nixpkgs: 2023-06-26 -> 2023-06-27

```
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/6b3d1b1cf13f407fef5e634b224d575eb7211975' (2023-06-26)
  → 'github:nixos/nixpkgs/e18dc963075ed115afb3e312b64643bf8fd4b474' (2023-06-27)
```

TODO.md

@@ -3,6 +3,9 @@
 	- else DNS fails
 
 ## REFACTORING:
+
+- remove unused `overlays/pins.nix`
+
 ### sops/secrets
 - attach secrets to the thing they're used by (sane.programs)
 - rework secrets to leverage `sane.fs`
@@ -19,8 +22,6 @@
 - add updateScripts to all my packages in nixpkgs
 - fix lightdm-mobile-greeter for newer libhandy
 - port zecwallet-lite to a from-source build
-- fix or abandon Whalebird
-- FIX failed CI on bonsai PR: <https://github.com/NixOS/nixpkgs/pull/233892>
 - REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
 - remove `libsForQt5.callPackage` broadly: <https://github.com/NixOS/nixpkgs/issues/180841>
 
@@ -33,29 +34,31 @@
 - have `sane.programs` be wrapped such that they run in a cgroup?
     - at least, only give them access to the portion of the fs they *need*.
     - Android takes approach of giving each app its own user: could hack that in here.
+    - flatpak does this, somehow
+    - apparmor?  SElinux?  (desktop) "portals"?
+    - see Spectrum OS; Alyssa Ross; etc
 - canaries for important services
     - e.g. daily email checks; daily backup checks
+    - integrate `nix check` into Gitea actions?
 
 ### user experience
+- neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
 - firefox/librewolf: don't show browserpass/sponsorblock/metamask "first run" on every boot
 - moby: improve gPodder launch time
 - moby: replace jellyfin-desktop with jellyfin-vue?
     - allows (maybe) to cache media for offline use
     - "newer" jellyfin client
     - not packaged for nix
-- find a nice desktop ActivityPub client
+- moby/sxmo: display numerical vol percentage in topbar
 - package Nix/NixOS docs for Zeal
     - install [doc-browser](https://github.com/qwfy/doc-browser)
     - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
     - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
-- auto-mount servo
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - `sane.programs`: auto-populate defaults with everything from `pkgs`
-- zsh: disable "command not found" corrections
-- sxmo: allow rotation to the upside-down position
-    - see: <repo:mil/sxmo-utils:scripts/core/sxmo_autorotate.sh>
-    - all orientations *except* upside down are supported
-- sxmo: launch with auto-rotation enabled
+- `sane.persist`: auto-create parent dirs in ~/private
+  - currently if the application doesn't autocreate dirs leading to its destination, then ~/private storage fails
+  - this might be why librewolf on mobile is still amnesiac
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
 
 ### perf
@@ -67,13 +70,13 @@
     - these use significant /tmp space.
     - either place /tmp on encrypted-cleared-at-boot storage
         - which probably causes each CPU load for the encryption
+    - or have nix builds use a subdir of /tmp like /tmp/nix/...
+        - and place that on non-encrypted clear-on-boot (with very lax writeback/swappiness to minimize writes)
     - **or set up encrypted swap**
         - encrypted swap could remove the need for my encrypted-cleared-at-boot stuff
 
 
 ## NEW FEATURES:
-- add a FTP-accessible file share to servo
-    - just /var/www?
 - migrate MAME cabinet to nix
     - boot it from PXE from servo?
 - enable IPv6

flake.lock

@@ -1,12 +1,15 @@
 {
   "nodes": {
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1687709756,
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
         "type": "github"
       },
       "original": {
@@ -36,11 +39,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1684319086,
-        "narHash": "sha256-5wwlkWqP1cQUPXp/PJsi09FkgAule5yBghngRZZbUQg=",
+        "lastModified": 1687251388,
+        "narHash": "sha256-E9cVlgeCvzPbA/G3mCDCzz8TdRwXyGYzIjmwcvIfghg=",
         "owner": "edolstra",
         "repo": "nix-serve",
-        "rev": "e6e3d09438e803daa5374ad8edf1271289348456",
+        "rev": "d6df5bd8584f37e22cff627db2fc4058a4aab5ee",
         "type": "github"
       },
       "original": {
@@ -66,27 +69,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1685758009,
-        "narHash": "sha256-IT4Z5WGhafrq+xbDTyuKrRPRQ1f+kVOtE+4JU1CHFeo=",
+        "lastModified": 1687031877,
+        "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "eaf03591711b46d21abc7082a8ebee4681f9dbeb",
+        "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1686135559,
-        "narHash": "sha256-pY8waAV8K/sbHBdLn5diPFnQKpNg0YS9w03MrD2lUGE=",
+        "lastModified": 1687898314,
+        "narHash": "sha256-B4BHon3uMXQw8ZdbwxRK1BmxVOGBV4viipKpGaIlGwk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "381e92a35e2d196fdd6077680dca0cd0197e75cb",
+        "rev": "e18dc963075ed115afb3e312b64643bf8fd4b474",
         "type": "github"
       },
       "original": {
@@ -113,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1685848844,
-        "narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=",
+        "lastModified": 1687398569,
+        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b",
+        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
         "type": "github"
       },
       "original": {
@@ -126,6 +129,21 @@
         "type": "github"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "uninsane-dot-org": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -134,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1684528780,
-        "narHash": "sha256-QdYxjcTCCLPv++1v9tJBL98nn/AFx0fmzlgzcLK6KRE=",
+        "lastModified": 1687821285,
+        "narHash": "sha256-pw0UYKG8yhW1H3nPgAhVYCzYFXYtamMh2DmF8YhtRec=",
         "ref": "refs/heads/master",
-        "rev": "f3747a1dad3d34880613821faf26357ba432d3d7",
-        "revCount": 194,
+        "rev": "ae27eb61b55b6c6d83c25384fb163df398a80265",
+        "revCount": 201,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -252,7 +252,7 @@
           deployScript = action: pkgs.writeShellScript "deploy-moby" ''
             nixos-rebuild --flake '.#moby' build $@
             sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
-            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby-hn --use-remote-sudo $@
+            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby --use-remote-sudo $@
           '';
         in {
           update-feeds = {
@@ -276,6 +276,22 @@
             type = "app";
             program = ''${deployScript "switch"}'';
           };
+
+          check-nur = {
+            # `nix run '.#check-nur'`
+            # validates that my repo can be included in the Nix User Repository
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript "check-nur" ''
+              cd ${./.}/integrations/nur
+              NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
+                --allowed-uris https://static.rust-lang.org \
+                --option restrict-eval true \
+                --option allow-import-from-derivation true \
+                --drv-path --show-trace \
+                -I nixpkgs=$(nix-instantiate --find-file nixpkgs) \
+                -I ../../
+            '');
+          };
         };
 
       templates = {

hosts/by-name/desko/default.nix

@@ -4,6 +4,10 @@
     ./fs.nix
   ];
 
+  # TODO: make sure this plays nice with impermanence
+  services.distccd.enable = true;
+  sane.programs.distcc.enableFor.user.guest = true;
+
   sops.secrets.colin-passwd.neededForUsers = true;
 
   sane.roles.build-machine.enable = true;

hosts/by-name/lappy/polyfill.nix

@@ -1,6 +1,6 @@
 # doesn't actually *enable* anything,
 # but sets up any modules such that if they *were* enabled, they'll act as expected.
-{ ... }:
+{ pkgs, ... }:
 {
   sane.gui.sxmo = {
     greeter = "sway";
@@ -28,5 +28,11 @@
       # see <repo:mil/sxmo-utils:scripts/deviceprofiles>
       # SXMO_DEVICE_NAME = "pine64,pinephone-1.2";
     };
+    package = pkgs.sxmo-utils.overrideAttrs (base: {
+      postPatch = (base.postPatch or "") + ''
+        # after volume-button navigation mode, restore full keyboard functionality
+        cp ${./xkb_mobile_normal_buttons} ./configs/xkb/xkb_mobile_normal_buttons
+      '';
+    });
   };
 }

hosts/by-name/moby/default.nix

@@ -40,8 +40,9 @@
   sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
   # disabled for faster deploys (gthumb depends on webkitgtk, particularly)
   sane.programs.soundconverter.enableFor.user.colin = false;
-  sane.programs."gnome.nautilus".enableFor.user.colin = false;
   sane.programs.gthumb.enableFor.user.colin = false;
+  sane.programs.jellyfin-media-player.enableFor.user.colin = false;
+  # sane.programs.mpv.enableFor.user.colin = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.

hosts/by-name/moby/polyfill.nix

@@ -1,23 +1,26 @@
-{ sane-lib, ... }:
+{ pkgs, sane-lib, ... }:
 {
   sane.gui.sxmo = {
     settings = {
       # touch screen
       SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-path/platform-1c2ac00.i2c-event";
       # vol and power are detected correctly by upstream
+
+      # preferences
+      # N.B. some deviceprofiles explicitly set SXMO_SWAY_SCALE, overwriting what we put here.
+      SXMO_SWAY_SCALE = "1.5";
+      SXMO_ROTATION_GRAVITY = "12800";
+      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff
+      DEFAULT_COUNTRY = "US";
+      BROWSWER = "librewolf";
     };
+    package = pkgs.sxmo-utils.overrideAttrs (base: {
+      postPatch = (base.postPatch or "") + ''
+        cat <<EOF >> ./configs/default_hooks/sxmo_hook_start.sh
+        # rotate UI based on physical display angle by default
+        sxmo_daemons.sh start autorotate sxmo_autorotate.sh
+        EOF
+      '';
+    });
   };
-  # TODO: only populate this if sxmo is enabled?
-  sane.user.fs.".config/sxmo/profile" = sane-lib.fs.wantedText ''
-    # sourced by sxmo_init.sh
-    . sxmo_common.sh
-
-    export SXMO_SWAY_SCALE=1.5
-    export SXMO_ROTATION_GRAVITY=12800
-
-    export DEFAULT_COUNTRY=US
-    export BROWSER=librewolf
-
-    export SXMO_BG_IMG="$(xdg_data_path sxmo/background.jpg)"
-  '';
 }

hosts/by-name/servo/services/default.nix

@@ -7,6 +7,7 @@
     ./email
     ./ejabberd.nix
     ./freshrss.nix
+    ./ftp
     ./gitea.nix
     ./goaccess.nix
     ./ipfs.nix
@@ -17,6 +18,7 @@
     ./lemmy.nix
     ./matrix
     ./navidrome.nix
+    ./nfs.nix
     ./nixserve.nix
     ./nginx.nix
     ./pict-rs.nix

hosts/by-name/servo/services/ftp/default.nix

@@ -0,0 +1,70 @@
+# docs:
+# - <https://github.com/drakkan/sftpgo>
+# - config options: <https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md>
+# - config defaults: <https://github.com/drakkan/sftpgo/blob/main/sftpgo.json>
+# - nixos options: <repo:nixos/nixpkgs:nixos/modules/services/web-apps/sftpgo.nix>
+#
+# sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
+
+
+{ lib, pkgs, sane-lib, ... }:
+let
+  authProgram = pkgs.static-nix-shell.mkBash {
+    pname = "sftpgo_external_auth_hook";
+    src = ./.;
+  };
+in
+{
+  # Client initiates a FTP "control connection" on port 21.
+  # - this handles the client -> server commands, and the server -> client status, but not the actual data
+  # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
+  # - 50000-50100 is a common port range for this.
+  sane.ports.ports = {
+    "21" = {
+      protocol = [ "tcp" ];
+      visibleTo.lan = true;
+      description = "colin-FTP server";
+    };
+  } // (sane-lib.mapToAttrs
+    (port: {
+      name = builtins.toString port;
+      value = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        description = "colin-FTP server data port range";
+      };
+    })
+    (lib.range 50000 50100)
+  );
+
+  services.sftpgo = {
+    enable = true;
+    settings = {
+      ftpd = {
+        bindings = [{
+          address = "10.0.10.5";
+          port = 21;
+          debug = true;
+        }];
+
+        # active mode is susceptible to "bounce attacks", without much benefit over passive mode
+        disable_active_mode = true;
+        hash_support = true;
+        passive_port_range = {
+          start = 50000;
+          end = 50100;
+        };
+
+        banner = ''
+          Welcome, friends, to Colin's read-only FTP server! Also available via NFS on the same host.
+          Please let me know if anything's broken or not as it should be. Otherwise, browse and DL freely :)
+        '';
+
+      };
+      data_provider = {
+        driver = "memory";
+        external_auth_hook = "${authProgram}/bin/sftpgo_external_auth_hook";
+      };
+    };
+  };
+}

hosts/by-name/servo/services/ftp/sftpgo_external_auth_hook

@@ -0,0 +1,55 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
+# vim: set filetype=bash :
+#
+# available environment variables:
+# - SFTPGO_AUTHD_USERNAME
+# - SFTPGO_AUTHD_USER
+# - SFTPGO_AUTHD_IP
+# - SFTPGO_AUTHD_PROTOCOL  = { "DAV", "FTP", "HTTP", "SSH" }
+# - SFTPGO_AUTHD_PASSWORD
+# - SFTPGO_AUTHD_PUBLIC_KEY
+# - SFTPGO_AUTHD_KEYBOARD_INTERACTIVE
+# - SFTPGO_AUTHD_TLS_CERT
+#
+# user permissions:
+# - see <repo:drakkan/sftpgo:internal/dataprovider/user.go>
+# - "*" = grant all permissions
+# - read-only perms:
+#   - "list" = list files and directories
+#   - "download"
+# - rw perms:
+#   - "upload"
+#   - "overwrite" = allow uploads to replace existing files
+#   - "delete" = delete files and directories
+#     - "delete_files"
+#     - "delete_dirs"
+#   - "rename" = rename files and directories
+#     - "rename_files"
+#     - "rename_dirs"
+#   - "create_dirs"
+#   - "create_symlinks"
+#   - "chmod"
+#   - "chown"
+#   - "chtimes" = change atime/mtime (access and modification times)
+#
+# home_dir:
+# - it seems (empirically) that a user can't cd above their home directory.
+#   though i don't have a reference for that in the docs.
+# TODO: don't reuse /var/nfs/export here. formalize this some other way.
+
+
+if [ "$SFTPGO_AUTHD_USERNAME" = "anonymous" ]; then
+  echo '{'
+  echo '  "status":1,'
+  echo '  "username":"anonymous","expiration_date":0,'
+  echo '  "home_dir":"/var/nfs/export","uid":65534,"gid":65534,"max_sessions":0,"quota_size":0,"quota_files":100000,'
+  echo '  "permissions":{'
+  echo '    "/":["list", "download"]'
+  echo '  },'
+  echo '  "upload_bandwidth":0,"download_bandwidth":0,'
+  echo '  "filters":{"allowed_ip":[],"denied_ip":[]},"public_keys":[]'
+  echo '}'
+else
+  echo '{"username":""}'
+fi

hosts/by-name/servo/services/jackett.nix

@@ -24,6 +24,7 @@
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9117";
       proxyPass = "http://10.0.1.6:9117";
+      recommendedProxySettings = true;
     };
   };
 

hosts/by-name/servo/services/lemmy.nix

@@ -14,8 +14,8 @@ in {
   services.lemmy = {
     enable = true;
     settings.hostname = "lemmy.uninsane.org";
-    settings.federation.enabled = true;
     # federation.debug forces outbound federation queries to be run synchronously
+    # N.B.: this option might not be read for 0.17.0+? <https://github.com/LemmyNet/lemmy/blob/c32585b03429f0f76d1e4ff738786321a0a9df98/RELEASES.md#upgrade-instructions>
     # settings.federation.debug = true;
     settings.port = backendPort;
     ui.port = uiPort;
@@ -32,6 +32,7 @@ in {
   systemd.services.lemmy.environment = {
     RUST_BACKTRACE = "full";
     # RUST_LOG = "debug";
+    # RUST_LOG = "trace";
     # upstream defaults LEMMY_DATABASE_URL = "postgres:///lemmy?host=/run/postgresql";
     # - Postgres complains that we didn't specify a user
     # lemmy formats the url as:

hosts/by-name/servo/services/matrix/irc.nix

@@ -5,12 +5,11 @@
 { config, lib, ... }:
 
 let
-  ircServer = { name, additionalAddresses ? [], sasl ? true }: let
+  ircServer = { name, additionalAddresses ? [], sasl ? true, port ? 6697 }: let
     lowerName = lib.toLower name;
   in {
     # XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
-    inherit name additionalAddresses sasl;
-    port = 6697;
+    inherit name additionalAddresses sasl port;
     ssl = true;
     botConfig = {
       # bot has no presence in IRC channel; only real Matrix users
@@ -108,6 +107,12 @@ in
     { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; directory = "/var/lib/matrix-appservice-irc"; }
   ];
 
+  # XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,
+  # which requires matrix-appservice-irc to be of that group
+  users.users.matrix-appservice-irc.extraGroups = [ "matrix-synapse" ];
+  # weird race conditions around registration.yml mean we want matrix-synapse to be of matrix-appservice-irc group too.
+  users.users.matrix-synapse.extraGroups = [ "matrix-appservice-irc" ];
+
   services.matrix-synapse.settings.app_service_config_files = [
     "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
   ];
@@ -145,6 +150,7 @@ in
         };
         "irc.oftc.net" = ircServer {
           name = "oftc";
+          sasl = false;
           # notable channels:
           # - #sxmo
           # - #sxmo-offtopic
@@ -153,4 +159,10 @@ in
       };
     };
   };
+
+  systemd.services.matrix-appservice-irc.serviceConfig = {
+    # XXX 2023/06/20: nixos specifies this + @aio and @memlock as forbidden
+    # the service actively uses at least one of these, and both of them are fairly innocuous
+    SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @setuid @swap";
+  };
 }

hosts/by-name/servo/services/nfs.nix

@@ -0,0 +1,67 @@
+# docs:
+# - <https://nixos.wiki/wiki/NFS>
+# - <https://wiki.gentoo.org/wiki/Nfs-utils>
+
+{ ... }:
+{
+  services.nfs.server.enable = true;
+
+  # see which ports NFS uses with:
+  # - `rpcinfo -p`
+  sane.ports.ports."111" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server portmapper";
+  };
+  sane.ports.ports."2049" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    description = "NFS server";
+  };
+  sane.ports.ports."4000" = {
+    protocol = [ "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server status daemon";
+  };
+  sane.ports.ports."4001" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server lock daemon";
+  };
+  sane.ports.ports."4002" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server mount daemon";
+  };
+
+  # NFS4 allows these to float, but NFS3 mandates specific ports, so fix them for backwards compat.
+  services.nfs.server.lockdPort = 4001;
+  services.nfs.server.mountdPort = 4002;
+  services.nfs.server.statdPort = 4000;
+
+  # format:
+  #   fspoint	visibility(options)
+  # options:
+  # - see: <https://wiki.gentoo.org/wiki/Nfs-utils#Exports>
+  # - see [man 5 exports](https://linux.die.net/man/5/exports)
+  # - insecure:  require clients use src port > 1024
+  # - rw, ro (default)
+  # - async, sync (default)
+  # - no_subtree_check (default), subtree_check: verify not just that files requested by the client live
+  #     in the expected fs, but also that they live under whatever subdirectory of that fs is exported.
+  # - no_root_squash, root_squash (default): map requests from uid 0 to user `nobody`.
+  # - crossmnt:  reveal filesystems that are mounted under this endpoint
+  # - fsid:  must be zero for the root export
+  # - mountpoint[=/path]:  only export the directory if it's a mountpoint. used to avoid exporting failed mounts.
+  #
+  # 10.0.0.0/8 to export (readonly) both to LAN (unencrypted) and wg vpn (encrypted)
+  services.nfs.server.exports = ''
+    /var/nfs/export 10.78.79.0/22(ro,crossmnt,fsid=0,subtree_check) 10.0.10.0/24(rw,no_root_squash,crossmnt,fsid=0,subtree_check)
+  '';
+
+  fileSystems."/var/nfs/export/media" = {
+    # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
+    device = "/var/lib/uninsane/media";
+    options = [ "rbind" ];
+  };
+}

hosts/common/default.nix

@@ -13,7 +13,7 @@
     ./programs
     ./secrets.nix
     ./ssh.nix
-    ./users.nix
+    ./users
     ./vpn.nix
   ];
 
@@ -71,19 +71,6 @@
   # disable non-required packages like nano, perl, rsync, strace
   environment.defaultPackages = [];
 
-  # programs.vim.defaultEditor = true;
-  environment.variables = {
-    EDITOR = "vim";
-    # git claims it should use EDITOR, but it doesn't!
-    GIT_EDITOR = "vim";
-    # TODO: these should be moved to `home.sessionVariables` (home-manager)
-    # Electron apps should use native wayland backend:
-    #   https://nixos.wiki/wiki/Slack#Wayland
-    # Discord under sway crashes with this.
-    # NIXOS_OZONE_WL = "1";
-    # LIBGL_ALWAYS_SOFTWARE = "1";
-  };
-
   # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
   # find keys/values with `dconf dump /`
   programs.dconf.enable = true;

hosts/common/feeds.nix

@@ -1,3 +1,6 @@
+# where to find good stuff?
+# - podcast rec thread: <https://lemmy.ml/post/1565858>
+#
 # candidates:
 # - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
 #   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
@@ -79,12 +82,14 @@ let
     (fromDb "feeds.transistor.fm/acquired" // tech)
     ## ACQ2 - more "Acquired" episodes
     (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)
-    # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
-    (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
+    # The Intercept - Deconstructed
+    (fromDb "rss.acast.com/deconstructed")
+    # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
     ## The Daily
     (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
-    # The Intercept - Intercepted; also available: <https://rss.acast.com/intercepted-with-jeremy-scahill>
-    (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)
+    # The Intercept - Intercepted
+    (fromDb "rss.acast.com/intercepted-with-jeremy-scahill")
+    # (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)  #< possible URL rot
     (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
     ## Eric Weinstein
     (fromDb "rss.art19.com/the-portal" // rat)
@@ -102,6 +107,8 @@ let
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)
     ## Matrix (chat) Live
     (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
+    (fromDb "cast.postmarketos.org" // tech)
+    (fromDb "podcast.thelinuxexp.com" // tech)
     ## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     (fromDb "rss.art19.com/your-welcome" // pol)
     (fromDb "seattlenice.buzzsprout.com" // pol)

hosts/common/fs.nix

@@ -1,72 +1,131 @@
-{ pkgs, ... }:
+# docs
+# - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
 
-let sshOpts = rec {
-  fsType = "fuse.sshfs";
-  optionsBase = [
-    "x-systemd.automount"
+{ pkgs, sane-lib, ... }:
+
+let fsOpts = rec {
+  common = [
     "_netdev"
+    "noatime"
+    "x-systemd.requires=network-online.target"
+    "x-systemd.after=network-online.target"
+    "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
+  ];
+  auto = [ "x-systemd.automount" ];
+  noauto = [ "noauto" ];  # don't mount as part of remote-fs.target
+  wg = [
+    "x-systemd.requires=wireguard-wg-home.service"
+    "x-systemd.after=wireguard-wg-home.service"
+  ];
+
+  ssh = common ++ [
     "user"
     "identityfile=/home/colin/.ssh/id_ed25519"
     "allow_other"
     "default_permissions"
   ];
-  optionsColin = optionsBase ++ [
+  sshColin = ssh ++ [
     "transform_symlinks"
     "idmap=user"
     "uid=1000"
     "gid=100"
   ];
-
-  optionsRoot = optionsBase ++ [
+  sshRoot = ssh ++ [
     # we don't transform_symlinks because that breaks the validity of remote /nix stores
     "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
   ];
+  # in the event of hunt NFS mounts, consider:
+  # - <https://unix.stackexchange.com/questions/31979/stop-broken-nfs-mounts-from-locking-a-directory>
+
+  # NFS options: <https://linux.die.net/man/5/nfs>
+  # actimeo=n  = how long (in seconds) to cache file/dir attributes (default: 3-60s)
+  # bg         = retry failed mounts in the background
+  # retry=n    = for how many minutes `mount` will retry NFS mount operation
+  # soft       = on "major timeout", report I/O error to userspace
+  # retrans=n  = how many times to retry a NFS request before giving userspace a "server not responding" error (default: 3)
+  # timeo=n    = number of *deciseconds* to wait for a response before retrying it (default: 600)
+  #              note: client uses a linear backup, so the second request will have double this timeout, then triple, etc.
+  nfs = common ++ [
+    # "actimeo=10"
+    "bg"
+    "retrans=4"
+    "retry=0"
+    "soft"
+    "timeo=15"
+    "nofail"  # don't fail remote-fs.target when this mount fails  (not an option for sshfs else would be common)
+  ];
 };
 in
 {
+  # fileSystems."/mnt/servo-nfs" = {
+  #   device = "servo-hn:/";
+  #   noCheck = true;
+  #   fsType = "nfs";
+  #   options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+  # };
+  fileSystems."/mnt/servo-nfs/media" = {
+    device = "servo-hn:/media";
+    noCheck = true;
+    fsType = "nfs";
+    options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+  };
+  # fileSystems."/mnt/servo-media-nfs" = {
+  #   device = "servo-hn:/media";
+  #   noCheck = true;
+  #   fsType = "nfs";
+  #   options = fsOpts.common ++ fsOpts.auto;
+  # };
+  sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
+
+  fileSystems."/mnt/servo-media-wan" = {
+    device = "colin@uninsane.org:/var/lib/uninsane/media";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshColin ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/servo-media-wan" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/servo-media-lan" = {
+    device = "colin@servo:/var/lib/uninsane/media";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshColin ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/servo-media-lan" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/servo-root-wan" = {
+    device = "colin@uninsane.org:/";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshRoot ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/servo-root-wan" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/servo-root-lan" = {
+    device = "colin@servo:/";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshRoot ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/servo-root-lan" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/desko-home" = {
+    device = "colin@desko:/home/colin";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshColin ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/desko-home" = sane-lib.fs.wantedDir;
+  fileSystems."/mnt/desko-root" = {
+    device = "colin@desko:/";
+    fsType = "fuse.sshfs";
+    options = fsOpts.sshRoot ++ fsOpts.noauto;
+    noCheck = true;
+  };
+  sane.fs."/mnt/desko-root" = sane-lib.fs.wantedDir;
+
   environment.pathsToLink = [
     # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
     # we can only link whole directories here, even though we're only interested in pkgs.openssh
     "/libexec"
   ];
 
-  fileSystems."/mnt/servo-media-wan" = {
-    device = "colin@uninsane.org:/var/lib/uninsane/media";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsColin;
-    noCheck = true;
-  };
-  fileSystems."/mnt/servo-media-lan" = {
-    device = "colin@servo:/var/lib/uninsane/media";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsColin;
-    noCheck = true;
-  };
-  fileSystems."/mnt/servo-root-wan" = {
-    device = "colin@uninsane.org:/";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsRoot;
-    noCheck = true;
-  };
-  fileSystems."/mnt/servo-root-lan" = {
-    device = "colin@servo:/";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsRoot;
-    noCheck = true;
-  };
-  fileSystems."/mnt/desko-home" = {
-    device = "colin@desko:/home/colin";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsColin;
-    noCheck = true;
-  };
-  fileSystems."/mnt/desko-root" = {
-    device = "colin@desko:/";
-    inherit (sshOpts) fsType;
-    options = sshOpts.optionsRoot;
-    noCheck = true;
-  };
-
   environment.systemPackages = [
     pkgs.sshfs-fuse
   ];

hosts/common/ids.nix

@@ -40,6 +40,8 @@
   sane.ids.lemmy.gid = 2408;
   sane.ids.pict-rs.uid = 2409;
   sane.ids.pict-rs.gid = 2409;
+  sane.ids.sftpgo.uid = 2410;
+  sane.ids.sftpgo.gid = 2410;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/nix-path/default.nix

@@ -5,6 +5,9 @@
   nix.nixPath = [
     "nixpkgs=${pkgs.path}"
     # note the import starts at repo root: this allows `./overlay/default.nix` to access the stuff at the root
-    "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
+    # "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
+    # as long as my system itself doesn't rely on NIXPKGS at runtime, we can point the overlays to git
+    # to avoid switching so much during development
+    "nixpkgs-overlays=/home/colin/dev/nixos/hosts/common/nix-path/overlay"
   ];
 }

hosts/common/programs/assorted.nix

@@ -43,6 +43,7 @@ let
       lsof
       miniupnpc
       nano
+      neovim
       netcat
       nethogs
       nmap
@@ -85,6 +86,7 @@ let
     inherit (pkgs)
       aerc  # email client
       offlineimap  # email mailox sync
+      sfeed  # RSS fetcher
       visidata  # TUI spreadsheet viewer/editor
       w3m
     ;
@@ -106,24 +108,24 @@ let
   consolePkgs = {
     inherit (pkgs)
       alsaUtils  # for aplay, speaker-test
-      cdrtools
+      # cdrtools
       clinfo
       dmidecode
       efivar
-      flashrom
+      # flashrom
       fwupd
       gh  # MS GitHub cli
       git  # needed as a user package, for config.
-      gnupg
-      gocryptfs
-      gopass  # TODO: shouldn't be needed here
-      gopass-jsonapi
+      # gnupg
+      # gocryptfs
+      # gopass
+      # gopass-jsonapi
       kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libsecret  # for managing user keyrings
-      lm_sensors  # for sensors-detect
+      libsecret  # for managing user keyrings. TODO: what needs this? lift into the consumer
+      lm_sensors  # for sensors-detect. TODO: what needs this? lift into the consumer
       lshw
       # memtester
-      neovim
+      neovim  # needed as a user package, for swap persistence
       # nettools
       # networkmanager
       nixpkgs-review
@@ -156,6 +158,7 @@ let
   guiPkgs = {
     inherit (flattenedPkgs)
       # celluloid  # mpv frontend
+      cozy  # audiobook player
       # emote
       evince  # works on phosh
 
@@ -181,7 +184,10 @@ let
       gpodder
       gthumb
       jellyfin-media-player
+      komikku
+      koreader
       # lollypop
+      mepo  # maps viewer
       # mpv
       # networkmanagerapplet
       # newsflash
@@ -193,6 +199,7 @@ let
       # sublime-music
       # tdesktop  # broken on phosh
       # tokodon
+      tuba  # mastodon/pleroma client (stores pw in keyring)
       vlc
       # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
       # whalebird

hosts/common/programs/cozy.nix

@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  sane.programs.cozy = {
+    # cozy uses a sqlite db for its config and exposes no CLI options other than --help and --debug
+    persist.plaintext = [
+      ".local/share/cozy"  # sqlite db (config & index?)
+      ".cache/cozy"  # offline cache
+    ];
+  };
+}

hosts/common/programs/default.nix

@@ -4,18 +4,23 @@
   imports = [
     ./aerc.nix
     ./assorted.nix
+    ./cozy.nix
     ./git.nix
     ./gnome-feeds.nix
     ./gpodder.nix
     ./imagemagick.nix
     ./jellyfin-media-player.nix
     ./kitty
+    ./komikku.nix
+    ./koreader
     ./libreoffice.nix
+    ./mepo.nix
     ./mpv.nix
     ./neovim.nix
     ./newsflash.nix
     ./offlineimap.nix
     ./ripgrep.nix
+    ./sfeed.nix
     ./splatmoji.nix
     ./steam.nix
     ./sublime-music.nix

hosts/common/programs/git.nix

@@ -11,7 +11,13 @@ in
     user.name = "Colin";
     user.email = "colin@uninsane.org";
 
-    alias.co = "checkout";
+    alias.co      = "checkout";
+    alias.cp      = "cherry-pick";
+    alias.d       = "difftool";
+    alias.difsum  = "diff --compact-summary";  #< show only the list of files which changed, not contents
+    alias.rb      = "rebase";
+    alias.st      = "status";
+    alias.stat    = "status";
 
     # difftastic docs:
     # - <https://difftastic.wilfred.me.uk/git.html>
@@ -22,5 +28,7 @@ in
 
     # render dates as YYYY-MM-DD HH:MM:SS +TZ
     log.date = "iso";
+
+    stash.showPatch = true;
   };
 }

hosts/common/programs/gpodder.nix

@@ -7,7 +7,8 @@ let
   wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
 in {
   sane.programs.gpodder = {
-    package = pkgs.gpodder-configured;
+    package = pkgs.gpodder-adaptive-configured;
+    # package = pkgs.gpodder-configured;
     fs.".config/gpodderFeeds.opml".symlink.text = feeds.feedsToOpml wanted-feeds;
 
     # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads

hosts/common/programs/komikku.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  sane.programs.komikku = {
+    secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
+    # downloads end up here, and without the toplevel database komikku doesn't know they exist.
+    persist.plaintext = [ ".local/share/komikku" ];
+  };
+}

hosts/common/programs/koreader/2-colin-NetworkManager-isConnected.lua

@@ -0,0 +1,42 @@
+-- as of 2023.05.1, koreader FTP browser always fails to load.
+-- it's convinced that it's offline, and asks to connect to wifi.
+-- this seems to be because of the following in <frontend/device/sdl/device.lua>:
+--
+-- function Device:initNetworkManager(NetworkMgr)
+--     function NetworkMgr:isWifiOn() return true end
+--     function NetworkMgr:isConnected()
+--         -- Pull the default gateway first, so we don't even try to ping anything if there isn't one...
+--         local default_gw = Device:getDefaultRoute()
+--         if not default_gw then
+--             return false
+--         end
+--         return 0 == os.execute("ping -c1 -w2 " .. default_gw .. " > /dev/null")
+--     end
+-- end
+--
+-- specifically, `os.execute` is not *expected* to return 0. it returns `true` on success:
+-- <https://www.lua.org/manual/5.3/manual.html#pdf-os.execute>
+-- this apparently changed from 5.1 -> 5.2
+--
+-- XXX: this same bug likely applies to `isCommand` and `runCommand` in <frontend/device/sdl/device.lua>
+-- - that would manifest as wikipedia links failing to open in external application (xdg-open)
+
+local logger = require("logger")
+logger.info("applying colin patch")
+
+local Device = require("device")
+logger.info("Device:" .. tostring(Device))
+
+local orig_initNetworkManager = Device.initNetworkManager
+Device.initNetworkManager = function(self, NetworkMgr)
+  logger.info("Device:initNetworkManager")
+  orig_initNetworkManager(self, NetworkMgr)
+  function NetworkMgr:isConnected()
+    logger.info("mocked `NetworkMgr:isConnected` to return true")
+    return true
+    -- unpatch to show that the boolean form works
+    -- local rc = os.execute("ping -c1 -w2 10.78.79.1 > /dev/null")
+    -- logger.info("ping rc: " .. tostring(rc))
+    -- return rc
+  end
+end

hosts/common/programs/koreader/default.nix

@@ -0,0 +1,46 @@
+{ config, lib, sane-lib, ... }:
+
+let
+  feeds = sane-lib.feeds;
+  allFeeds = config.sane.feeds;
+  wantedFeeds = feeds.filterByFormat [ "image" "text" ] allFeeds;
+  koreaderRssEntries = builtins.map (feed:
+    # format:
+    # { "<rss/atom url>", limit = <int>, download_full_article=<bool>, include_images=<bool>, enable_filter=<bool>, filter_element = "<css selector>"},
+    # limit = 0                    => download and keep *all* articles
+    # download_full_article = true => populate feed by downloading the webpage -- not just what's encoded in the RSS <article> tags
+    # - use this for articles where the RSS only encodes content previews
+    # enable_filter         = true => only render content that matches the filter_element css selector.
+    let fields = [
+      (lib.escapeShellArg feed.url)
+      "limit = 5"
+      "download_full_article = false"
+      "include_images = true"
+      "enable_filter = false"
+      "filter_element = \"\""
+    ]; in "{ ${lib.concatStringsSep ", " fields } }"
+  ) wantedFeeds;
+in {
+  sane.programs.koreader = {
+    # koreader applies these lua "patches" at boot:
+    # - <https://github.com/koreader/koreader/wiki/User-patches>
+    # - TODO: upstream this patch to koreader
+    # fs.".config/koreader/patches".symlink.target = "${./.}";
+    fs.".config/koreader/patches/2-colin-NetworkManager-isConnected.lua".symlink.target = "${./2-colin-NetworkManager-isConnected.lua}";
+
+    # koreader news plugin, enabled by default. file format described here:
+    # - <repo:koreader/koreader:plugins/newsdownloader.koplugin/feed_config.lua>
+    fs.".config/koreader/news/feed_config.lua".symlink.text = ''
+      return {--do NOT change this line
+        ${lib.concatStringsSep ",\n  " koreaderRssEntries}
+      }--do NOT change this line
+    '';
+
+    # koreader on aarch64 errors if there's no fonts directory (sandboxing thing, i guess)
+    fs.".local/share/fonts".dir = {};
+
+    # history, cache, dictionaries...
+    # could be more explicit if i symlinked the history.lua file to somewhere it can persist better.
+    persist.plaintext = [ ".config/koreader" ];
+  };
+}

hosts/common/programs/mepo.nix

@@ -0,0 +1,18 @@
+# docs: <https://git.sr.ht/~mil/mepo>
+# irc #mepo:irc.oftc.net
+{ config, lib, ... }:
+
+{
+  sane.programs.mepo = {
+    persist.plaintext = [ ".cache/mepo/tiles" ];
+    # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
+    persist.private = [ ".cache/mepo/savestate" ];
+  };
+
+  programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
+    # enable location services (via geoclue)
+    enable = true;
+    # more precise, via gpsd ("may require additional config")
+    # programs.mepo.gpsd.enable = true
+  };
+}

hosts/common/programs/neovim.nix

@@ -5,30 +5,11 @@ let
   inherit (lib) concatMapStrings mkIf optionalString;
   # this structure roughly mirrors home-manager's `programs.neovim.plugins` option
   plugins = with pkgs.vimPlugins; [
-    # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
-    # docs: vim-surround: https://github.com/tpope/vim-surround
-    { plugin = vim-surround; }
-    # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
-    { plugin = fzf-vim; }
-    ({
-      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
-      plugin = tex-conceal-vim;
-      type = "viml";
-      config = ''
-        " present prettier fractions
-        let g:tex_conceal_frac=1
-      '';
-    })
-    ({
-      plugin = vim-SyntaxRange;
-      type = "viml";
-      config = ''
-        " enable markdown-style codeblock highlighting for tex code
-        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
-        " autocmd Syntax tex set conceallevel=2
-      '';
-    })
-    ({
+    {
+      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
+      plugin = fzf-vim;
+    }
+    {
       # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
       # docs: https://github.com/nvim-treesitter/nvim-treesitter
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
@@ -64,7 +45,35 @@ let
         vim.o.foldmethod = 'expr'
         vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
       '';
-    })
+    }
+    {
+      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
+      plugin = tex-conceal-vim;
+      type = "viml";
+      config = ''
+        " present prettier fractions
+        let g:tex_conceal_frac=1
+      '';
+    }
+    {
+      # source: <https://github.com/LnL7/vim-nix>
+      # fixes auto-indent (incl tab size) when editing .nix files
+      plugin = vim-nix;
+    }
+    {
+      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
+      # docs: vim-surround: https://github.com/tpope/vim-surround
+      plugin = vim-surround;
+    }
+    {
+      plugin = vim-SyntaxRange;
+      type = "viml";
+      config = ''
+        " enable markdown-style codeblock highlighting for tex code
+        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
+        " autocmd Syntax tex set conceallevel=2
+      '';
+    }
   ];
   plugin-packages = map (p: p.plugin) plugins;
   plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
@@ -72,7 +81,12 @@ let
 in
 {
   # private because there could be sensitive things in the swap
-  sane.programs.neovim.persist.private = [ ".cache/vim-swap" ];
+  sane.programs.neovim = {
+    persist.private = [ ".cache/vim-swap" ];
+    env.EDITOR = "vim";
+    # git claims it should use EDITOR, but it doesn't!
+    env.GIT_EDITOR = "vim";
+  };
 
   programs.neovim = mkIf config.sane.programs.neovim.enabled {
     # neovim: https://github.com/neovim/neovim

hosts/common/programs/sfeed.nix

@@ -0,0 +1,28 @@
+# simple RSS and Atom parser
+# - <https://codemadness.org/sfeed-simple-feed-parser.html>
+# - used by sxmo
+# - man 5 sfeedrc
+#
+# call `sfeed_update` to query each feed and populate entries in ~/.sfeed/feeds
+{ lib, config, sane-lib, ... }:
+let
+  feeds = sane-lib.feeds;
+  allFeeds = config.sane.feeds;
+  wantedFeeds = feeds.filterByFormat ["text"] allFeeds;
+  sfeedEntries = builtins.map (feed:
+    # format:
+    # feed <name> <feedurl> [basesiteurl] [encoding]
+    lib.escapeShellArgs [ "feed" (if feed.title != null then feed.title else feed.url) feed.url ]
+  ) wantedFeeds;
+in {
+  sane.programs.sfeed = {
+    fs.".sfeed/sfeedrc".symlink.text = ''
+      feeds() {
+        ${lib.concatStringsSep "\n  " sfeedEntries}
+      }
+    '';
+
+    # this is where the parsed feed items go
+    persist.plaintext = [ ".sfeed/feeds" ];
+  };
+}

hosts/common/programs/web-browser.nix

@@ -13,17 +13,15 @@ let
   # allow easy switching between firefox and librewolf with `defaultSettings`, below
   librewolfSettings = {
     browser = pkgs.librewolf-unwrapped;
-    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
-    #   # this allows side-loading unsigned addons
-    #   MOZ_REQUIRE_SIGNING = false;
-    # });
+    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ pkgs.librewolf-pmos-mobile.extraPrefsFiles;
     libName = "librewolf";
     dotDir = ".librewolf";
-    cacheDir = ".cache/librewolf";  # TODO: is it?
+    cacheDir = ".cache/librewolf";
     desktop = "librewolf.desktop";
   };
   firefoxSettings = {
     browser = pkgs.firefox-esr-unwrapped;
+    extraPrefsFiles = pkgs.firefox-pmos-mobile.extraPrefsFiles;
     libName = "firefox";
     dotDir = ".mozilla/firefox";
     cacheDir = ".cache/mozilla";
@@ -47,8 +45,7 @@ let
   package = pkgs.wrapFirefox cfg.browser.browser {
     # inherit the default librewolf.cfg
     # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-    inherit (cfg.browser) libName;
+    inherit (cfg.browser) extraPrefsFiles libName;
 
     extraNativeMessagingHosts = optional cfg.addons.browserpass-extension.enable pkgs.browserpass;
     # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
@@ -72,7 +69,10 @@ let
       };
       UserMessaging = {
         ExtensionRecommendations = false;
+        FeatureRecommendations = false;
         SkipOnboarding = true;
+        UrlbarInterventions = false;
+        WhatsNew = false;
       };
 
       # these were taken from Librewolf
@@ -162,8 +162,9 @@ in
         # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
         # bypass-paywalls-clean.enable = lib.mkDefault true;
 
+        # TODO: give these update scripts, make them reachable via `pkgs`
         ether-metamask = {
-          package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
+          package = addon "ether-metamask" "webextension@metamask.io" "sha256-UI83wUUc33OlQYX+olgujeppoo2D2PAUJ+Wma5mH2O0=";
           enable = lib.mkDefault true;
         };
         i2p-in-private-browsing = {
@@ -175,15 +176,15 @@ in
           enable = lib.mkDefault true;
         };
         sponsorblock = {
-          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
+          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-b/OTFmhSEUZ/CYrYCE4rHVMQmY+Y78k8jSGMoR8vsZA=";
           enable = lib.mkDefault true;
         };
         ublacklist = {
-          package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
+          package = addon "ublacklist" "@ublacklist" "sha256-NZ2FmgJiYnH7j2Lkn0wOembxaEphmUuUk0Ytmb0rNWo=";
           enable = lib.mkDefault true;
         };
         ublock-origin = {
-          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
+          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-EGGAA+cLUow/F5luNzFG055rFfd3rEyh8hTaL/23pbM=";
           enable = lib.mkDefault true;
         };
       };
@@ -210,6 +211,7 @@ in
            }
           }
         '';
+        # TODO: this is better suited in `extraPrefs` during `wrapFirefox` call
         fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg".symlink.text = ''
           // if we can't query the revocation status of a SSL cert because the issuer is offline,
           // treat it as unrevoked.

hosts/common/programs/zsh/default.nix

@@ -159,8 +159,8 @@ in
       };
 
       # enable a command-not-found hook to show nix packages that might provide the binary typed.
-      programs.nix-index.enable = true;
-      programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+      # programs.nix-index.enable = true;
+      # programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
     })
   ];
 }

hosts/common/secrets.nix

@@ -63,6 +63,7 @@ in
       "jackett_apikey".owner = config.users.users.colin.name;
       "mx-sanebot-env".owner = config.users.users.colin.name;
       "snippets".owner = config.users.users.colin.name;
+      "transmission_passwd".owner = config.users.users.colin.name;
     }
   ];
 }

hosts/common/ssh.nix

@@ -1,7 +1,7 @@
 { config, lib, sane-data, sane-lib, ... }:
 
 let
-  inherit (builtins) head map mapAttrs tail;
+  inherit (builtins) attrValues head map mapAttrs tail;
   inherit (lib) concatStringsSep mkMerge reverseList;
 in
 {
@@ -18,11 +18,21 @@ in
 
     # [{ path :: [String], value :: String }] for the keys we want to install
     globalKeys = sane-lib.flattenAttrs sane-data.keys;
+
+    keysForHost = hostCfg: sane-lib.mapToAttrs
+      (name: {
+        inherit name;
+        value = {
+          colin = hostCfg.ssh.user_pubkey;
+          root = hostCfg.ssh.host_pubkey;
+        };
+      })
+      hostCfg.names
+    ;
     domainKeys = sane-lib.flattenAttrs (
-      mapAttrs (host: cfg: {
-        colin = cfg.ssh.user_pubkey;
-        root = cfg.ssh.host_pubkey;
-      }) config.sane.hosts.by-name
+      sane-lib.joinAttrsets (
+        map keysForHost (builtins.attrValues config.sane.hosts.by-name)
+      )
     );
   in mkMerge (map
     ({ path, value }: {

hosts/common/users.nix

@@ -1,133 +0,0 @@
-{ config, pkgs, lib, sane-lib, ... }:
-
-# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
-with lib;
-let
-  cfg = config.sane.guest;
-  fs = sane-lib.fs;
-in
-{
-  options = {
-    sane.guest.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = {
-    # Users are exactly these specified here;
-    # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
-    users.mutableUsers = false;
-
-    # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
-    users.users.colin = {
-      # sets group to "users" (?)
-      isNormalUser = true;
-      home = "/home/colin";
-      createHome = true;
-      homeMode = "0700";
-      # i don't get exactly what this is, but nixos defaults to this non-deterministically
-      # in /var/lib/nixos/auto-subuid-map and i don't want that.
-      subUidRanges = [
-        { startUid=100000; count=1; }
-      ];
-      group = "users";
-      extraGroups = [
-        "dialout"  # required for modem access (moby)
-        "feedbackd"
-        "input"  # for /dev/input/<xyz>: sxmo
-        "networkmanager"
-        "nixbuild"
-        "video"  # phosh/mobile. XXX colin: unsure if necessary
-        "wheel"
-        "wireshark"
-      ];
-
-      # initial password is empty, in case anything goes wrong.
-      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
-      initialPassword = lib.mkDefault "";
-      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
-
-      shell = pkgs.zsh;
-
-      # mount encrypted stuff at login
-      # some other nix pam users:
-      # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
-      # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
-      # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
-      pamMount = let
-        priv = config.fileSystems."/home/colin/private";
-      in {
-        fstype = priv.fsType;
-        path = priv.device;
-        mountpoint = priv.mountPoint;
-        options = builtins.concatStringsSep "," priv.options;
-      };
-    };
-
-    security.pam.mount.enable = true;
-
-    sane.users.colin.default = true;
-    # ensure ~ perms are known to sane.fs module.
-    # TODO: this is generic enough to be lifted up into sane.fs itself.
-    sane.fs."/home/colin".dir.acl = {
-      user = "colin";
-      group = config.users.users.colin.group;
-      mode = config.users.users.colin.homeMode;
-    };
-
-    sane.user.persist.plaintext = [
-      "archive"
-      "dev"
-      # TODO: records should be private
-      "records"
-      "ref"
-      "tmp"
-      "use"
-      "Music"
-      "Pictures"
-      "Videos"
-
-      ".cache/nix"
-      ".cache/nix-index"
-
-      # ".cargo"
-      # ".rustup"
-    ];
-
-    # convenience
-    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
-    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
-    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
-    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
-    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
-    sane.user.fs."Pictures/servo-macros" = fs.wantedSymlinkTo "/mnt/servo-media/Pictures/macros";
-
-    # used by password managers, e.g. unix `pass`
-    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
-
-    sane.persist.sys.plaintext = mkIf cfg.enable [
-      # intentionally allow other users to write to the guest folder
-      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
-    ];
-    users.users.guest = mkIf cfg.enable {
-      isNormalUser = true;
-      home = "/home/guest";
-      subUidRanges = [
-        { startUid=200000; count=1; }
-      ];
-      group = "users";
-      initialPassword = lib.mkDefault "";
-      shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = [
-        # TODO: insert pubkeys that should be allowed in
-      ];
-    };
-
-    security.sudo = {
-      enable = true;
-      wheelNeedsPassword = false;
-    };
-  };
-}

hosts/common/users/colin.nix

@@ -0,0 +1,94 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+  users.users.colin = {
+    # sets group to "users" (?)
+    isNormalUser = true;
+    home = "/home/colin";
+    createHome = true;
+    homeMode = "0700";
+    # i don't get exactly what this is, but nixos defaults to this non-deterministically
+    # in /var/lib/nixos/auto-subuid-map and i don't want that.
+    subUidRanges = [
+      { startUid=100000; count=1; }
+    ];
+    group = "users";
+    extraGroups = [
+      "dialout"  # required for modem access (moby)
+      "feedbackd"
+      "input"  # for /dev/input/<xyz>: sxmo
+      "networkmanager"
+      "nixbuild"
+      "transmission"  # servo, to admin /var/lib/uninsane/media
+      "video"  # phosh/mobile. XXX colin: unsure if necessary
+      "wheel"
+      "wireshark"
+    ];
+
+    # initial password is empty, in case anything goes wrong.
+    # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
+    initialPassword = lib.mkDefault "";
+    passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
+
+    shell = pkgs.zsh;
+
+    # mount encrypted stuff at login
+    # some other nix pam users:
+    # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
+    # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
+    # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
+    pamMount = let
+      priv = config.fileSystems."/home/colin/private";
+    in {
+      fstype = priv.fsType;
+      path = priv.device;
+      mountpoint = priv.mountPoint;
+      options = builtins.concatStringsSep "," priv.options;
+    };
+  };
+
+  security.pam.mount.enable = true;
+
+  sane.users.colin = {
+    default = true;
+    # ensure ~ perms are known to sane.fs module.
+    # TODO: this is generic enough to be lifted up into sane.fs itself.
+    fs."/".dir.acl = {
+      user = "colin";
+      group = config.users.users.colin.group;
+      mode = config.users.users.colin.homeMode;
+    };
+
+    persist.plaintext = [
+      "archive"
+      "dev"
+      # TODO: records should be private
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Music"
+      "Pictures"
+      "Videos"
+
+      ".cache/nix"
+      ".cache/nix-index"
+
+      # ".cargo"
+      # ".rustup"
+    ];
+
+    # convenience
+    fs."knowledge".symlink.target = "private/knowledge";
+    fs."nixos".symlink.target = "dev/nixos";
+    fs."Books/servo".symlink.target = "/mnt/servo-media/Books";
+    fs."Videos/servo".symlink.target = "/mnt/servo-media/Videos";
+    fs."Videos/servo-incomplete".symlink.target = "/mnt/servo-media/incomplete";
+    fs."Music/servo".symlink.target = "/mnt/servo-media/Music";
+    fs."Pictures/servo-macros".symlink.target = "/mnt/servo-media/Pictures/macros";
+
+    # used by password managers, e.g. unix `pass`
+    fs.".password-store".symlink.target = "knowledge/secrets/accounts";
+  };
+}

hosts/common/users/default.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, lib, sane-lib, ... }:
+
+{
+  imports = [
+    ./colin.nix
+    ./guest.nix
+  ];
+
+  # Users are exactly these specified here;
+  # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+  users.mutableUsers = false;
+
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+}

hosts/common/users/guest.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.sane.guest;
+in
+{
+  options = with lib; {
+    sane.guest.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.guest.authorizedKeys = mkOption {
+      default = [];
+      type = types.listOf types.str;
+      description = ''
+      list of "<key-type> <pubkey> <hostname>" keys.
+      e.g.
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko
+      '';
+    };
+  };
+
+  config = {
+    users.users.guest = lib.mkIf cfg.enable {
+      isNormalUser = true;
+      home = "/home/guest";
+      subUidRanges = [
+        { startUid=200000; count=1; }
+      ];
+      group = "users";
+      initialPassword = lib.mkDefault "";
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = cfg.authorizedKeys;
+    };
+
+    sane.persist.sys.plaintext = lib.mkIf cfg.enable [
+      # intentionally allow other users to write to the guest folder
+      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
+    ];
+  };
+}

hosts/modules/gui/sxmo.nix

@@ -63,29 +63,13 @@ in
         "sway" => layered sway greeter. behaves as if you booted to swaylock.
       '';
     };
-    sane.gui.sxmo.hooks = mkOption {
+    sane.gui.sxmo.package = mkOption {
       type = types.package;
-      default = pkgs.runCommand "sxmo-hooks" { } ''
-        mkdir -p $out
-        ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks $out/bin
-      '';
+      default = pkgs.sxmo-utils;
       description = ''
-        hooks to make visible to sxmo.
-        a hook is a script generally of the name sxmo_hook_<thing>.sh
-        which is called by sxmo at key moments to proide user programmability.
-      '';
-    };
-    sane.gui.sxmo.deviceHooks = mkOption {
-      type = types.package;
-      default = pkgs.runCommand "sxmo-device-hooks" { } ''
-        mkdir -p $out
-        ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks/unknown $out/bin
-      '';
-      description = ''
-        device-specific hooks to make visible to sxmo.
-        this package supplies things like `sxmo_hook_inputhandler.sh`.
-        a hook is a script generally of the name sxmo_hook_<thing>.sh
-        which is called by sxmo at key moments to proide user programmability.
+        sxmo base scripts and hooks collection.
+        consider overriding the outputs under /share/sxmo/default_hooks
+        to insert your own user scripts.
       '';
     };
     sane.gui.sxmo.terminal = mkOption {
@@ -108,12 +92,29 @@ in
       '';
     };
     sane.gui.sxmo.settings = mkOption {
-      type = types.attrsOf types.str;
-      default = {};
       description = ''
         environment variables used to configure sxmo.
         e.g. SXMO_UNLOCK_IDLE_TIME or SXMO_VOLUME_BUTTON.
       '';
+      type = types.submodule {
+        freeformType = types.attrsOf types.str;
+        options =
+          let
+            mkSettingsOpt = default: description: mkOption {
+              inherit default description;
+              type = types.nullOr types.str;
+            };
+          in {
+            SXMO_BAR_SHOW_BAT_PER = mkSettingsOpt "1" "show battery percentage in statusbar";
+            SXMO_UNLOCK_IDLE_TIME = mkSettingsOpt "300" "how many seconds of inactivity before locking the screen";  # lock -> screenoff happens 8s later, not configurable
+          };
+      };
+      default = {};
+    };
+    sane.gui.sxmo.noidle = mkOption {
+      type = types.bool;
+      default = false;
+      description = "inhibit lock-on-idle and screenoff-on-idle";
     };
   };
 
@@ -123,18 +124,25 @@ in
         package = null;
         suggestedPrograms = [
           "guiApps"
+          "sfeed"  # want this here so that the user's ~/.sfeed/sfeedrc gets created
         ];
       };
     }
 
+    {
+      # TODO: lift to option declaration
+      sane.gui.sxmo.settings.TERMCMD = lib.mkIf (cfg.terminal != null)
+        (lib.mkDefault (if cfg.terminal == "vte" then "vte-2.91" else cfg.terminal));
+      sane.gui.sxmo.settings.KEYBOARD = lib.mkIf (cfg.keyboard != null)
+        (lib.mkDefault (if cfg.keyboard == "wvkbd" then "wvkbd-mobintl" else cfg.keyboard));
+    }
+
     (lib.mkIf cfg.enable {
       sane.programs.sxmoApps.enableFor.user.colin = true;
 
       # some programs (e.g. fractal/nheko) **require** a "Secret Service Provider"
       services.gnome.gnome-keyring.enable = true;
 
-      # TODO: probably need to enable pipewire
-
       networking.useDHCP = false;
       networking.networkmanager.enable = true;
       networking.wireless.enable = lib.mkForce false;
@@ -146,10 +154,12 @@ in
       security.doas.enable = true;
       security.doas.wheelNeedsPassword = false;
 
-      # TODO: not all of these fonts seem to be mapped to the correct icon
+      # TODO: nerdfonts is 4GB. it accepts an option to ship only some fonts: probably want to use that.
       fonts.fonts = [ pkgs.nerdfonts ];
 
-      # i believe sxmo recomments a different audio stack
+      # sxmo has first-class support only for pulseaudio and alsa -- not pipewire.
+      # however, pipewire can emulate pulseaudio support via `services.pipewire.pulse.enable = true`
+      #   after which the stock pulseaudio binaries magically work
       # administer with pw-cli, pw-mon, pw-top commands
       services.pipewire = {
         enable = true;
@@ -160,45 +170,19 @@ in
       systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
 
       # TODO: could use `displayManager.sessionPackages`?
-      environment.systemPackages = with pkgs; [
-        bc
-        bemenu
-        bonsai
-        conky
-        gojq
-        inotify-tools
-        jq
-        libnotify
-        lisgd
-        mako
-        superd
-        sway
-        swayidle
-        sxmo-utils
-        wob
-        wvkbd
-        xdg-user-dirs
-
-        # X11 only?
-        xdotool
-
-        cfg.deviceHooks
-        cfg.hooks
+      environment.systemPackages = [
+        cfg.package
       ] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
         ++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
 
       environment.sessionVariables = {
         XDG_DATA_DIRS = [
           # TODO: only need the share/sxmo directly linked
-          "${pkgs.sxmo-utils}/share"
+          "${cfg.package}/share"
         ];
-      } // lib.optionalAttrs (cfg.terminal != null) {
-        TERMCMD = lib.mkDefault (if cfg.terminal == "vte" then "vte-2.91" else cfg.terminal);
-      } // lib.optionalAttrs (cfg.keyboard != null) {
-        KEYBOARD = lib.mkDefault (if cfg.keyboard == "wvkbd" then "wvkbd-mobintl" else cfg.keyboard);
       } // cfg.settings;
 
-      sane.user.fs.".cache/sxmo/sxmo.noidle" = sane-lib.fs.wantedText "";
+      sane.user.fs.".cache/sxmo/sxmo.noidle" = lib.mkIf cfg.noidle (sane-lib.fs.wantedText "");
 
 
       ## greeter
@@ -213,7 +197,7 @@ in
         '';
 
         displayManager.sessionPackages = with pkgs; [
-          sxmo-utils  # this gets share/wayland-sessions/swmo.desktop linked
+          cfg.package  # this gets share/wayland-sessions/swmo.desktop linked
         ];
 
         # taken from gui/phosh:
@@ -248,6 +232,15 @@ in
         in "${sway-as-greeter}/bin/sway-as-greeter";
       };
 
+      systemd.services."sxmo-set-permissions" = {
+        description = "configure specific /sys and /dev nodes to be writable by sxmo scripts";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${cfg.package}/bin/sxmo_setpermissions.sh";
+        };
+        wantedBy = [ "display-manager.service" ];
+      };
+
       sane.fs."/var/log/sway" = lib.mkIf (cfg.greeter == "sway") {
         dir.acl.mode = "0777";
         wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
@@ -260,7 +253,7 @@ in
       #   name = "sxmo";
       #   desktopNames = [ "sxmo" ];
       #   start = ''
-      #     ${pkgs.sxmo-utils}/bin/sxmo_xinit.sh &
+      #     ${cfg.package}/bin/sxmo_xinit.sh &
       #     waitPID=$!
       #   '';
       # }];
@@ -270,7 +263,7 @@ in
       #   enable = true;
       #   settings = {
       #     default_session = {
-      #       command = "${pkgs.sxmo-utils}/bin/sxmo_winit.sh";
+      #       command = "${cfg.package}/bin/sxmo_winit.sh";
       #       user = "colin";
       #     };
       #   };

hosts/modules/hostnames.nix

@@ -11,6 +11,7 @@
       name = cfg.lan-ip;
       value = [ host ];
     }) config.sane.hosts.by-name)
+
     (lib.mapAttrs' (host: cfg: {
       # -hn suffixed name for communication over my wg-home VPN.
       # hn = "home network"

hosts/modules/hosts.nix

@@ -4,8 +4,14 @@ let
   inherit (lib) attrValues filterAttrs mkMerge mkOption types;
   cfg = config.sane.hosts;
 
-  host = types.submodule ({ config, ... }: {
+  host = types.submodule ({ config, name, ... }: {
     options = {
+      names = mkOption {
+        type = types.listOf types.str;
+        description = ''
+          all names by which this host is reachable
+        '';
+      };
       ssh.user_pubkey = mkOption {
         type = types.str;
         description = ''
@@ -48,6 +54,11 @@ let
         '';
       };
     };
+
+    config = {
+      names = [ name ]
+        ++ lib.optional (config.wg-home.ip != null) "${name}-hn";
+    };
   });
 in
 {

hosts/modules/roles/build-machine.nix

@@ -32,6 +32,11 @@ in
       # serve packages to other machines that ask for them
       sane.services.nixserve.enable = true;
 
+      # each concurrent derivation realization uses a different nix build user.
+      # default is 32 build users, limiting us to that many concurrent jobs.
+      # it's nice to not be limited in that way, so increase this a bit.
+      nix.nrBuildUsers = 64;
+
       # enable cross compilation
       # TODO: do this via stdenv injection, linking into /run/binfmt the stuff in <nixpkgs:nixos/modules/system/boot/binfmt.nix>
       boot.binfmt.emulatedSystems = lib.optionals cfg.emulation [

hosts/modules/roles/dev-machine.nix

@@ -17,8 +17,8 @@ in
   config = mkMerge [
     ({
       sane.programs.docsets.config.rustPkgs = [
-        "lemmy-server"
-        "mx-sanebot"
+        # "lemmy-server"
+        # "mx-sanebot"
       ];
     })
     (mkIf cfg {

integrations/nur/default.nix

@@ -22,6 +22,7 @@
 # ^ source: <https://github.com/nix-community/nur-packages-template/blob/master/.github/workflows/build.yml#L63>
 #   N.B.: nur eval allows only PATH (inherited) and NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM="1" (forced),
 #   hence the erasing of NIX_PATH above (to remove external overlays)
+# - or do: `nix run '.#check-nur'` via the toplevel flake.nix in this repo
 #
 # if it validates here but not upstream, likely to do with different `nixpkgs` inputs.
 # - CI logs: <https://github.com/nix-community/NUR/actions/workflows/update.yml>

modules/data/feeds/sources/rss.acast.com/deconstructed/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 918085,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "A show that cuts through all the political drivel and media misinformation to give you a straight take on one big news story of the week.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 238,
+  "last_updated": "2023-06-06T16:03:38+00:00",
+  "score": 10,
+  "self_url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
+  "site_name": "",
+  "site_url": "",
+  "title": "Deconstructed",
+  "url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
+  "velocity": 0.123,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.acast.com/intercepted-with-jeremy-scahill/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1131706,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "The people behind The Intercept\u2019s fearless reporting and incisive commentary discuss the crucial issues of our time.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 261,
+  "last_updated": "2023-06-07T09:30:43+00:00",
+  "score": 10,
+  "self_url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
+  "site_name": "",
+  "site_url": "",
+  "title": "Intercepted",
+  "url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
+  "velocity": 0.111,
+  "version": "rss20"
+}

modules/data/feeds/sources/rss.prod.firstlook.media/deconstructed/podcast.rss/default.json

@@ -1,21 +0,0 @@
-{
-  "bozo": 0,
-  "content_length": 809084,
-  "content_type": "application/xml+rss; charset=utf-8",
-  "description": "A show that cuts through all the political drivel and media misinformation to give you a straight take on one big news story of the week.",
-  "favicon": null,
-  "hubs": [],
-  "is_podcast": true,
-  "is_push": false,
-  "item_count": 217,
-  "last_seen": "2023-01-11T13:40:50.240217+00:00",
-  "last_updated": "2023-01-06T10:37:50+00:00",
-  "score": 16,
-  "self_url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
-  "site_name": null,
-  "site_url": null,
-  "title": "Deconstructed",
-  "url": "https://rss.prod.firstlook.media/deconstructed/podcast.rss",
-  "velocity": 0.122,
-  "version": "rss20"
-}

modules/data/feeds/sources/rss.prod.firstlook.media/intercepted/podcast.rss/default.json

@@ -1,21 +0,0 @@
-{
-  "bozo": 0,
-  "content_length": 1034995,
-  "content_type": "application/xml+rss; charset=utf-8",
-  "description": "The people behind The Intercept’s fearless reporting and incisive commentary discuss the crucial issues of our time.",
-  "favicon": null,
-  "hubs": [],
-  "is_podcast": true,
-  "is_push": false,
-  "item_count": 243,
-  "last_seen": "2023-01-11T14:04:41.283509+00:00",
-  "last_updated": "2022-12-21T10:30:43+00:00",
-  "score": 16,
-  "self_url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
-  "site_name": null,
-  "site_url": null,
-  "title": "Intercepted",
-  "url": "https://rss.prod.firstlook.media/intercepted/podcast.rss",
-  "velocity": 0.112,
-  "version": "rss20"
-}

modules/persist/stores/crypt.nix

@@ -25,7 +25,7 @@ lib.mkIf config.sane.persist.enable
       "nosuid"
       "allow_other"
       "passfile=${key}"
-      "defaults"
+      # "defaults"  # "unknown flag: --defaults. Try 'gocryptfs -help'"
     ];
     noCheck = true;
   };

modules/persist/stores/private.nix

@@ -35,7 +35,7 @@ lib.mkIf config.sane.persist.enable
       "nodev"
       "nosuid"
       "quiet"
-      "defaults"
+      # "defaults"  # "unknown flag: --defaults. Try 'gocryptfs -help'"
     ];
     noCheck = true;
   };

modules/programs.nix

@@ -52,11 +52,17 @@ let
       };
       enableFor.user = mkOption {
         type = types.attrsOf types.bool;
-        default = joinAttrsets (mapAttrsToList (otherName: otherPkg:
-           optionalAttrs
-             (otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
-             (filterAttrs (user: en: en) otherPkg.enableFor.user)
-        ) cfg);
+        default =
+          let
+            suggestedBy = mapAttrsToList (otherName: otherPkg:
+              optionalAttrs
+                (otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
+                (filterAttrs (user: en: en) otherPkg.enableFor.user)
+            ) cfg;
+          in
+            # we can just // the attrs since each set is flat and the only value
+            # each attr can have here is `true`, never `false`
+            lib.foldl' (prev: next: prev // next) {} suggestedBy;
         description = ''
           place this program on the PATH for some specified user(s).
         '';
@@ -104,6 +110,11 @@ let
           the secret will have same owner as the user under which the program is enabled.
         '';
       };
+      env = mkOption {
+        type = types.attrsOf types.str;
+        default = {};
+        description = "environment variables to set when this program is enabled";
+      };
       configOption = mkOption {
         type = types.raw;
         default = mkOption {
@@ -131,10 +142,11 @@ let
       message = ''program "${sug}" referenced by "${name}", but not defined'';
     }) p.suggestedPrograms;
 
-    # conditionally add to system PATH
-    environment.systemPackages = optional
-      (p.package != null && p.enableFor.system)
-      p.package;
+    # conditionally add to system PATH and env
+    environment = lib.optionalAttrs p.enableFor.system {
+      systemPackages = lib.optional (p.package != null) p.package;
+      variables = p.env;
+    };
 
     # conditionally add to user(s) PATH
     users.users = mapAttrs (user: en: {
@@ -190,6 +202,7 @@ in
       take = f: {
         assertions = f.assertions;
         environment.systemPackages = f.environment.systemPackages;
+        environment.variables = f.environment.variables;
         users.users = f.users.users;
         sane.users = f.sane.users;
         sops.secrets = f.sops.secrets;

modules/users.nix

@@ -12,9 +12,13 @@ let
         type = types.attrs;
         default = {};
         description = ''
-          entries to pass onto `sane.fs` after prepending the user's home-dir to the path.
+        entries to pass onto `sane.fs` after prepending the user's home-dir to the path
+        and marking them as wanted.
           e.g. `sane.users.colin.fs."/.config/aerc" = X`
-            => `sane.fs."/home/colin/.config/aerc" = X;
+          => `sane.fs."/home/colin/.config/aerc" = { wantedBy = [ "multi-user.target"]; } // X;
+
+          conventions are similar as to toplevel `sane.fs`. so `sane.users.foo.fs."/"` represents the home directory,
+          whereas every other entry is expected to *not* have a trailing slash.
         '';
       };
 
@@ -55,9 +59,13 @@ let
         name = path-lib.concat [ defn.home path ];
         inherit value;
       });
+      makeWanted = lib.mapAttrs (n: v: {
+        # default if not otherwise provided
+        wantedBeforeBy = [ "multi-user.target" ];
+      } // v);
     in
     {
-      sane.fs = prefixWithHome defn.fs;
+      sane.fs = makeWanted (prefixWithHome defn.fs);
 
       # `byPath` is the actual output here, computed from the other keys.
       sane.persist.sys.byPath = prefixWithHome defn.persist.byPath;

nixpatches/2023-06-10-lemmy-downgrade.patch

@@ -1,15 +1,15 @@
 diff --git a/pkgs/servers/web-apps/lemmy/pin.json b/pkgs/servers/web-apps/lemmy/pin.json
-index b2a1f1923ce..621b5945b6b 100644
+index 5b7b9aa49a5..6cd30d294d8 100644
 --- a/pkgs/servers/web-apps/lemmy/pin.json
 +++ b/pkgs/servers/web-apps/lemmy/pin.json
 @@ -1,7 +1,7 @@
  {
--  "version": "0.17.2",
--  "serverSha256": "sha256-fkpMVm52XLyrk9RfzJpthT8fctIilawAIgfK+4TXHvU=",
--  "serverCargoSha256": "sha256-AC6EP612uaeGfqHbrHrz89h0tsNlMceEg6GxEsm1QMA=",
+-  "version": "0.17.4",
+-  "serverSha256": "sha256-nztT6o5Tur64dMWII+wf5CBVJBJ59MGXKdS5OJO0SSc=",
+-  "serverCargoSha256": "sha256-3In2W+cSVtMkaKrn1hWOVL/V/qkKlH30qGPi3rNdpQI=",
 +  "version": "88a0d2feec3f9b4a06f2d8d090894111afcbd9e2",
 +  "serverSha256": "sha256-jVa7SckpH21TG+i1yjJOkhEgjnZ0Zgk2IUP7sCdtv1Y=",
 +  "serverCargoSha256": "sha256-trp/TCGtAtZlKdZk2CaJ3E9Lj95cq797PLWUF/DD6/M=",
-   "uiSha256": "sha256-0Zhm6Jgc6rlN4c7ryRnR45+fZEdzQhuOXSwU8Wz0D5g=",
+   "uiSha256": "sha256-Ebc4VzuCJhPoO16qCgSVyYFXH7YcymxcGcN/Sgyg5Gs=",
    "uiYarnDepsSha256": "sha256-aZAclSaFZJvuK+FpCBWboGaVEOEJTxq2jnWk0A6iAFw="
  }

nixpatches/flake.nix

@@ -9,7 +9,7 @@
         name = "nixpkgs-patched-uninsane";
         src = nixpkgs;
         patches = import ./list.nix {
-          inherit (nixpkgs.legacyPackages.${system}) fetchpatch fetchurl;
+          inherit (nixpkgs.legacyPackages.${system}) fetchpatch2 fetchurl;
         };
       };
       patchedFlakeFor = system: import "${patchedPkgsFor system}/flake.nix";

nixpatches/list.nix

@@ -1,4 +1,4 @@
-{ fetchpatch, fetchurl }:
+{ fetchpatch2, fetchurl }:
 let
   fetchpatch' = {
     saneCommit ? null,
@@ -13,13 +13,56 @@ let
       else
         "https://git.uninsane.org/colin/nixpkgs/commit/${saneCommit}.diff"
       ;
-    in fetchpatch (
+    in fetchpatch2 (
       { inherit url; }
       // (if hash != null then { inherit hash; } else {})
       // (if title != null then { name = title; } else {})
     );
 in [
 
+  # (fetchpatch' {
+  #   # XXX: doesn't cleanly apply; fetch `firefox-pmos-mobile` branch from my git instead
+  #   title = "firefox-pmos-mobile: init at -pmos-2.2.0";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/121356";
+  #   hash = "sha256-eDsR1cJC/IMmhJl5wERpTB1VGawcnMw/gck9sI64GtQ=";
+  # })
+
+  # (fetchpatch' {
+  #   saneCommit = "70c12451b783d6310ab90229728d63e8a903c8cb";
+  #   title = "firefox-pmos-mobile: init at -pmos-2.2.0";
+  #   hash = "sha256-mA22g3ZIERVctq8Uk5nuEsS1JprxA+3DvukJMDTOyso=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "ee19a28aa188bb87df836a4edc7b73355b8766eb";
+  #   title = "firefox-pmos-mobile: format the generated policies.nix file";
+  #   hash = "sha256-K8b3QpyVEjajilB5w4F1UHGDRGlmN7i66lP7SwLZpWI=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "c068439c701c160ba15b6ed5abe9cf09b159d584";
+  #   title = "firefox-pmos-mobile: implement an updateScript";
+  #   hash = "sha256-afiGDHbZIVR3kJuWABox2dakyiRb/8EgDr39esqwcEk=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "865c9849a9f7bd048e066c2efd8068ecddd48e33";
+  #   title = "firefox-pmos-mobile: 2.2.0 -> 4.0.2";
+  #   hash = "sha256-WjWSW0qE+cypvUkDRfK7d9Te8m5zQXwF33z8nEhbvrE=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "eb6aae632c55ce7b0a76bca549c09da5e1f7761b";
+  #   title = "firefox-pmos-mobile: refactor and populate `passthru` to aid external consumers";
+  #   hash = "sha256-/LhbwXjC8vuKzIuGQ3/FGplbLllsz57nR5y+PeDjGuA=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "c9b90ef1e17ea21ac779a86994e5d9079a2057b9";
+  #   title = "librewolf-pmos-mobile: init";
+  #   hash = "sha256-oQEM3EZfAOmfZzDu9faCqyOFZsdHYGn1mVBgkxt68Zg=";
+  # })
+  (fetchpatch' {
+    saneCommit = "c3becd7cdf144d85d12e2e76663e9549a0536efd";
+    title = "firefox-pmos-mobile: init at 4.0.2";
+    hash = "sha256-NRh2INUMA2K7q8zioqKA7xwoqg7v6sxpuJRpTG5IP1Q=";
+  })
+
   # splatmoji: init at 1.2.0
   (fetchpatch' {
     saneCommit = "75149039b6eaf57d8a92164e90aab20eb5d89196";
@@ -58,32 +101,6 @@ in [
     hash = "sha256-jl6SZwSDhQTlpM5FyGaFU/svwTb1ySdKtvWMgsneq3A=";
   })
 
-  # update to newer lemmy-server.
-  # should be removable when > 0.17.2 releases?
-  # removing this now causes:
-  #   INFO lemmy_server::code_migrations: No Local Site found, creating it.
-  #   Error: LemmyError { message: None, inner: duplicate key value violates unique constraint "local_site_site_id_key", context: "SpanTrace" }
-  # though perhaps this error doesn't occur on fresh databases (idk).
-  ./2023-04-29-lemmy.patch
-
-  (fetchpatch' {
-    title = "cargo-docset: init at 0.3.1";
-    saneCommit = "5a09e84c6159ce545029483384580708bc04c08f";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/231188";
-    hash = "sha256-Z1HOps3w/WvxAiyUAHWszKqwS9EwA6rf4XfgPGp+2sQ=";
-  })
-
-  (fetchpatch' {
-    title = "nixos/lemmy: support nginx";
-    saneCommit = "4c86db6dcb78795ac9bb514d9c779fd591070b23";
-    hash = "sha256-G7jGhSPUp9BMxh2yTzo0KUUVabMJeZ28YTA+0iPldRI=";
-  })
-
-  (fetchpatch' {
-    title = "feedbackd: 0.1.0 -> 0.2.0";
-    saneCommit = "a0186a5782708a640cd6eaad6e9742b9cccebe9d";
-    hash = "sha256-f8he7pQow4fZkTVVqU/A5KgovZA7m7MccRQNTnDxw5o=";
-  })
   # (fetchpatch' {
   #   # phoc: 0.25.0 -> 0.27.0
   #   # TODO: move wayland-scanner & glib to nativeBuildInputs
@@ -159,6 +176,55 @@ in [
   # Jellyfin: don't build via `libsForQt5.callPackage`
   ./2023-06-06-jellyfin-no-libsForQt5-callPackage.patch
 
+  # pin to a pre-0.17.3 release
+  # removing this and using stock 0.17.3 (also 0.17.4) causes:
+  #   INFO lemmy_server::code_migrations: No Local Site found, creating it.
+  #   Error: LemmyError { message: None, inner: duplicate key value violates unique constraint "local_site_site_id_key", context: "SpanTrace" }
+  # more specifically, lemmy can't find the site because it receives an error from diesel:
+  #   Err(DeserializationError("Unrecognized enum variant"))
+  # this is likely some mis-ordered db migrations
+  # or perhaps the whole set of migrations here isn't being running right.
+  # related: <https://github.com/NixOS/nixpkgs/issues/236890#issuecomment-1585030861>
+  # ./2023-06-10-lemmy-downgrade.patch
+
+  # (fetchpatch' {
+  #   title = "gpodder: wrap with missing `xdg-utils` path";
+  #   saneCommit = "10d0ac11bc083cbcf0d6340950079b3888095abf";
+  #   hash = "sha256-cu8L30ZiUJnWFGRR/SK917TC7TalzpGkurGkUAAxl54=";
+  # })
+
+  (fetchpatch' {
+    title = "koreader: 2023.04 -> 2023.05.1";
+    saneCommit = "a5c471bd263abe93e291239e0078ac4255a94262";
+    hash = "sha256-m++Vv/FK7cxONCz6n0MLO3CiKNrRH0ttFmoC1Xmba+A=";
+  })
+
+  (fetchpatch' {
+    title = "mepo: 1.1 -> 1.1.2";
+    saneCommit = "eee68d7146a6cd985481cdd8bca52ffb204de423";
+    hash = "sha256-uNerTwyFzivTU+o9bEKmNMFceOmy2AKONfKJWI5qkzo=";
+  })
+
+  (fetchpatch' {
+    title = "spdlog: use fmt 9";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/240270";
+    hash = "sha256-f0QCnrtPN7XwWk0cHSUW7/XlWPFu6XnuoQL6vARYILM=";
+  })
+
+  (fetchpatch' {
+    title = "nmap: lua5_3 -> lua5_4";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/240440";
+    saneCommit = "a2a5c711e7c0ff43143fc58ec08853ec063f35b3";
+    hash = "sha256-YZycbNJfRFD/8bpnS/28ac1x1wWkEhjB3QaGBGAJkUM=";
+  })
+
+  # (fetchpatch' {
+  #   # N.B.: compiles, but runtime error on launch suggestive of some module not being shipped
+  #   title = "matrix-appservice-irc: 0.38.0 -> 1.0.0";
+  #   saneCommit = "b168bf862d53535151b9142a15fbd53e18e688c5";
+  #   hash = "sha256-dDa2mrCJ416PIYsDH9ya/4aQdqtp4BwzIisa8HdVFxo=";
+  # })
+
   # for raspberry pi: allow building u-boot for rpi 4{,00}
   # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
   #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )

overlays/cross.nix

@@ -83,6 +83,7 @@ in {
     jellyfin-web  # in node-dependencies-jellyfin-web: "node: command not found"  (nodePackages don't cross compile)
     # libgccjit  # "../../gcc-9.5.0/gcc/jit/jit-result.c:52:3: error: 'dlclose' was not declared in this scope"  (needed by emacs!)
     # libsForQt5  # if we emulate qt5, we're better off emulating libsForQt5 else qt complains about multiple versions of qtbase
+    mepo  # /build/source/src/sdlshim.zig:1:20: error: C import failed
     perlInterpreters  # perl5.36.0-Module-Build perl5.36.0-Test-utf8 (see tracking issues ^)
     # qgnomeplatform
     # qtbase
@@ -247,6 +248,14 @@ in {
     nativeBuildInputs = upstream.nativeBuildInputs ++ [ final.git ];
   });
 
+  cozy = prev.cozy.override {
+    cozy = prev.cozy.upstream.cozy.override {
+      # fixes runtime error: "Settings schema 'org.gtk.Settings.FileChooser' is not installed"
+      # otherwise gtk3+ schemas aren't added to XDG_DATA_DIRS
+      inherit (emulated) wrapGAppsHook;
+    };
+  };
+
   dante = prev.dante.override {
     # fixes: "configure: error: error: getaddrinfo() error value count too low"
     inherit (emulated) stdenv;
@@ -508,6 +517,13 @@ in {
       }
       super.nautilus
     ).override {
+      # fixes -msse2, -mfpmath=sse flags
+      # wrapGAppsHook4 = final.wrapGAppsHook;
+      # fixes -msse2, -mfpmath=ssh flags AND "Settings schema 'org.gtk.gtk4.Settings.FileChooser' is not installed"
+      wrapGAppsHook4 = emulated.wrapGAppsHook4;
+    };
+
+    zenity = super.zenity.override {
       # fixes -msse2, -mfpmath=sse flags
       wrapGAppsHook4 = final.wrapGAppsHook;
     };
@@ -656,9 +672,13 @@ in {
         ];
       };
     }));
-  jellyfin-media-player-qt6 = mvToBuildInputs
-    [ final.qt6.wrapQtAppsHook ]  # otherwise the result targets x86.  TODO: fix the hook in qt6 itself?
-    prev.jellyfin-media-player-qt6;
+  jellyfin-media-player-qt6 = prev.jellyfin-media-player-qt6.overrideAttrs (upstream: {
+    # nativeBuildInputs => result targets x86.
+    # buildInputs => result targets correct platform, but doesn't wrap the runtime deps
+    # TODO: fix the hook in qt6 itself?
+    depsHostHost = upstream.depsHostHost or [] ++ [ final.qt6.wrapQtAppsHook ];
+    nativeBuildInputs = lib.remove [ final.qt6.wrapQtAppsHook ] upstream.nativeBuildInputs;
+  });
   # jellyfin-web = prev.jellyfin-web.override {
   #   # in node-dependencies-jellyfin-web: "node: command not found"
   #   inherit (emulated) stdenv;
@@ -675,6 +695,18 @@ in {
       ./kitty-no-docs.patch
     ];
   });
+  komikku = prev.komikku.override {
+    # GI_TYPELIB_PATH points to x86_64 types in the default build, only when using wrapGAppsHook4
+    wrapGAppsHook4 = final.wrapGAppsHook;
+  };
+  koreader = (prev.koreader.override {
+    # fixes runtime error: luajit: ./ffi/util.lua:757: attempt to call field 'pack' (a nil value)
+    inherit (emulated) luajit;
+  }).overrideAttrs (upstream: {
+    nativeBuildInputs = upstream.nativeBuildInputs ++ [
+      final.autoPatchelfHook
+    ];
+  });
   libgweather = rmNativeBuildInputs [ final.glib ] (prev.libgweather.override {
     # alternative to emulating python3 is to specify it in `buildInputs` instead of `nativeBuildInputs` (upstream),
     #   but presumably that's just a different way to emulate it.
@@ -713,6 +745,33 @@ in {
   #   callPackage = self.newScope { inherit (self) qtCompatVersion qtModule srcs; inherit (final) stdenv; };
   # });
 
+  # mepo = (prev.mepo.override {
+  #   inherit (emulated)
+  #     stdenv
+  #     SDL2
+  #     SDL2_gfx
+  #     SDL2_image
+  #     SDL2_ttf
+  #     zig
+  #   ;
+  # }).overrideAttrs (_upstream: {
+  #   doCheck = false;
+  #   # dontConfigure = true;
+  #   # dontBuild = true;
+  #   # preInstall = ''
+  #   #   export HOME=$TMPDIR
+  #   # '';
+  #   # installPhase = ''
+  #   #   runHook preInstall
+
+  #   #   zig build -Drelease-safe=true -Dtarget=aarch64-linux-gnu -Dcpu=baseline --prefix $out
+  #   #   install -d $out/share/man/man1
+  #   #   $out/bin/mepo -docman > $out/share/man/man1/mepo.1
+
+  #   #   runHook postInstall
+  #   # '';
+  # });
+
   # fixes: "ar: command not found"
   # `ar` is provided by bintools
   ncftp = addNativeInputs [ final.bintools ] prev.ncftp;
@@ -1177,6 +1236,13 @@ in {
     # fixes "meson.build:183:0: ERROR: Can not run test applications in this cross environment."
     inherit (emulated) stdenv;
   };
+  tuba = (prev.tuba.override {
+    # fixes -msse2, -mfpmath=sse flags
+    wrapGAppsHook4 = final.wrapGAppsHook;
+  }).overrideAttrs (upstream: {
+    # error: Package `{libadwaita-1,gtksourceview-5,libsecret-1,gee-0.8}' not found in specified Vala API directories or GObject-Introspection GIR directories
+    buildInputs = upstream.buildInputs ++ [ final.vala ];
+  });
   # twitter-color-emoji = prev.twitter-color-emoji.override {
   #   # fails to fix original error
   #   inherit (emulated) stdenv;
@@ -1252,9 +1318,19 @@ in {
   });
   # XXX: aarch64 webp-pixbuf-loader wanted by gdk-pixbuf-loaders.cache.drv, wanted by aarch64 gnome-control-center
 
-  # "extract-binary-wrapper-cmd: line 2: strings: command not found"
-  # XXX: technically this belongs in pkgs/build-support/setup-hooks/make-binary-wrapper/default.nix ?
-  wrapFirefox = browser: args: addNativeInputs [ final.bintools-unwrapped ] (prev.wrapFirefox browser args);
+  wrapFirefox = prev.wrapFirefox.override {
+    buildPackages = let
+      bpkgs = final.buildPackages;
+    in bpkgs // {
+      # fixes "extract-binary-wrapper-cmd: line 2: strings: command not found"
+      # ^- in the `nix log` output of cross-compiled `firefox` (it's non-fatal)
+      makeBinaryWrapper = bpkgs.makeBinaryWrapper.overrideAttrs (upstream: {
+        passthru.extractCmd = bpkgs.writeShellScript "extract-binary-wrapper-cmd" ''
+          ${final.stdenv.cc.targetPrefix}strings -dw "$1" | sed -n '/^makeCWrapper/,/^$/ p'
+        '';
+      });
+    };
+  };
 
   wvkbd = (
     # "wayland-scanner: no such program"

pkgs/additional/cargo-docset/default.nix

@@ -1,30 +0,0 @@
-{ lib
-, fetchFromGitHub
-, rustPlatform
-, sqlite
-}:
-
-rustPlatform.buildRustPackage rec {
-  pname = "cargo-docset";
-  version = "0.3.1";
-
-  src = fetchFromGitHub {
-    owner = "Robzz";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-o2CSQiU9fEoS3eRmwphtYGZTwn3mstRm2Tlvval83+U=";
-  };
-
-  cargoHash = "sha256-YHrSvfHfQ7kbVeCOgggYf3E7gHq+RhVKZrzP8LqX5I0=";
-
-  buildInputs = [
-    sqlite
-  ];
-
-  meta = with lib; {
-    description = "Cargo subcommand to generate a Dash/Zeal docset for your Rust packages. ";
-    homepage = "https://github.com/Robzz/cargo-docset";
-    license = licenses.asl20;
-    maintainers = with maintainers; [ colinsane ];
-  };
-}

pkgs/additional/gpodder-adaptive/default.nix

@@ -0,0 +1,18 @@
+{ gpodder
+, fetchFromGitHub
+, libhandy
+}:
+gpodder.overrideAttrs (upstream: rec {
+  pname = "gpodder-adaptive";
+  version = "3.11.1+1";
+  src = fetchFromGitHub {
+    owner = "gpodder";
+    repo = "gpodder";
+    rev = "adaptive/${version}";
+    hash = "sha256-pn5sh8CLV2Civ26PL3rrkkUdoobu7SIHXmWKCZucBhw=";
+  };
+
+  buildInputs = upstream.buildInputs ++ [
+    libhandy
+  ];
+})

pkgs/additional/gpodder-configured/default.nix

@@ -15,13 +15,14 @@ let
       "gnome-feeds.listparser" = gnome-feeds.listparser;
     };
     pkgs = {
+      # important for this to explicitly use `gpodder` here, because it may be overriden/different from the toplevel `gpodder`!
       inherit gpodder;
     };
   };
 in
 # we use a symlinkJoin so that we can inherit the .desktop and icon files from the original gPodder
 (symlinkJoin {
-  name = "gpodder-configured";
+  name = "${gpodder.pname}-configured";
   paths = [ gpodder remove-extra ];
   nativeBuildInputs = [ makeWrapper ];
 
@@ -30,7 +31,7 @@ in
   # a feedlist every time we run it.
   # repeat imports are deduplicated by url, even when offline.
   postBuild = ''
-    makeWrapper $out/bin/gpodder $out/bin/gpodder-configured \
+    wrapProgram $out/bin/gpodder \
       --run "$out/bin/gpodder-remove-extra ~/.config/gpodderFeeds.opml || true" \
       --run "$out/bin/gpo import ~/.config/gpodderFeeds.opml || true" \
 
@@ -41,6 +42,6 @@ in
   '';
 
   passthru = {
-    remove-extra = remove-extra;
+    inherit gpodder remove-extra;
   };
 })

pkgs/additional/jellyfin-media-player-qt6/default.nix

@@ -20,14 +20,14 @@
     owner = "jellyfin";
     repo = "jellyfin-media-player";
     rev = "qt6";
-    hash = "sha256-saR/P2daqjF0G8N7BX6Rtsb1dWGjdf5MPDx1lhoioEw=";
+    hash = "sha256-CXuK6PLGOiBDbnLqXcr5sUtQmXksMc6X6GKVMEzmu30=";
   };
   # nixos ships two patches:
   # - the first fixes "web paths" and has *mostly* been upstreamed  (so skip and manually tweak a bit)
   # - the second disables auto-update notifications  (keep)
   patches = (builtins.tail upstream.patches) ++ [
     ./0001-fix-web-path.patch
-    ./0002-qt6-build-fixes.patch
+    # ./0002-qt6-build-fixes.patch
     # ./0003-qt6-components-webengine.patch
   ];
   buildInputs = [
@@ -51,7 +51,6 @@
     ninja
     pkg-config
     python3
-
     qt6.wrapQtAppsHook  #< new: libsForQt5.callPackage implicitly adds the qt5 wrapQtAppsHook
   ];
 

pkgs/additional/lemoa/default.nix

@@ -0,0 +1,45 @@
+{ lib
+, fetchFromGitHub
+, gdk-pixbuf
+, glib
+, graphene
+, gtk4
+, libadwaita
+, openssl
+, pango
+, pkg-config
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "lemoa";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "lemmy-gtk";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-7tq9XP79GXnIoibrZugdir79P14qJevTzY44fC3R7cA=";
+  };
+
+  cargoLock = {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "lemmy_api_common-0.18.0" = "sha256-l4UNO5Obx73nOiVnl6dc+sw2tekDLn2ixTs1GwqdE8I=";
+    };
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    gtk4
+    libadwaita
+    openssl
+  ];
+
+  meta = with lib; {
+    description = "Native Gtk client for Lemmy";
+    homepage = "https://github.com/lemmy-gtk/lemoa";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ colinsane ];
+  };
+}

pkgs/additional/linux-megous/default.nix

@@ -18,12 +18,13 @@ let
   # - grab VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION from Makefile.
   # - megi publishes release notes as the most recent commit on any stable branch, so just `git log`.
   # - orange-pi is listed as the "main integration branch".
+  #   - this suggests it's NOT a stable branch, only `orange-pi-X.YY-YYYYMMDD-NNNN` branches are "formal" releases
   #   - specific branches like `pp` (pinephone) are dev branches, and probably less stable.
-  rev = "orange-pi-6.3-20230426-1041";
-  hash = "sha256-hfnBVtWyn6FAAOXnizE4jRaf6b9KYEwlJu3NOD7DMGM=";
-  base = "6.3.0";
+  rev = "orange-pi-6.4-20230619-0323";
+  hash = "sha256-il32UQM/8Fc7VHft3+M4TLMxk5+h28C9Suu1kRdZj2M=";
+  base = "6.4.0";
   # set to empty if not a release candidate, else `-rc<N>`
-  rc = "";
+  rc = "-rc7";
 
   # pinephone uses the linux dtb at arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi
   # - this includes sun50i-a64.dtsi

pkgs/additional/sane-scripts/default.nix

@@ -1,11 +1,36 @@
 { lib
-, pkgs
+, python3Packages
 , static-nix-shell
 , symlinkJoin
+, transmission
 }:
 
 let
-  nix-shell-scripts = {
+  sane-lib = {
+    # TODO: we could simplify the lib/ folder structure
+    # by auto-generating the setup.py files in `postPatch`, below
+    bt = python3Packages.buildPythonPackage {
+      pname = "sane-lib-bt";
+      version = "0.1.0";
+      format = "setuptools";
+      src = ./src/lib/bt;
+      propagatedBuildInputs = [ transmission ];
+      pythonImportChecks = [
+        "sane_bt"
+      ];
+    };
+    ssdp = python3Packages.buildPythonPackage {
+      pname = "sane-lib-ssdp";
+      version = "0.1.0";
+      format = "setuptools";
+      src = ./src/lib/ssdp;
+      pythonImportChecks = [
+        "sane_ssdp"
+      ];
+    };
+  };
+
+  sane-bin = {
     # anything added to this attrset gets symlink-joined into `sane-scripts`
     # and is made available through `sane-scripts.passthru`
     backup-ls = static-nix-shell.mkBash {
@@ -18,25 +43,28 @@ let
       src = ./src;
       pkgs = [ "duplicity" ];
     };
-    bt-add = static-nix-shell.mkBash {
+    bt-add = static-nix-shell.mkPython3Bin {
       pname = "sane-bt-add";
       src = ./src;
-      pkgs = [ "transmission" ];
+      pyPkgs = [ "sane-lib.bt" ];
+      pkgs = [ "sane-scripts.lib.bt.propagatedBuildInputs" ];
     };
-    bt-rm = static-nix-shell.mkBash {
+    bt-rm = static-nix-shell.mkPython3Bin {
       pname = "sane-bt-rm";
       src = ./src;
-      pkgs = [ "transmission" ];
+      pyPkgs = [ "sane-lib.bt" ];
+      pkgs = [ "sane-scripts.lib.bt.propagatedBuildInputs" ];
     };
     bt-search = static-nix-shell.mkPython3Bin {
       pname = "sane-bt-search";
       src = ./src;
       pyPkgs = [ "natsort" "requests" ];
     };
-    bt-show = static-nix-shell.mkBash {
+    bt-show = static-nix-shell.mkPython3Bin {
       pname = "sane-bt-show";
       src = ./src;
-      pkgs = [ "transmission" ];
+      pyPkgs = [ "sane-lib.bt" ];
+      pkgs = [ "sane-scripts.lib.bt.propagatedBuildInputs" ];
     };
     deadlines = static-nix-shell.mkBash {
       pname = "sane-deadlines";
@@ -67,19 +95,13 @@ let
       pname = "sane-ip-check-upnp";
       src = ./src;
       pkgs = [ "miniupnpc" ];
-      postInstall = ''
-        mkdir -p $out/bin/lib
-        cp -R lib/* $out/bin/lib/
-      '';
+      pyPkgs = [ "sane-lib.ssdp" ];
     };
     ip-port-forward = static-nix-shell.mkPython3Bin {
       pname = "sane-ip-port-forward";
       src = ./src;
       pkgs = [ "inetutils" "miniupnpc" ];
-      postInstall = ''
-        mkdir -p $out/bin/lib
-        cp -R lib/* $out/bin/lib/
-      '';
+      pyPkgs = [ "sane-lib.ssdp" ];
     };
     ip-reconnect = static-nix-shell.mkPython3Bin {
       pname = "sane-ip-reconnect";
@@ -206,8 +228,10 @@ let
 in
 symlinkJoin {
   name = "sane-scripts";
-  paths = lib.attrValues nix-shell-scripts;
-  passthru = nix-shell-scripts;
+  paths = lib.attrValues sane-bin;
+  passthru = sane-bin // {
+    lib = sane-lib;
+  };
   meta = {
     description = "collection of scripts associated with sane systems";
     homepage = "https://git.uninsane.org";

pkgs/additional/sane-scripts/resholve-prologue

@@ -1,3 +0,0 @@
-# sudo, umount, others, are located here.
-# resholve can't inline their path, since it's not a store path
-PATH=$PATH:/run/wrappers/bin

pkgs/additional/sane-scripts/src/lib/bt/sane_bt.py

@@ -0,0 +1,163 @@
+from __future__ import annotations
+
+from argparse import ArgumentParser, Namespace
+from dataclasses import dataclass
+
+import logging
+import os.path
+import subprocess
+
+logger = logging.getLogger(__name__)
+
+@dataclass
+class MediaMeta:
+    title: str | None
+    prefix: str | None
+    author: str | None
+    type_: "film" | "show" | "book" | "audiobook" | "vn"  # TODO: use enumeration
+    freeleech: bool
+    archive: bool
+
+    @classmethod
+    def add_arguments(self, parser: ArgumentParser):
+        parser.add_argument("--prefix", help="additional path component before anything implied by the other options (but after the base media dir")
+        parser.add_argument("--film", action="store_true")
+        parser.add_argument("--show", help="ShowTitle")
+        parser.add_argument("--book", help="BookTitle")
+        parser.add_argument("--audiobook", help="AudiobookTitle")
+        parser.add_argument("--vn", help="VisualNovelTitle  (for comics/manga)")
+        parser.add_argument("--author", help="FirstnameLastname")
+        parser.add_argument("--freeleech", action="store_true", help="not interested in the data, only in seeding")
+        parser.add_argument("--archive", action="store_true", help="not interested in the data, except for archival")
+
+    @classmethod
+    def from_arguments(self, args: Namespace) -> Self:
+        title = None
+        type_ = None
+        if args.film:
+            type_ = "film"
+        if args.show != None:
+            type_ = "show"
+            title = args.show
+        if args.book != None:
+            type_ = "book"
+            title = args.book
+        if args.audiobook != None:
+            type_ = "audiobook"
+            title = args.audiobook
+        if args.vn != None:
+            type_ = "vn"
+            title = args.vn
+        assert type_ is not None, "no torrent type specified!"
+        assert not (args.freeleech and args.archive), "--freeleech and --archive are mutually exclusive"
+        return MediaMeta(
+            title=title,
+            prefix=args.prefix,
+            author=args.author,
+            type_=type_,
+            freeleech=args.freeleech,
+            archive=args.archive,
+        )
+
+    @property
+    def type_path(self) -> str:
+        return dict(
+            film="Videos/Film/",
+            show="Videos/Shows/",
+            book="Books/Books/",
+            audiobook="Books/Audiobooks/",
+            vn="Books/Visual/",
+        )[self.type_]
+
+    def fs_path(self, base: str="/var/lib/uninsane/media/"):
+        return os.path.join(
+            base,
+            self.prefix or "",
+            "archive" if self.archive else "",
+            "freeleech" if self.freeleech else "",
+            self.type_path,
+            self.author or "",
+            self.title or "",
+        )
+
+
+def dry_check_output(args: list[str]) -> bytes:
+    print("not invoking because dry run: " + ' '.join(args))
+    return b""
+
+class TransmissionApi:
+    ENDPOINT="https://bt.uninsane.org/transmission/rpc"
+    PASSFILE="/run/secrets/transmission_passwd"
+
+    def __init__(self, check_output = subprocess.check_output):
+        self.check_output = check_output
+
+    @staticmethod
+    def add_arguments(parser: ArgumentParser):
+        parser.add_argument("--dry-run", action="store_true", help="only show what would be done; don't invoke transmission")
+
+    @staticmethod
+    def from_arguments(args: Namespace) -> Self:
+        return TransmissionApi(check_output = dry_check_output if args.dry_run else subprocess.check_output)
+
+    @property
+    def auth(self) -> str:
+        return open(self.PASSFILE, "r").read().strip()
+
+    def add_torrent(self, meta: MediaMeta, torrent: str):
+        self.call_transmission(
+            description=f"saving to {meta.fs_path()}",
+            args=[
+                "--download-dir", meta.fs_path(),
+                "--add", torrent,
+            ]
+        )
+
+    def move_torrent(self, meta: MediaMeta, torrent: str):
+        self.call_transmission(
+            description=f"moving {torrent} to {meta.fs_path()}",
+            args=[
+                "--torrent", torrent,
+                "--move", meta.fs_path()
+            ]
+        )
+
+    def add_or_move_torrent(self, meta: MediaMeta, torrent: str):
+        """
+        if "torrent" represents a magnet or file URI, then add else
+        else assume it's a transmission identifier and move it to the location specified by @p meta.
+        """
+        if torrent.isdigit():
+            self.move_torrent(meta, torrent)
+        else:
+            self.add_torrent(meta, torrent)
+
+    def rm_torrent(self, torrent: str | int):
+        self.call_transmission(
+            description=f"deleting {torrent}",
+            args=[
+                "--torrent", torrent,
+                "--remove-and-delete"
+            ]
+        )
+
+    def list_(self) -> str:
+        return self.call_transmission([
+            "--list"
+        ])
+
+    def info(self, torrent: str) -> str:
+        return self.call_transmission([
+            "--torrent", torrent,
+            "--info"
+        ])
+
+    def call_transmission(self, args: list[str], description: str | None = None) -> str:
+        if description is not None:
+            logger.info(description)
+
+        return self.check_output([
+            "transmission-remote",
+            self.ENDPOINT,
+            "--auth", f"colin:{self.auth}",
+        ] + args).decode("utf-8")

pkgs/additional/sane-scripts/src/lib/bt/setup.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+
+from distutils.core import setup
+
+setup(
+    name='sane-lib-bt',
+    version='0.1.0',
+    description='utilities for sane-scripts',
+)

pkgs/additional/sane-scripts/src/lib/ssdp/sane_ssdp.py

@@ -73,7 +73,7 @@ def get_ips_from_location(location: str):
     res = subprocess.run(cmd, capture_output=True)
     if res.returncode != 0:
         logger.info(f"get_wan_from_location failed: {cmd!r}\n{res.stderr}")
-        return None
+        return None, None
 
     status = res.stdout.decode("utf-8")
     logger.debug(f"got status: {status}")

pkgs/additional/sane-scripts/src/lib/ssdp/setup.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+
+from distutils.core import setup
+
+setup(
+    name='sane-lib-ssdp',
+    version='0.1.0',
+    description='utilities for sane-scripts',
+)

pkgs/additional/sane-scripts/src/sane-bt-add

@@ -1,94 +1,28 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p transmission
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.sane-lib.bt ])" -p sane-scripts.lib.bt.propagatedBuildInputs
+# vim: set filetype=python :
 
-set -e
+import argparse
+import logging
 
-endpoint=https://bt.uninsane.org/transmission/rpc
-PASS=$(sudo cat /run/secrets/transmission_passwd)
+from sane_bt import MediaMeta, TransmissionApi
 
-options=$(getopt -l help,prefix:,film,show:,book:,audiobook:,vn:,author: -- "" "${@}")
-eval "set -- ${options}"
 
-type=
-title=
-author=
-prefix=
-while true; do
-  case "$1" in
-    (--help)
-      echo "add a .torrent or magnet:// file to be downloaded by and stored on my server"
-      echo "usage: sane-bt-add [options] <magnet:// URI or path/to.torrent>"
-      echo "options:"
-      echo "  --prefix <PathString>"
-      echo "  --film"
-      echo "  --show <ShowTitle>"
-      echo "  --book <BookTitle>"
-      echo "  --audiobook <BookTitle>"
-      echo "  --vn <VisualNovelTitle>"
-      echo "  --author <Author>"
-      echo ""
-      echo "the above options are used to construct the filesystem path where the torrent data will live"
-      echo "everything is relative to the root media directory (not /)"
-      exit
-    ;;
-    (--prefix)
-      shift
-      prefix="$1"
-      shift
-    ;;
-    (--film)
-      type=Videos/Film/
-      shift
-    ;;
-    (--show)
-      type=Videos/Shows/
-      shift
-      title="$1"/
-      shift
-    ;;
-    (--book)
-      type=Books/Books/
-      shift
-      title="$1"/
-      shift
-    ;;
-    (--audiobook)
-      type=Books/Audiobooks/
-      shift
-      title="$1"/
-      shift
-    ;;
-    (--vn)
-      type=Books/Visual/
-      shift
-      title="$1"/
-      shift
-    ;;
-    (--author)
-      shift
-      author="$1"/
-      shift
-    ;;
-    (--)
-      shift
-      if [ $# -eq 1 ]; then
-        break
-      fi
-    ;;
-    (*)
-      echo "invalid arguments"
-      exit 1
-    ;;
-  esac
-done
+def main():
+    logging.basicConfig()
+    logging.getLogger().setLevel(logging.INFO)
 
-prefix=$prefix$type$author$title
-# positional ("non-option") parameters
-torrent="$1"
+    parser = argparse.ArgumentParser(description="instruct servo to download some torrent")
+    TransmissionApi.add_arguments(parser)
+    MediaMeta.add_arguments(parser)
+    parser.add_argument("torrent", help="magnet: URI or file path to torrent")
 
-echo "saving to $prefix"
+    args = parser.parse_args()
+    meta = MediaMeta.from_arguments(args)
+    bt_api = TransmissionApi.from_arguments(args)
+    torrent = args.torrent
 
-transmission-remote "$endpoint" \
-  --auth "colin:$PASS" \
-  --download-dir "/var/lib/uninsane/media/$prefix" \
-  --add "$torrent"
+    bt_api.add_or_move_torrent(meta, torrent)
+
+if __name__ == "__main__":
+    main()

pkgs/additional/sane-scripts/src/sane-bt-rm

@@ -1,11 +1,26 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p transmission
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.sane-lib.bt ])" -p sane-scripts.lib.bt.propagatedBuildInputs
+# vim: set filetype=python :
 
-# removes a torrent and trashes its data
-# usage: sane-bt-rm <torrent>
-# where <torrent> is a magnet URL, or an identifier from sane-bt-show (e.g. 132)
+import argparse
+import logging
 
-endpoint=https://bt.uninsane.org/transmission/rpc
-PASS=$(sudo cat /run/secrets/transmission_passwd)
+from sane_bt import TransmissionApi
 
-transmission-remote "$endpoint" --auth "colin:$PASS" --torrent "$1" --remove-and-delete
+
+def main():
+    logging.basicConfig()
+    logging.getLogger().setLevel(logging.INFO)
+
+    parser = argparse.ArgumentParser(description="remove a torrent and trash its data")
+    TransmissionApi.add_arguments(parser)
+    parser.add_argument("torrent", help="numerical ID of the torrent in the transmission list (see sane-bt-show)")
+
+    args = parser.parse_args()
+    bt_api = TransmissionApi.from_arguments(args)
+    torrent = args.torrent
+
+    bt_api.rm_torrent(torrent)
+
+if __name__ == "__main__":
+    main()

pkgs/additional/sane-scripts/src/sane-bt-search

@@ -2,12 +2,26 @@
 #!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.natsort ps.requests ])"
 # vim: set filetype=python :
 """
-usage: sane-bt-search <query_string>
+usage: sane-bt-search [options] <query_string>
 
 searches Jackett for torrent files matching the title.
-returns select results and magnet links
+returns select results and magnet links.
+
+options:
+  --full     display all results
+  --help     show this help message and exit
+  --json     output one json document instead of a human-readable table
+  --top <n>  show the <n> top rated torrents (default: 5)
+  --verbose  show more information, useful for debugging/development
 """
 
+# about Jackett
+# - source: <https://github.com/Jackett/Jackett>
+# - can be queried via APIs:
+#   - Torznab: <https://torznab.github.io/spec-1.3-draft/index.html>
+#   - TorrentPotato: <https://github.com/RuudBurger/CouchPotatoServer/wiki/Couchpotato-torrent-provider>
+#   - its own JSON-based API
+
 from dataclasses import dataclass
 from datetime import datetime
 import logging
@@ -20,12 +34,22 @@ import time
 SERVICE = "https://jackett.uninsane.org"
 ENDPOINTS = dict(
     results="api/v2.0/indexers/all/results"
+    # results_torznab="api/v2.0/indexers/all/results/torznab"
 )
 
 epoch = datetime(1970, 1, 1)
 
 logger = logging.getLogger(__name__)
 
+class BadCliArgs(Exception):
+    def __init__(self, msg: str = None):
+        helpstr = __doc__
+        if msg:
+            super().__init__(f"{msg}\n\n{helpstr}")
+        else:
+            super().__init__(helpstr)
+
+
 def try_parse_time(t: str):
     try:
         return datetime.fromisoformat(t)
@@ -49,9 +73,15 @@ class Torrent:
     title: str
     magnet: "Optional[str]"
     http_dl_uri: "Optional[str]"  # probably a .torrent file but it COULD be a referral to a magnet:// URI
+    tracker_uri: "Optional[str]"
 
     def __str__(self) -> str:
-        return f"{self.seeders}[S]\t{self.pub_date}\t{self.mib}M\t{self.tracker}\t{self.title}\n\t{self.dl_uri}"
+        rows = []
+        rows.append(f"{self.seeders}[S]\t{self.pub_date}\t{self.mib}M\t{self.tracker}\t{self.title}")
+        if self.tracker_uri:
+            rows.append(f"\t{self.tracker_uri}")
+        rows.append(f"\t{self.dl_uri}")
+        return "\n".join(rows)
 
     @property
     def dl_uri(self) -> str:
@@ -76,21 +106,18 @@ class Torrent:
         title = d.get("Title")
         magnet = d.get("MagnetUri") or d.get("Guid")
         http_dl_uri = d.get("Link")
+        tracker_uri = d.get("Details")
 
         if magnet and not magnet.startswith("magnet:"):
             logger.info(f"invalid magnet: {magnet}")
             magnet = None
 
-        # jackett returns bad DL URIs because it doesn't know its public URI
-        firewalled_host = "http://10.0.1.6:9117/"
-        if http_dl_uri and http_dl_uri.startswith(firewalled_host):
-            http_dl_uri = SERVICE + "/" + http_dl_uri[len(firewalled_host):]
-
         if seeders is not None and pub_date is not None and title is not None and (magnet is not None or http_dl_uri is not None):
             pub_date = parse_time(pub_date)
-            return Torrent(seeders, pub_date, size, tracker, title, magnet, http_dl_uri)
+            return Torrent(seeders, pub_date, size, tracker, title, magnet, http_dl_uri, tracker_uri)
 
     def to_dict(self) -> dict:
+        # N.B.: not all fields: needs to be kept in sync with consumers like mx-sanebot
         return dict(
             seeders=self.seeders,
             pub_date=self.pub_date.strftime("%Y-%m-%d"),
@@ -124,10 +151,11 @@ class Client:
 
 def parse_args(args: list) -> dict:
     options = dict(
-        top="5",
         full=False,
-        query="",
+        help=False,
         json=False,
+        query="",
+        top="5",
         verbose=False,
     )
     while args:
@@ -148,15 +176,25 @@ def parse_args(args: list) -> dict:
 def main(args: list):
     logging.basicConfig()
     options = parse_args(args)
+    full = options.pop("full")
+    help = options.pop("help")
+    json = options.pop("json")
+    query = options.pop("query")
+    top = options.pop("top")
+    verbose = options.pop("verbose")
 
-    if options["verbose"]:
+    if options != {}:
+        raise BadCliArgs(f"unexpected options: {options}")
+    if help:
+        raise BadCliArgs()
+
+    if verbose:
         logging.getLogger().setLevel(logging.DEBUG)
 
-    query = options["query"]
-    num_listings = 1000 if options["full"] else int(options["top"])
+    num_listings = 1000 if full else int(top)
     client = Client()
     res = client.query(query)
-    if options["json"]:
+    if json:
         dumpable = [t.to_dict() for t in res[:num_listings]]
         print(json.dumps(dumpable))
     else:

pkgs/additional/sane-scripts/src/sane-bt-show

@@ -1,16 +1,29 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p transmission
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.sane-lib.bt ])" -p sane-scripts.lib.bt.propagatedBuildInputs
+# vim: set filetype=python :
 
-endpoint=https://bt.uninsane.org/transmission/rpc
-PASS=$(sudo cat /run/secrets/transmission_passwd)
+import argparse
+import logging
 
+from sane_bt import MediaMeta, TransmissionApi
 
-if [ "$#" -eq 0 ]; then
-  # no specific torrents we want to show, so show all of them.
-  # to query specific torrents, note the index and re-invoke this script with that.
-  transmission-remote "$endpoint" --auth "colin:$PASS" --list
-else
-  for id in $@; do
-    transmission-remote "$endpoint" --auth "colin:$PASS" -t "$id" -i
-  done
-fi
+def main():
+    logging.basicConfig()
+    logging.getLogger().setLevel(logging.INFO)
+
+    parser = argparse.ArgumentParser(description="show information about one or more torrents on servo")
+    TransmissionApi.add_arguments(parser)
+    parser.add_argument("torrents", nargs="*", help="torrent id to show (acquire by first calling with no args)")
+
+    args = parser.parse_args()
+    bt_api = TransmissionApi.from_arguments(args)
+    torrents = args.torrents
+
+    if torrents:
+        for t in torrents:
+            print(bt_api.info(t))
+    else:
+        print(bt_api.list_())
+
+if __name__ == "__main__":
+    main()

pkgs/additional/sane-scripts/src/sane-ip-check-upnp

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])" -p miniupnpc
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.sane-lib.ssdp ])" -p miniupnpc
 
 # best to run this with an external timeout. e.g.
 # - `timeout 60 sane-ip-check-upnp`

pkgs/additional/sane-scripts/src/sane-ip-port-forward

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])" -p inetutils -p miniupnpc
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.sane-lib.ssdp ])" -p inetutils -p miniupnpc
 
 '''
 USAGE: sane-ip-port-forward [options] [proto:port[:desc]]*
@@ -22,9 +22,7 @@ import logging
 import subprocess
 import sys
 
-sys.path.insert(0, ".")
-
-from lib.sane_ssdp import get_any_wan, forward_port
+from sane_ssdp import get_any_wan, forward_port
 
 class BadCliArgs(Exception):
     def __init__(self, msg: str = None):

pkgs/additional/sane-scripts/src/sane-ip-reconnect

@@ -1,10 +1,17 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i python3 -p "python3.withPackages (ps: [  ])"
+# vim: set filetype=python :
 
 import re
 import subprocess
+import sys
 import time
 
+import logging
+
+
+logger = logging.getLogger(__name__)
+
 def rm_color(stdout: str) -> str:
     " remove terminal control codes -- used by iwctl to colorize the output "
     return re.sub("\\[[0-9;]*m", "", stdout)
@@ -27,6 +34,8 @@ def extract_columns(stdout: str) -> list:
             # the `>` is formatting, indicating that it's the active network
             first = first[2:].strip()
         items.append((first, second))
+
+    logger.debug(f"parsed iwctl output: {items!r}")
     return items
 
 def iwctl(args: list, sudo: bool = False) -> str:
@@ -47,12 +56,14 @@ def get_known() -> list:
     stdout = iwctl(["known-networks", "list"])
     stdout = rm_color(stdout)
     stdout = rm_heading(stdout)
+    logging.debug(f"iwctl known-networks list: got: {stdout}")
     return [name for (name, date) in extract_columns(stdout)]
 
 def get_visible() -> list:
     stdout = iwctl(["station", "wlan0", "get-networks", "rssi-dbms"])
     stdout = rm_color(stdout)
     stdout = rm_heading(stdout)
+    logging.debug(f"iwctl station wlan0 get-networks rssi-dbms: got: {stdout}")
     return [(name, int(strength)) for (name, strength) in extract_columns(stdout)]
 
 def choose_best(visible: list, known: list) -> str:
@@ -71,26 +82,40 @@ def restart() -> str:
         "iwd",
     ])
 
-print("scanning for networks... ", end="", flush=True)
-scan()
-print("done")
-print()
+def main():
+    print("scanning for networks... ", end="", flush=True)
+    scan()
+    print("done")
+    print()
 
-known = get_known()
-print("known networks:", "".join(f"\n\t{name}" for name in known))
-print()
+    known = get_known()
+    print("known networks:", "".join(f"\n\t{name}" for name in known))
+    print()
 
-visible = get_visible()
-print("visible networks:", "".join(f"\n\t{name}: {rss}" for (name, rss) in visible))
-print()
+    visible = get_visible()
+    print("visible networks:", "".join(f"\n\t{name}: {rss}" for (name, rss) in visible))
+    print()
 
-best = choose_best(visible, known)
+    best = choose_best(visible, known)
 
-try:
-    print(f"connecting to {best}")
-    result = connect(best)
-except subprocess.CalledProcessError as e:
-    print("restarting iwd daemon")
-    restart()
-else:
-    print("success", result)
+    try:
+        print(f"connecting to {best}")
+        result = connect(best)
+    except subprocess.CalledProcessError as e:
+        print("restarting iwd daemon")
+        restart()
+    else:
+        print("success", result)
+
+def parse_args(args: list):
+    for a in args:
+        if a in ("-v", "--verbose"):
+            logging.getLogger().setLevel(logging.DEBUG)
+        else:
+            raise ValueError(f"unexpected arg: {a}")
+
+
+if __name__ == '__main__':
+    logging.basicConfig()
+    parse_args(sys.argv[1:])
+    main()

pkgs/additional/sane-scripts/src/sane-wipe-browser

@@ -4,6 +4,8 @@
 rm -rf \
   ~/.librewolf/default/* \
   ~/.cache/librewolf/* \
+  ~/.mozilla/* \
+  ~/.cache/mozilla/firefox/* \
   ~/.config/chromium \
   ~/.cache/chromium \
   || true  # in case no matches

pkgs/additional/static-nix-shell/default.nix

@@ -42,6 +42,9 @@ in rec {
       (pname: " -p ${pname}")
       pkgExprs
     );
+    # allow any package to be a list of packages, to support things like
+    # -p python3Packages.foo.propagatedBuildInputs
+    pkgsEnv' = lib.flatten pkgsEnv;
   in
     stdenv.mkDerivation ({
       version = "0.1.0";  # default version
@@ -63,7 +66,7 @@ in rec {
 
         # add runtime dependencies to PATH
         wrapProgram $out/bin/${srcPath} \
-          --suffix PATH : ${lib.makeBinPath pkgsEnv }
+          --suffix PATH : ${lib.makeBinPath pkgsEnv' }
 
         runHook postInstall
       '';

pkgs/additional/sxmo-utils/0005-system-audio.patch

@@ -0,0 +1,21 @@
+diff --git a/configs/default_hooks/sxmo_hook_start.sh b/configs/default_hooks/sxmo_hook_start.sh
+index 194814d..beb9232 100755
+--- a/configs/default_hooks/sxmo_hook_start.sh
++++ b/configs/default_hooks/sxmo_hook_start.sh
+@@ -16,16 +16,6 @@ while ! superctl status > /dev/null 2>&1; do
+ 	sleep 0.5
+ done
+ 
+-# Load our sound daemons
+-
+-if [ "$(command -v pulseaudio)" ]; then
+-	superctl start pulseaudio
+-elif [ "$(command -v pipewire)" ]; then
+-	# pipewire-pulse will start pipewire
+-	superctl start pipewire-pulse
+-	superctl start wireplumber
+-fi
+-
+ # Periodically update some status bar components
+ sxmo_hook_statusbar.sh all
+ sxmo_daemons.sh start statusbar_periodics sxmo_run_aligned.sh 60 \

pkgs/additional/sxmo-utils/0006-block-suspend-any-mpris.patch

@@ -0,0 +1,13 @@
+diff --git a/configs/default_hooks/sxmo_hook_block_suspend.sh b/configs/default_hooks/sxmo_hook_block_suspend.sh
+index f394575..873b7b2 100755
+--- a/configs/default_hooks/sxmo_hook_block_suspend.sh
++++ b/configs/default_hooks/sxmo_hook_block_suspend.sh
+@@ -68,7 +68,7 @@ playing_mpc() {
+ }
+ 
+ playing_mpris() {
+-	command -v playerctl && [ "$(playerctl status)" = "Playing" ]
++	command -v playerctl && playerctl --all-players status | grep -q "Playing"
+ }
+ 
+ photos_processing() {

pkgs/additional/sxmo-utils/0105-more-apps.patch

@@ -0,0 +1,46 @@
+diff --git a/configs/default_hooks/sxmo_hook_apps.sh b/configs/default_hooks/sxmo_hook_apps.sh
+index ba70a31..085ef7d 100755
+--- a/configs/default_hooks/sxmo_hook_apps.sh
++++ b/configs/default_hooks/sxmo_hook_apps.sh
+@@ -31,6 +31,7 @@ write_line_app audacity "$icon_mic Audacity" "audacity"
+ write_line_app gnome-calculator "$icon_clc Calculator" "gnome-calculator"
+ write_line_app calcurse "$icon_clk Calcurse" "sxmo_terminal.sh calcurse"
+ write_line_app cmus "$icon_mus Cmus" "sxmo_terminal.sh cmus"
++write_line_app cozy "$icon_mus Cozy" "cozy"
+ write_line_app dino "$icon_msg Dino" "GDK_SCALE=1 dino"
+ write_line_app dolphin "$icon_dir Dolphin" "dolphin"
+ write_line_app emacs "$icon_edt Emacs (Terminal)" "sxmo_terminal.sh emacs -nw"
+@@ -60,13 +61,17 @@ write_line_app htop "$icon_cfg Htop" "sxmo_terminal.sh htop"
+ write_line_app irssi "$icon_msg Irssi" "sxmo_terminal.sh irssi"
+ write_line_app ii "$icon_msg Ii" "sxmo_terminal.sh ii"
+ write_line_app ipython "$icon_trm IPython" "sxmo_terminal.sh ipython"
++write_line_app jellyfinmediaplayer "$icon_mvi Jellyfin" "jellyfinmediaplayer"
+ write_line_app kasts "$icon_rss Kasts" "kasts"
+ write_line_app kmail "$icon_eml KMail" "kmail"
++write_line_app komikku "$icon_bok Komikku" "komikku"
+ write_line_app kontact "$icon_msg Kontact" "kontact"
+ write_line_app konversation "$icon_msg Konversation" "konversation"
++write_line_app koreader "$icon_bok KOReader" "koreader"
+ write_line_app kwrite "$icon_edt Kwrite" "kwrite"
+ write_line_app lagrange "$icon_glb Lagrange" "lagrange"
+ write_line_app lf "$icon_dir Lf" "sxmo_terminal.sh lf"
++write_line_app librewolf "$icon_glb Librewolf" "librewolf"
+ write_line_app lollypop "$icon_mus Lollypop" "lollypop"
+ write_line_app luakit "$icon_glb Luakit" "luakit"
+ write_line_app marble "$icon_map Marble" "marble"
+@@ -97,6 +102,7 @@ write_line_app senpai "$icon_msg Senpai" "sxmo_terminal.sh senpai"
+ write_line_app sic "$icon_msg Sic" "sxmo_terminal.sh sic"
+ ([ "$SXMO_WM" = dwm ] && command -v st >/dev/null) && \
+ 	write_line "$icon_trm St" "st -e $SHELL"
++write_line_app sublime-music "$icon_mus Sublime Music" "sublime-music"
+ write_line_app surf "$icon_glb Surf" "surf"
+ write_line_app syncthing "$icon_rld Syncthing" "syncthing"
+ write_line_app telegram-desktop "$icon_tgm Telegram" "telegram-desktop"
+@@ -105,6 +111,7 @@ write_line_app thunar "$icon_dir Thunar" "sxmo_terminal.sh thunar"
+ write_line_app thunderbird "$icon_eml Thunderbird" "thunderbird"
+ write_line_app com.github.bleakgrey.tootle "$icon_msg Tootle" "com.github.bleakgrey.tootle"
+ write_line_app totem "$icon_mvi Totem" "totem"
++write_line_app dev.geopjr.Tuba "$icon_msg Tuba" "dev.geopjr.Tuba"
+ write_line_app tuir "$icon_red Tuir" "sxmo_terminal.sh tuir"
+ write_line_app tut "$icon_msg Tut" "sxmo_terminal.sh tut"
+ write_line_app waydroid "$icon_and Waydroid" "waydroid show-full-ui"

pkgs/additional/sxmo-utils/0106-configurable-auto-screenoff.patch

@@ -0,0 +1,13 @@
+diff --git a/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh b/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
+index c9c4263..4c0fccf 100755
+--- a/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
++++ b/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
+@@ -37,7 +37,7 @@ sxmo_daemons.sh stop periodic_wakelock_check
+ # Go to screenoff after 8 seconds of inactivity
+ if ! [ -e "$XDG_CACHE_HOME/sxmo/sxmo.noidle" ]; then
+ 	sxmo_daemons.sh start idle_locker sxmo_idle.sh -w \
+-		timeout 8 "sxmo_hook_screenoff.sh"
++		timeout "${SXMO_LOCK_IDLE_TIME:-8}" "sxmo_hook_screenoff.sh"
+ fi
+ 
+ wait

pkgs/additional/sxmo-utils/customization/configs/default_hooks/sxmo_hook_start.sh

@@ -1,57 +0,0 @@
-#!/bin/sh
-
-# include common definitions
-# shellcheck source=scripts/core/sxmo_common.sh
-. sxmo_common.sh
-
-# Create xdg user directories, such as ~/Pictures
-xdg-user-dirs-update
-
-sxmo_daemons.sh start daemon_manager superd -v
-
-# let time to superd to start correctly
-while ! superctl status > /dev/null 2>&1; do
-	sleep 0.5
-done
-
-# Periodically update some status bar components
-sxmo_hook_statusbar.sh all
-sxmo_daemons.sh start statusbar_periodics sxmo_run_aligned.sh 60 \
-	sxmo_hook_statusbar.sh periodics
-
-# mako/dunst are required for warnings.
-# load some other little things here too.
-superctl start mako
-superctl start sxmo_wob
-superctl start sxmo_menumode_toggler
-superctl start bonsaid
-swaymsg output '*' bg "$SXMO_BG_IMG" fill
-
-# To setup initial lock state
-sxmo_hook_unlock.sh
-
-# Turn on auto-suspend
-if [ -w "/sys/power/wakeup_count" ] && [ -f "/sys/power/wake_lock" ]; then
-	superctl start sxmo_autosuspend
-fi
-
-# Turn on lisgd
-superctl start sxmo_hook_lisgd
-
-# Start the desktop widget (e.g. clock)
-superctl start sxmo_conky
-
-# Monitor the battery
-superctl start sxmo_battery_monitor
-
-# It watch network changes and update the status bar icon by example
-superctl start sxmo_networkmonitor
-
-# The daemon that display notifications popup messages
-superctl start sxmo_notificationmonitor
-
-# monitor for headphone for statusbar
-superctl start sxmo_soundmonitor
-
-# rotate UI based on physical display angle by default
-sxmo_daemons.sh start autorotate sxmo_autorotate.sh

pkgs/additional/sxmo-utils/default.nix

@@ -1,18 +1,82 @@
 { stdenv
+, bc
+, bemenu
+, bonsai
+, conky
+, dbus
 , fetchgit
 , gitUpdater
+, gnugrep
+, gojq
+, inotify-tools
+, j4-dmenu-desktop
+, jq
 , lib
+, libnotify
+, lisgd
+, makeWrapper
+, mako
+, mepo
+, modemmanager
+, nettools
+, playerctl
+, procps
+, pulseaudio
 , rsync
+, scdoc
+, sfeed
+, superd
+, sway
+, swayidle
+, wob
+, wvkbd
+, xdg-user-dirs
+, xdotool
 }:
 
+let
+  # anything which any sxmo script or default hook in this package might invoke
+  runtimeDeps = [
+    bc
+    bemenu
+    bonsai
+    conky
+    dbus
+    # dmenu  # or dmenu-wayland? only used on x11?
+    gnugrep
+    gojq
+    inotify-tools
+    j4-dmenu-desktop
+    jq
+    libnotify
+    lisgd
+    mako
+    mepo  # mepo_ui_central_menu.sh
+    modemmanager  # mmcli
+    nettools  # netstat
+    playerctl
+    procps  # pgrep
+    pulseaudio  # pactl
+    sfeed
+    superd
+    sway
+    swayidle
+    wob
+    wvkbd
+    xdg-user-dirs
+
+    # X11 only?
+    xdotool
+  ];
+in
 stdenv.mkDerivation rec {
   pname = "sxmo-utils";
-  version = "1.14.1";
+  version = "1.14.2";
 
   src = fetchgit {
     url = "https://git.sr.ht/~mil/sxmo-utils";
     rev = version;
-    hash = "sha256-UcJid1fi3Mgu32dCqlI9RQYnu5d07MMwW3eEYuYVBw4=";
+    hash = "sha256-1bGCUhf/bt9I8BjG/G7sjYBzLh28iZSC20ml647a3J4=";
   };
 
   patches = [
@@ -21,9 +85,14 @@ stdenv.mkDerivation rec {
     ./0002-ensure-log-dir.patch
     ./0003-fix-xkb-paths.patch
     ./0004-no-busybox.patch
+    # wanted to fix/silence some non-fatal errors
+    ./0005-system-audio.patch
+    ./0006-block-suspend-any-mpris.patch
 
-    # personal preferences:
+    # personal (but upstreamable) preferences:
     ./0104-full-auto-rotate.patch
+    ./0105-more-apps.patch
+    ./0106-configurable-auto-screenoff.patch
   ];
 
   postPatch = ''
@@ -31,20 +100,42 @@ stdenv.mkDerivation rec {
     sed -i "s@/etc/profile\.d/sxmo_init.sh@$out/etc/profile.d/sxmo_init.sh@" scripts/core/*.sh
     sed -i "s@/usr/bin/@@g" scripts/core/sxmo_version.sh
     sed -i 's:ExecStart=/usr/bin/:ExecStart=/usr/bin/env :' configs/superd/services/*.service
-
-    # apply customizations
-    # - xkb_mobile_normal_buttons:
-    #   - on devices where volume is part of the primary keyboard (e.g. thinkpad), we want to avoid overwriting the default map
-    #   - this provided map is the en_US 105 key map
-    ${rsync}/bin/rsync -rlv ${./customization}/ ./
   '';
 
+  nativeBuildInputs = [
+    makeWrapper
+    scdoc
+  ];
+
   installFlags = [
     "OPENRC=0"
     "DESTDIR=$(out)"
     "PREFIX="
   ];
 
+  # we don't wrap sxmo_common.sh or sxmo_init.sh
+  # which is unfortunate, for non-sxmo-utils files that might source though.
+  # if that's a problem, could inject a PATH=... line into them with sed.
+  postInstall = ''
+    for f in \
+      $out/bin/*.sh \
+      $out/share/sxmo/default_hooks/desktop/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/one_button_e_reader/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/three_button_touchscreen/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/sxmo_hook_*.sh \
+    ; do
+      case $(basename $f) in
+        (sxmo_common.sh|sxmo_deviceprofile_*.sh|sxmo_hook_icons.sh|sxmo_init.sh)
+          # these are sourced by other scripts: don't wrap them else the `exec` in the wrapper breaks the outer script
+        ;;
+        (*)
+          wrapProgram "$f" \
+            --prefix PATH : "${lib.makeBinPath runtimeDeps}"
+        ;;
+      esac
+    done
+  '';
+
   passthru = {
     providedSessions = [ "sxmo" "swmo" ];
     updateScript = gitUpdater { };

pkgs/additional/unftp/default.nix

@@ -0,0 +1,25 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "unftp";
+  version = "0.14.3";
+
+  src = fetchFromGitHub {
+    owner = "bolcom";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-+UL8xflnumOiWL5b9/azH9OW+X+6hRcxjiyWhCSWQRg=";
+  };
+
+  cargoHash = "sha256-rXCDPVi3JZrC4iqgqAirigDa3fNIbkVgSo0qWHXEnvQ=";
+
+  meta = with lib; {
+    description = "unFTP is an open-source FTP(S) (not SFTP) server aimed at the Cloud that allows bespoke extension through its pluggable authenticator, storage back-end and user detail store architectures.";
+    homepage = "https://unftp.rs/";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ colinsane ];
+  };
+}

pkgs/additional/zecwallet-light-cli/default.nix

@@ -0,0 +1,38 @@
+{ lib
+, buildPackages
+, fetchFromGitHub
+, rustfmt
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "zecwallet-light-cli";
+  version = "1.7.7";
+
+  src = fetchFromGitHub {
+    owner = "adityapk00";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-8qr6GIldJcybQwXbdZxFVGvFPJErLpqCEIuGJw1z0qQ=";
+  };
+
+  cargoLock = {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "equihash-0.1.0" = "sha256-/QJoQKBJajNofD71e5rNVzYSw3WqXlIXPVE1BIaKGmE=";
+    };
+  };
+
+  nativeBuildInputs = [
+    rustfmt
+  ];
+
+  env.PROTOC = lib.getExe buildPackages.protobuf;
+
+  meta = with lib; {
+    description = "Zecwallet-Lite is z-Addr first lightwallet for Zcash";
+    homepage = "https://github.com/adityapk00/zecwallet-light-cli";
+    license = licenses.mit;
+    maintainers = with maintainers; [ colinsane ];
+  };
+}

pkgs/default.nix

@@ -10,8 +10,9 @@ let
   lib = pkgs.lib;
   unpatched = pkgs;
 
-  pythonPackagesOverlay = py-final: py-prev: import ./python-packages {
+  pythonPackagesOverlayFor = pkgs: py-final: py-prev: import ./python-packages {
     inherit (py-final) callPackage;
+    inherit pkgs;
   };
   final' = if final != null then final else pkgs.appendOverlays [(_: _: sane)];
   sane = with final'; {
@@ -25,8 +26,13 @@ let
     browserpass-extension = callPackage ./additional/browserpass-extension { };
     cargoDocsetHook = callPackage ./additional/cargo-docset/hook.nix { };
     feeds = lib.recurseIntoAttrs (callPackage ./additional/feeds { });
+    lemoa = callPackage ./additional/lemoa { };
     jellyfin-media-player-qt6 = callPackage ./additional/jellyfin-media-player-qt6 { };
     gopass-native-messaging-host = callPackage ./additional/gopass-native-messaging-host { };
+    gpodder-adaptive = callPackage ./additional/gpodder-adaptive { };
+    gpodder-adaptive-configured = callPackage ./additional/gpodder-configured {
+      gpodder = final'.gpodder-adaptive;
+    };
     gpodder-configured = callPackage ./additional/gpodder-configured { };
     hare-ev = unpatched.hare-ev or (callPackage ./additional/hare-ev { });
     hare-json = unpatched.hare-json or (callPackage ./additional/hare-json { });
@@ -34,11 +40,14 @@ let
     linux-megous = callPackage ./additional/linux-megous { };
     mx-sanebot = callPackage ./additional/mx-sanebot { };
     rtl8723cs-firmware = callPackage ./additional/rtl8723cs-firmware { };
+    # TODO: use `recurseIntoAttrs` ?
     sane-scripts = callPackage ./additional/sane-scripts { };
     static-nix-shell = callPackage ./additional/static-nix-shell { };
     sublime-music-mobile = callPackage ./additional/sublime-music-mobile { };
     sxmo-utils = callPackage ./additional/sxmo-utils { };
     tow-boot-pinephone = callPackage ./additional/tow-boot-pinephone { };
+    unftp = callPackage ./additional/unftp { };
+    zecwallet-light-cli = callPackage ./additional/zecwallet-light-cli { };
 
     # packages i haven't used for a while, may or may not still work
     # fluffychat-moby = callPackage ./additional/fluffychat-moby { };
@@ -55,7 +64,6 @@ let
 
     # provided by nixpkgs patch or upstream PR
     # i still conditionally callPackage these to make them available to external consumers (like NUR)
-    cargo-docset = unpatched.cargo-docset or (callPackage ./additional/cargo-docset { });
     splatmoji = unpatched.splatmoji or (callPackage ./additional/splatmoji { });
 
 
@@ -74,6 +82,8 @@ let
 
     browserpass = callPackage ./patched/browserpass { inherit (unpatched) browserpass; };
 
+    cozy = callPackage ./patched/cozy { inherit (unpatched) cozy; };
+
     # mozilla keeps nerfing itself and removing configuration options
     firefox-unwrapped = callPackage ./patched/firefox-unwrapped { inherit (unpatched) firefox-unwrapped; };
 
@@ -89,19 +99,18 @@ let
     jackett = callPackage ./patched/jackett { inherit (unpatched) jackett; };
 
     lemmy-server = callPackage ./patched/lemmy-server { inherit (unpatched) lemmy-server; };
-    lemmy-ui = callPackage ./patched/lemmy-ui { inherit (unpatched) lemmy-ui; };
 
     phoc = callPackage ./patched/phoc { inherit (unpatched) phoc; };
 
 
     ### PYTHON PACKAGES
     pythonPackagesExtensions = (unpatched.pythonPackagesExtensions or []) ++ [
-      pythonPackagesOverlay
+      (pythonPackagesOverlayFor final')
     ];
     # when this scope's applied as an overlay pythonPackagesExtensions is propagated as desired.
     # but when freestanding (e.g. NUR), it never gets plumbed into the outer pkgs, so we have to do that explicitly.
     python3 = unpatched.python3.override {
-      packageOverrides = pythonPackagesOverlay;
+      packageOverrides = pythonPackagesOverlayFor final';
     };
   };
 in sane

pkgs/patched/cozy/default.nix

@@ -0,0 +1,10 @@
+{ cozy, fetchpatch }: cozy.overrideAttrs (upstream: {
+  patches = upstream.patches or [] ++ [
+    (fetchpatch {
+      # 2023/03/29: Fix "invalid version" crash on startup
+      url = "https://github.com/geigi/cozy/pull/762.diff";
+      hash = "sha256-Wk03NGVU7OsQu3AGILtRsQX2r+wPOt5U85cOWu4q6Uo=";
+    })
+  ];
+  passthru = (upstream.passthru or {}) // { upstream.cozy = cozy; };
+})

pkgs/patched/lemmy-server/debug-db-migrations.patch

@@ -0,0 +1,24 @@
+diff --git a/src/code_migrations.rs b/src/code_migrations.rs
+index c69ce591..b416a299 100644
+--- a/src/code_migrations.rs
++++ b/src/code_migrations.rs
+@@ -36,7 +36,7 @@ use lemmy_db_schema::{
+   utils::{get_conn, naive_now, DbPool},
+ };
+ use lemmy_utils::{error::LemmyError, settings::structs::Settings};
+-use tracing::info;
++use tracing::{debug, info};
+ use url::Url;
+ 
+ pub async fn run_advanced_migrations(pool: &DbPool, settings: &Settings) -> Result<(), LemmyError> {
+@@ -419,7 +419,9 @@ async fn initialize_local_site_2022_10_10(
+   info!("Running initialize_local_site_2022_10_10");
+ 
+   // Check to see if local_site exists
+-  if LocalSite::read(pool).await.is_ok() {
++  let local_site = LocalSite::read(pool).await;
++  debug!("local_site: {local_site:?}");
++  if local_site.is_ok() {
+     return Ok(());
+   }
+   info!("No Local Site found, creating it.");

pkgs/patched/lemmy-server/default.nix

@@ -6,5 +6,7 @@ lemmy-server.overrideAttrs (upstream: {
     ./fix-db-migrations.patch
     # log the database connection events, for debugging
     # ./log-startup.patch
+    # print more debug info about specific problem paths i've encountered
+    # ./debug-db-migrations.patch
   ];
 })

pkgs/patched/lemmy-ui/default.nix

@@ -1,5 +0,0 @@
-{ lemmy-ui, nodejs }:
-lemmy-ui.override {
-  # build w/ latest nodejs; not 14.x
-  inherit nodejs;
-}

pkgs/python-packages/default.nix

@@ -1,4 +1,5 @@
-{ callPackage }:
+{ callPackage, pkgs }:
 {
   feedsearch-crawler = callPackage ./feedsearch-crawler { };
+  sane-lib = pkgs.sane-scripts.lib;
 }

secrets/common/komikku_accounts.json.bin

@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:I5aFFEqFRGgSl10ERRws9ZfUCycYK/ZqJOKYv6EzrQvSouX8r3K8xvUrSllMVDEBIKE3uEDWOull0718kwElotTBnjI5ue6ZT8+MZm9YWn5XNiykPlnMgF0CO+YpsD+3Yy83th81YjiThc/ICLQJK2KJPZfk/ruPLqCfk2uOppquHyOr+7fIw3+A4c/Y,iv:cWYK9dqGxQixA50zhIOhlff1AhhIQajpz4iEDEAGe8c=,tag:TR2OabJEhILsrCGG0AOgvg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTY1loeFVEYkRYclRuMVZl\nVjVKTE53ZUZUV29wci9hZU9acG1EVVhZOHhvCnR5RGo3OE5CN0Q4R2FOV0ZaMXYr\nOFVTYTVmbkxxbmZqajlGaFR5cm9VSlEKLS0tIDk4VVVkVjVxci8xakN0R1Q3TEpn\nd3hwbk4zUDlmK3lERWkzajc2Sk1zT2MKstjQeXTdt7HJlhAeHInk+yPxcOmPv+zE\nQ8tB8do8lvSpDGVA8tWzCE0dXiX8AGXp2eW9Vu8dDLkToT9V7MDVeA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFeGdTV2FzS0pMZkFWRjVG\nbkxhL2pOdG9peUJZbXR1TGhOSWtoRzlvS2pBCm1LRXpqV3BqekVQejk4ZzcydEFs\nRk5tM1dLYS93dmRWMkMxR3R4T0dRM1UKLS0tIHN5U2ZwaVBCcmZSa09GSTlTZmxI\naEZ6SE1KODd5SUU4bDQzbXlldmRMOG8Kw3VGUaRVi/rdo7PsVDS8+TELqZYuQ91u\nknpWJyliPG+Yhst1FmxDTZGksRZcYBiwt3gYuHuBKm1WTwYVUevWEw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0NVS1V0MEVrSzFkc0Q3\nb3dSUzcwVDNWVmFyVEVKdkdEZGdoY0lHSVNFCmZqVjRiSFZrb3N6NndFTG8rMXJS\nbkdzeXlOTE1qUFBtM05uMjJsakdKcFEKLS0tIHJPQTFwdVlWTlVYTEM4bmc3eHQ5\nSHVYeFZ3ZVAvUW8reHBjMkVVY25acVEKY9XbOaFURubHh4fTpVVkuTpQnYoABgxy\n/XyA79WpjRlzvXa52ac9K9QgE8R/HSIeIH1j2M3yRWXs+Jw2TtGaGg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZC9SWGhUdzlYNWdLc21w\nbkVlUVZvbjJCL3pPOEJ5Rk5pQVVLRUN6clFrCkphUVUvOHc0OCtIRnNWWVRaWlNV\nQ20xSGo0b3htd1NlUXJQa2E3bFZSZFEKLS0tIHJhTkNoeC90RlRyUWlCNGtReTl6\nanNjV1NQeG1PempPOVNaMjJ0S3FLTTgK0EcUFCHfm47HEBHiEvs3TbylsSxAJ15p\nNOwgCIMFeaTNgkLuXDEYurNN0H6ioXaBNV2ecy7aHNLLgOyayW/jew==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1THg4QlVXQ2dFSG0zL29h\ndW1ubnpzeWt4cE8xMkVQbTU3QU9wQlkyWmk0Cm02VmlVTGRnVmhDdytuQ3VxdGRS\nTWh6UkpKajRiUnJxU0YvaWdhMmN3akEKLS0tIHJvYVAvMjl6eDltSWZsNjFvOHNX\nbzQweHc1d3FRK2VaVmQ1UjN1R0pEbFEKU/nabtnnzwoTjrJ7Rib44Fwfcce52Obl\nsoz5ZSOSGJSn4h/usUg/WoEJYe7Ill7skxlUXExAdnvIpMrBpQlcbQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUkE5L2RPRG4weUVBVGcr\nam9FVm0vYSt1NFZJVjV1ZStNRi8zUFZsSURRClRkY1d4R0xLaUw3ZWpZdnZUUFM1\nVmF3cFF5OWY3enR6TVNiOVhwOGRNVTgKLS0tIFhXdzZzTlN3VCt6UHVncTB1bHZK\nRkY4YjU4QVpFTU16VENMVnR0ZVl0QjAKMbnsrwvGcAVVpMMVmKR1XANWoI3ZmuCI\nXHQh+XzKcCOQ1tRG071RthuptK8ALxxXuGzNfXYqAhjF02v6U5SBmA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvQ2tTSHJiV3FreXFnTGdn\nM2xsWHdEeTY0U1VwaERzTlM0UlhkZ3RERXdZCmFHdFRrTC9wOHdLazNBVDhHcVM1\ndkZFdnZIV3VUZWtXbjFkNkF6SjhLWTAKLS0tIFppaUxZM3ZSamFrR3RCSlJsWXRy\nYmtPa0UyK3JlbHZ2VVUyeUE5VEJDdW8KO6AE2G7E08C+TAhEa0F25kD4fm/VLftT\nFrkA5KoAwv5tbtrLbRN7hS1JPoh2zktuH/v4o+bXhoKBOcftcbTa2w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMUGZJckY2Q3VqSXZYQWp5\nNEc0WkFsSitmWEwvaTFWUW82YUlYMm40eW5zClBOeDBsb3Z3a1I3OHFMT1RxTHZ1\nbnNBRUZlaE5jcnVvQjQxaktkaTZkT1kKLS0tIEcvK0tieTZvdjEyTHVVckFZUERj\nQkFxc3dLQWd4dERiZGhza2NMM3JoSTAKkm3T5FYSo4DU7Pw4wjVoDtMk3WognNH0\niJ8f6kW907ypotbAH0NZffQtikzhO63F0cPI3zQxbx2/7Bf8lw6QjA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-06-13T04:08:00Z",
+		"mac": "ENC[AES256_GCM,data:hHm37lhU+Y3gZmlJBfX0gBrCjMBEpd3xCV1Zw9lY3npOghMzLVRT3TROKRss73ydGpebYAZpNTinf7f47Z1Is/kdDRVQUwcaujEj8/uMkL6Lbe2/Ic9gzfu5Hn/CJkFeKzGwdeQ1nv+6PPP+fFsgIB7qaqcTajbkWWhL5O9sdeg=,iv:tK7hTYGvjHWNTbyiqB2lG6mKHOAl1HQoGBYjd8bhpI0=,tag:qKFeFt+0SNRt1T1COkPr9w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

secrets/common/snippets.bin

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:xyD4tqHo7IUxPvJnZi0tiFXeTXVCnFJlCTtz1YUxcDh6pXYhUmsxudDM9/V/1FsUQHCrq/TtccdjPrPWChv+ty1/dIdUeGNyEZ73nOUamahmvfEtvXuTP0KOLy68BQHRImkomXlqaYRamEyPkMwaqUABQ3XD5UwwFZWZ+mhdbQsOPxUHpgFz2kL1nYPlueQG1XzSy+ZhWH5GPfu3GRN2XNOMeTlKhy9q,iv:yrwtQz+K9UHIvPT099uyJFrnAvfVzqYrT8mTEYUaJPQ=,tag:fYd4b7wwbfKEylISUsyajQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:Xb7ciXubOq0HV5BUeOzWSsZuHll8qye/2EmxQeFAMjVcH8v2fKkO3CBrXuXo+YgBvzxqQGjF5EyZb4S8aAC2fBg/iXEb7DFrx8U7FE17gnzhrprz3lKEuT1eTTgr55wwY2Ep6etEBMLpamVJGtYh9Z8jMlCsMnRhKHo0r7LTDMr7SrlIcB2wncLhxhpfU4QcKJAJmTVm1uPPng7hWZpeaGTdysNq5QZGPNU7PDxMf3AQPHVyNQeaC+kFkPFYtY4e3QRpT1wIV4i5QfyepzkXZIw9e+7Cmelip6UAtTb4KIshPjA9H3n+95O9Jf7TvYB6yQm5kQ7Npbv8KMc5e8YNA9A1XhtKZUWhIY6tBfbjJzDhx/OKp1V6si6NLJbCRRVO6V27tvPsQCrMVfeN8h2o0qYGl6gB,iv:cgHsvkqK55ewPv703vkNQpPBIaLm2KGEUvYu+y1nj/U=,tag:M3ISprl6B+1ELwHTJM6vUg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -39,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTXlSVVhxczNIRGIwZEdW\nSm14aFYzTEFoSGt2SzZKc21OaVpTVmNrSXd3Cis5UTRQMzJSaVdwTkdrQmxLSlRp\nUXBGZ0huUUJnVHVHaUtyUGI4cXdrTVkKLS0tIHVWeEVsOXRRTFRZalI4bWdwcy9a\nV1EwTHhqemRFVHlZR3N4SGRibDhWZzAKVfqqfrKPWtxnIgdvgo7yTe24dleOZAIZ\nZKFCZ3NqibMaRI324E2PrJSAij0lNJyulxpLx4chA7yN84v4vuQToA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2023-01-02T12:37:44Z",
-		"mac": "ENC[AES256_GCM,data:VXycD0JG1nPGFefI6gsG2zQh7NjG+bKCyMjyfWkRJyjomJlGaLMDF/8iUAhRHGgBuAmhZuu8nyZHky8F9CEgtktpY4/b/b3eH4NVuWlQ04MrpO24RrRgwyN+WrtG4FWEnbA4QtOLu64pTMQlQgRseL30u+RNQ6eT+ycx71/6r6A=,iv:YtRe37O4Zht148zbjplIKbUfVvghYDH2ErDbKJN2qdc=,tag:AKjzatu7Iy49Dg8lkwiWpA==,type:str]",
+		"lastmodified": "2023-06-14T02:30:17Z",
+		"mac": "ENC[AES256_GCM,data:whfz1cnhbvu6fJC2J6cFpKXJjxFJDjpMDHyZ9oeZYiiS91zR0kq/szIvt//VwVgXNZCjOtk/44VQPwRCuHmINFV509q1jnzsQ999EcYnqMO0+fSxuEhlNHflyy7i/F+Ideofmvg6OFh4sOoD1hfsDhSZ32h/J0ZdS/kCbMGyHrk=,iv:/msAx0fF75YWb67BlP2NwvZJPlCsnxhxO/xcRukH9Ek=,tag:ttJYyYwtvH61/RI+Uo57gg==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"