WIP: make-sandboxed: handle /opt-style packaging, with toplevels linked into /bin, a bit better

it still prompts the user to allow it, but i'll fix that later i guess

TODO.md

@@ -2,18 +2,22 @@
 - `rmDbusServices` may break sandboxing
   - e.g. if the package ships a systemd unit which references $out, then make-sandboxed won't properly update that unit.
   - `rmDbusServicesInPlace` is not affected
-- when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/trust-dns/dhcp-configs doesn't get reset
+- when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/hickory-dns/dhcp-configs doesn't get reset
   - `ip monitor` can detect those manual link state changes (NM-dispatcher it seems cannot)
   - or try dnsmasq?
-- trust-dns: can't recursively resolve api.mangadex.org
+- hickory-dns can't resolve `abs.twimg.com`
-  - nor `m.wikipedia.org` (`dyna.wikipedia.org`)
+- hickory-dns can't resolve `social.kernel.org`
-  - and *sometimes* apple.com fails
+- hickory-dns can't resolve `pe.usps.com`
+- hickory-dns can't resolve `social.seattle.wa.us`
+- hickory-dns can't resolve `support.mozilla.org`
 - sandbox: link cache means that if i update ~/.config/... files inline, sandboxed programs still see the old version
+- mpv: continues to play past the end of some audio files
 - mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed
-- mpv: no way to exit fullscreen video on moby
-  - uosc hides controls on FS, and touch doesn't support unhiding
 - `ssh` access doesn't grant same linux capabilities as login
 - syshud (volume overlay): when casting with `blast`, syshud doesn't react to volume changes
+- moby: after bringing the modem up, powering it down loses *complete* net connectivity (i.e. wlan is gone as well)
+- dissent: if i launch it without net connectivity, it gets stuck at the login, and never tries again
+- calls: seems that it starts before net access, and then is forever disconnected (until i manually restart it)
 - moby: kaslr is effectively disabled
   - `dmesg | grep "KASLR disabled due to lack of seed"`
   - fix by adding `kaslrseed` to uboot script before `booti`
@@ -24,16 +28,21 @@
   - `dmesg | grep 'hid_bpf: error while preloading HID BPF dispatcher: -22'`
 - `s6` is not re-entrant
   - so if the desktop crashes, the login process from `unl0kr` fails to re-launch the GUI
-- nwg-panel will sometimes create nested bars (happens maybe when i turn an external display off, then on?)
+- newflash on moby can't play videos
-- wg-home is unreachable for a couple minutes when switching between LAN/WAN/3G
+  - "open in browser" works though -- in mpv
-  - because the endpoint DNS changes.
+- gnome-maps can't use geoclue *and* openstreetmap at the same time
-  - causes calls to not transfer from WiFi -> cellular.
+  - get gnome-maps to speak xdg-desktop-portal, and this will be fixed
+- epiphany can't save cookies
+  - see under "preferences", cookies are disabled
+  - prevents logging into websites (OpenStreetMap)
+  - works when sandbox is disabled
 
 ## REFACTORING:
 - add import checks to my Python nix-shell scripts
 - consolidate ~/dev and ~/ref
   - ~/dev becomes a link to ~/ref/cat/mine
 - fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix
+- don't hardcode IP addresses so much in servo
 
 ### sops/secrets
 - rework secrets to leverage `sane.fs`
@@ -53,22 +62,26 @@
 
 
 ## IMPROVEMENTS:
-- systemd/journalctl: use a less shit pager
-  - there's an env var for it: SYSTEMD_PAGER? and a flag for journalctl
 - kernels: ship the same kernel on every machine
   - then i can tune the kernels for hardening, without duplicating that work 4 times
 - zfs: replace this with something which doesn't require a custom kernel build
 - mpv: add media looping controls (e.g. loop song, loop playlist)
+- curlftpfs: replace with something better
+  - safer (rust? actively maintained? sandboxable?)
+  - handles spaces/symbols in filenames
+  - has better multi-stream perf (e.g. `sane-sync-music` should be able to copy N items in parallel)
+- firefox: open *all* links (http, https, ...) with system handler
+  - removes the need for open-in-mpv, firefox-xdg-open, etc.
+  - matrix room links *just work*.
+  - `network.protocol-handler.external.https = true` in about:config *seems* to do this,
+    but breaks some webpages (e.g. Pleroma)
 
 ### security/resilience
-- validate duplicity backups!
+- enable `snapper` btrfs snapshots (`services.snapper`)
-- encrypt more ~ dirs (~/archives, ~/records, ..?)
-  - best to do this after i know for sure i have good backups
 - /mnt/desko/home, etc, shouldn't include secrets (~/private)
   - 95% of its use is for remote media access and stuff which isn't in VCS (~/records)
 - port all sane.programs to be sandboxed
-  - sandbox `curlftpfs`
+  - sandbox `nix`
-  - sandbox `sshfs-fuse`
   - enforce that all `environment.packages` has a sandbox profile (or explicitly opts out)
   - revisit "non-sandboxable" apps and check that i'm not actually just missing mountpoints
     - LL_FS_RW=/ isn't enough -- need all mount points like `=/:/proc:/sys:...`.
@@ -77,8 +90,6 @@
   - lock down dbus calls within the sandbox
     - otherwise anyone can `systemd-run --user ...` to potentially escape a sandbox
     - <https://github.com/flatpak/xdg-dbus-proxy>
-  - remove `.ssh` access from Firefox!
-    - limit access to `~/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
   - port sanebox to a compiled language (hare?)
     - it adds like 50-70ms launch time _on my laptop_. i'd hate to know how much that is on the pinephone.
 - make dconf stuff less monolithic
@@ -92,14 +103,13 @@
 - cleanup waybar/nwg-panel so that it's not invoking playerctl every 2 seconds
   - nwg-panel: doesn't know that virtual-desktop 10/TV exists
 - install apps:
-  - compass viewer (moby)
   - display QR codes for WiFi endpoints: <https://linuxphoneapps.org/apps/noappid.wisperwind.wifi2qr/>
   - shopping list (not in nixpkgs): <https://linuxphoneapps.org/apps/ro.hume.cosmin.shoppinglist/>
   - offline Wikipedia (or, add to `wike`)
   - offline docs viewer (gtk): <https://github.com/workbenchdev/Biblioteca>
   - some type of games manager/launcher
     - Gnome Highscore (retro games)?: <https://gitlab.gnome.org/World/highscore>
-  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)?
+  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)?)
   - note-taking app: <https://linuxphoneapps.org/categories/note-taking/>
     - Folio is nice, uses standard markdown, though it only supports flat repos
   - OSK overlay specifically for mobile gaming
@@ -117,18 +127,17 @@
 
 #### moby
 - fix cpuidle (gets better power consumption): <https://xnux.eu/log/077.html>
+- fix cpupower for better power/perf
+  - `journalctl -u cpupower --boot` (problem is present on lappy, at least)
 - moby: tune keyboard layout
-- SwayNC:
+- SwayNC: add option to change audio output
-  - don't show MPRIS if no players detected
-    - this is a problem of playerctld, i guess
-  - add option to change audio output
 - moby: tune GPS
   - fix iio-sensor-proxy magnetometer scaling
   - tune QGPS setting in eg25-control, for less jitter?
   - configure geoclue to do some smoothing?
   - manually do smoothing, as some layer between mepo and geoclue?
+  - email wigle.net people to unlock API access
 - moby: port `freshen-agps` timer service to s6 (maybe i want some `s6-cron` or something)
-- moby: show battery state on ssh login
 - moby: improve gPodder launch time
 - moby: theme GTK apps (i.e. non-adwaita styles)
   - especially, make the menubar collapsible
@@ -137,6 +146,8 @@
 #### non-moby
 - RSS: integrate a paywall bypass
   - e.g. self-hosted [ladder](https://github.com/everywall/ladder) (like 12ft.io)
+- RSS: have podcasts get downloaded straight into ~/Videos/...
+  - and strip the ads out using Whisper transcription + asking a LLM where the ad breaks are
 - neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
 - neovim: integrate LLMs
 - Helix: make copy-to-system clipboard be the default
@@ -149,6 +160,8 @@
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
   - maybe just color these "keywords" in all search results?
+- transmission: apply `sane-tag-media` path fix in `torrent-done` script
+  - many .mkv files do appear to be tagged: i'd just need to add support in my own tooling
 - uninsane.org: make URLs relative to allow local use (and as offline homepage)
 - email: fix so that local mail doesn't go to junk
   - git sendmail flow adds the DKIM signatures, but gets delivered locally w/o having the sig checked, so goes into Junk

hosts/by-name/desko/default.nix

@@ -4,15 +4,19 @@
     ./fs.nix
   ];
 
-  sane.services.trust-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable trust-dns
+  sane.services.hickory-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable hickory-dns
   # sane.programs.devPkgs.enableFor.user.colin = true;
   # sane.guest.enable = true;
 
   # don't enable wifi by default: it messes with connectivity.
   # systemd.services.iwd.enable = false;
+  # networking.wireless.enable = false;
   # systemd.services.wpa_supplicant.enable = false;
-  sane.programs.wpa_supplicant.enableFor.user.colin = lib.mkForce false;
+  # sane.programs.wpa_supplicant.enableFor.user.colin = lib.mkForce false;
-  sane.programs.wpa_supplicant.enableFor.system = lib.mkForce false;
+  # sane.programs.wpa_supplicant.enableFor.system = lib.mkForce false;
+  # don't auto-connect to wifi networks
+  # see: <https://networkmanager.dev/docs/api/latest/NetworkManager.conf.html#device-spec>
+  networking.networkmanager.unmanaged = [ "type:wifi" ];
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
@@ -24,10 +28,13 @@
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.ovpn.addrV4 = "172.26.55.21";
   # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:20c1:a73c";
-  sane.services.duplicity.enable = true;
+  sane.services.rsync-net.enable = true;
 
   sane.nixcache.remote-builders.desko = false;
 
+  sane.programs.sane-private-unlock-remote.enableFor.user.colin = true;
+  sane.programs.sane-private-unlock-remote.config.hosts = [ "servo" ];
+
   sane.programs.sway.enableFor.user.colin = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;
   sane.programs.steam.enableFor.user.colin = true;
@@ -45,15 +52,18 @@
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
 
+  # TODO: enable snapper (need to make `/nix` or `/nix/persist` a subvolume, somehow).
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
   #   - hourly snapshots
   #   - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
-  services.snapper.configs.nix = {
+  # to list snapshots: `sudo snapper --config nix list`
-    # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
+  # to take a snapshot: `sudo snapper --config nix create`
-    # but that also requires setting up the persist dir as a subvol
+  # services.snapper.configs.nix = {
-    SUBVOLUME = "/nix";
+  #   # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
-    # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
+  #   # but that also requires setting up the persist dir as a subvol
-    ALLOW_USERS = [ "colin" ];
+  #   SUBVOLUME = "/nix";
-  };
+  #   # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
+  #   ALLOW_USERS = [ "colin" ];
+  # };
 }

hosts/by-name/lappy/default.nix

@@ -15,6 +15,9 @@
   # sane.guest.enable = true;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  sane.programs.sane-private-unlock-remote.enableFor.user.colin = true;
+  sane.programs.sane-private-unlock-remote.config.hosts = [ "servo" ];
+
   sane.programs.stepmania.enableFor.user.colin = true;
   sane.programs.sway.enableFor.user.colin = true;
 
@@ -23,14 +26,20 @@
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
+  sane.services.rsync-net.enable = true;
+
+  # TODO: enable snapper (need to make `/nix` or `/nix/persist` a subvolume, somehow).
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
   #   - hourly snapshots
   #   - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
-  services.snapper.configs.nix = {
+  # to list snapshots: `sudo snapper --config nix list`
-    # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
+  # to take a snapshot: `sudo snapper --config nix create`
-    # but that also requires setting up the persist dir as a subvol
+  # services.snapper.configs.nix = {
-    SUBVOLUME = "/nix";
+  #   # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
-    ALLOW_USERS = [ "colin" ];
+  #   # but that also requires setting up the persist dir as a subvol
-  };
+  #   SUBVOLUME = "/nix";
+  #   # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
+  #   ALLOW_USERS = [ "colin" ];
+  # };
 }

hosts/by-name/moby/default.nix

@@ -23,10 +23,11 @@
   # XXX colin: phosh doesn't work well with passwordless login,
   # so set this more reliable default password should anything go wrong
   users.users.colin.initialPassword = "147147";
-  # services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
+  sane.services.rsync-net.enable = true;
+
   sane.programs.sway.enableFor.user.colin = true;
   sane.programs.sway.config.mod = "Mod1";  #< alt key instead of Super
   sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!

hosts/by-name/servo/default.nix

@@ -14,14 +14,14 @@
   # sane.programs.matrix-synapse.enableFor.user.colin = true;
 
   sane.roles.build-machine.enable = true;
-  sane.programs.zsh.config.showDeadlines = false;  # ~/knowledge doesn't always exist
+  sane.programs.sane-deadlines.config.showOnLogin = false;  # ~/knowledge doesn't always exist
   sane.programs.consoleUtils.suggestedPrograms = [
     "consoleMediaUtils"  # notably, for go2tv / casting
     "pcConsoleUtils"
     "sane-scripts.stop-all-servo"
   ];
   sane.services.dyn-dns.enable = true;
-  sane.services.trust-dns.asSystemResolver = false;  # TODO: enable once it's all working well
+  sane.services.hickory-dns.asSystemResolver = false;  # TODO: enable once it's all working well
   sane.services.wg-home.enable = true;
   sane.services.wg-home.visibleToWan = true;
   sane.services.wg-home.forwardToWan = true;
@@ -31,11 +31,12 @@
   # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:8df3:14b0";
   sane.nixcache.remote-builders.desko = false;
   sane.nixcache.remote-builders.servo = false;
-  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
+  sane.services.rsync-net.enable = true;
 
   # automatically log in at the virtual consoles.
-  # using root here makes sure we always have an escape hatch
+  # using root here makes sure we always have an escape hatch.
-  services.getty.autologinUser = "root";
+  # XXX(2024-07-27): this is incompatible with my s6-rc stuff, which needs to auto-login as `colin` to start its user services.
+  # services.getty.autologinUser = "root";
 
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 

hosts/by-name/servo/fs.nix

@@ -14,7 +14,7 @@
 # show zfs datasets: `zfs list` (will be empty if haven't imported)
 # show zfs properties (e.g. compression): `zfs get all pool`
 # set zfs properties: `zfs set compression=on pool`
-{ ... }:
+{ lib, pkgs, ... }:
 
 {
   # hostId: not used for anything except zfs guardrail?
@@ -131,6 +131,20 @@
     the contents should be a subset of what's in ../media/datasets.
   '';
 
+  systemd.services.dedupe-media = {
+    description = "transparently de-duplicate /var/media entries by using block-level hardlinks";
+    script = ''
+      ${lib.getExe' pkgs.util-linux "hardlink"} /var/media --reflink=always --ignore-time --verbose
+    '';
+  };
+  systemd.timers.dedupe-media = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig = {
+      OnStartupSec = "23min";
+      OnUnitActiveSec = "720min";
+    };
+  };
+
   # btrfs doesn't easily support swapfiles
   # swapDevices = [
   #   { device = "/nix/persist/swapfile"; size = 4096; }

hosts/by-name/servo/net.nix

@@ -30,6 +30,14 @@ in
 
   config = {
     networking.domain = "uninsane.org";
+    systemd.network.networks."50-eth0" = {
+      matchConfig.Name = "eth0";
+      networkConfig.Address = [
+        "205.201.63.12/32"
+        "10.78.79.51/22"
+      ];
+      networkConfig.DNS = [ "10.78.79.1" ];
+    };
 
     sane.ports.openFirewall = true;
     sane.ports.openUpnp = true;

hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix

@@ -20,6 +20,7 @@ let
   bitcoind = pkgs.bitcoind;
   # wrapper to run bitcoind with the tor onion address as externalip (computed at runtime)
   _bitcoindWithExternalIp = pkgs.writeShellScriptBin "bitcoind" ''
+    set -xeu
     externalip="$(cat /var/lib/tor/onion/bitcoind/hostname)"
     exec ${bitcoind}/bin/bitcoind "-externalip=$externalip" "$@"
   '';
@@ -63,23 +64,62 @@ in
       passwordHMAC = "30002c05d82daa210550e17a182db3f3$6071444151281e1aa8a2729f75e3e2d224e9d7cac3974810dab60e7c28ffaae4";
     };
     extraConfig = ''
+      # checkblocks: default 6: how many blocks to verify on start
+      checkblocks=3
       # don't load the wallet, and disable wallet RPC calls
       disablewallet=1
       # proxy all outbound traffic through Tor
       proxy=127.0.0.1:9050
     '';
+    extraCmdlineOptions = [
+      # "-debug"
+      # "-debug=estimatefee"
+      # "-debug=http"
+      # "-debug=net"
+      "-debug=proxy"
+      "-debug=rpc"
+      # "-debug=validation"
+    ];
   };
 
   users.users.bitcoind-mainnet.extraGroups = [ "tor" ];
 
-  systemd.services.bitcoind-mainnet.serviceConfig.RestartSec = "30s";  #< default is 0
+  systemd.services.bitcoind-mainnet = {
+    after = [ "tor.service" ];
+    requires = [ "tor.service" ];
+    serviceConfig.RestartSec = "30s";  #< default is 0
+
+    # hardening (systemd-analyze security bitcoind-mainnet)
+    serviceConfig.StateDirectory = "bitcoind-mainnet";
+    serviceConfig.LockPersonality = true;
+    serviceConfig.MemoryDenyWriteExecute = "true";
+    serviceConfig.NoNewPrivileges = "true";
+    serviceConfig.PrivateDevices = "true";
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = "true";
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "pid";
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProtectSystem = lib.mkForce "strict";
+    serviceConfig.RemoveIPC = true;
+    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+    serviceConfig.RestrictNamespaces = true;
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = [ "@system-service" ];
+  };
 
-  sane.users.colin.fs.".bitcoin/bitcoin.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets."bitcoin.conf".path;
   sops.secrets."bitcoin.conf" = {
     mode = "0600";
     owner = "colin";
     group = "users";
   };
 
-  sane.programs.bitcoind.enableFor.user.colin = true;  # for debugging/administration: `bitcoin-cli`
+  sane.programs.bitcoin-cli.enableFor.user.colin = true;  # for debugging/administration: `bitcoin-cli`
 }

hosts/by-name/servo/services/cryptocurrencies/clightning.nix

@@ -72,13 +72,11 @@
 
 { config, pkgs, ... }:
 {
-  sane.persist.sys.byStore.ext = [
+  sane.persist.sys.byStore.private = [
+    # clightning takes up only a few MB. but then several hundred MB of crash logs that i should probably GC.
     { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; method = "bind"; }
   ];
 
-  # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon
-  sane.user.fs.".lightning".symlink.target = "/var/lib/clightning";
-
   # see bitcoin.nix for how to generate this
   services.bitcoind.mainnet.rpc.users.clightning.passwordHMAC =
     "befcb82d9821049164db5217beb85439$2c31ac7db3124612e43893ae13b9527dbe464ab2d992e814602e7cb07dc28985";
@@ -105,6 +103,7 @@
   users.users.clightning.extraGroups = [ "tor" ];
 
   systemd.services.clightning.after = [ "tor.service" ];
+  systemd.services.clightning.requires = [ "tor.service" ];
 
   # lightning-config contains fields from here:
   # - <https://docs.corelightning.org/docs/configuration>
@@ -117,13 +116,15 @@
   # - feature configs (i.e. experimental-xyz options)
   sane.services.clightning.extraConfig = ''
     # log levels: "io", "debug", "info", "unusual", "broken"
-    log-level=info:lightningd
+    log-level=info
+    # log-level=info:lightningd
     # log-level=debug:lightningd
+    # log-level=debug
 
     # peerswap:
     # - config example: <https://github.com/fort-nix/nix-bitcoin/pull/462/files#diff-b357d832705b8ce8df1f41934d613f79adb77c4cd5cd9e9eb12a163fca3e16c6>
     # XXX: peerswap crashes clightning on launch. stacktrace is useless.
-    # plugin=${pkgs.peerswap}/bin/peerswap
+    # plugin={pkgs.peerswap}/bin/peerswap
     # peerswap-db-path=/var/lib/clightning/peerswap/swaps
     # peerswap-policy-path=...
   '';
@@ -134,6 +135,5 @@
     group = "clightning";
   };
 
-  sane.programs.clightning.enableFor.user.colin = true;  # for debugging/admin: `lightning-cli`
+  sane.programs.lightning-cli.enableFor.user.colin = true;  # for debugging/admin:
-  sane.programs.clightning.packageUnwrapped = config.sane.services.clightning.package;
 }

hosts/by-name/servo/services/cryptocurrencies/i2p.nix

@@ -1,4 +1,5 @@
-{ ... }:
+{ lib, ... }:
+lib.mkIf false  #< 2024/07/27: i don't use it, too much surface-area for me to run it pro-bono (`systemd-analyze security monero`)
 {
   services.i2p.enable = true;
 }

hosts/by-name/servo/services/cryptocurrencies/monero.nix

@@ -1,5 +1,6 @@
 # as of 2023/11/26: complete downloaded blockchain should be 200GiB on disk, give or take.
-{ ... }:
+{ lib, ... }:
+lib.mkIf false  #< 2024/07/27: i don't use it, too much surface-area for me to run it pro-bono (`systemd-analyze security monero`)
 {
   sane.persist.sys.byStore.ext = [
     # /var/lib/monero/lmdb is what consumes most of the space

hosts/by-name/servo/services/cryptocurrencies/tor.nix

@@ -1,9 +1,9 @@
 # tor settings: <https://2019.www.torproject.org/docs/tor-manual.html.en>
 { lib, ... }:
 {
-  # tor hidden service hostnames aren't deterministic, so persist.
+  sane.persist.sys.byStore.ephemeral = [
-  # might be able to get away with just persisting /var/lib/tor/onion, not sure.
+    # N.B.: tor hidden service hostnames aren't deterministic, so if you need them
-  sane.persist.sys.byStore.plaintext = [
+    # to be preserved across reboots then persist /var/lib/tor/onion in "private" store.
    { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; }
   ];
 

hosts/by-name/servo/services/default.nix

@@ -7,10 +7,11 @@
     ./ejabberd.nix
     ./freshrss.nix
     ./export
+    ./hickory-dns.nix
     ./gitea.nix
     ./goaccess.nix
     ./ipfs.nix
-    ./jackett.nix
+    ./jackett
     ./jellyfin.nix
     ./kiwix-serve.nix
     ./komga.nix
@@ -20,13 +21,13 @@
     ./nginx.nix
     ./nixos-prebuild.nix
     ./ntfy
+    ./ollama.nix
     ./pict-rs.nix
     ./pleroma.nix
     ./postgres.nix
     ./prosody
     ./slskd.nix
     ./transmission
-    ./trust-dns.nix
     ./wikipedia.nix
   ];
 }

hosts/by-name/servo/services/ejabberd.nix

@@ -44,7 +44,7 @@ in
 # everything configured below was fine: used ejabberd for several months.
 lib.mkIf false
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; method = "bind"; }
   ];
   sane.ports.ports = lib.mkMerge ([

hosts/by-name/servo/services/email/dovecot.nix

@@ -83,8 +83,8 @@
     #   sieve_plugins = sieve_imapsieve
     # }
 
-    mail_debug = yes
+    # mail_debug = yes
-    auth_debug = yes
+    # auth_debug = yes
     # verbose_ssl = yes
   '';
 

hosts/by-name/servo/services/email/postfix.nix

@@ -1,4 +1,11 @@
 # postfix config options: <https://www.postfix.org/postconf.5.html>
+# config files:
+# - /etc/postfix/main.cf
+# - /etc/postfix/master.cf
+#
+# logs:
+# - postfix logs directly to *syslog*,
+#   so check e.g. ~/.local/share/rsyslog
 
 { config, lib, pkgs, ... }:
 
@@ -18,14 +25,14 @@ let
   };
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     # TODO: mode? could be more granular
-    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; method = "bind"; }
+    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; method = "bind"; }  #< TODO: migrate to secrets
-    { user = "root"; group = "root"; path = "/var/lib/postfix"; method = "bind"; }
     { user = "root"; group = "root"; path = "/var/spool/mail"; method = "bind"; }
     # *probably* don't need these dirs:
     # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
     # "/var/lib/dovecot"
+    # "/var/lib/postfix"
   ];
 
   # XXX(2023/10/20): opening these ports in the firewall has the OPPOSITE effect as intended.
@@ -95,6 +102,7 @@ in
   services.postfix.sslCert = "/var/lib/acme/mx.uninsane.org/fullchain.pem";
   services.postfix.sslKey = "/var/lib/acme/mx.uninsane.org/key.pem";
 
+  # see: `man 5 virtual`
   services.postfix.virtual = ''
     notify.matrix@uninsane.org matrix-synapse
     @uninsane.org colin
@@ -135,6 +143,20 @@ in
     # smtpd_sender_restrictions = reject_unknown_sender_domain
   };
 
+  # debugging options:
+  # services.postfix.masterConfig = {
+  #   "proxymap".args = [ "-v" ];
+  #   "proxywrite".args = [ "-v" ];
+  #   "relay".args = [ "-v" ];
+  #   "smtp".args = [ "-v" ];
+  #   "smtp_inet".args = [ "-v" ];
+  #   "submission".args = [ "-v" ];
+  #   "submissions".args = [ "-v" ];
+  #   "submissions".chroot = false;
+  #   "submissions".private = false;
+  #   "submissions".privileged = true;
+  # };
+
   services.postfix.enableSubmission = true;
   services.postfix.submissionOptions = submissionOptions;
   services.postfix.enableSubmissions = true;
@@ -142,6 +164,10 @@ in
 
   systemd.services.postfix.after = [ "wireguard-wg-ovpns.service" ];
   systemd.services.postfix.partOf = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.postfix.unitConfig.RequiresMountsFor = [
+    "/var/spool/mail"  # spooky errors when postfix is run w/o this: `warning: connect #1 to subsystem private/proxymap: Connection refused`
+    "/var/lib/opendkim"
+  ];
   systemd.services.postfix.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
@@ -175,23 +201,30 @@ in
 
 
   #### OUTGOING MESSAGE REWRITING:
-  services.postfix.enableHeaderChecks = true;
+  # - `man 5 header_checks`
-  services.postfix.headerChecks = [
+  #   - <https://www.postfix.org/header_checks.5.html>
-    # intercept gitea registration confirmations and manually screen them
+  # - populates `/var/lib/postfix/conf/header_checks`
-    {
+  # XXX(2024-08-06): registration gating via email matches is AWFUL:
-      # headerChecks are somehow ignorant of alias rules: have to redirect to a real user
+  # 1. bypassed if the service offers localization.
-      action = "REDIRECT colin@uninsane.org";
+  # 2. if i try to forward the registration request, it may match the filter again and get sent back to my inbox.
-      pattern = "/^Subject: Please activate your account/";
+  # 3. header checks are possibly under-used in the ecosystem, and may break postfix config.
-    }
+  # services.postfix.enableHeaderChecks = true;
-    # intercept Matrix registration confirmations
+  # services.postfix.headerChecks = [
-    {
+  #   # intercept gitea registration confirmations and manually screen them
-      action = "REDIRECT colin@uninsane.org";
-      pattern = "/^Subject:.*Validate your email/";
-    }
-    # XXX postfix only supports performing ONE action per header.
   #   {
-    #   action = "REPLACE Subject: git application: Please activate your account";
+  #     # headerChecks are somehow ignorant of alias rules: have to redirect to a real user
-    #   pattern = "/^Subject:.*activate your account/";
+  #     action = "REDIRECT colin@uninsane.org";
+  #     pattern = "/^Subject: Please activate your account/";
   #   }
-  ];
+  #   # intercept Matrix registration confirmations
+  #   {
+  #     action = "REDIRECT colin@uninsane.org";
+  #     pattern = "/^Subject:.*Validate your email/";
+  #   }
+  #   # XXX postfix only supports performing ONE action per header.
+  #   # {
+  #   #   action = "REPLACE Subject: git application: Please activate your account";
+  #   #   pattern = "/^Subject:.*activate your account/";
+  #   # }
+  # ];
 }

hosts/by-name/servo/services/export/default.nix

@@ -12,10 +12,6 @@
     device = "/var/media";
     options = [ "rbind" ];
   };
-  fileSystems."/var/export/pub" = {
-    device = "/var/www/sites/uninsane.org/share";
-    options = [ "rbind" ];
-  };
   # fileSystems."/var/export/playground" = {
   #   device = config.fileSystems."/mnt/persist/ext".device;
   #   fsType = "btrfs";
@@ -55,4 +51,11 @@
       - be a friendly troll
     '';
   };
+
+  sane.fs."/var/export/.public_for_test/test" = {
+    wantedBy = [ "nfs.service" "sftpgo.service" ];
+    file.text = ''
+      automated tests read this file to probe connectivity
+    '';
+  };
 }

hosts/by-name/servo/services/export/sftpgo/default.nix

@@ -80,12 +80,6 @@ in
             port = 21;
             debug = true;
           }
-          {
-            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
-            address = "10.78.79.51";
-            port = 21;
-            debug = true;
-          }
           {
             # binding this means any wireguard client can connect
             address = "10.0.10.5";
@@ -93,6 +87,12 @@ in
             debug = true;
             tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
           }
+          {
+            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
+            address = "10.78.79.51";
+            port = 21;
+            debug = true;
+          }
           {
             # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
             address = "10.78.79.51";
@@ -107,6 +107,13 @@ in
             debug = true;
             tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
           }
+          {
+            # binding this means any LAN client can connect via `ftp.uninsane.org` (TLS only)
+            address = config.sane.netns.doof.netnsPubIpv4;
+            port = 990;
+            debug = true;
+            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
+          }
         ];
 
         # active mode is susceptible to "bounce attacks", without much benefit over passive mode

hosts/by-name/servo/services/export/sftpgo/external_auth_hook

@@ -129,14 +129,14 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
     return mkAuthOk(username, permissions = {
       "/": PERM_RW,
       "/playground": PERM_RW,
-      "/pub": PERM_RO,
+      "/.public_for_test": PERM_RO,
     })
   if isWireguard(ip):
     # allow any user from wireguard
     return mkAuthOk(username, permissions = {
       "/": PERM_RW,
       "/playground": PERM_RW,
-      "/pub": PERM_RO,
+      "/.public_for_test": PERM_RO,
     })
   if isLan(ip):
     if username == "anonymous":
@@ -144,7 +144,7 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
       return mkAuthOk("anonymous", permissions = {
         "/": PERM_RO,
         "/playground": PERM_RW,
-        "/pub": PERM_RO,
+        "/.public_for_test": PERM_RO,
       })
   if username == "anonymous":
     # anonymous users from the www can have even more limited access.
@@ -154,7 +154,7 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
       "/": PERM_LIST,  #< REQUIRED, even for lftp to list a subdir
       "/media": PERM_DENY,
       "/playground": PERM_DENY,
-      "/pub": PERM_RO,
+      "/.public_for_test": PERM_RO,
       # "/README.md": PERM_RO,  #< does not work
     })
 

hosts/by-name/servo/services/gitea.nix

@@ -1,11 +1,14 @@
 # config options: <https://docs.gitea.io/en-us/administration/config-cheat-sheet/>
+# TODO: service shouldn't run as `git` user, but as `gitea`
 { config, pkgs, lib, ... }:
 
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
-    # TODO: mode? could be more granular
+    { user = "git"; group = "gitea"; mode = "0750"; path = "/var/lib/gitea"; method = "bind"; }
-    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; method = "bind"; }
   ];
+
+  sane.programs.gitea.enableFor.user.colin = true;  # for admin, and monitoring
+
   services.gitea.enable = true;
   services.gitea.user = "git";  # default is 'gitea'
   services.gitea.database.type = "postgres";
@@ -41,14 +44,21 @@
       # timeout for email approval. 5760 = 4 days. 10080 = 7 days
       ACTIVE_CODE_LIVE_MINUTES = 10080;
       # REGISTER_EMAIL_CONFIRM = false;
-      # REGISTER_MANUAL_CONFIRM = true;
+      # REGISTER_EMAIL_CONFIRM = true;  #< override REGISTER_MANUAL_CONFIRM
-      REGISTER_EMAIL_CONFIRM = true;
+      REGISTER_MANUAL_CONFIRM = true;
       # not sure what this notifies *on*...
       ENABLE_NOTIFY_MAIL = true;
       # defaults to image-based captcha.
       # also supports recaptcha (with custom URLs) or hCaptcha.
       ENABLE_CAPTCHA = true;
       NOREPLY_ADDRESS = "noreply.anonymous.git@uninsane.org";
+      EMAIL_DOMAIN_BLOCKLIST = lib.concatStringsSep ", " [
+        "*.claychoen.top"
+        "*.gemmasmith.co.uk"
+        "*.jenniferlawrence.uk"
+        "*.sarahconnor.co.uk"
+        "*.marymarshall.co.uk"
+      ];
     };
     session = {
       COOKIE_SECURE = true;
@@ -109,6 +119,10 @@
     locations."/" = {
       proxyPass = "http://127.0.0.1:3000";
     };
+    # fuck you @anthropic
+    locations."= /robots.txt".extraConfig = ''
+      return 200 "User-agent: *\nDisallow: /\n";
+    '';
     # gitea serves all `raw` files as content-type: plain, but i'd like to serve them as their actual content type.
     # or at least, enough to make specific pages viewable (serving unoriginal content as arbitrary content type is dangerous).
     locations."~ ^/colin/phone-case-cq/raw/.*.html" = {

hosts/by-name/servo/services/hickory-dns.nix

@@ -48,16 +48,14 @@ in
     # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
     A."ns1" =    "%ANATIVE%";
     A."ns2" =    "%ADOOF%";
-    A."ns3" =    "%AOVPNS%";
     A."ovpns" =  "%AOVPNS%";
     NS."@" = [
       "ns1.uninsane.org."
       "ns2.uninsane.org."
-      "ns3.uninsane.org."
     ];
   };
 
-  services.trust-dns.settings.zones = [ "uninsane.org" ];
+  services.hickory-dns.settings.zones = [ "uninsane.org" ];
 
 
   networking.nat.enable = true;  #< TODO: try removing this?
@@ -85,8 +83,8 @@ in
   # };
 
 
-  sane.services.trust-dns.enable = true;
+  sane.services.hickory-dns.enable = true;
-  sane.services.trust-dns.instances = let
+  sane.services.hickory-dns.instances = let
     mkSubstitutions = flavor: {
       "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
       "%ANATIVE%" = nativeAddrs."servo.${flavor}";
@@ -100,7 +98,9 @@ in
       substitutions = mkSubstitutions "doof";
       listenAddrsIpv4 = [
         config.sane.netns.doof.hostVethIpv4
-        config.sane.netns.ovpns.hostVethIpv4
+        config.sane.netns.doof.netnsPubIpv4
+        nativeAddrs."servo.lan"
+        # config.sane.netns.ovpns.hostVethIpv4
       ];
     };
     hn = {
@@ -128,11 +128,11 @@ in
       #   ];
       # };
     };
-    lan = {
+    # lan = {
-      substitutions = mkSubstitutions "lan";
+    #   substitutions = mkSubstitutions "lan";
-      listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
+    #   listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
-      # port = 1053;
+    #   # port = 1053;
-    };
+    # };
     # wan = {
     #   substitutions = mkSubstitutions "wan";
     #   listenAddrsIpv4 = [
@@ -141,10 +141,5 @@ in
     # };
   };
 
-  sane.services.dyn-dns.restartOnChange = [
+  sane.services.dyn-dns.restartOnChange = lib.map (c: "${c.service}.service") (builtins.attrValues config.sane.services.hickory-dns.instances);
-    "trust-dns-doof.service"
-    "trust-dns-hn.service"
-    "trust-dns-lan.service"
-    # "trust-dns-wan.service"
-  ];
 }

hosts/by-name/servo/services/ipfs.nix

@@ -10,7 +10,7 @@
 
 lib.mkIf false # i don't actively use ipfs anymore
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     # TODO: mode? could be more granular
     { user = "261"; group = "261"; path = "/var/lib/ipfs"; method = "bind"; }
   ];

hosts/by-name/servo/services/jackett.nix

@@ -1,34 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  sane.persist.sys.byStore.plaintext = [
-    # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
-    { user = "root"; group = "root"; path = "/var/lib/jackett"; method = "bind"; }
-  ];
-  services.jackett.enable = true;
-
-  systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.jackett.serviceConfig = {
-    # run this behind the OVPN static VPN
-    NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
-
-    # patch jackett to listen on the public interfaces
-    # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
-  };
-
-  # jackett torrent search
-  services.nginx.virtualHosts."jackett.uninsane.org" = {
-    forceSSL = true;
-    enableACME = true;
-    # inherit kTLS;
-    locations."/" = {
-      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
-      recommendedProxySettings = true;
-    };
-  };
-
-  sane.dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
-}
-

hosts/by-name/servo/services/jackett/default.nix

@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.jackett;
+in
+{
+  sane.persist.sys.byStore.private = [
+    # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
+    { user = "jackett"; group = "jackett"; path = "/var/lib/jackett"; method = "bind"; }
+  ];
+  services.jackett.enable = true;
+
+  systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.jackett = {
+    # run this behind the OVPN static VPN
+    serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
+    serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
+    # patch in `--ListenPublic` so that it's reachable from the netns veth.
+    # this also makes it reachable from the VPN pub address. oh well.
+    serviceConfig.ExecStart = lib.mkForce "${cfg.package}/bin/Jackett --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
+    serviceConfig.RestartSec = "30s";
+
+    # hardening (systemd-analyze security jackett)
+    # TODO: upstream into nixpkgs
+    serviceConfig.StateDirectory = "jackett";
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    # serviceConfig.MemoryDenyWriteExecute = true;  #< Failed to create CoreCLR, HRESULT: 0x80004005
+    serviceConfig.PrivateDevices = true;
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "pid";
+    serviceConfig.ProtectClock = true;
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProtectSystem = "strict";
+    serviceConfig.RemoveIPC = true;
+    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+    serviceConfig.RestrictNamespaces = true;
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" ];
+  };
+
+  # jackett torrent search
+  services.nginx.virtualHosts."jackett.uninsane.org" = {
+    forceSSL = true;
+    enableACME = true;
+    # inherit kTLS;
+    locations."/" = {
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
+      recommendedProxySettings = true;
+    };
+    locations."= /robots.txt".extraConfig = ''
+      return 200 "User-agent: *\nDisallow: /\n";
+    '';
+  };
+
+  sane.dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
+}
+

hosts/by-name/servo/services/kiwix-serve.nix

@@ -21,6 +21,9 @@
     enableACME = true;
     # inherit kTLS;
     locations."/".proxyPass = "http://127.0.0.1:8013";
+    locations."= /robots.txt".extraConfig = ''
+      return 200 "User-agent: *\nDisallow: /\n";
+    '';
   };
 
   sane.dns.zones."uninsane.org".inet.CNAME."w" = "native";

hosts/by-name/servo/services/komga.nix

@@ -17,6 +17,9 @@ in
     locations."/" = {
       proxyPass = "http://127.0.0.1:${builtins.toString port}";
     };
+    locations."= /robots.txt".extraConfig = ''
+      return 200 "User-agent: *\nDisallow: /\n";
+    '';
   };
   sane.dns.zones."uninsane.org".inet.CNAME."komga" = "native";
 }

hosts/by-name/servo/services/lemmy.nix

@@ -38,15 +38,10 @@ in {
     nginx.enable = true;
   };
 
-  systemd.services.lemmy.serviceConfig = {
-    # fix to use a normal user so we can configure perms correctly
-    DynamicUser = mkForce false;
-    User = "lemmy";
-    Group = "lemmy";
-  };
   systemd.services.lemmy.environment = {
     RUST_BACKTRACE = "full";
-    RUST_LOG = "warn";
+    RUST_LOG = "error";
+    # RUST_LOG = "warn";
     # RUST_LOG = "debug";
     # RUST_LOG = "trace";
     # upstream defaults LEMMY_DATABASE_URL = "postgres:///lemmy?host=/run/postgresql";
@@ -73,6 +68,73 @@ in {
 
   sane.dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";
 
+  systemd.services.lemmy = {
+    # fix to use a normal user so we can configure perms correctly
+    # XXX(2024-07-28): this hasn't been rigorously tested:
+    # possible that i've set something too strict and won't notice right away
+    serviceConfig.DynamicUser = mkForce false;
+    serviceConfig.User = "lemmy";
+    serviceConfig.Group = "lemmy";
+
+    # hardening (systemd-analyze security lemmy)
+    # a handful of these are specified in upstream nixpkgs, but mostly not
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.MemoryDenyWriteExecute = true;
+    serviceConfig.PrivateDevices = true;
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "pid";
+
+    serviceConfig.ProtectClock = true;
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProtectSystem = "strict";
+    serviceConfig.RemoveIPC = true;
+    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+
+    serviceConfig.RestrictNamespaces = true;
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = [ "@system-service" ];
+  };
+
+  systemd.services.lemmy-ui = {
+    # hardening (systemd-analyze security lemmy-ui)
+    # TODO: upstream into nixpkgs
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    # serviceConfig.MemoryDenyWriteExecute = true;  #< it uses v8, JIT
+    serviceConfig.PrivateDevices = true;
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "pid";
+
+    serviceConfig.ProtectClock = true;
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProtectSystem = "strict";
+    serviceConfig.RemoveIPC = true;
+    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+
+    serviceConfig.RestrictNamespaces = true;
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = [ "@system-service" "@pkey" "@sandbox" ];
+  };
+
   #v DO NOT REMOVE: defaults to 0.3, instead of latest, so always need to explicitly set this.
   services.pict-rs.package = pict-rs;
 
@@ -82,10 +144,38 @@ in {
   # - via CLI flags (overrides everything above)
   # some of the CLI flags have defaults, making it the only actual way to configure certain things even when docs claim otherwise.
   # CLI args: <https://git.asonix.dog/asonix/pict-rs#user-content-running>
-  systemd.services.pict-rs.serviceConfig.ExecStart = lib.mkForce (lib.concatStringsSep " " [
+  systemd.services.pict-rs = {
+    serviceConfig.ExecStart = lib.mkForce (lib.concatStringsSep " " [
       "${lib.getBin pict-rs}/bin/pict-rs run"
       "--media-video-max-frame-count" (builtins.toString (30*60*60))
       "--media-process-timeout 120"
       "--media-video-allow-audio"  # allow audio
     ]);
+
+    # hardening (systemd-analyze security pict-rs)
+    # TODO: upstream into nixpkgs
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.MemoryDenyWriteExecute = true;
+    serviceConfig.PrivateDevices = true;
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "pid";
+    serviceConfig.ProtectClock = true;
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProtectSystem = "strict";
+    serviceConfig.RemoveIPC = true;
+    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+    serviceConfig.RestrictNamespaces = true;
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = [ "@system-service" ];
+  };
 }

hosts/by-name/servo/services/matrix/default.nix

@@ -20,17 +20,17 @@
     ./signal.nix
   ];
 
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; method = "bind"; }
   ];
   services.matrix-synapse.enable = true;
-  services.matrix-synapse.log.root.level = "WARNING";  # accepts "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" (?)
+  services.matrix-synapse.log.root.level = "ERROR";  # accepts "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" (?)
   services.matrix-synapse.settings = {
     server_name = "uninsane.org";
 
     # services.matrix-synapse.enable_registration_captcha = true;
     # services.matrix-synapse.enable_registration_without_verification = true;
-    enable_registration = true;
+    # enable_registration = true;
     # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
 
     # default for listeners is port = 8448, tls = true, x_forwarded = false.

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -5,7 +5,7 @@
 # - recommended to use mautrix-discord: <https://github.com/NixOS/nixpkgs/pull/200462>
 lib.mkIf false
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; method = "bind"; }
   ];
 

hosts/by-name/servo/services/matrix/irc.nix

@@ -99,7 +99,7 @@ in
     })
   ];
 
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     # TODO: mode?
     { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; method = "bind"; }
   ];

hosts/by-name/servo/services/matrix/signal.nix

@@ -4,7 +4,7 @@
 
 lib.mkIf false  # disabled 2024/01/11: i don't use it, and pkgs.mautrix-signal had some API changes
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; method = "bind"; }
     { user = "signald"; group = "signald"; path = "/var/lib/signald"; method = "bind"; }
   ];

hosts/by-name/servo/services/nginx.nix

@@ -29,6 +29,12 @@ in
   };
 
   services.nginx.enable = true;
+  # nginxStable is one release behind nginxMainline.
+  # nginx itself recommends running mainline; nixos defaults to stable.
+  # services.nginx.package = pkgs.nginxMainline;
+  # XXX(2024-07-31): nixos defaults to zlib-ng -- supposedly more performant, but spams log with
+  # "gzip filter failed to use preallocated memory: ..."
+  services.nginx.package = pkgs.nginxMainline.override { zlib = pkgs.zlib; };
   services.nginx.appendConfig = ''
     # use 1 process per core.
     # may want to increase worker_connections too, but `ulimit -n` must be increased first.
@@ -44,8 +50,10 @@ in
     log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
     access_log /var/log/nginx/private.log vcombined;
   '';
-  # sets gzip_comp_level = 5
+  # enables gzip and sets gzip_comp_level = 5
   services.nginx.recommendedGzipSettings = true;
+  # enables zstd and sets zstd_comp_level = 9
+  services.nginx.recommendedZstdSettings = true;
   # enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
   # - doesn't seem to, actually: <https://www.ssllabs.com/ssltest/analyze.html?d=uninsane.org>
   # caches TLS sessions for 10m
@@ -99,6 +107,16 @@ in
         disable_symlinks on;
       '';
     };
+    locations."/share/Ubunchu/" = {
+      alias = "/var/media/Books/Visual/HiroshiSeo/Ubunchu/";
+      extraConfig = ''
+        # autoindex => render directory listings
+        autoindex on;
+        # don't follow any symlinks when serving files
+        # otherwise it allows a directory escape
+        disable_symlinks on;
+      '';
+    };
 
     # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
     locations."= /.well-known/matrix/server".extraConfig =
@@ -180,8 +198,15 @@ in
 
   sane.persist.sys.byStore.plaintext = [
     { user = "acme"; group = "acme"; path = "/var/lib/acme"; method = "bind"; }
+  ];
+  sane.persist.sys.byStore.private = [
     { user = "colin"; group = "users"; path = "/var/www/sites"; method = "bind"; }
   ];
+  sane.persist.sys.byStore.ephemeral = [
+    # logs *could* be persisted to private storage, but then there's the issue of
+    # "what if servo boots, isn't unlocked, and the whole / tmpfs is consumed by logs"
+    { user = "nginx"; group = "nginx"; path = "/var/log/nginx"; method = "bind"; }
+  ];
 
   # let's encrypt default chain looks like:
   # - End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3

hosts/by-name/servo/services/ntfy/ntfy-sh.nix

@@ -30,7 +30,7 @@ let
   altPort = 2587;
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     # not 100% necessary to persist this, but ntfy does keep a 12hr (by default) cache
     # for pushing notifications to users who become offline.
     # ACLs also live here.
@@ -46,7 +46,7 @@ in
     # defaults to 45s.
     # note that the client may still do its own TCP-level keepalives, typically every 30s
     keepalive-interval = "15m";
-    log-level = "trace";  # trace, debug, info (default), warn, error
+    log-level = "info";  # trace, debug, info (default), warn, error
     auth-default-access = "deny-all";
   };
   systemd.services.ntfy-sh.serviceConfig.DynamicUser = lib.mkForce false;

hosts/by-name/servo/services/ollama.nix

@@ -0,0 +1,23 @@
+# ollama: <https://github.com/ollama/ollama>
+# use: `ollama run llama3.1`
+# or: `ollama run llama3.1:70b`
+# or use a remote session: <https://github.com/ggozad/oterm>
+{ lib, ... }:
+lib.mkIf false  #< WIP
+{
+  sane.persist.sys.byStore.plaintext = [
+    { user = "ollama"; group = "ollama"; path = "/var/lib/ollama"; method = "bind"; }
+  ];
+  services.ollama.enable = true;
+  services.ollama.user = "ollama";
+  services.ollama.group = "ollama";
+
+  users.groups.ollama = {};
+
+  users.users.ollama = {
+    group = "ollama";
+    isSystemUser = true;
+  };
+
+  systemd.services.ollama.serviceConfig.DynamicUser = lib.mkForce false;
+}

hosts/by-name/servo/services/pleroma.nix

@@ -7,14 +7,15 @@
 # to run it in a oci-container: <https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix>
 #
 # admin frontend: <https://fed.uninsane.org/pleroma/admin>
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   logLevel = "warn";
   # logLevel = "debug";
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
+    # contains media i've uploaded to the server
     { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; method = "bind"; }
   ];
   services.pleroma.enable = true;
@@ -135,25 +136,52 @@ in
     # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
     pkgs.bash
     # used by Pleroma to strip geo tags from uploads
-    pkgs.exiftool
+    config.sane.programs.exiftool.package
     # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
-    pkgs.gawk
+    config.sane.programs.gawk.package
     # needed for email operations like password reset
     pkgs.postfix
   ];
 
-  systemd.services.pleroma.serviceConfig = {
+  systemd.services.pleroma = {
     # postgres can be slow to service early requests, preventing pleroma from starting on the first try
-    Restart = "on-failure";
+    serviceConfig.Restart = "on-failure";
-    RestartSec = "10s";
+    serviceConfig.RestartSec = "10s";
-  };
 
-  # systemd.services.pleroma.serviceConfig = {
+    # hardening (systemd-analyze security pleroma)
-  #   # required for sendmail. see https://git.pleroma.social/pleroma/pleroma/-/issues/2259
+    # XXX(2024-07-28): this hasn't been rigorously tested:
-  #   NoNewPrivileges = lib.mkForce false;
+    # possible that i've set something too strict and won't notice right away
-  #   PrivateTmp = lib.mkForce false;
+    # make sure to test:
-  #   CapabilityBoundingSet = lib.mkForce "~";
+    # - image/media uploading
-  # };
+    serviceConfig.CapabilityBoundingSet = "~CAP_SYS_ADMIN";  #< TODO: reduce this. try: CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.MemoryDenyWriteExecute = true;
+    serviceConfig.PrivateDevices = lib.mkForce true;  #< dunno why nixpkgs has this set false; it seems to work as true
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProcSubset = "all";  #< needs /proc/sys/kernel/overflowuid for bwrap
+
+    serviceConfig.ProtectClock = true;
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectSystem = lib.mkForce "strict";
+    serviceConfig.RemoveIPC = true;
+    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = [ "@system-service" "@mount" "@sandbox" ];  #< "sandbox" might not actually be necessary
+
+    serviceConfig.ProtectHostname = false;  #< else brap can't mount /proc
+    serviceConfig.ProtectKernelLogs = false;  #< else breaks exiftool  ("bwrap: Can't mount proc on /newroot/proc: Operation not permitted")
+    serviceConfig.ProtectKernelTunables = false;  #< else breaks exiftool
+    serviceConfig.RestrictNamespaces = false;  # media uploads require bwrap
+  };
 
   # this is required to allow pleroma to send email.
   # raw `sendmail` works, but i think pleroma's passing it some funny flags or something, idk.

hosts/by-name/servo/services/postgres.nix

@@ -6,9 +6,9 @@ let
   KiB = n: 1024*n;
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
-    # TODO: mode?
+    { user = "postgres"; group = "postgres"; mode = "0750"; path = "/var/lib/postgresql"; method = "bind"; }
-    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; method = "bind"; }
+    { user = "postgres"; group = "postgres"; mode = "0750"; path = "/var/backup/postgresql"; method = "bind"; }
   ];
   services.postgresql.enable = true;
 

hosts/by-name/servo/services/prosody/default.nix

@@ -56,7 +56,8 @@ let
   enableDebug = false;
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
+    # TODO: mode?
     { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; method = "bind"; }
   ];
   sane.ports.ports."5000" = {

hosts/by-name/servo/services/slskd.nix

@@ -10,7 +10,9 @@
 { config, lib, pkgs, ... }:
 
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.ephemeral = [
+    # {data,downloads,incomplete,logs}: contains logs, search history, and downloads
+    # so, move the downloaded data to persistent storage regularly, or configure the downloads/incomplete dirs to point to persisted storage (in nixpkgs slskd config)
     { user = "slskd"; group = "media"; path = "/var/lib/slskd"; method = "bind"; }
   ];
   sops.secrets."slskd_env" = {
@@ -68,12 +70,20 @@
     # flags.volatile = true;  # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
   };
 
-  systemd.services.slskd.serviceConfig = {
+  systemd.services.slskd = {
     # run this behind the OVPN static VPN
-    NetworkNamespacePath = "/run/netns/ovpns";
+    serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
+    serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
 
-    Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
+    serviceConfig.Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
-    RestartSec = "60s";
+    serviceConfig.RestartSec = "60s";
+
+    # hardening (systemd-analyze security slskd)
+    # upstream nixpkgs specifies moderate defaults; these are supplementary
+    # serviceConfig.MemoryDenyWriteExecute = true;
+    # serviceConfig.ProcSubset = "pid";
+    # serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+    # serviceConfig.SystemCallArchitectures = "native";
+    # serviceConfig.SystemCallFilter = [ "@system-service" ];
   };
 }

hosts/by-name/servo/services/transmission/default.nix

@@ -31,14 +31,14 @@ let
       "coreutils"
       "findutils"
       "rsync"
-      "util-linux"
     ];
   };
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
     # TODO: mode? we need this specifically for the stats tracking in .config/
     { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; method = "bind"; }
+    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/backup/torrents"; method = "bind"; }
   ];
   users.users.transmission.extraGroups = [ "media" ];
 
@@ -107,16 +107,31 @@ in
     script-torrent-done-filename = "${torrent-done}/bin/torrent-done";
   };
 
-  systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.transmission = {
-  systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
+    after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.transmission.serviceConfig = {
+    partOf = [ "wireguard-wg-ovpns.service" ];
+    environment.TR_DEBUG = "1";
     # run this behind the OVPN static VPN
-    NetworkNamespacePath = "/run/netns/ovpns";
+    serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
+    serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
 
-    Restart = "on-failure";
+    serviceConfig.Restart = "on-failure";
-    RestartSec = "30s";
+    serviceConfig.RestartSec = "30s";
-    BindPaths = [ "/var/media" ];  #< so it can move completed torrents into the media library
+    serviceConfig.BindPaths = [ "/var/media" ];  #< so it can move completed torrents into the media library
+    serviceConfig.SystemCallFilter = lib.mkForce [
+      # the torrent-done script does stuff which fails the nixos default syscall filter.
+      # allow a bunch of stuff, speculatively, to hopefully fix that:
+      "@aio"
+      "@basic-io"
+      "@chown"
+      "@file-system"
+      "@io-event"
+      "@process"
+      "@sandbox"
+      "@sync"
+      "@system-service"
+      "quotactl"
+    ];
   };
 
   # service to automatically backup torrents i add to transmission

hosts/by-name/servo/services/transmission/torrent-done

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p acl -p bash -p coreutils -p findutils -p rsync -p util-linux
+#!nix-shell -i bash -p acl -p bash -p coreutils -p findutils -p rsync
 
 # transmission invokes this with no args, and the following env vars:
 # - TR_TORRENT_DIR: full path to the folder i told transmission to download it to.
@@ -7,7 +7,6 @@
 # optionally:
 # - TR_DRY_RUN=1
 # - TR_DEBUG=1
-# - TR_NO_HARDLINK=1
 
 DOWNLOAD_DIR=/var/media/torrents
 
@@ -41,10 +40,11 @@ REL_DIR="${TR_TORRENT_DIR#$DOWNLOAD_DIR/}"
 MEDIA_DIR="/var/media/$REL_DIR"
 
 destructive mkdir -p "$(dirname "$MEDIA_DIR")"
-destructive rsync -arv "$TR_TORRENT_DIR/" "$MEDIA_DIR/"
+destructive rsync -rlv "$TR_TORRENT_DIR/" "$MEDIA_DIR/"
 # make the media rwx by anyone in the group
 destructive find "$MEDIA_DIR" -type d -exec setfacl --recursive --modify d:g::rwx,o::rx {} \;
 destructive find "$MEDIA_DIR" -type d -exec chmod g+rw,a+rx {} \;
+destructive find "$MEDIA_DIR" -type f -exec chmod g+rw,a+r {} \;
 
 # if there's a single directory inside the media dir, then inline that
 subdirs=("$MEDIA_DIR"/*)
@@ -58,19 +58,13 @@ if [ ${#subdirs[@]} -eq 1 ]; then
 fi
 
 # remove noisy files:
+# -iname means "insensitive", but the syntax is NOT regex -- more similar to shell matching
 destructive find "$MEDIA_DIR/" -type f \(\
-     -iname '.*downloaded.?from.*' \
+     -iname '*downloaded?from*' \
   -o -iname 'source.txt' \
-  -o -iname 'upcoming.?releases.*' \
+  -o -iname '*upcoming?releases*' \
-  -o -iname 'www.YTS.*.jpg' \
+  -o -iname 'www.YTS*.jpg' \
   -o -iname 'WWW.YIFY*.COM.jpg' \
   -o -iname 'YIFY*.com.txt' \
   -o -iname 'YTS*.com.txt' \
   \) -exec rm {} \;
-
-if ! [ -n "${TR_NO_HARDLINK}" ]; then
-  # dedupe the whole media library.
-  # yeah, a bit excessive: move this to a cron job if that's problematic
-  #   or make it run with only 1/N probability, etc.
-  destructive hardlink /var/media --reflink=always --ignore-time --verbose
-fi

hosts/common/boot.nix

@@ -46,5 +46,6 @@
   # manifests as spurious "No space left on device" when trying to install watches,
   # e.g. in dyn-dns by `systemctl start dyn-dns-watcher.path`.
   # see: <https://askubuntu.com/questions/828779/failed-to-add-run-systemd-ask-password-to-directory-watch-no-space-left-on-dev>
-  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
+  boot.kernel.sysctl."fs.inotify.max_user_watches" = 4194304;
+  boot.kernel.sysctl."fs.inotify.max_user_instances" = 4194304;
 }

hosts/common/default.nix

@@ -10,7 +10,6 @@
     ./machine-id.nix
     ./net
     ./nix.nix
-    ./persist.nix
     ./polyunfill.nix
     ./programs
     ./quirks.nix

hosts/common/feeds.nix

@@ -2,7 +2,9 @@
 # - universal search/directory: <https://podcastindex.org>
 # - list of lists: <https://en.wikipedia.org/wiki/Category:Lists_of_podcasts>
 # - podcasts w/ a community: <https://lemmyverse.net/communities?query=podcast>
-# - podcast rec thread: <https://lemmy.ml/post/1565858>
+# - podcast recs:
+#   - active lemmy: <https://slrpnk.net/c/podcasts>
+#   - old thread: <https://lemmy.ml/post/1565858>
 #
 { lib, sane-data, ... }:
 let
@@ -57,6 +59,7 @@ let
   podcasts = [
     (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)  # ACQ2 - more "Acquired" episodes
     (fromDb "allinchamathjason.libsyn.com" // pol)
+    (fromDb "api.oyez.org/podcasts/oral-arguments/2015" // pol)  # Supreme Court Oral Arguments ("2015" in URL means nothing -- it's still updated)
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)  # Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/2da69154/podcast/rss" // tech)  # POD OF JAKE -- https://podofjake.com/
     (fromDb "cast.postmarketos.org" // tech)
@@ -70,16 +73,17 @@ let
     (fromDb "feeds.feedburner.com/radiolab" // pol)  # Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
     (fromDb "feeds.megaphone.fm/behindthebastards" // pol)  # also Maggie Killjoy
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)  # The Verge - Decoder
-    (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
     (fromDb "feeds.simplecast.com/82FI35Px" // pol)  # Ezra Klein Show
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)  # Econ Talk
     (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
     (fromDb "feeds.transistor.fm/acquired" // tech)
+    (fromDb "feeds.transistor.fm/complex-systems-with-patrick-mckenzie-patio11" // tech)  # Patrick Mackenzie (from Bits About Money)
     (fromDb "feeds.twit.tv/floss.xml" // tech)
     (fromDb "fulltimenix.com" // tech)
     (fromDb "futureofcoding.org/episodes" // tech)
     (fromDb "hackerpublicradio.org" // tech)
     (fromDb "lexfridman.com/podcast" // rat)
+    (fromDb "linktr.ee/betteroffline" // pol)
     (fromDb "mapspodcast.libsyn.com" // uncat)  # Multidisciplinary Association for Psychedelic Studies
     (fromDb "microarch.club" // tech)
     (fromDb "mintcast.org" // tech)
@@ -87,8 +91,8 @@ let
     (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)  # Maggie Killjoy -- referenced by Cory Doctorow
     (fromDb "omny.fm/shows/money-stuff-the-podcast")  # Matt Levine
     (fromDb "omny.fm/shows/the-dollop-with-dave-anthony-and-gareth-reynolds")  # The Dollop history/comedy
+    (fromDb "omny.fm/shows/weird-little-guys")  # Cool Zone Media
     (fromDb "originstories.libsyn.com" // uncat)
-    (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
     (fromDb "politicalorphanage.libsyn.com" // pol)
     (fromDb "reverseengineering.libsyn.com/rss" // tech)  # UnNamed Reverse Engineering Podcast
     (fromDb "rss.acast.com/deconstructed")  # The Intercept - Deconstructed
@@ -111,7 +115,9 @@ let
 
     # (fromDb "feeds.libsyn.com/421877" // rat)  # Less Wrong Curated
     # (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)  # Daniel Huberman on sleep
+    # (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
     # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
+    # (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
     # (fromDb "podcast.thelinuxexp.com" // tech)  # low-brow linux/foss PR announcements
     # (fromDb "rss.art19.com/your-welcome" // pol)  # Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
@@ -237,9 +243,9 @@ let
     (fromDb "youtube.com/@TheB1M")
     (fromDb "youtube.com/@TomScottGo")
     (fromDb "youtube.com/@Vihart")
-    (fromDb "youtube.com/@Vox")
-    # (fromDb "youtube.com/@Vsauce")  # they're all like 1-minute long videos now? what happened @Vsauce?
 
+    # (fromDb "youtube.com/@Vox")
+    # (fromDb "youtube.com/@Vsauce")  # they're all like 1-minute long videos now? what happened @Vsauce?
     # (fromDb "youtube.com/@rossmanngroup" // pol // tech)  # Louis Rossmann
   ];
 

hosts/common/fs.nix

@@ -45,7 +45,7 @@ let
       "gid=100"
     ];
 
-    ssh = common ++ fuse ++ [
+    ssh = common ++ fuseColin ++ [
       "identityfile=/home/colin/.ssh/id_ed25519"
       # i *think* idmap=user means that `colin` on `localhost` and `colin` on the remote are actually treated as the same user, even if their uid/gid differs?
       # i.e., local colin's id is translated to/from remote colin's id on every operation?
@@ -107,66 +107,207 @@ let
       "connect_timeout=20"
     ];
   };
+
+  ifSshAuthorized = lib.mkIf config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized;
+
   remoteHome = host: {
     sane.programs.sshfs-fuse.enableFor.system = true;
+    system.fsPackages = [
+      config.sane.programs.sshfs-fuse.package
+    ];
     fileSystems."/mnt/${host}/home" = {
-      device = "colin@${host}:/home/colin";
+      device = "sshfs#colin@${host}:/home/colin";
-      fsType = "fuse.sshfs";
+      fsType = "fuse3";
-      options = fsOpts.sshColin ++ fsOpts.lazyMount;
+      options = fsOpts.sshColin ++ fsOpts.lazyMount ++ [
+        # drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs
+        "drop_privileges"
+        "auto_unmount"  #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
+      ];
       noCheck = true;
     };
-    sane.fs."/mnt/${host}/home" = sane-lib.fs.wanted {
+    sane.fs."/mnt/${host}/home" = {
       dir.acl.user = "colin";
       dir.acl.group = "users";
       dir.acl.mode = "0700";
+      wantedBy = [ "default.target" ];
+      mount.depends = [ "network-online.target" ];
+      mount.mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
+      mount.mountConfig.User = "colin";
+      mount.mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN";
+      # hardening (systemd-analyze security mnt-desko-home.mount):
+      # TODO: i can't use ProtectSystem=full here, because i can't create a new mount space; but...
+      # with drop_privileges, i *could* sandbox the actual `sshfs` program using e.g. bwrap
+      mount.mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN";
+      mount.mountConfig.LockPersonality = true;
+      mount.mountConfig.MemoryDenyWriteExecute = true;
+      mount.mountConfig.NoNewPrivileges = true;
+      mount.mountConfig.ProtectClock = true;
+      mount.mountConfig.ProtectHostname = true;
+      mount.mountConfig.RemoveIPC = true;
+      mount.mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+      #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
+      # see `systemd-analyze filesystems` for a full list
+      mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
+      mount.mountConfig.RestrictRealtime = true;
+      mount.mountConfig.RestrictSUIDSGID = true;
+      mount.mountConfig.SystemCallArchitectures = "native";
+      mount.mountConfig.SystemCallFilter = [
+        "@system-service"
+        "@mount"
+        "~@chown"
+        "~@cpu-emulation"
+        "~@keyring"
+        # could remove almost all io calls, however one has to keep `open`, and `write`, to communicate with the fuse device.
+        # so that's pretty useless as a way to prevent write access
+      ];
+      mount.mountConfig.IPAddressDeny = "any";
+      mount.mountConfig.IPAddressAllow = "10.0.0.0/8";
+      mount.mountConfig.DevicePolicy = "closed";  # only allow /dev/{null,zero,full,random,urandom}
+      mount.mountConfig.DeviceAllow = "/dev/fuse";
+      # mount.mountConfig.RestrictNamespaces = true;  #< my sshfs sandboxing uses bwrap
     };
   };
-  remoteServo = subdir: {
+  remoteServo = subdir: let
+    localPath = "/mnt/servo/${subdir}";
+    systemdName = utils.escapeSystemdPath localPath;
+  in {
     sane.programs.curlftpfs.enableFor.system = true;
-    sane.fs."/mnt/servo/${subdir}" = sane-lib.fs.wanted {
+    system.fsPackages = [
-      dir.acl.user = "colin";
+      config.sane.programs.curlftpfs.package
-      dir.acl.group = "users";
+    ];
-      dir.acl.mode = "0750";
+    fileSystems."${localPath}" = {
-    };
+      device = "curlftpfs#ftp://servo-hn:/${subdir}";
-    fileSystems."/mnt/servo/${subdir}" = {
-      device = "ftp://servo-hn:/${subdir}";
       noCheck = true;
-      fsType = "fuse.curlftpfs";
+      fsType = "fuse3";
-      options = fsOpts.ftp ++ fsOpts.noauto;
+      options = fsOpts.ftp ++ fsOpts.noauto ++ [
+        # drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs
+        "drop_privileges"
+        "auto_unmount"  #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
+      ];
       # fsType = "nfs";
       # options = fsOpts.nfs ++ fsOpts.lazyMount;
     };
-    systemd.services."automount-servo-${utils.escapeSystemdPath subdir}" = let
+    sane.fs."${localPath}" = {
-      fs = config.fileSystems."/mnt/servo/${subdir}";
+      dir.acl.user = "colin";
-    in {
+      dir.acl.group = "users";
-      # this is a *flaky* network mount, especially on moby.
+      dir.acl.mode = "0750";
-      # if done as a normal autofs mount, access will eternally block when network is dropped.
-      # notably, this would block *any* sandboxed app which allows media access, whether they actually try to use that media or not.
-      # a practical solution is this: mount as a service -- instead of autofs -- and unmount on timeout error, in a restart loop.
-      # until the ftp handshake succeeds, nothing is actually mounted to the vfs, so this doesn't slow down any I/O when network is down.
-      description = "automount /mnt/servo/${subdir} in a fault-tolerant and non-blocking manner";
-      after = [ "network-online.target" ];
-      requires = [ "network-online.target" ];
       wantedBy = [ "default.target" ];
+      mount.depends = [ "network-online.target" "${systemdName}-reachable.service" ];
+      #VVV patch so that when the mount fails, we start a timer to remount it.
+      #    and for a disconnection after a good mount (onSuccess), restart the timer to be more aggressive
+      mount.unitConfig.OnFailure = [ "${systemdName}.timer" ];
+      mount.unitConfig.OnSuccess = [ "${systemdName}-restart-timer.target" ];
 
-      serviceConfig.Type = "simple";
+      mount.mountConfig.TimeoutSec = "10s";
-      serviceConfig.ExecStart = lib.escapeShellArgs [
+      mount.mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
-        "/usr/bin/env"
+      mount.mountConfig.User = "colin";
-        "PATH=/run/current-system/sw/bin"
+      mount.mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN";
-        "mount.${fs.fsType}"
+      # hardening (systemd-analyze security mnt-servo-playground.mount)
-        "-f"  # foreground (i.e. don't daemonize)
+      mount.mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN";
-        "-s"  # single-threaded (TODO: it's probably ok to disable this?)
+      mount.mountConfig.LockPersonality = true;
-        "-o"
+      mount.mountConfig.MemoryDenyWriteExecute = true;
-        (lib.concatStringsSep "," (lib.filter (o: !lib.hasPrefix "x-systemd." o) fs.options))
+      mount.mountConfig.NoNewPrivileges = true;
-        fs.device
+      mount.mountConfig.ProtectClock = true;
-        "/mnt/servo/${subdir}"
+      mount.mountConfig.ProtectHostname = true;
+      mount.mountConfig.RemoveIPC = true;
+      mount.mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+      #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
+      # see `systemd-analyze filesystems` for a full list
+      mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
+      mount.mountConfig.RestrictRealtime = true;
+      mount.mountConfig.RestrictSUIDSGID = true;
+      mount.mountConfig.SystemCallArchitectures = "native";
+      mount.mountConfig.SystemCallFilter = [
+        "@system-service"
+        "@mount"
+        "~@chown"
+        "~@cpu-emulation"
+        "~@keyring"
+        # could remove almost all io calls, however one has to keep `open`, and `write`, to communicate with the fuse device.
+        # so that's pretty useless as a way to prevent write access
       ];
-      # not sure if this configures a linear, or exponential backoff.
+      mount.mountConfig.IPAddressDeny = "any";
-      # but the first restart will be after `RestartSec`, and the n'th restart (n = RestartSteps) will be RestartMaxDelaySec after the n-1'th exit.
+      mount.mountConfig.IPAddressAllow = "10.0.10.5";
-      serviceConfig.Restart = "always";
+      mount.mountConfig.DevicePolicy = "closed";  # only allow /dev/{null,zero,full,random,urandom}
-      serviceConfig.RestartSec = "10s";
+      mount.mountConfig.DeviceAllow = "/dev/fuse";
-      serviceConfig.RestartMaxDelaySec = "120s";
+      # mount.mountConfig.RestrictNamespaces = true;
-      serviceConfig.RestartSteps = "5";
+    };
+
+    systemd.services."${systemdName}-reachable" = {
+      serviceConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
+      serviceConfig.ExecStart = lib.escapeShellArgs [
+        "curlftpfs"
+        "ftp://servo-hn:/${subdir}"
+        "/dev/null"
+        "-o"
+        (lib.concatStringsSep "," ([ "exit_after_connect" ] ++ config.fileSystems."${localPath}".options))
+      ];
+      serviceConfig.RemainAfterExit = true;
+      serviceConfig.Type = "oneshot";
+      unitConfig.BindsTo = [ "${systemdName}.mount" ];
+      # hardening (systemd-analyze security mnt-servo-playground-reachable.service)
+      serviceConfig.AmbientCapabilities = "";
+      serviceConfig.CapabilityBoundingSet = "";
+      serviceConfig.DynamicUser = true;
+      serviceConfig.LockPersonality = true;
+      serviceConfig.MemoryDenyWriteExecute = true;
+      serviceConfig.NoNewPrivileges = true;
+      serviceConfig.PrivateDevices = true;
+      serviceConfig.PrivateMounts = true;
+      serviceConfig.PrivateTmp = true;
+      serviceConfig.PrivateUsers = true;
+      serviceConfig.ProcSubset = "all";
+      serviceConfig.ProtectClock = true;
+      serviceConfig.ProtectControlGroups = true;
+      serviceConfig.ProtectHome = true;
+      serviceConfig.ProtectKernelModules = true;
+      serviceConfig.ProtectProc = "invisible";
+      serviceConfig.ProtectSystem = "strict";
+      serviceConfig.RemoveIPC = true;
+      serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+      # serviceConfig.RestrictFileSystems = "@common-block @basic-api";  #< NOPE
+      serviceConfig.RestrictRealtime = true;
+      serviceConfig.RestrictSUIDSGID = true;
+      serviceConfig.SystemCallArchitectures = "native";
+      serviceConfig.SystemCallFilter = [
+        "@system-service"
+        "@mount"
+        "~@chown"
+        "~@cpu-emulation"
+        "~@keyring"
+        # "~@privileged"  #< NOPE
+        "~@resources"
+        # could remove some more probably
+      ];
+      serviceConfig.IPAddressDeny = "any";
+      serviceConfig.IPAddressAllow = "10.0.10.5";
+      serviceConfig.DevicePolicy = "closed";
+      # exceptions
+      serviceConfig.ProtectHostname = false;
+      serviceConfig.ProtectKernelLogs = false;
+      serviceConfig.ProtectKernelTunables = false;
+    };
+
+    systemd.targets."${systemdName}-restart-timer" = {
+      # hack unit which, when started, stops the timer (if running), and then starts it again.
+      after = [ "${systemdName}.timer" ];
+      conflicts = [ "${systemdName}.timer" ];
+      upholds = [ "${systemdName}.timer" ];
+      unitConfig.StopWhenUnneeded = true;
+    };
+    systemd.timers."${systemdName}" = {
+      timerConfig.Unit = "${systemdName}.mount";
+      timerConfig.AccuracySec = "2s";
+      timerConfig.OnActiveSec = [
+        # try to remount at these timestamps, backing off gradually
+        # there seems to be an implicit mount attempt at t=0.
+        "10s"
+        "30s"
+        "60s"
+        "120s"
+      ];
+      # cap the backoff to a fixed interval.
+      timerConfig.OnUnitActiveSec = [ "120s" ];
     };
   };
 in
@@ -212,10 +353,11 @@ lib.mkMerge [
     programs.fuse.userAllowOther = true;  #< necessary for `allow_other` or `allow_root` options.
   }
 
-  (remoteHome "crappy")
+  (ifSshAuthorized (remoteHome "crappy"))
-  (remoteHome "desko")
+  (ifSshAuthorized (remoteHome "desko"))
-  (remoteHome "lappy")
+  (ifSshAuthorized (remoteHome "lappy"))
-  (remoteHome "moby")
+  (ifSshAuthorized (remoteHome "moby"))
+  (ifSshAuthorized (remoteHome "servo"))
   # this granularity of servo media mounts is necessary to support sandboxing:
   # for flaky mounts, we can only bind the mountpoint itself into the sandbox,
   # so it's either this or unconditionally bind all of media/.

hosts/common/home/fs.nix

@@ -1,31 +1,30 @@
 { config, lib, ... }:
 {
   sane.user.persist.byStore.plaintext = [
-    "archive"
+    # TODO: some of ~/dev should be private too, but maybe not all 800+ GB of it
+    # perhaps i ought to rethink how it's organized
     "dev"
-    # TODO: records should be private
-    "records"
     "ref"
-    "tmp"
     "use"
     "Books/local"
     "Music"
+
+    # this is persisted simply to save on RAM. mesa_shader_cache is < 10 MB.
+    # TODO: integrate with sane.programs.sandbox?
+    ".cache/mesa_shader_cache"
+  ];
+  sane.user.persist.byStore.private = [
+    "archive"
     "Pictures/albums"
     "Pictures/cat"
     "Pictures/from"
     "Pictures/Screenshots"  #< XXX: something is case-sensitive about this?
     "Pictures/Photos"
-    "Videos/local"
+    "records"
+    "tmp"
 
-    # these are persisted simply to save on RAM.
-    # ~/.cache/nix can become several GB.
-    # mesa_shader_cache is < 10 MB.
-    # TODO: integrate with sane.programs.sandbox?
-    ".cache/mesa_shader_cache"
-    ".cache/nix"
-  ];
-  sane.user.persist.byStore.private = [
     "knowledge"
+    "Videos/local"
   ];
 
   # convenience
@@ -34,7 +33,7 @@
   in {
     ".persist/private" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.private.origin; };
     ".persist/plaintext" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.plaintext.origin; };
-    ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.cryptClearOnBoot.origin; };
+    ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.ephemeral.origin; };
 
     "nixos".symlink.target = "dev/nixos";
 

hosts/common/ids.nix

@@ -45,8 +45,8 @@
   sane.ids.pict-rs.gid = 2409;
   sane.ids.sftpgo.uid = 2410;
   sane.ids.sftpgo.gid = 2410;
-  sane.ids.trust-dns.uid = 2411;
+  sane.ids.hickory-dns.uid = 2411;  #< previously "trust-dns"
-  sane.ids.trust-dns.gid = 2411;
+  sane.ids.hickory-dns.gid = 2411;  #< previously "trust-dns"
   sane.ids.export.gid = 2412;
   sane.ids.nfsuser.uid = 2413;
   sane.ids.media.gid = 2414;
@@ -63,6 +63,8 @@
   sane.ids.nix-serve.uid = 2420;
   sane.ids.nix-serve.gid = 2420;
   sane.ids.plugdev.gid = 2421;
+  sane.ids.ollama.uid = 2422;
+  sane.ids.ollama.gid = 2422;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net/default.nix

@@ -12,6 +12,7 @@
 
   systemd.network.enable = true;
   networking.useNetworkd = true;
+  networking.usePredictableInterfaceNames = false;  #< set false to get `eth0`, `wlan0`, etc instead of `enp3s0`/etc
 
   # view refused/dropped packets with: `sudo journalctl -k`
   # networking.firewall.logRefusedPackets = true;

hosts/common/net/dns.nix

@@ -23,16 +23,16 @@
 { config, lib, pkgs, ... }:
 lib.mkMerge [
 {
-  sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
+  sane.services.hickory-dns.enable = lib.mkDefault config.sane.services.hickory-dns.asSystemResolver;
-  sane.services.trust-dns.asSystemResolver = lib.mkDefault true;
+  sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
 }
-(lib.mkIf (!config.sane.services.trust-dns.asSystemResolver) {
+(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
   # use systemd's stub resolver.
   # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
   # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
   # in servo's ovnps namespace to use the provider's DNS resolvers.
   # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # TODO: improve trust-dns recursive resolver and then remove this
+  # TODO: improve hickory-dns recursive resolver and then remove this
   services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
   # without DNSSEC:
   # - dig matrix.org => works
@@ -40,7 +40,7 @@ lib.mkMerge [
   # with default DNSSEC:
   # - dig matrix.org => works
   # - curl https://matrix.org => fails
-  # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
+  # i don't know why. this might somehow be interfering with the DNS run on this device (hickory-dns)
   services.resolved.dnssec = "false";
   networking.nameservers = [
     # use systemd-resolved resolver
@@ -74,7 +74,7 @@ lib.mkMerge [
   sane.silencedAssertions = [''.*Loading NSS modules from system.nssModules.*requires services.nscd.enable being set to true.*''];
   # add NSS modules into their own subdirectory.
   # then i can add just the NSS modules library path to the global LD_LIBRARY_PATH, rather than ALL of /run/current-system/sw/lib.
-  # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have trust-dns delegate .local to avahi
+  # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have hickory-dns delegate .local to avahi
   #   (except avahi doesn't act as a local resolver over DNS protocol -- only dbus).
   environment.systemPackages = [(pkgs.symlinkJoin {
     name = "nss-modules";

hosts/common/net/modemmanager.nix

@@ -14,7 +14,6 @@
     # after = [ "polkit.service" ];
     # requires = [ "polkit.service" ];
     wantedBy = [ "network.target" ];  #< default is `multi-user.target`, somehow it doesn't auto-start with that...
-    path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`
 
     # serviceConfig.Type = "dbus";
     # serviceConfig.BusName = "org.freedesktop.ModemManager1";
@@ -38,7 +37,11 @@
     # serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
     # serviceConfig.NoNewPrivileges = true;
 
-    serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];  #< TODO: make sure this is *really* taking effect, and isn't supplemental to upstream's `CAP_SYS_ADMIN` setting
+    serviceConfig.CapabilityBoundingSet = [
+      ""  #< reset upstream capabilities
+      "CAP_NET_ADMIN"
+      "CAP_SYS_ADMIN"  #< TODO: remove CAP_SYS_ADMIN!
+    ];
     serviceConfig.LockPersonality = true;
     # serviceConfig.PrivateUsers = true;  #< untried, not likely to work since it needs capabilities
     serviceConfig.PrivateTmp = true;

hosts/common/net/networkmanager.nix

@@ -2,21 +2,28 @@
 let
   # networkmanager = pkgs.networkmanager;
   networkmanager = pkgs.networkmanager.overrideAttrs (upstream: {
-    src = pkgs.fetchFromGitea {
+    # src = pkgs.fetchFromGitea {
-      domain = "git.uninsane.org";
+    #   domain = "git.uninsane.org";
-      owner = "colin";
+    #   owner = "colin";
-      repo = "NetworkManager";
+    #   repo = "NetworkManager";
-      # patched to fix polkit permissions (with `nmcli`) when NetworkManager runs as user networkmanager
+    #   # patched to fix polkit permissions (with `nmcli`) when NetworkManager runs as user networkmanager
-      rev = "dev-sane-1.48.0";
+    #   rev = "dev-sane-1.48.0";
-      hash = "sha256-vGmOKtwVItxjYioZJlb1og3K6u9s4rcmDnjAPLBC3ao=";
+    #   hash = "sha256-vGmOKtwVItxjYioZJlb1og3K6u9s4rcmDnjAPLBC3ao=";
-    };
+    # };
-    # patches = [];
+    patches = (upstream.patches or []) ++ [
+      (pkgs.fetchpatch {
+        name = "polkit: add owner annotations to all actions";
+        url = "https://git.uninsane.org/colin/NetworkManager/commit/a01293861fa24201ffaeb84c07f1c71136c49759.patch";
+        hash = "sha256-th1/M2slo7rjkVBwETZII53Lmhyw8OMS0aT9QYI5Uvk=";
+      })
+    ];
   });
   # split the package into `daemon` and `nmcli` outputs, because the networkmanager *service*
   # doesn't need `nmcli`/`nmtui` tooling
   networkmanager-split = pkgs.networkmanager-split.override { inherit networkmanager; };
 in {
   networking.networkmanager.enable = true;
+  systemd.network.wait-online.enable = false;  # systemd-networkd-wait-online.service reliably fails on lappy. docs don't match behavior. shit software.
   # plugins mostly add support for establishing different VPN connections.
   # the default plugin set includes mostly proprietary VPNs:
   # - fortisslvpn (Fortinet)
@@ -59,6 +66,11 @@ in {
     serviceConfig.User = "networkmanager";
     serviceConfig.Group = "networkmanager";
     serviceConfig.AmbientCapabilities = [
+      "CAP_NET_ADMIN"
+      "CAP_NET_RAW"
+      "CAP_NET_BIND_SERVICE"
+    ];
+    serviceConfig.CapabilityBoundingSet = [
       # "CAP_DAC_OVERRIDE"
       "CAP_NET_ADMIN"
       "CAP_NET_RAW"  #< required, else `libndp: ndp_sock_open: Failed to create ICMP6 socket.`
@@ -69,6 +81,7 @@ in {
     ];
     serviceConfig.LockPersonality = true;
     serviceConfig.NoNewPrivileges = true;
+    serviceConfig.MemoryDenyWriteExecute = true;
     serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
     serviceConfig.PrivateIPC = true;
     serviceConfig.PrivateTmp = true;
@@ -80,7 +93,10 @@ in {
     serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
     serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
     serviceConfig.ProtectKernelTunables = true;  # but NM might need to write /proc/sys/net/...
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProcSubset = "pid";
     serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
+    serviceConfig.RemoveIPC = true;
     serviceConfig.RestrictAddressFamilies = [
       "AF_INET"
       "AF_INET6"
@@ -91,19 +107,25 @@ in {
       # AF_BLUETOOTH ?
       # AF_BRIDGE ?
     ];
+    serviceConfig.RestrictNamespaces = true;
     serviceConfig.RestrictSUIDSGID = true;
     serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+    serviceConfig.SystemCallFilter = [
+      "@system-service"
+      # TODO: restrict SystemCallFilter more aggressively
+    ];
+    # TODO: restrict `DeviceAllow`
     # from earlier `landlock` sandboxing, i know it needs these directories:
     # - "/proc/net"
     # - "/proc/sys/net"
     # - "/run/NetworkManager"
-    # - "/run/systemd"  # for trust-dns-nmhook
+    # - "/run/systemd"  # for hickory-dns-nmhook
     # - "/run/udev"
     # - # "/run/wg-home.priv"
     # - "/sys/class"
     # - "/sys/devices"
     # - "/var/lib/NetworkManager"
-    # - "/var/lib/trust-dns"  #< for trust-dns-nmhook
+    # - "/var/lib/hickory-dns"  #< for hickory-dns-nmhook
     # - "/run/systemd"
   };
 
@@ -115,7 +137,12 @@ in {
   # fix NetworkManager-dispatcher to actually run as a daemon,
   # and sandbox it a bit
   systemd.services.NetworkManager-dispatcher = {
-    after = [ "trust-dns-localhost.service" ];  #< so that /var/lib/trust-dns will exist
+    #VVV so that /var/lib/hickory-dns will exist (the hook needs to write here).
+    # but this creates a cycle: hickory-dns-localhost > network.target > NetworkManager-dispatcher > hickory-dns-localhost.
+    # (seemingly) impossible to remove the network.target dep on NetworkManager-dispatcher.
+    # beffore would be to have the dispatcher not write hickory-dns files
+    # but rather just its own, and create a .path unit which restarts hickory-dns appropriately.
+    # after = [ "hickory-dns-localhost.service" ];
     # serviceConfig.ExecStart = [
     #   ""  # first blank line is to clear the upstream `ExecStart` field.
     #   "${cfg.package}/libexec/nm-dispatcher --persist"  # --persist is needed for it to actually run as a daemon
@@ -123,7 +150,7 @@ in {
     # serviceConfig.Restart = "always";
     # serviceConfig.RestartSec = "1s";
 
-    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `trust-dns`'s files in the nm hook)
+    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `hickory-dns`'s files in the nm hook)
     serviceConfig.User = "networkmanager";  # TODO: should arguably use `DynamicUser`
     serviceConfig.Group = "networkmanager";
     serviceConfig.LockPersonality = true;
@@ -139,7 +166,7 @@ in {
     serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
     serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
     serviceConfig.ProtectKernelTunables = true;
-    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to trust-dns hook
+    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to hickory-dns hook
     serviceConfig.RestrictAddressFamilies = [
       "AF_UNIX"  # required, probably for dbus or systemd connectivity
     ];
@@ -199,9 +226,15 @@ in {
     logging.level = "INFO";
 
     # main.dhcp = "internal";  #< default
+    # main.dns controls what to do when NM gets a DNS server via DHCP
+    # - "none"  (populate /run/NetworkManager/resolv.conf with DHCP settings)
+    # - "internal" (?)
+    # - "systemd-resolved" (tell systemd-resolved about it, and point /run/NetworkManager/resolv.conf -> systemd)
+    #   without this, systemd-resolved won't be able to resolve anything (because it has no upstream servers)
+    # note that NM's resolv.conf isn't (necessarily) /etc/resolv.conf -- that is managed by nixos (via symlinking)
     main.dns = if config.services.resolved.enable then
       "systemd-resolved"
-    else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
+    else if config.sane.services.hickory-dns.enable && config.sane.services.hickory-dns.asSystemResolver then
       "none"
     else
       "internal"
@@ -243,7 +276,7 @@ in {
   users.users.networkmanager = {
     isSystemUser = true;
     group = "networkmanager";
-    extraGroups = [ "trust-dns" ];
+    extraGroups = [ "hickory-dns" ];
   };
 
   # there is, unfortunately, no proper interface by which to plumb wpa_supplicant into the NixOS service, except by overlay.

hosts/common/persist.nix

@@ -1,17 +0,0 @@
-{ ... }:
-
-{
-  # store /home/colin/a/b in /mnt/persist/private/a/b instead of /mnt/persist/private/home/colin/a/b
-  sane.persist.stores.private.prefix = "/home/colin";
-
-  sane.persist.sys.byStore.initrd = [
-    "/var/log"
-  ];
-  sane.persist.sys.byStore.plaintext = [
-    # TODO: these should be private.. somehow
-    "/var/backup"  # for e.g. postgres dumps
-  ];
-  sane.persist.sys.byStore.cryptClearOnBoot = [
-    "/var/lib/systemd/coredump"
-  ];
-}

hosts/common/polyunfill.nix

@@ -1,12 +1,11 @@
 # strictly *decrease* the scope of the default nixos installation/config
 
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
   suidlessPam = pkgs.pam.overrideAttrs (upstream: {
     # nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
     # but i don't want the wrapper, so undo that.
     # ideally i would patch this via an overlay, but pam is in the bootstrap so that forces a full rebuild.
-    # TODO: add a `package` option to the nixos' pam module and substitute it that way.
     postPatch = (if upstream.postPatch != null then upstream.postPatch else "") + ''
       substituteInPlace modules/pam_unix/Makefile.am --replace-fail \
         "/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"
@@ -39,8 +38,7 @@ in
     ]));
   };
   options.security.pam.services = lib.mkOption {
-    apply = services: let
+    apply = lib.filterAttrs (name: _: !(builtins.elem name [
-      filtered = lib.filterAttrs (name: _: !(builtins.elem name [
       # from <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
       "i3lock"
       "i3lock-color"
@@ -62,13 +60,7 @@ in
       "usermod"
       # from <repo:nixos/nixpkgs:nixos/modules/system/boot/systemd/user.nix>
       "systemd-user"  #< N.B.: this causes the `systemd --user` service manager to not be started!
-      ])) services;
+    ]));
-    in lib.mapAttrs (_serviceName: service: service // {
-      # replace references with the old pam_unix, which calls into /run/wrappers/bin/unix_chkpwd,
-      # with a pam_unix that calls into unix_chkpwd via the nix store.
-      # TODO: use `security.pam.package` instead once <https://github.com/NixOS/nixpkgs/pull/314791> lands.
-      text = lib.replaceStrings [" pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" ] service.text;
-    }) filtered;
   };
 
   options.environment.systemPackages = lib.mkOption {
@@ -111,7 +103,11 @@ in
         # pkgs.which
         # pkgs.zstd
       ];
-    in lib.filter (p: ! builtins.elem p requiredPackages);
+      conveniencePackages = [
+        config.boot.kernelPackages.cpupower  # <repo:nixos/nixpkgs:nixos/modules/tasks/cpu-freq.nix> places it on PATH for convenience if powerManagement.cpuFreqGovernor is set
+        pkgs.kbd  # <repo:nixos/nixpkgs:nixos/modules/config/console.nix>  places it on PATH as part of console/virtual TTYs, but probably not needed unless you want to set console fonts
+      ];
+    in lib.filter (p: ! builtins.elem p (requiredPackages ++ conveniencePackages));
   };
 
   options.system.fsPackages = lib.mkOption {
@@ -212,5 +208,16 @@ in
 
     # see: <repo:nixos/nixpkgs:nixos/modules/virtualisation/nixos-containers.nix>
     boot.enableContainers = lib.mkDefault false;
+
+    # see: <repo:nixos/nixpkgs:nixos/modules/tasks/lvm.nix>
+    # lvm places `pkgs.lvm2` onto PATH, which has like 100 binaries.
+    # it is, actually, needed for some userspace tools (cryptsetup). probably just the udev rules. try to reduce this set?
+    services.lvm.enable = lib.mkDefault false;
+    services.udev.packages = [ pkgs.lvm2.out ];  #< N.B. `lvm2.out` != `lvm2`
+    # systemd.packages = [ pkgs.lvm2 ];
+    # systemd.tmpfiles.packages = [ pkgs.lvm2.out ];
+    # environment.systemPackages = [ pkgs.lvm2 ];
+
+    security.pam.package = suidlessPam;
   };
 }

hosts/common/programs/assorted.nix

@@ -38,7 +38,9 @@ in
       "bridge-utils"  # for brctl; debug linux "bridge" inet devices
       "btrfs-progs"
       "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      "captree"
       "cryptsetup"
+      "curl"
       "ddrescue"
       "dig"
       "dtc"  # device tree [de]compiler
@@ -46,6 +48,7 @@ in
       "efibootmgr"
       "errno"
       "ethtool"
+      "evtest"
       "fatresize"
       "fd"
       "file"
@@ -68,7 +71,7 @@ in
       "killall"
       "less"
       "lftp"
-      # "libcap_ng"  # for `netcap`
+      "libcap_ng"  # for `netcap`, `pscap`, `captest`
       "lsof"
       "man-pages"
       "man-pages-posix"
@@ -79,6 +82,7 @@ in
       "neovim"
       "netcat"
       "nethogs"
+      "nix"
       "nmap"
       "nmcli"
       "nvme-cli"  # nvme
@@ -107,9 +111,6 @@ in
       # "zfs"  # doesn't cross-compile (requires samba)
     ];
     sysadminExtraUtils = declPackageSet [
-      "backblaze-b2"
-      "duplicity"
-      "sane-scripts.backup"
       "sqlite"  # to debug sqlite3 databases
     ];
 
@@ -125,6 +126,7 @@ in
       # "dmidecode"
       "dtrx"  # `unar` alternative, "Do The Right eXtraction"
       # "efivar"
+      "exiftool"
       "eza"  # a better 'ls'
       # "flashrom"
       "git"  # needed as a user package, for config.
@@ -155,8 +157,13 @@ in
       # "python3.pkgs.eyeD3"  # music tagging
       "ripgrep"  # needed as a user package so that its user-level config file can be installed
       "rsync"
+      # "rsyslog"  # KEEP THIS HERE if you want persistent logging (TODO: port to systemd, store in /var/log/...)
+      "sane-deadlines"
       "sane-scripts.bittorrent"
       "sane-scripts.cli"
+      "sane-secrets-unlock"
+      "sane-sysload"
+      "sc-im"
       # "snapper"
       "sops"  # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
       "speedtest-cli"
@@ -275,7 +282,6 @@ in
       # "emote"
       # "evince"  # PDF viewer
       # "flare-signal"  # gtk4 signal client
-      # "foliate"  # e-book reader
       "fractal"  # matrix client
       "g4music"  # local music player
       # "gnome.cheese"
@@ -306,14 +312,14 @@ in
       "mpv"
       "networkmanagerapplet"  # for nm-connection-editor: it's better than not having any gui!
       "ntfy-sh"  # notification service
-      # "newsflash"  # RSS viewer
+      "newsflash"  # RSS viewer
       "pavucontrol"
       "pwvucontrol"  # pipewire version of pavu
       # "picard"  # music tagging
       # "libsForQt5.plasmatube"  # Youtube player
       "signal-desktop"
       # "snapshot"  # camera app
-      "spot"  # Gnome Spotify client
+      # "spot"  # Gnome Spotify client
       # "sublime-music"
       # "tdesktop"  # broken on phosh
       # "tokodon"
@@ -321,6 +327,7 @@ in
       "vulkan-tools"  # vulkaninfo
       # "whalebird"  # pleroma client (Electron). input is broken on phosh.
       "xdg-terminal-exec"
+      "youtube-tui"
       "zathura"  # PDF/CBZ/ePUB viewer
     ];
 
@@ -329,9 +336,11 @@ in
       # "chatty"  # matrix/xmpp/irc client  (2023/12/29: disabled because broken cross build)
       # "cozy"  # audiobook player
       "epiphany"  # gnome's web browser
+      "foliate"  # e-book reader
       # "iotas"  # note taking app
       "komikku"
       "koreader"
+      "lgtrombetta-compass"
       "megapixels"  # camera app
       "notejot"  # note taking, e.g. shopping list
       "planify"  # todo-tracker/planner
@@ -377,13 +386,13 @@ in
       # "monero-gui"  # x86-only
       # "mumble"
       # "nheko"  # Matrix chat client
-      # "nicotine-plus"  # soulseek client. before re-enabling this make sure it's properly sandboxed!
+      "nicotine-plus"  # soulseek client
       # "obsidian"
       # "openscad"  # 3d modeling
       # "rhythmbox"  # local music player
       # "slic3r"
       "soundconverter"
-      "spotify"  # x86-only
+      # "spotify"  # x86-only
       "tor-browser"  # x86-only
       # "vlc"
       "wireshark"  # could maybe ship the cli as sysadmin pkg
@@ -400,12 +409,6 @@ in
 
     backblaze-b2 = {};
 
-    bitcoind.sandbox.method = "bwrap";
-    bitcoind.sandbox.extraHomePaths = [
-      ".config/bitcoin/bitcoin.conf"
-    ];
-    bitcoind.sandbox.net = "all";  # actually needs only localhost
-
     blanket.buildCost = 1;
     blanket.sandbox.method = "bwrap";
     blanket.sandbox.whitelistAudio = true;
@@ -428,17 +431,12 @@ in
     btrfs-progs.sandbox.method = "bwrap";  #< bwrap, landlock: both work
     btrfs-progs.sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`
 
-    "cacert.unbundled".sandbox.enable = false;
+    "cacert.unbundled".sandbox.enable = false;  #< data only
 
     cargo.persist.byStore.plaintext = [ ".cargo" ];
 
     clang = {};
 
-    clightning.sandbox.method = "bwrap";
-    clightning.sandbox.extraHomePaths = [
-      ".lightning/bitcoin/lightning-rpc"
-    ];
-
     clightning-sane.sandbox.method = "bwrap";
     clightning-sane.sandbox.extraPaths = [
       "/var/lib/clightning/bitcoin/lightning-rpc"
@@ -513,7 +511,7 @@ in
     electrum.sandbox.method = "bwrap";  # TODO:sandbox: untested
     electrum.sandbox.net = "all";  # TODO: probably want to make this run behind a VPN, always
     electrum.sandbox.whitelistWayland = true;
-    electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ];  #< TODO: use XDG dirs!
+    electrum.persist.byStore.ephemeral = [ ".electrum" ];  #< TODO: use XDG dirs!
 
     endless-sky.buildCost = 1;
     endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
@@ -530,9 +528,17 @@ in
     ethtool.sandbox.method = "landlock";
     ethtool.sandbox.capabilities = [ "net_admin" ];
 
+    evtest.sandbox.method = "bwrap";
+    evtest.sandbox.autodetectCliPaths = "existingFile";  # `evtest /dev/foo` to monitor events for a specific device
+    evtest.sandbox.extraPaths = [
+      "/dev/input"
+    ];
+
     # eza `ls` replacement
-    # eza.sandbox.method = "landlock";
+    # bwrap causes `/proc` files to be listed differently (e.g. `eza /proc/sys/net/ipv6/conf/`)
-    eza.sandbox.method = "bwrap";  #< note that bwrap causes `/proc` files to be listed differently (e.g. `eza /proc/sys/net/ipv6/conf/`)
+    # bwrap loses group info (so files owned by other users appear as owner "nobody")
+    eza.sandbox.method = "landlock";
+    # eza.sandbox.method = "bwrap";
     eza.sandbox.autodetectCliPaths = "existing";
     eza.sandbox.whitelistPwd = true;
     eza.sandbox.extraHomePaths = [
@@ -622,6 +628,8 @@ in
       "/tmp"  # "Cannot open display:" if it can't mount /tmp 👀
     ];
 
+    gitea = {};
+
     gnome-calculator.buildCost = 1;
     gnome-calculator.sandbox.method = "bwrap";
     gnome-calculator.sandbox.whitelistWayland = true;
@@ -677,7 +685,7 @@ in
       "Pictures/Screenshots"
       "Pictures/servo-macros"
     ];
-    gnome-frog.persist.byStore.cryptClearOnBoot = [
+    gnome-frog.persist.byStore.ephemeral = [
       ".local/share/tessdata"  # 15M; dunno what all it is.
     ];
 
@@ -759,7 +767,7 @@ in
     iotop.sandbox.capabilities = [ "net_admin" ];
 
     # provides `ip`, `routel`, `bridge`, others.
-    # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace
+    # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace (which requires sudo)
     # and that means we can't use ANY sandboxer for it.
     iproute2.sandbox.enable = false;
     # iproute2.sandbox.net = "all";
@@ -807,14 +815,23 @@ in
       "tmp"
     ];
 
+    landlock-sandboxer.sandbox.enable = false;  #< sandbox helper
+
     libcamera = {};
 
-    libcap.sandbox.enable = false;  #< for `capsh`, which i use as a sandboxer
+    libcap_ng.sandbox.enable = false;  # TODO: `pscap` can sandbox with bwrap, `captest` and `netcap` with landlock
-    libcap_ng.sandbox.enable = false;  # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
 
     libnotify.sandbox.method = "bwrap";
     libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
 
+    lightning-cli.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.clightning "lightning-cli";
+    lightning-cli.sandbox.method = "bwrap";
+    lightning-cli.sandbox.extraHomePaths = [
+      ".lightning/bitcoin/lightning-rpc"
+    ];
+    # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon
+    lightning-cli.fs.".lightning".symlink.target = "/var/lib/clightning";
+
     losslesscut-bin.buildCost = 1;
     losslesscut-bin.sandbox.method = "bwrap";
     losslesscut-bin.sandbox.extraHomePaths = [
@@ -835,8 +852,8 @@ in
 
     lua = {};
 
-    man-pages.sandbox.enable = false;
+    man-pages.sandbox.enable = false;  #< data only
-    man-pages-posix.sandbox.enable = false;
+    man-pages-posix.sandbox.enable = false;  #< data only
 
     mercurial.sandbox.method = "bwrap";  # TODO:sandbox: untested
     mercurial.sandbox.net = "clearnet";
@@ -891,7 +908,7 @@ in
     nixpkgs-review.sandbox.extraPaths = [
       "/nix"
     ];
-    nixpkgs-review.persist.byStore.cryptClearOnBoot = [
+    nixpkgs-review.persist.byStore.ephemeral = [
       ".cache/nixpkgs-review"  #< help it not exhaust / tmpfs
     ];
 
@@ -942,7 +959,7 @@ in
       "/sys/devices"
     ];
 
-    "perlPackages.FileMimeInfo".sandbox.enable = false;  #< TODO: sandbox `mimetype` but not `mimeopen`.
+    "perlPackages.FileMimeInfo" = {};
 
     powertop.sandbox.method = "landlock";
     powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
@@ -1005,9 +1022,17 @@ in
     sane-weather.sandbox.method = "bwrap";
     sane-weather.sandbox.net = "clearnet";
 
+    sc-im.sandbox.method = "bwrap";
+    sc-im.sandbox.autodetectCliPaths = "existingFile";
+
     screen.sandbox.enable = false;  #< tty; needs to run anything
 
-    sequoia.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    sequoia.packageUnwrapped = pkgs.sequoia.overrideAttrs (_: {
+      # XXX(2024-07-30): sq_autocrypt_import test failure: "Warning: 9B7DD433F254904A is expired."
+      doCheck = false;
+    });
+    sequoia.buildCost = 1;
+    sequoia.sandbox.method = "bwrap";
     sequoia.sandbox.whitelistPwd = true;
     sequoia.sandbox.autodetectCliPaths = "existingFileOrParent";  # supports `-o <file-to-create>`
 
@@ -1035,7 +1060,7 @@ in
     # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
     snapshot = {};
 
-    sops.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    sops.sandbox.method = "bwrap";
     sops.sandbox.extraHomePaths = [
       ".config/sops"
       "nixos"
@@ -1076,7 +1101,16 @@ in
 
     sqlite = {};
 
-    sshfs-fuse = {};  # used by fs.nix
+    sshfs-fuse.sandbox.method = "bwrap";  #< N.B. if you call this from the CLI -- without `mount.fuse` -- set this to `none`
+    sshfs-fuse.sandbox.net = "all";
+    sshfs-fuse.sandbox.autodetectCliPaths = "parent";
+    # sshfs-fuse.sandbox.extraPaths = [
+    #   "/dev/fd"  # fuse.mount3 -o drop_privileges passes us data over /dev/fd/3
+    #   "/mnt"  # XXX: not sure why i need all this, instead of just /mnt/desko, or /mnt/desko/home, etc
+    # ];
+    sshfs-fuse.sandbox.extraHomePaths = [
+      ".ssh/id_ed25519"  #< TODO: add -o foo,bar=path/to/thing style arguments to autodetection
+    ];
 
     strace.sandbox.enable = false;  #< needs to `exec` its args, and therefore support *anything*
 
@@ -1118,7 +1152,7 @@ in
     tumiki-fighters.sandbox.whitelistWayland = true;
     tumiki-fighters.sandbox.whitelistX = true;
 
-    util-linux.sandbox.enable = false;  #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
+    util-linux.sandbox.enable = false;  #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries
 
     unzip.sandbox.method = "bwrap";
     unzip.sandbox.autodetectCliPaths = "existingOrParent";
@@ -1164,10 +1198,12 @@ in
 
     # `wg`, `wg-quick`
     wireguard-tools.sandbox.method = "landlock";
+    wireguard-tools.sandbox.net = "all";
     wireguard-tools.sandbox.capabilities = [ "net_admin" ];
 
     # provides `iwconfig`, `iwlist`, `iwpriv`, ...
     wirelesstools.sandbox.method = "landlock";
+    wirelesstools.sandbox.net = "all";
     wirelesstools.sandbox.capabilities = [ "net_admin" ];
 
     wl-clipboard.sandbox.method = "bwrap";
@@ -1187,7 +1223,7 @@ in
 
     yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
 
-    yt-dlp.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    yt-dlp.sandbox.method = "bwrap";
     yt-dlp.sandbox.net = "all";
     yt-dlp.sandbox.whitelistPwd = true;  # saves to pwd by default
   };
@@ -1219,7 +1255,7 @@ in
         ''
           tryNotifyUser() {
             local user="$1"
-            local new_path="$PATH:${pkgs.sudo}/bin:${pkgs.libnotify}/bin"
+            local new_path="$PATH:/etc/profiles/per-user/$user/bin:${pkgs.sudo}/bin:${pkgs.libnotify}/bin"
             local version="$(cat $systemConfig/nixos-version)"
             PATH="$new_path" sudo -u "$user" \
               env PATH="$new_path" NIXOS_VERSION="$version" /bin/sh -c \
@@ -1227,7 +1263,7 @@ in
           }
         ''
       ] ++ lib.mapAttrsToList
-        (user: en: lib.optionalString en "tryNotifyUser ${user}")
+        (user: en: lib.optionalString en "tryNotifyUser ${user} > /dev/null")
         config.sane.programs.guiApps.enableFor.user
     );
   };

hosts/common/programs/ausyscall.nix

@@ -2,7 +2,7 @@
 { pkgs, ... }:
 {
   sane.programs.ausyscall = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.audit "bin/ausyscall";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.audit "ausyscall";
 
     sandbox.method = "landlock";
   };

hosts/common/programs/avahi.nix

@@ -10,14 +10,26 @@
 # - `LD_LIBRARY_PATH=/nix/store/ngwj3jqmxh8k4qji2z0lj7y1f8vzqrn2-nss-mdns-0.15.1/lib getent hosts desko.local`
 #   nss-mdns goes through avahi-daemon, so there IS caching here
 #
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
   sane.programs.avahi = {
+    packageUnwrapped = pkgs.avahi.overrideAttrs (upstream: {
+      # avahi wants to do its own sandboxing opaque to systemd & maybe in conflict with my bwrap.
+      # --no-drop-root disables that, so that i can e.g. run it as User=avahi, etc.
+      # do this here, because the service isn't so easily patched.
+      postInstall = (upstream.postInstall or "") + ''
+        wrapProgram "$out/sbin/avahi-daemon" \
+          --add-flags --no-drop-root
+      '';
+      nativeBuildInputs = upstream.nativeBuildInputs ++ [
+        pkgs.makeBinaryWrapper
+      ];
+    });
     sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "system" ];
     sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
     sandbox.extraPaths = [
-      "/"  #< else the daemon exits immediately. TODO: decrease this scope.
+      "/"  #< TODO: decrease this, but be weary that the daemon might exit immediately
     ];
   };
   services.avahi = lib.mkIf config.sane.programs.avahi.enabled {
@@ -32,6 +44,7 @@
       # particularly, the default config disallows loopback, which is kinda fucking retarded, right?
       "ens1"  #< servo
       "enp5s0"  #< desko
+      "eth0"
       "lo"
       "wg-home"
       "wlan0"  #< moby
@@ -39,4 +52,40 @@
       "wlp4s0"  #< desko
     ];
   };
+
+  systemd.services.avahi-daemon = lib.mkIf config.sane.programs.avahi.enabled {
+    # hardening: see `systemd-analyze security avahi-daemon`
+    serviceConfig.User = "avahi";
+    serviceConfig.Group = "avahi";
+    serviceConfig.AmbientCapabilities = "";
+    serviceConfig.CapabilityBoundingSet = "";
+    serviceConfig.LockPersonality = true;
+    serviceConfig.MemoryDenyWriteExecute = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.PrivateDevices = true;
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "all";
+    serviceConfig.ProtectClock = true;
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "noaccess";
+    serviceConfig.ProtectSystem = "strict";
+    serviceConfig.RemoveIPC = true;  #< this *might* slow down the initial connection?
+    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+    serviceConfig.RestrictRealtime = true;
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = [
+      "@system-service"
+      "@mount"
+      "~@resources"
+      # "~@privileged"
+    ];
+  };
 }

hosts/common/programs/bitcoin-cli.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sane.programs.bitcoin-cli = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.bitcoind "bitcoin-cli";
+    sandbox.method = "bwrap";
+    sandbox.autodetectCliPaths = "existing";  #< for `bitcoin-cli -datadir=/var/lib/...`
+    sandbox.extraHomePaths = [
+      ".bitcoin/bitcoin.conf"
+    ];
+    sandbox.net = "all";  # actually needs only localhost
+    secrets.".bitcoin/bitcoin.conf" = ../../../secrets/servo/bitcoin.conf.bin;
+  };
+}

hosts/common/programs/brave.nix

@@ -21,7 +21,7 @@
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
 
-    persist.byStore.cryptClearOnBoot = [
+    persist.byStore.ephemeral = [
       ".cache/BraveSoftware"
       ".config/BraveSoftware"
     ];

hosts/common/programs/calls.nix

@@ -8,6 +8,10 @@
 # - the bot will reply with auto-generated username/password plus a SIP server endpoint.
 #   just copy those into gnome-calls' GUI configurator
 # - now gnome-calls can do outbound calls. inbound calls can be routed by messaging the bot: "configure calls"
+#
+# user guide:
+# - "Use for Calls" means, "when i click a tel: URI, use this account": <https://gitlab.gnome.org/GNOME/calls/-/issues/513>
+# - `calls -vvv` for verbosity
 { config, lib, pkgs, ... }:
 let
   cfg = config.sane.programs.calls;
@@ -24,7 +28,23 @@ in
       };
     };
 
-    packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.calls.overrideAttrs (upstream: {
+    packageUnwrapped = pkgs.rmDbusServicesInPlace ((pkgs.calls.override {
+      gtk3 = pkgs.gtk4;
+      libpeas = pkgs.libpeas2;
+      wrapGAppsHook3 = pkgs.wrapGAppsHook4;
+    }).overrideAttrs (upstream: {
+      # XXX(2024-08-08): v46.3 has a bug where if it has no network connection on launch, it forever stays disconnected & never retries
+      version = "47_beta.0-unstable-2024-08-08";
+      src = lib.warnIf (lib.versionOlder "47.0" upstream.version) "gnome-calls outdated; remove src override? (keep UI patches though!)" pkgs.fetchFromGitLab {
+        domain = "gitlab.gnome.org";
+        owner = "GNOME";
+        repo = "calls";
+        fetchSubmodules = true;
+        # rev = "main";
+        rev = "ff213579a52222e7c95e585843d97b5b817b2a8b";
+        hash = "sha256-0QYC8FJpfg/X2lIjBDooba2idUfpJNQhcpv8Z5I/B4k=";
+      };
+
       patches = (upstream.patches or []) ++ [
         (pkgs.fetchpatch {
           # usability improvement... if the UI is visible, then i can receive calls. otherwise, i can't!
@@ -33,6 +53,14 @@ in
           hash = "sha256-NoVQV2TlkCcsBt0uwSyK82hBKySUW4pADrJVfLFvWgU=";
         })
       ];
+
+      nativeBuildInputs = upstream.nativeBuildInputs ++ [
+        pkgs.dbus  #< for dbus-run-session (should be test only, but it's not)
+      ];
+
+      buildInputs = upstream.buildInputs ++ [
+        pkgs.libadwaita
+      ];
     }));
 
     sandbox.method = "bwrap";
@@ -55,6 +83,10 @@ in
       "gnome-keyring"  # to remember the password
     ];
 
+    mime.associations."x-scheme-handler/tel" = "org.gnome.Calls.desktop";
+    mime.associations."x-scheme-handler/sip" = "org.gnome.Calls.desktop";
+    mime.associations."x-scheme-handler/sips" = "org.gnome.Calls.desktop";
+
     services.gnome-calls = {
       description = "gnome-calls daemon to monitor incoming SIP calls";
       partOf = lib.mkIf cfg.config.autostart [ "graphical-session" ];

hosts/common/programs/capsh.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  sane.programs.capsh = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "capsh";
+    sandbox.enable = false;  #< i use `capsh` as a sandboxer.
+  };
+}

hosts/common/programs/captree.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  sane.programs.captree = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
+    sandbox.method = "bwrap";
+    sandbox.isolatePids = false;
+  };
+}

hosts/common/programs/curl.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  sane.programs.curl = {
+    sandbox.method = "bwrap";
+    sandbox.net = "all";
+    sandbox.autodetectCliPaths = "parent";  #< for `-o` option
+  };
+}

hosts/common/programs/curlftpfs.nix

@@ -1,35 +1,8 @@
 { pkgs, ... }:
 {
   sane.programs.curlftpfs = {
-    packageUnwrapped = pkgs.curlftpfs.overrideAttrs (upstream: {
+    packageUnwrapped = pkgs.curlftpfs-sane;
-      # my fork includes:
+    sandbox.method = "bwrap";
-      # - per-operation timeouts (CURLOPT_TIMEOUT; would use CURLOPT_LOW_SPEED_TIME/CURLOPT_LOW_SPEED_LIMIT but they don't apply)
+    sandbox.net = "all";
-      #   - exit on timeout (so that one knows to abort the mount, instead of waiting indefinitely)
-      # - support for "meta" keys found in /etc/fstab
-      src = pkgs.fetchFromGitea {
-        domain = "git.uninsane.org";
-        owner = "colin";
-        repo = "curlftpfs";
-        rev = "0890d32e709b5a01153f00d29ed4c00299744f5d";
-        hash = "sha256-M28PzHqEAkezQdtPeL16z56prwl3BfMZqry0dlpXJls=";
-      };
-      # `mount` clears PATH before calling the mount helper (see util-linux/lib/env.c),
-      # so the traditional /etc/fstab approach of fstype=fuse and device = curlftpfs#URI doesn't work.
-      # instead, install a `mount.curlftpfs` mount helper. this is what programs like `gocryptfs` do.
-      postInstall = (upstream.postInstall or "") + ''
-        ln -s curlftpfs $out/bin/mount.fuse.curlftpfs
-        ln -s curlftpfs $out/bin/mount.curlftpfs
-      '';
-    });
-
-    # TODO: try to sandbox this better? maybe i can have fuse (unsandboxed) invoke curlftpfs (sandboxed)?
-    # - landlock gives EPERM
-    # - bwrap just silently doesn't mount it, maybe because of setuid stuff around fuse?
-    # sandbox.method = "capshonly";
-    # sandbox.net = "all";
-    # sandbox.capabilities = [
-    #   "sys_admin"
-    #   "sys_module"
-    # ];
   };
 }

hosts/common/programs/default.nix

@@ -12,6 +12,7 @@
     ./ausyscall.nix
     ./avahi.nix
     ./bemenu.nix
+    ./bitcoin-cli.nix
     ./blast-ugjka
     ./bonsai.nix
     ./brave.nix
@@ -20,12 +21,15 @@
     ./callaudiod.nix
     ./calls.nix
     ./cantata.nix
+    ./capsh.nix
+    ./captree.nix
     ./catt.nix
     ./celeste64.nix
     ./chatty.nix
     ./conky
     ./cozy.nix
     ./cups.nix
+    ./curl.nix
     ./curlftpfs.nix
     ./dbus.nix
     ./dconf.nix
@@ -40,10 +44,13 @@
     ./epiphany.nix
     ./errno.nix
     ./evince.nix
+    ./exiftool.nix
     ./fcitx5.nix
     ./feedbackd.nix
     ./firefox.nix
+    ./firefox-xdg-open.nix
     ./flare-signal.nix
+    ./foliate.nix
     ./fontconfig.nix
     ./fractal.nix
     ./free.nix
@@ -63,6 +70,7 @@
     ./gnome-maps.nix
     ./gnome-weather.nix
     ./go2tv.nix
+    ./gocryptfs.nix
     ./gpodder.nix
     ./gpsd.nix
     ./gps-share.nix
@@ -82,6 +90,7 @@
     ./koreader
     ./less.nix
     ./lftp.nix
+    ./lgtrombetta-compass.nix
     ./libreoffice.nix
     ./lemoa.nix
     ./loupe.nix
@@ -89,6 +98,7 @@
     ./megapixels.nix
     ./mepo.nix
     ./mimeo
+    ./mimetype.nix
     ./mmcli.nix
     ./mopidy.nix
     ./mpv
@@ -100,6 +110,7 @@
     ./nheko.nix
     ./nicotine-plus.nix
     ./nix-index.nix
+    ./nix.nix
     ./nmcli.nix
     ./notejot.nix
     ./ntfy-sh.nix
@@ -111,7 +122,7 @@
     ./open-in-mpv.nix
     ./pactl.nix
     ./pidof.nix
-    ./pipewire.nix
+    ./pipewire
     ./pkill.nix
     ./planify.nix
     ./portfolio-filemanager.nix
@@ -121,12 +132,16 @@
     ./rhythmbox.nix
     ./ripgrep.nix
     ./rofi
+    ./rsyslog
     ./rtkit.nix
     ./s6-rc.nix
+    ./sane-deadlines.nix
     ./sane-input-handler
     ./sane-open.nix
+    ./sane-private-unlock-remote.nix
     ./sane-screenshot.nix
     ./sane-scripts.nix
+    ./sane-secrets-unlock.nix
     ./sane-sysload.nix
     ./sane-theme.nix
     ./sanebox.nix
@@ -169,10 +184,12 @@
     ./wvkbd.nix
     ./xarchiver.nix
     ./xdg-desktop-portal.nix
+    ./xdg-desktop-portal-gnome
     ./xdg-desktop-portal-gtk.nix
     ./xdg-desktop-portal-wlr.nix
     ./xdg-terminal-exec.nix
     ./xdg-utils.nix
+    ./youtube-tui.nix
     ./zathura.nix
     ./zeal.nix
     ./zecwallet-lite.nix

hosts/common/programs/eg25-control.nix

@@ -32,6 +32,7 @@ in
       startCommand = "eg25-control --enable-gps --dump-debug-info --verbose";
       cleanupCommand = "eg25-control --disable-gps --dump-debug-info --verbose";
       depends = [ "eg25-control-powered" ];
+      partOf = [ "gps" ];
     };
 
     persist.byStore.plaintext = [ ".cache/eg25-control" ];  #< for cached agps data

hosts/common/programs/element-desktop.nix

@@ -45,6 +45,9 @@
       "Videos/servo"
       "tmp"
     ];
+    sandbox.extraPaths = [
+      "/dev/snd"  #< needed only when playing embedded audio (not embedded video!)
+    ];
 
     # creds/session keys, etc
     persist.byStore.private = [ ".config/Element" ];

hosts/common/programs/errno.nix

@@ -1,19 +1,15 @@
 { pkgs, ... }:
 {
   sane.programs.errno = {
-    # packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.moreutils "bin/errno";
+    # packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.moreutils "errno";
     # actually, don't build all of moreutils because not all of it builds for cross targets.
-    # some of this can be simplified after <https://github.com/NixOS/nixpkgs/pull/316446>
     packageUnwrapped = pkgs.moreutils.overrideAttrs (base: {
       makeFlags = (base.makeFlags or []) ++ [
         "BINS=errno"
         "MANS=errno.1"
         "PERLSCRIPTS=errno"  #< Makefile errors if empty, but this works :)
-        "INSTALL_BIN=install"
       ];
-      #v disable the perl-specific stuff
+      buildInputs = [];  #< errno has no runtime perl deps, and they don't cross compile, so disable them.
-      propagatedBuildInputs = [];
-      postInstall = "";
     });
 
     sandbox.method = "landlock";

hosts/common/programs/exiftool.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  sane.programs.exiftool = {
+    sandbox.method = "bwrap";
+    sandbox.autodetectCliPaths = "existingFile";
+  };
+}

hosts/common/programs/firefox-xdg-open.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sane.programs.firefox-xdg-open = {
+    packageUnwrapped = pkgs.firefox-extensions.firefox-xdg-open.systemComponent;
+
+    sandbox.method = "bwrap";
+    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+
+    mime.associations."x-scheme-handler/xdg-open" = "xdg-open.desktop";
+
+    suggestedPrograms = [ "xdg-utils" ];
+  };
+}

hosts/common/programs/firefox.nix

@@ -105,6 +105,33 @@ let
     };
     # extraPrefs = ...
   }).overrideAttrs (base: {
+    nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
+      pkgs.copyDesktopItems
+    ];
+    desktopItems = (base.desktopItems or []) ++ [
+      (pkgs.makeDesktopItem {
+        name = "${cfg.browser.libName}-in-vpn";
+        desktopName = "${cfg.browser.libName} (VPN)";
+        genericName = "Web Browser";
+        # N.B.: --new-instance ensures we don't reuse an existing differenty-namespaced instance.
+        # OTOH, it may error about "only one instance can run at a time": close the other instance if you see that.
+        exec = "${lib.getExe pkgs.sane-scripts.vpn} do default -- ${cfg.browser.libName} --new-instance";
+        icon = cfg.browser.libName;
+        categories = [ "Network" "WebBrowser" ];
+        type = "Application";
+      })
+      (pkgs.makeDesktopItem {
+        name = "${cfg.browser.libName}-stub-dns";
+        desktopName = "${cfg.browser.libName} (stub DNS)";
+        genericName = "Web Browser";
+        # N.B.: --new-instance ensures we don't reuse an existing differently-namespaced instance.
+        # OTOH, it may error about "only one instance can run at a time": close the other instance if you see that.
+        exec = "${lib.getExe pkgs.sane-scripts.vpn} do none -- ${cfg.browser.libName} --new-instance";
+        icon = cfg.browser.libName;
+        categories = [ "Network" "WebBrowser" ];
+        type = "Application";
+      })
+    ];
     # de-associate `ctrl+shift+c` from activating the devtools.
     # based on <https://stackoverflow.com/a/54260938>
     # TODO: could use `zip -f` to only update the one changed file, instead of rezipping everything.
@@ -130,7 +157,8 @@ let
       echo "omni.ja AFTER:"
       ls -l $out/lib/${cfg.browser.libName}/browser/omni.ja
 
-      # runHook postFixup to allow sane.programs sandbox wrappers to wrap the binaries
+      runHook postBuild
+      runHook postInstall
       runHook postFixup
     '';
   });
@@ -160,7 +188,7 @@ let
       persistCache = mkOption {
         description = "optional store name to which persist browser cache";
         type = types.nullOr types.str;
-        default = "cryptClearOnBoot";
+        default = "ephemeral";
       };
       addons = mkOption {
         type = types.attrsOf addonOpts;
@@ -203,6 +231,11 @@ in
           package = pkgs.firefox-extensions.ether-metamask;
           enable = lib.mkDefault false;  # until i can disable the first-run notification
         };
+        firefox-xdg-open = {
+          # test: `xdg-open xdg-open:https://uninsane.org`
+          package = pkgs.firefox-extensions.firefox-xdg-open;
+          enable = lib.mkDefault true;
+        };
         i2p-in-private-browsing = {
           package = pkgs.firefox-extensions.i2p-in-private-browsing;
           enable = lib.mkDefault config.services.i2p.enable;
@@ -214,7 +247,7 @@ in
         open-in-mpv = {
           # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
           package = pkgs.firefox-extensions.open-in-mpv;
-          enable = lib.mkDefault config.sane.programs.open-in-mpv.enabled;
+          enable = lib.mkDefault false;
         };
         sidebery = {
           package = pkgs.firefox-extensions.sidebery;
@@ -263,13 +296,15 @@ in
           # TODO: find a way to not expose ~/.ssh to firefox
           # - unlock sops at login (or before firefox launch)?
           # - see if ssh has a more formal type of subkey system?
-          ".ssh/id_ed25519"
+          # ".ssh/id_ed25519"
           # ".config/sops"
           "knowledge/secrets/accounts"
         ];
         fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {};  #< needs to be created, not *just* added to the sandbox
 
-        suggestedPrograms = [
+        suggestedPrograms = lib.optionals cfg.addons.firefox-xdg-open.enable [
+          "firefox-xdg-open"
+        ] ++ lib.optionals cfg.addons.open-in-mpv.enable [
           "open-in-mpv"
         ];
 
@@ -341,13 +376,11 @@ in
           // configure which extensions are visible by default (TODO: requires a lot of trial and error)
           // defaultPref("browser.uiCustomization.state", ...);
 
-          // auto-open mpv:// URIs without prompting.
+          // auto-open specific URI schemes without prompting:
-          // can do this with other protocols too (e.g. matrix?). see about:config for common handlers.
+          defaultPref("network.protocol-handler.external.xdg-open", true); // for firefox-xdg-open extension
-          defaultPref("network.protocol-handler.external.mpv", true);
+          defaultPref("network.protocol-handler.external.mpv", true); // for open-in-mpv extension
-          // element:// for Element matrix client
+          defaultPref("network.protocol-handler.external.element", true); // for Element matrix client
-          defaultPref("network.protocol-handler.external.element", true);
+          defaultPref("network.protocol-handler.external.matrix", true); // for Nheko matrix client
-          // matrix: for Nheko matrix client
-          defaultPref("network.protocol-handler.external.matrix", true);
         '';
         # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
         # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
@@ -372,14 +405,14 @@ in
           if (cfg.persistData != null) then
             cfg.persistData
           else
-            "cryptClearOnBoot"
+            "ephemeral"
         ;
 
         persist.byPath."${cfg.browser.dotDir}/default".store =
           if (cfg.persistData != null) then
             cfg.persistData
           else
-            "cryptClearOnBoot"
+            "ephemeral"
         ;
       };
 

hosts/common/programs/flare-signal.nix

@@ -1,12 +1,16 @@
 # Flare is a 3rd-party GTK4 Signal app.
 # UI is effectively a clone of Fractal.
 #
-### compatibility:
+### compatibility (2023-10-30):
 # - desko: works fine. pairs, and exchanges contact list (but not message history) with the paired device. exchanges future messages fine.
 # - moby (cross compiled flare-signal-nixified): nope. it pairs, but can only *receive* messages and never *send* them.
 #   - even `rsync`ing the data and keyrings from desko -> moby, still fails in that same manner.
 #   - console shows error messages. quite possibly an endianness mismatch somewhere
 # - moby (partially-emulated flare-signal): works! pairs and can send/receive messages, same as desko.
+### compatibility (2024-08-07):
+# - linking flare to iOS signal "works", but neither side can exchange messages nor contacts
+#   in iOS i see "A message from Colin could not be delivered"
+# - registering as primary device does not work ("you are not authorized", or some such)
 #
 ### debugging:
 # - `RUST_LOG=flare=trace flare`
@@ -18,7 +22,7 @@
 #   ERROR presage::manager] Error opening envelope: ProtobufDecodeError(DecodeError { description: "invalid tag value: 0", stack: [("Content", "data_message")] }), message will be skipped!
 #   ERROR presage::manager] Error opening envelope: ProtobufDecodeError(DecodeError { description: "invalid tag value: 0", stack: [("Content", "data_message")] }), message will be skipped!
 #   ```
-# - this occurs on moby, desko, `flare-signal` and `flare-signal-nixified`
+# - this occurs on moby, desko, `flare-signal` and `flare-signal-nixified` (2023-12-14)
 # - the Websocket error seems to be unrelated, occurs during normal/good operation
 # - related issues: <https://github.com/whisperfish/presage/issues/152>
 #
@@ -28,7 +32,7 @@
 #       No current session
 #   ERROR presage::manager] Error opening envelope: SignalProtocolError(InvalidKyberPreKeyId), message will be skipped!
 #   ```
-# - but signal iOS will still read it.
+# - but signal iOS will still read it (2023-12-14).
 #
 #### HTTP 405 when linking flare to iOS signal:
 # [DEBUG libsignal_service_hyper::push_service] HTTP request PUT https://chat.signal.org/v1/devices/{uuid}.{timestamp?}:{b64-string}
@@ -43,7 +47,7 @@
 #             ),
 #         ),
 #     )
-# flare matrix suggests the signal endpoint has changed:
+# flare matrix suggests the signal endpoint has changed (2023-12-14):
 # - "/v1/device/link instead of confirming via /v1/devices/{I'd}"
 # - this endpoint is declared in libsignal-service-rs (used both by flare and presage)
 #   - libsignal-service/src/provisioning/manager.rs
@@ -73,5 +77,13 @@
       # and it persists some dconf settings (e.g. device name). reset with:
       # - `dconf reset -f /de/schmidhuberj/Flare/`.
     ];
+    #VVV flare complains if its data directory is a symlink, so put it in a subdirectory behind my persistence symlink.
+    env.FLARE_DATA_PATH = "$HOME/.local/share/flare/data";
+    # sandbox.method = "bwrap";
+    # sandbox.net = "clearnet";
+    # sandbox.whitelistWayland = true;
+    # sandbox.whitelistDbus = [
+    #   "user"  # so i can click on links, at least
+    # ];
   };
 }

hosts/common/programs/foliate.nix

@@ -0,0 +1,42 @@
+# foliate: <https://johnfactotum.github.io/foliate/>
+{ ... }:
+{
+  sane.programs.foliate = {
+    sandbox.method = "bwrap";
+    sandbox.net = "clearnet";  #< for dictionary, wikipedia, online book libraries
+    sandbox.whitelistDbus = [ "user" ];  #< when clicking on links
+    sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Books/local"
+      "Books/servo"
+      "tmp"  #< for downloaded files
+    ];
+    sandbox.extraPaths = [
+      # foliate sandboxes itself with bwrap, which needs these.
+      #   but it actually only cares that /sys/{block,bus,class/block} *exist*: it doesn't care if there's anything in them.
+      #   so bind empty (sub)directories
+      # and it looks like i might need to keep IPC namespace if i want TTS.
+      "/sys/block/loop7"
+      "/sys/bus/container/devices"
+      "/sys/class/block/loop7"
+    ];
+    sandbox.autodetectCliPaths = "existing";
+
+    persist.byStore.plaintext = [
+      ".local/share/com.github.johnfactotum.Foliate"  #< books added, reading position
+      ".cache/com.github.johnfactotum.Foliate"  #< webkit cache
+    ];
+
+    buildCost = 2;  #< webkitgtk 6.0
+    # these associations were taken from its .desktop file
+    mime.associations."application/epub+zip" = "com.github.johnfactotum.Foliate.desktop";
+    mime.associations."application/x-mobipocket-ebook" = "com.github.johnfactotum.Foliate.desktop";
+    mime.associations."application/vnd.amazon.mobi8-ebook" = "com.github.johnfactotum.Foliate.desktop";
+    mime.associations."application/x-fictionbook+xml" = "com.github.johnfactotum.Foliate.desktop";
+    mime.associations."application/x-zip-compressed-fb2" = "com.github.johnfactotum.Foliate.desktop";
+    mime.associations."application/vnd.comicbook+zip" = "com.github.johnfactotum.Foliate.desktop";  # .cbz
+    mime.associations."x-scheme-handler/opds" = "com.github.johnfactotum.Foliate.desktop";
+    mime.priority = 120;  #< default is 100; fallback to more specialized cbz handlers, e.g., but keep specializations for epub
+  };
+}

hosts/common/programs/fractal.nix

@@ -65,6 +65,9 @@ in
 
     suggestedPrograms = [ "gnome-keyring" ];
 
+    # direct room links opened from other programs, to fractal.
+    mime.urlAssociations."^https?://matrix.to/#/.+$" = "org.gnome.Fractal.desktop";
+
     services.fractal = {
       description = "fractal Matrix client";
       partOf = lib.mkIf cfg.config.autostart [ "graphical-session" ];

hosts/common/programs/free.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
   sane.programs.free = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.procps "bin/free";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "free";
     sandbox.method = "bwrap";
     sandbox.isolatePids = false;
   };

hosts/common/programs/gdbus.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
   sane.programs.gdbus = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.glib "gdbus";
 
     sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access

hosts/common/programs/geary.nix

@@ -23,6 +23,13 @@ in
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      # it shouldn't need these, but portal integration seems incomplete?
+      "tmp"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+    ];
     sandbox.extraPaths = [
       # geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
       # TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.

hosts/common/programs/gnome-keyring/default.nix

@@ -10,7 +10,7 @@
     ];
     sandbox.capabilities = [
       # ipc_lock: used to `mlock` the secrets so they don't get swapped out.
-      # this is optional, and systemd likely doesn't propagate it anyway
+      # this is optional, and user namespacing (bwrap) likely doesn't propagate it anyway
       "ipc_lock"
     ];
 

hosts/common/programs/gnome-maps.nix

@@ -10,6 +10,12 @@
 # TIPS:
 # - use "Northwest" instead of "NW", and "Street" instead of "St", etc.
 #   otherwise, it might not find your destination!
+#
+# TODO:
+# - get gnome-maps to access location services via the xdg-desktop-portal.
+#   with it not using the portal, it can't open links via the web browser.
+#   additionally, that prevents OpenStreetMap sign-in.
+#   even temporarily enabling the portal for OSM doesn't work *after* the portal has been disabled -- because then gnome-maps can't access its passwords (?)
 { pkgs, ... }:
 {
   sane.programs."gnome.gnome-maps" = {

hosts/common/programs/gocryptfs.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  sane.programs.gocryptfs = {
+    sandbox.method = "landlock";
+    sandbox.autodetectCliPaths = "existing";
+    sandbox.capabilities = [
+      # CAP_SYS_ADMIN is only required if directly invoking gocryptfs
+      # i.e. not leverage a mount helper like `mount.fuse3-sane`.
+      "sys_admin"
+      "chown"
+      "dac_override"
+      "dac_read_search"
+      "fowner"
+      "lease"
+      "mknod"
+      "setgid"
+      "setuid"
+    ];
+    suggestedPrograms = [
+      "util-linux"  #< gocryptfs complains that it can't exec `logger`, otherwise
+    ];
+  };
+}

hosts/common/programs/gps-share.nix

@@ -25,6 +25,12 @@ in
       "jq"
       # and systemd, for udevadm
     ];
+
+    sandbox.method = "bwrap";
+    sandbox.net = "all";
+    sandbox.autodetectCliPaths = "existing";  #< N.B.: `test -f /dev/ttyUSB1` fails, we can't use `existingFile`
+    sandbox.whitelistDbus = [ "system" ];  #< to register with Avahi
+
     services.gps-share = {
       description = "gps-share: make local GPS serial readings available over Avahi";
       # usage:
@@ -41,14 +47,11 @@ in
         echo "using $dev for GPS NMEA"
         gps-share "$dev"
       '';
-      # TODO: this should be `partOf = [ "gps" ]`:
+      # N.B.: it fails to launch if the NMEA device doesn't yet exist, so don't launch by default; only launch as part of GPS
-      #   it fails to launch if the NMEA device doesn't yet exist, and so restart loop when modem is not booted
+      # dependencyOf = [ "geoclue-agent" ];
-      dependencyOf = [ "geoclue-agent" ];
+      partOf = [ "gps" ];
+      depends = [ "eg25-control-powered" ];
     };
-
-    sandbox.method = "bwrap";
-    sandbox.net = "all";
-    sandbox.autodetectCliPaths = "existingFile";
   };
 
   # TODO: restrict this to just LAN devices!!

hosts/common/programs/gst-device-monitor.nix

@@ -5,10 +5,9 @@
 { pkgs, ... }:
 {
   sane.programs.gst-device-monitor = {
-    packageUnwrapped = (pkgs.linkIntoOwnPackage pkgs.gst_all_1.gst-plugins-base [
+    packageUnwrapped = (
-      "bin/gst-device-monitor-1.0"
+      pkgs.linkBinIntoOwnPackage pkgs.gst_all_1.gst-plugins-base "gst-device-monitor-1.0"
-      "share/man/man1/gst-device-monitor-1.0.1.gz"
+    ).overrideAttrs (base: {
-    ]).overrideAttrs (base: {
       # XXX the binaries need `GST_PLUGIN_SYSTEM_PATH_1_0` set to function,
       # but nixpkgs doesn't set those (TODO: upstream this!)
       nativeBuildInputs = (base.nativeBuildInputs or []) ++ [

hosts/common/programs/kdenlive.nix

@@ -1,13 +1,6 @@
 { pkgs, ... }:
 {
   sane.programs.kdenlive = {
-    packageUnwrapped = pkgs.kdenlive.override {
-      ffmpeg-full = pkgs.ffmpeg-full.override {
-        # avoid expensive samba build for a feature i don't use
-        withSamba = false;
-      };
-    };
-
     buildCost = 1;
 
     sandbox.method = "bwrap";

hosts/common/programs/komikku.nix

@@ -3,10 +3,10 @@
   sane.programs.komikku = {
     packageUnwrapped = pkgs.komikku.overrideAttrs (upstream: {
       preFixup = ''
-        # 2024/02/21: render bug which affects only moby:
+        # 2024/07/25: Komikku uses XDG_SESSION_TYPE in the webkitgtk useragent, and errors if it's empty.
-        #             large images render blank in several gtk applications.
+        #             XDG_SESSION_DESKTOP is used similarly in debug_info.py.
-        #             may resolve itself as gtk or mesa are updated.
+        #             TODO: patch/upstream Komikku
-        gappsWrapperArgs+=(--set GSK_RENDERER cairo)
+        gappsWrapperArgs+=(--set-default XDG_SESSION_TYPE "unknown" --set-default XDG_SESSION_DESKTOP "unknown")
       '' + (upstream.preFixup or "");
     });
 
@@ -16,7 +16,7 @@
     sandbox.whitelistDri = true;  #< required
     sandbox.whitelistWayland = true;
 
-    buildCost = 2;
+    buildCost = 2;  # webkitgtk
 
     secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
     # downloads end up here, and without the toplevel database komikku doesn't know they exist.
@@ -24,5 +24,11 @@
       # also writes to ~/.cache/komikku
       ".local/share/komikku"
     ];
+    persist.byStore.ephemeral = [
+      ".cache/komikku"
+    ];
+
+    # XXX(2024-08-08): komikku can handle URLs from sources it understands (maybe), but not files (even if encoded as file:// URI)
+    # mime.associations."application/vnd.comicbook+zip" = "info.febvre.Komikku.desktop";  # .cbz
   };
 }

hosts/common/programs/less.nix

@@ -4,5 +4,15 @@
     sandbox.method = "bwrap";
     sandbox.autodetectCliPaths = "existingFile";
     env.PAGER = "less";
+    # LESS flags:
+    # - F = quit if output fits on one screen
+    # - K = exit on ctrl+c
+    # - M = "long prompt"
+    # - R = output raw control characters
+    # - S = chop long lines instead of wrapping
+    # - X = Don't use termcap init/deinit strings (hence, `less` output is visible on the terminal even after exiting)
+    # SYSTEMD_LESS defaults to FRSXMK
+    env.LESS = "FRMK";
+    env.SYSTEMD_LESS = "FRMK";  #< used by journalctl
   };
 }

hosts/common/programs/lftp.nix

@@ -9,5 +9,6 @@
       "Videos/servo"
       "tmp"
     ];
+    sandbox.whitelistPwd = true;  #< it's very common to upload/DL to/from the current folder
   };
 }

hosts/common/programs/lgtrombetta-compass.nix

@@ -0,0 +1,26 @@
+{ ... }:
+{
+  sane.programs.lgtrombetta-compass = {
+    # example compass.conf, calibrated well
+    # [settings]
+    # version = 0.4.0
+    # theme = dark
+    #
+    # [device]
+    # name = AF8133J
+    # magn_x_offset = 281
+    # magn_y_offset = -35
+    # magn_z_offset = 537
+    #
+    persist.byStore.plaintext = [
+      ".config/compass"
+    ];
+    fs.".config/compass.conf".symlink.target = "compass/compass.conf";
+
+    sandbox.method = "bwrap";
+    sandbox.extraPaths = [
+      "/sys/bus/iio/devices"
+      "/sys/devices"
+    ];
+  };
+}

hosts/common/programs/loupe.nix

@@ -2,14 +2,15 @@
 {
   sane.programs.loupe = {
     # loupe is marked "dbus activatable", which does not seem to actually work (at least when launching from Firefox or Nautilus)
-    packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.loupe.overrideAttrs (upstream: {
+    packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.loupe;
-      preFixup = (upstream.preFixup or "") + ''
+    # .overrideAttrs (upstream: {
-        # 2024/02/21: render bug which affects only moby:
+    #   preFixup = (upstream.preFixup or "") + ''
-        #             large images render blank in several gtk applications.
+    #     # 2024/02/21: render bug which affects only moby:
-        #             may resolve itself as gtk or mesa are updated.
+    #     #             large images render blank in several gtk applications.
-        gappsWrapperArgs+=(--set GSK_RENDERER cairo)
+    #     #             may resolve itself as gtk or mesa are updated.
-      '';
+    #     gappsWrapperArgs+=(--set GSK_RENDERER cairo)
-    }));
+    #   '';
+    # }));
 
     sandbox.method = "bwrap";
     sandbox.whitelistWayland = true;

hosts/common/programs/mimetype.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  sane.programs.mimetype = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.perlPackages.FileMimeInfo "mimetype";
+    sandbox.method = "bwrap";
+    sandbox.autodetectCliPaths = "existing";
+  };
+}

hosts/common/programs/mpv/default.nix

@@ -149,8 +149,9 @@ in
         pkgs.mpvScripts.mpris
         pkgs.mpvScripts.mpv-playlistmanager
         pkgs.mpvScripts.mpv-webm
+        pkgs.mpvScripts.sponsorblock
         uosc
-        visualizer
+        # visualizer  #< XXX(2024-07-23): `visualizer` breaks auto-play-next-track (only when visualizations are disabled)
         # pkgs.mpv-uosc-latest
       ];
       # extraMakeWrapperArgs = lib.optionals (cfg.config.vo != null) [
@@ -223,12 +224,13 @@ in
     fs.".config/mpv/scripts/sane_sysvol/non_blocking_popen.lua".symlink.target = ./sane_sysvol/non_blocking_popen.lua;
     fs.".config/mpv/input.conf".symlink.target = ./input.conf;
     fs.".config/mpv/mpv.conf".symlink.target = ./mpv.conf;
-    fs.".config/mpv/script-opts/osc.conf".symlink.target = ./osc.conf;
     fs.".config/mpv/script-opts/console.conf".symlink.target = ./console.conf;
-    fs.".config/mpv/script-opts/uosc.conf".symlink.target = ./uosc.conf;
+    fs.".config/mpv/script-opts/osc.conf".symlink.target = ./osc.conf;
     fs.".config/mpv/script-opts/playlistmanager.conf".symlink.target = ./playlistmanager.conf;
-    fs.".config/mpv/script-opts/webm.conf".symlink.target = ./webm.conf;
+    fs.".config/mpv/script-opts/sponsorblock.conf".symlink.target = ./sponsorblock.conf;
+    fs.".config/mpv/script-opts/uosc.conf".symlink.target = ./uosc.conf;
     fs.".config/mpv/script-opts/visualizer.conf".symlink.target = ./visualizer.conf;
+    fs.".config/mpv/script-opts/webm.conf".symlink.target = ./webm.conf;
 
     # mime.priority = 200;  # default = 100; 200 means to yield to other apps
     mime.priority = 50;  # default = 100; 50 in order to take precedence over vlc.
@@ -241,10 +243,16 @@ in
     mime.associations."video/webm" = "mpv.desktop";
     mime.associations."video/x-flv" = "mpv.desktop";
     mime.associations."video/x-matroska" = "mpv.desktop";
-    mime.urlAssociations."^https?://(m\.)?(www\.)?youtu.be/.+" = "mpv.desktop";
+    #v be the opener for YouTube videos
-    mime.urlAssociations."^https?://(m\.)?(www\.)?youtube.com/shorts/.+" = "mpv.desktop";
+    mime.urlAssociations."^https?://(m\.)?(www\.)?youtu.be/.+$" = "mpv.desktop";
-    mime.urlAssociations."^https?://(m\.)?(www\.)?youtube.com/v/" = "mpv.desktop";
+    mime.urlAssociations."^https?://(m\.)?(www\.)?youtube.com/embed/.+$" = "mpv.desktop";
-    mime.urlAssociations."^https?://(m\.)?(www\.)?youtube.com/watch\?.*v=" = "mpv.desktop";
+    mime.urlAssociations."^https?://(m\.)?(www\.)?youtube.com/playlist\?.*list=.+$" = "mpv.desktop";
+    mime.urlAssociations."^https?://(m\.)?(www\.)?youtube.com/shorts/.+$" = "mpv.desktop";
+    mime.urlAssociations."^https?://(m\.)?(www\.)?youtube.com/v/.+$" = "mpv.desktop";
+    mime.urlAssociations."^https?://(m\.)?(www\.)?youtube.com/watch\?.*v=.+$" = "mpv.desktop";
+    #v be the opener for A/V, generally. useful for e.g. feed readers like News Flash which open content through the portal
+    mime.urlAssociations."^https?://.*\.(mp3|mp4|ogg|ogv|opus|webm)(\\?.*)?$" = "mpv.desktop";
+    #v Loupe image viewer can't open URIs, so use mpv instead
+    mime.urlAssociations."^https?://i\.imgur.com/.+$" = "mpv.desktop";
   };
 }
-

hosts/common/programs/mpv/input.conf

@@ -16,25 +16,27 @@ MBTN_LEFT_DBL ignore
 # text after the shebang is parsed by uosc to construct the menu and names
 menu        script-binding uosc/menu
 s           script-binding uosc/subtitles          #! Subtitles
-a           script-binding uosc/audio              #! Audio tracks
+a           script-binding uosc/audio              #! Audio track
 q           script-binding uosc/stream-quality     #! Stream quality
-p           script-binding uosc/items              #! Playlist
+#           script-binding uosc/audio-device       #! Audio device
-# c           script-binding uosc/chapters           #! Chapters
->           script-binding uosc/next               #! Navigation > Next
-<           script-binding uosc/prev               #! Navigation > Prev
-o           script-binding uosc/open-file          #! Navigation > Open file
-#           set video-aspect-override "-1"         #! Utils > Aspect ratio > Default
-#           set video-aspect-override "16:9"       #! Utils > Aspect ratio > 16:9
-#           set video-aspect-override "4:3"        #! Utils > Aspect ratio > 4:3
-#           set video-aspect-override "2.35:1"     #! Utils > Aspect ratio > 2.35:1
-#           script-binding uosc/audio-device       #! Utils > Audio devices
-#           script-binding uosc/editions           #! Utils > Editions
-ctrl+s      async screenshot                       #! Utils > Screenshot
-alt+i       script-binding uosc/keybinds           #! Utils > Key bindings
-O           script-binding uosc/show-in-directory  #! Utils > Show in directory
-#           script-binding uosc/open-config-directory #! Utils > Open config directory
 ctrl+r      script-binding sane_cast/blast         #! Audiocast
 ctrl+t      script-binding sane_cast/sane-cast     #! Cast
+ctrl+s      async screenshot                       #! Screenshot
+O           script-binding uosc/show-in-directory  #! Open folder
 
-# reserved: it uses this internally, isn't externally callable
+# uosc defaults, kept here but unused
+p           script-binding uosc/items              # Playlist
+#           script-binding uosc/chapters           # Chapters
+>           script-binding uosc/next               # Navigation > Next
+<           script-binding uosc/prev               # Navigation > Prev
+o           script-binding uosc/open-file          # Navigation > Open file
+#           set video-aspect-override "-1"         # Utils > Aspect ratio > Default
+#           set video-aspect-override "16:9"       # Utils > Aspect ratio > 16:9
+#           set video-aspect-override "4:3"        # Utils > Aspect ratio > 4:3
+#           set video-aspect-override "2.35:1"     # Utils > Aspect ratio > 2.35:1
+#           script-binding uosc/editions           # Utils > Editions
+#           script-binding uosc/open-config-directory # Utils > Open config directory
+alt+i       script-binding uosc/keybinds           # Utils > Key bindings
+#
+# mpv-visualizer: reserved: it uses this internally, isn't externally callable
 # v           script-binding cycle-visualizer

hosts/common/programs/mpv/sponsorblock.conf

@@ -0,0 +1,19 @@
+## options: <https://github.com/po5/mpv_sponsorblock/blob/master/sponsorblock.lua#L8>
+audio_fade=yes
+### audio_fade_step: 0 - 100
+### how rapidly to fade the volume into/out of sponsor segments (%/100ms).
+### note that this doesn't impact the time at which the fade starts: that's fixed to 1.0s before the transitions
+# audio_fade_step=2
+# local_pattern uses lua's string matching, an excepts to yield a 11 character ID: <https://www.lua.org/manual/5.3/manual.html#6.4.1>
+# local_pattern=-([%w-_]+)%.[mw][kpe][v4b]m?$  #< default; broken
+# local_pattern=%[([%w-_]+)%]%..*  #< described by tomasklaen <https://github.com/po5/mpv_sponsorblock/issues/67>
+# local_pattern=[ %p]([%w-_]+)%p.webm$  #< works; only webm
+# local_pattern=[ %p]([%w-_]+)%p.[mw][kpe][v4b]m?$  #< works, by merging the above
+local_pattern=%[([%w-_]+)%]%..*
+min_duration=10
+report_views=no
+# XXX(2024-07-22) local_database/server_fallback are unmaintained <https://github.com/po5/mpv_sponsorblock/commit/d05c6e7a5675ef6582e60abe853e9aec535c3ea3>
+# local_database=yes
+# server_fallback=no
+# skip_categories=sponsor,intro,outro,interaction,selfpromo,filler
+skip_categories=sponsor,intro

hosts/common/programs/mpv/uosc.conf

@@ -5,14 +5,15 @@
 timeline_style=bar
 timeline_line_width=4
 timeline_size=36
-timeline_persistency=paused,audio
+# persistency options (comma-separated): paused, audio, image, video, idle, windowed, fullscreen
-controls_persistency=paused,audio
+timeline_persistency=audio,paused
+controls_persistency=audio,paused,windowed
 volume_persistency=audio
 
 # speed_persistency=paused,audio
 # vvv  want a close button?
 top_bar=always
-top_bar_persistency=paused,audio
+top_bar_persistency=paused,audio,windowed
 
 controls=menu,<video>subtitles,<has_many_audio>audio,<has_many_video>video,<has_many_edition>editions,<stream>stream-quality,space,command:replay_10:seek -10,cycle:play_arrow:pause:no=pause/yes=play_arrow,command:forward_30:seek 30,space,speed:1.0,gap,<video>fullscreen
 
@@ -30,3 +31,6 @@ color=foreground=ff968b,background_text=ff968b
 opacity=timeline=0.8,position=1,chapters=0.8,slider=0.8,slider_gauge=0.8,controls=0,speed=0.8,menu=1,submenu=0.4,border=1,title=0.8,tooltip=1,thumbnail=1,curtain=0.8,idle_indicator=0.8,audio_indicator=0.5,buffering_indicator=0.3,playlist_position=0.8
 
 stream_quality_options=1440,1080,720,480,360,240,144
+
+# default open-file menu directory
+default_directory=~/Music

hosts/common/programs/nautilus.nix

@@ -22,8 +22,17 @@
       "/"
       ".persist/ephemeral"
       ".persist/plaintext"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Videos/local"
+      "archive"
       "knowledge"
       "nixos"
+      "records"
+      "tmp"
     ];
     sandbox.extraPaths = [
       "/boot"

hosts/common/programs/newsflash.nix

@@ -1,8 +1,10 @@
-# news-flash RSS viewer
+# news-flash RSS viewer  (exe: `io.gitlab.news_flash.NewsFlash`)
 # - feeds have to be manually imported:
 #   - Local RSS -> Import OPML -> ~/.config/newsflashFeeds.opml
-# - clicking article-embedded links doesn't work because of xdg portal stuff
+#     option may be greyed out on first run: just restart it.
-#   - need to either run unsandboxed, or install a org.freedesktop.portal.OpenURI handler
+#     takes about 20 minutes to import results from scratch.
+# TODO: auto-import feeds
+# - `newsflash -s` might allow importing individual feeds; not removing them, though
 { config, sane-lib, ... }:
 
 let
@@ -13,8 +15,31 @@ let
   wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
 in {
   sane.programs.newsflash = {
+    sandbox.method = "bwrap";
+    sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;  #< for embedded videos
+    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+    sandbox.extraPaths = [
+      # the app sandboxes itself with bwrap, which needs these.
+      #   but it actually only cares that /sys/{block,bus,class/block} *exist*: it doesn't care if there's anything in them.
+      #   so bind empty (sub)directories
+      "/sys/block/loop7"
+      "/sys/bus/container/devices"
+      "/sys/class/block/loop7"
+    ];
+
     buildCost = 2;  # mainly for desktop: webkitgtk-6.0
-    persist.byStore.plaintext = [ ".local/share/news-flash" ];
+    persist.byStore.plaintext = [
+      ".local/share/news-flash" #< sqlite database, the actually important stuff
+      # ".local/share/news_flash"  #< device IDs (?)
+      ".config/news-flash"  #< includes `"backend": "local_rss"`
+    ];
+    persist.byStore.ephemeral = [
+      ".cache/news_flash"  #< WebKit cache
+    ];
+    #v for *manual* use:
     fs.".config/newsflashFeeds.opml".symlink.text =
       feeds.feedsToOpml wanted-feeds
     ;

hosts/common/programs/nicotine-plus.nix

@@ -1,13 +1,35 @@
-# soulseek filesharing GUI app
+# soulseek music sharing GUI app
 { pkgs, ... }:
 {
   sane.programs.nicotine-plus = {
+    packageUnwrapped = pkgs.nicotine-plus.overrideAttrs (upstream: {
+      # nicotine gets confused by permissions. it needs a *writeable* config or config.old to use either.
+      # but the secrets are not writable.
+      # so, copy config (the secret) to config.old on launch & make it writeable.
+      postInstall = ''
+        wrapProgramShell $out/bin/nicotine \
+          --run "cp --update=none ~/.config/nicotine/config ~/.config/nicotine/config.old" \
+          --run "chmod u+w ~/.config/nicotine/config.old"
+        ${upstream.postInstall}
+      '';
+    });
     sandbox.method = "bwrap";
+    sandbox.whitelistDri = true;  #< required, else it fails to launch the gui
     sandbox.whitelistWayland = true;
     sandbox.net = "vpn";
+    sandbox.extraHomePaths = [
+      "Music"
+      # on run, nicotine will try to move the initial config to `config.old`
+      # and then update the config on disk. it errors if it can't `mv` it like that.
+      ".config/nicotine"
+    ];
 
-    # ".config/nicotine": contains the config file, with plaintext creds.
+    # the config has loooads of options, but the only critical one is auth/creds.
-    # TODO: define this as a secret instead of persisting it.
+    # run with ~/.config/nicotine in the sandbox and nicotine will derive the whole config
-    persist.byStore.private = [ ".config/nicotine" ];
+    # and write back *all* options for you to then edit further.
+    secrets.".config/nicotine/config" = ../../../secrets/common/nicotine-config.bin;
+    persist.byStore.plaintext = [
+      ".local/share/nicotine/downloads"
+    ];
   };
 }

hosts/common/programs/nix.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  sane.programs.nix = {
+    env.NIXPKGS_ALLOW_UNFREE = "1";  #< FUCK OFF YOU'RE SO ANNOYING
+    persist.byStore.plaintext = [
+      # ~/.cache/nix can become several GB; persisted to save RAM
+      ".cache/nix"
+    ];
+  };
+}

hosts/common/programs/nwg-panel/default.nix

@@ -147,7 +147,6 @@ in
     suggestedPrograms = [
       "brightnessctl"
       "pactl"  # pactl required by `per-app-volume` component.
-      "sane-die-with-parent"
     ] ++ lib.optionals (cfg.config.torch != null) [
       "torch-toggle"
     ];
@@ -205,6 +204,7 @@ in
       "/sys/devices"
     ];
     sandbox.extraRuntimePaths = [ "sway" ];
+    sandbox.isolatePids = false;  #< nwg-panel restarts itself on display dis/connect, by killing all other instances.
 
     services.nwg-panel = {
       description = "nwg-panel status/topbar for wayland";
@@ -214,7 +214,7 @@ in
       # N.B.: G_MESSAGES_DEBUG=all causes the swaync icon to not render
       # command = "env G_MESSAGES_DEBUG=all nwg-panel";
       # XXX: try `nwg-panel & ; kill $$`. the inner nwg-panel doesn't die (without sane-die-with-parent), and hence the service would be prone to maintaining _multiple_ bars.
-      command = "sane-die-with-parent --descendants --signal SIGKILL nwg-panel";
+      command = "nwg-panel";
     };
   };
 }

hosts/common/programs/objdump.nix

@@ -3,7 +3,7 @@
   sane.programs.objdump = {
     # binutils-unwrapped is like 80 MiB, just for this one binary;
     # dynamic linking means copying the binary doesn't reduce the closure much at all compared to just symlinking it.
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.binutils-unwrapped "bin/objdump";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.binutils-unwrapped "objdump";
     sandbox.method = "bwrap";
     sandbox.autodetectCliPaths = "existingFile";
   };

hosts/common/programs/pactl.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
   sane.programs.pactl = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.pulseaudio "bin/pactl";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.pulseaudio "pactl";
     sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
   };

hosts/common/programs/pidof.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
   sane.programs.pidof = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.procps "bin/pidof";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "pidof";
     sandbox.method = "bwrap";
     sandbox.isolatePids = false;
   };

hosts/common/programs/pipewire/20-spatializer-7.1.conf

@@ -0,0 +1,191 @@
+# Headphone surround sink
+#
+# source: <repo:pipewire/pipewire:src/daemon/filter-chain/spatializer-7.1.conf>
+# but modified:
+# - applied a gain to the mixer.
+context.modules = [
+  { name = libpipewire-module-filter-chain
+    flags = [ nofail ]
+    args = {
+      node.description = "Spatial Sink"
+      media.name       = "Spatial Sink"
+      filter.graph = {
+        nodes = [
+          {
+            type = sofa
+            label = spatializer
+            name = spFL
+            config = {
+              filename = "/etc/profiles/per-user/colin/share/libmysofa/default.sofa"
+            }
+            control = {
+              "Azimuth"   =  30.0
+              "Elevation" =   0.0
+              "Radius"    =   3.0
+            }
+          }
+          {
+            type = sofa
+            label = spatializer
+            name = spFR
+            config = {
+              filename = "/etc/profiles/per-user/colin/share/libmysofa/default.sofa"
+            }
+            control = {
+              "Azimuth"   = 330.0
+              "Elevation" =   0.0
+              "Radius"    =   3.0
+            }
+          }
+          {
+            type = sofa
+            label = spatializer
+            name = spFC
+            config = {
+              filename = "/etc/profiles/per-user/colin/share/libmysofa/default.sofa"
+            }
+            control = {
+              "Azimuth"   =   0.0
+              "Elevation" =   0.0
+              "Radius"    =   3.0
+            }
+          }
+          {
+            type = sofa
+            label = spatializer
+            name = spRL
+            config = {
+              filename = "/etc/profiles/per-user/colin/share/libmysofa/default.sofa"
+            }
+            control = {
+              "Azimuth"   = 150.0
+              "Elevation" =   0.0
+              "Radius"    =   3.0
+            }
+          }
+          {
+            type = sofa
+            label = spatializer
+            name = spRR
+            config = {
+              filename = "/etc/profiles/per-user/colin/share/libmysofa/default.sofa"
+            }
+            control = {
+              "Azimuth"   = 210.0
+              "Elevation" =   0.0
+              "Radius"    =   3.0
+            }
+          }
+          {
+            type = sofa
+            label = spatializer
+            name = spSL
+            config = {
+              filename = "/etc/profiles/per-user/colin/share/libmysofa/default.sofa"
+            }
+            control = {
+              "Azimuth"   =  90.0
+              "Elevation" =   0.0
+              "Radius"    =   3.0
+            }
+          }
+          {
+            type = sofa
+            label = spatializer
+            name = spSR
+            config = {
+              filename = "/etc/profiles/per-user/colin/share/libmysofa/default.sofa"
+            }
+            control = {
+              "Azimuth"   = 270.0
+              "Elevation" =   0.0
+              "Radius"    =   3.0
+            }
+          }
+          {
+            type = sofa
+            label = spatializer
+            name = spLFE
+            config = {
+              filename = "/etc/profiles/per-user/colin/share/libmysofa/default.sofa"
+            }
+            control = {
+              "Azimuth"   =   0.0
+              "Elevation" = -60.0
+              "Radius"    =   3.0
+            }
+          }
+
+          {
+            type = builtin
+            label = mixer
+            name = mixL
+            control = {
+              # gains are derived experimentally:
+              # - find a source mixed for stereo, and also 5.1
+              # - tune these gains until the mix sounds about equally loud
+              # i expect this gain should actually be lower (e.g. 0.33 instead of 0.50), since i define a 7.1 stage here
+              # so my 5.1 test probably left 1/3 of the virtual speakers "silent"
+              "Gain 1" = 0.50
+              "Gain 2" = 0.50
+              "Gain 3" = 0.50
+              "Gain 4" = 0.50
+              "Gain 5" = 0.50
+              "Gain 6" = 0.50
+              "Gain 7" = 0.50
+              "Gain 8" = 0.50
+            }
+          }
+          {
+            type = builtin
+            label = mixer
+            name = mixR
+            control = {
+              "Gain 1" = 0.50
+              "Gain 2" = 0.50
+              "Gain 3" = 0.50
+              "Gain 4" = 0.50
+              "Gain 5" = 0.50
+              "Gain 6" = 0.50
+              "Gain 7" = 0.50
+              "Gain 8" = 0.50
+            }
+          }
+        ]
+        links = [
+          # output
+          { output = "spFL:Out L"  input="mixL:In 1" }
+          { output = "spFL:Out R"  input="mixR:In 1" }
+          { output = "spFR:Out L"  input="mixL:In 2" }
+          { output = "spFR:Out R"  input="mixR:In 2" }
+          { output = "spFC:Out L"  input="mixL:In 3" }
+          { output = "spFC:Out R"  input="mixR:In 3" }
+          { output = "spRL:Out L"  input="mixL:In 4" }
+          { output = "spRL:Out R"  input="mixR:In 4" }
+          { output = "spRR:Out L"  input="mixL:In 5" }
+          { output = "spRR:Out R"  input="mixR:In 5" }
+          { output = "spSL:Out L"  input="mixL:In 6" }
+          { output = "spSL:Out R"  input="mixR:In 6" }
+          { output = "spSR:Out L"  input="mixL:In 7" }
+          { output = "spSR:Out R"  input="mixR:In 7" }
+          { output = "spLFE:Out L" input="mixL:In 8" }
+          { output = "spLFE:Out R" input="mixR:In 8" }
+        ]
+        inputs  = [ "spFL:In" "spFR:In" "spFC:In" "spLFE:In" "spRL:In" "spRR:In", "spSL:In", "spSR:In" ]
+        outputs = [ "mixL:Out" "mixR:Out" ]
+      }
+      capture.props = {
+        node.name    = "effect_input.spatializer"
+        media.class  = Audio/Sink
+        audio.channels = 8
+        audio.position = [ FL FR FC LFE RL RR SL SR ]
+      }
+      playback.props = {
+        node.name    = "effect_output.spatializer"
+        node.passive   = true
+        audio.channels = 2
+        audio.position = [ FL FR ]
+      }
+    }
+  }
+]