flake/nixpkgs: 2023-05-22 -> 2023-05-24

```
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/7084250df3d7f9735087d3234407f3c1fc2400e3' (2023-05-22)
  → 'github:nixos/nixpkgs/f91ee3065de91a3531329a674a45ddcb3467a650' (2023-05-24)
```

TODO.md

@@ -1,5 +1,6 @@
-## BUGS:
-- fix nur evaluation
+## BUGS
+- why i need to manually restart `wireguard-wg-ovpns` on servo periodically
+	- else DNS fails
 
 ## REFACTORING:
 ### sops/secrets
@@ -12,7 +13,7 @@
     - will make it easier to test new services?
 
 ### upstreaming
-- upstream lemmy nginx integration
+- bump nodejs version in lemmy-ui
 - add updateScripts to all my packages in nixpkgs
 - fix lightdm-mobile-greeter for newer libhandy
 - port zecwallet-lite to a from-source build
@@ -45,6 +46,11 @@
 - auto-mount servo
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - `sane.programs`: auto-populate defaults with everything from `pkgs`
+- zsh: disable "command not found" corrections
+- sxmo: allow rotation to the upside-down position
+    - see: <repo:mil/sxmo-utils:scripts/core/sxmo_autorotate.sh>
+    - all orientations *except* upside down are supported
+- sxmo: launch with auto-rotation enabled
 
 ### perf
 - why does nixos-rebuild switch take 5 minutes when net is flakey?

flake.lock

@@ -36,11 +36,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1678202930,
-        "narHash": "sha256-SF82/tTnagdazlETJLzXD9kjZ6lyk38agdLbmMx1UZE=",
+        "lastModified": 1684319086,
+        "narHash": "sha256-5wwlkWqP1cQUPXp/PJsi09FkgAule5yBghngRZZbUQg=",
         "owner": "edolstra",
         "repo": "nix-serve",
-        "rev": "3b6d30016d910a43e0e16f94170440a3e0b8fa8d",
+        "rev": "e6e3d09438e803daa5374ad8edf1271289348456",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1684025543,
-        "narHash": "sha256-hGe7S+i5je+8E/b2mOXVI9nmr038Dw+bV8e1P8xHSe0=",
+        "lastModified": 1684632198,
+        "narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c6d2f3dc0d3efd4285eebe4f8a36a47ba438138e",
+        "rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247",
         "type": "github"
       },
       "original": {
@@ -82,11 +82,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1684049129,
-        "narHash": "sha256-7WB9LpnPNAS8oI7hMoHeKLNhRX7k3CI9uWBRSfmOCCE=",
+        "lastModified": 1684935479,
+        "narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0470f36b02ef01d4f43c641bbf07020bcab71bf1",
+        "rev": "f91ee3065de91a3531329a674a45ddcb3467a650",
         "type": "github"
       },
       "original": {
@@ -113,11 +113,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1684032930,
-        "narHash": "sha256-ueeSYDii2e5bkKrsSdP12JhkW9sqgYrUghLC8aDfYGQ=",
+        "lastModified": 1684637723,
+        "narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "a376127bb5277cd2c337a9458744f370aaf2e08d",
+        "rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9",
         "type": "github"
       },
       "original": {
@@ -134,11 +134,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682850047,
-        "narHash": "sha256-PY042BW4nF+rIM4qTSI+74FoIpvcJJ3kSYwmcEWtO/k=",
+        "lastModified": 1684528780,
+        "narHash": "sha256-QdYxjcTCCLPv++1v9tJBL98nn/AFx0fmzlgzcLK6KRE=",
         "ref": "refs/heads/master",
-        "rev": "257c45a8b7c5f7edc309362097193900c072040a",
-        "revCount": 192,
+        "rev": "f3747a1dad3d34880613821faf26357ba432d3d7",
+        "revCount": 194,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -102,11 +102,8 @@
           self.nixosModules.passthru
           {
             nixpkgs.overlays = [
-              self.overlays.disable-flakey-tests
               self.overlays.passthru
-              self.overlays.pins
-              self.overlays.pkgs
-              # self.overlays.optimizations
+              self.overlays.sane-all
             ];
           }
           ({ lib, ... }: {
@@ -170,11 +167,13 @@
 
       # unofficial output
       host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
+      host-programs = mapAttrValues (host: mapAttrValues (p: p.package) host.config.sane.programs) self.nixosConfigurations;
 
       overlays = {
         # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
         #   hence the weird redundancy.
         default = final: prev: self.overlays.pkgs final prev;
+        sane-all = final: prev: import ./overlays/all.nix final prev;
         disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
         pkgs = final: prev: import ./overlays/pkgs.nix final prev;
         pins = final: prev: import ./overlays/pins.nix final prev;
@@ -300,6 +299,12 @@
           path = ./templates/pkgs/rust;
           description = "rust package fit to ship in nixpkgs";
         };
+        pkgs.make = {
+          # initialize with:
+          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.make'`
+          path = ./templates/pkgs/make;
+          description = "default Makefile-based derivation";
+        };
       };
     };
 }

hosts/by-name/desko/default.nix

@@ -36,11 +36,9 @@
   services.snapper.configs.nix = {
     # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
     # but that also requires setting up the persist dir as a subvol
-    subvolume = "/nix";
+    SUBVOLUME = "/nix";
     # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
-    extraConfig = ''
-      ALLOW_USERS = "colin";
-    '';
+    ALLOW_USERS = [ "colin" ];
   };
 
   programs.steam = {

hosts/by-name/lappy/default.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./fs.nix
+    ./polyfill.nix
   ];
 
   sane.roles.client = true;
@@ -28,7 +29,8 @@
   services.snapper.configs.nix = {
     # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
     # but that also requires setting up the persist dir as a subvol
-    subvolume = "/nix";
+    SUBVOLUME = "/nix";
+    ALLOW_USERS = [ "colin" ];
   };
 
   # TODO: only here for debugging

hosts/by-name/lappy/polyfill.nix

@@ -0,0 +1,32 @@
+# doesn't actually *enable* anything,
+# but sets up any modules such that if they *were* enabled, they'll act as expected.
+{ ... }:
+{
+  sane.gui.sxmo = {
+    greeter = "sway";
+    settings = {
+      # XXX: make sure the user is part of the `input` group!
+      SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-id/usb-Wacom_Co._Ltd._Pen_and_multitouch_sensor-event-if00";
+      # these identifiers are from `swaymsg -t get_inputs`
+      SXMO_VOLUME_BUTTON = "1:1:AT_Translated_Set_2_keyboard";
+      # SXMO_VOLUME_BUTTON = "none";
+      SXMO_POWER_BUTTON = "0:1:Power_Button";
+      # SXMO_POWER_BUTTON = "none";
+      SXMO_DISABLE_LEDS = "1";
+      SXMO_UNLOCK_IDLE_TIME = "120";  # default
+      # sxmo tries to determine device type from /proc/device-tree/compatible,
+      # but that doesn't seem to exist on NixOS?  (or maybe it just doesn't exist
+      # on non-aarch64 builds).
+      # the device type informs (at least):
+      # - SXMO_WIFI_MODULE
+      # - SXMO_RTW_SCAN_INTERVAL
+      # - SXMO_SYS_FILES
+      # - SXMO_TOUCHSCREEN_ID
+      # - SXMO_MONITOR
+      # - SXMO_ALSA_CONTROL_NAME
+      # - SXMO_SWAY_SCALE
+      # see <repo:mil/sxmo-utils:scripts/deviceprofiles>
+      # SXMO_DEVICE_NAME = "pine64,pinephone-1.2";
+    };
+  };
+}

hosts/by-name/moby/default.nix

@@ -4,6 +4,7 @@
     ./firmware.nix
     ./fs.nix
     ./kernel.nix
+    ./polyfill.nix
   ];
 
   sane.roles.client = true;

hosts/by-name/moby/polyfill.nix

@@ -0,0 +1,23 @@
+{ sane-lib, ... }:
+{
+  sane.gui.sxmo = {
+    settings = {
+      # touch screen
+      SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-path/platform-1c2ac00.i2c-event";
+      # vol and power are detected correctly by upstream
+    };
+  };
+  # TODO: only populate this if sxmo is enabled?
+  sane.user.fs.".config/sxmo/profile" = sane-lib.fs.wantedText ''
+    # sourced by sxmo_init.sh
+    . sxmo_common.sh
+
+    export SXMO_SWAY_SCALE=1.5
+    export SXMO_ROTATION_GRAVITY=12800
+
+    export DEFAULT_COUNTRY=US
+    export BROWSER=librewolf
+
+    export SXMO_BG_IMG="$(xdg_data_path sxmo/background.jpg)"
+  '';
+}

hosts/by-name/servo/default.nix

@@ -20,6 +20,7 @@
   sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;
+  sane.services.wg-home.enableWan = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 

hosts/by-name/servo/net.nix

@@ -3,6 +3,8 @@
 {
   networking.domain = "uninsane.org";
 
+  sane.services.wan-ports.openFirewall = true;
+
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
@@ -11,9 +13,6 @@
   # XXX colin: probably don't need this. wlan0 won't be populated unless i touch a value in networking.interfaces.wlan0
   networking.wireless.enable = false;
 
-  # networking.firewall.enable = false;
-  networking.firewall.enable = true;
-
   # this is needed to forward packets from the VPN to the host
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 

hosts/by-name/servo/services/ejabberd.nix

@@ -22,7 +22,7 @@
   sane.persist.sys.plaintext = [
     { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
   ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
     3478  # STUN/TURN
     5222  # XMPP  client -> server
     5223  # XMPPS client -> server (XMPP over TLS)
@@ -33,9 +33,10 @@
     5349  # STUN/TURN (TLS)
     5443  # web services (file uploads, websockets, admin)
   ];
-  networking.firewall.allowedUDPPorts = [
+  sane.services.wan-ports.udp = [
     3478  # STUN/TURN
   ];
+  # TODO: forward these TURN ports!
   networking.firewall.allowedTCPPortRanges = [{
     from = 49152;  # TURN
     to = 49408;

hosts/by-name/servo/services/email/dovecot.nix

@@ -6,7 +6,7 @@
 
 { config, lib, pkgs, ... }:
 {
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
     # exposed over non-vpn imap.uninsane.org
     143  # IMAP
     993  # IMAPS

hosts/by-name/servo/services/email/postfix.nix

@@ -28,7 +28,7 @@ in
     # "/var/lib/dovecot"
   ];
 
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
     # exposed over vpn mx.uninsane.org
     25   # SMTP
     465  # SMTPS

hosts/by-name/servo/services/jellyfin.nix

@@ -18,6 +18,7 @@
 {
   # identical to:
   # services.jellyfin.openFirewall = true;
+  # N.B.: these are all for the LAN, so we don't go through `sane.services.wan-ports`.
   networking.firewall.allowedUDPPorts = [
     # https://jellyfin.org/docs/general/networking/index.html
     1900  # UPnP service discovery

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -1,4 +1,9 @@
 { lib, ... }:
+
+# XXX mx-discord-puppet uses nodejs_14 which is EOL
+# - mx-discord-puppet is abandoned upstream _and_ in nixpkgs
+# - recommended to use mautrix-discord: <https://github.com/NixOS/nixpkgs/pull/200462>
+lib.mkIf false
 {
   sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }

hosts/by-name/servo/services/matrix/irc.nix

@@ -132,6 +132,12 @@ in
           # notable channels:
           # - #merveilles
         };
+        "irc.libera.chat" = ircServer {
+          name = "libera";
+          sasl = false;
+          # notable channels:
+          # - #hare
+        };
         "irc.myanonamouse.net" = ircServer {
           name = "MyAnonamouse";
           additionalAddresses = [ "irc2.myanonamouse.net" ];

hosts/by-name/servo/services/nginx.nix

@@ -13,7 +13,7 @@ let
 in
 {
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  sane.services.wan-ports.tcp = [ 80 443 ];
 
   services.nginx.enable = true;
   services.nginx.appendConfig = ''

hosts/by-name/servo/services/prosody.nix

@@ -12,7 +12,7 @@ lib.mkIf false
   sane.persist.sys.plaintext = [
     { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
   ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
     5222  # XMPP client -> server
     5269  # XMPP server -> server
     5280  # bosh

hosts/common/default.nix

@@ -1,7 +1,6 @@
 { lib, pkgs, ... }:
 {
   imports = [
-    ./cross
     ./feeds.nix
     ./fs.nix
     ./hardware.nix
@@ -27,6 +26,7 @@
   sane.fs."/var/lib/private".dir.acl.mode = "0700";
 
   nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.allowBroken = true;  # NIXPKGS_ALLOW_BROKEN
 
   # time.timeZone = "America/Los_Angeles";
   time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone

hosts/common/hardware.nix

@@ -28,6 +28,11 @@
   # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
   powerManagement.powertop.enable = false;
 
+  services.logind.extraConfig = ''
+    # don’t shutdown when power button is short-pressed
+    HandlePowerKey=ignore
+  '';
+
   # services.snapper.configs = {
   #   root = {
   #     subvolume = "/";

hosts/common/net.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, ... }:
 
 {
   # the default backend is "wpa_supplicant".
@@ -20,4 +20,8 @@
     General.RoamThreshold = "-52";  # default -70
     General.RoamThreshold5G = "-52";  # default -76
   };
+
+  networking.firewall.allowedUDPPorts = [
+    1900  # to received UPnP advertisements. required by sane-ip-check-upnp
+  ];
 }

hosts/common/programs/default.nix

@@ -42,6 +42,7 @@ let
       jq
       killall
       lsof
+      miniupnpc
       nano
       netcat
       nethogs
@@ -61,6 +62,7 @@ let
       tree
       usbutils
       wget
+      wirelesstools  # iwlist
     ;
   };
   sysadminExtraPkgs = {
@@ -110,7 +112,7 @@ let
       lm_sensors  # for sensors-detect
       lshw
       ffmpeg
-      memtester
+      # memtester
       neovim
       # nettools
       # networkmanager

hosts/common/programs/web-browser.nix

@@ -50,16 +50,32 @@ let
     inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
     inherit (cfg.browser) libName;
 
-    extraNativeMessagingHosts = [ pkgs.browserpass ];
+    extraNativeMessagingHosts = optional cfg.addons.browserpass-extension.enable pkgs.browserpass;
     # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
 
     nixExtensions = concatMap (ext: optional ext.enable ext.package) (attrValues cfg.addons);
 
     extraPolicies = {
+      FirefoxHome = {
+        Search = true;
+        Pocket = false;
+        Snippets = false;
+        TopSites = false;
+        Highlights = false;
+      };
       NoDefaultBookmarks = true;
+      OfferToSaveLogins = false;
+      OfferToSaveLoginsDefault = false;
+      PasswordManagerEnabled = false;
       SearchEngines = {
         Default = "DuckDuckGo";
       };
+      UserMessaging = {
+        ExtensionRecommendations = false;
+        SkipOnboarding = true;
+      };
+
+      # these were taken from Librewolf
       AppUpdateURL = "https://localhost";
       DisableAppUpdate = true;
       OverrideFirstRunPage = "";
@@ -88,6 +104,7 @@ let
       # };
       # NewTabPage = true;
     };
+    # extraPrefs = ...
   };
 
   addonOpts = types.submodule {
@@ -119,30 +136,7 @@ let
       };
       addons = mkOption {
         type = types.attrsOf addonOpts;
-        default = {
-          # get names from:
-          # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
-          # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
-          # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
-          browserpass-extension.package = localAddon pkgs.browserpass-extension;
-          # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
-          # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
-          ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
-          i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
-          sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
-          sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
-          ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
-          ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
-
-          browserpass-extension.enable = lib.mkDefault true;
-          # bypass-paywalls-clean.enable = lib.mkDefault true;
-          ether-metamask.enable = lib.mkDefault true;
-          i2p-in-private-browsing.enable = lib.mkDefault config.services.i2p.enable;
-          sidebery.enable = lib.mkDefault true;
-          sponsorblock.enable = lib.mkDefault true;
-          ublacklist.enable = lib.mkDefault true;
-          ublock-origin.enable = lib.mkDefault true;
-        };
+        default = {};
       };
     };
   };
@@ -154,6 +148,45 @@ in
         type = types.submodule configOpts;
         default = {};
       };
+      sane.programs.web-browser.config.addons = {
+        # get names from:
+        # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
+        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
+        browserpass-extension = {
+          # package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
+          package = localAddon pkgs.browserpass-extension;
+          enable = lib.mkDefault true;
+        };
+
+        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
+        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
+        # bypass-paywalls-clean.enable = lib.mkDefault true;
+
+        ether-metamask = {
+          package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
+          enable = lib.mkDefault true;
+        };
+        i2p-in-private-browsing = {
+          package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
+          enable = lib.mkDefault config.services.i2p.enable;
+        };
+        sidebery = {
+          package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
+          enable = lib.mkDefault true;
+        };
+        sponsorblock = {
+          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
+          enable = lib.mkDefault true;
+        };
+        ublacklist = {
+          package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
+          enable = lib.mkDefault true;
+        };
+        ublock-origin = {
+          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
+          enable = lib.mkDefault true;
+        };
+      };
     })
     ({
       sane.programs.web-browser = {

hosts/common/users.nix

@@ -35,6 +35,7 @@ in
       extraGroups = [
         "dialout"  # required for modem access (moby)
         "feedbackd"
+        "input"  # for /dev/input/<xyz>: sxmo
         "networkmanager"
         "nixbuild"
         "video"  # phosh/mobile. XXX colin: unsure if necessary

hosts/instantiate.nix

@@ -15,5 +15,4 @@
 
   networking.hostName = hostName;
   nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
-  sane.cross.enablePatches = localSystem != null;
 }

hosts/modules/gui/default.nix

@@ -11,5 +11,6 @@ in
     ./plasma.nix
     ./plasma-mobile.nix
     ./sway
+    ./sxmo.nix
   ];
 }

hosts/modules/gui/sxmo.nix

@@ -0,0 +1,280 @@
+# this work derives from noneucat's sxmo service/packages, found via NUR
+# - <repo:nix-community/nur-combined:repos/noneucat/modules/pinephone/sxmo.nix>
+# other nix works:
+# - <https://github.com/wentam/sxmo-nix>
+#   - implements sxmo atop tinydm (also packaged by wentam)
+#   - wentam cleans up sxmo-utils to be sealed. also patches to use systemd poweroff, etc
+#   - packages a handful of anjan and proycon utilities
+#   - packages <https://gitlab.com/kop316/mmsd/>
+#   - packages <https://gitlab.com/kop316/vvmd/>
+# - <https://github.com/chuangzhu/nixpkgs-sxmo>
+#   - implements sxmo as a direct systemd service -- apparently no DM
+#   - packages sxmo-utils
+#     - injects PATH into each script
+# - perhaps sxmo-utils is best packaged via the `resholve` shell solver?
+#
+# sxmo documentation:
+# - <repo:anjan/sxmo-docs-next>
+#
+# sxmo technical overview:
+# - inputs
+#   - dwm: handles vol/power buttons; hardcoded in config.h
+#   - lisgd: handles gestures
+# - startup
+#   - daemon based (lisgsd, idle_locker, statusbar_periodics)
+#   - auto-started at login
+#   - managable by `sxmo_daemons.sh`
+#     - list available daemons: `sxmo_daemons.sh list`
+#     - query if a daemon is active: `sxmo_daemons.sh running <my-daemon>`
+#     - start daemon: `sxmo_daemons.sh start <my-daemon>`
+#   - managable by `superctl`
+#     - `superctl status`
+# - user hooks:
+#   - live in ~/.config/sxmo/hooks/
+# - logs:
+#   - live in ~/.local/state/sxmo.log
+#   - ~/.local/state/superd.log
+#   - ~/.local/state/superd/logs/<daemon>.log
+#   - `journalctl --user --boot`  (lightm redirects the sxmo session stdout => systemd)
+#
+# - default components:
+#   - DE:                  sway (if wayland), dwm (if X)
+#   - menus:               bemenu (if wayland), dmenu (if X)
+#   - gestures:            lisgd
+#   - on-screen keyboard:  wvkbd (if wayland), svkbd (if X)
+#
+{ lib, config, pkgs, sane-lib, ... }:
+
+let
+  cfg = config.sane.gui.sxmo;
+in
+{
+  options = with lib; {
+    sane.gui.sxmo.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.gui.sxmo.greeter = mkOption {
+      type = types.enum [ "lightdm-mobile" "sway" ];
+      default = "lightdm-mobile";
+      description = ''
+        which greeter to use.
+        "lightdm-mobile" => keypad style greeter. can only enter digits 0-9 as password.
+        "sway" => layered sway greeter. behaves as if you booted to swaylock.
+      '';
+    };
+    sane.gui.sxmo.hooks = mkOption {
+      type = types.package;
+      default = pkgs.runCommand "sxmo-hooks" { } ''
+        mkdir -p $out
+        ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks $out/bin
+      '';
+      description = ''
+        hooks to make visible to sxmo.
+        a hook is a script generally of the name sxmo_hook_<thing>.sh
+        which is called by sxmo at key moments to proide user programmability.
+      '';
+    };
+    sane.gui.sxmo.deviceHooks = mkOption {
+      type = types.package;
+      default = pkgs.runCommand "sxmo-device-hooks" { } ''
+        mkdir -p $out
+        ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks/unknown $out/bin
+      '';
+      description = ''
+        device-specific hooks to make visible to sxmo.
+        this package supplies things like `sxmo_hook_inputhandler.sh`.
+        a hook is a script generally of the name sxmo_hook_<thing>.sh
+        which is called by sxmo at key moments to proide user programmability.
+      '';
+    };
+    sane.gui.sxmo.terminal = mkOption {
+      # type = types.nullOr (types.enum [ "foot" "st" "vte" ]);
+      type = types.nullOr types.string;
+      default = "foot";
+      description = ''
+        name of terminal to use for sxmo_terminal.sh.
+        foot, st, and vte have special integrations in sxmo, but any will work.
+      '';
+    };
+    sane.gui.sxmo.keyboard = mkOption {
+      # type = types.nullOr (types.enum ["wvkbd"])
+      type = types.nullOr types.string;
+      default = "wvkbd";
+      description = ''
+        name of on-screen-keyboard to use for sxmo_keyboard.sh.
+        this sets the KEYBOARD environment variable.
+        see also: KEYBOARD_ARGS.
+      '';
+    };
+    sane.gui.sxmo.settings = mkOption {
+      type = types.attrsOf types.string;
+      default = {};
+      description = ''
+        environment variables used to configure sxmo.
+        e.g. SXMO_UNLOCK_IDLE_TIME or SXMO_VOLUME_BUTTON.
+      '';
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      sane.programs.sxmoApps = {
+        package = null;
+        suggestedPrograms = [
+          "guiApps"
+        ];
+      };
+    }
+
+    (lib.mkIf cfg.enable {
+      sane.programs.sxmoApps.enableFor.user.colin = true;
+
+      # some programs (e.g. fractal/nheko) **require** a "Secret Service Provider"
+      services.gnome.gnome-keyring.enable = true;
+
+      # TODO: probably need to enable pipewire
+
+      networking.useDHCP = false;
+      networking.networkmanager.enable = true;
+      networking.wireless.enable = lib.mkForce false;
+
+      hardware.bluetooth.enable = true;
+      services.blueman.enable = true;
+
+      # sxmo internally uses doas instead of sudo
+      security.doas.enable = true;
+      security.doas.wheelNeedsPassword = false;
+
+      # TODO: not all of these fonts seem to be mapped to the correct icon
+      fonts.fonts = [ pkgs.nerdfonts ];
+
+      # i believe sxmo recomments a different audio stack
+      # administer with pw-cli, pw-mon, pw-top commands
+      services.pipewire = {
+        enable = true;
+        alsa.enable = true;
+        alsa.support32Bit = true;  # ??
+        pulse.enable = true;
+      };
+      systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
+
+      # TODO: could use `displayManager.sessionPackages`?
+      environment.systemPackages = with pkgs; [
+        bc
+        bemenu
+        bonsai
+        conky
+        gojq
+        inotify-tools
+        jq
+        libnotify
+        lisgd
+        mako
+        superd
+        sway
+        swayidle
+        sxmo-utils
+        wob
+        wvkbd
+        xdg-user-dirs
+
+        # X11 only?
+        xdotool
+
+        cfg.deviceHooks
+        cfg.hooks
+      ] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
+        ++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
+
+      environment.sessionVariables = {
+        XDG_DATA_DIRS = [
+          # TODO: only need the share/sxmo directly linked
+          "${pkgs.sxmo-utils}/share"
+        ];
+      } // lib.optionalAttrs (cfg.terminal != null) {
+        TERMCMD = lib.mkDefault (if cfg.terminal == "vte" then "vte-2.91" else cfg.terminal);
+      } // lib.optionalAttrs (cfg.keyboard != null) {
+        KEYBOARD = lib.mkDefault (if cfg.keyboard == "wvkbd" then "wvkbd-mobintl" else cfg.keyboard);
+      } // cfg.settings;
+
+      sane.user.fs.".cache/sxmo/sxmo.noidle" = sane-lib.fs.wantedText "";
+
+
+      ## greeter
+
+      services.xserver = lib.mkIf (cfg.greeter == "lightdm-mobile") {
+        enable = true;
+
+        displayManager.lightdm.enable = true;
+        displayManager.lightdm.greeters.mobile.enable = true;
+        displayManager.lightdm.extraSeatDefaults = ''
+          user-session = swmo
+        '';
+
+        displayManager.sessionPackages = with pkgs; [
+          sxmo-utils  # this gets share/wayland-sessions/swmo.desktop linked
+        ];
+
+        # taken from gui/phosh:
+        # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
+        # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
+        # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
+        # this requires the user we want to login as to be cached.
+        displayManager.job.preStart = ''
+          ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
+        '';
+      };
+
+      services.greetd = lib.mkIf (cfg.greeter == "sway") {
+        enable = true;
+        # borrowed from gui/sway
+        settings.default_session.command =
+        let
+          # start sway and have it construct the gtkgreeter
+          sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
+            ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /var/log/sway/sway-as-greeter.log 2>&1
+          '';
+          # (config file for the above)
+          sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
+            exec "${gtkgreet-launcher}"
+          '';
+          # gtkgreet which launches a layered sway instance
+          gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
+            # NB: the "command" field here is run in the user's shell.
+            # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
+            ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sxmo_winit.sh
+          '';
+        in "${sway-as-greeter}/bin/sway-as-greeter";
+      };
+
+      sane.fs."/var/log/sway" = lib.mkIf (cfg.greeter == "sway") {
+        dir.acl.mode = "0777";
+        wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
+      };
+
+      # lightdm-mobile-greeter: "The name org.a11y.Bus was not provided by any .service files"
+      services.gnome.at-spi2-core.enable = true;
+
+      # services.xserver.windowManager.session = [{
+      #   name = "sxmo";
+      #   desktopNames = [ "sxmo" ];
+      #   start = ''
+      #     ${pkgs.sxmo-utils}/bin/sxmo_xinit.sh &
+      #     waitPID=$!
+      #   '';
+      # }];
+      # services.xserver.enable = true;
+
+      # services.greetd = {
+      #   enable = true;
+      #   settings = {
+      #     default_session = {
+      #       command = "${pkgs.sxmo-utils}/bin/sxmo_winit.sh";
+      #       user = "colin";
+      #     };
+      #   };
+      # };
+    })
+  ];
+}

hosts/modules/roles/ac.nix

@@ -10,7 +10,7 @@
   };
 
   config = lib.mkIf config.sane.roles.ac {
-    sane.yggdrasil.enable = true;
-    services.i2p.enable = true;
+    # sane.yggdrasil.enable = true;
+    # services.i2p.enable = true;
   };
 }

hosts/modules/wg-home.nix

@@ -33,6 +33,11 @@ in
       type = types.bool;
       default = false;
     };
+    sane.services.wg-home.enableWan = mkOption {
+      type = types.bool;
+      default = false;
+      description = "whether to make this port visible on the WAN";
+    };
     sane.services.wg-home.ip = mkOption {
       type = types.str;
     };
@@ -51,6 +56,7 @@ in
 
     # for convenience, have both the server and client use the same port for their wireguard connections.
     networking.firewall.allowedUDPPorts = [ 51820 ];
+    sane.services.wan-ports.udp = lib.mkIf cfg.enableWan [ 51820 ];
     networking.wireguard.interfaces.wg-home = {
       listenPort = 51820;
       privateKeyFile = "/run/wg-home.priv";

integrations/nur/default.nix

@@ -22,6 +22,9 @@
 # ^ source: <https://github.com/nix-community/nur-packages-template/blob/master/.github/workflows/build.yml#L63>
 #   N.B.: nur eval allows only PATH (inherited) and NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM="1" (forced),
 #   hence the erasing of NIX_PATH above (to remove external overlays)
+#
+# if it validates here but not upstream, likely to do with different `nixpkgs` inputs.
+# - CI logs: <https://github.com/nix-community/NUR/actions/workflows/update.yml>
 
 { pkgs ? import <nixpkgs> {} }:
 let

modules/services/default.nix

@@ -6,5 +6,6 @@
     ./mautrix-signal.nix
     ./nixserve.nix
     ./trust-dns.nix
+    ./wan-ports.nix
   ];
 }

modules/services/dyn-dns.nix

@@ -5,7 +5,8 @@ let
   cfg = config.sane.services.dyn-dns;
   getIp = pkgs.writeShellScript "dyn-dns-query-wan" ''
     # preferred method and fallback
-    ${pkgs.sane-scripts}/bin/sane-ip-check-router-wan || \
+    # OPNsense router broadcasts its UPnP endpoint every 30s
+    timeout 60 ${pkgs.sane-scripts}/bin/sane-ip-check-upnp || \
       ${pkgs.sane-scripts}/bin/sane-ip-check
   '';
 in

modules/services/nixserve.nix

@@ -15,7 +15,7 @@ in
     };
     sane.services.nixserve.secretKeyFile = mkOption {
       type = types.path;
-      description = "path to file that contains the nix_serv_privkey secret (should not be in the store)";
+      description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
     };
   };
 

modules/services/trust-dns.nix

@@ -171,8 +171,8 @@ in
 
   config = mkIf cfg.enable {
     sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
-    networking.firewall.allowedTCPPorts = [ 53 ];
-    networking.firewall.allowedUDPPorts = [ 53 ];
+    sane.services.wan-ports.tcp = [ 53 ];
+    sane.services.wan-ports.udp = [ 53 ];
 
     systemd.services.trust-dns = {
       description = "trust-dns DNS server";

modules/services/wan-ports.nix

@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+  cfg = config.sane.services.wan-ports;
+in
+{
+  options = with lib; {
+    sane.services.wan-ports = {
+      openFirewall = mkOption {
+        default = false;
+        type = types.bool;
+      };
+
+      # TODO: openUpnp option
+
+      # TODO: rework this to look like:
+      # ports.53 = {
+      #   protocol = [ "udp" "tcp" ];  # have this be default
+      #   visibility = "wan";  # or "lan"
+      # }
+      tcp = mkOption {
+        type = types.listOf types.int;
+        default = [];
+      };
+      udp = mkOption {
+        type = types.listOf types.int;
+        default = [];
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.openFirewall {
+    networking.firewall.allowedTCPPorts = cfg.tcp;
+    networking.firewall.allowedUDPPorts = cfg.udp;
+  };
+}

nixpatches/10-flutter-arm64.patch

@@ -1,40 +0,0 @@
-diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
-index 565c44f72e9..f20a3d4e9be 100644
---- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
-+++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
-@@ -4,13 +4,19 @@
- , olm
- , imagemagick
- , makeDesktopItem
-+, stdenv
- }:
- 
-+let vendorHashes = {
-+  x86_64-linux = "sha256-p5EJP2zSvWyRV1uyTHw0EpFsEwAGtX5B9WVjpLmnVew=";
-+  aarch64-linux = "sha256-Ps0HmDI6BFxHrLRq3KWNk4hw0qneq5hqB/Mp99f+hO4=";
-+};
-+in
- flutter.mkFlutterApp rec {
-   pname = "fluffychat";
-   version = "1.6.1";
- 
--  vendorHash = "sha256-SelMRETFYZgTStV90gRoKhazu1NPbcSMO9mYebSQskQ=";
-+  vendorHash = vendorHashes."${stdenv.hostPlatform.system}" or (throw "unsupported system: ${stdenv.hostPlatform.system}");
- 
-   src = fetchFromGitLab {
-     owner = "famedly";
-diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
-index 9eba6773448..e9d352169b2 100644
---- a/pkgs/development/compilers/flutter/default.nix
-+++ b/pkgs/development/compilers/flutter/default.nix
-@@ -19,6 +19,10 @@ let
-         url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
-         sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
-       };
-+      "${dartVersion}-aarch64-linux" = fetchurl {
-+        url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-arm64-release.zip";
-+        sha256 = "sha256-BIK6kUx+m+/GfR/wBXv8rjVNbP6w1HFvH/RGIwiaJog=";
-+      };
-     };
-   };
- in {

nixpatches/list.nix

@@ -3,7 +3,8 @@ let
   fetchpatch' = {
     saneCommit ? null,
     prUrl ? null,
-    hash ? null
+    hash ? null,
+    title ? null,
   }:
     let
       url = if prUrl != null then
@@ -12,7 +13,11 @@ let
       else
         "https://git.uninsane.org/colin/nixpkgs/commit/${saneCommit}.diff"
       ;
-    in fetchpatch ({ inherit url; } // (if hash != null then { inherit hash; } else {}));
+    in fetchpatch (
+      { inherit url; }
+      // (if hash != null then { inherit hash; } else {})
+      // (if title != null then { name = title; } else {})
+    );
 in [
 
   # splatmoji: init at 1.2.0
@@ -62,27 +67,20 @@ in [
   ./2023-04-29-lemmy.patch
 
   (fetchpatch' {
-    # cargo-docset: init at 0.3.1
+    title = "cargo-docset: init at 0.3.1";
     saneCommit = "5a09e84c6159ce545029483384580708bc04c08f";
     prUrl = "https://github.com/NixOS/nixpkgs/pull/231188";
     hash = "sha256-Z1HOps3w/WvxAiyUAHWszKqwS9EwA6rf4XfgPGp+2sQ=";
   })
 
   (fetchpatch' {
-    # kiwix-tools: 3.4.0 -> 3.5.0
-    saneCommit = "146f2449a19101ee202aa578a2b1d7377779890b";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/232020";
-    hash = "sha256-Tqr8Ri8X2dDljDmWmjAQDRJGNenSFhrY/wr24h2JAh0=";
-  })
-
-  (fetchpatch' {
-    # nixos/lemmy: support nginx
+    title = "nixos/lemmy: support nginx";
     saneCommit = "4c86db6dcb78795ac9bb514d9c779fd591070b23";
     hash = "sha256-G7jGhSPUp9BMxh2yTzo0KUUVabMJeZ28YTA+0iPldRI=";
   })
 
   (fetchpatch' {
-    # feedbackd: 0.1.0 -> 0.2.0
+    title = "feedbackd: 0.1.0 -> 0.2.0";
     saneCommit = "a0186a5782708a640cd6eaad6e9742b9cccebe9d";
     hash = "sha256-f8he7pQow4fZkTVVqU/A5KgovZA7m7MccRQNTnDxw5o=";
   })
@@ -125,22 +123,32 @@ in [
   #   hash = "sha256-MNG8C0OgdPnFQ8SF2loiEhXJuP2z4n9pkXr8Zh4X7QU=";
   # })
 
-  # # kaiteki: init at 2022-09-03
-  # vendorHash changes too frequently (might not be reproducible).
-  # using local package defn until stabilized
-  # (fetchpatch {
-  #   url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
-  #   # url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
-  #   sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
-  # })
+  (fetchpatch' {
+    title = "conky: 1.13.1 -> 1.18.0";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/217224";
+    hash = "sha256-+g3XhmBt/udhbBDiVyfWnfXKvZTvDurlvPblQ9HYp3s=";
+  })
 
-
-  # Fix mk flutter app
-  # closed (not merged). updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
-  # (fetchpatch {
-  #   url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
-  #   sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
+  # (fetchpatch' {
+  #   title = "hare-json: init at unstable-2023-01-31";
+  #   saneCommit = "260f9c6ac4e3564acbceb46aa4b65fbb652f8e23";
+  #   hash = "sha256-bjLKANo0+zaxugJlEk1ObPqRHWOKptD7dXB+/xzsYqA=";
   # })
+  # (fetchpatch' {
+  #   title = "hare-ev: init at unstable-2022-12-29";
+  #   saneCommit = "4058200a407c86c5d963bc49b608aa1a881cbbf2";
+  #   hash = "sha256-wm1aavbCfxBhcOXh4EhFO4u0LrA9tNr0mSczHUK8mQU=";
+  # })
+  # (fetchpatch' {
+  #   title = "bonsai: init at 1.0.0";
+  #   saneCommit = "65d37294d939384e8db400ea82d25ce8b4ad6897";
+  #   hash = "sha256-2easgOtJfzvVcz/3nt3lo1GKLLotrM4CkBRyTgIAhHU=";
+  # })
+  (fetchpatch' {
+    title = "bonsai: init at 1.0.0";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/233892";
+    hash = "sha256-9XKPNg7TewicfbMgiASpYysTs5aduIVP+4onz+noc/0=";
+  })
 
   # for raspberry pi: allow building u-boot for rpi 4{,00}
   # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
@@ -148,7 +156,4 @@ in [
   ./02-rpi4-uboot.patch
 
   # ./07-duplicity-rich-url.patch
-
-  # enable aarch64 support for flutter's dart package
-  # ./10-flutter-arm64.patch
 ]

overlays/all.nix

@@ -0,0 +1,26 @@
+# this overlay exists specifically to control the order in which other overlays are applied.
+# for example, `pkgs` *must* be added before `cross`, as the latter applies overrides
+# to the packages defined in the former.
+
+final: prev:
+let
+  pins = import ./pins.nix;
+  pkgs = import ./pkgs.nix;
+  disable-flakey-tests = import ./disable-flakey-tests.nix;
+  optimizations = import ./optimizations.nix;
+  cross = import ./cross.nix;
+
+  isCross = prev.stdenv.hostPlatform != prev.stdenv.buildPlatform;
+  ifCross = overlay: if isCross then overlay else (_: _: {});
+  renderOverlays = overlays: builtins.foldl'
+    (acc: thisOverlay: acc // (thisOverlay final acc))
+    prev
+    overlays;
+in
+  renderOverlays [
+    pins
+    pkgs
+    disable-flakey-tests
+    (ifCross optimizations)
+    (ifCross cross)
+  ]

pkgs/additional/bonsai/default.nix

@@ -0,0 +1,47 @@
+{ stdenv
+, lib
+, fetchFromSourcehut
+, gitUpdater
+, hare
+, hare-ev
+, hare-json
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bonsai";
+  version = "1.0.0";
+
+  src = fetchFromSourcehut {
+    owner = "~stacyharper";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-jOtFUpl2/Aa7f8JMZf6g63ayFOi+Ci+i7Ac63k63znc=";
+  };
+
+  nativeBuildInputs = [
+    hare
+    hare-ev
+    hare-json
+  ];
+
+  preConfigure = ''
+    export HARECACHE=$(mktemp -d)
+    # FIX "ar: invalid option -- '/'" bug in older versions of hare.
+    # should be safe to remove once updated past 2023/05/22-ish.
+    # export ARFLAGS="-csr"
+  '';
+
+  installFlags = [ "PREFIX=" "DESTDIR=$(out)" ];
+
+  passthru.updateScript = gitUpdater {
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    description = "Bonsai is a Finite State Machine structured as a tree";
+    homepage = "https://git.sr.ht/~stacyharper/bonsai";
+    license = licenses.agpl3;
+    maintainers = with maintainers; [ colinsane ];
+    platforms = platforms.linux;
+  };
+}

pkgs/additional/hare-ev/default.nix

@@ -0,0 +1,34 @@
+{ stdenv
+, lib
+, fetchFromSourcehut
+, hare
+, unstableGitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "hare-ev";
+  version = "unstable-2022-12-29";
+
+  src = fetchFromSourcehut {
+    owner = "~sircmpwn";
+    repo = pname;
+    rev = "c585f01f4d13a25edb62477c07fdf32451417fee";
+    hash = "sha256-lB+ZPKGeYASV9oCE5iyDUCCPu2V07hqMXEktIY4fn1E=";
+  };
+
+  nativeBuildInputs = [
+    hare
+  ];
+
+  installFlags = [ "PREFIX=" "DESTDIR=$(out)" ];
+
+  passthru.updateScript = unstableGitUpdater { };
+
+  meta = with lib; {
+    description = "an event loop for Hare programs";
+    homepage = "https://sr.ht/~sircmpwn/hare-ev";
+    license = licenses.mpl20;
+    maintainers = with maintainers; [ colinsane ];
+    platforms = platforms.linux;
+  };
+}

pkgs/additional/hare-json/default.nix

@@ -0,0 +1,34 @@
+{ stdenv
+, lib
+, fetchFromSourcehut
+, hare
+, unstableGitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "hare-json";
+  version = "unstable-2023-01-31";
+
+  src = fetchFromSourcehut {
+    owner = "~sircmpwn";
+    repo = pname;
+    rev = "99ae40eacc19253495949301000372adf8c3f504";
+    hash = "sha256-H5XKExs7e60PHmIS7TgBwG9e46Hj2M4D245vKag0ANA=";
+  };
+
+  nativeBuildInputs = [
+    hare
+  ];
+
+  installFlags = [ "PREFIX=" "DESTDIR=$(out)" ];
+
+  passthru.updateScript = unstableGitUpdater { };
+
+  meta = with lib; {
+    description = "JSON support for the Hare programming language";
+    homepage = "https://sr.ht/~sircmpwn/hare-json";
+    license = licenses.mpl20;
+    maintainers = with maintainers; [ colinsane ];
+    platforms = platforms.linux;
+  };
+}

pkgs/additional/sane-scripts/default.nix

@@ -27,7 +27,6 @@ let
           "bin"
           coreutils-full
           curl
-          duplicity
           file
           findutils
           git
@@ -49,12 +48,10 @@ let
           sops
           sudo
           systemd
-          transmission
           util-linux
           which
         ];
         keep = {
-          "/run/secrets/duplicity_passphrase" = true;
           # we write here: keep it
           "/tmp/rmlint.sh" = true;
           # intentionally escapes (into user code)
@@ -78,7 +75,6 @@ let
 
         # list of programs which *can* or *cannot* exec their arguments
         execer = with pkgs; [
-          "cannot:${duplicity}/bin/duplicity"
           "cannot:${git}/bin/git"
           "cannot:${gocryptfs}/bin/gocryptfs"
           "cannot:${ifuse}/bin/ifuse"
@@ -90,16 +86,21 @@ let
           "cannot:${sops}/bin/sops"
           "cannot:${ssh-to-age}/bin/ssh-to-age"
           "cannot:${systemd}/bin/systemctl"
-          "cannot:${transmission}/bin/transmission-remote"
         ];
       };
     };
 
-    # remove python scripts  (we package them further below)
-    patchPhase = builtins.concatStringsSep
-      "\n"
-      (lib.mapAttrsToList (name: pkg: "rm ${pkg.pname}") py-scripts)
-    ;
+    patchPhase =
+      let
+        rmPy = builtins.concatStringsSep
+          "\n"
+          (lib.mapAttrsToList (name: pkg: "rm ${pkg.pname}") py-scripts)
+        ;
+      in ''
+        # remove python library files, and python binaries  (those are packaged further below)
+        rm -rf lib/
+        ${rmPy}
+      '';
 
     installPhase = ''
       mkdir -p $out/bin
@@ -108,21 +109,59 @@ let
   };
 
   py-scripts = {
-    # anything added to this attrset gets symlink-joined into into `sane-scripts`
-    bt-search = static-nix-shell.mkPython3Bin {
-      pname = "sane-bt-search";
+    # anything added to this attrset gets symlink-joined into `sane-scripts`
+    backup-ls = static-nix-shell.mkBash {
+      pname = "sane-backup-ls";
       src = ./src;
-      pyPkgs = [ "natsort" "requests" ];
+      pkgs = [ "duplicity" ];
+    };
+    backup-restore = static-nix-shell.mkBash {
+      pname = "sane-backup-restore";
+      src = ./src;
+      pkgs = [ "duplicity" ];
+    };
+    bt-add = static-nix-shell.mkBash {
+      pname = "sane-bt-add";
+      src = ./src;
+      pkgs = [ "transmission" ];
     };
     bt-rm = static-nix-shell.mkBash {
       pname = "sane-bt-rm";
       src = ./src;
       pkgs = [ "transmission" ];
     };
+    bt-search = static-nix-shell.mkPython3Bin {
+      pname = "sane-bt-search";
+      src = ./src;
+      pyPkgs = [ "natsort" "requests" ];
+    };
+    bt-show = static-nix-shell.mkBash {
+      pname = "sane-bt-show";
+      src = ./src;
+      pkgs = [ "transmission" ];
+    };
     date-math = static-nix-shell.mkPython3Bin {
       pname = "sane-date-math";
       src = ./src;
     };
+    ip-check-upnp = static-nix-shell.mkPython3Bin {
+      pname = "sane-ip-check-upnp";
+      src = ./src;
+      pkgs = [ "miniupnpc" ];
+      postInstall = ''
+        mkdir -p $out/bin/lib
+        cp -R lib/* $out/bin/lib/
+      '';
+    };
+    ip-port-forward = static-nix-shell.mkPython3Bin {
+      pname = "sane-ip-port-forward";
+      src = ./src;
+      pkgs = [ "miniupnpc" ];
+      postInstall = ''
+        mkdir -p $out/bin/lib
+        cp -R lib/* $out/bin/lib/
+      '';
+    };
     reclaim-boot-space = static-nix-shell.mkPython3Bin {
       pname = "sane-reclaim-boot-space";
       src = ./src;

pkgs/additional/sane-scripts/src/lib/sane_ssdp.py

@@ -0,0 +1,110 @@
+# based on this minimal SSDP client: <https://gist.github.com/schlamar/2428250>
+
+import logging
+import socket
+import struct
+import subprocess
+
+logger = logging.getLogger(__name__)
+
+
+MCAST_GRP = "239.255.255.250"
+
+class SsdpResponse:
+    def __init__(self, headers: "Dict[str, str]"):
+        self.headers = headers
+
+    @staticmethod
+    def parse(msg: str) -> "Self":
+        headers = {}
+        for line in [m.strip() for m in msg.split("\r\n") if m.strip()]:
+            if ":" not in line: continue
+            sep_idx = line.find(":")
+            header, content = line[:sep_idx].strip(), line[sep_idx+1:].strip()
+            headers[header.upper()] = content
+        if headers:
+            return SsdpResponse(headers)
+
+    def is_rootdevice(self) -> bool:
+        return self.headers.get("NT", "").lower() == "upnp:rootdevice"
+
+    def location(self) -> str:
+        return self.headers.get("LOCATION")
+
+
+def get_root_devices():
+    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    listener.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
+
+    listener.bind(("", 1900))
+    logger.info("bound")
+
+    mreq = struct.pack("4sl", socket.inet_aton(MCAST_GRP), socket.INADDR_ANY)
+    listener.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
+
+    root_descs = set()
+    while True:
+        packet, (host, src_port) = listener.recvfrom(2048)
+        logger.info(f"message from {host}")
+        # if host.endswith(".1"):  # router
+        try:
+            msg = packet.decode("utf-8")
+        except:
+            logger.debug("failed to decode packet to string")
+        else:
+            logger.debug(msg)
+            resp = SsdpResponse.parse(msg)
+            if resp and resp.is_rootdevice():
+                root_desc = resp.location()
+                if root_desc and root_desc not in root_descs:
+                    root_descs.add(root_desc)
+                    logger.info(f"root desc: {root_desc}")
+                    yield root_desc
+
+def get_wan_from_location(location: str):
+    """ location = URI from the Location header, e.g. http://10.78.79.1:2189/rootDesc.xml """
+
+    # get connection [s]tatus
+    res = subprocess.run(["upnpc", "-u", location, "-s"], capture_output=True)
+    res.check_returncode()
+
+    status = res.stdout.decode("utf-8")
+    logger.info(f"got status: {status}")
+
+    for line in [l.strip() for l in status.split("\n")]:
+        sentinel = "ExternalIPAddress ="
+        if line.startswith(sentinel):
+            ip = line[len(sentinel):].strip()
+            return ip
+
+def get_any_wan():
+    """ return (location, WAN IP) for the first device seen which has a WAN IP """
+    for location in get_root_devices():
+        wan = get_wan_from_location(location)
+        if wan:
+            return location, wan
+
+def get_lan_ip() -> str:
+    ips = subprocess.check_output(["hostname", "-i"]).decode("utf-8").strip().split(" ")
+    ips = [i for i in ips if i.startswith("10.") or i.startswith("192.168.")]
+    assert len(ips) == 1, ips
+    return ips[0]
+
+def forward_port(root_device: str, proto: str, port: int, reason: str, duration: int = 86400, lan_ip: str = None):
+    lan_ip = lan_ip or get_lan_ip()
+    args = [
+        "upnpc",
+        "-u", root_device,
+        "-e", reason,
+        "-a", lan_ip,
+        str(port),
+        str(port),
+        proto,
+        str(duration),
+    ]
+
+    logger.debug(f"running: {args!r}")
+    stdout = subprocess.check_output(args).decode("utf-8")
+
+    logger.info(stdout)

pkgs/additional/sane-scripts/src/sane-backup-ls

@@ -1,10 +1,11 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p duplicity
 
 # N.B. must be run as root
 
 set -ex
 
 # source the URL; hack to satisfy resholve
-external_cmd="source /run/secrets/duplicity_passphrase"
+external_cmd="source /run/secrets/duplicity_passphrase.env"
 $external_cmd
 duplicity list-current-files --archive-dir /var/lib/duplicity $DUPLICITY_URL

pkgs/additional/sane-scripts/src/sane-backup-restore

@@ -1,4 +1,5 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p duplicity
 
 # N.B. must be run as root
 
@@ -8,6 +9,6 @@ dest_path="$1"
 source_path="$2"
 
 # source the URL; hack to satisfy resholve
-external_cmd="source /run/secrets/duplicity_passphrase"
+external_cmd="source /run/secrets/duplicity_passphrase.env"
 $external_cmd
 duplicity restore --archive-dir /var/lib/duplicity --file-to-restore "$source_path" $DUPLICITY_URL "$dest_path"

pkgs/additional/sane-scripts/src/sane-bt-add

@@ -1,11 +1,12 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p transmission
 
 set -e
 
 endpoint=https://bt.uninsane.org/transmission/rpc
 PASS=$(sudo cat /run/secrets/transmission_passwd)
 
-options=$(getopt -l prefix:,film,show:,book:,audiobook:,vn:,author: -- "" "${@}")
+options=$(getopt -l help,prefix:,film,show:,book:,audiobook:,vn:,author: -- "" "${@}")
 eval "set -- ${options}"
 
 type=
@@ -14,6 +15,22 @@ author=
 prefix=
 while true; do
   case "$1" in
+    (--help)
+      echo "add a .torrent or magnet:// file to be downloaded by and stored on my server"
+      echo "usage: sane-bt-add [options] <magnet:// URI or path/to.torrent>"
+      echo "options:"
+      echo "  --prefix <PathString>"
+      echo "  --film"
+      echo "  --show <ShowTitle>"
+      echo "  --book <BookTitle>"
+      echo "  --audiobook <BookTitle>"
+      echo "  --vn <VisualNovelTitle>"
+      echo "  --author <Author>"
+      echo ""
+      echo "the above options are used to construct the filesystem path where the torrent data will live"
+      echo "everything is relative to the root media directory (not /)"
+      exit
+    ;;
     (--prefix)
       shift
       prefix="$1"

pkgs/additional/sane-scripts/src/sane-bt-show

@@ -1,4 +1,5 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p transmission
 
 endpoint=https://bt.uninsane.org/transmission/rpc
 PASS=$(sudo cat /run/secrets/transmission_passwd)

pkgs/additional/sane-scripts/src/sane-ip-check-router-wan

@@ -1,18 +0,0 @@
-#!/usr/bin/env bash
-# query the WAN IP address OF MY ROUTER
-# requires creds
-passwd=$(sudo cat /run/secrets/router_passwd)
-cookie=$(mktemp)
-curlflags="curl --silent --insecure --cookie-jar $cookie --connect-timeout 5"
-
-# authenticate
-curl $curlflags \
-  --data "username=admin&password=$passwd" \
-  https://192.168.0.1
-# query the WAN IP
-ip=$(curl $curlflags \
-  -H "X-Requested-With: XMLHttpRequest" \
-  "https://192.168.0.1/cgi/cgi_action?Action=GetConnectionStatus" \
-  | jq -r .wan_status.ipaddr)
-echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
-exit $?

pkgs/additional/sane-scripts/src/sane-ip-check-upnp

@@ -0,0 +1,27 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])" -p miniupnpc
+
+# best to run this with an external timeout. e.g.
+# - `timeout 60 sane-ip-check-upnp`
+
+import logging
+import os
+import sys
+
+d = os.path.dirname(__file__)
+sys.path.insert(0, d)
+
+from lib.sane_ssdp import get_any_wan
+
+if __name__ == '__main__':
+    logging.basicConfig()
+
+    for arg in sys.argv[1:]:
+        if arg == "-v":
+            logging.getLogger().setLevel(logging.INFO)
+        elif arg == "-vv":
+            logging.getLogger().setLevel(logging.DEBUG)
+        else:
+            raise RuntimeError(f"invalid CLI argument {arg!r}")
+    _rootdev, wan_ip = get_any_wan()
+    print(wan_ip)

pkgs/additional/sane-scripts/src/sane-ip-port-forward

@@ -0,0 +1,74 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])" -p miniupnpc
+
+'''
+USAGE: sane-ip-port-forward [options] [proto:port]*
+
+options:
+  -v:  verbose (show info messages)
+  -vv: more verbose (show debug messages)
+  -h:  show this help messages
+
+proto:port:
+  proto is `udp` or `tcp` (case insensitive)
+  port is any integer 1-65535 inclusive
+'''
+
+import logging
+import subprocess
+import sys
+
+sys.path.insert(0, ".")
+
+from lib.sane_ssdp import get_any_wan, forward_port
+
+class BadCliArgs(Exception):
+    def __init__(self, msg: str = None):
+        helpstr = __doc__.strip()
+        if msg:
+            super().__init__(f"{msg}\n\n{helpstr}")
+        else:
+            super().__init__(helpstr)
+
+def try_parse_port(s: str):
+    """
+    `udp:53` -> ["udp", 53]
+    `tcp:65535` -> ["tcp", 65535]
+    """
+    try:
+        proto, portstr = s.strip().split(":")
+        proto, port = proto.lower(), int(portstr)
+        assert proto in ["tcp", "udp"]
+        assert 0 < port < 65536
+        return proto, port
+    except Exception:
+        pass
+
+def parse_args(argv: "List[str]") -> "List[('udp'|'tcp', port)]":
+    forwards = []
+    for arg in sys.argv[1:]:
+        if arg == "-h":
+            raise BadCliArgs()
+        if arg == "-v":
+            logging.getLogger().setLevel(logging.INFO)
+        elif arg == "-vv":
+            logging.getLogger().setLevel(logging.DEBUG)
+        elif try_parse_port(arg):
+            forwards.append(try_parse_port(arg))
+        else:
+            raise BadCliArgs(f"invalid CLI argument {arg!r}")
+    return forwards
+
+if __name__ == '__main__':
+    logging.basicConfig()
+
+    try:
+        forwards = parse_args(sys.argv)
+    except BadCliArgs as e:
+        print(e)
+        sys.exit(1)
+
+    root_device, _wan = get_any_wan()
+    hostname = subprocess.check_output(["hostname"]).decode("utf-8").strip()
+    for (proto, port) in forwards:
+        forward_port(root_device, proto, port, f"colin-{hostname}")

pkgs/additional/static-nix-shell/default.nix

@@ -53,6 +53,7 @@ in rec {
       '';
       nativeBuildInputs = [ makeWrapper ];
       installPhase = ''
+        runHook preInstall
         mkdir -p $out/bin
         mv ${srcPath} $out/bin/${srcPath}
 
@@ -62,6 +63,8 @@ in rec {
         # add runtime dependencies to PATH
         wrapProgram $out/bin/${srcPath} \
           --suffix PATH : ${lib.makeBinPath pkgsEnv }
+
+        runHook postInstall
       '';
     } // (removeAttrs attrs [ "interpreter" "interpreterName" "pkgsEnv" "pkgExprs" "srcPath" ])
   );

pkgs/additional/sxmo-utils/0001-group-differs-from-user.patch

@@ -0,0 +1,23 @@
+diff --git a/configs/profile.d/sxmo_init.sh b/configs/profile.d/sxmo_init.sh
+index 55baab3..2d33ea1 100644
+--- a/configs/profile.d/sxmo_init.sh
++++ b/configs/profile.d/sxmo_init.sh
+@@ -158,13 +158,15 @@ _sxmo_grab_session() {
+ }
+ 
+ _sxmo_prepare_dirs() {
++	uid=$(id -u)
++	gid=$(id -g)
+ 	mkdir -p "$XDG_RUNTIME_DIR"
+ 	chmod 700 "$XDG_RUNTIME_DIR"
+-	chown "$USER:$USER" "$XDG_RUNTIME_DIR"
++	chown "$uid:$gid" "$XDG_RUNTIME_DIR"
+ 
+ 	mkdir -p "$XDG_CACHE_HOME/sxmo/"
+ 	chmod 700 "$XDG_CACHE_HOME"
+-	chown "$USER:$USER" "$XDG_CACHE_HOME"
++	chown "$uid:$gid" "$XDG_CACHE_HOME"
+ }
+ 
+ _sxmo_grab_session
+

pkgs/additional/sxmo-utils/0002-ensure-log-dir.patch

@@ -0,0 +1,15 @@
+diff --git a/configs/profile.d/sxmo_init.sh b/configs/profile.d/sxmo_init.sh
+index 2d33ea1..76c4c94 100644
+--- a/configs/profile.d/sxmo_init.sh
++++ b/configs/profile.d/sxmo_init.sh
+@@ -167,6 +167,10 @@ _sxmo_prepare_dirs() {
+ 	mkdir -p "$XDG_CACHE_HOME/sxmo/"
+ 	chmod 700 "$XDG_CACHE_HOME"
+ 	chown "$uid:$gid" "$XDG_CACHE_HOME"
++
++	mkdir -p "$XDG_STATE_HOME"
++	chmod 700 "$XDG_STATE_HOME"
++	chown "$uid:$gid" "$XDG_STATE_HOME"
+ }
+ 
+ _sxmo_grab_session

pkgs/additional/sxmo-utils/0003-fix-xkb-paths.patch

@@ -0,0 +1,19 @@
+diff --git a/scripts/core/sxmo_swayinitconf.sh b/scripts/core/sxmo_swayinitconf.sh
+index c4afcd6..80f593c 100755
+--- a/scripts/core/sxmo_swayinitconf.sh
++++ b/scripts/core/sxmo_swayinitconf.sh
+@@ -60,13 +60,13 @@ focused_name="$(
+ swaymsg -- input type:touch map_to_output "$focused_name"
+ swaymsg -- input type:tablet_tool map_to_output "$focused_name"
+ 
+-swaymsg -- input "$pwr" xkb_file "$(xdg_data_path sxmo/sway/xkb_mobile_normal_buttons)"
++swaymsg -- input "$pwr" xkb_file "$(xdg_data_path sxmo/xkb/xkb_mobile_normal_buttons)"
+ 
+ if ! [ "$vols" = "none" ]; then
+ 	for vol in $vols; do
+ 		swaymsg -- input "$vol" repeat_delay 200
+ 		swaymsg -- input "$vol" repeat_rate 15
+-		swaymsg -- input "$vol" xkb_file "$(xdg_data_path sxmo/sway/xkb_mobile_normal_buttons)"
++		swaymsg -- input "$vol" xkb_file "$(xdg_data_path sxmo/xkb/xkb_mobile_normal_buttons)"
+ 	done
+ fi

pkgs/additional/sxmo-utils/0004-full-auto-rotate.patch

@@ -0,0 +1,13 @@
+diff --git a/scripts/core/sxmo_autorotate.sh b/scripts/core/sxmo_autorotate.sh
+index 58e3f4b..cbf0163 100755
+--- a/scripts/core/sxmo_autorotate.sh
++++ b/scripts/core/sxmo_autorotate.sh
+@@ -18,6 +18,8 @@ while true; do
+ 	x_raw="$(cat "$FILE_X")"
+ 	if  [ "$x_raw" -ge "$RIGHT_SIDE_UP" ] && sxmo_rotate.sh isrotated ; then
+ 		sxmo_rotate.sh rotnormal
++	elif [ "$x_raw" -le "$UPSIDE_DOWN" ] && [ "$(sxmo_rotate.sh isrotated)" != "invert" ]; then
++		sxmo_rotate.sh rotinvert
+ 	elif [ "$y_raw" -le "$UPSIDE_DOWN" ] && [ "$(sxmo_rotate.sh isrotated)" != "right" ]; then
+ 		sxmo_rotate.sh rotright
+ 	elif [ "$y_raw" -ge "$RIGHT_SIDE_UP" ] && [ "$(sxmo_rotate.sh isrotated)" != "left" ]; then

pkgs/additional/sxmo-utils/default.nix

@@ -0,0 +1,55 @@
+{ stdenv
+, fetchgit
+, gitUpdater
+, lib
+}:
+
+stdenv.mkDerivation rec {
+  pname = "sxmo-utils";
+  version = "1.14.1";
+
+  src = fetchgit {
+    url = "https://git.sr.ht/~mil/sxmo-utils";
+    rev = version;
+    hash = "sha256-UcJid1fi3Mgu32dCqlI9RQYnu5d07MMwW3eEYuYVBw4=";
+  };
+
+  patches = [
+    # needed for basic use:
+    ./0001-group-differs-from-user.patch
+    ./0002-ensure-log-dir.patch
+    ./0003-fix-xkb-paths.patch
+
+    # personal preferences:
+    ./0004-full-auto-rotate.patch
+  ];
+
+  postPatch = ''
+    sed -i 's@/usr/lib/udev/rules\.d@/etc/udev/rules.d@' Makefile
+    sed -i "s@/etc/profile\.d/sxmo_init.sh@$out/etc/profile.d/sxmo_init.sh@" scripts/core/*.sh
+    sed -i "s@/usr/bin/@@g" scripts/core/sxmo_version.sh
+    sed -i 's:ExecStart=/usr/bin/:ExecStart=/usr/bin/env :' configs/superd/services/*.service
+
+    # on devices where volume is part of the primary keyboard, we want to avoid overwriting the default map
+    cp ${./en_us_105.xkb} configs/xkb/xkb_mobile_normal_buttons
+  '';
+
+  installFlags = [
+    "OPENRC=0"
+    "DESTDIR=$(out)"
+    "PREFIX="
+  ];
+
+  passthru = {
+    providedSessions = [ "sxmo" "swmo" ];
+    updateScript = gitUpdater { };
+  };
+
+  meta = {
+    homepage = "https://git.sr.ht/~mil/sxmo-utils";
+    description = "Contains the scripts and small C programs that glues the sxmo enviroment together";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ colinsane ];
+    platforms = lib.platforms.linux; 
+  };
+}

pkgs/additional/sxmo-utils/en_us_105.xkb

@@ -0,0 +1,7 @@
+xkb_keymap {
+	xkb_keycodes  { include "evdev+aliases(qwerty)"	};
+	xkb_types     { include "complete"	};
+	xkb_compat    { include "complete"	};
+	xkb_symbols   { include "pc+us+inet(evdev)"	};
+	xkb_geometry  { include "pc(pc105)"	};
+};

pkgs/default.nix

@@ -13,18 +13,21 @@ let
   pythonPackagesOverlay = py-final: py-prev: import ./python-packages {
     inherit (py-final) callPackage;
   };
-  final' = if final != null then final else (pkgs // sane);
+  final' = if final != null then final else pkgs.appendOverlays [(_: _: sane)];
   sane = with final'; {
-    sane-data = import ../modules/data { inherit lib; };
+    sane-data = import ../modules/data { inherit lib sane-lib; };
     sane-lib = import ../modules/lib final';
 
     ### ADDITIONAL PACKAGES
+    bonsai = unpatched.bonsai or (callPackage ./additional/bonsai { });
     bootpart-uefi-x86_64 = callPackage ./additional/bootpart-uefi-x86_64 { };
     browserpass-extension = callPackage ./additional/browserpass-extension { };
     cargoDocsetHook = callPackage ./additional/cargo-docset/hook.nix { };
     feeds = lib.recurseIntoAttrs (callPackage ./additional/feeds { });
     gopass-native-messaging-host = callPackage ./additional/gopass-native-messaging-host { };
     gpodder-configured = callPackage ./additional/gpodder-configured { };
+    hare-ev = unpatched.hare-ev or (callPackage ./additional/hare-ev { });
+    hare-json = unpatched.hare-json or (callPackage ./additional/hare-json { });
     lightdm-mobile-greeter = callPackage ./additional/lightdm-mobile-greeter { };
     linux-megous = callPackage ./additional/linux-megous { };
     mx-sanebot = callPackage ./additional/mx-sanebot { };
@@ -32,6 +35,7 @@ let
     sane-scripts = callPackage ./additional/sane-scripts { };
     static-nix-shell = callPackage ./additional/static-nix-shell { };
     sublime-music-mobile = callPackage ./additional/sublime-music-mobile { };
+    sxmo-utils = callPackage ./additional/sxmo-utils { };
     tow-boot-pinephone = callPackage ./additional/tow-boot-pinephone { };
 
     # packages i haven't used for a while, may or may not still work
@@ -48,8 +52,9 @@ let
     # ubootRaspberryPi4_64bit = callPackage ./additional/ubootRaspberryPi4_64bit { };
 
     # provided by nixpkgs patch or upstream PR
-    # cargo-docset = callPackage ./additional/cargo-docset { };
-    # splatmoji = callPackage ./additional/splatmoji { };
+    # i still conditionally callPackage these to make them available to external consumers (like NUR)
+    cargo-docset = unpatched.cargo-docset or (callPackage ./additional/cargo-docset { });
+    splatmoji = unpatched.splatmoji or (callPackage ./additional/splatmoji { });
 
 
     ### PATCHED PACKAGES
@@ -75,6 +80,7 @@ let
     jackett = callPackage ./patched/jackett { inherit (unpatched) jackett; };
 
     lemmy-server = callPackage ./patched/lemmy-server { inherit (unpatched) lemmy-server; };
+    lemmy-ui = callPackage ./patched/lemmy-ui { inherit (unpatched) lemmy-ui; };
 
     phoc = callPackage ./patched/phoc { inherit (unpatched) phoc; };
 

pkgs/patched/lemmy-ui/default.nix

@@ -0,0 +1,5 @@
+{ lemmy-ui, nodejs }:
+lemmy-ui.override {
+  # build w/ latest nodejs; not 14.x
+  inherit nodejs;
+}

templates/pkgs/make/default.nix

@@ -0,0 +1,35 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "TODO";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "TODO";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-TODO";
+  };
+
+  nativeBuildInputs = [
+  ];
+
+  buildInputs = [
+  ];
+
+  passthru.updateScript = gitUpdater {
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    description = "TODO (don't end in period)";
+    homepage = "TODO";
+    license = licenses.TODO;
+    maintainers = with maintainers; [ colinsane ];
+    platforms = platforms.linux;
+  };
+}