flake update: nixpkgs 2023-01-25 -> 2023-02-01; sops-nix

```
• Updated input 'nixpkgs':
    'path:/nix/store/760ff23zl95q4jza8mkg47vs9ff20hq3-source/nixpatches?lastModified=1&narHash=sha256-arp7Uy7ct5ryTcmSY032eN7hr33i7D2XvjTRLliCFDc=' (1970-01-01)
  → 'path:/nix/store/pr622dac2xv2fzxvkfdfzl3sba1m7xkm-source/nixpatches?lastModified=1&narHash=sha256-arp7Uy7ct5ryTcmSY032eN7hr33i7D2XvjTRLliCFDc=' (1970-01-01)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/9b97ad7b4330aacda9b2343396eb3df8a853b4fc' (2023-01-25)
  → 'github:nixos/nixpkgs/4d7c2644dbac9cf8282c0afe68fca8f0f3e7b2db' (2023-02-01)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c' (2023-01-24)
  → 'github:Mic92/sops-nix/a81ce6c961480b3b93498507074000c589bd9d60' (2023-02-01)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/918b760070bb8f48cb511300fcd7e02e13058a2e' (2023-01-22)
  → 'github:NixOS/nixpkgs/a3a1400571e3b9ccc270c2e8d36194cf05aab6ce' (2023-02-01)
```

flake.lock

@@ -39,22 +39,22 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-arp7Uy7ct5ryTcmSY032eN7hr33i7D2XvjTRLliCFDc=",
-        "path": "/nix/store/jblp2g67p3wid2qarcyd8bzrbs9wg5lb-source/nixpatches",
+        "narHash": "sha256-rkVbviFmYYmbbVfvFRtOM95IjETbNu3I517Hrxp8EF4=",
+        "path": "/nix/store/8azr0ivnzf0y1sh2r7alxaxab3w49ggx-source/nixpatches",
         "type": "path"
       },
       "original": {
-        "path": "/nix/store/jblp2g67p3wid2qarcyd8bzrbs9wg5lb-source/nixpatches",
+        "path": "/nix/store/8azr0ivnzf0y1sh2r7alxaxab3w49ggx-source/nixpatches",
         "type": "path"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1674352297,
-        "narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
+        "lastModified": 1675265860,
+        "narHash": "sha256-PZNqc4ZnTRT34NsHJYbXn+Yhghh56l8HEXn39SMpGNc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
+        "rev": "a3a1400571e3b9ccc270c2e8d36194cf05aab6ce",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1674641431,
-        "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
+        "lastModified": 1675273418,
+        "narHash": "sha256-tpYc4TEGvDzh9uRf44QemyQ4TpVuUbxb07b2P99XDbM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
+        "rev": "4d7c2644dbac9cf8282c0afe68fca8f0f3e7b2db",
         "type": "github"
       },
       "original": {
@@ -97,11 +97,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1674546403,
-        "narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
+        "lastModified": 1675288837,
+        "narHash": "sha256-76s8TLENa4PzWDeuIpEF78gqeUrXi6rEJJaKEAaJsXw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
+        "rev": "a81ce6c961480b3b93498507074000c589bd9d60",
         "type": "github"
       },
       "original": {

hosts/by-name/desko/default.nix

@@ -4,8 +4,6 @@
     ./fs.nix
   ];
 
-  # sane.packages.enableDevPkgs = true;
-
   sane.roles.client = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;

hosts/by-name/lappy/default.nix

@@ -8,8 +8,6 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
-  # sane.packages.enableDevPkgs = true;
-
   # sane.guest.enable = true;
   sane.gui.sway.enable = true;
   sane.persist.enable = true;

hosts/by-name/moby/default.nix

@@ -41,10 +41,12 @@
     ".config/pulse"  # persist pulseaudio volume
   ];
 
-  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
-  sane.packages.extraUserPkgs = [
-    pkgs.plasma5Packages.konsole  # terminal
-  ];
+  sane.programs."pkgs.plasma5Packages.konsole" = {
+    # more reliable terminal
+    # TODO: move to gui/phosh
+    package = pkgs.plasma5Packages.konsole;
+    enableFor.user.colin = true;
+  };
 
   sane.nixcache.enable = true;
   sane.persist.enable = true;

hosts/by-name/servo/default.nix

@@ -8,12 +8,13 @@
     ./services
   ];
 
-  sane.packages.extraUserPkgs = with pkgs; [
+  sane.programs = {
     # for administering services
-    freshrss
-    matrix-synapse
-    signaldctl
-  ];
+    freshrss.enableFor.user.colin = true;
+    matrix-synapse.enableFor.user.colin = true;
+    signaldctl.enableFor.user.colin = true;
+  };
+
   sane.persist.enable = true;
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;

hosts/common/default.nix

@@ -11,6 +11,7 @@
     ./machine-id.nix
     ./net.nix
     ./persist.nix
+    ./programs.nix
     ./secrets.nix
     ./ssh.nix
     ./users.nix
@@ -18,8 +19,8 @@
   ];
 
   sane.nixcache.enable-trusted-keys = true;
-  sane.packages.enableConsolePkgs = true;
-  sane.packages.enableSystemPkgs = true;
+  sane.programs.sysadminUtils.enableFor.system = true;
+  sane.programs.consoleUtils.enableFor.user.colin = true;
 
   # some services which use private directories error if the parent (/var/lib/private) isn't 700.
   sane.fs."/var/lib/private".dir.acl.mode = "0700";

hosts/common/home/firefox.nix

@@ -125,11 +125,11 @@ in
         # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
         # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
         browserpass-extension.package = localAddon pkgs.browserpass-extension;
-        bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-JOj5P7c2JTTReHCRZXm4BscaGr3i+9Y4Ey/y621x8PI=";
+        bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+325k=";
         ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
         i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
         sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
-        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=";
+        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
         ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
         ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=";
 
@@ -146,6 +146,11 @@ in
   };
 
   config = {
+    sane.programs.web-browser = {
+      inherit package;
+      # TODO: define the persistence & fs config here
+    };
+    sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
 
     # uBlock filter list configuration.
     # specifically, enable the GDPR cookie prompt blocker.
@@ -171,8 +176,6 @@ in
       // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
       defaultPref("security.OCSP.require", false);
     '';
-
-    sane.packages.extraGuiPkgs = [ package ];
     # flush the cache to disk to avoid it taking up too much tmp
     sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
       store = cfg.persistCache;

hosts/common/programs.nix

@@ -0,0 +1,329 @@
+{ lib, pkgs, ... }:
+
+let
+  inherit (builtins) attrNames concatLists;
+  inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge optional;
+
+  sysadminPkgs = {
+    inherit (pkgs // {
+      # XXX can't `inherit` a nested attr, so we move them to the toplevel
+      "cacert.unbundled" = pkgs.cacert.unbundled;
+    })
+      btrfs-progs
+      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      cryptsetup
+      dig
+      efibootmgr
+      fatresize
+      fd
+      file
+      gawk
+      git
+      gptfdisk
+      hdparm
+      htop
+      iftop
+      inetutils  # for telnet
+      iotop
+      iptables
+      jq
+      killall
+      lsof
+      nano
+      netcat
+      nethogs
+      nmap
+      openssl
+      parted
+      pciutils
+      powertop
+      pstree
+      ripgrep
+      screen
+      smartmontools
+      socat
+      strace
+      tcpdump
+      tree
+      usbutils
+      wget
+    ;
+  };
+
+  consolePkgs = {
+    inherit (pkgs)
+      backblaze-b2
+      cdrtools
+      dmidecode
+      duplicity
+      efivar
+      flashrom
+      fwupd
+      ghostscript  # TODO: imagemagick wrapper should add gs to PATH
+      gnupg
+      gocryptfs
+      gopass
+      gopass-jsonapi
+      ifuse
+      imagemagick
+      ipfs
+      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
+      libimobiledevice
+      libsecret  # for managing user keyrings
+      lm_sensors  # for sensors-detect
+      lshw
+      ffmpeg
+      memtester
+      networkmanager
+      nixpkgs-review
+      # nixos-generators
+      # nettools
+      nmon
+      oathToolkit  # for oathtool
+      # ponymix
+      pulsemixer
+      python3
+      rsync
+      # python3Packages.eyeD3  # music tagging
+      sane-scripts
+      sequoia
+      snapper
+      sops
+      sox
+      speedtest-cli
+      sqlite  # to debug sqlite3 databases
+      ssh-to-age
+      sudo
+      # tageditor  # music tagging
+      unar
+      visidata
+      w3m
+      wireguard-tools
+      # youtube-dl
+      yt-dlp
+    ;
+  };
+
+  guiPkgs = {
+    inherit (pkgs // (with pkgs; {
+      # XXX can't `inherit` a nested attr, so we move them to the toplevel
+      # TODO: could use some "flatten attrs" helper instead
+      "gnome.cheese" = gnome.cheese;
+      "gnome.dconf-editor" = gnome.dconf-editor;
+      "gnome.file-roller" = gnome.file-roller;
+      "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
+      "gnome.gnome-maps" = gnome.gnome-maps;
+      "gnome.nautilus" = gnome.nautilus;
+      "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
+      "gnome.gnome-terminal" = gnome.gnome-terminal;
+      "gnome.gnome-weather" = gnome.gnome-weather;
+      "libsForQt5.plasmatube" = libsForQt5.plasmatube;
+    }))
+      aerc  # email client
+      audacity
+      celluloid  # mpv frontend
+      chromium
+      clinfo
+      dino
+      electrum
+      element-desktop
+      emote
+      evince  # works on phosh
+
+      # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
+
+      foliate  # e-book reader
+      font-manager
+
+      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+      # then reboot (so that libsecret daemon re-loads the keyring...?)
+      # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
+      # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
+
+      gajim  # XMPP client
+      gimp  # broken on phosh
+      "gnome.cheese"
+      "gnome.dconf-editor"
+      gnome-feeds  # RSS reader (with claimed mobile support)
+      "gnome.file-roller"
+      "gnome.gnome-disk-utility"
+      "gnome.gnome-maps"  # works on phosh
+      "gnome.nautilus"
+      # gnome-podcasts
+      "gnome.gnome-system-monitor"
+      "gnome.gnome-terminal"  # works on phosh
+      "gnome.gnome-weather"
+      gpodder-configured
+      gthumb
+      inkscape
+      kdenlive
+      kid3  # audio tagging
+      krita
+      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
+      lollypop
+      mpv
+      networkmanagerapplet
+      newsflash
+      nheko
+      obsidian
+      pavucontrol
+      # picard  # music tagging
+      playerctl
+      "libsForQt5.plasmatube"  # Youtube player
+      soundconverter
+      # sublime music persists any downloaded albums here.
+      # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
+      # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
+      #   possible to pass config as a CLI arg (sublime-music -c config.json)
+      # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
+      sublime-music-mobile
+      tdesktop  # broken on phosh
+      tokodon
+      vlc
+      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
+      # whalebird
+      xdg-utils  # for xdg-open
+      xterm  # broken on phosh
+    ;
+  };
+  x86GuiPkgs = {
+    inherit (pkgs)
+      discord
+
+      # kaiteki  # Pleroma client
+      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+      # gpt2tc  # XXX: unreliable mirror
+
+      # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
+      handbrake
+
+      logseq
+      losslesscut-bin
+      makemkv
+      monero-gui
+      signal-desktop
+      spotify
+      tor-browser-bundle-bin
+      zecwallet-lite
+    ;
+  };
+
+  # define -- but don't enable -- the packages in some attrset.
+  # use `mkDefault` for the package here so we can customize some of them further down this file
+  declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
+    package = mkDefault p;
+  }) pkgsAsAttrs;
+in
+{
+  config = {
+    sane.programs = mkMerge [
+      (declarePkgs sysadminPkgs)
+      (declarePkgs consolePkgs)
+      (declarePkgs guiPkgs)
+      (declarePkgs x86GuiPkgs)
+      {
+        # link the various package sets into their own meta packages
+        sysadminUtils = {
+          package = null;
+          suggestedPrograms = attrNames sysadminPkgs;
+        };
+        consoleUtils = {
+          package = null;
+          suggestedPrograms = attrNames consolePkgs;
+        };
+        guiApps = {
+          package = null;
+          suggestedPrograms = (attrNames guiPkgs)
+            ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
+        };
+        x86GuiApps = {
+          package = null;
+          suggestedPrograms = attrNames x86GuiPkgs;
+        };
+      }
+      {
+        # nontrivial package definitions
+        imagemagick.package = pkgs.imagemagick.override {
+          ghostscriptSupport = true;
+        };
+
+        dino.private = [ ".local/share/dino" ];
+
+        # creds, but also 200 MB of node modules, etc
+        discord = {
+          package = pkgs.discord.override {
+            # XXX 2022-07-31: fix to allow links to open in default web-browser:
+            #   https://github.com/NixOS/nixpkgs/issues/78961
+            nss = pkgs.nss_latest;
+          };
+          private = [ ".config/discord" ];
+        };
+
+        # creds/session keys, etc
+        element-desktop.private = [ ".config/Element" ];
+
+        # `emote` will show a first-run dialog based on what's in this directory.
+        # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+        # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+        emote.dir = [ ".local/share/Emote" ];
+
+        # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
+        #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
+        gpodder-configured.dir = [ "gPodder" ];
+
+        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+        # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
+        monero-gui.dir = [ ".bitmonero" ];
+
+        mpv.dir = [ ".config/mpv/watch_later" ];
+
+        # not strictly necessary, but allows caching articles; offline use, etc.
+        newsflash.dir = [ ".local/share/news-flash" ];
+        nheko.private = [
+          ".config/nheko"  # config file (including client token)
+          ".cache/nheko"  # media cache
+          ".local/share/nheko"  # per-account state database
+        ];
+
+        # settings (electron app)
+        obsidian.dir = [ ".config/obsidian" ];
+
+        # creds, media
+        signal-desktop.private = [ ".config/Signal" ];
+
+
+        # creds, widevine .so download. TODO: could easily manage these statically.
+        spotify.dir = [ ".config/spotify" ];
+
+        # sublime music persists any downloaded albums here.
+        # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
+        # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
+        #   possible to pass config as a CLI arg (sublime-music -c config.json)
+        # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
+        sublime-music-mobile.dir = [ ".local/share/sublime-music" ];
+
+        tdesktop.private = [ ".local/share/TelegramDesktop" ];
+
+        tokodon.private = [ ".cache/KDE/tokodon" ];
+
+        # hardenedMalloc solves a crash at startup
+        # TODO 2023/02/02: is this safe to remove yet?
+        tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
+          useHardenedMalloc = false;
+        };
+
+        # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
+        vlc.dir = [ ".config/vlc" ];
+
+        whalebird.private = [ ".config/Whalebird" ];
+
+        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
+        zecwallet-lite.private = [ ".zcash" ];
+      }
+    ];
+
+    # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
+    environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
+  };
+}

hosts/common/users.nix

@@ -49,8 +49,6 @@ in
 
       shell = pkgs.zsh;
 
-      packages = builtins.map (p: p.pkg) config.sane.packages.enabledUserPkgs;
-
       # mount encrypted stuff at login
       # some other nix pam users:
       # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>

hosts/modules/gui/default.nix

@@ -26,7 +26,7 @@ in
   };
 
   config = mkIf cfg.enable {
-    sane.packages.enableGuiPkgs = mkDefault true;
+    sane.programs.guiApps.enableFor.user.colin = mkDefault true;
 
     # preserve backlight brightness across power cycles
     # see `man systemd-backlight`

hosts/modules/gui/phosh.nix

@@ -77,12 +77,13 @@ in
         })
       ];
 
-      sane.packages.extraUserPkgs = with pkgs; [
-        phosh-mobile-settings
+      # TODO: refactor
+      sane.programs = {
+        phosh-mobile-settings.enableFor.user.colin = true;
 
         # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
-        gnome.gnome-bluetooth
-      ];
+        "gnome.gnome-bluetooth".enableFor.user.colin = true;
+      };
     }
     (mkIf cfg.useGreeter {
       services.xserver.enable = true;

hosts/modules/gui/sway.nix

@@ -625,18 +625,19 @@ in
     #   }
     # '';
 
-    sane.packages.extraUserPkgs = with pkgs; [
-      swaylock
-      swayidle  # (unused)
-      wl-clipboard
-      mako # notification daemon
-      xdg-utils  # for xdg-open
+    # TODO: refactor
+    sane.programs = {
+      swaylock.enableFor.user.colin = true;
+      swayidle.enableFor.user.colin = true;  # (unused)
+      wl-clipboard.enableFor.user.colin = true;
+      mako.enableFor.user.colin = true; # notification daemon
+      xdg-utils.enableFor.user.colin = true;  # for xdg-open
       # user stuff
       # pavucontrol
-      sway-contrib.grimshot
-      gnome.gnome-bluetooth
-      gnome.gnome-control-center
-    ];
+      "sway-contrib.grimshot".enableFor.user.colin = true;
+      "gnome.gnome-bluetooth".enableFor.user.colin = true;
+      "gnome.gnome-control-center".enableFor.user.colin = true;
+    };
   };
 }
 

modules/default.nix

@@ -5,7 +5,7 @@
     ./feeds.nix
     ./fs
     ./ids.nix
-    ./packages.nix
+    ./programs.nix
     ./image.nix
     ./persist
     ./services

modules/packages.nix

@@ -1,330 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-with pkgs;
-let
-  cfg = config.sane.packages;
-
-  imagemagick = pkgs.imagemagick.override {
-    ghostscriptSupport = true;
-  };
-
-  consolePkgs = [
-    backblaze-b2
-    cdrtools
-    dmidecode
-    duplicity
-    efivar
-    flashrom
-    fwupd
-    ghostscript  # TODO: imagemagick wrapper should add gs to PATH
-    gnupg
-    gocryptfs
-    gopass
-    gopass-jsonapi
-    ifuse
-    imagemagick
-    ipfs
-    kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-    libimobiledevice
-    libsecret  # for managing user keyrings
-    lm_sensors  # for sensors-detect
-    lshw
-    ffmpeg
-    memtester
-    networkmanager
-    nixpkgs-review
-    # nixos-generators
-    # nettools
-    nmon
-    oathToolkit  # for oathtool
-    # ponymix
-    pulsemixer
-    python3
-    rsync
-    # python3Packages.eyeD3  # music tagging
-    sane-scripts
-    sequoia
-    snapper
-    sops
-    speedtest-cli
-    sqlite  # to debug sqlite3 databases
-    ssh-to-age
-    sudo
-    # tageditor  # music tagging
-    unar
-    visidata
-    w3m
-    wireguard-tools
-    # youtube-dl
-    yt-dlp
-  ];
-
-  guiPkgs = [
-    # GUI only
-    aerc  # email client
-    audacity
-    celluloid  # mpv frontend
-    chromium
-    clinfo
-    { pkg = dino; private = [ ".local/share/dino" ]; }
-    electrum
-
-    # creds/session keys, etc
-    { pkg = element-desktop; private = [ ".config/Element" ]; }
-    # `emote` will show a first-run dialog based on what's in this directory.
-    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
-    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
-    { pkg = emote; dir = [ ".local/share/Emote" ]; }
-    evince  # works on phosh
-
-    # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
-
-    foliate
-    font-manager
-
-    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
-    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
-    # then reboot (so that libsecret daemon re-loads the keyring...?)
-    # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
-    # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
-
-    gajim  # XMPP client
-    gimp  # broken on phosh
-    gnome.cheese
-    gnome.dconf-editor
-    gnome-feeds  # RSS reader (with claimed mobile support)
-    gnome.file-roller
-    gnome.gnome-disk-utility
-    gnome.gnome-maps  # works on phosh
-    gnome.nautilus
-    # gnome-podcasts
-    gnome.gnome-system-monitor
-    gnome.gnome-terminal  # works on phosh
-    gnome.gnome-weather
-
-    # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
-    #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
-    { pkg = gpodder-configured; dir = [ "gPodder" ]; }
-
-    gthumb
-    inkscape
-
-    kdenlive
-    kid3  # audio tagging
-    krita
-    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
-    lollypop
-
-    { pkg = mpv; dir = [ ".config/mpv/watch_later" ]; }
-
-    networkmanagerapplet
-
-    # not strictly necessary, but allows caching articles; offline use, etc.
-    { pkg = newsflash; dir = [ ".local/share/news-flash" ]; }
-
-    { pkg = nheko; private = [
-      ".config/nheko"  # config file (including client token)
-      ".cache/nheko"  # media cache
-      ".local/share/nheko"  # per-account state database
-    ]; }
-
-    # settings (electron app)
-    { pkg = obsidian; dir = [ ".config/obsidian" ]; }
-
-    pavucontrol
-    # picard  # music tagging
-    playerctl
-
-    libsForQt5.plasmatube  # Youtube player
-
-    soundconverter
-    # sublime music persists any downloaded albums here.
-    # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
-    # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
-    #   possible to pass config as a CLI arg (sublime-music -c config.json)
-    # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
-    { pkg = sublime-music-mobile; dir = [ ".local/share/sublime-music" ]; }
-    { pkg = tdesktop; private = [ ".local/share/TelegramDesktop" ]; }  # broken on phosh
-
-    { pkg = tokodon; private = [ ".cache/KDE/tokodon" ]; }
-
-    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
-    { pkg = vlc; dir = [ ".config/vlc" ]; }
-
-    # pleroma client (Electron). input is broken on phosh.
-    { pkg = whalebird; private = [ ".config/Whalebird" ]; }
-
-    xdg-utils  # for xdg-open
-    xterm  # broken on phosh
-  ]
-  ++ (if pkgs.system == "x86_64-linux" then
-  [
-    # x86_64 only
-
-    # creds, but also 200 MB of node modules, etc
-    (let discord = (pkgs.discord.override {
-      # XXX 2022-07-31: fix to allow links to open in default web-browser:
-      #   https://github.com/NixOS/nixpkgs/issues/78961
-      nss = pkgs.nss_latest;
-    }); in { pkg = discord; private = [ ".config/discord" ]; })
-
-    # kaiteki  # Pleroma client
-    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
-    # gpt2tc  # XXX: unreliable mirror
-
-    # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
-    handbrake
-
-    logseq
-    losslesscut-bin
-    makemkv
-
-    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
-    { pkg = monero-gui; dir = [ ".bitmonero" ]; }
-
-    # creds, media
-    { pkg = signal-desktop; private = [ ".config/Signal" ]; }
-
-    # creds, widevine .so download. TODO: could easily manage these statically.
-    { pkg = spotify; dir = [ ".config/spotify" ]; }
-
-    # hardenedMalloc solves a crash at startup
-    (tor-browser-bundle-bin.override { useHardenedMalloc = false; })
-
-    # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-    { pkg = zecwallet-lite; private = [ ".zcash" ]; }
-  ] else []);
-
-  # general-purpose utilities that we want any user to be able to access
-  #   (specifically: root, in case of rescue)
-  systemPkgs = [
-    btrfs-progs
-    cacert.unbundled  # some services require unbundled /etc/ssl/certs
-    cryptsetup
-    dig
-    efibootmgr
-    fatresize
-    fd
-    file
-    gawk
-    git
-    gptfdisk
-    hdparm
-    htop
-    iftop
-    inetutils  # for telnet
-    iotop
-    iptables
-    jq
-    killall
-    lsof
-    nano
-    netcat
-    nethogs
-    nmap
-    openssl
-    parted
-    pciutils
-    powertop
-    pstree
-    ripgrep
-    screen
-    smartmontools
-    socat
-    strace
-    tcpdump
-    tree
-    usbutils
-    wget
-  ];
-
-  # useful devtools:
-  devPkgs = [
-    bison
-    dtc
-    flex
-    gcc
-    gdb
-    # gcc-arm-embedded
-    # gcc_multi
-    gnumake
-    mercurial
-    mix2nix
-    rustup
-    swig
-  ];
-
-  pkgSpec = types.submodule {
-    options = {
-      pkg = mkOption {
-        type = types.package;
-      };
-      dir = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "list of home-relative paths to persist for this package";
-      };
-      private = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "list of home-relative paths to persist (in encrypted format) for this package";
-      };
-    };
-  };
-
-  toPkgSpec = types.coercedTo types.package (p: { pkg = p; }) pkgSpec;
-in
-{
-  options = {
-    # packages to deploy to the user's home
-    sane.packages.extraUserPkgs = mkOption {
-      default = [ ];
-      type = types.listOf toPkgSpec;
-    };
-    sane.packages.extraGuiPkgs = mkOption {
-      default = [ ];
-      type = types.listOf toPkgSpec;
-      description = "packages to only ship if gui's enabled";
-    };
-    sane.packages.enableConsolePkgs = mkOption {
-      default = false;
-      type = types.bool;
-    };
-    sane.packages.enableGuiPkgs = mkOption {
-      default = false;
-      type = types.bool;
-    };
-    sane.packages.enableDevPkgs = mkOption {
-      description = ''
-        enable packages that are useful for building other software by hand.
-        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
-      '';
-      default = false;
-      type = types.bool;
-    };
-    sane.packages.enableSystemPkgs = mkOption {
-      default = false;
-      type = types.bool;
-      description = "enable system-wide packages";
-    };
-
-    sane.packages.enabledUserPkgs = mkOption {
-      default = cfg.extraUserPkgs
-        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
-        ++ (if cfg.enableGuiPkgs then guiPkgs ++ cfg.extraGuiPkgs else [])
-        ++ (if cfg.enableDevPkgs then devPkgs else [])
-      ;
-      type = types.listOf toPkgSpec;
-      description = "generated from other config options";
-    };
-  };
-
-  config = {
-    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
-    sane.user.persist.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
-    sane.user.persist.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
-    # XXX: this might not be necessary. try removing this and cacert.unbundled?
-    environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
-  };
-}

modules/programs.nix

@@ -0,0 +1,121 @@
+{ config, lib, pkgs, sane-lib, ... }:
+let
+  inherit (builtins) any elem map;
+  inherit (lib)
+    filterAttrs
+    hasAttrByPath
+    getAttrFromPath
+    mapAttrs
+    mapAttrsToList
+    mkDefault
+    mkIf
+    mkOption
+    optional
+    optionalAttrs
+    splitString
+    types
+  ;
+  inherit (sane-lib) joinAttrsets;
+  cfg = config.sane.programs;
+  pkgSpec = types.submodule ({ name, ... }: {
+    options = {
+      package = mkOption {
+        type = types.nullOr types.package;
+        description = ''
+          package, or `null` if the program is some sort of meta set (in which case it much EXPLICITLY be set null).
+        '';
+        default =
+          let
+            pkgPath = splitString "." name;
+          in
+            # package can be inferred by the attr name, allowing shorthand like
+            #   `sane.programs.nano.enable = true;`
+            # this indexing will throw if the package doesn't exist and the user forgets to specify
+            # a valid source explicitly.
+            getAttrFromPath pkgPath pkgs;
+      };
+      enableFor.system = mkOption {
+        type = types.bool;
+        default = any (en: en) (
+          mapAttrsToList
+            (otherName: otherPkg:
+              otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested && otherPkg.enableFor.system
+            )
+            cfg
+        );
+        description = ''
+          place this program on the system PATH
+        '';
+      };
+      enableFor.user = mkOption {
+        type = types.attrsOf types.bool;
+        default = joinAttrsets (mapAttrsToList (otherName: otherPkg:
+           optionalAttrs
+             (otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
+             (filterAttrs (user: en: en) otherPkg.enableFor.user)
+        ) cfg);
+        description = ''
+          place this program on the PATH for some specified user(s).
+        '';
+      };
+      suggestedPrograms = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          list of other programs a user may want to enable alongside this one.
+          for example, the gnome desktop environment would suggest things like its settings app.
+        '';
+      };
+      enableSuggested = mkOption {
+        type = types.bool;
+        default = true;
+      };
+      dir = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "list of home-relative paths to persist for this package";
+      };
+      private = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "list of home-relative paths to persist (in encrypted format) for this package";
+      };
+    };
+
+  });
+  toPkgSpec = types.coercedTo types.package (p: { package = p; }) pkgSpec;
+
+  configs = mapAttrsToList (_name: p: {
+    # conditionally add to system PATH
+    environment.systemPackages = optional
+      (p.package != null && p.enableFor.system)
+      p.package;
+    # conditionally add to user(s) PATH
+    users.users = mapAttrs (user: en: {
+      packages = optional (p.package != null && en) p.package;
+    }) p.enableFor.user;
+    # conditionally persist relevant user dirs
+    sane.users = mapAttrs (user: en: optionalAttrs en {
+      persist.plaintext = p.dir;
+      persist.private = p.private;
+    }) p.enableFor.user;
+  }) cfg;
+in
+{
+  options = {
+    sane.programs = mkOption {
+      type = types.attrsOf toPkgSpec;
+      default = {};
+    };
+  };
+
+  config =
+    let
+      take = f: {
+        environment.systemPackages = f.environment.systemPackages;
+        users.users = f.users.users;
+        sane.users = f.sane.users;
+      };
+    in
+      take (sane-lib.mkTypedMerge take configs);
+}

nixpatches/list.nix

@@ -13,13 +13,6 @@
     hash = "sha256-IvsIcd2wPdz4b/7FMrDrcVlIZjFecCQ9uiL0Umprbx0=";
   })
 
-  # fix libreoffice build by: Revert "mdds: 2.0.3 -> 2.1.0"
-  # merged 2023/01/25
-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/212583.diff";
-    hash = "sha256-nkXgwQUtxYkJT2OzG6Jc72snizW5wHvR1nmh2KDnaPc=";
-  })
-
   # fix handbrake build by: handbrake: 1.5.1 -> 1.6.1
   # PR opened 2023/01/23
   (fetchpatch {