cross: fix enableParallelBuilding to work

```
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/9e1960bc196baf6881340d53dccb203a951745a2' (2023-08-01)
  → 'github:nixos/nixpkgs/66aedfd010204949cb225cf749be08cb13ce1813' (2023-08-02)
```

README.md

@@ -16,6 +16,8 @@ directly here; even the sources for those packages is often kept here too.
 [uninsane-org]: https://uninsane.org
 
 ## Layout
+- `doc/`
+    - instructions for tasks i find myself doing semi-occasionally in this repo.
 - `hosts/`
     - the bulk of config which isn't factored with external use in mind.
     - that is, if you were to add this repo to a flake.nix for your own use,
@@ -37,9 +39,7 @@ directly here; even the sources for those packages is often kept here too.
     - inline code for wholly custom packages (e.g. `pkgs/additional/sane-scripts/` for CLI tools
       that are highly specific to my setup).
 - `scripts/`
-    - scripts which are referenced by other things in this repo.
-    - these aren't generally user-facing, but they're factored out so that they can
-      be invoked directly when i need to debug.
+    - scripts which aren't reachable on a deployed system, but may aid manual deployments
 - `secrets/`
     - encrypted keys, API tokens, anything which one or more of my machines needs
       read access to but shouldn't be world-readable.
@@ -106,3 +106,6 @@ this repo exists in a few known locations:
 
 if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc,
 you can reach me via any method listed [here](https://uninsane.org/about).
+patches, for this repo or any other i host, will be warmly welcomed in any manner you see fit:
+`git send-email`, DM'ing the patch over Matrix/Lemmy/ActivityPub/etc, even a literal PR where you
+link me to your own clone.

TODO.md

@@ -1,6 +1,7 @@
 ## BUGS
 - why i need to manually restart `wireguard-wg-ovpns` on servo periodically
-	- else DNS fails
+  - else DNS fails
+- fix epiphany URL bar input on moby
 
 ## REFACTORING:
 
@@ -14,8 +15,6 @@
     - will make it easier to test new services?
 
 ### upstreaming
-- split out a trust-dns module
-  - see: <https://github.com/NixOS/nixpkgs/pull/205866#issuecomment-1575753054>
 - split out a sxmo module usable by NUR consumers
 - bump nodejs version in lemmy-ui
 - add updateScripts to all my packages in nixpkgs
@@ -39,25 +38,25 @@
     - flatpak does this, somehow
     - apparmor?  SElinux?  (desktop) "portals"?
     - see Spectrum OS; Alyssa Ross; etc
+    - bubblewrap-based sandboxing: <https://github.com/nixpak/nixpak>
 - canaries for important services
     - e.g. daily email checks; daily backup checks
     - integrate `nix check` into Gitea actions?
 
 ### user experience
 - neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
-- firefox/librewolf: don't show browserpass/sponsorblock/metamask "first run" on every boot
+- Helix: make copy-to-system clipboard be the default
+- firefox/librewolf: persist history
+  - just not cookies or tabs
 - moby: improve gPodder launch time
 - moby: theme GTK apps (i.e. non-adwaita styles)
   - especially, make the menubar collapsible
+  - try Gradience tool specifically for theming adwaita? <https://linuxphoneapps.org/apps/com.github.gradienceteam.gradience/>
 - package Nix/NixOS docs for Zeal
     - install [doc-browser](https://github.com/qwfy/doc-browser)
     - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
     - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
-- `sane.programs`: auto-populate defaults with everything from `pkgs`
-- `sane.persist`: auto-create parent dirs in ~/private
-  - currently if the application doesn't autocreate dirs leading to its destination, then ~/private storage fails
-  - this might be why librewolf on mobile is still amnesiac
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
 - uninsane.org: make URLs relative to allow local use (and as offline homepage)
 - email: fix so that local mail doesn't go to junk
@@ -65,19 +64,15 @@
   - could change junk filter from "no DKIM success" to explicit "DKIM failed"
 
 ### perf
-- why does zsh take so long to init?
+- add `pkgs.impure-cached.<foo>` package set to build things with ccache enabled
+    - every package here can be auto-generated, and marked with some env var so that it doesn't pollute the pure package set
+    - would be super handy for package prototyping!
 - why does nixos-rebuild switch take 5 minutes when net is flakey?
     - trying to auto-mount servo?
     - something to do with systemd services restarting/stalling
     - maybe wireguard & its refresh operation, specifically?
-- fix OOM for large builds like webkitgtk
-    - these use significant /tmp space.
-    - either place /tmp on encrypted-cleared-at-boot storage
-        - which probably causes each CPU load for the encryption
-    - or have nix builds use a subdir of /tmp like /tmp/nix/...
-        - and place that on non-encrypted clear-on-boot (with very lax writeback/swappiness to minimize writes)
-    - **or set up encrypted swap**
-        - encrypted swap could remove the need for my encrypted-cleared-at-boot stuff
+- get moby to build without binfmt emulation (i.e. make all emulation explicit)
+  - then i can distribute builds across servo + desko, and also allow servo to pull packages from desko w/o worrying about purity
 
 
 ## NEW FEATURES:

doc/adding-a-program.md

@@ -0,0 +1,13 @@
+to ship `pkgs.foo` on some host, either:
+- add it as an entry in `suggestedPrograms` to the appropriate category in `hosts/common/programs/assorted.nix`, or
+- `sane.programs.foo.enableFor.user.colin = true` in `hosts/by-name/myhost/default.nix`
+
+if the program needs customization (persistence, configs, secrets):
+- add a file for it at `hosts/common/programs/<foo>.nix`
+- set the options, `sane.programs.foo.{fs,persist}`
+
+if it's unclear what fs paths a program uses:
+- run one of these commands, launch the program, run it again, and `diff`:
+  - `du -x --apparent-size ~`
+  - `find ~ -xdev`
+- or, inspect the whole tmpfs root with `ncdu -x /`

flake.lock

@@ -21,11 +21,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1683422260,
-        "narHash": "sha256-79zaClbubRkBNlJ04OSADILuLQHH48N5fu296hEWYlw=",
+        "lastModified": 1690059310,
+        "narHash": "sha256-4zcoDp8wwZVfGSzXltC5x+eH4kDWC/eJpyQNgr7shAA=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "ba4638836e94a8f16d1d1f9e8c0530b86078029c",
+        "rev": "56fc9f9619f305f0865354975a98d22410eed127",
         "type": "github"
       },
       "original": {
@@ -69,11 +69,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1687031877,
-        "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
+        "lastModified": 1690066826,
+        "narHash": "sha256-6L2qb+Zc0BFkh72OS9uuX637gniOjzU6qCDBpjB2LGY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
+        "rev": "ce45b591975d070044ca24e3003c830d26fea1c8",
         "type": "github"
       },
       "original": {
@@ -85,11 +85,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1688049487,
-        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
+        "lastModified": 1691006197,
+        "narHash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
+        "rev": "66aedfd010204949cb225cf749be08cb13ce1813",
         "type": "github"
       },
       "original": {
@@ -116,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1687398569,
-        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
+        "lastModified": 1690199016,
+        "narHash": "sha256-yTLL72q6aqGmzHq+C3rDp3rIjno7EJZkFLof6Ika7cE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
+        "rev": "c36df4fe4bf4bb87759b1891cab21e7a05219500",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687821285,
-        "narHash": "sha256-pw0UYKG8yhW1H3nPgAhVYCzYFXYtamMh2DmF8YhtRec=",
+        "lastModified": 1691106178,
+        "narHash": "sha256-3mZ9gTvMpbZA9ea9ovoQpn2wKuQY0QZ7MDdEjArYdAQ=",
         "ref": "refs/heads/master",
-        "rev": "ae27eb61b55b6c6d83c25384fb163df398a80265",
-        "revCount": 201,
+        "rev": "f4d91aa201b6e49af690f250d4786bd1d8b4dcfd",
+        "revCount": 205,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -174,6 +174,7 @@
         disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
         pkgs = final: prev: import ./overlays/pkgs.nix final prev;
         pins = final: prev: import ./overlays/pins.nix final prev;
+        preferences = final: prev: import ./overlays/preferences.nix final prev;
         optimizations = final: prev: import ./overlays/optimizations.nix final prev;
         passthru = final: prev:
           let
@@ -239,32 +240,58 @@
       apps."x86_64-linux" =
         let
           pkgs = self.legacyPackages."x86_64-linux";
-          deployScript = action: pkgs.writeShellScript "deploy-moby" ''
-            nixos-rebuild --flake '.#moby' build $@
-            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
-            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby --use-remote-sudo $@
+          deployScript = host: addr: action: pkgs.writeShellScript "deploy-${host}" ''
+            nix build '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./result-${host} $@
+            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result-${host})
+
+            # XXX: this triggers another config eval & (potentially) build.
+            # if the config changed between these invocations, the above signatures might not apply to the deployed config.
+            # let the user handle that edge case by re-running this whole command
+            nixos-rebuild --flake '.#${host}' ${action} --target-host colin@${addr} --use-remote-sudo $@
           '';
         in {
+          help = {
+            type = "app";
+            program = let
+              helpMsg = builtins.toFile "nixos-config-help-message" ''
+                commands:
+                - `nix run '.#help'`
+                  - show this message
+                - `nix run '.#update-feeds'`
+                  - updates metadata for all feeds
+                - `nix run '.#init-feed' <url>`
+                - `nix run '.#deploy-{lappy,moby,moby-test,servo}' [nixos-rebuild args ...]`
+                - `nix run '.#check-nur'`
+              '';
+            in builtins.toString (pkgs.writeShellScript "nixos-config-help" ''
+              cat ${helpMsg}
+            '');
+          };
           update-feeds = {
             type = "app";
             program = "${pkgs.feeds.updateScript}";
           };
 
           init-feed = {
-            # use like `nix run '.#init-feed' uninsane.org`
             type = "app";
             program = "${pkgs.feeds.initFeedScript}";
           };
 
-          deploy-moby-test = {
-            # `nix run '.#deploy-moby-test'`
+          deploy-lappy = {
             type = "app";
-            program = ''${deployScript "test"}'';
+            program = ''${deployScript "lappy" "lappy" "switch"}'';
+          };
+          deploy-moby-test = {
+            type = "app";
+            program = ''${deployScript "moby" "moby-hn" "test"}'';
           };
           deploy-moby = {
-            # `nix run '.#deploy-moby-switch'`
             type = "app";
-            program = ''${deployScript "switch"}'';
+            program = ''${deployScript "moby" "moby-hn" "switch"}'';
+          };
+          deploy-servo = {
+            type = "app";
+            program = ''${deployScript "servo" "servo" "switch"}'';
           };
 
           check-nur = {

hosts/by-name/desko/default.nix

@@ -4,11 +4,10 @@
     ./fs.nix
   ];
 
-  sane.guest.enable = true;
+  # sane.guest.enable = true;
 
-  # TODO: make sure this plays nice with impermanence
-  services.distccd.enable = true;
-  sane.programs.distcc.enableFor.user.guest = true;
+  # services.distccd.enable = true;
+  # sane.programs.distcc.enableFor.user.guest = true;
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
@@ -23,9 +22,11 @@
 
   sane.gui.sway.enable = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;
+  sane.programs.steam.enableFor.user.colin = true;
 
   sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
-  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
+  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" "desktopConsoleUtils" ];
+  # sane.programs.devPkgs.enableFor.user.colin = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
@@ -35,6 +36,7 @@
 
   # don't enable wifi by default: it messes with connectivity.
   systemd.services.iwd.enable = false;
+  systemd.services.wpa_supplicant.enable = false;
 
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
@@ -48,17 +50,6 @@
     ALLOW_USERS = [ "colin" ];
   };
 
-  programs.steam = {
-    enable = true;
-    # not sure if needed: stole this whole snippet from the wiki
-    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
-    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
-  };
-  sane.user.persist.plaintext = [
-    ".steam"
-    ".local/share/Steam"
-  ];
-
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";
 }

hosts/by-name/desko/fs.nix

@@ -2,17 +2,10 @@
 
 {
   sane.persist.root-on-tmpfs = true;
-  # we need a /tmp for building large nix things.
+  # increase /tmp space (defaults to 50% of RAM) for building large nix things.
   # a cross-compiled kernel, particularly, will easily use 30+GB of tmp
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=777"
-      "size=64G"
-      "defaults"
-    ];
-  };
+  fileSystems."/tmp".options = [ "size=64G" ];
+
   fileSystems."/nix" = {
     # device = "/dev/disk/by-uuid/985a0a32-da52-4043-9df7-615adec2e4ff";
     device = "/dev/disk/by-uuid/0ab0770b-7734-4167-88d9-6e4e20bb2a56";

hosts/by-name/lappy/default.nix

@@ -19,7 +19,7 @@
     "desktopGuiApps"
     "stepmania"
   ];
-  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
+  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" "desktopConsoleUtils" ];
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
@@ -34,9 +34,6 @@
     ALLOW_USERS = [ "colin" ];
   };
 
-  # TODO: only here for debugging
-  # services.ipfs.enable = true;
-
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";
 }

hosts/by-name/lappy/fs.nix

@@ -2,15 +2,6 @@
 
 {
   sane.persist.root-on-tmpfs = true;
-  # we need a /tmp of default size (half RAM) for building large nix things
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=777"
-      "defaults"
-    ];
-  };
 
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/75230e56-2c69-4e41-b03e-68475f119980";

hosts/by-name/moby/default.nix

@@ -1,13 +1,26 @@
+# Pinephone
+# other setups to reference:
+# - <https://hamblingreen.gitlab.io/2022/03/02/my-pinephone-setup.html>
+#   - sxmo Arch user. lots of app recommendations
+#
+# wikis, resources, ...:
+# - Linux Phone Apps: <https://linuxphoneapps.org/>
+#   - massive mobile-friendly app database
+# - Mobian wiki: <https://wiki.mobian-project.org/doku.php?id=start>
+#   - recommended apps, chatrooms
+
 { config, pkgs, lib, ... }:
 {
   imports = [
-    ./firmware.nix
+    ./bootloader.nix
     ./fs.nix
+    ./gps.nix
     ./kernel.nix
     ./polyfill.nix
   ];
 
   sane.roles.client = true;
+  sane.zsh.showDeadlines = false;  # unlikely to act on them when in shell
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
 
@@ -18,35 +31,31 @@
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
-  sane.programs.web-browser.config = {
-    # compromise impermanence for the sake of usability
-    persistCache = "private";
-    persistData = "private";
-
-    # i don't do crypto stuff on moby
-    addons.ether-metamask.enable = false;
-    # addons.sideberry.enable = false;
-  };
-
   sane.user.persist.plaintext = [
     # TODO: make this just generally conditional upon pulse being enabled?
     ".config/pulse"  # persist pulseaudio volume
   ];
 
   sane.gui.sxmo.enable = true;
+  sane.programs.guiApps.suggestedPrograms = [ "handheldGuiApps" ];
   # sane.programs.consoleUtils.enableFor.user.colin = false;
   # sane.programs.guiApps.enableFor.user.colin = false;
   sane.programs.sequoia.enableFor.user.colin = false;
   sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
-  # disabled for faster deploys (gthumb depends on webkitgtk, particularly)
+  # disabled for faster deploys
   sane.programs.soundconverter.enableFor.user.colin = false;
-  sane.programs.jellyfin-media-player.enableFor.user.colin = false;
+
+  # sane.programs.firefox.mime.priority = 300;  # prefer other browsers when possible
+  # HACK/TODO: make `programs.P.env.VAR` behave according to `mime.priority`
+  # sane.programs.firefox.env = lib.mkForce {};
+  # sane.programs.epiphany.env.BROWSER = "epiphany";
+  # sane.programs.firefox.enableFor.user.colin = false;  # use epiphany instead
+
   # sane.programs.mpv.enableFor.user.colin = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.
   # even 10 can be too much
-  # TODO: compress moby kernels!
   boot.loader.generic-extlinux-compatible.configurationLimit = 8;
   # mobile.bootloader.enable = false;
   # mobile.boot.stage-1.enable = false;
@@ -105,6 +114,50 @@
     services.wireplumber.environment.ALSA_CONFIG_UCM2         = ucm-env;
   };
 
+  services.udev.extraRules = let
+    chmod = "${pkgs.coreutils}/bin/chmod";
+    chown = "${pkgs.coreutils}/bin/chown";
+  in ''
+    # make Pinephone flashlight writable by user.
+    # taken from postmarketOS: <repo:postmarketOS/pmaports:device/main/device-pine64-pinephone/60-flashlight.rules>
+    SUBSYSTEM=="leds", DEVPATH=="*/*:flash", RUN+="${chmod} g+w /sys%p/brightness /sys%p/flash_strobe", RUN+="${chown} :video /sys%p/brightness /sys%p/flash_strobe"
+
+    # make Pinephone front LEDs writable by user.
+    SUBSYSTEM=="leds", DEVPATH=="*/*:indicator", RUN+="${chmod} g+w /sys%p/brightness", RUN+="${chown} :video /sys%p/brightness"
+  '';
 
   hardware.opengl.driSupport = true;
+
+  services.xserver.displayManager.job.preStart = let
+    dmesg = "${pkgs.util-linux}/bin/dmesg";
+    grep = "${pkgs.gnugrep}/bin/grep";
+    modprobe = "${pkgs.kmod}/bin/modprobe";
+  in ''
+    # common boot failure:
+    # blank screen (no backlight even), with the following log:
+    # ```syslog
+    # sun8i-dw-hdmi 1ee0000.hdmi: Couldn't get the HDMI PHY
+    # ...
+    # sun4i-drm display-engine: Couldn't bind all pipelines components
+    # ...
+    # sun8i-dw-hdmi: probe of 1ee0000.hdmi failed with error -17
+    # ```
+    #
+    # in particular, that `probe ... failed` occurs *only* on failed boots
+    # (the other messages might sometimes occur even on successful runs?)
+    #
+    # reloading the sun8i hdmi driver usually gets the screen on, showing boot text.
+    # then restarting display-manager.service gets us to the login.
+    #
+    # NB: the above log is default level. though less specific, there's a `err` level message that also signals this:
+    # sun4i-drm display-engine: failed to bind 1ee0000.hdmi (ops sun8i_dw_hdmi_ops [sun8i_drm_hdmi]): -17
+
+    if (${dmesg} --kernel --level err --color=never --notime | ${grep} -q 'sun4i-drm display-engine: failed to bind 1ee0000.hdmi')
+    then
+      echo "reprobing sun8i_drm_hdmi"
+      # if a command here fails it errors the whole service, so prefer to log instead
+      ${modprobe} -r sun8i_drm_hdmi || echo "failed to unload sun8i_drm_hdmi"
+      ${modprobe} sun8i_drm_hdmi || echo "failed to load sub8i_drm_hdmi"
+    fi
+  '';
 }

hosts/by-name/moby/gps.nix

@@ -0,0 +1,24 @@
+# pinephone GPS happens in EG25 modem
+# serial control interface to modem is /dev/ttyUSB2
+# after enabling GPS, readout is /dev/ttyUSB1
+#
+# minimal process to enable modem and GPS:
+# - `echo 1 > /sys/class/modem-power/modem-power/device/powered`
+# - `screen /dev/ttyUSB2 115200`
+#   - `AT+QGPSCFG="nmeasrc",1`
+#   - `AT+QGPS=1`
+#
+# now, something like `gpsd` can directly read from /dev/ttyUSB1.
+#
+# initial GPS fix can take 15+ minutes.
+# meanwhile, services like eg25-manager can speed this up by uploading assisted GPS data to the modem.
+#
+# geoclue somehow fits in here as a geospatial provider that leverages GPS and also other sources like radio towers
+
+{ ... }:
+{
+  services.gpsd.enable = true;
+  services.gpsd.devices = [ "/dev/ttyUSB1" ];
+
+  # TODO: enable eg25-manager, and bring online both the modem and GPS on boot
+}

hosts/by-name/moby/polyfill.nix

@@ -1,18 +1,171 @@
-{ pkgs, sane-lib, ... }:
+# this file configures preferences per program, without actually enabling any programs.
+# the goal is to separate the place where we decide *what* to use (i.e. `sane.programs.firefox.enable = true` -- at the toplevel)
+# from where we specific how that thing should behave *if* it's in use.
+#
+# NixOS backgrounds:
+# - <https://github.com/NixOS/nixos-artwork>
+#   - <https://github.com/NixOS/nixos-artwork/issues/50>  (colorful; unmerged)
+#   - <https://github.com/NixOS/nixos-artwork/pull/60/files>  (desktop-oriented; clean; unmerged)
+# - <https://itsfoss.com/content/images/2023/04/nixos-tutorials.png>
+
+{ lib, pkgs, sane-lib, ... }:
+let
+  # TODO: generate this from the .svg
+  # bg = ./nixos-bg-02.png;
+  bg = pkgs.runCommand "nixos-bg.png" { nativeBuildInputs = [ pkgs.inkscape ]; } ''
+    inkscape ${./nixos-bg-02.svg} -o $out
+  '';
+in
 {
+  sane.programs.firefox.config = {
+    # compromise impermanence for the sake of usability
+    persistCache = "private";
+    persistData = "private";
+
+    # i don't do crypto stuff on moby
+    addons.ether-metamask.enable = false;
+    # sidebery UX doesn't make sense on small screen
+    addons.sidebery.enable = false;
+  };
+
   sane.gui.sxmo = {
+    nogesture = true;
     settings = {
-      # touch screen
+      ### hardware: touch screen
       SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-path/platform-1c2ac00.i2c-event";
       # vol and power are detected correctly by upstream
 
-      # preferences
-      # N.B. some deviceprofiles explicitly set SXMO_SWAY_SCALE, overwriting what we put here.
-      SXMO_SWAY_SCALE = "1.5";
-      SXMO_ROTATION_GRAVITY = "12800";
-      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff
+
+      ### preferences
+      # notable bemenu options:
+      #   - see `bemenu --help` for all
+      #   -P, --prefix          text to show before highlighted item.
+      #   --scrollbar           display scrollbar. (none (default), always, autohide)
+      #   -H, --line-height     defines the height to make each menu line (0 = default height). (wx)
+      #   -M, --margin          defines the empty space on either side of the menu. (wx)
+      #   -W, --width-factor    defines the relative width factor of the menu (from 0 to 1). (wx)
+      #   -B, --border          defines the width of the border in pixels around the menu. (wx)
+      #   -R  --border-radius   defines the radius of the border around the menu (0 = no curved borders).
+      #   --ch                  defines the height of the cursor (0 = scales with line height). (wx)
+      #   --cw                  defines the width of the cursor. (wx)
+      #   --hp                  defines the horizontal padding for the entries in single line mode. (wx)
+      #   --fn                  defines the font to be used ('name [size]'). (wx)
+      #   --tb                  defines the title background color. (wx)
+      #   --tf                  defines the title foreground color. (wx)
+      #   --fb                  defines the filter background color. (wx)
+      #   --ff                  defines the filter foreground color. (wx)
+      #   --nb                  defines the normal background color. (wx)
+      #   --nf                  defines the normal foreground color. (wx)
+      #   --hb                  defines the highlighted background color. (wx)
+      #   --hf                  defines the highlighted foreground color. (wx)
+      #   --fbb                 defines the feedback background color. (wx)
+      #   --fbf                 defines the feedback foreground color. (wx)
+      #   --sb                  defines the selected background color. (wx)
+      #   --sf                  defines the selected foreground color. (wx)
+      #   --ab                  defines the alternating background color. (wx)
+      #   --af                  defines the alternating foreground color. (wx)
+      #   --scb                 defines the scrollbar background color. (wx)
+      #   --scf                 defines the scrollbar foreground color. (wx)
+      #   --bdr                 defines the border color. (wx)
+      #
+      # colors are specified as `#RRGGBB`
+      # defaults:
+      # --ab "#222222"
+      # --af "#bbbbbb"
+      # --bdr "#005577"
+      # --border 3
+      # --cb "#222222"
+      # --center
+      # --cf "#bbbbbb"
+      # --fb "#222222"
+      # --fbb "#eeeeee"
+      # --fbf "#222222"
+      # --ff "#bbbbbb"
+      # --fixed-height
+      # --fn 'Sxmo 14'
+      # --hb "#005577"
+      # --hf "#eeeeee"
+      # --line-height 20
+      # --list 16
+      # --margin 40
+      # --nb "#222222"
+      # --nf "#bbbbbb"
+      # --no-overlap
+      # --no-spacing
+      # --sb "#323232"
+      # --scb "#005577"
+      # --scf "#eeeeee"
+      # --scrollbar autohide
+      # --tb "#005577"
+      # --tf "#eeeeee"
+      # --wrap
+      BEMENU_OPTS = let
+        bg = "#1d1721";       # slight purple
+        fg0 = "#d8d8d8";      # inactive text (light grey)
+        fg1 = "#ffffff";      # active text   (white)
+        accent0 = "#1f5e54";  # darker but saturated teal
+        accent1 = "#418379";  # teal (matches nixos-bg)
+        accent2 = "#5b938a";  # brighter but muted teal
+      in lib.concatStringsSep " " [
+        "--wrap --scrollbar autohide --fixed-height"
+        "--center --margin 45"
+        "--no-spacing"
+        # XXX: font size doesn't seem to take effect (would prefer larger)
+        "--fn 'Sxmo 14' --line-height 22 --border 3"
+        "--bdr '${accent0}'"                     # border
+        "--scf '${accent2}' --scb '${accent0}'"  # scrollbar
+        "--tb '${accent0}' --tf '${fg0}'"        # title
+        "--fb '${accent0}' --ff '${fg1}'"        # filter (i.e. text that's been entered)
+        "--hb '${accent1}' --hf '${fg1}'"        # selected item
+        "--nb '${bg}' --nf '${fg0}'"             # normal lines (even)
+        "--ab '${bg}' --af '${fg0}'"             # alternated lines (odd)
+        "--cf '${accent0}' --cb '${accent0}'"    # cursor (not very useful)
+      ];
       DEFAULT_COUNTRY = "US";
-      BROWSWER = "librewolf";
+
+      # BEMENU lines (wayland DMENU):
+      # - camera is 9th entry
+      # - flashlight is 10th entry
+      # - config is 14th entry. inside that:
+      #   - autorotate is 11th entry
+      #   - system menu is 19th entry
+      #   - close is 20th entry
+      # - power is 15th entry
+      # - close is 16th entry
+      SXMO_BEMENU_LANDSCAPE_LINES = "11";  # default 8
+      SXMO_BEMENU_PORTRAIT_LINES = "16";  # default 16
+      SXMO_BG_IMG = "${bg}";
+      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff (default: 8)
+      # gravity: how far to tilt the device before the screen rotates
+      # for a given setting, normal <-> invert requires more movement then left <-> right
+      # i.e. the settingd doesn't feel completely symmetric
+      # SXMO_ROTATION_GRAVITY default is 16374
+      # SXMO_ROTATION_GRAVITY = "12800";  # uncomfortably high
+      # SXMO_ROTATION_GRAVITY = "12500";    # kinda uncomfortable when walking
+      SXMO_ROTATION_GRAVITY = "12000";
+      SXMO_SCREENSHOT_DIR = "/home/colin/Pictures";  # default: "$HOME"
+      # test new scales by running `swaymsg -- output DSI-1 scale x.y`
+      # SXMO_SWAY_SCALE = "1.5";  # hard to press gPodder icons
+      SXMO_SWAY_SCALE = "1.8";
+      # SXMO_SWAY_SCALE = "2";
+      SXMO_WORKSPACE_WRAPPING = "5";  # how many workspaces. default: 4
+
+      # wvkbd layers:
+      # - full
+      # - landscape
+      # - special  (e.g. coding symbols like ~)
+      # - emoji
+      # - nav
+      # - simple  (like landscape, but no parens/tab/etc; even fewer chars)
+      # - simplegrid  (simple, but grid layout)
+      # - dialer  (digits)
+      # - cyrillic
+      # - arabic
+      # - persian
+      # - greek
+      # - georgian
+      WVKBD_LANDSCAPE_LAYERS = "landscape,special,emoji";
+      WVKBD_LAYERS = "full,special,emoji";
     };
     package = pkgs.sxmo-utils.overrideAttrs (base: {
       postPatch = (base.postPatch or "") + ''

hosts/by-name/servo/default.nix

@@ -18,10 +18,16 @@
   sane.roles.build-machine.enable = true;
   sane.roles.build-machine.emulation = false;
   sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
+  sane.programs.consoleUtils.suggestedPrograms = [
+    "desktopConsoleUtils"
+    "sane-scripts.stop-all-servo"
+  ];
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.enableWan = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
+  sane.nixcache.substituters.servo = false;
+  sane.nixcache.substituters.desko = false;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 
   # automatically log in at the virtual consoles.

hosts/by-name/servo/fs.nix

@@ -2,15 +2,6 @@
 
 {
   sane.persist.root-on-tmpfs = true;
-  # we need a /tmp for building large nix things
-  fileSystems."/tmp" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = [
-      "mode=777"
-      "defaults"
-    ];
-  };
 
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/cc81cca0-3cc7-4d82-a00c-6243af3e7776";
@@ -44,7 +35,7 @@
 
   sane.persist.sys.plaintext = [
     # TODO: this is overly broad; only need media and share directories to be persisted
-    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
+    { user = "colin"; group = "users"; path = "/var/lib/uninsane"; }
   ];
   # make sure large media is stored to the HDD
   sane.persist.sys.ext = [
@@ -52,21 +43,22 @@
       user = "colin";
       group = "users";
       mode = "0777";
-      directory = "/var/lib/uninsane/media/Videos";
+      path = "/var/lib/uninsane/media/Videos";
     }
     {
       user = "colin";
       group = "users";
       mode = "0777";
-      directory = "/var/lib/uninsane/media/freeleech";
+      path = "/var/lib/uninsane/media/freeleech";
+    }
+    {
+      user = "colin";
+      group = "users";
+      mode = "0777";
+      path = "/var/lib/uninsane/media/datasets";
     }
   ];
 
-  # in-memory compressed RAM (seems to be dynamically sized)
-  # zramSwap = {
-  #   enable = true;
-  # };
-
   # btrfs doesn't easily support swapfiles
   # swapDevices = [
   #   { device = "/nix/persist/swapfile"; size = 4096; }

hosts/by-name/servo/services/calibre.nix

@@ -13,7 +13,7 @@ in
 lib.mkIf false
 {
   sane.persist.sys.plaintext = [
-    { inherit user group; mode = "0700"; directory = svc-dir; }
+    { inherit user group; mode = "0700"; path = svc-dir; }
   ];
 
   services.calibre-web.enable = true;

hosts/by-name/servo/services/ejabberd.nix

@@ -20,7 +20,7 @@
 # lib.mkIf false
 {
   sane.persist.sys.plaintext = [
-    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
+    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
   ];
   sane.ports.ports."3478" = {
     protocol = [ "tcp" "udp" ];

hosts/by-name/servo/services/email/postfix.nix

@@ -20,9 +20,9 @@ in
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
-    { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
-    { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
-    { user = "root"; group = "root"; directory = "/var/spool/mail"; }
+    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; }
+    { user = "root"; group = "root"; path = "/var/lib/postfix"; }
+    { user = "root"; group = "root"; path = "/var/spool/mail"; }
     # *probably* don't need these dirs:
     # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
     # "/var/lib/dovecot"

hosts/by-name/servo/services/freshrss.nix

@@ -16,7 +16,7 @@
     mode = "0400";
   };
   sane.persist.sys.plaintext = [
-    { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
+    { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; }
   ];
 
   services.freshrss.enable = true;

hosts/by-name/servo/services/gitea.nix

@@ -4,7 +4,7 @@
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
-    { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
+    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; }
   ];
   services.gitea.enable = true;
   services.gitea.user = "git";  # default is 'gitea'

hosts/by-name/servo/services/ipfs.nix

@@ -12,7 +12,7 @@ lib.mkIf false # i don't actively use ipfs anymore
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
-    { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
+    { user = "261"; group = "261"; path = "/var/lib/ipfs"; }
   ];
 
   networking.firewall.allowedTCPPorts = [ 4001 ];

hosts/by-name/servo/services/jackett.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
-    { user = "root"; group = "root"; directory = "/var/lib/jackett"; }
+    { user = "root"; group = "root"; path = "/var/lib/jackett"; }
   ];
   services.jackett.enable = true;
 

hosts/by-name/servo/services/jellyfin.nix

@@ -41,7 +41,7 @@
   };
 
   sane.persist.sys.plaintext = [
-    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; directory = "/var/lib/jellyfin"; }
+    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; }
   ];
   sane.fs."/var/lib/jellyfin/config/logging.json" = {
     # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>

hosts/by-name/servo/services/komga.nix

@@ -5,7 +5,7 @@ let
 in
 {
   sane.persist.sys.plaintext = [
-    { inherit user group; mode = "0700"; directory = stateDir; }
+    { inherit user group; mode = "0700"; path = stateDir; }
   ];
 
   services.komga.enable = true;

hosts/by-name/servo/services/matrix/default.nix

@@ -11,7 +11,7 @@
   ];
 
   sane.persist.sys.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
   ];
   services.matrix-synapse.enable = true;
   # this changes the default log level from INFO to WARN.

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -6,7 +6,7 @@
 lib.mkIf false
 {
   sane.persist.sys.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; }
   ];
 
   services.matrix-synapse.settings.app_service_config_files = [

hosts/by-name/servo/services/matrix/irc.nix

@@ -1,6 +1,5 @@
 # config docs:
 # - <https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml>
-# TODO: /quit message for bridged users reveals to IRC users that i'm using a bridge;
 #       probably want to remove that.
 { config, lib, ... }:
 
@@ -104,7 +103,7 @@ in
 
   sane.persist.sys.plaintext = [
     # TODO: mode?
-    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; directory = "/var/lib/matrix-appservice-irc"; }
+    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; }
   ];
 
   # XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,

hosts/by-name/servo/services/matrix/signal.nix

@@ -3,8 +3,8 @@
 { config, pkgs, ... }:
 {
   sane.persist.sys.plaintext = [
-    { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
-    { user = "signald"; group = "signald"; directory = "/var/lib/signald"; }
+    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; }
+    { user = "signald"; group = "signald"; path = "/var/lib/signald"; }
   ];
 
   # allow synapse to read the registration file

hosts/by-name/servo/services/navidrome.nix

@@ -2,7 +2,7 @@
 
 {
   sane.persist.sys.plaintext = [
-    { user = "navidrome"; group = "navidrome"; directory = "/var/lib/navidrome"; }
+    { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; }
   ];
   services.navidrome.enable = true;
   services.navidrome.settings = {

hosts/by-name/servo/services/nginx.nix

@@ -101,7 +101,8 @@ in
     };
 
     # allow ActivityPub clients to discover how to reach @user@uninsane.org
-    # TODO: waiting on https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3361/
+    # see: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3361/
+    # not sure this makes sense while i run multiple AP services (pleroma, lemmy)
     # locations."/.well-known/nodeinfo" = {
     #   proxyPass = "http://127.0.0.1:4000";
     #   extraConfig = pleromaExtraConfig;
@@ -134,8 +135,8 @@ in
 
   sane.persist.sys.plaintext = [
     # TODO: mode?
-    { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
-    { user = "colin"; group = "users"; directory = "/var/www/sites"; }
+    { user = "acme"; group = "acme"; path = "/var/lib/acme"; }
+    { user = "colin"; group = "users"; path = "/var/www/sites"; }
   ];
 
   # let's encrypt default chain looks like:

hosts/by-name/servo/services/pict-rs.nix

@@ -6,7 +6,7 @@ let
 in
 {
   sane.persist.sys.plaintext = lib.mkIf cfg.enable [
-    { user = "pict-rs"; group = "pict-rs"; directory = cfg.dataDir; }
+    { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; }
   ];
 
   systemd.services.pict-rs.serviceConfig = {

hosts/by-name/servo/services/pleroma.nix

@@ -1,16 +1,21 @@
 # docs:
-# - https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
-# - https://docs.pleroma.social/backend/configuration/cheatsheet/
+# - <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix>
+# - <https://docs.pleroma.social/backend/configuration/cheatsheet/>
+# example config:
+# - <https://git.pleroma.social/pleroma/pleroma/-/blob/develop/config/config.exs>
 #
-# to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
+# to run it in a oci-container: <https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix>
 #
 # admin frontend: <https://fed.uninsane.org/pleroma/admin>
 { config, pkgs, ... }:
 
+let
+  logLevel = "warn";
+  # logLevel = "debug";
+in
 {
   sane.persist.sys.plaintext = [
-    # TODO: mode? could be more granular
-    { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
+    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; }
   ];
   services.pleroma.enable = true;
   services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
@@ -98,8 +103,18 @@
       backends: [{ExSyslogger, :ex_syslogger}]
 
     config :logger, :ex_syslogger,
-      level: :warn
-    #  level: :debug
+      level: :${logLevel}
+
+    # policies => list of message rewriting facilities to be enabled
+    # transparence => whether to publish these rules in node_info (and /about)
+    config :pleroma, :mrf,
+      policies: [Pleroma.Web.ActivityPub.MRF.SimplePolicy],
+      transparency: true
+
+    # reject => { host, reason }
+    config :pleroma, :mrf_simple,
+      reject: [ {"threads.net", "megacorp"}, {"*.threads.net", "megacorp"} ]
+      # reject: [ [host: "threads.net", reason: "megacorp"], [host: "*.threads.net", reason: "megacorp"] ]
 
     # XXX colin: not sure if this actually _does_ anything
     # better to steal emoji from other instances?
@@ -152,6 +167,7 @@
     # inherit kTLS;
     locations."/" = {
       proxyPass = "http://127.0.0.1:4000";
+      recommendedProxySettings = true;
       # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
       extraConfig = ''
         # XXX colin: this block is in the nixos examples: i don't understand all of it
@@ -170,17 +186,18 @@
         add_header Referrer-Policy same-origin;
         add_header X-Download-Options noopen;
 
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        # proxy_set_header Host $http_host;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # proxy_http_version 1.1;
+        # proxy_set_header Upgrade $http_upgrade;
+        # proxy_set_header Connection "upgrade";
+        # # proxy_set_header Host $http_host;
+        # proxy_set_header Host $host;
+        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
         # colin: added this due to Pleroma complaining in its logs
         # proxy_set_header X-Real-IP $remote_addr;
         # proxy_set_header X-Forwarded-Proto $scheme;
 
+        # NB: this defines the maximum upload size
         client_max_body_size 16m;
       '';
     };

hosts/by-name/servo/services/postgres.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.plaintext = [
     # TODO: mode?
-    { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; }
   ];
   services.postgresql.enable = true;
   # services.postgresql.dataDir = "/opt/postgresql/13";

hosts/by-name/servo/services/prosody.nix

@@ -10,7 +10,7 @@
 lib.mkIf false
 {
   sane.persist.sys.plaintext = [
-    { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
+    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; }
   ];
   sane.ports.ports."5222" = {
     protocol = [ "tcp" ];

hosts/by-name/servo/services/transmission.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.plaintext = [
     # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
+    { user = "transmission"; group = "transmission"; path = "/var/lib/transmission"; }
   ];
   services.transmission.enable = true;
   services.transmission.settings = {

hosts/by-name/servo/services/trust-dns.nix

@@ -1,16 +1,18 @@
 { config, lib, pkgs, ... }:
 
 {
-  sane.services.trust-dns.enable = true;
+  services.trust-dns.enable = true;
 
-  sane.services.trust-dns.settings.listen_addrs_ipv4 = [
+  services.trust-dns.settings.listen_addrs_ipv4 = [
     # specify each address explicitly, instead of using "*".
     # this ensures responses are sent from the address at which the request was received.
     config.sane.hosts.by-name."servo".lan-ip
     "10.0.1.5"
   ];
-  sane.services.trust-dns.quiet = true;
-  # sane.services.trust-dns.debug = true;
+  # don't bind to IPv6 until i explicitly test that stack
+  services.trust-dns.settings.listen_addrs_ipv6 = [];
+  services.trust-dns.quiet = true;
+  # services.trust-dns.debug = true;
 
   sane.ports.ports."53" = {
     protocol = [ "udp" "tcp" ];
@@ -59,15 +61,9 @@
     ];
   };
 
-  # we need trust-dns to load our zone by relative path instead of /nix/store path
-  # because we generate it at runtime.
-  sane.services.trust-dns.settings.zones = [
-    {
-      zone = "uninsane.org";
-    }
-  ];
+  services.trust-dns.settings.zones = [ "uninsane.org" ];
 
-  sane.services.trust-dns.package =
+  services.trust-dns.package =
     let
       sed = "${pkgs.gnused}/bin/sed";
       zone-dir = "/var/lib/trust-dns";
@@ -104,6 +100,17 @@
       exit 1
     '';
 
+  systemd.services.trust-dns.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "trust-dns";
+    Group = "trust-dns";
+  };
+  users.groups.trust-dns = {};
+  users.users.trust-dns = {
+    group = "trust-dns";
+    isSystemUser = true;
+  };
+
   sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
 
   networking.nat.enable = true;

hosts/common/default.nix

@@ -23,9 +23,6 @@
   sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
   sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
 
-  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
-  sane.fs."/var/lib/private".dir.acl.mode = "0700";
-
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.allowBroken = true;  # NIXPKGS_ALLOW_BROKEN
 
@@ -60,36 +57,22 @@
     ManagedOOMSwap = "kill";
   };
 
-  # TODO: move this to gui machines only
-  fonts = {
-    enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
-    fontconfig.enable = true;
-    fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
-      monospace = [ "Hack" ];
-      serif = [ "DejaVu Serif" ];
-      sansSerif = [ "DejaVu Sans" ];
-    };
-  };
 
-  # XXX: twitter-color-emoji doesn't cross-compile; but not-fonts-emoji does
-  # fonts = {
-  #   enableDefaultFonts = true;
-  #   fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
-  #   fontconfig.enable = true;
-  #   fontconfig.defaultFonts = {
-  #     emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
-  #     monospace = [ "Hack" ];
-  #     serif = [ "DejaVu Serif" ];
-  #     sansSerif = [ "DejaVu Sans" ];
-  #   };
-  # };
+  system.activationScripts.nixClosureDiff = {
+    supportsDryActivation = true;
+    text = ''
+      # show which packages changed versions or are new/removed in this upgrade
+      # source: <https://github.com/luishfonseca/dotfiles/blob/32c10e775d9ec7cc55e44592a060c1c9aadf113e/modules/upgrade-diff.nix>
+      ${pkgs.nvd}/bin/nvd --nix-bin-dir=${pkgs.nix}/bin diff /run/current-system "$systemConfig"
+    '';
+  };
 
   # disable non-required packages like nano, perl, rsync, strace
   environment.defaultPackages = [];
 
   # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
+  # this lets programs temporarily write user-level dconf settings (aka gsettings).
+  # they're written to ~/.config/dconf/user, unless `DCONF_PROFILE` is set to something other than the default of /etc/dconf/profile/user
   # find keys/values with `dconf dump /`
   programs.dconf.enable = true;
   programs.dconf.packages = [
@@ -102,6 +85,7 @@
       '';
     })
   ];
+  # sane.programs.glib.enableFor.user.colin = true;  # for `gsettings`
 
   # link debug symbols into /run/current-system/sw/lib/debug
   # hopefully picked up by gdb automatically?

hosts/common/feeds.nix

@@ -119,12 +119,18 @@ let
     ## The Witch Trials of J.K. Rowling
     ## - <https://www.thefp.com/witchtrials>
     (mkPod "https://feeds.megaphone.fm/RUNMED9919162779" // pol // infrequent)
+    ## Atlas Obscura
+    (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)
+    ## Ezra Klein Show
+    (fromDb "feeds.simplecast.com/82FI35Px" // pol)
+    ## Wireshark Podcast o_0
+    (fromDb "sharkbytes.transistor.fm" // tech)
   ];
 
   texts = [
     # AGGREGATORS (> 1 post/day)
     (fromDb "lwn.net" // tech)
-    (fromDb "lesswrong.com" // rat)
+    # (fromDb "lesswrong.com" // rat)
     # (fromDb "econlib.org" // pol)
 
     # AGGREGATORS (< 1 post/day)
@@ -166,10 +172,11 @@ let
     (fromDb "ianthehenry.com" // tech)
     (fromDb "bitbashing.io" // tech)
     (fromDb "idiomdrottning.org" // uncat)
+    (mkText "http://boginjr.com/feed" // tech // infrequent)
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
     (fromDb "jefftk.com" // tech)
     (fromDb "pomeroyb.com" // tech)
-    (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
+    # (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
 
     # TECH PROJECTS
     (fromDb "blog.rust-lang.org" // tech)
@@ -219,6 +226,7 @@ let
     (fromDb "preposterousuniverse.com" // rat)
     (mkSubstack "eliqian" // rat // weekly)
     (mkText "https://acoup.blog/feed" // rat // weekly)
+    (fromDb "mindingourway.com" // rat)
 
     ## mostly dating topics. not advice, or humor, but looking through a social lens
     (fromDb "putanumonit.com" // rat)

hosts/common/fs.nix

@@ -57,6 +57,37 @@ let fsOpts = rec {
 };
 in
 {
+  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
+  sane.fs."/var/lib/private".dir.acl.mode = "0700";
+
+  # in-memory compressed RAM
+  # defaults to compressing at most 50% size of RAM
+  # claimed compression ratio is about 2:1
+  # - but on moby w/ zstd default i see 4-7:1  (ratio lowers as it fills)
+  # note that idle overhead is about 0.05% of capacity (e.g. 2B per 4kB page)
+  # docs: <https://www.kernel.org/doc/Documentation/blockdev/zram.txt>
+  #
+  # to query effectiveness:
+  # `cat /sys/block/zram0/mm_stat`. whitespace separated fields:
+  # - *orig_data_size*  (bytes)
+  # - *compr_data_size* (bytes)
+  # - mem_used_total    (bytes)
+  # - mem_limit         (bytes)
+  # - mem_used_max      (bytes)
+  # - *same_pages*  (pages which are e.g. all zeros (consumes no additional mem))
+  # - *pages_compacted*  (pages which have been freed thanks to compression)
+  # - huge_pages  (incompressible)
+  #
+  # see also:
+  # - `man zramctl`
+  zramSwap.enable = true;
+  # how much ram can be swapped into the zram device.
+  # this shouldn't be higher than the observed compression ratio.
+  # the default is 50% (why?)
+  # 100% should be "guaranteed" safe so long as the data is even *slightly* compressible.
+  # but it decreases working memory under the heaviest of loads by however much space the compressed memory occupies (e.g. 50% if 2:1; 25% if 4:1)
+  zramSwap.memoryPercent = 100;
+
   # fileSystems."/mnt/servo-nfs" = {
   #   device = "servo-hn:/";
   #   noCheck = true;
@@ -77,34 +108,6 @@ in
   # };
   sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
 
-  fileSystems."/mnt/servo-media-wan" = {
-    device = "colin@uninsane.org:/var/lib/uninsane/media";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshColin ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/servo-media-wan" = sane-lib.fs.wantedDir;
-  fileSystems."/mnt/servo-media-lan" = {
-    device = "colin@servo:/var/lib/uninsane/media";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshColin ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/servo-media-lan" = sane-lib.fs.wantedDir;
-  fileSystems."/mnt/servo-root-wan" = {
-    device = "colin@uninsane.org:/";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshRoot ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/servo-root-wan" = sane-lib.fs.wantedDir;
-  fileSystems."/mnt/servo-root-lan" = {
-    device = "colin@servo:/";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshRoot ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/servo-root-lan" = sane-lib.fs.wantedDir;
   fileSystems."/mnt/desko-home" = {
     device = "colin@desko:/home/colin";
     fsType = "fuse.sshfs";

hosts/common/hardware.nix

@@ -23,7 +23,6 @@
 
   # non-free firmware
   hardware.enableRedistributableFirmware = true;
-  services.fwupd.enable = true;
 
   # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
   powerManagement.powertop.enable = false;

hosts/common/home/default.nix

@@ -1,7 +1,7 @@
 { ... }:
 {
   imports = [
-    ./keyring.nix
+    ./keyring
     ./mime.nix
     ./ssh.nix
     ./xdg-dirs.nix

hosts/common/home/keyring/default.nix

@@ -1,11 +1,16 @@
-{ config, sane-lib, ... }:
+{ config, pkgs, sane-lib, ... }:
 
+let
+  init-keyring = pkgs.static-nix-shell.mkBash {
+    pname = "init-keyring";
+    src = ./.;
+  };
+in
 {
   sane.user.persist.private = [ ".local/share/keyrings" ];
 
   sane.user.fs."private/.local/share/keyrings/default" = {
-    generated.script.script = builtins.readFile ../../../scripts/init-keyring;
-    # TODO: is this `wantedBy` needed? can we inherit it?
+    generated.command = [ "${init-keyring}/bin/init-keyring" ];
     wantedBy = [ config.sane.fs."/home/colin/private".unit ];
     wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
   };

hosts/common/home/keyring/init-keyring

@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
 # initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
 # this initializes it to be plaintext/unencrypted.
 

hosts/common/home/mime.nix

@@ -1,46 +1,28 @@
-{ config, sane-lib, ...}:
+{ config, lib, ...}:
 
 let
-  # TODO: should move all of this into `sane.programs` to not ship broken associations
-  www = config.sane.programs.web-browser.config.browser.desktop;
-  pdf = "org.gnome.Evince.desktop";
-  md = "obsidian.desktop";
-  thumb = "org.gnome.gThumb.desktop";
-  video = "vlc.desktop";
-  # audio = "mpv.desktop";
-  audio = "vlc.desktop";
-  email = "aerc.desktop";
+  # ProgramConfig -> { "<mime-type>" = { priority, desktop }; }
+  weightedMimes = prog: builtins.mapAttrs (_key: desktop: { priority = prog.mime.priority; desktop = desktop; }) prog.mime.associations;
+  # [ { "<mime-type>" = { priority, desktop } ]; } ] -> { "<mime-type>" = [ { priority, desktop } ... ]; }
+  mergeMimes = mimes: lib.foldAttrs (item: acc: [item] ++ acc) [] mimes;
+  # [ { priority, desktop } ... ] -> Self
+  sortOneMimeType = associations: builtins.sort (l: r: assert l.priority != r.priority; l.priority < r.priority) associations;
+  sortMimes = mimes: builtins.mapAttrs (_k: sortOneMimeType) mimes;
+  removePriorities = mimes: builtins.mapAttrs (_k: associations: builtins.map (a: a.desktop) associations) mimes;
+
+  # [ ProgramConfig ]
+  enabledPrograms = builtins.filter (p: p.enabled) (builtins.attrValues config.sane.programs);
+  # [ { "<mime-type>" = { prority, desktop } ]
+  enabledWeightedMimes = builtins.map weightedMimes enabledPrograms;
 in
 {
-
   # the xdg mime type for a file can be found with:
   # - `xdg-mime query filetype path/to/thing.ext`
+  # the default handler for a mime type can be found with:
+  # - `xdg-mime query default <mimetype>`  (e.g. x-scheme-handler/http)
+  #
   # we can have single associations or a list of associations.
   # there's also options to *remove* [non-default] associations from specific apps
   xdg.mime.enable = true;
-  xdg.mime.defaultApplications = {
-    # AUDIO
-    "audio/flac" = audio;
-    "audio/mpeg" = audio;
-    "audio/x-vorbis+ogg" = audio;
-    # IMAGES
-    "image/heif" = thumb;  # apple codec
-    "image/png" = thumb;
-    "image/jpeg" = thumb;
-    # VIDEO
-    "video/mp4" = video;
-    "video/quicktime" = video;
-    "video/webm" = video;
-    "video/x-matroska" = video;
-    # HTML
-    "text/html" = www;
-    "x-scheme-handler/http" = www;
-    "x-scheme-handler/https" = www;
-    "x-scheme-handler/about" = www;
-    "x-scheme-handler/unknown" = www;
-    # RICH-TEXT DOCUMENTS
-    "application/pdf" = pdf;
-    "text/markdown" = md;
-    "x-scheme-handler/mailto" = email;
-  };
+  xdg.mime.defaultApplications = removePriorities (sortMimes (mergeMimes enabledWeightedMimes));
 }

hosts/common/home/ssh.nix

@@ -1,26 +1,29 @@
-{ config, lib, sane-lib, ... }:
+# TODO: this should be moved to users/colin.nix
+{ config, lib, ... }:
 
-with lib;
 let
   host = config.networking.hostName;
   user-pubkey-full = config.sane.ssh.pubkeys."colin@${host}" or {};
   user-pubkey = user-pubkey-full.asUserKey or null;
-  host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
-  known-hosts-text = concatStringsSep
+  host-keys = lib.filter (k: k.user == "root") (lib.attrValues config.sane.ssh.pubkeys);
+  known-hosts-text = lib.concatStringsSep
     "\n"
-    (map (k: k.asHostKey) host-keys)
+    (builtins.map (k: k.asHostKey) host-keys)
   ;
 in
 {
   # ssh key is stored in private storage
-  sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.user.fs.".ssh/id_ed25519.pub" =
-    mkIf (user-pubkey != null) (sane-lib.fs.wantedText user-pubkey);
-  sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
+  sane.user.persist.private = [
+    { type = "file"; path = ".ssh/id_ed25519"; }
+  ];
+  sane.user.fs.".ssh/id_ed25519.pub" = lib.mkIf (user-pubkey != null) {
+    symlink.text = user-pubkey;
+  };
+  sane.user.fs.".ssh/known_hosts".symlink.text = known-hosts-text;
 
   users.users.colin.openssh.authorizedKeys.keys =
   let
-    user-keys = filter (k: k.user == "colin") (attrValues config.sane.ssh.pubkeys);
+    user-keys = lib.filter (k: k.user == "colin") (lib.attrValues config.sane.ssh.pubkeys);
   in
-    map (k: k.asUserKey) user-keys;
+    builtins.map (k: k.asUserKey) user-keys;
 }

hosts/common/home/xdg-dirs.nix

@@ -1,9 +1,9 @@
-{ lib, sane-lib, ...}:
+{ ... }:
 
 {
   # XDG defines things like ~/Desktop, ~/Downloads, etc.
   # these clutter the home, so i mostly don't use them.
-  sane.user.fs.".config/user-dirs.dirs" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/user-dirs.dirs".symlink.text = ''
     XDG_DESKTOP_DIR="$HOME/.xdg/Desktop"
     XDG_DOCUMENTS_DIR="$HOME/dev"
     XDG_DOWNLOAD_DIR="$HOME/tmp"
@@ -16,5 +16,5 @@
 
   # prevent `xdg-user-dirs-update` from overriding/updating our config
   # see <https://manpages.ubuntu.com/manpages/bionic/man5/user-dirs.conf.5.html>
-  sane.user.fs.".config/user-dirs.conf" = sane-lib.fs.wantedText "enabled=False";
+  sane.user.fs.".config/user-dirs.conf".symlink.text = "enabled=False";
 }

hosts/common/ids.nix

@@ -42,6 +42,8 @@
   sane.ids.pict-rs.gid = 2409;
   sane.ids.sftpgo.uid = 2410;
   sane.ids.sftpgo.gid = 2410;
+  sane.ids.trust-dns.uid = 2411;
+  sane.ids.trust-dns.gid = 2411;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net.nix

@@ -11,15 +11,15 @@
   # - `man iwd.config`  for global config
   # - `man iwd.network` for per-SSID config
   # use `iwctl` to control
-  networking.networkmanager.wifi.backend = "iwd";
-  networking.wireless.iwd.enable = true;
-  networking.wireless.iwd.settings = {
-    # auto-connect to a stronger network if signal drops below this value
-    # bedroom -> bedroom connection is -35 to -40 dBm
-    # bedroom -> living room connection is -60 dBm
-    General.RoamThreshold = "-52";  # default -70
-    General.RoamThreshold5G = "-52";  # default -76
-  };
+  # networking.networkmanager.wifi.backend = "iwd";
+  # networking.wireless.iwd.enable = true;
+  # networking.wireless.iwd.settings = {
+  #   # auto-connect to a stronger network if signal drops below this value
+  #   # bedroom -> bedroom connection is -35 to -40 dBm
+  #   # bedroom -> living room connection is -60 dBm
+  #   General.RoamThreshold = "-52";  # default -70
+  #   General.RoamThreshold5G = "-52";  # default -76
+  # };
 
   # plugins mostly add support for establishing different VPN connections.
   # the default plugin set includes mostly proprietary VPNs:
@@ -38,4 +38,10 @@
   networking.firewall.allowedUDPPorts = [
     1900  # to received UPnP advertisements. required by sane-ip-check-upnp
   ];
+
+  # keyfile.path = where networkmanager should look for connection credentials
+  networking.networkmanager.extraConfig = ''
+    [keyfile]
+    path=/var/lib/NetworkManager/system-connections
+  '';
 }

hosts/common/persist.nix

@@ -6,13 +6,11 @@
   sane.persist.stores.private.prefix = "/home/colin";
 
   sane.persist.sys.plaintext = [
+    # TODO: these should be private.. somehow
     "/var/log"
     "/var/backup"  # for e.g. postgres dumps
-    # TODO: move elsewhere
-    "/var/lib/alsa"                # preserve output levels, default devices
-    "/var/lib/colord"              # preserve color calibrations (?)
-    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
-    "/var/lib/systemd/backlight"   # backlight brightness
+  ];
+  sane.persist.sys.cryptClearOnBoot = [
     "/var/lib/systemd/coredump"
   ];
 }

hosts/common/programs/aerc.nix

@@ -2,5 +2,8 @@
 { ... }:
 
 {
-  sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
+  sane.programs.aerc = {
+    secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
+    mime.associations."x-scheme-handler/mailto" = "aerc.desktop";
+  };
 }

hosts/common/programs/assorted.nix

@@ -1,392 +1,254 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 
 let
-  inherit (builtins) attrNames;
-
-  flattenedPkgs = pkgs // (with pkgs; {
-    # XXX can't `inherit` a nested attr, so we move them to the toplevel
-    "cacert.unbundled" = pkgs.cacert.unbundled;
-    "gnome.cheese" = gnome.cheese;
-    "gnome.dconf-editor" = gnome.dconf-editor;
-    "gnome.file-roller" = gnome.file-roller;
-    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
-    "gnome.gnome-maps" = gnome.gnome-maps;
-    "gnome.nautilus" = gnome.nautilus;
-    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
-    "gnome.gnome-terminal" = gnome.gnome-terminal;
-    "gnome.gnome-weather" = gnome.gnome-weather;
-    "gnome.totem" = gnome.totem;
-    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
-  });
-
-  sysadminPkgs = {
-    inherit (flattenedPkgs)
-      btrfs-progs
-      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
-      cryptsetup
-      dig
-      efibootmgr
-      fatresize
-      fd
-      file
-      gawk
-      git
-      gptfdisk
-      hdparm
-      htop
-      iftop
-      inetutils  # for telnet
-      iotop
-      iptables
-      jq
-      killall
-      lsof
-      miniupnpc
-      nano
-      neovim
-      netcat
-      nethogs
-      nmap
-      openssl
-      parted
-      pciutils
-      powertop
-      pstree
-      ripgrep
-      screen
-      smartmontools
-      socat
-      strace
-      subversion
-      tcpdump
-      tree
-      usbutils
-      wget
-      wirelesstools  # iwlist
-    ;
+  declPackageSet = pkgs: {
+    package = null;
+    suggestedPrograms = pkgs;
   };
-  sysadminExtraPkgs = {
-    # application-specific packages
-    inherit (pkgs)
-      backblaze-b2
-      duplicity
-      sqlite  # to debug sqlite3 databases
-    ;
-  };
-
-  iphonePkgs = {
-    inherit (pkgs)
-      ifuse
-      ipfs
-      libimobiledevice
-    ;
-  };
-
-  tuiPkgs = {
-    inherit (pkgs)
-      aerc  # email client
-      msmtp  # sendmail
-      offlineimap  # email mailox sync
-      sfeed  # RSS fetcher
-      visidata  # TUI spreadsheet viewer/editor
-      w3m
-    ;
-  };
-
-  consoleMediaPkgs = {
-    inherit (pkgs)
-      ffmpeg
-      imagemagick
-      sox
-      yt-dlp
-    ;
-  };
-  # TODO: split these into smaller groups.
-  # - moby doesn't want a lot of these.
-  # - categories like
-  #   - dev?
-  #   - debugging?
-  consolePkgs = {
-    inherit (pkgs)
-      alsaUtils  # for aplay, speaker-test
-      # cdrtools
-      clinfo
-      dmidecode
-      efivar
-      # flashrom
-      fwupd
-      gh  # MS GitHub cli
-      git  # needed as a user package, for config.
-      # gnupg
-      # gocryptfs
-      # gopass
-      # gopass-jsonapi
-      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libsecret  # for managing user keyrings. TODO: what needs this? lift into the consumer
-      lm_sensors  # for sensors-detect. TODO: what needs this? lift into the consumer
-      lshw
-      # memtester
-      neovim  # needed as a user package, for swap persistence
-      # nettools
-      # networkmanager
-      nix-index
-      nixpkgs-review
-      # nixos-generators
-      nmon
-      # node2nix
-      # oathToolkit  # for oathtool
-      # ponymix
-      pulsemixer
-      python3
-      ripgrep  # needed as a user package so that its user-level config file can be installed
-      rsync
-      # python3Packages.eyeD3  # music tagging
-      sane-scripts
-      sequoia
-      snapper
-      sops
-      speedtest-cli
-      # ssh-to-age
-      sudo
-      # tageditor  # music tagging
-      unar
-      wireguard-tools
-      xdg-terminal-exec
-      xdg-utils  # for xdg-open
-      # yarn
-      zsh
-    ;
-  };
-
-  guiPkgs = {
-    inherit (flattenedPkgs)
-      # celluloid  # mpv frontend
-      cozy  # audiobook player
-      # emote
-      evince  # works on phosh
-
-      # { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
-
-      # foliate  # e-book reader
-
-      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
-      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
-      # then reboot (so that libsecret daemon re-loads the keyring...?)
-      # { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
-      # { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
-
-      # "gnome.cheese"
-      # gnome-feeds  # RSS reader (with claimed mobile support)
-      "gnome.file-roller"
-      # "gnome.gnome-maps"  # works on phosh
-      "gnome.nautilus"
-      # gnome-podcasts
-      # "gnome.gnome-system-monitor"
-      # "gnome.gnome-terminal"  # works on phosh
-      # "gnome.gnome-weather"
-      gpodder
-      gthumb
-      jellyfin-media-player
-      komikku
-      koreader
-      lemoa  # lemmy app
-      # lollypop
-      mepo  # maps viewer
-      # mpv
-      # networkmanagerapplet
-      # newsflash
-      nheko
-      pavucontrol
-      # picard  # music tagging
-      # "libsForQt5.plasmatube"  # Youtube player
-      soundconverter
-      # sublime-music
-      # tdesktop  # broken on phosh
-      # tokodon
-      tuba  # mastodon/pleroma client (stores pw in keyring)
-      vlc
-      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
-      # whalebird
-      xterm  # broken on phosh
-    ;
-  };
-  desktopGuiPkgs = {
-    inherit (flattenedPkgs)
-      audacity
-      brave  # for the integrated wallet -- as a backup
-      chromium
-      dino
-      electrum
-      element-desktop
-      # font-manager  #< depends on webkitgtk4_0 (expensive to build)
-      gajim  # XMPP client
-      gimp  # broken on phosh
-      "gnome.dconf-editor"
-      "gnome.gnome-disk-utility"
-      # "gnome.totem"  # video player, supposedly supports UPnP
-      handbrake
-      hase
-      inkscape
-      kdenlive
-      kid3  # audio tagging
-      krita
-      libreoffice-fresh
-      mumble
-      obsidian
-      slic3r
-      steam
-      wireshark  # could maybe ship the cli as sysadmin pkg
-    ;
-  };
-  x86GuiPkgs = {
-    inherit (pkgs)
-      discord
-
-      # kaiteki  # Pleroma client
-      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
-      # gpt2tc  # XXX: unreliable mirror
-
-      # logseq  # Personal Knowledge Management
-      losslesscut-bin
-      makemkv
-      monero-gui
-      signal-desktop
-      spotify
-      tor-browser-bundle-bin
-      zecwallet-lite
-    ;
-  };
-
-  # packages not part of any package set; not enabled by default
-  otherPkgs = {
-    inherit (pkgs)
-      lemmy-server
-      mx-sanebot
-      stepmania
-    ;
-  };
-
-  # define -- but don't enable -- the packages in some attrset.
-  declarePkgs = pkgsAsAttrs: lib.mapAttrs (_n: p: {
-    # no need to actually define the package here: it's defaulted
-    # package = mkDefault p;
-  }) pkgsAsAttrs;
 in
 {
-  sane.programs = lib.mkMerge [
-    (declarePkgs consoleMediaPkgs)
-    (declarePkgs consolePkgs)
-    (declarePkgs desktopGuiPkgs)
-    (declarePkgs guiPkgs)
-    (declarePkgs iphonePkgs)
-    (declarePkgs sysadminPkgs)
-    (declarePkgs sysadminExtraPkgs)
-    (declarePkgs tuiPkgs)
-    (declarePkgs x86GuiPkgs)
-    (declarePkgs otherPkgs)
-    {
-      # link the various package sets into their own meta packages
-      consoleMediaUtils = {
-        package = null;
-        suggestedPrograms = attrNames consoleMediaPkgs;
-      };
-      consoleUtils = {
-        package = null;
-        suggestedPrograms = attrNames consolePkgs;
-      };
-      desktopGuiApps = {
-        package = null;
-        suggestedPrograms = attrNames desktopGuiPkgs;
-      };
-      guiApps = {
-        package = null;
-        suggestedPrograms = (attrNames guiPkgs)
-          ++ [ "web-browser" ]
-          ++ [ "tuiApps" ]
-          ++ lib.optional (pkgs.system == "x86_64-linux") "x86GuiApps";
-      };
-      iphoneUtils = {
-        package = null;
-        suggestedPrograms = attrNames iphonePkgs;
-      };
-      sysadminUtils = {
-        package = null;
-        suggestedPrograms = attrNames sysadminPkgs;
-      };
-      sysadminExtraUtils = {
-        package = null;
-        suggestedPrograms = attrNames sysadminExtraPkgs;
-      };
-      tuiApps = {
-        package = null;
-        suggestedPrograms = attrNames tuiPkgs;
-      };
-      x86GuiApps = {
-        package = null;
-        suggestedPrograms = attrNames x86GuiPkgs;
-      };
-    }
-    {
-      # nontrivial package definitions
+  sane.programs = {
+    # PACKAGE SETS
+    "sane-scripts.backup" = declPackageSet [
+      "sane-scripts.backup-ls"
+      "sane-scripts.backup-restore"
+    ];
+    "sane-scripts.bittorrent" = declPackageSet [
+      "sane-scripts.bt-add"
+      "sane-scripts.bt-rm"
+      "sane-scripts.bt-search"
+      "sane-scripts.bt-show"
+    ];
+    "sane-scripts.dev" = declPackageSet [
+      "sane-scripts.dev-cargo-loop"
+      "sane-scripts.git-init"
+    ];
+    "sane-scripts.cli" = declPackageSet [
+      "sane-scripts.deadlines"
+      "sane-scripts.find-dotfiles"
+      "sane-scripts.ip-check"
+      "sane-scripts.ip-reconnect"
+      "sane-scripts.private-change-passwd"
+      "sane-scripts.private-do"
+      "sane-scripts.private-init"
+      "sane-scripts.private-lock"
+      "sane-scripts.private-unlock"
+      "sane-scripts.rcp"
+      "sane-scripts.reboot"
+      "sane-scripts.reclaim-boot-space"
+      "sane-scripts.reclaim-disk-space"
+      "sane-scripts.secrets-dump"
+      "sane-scripts.secrets-unlock"
+      "sane-scripts.secrets-update-keys"
+      "sane-scripts.shutdown"
+      "sane-scripts.ssl-dump"
+      "sane-scripts.sudo-redirect"
+      "sane-scripts.sync-from-servo"
+      "sane-scripts.vpn-down"
+      "sane-scripts.vpn-up"
+      "sane-scripts.which"
+      "sane-scripts.wipe-browser"
+    ];
+    "sane-scripts.sys-utils" = declPackageSet [
+      "sane-scripts.ip-port-forward"
+    ];
 
-      dino.persist.private = [ ".local/share/dino" ];
 
-      # creds, but also 200 MB of node modules, etc
-      discord.persist.private = [ ".config/discord" ];
+    sysadminUtils = declPackageSet [
+      "btrfs-progs"
+      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      "cryptsetup"
+      "dig"
+      "efibootmgr"
+      "fatresize"
+      "fd"
+      "file"
+      # "fwupd"
+      "gawk"
+      "git"
+      "gptfdisk"
+      "hdparm"
+      "htop"
+      "iftop"
+      "inetutils"  # for telnet
+      "iotop"
+      "iptables"
+      "jq"
+      "killall"
+      "lsof"
+      "miniupnpc"
+      "nano"
+      #  "ncdu"  # ncurses disk usage. doesn't cross compile (zig)
+      "neovim"
+      "netcat"
+      "nethogs"
+      "nmap"
+      "openssl"
+      "parted"
+      "pciutils"
+      "powertop"
+      "pstree"
+      "ripgrep"
+      "screen"
+      "smartmontools"
+      "socat"
+      "strace"
+      "subversion"
+      "tcpdump"
+      "tree"
+      "usbutils"
+      "wget"
+      "wirelesstools"  # iwlist
+    ];
+    sysadminExtraUtils = declPackageSet [
+      "backblaze-b2"
+      "duplicity"
+      "sane-scripts.backup"
+      "sqlite"  # to debug sqlite3 databases
+    ];
 
-      # creds/session keys, etc
-      element-desktop.persist.private = [ ".config/Element" ];
+    # TODO: split these into smaller groups.
+    # - moby doesn't want a lot of these.
+    # - categories like
+    #   - dev?
+    #   - debugging?
+    consoleUtils = declPackageSet [
+      "alsaUtils"  # for aplay, speaker-test
+      # "cdrtools"
+      "clinfo"
+      "dmidecode"
+      "dtrx"  # `unar` alternative, "Do The Right eXtraction"
+      "efivar"
+      # "flashrom"
+      "git"  # needed as a user package, for config.
+      # "gnupg"
+      # "gocryptfs"
+      # "gopass"
+      # "gopass-jsonapi"
+      "helix"  # text editor
+      "kitty"  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
+      "libsecret"  # for managing user keyrings. TODO: what needs this? lift into the consumer
+      "lm_sensors"  # for sensors-detect. TODO: what needs this? lift into the consumer
+      "lshw"
+      # "memtester"
+      "neovim"  # needed as a user package, for swap persistence
+      # "nettools"
+      # "networkmanager"
+      # "nixos-generators"
+      "nmon"
+      # "node2nix"
+      # "oathToolkit"  # for oathtool
+      # "ponymix"
+      "pulsemixer"
+      "python3"
+      # "python3Packages.eyeD3"  # music tagging
+      "ripgrep"  # needed as a user package so that its user-level config file can be installed
+      "rsync"
+      "sane-scripts.bittorrent"
+      "sane-scripts.cli"
+      "snapper"
+      "sops"
+      "speedtest-cli"
+      # "ssh-to-age"
+      "sudo"
+      # "tageditor"  # music tagging
+      # "unar"
+      "wireguard-tools"
+      "xdg-terminal-exec"
+      "xdg-utils"  # for xdg-open
+      # "yarn"
+      "zsh"
+    ];
 
-      # `emote` will show a first-run dialog based on what's in this directory.
-      # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
-      # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
-      emote.persist.plaintext = [ ".local/share/Emote" ];
+    desktopConsoleUtils = declPackageSet [
+      "gh"  # MS GitHub cli
+      "nix-index"
+      "nixpkgs-review"
+      "sane-scripts.dev"
+      "sequoia"
+    ];
 
-      # MS GitHub stores auth token in .config
-      # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
-      gh.persist.private = [ ".config/gh" ];
+    consoleMediaUtils = declPackageSet [
+      "ffmpeg"
+      "imagemagick"
+      "sox"
+      "yt-dlp"
+    ];
 
-      # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
-      # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
-      monero-gui.persist.plaintext = [ ".bitmonero" ];
+    tuiApps = declPackageSet [
+      "aerc"  # email client
+      "msmtp"  # sendmail
+      "offlineimap"  # email mailbox sync
+      "sfeed"  # RSS fetcher
+      "visidata"  # TUI spreadsheet viewer/editor
+      "w3m"  # web browser
+    ];
 
-      mumble.persist.private = [ ".local/share/Mumble" ];
+    iphoneUtils = declPackageSet [
+      "ifuse"
+      "ipfs"
+      "libimobiledevice"
+      "sane-scripts.sync-from-iphone"
+    ];
 
-      # not strictly necessary, but allows caching articles; offline use, etc.
-      nheko.persist.private = [
-        ".config/nheko"  # config file (including client token)
-        ".cache/nheko"  # media cache
-        ".local/share/nheko"  # per-account state database
-      ];
+    devPkgs = declPackageSet [
+      "clang"
+      "nodejs"
+      "tree-sitter"
+    ];
 
-      # settings (electron app)
-      obsidian.persist.plaintext = [ ".config/obsidian" ];
 
-      # creds, media
-      signal-desktop.persist.private = [ ".config/Signal" ];
+    # INDIVIDUAL PACKAGE DEFINITIONS
 
-      # printer/filament settings
-      slic3r.persist.plaintext = [ ".Slic3r" ];
+    dino.persist.private = [ ".local/share/dino" ];
 
-      # creds, widevine .so download. TODO: could easily manage these statically.
-      spotify.persist.plaintext = [ ".config/spotify" ];
+    # creds, but also 200 MB of node modules, etc
+    discord.persist.private = [ ".config/discord" ];
 
-      tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
+    # `emote` will show a first-run dialog based on what's in this directory.
+    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    emote.persist.plaintext = [ ".local/share/Emote" ];
 
-      tokodon.persist.private = [ ".cache/KDE/tokodon" ];
+    fluffychat-moby.persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
 
-      # hardenedMalloc solves a crash at startup
-      # TODO 2023/02/02: is this safe to remove yet?
-      tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
-        useHardenedMalloc = false;
-      };
+    # MS GitHub stores auth token in .config
+    # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
+    gh.persist.private = [ ".config/gh" ];
 
-      whalebird.persist.private = [ ".config/Whalebird" ];
+    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+    # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
+    monero-gui.persist.plaintext = [ ".bitmonero" ];
 
-      yarn.persist.plaintext = [ ".cache/yarn" ];
+    mumble.persist.private = [ ".local/share/Mumble" ];
 
-      # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-      zecwallet-lite.persist.private = [ ".zcash" ];
-    }
-  ];
+    # settings (electron app)
+    obsidian.persist.plaintext = [ ".config/obsidian" ];
+
+    # creds, media
+    signal-desktop.persist.private = [ ".config/Signal" ];
+
+    # printer/filament settings
+    slic3r.persist.plaintext = [ ".Slic3r" ];
+
+    # creds, widevine .so download. TODO: could easily manage these statically.
+    spotify.persist.plaintext = [ ".config/spotify" ];
+
+    tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
+
+    tokodon.persist.private = [ ".cache/KDE/tokodon" ];
+
+    # hardenedMalloc solves an "unable to connect to Tor" error when pressing the "connect" button
+    # - still required as of 2023/07/14
+    tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
+      useHardenedMalloc = false;
+    };
+
+    whalebird.persist.private = [ ".config/Whalebird" ];
+
+    yarn.persist.plaintext = [ ".cache/yarn" ];
+
+    # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
+    zecwallet-lite.persist.private = [ ".zcash" ];
+  };
 }

hosts/common/programs/chatty.nix

@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+let
+  chattyNoOauth = pkgs.chatty.override {
+    # the OAuth feature (presumably used for web-based logins) pulls a full webkitgtk.
+    # especially when using the gtk3 version of evolution-data-server, it's an ancient webkitgtk_4_1.
+    # disable OAuth for a faster build & smaller closure
+    evolution-data-server = pkgs.evolution-data-server.override {
+      enableOAuth2 = false;
+      gnome-online-accounts = pkgs.gnome-online-accounts.override {
+        # disables the upstream "goabackend" feature -- presumably "Gnome Online Accounts Backend"
+        # frees us from webkit_4_1, in turn.
+        enableBackend = false;
+        gvfs = pkgs.gvfs.override {
+          # saves 20 minutes of build time, for unused feature
+          samba = null;
+        };
+      };
+    };
+  };
+  chatty-latest = pkgs.chatty-latest.override {
+    evolution-data-server-gtk4 = pkgs.evolution-data-server-gtk4.override {
+      gnome-online-accounts = pkgs.gnome-online-accounts.override {
+        # disables the upstream "goabackend" feature -- presumably "Gnome Online Accounts Backend"
+        # frees us from webkit_4_1, in turn.
+        enableBackend = false;
+        gvfs = pkgs.gvfs.override {
+          # saves 20 minutes of build time, for unused feature
+          samba = null;
+        };
+      };
+    };
+  };
+in
+{
+  sane.programs.chatty = {
+    # package = chattyNoOauth;
+    package = chatty-latest;
+    suggestedPrograms = [ "gnome-keyring" ];
+    persist.private = [
+      ".local/share/chatty"  # matrix avatars and files
+      # ".purple"  # XMPP stuff
+    ];
+  };
+}

hosts/common/programs/default.nix

@@ -4,11 +4,21 @@
   imports = [
     ./aerc.nix
     ./assorted.nix
+    ./chatty.nix
     ./cozy.nix
+    ./element-desktop.nix
+    ./epiphany.nix
+    ./evince.nix
+    ./firefox.nix
+    ./fontconfig.nix
+    ./fractal.nix
+    ./fwupd.nix
     ./git.nix
     ./gnome-feeds.nix
+    ./gnome-keyring.nix
     ./gpodder.nix
     ./gthumb.nix
+    ./helix.nix
     ./imagemagick.nix
     ./jellyfin-media-player.nix
     ./kitty
@@ -16,21 +26,26 @@
     ./koreader
     ./libreoffice.nix
     ./lemoa.nix
+    ./megapixels.nix
     ./mepo.nix
     ./mpv.nix
     ./msmtp.nix
     ./neovim.nix
     ./newsflash.nix
+    ./nheko.nix
     ./nix-index.nix
+    ./obsidian.nix
     ./offlineimap.nix
     ./ripgrep.nix
     ./sfeed.nix
     ./splatmoji.nix
     ./steam.nix
     ./sublime-music.nix
+    ./tangram.nix
+    ./tuba.nix
     ./vlc.nix
-    ./web-browser.nix
     ./wireshark.nix
+    ./xarchiver.nix
     ./zeal.nix
     ./zsh
   ];

hosts/common/programs/element-desktop.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  sane.programs.element-desktop = {
+    # creds/session keys, etc
+    persist.private = [ ".config/Element" ];
+
+    suggestedPrograms = [ "gnome-keyring" ];
+  };
+}

hosts/common/programs/epiphany.nix

@@ -0,0 +1,45 @@
+# epiphany web browser
+# - GTK4/webkitgtk
+#
+# usability notes:
+# - touch-based scroll works well (for moby)
+# - URL bar constantly resets cursor to the start of the line as i type
+#   - maybe due to the URLbar suggestions getting in the way
+{ pkgs, ... }:
+{
+  sane.programs.epiphany = {
+    # XXX(2023/07/08): running on moby without this hack fails, with:
+    # - `bwrap: Can't make symlink at /var/run: File exists`
+    # this could be due to:
+    # - epiphany is somewhere following a symlink into /var/run instead of /run
+    #   - (nothing in `env` or in this repo touches /var/run)
+    # - no xdg-desktop-portal is installed  (unlikely)
+    #
+    # a few other users have hit this, in different contexts:
+    # - <https://gitlab.gnome.org/GNOME/gnome-builder/-/issues/1164>
+    # - <https://github.com/flatpak/flatpak/issues/3477>
+    # - <https://github.com/NixOS/nixpkgs/issues/197085>
+    package = pkgs.epiphany.overrideAttrs (upstream: {
+      preFixup = ''
+        gappsWrapperArgs+=(
+          --set WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS "1"
+        );
+      '' + (upstream.preFixup or "");
+    });
+    persist.private = [
+      ".cache/epiphany"
+      ".local/share/epiphany"
+      # also .config/epiphany, but appears empty
+    ];
+    mime.priority = 200;  # default priority is 100: install epiphany only as a fallback
+    mime.associations = let
+      desktop = "org.gnome.Epiphany.desktop";
+    in {
+      "text/html" = desktop;
+      "x-scheme-handler/http" = desktop;
+      "x-scheme-handler/https" = desktop;
+      "x-scheme-handler/about" = desktop;
+      "x-scheme-handler/unknown" = desktop;
+    };
+  };
+}

hosts/common/programs/evince.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  sane.programs.evince.mime.associations."application/pdf" = "org.gnome.Evince.desktop";
+}

hosts/common/programs/firefox.nix

@@ -9,11 +9,12 @@
 { config, lib, pkgs, ...}:
 with lib;
 let
-  cfg = config.sane.programs.web-browser.config;
+  cfg = config.sane.programs.firefox.config;
+  mobile-prefs = lib.optionals false pkgs.librewolf-pmos-mobile.extraPrefsFiles;
   # allow easy switching between firefox and librewolf with `defaultSettings`, below
   librewolfSettings = {
     browser = pkgs.librewolf-unwrapped;
-    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ pkgs.librewolf-pmos-mobile.extraPrefsFiles;
+    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ mobile-prefs;
     libName = "librewolf";
     dotDir = ".librewolf";
     cacheDir = ".cache/librewolf";
@@ -21,7 +22,7 @@ let
   };
   firefoxSettings = {
     browser = pkgs.firefox-esr-unwrapped;
-    extraPrefsFiles = pkgs.firefox-pmos-mobile.extraPrefsFiles;
+    extraPrefsFiles = mobile-prefs;
     libName = "firefox";
     dotDir = ".mozilla/firefox";
     cacheDir = ".cache/mozilla";
@@ -144,55 +145,59 @@ in
 {
   config = mkMerge [
     ({
-      sane.programs.web-browser.configOption = mkOption {
+      sane.programs.firefox.configOption = mkOption {
         type = types.submodule configOpts;
         default = {};
       };
-      sane.programs.web-browser.config.addons = {
-        # get names from:
-        # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
-        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
+      sane.programs.firefox.config.addons = {
         browserpass-extension = {
-          # package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
-          package = localAddon pkgs.browserpass-extension;
+          package = pkgs.firefox-extensions.browserpass-extension;
           enable = lib.mkDefault true;
         };
-
-        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
-        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
-        # bypass-paywalls-clean.enable = lib.mkDefault true;
-
-        # TODO: give these update scripts, make them reachable via `pkgs`
-        ether-metamask = {
-          package = addon "ether-metamask" "webextension@metamask.io" "sha256-UI83wUUc33OlQYX+olgujeppoo2D2PAUJ+Wma5mH2O0=";
+        bypass-paywalls-clean = {
+          package = pkgs.firefox-extensions.bypass-paywalls-clean;
           enable = lib.mkDefault true;
         };
+        ether-metamask = {
+          package = pkgs.firefox-extensions.ether-metamask;
+          enable = lib.mkDefault false;  # until i can disable the first-run notification
+        };
         i2p-in-private-browsing = {
-          package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
+          package = pkgs.firefox-extensions.i2p-in-private-browsing;
           enable = lib.mkDefault config.services.i2p.enable;
         };
         sidebery = {
-          package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
+          package = pkgs.firefox-extensions.sidebery;
           enable = lib.mkDefault true;
         };
         sponsorblock = {
-          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-b/OTFmhSEUZ/CYrYCE4rHVMQmY+Y78k8jSGMoR8vsZA=";
+          package = pkgs.firefox-extensions.sponsorblock;
           enable = lib.mkDefault true;
         };
         ublacklist = {
-          package = addon "ublacklist" "@ublacklist" "sha256-NZ2FmgJiYnH7j2Lkn0wOembxaEphmUuUk0Ytmb0rNWo=";
+          package = pkgs.firefox-extensions.ublacklist;
           enable = lib.mkDefault true;
         };
         ublock-origin = {
-          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-EGGAA+cLUow/F5luNzFG055rFfd3rEyh8hTaL/23pbM=";
+          package = pkgs.firefox-extensions.ublock-origin;
           enable = lib.mkDefault true;
         };
       };
     })
     ({
-      sane.programs.web-browser = {
+      sane.programs.firefox = {
         inherit package;
 
+        mime.associations = let
+          inherit (cfg.browser) desktop;
+        in {
+          "text/html" = desktop;
+          "x-scheme-handler/http" = desktop;
+          "x-scheme-handler/https" = desktop;
+          "x-scheme-handler/about" = desktop;
+          "x-scheme-handler/unknown" = desktop;
+        };
+
         # env.BROWSER = "${package}/bin/${cfg.browser.libName}";
         env.BROWSER = cfg.browser.libName;  # used by misc tools like xdg-email, as fallback
 
@@ -236,16 +241,22 @@ in
         '';
       };
     })
-    (mkIf config.sane.programs.web-browser.enabled {
+    (mkIf config.sane.programs.firefox.enabled {
       # TODO: move the persistence into the sane.programs API (above)
-      # flush the cache to disk to avoid it taking up too much tmp
-      sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
-        store = cfg.persistCache;
-      };
+      # flush the cache to disk to avoid it taking up too much tmp.
+      sane.user.persist.byPath."${cfg.browser.cacheDir}".store =
+        if (cfg.persistData != null) then
+          cfg.persistData
+        else
+          "cryptClearOnBoot"
+        ;
 
-      sane.user.persist.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
-        store = cfg.persistData;
-      };
+      sane.user.persist.byPath."${cfg.browser.dotDir}/default".store =
+        if (cfg.persistData != null) then
+          cfg.persistData
+        else
+          "cryptClearOnBoot"
+        ;
     })
   ];
 }

hosts/common/programs/fontconfig.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+{
+  fonts = lib.mkIf config.sane.programs.fontconfig.enabled {
+    fontconfig.enable = true;
+    fontconfig.defaultFonts = {
+      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
+      monospace = [ "Hack" ];
+      serif = [ "DejaVu Serif" ];
+      sansSerif = [ "DejaVu Sans" ];
+    };
+    #vvv enables dejavu_fonts, freefont_ttf, gyre-fonts, liberation_ttf, unifont, noto-fonts-emoji
+    enableDefaultPackages = true;
+    packages = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
+  };
+}

hosts/common/programs/fractal.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  sane.programs.fractal = {
+    # package = pkgs.fractal-latest;
+    package = pkgs.fractal-next;
+
+    # XXX by default fractal stores its state in ~/.local/share/stable/<UUID>.
+    persist.private = [ ".local/share/stable" ];
+
+    suggestedPrograms = [ "gnome-keyring" ];
+  };
+}

hosts/common/programs/fwupd.nix

@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+{
+  services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
+    # enables the dbus service, which i think the frontend speaks to.
+    enable = true;
+  };
+}

hosts/common/programs/git.nix

@@ -1,6 +1,8 @@
 { lib, pkgs, ... }:
 
 let
+  # TODO: use formats.gitIni or lib.generators.toGitINI
+  # - see: <repo:nixos/nixpkgs:pkgs/pkgs-lib/formats.nix>
   mkCfg = lib.generators.toINI { };
 in
 {

hosts/common/programs/gnome-keyring.nix

@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+{
+  sane.programs.gnome-keyring = {
+    package = pkgs.gnome.gnome-keyring;
+  };
+  # adds gnome-keyring as a xdg-data-portal (xdg.portal)
+  services.gnome.gnome-keyring = lib.mkIf config.sane.programs.gnome-keyring.enabled {
+    enable = true;
+  };
+}

hosts/common/programs/gthumb.nix

@@ -1,4 +1,13 @@
 { pkgs, ... }:
 {
-  sane.programs.gthumb.package = pkgs.gthumb.override { withWebservices = false; };
+  sane.programs.gthumb = {
+    # compile without webservices to avoid the expensive webkitgtk dependency
+    package = pkgs.gthumb.override { withWebservices = false; };
+    mime.associations = {
+      "image/heif" = "org.gnome.gThumb.desktop";  # apple codec
+      "image/png" = "org.gnome.gThumb.desktop";
+      "image/jpeg" = "org.gnome.gThumb.desktop";
+      "image/svg+xml" = "org.gnome.gThumb.desktop";
+    };
+  };
 }

hosts/common/programs/helix.nix

@@ -0,0 +1,22 @@
+# Helix text editor
+# debug log: `~/.cache/helix/helix.log`
+# binary name is `hx`
+{ ... }:
+{
+  sane.programs.helix = {
+    # grammars need to be persisted when developing them
+    # - `hx --grammar fetch` and `hx --grammar build`
+    # but otherwise, they ship as part of HELIX_RUNTIME, in the nix store
+    # persist.plaintext = [ ".config/helix/runtime/grammars" ];
+    fs.".config/helix/config.toml".symlink.text = ''
+      # docs: <https://docs.helix-editor.com/configuration.html>
+      [editor.soft-wrap]
+      enable = true
+
+      [editor.whitespace.render]
+      space = "all"
+      tab = "all"
+      newline = "none"
+    '';
+  };
+}

hosts/common/programs/imagemagick.nix

@@ -6,5 +6,4 @@
     };
     suggestedPrograms = [ "ghostscript" ];
   };
-  sane.programs.ghostscript = {};
 }

hosts/common/programs/jellyfin-media-player.nix

@@ -3,7 +3,9 @@
 {
   sane.programs.jellyfin-media-player = {
     # package = pkgs.jellyfin-media-player;
-    package = pkgs.jellyfin-media-player-qt6;
+    # qt6 version is slightly buggy, but also most qtwebengine apps (e.g. zeal) are on qt5
+    #   so using qt6 would force yet *another* qtwebengine compile.
+    # package = pkgs.jellyfin-media-player-qt6;
 
     # jellyfin stores things in a bunch of directories: this one persists auth info.
     # it *might* be possible to populate this externally (it's Qt stuff), but likely to

hosts/common/programs/koreader/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, sane-lib, ... }:
+{ config, lib, pkgs, sane-lib, ... }:
 
 let
   feeds = sane-lib.feeds;
@@ -10,11 +10,12 @@ let
     # limit = 0                    => download and keep *all* articles
     # download_full_article = true => populate feed by downloading the webpage -- not just what's encoded in the RSS <article> tags
     # - use this for articles where the RSS only encodes content previews
+    # - in practice, most articles don't work with download_full_article = false
     # enable_filter         = true => only render content that matches the filter_element css selector.
     let fields = [
       (lib.escapeShellArg feed.url)
       "limit = 5"
-      "download_full_article = false"
+      "download_full_article = true"
       "include_images = true"
       "enable_filter = false"
       "filter_element = \"\""
@@ -22,6 +23,7 @@ let
   ) wantedFeeds;
 in {
   sane.programs.koreader = {
+    package = pkgs.koreader-from-src;
     # koreader applies these lua "patches" at boot:
     # - <https://github.com/koreader/koreader/wiki/User-patches>
     # - TODO: upstream this patch to koreader

hosts/common/programs/libreoffice.nix

@@ -1,14 +1,20 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
-  # libreoffice: disable first-run stuff
-  sane.programs.libreoffice-fresh.fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
-    <?xml version="1.0" encoding="UTF-8"?>
-    <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
-      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
-    </oor:items>
-  '';
-  # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
-  # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+  sane.programs.libreoffice = {
+    # package = pkgs.libreoffice-bin;
+    # package = pkgs.libreoffice-still;
+    package = pkgs.libreoffice-fresh;
+
+    # disable first-run stuff
+    fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
+      <?xml version="1.0" encoding="UTF-8"?>
+      <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+        <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
+        <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
+      </oor:items>
+    '';
+    # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
+    # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+  };
 }

hosts/common/programs/megapixels.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  sane.programs.megapixels.package = pkgs.megapixels.override {
+    # megapixels uses zbar to read barcodes.
+    # zbar by default ships zbarcam-gtk and zbarcam-qt, neither of which megapixels needs.
+    # but the latter takes a dep on qt, which bloats the closure and the build, so disable this feature.
+    zbar = pkgs.zbar.override {
+      enableVideo = false;
+    };
+  };
+}

hosts/common/programs/mepo.nix

@@ -6,13 +6,21 @@
   sane.programs.mepo = {
     persist.plaintext = [ ".cache/mepo/tiles" ];
     # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
-    persist.private = [ ".cache/mepo/savestate" ];
+    persist.private = [
+      { type = "file"; path = ".cache/mepo/savestate"; }
+    ];
+
+    # give mepo access to gpsd for location data, if that's enabled.
+    # same with geoclue2.
+    suggestedPrograms = lib.optional config.services.gpsd.enable "gpsd"
+      ++ lib.optional config.services.geoclue2.enable "geoclue2-with-demo-agent"
+    ;
   };
 
-  programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
-    # enable location services (via geoclue)
-    enable = true;
-    # more precise, via gpsd ("may require additional config")
-    # programs.mepo.gpsd.enable = true
-  };
+  # programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
+  #   # enable location services (via geoclue)
+  #   enable = true;
+  #   # more precise, via gpsd ("may require additional config")
+  #   # programs.mepo.gpsd.enable = true
+  # };
 }

hosts/common/programs/mpv.nix

@@ -1,13 +1,82 @@
-{ ... }:
+# mpv docs:
+# - <https://mpv.io/manual/master>
+# - <https://github.com/mpv-player/mpv/wiki>
+# curated mpv mods/scripts/users:
+# - <https://github.com/stax76/awesome-mpv>
+{ pkgs, ... }:
 
 {
   sane.programs.mpv = {
+    package = pkgs.wrapMpv pkgs.mpv-unwrapped {
+      youtubeSupport = false;  #< XXX(2023/08/03): doesn't cross compile until next staging -> master merge
+      scripts = with pkgs.mpvScripts; [
+        mpris
+        # uosc
+        pkgs.mpv-uosc-latest
+      ];
+    };
     persist.plaintext = [ ".config/mpv/watch_later" ];
-    # format is <key>=%<length>%<value>
-    fs.".config/mpv/mpv.conf".symlink.text = ''
-      save-position-on-quit=%3%yes
-      keep-open=%3%yes
+    fs.".config/mpv/input.conf".symlink.text = ''
+      # let volume keys be interpreted by the system.
+      # this is important for sxmo.
+      VOLUME_UP ignore
+      VOLUME_DOWN ignore
     '';
+    fs.".config/mpv/mpv.conf".symlink.text = ''
+      save-position-on-quit=yes
+      keep-open=yes
+
+      # use uosc instead (for On Screen Controls)
+      osc=no
+      # uosc provides its own seeking/volume indicators, so you also don't need this
+      osd-bar=no
+      # uosc will draw its own window controls if you disable window border
+      border=no
+    '';
+    fs.".config/mpv/script-opts/osc.conf".symlink.text = ''
+      # make the on-screen controls *always* visible
+      # unfortunately, this applies to full-screen as well
+      # - docs: <https://mpv.io/manual/master/#on-screen-controller-visibility>
+      # if uosc is installed, this file is unused
+      visibility=always
+    '';
+    fs.".config/mpv/script-opts/uosc.conf".symlink.text = let
+      play_pause_btn = "cycle:play_arrow:pause:no=pause/yes=play_arrow";
+      rev_btn = "command:replay_10:seek -10";
+      fwd_btn = "command:forward_30:seek 30";
+    in ''
+      # docs:
+      # - <https://github.com/tomasklaen/uosc>
+      # - <https://superuser.com/questions/1775550/add-new-buttons-to-mpv-uosc-ui>
+      timeline_style=bar
+      timeline_persistency=paused,audio
+      controls_persistency=paused,audio
+      volume_persistency=audio
+      volume_opacity=0.75
+
+      # speed_persistency=paused,audio
+      # vvv  want a close button?
+      top_bar=always
+      top_bar_persistency=paused
+
+      controls=menu,<video>subtitles,<has_many_audio>audio,<has_many_video>video,<has_many_edition>editions,<stream>stream-quality,space,${rev_btn},${play_pause_btn},${fwd_btn},space,speed:1.0,gap,<video>fullscreen
+
+      text_border=6.0
+      font_bold=yes
+      background_text=ff8080
+      foreground=ff8080
+
+      ui_scale=1.0
+    '';
+
+    mime.priority = 200;  # default = 100; 200 means to yield to other apps
+    mime.associations."audio/flac" = "mpv.desktop";
+    mime.associations."audio/mpeg" = "mpv.desktop";
+    mime.associations."audio/x-vorbis+ogg" = "mpv.desktop";
+    mime.associations."video/mp4" = "mpv.desktop";
+    mime.associations."video/quicktime" = "mpv.desktop";
+    mime.associations."video/webm" = "mpv.desktop";
+    mime.associations."video/x-matroska" = "mpv.desktop";
   };
 }
 

hosts/common/programs/neovim.nix

@@ -14,7 +14,12 @@ let
       # docs: https://github.com/nvim-treesitter/nvim-treesitter
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
       # this is required for tree-sitter to even highlight
-      plugin = nvim-treesitter.withAllGrammars;
+      plugin = nvim-treesitter.withPlugins (_: nvim-treesitter.allGrammars ++ [
+        # XXX: this is apparently not enough to enable syntax highlighting!
+        # nvim-treesitter ships its own queries which may be distinct from e.g. helix.
+        # the queries aren't included when i ship the grammar in this manner
+        pkgs.tree-sitter-nix-shell
+      ]);
       type = "lua";
       config = ''
         require'nvim-treesitter.configs'.setup {
@@ -76,7 +81,7 @@ let
     }
   ];
   plugin-packages = map (p: p.plugin) plugins;
-  plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
+  plugin-config-viml = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
   plugin-config-lua = concatMapStrings (p: optionalString (p.type or "" == "lua") p.config) plugins;
 in
 {
@@ -94,7 +99,7 @@ in
     viAlias = true;
     vimAlias = true;
     configure = {
-      packages.myVimPackage = {
+      packages.plugins = {
         start = plugin-packages;
       };
       customRC = ''
@@ -130,8 +135,8 @@ in
         set list
         set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
 
-        """"" PLUGIN CONFIG (tex)
-        ${plugin-config-tex}
+        """"" PLUGIN CONFIG (vim)
+        ${plugin-config-viml}
 
         """"" PLUGIN CONFIG (lua)
         lua <<EOF

hosts/common/programs/nheko.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  # not strictly necessary, but allows caching articles; offline use, etc.
+  sane.programs.nheko.persist.private = [
+    ".config/nheko"  # config file (including client token)
+    ".cache/nheko"  # media cache
+    ".local/share/nheko"  # per-account state database
+  ];
+}

hosts/common/programs/obsidian.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  sane.programs.obsidian.mime.associations."text/markdown" = "obsidian.desktop";
+}

hosts/common/programs/splatmoji.nix

@@ -10,13 +10,11 @@
       # XXX doesn't seem to understand ~ as shorthand for `$HOME`
       history_file=/home/colin/.local/state/splatmoji/history
       history_length=5
-      # TODO: wayland equiv
-      paste_command=xdotool key ctrl+v
+      paste_command=${pkgs.wtype}/bin/wtype -M Ctrl -k v
       # rofi_command=${pkgs.wofi}/bin/wofi --dmenu --insensitive --cache-file /dev/null
       rofi_command=${pkgs.fuzzel}/bin/fuzzel -d -i -w 60
       xdotool_command=${pkgs.wtype}/bin/wtype
-      # TODO: wayland equiv
-      xsel_command=xsel -b -i
+      xsel_command=${pkgs.findutils}/bin/xargs ${pkgs.wl-clipboard}/bin/wl-copy
     '';
   };
 }

hosts/common/programs/tangram.nix

@@ -0,0 +1,42 @@
+# Tangram is a GTK/webkit browser
+# it views each tab as a distinct application, persisted, and where the 'home' button action is specific to each tab.
+# it supports ephemeral tabs, but UX is heavily geared to GCing those as early as possible.
+
+{ pkgs, ... }:
+let
+  dconfProfile = pkgs.writeTextFile {
+    name = "dconf-tangram-profile";
+    destination = "/etc/dconf/profile/tangram";
+    text = ''
+      user-db:tangram
+      system-db:site
+    '';
+  };
+in
+{
+  sane.programs.tangram = {
+    # XXX(2023/07/08): running on moby without disabling the webkit sandbox fails, with:
+    # - `bwrap: Can't make symlink at /var/run: File exists`
+    # see epiphany.nix for more info
+    package = pkgs.tangram.overrideAttrs (upstream: {
+      preFixup = ''
+        gappsWrapperArgs+=(
+          --set WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS "1"
+          --set DCONF_PROFILE "${dconfProfile}/etc/dconf/profile/tangram"
+        );
+      '' + (upstream.preFixup or "");
+    });
+
+    persist.private = [
+      ".cache/Tangram"
+      ".local/share/Tangram"
+      # dconf achieves atomic writes via `mv`, so a symlink doesn't work
+      # moreover, i have to persist the *whole* directory:
+      # - `user-db:tangram/user` causes a schema failure
+      # - bind-mounting `~/private/.config/dconf/tangram` causes dconf to try a cross-fs `mv`, which fails
+      # - dconf provides no way to specify an alternate ~/.config/dconf dir, except by overriding XDG_CONFIG_HOME
+      # { type = "file"; path = ".config/dconf/tangram"; method = "bind"; }
+      ".config/dconf"
+    ];
+  };
+}

hosts/common/programs/tuba.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  sane.programs.tuba.suggestedPrograms = [ "gnome-keyring" ];
+}

hosts/common/programs/vlc.nix

@@ -10,8 +10,13 @@ let
 in
 {
   sane.programs.vlc = {
-    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
-    persist.plaintext = [ ".config/vlc" ];
+    persist.private = [
+      # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
+      # filenames are stored in plaintext (unlike mpv, which i think hashes them)
+      ".config/vlc"
+      # vlc caches artwork. i'm not sure where it gets the artwork (internet? embedded metadata?)
+      ".cache/vlc"
+    ];
     fs.".config/vlc/vlcrc".symlink.text = ''
       [podcast]
       podcast-urls=${podcast-urls}
@@ -20,5 +25,13 @@ in
       [qt]
       qt-privacy-ask=0
     '';
+
+    mime.associations."audio/flac" = "vlc.desktop";
+    mime.associations."audio/mpeg" = "vlc.desktop";
+    mime.associations."audio/x-vorbis+ogg" = "vlc.desktop";
+    mime.associations."video/mp4" = "vlc.desktop";
+    mime.associations."video/quicktime" = "vlc.desktop";
+    mime.associations."video/webm" = "vlc.desktop";
+    mime.associations."video/x-matroska" = "vlc.desktop";
   };
 }

hosts/common/programs/wireshark.nix

@@ -1,5 +1,4 @@
 { config, ... }:
 {
-  sane.programs.wireshark = {};
   programs.wireshark.enable = config.sane.programs.wireshark.enabled;
 }

hosts/common/programs/xarchiver.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  sane.programs.xarchiver.package = pkgs.xarchiver.override {
+    # unar doesn't cross compile well, so disable support for it
+    unar = null;
+  };
+}

hosts/common/programs/zeal.nix

@@ -13,6 +13,7 @@ let
   };
 in {
   sane.programs.zeal = {
+    # package = pkgs.zeal-qt6;  #< TODO: upgrade system to qt6 versions of everything (i.e. jellyfin-media-player, nheko)
     package = pkgs.zeal-qt5;
     persist.plaintext = [
       ".cache/Zeal"

hosts/common/programs/zsh/default.nix

@@ -20,31 +20,12 @@
 let
   inherit (lib) mkIf mkMerge mkOption types;
   cfg = config.sane.zsh;
-  # powerlevel10k prompt config
-  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
-  p10k-overrides = ''
-    # powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
-    # this keeps open file handles for any git repo i touch for 60 minutes (by default).
-    # that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
-    # i can disable gitstatusd and get slower fallback git queries:
-    # - either universally
-    # - or selectively by path
-    # see: <https://github.com/romkatv/powerlevel10k/issues/246>
-    typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
-    # typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
-
-    # show user@host also when logged into the current machine.
-    # default behavior is to show it only over ssh.
-    typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
-  '';
-
-  prezto-init = ''
-    source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
-    source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
-    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
-  '';
 in
 {
+  imports = [
+    ./p10k.nix
+    ./starship.nix
+  ];
   options = {
     sane.zsh = {
       showDeadlines = mkOption {
@@ -52,6 +33,16 @@ in
         default = true;
         description = "show upcoming deadlines (from my PKM) upon shell init";
       };
+      p10k = mkOption {
+        type = types.bool;
+        default = false;
+        description = "enable powerlevel10k prompt and prezto";
+      };
+      starship = mkOption {
+        type = types.bool;
+        default = true;
+        description = "enable starship prompt";
+      };
     };
   };
 
@@ -74,6 +65,9 @@ in
         '' + lib.optionalString cfg.showDeadlines ''
           ${pkgs.sane-scripts.deadlines}/bin/sane-deadlines
         '' + ''
+
+          HISTFILE="$HOME/.local/share/zsh/history"
+
           # auto-cd into any of these dirs by typing them and pressing 'enter':
           hash -d 3rd="/home/colin/dev/3rd"
           hash -d dev="/home/colin/dev"
@@ -86,45 +80,6 @@ in
           hash -d uninsane="/home/colin/dev/uninsane"
           hash -d Videos="/home/colin/Videos"
         '';
-
-        # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
-        # see: https://github.com/sorin-ionescu/prezto
-        # this file is auto-sourced by the prezto init.zsh script.
-        # TODO: i should work to move away from prezto:
-        # - it's FUCKING SLOW to initialize (that might also be powerlevel10k tho)
-        # - it messes with my other `setopt`s
-        fs.".config/zsh/.zpreztorc".symlink.text = ''
-          zstyle ':prezto:*:*' color 'yes'
-          zstyle ':prezto:module:utility' correct 'no'  # prezto: don't setopt CORRECT
-
-          # modules (they ship with prezto):
-          # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
-          # TERMINAL: auto-titles terminal (e.g. based on cwd)
-          # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
-          # HISTORY: `history-stat` alias, setopts for good history defaults
-          # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack. also overrides CLOBBER and some other options
-          # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
-          # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
-          #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
-          # COMPLETION: tab completion. requires `utility` module prior to loading
-          zstyle ':prezto:load' pmodule \
-            'environment' \
-            'terminal' \
-            'editor' \
-            'history' \
-            'spectrum' \
-            'utility' \
-            'completion' \
-            'prompt'
-
-          # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
-          zstyle ':prezto:module:editor' key-bindings 'emacs'
-
-          zstyle ':prezto:module:prompt' theme 'powerlevel10k'
-
-          # disable `mv` confirmation (and `rm`, too, unfortunately)
-          zstyle ':prezto:module:utility' safe-ops 'no'
-        '';
       };
     })
     (mkIf config.sane.programs.zsh.enabled {
@@ -133,7 +88,6 @@ in
 
       programs.zsh = {
         enable = true;
-        histFile = "$HOME/.local/share/zsh/history";
         shellAliases = {
           ":q" = "exit";
           # common typos
@@ -162,16 +116,12 @@ in
         '';
 
         # system-wide .zshrc config:
-        interactiveShellInit =
-          (builtins.readFile ./p10k.zsh)
-        + p10k-overrides
-        + prezto-init
-        + ''
+        interactiveShellInit = ''
           # zmv is a way to do rich moves/renames, with pattern matching/substitution.
           # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
           autoload -Uz zmv
 
-          HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch)'
+          HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch|switch)'
 
           # extra aliases
           # TODO: move to `shellAliases` config?
@@ -179,6 +129,10 @@ in
             mkdir -p "$1";
             pushd "$1";
           }
+
+          function switch() {
+            sudo nixos-rebuild --flake . switch --keep-going;
+          }
         '';
 
         syntaxHighlighting.enable = true;

hosts/common/programs/zsh/p10k.nix

@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ...}:
+
+let
+  # powerlevel10k prompt config
+  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
+  p10k-overrides = ''
+    # powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
+    # this keeps open file handles for any git repo i touch for 60 minutes (by default).
+    # that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
+    # i can disable gitstatusd and get slower fallback git queries:
+    # - either universally
+    # - or selectively by path
+    # see: <https://github.com/romkatv/powerlevel10k/issues/246>
+    typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
+    # typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
+
+    # show user@host also when logged into the current machine.
+    # default behavior is to show it only over ssh.
+    typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
+  '';
+
+  prezto-init = ''
+    source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
+    source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
+  '';
+in {
+  config = lib.mkIf config.sane.zsh.p10k {
+    sane.programs.zsh = {
+      # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
+      # see: https://github.com/sorin-ionescu/prezto
+      # this file is auto-sourced by the prezto init.zsh script.
+      # TODO: i should work to move away from prezto:
+      # - it's FUCKING SLOW to initialize (that might also be powerlevel10k tho)
+      # - it messes with my other `setopt`s
+      fs.".config/zsh/.zpreztorc".symlink.text = ''
+        zstyle ':prezto:*:*' color 'yes'
+        zstyle ':prezto:module:utility' correct 'no'  # prezto: don't setopt CORRECT
+
+        # modules (they ship with prezto):
+        # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
+        # TERMINAL: auto-titles terminal (e.g. based on cwd)
+        # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
+        # HISTORY: `history-stat` alias, setopts for good history defaults
+        # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack. also overrides CLOBBER and some other options
+        # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
+        # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
+        #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
+        # COMPLETION: tab completion. requires `utility` module prior to loading
+        zstyle ':prezto:load' pmodule \
+          'environment' \
+          'terminal' \
+          'editor' \
+          'history' \
+          'spectrum' \
+          'utility' \
+          'completion' \
+          'prompt'
+
+        # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
+        zstyle ':prezto:module:editor' key-bindings 'emacs'
+
+        zstyle ':prezto:module:prompt' theme 'powerlevel10k'
+
+        # disable `mv` confirmation (and `rm`, too, unfortunately)
+        zstyle ':prezto:module:utility' safe-ops 'no'
+      '';
+    };
+
+    programs.zsh.interactiveShellInit = (builtins.readFile ./p10k.zsh)
+      + p10k-overrides
+      + prezto-init
+    ;
+  };
+}

hosts/common/programs/zsh/starship.nix

@@ -0,0 +1,101 @@
+# starship prompt: <https://starship.rs/config/#prompt>
+# my own config heavily based off:
+# - <https://starship.rs/presets/pastel-powerline.html>
+{ config, lib, pkgs, ...}:
+
+let
+  enabled = config.sane.zsh.starship;
+  toml = pkgs.formats.toml {};
+  colors = {
+    # colors sorted by the order they appear in the status bar
+    _01_purple = "#9A348E";
+    _02_pink = "#DA627D";
+    _03_orange = "#FCA17D";
+    _04_teal = "#86BBD8";
+    _05_blue = "#06969A";
+    _06_blue = "#33658A";
+  };
+in {
+  config = lib.mkIf config.sane.zsh.starship {
+    sane.programs.zsh = lib.mkIf enabled {
+      fs.".config/zsh/.zshrc".symlink.text = ''
+        eval "$(${pkgs.starship}/bin/starship init zsh)"
+      '';
+      fs.".config/starship.toml".symlink.target = toml.generate "starship.toml" {
+        format = builtins.concatStringsSep "" [
+          "[](${colors._01_purple})"
+          "$os"
+          "$username"
+          "$hostname"
+          "[](bg:${colors._02_pink} fg:${colors._01_purple})"
+          "$directory"
+          "[](fg:${colors._02_pink} bg:${colors._03_orange})"
+          "$git_branch"
+          "$git_status"
+          "[](fg:${colors._03_orange} bg:${colors._04_teal})"
+          "[](fg:${colors._04_teal} bg:${colors._05_blue})"
+          "[](fg:${colors._05_blue} bg:${colors._06_blue})"
+          "$time"
+          "$status"
+          "[ ](fg:${colors._06_blue})"
+        ];
+        add_newline = false;  # no blank line before prompt
+
+        os.style = "bg:${colors._01_purple}";
+        os.format = "[$symbol]($style)";
+        os.disabled = false;
+        # os.symbols.NixOS = "❄️";  # removes the space after logo
+
+        # TODO: tune foreground color of username
+        username.style_user = "bg:${colors._01_purple}";
+        username.style_root = "bold bg:${colors._01_purple}";
+        username.format = "[$user ]($style)";
+
+        hostname.style = "bold bg:${colors._01_purple}";
+        hostname.format = "[$ssh_symbol$hostname ]($style)";
+
+        directory.style = "bg:${colors._02_pink} fg:#ffffff";
+        directory.format = "[ $path ]($style)";
+        directory.truncation_length = 3;
+        directory.truncation_symbol = "…/";
+
+        # git_branch.symbol = "";  # looks good in nerd fonts
+        git_branch.symbol = "";
+        git_branch.style = "bg:${colors._03_orange} fg:#ffffff";
+        # git_branch.style = "bg:#FF8262";
+        git_branch.format = "[ $symbol $branch ]($style)";
+
+        git_status.style = "bold bg:${colors._03_orange} fg:#ffffff";
+        # git_status.style = "bg:#FF8262";
+        git_status.format = "[$all_status$ahead_behind ]($style)";
+        git_status.ahead = "⇡$count";
+        git_status.behind = "⇣$count";
+        # git_status.diverged = "⇣$behind_count⇡$ahead_count";
+        git_status.diverged = "⇡$ahead_count⇣$behind_count";
+        git_status.modified = "*";
+        git_status.stashed = "";
+        git_status.untracked = "";
+
+
+        time.disabled = true;
+        time.time_format = "%R"; # Hour:Minute Format
+        time.style = "bg:${colors._06_blue}";
+        time.format = "[ $time ]($style)";
+
+        status.disabled = false;
+        status.style = "bg:${colors._06_blue}";
+        # status.success_symbol = "♥ ";
+        # status.success_symbol = "💖";
+        # status.success_symbol = "💙";
+        # status.success_symbol = "💚";
+        # status.success_symbol = "💜";
+        # status.success_symbol = "✔️'";
+        status.success_symbol = "";
+        status.symbol = "❌";
+        # status.symbol = "❗️";
+        # status.symbol = "‼️";
+        status.format = "[$symbol]($style)";
+      };
+    };
+  };
+}

hosts/common/secrets.nix

@@ -30,7 +30,7 @@
 let
   inherit (lib.strings) hasSuffix removeSuffix;
   secretsForHost = host: let
-    extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path) {
+    extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path && builtins.hasAttr "guest" config.users.users) {
       owner = "guest";
     };
   in sane-lib.joinAttrsets (
@@ -66,7 +66,6 @@ in
     {
       "jackett_apikey".owner = config.users.users.colin.name;
       "mx-sanebot-env".owner = config.users.users.colin.name;
-      "snippets".owner = config.users.users.colin.name;
       "transmission_passwd".owner = config.users.users.colin.name;
     }
   ];

hosts/common/ssh.nix

@@ -2,7 +2,6 @@
 
 let
   inherit (builtins) attrValues head map mapAttrs tail;
-  inherit (lib) concatStringsSep mkMerge reverseList;
 in
 {
   sane.ssh.pubkeys =
@@ -10,9 +9,9 @@ in
     # path is a DNS-style path like [ "org" "uninsane" "root" ]
     keyNameForPath = path:
       let
-        rev = reverseList path;
+        rev = lib.reverseList path;
         name = head rev;
-        host = concatStringsSep "." (tail rev);
+        host = lib.concatStringsSep "." (tail rev);
       in
       "${name}@${host}";
 
@@ -23,9 +22,10 @@ in
       (name: {
         inherit name;
         value = {
-          colin = hostCfg.ssh.user_pubkey;
           root = hostCfg.ssh.host_pubkey;
-        };
+        } // (lib.optionalAttrs hostCfg.ssh.authorized {
+          colin = hostCfg.ssh.user_pubkey;
+        });
       })
       hostCfg.names
     ;
@@ -34,7 +34,7 @@ in
         map keysForHost (builtins.attrValues config.sane.hosts.by-name)
       )
     );
-  in mkMerge (map
+  in lib.mkMerge (map
     ({ path, value }: {
       "${keyNameForPath path}" = lib.mkIf (value != null) value;
     })

hosts/common/users/colin.nix

@@ -21,7 +21,7 @@
       "networkmanager"
       "nixbuild"
       "transmission"  # servo, to admin /var/lib/uninsane/media
-      "video"  # phosh/mobile. XXX colin: unsure if necessary
+      "video"  # mobile; for LEDs & maybe for camera?
       "wheel"
       "wireshark"
     ];
@@ -52,13 +52,6 @@
 
   sane.users.colin = {
     default = true;
-    # ensure ~ perms are known to sane.fs module.
-    # TODO: this is generic enough to be lifted up into sane.fs itself.
-    fs."/".dir.acl = {
-      user = "colin";
-      group = config.users.users.colin.group;
-      mode = config.users.users.colin.homeMode;
-    };
 
     persist.plaintext = [
       "archive"
@@ -68,10 +61,16 @@
       "ref"
       "tmp"
       "use"
+      "Books"
       "Music"
       "Pictures"
       "Videos"
 
+      # these are persisted simply to save on RAM.
+      # ~/.cache/nix can become several GB.
+      # fontconfig and mesa_shader_cache are < 10 MB.
+      ".cache/fontconfig"
+      ".cache/mesa_shader_cache"
       ".cache/nix"
 
       # ".cargo"

hosts/common/users/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ./colin.nix
     ./guest.nix
+    ./root.nix
   ];
 
   # Users are exactly these specified here;

hosts/common/users/guest.nix

@@ -11,8 +11,8 @@ in
     };
   };
 
-  config = {
-    users.users.guest = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
+    users.users.guest = {
       isNormalUser = true;
       home = "/home/guest";
       subUidRanges = [
@@ -27,7 +27,7 @@ in
 
     sane.persist.sys.plaintext = lib.mkIf cfg.enable [
       # intentionally allow other users to write to the guest folder
-      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
+      { path = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
     ];
   };
 }

hosts/common/users/root.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  sane.persist.sys.cryptClearOnBoot = [
+    # when running commands as root, some things may create ~/.cache entries.
+    # notably:
+    # - `/root/.cache/nix/` takes up ~10 MB on lappy/desko/servo
+    # - `/root/.cache/mesa_shader_cache` takes up 1-2 MB on moby
+    { path = "/root"; user = "root"; group = "root"; mode = "0700"; }
+  ];
+}

hosts/modules/default.nix

@@ -2,7 +2,7 @@
 
 {
   imports = [
-    ./derived-secrets.nix
+    ./derived-secrets
     ./gui
     ./hardware
     ./hostnames.nix

hosts/modules/derived-secrets/default.nix

@@ -1,10 +1,14 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 let
-  inherit (builtins) toString;
-  inherit (lib) mapAttrs mkOption types;
+
+  hash-path-with-salt = pkgs.static-nix-shell.mkBash {
+    pname = "hash-path-with-salt";
+    src = ./.;
+  };
+
   cfg = config.sane.derived-secrets;
-  secret = types.submodule {
+  secret = with lib; types.submodule {
     options = {
       len = mkOption {
         type = types.int;
@@ -17,7 +21,7 @@ let
 in
 {
   options = {
-    sane.derived-secrets = mkOption {
+    sane.derived-secrets = with lib; mkOption {
       type = types.attrsOf secret;
       default = {};
       description = ''
@@ -30,17 +34,13 @@ in
   };
 
   config = {
-    sane.fs = mapAttrs (path: c: {
-      generated.script.script = ''
-        echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
-          | sha512sum \
-          | cut -c 1-${toString (c.len * 2)} \
-          | tr a-z A-Z \
-          | basenc -d --base16 \
-          | basenc --${c.encoding} \
-          > "$1"
-      '';
-      generated.script.scriptArgs = [ path ];
+    sane.fs = lib.mapAttrs (path: c: {
+      generated.command = [
+        "${hash-path-with-salt}/bin/hash-path-with-salt"
+        path
+        c.encoding
+        (builtins.toString (c.len * 2))
+      ];
       generated.acl.mode = "0600";
     }) cfg;
   };

hosts/modules/derived-secrets/hash-path-with-salt

@@ -0,0 +1,12 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
+file="$1"
+enc="$2"
+nibbles="$3"
+echo "$file" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
+  | sha512sum \
+  | cut -c "1-$nibbles" \
+  | tr a-z A-Z \
+  | basenc -d --base16 \
+  | basenc "--$enc" \
+  > "$file"

hosts/modules/gui/default.nix

@@ -1,17 +1,128 @@
-{ lib, config, ... }:
-
-let
-  inherit (lib) mkDefault mkIf mkOption types;
-  cfg = config.sane.gui;
-in
+{ config, lib, pkgs, ... }:
 {
   imports = [
     ./gnome.nix
     ./gtk.nix
     ./phosh.nix
-    ./plasma.nix
-    ./plasma-mobile.nix
     ./sway
-    ./sxmo.nix
+    ./sxmo
+  ];
+
+  sane.programs.guiApps = {
+    package = null;
+    suggestedPrograms = lib.optionals (pkgs.system == "x86_64-linux") [
+      "x86GuiApps"
+    ] ++ [
+      # package sets
+      "tuiApps"
+    ] ++ [
+      # "celluloid"  # mpv frontend
+      "chatty"  # matrix/xmpp/irc client
+      "cozy"  # audiobook player
+      # "emote"
+      "epiphany"  # gnome's web browser
+      "evince"  # works on phosh
+      "firefox"
+      # "foliate"  # e-book reader
+      # "fractal"  # matrix client
+      # "gnome.cheese"
+      # "gnome-feeds"  # RSS reader (with claimed mobile support)
+      # "gnome.file-roller"
+      # "gnome.gnome-maps"  # works on phosh
+      # "gnome-podcasts"
+      # "gnome.gnome-system-monitor"
+      # "gnome.gnome-terminal"  # works on phosh
+      # "gnome.gnome-weather"
+      "gpodder"
+      "gthumb"
+      "komikku"
+      "koreader"
+      "lemoa"  # lemmy app
+      # "lollypop"
+      "mepo"  # maps viewer
+      "mpv"
+      "nheko"
+      # "networkmanagerapplet"
+      # "newsflash"
+      "pavucontrol"
+      # "picard"  # music tagging
+      # "libsForQt5.plasmatube"  # Youtube player
+      "soundconverter"
+      # "sublime-music"
+      "tangram"  # web browser
+      # "tdesktop"  # broken on phosh
+      # "tokodon"
+      "tuba"  # mastodon/pleroma client (stores pw in keyring)
+      # "whalebird"  # pleroma client (Electron). input is broken on phosh.
+      "xterm"  # broken on phosh
+    ];
+  };
+
+  sane.programs.desktopGuiApps = {
+    package = null;
+    suggestedPrograms = [
+      "audacity"
+      "blanket"  # ambient noise generator
+      "brave"  # for the integrated wallet -- as a backup
+      # "chromium"  # chromium takes hours to build. brave is chromium-based, distributed in binary form, so prefer it.
+      # "dino"  # XMPP client
+      "electrum"
+      "element-desktop"
+      # "font-manager"  #< depends on webkitgtk4_0 (expensive to build)
+      # "gajim"  # XMPP client
+      "gimp"  # broken on phosh
+      "gnome.dconf-editor"
+      "gnome.file-roller"
+      "gnome.gnome-disk-utility"
+      "gnome.nautilus"  # file browser
+      # "gnome.totem"  # video player, supposedly supports UPnP
+      "handbrake"
+      "hase"
+      "inkscape"
+      "jellyfin-media-player"
+      "kdenlive"
+      "kid3"  # audio tagging
+      "krita"
+      "libreoffice"  # TODO: replace with an office suite that uses saner packaging?
+      "mumble"
+      "obsidian"
+      "slic3r"
+      "steam"
+      "vlc"
+      "wireshark"  # could maybe ship the cli as sysadmin pkg
+    ];
+  };
+
+  sane.programs.handheldGuiApps = {
+    package = null;
+    suggestedPrograms = [
+      "megapixels"  # camera app
+      "portfolio-filemanager"
+      "xarchiver"
+    ];
+  };
+
+  sane.programs.x86GuiApps = {
+    package = null;
+    suggestedPrograms = [
+      "discord"
+      # "gnome.zenity" # for kaiteki (it will use qarma, kdialog, or zenity)
+      # "gpt2tc"  # XXX: unreliable mirror
+      # "kaiteki"  # Pleroma client
+      # "logseq"  # Personal Knowledge Management
+      "losslesscut-bin"
+      "makemkv"
+      "monero-gui"
+      "signal-desktop"
+      "spotify"
+      "tor-browser-bundle-bin"
+      "zecwallet-lite"
+    ];
+  };
+
+  sane.persist.sys.plaintext = lib.mkIf config.sane.programs.guiApps.enabled [
+    "/var/lib/alsa"                # preserve output levels, default devices
+    "/var/lib/colord"              # preserve color calibrations (?)
+    "/var/lib/systemd/backlight"   # backlight brightness
   ];
 }

hosts/modules/gui/gtk.nix

@@ -1,7 +1,17 @@
-{ config, lib, pkgs }:
+# gtk apps search XDG_ICON_DIRS for icons (nixos specific)
+# nixos ships the hi-color icon theme by default, which has *some* icons,
+# but leaves a lot of standard ones unavailable.
+#
+# system-wide theme components live in:
+# - /run/current-system/sw/share/color-schemes/${theme}
+# - /run/current-system/sw/share/icons/${theme}
+# - /run/current-system/sw/share/icons/${theme}/cursors  (cursor-theme)
+# - /run/current-system/sw/share/themes/${theme}/gtk-4.0
+{ config, lib, pkgs, ... }:
 let
   cfg = config.sane.gui.gtk;
-  themes = {
+  unsortedThemes = {
+    # crude assortment of themes in nixpkgs; some might not be gtk themes, some gtk themes might not be in this list
     inherit (pkgs)
       # themes are in <repo:nixos/nixpkgs:pkgs/data/themes>
       adapta-gtk-theme
@@ -105,6 +115,74 @@ let
       yaru-theme
       zuki-themes
     ;
+    inherit (pkgs.gnome)
+      adwaita-icon-theme
+      gnome-themes-extra
+    ;
+  };
+
+  themes = with pkgs; {
+    color-scheme = {
+      default = emptyDirectory;
+      Dracula = dracula-theme;
+      DraculaPurple = dracula-theme;
+      Dracula-cursors = dracula-theme;
+    };
+    cursor-theme = {
+      Adwaita = gnome.adwaita-icon-theme;
+    };
+    gtk-theme = {
+      Adwaita = gnome.gnome-themes-extra;  # gtk-3.0
+      Adwaita-dark = gnome.gnome-themes-extra;  # gtk-3.0
+      Arc = arc-theme;  # gtk-4.0
+      Arc-Dark = arc-theme;  # gtk-4.0
+      Arc-Darker = arc-theme;  # gtk-4.0
+      Arc-Lighter = arc-theme;  # gtk-4.0
+      Dracula = dracula-theme;  # gtk-4.0
+      E17gtk = e17gtk;  # gtk-3.0
+      Fluent = fluent-gtk-theme;  # gtk-4.0
+      Fluent-compact = fluent-gtk-theme;  # gtk-4.0
+      Fluent-Dark = fluent-gtk-theme;  # gtk-4.0
+      Fluent-Dark-compact = fluent-gtk-theme;  # gtk-4.0
+      Fluent-Light = fluent-gtk-theme;  # gtk-4.0
+      Fluent-Light-compact = fluent-gtk-theme;  # gtk-4.0,  NICE!
+      HighContrast = gnome.gnome-themes-extra;  # gtk-3.0
+      Matcha-light-azul = matcha-gtk-theme;  # gtk-4.0,  NICE!
+      Matcha-light-sea = matcha-gtk-theme;  # gtk-4.0,  NICE!
+      # additional Matcha-* omitted
+      Nordic = nordic;  # gtk-4.0
+      Nordic-bluish-accent = nordic;  # gtk-4.0
+      Nordic-darker = nordic;  # gtk-4.0
+      Nordic-Polar = nordic;  # gtk-4.0,  NICE
+      Numix = numix-gtk-theme;  # gtk-3.20, meh
+      NumixSolarizedDarkBlue = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkCyan = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkGreen = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkMagenta = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkOrange = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkRed = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkViolet = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedDarkYellow = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightBlue = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightBlueDarkTop = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightCyan = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightGreen = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightMagenta = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightOrange = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightRed = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightViolet = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixSolarizedLightYellow = numix-solarized-gtk-theme;  # gtk-3.20
+      NumixStandard = numix-solarized-gtk-theme;  # gtk-3.20
+      Paper = paper-gtk-theme;  # gtk-4.0
+      Pop = pop-gtk-theme;  # gtk-4.0
+      Pop-dark = pop-gtk-theme;  # gtk-4.0
+      Tokyonight-Light-B = tokyo-night-gtk;  # gtk-4.0, NICE
+      # other Tokyonight-* omitted
+    };
+    icon-theme = {
+      Adwaita = gnome.adwaita-icon-theme;
+      HighContrast = gnome.gnome-themes-extra;  # gtk-3.0
+    };
   };
 in
 {
@@ -114,20 +192,49 @@ in
       type = types.bool;
       description = "apply theme to gtk4 apps";
     };
+    sane.gui.gtk.all = mkOption {
+      default = false;
+      type = types.bool;
+      description = "install all known gtk themes (for testing)";
+    };
+    sane.gui.gtk.color-scheme = mkOption {
+      default = "default";
+      type = types.str;
+    };
+    sane.gui.gtk.cursor-theme = mkOption {
+      default = "Adwaita";
+      type = types.str;
+    };
+    sane.gui.gtk.gtk-theme = mkOption {
+      default = "Adwaita";
+      type = types.str;
+    };
+    sane.gui.gtk.icon-theme = mkOption {
+      default = "Adwaita";
+      type = types.str;
+    };
   };
 
   config = lib.mkIf cfg.enable {
     programs.dconf.packages = [
       (pkgs.writeTextFile {
         name = "dconf-sway-settings";
-        destination = "/etc/dconf/db/site.d/10_sway_settings";
+        destination = "/etc/dconf/db/site.d/10_gtk_settings";
         text = ''
           [org/gnome/desktop/interface]
-          gtk-theme="Dracula"
-          icon-theme="Dracula"
+          color-scheme="${cfg.color-scheme}"
+          cursor-theme="${cfg.cursor-theme}"
+          gtk-theme="${cfg.gtk-theme}"
+          icon-theme="${cfg.icon-theme}"
         '';
       })
     ];
-    environment.systemPackages = lib.attrValues themes;
+    # environment.systemPackages = lib.attrValues themes;
+    environment.systemPackages = [
+      themes.color-scheme."${cfg.color-scheme}"
+      themes.cursor-theme."${cfg.cursor-theme}"
+      themes.gtk-theme."${cfg.gtk-theme}"
+      themes.icon-theme."${cfg.icon-theme}"
+    ] ++ lib.optionals cfg.all (lib.attrValues unsortedThemes);
   };
 }

hosts/modules/gui/phosh.nix

@@ -30,34 +30,13 @@ in
           "gnome.gnome-bluetooth"
           "gnome.gnome-terminal"
           "phosh-mobile-settings"
-          # "plasma5Packages.konsole"  # more reliable terminal
         ];
       };
     }
-    {
-      sane.programs = {
-        inherit (pkgs // {
-          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
-          "gnome.gnome-terminal" = pkgs.gnome.gnome-terminal;
-          "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
-        })
-          phosh-mobile-settings
-          "plasma5Packages.konsole"
-          "gnome.gnome-bluetooth"
-          "gnome.gnome-terminal"
-        ;
-      };
-    }
 
     (mkIf cfg.enable {
       sane.programs.phoshApps.enableFor.user.colin = true;
 
-      # TODO(2023/02/28): remove this qt.style = "gtk2" override.
-      # gnome by default tells qt to stylize its apps similar to gnome.
-      # but the package needed for that doesn't cross-compile, hence i disable that here.
-      # qt.platformTheme = "gtk2";
-      # qt.style = "gtk2";
-
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
       # docs: <repo:gnome/phosh:src/phoc.ini.example>
       # docs: <repo:gnome/phosh:src/settings.c#config_ini_handler>

hosts/modules/gui/plasma-mobile.nix

@@ -1,29 +0,0 @@
-{ lib, config, ... }:
- 
-with lib;
-let
-  cfg = config.sane.gui.plasma-mobile;
-in
-{
-  options = {
-    sane.gui.plasma-mobile.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
-
-    # start plasma-mobile on boot
-    services.xserver.enable = true;
-    services.xserver.desktopManager.plasma5.mobile.enable = true;
-    services.xserver.desktopManager.plasma5.mobile.installRecommendedSoftware = false;  # not all plasma5-mobile packages build for aarch64
-    services.xserver.displayManager.sddm.enable = true;
-   
-    # Plasma does networking stuff with networkmanager, but nix configures the defaults itself
-    # networking.useDHCP = false;
-    # networking.networkmanager.enable = true;
-    # networking.wireless.enable = lib.mkForce false;
-  };
-}

hosts/modules/gui/plasma.nix

@@ -1,28 +0,0 @@
-{ lib, config, ... }:
-
-with lib;
-let
-  cfg = config.sane.gui.plasma;
-in
-{
-  options = {
-    sane.gui.plasma.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
-
-    # start plasma on boot
-    services.xserver.enable = true;
-    services.xserver.desktopManager.plasma5.enable = true;
-    services.xserver.displayManager.sddm.enable = true;
-
-    # gnome does networking stuff with networkmanager
-    networking.useDHCP = false;
-    networking.networkmanager.enable = true;
-    networking.wireless.enable = lib.mkForce false;
-  };
-}

hosts/modules/gui/snippets.txt

@@ -12,4 +12,4 @@ https://bt.uninsane.org
 https://sci-hub.se
 https://archive.is
 https://news.ycombinator.com
-https://192.168.15.1:60481  # Router/Firewall
+http://10.78.79.1  # Router/Firewall