lemmy: more debugging

```
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/381e92a35e2d196fdd6077680dca0cd0197e75cb' (2023-06-07)
  → 'github:nixos/nixpkgs/21951114383770f96ae528d0ae68824557768e81' (2023-06-10)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/a522e12ee35e50fa7d902a164a9796e420e6e75b' (2023-06-04)
  → 'github:Mic92/sops-nix/cb85e297937af1bd1434cf5f85a3f86a21dc8207' (2023-06-11)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/eaf03591711b46d21abc7082a8ebee4681f9dbeb' (2023-06-03)
  → 'github:NixOS/nixpkgs/ef24b2fa0c5f290a35064b847bc211f25cb85c88' (2023-06-10)
```

TODO.md

@@ -43,6 +43,8 @@
     - allows (maybe) to cache media for offline use
     - "newer" jellyfin client
     - not packaged for nix
+- moby/sxmo: display numerical vol percentage in topbar
+- moby/sxmo: include librewolf, jellyfin in `apps` menu
 - find a nice desktop ActivityPub client
 - package Nix/NixOS docs for Zeal
     - install [doc-browser](https://github.com/qwfy/doc-browser)
@@ -52,10 +54,6 @@
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - `sane.programs`: auto-populate defaults with everything from `pkgs`
 - zsh: disable "command not found" corrections
-- sxmo: allow rotation to the upside-down position
-    - see: <repo:mil/sxmo-utils:scripts/core/sxmo_autorotate.sh>
-    - all orientations *except* upside down are supported
-- sxmo: launch with auto-rotation enabled
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
 
 ### perf

flake.lock

@@ -66,11 +66,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1684632198,
-        "narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=",
+        "lastModified": 1686392259,
+        "narHash": "sha256-hqSS9hKhWldIZr1bBp9xKhIznnGPICGKzuehd2LH0UA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247",
+        "rev": "ef24b2fa0c5f290a35064b847bc211f25cb85c88",
         "type": "github"
       },
       "original": {
@@ -82,11 +82,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1684935479,
-        "narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=",
+        "lastModified": 1686412476,
+        "narHash": "sha256-inl9SVk6o5h75XKC79qrDCAobTD1Jxh6kVYTZKHzewA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f91ee3065de91a3531329a674a45ddcb3467a650",
+        "rev": "21951114383770f96ae528d0ae68824557768e81",
         "type": "github"
       },
       "original": {
@@ -113,11 +113,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1684637723,
-        "narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=",
+        "lastModified": 1686453485,
+        "narHash": "sha256-75iPAcS6xuw4SNfqLmFCi9wWG1JmDNKaC8l3WJUkmDk=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9",
+        "rev": "cb85e297937af1bd1434cf5f85a3f86a21dc8207",
         "type": "github"
       },
       "original": {

hosts/by-name/desko/default.nix

@@ -19,6 +19,7 @@
   sane.programs.iphoneUtils.enableFor.user.colin = true;
 
   sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
+  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

hosts/by-name/lappy/default.nix

@@ -19,6 +19,7 @@
     "desktopGuiApps"
     "stepmania"
   ];
+  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
 
   sops.secrets.colin-passwd.neededForUsers = true;
 

hosts/by-name/moby/default.nix

@@ -33,11 +33,14 @@
     ".config/pulse"  # persist pulseaudio volume
   ];
 
-  sane.gui.phosh.enable = true;
+  sane.gui.sxmo.enable = true;
   # sane.programs.consoleUtils.enableFor.user.colin = false;
   # sane.programs.guiApps.enableFor.user.colin = false;
   sane.programs.sequoia.enableFor.user.colin = false;
   sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
+  # disabled for faster deploys (gthumb depends on webkitgtk, particularly)
+  sane.programs.soundconverter.enableFor.user.colin = false;
+  sane.programs.gthumb.enableFor.user.colin = false;
 
   boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.

hosts/by-name/servo/services/lemmy.nix

@@ -32,6 +32,7 @@ in {
   systemd.services.lemmy.environment = {
     RUST_BACKTRACE = "full";
     # RUST_LOG = "debug";
+    # RUST_LOG = "trace";
     # upstream defaults LEMMY_DATABASE_URL = "postgres:///lemmy?host=/run/postgresql";
     # - Postgres complains that we didn't specify a user
     # lemmy formats the url as:

hosts/common/feeds.nix

@@ -79,12 +79,14 @@ let
     (fromDb "feeds.transistor.fm/acquired" // tech)
     ## ACQ2 - more "Acquired" episodes
     (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)
-    # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
-    (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
+    # The Intercept - Deconstructed
+    (fromDb "rss.acast.com/deconstructed")
+    # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
     ## The Daily
     (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
-    # The Intercept - Intercepted; also available: <https://rss.acast.com/intercepted-with-jeremy-scahill>
-    (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)
+    # The Intercept - Intercepted
+    (fromDb "rss.acast.com/intercepted-with-jeremy-scahill")
+    # (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)  #< possible URL rot
     (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
     ## Eric Weinstein
     (fromDb "rss.art19.com/the-portal" // rat)

hosts/common/programs/assorted.nix

@@ -0,0 +1,381 @@
+{ lib, pkgs, ... }:
+
+let
+  inherit (builtins) attrNames;
+
+  flattenedPkgs = pkgs // (with pkgs; {
+    # XXX can't `inherit` a nested attr, so we move them to the toplevel
+    "cacert.unbundled" = pkgs.cacert.unbundled;
+    "gnome.cheese" = gnome.cheese;
+    "gnome.dconf-editor" = gnome.dconf-editor;
+    "gnome.file-roller" = gnome.file-roller;
+    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
+    "gnome.gnome-maps" = gnome.gnome-maps;
+    "gnome.nautilus" = gnome.nautilus;
+    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
+    "gnome.gnome-terminal" = gnome.gnome-terminal;
+    "gnome.gnome-weather" = gnome.gnome-weather;
+    "gnome.totem" = gnome.totem;
+    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
+  });
+
+  sysadminPkgs = {
+    inherit (flattenedPkgs)
+      btrfs-progs
+      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      cryptsetup
+      dig
+      efibootmgr
+      fatresize
+      fd
+      file
+      gawk
+      git
+      gptfdisk
+      hdparm
+      htop
+      iftop
+      inetutils  # for telnet
+      iotop
+      iptables
+      jq
+      killall
+      lsof
+      miniupnpc
+      nano
+      netcat
+      nethogs
+      nmap
+      openssl
+      parted
+      pciutils
+      powertop
+      pstree
+      ripgrep
+      screen
+      smartmontools
+      socat
+      strace
+      subversion
+      tcpdump
+      tree
+      usbutils
+      wget
+      wirelesstools  # iwlist
+    ;
+  };
+  sysadminExtraPkgs = {
+    # application-specific packages
+    inherit (pkgs)
+      backblaze-b2
+      duplicity
+      sqlite  # to debug sqlite3 databases
+    ;
+  };
+
+  iphonePkgs = {
+    inherit (pkgs)
+      ifuse
+      ipfs
+      libimobiledevice
+    ;
+  };
+
+  tuiPkgs = {
+    inherit (pkgs)
+      aerc  # email client
+      offlineimap  # email mailox sync
+      visidata  # TUI spreadsheet viewer/editor
+      w3m
+    ;
+  };
+
+  consoleMediaPkgs = {
+    inherit (pkgs)
+      ffmpeg
+      imagemagick
+      sox
+      yt-dlp
+    ;
+  };
+  # TODO: split these into smaller groups.
+  # - moby doesn't want a lot of these.
+  # - categories like
+  #   - dev?
+  #   - debugging?
+  consolePkgs = {
+    inherit (pkgs)
+      alsaUtils  # for aplay, speaker-test
+      cdrtools
+      clinfo
+      dmidecode
+      efivar
+      flashrom
+      fwupd
+      gh  # MS GitHub cli
+      git  # needed as a user package, for config.
+      gnupg
+      gocryptfs
+      gopass  # TODO: shouldn't be needed here
+      gopass-jsonapi
+      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
+      libsecret  # for managing user keyrings
+      lm_sensors  # for sensors-detect
+      lshw
+      # memtester
+      neovim
+      # nettools
+      # networkmanager
+      nixpkgs-review
+      # nixos-generators
+      nmon
+      # node2nix
+      # oathToolkit  # for oathtool
+      # ponymix
+      pulsemixer
+      python3
+      ripgrep  # needed as a user package so that its user-level config file can be installed
+      rsync
+      # python3Packages.eyeD3  # music tagging
+      sane-scripts
+      sequoia
+      snapper
+      sops
+      speedtest-cli
+      # ssh-to-age
+      sudo
+      # tageditor  # music tagging
+      unar
+      wireguard-tools
+      xdg-utils  # for xdg-open
+      # yarn
+      zsh
+    ;
+  };
+
+  guiPkgs = {
+    inherit (flattenedPkgs)
+      # celluloid  # mpv frontend
+      # emote
+      evince  # works on phosh
+
+      # { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
+
+      # foliate  # e-book reader
+
+      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+      # then reboot (so that libsecret daemon re-loads the keyring...?)
+      # { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
+      # { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
+
+      # "gnome.cheese"
+      # gnome-feeds  # RSS reader (with claimed mobile support)
+      "gnome.file-roller"
+      # "gnome.gnome-maps"  # works on phosh
+      "gnome.nautilus"
+      # gnome-podcasts
+      # "gnome.gnome-system-monitor"
+      # "gnome.gnome-terminal"  # works on phosh
+      # "gnome.gnome-weather"
+      gpodder
+      gthumb
+      jellyfin-media-player
+      # lollypop
+      # mpv
+      # networkmanagerapplet
+      # newsflash
+      nheko
+      pavucontrol
+      # picard  # music tagging
+      # "libsForQt5.plasmatube"  # Youtube player
+      soundconverter
+      # sublime-music
+      # tdesktop  # broken on phosh
+      # tokodon
+      vlc
+      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
+      # whalebird
+      xterm  # broken on phosh
+    ;
+  };
+  desktopGuiPkgs = {
+    inherit (flattenedPkgs)
+      audacity
+      brave  # for the integrated wallet -- as a backup
+      chromium
+      dino
+      electrum
+      element-desktop
+      font-manager
+      gajim  # XMPP client
+      gimp  # broken on phosh
+      "gnome.dconf-editor"
+      "gnome.gnome-disk-utility"
+      # "gnome.totem"  # video player, supposedly supports UPnP
+      handbrake
+      hase
+      inkscape
+      kdenlive
+      kid3  # audio tagging
+      krita
+      libreoffice-fresh
+      mumble
+      obsidian
+      slic3r
+      steam
+      wireshark  # could maybe ship the cli as sysadmin pkg
+    ;
+  };
+  x86GuiPkgs = {
+    inherit (pkgs)
+      discord
+
+      # kaiteki  # Pleroma client
+      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+      # gpt2tc  # XXX: unreliable mirror
+
+      # logseq  # Personal Knowledge Management
+      losslesscut-bin
+      makemkv
+      monero-gui
+      signal-desktop
+      spotify
+      tor-browser-bundle-bin
+      zecwallet-lite
+    ;
+  };
+
+  # packages not part of any package set; not enabled by default
+  otherPkgs = {
+    inherit (pkgs)
+      lemmy-server
+      mx-sanebot
+      stepmania
+    ;
+  };
+
+  # define -- but don't enable -- the packages in some attrset.
+  declarePkgs = pkgsAsAttrs: lib.mapAttrs (_n: p: {
+    # no need to actually define the package here: it's defaulted
+    # package = mkDefault p;
+  }) pkgsAsAttrs;
+in
+{
+  sane.programs = lib.mkMerge [
+    (declarePkgs consoleMediaPkgs)
+    (declarePkgs consolePkgs)
+    (declarePkgs desktopGuiPkgs)
+    (declarePkgs guiPkgs)
+    (declarePkgs iphonePkgs)
+    (declarePkgs sysadminPkgs)
+    (declarePkgs sysadminExtraPkgs)
+    (declarePkgs tuiPkgs)
+    (declarePkgs x86GuiPkgs)
+    (declarePkgs otherPkgs)
+    {
+      # link the various package sets into their own meta packages
+      consoleMediaUtils = {
+        package = null;
+        suggestedPrograms = attrNames consoleMediaPkgs;
+      };
+      consoleUtils = {
+        package = null;
+        suggestedPrograms = attrNames consolePkgs;
+      };
+      desktopGuiApps = {
+        package = null;
+        suggestedPrograms = attrNames desktopGuiPkgs;
+      };
+      guiApps = {
+        package = null;
+        suggestedPrograms = (attrNames guiPkgs)
+          ++ [ "web-browser" ]
+          ++ [ "tuiApps" ]
+          ++ lib.optional (pkgs.system == "x86_64-linux") "x86GuiApps";
+      };
+      iphoneUtils = {
+        package = null;
+        suggestedPrograms = attrNames iphonePkgs;
+      };
+      sysadminUtils = {
+        package = null;
+        suggestedPrograms = attrNames sysadminPkgs;
+      };
+      sysadminExtraUtils = {
+        package = null;
+        suggestedPrograms = attrNames sysadminExtraPkgs;
+      };
+      tuiApps = {
+        package = null;
+        suggestedPrograms = attrNames tuiPkgs;
+      };
+      x86GuiApps = {
+        package = null;
+        suggestedPrograms = attrNames x86GuiPkgs;
+      };
+    }
+    {
+      # nontrivial package definitions
+
+      dino.persist.private = [ ".local/share/dino" ];
+
+      # creds, but also 200 MB of node modules, etc
+      discord.persist.private = [ ".config/discord" ];
+
+      # creds/session keys, etc
+      element-desktop.persist.private = [ ".config/Element" ];
+
+      # `emote` will show a first-run dialog based on what's in this directory.
+      # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+      # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+      emote.persist.plaintext = [ ".local/share/Emote" ];
+
+      # MS GitHub stores auth token in .config
+      # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
+      gh.persist.private = [ ".config/gh" ];
+
+      # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+      # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
+      monero-gui.persist.plaintext = [ ".bitmonero" ];
+
+      mumble.persist.private = [ ".local/share/Mumble" ];
+
+      # not strictly necessary, but allows caching articles; offline use, etc.
+      nheko.persist.private = [
+        ".config/nheko"  # config file (including client token)
+        ".cache/nheko"  # media cache
+        ".local/share/nheko"  # per-account state database
+      ];
+
+      # settings (electron app)
+      obsidian.persist.plaintext = [ ".config/obsidian" ];
+
+      # creds, media
+      signal-desktop.persist.private = [ ".config/Signal" ];
+
+      # printer/filament settings
+      slic3r.persist.plaintext = [ ".Slic3r" ];
+
+      # creds, widevine .so download. TODO: could easily manage these statically.
+      spotify.persist.plaintext = [ ".config/spotify" ];
+
+      tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
+
+      tokodon.persist.private = [ ".cache/KDE/tokodon" ];
+
+      # hardenedMalloc solves a crash at startup
+      # TODO 2023/02/02: is this safe to remove yet?
+      tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
+        useHardenedMalloc = false;
+      };
+
+      whalebird.persist.private = [ ".config/Whalebird" ];
+
+      yarn.persist.plaintext = [ ".cache/yarn" ];
+
+      # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
+      zecwallet-lite.persist.private = [ ".zcash" ];
+    }
+  ];
+}

hosts/common/programs/default.nix

@@ -1,269 +1,13 @@
-{ config, lib, pkgs, ... }:
+{ pkgs, ... }:
 
-let
-  inherit (builtins) attrNames concatLists;
-  inherit (lib) mapAttrs mapAttrsToList mkDefault mkIf mkMerge optional;
-
-  flattenedPkgs = pkgs // (with pkgs; {
-    # XXX can't `inherit` a nested attr, so we move them to the toplevel
-    "cacert.unbundled" = pkgs.cacert.unbundled;
-    "gnome.cheese" = gnome.cheese;
-    "gnome.dconf-editor" = gnome.dconf-editor;
-    "gnome.file-roller" = gnome.file-roller;
-    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
-    "gnome.gnome-maps" = gnome.gnome-maps;
-    "gnome.nautilus" = gnome.nautilus;
-    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
-    "gnome.gnome-terminal" = gnome.gnome-terminal;
-    "gnome.gnome-weather" = gnome.gnome-weather;
-    "gnome.totem" = gnome.totem;
-    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
-  });
-
-  sysadminPkgs = {
-    inherit (flattenedPkgs)
-      btrfs-progs
-      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
-      cryptsetup
-      dig
-      efibootmgr
-      fatresize
-      fd
-      file
-      gawk
-      git
-      gptfdisk
-      hdparm
-      htop
-      iftop
-      inetutils  # for telnet
-      iotop
-      iptables
-      jq
-      killall
-      lsof
-      miniupnpc
-      nano
-      netcat
-      nethogs
-      nmap
-      openssl
-      parted
-      pciutils
-      powertop
-      pstree
-      ripgrep
-      screen
-      smartmontools
-      socat
-      strace
-      subversion
-      tcpdump
-      tree
-      usbutils
-      wget
-      wirelesstools  # iwlist
-    ;
-  };
-  sysadminExtraPkgs = {
-    # application-specific packages
-    inherit (pkgs)
-      backblaze-b2
-      duplicity
-      sqlite  # to debug sqlite3 databases
-    ;
-  };
-
-  iphonePkgs = {
-    inherit (pkgs)
-      ifuse
-      ipfs
-      libimobiledevice
-    ;
-  };
-
-  tuiPkgs = {
-    inherit (pkgs)
-      aerc  # email client
-      offlineimap  # email mailox sync
-      visidata  # TUI spreadsheet viewer/editor
-      w3m
-    ;
-  };
-
-  # TODO: split these into smaller groups.
-  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy ("powerutils"?)
-  consolePkgs = {
-    inherit (pkgs)
-      alsaUtils  # for aplay, speaker-test
-      cdrtools
-      dmidecode
-      efivar
-      flashrom
-      fwupd
-      gh  # MS GitHub cli
-      git  # needed as a user package, for config.
-      gnupg
-      gocryptfs
-      gopass  # TODO: shouldn't be needed here
-      gopass-jsonapi
-      imagemagick
-      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libsecret  # for managing user keyrings
-      lm_sensors  # for sensors-detect
-      lshw
-      ffmpeg
-      # memtester
-      neovim
-      # nettools
-      # networkmanager
-      nixpkgs-review
-      # nixos-generators
-      nmon
-      # node2nix
-      # oathToolkit  # for oathtool
-      # ponymix
-      pulsemixer
-      python3
-      ripgrep  # needed as a user package, for config.
-      rsync
-      # python3Packages.eyeD3  # music tagging
-      sane-scripts
-      sequoia
-      snapper
-      sops
-      sox
-      speedtest-cli
-      # ssh-to-age
-      sudo
-      # tageditor  # music tagging
-      unar
-      wireguard-tools
-      xdg-utils  # for xdg-open
-      # yarn
-      # youtube-dl
-      yt-dlp
-      zsh
-    ;
-  };
-
-  guiPkgs = {
-    inherit (flattenedPkgs)
-      # celluloid  # mpv frontend
-      clinfo
-      emote
-      evince  # works on phosh
-
-      # { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
-
-      # foliate  # e-book reader
-
-      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
-      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
-      # then reboot (so that libsecret daemon re-loads the keyring...?)
-      # { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
-      # { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
-
-      # "gnome.cheese"
-      "gnome.dconf-editor"
-      # gnome-feeds  # RSS reader (with claimed mobile support)
-      "gnome.file-roller"
-      # "gnome.gnome-maps"  # works on phosh
-      "gnome.nautilus"
-      # gnome-podcasts
-      "gnome.gnome-system-monitor"
-      # "gnome.gnome-terminal"  # works on phosh
-      # "gnome.gnome-weather"
-      gpodder
-      gthumb
-      jellyfin-media-player
-      # lollypop
-      # mpv
-      networkmanagerapplet
-      # newsflash
-      nheko
-      pavucontrol
-      # picard  # music tagging
-      playerctl
-      # "libsForQt5.plasmatube"  # Youtube player
-      soundconverter
-      sublime-music
-      # tdesktop  # broken on phosh
-      # tokodon
-      vlc
-      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
-      # whalebird
-      xterm  # broken on phosh
-    ;
-  };
-  desktopGuiPkgs = {
-    inherit (flattenedPkgs)
-      audacity
-      brave  # for the integrated wallet -- as a backup
-      chromium
-      dino
-      electrum
-      element-desktop
-      font-manager
-      gajim  # XMPP client
-      gimp  # broken on phosh
-      "gnome.gnome-disk-utility"
-      # "gnome.totem"  # video player, supposedly supports UPnP
-      handbrake
-      hase
-      inkscape
-      kdenlive
-      kid3  # audio tagging
-      krita
-      libreoffice-fresh
-      mumble
-      obsidian
-      slic3r
-      steam
-      wireshark  # could maybe ship the cli as sysadmin pkg
-    ;
-  };
-  x86GuiPkgs = {
-    inherit (pkgs)
-      discord
-
-      # kaiteki  # Pleroma client
-      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
-      # gpt2tc  # XXX: unreliable mirror
-
-      # logseq  # Personal Knowledge Management
-      losslesscut-bin
-      makemkv
-      monero-gui
-      signal-desktop
-      spotify
-      tor-browser-bundle-bin
-      zecwallet-lite
-    ;
-  };
-
-  # packages not part of any package set; not enabled by default
-  otherPkgs = {
-    inherit (pkgs)
-      lemmy-server
-      mx-sanebot
-      stepmania
-    ;
-  };
-
-  # define -- but don't enable -- the packages in some attrset.
-  declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
-    # no need to actually define the package here: it's defaulted
-    # package = mkDefault p;
-  }) pkgsAsAttrs;
-in
 {
-
   imports = [
     ./aerc.nix
+    ./assorted.nix
     ./git.nix
     ./gnome-feeds.nix
     ./gpodder.nix
+    ./imagemagick.nix
     ./jellyfin-media-player.nix
     ./kitty
     ./libreoffice.nix
@@ -273,6 +17,7 @@ in
     ./offlineimap.nix
     ./ripgrep.nix
     ./splatmoji.nix
+    ./steam.nix
     ./sublime-music.nix
     ./vlc.nix
     ./web-browser.nix
@@ -282,141 +27,8 @@ in
   ];
 
   config = {
-    sane.programs = mkMerge [
-      (declarePkgs consolePkgs)
-      (declarePkgs desktopGuiPkgs)
-      (declarePkgs guiPkgs)
-      (declarePkgs iphonePkgs)
-      (declarePkgs sysadminPkgs)
-      (declarePkgs sysadminExtraPkgs)
-      (declarePkgs tuiPkgs)
-      (declarePkgs x86GuiPkgs)
-      (declarePkgs otherPkgs)
-      {
-        # link the various package sets into their own meta packages
-        consoleUtils = {
-          package = null;
-          suggestedPrograms = attrNames consolePkgs;
-        };
-        desktopGuiApps = {
-          package = null;
-          suggestedPrograms = attrNames desktopGuiPkgs;
-        };
-        guiApps = {
-          package = null;
-          suggestedPrograms = (attrNames guiPkgs)
-            ++ [ "web-browser" ]
-            ++ [ "tuiApps" ]
-            ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
-        };
-        iphoneUtils = {
-          package = null;
-          suggestedPrograms = attrNames iphonePkgs;
-        };
-        sysadminUtils = {
-          package = null;
-          suggestedPrograms = attrNames sysadminPkgs;
-        };
-        sysadminExtraUtils = {
-          package = null;
-          suggestedPrograms = attrNames sysadminExtraPkgs;
-        };
-        tuiApps = {
-          package = null;
-          suggestedPrograms = attrNames tuiPkgs;
-        };
-        x86GuiApps = {
-          package = null;
-          suggestedPrograms = attrNames x86GuiPkgs;
-        };
-      }
-      {
-        # nontrivial package definitions
-
-        dino.persist.private = [ ".local/share/dino" ];
-
-        # creds, but also 200 MB of node modules, etc
-        discord.persist.private = [ ".config/discord" ];
-
-        # creds/session keys, etc
-        element-desktop.persist.private = [ ".config/Element" ];
-
-        # `emote` will show a first-run dialog based on what's in this directory.
-        # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
-        # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
-        emote.persist.plaintext = [ ".local/share/Emote" ];
-
-        # MS GitHub stores auth token in .config
-        # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
-        gh.persist.private = [ ".config/gh" ];
-
-        ghostscript = {};  # used by imagemagick
-
-        imagemagick = {
-          package = pkgs.imagemagick.override {
-            ghostscriptSupport = true;
-          };
-          suggestedPrograms = [ "ghostscript" ];
-        };
-
-        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
-        # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
-        monero-gui.persist.plaintext = [ ".bitmonero" ];
-
-        mumble.persist.private = [ ".local/share/Mumble" ];
-
-        # not strictly necessary, but allows caching articles; offline use, etc.
-        nheko.persist.private = [
-          ".config/nheko"  # config file (including client token)
-          ".cache/nheko"  # media cache
-          ".local/share/nheko"  # per-account state database
-        ];
-
-        # settings (electron app)
-        obsidian.persist.plaintext = [ ".config/obsidian" ];
-
-        # creds, media
-        signal-desktop.persist.private = [ ".config/Signal" ];
-
-        # printer/filament settings
-        slic3r.persist.plaintext = [ ".Slic3r" ];
-
-        # creds, widevine .so download. TODO: could easily manage these statically.
-        spotify.persist.plaintext = [ ".config/spotify" ];
-
-        steam.persist.plaintext = [
-          ".steam"
-          ".local/share/Steam"
-        ];
-
-        tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
-
-        tokodon.persist.private = [ ".cache/KDE/tokodon" ];
-
-        # hardenedMalloc solves a crash at startup
-        # TODO 2023/02/02: is this safe to remove yet?
-        tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
-          useHardenedMalloc = false;
-        };
-
-        whalebird.persist.private = [ ".config/Whalebird" ];
-
-        yarn.persist.plaintext = [ ".cache/yarn" ];
-
-        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-        zecwallet-lite.persist.private = [ ".zcash" ];
-      }
-    ];
-
     # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
     environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
 
-    # steam requires system-level config for e.g. firewall or controller support
-    programs.steam = mkIf config.sane.programs.steam.enabled {
-      enable = true;
-      # not sure if needed: stole this whole snippet from the wiki
-      remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
-      dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
-    };
   };
 }

hosts/common/programs/imagemagick.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  sane.programs.imagemagick = {
+    package = pkgs.imagemagick.override {
+      ghostscriptSupport = true;
+    };
+    suggestedPrograms = [ "ghostscript" ];
+  };
+  sane.programs.ghostscript = {};
+}

hosts/common/programs/jellyfin-media-player.nix

@@ -2,8 +2,8 @@
 
 {
   sane.programs.jellyfin-media-player = {
-    package = pkgs.jellyfin-media-player;
-    # package = pkgs.jellyfin-media-player-qt6;
+    # package = pkgs.jellyfin-media-player;
+    package = pkgs.jellyfin-media-player-qt6;
 
     # jellyfin stores things in a bunch of directories: this one persists auth info.
     # it *might* be possible to populate this externally (it's Qt stuff), but likely to

hosts/common/programs/steam.nix

@@ -0,0 +1,16 @@
+{ config, lib, ...}:
+{
+  sane.programs.steam = {
+    persist.plaintext = [
+      ".steam"
+      ".local/share/Steam"
+    ];
+  };
+  # steam requires system-level config for e.g. firewall or controller support
+  programs.steam = lib.mkIf config.sane.programs.steam.enabled {
+    enable = true;
+    # not sure if needed: stole this whole snippet from the wiki
+    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+  };
+}

hosts/modules/gui/sxmo.nix

@@ -133,8 +133,6 @@ in
       # some programs (e.g. fractal/nheko) **require** a "Secret Service Provider"
       services.gnome.gnome-keyring.enable = true;
 
-      # TODO: probably need to enable pipewire
-
       networking.useDHCP = false;
       networking.networkmanager.enable = true;
       networking.wireless.enable = lib.mkForce false;
@@ -149,7 +147,9 @@ in
       # TODO: not all of these fonts seem to be mapped to the correct icon
       fonts.fonts = [ pkgs.nerdfonts ];
 
-      # i believe sxmo recomments a different audio stack
+      # sxmo has first-class support only for pulseaudio and alsa -- not pipewire.
+      # however, pipewire can emulate pulseaudio support via `services.pipewire.pulse.enable = true`
+      #   after which the stock pulseaudio binaries magically work
       # administer with pw-cli, pw-mon, pw-top commands
       services.pipewire = {
         enable = true;
@@ -184,7 +184,8 @@ in
 
         cfg.deviceHooks
         cfg.hooks
-      ] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
+      ] ++ lib.optionals (config.services.pipewire.pulse.enable) [ pulseaudio ]  # for pactl
+        ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
         ++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
 
       environment.sessionVariables = {

hosts/modules/roles/dev-machine.nix

@@ -17,7 +17,7 @@ in
   config = mkMerge [
     ({
       sane.programs.docsets.config.rustPkgs = [
-        "lemmy-server"
+        # "lemmy-server"
         "mx-sanebot"
       ];
     })

modules/data/feeds/sources/rss.acast.com/deconstructed/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 918085,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "A show that cuts through all the political drivel and media misinformation to give you a straight take on one big news story of the week.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 238,
+  "last_updated": "2023-06-06T16:03:38+00:00",
+  "score": 10,
+  "self_url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
+  "site_name": "",
+  "site_url": "",
+  "title": "Deconstructed",
+  "url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
+  "velocity": 0.123,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.acast.com/intercepted-with-jeremy-scahill/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1131706,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "The people behind The Intercept\u2019s fearless reporting and incisive commentary discuss the crucial issues of our time.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 261,
+  "last_updated": "2023-06-07T09:30:43+00:00",
+  "score": 10,
+  "self_url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
+  "site_name": "",
+  "site_url": "",
+  "title": "Intercepted",
+  "url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
+  "velocity": 0.111,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.prod.firstlook.media/deconstructed/podcast.rss/default.json

@@ -1,21 +0,0 @@
-{
-  "bozo": 0,
-  "content_length": 809084,
-  "content_type": "application/xml+rss; charset=utf-8",
-  "description": "A show that cuts through all the political drivel and media misinformation to give you a straight take on one big news story of the week.",
-  "favicon": null,
-  "hubs": [],
-  "is_podcast": true,
-  "is_push": false,
-  "item_count": 217,
-  "last_seen": "2023-01-11T13:40:50.240217+00:00",
-  "last_updated": "2023-01-06T10:37:50+00:00",
-  "score": 16,
-  "self_url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
-  "site_name": null,
-  "site_url": null,
-  "title": "Deconstructed",
-  "url": "https://rss.prod.firstlook.media/deconstructed/podcast.rss",
-  "velocity": 0.122,
-  "version": "rss20"
-}

modules/data/feeds/sources/rss.prod.firstlook.media/intercepted/podcast.rss/default.json

@@ -1,21 +0,0 @@
-{
-  "bozo": 0,
-  "content_length": 1034995,
-  "content_type": "application/xml+rss; charset=utf-8",
-  "description": "The people behind The Intercept’s fearless reporting and incisive commentary discuss the crucial issues of our time.",
-  "favicon": null,
-  "hubs": [],
-  "is_podcast": true,
-  "is_push": false,
-  "item_count": 243,
-  "last_seen": "2023-01-11T14:04:41.283509+00:00",
-  "last_updated": "2022-12-21T10:30:43+00:00",
-  "score": 16,
-  "self_url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
-  "site_name": null,
-  "site_url": null,
-  "title": "Intercepted",
-  "url": "https://rss.prod.firstlook.media/intercepted/podcast.rss",
-  "velocity": 0.112,
-  "version": "rss20"
-}

modules/persist/stores/crypt.nix

@@ -25,7 +25,7 @@ lib.mkIf config.sane.persist.enable
       "nosuid"
       "allow_other"
       "passfile=${key}"
-      "defaults"
+      # "defaults"  # "unknown flag: --defaults. Try 'gocryptfs -help'"
     ];
     noCheck = true;
   };

modules/persist/stores/private.nix

@@ -35,7 +35,7 @@ lib.mkIf config.sane.persist.enable
       "nodev"
       "nosuid"
       "quiet"
-      "defaults"
+      # "defaults"  # "unknown flag: --defaults. Try 'gocryptfs -help'"
     ];
     noCheck = true;
   };

nixpatches/2023-04-29-lemmy.patch

@@ -1,15 +0,0 @@
-diff --git a/pkgs/servers/web-apps/lemmy/pin.json b/pkgs/servers/web-apps/lemmy/pin.json
-index b2a1f1923ce..621b5945b6b 100644
---- a/pkgs/servers/web-apps/lemmy/pin.json
-+++ b/pkgs/servers/web-apps/lemmy/pin.json
-@@ -1,7 +1,7 @@
- {
--  "version": "0.17.2",
--  "serverSha256": "sha256-fkpMVm52XLyrk9RfzJpthT8fctIilawAIgfK+4TXHvU=",
--  "serverCargoSha256": "sha256-AC6EP612uaeGfqHbrHrz89h0tsNlMceEg6GxEsm1QMA=",
-+  "version": "88a0d2feec3f9b4a06f2d8d090894111afcbd9e2",
-+  "serverSha256": "sha256-jVa7SckpH21TG+i1yjJOkhEgjnZ0Zgk2IUP7sCdtv1Y=",
-+  "serverCargoSha256": "sha256-trp/TCGtAtZlKdZk2CaJ3E9Lj95cq797PLWUF/DD6/M=",
-   "uiSha256": "sha256-0Zhm6Jgc6rlN4c7ryRnR45+fZEdzQhuOXSwU8Wz0D5g=",
-   "uiYarnDepsSha256": "sha256-aZAclSaFZJvuK+FpCBWboGaVEOEJTxq2jnWk0A6iAFw="
- }

nixpatches/list.nix

@@ -52,20 +52,12 @@ in [
   # TODO: why doesn't this apply?
   # ./2023-03-04-ccache-cross-fix.patch
 
-  # 2023-04-11: bambu-studio: init at unstable-2023-01-11
+  # 2023-04-11: bambu-studio: init at 01.06.02.04
   (fetchpatch' {
     prUrl = "https://github.com/NixOS/nixpkgs/pull/206495";
-    hash = "sha256-RbQzAtFTr7Nrk2YBcHpKQMYoPlFMVSXNl96B/lkKluQ=";
+    hash = "sha256-jl6SZwSDhQTlpM5FyGaFU/svwTb1ySdKtvWMgsneq3A=";
   })
 
-  # update to newer lemmy-server.
-  # should be removable when > 0.17.2 releases?
-  # removing this now causes:
-  #   INFO lemmy_server::code_migrations: No Local Site found, creating it.
-  #   Error: LemmyError { message: None, inner: duplicate key value violates unique constraint "local_site_site_id_key", context: "SpanTrace" }
-  # though perhaps this error doesn't occur on fresh databases (idk).
-  ./2023-04-29-lemmy.patch
-
   (fetchpatch' {
     title = "cargo-docset: init at 0.3.1";
     saneCommit = "5a09e84c6159ce545029483384580708bc04c08f";
@@ -75,8 +67,9 @@ in [
 
   (fetchpatch' {
     title = "nixos/lemmy: support nginx";
-    saneCommit = "4c86db6dcb78795ac9bb514d9c779fd591070b23";
-    hash = "sha256-G7jGhSPUp9BMxh2yTzo0KUUVabMJeZ28YTA+0iPldRI=";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/232536";
+    saneCommit = "02a9f9de49923f14fd6c2b069d73e167cdc86078";
+    hash = "sha256-nnZ+95LmZ2nGZxK7yNLs4moovhPX2wFux5JwNjM4Lys=";
   })
 
   (fetchpatch' {

pkgs/default.nix

@@ -89,7 +89,6 @@ let
     jackett = callPackage ./patched/jackett { inherit (unpatched) jackett; };
 
     lemmy-server = callPackage ./patched/lemmy-server { inherit (unpatched) lemmy-server; };
-    lemmy-ui = callPackage ./patched/lemmy-ui { inherit (unpatched) lemmy-ui; };
 
     phoc = callPackage ./patched/phoc { inherit (unpatched) phoc; };
 

pkgs/patched/lemmy-server/debug-db-migrations.patch

@@ -0,0 +1,24 @@
+diff --git a/src/code_migrations.rs b/src/code_migrations.rs
+index c69ce591..b416a299 100644
+--- a/src/code_migrations.rs
++++ b/src/code_migrations.rs
+@@ -36,7 +36,7 @@ use lemmy_db_schema::{
+   utils::{get_conn, naive_now, DbPool},
+ };
+ use lemmy_utils::{error::LemmyError, settings::structs::Settings};
+-use tracing::info;
++use tracing::{debug, info};
+ use url::Url;
+ 
+ pub async fn run_advanced_migrations(pool: &DbPool, settings: &Settings) -> Result<(), LemmyError> {
+@@ -419,7 +419,9 @@ async fn initialize_local_site_2022_10_10(
+   info!("Running initialize_local_site_2022_10_10");
+ 
+   // Check to see if local_site exists
+-  if LocalSite::read(pool).await.is_ok() {
++  let local_site = LocalSite::read(pool).await;
++  debug!("local_site: {local_site:?}");
++  if local_site.is_ok() {
+     return Ok(());
+   }
+   info!("No Local Site found, creating it.");

pkgs/patched/lemmy-server/default.nix

@@ -6,5 +6,7 @@ lemmy-server.overrideAttrs (upstream: {
     ./fix-db-migrations.patch
     # log the database connection events, for debugging
     # ./log-startup.patch
+    # print more debug info about specific problem paths i've encountered
+    # ./debug-db-migrations.patch
   ];
 })

pkgs/patched/lemmy-ui/default.nix

@@ -1,5 +0,0 @@
-{ lemmy-ui, nodejs }:
-lemmy-ui.override {
-  # build w/ latest nodejs; not 14.x
-  inherit nodejs;
-}