sandbox
+  };
+}

hosts/common/programs/brave.nix

@@ -22,6 +22,7 @@
     sandbox.extraPaths = [
       "/tmp"  # needed particularly if run from `sane-vpn do`
     ];
+    sandbox.mesaCacheDir = ".cache/BraveSoftware/mesa";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/brightnessctl.nix

@@ -9,7 +9,7 @@ in
       "/sys/class/leds"
       "/sys/devices"
     ];
-    # sandbox.whitelistDbus = [ "system" ];  #< only necessary if not granting udev perms
+    # sandbox.whitelistDbus.system = true;  #< only necessary if not granting udev perms
   };
 
   services.udev.extraRules = let

hosts/common/programs/btrfs-progs.nix

@@ -4,7 +4,8 @@ let
 in
 {
   sane.programs.btrfs-progs = {
-    sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`
+    # sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`
+    sandbox.autodetectCliPaths = "parent";  # e.g. `btrfs subvolume create ./my_subvol`
     sandbox.extraPaths = [
       "/dev/btrfs-control"
       #vvv required for `sudo btrfs filesystem show` with no args

hosts/common/programs/callaudiod.nix

@@ -14,7 +14,7 @@
     packageUnwrapped = pkgs.rmDbusServices pkgs.callaudiod;
 
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
 
     services.callaudiod = {
       description = "callaudiod: dbus service to switch audio profiles and mute microphone";

hosts/common/programs/calls.nix

@@ -102,9 +102,15 @@ in
       ];
     }));
 
+    sandbox.mesaCacheDir = ".cache/calls/mesa";
     sandbox.net = "vpn.wg-home";  #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # necessary for secrets, at the minimum
+    sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict to a subset of secrets
+    sandbox.whitelistDbus.user.call."org.mobian_project.CallAudio" = "*";
+    sandbox.whitelistDbus.user.call."org.sigxcpu.Feedback" = "*";
+    sandbox.whitelistDbus.user.call."org.gnome.evolution.dataserver.*" = "*";  #< TODO: reduce; only needs address book and maybe sources
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Calls" ];
+    sandbox.whitelistSendNotifications = true;  # for missed calls
     sandbox.whitelistWayland = true;
 
     persist.byStore.private = [

hosts/common/programs/captree.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
   sane.programs.captree = {
-    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "captree";
     sandbox.keepPidsAndProc = true;
   };
 }

hosts/common/programs/celeste64.nix

@@ -14,5 +14,6 @@
       # save data, controls map
       ".local/share/Celeste64"
     ];
+    sandbox.mesaCacheDir = ".cache/Celeste64/mesa";
   };
 }

hosts/common/programs/conky/default.nix

@@ -9,7 +9,6 @@
       # "/sys/devices/system"
     ];
     sandbox.whitelistWayland = true;
-    sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
 
     suggestedPrograms = [
       "sane-sysload"

hosts/common/programs/cozy.nix

@@ -16,7 +16,7 @@
     buildCost = 1;
 
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Books/Audiobooks"

hosts/common/programs/dconf.nix

@@ -30,7 +30,7 @@ in
 {
   sane.programs.dconf = {
     packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.dconf;
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     persist.byStore.private = [
       ".config/dconf"
     ];

hosts/common/programs/default.nix

@@ -13,6 +13,8 @@
     ./avahi.nix
     ./bemenu.nix
     ./bitcoin-cli.nix
+    ./blueberry.nix
+    ./blueman.nix
     ./bonsai.nix
     ./brave.nix
     ./brightnessctl.nix
@@ -75,6 +77,7 @@
     ./gnome-clocks.nix
     ./gnome-contacts.nix
     ./gnome-feeds.nix
+    ./gnome-frog.nix
     ./gnome-keyring
     ./gnome-maps.nix
     ./gnome-weather.nix
@@ -133,6 +136,7 @@
     ./nmcli.nix
     ./notejot.nix
     ./ntfy-sh.nix
+    ./nvimpager.nix
     ./nwg-panel
     ./objdump.nix
     ./obsidian.nix

hosts/common/programs/dialect.nix

@@ -16,5 +16,7 @@
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
     # gsettingsPersist = [ "app/drey/Dialect" ];
+
+    sandbox.mesaCacheDir = ".cache/dialect/mesa";  # TODO: is this the correct app-dir?
   };
 }

hosts/common/programs/dino.nix

@@ -58,14 +58,22 @@ in
       webrtc-audio-processing = null;
     };
 
-    suggestedPrograms = [
-      "gnome-keyring"
-    ];
+    # suggestedPrograms = [
+    #   "gnome-keyring"
+    # ];
 
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    # sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< apparently not needed?
+    sandbox.whitelistDbus.user.own = [ "im.dino.Dino" ];
     sandbox.whitelistDri = true;  #< not strictly necessary, but we need all the perf we can get on moby
+    sandbox.whitelistSendNotifications = true;
+    sandbox.whitelistPortal = [
+      # "FileChooser"
+      # "NetworkMonitor"  #< stderr message if omitted, but non-fatal
+      "OpenURI"
+      "ProxyResolver"  #< REQUIRED, else all peers will appear offline & messages can't be sent/received
+    ];
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"
@@ -84,6 +92,7 @@ in
     #   ".cache/gstreamer-1.0"  # 1.3 MB  #< TODO: place the gst cache in ~/.cache/dino/gstreamer-1.0
     # ];
     persist.byStore.private = [ ".local/share/dino" ];
+    sandbox.mesaCacheDir = ".cache/dino/mesa";
 
     services.dino = {
       description = "dino XMPP client";

hosts/common/programs/discord.nix

@@ -6,11 +6,16 @@
       installPhase = lib.replaceStrings [ "NIXOS_OZONE_WL" ] [ "WAYLAND_DISPLAY" ] base.installPhase;
     });
 
+    sandbox.mesaCacheDir = ".cache/discord/mesa";
     # creds, but also 200 MB of node modules, etc
     persist.byStore.private = [ ".config/discord" ];
     sandbox.wrapperType = "inplace";  #< package contains broken symlinks that my wrapper can't handle
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # needed for xdg-open
+    # sandbox.whitelistDbus.user.own = [ ":*" ];  #< does not own any well-known name
+    sandbox.whitelistPortal = [
+      # "FileChooser"  #< does not use file chooser
+      "OpenURI"
+    ];
     sandbox.whitelistDri = true;  #< required for even basic graphics (e.g. rendering a window)
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";

hosts/common/programs/dissent.nix

@@ -38,8 +38,14 @@ in
 
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict secrets
+    sandbox.whitelistDbus.user.own = [ "so.libdb.dissent" ];
     sandbox.whitelistDri = true;
+    sandbox.whitelistPortal = [
+      "FileChooser"
+      "OpenURI"
+    ];
+    sandbox.whitelistSendNotifications = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"
@@ -54,6 +60,8 @@ in
       "tmp"
     ];
 
+    sandbox.mesaCacheDir = ".cache/dissent/mesa";
+
     persist.byStore.private = [
       ".cache/dissent"
       ".config/dissent"  # empty?

hosts/common/programs/eg25-control.nix

@@ -17,9 +17,7 @@ in
       # "/var/lib/eg25-control"
     ];
     sandbox.net = "all";  #< for downloading the almanac
-    sandbox.whitelistDbus = [
-      "system"  #< used by `mmcli`
-    ];
+    sandbox.whitelistDbus.system = true;  #< used by `mmcli`
 
     services.eg25-control-powered = {
       description = "eg25-control-powered: power to the Qualcomm eg25 modem used by PinePhone";

hosts/common/programs/element-desktop.nix

@@ -30,7 +30,7 @@
 
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
@@ -49,6 +49,7 @@
       "/dev/snd"  #< needed only when playing embedded audio (not embedded video!)
     ];
 
+    sandbox.mesaCacheDir = ".cache/Element/mesa";
     # creds/session keys, etc
     persist.byStore.private = [ ".config/Element" ];
   };

hosts/common/programs/epiphany.nix

@@ -11,7 +11,17 @@
     sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< silently fails to start without it.
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Epiphany" ];
+    sandbox.whitelistPortal = [
+      # these are all speculative
+      "Camera"
+      "FileChooser"
+      "Location"
+      "OpenURI"
+      "Print"
+      "ProxyResolver"  #< required else it doesn't load websites
+      "ScreenCast"
+    ];
     # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
     # enabling DRI/DRM (as below) seems to fix that.
     sandbox.whitelistDri = true;

hosts/common/programs/evolution-data-server.nix

@@ -96,7 +96,7 @@ in
       "radicale"
     ];
 
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     sandbox.net = "localhost";  #< to reach radicale  (TODO: restrict further)
 
     persist.byStore.ephemeral = [

hosts/common/programs/fcitx5.nix

@@ -34,7 +34,7 @@
       ];
     };
 
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     sandbox.whitelistWayland = true;  # for `fcitx5-configtool, if nothing else`
     sandbox.extraHomePaths = [
       # ".config/fcitx"

hosts/common/programs/feedbackd.nix

@@ -24,7 +24,7 @@ in
       default = {};
     };
 
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user.own = [ "org.sigxcpu.Feedback" ];
     sandbox.whitelistAudio = true;
     sandbox.extraPaths = [
       "/dev/input/by-path/platform-vibrator-event"

hosts/common/programs/firefox-xdg-open.nix

@@ -3,7 +3,9 @@
   sane.programs.firefox-xdg-open = {
     packageUnwrapped = pkgs.firefox-extensions.firefox-xdg-open.systemComponent;
 
-    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+    sandbox.whitelistPortal = [
+      "OpenURI"
+    ];
 
     mime.associations."x-scheme-handler/xdg-open" = "xdg-open.desktop";
 

hosts/common/programs/firefox/bookmarks.html

@@ -9,6 +9,7 @@
   <dt><h3 unfiled_bookmarks_folder="true">Other Bookmarks</h3>
   <dl><p>
     <!-- XXX: if you want multiple aliases, declare the link twice WITH A DIFFERENT HREF= else firefox dedupes them (case-insensitively) -->
+    <dt><a href="https://aur.archlinux.org/packages?O=0&K=%s" shortcuturl="aur">Search AUR
     <dt><a href="https://docs.rs/releases/search?query=%s" shortcuturl="docsrs">Search docs.rs
     <dt><a href="https://duckduckgo.com/?t=h_&q=%s" shortcuturl="ddg">Search DuckDuckGo
     <dt><a href="https://en.wikipedia.org/wiki/Special:Search?search=%s" shortcuturl="w">Search Wikipedia

hosts/common/programs/firefox/default.nix

@@ -214,7 +214,17 @@ in
     sandbox.net = "all";
     sandbox.whitelistAudio = true;
     sandbox.whitelistAvDev = true;  #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user.own = [ "org.mozilla.firefox.*" ];
+    sandbox.whitelistPortal = [
+      "Camera"  # not sure if used
+      # "Email"  # not sure if used
+      "FileChooser"
+      "Location"  # not sure if used
+      "OpenURI"
+      "Print"  # not sure if used
+      "ScreenCast"  # not sure if used
+    ];
+    sandbox.whitelistSendNotifications = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "dev"  # for developing anything web-related
@@ -230,6 +240,7 @@ in
     ] ++ addonHomePaths;
 
     sandbox.tmpDir = ".cache/mozilla/tmp";
+    sandbox.mesaCacheDir = ".cache/mozilla/mesa";
 
     mime.associations = let
       desktop = "firefox.desktop";

hosts/common/programs/flare-signal.nix

@@ -80,8 +80,6 @@
     env.FLARE_DATA_PATH = "$HOME/.local/share/flare/data";
     # sandbox.net = "clearnet";
     # sandbox.whitelistWayland = true;
-    # sandbox.whitelistDbus = [
-    #   "user"  # so i can click on links, at least
-    # ];
+    # sandbox.whitelistDbus.user = true;  # so i can click on links, at least (TODO: reduce!)
   };
 }

hosts/common/programs/foliate.nix

@@ -3,8 +3,12 @@
 {
   sane.programs.foliate = {
     sandbox.net = "clearnet";  #< for dictionary, wikipedia, online book libraries
-    sandbox.whitelistDbus = [ "user" ];  #< when clicking on links
+    sandbox.whitelistDbus.user.own = [ "com.github.johnfactotum.Foliate" ];
     sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
+    sandbox.whitelistPortal = [
+      "FileChooser"
+      "OpenURI"
+    ];
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Books/Books"
@@ -23,6 +27,8 @@
     ];
     sandbox.autodetectCliPaths = "existing";
 
+    sandbox.mesaCacheDir = ".cache/com.github.johnfactotum.Foliate/mesa";
+
     persist.byStore.plaintext = [
       ".local/share/com.github.johnfactotum.Foliate"  #< books added, reading position
       ".cache/com.github.johnfactotum.Foliate"  #< webkit cache

hosts/common/programs/fontconfig.nix

@@ -58,6 +58,8 @@ in
         # "Font Awesome 6 Brands"
       ];
       monospace = [
+        "Monaspace Argon"  #< thin, slightly handwriting-ish
+        # "Monaspace Neon"  #< typewriter style
         "Hack Nerd Font Propo"
         # "DejaVuSansM Nerd Font Propo"
         "NotoMono Nerd Font Propo"
@@ -88,14 +90,15 @@ in
     packages = with pkgs; [
       # TODO: reduce this font set.
       # - probably need only one of dejavu/freefont/liberation
-      dejavu_fonts  # 10 MiB; DejaVu {Sans,Serif,Sans Mono,Math TeX Gyre}; also available as a NerdFonts (Sans Mono only)
-      # font-awesome  #  2 MiB; Font Awesome 6 {Free,Brands}
-      freefont_ttf  # 11 MiB; Free{Mono,Sans,Serif}
-      gyre-fonts    #  4 MiB; Tex Gyre *; ttf substitutes for standard PostScript fonts
-      # hack-font     #  1 MiB; Hack; also available as a NerdFonts
-      liberation_ttf # 4 MiB; Liberation {Mono,Sans,Serif}; also available as a NerdFonts
+      dejavu_fonts            # 10 MiB; DejaVu {Sans,Serif,Sans Mono,Math TeX Gyre}; also available as a NerdFonts (Sans Mono only)
+      # font-awesome            #  2 MiB; Font Awesome 6 {Free,Brands}
+      freefont_ttf            # 11 MiB; Free{Mono,Sans,Serif}
+      gyre-fonts              #  4 MiB; Tex Gyre *; ttf substitutes for standard PostScript fonts
+      # hack-font               #  1 MiB; Hack; also available as a NerdFonts
+      liberation_ttf          # 4 MiB; Liberation {Mono,Sans,Serif}; also available as a NerdFonts
+      monaspace               # 20 MiB;
       noto-fonts-color-emoji  # 10 Mib; Noto Color Emoji
-      unifont       # 16 MiB; Unifont; provides LOTS of unicode coverage
+      unifont                 # 16 MiB; Unifont; provides LOTS of unicode coverage
 
       # nerdfonts takes popular open fonts and patches them to support a wider range of glyphs, notably emoji.
       # any nerdfonts font includes icons such as these:

hosts/common/programs/fractal.nix

@@ -38,8 +38,15 @@ in
 
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Fractal" ];
+    sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict to a subset of secrets
     sandbox.whitelistDri = true;  # otherwise video playback buuuuurns CPU
+    sandbox.whitelistPortal = [
+      "FileChooser"
+      "NetworkMonitor"  # if portals are enabled, but NetworkMonitor *isn't*, then it'll hang on launch
+      "OpenURI"
+    ];
+    sandbox.whitelistSendNotifications = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       # still needs these paths despite it using the portal's file-chooser :?
@@ -54,6 +61,7 @@ in
       "Videos/servo"
       "tmp"
     ];
+    sandbox.mesaCacheDir = ".cache/fractal/mesa";
     sandbox.tmpDir = ".cache/fractal/tmp";  # 10MB+ avatar caches (grows seemingly unbounded during runtime)
 
     persist.byStore.ephemeral = [

hosts/common/programs/g4music.nix

@@ -11,12 +11,13 @@
     buildCost = 1;
 
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"
     ];
 
+    sandbox.mesaCacheDir = ".cache/com.github.neithern.g4music/mesa";
     persist.byStore.plaintext = [
       # index?
       ".cache/com.github.neithern.g4music"

hosts/common/programs/gdbus.nix

@@ -3,6 +3,6 @@
   sane.programs.gdbus = {
     packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.glib "gdbus";
 
-    sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< XXX: maybe future users will also want system access
   };
 }

hosts/common/programs/geary.nix

@@ -25,7 +25,11 @@ in
 
     sandbox.wrapperType = "inplace";  #< XXX(2024-08-20): if executed from a directory different than the configured prefix, it fails to locate its sql migration files
     sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce (as per below; after xdg-dbus-proxy is made nestable)
+    # sandbox.whitelisDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict to a subset of secrets
+    # sandbox.whitelistDbus.user.call."org.gnome.evolution.dataserver.*" = "*";
+    # sandbox.whitelistDbus.user.own = [ "org.gnome.Geary" ];
+    # sandbox.whitelistPortal = [ "FileChooser" "OpenURI" "Print" ];  #< unsure if all these are actually used
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       # it shouldn't need these, but portal integration seems incomplete?
@@ -49,6 +53,7 @@ in
     # fs.".local/share/folks".dir = {};
 
     buildCost = 3;  # uses webkitgtk 4.1
+    sandbox.mesaCacheDir = ".cache/geary/mesa";
     persist.byStore.private = [
       # attachments, and email -- contained in a sqlite db
       ".local/share/geary"

hosts/common/programs/geoclue-demo-agent.nix

@@ -7,9 +7,7 @@
       path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent";
     }];
 
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
 
     services.geoclue-agent = {
       description = "geoclue 'demo' agent";

hosts/common/programs/geoclue2.nix

@@ -47,9 +47,7 @@ in
     package = lib.mkForce null;
 
     # experimental sandboxing (2024/07/05)
-    # sandbox.whitelistDbus = [
-    #   "system"
-    # ];
+    # sandbox.whitelistDbus.system = true;
     # sandbox.net = "all";
   };
 

hosts/common/programs/gnome-clocks.nix

@@ -1,9 +1,14 @@
+# TODO(2025-01-09): fix the 'alarm' component
+# - it creates a desktop notification, but no sound, and permanently freezes the app
+# TODO(2025-01-09): inhibit screen-off while focused (for stopwatch function)
 { ... }: {
   sane.programs.gnome-clocks = {
     buildCost = 1;
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< required for DE notification when alarm rings
+    sandbox.whitelistDbus.user.own = [ "org.gnome.clocks" ];
+    sandbox.whitelistSendNotifications = true;
     sandbox.whitelistWayland = true;
+    sandbox.mesaCacheDir = ".cache/gnome-clocks/mesa";  # TODO: is this the correct app-id?
     gsettingsPersist = [ "org/gnome/clocks" ];
   };
 }

hosts/common/programs/gnome-contacts.nix

@@ -29,10 +29,16 @@
       did-initial-setup = true;
     };
 
-    sandbox.whitelistDbus = [ "user" ];  #< for OpenURI, evolution-data-server
+    sandbox.whitelistDbus.user.call."org.gnome.evolution.dataserver.*" = "*";  #< TODO: reduce; only needs address book and maybe sources (probably not calendar, 'cept maybe for birthdays?)
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Contacts" ];
     sandbox.whitelistDri = true;  #< speculative, but i'd like it to be responsive on mobile
+    sandbox.whitelistPortal = [
+      "OpenURI"
+    ];
     sandbox.whitelistWayland = true;
 
+    sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa";  # TODO: is this the correct app-id?
+
     suggestedPrograms = [
       "evolution-data-server"  #< REQUIRED for saving/loading of any contacts
     ];

hosts/common/programs/gnome-frog.nix

@@ -0,0 +1,31 @@
+{ ... }:
+{
+  sane.programs.gnome-frog = {
+    buildCost = 1;
+    sandbox.whitelistWayland = true;
+    sandbox.whitelistDbus.user.own = [
+      "com.github.tenderowl.frog"
+    ];
+    sandbox.whitelistPortal = [
+      "Screenshot"
+    ];
+    sandbox.extraPaths = [
+      # needed when processing screenshots (TODO: can i have it use a custom TMPDIR?)
+      "/tmp"
+    ];
+    sandbox.extraHomePaths = [
+      # for OCR'ing photos from disk
+      "tmp"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+    ];
+    persist.byStore.ephemeral = [
+      ".local/share/tessdata"  # 15M; dunno what all it is.
+    ];
+    sandbox.mesaCacheDir = ".cache/gnome-frog/mesa";  # TODO: is this the correct app-id?
+  };
+}

hosts/common/programs/gnome-keyring/default.nix

@@ -3,16 +3,16 @@
 {
   sane.programs.gnome-keyring = {
     packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring;
-    sandbox.whitelistDbus = [ "user" ];
-    sandbox.extraRuntimePaths = [
-      "keyring"  #< only needs keyring/control, but has to *create* that.
-      # "keyring/control"
-    ];
     sandbox.capabilities = [
       # ipc_lock: used to `mlock` the secrets so they don't get swapped out.
       # this is optional, and user namespacing (bwrap) likely doesn't propagate it anyway
       "ipc_lock"
     ];
+    sandbox.extraRuntimePaths = [
+      "keyring"  #< only needs keyring/control, but has to *create* that.
+      # "keyring/control"
+    ];
+    sandbox.whitelistDbus.user.own = [ "org.freedesktop.secrets" "org.gnome.keyring" ];
 
     persist.byStore.private = [
       # N.B.: gnome-keyring-daemon used to remove symlinks and replace them with empty directories, but as of 2024-09-05 that seems no longer the case.

hosts/common/programs/gnome-maps.nix

@@ -34,18 +34,18 @@
 
     sandbox.wrapperType = "inplace";  #< /share directory contains Gir info which references libgnome-maps.so by path
     sandbox.whitelistDri = true;  # for perf
-    sandbox.whitelistDbus = [
-      "system"  # system is required for non-portal location services
-      "user"  #< not sure if "user" is necessary?
-    ];
+    sandbox.whitelistDbus.system = true;  #< system is required for non-portal location services
+    sandbox.whitelistDbus.user = true;  #< TODO: not sure if "user" is necessary?
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
 
+    sandbox.mesaCacheDir = ".cache/gnome-maps/mesa";
     persist.byStore.plaintext = [ ".cache/shumate" ];
     # ~/.local/share/gnome-maps/places.json (previously: ../maps-places.json); to persist starred locations, recent locations+routes
     # TODO: building in "developer mode" causes gnome-maps to pretty-print the .json instead of minifying it
     persist.byStore.private = [ ".local/share/gnome-maps" ];
 
     mime.associations."x-scheme-handler/maps" = "org.gnome.Maps.desktop";  # e.g. `maps:q=1600%20Pennsylvania%20Ave`
+    mime.associations."x-scheme-handler/geo" = "org.gnome.Maps.desktop";  # e.g. `geo:50.812375,4.38073;u=100`
   };
 }

hosts/common/programs/gnome-weather.nix

@@ -15,6 +15,8 @@
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
 
+    sandbox.mesaCacheDir = ".cache/gnome-weather/mesa";  # TODO: is this the correct app-id?
+
     persist.byStore.plaintext = [
       ".cache/libgweather"  # weather data (or maybe a http cache)
     ];

hosts/common/programs/gpodder.nix

@@ -24,8 +24,11 @@ in {
       ];
     });
 
-    sandbox.whitelistDbus = [ "user" ];  # it won't launch without it, dunno exactly why.
-    sandbox.whitelistDri = true;  #< hopefully slightly more bearable speed
+    sandbox.whitelistDbus.user.own = [ "org.gpodder" "org.gpodder.gpodder" ];
+    sandbox.whitelistDri = true;  #< makes the UI way more responsive
+    sandbox.whitelistPortal = [
+      "OpenURI"
+    ];
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
 

hosts/common/programs/gps-share.nix

@@ -28,7 +28,7 @@ in
 
     sandbox.net = "all";
     sandbox.autodetectCliPaths = "existing";  #< N.B.: `test -f /dev/ttyUSB1` fails, we can't use `existingFile`
-    sandbox.whitelistDbus = [ "system" ];  #< to register with Avahi
+    sandbox.whitelistDbus.system = true;  #< to register with Avahi
 
     services.gps-share = {
       description = "gps-share: make local GPS serial readings available over Avahi";

hosts/common/programs/grimshot.nix

@@ -15,9 +15,8 @@
       "wl-clipboard"
     ];
     sandbox.keepPids = true;  #< needed by wl-clipboard
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     sandbox.whitelistWayland = true;
-    sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
     sandbox.extraRuntimePaths = [
       "sway"
     ];

hosts/common/programs/handbrake.nix

@@ -3,7 +3,9 @@
   sane.programs.handbrake = {
     buildCost = 1;
 
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.mesaCacheDir = ".cache/handbrake/mesa";  # TODO: is this the correct app-id?
+
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"

hosts/common/programs/htop/default.nix

@@ -6,7 +6,7 @@
       "/sys/devices"
       "/sys/block"  # for zram usage
     ];
-    sandbox.whitelistDbus = [ "system" ];  #< to show systemd job status
+    sandbox.whitelistDbus.system = true;  #< to show systemd job status
     fs.".config/htop/htoprc".symlink.target = ./htoprc;
   };
 }

hosts/common/programs/iio-sensor-proxy.nix

@@ -41,7 +41,7 @@ in
     });
     enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;  #< for dbus/polkit policies
 
-    sandbox.whitelistDbus = [ "system" ];
+    sandbox.whitelistDbus.system = true;
     sandbox.extraPaths = [
       "/run/udev/data"
       "/sys/bus"

hosts/common/programs/kdenlive.nix

@@ -18,7 +18,7 @@
       "tmp"
     ];
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     # sandbox.whitelistX = true;  #< or run with `QT_QPA_PLATFORM=wayland`, without X(wayland)

hosts/common/programs/komikku.nix

@@ -11,6 +11,7 @@
     });
 
     sandbox.net = "clearnet";
+    sandbox.whitelistDbus.user.own = [ "info.febvre.Komikku" ];  #< fails to start if it can't connect to dbus
     sandbox.whitelistDri = true;  #< required
     sandbox.whitelistWayland = true;
 

hosts/common/programs/koreader/default.nix

@@ -46,7 +46,7 @@ in {
   sane.programs.koreader = {
     packageUnwrapped = pkgs.koreader-from-src;
     sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # for opening the web browser via portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for opening the web browser via portal
     sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [

hosts/common/programs/krita.nix

@@ -17,6 +17,7 @@
       "tmp"
     ];
 
+    sandbox.mesaCacheDir = ".cache/krita/mesa";  # TODO: is this the correct app-id?
     suggestedPrograms = [
       "xwayland"  #< XXX(2024-11-10): does not start without X(wayland); not even with QT_QPA_PLATFORM=wayland. see e.g. <https://discuss.kde.org/t/is-there-any-plans-to-add-wayland-support-to-krita/18153>
     ];

hosts/common/programs/lemoa.nix

@@ -3,7 +3,7 @@
   sane.programs.lemoa = {
     buildCost = 1;
     sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # for clicking links
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for clicking links
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     # creds

hosts/common/programs/less.nix

@@ -2,16 +2,24 @@
 {
   sane.programs.less = {
     sandbox.autodetectCliPaths = "existingFile";
-    env.PAGER = "less";
     # LESS flags:
-    # - F = quit if output fits on one screen
-    # - K = exit on ctrl+c
-    # - M = "long prompt"
-    # - R = output raw control characters
-    # - S = chop long lines instead of wrapping
-    # - X = Don't use termcap init/deinit strings (hence, `less` output is visible on the terminal even after exiting)
+    # - --LINE-NUMBERS (N) = render EVERY line with its number in the left column
+    # - --LONG-PROMPT (M) = "long prompt"
+    # - --RAW-CONTROL-CHARS (R) = output raw control characters
+    # - --chop-long-lines (S) = chop long lines instead of wrapping
+    # - --incsearch = start searching immediately as you type `/<search-term>`
+    # - --no-init (X) = Don't use termcap init/deinit strings (hence, `less` output is visible on the terminal even after exiting)
+    # - --quit-if-one-screen (F) = quit if output fits on one screen
+    # - --quit-on-intr (K) = exit on ctrl+c
+    # - --shift=.n = left/right arrow-keys scroll by `n` screen widths
+    # - --use-color = enable color instead of just monochrome (highlights search matches)
     # SYSTEMD_LESS defaults to FRSXMK
-    env.LESS = "FRMK";
-    env.SYSTEMD_LESS = "FRMK";  #< used by journalctl
+    env = rec {
+      # MANPAGER = "less";
+      PAGER = "less";
+      LESS = "--incsearch --LONG-PROMPT --quit-if-one-screen --quit-on-intr --RAW-CONTROL-CHARS --shift=.2 --use-color";
+      SYSTEMD_LESS = LESS;  #< used by journalctl
+    };
+    mime.priority = 200;  # fallback to more specialized pagers where exists
   };
 }

hosts/common/programs/loupe.nix

@@ -21,6 +21,8 @@
       "tmp"
     ];
 
+    sandbox.mesaCacheDir = ".cache/loupe/mesa";  # TODO: is this the correct app-id?
+
     mime.associations = {
       "image/avif" = "org.gnome.Loupe.desktop";
       "image/gif" = "org.gnome.Loupe.desktop";

hosts/common/programs/megapixels-next.nix

@@ -43,7 +43,7 @@ in
     sandbox.wrapperType = "inplace";  #< for share/megapixels/movie.sh
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [ "user" ];  #< so that it can open the image viewer using fdo portal...
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< so that it can open the image viewer using fdo portal...
     sandbox.extraHomePaths = [
       # ".config/megapixels"
       "Pictures/Photos"
@@ -55,6 +55,7 @@ in
       "/sys/class/leds"  #< for flash, presumably
     ];
     sandbox.whitelistAvDev = true;
+    sandbox.mesaCacheDir = ".cache/megapixels/mesa";  # TODO: is this the correct app-id?
     gsettings."me/gapixels/megapixels" = {
       # **required** for it to find its postprocess script
       postprocessor = "${cfg.package}/share/megapixels/postprocess.sh";

hosts/common/programs/megapixels.nix

@@ -28,7 +28,7 @@
     #   "bwrap: failed to make / slave: Operation not permitted"
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [ "user" ];  #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
     sandbox.extraHomePaths = [
       # ".config/megapixels"
       "Pictures/Photos"
@@ -40,6 +40,7 @@
       "/sys/class/leds"  #< for flash, presumably
     ];
     sandbox.whitelistAvDev = true;
+    sandbox.mesaCacheDir = ".cache/megapixels/mesa";  # TODO: is this the correct app-id?
     gsettingsPersist = [
       "org/postmarketos/megapixels"  #< needs to set `postprocessor` else it will segfault during post-process
     ];

hosts/common/programs/mepo.nix

@@ -15,10 +15,9 @@
     sandbox.net = "all";  # for tiles *and* for localhost comm to gpsd
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [
-      "system"  # system is required for non-portal location services
-      "user"  #< not sure if "user" is necessary?
-    ];
+    sandbox.whitelistDbus.system = true;  # system is required for non-portal location services
+    sandbox.whitelistDbus.user = true;  #< TODO: not sure if "user" is necessary?
+    sandbox.mesaCacheDir = ".cache/mepo/mesa";
 
     persist.byStore.plaintext = [ ".cache/mepo/tiles" ];
     # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private

hosts/common/programs/mmcli.nix

@@ -24,9 +24,7 @@
     });
 
     sandbox.tryKeepUsers = true;
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
   };
 }
 

hosts/common/programs/mpv/default.nix

@@ -190,7 +190,7 @@ in
     sandbox.autodetectCliPaths = "parent";  #< especially for subtitle downloader; also nice for viewing albums
     sandbox.net = "all";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< mpris
+    sandbox.whitelistDbus.user.own = [ "org.mpris.MediaPlayer2.mpv" "org.mpris.MediaPlayer2.mpv.*" ];
     sandbox.whitelistDri = true;  #< mpv has excellent fallbacks to non-DRI, but DRI offers a good 30%-50% reduced CPU
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
@@ -208,6 +208,7 @@ in
       "Videos/local"
       "Videos/servo"
     ];
+    sandbox.mesaCacheDir = ".cache/mpv/mesa";
 
     persist.byStore.plaintext = [
       # for `watch_later`

hosts/common/programs/nautilus.nix

@@ -14,7 +14,7 @@
     #   "gvfs"  # browse ftp://, etc  (TODO: fix!)
     # ];
 
-    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for portals launching apps
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       # grant access to pretty much everything, except for secret keys.

hosts/common/programs/neovim/default.nix

@@ -43,7 +43,6 @@ in
 
     sandbox.autodetectCliPaths = "existingOrParent";
     sandbox.whitelistWayland = true;  # for system clipboard integration
-    sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
     # sandbox.whitelistPwd = true;
     sandbox.extraHomePaths = [
       ".local/share/dasht/docsets"

hosts/common/programs/neovim/vimrc

@@ -29,3 +29,10 @@ set conceallevel=2
 " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
 set list
 set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
+
+" when using vim to view manpages
+"   (`:Man topic` or `MANPAGER='nvim +Man!' man topic` or `vim man://topic`),
+" instruct `man` to output unwrapped buffers, and let vim soft-wrap them.
+" this allows one to resize the terminal and have the manpage be re-rendered.
+" see: <https://github.com/neovim/neovim/issues/11436>
+let g:man_hardwrap=0

hosts/common/programs/networkmanager_dmenu/default.nix

@@ -3,9 +3,7 @@
 {
   sane.programs.networkmanager_dmenu = {
     # sandbox.keepPidsAndProc = true;  #< else it can't connect to NetworkManager (?)
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       ".cache/rofi"

hosts/common/programs/newsflash.nix

@@ -15,9 +15,11 @@ let
   wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
 in {
   sane.programs.newsflash = {
+    buildCost = 2;  # mainly for desktop: webkitgtk-6.0
+
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;  #< for embedded videos
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     sandbox.extraPaths = [
@@ -29,7 +31,7 @@ in {
       "/sys/class/block/loop7"
     ];
 
-    buildCost = 2;  # mainly for desktop: webkitgtk-6.0
+    sandbox.mesaCacheDir = ".cache/nesh_flash/mesa";
     persist.byStore.plaintext = [
       ".local/share/news-flash" #< sqlite database, the actually important stuff
       # ".local/share/news_flash"  #< device IDs (?)

hosts/common/programs/nicotine-plus.nix

@@ -22,6 +22,7 @@
       # and then update the config on disk. it errors if it can't `mv` it like that.
       ".config/nicotine"
     ];
+    # sandbox.mesaCacheDir = ".cache/nicotine/mesa";  # don't persist (privacy); (might want to apply that to downloads too)
 
     # the config has loooads of options, but the only critical one is auth/creds.
     # run with ~/.config/nicotine in the sandbox and nicotine will derive the whole config

hosts/common/programs/nmcli.nix

@@ -2,8 +2,6 @@
 {
   sane.programs.nmcli = {
     packageUnwrapped = pkgs.networkmanager-split.nmcli;
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
   };
 }

hosts/common/programs/notejot.nix

@@ -5,6 +5,7 @@
     sandbox.whitelistDri = true;  #< otherwise intolerably slow on moby
     gsettingsPersist = [ "io/github/lainsce/Notejot" ];  #< TODO: probably not needed
 
+    sandbox.mesaCacheDir = ".cache/io.github.lainsce.Notejot/mesa";
     persist.byStore.private = [
       ".local/share/io.github.lainsce.Notejot"
     ];

hosts/common/programs/nvimpager.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+{
+  sane.programs.nvimpager = {
+    packageUnwrapped = (pkgs.nvimpager.override {
+      neovim = config.sane.programs.neovim.packageUnwrapped;
+    }).overrideAttrs {
+      # check phase fails, something to do with me enabling plugins not expected by the tester
+      doCheck = false;
+    };
+
+    suggestedPrograms = [ "neovim" ];
+
+    sandbox.whitelistWayland = true;  # for system clipboard integration
+
+    env.MANPAGER = "nvimpager";
+    # env.PAGER = "nvimpager";
+    # `man 2 select` will have `man` render the manpage to plain text, then pipe it into vim for syntax highlighting.
+    # force MANWIDTH=999 to make `man` not hard-wrap any lines, and instead let vim soft-wrap lines.
+    # that allows the document to be responsive to screen-size/windowing changes.
+    # MANROFFOPT = "-c" improves the indentation, but i'm not totally sure what it actually does.
+    env.MANWIDTH = "999";
+    env.MANROFFOPT = "-c";
+  };
+}

hosts/common/programs/nwg-panel/default.nix

@@ -197,9 +197,8 @@ in
     sandbox.whitelistDri = true;
     sandbox.whitelistSystemctl = true;
     sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [
-      "user"  # playerctl, swaync, ...
-    ];
+    sandbox.whitelistMpris.controlPlayers = true;
+    sandbox.whitelistDbus.user.call."org.erikreider.swaync.cc" = "*";
     sandbox.extraPaths = [
       "/sys/class/backlight"
       "/sys/class/leds"  #< for torch/flashlight on moby
@@ -207,7 +206,7 @@ in
       "/sys/devices"
     ];
     sandbox.extraRuntimePaths = [ "sway" ];
-    sandbox.keepPidsAndProc = true;  #< nwg-panel restarts itself on display dis/connect, by killing all other instances.
+    sandbox.keepPidsAndProc = true;  #< nwg-panel restarts itself on display dis/connect, by killing all other instances (TODO: fix to just exit on display attach?)
 
     services.nwg-panel = {
       description = "nwg-panel status/topbar for wayland";

hosts/common/programs/open-in-mpv.nix

@@ -2,7 +2,7 @@
 { pkgs, ... }:
 {
   sane.programs.open-in-mpv = {
-    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for xdg-open/portals
 
     # taken from <https://github.com/Baldomo/open-in-mpv>
     fs.".config/open-in-mpv/config.yml".symlink.text = ''

hosts/common/programs/papers.nix

@@ -7,10 +7,13 @@
     # });
 
     buildCost = 2;  #< webkitgtk
-    sandbox.whitelistDbus = [ "user" ];  #< for clicking links
+    sandbox.method = null;  #< TODO: enable, after fixing embedded media playback
     sandbox.whitelistDri = true;  #< speedier
     sandbox.whitelistWayland = true;
     sandbox.autodetectCliPaths = "existingFile";
+    sandbox.mesaCacheDir = ".cache/papers/mesa";  # TODO: is this the correct app-id?
+
+    sandbox.whitelistPortal = [ "OpenURI" ];
 
     mime.associations."application/pdf" = "org.gnome.Papers.desktop";
     # XXX(2024-10-06): even with `sandbox.net = "all"` and glib-networking, papers can only open *http* URLs and not https

hosts/common/programs/pipewire/default.nix

@@ -49,16 +49,6 @@ in
       # disabling systemd causes pipewire to be built with direct udev support instead.
       # i added this probably because i don't use system'd logind?
       enableSystemd = false;
-      # XXX(2024-11-29): patch to fix camera support on moby.
-      # see: <https://github.com/NixOS/nixpkgs/pull/353336>
-      # this is identical to the above patch, but less costly than cherry-picking it into nixpkgs-bootstrap,
-      # as that would force mass rebuilds.
-      # **remove once 353336 is merged**.
-      libcamera = pkgs.libcamera.overrideAttrs (upstream: {
-        postFixup = (upstream.postFixup or "") + ''
-          ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so
-        '';
-      });
     };
 
     suggestedPrograms = [
@@ -68,16 +58,14 @@ in
     ];
 
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [
-      # dbus is used for rtkit integration
-      # rtkit runs on the system bus.
-      # xdg-desktop-portal then exposes this to the user bus.
-      # therefore, user bus should be all that's needed, but...
-      # xdg-desktop-portal-wlr depends on pipewire, hence pipewire has to start before xdg-desktop-portal.
-      # then, pipewire has to talk specifically to rtkit (system) and not go through xdp.
-      # "system"  #< not required UNLESS i want rtkit integration
-      "user"  #< required for camera sharing, especially through xdg-desktop-portal, e.g. `snapshot` application
-    ];
+    # dbus is used for rtkit integration
+    # rtkit runs on the system bus.
+    # xdg-desktop-portal then exposes this to the user bus.
+    # therefore, user bus should be all that's needed, but...
+    # xdg-desktop-portal-wlr depends on pipewire, hence pipewire has to start before xdg-desktop-portal.
+    # then, pipewire has to talk specifically to rtkit (system) and not go through xdp.
+    # "system"  #< not required UNLESS i want rtkit integration
+    sandbox.whitelistDbus.user = true;  #< required for camera sharing, especially through xdg-desktop-portal, e.g. `snapshot` application  (TODO: reduce)
     sandbox.wrapperType = "inplace";  #< its config files refer to its binaries by full path
     sandbox.keepPidsAndProc = true;  #< TODO: why?
     sandbox.whitelistAvDev = true;

hosts/common/programs/planify.nix

@@ -3,8 +3,9 @@
   sane.programs.planify = {
     sandbox.whitelistWayland = true;
 
+    sandbox.mesaCacheDir = ".cache/io.github.alainm23/mesa";
     persist.byStore.private = [
-      # TODO items as a sqlite database
+      # todo items as a sqlite database
       ".local/share/io.github.alainm23.planify"
     ];
     # TODO: can probably configure gsettings statically?

hosts/common/programs/playerctl.nix

@@ -2,7 +2,7 @@
 {
   sane.programs.playerctl = {
     sandbox.wrapperType = "inplace";  #< /lib/pkgconfig/playerctl.pc refers to $out by full path
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
 
     services.playerctld = {
       description = "playerctl daemon to keep track of which MPRIS players were recently active";

hosts/common/programs/portfolio-filemanager.nix

@@ -2,7 +2,10 @@
 {
   sane.programs.portfolio-filemanager = {
     # this is all taken pretty directly from nautilus config
-    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
+    sandbox.whitelistDbus.user.own = [ "dev.tchx84.Portfolio" ];
+    sandbox.whitelistPortal = [
+      "OpenURI"
+    ];
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       # grant access to pretty much everything, except for secret keys.
@@ -37,6 +40,7 @@
     #   "gvfs"
     #   "gvfsd"
     # ];
+    sandbox.mesaCacheDir = ".cache/portfolio/mesa";  # TODO: is this the correct app-id?
 
     # suggestedPrograms = [ "gvfs" ];  #< TODO: fix (ftp:// share, USB drive browsing)
 

hosts/common/programs/radicale.nix

@@ -10,7 +10,7 @@
 # TODO: this setup allows access to *anything* on the machine with net access;
 #   but i don't really want e.g. my web browser to know all my personal contacts:
 #   maybe run this in a net namespace? `JoinsNamespaceOf=evolution` (or vice versa)?
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 let
   cfg = config.sane.programs.radicale;
 in
@@ -23,15 +23,6 @@ in
 
   services.radicale = lib.mkIf cfg.enabled {
     enable = true;
-    package = pkgs.radicale.overrideAttrs (upstream: {
-      version = lib.warnIf (lib.versionOlder "3.3.1" upstream.version) "radicale outdated: remove src override" "3.3.1-unstable-2024-12-14";
-      src = pkgs.fetchFromGitHub {
-        owner = "Kozea";
-        repo = "Radicale";
-        rev = "778f56cc4d7b828af6e2e472f2e7898db72dca22";
-        hash = "sha256-Oy6LDI+gvAqwR5XRz7JmRWI7KrAUYTOzHfvJsBRyVmU=";
-      };
-    });
     settings.storage.type = "multifilesystem_nolock";
     settings.storage.use_cache_subfolder_for_history = true;  #< requires radicale > 3.3.1
     settings.storage.use_cache_subfolder_for_item = true;

hosts/common/programs/rofi/default.nix

@@ -27,12 +27,17 @@ let
   rofi-unwrapped = pkgs.rofi-wayland-unwrapped.overrideAttrs (upstream: {
     patches = (upstream.patches or []) ++ [
       (pkgs.fetchpatch {
-        url = "https://git.uninsane.org/colin/rofi/commit/8e01fcd16f97f4c2a5bc63ade58c894a938f89d9.patch";
+        # so that i can open applications via the xdg-desktop-portal instead of by having rofi launch them directly.
+        # N.B.: since 1.7.6, rofi is able to dbus-activate applications as well
+        url = "https://git.uninsane.org/colin/rofi/commit/395eb111e5e39f819e4642b4b33bb293c3cadb9d.patch";
         name = "run-{shell-,}command: expand `{app_id}` inside the template string";
-        hash = "sha256-DXafvvKrNyDOH11lpRdC2ljydb422ttY68oY5K3fKWo=";
+        hash = "sha256-XH6ytT1nhmQ8YUoBR/CfMhDORsaO/jNYiYF4jpshIX4=";
       })
       (pkgs.fetchpatch {
-        url = "https://git.uninsane.org/colin/rofi/commit/249450a2b58c3cf7ced911cadb8c4c60d3315dd0.patch";
+        # workaround for <https://github.com/davatorium/rofi/issues/1954>
+        # which was only ever fixed for the *recursive* file browser.
+        # maintainer doesn't want to `stat` in non-recursive file browser yet; defer patching until filebrowser is made to be async
+        url = "https://git.uninsane.org/colin/rofi/commit/3016e229e199c04e305c51bbee54892c7b4eb778.patch";
         name = "filebrowser: include entries of d_type DT_UNKNOWN";
         hash = "sha256-gz3N4uo7IWzzqaPHHVhby/e9NbtzcFJRQwgdNYxO/Yw=";
       })
@@ -94,7 +99,11 @@ in
       "rofi-run-command"
     ];
 
-    sandbox.whitelistDbus = [ "user" ];  #< to launch apps via the portal
+    sandbox.whitelistDbus.user = true;  #< TODO: should only need DynamicLauncher / OpenURI  (nested xdg-dbus-proxy issue?)
+    # sandbox.whitelistPortal = [
+    #   "DynamicLauncher"
+    #   "OpenURI"
+    # ];
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       ".local/share/applications"  #< to locate .desktop files
@@ -142,7 +151,10 @@ in
     };
     # sandboxing options cribbed from sane-open
     sandbox.autodetectCliPaths = "existing";  # for when opening a file
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistPortal = [
+      "DynamicLauncher"
+      "OpenURI"
+    ];
     sandbox.keepPidsAndProc = true;
     sandbox.extraHomePaths = [ ".local/share/applications" ];
     sandbox.extraRuntimePaths = [ "sway" ];
@@ -157,11 +169,12 @@ in
     packageUnwrapped = pkgs.static-nix-shell.mkBash {
       pname = "rofi-snippets";
       srcRoot = ./.;
-      pkgs = [
-        "gnused"
-        "rofi"
-        "wtype"
-      ];
+      pkgs = {
+        inherit (pkgs) gnused wtype;
+        rofi-wayland = pkgs.rofi-wayland.override {
+          inherit rofi-unwrapped;
+        };
+      };
       nativeBuildInputs = [
         pkgs.copyDesktopItems
       ];

hosts/common/programs/rofi/rofi-snippets

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p bash -p gnused -p rofi -p wtype
+#!nix-shell -i bash -p bash -p gnused -p rofi-wayland -p wtype
 
 # "bookmarking"/snippets inspired by Luke Smith:
 # - <https://www.youtube.com/watch?v=d_11QaTlf1I>

hosts/common/programs/sane-input-handler/default.nix

@@ -98,7 +98,11 @@ in
       "wvkbd"
     ];
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< to launch applications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< to launch applications
+    # sandbox.whitelistMpris.controlPlayers = true;
+    # sandbox.whitelistPortal = [
+    #   "DynamicLauncher"
+    # ];
     sandbox.whitelistSystemctl = true;  #< to restart bonsaid on failure
     sandbox.extraRuntimePaths = [ "sway" ];
     sandbox.keepPidsAndProc = true;  #< for toggling the keyboard