modules/programs: require manual definition; don't auto-populate attrset

this greatly decreases nix eval time

README.md

@@ -1,3 +1,7 @@
+![hello](doc/hello.gif)
+
+# .❄️≡We|_c0m3 7o m`/ f14k≡❄️.
+
 ## What's Here
 
 this is the top-level repo from which i configure/deploy all my NixOS machines:
@@ -6,18 +10,18 @@ this is the top-level repo from which i configure/deploy all my NixOS machines:
 - server
 - mobile phone (Pinephone)
 
-everything outside of <./hosts/> and <./secrets/> is intended for export, to be importable for use by 3rd parties.
+everything outside of [hosts/](./hosts/) and [secrets/](./secrets/) is intended for export, to be importable for use by 3rd parties.
 the only hard dependency for my exported pkgs/modules should be [nixpkgs][nixpkgs].
-building <./hosts/> will require [sops][sops].
+building [hosts/](./hosts/) will require [sops][sops].
 
 you might specifically be interested in these files (elaborated further in #key-points-of-interest):
 - [`sxmo-utils`](./pkgs/additional/sxmo-utils/default.nix)
   - [example SXMO deployment](./hosts/modules/gui/sxmo/default.nix)
 - [my implementation of impermanence](./modules/persist/default.nix)
 - my way of deploying dotfiles/configuring programs per-user:
-  - <./modules/fs/default.nix>
+  - [modules/fs/](./modules/fs/default.nix)
-  - <./modules/programs.nix>
+  - [modules/programs/](./modules/programs/default.nix)
-  - <./modules/users.nix>
+  - [modules/users.nix](./modules/users.nix)
 
 [nixpkgs]: https://github.com/NixOS/nixpkgs
 [sops]: https://github.com/Mic92/sops-nix
@@ -94,11 +98,16 @@ i.e. you might find value in using these in your own config:
     - persist things to encrypted storage which is unlocked at login time (pam_mount).
     - "persist" cache directories -- to free up RAM -- but auto-wipe them on mount
       and encrypt them to ephemeral keys so they're unreadable post shutdown/unmount.
-- `modules/programs.nix`
+- `modules/programs/`
   - like nixpkgs' `programs` options, but allows both system-wide or per-user deployment.
   - allows `fs` and `persist` config values to be gated behind program deployment:
     - e.g. `/home/<user>/.mozilla/firefox` is persisted only for users who
       `sane.programs.firefox.enableFor.user."<user>" = true;`
+  - allows aggressive sandboxing any program:
+    - `sane.programs.firefox.sandbox.method = "bwrap";  # sandbox with bubblewrap`
+    - `sane.programs.firefox.sandbox.whitelistWayland = true;  # allow it to render a wayland window`
+    - `sane.programs.firefox.sandbox.extraHomePaths = [ "Downloads" ];  # allow it read/write access to ~/Downloads`
+    - integrated with `fs` and `persist` modules so that programs' config files and persisted data stores are linked into the sandbox w/o any extra involvement.
 - `modules/users.nix`
   - convenience layer atop the above modules so that you can just write
     `fs.".config/git"` instead of `fs."/home/colin/.config/git"`

TODO.md

@@ -1,15 +1,14 @@
 ## BUGS
-- nixpkgs date is incorrect (1970.01.01...)
 - ringer (i.e. dino incoming call) doesn't prevent moby from sleeping
 - `nix` operations from lappy hang when `desko` is unreachable
   - could at least direct the cache to `http://desko-hn:5001`
 
 ## REFACTORING:
-
+- consolidate ~/dev and ~/ref
+  - ~/dev becomes a link to ~/ref/cat/mine
 - fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix
 
 ### sops/secrets
-- attach secrets to the thing they're used by (sane.programs)
 - rework secrets to leverage `sane.fs`
 - remove sops activation script as it's covered by my systemd sane.fs impl
 
@@ -22,7 +21,6 @@
 - bump nodejs version in lemmy-ui
 - add updateScripts to all my packages in nixpkgs
 - fix lightdm-mobile-greeter for newer libhandy
-- port zecwallet-lite to a from-source build
 - REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
 
 #### upstreaming to non-nixpkgs repos
@@ -34,23 +32,27 @@
 - validate duplicity backups!
 - encrypt more ~ dirs (~/archives, ~/records, ..?)
   - best to do this after i know for sure i have good backups
-- have `sane.programs` be wrapped such that they run in a cgroup?
+- /mnt/desko/home, etc, shouldn't include secrets (~/private)
-  - at least, only give them access to the portion of the fs they *need*.
+  - 95% of its use is for remote media access and stuff which isn't in VCS (~/records)
-  - Android takes approach of giving each app its own user: could hack that in here.
+- port all sane.programs to be sandboxed
-  - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
+  - enforce that all `environment.packages` has a sandbox profile (or explicitly opts out)
-    - presumably uses the same options as systemd services
+  - revisit "non-sandboxable" apps and check that i'm not actually just missing mountpoints
-    - see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
+    - LL_FS_RW=/ isn't enough -- need all mount points like `=/:/proc:/sys:...`.
-  - flatpak does this, somehow
+  - ensure non-bin package outputs are linked for sandboxed apps
-  - apparmor?  SElinux?  (desktop) "portals"?
+    - i.e. `outputs.man`, `outputs.debug`, `outputs.doc`, ...
-  - see Spectrum OS; Alyssa Ross; etc
+  - lock down dbus calls within the sandbox
-  - bubblewrap-based sandboxing: <https://github.com/nixpak/nixpak>
+    - otherwise anyone can `systemd-run --user ...` to potentially escape a sandbox
+    - <https://github.com/flatpak/xdg-dbus-proxy>
+  - remove `.ssh` access from Firefox!
+    - limit access to `~/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
+  - port sane-sandboxed to a compiled language (hare?)
+    - it adds like 50-70ms launch time _on my laptop_. i'd hate to know how much that is on the pinephone.
+- make dconf stuff less monolithic
+  - i.e. per-app dconf profiles for those which need it. possible static config.
 - canaries for important services
   - e.g. daily email checks; daily backup checks
   - integrate `nix check` into Gitea actions?
 
-### faster/better deployments
-- remove audacity's dependency on webkitgtk (via wxwidgets)
-
 ### user experience
 - install apps:
   - display QR codes for WiFi endpoints: <https://linuxphoneapps.org/apps/noappid.wisperwind.wifi2qr/>
@@ -70,6 +72,7 @@
   - Shootin Stars  (Godot; not in nixpkgs) <https://gitlab.com/greenbeast/shootin-stars>
   - numberlink (generic name for Flow Free). not packaged in Nix
   - Neverball (https://neverball.org/screenshots.php). nix: as `neverball`
+  - blurble (https://linuxphoneapps.org/games/app.drey.blurble/). nix: not as of 2024-02-05
 
 #### moby
 - fix cpuidle (gets better power consumption): <https://xnux.eu/log/077.html>
@@ -89,7 +92,6 @@
 - moby: theme GTK apps (i.e. non-adwaita styles)
   - especially, make the menubar collapsible
   - try Gradience tool specifically for theming adwaita? <https://linuxphoneapps.org/apps/com.github.gradienceteam.gradience/>
-- phog: remove the gnome-shell runtime dependency to save hella closure size
 
 #### non-moby
 - RSS: integrate a paywall bypass
@@ -111,13 +113,13 @@
   - could change junk filter from "no DKIM success" to explicit "DKIM failed"
 
 ### perf
+- debug nixos-rebuild times
+  - i bet sane.programs adds a LOT of time, with how it automatically creates an attrs for EVERY package in nixpkgs.
 - add `pkgs.impure-cached.<foo>` package set to build things with ccache enabled
   - every package here can be auto-generated, and marked with some env var so that it doesn't pollute the pure package set
   - would be super handy for package prototyping!
-- fix desko so it doesn't dispatch so many build jobs to servo by default
 
 ## NEW FEATURES:
 - migrate MAME cabinet to nix
   - boot it from PXE from servo?
 - enable IPv6
-- package lemonade lemmy app: <https://linuxphoneapps.org/apps/ml.mdwalters.lemonade/>

flake.lock

@@ -1,5 +1,23 @@
 {
   "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1698882062,
+        "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "mobile-nixos": {
       "flake": false,
       "locked": {
@@ -17,13 +35,67 @@
         "type": "github"
       }
     },
+    "nix-fast-build": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1703607026,
+        "narHash": "sha256-Emh0BPoqlS4ntp2UJrwydXfIP4qIMF0VBB2FUE3/M/E=",
+        "owner": "Mic92",
+        "repo": "nix-fast-build",
+        "rev": "4376b8a33b217ee2f78ba3dcff01a3e464d13a46",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "nix-fast-build",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1698890957,
+        "narHash": "sha256-DJ+SppjpPBoJr0Aro9TAcP3sxApCSieY6BYBCoWGUX8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c082856b850ec60cda9f0a0db2bc7bd8900d708c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1698611440,
+        "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-next-unpatched": {
       "locked": {
-        "lastModified": 1705233677,
+        "lastModified": 1708992120,
-        "narHash": "sha256-eq3VE8QGJsunqqF/BlLslWE1gASp4Hlgp0c78coxat0=",
+        "narHash": "sha256-t/8QV+lEroW5fK44w5oEUalIM0eYYVGs833AHDCIl4s=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "724e39ebb9b8eda97f17d423f66fbc5a991f4f8d",
+        "rev": "6daf4de0662e1d895d220a4a4ddb356eb000abe9",
         "type": "github"
       },
       "original": {
@@ -35,27 +107,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1705033721,
+        "lastModified": 1708819810,
-        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
+        "narHash": "sha256-1KosU+ZFXf31GPeCBNxobZWMgHsSOJcrSFA6F2jhzdE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
+        "rev": "89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1705254014,
+        "lastModified": 1708995544,
-        "narHash": "sha256-4RrVNEqxeji4vqDgzSl7JoCD6a0ag5LF9zXFndtqrpE=",
+        "narHash": "sha256-YJgLopKOKVTggnKzjX4OiAS22hx/vNv397DcsAyTZgY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6c08fe3ccf437d8b26bec010fd925ddd6bb0d0d5",
+        "rev": "5bd8df40204f47a12263f3614c72cd5b6832a9a0",
         "type": "github"
       },
       "original": {
@@ -68,6 +140,7 @@
     "root": {
       "inputs": {
         "mobile-nixos": "mobile-nixos",
+        "nix-fast-build": "nix-fast-build",
         "nixpkgs-next-unpatched": "nixpkgs-next-unpatched",
         "nixpkgs-unpatched": "nixpkgs-unpatched",
         "sops-nix": "sops-nix",
@@ -82,11 +155,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1705201153,
+        "lastModified": 1708987867,
-        "narHash": "sha256-y0/a4IMDZrc7lAkR7Gcm5R3W2iCBiARHnYZe6vkmiNE=",
+        "narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "70dd0d521f7849338e487a219c1a07c429a66d77",
+        "rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf",
         "type": "github"
       },
       "original": {
@@ -95,6 +168,27 @@
         "type": "github"
       }
     },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-fast-build",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1698438538,
+        "narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
     "uninsane-dot-org": {
       "inputs": {
         "nixpkgs": [
@@ -102,11 +196,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704082841,
+        "lastModified": 1707981105,
-        "narHash": "sha256-4g3lePnUALb8B1m3rEDD6rrZAq2pTN4qaSnStbd676U=",
+        "narHash": "sha256-YCU1eNslBHabjP+OCY+BxPycEFO9SRUts10MrN9QORE=",
         "ref": "refs/heads/master",
-        "rev": "4a1fa488e64e6c87c6c951e3fafb2684692f64d3",
+        "rev": "bb10cd8853d05191e4d62947d93687c462e92c30",
-        "revCount": 234,
+        "revCount": 235,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -57,6 +57,10 @@
       url = "github:nixos/mobile-nixos?ref=d25d3b87e7f300d8066e31d792337d9cd7ecd23b";
       flake = false;
     };
+    nix-fast-build = {
+      # https://github.com/Mic92/nix-fast-build
+      url = "github:Mic92/nix-fast-build";
+    };
     sops-nix = {
       # <https://github.com/Mic92/sops-nix>
       # used to distribute secrets to my hosts
@@ -77,6 +81,7 @@
     nixpkgs-unpatched,
     nixpkgs-next-unpatched ? nixpkgs-unpatched,
     mobile-nixos,
+    nix-fast-build,
     sops-nix,
     uninsane-dot-org,
     ...
@@ -98,19 +103,29 @@
         inherit variant nixpkgs;
         self = patchNixpkgs variant nixpkgs;
       } // {
-        # provide values that nixpkgs ordinarily sources from the flake.lock file,
+        # sourceInfo includes fields (square brackets for the ones which are not always present):
-        # inaccessible to it here because of the import-from-derivation.
+        # - [dirtyRev]
-        # rev and shortRev seem to not always exist (e.g. if the working tree is dirty),
+        # - [dirtyShortRev]
-        # so those are made conditional.
+        # - lastModified
+        # - lastModifiedDate
+        # - narHash
+        # - outPath
+        # - [rev]
+        # - [revCount]
+        # - [shortRev]
+        # - submodules
         #
-        # these values impact the name of a produced nixos system. having date/rev in the
+        # these values are used within nixpkgs:
-        # `readlink /run/current-system` store path helps debuggability.
+        # - to give a friendly name to the nixos system (`readlink /run/current-system` -> `...nixos-system-desko-24.05.20240227.dirty`)
-        inherit (self) lastModifiedDate lastModified;
+        # - to alias `import <nixpkgs>` so that nix uses the system's nixpkgs when called externally (supposedly).
-      } // optionalAttrs (self ? rev) {
+        #
-        inherit (self) rev;
+        # these values seem to exist both within the `sourceInfo` attrset and at the top-level.
-      } // optionalAttrs (self ? shortRev) {
+        # for a list of all implicit flake outputs (which is what these seem to be):
-        inherit (self) shortRev;
+        # $ nix-repl
-      };
+        # > lf .
+        # > <tab>
+        inherit (self) sourceInfo;
+      } // self.sourceInfo;
 
       nixpkgs' = patchNixpkgs "master" nixpkgs-unpatched;
       nixpkgsCompiledBy = system: nixpkgs'.legacyPackages."${system}";
@@ -190,17 +205,18 @@
         #   hence the weird redundancy.
         default = final: prev: self.overlays.pkgs final prev;
         sane-all = final: prev: import ./overlays/all.nix final prev;
-        disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
         pkgs = final: prev: import ./overlays/pkgs.nix final prev;
         pins = final: prev: import ./overlays/pins.nix final prev;
         preferences = final: prev: import ./overlays/preferences.nix final prev;
-        optimizations = final: prev: import ./overlays/optimizations.nix final prev;
         passthru = final: prev:
           let
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlays.default;
+            # TODO: why do i have to use `self.inputs.nix-fast-build` instead of just `nix-fast-build` here?
+            nix-fast-build = (_: prev: self.inputs.nix-fast-build.packages."${prev.stdenv.system}" or {});
           in
             (mobile final prev)
+            // (nix-fast-build final prev)
             // (uninsane final prev)
           ;
       };
@@ -257,18 +273,43 @@
           pkgs = self.legacyPackages."x86_64-linux";
           sanePkgs = import ./pkgs { inherit pkgs; };
           deployScript = host: addr: action: pkgs.writeShellScript "deploy-${host}" ''
-            nix build '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./result-${host} "$@"
+            host="${host}"
-            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result-${host})
+            addr="${addr}"
+            action="${if action != null then action else ""}"
+            runOnTarget() {
+              # run the command ($@) on the machine we're deploying to.
+              # if that's a remote machine, then do it via ssh, else local shell.
+              if [ -n "$addr" ]; then
+                ssh "$addr" "$@"
+              else
+                "$@"
+              fi
+            }
 
-            # XXX: this triggers another config eval & (potentially) build.
+            nix build ".#nixosConfigurations.$host.config.system.build.toplevel" --out-link "./result-$host" "$@"
-            # if the config changed between these invocations, the above signatures might not apply to the deployed config.
+            storePath="$(readlink ./result-$host)"
-            # let the user handle that edge case by re-running this whole command.
+
-            # N.B.: `--fast` option here is critical to cross-compiled deployments: without it the build machine will try to invoke the host machine's `nix` binary.
+            # mimic `nixos-rebuild --target-host`, in effect:
-            # TODO: solve this by replacing the nixos-build invocation with:
+            # - nix-copy-closure ...
-            # - nix-copy-closure --to $host $result
+            # - nix-env --set ...
-            # - on target: nix-env set -p /nix/var/nix/profiles/system $result
+            # - switch-to-configuration <boot|dry-activate|switch|test|>
-            # - on target: $result/bin/switch-to-configuration
+            # avoid the actual `nixos-rebuild` for a few reasons:
-            nixos-rebuild --flake '.#${host}' ${action} --target-host colin@${addr} --use-remote-sudo "$@" --fast
+            # - fewer nix evals
+            # - more introspectability and debuggability
+            # - sandbox friendliness (especially: `git` doesn't have to be run as root)
+
+            if [ -n "$addr" ]; then
+              sudo nix store sign -r -k /run/secrets/nix_serve_privkey "$storePath"
+              # add more `-v` for more verbosity (up to 5).
+              # builders-use-substitutes false: optimizes so that the remote machine doesn't try to get paths from its substituters.
+              #   we already have all paths here, and the remote substitution is slow to check and SERIOUSLY flaky on moby in particular.
+              nix copy -vv --option builders-use-substitutes false --to "ssh-ng://$addr" "$storePath"
+            fi
+
+            if [ -n "$action" ]; then
+              runOnTarget sudo nix-env -p /nix/var/nix/profiles/system --set "$storePath"
+              runOnTarget sudo "$storePath/bin/switch-to-configuration" "$action"
+            fi
           '';
           deployApp = host: addr: action: {
             type = "app";
@@ -342,7 +383,11 @@
                 - `nix run '.#update.feeds'`
                   - updates metadata for all feeds
                 - `nix run '.#init-feed' <url>`
-                - `nix run '.#deploy.{desko,lappy,moby,servo}[-light][.test]' [nixos-rebuild args ...]`
+                - `nix run '.#deploy.{desko,lappy,moby,servo}[-light|-test]' [nix args ...]`
+                  - build and deploy the host
+                - `nix run '.#preDeploy.{desko,lappy,moby,servo}[-light]' [nix args ...]`
+                  - copy closures to a host, but don't activate it
+                  - or `nix run '.#preDeploy'` to target all hosts
                 - `nix run '.#check'`
                   - make sure all systems build; NUR evaluates
 
@@ -371,12 +416,47 @@
           };
 
           deploy = {
+            desko       = deployApp "desko"       "desko" "switch";
+            desko-light = deployApp "desko-light" "desko" "switch";
             lappy       = deployApp "lappy"       "lappy" "switch";
             lappy-light = deployApp "lappy-light" "lappy" "switch";
             moby        = deployApp "moby"        "moby"  "switch";
             moby-light  = deployApp "moby-light"  "moby"  "switch";
             moby-test   = deployApp "moby"        "moby"  "test";
             servo       = deployApp "servo"       "servo" "switch";
+
+            # like `nixos-rebuild --flake . switch`
+            self        = deployApp "$(hostname)"       ""      "switch";
+            self-light  = deployApp "$(hostname)-light" ""      "switch";
+
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript "deploy-all" ''
+              nix run '.#deploy.lappy'
+              nix run '.#deploy.moby'
+              nix run '.#deploy.desko'
+              nix run '.#deploy.servo'
+            '');
+          };
+          preDeploy = {
+            # build the host and copy the runtime closure to that host, but don't activate it.
+            desko       = deployApp "desko"       "desko" null;
+            desko-light = deployApp "desko-light" "desko" null;
+            lappy       = deployApp "lappy"       "lappy" null;
+            lappy-light = deployApp "lappy-light" "lappy" null;
+            moby        = deployApp "moby"        "moby"  null;
+            moby-light  = deployApp "moby-light"  "moby"  null;
+            servo       = deployApp "servo"       "servo" null;
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript "predeploy-all" ''
+              # copy the -light variants first; this might be run while waiting on a full build. or the full build failed.
+              nix run '.#preDeploy.moby-light' -- "$@"
+              nix run '.#preDeploy.lappy-light' -- "$@"
+              nix run '.#preDeploy.desko-light' -- "$@"
+              nix run '.#preDeploy.lappy' -- "$@"
+              nix run '.#preDeploy.servo' -- "$@"
+              nix run '.#preDeploy.moby' -- "$@"
+              nix run '.#preDeploy.desko' -- "$@"
+            '');
           };
 
           sync = {
@@ -397,8 +477,8 @@
             # can run this from any device that has ssh access to desko and servo
             type = "app";
             program = builtins.toString (pkgs.writeShellScript "sync-to-desko" ''
-              sudo mount /mnt/desko-home
+              sudo mount /mnt/desko/home
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compat /mnt/servo-media/Music /mnt/desko-home/Music "$@"
+              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compat /mnt/servo/media/Music /mnt/desko/home/Music "$@"
             '');
           };
 
@@ -407,8 +487,8 @@
             # can run this from any device that has ssh access to lappy and servo
             type = "app";
             program = builtins.toString (pkgs.writeShellScript "sync-to-lappy" ''
-              sudo mount /mnt/lappy-home
+              sudo mount /mnt/lappy/home
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat /mnt/servo-media/Music /mnt/lappy-home/Music "$@"
+              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat /mnt/servo/media/Music /mnt/lappy/home/Music "$@"
             '');
           };
 
@@ -417,9 +497,11 @@
             # can run this from any device that has ssh access to moby and servo
             type = "app";
             program = builtins.toString (pkgs.writeShellScript "sync-to-moby" ''
-              sudo mount /mnt/moby-home
+              sudo mount /mnt/moby/home
+              sudo mount /mnt/desko/home
+              ${pkgs.rsync}/bin/rsync -arv --exclude servo-macros /mnt/moby/home/Pictures/ /mnt/desko/home/Pictures/moby/
               # N.B.: limited by network/disk -> reduce job count to improve pause/resume behavior
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat --jobs 4 /mnt/servo-media/Music /mnt/moby-home/Music "$@"
+              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat --jobs 4 /mnt/servo/media/Music /mnt/moby/home/Music "$@"
             '');
           };
 

hosts/by-name/desko/default.nix

@@ -28,14 +28,14 @@
   sane.nixcache.substituters.desko = false;
   sane.nixcache.remote-builders.desko = false;
 
-  sane.gui.sway.enable = true;
+  sane.programs.sway.enableFor.user.colin = true;
   sane.programs.iphoneUtils.enableFor.user.colin = true;
   sane.programs.steam.enableFor.user.colin = true;
 
   # sane.programs.devPkgs.enableFor.user.colin = true;
 
-  sane.programs.signal-desktop.config.autostart = true;
   sane.programs."gnome.geary".config.autostart = true;
+  sane.programs.signal-desktop.config.autostart = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

hosts/by-name/desko/fs.nix

@@ -6,7 +6,6 @@
   fileSystems."/tmp".options = [ "size=64G" ];
 
   fileSystems."/nix" = {
-    # device = "/dev/disk/by-uuid/0ab0770b-7734-4167-88d9-6e4e20bb2a56";
     device = "/dev/disk/by-uuid/845d85bf-761d-431b-a406-e6f20909154f";
     fsType = "btrfs";
     options = [
@@ -16,7 +15,6 @@
   };
 
   fileSystems."/boot" = {
-    # device = "/dev/disk/by-uuid/41B6-BAEF";
     device = "/dev/disk/by-uuid/5049-9AFD";
     fsType = "vfat";
   };

hosts/by-name/lappy/default.nix

@@ -12,10 +12,12 @@
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
   # sane.guest.enable = true;
-  sane.gui.sway.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  sane.programs.sway.enableFor.user.colin = true;
+  sane.programs."gnome.geary".config.autostart = true;
+  sane.programs.signal-desktop.config.autostart = true;
   sane.programs.stepmania.enableFor.user.colin = true;
 
   sops.secrets.colin-passwd.neededForUsers = true;

hosts/by-name/lappy/fs.nix

@@ -14,24 +14,4 @@
     device = "/dev/disk/by-uuid/BD79-D6BB";
     fsType = "vfat";
   };
-
-  # fileSystems."/nix" = {
-  #   device = "/dev/disk/by-uuid/5a7fa69c-9394-8144-a74c-6726048b129f";
-  #   fsType = "btrfs";
-  # };
-
-  # fileSystems."/boot" = {
-  #   device = "/dev/disk/by-uuid/4302-1685";
-  #   fsType = "vfat";
-  # };
-
-  # fileSystems."/" = {
-  #   device = "none";
-  #   fsType = "tmpfs";
-  #   options = [
-  #     "mode=755"
-  #     "size=1G"
-  #     "defaults"
-  #   ];
-  # };
 }

hosts/by-name/lappy/polyfill.nix

@@ -3,7 +3,6 @@
 { pkgs, ... }:
 {
   sane.gui.sxmo = {
-    greeter = "greetd-sway-gtkgreet";
     noidle = true;  #< power button requires 1s hold, which makes it impractical to be dealing with.
     settings = {
       # XXX: make sure the user is part of the `input` group!

hosts/by-name/moby/default.nix

@@ -25,10 +25,14 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
 
+  # for some reason desko -> moby deploys are super flaky when desko is also a nixcache (not true of desko -> lappy deploys, though!)
+  # > unable to download 'http://desko:5001/<hash>.narinfo': Server returned nothing (no headers, no data) (52)
+  sane.nixcache.substituters.desko = false;
+
   # XXX colin: phosh doesn't work well with passwordless login,
   # so set this more reliable default password should anything go wrong
   users.users.colin.initialPassword = "147147";
-  services.getty.autologinUser = "root";  # allows for emergency maintenance?
+  # services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
   sops.secrets.colin-passwd.neededForUsers = true;
 
@@ -45,7 +49,7 @@
 
   # sane.programs.ntfy-sh.config.autostart = true;
   sane.programs.dino.config.autostart = true;
-  sane.programs.signal-desktop.config.autostart = true;
+  # sane.programs.signal-desktop.config.autostart = true;  # TODO: enable once electron stops derping.
   # sane.programs."gnome.geary".config.autostart = true;
   # sane.programs.calls.config.autostart = true;
   sane.programs.mpv.config.vo = "wlshm";  #< see hosts/common/programs/mpv.nix for details

hosts/by-name/servo/fs.nix

@@ -50,6 +50,7 @@
   sane.persist.stores."ext" = {
     origin = "/mnt/pool/persist";
     storeDescription = "external HDD storage";
+    defaultMethod = "bind";  #< TODO: change to "symlink"?
   };
 
   # increase /tmp space (defaults to 50% of RAM) for building large nix things.
@@ -83,13 +84,14 @@
 
   sane.persist.sys.byStore.plaintext = [
     # TODO: this is overly broad; only need media and share directories to be persisted
-    { user = "colin"; group = "users"; path = "/var/lib/uninsane"; }
+    { user = "colin"; group = "users"; path = "/var/lib/uninsane"; method = "bind"; }
   ];
   # force some problematic directories to always get correct permissions:
   sane.fs."/var/lib/uninsane/media".dir.acl = {
     user = "colin"; group = "media"; mode = "0775";
   };
   sane.fs."/var/lib/uninsane/media/archive".dir = {};
+  # this is file.text instead of symlink.text so that it may be read over a remote mount (where consumers might not have any /nix/store/.../README.md path)
   sane.fs."/var/lib/uninsane/media/archive/README.md".file.text = ''
     this directory is for media i wish to remove from my library,
     but keep for a short time in case i reverse my decision.
@@ -108,6 +110,7 @@
   sane.fs."/var/lib/uninsane/media/Videos/Film".dir = {};
   sane.fs."/var/lib/uninsane/media/Videos/Shows".dir = {};
   sane.fs."/var/lib/uninsane/media/Videos/Talks".dir = {};
+  # this is file.text instead of symlink.text so that it may be read over a remote mount (where consumers might not have any /nix/store/.../README.md path)
   sane.fs."/var/lib/uninsane/datasets/README.md".file.text = ''
     this directory may seem redundant with ../media/datasets. it isn't.
     this directory exists on SSD, allowing for speedy access to specific datasets when necessary.

hosts/by-name/servo/net.nix

@@ -24,18 +24,6 @@ in
     sane.ports.openFirewall = true;
     sane.ports.openUpnp = true;
 
-    # view refused packets with: `sudo journalctl -k`
-    # networking.firewall.logRefusedPackets = true;
-
-    # these useDHCP lines are legacy from the auto-generated config. might be safe to remove now?
-    networking.useDHCP = false;
-    networking.interfaces.eth0.useDHCP = true;
-    # XXX colin: probably don't need this. wlan0 won't be populated unless i touch a value in networking.interfaces.wlan0
-    networking.wireless.enable = false;
-
-    # this is needed to forward packets from the VPN to the host
-    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
     # unless we add interface-specific settings for each VPN, we have to define nameservers globally.
     # networking.nameservers = [
     #   "1.1.1.1"

hosts/by-name/servo/services/calibre.nix

@@ -13,7 +13,7 @@ in
 lib.mkIf false
 {
   sane.persist.sys.byStore.plaintext = [
-    { inherit user group; mode = "0700"; path = svc-dir; }
+    { inherit user group; mode = "0700"; path = svc-dir; method = "bind"; }
   ];
 
   services.calibre-web.enable = true;

hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix

@@ -30,8 +30,7 @@ let
 in
 {
   sane.persist.sys.byStore.ext = [
-    # /var/lib/monero/lmdb is what consumes most of the space
+    { user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; method = "bind"; }
-    { user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; }
   ];
 
   # sane.ports.ports."8333" = {

hosts/by-name/servo/services/cryptocurrencies/clightning.nix

@@ -73,7 +73,7 @@
 { config, pkgs, ... }:
 {
   sane.persist.sys.byStore.ext = [
-    { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; }
+    { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; method = "bind"; }
   ];
 
   # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon

hosts/by-name/servo/services/cryptocurrencies/monero.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.byStore.ext = [
     # /var/lib/monero/lmdb is what consumes most of the space
-    { user = "monero"; group = "monero"; path = "/var/lib/monero"; }
+    { user = "monero"; group = "monero"; path = "/var/lib/monero"; method = "bind"; }
   ];
 
   services.monero.enable = true;

hosts/by-name/servo/services/cryptocurrencies/tor.nix

@@ -4,7 +4,7 @@
   # tor hidden service hostnames aren't deterministic, so persist.
   # might be able to get away with just persisting /var/lib/tor/onion, not sure.
   sane.persist.sys.byStore.plaintext = [
-    { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; }
+    { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; }
   ];
 
   # tor: `tor.enable` doesn't start a relay, exit node, proxy, etc. it's minimal.

hosts/by-name/servo/services/ejabberd.nix

@@ -45,7 +45,7 @@ in
 lib.mkIf false
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
+    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; method = "bind"; }
   ];
   sane.ports.ports = lib.mkMerge ([
     {

hosts/by-name/servo/services/email/dovecot.nix

@@ -127,10 +127,11 @@
   services.dovecot2.modules = [
     pkgs.dovecot_pigeonhole  # enables sieve execution (?)
   ];
-  services.dovecot2.sieveScripts = {
+  services.dovecot2.sieve = {
+    extensions = [ "fileinto" ];
     # if any messages fail to pass (or lack) DKIM, move them to Junk
     # XXX the key name ("after") is only used to order sieve execution/ordering
-    after = builtins.toFile "ensuredkim.sieve" ''
+    scripts.after = builtins.toFile "ensuredkim.sieve" ''
       require "fileinto";
 
       if not header :contains "Authentication-Results" "dkim=pass" {
@@ -139,4 +140,6 @@
       }
     '';
   };
+
+  systemd.services.dovecot2.serviceConfig.RestartSec = lib.mkForce "15s";  # nixos defaults this to 1s
 }

hosts/by-name/servo/services/email/postfix.nix

@@ -20,9 +20,9 @@ in
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? could be more granular
-    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; }
+    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; method = "bind"; }
-    { user = "root"; group = "root"; path = "/var/lib/postfix"; }
+    { user = "root"; group = "root"; path = "/var/lib/postfix"; method = "bind"; }
-    { user = "root"; group = "root"; path = "/var/spool/mail"; }
+    { user = "root"; group = "root"; path = "/var/spool/mail"; method = "bind"; }
     # *probably* don't need these dirs:
     # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
     # "/var/lib/dovecot"

hosts/by-name/servo/services/export/default.nix

@@ -30,7 +30,7 @@
   # to query the quota/status:
   # - `sudo btrfs qgroup show -re /var/export/playground`
   sane.persist.sys.byStore.ext = [
-    { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; }
+    { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; method = "bind"; }
   ];
 
   sane.fs."/var/export/README.md" = {

hosts/by-name/servo/services/export/sftpgo.nix

@@ -91,7 +91,7 @@ let
   authFailJson = pkgs.writeText "sftp-auth-fail.json" (builtins.toJSON authResponseFail);
   unwrappedAuthProgram = pkgs.static-nix-shell.mkBash {
     pname = "sftpgo_external_auth_hook";
-    src = ./.;
+    srcRoot = ./.;
     pkgs = [ "coreutils" ];
   };
   authProgram = pkgs.writeShellScript "sftpgo-auth-hook" ''

hosts/by-name/servo/services/freshrss.nix

@@ -16,7 +16,7 @@
     mode = "0400";
   };
   sane.persist.sys.byStore.plaintext = [
-    { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; }
+    { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; method = "bind"; }
   ];
 
   services.freshrss.enable = true;

hosts/by-name/servo/services/gitea.nix

@@ -4,7 +4,7 @@
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? could be more granular
-    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; }
+    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; method = "bind"; }
   ];
   services.gitea.enable = true;
   services.gitea.user = "git";  # default is 'gitea'
@@ -100,6 +100,24 @@
     locations."/" = {
       proxyPass = "http://127.0.0.1:3000";
     };
+    # gitea serves all `raw` files as content-type: plain, but i'd like to serve them as their actual content type.
+    # or at least, enough to make specific pages viewable (serving unoriginal content as arbitrary content type is dangerous).
+    locations."~ ^/colin/phone-case-cq/raw/.*.html" = {
+      proxyPass = "http://127.0.0.1:3000";
+      extraConfig = ''
+        proxy_hide_header Content-Type;
+        default_type text/html;
+        add_header Content-Type text/html;
+      '';
+    };
+    locations."~ ^/colin/phone-case-cq/raw/.*.js" = {
+      proxyPass = "http://127.0.0.1:3000";
+      extraConfig = ''
+        proxy_hide_header Content-Type;
+        default_type text/html;
+        add_header Content-Type text/javascript;
+      '';
+    };
   };
 
   sane.dns.zones."uninsane.org".inet.CNAME."git" = "native";

hosts/by-name/servo/services/ipfs.nix

@@ -12,7 +12,7 @@ lib.mkIf false # i don't actively use ipfs anymore
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? could be more granular
-    { user = "261"; group = "261"; path = "/var/lib/ipfs"; }
+    { user = "261"; group = "261"; path = "/var/lib/ipfs"; method = "bind"; }
   ];
 
   networking.firewall.allowedTCPPorts = [ 4001 ];

hosts/by-name/servo/services/jackett.nix

@@ -3,7 +3,7 @@
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
-    { user = "root"; group = "root"; path = "/var/lib/jackett"; }
+    { user = "root"; group = "root"; path = "/var/lib/jackett"; method = "bind"; }
   ];
   services.jackett.enable = true;
 

hosts/by-name/servo/services/jellyfin.nix

@@ -41,7 +41,7 @@
   };
 
   sane.persist.sys.byStore.plaintext = [
-    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; }
+    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; method = "bind"; }
   ];
   sane.fs."/var/lib/jellyfin/config/logging.json" = {
     # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>

hosts/by-name/servo/services/kiwix-serve.nix

@@ -7,7 +7,7 @@
 { ... }:
 {
   sane.persist.sys.byStore.ext = [
-    { user = "colin"; group = "users"; path = "/var/lib/kiwix"; }
+    { user = "colin"; group = "users"; path = "/var/lib/kiwix"; method = "bind"; }
   ];
 
   sane.services.kiwix-serve = {

hosts/by-name/servo/services/komga.nix

@@ -5,7 +5,7 @@ let
 in
 {
   sane.persist.sys.byStore.plaintext = [
-    { inherit user group; mode = "0700"; path = stateDir; }
+    { inherit user group; mode = "0700"; path = stateDir; method = "bind"; }
   ];
 
   services.komga.enable = true;

hosts/by-name/servo/services/lemmy.nix

@@ -78,8 +78,8 @@ in {
   # CLI args: <https://git.asonix.dog/asonix/pict-rs#user-content-running>
   systemd.services.pict-rs.serviceConfig.ExecStart = lib.mkForce (lib.concatStringsSep " " [
     "${lib.getBin pict-rs}/bin/pict-rs run"
-    "--media-max-frame-count" (builtins.toString (30*60*60))
+    "--media-video-max-frame-count" (builtins.toString (30*60*60))
     "--media-process-timeout 120"
-    "--media-enable-full-video true"  # allow audio
+    "--media-video-allow-audio"  # allow audio
   ]);
 }

hosts/by-name/servo/services/matrix/default.nix

@@ -21,7 +21,7 @@
   ];
 
   sane.persist.sys.byStore.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; method = "bind"; }
   ];
   services.matrix-synapse.enable = true;
   services.matrix-synapse.settings = {

hosts/by-name/servo/services/matrix/discord-puppet.nix

@@ -6,7 +6,7 @@
 lib.mkIf false
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; method = "bind"; }
   ];
 
   services.matrix-synapse.settings.app_service_config_files = [

hosts/by-name/servo/services/matrix/irc.nix

@@ -103,7 +103,7 @@ in
 
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode?
-    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; }
+    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; method = "bind"; }
   ];
 
   # XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,

hosts/by-name/servo/services/matrix/signal.nix

@@ -5,8 +5,8 @@
 lib.mkIf false  # disabled 2024/01/11: i don't use it, and pkgs.mautrix-signal had some API changes
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; }
+    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; method = "bind"; }
-    { user = "signald"; group = "signald"; path = "/var/lib/signald"; }
+    { user = "signald"; group = "signald"; path = "/var/lib/signald"; method = "bind"; }
   ];
 
   # allow synapse to read the registration file

hosts/by-name/servo/services/navidrome.nix

@@ -2,7 +2,7 @@
 
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; }
+    { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; method = "bind"; }
   ];
   services.navidrome.enable = true;
   services.navidrome.settings = {

hosts/by-name/servo/services/nginx.nix

@@ -169,8 +169,8 @@ in
   security.acme.defaults.email = "admin.acme@uninsane.org";
 
   sane.persist.sys.byStore.plaintext = [
-    { user = "acme"; group = "acme"; path = "/var/lib/acme"; }
+    { user = "acme"; group = "acme"; path = "/var/lib/acme"; method = "bind"; }
-    { user = "colin"; group = "users"; path = "/var/www/sites"; }
+    { user = "colin"; group = "users"; path = "/var/www/sites"; method = "bind"; }
   ];
 
   # let's encrypt default chain looks like:

hosts/by-name/servo/services/ntfy/ntfy-sh.nix

@@ -34,7 +34,7 @@ in
     # not 100% necessary to persist this, but ntfy does keep a 12hr (by default) cache
     # for pushing notifications to users who become offline.
     # ACLs also live here.
-    { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; }
+    { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; method = "bind"; }
   ];
 
   services.ntfy-sh.enable = true;

hosts/by-name/servo/services/ntfy/ntfy-waiter.nix

@@ -49,7 +49,7 @@ in
       type = types.package;
       default = pkgs.static-nix-shell.mkPython3Bin {
         pname = "ntfy-waiter";
-        src = ./.;
+        srcRoot = ./.;
         pkgs = [ "ntfy-sh" ];
       };
       description = ''

hosts/by-name/servo/services/pict-rs.nix

@@ -6,7 +6,7 @@ let
 in
 {
   sane.persist.sys.byStore.plaintext = lib.mkIf cfg.enable [
-    { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; }
+    { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; method = "bind"; }
   ];
 
   systemd.services.pict-rs.serviceConfig = {

hosts/by-name/servo/services/pleroma.nix

@@ -15,7 +15,7 @@ let
 in
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; }
+    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; method = "bind"; }
   ];
   services.pleroma.enable = true;
   services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;

hosts/by-name/servo/services/postgres.nix

@@ -8,7 +8,7 @@ in
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode?
-    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; method = "bind"; }
   ];
   services.postgresql.enable = true;
 

hosts/by-name/servo/services/prosody/default.nix

@@ -57,7 +57,7 @@ let
 in
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; }
+    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; method = "bind"; }
   ];
   sane.ports.ports."5000" = {
     protocol = [ "tcp" ];

hosts/by-name/servo/services/slskd.nix

@@ -6,7 +6,7 @@
 { config, lib, ... }:
 {
   sane.persist.sys.byStore.plaintext = [
-    { user = "slskd"; group = "slskd"; path = "/var/lib/slskd"; }
+    { user = "slskd"; group = "slskd"; path = "/var/lib/slskd"; method = "bind"; }
   ];
   sops.secrets."slskd_env" = {
     owner = config.users.users.slskd.name;

hosts/by-name/servo/services/transmission.nix

@@ -1,14 +1,37 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
+let
+  # 2023/09/06: nixpkgs `transmission` defaults to old 3.00
+  # 2024/02/15: some torrent trackers whitelist clients; everyone is still on 3.00 for some reason :|
+  #             some do this via peer-id (e.g. baka); others via user-agent (e.g. MAM).
+  #             peer-id format is essentially the same between 3.00 and 4.x (just swap the MAJOR/MINOR/PATCH numbers).
+  #             user-agent format has changed. `Transmission/3.00` (old) v.s. `TRANSMISSION/MAJ.MIN.PATCH` (new).
+  realTransmission = pkgs.transmission_4;
+  realVersion = {
+    major = lib.versions.major realTransmission.version;
+    minor = lib.versions.minor realTransmission.version;
+    patch = lib.versions.patch realTransmission.version;
+  };
+  package = realTransmission.overrideAttrs (upstream: {
+    # `cmakeFlags = [ "-DTR_VERSION_MAJOR=3" ]`, etc, doesn't seem to take effect.
+    postPatch = (upstream.postPatch or "") + ''
+      substituteInPlace CMakeLists.txt \
+        --replace-fail 'TR_VERSION_MAJOR "${realVersion.major}"' 'TR_VERSION_MAJOR "3"' \
+        --replace-fail 'TR_VERSION_MINOR "${realVersion.minor}"' 'TR_VERSION_MINOR "0"' \
+        --replace-fail 'TR_VERSION_PATCH "${realVersion.patch}"' 'TR_VERSION_PATCH "0"' \
+        --replace-fail 'set(TR_USER_AGENT_PREFIX "''${TR_SEMVER}")' 'set(TR_USER_AGENT_PREFIX "3.00")'
+    '';
+  });
+in
 {
   sane.persist.sys.byStore.plaintext = [
     # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; }
+    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; method = "bind"; }
   ];
   users.users.transmission.extraGroups = [ "media" ];
 
   services.transmission.enable = true;
-  services.transmission.package = pkgs.transmission_4;  #< 2023/09/06: nixpkgs `transmission` defaults to old 3.00
+  services.transmission.package = package;
   #v setting `group` this way doesn't tell transmission to `chown` the files it creates
   #  it's a nixpkgs setting which just runs the transmission daemon as this group
   services.transmission.group = "media";
@@ -20,6 +43,8 @@
   ];
 
   services.transmission.settings = {
+    # DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
+
     # message-level = 3;  #< enable for debug logging. 0-3, default is 2.
     # 0.0.0.0 => allow rpc from any host: we gate it via firewall and auth requirement
     rpc-bind-address = "0.0.0.0";

hosts/common/default.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
   imports = [
     ./feeds.nix
@@ -9,11 +9,13 @@
     ./ids.nix
     ./machine-id.nix
     ./net
-    ./nix-path
+    ./nix
     ./persist.nix
+    ./polyunfill.nix
     ./programs
     ./secrets.nix
     ./ssh.nix
+    ./systemd.nix
     ./users
   ];
 
@@ -30,63 +32,6 @@
   # time.timeZone = "America/Los_Angeles";
   time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
 
-  nix.extraOptions = ''
-    # see: `man nix.conf`
-    # useful when a remote builder has a faster internet connection than me
-    builders-use-substitutes = true  # default: false
-    # maximum seconds to wait when connecting to binary substituter
-    connect-timeout = 3  # default: 0
-    # download-attempts = 5  # default: 5
-    # allow `nix flake ...` command
-    experimental-features = nix-command flakes
-    # whether to build from source when binary substitution fails
-    fallback = true  # default: false
-    # whether to keep building dependencies if any other one fails
-    keep-going = true  # default: false
-    # whether to keep build-only dependencies of GC roots (e.g. C compiler) when doing GC
-    keep-outputs = true  # default: false
-    # how many lines to show from failed build
-    log-lines = 30  # default: 10
-    # narinfo-cache-negative-ttl = 3600  # default: 3600
-    # whether to use ~/.local/state/nix/profile instead of ~/.nix-profile, etc
-    use-xdg-base-directories = true  # default: false
-    # whether to warn if repository has uncommited changes
-    warn-dirty = false  # default: true
-  '';
-  # hardlinks identical files in the nix store to save 25-35% disk space.
-  # unclear _when_ this occurs. it's not a service.
-  # does the daemon continually scan the nix store?
-  # does the builder use some content-addressed db to efficiently dedupe?
-  nix.settings.auto-optimise-store = true;
-  # TODO: see if i can remove this?
-  nix.settings.trusted-users = [ "root" ];
-
-  services.journald.extraConfig = ''
-    # docs: `man journald.conf`
-    # merged journald config is deployed to /etc/systemd/journald.conf
-    [Journal]
-    # disable journal compression because the underlying fs is compressed
-    Compress=no
-  '';
-
-  systemd.services.nix-daemon.serviceConfig = {
-    # the nix-daemon manages nix builders
-    # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
-    # see:
-    # - nixos PR that enabled systemd-oomd: <https://github.com/NixOS/nixpkgs/pull/169613>
-    # - systemd's docs on these properties: <https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill>
-    #
-    # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
-    # see `man oomd.conf` for further tunables that may help.
-    #
-    # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
-    # TODO: also apply this to the guest user's slice (user-1100.slice)
-    # TODO: also apply this to distccd
-    ManagedOOMMemoryPressure = "kill";
-    ManagedOOMSwap = "kill";
-  };
-
-
   system.activationScripts.nixClosureDiff = {
     supportsDryActivation = true;
     text = ''
@@ -102,34 +47,14 @@
     text = ''
       # send a notification to any sway users logged in, that the system has been activated/upgraded.
       # this probably doesn't work if more than one sway session exists on the system.
-      _notifyActiveSwaySock="$(echo /run/user/*/sway-ipc.*.sock)"
+      _notifyActiveSwaySock="$(echo /run/user/*/sway-ipc*.sock)"
       if [ -e "$_notifyActiveSwaySock" ]; then
-        SWAYSOCK="$_notifyActiveSwaySock" ${pkgs.sway}/bin/swaymsg -- exec \
+        SWAYSOCK="$_notifyActiveSwaySock" ${config.sane.programs.sway.packageUnwrapped}/bin/swaymsg -- exec \
           "${pkgs.libnotify}/bin/notify-send 'nixos activated' 'version: $(cat $systemConfig/nixos-version)'"
       fi
     '';
   };
 
-  # disable non-required packages like nano, perl, rsync, strace
-  environment.defaultPackages = [];
-
-  # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
-  # this lets programs temporarily write user-level dconf settings (aka gsettings).
-  # they're written to ~/.config/dconf/user, unless `DCONF_PROFILE` is set to something other than the default of /etc/dconf/profile/user
-  # find keys/values with `dconf dump /`
-  programs.dconf.enable = true;
-  programs.dconf.packages = [
-    (pkgs.writeTextFile {
-      name = "dconf-user-profile";
-      destination = "/etc/dconf/profile/user";
-      text = ''
-        user-db:user
-        system-db:site
-      '';
-    })
-  ];
-  # sane.programs.glib.enableFor.user.colin = true;  # for `gsettings`
-
   # link debug symbols into /run/current-system/sw/lib/debug
   # hopefully picked up by gdb automatically?
   environment.enableDebugInfo = true;

hosts/common/feeds.nix

@@ -1,4 +1,5 @@
 # where to find good stuff?
+# - universal search/directory: <https://podcastindex.org>
 # - podcasts w/ a community: <https://lemmyverse.net/communities?query=podcast>
 # - podcast rec thread: <https://lemmy.ml/post/1565858>
 #
@@ -72,16 +73,14 @@ let
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
     (fromDb "feeds.feedburner.com/dancarlin/history" // rat)
     (fromDb "feeds.feedburner.com/radiolab" // pol)  # Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
-    (fromDb "feeds.libsyn.com/421877" // rat)  # Less Wrong Curated
     (fromDb "feeds.megaphone.fm/behindthebastards" // pol)  # also Maggie Killjoy
-    # (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)  # Daniel Huberman on sleep
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)  # The Verge - Decoder
     (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
     (fromDb "feeds.simplecast.com/82FI35Px" // pol)  # Ezra Klein Show
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)  # Econ Talk
     (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
-    # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
     (fromDb "feeds.transistor.fm/acquired" // tech)
+    (fromDb "fulltimenix.com" // tech)
     (fromDb "lexfridman.com/podcast" // rat)
     (fromDb "mapspodcast.libsyn.com" // uncat)  # Multidisciplinary Association for Psychedelic Studies
     (fromDb "omegataupodcast.net" // tech)  # 3/4 German; 1/4 eps are English
@@ -89,7 +88,6 @@ let
     (fromDb "omny.fm/shows/the-dollop-with-dave-anthony-and-gareth-reynolds")  # The Dollop history/comedy
     (fromDb "originstories.libsyn.com" // uncat)
     (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
-    # (fromDb "podcast.thelinuxexp.com" // tech)  # low-brow linux/foss PR announcements
     (fromDb "politicalorphanage.libsyn.com" // pol)
     (fromDb "reverseengineering.libsyn.com/rss" // tech)  # UnNamed Reverse Engineering Podcast
     (fromDb "rss.acast.com/deconstructed")  # The Intercept - Deconstructed
@@ -103,13 +101,17 @@ let
     (fromDb "sscpodcast.libsyn.com" // rat)  # Astral Codex Ten
     (fromDb "talesfromthebridge.buzzsprout.com" // tech)  # Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
     (fromDb "techwontsave.us" // pol)  # rec by Cory Doctorow
-    # (fromDb "trashfuturepodcast.podbean.com" // pol)  # rec by Cory Doctorow, but way rambly
     (fromDb "wakingup.libsyn.com" // pol)  # Sam Harris
     (fromDb "werenotwrong.fireside.fm" // pol)
 
+    # (fromDb "feeds.libsyn.com/421877" // rat)  # Less Wrong Curated
+    # (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)  # Daniel Huberman on sleep
+    # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
+    # (fromDb "podcast.thelinuxexp.com" // tech)  # low-brow linux/foss PR announcements
     # (fromDb "rss.art19.com/your-welcome" // pol)  # Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
     # (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)  #< possible URL rot
+    # (fromDb "trashfuturepodcast.podbean.com" // pol)  # rec by Cory Doctorow, but way rambly
     # (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)  # Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
     # (mkPod "https://audioboom.com/channels/5097784.rss" // tech)  # Lateral with Tom Scott
     # (mkPod "https://feeds.megaphone.fm/RUNMED9919162779" // pol // infrequent)  # The Witch Trials of J.K. Rowling: <https://www.thefp.com/witchtrials>
@@ -117,12 +119,13 @@ let
   ];
 
   texts = [
+    (fromDb "acoup.blog/feed")  # history, states. author: <https://historians.social/@bretdevereaux/following>
     (fromDb "amosbbatto.wordpress.com" // tech)
     (fromDb "applieddivinitystudies.com" // rat)
     (fromDb "artemis.sh" // tech)
     (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
     (fromDb "austinvernon.site" // tech)
-    (fromDb "balajis.com" // pol)  # Balaji
+    # (fromDb "balajis.com" // pol)  # Balaji
     (fromDb "ben-evans.com/benedictevans" // pol)
     (fromDb "bitbashing.io" // tech)
     (fromDb "bitsaboutmoney.com" // uncat)
@@ -144,6 +147,7 @@ let
     (fromDb "interconnected.org/home/feed" // rat)  # Matt Webb -- engineering-ish, but dreamy
     (fromDb "jeffgeerling.com" // tech)
     (fromDb "jefftk.com" // tech)
+    (fromDb "kill-the-newsletter.com/feeds/joh91bv7am2pnznv.xml" // pol)  # Matt Levine - Money Stuff
     (fromDb "kosmosghost.github.io/index.xml" // tech)
     # (fromDb "lesswrong.com" // rat)
     (fromDb "linmob.net" // tech)
@@ -188,7 +192,6 @@ let
     (mkSubstack "samkriss" // humor // infrequent)
     (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
     (mkText "http://boginjr.com/feed" // tech // infrequent)
-    (mkText "https://acoup.blog/feed" // rat // weekly)
     (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
     (mkText "https://forum.merveilles.town/rss.xml" // pol // infrequent)  #quality RSS list here: <https://forum.merveilles.town/thread/57/share-your-rss-feeds%21-6/>
     # (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
@@ -197,7 +200,7 @@ let
     (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)  # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
     (mkText "https://nixos.org/blog/stories-rss.xml" // tech // weekly)
     # (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
-    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)  # Matt Levine
+    # (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)  # Matt Levine (preview/paywalled)
     (mkText "https://www.stratechery.com/rss" // pol // weekly)  # Ben Thompson
   ];
 
@@ -219,6 +222,7 @@ let
   ];
 
   images = [
+    (fromDb "catandgirl.com" // img // humor)
     (fromDb "miniature-calendar.com" // img // art // daily)
     (fromDb "pbfcomics.com" // img // humor)
     (fromDb "poorlydrawnlines.com/feed" // img // humor)

hosts/common/fs.nix

@@ -1,5 +1,6 @@
 # docs
 # - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
+# - fuse options: `man mount.fuse`
 
 { lib, pkgs, sane-lib, ... }:
 
@@ -8,13 +9,22 @@ let
     common = [
       "_netdev"
       "noatime"
-      "user"  # allow any user with access to the device to mount the fs
+      # user: allow any user with access to the device to mount the fs.
+      #       note that this requires a suid `mount` binary; see: <https://zameermanji.com/blog/2022/8/5/using-fuse-without-root-on-linux/>
+      "user"
       "x-systemd.requires=network-online.target"
       "x-systemd.after=network-online.target"
       "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
     ];
-    auto = [ "x-systemd.automount" ];
+    # x-systemd.automount: mount the fs automatically *on first access*.
-    noauto = [ "noauto" ];  # don't mount as part of remote-fs.target
+    # creates a `path-to-mount.automount` systemd unit.
+    automount = [ "x-systemd.automount" ];
+    # noauto: don't mount as part of remote-fs.target.
+    # N.B.: `remote-fs.target` is a dependency of multi-user.target, itself of graphical.target.
+    # hence, omitting `noauto` can slow down boots.
+    noauto = [ "noauto" ];
+    # lazyMount: defer mounting until first access from userspace
+    lazyMount = noauto ++ automount;
     wg = [
       "x-systemd.requires=wireguard-wg-home.service"
       "x-systemd.after=wireguard-wg-home.service"
@@ -22,19 +32,34 @@ let
 
     ssh = common ++ [
       "identityfile=/home/colin/.ssh/id_ed25519"
-      "allow_other"
+      "allow_other"  # allow users other than the one who mounts it to access it. needed, if systemd is the one mounting this fs (as root)
+      # allow_root: allow root to access files on this fs (if mounted by non-root, else it can always access them).
+      #             N.B.: if both allow_root and allow_other are specified, then only allow_root takes effect.
+      # "allow_root"
+      # default_permissions: enforce local permissions check. CRUCIAL if using `allow_other`.
+      # w/o this, permissions mode of sshfs is like:
+      # - sshfs runs all remote commands as the remote user.
+      # - if a local user has local permissions to the sshfs mount, then their file ops are sent blindly across the tunnel.
+      # - `allow_other` allows *any* local user to access the mount, and hence any local user can now freely become the remote mapped user.
+      # with default_permissions, sshfs doesn't tunnel file ops from users until checking that said user could perform said op on an equivalent local fs.
       "default_permissions"
     ];
     sshColin = ssh ++ [
+      # follow_symlinks: remote files which are symlinks are presented to the local system as ordinary files (as the target of the symlink).
+      #                  if the symlink target does not exist, the presentation is unspecified.
+      #                  symlinks which point outside the mount ARE followed. so this is more capable than `transform_symlinks`
+      "follow_symlinks"
+      # symlinks on the remote fs which are absolute paths are presented to the local system as relative symlinks pointing to the expected data on the remote fs.
+      # only symlinks which would point inside the mountpoint are translated.
       "transform_symlinks"
       "idmap=user"
       "uid=1000"
       "gid=100"
     ];
-    sshRoot = ssh ++ [
+    # sshRoot = ssh ++ [
-      # we don't transform_symlinks because that breaks the validity of remote /nix stores
+    #   # we don't transform_symlinks because that breaks the validity of remote /nix stores
-      "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
+    #   "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
-    ];
+    # ];
     # in the event of hunt NFS mounts, consider:
     # - <https://unix.stackexchange.com/questions/31979/stop-broken-nfs-mounts-from-locking-a-directory>
 
@@ -57,13 +82,17 @@ let
     ];
   };
   remoteHome = host: {
-    fileSystems."/mnt/${host}-home" = {
+    fileSystems."/mnt/${host}/home" = {
       device = "colin@${host}:/home/colin";
       fsType = "fuse.sshfs";
-      options = fsOpts.sshColin ++ fsOpts.noauto;
+      options = fsOpts.sshColin ++ fsOpts.lazyMount;
       noCheck = true;
     };
-    sane.fs."/mnt/${host}-home" = sane-lib.fs.wantedDir;
+    sane.fs."/mnt/${host}/home" = sane-lib.fs.wanted {
+      dir.acl.user = "colin";
+      dir.acl.group = "users";
+      dir.acl.mode = "0700";
+    };
   };
 in
 lib.mkMerge [
@@ -103,34 +132,38 @@ lib.mkMerge [
     #   device = "servo-hn:/";
     #   noCheck = true;
     #   fsType = "nfs";
-    #   options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+    #   options = fsOpts.nfs ++ fsOpts.automount ++ fsOpts.wg;
     # };
-    fileSystems."/mnt/servo-nfs/media" = {
+    fileSystems."/mnt/servo/media" = {
       device = "servo-hn:/media";
       noCheck = true;
       fsType = "nfs";
-      options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+      options = fsOpts.nfs ++ fsOpts.lazyMount ++ fsOpts.wg;
     };
-    fileSystems."/mnt/servo-nfs/playground" = {
+    sane.fs."/mnt/servo/media" = sane-lib.fs.wanted {
+      dir.acl.user = "colin";
+      dir.acl.group = "users";
+      dir.acl.mode = "0750";
+    };
+    fileSystems."/mnt/servo/playground" = {
       device = "servo-hn:/playground";
       noCheck = true;
       fsType = "nfs";
-      options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+      options = fsOpts.nfs ++ fsOpts.lazyMount ++ fsOpts.wg;
+    };
+    sane.fs."/mnt/servo/playground" = sane-lib.fs.wanted {
+      dir.acl.user = "colin";
+      dir.acl.group = "users";
+      dir.acl.mode = "0750";
     };
-    # fileSystems."/mnt/servo-media-nfs" = {
-    #   device = "servo-hn:/media";
-    #   noCheck = true;
-    #   fsType = "nfs";
-    #   options = fsOpts.common ++ fsOpts.auto;
-    # };
-    sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
 
-    environment.pathsToLink = [
+    # environment.pathsToLink = [
-      # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
+    #   # needed to achieve superuser access for user-mounted filesystems (see sshRoot above)
-      # we can only link whole directories here, even though we're only interested in pkgs.openssh
+    #   # we can only link whole directories here, even though we're only interested in pkgs.openssh
-      "/libexec"
+    #   "/libexec"
-    ];
+    # ];
 
+    programs.fuse.userAllowOther = true;  #< necessary for `allow_other` or `allow_root` options.
     environment.systemPackages = [
       pkgs.sshfs-fuse
     ];

hosts/common/hardware/default.nix

@@ -28,6 +28,13 @@
   #   "systemd.log_level=debug"
   #   "systemd.log_target=console"
 
+  # moby has to run recent kernels (defined elsewhere).
+  # meanwhile, kernel variation plays some minor role in things like sandboxing (landlock) and capabilities.
+  # simpler to keep near the latest kernel on all devices,
+  # and also makes certain that any weird system-level bugs i see aren't likely to be stale kernel bugs.
+  # servo needs zfs though, which doesn't support every kernel.
+  boot.kernelPackages = lib.mkDefault pkgs.zfs.latestCompatibleLinuxPackages;
+
   # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
   boot.initrd.preFailCommands = "allowShell=1";
 

hosts/common/home/default.nix

@@ -1,7 +1,7 @@
 { ... }:
 {
   imports = [
-    ./keyring
+    ./fs.nix
     ./mime.nix
     ./ssh.nix
     ./xdg-dirs.nix

hosts/common/home/fs.nix

@@ -0,0 +1,42 @@
+{ config, ... }:
+{
+  sane.user.persist.byStore.plaintext = [
+    "archive"
+    "dev"
+    # TODO: records should be private
+    "records"
+    "ref"
+    "tmp"
+    "use"
+    "Books/local"
+    "Music"
+    "Pictures/albums"
+    "Pictures/cat"
+    "Pictures/from"
+    "Pictures/Screenshots"  #< XXX: something is case-sensitive about this?
+    "Pictures/Photos"
+    "Videos/local"
+
+    # these are persisted simply to save on RAM.
+    # ~/.cache/nix can become several GB.
+    # mesa_shader_cache is < 10 MB.
+    # TODO: integrate with sane.programs.sandbox?
+    ".cache/mesa_shader_cache"
+    ".cache/nix"
+  ];
+  sane.user.persist.byStore.private = [
+    "knowledge"
+  ];
+
+  # convenience
+  sane.user.fs.".persist/private".symlink.target = config.sane.persist.stores.private.origin;
+  sane.user.fs.".persist/plaintext".symlink.target = config.sane.persist.stores.plaintext.origin;
+  sane.user.fs.".persist/ephemeral".symlink.target = config.sane.persist.stores.cryptClearOnBoot.origin;
+
+  sane.user.fs."nixos".symlink.target = "dev/nixos";
+
+  sane.user.fs."Books/servo".symlink.target = "/mnt/servo/media/Books";
+  sane.user.fs."Videos/servo".symlink.target = "/mnt/servo/media/Videos";
+  # sane.user.fs."Music/servo".symlink.target = "/mnt/servo/media/Music";
+  sane.user.fs."Pictures/servo-macros".symlink.target = "/mnt/servo/media/Pictures/macros";
+}

hosts/common/home/keyring/default.nix

@@ -1,17 +0,0 @@
-{ config, pkgs, sane-lib, ... }:
-
-let
-  init-keyring = pkgs.static-nix-shell.mkBash {
-    pname = "init-keyring";
-    src = ./.;
-  };
-in
-{
-  sane.user.persist.byStore.private = [ ".local/share/keyrings" ];
-
-  sane.user.fs."private/.local/share/keyrings/default" = {
-    generated.command = [ "${init-keyring}/bin/init-keyring" ];
-    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
-    wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
-  };
-}

hosts/common/home/keyring/init-keyring

@@ -1,21 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash
-# initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
-# this initializes it to be plaintext/unencrypted.
-
-ringdir=/home/colin/private/.local/share/keyrings
-if test -f "$ringdir/default"
-then
-  echo 'keyring already initialized: not doing anything'
-else
-  keyring="$ringdir/Default_keyring.keyring"
-
-  echo 'initializing default user keyring:' "$keyring.new"
-  echo '[keyring]' > "$keyring.new"
-  echo 'display-name=Default keyring' >> "$keyring.new"
-  echo 'lock-on-idle=false' >> "$keyring.new"
-  echo 'lock-after=false' >> "$keyring.new"
-  chown colin:users "$keyring.new"
-  # closest to an atomic update we can achieve
-  mv "$keyring.new" "$keyring" && echo -n "Default_keyring" > "$ringdir/default"
-fi

hosts/common/home/mime.nix

@@ -1,4 +1,5 @@
-{ config, lib, ...}:
+# TODO: move into modules/users.nix
+{ config, lib, pkgs, ...}:
 
 let
   # [ ProgramConfig ]
@@ -6,6 +7,9 @@ let
     (p: p.enabled)
     (builtins.attrValues config.sane.programs);
 
+  # [ ProgramConfig ]
+  enabledProgramsWithPackage = builtins.filter (p: p.package != null) enabledPrograms;
+
   # [ { "<mime-type>" = { prority, desktop } ]
   enabledWeightedMimes = builtins.map weightedMimes enabledPrograms;
 
@@ -21,23 +25,70 @@ let
 
   # [ { priority, desktop } ... ] -> Self
   sortOneMimeType = associations: builtins.sort
-    (l: r: assert l.priority != r.priority; l.priority < r.priority)
+    (l: r: lib.throwIf
+      (l.priority == r.priority)
+      "${l.desktop} and ${r.desktop} share a preferred mime type with identical priority ${builtins.toString l.priority} (and so the desired association is ambiguous)"
+      (l.priority < r.priority)
+    )
     associations;
   sortMimes = mimes: builtins.mapAttrs (_k: sortOneMimeType) mimes;
+  # { "<mime-type>"} = [ { priority, desktop } ... ]; } -> { "<mime-type>" = [ "<desktop>" ... ]; }
   removePriorities = mimes: builtins.mapAttrs
     (_k: associations: builtins.map (a: a.desktop) associations)
     mimes;
+  # { "<mime-type>" = [ "<desktop>" ... ]; } -> { "<mime-type>" = "<desktop1>;<desktop2>;..."; }
+  formatDesktopLists = mimes: builtins.mapAttrs
+    (_k: desktops: lib.concatStringsSep ";" desktops)
+    mimes;
+
+  mimeappsListPkg = pkgs.writeTextDir "share/applications/mimeapps.list" (
+    lib.generators.toINI { } {
+      "Default Applications" = formatDesktopLists (removePriorities (sortMimes (mergeMimes enabledWeightedMimes)));
+    }
+  );
+
+  localShareApplicationsPkg = (pkgs.symlinkJoin {
+    name = "user-local-share-applications";
+    paths = builtins.map
+      (p: "${p.package}")
+      (enabledProgramsWithPackage ++ [ { package=mimeappsListPkg; } ]);
+  }).overrideAttrs (orig: {
+    # like normal symlinkJoin, but don't error if the path doesn't exist
+    buildCommand = ''
+      mkdir -p $out/share/applications
+      for i in $(cat $pathsPath); do
+        if [ -e "$i/share/applications" ]; then
+          ${pkgs.buildPackages.xorg.lndir}/bin/lndir -silent $i/share/applications $out/share/applications
+        fi
+      done
+      runHook postBuild
+    '';
+    postBuild = ''
+      # rebuild `mimeinfo.cache`, used by file openers to show the list of *all* apps, not just the user's defaults.
+      ${pkgs.buildPackages.desktop-file-utils}/bin/update-desktop-database $out/share/applications
+    '';
+  });
+
 in
 {
   # the xdg mime type for a file can be found with:
   # - `xdg-mime query filetype path/to/thing.ext`
   # the default handler for a mime type can be found with:
   # - `xdg-mime query default <mimetype>`  (e.g. x-scheme-handler/http)
+  # the nix-configured handler can be found `nix-repl > :lf . > hostConfigs.desko.xdg.mime.defaultApplications`
+  #
+  # glib/gio is queried via glib.bin output:
+  # - `gio mime x-scheme-handler/https`
+  # - `gio open <path_or_url>`
+  # - `gio launch </path/to/app.desktop>`
   #
   # we can have single associations or a list of associations.
   # there's also options to *remove* [non-default] associations from specific apps
-  xdg.mime.enable = true;
+  # N.B.: don't use nixos' `xdg.mime` option becaue that caues `/share/applications` to be linked into the whole system,
-  xdg.mime.defaultApplications = removePriorities (sortMimes (mergeMimes enabledWeightedMimes));
+  # which limits what i can do around sandboxing. getting the default associations to live in ~/ makes it easier to expose
-
+  # the associations to apps selectively.
+  # xdg.mime.enable = true;
+  # xdg.mime.defaultApplications = removePriorities (sortMimes (mergeMimes enabledWeightedMimes));
 
+  sane.user.fs.".local/share/applications".symlink.target = "${localShareApplicationsPkg}/share/applications";
 }

hosts/common/hosts.nix

@@ -36,10 +36,4 @@
     wg-home.endpoint = "uninsane.org:51820";
     lan-ip = "10.78.79.51";
   };
-
-  sane.hosts.by-name."supercap" = {
-    ssh.authorized = false;
-    ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf/mqqkX45EWAcquV04MC3SUljTApdclH1gjI19F+PA";
-    lan-ip = "10.78.79.232";
-  };
 }

hosts/common/ids.nix

@@ -57,6 +57,8 @@
   sane.ids.bitcoind-mainnet.gid = 2418;
   sane.ids.clightning.uid = 2419;
   sane.ids.clightning.gid = 2419;
+  sane.ids.nix-serve.uid = 2420;
+  sane.ids.nix-serve.gid = 2420;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/net/default.nix

@@ -7,6 +7,24 @@
     ./upnp.nix
     ./vpn.nix
   ];
+
+  systemd.network.enable = true;
+  networking.useNetworkd = true;
+
+  # view refused/dropped packets with: `sudo journalctl -k`
+  # networking.firewall.logRefusedPackets = true;
+  # networking.firewall.logRefusedUnicastsOnly = false;
+  networking.firewall.logReversePathDrops = true;
+  # linux will drop inbound packets if it thinks a reply to that packet wouldn't exit via the same interface (rpfilter).
+  #   that heuristic fails for complicated VPN-style routing, especially with SNAT.
+  # networking.firewall.checkReversePath = false;  # or "loose" to keep it partially.
+  # networking.firewall.enable = false;  #< set false to debug
+
+  # this is needed to forward packets from the VPN to the host.
+  # this is required separately by servo and by any `sane-vpn` users,
+  # however Nix requires this be set centrally, in only one location (i.e. here)
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
   # the default backend is "wpa_supplicant".
   # wpa_supplicant reliably picks weak APs to connect to.
   # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>

hosts/common/net/dns.nix

@@ -1,15 +1,35 @@
-{ ... }:
+# things to consider when changing these parameters:
+# - temporary VPN access (`sane-vpn up ...`)
+# - servo `ovpns` namespace (it *relies* on /etc/resolv.conf mentioning 127.0.0.53)
+# - jails: `firejail --net=br-ovpnd-us --noprofile --dns=46.227.67.134 ping 1.1.1.1`
+#
+# components:
+# - /etc/nsswitch.conf:
+#   - glibc uses this to provide `getaddrinfo`, i.e. host -> ip address lookup
+#     call directly with `getent ahostsv4 www.google.com`
+#   - `nss` (a component of glibc) is modular: names mentioned in that file are `dlopen`'d (i think that's the mechanism)
+#     in NixOS, that means _they have to be on LDPATH_.
+#   - `nscd` is used by NixOS simply to proxy nss requests.
+#      here, /etc/nsswitch.conf consumers contact nscd via /var/run/nscd/socket.
+#      in this way, only `nscd` needs to have the nss modules on LDPATH.
+# - /etc/resolv.conf
+#   - contains the DNS servers for a system.
+#   - historically, NetworkManager would update this file as you switch networks.
+#   - modern implementations hardcodes `127.0.0.53` and then systemd-resolved proxies everything (and caches).
+#
+# namespacing:
+# - each namespace can use a different /etc/resolv.conf to specify different DNS servers (see `firejail --dns=...`)
+# - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so direct's the guest's DNS requests to the host's servers.
+#   - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether.
+{ lib, ... }:
 {
   # use systemd's stub resolver.
   # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
   # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
-  # in the ovnps namespace to use the provider's DNS resolvers.
+  # in servo's ovnps namespace to use the provider's DNS resolvers.
   # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # there also seems to be some cache somewhere that's shared between the two namespaces.
+  # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
-  # i think this is a libc thing. might need to leverage proper cgroups to _really_ kill it.
+  services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
-  # - getent ahostsv4 www.google.com
-  # - try fix: <https://serverfault.com/questions/765989/connect-to-3rd-party-vpn-server-but-dont-use-it-as-the-default-route/766290#766290>
-  services.resolved.enable = true;
   # without DNSSEC:
   # - dig matrix.org => works
   # - curl https://matrix.org => works
@@ -32,6 +52,16 @@
   # nsncd is the Name Service NON-Caching Daemon. it's a drop-in that doesn't cache;
   # this is OK on the host -- because systemd-resolved caches. it's probably sub-optimal
   # in the netns and we query upstream DNS more often than needed. hm.
-  # TODO: run a separate recursive resolver in each namespace.
+  # services.nscd.enableNsncd = true;
-  services.nscd.enableNsncd = true;
+
+  # disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf.
+  # - dns: glibc-bultin
+  # - files: glibc-builtin
+  # - myhostname: systemd
+  # - mymachines: systemd
+  # - resolve: systemd
+  # in practice, i see no difference with nscd disabled.
+  # disabling nscd VASTLY simplifies netns and process isolation. see explainer at top of file.
+  services.nscd.enable = false;
+  system.nssModules = lib.mkForce [];
 }

hosts/common/net/vpn.nix

@@ -1,89 +1,56 @@
-{ config, lib, pkgs, ... }:
-
 # to add a new OVPN VPN:
 # - generate a privkey `wg genkey`
 # - add this key to `sops secrets/universal.yaml`
-# - upload pubkey to OVPN.com
+# - upload pubkey to OVPN.com (`cat wg.priv | wg pubkey`)
 # - generate config @ OVPN.com
 # - copy the Address, PublicKey, Endpoint from OVPN's config
-# N.B.: maximum interface name in Linux is 15 characters.
+
+{ config, lib, pkgs, ... }:
 let
-  def-wg-vpn = name: { endpoint, publicKey, address, dns, privateKeyFile }: {
+  def-ovpn = name: { endpoint, publicKey, addrV4, id }: {
-    # networking.wg-quick.interfaces."${name}" = {
+    sane.vpn."ovpnd-${name}" = {
-    #   inherit address privateKeyFile dns;
+      inherit endpoint publicKey addrV4 id;
-    #   peers = [
-    #     {
-    #       allowedIPs = [
-    #         "0.0.0.0/0"
-    #         "::/0"
-    #       ];
-    #       inherit endpoint publicKey;
-    #     }
-    #   ];
-    #   # to start: `systemctl start wg-quick-${name}`
-    #   autostart = false;
-    # };
-    systemd.network.netdevs."${name}" = {
-      # see: `man 5 systemd.netdev`
-      wireguardConfig = {
-        PrivateKeyFile = privateKeyFile;
-      };
-      wireguardPeers = [{
-        AllowedIPs = [
-          "0.0.0.0/0"
-          "::/0"
-        ];
-        Endpoint = endpoint;
-        PublicKey = publicKey;
-      }];
-    };
-    systemd.network.networks."${name}" = {
-      # see: `man 5 systemd.network`
-      matchConfig.Name = name;
-      networkConfig.Address = address;
-      networkConfig.DNS = dns;
-    };
-  };
-  def-ovpn = name: { endpoint, publicKey, address }: def-wg-vpn "ovpnd-${name}" {
-    inherit endpoint publicKey address;
       privateKeyFile = config.sops.secrets."wg/ovpnd_${name}_privkey".path;
       dns = [
         "46.227.67.134"
         "192.165.9.158"
       ];
     };
+
+    sops.secrets."wg/ovpnd_${name}_privkey" = {
+      # needs to be readable by systemd-network or else it says "Ignoring network device" and doesn't expose it to networkctl.
+      owner = "systemd-network";
+    };
+  };
 in lib.mkMerge [
   (def-ovpn "us" {
     endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
     publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
-    address = [
+    id = 1;
-      "172.27.237.218/32"
+    addrV4 = "172.27.237.218";
-      "fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
+    # addrV6 = "fd00:0000:1337:cafe:1111:1111:ab00:4c8f";
-    ];
-  })
-  # NB: us-* share the same wg key and link-local addrs, but distinct public addresses
-  (def-ovpn "us-atl" {
-    endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
-    publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
-    address = [
-      "172.21.182.178/32"
-      "fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
-    ];
   })
+  # TODO: us-atl disabled until i can give it a different link-local address and wireguard key than us-mi
+  # (def-ovpn "us-atl" {
+  #   endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
+  #   publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
+  #   address = [
+  #     "172.21.182.178/32"
+  #     "fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
+  #   ];
+  # })
   (def-ovpn "us-mi" {
     endpoint = "vpn34.prd.miami.ovpn.com:9929";
     publicKey = "VtJz2irbu8mdkIQvzlsYhU+k9d55or9mx4A2a14t0V0=";
-    address = [
+    id = 2;
-      "172.21.182.178/32"
+    addrV4 = "172.21.182.178";
-      "fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
+    # addrV6 = "fd00:0000:1337:cafe:1111:1111:cfcb:27e3";
-    ];
   })
   (def-ovpn "ukr" {
     endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
     publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
-    address = [
+    id = 3;
-      "172.18.180.159/32"
+    addrV4 = "172.18.180.159";
-      "fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
+    # addrV6 = "fd00:0000:1337:cafe:1111:1111:ec5c:add3";
-    ];
   })
 ]

hosts/common/nix-path/default.nix

@@ -1,16 +0,0 @@
-{ pkgs, sane-lib, ... }:
-
-{
-  # allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages
-  nix.nixPath = [
-    "nixpkgs=${pkgs.path}"
-    # note the import starts at repo root: this allows `./overlay/default.nix` to access the stuff at the root
-    # "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
-    # as long as my system itself doesn't rely on NIXPKGS at runtime, we can point the overlays to git
-    # to avoid switching so much during development
-    "nixpkgs-overlays=/home/colin/dev/nixos/hosts/common/nix-path/overlay"
-  ];
-
-  # ensure new deployments have a source of this repo with which they can bootstrap.
-  environment.etc."nixos".source = ../../..;
-}

hosts/common/nix/default.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+{
+  nix.settings = {
+    # see: `man nix.conf`
+
+    # useful when a remote builder has a faster internet connection than me.
+    # note that this also applies to `nix copy --to`, though.
+    # i think any time a remote machine wants a path, this means we ask them to try getting it themselves before we supply it.
+    builders-use-substitutes = true;  # default: false
+
+    # maximum seconds to wait when connecting to binary substituter
+    connect-timeout = 3;  # default: 0
+
+    # download-attempts = 5;  # default: 5
+
+    # allow `nix flake ...` command
+    experimental-features = [ "nix-command" "flakes "];
+
+    # whether to build from source when binary substitution fails
+    fallback = true;  # default: false
+
+    # whether to keep building dependencies if any other one fails
+    keep-going = true;  # default: false
+
+    # whether to keep build-only dependencies of GC roots (e.g. C compiler) when doing GC
+    keep-outputs = true;  # default: false
+
+    # how many lines to show from failed build
+    log-lines = 30;  # default: 10
+
+    # how many substitution downloads to perform in parallel.
+    # i wonder if parallelism is causing moby's substitutions to fail?
+    max-substitution-jobs = 6;  # default: 16
+
+    # narinfo-cache-negative-ttl = 3600  # default: 3600
+    # whether to use ~/.local/state/nix/profile instead of ~/.nix-profile, etc
+    use-xdg-base-directories = true;  # default: false
+
+    # whether to warn if repository has uncommited changes
+    warn-dirty = false;  # default: true
+
+    # hardlinks identical files in the nix store to save 25-35% disk space.
+    # unclear _when_ this occurs. it's not a service.
+    # does the daemon continually scan the nix store?
+    # does the builder use some content-addressed db to efficiently dedupe?
+    auto-optimise-store = true;
+
+    # allow #!nix-shell scripts to locate my patched nixpkgs & custom packages.
+    # this line might become unnecessary: see <https://github.com/NixOS/nixpkgs/pull/273170>
+    nix-path = config.nix.nixPath;
+  };
+
+  # allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages.
+  # this is actually a no-op, and the real action happens in assigning `nix.settings.nix-path`.
+  nix.nixPath = [
+    "nixpkgs=${pkgs.path}"
+    # note the import starts at repo root: this allows `./overlay/default.nix` to access the stuff at the root
+    # "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
+    # as long as my system itself doesn't rely on NIXPKGS at runtime, we can point the overlays to git
+    # to avoid switching so much during development
+    "nixpkgs-overlays=/home/colin/dev/nixos/hosts/common/nix/overlay"
+  ];
+
+  # ensure new deployments have a source of this repo with which they can bootstrap.
+  environment.etc."nixos".source = ../../..;
+
+  systemd.services.nix-daemon.serviceConfig = {
+    # the nix-daemon manages nix builders
+    # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
+    # see:
+    # - nixos PR that enabled systemd-oomd: <https://github.com/NixOS/nixpkgs/pull/169613>
+    # - systemd's docs on these properties: <https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill>
+    #
+    # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
+    # see `man oomd.conf` for further tunables that may help.
+    #
+    # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
+    # TODO: also apply this to the guest user's slice (user-1100.slice)
+    # TODO: also apply this to distccd
+    ManagedOOMMemoryPressure = "kill";
+    ManagedOOMSwap = "kill";
+  };
+}

hosts/common/persist.nix

@@ -1,13 +1,14 @@
 { ... }:
 
 {
-  sane.persist.stores.private.origin = "/home/colin/private";
+  # store /home/colin/a/b in /mnt/persist/private/a/b instead of /mnt/persist/private/home/colin/a/b
-  # store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
   sane.persist.stores.private.prefix = "/home/colin";
 
+  sane.persist.sys.byStore.initrd = [
+    "/var/log"
+  ];
   sane.persist.sys.byStore.plaintext = [
     # TODO: these should be private.. somehow
-    "/var/log"
     "/var/backup"  # for e.g. postgres dumps
   ];
   sane.persist.sys.byStore.cryptClearOnBoot = [

hosts/common/polyunfill.nix

@@ -0,0 +1,45 @@
+# strictly *decrease* the scope of the default nixos installation/config
+
+{ lib, ... }:
+{
+  # disable non-required packages like nano, perl, rsync, strace
+  environment.defaultPackages = [];
+
+  # remove all the non-existent default directories from XDG_DATA_DIRS, XDG_CONFIG_DIRS to simplify debugging.
+  # this is defaulted in <repo:nixos/nixpkgs:nixos/modules/programs/environment.nix>,
+  # without being gated by any higher config.
+  environment.profiles = lib.mkForce [
+    "/etc/profiles/per-user/$USER"
+    "/run/current-system/sw"
+  ];
+
+  # NIXPKGS_CONFIG defaults to "/etc/nix/nixpkgs-config.nix", for idfk why.
+  # that's never existed on my system and everything does fine without it set empty (no nixpkgs API to forcibly *unset* it).
+  environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
+  # XDG_CONFIG_DIRS defaults to "/etc/xdg", which doesn't exist.
+  # in practice, pam appends the values i want to XDG_CONFIG_DIRS, though this approach causes an extra leading `:`
+  environment.sessionVariables.XDG_CONFIG_DIRS = lib.mkForce [];
+  # XCURSOR_PATH: defaults to `[ "$HOME/.icons" "$HOME/.local/share/icons" ]`, neither of which i use, just adding noise.
+  # see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/icons.nix>
+  environment.sessionVariables.XCURSOR_PATH = lib.mkForce [];
+
+  # disable nixos' portal module, otherwise /share/applications gets linked into the system and complicates things (sandboxing).
+  # instead, i manage portals myself via the sane.programs API (e.g. sane.programs.xdg-desktop-portal).
+  xdg.portal.enable = false;
+  xdg.menus.enable = false;  #< links /share/applications, and a bunch of other empty (i.e. unused) dirs
+
+  # xdg.autostart.enable defaults to true, and links /etc/xdg/autostart into the environment, populated with .desktop files.
+  # see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/autostart.nix>
+  # .desktop files are a questionable way to autostart things: i generally prefer a service manager for that.
+  xdg.autostart.enable = false;
+
+  # nix.channel.enable: populates `/nix/var/nix/profiles/per-user/root/channels`, `/root/.nix-channels`, `$HOME/.nix-defexpr/channels`
+  #   <repo:nixos/nixpkgs:nixos/modules/config/nix-channel.nix>
+  # TODO: may want to recreate NIX_PATH, nix.settings.nix-path
+  nix.channel.enable = false;
+
+  # environment.stub-ld: populate /lib/ld-linux.so with an object that unconditionally errors on launch,
+  # so as to inform when trying to run a non-nixos binary?
+  # IMO that's confusing: i thought /lib/ld-linux.so was some file actually required by nix.
+  environment.stub-ld.enable = false;
+}

hosts/common/programs/abaddon.nix

@@ -15,7 +15,7 @@ in
       };
     };
 
-    package = pkgs.abaddon.overrideAttrs (upstream: {
+    packageUnwrapped = pkgs.abaddon.overrideAttrs (upstream: {
       patches = (upstream.patches or []) ++ [
         (pkgs.fetchpatch {
           url = "https://git.uninsane.org/colin/abaddon/commit/eb551f188d34679f75adcbc83cb8d5beb4d19fd6.patch";
@@ -87,7 +87,7 @@ in
 
     services.abaddon = {
       description = "unofficial Discord chat client";
-      wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ];
+      wantedBy = lib.mkIf cfg.config.autostart [ "graphical-session.target" ];
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/abaddon";
         Type = "simple";

hosts/common/programs/aerc.nix

@@ -3,6 +3,9 @@
 
 {
   sane.programs.aerc = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";
+    sandbox.net = "clearnet";
     secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
     mime.associations."x-scheme-handler/mailto" = "aerc.desktop";
   };

hosts/common/programs/alacritty.nix

@@ -6,6 +6,7 @@
 { lib, ... }:
 {
   sane.programs.alacritty = {
+    sandbox.enable = false;
     env.TERMINAL = lib.mkDefault "alacritty";
     fs.".config/alacritty/alacritty.toml".symlink.text = ''
       [font]

hosts/common/programs/animatch.nix

@@ -1,10 +1,42 @@
-{ ... }:
+# debug with:
+# - `animatch --debug`
+# - `gdb animatch`
+# try:
+# - `animatch --fullscreen`
+# - `animatch --windowed`
+# the other config options (e.g. verbose logging -- which doesn't seem to do anything) have to be configured via .ini file
+# ```ini
+# # ~/.config/Holy Pangolin/Animatch/SuperDerpy.ini
+# [SuperDerpy]
+# debug=1
+# disableTouch=1
+# [game]
+# verbose=1
+# ```
+{ pkgs, ... }:
 {
   sane.programs.animatch = {
+    packageUnwrapped = with pkgs; animatch.override {
+      # allegro has no native wayland support, and so by default crashes when run without Xwayland.
+      # enable the allegro SDL backend, and achieve Wayland support via SDL's Wayland support.
+      # TODO: see about upstreaming this to nixpkgs?
+      allegro5 = allegro5.overrideAttrs (upstream: {
+        buildInputs = upstream.buildInputs ++ [
+          SDL2
+        ];
+        cmakeFlags = upstream.cmakeFlags ++ [
+          "-DALLEGRO_SDL=on"
+        ];
+      });
+    };
+
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistWayland = true;
+
     persist.byStore.plaintext = [
-      # game progress
+      # ".config/Holy Pangolin/Animatch"  #< used for SuperDerpy config (e.g. debug, disableTouch, fullscreen, enable sound, etc). SuperDerpy.ini
-      ".config/Holy Pangolin/Animatch"
+      ".local/share/Holy Pangolin/Animatch"  #< used for game state (level clears). SuperDerpy.ini
-      ".local/share/Holy Pangolin/Animatch"  # i think this one might be wrong
     ];
   };
 }

hosts/common/programs/audacity.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
   sane.programs.audacity = {
-    package = pkgs.audacity.override {
+    packageUnwrapped = pkgs.audacity.override {
       # wxGTK32 uses webkitgtk-4.0.
       # audacity doesn't actually need webkit though, so diable to reduce closure
       wxGTK32 = pkgs.wxGTK32.override {
@@ -9,6 +9,19 @@
       };
     };
 
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistWayland = true;
+    sandbox.autodetectCliPaths = true;
+    sandbox.extraHomePaths = [
+      # support media imports via file->open dir to some common media directories
+      "tmp"
+      "Music"
+      # audacity needs the entire config dir mounted if running in a sandbox
+      ".config/audacity"
+    ];
+
     # disable first-run splash screen
     fs.".config/audacity/audacity.cfg".file.text = ''
       PrefsVersion=1.1.1r1

hosts/common/programs/bemenu.nix

@@ -87,7 +87,14 @@ let
 in
 {
   sane.programs.bemenu = {
-    package = pkgs.bemenu.overrideAttrs (upstream: {
+    sandbox.method = "bwrap";  # landlock works, but requires *all* of /run/user/$ID to be granted.
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      ".cache/fontconfig"  #< else it complains, and is *way* slower
+    ];
+
+    packageUnwrapped = pkgs.bemenu.overrideAttrs (upstream: {
       nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
         pkgs.makeWrapper
       ];

hosts/common/programs/bonsai.nix

@@ -1,7 +1,7 @@
 # bonsai docs: <https://sr.ht/~stacyharper/bonsai/>
 { config, lib, pkgs, ... }:
 let
-  cfg = config.sane.gui.sxmo.bonsaid;
+  cfg = config.sane.programs.bonsai;
 
   delayType = with lib; types.submodule {
     options = {
@@ -88,74 +88,43 @@ let
         mergeOneOption loc defs
     ;
   };
-
-  # transitionType = with lib; types.submodule {
-  #   options = {
-  #     type = mkOption {
-  #       type = types.enum [ "delay" "event" "exec" ];
-  #     };
-  #     delay_duration = mkOption {
-  #       type = types.nullOr types.int;
-  #       default = null;
-  #       description = ''
-  #         used for "delay" types only.
-  #         nanoseconds until the event is finalized.
-  #       '';
-  #     };
-  #     event_name = mkOption {
-  #       type = types.nullOr types.str;
-  #       default = null;
-  #       description = ''
-  #         name of event which this transition applies to.
-  #       '';
-  #     };
-  #     transitions = mkOption {
-  #       type = types.nullOr (types.listOf transitionType);
-  #       default = null;
-  #       description = ''
-  #         list of transitions out of this state.
-  #       '';
-  #     };
-  #     command = mkOption {
-  #       type = types.nullOr (types.listOf types.str);
-  #       default = null;
-  #       description = ''
-  #         used for "exec" types only.
-  #         command to run when the event is triggered.
-  #       '';
-  #     };
-  #   };
-  # };
 in
 {
-  options = with lib; {
+  sane.programs.bonsai = {
-    sane.gui.sxmo.bonsaid.package = mkOption {
+    configOption = with lib; mkOption {
-      type = types.package;
+      default = {};
-      default = pkgs.bonsai;
+      type = types.submodule {
-    };
+        options = {
-    sane.gui.sxmo.bonsaid.transitions = mkOption {
+          transitions = mkOption {
             type = types.listOf transitionType;
             default = [];
           };
-    sane.gui.sxmo.bonsaid.configFile = mkOption {
+          configFile = mkOption {
             type = types.path;
-      default = pkgs.writeText "bonsai_tree.json" (builtins.toJSON cfg.transitions);
+            default = pkgs.writeText "bonsai_tree.json" (builtins.toJSON cfg.config.transitions);
             description = ''
               configuration file to pass to bonsai.
               usually auto-generated from the sibling options; exposed mainly for debugging or convenience.
             '';
           };
         };
-  config = lib.mkIf config.sane.gui.sxmo.enable {
+      };
-    sane.user.services.bonsaid = {
+    };
-      description = "programmable input dispatcher";
+
+    services.bonsaid = {
+      description = "bonsai: programmable input dispatcher";
+      after = [ "graphical-session.target" ];
+      wantedBy = [ "graphical-session.target" ];
+
       script = ''
         ${pkgs.coreutils}/bin/rm -f $XDG_RUNTIME_DIR/bonsai
-        exec ${cfg.package}/bin/bonsaid -t ${cfg.configFile}
+        exec ${cfg.package}/bin/bonsaid -t ${cfg.config.configFile}
       '';
-      serviceConfig.Type = "simple";
+      serviceConfig = {
-      serviceConfig.Restart = "always";
+        Type = "simple";
-      serviceConfig.RestartSec = "5s";
+        Restart = "always";
+        RestartSec = "5s";
+      };
     };
   };
 }

hosts/common/programs/brave.nix

@@ -1,6 +1,17 @@
 { ... }:
 {
   sane.programs.brave = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";  # /opt/share/brave.com vendor-style packaging
+    sandbox.net = "all";
+    sandbox.extraHomePaths = [
+      "dev"  # for developing anything web-related
+      "tmp"
+    ];
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+
     persist.byStore.cryptClearOnBoot = [
       ".cache/BraveSoftware"
       ".config/BraveSoftware"

hosts/common/programs/bubblewrap.nix

@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+{
+  sane.programs.bubblewrap = {
+    sandbox.enable = false;  # don't sandbox the sandboxer :)
+    packageUnwrapped = pkgs.bubblewrap.overrideAttrs (base: {
+      # patches = (base.patches or []) ++ [
+      #   (pkgs.fetchpatch {
+      #     url = "https://git.uninsane.org/colin/bubblewrap/commit/9843f9b2b5f086563fd37250658d69350a2939be.patch";
+      #     name = "enable debug logging and add a bunch more tracing";
+      #     hash = "sha256-AlDsqddaBahhqGibZlCjgmChuK7mmxDt0aYHNgY05OI=";
+      #   })
+      # ];
+      postPatch = (base.postPatch or "") + ''
+        # bwrap doesn't like to be invoked with any capabilities, which is troublesome if i
+        # want to do things like ship CAP_NET_ADMIN,CAP_NET_RAW in the ambient set for tools like Wireshark.
+        # but this limitation of bwrap is artificial and at first look is just a scenario the author probably
+        # never expected: patch out the guard check.
+        #
+        # see: <https://github.com/containers/bubblewrap/issues/397>
+        #
+        # note that invoking bwrap with capabilities in the 'init' namespace does NOT grant the sandboxed process
+        # capabilities in the 'init' namespace. it's a limitation of namespaces that namespaced processes can
+        # never receive capabilities in their parent namespace.
+        substituteInPlace bubblewrap.c --replace \
+          'die ("Unexpected capabilities but not setuid, old file caps config?");' \
+          '// die ("Unexpected capabilities but not setuid, old file caps config?");'
+
+        # enable debug printing
+        # substituteInPlace utils.h --replace \
+        #   '#define __debug__(x)' \
+        #   '#define __debug__(x) printf x'
+      '';
+    });
+  };
+}

hosts/common/programs/calls.nix

@@ -44,7 +44,7 @@ in
     services.gnome-calls = {
       # TODO: prevent gnome-calls from daemonizing when started manually
       description = "gnome-calls daemon to monitor incoming SIP calls";
-      wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ];
+      wantedBy = lib.mkIf cfg.config.autostart [ "graphical-session.target" ];
       serviceConfig = {
         # add --verbose for more debugging
         ExecStart = "${cfg.package}/bin/gnome-calls --daemon";

hosts/common/programs/chatty.nix

@@ -1,8 +1,8 @@
 { pkgs, ... }:
 {
   sane.programs.chatty = {
-    # package = chattyNoOauth;
+    # packageUnwrapped = chattyNoOauth;
-    package = pkgs.chatty-latest;
+    packageUnwrapped = pkgs.chatty-latest;
     suggestedPrograms = [ "gnome-keyring" ];
     persist.byStore.private = [
       ".local/share/chatty"  # matrix avatars and files

hosts/common/programs/conky/default.nix

@@ -1,11 +1,22 @@
 { config, pkgs, ... }:
 {
   sane.programs.conky = {
+    # TODO: non-sandboxed `conky` still ships via `sxmo-utils`, but unused
+    sandbox.method = "bwrap";
+    sandbox.net = "clearnet";  #< for the scripts it calls (weather)
+    sandbox.extraPaths = [
+      "/sys/class/power_supply"
+      "/sys/devices"  # needed by battery_estimate
+      # "/sys/devices/cpu"
+      # "/sys/devices/system"
+    ];
+    sandbox.whitelistWayland = true;
+
     fs.".config/conky/conky.conf".symlink.target =
       let
         battery_estimate = pkgs.static-nix-shell.mkBash {
           pname = "battery_estimate";
-          src = ./.;
+          srcRoot = ./.;
         };
       in pkgs.substituteAll {
         src = ./conky.conf;
@@ -15,20 +26,14 @@
 
     services.conky = {
       description = "conky dynamic desktop background";
-      wantedBy = [ "default.target" ];
+      after = [ "graphical-session.target" ];
-      # XXX: should be part of graphical-session.target, but whatever mix of greetd/sway
+      # partOf = [ "graphical-session.target" ];  # propagate stop/restart signal from graphical-session to this unit
-      # i'm using means that target's never reached...
+      wantedBy = [ "graphical-session.target" ];
-      # wantedBy = [ "graphical-session.target" ];
-      # partOf = [ "graphical-session.target" ];
 
       serviceConfig.ExecStart = "${config.sane.programs.conky.package}/bin/conky";
       serviceConfig.Type = "simple";
       serviceConfig.Restart = "on-failure";
       serviceConfig.RestartSec = "10s";
-      # serviceConfig.Slice = "session.slice";
-
-      # don't start conky until after sway
-      preStart = ''test -n "$SWAYSOCK"'';
     };
   };
 }

hosts/common/programs/cozy.nix

@@ -2,6 +2,16 @@
 
 {
   sane.programs.cozy = {
+    sandbox.method = "bwrap";  # landlock gives: _multiprocessing.SemLock: Permission Denied
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Books/local"
+      "Books/servo"
+    ];
+
     # cozy uses a sqlite db for its config and exposes no CLI options other than --help and --debug
     persist.byStore.plaintext = [
       ".local/share/cozy"  # sqlite db (config & index?)

hosts/common/programs/dconf.nix

@@ -0,0 +1,33 @@
+# dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
+# this lets programs temporarily write user-level dconf settings (aka gsettings).
+# they're written to ~/.config/dconf/user, unless `DCONF_PROFILE` is set to something other than the default of /etc/dconf/profile/user
+# find keys/values with `dconf dump /`
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.sane.programs.dconf;
+in
+{
+  sane.programs.dconf = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    persist.byStore.private = [
+      ".config/dconf"
+    ];
+  };
+
+  programs.dconf = lib.mkIf cfg.enabled {
+    # note that `programs.dconf` doesn't allow specifying the dconf package.
+    enable = true;
+    packages = [
+      (pkgs.writeTextFile {
+        name = "dconf-user-profile";
+        destination = "/etc/dconf/profile/user";
+        text = ''
+          user-db:user
+          system-db:site
+        '';
+      })
+    ];
+  };
+}

hosts/common/programs/default.nix

@@ -9,13 +9,16 @@
     ./assorted.nix
     ./audacity.nix
     ./bemenu.nix
+    ./bonsai.nix
     ./brave.nix
+    ./bubblewrap.nix
     ./calls.nix
     ./cantata.nix
     ./catt.nix
     ./chatty.nix
     ./conky
     ./cozy.nix
+    ./dconf.nix
     ./dialect.nix
     ./dino.nix
     ./element-desktop.nix
@@ -23,30 +26,38 @@
     ./evince.nix
     ./feedbackd.nix
     ./firefox.nix
+    ./firejail.nix
     ./flare-signal.nix
     ./fontconfig.nix
     ./fractal.nix
+    ./frozen-bubble.nix
     ./fwupd.nix
     ./g4music.nix
     ./gajim.nix
+    ./gdbus.nix
     ./geary.nix
     ./git.nix
     ./gnome-feeds.nix
-    ./gnome-keyring.nix
+    ./gnome-keyring
+    ./gnome-maps.nix
     ./gnome-weather.nix
     ./go2tv.nix
     ./gpodder.nix
+    ./grimshot.nix
     ./gthumb.nix
     ./gtkcord4.nix
+    ./handbrake.nix
     ./helix.nix
     ./imagemagick.nix
     ./jellyfin-media-player.nix
+    ./kdenlive.nix
     ./komikku.nix
     ./koreader
     ./libreoffice.nix
     ./lemoa.nix
     ./loupe.nix
     ./mako.nix
+    ./megapixels.nix
     ./mepo.nix
     ./mimeo
     ./mopidy.nix
@@ -56,16 +67,21 @@
     ./neovim.nix
     ./newsflash.nix
     ./nheko.nix
+    ./nicotine-plus.nix
     ./nix-index.nix
     ./notejot.nix
     ./ntfy-sh.nix
     ./obsidian.nix
     ./offlineimap.nix
     ./open-in-mpv.nix
+    ./pipewire.nix
     ./planify.nix
+    ./portfolio-filemanager.nix
     ./playerctl.nix
     ./rhythmbox.nix
     ./ripgrep.nix
+    ./rofi
+    ./sane-scripts.nix
     ./sfeed.nix
     ./signal-desktop.nix
     ./splatmoji.nix
@@ -73,19 +89,30 @@
     ./spotify.nix
     ./steam.nix
     ./stepmania.nix
+    ./strings.nix
     ./sublime-music.nix
     ./supertuxkart.nix
+    ./sway
     ./sway-autoscaler
+    ./swaylock.nix
     ./swaynotificationcenter.nix
     ./tangram.nix
-    ./tor-browser-bundle-bin.nix
+    ./tor-browser.nix
     ./tuba.nix
+    ./unl0kr
     ./vlc.nix
+    ./waybar
+    ./waylock.nix
     ./wike.nix
     ./wine.nix
+    ./wireplumber.nix
     ./wireshark.nix
-    ./wob.nix
+    ./wob
     ./xarchiver.nix
+    ./xdg-desktop-portal.nix
+    ./xdg-desktop-portal-gtk.nix
+    ./xdg-desktop-portal-wlr.nix
+    ./xdg-utils.nix
     ./zeal.nix
     ./zecwallet-lite.nix
     ./zsh

hosts/common/programs/dialect.nix

@@ -1,7 +1,13 @@
 { pkgs, ... }:
 {
   sane.programs.dialect = {
-    package = pkgs.dialect.overrideAttrs (upstream: {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";  # share/search_providers/ calls back into the binary, weird wrap semantics
+    sandbox.whitelistWayland = true;
+    sandbox.net = "clearnet";
+    suggestedPrograms = [ "dconf" ];  #< to persist settings
+
+    packageUnwrapped = pkgs.dialect.overrideAttrs (upstream: {
       # TODO: send upstream
       # TODO: figure out how to get audio working
       # TODO: move to runtimeDependencies?

hosts/common/programs/dino.nix

@@ -45,11 +45,34 @@ in
       };
     };
 
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDri = true;  #< not strictly necessary, but we need all the perf we can get on moby
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+      "Videos/local"
+      "Videos/servo"
+      "tmp"
+    ];
+
     persist.byStore.private = [ ".local/share/dino" ];
 
     services.dino = {
       description = "dino XMPP client";
-      wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ];
+      after = [ "graphical-session.target" ];
+      # partOf = [ "graphical-session.target" ];
+      wantedBy = lib.mkIf cfg.config.autostart [ "graphical-session.target" ];
+
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/dino";
         Type = "simple";

hosts/common/programs/element-desktop.nix

@@ -7,14 +7,36 @@
 { pkgs, ... }:
 {
   sane.programs.element-desktop = {
-    package = pkgs.element-desktop.override {
+    packageUnwrapped = pkgs.element-desktop.override {
       # use pre-build electron because otherwise it takes 4 hrs to build from source.
       electron = pkgs.electron-bin;
     };
+    suggestedPrograms = [
+      "gnome-keyring"
+      "xwayland"
+    ];
+
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+      "Videos/local"
+      "Videos/servo"
+      "tmp"
+    ];
 
     # creds/session keys, etc
     persist.byStore.private = [ ".config/Element" ];
-
-    suggestedPrograms = [ "gnome-keyring" ];
   };
 }

hosts/common/programs/epiphany.nix

@@ -8,6 +8,19 @@
 { pkgs, ... }:
 {
   sane.programs.epiphany = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
+    sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
+    # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
+    # enabling DRI/DRM (as below) seems to fix that.
+    sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      ".config/epiphany"  #< else it gets angry at launch
+      "tmp"
+    ];
+
     # XXX(2023/07/08): running on moby without `WEBKIT_DISABLE_SANDBOX...` fails, with:
     # - `bwrap: Can't make symlink at /var/run: File exists`
     # this could be due to:
@@ -22,13 +35,14 @@
     #
     # TODO: consider `WEBKIT_USE_SINGLE_WEB_PROCESS=1` for better perf
     # - this runs all tabs in 1 process. which is fine, if i'm not a heavy multi-tabber
-    package = pkgs.epiphany.overrideAttrs (upstream: {
+    packageUnwrapped = pkgs.epiphany.overrideAttrs (upstream: {
       preFixup = ''
         gappsWrapperArgs+=(
           --set WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS "1"
         );
       '' + (upstream.preFixup or "");
     });
+    suggestedPrograms = [ "dconf" ];  #< for persisting e.g. "Set as Default Browser" prompt question
     persist.byStore.private = [
       ".cache/epiphany"
       ".local/share/epiphany"

hosts/common/programs/evince.nix

@@ -1,4 +1,10 @@
 { ... }:
 {
-  sane.programs.evince.mime.associations."application/pdf" = "org.gnome.Evince.desktop";
+  sane.programs.evince = {
+    sandbox.method = "bwrap";
+    sandbox.autodetectCliPaths = true;
+    sandbox.whitelistWayland = true;
+
+    mime.associations."application/pdf" = "org.gnome.Evince.desktop";
+  };
 }

hosts/common/programs/feedbackd.nix

@@ -7,7 +7,7 @@ let
 in
 {
   sane.programs.feedbackd = {
-    package = pkgs.rmDbusServices pkgs.feedbackd;
+    packageUnwrapped = pkgs.rmDbusServices pkgs.feedbackd;
 
     configOption = with lib; mkOption {
       type = types.submodule {
@@ -24,6 +24,11 @@ in
       default = {};
     };
 
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistAudio = true;
+
     # N.B.: feedbackd will load ~/.config/feedbackd/themes/default.json by default
     # - but using that would forbid `parent-theme = "default"`
     # the default theme ships support for these events:
@@ -92,7 +97,7 @@ in
 
     services.feedbackd = {
       description = "feedbackd audio/vibration/led controller";
-      wantedBy = [ "default.target" ];
+      wantedBy = [ "default.target" ];  #< should technically be `sound.target`, but that doesn't seem to get auto-started?
       serviceConfig = {
         ExecStart = "${cfg.package}/libexec/feedbackd";
         Type = "simple";

hosts/common/programs/firefox.nix

@@ -38,7 +38,7 @@ let
   # defaultSettings = firefoxSettings;
   defaultSettings = librewolfSettings;
 
-  package = (pkgs.wrapFirefox cfg.browser.browser {
+  packageUnwrapped = (pkgs.wrapFirefox cfg.browser.browser {
     # inherit the default librewolf.cfg
     # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
     inherit (cfg.browser) extraPrefsFiles libName;
@@ -107,12 +107,31 @@ let
   }).overrideAttrs (base: {
     # de-associate `ctrl+shift+c` from activating the devtools.
     # based on <https://stackoverflow.com/a/54260938>
+    # TODO: could use `zip -f` to only update the one changed file, instead of rezipping everything.
     buildCommand = (base.buildCommand or "") + ''
       mkdir omni
-      ${pkgs.buildPackages.unzip}/bin/unzip $out/lib/${cfg.browser.libName}/browser/omni.ja -d omni
+
+      echo "omni.ja BEFORE:"
+      ls -l $(readlink $out/lib/${cfg.browser.libName}/browser/omni.ja)
+
+      echo "unzipping omni.ja"
+      # N.B. `zip` exits non-zero even on successful extraction, if the file didn't 100% obey spec
+      ${pkgs.buildPackages.unzip}/bin/unzip $out/lib/${cfg.browser.libName}/browser/omni.ja -d omni || true
+
+      echo "removing old omni.ja"
       rm $out/lib/${cfg.browser.libName}/browser/omni.ja
+
+      echo "patching omni.ja"
       ${pkgs.buildPackages.gnused}/bin/sed -i s'/devtools-commandkey-inspector = C/devtools-commandkey-inspector = VK_F12/' omni/localization/en-US/devtools/startup/key-shortcuts.ftl
+
+      echo "re-zipping omni.ja"
       pushd omni; ${pkgs.buildPackages.zip}/bin/zip $out/lib/${cfg.browser.libName}/browser/omni.ja -r ./*; popd
+
+      echo "omni.ja AFTER:"
+      ls -l $out/lib/${cfg.browser.libName}/browser/omni.ja
+
+      # runHook postFixup to allow sane.programs sandbox wrappers to wrap the binaries
+      runHook postFixup
     '';
   });
 
@@ -189,6 +208,7 @@ in
           enable = lib.mkDefault config.services.i2p.enable;
         };
         open-in-mpv = {
+          # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
           package = pkgs.firefox-extensions.open-in-mpv;
           enable = lib.mkDefault config.sane.programs.open-in-mpv.enabled;
         };
@@ -212,7 +232,38 @@ in
     })
     ({
       sane.programs.firefox = {
-        inherit package;
+        inherit packageUnwrapped;
+        sandbox.method = "bwrap";  # landlock works, but requires all of /proc to be linked
+        sandbox.wrapperType = "inplace";  # probably wrappedDerivation could work too.
+        sandbox.net = "all";
+        sandbox.whitelistAudio = true;
+        sandbox.whitelistDbus = [ "user" ];  # mpris
+        sandbox.whitelistWayland = true;
+        sandbox.extraHomePaths = [
+          "dev"  # for developing anything web-related
+          # for uploads/downloads.
+          # it still needs these paths despite using the portal's file-chooser :?
+          "tmp"
+          "Pictures/albums"
+          "Pictures/cat"
+          "Pictures/from"
+          "Pictures/Photos"
+          "Pictures/Screenshots"
+          "Pictures/servo-macros"
+        ] ++ lib.optionals cfg.addons.browserpass-extension.enable [
+          # browserpass needs these paths:
+          # - knowledge/secrets/accounts: where the encrypted account secrets live
+          # at least one of:
+          # - .config/sops: for the sops key which can decrypt account secrets
+          # - .ssh: to unlock the sops key, if not unlocked (`sane-secrets-unlock`)
+          # TODO: find a way to not expose ~/.ssh to firefox
+          # - unlock sops at login (or before firefox launch)?
+          # - see if ssh has a more formal type of subkey system?
+          ".ssh/id_ed25519"
+          # ".config/sops"
+          "knowledge/secrets/accounts"
+        ];
+        fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {};  #< needs to be created, not *just* added to the sandbox
 
         suggestedPrograms = [
           "open-in-mpv"
@@ -267,7 +318,11 @@ in
           // source: <https://kparal.wordpress.com/2019/10/31/disabling-kinetic-scrolling-in-firefox/>
           defaultPref("apz.gtk.kinetic_scroll.enabled", false);
 
-          // auto-dispatch mpv:// URIs to xdg-open without prompting.
+          // open external URIs/files via xdg-desktop-portal.
+          defaultPref("widget.use-xdg-desktop-portal.mime-handler", 1);
+          defaultPref("widget.use-xdg-desktop-portal.open-uri", 1);
+
+          // auto-open mpv:// URIs without prompting.
           // can do this with other protocols too (e.g. matrix?). see about:config for common handlers.
           defaultPref("network.protocol-handler.external.mpv", true);
           // element:// for Element matrix client
@@ -275,7 +330,6 @@ in
           // matrix: for Nheko matrix client
           defaultPref("network.protocol-handler.external.matrix", true);
         '';
-        fs."${cfg.browser.dotDir}/default".dir = {};
         # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
         # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
         fs."${cfg.browser.dotDir}/profiles.ini".symlink.text = ''
@@ -288,24 +342,28 @@ in
           [General]
           StartWithLastProfile=1
         '';
-      };
+
-    })
+        # TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
-    (mkIf config.sane.programs.firefox.enabled {
+        env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
-      # TODO: move the persistence into the sane.programs API (above)
+        # alternative to PASSWORD_STORE_DIR, but firejail doesn't handle this symlink well
+        # fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";
+
         # flush the cache to disk to avoid it taking up too much tmp.
-      sane.user.persist.byPath."${cfg.browser.cacheDir}".store =
+        persist.byPath."${cfg.browser.cacheDir}".store =
           if (cfg.persistData != null) then
             cfg.persistData
           else
             "cryptClearOnBoot"
         ;
 
-      sane.user.persist.byPath."${cfg.browser.dotDir}/default".store =
+        persist.byPath."${cfg.browser.dotDir}/default".store =
           if (cfg.persistData != null) then
             cfg.persistData
           else
             "cryptClearOnBoot"
         ;
+      };
+
     })
   ];
 }

hosts/common/programs/firejail.nix

@@ -0,0 +1,8 @@
+{ lib, config, ... }:
+{
+  sane.programs.firejail = {};
+
+  programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
+    enable = true;  #< install the suid binary
+  };
+}

hosts/common/programs/flare-signal.nix

@@ -62,8 +62,8 @@
 { pkgs, ... }:
 {
   sane.programs.flare-signal = {
-    package = pkgs.flare-signal-nixified;
+    packageUnwrapped = pkgs.flare-signal-nixified;
-    # package = pkgs.flare-signal;
+    # packageUnwrapped = pkgs.flare-signal;
     persist.byStore.private = [
       # everything: conf, state, files, all opaque
       ".local/share/flare"

hosts/common/programs/fontconfig.nix

@@ -28,6 +28,17 @@ let
     wantedNerdfonts;
 in
 {
+  sane.programs.fontconfig = {
+    sandbox.method = "bwrap";  # TODO:sandbox: untested
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.autodetectCliPaths = "existingOrParent";  #< this might be overkill; or, how many programs reference fontconfig internally?
+
+    persist.byStore.plaintext = [
+      # < 10 MiB
+      ".cache/fontconfig"
+    ];
+  };
+
   fonts = lib.mkIf config.sane.programs.fontconfig.enabled {
     fontconfig.enable = true;
     fontconfig.defaultFonts = {

hosts/common/programs/fractal.nix

@@ -23,9 +23,30 @@ let
 in
 {
   sane.programs.fractal = {
-    package = pkgs.fractal-nixified.optimized;
+    packageUnwrapped = pkgs.fractal-nixified.optimized;
-    # package = pkgs.fractal-latest;
+    # packageUnwrapped = pkgs.fractal-latest;
-    # package = pkgs.fractal-next;
+    # packageUnwrapped = pkgs.fractal-next;
+
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDri = true;  # otherwise video playback buuuuurns CPU
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      # still needs these paths despite it using the portal's file-chooser :?
+      "Music"
+      "Pictures/albums"
+      "Pictures/cat"
+      "Pictures/from"
+      "Pictures/Photos"
+      "Pictures/Screenshots"
+      "Pictures/servo-macros"
+      "Videos/local"
+      "Videos/servo"
+      "tmp"
+    ];
 
     configOption = with lib; mkOption {
       default = {};
@@ -47,8 +68,11 @@ in
     suggestedPrograms = [ "gnome-keyring" ];
 
     services.fractal = {
-      description = "auto-start and maintain fractal Matrix connection";
+      description = "fractal Matrix client";
-      wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ];
+      after = [ "graphical-session.target" ];
+      # partOf = [ "graphical-session.target" ];
+      wantedBy = lib.mkIf cfg.config.autostart [ "graphical-session.target" ];
+
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/fractal";
         Type = "simple";

hosts/common/programs/frozen-bubble.nix

@@ -0,0 +1,23 @@
+# source code: <https://github.com/kthakore/frozen-bubble>
+{ pkgs, ... }:
+{
+  sane.programs.frozen-bubble = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.net = "clearnet";  # net play
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistWayland = true;
+
+    packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
+      # patch so it stores its dot-files not in root ~.
+      postPatch = (upstream.postPatch or "") + ''
+        substituteInPlace lib/Games/FrozenBubble/Stuff.pm \
+          --replace-fail '$FBHOME   = "$ENV{HOME}/.frozen-bubble"' '$FBHOME   = "$ENV{HOME}/.local/share/frozen-bubble"'
+      '';
+    });
+
+    persist.byStore.plaintext = [
+      ".local/share/frozen-bubble"  # preferences, high scores
+    ];
+  };
+}

hosts/common/programs/fwupd.nix

@@ -1,5 +1,6 @@
 { config, lib, ... }:
 {
+  sane.programs.fwupd = {};
   services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
     # enables the dbus service, which i think the frontend speaks to.
     enable = true;

hosts/common/programs/g4music.nix

@@ -8,6 +8,15 @@
 { ... }:
 {
   sane.programs.g4music = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+    ];
+
     persist.byStore.plaintext = [
       # index?
       ".cache/com.github.neithern.g4music"

hosts/common/programs/gdbus.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  sane.programs.gdbus = {
+    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
+
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access
+  };
+}
+

hosts/common/programs/geary.nix

@@ -19,6 +19,25 @@ in
       };
     };
 
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.net = "clearnet";
+    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistWayland = true;
+    sandbox.extraPaths = [
+      # geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
+      # TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.
+      "/sys/block"
+      "/sys/bus"
+      "/sys/class"
+      "/sys/dev"
+      "/sys/devices"
+      "/sys/fs"
+    ];
+    # if sandbox.method == "landlock", then these dirs must exist in the sandbox, even if empty.
+    # fs.".config/geary".dir = {};
+    # fs.".local/share/folks".dir = {};
+
     slowToBuild = true;  # uses webkitgtk 4.1
     persist.byStore.private = [
       # attachments, and email -- contained in a sqlite db
@@ -68,8 +87,11 @@ in
     secrets.".config/geary/account_02/geary.ini" = ../../../secrets/common/geary_account_02.ini.bin;
 
     services.geary = {
-      description = "Geary email client";
+      description = "geary email client";
-      wantedBy = lib.mkIf cfg.config.autostart [ "default.target" ];
+      after = [ "graphical-session.target" ];
+      # partOf = [ "graphical-session.target" ];
+      wantedBy = lib.mkIf cfg.config.autostart [ "graphical-session.target" ];
+
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/geary";
         Type = "simple";

hosts/common/programs/git.nix

@@ -6,7 +6,32 @@ let
   mkCfg = lib.generators.toINI { };
 in
 {
-  sane.programs.git.fs.".config/git/config".symlink.text = mkCfg {
+  sane.programs.git = {
+    packageUnwrapped = (pkgs.git.override {
+      # build without gitweb support, as that installs to share/git,
+      # which causes trouble trying to make the sandboxer
+      perlSupport = false;
+    }).overrideAttrs (upstream: {
+      postInstall = upstream.postInstall + ''
+        # git-jump is a symlink from bin/git-jump -> share/contrib/git-jump,
+        # which causes trouble trying to make the sandboxer
+        rm "$out/bin/git-jump"
+      '';
+    });
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.net = "clearnet";
+    sandbox.whitelistPwd = true;
+    sandbox.autodetectCliPaths = true;  # necessary for git-upload-pack
+    sandbox.extraHomePaths = [
+      # even with `whitelistPwd`, git has to crawl *up* the path -- which isn't necessarily in the sandbox -- to locate parent .git files
+      "dev"
+      "knowledge"
+      "nixos"
+      "ref"
+      ".ssh/id_ed25519"  # for ssh-auth'd remotes
+    ];
+    fs.".config/git/config".symlink.text = mkCfg {
       # top-level options documented:
       # - <https://git-scm.com/docs/git-config#_variables>
 
@@ -40,4 +65,5 @@ in
 
       stash.showPatch = true;
     };
+  };
 }

hosts/common/programs/gnome-keyring.nix

@@ -1,10 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  sane.programs.gnome-keyring = {
-    package = pkgs.gnome.gnome-keyring;
-  };
-  # adds gnome-keyring as a xdg-data-portal (xdg.portal)
-  services.gnome.gnome-keyring = lib.mkIf config.sane.programs.gnome-keyring.enabled {
-    enable = true;
-  };
-}

hosts/common/programs/gnome-keyring/default.nix

@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.gnome-keyring;
+in
+{
+  sane.programs.gnome-keyring = {
+    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistDbus = [ "user" ];
+    sandbox.extraRuntimePaths = [
+      "keyring/control"
+    ];
+    sandbox.capabilities = [
+      # ipc_lock: used to `mlock` the secrets so they don't get swapped out.
+      # this is optional, and systemd likely doesn't propagate it anyway
+      "ipc_lock"
+    ];
+
+    persist.byStore.private = [
+      # N.B.: BE CAREFUL WITH THIS.
+      # gnome-keyring-daemon likes to turn symlinks into dirs. i.e. if it detects that `~/.local/share/keyrings` is a symlink
+      # it WILL try to `unlink` it and recreate it as an empty directory.
+      # the only reason i can get away with a symlink here is because gkd is sandboxed... with ~/.local/share/keyrings as an explicit mountpoint instead of as a symlink.
+      # remove the sandbox, and this breaks.
+      ".local/share/keyrings"
+    ];
+
+    fs.".local/share/keyrings/default" = {
+      file.text = "Default_keyring.keyring";  #< no trailing newline
+      wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
+      wantedBeforeBy = [  #< don't create this as part of `multi-user.target`
+        "gnome-keyring.service"  # TODO: sane.programs should declare this dependency for us
+      ];
+    };
+    # N.B.: certain keyring names have special significance
+    # `login.keyring` is forcibly encrypted to the user's password, so that pam gnome-keyring can unlock it on login.
+    # - it does this re-encryption forcibly, any time it wants to write to the keyring.
+    fs.".local/share/keyrings/Default_keyring.keyring" = {
+      file.text = ''
+        [keyring]
+        display-name=Default keyring
+        lock-on-idle=false
+        lock-after=false
+      '';
+      wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
+      wantedBeforeBy = [  #< don't create this as part of `multi-user.target`
+        "gnome-keyring.service"
+      ];
+    };
+
+    services.gnome-keyring = {
+      description = "gnome-keyring-daemon: secret provider";
+      after = [ "graphical-session.target" ];
+      wantedBy = [ "graphical-session.target" ];
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/gnome-keyring-daemon --start --foreground --components=secrets";
+        Type = "simple";
+        Restart = "always";
+        RestartSec = "20s";
+      };
+    };
+  };
+}

hosts/common/programs/gnome-maps.nix

@@ -0,0 +1,20 @@
+{ ... }:
+{
+  sane.programs."gnome.gnome-maps" = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";  #< dbus files
+    sandbox.whitelistDri = true;  # for perf
+    sandbox.whitelistDbus = [
+      "system"  # system is required for non-portal location services
+      "user"  #< not sure if "user" is necessary?
+    ];
+    sandbox.whitelistWayland = true;
+    sandbox.net = "clearnet";
+    sandbox.usePortal = false;  # TODO: set up portal-based location services
+
+    persist.byStore.plaintext = [ ".cache/shumate" ];
+    persist.byStore.private = [
+      ({ path = ".local/share/maps-places.json"; type = "file"; })
+    ];
+  };
+}