get sane.packages to work better. still needs cleanup

flake.lock

@@ -39,22 +39,22 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-rkVbviFmYYmbbVfvFRtOM95IjETbNu3I517Hrxp8EF4=",
-        "path": "/nix/store/8azr0ivnzf0y1sh2r7alxaxab3w49ggx-source/nixpatches",
+        "narHash": "sha256-arp7Uy7ct5ryTcmSY032eN7hr33i7D2XvjTRLliCFDc=",
+        "path": "/nix/store/jblp2g67p3wid2qarcyd8bzrbs9wg5lb-source/nixpatches",
         "type": "path"
       },
       "original": {
-        "path": "/nix/store/8azr0ivnzf0y1sh2r7alxaxab3w49ggx-source/nixpatches",
+        "path": "/nix/store/jblp2g67p3wid2qarcyd8bzrbs9wg5lb-source/nixpatches",
         "type": "path"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1675265860,
-        "narHash": "sha256-PZNqc4ZnTRT34NsHJYbXn+Yhghh56l8HEXn39SMpGNc=",
+        "lastModified": 1674352297,
+        "narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a3a1400571e3b9ccc270c2e8d36194cf05aab6ce",
+        "rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1675273418,
-        "narHash": "sha256-tpYc4TEGvDzh9uRf44QemyQ4TpVuUbxb07b2P99XDbM=",
+        "lastModified": 1674641431,
+        "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4d7c2644dbac9cf8282c0afe68fca8f0f3e7b2db",
+        "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
         "type": "github"
       },
       "original": {
@@ -97,11 +97,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1675288837,
-        "narHash": "sha256-76s8TLENa4PzWDeuIpEF78gqeUrXi6rEJJaKEAaJsXw=",
+        "lastModified": 1674546403,
+        "narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "a81ce6c961480b3b93498507074000c589bd9d60",
+        "rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -78,9 +78,6 @@
                   self.overlays.passthru
                   self.overlays.pins
                 ];
-                # nixpkgs.crossSystem = target;
-                nixpkgs.hostPlatform = target;
-                nixpkgs.buildPlatform = local;
               }
             ];
           });
@@ -114,8 +111,6 @@
       #   - `nixos-rebuild --flake './#<host>' switch`
       imgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.img) self.nixosConfigurations;
 
-      host-pkgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.pkgs) self.nixosConfigurations;
-
       overlays = rec {
         default = pkgs;
         pkgs = import ./overlays/pkgs.nix;

hosts/by-name/desko/default.nix

@@ -4,6 +4,8 @@
     ./fs.nix
   ];
 
+  # sane.packages.enableDevPkgs = true;
+
   sane.roles.client = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;

hosts/by-name/lappy/default.nix

@@ -8,6 +8,8 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
+  # sane.packages.enableDevPkgs = true;
+
   # sane.guest.enable = true;
   sane.gui.sway.enable = true;
   sane.persist.enable = true;

hosts/by-name/moby/default.nix

@@ -10,9 +10,6 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
 
-  # TODO: re-enable once base is cross-compiled
-  sane.programs.guiApps.enableSuggested = false;
-
   # cross-compiled documentation is *slow*.
   # no obvious way to natively compile docs (2022/09/29).
   # entrypoint is nixos/modules/misc/documentation.nix
@@ -44,6 +41,11 @@
     ".config/pulse"  # persist pulseaudio volume
   ];
 
+  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
+  sane.packages.extraUserPkgs = [
+    pkgs.plasma5Packages.konsole  # terminal
+  ];
+
   sane.nixcache.enable = true;
   sane.persist.enable = true;
   sane.gui.phosh.enable = true;

hosts/by-name/servo/default.nix

@@ -8,13 +8,12 @@
     ./services
   ];
 
-  sane.programs = {
+  sane.packages.extraUserPkgs = with pkgs; [
     # for administering services
-    freshrss.enableFor.user.colin = true;
-    matrix-synapse.enableFor.user.colin = true;
-    signaldctl.enableFor.user.colin = true;
-  };
-
+    freshrss
+    matrix-synapse
+    signaldctl
+  ];
   sane.persist.enable = true;
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;

hosts/common/cross.nix

@@ -1,163 +1,22 @@
-{ config, lib, pkgs, ... }:
+{ config, ... }:
 
 let
-  # these are the overlays which we *also* pass through to the cross and emulated package sets.
-  # TODO: refactor to not specify same overlay in multiple places (here and flake.nix).
-  overlays = [
-    (import ./../../overlays/pkgs.nix)
-    (import ./../../overlays/pins.nix)
-  ];
-  mkCrossFrom = localSystem: pkgs:
-    import pkgs.path {
-      inherit localSystem;  # localSystem is equivalent to buildPlatform
-      crossSystem = pkgs.stdenv.hostPlatform.system;
-      inherit (config.nixpkgs) config;
-      inherit overlays;
-    };
-  mkEmulated = pkgs:
-    import pkgs.path {
-      localSystem = pkgs.stdenv.hostPlatform.system;
-      inherit (config.nixpkgs) config;
-      inherit overlays;
-    };
+  mkCrossFrom = localSystem: pkgs: import pkgs.path {
+    inherit localSystem;
+    crossSystem = pkgs.stdenv.hostPlatform.system;
+    inherit (config.nixpkgs) config overlays;
+  };
 in
 {
-  # options = {
-  #   perlPackageOverrides = lib.mkOption {
-  #   };
-  # };
-
-  config = {
-    # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
-    # here we just define them all.
-    nixpkgs.overlays = [
-      (next: prev: rec {
-        # non-emulated packages build *from* local *for* target.
-        # for large packages like the linux kernel which are expensive to build under emulation,
-        # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
-        crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" prev;
-        crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" prev;
-
-        emulated = mkEmulated prev;
-      })
-      (next: prev:
-        let
-          emulated = prev.emulated;
-        in {
-          # packages which don't cross compile
-          inherit (emulated)
-            # adwaita-qt  # psqlodbc
-            apacheHttpd  # TODO: not properly patched  (we only need mod_dnssd?)
-            appstream
-            blueman
-            brltty
-            cantarell-fonts  # python3.10-skia-pathops
-            cdrtools
-            colord
-            duplicity  # python3.10-s3transfer
-            evince
-            flakpak
-            fuzzel
-            fwupd-efi
-            fwupd
-            gcr
-            gmime
-            # gnome-keyring
-            # gnome-remote-desktop
-            gnome-tour
-            # gnustep-base  # (used by unar)
-            gocryptfs  # gocryptfs-2.3-go-modules
-            # grpc
-            gst_all_1  # gst_all_1.gst-editing-services
-            gupnp
-            gupnp_1_6
-            # gvfs
-            flatpak
-            hdf5
-            http2
-            ibus
-            kitty
-            iio-sensor-proxy
-            libHX
-            libgweather
-            librest
-            librest_1_0
-            libsForQt5  # qtbase
-            libuv
-            mod_dnssd
-            ncftp
-            obex_data_server
-            openfortivpn
-            ostree
-            pam_mount
-            perl  # perl5.36.0-Test-utf8
-            pipewire
-            psqlodbc
-            pulseaudio  # python3.10-defcon
-            # qgnomeplatform
-            # qtbase
-            qt6  # psqlodbc
-            rmlint
-            sequoia
-            # splatmoji
-            squeekboard
-            sysprof
-            tracker-miners  # it just can't run tests
-            twitter-color-emoji  # python3.10-defcon
-            unar  # python3.10-psycopg2
-            visidata  # python3.10-psycopg2
-            vpnc
-            webp-pixbuf-loader
-            xdg-utils  # perl5.36.0-File-BaseDir
-          ;
-          # pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
-          #   (py-next: py-prev: {
-          #     defcon = py-prev.defcon.override { inherit (prev.emulated) stdenv; };
-          #     # psycopg2 = py-prev.psycopg2.override { inherit prev.emulated.stdenv; };
-          #   })
-          # ];
-
-          gnome = prev.gnome.overrideScope' (self: super: {
-            inherit (emulated.gnome)
-              gnome-color-manager
-              gnome-keyring
-              gnome-remote-desktop  # TODO: figure out what's asking for this and remove it
-              gnome-user-share
-              mutter
-            ;
-          });
-
-          # gst_all_1.gst-editing-services = emulated.gst_all_1.gst-editing-services;
-
-          # gst_all_1 = prev.gst_all_1.overrideScope' (self: super: {
-          #   inherit (emulated.gst_all_1)
-          #     gst-editing-services
-          #   ;
-          # });
-
-          # libsForQt5 = prev.libsForQt5.overrideScope' (self: super: {
-          #   inherit (emulated.libsForQt5)
-          #     qtbase
-          #   ;
-          # });
-
-          # apacheHttpdPackagesFor = apacheHttpd: self:
-          #   let
-          #     prevHttpdPkgs = lib.fix (emulated.apacheHttpdPackagesFor apacheHttpd);
-          #   in
-          #     (prev.apacheHttpdPackagesFor apacheHttpd self) // {
-          #       # inherit (prevHttpdPkgs) mod_dnssd;
-          #       mod_dnssd = prevHttpdPkgs.mod_dnssd.override {
-          #         inherit (self) apacheHttpd;
-          #       };
-          #     };
-      })
-    ];
-
-    # perlPackageOverrides = _perl: {
-    #   inherit (pkgs.emulated.perl.pkgs)
-    #     Testutf8
-    #   ;
-    # };
-  };
+  # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
+  # here we just define them all.
+  nixpkgs.overlays = [
+    (next: prev: {
+      # non-emulated packages build *from* local *for* target.
+      # for large packages like the linux kernel which are expensive to build under emulation,
+      # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
+      crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" next;
+      crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" next;
+    })
+  ];
 }

hosts/common/default.nix

@@ -19,8 +19,8 @@
   ];
 
   sane.nixcache.enable-trusted-keys = true;
-  sane.programs.sysadminUtils.enableFor.system = true;
-  sane.programs.consoleUtils.enableFor.user.colin = true;
+  sane.packages.enableConsolePkgs = true;
+  sane.packages.enableSystemPkgs = true;
 
   # some services which use private directories error if the parent (/var/lib/private) isn't 700.
   sane.fs."/var/lib/private".dir.acl.mode = "0700";

hosts/common/home/firefox.nix

@@ -125,11 +125,11 @@ in
         # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
         # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
         browserpass-extension.package = localAddon pkgs.browserpass-extension;
-        bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+325k=";
+        bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-JOj5P7c2JTTReHCRZXm4BscaGr3i+9Y4Ey/y621x8PI=";
         ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
         i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
         sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
-        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
+        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=";
         ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
         ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=";
 
@@ -146,11 +146,6 @@ in
   };
 
   config = {
-    sane.programs.web-browser = {
-      inherit package;
-      # TODO: define the persistence & fs config here
-    };
-    sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
 
     # uBlock filter list configuration.
     # specifically, enable the GDPR cookie prompt blocker.
@@ -176,6 +171,8 @@ in
       // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
       defaultPref("security.OCSP.require", false);
     '';
+
+    sane.packages.extraGuiPkgs = [ package ];
     # flush the cache to disk to avoid it taking up too much tmp
     sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
       store = cfg.persistCache;

hosts/common/persist.nix

@@ -12,7 +12,5 @@
     "/var/lib/alsa"                # preserve output levels, default devices
     "/var/lib/colord"              # preserve color calibrations (?)
     "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
-    "/var/lib/systemd/backlight"   # backlight brightness
-    "/var/lib/systemd/coredump"
   ];
 }

hosts/common/programs.nix

@@ -1,332 +1,21 @@
-{ lib, pkgs, ... }:
-
-let
-  inherit (builtins) attrNames concatLists;
-  inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge optional;
-
-  sysadminPkgs = {
-    inherit (pkgs // {
-      # XXX can't `inherit` a nested attr, so we move them to the toplevel
-      "cacert.unbundled" = pkgs.cacert.unbundled;
-    })
-      btrfs-progs
-      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
-      cryptsetup
-      dig
-      efibootmgr
-      fatresize
-      fd
-      file
-      gawk
-      git
-      gptfdisk
-      hdparm
-      htop
-      iftop
-      inetutils  # for telnet
-      iotop
-      iptables
-      jq
-      killall
-      lsof
-      nano
-      netcat
-      nethogs
-      nmap
-      openssl
-      parted
-      pciutils
-      powertop
-      pstree
-      ripgrep
-      screen
-      smartmontools
-      socat
-      strace
-      tcpdump
-      tree
-      usbutils
-      wget
-    ;
-  };
-
-  # TODO: split these into smaller groups.
-  # - iphone utils (libimobiledevice, ifuse) only wanted on desko, maybe lappy
-  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy
-  consolePkgs = {
-    inherit (pkgs)
-      # backblaze-b2  # TODO: put into the same package set as duplicity
-      cdrtools
-      dmidecode
-      # duplicity  # TODO: enable as part of some smaller package set
-      efivar
-      flashrom
-      fwupd
-      ghostscript  # TODO: imagemagick wrapper should add gs to PATH
-      gnupg
-      gocryptfs
-      gopass
-      gopass-jsonapi
-      ifuse
-      imagemagick
-      ipfs
-      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libimobiledevice
-      libsecret  # for managing user keyrings
-      lm_sensors  # for sensors-detect
-      lshw
-      ffmpeg
-      memtester
-      networkmanager
-      nixpkgs-review
-      # nixos-generators
-      # nettools
-      nmon
-      oathToolkit  # for oathtool
-      # ponymix
-      pulsemixer
-      python3
-      rsync
-      # python3Packages.eyeD3  # music tagging
-      sane-scripts
-      sequoia
-      snapper
-      sops
-      sox
-      speedtest-cli
-      sqlite  # to debug sqlite3 databases
-      ssh-to-age
-      sudo
-      # tageditor  # music tagging
-      unar
-      visidata
-      w3m
-      wireguard-tools
-      # youtube-dl
-      yt-dlp
-    ;
-  };
-
-  guiPkgs = {
-    inherit (pkgs // (with pkgs; {
-      # XXX can't `inherit` a nested attr, so we move them to the toplevel
-      # TODO: could use some "flatten attrs" helper instead
-      "gnome.cheese" = gnome.cheese;
-      "gnome.dconf-editor" = gnome.dconf-editor;
-      "gnome.file-roller" = gnome.file-roller;
-      "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
-      "gnome.gnome-maps" = gnome.gnome-maps;
-      "gnome.nautilus" = gnome.nautilus;
-      "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
-      "gnome.gnome-terminal" = gnome.gnome-terminal;
-      "gnome.gnome-weather" = gnome.gnome-weather;
-      "libsForQt5.plasmatube" = libsForQt5.plasmatube;
-    }))
-      aerc  # email client
-      audacity
-      celluloid  # mpv frontend
-      chromium
-      clinfo
-      dino
-      electrum
-      element-desktop
-      emote
-      evince  # works on phosh
-
-      # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
-
-      foliate  # e-book reader
-      font-manager
-
-      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
-      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
-      # then reboot (so that libsecret daemon re-loads the keyring...?)
-      # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
-      # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
-
-      gajim  # XMPP client
-      gimp  # broken on phosh
-      "gnome.cheese"
-      "gnome.dconf-editor"
-      gnome-feeds  # RSS reader (with claimed mobile support)
-      "gnome.file-roller"
-      "gnome.gnome-disk-utility"
-      "gnome.gnome-maps"  # works on phosh
-      "gnome.nautilus"
-      # gnome-podcasts
-      "gnome.gnome-system-monitor"
-      "gnome.gnome-terminal"  # works on phosh
-      "gnome.gnome-weather"
-      gpodder-configured
-      gthumb
-      inkscape
-      kdenlive
-      kid3  # audio tagging
-      krita
-      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
-      lollypop
-      mpv
-      networkmanagerapplet
-      newsflash
-      nheko
-      obsidian
-      pavucontrol
-      # picard  # music tagging
-      playerctl
-      "libsForQt5.plasmatube"  # Youtube player
-      soundconverter
-      # sublime music persists any downloaded albums here.
-      # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
-      # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
-      #   possible to pass config as a CLI arg (sublime-music -c config.json)
-      # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
-      sublime-music-mobile
-      tdesktop  # broken on phosh
-      tokodon
-      vlc
-      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
-      # whalebird
-      xdg-utils  # for xdg-open
-      xterm  # broken on phosh
-    ;
-  };
-  x86GuiPkgs = {
-    inherit (pkgs)
-      discord
-
-      # kaiteki  # Pleroma client
-      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
-      # gpt2tc  # XXX: unreliable mirror
-
-      # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
-      handbrake
-
-      logseq
-      losslesscut-bin
-      makemkv
-      monero-gui
-      signal-desktop
-      spotify
-      tor-browser-bundle-bin
-      zecwallet-lite
-    ;
-  };
-
-  # define -- but don't enable -- the packages in some attrset.
-  # use `mkDefault` for the package here so we can customize some of them further down this file
-  declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
-    package = mkDefault p;
-  }) pkgsAsAttrs;
-in
+{ pkgs, ... }:
 {
-  config = {
-    sane.programs = mkMerge [
-      (declarePkgs sysadminPkgs)
-      (declarePkgs consolePkgs)
-      (declarePkgs guiPkgs)
-      (declarePkgs x86GuiPkgs)
-      {
-        # link the various package sets into their own meta packages
-        sysadminUtils = {
-          package = null;
-          suggestedPrograms = attrNames sysadminPkgs;
-        };
-        consoleUtils = {
-          package = null;
-          suggestedPrograms = attrNames consolePkgs;
-        };
-        guiApps = {
-          package = null;
-          suggestedPrograms = (attrNames guiPkgs)
-            ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
-        };
-        x86GuiApps = {
-          package = null;
-          suggestedPrograms = attrNames x86GuiPkgs;
-        };
-      }
-      {
-        # nontrivial package definitions
-        imagemagick.package = pkgs.imagemagick.override {
-          ghostscriptSupport = true;
-        };
+  sane.programs = {
+    btrfs-progs.enableFor.system = true;
+    # "cacert.unbundled".enableFor.system = true;
+    cryptsetup.enableFor.system = true;
+    dig = {
+      enableFor.system = true;
+      suggestedPrograms = [ "efibootmgr" ];
+    };
+    efibootmgr = {};
+    fatresize = {};
 
-        dino.private = [ ".local/share/dino" ];
-
-        # creds, but also 200 MB of node modules, etc
-        discord = {
-          package = pkgs.discord.override {
-            # XXX 2022-07-31: fix to allow links to open in default web-browser:
-            #   https://github.com/NixOS/nixpkgs/issues/78961
-            nss = pkgs.nss_latest;
-          };
-          private = [ ".config/discord" ];
-        };
-
-        # creds/session keys, etc
-        element-desktop.private = [ ".config/Element" ];
-
-        # `emote` will show a first-run dialog based on what's in this directory.
-        # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
-        # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
-        emote.dir = [ ".local/share/Emote" ];
-
-        # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
-        #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
-        gpodder-configured.dir = [ "gPodder" ];
-
-        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
-        # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
-        monero-gui.dir = [ ".bitmonero" ];
-
-        mpv.dir = [ ".config/mpv/watch_later" ];
-
-        # not strictly necessary, but allows caching articles; offline use, etc.
-        newsflash.dir = [ ".local/share/news-flash" ];
-        nheko.private = [
-          ".config/nheko"  # config file (including client token)
-          ".cache/nheko"  # media cache
-          ".local/share/nheko"  # per-account state database
-        ];
-
-        # settings (electron app)
-        obsidian.dir = [ ".config/obsidian" ];
-
-        # creds, media
-        signal-desktop.private = [ ".config/Signal" ];
-
-
-        # creds, widevine .so download. TODO: could easily manage these statically.
-        spotify.dir = [ ".config/spotify" ];
-
-        # sublime music persists any downloaded albums here.
-        # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
-        # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
-        #   possible to pass config as a CLI arg (sublime-music -c config.json)
-        # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
-        sublime-music-mobile.dir = [ ".local/share/sublime-music" ];
-
-        tdesktop.private = [ ".local/share/TelegramDesktop" ];
-
-        tokodon.private = [ ".cache/KDE/tokodon" ];
-
-        # hardenedMalloc solves a crash at startup
-        # TODO 2023/02/02: is this safe to remove yet?
-        tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
-          useHardenedMalloc = false;
-        };
-
-        # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
-        vlc.dir = [ ".config/vlc" ];
-
-        whalebird.private = [ ".config/Whalebird" ];
-
-        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
-        zecwallet-lite.private = [ ".zcash" ];
-      }
-    ];
-
-    # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
-    environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
+    backblaze-b2.enableFor.user.colin = true;
+    cdrtools = {
+      enableFor.user.colin = true;
+      suggestedPrograms = [ "dmidecode" ];
+    };
+    dmidecode = {};
   };
 }

hosts/common/users.nix

@@ -49,6 +49,8 @@ in
 
       shell = pkgs.zsh;
 
+      packages = builtins.map (p: p.pkg) config.sane.packages.enabledUserPkgs;
+
       # mount encrypted stuff at login
       # some other nix pam users:
       # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
@@ -89,9 +91,8 @@ in
 
       ".cache/nix"
       ".cache/nix-index"
-
-      # ".cargo"
-      # ".rustup"
+      ".cargo"
+      ".rustup"
     ];
 
     # convenience

hosts/instantiate.nix

@@ -21,7 +21,7 @@
       # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
       # to explicitly opt into non-emulated cross compilation for any specific package.
       # this is most beneficial for large packages with few pre-requisites -- like Linux.
-      cross = prev.crossFrom."${localSystem}";
+      cross = next.crossFrom."${localSystem}";
     })
   ];
 }

hosts/modules/gui/default.nix

@@ -12,4 +12,24 @@ in
     ./plasma-mobile.nix
     ./sway.nix
   ];
+
+  options = {
+    sane.gui.enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        enables config used by any GUI, like display management or select packages.
+        the user should prefer to interact with specific GUIs like `sane.gui.sway`
+        and let those modules auto-set this flag when necessary.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sane.packages.enableGuiPkgs = mkDefault true;
+
+    # preserve backlight brightness across power cycles
+    # see `man systemd-backlight`
+    sane.persist.sys.plaintext = [ "/var/lib/systemd/backlight" ];
+  };
 }

hosts/modules/gui/gnome.nix

@@ -13,7 +13,7 @@ in
   };
 
   config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
+    sane.gui.enable = true;
 
     # start gnome/gdm on boot
     services.xserver.enable = true;

hosts/modules/gui/phosh.nix

@@ -20,34 +20,9 @@ in
     };
   };
 
-  config = mkMerge [
+  config = mkIf cfg.enable (mkMerge [
     {
-      sane.programs.phoshApps = {
-        package = null;
-        suggestedPrograms = [
-          "guiApps"
-          # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
-          "gnome.gnome-bluetooth"
-          "phosh-mobile-settings"
-          "plasma5Packages.konsole"  # more reliable terminal
-        ];
-      };
-    }
-    {
-      sane.programs = {
-        inherit (pkgs // {
-          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
-          "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
-        })
-          phosh-mobile-settings
-          "plasma5Packages.konsole"
-          # "gnome.gnome-bluetooth"
-        ;
-      };
-    }
-
-    (mkIf cfg.enable {
-      sane.programs.phoshApps.enableFor.user.colin = true;
+      sane.gui.enable = true;
 
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
       services.xserver.desktopManager.phosh = {
@@ -63,26 +38,6 @@ in
         };
       };
 
-      # phosh enables `services.gnome.{core-os-services, core-shell}`
-      # and this in turn enables some default apps we don't really care about.
-      # see <nixos/modules/services/x11/desktop-managers/gnome.nix>
-      environment.gnome.excludePackages = with pkgs; [
-        # gnome.gnome-menus  # unused outside gnome classic, but probably harmless
-        gnome-tour
-      ];
-      services.dleyna-renderer.enable = false;
-      services.dleyna-server.enable = false;
-      services.gnome.gnome-browser-connector.enable = false;
-      services.gnome.gnome-initial-setup.enable = false;
-      services.gnome.gnome-online-accounts.enable = false;
-      services.gnome.gnome-remote-desktop.enable = false;
-      services.gnome.gnome-user-share.enable = false;
-      services.gnome.rygel.enable = false;
-
-      # gnome doesn't use mkDefault for these -- unclear why not
-      services.gnome.evolution-data-server.enable = mkForce false;
-      services.gnome.gnome-online-miners.enable = mkForce false;
-
       # XXX: phosh enables networkmanager by default; can probably disable these lines
       networking.useDHCP = false;
       networking.networkmanager.enable = true;
@@ -121,9 +76,15 @@ in
           '';
         })
       ];
-    })
 
-    (mkIf (cfg.enable && cfg.useGreeter) {
+      sane.packages.extraUserPkgs = with pkgs; [
+        phosh-mobile-settings
+
+        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
+        gnome.gnome-bluetooth
+      ];
+    }
+    (mkIf cfg.useGreeter {
       services.xserver.enable = true;
       # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
       # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
@@ -149,5 +110,5 @@ in
 
       systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
     })
-  ];
+  ]);
 }

hosts/modules/gui/plasma-mobile.nix

@@ -13,8 +13,7 @@ in
   };
 
   config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
-
+    sane.gui.enable = true;
     # start plasma-mobile on boot
     services.xserver.enable = true;
     services.xserver.desktopManager.plasma5.mobile.enable = true;

hosts/modules/gui/plasma.nix

@@ -13,7 +13,7 @@ in
   };
 
   config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
+    sane.gui.enable = true;
 
     # start plasma on boot
     services.xserver.enable = true;

hosts/modules/gui/sway.nix

@@ -120,543 +120,523 @@ in
       type = types.bool;
     };
   };
-  config = mkMerge [
-    {
-      sane.programs.swayApps = {
-        package = null;
-        suggestedPrograms = [
-          "guiApps"
-          "swaylock"
-          "swayidle"
-          "wl-clipboard"
-          "mako"  # notification daemon
-          # # "pavucontrol"
-          "gnome.gnome-bluetooth"
-          "gnome.gnome-control-center"
-        ];
+  config = mkIf cfg.enable {
+    sane.gui.enable = true;
+
+    # swap in these lines to use SDDM instead of `services.greetd`.
+    # services.xserver.displayManager.sddm.enable = true;
+    # services.xserver.enable = true;
+    services.greetd = {
+      # greetd source/docs:
+      # - <https://git.sr.ht/~kennylevinsen/greetd>
+      enable = true;
+      settings = {
+        default_session = if cfg.useGreeter then greeter-session else greeterless-session;
       };
-    }
-    {
-      sane.programs = {
-        inherit (pkgs // {
-          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
-          "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
-        })
-          swaylock
-          swayidle
-          wl-clipboard
-          mako
-          "gnome.gnome-bluetooth"
-          "gnome.gnome-control-center"
-        ;
-      };
-    }
+    };
+    # we need the greeter's command to be on our PATH
+    users.users.colin.packages = [ sway-launcher ];
 
-    (mkIf cfg.enable {
-      sane.programs.swayApps.enableFor.user.colin = true;
+    # some programs (e.g. fractal) **require** a "Secret Service Provider"
+    services.gnome.gnome-keyring.enable = true;
 
-      # swap in these lines to use SDDM instead of `services.greetd`.
-      # services.xserver.displayManager.sddm.enable = true;
-      # services.xserver.enable = true;
-      services.greetd = {
-        # greetd source/docs:
-        # - <https://git.sr.ht/~kennylevinsen/greetd>
-        enable = true;
-        settings = {
-          default_session = if cfg.useGreeter then greeter-session else greeterless-session;
-        };
-      };
-      # we need the greeter's command to be on our PATH
-      users.users.colin.packages = [ sway-launcher ];
+    # unlike other DEs, sway configures no audio stack
+    # administer with pw-cli, pw-mon, pw-top commands
+    services.pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;  # ??
+      pulse.enable = true;
+    };
 
-      # some programs (e.g. fractal) **require** a "Secret Service Provider"
-      services.gnome.gnome-keyring.enable = true;
+    networking.useDHCP = false;
+    networking.networkmanager.enable = true;
+    networking.wireless.enable = lib.mkForce false;
 
-      # unlike other DEs, sway configures no audio stack
-      # administer with pw-cli, pw-mon, pw-top commands
-      services.pipewire = {
-        enable = true;
-        alsa.enable = true;
-        alsa.support32Bit = true;  # ??
-        pulse.enable = true;
-      };
+    hardware.bluetooth.enable = true;
+    services.blueman.enable = true;
+    # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
+    services.gnome.gnome-settings-daemon.enable = true;
+    # start the components of gsd we need at login
+    systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
+    # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
+    # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
+    # it doesn't actually seem to need ANY of them in the first place T_T
+    systemd.user.targets."gnome-session-initialized".enable = false;
+    # bluez can't connect to audio devices unless pipewire is running.
+    # a system service can't depend on a user service, so just launch it at graphical-session
+    systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
 
-      networking.useDHCP = false;
-      networking.networkmanager.enable = true;
-      networking.wireless.enable = lib.mkForce false;
+    programs.sway = {
+      enable = true;
+      wrapperFeatures.gtk = true;
+    };
+    sane.user.fs.".config/sway/config" =
+      let
+        fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
+        sed = "${pkgs.gnused}/bin/sed";
+        wtype = "${pkgs.wtype}/bin/wtype";
+        kitty = "${pkgs.kitty}/bin/kitty";
+        launcher-cmd = fuzzel;
+        terminal-cmd = kitty;
+        lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
+        vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
+        vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
+        mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
+        brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
+        brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
+        screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
+        # "bookmarking"/snippets inspired by Luke Smith:
+        # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
+        snip-file = ./snippets.txt;
+        # TODO: querying sops here breaks encapsulation
+        list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
+        strip-comments = "${sed} 's/ #.*$//'";
+        snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
+        # TODO: next splatmoji release should allow `-s none` to disable skin tones
+        emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
+      in sane-lib.fs.wantedText ''
+        ### default font
+        font pango:monospace 8
 
-      hardware.bluetooth.enable = true;
-      services.blueman.enable = true;
-      # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
-      services.gnome.gnome-settings-daemon.enable = true;
-      # start the components of gsd we need at login
-      systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
-      # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
-      # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
-      # it doesn't actually seem to need ANY of them in the first place T_T
-      systemd.user.targets."gnome-session-initialized".enable = false;
-      # bluez can't connect to audio devices unless pipewire is running.
-      # a system service can't depend on a user service, so just launch it at graphical-session
-      systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
+        ### pixel boundary between windows
+        default_border pixel 3
+        default_floating_border pixel 2
+        hide_edge_borders smart
 
-      programs.sway = {
-        enable = true;
-        wrapperFeatures.gtk = true;
-      };
-      sane.user.fs.".config/sway/config" =
-        let
-          fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
-          sed = "${pkgs.gnused}/bin/sed";
-          wtype = "${pkgs.wtype}/bin/wtype";
-          kitty = "${pkgs.kitty}/bin/kitty";
-          launcher-cmd = fuzzel;
-          terminal-cmd = kitty;
-          lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
-          vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
-          vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
-          mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
-          brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
-          brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
-          screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
-          # "bookmarking"/snippets inspired by Luke Smith:
-          # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
-          snip-file = ./snippets.txt;
-          # TODO: querying sops here breaks encapsulation
-          list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
-          strip-comments = "${sed} 's/ #.*$//'";
-          snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
-          # TODO: next splatmoji release should allow `-s none` to disable skin tones
-          emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
-        in sane-lib.fs.wantedText ''
-          ### default font
-          font pango:monospace 8
+        ### defaults
+        focus_wrapping no
+        focus_follows_mouse yes
+        focus_on_window_activation smart
+        mouse_warping output
+        workspace_layout default
+        workspace_auto_back_and_forth no
 
-          ### pixel boundary between windows
-          default_border pixel 3
-          default_floating_border pixel 2
-          hide_edge_borders smart
+        ### default colors (#border #background #text #indicator #childBorder)
+        client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
+        client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
+        client.unfocused #333333 #222222 #888888 #292d2e #222222
+        client.urgent #2f343a #900000 #ffffff #900000 #900000
+        client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
+        client.background #ffffff
 
-          ### defaults
-          focus_wrapping no
-          focus_follows_mouse yes
-          focus_on_window_activation smart
-          mouse_warping output
-          workspace_layout default
-          workspace_auto_back_and_forth no
+        ### key bindings
+        floating_modifier Mod1
+        ## media keys
+        bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
+        bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
+        bindsym Mod1+Page_Up exec ${vol-up-cmd}
+        bindsym Mod1+Page_Down exec ${vol-down-cmd}
+        bindsym XF86AudioMute exec ${mute-cmd}
+        bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
+        bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
+        ## special functions
+        bindsym Mod1+Print exec ${screenshot-cmd}
+        bindsym Mod1+l exec ${lock-cmd}
+        bindsym Mod1+s exec ${snip-cmd}
+        bindsym Mod1+slash exec ${emoji-cmd}
+        bindsym Mod1+d exec ${launcher-cmd}
+        bindsym Mod1+Return exec ${terminal-cmd}
+        bindsym Mod1+Shift+q kill
+        bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
+        bindsym Mod1+Shift+c reload
+        ## layout
+        bindsym Mod1+b splith
+        bindsym Mod1+v splitv
+        bindsym Mod1+f fullscreen toggle
+        bindsym Mod1+a focus parent
+        bindsym Mod1+w layout tabbed
+        bindsym Mod1+e layout toggle split
+        bindsym Mod1+Shift+space floating toggle
+        bindsym Mod1+space focus mode_toggle
+        bindsym Mod1+r mode resize
+        ## movement
+        bindsym Mod1+Up focus up
+        bindsym Mod1+Down focus down
+        bindsym Mod1+Left focus left
+        bindsym Mod1+Right focus right
+        bindsym Mod1+Shift+Up move up
+        bindsym Mod1+Shift+Down move down
+        bindsym Mod1+Shift+Left move left
+        bindsym Mod1+Shift+Right move right
+        ## workspaces
+        bindsym Mod1+1 workspace number 1
+        bindsym Mod1+2 workspace number 2
+        bindsym Mod1+3 workspace number 3
+        bindsym Mod1+4 workspace number 4
+        bindsym Mod1+5 workspace number 5
+        bindsym Mod1+6 workspace number 6
+        bindsym Mod1+7 workspace number 7
+        bindsym Mod1+8 workspace number 8
+        bindsym Mod1+9 workspace number 9
+        bindsym Mod1+Shift+1 move container to workspace number 1
+        bindsym Mod1+Shift+2 move container to workspace number 2
+        bindsym Mod1+Shift+3 move container to workspace number 3
+        bindsym Mod1+Shift+4 move container to workspace number 4
+        bindsym Mod1+Shift+5 move container to workspace number 5
+        bindsym Mod1+Shift+6 move container to workspace number 6
+        bindsym Mod1+Shift+7 move container to workspace number 7
+        bindsym Mod1+Shift+8 move container to workspace number 8
+        bindsym Mod1+Shift+9 move container to workspace number 9
+        ## "scratchpad" = ??
+        bindsym Mod1+Shift+minus move scratchpad
+        bindsym Mod1+minus scratchpad show
 
-          ### default colors (#border #background #text #indicator #childBorder)
-          client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
-          client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
-          client.unfocused #333333 #222222 #888888 #292d2e #222222
-          client.urgent #2f343a #900000 #ffffff #900000 #900000
-          client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
-          client.background #ffffff
-
-          ### key bindings
-          floating_modifier Mod1
-          ## media keys
-          bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
-          bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
-          bindsym Mod1+Page_Up exec ${vol-up-cmd}
-          bindsym Mod1+Page_Down exec ${vol-down-cmd}
-          bindsym XF86AudioMute exec ${mute-cmd}
-          bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
-          bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
-          ## special functions
-          bindsym Mod1+Print exec ${screenshot-cmd}
-          bindsym Mod1+l exec ${lock-cmd}
-          bindsym Mod1+s exec ${snip-cmd}
-          bindsym Mod1+slash exec ${emoji-cmd}
-          bindsym Mod1+d exec ${launcher-cmd}
-          bindsym Mod1+Return exec ${terminal-cmd}
-          bindsym Mod1+Shift+q kill
-          bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
-          bindsym Mod1+Shift+c reload
-          ## layout
-          bindsym Mod1+b splith
-          bindsym Mod1+v splitv
-          bindsym Mod1+f fullscreen toggle
-          bindsym Mod1+a focus parent
-          bindsym Mod1+w layout tabbed
-          bindsym Mod1+e layout toggle split
-          bindsym Mod1+Shift+space floating toggle
-          bindsym Mod1+space focus mode_toggle
-          bindsym Mod1+r mode resize
-          ## movement
-          bindsym Mod1+Up focus up
-          bindsym Mod1+Down focus down
-          bindsym Mod1+Left focus left
-          bindsym Mod1+Right focus right
-          bindsym Mod1+Shift+Up move up
-          bindsym Mod1+Shift+Down move down
-          bindsym Mod1+Shift+Left move left
-          bindsym Mod1+Shift+Right move right
-          ## workspaces
-          bindsym Mod1+1 workspace number 1
-          bindsym Mod1+2 workspace number 2
-          bindsym Mod1+3 workspace number 3
-          bindsym Mod1+4 workspace number 4
-          bindsym Mod1+5 workspace number 5
-          bindsym Mod1+6 workspace number 6
-          bindsym Mod1+7 workspace number 7
-          bindsym Mod1+8 workspace number 8
-          bindsym Mod1+9 workspace number 9
-          bindsym Mod1+Shift+1 move container to workspace number 1
-          bindsym Mod1+Shift+2 move container to workspace number 2
-          bindsym Mod1+Shift+3 move container to workspace number 3
-          bindsym Mod1+Shift+4 move container to workspace number 4
-          bindsym Mod1+Shift+5 move container to workspace number 5
-          bindsym Mod1+Shift+6 move container to workspace number 6
-          bindsym Mod1+Shift+7 move container to workspace number 7
-          bindsym Mod1+Shift+8 move container to workspace number 8
-          bindsym Mod1+Shift+9 move container to workspace number 9
-          ## "scratchpad" = ??
-          bindsym Mod1+Shift+minus move scratchpad
-          bindsym Mod1+minus scratchpad show
-
-          ### defaults
-          mode "resize" {
-            bindsym Down resize grow height 10 px
-            bindsym Escape mode default
-            bindsym Left resize shrink width 10 px
-            bindsym Return mode default
-            bindsym Right resize grow width 10 px
-            bindsym Up resize shrink height 10 px
-            bindsym h resize shrink width 10 px
-            bindsym j resize grow height 10 px
-            bindsym k resize shrink height 10 px
-            bindsym l resize grow width 10 px
-          }
-
-          ### lightly modified bars
-          bar {
-            # TODO: fonts was:
-            #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
-            font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
-            mode dock
-            hidden_state hide
-            position top
-            status_command ${pkgs.i3status}/bin/i3status
-            swaybar_command ${pkgs.waybar}/bin/waybar
-            workspace_buttons yes
-            strip_workspace_numbers no
-            tray_output primary
-            colors {
-              background #000000
-              statusline #ffffff
-              separator #666666
-              #  #border #background #text
-              focused_workspace #4c7899 #285577 #ffffff
-              active_workspace #333333 #5f676a #ffffff
-              inactive_workspace #333333 #222222 #888888
-              urgent_workspace #2f343a #900000 #ffffff
-              binding_mode #2f343a #900000 #ffffff
-          }
-          }
-
-          ### displays
-          ## DESKTOP
-          output "Samsung Electric Company S22C300 0x00007F35" {
-          pos 0,0
-          res 1920x1080
-          }
-          output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
-          pos 1920,0
-          res 3440x1440
-          }
-
-          ## LAPTOP
-          # sh/en TV
-          output "Pioneer Electronic Corporation VSX-524 0x00000101" {
-          pos 0,0
-          res 1920x1080
-          }
-          # internal display
-          output "Unknown 0x0637 0x00000000" {
-          pos 1920,0
-          res 1920x1080
-          }
-        '';
-
-      sane.user.fs.".config/waybar/config" = sane-lib.fs.wantedSymlinkTo waybar-config-text;
-
-      # style docs: https://github.com/Alexays/Waybar/wiki/Styling
-      sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText ''
-        * {
-          font-family: monospace;
+        ### defaults
+        mode "resize" {
+          bindsym Down resize grow height 10 px
+          bindsym Escape mode default
+          bindsym Left resize shrink width 10 px
+          bindsym Return mode default
+          bindsym Right resize grow width 10 px
+          bindsym Up resize shrink height 10 px
+          bindsym h resize shrink width 10 px
+          bindsym j resize grow height 10 px
+          bindsym k resize shrink height 10 px
+          bindsym l resize grow width 10 px
         }
 
-        /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
-        window#waybar {
-          background-color: rgba(43, 48, 59, 0.5);
-          border-bottom: 3px solid rgba(100, 114, 125, 0.5);
-          color: #ffffff;
-          transition-property: background-color;
-          transition-duration: .5s;
+        ### lightly modified bars
+        bar {
+          # TODO: fonts was:
+          #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
+          font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
+          mode dock
+          hidden_state hide
+          position top
+          status_command ${pkgs.i3status}/bin/i3status
+          swaybar_command ${pkgs.waybar}/bin/waybar
+          workspace_buttons yes
+          strip_workspace_numbers no
+          tray_output primary
+          colors {
+            background #000000
+            statusline #ffffff
+            separator #666666
+            #  #border #background #text
+            focused_workspace #4c7899 #285577 #ffffff
+            active_workspace #333333 #5f676a #ffffff
+            inactive_workspace #333333 #222222 #888888
+            urgent_workspace #2f343a #900000 #ffffff
+            binding_mode #2f343a #900000 #ffffff
+        }
         }
 
-        window#waybar.hidden {
-          opacity: 0.2;
+        ### displays
+        ## DESKTOP
+        output "Samsung Electric Company S22C300 0x00007F35" {
+        pos 0,0
+        res 1920x1080
+        }
+        output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
+        pos 1920,0
+        res 3440x1440
         }
 
-        /*
-        window#waybar.empty {
-          background-color: transparent;
+        ## LAPTOP
+        # sh/en TV
+        output "Pioneer Electronic Corporation VSX-524 0x00000101" {
+        pos 0,0
+        res 1920x1080
         }
-        window#waybar.solo {
-          background-color: #FFFFFF;
+        # internal display
+        output "Unknown 0x0637 0x00000000" {
+        pos 1920,0
+        res 1920x1080
         }
-        */
+      '';
 
-        window#waybar.termite {
-          background-color: #3F3F3F;
-        }
+    sane.user.fs.".config/waybar/config" = sane-lib.fs.wantedSymlinkTo waybar-config-text;
 
-        window#waybar.chromium {
-          background-color: #000000;
-          border: none;
-        }
+    # style docs: https://github.com/Alexays/Waybar/wiki/Styling
+    sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText ''
+      * {
+        font-family: monospace;
+      }
 
-        #workspaces button {
-          padding: 0 5px;
-          background-color: transparent;
-          color: #ffffff;
-          /* Use box-shadow instead of border so the text isn't offset */
-          box-shadow: inset 0 -3px transparent;
-          /* Avoid rounded borders under each workspace name */
-          border: none;
-          border-radius: 0;
-        }
+      /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
+      window#waybar {
+        background-color: rgba(43, 48, 59, 0.5);
+        border-bottom: 3px solid rgba(100, 114, 125, 0.5);
+        color: #ffffff;
+        transition-property: background-color;
+        transition-duration: .5s;
+      }
 
-        /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
-        #workspaces button:hover {
-          background: rgba(0, 0, 0, 0.2);
-          box-shadow: inset 0 -3px #ffffff;
-        }
+      window#waybar.hidden {
+        opacity: 0.2;
+      }
 
-        #workspaces button.focused {
-          background-color: #64727D;
-          box-shadow: inset 0 -3px #ffffff;
-        }
+      /*
+      window#waybar.empty {
+        background-color: transparent;
+      }
+      window#waybar.solo {
+        background-color: #FFFFFF;
+      }
+      */
 
-        #workspaces button.urgent {
-          background-color: #eb4d4b;
-        }
+      window#waybar.termite {
+        background-color: #3F3F3F;
+      }
 
-        #mode {
-          background-color: #64727D;
-          border-bottom: 3px solid #ffffff;
-        }
+      window#waybar.chromium {
+        background-color: #000000;
+        border: none;
+      }
 
-        #clock,
-        #battery,
-        #cpu,
-        #memory,
-        #disk,
-        #temperature,
-        #backlight,
-        #network,
-        #pulseaudio,
-        #custom-media,
-        #tray,
-        #mode,
-        #idle_inhibitor,
-        #mpd {
-          padding: 0 10px;
-          color: #ffffff;
-        }
+      #workspaces button {
+        padding: 0 5px;
+        background-color: transparent;
+        color: #ffffff;
+        /* Use box-shadow instead of border so the text isn't offset */
+        box-shadow: inset 0 -3px transparent;
+        /* Avoid rounded borders under each workspace name */
+        border: none;
+        border-radius: 0;
+      }
 
-        #window,
-        #workspaces {
-          margin: 0 4px;
-        }
+      /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
+      #workspaces button:hover {
+        background: rgba(0, 0, 0, 0.2);
+        box-shadow: inset 0 -3px #ffffff;
+      }
 
-        /* If workspaces is the leftmost module, omit left margin */
-        .modules-left > widget:first-child > #workspaces {
-          margin-left: 0;
-        }
+      #workspaces button.focused {
+        background-color: #64727D;
+        box-shadow: inset 0 -3px #ffffff;
+      }
 
-        /* If workspaces is the rightmost module, omit right margin */
-        .modules-right > widget:last-child > #workspaces {
-          margin-right: 0;
-        }
+      #workspaces button.urgent {
+        background-color: #eb4d4b;
+      }
 
-        #clock {
-          background-color: #64727D;
-        }
+      #mode {
+        background-color: #64727D;
+        border-bottom: 3px solid #ffffff;
+      }
 
-        #battery {
+      #clock,
+      #battery,
+      #cpu,
+      #memory,
+      #disk,
+      #temperature,
+      #backlight,
+      #network,
+      #pulseaudio,
+      #custom-media,
+      #tray,
+      #mode,
+      #idle_inhibitor,
+      #mpd {
+        padding: 0 10px;
+        color: #ffffff;
+      }
+
+      #window,
+      #workspaces {
+        margin: 0 4px;
+      }
+
+      /* If workspaces is the leftmost module, omit left margin */
+      .modules-left > widget:first-child > #workspaces {
+        margin-left: 0;
+      }
+
+      /* If workspaces is the rightmost module, omit right margin */
+      .modules-right > widget:last-child > #workspaces {
+        margin-right: 0;
+      }
+
+      #clock {
+        background-color: #64727D;
+      }
+
+      #battery {
+        background-color: #ffffff;
+        color: #000000;
+      }
+
+      #battery.charging, #battery.plugged {
+        color: #ffffff;
+        background-color: #26A65B;
+      }
+
+      @keyframes blink {
+        to {
           background-color: #ffffff;
           color: #000000;
         }
+      }
 
-        #battery.charging, #battery.plugged {
-          color: #ffffff;
-          background-color: #26A65B;
-        }
+      #battery.critical:not(.charging) {
+        background-color: #f53c3c;
+        color: #ffffff;
+        animation-name: blink;
+        animation-duration: 0.5s;
+        animation-timing-function: linear;
+        animation-iteration-count: infinite;
+        animation-direction: alternate;
+      }
 
-        @keyframes blink {
-          to {
-            background-color: #ffffff;
-            color: #000000;
-          }
-        }
+      label:focus {
+        background-color: #000000;
+      }
 
-        #battery.critical:not(.charging) {
-          background-color: #f53c3c;
-          color: #ffffff;
-          animation-name: blink;
-          animation-duration: 0.5s;
-          animation-timing-function: linear;
-          animation-iteration-count: infinite;
-          animation-direction: alternate;
-        }
+      #cpu {
+        background-color: #2ecc71;
+        color: #000000;
+      }
 
-        label:focus {
-          background-color: #000000;
-        }
+      #memory {
+        background-color: #9b59b6;
+      }
 
-        #cpu {
-          background-color: #2ecc71;
-          color: #000000;
-        }
+      #disk {
+        background-color: #964B00;
+      }
 
-        #memory {
-          background-color: #9b59b6;
-        }
+      #backlight {
+        background-color: #90b1b1;
+      }
 
-        #disk {
-          background-color: #964B00;
-        }
+      #network {
+        background-color: #2980b9;
+      }
 
-        #backlight {
-          background-color: #90b1b1;
-        }
+      #network.disconnected {
+        background-color: #f53c3c;
+      }
 
-        #network {
-          background-color: #2980b9;
-        }
+      #pulseaudio {
+        background-color: #f1c40f;
+        color: #000000;
+      }
 
-        #network.disconnected {
-          background-color: #f53c3c;
-        }
+      #pulseaudio.muted {
+        background-color: #90b1b1;
+        color: #2a5c45;
+      }
 
-        #pulseaudio {
-          background-color: #f1c40f;
-          color: #000000;
-        }
+      #custom-media {
+        background-color: #66cc99;
+        color: #2a5c45;
+        min-width: 100px;
+      }
 
-        #pulseaudio.muted {
-          background-color: #90b1b1;
-          color: #2a5c45;
-        }
+      #custom-media.custom-spotify {
+        background-color: #66cc99;
+      }
 
-        #custom-media {
-          background-color: #66cc99;
-          color: #2a5c45;
-          min-width: 100px;
-        }
+      #custom-media.custom-vlc {
+        background-color: #ffa000;
+      }
 
-        #custom-media.custom-spotify {
-          background-color: #66cc99;
-        }
+      #temperature {
+        background-color: #f0932b;
+      }
 
-        #custom-media.custom-vlc {
-          background-color: #ffa000;
-        }
+      #temperature.critical {
+        background-color: #eb4d4b;
+      }
 
-        #temperature {
-          background-color: #f0932b;
-        }
+      #tray {
+        background-color: #2980b9;
+      }
 
-        #temperature.critical {
-          background-color: #eb4d4b;
-        }
+      #tray > .passive {
+        -gtk-icon-effect: dim;
+      }
 
-        #tray {
-          background-color: #2980b9;
-        }
+      #tray > .needs-attention {
+        -gtk-icon-effect: highlight;
+        background-color: #eb4d4b;
+      }
 
-        #tray > .passive {
-          -gtk-icon-effect: dim;
-        }
+      #idle_inhibitor {
+        background-color: #2d3436;
+      }
 
-        #tray > .needs-attention {
-          -gtk-icon-effect: highlight;
-          background-color: #eb4d4b;
-        }
+      #idle_inhibitor.activated {
+        background-color: #ecf0f1;
+        color: #2d3436;
+      }
 
-        #idle_inhibitor {
-          background-color: #2d3436;
-        }
+      #mpd {
+        background-color: #66cc99;
+        color: #2a5c45;
+      }
 
-        #idle_inhibitor.activated {
-          background-color: #ecf0f1;
-          color: #2d3436;
-        }
+      #mpd.disconnected {
+        background-color: #f53c3c;
+      }
 
-        #mpd {
-          background-color: #66cc99;
-          color: #2a5c45;
-        }
+      #mpd.stopped {
+        background-color: #90b1b1;
+      }
 
-        #mpd.disconnected {
-          background-color: #f53c3c;
-        }
+      #mpd.paused {
+        background-color: #51a37a;
+      }
 
-        #mpd.stopped {
-          background-color: #90b1b1;
-        }
+      #language {
+        background: #00b093;
+        color: #740864;
+        padding: 0 5px;
+        margin: 0 5px;
+        min-width: 16px;
+      }
 
-        #mpd.paused {
-          background-color: #51a37a;
-        }
+      #keyboard-state {
+        background: #97e1ad;
+        color: #000000;
+        padding: 0 0px;
+        margin: 0 5px;
+        min-width: 16px;
+      }
 
-        #language {
-          background: #00b093;
-          color: #740864;
-          padding: 0 5px;
-          margin: 0 5px;
-          min-width: 16px;
-        }
+      #keyboard-state > label {
+        padding: 0 5px;
+      }
 
-        #keyboard-state {
-          background: #97e1ad;
-          color: #000000;
-          padding: 0 0px;
-          margin: 0 5px;
-          min-width: 16px;
-        }
+      #keyboard-state > label.locked {
+        background: rgba(0, 0, 0, 0.2);
+      }
+    '';
+    # style = ''
+    #   * {
+    #     border: none;
+    #     border-radius: 0;
+    #     font-family: Source Code Pro;
+    #   }
+    #   window#waybar {
+    #     background: #16191C;
+    #     color: #AAB2BF;
+    #   }
+    #   #workspaces button {
+    #     padding: 0 5px;
+    #   }
+    #   .custom-spotify {
+    #     padding: 0 10px;
+    #     margin: 0 4px;
+    #     background-color: #1DB954;
+    #     color: black;
+    #   }
+    # '';
 
-        #keyboard-state > label {
-          padding: 0 5px;
-        }
-
-        #keyboard-state > label.locked {
-          background: rgba(0, 0, 0, 0.2);
-        }
-      '';
-      # style = ''
-      #   * {
-      #     border: none;
-      #     border-radius: 0;
-      #     font-family: Source Code Pro;
-      #   }
-      #   window#waybar {
-      #     background: #16191C;
-      #     color: #AAB2BF;
-      #   }
-      #   #workspaces button {
-      #     padding: 0 5px;
-      #   }
-      #   .custom-spotify {
-      #     padding: 0 10px;
-      #     margin: 0 4px;
-      #     background-color: #1DB954;
-      #     color: black;
-      #   }
-      # '';
-    })
-  ];
+    sane.packages.extraUserPkgs = with pkgs; [
+      swaylock
+      swayidle  # (unused)
+      wl-clipboard
+      mako # notification daemon
+      xdg-utils  # for xdg-open
+      # user stuff
+      # pavucontrol
+      sway-contrib.grimshot
+      gnome.gnome-bluetooth
+      gnome.gnome-control-center
+    ];
+  };
 }
 

modules/default.nix

@@ -5,6 +5,7 @@
     ./feeds.nix
     ./fs
     ./ids.nix
+    ./packages.nix
     ./programs.nix
     ./image.nix
     ./persist

modules/packages.nix

@@ -0,0 +1,331 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+with pkgs;
+let
+  cfg = config.sane.packages;
+
+  imagemagick = pkgs.imagemagick.override {
+    ghostscriptSupport = true;
+  };
+
+  consolePkgs = [
+    backblaze-b2
+    cdrtools
+    dmidecode
+    duplicity
+    efivar
+    flashrom
+    fwupd
+    ghostscript  # TODO: imagemagick wrapper should add gs to PATH
+    gnupg
+    gocryptfs
+    gopass
+    gopass-jsonapi
+    ifuse
+    imagemagick
+    ipfs
+    kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
+    libimobiledevice
+    libsecret  # for managing user keyrings
+    lm_sensors  # for sensors-detect
+    lshw
+    ffmpeg
+    memtester
+    networkmanager
+    nixpkgs-review
+    # nixos-generators
+    # nettools
+    nmon
+    oathToolkit  # for oathtool
+    # ponymix
+    pulsemixer
+    python3
+    rsync
+    # python3Packages.eyeD3  # music tagging
+    sane-scripts
+    sequoia
+    snapper
+    sops
+    sox
+    speedtest-cli
+    sqlite  # to debug sqlite3 databases
+    ssh-to-age
+    sudo
+    # tageditor  # music tagging
+    unar
+    visidata
+    w3m
+    wireguard-tools
+    # youtube-dl
+    yt-dlp
+  ];
+
+  guiPkgs = [
+    # GUI only
+    aerc  # email client
+    audacity
+    celluloid  # mpv frontend
+    chromium
+    clinfo
+    { pkg = dino; private = [ ".local/share/dino" ]; }
+    electrum
+
+    # creds/session keys, etc
+    { pkg = element-desktop; private = [ ".config/Element" ]; }
+    # `emote` will show a first-run dialog based on what's in this directory.
+    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
+    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
+    { pkg = emote; dir = [ ".local/share/Emote" ]; }
+    evince  # works on phosh
+
+    # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
+
+    foliate  # e-book reader
+    font-manager
+
+    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
+    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
+    # then reboot (so that libsecret daemon re-loads the keyring...?)
+    # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
+    # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
+
+    gajim  # XMPP client
+    gimp  # broken on phosh
+    gnome.cheese
+    gnome.dconf-editor
+    gnome-feeds  # RSS reader (with claimed mobile support)
+    gnome.file-roller
+    gnome.gnome-disk-utility
+    gnome.gnome-maps  # works on phosh
+    gnome.nautilus
+    # gnome-podcasts
+    gnome.gnome-system-monitor
+    gnome.gnome-terminal  # works on phosh
+    gnome.gnome-weather
+
+    # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
+    #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
+    { pkg = gpodder-configured; dir = [ "gPodder" ]; }
+
+    gthumb
+    inkscape
+
+    kdenlive
+    kid3  # audio tagging
+    krita
+    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
+    lollypop
+
+    { pkg = mpv; dir = [ ".config/mpv/watch_later" ]; }
+
+    networkmanagerapplet
+
+    # not strictly necessary, but allows caching articles; offline use, etc.
+    { pkg = newsflash; dir = [ ".local/share/news-flash" ]; }
+
+    { pkg = nheko; private = [
+      ".config/nheko"  # config file (including client token)
+      ".cache/nheko"  # media cache
+      ".local/share/nheko"  # per-account state database
+    ]; }
+
+    # settings (electron app)
+    { pkg = obsidian; dir = [ ".config/obsidian" ]; }
+
+    pavucontrol
+    # picard  # music tagging
+    playerctl
+
+    libsForQt5.plasmatube  # Youtube player
+
+    soundconverter
+    # sublime music persists any downloaded albums here.
+    # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
+    # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
+    #   possible to pass config as a CLI arg (sublime-music -c config.json)
+    # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
+    { pkg = sublime-music-mobile; dir = [ ".local/share/sublime-music" ]; }
+    { pkg = tdesktop; private = [ ".local/share/TelegramDesktop" ]; }  # broken on phosh
+
+    { pkg = tokodon; private = [ ".cache/KDE/tokodon" ]; }
+
+    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
+    { pkg = vlc; dir = [ ".config/vlc" ]; }
+
+    # pleroma client (Electron). input is broken on phosh.
+    { pkg = whalebird; private = [ ".config/Whalebird" ]; }
+
+    xdg-utils  # for xdg-open
+    xterm  # broken on phosh
+  ]
+  ++ (if pkgs.system == "x86_64-linux" then
+  [
+    # x86_64 only
+
+    # creds, but also 200 MB of node modules, etc
+    (let discord = (pkgs.discord.override {
+      # XXX 2022-07-31: fix to allow links to open in default web-browser:
+      #   https://github.com/NixOS/nixpkgs/issues/78961
+      nss = pkgs.nss_latest;
+    }); in { pkg = discord; private = [ ".config/discord" ]; })
+
+    # kaiteki  # Pleroma client
+    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+    # gpt2tc  # XXX: unreliable mirror
+
+    # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
+    handbrake
+
+    logseq
+    losslesscut-bin
+    makemkv
+
+    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+    { pkg = monero-gui; dir = [ ".bitmonero" ]; }
+
+    # creds, media
+    { pkg = signal-desktop; private = [ ".config/Signal" ]; }
+
+    # creds, widevine .so download. TODO: could easily manage these statically.
+    { pkg = spotify; dir = [ ".config/spotify" ]; }
+
+    # hardenedMalloc solves a crash at startup
+    (tor-browser-bundle-bin.override { useHardenedMalloc = false; })
+
+    # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
+    { pkg = zecwallet-lite; private = [ ".zcash" ]; }
+  ] else []);
+
+  # general-purpose utilities that we want any user to be able to access
+  #   (specifically: root, in case of rescue)
+  systemPkgs = [
+    btrfs-progs
+    cacert.unbundled  # some services require unbundled /etc/ssl/certs
+    cryptsetup
+    dig
+    efibootmgr
+    fatresize
+    fd
+    file
+    gawk
+    git
+    gptfdisk
+    hdparm
+    htop
+    iftop
+    inetutils  # for telnet
+    iotop
+    iptables
+    jq
+    killall
+    lsof
+    nano
+    netcat
+    nethogs
+    nmap
+    openssl
+    parted
+    pciutils
+    powertop
+    pstree
+    ripgrep
+    screen
+    smartmontools
+    socat
+    strace
+    tcpdump
+    tree
+    usbutils
+    wget
+  ];
+
+  # useful devtools:
+  devPkgs = [
+    bison
+    dtc
+    flex
+    gcc
+    gdb
+    # gcc-arm-embedded
+    # gcc_multi
+    gnumake
+    mercurial
+    mix2nix
+    rustup
+    swig
+  ];
+
+  pkgSpec = types.submodule {
+    options = {
+      pkg = mkOption {
+        type = types.package;
+      };
+      dir = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "list of home-relative paths to persist for this package";
+      };
+      private = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "list of home-relative paths to persist (in encrypted format) for this package";
+      };
+    };
+  };
+
+  toPkgSpec = types.coercedTo types.package (p: { pkg = p; }) pkgSpec;
+in
+{
+  options = {
+    # packages to deploy to the user's home
+    sane.packages.extraUserPkgs = mkOption {
+      default = [ ];
+      type = types.listOf toPkgSpec;
+    };
+    sane.packages.extraGuiPkgs = mkOption {
+      default = [ ];
+      type = types.listOf toPkgSpec;
+      description = "packages to only ship if gui's enabled";
+    };
+    sane.packages.enableConsolePkgs = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableGuiPkgs = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableDevPkgs = mkOption {
+      description = ''
+        enable packages that are useful for building other software by hand.
+        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
+      '';
+      default = false;
+      type = types.bool;
+    };
+    sane.packages.enableSystemPkgs = mkOption {
+      default = false;
+      type = types.bool;
+      description = "enable system-wide packages";
+    };
+
+    sane.packages.enabledUserPkgs = mkOption {
+      default = cfg.extraUserPkgs
+        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
+        ++ (if cfg.enableGuiPkgs then guiPkgs ++ cfg.extraGuiPkgs else [])
+        ++ (if cfg.enableDevPkgs then devPkgs else [])
+      ;
+      type = types.listOf toPkgSpec;
+      description = "generated from other config options";
+    };
+  };
+
+  config = {
+    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
+    sane.user.persist.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
+    sane.user.persist.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
+    # XXX: this might not be necessary. try removing this and cacert.unbundled?
+    environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
+  };
+}

modules/programs.nix

@@ -1,39 +1,13 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
   inherit (builtins) any elem map;
-  inherit (lib)
-    filterAttrs
-    hasAttrByPath
-    getAttrFromPath
-    mapAttrs
-    mapAttrsToList
-    mkDefault
-    mkIf
-    mkMerge
-    mkOption
-    optional
-    optionalAttrs
-    splitString
-    types
-  ;
+  inherit (lib) filterAttrs mapAttrs mapAttrsToList mkDefault mkIf mkMerge mkOption optionalAttrs types;
   inherit (sane-lib) joinAttrsets;
   cfg = config.sane.programs;
   pkgSpec = types.submodule ({ name, ... }: {
     options = {
       package = mkOption {
-        type = types.nullOr types.package;
-        description = ''
-          package, or `null` if the program is some sort of meta set (in which case it much EXPLICITLY be set null).
-        '';
-        default =
-          let
-            pkgPath = splitString "." name;
-          in
-            # package can be inferred by the attr name, allowing shorthand like
-            #   `sane.programs.nano.enable = true;`
-            # this indexing will throw if the package doesn't exist and the user forgets to specify
-            # a valid source explicitly.
-            getAttrFromPath pkgPath pkgs;
+        type = types.package;
       };
       enableFor.system = mkOption {
         type = types.bool;
@@ -50,6 +24,11 @@ let
       };
       enableFor.user = mkOption {
         type = types.attrsOf types.bool;
+        # default = mkMerge (mapAttrsToList (_otherName: otherPkg:
+        #   optionalAttrs
+        #     (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
+        #     otherPkg.enableFor.user
+        # ) cfg);
         default = joinAttrsets (mapAttrsToList (otherName: otherPkg:
            optionalAttrs
              (otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
@@ -83,22 +62,30 @@ let
       };
     };
 
+    config = {
+      # package can be inferred by the attr name, allowing shorthand like
+      # sane.packages.nano.enable = true;
+      package = mkIf (pkgs ? "${name}") (mkDefault pkgs."${name}");
+
+      # enableFor = mkIf (name == "btrfs-progs") (mkDefault cfg.cryptsetup.enableFor);
+
+      # enable this package if it's in the `suggestedPrograms` of any other enabled program
+      # enableFor = mkMerge (mapAttrsToList (_otherName: otherPkg:
+      #   optionalAttrs
+      #     (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
+      #     (mkDefault otherPkg.enableFor)
+      # ) cfg);
+    };
+
   });
   toPkgSpec = types.coercedTo types.package (p: { package = p; }) pkgSpec;
 
-  configs = mapAttrsToList (name: p: {
-    assertions = map (sug: {
-      assertion = cfg ? "${sug}";
-      message = ''program "${sug}" referenced by "${name}", but not defined'';
-    }) p.suggestedPrograms;
-
+  configs = mapAttrsToList (_name: p: {
     # conditionally add to system PATH
-    environment.systemPackages = optional
-      (p.package != null && p.enableFor.system)
-      p.package;
+    environment.systemPackages = mkIf p.enableFor.system [ p.package ];
     # conditionally add to user(s) PATH
-    users.users = mapAttrs (user: en: {
-      packages = optional (p.package != null && en) p.package;
+    users.users = mapAttrs (user: en: optionalAttrs en {
+      packages = [ p.package ];
     }) p.enableFor.user;
     # conditionally persist relevant user dirs
     sane.users = mapAttrs (user: en: optionalAttrs en {
@@ -118,7 +105,6 @@ in
   config =
     let
       take = f: {
-        assertions = f.assertions;
         environment.systemPackages = f.environment.systemPackages;
         users.users = f.users.users;
         sane.users = f.sane.users;
@@ -126,8 +112,20 @@ in
     in mkMerge [
       (take (sane-lib.mkTypedMerge take configs))
       {
-        # expose the pkgs -- as available to the system -- as a build target.
-        system.build.pkgs = pkgs;
+        # sane.programs.cryptsetup.enableFor = mkDefault cfg.btrfs-progs.enableFor;
+        # sane.programs.cryptsetup.enableFor = mkMerge (mapAttrsToList (otherName: otherPkg:
+        #   optionalAttrs
+        #   (otherName != "cryptsetup")
+        #   (mkDefault otherPkg.enableFor)
+        # ) cfg);
+
+        # sane.programs = mapAttrs (myName: _me: optionalAttrs (myName == "btrfs-progs") {
+        #   enableFor = mkMerge (mapAttrsToList (otherName: otherPkg:
+        #     optionalAttrs
+        #     (otherName != "cryptsetup")
+        #     (mkDefault otherPkg.enableFor)
+        #   ) cfg);
+        # }) cfg;
       }
     ];
 }

nixpatches/2023-01-30-mesa-cma-leak.patch

@@ -1,22 +0,0 @@
-diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
-index 56fa74e5c0c..3573bb0af49 100644
---- a/pkgs/development/libraries/mesa/default.nix
-+++ b/pkgs/development/libraries/mesa/default.nix
-@@ -88,7 +88,7 @@
- let
-   # Release calendar: https://www.mesa3d.org/release-calendar.html
-   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
--  version = "22.3.4";
-+  version = "22.3.2";
-   branch  = lib.versions.major version;
- 
-   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
-@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
-       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
-       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
-     ];
--    sha256 = "37a1ddaf03f41919ee3c89c97cff41e87de96e00e9d3247959cc8279d8294593";
-+    sha256 = "c15df758a8795f53e57f2a228eb4593c22b16dffd9b38f83901f76cd9533140b";
-   };
- 
-   # TODO:

nixpatches/flake.lock

@@ -2,15 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1675123384,
-        "narHash": "sha256-RpU+kboEWlIYwbRMGIPBIcztH63CvmqWN1B8GpJogd4=",
+        "lastModified": 1673163619,
+        "narHash": "sha256-B33PFBL64ZgTWgMnhFL3jgheAN/DjHPsZ1Ih3z0VE5I=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e0fa1ece2f3929726c9b98c539ad14b63ae8e4fd",
+        "rev": "8c54d842d9544361aac5f5b212ba04e4089e8efe",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
+        "ref": "nixos-22.11",
         "type": "indirect"
       }
     },

nixpatches/list.nix

@@ -13,12 +13,19 @@
     hash = "sha256-IvsIcd2wPdz4b/7FMrDrcVlIZjFecCQ9uiL0Umprbx0=";
   })
 
+  # fix libreoffice build by: Revert "mdds: 2.0.3 -> 2.1.0"
+  # merged 2023/01/25
+  (fetchpatch {
+    url = "https://github.com/NixOS/nixpkgs/pull/212583.diff";
+    hash = "sha256-nkXgwQUtxYkJT2OzG6Jc72snizW5wHvR1nmh2KDnaPc=";
+  })
+
   # fix handbrake build by: handbrake: 1.5.1 -> 1.6.1
   # PR opened 2023/01/23
   (fetchpatch {
     # see alternate fix: <https://github.com/NixOS/nixpkgs/pull/211834>
     url = "https://github.com/NixOS/nixpkgs/pull/212306.diff";
-    hash = "sha256-PnPzvJymafa+zjkauQW0LzFsJC7S+7D9JRszTE3in+w=";
+    hash = "sha256-iQX2NaZaCzZVRlCM0pgXt0gecNwhXGeh3kXEiY38ZIM=";
   })
 
   ./2022-12-19-i2p-aarch64.patch
@@ -27,11 +34,6 @@
   # allows to actually run signald
   ./2023-01-25-signald-update.patch
 
-  # fix for CMA memory leak in mesa: <https://gitlab.freedesktop.org/mesa/mesa/-/issues/8198>
-  # only necessary on aarch64.
-  # it's a revert of nixpkgs commit dcf630c172df2a9ecaa47c77f868211e61ae8e52
-  ./2023-01-30-mesa-cma-leak.patch
-
   # # kaiteki: init at 2022-09-03
   # vendorHash changes too frequently (might not be reproducible).
   # using local package defn until stabilized

overlays/pins.nix

@@ -9,15 +9,4 @@
   # so just forward the unstable packages.
   inherit (next.stable or prev)
   ;
-
-  # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
-  gjs = prev.gjs.overrideAttrs (_upstream: {
-    doCheck = false;
-  });
-  libadwaita = prev.libadwaita.overrideAttrs (_upstream: {
-    doCheck = false;
-  });
-  libsecret = prev.libsecret.overrideAttrs (_upstream: {
-    doCheck = false;
-  });
 })