koreader-from-src: it runs!

launch doesn't work because it fails to load libSDL.so

README.md

@@ -16,6 +16,8 @@ directly here; even the sources for those packages is often kept here too.
 [uninsane-org]: https://uninsane.org
 
 ## Layout
+- `doc/`
+    - instructions for tasks i find myself doing semi-occasionally in this repo.
 - `hosts/`
     - the bulk of config which isn't factored with external use in mind.
     - that is, if you were to add this repo to a flake.nix for your own use,
@@ -37,9 +39,7 @@ directly here; even the sources for those packages is often kept here too.
     - inline code for wholly custom packages (e.g. `pkgs/additional/sane-scripts/` for CLI tools
       that are highly specific to my setup).
 - `scripts/`
-    - scripts which are referenced by other things in this repo.
-    - these aren't generally user-facing, but they're factored out so that they can
-      be invoked directly when i need to debug.
+    - scripts which aren't reachable on a deployed system, but may aid manual deployments
 - `secrets/`
     - encrypted keys, API tokens, anything which one or more of my machines needs
       read access to but shouldn't be world-readable.
@@ -106,3 +106,6 @@ this repo exists in a few known locations:
 
 if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc,
 you can reach me via any method listed [here](https://uninsane.org/about).
+patches, for this repo or any other i host, will be warmly welcomed in any manner you see fit:
+`git send-email`, DM'ing the patch over Matrix/Lemmy/ActivityPub/etc, even a literal PR where you
+link me to your own clone.

TODO.md

@@ -1,6 +1,7 @@
 ## BUGS
 - why i need to manually restart `wireguard-wg-ovpns` on servo periodically
-	- else DNS fails
+  - else DNS fails
+- fix epiphany URL bar input on moby
 
 ## REFACTORING:
 
@@ -14,8 +15,6 @@
     - will make it easier to test new services?
 
 ### upstreaming
-- split out a trust-dns module
-  - see: <https://github.com/NixOS/nixpkgs/pull/205866#issuecomment-1575753054>
 - split out a sxmo module usable by NUR consumers
 - bump nodejs version in lemmy-ui
 - add updateScripts to all my packages in nixpkgs
@@ -39,25 +38,25 @@
     - flatpak does this, somehow
     - apparmor?  SElinux?  (desktop) "portals"?
     - see Spectrum OS; Alyssa Ross; etc
+    - bubblewrap-based sandboxing: <https://github.com/nixpak/nixpak>
 - canaries for important services
     - e.g. daily email checks; daily backup checks
     - integrate `nix check` into Gitea actions?
 
 ### user experience
 - neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
-- firefox/librewolf: don't show browserpass/sponsorblock/metamask "first run" on every boot
+- Helix: make copy-to-system clipboard be the default
+- firefox/librewolf: persist history
+  - just not cookies or tabs
 - moby: improve gPodder launch time
 - moby: theme GTK apps (i.e. non-adwaita styles)
   - especially, make the menubar collapsible
+  - try Gradience tool specifically for theming adwaita? <https://linuxphoneapps.org/apps/com.github.gradienceteam.gradience/>
 - package Nix/NixOS docs for Zeal
     - install [doc-browser](https://github.com/qwfy/doc-browser)
     - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
     - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
-- `sane.programs`: auto-populate defaults with everything from `pkgs`
-- `sane.persist`: auto-create parent dirs in ~/private
-  - currently if the application doesn't autocreate dirs leading to its destination, then ~/private storage fails
-  - this might be why librewolf on mobile is still amnesiac
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
 - uninsane.org: make URLs relative to allow local use (and as offline homepage)
 - email: fix so that local mail doesn't go to junk
@@ -65,19 +64,15 @@
   - could change junk filter from "no DKIM success" to explicit "DKIM failed"
 
 ### perf
-- why does zsh take so long to init?
+- add `pkgs.impure-cached.<foo>` package set to build things with ccache enabled
+    - every package here can be auto-generated, and marked with some env var so that it doesn't pollute the pure package set
+    - would be super handy for package prototyping!
 - why does nixos-rebuild switch take 5 minutes when net is flakey?
     - trying to auto-mount servo?
     - something to do with systemd services restarting/stalling
     - maybe wireguard & its refresh operation, specifically?
-- fix OOM for large builds like webkitgtk
-    - these use significant /tmp space.
-    - either place /tmp on encrypted-cleared-at-boot storage
-        - which probably causes each CPU load for the encryption
-    - or have nix builds use a subdir of /tmp like /tmp/nix/...
-        - and place that on non-encrypted clear-on-boot (with very lax writeback/swappiness to minimize writes)
-    - **or set up encrypted swap**
-        - encrypted swap could remove the need for my encrypted-cleared-at-boot stuff
+- get moby to build without binfmt emulation (i.e. make all emulation explicit)
+  - then i can distribute builds across servo + desko, and also allow servo to pull packages from desko w/o worrying about purity
 
 
 ## NEW FEATURES:

doc/adding-a-program.md

@@ -0,0 +1,13 @@
+to ship `pkgs.foo` on some host, either:
+- add it as an entry in `suggestedPrograms` to the appropriate category in `hosts/common/programs/assorted.nix`, or
+- `sane.programs.foo.enableFor.user.colin = true` in `hosts/by-name/myhost/default.nix`
+
+if the program needs customization (persistence, configs, secrets):
+- add a file for it at `hosts/common/programs/<foo>.nix`
+- set the options, `sane.programs.foo.{fs,persist}`
+
+if it's unclear what fs paths a program uses:
+- run one of these commands, launch the program, run it again, and `diff`:
+  - `du -x --apparent-size ~`
+  - `find ~ -xdev`
+- or, inspect the whole tmpfs root with `ncdu -x /`

flake.lock

@@ -69,11 +69,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1687031877,
-        "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
+        "lastModified": 1689473667,
+        "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
+        "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6",
         "type": "github"
       },
       "original": {
@@ -85,11 +85,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1688049487,
-        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
+        "lastModified": 1689534811,
+        "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
+        "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222",
         "type": "github"
       },
       "original": {
@@ -116,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1687398569,
-        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
+        "lastModified": 1689534977,
+        "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
+        "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687821285,
-        "narHash": "sha256-pw0UYKG8yhW1H3nPgAhVYCzYFXYtamMh2DmF8YhtRec=",
+        "lastModified": 1688265812,
+        "narHash": "sha256-Wkx56Pw7V5+5Gn6B3olDGP+o1qIp8BPFL0MWC2wbKVg=",
         "ref": "refs/heads/master",
-        "rev": "ae27eb61b55b6c6d83c25384fb163df398a80265",
-        "revCount": 201,
+        "rev": "1542323cfb46a8950c17a3afa5f7cd2e62dd9672",
+        "revCount": 202,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -239,10 +239,14 @@
       apps."x86_64-linux" =
         let
           pkgs = self.legacyPackages."x86_64-linux";
-          deployScript = action: pkgs.writeShellScript "deploy-moby" ''
-            nixos-rebuild --flake '.#moby' build $@
-            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
-            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby --use-remote-sudo $@
+          deployScript = host: action: pkgs.writeShellScript "deploy-${host}" ''
+            nix build '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./result-${host} $@
+            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result-${host})
+
+            # XXX: this triggers another config eval & (potentially) build.
+            # if the config changed between these invocations, the above signatures might not apply to the deployed config.
+            # let the user handle that edge case by re-running this whole command
+            nixos-rebuild --flake '.#${host}' ${action} --target-host colin@${host} --use-remote-sudo $@
           '';
         in {
           update-feeds = {
@@ -256,15 +260,25 @@
             program = "${pkgs.feeds.initFeedScript}";
           };
 
+          deploy-lappy = {
+            # `nix run '.#deploy-lappy'`
+            type = "app";
+            program = ''${deployScript "lappy" "switch"}'';
+          };
           deploy-moby-test = {
             # `nix run '.#deploy-moby-test'`
             type = "app";
-            program = ''${deployScript "test"}'';
+            program = ''${deployScript "moby" "test"}'';
           };
           deploy-moby = {
-            # `nix run '.#deploy-moby-switch'`
+            # `nix run '.#deploy-moby'`
             type = "app";
-            program = ''${deployScript "switch"}'';
+            program = ''${deployScript "moby" "switch"}'';
+          };
+          deploy-servo = {
+            # `nix run '.#deploy-servo'`
+            type = "app";
+            program = ''${deployScript "servo" "switch"}'';
           };
 
           check-nur = {

hosts/by-name/desko/default.nix

@@ -4,11 +4,10 @@
     ./fs.nix
   ];
 
-  sane.guest.enable = true;
+  # sane.guest.enable = true;
 
-  # TODO: make sure this plays nice with impermanence
-  services.distccd.enable = true;
-  sane.programs.distcc.enableFor.user.guest = true;
+  # services.distccd.enable = true;
+  # sane.programs.distcc.enableFor.user.guest = true;
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
@@ -23,9 +22,11 @@
 
   sane.gui.sway.enable = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;
+  sane.programs.steam.enableFor.user.colin = true;
 
   sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
   sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
+  # sane.programs.devPkgs.enableFor.user.colin = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
@@ -35,6 +36,7 @@
 
   # don't enable wifi by default: it messes with connectivity.
   systemd.services.iwd.enable = false;
+  systemd.services.wpa_supplicant.enable = false;
 
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
@@ -48,17 +50,6 @@
     ALLOW_USERS = [ "colin" ];
   };
 
-  programs.steam = {
-    enable = true;
-    # not sure if needed: stole this whole snippet from the wiki
-    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
-    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
-  };
-  sane.user.persist.plaintext = [
-    ".steam"
-    ".local/share/Steam"
-  ];
-
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";
 }

hosts/by-name/desko/fs.nix

@@ -2,17 +2,10 @@
 
 {
   sane.persist.root-on-tmpfs = true;
-  # we need a /tmp for building large nix things.
+  # increase /tmp space (defaults to 50% of RAM) for building large nix things.
   # a cross-compiled kernel, particularly, will easily use 30+GB of tmp
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=777"
-      "size=64G"
-      "defaults"
-    ];
-  };
+  fileSystems."/tmp".options = [ "size=64G" ];
+
   fileSystems."/nix" = {
     # device = "/dev/disk/by-uuid/985a0a32-da52-4043-9df7-615adec2e4ff";
     device = "/dev/disk/by-uuid/0ab0770b-7734-4167-88d9-6e4e20bb2a56";

hosts/by-name/lappy/default.nix

@@ -34,9 +34,6 @@
     ALLOW_USERS = [ "colin" ];
   };
 
-  # TODO: only here for debugging
-  # services.ipfs.enable = true;
-
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";
 }

hosts/by-name/lappy/fs.nix

@@ -2,15 +2,6 @@
 
 {
   sane.persist.root-on-tmpfs = true;
-  # we need a /tmp of default size (half RAM) for building large nix things
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=777"
-      "defaults"
-    ];
-  };
 
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/75230e56-2c69-4e41-b03e-68475f119980";

hosts/by-name/moby/default.nix

@@ -1,3 +1,14 @@
+# Pinephone
+# other setups to reference:
+# - <https://hamblingreen.gitlab.io/2022/03/02/my-pinephone-setup.html>
+#   - sxmo Arch user. lots of app recommendations
+#
+# wikis, resources, ...:
+# - Linux Phone Apps: <https://linuxphoneapps.org/>
+#   - massive mobile-friendly app database
+# - Mobian wiki: <https://wiki.mobian-project.org/doku.php?id=start>
+#   - recommended apps, chatrooms
+
 { config, pkgs, lib, ... }:
 {
   imports = [
@@ -8,6 +19,7 @@
   ];
 
   sane.roles.client = true;
+  sane.zsh.showDeadlines = false;  # unlikely to act on them when in shell
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
 
@@ -18,35 +30,31 @@
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
-  sane.programs.web-browser.config = {
-    # compromise impermanence for the sake of usability
-    persistCache = "private";
-    persistData = "private";
-
-    # i don't do crypto stuff on moby
-    addons.ether-metamask.enable = false;
-    # addons.sideberry.enable = false;
-  };
-
   sane.user.persist.plaintext = [
     # TODO: make this just generally conditional upon pulse being enabled?
     ".config/pulse"  # persist pulseaudio volume
   ];
 
   sane.gui.sxmo.enable = true;
+  sane.programs.guiApps.suggestedPrograms = [ "handheldGuiApps" ];
   # sane.programs.consoleUtils.enableFor.user.colin = false;
   # sane.programs.guiApps.enableFor.user.colin = false;
   sane.programs.sequoia.enableFor.user.colin = false;
   sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
-  # disabled for faster deploys (gthumb depends on webkitgtk, particularly)
+  # disabled for faster deploys
   sane.programs.soundconverter.enableFor.user.colin = false;
-  sane.programs.jellyfin-media-player.enableFor.user.colin = false;
+
+  # sane.programs.firefox.mime.priority = 300;  # prefer other browsers when possible
+  # HACK/TODO: make `programs.P.env.VAR` behave according to `mime.priority`
+  # sane.programs.firefox.env = lib.mkForce {};
+  # sane.programs.epiphany.env.BROWSER = "epiphany";
+  # sane.programs.firefox.enableFor.user.colin = false;  # use epiphany instead
+
   # sane.programs.mpv.enableFor.user.colin = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.
   # even 10 can be too much
-  # TODO: compress moby kernels!
   boot.loader.generic-extlinux-compatible.configurationLimit = 8;
   # mobile.bootloader.enable = false;
   # mobile.boot.stage-1.enable = false;
@@ -105,6 +113,50 @@
     services.wireplumber.environment.ALSA_CONFIG_UCM2         = ucm-env;
   };
 
+  services.udev.extraRules = let
+    chmod = "${pkgs.coreutils}/bin/chmod";
+    chown = "${pkgs.coreutils}/bin/chown";
+  in ''
+    # make Pinephone flashlight writable by user.
+    # taken from postmarketOS: <repo:postmarketOS/pmaports:device/main/device-pine64-pinephone/60-flashlight.rules>
+    SUBSYSTEM=="leds", DEVPATH=="*/*:flash", RUN+="${chmod} g+w /sys%p/brightness /sys%p/flash_strobe", RUN+="${chown} :video /sys%p/brightness /sys%p/flash_strobe"
+
+    # make Pinephone front LEDs writable by user.
+    SUBSYSTEM=="leds", DEVPATH=="*/*:indicator", RUN+="${chmod} g+w /sys%p/brightness", RUN+="${chown} :video /sys%p/brightness"
+  '';
 
   hardware.opengl.driSupport = true;
+
+  services.xserver.displayManager.job.preStart = let
+    dmesg = "${pkgs.util-linux}/bin/dmesg";
+    grep = "${pkgs.gnugrep}/bin/grep";
+    modprobe = "${pkgs.kmod}/bin/modprobe";
+  in ''
+    # common boot failure:
+    # blank screen (no backlight even), with the following log:
+    # ```syslog
+    # sun8i-dw-hdmi 1ee0000.hdmi: Couldn't get the HDMI PHY
+    # ...
+    # sun4i-drm display-engine: Couldn't bind all pipelines components
+    # ...
+    # sun8i-dw-hdmi: probe of 1ee0000.hdmi failed with error -17
+    # ```
+    #
+    # in particular, that `probe ... failed` occurs *only* on failed boots
+    # (the other messages might sometimes occur even on successful runs?)
+    #
+    # reloading the sun8i hdmi driver usually gets the screen on, showing boot text.
+    # then restarting display-manager.service gets us to the login.
+    #
+    # NB: the above log is default level. though less specific, there's a `err` level message that also signals this:
+    # sun4i-drm display-engine: failed to bind 1ee0000.hdmi (ops sun8i_dw_hdmi_ops [sun8i_drm_hdmi]): -17
+
+    if (${dmesg} --kernel --level err --color=never --notime | ${grep} -q 'sun4i-drm display-engine: failed to bind 1ee0000.hdmi')
+    then
+      echo "reprobing sun8i_drm_hdmi"
+      # if a command here fails it errors the whole service, so prefer to log instead
+      ${modprobe} -r sun8i_drm_hdmi || echo "failed to unload sun8i_drm_hdmi"
+      ${modprobe} sun8i_drm_hdmi || echo "failed to load sub8i_drm_hdmi"
+    fi
+  '';
 }

hosts/by-name/moby/polyfill.nix

@@ -1,21 +1,86 @@
+# this file configures preferences per program, without actually enabling any programs.
+# the goal is to separate the place where we decide *what* to use (i.e. `sane.programs.firefox.enable = true` -- at the toplevel)
+# from where we specific how that thing should behave *if* it's in use.
+#
+# NixOS backgrounds:
+# - <https://github.com/NixOS/nixos-artwork>
+# - <https://itsfoss.com/content/images/2023/04/nixos-tutorials.png>
+
 { pkgs, sane-lib, ... }:
+let
+  bg-01 = ./nixos-bg-01.png;
+in
 {
+  sane.programs.firefox.config = {
+    # compromise impermanence for the sake of usability
+    persistCache = "private";
+    persistData = "private";
+
+    # i don't do crypto stuff on moby
+    addons.ether-metamask.enable = false;
+    # sidebery UX doesn't make sense on small screen
+    addons.sidebery.enable = false;
+  };
+
   sane.gui.sxmo = {
     settings = {
-      # touch screen
+      ### hardware: touch screen
       SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-path/platform-1c2ac00.i2c-event";
       # vol and power are detected correctly by upstream
 
-      # preferences
-      # N.B. some deviceprofiles explicitly set SXMO_SWAY_SCALE, overwriting what we put here.
-      SXMO_SWAY_SCALE = "1.5";
-      SXMO_ROTATION_GRAVITY = "12800";
-      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff
+
+      ### preferences
       DEFAULT_COUNTRY = "US";
-      BROWSWER = "librewolf";
+
+      # BEMENU lines (wayland DMENU):
+      # - camera is 9th entry
+      # - flashlight is 10th entry
+      # - config is 14th entry. inside that:
+      #   - autorotate is 11th entry
+      #   - system menu is 19th entry
+      #   - close is 20th entry
+      # - power is 15th entry
+      # - close is 16th entry
+      SXMO_BEMENU_LANDSCAPE_LINES = "11";  # default 8
+      SXMO_BEMENU_PORTRAIT_LINES = "16";  # default 16
+      SXMO_BG_IMG = "${bg-01}";
+      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff (default: 8)
+      # gravity: how far to tilt the device before the screen rotates
+      # for a given setting, normal <-> invert requires more movement then left <-> right
+      # i.e. the settingd doesn't feel completely symmetric
+      # SXMO_ROTATION_GRAVITY default is 16374
+      # SXMO_ROTATION_GRAVITY = "12800";  # uncomfortably high
+      # SXMO_ROTATION_GRAVITY = "12500";    # kinda uncomfortable when walking
+      SXMO_ROTATION_GRAVITY = "12000";
+      SXMO_SCREENSHOT_DIR = "/home/colin/Pictures";  # default: "$HOME"
+      # test new scales by running `swaymsg -- output DSI-1 scale x.y`
+      # SXMO_SWAY_SCALE = "1.5";  # hard to press gPodder icons
+      SXMO_SWAY_SCALE = "1.8";
+      # SXMO_SWAY_SCALE = "2";
+      SXMO_WORKSPACE_WRAPPING = "5";  # how many workspaces. default: 4
+
+      # wvkbd layers:
+      # - full
+      # - landscape
+      # - special  (e.g. coding symbols like ~)
+      # - emoji
+      # - nav
+      # - simple  (like landscape, but no parens/tab/etc; even fewer chars)
+      # - simplegrid  (simple, but grid layout)
+      # - dialer  (digits)
+      # - cyrillic
+      # - arabic
+      # - persian
+      # - greek
+      # - georgian
+      WVKBD_LANDSCAPE_LAYERS = "landscape,special,emoji";
+      WVKBD_LAYERS = "full,special,emoji";
     };
     package = pkgs.sxmo-utils.overrideAttrs (base: {
       postPatch = (base.postPatch or "") + ''
+        # don't enable gestures at launch
+        # sed -i '/superctl start sxmo_hook_lisgd/d' ./configs/default_hooks/sxmo_hook_start.sh
+
         cat <<EOF >> ./configs/default_hooks/sxmo_hook_start.sh
         # rotate UI based on physical display angle by default
         sxmo_daemons.sh start autorotate sxmo_autorotate.sh

hosts/by-name/servo/default.nix

@@ -22,6 +22,8 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.enableWan = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
+  sane.nixcache.substituters.servo = false;
+  sane.nixcache.substituters.desko = false;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 
   # automatically log in at the virtual consoles.

hosts/by-name/servo/fs.nix

@@ -2,15 +2,6 @@
 
 {
   sane.persist.root-on-tmpfs = true;
-  # we need a /tmp for building large nix things
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=777"
-      "defaults"
-    ];
-  };
 
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/cc81cca0-3cc7-4d82-a00c-6243af3e7776";
@@ -44,7 +35,7 @@
 
   sane.persist.sys.plaintext = [
     # TODO: this is overly broad; only need media and share directories to be persisted
-    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
+    { user = "colin"; group = "users"; path = "/var/lib/uninsane"; }
   ];
   # make sure large media is stored to the HDD
   sane.persist.sys.ext = [
@@ -52,21 +43,22 @@
       user = "colin";
       group = "users";
       mode = "0777";
-      directory = "/var/lib/uninsane/media/Videos";
+      path = "/var/lib/uninsane/media/Videos";
     }
     {
       user = "colin";
       group = "users";
       mode = "0777";
-      directory = "/var/lib/uninsane/media/freeleech";
+      path = "/var/lib/uninsane/media/freeleech";
+    }
+    {
+      user = "colin";
+      group = "users";
+      mode = "0777";
+      path = "/var/lib/uninsane/media/datasets";
     }
   ];
 
-  # in-memory compressed RAM (seems to be dynamically sized)
-  # zramSwap = {
-  #   enable = true;
-  # };
-
   # btrfs doesn't easily support swapfiles
   # swapDevices = [
   #   { device = "/nix/persist/swapfile"; size = 4096; }

hosts/by-name/servo/services/calibre.nix

@@ -13,7 +13,7 @@ in
 lib.mkIf false
 {
   sane.persist.sys.plaintext = [
-    { inherit user group; mode = "0700"; directory = svc-dir; }
+    { inherit user group; mode = "0700"; path = svc-dir; }
   ];
 
   services.calibre-web.enable = true;

hosts/by-name/servo/services/ejabberd.nix

@@ -20,7 +20,7 @@
 # lib.mkIf false
 {
   sane.persist.sys.plaintext = [
-    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
+    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
   ];
   sane.ports.ports."3478" = {
     protocol = [ "tcp" "udp" ];

hosts/by-name/servo/services/email/postfix.nix

@@ -20,9 +20,9 @@ in
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
-    { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
-    { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
-    { user = "root"; group = "root"; directory = "/var/spool/mail"; }
+    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; }
+    { user = "root"; group = "root"; path = "/var/lib/postfix"; }
+    { user = "root"; group = "root"; path = "/var/spool/mail"; }
     # *probably* don't need these dirs:
     # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
     # "/var/lib/dovecot"

hosts/by-name/servo/services/freshrss.nix

@@ -16,7 +16,7 @@
     mode = "0400";
   };
   sane.persist.sys.plaintext = [
-    { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
+    { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; }
   ];
 
   services.freshrss.enable = true;

hosts/by-name/servo/services/gitea.nix

@@ -4,7 +4,7 @@
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
-    { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
+    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; }
   ];
   services.gitea.enable = true;
   services.gitea.user = "git";  # default is 'gitea'

hosts/by-name/servo/services/ipfs.nix

@@ -12,7 +12,7 @@ lib.mkIf false # i don't actively use ipfs anymore
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
-    { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
+    { user = "261"; group = "261"; path = "/var/lib/ipfs"; }
   ];
 
   networking.firewall.allowedTCPPorts = [ 4001 ];

hosts/by-name/servo/services/jackett.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
-    { user = "root"; group = "root"; directory = "/var/lib/jackett"; }
+    { user = "root"; group = "root"; path = "/var/lib/jackett"; }
   ];
   services.jackett.enable = true;
 

hosts/by-name/servo/services/jellyfin.nix

@@ -41,7 +41,7 @@
   };
 
   sane.persist.sys.plaintext = [
-    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; directory = "/var/lib/jellyfin"; }
+    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; }
   ];
   sane.fs."/var/lib/jellyfin/config/logging.json" = {
     # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>

hosts/by-name/servo/services/komga.nix

@@ -5,7 +5,7 @@ let
 in
 {
   sane.persist.sys.plaintext = [
-    { inherit user group; mode = "0700"; directory = stateDir; }
+    { inherit user group; mode = "0700"; path = stateDir; }
   ];
 
   services.komga.enable = true;

hosts/by-name/servo/services/matrix/default.nix

@@ -11,7 +11,7 @@
   ];
 
   sane.persist.sys.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
   ];
   services.matrix-synapse.enable = true;
   # this changes the default log level from INFO to WARN.

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -6,7 +6,7 @@
 lib.mkIf false
 {
   sane.persist.sys.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; }
   ];
 
   services.matrix-synapse.settings.app_service_config_files = [

hosts/by-name/servo/services/matrix/irc.nix

@@ -1,6 +1,5 @@
 # config docs:
 # - <https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml>
-# TODO: /quit message for bridged users reveals to IRC users that i'm using a bridge;
 #       probably want to remove that.
 { config, lib, ... }:
 
@@ -104,7 +103,7 @@ in
 
   sane.persist.sys.plaintext = [
     # TODO: mode?
-    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; directory = "/var/lib/matrix-appservice-irc"; }
+    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; }
   ];
 
   # XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,

hosts/by-name/servo/services/matrix/signal.nix

@@ -3,8 +3,8 @@
 { config, pkgs, ... }:
 {
   sane.persist.sys.plaintext = [
-    { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
-    { user = "signald"; group = "signald"; directory = "/var/lib/signald"; }
+    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; }
+    { user = "signald"; group = "signald"; path = "/var/lib/signald"; }
   ];
 
   # allow synapse to read the registration file

hosts/by-name/servo/services/navidrome.nix

@@ -2,7 +2,7 @@
 
 {
   sane.persist.sys.plaintext = [
-    { user = "navidrome"; group = "navidrome"; directory = "/var/lib/navidrome"; }
+    { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; }
   ];
   services.navidrome.enable = true;
   services.navidrome.settings = {

hosts/by-name/servo/services/nginx.nix

@@ -101,7 +101,8 @@ in
     };
 
     # allow ActivityPub clients to discover how to reach @user@uninsane.org
-    # TODO: waiting on https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3361/
+    # see: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3361/
+    # not sure this makes sense while i run multiple AP services (pleroma, lemmy)
     # locations."/.well-known/nodeinfo" = {
     #   proxyPass = "http://127.0.0.1:4000";
     #   extraConfig = pleromaExtraConfig;
@@ -134,8 +135,8 @@ in
 
   sane.persist.sys.plaintext = [
     # TODO: mode?
-    { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
-    { user = "colin"; group = "users"; directory = "/var/www/sites"; }
+    { user = "acme"; group = "acme"; path = "/var/lib/acme"; }
+    { user = "colin"; group = "users"; path = "/var/www/sites"; }
   ];
 
   # let's encrypt default chain looks like:

hosts/by-name/servo/services/pict-rs.nix

@@ -6,7 +6,7 @@ let
 in
 {
   sane.persist.sys.plaintext = lib.mkIf cfg.enable [
-    { user = "pict-rs"; group = "pict-rs"; directory = cfg.dataDir; }
+    { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; }
   ];
 
   systemd.services.pict-rs.serviceConfig = {

hosts/by-name/servo/services/pleroma.nix

@@ -1,16 +1,21 @@
 # docs:
-# - https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
-# - https://docs.pleroma.social/backend/configuration/cheatsheet/
+# - <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix>
+# - <https://docs.pleroma.social/backend/configuration/cheatsheet/>
+# example config:
+# - <https://git.pleroma.social/pleroma/pleroma/-/blob/develop/config/config.exs>
 #
-# to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
+# to run it in a oci-container: <https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix>
 #
 # admin frontend: <https://fed.uninsane.org/pleroma/admin>
 { config, pkgs, ... }:
 
+let
+  logLevel = "warn";
+  # logLevel = "debug";
+in
 {
   sane.persist.sys.plaintext = [
-    # TODO: mode? could be more granular
-    { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
+    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; }
   ];
   services.pleroma.enable = true;
   services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
@@ -98,8 +103,18 @@
       backends: [{ExSyslogger, :ex_syslogger}]
 
     config :logger, :ex_syslogger,
-      level: :warn
-    #  level: :debug
+      level: :${logLevel}
+
+    # policies => list of message rewriting facilities to be enabled
+    # transparence => whether to publish these rules in node_info (and /about)
+    config :pleroma, :mrf,
+      policies: [Pleroma.Web.ActivityPub.MRF.SimplePolicy],
+      transparency: true
+
+    # reject => { host, reason }
+    config :pleroma, :mrf_simple,
+      reject: [ {"threads.net", "megacorp"}, {"*.threads.net", "megacorp"} ]
+      # reject: [ [host: "threads.net", reason: "megacorp"], [host: "*.threads.net", reason: "megacorp"] ]
 
     # XXX colin: not sure if this actually _does_ anything
     # better to steal emoji from other instances?
@@ -152,6 +167,7 @@
     # inherit kTLS;
     locations."/" = {
       proxyPass = "http://127.0.0.1:4000";
+      recommendedProxySettings = true;
       # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
       extraConfig = ''
         # XXX colin: this block is in the nixos examples: i don't understand all of it
@@ -170,17 +186,18 @@
         add_header Referrer-Policy same-origin;
         add_header X-Download-Options noopen;
 
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        # proxy_set_header Host $http_host;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # proxy_http_version 1.1;
+        # proxy_set_header Upgrade $http_upgrade;
+        # proxy_set_header Connection "upgrade";
+        # # proxy_set_header Host $http_host;
+        # proxy_set_header Host $host;
+        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
         # colin: added this due to Pleroma complaining in its logs
         # proxy_set_header X-Real-IP $remote_addr;
         # proxy_set_header X-Forwarded-Proto $scheme;
 
+        # NB: this defines the maximum upload size
         client_max_body_size 16m;
       '';
     };

hosts/by-name/servo/services/postgres.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.plaintext = [
     # TODO: mode?
-    { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; }
   ];
   services.postgresql.enable = true;
   # services.postgresql.dataDir = "/opt/postgresql/13";

hosts/by-name/servo/services/prosody.nix

@@ -10,7 +10,7 @@
 lib.mkIf false
 {
   sane.persist.sys.plaintext = [
-    { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
+    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; }
   ];
   sane.ports.ports."5222" = {
     protocol = [ "tcp" ];

hosts/by-name/servo/services/transmission.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
+    { user = "transmission"; group = "transmission"; path = "/var/lib/transmission"; }
   ];
   services.transmission.enable = true;
   services.transmission.settings = {

hosts/by-name/servo/services/trust-dns.nix

@@ -1,16 +1,18 @@
 { config, lib, pkgs, ... }:
 
 {
-  sane.services.trust-dns.enable = true;
+  services.trust-dns.enable = true;
 
-  sane.services.trust-dns.settings.listen_addrs_ipv4 = [
+  services.trust-dns.settings.listen_addrs_ipv4 = [
     # specify each address explicitly, instead of using "*".
     # this ensures responses are sent from the address at which the request was received.
     config.sane.hosts.by-name."servo".lan-ip
     "10.0.1.5"
   ];
-  sane.services.trust-dns.quiet = true;
-  # sane.services.trust-dns.debug = true;
+  # don't bind to IPv6 until i explicitly test that stack
+  services.trust-dns.settings.listen_addrs_ipv6 = [];
+  services.trust-dns.quiet = true;
+  # services.trust-dns.debug = true;
 
   sane.ports.ports."53" = {
     protocol = [ "udp" "tcp" ];
@@ -59,15 +61,9 @@
     ];
   };
 
-  # we need trust-dns to load our zone by relative path instead of /nix/store path
-  # because we generate it at runtime.
-  sane.services.trust-dns.settings.zones = [
-    {
-      zone = "uninsane.org";
-    }
-  ];
+  services.trust-dns.settings.zones = [ "uninsane.org" ];
 
-  sane.services.trust-dns.package =
+  services.trust-dns.package =
     let
       sed = "${pkgs.gnused}/bin/sed";
       zone-dir = "/var/lib/trust-dns";
@@ -104,6 +100,17 @@
       exit 1
     '';
 
+  systemd.services.trust-dns.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "trust-dns";
+    Group = "trust-dns";
+  };
+  users.groups.trust-dns = {};
+  users.users.trust-dns = {
+    group = "trust-dns";
+    isSystemUser = true;
+  };
+
   sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
 
   networking.nat.enable = true;

hosts/common/default.nix

@@ -23,9 +23,6 @@
   sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
   sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
 
-  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
-  sane.fs."/var/lib/private".dir.acl.mode = "0700";
-
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.allowBroken = true;  # NIXPKGS_ALLOW_BROKEN
 
@@ -60,36 +57,22 @@
     ManagedOOMSwap = "kill";
   };
 
-  # TODO: move this to gui machines only
-  fonts = {
-    enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
-    fontconfig.enable = true;
-    fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
-      monospace = [ "Hack" ];
-      serif = [ "DejaVu Serif" ];
-      sansSerif = [ "DejaVu Sans" ];
-    };
-  };
 
-  # XXX: twitter-color-emoji doesn't cross-compile; but not-fonts-emoji does
-  # fonts = {
-  #   enableDefaultFonts = true;
-  #   fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
-  #   fontconfig.enable = true;
-  #   fontconfig.defaultFonts = {
-  #     emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
-  #     monospace = [ "Hack" ];
-  #     serif = [ "DejaVu Serif" ];
-  #     sansSerif = [ "DejaVu Sans" ];
-  #   };
-  # };
+  system.activationScripts.nixClosureDiff = {
+    supportsDryActivation = true;
+    text = ''
+      # show which packages changed versions or are new/removed in this upgrade
+      # source: <https://github.com/luishfonseca/dotfiles/blob/32c10e775d9ec7cc55e44592a060c1c9aadf113e/modules/upgrade-diff.nix>
+      ${pkgs.nvd}/bin/nvd --nix-bin-dir=${pkgs.nix}/bin diff /run/current-system "$systemConfig"
+    '';
+  };
 
   # disable non-required packages like nano, perl, rsync, strace
   environment.defaultPackages = [];
 
   # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
+  # this lets programs temporarily write user-level dconf settings (aka gsettings).
+  # they're written to ~/.config/dconf/user, unless `DCONF_PROFILE` is set to something other than the default of /etc/dconf/profile/user
   # find keys/values with `dconf dump /`
   programs.dconf.enable = true;
   programs.dconf.packages = [
@@ -102,6 +85,7 @@
       '';
     })
   ];
+  # sane.programs.glib.enableFor.user.colin = true;  # for `gsettings`
 
   # link debug symbols into /run/current-system/sw/lib/debug
   # hopefully picked up by gdb automatically?

hosts/common/feeds.nix

@@ -124,7 +124,7 @@ let
   texts = [
     # AGGREGATORS (> 1 post/day)
     (fromDb "lwn.net" // tech)
-    (fromDb "lesswrong.com" // rat)
+    # (fromDb "lesswrong.com" // rat)
     # (fromDb "econlib.org" // pol)
 
     # AGGREGATORS (< 1 post/day)
@@ -166,10 +166,11 @@ let
     (fromDb "ianthehenry.com" // tech)
     (fromDb "bitbashing.io" // tech)
     (fromDb "idiomdrottning.org" // uncat)
+    (mkText "http://boginjr.com/feed" // tech // infrequent)
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
     (fromDb "jefftk.com" // tech)
     (fromDb "pomeroyb.com" // tech)
-    (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
+    # (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
 
     # TECH PROJECTS
     (fromDb "blog.rust-lang.org" // tech)

hosts/common/fs.nix

@@ -57,6 +57,37 @@ let fsOpts = rec {
 };
 in
 {
+  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
+  sane.fs."/var/lib/private".dir.acl.mode = "0700";
+
+  # in-memory compressed RAM
+  # defaults to compressing at most 50% size of RAM
+  # claimed compression ratio is about 2:1
+  # - but on moby w/ zstd default i see 4-7:1  (ratio lowers as it fills)
+  # note that idle overhead is about 0.05% of capacity (e.g. 2B per 4kB page)
+  # docs: <https://www.kernel.org/doc/Documentation/blockdev/zram.txt>
+  #
+  # to query effectiveness:
+  # `cat /sys/block/zram0/mm_stat`. whitespace separated fields:
+  # - *orig_data_size*  (bytes)
+  # - *compr_data_size* (bytes)
+  # - mem_used_total    (bytes)
+  # - mem_limit         (bytes)
+  # - mem_used_max      (bytes)
+  # - *same_pages*  (pages which are e.g. all zeros (consumes no additional mem))
+  # - *pages_compacted*  (pages which have been freed thanks to compression)
+  # - huge_pages  (incompressible)
+  #
+  # see also:
+  # - `man zramctl`
+  zramSwap.enable = true;
+  # how much ram can be swapped into the zram device.
+  # this shouldn't be higher than the observed compression ratio.
+  # the default is 50% (why?)
+  # 100% should be "guaranteed" safe so long as the data is even *slightly* compressible.
+  # but it decreases working memory under the heaviest of loads by however much space the compressed memory occupies (e.g. 50% if 2:1; 25% if 4:1)
+  zramSwap.memoryPercent = 100;
+
   # fileSystems."/mnt/servo-nfs" = {
   #   device = "servo-hn:/";
   #   noCheck = true;
@@ -77,34 +108,6 @@ in
   # };
   sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
 
-  fileSystems."/mnt/servo-media-wan" = {
-    device = "colin@uninsane.org:/var/lib/uninsane/media";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshColin ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/servo-media-wan" = sane-lib.fs.wantedDir;
-  fileSystems."/mnt/servo-media-lan" = {
-    device = "colin@servo:/var/lib/uninsane/media";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshColin ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/servo-media-lan" = sane-lib.fs.wantedDir;
-  fileSystems."/mnt/servo-root-wan" = {
-    device = "colin@uninsane.org:/";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshRoot ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/servo-root-wan" = sane-lib.fs.wantedDir;
-  fileSystems."/mnt/servo-root-lan" = {
-    device = "colin@servo:/";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshRoot ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/servo-root-lan" = sane-lib.fs.wantedDir;
   fileSystems."/mnt/desko-home" = {
     device = "colin@desko:/home/colin";
     fsType = "fuse.sshfs";

hosts/common/home/default.nix

@@ -1,7 +1,7 @@
 { ... }:
 {
   imports = [
-    ./keyring.nix
+    ./keyring
     ./mime.nix
     ./ssh.nix
     ./xdg-dirs.nix

hosts/common/home/keyring/default.nix

@@ -1,11 +1,16 @@
-{ config, sane-lib, ... }:
+{ config, pkgs, sane-lib, ... }:
 
+let
+  init-keyring = pkgs.static-nix-shell.mkBash {
+    pname = "init-keyring";
+    src = ./.;
+  };
+in
 {
   sane.user.persist.private = [ ".local/share/keyrings" ];
 
   sane.user.fs."private/.local/share/keyrings/default" = {
-    generated.script.script = builtins.readFile ../../../scripts/init-keyring;
-    # TODO: is this `wantedBy` needed? can we inherit it?
+    generated.command = [ "${init-keyring}/bin/init-keyring" ];
     wantedBy = [ config.sane.fs."/home/colin/private".unit ];
     wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
   };

hosts/common/home/keyring/init-keyring

@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
 # initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
 # this initializes it to be plaintext/unencrypted.
 

hosts/common/home/mime.nix

@@ -1,46 +1,28 @@
-{ config, sane-lib, ...}:
+{ config, lib, ...}:
 
 let
-  # TODO: should move all of this into `sane.programs` to not ship broken associations
-  www = config.sane.programs.web-browser.config.browser.desktop;
-  pdf = "org.gnome.Evince.desktop";
-  md = "obsidian.desktop";
-  thumb = "org.gnome.gThumb.desktop";
-  video = "vlc.desktop";
-  # audio = "mpv.desktop";
-  audio = "vlc.desktop";
-  email = "aerc.desktop";
+  # ProgramConfig -> { "<mime-type>" = { priority, desktop }; }
+  weightedMimes = prog: builtins.mapAttrs (_key: desktop: { priority = prog.mime.priority; desktop = desktop; }) prog.mime.associations;
+  # [ { "<mime-type>" = { priority, desktop } ]; } ] -> { "<mime-type>" = [ { priority, desktop } ... ]; }
+  mergeMimes = mimes: lib.foldAttrs (item: acc: [item] ++ acc) [] mimes;
+  # [ { priority, desktop } ... ] -> Self
+  sortOneMimeType = associations: builtins.sort (l: r: assert l.priority != r.priority; l.priority < r.priority) associations;
+  sortMimes = mimes: builtins.mapAttrs (_k: sortOneMimeType) mimes;
+  removePriorities = mimes: builtins.mapAttrs (_k: associations: builtins.map (a: a.desktop) associations) mimes;
+
+  # [ ProgramConfig ]
+  enabledPrograms = builtins.filter (p: p.enabled) (builtins.attrValues config.sane.programs);
+  # [ { "<mime-type>" = { prority, desktop } ]
+  enabledWeightedMimes = builtins.map weightedMimes enabledPrograms;
 in
 {
-
   # the xdg mime type for a file can be found with:
   # - `xdg-mime query filetype path/to/thing.ext`
+  # the default handler for a mime type can be found with:
+  # - `xdg-mime query default <mimetype>`  (e.g. x-scheme-handler/http)
+  #
   # we can have single associations or a list of associations.
   # there's also options to *remove* [non-default] associations from specific apps
   xdg.mime.enable = true;
-  xdg.mime.defaultApplications = {
-    # AUDIO
-    "audio/flac" = audio;
-    "audio/mpeg" = audio;
-    "audio/x-vorbis+ogg" = audio;
-    # IMAGES
-    "image/heif" = thumb;  # apple codec
-    "image/png" = thumb;
-    "image/jpeg" = thumb;
-    # VIDEO
-    "video/mp4" = video;
-    "video/quicktime" = video;
-    "video/webm" = video;
-    "video/x-matroska" = video;
-    # HTML
-    "text/html" = www;
-    "x-scheme-handler/http" = www;
-    "x-scheme-handler/https" = www;
-    "x-scheme-handler/about" = www;
-    "x-scheme-handler/unknown" = www;
-    # RICH-TEXT DOCUMENTS
-    "application/pdf" = pdf;
-    "text/markdown" = md;
-    "x-scheme-handler/mailto" = email;
-  };
+  xdg.mime.defaultApplications = removePriorities (sortMimes (mergeMimes enabledWeightedMimes));
 }

hosts/common/home/ssh.nix

@@ -1,26 +1,29 @@
-{ config, lib, sane-lib, ... }:
+# TODO: this should be moved to users/colin.nix
+{ config, lib, ... }:
 
-with lib;
 let
   host = config.networking.hostName;
   user-pubkey-full = config.sane.ssh.pubkeys."colin@${host}" or {};
   user-pubkey = user-pubkey-full.asUserKey or null;
-  host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
-  known-hosts-text = concatStringsSep
+  host-keys = lib.filter (k: k.user == "root") (lib.attrValues config.sane.ssh.pubkeys);
+  known-hosts-text = lib.concatStringsSep
     "\n"
-    (map (k: k.asHostKey) host-keys)
+    (builtins.map (k: k.asHostKey) host-keys)
   ;
 in
 {
   # ssh key is stored in private storage
-  sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.user.fs.".ssh/id_ed25519.pub" =
-    mkIf (user-pubkey != null) (sane-lib.fs.wantedText user-pubkey);
-  sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
+  sane.user.persist.private = [
+    { type = "file"; path = ".ssh/id_ed25519"; }
+  ];
+  sane.user.fs.".ssh/id_ed25519.pub" = lib.mkIf (user-pubkey != null) {
+    symlink.text = user-pubkey;
+  };
+  sane.user.fs.".ssh/known_hosts".symlink.text = known-hosts-text;
 
   users.users.colin.openssh.authorizedKeys.keys =
   let
-    user-keys = filter (k: k.user == "colin") (attrValues config.sane.ssh.pubkeys);
+    user-keys = lib.filter (k: k.user == "colin") (lib.attrValues config.sane.ssh.pubkeys);
   in
-    map (k: k.asUserKey) user-keys;
+    builtins.map (k: k.asUserKey) user-keys;
 }

hosts/common/home/xdg-dirs.nix

@@ -1,9 +1,9 @@
-{ lib, sane-lib, ...}:
+{ ... }:
 
 {
   # XDG defines things like ~/Desktop, ~/Downloads, etc.
   # these clutter the home, so i mostly don't use them.
-  sane.user.fs.".config/user-dirs.dirs" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/user-dirs.dirs".symlink.text = ''
     XDG_DESKTOP_DIR="$HOME/.xdg/Desktop"
     XDG_DOCUMENTS_DIR="$HOME/dev"
     XDG_DOWNLOAD_DIR="$HOME/tmp"
@@ -16,5 +16,5 @@
 
   # prevent `xdg-user-dirs-update` from overriding/updating our config
   # see <https://manpages.ubuntu.com/manpages/bionic/man5/user-dirs.conf.5.html>
-  sane.user.fs.".config/user-dirs.conf" = sane-lib.fs.wantedText "enabled=False";
+  sane.user.fs.".config/user-dirs.conf".symlink.text = "enabled=False";
 }

hosts/common/ids.nix

@@ -42,6 +42,8 @@
   sane.ids.pict-rs.gid = 2409;
   sane.ids.sftpgo.uid = 2410;
   sane.ids.sftpgo.gid = 2410;
+  sane.ids.trust-dns.uid = 2411;
+  sane.ids.trust-dns.gid = 2411;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net.nix

@@ -11,15 +11,15 @@
   # - `man iwd.config`  for global config
   # - `man iwd.network` for per-SSID config
   # use `iwctl` to control
-  networking.networkmanager.wifi.backend = "iwd";
-  networking.wireless.iwd.enable = true;
-  networking.wireless.iwd.settings = {
-    # auto-connect to a stronger network if signal drops below this value
-    # bedroom -> bedroom connection is -35 to -40 dBm
-    # bedroom -> living room connection is -60 dBm
-    General.RoamThreshold = "-52";  # default -70
-    General.RoamThreshold5G = "-52";  # default -76
-  };
+  # networking.networkmanager.wifi.backend = "iwd";
+  # networking.wireless.iwd.enable = true;
+  # networking.wireless.iwd.settings = {
+  #   # auto-connect to a stronger network if signal drops below this value
+  #   # bedroom -> bedroom connection is -35 to -40 dBm
+  #   # bedroom -> living room connection is -60 dBm
+  #   General.RoamThreshold = "-52";  # default -70
+  #   General.RoamThreshold5G = "-52";  # default -76
+  # };
 
   # plugins mostly add support for establishing different VPN connections.
   # the default plugin set includes mostly proprietary VPNs:
@@ -38,4 +38,10 @@
   networking.firewall.allowedUDPPorts = [
     1900  # to received UPnP advertisements. required by sane-ip-check-upnp
   ];
+
+  # keyfile.path = where networkmanager should look for connection credentials
+  networking.networkmanager.extraConfig = ''
+    [keyfile]
+    path=/var/lib/NetworkManager/system-connections
+  '';
 }

hosts/common/persist.nix

@@ -6,13 +6,11 @@
   sane.persist.stores.private.prefix = "/home/colin";
 
   sane.persist.sys.plaintext = [
+    # TODO: these should be private.. somehow
     "/var/log"
     "/var/backup"  # for e.g. postgres dumps
-    # TODO: move elsewhere
-    "/var/lib/alsa"                # preserve output levels, default devices
-    "/var/lib/colord"              # preserve color calibrations (?)
-    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
-    "/var/lib/systemd/backlight"   # backlight brightness
+  ];
+  sane.persist.sys.cryptClearOnBoot = [
     "/var/lib/systemd/coredump"
   ];
 }

hosts/common/programs/aerc.nix

@@ -2,5 +2,8 @@
 { ... }:
 
 {
-  sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
+  sane.programs.aerc = {
+    secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
+    mime.associations."x-scheme-handler/mailto" = "aerc.desktop";
+  };
 }

hosts/common/programs/assorted.nix

@@ -1,392 +1,232 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 
-let
-  inherit (builtins) attrNames;
-
-  flattenedPkgs = pkgs // (with pkgs; {
-    # XXX can't `inherit` a nested attr, so we move them to the toplevel
-    "cacert.unbundled" = pkgs.cacert.unbundled;
-    "gnome.cheese" = gnome.cheese;
-    "gnome.dconf-editor" = gnome.dconf-editor;
-    "gnome.file-roller" = gnome.file-roller;
-    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
-    "gnome.gnome-maps" = gnome.gnome-maps;
-    "gnome.nautilus" = gnome.nautilus;
-    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
-    "gnome.gnome-terminal" = gnome.gnome-terminal;
-    "gnome.gnome-weather" = gnome.gnome-weather;
-    "gnome.totem" = gnome.totem;
-    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
-  });
-
-  sysadminPkgs = {
-    inherit (flattenedPkgs)
-      btrfs-progs
-      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
-      cryptsetup
-      dig
-      efibootmgr
-      fatresize
-      fd
-      file
-      gawk
-      git
-      gptfdisk
-      hdparm
-      htop
-      iftop
-      inetutils  # for telnet
-      iotop
-      iptables
-      jq
-      killall
-      lsof
-      miniupnpc
-      nano
-      neovim
-      netcat
-      nethogs
-      nmap
-      openssl
-      parted
-      pciutils
-      powertop
-      pstree
-      ripgrep
-      screen
-      smartmontools
-      socat
-      strace
-      subversion
-      tcpdump
-      tree
-      usbutils
-      wget
-      wirelesstools  # iwlist
-    ;
-  };
-  sysadminExtraPkgs = {
-    # application-specific packages
-    inherit (pkgs)
-      backblaze-b2
-      duplicity
-      sqlite  # to debug sqlite3 databases
-    ;
-  };
-
-  iphonePkgs = {
-    inherit (pkgs)
-      ifuse
-      ipfs
-      libimobiledevice
-    ;
-  };
-
-  tuiPkgs = {
-    inherit (pkgs)
-      aerc  # email client
-      msmtp  # sendmail
-      offlineimap  # email mailox sync
-      sfeed  # RSS fetcher
-      visidata  # TUI spreadsheet viewer/editor
-      w3m
-    ;
-  };
-
-  consoleMediaPkgs = {
-    inherit (pkgs)
-      ffmpeg
-      imagemagick
-      sox
-      yt-dlp
-    ;
-  };
-  # TODO: split these into smaller groups.
-  # - moby doesn't want a lot of these.
-  # - categories like
-  #   - dev?
-  #   - debugging?
-  consolePkgs = {
-    inherit (pkgs)
-      alsaUtils  # for aplay, speaker-test
-      # cdrtools
-      clinfo
-      dmidecode
-      efivar
-      # flashrom
-      fwupd
-      gh  # MS GitHub cli
-      git  # needed as a user package, for config.
-      # gnupg
-      # gocryptfs
-      # gopass
-      # gopass-jsonapi
-      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libsecret  # for managing user keyrings. TODO: what needs this? lift into the consumer
-      lm_sensors  # for sensors-detect. TODO: what needs this? lift into the consumer
-      lshw
-      # memtester
-      neovim  # needed as a user package, for swap persistence
-      # nettools
-      # networkmanager
-      nix-index
-      nixpkgs-review
-      # nixos-generators
-      nmon
-      # node2nix
-      # oathToolkit  # for oathtool
-      # ponymix
-      pulsemixer
-      python3
-      ripgrep  # needed as a user package so that its user-level config file can be installed
-      rsync
-      # python3Packages.eyeD3  # music tagging
-      sane-scripts
-      sequoia
-      snapper
-      sops
-      speedtest-cli
-      # ssh-to-age
-      sudo
-      # tageditor  # music tagging
-      unar
-      wireguard-tools
-      xdg-terminal-exec
-      xdg-utils  # for xdg-open
-      # yarn
-      zsh
-    ;
-  };
-
-  guiPkgs = {
-    inherit (flattenedPkgs)
-      # celluloid  # mpv frontend
-      cozy  # audiobook player
-      # emote
-      evince  # works on phosh
-
-      # { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
-
-      # foliate  # e-book reader
-
-      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
-      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
-      # then reboot (so that libsecret daemon re-loads the keyring...?)
-      # { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
-      # { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
-
-      # "gnome.cheese"
-      # gnome-feeds  # RSS reader (with claimed mobile support)
-      "gnome.file-roller"
-      # "gnome.gnome-maps"  # works on phosh
-      "gnome.nautilus"
-      # gnome-podcasts
-      # "gnome.gnome-system-monitor"
-      # "gnome.gnome-terminal"  # works on phosh
-      # "gnome.gnome-weather"
-      gpodder
-      gthumb
-      jellyfin-media-player
-      komikku
-      koreader
-      lemoa  # lemmy app
-      # lollypop
-      mepo  # maps viewer
-      # mpv
-      # networkmanagerapplet
-      # newsflash
-      nheko
-      pavucontrol
-      # picard  # music tagging
-      # "libsForQt5.plasmatube"  # Youtube player
-      soundconverter
-      # sublime-music
-      # tdesktop  # broken on phosh
-      # tokodon
-      tuba  # mastodon/pleroma client (stores pw in keyring)
-      vlc
-      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
-      # whalebird
-      xterm  # broken on phosh
-    ;
-  };
-  desktopGuiPkgs = {
-    inherit (flattenedPkgs)
-      audacity
-      brave  # for the integrated wallet -- as a backup
-      chromium
-      dino
-      electrum
-      element-desktop
-      # font-manager  #< depends on webkitgtk4_0 (expensive to build)
-      gajim  # XMPP client
-      gimp  # broken on phosh
-      "gnome.dconf-editor"
-      "gnome.gnome-disk-utility"
-      # "gnome.totem"  # video player, supposedly supports UPnP
-      handbrake
-      hase
-      inkscape
-      kdenlive
-      kid3  # audio tagging
-      krita
-      libreoffice-fresh
-      mumble
-      obsidian
-      slic3r
-      steam
-      wireshark  # could maybe ship the cli as sysadmin pkg
-    ;
-  };
-  x86GuiPkgs = {
-    inherit (pkgs)
-      discord
-
-      # kaiteki  # Pleroma client
-      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
-      # gpt2tc  # XXX: unreliable mirror
-
-      # logseq  # Personal Knowledge Management
-      losslesscut-bin
-      makemkv
-      monero-gui
-      signal-desktop
-      spotify
-      tor-browser-bundle-bin
-      zecwallet-lite
-    ;
-  };
-
-  # packages not part of any package set; not enabled by default
-  otherPkgs = {
-    inherit (pkgs)
-      lemmy-server
-      mx-sanebot
-      stepmania
-    ;
-  };
-
-  # define -- but don't enable -- the packages in some attrset.
-  declarePkgs = pkgsAsAttrs: lib.mapAttrs (_n: p: {
-    # no need to actually define the package here: it's defaulted
-    # package = mkDefault p;
-  }) pkgsAsAttrs;
-in
 {
-  sane.programs = lib.mkMerge [
-    (declarePkgs consoleMediaPkgs)
-    (declarePkgs consolePkgs)
-    (declarePkgs desktopGuiPkgs)
-    (declarePkgs guiPkgs)
-    (declarePkgs iphonePkgs)
-    (declarePkgs sysadminPkgs)
-    (declarePkgs sysadminExtraPkgs)
-    (declarePkgs tuiPkgs)
-    (declarePkgs x86GuiPkgs)
-    (declarePkgs otherPkgs)
-    {
-      # link the various package sets into their own meta packages
-      consoleMediaUtils = {
-        package = null;
-        suggestedPrograms = attrNames consoleMediaPkgs;
-      };
-      consoleUtils = {
-        package = null;
-        suggestedPrograms = attrNames consolePkgs;
-      };
-      desktopGuiApps = {
-        package = null;
-        suggestedPrograms = attrNames desktopGuiPkgs;
-      };
-      guiApps = {
-        package = null;
-        suggestedPrograms = (attrNames guiPkgs)
-          ++ [ "web-browser" ]
-          ++ [ "tuiApps" ]
-          ++ lib.optional (pkgs.system == "x86_64-linux") "x86GuiApps";
-      };
-      iphoneUtils = {
-        package = null;
-        suggestedPrograms = attrNames iphonePkgs;
-      };
-      sysadminUtils = {
-        package = null;
-        suggestedPrograms = attrNames sysadminPkgs;
-      };
-      sysadminExtraUtils = {
-        package = null;
-        suggestedPrograms = attrNames sysadminExtraPkgs;
-      };
-      tuiApps = {
-        package = null;
-        suggestedPrograms = attrNames tuiPkgs;
-      };
-      x86GuiApps = {
-        package = null;
-        suggestedPrograms = attrNames x86GuiPkgs;
-      };
-    }
-    {
-      # nontrivial package definitions
-
-      dino.persist.private = [ ".local/share/dino" ];
-
-      # creds, but also 200 MB of node modules, etc
-      discord.persist.private = [ ".config/discord" ];
-
-      # creds/session keys, etc
-      element-desktop.persist.private = [ ".config/Element" ];
-
-      # `emote` will show a first-run dialog based on what's in this directory.
-      # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
-      # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
-      emote.persist.plaintext = [ ".local/share/Emote" ];
-
-      # MS GitHub stores auth token in .config
-      # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
-      gh.persist.private = [ ".config/gh" ];
-
-      # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
-      # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
-      monero-gui.persist.plaintext = [ ".bitmonero" ];
-
-      mumble.persist.private = [ ".local/share/Mumble" ];
-
-      # not strictly necessary, but allows caching articles; offline use, etc.
-      nheko.persist.private = [
-        ".config/nheko"  # config file (including client token)
-        ".cache/nheko"  # media cache
-        ".local/share/nheko"  # per-account state database
+  sane.programs = {
+    # PACKAGE SETS
+    sysadminUtils = {
+      package = null;
+      suggestedPrograms = [
+        "btrfs-progs"
+        "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+        "cryptsetup"
+        "dig"
+        "efibootmgr"
+        "fatresize"
+        "fd"
+        "file"
+        "gawk"
+        "git"
+        "gptfdisk"
+        "hdparm"
+        "htop"
+        "iftop"
+        "inetutils"  # for telnet
+        "iotop"
+        "iptables"
+        "jq"
+        "killall"
+        "lsof"
+        "miniupnpc"
+        "nano"
+        #  "ncdu"  # ncurses disk usage. doesn't cross compile (zig)
+        "neovim"
+        "netcat"
+        "nethogs"
+        "nmap"
+        "openssl"
+        "parted"
+        "pciutils"
+        "powertop"
+        "pstree"
+        "ripgrep"
+        "screen"
+        "smartmontools"
+        "socat"
+        "strace"
+        "subversion"
+        "tcpdump"
+        "tree"
+        "usbutils"
+        "wget"
+        "wirelesstools"  # iwlist
       ];
+    };
+    sysadminExtraUtils = {
+      package = null;
+      suggestedPrograms = [
+        "backblaze-b2"
+        "duplicity"
+        "sqlite"  # to debug sqlite3 databases
+      ];
+    };
 
-      # settings (electron app)
-      obsidian.persist.plaintext = [ ".config/obsidian" ];
+    # TODO: split these into smaller groups.
+    # - moby doesn't want a lot of these.
+    # - categories like
+    #   - dev?
+    #   - debugging?
+    consoleUtils = {
+      package = null;
+      suggestedPrograms = [
+        "alsaUtils"  # for aplay, speaker-test
+        # "cdrtools"
+        "clinfo"
+        "dmidecode"
+        "efivar"
+        # "flashrom"
+        "fwupd"
+        "gh"  # MS GitHub cli
+        "git"  # needed as a user package, for config.
+        # "gnupg"
+        # "gocryptfs"
+        # "gopass"
+        # "gopass-jsonapi"
+        "helix"  # text editor
+        "kitty"  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
+        "libsecret"  # for managing user keyrings. TODO: what needs this? lift into the consumer
+        "lm_sensors"  # for sensors-detect. TODO: what needs this? lift into the consumer
+        "lshw"
+        # "memtester"
+        "neovim"  # needed as a user package, for swap persistence
+        # "nettools"
+        # "networkmanager"
+        "nix-index"
+        "nixpkgs-review"
+        # "nixos-generators"
+        "nmon"
+        # "node2nix"
+        # "oathToolkit"  # for oathtool
+        # "ponymix"
+        "pulsemixer"
+        "python3"
+        # "python3Packages.eyeD3"  # music tagging
+        "ripgrep"  # needed as a user package so that its user-level config file can be installed
+        "rsync"
+        "sane-scripts"
+        "sequoia"
+        "snapper"
+        "sops"
+        "speedtest-cli"
+        # "ssh-to-age"
+        "sudo"
+        # "tageditor"  # music tagging
+        "unar"
+        "wireguard-tools"
+        "xdg-terminal-exec"
+        "xdg-utils"  # for xdg-open
+        # "yarn"
+        "zsh"
+      ];
+    };
 
-      # creds, media
-      signal-desktop.persist.private = [ ".config/Signal" ];
+    consoleMediaUtils = {
+      package = null;
+      suggestedPrograms = [
+        "ffmpeg"
+        "imagemagick"
+        "sox"
+        "yt-dlp"
+      ];
+    };
 
-      # printer/filament settings
-      slic3r.persist.plaintext = [ ".Slic3r" ];
+    tuiApps = {
+      package = null;
+      suggestedPrograms = [
+        "aerc"  # email client
+        "msmtp"  # sendmail
+        "offlineimap"  # email mailox sync
+        "sfeed"  # RSS fetcher
+        "visidata"  # TUI spreadsheet viewer/editor
+        "w3m"  # web browser
+      ];
+    };
 
-      # creds, widevine .so download. TODO: could easily manage these statically.
-      spotify.persist.plaintext = [ ".config/spotify" ];
+    iphoneUtils = {
+      package = null;
+      suggestedPrograms = [
+        "ifuse"
+        "ipfs"
+        "libimobiledevice"
+      ];
+    };
 
-      tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
+    devPkgs = {
+      package = null;
+      suggestedPrograms = [
+        "clang"
+        "nodejs"
+        "tree-sitter"
+      ];
+    };
 
-      tokodon.persist.private = [ ".cache/KDE/tokodon" ];
 
-      # hardenedMalloc solves a crash at startup
-      # TODO 2023/02/02: is this safe to remove yet?
-      tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
-        useHardenedMalloc = false;
-      };
+    # INDIVIDUAL PACKAGE DEFINITIONS
 
-      whalebird.persist.private = [ ".config/Whalebird" ];
+    dino.persist.private = [ ".local/share/dino" ];
 
-      yarn.persist.plaintext = [ ".cache/yarn" ];
+    # creds, but also 200 MB of node modules, etc
+    discord.persist.private = [ ".config/discord" ];
 
-      # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-      zecwallet-lite.persist.private = [ ".zcash" ];
-    }
-  ];
+    # creds/session keys, etc
+    element-desktop.persist.private = [ ".config/Element" ];
+
+    # `emote` will show a first-run dialog based on what's in this directory.
+    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    emote.persist.plaintext = [ ".local/share/Emote" ];
+
+    fluffychat-moby.persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
+
+    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+    # then reboot (so that libsecret daemon re-loads the keyring...?)
+    fractal-latest.persist.private = [ ".local/share/fractal" ];
+    fractal-next.persist.private = [ ".local/share/fractal" ];
+
+    # MS GitHub stores auth token in .config
+    # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
+    gh.persist.private = [ ".config/gh" ];
+
+    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+    # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
+    monero-gui.persist.plaintext = [ ".bitmonero" ];
+
+    mumble.persist.private = [ ".local/share/Mumble" ];
+
+    # not strictly necessary, but allows caching articles; offline use, etc.
+    nheko.persist.private = [
+      ".config/nheko"  # config file (including client token)
+      ".cache/nheko"  # media cache
+      ".local/share/nheko"  # per-account state database
+    ];
+
+    # settings (electron app)
+    obsidian.persist.plaintext = [ ".config/obsidian" ];
+
+    # creds, media
+    signal-desktop.persist.private = [ ".config/Signal" ];
+
+    # printer/filament settings
+    slic3r.persist.plaintext = [ ".Slic3r" ];
+
+    # creds, widevine .so download. TODO: could easily manage these statically.
+    spotify.persist.plaintext = [ ".config/spotify" ];
+
+    tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
+
+    tokodon.persist.private = [ ".cache/KDE/tokodon" ];
+
+    # hardenedMalloc solves an "unable to connect to Tor" error when pressing the "connect" button
+    # - still required as of 2023/07/14
+    tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
+      useHardenedMalloc = false;
+    };
+
+    whalebird.persist.private = [ ".config/Whalebird" ];
+
+    yarn.persist.plaintext = [ ".cache/yarn" ];
+
+    # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
+    zecwallet-lite.persist.private = [ ".zcash" ];
+  };
 }

hosts/common/programs/default.nix

@@ -5,10 +5,15 @@
     ./aerc.nix
     ./assorted.nix
     ./cozy.nix
+    ./epiphany.nix
+    ./evince.nix
+    ./firefox.nix
+    ./fontconfig.nix
     ./git.nix
     ./gnome-feeds.nix
     ./gpodder.nix
     ./gthumb.nix
+    ./helix.nix
     ./imagemagick.nix
     ./jellyfin-media-player.nix
     ./kitty
@@ -22,14 +27,15 @@
     ./neovim.nix
     ./newsflash.nix
     ./nix-index.nix
+    ./obsidian.nix
     ./offlineimap.nix
     ./ripgrep.nix
     ./sfeed.nix
     ./splatmoji.nix
     ./steam.nix
     ./sublime-music.nix
+    ./tangram.nix
     ./vlc.nix
-    ./web-browser.nix
     ./wireshark.nix
     ./zeal.nix
     ./zsh

hosts/common/programs/epiphany.nix

@@ -0,0 +1,45 @@
+# epiphany web browser
+# - GTK4/webkitgtk
+#
+# usability notes:
+# - touch-based scroll works well (for moby)
+# - URL bar constantly resets cursor to the start of the line as i type
+#   - maybe due to the URLbar suggestions getting in the way
+{ pkgs, ... }:
+{
+  sane.programs.epiphany = {
+    # XXX(2023/07/08): running on moby without this hack fails, with:
+    # - `bwrap: Can't make symlink at /var/run: File exists`
+    # this could be due to:
+    # - epiphany is somewhere following a symlink into /var/run instead of /run
+    #   - (nothing in `env` or in this repo touches /var/run)
+    # - no xdg-desktop-portal is installed  (unlikely)
+    #
+    # a few other users have hit this, in different contexts:
+    # - <https://gitlab.gnome.org/GNOME/gnome-builder/-/issues/1164>
+    # - <https://github.com/flatpak/flatpak/issues/3477>
+    # - <https://github.com/NixOS/nixpkgs/issues/197085>
+    package = pkgs.epiphany.overrideAttrs (upstream: {
+      preFixup = ''
+        gappsWrapperArgs+=(
+          --set WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS "1"
+        );
+      '' + (upstream.preFixup or "");
+    });
+    persist.private = [
+      ".cache/epiphany"
+      ".local/share/epiphany"
+      # also .config/epiphany, but appears empty
+    ];
+    mime.priority = 200;  # default priority is 100: install epiphany only as a fallback
+    mime.associations = let
+      desktop = "org.gnome.Epiphany.desktop";
+    in {
+      "text/html" = desktop;
+      "x-scheme-handler/http" = desktop;
+      "x-scheme-handler/https" = desktop;
+      "x-scheme-handler/about" = desktop;
+      "x-scheme-handler/unknown" = desktop;
+    };
+  };
+}

hosts/common/programs/evince.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  sane.programs.evince.mime.associations."application/pdf" = "org.gnome.Evince.desktop";
+}

hosts/common/programs/firefox.nix

@@ -9,11 +9,12 @@
 { config, lib, pkgs, ...}:
 with lib;
 let
-  cfg = config.sane.programs.web-browser.config;
+  cfg = config.sane.programs.firefox.config;
+  mobile-prefs = lib.optionals false pkgs.librewolf-pmos-mobile.extraPrefsFiles;
   # allow easy switching between firefox and librewolf with `defaultSettings`, below
   librewolfSettings = {
     browser = pkgs.librewolf-unwrapped;
-    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ pkgs.librewolf-pmos-mobile.extraPrefsFiles;
+    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ mobile-prefs;
     libName = "librewolf";
     dotDir = ".librewolf";
     cacheDir = ".cache/librewolf";
@@ -21,7 +22,7 @@ let
   };
   firefoxSettings = {
     browser = pkgs.firefox-esr-unwrapped;
-    extraPrefsFiles = pkgs.firefox-pmos-mobile.extraPrefsFiles;
+    extraPrefsFiles = mobile-prefs;
     libName = "firefox";
     dotDir = ".mozilla/firefox";
     cacheDir = ".cache/mozilla";
@@ -144,55 +145,59 @@ in
 {
   config = mkMerge [
     ({
-      sane.programs.web-browser.configOption = mkOption {
+      sane.programs.firefox.configOption = mkOption {
         type = types.submodule configOpts;
         default = {};
       };
-      sane.programs.web-browser.config.addons = {
-        # get names from:
-        # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
-        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
+      sane.programs.firefox.config.addons = {
         browserpass-extension = {
-          # package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
-          package = localAddon pkgs.browserpass-extension;
+          package = pkgs.firefox-extensions.browserpass-extension;
           enable = lib.mkDefault true;
         };
-
-        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
-        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
-        # bypass-paywalls-clean.enable = lib.mkDefault true;
-
-        # TODO: give these update scripts, make them reachable via `pkgs`
-        ether-metamask = {
-          package = addon "ether-metamask" "webextension@metamask.io" "sha256-UI83wUUc33OlQYX+olgujeppoo2D2PAUJ+Wma5mH2O0=";
+        bypass-paywalls-clean = {
+          package = pkgs.firefox-extensions.bypass-paywalls-clean;
           enable = lib.mkDefault true;
         };
+        ether-metamask = {
+          package = pkgs.firefox-extensions.ether-metamask;
+          enable = lib.mkDefault false;  # until i can disable the first-run notification
+        };
         i2p-in-private-browsing = {
-          package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
+          package = pkgs.firefox-extensions.i2p-in-private-browsing;
           enable = lib.mkDefault config.services.i2p.enable;
         };
         sidebery = {
-          package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
+          package = pkgs.firefox-extensions.sidebery;
           enable = lib.mkDefault true;
         };
         sponsorblock = {
-          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-b/OTFmhSEUZ/CYrYCE4rHVMQmY+Y78k8jSGMoR8vsZA=";
+          package = pkgs.firefox-extensions.sponsorblock;
           enable = lib.mkDefault true;
         };
         ublacklist = {
-          package = addon "ublacklist" "@ublacklist" "sha256-NZ2FmgJiYnH7j2Lkn0wOembxaEphmUuUk0Ytmb0rNWo=";
+          package = pkgs.firefox-extensions.ublacklist;
           enable = lib.mkDefault true;
         };
         ublock-origin = {
-          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-EGGAA+cLUow/F5luNzFG055rFfd3rEyh8hTaL/23pbM=";
+          package = pkgs.firefox-extensions.ublock-origin;
           enable = lib.mkDefault true;
         };
       };
     })
     ({
-      sane.programs.web-browser = {
+      sane.programs.firefox = {
         inherit package;
 
+        mime.associations = let
+          inherit (cfg.browser) desktop;
+        in {
+          "text/html" = desktop;
+          "x-scheme-handler/http" = desktop;
+          "x-scheme-handler/https" = desktop;
+          "x-scheme-handler/about" = desktop;
+          "x-scheme-handler/unknown" = desktop;
+        };
+
         # env.BROWSER = "${package}/bin/${cfg.browser.libName}";
         env.BROWSER = cfg.browser.libName;  # used by misc tools like xdg-email, as fallback
 
@@ -236,16 +241,22 @@ in
         '';
       };
     })
-    (mkIf config.sane.programs.web-browser.enabled {
+    (mkIf config.sane.programs.firefox.enabled {
       # TODO: move the persistence into the sane.programs API (above)
-      # flush the cache to disk to avoid it taking up too much tmp
-      sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
-        store = cfg.persistCache;
-      };
+      # flush the cache to disk to avoid it taking up too much tmp.
+      sane.user.persist.byPath."${cfg.browser.cacheDir}".store =
+        if (cfg.persistData != null) then
+          cfg.persistData
+        else
+          "cryptClearOnBoot"
+        ;
 
-      sane.user.persist.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
-        store = cfg.persistData;
-      };
+      sane.user.persist.byPath."${cfg.browser.dotDir}/default".store =
+        if (cfg.persistData != null) then
+          cfg.persistData
+        else
+          "cryptClearOnBoot"
+        ;
     })
   ];
 }

hosts/common/programs/fontconfig.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+{
+  fonts = lib.mkIf config.sane.programs.fontconfig.enabled {
+    fontconfig.enable = true;
+    fontconfig.defaultFonts = {
+      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
+      monospace = [ "Hack" ];
+      serif = [ "DejaVu Serif" ];
+      sansSerif = [ "DejaVu Sans" ];
+    };
+    enableDefaultFonts = true;
+    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
+  };
+}

hosts/common/programs/git.nix

@@ -1,6 +1,8 @@
 { lib, pkgs, ... }:
 
 let
+  # TODO: use formats.gitIni or lib.generators.toGitINI
+  # - see: <repo:nixos/nixpkgs:pkgs/pkgs-lib/formats.nix>
   mkCfg = lib.generators.toINI { };
 in
 {

hosts/common/programs/gthumb.nix

@@ -1,4 +1,13 @@
 { pkgs, ... }:
 {
-  sane.programs.gthumb.package = pkgs.gthumb.override { withWebservices = false; };
+  sane.programs.gthumb = {
+    # compile without webservices to avoid the expensive webkitgtk dependency
+    package = pkgs.gthumb.override { withWebservices = false; };
+    mime.associations = {
+      "image/heif" = "org.gnome.gThumb.desktop";  # apple codec
+      "image/png" = "org.gnome.gThumb.desktop";
+      "image/jpeg" = "org.gnome.gThumb.desktop";
+      "image/svg+xml" = "org.gnome.gThumb.desktop";
+    };
+  };
 }

hosts/common/programs/helix.nix

@@ -0,0 +1,22 @@
+# Helix text editor
+# debug log: `~/.cache/helix/helix.log`
+# binary name is `hx`
+{ ... }:
+{
+  sane.programs.helix = {
+    # grammars need to be persisted when developing them
+    # - `hx --grammar fetch` and `hx --grammar build`
+    # but otherwise, they ship as part of HELIX_RUNTIME, in the nix store
+    # persist.plaintext = [ ".config/helix/runtime/grammars" ];
+    fs.".config/helix/config.toml".symlink.text = ''
+      # docs: <https://docs.helix-editor.com/configuration.html>
+      [editor.soft-wrap]
+      enable = true
+
+      [editor.whitespace.render]
+      space = "all"
+      tab = "all"
+      newline = "none"
+    '';
+  };
+}

hosts/common/programs/imagemagick.nix

@@ -6,5 +6,4 @@
     };
     suggestedPrograms = [ "ghostscript" ];
   };
-  sane.programs.ghostscript = {};
 }

hosts/common/programs/mepo.nix

@@ -6,7 +6,9 @@
   sane.programs.mepo = {
     persist.plaintext = [ ".cache/mepo/tiles" ];
     # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
-    persist.private = [ ".cache/mepo/savestate" ];
+    persist.private = [
+      { type = "file"; path = ".cache/mepo/savestate"; }
+    ];
   };
 
   programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {

hosts/common/programs/neovim.nix

@@ -14,7 +14,12 @@ let
       # docs: https://github.com/nvim-treesitter/nvim-treesitter
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
       # this is required for tree-sitter to even highlight
-      plugin = nvim-treesitter.withAllGrammars;
+      plugin = nvim-treesitter.withPlugins (_: nvim-treesitter.allGrammars ++ [
+        # XXX: this is apparently not enough to enable syntax highlighting!
+        # nvim-treesitter ships its own queries which may be distinct from e.g. helix.
+        # the queries aren't included when i ship the grammar in this manner
+        pkgs.tree-sitter-nix-shell
+      ]);
       type = "lua";
       config = ''
         require'nvim-treesitter.configs'.setup {
@@ -76,7 +81,7 @@ let
     }
   ];
   plugin-packages = map (p: p.plugin) plugins;
-  plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
+  plugin-config-viml = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
   plugin-config-lua = concatMapStrings (p: optionalString (p.type or "" == "lua") p.config) plugins;
 in
 {
@@ -94,7 +99,7 @@ in
     viAlias = true;
     vimAlias = true;
     configure = {
-      packages.myVimPackage = {
+      packages.plugins = {
         start = plugin-packages;
       };
       customRC = ''
@@ -130,8 +135,8 @@ in
         set list
         set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
 
-        """"" PLUGIN CONFIG (tex)
-        ${plugin-config-tex}
+        """"" PLUGIN CONFIG (vim)
+        ${plugin-config-viml}
 
         """"" PLUGIN CONFIG (lua)
         lua <<EOF

hosts/common/programs/obsidian.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  sane.programs.obsidian.mime.associations."text/markdown" = "obsidian.desktop";
+}

hosts/common/programs/splatmoji.nix

@@ -10,13 +10,11 @@
       # XXX doesn't seem to understand ~ as shorthand for `$HOME`
       history_file=/home/colin/.local/state/splatmoji/history
       history_length=5
-      # TODO: wayland equiv
-      paste_command=xdotool key ctrl+v
+      paste_command=${pkgs.wtype}/bin/wtype -M Ctrl -k v
       # rofi_command=${pkgs.wofi}/bin/wofi --dmenu --insensitive --cache-file /dev/null
       rofi_command=${pkgs.fuzzel}/bin/fuzzel -d -i -w 60
       xdotool_command=${pkgs.wtype}/bin/wtype
-      # TODO: wayland equiv
-      xsel_command=xsel -b -i
+      xsel_command=${pkgs.findutils}/bin/xargs ${pkgs.wl-clipboard}/bin/wl-copy
     '';
   };
 }

hosts/common/programs/tangram.nix

@@ -0,0 +1,42 @@
+# Tangram is a GTK/webkit browser
+# it views each tab as a distinct application, persisted, and where the 'home' button action is specific to each tab.
+# it supports ephemeral tabs, but UX is heavily geared to GCing those as early as possible.
+
+{ pkgs, ... }:
+let
+  dconfProfile = pkgs.writeTextFile {
+    name = "dconf-tangram-profile";
+    destination = "/etc/dconf/profile/tangram";
+    text = ''
+      user-db:tangram
+      system-db:site
+    '';
+  };
+in
+{
+  sane.programs.tangram = {
+    # XXX(2023/07/08): running on moby without disabling the webkit sandbox fails, with:
+    # - `bwrap: Can't make symlink at /var/run: File exists`
+    # see epiphany.nix for more info
+    package = pkgs.tangram.overrideAttrs (upstream: {
+      preFixup = ''
+        gappsWrapperArgs+=(
+          --set WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS "1"
+          --set DCONF_PROFILE "${dconfProfile}/etc/dconf/profile/tangram"
+        );
+      '' + (upstream.preFixup or "");
+    });
+
+    persist.private = [
+      ".cache/Tangram"
+      ".local/share/Tangram"
+      # dconf achieves atomic writes via `mv`, so a symlink doesn't work
+      # moreover, i have to persist the *whole* directory:
+      # - `user-db:tangram/user` causes a schema failure
+      # - bind-mounting `~/private/.config/dconf/tangram` causes dconf to try a cross-fs `mv`, which fails
+      # - dconf provides no way to specify an alternate ~/.config/dconf dir, except by overriding XDG_CONFIG_HOME
+      # { type = "file"; path = ".config/dconf/tangram"; method = "bind"; }
+      ".config/dconf"
+    ];
+  };
+}

hosts/common/programs/vlc.nix

@@ -10,8 +10,13 @@ let
 in
 {
   sane.programs.vlc = {
-    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
-    persist.plaintext = [ ".config/vlc" ];
+    persist.private = [
+      # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
+      # filenames are stored in plaintext (unlike mpv, which i think hashes them)
+      ".config/vlc"
+      # vlc caches artwork. i'm not sure where it gets the artwork (internet? embedded metadata?)
+      ".cache/vlc"
+    ];
     fs.".config/vlc/vlcrc".symlink.text = ''
       [podcast]
       podcast-urls=${podcast-urls}
@@ -20,5 +25,13 @@ in
       [qt]
       qt-privacy-ask=0
     '';
+
+    mime.associations."audio/flac" = "vlc.desktop";
+    mime.associations."audio/mpeg" = "vlc.desktop";
+    mime.associations."audio/x-vorbis+ogg" = "vlc.desktop";
+    mime.associations."video/mp4" = "vlc.desktop";
+    mime.associations."video/quicktime" = "vlc.desktop";
+    mime.associations."video/webm" = "vlc.desktop";
+    mime.associations."video/x-matroska" = "vlc.desktop";
   };
 }

hosts/common/programs/wireshark.nix

@@ -1,5 +1,4 @@
 { config, ... }:
 {
-  sane.programs.wireshark = {};
   programs.wireshark.enable = config.sane.programs.wireshark.enabled;
 }

hosts/common/programs/zsh/default.nix

@@ -20,31 +20,12 @@
 let
   inherit (lib) mkIf mkMerge mkOption types;
   cfg = config.sane.zsh;
-  # powerlevel10k prompt config
-  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
-  p10k-overrides = ''
-    # powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
-    # this keeps open file handles for any git repo i touch for 60 minutes (by default).
-    # that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
-    # i can disable gitstatusd and get slower fallback git queries:
-    # - either universally
-    # - or selectively by path
-    # see: <https://github.com/romkatv/powerlevel10k/issues/246>
-    typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
-    # typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
-
-    # show user@host also when logged into the current machine.
-    # default behavior is to show it only over ssh.
-    typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
-  '';
-
-  prezto-init = ''
-    source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
-    source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
-    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
-  '';
 in
 {
+  imports = [
+    ./p10k.nix
+    ./starship.nix
+  ];
   options = {
     sane.zsh = {
       showDeadlines = mkOption {
@@ -52,6 +33,16 @@ in
         default = true;
         description = "show upcoming deadlines (from my PKM) upon shell init";
       };
+      p10k = mkOption {
+        type = types.bool;
+        default = false;
+        description = "enable powerlevel10k prompt and prezto";
+      };
+      starship = mkOption {
+        type = types.bool;
+        default = true;
+        description = "enable starship prompt";
+      };
     };
   };
 
@@ -74,6 +65,9 @@ in
         '' + lib.optionalString cfg.showDeadlines ''
           ${pkgs.sane-scripts.deadlines}/bin/sane-deadlines
         '' + ''
+
+          HISTFILE="$HOME/.local/share/zsh/history"
+
           # auto-cd into any of these dirs by typing them and pressing 'enter':
           hash -d 3rd="/home/colin/dev/3rd"
           hash -d dev="/home/colin/dev"
@@ -86,45 +80,6 @@ in
           hash -d uninsane="/home/colin/dev/uninsane"
           hash -d Videos="/home/colin/Videos"
         '';
-
-        # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
-        # see: https://github.com/sorin-ionescu/prezto
-        # this file is auto-sourced by the prezto init.zsh script.
-        # TODO: i should work to move away from prezto:
-        # - it's FUCKING SLOW to initialize (that might also be powerlevel10k tho)
-        # - it messes with my other `setopt`s
-        fs.".config/zsh/.zpreztorc".symlink.text = ''
-          zstyle ':prezto:*:*' color 'yes'
-          zstyle ':prezto:module:utility' correct 'no'  # prezto: don't setopt CORRECT
-
-          # modules (they ship with prezto):
-          # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
-          # TERMINAL: auto-titles terminal (e.g. based on cwd)
-          # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
-          # HISTORY: `history-stat` alias, setopts for good history defaults
-          # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack. also overrides CLOBBER and some other options
-          # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
-          # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
-          #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
-          # COMPLETION: tab completion. requires `utility` module prior to loading
-          zstyle ':prezto:load' pmodule \
-            'environment' \
-            'terminal' \
-            'editor' \
-            'history' \
-            'spectrum' \
-            'utility' \
-            'completion' \
-            'prompt'
-
-          # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
-          zstyle ':prezto:module:editor' key-bindings 'emacs'
-
-          zstyle ':prezto:module:prompt' theme 'powerlevel10k'
-
-          # disable `mv` confirmation (and `rm`, too, unfortunately)
-          zstyle ':prezto:module:utility' safe-ops 'no'
-        '';
       };
     })
     (mkIf config.sane.programs.zsh.enabled {
@@ -133,7 +88,6 @@ in
 
       programs.zsh = {
         enable = true;
-        histFile = "$HOME/.local/share/zsh/history";
         shellAliases = {
           ":q" = "exit";
           # common typos
@@ -162,16 +116,12 @@ in
         '';
 
         # system-wide .zshrc config:
-        interactiveShellInit =
-          (builtins.readFile ./p10k.zsh)
-        + p10k-overrides
-        + prezto-init
-        + ''
+        interactiveShellInit = ''
           # zmv is a way to do rich moves/renames, with pattern matching/substitution.
           # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
           autoload -Uz zmv
 
-          HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch)'
+          HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch|switch)'
 
           # extra aliases
           # TODO: move to `shellAliases` config?
@@ -179,6 +129,10 @@ in
             mkdir -p "$1";
             pushd "$1";
           }
+
+          function switch() {
+            sudo nixos-rebuild --flake . switch --keep-going;
+          }
         '';
 
         syntaxHighlighting.enable = true;

hosts/common/programs/zsh/p10k.nix

@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ...}:
+
+let
+  # powerlevel10k prompt config
+  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
+  p10k-overrides = ''
+    # powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
+    # this keeps open file handles for any git repo i touch for 60 minutes (by default).
+    # that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
+    # i can disable gitstatusd and get slower fallback git queries:
+    # - either universally
+    # - or selectively by path
+    # see: <https://github.com/romkatv/powerlevel10k/issues/246>
+    typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
+    # typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
+
+    # show user@host also when logged into the current machine.
+    # default behavior is to show it only over ssh.
+    typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
+  '';
+
+  prezto-init = ''
+    source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
+    source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
+  '';
+in {
+  config = lib.mkIf config.sane.zsh.p10k {
+    sane.programs.zsh = {
+      # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+      # see: https://github.com/sorin-ionescu/prezto
+      # this file is auto-sourced by the prezto init.zsh script.
+      # TODO: i should work to move away from prezto:
+      # - it's FUCKING SLOW to initialize (that might also be powerlevel10k tho)
+      # - it messes with my other `setopt`s
+      fs.".config/zsh/.zpreztorc".symlink.text = ''
+        zstyle ':prezto:*:*' color 'yes'
+        zstyle ':prezto:module:utility' correct 'no'  # prezto: don't setopt CORRECT
+
+        # modules (they ship with prezto):
+        # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
+        # TERMINAL: auto-titles terminal (e.g. based on cwd)
+        # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
+        # HISTORY: `history-stat` alias, setopts for good history defaults
+        # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack. also overrides CLOBBER and some other options
+        # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
+        # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
+        #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
+        # COMPLETION: tab completion. requires `utility` module prior to loading
+        zstyle ':prezto:load' pmodule \
+          'environment' \
+          'terminal' \
+          'editor' \
+          'history' \
+          'spectrum' \
+          'utility' \
+          'completion' \
+          'prompt'
+
+        # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
+        zstyle ':prezto:module:editor' key-bindings 'emacs'
+
+        zstyle ':prezto:module:prompt' theme 'powerlevel10k'
+
+        # disable `mv` confirmation (and `rm`, too, unfortunately)
+        zstyle ':prezto:module:utility' safe-ops 'no'
+      '';
+    };
+
+    programs.zsh.interactiveShellInit = (builtins.readFile ./p10k.zsh)
+      + p10k-overrides
+      + prezto-init
+    ;
+  };
+}

hosts/common/programs/zsh/starship.nix

@@ -0,0 +1,101 @@
+# starship prompt: <https://starship.rs/config/#prompt>
+# my own config heavily based off:
+# - <https://starship.rs/presets/pastel-powerline.html>
+{ config, lib, pkgs, ...}:
+
+let
+  enabled = config.sane.zsh.starship;
+  toml = pkgs.formats.toml {};
+  colors = {
+    # colors sorted by the order they appear in the status bar
+    _01_purple = "#9A348E";
+    _02_pink = "#DA627D";
+    _03_orange = "#FCA17D";
+    _04_teal = "#86BBD8";
+    _05_blue = "#06969A";
+    _06_blue = "#33658A";
+  };
+in {
+  config = lib.mkIf config.sane.zsh.starship {
+    sane.programs.zsh = lib.mkIf enabled {
+      fs.".config/zsh/.zshrc".symlink.text = ''
+        eval "$(${pkgs.starship}/bin/starship init zsh)"
+      '';
+      fs.".config/starship.toml".symlink.target = toml.generate "starship.toml" {
+        format = builtins.concatStringsSep "" [
+          "[](${colors._01_purple})"
+          "$os"
+          "$username"
+          "$hostname"
+          "[](bg:${colors._02_pink} fg:${colors._01_purple})"
+          "$directory"
+          "[](fg:${colors._02_pink} bg:${colors._03_orange})"
+          "$git_branch"
+          "$git_status"
+          "[](fg:${colors._03_orange} bg:${colors._04_teal})"
+          "[](fg:${colors._04_teal} bg:${colors._05_blue})"
+          "[](fg:${colors._05_blue} bg:${colors._06_blue})"
+          "$time"
+          "$status"
+          "[ ](fg:${colors._06_blue})"
+        ];
+        add_newline = false;  # no blank line before prompt
+
+        os.style = "bg:${colors._01_purple}";
+        os.format = "[$symbol]($style)";
+        os.disabled = false;
+        # os.symbols.NixOS = "❄️";  # removes the space after logo
+
+        # TODO: tune foreground color of username
+        username.style_user = "bg:${colors._01_purple}";
+        username.style_root = "bold bg:${colors._01_purple}";
+        username.format = "[$user ]($style)";
+
+        hostname.style = "bold bg:${colors._01_purple}";
+        hostname.format = "[$ssh_symbol$hostname ]($style)";
+
+        directory.style = "bg:${colors._02_pink} fg:#ffffff";
+        directory.format = "[ $path ]($style)";
+        directory.truncation_length = 3;
+        directory.truncation_symbol = "…/";
+
+        # git_branch.symbol = "";  # looks good in nerd fonts
+        git_branch.symbol = "";
+        git_branch.style = "bg:${colors._03_orange} fg:#ffffff";
+        # git_branch.style = "bg:#FF8262";
+        git_branch.format = "[ $symbol $branch ]($style)";
+
+        git_status.style = "bold bg:${colors._03_orange} fg:#ffffff";
+        # git_status.style = "bg:#FF8262";
+        git_status.format = "[$all_status$ahead_behind ]($style)";
+        git_status.ahead = "⇡$count";
+        git_status.behind = "⇣$count";
+        # git_status.diverged = "⇣$behind_count⇡$ahead_count";
+        git_status.diverged = "⇡$ahead_count⇣$behind_count";
+        git_status.modified = "*";
+        git_status.stashed = "";
+        git_status.untracked = "";
+
+
+        time.disabled = true;
+        time.time_format = "%R"; # Hour:Minute Format
+        time.style = "bg:${colors._06_blue}";
+        time.format = "[ $time ]($style)";
+
+        status.disabled = false;
+        status.style = "bg:${colors._06_blue}";
+        # status.success_symbol = "♥ ";
+        # status.success_symbol = "💖";
+        # status.success_symbol = "💙";
+        # status.success_symbol = "💚";
+        # status.success_symbol = "💜";
+        # status.success_symbol = "✔️'";
+        status.success_symbol = "";
+        status.symbol = "❌";
+        # status.symbol = "❗️";
+        # status.symbol = "‼️";
+        status.format = "[$symbol]($style)";
+      };
+    };
+  };
+}

hosts/common/secrets.nix

@@ -30,7 +30,7 @@
 let
   inherit (lib.strings) hasSuffix removeSuffix;
   secretsForHost = host: let
-    extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path) {
+    extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path && builtins.hasAttr "guest" config.users.users) {
       owner = "guest";
     };
   in sane-lib.joinAttrsets (
@@ -66,7 +66,6 @@ in
     {
       "jackett_apikey".owner = config.users.users.colin.name;
       "mx-sanebot-env".owner = config.users.users.colin.name;
-      "snippets".owner = config.users.users.colin.name;
       "transmission_passwd".owner = config.users.users.colin.name;
     }
   ];

hosts/common/ssh.nix

@@ -2,7 +2,6 @@
 
 let
   inherit (builtins) attrValues head map mapAttrs tail;
-  inherit (lib) concatStringsSep mkMerge reverseList;
 in
 {
   sane.ssh.pubkeys =
@@ -10,9 +9,9 @@ in
     # path is a DNS-style path like [ "org" "uninsane" "root" ]
     keyNameForPath = path:
       let
-        rev = reverseList path;
+        rev = lib.reverseList path;
         name = head rev;
-        host = concatStringsSep "." (tail rev);
+        host = lib.concatStringsSep "." (tail rev);
       in
       "${name}@${host}";
 
@@ -23,9 +22,10 @@ in
       (name: {
         inherit name;
         value = {
-          colin = hostCfg.ssh.user_pubkey;
           root = hostCfg.ssh.host_pubkey;
-        };
+        } // (lib.optionalAttrs hostCfg.ssh.authorized {
+          colin = hostCfg.ssh.user_pubkey;
+        });
       })
       hostCfg.names
     ;
@@ -34,7 +34,7 @@ in
         map keysForHost (builtins.attrValues config.sane.hosts.by-name)
       )
     );
-  in mkMerge (map
+  in lib.mkMerge (map
     ({ path, value }: {
       "${keyNameForPath path}" = lib.mkIf (value != null) value;
     })

hosts/common/users/colin.nix

@@ -21,7 +21,7 @@
       "networkmanager"
       "nixbuild"
       "transmission"  # servo, to admin /var/lib/uninsane/media
-      "video"  # phosh/mobile. XXX colin: unsure if necessary
+      "video"  # mobile; for LEDs & maybe for camera?
       "wheel"
       "wireshark"
     ];
@@ -52,13 +52,6 @@
 
   sane.users.colin = {
     default = true;
-    # ensure ~ perms are known to sane.fs module.
-    # TODO: this is generic enough to be lifted up into sane.fs itself.
-    fs."/".dir.acl = {
-      user = "colin";
-      group = config.users.users.colin.group;
-      mode = config.users.users.colin.homeMode;
-    };
 
     persist.plaintext = [
       "archive"
@@ -68,10 +61,16 @@
       "ref"
       "tmp"
       "use"
+      "Books"
       "Music"
       "Pictures"
       "Videos"
 
+      # these are persisted simply to save on RAM.
+      # ~/.cache/nix can become several GB.
+      # fontconfig and mesa_shader_cache are < 10 MB.
+      ".cache/fontconfig"
+      ".cache/mesa_shader_cache"
       ".cache/nix"
 
       # ".cargo"

hosts/common/users/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ./colin.nix
     ./guest.nix
+    ./root.nix
   ];
 
   # Users are exactly these specified here;

hosts/common/users/guest.nix

@@ -11,8 +11,8 @@ in
     };
   };
 
-  config = {
-    users.users.guest = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
+    users.users.guest = {
       isNormalUser = true;
       home = "/home/guest";
       subUidRanges = [
@@ -27,7 +27,7 @@ in
 
     sane.persist.sys.plaintext = lib.mkIf cfg.enable [
       # intentionally allow other users to write to the guest folder
-      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
+      { path = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
     ];
   };
 }

hosts/common/users/root.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  sane.persist.sys.cryptClearOnBoot = [
+    # when running commands as root, some things may create ~/.cache entries.
+    # notably:
+    # - `/root/.cache/nix/` takes up ~10 MB on lappy/desko/servo
+    # - `/root/.cache/mesa_shader_cache` takes up 1-2 MB on moby
+    { path = "/root"; user = "root"; group = "root"; mode = "0700"; }
+  ];
+}

hosts/modules/default.nix

@@ -2,7 +2,7 @@
 
 {
   imports = [
-    ./derived-secrets.nix
+    ./derived-secrets
     ./gui
     ./hardware
     ./hostnames.nix

hosts/modules/derived-secrets/default.nix

@@ -1,10 +1,14 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 let
-  inherit (builtins) toString;
-  inherit (lib) mapAttrs mkOption types;
+
+  hash-path-with-salt = pkgs.static-nix-shell.mkBash {
+    pname = "hash-path-with-salt";
+    src = ./.;
+  };
+
   cfg = config.sane.derived-secrets;
-  secret = types.submodule {
+  secret = with lib; types.submodule {
     options = {
       len = mkOption {
         type = types.int;
@@ -17,7 +21,7 @@ let
 in
 {
   options = {
-    sane.derived-secrets = mkOption {
+    sane.derived-secrets = with lib; mkOption {
       type = types.attrsOf secret;
       default = {};
       description = ''
@@ -30,17 +34,13 @@ in
   };
 
   config = {
-    sane.fs = mapAttrs (path: c: {
-      generated.script.script = ''
-        echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
-          | sha512sum \
-          | cut -c 1-${toString (c.len * 2)} \
-          | tr a-z A-Z \
-          | basenc -d --base16 \
-          | basenc --${c.encoding} \
-          > "$1"
-      '';
-      generated.script.scriptArgs = [ path ];
+    sane.fs = lib.mapAttrs (path: c: {
+      generated.command = [
+        "${hash-path-with-salt}/bin/hash-path-with-salt"
+        path
+        c.encoding
+        (builtins.toString (c.len * 2))
+      ];
       generated.acl.mode = "0600";
     }) cfg;
   };

hosts/modules/derived-secrets/hash-path-with-salt

@@ -0,0 +1,12 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
+file="$1"
+enc="$2"
+nibbles="$3"
+echo "$file" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
+  | sha512sum \
+  | cut -c "1-$nibbles" \
+  | tr a-z A-Z \
+  | basenc -d --base16 \
+  | basenc "--$enc" \
+  > "$file"

hosts/modules/gui/default.nix

@@ -1,17 +1,121 @@
-{ lib, config, ... }:
-
-let
-  inherit (lib) mkDefault mkIf mkOption types;
-  cfg = config.sane.gui;
-in
+{ config, lib, pkgs, ... }:
 {
   imports = [
     ./gnome.nix
     ./gtk.nix
     ./phosh.nix
-    ./plasma.nix
-    ./plasma-mobile.nix
     ./sway
-    ./sxmo.nix
+    ./sxmo
+  ];
+
+  sane.programs.guiApps = {
+    package = null;
+    suggestedPrograms = [
+      "firefox"
+      "tuiApps"
+    ] ++ lib.optional (pkgs.system == "x86_64-linux") "x86GuiApps"
+    ++ [
+      # "celluloid"  # mpv frontend
+      "cozy"  # audiobook player
+      # "emote"
+      "epiphany"  # gnome's web browser
+      "evince"  # works on phosh
+      # "foliate"  # e-book reader
+      # "gnome.cheese"
+      # "gnome-feeds"  # RSS reader (with claimed mobile support)
+      "gnome.file-roller"
+      # "gnome.gnome-maps"  # works on phosh
+      "gnome.nautilus"
+      # "gnome-podcasts"
+      # "gnome.gnome-system-monitor"
+      # "gnome.gnome-terminal"  # works on phosh
+      # "gnome.gnome-weather"
+      "gpodder"
+      "gthumb"
+      "komikku"
+      "koreader"
+      "lemoa"  # lemmy app
+      # "lollypop"
+      "mepo"  # maps viewer
+      # "mpv"
+      # "networkmanagerapplet"
+      # "newsflash"
+      "nheko"
+      "pavucontrol"
+      # "picard"  # music tagging
+      # "libsForQt5.plasmatube"  # Youtube player
+      "soundconverter"
+      # "sublime-music"
+      "tangram"  # web browser
+      # "tdesktop"  # broken on phosh
+      # "tokodon"
+      "tuba"  # mastodon/pleroma client (stores pw in keyring)
+      "vlc"
+      # "whalebird"  # pleroma client (Electron). input is broken on phosh.
+      "xterm"  # broken on phosh
+    ];
+  };
+
+  sane.programs.desktopGuiApps = {
+    package = null;
+    suggestedPrograms = [
+      "audacity"
+      "blanket"  # ambient noise generator
+      "brave"  # for the integrated wallet -- as a backup
+      "chromium"
+      "dino"
+      "electrum"
+      "element-desktop"
+      # "font-manager"  #< depends on webkitgtk4_0 (expensive to build)
+      "gajim"  # XMPP client
+      "gimp"  # broken on phosh
+      "gnome.dconf-editor"
+      "gnome.gnome-disk-utility"
+      # "gnome.totem"  # video player, supposedly supports UPnP
+      "handbrake"
+      "hase"
+      "inkscape"
+      "jellyfin-media-player"
+      "kdenlive"
+      "kid3"  # audio tagging
+      "krita"
+      "libreoffice-fresh"
+      "mumble"
+      "obsidian"
+      "slic3r"
+      "steam"
+      "wireshark"  # could maybe ship the cli as sysadmin pkg
+    ];
+  };
+
+  sane.programs.handheldGuiApps = {
+    package = null;
+    suggestedPrograms = [
+      "megapixels"  # camera app
+    ];
+  };
+
+  sane.programs.x86GuiApps = {
+    package = null;
+    suggestedPrograms = [
+      "discord"
+      # "gnome.zenity" # for kaiteki (it will use qarma, kdialog, or zenity)
+      # "gpt2tc"  # XXX: unreliable mirror
+      # "kaiteki"  # Pleroma client
+      # "logseq"  # Personal Knowledge Management
+      "losslesscut-bin"
+      "makemkv"
+      "monero-gui"
+      "signal-desktop"
+      "spotify"
+      "tor-browser-bundle-bin"
+      "zecwallet-lite"
+    ];
+  };
+
+  sane.persist.sys.plaintext = lib.mkIf config.sane.programs.guiApps.enabled [
+    "/var/lib/alsa"                # preserve output levels, default devices
+    "/var/lib/colord"              # preserve color calibrations (?)
+    "/var/lib/systemd/backlight"   # backlight brightness
   ];
 }

hosts/modules/gui/gtk.nix

@@ -1,7 +1,17 @@
-{ config, lib, pkgs }:
+# gtk apps search XDG_ICON_DIRS for icons (nixos specific)
+# nixos ships the hi-color icon theme by default, which has *some* icons,
+# but leaves a lot of standard ones unavailable.
+#
+# system-wide theme components live in:
+# - /run/current-system/sw/share/color-schemes/${theme}
+# - /run/current-system/sw/share/icons/${theme}
+# - /run/current-system/sw/share/icons/${theme}/cursors  (cursor-theme)
+# - /run/current-system/sw/share/themes/${theme}/gtk-4.0
+{ config, lib, pkgs, ... }:
 let
   cfg = config.sane.gui.gtk;
-  themes = {
+  unsortedThemes = {
+    # crude assortment of themes in nixpkgs; some might not be gtk themes, some gtk themes might not be in this list
     inherit (pkgs)
       # themes are in <repo:nixos/nixpkgs:pkgs/data/themes>
       adapta-gtk-theme
@@ -105,6 +115,74 @@ let
       yaru-theme
       zuki-themes
     ;
+    inherit (pkgs.gnome)
+      adwaita-icon-theme
+      gnome-themes-extra
+    ;
+  };
+
+  themes = with pkgs; {
+    color-scheme = {
+      default = emptyDirectory;
+      Dracula = dracula-theme;
+      DraculaPurple = dracula-theme;
+      Dracula-cursors = dracula-theme;
+    };
+    cursor-theme = {
+      Adwaita = gnome.adwaita-icon-theme;
+    };
+    gtk-theme = {
+      Adwaita = gnome.gnome-themes-extra;  # gtk-3.0
+      Adwaita-dark = gnome.gnome-themes-extra;  # gtk-3.0
+      Arc = arc-theme;  # gtk-4.0
+      Arc-Dark = arc-theme;  # gtk-4.0
+      Arc-Darker = arc-theme;  # gtk-4.0
+      Arc-Lighter = arc-theme;  # gtk-4.0
+      Dracula = dracula-theme;  # gtk-4.0
+      E17gtk = e17gtk;  # gtk-3.0
+      Fluent = fluent-gtk-theme;  # gtk-4.0
+      Fluent-compact = fluent-gtk-theme;  # gtk-4.0
+      Fluent-Dark = fluent-gtk-theme;  # gtk-4.0
+      Fluent-Dark-compact = fluent-gtk-theme;  # gtk-4.0
+      Fluent-Light = fluent-gtk-theme;  # gtk-4.0
+      Fluent-Light-compact = fluent-gtk-theme;  # gtk-4.0,  NICE!
+      HighContrast = gnome.gnome-themes-extra;  # gtk-3.0
+      Matcha-light-azul = matcha-gtk-theme;  # gtk-4.0,  NICE!
+      Matcha-light-sea = matcha-gtk-theme;  # gtk-4.0,  NICE!
+      # additional Matcha-* omitted
+      Nordic = nordic;  # gtk-4.0
+      Nordic-bluish-accent = nordic;  # gtk-4.0
+      Nordic-darker = nordic;  # gtk-4.0
+      Nordic-Polar = nordic;  # gtk-4.0,  NICE
+      Numix = numix-gtk-theme;  # gtk-3.20, meh
+      NumixSolarizedDarkBlue = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkCyan = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkGreen = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkMagenta = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkOrange = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkRed = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkViolet = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkYellow = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightBlue = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightBlueDarkTop = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightCyan = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightGreen = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightMagenta = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightOrange = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightRed = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightViolet = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightYellow = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixStandard = numix-solarized-gtk-theme;  # gtk-3.20
+      Paper = paper-gtk-theme;  # gtk-4.0
+      Pop = pop-gtk-theme;  # gtk-4.0
+      Pop-dark = pop-gtk-theme;  # gtk-4.0
+      Tokyonight-Light-B = tokyo-night-gtk;  # gtk-4.0, NICE
+      # other Tokyonight-* omitted
+    };
+    icon-theme = {
+      Adwaita = gnome.adwaita-icon-theme;
+      HighContrast = gnome.gnome-themes-extra;  # gtk-3.0
+    };
   };
 in
 {
@@ -114,20 +192,49 @@ in
       type = types.bool;
       description = "apply theme to gtk4 apps";
     };
+    sane.gui.gtk.all = mkOption {
+      default = false;
+      type = types.bool;
+      description = "install all known gtk themes (for testing)";
+    };
+    sane.gui.gtk.color-scheme = mkOption {
+      default = "default";
+      type = types.str;
+    };
+    sane.gui.gtk.cursor-theme = mkOption {
+      default = "Adwaita";
+      type = types.str;
+    };
+    sane.gui.gtk.gtk-theme = mkOption {
+      default = "Adwaita";
+      type = types.str;
+    };
+    sane.gui.gtk.icon-theme = mkOption {
+      default = "Adwaita";
+      type = types.str;
+    };
   };
 
   config = lib.mkIf cfg.enable {
     programs.dconf.packages = [
       (pkgs.writeTextFile {
         name = "dconf-sway-settings";
-        destination = "/etc/dconf/db/site.d/10_sway_settings";
+        destination = "/etc/dconf/db/site.d/10_gtk_settings";
         text = ''
           [org/gnome/desktop/interface]
-          gtk-theme="Dracula"
-          icon-theme="Dracula"
+          color-scheme="${cfg.color-scheme}"
+          cursor-theme="${cfg.cursor-theme}"
+          gtk-theme="${cfg.gtk-theme}"
+          icon-theme="${cfg.icon-theme}"
         '';
       })
     ];
-    environment.systemPackages = lib.attrValues themes;
+    # environment.systemPackages = lib.attrValues themes;
+    environment.systemPackages = [
+      themes.color-scheme."${cfg.color-scheme}"
+      themes.cursor-theme."${cfg.cursor-theme}"
+      themes.gtk-theme."${cfg.gtk-theme}"
+      themes.icon-theme."${cfg.icon-theme}"
+    ] ++ lib.optionals cfg.all (lib.attrValues unsortedThemes);
   };
 }

hosts/modules/gui/phosh.nix

@@ -30,34 +30,13 @@ in
           "gnome.gnome-bluetooth"
           "gnome.gnome-terminal"
           "phosh-mobile-settings"
-          # "plasma5Packages.konsole"  # more reliable terminal
         ];
       };
     }
-    {
-      sane.programs = {
-        inherit (pkgs // {
-          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
-          "gnome.gnome-terminal" = pkgs.gnome.gnome-terminal;
-          "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
-        })
-          phosh-mobile-settings
-          "plasma5Packages.konsole"
-          "gnome.gnome-bluetooth"
-          "gnome.gnome-terminal"
-        ;
-      };
-    }
 
     (mkIf cfg.enable {
       sane.programs.phoshApps.enableFor.user.colin = true;
 
-      # TODO(2023/02/28): remove this qt.style = "gtk2" override.
-      # gnome by default tells qt to stylize its apps similar to gnome.
-      # but the package needed for that doesn't cross-compile, hence i disable that here.
-      # qt.platformTheme = "gtk2";
-      # qt.style = "gtk2";
-
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
       # docs: <repo:gnome/phosh:src/phoc.ini.example>
       # docs: <repo:gnome/phosh:src/settings.c#config_ini_handler>

hosts/modules/gui/plasma-mobile.nix

@@ -1,29 +0,0 @@
-{ lib, config, ... }:
- 
-with lib;
-let
-  cfg = config.sane.gui.plasma-mobile;
-in
-{
-  options = {
-    sane.gui.plasma-mobile.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
-
-    # start plasma-mobile on boot
-    services.xserver.enable = true;
-    services.xserver.desktopManager.plasma5.mobile.enable = true;
-    services.xserver.desktopManager.plasma5.mobile.installRecommendedSoftware = false;  # not all plasma5-mobile packages build for aarch64
-    services.xserver.displayManager.sddm.enable = true;
-   
-    # Plasma does networking stuff with networkmanager, but nix configures the defaults itself
-    # networking.useDHCP = false;
-    # networking.networkmanager.enable = true;
-    # networking.wireless.enable = lib.mkForce false;
-  };
-}

hosts/modules/gui/plasma.nix

@@ -1,28 +0,0 @@
-{ lib, config, ... }:
-
-with lib;
-let
-  cfg = config.sane.gui.plasma;
-in
-{
-  options = {
-    sane.gui.plasma.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
-
-    # start plasma on boot
-    services.xserver.enable = true;
-    services.xserver.desktopManager.plasma5.enable = true;
-    services.xserver.displayManager.sddm.enable = true;
-
-    # gnome does networking stuff with networkmanager
-    networking.useDHCP = false;
-    networking.networkmanager.enable = true;
-    networking.wireless.enable = lib.mkForce false;
-  };
-}

hosts/modules/gui/snippets.txt

@@ -12,4 +12,4 @@ https://bt.uninsane.org
 https://sci-hub.se
 https://archive.is
 https://news.ycombinator.com
-https://192.168.15.1:60481  # Router/Firewall
+http://10.78.79.1  # Router/Firewall

hosts/modules/gui/sway/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ config, lib, pkgs, ... }:
  
 # docs: https://nixos.wiki/wiki/Sway
 with lib;
@@ -70,31 +70,20 @@ in
           "sway-contrib.grimshot"
           "wdisplays"  # like xrandr
         ];
-      };
-    }
-    {
-      sane.programs = {
-        inherit (pkgs // {
-          # "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
-          # "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
-          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
-        })
-          swaylock
-          swayidle
-          wl-clipboard
-          blueberry
-          mako
-          # "gnome.gnome-bluetooth"
-          # "gnome.gnome-control-center"
-          "sway-contrib.grimshot"
-          wdisplays
-        ;
+
+        secrets.".config/sane-sway/snippets.txt" = ../../../../secrets/common/snippets.txt.bin;
       };
     }
 
     (mkIf cfg.enable {
+      sane.programs.fontconfig.enableFor.system = true;
       sane.programs.swayApps.enableFor.user.colin = true;
+      # we need the greeter's command to be on our PATH
+      users.users.colin.packages = [ sway-launcher ];
+
       sane.gui.gtk.enable = lib.mkDefault true;
+      # sane.gui.gtk.gtk-theme = lib.mkDefault "Fluent-Light-compact";
+      sane.gui.gtk.gtk-theme = lib.mkDefault "Tokyonight-Light-B";
 
       # swap in these lines to use SDDM instead of `services.greetd`.
       # services.xserver.displayManager.sddm.enable = true;
@@ -107,8 +96,6 @@ in
           default_session = if cfg.useGreeter then greeter-session else greeterless-session;
         };
       };
-      # we need the greeter's command to be on our PATH
-      users.users.colin.packages = [ sway-launcher ];
 
       # some programs (e.g. fractal) **require** a "Secret Service Provider"
       services.gnome.gnome-keyring.enable = true;
@@ -149,18 +136,17 @@ in
         enable = true;
         wrapperFeatures.gtk = true;
       };
-      sane.user.fs.".config/sway/config" = sane-lib.fs.wantedText
-        (import ./sway-config.nix { inherit config pkgs; });
+      sane.user.fs.".config/sway/config".symlink.text =
+        import ./sway-config.nix { inherit pkgs; };
 
-      sane.user.fs.".config/waybar/config" =
+      sane.user.fs.".config/waybar/config".symlink.target =
         let
           waybar-config = import ./waybar-config.nix { inherit pkgs; };
-        in sane-lib.fs.wantedSymlinkTo (
-          (pkgs.formats.json {}).generate "waybar-config.json" waybar-config
-        );
+        in
+          (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
 
-      sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText
-        (builtins.readFile ./waybar-style.css);
+      sane.user.fs.".config/waybar/style.css".symlink.text =
+        builtins.readFile ./waybar-style.css;
     })
   ];
 }

hosts/modules/gui/sway/sway-config.nix

@@ -1,4 +1,4 @@
-{ pkgs, config }:
+{ pkgs }:
 let
   fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
   sed = "${pkgs.gnused}/bin/sed";
@@ -16,12 +16,14 @@ let
   # "bookmarking"/snippets inspired by Luke Smith:
   # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
   snip-file = ../snippets.txt;
-  # TODO: querying sops here breaks encapsulation
-  list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
+  list-snips = "cat ${snip-file} ~/.config/sane-sway/snippets.txt";
   strip-comments = "${sed} 's/ #.*$//'";
   snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
-  # TODO: next splatmoji release should allow `-s none` to disable skin tones
+  # TODO: splatmoji release > 1.2.0 should allow `-s none` to disable skin tones
   emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
+
+  # mod = "Mod1";  # Alt
+  mod = "Mod4";  # Super
 in ''
   ### default font
   font pango:monospace 8
@@ -48,66 +50,66 @@ in ''
   client.background #ffffff
 
   ### key bindings
-  floating_modifier Mod1
+  floating_modifier ${mod}
   ## media keys
   bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
   bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
-  bindsym Mod1+Page_Up exec ${vol-up-cmd}
-  bindsym Mod1+Page_Down exec ${vol-down-cmd}
+  bindsym ${mod}+Page_Up exec ${vol-up-cmd}
+  bindsym ${mod}+Page_Down exec ${vol-down-cmd}
   bindsym XF86AudioMute exec ${mute-cmd}
   bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
   bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
   ## special functions
-  bindsym Mod1+Print exec ${screenshot-cmd}
-  bindsym Mod1+l exec ${lock-cmd}
-  bindsym Mod1+s exec ${snip-cmd}
-  bindsym Mod1+slash exec ${emoji-cmd}
-  bindsym Mod1+d exec ${launcher-cmd}
-  bindsym Mod1+Return exec ${terminal-cmd}
-  bindsym Mod1+Shift+q kill
-  bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
-  bindsym Mod1+Shift+c reload
+  bindsym ${mod}+Print exec ${screenshot-cmd}
+  bindsym ${mod}+l exec ${lock-cmd}
+  bindsym ${mod}+s exec ${snip-cmd}
+  bindsym ${mod}+slash exec ${emoji-cmd}
+  bindsym ${mod}+d exec ${launcher-cmd}
+  bindsym ${mod}+Return exec ${terminal-cmd}
+  bindsym ${mod}+Shift+q kill
+  bindsym ${mod}+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
+  bindsym ${mod}+Shift+c reload
   ## layout
-  bindsym Mod1+b splith
-  bindsym Mod1+v splitv
-  bindsym Mod1+f fullscreen toggle
-  bindsym Mod1+a focus parent
-  bindsym Mod1+w layout tabbed
-  bindsym Mod1+e layout toggle split
-  bindsym Mod1+Shift+space floating toggle
-  bindsym Mod1+space focus mode_toggle
-  bindsym Mod1+r mode resize
+  bindsym ${mod}+b splith
+  bindsym ${mod}+v splitv
+  bindsym ${mod}+f fullscreen toggle
+  bindsym ${mod}+a focus parent
+  bindsym ${mod}+w layout tabbed
+  bindsym ${mod}+e layout toggle split
+  bindsym ${mod}+Shift+space floating toggle
+  bindsym ${mod}+space focus mode_toggle
+  bindsym ${mod}+r mode resize
   ## movement
-  bindsym Mod1+Up focus up
-  bindsym Mod1+Down focus down
-  bindsym Mod1+Left focus left
-  bindsym Mod1+Right focus right
-  bindsym Mod1+Shift+Up move up
-  bindsym Mod1+Shift+Down move down
-  bindsym Mod1+Shift+Left move left
-  bindsym Mod1+Shift+Right move right
+  bindsym ${mod}+Up focus up
+  bindsym ${mod}+Down focus down
+  bindsym ${mod}+Left focus left
+  bindsym ${mod}+Right focus right
+  bindsym ${mod}+Shift+Up move up
+  bindsym ${mod}+Shift+Down move down
+  bindsym ${mod}+Shift+Left move left
+  bindsym ${mod}+Shift+Right move right
   ## workspaces
-  bindsym Mod1+1 workspace number 1
-  bindsym Mod1+2 workspace number 2
-  bindsym Mod1+3 workspace number 3
-  bindsym Mod1+4 workspace number 4
-  bindsym Mod1+5 workspace number 5
-  bindsym Mod1+6 workspace number 6
-  bindsym Mod1+7 workspace number 7
-  bindsym Mod1+8 workspace number 8
-  bindsym Mod1+9 workspace number 9
-  bindsym Mod1+Shift+1 move container to workspace number 1
-  bindsym Mod1+Shift+2 move container to workspace number 2
-  bindsym Mod1+Shift+3 move container to workspace number 3
-  bindsym Mod1+Shift+4 move container to workspace number 4
-  bindsym Mod1+Shift+5 move container to workspace number 5
-  bindsym Mod1+Shift+6 move container to workspace number 6
-  bindsym Mod1+Shift+7 move container to workspace number 7
-  bindsym Mod1+Shift+8 move container to workspace number 8
-  bindsym Mod1+Shift+9 move container to workspace number 9
+  bindsym ${mod}+1 workspace number 1
+  bindsym ${mod}+2 workspace number 2
+  bindsym ${mod}+3 workspace number 3
+  bindsym ${mod}+4 workspace number 4
+  bindsym ${mod}+5 workspace number 5
+  bindsym ${mod}+6 workspace number 6
+  bindsym ${mod}+7 workspace number 7
+  bindsym ${mod}+8 workspace number 8
+  bindsym ${mod}+9 workspace number 9
+  bindsym ${mod}+Shift+1 move container to workspace number 1
+  bindsym ${mod}+Shift+2 move container to workspace number 2
+  bindsym ${mod}+Shift+3 move container to workspace number 3
+  bindsym ${mod}+Shift+4 move container to workspace number 4
+  bindsym ${mod}+Shift+5 move container to workspace number 5
+  bindsym ${mod}+Shift+6 move container to workspace number 6
+  bindsym ${mod}+Shift+7 move container to workspace number 7
+  bindsym ${mod}+Shift+8 move container to workspace number 8
+  bindsym ${mod}+Shift+9 move container to workspace number 9
   ## "scratchpad" = ??
-  bindsym Mod1+Shift+minus move scratchpad
-  bindsym Mod1+minus scratchpad show
+  bindsym ${mod}+Shift+minus move scratchpad
+  bindsym ${mod}+minus scratchpad show
 
   ### defaults
   mode "resize" {
@@ -125,9 +127,6 @@ in ''
 
   ### lightly modified bars
   bar {
-    # TODO: fonts was:
-    #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
-    font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
     mode dock
     hidden_state hide
     position top
@@ -146,29 +145,29 @@ in ''
       inactive_workspace #333333 #222222 #888888
       urgent_workspace #2f343a #900000 #ffffff
       binding_mode #2f343a #900000 #ffffff
-  }
+    }
   }
 
   ### displays
   ## DESKTOP
   output "Samsung Electric Company S22C300 0x00007F35" {
-  pos 0,0
-  res 1920x1080
+    pos 0,0
+    res 1920x1080
   }
   output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
-  pos 1920,0
-  res 3440x1440
+    pos 1920,0
+    res 3440x1440
   }
 
   ## LAPTOP
   # sh/en TV
   output "Pioneer Electronic Corporation VSX-524 0x00000101" {
-  pos 0,0
-  res 1920x1080
+    pos 0,0
+    res 1920x1080
   }
   # internal display
   output "Unknown 0x0637 0x00000000" {
-  pos 1920,0
-  res 1920x1080
+    pos 1920,0
+    res 1920x1080
   }
 ''

hosts/modules/gui/sxmo.nix

@@ -1,273 +0,0 @@
-# this work derives from noneucat's sxmo service/packages, found via NUR
-# - <repo:nix-community/nur-combined:repos/noneucat/modules/pinephone/sxmo.nix>
-# other nix works:
-# - <https://github.com/wentam/sxmo-nix>
-#   - implements sxmo atop tinydm (also packaged by wentam)
-#   - wentam cleans up sxmo-utils to be sealed. also patches to use systemd poweroff, etc
-#   - packages a handful of anjan and proycon utilities
-#   - packages <https://gitlab.com/kop316/mmsd/>
-#   - packages <https://gitlab.com/kop316/vvmd/>
-# - <https://github.com/chuangzhu/nixpkgs-sxmo>
-#   - implements sxmo as a direct systemd service -- apparently no DM
-#   - packages sxmo-utils
-#     - injects PATH into each script
-# - perhaps sxmo-utils is best packaged via the `resholve` shell solver?
-#
-# sxmo documentation:
-# - <repo:anjan/sxmo-docs-next>
-#
-# sxmo technical overview:
-# - inputs
-#   - dwm: handles vol/power buttons; hardcoded in config.h
-#   - lisgd: handles gestures
-# - startup
-#   - daemon based (lisgsd, idle_locker, statusbar_periodics)
-#   - auto-started at login
-#   - managable by `sxmo_daemons.sh`
-#     - list available daemons: `sxmo_daemons.sh list`
-#     - query if a daemon is active: `sxmo_daemons.sh running <my-daemon>`
-#     - start daemon: `sxmo_daemons.sh start <my-daemon>`
-#   - managable by `superctl`
-#     - `superctl status`
-# - user hooks:
-#   - live in ~/.config/sxmo/hooks/
-# - logs:
-#   - live in ~/.local/state/sxmo.log
-#   - ~/.local/state/superd.log
-#   - ~/.local/state/superd/logs/<daemon>.log
-#   - `journalctl --user --boot`  (lightm redirects the sxmo session stdout => systemd)
-#
-# - default components:
-#   - DE:                  sway (if wayland), dwm (if X)
-#   - menus:               bemenu (if wayland), dmenu (if X)
-#   - gestures:            lisgd
-#   - on-screen keyboard:  wvkbd (if wayland), svkbd (if X)
-#
-{ lib, config, pkgs, sane-lib, ... }:
-
-let
-  cfg = config.sane.gui.sxmo;
-in
-{
-  options = with lib; {
-    sane.gui.sxmo.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-    sane.gui.sxmo.greeter = mkOption {
-      type = types.enum [ "lightdm-mobile" "sway" ];
-      default = "lightdm-mobile";
-      description = ''
-        which greeter to use.
-        "lightdm-mobile" => keypad style greeter. can only enter digits 0-9 as password.
-        "sway" => layered sway greeter. behaves as if you booted to swaylock.
-      '';
-    };
-    sane.gui.sxmo.package = mkOption {
-      type = types.package;
-      default = pkgs.sxmo-utils;
-      description = ''
-        sxmo base scripts and hooks collection.
-        consider overriding the outputs under /share/sxmo/default_hooks
-        to insert your own user scripts.
-      '';
-    };
-    sane.gui.sxmo.terminal = mkOption {
-      # type = types.nullOr (types.enum [ "foot" "st" "vte" ]);
-      type = types.nullOr types.str;
-      default = "foot";
-      description = ''
-        name of terminal to use for sxmo_terminal.sh.
-        foot, st, and vte have special integrations in sxmo, but any will work.
-      '';
-    };
-    sane.gui.sxmo.keyboard = mkOption {
-      # type = types.nullOr (types.enum ["wvkbd"])
-      type = types.nullOr types.str;
-      default = "wvkbd";
-      description = ''
-        name of on-screen-keyboard to use for sxmo_keyboard.sh.
-        this sets the KEYBOARD environment variable.
-        see also: KEYBOARD_ARGS.
-      '';
-    };
-    sane.gui.sxmo.settings = mkOption {
-      description = ''
-        environment variables used to configure sxmo.
-        e.g. SXMO_UNLOCK_IDLE_TIME or SXMO_VOLUME_BUTTON.
-      '';
-      type = types.submodule {
-        freeformType = types.attrsOf types.str;
-        options =
-          let
-            mkSettingsOpt = default: description: mkOption {
-              inherit default description;
-              type = types.nullOr types.str;
-            };
-          in {
-            SXMO_BAR_SHOW_BAT_PER = mkSettingsOpt "1" "show battery percentage in statusbar";
-            SXMO_UNLOCK_IDLE_TIME = mkSettingsOpt "300" "how many seconds of inactivity before locking the screen";  # lock -> screenoff happens 8s later, not configurable
-          };
-      };
-      default = {};
-    };
-    sane.gui.sxmo.noidle = mkOption {
-      type = types.bool;
-      default = false;
-      description = "inhibit lock-on-idle and screenoff-on-idle";
-    };
-  };
-
-  config = lib.mkMerge [
-    {
-      sane.programs.sxmoApps = {
-        package = null;
-        suggestedPrograms = [
-          "guiApps"
-          "sfeed"  # want this here so that the user's ~/.sfeed/sfeedrc gets created
-        ];
-      };
-    }
-
-    {
-      # TODO: lift to option declaration
-      sane.gui.sxmo.settings.TERMCMD = lib.mkIf (cfg.terminal != null)
-        (lib.mkDefault (if cfg.terminal == "vte" then "vte-2.91" else cfg.terminal));
-      sane.gui.sxmo.settings.KEYBOARD = lib.mkIf (cfg.keyboard != null)
-        (lib.mkDefault (if cfg.keyboard == "wvkbd" then "wvkbd-mobintl" else cfg.keyboard));
-    }
-
-    (lib.mkIf cfg.enable {
-      sane.programs.sxmoApps.enableFor.user.colin = true;
-
-      # some programs (e.g. fractal/nheko) **require** a "Secret Service Provider"
-      services.gnome.gnome-keyring.enable = true;
-
-      networking.useDHCP = false;
-      networking.networkmanager.enable = true;
-      networking.wireless.enable = lib.mkForce false;
-
-      hardware.bluetooth.enable = true;
-      services.blueman.enable = true;
-
-      # sxmo internally uses doas instead of sudo
-      security.doas.enable = true;
-      security.doas.wheelNeedsPassword = false;
-
-      # TODO: nerdfonts is 4GB. it accepts an option to ship only some fonts: probably want to use that.
-      fonts.fonts = [ pkgs.nerdfonts ];
-
-      # sxmo has first-class support only for pulseaudio and alsa -- not pipewire.
-      # however, pipewire can emulate pulseaudio support via `services.pipewire.pulse.enable = true`
-      #   after which the stock pulseaudio binaries magically work
-      # administer with pw-cli, pw-mon, pw-top commands
-      services.pipewire = {
-        enable = true;
-        alsa.enable = true;
-        alsa.support32Bit = true;  # ??
-        pulse.enable = true;
-      };
-      systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
-
-      # TODO: could use `displayManager.sessionPackages`?
-      environment.systemPackages = [
-        cfg.package
-      ] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
-        ++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
-
-      environment.sessionVariables = {
-        XDG_DATA_DIRS = [
-          # TODO: only need the share/sxmo directly linked
-          "${cfg.package}/share"
-        ];
-      } // cfg.settings;
-
-      sane.user.fs.".cache/sxmo/sxmo.noidle" = lib.mkIf cfg.noidle (sane-lib.fs.wantedText "");
-
-
-      ## greeter
-
-      services.xserver = lib.mkIf (cfg.greeter == "lightdm-mobile") {
-        enable = true;
-
-        displayManager.lightdm.enable = true;
-        displayManager.lightdm.greeters.mobile.enable = true;
-        displayManager.lightdm.extraSeatDefaults = ''
-          user-session = swmo
-        '';
-
-        displayManager.sessionPackages = with pkgs; [
-          cfg.package  # this gets share/wayland-sessions/swmo.desktop linked
-        ];
-
-        # taken from gui/phosh:
-        # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
-        # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
-        # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
-        # this requires the user we want to login as to be cached.
-        displayManager.job.preStart = ''
-          ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
-        '';
-      };
-
-      services.greetd = lib.mkIf (cfg.greeter == "sway") {
-        enable = true;
-        # borrowed from gui/sway
-        settings.default_session.command =
-        let
-          # start sway and have it construct the gtkgreeter
-          sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
-            ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /var/log/sway/sway-as-greeter.log 2>&1
-          '';
-          # (config file for the above)
-          sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
-            exec "${gtkgreet-launcher}"
-          '';
-          # gtkgreet which launches a layered sway instance
-          gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
-            # NB: the "command" field here is run in the user's shell.
-            # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
-            ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sxmo_winit.sh
-          '';
-        in "${sway-as-greeter}/bin/sway-as-greeter";
-      };
-
-      systemd.services."sxmo-set-permissions" = {
-        description = "configure specific /sys and /dev nodes to be writable by sxmo scripts";
-        serviceConfig = {
-          Type = "oneshot";
-          ExecStart = "${cfg.package}/bin/sxmo_setpermissions.sh";
-        };
-        wantedBy = [ "display-manager.service" ];
-      };
-
-      sane.fs."/var/log/sway" = lib.mkIf (cfg.greeter == "sway") {
-        dir.acl.mode = "0777";
-        wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
-      };
-
-      # lightdm-mobile-greeter: "The name org.a11y.Bus was not provided by any .service files"
-      services.gnome.at-spi2-core.enable = true;
-
-      # services.xserver.windowManager.session = [{
-      #   name = "sxmo";
-      #   desktopNames = [ "sxmo" ];
-      #   start = ''
-      #     ${cfg.package}/bin/sxmo_xinit.sh &
-      #     waitPID=$!
-      #   '';
-      # }];
-      # services.xserver.enable = true;
-
-      # services.greetd = {
-      #   enable = true;
-      #   settings = {
-      #     default_session = {
-      #       command = "${cfg.package}/bin/sxmo_winit.sh";
-      #       user = "colin";
-      #     };
-      #   };
-      # };
-    })
-  ];
-}

hosts/modules/gui/sxmo/battery_estimate

@@ -0,0 +1,32 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
+
+full=$(cat /sys/class/power_supply/axp20x-battery/charge_full_design)
+rate=$(cat /sys/class/power_supply/axp20x-battery/current_now)
+perc=$(cat /sys/class/power_supply/axp20x-battery/capacity)
+perc_left=$((100 - $perc))
+# these icons come from sxmo; they only render in nerdfonts
+bat_dis="󱊢"
+bat_chg="󱊥"
+
+fmt_minutes() {
+  # args: <battery symbol> <text if ludicrous estimate> <estimated minutes to full/empty>
+  if [[ $3 -gt 1440 ]]; then
+    printf "%s %s" "$1" "$2"  # more than 1d
+  else
+    hr=$(($3 / 60))
+    hr_in_min=$(($hr * 60))
+    min=$(($3 - $hr_in_min))
+    printf "%s %dh%02dm" "$1" "$hr" "$min"
+  fi
+}
+
+if [[ $rate -lt 0 ]]; then
+  # discharging
+  fmt_minutes "$bat_dis" '∞' "$(($full * 60 * $perc / (-100 * $rate)))"
+elif [[ $rate -gt 0 ]]; then
+  # charging
+  fmt_minutes "$bat_chg" '100%' "$(($full * 60 * $perc_left / (100 * $rate)))"
+else
+  echo "$bat_dis $perc%"
+fi

hosts/modules/gui/sxmo/conky-config

@@ -0,0 +1,49 @@
+-- configversion: 737cb1de0389cee32a04785691a446a2
+
+-- docs: <https://conky.cc/variables>
+-- color names are X11 colors: <https://en.wikipedia.org/wiki/X11_color_names#Color_name_chart>
+-- - can also use #rrggbb syntax
+-- example configs: <https://forum.manjaro.org/t/conky-showcase-2022/97123>
+-- example configs: <https://www.reddit.com/r/Conkyporn/>
+
+conky.config = {
+    out_to_wayland = true,
+    update_interval = 10,
+
+    alignment = 'middle_middle',
+    own_window_type = 'desktop',
+    -- own_window_argb_value: opacity of the background (0-255)
+    own_window_argb_value = 92,
+    own_window_colour = '#beebe5',  -- beebe5 matches nixos flake bg color
+
+    -- "border" pads the entire conky window
+    -- this can be used to control the extend of the own_window background
+    border_inner_margin = 8,
+    -- optionally, actually draw borders
+    -- draw_borders = true,
+
+    -- shades are drop-shadows, outline is the centered version. both apply to text only
+    draw_shades = true,
+    draw_outline = false,
+    default_shade_color = '#beebe5',
+    default_outline_color = '#beebe5',
+
+    font = 'Sxmo:size=8',
+    use_xft = true,
+
+    default_color = '#ffffff',
+    color1 = '000000',
+    color2 = '404040',
+}
+
+conky.text = [[
+${color1}${shadecolor 707070}${font Sxmo:size=50:style=Bold}${alignc}${exec date +"%H:%M"}${font}
+${color2}${shadecolor a4d7d0}${font Sxmo:size=20}${alignc}${exec date +"%a %d %b"}${font}
+
+
+${color1}${shadecolor}${font Sxmo:size=22:style=Bold}${alignc}${exec @bat@ }${font}
+
+
+${color2}${shadecolor a4d7d0}${font Sxmo:size=16}${alignc}⇅ ${downspeedf wlan0}K/s${font}
+${font Sxmo:size=16}${alignc}☵ $memperc%  $cpu%${font}
+]]

hosts/modules/gui/sxmo/default.nix

@@ -0,0 +1,337 @@
+# this work derives from noneucat's sxmo service/packages, found via NUR
+# - <repo:nix-community/nur-combined:repos/noneucat/modules/pinephone/sxmo.nix>
+# other nix works:
+# - <https://github.com/wentam/sxmo-nix>
+#   - implements sxmo atop tinydm (also packaged by wentam)
+#   - wentam cleans up sxmo-utils to be sealed. also patches to use systemd poweroff, etc
+#   - packages a handful of anjan and proycon utilities
+#   - packages <https://gitlab.com/kop316/mmsd/>
+#   - packages <https://gitlab.com/kop316/vvmd/>
+# - <https://github.com/chuangzhu/nixpkgs-sxmo>
+#   - implements sxmo as a direct systemd service -- apparently no DM
+#   - packages sxmo-utils
+#     - injects PATH into each script
+# - perhaps sxmo-utils is best packaged via the `resholve` shell solver?
+#
+# sxmo upstream links:
+# - docs (rendered): <https://man.sr.ht/~anjan/sxmo-docs-next/>
+# - issue tracker: <https://todo.sr.ht/~mil/sxmo-tickets>
+# - mail list (patches): <https://lists.sr.ht/~mil/sxmo-devel>
+#
+# sxmo technical overview:
+# - inputs
+#   - dwm: handles vol/power buttons; hardcoded in config.h
+#   - lisgd: handles gestures
+# - startup
+#   - daemon based (lisgsd, idle_locker, statusbar_periodics)
+#   - auto-started at login
+#   - managable by `sxmo_daemons.sh`
+#     - list available daemons: `sxmo_daemons.sh list`
+#     - query if a daemon is active: `sxmo_daemons.sh running <my-daemon>`
+#     - start daemon: `sxmo_daemons.sh start <my-daemon>`
+#   - managable by `superctl`
+#     - `superctl status`
+# - user hooks:
+#   - live in ~/.config/sxmo/hooks/
+# - logs:
+#   - live in ~/.local/state/sxmo.log
+#   - ~/.local/state/superd.log
+#   - ~/.local/state/superd/logs/<daemon>.log
+#   - `journalctl --user --boot`  (lightm redirects the sxmo session stdout => systemd)
+#
+# - default components:
+#   - DE:                  sway (if wayland), dwm (if X)
+#   - menus:               bemenu (if wayland), dmenu (if X)
+#   - gestures:            lisgd
+#   - on-screen keyboard:  wvkbd (if wayland), svkbd (if X)
+#
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.sane.gui.sxmo;
+  knownKeyboards = {
+    # map keyboard package name -> name of binary to invoke
+    wvkbd = "wvkbd-mobintl";
+    svkbd = "svkbd-mobile-intl";
+  };
+  knownTerminals = {
+    vte = "vte-2.91";
+  };
+in
+{
+  options = with lib; {
+    sane.gui.sxmo.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.gui.sxmo.greeter = mkOption {
+      type = types.enum [ "lightdm-mobile" "sway" ];
+      default = "lightdm-mobile";
+      description = ''
+        which greeter to use.
+        "lightdm-mobile" => keypad style greeter. can only enter digits 0-9 as password.
+        "sway" => layered sway greeter. behaves as if you booted to swaylock.
+      '';
+    };
+    sane.gui.sxmo.package = mkOption {
+      type = types.package;
+      default = pkgs.sxmo-utils;
+      description = ''
+        sxmo base scripts and hooks collection.
+        consider overriding the outputs under /share/sxmo/default_hooks
+        to insert your own user scripts.
+      '';
+    };
+    sane.gui.sxmo.terminal = mkOption {
+      # type = types.nullOr (types.enum [ "foot" "st" "vte" ]);
+      type = types.nullOr types.str;
+      default = "foot";
+      description = ''
+        name of terminal to use for sxmo_terminal.sh.
+        foot, st, and vte have special integrations in sxmo, but any will work.
+      '';
+    };
+    sane.gui.sxmo.keyboard = mkOption {
+      # type = types.nullOr (types.enum ["wvkbd"])
+      type = types.nullOr types.str;
+      default = "wvkbd";
+      description = ''
+        name of on-screen-keyboard to use for sxmo_keyboard.sh.
+        this sets the KEYBOARD environment variable.
+        see also: KEYBOARD_ARGS.
+      '';
+    };
+    sane.gui.sxmo.settings = mkOption {
+      description = ''
+        environment variables used to configure sxmo.
+        e.g. SXMO_UNLOCK_IDLE_TIME or SXMO_VOLUME_BUTTON.
+      '';
+      type = types.submodule {
+        freeformType = types.attrsOf types.str;
+        options =
+          let
+            mkSettingsOpt = default: description: mkOption {
+              inherit default description;
+              type = types.nullOr types.str;
+            };
+          in {
+            SXMO_BAR_SHOW_BAT_PER = mkSettingsOpt "1" "show battery percentage in statusbar";
+            SXMO_UNLOCK_IDLE_TIME = mkSettingsOpt "300" "how many seconds of inactivity before locking the screen";  # lock -> screenoff happens 8s later, not configurable
+          };
+      };
+      default = {};
+    };
+    sane.gui.sxmo.noidle = mkOption {
+      type = types.bool;
+      default = false;
+      description = "inhibit lock-on-idle and screenoff-on-idle";
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      sane.programs.sxmoApps = {
+        package = null;
+        suggestedPrograms = [
+          "guiApps"
+          "sfeed"  # want this here so that the user's ~/.sfeed/sfeedrc gets created
+          "superd"  # make superctl (used by sxmo) be on PATH
+        ];
+
+        persist.cryptClearOnBoot = [
+          # builds to be 10's of MB per day
+          ".local/state/superd/logs"
+        ];
+      };
+    }
+
+    {
+      # TODO: lift to option declaration
+      sane.gui.sxmo.settings.TERMCMD = lib.mkIf (cfg.terminal != null)
+        (lib.mkDefault (knownTerminals."${cfg.terminal}" or cfg.terminal));
+      sane.gui.sxmo.settings.KEYBOARD = lib.mkIf (cfg.keyboard != null)
+        (lib.mkDefault (knownKeyboards."${cfg.keyboard}" or cfg.keyboard));
+    }
+
+    (lib.mkIf cfg.enable (lib.mkMerge [
+      {
+        sane.programs.sxmoApps.enableFor.user.colin = true;
+        sane.gui.gtk.enable = lib.mkDefault true;
+
+        # sxmo internally uses doas instead of sudo
+        security.doas.enable = true;
+        security.doas.wheelNeedsPassword = false;
+
+        # TODO: move this further to the host-specific config?
+        networking.useDHCP = false;
+        networking.networkmanager.enable = true;
+        networking.wireless.enable = lib.mkForce false;
+
+        hardware.bluetooth.enable = true;
+        services.blueman.enable = true;
+
+        # TODO: nerdfonts is 4GB. it accepts an option to ship only some fonts: probably want to use that.
+        fonts.fonts = [ pkgs.nerdfonts ];
+
+        # some programs (e.g. fractal/nheko) **require** a "Secret Service Provider"
+        services.gnome.gnome-keyring.enable = true;
+
+        # lightdm-mobile-greeter: "The name org.a11y.Bus was not provided by any .service files"
+        services.gnome.at-spi2-core.enable = true;
+
+        # sxmo has first-class support only for pulseaudio and alsa -- not pipewire.
+        # however, pipewire can emulate pulseaudio support via `services.pipewire.pulse.enable = true`
+        #   after which the stock pulseaudio binaries magically work
+        # administer with pw-cli, pw-mon, pw-top commands
+        services.pipewire = {
+          enable = true;
+          alsa.enable = true;
+          alsa.support32Bit = true;  # ??
+          pulse.enable = true;
+        };
+        systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
+
+        # TODO: could use `displayManager.sessionPackages`?
+        environment.systemPackages = [
+          cfg.package
+        ] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
+          ++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
+
+        environment.sessionVariables = {
+          XDG_DATA_DIRS = [
+            # TODO: only need the share/sxmo directly linked
+            "${cfg.package}/share"
+          ];
+        };
+
+        systemd.services."sxmo-set-permissions" = {
+          description = "configure specific /sys and /dev nodes to be writable by sxmo scripts";
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = "${cfg.package}/bin/sxmo_setpermissions.sh";
+          };
+          wantedBy = [ "display-manager.service" ];
+        };
+
+        sane.user.fs.".cache/sxmo/sxmo.noidle" = lib.mkIf cfg.noidle {
+          symlink.text = "";
+        };
+        sane.user.fs.".config/sxmo/profile".symlink.text = let
+          mkKeyValue = key: value: ''export ${key}="${value}"'';
+          userConfig = lib.generators.toKeyValue { inherit mkKeyValue; } cfg.settings;
+        in ''
+          # configversion: 4284f96d91e9550ff8f3b25823e402ad
+          # ^ upstream adds new options every now and then, expects user config file
+          # to include the md5sum of the template it's based on.
+          # see `setup_config_version.sh`
+          ${userConfig}
+        '';
+
+        sane.user.fs.".config/sxmo/sway".symlink.target = pkgs.substituteAll {
+          src = ./sway-config;
+          waybar = "${pkgs.waybar}/bin/waybar";
+        };
+
+        sane.user.fs.".config/waybar/config".symlink.target =
+          let
+            waybar-config = import ./waybar-config.nix { inherit pkgs; };
+          in
+            (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
+
+        # sane.user.fs.".config/waybar/style.css".symlink.text =
+        #   builtins.readFile ./waybar-style.css;
+
+        sane.user.fs.".config/sxmo/conky.conf".symlink.target = let
+          battery_estimate = pkgs.static-nix-shell.mkBash {
+            pname = "battery_estimate";
+            src = ./.;
+          };
+        in pkgs.substituteAll {
+          src = ./conky-config;
+          bat = "${battery_estimate}/bin/battery_estimate";
+        };
+      }
+
+      (lib.mkIf (cfg.greeter == "lightdm-mobile") {
+        sane.persist.sys.plaintext = [
+          # this takes up 4-5 MB of fontconfig and mesa shader caches.
+          # it could optionally be cleared on boot.
+          { path = "/var/lib/lightdm"; user = "lightdm"; group = "lightdm"; mode = "0770"; }
+        ];
+
+        services.xserver = {
+          enable = true;
+
+          displayManager.lightdm.enable = true;
+          displayManager.lightdm.greeters.mobile.enable = true;
+          displayManager.lightdm.extraSeatDefaults = ''
+            user-session = swmo
+          '';
+
+          displayManager.sessionPackages = with pkgs; [
+            cfg.package  # this gets share/wayland-sessions/swmo.desktop linked
+          ];
+
+          # taken from gui/phosh:
+          # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
+          # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
+          # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
+          # this requires the user we want to login as to be cached.
+          displayManager.job.preStart = ''
+            ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
+          '';
+        };
+      })
+
+      (lib.mkIf (cfg.greeter == "sway") {
+        services.greetd = {
+          enable = true;
+          # borrowed from gui/sway
+          settings.default_session.command =
+          let
+            # start sway and have it construct the gtkgreeter
+            sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
+              ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /var/log/sway/sway-as-greeter.log 2>&1
+            '';
+            # (config file for the above)
+            sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
+              exec "${gtkgreet-launcher}"
+            '';
+            # gtkgreet which launches a layered sway instance
+            gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
+              # NB: the "command" field here is run in the user's shell.
+              # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
+              ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sxmo_winit.sh
+            '';
+          in "${sway-as-greeter}/bin/sway-as-greeter";
+        };
+
+        sane.fs."/var/log/sway" = {
+          dir.acl.mode = "0777";
+          wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
+        };
+      })
+
+      # old, greeterless options:
+      # services.xserver.windowManager.session = [{
+      #   name = "sxmo";
+      #   desktopNames = [ "sxmo" ];
+      #   start = ''
+      #     ${cfg.package}/bin/sxmo_xinit.sh &
+      #     waitPID=$!
+      #   '';
+      # }];
+      # services.xserver.enable = true;
+
+      # services.greetd = {
+      #   enable = true;
+      #   settings = {
+      #     default_session = {
+      #       command = "${cfg.package}/bin/sxmo_winit.sh";
+      #       user = "colin";
+      #     };
+      #   };
+      # };
+    ]))
+  ];
+}

hosts/modules/gui/sxmo/sway-config

@@ -0,0 +1,225 @@
+# Default config for sway
+# configversion: 5eff902ecca36b4e75567322335cc81c
+#
+# Copy this to ~/.config/sway/config and edit it to your liking.
+#
+# Read `man 5 sway` for a complete reference.
+
+### Variables
+#
+# Mod4 = Logo key
+# Mod1 = Alt.
+set $mod Mod1
+# Home row direction keys, like vim
+set $left h
+set $down j
+set $up k
+set $right l
+# Your preferred terminal emulator
+set $term sxmo_terminal.sh
+# Your preferred application launcher
+# Note: pass the final command to swaymsg so that the resulting window can be opened
+# on the original workspace that the command was run on.
+set $menu bemenu-run
+
+# xwayland enable|disable|force
+# - enable: lazily launch xwayland on first client connection
+# - disable: never launch xwayland
+# - force: launch xwayland immediately on boot
+# XWayland uses about 35MB RSS even when idle
+xwayland disable
+
+font "Sxmo 10"
+
+exec_always sxmo_swayinitconf.sh
+
+exec_always dbus-update-activation-environment WAYLAND_DISPLAY XDG_CURRENT_DESKTOP
+
+mode "menu" {
+    bindsym --input-device=1:1:1c21800.lradc XF86AudioMute exec nothing # just a placeholder for "menu" mode
+}
+
+### Key bindings
+#
+# Basics:
+#
+    # Start a terminal
+    bindsym $mod+Return exec $term
+
+    # Launch appmenu
+    bindsym $mod+p exec sxmo_appmenu.sh
+
+    # Launch scripts menu
+    bindsym $mod+i exec sxmo_appmenu.sh scripts
+
+    # Kill focused window
+    bindsym $mod+Shift+q kill
+
+    # Start your launcher
+    bindsym $mod+d exec $menu
+
+    # Drag floating windows by holding down $mod and left mouse button.
+    # Resize them with right mouse button + $mod.
+    # Despite the name, also works for non-floating windows.
+    # Change normal to inverse to use left mouse button for resizing and right
+    # mouse button for dragging.
+    floating_modifier $mod normal
+
+    # Reload the configuration file
+    bindsym $mod+Shift+c reload
+
+    # Exit sway (logs you out of your Wayland session)
+    bindsym $mod+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
+#
+# Moving around:
+#
+    # Move your focus around
+    bindsym $mod+$left focus left
+    bindsym $mod+$down focus down
+    bindsym $mod+$up focus up
+    bindsym $mod+$right focus right
+    # Or use $mod+[up|down|left|right]
+    bindsym $mod+Left focus left
+    bindsym $mod+Down focus down
+    bindsym $mod+Up focus up
+    bindsym $mod+Right focus right
+
+    # Move the focused window with the same, but add Shift
+    bindsym $mod+Shift+$left move left
+    bindsym $mod+Shift+$down move down
+    bindsym $mod+Shift+$up move up
+    bindsym $mod+Shift+$right move right
+    # Ditto, with arrow keys
+    bindsym $mod+Shift+Left move left
+    bindsym $mod+Shift+Down move down
+    bindsym $mod+Shift+Up move up
+    bindsym $mod+Shift+Right move right
+
+    # Move the focused workspace to output
+    bindsym $mod+Shift+Ctrl+$left move workspace output left
+    bindsym $mod+Shift+Ctrl+$down move workspace output down
+    bindsym $mod+Shift+Ctrl+$up move workspace output up
+    bindsym $mod+Shift+Ctrl+$right move workspace output right
+#
+# Workspaces:
+#
+    # Switch to workspace
+    bindsym $mod+1 workspace number 1
+    bindsym $mod+2 workspace number 2
+    bindsym $mod+3 workspace number 3
+    bindsym $mod+4 workspace number 4
+    bindsym $mod+5 workspace number 5
+    bindsym $mod+6 workspace number 6
+    bindsym $mod+7 workspace number 7
+    bindsym $mod+8 workspace number 8
+    bindsym $mod+9 workspace number 9
+    bindsym $mod+0 workspace number 10
+    # Move focused container to workspace
+    bindsym $mod+Shift+1 move container to workspace number 1
+    bindsym $mod+Shift+2 move container to workspace number 2
+    bindsym $mod+Shift+3 move container to workspace number 3
+    bindsym $mod+Shift+4 move container to workspace number 4
+    bindsym $mod+Shift+5 move container to workspace number 5
+    bindsym $mod+Shift+6 move container to workspace number 6
+    bindsym $mod+Shift+7 move container to workspace number 7
+    bindsym $mod+Shift+8 move container to workspace number 8
+    bindsym $mod+Shift+9 move container to workspace number 9
+    bindsym $mod+Shift+0 move container to workspace number 10
+    # Note: workspaces can have any name you want, not just numbers.
+    # We just use 1-10 as the default.
+#
+# Layout stuff:
+#
+    # You can "split" the current object of your focus with
+    # $mod+b or $mod+v, for horizontal and vertical splits
+    # respectively.
+    bindsym $mod+b splith
+    bindsym $mod+v splitv
+
+    # Switch the current container between different layout styles
+    bindsym $mod+s layout stacking
+    bindsym $mod+w layout tabbed
+    bindsym $mod+e layout toggle split
+
+    # Make the current focus fullscreen
+    # bindsym $mod+f fullscreen
+
+    # Toggle the current focus between tiling and floating mode
+    bindsym $mod+Shift+space floating toggle
+
+    # Swap focus between the tiling area and the floating area
+    bindsym $mod+space focus mode_toggle
+
+    # Move focus to the parent container
+    bindsym $mod+a focus parent
+#
+# Scratchpad:
+#
+    # Sway has a "scratchpad", which is a bag of holding for windows.
+    # You can send windows there and get them back later.
+
+    # Move the currently focused window to the scratchpad
+    bindsym $mod+Shift+minus move scratchpad
+
+    # Show the next scratchpad window or hide the focused scratchpad window.
+    # If there are multiple scratchpad windows, this command cycles through them.
+    bindsym $mod+minus scratchpad show
+#
+# Resizing containers:
+#
+mode "resize" {
+    # left will shrink the containers width
+    # right will grow the containers width
+    # up will shrink the containers height
+    # down will grow the containers height
+    bindsym $left resize shrink width 10px
+    bindsym $down resize grow height 10px
+    bindsym $up resize shrink height 10px
+    bindsym $right resize grow width 10px
+
+    # Ditto, with arrow keys
+    bindsym Left resize shrink width 10px
+    bindsym Down resize grow height 10px
+    bindsym Up resize shrink height 10px
+    bindsym Right resize grow width 10px
+
+    # Return to default mode
+    bindsym Return mode "default"
+    bindsym Escape mode "default"
+}
+bindsym $mod+r mode "resize"
+
+#
+# Status Bar:
+#
+# Read `man 5 sway-bar` for more information about this section.
+bar {
+    position top
+
+    # When the status_command prints a new line to stdout, swaybar updates.
+    # The default just shows the current date and time.
+    status_command sxmo_status_watch.sh -o pango
+    swaybar_command @waybar@
+
+    pango_markup enabled
+
+    colors {
+        statusline #ffffff
+        background #323232
+        inactive_workspace #32323200 #32323200 #5c5c5c
+        font "Sxmo"
+    }
+}
+
+for_window [app_id="foot" title=".*sxmo/modem/.*/draft.txt.*"] resize set height 25
+for_window [title="megapixels"] inhibit_idle open
+
+default_border pixel 3
+titlebar_border_thickness 3
+hide_edge_borders smart
+
+include /etc/sway/config.d/*
+
+exec 'printf %s "$SWAYSOCK" > "$XDG_RUNTIME_DIR"/sxmo.swaysock'
+
+exec sxmo_hook_start.sh

hosts/modules/gui/sxmo/waybar-config.nix

@@ -0,0 +1,34 @@
+# docs: https://github.com/Alexays/Waybar/wiki/Configuration
+# format specifiers: https://fmt.dev/latest/syntax.html#syntax
+{ pkgs }:
+[
+  { # TOP BAR
+    layer = "top";
+    height = 32;
+
+    modules-left = [ "sway/workspaces" ];
+    modules-center = [ ];
+    modules-right = [ "custom/sxmo" ];
+
+    "sway/workspaces" = {
+      all-outputs = true;
+      # force the bar to always show even empty workspaces
+      persistent_workspaces = {
+        "1" = [];
+        "2" = [];
+        "3" = [];
+        "4" = [];
+        "5" = [];
+      };
+    };
+
+    "custom/sxmo" = {
+      # this gives wifi state, batter, mic/speaker, lockstate, time all as one widget.
+      # a good starting point, but may want to split these apart later to make things configurable.
+      # e.g. distinct vol-up & vol-down buttons next to the speaker?
+      exec = "sxmo_status.sh";
+      interval = 1;
+      format = "{}";
+    };
+  }
+]

hosts/modules/hosts.nix

@@ -26,6 +26,11 @@ let
           e.g. "ssh-ed25519 AAAA<base64>".
         '';
       };
+      ssh.authorized = mkOption {
+        type = types.bool;
+        default = true;
+        description = "make this host's ssh key be an authorized_key for the system being deployed to";
+      };
       wg-home.pubkey = mkOption {
         type = types.nullOr types.str;
         default = null;
@@ -92,6 +97,7 @@ in
     };
 
     sane.hosts.by-name."moby" = {
+      ssh.authorized = lib.mkDefault false;  # moby's too easy to hijack: don't let it ssh places
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
       wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
@@ -100,6 +106,7 @@ in
     };
 
     sane.hosts.by-name."servo" = {
+      ssh.authorized = lib.mkDefault false;  # servo presents too many services to the internet: easy atack vector
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
       wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";

hosts/modules/nixcache.nix

@@ -25,16 +25,16 @@ in
       default = config.sane.nixcache.enable;
       type = types.bool;
     };
-    sane.nixcache.substituters = mkOption {
-      type = types.listOf types.str;
-      default =
-        # TODO: make these blacklisted entries injectable
-        (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
-        ++ (lib.optional (hostName != "servo" && hostName != "desko") "http://desko:5000")
-        ++ [
-          "https://nix-community.cachix.org"
-          "https://cache.nixos.org/"
-        ];
+    sane.nixcache.substituters = let
+      subOpt = mkOption {
+        default = true;
+        type = types.bool;
+      };
+    in {
+      servo = subOpt;
+      desko = subOpt;
+      nixos = subOpt;
+      cachix = subOpt;
     };
   };
 
@@ -43,7 +43,12 @@ in
     # to explicitly build from a specific cache (in case others are down):
     # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
     # - `nix build ... --substituters http://desko:5000`
-    nix.settings.substituters = mkIf cfg.enable cfg.substituters;
+    nix.settings.substituters = mkIf cfg.enable (lib.flatten [
+      (lib.optional cfg.substituters.servo  "https://nixcache.uninsane.org")
+      (lib.optional cfg.substituters.desko  "http://desko:5000")
+      (lib.optional cfg.substituters.nixos  "https://cache.nixos.org/")
+      (lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
+    ]);
     # always trust our keys (so one can explicitly use a substituter even if it's not the default
     nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
       "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="

hosts/modules/roles/build-machine.nix

@@ -17,14 +17,11 @@ in
     };
     ccache = mkOption {
       type = types.bool;
-      default = true;
+      default = false;
     };
   };
 
   config = mkMerge [
-    ({
-      sane.programs.qemu = pkgs.qemu;
-    })
     (mkIf cfg.enable {
       # enable opt-in emulation of any package at runtime.
       # i.e. `nix build '.#host-pkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
@@ -77,7 +74,7 @@ in
       programs.ccache.enable = true;
       nix.settings.extra-sandbox-paths = [ cacheDir ];
       sane.persist.sys.plaintext = [
-        { group = "nixbld"; mode = "0775"; directory = config.programs.ccache.cacheDir; }
+        { group = "nixbld"; mode = "0775"; path = config.programs.ccache.cacheDir; }
       ];
       sane.fs."${cacheDir}/ccache.conf" = sane-lib.fs.wantedText ''
         max_size = 50G

hosts/modules/roles/client/bluetooth-pairings.nix

@@ -1,5 +1,12 @@
 { config, lib, pkgs, ... }:
 
+let
+  install-bluetooth = pkgs.static-nix-shell.mkBash {
+    pname = "install-bluetooth";
+    src = ./.;
+    pkgs = [ "gnused" ];
+  };
+in
 {
   config = lib.mkIf config.sane.roles.client {
     # persist external pairings by default
@@ -8,11 +15,12 @@
     sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
     sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
       wantedBeforeBy = [ "bluetooth.service" ];
-      # XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
-      generated.script.script = builtins.readFile ../../../../scripts/install-bluetooth + ''
-        touch "/var/lib/bluetooth/.secrets.stamp"
-      '';
-      generated.script.scriptArgs = [ "/run/secrets/bt" ];
+      generated.command = [
+        "${install-bluetooth}/bin/install-bluetooth"
+        "/run/secrets/bt"
+        ""
+        "/var/lib/bluetooth/.secrets.stamp"
+      ];
     };
   };
 }

hosts/modules/roles/client/install-bluetooth

@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p gnused
 # usage: install-bluetooth <source_dir> <destdir>
 # source_dir contains plain-text files of any filename.
 # for each file, this extracts the MAC and creates a symlink in destdir which
@@ -11,6 +12,7 @@
 
 srcdir="$1"
 destdir="$2"
+stamp="$3"
 
 if [ "x$destdir" = "x" ]
 then
@@ -35,3 +37,8 @@ do
     touch "$condir/attributes"
   fi
 done
+
+if [ "x$stamp" != "x" ]
+then
+  touch "$stamp"
+fi

hosts/modules/roles/client/install-nm

@@ -0,0 +1,83 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])"
+
+import argparse
+import json
+import os.path
+
+from dataclasses import dataclass
+
+@dataclass
+class Connection:
+    comment: str | None
+    ssid: str
+    passphrase: str | None
+
+def parse_manifest(manifest_path: str) -> list[Connection]:
+    for entry in json.load(open(manifest_path)):
+        comment = entry.get("comment")
+        ssid = entry["ssid"]
+        passphrase = entry.get("passphrase")
+        if ssid != "<EOF>":
+            yield Connection(comment=comment, ssid=ssid, passphrase=passphrase)
+
+def write_iwd(fh: "file", con: Connection) -> None:
+    fh.write("[Security]\n")
+    if con.passphrase is not None:
+        fh.write(f"Passphrase={con.passphrase}\n")
+
+def write_nm(fh: "file", con: Connection) -> None:
+    fh.write("[connection]\n")
+    fh.write(f"id={con.ssid}\n")
+    fh.write("type=wifi\n")  #< TODO: needed?
+
+    fh.write("\n")
+    fh.write("[wifi]\n")
+    fh.write("mode=infrastructure\n")
+    fh.write(f"ssid={con.ssid}\n")
+
+    fh.write("\n")
+    fh.write("[wifi-security]\n")
+    fh.write("auth-alg=open\n")
+    fh.write("key-mgmt=wpa-psk\n")
+    if con.passphrase is not None:
+        fh.write(f"psk={con.passphrase}\n")
+
+    fh.write("\n")
+    fh.write("[ipv4]\n")
+    fh.write("method=auto\n")
+
+    fh.write("\n")
+    fh.write("[ipv6]\n")
+    fh.write("addr-gen-mode=default\n")
+    fh.write("method=auto\n")
+
+def install_all(manifest: list[Connection], destination: str, flavor: str) -> None:
+    ext, writer = dict(
+        iwd=("psk", write_iwd),
+        nm=("nmconnection", write_nm),
+    )[flavor]
+    for con in manifest:
+        path = os.path.join(destination, f"{con.ssid}.{ext}")
+        with open(path, "w") as fh:
+            writer(fh, con)
+
+def stamp(destination: str, stamp: str) -> None:
+    if stamp:
+        with open(os.path.join(destination, stamp), "w"):
+            pass
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="create network connection descriptions from a static manifest")
+    parser.add_argument("manifest", help="path to the manifest.json")
+    parser.add_argument("destination", help="directory in which to install files")
+    parser.add_argument("--flavor", help="'nm' or 'iwd' based on which program will read the results", default="iwd")
+    parser.add_argument("--stamp", default=".install-nm.stamp", help="relative path of empty file to touch after completion")
+
+    args = parser.parse_args()
+    manifest = parse_manifest(args.manifest)
+    install_all(manifest, args.destination, flavor=args.flavor)
+    stamp(args.destination, args.stamp)
+
+if __name__ == "__main__":
+    main()

hosts/modules/roles/client/wifi-pairings.nix

@@ -1,23 +1,36 @@
 { config, lib, pkgs, ... }:
 
 let
-  install-iwd = pkgs.static-nix-shell.mkBash {
-    pname = "install-iwd";
-    src = ../../../../scripts;
-    pkgs = [ "gnused" ];
+  install-nm = pkgs.static-nix-shell.mkPython3Bin {
+    pname = "install-nm";
+    src = ./.;
   };
 in
 {
   config = lib.mkIf config.sane.roles.client {
-    sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
+    sane.fs."/var/lib/iwd/.install-nm.stamp" = {
       wantedBeforeBy = [ "iwd.service" ];
       generated.acl.mode = "0600";
-      # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
-      generated.script.script = ''
-        ${install-iwd}/bin/install-iwd $@
-        touch "/var/lib/iwd/.secrets.psk.stamp"
-      '';
-      generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" ];
+      generated.command = [
+        "${install-nm}/bin/install-nm"
+        "/run/secrets/net/all.json"
+        "/var/lib/iwd"
+        "--stamp" ".install-nm.stamp"
+        "--flavor" "iwd"
+      ];
+    };
+
+    sane.fs."/var/lib/NetworkManager/system-connections".dir.acl.mode = "0700";
+    sane.fs."/var/lib/NetworkManager/system-connections/.install-nm.stamp" = {
+      wantedBeforeBy = [ "NetworkManager.service" ];
+      generated.acl.mode = "0600";
+      generated.command = [
+        "${install-nm}/bin/install-nm"
+        "/run/secrets/net/all.json"
+        "/var/lib/NetworkManager/system-connections"
+        "--stamp" ".install-nm.stamp"
+        "--flavor" "nm"
+      ];
     };
   };
 }

hosts/modules/roles/default.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ config, lib, ... }:
 {
   imports = [
     ./ac.nix
@@ -6,4 +6,13 @@
     ./client
     ./dev-machine.nix
   ];
+
+  fileSystems."/tmp" = lib.mkIf (config.sane.roles.build-machine.enable || config.sane.roles.dev-machine) {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=777"
+      "defaults"
+    ];
+  };
 }

hosts/modules/roles/dev-machine.nix

@@ -23,6 +23,7 @@ in
     })
     (mkIf cfg {
       sane.programs.docsets.enableFor.system = true;
+      sane.programs.ldd-aarch64.enableFor.user.colin = true;
       # TODO: migrate this to `sane.user.programs.zeal.enable = true`
       sane.programs.zeal.enableFor.user.colin = true;
     })