bootstrap: avoid ever invoking mkNixpkgs without the localSystem argument

apparently importing nixpkgs and then `override`ing with `localSystem`
isn't enough; it needs `localSystem` from the start.

TODO.md

@@ -1,5 +1,6 @@
 ## BUGS
-- gnome-calls eats 100% CPU and never renders UI (moby AND lappy, at least)
+- alacritty Ctrl+N frequently fails to `cd` to the previous directory
+- bunpen dbus sandboxing can't be *nested* (likely a problem in xdg-dbus-proxy)
 - dissent has a memory leak (3G+ after 24hr)
   - set a max memory use in the systemd service, to force it to restart as it leaks?
 - `rmDbusServices` may break sandboxing
@@ -8,7 +9,7 @@
 - mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed
 - syshud (volume overlay): when casting with `blast`, syshud doesn't react to volume changes
 - dissent: if i launch it without net connectivity, it gets stuck at the login, and never tries again
-- newflash on moby can't play videos
+- newsflash on moby can't play videos
   - "open in browser" works though -- in mpv
 - gnome-maps can't use geoclue *and* openstreetmap at the same time
   - get gnome-maps to speak xdg-desktop-portal, and this will be fixed
@@ -36,26 +37,16 @@
 - upstream blueprint-compiler cross fixes -> nixpkgs
 - upstream cargo cross fixes -> nixpkgs
 - upstream `gps-share` package -> nixpkgs
-- upstream PinePhonePro device trees -> linux
 
 #### upstreaming to non-nixpkgs repos
+- gnome-calls: retry net connection when DNS is down
 - gtk: build schemas even on cross compilation: <https://github.com/NixOS/nixpkgs/pull/247844>
-- gnome-calls retry net connection when DNS is down
+- linux: upstream PinePhonePro device trees
 - nwg-panel: configurable media controls
 - nwg-panel / playerctl hang fix (i think nwg-panel is what should be patched here)
 
 
 ## IMPROVEMENTS:
-- lack of a mesa shader cache for sandboxed programs DESTROYS PERF
-  - adding ~/.cache/mesa_shader_cache_db to the sandbox massively improves launch time,
-    probably reduces memory use,
-    but has unknown data leak implications.
-  - either (1) pre-populate the shader cache somehow, e.g. <https://gitlab.freedesktop.org/mesa/shader-db>
-    or (2) use a seperate shader cache per-app
-    or (3) disable the mesa cache and see if that actually helps (MESA_SHADER_CACHE_DISABLE=true)
-- tmpfs usage inside bunpen apps is not introspectable/debuggable
-  - app sandboxes could be rooted in, say, `/run/bunpen/$PID`
-    - for a nested sandbox, its vfs could be queried from the root ns at `/run/bunpen/$PID1/run/bunpen/$PID2`
 - sane-deadlines: show day of the week for upcoming items
 - curlftpfs: replace with something better
   - safer (rust? actively maintained? sandboxable?)
@@ -89,12 +80,7 @@
 - port all sane.programs to be sandboxed
   - sandbox `nix`
   - enforce that all `environment.packages` has a sandbox profile (or explicitly opts out)
-  - lock down dbus calls within the sandbox
-    - <https://github.com/flatpak/xdg-dbus-proxy>
-    - stuff on dbus presents too much surface area
-      - ~~for example anyone can `systemd-run --user ...` to potentially escape a sandbox~~
-      - for example, xdg-desktop-portal allows anyone to make arbitrary DNS requests
-        - e.g. `gdbus call --session --timeout 10 --dest org.freedesktop.portal.Desktop --object-path /org/freedesktop/portal/desktop --method org.freedesktop.portal.NetworkMonitor.CanReach 'data1.exfiltrate.uninsane.org' 80`
+  - enforce granular dbus sandboxing (bunpen-dbus-*)
 - make gnome-keyring-daemon less monolithic
   - no reason every application with _a_ secret needs to see _all_ secrets
   - check out oo7-daemon?
@@ -120,7 +106,6 @@
   - offline Wikipedia (or, add to `wike`)
   - some type of games manager/launcher
     - Gnome Highscore (retro games)?: <https://gitlab.gnome.org/World/highscore>
-  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)?)
   - note-taking app: <https://linuxphoneapps.org/categories/note-taking/>
     - Folio is nice, uses standard markdown, though it only supports flat repos
   - OSK overlay specifically for mobile gaming
@@ -136,6 +121,7 @@
   - blurble (https://linuxphoneapps.org/games/app.drey.blurble/). nix: not as of 2024-02-05
   - Trivia Quiz (https://linuxphoneapps.org/games/io.github.nokse22.trivia-quiz/)
 - sane-sync-music: remove empty dirs
+- soulseek: install a CLI app usable over ssh
 
 #### moby
 - moby: port battery support to something upstreamable
@@ -152,6 +138,7 @@
 - SwayNC/nwg-panel: add option to change audio output
 - Newsflash: sync OPML on start, same way i do with gpodder
 - better podcasting client?
+- hardware upgrade (OnePlus)?
 
 #### non-moby
 - RSS: integrate a paywall bypass
@@ -160,13 +147,14 @@
   - and strip the ads out using Whisper transcription + asking a LLM where the ad breaks are
 - neovim: integrate ollama
 - neovim: better docsets (e.g. c++, glib)
-- firefox/librewolf: persist history
+- firefox: persist history
   - just not cookies or tabs
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
   - maybe just color these "keywords" in all search results?
 - transmission: apply `sane-tag-media` path fix in `torrent-done` script
   - many .mkv files do appear to be tagged: i'd just need to add support in my own tooling
+  - more aggressively cleanup non-media files after DL (ripper logos, info txts)
 - uninsane.org: make URLs relative to allow local use (and as offline homepage)
 - email: fix so that local mail doesn't go to junk
   - git sendmail flow adds the DKIM signatures, but gets delivered locally w/o having the sig checked, so goes into Junk

hosts/by-name/desko/default.nix

@@ -4,7 +4,6 @@
     ./fs.nix
   ];
 
-  sane.services.hickory-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable hickory-dns
   # sane.programs.devPkgs.enableFor.user.colin = true;
   # sane.guest.enable = true;
 
@@ -52,20 +51,6 @@
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
 
-  hardware.amdgpu.opencl.enable = true;  # desktop (AMD's opencl implementation AKA "ROCM"); probably required for ollama
-
-  # TODO: enable snapper (need to make `/nix` or `/nix/persist` a subvolume, somehow).
-  # default config: https://man.archlinux.org/man/snapper-configs.5
-  # defaults to something like:
-  #   - hourly snapshots
-  #   - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
-  # to list snapshots: `sudo snapper --config nix list`
-  # to take a snapshot: `sudo snapper --config nix create`
-  # services.snapper.configs.nix = {
-  #   # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
-  #   # but that also requires setting up the persist dir as a subvol
-  #   SUBVOLUME = "/nix";
-  #   # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
-  #   ALLOW_USERS = [ "colin" ];
-  # };
+  # TODO(2025-01-01): re-enable once rocm build is fixed: <https://github.com/NixOS/nixpkgs/pull/367695>
+  # hardware.amdgpu.opencl.enable = true;  # desktop (AMD's opencl implementation AKA "ROCM"); probably required for ollama
 }

hosts/by-name/servo/default.nix

@@ -5,6 +5,7 @@
     ./fs.nix
     ./net
     ./services
+    ./users
   ];
 
   # for administering services

hosts/by-name/servo/services/default.nix

@@ -26,7 +26,7 @@
     ./ntfy
     ./pict-rs.nix
     ./pleroma.nix
-    ./postgres.nix
+    ./postgresql
     ./prosody
     ./slskd.nix
     ./transmission

hosts/by-name/servo/services/gitea.nix

@@ -104,7 +104,7 @@
     };
   };
 
-  systemd.services.gitea.requires = [ "postgresql.service" ];
+  systemd.services.gitea.wants = [ "postgresql.service" ];
   systemd.services.gitea.serviceConfig = {
     # nix default is AF_UNIX AF_INET AF_INET6.
     # we need more protos for sendmail to work. i thought it only needed +AF_LOCAL, but that didn't work.
@@ -113,6 +113,11 @@
     ReadWritePaths = [
       "/var/lib/postfix/queue/maildrop"
     ];
+    # rate limit the restarts to prevent systemd from disabling it
+    RestartSec = 5;
+    RestartMaxDelaySec = 30;
+    StartLimitBurst = 120;
+    RestartSteps = 5;
   };
 
   # services.openssh.settings.UsePAM = true;  #< required for `git` user to authenticate

hosts/by-name/servo/services/kiwix-serve.nix

@@ -1,10 +1,35 @@
 { pkgs, ... }:
 {
   sane.services.kiwix-serve = {
+    # XXX(2025-02-24): libzim build failure after nixpkgs changed icu default from icu74 -> icu76.
+    # see: <https://github.com/NixOS/nixpkgs/issues/384684>
+    package = pkgs.kiwix-tools.override {
+      libkiwix = pkgs.libkiwix.override {
+        icu = pkgs.icu75;
+        libzim = pkgs.libzim.override {
+          icu = pkgs.icu75;
+        };
+      };
+    };
     enable = true;
     port = 8013;
-    zimPaths = [
-      "${pkgs.zimPackages.wikipedia_en_all_maxi}/share/zim/wikipedia_en_all_maxi.zim"
+    zimPaths = with pkgs.zimPackages; [
+      alpinelinux_en_all_maxi.zimPath
+      archlinux_en_all_maxi.zimPath
+      bitcoin_en_all_maxi.zimPath
+      devdocs_en_nix.zimPath
+      gentoo_en_all_maxi.zimPath
+      # khanacademy_en_all.zimPath  #< TODO: enable
+      openstreetmap-wiki_en_all_maxi.zimPath
+      psychonautwiki_en_all_maxi.zimPath
+      rationalwiki_en_all_maxi.zimPath
+      # wikipedia_en_100.zimPath
+      wikipedia_en_all_maxi.zimPath
+      # wikipedia_en_all_mini.zimPath
+      zimgit-food-preparation_en.zimPath
+      zimgit-medicine_en.zimPath
+      zimgit-post-disaster_en.zimPath
+      zimgit-water_en.zimPath
     ];
   };
 

hosts/by-name/servo/services/lemmy.nix

@@ -74,6 +74,10 @@ in {
     serviceConfig.User = "lemmy";
     serviceConfig.Group = "lemmy";
 
+    # switch postgres from Requires -> Wants, so that postgres may restart without taking lemmy down with it.
+    requires = lib.mkForce [];
+    wants = [ "postgresql.service" ];
+
     # hardening (systemd-analyze security lemmy)
     # a handful of these are specified in upstream nixpkgs, but mostly not
     serviceConfig.LockPersonality = true;

hosts/by-name/servo/services/matrix/default.nix

@@ -70,6 +70,15 @@ in
     config.sops.secrets."matrix_synapse_secrets.yaml".path
   ];
 
+  # tune restart settings to ensure systemd doesn't disable it, and we don't overwhelm postgres
+  systemd.services.matrix-synapse.serviceConfig.RestartSec = 5;
+  systemd.services.matrix-synapse.serviceConfig.RestartMaxDelaySec = 20;
+  systemd.services.matrix-synapse.serviceConfig.StartLimitBurst = 120;
+  systemd.services.matrix-synapse.serviceConfig.RestartSteps = 3;
+  # switch postgres from Requires -> Wants, so that postgres may restart without taking matrix down with it.
+  systemd.services.matrix-synapse.requires = lib.mkForce [];
+  systemd.services.matrix-synapse.wants = [ "postgresql.service" ];
+
   systemd.services.matrix-synapse.postStart = lib.optionalString ntfy ''
     ACCESS_TOKEN=$(${lib.getExe' pkgs.coreutils "cat"} ${config.sops.secrets.matrix_access_token.path})
     TOPIC=$(${lib.getExe' pkgs.coreutils "cat"} ${config.sops.secrets.ntfy-sh-topic.path})

hosts/by-name/servo/services/matrix/irc.nix

@@ -154,6 +154,7 @@ in
           # notable channels:
           # - #sxmo
           # - #sxmo-offtopic
+          # supposedly also available at <irc://37lnq2veifl4kar7.onion:6667/> (unofficial)
         };
         "irc.rizon.net" = ircServer { name = "Rizon"; };
         # "irc.sdf.org" = ircServer {

hosts/by-name/servo/services/postgresql/default.nix

@@ -35,7 +35,6 @@ in
   services.postgresql.package = pkgs.postgresql_16;
 
 
-
   # XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
   # services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
   #   CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '<password goes here>';
@@ -46,10 +45,10 @@ in
   #     LC_CTYPE = "C";
   # '';
 
-  # perf tuning
-  # - for recommended values see: <https://pgtune.leopard.in.ua/>
-  # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
   services.postgresql.settings = {
+    # perf tuning
+    # - for recommended values see: <https://pgtune.leopard.in.ua/>
+    # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
     # DB Version: 16
     # OS Type: linux
     # DB Type: web
@@ -73,8 +72,19 @@ in
     max_parallel_workers_per_gather = 4;
     max_parallel_workers = 12;
     max_parallel_maintenance_workers = 4;
+
+    # DEBUG OPTIONS:
+    log_min_messages = "DEBUG1";
   };
 
+  # regulate the restarts, so that systemd never disables it
+  systemd.services.postgresql.serviceConfig.Restart = "on-failure";
+  systemd.services.postgresql.serviceConfig.RestartSec = 2;
+  systemd.services.postgresql.serviceConfig.RestartMaxDelaySec = 10;
+  systemd.services.postgresql.serviceConfig.RestartSteps = 4;
+  systemd.services.postgresql.serviceConfig.StartLimitBurst = 120;
+  # systemd.services.postgresql.serviceConfig.TimeoutStartSec = "14400s";  #< 14400 = 4 hours; recoveries are long
+
   # daily backups to /var/backup
   services.postgresqlBackup.enable = true;
 

hosts/by-name/servo/services/postgresql/recollate.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+# source: <https://gist.githubusercontent.com/troykelly/616df024050dd50744dde4a9579e152e/raw/fe84e53cedf0caa6903604894454629a15867439/reindex_and_refresh_collation.sh>
+#
+# run this whenever postgres complains like:
+# > WARNING:  database "gitea" has a collation version mismatch
+# > DETAIL:  The database was created using collation version 2.39, but the operating system provides version 2.40.
+# > HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE gitea REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
+#
+# this script checks which databases are in need of a collation update,
+# and re-collates them as appropriate.
+# invoking this script should have low perf impact in the non-upgrade case,
+# so safe to do this as a cron job.
+#
+# invoke as postgres user
+
+log_info() {
+  >&2 echo "$@"
+}
+
+list_databases() {
+  log_info "Retrieving list of databases from the PostgreSQL server..."
+  psql --dbname="postgres" -Atc \
+    "SELECT datname FROM pg_database WHERE datistemplate = false"
+}
+
+refresh_collation_version() {
+  local db=$1
+  log_info "Refreshing collation version for database: $db..."
+  psql --dbname="$db" -c \
+    "ALTER DATABASE \"$db\" REFRESH COLLATION VERSION;"
+}
+
+check_collation_mismatches() {
+  local error=
+  log_info "Checking for collation mismatches in all databases..."
+  # Loop through each database and check for mismatching collations in table columns.
+  while IFS= read -r db; do
+    if [ -n "$db" ]; then
+      log_info "Checking database: $db for collation mismatches..."
+      local mismatches=$(psql --dbname="$db" -Atc \
+        "SELECT 'Mismatch in table ' || table_name || ' column ' || column_name || ' with collation ' || collation_name
+         FROM information_schema.columns
+         WHERE collation_name IS NOT NULL AND collation_name <> 'default' AND table_schema = 'public'
+         EXCEPT
+         SELECT 'No mismatch - default collation of ' || datcollate || ' used.'
+         FROM pg_database WHERE datname = '$db';"
+      )
+      if [ -z "$mismatches" ]; then
+        log_info "No collation mismatches found in database: $db"
+      else
+        # Print an informational message to stderr.
+        log_info "Collation mismatches found in database: $db:"
+        log_info "$mismatches"
+        error=1
+      fi
+    fi
+  done
+
+  if [ -n "$error" ]; then
+    exit 1
+  fi
+}
+
+log_info "Starting the reindexing and collation refresh process for all databases..."
+
+databases=$(list_databases)
+
+if [ -z "$databases" ]; then
+  log_info "No databases found for reindexing or collation refresh. Please check connection details to PostgreSQL server."
+  exit 1
+fi
+
+for db in $databases; do
+  refresh_collation_version "$db"
+done
+
+# Checking for collation mismatches after reindexing and collation refresh.
+# Pass the list of databases to the check_collation_mismatches function through stdin.
+echo "$databases" | check_collation_mismatches
+
+log_info "Reindexing and collation refresh process completed."

hosts/by-name/servo/users/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./shelvacu.nix
+  ];
+}

hosts/by-name/servo/users/shelvacu.nix

@@ -0,0 +1,65 @@
+{ lib, pkgs, ... }:
+{
+  users.users.shelvacu = {
+    isNormalUser = true;
+    home = "/home/shelvacu";
+    subUidRanges = [
+      { startUid=300000; count=1; }
+    ];
+    group = "users";
+    initialPassword = lib.mkDefault "";
+    shell = pkgs.bash;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug compute-deck"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I compute-deck-root"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C fw"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m fw-root"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOre0FnYDm3arsFj9c/l5H2Q8mdmv7kmvq683pL4heru legtop"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC pixel9pro-nod"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX pro1x-nod"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJNFbzt0NHVTaptBI38YtwLG+AsmeNYy0Nr5yX2zZEPE root@vacuInstaller toptop-root"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g triple-dezert"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8 triple-dezert-root"
+    ];
+  };
+
+  security.sudo.extraRules = [
+    {
+      users = [ "shelvacu" ];
+      runAs = "postgres";
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+
+  security.polkit.extraConfig = ''
+    // allow:
+    // - systemctl restart|start|stop SERVICE
+    polkit.addRule(function(action, subject) {
+      if (subject.user == "shelvacu" && action.id == "org.freedesktop.systemd1.manage-units") {
+        switch (action.lookup("verb")) {
+          // case "cancel":
+          // case "reenable":
+          case "restart":
+          // case "reload":
+          // case "reload-or-restart":
+          case "start":
+          case "stop":
+          // case "try-reload-or-restart":
+          // case "try-restart":
+            return polkit.Result.YES;
+          default:
+        }
+      }
+    })
+  '';
+
+  sane.persist.sys.byStore.private = [
+    { path = "/home/shelvacu/persist"; user = "shelvacu"; group = "users"; mode = "0700"; }
+  ];
+}

hosts/common/default.nix

@@ -14,6 +14,7 @@
     ./programs
     ./quirks.nix
     ./secrets.nix
+    ./snapper.nix
     ./ssh.nix
     ./systemd.nix
     ./users

hosts/common/feeds.nix

@@ -1,6 +1,8 @@
 # where to find good stuff?
 # - universal search/directory: <https://podcastindex.org>
 #   - the full database is downloadable
+# - find adjacent podcasts: <https://rephonic.com/graph>
+# - charts: <https://rephonic.com/charts/apple/united-states/technology>
 # - list of lists: <https://en.wikipedia.org/wiki/Category:Lists_of_podcasts>
 # - podcasts w/ a community: <https://lemmyverse.net/communities?query=podcast>
 # - podcast recs:
@@ -60,7 +62,7 @@ let
   podcasts = [
     (fromDb "404media.co/the-404-media-podcast" // tech)
     (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)  # ACQ2 - more "Acquired" episodes
-    (fromDb "allinchamathjason.libsyn.com" // pol)
+    (fromDb "adventofcomputing.com" // tech)  # computing history
     (fromDb "api.oyez.org/podcasts/oral-arguments/2015" // pol)  # Supreme Court Oral Arguments ("2015" in URL means nothing -- it's still updated)
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)  # Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/2da69154/podcast/rss" // tech)  # POD OF JAKE -- https://podofjake.com/
@@ -70,18 +72,22 @@ let
     (fromDb "darknetdiaries.com" // tech)
     (fromDb "dwarkeshpatel.com" // tech)
     (fromDb "feeds.99percentinvisible.org/99percentinvisible" // pol)  # 99% Invisible -- also available here: <https://feeds.simplecast.com/BqbsxVfO>
+    (fromDb "feeds.acast.com/public/shows/lawfare" // pol)  # <https://www.lawfaremedia.org/podcasts-multimedia/podcast/the-lawfare-podcast>
     (fromDb "feeds.buzzsprout.com/2412334.rss")  # Matt Stoller's _Organized Money_ <https://www.organizedmoney.fm/>
     (fromDb "feeds.eff.org/howtofixtheinternet" // pol)
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
     (fromDb "feeds.feedburner.com/dancarlin/history" // rat)
     (fromDb "feeds.feedburner.com/radiolab" // pol)  # Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
+    (fromDb "feeds.megaphone.fm/CHTAL4990341033" // pol)  # ChinaTalk: https://www.chinatalk.media/podcast
     (fromDb "feeds.megaphone.fm/GLT1412515089" // pol)  # JRE: Joe Rogan Experience
     (fromDb "feeds.megaphone.fm/behindthebastards" // pol)  # also Maggie Killjoy
     (fromDb "feeds.megaphone.fm/cspantheweekly" // pol)
+    (fromDb "feeds.megaphone.fm/econ102")  # Noah Smith + Erik Torenberg <https://www.podpage.com/econ102/>
+    (fromDb "feeds.megaphone.fm/history102")  # <https://www.podpage.com/history-102-with-whatifalthist/>
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)  # The Verge - Decoder
+    (fromDb "feeds.megaphone.fm/thiswontlast" // tech)  # <https://www.podpage.com/thiswontlast/>
     (fromDb "feeds.megaphone.fm/unexplainable")
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)  # Econ Talk
-    (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
     (fromDb "feeds.simplecast.com/whlwDbyc" // tech)  # Tech Lounge: <https://chrischinchilla.com/podcast/techlounge/>
     (fromDb "feeds.transistor.fm/acquired" // tech)
     (fromDb "feeds.transistor.fm/complex-systems-with-patrick-mckenzie-patio11" // tech)  # Patrick Mackenzie (from Bits About Money)
@@ -89,10 +95,10 @@ let
     (fromDb "fulltimenix.com" // tech)
     (fromDb "futureofcoding.org/episodes" // tech)
     (fromDb "hackerpublicradio.org" // tech)
-    (fromDb "lastweekinai.com" // tech)
     (fromDb "lexfridman.com/podcast" // rat)
     (fromDb "linktr.ee/betteroffline" // pol)
     (fromDb "linuxdevtime.com" // tech)
+    (fromDb "malicious.life" // tech)
     (fromDb "mapspodcast.libsyn.com" // uncat)  # Multidisciplinary Association for Psychedelic Studies
     (fromDb "microarch.club" // tech)
     (fromDb "omegataupodcast.net" // tech)  # 3/4 German; 1/4 eps are English
@@ -102,41 +108,48 @@ let
     (fromDb "omny.fm/shows/the-dollop-with-dave-anthony-and-gareth-reynolds")  # The Dollop history/comedy
     (fromDb "omny.fm/shows/weird-little-guys")  # Cool Zone Media
     (fromDb "originstories.libsyn.com" // uncat)
-    (fromDb "politicspoliticspolitics.com" // pol)  # don't judge me. Justin Robert Young.
     (fromDb "podcast.ergaster.org/@flintandsilicon" // tech)  # Thib's podcast: public interest tech, gnome, etc: <https://fed.uninsane.org/users/$ALLO9MZ5g5CsQTCBH6>
-    (fromDb "podcast.sustainoss.org" // tech)
     (fromDb "politicalorphanage.libsyn.com" // pol)
     (fromDb "reverseengineering.libsyn.com/rss" // tech)  # UnNamed Reverse Engineering Podcast
-    (fromDb "rss.acast.com/ft-tech-tonic" // tech)
-    (fromDb "rss.art19.com/60-minutes" // pol)
+    (fromDb "rss.acast.com/ft-tech-tonic" // tech)  # Financial Time's: Tech Tonic
     (fromDb "rss.art19.com/the-portal" // rat)  # Eric Weinstein
-    (fromDb "seattlenice.buzzsprout.com" // pol)
+    (fromDb "seattlenice.buzzsprout.com" // pol)  # Seattle Nice
+    (fromDb "sites.libsyn.com/438684" // humor)  # Quorators - digging up *weird* Quota questions
+    (fromDb "speedboatdope.com" // pol)  # Chapo Trap House (premium feed)
     (fromDb "srslywrong.com" // pol)
     (fromDb "sharkbytes.transistor.fm" // tech)  # Wireshark Podcast o_0
-    (fromDb "sharptech.fm/feed/podcast" // tech)
-    (fromDb "sscpodcast.libsyn.com" // rat)  # Astral Codex Ten
+    (fromDb "sharptech.fm/feed/podcast" // tech)  # Ben Thompson
+    (fromDb "sscpodcast.libsyn.com" // rat)  # Astral Codex Ten; Scott Alexander
     (fromDb "talesfromthebridge.buzzsprout.com" // tech)  # Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
     (fromDb "techtalesshow.com" // tech)  # Corbin Davenport
-    (fromDb "techwontsave.us" // pol)  # rec by Cory Doctorow
-    (fromDb "theamphour.com" // tech)
+    (fromDb "theamphour.com" // tech)  # The Amp Hour
+    (fromDb "the-ben-marc-show.simplecast.com" // tech // pol)  # Ben Horowitz + Marc Andreessen; love to hate em
     (fromDb "timclicks.dev/compose-podcast" // tech)  # Rust-heavy dev interviews
-    (fromDb "werenotwrong.fireside.fm" // pol)
+    (fromDb "werenotwrong.fireside.fm" // pol)  # We're Not Wrong
+    (fromDb "whycast.podcast.audio/@whycast" // tech)  # What Hackers Yearn [for]: <https://why2025.org/>
     (mkPod "https://sfconservancy.org/casts/the-corresponding-source/feeds/ogg/" // tech)
 
+    # (fromDb "allinchamathjason.libsyn.com" // pol)
     # (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)  # Matrix (chat) Live
     # (fromDb "feeds.libsyn.com/421877" // rat)  # Less Wrong Curated
     # (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)  # Daniel Huberman on sleep
     # (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
     # (fromDb "feeds.simplecast.com/82FI35Px" // pol)  # Ezra Klein Show
     # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
+    # (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
+    # (fromDb "lastweekinai.com" // tech)  # Last Week in AI
     # (fromDb "mintcast.org" // tech)
+    # (fromDb "politicspoliticspolitics.com" // pol)  # don't judge me. Justin Robert Young.
     # (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
+    # (fromDb "podcast.sustainoss.org" // tech)  # "Sustainable tech", only... it somehow manages to avoid any tech which is actually sustainable, and most of the time doesn't even talk about Open Source Software (!). normie/surface-level/"feel good"
     # (fromDb "podcast.thelinuxexp.com" // tech)  # low-brow linux/foss PR announcements
     # (fromDb "rss.acast.com/deconstructed")  # The Intercept - Deconstructed
     # (fromDb "rss.acast.com/intercepted-with-jeremy-scahill")  # The Intercept - Intercepted
+    # (fromDb "rss.art19.com/60-minutes" // pol)
     # (fromDb "rss.art19.com/your-welcome" // pol)  # Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
     # (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)  #< possible URL rot
+    # (fromDb "techwontsave.us" // pol)  # rec by Cory Doctorow, but way too info-sparse
     # (fromDb "trashfuturepodcast.podbean.com" // pol)  # rec by Cory Doctorow, but way rambly
     # (fromDb "wakingup.libsyn.com" // pol)  # Sam Harris, but he just repeats himself now
     # (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)  # Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
@@ -264,7 +277,6 @@ let
     (fromDb "youtube.com/@NativLang")
     (fromDb "youtube.com/@PolyMatter")
     (fromDb "youtube.com/@TechnologyConnections" // tech)
-    (fromDb "youtube.com/@tested" // tech)  # Adam Savage
     (fromDb "youtube.com/@TomScottGo")
     (fromDb "youtube.com/@TVW_Washington" // pol)  # interviews with WA public officials
     (fromDb "youtube.com/@Vihart")
@@ -273,6 +285,7 @@ let
     # (fromDb "youtube.com/@ColdFusion")
     # (fromDb "youtube.com/@rossmanngroup" // pol // tech)  # Louis Rossmann
     # (fromDb "youtube.com/@TheB1M")
+    # (fromDb "youtube.com/@tested" // tech)  # Adam Savage  (uploads too frequently)
     # (fromDb "youtube.com/@Vox")
     # (fromDb "youtube.com/@Vsauce")  # they're all like 1-minute long videos now? what happened @Vsauce?
   ];

hosts/common/ids.nix

@@ -66,6 +66,7 @@
   sane.ids.plugdev.gid = 2421;
   sane.ids.ollama.uid = 2422;
   sane.ids.ollama.gid = 2422;
+  sane.ids.shelvacu.uid = 5431;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net/dns/bind.nix

@@ -1,15 +1,108 @@
-{ lib, ... }:
+# debugging:
+# - `man named`
+# - `man named.conf`
+# - `systemctl stop bind`
+# - `sudo /nix/store/0zpdy93sd3fgbxgvf8dsxhn8fbbya8d2-bind-9.18.28/sbin/named -g -u named -4 -c /nix/store/f1mp0myzmfms71h9vinwxpn2i9362a9a-named.conf`
+#   - `-g` = don't fork
+#   - `-u named` = start as superuser (to claim port 53), then drop to user `named`
+{ config, lib, pkgs, ... }:
+let
+  hostCfg = config.sane.hosts.by-name."${config.networking.hostName}";
+  bindCfg = config.services.bind;
+in
 {
-  services.bind.enable = lib.mkDefault true;
-  services.bind.forwarders = [];  #< don't forward queries to upstream resolvers
-  services.bind.cacheNetworks = [
-    "127.0.0.0/24"
-    "::1/128"
-    "10.0.0.0/16"
-  ];
-  services.bind.extraOptions = ''
-    port 953;
-  '';
+  config = lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
+    services.resolved.enable = lib.mkForce false;
 
-  networking.resolvconf.useLocalResolver = false;  #< undo bind making this default true
+    networking.nameservers = [
+      # be compatible with systemd-resolved
+      # "127.0.0.53"
+      # or don't be compatible with systemd-resolved, but with libc and pasta instead
+      #   see <pkgs/by-name/sane-scripts/src/sane-vpn>
+      "127.0.0.1"
+      # enable IPv6, or don't; unbound is spammy when IPv6 is enabled but unroutable
+      # "::1"
+    ];
+
+    networking.resolvconf.extraConfig = ''
+      # DNS serviced by `BIND` recursive resolver
+      name_servers='127.0.0.1'
+    '';
+
+    services.bind.enable = lib.mkDefault true;
+    services.bind.forwarders = [];  #< don't forward queries to upstream resolvers
+    services.bind.cacheNetworks = [
+      "127.0.0.0/24"
+      "::1/128"
+      "10.0.10.0/24"  #< wireguard clients (servo)
+    ];
+    services.bind.listenOn = [
+      "127.0.0.1"
+    ] ++ lib.optionals (hostCfg.wg-home.ip != null) [
+      # allow wireguard clients to use us as a recursive resolver (only needed for servo)
+      hostCfg.wg-home.ip
+    ];
+    services.bind.listenOnIpv6 = [
+      # "::1"
+    ];
+
+    services.bind.ipv4Only = true;  # unbound is spammy when it tries IPv6 without a routable address
+
+    # when testing, deploy on a port other than 53
+    # services.bind.extraOptions = ''
+    #   listen-on port 953 { any; };
+    # '';
+
+    networking.resolvconf.useLocalResolver = false;  #< we manage resolvconf explicitly, above
+
+    # TODO: how to exempt `pool.ntp.org` from DNSSEC checks, as i did when using unbound?
+
+    # allow runtime insertion of zones or other config changes:
+    # add your supplemental config as a toplevel file in /run/named/dhcp-configs/, then `systemctl restart bind`
+    services.bind.extraConfig = ''
+      include "/run/named/dhcp-configs.conf";
+    '';
+    services.bind.extraOptions = ''
+      // we can't guarantee that all forwarders support DNSSEC,
+      // and as of 2025-01-30 BIND9 gives no way to disable DNSSEC per-forwarder/zone,
+      // so just disable it globally
+      dnssec-validation no;
+    '';
+    # re-implement the nixos default bind config, but without `options { forwarders { }; };`,
+    # as having an empty `forwarders` at the top-level prevents me from forwarding the `.` zone in a separate statement
+    # (which i want to do to allow sane-vpn to forward all DNS).
+    services.bind.configFile = pkgs.writeText "named.conf" ''
+      include "/etc/bind/rndc.key";
+      controls {
+        inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
+      };
+
+      acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.cacheNetworks} };
+      acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.blockedNetworks} };
+
+      options {
+        listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.listenOn} };
+        listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.listenOnIpv6} };
+        allow-query-cache { cachenetworks; };
+        blackhole { badnetworks; };
+        //v disable top-level forwards, so that i can do forwarding more generically in `zone FOO { ... }` directives.
+        // forward ${bindCfg.forward};
+        // forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") bindCfg.forwarders} };
+        directory "${bindCfg.directory}";
+        pid-file "/run/named/named.pid";
+        ${bindCfg.extraOptions}
+      };
+
+      ${bindCfg.extraConfig}
+    '';
+
+    systemd.services.bind.serviceConfig.ExecStartPre = pkgs.writeShellScript "named-generate-config" ''
+      mkdir -p /run/named/dhcp-configs
+      chmod g+w /run/named/dhcp-configs
+      echo "// FILE GENERATED BY bind.service's ExecStartPre: CHANGES TO THIS FILE WILL BE OVERWRITTEN" > /run/named/dhcp-configs.conf
+      for c in $(ls /run/named/dhcp-configs/); do
+        cat "/run/named/dhcp-configs/$c" >> /run/named/dhcp-configs.conf
+      done
+    '';
+  };
 }

hosts/common/net/dns/unbound.nix

@@ -1,7 +1,9 @@
 # `man unbound.conf` for info on settings
 # it's REALLY EASY to combine settings in a way that produce bad effects.
 # generally, prefer to stay close to defaults unless there's a compelling reason to differ.
-{ config, lib, pkgs, ... }: {
+{ config, lib, ... }:
+lib.optionalAttrs false  #< XXX(2024-12-29): unbound caches failed DNS resolutions, just randomly breaks connectivity daily
+{
   config = lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
     services.resolved.enable = lib.mkForce false;
 

hosts/common/polyunfill.nix

@@ -106,6 +106,7 @@ in
       conveniencePackages = [
         config.boot.kernelPackages.cpupower  # <repo:nixos/nixpkgs:nixos/modules/tasks/cpu-freq.nix> places it on PATH for convenience if powerManagement.cpuFreqGovernor is set
         pkgs.kbd  # <repo:nixos/nixpkgs:nixos/modules/config/console.nix>  places it on PATH as part of console/virtual TTYs, but probably not needed unless you want to set console fonts
+        pkgs.nixos-firewall-tool  # <repo:nixos/nixpkgs:nixos/modules/services/networking/firewall.nix>  for end-user management of the firewall? cool but doesn't cross-compile
       ];
     in lib.filter (p: ! builtins.elem p (requiredPackages ++ conveniencePackages));
   };

hosts/common/programs/assorted.nix

@@ -48,6 +48,7 @@ in
       "dtc"  # device tree [de]compiler
       "e2fsprogs"  # resize2fs
       "efibootmgr"
+      "erdtree"  # like normal `tree` but colorful & prints sizes
       "errno"
       "ethtool"
       "evtest"
@@ -88,9 +89,11 @@ in
       "netcat"
       "nethogs"
       "nix"
+      "nix-tree"
       "nmap"
       "nmcli"
       "nmon"
+      "nvimpager"
       "nvme-cli"  # nvme
       # "openssl"
       "parted"
@@ -174,7 +177,7 @@ in
       "sane-secrets-unlock"
       "sane-sysload"
       "sc-im"
-      # "snapper"
+      "snapper"
       "sops"  # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
       "speedtest-cli"
       # "ssh-to-age"
@@ -250,7 +253,7 @@ in
       "endless-sky"     # space merchantilism/exploration
       # "factorio"
       # "frozen-bubble"   # WAN + LAN + 1P/2P bubble bobble
-      "hase"            # WAN worms game
+      # "hase"            # WAN worms game
       # "hedgewars"     # WAN + LAN worms game (5~10 people online at any moment; <https://hedgewars.org>)
       # "libremines"    # meh: trivial minesweeper; qt6
       # "mario0"        # SMB + portal
@@ -281,7 +284,9 @@ in
     guiBaseApps = declPackageSet [
       # "abaddon"  # discord client
       "alacritty"  # terminal emulator
+      "blanket"  # ambient noise generator
       "calls"  # gnome calls (dialer/handler)
+      "confy"  # conference planning app
       "dbus"
       # "dconf"  # or use `gsettings`, with its keyfile backend
       # "delfin"  # Jellyfin client
@@ -323,7 +328,7 @@ in
       "mepo"  # maps viewer
       # "mesa-demos"  # for eglinfo, glxinfo & other testing tools
       "mpv"
-      # "networkmanagerapplet"  # for nm-connection-editor GUI. XXX(2024-09-03): broken, probably by NetworkManager sandboxing
+      "networkmanagerapplet"
       # "ntfy-sh"  # notification service
       "newsflash"  # RSS viewer
       "papers"  # PDF viewer
@@ -376,11 +381,10 @@ in
       "pcTuiApps"
       ####
       "audacity"
-      # "blanket"  # ambient noise generator
       "brave"  # for the integrated wallet -- as a backup
       # "cantata"  # music player (mpd frontend)
       # "chromium"  # chromium takes hours to build. brave is chromium-based, distributed in binary form, so prefer it.
-      # "cups"
+      "cups"
       "discord"  # x86-only
       # "electrum"
       "element-desktop"
@@ -449,30 +453,10 @@ in
 
     bash-language-server.sandbox.whitelistPwd = true;
 
-    blanket.buildCost = 1;
-    blanket.sandbox.whitelistAudio = true;
-    # blanket.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
-    blanket.sandbox.whitelistWayland = true;
-
-    blueberry.sandbox.wrapperType = "inplace";  #< it places binaries in /lib and then /etc/xdg/autostart files refer to the /lib paths, and fail to be patched
-    blueberry.sandbox.whitelistWayland = true;
-    blueberry.sandbox.extraPaths = [
-      "/dev/rfkill"
-      "/run/dbus"
-      "/sys/class/rfkill"
-      "/sys/devices"
-    ];
-
     bridge-utils.sandbox.net = "all";
 
     "cacert.unbundled".sandbox.enable = false;  #< data only
 
-    cargo.persist.byStore.plaintext = [ ".cargo" ];
-    # probably this sandboxing is too restrictive; i'm sandboxing it for rust-analyzer / neovim LSP
-    cargo.sandbox.whitelistPwd = true;
-    cargo.sandbox.net = "all";
-    cargo.sandbox.extraHomePaths = [ "dev" "ref" ];
-
     clang = {};
 
     clang-tools.sandbox.whitelistPwd = true;
@@ -501,7 +485,7 @@ in
 
     delfin.buildCost = 1;
     delfin.sandbox.whitelistAudio = true;
-    delfin.sandbox.whitelistDbus = [ "user" ];  # else `mpris` plugin crashes the player
+    delfin.sandbox.whitelistDbus.user = true;  #< TODO: reduce  # else `mpris` plugin crashes the player
     delfin.sandbox.whitelistDri = true;
     delfin.sandbox.whitelistWayland = true;
     delfin.sandbox.net = "clearnet";
@@ -530,10 +514,10 @@ in
 
     endless-sky.buildCost = 1;
     endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
+    endless-sky.sandbox.mesaCacheDir = ".cache/endless-sky/mesa";
     endless-sky.sandbox.whitelistAudio = true;
     endless-sky.sandbox.whitelistDri = true;
     endless-sky.sandbox.whitelistWayland = true;
-    # endless-sky.sandbox.whitelistX = true;
     endless-sky.packageUnwrapped = pkgs.endless-sky.overrideAttrs (base: {
       nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
         pkgs.makeWrapper
@@ -548,6 +532,10 @@ in
     # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
     emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
 
+    erdtree.sandbox.tryKeepUsers = true;  #< to keep user/group info when running as root
+    erdtree.sandbox.autodetectCliPaths = "existingDir";
+    erdtree.sandbox.whitelistPwd = true;
+
     ethtool.sandbox.capabilities = [ "net_admin" ];
     ethtool.sandbox.net = "all";
     ethtool.sandbox.tryKeepUsers = true;
@@ -563,11 +551,12 @@ in
     eza.sandbox.tryKeepUsers = true;  #< to keep user/group info when running as root
     eza.sandbox.autodetectCliPaths = "existing";
     eza.sandbox.whitelistPwd = true;
-    eza.sandbox.extraHomePaths = [
-      # so that e.g. `eza -l ~` can show which symlink exist
-      ".persist/ephemeral"
-      ".persist/plaintext"
-    ];
+    # eza.sandbox.extraHomePaths = [
+    #   # so that e.g. `eza -l ~` can show which symlink exist
+    #   # hol' up: this is almost like just un-sandboxing it
+    #   ".persist/ephemeral"
+    #   ".persist/plaintext"
+    # ];
 
     fatresize.sandbox.autodetectCliPaths = "parent";  # /dev/sda1 -> needs /dev/sda
     fatresize.sandbox.tryKeepUsers = true;
@@ -595,6 +584,7 @@ in
     # ];
 
     font-manager.buildCost = 1;
+    font-manager.sandbox.mesaCacheDir = ".cache/font-manager/mesa";
     font-manager.sandbox.whitelistWayland = true;
     font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
       # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
@@ -645,12 +635,14 @@ in
     gitea = {};
 
     gnome-calculator.buildCost = 1;
+    gnome-calculator.sandbox.mesaCacheDir = ".cache/gnome-calculator/mesa";  # TODO: is this the correct app-id?
     gnome-calculator.sandbox.whitelistWayland = true;
 
     gnome-calendar.buildCost = 2;  # depends on webkitgtk_6_0 via evolution-data-server
+    gnome-calendar.sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa";  # TODO: is this the correct app-id?
     # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
     gnome-calendar.sandbox.whitelistWayland = true;
-    gnome-calendar.sandbox.whitelistDbus = [ "user" ];
+    gnome-calendar.sandbox.whitelistDbus.user = true;  #< TODO: reduce
     gnome-calendar.suggestedPrograms = [
       "evolution-data-server"  #< to access/persist calendar events
     ];
@@ -658,7 +650,7 @@ in
     # gnome-disks
     # XXX(2024-09-02): fails to show any disks even when run as `BUNPEN_DISABLE=1 sudo -E gnome-disks`.
     gnome-disk-utility.buildCost = 1;
-    gnome-disk-utility.sandbox.whitelistDbus = [ "system" ];
+    gnome-disk-utility.sandbox.whitelistDbus.system = true;
     gnome-disk-utility.sandbox.whitelistWayland = true;
     gnome-disk-utility.sandbox.extraHomePaths = [
       "tmp"
@@ -691,34 +683,14 @@ in
     # seahorse: dump gnome-keyring secrets.
     seahorse.buildCost = 1;
     # N.B. it can lso manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
-    seahorse.sandbox.whitelistDbus = [ "user" ];
+    seahorse.sandbox.whitelistDbus.user = true;  #< TODO: reduce
     seahorse.sandbox.whitelistWayland = true;
 
     gnome-2048.buildCost = 1;
     gnome-2048.sandbox.whitelistWayland = true;
+    gnome-2048.sandbox.mesaCacheDir = ".cache/gnome-2048/mesa";
     gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 
-    gnome-frog.buildCost = 1;
-    gnome-frog.sandbox.whitelistWayland = true;
-    gnome-frog.sandbox.whitelistDbus = [ "user" ];
-    gnome-frog.sandbox.extraPaths = [
-      # needed when processing screenshots
-      "/tmp"
-    ];
-    gnome-frog.sandbox.extraHomePaths = [
-      # for OCR'ing photos from disk
-      "tmp"
-      "Pictures/albums"
-      "Pictures/cat"
-      "Pictures/from"
-      "Pictures/Photos"
-      "Pictures/Screenshots"
-      "Pictures/servo-macros"
-    ];
-    gnome-frog.persist.byStore.ephemeral = [
-      ".local/share/tessdata"  # 15M; dunno what all it is.
-    ];
-
     gnugrep.sandbox.autodetectCliPaths = "existing";
     gnugrep.sandbox.whitelistPwd = true;
     gnugrep.sandbox.extraHomePaths = [
@@ -740,7 +712,6 @@ in
     # N.B.: if the user doesn't specify an output path, `grim` will output to ~/Pictures (which isn't included in this sandbox)
     grim.sandbox.autodetectCliPaths = "existingOrParent";
     grim.sandbox.whitelistWayland = true;
-    grim.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
 
     hase.buildCost = 1;
     hase.sandbox.net = "clearnet";
@@ -816,7 +787,7 @@ in
       "/sys/devices"
     ];
 
-    libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
+    libnotify.sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notify-send
 
     lightning-cli.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.clightning "lightning-cli";
     lightning-cli.sandbox.extraHomePaths = [
@@ -838,6 +809,7 @@ in
     losslesscut-bin.sandbox.whitelistDri = true;
     losslesscut-bin.sandbox.whitelistWayland = true;
     # losslesscut-bin.sandbox.whitelistX = true;
+    losslesscut-bin.sandbox.mesaCacheDir = ".cache/losslesscut/mesa";  # TODO: is this the correct app-id?
     losslesscut-bin.packageUnwrapped = pkgs.losslesscut-bin.overrideAttrs (base: {
       extraMakeWrapperArgs = (base.extraMakeWrapperArgs or []) ++ [
         "--append-flags '--ozone-platform-hint=auto --ozone-platform=wayland --enable-features=WaylandWindowDecorations'"
@@ -901,13 +873,17 @@ in
     nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
 
     networkmanagerapplet.sandbox.whitelistWayland = true;
-    networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
+    networkmanagerapplet.sandbox.whitelistDbus.system = true;
 
     nil.sandbox.whitelistPwd = true;
     nil.sandbox.keepPids = true;
 
     nixd.sandbox.whitelistPwd = true;
 
+    nix-tree.sandbox.extraPaths = [
+      "/nix/var"
+    ];
+
     nixfmt-rfc-style.sandbox.autodetectCliPaths = "existingDirOrParent";  #< it formats via rename
 
     nixpkgs-hammering.sandbox.whitelistPwd = true;
@@ -964,6 +940,7 @@ in
     pavucontrol.sandbox.whitelistAudio = true;
     pavucontrol.sandbox.whitelistDri = true;  #< to be a little more responsive
     pavucontrol.sandbox.whitelistWayland = true;
+    pavucontrol.sandbox.mesaCacheDir = ".cache/pavucontrol/mesa";
 
     pciutils.sandbox.extraPaths = [
       "/sys/bus/pci"
@@ -1005,14 +982,17 @@ in
     pwvucontrol.sandbox.whitelistAudio = true;
     pwvucontrol.sandbox.whitelistDri = true;  # else perf on moby is unusable
     pwvucontrol.sandbox.whitelistWayland = true;
+    pwvucontrol.sandbox.mesaCacheDir = ".cache/pwvucontrol/mesa";  # TODO: is this the correct app-id?
 
     pyright.sandbox.whitelistPwd = true;
 
     python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
       libgpiod
+      numpy
       psutil
       pykakasi
       requests
+      scipy
       unidecode
     ]);
     python3-repl.sandbox.net = "clearnet";
@@ -1028,6 +1008,7 @@ in
     rsync.sandbox.autodetectCliPaths = "existingOrParent";
     rsync.sandbox.tryKeepUsers = true;  # if running as root, keep the user namespace so that `-a` can set the correct owners, etc
 
+    rust-analyzer.buildCost = 2;
     rust-analyzer.sandbox.whitelistPwd = true;
     rust-analyzer.suggestedPrograms = [
       "cargo"
@@ -1042,7 +1023,7 @@ in
     sane-cast.sandbox.whitelistAudio = true;  #< for sblast audio casting
     sane-cast.suggestedPrograms = [ "go2tv" "sblast" ];
 
-    sane-color-picker.sandbox.whitelistDbus = [ "user" ];  #< required for eyedropper to work
+    sane-color-picker.sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< required for eyedropper to work
     sane-color-picker.sandbox.whitelistWayland = true;
     sane-color-picker.sandbox.keepPidsAndProc = true;  #< required by wl-clipboard
     sane-color-picker.suggestedPrograms = [
@@ -1050,6 +1031,7 @@ in
       "wl-clipboard"
       # "zenity"
     ];
+    sane-color-picker.sandbox.mesaCacheDir = ".cache/sane-color-picker/mesa";  # TODO: is this the correct app-id?
 
     sane-die-with-parent.sandbox.enable = false;  #< it's a launcher; can't sandbox
 
@@ -1072,6 +1054,7 @@ in
     shattered-pixel-dungeon.sandbox.whitelistAudio = true;
     shattered-pixel-dungeon.sandbox.whitelistDri = true;
     shattered-pixel-dungeon.sandbox.whitelistWayland = true;
+    shattered-pixel-dungeon.sandbox.mesaCacheDir = ".cache/.shatteredpixel/mesa";
 
     # printer/filament settings
     slic3r.buildCost = 1;
@@ -1081,7 +1064,9 @@ in
     slic3r.sandbox.autodetectCliPaths = "existingFileOrParent";  # slic3r <my-file>.stl -o <out>.gcode
 
     slurp.sandbox.whitelistWayland = true;
-    slurp.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
+
+    snapper.sandbox.tryKeepUsers = true;
+    snapper.sandbox.whitelistDbus.system = true;  #< all `snapper` does is speak to the daemon, via dbus
 
     # snapshot camera, based on libcamera
     # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
@@ -1100,6 +1085,7 @@ in
 
     space-cadet-pinball.buildCost = 1;
     space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
+    space-cadet-pinball.sandbox.mesaCacheDir = ".cache/SpaceCadetPinball/mesa";  # TODO: is this the correct app-id?
     space-cadet-pinball.sandbox.whitelistAudio = true;
     space-cadet-pinball.sandbox.whitelistDri = true;
     space-cadet-pinball.sandbox.whitelistWayland = true;
@@ -1131,6 +1117,7 @@ in
     superTux.sandbox.whitelistDri = true;
     superTux.sandbox.whitelistWayland = true;
     # superTux.sandbox.whitelistX = true;
+    superTux.sandbox.mesaCacheDir = ".cache/supertux2/mesa";  # TODO: is this the correct app-id?
     superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
     superTux.packageUnwrapped = pkgs.superTux.overrideAttrs (base: {
       nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
@@ -1165,6 +1152,7 @@ in
     tree.sandbox.tryKeepUsers = true;
     tree.sandbox.capabilities = [ "dac_read_search" ];
 
+    typescript-language-server.buildCost = 2;
     typescript-language-server.sandbox.whitelistPwd = true;
 
     tumiki-fighters.buildCost = 1;
@@ -1172,6 +1160,7 @@ in
     tumiki-fighters.sandbox.whitelistDri = true;  #< not strictly necessary, but triples CPU perf
     tumiki-fighters.sandbox.whitelistWayland = true;
     tumiki-fighters.sandbox.whitelistX = true;
+    tumiki-fighters.sandbox.mesaCacheDir = ".cache/tumiki-fighters/mesa";  # TODO: is this the correct app-id?
     tumiki-fighters.suggestedPrograms = [
       "xwayland"  #< XXX(2024-11-10): does not start without X(wayland), not even with SDL_VIDEDRIVER=wayland
     ];
@@ -1202,7 +1191,6 @@ in
     # `vulkaninfo`, `vkcube`
     vulkan-tools.sandbox.whitelistDri = true;
     vulkan-tools.sandbox.whitelistWayland = true;
-    vulkan-tools.sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
     vulkan-tools.sandbox.whitelistX = true;
     vulkan-tools.sandbox.extraPaths = [
       "/sys/dev/char"
@@ -1213,6 +1201,7 @@ in
     vvvvvv.sandbox.whitelistAudio = true;
     vvvvvv.sandbox.whitelistDri = true;  #< playable without, but burns noticably more CPU
     vvvvvv.sandbox.whitelistWayland = true;
+    vvvvvv.sandbox.mesaCacheDir = ".cache/VVVVVV/mesa";
     vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
 
     w3m.sandbox.net = "all";
@@ -1223,6 +1212,7 @@ in
 
     watch.sandbox.enable = false;  #< it executes the command it's given
 
+    wdisplays.sandbox.mesaCacheDir = ".cache/wdisplays/mesa";  # TODO: is this the correct app-id?
     wdisplays.sandbox.whitelistWayland = true;
 
     wget.sandbox.net = "all";
@@ -1243,16 +1233,15 @@ in
 
     wl-clipboard.sandbox.whitelistWayland = true;
     wl-clipboard.sandbox.keepPids = true;  #< this is needed, but not sure why?
-    wl-clipboard.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
 
     wtype = {};
     wtype.sandbox.whitelistWayland = true;
-    wtype.sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
 
     xwayland.sandbox.wrapperType = "inplace";  #< consumers use it as a library (e.g. wlroots)
     xwayland.sandbox.whitelistWayland = true;  #< just assuming this is needed
     xwayland.sandbox.whitelistX = true;
     xwayland.sandbox.whitelistDri = true;  #< would assume this gives better gfx perf
+    xwayland.sandbox.mesaCacheDir = ".cache/xwayland/mesa";  # TODO: is this the correct app-id?
 
     xterm.sandbox.enable = false;  # need to be able to do everything
 

hosts/common/programs/avahi.nix

@@ -28,7 +28,7 @@ in
         pkgs.makeBinaryWrapper
       ];
     });
-    sandbox.whitelistDbus = [ "system" ];
+    sandbox.whitelistDbus.system = true;
     sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
     # sandbox.extraPaths = [ ];  #< may be missing some paths; only tried service discovery, not service advertisement.
   };

hosts/common/programs/bemenu.nix

@@ -88,9 +88,6 @@ in
 {
   sane.programs.bemenu = {
     sandbox.whitelistWayland = true;
-    sandbox.extraHomePaths = [
-      ".cache/fontconfig"  #< else it complains, and is *way* slower
-    ];
 
     packageUnwrapped = pkgs.bemenu.overrideAttrs (upstream: {
       nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [

hosts/common/programs/blanket.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  sane.programs.blanket = {
+    # com.rafaelmardojai.Blanket
+    buildCost = 1;
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus.user.own = [
+      "com.rafaelmardojai.Blanket"
+      "org.mpris.MediaPlayer2.Blanket"
+    ];
+    sandbox.whitelistWayland = true;
+  };
+}

hosts/common/programs/blueberry.nix

@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.blueberry;
+in
+{
+  sane.programs.blueberry = {
+    sandbox.wrapperType = "inplace";  #< it places binaries in /lib and then /etc/xdg/autostart files refer to the /lib paths, and fail to be patched
+    sandbox.whitelistWayland = true;
+    sandbox.extraPaths = [
+      "/dev/rfkill"
+      "/run/dbus"
+      "/sys/class/rfkill"
+      "/sys/devices"
+    ];
+    sandbox.keepPids = true;  #< not sure why, but it fails to launch GUI without this
+  };
+
+  # TODO: hardware.bluetooth puts like 100 binaries from `bluez` onto PATH;
+  # i can probably patch this so it's just `bluetoothd`.
+  # see: <repo:nixos/nixpkgs:nixos/modules/services/hardware/bluetooth.nix>
+  hardware.bluetooth = lib.mkIf cfg.enabled {
+    enable = true;
+  };
+}

hosts/common/programs/blueman.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  sane.programs.blueman = {
+    sandbox.method = null;  #< TODO: sandbox
+  };
+}

hosts/common/programs/bonsai.nix

@@ -50,9 +50,10 @@ in
     };
   };
 
-  # plug into the (proposed) nixpkgs bonsaid service.
+  # plug into the nixpkgs bonsaid service.
   # it's a user service, and since i don't use the service manager it doesn't actually activate:
   # i just steal the config file generation from it :)
+  services.bonsaid.package = config.sane.programs.bonsai.package;
   services.bonsaid.settings = lib.mkIf cfg.enabled (lib.mkMerge [
     cfg.config.transitions
     [{

hosts/common/programs/brave.nix

@@ -22,6 +22,7 @@
     sandbox.extraPaths = [
       "/tmp"  # needed particularly if run from `sane-vpn do`
     ];
+    sandbox.mesaCacheDir = ".cache/BraveSoftware/mesa";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/brightnessctl.nix

@@ -9,7 +9,7 @@ in
       "/sys/class/leds"
       "/sys/devices"
     ];
-    # sandbox.whitelistDbus = [ "system" ];  #< only necessary if not granting udev perms
+    # sandbox.whitelistDbus.system = true;  #< only necessary if not granting udev perms
   };
 
   services.udev.extraRules = let

hosts/common/programs/btrfs-progs.nix

@@ -4,7 +4,8 @@ let
 in
 {
   sane.programs.btrfs-progs = {
-    sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`
+    # sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`
+    sandbox.autodetectCliPaths = "parent";  # e.g. `btrfs subvolume create ./my_subvol`
     sandbox.extraPaths = [
       "/dev/btrfs-control"
       #vvv required for `sudo btrfs filesystem show` with no args

hosts/common/programs/bunpen.nix

@@ -7,7 +7,7 @@ in
     packageUnwrapped = pkgs.bunpen.overrideAttrs (base: {
       # create a directory which holds just the `bunpen` so that we
       # can add bunpen as a dependency to binaries via `PATH=/run/current-system/libexec/bunpen` without forcing rebuild every time bunpen changes
-      postInstall = ''
+      postInstall = (base.postInstall or "") + ''
         mkdir -p $out/libexec/bunpen
         ln -s $out/bin/bunpen $out/libexec/bunpen/bunpen
       '';

hosts/common/programs/callaudiod.nix

@@ -14,7 +14,7 @@
     packageUnwrapped = pkgs.rmDbusServices pkgs.callaudiod;
 
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
 
     services.callaudiod = {
       description = "callaudiod: dbus service to switch audio profiles and mute microphone";

hosts/common/programs/calls.nix

@@ -102,9 +102,15 @@ in
       ];
     }));
 
+    sandbox.mesaCacheDir = ".cache/calls/mesa";
     sandbox.net = "vpn.wg-home";  #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # necessary for secrets, at the minimum
+    sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict to a subset of secrets
+    sandbox.whitelistDbus.user.call."org.mobian_project.CallAudio" = "*";
+    sandbox.whitelistDbus.user.call."org.sigxcpu.Feedback" = "*";
+    sandbox.whitelistDbus.user.call."org.gnome.evolution.dataserver.*" = "*";  #< TODO: reduce; only needs address book and maybe sources
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Calls" ];
+    sandbox.whitelistSendNotifications = true;  # for missed calls
     sandbox.whitelistWayland = true;
 
     persist.byStore.private = [

hosts/common/programs/captree.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
   sane.programs.captree = {
-    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "captree";
     sandbox.keepPidsAndProc = true;
   };
 }

hosts/common/programs/cargo.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sane.programs.cargo = {
+    #v XXX(2025-02-23): normal `cargo` fails to build for cross (temporarily?). use prebuilt instead.
+    # NOT easy to debug/fix. git bisect pins this between ceba2c6c3b (good) and 62a28e5a3d (bad)
+    packageUnwrapped = pkgs.rust.packages.prebuilt.cargo;
+    persist.byStore.plaintext = [ ".cargo" ];
+    # probably this sandboxing is too restrictive; i'm sandboxing it for rust-analyzer / neovim LSP
+    sandbox.whitelistPwd = true;
+    sandbox.net = "all";
+    sandbox.extraHomePaths = [ "dev" "ref" ];
+  };
+}

hosts/common/programs/celeste64.nix

@@ -14,5 +14,6 @@
       # save data, controls map
       ".local/share/Celeste64"
     ];
+    sandbox.mesaCacheDir = ".cache/Celeste64/mesa";
   };
 }

hosts/common/programs/confy.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  sane.programs.confy = {
+    sandbox.net = "all";
+    sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+    sandbox.mesaCacheDir = ".cache/net.kirgroup.confy/mesa";
+    sandbox.whitelistDbus.user.own = [ "net.kirgroup.confy" ];
+    sandbox.whitelistPortal = [
+      "NetworkMonitor"
+      "OpenURI"
+    ];
+
+    persist.byStore.private = [
+      ".cache/net.kirgroup.confy"
+      # ".local/share/net.kirgroup.confy"  #< empty
+    ];
+  };
+}

hosts/common/programs/conky/default.nix

@@ -9,7 +9,6 @@
       # "/sys/devices/system"
     ];
     sandbox.whitelistWayland = true;
-    sandbox.mesaCacheDir = null;  # doesn't use mesa even though it uses wayland
 
     suggestedPrograms = [
       "sane-sysload"

hosts/common/programs/cozy.nix

@@ -16,7 +16,7 @@
     buildCost = 1;
 
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Books/Audiobooks"

hosts/common/programs/cups.nix

@@ -11,11 +11,12 @@ let
 in
 {
   sane.programs.cups = {
+    sandbox.method = null;  #< TODO: sandbox
     suggestedPrograms = [
       "system-config-printer"
     ];
   };
-  sane.programs.system-config-printer = {};
+  sane.programs.system-config-printer.sandbox.method = null;  #< TODO: sandbox
 
   services.printing = lib.mkIf cfg.enabled {
     enable = true;

hosts/common/programs/dconf.nix

@@ -30,7 +30,7 @@ in
 {
   sane.programs.dconf = {
     packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.dconf;
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     persist.byStore.private = [
       ".config/dconf"
     ];

hosts/common/programs/default.nix

@@ -13,6 +13,9 @@
     ./avahi.nix
     ./bemenu.nix
     ./bitcoin-cli.nix
+    ./blanket.nix
+    ./blueberry.nix
+    ./blueman.nix
     ./bonsai.nix
     ./brave.nix
     ./brightnessctl.nix
@@ -24,9 +27,11 @@
     ./cantata.nix
     ./capsh.nix
     ./captree.nix
+    ./cargo.nix
     ./catt.nix
     ./celeste64.nix
     ./chatty.nix
+    ./confy.nix
     ./conky
     ./cozy.nix
     ./cups.nix
@@ -75,6 +80,7 @@
     ./gnome-clocks.nix
     ./gnome-contacts.nix
     ./gnome-feeds.nix
+    ./gnome-frog.nix
     ./gnome-keyring
     ./gnome-maps.nix
     ./gnome-weather.nix
@@ -133,6 +139,7 @@
     ./nmcli.nix
     ./notejot.nix
     ./ntfy-sh.nix
+    ./nvimpager.nix
     ./nwg-panel
     ./objdump.nix
     ./obsidian.nix

hosts/common/programs/dialect.nix

@@ -16,5 +16,7 @@
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
     # gsettingsPersist = [ "app/drey/Dialect" ];
+
+    sandbox.mesaCacheDir = ".cache/dialect/mesa";  # TODO: is this the correct app-dir?
   };
 }

hosts/common/programs/dino.nix

@@ -58,14 +58,22 @@ in
       webrtc-audio-processing = null;
     };
 
-    suggestedPrograms = [
-      "gnome-keyring"
-    ];
+    # suggestedPrograms = [
+    #   "gnome-keyring"
+    # ];
 
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    # sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< apparently not needed?
+    sandbox.whitelistDbus.user.own = [ "im.dino.Dino" ];
     sandbox.whitelistDri = true;  #< not strictly necessary, but we need all the perf we can get on moby
+    sandbox.whitelistSendNotifications = true;
+    sandbox.whitelistPortal = [
+      # "FileChooser"
+      # "NetworkMonitor"  #< stderr message if omitted, but non-fatal
+      "OpenURI"
+      "ProxyResolver"  #< REQUIRED, else all peers will appear offline & messages can't be sent/received
+    ];
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"
@@ -84,6 +92,7 @@ in
     #   ".cache/gstreamer-1.0"  # 1.3 MB  #< TODO: place the gst cache in ~/.cache/dino/gstreamer-1.0
     # ];
     persist.byStore.private = [ ".local/share/dino" ];
+    sandbox.mesaCacheDir = ".cache/dino/mesa";
 
     services.dino = {
       description = "dino XMPP client";

hosts/common/programs/discord.nix

@@ -6,11 +6,16 @@
       installPhase = lib.replaceStrings [ "NIXOS_OZONE_WL" ] [ "WAYLAND_DISPLAY" ] base.installPhase;
     });
 
+    sandbox.mesaCacheDir = ".cache/discord/mesa";
     # creds, but also 200 MB of node modules, etc
     persist.byStore.private = [ ".config/discord" ];
     sandbox.wrapperType = "inplace";  #< package contains broken symlinks that my wrapper can't handle
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # needed for xdg-open
+    # sandbox.whitelistDbus.user.own = [ ":*" ];  #< does not own any well-known name
+    sandbox.whitelistPortal = [
+      # "FileChooser"  #< does not use file chooser
+      "OpenURI"
+    ];
     sandbox.whitelistDri = true;  #< required for even basic graphics (e.g. rendering a window)
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";

hosts/common/programs/dissent.nix

@@ -38,8 +38,14 @@ in
 
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict secrets
+    sandbox.whitelistDbus.user.own = [ "so.libdb.dissent" ];
     sandbox.whitelistDri = true;
+    sandbox.whitelistPortal = [
+      "FileChooser"
+      "OpenURI"
+    ];
+    sandbox.whitelistSendNotifications = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"
@@ -54,6 +60,8 @@ in
       "tmp"
     ];
 
+    sandbox.mesaCacheDir = ".cache/dissent/mesa";
+
     persist.byStore.private = [
       ".cache/dissent"
       ".config/dissent"  # empty?

hosts/common/programs/eg25-control.nix

@@ -17,9 +17,7 @@ in
       # "/var/lib/eg25-control"
     ];
     sandbox.net = "all";  #< for downloading the almanac
-    sandbox.whitelistDbus = [
-      "system"  #< used by `mmcli`
-    ];
+    sandbox.whitelistDbus.system = true;  #< used by `mmcli`
 
     services.eg25-control-powered = {
       description = "eg25-control-powered: power to the Qualcomm eg25 modem used by PinePhone";

hosts/common/programs/element-desktop.nix

@@ -30,7 +30,7 @@
 
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
@@ -49,6 +49,7 @@
       "/dev/snd"  #< needed only when playing embedded audio (not embedded video!)
     ];
 
+    sandbox.mesaCacheDir = ".cache/Element/mesa";
     # creds/session keys, etc
     persist.byStore.private = [ ".config/Element" ];
   };

hosts/common/programs/epiphany.nix

@@ -11,7 +11,17 @@
     sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< silently fails to start without it.
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Epiphany" ];
+    sandbox.whitelistPortal = [
+      # these are all speculative
+      "Camera"
+      "FileChooser"
+      "Location"
+      "OpenURI"
+      "Print"
+      "ProxyResolver"  #< required else it doesn't load websites
+      "ScreenCast"
+    ];
     # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
     # enabling DRI/DRM (as below) seems to fix that.
     sandbox.whitelistDri = true;

hosts/common/programs/evolution-data-server.nix

@@ -96,7 +96,7 @@ in
       "radicale"
     ];
 
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     sandbox.net = "localhost";  #< to reach radicale  (TODO: restrict further)
 
     persist.byStore.ephemeral = [

hosts/common/programs/fcitx5.nix

@@ -34,7 +34,7 @@
       ];
     };
 
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     sandbox.whitelistWayland = true;  # for `fcitx5-configtool, if nothing else`
     sandbox.extraHomePaths = [
       # ".config/fcitx"

hosts/common/programs/feedbackd.nix

@@ -24,7 +24,7 @@ in
       default = {};
     };
 
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user.own = [ "org.sigxcpu.Feedback" ];
     sandbox.whitelistAudio = true;
     sandbox.extraPaths = [
       "/dev/input/by-path/platform-vibrator-event"

hosts/common/programs/firefox-xdg-open.nix

@@ -3,7 +3,9 @@
   sane.programs.firefox-xdg-open = {
     packageUnwrapped = pkgs.firefox-extensions.firefox-xdg-open.systemComponent;
 
-    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+    sandbox.whitelistPortal = [
+      "OpenURI"
+    ];
 
     mime.associations."x-scheme-handler/xdg-open" = "xdg-open.desktop";
 

hosts/common/programs/firefox/bookmarks.html

@@ -9,6 +9,7 @@
   <dt><h3 unfiled_bookmarks_folder="true">Other Bookmarks</h3>
   <dl><p>
     <!-- XXX: if you want multiple aliases, declare the link twice WITH A DIFFERENT HREF= else firefox dedupes them (case-insensitively) -->
+    <dt><a href="https://aur.archlinux.org/packages?O=0&K=%s" shortcuturl="aur">Search AUR
     <dt><a href="https://docs.rs/releases/search?query=%s" shortcuturl="docsrs">Search docs.rs
     <dt><a href="https://duckduckgo.com/?t=h_&q=%s" shortcuturl="ddg">Search DuckDuckGo
     <dt><a href="https://en.wikipedia.org/wiki/Special:Search?search=%s" shortcuturl="w">Search Wikipedia

hosts/common/programs/firefox/default.nix

@@ -214,7 +214,17 @@ in
     sandbox.net = "all";
     sandbox.whitelistAudio = true;
     sandbox.whitelistAvDev = true;  #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user.own = [ "org.mozilla.firefox.*" ];
+    sandbox.whitelistPortal = [
+      "Camera"  # not sure if used
+      # "Email"  # not sure if used
+      "FileChooser"
+      "Location"  # not sure if used
+      "OpenURI"
+      "Print"  # not sure if used
+      "ScreenCast"  # not sure if used
+    ];
+    sandbox.whitelistSendNotifications = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "dev"  # for developing anything web-related
@@ -230,6 +240,7 @@ in
     ] ++ addonHomePaths;
 
     sandbox.tmpDir = ".cache/mozilla/tmp";
+    sandbox.mesaCacheDir = ".cache/mozilla/mesa";
 
     mime.associations = let
       desktop = "firefox.desktop";

hosts/common/programs/flare-signal.nix

@@ -80,8 +80,6 @@
     env.FLARE_DATA_PATH = "$HOME/.local/share/flare/data";
     # sandbox.net = "clearnet";
     # sandbox.whitelistWayland = true;
-    # sandbox.whitelistDbus = [
-    #   "user"  # so i can click on links, at least
-    # ];
+    # sandbox.whitelistDbus.user = true;  # so i can click on links, at least (TODO: reduce!)
   };
 }

hosts/common/programs/foliate.nix

@@ -3,8 +3,12 @@
 {
   sane.programs.foliate = {
     sandbox.net = "clearnet";  #< for dictionary, wikipedia, online book libraries
-    sandbox.whitelistDbus = [ "user" ];  #< when clicking on links
+    sandbox.whitelistDbus.user.own = [ "com.github.johnfactotum.Foliate" ];
     sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
+    sandbox.whitelistPortal = [
+      "FileChooser"
+      "OpenURI"
+    ];
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Books/Books"
@@ -23,6 +27,8 @@
     ];
     sandbox.autodetectCliPaths = "existing";
 
+    sandbox.mesaCacheDir = ".cache/com.github.johnfactotum.Foliate/mesa";
+
     persist.byStore.plaintext = [
       ".local/share/com.github.johnfactotum.Foliate"  #< books added, reading position
       ".cache/com.github.johnfactotum.Foliate"  #< webkit cache

hosts/common/programs/fontconfig.nix

@@ -58,6 +58,8 @@ in
         # "Font Awesome 6 Brands"
       ];
       monospace = [
+        "Monaspace Argon"  #< thin, slightly handwriting-ish
+        # "Monaspace Neon"  #< typewriter style
         "Hack Nerd Font Propo"
         # "DejaVuSansM Nerd Font Propo"
         "NotoMono Nerd Font Propo"
@@ -88,14 +90,15 @@ in
     packages = with pkgs; [
       # TODO: reduce this font set.
       # - probably need only one of dejavu/freefont/liberation
-      dejavu_fonts  # 10 MiB; DejaVu {Sans,Serif,Sans Mono,Math TeX Gyre}; also available as a NerdFonts (Sans Mono only)
-      # font-awesome  #  2 MiB; Font Awesome 6 {Free,Brands}
-      freefont_ttf  # 11 MiB; Free{Mono,Sans,Serif}
-      gyre-fonts    #  4 MiB; Tex Gyre *; ttf substitutes for standard PostScript fonts
-      # hack-font     #  1 MiB; Hack; also available as a NerdFonts
-      liberation_ttf # 4 MiB; Liberation {Mono,Sans,Serif}; also available as a NerdFonts
+      dejavu_fonts            # 10 MiB; DejaVu {Sans,Serif,Sans Mono,Math TeX Gyre}; also available as a NerdFonts (Sans Mono only)
+      # font-awesome            #  2 MiB; Font Awesome 6 {Free,Brands}
+      freefont_ttf            # 11 MiB; Free{Mono,Sans,Serif}
+      gyre-fonts              #  4 MiB; Tex Gyre *; ttf substitutes for standard PostScript fonts
+      # hack-font               #  1 MiB; Hack; also available as a NerdFonts
+      liberation_ttf          # 4 MiB; Liberation {Mono,Sans,Serif}; also available as a NerdFonts
+      monaspace               # 20 MiB;
       noto-fonts-color-emoji  # 10 Mib; Noto Color Emoji
-      unifont       # 16 MiB; Unifont; provides LOTS of unicode coverage
+      unifont                 # 16 MiB; Unifont; provides LOTS of unicode coverage
 
       # nerdfonts takes popular open fonts and patches them to support a wider range of glyphs, notably emoji.
       # any nerdfonts font includes icons such as these:

hosts/common/programs/fractal.nix

@@ -38,8 +38,15 @@ in
 
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Fractal" ];
+    sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict to a subset of secrets
     sandbox.whitelistDri = true;  # otherwise video playback buuuuurns CPU
+    sandbox.whitelistPortal = [
+      "FileChooser"
+      "NetworkMonitor"  # if portals are enabled, but NetworkMonitor *isn't*, then it'll hang on launch
+      "OpenURI"
+    ];
+    sandbox.whitelistSendNotifications = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       # still needs these paths despite it using the portal's file-chooser :?
@@ -54,6 +61,7 @@ in
       "Videos/servo"
       "tmp"
     ];
+    sandbox.mesaCacheDir = ".cache/fractal/mesa";
     sandbox.tmpDir = ".cache/fractal/tmp";  # 10MB+ avatar caches (grows seemingly unbounded during runtime)
 
     persist.byStore.ephemeral = [

hosts/common/programs/g4music.nix

@@ -11,12 +11,13 @@
     buildCost = 1;
 
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"
     ];
 
+    sandbox.mesaCacheDir = ".cache/com.github.neithern.g4music/mesa";
     persist.byStore.plaintext = [
       # index?
       ".cache/com.github.neithern.g4music"

hosts/common/programs/gdbus.nix

@@ -3,6 +3,6 @@
   sane.programs.gdbus = {
     packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.glib "gdbus";
 
-    sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< XXX: maybe future users will also want system access
   };
 }

hosts/common/programs/geary.nix

@@ -25,7 +25,11 @@ in
 
     sandbox.wrapperType = "inplace";  #< XXX(2024-08-20): if executed from a directory different than the configured prefix, it fails to locate its sql migration files
     sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce (as per below; after xdg-dbus-proxy is made nestable)
+    # sandbox.whitelisDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict to a subset of secrets
+    # sandbox.whitelistDbus.user.call."org.gnome.evolution.dataserver.*" = "*";
+    # sandbox.whitelistDbus.user.own = [ "org.gnome.Geary" ];
+    # sandbox.whitelistPortal = [ "FileChooser" "OpenURI" "Print" ];  #< unsure if all these are actually used
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       # it shouldn't need these, but portal integration seems incomplete?
@@ -49,6 +53,7 @@ in
     # fs.".local/share/folks".dir = {};
 
     buildCost = 3;  # uses webkitgtk 4.1
+    sandbox.mesaCacheDir = ".cache/geary/mesa";
     persist.byStore.private = [
       # attachments, and email -- contained in a sqlite db
       ".local/share/geary"

hosts/common/programs/geoclue-demo-agent.nix

@@ -7,9 +7,7 @@
       path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent";
     }];
 
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
 
     services.geoclue-agent = {
       description = "geoclue 'demo' agent";

hosts/common/programs/geoclue2.nix

@@ -47,9 +47,7 @@ in
     package = lib.mkForce null;
 
     # experimental sandboxing (2024/07/05)
-    # sandbox.whitelistDbus = [
-    #   "system"
-    # ];
+    # sandbox.whitelistDbus.system = true;
     # sandbox.net = "all";
   };
 

hosts/common/programs/gnome-clocks.nix

@@ -1,9 +1,14 @@
+# TODO(2025-01-09): fix the 'alarm' component
+# - it creates a desktop notification, but no sound, and permanently freezes the app
+# TODO(2025-01-09): inhibit screen-off while focused (for stopwatch function)
 { ... }: {
   sane.programs.gnome-clocks = {
     buildCost = 1;
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< required for DE notification when alarm rings
+    sandbox.whitelistDbus.user.own = [ "org.gnome.clocks" ];
+    sandbox.whitelistSendNotifications = true;
     sandbox.whitelistWayland = true;
+    sandbox.mesaCacheDir = ".cache/gnome-clocks/mesa";  # TODO: is this the correct app-id?
     gsettingsPersist = [ "org/gnome/clocks" ];
   };
 }

hosts/common/programs/gnome-contacts.nix

@@ -1,6 +1,19 @@
 { pkgs, ... }: {
   sane.programs.gnome-contacts = {
-    packageUnwrapped = pkgs.gnome-contacts.overrideAttrs (upstream: {
+    packageUnwrapped = (pkgs.gnome-contacts.override {
+      evolution-data-server-gtk4 = pkgs.evolution-data-server-gtk4.override {
+        # drop webkitgtk_6_0 dependency.
+        # it's normally cached, but if modifying low-level deps (e.g. pipewire) it's nice to not have to rebuild it,
+        # especially since `gnome-contacts` is part of `moby-min`.
+        withGtk4 = false;
+      };
+      folks = pkgs.folks.override {
+        evolution-data-server-gtk4 = pkgs.evolution-data-server-gtk4.override {
+          # drop webkitgtk_6_0 dependency.
+          withGtk4 = false;
+        };
+      };
+    }).overrideAttrs (upstream: {
       # patches = (upstream.patches or []) ++ [
       #   # optional danctnix patch to allow clicking on the telephone to open the calls app,
       #   # however it's frequently in need of rebasing
@@ -29,10 +42,16 @@
       did-initial-setup = true;
     };
 
-    sandbox.whitelistDbus = [ "user" ];  #< for OpenURI, evolution-data-server
+    sandbox.whitelistDbus.user.call."org.gnome.evolution.dataserver.*" = "*";  #< TODO: reduce; only needs address book and maybe sources (probably not calendar, 'cept maybe for birthdays?)
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Contacts" ];
     sandbox.whitelistDri = true;  #< speculative, but i'd like it to be responsive on mobile
+    sandbox.whitelistPortal = [
+      "OpenURI"
+    ];
     sandbox.whitelistWayland = true;
 
+    sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa";  # TODO: is this the correct app-id?
+
     suggestedPrograms = [
       "evolution-data-server"  #< REQUIRED for saving/loading of any contacts
     ];

hosts/common/programs/gnome-frog.nix

@@ -0,0 +1,31 @@
+{ ... }:
+{
+  sane.programs.gnome-frog = {
+    buildCost = 1;
+    sandbox.whitelistWayland = true;
+    sandbox.whitelistDbus.user.own = [
+      "com.github.tenderowl.frog"
+    ];
+    sandbox.whitelistPortal = [
+      "Screenshot"
+    ];
+    sandbox.extraPaths = [
+      # needed when processing screenshots (TODO: can i have it use a custom TMPDIR?)
+      "/tmp"
+    ];
+    sandbox.extraHomePaths = [
+      # for OCR'ing photos from disk
+      "tmp"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+    ];
+    persist.byStore.ephemeral = [
+      ".local/share/tessdata"  # 15M; dunno what all it is.
+    ];
+    sandbox.mesaCacheDir = ".cache/gnome-frog/mesa";  # TODO: is this the correct app-id?
+  };
+}

hosts/common/programs/gnome-keyring/default.nix

@@ -3,16 +3,16 @@
 {
   sane.programs.gnome-keyring = {
     packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring;
-    sandbox.whitelistDbus = [ "user" ];
-    sandbox.extraRuntimePaths = [
-      "keyring"  #< only needs keyring/control, but has to *create* that.
-      # "keyring/control"
-    ];
     sandbox.capabilities = [
       # ipc_lock: used to `mlock` the secrets so they don't get swapped out.
       # this is optional, and user namespacing (bwrap) likely doesn't propagate it anyway
       "ipc_lock"
     ];
+    sandbox.extraRuntimePaths = [
+      "keyring"  #< only needs keyring/control, but has to *create* that.
+      # "keyring/control"
+    ];
+    sandbox.whitelistDbus.user.own = [ "org.freedesktop.secrets" "org.gnome.keyring" ];
 
     persist.byStore.private = [
       # N.B.: gnome-keyring-daemon used to remove symlinks and replace them with empty directories, but as of 2024-09-05 that seems no longer the case.

hosts/common/programs/gnome-maps.nix

@@ -34,18 +34,18 @@
 
     sandbox.wrapperType = "inplace";  #< /share directory contains Gir info which references libgnome-maps.so by path
     sandbox.whitelistDri = true;  # for perf
-    sandbox.whitelistDbus = [
-      "system"  # system is required for non-portal location services
-      "user"  #< not sure if "user" is necessary?
-    ];
+    sandbox.whitelistDbus.system = true;  #< system is required for non-portal location services
+    sandbox.whitelistDbus.user = true;  #< TODO: not sure if "user" is necessary?
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
 
+    sandbox.mesaCacheDir = ".cache/gnome-maps/mesa";
     persist.byStore.plaintext = [ ".cache/shumate" ];
     # ~/.local/share/gnome-maps/places.json (previously: ../maps-places.json); to persist starred locations, recent locations+routes
     # TODO: building in "developer mode" causes gnome-maps to pretty-print the .json instead of minifying it
     persist.byStore.private = [ ".local/share/gnome-maps" ];
 
     mime.associations."x-scheme-handler/maps" = "org.gnome.Maps.desktop";  # e.g. `maps:q=1600%20Pennsylvania%20Ave`
+    mime.associations."x-scheme-handler/geo" = "org.gnome.Maps.desktop";  # e.g. `geo:50.812375,4.38073;u=100`
   };
 }

hosts/common/programs/gnome-weather.nix

@@ -15,6 +15,8 @@
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
 
+    sandbox.mesaCacheDir = ".cache/gnome-weather/mesa";  # TODO: is this the correct app-id?
+
     persist.byStore.plaintext = [
       ".cache/libgweather"  # weather data (or maybe a http cache)
     ];

hosts/common/programs/gpodder.nix

@@ -24,8 +24,11 @@ in {
       ];
     });
 
-    sandbox.whitelistDbus = [ "user" ];  # it won't launch without it, dunno exactly why.
-    sandbox.whitelistDri = true;  #< hopefully slightly more bearable speed
+    sandbox.whitelistDbus.user.own = [ "org.gpodder" "org.gpodder.gpodder" ];
+    sandbox.whitelistDri = true;  #< makes the UI way more responsive
+    sandbox.whitelistPortal = [
+      "OpenURI"
+    ];
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
 

hosts/common/programs/gps-share.nix

@@ -28,7 +28,7 @@ in
 
     sandbox.net = "all";
     sandbox.autodetectCliPaths = "existing";  #< N.B.: `test -f /dev/ttyUSB1` fails, we can't use `existingFile`
-    sandbox.whitelistDbus = [ "system" ];  #< to register with Avahi
+    sandbox.whitelistDbus.system = true;  #< to register with Avahi
 
     services.gps-share = {
       description = "gps-share: make local GPS serial readings available over Avahi";

hosts/common/programs/grimshot.nix

@@ -15,9 +15,8 @@
       "wl-clipboard"
     ];
     sandbox.keepPids = true;  #< needed by wl-clipboard
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     sandbox.whitelistWayland = true;
-    sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
     sandbox.extraRuntimePaths = [
       "sway"
     ];

hosts/common/programs/handbrake.nix

@@ -3,7 +3,9 @@
   sane.programs.handbrake = {
     buildCost = 1;
 
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.mesaCacheDir = ".cache/handbrake/mesa";  # TODO: is this the correct app-id?
+
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"

hosts/common/programs/haredoc.nix

@@ -3,6 +3,6 @@
 {
   sane.programs.haredoc = {
     sandbox.whitelistPwd = true;  #< search for function documentation below the current directory
-    env.HAREPATH = "${pkgs.hare}/src/hare/stdlib";
+    env.HAREPATH = builtins.toString pkgs.hare.src;
   };
 }

hosts/common/programs/htop/default.nix

@@ -6,7 +6,7 @@
       "/sys/devices"
       "/sys/block"  # for zram usage
     ];
-    sandbox.whitelistDbus = [ "system" ];  #< to show systemd job status
+    sandbox.whitelistDbus.system = true;  #< to show systemd job status
     fs.".config/htop/htoprc".symlink.target = ./htoprc;
   };
 }

hosts/common/programs/iio-sensor-proxy.nix

@@ -41,7 +41,7 @@ in
     });
     enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;  #< for dbus/polkit policies
 
-    sandbox.whitelistDbus = [ "system" ];
+    sandbox.whitelistDbus.system = true;
     sandbox.extraPaths = [
       "/run/udev/data"
       "/sys/bus"

hosts/common/programs/kdenlive.nix

@@ -3,7 +3,7 @@
   sane.programs.kdenlive = {
     buildCost = 1;
 
-    packageUnwrapped = pkgs.kdenlive.overrideAttrs (base: {
+    packageUnwrapped = pkgs.kdePackages.kdenlive.overrideAttrs (base: {
       qtWrapperArgs = base.qtWrapperArgs ++ [
         "--set QP_QPA_PLATFORM wayland"
       ];
@@ -18,7 +18,7 @@
       "tmp"
     ];
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     # sandbox.whitelistX = true;  #< or run with `QT_QPA_PLATFORM=wayland`, without X(wayland)

hosts/common/programs/komikku.nix

@@ -11,6 +11,7 @@
     });
 
     sandbox.net = "clearnet";
+    sandbox.whitelistDbus.user.own = [ "info.febvre.Komikku" ];  #< fails to start if it can't connect to dbus
     sandbox.whitelistDri = true;  #< required
     sandbox.whitelistWayland = true;
 

hosts/common/programs/koreader/default.nix

@@ -46,7 +46,7 @@ in {
   sane.programs.koreader = {
     packageUnwrapped = pkgs.koreader-from-src;
     sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # for opening the web browser via portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for opening the web browser via portal
     sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [

hosts/common/programs/krita.nix

@@ -17,6 +17,7 @@
       "tmp"
     ];
 
+    sandbox.mesaCacheDir = ".cache/krita/mesa";  # TODO: is this the correct app-id?
     suggestedPrograms = [
       "xwayland"  #< XXX(2024-11-10): does not start without X(wayland); not even with QT_QPA_PLATFORM=wayland. see e.g. <https://discuss.kde.org/t/is-there-any-plans-to-add-wayland-support-to-krita/18153>
     ];

hosts/common/programs/lemoa.nix

@@ -3,7 +3,7 @@
   sane.programs.lemoa = {
     buildCost = 1;
     sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # for clicking links
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for clicking links
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     # creds

hosts/common/programs/less.nix

@@ -2,16 +2,24 @@
 {
   sane.programs.less = {
     sandbox.autodetectCliPaths = "existingFile";
-    env.PAGER = "less";
     # LESS flags:
-    # - F = quit if output fits on one screen
-    # - K = exit on ctrl+c
-    # - M = "long prompt"
-    # - R = output raw control characters
-    # - S = chop long lines instead of wrapping
-    # - X = Don't use termcap init/deinit strings (hence, `less` output is visible on the terminal even after exiting)
+    # - --LINE-NUMBERS (N) = render EVERY line with its number in the left column
+    # - --LONG-PROMPT (M) = "long prompt"
+    # - --RAW-CONTROL-CHARS (R) = output raw control characters
+    # - --chop-long-lines (S) = chop long lines instead of wrapping
+    # - --incsearch = start searching immediately as you type `/<search-term>`
+    # - --no-init (X) = Don't use termcap init/deinit strings (hence, `less` output is visible on the terminal even after exiting)
+    # - --quit-if-one-screen (F) = quit if output fits on one screen
+    # - --quit-on-intr (K) = exit on ctrl+c
+    # - --shift=.n = left/right arrow-keys scroll by `n` screen widths
+    # - --use-color = enable color instead of just monochrome (highlights search matches)
     # SYSTEMD_LESS defaults to FRSXMK
-    env.LESS = "FRMK";
-    env.SYSTEMD_LESS = "FRMK";  #< used by journalctl
+    env = rec {
+      # MANPAGER = "less";
+      PAGER = "less";
+      LESS = "--incsearch --LONG-PROMPT --quit-if-one-screen --quit-on-intr --RAW-CONTROL-CHARS --shift=.2 --use-color";
+      SYSTEMD_LESS = LESS;  #< used by journalctl
+    };
+    mime.priority = 200;  # fallback to more specialized pagers where exists
   };
 }

hosts/common/programs/loupe.nix

@@ -21,6 +21,8 @@
       "tmp"
     ];
 
+    sandbox.mesaCacheDir = ".cache/loupe/mesa";  # TODO: is this the correct app-id?
+
     mime.associations = {
       "image/avif" = "org.gnome.Loupe.desktop";
       "image/gif" = "org.gnome.Loupe.desktop";

hosts/common/programs/megapixels-next.nix

@@ -43,7 +43,7 @@ in
     sandbox.wrapperType = "inplace";  #< for share/megapixels/movie.sh
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [ "user" ];  #< so that it can open the image viewer using fdo portal...
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< so that it can open the image viewer using fdo portal...
     sandbox.extraHomePaths = [
       # ".config/megapixels"
       "Pictures/Photos"
@@ -55,6 +55,7 @@ in
       "/sys/class/leds"  #< for flash, presumably
     ];
     sandbox.whitelistAvDev = true;
+    sandbox.mesaCacheDir = ".cache/megapixels/mesa";  # TODO: is this the correct app-id?
     gsettings."me/gapixels/megapixels" = {
       # **required** for it to find its postprocess script
       postprocessor = "${cfg.package}/share/megapixels/postprocess.sh";

hosts/common/programs/megapixels.nix

@@ -28,7 +28,7 @@
     #   "bwrap: failed to make / slave: Operation not permitted"
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [ "user" ];  #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
     sandbox.extraHomePaths = [
       # ".config/megapixels"
       "Pictures/Photos"
@@ -40,6 +40,7 @@
       "/sys/class/leds"  #< for flash, presumably
     ];
     sandbox.whitelistAvDev = true;
+    sandbox.mesaCacheDir = ".cache/megapixels/mesa";  # TODO: is this the correct app-id?
     gsettingsPersist = [
       "org/postmarketos/megapixels"  #< needs to set `postprocessor` else it will segfault during post-process
     ];

hosts/common/programs/mepo.nix

@@ -15,10 +15,9 @@
     sandbox.net = "all";  # for tiles *and* for localhost comm to gpsd
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [
-      "system"  # system is required for non-portal location services
-      "user"  #< not sure if "user" is necessary?
-    ];
+    sandbox.whitelistDbus.system = true;  # system is required for non-portal location services
+    sandbox.whitelistDbus.user = true;  #< TODO: not sure if "user" is necessary?
+    sandbox.mesaCacheDir = ".cache/mepo/mesa";
 
     persist.byStore.plaintext = [ ".cache/mepo/tiles" ];
     # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private

hosts/common/programs/mmcli.nix

@@ -24,9 +24,7 @@
     });
 
     sandbox.tryKeepUsers = true;
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
   };
 }
 

hosts/common/programs/mpv/default.nix

@@ -190,7 +190,7 @@ in
     sandbox.autodetectCliPaths = "parent";  #< especially for subtitle downloader; also nice for viewing albums
     sandbox.net = "all";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< mpris
+    sandbox.whitelistDbus.user.own = [ "org.mpris.MediaPlayer2.mpv" "org.mpris.MediaPlayer2.mpv.*" ];
     sandbox.whitelistDri = true;  #< mpv has excellent fallbacks to non-DRI, but DRI offers a good 30%-50% reduced CPU
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
@@ -208,6 +208,7 @@ in
       "Videos/local"
       "Videos/servo"
     ];
+    sandbox.mesaCacheDir = ".cache/mpv/mesa";
 
     persist.byStore.plaintext = [
       # for `watch_later`

hosts/common/programs/nautilus.nix

@@ -14,7 +14,7 @@
     #   "gvfs"  # browse ftp://, etc  (TODO: fix!)
     # ];
 
-    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for portals launching apps
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       # grant access to pretty much everything, except for secret keys.

hosts/common/programs/neovim/default.nix

@@ -43,7 +43,6 @@ in
 
     sandbox.autodetectCliPaths = "existingOrParent";
     sandbox.whitelistWayland = true;  # for system clipboard integration
-    sandbox.mesaCacheDir = null;  # not a GUI even though it uses wayland
     # sandbox.whitelistPwd = true;
     sandbox.extraHomePaths = [
       ".local/share/dasht/docsets"

hosts/common/programs/neovim/vimrc

@@ -29,3 +29,10 @@ set conceallevel=2
 " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
 set list
 set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
+
+" when using vim to view manpages
+"   (`:Man topic` or `MANPAGER='nvim +Man!' man topic` or `vim man://topic`),
+" instruct `man` to output unwrapped buffers, and let vim soft-wrap them.
+" this allows one to resize the terminal and have the manpage be re-rendered.
+" see: <https://github.com/neovim/neovim/issues/11436>
+let g:man_hardwrap=0

hosts/common/programs/networkmanager_dmenu/default.nix

@@ -3,9 +3,7 @@
 {
   sane.programs.networkmanager_dmenu = {
     # sandbox.keepPidsAndProc = true;  #< else it can't connect to NetworkManager (?)
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       ".cache/rofi"

hosts/common/programs/newsflash.nix

@@ -15,9 +15,11 @@ let
   wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
 in {
   sane.programs.newsflash = {
+    buildCost = 2;  # mainly for desktop: webkitgtk-6.0
+
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;  #< for embedded videos
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     sandbox.extraPaths = [
@@ -29,7 +31,7 @@ in {
       "/sys/class/block/loop7"
     ];
 
-    buildCost = 2;  # mainly for desktop: webkitgtk-6.0
+    sandbox.mesaCacheDir = ".cache/nesh_flash/mesa";
     persist.byStore.plaintext = [
       ".local/share/news-flash" #< sqlite database, the actually important stuff
       # ".local/share/news_flash"  #< device IDs (?)

hosts/common/programs/nicotine-plus.nix

@@ -22,6 +22,7 @@
       # and then update the config on disk. it errors if it can't `mv` it like that.
       ".config/nicotine"
     ];
+    # sandbox.mesaCacheDir = ".cache/nicotine/mesa";  # don't persist (privacy); (might want to apply that to downloads too)
 
     # the config has loooads of options, but the only critical one is auth/creds.
     # run with ~/.config/nicotine in the sandbox and nicotine will derive the whole config

hosts/common/programs/nmcli.nix

@@ -2,8 +2,6 @@
 {
   sane.programs.nmcli = {
     packageUnwrapped = pkgs.networkmanager-split.nmcli;
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
   };
 }

hosts/common/programs/notejot.nix

@@ -5,6 +5,7 @@
     sandbox.whitelistDri = true;  #< otherwise intolerably slow on moby
     gsettingsPersist = [ "io/github/lainsce/Notejot" ];  #< TODO: probably not needed
 
+    sandbox.mesaCacheDir = ".cache/io.github.lainsce.Notejot/mesa";
     persist.byStore.private = [
       ".local/share/io.github.lainsce.Notejot"
     ];

hosts/common/programs/nvimpager.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+{
+  sane.programs.nvimpager = {
+    packageUnwrapped = (pkgs.nvimpager.override {
+      neovim = config.sane.programs.neovim.packageUnwrapped;
+    }).overrideAttrs {
+      # check phase fails, something to do with me enabling plugins not expected by the tester
+      doCheck = false;
+    };
+
+    suggestedPrograms = [ "neovim" ];
+
+    sandbox.whitelistWayland = true;  # for system clipboard integration
+
+    env.MANPAGER = "nvimpager";
+    # env.PAGER = "nvimpager";
+    # `man 2 select` will have `man` render the manpage to plain text, then pipe it into vim for syntax highlighting.
+    # force MANWIDTH=999 to make `man` not hard-wrap any lines, and instead let vim soft-wrap lines.
+    # that allows the document to be responsive to screen-size/windowing changes.
+    # MANROFFOPT = "-c" improves the indentation, but i'm not totally sure what it actually does.
+    env.MANWIDTH = "999";
+    env.MANROFFOPT = "-c";
+  };
+}

hosts/common/programs/nwg-panel/default.nix

@@ -197,9 +197,8 @@ in
     sandbox.whitelistDri = true;
     sandbox.whitelistSystemctl = true;
     sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [
-      "user"  # playerctl, swaync, ...
-    ];
+    sandbox.whitelistMpris.controlPlayers = true;
+    sandbox.whitelistDbus.user.call."org.erikreider.swaync.cc" = "*";
     sandbox.extraPaths = [
       "/sys/class/backlight"
       "/sys/class/leds"  #< for torch/flashlight on moby
@@ -207,7 +206,7 @@ in
       "/sys/devices"
     ];
     sandbox.extraRuntimePaths = [ "sway" ];
-    sandbox.keepPidsAndProc = true;  #< nwg-panel restarts itself on display dis/connect, by killing all other instances.
+    sandbox.keepPidsAndProc = true;  #< nwg-panel restarts itself on display dis/connect, by killing all other instances (TODO: fix to just exit on display attach?)
 
     services.nwg-panel = {
       description = "nwg-panel status/topbar for wayland";

hosts/common/programs/open-in-mpv.nix

@@ -2,7 +2,7 @@
 { pkgs, ... }:
 {
   sane.programs.open-in-mpv = {
-    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for xdg-open/portals
 
     # taken from <https://github.com/Baldomo/open-in-mpv>
     fs.".config/open-in-mpv/config.yml".symlink.text = ''

hosts/common/programs/papers.nix

@@ -1,3 +1,4 @@
+# TODO: get printing to work under papers. until then, use evince if you need to print!
 { ... }:
 {
   sane.programs.papers = {
@@ -7,10 +8,13 @@
     # });
 
     buildCost = 2;  #< webkitgtk
-    sandbox.whitelistDbus = [ "user" ];  #< for clicking links
+    sandbox.method = null;  #< TODO: enable, after fixing embedded media playback
     sandbox.whitelistDri = true;  #< speedier
     sandbox.whitelistWayland = true;
     sandbox.autodetectCliPaths = "existingFile";
+    sandbox.mesaCacheDir = ".cache/papers/mesa";  # TODO: is this the correct app-id?
+
+    sandbox.whitelistPortal = [ "OpenURI" ];
 
     mime.associations."application/pdf" = "org.gnome.Papers.desktop";
     # XXX(2024-10-06): even with `sandbox.net = "all"` and glib-networking, papers can only open *http* URLs and not https