lemmy: redirect to the simpler patch i plan to upstream

especially this means i no longer run them on moby, improving battery life & such

.sops.yaml

@@ -8,7 +8,7 @@ keys:
   - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
   - &host_moby age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
 creation_rules:
-  - path_regex: secrets/universal*
+  - path_regex: secrets/common*
     key_groups:
     - age:
       - *user_desko_colin
@@ -26,19 +26,19 @@ creation_rules:
       - *user_lappy_colin
       - *user_servo_colin
       - *host_servo
-  - path_regex: secrets/desko.yaml$
+  - path_regex: secrets/desko*
     key_groups:
     - age:
       - *user_desko_colin
       - *user_lappy_colin
       - *host_desko
-  - path_regex: secrets/lappy.yaml$
+  - path_regex: secrets/lappy*
     key_groups:
     - age:
       - *user_lappy_colin
       - *user_desko_colin
       - *host_lappy
-  - path_regex: secrets/moby.yaml$
+  - path_regex: secrets/moby*
     key_groups:
     - age:
       - *user_desko_colin

README.md

@@ -20,6 +20,8 @@ directly here; even the sources for those packages is often kept here too.
     - the bulk of config which isn't factored with external use in mind.
     - that is, if you were to add this repo to a flake.nix for your own use,
       you won't likely be depending on anything in this directory.
+- `integrations/`
+    - code intended for consumption by external tools (e.g. the Nix User Repos)
 - `modules/`
     - config which is gated behind `enable` flags, in similar style to nixpkgs'
       `nixos/` directory.
@@ -32,7 +34,7 @@ directly here; even the sources for those packages is often kept here too.
 - `pkgs/`
     - derivations for things not yet packaged in nixpkgs.
     - derivations for things from nixpkgs which i need to `override` for some reason.
-    - inline code for wholly custom packages (e.g. `pkgs/sane-scripts/` for CLI tools
+    - inline code for wholly custom packages (e.g. `pkgs/additional/sane-scripts/` for CLI tools
       that are highly specific to my setup).
 - `scripts/`
     - scripts which are referenced by other things in this repo.
@@ -94,6 +96,12 @@ this should be a pretty "standard" flake. just reference it, and import either
 - `nixosModules.sane` (for the modules)
 - `overlays.pkgs` (for the packages)
 
+## Mirrors
+
+this repo exists in a few known locations:
+- primary: <https://git.uninsane.org/colin/nix-files>
+- mirror: <https://github.com/nix-community/nur-combined/tree/master/repos/colinsane>
+
 ## Contact
 
 if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc,

TODO.md

@@ -0,0 +1,67 @@
+## BUGS:
+- fix nur evaluation
+
+## REFACTORING:
+### sops/secrets
+- attach secrets to the thing they're used by (sane.programs)
+- rework secrets to leverage `sane.fs`
+- remove sops activation script as it's covered by my systemd sane.fs impl
+
+### roles
+- allow any host to take the role of `uninsane.org`
+    - will make it easier to test new services?
+
+### upstreaming
+- upstream lemmy nginx integration
+- add updateScripts to all my packages in nixpkgs
+- fix lightdm-mobile-greeter for newer libhandy
+- port zecwallet-lite to a from-source build
+- fix or abandon Whalebird
+
+
+## IMPROVEMENTS:
+### security/resilience
+- validate duplicity backups!
+- encrypt more ~ dirs (~/archives, ~/records, ..?)
+    - best to do this after i know for sure i have good backups
+- have `sane.programs` be wrapped such that they run in a cgroup?
+    - at least, only give them access to the portion of the fs they *need*.
+    - Android takes approach of giving each app its own user: could hack that in here.
+- canaries for important services
+    - e.g. daily email checks; daily backup checks
+
+### user experience
+- firefox/librewolf: don't show browserpass/sponsorblock/metamask "first run" on every boot
+- moby: improve gPodder launch time
+- moby: replace jellyfin-desktop with jellyfin-vue?
+    - allows (maybe) to cache media for offline use
+    - "newer" jellyfin client
+    - not packaged for nix
+- find a nice desktop ActivityPub client
+- package Nix/NixOS docs for Zeal
+    - install [doc-browser](https://github.com/qwfy/doc-browser)
+    - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
+    - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
+- auto-mount servo
+- have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
+- `sane.programs`: auto-populate defaults with everything from `pkgs`
+
+### perf
+- why does nixos-rebuild switch take 5 minutes when net is flakey?
+    - trying to auto-mount servo?
+    - something to do with systemd services restarting/stalling
+    - maybe wireguard & its refresh operation, specifically?
+- fix OOM for large builds like webkitgtk
+    - these use significant /tmp space.
+    - either place /tmp on encrypted-cleared-at-boot storage
+        - which probably causes each CPU load for the encryption
+    - **or set up encrypted swap**
+        - encrypted swap could remove the need for my encrypted-cleared-at-boot stuff
+
+
+## NEW FEATURES:
+- add a FTP-accessible file share to servo
+    - just /var/www?
+- migrate MAME cabinet to nix
+    - boot it from PXE from servo?
+- enable IPv6

flake.lock

@@ -18,11 +18,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1680563603,
-        "narHash": "sha256-gxSci3NTlzgkAOhaC93Q4lReX/Pjd7++imD85JOAlps=",
+        "lastModified": 1683422260,
+        "narHash": "sha256-79zaClbubRkBNlJ04OSADILuLQHH48N5fu296hEWYlw=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "4aa0afd84005b79be4d5361b56a60df9e9bd4ea3",
+        "rev": "ba4638836e94a8f16d1d1f9e8c0530b86078029c",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1682173319,
-        "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
+        "lastModified": 1684025543,
+        "narHash": "sha256-hGe7S+i5je+8E/b2mOXVI9nmr038Dw+bV8e1P8xHSe0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
+        "rev": "c6d2f3dc0d3efd4285eebe4f8a36a47ba438138e",
         "type": "github"
       },
       "original": {
@@ -82,16 +82,16 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1682404149,
-        "narHash": "sha256-vilYNldFXiu56HGD0lPcWsiED7EmjGMViCLZoQsv7Jk=",
+        "lastModified": 1684049129,
+        "narHash": "sha256-7WB9LpnPNAS8oI7hMoHeKLNhRX7k3CI9uWBRSfmOCCE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d0ea36ece469a71a909ebff90777c2f7a49478bb",
+        "rev": "0470f36b02ef01d4f43c641bbf07020bcab71bf1",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "staging-next",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -113,11 +113,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1682338428,
-        "narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
+        "lastModified": 1684032930,
+        "narHash": "sha256-ueeSYDii2e5bkKrsSdP12JhkW9sqgYrUghLC8aDfYGQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
+        "rev": "a376127bb5277cd2c337a9458744f370aaf2e08d",
         "type": "github"
       },
       "original": {
@@ -134,11 +134,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682815555,
-        "narHash": "sha256-mu4axnbR6cSgnNBGrSydxmKlKWrnHLKlpNmmbqD2V9E=",
+        "lastModified": 1682850047,
+        "narHash": "sha256-PY042BW4nF+rIM4qTSI+74FoIpvcJJ3kSYwmcEWtO/k=",
         "ref": "refs/heads/master",
-        "rev": "da209f34ce34eb6b8c4d2b3256a02eb23ad9f655",
-        "revCount": 191,
+        "rev": "257c45a8b7c5f7edc309362097193900c072040a",
+        "revCount": 192,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -43,8 +43,8 @@
     #   - use `staging` if no staging-next branch has been cut.
     #
     # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
     # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging";
 
     mobile-nixos = {
@@ -92,36 +92,31 @@
         nixpkgs = nixpkgs-unpatched;
       };
 
-      nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
+      nixpkgsCompiledBy = system: nixpkgs.legacyPackages."${system}";
 
-      evalHost = { name, local, target }:
-        let
-          # XXX: we'd prefer to use `nixosSystem = (nixpkgsCompiledBy target).nixos`
-          # but it doesn't propagate config to the underlying pkgs, meaning it doesn't let you use
-          # non-free packages even after setting nixpkgs.allowUnfree.
-          # XXX: patch using the target -- not local -- otherwise the target will
-          # need to emulate the host in order to rebuild!
-          nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
-        in
-          (nixosSystem {
-            modules = [
-              (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
-              self.nixosModules.default
-              self.nixosModules.passthru
-              {
-                nixpkgs.overlays = [
-                  self.overlays.disable-flakey-tests
-                  self.overlays.passthru
-                  self.overlays.pins
-                  self.overlays.pkgs
-                  # self.overlays.optimizations
-                ];
-                nixpkgs.hostPlatform = target;
-                # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
-                # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
-              }
+      evalHost = { name, local, target }: nixpkgs.lib.nixosSystem {
+        system = target;
+        modules = [
+          (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
+          self.nixosModules.default
+          self.nixosModules.passthru
+          {
+            nixpkgs.overlays = [
+              self.overlays.disable-flakey-tests
+              self.overlays.passthru
+              self.overlays.pins
+              self.overlays.pkgs
+              # self.overlays.optimizations
             ];
-          });
+          }
+          ({ lib, ... }: {
+            # TODO: does the earlier `system` arg to nixosSystem make its way here?
+            nixpkgs.hostPlatform.system = target;
+            # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
+            # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
+          })
+        ];
+      };
     in {
       nixosConfigurations =
         let

hosts/README.md

@@ -0,0 +1,7 @@
+## directory structure
+- by-name/<hostname>: configuration which is evaluated _only_ for the given hostname
+- common/: configuration which applies to all hosts
+- modules/: nixpkgs-style modules which may be used by multiple hosts, but configured separately per host.
+    - ideally no module here has effect unless `enable`d
+        - however, `enable` may default to true
+        - and in practice some of these modules surely aren't fully "disableable"

hosts/by-name/desko/default.nix

@@ -4,12 +4,16 @@
     ./fs.nix
   ];
 
+  sops.secrets.colin-passwd.neededForUsers = true;
+
   sane.roles.build-machine.enable = true;
+  sane.roles.ac = true;
   sane.roles.client = true;
+  sane.roles.dev-machine = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.services.duplicity.enable = true;
-  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
+  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
 
   sane.gui.sway.enable = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;
@@ -22,11 +26,6 @@
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
 
-  sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/desko.yaml;
-    neededForUsers = true;
-  };
-
   # don't enable wifi by default: it messes with connectivity.
   systemd.services.iwd.enable = false;
 
@@ -44,10 +43,6 @@
     '';
   };
 
-  sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../../secrets/desko.yaml;
-  };
-
   programs.steam = {
     enable = true;
     # not sure if needed: stole this whole snippet from the wiki

hosts/by-name/lappy/default.nix

@@ -4,9 +4,8 @@
     ./fs.nix
   ];
 
-  sane.yggdrasil.enable = true;
-
   sane.roles.client = true;
+  sane.roles.dev-machine = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
@@ -19,12 +18,8 @@
     "desktopGuiApps"
     "stepmania"
   ];
-  sane.programs.mx-sanebot.enableFor.system = true;  # for the docs
 
-  sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/lappy.yaml;
-    neededForUsers = true;
-  };
+  sops.secrets.colin-passwd.neededForUsers = true;
 
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:

hosts/by-name/moby/default.nix

@@ -15,12 +15,9 @@
   users.users.colin.initialPassword = "147147";
   services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
-  sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/moby.yaml;
-    neededForUsers = true;
-  };
+  sops.secrets.colin-passwd.neededForUsers = true;
 
-  sane.web-browser = {
+  sane.programs.web-browser.config = {
     # compromise impermanence for the sake of usability
     persistCache = "private";
     persistData = "private";
@@ -31,6 +28,7 @@
   };
 
   sane.user.persist.plaintext = [
+    # TODO: make this just generally conditional upon pulse being enabled?
     ".config/pulse"  # persist pulseaudio volume
   ];
 

hosts/by-name/moby/kernel.nix

@@ -44,68 +44,6 @@ let
       "sha256-6ywm3dQQ5JYl60CLKarxlSUukwi4QzqctCj3tVgzFbo="
     )
   ];
-
-  # pinephone uses the linux dtb at arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi
-  # - this includes sun50i-a64.dtsi
-  # - and sun50i-a64-cpu-opp.dtsi
-  # - no need to touch the allwinner-h6 stuff: that's the SBC pine product
-  # - i think it's safe to ignore sun9i stuff, but i don't know what it is
-  kernelConfig = with lib.kernel; {
-    # NB: nix adds the CONFIG_ prefix to each of these.
-    # if you add the prefix yourself nix will IGNORE YOUR CONFIG.
-    RTL8723CS = module;
-    BT_HCIUART_3WIRE = yes;
-    BT_HCIUART_RTL = yes;
-    RTL8XXXU_UNTESTED = yes;
-    BT_BNEP_MC_FILTER = yes;
-    BT_BNEP_PROTO_FILTER = yes;
-    BT_HS = yes;
-    BT_LE = yes;
-    # relevant configs inherited from nixos defaults (or above additions):
-    # CONFIG_BT=m
-    # CONFIG_BT_BREDR=y
-    # CONFIG_BT_RFCOMM=m
-    # CONFIG_BT_RFCOMM_TTY=y
-    # CONFIG_BT_BNEP=m
-    # CONFIG_BT_HIDP=m
-    # CONFIG_BT_RTL=m
-    # CONFIG_BT_HCIBTUSB=m
-    # CONFIG_BT_HCIBTUSB_BCM=y
-    # CONFIG_BT_HCIBTUSB_RTL=y
-    # CONFIG_BT_HCIUART=m
-    # CONFIG_BT_HCIUART_SERDEV=y
-    # CONFIG_BT_HCIUART_H4=y
-    # CONFIG_BT_HCIUART_LL=y
-    # CONFIG_RTL_CARDS=m
-    # CONFIG_RTLWIFI=m
-    # CONFIG_RTLWIFI_PCI=m
-    # CONFIG_RTLWIFI_USB=m
-    # CONFIG_RTLWIFI_DEBUG=y
-    # CONFIG_RTL8723_COMMON=m
-    # CONFIG_RTLBTCOEXIST=m
-    # CONFIG_RTL8XXXU=m
-    # CONFIG_RTLLIB=m
-    # consider adding (from mobile-nixos):
-    # maybe: CONFIG_BT_HCIUART_3WIRE=y
-    # maybe: CONFIG_BT_HCIUART_RTL=y
-    # maybe: CONFIG_RTL8XXXU_UNTESTED=y
-    # consider adding (from manjaro):
-    # CONFIG_BT_6LOWPAN=m  (not listed as option in nixos kernel)
-    # these are referenced in the rtl8723 source, but not known to config (and not in mobile-nixos config
-    # maybe: CONFIG_RTL_ODM_WLAN_DRIVER
-    # maybe: CONFIG_RTL_TRIBAND_SUPPORT
-    # maybe: CONFIG_SDIO_HCI
-    # maybe: CONFIG_USB_HCI
-  };
-
-  # create a kernelPatch which overrides nixos' defconfig with extra options
-  patchDefconfig = config: {
-    # defconfig options. this method comes from here:
-    # - https://discourse.nixos.org/t/the-correct-way-to-override-the-latest-kernel-config/533/9
-    name = "sane-moby-defconfig";
-    patch = null;
-    extraStructuredConfig = config;
-  };
 in
 {
   # use Megi's kernel:
@@ -116,22 +54,6 @@ in
   # - phosh greeter may not appear after wake from sleep
   boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
 
-  boot.kernelPatches = [
-    (patchDefconfig (kernelConfig //
-      (with lib.kernel; {
-        # disabling the sun5i_eink driver avoids this compilation error:
-        # CC [M]  drivers/video/fbdev/sun5i-eink-neon.o
-        # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfloat-abi=softfp'
-        # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
-        # make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
-        FB_SUN5I_EINK = no;
-        # used by the pinephone pro, but fails to compile with:
-        # ../drivers/media/i2c/ov8858.c:1834:27: error: implicit declaration of function 'compat_ptr'
-        VIDEO_OV8858 = no;
-      })
-    ))
-  ];
-
   # alternatively, use nixos' kernel and add the stuff we want:
   # # cross-compilation optimization:
   # boot.kernelPackages =
@@ -143,4 +65,19 @@ in
   # boot.kernelPatches = manjaroPatches ++ [
   #   (patchDefconfig kernelConfig)
   # ];
+
+  nixpkgs.hostPlatform.linux-kernel = {
+    # defaults:
+    name = "aarch64-multiplatform";
+    baseConfig = "defconfig";
+    DTB = true;
+    autoModules = true;
+    preferBuiltin = true;
+    # extraConfig = ...
+    # ^-- raspberry pi stuff: we don't need it.
+
+    # target = "Image";  # <-- default
+    target = "Image.gz";  # <-- compress the kernel image
+    # target = "zImage";  # <-- confuses other parts of nixos :-(
+  };
 }

hosts/by-name/servo/default.nix

@@ -4,7 +4,6 @@
   imports = [
     ./fs.nix
     ./net.nix
-    ./secrets.nix
     ./services
   ];
 
@@ -15,6 +14,7 @@
     signaldctl.enableFor.user.colin = true;
   };
 
+  sane.roles.ac = true;
   sane.roles.build-machine.enable = true;
   sane.roles.build-machine.emulation = false;
   sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist

hosts/by-name/servo/net.nix

@@ -33,6 +33,14 @@
   # - getent ahostsv4 www.google.com
   # - try fix: <https://serverfault.com/questions/765989/connect-to-3rd-party-vpn-server-but-dont-use-it-as-the-default-route/766290#766290>
   services.resolved.enable = true;
+  # without DNSSEC:
+  # - dig matrix.org => works
+  # - curl https://matrix.org => works
+  # with default DNSSEC:
+  # - dig matrix.org => works
+  # - curl https://matrix.org => fails
+  # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
+  services.resolved.dnssec = "false";
   networking.nameservers = [
     # use systemd-resolved resolver
     # full resolver (which understands /etc/hosts) lives on 127.0.0.53

hosts/by-name/servo/secrets.nix

@@ -1,42 +0,0 @@
-{ ... }:
-
-{
-  sops.secrets."ddns_afraid" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-  sops.secrets."ddns_he" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."dovecot_passwd" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."duplicity_passphrase" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."freshrss_passwd" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."matrix_synapse_secrets" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-  sops.secrets."mautrix_signal_env" = {
-    sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
-    format = "binary";
-  };
-
-  sops.secrets."mediawiki_pw" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."pleroma_secrets" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-
-  sops.secrets."wg_ovpns_privkey" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
-}

hosts/by-name/servo/services/ddns-afraid.nix

@@ -6,7 +6,7 @@ lib.mkIf false
   systemd.services.ddns-afraid = {
     description = "update dynamic DNS entries for freedns.afraid.org";
     serviceConfig = {
-      EnvironmentFile = config.sops.secrets.ddns_afraid.path;
+      EnvironmentFile = config.sops.secrets."ddns_afraid.env".path;
       # TODO: ProtectSystem = "strict";
       # TODO: ProtectHome = "full";
       # TODO: PrivateTmp = true;

hosts/by-name/servo/services/ddns-he.nix

@@ -6,7 +6,7 @@ lib.mkIf false
   systemd.services.ddns-he = {
     description = "update dynamic DNS entries for HurricaneElectric";
     serviceConfig = {
-      EnvironmentFile = config.sops.secrets.ddns_he.path;
+      EnvironmentFile = config.sops.secrets."ddns_he.env".path;
       # TODO: ProtectSystem = "strict";
       # TODO: ProtectHome = "full";
       # TODO: PrivateTmp = true;

hosts/by-name/servo/services/default.nix

@@ -19,6 +19,7 @@
     ./navidrome.nix
     ./nixserve.nix
     ./nginx.nix
+    ./pict-rs.nix
     ./pleroma.nix
     ./postgres.nix
     ./prosody.nix

hosts/by-name/servo/services/gitea.nix

@@ -1,3 +1,4 @@
+# config options: <https://docs.gitea.io/en-us/administration/config-cheat-sheet/>
 { config, pkgs, lib, ... }:
 
 {
@@ -10,9 +11,6 @@
   services.gitea.database.type = "postgres";
   services.gitea.database.user = "git";
   services.gitea.appName = "Perfectly Sane Git";
-  services.gitea.domain = "git.uninsane.org";
-  services.gitea.rootUrl = "https://git.uninsane.org/";
-  services.gitea.settings.session.COOKIE_SECURE = true;
   # services.gitea.disableRegistration = true;
 
   # gitea doesn't create the git user
@@ -27,9 +25,13 @@
   };
 
   services.gitea.settings = {
+    # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
+    log.LEVEL = "Warn";
     server = {
       # options: "home", "explore", "organizations", "login" or URL fragment (or full URL)
       LANDING_PAGE = "explore";
+      DOMAIN = "git.uninsane.org";
+      ROOT_URL = "https://git.uninsane.org/";
     };
     service = {
       # timeout for email approval. 5760 = 4 days
@@ -44,6 +46,7 @@
       ENABLE_CAPTCHA = true;
       NOREPLY_ADDRESS = "noreply.anonymous.git@uninsane.org";
     };
+    session.COOKIE_SECURE = true;
     repository = {
       DEFAULT_BRANCH = "master";
     };
@@ -58,6 +61,8 @@
     };
     #"ui.meta" = ... to customize html author/description/etc
     mailer = {
+      # alternative is to use nixos-level config:
+      # services.gitea.mailerPasswordFile = ...
       ENABLED = true;
       MAILER_TYPE = "sendmail";
       FROM = "notify.git@uninsane.org";
@@ -69,8 +74,6 @@
       FORMAT = "RFC3339";
     };
   };
-  # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
-  services.gitea.settings.log.LEVEL = "Warn";
 
   systemd.services.gitea.serviceConfig = {
     # nix default is AF_UNIX AF_INET AF_INET6.

hosts/by-name/servo/services/lemmy.nix

@@ -1,3 +1,8 @@
+# docs:
+# - <repo:LemmyNet/lemmy:docker/federation/nginx.conf>
+# - <repo:LemmyNet/lemmy:docker/nginx.conf>
+# - <repo:LemmyNet/lemmy-ansible:templates/nginx.conf>
+
 { config, lib, ... }:
 let
   inherit (builtins) toString;
@@ -9,11 +14,13 @@ in {
   services.lemmy = {
     enable = true;
     settings.hostname = "lemmy.uninsane.org";
-    settings.options.federation.enabled = true;
-    settings.options.port = backendPort;
-    # settings.database.host = "localhost";
+    settings.federation.enabled = true;
+    # federation.debug forces outbound federation queries to be run synchronously
+    # settings.federation.debug = true;
+    settings.port = backendPort;
     ui.port = uiPort;
     database.createLocally = true;
+    nginx.enable = true;
   };
 
   systemd.services.lemmy.serviceConfig = {
@@ -21,7 +28,20 @@ in {
     DynamicUser = mkForce false;
     User = "lemmy";
     Group = "lemmy";
-    Environment = [ "RUST_BACKTRACE=full" ];
+  };
+  systemd.services.lemmy.environment = {
+    RUST_BACKTRACE = "full";
+    # RUST_LOG = "debug";
+    # upstream defaults LEMMY_DATABASE_URL = "postgres:///lemmy?host=/run/postgresql";
+    # - Postgres complains that we didn't specify a user
+    # lemmy formats the url as:
+    # - postgres://{user}:{password}@{host}:{port}/{database}
+    # SO suggests (https://stackoverflow.com/questions/3582552/what-is-the-format-for-the-postgresql-connection-string-url):
+    # - postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]
+    # LEMMY_DATABASE_URL = "postgres://lemmy@/run/postgresql";  # connection to server on socket "/run/postgresql/.s.PGSQL.5432" failed: FATAL:  database "run/postgresql" does not exist
+    # LEMMY_DATABASE_URL = "postgres://lemmy?host=/run/postgresql";  # no PostgreSQL user name specified in startup packet
+    # LEMMY_DATABASE_URL = mkForce "postgres://lemmy@?host=/run/postgresql";  # WORKS
+    LEMMY_DATABASE_URL = mkForce "postgres://lemmy@/lemmy?host=/run/postgresql";
   };
   users.groups.lemmy = {};
   users.users.lemmy = {
@@ -32,28 +52,6 @@ in {
   services.nginx.virtualHosts."lemmy.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
-    locations = let
-      ui = "http://127.0.0.1:${toString uiPort}";
-      backend = "http://127.0.0.1:${toString backendPort}";
-    in {
-      # see <LemmyNet/lemmy:docker/federation/nginx.conf>
-      "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = {
-        extraConfig = ''
-          set $proxpass ${ui};
-          if ($http_accept = "application/activity+json") {
-            set $proxpass ${backend};
-          }
-          if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
-            set $proxpass ${backend};
-          }
-
-          # Cuts off the trailing slash on URLs to make them valid
-          rewrite ^(.+)/+$ $1 permanent;
-        '';
-        proxyPass = "$proxpass";
-      };
-      "/".proxyPass = ui;
-    };
   };
 
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";

hosts/by-name/servo/services/matrix/default.nix

@@ -1,5 +1,6 @@
-# docs: https://nixos.wiki/wiki/Matrix
-# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
+# docs: <https://nixos.wiki/wiki/Matrix>
+# docs: <https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse>
+# example config: <https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml>
 { config, lib, pkgs, ... }:
 
 {
@@ -41,11 +42,14 @@
     }
   ];
 
+  services.matrix-synapse.settings.x_forwarded = true;  # because we proxy matrix behind nginx
+  services.matrix-synapse.settings.max_upload_size = "100M";  # default is "50M"
+
   services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
   services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
 
   services.matrix-synapse.extraConfigFiles = [
-    config.sops.secrets.matrix_synapse_secrets.path
+    config.sops.secrets."matrix_synapse_secrets.yaml".path
   ];
 
   # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
@@ -94,6 +98,10 @@
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:8008";
+      extraConfig = ''
+        # allow uploading large files (matrix enforces a separate limit, downstream)
+        client_max_body_size  512m;
+      '';
     };
     # redirect browsers to the web client.
     # i don't think native matrix clients ever fetch the root.
@@ -130,7 +138,7 @@
   };
 
 
-  sops.secrets."matrix_synapse_secrets" = {
+  sops.secrets."matrix_synapse_secrets.yaml" = {
     owner = config.users.users.matrix-synapse.name;
   };
 }

hosts/by-name/servo/services/matrix/irc.nix

@@ -112,7 +112,6 @@ in
     "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
   ];
 
-  # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
   services.matrix-appservice-irc.enable = true;
   services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
   services.matrix-appservice-irc.settings = {
@@ -127,12 +126,24 @@ in
 
     ircService = {
       servers = {
-        "irc.rizon.net" = ircServer { name = "Rizon"; };
+        "irc.esper.net" = ircServer {
+          name = "esper";
+          sasl = false;
+          # notable channels:
+          # - #merveilles
+        };
         "irc.myanonamouse.net" = ircServer {
           name = "MyAnonamouse";
           additionalAddresses = [ "irc2.myanonamouse.net" ];
           sasl = false;
         };
+        "irc.oftc.net" = ircServer {
+          name = "oftc";
+          # notable channels:
+          # - #sxmo
+          # - #sxmo-offtopic
+        };
+        "irc.rizon.net" = ircServer { name = "Rizon"; };
       };
     };
   };

hosts/by-name/servo/services/nixserve.nix

@@ -17,5 +17,5 @@
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
 
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../../../secrets/servo.yaml;
+  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
 }

hosts/by-name/servo/services/pict-rs.nix

@@ -0,0 +1,23 @@
+# pict-rs is an image database/store used by Lemmy.
+# i don't explicitly activate it here -- just adjust its defaults to be a bit friendlier
+{ config, lib, ... }:
+let
+  cfg = config.services.pict-rs;
+in
+{
+  sane.persist.sys.plaintext = lib.mkIf cfg.enable [
+    { user = "pict-rs"; group = "pict-rs"; directory = cfg.dataDir; }
+  ];
+
+  systemd.services.pict-rs.serviceConfig = {
+    # fix to use a normal user so we can configure perms correctly
+    DynamicUser = lib.mkForce false;
+    User = "pict-rs";
+    Group = "pict-rs";
+  };
+  users.groups.pict-rs = {};
+  users.users.pict-rs = {
+    group = "pict-rs";
+    isSystemUser = true;
+  };
+}

hosts/by-name/servo/services/transmission.nix

@@ -27,7 +27,7 @@
     # units in kBps
     speed-limit-down = 3000;
     speed-limit-down-enabled = true;
-    speed-limit-up = 300;
+    speed-limit-up = 600;
     speed-limit-up-enabled = true;
 
     # see: https://git.zknt.org/mirror/transmission/commit/cfce6e2e3a9b9d31a9dafedd0bdc8bf2cdb6e876?lang=bg-BG

hosts/common/cross/default.nix

@@ -25,6 +25,7 @@
 # - scoped:   `nix build '.#host-pkgs.moby-cross.gnome.mutter'`
 # - python:   `nix build '.#host-pkgs.moby-cross.python310Packages.pandas'`
 # - perl:     `nix build '.#host-pkgs.moby-cross.perl536Packages.ModuleBuild'`
+# - haskell:  `nix build '.#host-pkgs.moby-cross.haskellPackages.xml-conduit`
 # - qt:       `nix build '.#host-pkgs.moby-cross.qt5.qtbase'`
 # - qt:       `nix build '.#host-pkgs.moby-cross.libsForQt5.phonon'`
 # most of these can be built in a nixpkgs source root like:
@@ -246,6 +247,7 @@ let
     buildInputs = lib.subtractLists buildInputs (upstream.buildInputs or []);
     nativeBuildInputs = lib.subtractLists nativeBuildInputs (upstream.nativeBuildInputs or []);
   });
+  rmNativeBuildInputs = nativeBuildInputs: rmInputs { inherit nativeBuildInputs; };
   # move items from buildInputs into nativeBuildInputs, or vice-versa.
   # arguments represent the final location of specific inputs.
   mvInputs = { buildInputs ? [], nativeBuildInputs ? [] }: pkg:
@@ -412,7 +414,7 @@ in
             # nixpkgs hdf5 is at commit 3e847e003632bdd5fdc189ccbffe25ad2661e16f
             # hdf5  # configure: error: cannot run test program while cross compiling
             # http2
-            ibus
+            ibus  # "error: cannot run test program while cross compiling"
             jellyfin-web  # in node-dependencies-jellyfin-web: "node: command not found"  (nodePackages don't cross compile)
             # libgccjit  # "../../gcc-9.5.0/gcc/jit/jit-result.c:52:3: error: 'dlclose' was not declared in this scope"  (needed by emacs!)
             # libsForQt5  # qtbase  # make: g++: No such file or directory
@@ -511,15 +513,6 @@ in
           #       };
           #     };
 
-          # TODO(REMOVE AFTER MERGE): https://github.com/NixOS/nixpkgs/pull/225977
-          aprutil = prev.aprutil.overrideAttrs (upstream: {
-            # nixpkgs patches the ldb version only for the package itself, but derivative packages (serf -> subversion) inherit the wrong -ldb-6.9 flag.
-            postConfigure = upstream.postConfigure + lib.optionalString (next.stdenv.buildPlatform != next.stdenv.hostPlatform) ''
-              substituteInPlace apu-1-config \
-                --replace "-ldb-6.9" "-ldb"
-            '';
-          });
-
           blueman = prev.blueman.overrideAttrs (orig: {
             # configure: error: ifconfig or ip not found, install net-tools or iproute2
             nativeBuildInputs = orig.nativeBuildInputs ++ [ next.iproute2 ];
@@ -833,22 +826,6 @@ in
             };
           });
 
-          gocryptfs = prev.gocryptfs.override {
-            # fixes "error: hash mismatch in fixed-output derivation" (vendorSha256)
-            inherit (emulated) buildGoModule;  # equivalent to stdenv
-          };
-          # gocryptfs = prev.gocryptfs.override {
-          #   # fixes "error: hash mismatch in fixed-output derivation" (vendorSha256)
-          #   # new error: "go: inconsistent vendoring in /build/source:"
-          #   # - "github.com/hanwen/go-fuse/v2@v2.1.1-0.20211219085202-934a183ed914: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt"
-          #   # - ...
-          #   buildGoModule = args: next.buildGoModule (args // {
-          #     vendorSha256 = {
-          #       x86_64-linux = args.vendorSha256;
-          #       aarch64-linux = "sha256-9famtUjkeAtzxfXzmWVum/pyaNp89Aqnfd+mWE7KjaI=";
-          #     }."${next.stdenv.system}";
-          #   });
-          # };
           gpodder = prev.gpodder.overridePythonAttrs (upstream: {
             # fix gobject-introspection overrides import that otherwise fails on launch
             nativeBuildInputs = upstream.nativeBuildInputs ++ [
@@ -883,6 +860,20 @@ in
             buildInputs = upstream.buildInputs ++ [ next.libxml2 ];
           });
 
+          haskell = prev.haskell // {
+            packageOverrides = self: super:
+            let
+              super' = super // (prev.haskell.packageOverrides self super);
+            in
+              {
+                xml-conduit = super'.xml-conduit.overrideAttrs (upstream: {
+                  # fails even when compiles on build platform:
+                  # - `nix build '.#host-pkgs.moby.buildPackages.haskellPackages.xml-conduit'`
+                  doCheck = false;
+                });
+              };
+          };
+
           # hdf5 = prev.hdf5.override {
           #   inherit (emulated) stdenv;
           # };
@@ -960,7 +951,7 @@ in
               ./kitty-no-docs.patch
             ];
           });
-          libgweather = (prev.libgweather.override {
+          libgweather = rmNativeBuildInputs [ next.glib ] (prev.libgweather.override {
             # alternative to emulating python3 is to specify it in `buildInputs` instead of `nativeBuildInputs` (upstream),
             #   but presumably that's just a different way to emulate it.
             # the python gobject-introspection stuff is a tangled mess that's impossible to debug:
@@ -979,14 +970,6 @@ in
           #   buildInputs = upstream.buildInputs ++ [ next.vala ];
           # });
 
-          # TODO(REMOVE AFTER MERGE): https://github.com/NixOS/nixpkgs/pull/225977
-          libqmi = prev.libqmi.overrideAttrs (upstream: {
-            # fixes "failed to produce output devdoc"; nixpkgs only builds that output conditionally
-            outputs = [ "out" "dev" ] ++ lib.optionals (prev.stdenv.buildPlatform == prev.stdenv.hostPlatform) [
-              "devdoc"
-            ];
-          });
-
           libsForQt5 = prev.libsForQt5.overrideScope' (self: super: {
             qgpgme = super.qgpgme.overrideAttrs (orig: {
               # fix so it can find the MOC compiler
@@ -1032,8 +1015,13 @@ in
           # fixes "properties/gresource.xml: Permission denied"
           #   - by providing glib-compile-resources
           networkmanager-openvpn = mvToNativeInputs [ next.glib ] prev.networkmanager-openvpn;
-          # fixes "gdbus-codegen: command not found"
-          networkmanager-sstp = mvToNativeInputs [ next.glib ] prev.networkmanager-sstp;
+          networkmanager-sstp = (
+            # fixes "gdbus-codegen: command not found"
+            mvToNativeInputs [ next.glib ] (
+              # fixes gtk4-builder-tool wrong format
+              addNativeInputs [ next.gtk4.dev ] prev.networkmanager-sstp
+            )
+          );
           networkmanager-vpnc = mvToNativeInputs [ next.glib ] prev.networkmanager-vpnc;
           # fixes "properties/gresource.xml: Permission denied"
           #   - by providing glib-compile-resources
@@ -1128,10 +1116,6 @@ in
           #   nativeBuildInputs = upstream.nativeBuildInputs ++ [ next.gpgme ];
           # });
 
-          # TODO(REMOVE AFTER MERGE): https://github.com/NixOS/nixpkgs/pull/225977
-          # fixes: "perl: command not found"
-          pam_mount = mvToNativeInputs [ next.perl ] prev.pam_mount;
-
           # phoc = prev.phoc.override {
           #   # fixes "Program wayland-scanner found: NO"
           #   inherit (emulated) stdenv;
@@ -1181,7 +1165,7 @@ in
               });
 
               cryptography = py-prev.cryptography.override {
-                inherit (emulated) rustPlatform;  # "cargo:warning=aarch64-unknown-linux-gnu-gcc: error: unrecognized command-line option ‘-m64’"
+                inherit (emulated) cargo rustc rustPlatform;  # "cargo:warning=aarch64-unknown-linux-gnu-gcc: error: unrecognized command-line option ‘-m64’"
               };
 
               defcon = py-prev.defcon.overridePythonAttrs (orig: {
@@ -1302,24 +1286,20 @@ in
             # rmlint is scons; it reads the CC environment variable, though, so *may* be cross compilable
             inherit (emulated) stdenv;
           };
-          samba = prev.samba.overrideAttrs (_upstream: {
-            # we get "cannot find C preprocessor: aarch64-unknown-linux-gnu-cpp", but ONLY when building with the ccache stdenv.
-            # this solves that, but `CPP` must be a *single* path -- not an expression.
-            # i do not understand how the original error arises, as my ccacheStdenv should match the API of the base stdenv (except for cpp being a symlink??).
-            # but oh well, this fixes it.
-            CPP = next.buildPackages.writeShellScript "cpp" ''
-              exec ${lib.getBin next.stdenv.cc}/bin/${next.stdenv.cc.targetPrefix}cc -E $@;
-            '';
-          });
+          # samba = prev.samba.overrideAttrs (_upstream: {
+          #   # we get "cannot find C preprocessor: aarch64-unknown-linux-gnu-cpp", but ONLY when building with the ccache stdenv.
+          #   # this solves that, but `CPP` must be a *single* path -- not an expression.
+          #   # i do not understand how the original error arises, as my ccacheStdenv should match the API of the base stdenv (except for cpp being a symlink??).
+          #   # but oh well, this fixes it.
+          #   CPP = next.buildPackages.writeShellScript "cpp" ''
+          #     exec ${lib.getBin next.stdenv.cc}/bin/${next.stdenv.cc.targetPrefix}cc -E $@;
+          #   '';
+          # });
           # sequoia = prev.sequoia.override {
           #   # fails to fix original error
           #   inherit (emulated) stdenv;
           # };
 
-          # TODO(REMOVE AFTER MERGE): https://github.com/NixOS/nixpkgs/pull/225977
-          # fixes "sh: line 1: ar: command not found"
-          serf = addNativeInputs [ next.bintools ] prev.serf;
-
           spandsp = prev.spandsp.overrideAttrs (upstream: {
             configureFlags = upstream.configureFlags or [] ++ [
               # fixes runtime error: "undefined symbol: rpl_realloc"
@@ -1374,6 +1354,8 @@ in
           squeekboard = prev.squeekboard.override {
             inherit (emulated)
               rustPlatform  # fixes original "'rust' compiler binary not defined in cross or native file"
+              rustc
+              cargo
               stdenv  # fixes "gcc: error: unrecognized command line option '-m64'"
               glib  # fixes error when linking src/squeekboard: "/nix/store/3c0dqm093ylw8ks7myzxdaif0m16rgcl-binutils-2.40/bin/ld: /nix/store/jzh15bi6zablx3d9s928w3lgqy6and91-glib-2.74.3/lib/libgio-2.0.so"
               wayland  # fixes error when linking src/squeekboard: "/nix/store/3c0dqm093ylw8ks7myzxdaif0m16rgcl-binutils-2.40/bin/ld: /nix/store/ni0vb1pnaznx85378i3h9xhw9cay68g5-wayland-1.21.0/lib/libwayland-client.so: error adding symbols: file in wrong format"
@@ -1381,14 +1363,6 @@ in
               wrapGAppsHook  # introduces a competing gtk3 at link-time, unless emulated
             ;
           };
-          # TODO(REMOVE AFTER MERGE): https://github.com/NixOS/nixpkgs/pull/225977
-          subversion = prev.subversion.overrideAttrs (upstream: {
-            configureFlags = upstream.configureFlags ++ [
-              # configure can't find APR and APR-util, unclear why (are they not placed on PATH?)
-              "--with-apr=${next.apr.dev}/bin/apr-1-config"
-              "--with-apr-util=${next.aprutil.dev}/bin/apu-1-config"
-            ];
-          });
 
           # fixes: "src/meson.build:12:2: ERROR: Program 'gdbus-codegen' not found or not executable"
           sysprof = mvToNativeInputs [ next.glib ] (

hosts/common/default.nix

@@ -6,7 +6,6 @@
     ./fs.nix
     ./hardware.nix
     ./home
-    ./i2p.nix
     ./ids.nix
     ./machine-id.nix
     ./net.nix

hosts/common/feeds.nix

@@ -65,7 +65,7 @@ let
     ## Maggie Killjoy -- referenced by Cory Doctorow
     (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)
     (fromDb "congressionaldish.libsyn.com" // pol)
-    (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
+    # (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
     ## Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
     ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
@@ -125,7 +125,9 @@ let
     (fromDb "profectusmag.com" // uncat)
     (fromDb "semiaccurate.com" // tech)
     (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
+    (fromDb "tuxphones.com" // tech)
     (fromDb "spectrum.ieee.org" // tech)
+    (fromDb "theregister.com" // tech)
     (fromDb "thisweek.gnome.org" // tech)
     # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
     (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)
@@ -142,7 +144,7 @@ let
     (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
     (fromDb "xn--gckvb8fzb.com" // tech)
     (fromDb "mg.lol" // tech)
-    (fromDb "drewdevault.com" // tech)
+    # (fromDb "drewdevault.com" // tech)
     ## Ken Shirriff
     (fromDb "righto.com" // tech)
     ## shared blog by a few NixOS devs, notably onny
@@ -189,6 +191,7 @@ let
     (fromDb "stpeter.im/atom.xml" // pol)
     ## Peter Saint-Andre -- side project of stpeter.im
     (fromDb "philosopher.coach" // rat)
+    (fromDb "morningbrew.com/feed" // pol)
 
     # RATIONALITY/PHILOSOPHY/ETC
     (mkSubstack "samkriss" // humor // infrequent)
@@ -207,6 +210,8 @@ let
     (fromDb "sideways-view.com" // rat)
     ## Sean Carroll
     (fromDb "preposterousuniverse.com" // rat)
+    (mkSubstack "eliqian" // rat // weekly)
+    (mkText "https://acoup.blog/feed" // rat // weekly)
 
     ## mostly dating topics. not advice, or humor, but looking through a social lens
     (fromDb "putanumonit.com" // rat)

hosts/common/home/mime.nix

@@ -1,7 +1,7 @@
 { config, sane-lib, ...}:
 
 let
-  www = config.sane.web-browser.browser.desktop;
+  www = config.sane.programs.web-browser.config.browser.desktop;
   pdf = "org.gnome.Evince.desktop";
   md = "obsidian.desktop";
   thumb = "org.gnome.gThumb.desktop";
@@ -28,6 +28,7 @@ in
     # VIDEO
     "video/mp4" = video;
     "video/quicktime" = video;
+    "video/webm" = video;
     "video/x-matroska" = video;
     # HTML
     "text/html" = www;

hosts/common/i2p.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-  services.i2p.enable = true;
-}

hosts/common/ids.nix

@@ -38,6 +38,8 @@
   sane.ids.komga.gid = 2407;
   sane.ids.lemmy.uid = 2408;
   sane.ids.lemmy.gid = 2408;
+  sane.ids.pict-rs.uid = 2409;
+  sane.ids.pict-rs.gid = 2409;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;
@@ -51,6 +53,7 @@
   sane.ids.nscd.gid = 2004;
   sane.ids.systemd-oom.uid = 2005;
   sane.ids.systemd-oom.gid = 2005;
+  sane.ids.wireshark.gid = 2006;
 
   # found on graphical hosts
   sane.ids.nm-iodine.uid = 2101;  # desko/moby/lappy

hosts/common/programs/aerc.nix

@@ -1,6 +1,6 @@
 # Terminal UI mail client
-{ config, sane-lib, ... }:
+{ ... }:
 
 {
-  sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/universal/aerc_accounts.conf.bin;
+  sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
 }

hosts/common/programs/default.nix

@@ -102,7 +102,7 @@ let
       git  # needed as a user package, for config.
       gnupg
       gocryptfs
-      gopass
+      gopass  # TODO: shouldn't be needed here
       gopass-jsonapi
       imagemagick
       kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
@@ -118,7 +118,7 @@ let
       # nixos-generators
       nmon
       # node2nix
-      oathToolkit  # for oathtool
+      # oathToolkit  # for oathtool
       # ponymix
       pulsemixer
       python3
@@ -131,7 +131,7 @@ let
       sops
       sox
       speedtest-cli
-      ssh-to-age
+      # ssh-to-age
       sudo
       # tageditor  # music tagging
       unar
@@ -146,7 +146,7 @@ let
 
   guiPkgs = {
     inherit (flattenedPkgs)
-      celluloid  # mpv frontend
+      # celluloid  # mpv frontend
       clinfo
       emote
       evince  # works on phosh
@@ -163,19 +163,19 @@ let
 
       # "gnome.cheese"
       "gnome.dconf-editor"
-      gnome-feeds  # RSS reader (with claimed mobile support)
+      # gnome-feeds  # RSS reader (with claimed mobile support)
       "gnome.file-roller"
       # "gnome.gnome-maps"  # works on phosh
       "gnome.nautilus"
       # gnome-podcasts
       "gnome.gnome-system-monitor"
       # "gnome.gnome-terminal"  # works on phosh
-      "gnome.gnome-weather"
-      gpodder-configured
+      # "gnome.gnome-weather"
+      gpodder
       gthumb
       jellyfin-media-player
       # lollypop
-      mpv
+      # mpv
       networkmanagerapplet
       # newsflash
       nheko
@@ -212,11 +212,12 @@ let
       kdenlive
       kid3  # audio tagging
       krita
-      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
+      libreoffice-fresh
       mumble
       obsidian
       slic3r
       steam
+      wireshark  # could maybe ship the cli as sysadmin pkg
     ;
   };
   x86GuiPkgs = {
@@ -227,21 +228,21 @@ let
       # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
       # gpt2tc  # XXX: unreliable mirror
 
-      logseq
+      # logseq  # Personal Knowledge Management
       losslesscut-bin
       makemkv
       monero-gui
       signal-desktop
       spotify
       tor-browser-bundle-bin
-      zeal-qt5  # programming docs viewer. TODO: switch to zeal-qt6
       zecwallet-lite
     ;
   };
 
-  # packages not part of any package set
+  # packages not part of any package set; not enabled by default
   otherPkgs = {
     inherit (pkgs)
+      lemmy-server
       mx-sanebot
       stepmania
     ;
@@ -271,6 +272,7 @@ in
     ./sublime-music.nix
     ./vlc.nix
     ./web-browser.nix
+    ./wireshark.nix
     ./zeal.nix
     ./zsh
   ];
@@ -299,6 +301,7 @@ in
         guiApps = {
           package = null;
           suggestedPrograms = (attrNames guiPkgs)
+            ++ [ "web-browser" ]
             ++ [ "tuiApps" ]
             ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
         };
@@ -345,10 +348,6 @@ in
 
         ghostscript = {};  # used by imagemagick
 
-        # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
-        #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
-        gpodder-configured.persist.plaintext = [ "gPodder" ];
-
         imagemagick = {
           package = pkgs.imagemagick.override {
             ghostscriptSupport = true;

hosts/common/programs/git.nix

@@ -1,18 +1,26 @@
-{ lib, pkgs, sane-lib, ... }:
+{ lib, pkgs, ... }:
 
 let
   mkCfg = lib.generators.toINI { };
 in
 {
-  sane.programs.git.fs.".config/git/config" = sane-lib.fs.wantedText (mkCfg {
+  sane.programs.git.fs.".config/git/config".symlink.text = mkCfg {
+    # top-level options documented:
+    # - <https://git-scm.com/docs/git-config#_variables>
+
     user.name = "Colin";
     user.email = "colin@uninsane.org";
+
     alias.co = "checkout";
+
     # difftastic docs:
     # - <https://difftastic.wilfred.me.uk/git.html>
     diff.tool = "difftastic";
     difftool.prompt = false;
     "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
     # now run `git difftool` to use difftastic git
-  });
+
+    # render dates as YYYY-MM-DD HH:MM:SS +TZ
+    log.date = "iso";
+  };
 }

hosts/common/programs/gnome-feeds.nix

@@ -6,37 +6,35 @@ let
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
-    builtins.toJSON {
-      # feed format is a map from URL to a dict,
-      #   with dict["tags"] a list of string tags.
-      feeds = sane-lib.mapToAttrs (feed: {
-        name = feed.url;
-        value.tags = [ feed.cat feed.freq ];
-      }) wanted-feeds;
-      dark_reader = false;
-      new_first = true;
-      # windowsize = {
-      #   width = 350;
-      #   height = 650;
-      # };
-      max_article_age_days = 90;
-      enable_js = false;
-      max_refresh_threads = 3;
-      # saved_items = {};
-      # read_items = [];
-      show_read_items = true;
-      full_article_title = true;
-      # views: "webview", "reader", "rsscont"
-      default_view = "rsscont";
-      open_links_externally = true;
-      full_feed_name = false;
-      refresh_on_startup = true;
-      tags = lib.unique (
-        (builtins.catAttrs "cat" wanted-feeds) ++ (builtins.catAttrs "freq" wanted-feeds)
-      );
-      open_youtube_externally = false;
-      media_player = "vlc";  # default: mpv
-    }
-  );
+  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json".symlink.text = builtins.toJSON {
+    # feed format is a map from URL to a dict,
+    #   with dict["tags"] a list of string tags.
+    feeds = sane-lib.mapToAttrs (feed: {
+      name = feed.url;
+      value.tags = [ feed.cat feed.freq ];
+    }) wanted-feeds;
+    dark_reader = false;
+    new_first = true;
+    # windowsize = {
+    #   width = 350;
+    #   height = 650;
+    # };
+    max_article_age_days = 90;
+    enable_js = false;
+    max_refresh_threads = 3;
+    # saved_items = {};
+    # read_items = [];
+    show_read_items = true;
+    full_article_title = true;
+    # views: "webview", "reader", "rsscont"
+    default_view = "rsscont";
+    open_links_externally = true;
+    full_feed_name = false;
+    refresh_on_startup = true;
+    tags = lib.unique (
+      (builtins.catAttrs "cat" wanted-feeds) ++ (builtins.catAttrs "freq" wanted-feeds)
+    );
+    open_youtube_externally = false;
+    media_player = "vlc";  # default: mpv
+  };
 }

hosts/common/programs/gpodder.nix

@@ -1,12 +1,17 @@
 # gnome feeds RSS viewer
-{ config, sane-lib, ... }:
+{ config, pkgs, sane-lib, ... }:
 
 let
   feeds = sane-lib.feeds;
   all-feeds = config.sane.feeds;
   wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
 in {
-  sane.programs.gpodder.fs.".config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
-    feeds.feedsToOpml wanted-feeds
-  );
+  sane.programs.gpodder = {
+    package = pkgs.gpodder-configured;
+    fs.".config/gpodderFeeds.opml".symlink.text = feeds.feedsToOpml wanted-feeds;
+
+    # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
+    #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
+    persist.plaintext = [ "gPodder" ];
+  };
 }

hosts/common/programs/kitty/default.nix

@@ -1,7 +1,7 @@
-{ pkgs, sane-lib, ... }:
+{ ... }:
 
 {
-  sane.programs.kitty.fs.".config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
+  sane.programs.kitty.fs.".config/kitty/kitty.conf".symlink.text = ''
     # docs: https://sw.kovidgoyal.net/kitty/conf/
     # disable terminal bell (when e.g. you backspace too many times)
     enable_audio_bell no

hosts/common/programs/libreoffice.nix

@@ -1,8 +1,8 @@
-{ sane-lib, ... }:
+{ ... }:
 
 {
   # libreoffice: disable first-run stuff
-  sane.programs.libreoffice-fresh.fs.".config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
+  sane.programs.libreoffice-fresh.fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
     <?xml version="1.0" encoding="UTF-8"?>
     <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>

hosts/common/programs/mpv.nix

@@ -1,10 +1,10 @@
-{ sane-lib, ... }:
+{ ... }:
 
 {
   sane.programs.mpv = {
     persist.plaintext = [ ".config/mpv/watch_later" ];
     # format is <key>=%<length>%<value>
-    fs.".config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
+    fs.".config/mpv/mpv.conf".symlink.text = ''
       save-position-on-quit=%3%yes
       keep-open=%3%yes
     '';

hosts/common/programs/newsflash.nix

@@ -8,8 +8,8 @@ let
 in {
   sane.programs.newsflash = {
     persist.plaintext = [ ".local/share/news-flash" ];
-    fs.".config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
+    fs.".config/newsflashFeeds.opml".symlink.text =
       feeds.feedsToOpml wanted-feeds
-    );
+    ;
   };
 }

hosts/common/programs/offlineimap.nix

@@ -7,6 +7,6 @@
 { ... }:
 
 {
-  sane.programs.offlineimap.secrets.".config/offlineimap/config" = ../../../secrets/universal/offlineimaprc.bin;
+  sane.programs.offlineimap.secrets.".config/offlineimap/config" = ../../../secrets/common/offlineimaprc.bin;
 }
 

hosts/common/programs/ripgrep.nix

@@ -1,9 +1,9 @@
-{ sane-lib, ... }:
+{ ... }:
 {
   # .ignore file is read by ripgrep (rg), silver searcher (ag), maybe others.
   # ignore translation files by default when searching, as they tend to have
   # a LOT of duplicate text.
-  sane.programs.ripgrep.fs.".ignore" = sane-lib.fs.wantedText ''
+  sane.programs.ripgrep.fs.".ignore".symlink.text = ''
     po/
   '';
 }

hosts/common/programs/splatmoji.nix

@@ -1,12 +1,12 @@
 # borrows from:
 # - default config: <https://github.com/cspeterson/splatmoji/blob/master/splatmoji.config>
 # - wayland: <https://github.com/cspeterson/splatmoji/issues/32#issuecomment-830862566>
-{ pkgs, sane-lib, ... }:
+{ pkgs, ... }:
 
 {
   sane.programs.splatmoji = {
     persist.plaintext = [ ".local/state/splatmoji" ];
-    fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
+    fs.".config/splatmoji/splatmoji.config".symlink.text = ''
       # XXX doesn't seem to understand ~ as shorthand for `$HOME`
       history_file=/home/colin/.local/state/splatmoji/history
       history_length=5

hosts/common/programs/sublime-music.nix

@@ -9,6 +9,6 @@
     #   possible to pass config as a CLI arg (sublime-music -c config.json)
     persist.plaintext = [ ".local/share/sublime-music" ];
 
-    secrets.".config/sublime-music/config.json" = ../../../secrets/universal/sublime_music_config.json.bin;
+    secrets.".config/sublime-music/config.json" = ../../../secrets/common/sublime_music_config.json.bin;
   };
 }

hosts/common/programs/vlc.nix

@@ -12,7 +12,7 @@ in
   sane.programs.vlc = {
     # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
     persist.plaintext = [ ".config/vlc" ];
-    fs.".config/vlc/vlcrc" = sane-lib.fs.wantedText ''
+    fs.".config/vlc/vlcrc".symlink.text = ''
       [podcast]
       podcast-urls=${podcast-urls}
       [core]

hosts/common/programs/web-browser.nix

@@ -6,10 +6,10 @@
 # many of the settings below won't have effect without those patches.
 # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
 
-{ config, lib, pkgs, sane-lib, ...}:
+{ config, lib, pkgs, ...}:
 with lib;
 let
-  cfg = config.sane.web-browser;
+  cfg = config.sane.programs.web-browser.config;
   # allow easy switching between firefox and librewolf with `defaultSettings`, below
   librewolfSettings = {
     browser = pkgs.librewolf-unwrapped;
@@ -100,55 +100,62 @@ let
       };
     };
   };
-in
-{
-  options = {
-    sane.web-browser.browser = mkOption {
-      default = defaultSettings;
-      type = types.attrs;
-    };
-    sane.web-browser.persistData = mkOption {
-      description = "optional store name to which persist browsing data (like history)";
-      type = types.nullOr types.str;
-      default = null;
-    };
-    sane.web-browser.persistCache = mkOption {
-      description = "optional store name to which persist browser cache";
-      type = types.nullOr types.str;
-      default = "cryptClearOnBoot";
-    };
-    sane.web-browser.addons = mkOption {
-      type = types.attrsOf addonOpts;
-      default = {
-        # get names from:
-        # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
-        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
-        # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
-        browserpass-extension.package = localAddon pkgs.browserpass-extension;
-        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
-        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
-        ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
-        i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
-        sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
-        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
-        ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
-        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
 
-        browserpass-extension.enable = lib.mkDefault true;
-        # bypass-paywalls-clean.enable = lib.mkDefault true;
-        ether-metamask.enable = lib.mkDefault true;
-        i2p-in-private-browsing.enable = lib.mkDefault config.services.i2p.enable;
-        sidebery.enable = lib.mkDefault true;
-        sponsorblock.enable = lib.mkDefault true;
-        ublacklist.enable = lib.mkDefault true;
-        ublock-origin.enable = lib.mkDefault true;
+  configOpts = {
+    options = {
+      browser = mkOption {
+        default = defaultSettings;
+        type = types.anything;
+      };
+      persistData = mkOption {
+        description = "optional store name to which persist browsing data (like history)";
+        type = types.nullOr types.str;
+        default = null;
+      };
+      persistCache = mkOption {
+        description = "optional store name to which persist browser cache";
+        type = types.nullOr types.str;
+        default = "cryptClearOnBoot";
+      };
+      addons = mkOption {
+        type = types.attrsOf addonOpts;
+        default = {
+          # get names from:
+          # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
+          # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
+          # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
+          browserpass-extension.package = localAddon pkgs.browserpass-extension;
+          # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
+          # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
+          ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
+          i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
+          sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
+          sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
+          ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
+          ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
+
+          browserpass-extension.enable = lib.mkDefault true;
+          # bypass-paywalls-clean.enable = lib.mkDefault true;
+          ether-metamask.enable = lib.mkDefault true;
+          i2p-in-private-browsing.enable = lib.mkDefault config.services.i2p.enable;
+          sidebery.enable = lib.mkDefault true;
+          sponsorblock.enable = lib.mkDefault true;
+          ublacklist.enable = lib.mkDefault true;
+          ublock-origin.enable = lib.mkDefault true;
+        };
       };
     };
   };
-
+in
+{
   config = mkMerge [
     ({
-      sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
+      sane.programs.web-browser.configOption = mkOption {
+        type = types.submodule configOpts;
+        default = {};
+      };
+    })
+    ({
       sane.programs.web-browser = {
         inherit package;
 
@@ -160,7 +167,7 @@ in
         # the specific attribute path is found via scraping ublock code here:
         # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
         # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-        fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
+        fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json".symlink.text = ''
           {
            "name": "uBlock0@raymondhill.net",
            "description": "ignored",
@@ -170,16 +177,16 @@ in
            }
           }
         '';
-        fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
+        fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg".symlink.text = ''
           // if we can't query the revocation status of a SSL cert because the issuer is offline,
           // treat it as unrevoked.
           // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
           defaultPref("security.OCSP.require", false);
         '';
-        fs."${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
+        fs."${cfg.browser.dotDir}/default".dir = {};
         # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
         # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
-        fs."${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
+        fs."${cfg.browser.dotDir}/profiles.ini".symlink.text = ''
           [Profile0]
           Name=default
           IsRelative=1

hosts/common/programs/wireshark.nix

@@ -0,0 +1,5 @@
+{ config, ... }:
+{
+  sane.programs.wireshark = {};
+  programs.wireshark.enable = config.sane.programs.wireshark.enabled;
+}

hosts/common/programs/zeal.nix

@@ -1,16 +1,55 @@
-{ config, lib, sane-lib, ... }:
+{ config, lib, pkgs, ... }:
 let
-  inherit (lib) mkIf;
+  inherit (builtins) map;
+  inherit (lib) mkIf mkOption optionalString types;
+  cfg = config.sane.programs.docsets.config;
+  configOpts = types.submodule {
+    options = {
+      rustPkgs = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+    };
+  };
 in {
-  sane.programs.zeal-qt5 = {
+  sane.programs.zeal = {
+    package = pkgs.zeal-qt5;
     persist.plaintext = [
       ".cache/Zeal"
       ".local/share/Zeal"
     ];
-    fs.".local/share/Zeal/Zeal/system" = sane-lib.fs.wantedSymlinkTo "/run/current-system/sw/share/docset";
+    fs.".local/share/Zeal/Zeal/docsets/system".symlink.target = "/run/current-system/sw/share/docset";
+    suggestedPrograms = [ "docsets" ];
   };
 
-  environment.pathsToLink = mkIf config.sane.programs.zeal-qt5.enabled [
+  sane.programs.docsets = {
+    configOption = mkOption {
+      type = configOpts;
+      default = {};
+    };
+    package = pkgs.symlinkJoin {
+      name = "docsets";
+      # build each package with rust docs
+      paths = map (name:
+        let
+          orig = pkgs."${name}";
+          withDocs = orig.overrideAttrs (upstream: {
+            nativeBuildInputs = upstream.nativeBuildInputs or [] ++ [
+              pkgs.cargoDocsetHook
+            ];
+          });
+        in
+        "${toString withDocs}/share/docset"
+      ) cfg.rustPkgs;
+      # link only the docs (not any binaries)
+      postBuild = optionalString (cfg.rustPkgs != []) ''
+        mkdir -p $out/share/docset
+        mv $out/*.docset $out/share/docset
+      '';
+    };
+  };
+
+  environment.pathsToLink = mkIf config.sane.programs.zeal.enabled [
     "/share/docset"
   ];
 }

hosts/common/programs/zsh/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   inherit (lib) mkIf mkMerge mkOption types;
@@ -51,12 +51,12 @@ in
         ];
 
         # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
-        fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
+        fs.".config/zsh/.zshrc".symlink.text = "# ";
 
         # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
         # see: https://github.com/sorin-ionescu/prezto
         # i believe this file is auto-sourced by the prezto init.zsh script.
-        fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
+        fs.".config/zsh/.zpreztorc".symlink.text = ''
           zstyle ':prezto:*:*' color 'yes'
 
           # modules (they ship with prezto):

hosts/common/secrets.nix

@@ -1,38 +1,49 @@
-{ config, ... }:
+# SOPS configuration:
+#   docs: https://github.com/Mic92/sops-nix
+#
+# for each new user you want to edit sops files:
+# create a private age key from ssh key:
+#   $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
+#   if the private key was password protected, then first decrypt it:
+#     $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
+#     $ ssh-keygen -p -N "" -f /tmp/id_ed25519
+#
+# for each user you want to decrypt secrets:
+#   $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
+#   add the result to .sops.yaml
+#   since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
+#
+# for each host you want to decrypt secrets:
+#   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
+#   add the result to .sops.yaml
+#   $ sops updatekeys secrets/example.yaml
+#
+# to create a new secret:
+#   $ sops secrets/example.yaml
+#   control access below (sops.secret.<x>.owner = ...)
+#
+# to read a secret:
+#   $ cat /run/secrets/example_key
 
+{ config, lib, sane-lib, ... }:
+
+let
+  inherit (lib.strings) hasSuffix removeSuffix;
+  secretsForHost = host: sane-lib.joinAttrsets (
+    map
+      (path: lib.optionalAttrs (hasSuffix ".bin" path) (sane-lib.nameValueToAttrs {
+        name = removeSuffix ".bin" path;
+        value = {
+          sopsFile = ../../secrets/${host}/${path};
+          format = "binary";
+        };
+      }))
+      (sane-lib.enumerateFilePaths ../../secrets/${host})
+  );
+in
 {
-  # SOPS configuration:
-  #   docs: https://github.com/Mic92/sops-nix
-  #
-  # for each new user you want to edit sops files:
-  # create a private age key from ssh key:
-  #   $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
-  #   if the private key was password protected, then first decrypt it:
-  #     $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
-  #     $ ssh-keygen -p -N "" -f /tmp/id_ed25519
-  #
-  # for each user you want to decrypt secrets:
-  #   $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
-  #   add the result to .sops.yaml
-  #   since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
-  #
-  # for each host you want to decrypt secrets:
-  #   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
-  #   add the result to .sops.yaml
-  #   $ sops updatekeys secrets/example.yaml
-  #
-  # to create a new secret:
-  #   $ sops secrets/example.yaml
-  #   control access below (sops.secret.<x>.owner = ...)
-  #
-  # to read a secret:
-  #   $ cat /run/secrets/example_key
 
   # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
-  # This will add secrets.yaml to the nix store
-  # You can avoid this by adding a string to the full path instead, i.e.
-  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ../../secrets/universal.yaml;
   sops.gnupg.sshKeyPaths = [];  # disable RSA key import
   # This is using an age key that is expected to already be in the filesystem
   # sops.age.keyFile = "/home/colin/.ssh/age.pub";
@@ -45,96 +56,15 @@
   # };
   # sops.secrets."myservice/my_subdir/my_secret" = {};
 
-  ## universal secrets
-  # TODO: glob these?
-
-  sops.secrets."jackett_apikey" = {
-    sopsFile = ../../secrets/universal.yaml;
-    owner = config.users.users.colin.name;
-  };
-  sops.secrets."mx-sanebot-env" = {
-    sopsFile = ../../secrets/universal/mx-sanebot-env.bin;
-    format = "binary";
-    owner = config.users.users.colin.name;
-  };
-  sops.secrets."router_passwd" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."transmission_passwd" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."wg_ovpnd_us_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."wg_ovpnd_us-atl_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."wg_ovpnd_us-mi_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-  sops.secrets."wg_ovpnd_ukr_privkey" = {
-    sopsFile = ../../secrets/universal.yaml;
-  };
-
-  sops.secrets."snippets" = {
-    sopsFile = ../../secrets/universal/snippets.bin;
-    format = "binary";
-    owner = config.users.users.colin.name;
-  };
-
-  sops.secrets."bt/car" = {
-    sopsFile = ../../secrets/universal/bt/car.bin;
-    format = "binary";
-  };
-  sops.secrets."bt/earbuds" = {
-    sopsFile = ../../secrets/universal/bt/earbuds.bin;
-    format = "binary";
-  };
-  sops.secrets."bt/portable-speaker" = {
-    sopsFile = ../../secrets/universal/bt/portable-speaker.bin;
-    format = "binary";
-  };
-
-  sops.secrets."iwd/community-university.psk" = {
-    sopsFile = ../../secrets/universal/net/community-university.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/friend-libertarian-dod.psk" = {
-    sopsFile = ../../secrets/universal/net/friend-libertarian-dod.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/friend-rationalist-empathist.psk" = {
-    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/home-shared.psk" = {
-    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/makespace-south.psk" = {
-    sopsFile = ../../secrets/universal/net/makespace-south.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = {
-    sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/archive-2023-02-home-shared-24G.psk" = {
-    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/archive-2023-02-home-shared.psk" = {
-    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/iphone" = {
-    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/parents" = {
-    sopsFile = ../../secrets/universal/net/parents.psk.bin;
-    format = "binary";
-  };
+  sops.secrets = lib.mkMerge [
+    (secretsForHost "common")
+    (secretsForHost config.networking.hostName)
+    {
+      "jackett_apikey".owner = config.users.users.colin.name;
+      "mx-sanebot-env".owner = config.users.users.colin.name;
+      "snippets".owner = config.users.users.colin.name;
+    }
+  ];
 }
 
 

hosts/common/users.nix

@@ -33,13 +33,13 @@ in
       ];
       group = "users";
       extraGroups = [
-        "wheel"
-        "nixbuild"
-        "networkmanager"
-        # phosh/mobile. XXX colin: unsure if necessary
-        "video"
+        "dialout"  # required for modem access (moby)
         "feedbackd"
-        "dialout" # required for modem access
+        "networkmanager"
+        "nixbuild"
+        "video"  # phosh/mobile. XXX colin: unsure if necessary
+        "wheel"
+        "wireshark"
       ];
 
       # initial password is empty, in case anything goes wrong.

hosts/common/vpn.nix

@@ -11,7 +11,7 @@ let
   def-ovpn = name: { endpoint, publicKey, address }: {
     networking.wg-quick.interfaces."ovpnd-${name}" = {
       inherit address;
-      privateKeyFile = config.sops.secrets."wg_ovpnd_${name}_privkey".path;
+      privateKeyFile = config.sops.secrets."wg/ovpnd_${name}_privkey".path;
       dns = [
         "46.227.67.134"
         "192.165.9.158"

hosts/instantiate.nix

@@ -4,7 +4,7 @@
 { hostName, localSystem }:
 
 # module args
-{ config, lib, ... }:
+{ lib, ... }:
 
 {
   imports = [
@@ -16,14 +16,4 @@
   networking.hostName = hostName;
   nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
   sane.cross.enablePatches = localSystem != null;
-
-  # nixpkgs.overlays = [
-  #   (next: prev: {
-  #     # for local != target we by default just emulate the target while building.
-  #     # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
-  #     # to explicitly opt into non-emulated cross compilation for any specific package.
-  #     # this is most beneficial for large packages with few pre-requisites -- like Linux.
-  #     cross = prev.crossFrom."${localSystem}";
-  #   })
-  # ];
 }

hosts/modules/gui/default.nix

@@ -10,6 +10,6 @@ in
     ./phosh.nix
     ./plasma.nix
     ./plasma-mobile.nix
-    ./sway.nix
+    ./sway
   ];
 }

hosts/modules/gui/phosh.nix

@@ -59,6 +59,8 @@ in
       # qt.style = "gtk2";
 
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
+      # docs: <repo:gnome/phosh:src/phoc.ini.example>
+      # docs: <repo:gnome/phosh:src/settings.c#config_ini_handler>
       services.xserver.desktopManager.phosh = {
         enable = true;
         user = "colin";
@@ -113,6 +115,18 @@ in
         NIXOS_OZONE_WL = "1";
       };
 
+      systemd.services.phosh.environment = {
+        # PHOC_DEBUG: comma-separated list of:
+        # - ``auto-maximize``: Maximize toplevels
+        # - ``damage-tracking``: Debug damage tracking
+        # - ``no-quit``: Don't quit when session ends
+        # - ``touch-points``: Debug touch points
+        # - ``layer-shell``: Debug layer shell
+        # - ``cutouts``: Debug display cutouts and notches
+        PHOC_DEBUG = "layer-shell";
+        # G_DEBUG, G_MESSAGE_DEBUG for glib debugging: <https://docs.gtk.org/glib/running.html>
+      };
+
       programs.dconf.packages = [
         # org.kde.konsole.desktop
         (pkgs.writeTextFile {
@@ -142,7 +156,11 @@ in
       services.xserver.displayManager.job.preStart = ''
         ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
       '';
-      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";  # XXX: not sure why this doesn't propagate correctly.
+      # XXX for some reason specifying defaultSession = "sm.puri.Phosh" breaks cross-compiled display-manager startup
+      # - causes an attempt to load x86-64 glib-2.76.2/lib/libglib-2.0.so.0
+      # - likely <repo:nixpkgs:nixos/modules/services/x11/display-managers/account-service-util.nix>
+      # - but i believe some variant of this issue existed even during emulated compilation
+      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";
       services.xserver.displayManager.lightdm.extraSeatDefaults = ''
         user-session = phosh
       '';

hosts/modules/gui/snippets.txt

@@ -10,4 +10,6 @@ https://jackett.uninsane.org/UI/Dashboard#search=
 https://fed.uninsane.org
 https://bt.uninsane.org
 https://sci-hub.se
+https://archive.is
 https://news.ycombinator.com
+https://192.168.15.1:60481  # Router/Firewall

hosts/modules/gui/sway.nix

@@ -1,666 +0,0 @@
-{ config, lib, pkgs, sane-lib, ... }:
- 
-# docs: https://nixos.wiki/wiki/Sway
-with lib;
-let
-  cfg = config.sane.gui.sway;
-  # docs: https://github.com/Alexays/Waybar/wiki/Configuration
-  # format specifiers: https://fmt.dev/latest/syntax.html#syntax
-  waybar-config = [
-    { # TOP BAR
-      layer = "top";
-      height = 40;
-      modules-left = ["sway/workspaces" "sway/mode"];
-      modules-center = ["sway/window"];
-      modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
-      "sway/window" = {
-        max-length = 50;
-      };
-      # include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
-      "custom/mediaplayer" = {
-        exec = pkgs.writeShellScript "waybar-mediaplayer" ''
-          player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
-          if [ "$player_status" = "Playing" ]; then
-            echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
-          elif [ "$player_status" = "Paused" ]; then
-            echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
-          fi
-        '';
-        interval = 2;
-        format = "{}  ";
-        # return-type = "json";
-        on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
-        on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
-        on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
-      };
-      network = {
-        # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
-        interval = 2;
-        max-length = 40;
-        # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
-        format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
-        tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
-
-        format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
-        tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
-
-        format-disconnected = "";
-      };
-      cpu = {
-        format = " {usage:2}%";
-        tooltip = false;
-      };
-      battery = {
-        states = {
-          good = 95;
-          warning = 30;
-          critical = 10;
-        };
-        format = "{icon} {capacity}%";
-        format-icons = [
-          ""
-          ""
-          ""
-          ""
-          ""
-        ];
-      };
-      clock = {
-        format-alt = "{:%a, %d. %b  %H:%M}";
-      };
-    }
-  ];
-  # waybar-config-text = lib.generators.toJSON {} waybar-config;
-  waybar-config-text = (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
-
-  # bare sway launcher
-  sway-launcher = pkgs.writeShellScriptBin "sway-launcher" ''
-    ${pkgs.sway}/bin/sway --debug > /tmp/sway.log 2>&1
-  '';
-  # start sway and have it construct the gtkgreeter
-  sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
-    ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /tmp/sway-as-greeter.log 2>&1
-  '';
-  # (config file for the above)
-  sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
-    exec "${gtkgreet-launcher}"
-  '';
-  # gtkgreet which launches a layered sway instance
-  gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
-    # NB: the "command" field here is run in the user's shell.
-    # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
-    ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sway-launcher
-  '';
-  greeter-session = {
-    # greeter session config
-    command = "${sway-as-greeter}/bin/sway-as-greeter";
-    # alternatives:
-    # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
-    # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
-    # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
-  };
-  greeterless-session = {
-    # no greeter
-    command = "${sway-launcher}/bin/sway-launcher";
-    user = "colin";
-  };
-in
-{
-  options = {
-    sane.gui.sway.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-    sane.gui.sway.useGreeter = mkOption {
-      description = ''
-        launch sway via a greeter (like greetd's gtkgreet).
-        sway is usable without a greeter, but skipping the greeter means no PAM session.
-      '';
-      default = true;
-      type = types.bool;
-    };
-  };
-  config = mkMerge [
-    {
-      sane.programs.swayApps = {
-        package = null;
-        suggestedPrograms = [
-          "guiApps"
-          "splatmoji"  # used by us, but 'enabling' it gets us persistence & cfg
-          "swaylock"
-          "swayidle"
-          "wl-clipboard"
-          "mako"  # notification daemon
-          # # "pavucontrol"
-          "gnome.gnome-bluetooth"
-          "gnome.gnome-control-center"
-          "sway-contrib.grimshot"
-        ];
-      };
-    }
-    {
-      sane.programs = {
-        inherit (pkgs // {
-          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
-          "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
-          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
-        })
-          swaylock
-          swayidle
-          wl-clipboard
-          mako
-          "gnome.gnome-bluetooth"
-          "gnome.gnome-control-center"
-          "sway-contrib.grimshot"
-        ;
-      };
-    }
-
-    (mkIf cfg.enable {
-      sane.programs.swayApps.enableFor.user.colin = true;
-
-      # swap in these lines to use SDDM instead of `services.greetd`.
-      # services.xserver.displayManager.sddm.enable = true;
-      # services.xserver.enable = true;
-      services.greetd = {
-        # greetd source/docs:
-        # - <https://git.sr.ht/~kennylevinsen/greetd>
-        enable = true;
-        settings = {
-          default_session = if cfg.useGreeter then greeter-session else greeterless-session;
-        };
-      };
-      # we need the greeter's command to be on our PATH
-      users.users.colin.packages = [ sway-launcher ];
-
-      # some programs (e.g. fractal) **require** a "Secret Service Provider"
-      services.gnome.gnome-keyring.enable = true;
-
-      # unlike other DEs, sway configures no audio stack
-      # administer with pw-cli, pw-mon, pw-top commands
-      services.pipewire = {
-        enable = true;
-        alsa.enable = true;
-        alsa.support32Bit = true;  # ??
-        pulse.enable = true;
-      };
-
-      networking.useDHCP = false;
-      networking.networkmanager.enable = true;
-      networking.wireless.enable = lib.mkForce false;
-
-      hardware.bluetooth.enable = true;
-      services.blueman.enable = true;
-      # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
-      services.gnome.gnome-settings-daemon.enable = true;
-      # start the components of gsd we need at login
-      systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
-      # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
-      # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
-      # it doesn't actually seem to need ANY of them in the first place T_T
-      systemd.user.targets."gnome-session-initialized".enable = false;
-      # bluez can't connect to audio devices unless pipewire is running.
-      # a system service can't depend on a user service, so just launch it at graphical-session
-      systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
-
-      programs.sway = {
-        enable = true;
-        wrapperFeatures.gtk = true;
-      };
-      sane.user.fs.".config/sway/config" =
-        let
-          fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
-          sed = "${pkgs.gnused}/bin/sed";
-          wtype = "${pkgs.wtype}/bin/wtype";
-          kitty = "${pkgs.kitty}/bin/kitty";
-          launcher-cmd = fuzzel;
-          terminal-cmd = kitty;
-          lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
-          vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
-          vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
-          mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
-          brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
-          brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
-          screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
-          # "bookmarking"/snippets inspired by Luke Smith:
-          # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
-          snip-file = ./snippets.txt;
-          # TODO: querying sops here breaks encapsulation
-          list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
-          strip-comments = "${sed} 's/ #.*$//'";
-          snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
-          # TODO: next splatmoji release should allow `-s none` to disable skin tones
-          emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
-        in sane-lib.fs.wantedText ''
-          ### default font
-          font pango:monospace 8
-
-          ### pixel boundary between windows
-          default_border pixel 3
-          default_floating_border pixel 2
-          hide_edge_borders smart
-
-          ### defaults
-          focus_wrapping no
-          focus_follows_mouse yes
-          focus_on_window_activation smart
-          mouse_warping output
-          workspace_layout default
-          workspace_auto_back_and_forth no
-
-          ### default colors (#border #background #text #indicator #childBorder)
-          client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
-          client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
-          client.unfocused #333333 #222222 #888888 #292d2e #222222
-          client.urgent #2f343a #900000 #ffffff #900000 #900000
-          client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
-          client.background #ffffff
-
-          ### key bindings
-          floating_modifier Mod1
-          ## media keys
-          bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
-          bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
-          bindsym Mod1+Page_Up exec ${vol-up-cmd}
-          bindsym Mod1+Page_Down exec ${vol-down-cmd}
-          bindsym XF86AudioMute exec ${mute-cmd}
-          bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
-          bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
-          ## special functions
-          bindsym Mod1+Print exec ${screenshot-cmd}
-          bindsym Mod1+l exec ${lock-cmd}
-          bindsym Mod1+s exec ${snip-cmd}
-          bindsym Mod1+slash exec ${emoji-cmd}
-          bindsym Mod1+d exec ${launcher-cmd}
-          bindsym Mod1+Return exec ${terminal-cmd}
-          bindsym Mod1+Shift+q kill
-          bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
-          bindsym Mod1+Shift+c reload
-          ## layout
-          bindsym Mod1+b splith
-          bindsym Mod1+v splitv
-          bindsym Mod1+f fullscreen toggle
-          bindsym Mod1+a focus parent
-          bindsym Mod1+w layout tabbed
-          bindsym Mod1+e layout toggle split
-          bindsym Mod1+Shift+space floating toggle
-          bindsym Mod1+space focus mode_toggle
-          bindsym Mod1+r mode resize
-          ## movement
-          bindsym Mod1+Up focus up
-          bindsym Mod1+Down focus down
-          bindsym Mod1+Left focus left
-          bindsym Mod1+Right focus right
-          bindsym Mod1+Shift+Up move up
-          bindsym Mod1+Shift+Down move down
-          bindsym Mod1+Shift+Left move left
-          bindsym Mod1+Shift+Right move right
-          ## workspaces
-          bindsym Mod1+1 workspace number 1
-          bindsym Mod1+2 workspace number 2
-          bindsym Mod1+3 workspace number 3
-          bindsym Mod1+4 workspace number 4
-          bindsym Mod1+5 workspace number 5
-          bindsym Mod1+6 workspace number 6
-          bindsym Mod1+7 workspace number 7
-          bindsym Mod1+8 workspace number 8
-          bindsym Mod1+9 workspace number 9
-          bindsym Mod1+Shift+1 move container to workspace number 1
-          bindsym Mod1+Shift+2 move container to workspace number 2
-          bindsym Mod1+Shift+3 move container to workspace number 3
-          bindsym Mod1+Shift+4 move container to workspace number 4
-          bindsym Mod1+Shift+5 move container to workspace number 5
-          bindsym Mod1+Shift+6 move container to workspace number 6
-          bindsym Mod1+Shift+7 move container to workspace number 7
-          bindsym Mod1+Shift+8 move container to workspace number 8
-          bindsym Mod1+Shift+9 move container to workspace number 9
-          ## "scratchpad" = ??
-          bindsym Mod1+Shift+minus move scratchpad
-          bindsym Mod1+minus scratchpad show
-
-          ### defaults
-          mode "resize" {
-            bindsym Down resize grow height 10 px
-            bindsym Escape mode default
-            bindsym Left resize shrink width 10 px
-            bindsym Return mode default
-            bindsym Right resize grow width 10 px
-            bindsym Up resize shrink height 10 px
-            bindsym h resize shrink width 10 px
-            bindsym j resize grow height 10 px
-            bindsym k resize shrink height 10 px
-            bindsym l resize grow width 10 px
-          }
-
-          ### lightly modified bars
-          bar {
-            # TODO: fonts was:
-            #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
-            font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
-            mode dock
-            hidden_state hide
-            position top
-            status_command ${pkgs.i3status}/bin/i3status
-            swaybar_command ${pkgs.waybar}/bin/waybar
-            workspace_buttons yes
-            strip_workspace_numbers no
-            tray_output primary
-            colors {
-              background #000000
-              statusline #ffffff
-              separator #666666
-              #  #border #background #text
-              focused_workspace #4c7899 #285577 #ffffff
-              active_workspace #333333 #5f676a #ffffff
-              inactive_workspace #333333 #222222 #888888
-              urgent_workspace #2f343a #900000 #ffffff
-              binding_mode #2f343a #900000 #ffffff
-          }
-          }
-
-          ### displays
-          ## DESKTOP
-          output "Samsung Electric Company S22C300 0x00007F35" {
-          pos 0,0
-          res 1920x1080
-          }
-          output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
-          pos 1920,0
-          res 3440x1440
-          }
-
-          ## LAPTOP
-          # sh/en TV
-          output "Pioneer Electronic Corporation VSX-524 0x00000101" {
-          pos 0,0
-          res 1920x1080
-          }
-          # internal display
-          output "Unknown 0x0637 0x00000000" {
-          pos 1920,0
-          res 1920x1080
-          }
-        '';
-
-      sane.user.fs.".config/waybar/config" = sane-lib.fs.wantedSymlinkTo waybar-config-text;
-
-      # style docs: https://github.com/Alexays/Waybar/wiki/Styling
-      sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText ''
-        * {
-          font-family: monospace;
-        }
-
-        /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
-        window#waybar {
-          background-color: rgba(43, 48, 59, 0.5);
-          border-bottom: 3px solid rgba(100, 114, 125, 0.5);
-          color: #ffffff;
-          transition-property: background-color;
-          transition-duration: .5s;
-        }
-
-        window#waybar.hidden {
-          opacity: 0.2;
-        }
-
-        /*
-        window#waybar.empty {
-          background-color: transparent;
-        }
-        window#waybar.solo {
-          background-color: #FFFFFF;
-        }
-        */
-
-        window#waybar.termite {
-          background-color: #3F3F3F;
-        }
-
-        window#waybar.chromium {
-          background-color: #000000;
-          border: none;
-        }
-
-        #workspaces button {
-          padding: 0 5px;
-          background-color: transparent;
-          color: #ffffff;
-          /* Use box-shadow instead of border so the text isn't offset */
-          box-shadow: inset 0 -3px transparent;
-          /* Avoid rounded borders under each workspace name */
-          border: none;
-          border-radius: 0;
-        }
-
-        /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
-        #workspaces button:hover {
-          background: rgba(0, 0, 0, 0.2);
-          box-shadow: inset 0 -3px #ffffff;
-        }
-
-        #workspaces button.focused {
-          background-color: #64727D;
-          box-shadow: inset 0 -3px #ffffff;
-        }
-
-        #workspaces button.urgent {
-          background-color: #eb4d4b;
-        }
-
-        #mode {
-          background-color: #64727D;
-          border-bottom: 3px solid #ffffff;
-        }
-
-        #clock,
-        #battery,
-        #cpu,
-        #memory,
-        #disk,
-        #temperature,
-        #backlight,
-        #network,
-        #pulseaudio,
-        #custom-media,
-        #tray,
-        #mode,
-        #idle_inhibitor,
-        #mpd {
-          padding: 0 10px;
-          color: #ffffff;
-        }
-
-        #window,
-        #workspaces {
-          margin: 0 4px;
-        }
-
-        /* If workspaces is the leftmost module, omit left margin */
-        .modules-left > widget:first-child > #workspaces {
-          margin-left: 0;
-        }
-
-        /* If workspaces is the rightmost module, omit right margin */
-        .modules-right > widget:last-child > #workspaces {
-          margin-right: 0;
-        }
-
-        #clock {
-          background-color: #64727D;
-        }
-
-        #battery {
-          background-color: #ffffff;
-          color: #000000;
-        }
-
-        #battery.charging, #battery.plugged {
-          color: #ffffff;
-          background-color: #26A65B;
-        }
-
-        @keyframes blink {
-          to {
-            background-color: #ffffff;
-            color: #000000;
-          }
-        }
-
-        #battery.critical:not(.charging) {
-          background-color: #f53c3c;
-          color: #ffffff;
-          animation-name: blink;
-          animation-duration: 0.5s;
-          animation-timing-function: linear;
-          animation-iteration-count: infinite;
-          animation-direction: alternate;
-        }
-
-        label:focus {
-          background-color: #000000;
-        }
-
-        #cpu {
-          background-color: #2ecc71;
-          color: #000000;
-        }
-
-        #memory {
-          background-color: #9b59b6;
-        }
-
-        #disk {
-          background-color: #964B00;
-        }
-
-        #backlight {
-          background-color: #90b1b1;
-        }
-
-        #network {
-          background-color: #2980b9;
-        }
-
-        #network.disconnected {
-          background-color: #f53c3c;
-        }
-
-        #pulseaudio {
-          background-color: #f1c40f;
-          color: #000000;
-        }
-
-        #pulseaudio.muted {
-          background-color: #90b1b1;
-          color: #2a5c45;
-        }
-
-        #custom-media {
-          background-color: #66cc99;
-          color: #2a5c45;
-          min-width: 100px;
-        }
-
-        #custom-media.custom-spotify {
-          background-color: #66cc99;
-        }
-
-        #custom-media.custom-vlc {
-          background-color: #ffa000;
-        }
-
-        #temperature {
-          background-color: #f0932b;
-        }
-
-        #temperature.critical {
-          background-color: #eb4d4b;
-        }
-
-        #tray {
-          background-color: #2980b9;
-        }
-
-        #tray > .passive {
-          -gtk-icon-effect: dim;
-        }
-
-        #tray > .needs-attention {
-          -gtk-icon-effect: highlight;
-          background-color: #eb4d4b;
-        }
-
-        #idle_inhibitor {
-          background-color: #2d3436;
-        }
-
-        #idle_inhibitor.activated {
-          background-color: #ecf0f1;
-          color: #2d3436;
-        }
-
-        #mpd {
-          background-color: #66cc99;
-          color: #2a5c45;
-        }
-
-        #mpd.disconnected {
-          background-color: #f53c3c;
-        }
-
-        #mpd.stopped {
-          background-color: #90b1b1;
-        }
-
-        #mpd.paused {
-          background-color: #51a37a;
-        }
-
-        #language {
-          background: #00b093;
-          color: #740864;
-          padding: 0 5px;
-          margin: 0 5px;
-          min-width: 16px;
-        }
-
-        #keyboard-state {
-          background: #97e1ad;
-          color: #000000;
-          padding: 0 0px;
-          margin: 0 5px;
-          min-width: 16px;
-        }
-
-        #keyboard-state > label {
-          padding: 0 5px;
-        }
-
-        #keyboard-state > label.locked {
-          background: rgba(0, 0, 0, 0.2);
-        }
-      '';
-      # style = ''
-      #   * {
-      #     border: none;
-      #     border-radius: 0;
-      #     font-family: Source Code Pro;
-      #   }
-      #   window#waybar {
-      #     background: #16191C;
-      #     color: #AAB2BF;
-      #   }
-      #   #workspaces button {
-      #     padding: 0 5px;
-      #   }
-      #   .custom-spotify {
-      #     padding: 0 10px;
-      #     margin: 0 4px;
-      #     background-color: #1DB954;
-      #     color: black;
-      #   }
-      # '';
-    })
-  ];
-}
-

hosts/modules/gui/sway/default.nix

@@ -0,0 +1,164 @@
+{ config, lib, pkgs, sane-lib, ... }:
+ 
+# docs: https://nixos.wiki/wiki/Sway
+with lib;
+let
+  cfg = config.sane.gui.sway;
+
+  # bare sway launcher
+  sway-launcher = pkgs.writeShellScriptBin "sway-launcher" ''
+    ${pkgs.sway}/bin/sway --debug > /var/log/sway/sway.log 2>&1
+  '';
+  # start sway and have it construct the gtkgreeter
+  sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
+    ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /var/log/sway/sway-as-greeter.log 2>&1
+  '';
+  # (config file for the above)
+  sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
+    exec "${gtkgreet-launcher}"
+  '';
+  # gtkgreet which launches a layered sway instance
+  gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
+    # NB: the "command" field here is run in the user's shell.
+    # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
+    ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sway-launcher
+  '';
+  greeter-session = {
+    # greeter session config
+    command = "${sway-as-greeter}/bin/sway-as-greeter";
+    # alternatives:
+    # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
+    # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
+    # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
+  };
+  greeterless-session = {
+    # no greeter
+    command = "${sway-launcher}/bin/sway-launcher";
+    user = "colin";
+  };
+in
+{
+  options = {
+    sane.gui.sway.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.gui.sway.useGreeter = mkOption {
+      description = ''
+        launch sway via a greeter (like greetd's gtkgreet).
+        sway is usable without a greeter, but skipping the greeter means no PAM session.
+      '';
+      default = true;
+      type = types.bool;
+    };
+  };
+  config = mkMerge [
+    {
+      sane.programs.swayApps = {
+        package = null;
+        suggestedPrograms = [
+          "guiApps"
+          "splatmoji"  # used by us, but 'enabling' it gets us persistence & cfg
+          "swaylock"
+          "swayidle"
+          "wl-clipboard"
+          "blueberry"  # GUI bluetooth manager
+          "mako"  # notification daemon
+          # # "pavucontrol"
+          # "gnome.gnome-bluetooth"  # XXX(2023/05/14): broken
+          "gnome.gnome-control-center"
+          "sway-contrib.grimshot"
+        ];
+      };
+    }
+    {
+      sane.programs = {
+        inherit (pkgs // {
+          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
+          "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
+          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
+        })
+          swaylock
+          swayidle
+          wl-clipboard
+          blueberry
+          mako
+          "gnome.gnome-bluetooth"
+          "gnome.gnome-control-center"
+          "sway-contrib.grimshot"
+        ;
+      };
+    }
+
+    (mkIf cfg.enable {
+      sane.programs.swayApps.enableFor.user.colin = true;
+
+      # swap in these lines to use SDDM instead of `services.greetd`.
+      # services.xserver.displayManager.sddm.enable = true;
+      # services.xserver.enable = true;
+      services.greetd = {
+        # greetd source/docs:
+        # - <https://git.sr.ht/~kennylevinsen/greetd>
+        enable = true;
+        settings = {
+          default_session = if cfg.useGreeter then greeter-session else greeterless-session;
+        };
+      };
+      # we need the greeter's command to be on our PATH
+      users.users.colin.packages = [ sway-launcher ];
+
+      # some programs (e.g. fractal) **require** a "Secret Service Provider"
+      services.gnome.gnome-keyring.enable = true;
+
+      # unlike other DEs, sway configures no audio stack
+      # administer with pw-cli, pw-mon, pw-top commands
+      services.pipewire = {
+        enable = true;
+        alsa.enable = true;
+        alsa.support32Bit = true;  # ??
+        pulse.enable = true;
+      };
+
+      networking.useDHCP = false;
+      networking.networkmanager.enable = true;
+      networking.wireless.enable = lib.mkForce false;
+
+      hardware.bluetooth.enable = true;
+      services.blueman.enable = true;
+      # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
+      services.gnome.gnome-settings-daemon.enable = true;
+      # start the components of gsd we need at login
+      systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
+      # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
+      # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
+      # it doesn't actually seem to need ANY of them in the first place T_T
+      systemd.user.targets."gnome-session-initialized".enable = false;
+      # bluez can't connect to audio devices unless pipewire is running.
+      # a system service can't depend on a user service, so just launch it at graphical-session
+      systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
+
+      sane.fs."/var/log/sway" = {
+        dir.acl.mode = "0777";
+        wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
+      };
+
+      programs.sway = {
+        enable = true;
+        wrapperFeatures.gtk = true;
+      };
+      sane.user.fs.".config/sway/config" = sane-lib.fs.wantedText
+        (import ./sway-config.nix { inherit config pkgs; });
+
+      sane.user.fs.".config/waybar/config" =
+        let
+          waybar-config = import ./waybar-config.nix { inherit pkgs; };
+        in sane-lib.fs.wantedSymlinkTo (
+          (pkgs.formats.json {}).generate "waybar-config.json" waybar-config
+        );
+
+      sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText
+        (builtins.readFile ./waybar-style.css);
+    })
+  ];
+}
+

hosts/modules/gui/sway/sway-config.nix

@@ -0,0 +1,174 @@
+{ pkgs, config }:
+let
+  fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
+  sed = "${pkgs.gnused}/bin/sed";
+  wtype = "${pkgs.wtype}/bin/wtype";
+  kitty = "${pkgs.kitty}/bin/kitty";
+  launcher-cmd = fuzzel;
+  terminal-cmd = kitty;
+  lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
+  vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
+  vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
+  mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
+  brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
+  brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
+  screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
+  # "bookmarking"/snippets inspired by Luke Smith:
+  # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
+  snip-file = ../snippets.txt;
+  # TODO: querying sops here breaks encapsulation
+  list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
+  strip-comments = "${sed} 's/ #.*$//'";
+  snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
+  # TODO: next splatmoji release should allow `-s none` to disable skin tones
+  emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
+in ''
+  ### default font
+  font pango:monospace 8
+
+  ### pixel boundary between windows
+  default_border pixel 3
+  default_floating_border pixel 2
+  hide_edge_borders smart
+
+  ### defaults
+  focus_wrapping no
+  focus_follows_mouse yes
+  focus_on_window_activation smart
+  mouse_warping output
+  workspace_layout default
+  workspace_auto_back_and_forth no
+
+  ### default colors (#border #background #text #indicator #childBorder)
+  client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
+  client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
+  client.unfocused #333333 #222222 #888888 #292d2e #222222
+  client.urgent #2f343a #900000 #ffffff #900000 #900000
+  client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
+  client.background #ffffff
+
+  ### key bindings
+  floating_modifier Mod1
+  ## media keys
+  bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
+  bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
+  bindsym Mod1+Page_Up exec ${vol-up-cmd}
+  bindsym Mod1+Page_Down exec ${vol-down-cmd}
+  bindsym XF86AudioMute exec ${mute-cmd}
+  bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
+  bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
+  ## special functions
+  bindsym Mod1+Print exec ${screenshot-cmd}
+  bindsym Mod1+l exec ${lock-cmd}
+  bindsym Mod1+s exec ${snip-cmd}
+  bindsym Mod1+slash exec ${emoji-cmd}
+  bindsym Mod1+d exec ${launcher-cmd}
+  bindsym Mod1+Return exec ${terminal-cmd}
+  bindsym Mod1+Shift+q kill
+  bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
+  bindsym Mod1+Shift+c reload
+  ## layout
+  bindsym Mod1+b splith
+  bindsym Mod1+v splitv
+  bindsym Mod1+f fullscreen toggle
+  bindsym Mod1+a focus parent
+  bindsym Mod1+w layout tabbed
+  bindsym Mod1+e layout toggle split
+  bindsym Mod1+Shift+space floating toggle
+  bindsym Mod1+space focus mode_toggle
+  bindsym Mod1+r mode resize
+  ## movement
+  bindsym Mod1+Up focus up
+  bindsym Mod1+Down focus down
+  bindsym Mod1+Left focus left
+  bindsym Mod1+Right focus right
+  bindsym Mod1+Shift+Up move up
+  bindsym Mod1+Shift+Down move down
+  bindsym Mod1+Shift+Left move left
+  bindsym Mod1+Shift+Right move right
+  ## workspaces
+  bindsym Mod1+1 workspace number 1
+  bindsym Mod1+2 workspace number 2
+  bindsym Mod1+3 workspace number 3
+  bindsym Mod1+4 workspace number 4
+  bindsym Mod1+5 workspace number 5
+  bindsym Mod1+6 workspace number 6
+  bindsym Mod1+7 workspace number 7
+  bindsym Mod1+8 workspace number 8
+  bindsym Mod1+9 workspace number 9
+  bindsym Mod1+Shift+1 move container to workspace number 1
+  bindsym Mod1+Shift+2 move container to workspace number 2
+  bindsym Mod1+Shift+3 move container to workspace number 3
+  bindsym Mod1+Shift+4 move container to workspace number 4
+  bindsym Mod1+Shift+5 move container to workspace number 5
+  bindsym Mod1+Shift+6 move container to workspace number 6
+  bindsym Mod1+Shift+7 move container to workspace number 7
+  bindsym Mod1+Shift+8 move container to workspace number 8
+  bindsym Mod1+Shift+9 move container to workspace number 9
+  ## "scratchpad" = ??
+  bindsym Mod1+Shift+minus move scratchpad
+  bindsym Mod1+minus scratchpad show
+
+  ### defaults
+  mode "resize" {
+    bindsym Down resize grow height 10 px
+    bindsym Escape mode default
+    bindsym Left resize shrink width 10 px
+    bindsym Return mode default
+    bindsym Right resize grow width 10 px
+    bindsym Up resize shrink height 10 px
+    bindsym h resize shrink width 10 px
+    bindsym j resize grow height 10 px
+    bindsym k resize shrink height 10 px
+    bindsym l resize grow width 10 px
+  }
+
+  ### lightly modified bars
+  bar {
+    # TODO: fonts was:
+    #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
+    font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
+    mode dock
+    hidden_state hide
+    position top
+    status_command ${pkgs.i3status}/bin/i3status
+    swaybar_command ${pkgs.waybar}/bin/waybar
+    workspace_buttons yes
+    strip_workspace_numbers no
+    tray_output primary
+    colors {
+      background #000000
+      statusline #ffffff
+      separator #666666
+      #  #border #background #text
+      focused_workspace #4c7899 #285577 #ffffff
+      active_workspace #333333 #5f676a #ffffff
+      inactive_workspace #333333 #222222 #888888
+      urgent_workspace #2f343a #900000 #ffffff
+      binding_mode #2f343a #900000 #ffffff
+  }
+  }
+
+  ### displays
+  ## DESKTOP
+  output "Samsung Electric Company S22C300 0x00007F35" {
+  pos 0,0
+  res 1920x1080
+  }
+  output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
+  pos 1920,0
+  res 3440x1440
+  }
+
+  ## LAPTOP
+  # sh/en TV
+  output "Pioneer Electronic Corporation VSX-524 0x00000101" {
+  pos 0,0
+  res 1920x1080
+  }
+  # internal display
+  output "Unknown 0x0637 0x00000000" {
+  pos 1920,0
+  res 1920x1080
+  }
+''

hosts/modules/gui/sway/waybar-config.nix

@@ -0,0 +1,67 @@
+# docs: https://github.com/Alexays/Waybar/wiki/Configuration
+# format specifiers: https://fmt.dev/latest/syntax.html#syntax
+{ pkgs }:
+[
+  { # TOP BAR
+    layer = "top";
+    height = 40;
+    modules-left = ["sway/workspaces" "sway/mode"];
+    modules-center = ["sway/window"];
+    modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
+    "sway/window" = {
+      max-length = 50;
+    };
+    # include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
+    "custom/mediaplayer" = {
+      exec = pkgs.writeShellScript "waybar-mediaplayer" ''
+        player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
+        if [ "$player_status" = "Playing" ]; then
+          echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
+        elif [ "$player_status" = "Paused" ]; then
+          echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
+        fi
+      '';
+      interval = 2;
+      format = "{}  ";
+      # return-type = "json";
+      on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
+      on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
+      on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
+    };
+    network = {
+      # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
+      interval = 2;
+      max-length = 40;
+      # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
+      format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+      tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+
+      format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+      tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
+
+      format-disconnected = "";
+    };
+    cpu = {
+      format = " {usage:2}%";
+      tooltip = false;
+    };
+    battery = {
+      states = {
+        good = 95;
+        warning = 30;
+        critical = 10;
+      };
+      format = "{icon} {capacity}%";
+      format-icons = [
+        ""
+        ""
+        ""
+        ""
+        ""
+      ];
+    };
+    clock = {
+      format-alt = "{:%a, %d. %b  %H:%M}";
+    };
+  }
+]

hosts/modules/gui/sway/waybar-style.css

@@ -0,0 +1,256 @@
+/* style docs: https://github.com/Alexays/Waybar/wiki/Styling */
+
+* {
+  font-family: monospace;
+}
+
+/* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
+window#waybar {
+  background-color: rgba(43, 48, 59, 0.5);
+  border-bottom: 3px solid rgba(100, 114, 125, 0.5);
+  color: #ffffff;
+  transition-property: background-color;
+  transition-duration: .5s;
+}
+
+window#waybar.hidden {
+  opacity: 0.2;
+}
+
+/*
+window#waybar.empty {
+  background-color: transparent;
+}
+window#waybar.solo {
+  background-color: #FFFFFF;
+}
+*/
+
+window#waybar.termite {
+  background-color: #3F3F3F;
+}
+
+window#waybar.chromium {
+  background-color: #000000;
+  border: none;
+}
+
+#workspaces button {
+  padding: 0 5px;
+  background-color: transparent;
+  color: #ffffff;
+  /* Use box-shadow instead of border so the text isn't offset */
+  box-shadow: inset 0 -3px transparent;
+  /* Avoid rounded borders under each workspace name */
+  border: none;
+  border-radius: 0;
+}
+
+/* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
+#workspaces button:hover {
+  background: rgba(0, 0, 0, 0.2);
+  box-shadow: inset 0 -3px #ffffff;
+}
+
+#workspaces button.focused {
+  background-color: #64727D;
+  box-shadow: inset 0 -3px #ffffff;
+}
+
+#workspaces button.urgent {
+  background-color: #eb4d4b;
+}
+
+#mode {
+  background-color: #64727D;
+  border-bottom: 3px solid #ffffff;
+}
+
+#clock,
+#battery,
+#cpu,
+#memory,
+#disk,
+#temperature,
+#backlight,
+#network,
+#pulseaudio,
+#custom-media,
+#tray,
+#mode,
+#idle_inhibitor,
+#mpd {
+  padding: 0 10px;
+  color: #ffffff;
+}
+
+#window,
+#workspaces {
+  margin: 0 4px;
+}
+
+/* If workspaces is the leftmost module, omit left margin */
+.modules-left > widget:first-child > #workspaces {
+  margin-left: 0;
+}
+
+/* If workspaces is the rightmost module, omit right margin */
+.modules-right > widget:last-child > #workspaces {
+  margin-right: 0;
+}
+
+#clock {
+  background-color: #64727D;
+}
+
+#battery {
+  background-color: #ffffff;
+  color: #000000;
+}
+
+#battery.charging, #battery.plugged {
+  color: #ffffff;
+  background-color: #26A65B;
+}
+
+@keyframes blink {
+  to {
+    background-color: #ffffff;
+    color: #000000;
+  }
+}
+
+#battery.critical:not(.charging) {
+  background-color: #f53c3c;
+  color: #ffffff;
+  animation-name: blink;
+  animation-duration: 0.5s;
+  animation-timing-function: linear;
+  animation-iteration-count: infinite;
+  animation-direction: alternate;
+}
+
+label:focus {
+  background-color: #000000;
+}
+
+#cpu {
+  background-color: #2ecc71;
+  color: #000000;
+}
+
+#memory {
+  background-color: #9b59b6;
+}
+
+#disk {
+  background-color: #964B00;
+}
+
+#backlight {
+  background-color: #90b1b1;
+}
+
+#network {
+  background-color: #2980b9;
+}
+
+#network.disconnected {
+  background-color: #f53c3c;
+}
+
+#pulseaudio {
+  background-color: #f1c40f;
+  color: #000000;
+}
+
+#pulseaudio.muted {
+  background-color: #90b1b1;
+  color: #2a5c45;
+}
+
+#custom-media {
+  background-color: #66cc99;
+  color: #2a5c45;
+  min-width: 100px;
+}
+
+#custom-media.custom-spotify {
+  background-color: #66cc99;
+}
+
+#custom-media.custom-vlc {
+  background-color: #ffa000;
+}
+
+#temperature {
+  background-color: #f0932b;
+}
+
+#temperature.critical {
+  background-color: #eb4d4b;
+}
+
+#tray {
+  background-color: #2980b9;
+}
+
+#tray > .passive {
+  -gtk-icon-effect: dim;
+}
+
+#tray > .needs-attention {
+  -gtk-icon-effect: highlight;
+  background-color: #eb4d4b;
+}
+
+#idle_inhibitor {
+  background-color: #2d3436;
+}
+
+#idle_inhibitor.activated {
+  background-color: #ecf0f1;
+  color: #2d3436;
+}
+
+#mpd {
+  background-color: #66cc99;
+  color: #2a5c45;
+}
+
+#mpd.disconnected {
+  background-color: #f53c3c;
+}
+
+#mpd.stopped {
+  background-color: #90b1b1;
+}
+
+#mpd.paused {
+  background-color: #51a37a;
+}
+
+#language {
+  background: #00b093;
+  color: #740864;
+  padding: 0 5px;
+  margin: 0 5px;
+  min-width: 16px;
+}
+
+#keyboard-state {
+  background: #97e1ad;
+  color: #000000;
+  padding: 0 0px;
+  margin: 0 5px;
+  min-width: 16px;
+}
+
+#keyboard-state > label {
+  padding: 0 5px;
+}
+
+#keyboard-state > label.locked {
+  background: rgba(0, 0, 0, 0.2);
+}
+

hosts/modules/hosts.nix

@@ -69,7 +69,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
       wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
       wg-home.ip = "10.0.10.22";
-      lan-ip = "192.168.15.25";
+      lan-ip = "10.78.79.52";
     };
 
     sane.hosts.by-name."lappy" = {
@@ -77,7 +77,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
       wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
       wg-home.ip = "10.0.10.20";
-      lan-ip = "192.168.15.13";
+      lan-ip = "10.78.79.53";
     };
 
     sane.hosts.by-name."moby" = {
@@ -85,7 +85,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
       wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
       wg-home.ip = "10.0.10.48";
-      lan-ip = "192.168.15.28";
+      lan-ip = "10.78.79.54";
     };
 
     sane.hosts.by-name."servo" = {
@@ -94,7 +94,7 @@ in
       wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
       wg-home.ip = "10.0.10.5";
       wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.15.24";
+      lan-ip = "10.78.79.51";
     };
   };
 }

hosts/modules/roles/ac.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+{
+  options.sane.roles.ac = with lib; mkOption {
+    type = types.bool;
+    default = false;
+    description = ''
+      services which you probably only want to use with AC power.
+      specifically because they drain resources like power or bandwidth.
+    '';
+  };
+
+  config = lib.mkIf config.sane.roles.ac {
+    sane.yggdrasil.enable = true;
+    services.i2p.enable = true;
+  };
+}

hosts/modules/roles/client/wifi-pairings.nix

@@ -1,15 +1,23 @@
 { config, lib, pkgs, ... }:
 
+let
+  install-iwd = pkgs.static-nix-shell.mkBash {
+    pname = "install-iwd";
+    src = ../../../../scripts;
+    pkgs = [ "gnused" ];
+  };
+in
 {
   config = lib.mkIf config.sane.roles.client {
     sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
       wantedBeforeBy = [ "iwd.service" ];
       generated.acl.mode = "0600";
       # XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
-      generated.script.script = builtins.readFile ../../../../scripts/install-iwd + ''
+      generated.script.script = ''
+        ${install-iwd}/bin/install-iwd $@
         touch "/var/lib/iwd/.secrets.psk.stamp"
       '';
-      generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
+      generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" ];
     };
   };
 }

hosts/modules/roles/default.nix

@@ -1,7 +1,9 @@
 { ... }:
 {
   imports = [
+    ./ac.nix
     ./build-machine.nix
     ./client
+    ./dev-machine.nix
   ];
 }

hosts/modules/roles/dev-machine.nix

@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkIf mkMerge mkOption types;
+  cfg = config.sane.roles.dev-machine;
+in
+{
+  options.sane.roles.dev-machine = mkOption {
+    type = types.bool;
+    default = false;
+    description = ''
+      enable if this machine is used generally for "development"
+      and you want tools to support that (e.g. docs).
+    '';
+  };
+
+  config = mkMerge [
+    ({
+      sane.programs.docsets.config.rustPkgs = [
+        "lemmy-server"
+        "mx-sanebot"
+      ];
+    })
+    (mkIf cfg {
+      sane.programs.docsets.enableFor.system = true;
+      # TODO: migrate this to `sane.user.programs.zeal.enable = true`
+      sane.programs.zeal.enableFor.user.colin = true;
+    })
+  ];
+}

hosts/modules/services/duplicity.nix

@@ -29,7 +29,7 @@ in
     #   web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
     #   you need to create a new application key from the web in order to first get a key which can create new keys (use env vars in the above command)
     # TODO: s/duplicity_passphrase/duplicity_env/
-    services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
+    services.duplicity.secretFile = config.sops.secrets."duplicity_passphrase.env".path;
     # NB: manually trigger with `systemctl start duplicity`
     services.duplicity.frequency = "daily";
 

hosts/modules/yggdrasil.nix

@@ -18,7 +18,7 @@ in
     services.yggdrasil = {
       enable = true;
       persistentKeys = true;
-      config = {
+      settings = {
         IFName = "ygg0";
         Peers = [
           "tls://longseason.1200bps.xyz:13122"

modules/data/feeds/default.nix

@@ -1,8 +1,9 @@
-{ lib, ... }:
+{ lib, sane-lib, ... }:
 
 let
   inherit (builtins) concatLists concatStringsSep foldl' fromJSON map readDir readFile;
   inherit (lib) hasSuffix listToAttrs mapAttrsToList removeSuffix splitString;
+  inherit (sane-lib) enumerateFilePaths;
 
   # given a path to a .json file relative to sources, construct the best feed object we can.
   # the .json file could be empty, in which case we make assumptions about the feed based
@@ -32,20 +33,5 @@ let
         fromJSON as-str;
 
   sources = enumerateFilePaths ./sources;
-
-  # like `lib.listFilesRecursive` but does not mangle paths.
-  # Type: enumerateFilePaths :: path -> [String]
-  enumerateFilePaths = base:
-    concatLists (
-      mapAttrsToList
-        (name: type:
-          if type == "directory" then
-            # enumerate this directory and then prefix each result with the directory's name
-            map (e: "${name}/${e}") (enumerateFilePaths (base + "/${name}"))
-          else
-            [ name ]
-        )
-        (readDir base)
-    );
 in
   listToAttrs (map feedFromSourcePath sources)

modules/data/feeds/sources/morningbrew.com/feed/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 151072,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "The daily email newsletter covering the latest news from Wall St. to Silicon Valley. Informative, witty, and everything you need to start your day.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 40,
+  "last_updated": "2023-05-08T19:26:29+00:00",
+  "score": 23,
+  "self_url": "https://www.morningbrew.com/feed.xml",
+  "site_name": "Morning Brew",
+  "site_url": "https://www.morningbrew.com",
+  "title": "Morning Brew",
+  "url": "https://www.morningbrew.com/feed.xml",
+  "velocity": 3.931,
+  "version": "rss20"
+}

modules/default.nix

@@ -14,8 +14,8 @@
     ./users.nix
   ];
 
-  _module.args =  {
+  _module.args =  rec {
     sane-lib = import ./lib { inherit lib; };
-    sane-data = import ./data { inherit lib; };
+    sane-data = import ./data { inherit lib sane-lib; };
   };
 }

modules/fs/default.nix

@@ -341,6 +341,8 @@ in {
   options = {
     sane.fs = mkOption {
       # type = types.attrsOf fsEntry;
+      # TODO: can we use `types.lazyAttrsOf fsEntry`??
+      # - this exists specifically to let attrs reference eachother
       type = fsTree;
       default = {};
     };

modules/lib/default.nix

@@ -72,5 +72,22 @@ sane-lib = rec {
       inherit path value;
     }
   ];
+
+
+  # like `lib.listFilesRecursive` but does not mangle paths.
+  #
+  # Type: enumerateFilePaths :: path -> [String]
+  enumerateFilePaths = base:
+    builtins.concatLists (
+      lib.mapAttrsToList
+        (name: type:
+          if type == "directory" then
+            # enumerate this directory and then prefix each result with the directory's name
+            builtins.map (e: "${name}/${e}") (enumerateFilePaths (base + "/${name}"))
+          else
+            [ name ]
+        )
+        (builtins.readDir base)
+    );
 };
 in sane-lib

modules/programs.nix

@@ -104,6 +104,19 @@ let
           the secret will have same owner as the user under which the program is enabled.
         '';
       };
+      configOption = mkOption {
+        type = types.raw;
+        default = mkOption {
+          type = types.submodule {};
+          default = {};
+        };
+        description = ''
+          declare any other options the program may be configured with.
+          you probably want this to be a submodule.
+          the option *definitions* can be set with `sane.programs."foo".config = ...`.
+        '';
+      };
+      config = config.configOption;
     };
 
     config = {
@@ -132,9 +145,10 @@ let
     sane.users = mapAttrs (user: en: optionalAttrs en {
       inherit (p) persist;
       fs = mkMerge [
-        p.fs
+        # make every fs entry wanted by system boot:
+        (mapAttrs (_path: sane-lib.fs.wanted) p.fs)
+        # link every secret into the fs:
         (mapAttrs
-          # link every secret into the fs
           # TODO: user the user's *actual* home directory, don't guess.
           (homePath: _src: sane-lib.fs.wantedSymlinkTo "/run/secrets/home/${user}/${homePath}")
           p.secrets

modules/services/nixserve.nix

@@ -13,21 +13,17 @@ in
       default = false;
       type = types.bool;
     };
-    sane.services.nixserve.sopsFile = mkOption {
+    sane.services.nixserve.secretKeyFile = mkOption {
       type = types.path;
-      description = "path to file that contains the nix_serv_privkey secret (can be in VCS)";
+      description = "path to file that contains the nix_serv_privkey secret (should not be in the store)";
     };
   };
 
   config = mkIf cfg.enable {
     services.nix-serve = {
       enable = true;
-      secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
+      inherit (cfg) secretKeyFile;
       openFirewall = true;  # not needed for servo; only desko
     };
-
-    sops.secrets.nix_serve_privkey = {
-      sopsFile = cfg.sopsFile;
-    };
   };
 }

nixpatches/flake.nix

@@ -1,5 +1,6 @@
 {
   inputs = {
+    # user is expected to define this from their flake via `inputs.nixpkgs.follows = ...`
     nixpkgs = {};
   };
   outputs = { self, nixpkgs }@inputs:
@@ -16,6 +17,8 @@
         (patchedFlakeFor system).outputs { inherit self; };
     in
     {
+      lib.nixosSystem = args: (patchedFlakeOutputsFor args.system).lib.nixosSystem args;
+
       legacyPackages = builtins.mapAttrs
         (system: _:
           (patchedFlakeOutputsFor system).legacyPackages."${system}"

nixpatches/list.nix

@@ -1,10 +1,25 @@
-{ fetchpatch, fetchurl }: [
+{ fetchpatch, fetchurl }:
+let
+  fetchpatch' = {
+    saneCommit ? null,
+    prUrl ? null,
+    hash ? null
+  }:
+    let
+      url = if prUrl != null then
+        # prUrl takes precedence over any specific commit
+        "${prUrl}.diff"
+      else
+        "https://git.uninsane.org/colin/nixpkgs/commit/${saneCommit}.diff"
+      ;
+    in fetchpatch ({ inherit url; } // (if hash != null then { inherit hash; } else {}));
+in [
 
   # splatmoji: init at 1.2.0
-  (fetchpatch {
-    # https://github.com/NixOS/nixpkgs/pull/211874
-    url = "https://git.uninsane.org/colin/nixpkgs/commit/75149039b6eaf57d8a92164e90aab20eb5d89196.diff";
-    hash = "sha256-IvsIcd2wPdz4b/7FMrDrcVlIZjFecCQ9uiL0Umprbx0=";
+  (fetchpatch' {
+    saneCommit = "75149039b6eaf57d8a92164e90aab20eb5d89196";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/211874";
+    hash = "sha256-fftctCx1N/P7yLTRxsHYLHbX+gV/lFpWrWCTtZ2L1Cw=";
   })
 
   # (fetchpatch {
@@ -33,13 +48,77 @@
   # ./2023-03-04-ccache-cross-fix.patch
 
   # 2023-04-11: bambu-studio: init at unstable-2023-01-11
-  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/206495.diff";
+  (fetchpatch' {
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/206495";
     hash = "sha256-RbQzAtFTr7Nrk2YBcHpKQMYoPlFMVSXNl96B/lkKluQ=";
   })
 
+  # update to newer lemmy-server.
+  # should be removable when > 0.17.2 releases?
+  # removing this now causes:
+  #   INFO lemmy_server::code_migrations: No Local Site found, creating it.
+  #   Error: LemmyError { message: None, inner: duplicate key value violates unique constraint "local_site_site_id_key", context: "SpanTrace" }
+  # though perhaps this error doesn't occur on fresh databases (idk).
   ./2023-04-29-lemmy.patch
 
+  (fetchpatch' {
+    # cargo-docset: init at 0.3.1
+    saneCommit = "5a09e84c6159ce545029483384580708bc04c08f";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/231188";
+    hash = "sha256-Z1HOps3w/WvxAiyUAHWszKqwS9EwA6rf4XfgPGp+2sQ=";
+  })
+
+  (fetchpatch' {
+    # kiwix-tools: 3.4.0 -> 3.5.0
+    saneCommit = "146f2449a19101ee202aa578a2b1d7377779890b";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/232020";
+    hash = "sha256-Tqr8Ri8X2dDljDmWmjAQDRJGNenSFhrY/wr24h2JAh0=";
+  })
+
+  (fetchpatch' {
+    # nixos/lemmy: support nginx
+    saneCommit = "f716a40d5d08e89d3760bee0ccc3a20017f4fecb";
+    hash = "sha256-G+k5ObeFm7ZVLVbhu6MAHX6MeOgzJuMcKiTN3rnCPDs=";
+  })
+
+  (fetchpatch' {
+    # feedbackd: 0.1.0 -> 0.2.0
+    saneCommit = "a0186a5782708a640cd6eaad6e9742b9cccebe9d";
+    hash = "sha256-f8he7pQow4fZkTVVqU/A5KgovZA7m7MccRQNTnDxw5o=";
+  })
+  # (fetchpatch' {
+  #   # phoc: 0.25.0 -> 0.27.0
+  #   # TODO: move wayland-scanner & glib to nativeBuildInputs
+  #   # TODO: once i press power button to screen blank, power doesn't reactivate phoc
+  #   # sus commits:
+  #   # - all lie between 0.25.0 .. 0.26.0
+  #   # - 25d65b9e6ebde26087be6414e41cf516599c3469  2023/03/12 phosh-private: Forward key release as well
+  #   # idle inhibit 2023/03/14
+  #   #   - 20e7b26af16e9d9c22cba4550f922b90b80b6df6
+  #   #   - b081ef963154c7c94a6ab33376a712b3efe17545
+  #   # screen blank fix  (NOPE: this one is OK)
+  #   #   - 37542bb80be8a7746d2ccda0c02048dd92fac7af  2023/03/11
+  #   saneCommit = "12e89c9d26b7a1a79f6b8b2f11fce0dd8f4d5197";
+  #   hash = "sha256-IJNBVr2xAwQW4SAJvq4XQYW4D5tevvd9zRrgXYmm38g=";
+  # })
+  # (fetchpatch' {
+  #   # phosh: 0.25.1 -> 0.27.0
+  #   # TODO: fix Calls:
+  #   # > Failed to get emergency contacts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.Calls was not provided by any .service files
+  #   saneCommit = "c8fa213c7cb357c0ca0d5bea66278362a47caeb8";
+  #   hash = "sha256-I8IZ8fjJstmcIXEN622/A1w2uHDACwXFl1WbXTWOyi4=";
+  # })
+
+  # (fetchpatch' {
+  #   # phosh-mobile-settings: 0.23.1 -> 0.27.0
+  #   # branch: pr/sane/phosh-mobile-settings-0.27.0
+  #   # TODO: fix feedback section
+  #   # > Settings schema 'org.gtk.gtk4.Settings.FileChooser' is not installed
+  #   # ^ is that provided by nautilus?
+  #   saneCommit = "8952f79699d3b0d72d9f6efb022e826175b143a6";
+  #   hash = "sha256-myKKMt5cZhC0mfPhEsNjwKjaIYICj5LBJqV01HghYUg=";
+  # })
+
   # 2023-04-20: perl: fix modules for compatibility with miniperl
   # (fetchpatch {
   #   url = "https://github.com/NixOS/nixpkgs/pull/225640.diff";

overlays/pkgs.nix

@@ -3,6 +3,5 @@
   # - `additional` packages
   # - `patched` versions of nixpkgs (which necessarily shadow their nixpkgs version)
   # - `pythonPackagesExtensions`
-  import ../pkgs
-    { pkgs = next; lib = prev.lib; unpatched = prev; }
+  import ../pkgs { pkgs = prev; final = next; }
 )

pkgs/additional/browserpass-extension/default.nix

@@ -27,8 +27,13 @@ let
   };
   browserpass-extension-yarn-modules = mkYarnModules {
     inherit pname version;
-    packageJSON = "${src}/src/package.json";
-    yarnLock = "${src}/src/yarn.lock";
+    packageJSON = ./package.json;
+    yarnLock = ./yarn.lock;
+    # yarnNix is auto-generated. to update: leave unset, then query the package deps and copy it out of the store.
+    yarnNix = ./yarn.nix;
+    # the following also works, but because it's IFD it's not allowed by some users, like NUR.
+    # packageJSON = "${src}/src/package.json";
+    # yarnLock = "${src}/src/yarn.lock";
   };
   extid = "browserpass@maximbaz.com";
 in stdenv.mkDerivation {

pkgs/additional/browserpass-extension/package.json

@@ -0,0 +1,34 @@
+{
+    "name": "browserpass-extension",
+    "version": "3.7.2",
+    "description": "Browser extension for zx2c4's pass (password manager) - Community Edition.",
+    "homepage": "https://github.com/browserpass/browserpass-extension",
+    "license": "ISC",
+    "author": [
+        {
+            "name": "Maxim Baz",
+            "email": "browserpass@maximbaz.com"
+        },
+        {
+            "name": "Steve Gilberd",
+            "email": "steve@erayd.net"
+        }
+    ],
+    "dependencies": {
+        "@browserpass/url": "^1.1.6",
+        "chrome-extension-async": "^3.4.1",
+        "fuzzysort": "^1.1.4",
+        "hash.js": "^1.1.7",
+        "idb": "^4.0.5",
+        "ignore": "^5.1.8",
+        "mithril": "^1.1.7",
+        "moment": "^2.27.0",
+        "otplib": "^11.0.0",
+        "sha1": "^1.1.1"
+    },
+    "devDependencies": {
+        "browserify": "^16.5.2",
+        "less": "^3.12.2",
+        "prettier": "^2.0.5"
+    }
+}

pkgs/additional/cargo-docset/hook.nix

@@ -0,0 +1,10 @@
+{ makeSetupHook
+, cargo
+, cargo-docset
+}:
+makeSetupHook {
+  name = "cargo-docset-hook";
+  propagatedBuildInputs = [
+    cargo cargo-docset
+  ];
+} ./hook.sh

pkgs/additional/cargo-docset/hook.sh

@@ -0,0 +1,11 @@
+postBuildHooks+=(_cargoDocset)
+postInstallHooks+=(_cargoDocsetInstall)
+
+_cargoDocset() {
+  cargo docset
+}
+
+_cargoDocsetInstall() {
+  mkdir -p $out/share/docset
+  cp -R target/docset/* $out/share/docset/
+}

pkgs/additional/lightdm-mobile-greeter/Cargo.lock

@@ -0,0 +1,780 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "anyhow"
+version = "1.0.66"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "216261ddc8289130e551ddcd5ce8a064710c0d064a4d2895c67151c92b5443f6"
+
+[[package]]
+name = "atk"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c3d816ce6f0e2909a96830d6911c2aff044370b1ef92d7f267b43bae5addedd"
+dependencies = [
+ "atk-sys",
+ "bitflags",
+ "glib 0.15.12",
+ "libc",
+]
+
+[[package]]
+name = "atk-sys"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58aeb089fb698e06db8089971c7ee317ab9644bade33383f63631437b03aafb6"
+dependencies = [
+ "glib-sys 0.15.10",
+ "gobject-sys 0.15.10",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "autocfg"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+
+[[package]]
+name = "bitflags"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+
+[[package]]
+name = "cairo-rs"
+version = "0.15.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c76ee391b03d35510d9fa917357c7f1855bd9a6659c95a1b392e33f49b3369bc"
+dependencies = [
+ "bitflags",
+ "cairo-sys-rs",
+ "glib 0.15.12",
+ "libc",
+ "thiserror",
+]
+
+[[package]]
+name = "cairo-sys-rs"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c55d429bef56ac9172d25fecb85dc8068307d17acd74b377866b7a1ef25d3c8"
+dependencies = [
+ "glib-sys 0.15.10",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "cfg-expr"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b0357a6402b295ca3a86bc148e84df46c02e41f41fef186bda662557ef6328aa"
+dependencies = [
+ "smallvec",
+]
+
+[[package]]
+name = "field-offset"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e1c54951450cbd39f3dbcf1005ac413b49487dabf18a720ad2383eccfeffb92"
+dependencies = [
+ "memoffset",
+ "rustc_version",
+]
+
+[[package]]
+name = "futures-channel"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52ba265a92256105f45b719605a571ffe2d1f0fea3807304b522c1d778f79eed"
+dependencies = [
+ "futures-core",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04909a7a7e4633ae6c4a9ab280aeb86da1236243a77b694a49eacd659a4bd3ac"
+
+[[package]]
+name = "futures-executor"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7acc85df6714c176ab5edf386123fafe217be88c0840ec11f199441134a074e2"
+dependencies = [
+ "futures-core",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-io"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00f5fb52a06bdcadeb54e8d3671f8888a39697dcb0b81b23b55174030427f4eb"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bdfb8ce053d86b91919aad980c220b1fb8401a9394410e1c289ed7e66b61835d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "futures-task"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ffb393ac5d9a6eaa9d3fdf37ae2776656b706e200c8e16b1bdb227f5198e6ea"
+
+[[package]]
+name = "futures-util"
+version = "0.3.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "197676987abd2f9cadff84926f410af1c183608d36641465df73ae8211dc65d6"
+dependencies = [
+ "futures-core",
+ "futures-macro",
+ "futures-task",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "gdk"
+version = "0.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6e05c1f572ab0e1f15be94217f0dc29088c248b14f792a5ff0af0d84bcda9e8"
+dependencies = [
+ "bitflags",
+ "cairo-rs",
+ "gdk-pixbuf",
+ "gdk-sys",
+ "gio 0.15.12",
+ "glib 0.15.12",
+ "libc",
+ "pango",
+]
+
+[[package]]
+name = "gdk-pixbuf"
+version = "0.15.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ad38dd9cc8b099cceecdf41375bb6d481b1b5a7cd5cd603e10a69a9383f8619a"
+dependencies = [
+ "bitflags",
+ "gdk-pixbuf-sys",
+ "gio 0.15.12",
+ "glib 0.15.12",
+ "libc",
+]
+
+[[package]]
+name = "gdk-pixbuf-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "140b2f5378256527150350a8346dbdb08fadc13453a7a2d73aecd5fab3c402a7"
+dependencies = [
+ "gio-sys 0.15.10",
+ "glib-sys 0.15.10",
+ "gobject-sys 0.15.10",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "gdk-sys"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32e7a08c1e8f06f4177fb7e51a777b8c1689f743a7bc11ea91d44d2226073a88"
+dependencies = [
+ "cairo-sys-rs",
+ "gdk-pixbuf-sys",
+ "gio-sys 0.15.10",
+ "glib-sys 0.15.10",
+ "gobject-sys 0.15.10",
+ "libc",
+ "pango-sys",
+ "pkg-config",
+ "system-deps",
+]
+
+[[package]]
+name = "gio"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0cd10f9415cce39b53f8024bf39a21f84f8157afa52da53837b102e585a296a5"
+dependencies = [
+ "bitflags",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-util",
+ "gio-sys 0.9.1",
+ "glib 0.9.3",
+ "glib-sys 0.9.1",
+ "gobject-sys 0.9.1",
+ "lazy_static",
+ "libc",
+]
+
+[[package]]
+name = "gio"
+version = "0.15.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68fdbc90312d462781a395f7a16d96a2b379bb6ef8cd6310a2df272771c4283b"
+dependencies = [
+ "bitflags",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "gio-sys 0.15.10",
+ "glib 0.15.12",
+ "libc",
+ "once_cell",
+ "thiserror",
+]
+
+[[package]]
+name = "gio-sys"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fad225242b9eae7ec8a063bb86974aca56885014672375e5775dc0ea3533911"
+dependencies = [
+ "glib-sys 0.9.1",
+ "gobject-sys 0.9.1",
+ "libc",
+ "pkg-config",
+]
+
+[[package]]
+name = "gio-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32157a475271e2c4a023382e9cab31c4584ee30a97da41d3c4e9fdd605abcf8d"
+dependencies = [
+ "glib-sys 0.15.10",
+ "gobject-sys 0.15.10",
+ "libc",
+ "system-deps",
+ "winapi",
+]
+
+[[package]]
+name = "glib"
+version = "0.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40fb573a09841b6386ddf15fd4bc6655b4f5b106ca962f57ecaecde32a0061c0"
+dependencies = [
+ "bitflags",
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-task",
+ "futures-util",
+ "glib-sys 0.9.1",
+ "gobject-sys 0.9.1",
+ "lazy_static",
+ "libc",
+]
+
+[[package]]
+name = "glib"
+version = "0.15.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edb0306fbad0ab5428b0ca674a23893db909a98582969c9b537be4ced78c505d"
+dependencies = [
+ "bitflags",
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-task",
+ "glib-macros",
+ "glib-sys 0.15.10",
+ "gobject-sys 0.15.10",
+ "libc",
+ "once_cell",
+ "smallvec",
+ "thiserror",
+]
+
+[[package]]
+name = "glib-macros"
+version = "0.15.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "25a68131a662b04931e71891fb14aaf65ee4b44d08e8abc10f49e77418c86c64"
+dependencies = [
+ "anyhow",
+ "heck",
+ "proc-macro-crate",
+ "proc-macro-error",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "glib-sys"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95856f3802f446c05feffa5e24859fe6a183a7cb849c8449afc35c86b1e316e2"
+dependencies = [
+ "libc",
+ "pkg-config",
+]
+
+[[package]]
+name = "glib-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef4b192f8e65e9cf76cbf4ea71fa8e3be4a0e18ffe3d68b8da6836974cc5bad4"
+dependencies = [
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "gobject-sys"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "31d1a804f62034eccf370006ccaef3708a71c31d561fee88564abe71177553d9"
+dependencies = [
+ "glib-sys 0.9.1",
+ "libc",
+ "pkg-config",
+]
+
+[[package]]
+name = "gobject-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d57ce44246becd17153bd035ab4d32cfee096a657fc01f2231c9278378d1e0a"
+dependencies = [
+ "glib-sys 0.15.10",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "gtk"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92e3004a2d5d6d8b5057d2b57b3712c9529b62e82c77f25c1fecde1fd5c23bd0"
+dependencies = [
+ "atk",
+ "bitflags",
+ "cairo-rs",
+ "field-offset",
+ "futures-channel",
+ "gdk",
+ "gdk-pixbuf",
+ "gio 0.15.12",
+ "glib 0.15.12",
+ "gtk-sys",
+ "gtk3-macros",
+ "libc",
+ "once_cell",
+ "pango",
+ "pkg-config",
+]
+
+[[package]]
+name = "gtk-sys"
+version = "0.15.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5bc2f0587cba247f60246a0ca11fe25fb733eabc3de12d1965fc07efab87c84"
+dependencies = [
+ "atk-sys",
+ "cairo-sys-rs",
+ "gdk-pixbuf-sys",
+ "gdk-sys",
+ "gio-sys 0.15.10",
+ "glib-sys 0.15.10",
+ "gobject-sys 0.15.10",
+ "libc",
+ "pango-sys",
+ "system-deps",
+]
+
+[[package]]
+name = "gtk3-macros"
+version = "0.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24f518afe90c23fba585b2d7697856f9e6a7bbc62f65588035e66f6afb01a2e9"
+dependencies = [
+ "anyhow",
+ "proc-macro-crate",
+ "proc-macro-error",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "heck"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2540771e65fc8cb83cd6e8a237f70c319bd5c29f78ed1084ba5d50eeac86f7f9"
+
+[[package]]
+name = "lazy_static"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+
+[[package]]
+name = "libc"
+version = "0.2.137"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc7fcc620a3bff7cdd7a365be3376c97191aeaccc2a603e600951e452615bf89"
+
+[[package]]
+name = "libhandy"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c4a9a0bc88fb8ba74c1cc8ff6b8c34dfb6dc0e97bc62cd96cc2fdc9a47aebe2"
+dependencies = [
+ "bitflags",
+ "gdk",
+ "gdk-pixbuf",
+ "gio 0.15.12",
+ "glib 0.15.12",
+ "gtk",
+ "lazy_static",
+ "libc",
+ "libhandy-sys",
+ "pango",
+]
+
+[[package]]
+name = "libhandy-sys"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcb7c1c11d53e8a2a0c19742f23f36ff0ccf39d9a1e96c7f44054db217adc609"
+dependencies = [
+ "gdk-pixbuf-sys",
+ "gdk-sys",
+ "gio-sys 0.15.10",
+ "glib-sys 0.15.10",
+ "gobject-sys 0.15.10",
+ "gtk-sys",
+ "libc",
+ "pango-sys",
+ "pkg-config",
+ "system-deps",
+]
+
+[[package]]
+name = "light-dm-sys"
+version = "0.0.1"
+source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
+dependencies = [
+ "gio-sys 0.9.1",
+ "glib-sys 0.9.1",
+ "gobject-sys 0.9.1",
+ "libc",
+ "pkg-config",
+]
+
+[[package]]
+name = "lightdm"
+version = "0.1.0"
+source = "git+https://git.raatty.club/raatty/lightdm-rs.git#a3c669583bb932e2b25372048b1e9dbda1f10e11"
+dependencies = [
+ "gio 0.8.1",
+ "gio-sys 0.9.1",
+ "glib 0.9.3",
+ "glib-sys 0.9.1",
+ "gobject-sys 0.9.1",
+ "libc",
+ "light-dm-sys",
+ "once_cell",
+]
+
+[[package]]
+name = "lightdm-mobile-greeter"
+version = "0.1.0"
+dependencies = [
+ "gdk",
+ "gtk",
+ "libhandy",
+ "lightdm",
+]
+
+[[package]]
+name = "memoffset"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "86f0b0d4bf799edbc74508c1e8bf170ff5f41238e5f8225603ca7caaae2b7860"
+
+[[package]]
+name = "pango"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22e4045548659aee5313bde6c582b0d83a627b7904dd20dc2d9ef0895d414e4f"
+dependencies = [
+ "bitflags",
+ "glib 0.15.12",
+ "libc",
+ "once_cell",
+ "pango-sys",
+]
+
+[[package]]
+name = "pango-sys"
+version = "0.15.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2a00081cde4661982ed91d80ef437c20eacaf6aa1a5962c0279ae194662c3aa"
+dependencies = [
+ "glib-sys 0.15.10",
+ "gobject-sys 0.15.10",
+ "libc",
+ "system-deps",
+]
+
+[[package]]
+name = "pest"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a528564cc62c19a7acac4d81e01f39e53e25e17b934878f4c6d25cc2836e62f8"
+dependencies = [
+ "thiserror",
+ "ucd-trie",
+]
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pkg-config"
+version = "0.3.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160"
+
+[[package]]
+name = "proc-macro-crate"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eda0fc3b0fb7c975631757e14d9049da17374063edb6ebbcbc54d880d4fe94e9"
+dependencies = [
+ "once_cell",
+ "thiserror",
+ "toml",
+]
+
+[[package]]
+name = "proc-macro-error"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
+dependencies = [
+ "proc-macro-error-attr",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "version_check",
+]
+
+[[package]]
+name = "proc-macro-error-attr"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "version_check",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.47"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5ea3d908b0e36316caf9e9e2c4625cdde190a7e6f440d794667ed17a1855e725"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbe448f377a7d6961e30f5955f9b8d106c3f5e449d493ee1b125c1d43c2b5179"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "rustc_version"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0dfe2087c51c460008730de8b57e6a320782fbfb312e1f4d520e6c6fae155ee"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "semver"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6"
+dependencies = [
+ "semver-parser",
+]
+
+[[package]]
+name = "semver-parser"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7"
+dependencies = [
+ "pest",
+]
+
+[[package]]
+name = "serde"
+version = "1.0.147"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d193d69bae983fc11a79df82342761dfbf28a99fc8d203dca4c3c1b590948965"
+
+[[package]]
+name = "slab"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4614a76b2a8be0058caa9dbbaf66d988527d86d003c11a94fbd335d7661edcef"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "smallvec"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0"
+
+[[package]]
+name = "syn"
+version = "1.0.103"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a864042229133ada95abf3b54fdc62ef5ccabe9515b64717bcb9a1919e59445d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "system-deps"
+version = "6.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2955b1fe31e1fa2fbd1976b71cc69a606d7d4da16f6de3333d0c92d51419aeff"
+dependencies = [
+ "cfg-expr",
+ "heck",
+ "pkg-config",
+ "toml",
+ "version-compare",
+]
+
+[[package]]
+name = "thiserror"
+version = "1.0.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10deb33631e3c9018b9baf9dcbbc4f737320d2b576bac10f6aefa048fa407e3e"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "982d17546b47146b28f7c22e3d08465f6b8903d0ea13c1660d9d84a6e7adcdbb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "toml"
+version = "0.5.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d82e1a7758622a465f8cee077614c73484dac5b836c02ff6a40d5d1010324d7"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "ucd-trie"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e79c4d996edb816c91e4308506774452e55e95c3c9de07b6729e17e15a5ef81"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ceab39d59e4c9499d4e5a8ee0e2735b891bb7308ac83dfb4e80cad195c9f6f3"
+
+[[package]]
+name = "version-compare"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe88247b92c1df6b6de80ddc290f3976dbdf2f5f5d3fd049a9fb598c6dd5ca73"
+
+[[package]]
+name = "version_check"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

pkgs/additional/lightdm-mobile-greeter/default.nix

@@ -35,7 +35,8 @@ rustPlatform.buildRustPackage rec {
   };
   # cargoHash = "sha256-2NMXR+D/CnDhUToQmMwK2Cb2l+4/N9BrCz/lt1NZ6Wk=";
   cargoLock = {
-    lockFile = "${src}/Cargo.lock";
+    lockFile = ./Cargo.lock;
+    # lockFile = "${src}/Cargo.lock";
     outputHashes = {
       "light-dm-sys-0.0.1" = "sha256-91MZhbO/Or0QOt0yVAUhtorpMBBzElFg6U59mF7WB0k=";
     };

pkgs/additional/linux-megous/default.nix

@@ -2,44 +2,131 @@
 , buildLinux
 , buildPackages
 , fetchFromGitHub
-, kernelPatches
 , modDirVersionArg ? null
 , nixosTests
 , perl
+, pkgs
 , ...
 } @ args:
 
 with lib;
 
 let
-  kernelPatches' = kernelPatches;
-  base = "6.2.0";
-  # set to empty if not a release candidate
-  rc = "-rc5";
-in buildLinux (args // rec {
-  version = base + rc;
+  # HOW TO UPDATE:
+  # - `git fetch` from megous' repo (https://github.com/megous/linux.git).
+  # - there should be some new tag, like `orange-pi-6.1-blah`. use that.
+  # - grab VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION from Makefile.
+  # - megi publishes release notes as the most recent commit on any stable branch, so just `git log`.
+  # - orange-pi is listed as the "main integration branch".
+  #   - specific branches like `pp` (pinephone) are dev branches, and probably less stable.
+  rev = "orange-pi-6.3-20230426-1041";
+  hash = "sha256-hfnBVtWyn6FAAOXnizE4jRaf6b9KYEwlJu3NOD7DMGM=";
+  base = "6.3.0";
+  # set to empty if not a release candidate, else `-rc<N>`
+  rc = "";
 
-  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
-  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) + rc else modDirVersionArg;
+  # pinephone uses the linux dtb at arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi
+  # - this includes sun50i-a64.dtsi
+  # - and sun50i-a64-cpu-opp.dtsi
+  # - no need to touch the allwinner-h6 stuff: that's the SBC pine product
+  # - i think it's safe to ignore sun9i stuff, but i don't know what it is
+  kernelConfig = with lib.kernel; {
+    # NB: nix adds the CONFIG_ prefix to each of these.
+    # if you add the prefix yourself nix will IGNORE YOUR CONFIG.
+    RTL8723CS = module;
+    BT_HCIUART_3WIRE = yes;
+    BT_HCIUART_RTL = yes;
+    RTL8XXXU_UNTESTED = yes;
+    BT_BNEP_MC_FILTER = yes;
+    BT_BNEP_PROTO_FILTER = yes;
+    BT_HS = yes;
+    BT_LE = yes;
+    #
+    ### BUILD FIXES, NOT SPECIFIC TO MY PREFERENCES
+    #
+    # disabling the sun5i_eink driver avoids this compilation error:
+    # CC [M]  drivers/video/fbdev/sun5i-eink-neon.o
+    # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfloat-abi=softfp'
+    # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
+    # make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
+    FB_SUN5I_EINK = no;
+    # used by the pinephone pro, but fails to compile with:
+    # ../drivers/media/i2c/ov8858.c:1834:27: error: implicit declaration of function 'compat_ptr'
+    VIDEO_OV8858 = no;
+    #
+    ### RELEVANT CONFIGS INHERITED FROM NIXOS DEFAULTS (OR ABOVE ADDITIONS):
+    #
+    # CONFIG_BT=m
+    # CONFIG_BT_BREDR=y
+    # CONFIG_BT_RFCOMM=m
+    # CONFIG_BT_RFCOMM_TTY=y
+    # CONFIG_BT_BNEP=m
+    # CONFIG_BT_HIDP=m
+    # CONFIG_BT_RTL=m
+    # CONFIG_BT_HCIBTUSB=m
+    # CONFIG_BT_HCIBTUSB_BCM=y
+    # CONFIG_BT_HCIBTUSB_RTL=y
+    # CONFIG_BT_HCIUART=m
+    # CONFIG_BT_HCIUART_SERDEV=y
+    # CONFIG_BT_HCIUART_H4=y
+    # CONFIG_BT_HCIUART_LL=y
+    # CONFIG_RTL_CARDS=m
+    # CONFIG_RTLWIFI=m
+    # CONFIG_RTLWIFI_PCI=m
+    # CONFIG_RTLWIFI_USB=m
+    # CONFIG_RTLWIFI_DEBUG=y
+    # CONFIG_RTL8723_COMMON=m
+    # CONFIG_RTLBTCOEXIST=m
+    # CONFIG_RTL8XXXU=m
+    # CONFIG_RTLLIB=m
+    # consider adding (from mobile-nixos):
+    # maybe: CONFIG_BT_HCIUART_3WIRE=y
+    # maybe: CONFIG_BT_HCIUART_RTL=y
+    # maybe: CONFIG_RTL8XXXU_UNTESTED=y
+    # consider adding (from manjaro):
+    # CONFIG_BT_6LOWPAN=m  (not listed as option in nixos kernel)
+    # these are referenced in the rtl8723 source, but not known to config (and not in mobile-nixos config
+    # maybe: CONFIG_RTL_ODM_WLAN_DRIVER
+    # maybe: CONFIG_RTL_TRIBAND_SUPPORT
+    # maybe: CONFIG_SDIO_HCI
+    # maybe: CONFIG_USB_HCI
+  };
 
-  # branchVersion needs to be x.y
-  extraMeta.branch = versions.majorMinor version;
-
-  kernelPatches = [
-    kernelPatches'.bridge_stp_helper
-    kernelPatches'.request_key_helper
+  # `pkgs.kernelPatches` is a set of common patches
+  # while `kernelPatches` callarg is a list.
+  # weird idiom, means we have to access pkgs.kernelPatches to access the actual patch directory:
+  extraKernelPatches = [
+    pkgs.kernelPatches.bridge_stp_helper
+    pkgs.kernelPatches.request_key_helper
+    (patchDefconfig kernelConfig)
   ];
 
-  src = fetchFromGitHub {
-    # HOW TO UPDATE:
-    # - `git fetch` from megous' github.
-    # - there should be some new tag, like `orange-pi-6.1-blah`. use that.
-    # - megi publishes release notes as the most recent commit on any stable branch, so just `git log`.
-    # - orange-pi is listed as the "main integration branch".
-    #   - specific branches like `pp` (pinephone) are dev branches, and probably less stable.
-    owner = "megous";
-    repo = "linux";
-    rev = "orange-pi-6.2-20230122-1624";
-    hash = "sha256-Yma9LwlMEnP0QkUZpEl+UkTGvOWOMANBoDsmcTrPb1s=";
+
+  # create a kernelPatch which overrides nixos' defconfig with extra options
+  patchDefconfig = config: {
+    # defconfig options. this method comes from here:
+    # - https://discourse.nixos.org/t/the-correct-way-to-override-the-latest-kernel-config/533/9
+    name = "linux-megous-defconfig";
+    patch = null;
+    extraStructuredConfig = config;
   };
-} // (args.argsOverride or { }))
+
+  overridenArgs = args // rec {
+    version = base + rc;
+
+    # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+    modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) + rc else modDirVersionArg;
+
+    # branchVersion needs to be x.y
+    extraMeta.branch = versions.majorMinor version;
+
+    src = fetchFromGitHub {
+      owner = "megous";
+      repo = "linux";
+      inherit rev hash;
+    };
+  } // (args.argsOverride or { });
+  finalArgs = overridenArgs // {
+    kernelPatches = overridenArgs.kernelPatches or [] ++ extraKernelPatches;
+  };
+in buildLinux finalArgs

pkgs/additional/mx-sanebot/default.nix

@@ -1,5 +1,5 @@
 { lib
-, cargo-docset ? null
+, emptyDirectory
 , openssl
 , pkg-config
 , rustPlatform
@@ -11,18 +11,9 @@ rustPlatform.buildRustPackage {
   src = ./.;
   cargoLock.lockFile = ./Cargo.lock;
 
-  nativeBuildInputs = [ pkg-config ] ++ lib.optional (cargo-docset != null) cargo-docset;
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ openssl ];
 
-  postBuild = ''
-    cargo-docset docset
-  '';
-
-  postInstall = ''
-    mkdir -p $out/share/docset
-    cp -R target/docset/* $out/share/docset/
-  '';
-
   # enables debug builds, if we want: https://github.com/NixOS/nixpkgs/issues/60919.
   hardeningDisable = [ "fortify" ];
 }

pkgs/additional/sane-scripts/default.nix

@@ -108,11 +108,17 @@ let
   };
 
   py-scripts = {
+    # anything added to this attrset gets symlink-joined into into `sane-scripts`
     bt-search = static-nix-shell.mkPython3Bin {
       pname = "sane-bt-search";
       src = ./src;
       pyPkgs = [ "natsort" "requests" ];
     };
+    bt-rm = static-nix-shell.mkBash {
+      pname = "sane-bt-rm";
+      src = ./src;
+      pkgs = [ "transmission" ];
+    };
     date-math = static-nix-shell.mkPython3Bin {
       pname = "sane-date-math";
       src = ./src;

pkgs/additional/sane-scripts/src/sane-bt-rm

@@ -0,0 +1,11 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p transmission
+
+# removes a torrent and trashes its data
+# usage: sane-bt-rm <torrent>
+# where <torrent> is a magnet URL, or an identifier from sane-bt-show (e.g. 132)
+
+endpoint=https://bt.uninsane.org/transmission/rpc
+PASS=$(sudo cat /run/secrets/transmission_passwd)
+
+transmission-remote "$endpoint" --auth "colin:$PASS" --torrent "$1" --remove-and-delete

pkgs/additional/sane-scripts/src/sane-bt-search

@@ -21,6 +21,22 @@ ENDPOINTS = dict(
     results="api/v2.0/indexers/all/results"
 )
 
+epoch = datetime(1970, 1, 1)
+
+def try_parse_time(t: str):
+    try:
+        return datetime.fromisoformat(t)
+    except ValueError: pass
+
+    if len(t) > len('YYYY-MM-DD'):
+        # sometimes these timestamps are encoded with e.g. too many digits in the milliseconds field.
+        # so just keep chomping until we get something that parses as a timestamp
+        return try_parse_time(t[:-1])
+
+def parse_time(t: str) -> datetime:
+    return try_parse_time(t).astimezone() or epoch
+
+
 @dataclass(eq=True, order=True, unsafe_hash=True)
 class Torrent:
     seeders: int
@@ -46,7 +62,7 @@ class Torrent:
         title = d.get("Title")
         magnet = d.get("MagnetUri")
         if seeders is not None and pub_date is not None and title is not None and magnet is not None:
-            pub_date = datetime.fromisoformat(pub_date).astimezone()
+            pub_date = parse_time(pub_date)
             return Torrent(seeders, pub_date, size, tracker, title, magnet)
 
     def to_dict(self) -> dict:
@@ -61,7 +77,7 @@ class Torrent:
 
 class Client:
     def __init__(self):
-        self.apikey = open("/run/secrets/jackett_apikey").read()
+        self.apikey = open("/run/secrets/jackett_apikey").read().strip()
 
     def api_call(self, method: str, params: dict) -> dict:
         endpoint = ENDPOINTS[method]

pkgs/additional/sane-scripts/src/sane-wipe-browser

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# remove firefox/librewolf/chromium artifacts
+rm -rf \
+  ~/.librewolf/default/* \
+  ~/.cache/librewolf/* \
+  ~/.config/chromium \
+  ~/.cache/chromium \
+  || true  # in case no matches

pkgs/additional/static-nix-shell/default.nix

@@ -9,28 +9,79 @@ let
   inherit (builtins) attrNames attrValues concatStringsSep foldl' map typeOf;
   inherit (lib) concatMapAttrs;
   pkgs' = pkgs;
-in {
-  # transform a file which uses `#!/usr/bin/env nix-shell` shebang with a `python3` interpreter
+  # create an attrset of
+  #   <name> = expected string in the nix-shell invocation
+  #   <value> = package to provide
+  pkgsToAttrs = prefix: pkgSet: expr: ({
+    "lambda" = expr: pkgsToAttrs prefix pkgSet (expr pkgSet);
+    "list" = expr: foldl' (acc: pname: acc // {
+      "${prefix + pname}" = pkgSet."${pname}";
+    }) {} expr;
+    "set" = expr: expr;
+  })."${typeOf expr}" expr;
+in rec {
+  # transform a file which uses `#!/usr/bin/env nix-shell` shebang
   # into a derivation that can be built statically.
   #
-  # pkgs and pyPkgs may take the following form:
+  # pkgs may take the following form:
   # - [ "pkgNameA" "pkgNameB" ... ]
   # - { pkgNameA = pkgValueA; pkgNameB = pkgValueB; ... }
   # - ps: <evaluate to one of the above exprs>
-  #
-  # for pyPkgs, names are assumed to be relative to `"ps"` if specified in list form.
+  mkShell = {
+    pname,
+    interpreter,
+    interpreterName ? lib.last (builtins.split "/" interpreter),
+    pkgsEnv,
+    pkgExprs,
+    srcPath ? pname,
+    ...
+  }@attrs:
+  let
+    pkgsStr = concatStringsSep "" (map
+      (pname: " -p ${pname}")
+      pkgExprs
+    );
+  in
+    stdenv.mkDerivation ({
+      version = "0.1.0";  # default version
+      patchPhase = ''
+        substituteInPlace ${srcPath} \
+          --replace '#!/usr/bin/env nix-shell' '#!${interpreter}' \
+          --replace \
+            '#!nix-shell -i ${interpreterName}${pkgsStr}' \
+            '# nix deps evaluated statically'
+      '';
+      nativeBuildInputs = [ makeWrapper ];
+      installPhase = ''
+        mkdir -p $out/bin
+        mv ${srcPath} $out/bin/${srcPath}
+
+        # ensure that all nix-shell references were substituted
+        (! grep nix-shell $out/bin/${srcPath}) || exit 1
+
+        # add runtime dependencies to PATH
+        wrapProgram $out/bin/${srcPath} \
+          --suffix PATH : ${lib.makeBinPath pkgsEnv }
+      '';
+    } // (removeAttrs attrs [ "interpreter" "interpreterName" "pkgsEnv" "pkgExprs" "srcPath" ])
+  );
+
+  # `mkShell` specialization for `nix-shell -i bash` scripts.
+  mkBash = { pname, pkgs ? {}, srcPath ? pname, ...}@attrs:
+    let
+      pkgsAsAttrs = pkgsToAttrs "" pkgs' pkgs;
+      pkgsEnv = attrValues pkgsAsAttrs;
+      pkgExprs = attrNames pkgsAsAttrs;
+    in mkShell ({
+      inherit pkgsEnv pkgExprs;
+      interpreter = "${pkgs'.bash}/bin/bash";
+    } // (removeAttrs attrs [ "pkgs" ])
+  );
+
+  # `mkShell` specialization for invocations of `nix-shell -p "python3.withPackages (...)"`
+  # pyPkgs argument is parsed the same as pkgs, except that names are assumed to be relative to `"ps"` if specified in list form.
   mkPython3Bin = { pname, pkgs ? {}, pyPkgs ? {}, srcPath ? pname, ... }@attrs:
     let
-      # create an attrset of
-      #   <name> = expected string in the nix-shell invocation
-      #   <value> = package to provide
-      pkgsToAttrs = prefix: pkgSet: expr: ({
-        "lambda" = expr: pkgsToAttrs prefix pkgSet (expr pkgSet);
-        "list" = expr: foldl' (acc: pname: acc // {
-          "${prefix + pname}" = pkgSet."${pname}";
-        }) {} expr;
-        "set" = expr: expr;
-      })."${typeOf expr}" expr;
       pyEnv = python3.withPackages (ps: attrValues (
         pkgsToAttrs "ps." ps pyPkgs
       ));
@@ -40,31 +91,13 @@ in {
 
       pkgsAsAttrs = pkgsToAttrs "" pkgs' pkgs;
       pkgsEnv = attrValues pkgsAsAttrs;
-      pkgsStr = concatStringsSep "" (map
-        (pname: " -p ${pname}")
-        (attrNames pkgsAsAttrs)
-      );
-    in stdenv.mkDerivation ({
-      version = "0.1.0";  # default version
-      patchPhase = ''
-        substituteInPlace ${srcPath} \
-          --replace '#!/usr/bin/env nix-shell' '#!${pyEnv.interpreter}' \
-          --replace \
-            '#!nix-shell -i python3 -p "python3.withPackages (ps: [ ${pyPkgsStr} ])"${pkgsStr}' \
-            '# nix deps evaluated statically'
-      '';
-      nativeBuildInputs = [ makeWrapper ];
-      installPhase = ''
-        mkdir -p $out/bin
-        mv ${srcPath} $out/bin/${srcPath}
-
-        # ensure that all nix-shell references were substituted
-        ! grep nix-shell $out/bin/${srcPath}
-
-        # add runtime dependencies to PATH
-        wrapProgram $out/bin/${srcPath} \
-          --suffix PATH : ${lib.makeBinPath pkgsEnv }
-      '';
-    } // (removeAttrs attrs [ "pkgs" "pyPkgs" "srcPath" ])
+      pkgExprs = [
+        "\"python3.withPackages (ps: [ ${pyPkgsStr} ])\""
+      ] ++ (attrNames pkgsAsAttrs);
+    in mkShell ({
+      inherit pkgsEnv pkgExprs;
+      interpreter = pyEnv.interpreter;
+      interpreterName = "python3";
+    } // (removeAttrs attrs [ "pkgs" "pyPkgs" ])
   );
 }

pkgs/additional/sublime-music-mobile/default.nix

@@ -48,7 +48,8 @@
 , gtk-doc
 , lib
 , libhandy
-, python3Packages
+, fetchFromGitHub
+, python3
 , gobject-introspection
 , gtk3
 , pango
@@ -61,7 +62,22 @@
 , networkSupport ? true, networkmanager
 }:
 
-python3Packages.buildPythonApplication rec {
+let
+  python = python3.override {
+    packageOverrides = self: super: {
+      semver = super.semver.overridePythonAttrs (oldAttrs: rec {
+        version = "2.13.0";
+        src = fetchFromGitHub {
+          owner = "python-semver";
+          repo = "python-semver";
+          rev = "refs/tags/${version}";
+          hash = "sha256-IWTo/P9JRxBQlhtcH3JMJZZrwAA8EALF4dtHajWUc4w=";
+        };
+      });
+    };
+  };
+in
+python.pkgs.buildPythonApplication rec {
   pname = "sublime-music-mobile";
   version = "0.11.16";
   format = "pyproject";
@@ -82,16 +98,17 @@ python3Packages.buildPythonApplication rec {
     domain = "git.uninsane.org";
     owner = "colin";
     repo = "sublime-music";
-    rev = "5d8eb1f15c946a43dcf15266ce109f6bec810ce3";
-    sha256 = "sha256-qMCyRNPtmd29dQKKcPi+Jy5gr39crZUBizprdOZlmY4=";
+    rev = "b64498960147c705f530f3d8f91c6217ed66a8f8";
+    sha256 = "sha256-jyC3Fh+b+MBLjHlFr3nOOM7eT/3PPF7dynHsPJaIzLU=";
   };
 
   nativeBuildInputs = [
     gobject-introspection
-    python3Packages.poetry-core
-    python3Packages.pythonRelaxDepsHook
     wrapGAppsHook
-  ];
+  ] ++ (with python.pkgs; [
+   poetry-core
+   pythonRelaxDepsHook
+ ]);
 
   # Can be removed in later versions (probably > 0.11.16)
   pythonRelaxDeps = [
@@ -122,7 +139,7 @@ python3Packages.buildPythonApplication rec {
    ++ lib.optional networkSupport networkmanager
   ;
 
-  propagatedBuildInputs = with python3Packages; [
+  propagatedBuildInputs = with python.pkgs; [
     bleach
     dataclasses-json
     deepdiff
@@ -135,7 +152,7 @@ python3Packages.buildPythonApplication rec {
     requests
     semver
   ]
-   ++ lib.optional chromecastSupport PyChromecast
+   ++ lib.optional chromecastSupport pychromecast
    ++ lib.optional keyringSupport keyring
    ++ lib.optional serverSupport bottle
   ;
@@ -152,7 +169,7 @@ python3Packages.buildPythonApplication rec {
   # https://github.com/NixOS/nixpkgs/issues/56943
   strictDeps = false;
 
-  checkInputs = with python3Packages; [
+  checkInputs = with python.pkgs; [
     pytest
   ];
 

pkgs/default.nix

@@ -1,19 +1,27 @@
-{ pkgs ? import <nixpkgs> {}, lib ? pkgs.lib, unpatched ? pkgs }:
+# this supports being used as an overlay or in a standalone context
+# - if overlay, invoke as `(final: prev: import ./. { inherit final; pkgs = prev; })`
+# - if standalone: `import ./. { inherit pkgs; }`
+#
+# using the correct invocation is critical if any packages mentioned here are
+# additionally patched elsewhere
+#
+{ pkgs ? import <nixpkgs> {}, final ? null }:
 let
+  lib = pkgs.lib;
+  unpatched = pkgs;
 
   pythonPackagesOverlay = py-final: py-prev: import ./python-packages {
     inherit (py-final) callPackage;
   };
-  # this scope ensures that my packages can all take each other as inputs,
-  # even when evaluated bare (i.e. outside of an overlay)
-  sane = lib.makeScope pkgs.newScope (self: with self; {
+  final' = if final != null then final else (pkgs // sane);
+  sane = with final'; {
     sane-data = import ../modules/data { inherit lib; };
-    sane-lib = import ../modules/lib pkgs;
+    sane-lib = import ../modules/lib final';
 
     ### ADDITIONAL PACKAGES
     bootpart-uefi-x86_64 = callPackage ./additional/bootpart-uefi-x86_64 { };
     browserpass-extension = callPackage ./additional/browserpass-extension { };
-    cargo-docset = callPackage ./additional/cargo-docset { };
+    cargoDocsetHook = callPackage ./additional/cargo-docset/hook.nix { };
     feeds = lib.recurseIntoAttrs (callPackage ./additional/feeds { });
     gopass-native-messaging-host = callPackage ./additional/gopass-native-messaging-host { };
     gpodder-configured = callPackage ./additional/gpodder-configured { };
@@ -40,6 +48,7 @@ let
     # ubootRaspberryPi4_64bit = callPackage ./additional/ubootRaspberryPi4_64bit { };
 
     # provided by nixpkgs patch or upstream PR
+    # cargo-docset = callPackage ./additional/cargo-docset { };
     # splatmoji = callPackage ./additional/splatmoji { };
 
 
@@ -54,11 +63,21 @@ let
     # mozilla keeps nerfing itself and removing configuration options
     firefox-unwrapped = callPackage ./patched/firefox-unwrapped { inherit (unpatched) firefox-unwrapped; };
 
+    gnome = unpatched.gnome.overrideScope' (gself: gsuper: {
+      gnome-control-center = gself.callPackage ./patched/gnome-control-center {
+        inherit (gsuper) gnome-control-center;
+      };
+    });
+
     gocryptfs = callPackage ./patched/gocryptfs { inherit (unpatched) gocryptfs; };
 
     # jackett doesn't allow customization of the bind address: this will probably always be here.
     jackett = callPackage ./patched/jackett { inherit (unpatched) jackett; };
 
+    lemmy-server = callPackage ./patched/lemmy-server { inherit (unpatched) lemmy-server; };
+
+    phoc = callPackage ./patched/phoc { inherit (unpatched) phoc; };
+
 
     ### PYTHON PACKAGES
     pythonPackagesExtensions = (unpatched.pythonPackagesExtensions or []) ++ [
@@ -69,5 +88,5 @@ let
     python3 = unpatched.python3.override {
       packageOverrides = pythonPackagesOverlay;
     };
-  });
-in sane.packages sane
+  };
+in sane

pkgs/patched/gnome-control-center/default.nix

@@ -0,0 +1,15 @@
+{ gnome-control-center }:
+
+(gnome-control-center.overrideAttrs (upstream: {
+  # gnome-control-center does not start without XDG_CURRENT_DESKTOP=gnome
+  # see: <https://github.com/NixOS/nixpkgs/issues/230493>
+  # see: <https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/736>
+  #
+  # non-gnome DEs (e.g. sway) already set XDG_CURRENT_DESKTOP to something different,
+  # so changing this system-wide probably isn't a good idea.
+  preFixup = ''
+    gappsWrapperArgs+=(
+      --set XDG_CURRENT_DESKTOP "gnome"
+    );
+  '' + upstream.preFixup;
+}))

pkgs/patched/lemmy-server/default.nix

@@ -0,0 +1,10 @@
+{ lemmy-server }:
+
+lemmy-server.overrideAttrs (upstream: {
+  patches = upstream.patches or [] ++ [
+    # "thread 'main' panicked at 'Couldn't run DB Migrations: Failed to run 2022-07-07-182650_comment_ltrees with: permission denied: "RI_ConstraintTrigger_a_647340" is a system trigger', crates/db_schema/src/utils.rs:165:25"
+    ./fix-db-migrations.patch
+    # log the database connection events, for debugging
+    # ./log-startup.patch
+  ];
+})

pkgs/patched/lemmy-server/fix-db-migrations.patch

@@ -0,0 +1,19 @@
+diff --git a/migrations/2022-07-07-182650_comment_ltrees/up.sql b/migrations/2022-07-07-182650_comment_ltrees/up.sql
+index fde9e1b3..55b96dac 100644
+--- a/migrations/2022-07-07-182650_comment_ltrees/up.sql
++++ b/migrations/2022-07-07-182650_comment_ltrees/up.sql
+@@ -60,7 +60,7 @@ ORDER BY
+        breadcrumb;
+
+ -- Remove indexes and foreign key constraints, and disable triggers for faster updates
+-alter table comment disable trigger all;
++-- alter table comment disable trigger all;
+
+ alter table comment drop constraint if exists comment_creator_id_fkey;
+ alter table comment drop constraint if exists comment_parent_id_fkey;
+@@ -115,4 +115,4 @@ create index idx_path_gist on comment using gist (path);
+ -- Drop the parent_id column
+ alter table comment drop column parent_id cascade;
+
+-alter table comment enable trigger all;
++-- alter table comment enable trigger all;

pkgs/patched/lemmy-server/log-startup.patch

@@ -0,0 +1,56 @@
+diff --git a/crates/db_schema/src/utils.rs b/crates/db_schema/src/utils.rs
+index acedab97..4b62b5bb 100644
+--- a/crates/db_schema/src/utils.rs
++++ b/crates/db_schema/src/utils.rs
+@@ -134,9 +134,12 @@ pub fn diesel_option_overwrite_to_url_create(
+ }
+ 
+ async fn build_db_pool_settings_opt(settings: Option<&Settings>) -> Result<DbPool, LemmyError> {
++  println!("build_db_pool_settings_opt");
+   let db_url = get_database_url(settings);
++  println!("  db_url: {db_url}");
+   let pool_size = settings.map(|s| s.database.pool_size).unwrap_or(5);
+   let manager = AsyncDieselConnectionManager::<AsyncPgConnection>::new(&db_url);
++  println!("  built manager");
+   let pool = Pool::builder(manager)
+     .max_size(pool_size)
+     .wait_timeout(POOL_TIMEOUT)
+@@ -144,12 +147,15 @@ async fn build_db_pool_settings_opt(settings: Option<&Settings>) -> Result<DbPoo
+     .recycle_timeout(POOL_TIMEOUT)
+     .runtime(Runtime::Tokio1)
+     .build()?;
++  println!("  built pool");
+ 
+   // If there's no settings, that means its a unit test, and migrations need to be run
+   if settings.is_none() {
++    println!("  running migrations");
+     run_migrations(&db_url);
+   }
+ 
++  println!("  complete");
+   Ok(pool)
+ }
+ 
+diff --git a/src/code_migrations.rs b/src/code_migrations.rs
+index c69ce591..0914677d 100644
+--- a/src/code_migrations.rs
++++ b/src/code_migrations.rs
+@@ -40,7 +40,9 @@ use tracing::info;
+ use url::Url;
+ 
+ pub async fn run_advanced_migrations(pool: &DbPool, settings: &Settings) -> Result<(), LemmyError> {
++  println!("run_advanced_migrations");
+   let protocol_and_hostname = &settings.get_protocol_and_hostname();
++  println!("  conn: {protocol_and_hostname}");
+   user_updates_2020_04_02(pool, protocol_and_hostname).await?;
+   community_updates_2020_04_02(pool, protocol_and_hostname).await?;
+   post_updates_2020_04_03(pool, protocol_and_hostname).await?;
+@@ -52,6 +54,8 @@ pub async fn run_advanced_migrations(pool: &DbPool, settings: &Settings) -> Resu
+   regenerate_public_keys_2022_07_05(pool).await?;
+   initialize_local_site_2022_10_10(pool, settings).await?;
+ 
++  println!("  complete");
++
+   Ok(())
+ }
+ 

pkgs/patched/phoc/default.nix

@@ -0,0 +1,11 @@
+{ fetchpatch, phoc }:
+phoc.overrideAttrs (super: {
+  patches = super.patches or [] ++ [
+    (fetchpatch {
+      # this patch fixes some screen-blanking issues.
+      # not 100% necessary, but does give a better experience.
+      url = "https://gitlab.gnome.org/World/Phosh/phoc/-/merge_requests/428.diff";
+      hash = "sha256-XaSpcjtAFbGpqSLOUvjFU84TRmjKhL0NPIDvEK4VUD4=";
+    })
+  ];
+})