scripts/clean: fix to cleanup more dangling result symlinks

```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/6a217e9b1d39415076c7a6cfc44be5e935e7a839' (2024-05-13)
  → 'github:nixos/nixpkgs/eda36d7cf3391ad06097009b08822fb74acd5e00' (2024-05-13)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/6bc8c8a7ac13182ee24a5e2caab7ad739f1c55c5' (2024-05-13)
  → 'github:nixos/nixpkgs/0a949cf2618e8eab83aa008f1f8e03db137ed36c' (2024-05-13)
• Updated input 'nixpkgs-wayland':
    'github:nix-community/nixpkgs-wayland/5f7272dff81558143f93e2cb32189a52ef965892' (2024-05-13)
  → 'github:nix-community/nixpkgs-wayland/ed18785b8816fa878bdd9df7f2e8722695401ef8' (2024-05-13)
```

flake.lock

@@ -61,11 +61,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1714910950,
-        "narHash": "sha256-gaq5bphSsY+htEXFDkImOrH3MVCkxFTvCiwdCJj096E=",
+        "lastModified": 1715515815,
+        "narHash": "sha256-yaLScMHNFCH6SbB0HSA/8DWDgK0PyOhCXoFTdHlWkhk=",
         "owner": "nix-community",
         "repo": "lib-aggregate",
-        "rev": "26fabca301e1133abd3d9192b1bcb6fb45b30f1d",
+        "rev": "09883ca828e8cfaacdb09e29190a7b84ad1d9925",
         "type": "github"
       },
       "original": {
@@ -99,11 +99,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1713858845,
-        "narHash": "sha256-StJq7Zy+/iVBUAKFzhHWlsirFucZ3gNtzXhAYXAsNnw=",
+        "lastModified": 1715248291,
+        "narHash": "sha256-npC9Swu4VIlRIiEP0XFGoIukd6vOufS/M3PdHk6rQpc=",
         "owner": "nix-community",
         "repo": "nix-eval-jobs",
-        "rev": "7b6640f2a10701bf0db16aff048070f400e8ea7c",
+        "rev": "63154bdfb22091041b307d17863bdc0e01a32a00",
         "type": "github"
       },
       "original": {
@@ -136,11 +136,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713805509,
-        "narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=",
+        "lastModified": 1715037484,
+        "narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4",
+        "rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1714870069,
+        "lastModified": 1715474941,
         "narHash": "sha256-CNCqCGOHdxuiVnVkhTpp2WcqSSmSfeQjubhDOcgwGjU=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "4b620020fd73bdd5104e32c702e65b60b6869426",
+        "rev": "58e03b95f65dfdca21979a081aa62db0eed6b1d8",
         "type": "github"
       },
       "original": {
@@ -167,11 +167,11 @@
     },
     "nixpkgs-next-unpatched": {
       "locked": {
-        "lastModified": 1715148084,
-        "narHash": "sha256-arUW5NSCMy7K8uO+1ODJqyptf71HP69XbJlSuf361rI=",
+        "lastModified": 1715601680,
+        "narHash": "sha256-Gmz6U8NMZVVnP6AGX4sMl4X6RcQBASPl/2Gj9R5k1Pk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c8e3f684443d7c2875ff169f6ef2533534105e7b",
+        "rev": "eda36d7cf3391ad06097009b08822fb74acd5e00",
         "type": "github"
       },
       "original": {
@@ -183,11 +183,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714858427,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "lastModified": 1715458492,
+        "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "8e47858badee5594292921c2668c11004c3b0142",
         "type": "github"
       },
       "original": {
@@ -199,11 +199,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1715156971,
-        "narHash": "sha256-sEgAH6EkkQf5Aux4JT5HvdKWia0ryePYI0RhioskVS8=",
+        "lastModified": 1715616096,
+        "narHash": "sha256-rxh2XECb5hRzgNR4Xqj3aAjg6821LmNTVRfF6sUW6fI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a751e2faa2fc94c1337c32aaf6a6e417afe90be9",
+        "rev": "0a949cf2618e8eab83aa008f1f8e03db137ed36c",
         "type": "github"
       },
       "original": {
@@ -223,11 +223,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715156333,
-        "narHash": "sha256-8V09AxlIyKh8maX5/fAo8JuijEu9KM1DVlPscxzmKsk=",
+        "lastModified": 1715609745,
+        "narHash": "sha256-z2lQ7G1AxljvYeqrHWjc1ctOI4QZP06vPtvLYJWfZSc=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "7dc8fb2aa7db995ac1ce2a8f2f8d8784b2af591c",
+        "rev": "ed18785b8816fa878bdd9df7f2e8722695401ef8",
         "type": "github"
       },
       "original": {
@@ -254,11 +254,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1715035358,
-        "narHash": "sha256-RY6kqhpCPa/q3vbqt3iYRyjO3hJz9KZnshMjbpPon8o=",
+        "lastModified": 1715482972,
+        "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "893e3df091f6838f4f9d71c61ab079d5c5dedbd1",
+        "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
         "type": "github"
       },
       "original": {

flake.nix

@@ -121,7 +121,7 @@
             nixpkgs.hostPlatform.system = target;
           })
           (optionalAttrs (variant == "light") {
-            sane.maxBuildCost = 1;
+            sane.maxBuildCost = 2;
           })
           (optionalAttrs (variant == "min") {
             sane.maxBuildCost = 0;

hosts/common/programs/animatch.nix

@@ -30,6 +30,8 @@
       });
     };
 
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.whitelistWayland = true;
 

hosts/common/programs/assorted.nix

@@ -215,6 +215,7 @@ in
 
     backblaze-b2 = {};
 
+    blanket.buildCost = 1;
     blanket.sandbox.method = "bwrap";
     blanket.sandbox.whitelistAudio = true;
     # blanket.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
@@ -267,13 +268,14 @@ in
     ddrescue.sandbox.method = "landlock";  # TODO:sandbox: untested
     ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
 
-    # auth token, preferences
+    delfin.buildCost = 1;
     delfin.sandbox.method = "bwrap";
     delfin.sandbox.whitelistAudio = true;
     delfin.sandbox.whitelistDbus = [ "user" ];  # else `mpris` plugin crashes the player
     delfin.sandbox.whitelistDri = true;
     delfin.sandbox.whitelistWayland = true;
     delfin.sandbox.net = "clearnet";
+    # auth token, preferences
     delfin.persist.byStore.private = [ ".config/delfin" ];
 
     dig.sandbox.method = "bwrap";
@@ -314,11 +316,13 @@ in
 
     eg25-control = {};
 
+    electrum.buildCost = 1;
     electrum.sandbox.method = "bwrap";  # TODO:sandbox: untested
     electrum.sandbox.net = "all";  # TODO: probably want to make this run behind a VPN, always
     electrum.sandbox.whitelistWayland = true;
     electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ];  #< TODO: use XDG dirs!
 
+    endless-sky.buildCost = 1;
     endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
     endless-sky.sandbox.method = "bwrap";
     endless-sky.sandbox.whitelistAudio = true;
@@ -357,6 +361,7 @@ in
       ".persist/plaintext"
     ];
 
+    ffmpeg.buildCost = 1;
     ffmpeg.sandbox.method = "bwrap";
     ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent";  # it outputs uncreated files -> parent dir needs mounting
 
@@ -374,6 +379,7 @@ in
 
     fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
 
+    font-manager.buildCost = 1;
     font-manager.sandbox.method = "bwrap";
     font-manager.sandbox.whitelistWayland = true;
     font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
@@ -410,6 +416,7 @@ in
     # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
     gh.persist.byStore.private = [ ".config/gh" ];
 
+    gimp.buildCost = 1;
     gimp.sandbox.method = "bwrap";
     gimp.sandbox.whitelistX = true;
     gimp.sandbox.whitelistWayland = true;
@@ -429,18 +436,22 @@ in
       "/tmp"  # "Cannot open display:" if it can't mount /tmp 👀
     ];
 
+    "gnome.gnome-calculator".buildCost = 1;
     "gnome.gnome-calculator".sandbox.method = "bwrap";
     "gnome.gnome-calculator".sandbox.whitelistWayland = true;
 
+    "gnome.gnome-calendar".buildCost = 1;
     # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
     "gnome.gnome-calendar".sandbox.method = "bwrap";
     "gnome.gnome-calendar".sandbox.whitelistWayland = true;
 
+    "gnome.gnome-clocks".buildCost = 1;
     "gnome.gnome-clocks".sandbox.method = "bwrap";
     "gnome.gnome-clocks".sandbox.whitelistWayland = true;
     "gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
 
     # gnome-disks
+    "gnome.gnome-disk-utility".buildCost = 1;
     "gnome.gnome-disk-utility".sandbox.method = "bwrap";
     "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
     "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
@@ -451,15 +462,18 @@ in
     ];
 
     # seahorse: dump gnome-keyring secrets.
+    "gnome.seahorse".buildCost = 1;
     # N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
     "gnome.seahorse".sandbox.method = "bwrap";
     "gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
     "gnome.seahorse".sandbox.whitelistWayland = true;
 
+    gnome-2048.buildCost = 1;
     gnome-2048.sandbox.method = "bwrap";
     gnome-2048.sandbox.whitelistWayland = true;
     gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 
+    gnome-frog.buildCost = 1;
     gnome-frog.sandbox.method = "bwrap";
     gnome-frog.sandbox.whitelistWayland = true;
     gnome-frog.sandbox.whitelistDbus = [ "user" ];
@@ -486,6 +500,7 @@ in
     # 1. no number may appear unshaded more than once in the same row/column
     # 2. no two shaded tiles can be direct N/S/E/W neighbors
     # - win once (1) and (2) are satisfied
+    "gnome.hitori".buildCost = 1;
     "gnome.hitori".sandbox.method = "bwrap";
     "gnome.hitori".sandbox.whitelistWayland = true;
 
@@ -515,6 +530,7 @@ in
     grim.sandbox.autodetectCliPaths = "existingOrParent";
     grim.sandbox.whitelistWayland = true;
 
+    hase.buildCost = 1;
     hase.sandbox.method = "bwrap";
     hase.sandbox.net = "clearnet";
     hase.sandbox.whitelistAudio = true;
@@ -535,6 +551,7 @@ in
     # N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
     inetutils.sandbox.method = "landlock";  # want to keep the same netns, at least.
 
+    inkscape.buildCost = 1;
     inkscape.sandbox.method = "bwrap";
     inkscape.sandbox.whitelistWayland = true;
     inkscape.sandbox.extraHomePaths = [
@@ -586,6 +603,7 @@ in
       "/proc"
     ];
 
+    krita.buildCost = 1;
     krita.sandbox.method = "bwrap";
     krita.sandbox.whitelistWayland = true;
     krita.sandbox.autodetectCliPaths = "existing";
@@ -606,6 +624,7 @@ in
     libnotify.sandbox.method = "bwrap";
     libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
 
+    losslesscut-bin.buildCost = 1;
     losslesscut-bin.sandbox.method = "bwrap";
     losslesscut-bin.sandbox.extraHomePaths = [
       "Music"
@@ -630,6 +649,7 @@ in
     mercurial.sandbox.whitelistPwd = true;
 
     # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+    monero-gui.buildCost = 1;
     # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
     monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
     monero-gui.sandbox.method = "bwrap";
@@ -638,6 +658,7 @@ in
       "records/finance/cryptocurrencies/monero"
     ];
 
+    mumble.buildCost = 1;
     mumble.persist.byStore.private = [ ".local/share/Mumble" ];
 
     nano.sandbox.method = "bwrap";
@@ -741,6 +762,7 @@ in
     pulsemixer.sandbox.method = "landlock";
     pulsemixer.sandbox.whitelistAudio = true;
 
+    pwvucontrol.buildCost = 1;
     pwvucontrol.sandbox.method = "bwrap";
     pwvucontrol.sandbox.whitelistAudio = true;
     pwvucontrol.sandbox.whitelistDri = true;  # else perf on moby is unusable
@@ -758,7 +780,7 @@ in
     ];
 
     qemu.sandbox.enable = false;  #< it's a launcher
-    qemu.buildCost = 1;
+    qemu.buildCost = 2;
 
     rsync.sandbox.method = "bwrap";
     rsync.sandbox.net = "clearnet";
@@ -776,6 +798,7 @@ in
     sequoia.sandbox.whitelistPwd = true;
     sequoia.sandbox.autodetectCliPaths = true;
 
+    shattered-pixel-dungeon.buildCost = 1;
     shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
     shattered-pixel-dungeon.sandbox.method = "bwrap";
     shattered-pixel-dungeon.sandbox.whitelistAudio = true;
@@ -783,6 +806,7 @@ in
     shattered-pixel-dungeon.sandbox.whitelistWayland = true;
 
     # printer/filament settings
+    slic3r.buildCost = 1;
     slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
 
     slurp.sandbox.method = "bwrap";
@@ -803,6 +827,7 @@ in
       "knowledge"
     ];
 
+    soundconverter.buildCost = 1;
     soundconverter.sandbox.method = "bwrap";
     soundconverter.sandbox.whitelistWayland = true;
     soundconverter.sandbox.extraHomePaths = [
@@ -820,6 +845,7 @@ in
     sox.sandbox.autodetectCliPaths = "existingFileOrParent";
     sox.sandbox.whitelistAudio = true;
 
+    space-cadet-pinball.buildCost = 1;
     space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
     space-cadet-pinball.sandbox.method = "bwrap";
     space-cadet-pinball.sandbox.whitelistAudio = true;
@@ -840,6 +866,7 @@ in
     subversion.sandbox.whitelistPwd = true;
     sudo.sandbox.enable = false;
 
+    superTux.buildCost = 1;
     superTux.sandbox.method = "bwrap";
     superTux.sandbox.wrapperType = "inplace";  # package Makefile incorrectly installs to $out/games/superTux instead of $out/share/games
     superTux.sandbox.whitelistAudio = true;
@@ -858,12 +885,14 @@ in
 
     tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
 
+    tokodon.buildCost = 1;
     tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
 
     tree.sandbox.method = "landlock";
     tree.sandbox.autodetectCliPaths = true;
     tree.sandbox.whitelistPwd = true;
 
+    tumiki-fighters.buildCost = 1;
     tumiki-fighters.sandbox.method = "bwrap";
     tumiki-fighters.sandbox.whitelistAudio = true;
     tumiki-fighters.sandbox.whitelistDri = true;  #< not strictly necessary, but triples CPU perf
@@ -882,6 +911,7 @@ in
       "/sys/bus/usb"
     ];
 
+    valgrind.buildCost = 1;
     valgrind.sandbox.enable = false;  #< it's a launcher: can't sandbox
 
     visidata.sandbox.method = "bwrap";  # TODO:sandbox: untested
@@ -890,6 +920,7 @@ in
     # `vulkaninfo`, `vkcube`
     vulkan-tools.sandbox.method = "landlock";
 
+    vvvvvv.buildCost = 1;
     vvvvvv.sandbox.method = "bwrap";
     vvvvvv.sandbox.whitelistAudio = true;
     vvvvvv.sandbox.whitelistDri = true;  #< playable without, but burns noticably more CPU
@@ -910,6 +941,7 @@ in
     wget.sandbox.net = "all";
     wget.sandbox.whitelistPwd = true;  # saves to pwd by default
 
+    whalebird.buildCost = 1;
     whalebird.persist.byStore.private = [ ".config/Whalebird" ];
 
     # `wg`, `wg-quick`

hosts/common/programs/audacity.nix

@@ -14,6 +14,8 @@
       };
     };
 
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/celeste64.nix

@@ -1,6 +1,8 @@
 { ... }:
 {
   sane.programs.celeste64 = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;

hosts/common/programs/cozy.nix

@@ -13,6 +13,8 @@
       '';
     });
 
+    buildCost = 1;
+
     sandbox.method = "bwrap";  # landlock gives: _multiprocessing.SemLock: Permission Denied
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris

hosts/common/programs/dialect.nix

@@ -1,15 +1,6 @@
 { pkgs, ... }:
 {
   sane.programs.dialect = {
-    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";  # share/search_providers/ calls back into the binary, weird wrap semantics
-    sandbox.whitelistWayland = true;
-    sandbox.net = "clearnet";
-    sandbox.extraHomePaths = [
-      ".config/dconf"  # won't start without it
-    ];
-    suggestedPrograms = [ "dconf" ];  #< to persist settings
-
     packageUnwrapped = pkgs.dialect.overrideAttrs (upstream: {
       # TODO: send upstream
       # TODO: figure out how to get audio working
@@ -18,5 +9,17 @@
         pkgs.glib-networking  # for TLS
       ];
     });
+
+    suggestedPrograms = [ "dconf" ];  #< to persist settings
+
+    buildCost = 1;
+
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";  # share/search_providers/ calls back into the binary, weird wrap semantics
+    sandbox.whitelistWayland = true;
+    sandbox.net = "clearnet";
+    sandbox.extraHomePaths = [
+      ".config/dconf"  # won't start without it
+    ];
   };
 }

hosts/common/programs/element-desktop.nix

@@ -25,6 +25,8 @@
       "gnome-keyring"
     ];
 
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;

hosts/common/programs/epiphany.nix

@@ -23,7 +23,7 @@
       "tmp"
     ];
 
-    buildCost = 1;
+    buildCost = 2;
 
     # XXX(2023/07/08): running on moby without `WEBKIT_DISABLE_SANDBOX...` fails, with:
     # - `bwrap: Can't make symlink at /var/run: File exists`

hosts/common/programs/evince.nix

@@ -1,6 +1,8 @@
 { ... }:
 {
   sane.programs.evince = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.autodetectCliPaths = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/frozen-bubble.nix

@@ -2,11 +2,6 @@
 { pkgs, ... }:
 {
   sane.programs.frozen-bubble = {
-    sandbox.method = "bwrap";
-    sandbox.net = "clearnet";  # net play
-    sandbox.whitelistAudio = true;
-    sandbox.whitelistWayland = true;
-
     packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
       # patch so it stores its dot-files not in root ~.
       postPatch = (upstream.postPatch or "") + ''
@@ -14,6 +9,12 @@
           --replace-fail '$FBHOME   = "$ENV{HOME}/.frozen-bubble"' '$FBHOME   = "$ENV{HOME}/.local/share/frozen-bubble"'
       '';
     });
+    buildCost = 1;
+
+    sandbox.method = "bwrap";
+    sandbox.net = "clearnet";  # net play
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistWayland = true;
 
     persist.byStore.plaintext = [
       ".local/share/frozen-bubble"  # preferences, high scores

hosts/common/programs/g4music.nix

@@ -8,6 +8,8 @@
 { ... }:
 {
   sane.programs.g4music = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris

hosts/common/programs/geary.nix

@@ -37,7 +37,7 @@ in
     # fs.".config/geary".dir = {};
     # fs.".local/share/folks".dir = {};
 
-    buildCost = 2;  # uses webkitgtk 4.1
+    buildCost = 3;  # uses webkitgtk 4.1
     persist.byStore.private = [
       # attachments, and email -- contained in a sqlite db
       ".local/share/geary"

hosts/common/programs/gnome-weather.nix

@@ -3,6 +3,8 @@
 { ... }:
 {
   sane.programs."gnome.gnome-weather" = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  #< /share/org.gnome.Weather/org.gnome.Weather file refers to bins by full path
     sandbox.whitelistWayland = true;

hosts/common/programs/handbrake.nix

@@ -1,6 +1,8 @@
 { pkgs, ... }:
 {
   sane.programs.handbrake = {
+    buildCost = 1;
+
     sandbox.method = "landlock";  #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistWayland = true;

hosts/common/programs/imagemagick.nix

@@ -1,6 +1,8 @@
 { pkgs, ... }:
 {
   sane.programs.imagemagick = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
     sandbox.whitelistPwd = true;

hosts/common/programs/kdenlive.nix

@@ -1,6 +1,15 @@
 { pkgs, ... }:
 {
   sane.programs.kdenlive = {
+    packageUnwrapped = pkgs.kdenlive.override {
+      ffmpeg-full = pkgs.ffmpeg-full.override {
+        # avoid expensive samba build for a feature i don't use
+        withSamba = false;
+      };
+    };
+
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.extraHomePaths = [
       "Music"
@@ -14,12 +23,5 @@
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
-
-    packageUnwrapped = pkgs.kdenlive.override {
-      ffmpeg-full = pkgs.ffmpeg-full.override {
-        # avoid expensive samba build for a feature i don't use
-        withSamba = false;
-      };
-    };
   };
 }

hosts/common/programs/komikku.nix

@@ -16,7 +16,7 @@
     sandbox.whitelistDri = true;  #< required
     sandbox.whitelistWayland = true;
 
-    buildCost = 1;
+    buildCost = 2;
 
     secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
     # downloads end up here, and without the toplevel database komikku doesn't know they exist.

hosts/common/programs/lemoa.nix

@@ -1,6 +1,7 @@
 { ... }:
 {
   sane.programs.lemoa = {
+    buildCost = 1;
     sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # for clicking links

hosts/common/programs/libreoffice.nix

@@ -16,7 +16,7 @@
       "tmp"
     ];
 
-    buildCost = 2;
+    buildCost = 3;
 
     # disable first-run stuff
     fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''

hosts/common/programs/neovim.nix

@@ -103,54 +103,61 @@ in
       # "use"
     ];
 
-    # packageUnwrapped = config.programs.neovim.finalPackage;
-    packageUnwrapped = pkgs.wrapNeovimUnstable pkgs.neovim-unwrapped (pkgs.neovimUtils.makeNeovimConfig {
-      withRuby = false;  #< doesn't cross-compile w/o binfmt
-      viAlias = true;
-      vimAlias = true;
-      plugins = plugin-packages;
-      customRC = ''
-        " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
-        " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
-        set mouse=
+    packageUnwrapped = let
+      configArgs = {
+        withRuby = false;  #< doesn't cross-compile w/o binfmt
+        viAlias = true;
+        vimAlias = true;
+        plugins = plugin-packages;
+        customRC = ''
+          " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
+          " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
+          set mouse=
 
-        " copy/paste to system clipboard
-        set clipboard=unnamedplus
+          " copy/paste to system clipboard
+          set clipboard=unnamedplus
 
-        " screw tabs; always expand them into spaces
-        set expandtab
+          " screw tabs; always expand them into spaces
+          set expandtab
 
-        " at least don't open files with sections folded by default
-        set nofoldenable
+          " at least don't open files with sections folded by default
+          set nofoldenable
 
-        " allow text substitutions for certain glyphs.
-        " higher number = more aggressive substitution (0, 1, 2, 3)
-        " i only make use of this for tex, but it's unclear how to
-        " apply that *just* to tex and retain the SyntaxRange stuff.
-        set conceallevel=2
+          " allow text substitutions for certain glyphs.
+          " higher number = more aggressive substitution (0, 1, 2, 3)
+          " i only make use of this for tex, but it's unclear how to
+          " apply that *just* to tex and retain the SyntaxRange stuff.
+          set conceallevel=2
 
-        " horizontal rule under the active line
-        " set cursorline
+          " horizontal rule under the active line
+          " set cursorline
 
-        " highlight trailing space & related syntax errors (doesn't seem to work??)
-        " let c_space_errors=1
-        " let python_space_errors=1
+          " highlight trailing space & related syntax errors (doesn't seem to work??)
+          " let c_space_errors=1
+          " let python_space_errors=1
 
-        " enable highlighting of leading/trailing spaces,
-        " and especially tabs
-        " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
-        set list
-        set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
+          " enable highlighting of leading/trailing spaces,
+          " and especially tabs
+          " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
+          set list
+          set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
 
-        """"" PLUGIN CONFIG (vim)
-        ${plugin-config-viml}
+          """"" PLUGIN CONFIG (vim)
+          ${plugin-config-viml}
 
-        """"" PLUGIN CONFIG (lua)
-        lua <<EOF
-        ${plugin-config-lua}
-        EOF
-      '';
-    });
+          """"" PLUGIN CONFIG (lua)
+          lua <<EOF
+          ${plugin-config-lua}
+          EOF
+        '';
+      };
+    in pkgs.wrapNeovimUnstable
+      pkgs.neovim-unwrapped
+      # XXX(2024/05/13): manifestRc must be null for cross-compilation to work.
+      #   wrapper invokes `neovim` with all plugins enabled at build time i guess to generate caches and stuff?
+      #   alternative is to emulate `nvim-wrapper` during build.
+      ((pkgs.neovimUtils.makeNeovimConfig configArgs) // { manifestRc = null; })
+    ;
 
     # private because there could be sensitive things in the swap
     persist.byStore.private = [ ".cache/vim-swap" ];

hosts/common/programs/newsflash.nix

@@ -13,7 +13,7 @@ let
   wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
 in {
   sane.programs.newsflash = {
-    buildCost = 1;  # mainly for desktop: webkitgtk-6.0
+    buildCost = 2;  # mainly for desktop: webkitgtk-6.0
     persist.byStore.plaintext = [ ".local/share/news-flash" ];
     fs.".config/newsflashFeeds.opml".symlink.text =
       feeds.feedsToOpml wanted-feeds

hosts/common/programs/planify.nix

@@ -10,6 +10,6 @@
       ".local/share/io.github.alainm23.planify"
     ];
 
-    buildCost = 1;  # webkitgtk-6.0; slow for desktop
+    buildCost = 2;  # webkitgtk-6.0; slow for desktop
   };
 }

hosts/common/programs/spot.nix

@@ -1,6 +1,8 @@
 { ... }:
 {
   sane.programs.spot = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;

hosts/common/programs/stepmania.nix

@@ -21,6 +21,8 @@ let
 in
 {
   sane.programs.stepmania = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  #< non-standard packaging; binary lives at $out/stepmania-5.1/stepmania  (not even in an /opt dir)
     sandbox.whitelistAudio = true;

hosts/common/programs/supertuxkart.nix

@@ -1,6 +1,8 @@
 { ... }:
 {
   sane.programs.superTuxKart = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.net = "clearnet";  # net play
     sandbox.whitelistAudio = true;

hosts/common/programs/tangram.nix

@@ -27,7 +27,7 @@ in
       '' + (upstream.preFixup or "");
     });
 
-    buildCost = 1;
+    buildCost = 2;
 
     sandbox.method = "bwrap";
     sandbox.net = "clearnet";

hosts/common/programs/tuba.nix

@@ -1,6 +1,8 @@
 { ... }:
 {
   sane.programs.tuba = {
+    buildCost = 1;
+
     sandbox.method = "bwrap";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;

hosts/common/programs/wike.nix

@@ -20,7 +20,7 @@
       "/sys/devices"
     ];
 
-    buildCost = 1;
+    buildCost = 2;
 
     # wike probably meant to put everything here in a subdir, but didn't.
     # see: <https://github.com/hugolabe/Wike/issues/176>

hosts/common/programs/wireshark.nix

@@ -13,6 +13,6 @@ in
     ];
 
     fs.".config/wireshark".dir = {};
-    buildCost = 1;
+    buildCost = 2;
   };
 }

hosts/common/programs/xarchiver.nix

@@ -5,6 +5,7 @@
       # unar doesn't cross compile well, so disable support for it
       unar = null;
     };
+    buildCost = 1;
 
     sandbox.method = "bwrap";
     sandbox.whitelistWayland = true;

hosts/common/programs/zathura.nix

@@ -1,6 +1,7 @@
 { ... }:
 {
   sane.programs.zathura = {
+    buildCost = 1;
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  #< wrapper sets ZATHURA_PLUGINS_PATH to $out/lib/...
     sandbox.whitelistDri = true;

hosts/common/programs/zeal.nix

@@ -15,7 +15,7 @@ in {
   sane.programs.zeal = {
     # packageUnwrapped = pkgs.zeal-qt6;  #< TODO: upgrade system to qt6 versions of everything (i.e. jellyfin-media-player, nheko)
     packageUnwrapped = pkgs.zeal-qt5;
-    buildCost = 2;
+    buildCost = 3;
     persist.byStore.plaintext = [
       ".cache/Zeal"
       ".local/share/Zeal"

hosts/modules/gui/default.nix

@@ -79,7 +79,7 @@ in
     # "gnome.gnome-system-monitor"
     # "gnome.gnome-terminal"  # works on phosh
     "gnome.gnome-weather"
-    "gnome.seahorse"  # keyring/secret manager
+    # "gnome.seahorse"  # keyring/secret manager
     "gnome-frog"  # OCR/QR decoder
     "gpodder"
     # "gthumb"
@@ -159,7 +159,7 @@ in
       "libreoffice"  # TODO: replace with an office suite that uses saner packaging?
       "losslesscut-bin"  # x86-only
       # "makemkv"  # x86-only
-      "monero-gui"  # x86-only
+      # "monero-gui"  # x86-only
       # "mumble"
       # "nheko"  # Matrix chat client
       # "nicotine-plus"  # soulseek client. before re-enabling this, get it to run without firejail.
@@ -175,7 +175,7 @@ in
       "wireshark"  # could maybe ship the cli as sysadmin pkg
       # "xterm"  # requires Xwayland
       # "zecwallet-lite"  # x86-only
-      "zulip"
+      # "zulip"
     ]
   );
 

modules/programs/default.nix

@@ -297,11 +297,15 @@ let
         '';
       };
       buildCost = mkOption {
-        type = types.enum [ 0 1 2 ];
+        type = types.enum [ 0 1 2 3 ];
         default = 0;
         description = ''
           whether this package is very slow, or has unique dependencies which are very slow to build.
           marking packages like this can be used to achieve faster, but limited, rebuilds/deploys (by omitting the package).
+          - 0: this package is necessary for baseline usability
+          - 1: this package is a nice-to-have, and not too costly to build
+          - 2: this package is a nice-to-have, but costly to build (e.g. `libreoffice`, some webkitgtk-based things)
+          - 3: this package is costly to build, and could go without (some lesser-used webkitgtk-based things)
         '';
       };
       sandbox.net = mkOption {

modules/services/default.nix

@@ -5,7 +5,6 @@
     ./dyn-dns.nix
     ./eg25-manager.nix
     ./kiwix-serve.nix
-    ./mautrix-signal.nix
     ./nixserve.nix
     ./trust-dns.nix
   ];

modules/services/mautrix-signal.nix

@@ -1,207 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  # TODO: upstream these "optional-dependencies"
-  # - search that phrase in <nixpkgs:doc/languages-frameworks/python.section.md>
-  pkg = pkgs.mautrix-signal.overridePythonAttrs (super: {
-    propagatedBuildInputs = super.propagatedBuildInputs ++ (with pkgs.python3.pkgs; [
-      # these optional deps come from mautrix-signal's "optional-requirements.txt"
-
-      # #/e2be
-      # python-olm>=3,<4
-      # pycryptodome>=3,<4
-      # unpaddedbase64>=1,<3
-      # XXX: ^above already included in nixpkgs package
-
-      # #/metrics
-      # prometheus_client>=0.6,<0.17
-      # XXX: ^above already included in nixpkgs package
-
-      # #/formattednumbers
-      # phonenumbers>=8,<9
-      # XXX: ^above already included in nixpkgs package
-
-      # #/qrlink
-      # qrcode>=6,<8
-      # Pillow>=4,<10
-      # XXX: ^above already included in nixpkgs package
-
-      # #/stickers
-      # signalstickers-client>=3,<4
-
-      # #/sqlite
-      # aiosqlite>=0.16,<0.19
-      aiosqlite
-    ]);
-  });
-  dataDir = "/var/lib/mautrix-signal";
-  registrationFile = "${dataDir}/signal-registration.yaml";
-  cfg = config.services.mautrix-signal;
-  settingsFormat = pkgs.formats.json {};
-  settingsFile =
-    settingsFormat.generate "mautrix-signal-config.json" cfg.settings;
-in
-{
-  options = {
-    services.mautrix-signal = {
-      enable = mkEnableOption (lib.mdDoc "Mautrix-Signal, a Matrix-Signal puppeting bridge");
-
-      settings = mkOption rec {
-        apply = recursiveUpdate default;
-        inherit (settingsFormat) type;
-        default = {
-          # defaults based on this upstream example config:
-          # - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
-          homeserver = {
-            address = "http://localhost:8008";
-            software = "standard";
-            # domain = "SETME";
-          };
-
-          appservice = rec {
-            address = "http://${hostname}:${toString port}";
-            hostname = "localhost";
-            port = 29328;
-
-            database = "sqlite:///${dataDir}/mautrix-signal.db";
-            database_opts = {};
-            bot_username = "signalbot";
-          };
-
-          bridge = {
-            username_template = "signal_{userid}";
-            permissions."*" = "relay";
-            double_puppet_server_map = {};
-            login_shared_secret_map = {};
-          };
-
-          logging = {
-            version = 1;
-
-            formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
-
-            handlers.console = {
-              class = "logging.StreamHandler";
-              formatter = "precise";
-            };
-
-            # log to console/systemd instead of file
-            root = {
-              level = "INFO";
-              handlers = ["console"];
-            };
-          };
-        };
-        example = literalExpression ''
-          {
-            homeserver = {
-              address = "http://localhost:8008";
-              domain = "mydomain.example";
-            };
-
-            bridge.permissions = {
-              "@admin:mydomain.example" = "admin";
-              "mydomain.example" = "user";
-            };
-          }
-        '';
-        description = lib.mdDoc ''
-          {file}`config.yaml` configuration as a Nix attribute set.
-          Configuration options should match those described in
-          [example-config.yaml](https://github.com/mautrix/signale/blob/master/mautrix_signal/example-config.yaml).
-        '';
-      };
-
-      environmentFile = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        description = lib.mdDoc ''
-          File containing environment variables to be passed to the mautrix-signal service,
-          in which secret tokens can be specified securely by defining values for e.g.
-          `MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN`,
-          `MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN`
-
-          These environment variables can also be used to set other options by
-          replacing hierarchy levels by `.`, converting the name to uppercase
-          and prepending `MAUTRIX_SIGNAL_`.
-          For example, the first value above maps to
-          {option}`settings.appservice.as_token`.
-
-          The environment variable values can be prefixed with `json::` to have
-          them be parsed as JSON. For example, `login_shared_secret_map` can be
-          set as follows:
-          `MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`.
-        '';
-      };
-
-      serviceDependencies = mkOption {
-        type = with types; listOf str;
-        default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
-        defaultText = literalExpression ''
-          optional config.services.matrix-synapse.enable "matrix-synapse.service"
-        '';
-        description = lib.mdDoc ''
-          List of Systemd services to require and wait for when starting the application service.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.groups.mautrix-signal = {};
-
-    users.users.mautrix-signal = {
-      group = "mautrix-signal";
-      isSystemUser = true;
-    };
-
-    systemd.services.mautrix-signal = {
-      description = "Mautrix-Signal, a Matrix-Signal puppeting bridge.";
-
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
-      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
-      path = [ pkgs.ffmpeg ];  # voice messages need `ffmpeg`
-
-      # environment.HOME = dataDir;
-
-      preStart = ''
-        # generate the appservice's registration file if absent
-        if [ ! -f '${registrationFile}' ]; then
-          ${pkg}/bin/mautrix-signal \
-            --generate-registration \
-            --no-update \
-            --base-config='${pkg}/${pkg.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
-            --config='${settingsFile}' \
-            --registration='${registrationFile}'
-        fi
-      '';
-
-      serviceConfig = {
-        Type = "simple";
-        Restart = "always";
-
-        User = "mautrix-signal";
-
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectControlGroups = true;
-
-        PrivateTmp = true;
-        WorkingDirectory = pkg;
-        StateDirectory = baseNameOf dataDir;
-        UMask = "0027";
-        EnvironmentFile = cfg.environmentFile;
-
-        ExecStart = ''
-          ${pkg}/bin/mautrix-signal \
-            --config='${settingsFile}' \
-            --no-update
-        '';
-      };
-    };
-  };
-}

nixpatches/list.nix

@@ -32,11 +32,32 @@ in [
   # etc, where "date" is like "20240228181608"
   # and can be found with `nix-repl  > :lf .  > lastModifiedDate`
 
+  (fetchpatch' {
+    title = "curl-impersonate: fix darwin build and make cross-compilation work";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/310386";
+    hash = "sha256-feMOgQRrY2t7sYMjqXCo2WCe/J+Kr1ah+DznajQZsDM=";
+  })
+
+  (fetchpatch' {
+    title = "hyprland: fix cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/311408";
+    hash = "sha256-OU5XT/BEmZu1TPXSLKfEgdkoGXRETvJ9dePCeHrFl6o=";
+  })
+
+  (fetchpatch' {
+    # TODO: send upstream after successful deployment
+    title = "gnome.gnome-keyring: support cross compilation";
+    # prUrl = "https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross";
+    saneCommit = "56bc064c0fa39614dfd1048daae4a59e4131df56";
+    hash = "sha256-LZW3CNhcOU+YPTPt/4Ltxyiqo/6SdlIOQADmni4pDM4=";
+  })
+
   (fetchpatch' {
     # TODO: send upstream
-    title = "python3Packages.dbus-python: fix build when doInstallCheck=false";
-    saneCommit = "4d4d0310402b8a7f9273dff448522f01b722a60c";
-    hash = "sha256-3fAobeHbM/IHZzhfAqSKhPy1l28F6MbQBp8rSVX2Lrg=";
+    title = "python3Packages.dbus-python: fix cross";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/310609";
+    hash = "sha256-QCRCotIlHgJn4lo4Qdrh2cJMqqcVGLAE9WSJ4nCQvyk=";
+    merged.staging = "20240510160000";
   })
 
   # branch: wip-ffado-cross
@@ -55,13 +76,39 @@ in [
     hash = "sha256-53X4ssdp02C8NOUL5mlbhR7qwE9/KWp6iLmz1ljJopE=";
   })
 
-  # 2024/02/25: still outstanding; merge conflicts
+  (fetchpatch' {
+    title = "libgweather: enable introspection on cross builds";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
+    hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
+  })
+
+  # 2024/02/25: still outstanding
   # (fetchpatch' {
   #   title = "hspell: remove build perl from runtime closure";
   #   prUrl = "https://github.com/NixOS/nixpkgs/pull/263182";
   #   hash = "sha256-Wau+PB+EUQDvWX8Kycw1sNrM3GkPVjKSS4niIDI0sjM=";
   # })
 
+  # (fetchpatch' {
+  #   title = "gthumb: make the webservices feature be optional";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
+  #   saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
+  #   hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
+  # })
+  # (fetchpatch' {
+  #   # TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
+  #   # this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
+  #   title = "gtkspell2: support cross compilation";
+  #   saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
+  #   hash = "sha256-RUw88u7CI2C1IpRUhGbdYamHsPT1jBV0ROyVvzLWdv8=";
+  # })
+  # (fetchpatch' {
+  #   # TODO: send for review (it should be unblocked as of 2024/05/08)
+  #   title = "pidgin: support cross compilation";
+  #   saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
+  #   hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
+  # })
+
   # (fetchpatch' {
   #   title = "trust-dns: 0.23.0 -> 0.24.0";
   #   prUrl = "https://github.com/NixOS/nixpkgs/pull/262466";
@@ -128,36 +175,10 @@ in [
   #   hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
   # })
 
-  (fetchpatch' {
-    title = "gthumb: make the webservices feature be optional";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
-    saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
-    hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
-  })
-  (fetchpatch' {
-    # TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
-    # this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
-    title = "gtkspell2: support cross compilation";
-    saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
-    hash = "sha256-RUw88u7CI2C1IpRUhGbdYamHsPT1jBV0ROyVvzLWdv8=";
-  })
-  (fetchpatch' {
-    # TODO: send for review (it should be unblocked as of 2024/05/08)
-    title = "pidgin: support cross compilation";
-    saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
-    hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
-  })
-
-  (fetchpatch' {
-    title = "libgweather: enable introspection on cross builds";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
-    hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
-  })
-
   # for raspberry pi: allow building u-boot for rpi 4{,00}
   # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
   #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
-  ./02-rpi4-uboot.patch
+  # ./02-rpi4-uboot.patch
 
   # (fetchpatch' {
   #   title = "gnustep: remove `rec` to support `overrideScope`";

overlays/cross.nix

@@ -387,7 +387,7 @@ in with final; {
   #     });
   #   };
 
-  # 2024/02/27: upstreaming is unblocked
+  # 2024/05/13: upstreaming is unblocked; out for review: <https://github.com/NixOS/nixpkgs/pull/305241>
   appstream = prev.appstream.overrideAttrs (upstream: {
     # fixes: "Message: Native appstream required for cross-building"
     # error introduced in:
@@ -815,11 +815,12 @@ in with final; {
   });
 
   # 2024/05/08: fix: "meson.build:85:11: ERROR: Dependency "dbus-1" not found, tried pkgconfig".
+  # 2024/05/13: upstreaming is bloked by dbus-python (fixed in staging), appstream (out for PR)
   gnome-online-accounts = mvToBuildInputs [ dbus ] prev.gnome-online-accounts;
 
   gnome = prev.gnome.overrideScope (self: super: {
     evolution-data-server = super.evolution-data-server.overrideAttrs (upstream: {
-      # 2023/12/08: upstreaming is unblocked, but depends on webkitgtk 4.1
+      # 2024/05/13: upstreaming is blocked by appstream (out for PR), libgweather (out for PR)
       cmakeFlags = upstream.cmakeFlags ++ [
         "-DCMAKE_CROSSCOMPILING_EMULATOR=${stdenv.hostPlatform.emulator buildPackages}"
         "-DENABLE_TESTS=no"
@@ -872,12 +873,13 @@ in with final; {
     # fixes "subprojects/gvc/meson.build:30:0: ERROR: Program 'glib-mkenums mkenums' not found or not executable"
     # gnome-control-center = mvToNativeInputs [ glib ] super.gnome-control-center;
 
-    gnome-keyring = super.gnome-keyring.overrideAttrs (orig: {
-      # 2024/02/27: upstreaming is unblocked
-      # this seems to work in practice, but leaves gkr with a reference to the build openssl, sqlite, xz, libxcrypt, glibc
-      # fixes "configure.ac:374: error: possibly undefined macro: AM_PATH_LIBGCRYPT"
-      nativeBuildInputs = orig.nativeBuildInputs ++ [ libgcrypt openssh glib ];
-    });
+    # gnome-keyring = super.gnome-keyring.overrideAttrs (orig: {
+    #   # 2024/02/27: upstreaming is unblocked; implemented but not for PR
+    #   # - <https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross>
+    #   # this seems to work in practice, but leaves gkr with a reference to the build openssl, sqlite, xz, libxcrypt, glibc
+    #   # fixes "configure.ac:374: error: possibly undefined macro: AM_PATH_LIBGCRYPT"
+    #   nativeBuildInputs = orig.nativeBuildInputs ++ [ libgcrypt openssh glib ];
+    # });
     gnome-maps = super.gnome-maps.overrideAttrs (upstream: {
       # 2023/11/21: upstreaming is blocked by libshumate, qtsvg (via pipewire/ffado)
       postPatch = (upstream.postPatch or "") + ''
@@ -997,6 +999,7 @@ in with final; {
   #   '';
   # });
 
+  # hyprland = mvToNativeInputs [ hwdata ] prev.hyprland;
   # hyprland = prev.hyprland.overrideAttrs (_: {
   #   depsBuildBuild = [ pkg-config ];
   # });
@@ -2072,12 +2075,12 @@ in with final; {
 
   # 2024/02/29: upstreaming is blocked on libei (unless Xwayland config option is disabled in nixpkgs)
   #             out for PR: <https://github.com/NixOS/nixpkgs/pull/292415>
-  wlroots = prev.wlroots.overrideAttrs (upstream: {
-    nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
-      # incorrectly specified as `buildInputs` in nixpkgs.
-      hwdata
-    ];
-  });
+  # wlroots = prev.wlroots.overrideAttrs (upstream: {
+  #   nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
+  #     # incorrectly specified as `buildInputs` in nixpkgs.
+  #     hwdata
+  #   ];
+  # });
 
   # wrapFirefox = prev.wrapFirefox.override {
   #   buildPackages = buildPackages // {
@@ -2091,15 +2094,16 @@ in with final; {
   #   };
   # };
 
-  wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
-    # nvim wrapper has a sanity check that the plugins will load correctly.
-    # this is effectively a check phase and should be rewritten as such
-    postBuild = lib.replaceStrings
-      [ "! $out/bin/nvim-wrapper" ]
-      # [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/nvim-wrapper" ]
-      [ "false && $out/bin/nvim-wrapper" ]
-      upstream.postBuild;
-  });
+  # fixes `hostPrograms.moby.neovim` (but breaks eval of `hostPkgs.moby.neovim` :o)
+  # wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
+  #   # nvim wrapper has a sanity check that the plugins will load correctly.
+  #   # this is effectively a check phase and should be rewritten as such
+  #   postBuild = lib.replaceStrings
+  #     [ "! $out/bin/nvim-wrapper" ]
+  #     # [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/nvim-wrapper" ]
+  #     [ "false && $out/bin/nvim-wrapper" ]
+  #     upstream.postBuild;
+  # });
 
   # 2023/07/30: upstreaming is blocked on unar (gnustep), unless i also make that optional
   xarchiver = mvToNativeInputs [ libxslt ] prev.xarchiver;

scripts/clean

@@ -0,0 +1,23 @@
+#!/bin/sh
+# remove artifacts which i've accidentally left lying around
+# e.g. `result -> /nix/store/...` symlinks
+
+pushd ~/nixos
+
+# if this exists it'll interfere with the search
+rm -f result
+
+for result in $(fd --follow result) $(fd -uuu result); do
+  if [[ "$(readlink "$result")" != /nix/store/* ]]; then
+    # not a build artifact
+    continue
+  fi
+  if [[ "$result" == build/* ]] || [[ "$result" == .working/* ]]; then
+    # intentionally preserved build artifact
+    continue
+  fi
+
+  echo "removing: $result"
+  unlink "$result"
+done
+popd