persist: harden the "ephemeral" store mount environment

there's only so much this can actually achieve. it's still quite possible for someone who knows what they're doing to do large amounts of damage
gpodder-adaptive: track youtube-dl upstreaming
2024-08-01 22:40:55 +00:00 · 2024-08-01 20:02:47 +00:00 · 2024-08-01 19:59:23 +00:00 · 2024-08-01 19:53:05 +00:00 · 2024-08-01 19:52:22 +00:00 · 2024-08-01 18:58:39 +00:00
338 changed files with 12122 additions and 13149 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -5,17 +5,15 @@
 - when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/trust-dns/dhcp-configs doesn't get reset
  - `ip monitor` can detect those manual link state changes (NM-dispatcher it seems cannot)
  - or try dnsmasq?
- trust-dns: can't recursively resolve api.mangadex.org
+- trust-dns can't resolve `abs.twimg.com`
-  - and *sometimes* apple.com fails
+- trust-dns can't resolve `social.kernel.org`
 - sandbox: link cache means that if i update ~/.config/... files inline, sandboxed programs still see the old version
 - mpv: continues to play past the end of some audio files
 - mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed
 - mpv: no way to exit fullscreen video on moby
  - uosc hides controls on FS, and touch doesn't support unhiding
 - Signal restart loop drains battery
  - decrease s6 restart time?
 - `ssh` access doesn't grant same linux capabilities as login
- ringer (i.e. dino incoming call) doesn't prevent moby from sleeping
+- syshud (volume overlay): when casting with `blast`, syshud doesn't react to volume changes
 - sysvol (volume overlay): when casting with `blast`, sysvol doesn't react to volume changes
 - moby: kaslr is effectively disabled
  - `dmesg | grep "KASLR disabled due to lack of seed"`
  - fix by adding `kaslrseed` to uboot script before `booti`
@@ -32,6 +30,7 @@
 - consolidate ~/dev and ~/ref
  - ~/dev becomes a link to ~/ref/cat/mine
 - fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix
 - don't hardcode IP addresses so much in servo
 ### sops/secrets
 - rework secrets to leverage `sane.fs`
@@ -57,6 +56,10 @@
  - then i can tune the kernels for hardening, without duplicating that work 4 times
 - zfs: replace this with something which doesn't require a custom kernel build
 - mpv: add media looping controls (e.g. loop song, loop playlist)
 - curlftpfs: replace with something better
  - safer (rust? actively maintained? sandboxable?)
  - handles spaces/symbols in filenames
  - has better multi-stream perf (e.g. `sane-sync-music` should be able to copy N items in parallel)
 ### security/resilience
 - validate duplicity backups!
@@ -65,6 +68,9 @@
 - /mnt/desko/home, etc, shouldn't include secrets (~/private)
  - 95% of its use is for remote media access and stuff which isn't in VCS (~/records)
 - port all sane.programs to be sandboxed
  - sandbox `curlftpfs`
  - sandbox `nix`
  - sandbox `sshfs-fuse`
  - enforce that all `environment.packages` has a sandbox profile (or explicitly opts out)
  - revisit "non-sandboxable" apps and check that i'm not actually just missing mountpoints
    - LL_FS_RW=/ isn't enough -- need all mount points like `=/:/proc:/sys:...`.
@@ -73,26 +79,17 @@
  - lock down dbus calls within the sandbox
    - otherwise anyone can `systemd-run --user ...` to potentially escape a sandbox
    - <https://github.com/flatpak/xdg-dbus-proxy>
  - remove `.ssh` access from Firefox!
    - limit access to `~/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
  - port sanebox to a compiled language (hare?)
    - it adds like 50-70ms launch time _on my laptop_. i'd hate to know how much that is on the pinephone.
 - make dconf stuff less monolithic
  - i.e. per-app dconf profiles for those which need it. possible static config.
  - flatpak/spectrum has some stuff to proxy dconf per-app
 - canaries for important services
  - e.g. daily email checks; daily backup checks
  - integrate `nix check` into Gitea actions?
 ### user experience
 - rofi: sort items case-insensitively
 - xdg-desktop-portal shouldn't kill children on exit
  - *maybe* a job for `setsid -f`?
 - replace starship prompt with something more efficient
  - watch `forkstat`: it does way too much
 - cleanup waybar/nwg-panel so that it's not invoking playerctl every 2 seconds
  - nwg-panel: swaync icon is stuck as the refresh icon
  - nwg-panel: doesn't appear on all desktops
  - nwg-panel: doesn't know that virtual-desktop 10/TV exists
 - install apps:
  - display QR codes for WiFi endpoints: <https://linuxphoneapps.org/apps/noappid.wisperwind.wifi2qr/>
@@ -101,7 +98,7 @@
  - offline docs viewer (gtk): <https://github.com/workbenchdev/Biblioteca>
  - some type of games manager/launcher
    - Gnome Highscore (retro games)?: <https://gitlab.gnome.org/World/highscore>
-  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)?
+  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)?)
  - note-taking app: <https://linuxphoneapps.org/categories/note-taking/>
    - Folio is nice, uses standard markdown, though it only supports flat repos
  - OSK overlay specifically for mobile gaming
@@ -124,13 +121,11 @@
  - don't show MPRIS if no players detected
    - this is a problem of playerctld, i guess
  - add option to change audio output
  - fix colors (red alert) to match overall theme
 - moby: tune GPS
-  - run only geoclue, and not gpsd, to save power?
+  - fix iio-sensor-proxy magnetometer scaling
  - tune QGPS setting in eg25-control, for less jitter?
  - direct mepo to prefer gpsd, with fallback to geoclue, for better accuracy?
  - configure geoclue to do some smoothing?
-  - manually do smoothing, as some layer between mepo and geoclue/gpsd?
+  - manually do smoothing, as some layer between mepo and geoclue?
 - moby: port `freshen-agps` timer service to s6 (maybe i want some `s6-cron` or something)
 - moby: show battery state on ssh login
 - moby: improve gPodder launch time
@@ -153,17 +148,15 @@
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
  - maybe just color these "keywords" in all search results?
 - transmission: apply `sane-tag-media` path fix in `torrent-done` script
  - many .mkv files do appear to be tagged: i'd just need to add support in my own tooling
 - uninsane.org: make URLs relative to allow local use (and as offline homepage)
 - email: fix so that local mail doesn't go to junk
  - git sendmail flow adds the DKIM signatures, but gets delivered locally w/o having the sig checked, so goes into Junk
  - could change junk filter from "no DKIM success" to explicit "DKIM failed"
  - add an auto-reply address (e.g. `reply-test@uninsane.org`) which reflects all incoming mail; use this (or a friend running this) for liveness checks
 ### perf
 - debug nixos-rebuild times
  - use `systemctl list-jobs` to show what's being waited on
  - i think it's `systemd-networkd-wait-online.service` that's blocking this?
    - i wonder what interface it's waiting for. i should use `--ignore=...` to ignore interfaces i don't care about.
  - also `wireguard-wg-home.target` when net is offline
 - add `pkgs.impure-cached.<foo>` package set to build things with ccache enabled
  - every package here can be auto-generated, and marked with some env var so that it doesn't pollute the pure package set
  - would be super handy for package prototyping!
--- a/default.nix
+++ b/default.nix
@@ -1,67 +1,5 @@
-# limited, non-flake interface to this repo.
+{ ... }@args:
 # this file exposes the same view into `pkgs` which the flake would see when evaluated.
 #
 # the primary purpose of this file is so i can run `updateScript`s which expect
 # the root to be `default.nix`
 { }:
 let
-  mkPkgs = args: (import ./pkgs/additional/nixpkgs args).extend
+  sane-nix-files = import ./pkgs/additional/sane-nix-files { };
-    (import ./overlays/all.nix);
+in
-  inherit (mkPkgs {}) lib;
+  import "${sane-nix-files}/impure.nix" args
  evalHost = { name, system, branch ? "master", variant ? null }:
  let
    pkgs = mkPkgs { inherit system; variant = branch; };
  in pkgs.nixos (
    [
      (lib.optionalAttrs (variant == "light") {
        sane.maxBuildCost = 2;
      })
      (lib.optionalAttrs (variant == "min") {
        sane.maxBuildCost = 0;
      })
      (import ./hosts/instantiate.nix { hostName = name; })
      (import ./modules)
      pkgs.sops-nix.nixosModules.sops
    ]
  );
  mkFlavoredHost = args: let
    host = evalHost args;
    # expose the toplevel nixos system as the toplevel attribute itself,
    # with nested aliases for other common build targets
  in host.config.system.build.toplevel.overrideAttrs (base: {
    passthru = (base.passthru or {}) // {
      config = host.config;
      fs = host.config.sane.fs;
      img = host.config.system.build.img;
      pkgs = host.config.system.build.pkgs;
      programs = lib.mapAttrs (_: p: p.package) host.config.sane.programs;
      toplevel = host.config.system.build.toplevel;  #< self
    };
  });
  mkHost = args: {
    # TODO: swap order: $host-{next,staging}-{min,light}:
    # then lexicographically-adjacent targets would also have the minimal difference in closure,
    # and the order in which each target should be built is more evident
    "${args.name}" = mkFlavoredHost args;
    "${args.name}-next" = mkFlavoredHost args // { branch = "staging-next"; };
    "${args.name}-staging" = mkFlavoredHost args // { branch = "staging"; };
    "${args.name}-light" = mkFlavoredHost args // { variant = "light"; };
    "${args.name}-light-next" = mkFlavoredHost args // { variant = "light"; branch = "staging-next"; };
    "${args.name}-light-staging" = mkFlavoredHost args // { variant = "light"; branch = "staging"; };
    "${args.name}-min" = mkFlavoredHost args // { variant = "min"; };
    "${args.name}-min-next" = mkFlavoredHost args // { variant = "min"; branch = "staging-next"; };
    "${args.name}-min-staging" = mkFlavoredHost args // { variant = "min"; branch = "staging-staging"; };
  };
  hosts = lib.foldl' (acc: host: acc // (mkHost host)) {} [
    { name = "crappy"; system = "armv7l-linux";  }
    { name = "desko";  system = "x86_64-linux";  }
    { name = "lappy";  system = "x86_64-linux";  }
    { name = "moby";   system = "aarch64-linux"; }
    { name = "rescue"; system = "x86_64-linux";  }
    { name = "servo";  system = "x86_64-linux";  }
  ];
 in {
  inherit hosts;
 } // (mkPkgs {})
--- a/hosts/by-name/crappy/default.nix
+++ b/hosts/by-name/crappy/default.nix
@@ -16,7 +16,7 @@
  sane.programs.calls.enableFor.user.colin = false;
  sane.programs.consoleMediaUtils.enableFor.user.colin = true;
  sane.programs.epiphany.enableFor.user.colin = true;
-  sane.programs."gnome.geary".enableFor.user.colin = false;
+  sane.programs.geary.enableFor.user.colin = false;
  # sane.programs.firefox.enableFor.user.colin = true;
  sane.programs.portfolio-filemanager.enableFor.user.colin = true;
  sane.programs.signal-desktop.enableFor.user.colin = false;
@@ -25,6 +25,7 @@
  sane.programs.dino.config.autostart = false;
  sane.programs.dissent.config.autostart = false;
  sane.programs.fractal.config.autostart = false;
  sane.programs.sway.config.mod = "Mod1";  #< alt key instead of Super
  # sane.programs.guiApps.enableFor.user.colin = false;
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -10,9 +10,13 @@
  # don't enable wifi by default: it messes with connectivity.
  # systemd.services.iwd.enable = false;
  # networking.wireless.enable = false;
  # systemd.services.wpa_supplicant.enable = false;
-  sane.programs.wpa_supplicant.enableFor.user.colin = lib.mkForce false;
+  # sane.programs.wpa_supplicant.enableFor.user.colin = lib.mkForce false;
-  sane.programs.wpa_supplicant.enableFor.system = lib.mkForce false;
+  # sane.programs.wpa_supplicant.enableFor.system = lib.mkForce false;
  # don't auto-connect to wifi networks
  # see: <https://networkmanager.dev/docs/api/latest/NetworkManager.conf.html#device-spec>
  networking.networkmanager.unmanaged = [ "type:wifi" ];
  sops.secrets.colin-passwd.neededForUsers = true;
@@ -25,14 +29,18 @@
  sane.ovpn.addrV4 = "172.26.55.21";
  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:20c1:a73c";
  sane.services.duplicity.enable = true;
  sane.services.rsync-net.enable = true;
  sane.nixcache.remote-builders.desko = false;
  sane.programs.sane-private-unlock-remote.enableFor.user.colin = true;
  sane.programs.sane-private-unlock-remote.config.hosts = [ "servo" ];
  sane.programs.sway.enableFor.user.colin = true;
  sane.programs.iphoneUtils.enableFor.user.colin = true;
  sane.programs.steam.enableFor.user.colin = true;
-  sane.programs."gnome.geary".config.autostart = true;
+  sane.programs.geary.config.autostart = true;
  sane.programs.signal-desktop.config.autostart = true;
  sane.programs.nwg-panel.config = {
--- a/hosts/by-name/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@@ -15,14 +15,19 @@
  # sane.guest.enable = true;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  sane.programs.sane-private-unlock-remote.enableFor.user.colin = true;
  sane.programs.sane-private-unlock-remote.config.hosts = [ "servo" ];
  sane.programs.stepmania.enableFor.user.colin = true;
  sane.programs.sway.enableFor.user.colin = true;
-  sane.programs."gnome.geary".config.autostart = true;
+  sane.programs.geary.config.autostart = true;
  sane.programs.signal-desktop.config.autostart = true;
  sops.secrets.colin-passwd.neededForUsers = true;
  sane.services.rsync-net.enable = true;
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
--- a/hosts/by-name/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@@ -10,7 +10,6 @@
 {
  imports = [
    ./fs.nix
    ./gps.nix
  ];
  sane.hal.pine64.enable = true;
@@ -24,11 +23,13 @@
  # XXX colin: phosh doesn't work well with passwordless login,
  # so set this more reliable default password should anything go wrong
  users.users.colin.initialPassword = "147147";
  # services.getty.autologinUser = "root";  # allows for emergency maintenance?
  sops.secrets.colin-passwd.neededForUsers = true;
  sane.services.rsync-net.enable = true;
  sane.programs.sway.enableFor.user.colin = true;
  sane.programs.sway.config.mod = "Mod1";  #< alt key instead of Super
  sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
  sane.programs.fcitx5.enableFor.user.colin = false;  # does not cross compile
  sane.programs.mercurial.enableFor.user.colin = false;  # does not cross compile
@@ -36,12 +37,12 @@
  # enabled for easier debugging
  sane.programs.eg25-control.enableFor.user.colin = true;
-  sane.programs.rtl8723cs-wowlan.enableFor.user.colin = true;
+  # sane.programs.rtl8723cs-wowlan.enableFor.user.colin = true;
  # sane.programs.ntfy-sh.config.autostart = true;
  sane.programs.dino.config.autostart = true;
-  # sane.programs.signal-desktop.config.autostart = true;  # TODO: enable once electron stops derping.
+  sane.programs.signal-desktop.config.autostart = true;
-  # sane.programs."gnome.geary".config.autostart = true;
+  # sane.programs.geary.config.autostart = true;
  # sane.programs.calls.config.autostart = true;
  sane.programs.pipewire.config = {
--- a/hosts/by-name/moby/gps.nix
+++ b/hosts/by-name/moby/gps.nix
@@ -1,68 +0,0 @@
 # pinephone GPS happens in EG25 modem
 # serial control interface to modem is /dev/ttyUSB2
 # after enabling GPS, readout is /dev/ttyUSB1
 #
 # minimal process to enable modem and GPS:
 # - `echo 1 > /sys/class/modem-power/modem-power/device/powered`
 # - `screen /dev/ttyUSB2 115200`
 #   - `AT+QGPSCFG="nmeasrc",1`
 #   - `AT+QGPS=1`
 # this process is automated by my `eg25-control` program and services (`eg25-control-powered`, `eg25-control-gps`)
 # - see the `modules/` directory further up this repository.
 #
 # now, something like `gpsd` can directly read from /dev/ttyUSB1,
 # or geoclue can query the GPS directly through modem-manager
 #
 # initial GPS fix can take 15+ minutes.
 # meanwhile, services like eg25-manager or eg25-control-freshen-agps can speed this up by uploading assisted GPS data to the modem.
 #
 # support/help:
 # - geoclue, gnome-maps
 #   - irc: #gnome-maps on irc.gimp.org
 #   - Matrix: #gnome-maps:gnome.org  (unclear if bridged to IRC)
 #
 # programs to pair this with:
 # - `satellite-gtk`: <https://codeberg.org/tpikonen/satellite>
 #   - shows/tracks which satellites the GPS is connected to; useful to understand fix characteristics
 # - `gnome-maps`: uses geoclue, has route planning
 # - `mepo`: uses gpsd, minimalist, flaky, and buttons are kinda hard to activate on mobile
 # - puremaps?
 # - osmin?
 #
 # known/outstanding bugs:
 # - `systemctl start eg25-control-gps` can the hang the whole system (2023/10/06)
 #   - i think it's actually `eg25-control-powered` which does this (started by the gps)
 #   - best guess is modem draws so much power at launch that other parts of the system see undervoltage
 #   - workaround is to hard power-cycle the system. the modem may not bring up after reboot: leave unpowered for 60s and boot again.
 #
 # future work:
 # - integrate with [wigle](https://www.wigle.net/) for offline equivalent to Mozilla Location Services
 { config, lib, ... }:
 {
  # test gpsd with `gpspipe -w -n 10 2> /dev/null | grep -m 1 TPV | jq '.lat, .lon' | tr '\n' ' '`
  # ^ should return <lat> <long>
  services.gpsd.enable = true;
  services.gpsd.devices = [ "/dev/ttyUSB1" ];
  # test geoclue2 by building `geoclue2-with-demo-agent`
  # and running "${geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/where-am-i"
  # note that geoclue is dbus-activated, and auto-stops after 60s with no caller
  services.geoclue2.enable = true;
  services.geoclue2.appConfig.where-am-i = {
    # this is the default "agent", shipped by geoclue package: allow it to use location
    isAllowed = true;
    isSystem = false;
    # XXX: setting users != [] might be causing `where-am-i` to time out
    users = [
      # restrict to only one set of users. empty array (default) means "allow any user to access geolocation".
      (builtins.toString config.users.users.colin.uid)
    ];
  };
  systemd.services.geoclue.after = lib.mkForce [];  #< defaults to network-online, but not all my sources require network
  users.users.geoclue.extraGroups = [
    "dialout"  # TODO: figure out if dialout is required. that's for /dev/ttyUSB1, but geoclue probably doesn't read that?
  ];
  sane.programs.where-am-i.enableFor.user.colin = true;
 }
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -7,15 +7,14 @@
    ./services
  ];
  sane.programs = {
  # for administering services
-    freshrss.enableFor.user.colin = true;
+  sane.programs.clightning-sane.enableFor.user.colin = true;
-    matrix-synapse.enableFor.user.colin = true;
+  # sane.programs.freshrss.enableFor.user.colin = true;
-    signaldctl.enableFor.user.colin = true;
+  # sane.programs.signaldctl.enableFor.user.colin = true;
-  };
+  # sane.programs.matrix-synapse.enableFor.user.colin = true;
  sane.roles.build-machine.enable = true;
-  sane.programs.zsh.config.showDeadlines = false;  # ~/knowledge doesn't always exist
+  sane.programs.sane-deadlines.config.showOnLogin = false;  # ~/knowledge doesn't always exist
  sane.programs.consoleUtils.suggestedPrograms = [
    "consoleMediaUtils"  # notably, for go2tv / casting
    "pcConsoleUtils"
@@ -33,10 +32,12 @@
  sane.nixcache.remote-builders.desko = false;
  sane.nixcache.remote-builders.servo = false;
  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
  sane.services.rsync-net.enable = true;
  # automatically log in at the virtual consoles.
-  # using root here makes sure we always have an escape hatch
+  # using root here makes sure we always have an escape hatch.
-  services.getty.autologinUser = "root";
+  # XXX(2024-07-27): this is incompatible with my s6-rc stuff, which needs to auto-login as `colin` to start its user services.
  # services.getty.autologinUser = "root";
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
--- a/hosts/by-name/servo/fs.nix
+++ b/hosts/by-name/servo/fs.nix
@@ -14,7 +14,7 @@
 # show zfs datasets: `zfs list` (will be empty if haven't imported)
 # show zfs properties (e.g. compression): `zfs get all pool`
 # set zfs properties: `zfs set compression=on pool`
-{ ... }:
+{ lib, pkgs, ... }:
 {
  # hostId: not used for anything except zfs guardrail?
@@ -54,7 +54,7 @@
    options = [ "acl" ];  #< not sure if this `acl` flag is actually necessary. it mounts without it.
  };
  # services.zfs.zed = ... # TODO: zfs can send me emails when disks fail
-  sane.programs.sysadminUtils.suggestedPrograms = [ "zfs" ];
+  sane.programs.sysadminUtils.suggestedPrograms = [ "zfs-tools" ];
  sane.persist.stores."ext" = {
    origin = "/mnt/pool/persist";
@@ -131,6 +131,20 @@
    the contents should be a subset of what's in ../media/datasets.
  '';
  systemd.services.dedupe-media = {
    description = "transparently de-duplicate /var/media entries by using block-level hardlinks";
    script = ''
      ${lib.getExe' pkgs.util-linux "hardlink"} /var/media --reflink=always --ignore-time --verbose
    '';
  };
  systemd.timers.dedupe-media = {
    wantedBy = [ "multi-user.target" ];
    timerConfig = {
      OnStartupSec = "23min";
      OnUnitActiveSec = "720min";
    };
  };
  # btrfs doesn't easily support swapfiles
  # swapDevices = [
  #   { device = "/nix/persist/swapfile"; size = 4096; }
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@@ -30,6 +30,14 @@ in
  config = {
    networking.domain = "uninsane.org";
    systemd.network.networks."50-eth0" = {
      matchConfig.Name = "eth0";
      networkConfig.Address = [
        "205.201.63.12/32"
        "10.78.79.51/22"
      ];
      networkConfig.DNS = [ "10.78.79.1" ];
    };
    sane.ports.openFirewall = true;
    sane.ports.openUpnp = true;
--- a/hosts/by-name/servo/services/calibre.nix
+++ b/hosts/by-name/servo/services/calibre.nix
@@ -1,34 +0,0 @@
 { config, lib, ... }:
 let
  cweb-cfg = config.services.calibre-web;
  inherit (cweb-cfg) user group;
  inherit (cweb-cfg.listen) ip port;
  svc-dir = "/var/lib/${cweb-cfg.dataDir}";
 in
 # XXX: disabled because of runtime errors like:
 # > File "/nix/store/c7jqvx980nlg9xhxi065cba61r2ain9y-calibre-web-0.6.19/lib/python3.10/site-packages/calibreweb/cps/db.py", line 926, in speaking_language
 # > languages = self.session.query(Languages) \
 # > AttributeError: 'NoneType' object has no attribute 'query'
 lib.mkIf false
 {
  sane.persist.sys.byStore.plaintext = [
    { inherit user group; mode = "0700"; path = svc-dir; method = "bind"; }
  ];
  services.calibre-web.enable = true;
  services.calibre-web.listen.ip = "127.0.0.1";
  # XXX: externally populate `${svc-dir}/metadata.db` (once) from
  #   <https://github.com/janeczku/calibre-web/blob/master/library/metadata.db>
  # i don't know why you have to do this??
  # services.calibre-web.options.calibreLibrary = svc-dir;
  services.nginx.virtualHosts."calibre.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${ip}:${builtins.toString port}";
    };
  };
  sane.dns.zones."uninsane.org".inet.CNAME."calibre" = "native";
 }
--- a/hosts/by-name/servo/services/coturn.nix
+++ b/hosts/by-name/servo/services/coturn.nix
@@ -36,7 +36,8 @@
 #   - rb = received bytes
 #   - sp = sent packets
 #   - sb = sent bytes
-{ lib, ... }:
+
 { config, lib, ... }:
 let
  # TURN port range (inclusive).
  # default coturn behavior is to use the upper quarter of all ports. i.e. 49152 - 65535.
@@ -130,11 +131,11 @@ in
    "verbose"
    # "Verbose"  #< even MORE verbosity than "verbose"  (it's TOO MUCH verbosity really)
    "no-multicast-peers"  # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
-    # "listening-ip=10.0.1.5" "external-ip=185.157.162.178"  #< 2024/04/25: works, if running in root namespace
+    # "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"  #< 2024/04/25: works, if running in root namespace
-    "listening-ip=185.157.162.178" "external-ip=185.157.162.178"
+    "listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"
    # old attempts:
-    # "external-ip=185.157.162.178/10.0.1.5"
+    # "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}"
    # "listening-ip=10.78.79.51"  # can be specified multiple times; omit for *
    # "external-ip=97.113.128.229/10.78.79.51"
    # "external-ip=97.113.128.229"
--- a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
@@ -16,14 +16,17 @@
 # - validate with `bitcoin-cli -netinfo`
 { config, lib, pkgs, sane-lib, ... }:
 let
  # bitcoind = config.sane.programs.bitcoind.packageUnwrapped;
  bitcoind = pkgs.bitcoind;
  # wrapper to run bitcoind with the tor onion address as externalip (computed at runtime)
-  _bitcoindWithExternalIp = with pkgs; writeShellScriptBin "bitcoind" ''
+  _bitcoindWithExternalIp = pkgs.writeShellScriptBin "bitcoind" ''
    set -xeu
    externalip="$(cat /var/lib/tor/onion/bitcoind/hostname)"
    exec ${bitcoind}/bin/bitcoind "-externalip=$externalip" "$@"
  '';
  # the package i provide to services.bitcoind ends up on system PATH, and used by other tools like clightning.
  # therefore, even though services.bitcoind only needs `bitcoind` binary, provide all the other bitcoin-related binaries (notably `bitcoin-cli`) as well:
-  bitcoindWithExternalIp = with pkgs; symlinkJoin {
+  bitcoindWithExternalIp = pkgs.symlinkJoin {
    name = "bitcoind-with-external-ip";
    paths = [ _bitcoindWithExternalIp bitcoind ];
  };
@@ -61,23 +64,62 @@ in
      passwordHMAC = "30002c05d82daa210550e17a182db3f3$6071444151281e1aa8a2729f75e3e2d224e9d7cac3974810dab60e7c28ffaae4";
    };
    extraConfig = ''
      # checkblocks: default 6: how many blocks to verify on start
      checkblocks=3
      # don't load the wallet, and disable wallet RPC calls
      disablewallet=1
      # proxy all outbound traffic through Tor
      proxy=127.0.0.1:9050
    '';
    extraCmdlineOptions = [
      # "-debug"
      # "-debug=estimatefee"
      # "-debug=http"
      # "-debug=net"
      "-debug=proxy"
      "-debug=rpc"
      # "-debug=validation"
    ];
  };
  users.users.bitcoind-mainnet.extraGroups = [ "tor" ];
-  systemd.services.bitcoind-mainnet.serviceConfig.RestartSec = "30s";  #< default is 0
+  systemd.services.bitcoind-mainnet = {
    after = [ "tor.service" ];
    requires = [ "tor.service" ];
    serviceConfig.RestartSec = "30s";  #< default is 0
    # hardening (systemd-analyze security bitcoind-mainnet)
    serviceConfig.StateDirectory = "bitcoind-mainnet";
    serviceConfig.LockPersonality = true;
    serviceConfig.MemoryDenyWriteExecute = "true";
    serviceConfig.NoNewPrivileges = "true";
    serviceConfig.PrivateDevices = "true";
    serviceConfig.PrivateMounts = true;
    serviceConfig.PrivateTmp = "true";
    serviceConfig.PrivateUsers = true;
    serviceConfig.ProcSubset = "pid";
    serviceConfig.ProtectControlGroups = true;
    serviceConfig.ProtectHome = true;
    serviceConfig.ProtectHostname = true;
    serviceConfig.ProtectKernelLogs = true;
    serviceConfig.ProtectKernelModules = true;
    serviceConfig.ProtectKernelTunables = true;
    serviceConfig.ProtectProc = "invisible";
    serviceConfig.ProtectSystem = lib.mkForce "strict";
    serviceConfig.RemoveIPC = true;
    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    serviceConfig.RestrictNamespaces = true;
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";
    serviceConfig.SystemCallFilter = [ "@system-service" ];
  };
  sane.users.colin.fs.".bitcoin/bitcoin.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets."bitcoin.conf".path;
  sops.secrets."bitcoin.conf" = {
    mode = "0600";
    owner = "colin";
    group = "users";
  };
-  sane.programs.bitcoind.enableFor.user.colin = true;  # for debugging/administration: `bitcoin-cli`
+  sane.programs.bitcoin-cli.enableFor.user.colin = true;  # for debugging/administration: `bitcoin-cli`
 }
--- a/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
@@ -72,13 +72,11 @@
 { config, pkgs, ... }:
 {
-  sane.persist.sys.byStore.ext = [
+  sane.persist.sys.byStore.private = [
    # clightning takes up only a few MB. but then several hundred MB of crash logs that i should probably GC.
    { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; method = "bind"; }
  ];
  # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon
  sane.user.fs.".lightning".symlink.target = "/var/lib/clightning";
  # see bitcoin.nix for how to generate this
  services.bitcoind.mainnet.rpc.users.clightning.passwordHMAC =
    "befcb82d9821049164db5217beb85439$2c31ac7db3124612e43893ae13b9527dbe464ab2d992e814602e7cb07dc28985";
@@ -105,6 +103,7 @@
  users.users.clightning.extraGroups = [ "tor" ];
  systemd.services.clightning.after = [ "tor.service" ];
  systemd.services.clightning.requires = [ "tor.service" ];
  # lightning-config contains fields from here:
  # - <https://docs.corelightning.org/docs/configuration>
@@ -116,11 +115,16 @@
  # - fee-per-satoshi=<ppm>
  # - feature configs (i.e. experimental-xyz options)
  sane.services.clightning.extraConfig = ''
-    log-level=debug:lightningd
+    # log levels: "io", "debug", "info", "unusual", "broken"
    log-level=info
    # log-level=info:lightningd
    # log-level=debug:lightningd
    # log-level=debug
    # peerswap:
    # - config example: <https://github.com/fort-nix/nix-bitcoin/pull/462/files#diff-b357d832705b8ce8df1f41934d613f79adb77c4cd5cd9e9eb12a163fca3e16c6>
    # XXX: peerswap crashes clightning on launch. stacktrace is useless.
-    # plugin=${pkgs.peerswap}/bin/peerswap
+    # plugin={pkgs.peerswap}/bin/peerswap
    # peerswap-db-path=/var/lib/clightning/peerswap/swaps
    # peerswap-policy-path=...
  '';
@@ -131,5 +135,5 @@
    group = "clightning";
  };
-  sane.programs.clightning.enableFor.user.colin = true;  # for debugging/admin: `lightning-cli`
+  sane.programs.lightning-cli.enableFor.user.colin = true;  # for debugging/admin:
 }
--- a/hosts/by-name/servo/services/cryptocurrencies/i2p.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/i2p.nix
@@ -1,4 +1,5 @@
-{ ... }:
+{ lib, ... }:
 lib.mkIf false  #< 2024/07/27: i don't use it, too much surface-area for me to run it pro-bono (`systemd-analyze security monero`)
 {
  services.i2p.enable = true;
 }
--- a/hosts/by-name/servo/services/cryptocurrencies/monero.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/monero.nix
@@ -1,5 +1,6 @@
 # as of 2023/11/26: complete downloaded blockchain should be 200GiB on disk, give or take.
-{ ... }:
+{ lib, ... }:
 lib.mkIf false  #< 2024/07/27: i don't use it, too much surface-area for me to run it pro-bono (`systemd-analyze security monero`)
 {
  sane.persist.sys.byStore.ext = [
    # /var/lib/monero/lmdb is what consumes most of the space
--- a/hosts/by-name/servo/services/cryptocurrencies/tor.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/tor.nix
@@ -1,9 +1,9 @@
 # tor settings: <https://2019.www.torproject.org/docs/tor-manual.html.en>
 { lib, ... }:
 {
-  # tor hidden service hostnames aren't deterministic, so persist.
+  sane.persist.sys.byStore.ephemeral = [
-  # might be able to get away with just persisting /var/lib/tor/onion, not sure.
+    # N.B.: tor hidden service hostnames aren't deterministic, so if you need them
-  sane.persist.sys.byStore.plaintext = [
+    # to be preserved across reboots then persist /var/lib/tor/onion in "private" store.
   { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; }
  ];
--- a/hosts/by-name/servo/services/default.nix
+++ b/hosts/by-name/servo/services/default.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  imports = [
    ./calibre.nix
    ./coturn.nix
    ./cryptocurrencies
    ./email
@@ -11,7 +10,7 @@
    ./gitea.nix
    ./goaccess.nix
    ./ipfs.nix
-    ./jackett.nix
+    ./jackett
    ./jellyfin.nix
    ./kiwix-serve.nix
    ./komga.nix
@@ -26,7 +25,7 @@
    ./postgres.nix
    ./prosody
    ./slskd.nix
-    ./transmission.nix
+    ./transmission
    ./trust-dns.nix
    ./wikipedia.nix
  ];
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@@ -44,61 +44,61 @@ in
 # everything configured below was fine: used ejabberd for several months.
 lib.mkIf false
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; method = "bind"; }
  ];
  sane.ports.ports = lib.mkMerge ([
    {
      "3478" = {
        protocol = [ "tcp" "udp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-xmpp-stun-turn";
      };
      "5222" = {
        protocol = [ "tcp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-xmpp-client-to-server";
      };
      "5223" = {
        protocol = [ "tcp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-xmpps-client-to-server";  # XMPP over TLS
      };
      "5269" = {
        protocol = [ "tcp" ];
-        visibleTo.wan = true;
+        visibleTo.doof = true;
        description = "colin-xmpp-server-to-server";
      };
      "5270" = {
        protocol = [ "tcp" ];
-        visibleTo.wan = true;
+        visibleTo.doof = true;
        description = "colin-xmpps-server-to-server";  # XMPP over TLS
      };
      "5280" = {
        protocol = [ "tcp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-xmpp-bosh";
      };
      "5281" = {
        protocol = [ "tcp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-xmpp-bosh-https";
      };
      "5349" = {
        protocol = [ "tcp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-xmpp-stun-turn-over-tls";
      };
      "5443" = {
        protocol = [ "tcp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-xmpp-web-services";  # file uploads, websockets, admin
      };
    }
@@ -109,8 +109,8 @@ lib.mkIf false
        numPorts = turnPortHigh - turnPortLow + 1;
      in {
        protocol = [ "tcp" "udp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-xmpp-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
      };
    })
--- a/hosts/by-name/servo/services/email/dovecot.nix
+++ b/hosts/by-name/servo/services/email/dovecot.nix
@@ -8,14 +8,14 @@
 {
  sane.ports.ports."143" = {
    protocol = [ "tcp" ];
    visibleTo.doof = true;
    visibleTo.lan = true;
    visibleTo.wan = true;
    description = "colin-imap-imap.uninsane.org";
  };
  sane.ports.ports."993" = {
    protocol = [ "tcp" ];
    visibleTo.doof = true;
    visibleTo.lan = true;
    visibleTo.wan = true;
    description = "colin-imaps-imap.uninsane.org";
  };
@@ -83,8 +83,8 @@
    #   sieve_plugins = sieve_imapsieve
    # }
-    mail_debug = yes
+    # mail_debug = yes
-    auth_debug = yes
+    # auth_debug = yes
    # verbose_ssl = yes
  '';
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@@ -1,6 +1,6 @@
 # postfix config options: <https://www.postfix.org/postconf.5.html>
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
  submissionOptions = {
@@ -18,10 +18,10 @@ let
  };
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    # TODO: mode? could be more granular
    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; method = "bind"; }
-    { user = "root"; group = "root"; path = "/var/lib/postfix"; method = "bind"; }
+    { user = "root"; group = "root"; path = "/var/lib/postfix"; method = "bind"; }  #< probably not *all* of postfix needs to actually be persisted (e.g. not the conf dir)
    { user = "root"; group = "root"; path = "/var/spool/mail"; method = "bind"; }
    # *probably* don't need these dirs:
    # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
@@ -56,8 +56,7 @@ in
  sane.dns.zones."uninsane.org".inet = {
    MX."@" = "10 mx.uninsane.org.";
-    # XXX: RFC's specify that the MX record CANNOT BE A CNAME
+    A."mx" = "%AOVPNS%"; #< XXX: RFC's specify that the MX record CANNOT BE A CNAME. TODO: use "%AOVPNS%?
    A."mx" = "185.157.162.178";
    # Sender Policy Framework:
    #   +mx     => mail passes if it originated from the MX
--- a/hosts/by-name/servo/services/export/default.nix
+++ b/hosts/by-name/servo/services/export/default.nix
@@ -37,7 +37,8 @@
    wantedBy = [ "nfs.service" "sftpgo.service" ];
    file.text = ''
      - media/         read-only:  Videos, Music, Books, etc
-      - playground/    read-write: use it to share files with other users of this server
+      - playground/    read-write: use it to share files with other users of this server, inaccessible from the www
      - pub/           read-only:  content made to be shared with the www
    '';
  };
@@ -50,4 +51,11 @@
      - be a friendly troll
    '';
  };
  sane.fs."/var/export/.public_for_test/test" = {
    wantedBy = [ "nfs.service" "sftpgo.service" ];
    file.text = ''
      automated tests read this file to probe connectivity
    '';
  };
 }
--- a/hosts/by-name/servo/services/export/sftpgo/default.nix
+++ b/hosts/by-name/servo/services/export/sftpgo/default.nix
@@ -9,10 +9,10 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
-  external_auth_hook = pkgs.static-nix-shell.mkPython3Bin {
+  external_auth_hook = pkgs.static-nix-shell.mkPython3 {
    pname = "external_auth_hook";
    srcRoot = ./.;
-    pyPkgs = [ "passlib" ];
+    pkgs = [ "python3.pkgs.passlib" ];
  };
  # Client initiates a FTP "control connection" on port 21.
  # - this handles the client -> server commands, and the server -> client status, but not the actual data
@@ -27,13 +27,12 @@ in
    "21" = {
      protocol = [ "tcp" ];
      visibleTo.lan = true;
      # visibleTo.wan = true;
      description = "colin-FTP server";
    };
    "990" = {
      protocol = [ "tcp" ];
      visibleTo.doof = true;
      visibleTo.lan = true;
      visibleTo.wan = true;
      description = "colin-FTPS server";
    };
  } // (sane-lib.mapToAttrs
@@ -41,8 +40,8 @@ in
      name = builtins.toString port;
      value = {
        protocol = [ "tcp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-FTP server data port range";
      };
    })
@@ -81,12 +80,6 @@ in
            port = 21;
            debug = true;
          }
          {
            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
            address = "10.78.79.51";
            port = 21;
            debug = true;
          }
          {
            # binding this means any wireguard client can connect
            address = "10.0.10.5";
@@ -97,6 +90,26 @@ in
          {
            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
            address = "10.78.79.51";
            port = 21;
            debug = true;
          }
          {
            # binding this means any LAN client can connect (also WAN traffic forwarded from the gateway)
            address = "10.78.79.51";
            port = 990;
            debug = true;
            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
          }
          {
            # binding this means any doof client can connect (TLS only)
            address = config.sane.netns.doof.hostVethIpv4;
            port = 990;
            debug = true;
            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
          }
          {
            # binding this means any LAN client can connect via `ftp.uninsane.org` (TLS only)
            address = config.sane.netns.doof.netnsPubIpv4;
            port = 990;
            debug = true;
            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
@@ -117,7 +130,7 @@ in
        banner = ''
          Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.
-          Read-only access (LAN-restricted):
+          Read-only access (LAN clients see everything; WAN clients can only see /pub):
          Username: "anonymous"
          Password: "anonymous"
--- a/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
+++ b/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.passlib ])"
+#!nix-shell -i python3 -p python3 -p python3.pkgs.passlib
 # vim: set filetype=python :
 #
 # available environment variables:
@@ -45,6 +45,8 @@ from hmac import compare_digest
 authFail = dict(username="")
 PERM_DENY = []
 PERM_LIST = [ "list" ]
 PERM_RO = [ "list", "download" ]
 PERM_RW = [
  # read-only:
@@ -127,12 +129,14 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
    return mkAuthOk(username, permissions = {
      "/": PERM_RW,
      "/playground": PERM_RW,
      "/.public_for_test": PERM_RO,
    })
  if isWireguard(ip):
    # allow any user from wireguard
    return mkAuthOk(username, permissions = {
      "/": PERM_RW,
      "/playground": PERM_RW,
      "/.public_for_test": PERM_RO,
    })
  if isLan(ip):
    if username == "anonymous":
@@ -140,6 +144,18 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
      return mkAuthOk("anonymous", permissions = {
        "/": PERM_RO,
        "/playground": PERM_RW,
        "/.public_for_test": PERM_RO,
      })
  if username == "anonymous":
    # anonymous users from the www can have even more limited access.
    # mostly because i need an easy way to test WAN connectivity :-)
    return mkAuthOk("anonymous", permissions = {
      # "/": PERM_DENY,
      "/": PERM_LIST,  #< REQUIRED, even for lftp to list a subdir
      "/media": PERM_DENY,
      "/playground": PERM_DENY,
      "/.public_for_test": PERM_RO,
      # "/README.md": PERM_RO,  #< does not work
    })
  return authFail
--- a/hosts/by-name/servo/services/freshrss.nix
+++ b/hosts/by-name/servo/services/freshrss.nix
@@ -10,6 +10,7 @@
 # ```
 { config, lib, pkgs, sane-lib, ... }:
 lib.mkIf false  #< 2024/07/04: i haven't actively used this for months
 {
  sops.secrets."freshrss_passwd" = {
    owner = config.users.users.freshrss.name;
--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@@ -2,9 +2,8 @@
 { config, pkgs, lib, ... }:
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
-    # TODO: mode? could be more granular
+    { user = "git"; group = "gitea"; mode = "0750"; path = "/var/lib/gitea"; method = "bind"; }
    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; method = "bind"; }
  ];
  services.gitea.enable = true;
  services.gitea.user = "git";  # default is 'gitea'
@@ -38,12 +37,12 @@
      ROOT_URL = "https://git.uninsane.org/";
    };
    service = {
-      # timeout for email approval. 5760 = 4 days
+      # timeout for email approval. 5760 = 4 days. 10080 = 7 days
-      ACTIVE_CODE_LIVE_MINUTES = 5760;
+      ACTIVE_CODE_LIVE_MINUTES = 10080;
      # REGISTER_EMAIL_CONFIRM = false;
      # REGISTER_MANUAL_CONFIRM = true;
      REGISTER_EMAIL_CONFIRM = true;
-      # not sure what this notified on?
+      # not sure what this notifies *on*...
      ENABLE_NOTIFY_MAIL = true;
      # defaults to image-based captcha.
      # also supports recaptcha (with custom URLs) or hCaptcha.
@@ -64,8 +63,8 @@
      SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
    };
    ui = {
-      # options: "auto", "gitea", "arc-green"
+      # options: "gitea-auto" (adapt to system theme), "gitea-dark", "gitea-light"
-      DEFAULT_THEME = "arc-green";
+      # DEFAULT_THEME = "gitea-auto";
      # cache frontend assets if true
      # USE_SERVICE_WORKER = true;
    };
@@ -74,9 +73,10 @@
      # alternative is to use nixos-level config:
      # services.gitea.mailerPasswordFile = ...
      ENABLED = true;
      MAILER_TYPE = "sendmail";
      FROM = "notify.git@uninsane.org";
      PROTOCOL = "sendmail";
      SENDMAIL_PATH = "${pkgs.postfix}/bin/sendmail";
      SENDMAIL_ARGS = "--";  # most "sendmail" programs take options, "--" will prevent an email address being interpreted as an option.
    };
    time = {
      # options: ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro, StampNano
@@ -108,6 +108,10 @@
    locations."/" = {
      proxyPass = "http://127.0.0.1:3000";
    };
    # fuck you @anthropic
    locations."= /robots.txt".extraConfig = ''
      return 200 "User-agent: *\nDisallow: /\n";
    '';
    # gitea serves all `raw` files as content-type: plain, but i'd like to serve them as their actual content type.
    # or at least, enough to make specific pages viewable (serving unoriginal content as arbitrary content type is dangerous).
    locations."~ ^/colin/phone-case-cq/raw/.*.html" = {
@@ -133,7 +137,7 @@
  sane.ports.ports."22" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-git@git.uninsane.org";
  };
 }
--- a/hosts/by-name/servo/services/ipfs.nix
+++ b/hosts/by-name/servo/services/ipfs.nix
@@ -10,7 +10,7 @@
 lib.mkIf false # i don't actively use ipfs anymore
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    # TODO: mode? could be more granular
    { user = "261"; group = "261"; path = "/var/lib/ipfs"; method = "bind"; }
  ];
--- a/hosts/by-name/servo/services/jackett.nix
+++ b/hosts/by-name/servo/services/jackett.nix
@@ -1,36 +0,0 @@
 { lib, pkgs, ... }:
 lib.mkIf false  #< TODO: re-enable once confident of sandboxing
 {
  sane.persist.sys.byStore.plaintext = [
    # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
    { user = "root"; group = "root"; path = "/var/lib/jackett"; method = "bind"; }
  ];
  services.jackett.enable = true;
  systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
  systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
  systemd.services.jackett.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
    # patch jackett to listen on the public interfaces
    # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
  };
  # jackett torrent search
  services.nginx.virtualHosts."jackett.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
      # proxyPass = "http://ovpns.uninsane.org:9117";
      proxyPass = "http://10.0.1.6:9117";
      recommendedProxySettings = true;
    };
  };
  sane.dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
 }
--- a/hosts/by-name/servo/services/jackett/default.nix
+++ b/hosts/by-name/servo/services/jackett/default.nix
@@ -0,0 +1,68 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.jackett;
 in
 {
  sane.persist.sys.byStore.private = [
    # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
    { user = "jackett"; group = "jackett"; path = "/var/lib/jackett"; method = "bind"; }
  ];
  services.jackett.enable = true;
  systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
  systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
  systemd.services.jackett = {
    # run this behind the OVPN static VPN
    serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
    serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
    # patch in `--ListenPublic` so that it's reachable from the netns veth.
    # this also makes it reachable from the VPN pub address. oh well.
    serviceConfig.ExecStart = lib.mkForce "${cfg.package}/bin/Jackett --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
    serviceConfig.RestartSec = "30s";
    # hardening (systemd-analyze security jackett)
    # TODO: upstream into nixpkgs
    serviceConfig.StateDirectory = "jackett";
    serviceConfig.LockPersonality = true;
    serviceConfig.NoNewPrivileges = true;
    # serviceConfig.MemoryDenyWriteExecute = true;  #< Failed to create CoreCLR, HRESULT: 0x80004005
    serviceConfig.PrivateDevices = true;
    serviceConfig.PrivateMounts = true;
    serviceConfig.PrivateTmp = true;
    serviceConfig.PrivateUsers = true;
    serviceConfig.ProcSubset = "pid";
    serviceConfig.ProtectClock = true;
    serviceConfig.ProtectControlGroups = true;
    serviceConfig.ProtectHome = true;
    serviceConfig.ProtectHostname = true;
    serviceConfig.ProtectKernelLogs = true;
    serviceConfig.ProtectKernelModules = true;
    serviceConfig.ProtectKernelTunables = true;
    serviceConfig.ProtectProc = "invisible";
    serviceConfig.ProtectSystem = "strict";
    serviceConfig.RemoveIPC = true;
    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    serviceConfig.RestrictNamespaces = true;
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";
    serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" ];
  };
  # jackett torrent search
  services.nginx.virtualHosts."jackett.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
      recommendedProxySettings = true;
    };
    locations."= /robots.txt".extraConfig = ''
      return 200 "User-agent: *\nDisallow: /\n";
    '';
  };
  sane.dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
 }
--- a/hosts/by-name/servo/services/kiwix-serve.nix
+++ b/hosts/by-name/servo/services/kiwix-serve.nix
@@ -21,6 +21,9 @@
    enableACME = true;
    # inherit kTLS;
    locations."/".proxyPass = "http://127.0.0.1:8013";
    locations."= /robots.txt".extraConfig = ''
      return 200 "User-agent: *\nDisallow: /\n";
    '';
  };
  sane.dns.zones."uninsane.org".inet.CNAME."w" = "native";
--- a/hosts/by-name/servo/services/komga.nix
+++ b/hosts/by-name/servo/services/komga.nix
@@ -17,6 +17,9 @@ in
    locations."/" = {
      proxyPass = "http://127.0.0.1:${builtins.toString port}";
    };
    locations."= /robots.txt".extraConfig = ''
      return 200 "User-agent: *\nDisallow: /\n";
    '';
  };
  sane.dns.zones."uninsane.org".inet.CNAME."komga" = "native";
 }
--- a/hosts/by-name/servo/services/lemmy.nix
+++ b/hosts/by-name/servo/services/lemmy.nix
@@ -38,14 +38,10 @@ in {
    nginx.enable = true;
  };
  systemd.services.lemmy.serviceConfig = {
    # fix to use a normal user so we can configure perms correctly
    DynamicUser = mkForce false;
    User = "lemmy";
    Group = "lemmy";
  };
  systemd.services.lemmy.environment = {
    RUST_BACKTRACE = "full";
    RUST_LOG = "error";
    # RUST_LOG = "warn";
    # RUST_LOG = "debug";
    # RUST_LOG = "trace";
    # upstream defaults LEMMY_DATABASE_URL = "postgres:///lemmy?host=/run/postgresql";
@@ -72,6 +68,73 @@ in {
  sane.dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";
  systemd.services.lemmy = {
    # fix to use a normal user so we can configure perms correctly
    # XXX(2024-07-28): this hasn't been rigorously tested:
    # possible that i've set something too strict and won't notice right away
    serviceConfig.DynamicUser = mkForce false;
    serviceConfig.User = "lemmy";
    serviceConfig.Group = "lemmy";
    # hardening (systemd-analyze security lemmy)
    # a handful of these are specified in upstream nixpkgs, but mostly not
    serviceConfig.LockPersonality = true;
    serviceConfig.NoNewPrivileges = true;
    serviceConfig.MemoryDenyWriteExecute = true;
    serviceConfig.PrivateDevices = true;
    serviceConfig.PrivateMounts = true;
    serviceConfig.PrivateTmp = true;
    serviceConfig.PrivateUsers = true;
    serviceConfig.ProcSubset = "pid";
    serviceConfig.ProtectClock = true;
    serviceConfig.ProtectControlGroups = true;
    serviceConfig.ProtectHome = true;
    serviceConfig.ProtectHostname = true;
    serviceConfig.ProtectKernelLogs = true;
    serviceConfig.ProtectKernelModules = true;
    serviceConfig.ProtectKernelTunables = true;
    serviceConfig.ProtectProc = "invisible";
    serviceConfig.ProtectSystem = "strict";
    serviceConfig.RemoveIPC = true;
    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    serviceConfig.RestrictNamespaces = true;
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";
    serviceConfig.SystemCallFilter = [ "@system-service" ];
  };
  systemd.services.lemmy-ui = {
    # hardening (systemd-analyze security lemmy-ui)
    # TODO: upstream into nixpkgs
    serviceConfig.LockPersonality = true;
    serviceConfig.NoNewPrivileges = true;
    # serviceConfig.MemoryDenyWriteExecute = true;  #< it uses v8, JIT
    serviceConfig.PrivateDevices = true;
    serviceConfig.PrivateMounts = true;
    serviceConfig.PrivateTmp = true;
    serviceConfig.PrivateUsers = true;
    serviceConfig.ProcSubset = "pid";
    serviceConfig.ProtectClock = true;
    serviceConfig.ProtectControlGroups = true;
    serviceConfig.ProtectHome = true;
    serviceConfig.ProtectHostname = true;
    serviceConfig.ProtectKernelLogs = true;
    serviceConfig.ProtectKernelModules = true;
    serviceConfig.ProtectKernelTunables = true;
    serviceConfig.ProtectProc = "invisible";
    serviceConfig.ProtectSystem = "strict";
    serviceConfig.RemoveIPC = true;
    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    serviceConfig.RestrictNamespaces = true;
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";
    serviceConfig.SystemCallFilter = [ "@system-service" "@pkey" "@sandbox" ];
  };
  #v DO NOT REMOVE: defaults to 0.3, instead of latest, so always need to explicitly set this.
  services.pict-rs.package = pict-rs;
@@ -81,10 +144,38 @@ in {
  # - via CLI flags (overrides everything above)
  # some of the CLI flags have defaults, making it the only actual way to configure certain things even when docs claim otherwise.
  # CLI args: <https://git.asonix.dog/asonix/pict-rs#user-content-running>
-  systemd.services.pict-rs.serviceConfig.ExecStart = lib.mkForce (lib.concatStringsSep " " [
+  systemd.services.pict-rs = {
    serviceConfig.ExecStart = lib.mkForce (lib.concatStringsSep " " [
      "${lib.getBin pict-rs}/bin/pict-rs run"
      "--media-video-max-frame-count" (builtins.toString (30*60*60))
      "--media-process-timeout 120"
      "--media-video-allow-audio"  # allow audio
    ]);
    # hardening (systemd-analyze security pict-rs)
    # TODO: upstream into nixpkgs
    serviceConfig.LockPersonality = true;
    serviceConfig.NoNewPrivileges = true;
    serviceConfig.MemoryDenyWriteExecute = true;
    serviceConfig.PrivateDevices = true;
    serviceConfig.PrivateMounts = true;
    serviceConfig.PrivateTmp = true;
    serviceConfig.PrivateUsers = true;
    serviceConfig.ProcSubset = "pid";
    serviceConfig.ProtectClock = true;
    serviceConfig.ProtectControlGroups = true;
    serviceConfig.ProtectHome = true;
    serviceConfig.ProtectHostname = true;
    serviceConfig.ProtectKernelLogs = true;
    serviceConfig.ProtectKernelModules = true;
    serviceConfig.ProtectKernelTunables = true;
    serviceConfig.ProtectProc = "invisible";
    serviceConfig.ProtectSystem = "strict";
    serviceConfig.RemoveIPC = true;
    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    serviceConfig.RestrictNamespaces = true;
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";
    serviceConfig.SystemCallFilter = [ "@system-service" ];
  };
 }
--- a/hosts/by-name/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@@ -1,6 +1,6 @@
 # docs: <https://nixos.wiki/wiki/Matrix>
 # docs: <https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse>
-# example config: <https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml>
+# example config: <https://github.com/element-hq/synapse/blob/develop/docs/sample_config.yaml>
 #
 # ENABLING PUSH NOTIFICATIONS (with UnifiedPush/ntfy):
 # - Matrix "pushers" API spec: <https://spec.matrix.org/latest/client-server-api/#post_matrixclientv3pushersset>
@@ -20,14 +20,12 @@
    ./signal.nix
  ];
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; method = "bind"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.log.root.level = "ERROR";  # accepts "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL" (?)
  services.matrix-synapse.settings = {
    # this changes the default log level from INFO to WARN.
    # maybe there's an easier way?
    log_config = ./synapse-log_level.yaml;
    server_name = "uninsane.org";
    # services.matrix-synapse.enable_registration_captcha = true;
--- a/hosts/by-name/servo/services/matrix/discord-puppet.nix
+++ b/hosts/by-name/servo/services/matrix/discord-puppet.nix
@@ -5,7 +5,7 @@
 # - recommended to use mautrix-discord: <https://github.com/NixOS/nixpkgs/pull/200462>
 lib.mkIf false
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; method = "bind"; }
  ];
--- a/hosts/by-name/servo/services/matrix/irc.nix
+++ b/hosts/by-name/servo/services/matrix/irc.nix
@@ -1,15 +1,13 @@
 # config docs:
 # - <https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml>
 #       probably want to remove that.
 { config, lib, ... }:
 let
-  ircServer = { name, additionalAddresses ? [], sasl ? true, port ? 6697 }: let
+  ircServer = { name, additionalAddresses ? [], ssl ? true, sasl ? true, port ? if ssl then 6697 else 6667 }: let
    lowerName = lib.toLower name;
  in {
    # XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
-    inherit name additionalAddresses sasl port;
+    inherit additionalAddresses name port sasl ssl;
    ssl = true;
    botConfig = {
      # bot has no presence in IRC channel; only real Matrix users
      enabled = false;
@@ -101,7 +99,7 @@ in
    })
  ];
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    # TODO: mode?
    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; method = "bind"; }
  ];
@@ -129,6 +127,7 @@ in
    };
    ircService = {
      logging.level = "warn";  # "error", "warn", "info", "debug"
      servers = {
        "irc.esper.net" = ircServer {
          name = "esper";
@@ -156,6 +155,10 @@ in
          # - #sxmo-offtopic
        };
        "irc.rizon.net" = ircServer { name = "Rizon"; };
        "wigle.net" = ircServer {
          name = "WiGLE";
          ssl = false;
        };
      };
    };
  };
--- a/hosts/by-name/servo/services/matrix/signal.nix
+++ b/hosts/by-name/servo/services/matrix/signal.nix
@@ -4,7 +4,7 @@
 lib.mkIf false  # disabled 2024/01/11: i don't use it, and pkgs.mautrix-signal had some API changes
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; method = "bind"; }
    { user = "signald"; group = "signald"; path = "/var/lib/signald"; method = "bind"; }
  ];
--- a/hosts/by-name/servo/services/matrix/synapse-log_level.yaml
+++ b/hosts/by-name/servo/services/matrix/synapse-log_level.yaml
@@ -1,27 +0,0 @@
 version: 1
 # In systemd's journal, loglevel is implicitly stored, so let's omit it
 # from the message text.
 formatters:
    journal_fmt:
        format: '%(name)s: [%(request)s] %(message)s'
 filters:
    context:
        (): synapse.util.logcontext.LoggingContextFilter
        request: ""
 handlers:
    journal:
        class: systemd.journal.JournalHandler
        formatter: journal_fmt
        filters: [context]
        SYSLOG_IDENTIFIER: synapse
 # default log level: INFO
 root:
    level: WARN
    handlers: [journal]
 disable_existing_loggers: False
--- a/hosts/by-name/servo/services/nginx.nix
+++ b/hosts/by-name/servo/services/nginx.nix
@@ -17,7 +17,6 @@ in
  sane.ports.ports."80" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
    visibleTo.wan = true;
    visibleTo.ovpns = true;  # so that letsencrypt can procure a cert for the mx record
    visibleTo.doof = true;
    description = "colin-http-uninsane.org";
@@ -25,12 +24,17 @@ in
  sane.ports.ports."443" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
    visibleTo.wan = true;
    visibleTo.doof = true;
    description = "colin-https-uninsane.org";
  };
  services.nginx.enable = true;
  # nginxStable is one release behind nginxMainline.
  # nginx itself recommends running mainline; nixos defaults to stable.
  # services.nginx.package = pkgs.nginxMainline;
  # XXX(2024-07-31): nixos defaults to zlib-ng -- supposedly more performant, but spams log with
  # "gzip filter failed to use preallocated memory: ..."
  services.nginx.package = pkgs.nginxMainline.override { zlib = pkgs.zlib; };
  services.nginx.appendConfig = ''
    # use 1 process per core.
    # may want to increase worker_connections too, but `ulimit -n` must be increased first.
@@ -46,8 +50,10 @@ in
    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
    access_log /var/log/nginx/private.log vcombined;
  '';
-  # sets gzip_comp_level = 5
+  # enables gzip and sets gzip_comp_level = 5
  services.nginx.recommendedGzipSettings = true;
  # enables zstd and sets zstd_comp_level = 9
  services.nginx.recommendedZstdSettings = true;
  # enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
  # - doesn't seem to, actually: <https://www.ssllabs.com/ssltest/analyze.html?d=uninsane.org>
  # caches TLS sessions for 10m
@@ -101,6 +107,16 @@ in
        disable_symlinks on;
      '';
    };
    locations."/share/Ubunchu/" = {
      alias = "/var/media/Books/Visual/HiroshiSeo/Ubunchu/";
      extraConfig = ''
        # autoindex => render directory listings
        autoindex on;
        # don't follow any symlinks when serving files
        # otherwise it allows a directory escape
        disable_symlinks on;
      '';
    };
    # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
    locations."= /.well-known/matrix/server".extraConfig =
@@ -182,8 +198,15 @@ in
  sane.persist.sys.byStore.plaintext = [
    { user = "acme"; group = "acme"; path = "/var/lib/acme"; method = "bind"; }
  ];
  sane.persist.sys.byStore.private = [
    { user = "colin"; group = "users"; path = "/var/www/sites"; method = "bind"; }
  ];
  sane.persist.sys.byStore.ephemeral = [
    # logs *could* be persisted to private storage, but then there's the issue of
    # "what if servo boots, isn't unlocked, and the whole / tmpfs is consumed by logs"
    { user = "nginx"; group = "nginx"; path = "/var/log/nginx"; method = "bind"; }
  ];
  # let's encrypt default chain looks like:
  # - End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3
--- a/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
+++ b/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
@@ -30,7 +30,7 @@ let
  altPort = 2587;
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    # not 100% necessary to persist this, but ntfy does keep a 12hr (by default) cache
    # for pushing notifications to users who become offline.
    # ACLs also live here.
@@ -46,7 +46,7 @@ in
    # defaults to 45s.
    # note that the client may still do its own TCP-level keepalives, typically every 30s
    keepalive-interval = "15m";
-    log-level = "trace";  # trace, debug, info (default), warn, error
+    log-level = "info";  # trace, debug, info (default), warn, error
    auth-default-access = "deny-all";
  };
  systemd.services.ntfy-sh.serviceConfig.DynamicUser = lib.mkForce false;
@@ -86,7 +86,7 @@ in
  sane.ports.ports."${builtins.toString altPort}" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-ntfy.uninsane.org";
  };
 }
--- a/hosts/by-name/servo/services/ntfy/ntfy-waiter
+++ b/hosts/by-name/servo/services/ntfy/ntfy-waiter
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])" -p ntfy-sh
+#!nix-shell -i python3 -p ntfy-sh -p python3
 import argparse
 import logging
--- a/hosts/by-name/servo/services/ntfy/ntfy-waiter.nix
+++ b/hosts/by-name/servo/services/ntfy/ntfy-waiter.nix
@@ -47,7 +47,7 @@ in
    };
    sane.ntfy-waiter.package = mkOption {
      type = types.package;
-      default = pkgs.static-nix-shell.mkPython3Bin {
+      default = pkgs.static-nix-shell.mkPython3 {
        pname = "ntfy-waiter";
        srcRoot = ./.;
        pkgs = [ "ntfy-sh" ];
@@ -62,8 +62,8 @@ in
    sane.ports.ports = lib.mkMerge (lib.forEach portRange (port: {
      "${builtins.toString port}" = {
        protocol = [ "tcp" ];
        visibleTo.doof = true;
        visibleTo.lan = true;
        visibleTo.wan = true;
        description = "colin-notification-waiter-${builtins.toString (port - portLow + 1)}-of-${builtins.toString numPorts}";
      };
    }));
--- a/hosts/by-name/servo/services/pleroma.nix
+++ b/hosts/by-name/servo/services/pleroma.nix
@@ -7,14 +7,15 @@
 # to run it in a oci-container: <https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix>
 #
 # admin frontend: <https://fed.uninsane.org/pleroma/admin>
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
  logLevel = "warn";
  # logLevel = "debug";
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    # contains media i've uploaded to the server
    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; method = "bind"; }
  ];
  services.pleroma.enable = true;
@@ -135,25 +136,52 @@ in
    # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
    pkgs.bash
    # used by Pleroma to strip geo tags from uploads
-    pkgs.exiftool
+    config.sane.programs.exiftool.package
    # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
-    pkgs.gawk
+    config.sane.programs.gawk.package
    # needed for email operations like password reset
    pkgs.postfix
  ];
-  systemd.services.pleroma.serviceConfig = {
+  systemd.services.pleroma = {
    # postgres can be slow to service early requests, preventing pleroma from starting on the first try
-    Restart = "on-failure";
+    serviceConfig.Restart = "on-failure";
-    RestartSec = "10s";
+    serviceConfig.RestartSec = "10s";
  };
-  # systemd.services.pleroma.serviceConfig = {
+    # hardening (systemd-analyze security pleroma)
-  #   # required for sendmail. see https://git.pleroma.social/pleroma/pleroma/-/issues/2259
+    # XXX(2024-07-28): this hasn't been rigorously tested:
-  #   NoNewPrivileges = lib.mkForce false;
+    # possible that i've set something too strict and won't notice right away
-  #   PrivateTmp = lib.mkForce false;
+    # make sure to test:
-  #   CapabilityBoundingSet = lib.mkForce "~";
+    # - image/media uploading
-  # };
+    serviceConfig.CapabilityBoundingSet = "~CAP_SYS_ADMIN";  #< TODO: reduce this. try: CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
    serviceConfig.LockPersonality = true;
    serviceConfig.NoNewPrivileges = true;
    serviceConfig.MemoryDenyWriteExecute = true;
    serviceConfig.PrivateDevices = lib.mkForce true;  #< dunno why nixpkgs has this set false; it seems to work as true
    serviceConfig.PrivateMounts = true;
    serviceConfig.PrivateTmp = true;
    serviceConfig.PrivateUsers = true;
    serviceConfig.ProtectProc = "invisible";
    serviceConfig.ProcSubset = "all";  #< needs /proc/sys/kernel/overflowuid for bwrap
    serviceConfig.ProtectClock = true;
    serviceConfig.ProtectControlGroups = true;
    serviceConfig.ProtectHome = true;
    serviceConfig.ProtectKernelModules = true;
    serviceConfig.ProtectSystem = lib.mkForce "strict";
    serviceConfig.RemoveIPC = true;
    serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";
    serviceConfig.SystemCallFilter = [ "@system-service" "@mount" "@sandbox" ];  #< "sandbox" might not actually be necessary
    serviceConfig.ProtectHostname = false;  #< else brap can't mount /proc
    serviceConfig.ProtectKernelLogs = false;  #< else breaks exiftool  ("bwrap: Can't mount proc on /newroot/proc: Operation not permitted")
    serviceConfig.ProtectKernelTunables = false;  #< else breaks exiftool
    serviceConfig.RestrictNamespaces = false;  # media uploads require bwrap
  };
  # this is required to allow pleroma to send email.
  # raw `sendmail` works, but i think pleroma's passing it some funny flags or something, idk.
--- a/hosts/by-name/servo/services/postgres.nix
+++ b/hosts/by-name/servo/services/postgres.nix
@@ -6,9 +6,9 @@ let
  KiB = n: 1024*n;
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
-    # TODO: mode?
+    { user = "postgres"; group = "postgres"; mode = "0750"; path = "/var/lib/postgresql"; method = "bind"; }
-    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; method = "bind"; }
+    { user = "postgres"; group = "postgres"; mode = "0750"; path = "/var/backup/postgresql"; method = "bind"; }
  ];
  services.postgresql.enable = true;
--- a/hosts/by-name/servo/services/prosody/default.nix
+++ b/hosts/by-name/servo/services/prosody/default.nix
@@ -56,47 +56,48 @@ let
  enableDebug = false;
 in
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    # TODO: mode?
    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; method = "bind"; }
  ];
  sane.ports.ports."5000" = {
    protocol = [ "tcp" ];
    visibleTo.doof = true;
    visibleTo.lan = true;
    visibleTo.wan = true;
    description = "colin-xmpp-prosody-fileshare-proxy65";
  };
  sane.ports.ports."5222" = {
    protocol = [ "tcp" ];
    visibleTo.doof = true;
    visibleTo.lan = true;
    visibleTo.wan = true;
    description = "colin-xmpp-client-to-server";
  };
  sane.ports.ports."5223" = {
    protocol = [ "tcp" ];
    visibleTo.doof = true;
    visibleTo.lan = true;
    visibleTo.wan = true;
    description = "colin-xmpps-client-to-server";  # XMPP over TLS
  };
  sane.ports.ports."5269" = {
    protocol = [ "tcp" ];
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-xmpp-server-to-server";
  };
  sane.ports.ports."5270" = {
    protocol = [ "tcp" ];
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-xmpps-server-to-server";  # XMPP over TLS
  };
  sane.ports.ports."5280" = {
    protocol = [ "tcp" ];
    visibleTo.doof = true;
    visibleTo.lan = true;
    visibleTo.wan = true;
    description = "colin-xmpp-bosh";
  };
  sane.ports.ports."5281" = {
    protocol = [ "tcp" ];
    visibleTo.doof = true;
    visibleTo.lan = true;
    visibleTo.wan = true;
    description = "colin-xmpp-prosody-https";  # necessary?
  };
--- a/hosts/by-name/servo/services/slskd.nix
+++ b/hosts/by-name/servo/services/slskd.nix
@@ -10,7 +10,9 @@
 { config, lib, pkgs, ... }:
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.ephemeral = [
    # {data,downloads,incomplete,logs}: contains logs, search history, and downloads
    # so, move the downloaded data to persistent storage regularly, or configure the downloads/incomplete dirs to point to persisted storage (in nixpkgs slskd config)
    { user = "slskd"; group = "media"; path = "/var/lib/slskd"; method = "bind"; }
  ];
  sops.secrets."slskd_env" = {
@@ -32,7 +34,7 @@
    forceSSL = true;
    enableACME = true;
    locations."/" = {
-      proxyPass = "http://10.0.1.6:5030";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030";
      proxyWebsockets = true;
    };
  };
@@ -68,12 +70,20 @@
    # flags.volatile = true;  # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
  };
-  systemd.services.slskd.serviceConfig = {
+  systemd.services.slskd = {
    # run this behind the OVPN static VPN
-    NetworkNamespacePath = "/run/netns/ovpns";
+    serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+    serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
-    Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
+    serviceConfig.Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
-    RestartSec = "60s";
+    serviceConfig.RestartSec = "60s";
    # hardening (systemd-analyze security slskd)
    # upstream nixpkgs specifies moderate defaults; these are supplementary
    # serviceConfig.MemoryDenyWriteExecute = true;
    # serviceConfig.ProcSubset = "pid";
    # serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    # serviceConfig.SystemCallArchitectures = "native";
    # serviceConfig.SystemCallFilter = [ "@system-service" ];
  };
 }
--- a/hosts/by-name/servo/services/transmission/default.nix
+++ b/hosts/by-name/servo/services/transmission/default.nix
@@ -22,71 +22,23 @@ let
        --replace-fail 'set(TR_USER_AGENT_PREFIX "''${TR_SEMVER}")' 'set(TR_USER_AGENT_PREFIX "3.00")'
    '';
  });
-  download-dir = "/var/media/torrents";
+  download-dir = "/var/media/torrents";  #< keep in sync with consts embedded in `torrent-done`
-  torrent-done = pkgs.writeShellApplication {
+  torrent-done = pkgs.static-nix-shell.mkBash {
-    name = "torrent-done";
+    pname = "torrent-done";
-    runtimeInputs = with pkgs; [
+    srcRoot = ./.;
-      acl
+    pkgs = [
-      coreutils
+      "acl"
-      findutils
+      "coreutils"
-      rsync
+      "findutils"
-      util-linux
+      "rsync"
    ];
    text = ''
      destructive() {
        if [ -n "''${TR_DRY_RUN-}" ]; then
          echo "$*"
        else
          "$@"
        fi
      }
      if [[ "$TR_TORRENT_DIR" =~ ^.*freeleech.*$ ]]; then
        # freeleech torrents have no place in my permanent library
        echo "freeleech: nothing to do"
        exit 0
      fi
      if ! [[ "$TR_TORRENT_DIR" =~ ^${download-dir}/.*$ ]]; then
        echo "unexpected torrent dir, aborting: $TR_TORRENT_DIR"
        exit 0
      fi
      REL_DIR="''${TR_TORRENT_DIR#${download-dir}/}"
      MEDIA_DIR="/var/media/$REL_DIR"
      destructive mkdir -p "$(dirname "$MEDIA_DIR")"
      destructive rsync -arv "$TR_TORRENT_DIR/" "$MEDIA_DIR/"
      # make the media rwx by anyone in the group
      destructive find "$MEDIA_DIR" -type d -exec setfacl --recursive --modify d:g::rwx,o::rx {} \;
      destructive find "$MEDIA_DIR" -type d -exec chmod g+rw,a+rx {} \;
      # if there's a single directory inside the media dir, then inline that
      subdirs=("$MEDIA_DIR"/*)
      if [ ''${#subdirs} -eq 1 ]; then
        dirname="''${subdirs[0]}"
        if [ -d "$dirname" ]; then
          mv "$dirname"/* "$MEDIA_DIR/" && rmdir "$dirname"
        fi
      fi
      # remove noisy files:
      find "$MEDIA_DIR/" -type f \(\
           -iname 'www.YTS.*.jpg' \
        -o -iname 'WWW.YIFY*.COM.jpg' \
        -o -iname 'YIFY*.com.txt' \
        -o -iname 'YTS*.com.txt' \
        \) -exec rm {} \;
      # dedupe the whole media library.
      # yeah, a bit excessive: move this to a cron job if that's problematic.
      destructive hardlink /var/media --reflink=always --ignore-time --verbose
    '';
  };
 in
 lib.mkIf false  #< TODO: re-enable once confident of sandboxing
 {
-  sane.persist.sys.byStore.plaintext = [
+  sane.persist.sys.byStore.private = [
    # TODO: mode? we need this specifically for the stats tracking in .config/
    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; method = "bind"; }
    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/backup/torrents"; method = "bind"; }
  ];
  users.users.transmission.extraGroups = [ "media" ];
@@ -106,8 +58,8 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
    # DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
    # message-level = 3;  #< enable for debug logging. 0-3, default is 2.
-    # 10.0.1.6 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
+    # ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
-    rpc-bind-address = "10.0.1.6";
+    rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;
    #rpc-host-whitelist = "bt.uninsane.org";
    #rpc-whitelist = "*.*.*.*";
    rpc-authentication-required = true;
@@ -118,7 +70,7 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
    rpc-whitelist-enabled = false;
    # force behind ovpns in case the NetworkNamespace fails somehow
-    bind-address-ipv4 = "185.157.162.178";
+    bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4;
    port-forwarding-enabled = false;
    # hopefully, make the downloads world-readable
@@ -155,16 +107,31 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
    script-torrent-done-filename = "${torrent-done}/bin/torrent-done";
  };
-  systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
+  systemd.services.transmission = {
-  systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
+    after = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.transmission.serviceConfig = {
+    partOf = [ "wireguard-wg-ovpns.service" ];
    environment.TR_DEBUG = "1";
    # run this behind the OVPN static VPN
-    NetworkNamespacePath = "/run/netns/ovpns";
+    serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+    serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
-    Restart = "on-failure";
+    serviceConfig.Restart = "on-failure";
-    RestartSec = "30s";
+    serviceConfig.RestartSec = "30s";
-    BindPaths = [ "/var/media" ];  #< so it can move completed torrents into the media library
+    serviceConfig.BindPaths = [ "/var/media" ];  #< so it can move completed torrents into the media library
    serviceConfig.SystemCallFilter = lib.mkForce [
      # the torrent-done script does stuff which fails the nixos default syscall filter.
      # allow a bunch of stuff, speculatively, to hopefully fix that:
      "@aio"
      "@basic-io"
      "@chown"
      "@file-system"
      "@io-event"
      "@process"
      "@sandbox"
      "@sync"
      "@system-service"
      "quotactl"
    ];
  };
  # service to automatically backup torrents i add to transmission
@@ -190,7 +157,7 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
    # inherit kTLS;
    locations."/" = {
      # proxyPass = "http://ovpns.uninsane.org:9091";
-      proxyPass = "http://10.0.1.6:9091";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091";
    };
  };
--- a/hosts/by-name/servo/services/transmission/torrent-done
+++ b/hosts/by-name/servo/services/transmission/torrent-done
@@ -0,0 +1,69 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p acl -p bash -p coreutils -p findutils -p rsync
 # transmission invokes this with no args, and the following env vars:
 # - TR_TORRENT_DIR: full path to the folder i told transmission to download it to.
 #     e.g. /var/media/torrents/Videos/Film/Jason.Bourne-2016
 # optionally:
 # - TR_DRY_RUN=1
 # - TR_DEBUG=1
 DOWNLOAD_DIR=/var/media/torrents
 destructive() {
  if [ -n "${TR_DRY_RUN-}" ]; then
    echo "[dry-run] $*"
  else
    debug "$@"
    "$@"
  fi
 }
 debug() {
  if [ -n "${TR_DEBUG-}" ]; then
    echo "$@"
  fi
 }
 echo "TR_TORRENT_DIR=$TR_TORRENT_DIR torrent-done $*"
 if [[ "$TR_TORRENT_DIR" =~ ^.*freeleech.*$ ]]; then
  # freeleech torrents have no place in my permanent library
  echo "freeleech: nothing to do"
  exit 0
 fi
 if ! [[ "$TR_TORRENT_DIR" =~ ^$DOWNLOAD_DIR/.*$ ]]; then
  echo "unexpected torrent dir, aborting: $TR_TORRENT_DIR"
  exit 0
 fi
 REL_DIR="${TR_TORRENT_DIR#$DOWNLOAD_DIR/}"
 MEDIA_DIR="/var/media/$REL_DIR"
 destructive mkdir -p "$(dirname "$MEDIA_DIR")"
 destructive rsync -arv "$TR_TORRENT_DIR/" "$MEDIA_DIR/"
 # make the media rwx by anyone in the group
 destructive find "$MEDIA_DIR" -type d -exec setfacl --recursive --modify d:g::rwx,o::rx {} \;
 destructive find "$MEDIA_DIR" -type d -exec chmod g+rw,a+rx {} \;
 # if there's a single directory inside the media dir, then inline that
 subdirs=("$MEDIA_DIR"/*)
 debug "top-level items in torrent dir:" "${subdirs[@]}"
 if [ ${#subdirs[@]} -eq 1 ]; then
  dirname="${subdirs[0]}"
  debug "exactly one top-level item, checking if directory: $dirname"
  if [ -d "$dirname" ]; then
    destructive mv "$dirname"/* "$MEDIA_DIR/" && destructive rmdir "$dirname"
  fi
 fi
 # remove noisy files:
 # -iname means "insensitive", but the syntax is NOT regex -- more similar to shell matching
 destructive find "$MEDIA_DIR/" -type f \(\
     -iname '*downloaded?from*' \
  -o -iname 'source.txt' \
  -o -iname '*upcoming?releases*' \
  -o -iname 'www.YTS*.jpg' \
  -o -iname 'WWW.YIFY*.COM.jpg' \
  -o -iname 'YIFY*.com.txt' \
  -o -iname 'YTS*.com.txt' \
  \) -exec rm {} \;
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@@ -4,14 +4,12 @@
 let
  dyn-dns = config.sane.services.dyn-dns;
  nativeAddrs = lib.mapAttrs (_name: builtins.head) config.sane.dns.zones."uninsane.org".inet.A;
  bindOvpn = "10.0.1.5";
  bindDoof = "10.0.2.5";
 in
 {
  sane.ports.ports."53" = {
    protocol = [ "udp" "tcp" ];
    visibleTo.lan = true;
-    visibleTo.wan = true;
+    # visibleTo.wan = true;
    visibleTo.ovpns = true;
    visibleTo.doof = true;
    description = "colin-dns-hosting";
@@ -41,6 +39,7 @@ in
    CNAME."native" = "%CNAMENATIVE%";
    A."@" =      "%ANATIVE%";
    A."servo.wan" = "%AWAN%";
    A."servo.doof" = "%ADOOF%";
    A."servo.lan" = config.sane.hosts.by-name."servo".lan-ip;
    A."servo.hn" = config.sane.hosts.by-name."servo".wg-home.ip;
@@ -48,93 +47,71 @@ in
    # it's best that we keep this identical, or a superset of, what org. lists as our NS.
    # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
    A."ns1" =    "%ANATIVE%";
-    A."ns2" =    "185.157.162.178";
+    A."ns2" =    "%ADOOF%";
-    A."ns3" =    "185.157.162.178";
+    A."ovpns" =  "%AOVPNS%";
    A."ovpns" =  "185.157.162.178";
    NS."@" = [
      "ns1.uninsane.org."
      "ns2.uninsane.org."
      "ns3.uninsane.org."
    ];
  };
  services.trust-dns.settings.zones = [ "uninsane.org" ];
-  networking.nat.enable = true;
+  networking.nat.enable = true;  #< TODO: try removing this?
-  networking.nat.extraCommands = ''
+  # networking.nat.extraCommands = ''
-    # redirect incoming DNS requests from LAN addresses
+  #   # redirect incoming DNS requests from LAN addresses
-    #   to the LAN-specialized DNS service
+  #   #   to the LAN-specialized DNS service
-    # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
+  #   # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
-    #   because they get cleanly reset across activations or `systemctl restart firewall`
+  #   #   because they get cleanly reset across activations or `systemctl restart firewall`
-    #   instead of accumulating cruft
+  #   #   instead of accumulating cruft
-    iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
+  #   iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
-      -m iprange --src-range 10.78.76.0-10.78.79.255 \
+  #     -m iprange --src-range 10.78.76.0-10.78.79.255 \
-      -j DNAT --to-destination :1053
+  #     -j DNAT --to-destination :1053
-    iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
+  #   iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
-      -m iprange --src-range 10.78.76.0-10.78.79.255 \
+  #     -m iprange --src-range 10.78.76.0-10.78.79.255 \
-      -j DNAT --to-destination :1053
+  #     -j DNAT --to-destination :1053
-  '';
+  # '';
-  sane.ports.ports."1053" = {
+  # sane.ports.ports."1053" = {
-    # because the NAT above redirects in nixos-nat-pre, LAN requests behave as though they arrived on the external interface at the redirected port.
+  #   # because the NAT above redirects in nixos-nat-pre, LAN requests behave as though they arrived on the external interface at the redirected port.
-    # TODO: try nixos-nat-post instead?
+  #   # TODO: try nixos-nat-post instead?
-    # TODO: or, don't NAT from port 53 -> port 1053, but rather nat from LAN addr to a loopback addr.
+  #   # TODO: or, don't NAT from port 53 -> port 1053, but rather nat from LAN addr to a loopback addr.
-    # - this is complicated in that loopback is a different interface than eth0, so rewriting the destination address would cause the packets to just be dropped by the interface
+  #   # - this is complicated in that loopback is a different interface than eth0, so rewriting the destination address would cause the packets to just be dropped by the interface
-    protocol = [ "udp" "tcp" ];
+  #   protocol = [ "udp" "tcp" ];
-    visibleTo.lan = true;
+  #   visibleTo.lan = true;
-    description = "colin-redirected-dns-for-lan-namespace";
+  #   description = "colin-redirected-dns-for-lan-namespace";
-  };
+  # };
  sane.services.trust-dns.enable = true;
  sane.services.trust-dns.instances = let
    mkSubstitutions = flavor: {
      "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
      "%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
      "%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
      "%CNAMENATIVE%" = "servo.${flavor}";
      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
      "%AOVPNS%" = "185.157.162.178";
    };
  in
  {
-    wan = {
+    doof = {
-      substitutions = mkSubstitutions "wan";
+      substitutions = mkSubstitutions "doof";
      listenAddrsIpv4 = [
        config.sane.netns.doof.hostVethIpv4
        config.sane.netns.doof.netnsPubIpv4
        nativeAddrs."servo.lan"
-        bindOvpn
+        # config.sane.netns.ovpns.hostVethIpv4
        bindDoof
      ];
    };
    lan = {
      substitutions = mkSubstitutions "lan";
      listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
      port = 1053;
    };
    hn = {
      substitutions = mkSubstitutions "hn";
      listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
-      port = 1053;
+      enableRecursiveResolver = true;  #< allow wireguard clients to use this as their DNS resolver
    };
    # hn-resolver = {
    #   # don't need %AWAN% here because we forward to the hn instance.
    #   listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
      # extraConfig = {
      #   zones = [
      #     {
    #         zone = "uninsane.org";
    #         zone_type = "Forward";
    #         stores = {
    #           type = "forward";
    #           name_servers = [
    #             {
    #               socket_addr = "${nativeAddrs."servo.hn"}:1053";
    #               protocol = "udp";
    #               trust_nx_responses = true;
    #             }
    #           ];
    #         };
    #       }
    #       {
      #       # forward the root zone to the local DNS resolver
      #       # to allow wireguard clients to use this as their DNS resolver
      #       zone = ".";
      #       zone_type = "Forward";
      #       stores = {
@@ -150,13 +127,19 @@ in
      #     }
      #   ];
      # };
    };
    # lan = {
    #   substitutions = mkSubstitutions "lan";
    #   listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
    #   # port = 1053;
    # };
    # wan = {
    #   substitutions = mkSubstitutions "wan";
    #   listenAddrsIpv4 = [
    #     nativeAddrs."servo.lan"
    #   ];
    # };
  };
-  sane.services.dyn-dns.restartOnChange = [
+  sane.services.dyn-dns.restartOnChange = lib.map (c: "${c.service}.service") (builtins.attrValues config.sane.services.trust-dns.instances);
    "trust-dns-wan.service"
    "trust-dns-lan.service"
    "trust-dns-hn.service"
    # "trust-dns-hn-resolver.service"  # doesn't need restart because it doesn't know about WAN IP
  ];
 }
--- a/hosts/common/boot.nix
+++ b/hosts/common/boot.nix
@@ -46,5 +46,6 @@
  # manifests as spurious "No space left on device" when trying to install watches,
  # e.g. in dyn-dns by `systemctl start dyn-dns-watcher.path`.
  # see: <https://askubuntu.com/questions/828779/failed-to-add-run-systemd-ask-password-to-directory-watch-no-space-left-on-dev>
-  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
+  boot.kernel.sysctl."fs.inotify.max_user_watches" = 4194304;
  boot.kernel.sysctl."fs.inotify.max_user_instances" = 4194304;
 }
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -10,7 +10,6 @@
    ./machine-id.nix
    ./net
    ./nix.nix
    ./persist.nix
    ./polyunfill.nix
    ./programs
    ./quirks.nix
--- a/hosts/common/feeds.nix
+++ b/hosts/common/feeds.nix
@@ -1,14 +1,11 @@
 # where to find good stuff?
 # - universal search/directory: <https://podcastindex.org>
 # - list of lists: <https://en.wikipedia.org/wiki/Category:Lists_of_podcasts>
 # - podcasts w/ a community: <https://lemmyverse.net/communities?query=podcast>
-# - podcast rec thread: <https://lemmy.ml/post/1565858>
+# - podcast recs:
 #   - active lemmy: <https://slrpnk.net/c/podcasts>
 #   - old thread: <https://lemmy.ml/post/1565858>
 #
 # candidates:
 # - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
 #   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
 # - <https://www.metaculus.com/questions/11102/introducing-the-metaculus-journal-podcast/>
 #   - dead since 2022/10 - 2023/03
 { lib, sane-data, ... }:
 let
  hourly = { freq = "hourly"; };
@@ -75,15 +72,17 @@ let
    (fromDb "feeds.feedburner.com/radiolab" // pol)  # Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
    (fromDb "feeds.megaphone.fm/behindthebastards" // pol)  # also Maggie Killjoy
    (fromDb "feeds.megaphone.fm/recodedecode" // tech)  # The Verge - Decoder
    (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
    (fromDb "feeds.simplecast.com/82FI35Px" // pol)  # Ezra Klein Show
    (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)  # Econ Talk
    (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
    (fromDb "feeds.transistor.fm/acquired" // tech)
    (fromDb "feeds.transistor.fm/complex-systems-with-patrick-mckenzie-patio11" // tech)  # Patrick Mackenzie (from Bits About Money)
    (fromDb "feeds.twit.tv/floss.xml" // tech)
    (fromDb "fulltimenix.com" // tech)
    (fromDb "futureofcoding.org/episodes" // tech)
    (fromDb "hackerpublicradio.org" // tech)
    (fromDb "lexfridman.com/podcast" // rat)
    (fromDb "linktr.ee/betteroffline" // pol)
    (fromDb "mapspodcast.libsyn.com" // uncat)  # Multidisciplinary Association for Psychedelic Studies
    (fromDb "microarch.club" // tech)
    (fromDb "mintcast.org" // tech)
@@ -92,7 +91,6 @@ let
    (fromDb "omny.fm/shows/money-stuff-the-podcast")  # Matt Levine
    (fromDb "omny.fm/shows/the-dollop-with-dave-anthony-and-gareth-reynolds")  # The Dollop history/comedy
    (fromDb "originstories.libsyn.com" // uncat)
    (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
    (fromDb "politicalorphanage.libsyn.com" // pol)
    (fromDb "reverseengineering.libsyn.com/rss" // tech)  # UnNamed Reverse Engineering Podcast
    (fromDb "rss.acast.com/deconstructed")  # The Intercept - Deconstructed
@@ -103,6 +101,7 @@ let
    (fromDb "seattlenice.buzzsprout.com" // pol)
    (fromDb "srslywrong.com" // pol)
    (fromDb "sharkbytes.transistor.fm" // tech)  # Wireshark Podcast o_0
    (fromDb "sharptech.fm/feed/podcast" // tech)
    (fromDb "sscpodcast.libsyn.com" // rat)  # Astral Codex Ten
    (fromDb "talesfromthebridge.buzzsprout.com" // tech)  # Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
    (fromDb "theamphour.com" // tech)
@@ -114,7 +113,9 @@ let
    # (fromDb "feeds.libsyn.com/421877" // rat)  # Less Wrong Curated
    # (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)  # Daniel Huberman on sleep
    # (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
    # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
    # (fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
    # (fromDb "podcast.thelinuxexp.com" // tech)  # low-brow linux/foss PR announcements
    # (fromDb "rss.art19.com/your-welcome" // pol)  # Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
    # (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)  #< possible URL rot
@@ -135,6 +136,7 @@ let
    (fromDb "artemis.sh" // tech)
    (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
    (fromDb "austinvernon.site" // tech)
    (fromDb "buttondown.email" // tech)
    (fromDb "ben-evans.com/benedictevans" // pol)
    (fromDb "bitbashing.io" // tech)
    (fromDb "bitsaboutmoney.com" // uncat)
@@ -196,6 +198,7 @@ let
    (fromDb "willow.phantoma.online")  # wizard@xyzzy.link
    (fromDb "xn--gckvb8fzb.com" // tech)
    (fromDb "xorvoid.com" // tech)
    (fromDb "www.thebignewsletter.com" // pol)
    (mkSubstack "astralcodexten" // rat // daily)  # Scott Alexander
    (mkSubstack "eliqian" // rat // weekly)
    (mkSubstack "oversharing" // pol // daily)
@@ -238,9 +241,9 @@ let
    (fromDb "youtube.com/@TheB1M")
    (fromDb "youtube.com/@TomScottGo")
    (fromDb "youtube.com/@Vihart")
    (fromDb "youtube.com/@Vox")
    # (fromDb "youtube.com/@Vsauce")  # they're all like 1-minute long videos now? what happened @Vsauce?
    # (fromDb "youtube.com/@Vox")
    # (fromDb "youtube.com/@Vsauce")  # they're all like 1-minute long videos now? what happened @Vsauce?
    # (fromDb "youtube.com/@rossmanngroup" // pol // tech)  # Louis Rossmann
  ];
--- a/hosts/common/fs.nix
+++ b/hosts/common/fs.nix
@@ -26,10 +26,6 @@ let
    # lazyMount: defer mounting until first access from userspace.
    # see: `man systemd.automount`, `man automount`, `man autofs`
    lazyMount = noauto ++ automount;
    wg = [
      "x-systemd.requires=wireguard-wg-home.service"
      "x-systemd.after=wireguard-wg-home.service"
    ];
    fuse = [
      "allow_other"  # allow users other than the one who mounts it to access it. needed, if systemd is the one mounting this fs (as root)
@@ -125,52 +121,61 @@ let
      dir.acl.mode = "0700";
    };
  };
-  remoteServo = subdir: {
+  remoteServo = subdir: let
    localPath = "/mnt/servo/${subdir}";
    systemdName = utils.escapeSystemdPath localPath;
  in {
    sane.programs.curlftpfs.enableFor.system = true;
-    sane.fs."/mnt/servo/${subdir}" = sane-lib.fs.wanted {
+    sane.fs."${localPath}" = sane-lib.fs.wanted {
      dir.acl.user = "colin";
      dir.acl.group = "users";
      dir.acl.mode = "0750";
    };
-    fileSystems."/mnt/servo/${subdir}" = {
+    fileSystems."${localPath}" = {
      device = "ftp://servo-hn:/${subdir}";
      noCheck = true;
      fsType = "fuse.curlftpfs";
-      options = fsOpts.ftp ++ fsOpts.noauto ++ fsOpts.wg;
+      options = fsOpts.ftp ++ fsOpts.noauto;
      # fsType = "nfs";
-      # options = fsOpts.nfs ++ fsOpts.lazyMount ++ fsOpts.wg;
+      # options = fsOpts.nfs ++ fsOpts.lazyMount;
    };
-    systemd.services."automount-servo-${utils.escapeSystemdPath subdir}" = let
+
-      fs = config.fileSystems."/mnt/servo/${subdir}";
+    systemd.mounts = let
-    in {
+      fsEntry = config.fileSystems."${localPath}";
-      # this is a *flaky* network mount, especially on moby.
+    in [{
-      # if done as a normal autofs mount, access will eternally block when network is dropped.
+      #VVV repeat what systemd would ordinarily scrape from /etc/fstab
-      # notably, this would block *any* sandboxed app which allows media access, whether they actually try to use that media or not.
+      where = localPath;
-      # a practical solution is this: mount as a service -- instead of autofs -- and unmount on timeout error, in a restart loop.
+      what = fsEntry.device;
-      # until the ftp handshake succeeds, nothing is actually mounted to the vfs, so this doesn't slow down any I/O when network is down.
+      type = fsEntry.fsType;
-      description = "automount /mnt/servo/${subdir} in a fault-tolerant and non-blocking manner";
+      options = lib.concatStringsSep "," fsEntry.options;
      after = [ "network-online.target" ];
      requires = [ "network-online.target" ];
-      wantedBy = [ "default.target" ];
+      wantedBy = [ "default.target" ];  #< TODO: move this into nixos fileSystems
-
+      #VVV patch so that when the mount fails, we start a timer to remount it.
-      serviceConfig.Type = "simple";
+      #    and for a disconnection after a good mount (onSuccess), restart the timer to be more aggressive
-      serviceConfig.ExecStart = lib.escapeShellArgs [
+      onFailure = [ "${systemdName}.timer" ];
-        "/usr/bin/env"
+      onSuccess = [ "${systemdName}-restart-timer.target" ];
-        "PATH=/run/current-system/sw/bin"
+    }];
-        "mount.${fs.fsType}"
+    systemd.targets."${systemdName}-restart-timer" = {
-        "-f"  # foreground (i.e. don't daemonize)
+      # hack unit which, when started, stops the timer (if running), and then starts it again.
-        "-s"  # single-threaded (TODO: it's probably ok to disable this?)
+      after = [ "${systemdName}.timer" ];
-        "-o"
+      conflicts = [ "${systemdName}.timer" ];
-        (lib.concatStringsSep "," (lib.filter (o: !lib.hasPrefix "x-systemd." o) fs.options))
+      upholds = [ "${systemdName}.timer" ];
-        fs.device
+      unitConfig.StopWhenUnneeded = true;
-        "/mnt/servo/${subdir}"
+    };
    systemd.timers."${systemdName}" = {
      timerConfig.Unit = "${systemdName}.mount";
      timerConfig.AccuracySec = "2s";
      timerConfig.OnActiveSec = [
        # try to remount at these timestamps, backing off gradually
        # there seems to be an implicit mount attempt at t=0.
        "10s"
        "30s"
        "60s"
        "120s"
      ];
-      # not sure if this configures a linear, or exponential backoff.
+      # cap the backoff to a fixed interval.
-      # but the first restart will be after `RestartSec`, and the n'th restart (n = RestartSteps) will be RestartMaxDelaySec after the n-1'th exit.
+      timerConfig.OnUnitActiveSec = [ "120s" ];
      serviceConfig.Restart = "always";
      serviceConfig.RestartSec = "10s";
      serviceConfig.RestartMaxDelaySec = "120s";
      serviceConfig.RestartSteps = "5";
    };
  };
 in
--- a/hosts/common/home/fs.nix
+++ b/hosts/common/home/fs.nix
@@ -1,21 +1,13 @@
 { config, lib, ... }:
 {
  sane.user.persist.byStore.plaintext = [
-    "archive"
+    # TODO: some of ~/dev should be private too, but maybe not all 800+ GB of it
    # perhaps i ought to rethink how it's organized
    "dev"
    # TODO: records should be private
    "records"
    "ref"
    "tmp"
    "use"
    "Books/local"
    "Music"
    "Pictures/albums"
    "Pictures/cat"
    "Pictures/from"
    "Pictures/Screenshots"  #< XXX: something is case-sensitive about this?
    "Pictures/Photos"
    "Videos/local"
    # these are persisted simply to save on RAM.
    # ~/.cache/nix can become several GB.
@@ -25,7 +17,17 @@
    ".cache/nix"
  ];
  sane.user.persist.byStore.private = [
    "archive"
    "Pictures/albums"
    "Pictures/cat"
    "Pictures/from"
    "Pictures/Screenshots"  #< XXX: something is case-sensitive about this?
    "Pictures/Photos"
    "records"
    "tmp"
    "knowledge"
    "Videos/local"
  ];
  # convenience
@@ -34,7 +36,7 @@
  in {
    ".persist/private" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.private.origin; };
    ".persist/plaintext" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.plaintext.origin; };
-    ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.cryptClearOnBoot.origin; };
+    ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.ephemeral.origin; };
    "nixos".symlink.target = "dev/nixos";
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -62,6 +62,7 @@
  sane.ids.clightning.gid = 2419;
  sane.ids.nix-serve.uid = 2420;
  sane.ids.nix-serve.gid = 2420;
  sane.ids.plugdev.gid = 2421;
  sane.ids.colin.uid = 1000;
  sane.ids.guest.uid = 1100;
--- a/hosts/common/net/default.nix
+++ b/hosts/common/net/default.nix
@@ -12,6 +12,7 @@
  systemd.network.enable = true;
  networking.useNetworkd = true;
  networking.usePredictableInterfaceNames = false;  #< set false to get `eth0`, `wlan0`, etc instead of `enp3s0`/etc
  # view refused/dropped packets with: `sudo journalctl -k`
  # networking.firewall.logRefusedPackets = true;
--- a/hosts/common/net/dns.nix
+++ b/hosts/common/net/dns.nix
@@ -20,7 +20,7 @@
 # - each namespace may use a different /etc/resolv.conf to specify different DNS servers
 # - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
 #   - this is fixed by either removing `/var/run/nscd/socket` from the namespace, or disabling nscd altogether.
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 lib.mkMerge [
 {
  sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
@@ -59,15 +59,35 @@ lib.mkMerge [
  # in the netns and we query upstream DNS more often than needed. hm.
  # services.nscd.enableNsncd = true;
-  # disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf.
+  # disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf (er, did i mean /etc/nsswitch.conf?).
  # - dns: glibc-bultin
  # - files: glibc-builtin
  # - myhostname: systemd
  # - mymachines: systemd
  # - resolve: systemd
  # in practice, i see no difference with nscd disabled.
  # - the exception is when the system dns resolver doesn't do everything.
  #   for example, systemd-resolved does mDNS. hickory-dns does not. a hickory-dns system won't be mDNS-capable.
  # disabling nscd VASTLY simplifies netns and process isolation. see explainer at top of file.
  services.nscd.enable = false;
-  system.nssModules = lib.mkForce [];
+  # system.nssModules = lib.mkForce [];
  sane.silencedAssertions = [''.*Loading NSS modules from system.nssModules.*requires services.nscd.enable being set to true.*''];
  # add NSS modules into their own subdirectory.
  # then i can add just the NSS modules library path to the global LD_LIBRARY_PATH, rather than ALL of /run/current-system/sw/lib.
  # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have trust-dns delegate .local to avahi
  #   (except avahi doesn't act as a local resolver over DNS protocol -- only dbus).
  environment.systemPackages = [(pkgs.symlinkJoin {
    name = "nss-modules";
    paths = config.system.nssModules.list;
    postBuild = ''
      mkdir nss
      mv $out/lib/libnss_* nss
      rm -rf $out
      mkdir -p $out/lib
      mv nss $out/lib
    '';
  })];
  environment.variables.LD_LIBRARY_PATH = [ "/run/current-system/sw/lib/nss" ];
  systemd.globalEnvironment.LD_LIBRARY_PATH = "/run/current-system/sw/lib/nss";  #< specifically for `geoclue.service`
 }
 ]
--- a/hosts/common/net/modemmanager.nix
+++ b/hosts/common/net/modemmanager.nix
@@ -14,7 +14,6 @@
    # after = [ "polkit.service" ];
    # requires = [ "polkit.service" ];
    wantedBy = [ "network.target" ];  #< default is `multi-user.target`, somehow it doesn't auto-start with that...
    # path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`
    # serviceConfig.Type = "dbus";
    # serviceConfig.BusName = "org.freedesktop.ModemManager1";
--- a/hosts/common/net/networkmanager.nix
+++ b/hosts/common/net/networkmanager.nix
@@ -2,21 +2,28 @@
 let
  # networkmanager = pkgs.networkmanager;
  networkmanager = pkgs.networkmanager.overrideAttrs (upstream: {
-    src = pkgs.fetchFromGitea {
+    # src = pkgs.fetchFromGitea {
-      domain = "git.uninsane.org";
+    #   domain = "git.uninsane.org";
-      owner = "colin";
+    #   owner = "colin";
-      repo = "NetworkManager";
+    #   repo = "NetworkManager";
-      # patched to fix polkit permissions (with `nmcli`) when NetworkManager runs as user networkmanager
+    #   # patched to fix polkit permissions (with `nmcli`) when NetworkManager runs as user networkmanager
-      rev = "dev-sane-1.48.0";
+    #   rev = "dev-sane-1.48.0";
-      hash = "sha256-vGmOKtwVItxjYioZJlb1og3K6u9s4rcmDnjAPLBC3ao=";
+    #   hash = "sha256-vGmOKtwVItxjYioZJlb1og3K6u9s4rcmDnjAPLBC3ao=";
-    };
+    # };
-    # patches = [];
+    patches = (upstream.patches or []) ++ [
      (pkgs.fetchpatch {
        name = "polkit: add owner annotations to all actions";
        url = "https://git.uninsane.org/colin/NetworkManager/commit/a01293861fa24201ffaeb84c07f1c71136c49759.patch";
        hash = "sha256-th1/M2slo7rjkVBwETZII53Lmhyw8OMS0aT9QYI5Uvk=";
      })
    ];
  });
  # split the package into `daemon` and `nmcli` outputs, because the networkmanager *service*
  # doesn't need `nmcli`/`nmtui` tooling
  networkmanager-split = pkgs.networkmanager-split.override { inherit networkmanager; };
 in {
  networking.networkmanager.enable = true;
  systemd.network.wait-online.enable = false;  # systemd-networkd-wait-online.service reliably fails on lappy. docs don't match behavior. shit software.
  # plugins mostly add support for establishing different VPN connections.
  # the default plugin set includes mostly proprietary VPNs:
  # - fortisslvpn (Fortinet)
@@ -199,6 +206,12 @@ in {
    logging.level = "INFO";
    # main.dhcp = "internal";  #< default
    # main.dns controls what to do when NM gets a DNS server via DHCP
    # - "none"  (populate /run/NetworkManager/resolv.conf with DHCP settings)
    # - "internal" (?)
    # - "systemd-resolved" (tell systemd-resolved about it, and point /run/NetworkManager/resolv.conf -> systemd)
    #   without this, systemd-resolved won't be able to resolve anything (because it has no upstream servers)
    # note that NM's resolv.conf isn't (necessarily) /etc/resolv.conf -- that is managed by nixos (via symlinking)
    main.dns = if config.services.resolved.enable then
      "systemd-resolved"
    else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
--- a/hosts/common/persist.nix
+++ b/hosts/common/persist.nix
@@ -1,17 +0,0 @@
 { ... }:
 {
  # store /home/colin/a/b in /mnt/persist/private/a/b instead of /mnt/persist/private/home/colin/a/b
  sane.persist.stores.private.prefix = "/home/colin";
  sane.persist.sys.byStore.initrd = [
    "/var/log"
  ];
  sane.persist.sys.byStore.plaintext = [
    # TODO: these should be private.. somehow
    "/var/backup"  # for e.g. postgres dumps
  ];
  sane.persist.sys.byStore.cryptClearOnBoot = [
    "/var/lib/systemd/coredump"
  ];
 }
--- a/hosts/common/polyunfill.nix
+++ b/hosts/common/polyunfill.nix
@@ -1,6 +1,6 @@
 # strictly *decrease* the scope of the default nixos installation/config
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
  suidlessPam = pkgs.pam.overrideAttrs (upstream: {
    # nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
@@ -111,7 +111,11 @@ in
        # pkgs.which
        # pkgs.zstd
      ];
-    in lib.filter (p: ! builtins.elem p requiredPackages);
+      conveniencePackages = [
        config.boot.kernelPackages.cpupower  # <repo:nixos/nixpkgs:nixos/modules/tasks/cpu-freq.nix> places it on PATH for convenience if powerManagement.cpuFreqGovernor is set
        pkgs.kbd  # <repo:nixos/nixpkgs:nixos/modules/config/console.nix>  places it on PATH as part of console/virtual TTYs, but probably not needed unless you want to set console fonts
      ];
    in lib.filter (p: ! builtins.elem p (requiredPackages ++ conveniencePackages));
  };
  options.system.fsPackages = lib.mkOption {
@@ -212,5 +216,14 @@ in
    # see: <repo:nixos/nixpkgs:nixos/modules/virtualisation/nixos-containers.nix>
    boot.enableContainers = lib.mkDefault false;
    # see: <repo:nixos/nixpkgs:nixos/modules/tasks/lvm.nix>
    # lvm places `pkgs.lvm2` onto PATH, which has like 100 binaries.
    # it is, actually, needed for some userspace tools (cryptsetup). probably just the udev rules. try to reduce this set?
    services.lvm.enable = lib.mkDefault false;
    services.udev.packages = [ pkgs.lvm2.out ];  #< N.B. `lvm2.out` != `lvm2`
    # systemd.packages = [ pkgs.lvm2 ];
    # systemd.tmpfiles.packages = [ pkgs.lvm2.out ];
    # environment.systemPackages = [ pkgs.lvm2 ];
  };
 }
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -39,6 +39,7 @@ in
      "btrfs-progs"
      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
      "cryptsetup"
      "curl"
      "ddrescue"
      "dig"
      "dtc"  # device tree [de]compiler
@@ -57,6 +58,7 @@ in
      "git"
      "gptfdisk"  # gdisk
      "hdparm"
      "hping"
      "htop"
      "iftop"
      "inetutils"  # for telnet
@@ -78,6 +80,7 @@ in
      "neovim"
      "netcat"
      "nethogs"
      "nix"
      "nmap"
      "nmcli"
      "nvme-cli"  # nvme
@@ -124,6 +127,7 @@ in
      # "dmidecode"
      "dtrx"  # `unar` alternative, "Do The Right eXtraction"
      # "efivar"
      "exiftool"
      "eza"  # a better 'ls'
      # "flashrom"
      "git"  # needed as a user package, for config.
@@ -151,11 +155,16 @@ in
      # "ponymix"
      "pulsemixer"
      "python3-repl"
-      # "python3Packages.eyeD3"  # music tagging
+      # "python3.pkgs.eyeD3"  # music tagging
      "ripgrep"  # needed as a user package so that its user-level config file can be installed
      "rsync"
      "rsyslog"  # KEEP THIS HERE if you want persistent logging
      "sane-deadlines"
      "sane-scripts.bittorrent"
      "sane-scripts.cli"
      "sane-secrets-unlock"
      "sane-sysload"
      "sc-im"
      # "snapper"
      "sops"  # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
      "speedtest-cli"
@@ -175,8 +184,12 @@ in
      # "gh"  # MS GitHub cli
      "nix-index"
      "nixpkgs-review"
      "qmk-udev-rules"
      "sane-scripts.dev"
      "sequoia"
      # "via"
      "wally-cli"
      # "zsa-udev-rules"
    ];
    consoleMediaUtils = declPackageSet [
@@ -276,28 +289,28 @@ in
      # "gnome.cheese"
      # "gnome-feeds"  # RSS reader (with claimed mobile support)
      # "gnome.file-roller"
-      "gnome.geary"  # adaptive e-mail client; uses webkitgtk 4.1
+      "geary"  # adaptive e-mail client; uses webkitgtk 4.1
-      "gnome.gnome-calculator"
+      "gnome-calculator"
-      "gnome.gnome-calendar"
+      "gnome-calendar"
      "gnome.gnome-clocks"
      "gnome.gnome-maps"
      # "gnome-podcasts"
      # "gnome.gnome-system-monitor"
      # "gnome.gnome-terminal"  # works on phosh
      "gnome.gnome-weather"
-      # "gnome.seahorse"  # keyring/secret manager
+      # "seahorse"  # keyring/secret manager
      "gnome-frog"  # OCR/QR decoder
      "gpodder"
-      "gst-device-monitor"  # for debugging audio/video
+      # "gst-device-monitor"  # for debugging audio/video
      # "gthumb"
      # "lemoa"  # lemmy app
-      "libcamera"  # for `cam` binary (useful for debugging cameras)
+      # "libcamera"  # for `cam` binary (useful for debugging cameras)
      "libnotify"  # for notify-send; debugging
      # "lollypop"
      "loupe"  # image viewer
      "mate.engrampa"  # archive manager
      "mepo"  # maps viewer
-      "mesa-demos"  # for eglinfo, glxinfo & other testing tools
+      # "mesa-demos"  # for eglinfo, glxinfo & other testing tools
      "mpv"
      "networkmanagerapplet"  # for nm-connection-editor: it's better than not having any gui!
      "ntfy-sh"  # notification service
@@ -307,7 +320,7 @@ in
      # "picard"  # music tagging
      # "libsForQt5.plasmatube"  # Youtube player
      "signal-desktop"
-      "snapshot"  # camera app
+      # "snapshot"  # camera app
      "spot"  # Gnome Spotify client
      # "sublime-music"
      # "tdesktop"  # broken on phosh
@@ -316,17 +329,19 @@ in
      "vulkan-tools"  # vulkaninfo
      # "whalebird"  # pleroma client (Electron). input is broken on phosh.
      "xdg-terminal-exec"
      "youtube-tui"
      "zathura"  # PDF/CBZ/ePUB viewer
    ];
    handheldGuiApps = declPackageSet [
      # "celluloid"  # mpv frontend
      # "chatty"  # matrix/xmpp/irc client  (2023/12/29: disabled because broken cross build)
-      "cozy"  # audiobook player
+      # "cozy"  # audiobook player
      "epiphany"  # gnome's web browser
      # "iotas"  # note taking app
      "komikku"
      "koreader"
      "lgtrombetta-compass"
      "megapixels"  # camera app
      "notejot"  # note taking, e.g. shopping list
      "planify"  # todo-tracker/planner
@@ -348,7 +363,7 @@ in
      # "chromium"  # chromium takes hours to build. brave is chromium-based, distributed in binary form, so prefer it.
      # "cups"
      "discord"  # x86-only
-      "electrum"
+      # "electrum"
      "element-desktop"
      "firefox"
      "font-manager"
@@ -356,13 +371,14 @@ in
      "gimp"  # broken on phosh
      # "gnome.dconf-editor"
      # "gnome.file-roller"
-      "gnome.gnome-disk-utility"
+      "gnome-disk-utility"
-      "gnome.nautilus"  # file browser
+      "nautilus"  # file browser
      # "gnome.totem"  # video player, supposedly supports UPnP
      # "handbrake"  #< TODO: fix build
      "inkscape"
      # "jellyfin-media-player"
      "kdenlive"
      # "keymapp"
      # "kid3"  # audio tagging
      "krita"
      "libreoffice"  # TODO: replace with an office suite that uses saner packaging?
@@ -371,7 +387,7 @@ in
      # "monero-gui"  # x86-only
      # "mumble"
      # "nheko"  # Matrix chat client
-      # "nicotine-plus"  # soulseek client. before re-enabling this make sure it's properly sandboxed!
+      "nicotine-plus"  # soulseek client
      # "obsidian"
      # "openscad"  # 3d modeling
      # "rhythmbox"  # local music player
@@ -422,6 +438,11 @@ in
    clang = {};
    clightning-sane.sandbox.method = "bwrap";
    clightning-sane.sandbox.extraPaths = [
      "/var/lib/clightning/bitcoin/lightning-rpc"
    ];
    # cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
    cryptsetup.sandbox.method = "landlock";
    cryptsetup.sandbox.extraPaths = [
@@ -491,7 +512,7 @@ in
    electrum.sandbox.method = "bwrap";  # TODO:sandbox: untested
    electrum.sandbox.net = "all";  # TODO: probably want to make this run behind a VPN, always
    electrum.sandbox.whitelistWayland = true;
-    electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ];  #< TODO: use XDG dirs!
+    electrum.persist.byStore.ephemeral = [ ".electrum" ];  #< TODO: use XDG dirs!
    endless-sky.buildCost = 1;
    endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
@@ -509,8 +530,10 @@ in
    ethtool.sandbox.capabilities = [ "net_admin" ];
    # eza `ls` replacement
-    # eza.sandbox.method = "landlock";
+    # bwrap causes `/proc` files to be listed differently (e.g. `eza /proc/sys/net/ipv6/conf/`)
-    eza.sandbox.method = "bwrap";  #< note that bwrap causes `/proc` files to be listed differently (e.g. `eza /proc/sys/net/ipv6/conf/`)
+    # bwrap loses group info (so files owned by other users appear as owner "nobody")
    eza.sandbox.method = "landlock";
    # eza.sandbox.method = "bwrap";
    eza.sandbox.autodetectCliPaths = "existing";
    eza.sandbox.whitelistPwd = true;
    eza.sandbox.extraHomePaths = [
@@ -574,10 +597,6 @@ in
    gawk.sandbox.wrapperType = "inplace";  # /share/gawk libraries refer to /libexec
    gawk.sandbox.autodetectCliPaths = "existingFile";
    gdb.sandbox.enable = false;  # gdb doesn't sandbox well. i don't know how you could.
    # gdb.sandbox.method = "landlock";  # permission denied when trying to attach, even as root
    gdb.sandbox.autodetectCliPaths = true;
    geoclue2-with-demo-agent = {};
    # MS GitHub stores auth token in .config
@@ -604,32 +623,37 @@ in
      "/tmp"  # "Cannot open display:" if it can't mount /tmp 👀
    ];
-    "gnome.gnome-calculator".buildCost = 1;
+    gnome-calculator.buildCost = 1;
-    "gnome.gnome-calculator".sandbox.method = "bwrap";
+    gnome-calculator.sandbox.method = "bwrap";
-    "gnome.gnome-calculator".sandbox.whitelistWayland = true;
+    gnome-calculator.sandbox.whitelistWayland = true;
-    "gnome.gnome-calendar".buildCost = 1;
+    gnome-calendar.buildCost = 1;
    # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
-    "gnome.gnome-calendar".sandbox.method = "bwrap";
+    gnome-calendar.sandbox.method = "bwrap";
-    "gnome.gnome-calendar".sandbox.whitelistWayland = true;
+    gnome-calendar.sandbox.whitelistWayland = true;
    # gnome-disks
-    "gnome.gnome-disk-utility".buildCost = 1;
+    gnome-disk-utility.buildCost = 1;
-    "gnome.gnome-disk-utility".sandbox.method = "bwrap";
+    gnome-disk-utility.sandbox.method = "bwrap";
-    "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
+    gnome-disk-utility.sandbox.whitelistDbus = [ "system" ];
-    "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
+    gnome-disk-utility.sandbox.whitelistWayland = true;
-    "gnome.gnome-disk-utility".sandbox.extraHomePaths = [
+    gnome-disk-utility.sandbox.extraHomePaths = [
      "tmp"
      "use/iso"
      # TODO: probably need /dev and such
    ];
    hping.sandbox.method = "landlock";
    hping.sandbox.net = "all";
    hping.sandbox.capabilities = [ "net_raw" ];
    hping.sandbox.autodetectCliPaths = "existingFile";  # for sending packet data from file
    # seahorse: dump gnome-keyring secrets.
-    "gnome.seahorse".buildCost = 1;
+    seahorse.buildCost = 1;
-    # N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
+    # N.B. it can lso manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
-    "gnome.seahorse".sandbox.method = "bwrap";
+    seahorse.sandbox.method = "bwrap";
-    "gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
+    seahorse.sandbox.whitelistDbus = [ "user" ];
-    "gnome.seahorse".sandbox.whitelistWayland = true;
+    seahorse.sandbox.whitelistWayland = true;
    gnome-2048.buildCost = 1;
    gnome-2048.sandbox.method = "bwrap";
@@ -654,7 +678,7 @@ in
      "Pictures/Screenshots"
      "Pictures/servo-macros"
    ];
-    gnome-frog.persist.byStore.cryptClearOnBoot = [
+    gnome-frog.persist.byStore.ephemeral = [
      ".local/share/tessdata"  # 15M; dunno what all it is.
    ];
@@ -792,6 +816,14 @@ in
    libnotify.sandbox.method = "bwrap";
    libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
    lightning-cli.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.clightning "lightning-cli";
    lightning-cli.sandbox.method = "bwrap";
    lightning-cli.sandbox.extraHomePaths = [
      ".lightning/bitcoin/lightning-rpc"
    ];
    # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon
    lightning-cli.fs.".lightning".symlink.target = "/var/lib/clightning";
    losslesscut-bin.buildCost = 1;
    losslesscut-bin.sandbox.method = "bwrap";
    losslesscut-bin.sandbox.extraHomePaths = [
@@ -819,7 +851,10 @@ in
    mercurial.sandbox.net = "clearnet";
    mercurial.sandbox.whitelistPwd = true;
-    mesa-demos = {};
+    mesa-demos.sandbox.method = "bwrap";
    mesa-demos.sandbox.whitelistDri = true;
    mesa-demos.sandbox.whitelistWayland = true;
    mesa-demos.sandbox.whitelistX = true;
    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
    monero-gui.buildCost = 1;
@@ -865,7 +900,7 @@ in
    nixpkgs-review.sandbox.extraPaths = [
      "/nix"
    ];
-    nixpkgs-review.persist.byStore.cryptClearOnBoot = [
+    nixpkgs-review.persist.byStore.ephemeral = [
      ".cache/nixpkgs-review"  #< help it not exhaust / tmpfs
    ];
@@ -916,7 +951,7 @@ in
      "/sys/devices"
    ];
-    "perlPackages.FileMimeInfo".sandbox.enable = false;  #< TODO: sandbox `mimetype` but not `mimeopen`.
+    "perlPackages.FileMimeInfo" = {};
    powertop.sandbox.method = "landlock";
    powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
@@ -949,7 +984,9 @@ in
    python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
      psutil
      pykakasi
      requests
      unidecode
    ]);
    python3-repl.sandbox.method = "bwrap";
    python3-repl.sandbox.net = "clearnet";
@@ -977,9 +1014,17 @@ in
    sane-weather.sandbox.method = "bwrap";
    sane-weather.sandbox.net = "clearnet";
    sc-im.sandbox.method = "bwrap";
    sc-im.sandbox.autodetectCliPaths = "existingFile";
    screen.sandbox.enable = false;  #< tty; needs to run anything
-    sequoia.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    sequoia.packageUnwrapped = pkgs.sequoia.overrideAttrs (_: {
      # XXX(2024-07-30): sq_autocrypt_import test failure: "Warning: 9B7DD433F254904A is expired."
      doCheck = false;
    });
    sequoia.buildCost = 1;
    sequoia.sandbox.method = "bwrap";
    sequoia.sandbox.whitelistPwd = true;
    sequoia.sandbox.autodetectCliPaths = "existingFileOrParent";  # supports `-o <file-to-create>`
@@ -1023,7 +1068,9 @@ in
      "Music"
      "tmp"
      "use"
      ".config/dconf"
    ];
    soundconverter.sandbox.whitelistDbus = [ "user" ];  # for dconf
    soundconverter.sandbox.extraPaths = [
      "/mnt/servo/media/Music"
      "/mnt/servo/media/games"
@@ -1103,9 +1150,6 @@ in
    valgrind.buildCost = 1;
    valgrind.sandbox.enable = false;  #< it's a launcher: can't sandbox
    visidata.sandbox.method = "bwrap";  # TODO:sandbox: untested
    visidata.sandbox.autodetectCliPaths = true;
    # `vulkaninfo`, `vkcube`
    vulkan-tools.sandbox.method = "landlock";
@@ -1137,10 +1181,12 @@ in
    # `wg`, `wg-quick`
    wireguard-tools.sandbox.method = "landlock";
    wireguard-tools.sandbox.net = "all";
    wireguard-tools.sandbox.capabilities = [ "net_admin" ];
    # provides `iwconfig`, `iwlist`, `iwpriv`, ...
    wirelesstools.sandbox.method = "landlock";
    wirelesstools.sandbox.net = "all";
    wirelesstools.sandbox.capabilities = [ "net_admin" ];
    wl-clipboard.sandbox.method = "bwrap";
@@ -1163,8 +1209,6 @@ in
    yt-dlp.sandbox.method = "bwrap";  # TODO:sandbox: untested
    yt-dlp.sandbox.net = "all";
    yt-dlp.sandbox.whitelistPwd = true;  # saves to pwd by default
    zfs = {};
  };
  sane.persist.sys.byStore.plaintext = lib.mkIf config.sane.programs.guiApps.enabled [
@@ -1181,13 +1225,12 @@ in
    ];
  };
-  hardware.opengl = lib.mkIf config.sane.programs.guiApps.enabled ({
+  hardware.graphics = lib.mkIf config.sane.programs.guiApps.enabled ({
    enable = true;
    driSupport = lib.mkDefault true;
  } // (lib.optionalAttrs pkgs.stdenv.isx86_64 {
    # for 32 bit applications
-    # upstream nixpkgs forbids setting driSupport32Bit unless specifically x86_64 (so aarch64 isn't allowed)
+    # upstream nixpkgs forbids setting enable32Bit unless specifically x86_64 (so aarch64 isn't allowed)
-    driSupport32Bit = lib.mkDefault true;
+    enable32Bit = lib.mkDefault true;
  }));
  system.activationScripts.notifyActive = lib.mkIf config.sane.programs.guiApps.enabled {
--- a/hosts/common/programs/ausyscall.nix
+++ b/hosts/common/programs/ausyscall.nix
@@ -2,7 +2,7 @@
 { pkgs, ... }:
 {
  sane.programs.ausyscall = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.audit "bin/ausyscall";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.audit "ausyscall";
    sandbox.method = "landlock";
  };
--- a/hosts/common/programs/avahi.nix
+++ b/hosts/common/programs/avahi.nix
@@ -0,0 +1,43 @@
 # Avahi zeroconf (mDNS) implementation.
 # runs as systemd `avahi-daemon.service`
 #
 # - <https://avahi.org/>
 # - code: <https://github.com/avahi/avahi>
 # - IRC: #avahi on irc.libera.chat
 #
 # - `avahi-browse --help` for usage
 # - `man avahi-daemon.conf`
 # - `LD_LIBRARY_PATH=/nix/store/ngwj3jqmxh8k4qji2z0lj7y1f8vzqrn2-nss-mdns-0.15.1/lib getent hosts desko.local`
 #   nss-mdns goes through avahi-daemon, so there IS caching here
 #
 { config, lib, ... }:
 {
  sane.programs.avahi = {
    sandbox.method = "bwrap";
    sandbox.whitelistDbus = [ "system" ];
    sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
    sandbox.extraPaths = [
      "/"  #< else the daemon exits immediately. TODO: decrease this scope.
    ];
  };
  services.avahi = lib.mkIf config.sane.programs.avahi.enabled {
    enable = true;
    package = config.sane.programs.avahi.package;
    publish.enable = true;
    publish.userServices = true;
    nssmdns4 = true;
    nssmdns6 = true;
    # reflector = true;
    allowInterfaces = [
      # particularly, the default config disallows loopback, which is kinda fucking retarded, right?
      "ens1"  #< servo
      "enp5s0"  #< desko
      "eth0"
      "lo"
      "wg-home"
      "wlan0"  #< moby
      "wlp3s0"  #< lappy
      "wlp4s0"  #< desko
    ];
  };
 }
--- a/hosts/common/programs/bemenu.nix
+++ b/hosts/common/programs/bemenu.nix
@@ -95,7 +95,7 @@ in
    packageUnwrapped = pkgs.bemenu.overrideAttrs (upstream: {
      nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
-        pkgs.makeWrapper
+        pkgs.makeBinaryWrapper
      ];
      # can alternatively be specified as CLI flags
      postInstall = (upstream.postInstall or "") + ''
--- a/hosts/common/programs/bitcoin-cli.nix
+++ b/hosts/common/programs/bitcoin-cli.nix
@@ -0,0 +1,13 @@
 { pkgs, ... }:
 {
  sane.programs.bitcoin-cli = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.bitcoind "bitcoin-cli";
    sandbox.method = "bwrap";
    sandbox.autodetectCliPaths = "existing";  #< for `bitcoin-cli -datadir=/var/lib/...`
    sandbox.extraHomePaths = [
      ".bitcoin/bitcoin.conf"
    ];
    sandbox.net = "all";  # actually needs only localhost
    secrets.".bitcoin/bitcoin.conf" = ../../../secrets/servo/bitcoin.conf.bin;
  };
 }
--- a/hosts/common/programs/blast-ugjka/blast-to-default
+++ b/hosts/common/programs/blast-ugjka/blast-to-default
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])" -p blast-ugjka
+#!nix-shell -i python3 -p blast-ugjka -p python3
 # vim: set filetype=python :
 import logging
--- a/hosts/common/programs/blast-ugjka/default.nix
+++ b/hosts/common/programs/blast-ugjka/default.nix
@@ -31,7 +31,7 @@ in
  sane.programs.blast-to-default = {
    # helper to deal with blast's interactive CLI
-    packageUnwrapped = pkgs.static-nix-shell.mkPython3Bin {
+    packageUnwrapped = pkgs.static-nix-shell.mkPython3 {
      pname = "blast-to-default";
      pkgs = [ "blast-ugjka" ];
      srcRoot = ./.;
--- a/hosts/common/programs/bonsai.nix
+++ b/hosts/common/programs/bonsai.nix
@@ -111,7 +111,7 @@ in
      '';
    });
-    fs.".config/bonsai/bonsai_tree.json".symlink.text = builtins.toJSON cfg.config.transitions;
+    fs.".config/bonsai/bonsai_tree.json".symlink.target = pkgs.writers.writeJSON "bonsai_tree.json" cfg.config.transitions;
    sandbox.method = "bwrap";
    sandbox.extraRuntimePaths = [
--- a/hosts/common/programs/brave.nix
+++ b/hosts/common/programs/brave.nix
@@ -21,7 +21,7 @@
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
-    persist.byStore.cryptClearOnBoot = [
+    persist.byStore.ephemeral = [
      ".cache/BraveSoftware"
      ".config/BraveSoftware"
    ];
--- a/hosts/common/programs/callaudiod.nix
+++ b/hosts/common/programs/callaudiod.nix
@@ -13,7 +13,7 @@
  sane.programs.callaudiod = {
    packageUnwrapped = pkgs.rmDbusServices pkgs.callaudiod;
-    # probably more needed once i enable proper sandboxing, but for now this ensures the service isn't started too early!
+    sandbox.method = "bwrap";
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];
--- a/hosts/common/programs/calls.nix
+++ b/hosts/common/programs/calls.nix
@@ -24,7 +24,7 @@ in
      };
    };
-    packageUnwrapped = pkgs.calls.overrideAttrs (upstream: {
+    packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.calls.overrideAttrs (upstream: {
      patches = (upstream.patches or []) ++ [
        (pkgs.fetchpatch {
          # usability improvement... if the UI is visible, then i can receive calls. otherwise, i can't!
@@ -33,10 +33,10 @@ in
          hash = "sha256-NoVQV2TlkCcsBt0uwSyK82hBKySUW4pADrJVfLFvWgU=";
        })
      ];
-    });
+    }));
    sandbox.method = "bwrap";
-    sandbox.net = "clearnet";
+    sandbox.net = "vpn.wg-home";  #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [ "user" ];  # necessary for secrets, at the minimum
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/conky/conky.conf
+++ b/hosts/common/programs/conky/conky.conf
@@ -66,6 +66,7 @@ end
 if vars.percent ~= nil then
  bat_args = bat_args .. " --percent-suffix '" .. vars.percent .. "'"
 end
 bat_args = bat_args .. " {bat}"
 -- N.B.: `[[ <text> ]]` is Lua's multiline string literal
 conky.text = [[
@@ -73,8 +74,8 @@ ${color1}${shadecolor 707070}${font sans-serif:size=50:style=Bold}${alignc}${exe
 ${color2}${shadecolor a4d7d0}${font sans-serif:size=20}${alignc}${exec date +"%a %d %b"}${font}
-${color1}${shadecolor}${font sans-serif:size=22:style=Bold}${alignc}${execp @bat@ ]] .. bat_args .. [[ }${font}
+${color1}${shadecolor}${font sans-serif:size=22:style=Bold}${alignc}${execp sane-sysload ]] .. bat_args .. [[ }${font}
-${color1}${shadecolor}${font sans-serif:size=20:style=Bold}${alignc}${texeci 600 @weather@ }${font}
+${color1}${shadecolor}${font sans-serif:size=20:style=Bold}${alignc}${texeci 600 timeout 20 sane-weather }${font}
 ${color2}${shadecolor a4d7d0}${font sans-serif:size=16}${alignc}⇅ ${downspeedf wlan0}]] .. vars.kBps .. [[${font}
--- a/hosts/common/programs/conky/default.nix
+++ b/hosts/common/programs/conky/default.nix
@@ -5,22 +5,18 @@
    sandbox.net = "clearnet";  #< for the scripts it calls (weather)
    sandbox.extraPaths = [
      "/sys/class/power_supply"
-      "/sys/devices"  # needed by sane-sysinfo
+      "/sys/devices"  # needed by sane-sysload
      # "/sys/devices/cpu"
      # "/sys/devices/system"
    ];
    sandbox.whitelistWayland = true;
    suggestedPrograms = [
-      "sane-sysinfo"
+      "sane-sysload"
      "sane-weather"
    ];
-    fs.".config/conky/conky.conf".symlink.target = pkgs.substituteAll {
+    fs.".config/conky/conky.conf".symlink.target = ./conky.conf;
      src = ./conky.conf;
      bat = "sane-sysinfo";
      weather = "timeout 20 sane-weather";
    };
    services.conky = {
      description = "conky dynamic desktop background";
--- a/hosts/common/programs/curl.nix
+++ b/hosts/common/programs/curl.nix
@@ -0,0 +1,8 @@
 { ... }:
 {
  sane.programs.curl = {
    sandbox.method = "bwrap";
    sandbox.net = "all";
    sandbox.autodetectCliPaths = "parent";  #< for `-o` option
  };
 }
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -10,7 +10,9 @@
    ./assorted.nix
    ./audacity.nix
    ./ausyscall.nix
    ./avahi.nix
    ./bemenu.nix
    ./bitcoin-cli.nix
    ./blast-ugjka
    ./bonsai.nix
    ./brave.nix
@@ -25,6 +27,7 @@
    ./conky
    ./cozy.nix
    ./cups.nix
    ./curl.nix
    ./curlftpfs.nix
    ./dbus.nix
    ./dconf.nix
@@ -39,6 +42,7 @@
    ./epiphany.nix
    ./errno.nix
    ./evince.nix
    ./exiftool.nix
    ./fcitx5.nix
    ./feedbackd.nix
    ./firefox.nix
@@ -50,8 +54,11 @@
    ./fwupd.nix
    ./g4music.nix
    ./gajim.nix
    ./gdb.nix
    ./gdbus.nix
    ./geary.nix
    ./geoclue-demo-agent.nix
    ./geoclue2.nix
    ./git.nix
    ./gnome-clocks.nix
    ./gnome-feeds.nix
@@ -60,6 +67,8 @@
    ./gnome-weather.nix
    ./go2tv.nix
    ./gpodder.nix
    ./gpsd.nix
    ./gps-share.nix
    ./grimshot.nix
    ./gst-device-monitor.nix
    ./gthumb.nix
@@ -67,13 +76,16 @@
    ./handbrake.nix
    ./helix.nix
    ./htop
    ./iio-sensor-proxy.nix
    ./imagemagick.nix
    ./jellyfin-media-player.nix
    ./kdenlive.nix
    ./keymapp.nix
    ./komikku.nix
    ./koreader
    ./less.nix
    ./lftp.nix
    ./lgtrombetta-compass.nix
    ./libreoffice.nix
    ./lemoa.nix
    ./loupe.nix
@@ -81,16 +93,19 @@
    ./megapixels.nix
    ./mepo.nix
    ./mimeo
    ./mimetype.nix
    ./mmcli.nix
    ./mopidy.nix
    ./mpv
    ./msmtp.nix
    ./nautilus.nix
    ./neovim.nix
    ./networkmanager_dmenu
    ./newsflash.nix
    ./nheko.nix
    ./nicotine-plus.nix
    ./nix-index.nix
    ./nix.nix
    ./nmcli.nix
    ./notejot.nix
    ./ntfy-sh.nix
@@ -98,25 +113,34 @@
    ./objdump.nix
    ./obsidian.nix
    ./offlineimap.nix
    ./ols.nix
    ./open-in-mpv.nix
    ./pactl.nix
-    ./pipewire.nix
+    ./pidof.nix
    ./pipewire
    ./pkill.nix
    ./planify.nix
    ./portfolio-filemanager.nix
    ./playerctl.nix
    ./ps.nix
    ./qmk-udev-rules.nix
    ./rhythmbox.nix
    ./ripgrep.nix
    ./rofi
    ./rsyslog
    ./rtkit.nix
    ./s6-rc.nix
    ./sane-deadlines.nix
    ./sane-input-handler
    ./sane-open.nix
    ./sane-private-unlock-remote.nix
    ./sane-screenshot.nix
    ./sane-scripts.nix
-    ./sane-sysinfo.nix
+    ./sane-secrets-unlock.nix
    ./sane-sysload.nix
    ./sane-theme.nix
    ./sanebox.nix
    ./satellite.nix
    ./schlock.nix
    ./seatd.nix
    ./sfeed.nix
@@ -136,14 +160,18 @@
    ./swaylock.nix
    ./swaynotificationcenter
    ./switchboard.nix
-    ./sysvol.nix
+    ./syshud.nix
    ./tangram.nix
    ./tor-browser.nix
    ./tuba.nix
    ./unl0kr
    ./via.nix
    ./visidata.nix
    ./vlc.nix
    ./wally-cli.nix
    ./waybar
    ./waylock.nix
    ./where-am-i.nix
    ./wike.nix
    ./wine.nix
    ./wireplumber.nix
@@ -155,10 +183,13 @@
    ./xdg-desktop-portal-wlr.nix
    ./xdg-terminal-exec.nix
    ./xdg-utils.nix
    ./youtube-tui.nix
    ./zathura.nix
    ./zeal.nix
    ./zecwallet-lite.nix
    ./zulip.nix
    ./zsa-udev-rules.nix
    ./zfs-tools.nix
    ./zsh
  ];
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -50,32 +50,13 @@ in
      };
    };
-    packageUnwrapped = (pkgs.dino.override {
+    packageUnwrapped = pkgs.dino.override {
      # XXX(2024/04/24): build without echo cancelation (i.e. force WITH_VOICE_PROCESSOR to be undefined).
      # this means that if the other end of the call is on speaker phone, i'm liable to hear my own voice
      # leave their speaker, enter their mic, and then return to me.
      # the benefit is a >50% reduction in CPU use. insignificant on any modern PC; make-or-break on a low-power Pinephone.
      webrtc-audio-processing = null;
    }).overrideAttrs (upstream: {
      # i'm updating experimentally to see if it improves call performance.
      # i don't *think* this is actually necessary; i don't notice any difference.
      version = "0.4.3-unstable-2024-04-28";
      src = lib.warnIf (lib.versionOlder "0.4.3" upstream.version) "dino update: safe to remove sane patches" pkgs.fetchFromGitHub {
        owner = "dino";
        repo = "dino";
        rev = "657502955567dd538e56f300e075c7db52e25d74";
        hash = "sha256-SApJy9FgxxLOB5A/zGtpdFZtSqSiS03vggRrCte1tFE=";
    };
      # avoid double-application of upstreamed patches
      # https://github.com/NixOS/nixpkgs/pull/309265
      patches = [];
      checkPhase = ''
        runHook preCheck
        ./xmpp-vala-test
        # ./signal-protocol-vala-test  # doesn't exist anymore
        runHook postCheck
      '';
    });
    sandbox.method = "bwrap";
    sandbox.net = "clearnet";
--- a/hosts/common/programs/eg25-control.nix
+++ b/hosts/common/programs/eg25-control.nix
@@ -6,6 +6,17 @@ in
  sane.programs.eg25-control = {
    suggestedPrograms = [ "mmcli" ];
    sandbox.method = "bwrap";
    sandbox.extraPaths = [
      "/sys/class/modem-power"
      "/sys/devices"
      # "/var/lib/eg25-control"
    ];
    sandbox.net = "all";  #< for downloading the almanac
    sandbox.whitelistDbus = [
      "system"  #< used by `mmcli`
    ];
    services.eg25-control-powered = {
      description = "eg25-control-powered: power to the Qualcomm eg25 modem used by PinePhone";
      startCommand = "eg25-control --power-on --verbose";
@@ -21,6 +32,7 @@ in
      startCommand = "eg25-control --enable-gps --dump-debug-info --verbose";
      cleanupCommand = "eg25-control --disable-gps --dump-debug-info --verbose";
      depends = [ "eg25-control-powered" ];
      partOf = [ "gps" ];
    };
    persist.byStore.plaintext = [ ".cache/eg25-control" ];  #< for cached agps data
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@@ -45,6 +45,9 @@
      "Videos/servo"
      "tmp"
    ];
    sandbox.extraPaths = [
      "/dev/snd"  #< needed only when playing embedded audio (not embedded video!)
    ];
    # creds/session keys, etc
    persist.byStore.private = [ ".config/Element" ];
--- a/hosts/common/programs/errno.nix
+++ b/hosts/common/programs/errno.nix
@@ -1,19 +1,15 @@
 { pkgs, ... }:
 {
  sane.programs.errno = {
-    # packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.moreutils "bin/errno";
+    # packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.moreutils "errno";
    # actually, don't build all of moreutils because not all of it builds for cross targets.
    # some of this can be simplified after <https://github.com/NixOS/nixpkgs/pull/316446>
    packageUnwrapped = pkgs.moreutils.overrideAttrs (base: {
      makeFlags = (base.makeFlags or []) ++ [
        "BINS=errno"
        "MANS=errno.1"
        "PERLSCRIPTS=errno"  #< Makefile errors if empty, but this works :)
        "INSTALL_BIN=install"
      ];
-      #v disable the perl-specific stuff
+      buildInputs = [];  #< errno has no runtime perl deps, and they don't cross compile, so disable them.
      propagatedBuildInputs = [];
      postInstall = "";
    });
    sandbox.method = "landlock";
--- a/hosts/common/programs/exiftool.nix
+++ b/hosts/common/programs/exiftool.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  sane.programs.exiftool = {
    sandbox.method = "bwrap";
    sandbox.autodetectCliPaths = "existingFile";
  };
 }
--- a/hosts/common/programs/feedbackd.nix
+++ b/hosts/common/programs/feedbackd.nix
@@ -55,7 +55,7 @@ in
    # - theme-demo
    # - timeout-completed
    # - window-close
-    fs.".config/feedbackd/themes/proxied.json".symlink.text = builtins.toJSON {
+    fs.".config/feedbackd/themes/proxied.json".symlink.target = pkgs.writers.writeJSON "proxied.json" {
      name = "proxied";
      parent-theme = "default";
      profiles = [
--- a/hosts/common/programs/firefox.nix
+++ b/hosts/common/programs/firefox.nix
@@ -105,6 +105,22 @@ let
    };
    # extraPrefs = ...
  }).overrideAttrs (base: {
    nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
      pkgs.copyDesktopItems
    ];
    desktopItems = (base.desktopItems or []) ++ [
      (pkgs.makeDesktopItem {
        name = "${cfg.browser.libName}-in-vpn";
        desktopName = "${cfg.browser.libName} (VPN)";
        genericName = "Web Browser";
        # N.B.: --new-instance ensures we don't reuse an existing non-vpn instance.
        # OTOH, it may error about "only one instance can run at a time": close the non-VPN instance if you see that.
        exec = "${lib.getExe pkgs.sane-scripts.vpn} do - -- ${cfg.browser.libName} --new-instance";
        icon = cfg.browser.libName;
        categories = [ "Network" "WebBrowser" ];
        type = "Application";
      })
    ];
    # de-associate `ctrl+shift+c` from activating the devtools.
    # based on <https://stackoverflow.com/a/54260938>
    # TODO: could use `zip -f` to only update the one changed file, instead of rezipping everything.
@@ -130,7 +146,8 @@ let
      echo "omni.ja AFTER:"
      ls -l $out/lib/${cfg.browser.libName}/browser/omni.ja
-      # runHook postFixup to allow sane.programs sandbox wrappers to wrap the binaries
+      runHook postBuild
      runHook postInstall
      runHook postFixup
    '';
  });
@@ -160,7 +177,7 @@ let
      persistCache = mkOption {
        description = "optional store name to which persist browser cache";
        type = types.nullOr types.str;
-        default = "cryptClearOnBoot";
+        default = "ephemeral";
      };
      addons = mkOption {
        type = types.attrsOf addonOpts;
@@ -263,7 +280,7 @@ in
          # TODO: find a way to not expose ~/.ssh to firefox
          # - unlock sops at login (or before firefox launch)?
          # - see if ssh has a more formal type of subkey system?
-          ".ssh/id_ed25519"
+          # ".ssh/id_ed25519"
          # ".config/sops"
          "knowledge/secrets/accounts"
        ];
@@ -372,14 +389,14 @@ in
          if (cfg.persistData != null) then
            cfg.persistData
          else
-            "cryptClearOnBoot"
+            "ephemeral"
        ;
        persist.byPath."${cfg.browser.dotDir}/default".store =
          if (cfg.persistData != null) then
            cfg.persistData
          else
-            "cryptClearOnBoot"
+            "ephemeral"
        ;
      };
--- a/hosts/common/programs/free.nix
+++ b/hosts/common/programs/free.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
  sane.programs.free = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.procps "bin/free";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "free";
    sandbox.method = "bwrap";
    sandbox.isolatePids = false;
  };
--- a/hosts/common/programs/gdb.nix
+++ b/hosts/common/programs/gdb.nix
@@ -0,0 +1,13 @@
 { pkgs, ... }:
 {
  sane.programs.gdb = {
    sandbox.enable = false;  # gdb doesn't sandbox well. i don't know how you could.
    # sandbox.method = "landlock";  # permission denied when trying to attach, even as root
    sandbox.autodetectCliPaths = true;
    fs.".config/gdb/gdbinit".symlink.text = ''
      # enable commands like `py-bt`, `py-list`, etc.
      # for usage, see: <https://wiki.python.org/moin/DebuggingWithGdb>
      source ${pkgs.python3}/share/gdb/libpython.py
    '';
  };
 }
--- a/hosts/common/programs/gdbus.nix
+++ b/hosts/common/programs/gdbus.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
  sane.programs.gdbus = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.glib "gdbus";
    sandbox.method = "bwrap";
    sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access
--- a/hosts/common/programs/geary.nix
+++ b/hosts/common/programs/geary.nix
@@ -5,10 +5,10 @@
 #   <https://gitlab.gnome.org/GNOME/geary/-/issues/1212>
 { config, lib, ... }:
 let
-  cfg = config.sane.programs."gnome.geary";
+  cfg = config.sane.programs."geary";
 in
 {
-  sane.programs."gnome.geary" = {
+  sane.programs."geary" = {
    configOption = with lib; mkOption {
      default = {};
      type = types.submodule {
--- a/hosts/common/programs/geoclue-demo-agent.nix
+++ b/hosts/common/programs/geoclue-demo-agent.nix
@@ -0,0 +1,23 @@
 { config, pkgs, ... }:
 {
  sane.programs.geoclue-demo-agent = {
    packageUnwrapped = pkgs.linkFarm "geoclue-demo-agent" [{
      # bring the demo agent into a `bin/` directory so it can be invokable via PATH
      name = "bin/geoclue-demo-agent";
      path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent";
    }];
    sandbox.method = "bwrap";
    sandbox.whitelistDbus = [
      "system"
    ];
    services.geoclue-agent = {
      description = "geoclue 'demo' agent";
      # XXX: i don't actually understand how this works: upstream dbus rules would appear to restrict
      # the dbus owner to just root/geoclue, but we're neither and this still works (and breaks if i remove the agent service!)
      command = "geoclue-demo-agent";
      partOf = [ "graphical-session" ];
    };
  };
 }
--- a/hosts/common/programs/geoclue2.nix
+++ b/hosts/common/programs/geoclue2.nix
@@ -0,0 +1,76 @@
 # geoclue location services daemon.
 #
 # SUPPORT:
 # - irc: #gnome-maps on irc.gimp.org
 # - Matrix: #gnome-maps:gnome.org  (unclear if bridged to IRC)
 # - forums: <https://discourse.gnome.org/c/platform>
 # - git: <https://gitlab.freedesktop.org/geoclue/geoclue/>
 # - D-Bus API docs: <https://www.freedesktop.org/software/geoclue/docs/>
 #
 # HOW TO TEST:
 # - just invoke `where-am-i`: it should output the current latitude/longitude.
 ## more manual testing:
 # - build `geoclue2-with-demo-agent`
 # - run the service: `systemctl start geoclue` or "${geoclue2-with-demo-agent}/libexec/geoclue"
 # - run "${geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/agent"
 #   - keep this running in the background
 # - run "${geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/where-am-i"
 #
 # DATA FLOW:
 # - geoclue2 does http calls into local `ols`, which either hits the local disk or queries https://wigle.net.
 # - geoclue users like gnome-maps somehow depend on an "agent",
 #   a user service which launches the geoclue system service on-demand (via dbus activation).
 #
 { config, lib, pkgs, ... }:
 let
  cfg = config.sane.programs.geoclue2;
 in
 {
  sane.programs.geoclue2 = {
    # packageUnwrapped = pkgs.rmDbusServices pkgs.geoclue2;
    # packageUnwrapped = pkgs.geoclue2.override { withDemoAgent = true; };
    packageUnwrapped = pkgs.geoclue2-with-demo-agent;
    suggestedPrograms = [
      "avahi"  #< to discover LAN gps devices
      "geoclue-demo-agent"
      # "gps-share"
      "iio-sensor-proxy"
      "ols"  #< WiFi SSID -> lat/long lookups
      "satellite"  #< graphical view into GPS fix data
      "where-am-i"  #< handy debugging/testing tool
    ];
    # XXX(2024/07/05): no way to plumb my sandboxed geoclue into `services.geoclue2`.
    # then, the package doesn't get used directly anywhere. but other programs reference `packageUnwrapped`,
    # so keep that part still.
    sandbox.enable = false;
    package = lib.mkForce null;
    # experimental sandboxing (2024/07/05)
    # sandbox.method = "bwrap";
    # sandbox.whitelistDbus = [
    #   "system"
    # ];
    # sandbox.net = "all";
  };
  # sane.programs.geoclue2.enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
  services.geoclue2 = lib.mkIf cfg.enabled {
    enable = true;
    geoProviderUrl = "http://127.0.0.1:8088/v1/geolocate";  #< ols
    # XXX(2024/06/25): when Geoclue uses ModemManager's GPS API, it wants to enable GPS
    # tracking at the start, and disable it at the end. that causes tracking to be lost, regularly.
    # this is not optional behavior: if Geoclue fails to control modem manager (because of a polkit policy, say),
    # then it won't even try to read the data from modem manager.
    # SOLUTION: tell Geoclue to get GPS from gps-share ("enableNmea", i.e. `network-nmea.enable`)
    # and NOT from modem manager.
    enableModemGPS = false;
    enableNmea = true;
  };
  systemd.user.services = lib.mkIf cfg.enabled {
    # nixos services.geoclue2 runs the agent as a user service by default, but i don't use systemd so that doesn't work.
    # i manage the agent myself, in sane.programs.geoclue-demo-agent.
    geoclue-agent.enable = false;
  };
 }
--- a/hosts/common/programs/git.nix
+++ b/hosts/common/programs/git.nix
@@ -40,6 +40,7 @@ in
      alias.amend   = "commit --amend --no-edit";
      alias.br      = "branch";
      alias.co      = "checkout";
      alias.com     = "commit";
      alias.cp      = "cherry-pick";
      alias.d       = "difftool";
      alias.dif     = "diff";  # common typo
--- a/hosts/common/programs/gnome-feeds.nix
+++ b/hosts/common/programs/gnome-feeds.nix
@@ -1,12 +1,12 @@
 # gnome feeds RSS viewer
-{ config, lib, sane-lib, ... }:
+{ config, lib, pkgs, sane-lib, ... }:
 let
  feeds = sane-lib.feeds;
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json".symlink.text = builtins.toJSON {
+  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json".symlink.target = pkgs.writers.writeJSON "org.gabmus.gfeeds.json" {
    # feed format is a map from URL to a dict,
    #   with dict["tags"] a list of string tags.
    feeds = sane-lib.mapToAttrs (feed: {
--- a/hosts/common/programs/gnome-keyring/default.nix
+++ b/hosts/common/programs/gnome-keyring/default.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, ... }:
 {
  sane.programs.gnome-keyring = {
-    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;
+    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring;
    sandbox.method = "bwrap";
    sandbox.whitelistDbus = [ "user" ];
    sandbox.extraRuntimePaths = [
--- a/hosts/common/programs/gnome-maps.nix
+++ b/hosts/common/programs/gnome-maps.nix
@@ -1,7 +1,30 @@
 # SUPPORT:
 # - irc: #gnome-maps on irc.gimp.org
 # - Matrix: #gnome-maps:gnome.org  (unclear if bridged to IRC)
 #
 # INTEGRATIONS:
 # - uses https://graphhopper.com for routing
 #   - <https://github.com/graphhopper/graphhopper>  (not packaged for Nix)
 # - uses https://tile.openstreetmap.org for tiles
 # - uses https://overpass-api.de for ... ?
 # TIPS:
 # - use "Northwest" instead of "NW", and "Street" instead of "St", etc.
 #   otherwise, it might not find your destination!
 { pkgs, ... }:
 {
  sane.programs."gnome.gnome-maps" = {
-    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
+    packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.gnome.gnome-maps.overrideAttrs (base: {
      # default .desktop file is trying to do some dbus launch (?) which fails even *if* i install `gapplication` (glib.bin)
      postPatch = (base.postPatch or "") + ''
        substituteInPlace data/org.gnome.Maps.desktop.in.in \
          --replace-fail 'Exec=gapplication launch @app-id@ %U' 'Exec=gnome-maps %U'
      '';
    }));
    suggestedPrograms = [
      "geoclue2"
    ];
    sandbox.wrapperType = "inplace";  #< /share directory contains Gir info which references libgnome-maps.so by path
    sandbox.method = "bwrap";
    sandbox.whitelistDri = true;  # for perf
    sandbox.whitelistDbus = [
--- a/hosts/common/programs/gps-share.nix
+++ b/hosts/common/programs/gps-share.nix
@@ -0,0 +1,57 @@
 # gps-share: <https://github.com/zeenix/gps-share>
 # takes a local GPS device (e.g. /dev/ttyUSB1) and makes it available over TCP/Avahi (multicast DNS).
 #
 # common usecases:
 # 1. make positioning available to any device on a network, even if that device has no local GPS
 #    - e.g. my desktop can use my phone's GPS device, if on the same network.
 # 2. allow multiple clients to share a GPS device.
 #    GPS devices are serial devices, and so only one process can consume the data at a time.
 #    gps-share can camp the serial device, and then allow *multiple* subscribers
 # 3. provide a *read-only* API to clients like Geoclue.
 #    that is, expose the GPS device *output* to a client, but don't let the client write to the device (e.g. enable/disable the GPS).
 #    this is the primary function i derive from gps-share
 #
 # HOW TO TEST:
 # - `nc localhost 10110`
 #   should stream GPS NMEA output to the console
 # - `avahi-browse --resolve _nmea-0183._tcp`: should show hosts on the local network which provide GPS info
 { config, lib, pkgs, ... }:
 let
  cfg = config.sane.programs.gps-share;
 in
 {
  sane.programs.gps-share = {
    suggestedPrograms = [
      "jq"
      # and systemd, for udevadm
    ];
    services.gps-share = {
      description = "gps-share: make local GPS serial readings available over Avahi";
      # usage:
      # gps-share --no-announce  # to disable Avahi
      # gps-share --no-tcp  # only makes sense if using --socket-path
      # gps-share --network-interface lo  # defaults to all interfaces, but firewalling means actually more restrictive
      # gps-share --socket-path $XDG_RUNTIME_DIR/gps-share/gps-share.sock  # share over a unix socket
      command = pkgs.writeShellScript "gps-share" ''
        dev=$(udevadm info --property-match=ID_MM_PORT_TYPE_GPS=1 --json=pretty --export-db | jq -r .DEVNAME)
        if [ -z "$dev" ]; then
          echo "no GPS device found"
          exit 1
        fi
        echo "using $dev for GPS NMEA"
        gps-share "$dev"
      '';
      # N.B.: it fails to launch if the NMEA device doesn't yet exist, so don't launch by default; only launch as part of GPS
      # dependencyOf = [ "geoclue-agent" ];
      partOf = [ "gps" ];
      depends = [ "eg25-control-powered" ];
    };
    sandbox.method = "bwrap";
    sandbox.net = "all";
    sandbox.autodetectCliPaths = "existing";  #< N.B.: `test -f /dev/ttyUSB1` fails, we can't use `existingFile`
  };
  # TODO: restrict this to just LAN devices!!
  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enabled [ 10110 ];
 }
--- a/hosts/common/programs/gpsd.nix
+++ b/hosts/common/programs/gpsd.nix
@@ -0,0 +1,33 @@
 # test gpsd with `gpspipe -w -n 10 2> /dev/null | grep -m 1 TPV | jq '.lat, .lon' | tr '\n' ' '`
 # ^ should return <lat> <long>
 #
 # TODO(2024/06/19): nixpkgs' gpsd service isn't sandboxed at ALL. i should sandbox that, or remove this integration.
 #
 # pinephone GPS happens in EG25 modem
 # serial control interface to modem is /dev/ttyUSB2
 # after enabling GPS, readout is /dev/ttyUSB1
 #
 # minimal process to enable modem and GPS:
 # - `echo 1 > /sys/class/modem-power/modem-power/device/powered`
 # - `screen /dev/ttyUSB2 115200`
 #   - `AT+QGPSCFG="nmeasrc",1`
 #   - `AT+QGPS=1`
 # this process is automated by my `eg25-control` program and services (`eg25-control-powered`, `eg25-control-gps`)
 # - see the `modules/` directory further up this repository.
 #
 # now, something like `gpsd` can directly read from /dev/ttyUSB1,
 # or geoclue can query the GPS directly through modem-manager
 #
 # initial GPS fix can take 15+ minutes.
 # meanwhile, services like eg25-manager or eg25-control-freshen-agps can speed this up by uploading assisted GPS data to the modem.
 { config, lib, ... }:
 let
  cfg = config.sane.programs.gpsd;
 in
 {
  sane.programs.gpsd = {};
  services.gpsd = lib.mkIf cfg.enabled {
    enable = true;
    devices = [ "/dev/ttyUSB1" ];
  };
 }
--- a/hosts/common/programs/gst-device-monitor.nix
+++ b/hosts/common/programs/gst-device-monitor.nix
@@ -5,10 +5,9 @@
 { pkgs, ... }:
 {
  sane.programs.gst-device-monitor = {
-    packageUnwrapped = (pkgs.linkIntoOwnPackage pkgs.gst_all_1.gst-plugins-base [
+    packageUnwrapped = (
-      "bin/gst-device-monitor-1.0"
+      pkgs.linkBinIntoOwnPackage pkgs.gst_all_1.gst-plugins-base "gst-device-monitor-1.0"
-      "share/man/man1/gst-device-monitor-1.0.1.gz"
+    ).overrideAttrs (base: {
    ]).overrideAttrs (base: {
      # XXX the binaries need `GST_PLUGIN_SYSTEM_PATH_1_0` set to function,
      # but nixpkgs doesn't set those (TODO: upstream this!)
      nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
@@ -20,5 +19,14 @@
        pkgs.pipewire  #< required for Video/Source (video4linux)
      ];
    });
    sandbox.method = "bwrap";
    sandbox.whitelistAudio = true;
    sandbox.extraPaths = [
      "/dev"  # tried, but failed to narrow this down (moby)
      "/run/udev/data"
      "/sys/class/video4linux"
      "/sys/devices"
    ];
  };
 }
--- a/hosts/common/programs/iio-sensor-proxy.nix
+++ b/hosts/common/programs/iio-sensor-proxy.nix
@@ -0,0 +1,55 @@
 # chat (Matrix): #iio-sensor-proxy:dylanvanassche.be
 # src: <https://gitlab.freedesktop.org/hadess/iio-sensor-proxy>
 # IIO = "Industrial I/O": <https://www.kernel.org/doc/html/v4.12/driver-api/iio/index.html>
 # iio-sensor-proxy reads IIO data reported by the kernel at /sys/bus/iio/* and makes it available to dbus applications.
 # this includes:
 # - ambient light sensor
 # - compass/magnetometer  (LIMITED)
 # - accelerometer (rotation)
 #
 # use:
 # - show available sensors: `gdbus introspect --system --dest net.hadess.SensorProxy --object-path /net/hadess/SensorProxy`
 # - read sensors: `sudo -u geoclue monitor-sensor --compass`
 #   - default dbus policy only allows geoclue to use the compass
 #   - `sudo monitor-sensor` for light/rotation
 #
 # HARDWARE SUPPORT: PINEPHONE (2024/07/01)
 # - accelerometer and light sensor seem to work
 # - magnetometer (af8133j, different but similar to lis3mdl) IS NOT SUPPORTED
 #   - <https://gitlab.freedesktop.org/hadess/iio-sensor-proxy/-/issues/310>
 #   - exists in sysfs and can be viewed with
 #     `cat /sys/devices/platform/soc/1c2b000.i2c/i2c-1/1-001c/iio:device2/in_magn_x_raw`
 #   - nothing in iio-sensor-proxy reads anything related to "magn".
 #   - WIP PR to support magnetometers: <https://gitlab.freedesktop.org/hadess/iio-sensor-proxy/-/merge_requests/316>
 #     - after rebase, it *functions*, but does not scale the readings correctly
 #       heading changes only over the range of 50 - 70 deg.
 { config, lib, pkgs, ... }:
 let
  cfg = config.sane.programs.iio-sensor-proxy;
 in
 {
  sane.programs.iio-sensor-proxy = {
    packageUnwrapped = pkgs.iio-sensor-proxy.overrideAttrs (upstream: {
      patches = (upstream.patches or []) ++ [
        (pkgs.fetchpatch {
          name = "WIP:compass: Add support for polling uncalibrated devices";
          # url = "https://gitlab.freedesktop.org/hadess/iio-sensor-proxy/-/merge_requests/316.diff";
          url = "https://git.uninsane.org/colin/iio-sensor-proxy/commit/fd21f1f4bf1eadd603b1f24f628b979691d9cf3b.diff";
          hash = "sha256-+GoEPby6q+uSkQlZWFWr5ghx3BKBMGk7uv/DDhGnxDk=";
        })
      ];
    });
    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;  #< for dbus/polkit policies
    sandbox.method = "bwrap";
    sandbox.whitelistDbus = [ "system" ];
    sandbox.extraPaths = [
      "/run/udev/data"
      "/sys/bus"
      "/sys/devices"
    ];
  };
  services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
  # services.dbus.packages = lib.mkIf cfg.enabled [ cfg.package ];  #< for bus ownership policy
  systemd.packages = lib.mkIf cfg.enabled [ cfg.package ];  #< for iio-sensor-proxy.service
 }
--- a/hosts/common/programs/kdenlive.nix
+++ b/hosts/common/programs/kdenlive.nix
@@ -1,13 +1,6 @@
 { pkgs, ... }:
 {
  sane.programs.kdenlive = {
    packageUnwrapped = pkgs.kdenlive.override {
      ffmpeg-full = pkgs.ffmpeg-full.override {
        # avoid expensive samba build for a feature i don't use
        withSamba = false;
      };
    };
    buildCost = 1;
    sandbox.method = "bwrap";
--- a/hosts/common/programs/keymapp.nix
+++ b/hosts/common/programs/keymapp.nix
@@ -0,0 +1,8 @@
 # ZSA keyboard (Ergodox, Moonlander, ...) firmware flasher and keymap viewer.
 # video: <https://www.zsa.io/flash>
 # displays on launch:
 # - "Error connecting to the keyboard, make sure the layout flashed on your keyboard was recently compiled with Oryx and that the [Live training] option is toggled on in the advanced settings."
 { ... }:
 {
  sane.programs.keymapp = {};
 }
--- a/hosts/common/programs/komikku.nix
+++ b/hosts/common/programs/komikku.nix
@@ -3,10 +3,10 @@
  sane.programs.komikku = {
    packageUnwrapped = pkgs.komikku.overrideAttrs (upstream: {
      preFixup = ''
-        # 2024/02/21: render bug which affects only moby:
+        # 2024/07/25: Komikku uses XDG_SESSION_TYPE in the webkitgtk useragent, and errors if it's empty.
-        #             large images render blank in several gtk applications.
+        #             XDG_SESSION_DESKTOP is used similarly in debug_info.py.
-        #             may resolve itself as gtk or mesa are updated.
+        #             TODO: patch/upstream Komikku
-        gappsWrapperArgs+=(--set GSK_RENDERER cairo)
+        gappsWrapperArgs+=(--set-default XDG_SESSION_TYPE "unknown" --set-default XDG_SESSION_DESKTOP "unknown")
      '' + (upstream.preFixup or "");
    });
@@ -24,5 +24,8 @@
      # also writes to ~/.cache/komikku
      ".local/share/komikku"
    ];
    persist.byStore.ephemeral = [
      ".cache/komikku"
    ];
  };
 }
--- a/hosts/common/programs/koreader/default.nix
+++ b/hosts/common/programs/koreader/default.nix
@@ -17,7 +17,7 @@
 #   - these are stored in `~/.config/koreader/data/dict`
 # - configure defaults:
 #   - edit keys in ~/.config/koreader/settings.reader.lua
-#     - default font size: `["copt_font_size"] = 28,`
+#     - default font size: `["copt_font_size"] = 30,`
 #     - home dir: `["home_dir"] = "/home/colin/Books",`
 { config, lib, pkgs, sane-lib, ... }:
--- a/Show More
+++ b/Show More