sysvol: remove unused finalAttrs

it's in nixpkgs now, and the co-maintainer is doing a very good job with it

flake.lock

@@ -1,329 +1,6 @@
 {
   "nodes": {
-    "flake-compat": {
-      "locked": {
-        "lastModified": 1688025799,
-        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1712014858,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "lib-aggregate": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs-lib": "nixpkgs-lib"
-      },
-      "locked": {
-        "lastModified": 1716725378,
-        "narHash": "sha256-bNTVDAVBLFSSTU+q54cJnntmFKBi+F/D8sSqlZwBGiM=",
-        "owner": "nix-community",
-        "repo": "lib-aggregate",
-        "rev": "dbc9130fe1455e0f6ee4d8f5f799f9be551f866b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "lib-aggregate",
-        "type": "github"
-      }
-    },
-    "mobile-nixos": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1694749521,
-        "narHash": "sha256-MiVokKlpcJmfoGuWAMeW1En7gZ5hk0rCQArYm6P9XCc=",
-        "owner": "nixos",
-        "repo": "mobile-nixos",
-        "rev": "d25d3b87e7f300d8066e31d792337d9cd7ecd23b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "d25d3b87e7f300d8066e31d792337d9cd7ecd23b",
-        "repo": "mobile-nixos",
-        "type": "github"
-      }
-    },
-    "nix-eval-jobs": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": "nixpkgs",
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1715804156,
-        "narHash": "sha256-GtIHP86Cz1kD9xZO/cKbNQACHKdoT9WFbLJAq6W2EDY=",
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "rev": "bb95091f6c6f38f6cfc215a1797a2dd466312c8b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "type": "github"
-      }
-    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1703863825,
-        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1715037484,
-        "narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1716684580,
-        "narHash": "sha256-sIbMJWJr4hl2PWd9/iWlh89QfVzBn1NJ3u5RjeZADuM=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "d0d27192931680482081aa1c38389da2af84a651",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
-    "nixpkgs-next-unpatched": {
-      "locked": {
-        "lastModified": 1717372940,
-        "narHash": "sha256-fK1PJqC8kQOy8rD7B+qmJOTx9IV8AOmFtH5Z/ip7340=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "c987c730bbf2121264ebd68921b443db5bb28543",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "staging-next",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1717265169,
-        "narHash": "sha256-IITcGd6xpNoyq9SZBigCkv4+qMHSqot0RDPR4xsZ2CA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3b1b4895b2c5f9f5544d02132896aeb9ceea77bc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-23.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unpatched": {
-      "locked": {
-        "lastModified": 1717392304,
-        "narHash": "sha256-i9Kh2ty++/xMj4GPTMI7vQrpH4jopjT4BUq2GKX1zug=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "77a51024c0f953d503eb3ed364aa4bff378649f8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-wayland": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "lib-aggregate": "lib-aggregate",
-        "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ]
-      },
-      "locked": {
-        "lastModified": 1717175759,
-        "narHash": "sha256-KiM5ue/UNQt8ktoqCV4yFqhHxM31U94Mf/piKW9dZ4c=",
-        "owner": "nix-community",
-        "repo": "nixpkgs-wayland",
-        "rev": "93b225ddba91179248b378913a91defbc6aeb899",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs-wayland",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "mobile-nixos": "mobile-nixos",
-        "nixpkgs-next-unpatched": "nixpkgs-next-unpatched",
-        "nixpkgs-unpatched": "nixpkgs-unpatched",
-        "nixpkgs-wayland": "nixpkgs-wayland",
-        "sops-nix": "sops-nix",
-        "uninsane-dot-org": "uninsane-dot-org"
-      }
-    },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1717297459,
-        "narHash": "sha256-cZC2f68w5UrJ1f+2NWGV9Gx0dEYmxwomWN2B0lx0QRA=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "ab2a43b0d21d1d37d4d5726a892f714eaeb4b075",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1711963903,
-        "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "uninsane-dot-org": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ]
-      },
-      "locked": {
-        "lastModified": 1715894399,
-        "narHash": "sha256-h1EdA/h74zgNPNEYbH+0mgOMlJgLVcxuZ8/ewsZlgEc=",
-        "ref": "refs/heads/master",
-        "rev": "e6f88f563bdd1700c04018951de4f69862646dd1",
-        "revCount": 240,
-        "type": "git",
-        "url": "https://git.uninsane.org/colin/uninsane"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.uninsane.org/colin/uninsane"
-      }
-    }
+    "root": {}
   },
   "root": "root",
   "version": 7

flake.nix

@@ -21,71 +21,8 @@
 #   - `nix flake lock --update-input nixpkgs`
 
 {
-  # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
-  # preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
-  # but `inputs` is required to be a strict attrset: not an expression.
-  inputs = {
-    # branch workflow:
-    # - daily:
-    #   - nixos-unstable cut from master after enough packages have been built in caches.
-    # - every 6 hours:
-    #   - master auto-merged into staging and staging-next
-    #   - staging-next auto-merged into staging.
-    # - manually, approximately once per month:
-    #   - staging-next is cut from staging.
-    #   - staging-next merged into master.
-    #
-    # which branch to source from?
-    # - nixos-unstable: for everyday development; it provides good caching
-    # - master: temporarily if i'm otherwise cherry-picking lots of already-applied patches
-    # - staging-next: if testing stuff that's been PR'd into staging, i.e. base library updates.
-    # - staging: maybe if no staging-next -> master PR has been cut yet?
-    #
-    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=master";
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-staging";
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-staging-next";
-    nixpkgs-next-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
-
-    nixpkgs-wayland = {
-      url = "github:nix-community/nixpkgs-wayland";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
-
-    mobile-nixos = {
-      # <https://github.com/nixos/mobile-nixos>
-      # only used for building disk images, not relevant after deployment
-      # TODO: replace with something else. commit `0f3ac0bef1aea70254a3bae35e3cc2561623f4c1`
-      # replaces the imageBuilder with a "new implementation from celun" and wildly breaks my use.
-      # pinning to d25d3b... is equivalent to holding at 2023-09-15
-      url = "github:nixos/mobile-nixos?ref=d25d3b87e7f300d8066e31d792337d9cd7ecd23b";
-      flake = false;
-    };
-    sops-nix = {
-      # <https://github.com/Mic92/sops-nix>
-      # used to distribute secrets to my hosts
-      url = "github:Mic92/sops-nix";
-      # inputs.nixpkgs.follows = "nixpkgs";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
-    uninsane-dot-org = {
-      # provides the package to deploy <https://uninsane.org>, used only when building the servo host
-      url = "git+https://git.uninsane.org/colin/uninsane";
-      # inputs.nixpkgs.follows = "nixpkgs";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
-  };
-
   outputs = {
     self,
-    nixpkgs-unpatched,
-    nixpkgs-next-unpatched ? nixpkgs-unpatched,
-    nixpkgs-wayland,
-    mobile-nixos,
-    sops-nix,
-    uninsane-dot-org,
-    ...
   }@inputs:
     let
       inherit (builtins) attrNames elem listToAttrs map mapAttrs;
@@ -97,28 +34,13 @@
       # mapAttrs but without the `name` argument
       mapAttrValues = f: mapAttrs (_: f);
 
-      # rather than apply our nixpkgs patches as a flake input, do that here instead.
-      # this (temporarily?) resolves the bad UX wherein a subflake residing in the same git
-      # repo as the main flake causes the main flake to have an unstable hash.
-      patchNixpkgs = variant: nixpkgs: (import ./nixpatches/flake.nix).outputs {
-        inherit variant nixpkgs;
-        self = patchNixpkgs variant nixpkgs;
-      };
+      nixpkgs' = import ./pkgs/additional/nixpkgs;
+      nixpkgsUnpatched = nixpkgs' { doPatch = false; localSystem = "x86_64-linux"; };
+      nixpkgsCompiledBy = { system, variant ? "master" }:
+        (nixpkgs' { inherit variant system; }).legacyPackages."${system}";
 
-      nixpkgs' = patchNixpkgs "master" nixpkgs-unpatched;
-      nixpkgsCompiledBy = system: nixpkgs'.legacyPackages."${system}";
-
-      evalHost = { name, local, target, variant ? null, nixpkgs ? nixpkgs' }: nixpkgs.lib.nixosSystem {
-        system = target;
-        modules = [
-          {
-            nixpkgs.buildPlatform.system = local;
-          }
-          (optionalAttrs (local != target) {
-            # XXX(2023/12/11): cache.nixos.org uses `system = ...` instead of `hostPlatform.system`, and that choice impacts the closure of every package.
-            # so avoid specifying hostPlatform.system on non-cross builds, so i can use upstream caches.
-            nixpkgs.hostPlatform.system = target;
-          })
+      evalHost = { name, local, target, variant ? null, nixpkgs ? nixpkgs' { localSystem = local; system = target;} }: nixpkgs.nixos (
+        [
           (optionalAttrs (variant == "light") {
             sane.maxBuildCost = 2;
           })
@@ -126,16 +48,15 @@
             sane.maxBuildCost = 0;
           })
           (import ./hosts/instantiate.nix { hostName = name; })
-          self.nixosModules.default
-          self.nixosModules.passthru
+          (import ./modules)
+          (nixpkgs.appendOverlays [ self.overlays.pkgs ]).sops-nix.nixosModules.sops
           {
             nixpkgs.overlays = [
-              self.overlays.passthru
               self.overlays.sane-all
             ];
           }
-        ];
-      };
+        ]
+      );
     in {
       nixosConfigurations = let
         hosts = {
@@ -144,18 +65,39 @@
           desko-light = { name = "desko";  local = "x86_64-linux"; target = "x86_64-linux";  variant = "light"; };
           lappy       = { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  };
           lappy-light = { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  variant = "light"; };
-          lappy-min =   { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  variant = "min"; };
+          lappy-min   = { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  variant = "min"; };
           moby        = { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; };
           moby-light  = { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; variant = "light"; };
-          moby-min  =   { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; variant = "min"; };
+          moby-min    = { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; variant = "min"; };
+          # crappy is technically armv7a, and armv7l uses only a _subset_ of the available ISA.
+          # but it's not as widely cached.
+          crappy      = { name = "crappy"; local = "x86_64-linux"; target = "armv7l-linux"; };
+          crappy-min  = { name = "crappy"; local = "x86_64-linux"; target = "armv7l-linux"; variant = "min"; };
+          crappy-7a   = { name = "crappy"; local = "x86_64-linux"; target = "armv7a-linux"; variant = "min"; };
           rescue      = { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux";  };
         };
         hostsNext = mapAttrs' (h: v: {
           name = "${h}-next";
-          value = v // { nixpkgs = patchNixpkgs "staging-next" nixpkgs-next-unpatched; };
+          value = v // {
+            nixpkgs = nixpkgs' {
+              localSystem = v.local;
+              system = v.target;
+              variant = "staging-next";
+            };
+          };
+        }) hosts;
+        hostsStaging = mapAttrs' (h: v: {
+          name = "${h}-staging";
+          value = v // {
+            nixpkgs = nixpkgs' {
+              localSystem = v.local;
+              system = v.target;
+              variant = "staging";
+            };
+          };
         }) hosts;
       in mapAttrValues evalHost (
-        hosts // hostsNext
+        hosts // hostsNext // hostsStaging
       );
 
       # unofficial output
@@ -180,54 +122,37 @@
       hostPkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
       hostPrograms = mapAttrValues (host: mapAttrValues (p: p.package) host.config.sane.programs) self.nixosConfigurations;
 
-      patched.nixpkgs = nixpkgs';
-
       overlays = {
         # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
         #   hence the weird redundancy.
         default = final: prev: self.overlays.pkgs final prev;
         sane-all = final: prev: import ./overlays/all.nix final prev;
         pkgs = final: prev: import ./overlays/pkgs.nix final prev;
-        pins = final: prev: import ./overlays/pins.nix final prev;
         preferences = final: prev: import ./overlays/preferences.nix final prev;
-        passthru = final: prev:
-          let
-            mobile = (import "${mobile-nixos}/overlay/overlay.nix");
-            uninsane = uninsane-dot-org.overlays.default;
-            wayland = final: prev: {
-              # default is to dump the packages into `waylandPkgs` *and* the toplevel.
-              # but i just want the `waylandPkgs` set
-              inherit (nixpkgs-wayland.overlays.default final prev)
-                waylandPkgs
-                new-wayland-protocols  #< 2024/03/10: nixpkgs-wayland assumes this will be in the toplevel
-              ;
-            };
-          in
-            (mobile final prev)
-            // (uninsane final prev)
-            // (wayland final prev)
-          ;
-      };
-
-      nixosModules = rec {
-        default = sane;
-        sane = import ./modules;
-        passthru = { ... }: {
-          imports = [
-            sops-nix.nixosModules.sops
-          ];
-        };
       };
 
       # this includes both our native packages and all the nixpkgs packages.
       legacyPackages =
         let
-          allPkgsFor = sys: (nixpkgsCompiledBy sys).appendOverlays [
-            self.overlays.passthru self.overlays.pkgs
-          ];
+          allPkgsFor = variant: additionalOverlays: system:
+            (nixpkgs' { inherit system variant; localSystem = "x86_64-linux"; })
+            .appendOverlays (
+              [
+                self.overlays.pkgs
+              ] ++ additionalOverlays
+            );
+          allPkgsFor' = system: allPkgsFor
+            "master"
+            [(self: super: {
+              # build `pkgsNext.FOO` to build the package FOO from nixpkgs staging-next branch
+              pkgsNext = allPkgsFor "staging-next" [] system;
+              pkgsStaging = allPkgsFor "staging" [] system;
+            })]
+            system
+          ;
         in {
-          x86_64-linux = allPkgsFor "x86_64-linux";
-          aarch64-linux = allPkgsFor "aarch64-linux";
+          x86_64-linux = allPkgsFor' "x86_64-linux";
+          aarch64-linux = allPkgsFor' "aarch64-linux";
         };
 
       # extract only our own packages from the full set.
@@ -242,17 +167,12 @@
             && (passthruPkgs.lib.meta.availableOn passthruPkgs.stdenv.hostPlatform pkg)
           )
           (
-            # expose sane packages and chosen inputs (uninsane.org)
-            (import ./pkgs { pkgs = passthruPkgs; }) // {
-              inherit (passthruPkgs) uninsane-dot-org;
-            }
+            import ./pkgs { pkgs = passthruPkgs; }
           )
         )
         # self.legacyPackages;
         {
-          x86_64-linux = (nixpkgsCompiledBy "x86_64-linux").appendOverlays [
-            self.overlays.passthru
-          ];
+          x86_64-linux = nixpkgs' { localSystem = "x86_64-linux"; };
         }
       ;
 
@@ -495,7 +415,11 @@
             program = builtins.toString (pkgs.writeShellScript "sync-to-moby" ''
               sudo mount /mnt/moby/home
               sudo mount /mnt/desko/home
+              sudo mount /mnt/servo/media/Books
+              # copy photos/screenshots from moby to desko:
               ${pkgs.rsync}/bin/rsync -arv --exclude servo-macros /mnt/moby/home/Pictures/ /mnt/desko/home/Pictures/moby/
+              # copy books from servo to moby; delete old/untracked ones, but keep KOreader state files (sdr)
+              ${pkgs.rsync}/bin/rsync -arv --delete --exclude unprocessed --exclude '*.sdr' /mnt/servo/media/Books/ /mnt/moby/home/Books/local/servo/
               # N.B.: limited by network/disk -> reduce job count to improve pause/resume behavior
               ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat --jobs 4 /mnt/servo/media/Music /mnt/moby/home/Music "$@"
             '');
@@ -528,7 +452,7 @@
                 --option restrict-eval true \
                 --option allow-import-from-derivation true \
                 --drv-path --show-trace \
-                -I nixpkgs=${nixpkgs-unpatched} \
+                -I nixpkgs=${nixpkgsUnpatched} \
                 -I nixpkgs-overlays=${./.}/hosts/common/nix/overlay \
                 -I ../../ \
                 | tee  # tee to prevent interactive mode
@@ -631,6 +555,19 @@
           path = ./templates/env/python-data;
           description = "python environment for data processing";
         };
+
+        pkgs.make = {
+          # initialize with:
+          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.make'`
+          path = ./templates/pkgs/make;
+          description = "default Makefile-based derivation";
+        };
+        pkgs.python = {
+          # initialize with:
+          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.python'`
+          path = ./templates/pkgs/python;
+          description = "python package";
+        };
         pkgs.rust-inline = {
           # initialize with:
           # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.rust-inline'`
@@ -643,12 +580,6 @@
           path = ./templates/pkgs/rust;
           description = "rust package fit to ship in nixpkgs";
         };
-        pkgs.make = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.make'`
-          path = ./templates/pkgs/make;
-          description = "default Makefile-based derivation";
-        };
       };
     };
 }

hosts/by-name/crappy/default.nix

@@ -0,0 +1,37 @@
+# Samsung chromebook XE303C12
+# - <https://wiki.postmarketos.org/wiki/Samsung_Chromebook_(google-snow)>
+{ ... }:
+{
+  imports = [
+    ./fs.nix
+  ];
+
+  sane.hal.samsung.enable = true;
+  sane.roles.client = true;
+  # sane.roles.pc = true;
+
+  users.users.colin.initialPassword = "147147";
+  sane.programs.sway.enableFor.user.colin = true;
+  sane.programs.calls.enableFor.user.colin = false;
+  sane.programs.consoleMediaUtils.enableFor.user.colin = true;
+  sane.programs.epiphany.enableFor.user.colin = true;
+  sane.programs."gnome.geary".enableFor.user.colin = false;
+  # sane.programs.firefox.enableFor.user.colin = true;
+  sane.programs.portfolio-filemanager.enableFor.user.colin = true;
+  sane.programs.signal-desktop.enableFor.user.colin = false;
+  sane.programs.wike.enableFor.user.colin = true;
+
+  # sane.programs.pcGuiApps.enableFor.user.colin = false;  #< errors!
+
+  sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
+  # sane.programs.brave.enableFor.user.colin = false;  # 2024/06/03: fails eval if enabled on cross
+  # sane.programs.firefox.enableFor.user.colin = false;  # 2024/06/03: this triggers an eval error in yarn stuff -- i'm doing IFD somewhere!!?
+  sane.programs.mepo.enableFor.user.colin = false;  # 2024/06/04: doesn't cross compile (nodejs)
+  sane.programs.mercurial.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.nixpkgs-review.enableFor.user.colin = false;  # 2024/06/03: OOMs when cross compiling
+  sane.programs.ntfy-sh.enableFor.user.colin = false;  # 2024/06/04: doesn't cross compile (nodejs)
+  sane.programs.pwvucontrol.enableFor.user.colin = false;  # 2024/06/03: doesn't cross compile (libspa-sys)
+  sane.programs."sane-scripts.bt-search".enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.sequoia.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.zathura.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+}

hosts/by-name/crappy/fs.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/55555555-0303-0c12-86df-eda9e9311526";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/303C-5A37";
+    fsType = "vfat";
+  };
+}

hosts/by-name/desko/default.nix

@@ -35,7 +35,6 @@
   sane.programs."gnome.geary".config.autostart = true;
   sane.programs.signal-desktop.config.autostart = true;
 
-  boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   # needed to use libimobiledevice/ifuse, for iphone sync
@@ -52,7 +51,4 @@
     # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
     ALLOW_USERS = [ "colin" ];
   };
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }

hosts/by-name/lappy/default.nix

@@ -13,7 +13,6 @@
   # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:0332:aa96/128";
 
   # sane.guest.enable = true;
-  boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sane.programs.stepmania.enableFor.user.colin = true;
@@ -34,7 +33,4 @@
     SUBVOLUME = "/nix";
     ALLOW_USERS = [ "colin" ];
   };
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }

hosts/by-name/lappy/xkb_mobile_normal_buttons

@@ -1,7 +0,0 @@
-xkb_keymap {
-	xkb_keycodes  { include "evdev+aliases(qwerty)"	};
-	xkb_types     { include "complete"	};
-	xkb_compat    { include "complete"	};
-	xkb_symbols   { include "pc+us+inet(evdev)"	};
-	xkb_geometry  { include "pc(pc105)"	};
-};

hosts/by-name/moby/bootloader.nix

@@ -1,22 +0,0 @@
-# tow-boot: <https://tow-boot.org>
-# docs (pinephone specific): <https://github.com/Tow-Boot/Tow-Boot/tree/development/boards/pine64-pinephoneA64>
-# LED and button behavior is defined here: <https://github.com/Tow-Boot/Tow-Boot/blob/development/modules/tow-boot/phone-ux.nix>
-# - hold VOLDOWN: enter recovery mode
-#   - LED will turn aqua instead of yellow
-#   - recovery mode would ordinarily allow a selection of entries, but for pinephone i guess it doesn't do anything?
-# - hold VOLUP: force it to load the OS from eMMC?
-#   - LED will turn blue instead of yellow
-# boot LEDs:
-# - yellow = entered tow-boot
-# - 10 red flashes => poweroff means tow-boot couldn't boot into the next stage (i.e. distroboot)
-#   - distroboot: <https://source.denx.de/u-boot/u-boot/-/blob/v2022.04/doc/develop/distro.rst>)
-{ config, pkgs, ... }:
-{
-  # we need space in the GPT header to place tow-boot.
-  # only actually need 1 MB, but better to over-allocate than under-allocate
-  sane.image.extraGPTPadding = 16 * 1024 * 1024;
-  sane.image.firstPartGap = 0;
-  sane.image.installBootloader = ''
-    dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out/nixos.img bs=1024 seek=8 conv=notrunc
-  '';
-}

hosts/by-name/moby/default.nix

@@ -9,16 +9,13 @@
 { config, pkgs, lib, ... }:
 {
   imports = [
-    ./bootloader.nix
     ./fs.nix
     ./gps.nix
-    ./kernel.nix
-    ./polyfill.nix
   ];
 
+  sane.hal.pine64.enable = true;
   sane.roles.client = true;
   sane.roles.handheld = true;
-  sane.programs.zsh.config.showDeadlines = false;  # unlikely to act on them when in shell
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
   sane.ovpn.addrV4 = "172.24.87.255";
@@ -32,11 +29,6 @@
   sops.secrets.colin-passwd.neededForUsers = true;
 
   sane.programs.sway.enableFor.user.colin = true;
-  sane.programs.swaylock.enableFor.user.colin = false;  #< not usable on touch
-  sane.programs.schlock.enableFor.user.colin = true;
-  sane.programs.swayidle.config.actions.screenoff.delay = 300;
-  sane.programs.swayidle.config.actions.screenoff.enable = true;
-  sane.programs.sane-input-handler.enableFor.user.colin = true;
   sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
   sane.programs.fcitx5.enableFor.user.colin = false;  # does not cross compile
   sane.programs.mercurial.enableFor.user.colin = false;  # does not cross compile
@@ -52,10 +44,6 @@
   # sane.programs."gnome.geary".config.autostart = true;
   # sane.programs.calls.config.autostart = true;
 
-  sane.programs.firefox.mime.priority = 300;  # prefer other browsers when possible
-  # HACK/TODO: make `programs.P.env.VAR` behave according to `mime.priority`
-  sane.programs.firefox.env = lib.mkForce {};
-  sane.programs.epiphany.env.BROWSER = "epiphany";
   sane.programs.pipewire.config = {
     # tune so Dino doesn't drop audio
     # there's seemingly two buffers for the mic (see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/FAQ#pipewire-buffering-explained>)
@@ -72,53 +60,7 @@
     max-quantum = 8192;
   };
 
-  boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.
   # even 10 can be too much
   boot.loader.generic-extlinux-compatible.configurationLimit = 8;
-  # mobile.bootloader.enable = false;
-  # mobile.boot.stage-1.enable = false;
-  # boot.initrd.systemd.enable = false;
-  # boot.initrd.services.swraid.enable = false;  # attempt to fix dm_mod stuff
-
-  # hardware.firmware makes the referenced files visible to the kernel, for whenever a driver explicitly asks for them.
-  # these files are visible from userspace by following `/sys/module/firmware_class/parameters/path`
-  #
-  # mobile-nixos' /lib/firmware includes:
-  #   rtl_bt          (bluetooth)
-  #   anx7688-fw.bin  (USB-C chip: power negotiation, HDMI/dock)
-  #   ov5640_af.bin   (camera module)
-  # hardware.firmware = [ config.mobile.device.firmware ];
-  # hardware.firmware = [ pkgs.rtl8723cs-firmware ];
-  hardware.firmware = [
-    (pkgs.linux-firmware-megous.override {
-      # rtl_bt = false probably means no bluetooth connectivity.
-      # N.B.: DON'T RE-ENABLE without first confirming that wake-on-lan works during suspend (rtcwake).
-      # it seems the rtl_bt stuff ("bluetooth coexist") might make wake-on-LAN radically more flaky.
-      rtl_bt = false;
-    })
-  ];
-
-  system.stateVersion = "21.11";
-
-  # defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
-  # XXX colin: not sure which, if any, software makes use of this
-  environment.etc."machine-info".text = ''
-    CHASSIS="handset"
-  '';
-
-  # enable rotation sensor
-  # hardware.sensor.iio.enable = true;
-
-  services.udev.extraRules = let
-    chmod = "${pkgs.coreutils}/bin/chmod";
-    chown = "${pkgs.coreutils}/bin/chown";
-  in ''
-    # make Pinephone flashlight writable by user.
-    # taken from postmarketOS: <repo:postmarketOS/pmaports:device/main/device-pine64-pinephone/60-flashlight.rules>
-    SUBSYSTEM=="leds", DEVPATH=="*/*:flash", RUN+="${chmod} g+w /sys%p/brightness /sys%p/flash_strobe", RUN+="${chown} :video /sys%p/brightness /sys%p/flash_strobe"
-
-    # make Pinephone front LEDs writable by user.
-    SUBSYSTEM=="leds", DEVPATH=="*/*:indicator", RUN+="${chmod} g+w /sys%p/brightness", RUN+="${chown} :video /sys%p/brightness"
-  '';
 }

hosts/by-name/moby/kernel.nix

@@ -1,271 +0,0 @@
-{ pkgs, ... }:
-let
-  dmesg = "${pkgs.util-linux}/bin/dmesg";
-  grep = "${pkgs.gnugrep}/bin/grep";
-  modprobe = "${pkgs.kmod}/bin/modprobe";
-  ensureHWReady = ''
-    # common boot failure:
-    # blank screen (no backlight even), with the following log:
-    # ```syslog
-    # sun8i-dw-hdmi 1ee0000.hdmi: Couldn't get the HDMI PHY
-    # ...
-    # sun4i-drm display-engine: Couldn't bind all pipelines components
-    # ...
-    # sun8i-dw-hdmi: probe of 1ee0000.hdmi failed with error -17
-    # ```
-    #
-    # in particular, that `probe ... failed` occurs *only* on failed boots
-    # (the other messages might sometimes occur even on successful runs?)
-    #
-    # reloading the sun8i hdmi driver usually gets the screen on, showing boot text.
-    # then restarting display-manager.service gets us to the login.
-    #
-    # NB: the above log is default level. though less specific, there's a `err` level message that also signals this:
-    # sun4i-drm display-engine: failed to bind 1ee0000.hdmi (ops sun8i_dw_hdmi_ops [sun8i_drm_hdmi]): -17
-    # NB: this is the most common, but not the only, failure mode for `display-manager`.
-    # another error seems characterized by these dmesg logs, in which reprobing sun8i_drm_hdmi does not fix:
-    # ```syslog
-    # sun6i-mipi-dsi 1ca0000.dsi: Couldn't get the MIPI D-PHY
-    # sun4i-drm display-engine: Couldn't bind all pipelines components
-    # sun6i-mipi-dsi 1ca0000.dsi: Couldn't register our component
-    # ```
-
-    if (${dmesg} --kernel --level err --color=never --notime | ${grep} -q 'sun4i-drm display-engine: failed to bind 1ee0000.hdmi')
-    then
-      echo "reprobing sun8i_drm_hdmi"
-      # if a command here fails it errors the whole service, so prefer to log instead
-      ${modprobe} -r sun8i_drm_hdmi || echo "failed to unload sun8i_drm_hdmi"
-      ${modprobe} sun8i_drm_hdmi || echo "failed to load sub8i_drm_hdmi"
-    fi
-  '';
-in
-{
-  # kernel compatibility (2024/05/22: 03dab630)
-  # - linux-megous: boots to ssh, desktop
-  #   - camera apps: megapixels (no cameras found), snapshot (no cameras found)
-  # - linux-postmarketos: boots to ssh. desktop ONLY if "anx7688" is in the initrd.availableKernelModules.
-  #   - camera apps: megapixels (both rear and front cameras work), `cam -l` (finds only the rear camera), snapshot (no cameras found)
-  # - linux-megous.override { withMegiPinephoneConfig = true; }: NO SSH, NO SIGNS OF LIFE
-  # - linux-megous.override { withFullConfig = false; }: boots to ssh, no desktop
-  #
-  boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux-postmarketos.override {
-    withModemPower = true;
-  });
-  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
-  # boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux-megous.override {
-  #   withFullConfig = false;
-  # });
-  # boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux-megous.override {
-  #   withMegiPinephoneConfig = true;  #< N.B.: does not boot as of 2024/05/22!
-  # });
-  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-manjaro;
-  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
-
-  # nixpkgs.hostPlatform.linux-kernel becomes stdenv.hostPlatform.linux-kernel
-  nixpkgs.hostPlatform.linux-kernel = {
-    # defaults:
-    name = "aarch64-multiplatform";
-    # baseConfig: defaults to "defconfig";
-    # baseConfig = "pinephone_defconfig";  #< N.B.: ignored by `pkgs.linux-megous`
-    DTB = true;  #< DTB: compile device tree blobs
-    # autoModules (default: true): for config options not manually specified, answer `m` to anything which supports it.
-    # - this effectively builds EVERY MODULE SUPPORTED.
-    autoModules = true;  #< N.B.: ignored by `pkgs.linux-megous`
-    # preferBuiltin (default: false; true for rpi): for config options which default to `Y` upstream, build them as `Y` (overriding `autoModules`)
-    # preferBuiltin = false;
-
-    # build a compressed kernel image: without this i run out of /boot space in < 10 generations
-    # target = "Image";  # <-- default
-    target = "Image.gz";  # <-- compress the kernel image
-    # target = "zImage";  # <-- confuses other parts of nixos :-(
-  };
-
-  # boot.initrd.kernelModules = [
-  #   "drm"  #< force drm to be plugged
-  # ];
-  boot.initrd.availableKernelModules = [
-    # see <repo:postmarketOS/pmaports:device/main/device-pine64-pinephone/modules-initfs>
-    # - they include sun6i_mipi_dsi sun4i_drm pwm_sun4i sun8i_mixer anx7688 gpio_vibra pinephone_keyboard
-    "anx7688" #< required for display initialization and functional cameras
-    # full list of modules active post-boot with the linux-megous kernel + autoModules=true:
-    # - `lsmod | sort | cut -d ' ' -f 1`
-    # "8723cs"
-    # "axp20x_adc"  #< NOT FOUND in megous-no-autoModules
-    # "axp20x_battery"
-    # "axp20x_pek"
-    # "axp20x_usb_power"
-    # "backlight"
-    # "blake2b_generic"
-    # "bluetooth"
-    # "bridge"
-    # "btbcm"
-    # "btqca"
-    # "btrfs"
-    # "btrtl"
-    # "cec"
-    # "cfg80211"
-    # "chacha_neon"
-    # "crc_ccitt"
-    # "crct10dif_ce"
-    # "crypto_engine"
-    # "display_connector"  #< NOT FOUND in pmos
-    # "drm"
-    # "drm_display_helper"
-    # "drm_dma_helper"
-    # "drm_kms_helper"
-    # "drm_shmem_helper"
-    # "dw_hdmi"
-    # "dw_hdmi_cec"  #< NOT FOUND in pmos
-    # "dw_hdmi_i2s_audio"
-    # "ecc"
-    # "ecdh_generic"
-    # "fuse"
-    # "gc2145"  #< NOT FOUND in megous-no-autoModules
-    # "goodix_ts"
-    # "gpio_vibra"  #< NOT FOUND in megous-no-autoModules
-    # "gpu_sched"
-    # "hci_uart"
-    # "i2c_gpio"
-    # "inv_mpu6050"  #< NOT FOUND in megous-no-autoModules
-    # "inv_mpu6050_i2c"  #< NOT FOUND in megous-no-autoModules
-    # "inv_sensors_timestamp"  #< NOT FOUND in megous-no-autoModules
-    # "ip6t_rpfilter"
-    # "ip6_udp_tunnel"
-    # "ip_set"
-    # "ip_set_hash_ipport"
-    # "ip_tables"
-    # "ipt_rpfilter"
-    # "joydev"
-    # "led_class_flash"  #< NOT FOUND in megous-no-autoModules
-    # "leds_sgm3140"  #< NOT FOUND in megous-no-autoModules
-    # "ledtrig_pattern"  #< NOT FOUND in megous-no-autoModules
-    # "libarc4"
-    # "libchacha"
-    # "libchacha20poly1305"
-    # "libcrc32c"
-    # "libcurve25519_generic"
-    # "lima"
-    # "llc"
-    # "mac80211"
-    # "macvlan"
-    # "mc"
-    # "modem_power"
-    # "mousedev"
-    # "nf_conntrack"
-    # "nf_defrag_ipv4"
-    # "nf_defrag_ipv6"
-    # "nf_log_syslog"
-    # "nf_nat"
-    # "nfnetlink"
-    # "nf_tables"
-    # "nft_chain_nat"
-    # "nft_compat"
-    # "nls_cp437"
-    # "nls_iso8859_1"
-    # "nvmem_reboot_mode"
-    # "ov5640"
-    # "panel_sitronix_st7703"
-    # "phy_sun6i_mipi_dphy"
-    # "pinctrl_axp209"  #< NOT FOUND in pmos
-    # "pinephone_keyboard"  #< NOT FOUND in megous-no-autoModules
-    # "poly1305_neon"
-    # "polyval_ce"
-    # "polyval_generic"
-    # "ppkb_manager"  #< NOT FOUND in megous-no-autoModules
-    # "pwm_bl"
-    # "pwm_sun4i"
-    # "qrtr"
-    # "raid6_pq"
-    # "rfkill"
-    # "rtw88_8703b"
-    # "rtw88_8723cs"
-    # "rtw88_8723x"
-    # "rtw88_core"
-    # "rtw88_sdio"
-    # "sch_fq_codel"
-    # "sm4"
-    # "snd_soc_bt_sco"
-    # "snd_soc_ec25"  #< NOT FOUND in megous-no-autoModules
-    # "snd_soc_hdmi_codec"
-    # "snd_soc_simple_amplifier"
-    # "snd_soc_simple_card"
-    # "snd_soc_simple_card_utils"
-    # "stk3310"  #< NOT FOUND in megous-no-autoModules
-    # "st_magn"
-    # "st_magn_i2c"
-    # "st_magn_spi"  #< NOT FOUND in pmos
-    # "stp"
-    # "st_sensors"
-    # "st_sensors_i2c"
-    # "st_sensors_spi"  #< NOT FOUND in pmos
-    # "sun4i_drm"
-    # "sun4i_i2s"
-    # "sun4i_lradc_keys"  #< NOT FOUND in megous-no-autoModules
-    # "sun4i_tcon"
-    # "sun50i_codec_analog"
-    # "sun6i_csi"
-    # "sun6i_dma"
-    # "sun6i_mipi_dsi"
-    # "sun8i_a33_mbus"  #< NOT FOUND in megous-no-autoModules
-    # "sun8i_adda_pr_regmap"
-    # "sun8i_ce"  #< NOT FOUND in pmos
-    # "sun8i_codec"  #< NOT FOUND in megous-no-autoModules
-    # "sun8i_di"  #< NOT FOUND in megous-no-autoModules
-    # "sun8i_drm_hdmi"
-    # "sun8i_mixer"
-    # "sun8i_rotate"  #< NOT FOUND in megous-no-autoModules
-    # "sun8i_tcon_top"
-    # "sun9i_hdmi_audio"  #< NOT FOUND in megous-no-autoModules
-    # "sunxi_wdt"  #< NOT FOUND in pmos
-    # "tap"
-    # "typec"  #< NOT FOUND in pmos
-    # "udp_tunnel"
-    # "uio"  #< NOT FOUND in pmos
-    # "uio_pdrv_genirq"
-    # "v4l2_async"
-    # "v4l2_cci" #< NOT FOUND in pmos
-    # "v4l2_flash_led_class"  #< NOT FOUND in megous-no-autoModules
-    # "v4l2_fwnode"
-    # "v4l2_mem2mem"
-    # "videobuf2_common"
-    # "videobuf2_dma_contig"
-    # "videobuf2_memops"
-    # "videobuf2_v4l2"
-    # "videodev"
-    # "wireguard"
-    # "xor"
-    # "x_tables"
-    # "xt_conntrack"
-    # "xt_LOG"
-    # "xt_nat"
-    # "xt_pkttype"
-    # "xt_set"
-    # "xt_tcpudp"
-    # "zram"
-  ];
-
-  # disable proximity sensor.
-  # the filtering/calibration is bad that it causes the screen to go fully dark at times.
-  # boot.blacklistedKernelModules = [ "stk3310" ];
-
-  boot.kernelParams = [
-    # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
-    # this is because they can't allocate enough video ram.
-    # see related nixpkgs issue: <https://github.com/NixOS/nixpkgs/issues/260222>
-    # TODO(2023/12/03): remove once mesa 23.3.1 lands: <https://github.com/NixOS/nixpkgs/pull/265740>
-    #
-    # the default CMA seems to be 32M.
-    # i was running fine with 256MB from 2022/07-ish through 2022/12-ish, but then the phone quit reliably coming back from sleep (phosh): maybe a memory leak?
-    # bumped to 512M on 2023/01
-    # bumped to 1536M on 2024/05
-    # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
-    # kernel param mentioned here: <https://cateee.net/lkddb/web-lkddb/CMA_SIZE_PERCENTAGE.html>
-    # i think cma mem isn't exclusive -- it can be used as ordinary `malloc`, still. i heard someone suggest the OS default should just be 50% memory to CMA.
-    "cma=1536M"
-    # 2023/10/20: potential fix for the lima (GPU) timeout bugs:
-    # - <https://gitlab.com/postmarketOS/pmaports/-/issues/805#note_890467824>
-    "lima.sched_timeout_ms=2000"
-  ];
-
-  systemd.services.unl0kr.preStart = ensureHWReady;
-}

hosts/by-name/moby/polyfill.nix

@@ -1,45 +0,0 @@
-# this file configures preferences per program, without actually enabling any programs.
-# the goal is to separate the place where we decide *what* to use (i.e. `sane.programs.firefox.enable = true` -- at the toplevel)
-# from where we specific how that thing should behave *if* it's in use.
-#
-# NixOS backgrounds:
-# - <https://github.com/NixOS/nixos-artwork>
-#   - <https://github.com/NixOS/nixos-artwork/issues/50>  (colorful; unmerged)
-#   - <https://github.com/NixOS/nixos-artwork/pull/60/files>  (desktop-oriented; clean; unmerged)
-# - <https://itsfoss.com/content/images/2023/04/nixos-tutorials.png>
-
-{ lib, pkgs, sane-lib, ... }:
-{
-  sane.programs.firefox.config = {
-    # compromise impermanence for the sake of usability
-    persistCache = "private";
-    persistData = "private";
-
-    # i don't do crypto stuff on moby
-    addons.ether-metamask.enable = false;
-    # sidebery UX doesn't make sense on small screen
-    addons.sidebery.enable = false;
-  };
-  sane.programs.swaynotificationcenter.config = {
-    backlight = "backlight";  # /sys/class/backlight/*backlight*/brightness
-  };
-
-  sane.programs.alacritty.config.fontSize = 9;
-
-  sane.programs.sway.config = {
-    font = "pango:monospace 10";
-    mod = "Mod1";  # prefer Alt
-    workspace_layout = "tabbed";
-  };
-
-  sane.programs.waybar.config = {
-    fontSize = 14;
-    height = 26;
-    persistWorkspaces = [ "1" "2" "3" "4" "5" ];
-    modules.media = false;
-    modules.network = false;
-    modules.perf = false;
-    modules.windowTitle = false;
-    # TODO: show modem state
-  };
-}

hosts/by-name/rescue/default.nix

@@ -4,7 +4,6 @@
     ./fs.nix
   ];
 
-  boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
   sane.persist.enable = false;  # what we mean here is that the image is immutable; `/` is still tmpfs.
   sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
@@ -12,7 +11,4 @@
   # auto-login at shell
   services.getty.autologinUser = "colin";
   # users.users.colin.initialPassword = "colin";
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }

hosts/by-name/servo/default.nix

@@ -38,7 +38,6 @@
   # using root here makes sure we always have an escape hatch
   services.getty.autologinUser = "root";
 
-  boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   # both transmission and ipfs try to set different net defaults.
@@ -46,13 +45,5 @@
   boot.kernel.sysctl = {
     "net.core.rmem_max" = 4194304;  # 4MB
   };
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11";
 }
 

hosts/by-name/servo/services/gitea.nix

@@ -53,6 +53,8 @@
     session.COOKIE_SECURE = true;
     repository = {
       DEFAULT_BRANCH = "master";
+      ENABLE_PUSH_CREATE_USER = true;
+      ENABLE_PUSH_CREATE_ORG = true;
     };
     other = {
       SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;

hosts/common/boot.nix

@@ -1,10 +1,5 @@
-{ config, lib, pkgs, ... }:
-
+{ lib, pkgs, ... }:
 {
-  imports = [
-    ./x86_64.nix
-  ];
-
   boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
   # useful emergency utils
   boot.initrd.extraUtilsCommands = ''
@@ -35,16 +30,6 @@
   # servo needs zfs though, which doesn't support every kernel.
   boot.kernelPackages = lib.mkDefault pkgs.zfs.latestCompatibleLinuxPackages;
 
-  # TODO: remove after linux 6.9. see: <https://github.com/axboe/liburing/issues/1113>
-  # - <https://github.com/neovim/neovim/issues/28149>
-  # - <https://git.kernel.dk/cgit/linux/commit/?h=io_uring-6.9&id=e5444baa42e545bb929ba56c497e7f3c73634099>
-  # when removing, try starting and suspending (ctrl+z) two instances of neovim simultaneously.
-  # if the system doesn't freeze, then this is safe to remove.
-  # added 2024-04-04
-  sane.user.fs.".profile".symlink.text = lib.mkBefore ''
-    export UV_USE_IO_URING=0
-  '';
-
   # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
   boot.initrd.preFailCommands = "allowShell=1";
 
@@ -62,38 +47,4 @@
   # e.g. in dyn-dns by `systemctl start dyn-dns-watcher.path`.
   # see: <https://askubuntu.com/questions/828779/failed-to-add-run-systemd-ask-password-to-directory-watch-no-space-left-on-dev>
   boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
-
-  # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
-  powerManagement.powertop.enable = false;
-  # linux CPU governor: <https://www.kernel.org/doc/Documentation/cpu-freq/governors.txt>
-  # - options:
-  #   - "powersave" => force CPU to always run at lowest supported frequency
-  #   - "performance" => force CPU to always run at highest frequency
-  #   - "ondemand" => adjust frequency based on load
-  #   - "conservative"  (ondemand but slower to adjust)
-  #   - "schedutil"
-  #   - "userspace"
-  # - not all options are available for all platforms
-  #   - intel (intel_pstate) appears to manage scaling w/o intervention/control from the OS.
-  #   - AMD (acpi-cpufreq) appears to manage scaling via the OS *or* HW. but the ondemand defaults never put it to max hardware frequency.
-  #   - qualcomm (cpufreq-dt) appears to manage scaling *only* via the OS. ondemand governor exercises the full range.
-  # - query details with `sudo cpupower frequency-info`
-  powerManagement.cpuFreqGovernor = "ondemand";
-
-  # see: `man logind.conf`
-  # don’t shutdown when power button is short-pressed (commonly done an accident, or by cats).
-  #   but do on long-press: useful to gracefully power-off server.
-  services.logind.powerKey = "lock";
-  services.logind.powerKeyLongPress = "poweroff";
-  services.logind.lidSwitch = "lock";
-
-  # services.snapper.configs = {
-  #   root = {
-  #     subvolume = "/";
-  #     extraConfig = {
-  #       ALLOW_USERS = "colin";
-  #     };
-  #   };
-  # };
-  # services.snapper.snapshotInterval = "daily";
 }

hosts/common/default.nix

@@ -1,9 +1,9 @@
 { config, lib, pkgs, ... }:
 {
   imports = [
+    ./boot.nix
     ./feeds.nix
     ./fs.nix
-    ./hardware
     ./home
     ./hosts.nix
     ./ids.nix
@@ -13,12 +13,18 @@
     ./persist.nix
     ./polyunfill.nix
     ./programs
+    ./quirks.nix
     ./secrets.nix
     ./ssh.nix
     ./systemd.nix
     ./users
   ];
 
+
+  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
+  # this affects where nixos modules look for stateful data which might have been migrated across releases.
+  system.stateVersion = "21.11";
+
   sane.nixcache.enable-trusted-keys = true;
   sane.nixcache.enable = lib.mkDefault true;
   sane.persist.enable = lib.mkDefault true;
@@ -26,9 +32,6 @@
   sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
   sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
 
-  nixpkgs.config.allowUnfree = true;  # NIXPKGS_ALLOW_UNFREE=1
-  nixpkgs.config.allowBroken = true;  # NIXPKGS_ALLOW_BROKEN=1
-
   # time.timeZone = "America/Los_Angeles";
   time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
 

hosts/common/net/modemmanager.nix

@@ -32,15 +32,33 @@
     # serviceConfig.Restart = "on-abort";
     # serviceConfig.StandardError = "null";
     # serviceConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN";
-    # serviceConfig.ProtectSystem = true;
-    # serviceConfig.ProtectHome = true;
+    # serviceConfig.ProtectSystem = true;  # makes empty: /boot, /usr
+    # serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
     # serviceConfig.PrivateTmp = true;
     # serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
     # serviceConfig.NoNewPrivileges = true;
 
-    # TODO: sandbox more aggressively
-    # - CAP_NET_ADMIN *only*?
-    # it needs these paths:
+    serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];  #< TODO: make sure this is *really* taking effect, and isn't supplemental to upstream's `CAP_SYS_ADMIN` setting
+    serviceConfig.LockPersonality = true;
+    # serviceConfig.PrivateUsers = true;  #< untried, not likely to work since it needs capabilities
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectSystem = "strict";  # makes read-only all but /dev, /proc, /sys
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_NETLINK"
+      "AF_QIPCRTR"
+      "AF_UNIX"
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+
+    # from earlier `landlock` sandboxing, i know it needs these directories:
     # - # "/"
     # - "/dev" #v modem-power + net are not enough
     # - # "/dev/modem-power"

hosts/common/net/networkmanager.nix

@@ -61,20 +61,46 @@ in {
     serviceConfig.AmbientCapabilities = [
       # "CAP_DAC_OVERRIDE"
       "CAP_NET_ADMIN"
-      "CAP_NET_RAW"
+      "CAP_NET_RAW"  #< required, else `libndp: ndp_sock_open: Failed to create ICMP6 socket.`
       "CAP_NET_BIND_SERVICE"  #< this *does* seem to be necessary, though i don't understand why. DHCP?
       # "CAP_SYS_MODULE"
-      "CAP_AUDIT_WRITE"  #< allow writing to the audit log
+      # "CAP_AUDIT_WRITE"  #< allow writing to the audit log (optional)
       # "CAP_KILL"
     ];
-    # TODO: it needs these directories:
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    # serviceConfig.PrivateUsers = true;  #< BREAKS NetworkManager (presumably, it causes a new user namespace, breaking CAP_NET_ADMIN & others).  "platform-linux: do-change-link[3]: failure 1 (Operation not permitted)"
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
+    serviceConfig.ProtectKernelTunables = true;  # but NM might need to write /proc/sys/net/...
+    serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+      "AF_NETLINK"  # breaks near DHCP without this
+      "AF_PACKET"  # for DHCP
+      "AF_UNIX"
+      # AF_ALG ?
+      # AF_BLUETOOTH ?
+      # AF_BRIDGE ?
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+    # from earlier `landlock` sandboxing, i know it needs these directories:
     # - "/proc/net"
     # - "/proc/sys/net"
     # - "/run/NetworkManager"
     # - "/run/systemd"  # for trust-dns-nmhook
     # - "/run/udev"
     # - # "/run/wg-home.priv"
-    # - "/sys/class"  #< TODO: specify this more precisely
+    # - "/sys/class"
     # - "/sys/devices"
     # - "/var/lib/NetworkManager"
     # - "/var/lib/trust-dns"  #< for trust-dns-nmhook
@@ -96,9 +122,29 @@ in {
     # ];
     # serviceConfig.Restart = "always";
     # serviceConfig.RestartSec = "1s";
-    serviceConfig.User = "networkmanager";
+
+    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `trust-dns`'s files in the nm hook)
+    serviceConfig.User = "networkmanager";  # TODO: should arguably use `DynamicUser`
     serviceConfig.Group = "networkmanager";
-    # TODO: it needs access only to the above mentioned directories
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to trust-dns hook
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_UNIX"  # required, probably for dbus or systemd connectivity
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
   };
 
   # harden wpa_supplicant (used by NetworkManager)
@@ -109,7 +155,31 @@ in {
       "CAP_NET_ADMIN"
       "CAP_NET_RAW"
     ];
-    # TODO: it needs only these paths:
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    # serviceConfig.PrivateDevices = true;  # untried, not likely to work. remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    # serviceConfig.PrivateUsers = true;  #< untried, not likely to work
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;  #< N.B.: i think this makes certain /proc writes fail
+    serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_INET"  #< required
+      "AF_INET6"
+      "AF_NETLINK"  #< required
+      "AF_PACKET"  #< required
+      "AF_UNIX"  #< required (wpa_supplicant wants to use dbus)
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+
+    # from earlier `landlock` sandboxing, i know it needs only these paths:
     # - "/dev/net"
     # - "/dev/rfkill"
     # - "/proc/sys/net"

hosts/common/programs/assorted.nix

@@ -240,6 +240,7 @@ in
       # "powermanga"    # STYLISH space invaders derivative (keyboard-only)
       "shattered-pixel-dungeon"  # doesn't cross compile
       "space-cadet-pinball"  # LMB/RMB controls (bindable though. volume buttons?)
+      "steam"
       "superTux"  # keyboard-only controls
       "superTuxKart"  # poor FPS on pinephone
       "tumiki-fighters" # keyboard-only
@@ -373,7 +374,6 @@ in
       # "slic3r"
       "soundconverter"
       "spotify"  # x86-only
-      "steam"
       "tor-browser"  # x86-only
       # "vlc"
       "wireshark"  # could maybe ship the cli as sysadmin pkg

hosts/common/programs/brave.nix

@@ -1,6 +1,12 @@
-{ ... }:
+{ pkgs, ... }:
 {
   sane.programs.brave = {
+    # convert eval error to build failure
+    packageUnwrapped = if (builtins.tryEval pkgs.brave).success then
+      pkgs.brave
+    else
+      pkgs.runCommandLocal "brave-not-supported" {} "false"
+    ;
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # /opt/share/brave.com vendor-style packaging
     sandbox.net = "all";

hosts/common/programs/mpv/default.nix

@@ -148,52 +148,51 @@ let
 in
 {
   sane.programs.mpv = {
-    packageUnwrapped = pkgs.wrapMpv
-      (mpv-unwrapped.override rec {
+    packageUnwrapped = mpv-unwrapped.wrapper {
+      mpv = mpv-unwrapped.override rec {
         # N.B.: populating `self` to `luajit` is necessary for the resulting `lua.withPackages` function to preserve my override.
         # i use enable52Compat in order to get `table.unpack`.
         # i think using `luajit` here instead of `lua` is optional, just i get better perf with it :)
         lua = pkgs.luajit.override { enable52Compat = true; self = lua; };
-      })
-      {
-        scripts = [
-          pkgs.mpvScripts.mpris
-          pkgs.mpvScripts.mpv-playlistmanager
-          pkgs.mpvScripts.mpv-webm
-          uosc
-          visualizer
-          # pkgs.mpv-uosc-latest
-        ];
-        # extraMakeWrapperArgs = lib.optionals (cfg.config.vo != null) [
-        #   # 2023/08/29: fixes an error where mpv on moby launches with the message
-        #   #   "DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory"
-        #   #   audio still works, and controls, screenshotting, etc -- just not the actual rendering
-        #   #
-        #   #   this is likely a regression for mpv 0.36.0.
-        #   #   the actual error message *appears* to come from the mesa library, but it's tough to trace.
-        #   #
-        #   # 2024/03/02: no longer necessary, with mesa 23.3.1: <https://github.com/NixOS/nixpkgs/pull/265740>
-        #   #
-        #   # backend compatibility (2023/10/22):
-        #   # run with `--vo=help` to see a list of all output options.
-        #   # non-exhaustive (W=works, F=fails, A=audio-only, U=audio+ui only (no video))
-        #   # ? null             Null video output
-        #   # A (default)
-        #   # A dmabuf-wayland   Wayland dmabuf video output
-        #   # A libmpv           render API for libmpv  (mpv plays the audio, but doesn't even render a window)
-        #   # A vdpau            VDPAU with X11
-        #   # F drm              Direct Rendering Manager (software scaling)
-        #   # F gpu-next         Video output based on libplacebo
-        #   # F vaapi            VA API with X11
-        #   # F x11              X11 (software scaling)
-        #   # F xv               X11/Xv
-        #   # U gpu              Shader-based GPU Renderer
-        #   # W caca             libcaca  (terminal rendering)
-        #   # W sdl              SDL 2.0 Renderer
-        #   # W wlshm            Wayland SHM video output (software scaling)
-        #   "--add-flags" "--vo=${cfg.config.vo}"
-        # ];
       };
+      scripts = [
+        pkgs.mpvScripts.mpris
+        pkgs.mpvScripts.mpv-playlistmanager
+        pkgs.mpvScripts.mpv-webm
+        uosc
+        visualizer
+        # pkgs.mpv-uosc-latest
+      ];
+      # extraMakeWrapperArgs = lib.optionals (cfg.config.vo != null) [
+      #   # 2023/08/29: fixes an error where mpv on moby launches with the message
+      #   #   "DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory"
+      #   #   audio still works, and controls, screenshotting, etc -- just not the actual rendering
+      #   #
+      #   #   this is likely a regression for mpv 0.36.0.
+      #   #   the actual error message *appears* to come from the mesa library, but it's tough to trace.
+      #   #
+      #   # 2024/03/02: no longer necessary, with mesa 23.3.1: <https://github.com/NixOS/nixpkgs/pull/265740>
+      #   #
+      #   # backend compatibility (2023/10/22):
+      #   # run with `--vo=help` to see a list of all output options.
+      #   # non-exhaustive (W=works, F=fails, A=audio-only, U=audio+ui only (no video))
+      #   # ? null             Null video output
+      #   # A (default)
+      #   # A dmabuf-wayland   Wayland dmabuf video output
+      #   # A libmpv           render API for libmpv  (mpv plays the audio, but doesn't even render a window)
+      #   # A vdpau            VDPAU with X11
+      #   # F drm              Direct Rendering Manager (software scaling)
+      #   # F gpu-next         Video output based on libplacebo
+      #   # F vaapi            VA API with X11
+      #   # F x11              X11 (software scaling)
+      #   # F xv               X11/Xv
+      #   # U gpu              Shader-based GPU Renderer
+      #   # W caca             libcaca  (terminal rendering)
+      #   # W sdl              SDL 2.0 Renderer
+      #   # W wlshm            Wayland SHM video output (software scaling)
+      #   "--add-flags" "--vo=${cfg.config.vo}"
+      # ];
+    };
 
     suggestedPrograms = [
       "blast-to-default"

hosts/common/programs/neovim.nix

@@ -14,7 +14,8 @@ let
       # docs: https://github.com/nvim-treesitter/nvim-treesitter
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
       # this is required for tree-sitter to even highlight
-      plugin = nvim-treesitter.withPlugins (_: nvim-treesitter.allGrammars ++ [
+      # XXX(2024/06/03): `unison` removed because it doesn't cross compile
+      plugin = nvim-treesitter.withPlugins (_: (lib.filter (p: p.pname != "unison-grammar") nvim-treesitter.allGrammars) ++ [
         # XXX: this is apparently not enough to enable syntax highlighting!
         # nvim-treesitter ships its own queries which may be distinct from e.g. helix.
         # the queries aren't included when i ship the grammar in this manner
@@ -167,9 +168,27 @@ in
               vim.mpack.decode = vim.mpack.unpack
               vim.lpeg = require 'lpeg'
             "
-        '' + lib.optionalString (!stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
-          substituteInPlace runtime/CMakeLists.txt --replace-fail \
-            'COMMAND $<TARGET_FILE:nvim_bin>' 'COMMAND ${pkgs.stdenv.hostPlatform.emulator pkgs.buildPackages} $<TARGET_FILE:nvim_bin>'
+        ''
+        # + lib.optionalString (!stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
+        #   # required for x86_64 -> aarch64 (and probably armv7l too)
+        #   substituteInPlace runtime/CMakeLists.txt --replace-fail \
+        #     'COMMAND $<TARGET_FILE:nvim_bin>' 'COMMAND ${pkgs.stdenv.hostPlatform.emulator pkgs.buildPackages} $<TARGET_FILE:nvim_bin>'
+        # ''
+        + ''
+          # disable translations and syntax highlighting of .vim files because they don't cross x86_64 -> armv7l
+          substituteInPlace src/nvim/CMakeLists.txt --replace-fail \
+            'add_subdirectory(po)' '# add_subdirectory(po)'
+          # substituteInPlace src/nvim/po/CMakeLists.txt --replace-fail \
+          #   'add_dependencies(nvim nvim_translations)' '# add_dependencies(nvim nvim_translations)'
+          substituteInPlace runtime/CMakeLists.txt \
+            --replace-fail '    ''${GENERATED_SYN_VIM}' '    # ''${GENERATED_SYN_VIM}' \
+            --replace-fail '    ''${GENERATED_HELP_TAGS}' '    # ''${GENERATED_HELP_TAGS}' \
+            --replace-fail 'FILES ''${GENERATED_HELP_TAGS} ''${BUILDDOCFILES}'  'FILES ''${CMAKE_CURRENT_SOURCE_DIR}/nvim.desktop' \
+            --replace-fail 'FILES ''${GENERATED_SYN_VIM}'  'FILES ''${CMAKE_CURRENT_SOURCE_DIR}/nvim.desktop' \
+            --replace-fail 'if(''${PACKNAME}_DOC_FILES)' 'if(false)'
+          # --replace-fail '    ''${GENERATED_PACKAGE_TAGS}' '     # ''${GENERATED_PACKAGE_TAGS}' \
+          # --replace-fail 'list(APPEND BUILDDOCFILES' '# list(APPEND BUILDDOCFILES'
+          # --replace-fail '  FILES ''${GENERATED_HELP_TAGS} ' '  FILES ' \
         '';
       });
     in pkgs.wrapNeovimUnstable

hosts/common/programs/sane-input-handler/default.nix

@@ -85,7 +85,7 @@ in
       "playerctl"
       "procps"
       "sane-open"
-      "sway"
+      # "sway"  #< TODO: circular dependency :-(
       "wireplumber"
       # optional integrations:
       "megapixels"

hosts/common/programs/sway/default.nix

@@ -28,7 +28,7 @@ let
       passthru.sway-unwrapped = configuredSway;
     };
 
-  wlroots = (pkgs.waylandPkgs.wlroots.override {
+  wlroots = (pkgs.nixpkgs-wayland.wlroots.override {
     # wlroots seems to launch Xwayland itself, and i can't easily just do that myself externally.
     # so in order for the Xwayland it launches to be sandboxed, i need to patch the sandboxed version in here.
     xwayland = config.sane.programs.xwayland.package;
@@ -60,7 +60,7 @@ let
     '';
   });
   swayPackage = wrapSway (
-    (pkgs.waylandPkgs.sway-unwrapped.override {
+    (pkgs.nixpkgs-wayland.sway-unwrapped.override {
       inherit wlroots;
       # about xwayland:
       # - required by many electron apps, though some electron apps support NIXOS_OZONE_WL=1 for native wayland.
@@ -107,6 +107,14 @@ in
               default font (for e.g. window titles)
             '';
           };
+          locker = mkOption {
+            type = types.str;
+            default = "swaylock";
+            description = ''
+              name of program to use as the screenlocker
+            '';
+            example = "schlock";
+          };
           mod = mkOption {
             type = types.str;
             default = "Mod4";
@@ -152,7 +160,6 @@ in
       # "splatmoji"  # used by sway config
       "sway-contrib.grimshot"  # used by sway config
       "swayidle"  # enable if you need it
-      "swaylock"  # used by sway config
       "swaynotificationcenter"  # notification daemon
       "sysvol"  # volume notifier
       "unl0kr"  # greeter
@@ -179,6 +186,8 @@ in
       # xdg-desktop-portal-wlr provides portals for screenshots/screen sharing
       "xdg-desktop-portal-wlr"
       "xdg-terminal-exec"  # used by sway config
+    ] ++ [
+      cfg.config.locker
     ];
 
     sandbox.method = "bwrap";
@@ -220,6 +229,7 @@ in
       inherit (cfg.config)
         extra_lines
         font
+        locker
         mod
         workspace_layout
       ;

hosts/common/programs/sway/sway-config

@@ -16,6 +16,7 @@ set $volume_up wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+
 set $volume_down wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-
 set $mute wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle
 set $default_workspace_layout @workspace_layout@
+set $locker @locker@
 
 set $out_tv "LG Electronics LG TV 0x01010101"
 set $out_projector "MS Telematica TV 0x00000001"
@@ -79,7 +80,7 @@ bindsym --locked XF86MonBrightnessDown exec brightnessctl set 5%-
 #### special functions
 bindsym Print exec sane-open --application sane-screenshot.desktop
 bindsym $mod+Print exec sane-open --application sane-screenshot.desktop
-bindsym $mod+l exec s6-rc -b start swaylock
+bindsym $mod+l exec s6-rc -b start $locker
 bindsym $mod+s exec sane-open --application rofi-snippets.desktop
 # bindsym $mod+slash exec sane-open splatmoji.desktop
 bindsym $mod+d exec sane-open --application rofi.desktop

hosts/common/quirks.nix

@@ -0,0 +1,30 @@
+# quirks: temporary patches with the goal of eventually removing them
+{ lib, ... }:
+{
+  # TODO: remove after linux 6.9. see: <https://github.com/axboe/liburing/issues/1113>
+  # - <https://github.com/neovim/neovim/issues/28149>
+  # - <https://git.kernel.dk/cgit/linux/commit/?h=io_uring-6.9&id=e5444baa42e545bb929ba56c497e7f3c73634099>
+  # when removing, try starting and suspending (ctrl+z) two instances of neovim simultaneously.
+  # if the system doesn't freeze, then this is safe to remove.
+  # added 2024-04-04
+  sane.user.fs.".profile".symlink.text = lib.mkBefore ''
+    export UV_USE_IO_URING=0
+  '';
+
+  # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
+  powerManagement.powertop.enable = false;
+  # linux CPU governor: <https://www.kernel.org/doc/Documentation/cpu-freq/governors.txt>
+  # - options:
+  #   - "powersave" => force CPU to always run at lowest supported frequency
+  #   - "performance" => force CPU to always run at highest frequency
+  #   - "ondemand" => adjust frequency based on load
+  #   - "conservative"  (ondemand but slower to adjust)
+  #   - "schedutil"
+  #   - "userspace"
+  # - not all options are available for all platforms
+  #   - intel (intel_pstate) appears to manage scaling w/o intervention/control from the OS.
+  #   - AMD (acpi-cpufreq) appears to manage scaling via the OS *or* HW. but the ondemand defaults never put it to max hardware frequency.
+  #   - qualcomm (cpufreq-dt) appears to manage scaling *only* via the OS. ondemand governor exercises the full range.
+  # - query details with `sudo cpupower frequency-info`
+  powerManagement.cpuFreqGovernor = "ondemand";
+}

hosts/common/systemd.nix

@@ -7,19 +7,6 @@ let
   haltTimeout = 10;
 in
 {
-  systemd.extraConfig = ''
-    # DefaultTimeoutStopSec defaults to 90s, and frequently blocks overall system shutdown.
-    DefaultTimeoutStopSec=${builtins.toString haltTimeout}
-  '';
-
-  services.journald.extraConfig = ''
-    # docs: `man journald.conf`
-    # merged journald config is deployed to /etc/systemd/journald.conf
-    [Journal]
-    # disable journal compression because the underlying fs is compressed
-    Compress=no
-  '';
-
   # allow ordinary users to `reboot` or `shutdown`.
   # source: <https://nixos.wiki/wiki/Polkit>
   security.polkit.extraConfig = ''
@@ -38,4 +25,24 @@ in
       }
     })
   '';
+
+  services.journald.extraConfig = ''
+    # docs: `man journald.conf`
+    # merged journald config is deployed to /etc/systemd/journald.conf
+    [Journal]
+    # disable journal compression because the underlying fs is compressed
+    Compress=no
+  '';
+
+  # see: `man logind.conf`
+  # don’t shutdown when power button is short-pressed (commonly done an accident, or by cats).
+  #   but do on long-press: useful to gracefully power-off server.
+  services.logind.powerKey = "lock";
+  services.logind.powerKeyLongPress = "poweroff";
+  services.logind.lidSwitch = "lock";
+
+  systemd.extraConfig = ''
+    # DefaultTimeoutStopSec defaults to 90s, and frequently blocks overall system shutdown.
+    DefaultTimeoutStopSec=${builtins.toString haltTimeout}
+  '';
 }

hosts/modules/default.nix

@@ -3,11 +3,11 @@
 {
   imports = [
     ./derived-secrets
+    ./hal
     ./hosts.nix
     ./nixcache.nix
     ./roles
     ./services
     ./wg-home.nix
-    ./yggdrasil.nix
   ];
 }

hosts/modules/hal/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./pine64.nix
+    ./samsung
+    ./x86_64.nix
+  ];
+}

hosts/modules/hal/pine64.nix

@@ -0,0 +1,343 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.hal.pine64;
+in
+{
+  options = {
+    sane.hal.pine64.enable = lib.mkEnableOption "pine64-specific hardware support";
+  };
+
+  config = lib.mkIf cfg.enable {
+    # kernel compatibility (2024/05/22: 03dab630)
+    # - linux-megous: boots to ssh, desktop
+    #   - camera apps: megapixels (no cameras found), snapshot (no cameras found)
+    # - linux-postmarketos: boots to ssh. desktop ONLY if "anx7688" is in the initrd.availableKernelModules.
+    #   - camera apps: megapixels (both rear and front cameras work), `cam -l` (finds only the rear camera), snapshot (no cameras found)
+    # - linux-megous.override { withMegiPinephoneConfig = true; }: NO SSH, NO SIGNS OF LIFE
+    # - linux-megous.override { withFullConfig = false; }: boots to ssh, no desktop
+    #
+    boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux-postmarketos.override {
+      withModemPower = true;
+    });
+    # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
+    # boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux-megous.override {
+    #   withFullConfig = false;
+    # });
+    # boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux-megous.override {
+    #   withMegiPinephoneConfig = true;  #< N.B.: does not boot as of 2024/05/22!
+    # });
+    # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-manjaro;
+    # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
+
+    # nixpkgs.hostPlatform.linux-kernel becomes stdenv.hostPlatform.linux-kernel
+    # ^ but only if using flakes (or rather, if *not* using `nixpkgs.nixos` to construct the host config)
+    # nixpkgs.hostPlatform.linux-kernel = {
+    #   # defaults:
+    #   name = "aarch64-multiplatform";
+    #   # baseConfig: defaults to "defconfig";
+    #   # baseConfig = "pinephone_defconfig";  #< N.B.: ignored by `pkgs.linux-megous`
+    #   DTB = true;  #< DTB: compile device tree blobs
+    #   # autoModules (default: true): for config options not manually specified, answer `m` to anything which supports it.
+    #   # - this effectively builds EVERY MODULE SUPPORTED.
+    #   autoModules = true;  #< N.B.: ignored by `pkgs.linux-megous`
+    #   # preferBuiltin (default: false; true for rpi): for config options which default to `Y` upstream, build them as `Y` (overriding `autoModules`)
+    #   # preferBuiltin = false;
+
+    #   # build a compressed kernel image: without this i run out of /boot space in < 10 generations
+    #   # target = "Image";  # <-- default
+    #   target = "Image.gz";  # <-- compress the kernel image
+    #   # target = "zImage";  # <-- confuses other parts of nixos :-(
+    # };
+
+    # boot.initrd.kernelModules = [
+    #   "drm"  #< force drm to be plugged
+    # ];
+    boot.initrd.availableKernelModules = [
+      # see <repo:postmarketOS/pmaports:device/main/device-pine64-pinephone/modules-initfs>
+      # - they include sun6i_mipi_dsi sun4i_drm pwm_sun4i sun8i_mixer anx7688 gpio_vibra pinephone_keyboard
+      "anx7688" #< required for display initialization and functional cameras
+      # full list of modules active post-boot with the linux-megous kernel + autoModules=true:
+      # - `lsmod | sort | cut -d ' ' -f 1`
+      # "8723cs"
+      # "axp20x_adc"  #< NOT FOUND in megous-no-autoModules
+      # "axp20x_battery"
+      # "axp20x_pek"
+      # "axp20x_usb_power"
+      # "backlight"
+      # "blake2b_generic"
+      # "bluetooth"
+      # "bridge"
+      # "btbcm"
+      # "btqca"
+      # "btrfs"
+      # "btrtl"
+      # "cec"
+      # "cfg80211"
+      # "chacha_neon"
+      # "crc_ccitt"
+      # "crct10dif_ce"
+      # "crypto_engine"
+      # "display_connector"  #< NOT FOUND in pmos
+      # "drm"
+      # "drm_display_helper"
+      # "drm_dma_helper"
+      # "drm_kms_helper"
+      # "drm_shmem_helper"
+      # "dw_hdmi"
+      # "dw_hdmi_cec"  #< NOT FOUND in pmos
+      # "dw_hdmi_i2s_audio"
+      # "ecc"
+      # "ecdh_generic"
+      # "fuse"
+      # "gc2145"  #< NOT FOUND in megous-no-autoModules
+      # "goodix_ts"
+      # "gpio_vibra"  #< NOT FOUND in megous-no-autoModules
+      # "gpu_sched"
+      # "hci_uart"
+      # "i2c_gpio"
+      # "inv_mpu6050"  #< NOT FOUND in megous-no-autoModules
+      # "inv_mpu6050_i2c"  #< NOT FOUND in megous-no-autoModules
+      # "inv_sensors_timestamp"  #< NOT FOUND in megous-no-autoModules
+      # "ip6t_rpfilter"
+      # "ip6_udp_tunnel"
+      # "ip_set"
+      # "ip_set_hash_ipport"
+      # "ip_tables"
+      # "ipt_rpfilter"
+      # "joydev"
+      # "led_class_flash"  #< NOT FOUND in megous-no-autoModules
+      # "leds_sgm3140"  #< NOT FOUND in megous-no-autoModules
+      # "ledtrig_pattern"  #< NOT FOUND in megous-no-autoModules
+      # "libarc4"
+      # "libchacha"
+      # "libchacha20poly1305"
+      # "libcrc32c"
+      # "libcurve25519_generic"
+      # "lima"
+      # "llc"
+      # "mac80211"
+      # "macvlan"
+      # "mc"
+      # "modem_power"
+      # "mousedev"
+      # "nf_conntrack"
+      # "nf_defrag_ipv4"
+      # "nf_defrag_ipv6"
+      # "nf_log_syslog"
+      # "nf_nat"
+      # "nfnetlink"
+      # "nf_tables"
+      # "nft_chain_nat"
+      # "nft_compat"
+      # "nls_cp437"
+      # "nls_iso8859_1"
+      # "nvmem_reboot_mode"
+      # "ov5640"
+      # "panel_sitronix_st7703"
+      # "phy_sun6i_mipi_dphy"
+      # "pinctrl_axp209"  #< NOT FOUND in pmos
+      # "pinephone_keyboard"  #< NOT FOUND in megous-no-autoModules
+      # "poly1305_neon"
+      # "polyval_ce"
+      # "polyval_generic"
+      # "ppkb_manager"  #< NOT FOUND in megous-no-autoModules
+      # "pwm_bl"
+      # "pwm_sun4i"
+      # "qrtr"
+      # "raid6_pq"
+      # "rfkill"
+      # "rtw88_8703b"
+      # "rtw88_8723cs"
+      # "rtw88_8723x"
+      # "rtw88_core"
+      # "rtw88_sdio"
+      # "sch_fq_codel"
+      # "sm4"
+      # "snd_soc_bt_sco"
+      # "snd_soc_ec25"  #< NOT FOUND in megous-no-autoModules
+      # "snd_soc_hdmi_codec"
+      # "snd_soc_simple_amplifier"
+      # "snd_soc_simple_card"
+      # "snd_soc_simple_card_utils"
+      # "stk3310"  #< NOT FOUND in megous-no-autoModules
+      # "st_magn"
+      # "st_magn_i2c"
+      # "st_magn_spi"  #< NOT FOUND in pmos
+      # "stp"
+      # "st_sensors"
+      # "st_sensors_i2c"
+      # "st_sensors_spi"  #< NOT FOUND in pmos
+      # "sun4i_drm"
+      # "sun4i_i2s"
+      # "sun4i_lradc_keys"  #< NOT FOUND in megous-no-autoModules
+      # "sun4i_tcon"
+      # "sun50i_codec_analog"
+      # "sun6i_csi"
+      # "sun6i_dma"
+      # "sun6i_mipi_dsi"
+      # "sun8i_a33_mbus"  #< NOT FOUND in megous-no-autoModules
+      # "sun8i_adda_pr_regmap"
+      # "sun8i_ce"  #< NOT FOUND in pmos
+      # "sun8i_codec"  #< NOT FOUND in megous-no-autoModules
+      # "sun8i_di"  #< NOT FOUND in megous-no-autoModules
+      # "sun8i_drm_hdmi"
+      # "sun8i_mixer"
+      # "sun8i_rotate"  #< NOT FOUND in megous-no-autoModules
+      # "sun8i_tcon_top"
+      # "sun9i_hdmi_audio"  #< NOT FOUND in megous-no-autoModules
+      # "sunxi_wdt"  #< NOT FOUND in pmos
+      # "tap"
+      # "typec"  #< NOT FOUND in pmos
+      # "udp_tunnel"
+      # "uio"  #< NOT FOUND in pmos
+      # "uio_pdrv_genirq"
+      # "v4l2_async"
+      # "v4l2_cci" #< NOT FOUND in pmos
+      # "v4l2_flash_led_class"  #< NOT FOUND in megous-no-autoModules
+      # "v4l2_fwnode"
+      # "v4l2_mem2mem"
+      # "videobuf2_common"
+      # "videobuf2_dma_contig"
+      # "videobuf2_memops"
+      # "videobuf2_v4l2"
+      # "videodev"
+      # "wireguard"
+      # "xor"
+      # "x_tables"
+      # "xt_conntrack"
+      # "xt_LOG"
+      # "xt_nat"
+      # "xt_pkttype"
+      # "xt_set"
+      # "xt_tcpudp"
+      # "zram"
+    ];
+
+    # disable proximity sensor.
+    # the filtering/calibration is bad that it causes the screen to go fully dark at times.
+    # boot.blacklistedKernelModules = [ "stk3310" ];
+
+    boot.kernelParams = [
+      # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
+      # this is because they can't allocate enough video ram.
+      # see related nixpkgs issue: <https://github.com/NixOS/nixpkgs/issues/260222>
+      # TODO(2023/12/03): remove once mesa 23.3.1 lands: <https://github.com/NixOS/nixpkgs/pull/265740>
+      #
+      # the default CMA seems to be 32M.
+      # i was running fine with 256MB from 2022/07-ish through 2022/12-ish, but then the phone quit reliably coming back from sleep (phosh): maybe a memory leak?
+      # bumped to 512M on 2023/01
+      # bumped to 1536M on 2024/05
+      # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
+      # kernel param mentioned here: <https://cateee.net/lkddb/web-lkddb/CMA_SIZE_PERCENTAGE.html>
+      # i think cma mem isn't exclusive -- it can be used as ordinary `malloc`, still. i heard someone suggest the OS default should just be 50% memory to CMA.
+      "cma=1536M"
+      # 2023/10/20: potential fix for the lima (GPU) timeout bugs:
+      # - <https://gitlab.com/postmarketOS/pmaports/-/issues/805#note_890467824>
+      "lima.sched_timeout_ms=2000"
+    ];
+
+    # defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
+    # XXX colin: diabled until/unless it's actually needed.
+    # environment.etc."machine-info".text = ''
+    #   CHASSIS="handset"
+    # '';
+
+    # hardware.firmware makes the referenced files visible to the kernel, for whenever a driver explicitly asks for them.
+    # these files are visible from userspace by following `/sys/module/firmware_class/parameters/path`
+    #
+    # mobile-nixos' /lib/firmware includes:
+    #   rtl_bt          (bluetooth)
+    #   anx7688-fw.bin  (USB-C chip: power negotiation, HDMI/dock)
+    #   ov5640_af.bin   (camera module)
+    # hardware.firmware = [ config.mobile.device.firmware ];
+    # hardware.firmware = [ pkgs.rtl8723cs-firmware ];
+    hardware.firmware = [
+      (pkgs.linux-firmware-megous.override {
+        # rtl_bt = false probably means no bluetooth connectivity.
+        # N.B.: DON'T RE-ENABLE without first confirming that wake-on-lan works during suspend (rtcwake).
+        # it seems the rtl_bt stuff ("bluetooth coexist") might make wake-on-LAN radically more flaky.
+        rtl_bt = false;
+      })
+    ];
+
+    # enable rotation sensor
+    # hardware.sensor.iio.enable = true;
+
+    ## TOW-BOOT: <https://tow-boot.org>
+    # docs (pinephone specific): <https://github.com/Tow-Boot/Tow-Boot/tree/development/boards/pine64-pinephoneA64>
+    # LED and button behavior is defined here: <https://github.com/Tow-Boot/Tow-Boot/blob/development/modules/tow-boot/phone-ux.nix>
+    # - hold VOLDOWN: enter recovery mode
+    #   - LED will turn aqua instead of yellow
+    #   - recovery mode would ordinarily allow a selection of entries, but for pinephone i guess it doesn't do anything?
+    # - hold VOLUP: force it to load the OS from eMMC?
+    #   - LED will turn blue instead of yellow
+    # boot LEDs:
+    # - yellow = entered tow-boot
+    # - 10 red flashes => poweroff means tow-boot couldn't boot into the next stage (i.e. distroboot)
+    #   - distroboot: <https://source.denx.de/u-boot/u-boot/-/blob/v2022.04/doc/develop/distro.rst>)
+    # we need space in the GPT header to place tow-boot.
+    # only actually need 1 MB, but better to over-allocate than under-allocate
+    sane.image.extraGPTPadding = 16 * 1024 * 1024;
+    sane.image.firstPartGap = 0;
+    sane.image.installBootloader = ''
+      dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
+    '';
+
+    sane.programs.swaynotificationcenter.config = {
+      backlight = "backlight";  # /sys/class/backlight/*backlight*/brightness
+    };
+
+    services.udev.extraRules = let
+      chmod = "${pkgs.coreutils}/bin/chmod";
+      chown = "${pkgs.coreutils}/bin/chown";
+    in ''
+      # make Pinephone flashlight writable by user.
+      # taken from postmarketOS: <repo:postmarketOS/pmaports:device/main/device-pine64-pinephone/60-flashlight.rules>
+      SUBSYSTEM=="leds", DEVPATH=="*/*:flash", RUN+="${chmod} g+w /sys%p/brightness /sys%p/flash_strobe", RUN+="${chown} :video /sys%p/brightness /sys%p/flash_strobe"
+
+      # make Pinephone front LEDs writable by user.
+      SUBSYSTEM=="leds", DEVPATH=="*/*:indicator", RUN+="${chmod} g+w /sys%p/brightness", RUN+="${chown} :video /sys%p/brightness"
+    '';
+
+    systemd.services.unl0kr.preStart = let
+      dmesg = "${pkgs.util-linux}/bin/dmesg";
+      grep = "${pkgs.gnugrep}/bin/grep";
+      modprobe = "${pkgs.kmod}/bin/modprobe";
+    in ''
+      # common boot failure:
+      # blank screen (no backlight even), with the following log:
+      # ```syslog
+      # sun8i-dw-hdmi 1ee0000.hdmi: Couldn't get the HDMI PHY
+      # ...
+      # sun4i-drm display-engine: Couldn't bind all pipelines components
+      # ...
+      # sun8i-dw-hdmi: probe of 1ee0000.hdmi failed with error -17
+      # ```
+      #
+      # in particular, that `probe ... failed` occurs *only* on failed boots
+      # (the other messages might sometimes occur even on successful runs?)
+      #
+      # reloading the sun8i hdmi driver usually gets the screen on, showing boot text.
+      # then restarting display-manager.service gets us to the login.
+      #
+      # NB: the above log is default level. though less specific, there's a `err` level message that also signals this:
+      # sun4i-drm display-engine: failed to bind 1ee0000.hdmi (ops sun8i_dw_hdmi_ops [sun8i_drm_hdmi]): -17
+      # NB: this is the most common, but not the only, failure mode for `display-manager`.
+      # another error seems characterized by these dmesg logs, in which reprobing sun8i_drm_hdmi does not fix:
+      # ```syslog
+      # sun6i-mipi-dsi 1ca0000.dsi: Couldn't get the MIPI D-PHY
+      # sun4i-drm display-engine: Couldn't bind all pipelines components
+      # sun6i-mipi-dsi 1ca0000.dsi: Couldn't register our component
+      # ```
+
+      if (${dmesg} --kernel --level err --color=never --notime | ${grep} -q 'sun4i-drm display-engine: failed to bind 1ee0000.hdmi')
+      then
+        echo "reprobing sun8i_drm_hdmi"
+        # if a command here fails it errors the whole service, so prefer to log instead
+        ${modprobe} -r sun8i_drm_hdmi || echo "failed to unload sun8i_drm_hdmi"
+        ${modprobe} sun8i_drm_hdmi || echo "failed to load sub8i_drm_hdmi"
+      fi
+    '';
+  };
+}
+

hosts/modules/hal/samsung/default.nix

@@ -0,0 +1,171 @@
+# device support for samsung XE303C12 "google-snow" model, specifically.
+# see: <https://wiki.postmarketos.org/wiki/Samsung_Chromebook_(google-snow)>
+# - build logs: <https://images.postmarketos.org/bpo/edge/google-snow/console/>
+# see: <https://github.com/thefloweringash/kevin-nix>
+# - related "depthcharge" chromebook, built with nix
+# see: <https://mobile.nixos.org/devices/lenovo-wormdingler.html>
+# - above module, integrated into an image builder
+# - implementation in modules/system-types/depthcharge
+# see: <https://web.archive.org/web/20191103000916/http://www.chromium.org/chromium-os/firmware-porting-guide/using-nv-u-boot-on-the-samsung-arm-chromebook>
+# - referenced from u-boot `doc/` directory
+# - <https://web.archive.org/web/20220813062811/https://www.chromium.org/chromium-os/how-tos-and-troubleshooting/using-an-upstream-kernel-on-snow/>
+# - <https://web.archive.org/web/20240119111314/https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices/custom-firmware/>
+# - google exynos5_defconfig: <https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/%2B/HEAD/eclass/cros-kernel>
+# see: <repo:postmarketOS/pmaports:device/community/device-google-snow>
+# - <https://gitlab.com/postmarketOS/boot-deploy/-/blob/5f08ebb05a520d0e6bccfcda324f12e4aac1623f/boot-deploy-functions.sh#L872>
+# - deviceinfo:
+#   - deviceinfo_flash_method="none"
+#   - deviceinfo_cgpt_kpart="/boot/vmlinuz.kpart"
+#   - deviceinfo_cgpt_kpart_start="8192"
+#   - deviceinfo_cgpt_kpart_size="16384"
+#   - deviceinfo_kernel_cmdline="console=null"
+#   - deviceinfo_depthcharge_board="snow"
+#   - deviceinfo_generate_depthcharge_image="true"
+#   - deviceinfo_generate_extlinux_config="true"
+# - modules-initfs:
+#   - drm-dp-aux-bus
+#   - panel-edp
+#   - drm-kms-helper
+#   - cros-ec-keyb
+#   - sbs-battery
+#   - tps65090-charger
+#   - uas
+#   - sd-mod
+# - pmOS also uses a custom alsa UCM config
+# - pmOS kernel package: linux-postmarketos-exynos5
+# - pmOS firmware packages (for WiFi/Bluetooth): linux-firmware-mrvl linux-firmware-s5p-mfc
+#
+# pmOS image has disk layout:
+# /dev/sdb1    8192    24575    16384    8M ChromeOS kernel
+# /dev/sdb2   24576   548863   524288  256M EFI System
+# /dev/sdb3  548864 31336414 30787551 14.7G Microsoft basic data
+# - built using `depthcharge-tools`: <https://github.com/alpernebbi/depthcharge-tools>
+# - expected chromeos disk layout documented: <https://www.chromium.org/chromium-os/developer-library/reference/device/disk-format/>
+#
+# typical boot process:
+# - BIOS searches for a partition `ChromeOS Kernel Type GUID (fe3a2a5d-4f32-41a7-b725-accc3285a309)`
+# - first 64K are reserved for sigantures (when verified boot is active)
+# - then kernel, some datastructures (i.e. config.txt, the command line passed to the kernel), bootloader stub
+# - BIOS loads kernel blob into RAM, then invokes the bootstub
+# - bootloader stub is an EFI application. it setups up tables and jumps into the kernel.
+#   - so potentially i could put any EFI application here, and load the kernel myself from somewhere else?
+# - partitions are all 2MiB-aligned
+# according to depthcharge-tools, max image size is 8 MiB, though i don't know how strict that is.
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.hal.samsung;
+in
+{
+  options = {
+    sane.hal.samsung.enable = lib.mkEnableOption "samsung-specific hardware support";
+  };
+
+  config = lib.mkIf cfg.enable {
+    boot.initrd.compressor = "gzip";
+    # boot.initrd.compressorArgs = [ "--ultra" "-22" ];
+
+    boot.initrd.availableKernelModules = [
+    # boot.initrd.kernelModules = [
+      # from postmarketOS
+      "drm-dp-aux-bus"
+      "panel-edp"
+      "drm-kms-helper"
+      "cros-ec-keyb"
+      "sbs-battery"
+      "tps65090-charger"
+      "uas"
+      "sd-mod"
+    ];
+    # N.B: mobile-nixos says these modules break udev, if builtin or run before udev:
+    #  "sbs-battery"
+    #  "sbs-charger"
+    #  "sbs-manager"
+
+
+    boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-postmarketos-exynos5;
+    # boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_latest.override {
+    #   structuredExtraConfig = with lib.kernel; {
+    #     CC_OPTIMIZE_FOR_SIZE = lib.mkForce yes;
+    #   };
+    # });
+
+    system.build.u-boot = pkgs.buildUBoot {
+      defconfig = "snow_defconfig";
+      extraMeta.platforms = [ "armv7l-linux" ];
+      filesToInstall = [
+        "u-boot"  #< ELF file
+        "u-boot.bin"  #< raw binary, load it into RAM and jump toit
+        "u-boot.cfg"  #< copy of Kconfig which this u-boot was compiled with
+        "u-boot.dtb"
+        "u-boot.map"
+        "u-boot-nodtb.bin"
+        "u-boot.sym"
+      ];
+    };
+
+    system.build.platformPartition = pkgs.runCommandLocal "kernel-partition" {
+      nativeBuildInputs = with pkgs; [
+        vboot_reference
+        dtc
+        ubootTools
+      ];
+    } ''
+      # according to depthcharge-tools, bootloader.bin is legacy, was used by the earliest
+      # chromebooks (H2C) *only*.
+      dd if=/dev/zero of=dummy_bootloader.bin bs=512 count=1
+      echo auto > dummy_config.txt
+
+      # from uboot snow_defconfig, also == CONFIG_SYS_LOAD_ADDR
+      CONFIG_TEXT_BASE=0x43e00000
+
+      cp ${config.system.build.u-boot}/u-boot.bin .
+      ubootFlags=(
+        -A arm         # architecture
+        -O linux       # operating system
+        -T kernel      # image type
+        -C none        # compression
+        -a $CONFIG_TEXT_BASE  # load address (CONFIG_TEXT_BASE)
+        -e $CONFIG_TEXT_BASE  # entry point (CONFIG_SYS_LOAD_ADDR), i.e. where u-boot `bootm` should jump to to execute the kernel
+        -n nixos-uboot # image name
+        -d u-boot.bin  # image data
+        u-boot.fit     # output
+      )
+      mkimage "''${ubootFlags[@]}"
+
+      futility \
+        --debug \
+      vbutil_kernel \
+        --version 1 \
+        --bootloader ./dummy_bootloader.bin \
+        --vmlinuz u-boot.fit \
+        --arch arm \
+        --keyblock ${pkgs.buildPackages.vboot_reference}/share/vboot/devkeys/kernel.keyblock \
+        --signprivate ${pkgs.buildPackages.vboot_reference}/share/vboot/devkeys/kernel_data_key.vbprivk \
+        --config ./dummy_config.txt \
+        --pack $out
+    '';
+
+    # the platform partition presently only holds u-boot,
+    # and it seems possibly a limitation of depthcharge that it can't launch anything > 8 MiB (?)
+    # still, give a little extra room so i'm free to rearrange stuff if i find a way how.
+    sane.image.platformPartSize = 256 * 1024 * 1024;
+
+    # depthcharge firmware is designed for an A/B partition style,
+    # where partition A holds a kernel and partion B holds a different kernel.
+    # an update is to flash the currently inactive partition and then mark that one as active,
+    # either switching the default boot from partition A to partition B, or from B to A.
+    # anyway, this relies on the partitions having some extra metadata, which we add here.
+    # i believe this metadata is stored in a depthcharge-specific format, not anything
+    # which can be generalized.
+    sane.image.installBootloader = ''
+      ${lib.getExe' pkgs.buildPackages.vboot_reference "cgpt"} add ${lib.concatStringsSep " " [
+        "-i 1"  # work on the first partition (instead of adding)
+        "-S 1"  # mark as successful (so it'll be booted from)
+        "-T 5"  # tries remaining
+        "-P 10" # priority
+        "$out"
+      ]}
+    '';
+  };
+}
+

hosts/modules/hal/x86_64.nix

@@ -1,7 +1,14 @@
-{ lib, pkgs, ... }:
-
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.hal.x86_64;
+in
 {
-  config = lib.mkIf (pkgs.system == "x86_64-linux") {
+  options = {
+    sane.hal.x86_64.enable = (lib.mkEnableOption "x86_64-specific hardware support") // {
+      default = pkgs.system == "x86_64-linux";
+    };
+  };
+  config = lib.mkIf cfg.enable {
     boot.initrd.availableKernelModules = [
       "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
       "usb_storage"   # rpi needed this to boot from usb storage, i think.

hosts/modules/roles/handheld.nix

@@ -13,6 +13,51 @@
       "consoleMediaUtils"  # overbroad, but handy on very rare occasion
       "handheldGuiApps"
     ];
+    sane.programs.sway.suggestedPrograms = [
+      "sane-input-handler"
+    ];
+
+    sane.programs.alacritty.config.fontSize = 9;
+
+    sane.programs.firefox.config = {
+      # compromise impermanence for the sake of usability
+      persistCache = "private";
+      persistData = "private";
+
+      # i don't do crypto stuff on moby
+      addons.ether-metamask.enable = false;
+      # sidebery UX doesn't make sense on small screen
+      addons.sidebery.enable = false;
+    };
+    sane.programs.firefox.mime.priority = 300;  # prefer other browsers when possible
+    # HACK/TODO: make `programs.P.env.VAR` behave according to `mime.priority`
+    sane.programs.firefox.env = lib.mkForce {};
+    sane.programs.epiphany.env.BROWSER = "epiphany";
+
+    sane.programs.sway.config = {
+      font = "pango:monospace 10";
+      locker = "schlock";
+      mod = "Mod1";  # prefer Alt
+      workspace_layout = "tabbed";
+    };
+
+    sane.programs.swayidle.config = {
+      actions.screenoff.delay = 300;
+      actions.screenoff.enable = true;
+    };
+
+    sane.programs.waybar.config = {
+      fontSize = 14;
+      height = 26;
+      persistWorkspaces = [ "1" "2" "3" "4" "5" ];
+      modules.media = false;
+      modules.network = false;
+      modules.perf = false;
+      modules.windowTitle = false;
+      # TODO: show modem state
+    };
+
+    sane.programs.zsh.config.showDeadlines = false;  # unlikely to act on them when in shell
   };
 }
 

hosts/modules/yggdrasil.nix

@@ -1,30 +0,0 @@
-# docs: <nixpkgs:nixos/modules/services/networking/yggdrasil.md>
-# - or message CW/0x00
-
-{ config, lib, ... }:
-
-let
-  inherit (lib) mkIf mkOption types;
-  cfg = config.sane.yggdrasil;
-in
-{
-  options.sane.yggdrasil = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-    };
-  };
-  config = mkIf cfg.enable {
-    services.yggdrasil = {
-      enable = true;
-      persistentKeys = true;
-      settings = {
-        IFName = "ygg0";
-        Peers = [
-          "tls://longseason.1200bps.xyz:13122"
-        ];
-      };
-    };
-  };
-}
-

modules/image.nix

@@ -17,11 +17,6 @@ let
 in
 {
   options = {
-    sane.image.enable = mkOption {
-      default = true;
-      type = types.bool;
-      description = "whether to enable image targets. even so they won't be built unless you specifically reference the `system.build.img` target.";
-    };
     # packages whose contents should be copied directly into the /boot partition.
     # e.g. EFI loaders, u-boot bootloader, etc.
     sane.image.extraBootFiles = mkOption {
@@ -57,9 +52,23 @@ in
       default = (16 * 1024 * 1024 - 34 * 512) * 1024 * 1024 - 1;
       type = types.nullOr types.int;
     };
+    sane.image.platformPartSize = mkOption {
+      default = null;
+      type = types.nullOr types.int;
+      description = ''
+        size of the platform firmware (or, bootloader) partition, in bytes.
+        most platforms don't need this. the primary user is "depthcharge" chromebooks.
+        the partition contents is taken from `config.system.build.platformPartition`.
+      '';
+    };
     sane.image.bootPartSize = mkOption {
-      default = 512 * 1024 * 1024;
+      default = 1024 * 1024 * 1024;
       type = types.int;
+      description = ''
+        size of the boot partition, in bytes.
+        don't skimp on this. nixos kernels are by default HUGE, and restricting this
+        will make kernel tweaking extra painful.
+      '';
     };
     sane.image.sectorSize = mkOption {
       default = 512;
@@ -102,11 +111,11 @@ in
     vfatUuidFromFs = fs: builtins.replaceStrings ["-"] [""] (uuidFromFs fs);
 
     fsBuilderMapBoot = {
-      "vfat" = pkgs.imageBuilder.fileSystem.makeESP;
+      "vfat" = pkgs.mobile-nixos.imageBuilder.fileSystem.makeESP;
     };
     fsBuilderMapNix = {
-      "ext4" = pkgs.imageBuilder.fileSystem.makeExt4;
-      "btrfs" = pkgs.imageBuilder.fileSystem.makeBtrfs;
+      "ext4" = pkgs.mobile-nixos.imageBuilder.fileSystem.makeExt4;
+      "btrfs" = pkgs.mobile-nixos.imageBuilder.fileSystem.makeBtrfs;
     };
 
     bootFsImg = fsBuilderMapBoot."${bootFs.fsType}" {
@@ -153,7 +162,7 @@ in
         cp -v ${closureInfo}/registration ./nix-path-registration
       '';
     };
-    img = (pkgs.imageBuilder.diskImage.makeGPT {
+    img = (pkgs.mobile-nixos.imageBuilder.diskImage.makeGPT {
       name = "nixos";
       diskID = vfatUuidFromFs bootFs;
       # leave some space for firmware
@@ -161,7 +170,16 @@ in
       # Tow-Boot manages to do that; not sure how.
       headerHole = cfg.extraGPTPadding;
       partitions = [
-        (pkgs.imageBuilder.gap cfg.firstPartGap)
+        (pkgs.mobile-nixos.imageBuilder.gap cfg.firstPartGap)
+      ] ++ lib.optionals (cfg.platformPartSize != null) [
+        {
+          name = "kernel";  #< TODO: is it safe to rename this?
+          filename = "${config.system.build.platformPartition}";
+          # from: <https://www.chromium.org/chromium-os/chromiumos-design-docs/disk-format>
+          partitionType = "FE3A2A5D-4F32-41A7-B725-ACCC3285A309";
+          length = cfg.platformPartSize;
+        }
+      ] ++ [
         bootFsImg
         nixFsImg
       ];
@@ -171,19 +189,21 @@ in
       };
     };
   in
-  lib.mkIf cfg.enable
   {
-    system.build.img = (if cfg.installBootloader == null then
-      img
-    else pkgs.runCommand "nixos-with-bootloader" {} ''
-      cp -vR ${img} $out
-      chmod -R +w $out
-      ${cfg.installBootloader}
-    '') // {
+    system.build.img = pkgs.runCommandLocal "nixos-with-bootloader" {
       passthru = {
         inherit bootFsImg nixFsImg;
-        withoutBootloader = img;
+        withoutBootloader = img;  #< XXX: this derivation places the image at $out/nixos.img
       };
-    };
+    } (
+      if cfg.installBootloader == null then ''
+        ln -s ${img}/nixos.img $out
+      '' else ''
+        cp ${img}/nixos.img $out
+        chmod +w $out
+        ${cfg.installBootloader}
+        chmod -w $out
+      ''
+    );
   };
 }

modules/programs/default.nix

@@ -529,24 +529,24 @@ let
       "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false."
     ];
 
-    system.checks = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
+    system.checks = lib.mkIf (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
       p.package.passthru.checkSandboxed
     ];
 
     # conditionally add to system PATH and env
     environment = lib.optionalAttrs (p.enabled && p.enableFor.system) {
-      systemPackages = lib.optionals (p.package != null) [ p.package ];
+      systemPackages = lib.mkIf (p.package != null) [ p.package ];
       # sessionVariables are set by PAM, as opposed to environment.variables which goes in /etc/profile
       sessionVariables = p.env;
     };
 
     # conditionally add to user(s) PATH
     users.users = lib.mapAttrs (userName: en: {
-      packages = lib.optionals (p.package != null && en && p.enabled) [ p.package ];
+      packages = lib.mkIf (p.package != null && en && p.enabled) [ p.package ];
     }) p.enableFor.user;
 
     # conditionally persist relevant user dirs and create files
-    sane.users = lib.mapAttrs (user: en: lib.optionalAttrs (en && p.enabled) {
+    sane.users = lib.mapAttrs (user: en: lib.mkIf (en && p.enabled) {
       inherit (p) persist services;
       environment = p.env;
       fs = lib.mkMerge [
@@ -578,7 +578,7 @@ let
 
     # make secrets available for each user
     sops.secrets = lib.concatMapAttrs
-      (user: en: lib.optionalAttrs (en && p.enabled) (
+      (user: en: lib.mkIf (en && p.enabled) (
         lib.mapAttrs'
           (homePath: src: {
             # TODO: use the user's *actual* home directory, don't guess.

nixpatches/02-rpi4-uboot.patch

@@ -1,16 +0,0 @@
-diff --git a/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix b/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix
-index a4352ab9a24..8a191e0f694 100644
---- a/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix
-+++ b/nixos/modules/system/boot/loader/raspberrypi/uboot-builder.nix
-@@ -16,7 +16,10 @@ let
-       else
-         pkgs.ubootRaspberryPi3_32bit
-     else
--      throw "U-Boot is not yet supported on the raspberry pi 4.";
-+      if isAarch64 then
-+        pkgs.ubootRaspberryPi4_64bit
-+      else
-+        pkgs.ubootRaspberryPi4_32bit;
- 
-   extlinuxConfBuilder =
-     import ../generic-extlinux-compatible/extlinux-conf-builder.nix {

nixpatches/2023-03-03-qtbase-cross-compile.patch

@@ -1,21 +0,0 @@
-diff --git a/pkgs/development/libraries/qt-6/modules/qtbase.nix b/pkgs/development/libraries/qt-6/modules/qtbase.nix
-index e71b0a7613d..72779ac57a5 100644
---- a/pkgs/development/libraries/qt-6/modules/qtbase.nix
-+++ b/pkgs/development/libraries/qt-6/modules/qtbase.nix
-@@ -5,6 +5,7 @@
- , version
- , coreutils
- , bison
-+, buildPackages
- , flex
- , gdb
- , gperf
-@@ -224,6 +225,8 @@ stdenv.mkDerivation rec {
-   ] ++ lib.optionals stdenv.isDarwin [
-     # error: 'path' is unavailable: introduced in macOS 10.15
-     "-DQT_FEATURE_cxx17_filesystem=OFF"
-+  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
-+    "-DQT_HOST_PATH=${buildPackages.qt6.full}"
-   ];
- 
-   NIX_LDFLAGS = toString (lib.optionals stdenv.isDarwin [

nixpatches/2023-06-02-qt6-qtwebengine-cross.patch

@@ -1,31 +0,0 @@
-diff --git a/pkgs/development/libraries/qt-6/modules/qtwebengine.nix b/pkgs/development/libraries/qt-6/modules/qtwebengine.nix
-index fadbc5d2bfa..e4f2aec5a32 100644
---- a/pkgs/development/libraries/qt-6/modules/qtwebengine.nix
-+++ b/pkgs/development/libraries/qt-6/modules/qtwebengine.nix
-@@ -97,6 +97,9 @@
- , xnu
- }:
- 
-+let
-+  buildPython = buildPackages.python3.withPackages (ps: with ps; [ html5lib ]);
-+in
- qtModule {
-   pname = "qtwebengine";
-   qtInputs = [ qtdeclarative qtwebchannel qtwebsockets qtpositioning ];
-@@ -108,7 +111,7 @@ qtModule {
-     gperf
-     ninja
-     pkg-config
--    (python3.withPackages (ps: with ps; [ html5lib ]))
-+    buildPython
-     which
-     gn
-     nodejs
-@@ -304,6 +307,7 @@ qtModule {
- 
-   preConfigure = ''
-     export NINJAFLAGS="-j$NIX_BUILD_CORES"
-+    export CMAKE_PREFIX_PATH="${buildPython}/bin:$CMAKE_PREFIX_PATH"
-   '';
- 
-   meta = with lib; {

nixpatches/2023-06-06-jellyfin-no-libsForQt5-callPackage.patch

@@ -1,60 +0,0 @@
-diff --git a/pkgs/applications/video/jellyfin-media-player/default.nix b/pkgs/applications/video/jellyfin-media-player/default.nix
-index e781f80e455..d1990294141 100644
---- a/pkgs/applications/video/jellyfin-media-player/default.nix
-+++ b/pkgs/applications/video/jellyfin-media-player/default.nix
-@@ -1,7 +1,6 @@
- { lib
- , fetchFromGitHub
- , fetchzip
--, mkDerivation
- , stdenv
- , Cocoa
- , CoreAudio
-@@ -12,21 +11,20 @@
- , libGL
- , libX11
- , libXrandr
-+, libsForQt5
- , libvdpau
- , mpv
- , ninja
- , pkg-config
- , python3
--, qtbase
--, qtwayland
--, qtwebchannel
--, qtwebengine
--, qtx11extras
- , jellyfin-web
- , withDbus ? stdenv.isLinux, dbus
- }:
- 
--mkDerivation rec {
-+let
-+  inherit (libsForQt5) qtbase qtwayland qtwebchannel qtwebengine qtx11extras wrapQtAppsHook;
-+in
-+stdenv.mkDerivation rec {
-   pname = "jellyfin-media-player";
-   version = "1.9.1";
- 
-@@ -69,6 +67,7 @@ mkDerivation rec {
-     ninja
-     pkg-config
-     python3
-+    wrapQtAppsHook
-   ];
- 
-   cmakeFlags = [
-diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
-index eb309c9b283..d8a718db698 100644
---- a/pkgs/top-level/all-packages.nix
-+++ b/pkgs/top-level/all-packages.nix
-@@ -5289,7 +5289,7 @@ with pkgs;
- 
-   jellyfin-ffmpeg = callPackage ../development/libraries/jellyfin-ffmpeg { };
- 
--  jellyfin-media-player = libsForQt5.callPackage ../applications/video/jellyfin-media-player {
-+  jellyfin-media-player = callPackage ../applications/video/jellyfin-media-player {
-     inherit (darwin.apple_sdk.frameworks) CoreFoundation Cocoa CoreAudio MediaPlayer;
-     # Disable pipewire to avoid segfault, see https://github.com/jellyfin/jellyfin-media-player/issues/341
-     mpv = wrapMpv (mpv-unwrapped.override { pipewireSupport = false; }) { };

nixpatches/flake.lock

@@ -1,25 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1675123384,
-        "narHash": "sha256-RpU+kboEWlIYwbRMGIPBIcztH63CvmqWN1B8GpJogd4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "e0fa1ece2f3929726c9b98c539ad14b63ae8e4fd",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}

nixpatches/flake.nix

@@ -1,72 +0,0 @@
-{
-  inputs = {
-    # user is expected to define this from their flake via `inputs.nixpkgs.follows = ...`
-    nixpkgs = {};
-  };
-  outputs = { self, nixpkgs, variant ? "master" }@inputs:
-    let
-      patchedPkgsFor = system: nixpkgs.legacyPackages.${system}.applyPatches {
-        name = "nixpkgs-patched-uninsane";
-        version = nixpkgs.sourceInfo.lastModifiedDate;
-        src = nixpkgs;
-        patches = builtins.filter (p: p != null) (
-          nixpkgs.legacyPackages."${system}".callPackage ./list.nix { } variant nixpkgs.lastModifiedDate
-        );
-      };
-      patchedFlakeFor = system: import "${patchedPkgsFor system}/flake.nix";
-      patchedFlakeOutputsFor = system: (patchedFlakeFor system).outputs {
-        self = self // self._forSystem system;
-      };
-
-      extractBuildPlatform = nixosSystemArgs:
-        builtins.foldl'
-          (acc: mod: ((mod.nixpkgs or {}).buildPlatform or {}).system or acc)
-          (nixosSystemArgs.system or null)
-          (nixosSystemArgs.modules or []);
-    in
-    {
-      # i attempt to mirror the non-patched nixpkgs flake outputs,
-      # however the act of patching is dependent on the build system (can't be done in pure nix),
-      # hence a 100% compatible interface has to be segmented by `system`:
-      _forSystem = system: {
-        inherit (patchedFlakeOutputsFor system) lib;
-        legacyPackages = builtins.mapAttrs
-          (system': _:
-            (patchedFlakeOutputsFor (if system != null then system else system'))
-              .legacyPackages."${system'}"
-          )
-          nixpkgs.legacyPackages;
-      };
-
-      # although i can't expose all of the patched nixpkgs outputs without knowing the `system` to use for patching,
-      # several outputs learn about the system implicitly, so i can expose those:
-      lib.nixosSystem = args: (
-        self._forSystem (extractBuildPlatform args)
-      ).lib.nixosSystem args;
-
-      legacyPackages = (self._forSystem null).legacyPackages;
-
-      # sourceInfo includes fields (square brackets for the ones which are not always present):
-      # - [dirtyRev]
-      # - [dirtyShortRev]
-      # - lastModified
-      # - lastModifiedDate
-      # - narHash
-      # - outPath
-      # - [rev]
-      # - [revCount]
-      # - [shortRev]
-      # - submodules
-      #
-      # these values are used within nixpkgs:
-      # - to give a friendly name to the nixos system (`readlink /run/current-system` -> `...nixos-system-desko-24.05.20240227.dirty`)
-      # - to alias `import <nixpkgs>` so that nix uses the system's nixpkgs when called externally (supposedly).
-      #
-      # these values seem to exist both within the `sourceInfo` attrset and at the top-level.
-      # for a list of all implicit flake outputs (which is what these seem to be):
-      # $ nix-repl
-      # > lf .
-      # > <tab>
-      inherit (nixpkgs) sourceInfo;
-    } // nixpkgs.sourceInfo;
-}

overlays/cross.nix

@@ -698,6 +698,12 @@ in with final; {
   #   ];
   # });
 
+  # upstreaming: <https://github.com/NixOS/nixpkgs/pull/317477>
+  libvpx = prev.libvpx.overrideAttrs (upstream: {
+    # fails building neon extensions for armv7l; see <https://github.com/NixOS/nixpkgs/issues/208746>
+    configureFlags = builtins.map (lib.replaceStrings [ "armv7l-linux-gcc" ] [ "armv7-linux-gcc" ]) upstream.configureFlags;
+  });
+
   # 2024/05/31: upstreaming blocked on qtsvg, libgweather, appstream, glycin-loaders
   loupe = prev.loupe.overrideAttrs (upstream: {
     postPatch = (upstream.postPatch or "") + ''
@@ -709,9 +715,9 @@ in with final; {
 
   # 2024/05/31: upstreaming blocked on qtsvg, appstream, maybe others
   mepo = (prev.mepo.override {
-    # nixpkgs mepo correctly puts `zig_0_11.hook` in nativeBuildInputs,
+    # nixpkgs mepo correctly puts `zig_0_12.hook` in nativeBuildInputs,
     # but for some reason that tries to use the host zig instead of the build zig.
-    zig_0_11 = buildPackages.zig_0_11;
+    zig_0_12 = buildPackages.zig_0_12;
   }).overrideAttrs (upstream: {
     dontUseZigCheck = true;
     nativeBuildInputs = upstream.nativeBuildInputs ++ [
@@ -1223,6 +1229,7 @@ in with final; {
   # });
 
   # 2024/05/31: upstreaming is unblocked
+  # implemented: <https://github.com/NixOS/nixpkgs/pull/315119>
   webp-pixbuf-loader = prev.webp-pixbuf-loader.overrideAttrs (upstream: {
     # fixes: "Builder called die: Cannot wrap '/nix/store/kpp8qhzdjqgvw73llka5gpnsj0l4jlg8-gdk-pixbuf-aarch64-unknown-linux-gnu-2.42.10/bin/gdk-pixbuf-thumbnailer' because it is not an executable file"
     # gdk-pixbuf doesn't create a `bin/` directory when cross-compiling, breaks some thumbnailing stuff.

pkgs/additional/delfin/default.nix

@@ -1,84 +0,0 @@
-{ lib
-, stdenv
-, appstream
-, cargo
-, desktop-file-utils
-, fetchFromGitea
-, gitUpdater
-, gtk4
-, libadwaita
-, libglvnd
-, libepoxy
-, meson
-, mpv-unwrapped
-, ninja
-, openssl
-, pkg-config
-, rustc
-, rustPlatform
-, wrapGAppsHook4
-, devBuild ? false, git
-}:
-
-stdenv.mkDerivation rec {
-  pname = "delfin";
-  version = "0.4.4";
-
-  src = if devBuild then fetchFromGitea {
-    domain = "git.uninsane.org";
-    owner = "colin";
-    repo = "delfin";
-    rev = "dev-sane";
-    hash = "sha256-l/Lm9dUtYfWbf8BoqNodF/5s0FzxhI/dyPevcaeyPME=";
-  } else fetchFromGitea {
-    domain = "codeberg.org";
-    owner = "avery42";
-    repo = "delfin";
-    rev = "v${version}";
-    hash = "sha256-qbl0PvGKI3S845xLr0aXf/uk2uuOXMjvu9S3BOPzxa0=";
-  };
-
-  cargoDeps = rustPlatform.fetchCargoTarball {
-    inherit src;
-    name = "${pname}-${version}";
-    hash = "sha256-Js1mIotSOayYDjDVQMqXwaeSC2a1g1DeqD6QmeWwztk=";
-  };
-
-  nativeBuildInputs = [
-    appstream
-    desktop-file-utils
-    meson
-    ninja
-    pkg-config
-    rustPlatform.cargoSetupHook
-    cargo
-    rustc
-    wrapGAppsHook4
-  ] ++ lib.optionals devBuild [
-    git
-  ];
-
-  buildInputs = [
-    gtk4
-    libadwaita
-    libglvnd
-    libepoxy
-    mpv-unwrapped
-    openssl
-  ];
-
-  mesonFlags = lib.optionals (!devBuild) [
-    "-Dprofile=release"
-  ];
-
-  passthru.updateScript = gitUpdater {
-    rev-prefix = "v";
-  };
-
-  meta = with lib; {
-    description = "stream movies and TV shows from Jellyfin";
-    homepage = "https://www.delfin.avery.cafe/";
-    license = licenses.gpl3Only;
-    maintainers = with maintainers; [ colinsane ];
-  };
-}

pkgs/additional/firefox-extensions/bypass-paywalls-clean/default.nix

@@ -38,9 +38,10 @@ stdenv.mkDerivation rec {
 
   passthru = {
     extid = "magnolia@12.34";
-    updateScript = gitUpdater {
-      rev-prefix = "v";
-    };
+    # XXX: disabled because the upstream repo has disappeared, and gitlab auth hangs the updater
+    # updateScript = gitUpdater {
+    #   rev-prefix = "v";
+    # };
   };
 
   meta = {

pkgs/additional/firefox-extensions/default.nix

@@ -1,11 +1,13 @@
 { stdenv
 , callPackage
 , concatTextFile
+, fetchpatch
 , fetchurl
 , gnused
 , jq
 , lib
 , newScope
+, nix-update
 , nix-update-script
 , runCommandLocal
 , strip-nondeterminism
@@ -15,6 +17,18 @@
 , zip
 }:
 let
+  nix-update' = nix-update.overrideAttrs (upstream: {
+    patches = (upstream.patches or []) ++ [
+      (fetchpatch {
+        # u-block releases betas, and worse, deletes them later.
+        # i don't know how to ignore them through the nix-update-script API,
+        # but this patch handles that.
+        name = "github: Use API to properly tag prereleases";
+        url = "https://github.com/Mic92/nix-update/pull/246.patch";
+        hash = "sha256-cwajliS1YMEcS2MtrKtpNn64rWHjwNDLI49LKhnlQYM=";
+      })
+    ];
+  });
   wrapAddon = addon: args:
   let
     extid = addon.passthru.extid;
@@ -111,15 +125,7 @@ let
       cp $src $out
     '';
 
-    passthru.updateScript = nix-update-script {
-      extraArgs = [
-        # uBlock mixes X.YY.ZbN and X.YY.ZrcN style.
-        # default nix-update accepts the former but rejects the later as unstable.
-        # that's problematic because beta releases later get pulled.
-        # ideally i'd reject both, but i don't know how.
-        "--version=unstable"
-      ];
-    };
+    passthru.updateScript = (nix-update-script.override { nix-update = nix-update'; }) { };
     passthru.extid = extid;
   };
 
@@ -139,8 +145,8 @@ in (lib.makeScope newScope (self: with self; {
       extid = "webextension@metamask.io";
       pname = "ether-metamask";
       url = "https://github.com/MetaMask/metamask-extension/releases/download/v${version}/metamask-firefox-${version}.zip";
-      version = "11.16.0";
-      hash = "sha256-GqogHIqPneZ/Ngpf5ICm/LSMB3PIC2OjdZYZ5FSKJrk=";
+      version = "11.16.8";
+      hash = "sha256-32KkO72afC9Cm0siiobkCZKmfZqm8/Z6SJK8KwNdeTw=";
     };
     fx_cast = fetchVersionedAddon rec {
       extid = "fx_cast@matt.tf";
@@ -160,15 +166,15 @@ in (lib.makeScope newScope (self: with self; {
       extid = "sponsorBlocker@ajay.app";
       pname = "sponsorblock";
       url = "https://github.com/ajayyy/SponsorBlock/releases/download/${version}/FirefoxSignedInstaller.xpi";
-      version = "5.6";
-      hash = "sha256-7HnWgGxDtkr0LXIGec+V1ACV/hhKAa3zII+SgMC7GSo=";
+      version = "5.6.1";
+      hash = "sha256-b2FIVcOaRyJjWOTtXT9XrLWzcptcuxKJltDGFjpWPRQ=";
     };
     ublacklist = fetchVersionedAddon rec {
       extid = "@ublacklist";
       pname = "ublacklist";
       url = "https://github.com/iorate/ublacklist/releases/download/v${version}/ublacklist-v${version}-firefox.zip";
-      version = "8.7.0";
-      hash = "sha256-70hdLWU8kfu7VO//aXeBi6HO6LvY20vT61zDw/pdQIg=";
+      version = "8.7.1";
+      hash = "sha256-FvZ2IFlvoAYMmZFXTkGtCZ+44MmXioA271DXvNY96j8=";
     };
     ublock-origin = fetchVersionedAddon rec {
       extid = "uBlock0@raymondhill.net";

pkgs/additional/fractal-nixified/default.nix

@@ -347,6 +347,15 @@ let
         }
       ];
     };
+    matrix-sdk-ui = crates.matrix-sdk-ui // {
+      dependencies = lib.forEach crates.matrix-sdk-ui.dependencies (d:
+        if d.name == "matrix-sdk" then d // {
+          # XXX(2024/06/04): experimental-oidc feature drags in p384, which fails armv7l cross
+          features = lib.remove "experimental-oidc" d.features;
+        } else
+          d
+      );
+    };
   };
 
   cargoNix = import ./Cargo.nix {

pkgs/additional/linux-postmarketos-exynos5/default.nix

@@ -0,0 +1,77 @@
+{ lib
+, linux_6_1
+, linuxManualConfig
+, writeTextFile
+#v nixpkgs calls `.override` on the kernel to configure additional things
+, features ? []
+, randstructSeed ? ""
+, ...
+}@args:
+
+let
+  # TODO: lift to shared module
+  parseKconfigLine = line: let
+    pieces = lib.splitString "=" line;
+  in
+    if lib.hasPrefix "#" (lib.head pieces) then [
+      # this line is a comment.
+      # N.B.: this could be like `# CONFIG_FOO is not set`, which i might want to report as `n`
+    ] else if lib.length pieces == 1 then [
+      # no equals sign: this is probably a blank line
+    ] else [{
+      name = lib.head pieces;
+      # value = parseKconfigValue (lib.concatStringsSep "=" (lib.tail pieces));
+      # nixpkgs kernel config is some real fucking bullshit: it wants a plain string here instead of the structured config it demands eeeeeeverywhere else.
+      value = lib.concatStringsSep "=" (lib.tail pieces);
+    }]
+  ;
+  parseKconfig = wholeStr: let
+    lines = lib.splitString "\n" wholeStr;
+    parsedItems = lib.concatMap parseKconfigLine lines;
+  in
+    lib.listToAttrs parsedItems;
+
+  # remove CONFIG_LOCALVERSION else nixpkgs complains about mismatched modDirVersion
+  KconfigStr = lib.replaceStrings
+    [
+      ''CONFIG_LOCALVERSION="-postmarketos-exynos5"''
+      ''CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y''
+      ''CONFIG_BATTERY_SBS=y''
+    ]
+    [
+      ''CONFIG_LOCALVERSION=''
+      # XXX(2024/06/06): if the bzImage is too large, it fails to boot.
+      # probably an issue with the uboot relocations; not sure exactly what the size limit is.
+      ''CONFIG_CC_OPTIMIZE_FOR_SIZE=y''
+      # XXX(2024/06/06): if this module is loaded before udev, then kernel panic.
+      # see: <repo:NixOS/mobile-nixos:devices/families/mainline-chromeos/default.nix>
+      ''CONFIG_BATTERY_SBS=m''
+    ]
+    (builtins.readFile ./config-postmarketos-exynos5.arm7)
+  + ''
+    #
+    # Extra nixpkgs-specific options
+    # nixos/modules/system/boot/systemd.nix wants CONFIG_DMIID
+    #
+    CONFIG_DMIID=y
+
+    #
+    # Extra sane-specific options
+    #
+    CONFIG_SECURITY_LANDLOCK=y
+    CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf";
+
+  '';
+in linuxManualConfig {
+  inherit (linux_6_1) extraMakeFlags modDirVersion src version;
+  inherit features randstructSeed;
+  kernelPatches = args.kernelPatches or [];
+
+  configfile = writeTextFile {
+    name = "config-postmarketos-exynos5.arm7";
+    text = KconfigStr;
+  };
+  # nixpkgs requires to know the config as an attrset, to do various eval-time assertions.
+  # this forces me to include the Kconfig inline, instead of fetching it the way i do all the other pmOS kernel stuff.
+  config = parseKconfig KconfigStr;
+}

pkgs/additional/mobile-nixos/default.nix

@@ -0,0 +1,19 @@
+{ pkgs
+, fetchFromGitHub
+}:
+let
+  src = fetchFromGitHub {
+    owner = "nixos";
+    repo = "mobile-nixos";
+    # XXX: commit `0f3ac0bef1aea70254a3bae35e3cc2561623f4c1`
+    # replaces the imageBuilder with a "new implementation from celun" and wildly breaks my use.
+    # pinning to d25d3b... is equivalent to holding at 2023-09-15
+    rev = "d25d3b87e7f300d8066e31d792337d9cd7ecd23b";
+    hash = "sha256-MiVokKlpcJmfoGuWAMeW1En7gZ5hk0rCQArYm6P9XCc=";
+  };
+  overlay = import "${src}/overlay/overlay.nix";
+  final = pkgs.appendOverlays [ overlay ];
+in src.overrideAttrs (base: {
+  # passthru only mobile-nixos' own packages -- not the whole nixpkgs-with-mobile-nixos-as-overlay:
+  passthru = base.passthru // (overlay final pkgs);
+})

pkgs/additional/nixpkgs-wayland/default.nix

@@ -0,0 +1,37 @@
+{ pkgs
+, fetchFromGitHub
+, lib
+, nix-update-script
+}:
+let
+  src = fetchFromGitHub {
+    owner = "nix-community";
+    repo = "nixpkgs-wayland";
+    rev = "021a0a37c336730956f5ce741c2a5c0e5c113b40";
+    hash = "sha256-NiBJ7EgvGmDmXy1MG1r++afIzFJBmir2PQ4wmMNIaWw=";
+  };
+  flake = import "${src}/flake.nix";
+  evaluated = flake.outputs {
+    self = evaluated;
+    lib-aggregate.lib = lib // {
+      # mock out flake-utils, which it uses to construct flavored package sets.
+      # we only need the overlay (unflavored)
+      flake-utils.eachSystem = sys: fn: {};
+    };
+  };
+  overlay = evaluated.overlay;
+
+  final = pkgs.appendOverlays [ overlay ];
+in src.overrideAttrs (base: {
+  # attributes required by update scripts
+  pname = "nixpkgs-wayland";
+  version = "0-unstable-2024-06-08";
+  src = src;
+
+  # passthru only nixpkgs-wayland's own packages -- not the whole nixpkgs-with-nixpkgs-wayland-as-overlay:
+  passthru = base.passthru // (overlay final pkgs) // {
+    updateScript = nix-update-script {
+      extraArgs = [ "--version" "branch" ];
+    };
+  };
+})

pkgs/additional/nixpkgs/default.nix

@@ -0,0 +1,90 @@
+# XXX: this is in the bootstrap path;
+# this means it has to be evaluatable using only builtins,
+# though i'm free to include optional functionality (e.g. update scripts) so long as i gate it behind availability checks.
+#
+# branch workflow:
+# - daily:
+#   - nixos-unstable cut from master after enough packages have been built in caches.
+# - every 6 hours:
+#   - master auto-merged into staging and staging-next
+#   - staging-next auto-merged into staging.
+# - manually, approximately once per month:
+#   - staging-next is cut from staging.
+#   - staging-next merged into master.
+#
+# which branch to source from?
+# - nixos-unstable: for everyday development; it provides good caching
+# - master: temporarily if i'm otherwise cherry-picking lots of already-applied patches
+# - staging-next: if testing stuff that's been PR'd into staging, i.e. base library updates.
+# - staging: maybe if no staging-next -> master PR has been cut yet?
+{ variant ? "master"
+, doPatch ? true
+, localSystem ? builtins.currentSystem  #< not available in pure mode
+, system ? localSystem
+#VVV these may or may not be available when called VVV
+, fetchzip ? builtins.fetchTarball
+, nix-update-script ? null
+}:
+let
+  lock = {
+    master.rev = "33605cdf028a6bfb96ce5d6e6e87d4779555f35f";
+    master.sha256 = "sha256-Lp669vFtN0vaCyOmXiA1UWrBXyyTlxYu2cZhaD10gn4=";
+    staging.rev = "33605cdf028a6bfb96ce5d6e6e87d4779555f35f";
+    staging.sha256 = "sha256-Lp669vFtN0vaCyOmXiA1UWrBXyyTlxYu2cZhaD10gn4=";
+    staging-next.rev = "33605cdf028a6bfb96ce5d6e6e87d4779555f35f";
+    staging-next.sha256 = "sha256-Lp669vFtN0vaCyOmXiA1UWrBXyyTlxYu2cZhaD10gn4=";
+  };
+  lock' = lock."${variant}";
+  unpatchedSrc = fetchzip {
+    url = "https://github.com/NixOS/nixpkgs/archive/${lock'.rev}.tar.gz";
+    inherit (lock') sha256;
+  };
+  unpatchedNixpkgs = import unpatchedSrc { inherit localSystem; };
+
+  patchedSrc = unpatchedNixpkgs.applyPatches {
+    name = "nixpkgs-patched-uninsane";
+    # version = ...
+    src = unpatchedSrc;
+    patches = unpatchedNixpkgs.callPackage ./list.nix { };
+    # skip applied patches
+    prePatch = ''
+      realpatch=$(command -v patch)
+      patch() {
+         OUT=$($realpatch "$@") || echo "$OUT" | grep "Skipping patch" -q
+      }
+    '';
+  };
+
+  src = if doPatch then patchedSrc else { outPath = unpatchedSrc; };
+  args = {
+    inherit localSystem;
+    config = {
+      allowUnfree = true;  # NIXPKGS_ALLOW_UNFREE=1
+      allowBroken = true;  # NIXPKGS_ALLOW_BROKEN=1
+    };
+  } // (if (system != localSystem) then {
+    # XXX(2023/12/11): cache.nixos.org uses `system = ...` instead of `hostPlatform.system`, and that choice impacts the closure of every package.
+    # so avoid specifying hostPlatform.system on non-cross builds, so i can use upstream caches.
+    crossSystem = system;
+  } else {});
+
+  nixpkgs = import "${src}" args;
+in
+  # N.B.: this is crafted to allow `nixpkgs.FOO` from other nix code
+  # AND `nix-build -A nixpkgs`
+  if src ? overrideAttrs then
+    src.overrideAttrs (base: {
+      # attributes needed for update scripts
+      pname = "nixpkgs";
+      version = "24.05-unstable-2024-06-08";
+      passthru = (base.passthru or {}) // nixpkgs // {
+        src = unpatchedSrc // {
+          inherit (lock') rev;
+        };
+        updateScript = nix-update-script {
+          extraArgs = [ "--version" "branch" ];
+        };
+      };
+    })
+  else
+    nixpkgs

pkgs/additional/nixpkgs/list.nix

@@ -1,5 +1,4 @@
 { fetchpatch2, fetchurl, lib }:
-variant: date:
 let
   fetchpatch' = {
     saneCommit ? null,
@@ -8,7 +7,6 @@ let
     hash ? null,
     title ? null,
     revert ? false,
-    merged ? {},
   }:
     let
       url = if prUrl != null then
@@ -19,24 +17,19 @@ let
       else
         "https://github.com/NixOS/nixpkgs/commit/${nixpkgsCommit}.patch"
       ;
-      isMerged = merged ? "${variant}" && lib.versionAtLeast date merged."${variant}";
-    in if !isMerged then fetchpatch2 (
+    in fetchpatch2 (
       { inherit revert url; }
       // (if hash != null then { inherit hash; } else {})
       // (if title != null then { name = title; } else {})
-    ) else null;
-in [
-  # if a patch has been merged, use
-  #   merged.staging = "<date>";
-  #   merged.master = "<date>";
-  # etc, where "date" is like "20240228181608"
-  # and can be found with `nix-repl  > :lf .  > lastModifiedDate`
-
-  (fetchpatch' {
-    title = "networkmanager: 1.46.0 → 1.48.0";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/316417";
-    hash = "sha256-LfQyB3tzQa3UNyZl9HWCuoyBznIhinodlTL6TnPn0Uk=";
-  })
+    );
+in
+[
+  # TODO: apply this once it's fixed for aarch64
+  # (fetchpatch' {
+  #   title = "libvpx: fix cross compiling for armv7";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/317477";
+  #   hash = "sha256-5W/5/u2CXJJEgTjPx/do6SRZ6WEfhlAi/qXYS/Lsb14=";
+  # })
 
   (fetchpatch' {
     title = "nixos/networkmanager: split ModemManager bits into own module";
@@ -60,7 +53,8 @@ in [
 
   # branch: wip-ffado-cross
   (fetchpatch' {
-    # TODO: send out for review (after jtolnar's stuff is merged)
+    # TODO: send out for review (after jtojnar's stuff is merged)
+    # - <https://github.com/NixOS/nixpkgs/pull/306407>
     title = "ffado: support cross compilation";
     saneCommit = "001fe13a735cb9c6fad80525531e863f949e1495";
     hash = "sha256-rVsFR8vRTHqFJgDQFHI/E0LtllqKr79FyR92HPeLUb8=";
@@ -80,8 +74,8 @@ in [
     hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
   })
 
-  # 2024/02/25: still outstanding
   # (fetchpatch' {
+  #   # 2024/06/08: still outstanding
   #   title = "hspell: remove build perl from runtime closure";
   #   prUrl = "https://github.com/NixOS/nixpkgs/pull/263182";
   #   hash = "sha256-Wau+PB+EUQDvWX8Kycw1sNrM3GkPVjKSS4niIDI0sjM=";
@@ -166,18 +160,6 @@ in [
   #   hash = "sha256-oQEM3EZfAOmfZzDu9faCqyOFZsdHYGn1mVBgkxt68Zg=";
   # })
 
-  # (fetchpatch {
-  #   # stdenv: fix cc for pseudo-crosscompilation
-  #   # closed because it breaks pkgsStatic (as of 2023/02/12)
-  #   url = "https://github.com/NixOS/nixpkgs/pull/196497.diff";
-  #   hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
-  # })
-
-  # for raspberry pi: allow building u-boot for rpi 4{,00}
-  # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
-  #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
-  # ./02-rpi4-uboot.patch
-
   # (fetchpatch' {
   #   title = "gnustep: remove `rec` to support `overrideScope`";
   #   saneCommit = "69162cbf727264e50fc9d7222a03789d12644705";
@@ -206,28 +188,4 @@ in [
   #   saneCommit = "7a4191c570b0e5a1ab257222c26a4a2ecb945037";
   #   hash = "sha256-FiPJhHGqZ8MFwLY+1t6HgbK6ndomFSYUKvApvrikRHE=";
   # })
-
-  # (fetchpatch' {
-  #   # doesn't apply cleanly. use build result in <working/zcash>
-  #   title = "zcash: 5.4.2 -> 5.7.0";
-  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/229810";
-  #   hash = "sha256-ProoPJ10rUtOZh2PzpegviG6Ip1zSuWC92BpP+ux9ZQ=";
-  # })
-  # (fetchpatch' {
-  #   # disabled, at least until the PR is updated to use `pkg-config` instead of `pkgconfig`.
-  #   # the latter is an alias, which breaks nix-index
-  #   title = "phog: init at 0.1.3";
-  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/251249";
-  #   hash = "sha256-e38Z7sO7xDQHzE9UOfbptc6vJuONE5eP9JFp2Nzx53E=";
-  # })
-
-  # fix qt6.qtbase and qt6.qtModule to cross-compile.
-  # unfortunately there's some tangle that makes that difficult to do via the normal `override` facilities
-  # ./2023-03-03-qtbase-cross-compile.patch
-
-  # qt6 qtwebengine: specify `python` as buildPackages
-  # ./2023-06-02-qt6-qtwebengine-cross.patch
-
-  # Jellyfin: don't build via `libsForQt5.callPackage`
-  # ./2023-06-06-jellyfin-no-libsForQt5-callPackage.patch
 ]

pkgs/additional/sane-backgrounds/default.nix

@@ -1,3 +1,8 @@
+# NixOS backgrounds:
+# - <https://github.com/NixOS/nixos-artwork>
+#   - <https://github.com/NixOS/nixos-artwork/issues/50>  (colorful; unmerged)
+#   - <https://github.com/NixOS/nixos-artwork/pull/60/files>  (desktop-oriented; clean; unmerged)
+# - <https://itsfoss.com/content/images/2023/04/nixos-tutorials.png>
 { stdenv
 , inkscape
 }:

pkgs/additional/signal-desktop-from-src/default.nix

@@ -118,7 +118,7 @@
 , yarn
 }:
 let
-  version = "7.8.0";
+  version = "7.11.1";
 
   ringrtcPrebuild = fetchurl {
     # version is found in signal-desktop's package.json as "@signalapp/ringrtc"
@@ -165,11 +165,11 @@ let
     repo = "Signal-Desktop";
     leaveDotGit = true;  # signal calculates the release date via `git`
     rev = "v${version}";
-    hash = "sha256-CBcLk54cu4PGGZbQsPeYjjWnRFmFPxM9+mxLdQKCPP0=";
+    hash = "sha256-A+VcVo+avtIg7IbO1NWaG2nitnFG5mRfB55wgSiDsbA=";
   };
   yarnOfflineCache = fetchYarnDeps {
     yarnLock = "${src}/yarn.lock";
-    hash = "sha256-ImkJyphN0YfXOUuU14HII/3798kbQ4iwgXr600k4PHU=";
+    hash = "sha256-q9kBoGXti37sgNhhYTqw+w8NHO35zp+v77mxKQTqv7g=";
   };
 
   nodejs' = mkNodeJs pkgs;
@@ -400,8 +400,8 @@ stdenv.mkDerivation rec {
   passthru = {
     # inherit bettersqlitePatch signal-fts5-extension;
     updateScript = gitUpdater {
-      # TODO: prevent update to betas
       rev-prefix = "v";
+      ignoredVersions = "beta";
     };
     nodejs = nodejs';
     buildYarn = buildYarn;

pkgs/additional/sops-nix/default.nix

@@ -0,0 +1,36 @@
+{ pkgs
+, fetchFromGitHub
+, nix-update-script
+}:
+let
+  src = fetchFromGitHub {
+    owner = "Mic92";
+    repo = "sops-nix";
+    rev = "d4555e80d80d2fa77f0a44201ca299f9602492a0";
+    hash = "sha256-8Q6mKSsto8gaGczXd4G0lvawdAYLa5Dlh3/g4hl5CaM=";
+  };
+  flake = import "${src}/flake.nix";
+  evaluated = flake.outputs {
+    self = evaluated;
+    nixpkgs = pkgs;
+    nixpkgs-stable = pkgs;  #< shameless lie :)
+  };
+  overlay = evaluated.overlays.default;
+  final = pkgs.appendOverlays [ overlay ];
+in src.overrideAttrs (base: {
+  # attributes required by update scripts
+  pname = "sops-nix";
+  # nix-update-script insists on this weird `assets-` version format
+  version = "assets-unstable-2024-06-03";
+  src = src;
+
+  passthru = base.passthru
+    // (overlay final pkgs)
+    // { inherit (evaluated) nixosModules; }
+    // {
+      updateScript = nix-update-script {
+        extraArgs = [ "--version" "branch" ];
+      };
+    }
+  ;
+})

pkgs/additional/sysvol/default.nix

@@ -3,49 +3,47 @@
 , gtk4-layer-shell
 , gtkmm4
 , pkg-config
-, pulseaudio
+, nix-update-script
+, wireplumber
 , wrapGAppsHook4
 }:
-stdenv.mkDerivation (finalAttrs: {
+stdenv.mkDerivation {
   pname = "sysvol";
-  version = "0-unstable-2024-04-11";
+  version = "0-unstable-2024-06-07";
 
   src = fetchFromGitHub {
-    owner = "AmirDahan";
+    owner = "System64fumo";
     repo = "sysvol";
-    rev = "a26809de285ee194436bc55ef701476765c5b15e";
-    hash = "sha256-WiFm5SRQV2up9EBCR9oF0p9F+DQHDQZhxsaUuvpbMw8=";
+    rev = "56d7dcda4b246e71b2c6d29cbb2315bddf446032";
+    hash = "sha256-WOcy2R0El1vl57Zimb7Hoh9XYTnH/zJS1n+gcaTU4V8=";
   };
-  postPatch = let
-    # i don't know how else to escape this
-    var = v: lib.concatStrings [ "$" "{" v "}" ];
-  in ''
+  postPatch = ''
     substituteInPlace Makefile \
-      --replace-fail 'pkg-config' '${var "PKG_CONFIG"}' \
-      --replace-fail 'g++' '${var "CXX"}' \
-      --replace-fail 'strip sysvol' ""
+      --replace-fail 'pkg-config' ''${PKG_CONFIG}
   '';
 
   nativeBuildInputs = [
     pkg-config
     wrapGAppsHook4  #< to plumb `GDK_PIXBUF_MODULE_FILE` through, and get not-blurry icons
   ];
+
   buildInputs = [
     gtk4-layer-shell
     gtkmm4
-    pulseaudio
+    wireplumber
   ];
 
-  installPhase = ''
-    mkdir -p $out/bin
-    install -m755 sysvol $out/bin/sysvol
-  '';
+  makeFlags = [ "DESTDIR=${placeholder "out"}" ];
+
+  passthru.updateScript = nix-update-script {
+    extraArgs = [ "--version" "branch" ];
+  };
 
   meta = {
     description = "A basic GTK4 volume indicator";
-    inherit (finalAttrs.src.meta) homepage;
+    homepage = "https://github.com/System64fumo/sysvol";
     mainProgram = "sysvol";
     platforms = lib.platforms.linux;
     maintainers = with lib.maintainers; [ colinsane ];
   };
-})
+}

pkgs/additional/uassets/default.nix

@@ -5,12 +5,12 @@
 }:
 stdenv.mkDerivation {
   pname = "uassets";
-  version = "0-unstable-2024-05-27";
+  version = "0-unstable-2024-06-08";
   src = fetchFromGitHub {
     owner = "uBlockOrigin";
     repo = "uAssets";
-    rev = "deb1f47b49461e1c2f307931fc6a02c76137168b";
-    hash = "sha256-IhzNUSkGnGuY9YBq9rN7l2rwxHzRMQTp3aPJ6xF46lU=";
+    rev = "e79260cc653865b9b562e1153d0b7c5e2b93a0a9";
+    hash = "sha256-2qnrB+GV5LXlA5TgstbOc/YRewuExYtAQakfrE1XuuQ=";
   };
 
   dontBuild = true;

pkgs/additional/uninsane-dot-org/default.nix

@@ -0,0 +1,12 @@
+{ callPackage
+, fetchFromGitea
+}:
+let
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "uninsane";
+    rev = "e6f88f563bdd1700c04018951de4f69862646dd1";
+    hash = "sha256-h1EdA/h74zgNPNEYbH+0mgOMlJgLVcxuZ8/ewsZlgEc=";
+  };
+in callPackage "${src}/default.nix" { }

pkgs/default.nix

@@ -5,7 +5,7 @@
 # using the correct invocation is critical if any packages mentioned here are
 # additionally patched elsewhere
 #
-{ pkgs ? import <nixpkgs> {}, final ? null }:
+{ pkgs ? import ./additional/nixpkgs { }, final ? null }:
 let
   lib = pkgs.lib;
   unpatched = pkgs;
@@ -28,7 +28,6 @@ let
     chatty-latest = callPackage ./additional/chatty-latest { };
     codemadness-frontends = callPackage ./additional/codemadness-frontends { };
     codemadness-frontends_0_6 = codemadness-frontends.v0_6;
-    delfin = callPackage ./additional/delfin { };
     eg25-control = callPackage ./additional/eg25-control { };
     eg25-manager = callPackage ./additional/eg25-manager { };
     feeds = lib.recurseIntoAttrs (callPackage ./additional/feeds { });
@@ -56,12 +55,21 @@ let
     # XXX: eval error: need to port past linux_6_4
     # linux-manjaro = callPackage ./additional/linux-manjaro { };
     linux-megous = callPackage ./additional/linux-megous { };
-    linux-postmarketos = callPackage ./additional/linux-postmarketos { };
+    linux-postmarketos = callPackage ./additional/linux-postmarketos { };  #< TODO: rename -> linux-postmarketos-allwinner
+    linux-postmarketos-exynos5 = callPackage ./additional/linux-postmarketos-exynos5 { };
     mcg = callPackage ./additional/mcg { };
     megapixels-next = callPackage ./additional/megapixels-next { };
+    mobile-nixos = callPackage ./additional/mobile-nixos { };
     modemmanager-split = callPackage ./additional/modemmanager-split { };
     mx-sanebot = callPackage ./additional/mx-sanebot { };
     networkmanager-split = callPackage ./additional/networkmanager-split { };
+    nixpkgs = callPackage ./additional/nixpkgs {
+      localSystem = stdenv.buildPlatform.system;
+      system = stdenv.hostPlatform.system;
+    };
+    nixpkgs-staging = nixpkgs.override { variant = "staging"; };
+    nixpkgs-next = nixpkgs.override { variant = "staging-next"; };
+    nixpkgs-wayland = callPackage ./additional/nixpkgs-wayland { };
     peerswap = callPackage ./additional/peerswap { };
     phog = callPackage ./additional/phog { };
     pipeline = callPackage ./additional/pipeline { };
@@ -77,6 +85,7 @@ let
     sanebox = callPackage ./additional/sanebox { };
     schlock = callPackage ./additional/schlock { };
     signal-desktop-from-src = callPackage ./additional/signal-desktop-from-src { };
+    sops-nix = callPackage ./additional/sops-nix { };
     static-nix-shell = callPackage ./additional/static-nix-shell { };
     sublime-music-mobile = callPackage ./additional/sublime-music-mobile { };
     swaylock-mobile = callPackage ./additional/swaylock-mobile { };
@@ -89,6 +98,7 @@ let
     tree-sitter-nix-shell = callPackage ./additional/tree-sitter-nix-shell { };
     trivial-builders = lib.recurseIntoAttrs (callPackage ./additional/trivial-builders { });
     uassets = callPackage ./additional/uassets { };
+    uninsane-dot-org = callPackage ./additional/uninsane-dot-org { };
     wvkbd-mk = callPackage ./additional/wvkbd-mk { };
     inherit (trivial-builders)
       copyIntoOwnPackage

pkgs/python-packages/default.nix

@@ -1,5 +1,6 @@
 { callPackage, pkgs }:
 {
+  depthcharge-tools = callPackage ./depthcharge-tools { };
   feedsearch-crawler = callPackage ./feedsearch-crawler { };
   pa-dlna = callPackage ./pa-dlna { };
   pyln-bolt7 = callPackage ./pyln-bolt7 { };

pkgs/python-packages/depthcharge-tools/default.nix

@@ -0,0 +1,30 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, setuptools
+}: buildPythonPackage rec {
+  pname = "depthcharge-tools";
+  version = "0.6.2";
+  format = "setuptools";
+
+  src = fetchFromGitHub {
+    owner = "alpernebbi";
+    repo = "depthcharge-tools";
+    rev = "v${version}";
+    hash = "sha256-3xPRNDUXLOwYy8quMfYSiBfzQl4peauTloqtZBGbvlw=";
+  };
+
+  propagatedBuildInputs = [
+    setuptools  #< needs `pkg_resources` at runtime
+  ];
+
+  pythonImportsCheck = [
+    "depthcharge_tools"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/alpernebbi/depthcharge-tools";
+    description = "Tools to manage the Chrome OS bootloader";
+    maintainers = with maintainers; [ colinsane ];
+  };
+}

scripts/update

@@ -1,14 +1,68 @@
 #!/bin/sh
 
+showHelp() {
+  echo "update: updates flake inputs"
+  echo "usage: update [flags] [input [input ...]]"
+  echo ""
+  echo "flags:"
+  echo "  --help"
+  echo "  --dry-run"
+  echo "inputs:"
+  echo "  all: update every input"
+  echo "  safe: update inputs which rarely break the build, or are trivial to patch"
+  echo "  unsafe: update inputs which may be annoying to patch if they break the build"
+  echo "  nixpkgs"
+  echo "  next"
+}
+
 inputs=()
+dryRun=
+
+parseArgs() {
+  for arg in "$@"; do
+    case $arg in
+      (--help)
+        showHelp
+        exit 1
+        ;;
+      (--dry-run)
+        dryRun=1
+        ;;
+      (*)
+        addInputs "$arg"
+        ;;
+    esac
+  done
+  # if no inputs were specified, assume "all"
+  if [ ${#inputs} -eq 0 ]; then
+    addInputs all
+  fi
+}
+
+# add $1 to `inputs` array, after parsing it
 addInputs() {
   case $1 in
+    (all)
+      addInputs safe
+      addInputs unsafe
+      ;;
+    (next)
+      addInputs nixpkgs-next-unpatched
+      addInputs nixpkgs-staging-unpatched
+      ;;
     (safe)
-      inputs+=(uninsane-dot-org nixpkgs-unpatched nixpkgs-next-unpatched sops-nix)
+      addInputs next
+      addInputs nixpkgs-unpatched
+      addInputs sops-nix
+      addInputs uninsane-dot-org
       ;;
     (unsafe)
       # these tend to break more frequently
-      inputs+=(mobile-nixos nixpkgs-wayland)
+      addInputs mobile-nixos
+      addInputs nixpkgs-wayland
+      ;;
+    (mobile-nixos|nixpkgs-next-unpatched|nixpkgs-staging-unpatched|nixpkgs-unpatched|nixpkgs-wayland|sops-nix|uninsane-dot-org)
+      inputs+=("$1")
       ;;
     (*)
       echo "unknown input '$1'"
@@ -17,19 +71,21 @@ addInputs() {
   esac
 }
 
-case "$1" in
-  (all|"")
-    addInputs "safe"
-    addInputs "unsafe"
-    ;;
-  (*)
-    addInputs "$1"
-    ;;
-esac
+# exec $@, unless we're in a dry-run in which case just print what would be done
+doEffect() {
+  if [ -n "$dryRun" ]; then
+    echo "dry-run: $*"
+  else
+    "$@"
+  fi
+}
+
+parseArgs "$@"
 
 echo "updating:" "${inputs[@]}"
 nixFlags=()
 for i in "${inputs[@]}"; do
   nixFlags+=("--update-input" "$i")
 done
-nix flake lock "${nixFlags[@]}"
+
+doEffect nix flake lock "${nixFlags[@]}"

templates/pkgs/python/default.nix

@@ -0,0 +1,28 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+}: buildPythonPackage {
+  pname = "mypackage";
+  version = "0.1-unstable-2024-06-04";
+  format = "pyproject";  # or setuptools
+
+  src = fetchFromGitHub {
+    owner = "owner";
+    repo = "repo";
+    rev = "${version}";
+  };
+
+  propagatedBuildInputs = [
+    # other python modules this depends on, if this package is supposed to be importable
+  ];
+
+  pythonImportsCheck = [
+    "mymodule"
+  ];
+
+  meta = with lib; {
+    homepage = "https://example.com";
+    description = "python template project";
+    maintainers = with maintainers; [ colinsane ];
+  };
+}