modules/programs: require manual definition; don't auto-populate attrset

this greatly decreases nix eval time

flake.lock

@@ -1,5 +1,23 @@
 {
   "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1698882062,
+        "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "mobile-nixos": {
       "flake": false,
       "locked": {
@@ -17,6 +35,60 @@
         "type": "github"
       }
     },
+    "nix-fast-build": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1703607026,
+        "narHash": "sha256-Emh0BPoqlS4ntp2UJrwydXfIP4qIMF0VBB2FUE3/M/E=",
+        "owner": "Mic92",
+        "repo": "nix-fast-build",
+        "rev": "4376b8a33b217ee2f78ba3dcff01a3e464d13a46",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "nix-fast-build",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1698890957,
+        "narHash": "sha256-DJ+SppjpPBoJr0Aro9TAcP3sxApCSieY6BYBCoWGUX8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c082856b850ec60cda9f0a0db2bc7bd8900d708c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1698611440,
+        "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-next-unpatched": {
       "locked": {
         "lastModified": 1708992120,
@@ -68,6 +140,7 @@
     "root": {
       "inputs": {
         "mobile-nixos": "mobile-nixos",
+        "nix-fast-build": "nix-fast-build",
         "nixpkgs-next-unpatched": "nixpkgs-next-unpatched",
         "nixpkgs-unpatched": "nixpkgs-unpatched",
         "sops-nix": "sops-nix",
@@ -95,6 +168,27 @@
         "type": "github"
       }
     },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-fast-build",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1698438538,
+        "narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
     "uninsane-dot-org": {
       "inputs": {
         "nixpkgs": [

flake.nix

@@ -57,6 +57,10 @@
       url = "github:nixos/mobile-nixos?ref=d25d3b87e7f300d8066e31d792337d9cd7ecd23b";
       flake = false;
     };
+    nix-fast-build = {
+      # https://github.com/Mic92/nix-fast-build
+      url = "github:Mic92/nix-fast-build";
+    };
     sops-nix = {
       # <https://github.com/Mic92/sops-nix>
       # used to distribute secrets to my hosts
@@ -77,6 +81,7 @@
     nixpkgs-unpatched,
     nixpkgs-next-unpatched ? nixpkgs-unpatched,
     mobile-nixos,
+    nix-fast-build,
     sops-nix,
     uninsane-dot-org,
     ...
@@ -207,8 +212,11 @@
           let
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlays.default;
+            # TODO: why do i have to use `self.inputs.nix-fast-build` instead of just `nix-fast-build` here?
+            nix-fast-build = (_: prev: self.inputs.nix-fast-build.packages."${prev.stdenv.system}" or {});
           in
             (mobile final prev)
+            // (nix-fast-build final prev)
             // (uninsane final prev)
           ;
       };

hosts/common/programs/assorted.nix

@@ -206,6 +206,8 @@ in
     alsaUtils.sandbox.wrapperType = "wrappedDerivation";
     alsaUtils.sandbox.whitelistAudio = true;  #< not strictly necessary?
 
+    backblaze-b2 = {};
+
     blanket.sandbox.method = "bwrap";
     blanket.sandbox.wrapperType = "wrappedDerivation";
     blanket.sandbox.whitelistAudio = true;
@@ -243,6 +245,8 @@ in
 
     cargo.persist.byStore.plaintext = [ ".cargo" ];
 
+    clang = {};
+
     # cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
     cryptsetup.sandbox.method = "landlock";
     cryptsetup.sandbox.wrapperType = "wrappedDerivation";
@@ -293,6 +297,8 @@ in
     dtrx.sandbox.whitelistPwd = true;
     dtrx.sandbox.autodetectCliPaths = "existing";  #< for the archive
 
+    duplicity = {};
+
     e2fsprogs.sandbox.method = "landlock";
     e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
     e2fsprogs.sandbox.autodetectCliPaths = "existing";
@@ -303,6 +309,8 @@ in
       "/sys/firmware/efi"
     ];
 
+    eg25-control = {};
+
     electrum.sandbox.method = "bwrap";  # TODO:sandbox: untested
     electrum.sandbox.wrapperType = "wrappedDerivation";
     electrum.sandbox.net = "all";  # TODO: probably want to make this run behind a VPN, always
@@ -409,6 +417,8 @@ in
     gdb.sandbox.wrapperType = "wrappedDerivation";
     gdb.sandbox.autodetectCliPaths = true;
 
+    geoclue2-with-demo-agent = {};
+
     # MS GitHub stores auth token in .config
     # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
     gh.persist.byStore.private = [ ".config/gh" ];
@@ -505,6 +515,9 @@ in
       ".persist/plaintext"
     ];
 
+    gnused = {};
+    gpsd = {};
+
     gptfdisk.sandbox.method = "landlock";
     gptfdisk.sandbox.wrapperType = "wrappedDerivation";
     gptfdisk.sandbox.extraPaths = [
@@ -512,6 +525,8 @@ in
     ];
     gptfdisk.sandbox.autodetectCliPaths = "existing";  #< sometimes you'll use gdisk on a device file.
 
+    grim = {};
+
     hase.sandbox.method = "bwrap";
     hase.sandbox.wrapperType = "wrappedDerivation";
     hase.sandbox.net = "clearnet";
@@ -643,6 +658,8 @@ in
     lsof.sandbox.method = "capshonly";  # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
     lsof.sandbox.wrapperType = "wrappedDerivation";
 
+    lua = {};
+
     "mate.engrampa".sandbox.method = "bwrap";  # TODO:sandbox: untested
     "mate.engrampa".sandbox.wrapperType = "inplace";
     "mate.engrampa".sandbox.whitelistWayland = true;
@@ -717,6 +734,8 @@ in
       "/proc"
     ];
 
+    nodejs = {};
+
     # `nvme list` only shows results when run as root.
     nvme-cli.sandbox.method = "landlock";
     nvme-cli.sandbox.wrapperType = "wrappedDerivation";
@@ -743,6 +762,8 @@ in
     ];
     parted.sandbox.autodetectCliPaths = "existing";  #< sometimes you'll use parted on a device file.
 
+    patchelf = {};
+
     pavucontrol.sandbox.method = "bwrap";
     pavucontrol.sandbox.wrapperType = "wrappedDerivation";
     pavucontrol.sandbox.whitelistAudio = true;
@@ -801,6 +822,8 @@ in
     rsync.sandbox.net = "clearnet";
     rsync.sandbox.autodetectCliPaths = "existingOrParent";
 
+    rustc = {};
+
     screen.sandbox.enable = false;  #< tty; needs to run anything
 
     sequoia.sandbox.method = "bwrap";  # TODO:sandbox: untested
@@ -818,6 +841,8 @@ in
     # printer/filament settings
     slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
 
+    slurp = {};
+
     # use like `sudo smartctl /dev/sda -a`
     smartmontools.sandbox.method = "landlock";
     smartmontools.sandbox.wrapperType = "inplace";  # ships a script in /etc that calls into its bin
@@ -864,6 +889,8 @@ in
     speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
     speedtest-cli.sandbox.net = "all";
 
+    sqlite = {};
+
     strace.sandbox.enable = false;  #< needs to `exec` its args, and therefore support *anything*
 
     subversion.sandbox.method = "bwrap";
@@ -963,6 +990,8 @@ in
     wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
     wl-clipboard.sandbox.whitelistWayland = true;
 
+    wtype = {};
+
     xwayland.sandbox.method = "bwrap";
     xwayland.sandbox.wrapperType = "inplace";  #< consumers use it as a library (e.g. wlroots)
     xwayland.sandbox.whitelistWayland = true;  #< just assuming this is needed
@@ -978,13 +1007,11 @@ in
     yt-dlp.sandbox.wrapperType = "wrappedDerivation";
     yt-dlp.sandbox.net = "all";
     yt-dlp.sandbox.whitelistPwd = true;  # saves to pwd by default
+
+    zfs = {};
   };
 
   programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
     enable = true;
   };
-
-  programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
-    enable = true;  #< install the suid binary
-  };
 }

hosts/common/programs/default.nix

@@ -26,6 +26,7 @@
     ./evince.nix
     ./feedbackd.nix
     ./firefox.nix
+    ./firejail.nix
     ./flare-signal.nix
     ./fontconfig.nix
     ./fractal.nix

hosts/common/programs/firejail.nix

@@ -0,0 +1,8 @@
+{ lib, config, ... }:
+{
+  sane.programs.firejail = {};
+
+  programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
+    enable = true;  #< install the suid binary
+  };
+}

hosts/common/programs/fwupd.nix

@@ -1,5 +1,6 @@
 { config, lib, ... }:
 {
+  sane.programs.fwupd = {};
   services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
     # enables the dbus service, which i think the frontend speaks to.
     enable = true;

hosts/common/programs/sane-scripts.nix

@@ -49,6 +49,9 @@ in
       "sane-scripts.sync-music"
     ];
 
+    "sane-scripts.backup-ls" = {};
+    "sane-scripts.backup-restore" = {};
+
     "sane-scripts.bt-add".sandbox = {
       method = "bwrap";
       wrapperType = "wrappedDerivation";
@@ -121,6 +124,8 @@ in
       net = "all";
     };
 
+    "sane-scripts.ip-port-forward" = {};
+
     "sane-scripts.private-change-passwd".sandbox = {
       method = "bwrap";
       wrapperType = "wrappedDerivation";
@@ -216,9 +221,14 @@ in
       ];
     };
 
+    "sane-scripts.stop-all-servo" = {};
+
     # if `tee` isn't trustworthy we have bigger problems
     "sane-scripts.sudo-redirect".sandbox.enable = false;
 
+    "sane-scripts.sync-music" = {};
+    "sane-scripts.sync-from-iphone" = {};
+
     "sane-scripts.tag-music".sandbox = {
       method = "bwrap";
       wrapperType = "wrappedDerivation";

hosts/modules/gui/default.nix

@@ -10,7 +10,6 @@ in
     ./gnome.nix
     ./greetd.nix
     ./gtk.nix
-    ./phosh.nix
     ./sxmo
     ./theme
   ];

hosts/modules/gui/phosh.nix

@@ -1,159 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-let
-  cfg = config.sane.gui.phosh;
-in
-{
-  options = {
-    sane.gui.phosh.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-    sane.gui.phosh.useGreeter = mkOption {
-      description = ''
-        launch phosh via a greeter (like lightdm-mobile-greeter).
-        phosh is usable without a greeter, but skipping the greeter means no PAM session.
-      '';
-      default = true;
-      type = types.bool;
-    };
-  };
-
-  config = mkMerge [
-    {
-      sane.programs.phoshApps = {
-        packageUnwrapped = null;
-        suggestedPrograms = [
-          "guiApps"
-          # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
-          "gnome.gnome-bluetooth"
-          "gnome.gnome-terminal"
-          "phosh-mobile-settings"
-        ];
-      };
-    }
-
-    (mkIf cfg.enable {
-      sane.programs.phoshApps.enableFor.user.colin = true;
-
-      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
-      # docs: <repo:gnome/phosh:src/phoc.ini.example>
-      # docs: <repo:gnome/phosh:src/settings.c#config_ini_handler>
-      services.xserver.desktopManager.phosh = {
-        enable = true;
-        user = "colin";
-        group = "users";
-        phocConfig = {
-          # xwayland = "true";
-          # find default outputs by catting /etc/phosh/phoc.ini
-          outputs.DSI-1 = {
-            scale = 1.5;
-          };
-        };
-      };
-
-      # phosh enables `services.gnome.{core-os-services, core-shell}`
-      # and this in turn enables some default apps we don't really care about.
-      # see <nixos/modules/services/x11/desktop-managers/gnome.nix>
-      environment.gnome.excludePackages = with pkgs; [
-        # gnome.gnome-menus  # unused outside gnome classic, but probably harmless
-        gnome-tour
-      ];
-      services.dleyna-renderer.enable = false;
-      services.dleyna-server.enable = false;
-      services.gnome.gnome-browser-connector.enable = false;
-      services.gnome.gnome-initial-setup.enable = false;
-      services.gnome.gnome-online-accounts.enable = false;
-      services.gnome.gnome-remote-desktop.enable = false;
-      services.gnome.gnome-user-share.enable = false;
-      services.gnome.rygel.enable = false;
-
-      # gnome doesn't use mkDefault for these -- unclear why not
-      services.gnome.evolution-data-server.enable = mkForce false;
-      services.gnome.gnome-online-miners.enable = mkForce false;
-
-      # XXX: phosh enables networkmanager by default; can probably disable these lines
-      networking.networkmanager.enable = true;
-      networking.wireless.enable = lib.mkForce false;
-
-      # XXX: not clear if these are actually needed?
-      hardware.bluetooth.enable = true;
-      services.blueman.enable = true;
-
-      hardware.opengl.enable = true;
-      hardware.opengl.driSupport = true;
-
-      environment.variables = {
-        # Qt apps won't always start unless this env var is set
-        QT_QPA_PLATFORM = "wayland";
-        # electron apps (e.g. Element) should use the wayland backend
-        # toggle this to have electron apps (e.g. Element) use the wayland backend.
-        # phocConfig.xwayland should be disabled if you do this
-        NIXOS_OZONE_WL = "1";
-      };
-
-      systemd.services.phosh.environment = {
-        # PHOC_DEBUG: comma-separated list of:
-        # - ``auto-maximize``: Maximize toplevels
-        # - ``damage-tracking``: Debug damage tracking
-        # - ``no-quit``: Don't quit when session ends
-        # - ``touch-points``: Debug touch points
-        # - ``layer-shell``: Debug layer shell
-        # - ``cutouts``: Debug display cutouts and notches
-        PHOC_DEBUG = "layer-shell";
-        # G_DEBUG, G_MESSAGE_DEBUG for glib debugging: <https://docs.gtk.org/glib/running.html>
-      };
-
-      programs.dconf.packages = [
-        # org.kde.konsole.desktop
-        (pkgs.writeTextFile {
-          name = "dconf-phosh-settings";
-          destination = "/etc/dconf/db/site.d/00_phosh_settings";
-          text = ''
-            [org/gnome/desktop/interface]
-            show-battery-percentage=true
-
-            [org/gnome/settings-daemon/plugins/power]
-            sleep-inactive-ac-timeout=5400
-            sleep-inactive-battery-timeout=5400
-
-            [sm/puri/phosh]
-            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.gnome.Terminal.desktop']
-          '';
-        })
-      ];
-    })
-
-    (mkIf (cfg.enable && cfg.useGreeter) {
-      services.xserver.enable = true;
-      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
-      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
-      # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
-      # this requires the user we want to login as to be cached.
-      services.xserver.displayManager.job.preStart = ''
-        ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
-      '';
-      # XXX for some reason specifying defaultSession = "sm.puri.Phosh" breaks cross-compiled display-manager startup
-      # - causes an attempt to load x86-64 glib-2.76.2/lib/libglib-2.0.so.0
-      # - likely <repo:nixpkgs:nixos/modules/services/x11/display-managers/account-service-util.nix>
-      # - but i believe some variant of this issue existed even during emulated compilation
-      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";
-      services.xserver.displayManager.lightdm.extraSeatDefaults = ''
-        user-session = phosh
-      '';
-      # services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
-      # services.xserver.displayManager.lightdm.greeter = {
-      #   enable = true;
-      #   package = pkgs.lightdm-mobile-greeter.xgreeters;
-      #   name = "lightdm-mobile-greeter";
-      # };
-      # # services.xserver.displayManager.lightdm.enable = true;
-
-      services.xserver.displayManager.lightdm.enable = true;
-      services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
-
-      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
-    })
-  ];
-}

modules/programs/default.nix

@@ -652,26 +652,8 @@ in
       {
         environment.pathsToLink = [ "/share/sane-sandboxed" ];
         environment.systemPackages = [ config.sane.sandboxHelper ];
-      }
-      {
         # expose the pkgs -- as available to the system -- as a build target.
         system.build.pkgs = pkgs;
-
-        sane.programs = lib.mkMerge [
-          # make a program for every (toplevel) package
-          (lib.mapAttrs (_pkgName: _pkg: {}) pkgs)
-
-          # do the same for programs in known groups
-          (lib.mapAttrs' (pkgName: _pkg: { name = "cacert.${pkgName}"; value = {}; }) pkgs.cacert)
-          (lib.mapAttrs' (pkgName: _pkg: { name = "gnome.${pkgName}"; value = {}; }) pkgs.gnome)
-          (lib.mapAttrs' (pkgName: _pkg: { name = "libsForQt5.${pkgName}"; value = {}; }) pkgs.libsForQt5)
-          (lib.mapAttrs' (pkgName: _pkg: { name = "mate.${pkgName}"; value = {}; }) pkgs.mate)
-          (lib.mapAttrs' (pkgName: _pkg: { name = "perlPackages.${pkgName}"; value = {}; }) pkgs.perlPackages)
-          (lib.mapAttrs' (pkgName: _pkg: { name = "plasma5Packages.${pkgName}"; value = {}; }) pkgs.plasma5Packages)
-          (lib.mapAttrs' (pkgName: _pkg: { name = "python3Packages.${pkgName}"; value = {}; }) pkgs.python3Packages)
-          (lib.mapAttrs' (pkgName: _pkg: { name = "sane-scripts.${pkgName}"; value = {}; }) pkgs.sane-scripts)
-          (lib.mapAttrs' (pkgName: _pkg: { name = "sway-contrib.${pkgName}"; value = {}; }) pkgs.sway-contrib)
-        ];
       }
     ];
 }

pkgs/additional/sane-scripts/src/sane-wipe

@@ -28,10 +28,10 @@ wipe_browser() {
     || true  # in case no matches
 
   # browsers like to stick around in the background so they can load faster
-  sudo pkill brave || true
-  sudo pkill epiphany || true
-  sudo pkill firefox || true
-  sudo pkill librewolf || true
+  pkill brave || true
+  pkill epiphany || true
+  pkill firefox || true
+  pkill librewolf || true
 }
 
 wipe_dino() {