python3Packages.listparser: grab from nixpkgs patch instead

nixpkgs-wayland: 2024-06-21 -> 2024-06-23
nixpkgs: 2024-06-21 -> 2024-06-24
2024-06-24 15:07:19 +00:00 · 2024-06-24 14:21:48 +00:00 · 2024-06-24 14:21:19 +00:00 · 2024-06-24 14:20:58 +00:00 · 2024-06-24 14:20:37 +00:00 · 2024-06-24 14:19:14 +00:00
413 changed files with 26666 additions and 17679 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,6 +3,7 @@ keys:
  - &user_lappy_colin age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
  - &user_servo_colin age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
  - &user_moby_colin age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
+  - &host_crappy age1hl50ufuxnqy0jnk8fqeu4tclh4vte2xn2d59pxff0gun20vsmv5sp78chj
  - &host_desko age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
  - &host_lappy age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
  - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
@ -15,6 +16,7 @@ creation_rules:
      - *user_lappy_colin
      - *user_servo_colin
      - *user_moby_colin
+      - *host_crappy
      - *host_desko
      - *host_lappy
      - *host_servo
--- a/README.md
+++ b/README.md
@ -2,6 +2,8 @@

 # .❄️≡We|_c0m3 7o m`/ f14k≡❄️.

+(er, it's not a flake anymore. welcome to my nix files.)
+
 ## What's Here

 this is the top-level repo from which i configure/deploy all my NixOS machines:
@ -16,7 +18,6 @@ building [hosts/](./hosts/) will require [sops][sops].

 you might specifically be interested in these files (elaborated further in #key-points-of-interest):
 - ~~[`sxmo-utils`](./pkgs/additional/sxmo-utils/default.nix)~~
-  - ~~[example SXMO deployment](./hosts/modules/gui/sxmo/default.nix)~~
  - these files will remain until my config settles down, but i no longer use or maintain SXMO.
 - [my implementation of impermanence](./modules/persist/default.nix)
 - my way of deploying dotfiles/configuring programs per-user:
@ -30,11 +31,7 @@ you might specifically be interested in these files (elaborated further in #key-

 ## Using This Repo In Your Own Config

-this should be a pretty "standard" flake. just reference it, and import either
- `nixosModules.sane` (for the modules)
- `overlays.pkgs` (for the packages)
-
-or follow the instructions [here][NUR] to use it via the Nix User Repositories.
+follow the instructions [here][NUR] to access my packages through the Nix User Repositories.

 [NUR]: https://nur.nix-community.org/

@ -42,19 +39,15 @@ or follow the instructions [here][NUR] to use it via the Nix User Repositories.
 - `doc/`
  - instructions for tasks i find myself doing semi-occasionally in this repo.
 - `hosts/`
-  - the bulk of config which isn't factored with external use in mind.
+  - configs which aren't factored with external use in mind.
  - that is, if you were to add this repo to a flake.nix for your own use,
    you won't likely be depending on anything in this directory.
 - `integrations/`
-  - code intended for consumption by external tools (e.g. the Nix User Repos)
+  - code intended for consumption by external tools (e.g. the Nix User Repos).
 - `modules/`
-  - config which is gated behind `enable` flags, in similar style to nixpkgs'
-    `nixos/` directory.
-  - if you depend on this repo, it's most likely for something in this directory.
- `nixpatches/`
-  - literally, diffs i apply atop upstream nixpkgs before performing further eval.
+  - config which is gated behind `enable` flags, in similar style to nixpkgs' `nixos/` directory.
+  - if you depend on this repo for anything besides packages, it's most likely for something in this directory.
 - `overlays/`
-  - exposed via the `overlays` output in `flake.nix`.
  - predominantly a list of `callPackage` directives.
 - `pkgs/`
  - derivations for things not yet packaged in nixpkgs.
@ -62,13 +55,12 @@ or follow the instructions [here][NUR] to use it via the Nix User Repositories.
  - inline code for wholly custom packages (e.g. `pkgs/additional/sane-scripts/` for CLI tools
    that are highly specific to my setup).
 - `scripts/`
-  - scripts which aren't reachable on a deployed system, but may aid manual deployments
+  - scripts which aren't reachable on a deployed system, but may aid manual deployments.
 - `secrets/`
  - encrypted keys, API tokens, anything which one or more of my machines needs
    read access to but shouldn't be world-readable.
-  - not much to see here
+  - not much to see here.
 - `templates/`
-  - exposed via the `templates` output in `flake.nix`.
  - used to instantiate short-lived environments.
  - used to auto-fill the boiler-plate portions of new packages.

--- a/TODO.md
+++ b/TODO.md
@ -1,25 +1,39 @@
 ## BUGS
- moby: my mobile ISP is adding spoofed AAAA records that break things like wireguard
-  - it only does this when i use their DNS resolvers though: if i run my own recursive resolver, they won't mess with it.
- moby: mpv uosc always starts at 40% volume
-  - is this just mpv remembering its last-played volume?
- moby: rofi crashes sporadically
+- `rmDbusServices` may break sandboxing
+  - e.g. if the package ships a systemd unit which references $out, then make-sandboxed won't properly update that unit.
+  - `rmDbusServicesInPlace` is not affected
+- when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/trust-dns/dhcp-configs doesn't get reset
+  - `ip monitor` can detect those manual link state changes (NM-dispatcher it seems cannot)
+  - or try dnsmasq?
+- trust-dns: can't recursively resolve api.mangadex.org
+  - and *sometimes* apple.com fails
+- sandbox: link cache means that if i update ~/.config/... files inline, sandboxed programs still see the old version
+- mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed
 - mpv: no way to exit fullscreen video on moby
  - uosc hides controls on FS, and touch doesn't support unhiding
- i accidentally create sub-splits in sway all the time
-  - especially on moby => unusable
-  - like toplevel is split L/R, and then the L is a tabbed view and the R is a tabbed view
 - Signal restart loop drains battery
  - decrease s6 restart time?
 - `ssh` access doesn't grant same linux capabilities as login
 - ringer (i.e. dino incoming call) doesn't prevent moby from sleeping
- sway mouse/kb hotplug doesn't work
- `nix` operations from lappy hang when `desko` is unreachable
-  - could at least direct the cache to `http://desko-hn:5001`
- sysvol (volume overlay): when casting with `blast`, sysvol doesn't react to volume changes
+- syshud (volume overlay): when casting with `blast`, syshud doesn't react to volume changes
+- moby: kaslr is effectively disabled
+  - `dmesg | grep "KASLR disabled due to lack of seed"`
+  - fix by adding `kaslrseed` to uboot script before `booti`
+    - <https://github.com/armbian/build/pull/4352>
+    - not sure how that's supposed to work with tow-boot; maybe i should just update tow-boot
+- moby: bpf is effectively disabled?
+  - `dmesg | grep 'systemd[1]: bpf-lsm: Failed to load BPF object: No such process'`
+  - `dmesg | grep 'hid_bpf: error while preloading HID BPF dispatcher: -22'`
+- `s6` is not re-entrant
+  - so if the desktop crashes, the login process from `unl0kr` fails to re-launch the GUI
+- swaync brightness slider does not work
+  - it reads brightness from /sys/class/backlight/....
+  - but to *set* the brightness it assumes systemd logind is running
+    <repo:ErikReider/SwayNotificationCenter:src/controlCenter/widgets/backlight/backlightUtil.vala>
+    no reason i can't just write to that file, or exec brightnessctl (if i learn vala)

 ## REFACTORING:
- REMOVE DEPRECATED `crypt` from sftpgo_auth_hook
+- add import checks to my Python nix-shell scripts
 - consolidate ~/dev and ~/ref
  - ~/dev becomes a link to ~/ref/cat/mine
 - fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix
@ -36,15 +50,20 @@

 ### upstreaming
 - add updateScripts to all my packages in nixpkgs
- REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>

 #### upstreaming to non-nixpkgs repos
 - gtk: build schemas even on cross compilation: <https://github.com/NixOS/nixpkgs/pull/247844>


 ## IMPROVEMENTS:
+- systemd/journalctl: use a less shit pager
+  - there's an env var for it: SYSTEMD_PAGER? and a flag for journalctl
+- kernels: ship the same kernel on every machine
+  - then i can tune the kernels for hardening, without duplicating that work 4 times
+- zfs: replace this with something which doesn't require a custom kernel build
+- mpv: add media looping controls (e.g. loop song, loop playlist)
+
 ### security/resilience
- add FTPS support for WAN users of uninsane.org (and possibly require it?)
 - validate duplicity backups!
 - encrypt more ~ dirs (~/archives, ~/records, ..?)
  - best to do this after i know for sure i have good backups
@ -61,24 +80,25 @@
    - <https://github.com/flatpak/xdg-dbus-proxy>
  - remove `.ssh` access from Firefox!
    - limit access to `~/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
-  - port sane-sandboxed to a compiled language (hare?)
+  - port sanebox to a compiled language (hare?)
    - it adds like 50-70ms launch time _on my laptop_. i'd hate to know how much that is on the pinephone.
-  - remove /run/wrappers from the sandbox path
-    - they're mostly useless when using no-new-privs, just an opportunity to forget to specify deps
 - make dconf stuff less monolithic
  - i.e. per-app dconf profiles for those which need it. possible static config.
+  - flatpak/spectrum has some stuff to proxy dconf per-app
 - canaries for important services
  - e.g. daily email checks; daily backup checks
  - integrate `nix check` into Gitea actions?

 ### user experience
 - rofi: sort items case-insensitively
- give `mpv` better `nice`ness?
 - xdg-desktop-portal shouldn't kill children on exit
  - *maybe* a job for `setsid -f`?
 - replace starship prompt with something more efficient
  - watch `forkstat`: it does way too much
- cleanup waybar so that it's not invoking playerctl every 2 seconds
+- cleanup waybar/nwg-panel so that it's not invoking playerctl every 2 seconds
+  - nwg-panel: swaync icon is stuck as the refresh icon
+  - nwg-panel: doesn't appear on all desktops
+  - nwg-panel: doesn't know that virtual-desktop 10/TV exists
 - install apps:
  - display QR codes for WiFi endpoints: <https://linuxphoneapps.org/apps/noappid.wisperwind.wifi2qr/>
  - shopping list (not in nixpkgs): <https://linuxphoneapps.org/apps/ro.hume.cosmin.shoppinglist/>
@ -86,8 +106,9 @@
  - offline docs viewer (gtk): <https://github.com/workbenchdev/Biblioteca>
  - some type of games manager/launcher
    - Gnome Highscore (retro games)?: <https://gitlab.gnome.org/World/highscore>
-  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)? Gnome Maps is improved in 45)
+  - better maps for mobile (Osmin (QtQuick)? Pure Maps (Qt/Kirigami)?
  - note-taking app: <https://linuxphoneapps.org/categories/note-taking/>
+    - Folio is nice, uses standard markdown, though it only supports flat repos
  - OSK overlay specifically for mobile gaming
    - i.e. mock joysticks, for use with SuperTux and SuperTuxKart
 - install mobile-friendly games:
@ -110,11 +131,10 @@
  - add option to change audio output
  - fix colors (red alert) to match overall theme
 - moby: tune GPS
-  - run only geoclue, and not gpsd, to save power?
  - tune QGPS setting in eg25-control, for less jitter?
-  - direct mepo to prefer gpsd, with fallback to geoclue, for better accuracy?
  - configure geoclue to do some smoothing?
-  - manually do smoothing, as some layer between mepo and geoclue/gpsd?
+  - manually do smoothing, as some layer between mepo and geoclue?
+- moby: port `freshen-agps` timer service to s6 (maybe i want some `s6-cron` or something)
 - moby: show battery state on ssh login
 - moby: improve gPodder launch time
 - moby: theme GTK apps (i.e. non-adwaita styles)
@ -143,6 +163,10 @@

 ### perf
 - debug nixos-rebuild times
+  - use `systemctl list-jobs` to show what's being waited on
+  - i think it's `systemd-networkd-wait-online.service` that's blocking this?
+    - i wonder what interface it's waiting for. i should use `--ignore=...` to ignore interfaces i don't care about.
+  - also `wireguard-wg-home.target` when net is offline
 - add `pkgs.impure-cached.<foo>` package set to build things with ccache enabled
  - every package here can be auto-generated, and marked with some env var so that it doesn't pollute the pure package set
  - would be super handy for package prototyping!
--- a/default.nix
+++ b/default.nix
@ -1,9 +1,5 @@
-# limited, non-flake interface to this repo.
-# this file exposes the same view into `pkgs` which the flake would see when evaluated.
-#
-# the primary purpose of this file is so i can run `updateScript`s which expect
-# the root to be `default.nix`
-{ pkgs ? import <nixpkgs> {} }:
-pkgs.appendOverlays [
-  (import ./overlays/all.nix)
-]
+{ ... }@args:
+let
+  sane-nix-files = import ./pkgs/additional/sane-nix-files { };
+in
+  import "${sane-nix-files}/impure.nix" args
--- a/doc/adding-a-host.md
+++ b/doc/adding-a-host.md
@ -0,0 +1,25 @@
+to add a host:
+- create the new nix targets
+  - hosts/by-name/HOST
+  - let the toplevel (flake.nix) know about HOST
+- build and flash an image
+- optionally expand the rootfs
+  - `cfdisk /dev/sda2` -> resize partition
+  - `mount /dev/sda2 boot`
+  - `btrfs filesystem resize max root`
+- setup required persistent directories
+  - `mkdir -p root/persist/private`
+  - `gocryptfs -init root/persist/private`
+  - then boot the device, and for every dangling symlink in ~/.local/share, ~/.cache, do `mkdir -p` on it
+- setup host ssh
+  - `mkdir -p root/persist/plaintext/etc/ssh/host_keys`
+  - boot the machine and let it create its own ssh keys
+  - add the pubkey to `hosts/common/hosts.nix`
+- setup user ssh
+  - `ssh-keygen`. don't enter any password; it's stored in a password-encrypted fs.
+  - add the pubkey to `hosts/common/hosts.nix`
+- allow the new host to view secrets
+  - instructions in hosts/common/secrets.nix
+  - run `ssh-to-age` on user/host pubkeys
+  - add age key to .sops.yaml
+  - update encrypted secrets: `sops updatekeys path/to/secret.yaml`
--- a/doc/recovery.md
+++ b/doc/recovery.md
@ -0,0 +1,12 @@
+## deploying to SD card
+- build a toplevel config: `nix build '.#hostSystems.moby'`
+- mount a system:
+  - `mkdir -p root/{nix,boot}`
+  - `mount /dev/sdX1 root/boot`
+  - `mount /dev/sdX2 root/nix`
+- copy the config:
+  - `sudo nix copy --no-check-sigs --to root/ $(readlink result)`
+    - nix will copy stuff to `root/nix/store`
+- install the boot files:
+  - `sudo /nix/store/sbwpwngjlgw4f736ay9hgi69pj3fdwk5-extlinux-conf-builder.sh -d ./root/boot -t 5 -c $(readlink ./result)`
+    - extlinux-conf-builder can be found in `/run/current-system/bin/switch-to-configuration`
--- a/flake.lock
+++ b/flake.lock
@ -1,330 +0,0 @@
-{
-  "nodes": {
-    "flake-compat": {
-      "locked": {
-        "lastModified": 1688025799,
-        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1712014858,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "lib-aggregate": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs-lib": "nixpkgs-lib"
-      },
-      "locked": {
-        "lastModified": 1715515815,
-        "narHash": "sha256-yaLScMHNFCH6SbB0HSA/8DWDgK0PyOhCXoFTdHlWkhk=",
-        "owner": "nix-community",
-        "repo": "lib-aggregate",
-        "rev": "09883ca828e8cfaacdb09e29190a7b84ad1d9925",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "lib-aggregate",
-        "type": "github"
-      }
-    },
-    "mobile-nixos": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1694749521,
-        "narHash": "sha256-MiVokKlpcJmfoGuWAMeW1En7gZ5hk0rCQArYm6P9XCc=",
-        "owner": "nixos",
-        "repo": "mobile-nixos",
-        "rev": "d25d3b87e7f300d8066e31d792337d9cd7ecd23b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "d25d3b87e7f300d8066e31d792337d9cd7ecd23b",
-        "repo": "mobile-nixos",
-        "type": "github"
-      }
-    },
-    "nix-eval-jobs": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": "nixpkgs",
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1715248291,
-        "narHash": "sha256-npC9Swu4VIlRIiEP0XFGoIukd6vOufS/M3PdHk6rQpc=",
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "rev": "63154bdfb22091041b307d17863bdc0e01a32a00",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "type": "github"
-      }
-    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1703863825,
-        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1715037484,
-        "narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1715474941,
-        "narHash": "sha256-CNCqCGOHdxuiVnVkhTpp2WcqSSmSfeQjubhDOcgwGjU=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "58e03b95f65dfdca21979a081aa62db0eed6b1d8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
-    "nixpkgs-next-unpatched": {
-      "locked": {
-        "lastModified": 1715601680,
-        "narHash": "sha256-Gmz6U8NMZVVnP6AGX4sMl4X6RcQBASPl/2Gj9R5k1Pk=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "eda36d7cf3391ad06097009b08822fb74acd5e00",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "staging-next",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1715458492,
-        "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "8e47858badee5594292921c2668c11004c3b0142",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-23.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unpatched": {
-      "locked": {
-        "lastModified": 1715616096,
-        "narHash": "sha256-rxh2XECb5hRzgNR4Xqj3aAjg6821LmNTVRfF6sUW6fI=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "0a949cf2618e8eab83aa008f1f8e03db137ed36c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-wayland": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "lib-aggregate": "lib-aggregate",
-        "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ]
-      },
-      "locked": {
-        "lastModified": 1715609745,
-        "narHash": "sha256-z2lQ7G1AxljvYeqrHWjc1ctOI4QZP06vPtvLYJWfZSc=",
-        "owner": "nix-community",
-        "repo": "nixpkgs-wayland",
-        "rev": "ed18785b8816fa878bdd9df7f2e8722695401ef8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs-wayland",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "mobile-nixos": "mobile-nixos",
-        "nixpkgs-next-unpatched": "nixpkgs-next-unpatched",
-        "nixpkgs-unpatched": "nixpkgs-unpatched",
-        "nixpkgs-wayland": "nixpkgs-wayland",
-        "sops-nix": "sops-nix",
-        "uninsane-dot-org": "uninsane-dot-org"
-      }
-    },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1715482972,
-        "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1711963903,
-        "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "uninsane-dot-org": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ]
-      },
-      "locked": {
-        "lastModified": 1713198740,
-        "narHash": "sha256-8SUaqMJdAkMOI9zhvlToL7eCr5Sl+2o2pDQ7nq+HoJU=",
-        "ref": "refs/heads/master",
-        "rev": "af8420d1c256d990b5e24de14ad8592a5d85bf77",
-        "revCount": 239,
-        "type": "git",
-        "url": "https://git.uninsane.org/colin/uninsane"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.uninsane.org/colin/uninsane"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/flake.nix
+++ b/flake.nix
@ -1,659 +0,0 @@
-# FLAKE FEEDBACK:
-# - if flake inputs are meant to be human-readable, a human should be able to easily track them down given the URL.
-#   - this is not the case with registry URLs, like `nixpkgs/nixos-22.11`.
-#   - this is marginally the case with schemes like `github:nixos/nixpkgs`.
-#   - given the *existing* `git+https://` scheme, i propose expressing github URLs similarly:
-#     - `github+https://github.com/nixos/nixpkgs/tree/nixos-22.11`
-#     - this would allow for the same optimizations as today's `github:nixos/nixpkgs`, but without obscuring the source.
-#       a code reader could view the source being referenced simply by clicking the https:// portion of that URI.
-# - need some way to apply local patches to inputs.
-#
-#
-# DEVELOPMENT DOCS:
-# - Flake docs: <https://nixos.wiki/wiki/Flakes>
-# - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
-#   - Discussion: <https://github.com/NixOS/rfcs/pull/49>
-# - <https://serokell.io/blog/practical-nix-flakes>
-#
-#
-# COMMON OPERATIONS:
-# - update a specific flake input:
-#   - `nix flake lock --update-input nixpkgs`
-
-{
-  # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
-  # preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
-  # but `inputs` is required to be a strict attrset: not an expression.
-  inputs = {
-    # branch workflow:
-    # - daily:
-    #   - nixos-unstable cut from master after enough packages have been built in caches.
-    # - every 6 hours:
-    #   - master auto-merged into staging and staging-next
-    #   - staging-next auto-merged into staging.
-    # - manually, approximately once per month:
-    #   - staging-next is cut from staging.
-    #   - staging-next merged into master.
-    #
-    # which branch to source from?
-    # - nixos-unstable: for everyday development; it provides good caching
-    # - master: temporarily if i'm otherwise cherry-picking lots of already-applied patches
-    # - staging-next: if testing stuff that's been PR'd into staging, i.e. base library updates.
-    # - staging: maybe if no staging-next -> master PR has been cut yet?
-    #
-    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=master";
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-staging";
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-staging-next";
-    nixpkgs-next-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
-
-    nixpkgs-wayland = {
-      url = "github:nix-community/nixpkgs-wayland";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
-
-    mobile-nixos = {
-      # <https://github.com/nixos/mobile-nixos>
-      # only used for building disk images, not relevant after deployment
-      # TODO: replace with something else. commit `0f3ac0bef1aea70254a3bae35e3cc2561623f4c1`
-      # replaces the imageBuilder with a "new implementation from celun" and wildly breaks my use.
-      # pinning to d25d3b... is equivalent to holding at 2023-09-15
-      url = "github:nixos/mobile-nixos?ref=d25d3b87e7f300d8066e31d792337d9cd7ecd23b";
-      flake = false;
-    };
-    sops-nix = {
-      # <https://github.com/Mic92/sops-nix>
-      # used to distribute secrets to my hosts
-      url = "github:Mic92/sops-nix";
-      # inputs.nixpkgs.follows = "nixpkgs";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
-    uninsane-dot-org = {
-      # provides the package to deploy <https://uninsane.org>, used only when building the servo host
-      url = "git+https://git.uninsane.org/colin/uninsane";
-      # inputs.nixpkgs.follows = "nixpkgs";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
-  };
-
-  outputs = {
-    self,
-    nixpkgs-unpatched,
-    nixpkgs-next-unpatched ? nixpkgs-unpatched,
-    nixpkgs-wayland,
-    mobile-nixos,
-    sops-nix,
-    uninsane-dot-org,
-    ...
-  }@inputs:
-    let
-      inherit (builtins) attrNames elem listToAttrs map mapAttrs;
-      # redefine some nixpkgs `lib` functions to avoid the infinite recursion
-      # of if we tried to use patched `nixpkgs.lib` as part of the patching process.
-      mapAttrs' = f: set:
-        listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
-      optionalAttrs = cond: attrs: if cond then attrs else {};
-      # mapAttrs but without the `name` argument
-      mapAttrValues = f: mapAttrs (_: f);
-
-      # rather than apply our nixpkgs patches as a flake input, do that here instead.
-      # this (temporarily?) resolves the bad UX wherein a subflake residing in the same git
-      # repo as the main flake causes the main flake to have an unstable hash.
-      patchNixpkgs = variant: nixpkgs: (import ./nixpatches/flake.nix).outputs {
-        inherit variant nixpkgs;
-        self = patchNixpkgs variant nixpkgs;
-      };
-
-      nixpkgs' = patchNixpkgs "master" nixpkgs-unpatched;
-      nixpkgsCompiledBy = system: nixpkgs'.legacyPackages."${system}";
-
-      evalHost = { name, local, target, variant ? null, nixpkgs ? nixpkgs' }: nixpkgs.lib.nixosSystem {
-        system = target;
-        modules = [
-          {
-            nixpkgs.buildPlatform.system = local;
-            # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
-          }
-          (optionalAttrs (local != target) {
-            # XXX(2023/12/11): cache.nixos.org uses `system = ...` instead of `hostPlatform.system`, and that choice impacts the closure of every package.
-            # so avoid specifying hostPlatform.system on non-cross builds, so i can use upstream caches.
-            nixpkgs.hostPlatform.system = target;
-          })
-          (optionalAttrs (variant == "light") {
-            sane.maxBuildCost = 2;
-          })
-          (optionalAttrs (variant == "min") {
-            sane.maxBuildCost = 0;
-          })
-          (import ./hosts/instantiate.nix { hostName = name; })
-          self.nixosModules.default
-          self.nixosModules.passthru
-          {
-            nixpkgs.overlays = [
-              self.overlays.passthru
-              self.overlays.sane-all
-            ];
-          }
-        ];
-      };
-    in {
-      nixosConfigurations = let
-        hosts = {
-          servo       = { name = "servo";  local = "x86_64-linux"; target = "x86_64-linux";  };
-          desko       = { name = "desko";  local = "x86_64-linux"; target = "x86_64-linux";  };
-          desko-light = { name = "desko";  local = "x86_64-linux"; target = "x86_64-linux";  variant = "light"; };
-          lappy       = { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  };
-          lappy-light = { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  variant = "light"; };
-          lappy-min =   { name = "lappy";  local = "x86_64-linux"; target = "x86_64-linux";  variant = "min"; };
-          moby        = { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; };
-          moby-light  = { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; variant = "light"; };
-          moby-min  =   { name = "moby";   local = "x86_64-linux"; target = "aarch64-linux"; variant = "min"; };
-          rescue      = { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux";  };
-        };
-        hostsNext = mapAttrs' (h: v: {
-          name = "${h}-next";
-          value = v // { nixpkgs = patchNixpkgs "staging-next" nixpkgs-next-unpatched; };
-        }) hosts;
-      in mapAttrValues evalHost (
-        hosts // hostsNext
-      );
-
-      # unofficial output
-      # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
-      # after building this:
-      #   - flash it to a bootable medium (SD card, flash drive, HDD)
-      #   - resize the root partition (use cfdisk)
-      #   - mount the part
-      #      - chown root:nixbld <part>/nix/store
-      #      - chown root:root -R <part>/nix/store/*
-      #      - chown root:root -R <part>/persist  # if using impermanence
-      #      - populate any important things (persist/, home/colin/.ssh, etc)
-      #   - boot
-      #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
-      #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
-      #   - `nixos-rebuild --flake './#<host>' switch`
-      imgs = mapAttrValues (host: host.config.system.build.img) self.nixosConfigurations;
-
-      # unofficial output
-      hostConfigs = mapAttrValues (host: host.config) self.nixosConfigurations;
-      hostSystems = mapAttrValues (host: host.config.system.build.toplevel) self.nixosConfigurations;
-      hostPkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
-      hostPrograms = mapAttrValues (host: mapAttrValues (p: p.package) host.config.sane.programs) self.nixosConfigurations;
-
-      patched.nixpkgs = nixpkgs';
-
-      overlays = {
-        # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
-        #   hence the weird redundancy.
-        default = final: prev: self.overlays.pkgs final prev;
-        sane-all = final: prev: import ./overlays/all.nix final prev;
-        pkgs = final: prev: import ./overlays/pkgs.nix final prev;
-        pins = final: prev: import ./overlays/pins.nix final prev;
-        preferences = final: prev: import ./overlays/preferences.nix final prev;
-        passthru = final: prev:
-          let
-            mobile = (import "${mobile-nixos}/overlay/overlay.nix");
-            uninsane = uninsane-dot-org.overlays.default;
-            wayland = final: prev: {
-              # default is to dump the packages into `waylandPkgs` *and* the toplevel.
-              # but i just want the `waylandPkgs` set
-              inherit (nixpkgs-wayland.overlays.default final prev)
-                waylandPkgs
-                new-wayland-protocols  #< 2024/03/10: nixpkgs-wayland assumes this will be in the toplevel
-              ;
-            };
-          in
-            (mobile final prev)
-            // (uninsane final prev)
-            // (wayland final prev)
-          ;
-      };
-
-      nixosModules = rec {
-        default = sane;
-        sane = import ./modules;
-        passthru = { ... }: {
-          imports = [
-            sops-nix.nixosModules.sops
-          ];
-        };
-      };
-
-      # this includes both our native packages and all the nixpkgs packages.
-      legacyPackages =
-        let
-          allPkgsFor = sys: (nixpkgsCompiledBy sys).appendOverlays [
-            self.overlays.passthru self.overlays.pkgs
-          ];
-        in {
-          x86_64-linux = allPkgsFor "x86_64-linux";
-          aarch64-linux = allPkgsFor "aarch64-linux";
-        };
-
-      # extract only our own packages from the full set.
-      # because of `nix flake check`, we flatten the package set and only surface x86_64-linux packages.
-      packages = mapAttrs
-        (system: passthruPkgs: passthruPkgs.lib.filterAttrs
-          (name: pkg:
-            # keep only packages which will pass `nix flake check`, i.e. keep only:
-            # - derivations (not package sets)
-            # - packages that build for the given platform
-            (! elem name [ "feeds" "pythonPackagesExtensions" ])
-            && (passthruPkgs.lib.meta.availableOn passthruPkgs.stdenv.hostPlatform pkg)
-          )
-          (
-            # expose sane packages and chosen inputs (uninsane.org)
-            (import ./pkgs { pkgs = passthruPkgs; }) // {
-              inherit (passthruPkgs) uninsane-dot-org;
-            }
-          )
-        )
-        # self.legacyPackages;
-        {
-          x86_64-linux = (nixpkgsCompiledBy "x86_64-linux").appendOverlays [
-            self.overlays.passthru
-          ];
-        }
-      ;
-
-      apps."x86_64-linux" =
-        let
-          pkgs = self.legacyPackages."x86_64-linux";
-          sanePkgs = import ./pkgs { inherit pkgs; };
-          deployScript = host: addr: action: pkgs.writeShellScript "deploy-${host}" ''
-            set -e
-
-            host="${host}"
-            addr="${addr}"
-            action="${if action != null then action else ""}"
-            runOnTarget() {
-              # run the command ($@) on the machine we're deploying to.
-              # if that's a remote machine, then do it via ssh, else local shell.
-              if [ -n "$addr" ]; then
-                ssh "$addr" "$@"
-              else
-                "$@"
-              fi
-            }
-
-            nix build ".#nixosConfigurations.$host.config.system.build.toplevel" --out-link "./build/result-$host" "$@"
-            storePath="$(readlink ./build/result-$host)"
-
-            # mimic `nixos-rebuild --target-host`, in effect:
-            # - nix-copy-closure ...
-            # - nix-env --set ...
-            # - switch-to-configuration <boot|dry-activate|switch|test|>
-            # avoid the actual `nixos-rebuild` for a few reasons:
-            # - fewer nix evals
-            # - more introspectability and debuggability
-            # - sandbox friendliness (especially: `git` doesn't have to be run as root)
-
-            if [ -n "$addr" ]; then
-              sudo nix store sign -r -k /run/secrets/nix_serve_privkey "$storePath"
-              # add more `-v` for more verbosity (up to 5).
-              # builders-use-substitutes false: optimizes so that the remote machine doesn't try to get paths from its substituters.
-              #   we already have all paths here, and the remote substitution is slow to check and SERIOUSLY flaky on moby in particular.
-              nix copy -vv --option builders-use-substitutes false --to "ssh-ng://$addr" "$storePath"
-            fi
-
-            if [ -n "$action" ]; then
-              runOnTarget sudo nix-env -p /nix/var/nix/profiles/system --set "$storePath"
-              runOnTarget sudo "$storePath/bin/switch-to-configuration" "$action"
-            fi
-          '';
-          deployApp = host: addr: action: {
-            type = "app";
-            program = ''${deployScript host addr action}'';
-          };
-
-          # pkg updating.
-          # a cleaner alternative lives here: <https://discourse.nixos.org/t/how-can-i-run-the-updatescript-of-personal-packages/25274/2>
-          # mkUpdater :: [ String ] -> { type = "app"; program = path; }
-          mkUpdater = attrPath: {
-            type = "app";
-            program = let
-              pkg = pkgs.lib.getAttrFromPath attrPath sanePkgs;
-              strAttrPath = pkgs.lib.concatStringsSep "." attrPath;
-              commandArgv = pkg.updateScript.command or pkg.updateScript;
-              command = pkgs.lib.escapeShellArgs commandArgv;
-            in builtins.toString (pkgs.writeShellScript "update-${strAttrPath}" ''
-              export UPDATE_NIX_NAME=${pkg.name}
-              export UPDATE_NIX_PNAME=${pkg.pname}
-              export UPDATE_NIX_OLD_VERSION=${pkg.version}
-              export UPDATE_NIX_ATTR_PATH=${strAttrPath}
-              ${command}
-            '');
-          };
-          mkUpdatersNoAliases = opts: basePath: pkgs.lib.concatMapAttrs
-            (name: pkg:
-              if pkg.recurseForDerivations or false then {
-                "${name}" = mkUpdaters opts (basePath ++ [ name ]);
-              } else if pkg.updateScript or null != null then {
-                "${name}" = mkUpdater (basePath ++ [ name ]);
-              } else {}
-            )
-            (pkgs.lib.getAttrFromPath basePath sanePkgs);
-          mkUpdaters = { ignore ? [], flakePrefix ? [] }@opts: basePath:
-            let
-              updaters = mkUpdatersNoAliases opts basePath;
-              invokeUpdater = name: pkg:
-                let
-                  fullPath = basePath ++ [ name ];
-                  doUpdateByDefault = !builtins.elem fullPath ignore;
-
-                  # in case `name` has a `.` in it, we have to quote it
-                  escapedPath = builtins.map (p: ''"${p}"'') fullPath;
-                  updatePath = builtins.concatStringsSep "." (flakePrefix ++ escapedPath);
-                in pkgs.lib.optionalString doUpdateByDefault (
-                  pkgs.lib.escapeShellArgs [
-                    "nix" "run" ".#${updatePath}"
-                  ]
-                );
-            in {
-              type = "app";
-              # top-level app just invokes the updater of everything one layer below it
-              program = builtins.toString (pkgs.writeShellScript
-                (builtins.concatStringsSep "-" (flakePrefix ++ basePath))
-                (builtins.concatStringsSep
-                  "\n"
-                  (pkgs.lib.mapAttrsToList invokeUpdater updaters)
-                )
-              );
-            } // updaters;
-        in {
-          help = {
-            type = "app";
-            program = let
-              helpMsg = builtins.toFile "nixos-config-help-message" ''
-                commands:
-                - `nix run '.#help'`
-                  - show this message
-                - `nix run '.#update.pkgs'`
-                  - updates every package
-                - `nix run '.#update.feeds'`
-                  - updates metadata for all feeds
-                - `nix run '.#init-feed' <url>`
-                - `nix run '.#deploy.{desko,lappy,moby,servo}[-light|-test]' [nix args ...]`
-                  - build and deploy the host
-                - `nix run '.#preDeploy.{desko,lappy,moby,servo}[-light]' [nix args ...]`
-                  - copy closures to a host, but don't activate it
-                  - or `nix run '.#preDeploy'` to target all hosts
-                - `nix run '.#check'`
-                  - make sure all systems build; NUR evaluates
-                - `nix run '.#bench'`
-                  - benchmark the eval time of common targets this flake provides
-
-                specific build targets of interest:
-                - `nix build '.#imgs.rescue'`
-              '';
-            in builtins.toString (pkgs.writeShellScript "nixos-config-help" ''
-              cat ${helpMsg}
-              echo ""
-              echo "complete flake structure:"
-              nix flake show --option allow-import-from-derivation true
-            '');
-          };
-          # wrangle some names to get package updaters which refer back into the flake, but also conditionally ignore certain paths (e.g. sane.feeds).
-          # TODO: better design
-          update = rec {
-            _impl.pkgs.sane = mkUpdaters { flakePrefix = [ "update" "_impl" "pkgs" ]; ignore = [ [ "sane" "feeds" ] ]; } [ "sane" ];
-            pkgs = _impl.pkgs.sane;
-            _impl.feeds.sane.feeds = mkUpdaters { flakePrefix = [ "update" "_impl" "feeds" ]; } [ "sane" "feeds" ];
-            feeds = _impl.feeds.sane.feeds;
-          };
-
-          init-feed = {
-            type = "app";
-            program = "${pkgs.feeds.init-feed}";
-          };
-
-          deploy = {
-            desko       = deployApp "desko"       "desko" "switch";
-            desko-light = deployApp "desko-light" "desko" "switch";
-            lappy       = deployApp "lappy"       "lappy" "switch";
-            lappy-light = deployApp "lappy-light" "lappy" "switch";
-            lappy-min   = deployApp "lappy-min"   "lappy" "switch";
-            moby        = deployApp "moby"        "moby"  "switch";
-            moby-light  = deployApp "moby-light"  "moby"  "switch";
-            moby-min  =   deployApp "moby-min"    "moby"  "switch";
-            moby-test   = deployApp "moby"        "moby"  "test";
-            servo       = deployApp "servo"       "servo" "switch";
-
-            # like `nixos-rebuild --flake . switch`
-            self        = deployApp "$(hostname)"       "" "switch";
-            self-light  = deployApp "$(hostname)-light" "" "switch";
-            self-min    = deployApp "$(hostname)-min"   "" "switch";
-
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "deploy-all" ''
-              nix run '.#deploy.lappy'
-              nix run '.#deploy.moby'
-              nix run '.#deploy.desko'
-              nix run '.#deploy.servo'
-            '');
-          };
-          preDeploy = {
-            # build the host and copy the runtime closure to that host, but don't activate it.
-            desko       = deployApp "desko"       "desko" null;
-            desko-light = deployApp "desko-light" "desko" null;
-            lappy       = deployApp "lappy"       "lappy" null;
-            lappy-light = deployApp "lappy-light" "lappy" null;
-            lappy-min   = deployApp "lappy-min"   "lappy" null;
-            moby        = deployApp "moby"        "moby"  null;
-            moby-light  = deployApp "moby-light"  "moby"  null;
-            moby-min    = deployApp "moby-min"    "moby"  null;
-            servo       = deployApp "servo"       "servo" null;
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "predeploy-all" ''
-              # copy the -min/-light variants first; this might be run while waiting on a full build. or the full build failed.
-              nix run '.#preDeploy.moby-min' -- "$@"
-              nix run '.#preDeploy.lappy-min' -- "$@"
-              nix run '.#preDeploy.moby-light' -- "$@"
-              nix run '.#preDeploy.lappy-light' -- "$@"
-              nix run '.#preDeploy.desko-light' -- "$@"
-              nix run '.#preDeploy.lappy' -- "$@"
-              nix run '.#preDeploy.servo' -- "$@"
-              nix run '.#preDeploy.moby' -- "$@"
-              nix run '.#preDeploy.desko' -- "$@"
-            '');
-          };
-
-          sync = {
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "sync-all" ''
-              RC_lappy=$(nix run '.#sync.lappy' -- "$@")
-              RC_moby=$(nix run '.#sync.moby' -- "$@")
-              RC_desko=$(nix run '.#sync.desko' -- "$@")
-
-              echo "lappy: $RC_lappy"
-              echo "moby: $RC_moby"
-              echo "desko: $RC_desko"
-            '');
-          };
-
-          sync.desko = {
-            # copy music from servo to desko
-            # can run this from any device that has ssh access to desko and servo
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "sync-to-desko" ''
-              sudo mount /mnt/desko/home
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compat /mnt/servo/media/Music /mnt/desko/home/Music "$@"
-            '');
-          };
-
-          sync.lappy = {
-            # copy music from servo to lappy
-            # can run this from any device that has ssh access to lappy and servo
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "sync-to-lappy" ''
-              sudo mount /mnt/lappy/home
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat /mnt/servo/media/Music /mnt/lappy/home/Music "$@"
-            '');
-          };
-
-          sync.moby = {
-            # copy music from servo to moby
-            # can run this from any device that has ssh access to moby and servo
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "sync-to-moby" ''
-              sudo mount /mnt/moby/home
-              sudo mount /mnt/desko/home
-              ${pkgs.rsync}/bin/rsync -arv --exclude servo-macros /mnt/moby/home/Pictures/ /mnt/desko/home/Pictures/moby/
-              # N.B.: limited by network/disk -> reduce job count to improve pause/resume behavior
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat --jobs 4 /mnt/servo/media/Music /mnt/moby/home/Music "$@"
-            '');
-          };
-
-          check = {
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "check-all" ''
-              nix run '.#check.nur'
-              RC0=$?
-              nix run '.#check.hostConfigs'
-              RC1=$?
-              nix run '.#check.rescue'
-              RC2=$?
-              echo "nur: $RC0"
-              echo "hostConfigs: $RC1"
-              echo "rescue: $RC2"
-              exit $(($RC0 | $RC1 | $RC2))
-            '');
-          };
-
-          check.nur = {
-            # `nix run '.#check-nur'`
-            # validates that my repo can be included in the Nix User Repository
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "check-nur" ''
-              cd ${./.}/integrations/nur
-              NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
-                --allowed-uris https://static.rust-lang.org \
-                --option restrict-eval true \
-                --option allow-import-from-derivation true \
-                --drv-path --show-trace \
-                -I nixpkgs=${nixpkgs-unpatched} \
-                -I nixpkgs-overlays=${./.}/hosts/common/nix/overlay \
-                -I ../../ \
-                | tee  # tee to prevent interactive mode
-            '');
-          };
-
-          check.hostConfigs = {
-            type = "app";
-            program = let
-              checkHost = host: let
-                shellHost = pkgs.lib.replaceStrings [ "-" ] [ "_" ] host;
-              in ''
-                nix build -v '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./build/result-${host} -j2 "$@"
-                RC_${shellHost}=$?
-              '';
-            in builtins.toString (pkgs.writeShellScript
-              "check-host-configs"
-              ''
-                # build minimally-usable hosts first, then their full image.
-                # this gives me a minimal image i can deploy or copy over, early.
-                ${checkHost "lappy-min"}
-                ${checkHost "moby-min"}
-
-                ${checkHost "desko-light"}
-                ${checkHost "moby-light"}
-                ${checkHost "lappy-light"}
-
-                ${checkHost "desko"}
-                ${checkHost "lappy"}
-                ${checkHost "servo"}
-                ${checkHost "moby"}
-                ${checkHost "rescue"}
-
-                # still want to build the -light variants first so as to avoid multiple simultaneous webkitgtk builds
-                ${checkHost "desko-light-next"}
-                ${checkHost "moby-light-next"}
-
-                ${checkHost "desko-next"}
-                ${checkHost "lappy-next"}
-                ${checkHost "servo-next"}
-                ${checkHost "moby-next"}
-                ${checkHost "rescue-next"}
-
-                echo "desko: $RC_desko"
-                echo "lappy: $RC_lappy"
-                echo "servo: $RC_servo"
-                echo "moby: $RC_moby"
-                echo "rescue: $RC_rescue"
-
-                echo "desko-next: $RC_desko_next"
-                echo "lappy-next: $RC_lappy_next"
-                echo "servo-next: $RC_servo_next"
-                echo "moby-next: $RC_moby_next"
-                echo "rescue-next: $RC_rescue_next"
-
-                # i don't really care if the -next hosts fail. i build them mostly to keep the cache fresh/ready
-                exit $(($RC_desko | $RC_lappy | $RC_servo | $RC_moby | $RC_rescue))
-              ''
-            );
-          };
-
-          check.rescue = {
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "check-rescue" ''
-              nix build -v '.#imgs.rescue' --out-link ./build/result-rescue-img -j2
-            '');
-          };
-
-          bench = {
-            type = "app";
-            program = builtins.toString (pkgs.writeShellScript "bench" ''
-              doBench() {
-                attrPath="$1"
-                shift
-                echo -n "benchmarking eval of '$attrPath'... "
-                /run/current-system/sw/bin/time -f "%e sec" -o /dev/stdout \
-                  nix eval --no-eval-cache --quiet --raw ".#$attrPath" --apply 'result: if result != null then "" else "unexpected null"' $@ 2> /dev/null
-              }
-
-              if [ -n "$1" ]; then
-                doBench "$@"
-              else
-                doBench hostConfigs
-                doBench hostConfigs.lappy
-                doBench hostConfigs.lappy.sane.programs
-                doBench hostConfigs.lappy.sane.users.colin
-                doBench hostConfigs.lappy.sane.fs
-                doBench hostConfigs.lappy.environment.systemPackages
-              fi
-            '');
-          };
-        };
-
-      templates = {
-        env.python-data = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#env.python-data'`
-          # then enter with:
-          # - `nix develop`
-          path = ./templates/env/python-data;
-          description = "python environment for data processing";
-        };
-        pkgs.rust-inline = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.rust-inline'`
-          path = ./templates/pkgs/rust-inline;
-          description = "rust package and development environment (inline rust sources)";
-        };
-        pkgs.rust = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.rust'`
-          path = ./templates/pkgs/rust;
-          description = "rust package fit to ship in nixpkgs";
-        };
-        pkgs.make = {
-          # initialize with:
-          # - `nix flake init -t '/home/colin/dev/nixos/#pkgs.make'`
-          path = ./templates/pkgs/make;
-          description = "default Makefile-based derivation";
-        };
-      };
-    };
-}
-
--- a/hosts/by-name/crappy/default.nix
+++ b/hosts/by-name/crappy/default.nix
@ -0,0 +1,45 @@
+# Samsung chromebook XE303C12
+# - <https://wiki.postmarketos.org/wiki/Samsung_Chromebook_(google-snow)>
+{ ... }:
+{
+  imports = [
+    ./fs.nix
+  ];
+
+  sane.hal.samsung.enable = true;
+  sane.roles.client = true;
+  # sane.roles.pc = true;
+
+  users.users.colin.initialPassword = "147147";
+  sane.programs.sway.enableFor.user.colin = true;
+
+  sane.programs.calls.enableFor.user.colin = false;
+  sane.programs.consoleMediaUtils.enableFor.user.colin = true;
+  sane.programs.epiphany.enableFor.user.colin = true;
+  sane.programs."gnome.geary".enableFor.user.colin = false;
+  # sane.programs.firefox.enableFor.user.colin = true;
+  sane.programs.portfolio-filemanager.enableFor.user.colin = true;
+  sane.programs.signal-desktop.enableFor.user.colin = false;
+  sane.programs.wike.enableFor.user.colin = true;
+
+  sane.programs.dino.config.autostart = false;
+  sane.programs.dissent.config.autostart = false;
+  sane.programs.fractal.config.autostart = false;
+  sane.programs.sway.config.mod = "Mod1";  #< alt key instead of Super
+
+  # sane.programs.guiApps.enableFor.user.colin = false;
+
+  # sane.programs.pcGuiApps.enableFor.user.colin = false;  #< errors!
+
+  sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
+  # sane.programs.brave.enableFor.user.colin = false;  # 2024/06/03: fails eval if enabled on cross
+  # sane.programs.firefox.enableFor.user.colin = false;  # 2024/06/03: this triggers an eval error in yarn stuff -- i'm doing IFD somewhere!!?
+  sane.programs.mepo.enableFor.user.colin = false;  # 2024/06/04: doesn't cross compile (nodejs)
+  sane.programs.mercurial.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.nixpkgs-review.enableFor.user.colin = false;  # 2024/06/03: OOMs when cross compiling
+  sane.programs.ntfy-sh.enableFor.user.colin = false;  # 2024/06/04: doesn't cross compile (nodejs)
+  sane.programs.pwvucontrol.enableFor.user.colin = false;  # 2024/06/03: doesn't cross compile (libspa-sys)
+  sane.programs."sane-scripts.bt-search".enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.sequoia.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+  sane.programs.zathura.enableFor.user.colin = false;  # 2024/06/03: does not cross compile
+}
--- a/hosts/by-name/crappy/fs.nix
+++ b/hosts/by-name/crappy/fs.nix
@ -0,0 +1,16 @@
+{ ... }:
+{
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/55555555-0303-0c12-86df-eda9e9311526";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/303C-5A37";
+    fsType = "vfat";
+  };
+}
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@ -1,53 +1,50 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [
    ./fs.nix
  ];

+  sane.services.trust-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable trust-dns
+  # sane.programs.devPkgs.enableFor.user.colin = true;
  # sane.guest.enable = true;

-  # services.distccd.enable = true;
-  # sane.programs.distcc.enableFor.user.guest = true;
-
-  # TODO: remove emulation, but need to fix nixos-rebuild to moby for that.
-  # sane.roles.build-machine.emulation = true;
+  # don't enable wifi by default: it messes with connectivity.
+  # systemd.services.iwd.enable = false;
+  # systemd.services.wpa_supplicant.enable = false;
+  sane.programs.wpa_supplicant.enableFor.user.colin = lib.mkForce false;
+  sane.programs.wpa_supplicant.enableFor.system = lib.mkForce false;

  sops.secrets.colin-passwd.neededForUsers = true;

-  sane.ports.openFirewall = true;  # for e.g. nix-serve
-
  sane.roles.build-machine.enable = true;
  sane.roles.client = true;
  sane.roles.dev-machine = true;
  sane.roles.pc = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
+  sane.ovpn.addrV4 = "172.26.55.21";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:20c1:a73c";
  sane.services.duplicity.enable = true;
-  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;

-  sane.nixcache.substituters.desko = false;
  sane.nixcache.remote-builders.desko = false;

-  sane.programs.cups.enableFor.user.colin = true;
  sane.programs.sway.enableFor.user.colin = true;
  sane.programs.iphoneUtils.enableFor.user.colin = true;
  sane.programs.steam.enableFor.user.colin = true;

-  # sane.programs.devPkgs.enableFor.user.colin = true;
-
  sane.programs."gnome.geary".config.autostart = true;
  sane.programs.signal-desktop.config.autostart = true;

-  boot.loader.efi.canTouchEfiVariables = false;
+  sane.programs.nwg-panel.config = {
+    battery = false;
+    brightness = false;
+  };
+
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

  # needed to use libimobiledevice/ifuse, for iphone sync
  services.usbmuxd.enable = true;

-  # don't enable wifi by default: it messes with connectivity.
-  systemd.services.iwd.enable = false;
-  systemd.services.wpa_supplicant.enable = false;
-
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
@ -59,7 +56,4 @@
    # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
    ALLOW_USERS = [ "colin" ];
  };
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }
--- a/hosts/by-name/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@ -9,12 +9,12 @@
  sane.roles.pc = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
+  sane.ovpn.addrV4 = "172.23.119.72";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:0332:aa96/128";

  # sane.guest.enable = true;
-  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

-  sane.programs.cups.enableFor.user.colin = true;
  sane.programs.stepmania.enableFor.user.colin = true;
  sane.programs.sway.enableFor.user.colin = true;

@ -33,7 +33,4 @@
    SUBVOLUME = "/nix";
    ALLOW_USERS = [ "colin" ];
  };
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }
--- a/hosts/by-name/lappy/xkb_mobile_normal_buttons
+++ b/hosts/by-name/lappy/xkb_mobile_normal_buttons
@ -1,7 +0,0 @@
-xkb_keymap {
-	xkb_keycodes  { include "evdev+aliases(qwerty)"	};
-	xkb_types     { include "complete"	};
-	xkb_compat    { include "complete"	};
-	xkb_symbols   { include "pc+us+inet(evdev)"	};
-	xkb_geometry  { include "pc(pc105)"	};
-};
--- a/hosts/by-name/moby/bootloader.nix
+++ b/hosts/by-name/moby/bootloader.nix
@ -1,22 +0,0 @@
-# tow-boot: <https://tow-boot.org>
-# docs (pinephone specific): <https://github.com/Tow-Boot/Tow-Boot/tree/development/boards/pine64-pinephoneA64>
-# LED and button behavior is defined here: <https://github.com/Tow-Boot/Tow-Boot/blob/development/modules/tow-boot/phone-ux.nix>
-# - hold VOLDOWN: enter recovery mode
-#   - LED will turn aqua instead of yellow
-#   - recovery mode would ordinarily allow a selection of entries, but for pinephone i guess it doesn't do anything?
-# - hold VOLUP: force it to load the OS from eMMC?
-#   - LED will turn blue instead of yellow
-# boot LEDs:
-# - yellow = entered tow-boot
-# - 10 red flashes => poweroff means tow-boot couldn't boot into the next stage (i.e. distroboot)
-#   - distroboot: <https://source.denx.de/u-boot/u-boot/-/blob/v2022.04/doc/develop/distro.rst>)
-{ config, pkgs, ... }:
-{
-  # we need space in the GPT header to place tow-boot.
-  # only actually need 1 MB, but better to over-allocate than under-allocate
-  sane.image.extraGPTPadding = 16 * 1024 * 1024;
-  sane.image.firstPartGap = 0;
-  sane.image.installBootloader = ''
-    dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out/nixos.img bs=1024 seek=8 conv=notrunc
-  '';
-}
--- a/hosts/by-name/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@ -1,7 +1,4 @@
 # Pinephone
-# other setups to reference:
-# - <https://hamblingreen.gitlab.io/2022/03/02/my-pinephone-setup.html>
-#   - sxmo Arch user. lots of app recommendations
 #
 # wikis, resources, ...:
 # - Linux Phone Apps: <https://linuxphoneapps.org/>
@ -12,22 +9,16 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
-    ./bootloader.nix
    ./fs.nix
-    ./gps.nix
-    ./kernel.nix
-    ./polyfill.nix
  ];

+  sane.hal.pine64.enable = true;
  sane.roles.client = true;
  sane.roles.handheld = true;
-  sane.zsh.showDeadlines = false;  # unlikely to act on them when in shell
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
-
-  # for some reason desko -> moby deploys are super flaky when desko is also a nixcache (not true of desko -> lappy deploys, though!)
-  # > unable to download 'http://desko:5001/<hash>.narinfo': Server returned nothing (no headers, no data) (52)
-  sane.nixcache.substituters.desko = false;
+  sane.ovpn.addrV4 = "172.24.87.255";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:18cd:a72b";

  # XXX colin: phosh doesn't work well with passwordless login,
  # so set this more reliable default password should anything go wrong
@ -36,13 +27,8 @@

  sops.secrets.colin-passwd.neededForUsers = true;

-  # sane.gui.sxmo.enable = true;
  sane.programs.sway.enableFor.user.colin = true;
-  sane.programs.swaylock.enableFor.user.colin = false;  #< not usable on touch
-  sane.programs.schlock.enableFor.user.colin = true;
-  sane.programs.swayidle.config.actions.screenoff.delay = 300;
-  sane.programs.swayidle.config.actions.screenoff.enable = true;
-  sane.programs.sane-input-handler.enableFor.user.colin = true;
+  sane.programs.sway.config.mod = "Mod1";  #< alt key instead of Super
  sane.programs.blueberry.enableFor.user.colin = false;  # bluetooth manager: doesn't cross compile!
  sane.programs.fcitx5.enableFor.user.colin = false;  # does not cross compile
  sane.programs.mercurial.enableFor.user.colin = false;  # does not cross compile
@ -58,10 +44,6 @@
  # sane.programs."gnome.geary".config.autostart = true;
  # sane.programs.calls.config.autostart = true;

-  sane.programs.firefox.mime.priority = 300;  # prefer other browsers when possible
-  # HACK/TODO: make `programs.P.env.VAR` behave according to `mime.priority`
-  sane.programs.firefox.env = lib.mkForce {};
-  sane.programs.epiphany.env.BROWSER = "epiphany";
  sane.programs.pipewire.config = {
    # tune so Dino doesn't drop audio
    # there's seemingly two buffers for the mic (see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/FAQ#pipewire-buffering-explained>)
@ -78,53 +60,7 @@
    max-quantum = 8192;
  };

-  boot.loader.efi.canTouchEfiVariables = false;
  # /boot space is at a premium. default was 20.
  # even 10 can be too much
  boot.loader.generic-extlinux-compatible.configurationLimit = 8;
-  # mobile.bootloader.enable = false;
-  # mobile.boot.stage-1.enable = false;
-  # boot.initrd.systemd.enable = false;
-  # boot.initrd.services.swraid.enable = false;  # attempt to fix dm_mod stuff
-
-  # hardware.firmware makes the referenced files visible to the kernel, for whenever a driver explicitly asks for them.
-  # these files are visible from userspace by following `/sys/module/firmware_class/parameters/path`
-  #
-  # mobile-nixos' /lib/firmware includes:
-  #   rtl_bt          (bluetooth)
-  #   anx7688-fw.bin  (USB-C chip: power negotiation, HDMI/dock)
-  #   ov5640_af.bin   (camera module)
-  # hardware.firmware = [ config.mobile.device.firmware ];
-  # hardware.firmware = [ pkgs.rtl8723cs-firmware ];
-  hardware.firmware = [
-    (pkgs.linux-firmware-megous.override {
-      # rtl_bt = false probably means no bluetooth connectivity.
-      # N.B.: DON'T RE-ENABLE without first confirming that wake-on-lan works during suspend (rtcwake).
-      # it seems the rtl_bt stuff ("bluetooth coexist") might make wake-on-LAN radically more flaky.
-      rtl_bt = false;
-    })
-  ];
-
-  system.stateVersion = "21.11";
-
-  # defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
-  # XXX colin: not sure which, if any, software makes use of this
-  environment.etc."machine-info".text = ''
-    CHASSIS="handset"
-  '';
-
-  # enable rotation sensor
-  hardware.sensor.iio.enable = true;
-
-  services.udev.extraRules = let
-    chmod = "${pkgs.coreutils}/bin/chmod";
-    chown = "${pkgs.coreutils}/bin/chown";
-  in ''
-    # make Pinephone flashlight writable by user.
-    # taken from postmarketOS: <repo:postmarketOS/pmaports:device/main/device-pine64-pinephone/60-flashlight.rules>
-    SUBSYSTEM=="leds", DEVPATH=="*/*:flash", RUN+="${chmod} g+w /sys%p/brightness /sys%p/flash_strobe", RUN+="${chown} :video /sys%p/brightness /sys%p/flash_strobe"
-
-    # make Pinephone front LEDs writable by user.
-    SUBSYSTEM=="leds", DEVPATH=="*/*:indicator", RUN+="${chmod} g+w /sys%p/brightness", RUN+="${chown} :video /sys%p/brightness"
-  '';
 }
--- a/hosts/by-name/moby/gps.nix
+++ b/hosts/by-name/moby/gps.nix
@ -1,68 +0,0 @@
-# pinephone GPS happens in EG25 modem
-# serial control interface to modem is /dev/ttyUSB2
-# after enabling GPS, readout is /dev/ttyUSB1
-#
-# minimal process to enable modem and GPS:
-# - `echo 1 > /sys/class/modem-power/modem-power/device/powered`
-# - `screen /dev/ttyUSB2 115200`
-#   - `AT+QGPSCFG="nmeasrc",1`
-#   - `AT+QGPS=1`
-# this process is automated by my `eg25-control` program and services (`eg25-control-powered`, `eg25-control-gps`)
-# - see the `modules/` directory further up this repository.
-#
-# now, something like `gpsd` can directly read from /dev/ttyUSB1,
-# or geoclue can query the GPS directly through modem-manager
-#
-# initial GPS fix can take 15+ minutes.
-# meanwhile, services like eg25-manager or eg25-control-freshen-agps can speed this up by uploading assisted GPS data to the modem.
-#
-# support/help:
-# - geoclue, gnome-maps
-#   - irc: #gnome-maps on irc.gimp.org
-#   - Matrix: #gnome-maps:gnome.org  (unclear if bridged to IRC)
-#
-# programs to pair this with:
-# - `satellite-gtk`: <https://codeberg.org/tpikonen/satellite>
-#   - shows/tracks which satellites the GPS is connected to; useful to understand fix characteristics
-# - `gnome-maps`: uses geoclue, has route planning
-# - `mepo`: uses gpsd, minimalist, flaky, and buttons are kinda hard to activate on mobile
-# - puremaps?
-# - osmin?
-#
-# known/outstanding bugs:
-# - `systemctl start eg25-control-gps` can the hang the whole system (2023/10/06)
-#   - i think it's actually `eg25-control-powered` which does this (started by the gps)
-#   - best guess is modem draws so much power at launch that other parts of the system see undervoltage
-#   - workaround is to hard power-cycle the system. the modem may not bring up after reboot: leave unpowered for 60s and boot again.
-#
-# future work:
-# - integrate with [wigle](https://www.wigle.net/) for offline equivalent to Mozilla Location Services
-
-{ config, lib, ... }:
-{
-  # test gpsd with `gpspipe -w -n 10 2> /dev/null | grep -m 1 TPV | jq '.lat, .lon' | tr '\n' ' '`
-  # ^ should return <lat> <long>
-  services.gpsd.enable = true;
-  services.gpsd.devices = [ "/dev/ttyUSB1" ];
-
-  # test geoclue2 by building `geoclue2-with-demo-agent`
-  # and running "${geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/where-am-i"
-  # note that geoclue is dbus-activated, and auto-stops after 60s with no caller
-  services.geoclue2.enable = true;
-  services.geoclue2.appConfig.where-am-i = {
-    # this is the default "agent", shipped by geoclue package: allow it to use location
-    isAllowed = true;
-    isSystem = false;
-    # XXX: setting users != [] might be causing `where-am-i` to time out
-    users = [
-      # restrict to only one set of users. empty array (default) means "allow any user to access geolocation".
-      (builtins.toString config.users.users.colin.uid)
-    ];
-  };
-  systemd.services.geoclue.after = lib.mkForce [];  #< defaults to network-online, but not all my sources require network
-  users.users.geoclue.extraGroups = [
-    "dialout"  # TODO: figure out if dialout is required. that's for /dev/ttyUSB1, but geoclue probably doesn't read that?
-  ];
-
-  sane.programs.where-am-i.enableFor.user.colin = true;
-}
--- a/hosts/by-name/moby/kernel.nix
+++ b/hosts/by-name/moby/kernel.nix
@ -1,91 +0,0 @@
-{ pkgs, ... }:
-let
-  dmesg = "${pkgs.util-linux}/bin/dmesg";
-  grep = "${pkgs.gnugrep}/bin/grep";
-  modprobe = "${pkgs.kmod}/bin/modprobe";
-  ensureHWReady = ''
-    # common boot failure:
-    # blank screen (no backlight even), with the following log:
-    # ```syslog
-    # sun8i-dw-hdmi 1ee0000.hdmi: Couldn't get the HDMI PHY
-    # ...
-    # sun4i-drm display-engine: Couldn't bind all pipelines components
-    # ...
-    # sun8i-dw-hdmi: probe of 1ee0000.hdmi failed with error -17
-    # ```
-    #
-    # in particular, that `probe ... failed` occurs *only* on failed boots
-    # (the other messages might sometimes occur even on successful runs?)
-    #
-    # reloading the sun8i hdmi driver usually gets the screen on, showing boot text.
-    # then restarting display-manager.service gets us to the login.
-    #
-    # NB: the above log is default level. though less specific, there's a `err` level message that also signals this:
-    # sun4i-drm display-engine: failed to bind 1ee0000.hdmi (ops sun8i_dw_hdmi_ops [sun8i_drm_hdmi]): -17
-    # NB: this is the most common, but not the only, failure mode for `display-manager`.
-    # another error seems characterized by these dmesg logs, in which reprobing sun8i_drm_hdmi does not fix:
-    # ```syslog
-    # sun6i-mipi-dsi 1ca0000.dsi: Couldn't get the MIPI D-PHY
-    # sun4i-drm display-engine: Couldn't bind all pipelines components
-    # sun6i-mipi-dsi 1ca0000.dsi: Couldn't register our component
-    # ```
-
-    if (${dmesg} --kernel --level err --color=never --notime | ${grep} -q 'sun4i-drm display-engine: failed to bind 1ee0000.hdmi')
-    then
-      echo "reprobing sun8i_drm_hdmi"
-      # if a command here fails it errors the whole service, so prefer to log instead
-      ${modprobe} -r sun8i_drm_hdmi || echo "failed to unload sun8i_drm_hdmi"
-      ${modprobe} sun8i_drm_hdmi || echo "failed to load sub8i_drm_hdmi"
-    fi
-  '';
-in
-{
-  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
-  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-manjaro;
-  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
-
-  # alternatively, apply patches directly to stock nixos kernel:
-  # boot.kernelPatches = manjaroPatches ++ [
-  #   (patchDefconfig kernelConfig)
-  # ];
-
-  # configure nixos to build a compressed kernel image, since it doesn't usually do that for aarch64 target.
-  # without this i run out of /boot space in < 10 generations
-  nixpkgs.hostPlatform.linux-kernel = {
-    # defaults:
-    name = "aarch64-multiplatform";
-    baseConfig = "defconfig";
-    DTB = true;
-    autoModules = true;
-    preferBuiltin = true;
-    # extraConfig = ...
-    # ^-- raspberry pi stuff: we don't need it.
-
-    # target = "Image";  # <-- default
-    target = "Image.gz";  # <-- compress the kernel image
-    # target = "zImage";  # <-- confuses other parts of nixos :-(
-  };
-
-  # disable proximity sensor.
-  # the filtering/calibration is bad that it causes the screen to go fully dark at times.
-  boot.blacklistedKernelModules = [ "stk3310" ];
-
-  boot.kernelParams = [
-    # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
-    # this is because they can't allocate enough video ram.
-    # see related nixpkgs issue: <https://github.com/NixOS/nixpkgs/issues/260222>
-    # TODO(2023/12/03): remove once mesa 23.3.1 lands: <https://github.com/NixOS/nixpkgs/pull/265740>
-    #
-    # the default CMA seems to be 32M.
-    # i was running fine with 256MB from 2022/07-ish through 2022/12-ish, but then the phone quit reliably coming back from sleep (phosh): maybe a memory leak?
-    # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
-    "cma=512M"
-    # 2023/10/20: potential fix for the lima (GPU) timeout bugs:
-    # - <https://gitlab.com/postmarketOS/pmaports/-/issues/805#note_890467824>
-    "lima.sched_timeout_ms=2000"
-  ];
-
-  # services.xserver.displayManager.job.preStart = ensureHWReady;
-  # systemd.services.greetd.preStart = ensureHWReady;
-  systemd.services.unl0kr.preStart = ensureHWReady;
-}
--- a/hosts/by-name/moby/polyfill.nix
+++ b/hosts/by-name/moby/polyfill.nix
@ -1,45 +0,0 @@
-# this file configures preferences per program, without actually enabling any programs.
-# the goal is to separate the place where we decide *what* to use (i.e. `sane.programs.firefox.enable = true` -- at the toplevel)
-# from where we specific how that thing should behave *if* it's in use.
-#
-# NixOS backgrounds:
-# - <https://github.com/NixOS/nixos-artwork>
-#   - <https://github.com/NixOS/nixos-artwork/issues/50>  (colorful; unmerged)
-#   - <https://github.com/NixOS/nixos-artwork/pull/60/files>  (desktop-oriented; clean; unmerged)
-# - <https://itsfoss.com/content/images/2023/04/nixos-tutorials.png>
-
-{ lib, pkgs, sane-lib, ... }:
-{
-  sane.programs.firefox.config = {
-    # compromise impermanence for the sake of usability
-    persistCache = "private";
-    persistData = "private";
-
-    # i don't do crypto stuff on moby
-    addons.ether-metamask.enable = false;
-    # sidebery UX doesn't make sense on small screen
-    addons.sidebery.enable = false;
-  };
-  sane.programs.swaynotificationcenter.config = {
-    backlight = "backlight";  # /sys/class/backlight/*backlight*/brightness
-  };
-
-  sane.programs.alacritty.config.fontSize = 9;
-
-  sane.programs.sway.config = {
-    font = "pango:monospace 10";
-    mod = "Mod1";  # prefer Alt
-    workspace_layout = "tabbed";
-  };
-
-  sane.programs.waybar.config = {
-    fontSize = 14;
-    height = 26;
-    persistWorkspaces = [ "1" "2" "3" "4" "5" ];
-    modules.media = false;
-    modules.network = false;
-    modules.perf = false;
-    modules.windowTitle = false;
-    # TODO: show modem state
-  };
-}
--- a/hosts/by-name/rescue/default.nix
+++ b/hosts/by-name/rescue/default.nix
@ -4,7 +4,6 @@
    ./fs.nix
  ];

-  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  sane.persist.enable = false;  # what we mean here is that the image is immutable; `/` is still tmpfs.
  sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
@ -12,7 +11,4 @@
  # auto-login at shell
  services.getty.autologinUser = "colin";
  # users.users.colin.initialPassword = "colin";
-
-  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
-  system.stateVersion = "21.05";
 }
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@ -15,20 +15,21 @@
  };

  sane.roles.build-machine.enable = true;
-  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
+  sane.programs.zsh.config.showDeadlines = false;  # ~/knowledge doesn't always exist
  sane.programs.consoleUtils.suggestedPrograms = [
    "consoleMediaUtils"  # notably, for go2tv / casting
    "pcConsoleUtils"
    "sane-scripts.stop-all-servo"
  ];
  sane.services.dyn-dns.enable = true;
+  sane.services.trust-dns.asSystemResolver = false;  # TODO: enable once it's all working well
  sane.services.wg-home.enable = true;
  sane.services.wg-home.visibleToWan = true;
  sane.services.wg-home.forwardToWan = true;
  sane.services.wg-home.routeThroughServo = false;
  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
-  sane.nixcache.substituters.servo = false;
-  sane.nixcache.substituters.desko = false;
+  sane.ovpn.addrV4 = "172.23.174.114";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:8df3:14b0";
  sane.nixcache.remote-builders.desko = false;
  sane.nixcache.remote-builders.servo = false;
  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
@ -37,7 +38,6 @@
  # using root here makes sure we always have an escape hatch
  services.getty.autologinUser = "root";

-  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

  # both transmission and ipfs try to set different net defaults.
@ -45,13 +45,5 @@
  boot.kernel.sysctl = {
    "net.core.rmem_max" = 4194304;  # 4MB
  };
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11";
 }

--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@ -3,9 +3,19 @@
 let
  portOpts = with lib; types.submodule {
    options = {
-      visibleTo.ovpn = mkOption {
+      visibleTo.ovpns = mkOption {
        type = types.bool;
        default = false;
+        description = ''
+          whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
+        '';
+      };
+      visibleTo.doof = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port.
+        '';
      };
    };
  };
@ -13,7 +23,7 @@ in
 {
  options = with lib; {
    sane.ports.ports = mkOption {
-      # add the `visibleTo.ovpn` option
+      # add the `visibleTo.{doof,ovpns}` options
      type = types.attrsOf portOpts;
    };
  };
@ -38,37 +48,47 @@ in
    #   FallbackDNS=1.1.1.1 9.9.9.9
    # '';

+    # tun-sea config
+    sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
+    # sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";  #< TODO: enable IPv6
+    networking.wireguard.interfaces.wg-doof = {
+      privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
+      # wg is active only in this namespace.
+      # run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
+      #   sudo ip netns exec doof ping www.google.com
+      interfaceNamespace = "doof";
+      ips = [
+        "205.201.63.12"
+        # "2602:fce8:106::51/128"  #< TODO: enable IPv6
+      ];
+      peers = [
+        {
+          publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
+          # TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint
+          # endpoint = "tun-sea.doof.net:53263";
+          endpoint = "205.201.63.44:53263";
+          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+          persistentKeepalive = 25; #< keep the NAT alive
+        }
+      ];
+    };
+    sane.netns.doof.hostVethIpv4 = "10.0.2.5";
+    sane.netns.doof.netnsVethIpv4 = "10.0.2.6";
+    sane.netns.doof.netnsPubIpv4 = "205.201.63.12";
+    sane.netns.doof.routeTable = 12;
+
    # OVPN CONFIG (https://www.ovpn.com):
    # DOCS: https://nixos.wiki/wiki/WireGuard
    # if you `systemctl restart wireguard-wg-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
    # TODO: why not create the namespace as a seperate operation (nix config for that?)
    networking.wireguard.enable = true;
-    networking.wireguard.interfaces.wg-ovpns = let
-      ip = "${pkgs.iproute2}/bin/ip";
-      in-ns = "${ip} netns exec ovpns";
-      iptables = "${pkgs.iptables}/bin/iptables";
-      veth-host-ip = "10.0.1.5";
-      veth-local-ip = "10.0.1.6";
-      vpn-ip = "185.157.162.178";
-      # DNS = 46.227.67.134, 192.165.9.158, 2a07:a880:4601:10f0:cd45::1, 2001:67c:750:1:cafe:cd45::1
-      vpn-dns = "46.227.67.134";
-      bridgePort = port: proto: ''
-        ${in-ns} ${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${vpn-ip} \
-          -j DNAT --to-destination ${veth-host-ip}
-      '';
-      bridgeStatements = lib.foldlAttrs
-        (acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
-        []
-        config.sane.ports.ports;
-    in {
+    networking.wireguard.interfaces.wg-ovpns = {
      privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
      # wg is active only in this namespace.
      # run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
      #   sudo ip netns exec ovpns ping www.google.com
      interfaceNamespace = "ovpns";
-      ips = [
-        "185.157.162.178/32"
-      ];
+      ips = [ "185.157.162.178" ];
      peers = [
        {
          publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
@ -86,99 +106,11 @@ in
          # dynamicEndpointRefreshRestartSeconds = 5;
        }
      ];
-      preSetup = ''
-        ${ip} netns add ovpns || (test -e /run/netns/ovpns && echo "ovpns already exists")
-      '';
-      postShutdown = ''
-        ${in-ns} ip link del ovpns-veth-b || echo "couldn't delete ovpns-veth-b"
-        ${ip} link del ovpns-veth-a || echo "couldn't delete ovpns-veth-a"
-        ${ip} netns delete ovpns || echo "couldn't delete ovpns"
-        # restore rules/routes
-        ${ip} rule del from ${veth-host-ip} lookup ovpns pref 50 || echo "couldn't delete init -> ovpns rule"
-        ${ip} route del default via ${veth-local-ip} dev ovpns-veth-a proto kernel src ${veth-host-ip} metric 1002 table ovpns || echo "couldn't delete init -> ovpns route"
-        ${ip} rule add from all lookup local pref 0
-        ${ip} rule del from all lookup local pref 100
-      '';
-      postSetup = ''
-        # DOCS:
-        # - some of this approach is described here: <https://josephmuia.ca/2018-05-16-net-namespaces-veth-nat/>
-        # - iptables primer: <https://danielmiessler.com/study/iptables/>
-        # create veth pair
-        ${ip} link add ovpns-veth-a type veth peer name ovpns-veth-b
-        ${ip} addr add ${veth-host-ip}/24 dev ovpns-veth-a
-        ${ip} link set ovpns-veth-a up
-
-        # mv veth-b into the ovpns namespace
-        ${ip} link set ovpns-veth-b netns ovpns
-        ${in-ns} ip addr add ${veth-local-ip}/24 dev ovpns-veth-b
-        ${in-ns} ip link set ovpns-veth-b up
-
-        # make it so traffic originating from the host side of the veth
-        # is sent over the veth no matter its destination.
-        ${ip} rule add from ${veth-host-ip} lookup ovpns pref 50
-        # for traffic originating at the host veth to the WAN, use the veth as our gateway
-        # not sure if the metric 1002 matters.
-        ${ip} route add default via ${veth-local-ip} dev ovpns-veth-a proto kernel src ${veth-host-ip} metric 1002 table ovpns
-        # give the default route lower priority
-        ${ip} rule add from all lookup local pref 100
-        ${ip} rule del from all lookup local pref 0
-
-        # in order to access DNS in this netns, we need to route it to the VPN's nameservers
-        # - alternatively, we could fix DNS servers like 1.1.1.1.
-        ${in-ns} ${iptables} -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.53 \
-          -j DNAT --to-destination ${vpn-dns}:53
-      '' + (lib.concatStringsSep "\n" bridgeStatements);
    };
-
-    # create a new routing table that we can use to proxy traffic out of the root namespace
-    # through the ovpns namespace, and to the WAN via VPN.
-    networking.iproute2.rttablesExtraConfig = ''
-      5 ovpns
-    '';
-    networking.iproute2.enable = true;
-
-
-    # HURRICANE ELECTRIC CONFIG:
-    # networking.sits = {
-    #   hurricane = {
-    #     remote = "216.218.226.238";
-    #     local = "192.168.0.5";
-    #     # local = "10.0.0.5";
-    #     # remote = "10.0.0.1";
-    #     # local = "10.0.0.22";
-    #     dev = "eth0";
-    #     ttl = 255;
-    #   };
-    # };
-    # networking.interfaces."hurricane".ipv6 = {
-    #   addresses = [
-    #     # mx.uninsane.org (publically routed /64)
-    #     {
-    #       address = "2001:470:b:465::1";
-    #       prefixLength = 128;
-    #     }
-    #     # client addr
-    #     # {
-    #     #   address = "2001:470:a:466::2";
-    #     #   prefixLength = 64;
-    #     # }
-    #   ];
-    #   routes = [
-    #     {
-    #       address = "::";
-    #       prefixLength = 0;
-    #       # via = "2001:470:a:466::1";
-    #     }
-    #   ];
-    # };
-
-    # # after configuration, we want the hurricane device to look like this:
-    # # hurricane: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
-    # #            inet6 2001:470:a:450::2  prefixlen 64  scopeid 0x0<global>
-    # #            inet6 fe80::c0a8:16  prefixlen 64  scopeid 0x20<link>
-    # #            sit  txqueuelen 1000  (IPv6-in-IPv4)
-    # # test with:
-    # #   curl --interface hurricane http://[2607:f8b0:400a:80b::2004]
-    # #   ping 2607:f8b0:400a:80b::2004
+    sane.netns.ovpns.hostVethIpv4 = "10.0.1.5";
+    sane.netns.ovpns.netnsVethIpv4 = "10.0.1.6";
+    sane.netns.ovpns.netnsPubIpv4 = "185.157.162.178";
+    sane.netns.ovpns.routeTable = 11;
+    sane.netns.ovpns.dns = "46.227.67.134";  #< DNS requests inside the namespace are forwarded here
  };
 }
--- a/hosts/by-name/servo/services/coturn.nix
+++ b/hosts/by-name/servo/services/coturn.nix
@ -29,7 +29,15 @@
 #   - bind the turn server to the veth connecting it to the VPN namespace (so it sends outgoing traffic to the right place).
 #   - NAT the turn port range from VPN into root namespace (so it receives incomming traffic).
 #   - this approach would fail the prosody conversations.im check, but i didn't notice *obvious* call routing errors.
-{ lib, ... }:
+#
+# debugging:
+# - log messages like 'usage: realm=<turn.uninsane.org>, username=<1715915193>, rp=14, rb=1516, sp=8, sb=684'
+#   - rp = received packets
+#   - rb = received bytes
+#   - sp = sent packets
+#   - sb = sent bytes
+
+{ config, lib, ... }:
 let
  # TURN port range (inclusive).
  # default coturn behavior is to use the upper quarter of all ports. i.e. 49152 - 65535.
@ -48,7 +56,7 @@ in
  #       protocol = [ "tcp" "udp" ];
  #       # visibleTo.lan = true;
  #       # visibleTo.wan = true;
-  #       visibleTo.ovpn = true;  # forward traffic from the VPN to the root NS
+  #       visibleTo.ovpns = true;  # forward traffic from the VPN to the root NS
  #       description = "colin-stun-turn";
  #     };
  #     "5349" = {
@ -56,7 +64,7 @@ in
  #       protocol = [ "tcp" ];
  #       # visibleTo.lan = true;
  #       # visibleTo.wan = true;
-  #       visibleTo.ovpn = true;
+  #       visibleTo.ovpns = true;
  #       description = "colin-stun-turn-over-tls";
  #     };
  #   }
@ -69,7 +77,7 @@ in
  #       protocol = [ "tcp" "udp" ];
  #       # visibleTo.lan = true;
  #       # visibleTo.wan = true;
-  #       visibleTo.ovpn = true;
+  #       visibleTo.ovpns = true;
  #       description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
  #     };
  #   })
@ -110,21 +118,24 @@ in
  services.coturn.realm = "turn.uninsane.org";
  services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem";
  services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
+
+  #v disable to allow unauthenticated access (or set `services.coturn.no-auth = true`)
  services.coturn.use-auth-secret = true;
  services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
-  services.coturn.lt-cred-mech = true;
+  services.coturn.lt-cred-mech = true; #< XXX: use-auth-secret overrides lt-cred-mech
+
  services.coturn.min-port = turnPortLow;
  services.coturn.max-port = turnPortHigh;
  # services.coturn.secure-stun = true;
  services.coturn.extraConfig = lib.concatStringsSep "\n" [
    "verbose"
-    # "Verbose"  #< even MORE verbosity than "verbose"
-    # "no-multicast-peers"  # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
-    # "listening-ip=10.0.1.5" "external-ip=185.157.162.178"  #< 2024/04/25: works, if running in root namespace
-    "listening-ip=185.157.162.178" "external-ip=185.157.162.178"
+    # "Verbose"  #< even MORE verbosity than "verbose"  (it's TOO MUCH verbosity really)
+    "no-multicast-peers"  # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
+    # "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"  #< 2024/04/25: works, if running in root namespace
+    "listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"

    # old attempts:
-    # "external-ip=185.157.162.178/10.0.1.5"
+    # "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}"
    # "listening-ip=10.78.79.51"  # can be specified multiple times; omit for *
    # "external-ip=97.113.128.229/10.78.79.51"
    # "external-ip=97.113.128.229"
--- a/hosts/by-name/servo/services/default.nix
+++ b/hosts/by-name/servo/services/default.nix
@ -20,7 +20,6 @@
    ./navidrome.nix
    ./nginx.nix
    ./nixos-prebuild.nix
-    ./nixserve.nix
    ./ntfy
    ./pict-rs.nix
    ./pleroma.nix
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@ -51,54 +51,54 @@ lib.mkIf false
    {
      "3478" = {
        protocol = [ "tcp" "udp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-xmpp-stun-turn";
      };
      "5222" = {
        protocol = [ "tcp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-xmpp-client-to-server";
      };
      "5223" = {
        protocol = [ "tcp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-xmpps-client-to-server";  # XMPP over TLS
      };
      "5269" = {
        protocol = [ "tcp" ];
-        visibleTo.wan = true;
+        visibleTo.doof = true;
        description = "colin-xmpp-server-to-server";
      };
      "5270" = {
        protocol = [ "tcp" ];
-        visibleTo.wan = true;
+        visibleTo.doof = true;
        description = "colin-xmpps-server-to-server";  # XMPP over TLS
      };
      "5280" = {
        protocol = [ "tcp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-xmpp-bosh";
      };
      "5281" = {
        protocol = [ "tcp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-xmpp-bosh-https";
      };
      "5349" = {
        protocol = [ "tcp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-xmpp-stun-turn-over-tls";
      };
      "5443" = {
        protocol = [ "tcp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-xmpp-web-services";  # file uploads, websockets, admin
      };
    }
@ -109,8 +109,8 @@ lib.mkIf false
        numPorts = turnPortHigh - turnPortLow + 1;
      in {
        protocol = [ "tcp" "udp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-xmpp-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
      };
    })
--- a/hosts/by-name/servo/services/email/dovecot.nix
+++ b/hosts/by-name/servo/services/email/dovecot.nix
@ -8,14 +8,14 @@
 {
  sane.ports.ports."143" = {
    protocol = [ "tcp" ];
+    visibleTo.doof = true;
    visibleTo.lan = true;
-    visibleTo.wan = true;
    description = "colin-imap-imap.uninsane.org";
  };
  sane.ports.ports."993" = {
    protocol = [ "tcp" ];
+    visibleTo.doof = true;
    visibleTo.lan = true;
-    visibleTo.wan = true;
    description = "colin-imaps-imap.uninsane.org";
  };

--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@ -1,6 +1,6 @@
 # postfix config options: <https://www.postfix.org/postconf.5.html>

-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 let
  submissionOptions = {
@ -56,8 +56,7 @@ in

  sane.dns.zones."uninsane.org".inet = {
    MX."@" = "10 mx.uninsane.org.";
-    # XXX: RFC's specify that the MX record CANNOT BE A CNAME
-    A."mx" = "185.157.162.178";
+    A."mx" = "%AOVPNS%"; #< XXX: RFC's specify that the MX record CANNOT BE A CNAME. TODO: use "%AOVPNS%?

    # Sender Policy Framework:
    #   +mx     => mail passes if it originated from the MX
--- a/hosts/by-name/servo/services/export/default.nix
+++ b/hosts/by-name/servo/services/export/default.nix
@ -12,6 +12,10 @@
    device = "/var/media";
    options = [ "rbind" ];
  };
+  fileSystems."/var/export/pub" = {
+    device = "/var/www/sites/uninsane.org/share";
+    options = [ "rbind" ];
+  };
  # fileSystems."/var/export/playground" = {
  #   device = config.fileSystems."/mnt/persist/ext".device;
  #   fsType = "btrfs";
@ -37,7 +41,8 @@
    wantedBy = [ "nfs.service" "sftpgo.service" ];
    file.text = ''
      - media/         read-only:  Videos, Music, Books, etc
-      - playground/    read-write: use it to share files with other users of this server
+      - playground/    read-write: use it to share files with other users of this server, inaccessible from the www
+      - pub/           read-only:  content made to be shared with the www
    '';
  };

--- a/hosts/by-name/servo/services/export/nfs.nix
+++ b/hosts/by-name/servo/services/export/nfs.nix
@ -15,6 +15,7 @@
 # - could maybe be done with some mount option?

 { config, lib, ... }:
+lib.mkIf false  #< TODO: remove nfs altogether! it's not exactly the most secure
 {
  services.nfs.server.enable = true;

--- a/hosts/by-name/servo/services/export/sftpgo/default.nix
+++ b/hosts/by-name/servo/services/export/sftpgo/default.nix
@ -12,6 +12,7 @@ let
  external_auth_hook = pkgs.static-nix-shell.mkPython3Bin {
    pname = "external_auth_hook";
    srcRoot = ./.;
+    pyPkgs = [ "passlib" ];
  };
  # Client initiates a FTP "control connection" on port 21.
  # - this handles the client -> server commands, and the server -> client status, but not the actual data
@ -26,13 +27,12 @@ in
    "21" = {
      protocol = [ "tcp" ];
      visibleTo.lan = true;
-      # visibleTo.wan = true;
      description = "colin-FTP server";
    };
    "990" = {
      protocol = [ "tcp" ];
+      visibleTo.doof = true;
      visibleTo.lan = true;
-      visibleTo.wan = true;
      description = "colin-FTPS server";
    };
  } // (sane-lib.mapToAttrs
@ -40,8 +40,8 @@ in
      name = builtins.toString port;
      value = {
        protocol = [ "tcp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-FTP server data port range";
      };
    })
@ -59,18 +59,8 @@ in
    enable = true;
    group = "export";

-    package = lib.warnIf (lib.versionOlder "2.5.6" pkgs.sftpgo.version) "sftpgo update: safe to use nixpkgs' sftpgo but keep my own `patches`" pkgs.buildGoModule {
-      inherit (pkgs.sftpgo) name ldflags nativeBuildInputs doCheck subPackages postInstall passthru meta;
-      version = "2.5.6-unstable-2024-04-18";
-      src = pkgs.fetchFromGitHub {
-        # need to use > 2.5.6 for sftpgo_safe_fileinfo.patch to apply
-        owner = "drakkan";
-        repo = "sftpgo";
-        rev = "950cf67e4c03a12c7e439802cabbb0b42d4ee5f5";
-        hash = "sha256-UfiFd9NK3DdZ1J+FPGZrM7r2mo9xlKi0dsSlLEinYXM=";
-      };
-      vendorHash = "sha256-n1/9A2em3BCtFX+132ualh4NQwkwewMxYIMOphJEamg=";
-      patches = (pkgs.sftpgo.patches or []) ++ [
+    package = pkgs.sftpgo.overrideAttrs (upstream: {
+      patches = (upstream.patches or []) ++ [
        # fix for compatibility with kodi:
        # ftp LIST operation returns entries over-the-wire like:
        # - dgrwxrwxr-x 1 ftp ftp            9 Apr  9 15:05 Videos
@ -79,7 +69,7 @@ in
        # the full set of bits, from which i filter, is found here: <https://pkg.go.dev/io/fs#FileMode>
        ./safe_fileinfo.patch
      ];
-    };
+    });

    settings = {
      ftpd = {
@ -110,6 +100,13 @@ in
            debug = true;
            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
          }
+          {
+            # binding this means any doof client can connect (TLS only)
+            address = config.sane.netns.doof.hostVethIpv4;
+            port = 990;
+            debug = true;
+            tls_mode = 2;  # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
+          }
        ];

        # active mode is susceptible to "bounce attacks", without much benefit over passive mode
@ -126,7 +123,7 @@ in
        banner = ''
          Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.

-          Read-only access (LAN-restricted):
+          Read-only access (LAN clients see everything; WAN clients can only see /pub):
          Username: "anonymous"
          Password: "anonymous"

--- a/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
+++ b/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])"
+#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.passlib ])"
 # vim: set filetype=python :
 #
 # available environment variables:
@ -37,14 +37,16 @@
 # - it seems (empirically) that a user can't cd above their home directory.
 #   though i don't have a reference for that in the docs.

-import crypt
 import json
 import os
+import passlib.hosts

 from hmac import compare_digest

 authFail = dict(username="")

+PERM_DENY = []
+PERM_LIST = [ "list" ]
 PERM_RO = [ "list", "download" ]
 PERM_RW = [
  # read-only:
@ -112,10 +114,8 @@ def isWireguard(ip: str) -> bool:

 def isTrustedCred(password: str) -> bool:
  for cred in TRUSTED_CREDS:
-    _, method, salt, hash_ = cred.split("$")
-    # assert method == "6", f"unrecognized crypt entry: {cred}"
-    if crypt.crypt(password, f"${method}${salt}") == cred:
-        return True
+    if passlib.hosts.linux_context.verify(password, cred):
+      return True

  return False

@ -129,12 +129,14 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
    return mkAuthOk(username, permissions = {
      "/": PERM_RW,
      "/playground": PERM_RW,
+      "/pub": PERM_RO,
    })
  if isWireguard(ip):
    # allow any user from wireguard
    return mkAuthOk(username, permissions = {
      "/": PERM_RW,
      "/playground": PERM_RW,
+      "/pub": PERM_RO,
    })
  if isLan(ip):
    if username == "anonymous":
@ -142,7 +144,19 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
      return mkAuthOk("anonymous", permissions = {
        "/": PERM_RO,
        "/playground": PERM_RW,
+        "/pub": PERM_RO,
      })
+  if username == "anonymous":
+    # anonymous users from the www can have even more limited access.
+    # mostly because i need an easy way to test WAN connectivity :-)
+    return mkAuthOk("anonymous", permissions = {
+      # "/": PERM_DENY,
+      "/": PERM_LIST,  #< REQUIRED, even for lftp to list a subdir
+      "/media": PERM_DENY,
+      "/playground": PERM_DENY,
+      "/pub": PERM_RO,
+      # "/README.md": PERM_RO,  #< does not work
+    })

  return authFail

--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@ -50,9 +50,15 @@
      ENABLE_CAPTCHA = true;
      NOREPLY_ADDRESS = "noreply.anonymous.git@uninsane.org";
    };
-    session.COOKIE_SECURE = true;
+    session = {
+      COOKIE_SECURE = true;
+      # keep me logged in for 30 days
+      SESSION_LIFE_TIME = 60 * 60 * 24 * 30;
+    };
    repository = {
      DEFAULT_BRANCH = "master";
+      ENABLE_PUSH_CREATE_USER = true;
+      ENABLE_PUSH_CREATE_ORG = true;
    };
    other = {
      SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
@ -90,6 +96,8 @@
    ];
  };

+  services.openssh.settings.UsePAM = true;  #< required for `git` user to authenticate
+
  # hosted git (web view and for `git <cmd>` use
  # TODO: enable publog?
  services.nginx.virtualHosts."git.uninsane.org" = {
@ -125,7 +133,7 @@
  sane.ports.ports."22" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-git@git.uninsane.org";
  };
 }
--- a/hosts/by-name/servo/services/jackett.nix
+++ b/hosts/by-name/servo/services/jackett.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 {
  sane.persist.sys.byStore.plaintext = [
@ -12,7 +12,7 @@
  systemd.services.jackett.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected

    # patch jackett to listen on the public interfaces
    # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
@ -24,8 +24,7 @@
    enableACME = true;
    # inherit kTLS;
    locations."/" = {
-      # proxyPass = "http://ovpns.uninsane.org:9117";
-      proxyPass = "http://10.0.1.6:9117";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
      recommendedProxySettings = true;
    };
  };
--- a/hosts/by-name/servo/services/lemmy.nix
+++ b/hosts/by-name/servo/services/lemmy.nix
@ -22,7 +22,7 @@ let
  #   #      "Change commandline flag to allow disabling video, since it is enabled by default"
  #   postPatch = (upstream.postPatch or "") + ''
  #     substituteInPlace src/validate.rs \
-  #       --replace 'if transcode_options.needs_reencode() {' 'if false {'
+  #       --replace-fail 'if transcode_options.needs_reencode() {' 'if false {'
  #   '';
  # });
 in {
--- a/hosts/by-name/servo/services/matrix/irc.nix
+++ b/hosts/by-name/servo/services/matrix/irc.nix
@ -4,12 +4,11 @@
 { config, lib, ... }:

 let
-  ircServer = { name, additionalAddresses ? [], sasl ? true, port ? 6697 }: let
+  ircServer = { name, additionalAddresses ? [], ssl ? true, sasl ? true, port ? if ssl then 6697 else 6667 }: let
    lowerName = lib.toLower name;
  in {
    # XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
-    inherit name additionalAddresses sasl port;
-    ssl = true;
+    inherit additionalAddresses name port sasl ssl;
    botConfig = {
      # bot has no presence in IRC channel; only real Matrix users
      enabled = false;
@ -156,6 +155,10 @@ in
          # - #sxmo-offtopic
        };
        "irc.rizon.net" = ircServer { name = "Rizon"; };
+        "wigle.net" = ircServer {
+          name = "WiGLE";
+          ssl = false;
+        };
      };
    };
  };
--- a/hosts/by-name/servo/services/nginx.nix
+++ b/hosts/by-name/servo/services/nginx.nix
@ -17,14 +17,14 @@ in
  sane.ports.ports."80" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
-    visibleTo.wan = true;
-    visibleTo.ovpn = true;  # so that letsencrypt can procure a cert for the mx record
+    visibleTo.ovpns = true;  # so that letsencrypt can procure a cert for the mx record
+    visibleTo.doof = true;
    description = "colin-http-uninsane.org";
  };
  sane.ports.ports."443" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-https-uninsane.org";
  };

--- a/hosts/by-name/servo/services/nixserve.nix
+++ b/hosts/by-name/servo/services/nixserve.nix
@ -1,21 +0,0 @@
-{ config, ... }:
-
-{
-  services.nginx.virtualHosts."nixcache.uninsane.org" = {
-    addSSL = true;
-    enableACME = true;
-    # inherit kTLS;
-    # serverAliases = [ "nixcache" ];
-    locations."/".extraConfig = ''
-      proxy_pass http://localhost:${toString config.services.nix-serve.port};
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    '';
-  };
-
-  sane.dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
-
-  sane.services.nixserve.enable = true;
-  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
-}
--- a/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
+++ b/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
@ -86,7 +86,7 @@ in
  sane.ports.ports."${builtins.toString altPort}" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-ntfy.uninsane.org";
  };
 }
--- a/hosts/by-name/servo/services/ntfy/ntfy-waiter.nix
+++ b/hosts/by-name/servo/services/ntfy/ntfy-waiter.nix
@ -62,8 +62,8 @@ in
    sane.ports.ports = lib.mkMerge (lib.forEach portRange (port: {
      "${builtins.toString port}" = {
        protocol = [ "tcp" ];
+        visibleTo.doof = true;
        visibleTo.lan = true;
-        visibleTo.wan = true;
        description = "colin-notification-waiter-${builtins.toString (port - portLow + 1)}-of-${builtins.toString numPorts}";
      };
    }));
--- a/hosts/by-name/servo/services/prosody/default.nix
+++ b/hosts/by-name/servo/services/prosody/default.nix
@ -61,42 +61,42 @@ in
  ];
  sane.ports.ports."5000" = {
    protocol = [ "tcp" ];
+    visibleTo.doof = true;
    visibleTo.lan = true;
-    visibleTo.wan = true;
    description = "colin-xmpp-prosody-fileshare-proxy65";
  };
  sane.ports.ports."5222" = {
    protocol = [ "tcp" ];
+    visibleTo.doof = true;
    visibleTo.lan = true;
-    visibleTo.wan = true;
    description = "colin-xmpp-client-to-server";
  };
  sane.ports.ports."5223" = {
    protocol = [ "tcp" ];
+    visibleTo.doof = true;
    visibleTo.lan = true;
-    visibleTo.wan = true;
    description = "colin-xmpps-client-to-server";  # XMPP over TLS
  };
  sane.ports.ports."5269" = {
    protocol = [ "tcp" ];
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-xmpp-server-to-server";
  };
  sane.ports.ports."5270" = {
    protocol = [ "tcp" ];
-    visibleTo.wan = true;
+    visibleTo.doof = true;
    description = "colin-xmpps-server-to-server";  # XMPP over TLS
  };
  sane.ports.ports."5280" = {
    protocol = [ "tcp" ];
+    visibleTo.doof = true;
    visibleTo.lan = true;
-    visibleTo.wan = true;
    description = "colin-xmpp-bosh";
  };
  sane.ports.ports."5281" = {
    protocol = [ "tcp" ];
+    visibleTo.doof = true;
    visibleTo.lan = true;
-    visibleTo.wan = true;
    description = "colin-xmpp-prosody-https";  # necessary?
  };

--- a/hosts/by-name/servo/services/slskd.nix
+++ b/hosts/by-name/servo/services/slskd.nix
@ -9,8 +9,6 @@
 #   - "Soulseek.AddressException: Failed to resolve address 'vps.slsknet.org': Resource temporarily unavailable"
 { config, lib, pkgs, ... }:

-# TODO: re-enable once i'm satisfied this isn't escaping the net sandbox
-lib.mkIf false
 {
  sane.persist.sys.byStore.plaintext = [
    { user = "slskd"; group = "media"; path = "/var/lib/slskd"; method = "bind"; }
@ -24,8 +22,7 @@ lib.mkIf false

  sane.ports.ports."50300" = {
    protocol = [ "tcp" ];
-    # not visible to WAN: i run this in a separate netns
-    visibleTo.ovpn = true;
+    # visibleTo.ovpns = true;  #< not needed: it runs in the ovpns namespace
    description = "colin-soulseek";
  };

@ -35,7 +32,7 @@ lib.mkIf false
    forceSSL = true;
    enableACME = true;
    locations."/" = {
-      proxyPass = "http://10.0.1.6:5030";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030";
      proxyWebsockets = true;
    };
  };
@ -74,7 +71,7 @@ lib.mkIf false
  systemd.services.slskd.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected

    Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
    RestartSec = "60s";
--- a/hosts/by-name/servo/services/transmission.nix
+++ b/hosts/by-name/servo/services/transmission.nix
@ -105,8 +105,8 @@ in
    # DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>

    # message-level = 3;  #< enable for debug logging. 0-3, default is 2.
-    # 10.0.1.6 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
-    rpc-bind-address = "10.0.1.6";
+    # ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
+    rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;
    #rpc-host-whitelist = "bt.uninsane.org";
    #rpc-whitelist = "*.*.*.*";
    rpc-authentication-required = true;
@ -117,7 +117,7 @@ in
    rpc-whitelist-enabled = false;

    # force behind ovpns in case the NetworkNamespace fails somehow
-    bind-address-ipv4 = "185.157.162.178";
+    bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4;
    port-forwarding-enabled = false;

    # hopefully, make the downloads world-readable
@ -159,7 +159,7 @@ in
  systemd.services.transmission.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected

    Restart = "on-failure";
    RestartSec = "30s";
@ -189,14 +189,14 @@ in
    # inherit kTLS;
    locations."/" = {
      # proxyPass = "http://ovpns.uninsane.org:9091";
-      proxyPass = "http://10.0.1.6:9091";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091";
    };
  };

  sane.dns.zones."uninsane.org".inet.CNAME."bt" = "native";
  sane.ports.ports."51413" = {
    protocol = [ "tcp" "udp" ];
-    visibleTo.ovpn = true;
+    # visibleTo.ovpns = true;  #< not needed: it runs in the ovpns namespace
    description = "colin-bittorrent";
  };
 }
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@ -4,14 +4,14 @@
 let
  dyn-dns = config.sane.services.dyn-dns;
  nativeAddrs = lib.mapAttrs (_name: builtins.head) config.sane.dns.zones."uninsane.org".inet.A;
-  bindOvpn = "10.0.1.5";
 in
 {
  sane.ports.ports."53" = {
    protocol = [ "udp" "tcp" ];
    visibleTo.lan = true;
-    visibleTo.wan = true;
-    visibleTo.ovpn = true;
+    # visibleTo.wan = true;
+    visibleTo.ovpns = true;
+    visibleTo.doof = true;
    description = "colin-dns-hosting";
  };

@ -39,6 +39,7 @@ in
    CNAME."native" = "%CNAMENATIVE%";
    A."@" =      "%ANATIVE%";
    A."servo.wan" = "%AWAN%";
+    A."servo.doof" = "%ADOOF%";
    A."servo.lan" = config.sane.hosts.by-name."servo".lan-ip;
    A."servo.hn" = config.sane.hosts.by-name."servo".wg-home.ip;

@ -46,9 +47,9 @@ in
    # it's best that we keep this identical, or a superset of, what org. lists as our NS.
    # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
    A."ns1" =    "%ANATIVE%";
-    A."ns2" =    "185.157.162.178";
-    A."ns3" =    "185.157.162.178";
-    A."ovpns" =  "185.157.162.178";
+    A."ns2" =    "%ADOOF%";
+    A."ns3" =    "%AOVPNS%";
+    A."ovpns" =  "%AOVPNS%";
    NS."@" = [
      "ns1.uninsane.org."
      "ns2.uninsane.org."
@ -59,101 +60,108 @@ in
  services.trust-dns.settings.zones = [ "uninsane.org" ];


-  networking.nat.enable = true;
-  networking.nat.extraCommands = ''
-    # redirect incoming DNS requests from LAN addresses
-    #   to the LAN-specialized DNS service
-    # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
-    #   because they get cleanly reset across activations or `systemctl restart firewall`
-    #   instead of accumulating cruft
-    iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
-      -m iprange --src-range 10.78.76.0-10.78.79.255 \
-      -j DNAT --to-destination :1053
-    iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
-      -m iprange --src-range 10.78.76.0-10.78.79.255 \
-      -j DNAT --to-destination :1053
-  '';
-  sane.ports.ports."1053" = {
-    # because the NAT above redirects in nixos-nat-pre, LAN requests behave as though they arrived on the external interface at the redirected port.
-    # TODO: try nixos-nat-post instead?
-    # TODO: or, don't NAT from port 53 -> port 1053, but rather nat from LAN addr to a loopback addr.
-    # - this is complicated in that loopback is a different interface than eth0, so rewriting the destination address would cause the packets to just be dropped by the interface
-    protocol = [ "udp" "tcp" ];
-    visibleTo.lan = true;
-    description = "colin-redirected-dns-for-lan-namespace";
-  };
+  networking.nat.enable = true;  #< TODO: try removing this?
+  # networking.nat.extraCommands = ''
+  #   # redirect incoming DNS requests from LAN addresses
+  #   #   to the LAN-specialized DNS service
+  #   # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
+  #   #   because they get cleanly reset across activations or `systemctl restart firewall`
+  #   #   instead of accumulating cruft
+  #   iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
+  #     -m iprange --src-range 10.78.76.0-10.78.79.255 \
+  #     -j DNAT --to-destination :1053
+  #   iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
+  #     -m iprange --src-range 10.78.76.0-10.78.79.255 \
+  #     -j DNAT --to-destination :1053
+  # '';
+  # sane.ports.ports."1053" = {
+  #   # because the NAT above redirects in nixos-nat-pre, LAN requests behave as though they arrived on the external interface at the redirected port.
+  #   # TODO: try nixos-nat-post instead?
+  #   # TODO: or, don't NAT from port 53 -> port 1053, but rather nat from LAN addr to a loopback addr.
+  #   # - this is complicated in that loopback is a different interface than eth0, so rewriting the destination address would cause the packets to just be dropped by the interface
+  #   protocol = [ "udp" "tcp" ];
+  #   visibleTo.lan = true;
+  #   description = "colin-redirected-dns-for-lan-namespace";
+  # };


  sane.services.trust-dns.enable = true;
  sane.services.trust-dns.instances = let
    mkSubstitutions = flavor: {
+      "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
+      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
+      "%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
      "%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
      "%CNAMENATIVE%" = "servo.${flavor}";
-      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
-      "%AOVPNS%" = "185.157.162.178";
    };
  in
  {
-    wan = {
-      substitutions = mkSubstitutions "wan";
-      listenAddrs = [
-        nativeAddrs."servo.lan"
-        bindOvpn
+    doof = {
+      substitutions = mkSubstitutions "doof";
+      listenAddrsIpv4 = [
+        config.sane.netns.doof.hostVethIpv4
+        config.sane.netns.ovpns.hostVethIpv4
      ];
    };
-    lan = {
-      substitutions = mkSubstitutions "lan";
-      listenAddrs = [ nativeAddrs."servo.lan" ];
-      port = 1053;
-    };
    hn = {
      substitutions = mkSubstitutions "hn";
-      listenAddrs = [ nativeAddrs."servo.hn" ];
-      port = 1053;
+      listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
    };
-    hn-resolver = {
-      # don't need %AWAN% here because we forward to the hn instance.
-      listenAddrs = [ nativeAddrs."servo.hn" ];
-      extraConfig = {
-        zones = [
-          {
-            zone = "uninsane.org";
-            zone_type = "Forward";
-            stores = {
-              type = "forward";
-              name_servers = [
-                {
-                  socket_addr = "${nativeAddrs."servo.hn"}:1053";
-                  protocol = "udp";
-                  trust_nx_responses = true;
-                }
-              ];
-            };
-          }
-          {
-            # forward the root zone to the local DNS resolver
-            zone = ".";
-            zone_type = "Forward";
-            stores = {
-              type = "forward";
-              name_servers = [
-                {
-                  socket_addr = "127.0.0.53:53";
-                  protocol = "udp";
-                  trust_nx_responses = true;
-                }
-              ];
-            };
-          }
-        ];
-      };
+    lan = {
+      substitutions = mkSubstitutions "lan";
+      listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
+      # port = 1053;
    };
+    # wan = {
+    #   substitutions = mkSubstitutions "wan";
+    #   listenAddrsIpv4 = [
+    #     nativeAddrs."servo.lan"
+    #   ];
+    # };
+    # hn-resolver = {
+    #   # don't need %AWAN% here because we forward to the hn instance.
+    #   listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
+    #   extraConfig = {
+    #     zones = [
+    #       {
+    #         zone = "uninsane.org";
+    #         zone_type = "Forward";
+    #         stores = {
+    #           type = "forward";
+    #           name_servers = [
+    #             {
+    #               socket_addr = "${nativeAddrs."servo.hn"}:1053";
+    #               protocol = "udp";
+    #               trust_nx_responses = true;
+    #             }
+    #           ];
+    #         };
+    #       }
+    #       {
+    #         # forward the root zone to the local DNS resolver
+    #         zone = ".";
+    #         zone_type = "Forward";
+    #         stores = {
+    #           type = "forward";
+    #           name_servers = [
+    #             {
+    #               socket_addr = "127.0.0.53:53";
+    #               protocol = "udp";
+    #               trust_nx_responses = true;
+    #             }
+    #           ];
+    #         };
+    #       }
+    #     ];
+    #   };
+    # };
  };

  sane.services.dyn-dns.restartOnChange = [
-    "trust-dns-wan.service"
-    "trust-dns-lan.service"
+    "trust-dns-doof.service"
    "trust-dns-hn.service"
+    "trust-dns-lan.service"
+    # "trust-dns-wan.service"
    # "trust-dns-hn-resolver.service"  # doesn't need restart because it doesn't know about WAN IP
  ];
 }
--- a/hosts/common/boot.nix
+++ b/hosts/common/boot.nix
@ -0,0 +1,50 @@
+{ lib, pkgs, ... }:
+{
+  boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
+  # useful emergency utils
+  boot.initrd.extraUtilsCommands = ''
+    copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
+    copy_bin_and_libs ${pkgs.util-linux}/bin/{cfdisk,lsblk,lscpu}
+    copy_bin_and_libs ${pkgs.gptfdisk}/bin/{cgdisk,gdisk}
+    copy_bin_and_libs ${pkgs.smartmontools}/bin/smartctl
+    copy_bin_and_libs ${pkgs.e2fsprogs}/bin/resize2fs
+  '' + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 ''
+    copy_bin_and_libs ${pkgs.nvme-cli}/bin/nvme  # doesn't cross compile
+  '';
+  boot.kernelParams = [
+    "boot.shell_on_fail"
+    #v experimental full pre-emption for hopefully better call/audio latency on moby.
+    # also toggleable at runtime via /sys/kernel/debug/sched/preempt
+    # defaults to preempt=voluntary
+    # "preempt=full"
+  ];
+  # other kernelParams:
+  #   "boot.trace"
+  #   "systemd.log_level=debug"
+  #   "systemd.log_target=console"
+
+  # moby has to run recent kernels (defined elsewhere).
+  # meanwhile, kernel variation plays some minor role in things like sandboxing (landlock) and capabilities.
+  # simpler to keep near the latest kernel on all devices,
+  # and also makes certain that any weird system-level bugs i see aren't likely to be stale kernel bugs.
+  # servo needs zfs though, which doesn't support every kernel.
+  boot.kernelPackages = lib.mkDefault pkgs.zfs.latestCompatibleLinuxPackages;
+
+  # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
+  boot.initrd.preFailCommands = "allowShell=1";
+
+  # default: 4 (warn). 7 is debug
+  boot.consoleLogLevel = 7;
+
+  boot.loader.grub.enable = lib.mkDefault false;
+  boot.loader.generic-extlinux-compatible.enable = lib.mkDefault true;
+
+  hardware.enableAllFirmware = true;  # firmware with licenses that don't allow for redistribution. fuck lawyers, fuck IP, give me the goddamn firmware.
+  # hardware.enableRedistributableFirmware = true;  # proprietary but free-to-distribute firmware (extraneous to `enableAllFirmware` option)
+
+  # default is 252274, which is too low particularly for servo.
+  # manifests as spurious "No space left on device" when trying to install watches,
+  # e.g. in dyn-dns by `systemctl start dyn-dns-watcher.path`.
+  # see: <https://askubuntu.com/questions/828779/failed-to-add-run-systemd-ask-password-to-directory-watch-no-space-left-on-dev>
+  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
+}
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -1,24 +1,30 @@
 { config, lib, pkgs, ... }:
 {
  imports = [
+    ./boot.nix
    ./feeds.nix
    ./fs.nix
-    ./hardware
    ./home
    ./hosts.nix
    ./ids.nix
    ./machine-id.nix
    ./net
-    ./nix
+    ./nix.nix
    ./persist.nix
    ./polyunfill.nix
    ./programs
+    ./quirks.nix
    ./secrets.nix
    ./ssh.nix
    ./systemd.nix
    ./users
  ];

+
+  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
+  # this affects where nixos modules look for stateful data which might have been migrated across releases.
+  system.stateVersion = "21.11";
+
  sane.nixcache.enable-trusted-keys = true;
  sane.nixcache.enable = lib.mkDefault true;
  sane.persist.enable = lib.mkDefault true;
@ -26,9 +32,6 @@
  sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
  sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;

-  nixpkgs.config.allowUnfree = true;  # NIXPKGS_ALLOW_UNFREE=1
-  nixpkgs.config.allowBroken = true;  # NIXPKGS_ALLOW_BROKEN=1
-
  # time.timeZone = "America/Los_Angeles";
  time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone

--- a/hosts/common/feeds.nix
+++ b/hosts/common/feeds.nix
@ -86,6 +86,7 @@ let
    (fromDb "lexfridman.com/podcast" // rat)
    (fromDb "mapspodcast.libsyn.com" // uncat)  # Multidisciplinary Association for Psychedelic Studies
    (fromDb "microarch.club" // tech)
+    (fromDb "mintcast.org" // tech)
    (fromDb "omegataupodcast.net" // tech)  # 3/4 German; 1/4 eps are English
    (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)  # Maggie Killjoy -- referenced by Cory Doctorow
    (fromDb "omny.fm/shows/money-stuff-the-podcast")  # Matt Levine
@ -191,8 +192,10 @@ let
    (fromDb "uninsane.org" // tech)
    (fromDb "unintendedconsequenc.es" // rat)
    (fromDb "vitalik.eth.limo" // tech)  # Vitalik Buterin
+    (fromDb "weekinethereumnews.com" // tech)
    (fromDb "willow.phantoma.online")  # wizard@xyzzy.link
    (fromDb "xn--gckvb8fzb.com" // tech)
+    (fromDb "xorvoid.com" // tech)
    (mkSubstack "astralcodexten" // rat // daily)  # Scott Alexander
    (mkSubstack "eliqian" // rat // weekly)
    (mkSubstack "oversharing" // pol // daily)
@ -236,7 +239,7 @@ let
    (fromDb "youtube.com/@TomScottGo")
    (fromDb "youtube.com/@Vihart")
    (fromDb "youtube.com/@Vox")
-    (fromDb "youtube.com/@Vsauce")
+    # (fromDb "youtube.com/@Vsauce")  # they're all like 1-minute long videos now? what happened @Vsauce?

    # (fromDb "youtube.com/@rossmanngroup" // pol // tech)  # Louis Rossmann
  ];
@ -244,6 +247,7 @@ let
  images = [
    (fromDb "catandgirl.com" // img // humor)
    (fromDb "davidrevoy.com" // img // art)
+    (fromDb "grumpy.website" // img // humor)
    (fromDb "miniature-calendar.com" // img // art // daily)
    (fromDb "pbfcomics.com" // img // humor)
    (fromDb "poorlydrawnlines.com/feed" // img // humor)
--- a/hosts/common/fs.nix
+++ b/hosts/common/fs.nix
@ -216,6 +216,7 @@ lib.mkMerge [
    programs.fuse.userAllowOther = true;  #< necessary for `allow_other` or `allow_root` options.
  }

+  (remoteHome "crappy")
  (remoteHome "desko")
  (remoteHome "lappy")
  (remoteHome "moby")
--- a/hosts/common/hardware/default.nix
+++ b/hosts/common/hardware/default.nix
@ -1,101 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./x86_64.nix
-  ];
-
-  boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
-  # useful emergency utils
-  boot.initrd.extraUtilsCommands = ''
-    copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
-    copy_bin_and_libs ${pkgs.util-linux}/bin/{cfdisk,lsblk,lscpu}
-    copy_bin_and_libs ${pkgs.gptfdisk}/bin/{cgdisk,gdisk}
-    copy_bin_and_libs ${pkgs.smartmontools}/bin/smartctl
-    copy_bin_and_libs ${pkgs.e2fsprogs}/bin/resize2fs
-  '' + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 ''
-    copy_bin_and_libs ${pkgs.nvme-cli}/bin/nvme  # doesn't cross compile
-  '';
-  boot.kernelParams = [
-    "boot.shell_on_fail"
-    #v experimental full pre-emption for hopefully better call/audio latency on moby.
-    # also toggleable at runtime via /sys/kernel/debug/sched/preempt
-    # defaults to preempt=voluntary
-    # "preempt=full"
-  ];
-  # other kernelParams:
-  #   "boot.trace"
-  #   "systemd.log_level=debug"
-  #   "systemd.log_target=console"
-
-  # moby has to run recent kernels (defined elsewhere).
-  # meanwhile, kernel variation plays some minor role in things like sandboxing (landlock) and capabilities.
-  # simpler to keep near the latest kernel on all devices,
-  # and also makes certain that any weird system-level bugs i see aren't likely to be stale kernel bugs.
-  # servo needs zfs though, which doesn't support every kernel.
-  boot.kernelPackages = lib.mkDefault pkgs.zfs.latestCompatibleLinuxPackages;
-
-  # TODO: remove after linux 6.9. see: <https://github.com/axboe/liburing/issues/1113>
-  # - <https://github.com/neovim/neovim/issues/28149>
-  # - <https://git.kernel.dk/cgit/linux/commit/?h=io_uring-6.9&id=e5444baa42e545bb929ba56c497e7f3c73634099>
-  # when removing, try starting and suspending (ctrl+z) two instances of neovim simultaneously.
-  # if the system doesn't freeze, then this is safe to remove.
-  # added 2024-04-04
-  sane.user.fs.".profile".symlink.text = lib.mkBefore ''
-    export UV_USE_IO_URING=0
-  '';
-
-  # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
-  boot.initrd.preFailCommands = "allowShell=1";
-
-  # default: 4 (warn). 7 is debug
-  boot.consoleLogLevel = 7;
-
-  boot.loader.grub.enable = lib.mkDefault false;
-  boot.loader.generic-extlinux-compatible.enable = lib.mkDefault true;
-
-  # non-free firmware
-  hardware.enableRedistributableFirmware = true;
-
-  # default is 252274, which is too low particularly for servo.
-  # manifests as spurious "No space left on device" when trying to install watches,
-  # e.g. in dyn-dns by `systemctl start dyn-dns-watcher.path`.
-  # see: <https://askubuntu.com/questions/828779/failed-to-add-run-systemd-ask-password-to-directory-watch-no-space-left-on-dev>
-  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
-
-  # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
-  powerManagement.powertop.enable = false;
-  # linux CPU governor: <https://www.kernel.org/doc/Documentation/cpu-freq/governors.txt>
-  # - options:
-  #   - "powersave" => force CPU to always run at lowest supported frequency
-  #   - "performance" => force CPU to always run at highest frequency
-  #   - "ondemand" => adjust frequency based on load
-  #   - "conservative"  (ondemand but slower to adjust)
-  #   - "schedutil"
-  #   - "userspace"
-  # - not all options are available for all platforms
-  #   - intel (intel_pstate) appears to manage scaling w/o intervention/control from the OS.
-  #   - AMD (acpi-cpufreq) appears to manage scaling via the OS *or* HW. but the ondemand defaults never put it to max hardware frequency.
-  #   - qualcomm (cpufreq-dt) appears to manage scaling *only* via the OS. ondemand governor exercises the full range.
-  # - query details with `sudo cpupower frequency-info`
-  powerManagement.cpuFreqGovernor = "ondemand";
-
-  services.logind.extraConfig = ''
-    # see: `man logind.conf`
-    # don’t shutdown when power button is short-pressed (commonly done an accident, or by cats).
-    #   but do on long-press: useful to gracefully power-off server.
-    HandlePowerKey=lock
-    HandlePowerKeyLongPress=poweroff
-    HandleLidSwitch=lock
-  '';
-
-  # services.snapper.configs = {
-  #   root = {
-  #     subvolume = "/";
-  #     extraConfig = {
-  #       ALLOW_USERS = "colin";
-  #     };
-  #   };
-  # };
-  # services.snapper.snapshotInterval = "daily";
-}
--- a/hosts/common/hardware/x86_64.nix
+++ b/hosts/common/hardware/x86_64.nix
@ -1,15 +0,0 @@
-{ lib, pkgs, ... }:
-
-{
-  config = lib.mkIf (pkgs.system == "x86_64-linux") {
-    boot.initrd.availableKernelModules = [
-      "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
-      "usb_storage"   # rpi needed this to boot from usb storage, i think.
-      "nvme"  # to boot from nvme devices
-      # efi_pstore evivars
-    ];
-
-    hardware.cpu.amd.updateMicrocode = true;    # desktop
-    hardware.cpu.intel.updateMicrocode = true;  # laptop
-  };
-}
--- a/hosts/common/home/mime.nix
+++ b/hosts/common/home/mime.nix
@ -50,7 +50,7 @@ let
  localShareApplicationsPkg = (pkgs.symlinkJoin {
    name = "user-local-share-applications";
    paths = builtins.map
-      (p: "${p.package}")
+      (p: builtins.toString p.package)
      (enabledProgramsWithPackage ++ [ { package=mimeappsListPkg; } ]);
  }).overrideAttrs (orig: {
    # like normal symlinkJoin, but don't error if the path doesn't exist
--- a/hosts/common/home/xdg-dirs.nix
+++ b/hosts/common/home/xdg-dirs.nix
@ -23,11 +23,5 @@
  # see <https://manpages.ubuntu.com/manpages/bionic/man5/user-dirs.conf.5.html>
  sane.user.fs.".config/user-dirs.conf".symlink.text = "enabled=False";

-  sane.user.fs.".profile".symlink.text = ''
-    # configure XDG_<type>_DIR preferences (e.g. for downloads, screenshots, etc)
-    # surround with `set -o allexport` since user-dirs.dirs doesn't `export` its vars
-    set -a
-    source $HOME/.config/user-dirs.dirs
-    set +a
-  '';
+  sane.user.fs.".config/environment.d/30-user-dirs.conf".symlink.target = "../user-dirs.dirs";
 }
--- a/hosts/common/hosts.nix
+++ b/hosts/common/hosts.nix
@ -2,6 +2,14 @@

 {
  # TODO: this should be populated per-host
+  sane.hosts.by-name."crappy" = {
+    ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIvSQAGKqmymXIL4La9B00LPxBIqWAr5AsJxk3UQeY5";
+    ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMN0cpRAloCBOE5/2wuzgik35iNDv5KLceWMCVaa7DIQ";
+    # wg-home.pubkey = "TODO";
+    # wg-home.ip = "10.0.10.55";
+    lan-ip = "10.78.79.55";
+  };
+
  sane.hosts.by-name."desko" = {
    ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
    ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@ -4,6 +4,9 @@
 { ... }:

 {
+  # partially supported in nixpkgs  <repo:nixos/nixpkgs:nixos/modules/misc/ids.nix>
+  sane.ids.networkmanager.uid = 57;  #< nixpkgs unofficially reserves this, to match networkmanager's gid
+
  # legacy servo users, some are inconvenient to migrate
  sane.ids.dhcpcd.gid = 991;
  sane.ids.dhcpcd.uid = 992;
@ -18,7 +21,7 @@
  sane.ids.matrix-appservice-irc.uid = 993;
  sane.ids.matrix-appservice-irc.gid = 992;

-  # greetd (used by sway)
+  # greetd (legacy)
  sane.ids.greeter.uid = 999;
  sane.ids.greeter.gid = 999;

@ -78,6 +81,7 @@

  # found on graphical hosts
  sane.ids.nm-iodine.uid = 2101;  # desko/moby/lappy
+  sane.ids.seat.gid = 2102;

  # found on desko host
  # from services.usbmuxd
--- a/hosts/common/net/default.nix
+++ b/hosts/common/net/default.nix
@ -4,6 +4,8 @@
  imports = [
    ./dns.nix
    ./hostnames.nix
+    ./modemmanager.nix
+    ./networkmanager.nix
    ./upnp.nix
    ./vpn.nix
  ];
@ -24,41 +26,4 @@
  # this is required separately by servo and by any `sane-vpn` users,
  # however Nix requires this be set centrally, in only one location (i.e. here)
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
-  # the default backend is "wpa_supplicant".
-  # wpa_supplicant reliably picks weak APs to connect to.
-  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
-  # iwd is an alternative that shouldn't have this problem
-  # docs:
-  # - <https://nixos.wiki/wiki/Iwd>
-  # - <https://iwd.wiki.kernel.org/networkmanager>
-  # - `man iwd.config`  for global config
-  # - `man iwd.network` for per-SSID config
-  # use `iwctl` to control
-  # networking.networkmanager.wifi.backend = "iwd";
-  # networking.wireless.iwd.enable = true;
-  # networking.wireless.iwd.settings = {
-  #   # auto-connect to a stronger network if signal drops below this value
-  #   # bedroom -> bedroom connection is -35 to -40 dBm
-  #   # bedroom -> living room connection is -60 dBm
-  #   General.RoamThreshold = "-52";  # default -70
-  #   General.RoamThreshold5G = "-52";  # default -76
-  # };
-
-  # plugins mostly add support for establishing different VPN connections.
-  # the default plugin set includes mostly proprietary VPNs:
-  # - fortisslvpn (Fortinet)
-  # - iodine (DNS tunnels)
-  # - l2tp
-  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
-  # - openvpn
-  # - vpnc (Cisco VPN)
-  # - sstp
-  #
-  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
-  # e.g. openconnect drags in webkitgtk (for SSO)!
-  networking.networkmanager.plugins = lib.mkForce [];
-
-  # keyfile.path = where networkmanager should look for connection credentials
-  networking.networkmanager.settings.keyfile.path = "/var/lib/NetworkManager/system-connections";
 }
--- a/hosts/common/net/dns.nix
+++ b/hosts/common/net/dns.nix
@ -1,7 +1,6 @@
 # things to consider when changing these parameters:
 # - temporary VPN access (`sane-vpn up ...`)
 # - servo `ovpns` namespace (it *relies* on /etc/resolv.conf mentioning 127.0.0.53)
-# - jails: `firejail --net=br-ovpnd-us --noprofile --dns=46.227.67.134 ping 1.1.1.1`
 #
 # components:
 # - /etc/nsswitch.conf:
@ -18,17 +17,22 @@
 #   - modern implementations hardcodes `127.0.0.53` and then systemd-resolved proxies everything (and caches).
 #
 # namespacing:
-# - each namespace can use a different /etc/resolv.conf to specify different DNS servers (see `firejail --dns=...`)
+# - each namespace may use a different /etc/resolv.conf to specify different DNS servers
 # - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
-#   - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether.
-{ lib, ... }:
+#   - this is fixed by either removing `/var/run/nscd/socket` from the namespace, or disabling nscd altogether.
+{ config, lib, ... }:
+lib.mkMerge [
 {
+  sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
+  sane.services.trust-dns.asSystemResolver = lib.mkDefault true;
+}
+(lib.mkIf (!config.sane.services.trust-dns.asSystemResolver) {
  # use systemd's stub resolver.
  # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
  # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
  # in servo's ovnps namespace to use the provider's DNS resolvers.
  # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
+  # TODO: improve trust-dns recursive resolver and then remove this
  services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
  # without DNSSEC:
  # - dig matrix.org => works
@ -44,7 +48,8 @@
    # stub resolver (just forwards upstream) lives on 127.0.0.54
    "127.0.0.53"
  ];
-
+})
+{
  # nscd -- the Name Service Caching Daemon -- caches DNS query responses
  # in a way that's unaware of my VPN routing, so routes are frequently poor against
  # services which advertise different IPs based on geolocation.
@ -65,3 +70,4 @@
  services.nscd.enable = false;
  system.nssModules = lib.mkForce [];
 }
+]
--- a/hosts/common/net/modemmanager.nix
+++ b/hosts/common/net/modemmanager.nix
@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+{
+  networking.modemmanager.package = pkgs.modemmanager-split.daemon.overrideAttrs (upstream: {
+    # patch to allow the dbus endpoints to be owned by networkmanager user
+    postInstall = (upstream.postInstall or "") + ''
+      substitute $out/share/dbus-1/system.d/org.freedesktop.ModemManager1.conf \
+        $out/share/dbus-1/system.d/networkmanager-org.freedesktop.ModemManager1.conf \
+        --replace-fail 'user="root"' 'group="networkmanager"'
+    '';
+  });
+
+  systemd.services.ModemManager = {
+    # aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
+    # after = [ "polkit.service" ];
+    # requires = [ "polkit.service" ];
+    wantedBy = [ "network.target" ];  #< default is `multi-user.target`, somehow it doesn't auto-start with that...
+    # path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`
+
+    # serviceConfig.Type = "dbus";
+    # serviceConfig.BusName = "org.freedesktop.ModemManager1";
+
+    # only if started with `--debug` does mmcli let us issue AT commands like
+    # `mmcli --modem any --command=<AT_CMD>`
+    serviceConfig.ExecStart = [
+      ""  # first blank line is to clear the upstream `ExecStart` field.
+      "${lib.getExe' config.networking.modemmanager.package "ModemManager"} --debug"
+    ];
+    # --debug sets DEBUG level logging: so reset
+    serviceConfig.ExecStartPost = "${lib.getExe config.sane.programs.mmcli.package} --set-logging=INFO";
+
+    # v this is what upstream ships
+    # serviceConfig.Restart = "on-abort";
+    # serviceConfig.StandardError = "null";
+    # serviceConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN";
+    # serviceConfig.ProtectSystem = true;  # makes empty: /boot, /usr
+    # serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    # serviceConfig.PrivateTmp = true;
+    # serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
+    # serviceConfig.NoNewPrivileges = true;
+
+    serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];  #< TODO: make sure this is *really* taking effect, and isn't supplemental to upstream's `CAP_SYS_ADMIN` setting
+    serviceConfig.LockPersonality = true;
+    # serviceConfig.PrivateUsers = true;  #< untried, not likely to work since it needs capabilities
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectSystem = "strict";  # makes read-only all but /dev, /proc, /sys
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_NETLINK"
+      "AF_QIPCRTR"
+      "AF_UNIX"
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+
+    # from earlier `landlock` sandboxing, i know it needs these directories:
+    # - # "/"
+    # - "/dev" #v modem-power + net are not enough
+    # - # "/dev/modem-power"
+    # - # "/dev/net"
+    # - "/proc"
+    # - # /run  #v can likely be reduced more
+    # - "/run/dbus"
+    # - "/run/NetworkManager"
+    # - "/run/resolvconf"
+    # - "/run/systemd"
+    # - "/run/udev"
+    # - "/sys"
+  };
+
+  # so that ModemManager can discover when the modem appears
+  # services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
+}
--- a/hosts/common/net/networkmanager.nix
+++ b/hosts/common/net/networkmanager.nix
@ -0,0 +1,268 @@
+{ config, pkgs, ... }:
+let
+  # networkmanager = pkgs.networkmanager;
+  networkmanager = pkgs.networkmanager.overrideAttrs (upstream: {
+    src = pkgs.fetchFromGitea {
+      domain = "git.uninsane.org";
+      owner = "colin";
+      repo = "NetworkManager";
+      # patched to fix polkit permissions (with `nmcli`) when NetworkManager runs as user networkmanager
+      rev = "dev-sane-1.48.0";
+      hash = "sha256-vGmOKtwVItxjYioZJlb1og3K6u9s4rcmDnjAPLBC3ao=";
+    };
+    # patches = [];
+  });
+  # split the package into `daemon` and `nmcli` outputs, because the networkmanager *service*
+  # doesn't need `nmcli`/`nmtui` tooling
+  networkmanager-split = pkgs.networkmanager-split.override { inherit networkmanager; };
+in {
+  networking.networkmanager.enable = true;
+  # plugins mostly add support for establishing different VPN connections.
+  # the default plugin set includes mostly proprietary VPNs:
+  # - fortisslvpn (Fortinet)
+  # - iodine (DNS tunnels)
+  # - l2tp
+  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
+  # - openvpn
+  # - vpnc (Cisco VPN)
+  # - sstp
+  #
+  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
+  # e.g. openconnect drags in webkitgtk (for SSO)!
+  # networking.networkmanager.plugins = lib.mkForce [];
+  networking.networkmanager.enableDefaultPlugins = false;
+
+  networking.networkmanager.package = networkmanager-split.daemon.overrideAttrs (upstream: {
+    # postPatch = (upstream.postPatch or "") + ''
+    #   substituteInPlace src/{core/org.freedesktop.NetworkManager,nm-dispatcher/nm-dispatcher}.conf --replace-fail \
+    #     'user="root"' 'user="networkmanager"'
+    # '';
+    postInstall = (upstream.postInstall or "") + ''
+      # allow the bus to owned by either root or networkmanager users
+      # use the group here, that way ordinary users can be elevated to control networkmanager
+      # (via e.g. `nmcli`)
+      for f in org.freedesktop.NetworkManager.conf nm-dispatcher.conf ; do
+        substitute $out/share/dbus-1/system.d/$f \
+          $out/share/dbus-1/system.d/networkmanager-$f \
+          --replace-fail 'user="root"' 'group="networkmanager"'
+      done
+
+      # remove unused services to prevent any unexpected interactions
+      rm $out/etc/systemd/system/{nm-cloud-setup.service,nm-cloud-setup.timer,nm-priv-helper.service}
+    '';
+  });
+
+  # fixup the services to run as `networkmanager` and with less permissions
+  systemd.services.NetworkManager = {
+    serviceConfig.RuntimeDirectory = "NetworkManager";  #< tells systemd to create /run/NetworkManager
+    # serviceConfig.StateDirectory = "NetworkManager";  #< tells systemd to create /var/lib/NetworkManager
+    serviceConfig.User = "networkmanager";
+    serviceConfig.Group = "networkmanager";
+    serviceConfig.AmbientCapabilities = [
+      # "CAP_DAC_OVERRIDE"
+      "CAP_NET_ADMIN"
+      "CAP_NET_RAW"  #< required, else `libndp: ndp_sock_open: Failed to create ICMP6 socket.`
+      "CAP_NET_BIND_SERVICE"  #< this *does* seem to be necessary, though i don't understand why. DHCP?
+      # "CAP_SYS_MODULE"
+      # "CAP_AUDIT_WRITE"  #< allow writing to the audit log (optional)
+      # "CAP_KILL"
+    ];
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    # serviceConfig.PrivateUsers = true;  #< BREAKS NetworkManager (presumably, it causes a new user namespace, breaking CAP_NET_ADMIN & others).  "platform-linux: do-change-link[3]: failure 1 (Operation not permitted)"
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
+    serviceConfig.ProtectKernelTunables = true;  # but NM might need to write /proc/sys/net/...
+    serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+      "AF_NETLINK"  # breaks near DHCP without this
+      "AF_PACKET"  # for DHCP
+      "AF_UNIX"
+      # AF_ALG ?
+      # AF_BLUETOOTH ?
+      # AF_BRIDGE ?
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+    # from earlier `landlock` sandboxing, i know it needs these directories:
+    # - "/proc/net"
+    # - "/proc/sys/net"
+    # - "/run/NetworkManager"
+    # - "/run/systemd"  # for trust-dns-nmhook
+    # - "/run/udev"
+    # - # "/run/wg-home.priv"
+    # - "/sys/class"
+    # - "/sys/devices"
+    # - "/var/lib/NetworkManager"
+    # - "/var/lib/trust-dns"  #< for trust-dns-nmhook
+    # - "/run/systemd"
+  };
+
+  systemd.services.NetworkManager-wait-online = {
+    serviceConfig.User = "networkmanager";
+    serviceConfig.Group = "networkmanager";
+  };
+
+  # fix NetworkManager-dispatcher to actually run as a daemon,
+  # and sandbox it a bit
+  systemd.services.NetworkManager-dispatcher = {
+    after = [ "trust-dns-localhost.service" ];  #< so that /var/lib/trust-dns will exist
+    # serviceConfig.ExecStart = [
+    #   ""  # first blank line is to clear the upstream `ExecStart` field.
+    #   "${cfg.package}/libexec/nm-dispatcher --persist"  # --persist is needed for it to actually run as a daemon
+    # ];
+    # serviceConfig.Restart = "always";
+    # serviceConfig.RestartSec = "1s";
+
+    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `trust-dns`'s files in the nm hook)
+    serviceConfig.User = "networkmanager";  # TODO: should arguably use `DynamicUser`
+    serviceConfig.Group = "networkmanager";
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to trust-dns hook
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_UNIX"  # required, probably for dbus or systemd connectivity
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+  };
+
+  # harden wpa_supplicant (used by NetworkManager)
+  systemd.services.wpa_supplicant = {
+    serviceConfig.User = "networkmanager";
+    serviceConfig.Group = "networkmanager";
+    serviceConfig.AmbientCapabilities = [
+      "CAP_NET_ADMIN"
+      "CAP_NET_RAW"
+    ];
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    # serviceConfig.PrivateDevices = true;  # untried, not likely to work. remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateTmp = true;
+    # serviceConfig.PrivateUsers = true;  #< untried, not likely to work
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    serviceConfig.ProtectKernelTunables = true;  #< N.B.: i think this makes certain /proc writes fail
+    serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
+    serviceConfig.RestrictAddressFamilies = [
+      "AF_INET"  #< required
+      "AF_INET6"
+      "AF_NETLINK"  #< required
+      "AF_PACKET"  #< required
+      "AF_UNIX"  #< required (wpa_supplicant wants to use dbus)
+    ];
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
+
+    # from earlier `landlock` sandboxing, i know it needs only these paths:
+    # - "/dev/net"
+    # - "/dev/rfkill"
+    # - "/proc/sys/net"
+    # - "/sys/class/net"
+    # - "/sys/devices"
+    # - "/run/systemd"
+  };
+
+  networking.networkmanager.settings = {
+    # keyfile.path = where networkmanager should look for connection credentials
+    keyfile.path = "/var/lib/NetworkManager/system-connections";
+
+    # wifi.backend = "wpa_supplicant";  #< default
+    # wifi.scan-rand-mac-address = true;  #< default
+
+    # logging.audit = false;  #< default
+    logging.level = "INFO";
+
+    # main.dhcp = "internal";  #< default
+    main.dns = if config.services.resolved.enable then
+      "systemd-resolved"
+    else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
+      "none"
+    else
+      "internal"
+    ;
+    main.systemd-resolved = false;
+  };
+  environment.etc."NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections";
+
+  # the default backend is "wpa_supplicant".
+  # wpa_supplicant reliably picks weak APs to connect to.
+  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
+  # iwd is an alternative that shouldn't have this problem
+  # docs:
+  # - <https://nixos.wiki/wiki/Iwd>
+  # - <https://iwd.wiki.kernel.org/networkmanager>
+  # - `man iwd.config`  for global config
+  # - `man iwd.network` for per-SSID config
+  # use `iwctl` to control
+  # networking.networkmanager.wifi.backend = "iwd";
+  # networking.wireless.iwd.enable = true;
+  # networking.wireless.iwd.settings = {
+  #   # auto-connect to a stronger network if signal drops below this value
+  #   # bedroom -> bedroom connection is -35 to -40 dBm
+  #   # bedroom -> living room connection is -60 dBm
+  #   General.RoamThreshold = "-52";  # default -70
+  #   General.RoamThreshold5G = "-52";  # default -76
+  # };
+
+  # allow networkmanager to control systemd-resolved,
+  # which it needs to do to apply new DNS settings when using systemd-resolved.
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+
+  users.users.networkmanager = {
+    isSystemUser = true;
+    group = "networkmanager";
+    extraGroups = [ "trust-dns" ];
+  };
+
+  # there is, unfortunately, no proper interface by which to plumb wpa_supplicant into the NixOS service, except by overlay.
+  nixpkgs.overlays = [(self: super: {
+    wpa_supplicant = super.wpa_supplicant.overrideAttrs (upstream: {
+      # postPatch = (upstream.postPatch or "") + ''
+      #   substituteInPlace wpa_supplicant/dbus/dbus-wpa_supplicant.conf --replace-fail \
+      #     'user="root"' 'user="networkmanager"'
+      # '';
+      postInstall = (upstream.postInstall or "") + ''
+        substitute $out/share/dbus-1/system.d/dbus-wpa_supplicant.conf \
+          $out/share/dbus-1/system.d/networkmanager-wpa_supplicant.conf \
+          --replace-fail 'user="root"' 'group="networkmanager"'
+      '';
+
+      postFixup = (upstream.postFixup or "") + ''
+        # remove unused services to avoid unexpected interactions
+        rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
+      '';
+    });
+  })];
+}
--- a/hosts/common/net/vpn.nix
+++ b/hosts/common/net/vpn.nix
@ -7,50 +7,62 @@

 { config, lib, pkgs, ... }:
 let
-  def-ovpn = name: { endpoint, publicKey, addrV4, id }: {
-    sane.vpn."ovpnd-${name}" = {
-      inherit endpoint publicKey addrV4 id;
-      privateKeyFile = config.sops.secrets."wg/ovpnd_${name}_privkey".path;
+  # N.B.: OVPN issues each key (i.e. device) a different IP (addrV4), and requires you use it.
+  # the IP it issues can be used to connect to any of their VPNs.
+  # effectively the IP and key map 1-to-1.
+  # it seems to still be possible to keep two active tunnels on one device, using the same key/IP address, though.
+  def-ovpn = name: { endpoint, publicKey, id }: let
+    inherit (config.sane.ovpn) addrV4;
+  in {
+    sane.vpn."ovpnd-${name}" = lib.mkIf (addrV4 != null) {
+      inherit addrV4 endpoint publicKey id;
+      privateKeyFile = config.sops.secrets."ovpn_privkey".path;
      dns = [
        "46.227.67.134"
        "192.165.9.158"
+        # "2a07:a880:4601:10f0:cd45::1"
+        # "2001:67c:750:1:cafe:cd45::1"
      ];
    };

-    sops.secrets."wg/ovpnd_${name}_privkey" = {
+    sops.secrets."ovpn_privkey" = lib.mkIf (addrV4 != null) {
      # needs to be readable by systemd-network or else it says "Ignoring network device" and doesn't expose it to networkctl.
      owner = "systemd-network";
    };
  };
-in lib.mkMerge [
-  (def-ovpn "us" {
-    endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
-    publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
-    id = 1;
-    addrV4 = "172.27.237.218";
-    # addrV6 = "fd00:0000:1337:cafe:1111:1111:ab00:4c8f";
-  })
-  # TODO: us-atl disabled until i can give it a different link-local address and wireguard key than us-mi
-  # (def-ovpn "us-atl" {
-  #   endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
-  #   publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
-  #   address = [
-  #     "172.21.182.178/32"
-  #     "fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
-  #   ];
-  # })
-  (def-ovpn "us-mi" {
-    endpoint = "vpn34.prd.miami.ovpn.com:9929";
-    publicKey = "VtJz2irbu8mdkIQvzlsYhU+k9d55or9mx4A2a14t0V0=";
-    id = 2;
-    addrV4 = "172.21.182.178";
-    # addrV6 = "fd00:0000:1337:cafe:1111:1111:cfcb:27e3";
-  })
-  (def-ovpn "ukr" {
-    endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
-    publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
-    id = 3;
-    addrV4 = "172.18.180.159";
-    # addrV6 = "fd00:0000:1337:cafe:1111:1111:ec5c:add3";
-  })
-]
+in {
+  options = with lib; {
+    sane.ovpn.addrV4 = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        ovpn issues one IP address per device.
+        set `null` to disable OVPN for this host.
+      '';
+    };
+  };
+
+  config = lib.mkMerge [
+    (def-ovpn "us" {
+      endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
+      publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
+      id = 1;
+    })
+    (def-ovpn "us-mi" {
+      endpoint = "vpn34.prd.miami.ovpn.com:9929";
+      publicKey = "VtJz2irbu8mdkIQvzlsYhU+k9d55or9mx4A2a14t0V0=";
+      id = 2;
+    })
+    (def-ovpn "ukr" {
+      endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
+      publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
+      id = 3;
+    })
+    # TODO: us-atl disabled until i need it again, i guess.
+    # (def-ovpn "us-atl" {
+    #   endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
+    #   publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
+    #   id = 4;
+    # })
+  ];
+}
--- a/hosts/common/nix/default.nix
+++ b/hosts/common/nix/default.nix
@ -59,16 +59,20 @@
    # note the import starts at repo root: this allows `./overlay/default.nix` to access the stuff at the root
    # "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
    # as long as my system itself doesn't rely on NIXPKGS at runtime, we can point the overlays to git
-    # to avoid switching so much during development
-    "nixpkgs-overlays=/home/colin/dev/nixos/hosts/common/nix/overlay"
+    # to avoid `switch`ing so much during development.
+    # TODO: it would be nice to remove this someday!
+    # it's an impurity that touches way more than i need and tends to cause hard-to-debug eval issues
+    # when it goes wrong. should i port my `nix-shell` scripts to something more tailored to my uses
+    # and then delete `nixpkgs-overlays`?
+    "nixpkgs-overlays=/home/colin/dev/nixos/integrations/nixpkgs/nixpkgs-overlays.nix"
  ];

  # ensure new deployments have a source of this repo with which they can bootstrap.
  # this however changes on every commit and can be slow to copy for e.g. `moby`.
-  environment.etc."nixos" = lib.mkIf (config.sane.maxBuildCost >= 2) {
-    source = ../../..;
+  environment.etc."nixos" = lib.mkIf (config.sane.maxBuildCost >= 3) {
+    source = pkgs.sane-nix-files;
  };
-  environment.etc."nix/registry.json" = lib.mkIf (config.sane.maxBuildCost < 2) {
+  environment.etc."nix/registry.json" = lib.mkIf (config.sane.maxBuildCost < 3) {
    enable = false;
  };

--- a/hosts/common/nix/overlay/default.nix
+++ b/hosts/common/nix/overlay/default.nix
@ -1,4 +0,0 @@
-# XXX: NIX_PATH=...:nixpkgs-overlays=... will import every overlay in the directory
-# so we prefer to give it a directory with just this *one* overlay, otherwise it imports conflicting overlays
-# and gets stuck in a loop until it OOMs
-import ../../../../overlays/all.nix
--- a/hosts/common/polyunfill.nix
+++ b/hosts/common/polyunfill.nix
@ -1,72 +1,216 @@
 # strictly *decrease* the scope of the default nixos installation/config

-{ lib, ... }:
+{ lib, pkgs, ... }:
+let
+  suidlessPam = pkgs.pam.overrideAttrs (upstream: {
+    # nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
+    # but i don't want the wrapper, so undo that.
+    # ideally i would patch this via an overlay, but pam is in the bootstrap so that forces a full rebuild.
+    # TODO: add a `package` option to the nixos' pam module and substitute it that way.
+    postPatch = (if upstream.postPatch != null then upstream.postPatch else "") + ''
+      substituteInPlace modules/pam_unix/Makefile.am --replace-fail \
+        "/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"
+    '';
+  });
+in
 {
-  # disable non-required packages like nano, perl, rsync, strace
-  environment.defaultPackages = [];
+  # remove a few items from /run/wrappers we don't need.
+  options.security.wrappers = lib.mkOption {
+    apply = lib.filterAttrs (name: _: !(builtins.elem name [
+      # from <repo:nixos/nixpkgs:nixos/modules/security/polkit.nix>
+      "pkexec"
+      "polkit-agent-helper-1"  #< used by systemd; without this you'll have to `sudo systemctl daemon-reload` instead of unauth'd `systemctl daemon-reload`
+      # from <repo:nixos/nixpkgs:nixos/modules/services/system/dbus.nix>
+      "dbus-daemon-launch-helper"
+      # from <repo:nixos/nixpkgs:nixos/modules/security/wrappers/default.nix>
+      "fusermount"  #< only needed if you want to mount entries declared in /etc/fstab or mtab as unprivileged user
+      "fusermount3"
+      "mount"  #< only needed if you want to mount entries declared in /etc/fstab or mtab as unprivileged user
+      "umount"
+      # from <repo:nixos/nixpkgs:nixos/modules/programs/shadow.nix>
+      "newgidmap"
+      "newgrp"
+      "newuidmap"
+      "sg"
+      "su"
+      # from: <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
+      # requires associated `pam` patch to not hardcode unix_chkpwd path
+      "unix_chkpwd"
+    ]));
+  };
+  options.security.pam.services = lib.mkOption {
+    apply = services: let
+      filtered = lib.filterAttrs (name: _: !(builtins.elem name [
+        # from <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
+        "i3lock"
+        "i3lock-color"
+        "vlock"
+        "xlock"
+        "xscreensaver"
+        "runuser"
+        "runuser-l"
+        # from ??
+        "chfn"
+        "chpasswd"
+        "chsh"
+        "groupadd"
+        "groupdel"
+        "groupmems"
+        "groupmod"
+        "useradd"
+        "userdel"
+        "usermod"
+        # from <repo:nixos/nixpkgs:nixos/modules/system/boot/systemd/user.nix>
+        "systemd-user"  #< N.B.: this causes the `systemd --user` service manager to not be started!
+      ])) services;
+    in lib.mapAttrs (_serviceName: service: service // {
+      # replace references with the old pam_unix, which calls into /run/wrappers/bin/unix_chkpwd,
+      # with a pam_unix that calls into unix_chkpwd via the nix store.
+      # TODO: use `security.pam.package` instead once <https://github.com/NixOS/nixpkgs/pull/314791> lands.
+      text = lib.replaceStrings [" pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" ] service.text;
+    }) filtered;
+  };

-  # remove all the non-existent default directories from XDG_DATA_DIRS, XDG_CONFIG_DIRS to simplify debugging.
-  # this is defaulted in <repo:nixos/nixpkgs:nixos/modules/programs/environment.nix>,
-  # without being gated by any higher config.
-  environment.profiles = lib.mkForce [
-    "/etc/profiles/per-user/$USER"
-    "/run/current-system/sw"
-  ];
+  options.environment.systemPackages = lib.mkOption {
+    # see: <repo:nixos/nixpkgs:nixos/modules/config/system-path.nix>
+    # it's 31 "requiredPackages", with no explanation of why they're "required"...
+    # most of these can be safely removed without breaking the *boot*,
+    # but some core system services DO implicitly depend on them.
+    # TODO: see which more of these i can remove (or shadow/sandbox)
+    apply = let
+      requiredPackages = builtins.map (pkg: lib.setPrio ((pkg.meta.priority or 5) + 3) pkg) [
+        # pkgs.acl
+        # pkgs.attr
+        # pkgs.bashInteractive
+        # pkgs.bzip2
+        # pkgs.coreutils-full
+        # pkgs.cpio
+        # pkgs.curl
+        # pkgs.diffutils
+        # pkgs.findutils
+        # pkgs.gawk
+        # pkgs.stdenv.cc.libc
+        # pkgs.getent
+        # pkgs.getconf
+        # pkgs.gnugrep
+        # pkgs.gnupatch
+        # pkgs.gnused
+        # pkgs.gnutar
+        # pkgs.gzip
+        # pkgs.xz
+        pkgs.less
+        # pkgs.libcap  #< implicitly required by NetworkManager/wpa_supplicant!
+        # pkgs.ncurses
+        pkgs.netcat
+        # config.programs.ssh.package
+        # pkgs.mkpasswd
+        pkgs.procps
+        # pkgs.su
+        # pkgs.time
+        # pkgs.util-linux
+        # pkgs.which
+        # pkgs.zstd
+      ];
+    in lib.filter (p: ! builtins.elem p requiredPackages);
+  };

-  # NIXPKGS_CONFIG defaults to "/etc/nix/nixpkgs-config.nix" in <nixos/modules/programs/environment.nix>.
-  # that's never existed on my system and everything does fine without it set empty (no nixpkgs API to forcibly *unset* it).
-  environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
-  # XDG_CONFIG_DIRS defaults to "/etc/xdg", which doesn't exist.
-  # in practice, pam appends the values i want to XDG_CONFIG_DIRS, though this approach causes an extra leading `:`
-  environment.sessionVariables.XDG_CONFIG_DIRS = lib.mkForce [];
-  # XCURSOR_PATH: defaults to `[ "$HOME/.icons" "$HOME/.local/share/icons" ]`, neither of which i use, just adding noise.
-  # see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/icons.nix>
-  environment.sessionVariables.XCURSOR_PATH = lib.mkForce [];
+  options.system.fsPackages = lib.mkOption {
+    # <repo:nixos/nixpkgs:nixos/modules/tasks/filesystems/vfat.nix>  adds `mtools` and `dosfstools`
+    # dosfstools actually makes its way into the initrd (`fsck.vfat`).
+    # mtools is like "MS-DOS for Linux", ancient functionality i'll never use.
+    apply = lib.filter (p: p != pkgs.mtools);
+  };

-  # disable nixos' portal module, otherwise /share/applications gets linked into the system and complicates things (sandboxing).
-  # instead, i manage portals myself via the sane.programs API (e.g. sane.programs.xdg-desktop-portal).
-  xdg.portal.enable = false;
-  xdg.menus.enable = false;  #< links /share/applications, and a bunch of other empty (i.e. unused) dirs
+  config = {
+    # disable non-required packages like nano, perl, rsync, strace
+    environment.defaultPackages = [];

-  # xdg.autostart.enable defaults to true, and links /etc/xdg/autostart into the environment, populated with .desktop files.
-  # see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/autostart.nix>
-  # .desktop files are a questionable way to autostart things: i generally prefer a service manager for that.
-  xdg.autostart.enable = false;
+    # remove all the non-existent default directories from XDG_DATA_DIRS, XDG_CONFIG_DIRS to simplify debugging.
+    # this is defaulted in <repo:nixos/nixpkgs:nixos/modules/programs/environment.nix>,
+    # without being gated by any higher config.
+    environment.profiles = lib.mkForce [
+      "/etc/profiles/per-user/$USER"
+      "/run/current-system/sw"
+    ];

-  # nix.channel.enable: populates `/nix/var/nix/profiles/per-user/root/channels`, `/root/.nix-channels`, `$HOME/.nix-defexpr/channels`
-  #   <repo:nixos/nixpkgs:nixos/modules/config/nix-channel.nix>
-  # TODO: may want to recreate NIX_PATH, nix.settings.nix-path
-  nix.channel.enable = false;
+    # NIXPKGS_CONFIG defaults to "/etc/nix/nixpkgs-config.nix" in <nixos/modules/programs/environment.nix>.
+    # that's never existed on my system and everything does fine without it set empty (no nixpkgs API to forcibly *unset* it).
+    environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
+    # XDG_CONFIG_DIRS defaults to "/etc/xdg", which doesn't exist.
+    # in practice, pam appends the values i want to XDG_CONFIG_DIRS, though this approach causes an extra leading `:`
+    environment.sessionVariables.XDG_CONFIG_DIRS = lib.mkForce [];
+    # XCURSOR_PATH: defaults to `[ "$HOME/.icons" "$HOME/.local/share/icons" ]`, neither of which i use, just adding noise.
+    # see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/icons.nix>
+    environment.sessionVariables.XCURSOR_PATH = lib.mkForce [];

-  # environment.stub-ld: populate /lib/ld-linux.so with an object that unconditionally errors on launch,
-  # so as to inform when trying to run a non-nixos binary?
-  # IMO that's confusing: i thought /lib/ld-linux.so was some file actually required by nix.
-  environment.stub-ld.enable = false;
+    # disable nixos' portal module, otherwise /share/applications gets linked into the system and complicates things (sandboxing).
+    # instead, i manage portals myself via the sane.programs API (e.g. sane.programs.xdg-desktop-portal).
+    xdg.portal.enable = false;
+    xdg.menus.enable = false;  #< links /share/applications, and a bunch of other empty (i.e. unused) dirs

-  # `less.enable` sets LESSKEYIN_SYSTEM, LESSOPEN, LESSCLOSE env vars, which does confusing "lesspipe" things, so disable that.
-  # it's enabled by default from `<nixos/modules/programs/environment.nix>`, who also sets `PAGER="less"` and `EDITOR="nano"` (keep).
-  programs.less.enable = lib.mkForce false;
-  environment.variables.PAGER = lib.mkOverride 900 "";  # mkDefault sets 1000. non-override is 100. 900 will beat the nixpkgs `mkDefault` but not anyone else.
-  environment.variables.EDITOR = lib.mkOverride 900 "";
+    # xdg.autostart.enable defaults to true, and links /etc/xdg/autostart into the environment, populated with .desktop files.
+    # see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/autostart.nix>
+    # .desktop files are a questionable way to autostart things: i generally prefer a service manager for that.
+    xdg.autostart.enable = false;

-  # several packages (dconf, modemmanager, networkmanager, gvfs, polkit, udisks, bluez/blueman, feedbackd, etc)
-  # will add themselves to the dbus search path.
-  # i prefer dbus to only search XDG paths (/share/dbus-1) for service files, as that's more introspectable.
-  # see: <repo:nixos/nixpkgs:nixos/modules/services/system/dbus.nix>
-  # TODO: sandbox dbus? i pretty explicitly don't want to use it as a launcher.
-  services.dbus.packages = lib.mkForce [
-    "/run/current-system/sw"
-    # config.system.path
-    # pkgs.dbus
-    # pkgs.polkit.out
-    # pkgs.modemmanager
-    # pkgs.networkmanager
-    # pkgs.udisks
-    # pkgs.wpa_supplicant
-  ];
+    # nix.channel.enable: populates `/nix/var/nix/profiles/per-user/root/channels`, `/root/.nix-channels`, `$HOME/.nix-defexpr/channels`
+    #   <repo:nixos/nixpkgs:nixos/modules/config/nix-channel.nix>
+    # TODO: may want to recreate NIX_PATH, nix.settings.nix-path
+    nix.channel.enable = false;

-  # systemd by default forces shitty defaults for e.g. /tmp/.X11-unix.
-  # nixos propagates those in: <nixos/modules/system/boot/systemd/tmpfiles.nix>
-  # by overwriting this with an empty file, we can effectively remove it.
-  environment.etc."tmpfiles.d/x11.conf".text = "# (removed by Colin)";
+    # environment.stub-ld: populate /lib/ld-linux.so with an object that unconditionally errors on launch,
+    # so as to inform when trying to run a non-nixos binary?
+    # IMO that's confusing: i thought /lib/ld-linux.so was some file actually required by nix.
+    environment.stub-ld.enable = false;
+
+    # `less.enable` sets LESSKEYIN_SYSTEM, LESSOPEN, LESSCLOSE env vars, which does confusing "lesspipe" things, so disable that.
+    # it's enabled by default from `<nixos/modules/programs/environment.nix>`, who also sets `PAGER="less"` and `EDITOR="nano"` (keep).
+    programs.less.enable = lib.mkForce false;
+    environment.variables.PAGER = lib.mkOverride 900 "";  # mkDefault sets 1000. non-override is 100. 900 will beat the nixpkgs `mkDefault` but not anyone else.
+    environment.variables.EDITOR = lib.mkOverride 900 "";
+
+    # several packages (dconf, modemmanager, networkmanager, gvfs, polkit, udisks, bluez/blueman, feedbackd, etc)
+    # will add themselves to the dbus search path.
+    # i prefer dbus to only search XDG paths (/share/dbus-1) for service files, as that's more introspectable.
+    # see: <repo:nixos/nixpkgs:nixos/modules/services/system/dbus.nix>
+    # TODO: sandbox dbus? i pretty explicitly don't want to use it as a launcher.
+    services.dbus.packages = lib.mkForce [
+      "/run/current-system/sw"
+      # config.system.path
+      # pkgs.dbus
+      # pkgs.polkit.out
+      # pkgs.modemmanager
+      # pkgs.networkmanager
+      # pkgs.udisks
+      # pkgs.wpa_supplicant
+    ];
+
+    # systemd by default forces shitty defaults for e.g. /tmp/.X11-unix.
+    # nixos propagates those in: <nixos/modules/system/boot/systemd/tmpfiles.nix>
+    # by overwriting this with an empty file, we can effectively remove it.
+    environment.etc."tmpfiles.d/x11.conf".text = "# (removed by Colin)";
+
+    # see: <nixos/modules/tasks/swraid.nix>
+    # it was enabled by default before 23.11
+    boot.swraid.enable = lib.mkDefault false;
+
+    # see: <nixos/modules/tasks/bcache.nix>
+    # these allow you to use the Linux block cache (cool! doesn't need to be a default though)
+    boot.bcache.enable = lib.mkDefault false;
+
+    # see: <nixos/modules/system/boot/kernel.nix>
+    # by default, it adds to boot.initrd.availableKernelModules:
+    # - SATA: "ahci" "sata_nv" "sata_via" "sata_sis" "sata_uli" "ata_piix" "pata_marvell"
+    # - "nvme"
+    # - scsi: "sd_mod" "sr_mod"
+    # - SD/eMMC: "mmc_block"
+    # - USB keyboards: "uhci_hcd" "ehci_hcd" "ehci_pci" "ohci_hcd" "ohci_pci" "xhci_hcd" "xhci_pci" "usbhid" "hid_generic" "hid_lenovo" "hid_apple" "hid_roccat" "hid_logitech_hidpp" "hid_logitech_dj" "hid_microsoft" "hid_cherry" "hid_corsair"
+    # - LVM: "dm_mod"
+    # - on x86 only: more keyboard stuff: "pcips2" "atkbd" "i8042"
+
+    boot.initrd.includeDefaultModules = lib.mkDefault false;
+
+    # see: <repo:nixos/nixpkgs:nixos/modules/virtualisation/nixos-containers.nix>
+    boot.enableContainers = lib.mkDefault false;
+  };
 }
--- a/hosts/common/programs/alsa-ucm-conf/default.nix
+++ b/hosts/common/programs/alsa-ucm-conf/default.nix
@ -15,39 +15,33 @@ in
    };

    # upstream alsa ships with PinePhone audio configs, but they don't actually produce sound.
-    # see: <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
-    # these audio files come from some revision of:
-    # - <https://gitlab.manjaro.org/manjaro-arm/packages/community/phosh/alsa-ucm-pinephone>
+    # - still true as of 2024-05-26
+    # - see: <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
    #
-    # alternative to patching is to plumb `ALSA_CONFIG_UCM2 = "${./ucm2}"` environment variable into the relevant places
-    # e.g. `systemd.services.pulseaudio.environment`.
-    # that leaves more opportunity for gaps (i.e. missing a service),
-    # on the other hand this method causes about 500 packages to be rebuilt (including qt5 and webkitgtk).
+    # we can substitute working UCM conf in two ways:
+    # 1. nixpkgs' override for the `alsa-ucm-conf` package
+    #   - that forces a rebuild of ~500 packages (including webkitgtk).
+    # 2. set ALSA_CONFIG_UCM2 = /path/to/ucm2 in the relevant places
+    #   - e.g. pulsewire service.
+    #   - easy to miss places, though.
    #
-    # note that with these files, the following audio device support:
-    # - headphones work.
-    # - "internal earpiece" works.
-    # - "internal speaker" doesn't work (but that's probably because i broke the ribbon cable)
-    # - "analog output" doesn't work.
-    packageUnwrapped = pkgs.alsa-ucm-conf.overrideAttrs (upstream: {
-      postPatch = (upstream.postPatch or "") + ''
-        cp ${./ucm2/PinePhone}/* ucm2/Allwinner/A64/PinePhone/
+    # alsa-ucm-pinephone-manjaro (2024-05-26):
+    # - headphones work
+    # - "internal earpiece" works
+    # - "internal speaker" is silent (maybe hardware issue)
+    # - 3.5mm connection is flapping when playing to my car, which eventually breaks audio and requires restarting wireplumber
+    # packageUnwrapped = pkgs.alsa-ucm-pinephone-manjaro.override {
+    #   inherit (cfg.config) preferEarpiece;
+    # };
+    # alsa-ucm-pinephone-pmos (2024-05-26):
+    # - headphones work
+    # - "internal earpiece" works
+    # - "internal speaker" is silent (maybe hardware issue)
+    packageUnwrapped = pkgs.alsa-ucm-pinephone-pmos.override {
+      inherit (cfg.config) preferEarpiece;
+    };

-        # fix the self-contained ucm files i source from to have correct path within the alsa-ucm-conf source tree
-        substituteInPlace ucm2/Allwinner/A64/PinePhone/PinePhone.conf \
-          --replace-fail 'HiFi.conf' '/Allwinner/A64/PinePhone/HiFi.conf'
-        substituteInPlace ucm2/Allwinner/A64/PinePhone/PinePhone.conf \
-          --replace-fail 'VoiceCall.conf' '/Allwinner/A64/PinePhone/VoiceCall.conf'
-      '' + lib.optionalString cfg.config.preferEarpiece ''
-        # decrease the priority of the internal speaker so that sounds are routed
-        # to the earpiece by default.
-        # this is just personal preference.
-        substituteInPlace ucm2/Allwinner/A64/PinePhone/{HiFi.conf,VoiceCall.conf} \
-          --replace-fail 'PlaybackPriority 300' 'PlaybackPriority 100'
-      '';
-    });
-
-    sandbox.enable = false;  #< only provides #out/share/alsa
+    sandbox.enable = false;  #< only provides $out/share/alsa

    # alsa-lib package only looks in its $out/share/alsa to find runtime config data, by default.
    # but ALSA_CONFIG_UCM2 is an env var that can override that.
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -34,6 +34,7 @@ in
    ];

    sysadminUtils = declPackageSet [
+      "ausyscall"
      "bridge-utils"  # for brctl; debug linux "bridge" inet devices
      "btrfs-progs"
      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
@ -43,11 +44,13 @@ in
      "dtc"  # device tree [de]compiler
      "e2fsprogs"  # resize2fs
      "efibootmgr"
+      "errno"
      "ethtool"
      "fatresize"
      "fd"
      "file"
      "forkstat"  # monitor every spawned/forked process
+      "free"
      # "fwupd"
      "gawk"
      "gdb"  # to debug segfaults
@ -66,18 +69,23 @@ in
      "lftp"
      # "libcap_ng"  # for `netcap`
      "lsof"
+      "man-pages"
+      "man-pages-posix"
      # "miniupnpc"
+      "mmcli"
      "nano"
      #  "ncdu"  # ncurses disk usage. doesn't cross compile (zig)
      "neovim"
      "netcat"
      "nethogs"
      "nmap"
+      "nmcli"
      "nvme-cli"  # nvme
      # "openssl"
      "parted"
      "pciutils"
      "powertop"
+      "ps"
      "pstree"
      "ripgrep"
      "s6-rc"  # service manager
@ -91,6 +99,7 @@ in
      "usbutils"  # lsusb
      "util-linux"  # lsblk, lscpu, etc
      "valgrind"
+      "watch"
      "wget"
      "wirelesstools"  # iwlist
      # "xq"  # jq for XML
@ -207,6 +216,176 @@ in
      # "tree-sitter"
    ];

+    gameApps = declPackageSet [
+      "animatch"
+      "gnome-2048"
+      "gnome.hitori"  # like sudoku
+    ];
+
+    pcGameApps = declPackageSet [
+      # "andyetitmoves" # TODO: fix build!
+      # "armagetronad"  # tron/lightcycles; WAN and LAN multiplayer
+      "celeste64"
+      # "cutemaze"      # meh: trivial maze game; qt6 and keyboard-only
+      # "cuyo"          # trivial puyo-puyo clone
+      "endless-sky"     # space merchantilism/exploration
+      # "factorio"
+      "frozen-bubble"   # WAN + LAN + 1P/2P bubble bobble
+      "hase"            # WAN worms game
+      # "hedgewars"     # WAN + LAN worms game (5~10 people online at any moment; <https://hedgewars.org>)
+      # "libremines"    # meh: trivial minesweeper; qt6
+      # "mario0"        # SMB + portal
+      # "mindustry"
+      # "minesweep-rs"  # CLI minesweeper
+      # "nethack"
+      # "osu-lazer"
+      # "pinball"       # 3d pinball; kb/mouse. old sourceforge project
+      # "powermanga"    # STYLISH space invaders derivative (keyboard-only)
+      "shattered-pixel-dungeon"  # doesn't cross compile
+      "space-cadet-pinball"  # LMB/RMB controls (bindable though. volume buttons?)
+      "steam"
+      "superTux"  # keyboard-only controls
+      "superTuxKart"  # poor FPS on pinephone
+      "tumiki-fighters" # keyboard-only
+      "vvvvvv"  # keyboard-only controls
+      # "wine"
+    ];
+
+    guiApps = declPackageSet [
+      # package sets
+      "gameApps"
+      "guiBaseApps"
+    ];
+
+    guiBaseApps = declPackageSet [
+      # "abaddon"  # discord client
+      "alacritty"  # terminal emulator
+      "calls"  # gnome calls (dialer/handler)
+      "dbus"
+      "dconf"  # required by many packages, but not well-documented :(
+      # "delfin"  # Jellyfin client
+      "dialect"  # language translation
+      "dino"  # XMPP client
+      "dissent"  # Discord client (formerly known as: gtkcord4)
+      # "emote"
+      # "evince"  # PDF viewer
+      # "flare-signal"  # gtk4 signal client
+      # "foliate"  # e-book reader
+      "fractal"  # matrix client
+      "g4music"  # local music player
+      # "gnome.cheese"
+      # "gnome-feeds"  # RSS reader (with claimed mobile support)
+      # "gnome.file-roller"
+      "gnome.geary"  # adaptive e-mail client; uses webkitgtk 4.1
+      "gnome.gnome-calculator"
+      "gnome.gnome-calendar"
+      "gnome.gnome-clocks"
+      "gnome.gnome-maps"
+      # "gnome-podcasts"
+      # "gnome.gnome-system-monitor"
+      # "gnome.gnome-terminal"  # works on phosh
+      "gnome.gnome-weather"
+      # "gnome.seahorse"  # keyring/secret manager
+      "gnome-frog"  # OCR/QR decoder
+      "gpodder"
+      "gst-device-monitor"  # for debugging audio/video
+      # "gthumb"
+      # "lemoa"  # lemmy app
+      "libcamera"  # for `cam` binary (useful for debugging cameras)
+      "libnotify"  # for notify-send; debugging
+      # "lollypop"
+      "loupe"  # image viewer
+      "mate.engrampa"  # archive manager
+      "mepo"  # maps viewer
+      "mesa-demos"  # for eglinfo, glxinfo & other testing tools
+      "mpv"
+      "networkmanagerapplet"  # for nm-connection-editor: it's better than not having any gui!
+      "ntfy-sh"  # notification service
+      # "newsflash"  # RSS viewer
+      "pavucontrol"
+      "pwvucontrol"  # pipewire version of pavu
+      # "picard"  # music tagging
+      # "libsForQt5.plasmatube"  # Youtube player
+      "signal-desktop"
+      "snapshot"  # camera app
+      "spot"  # Gnome Spotify client
+      # "sublime-music"
+      # "tdesktop"  # broken on phosh
+      # "tokodon"
+      "tuba"  # mastodon/pleroma client (stores pw in keyring)
+      "vulkan-tools"  # vulkaninfo
+      # "whalebird"  # pleroma client (Electron). input is broken on phosh.
+      "xdg-terminal-exec"
+      "zathura"  # PDF/CBZ/ePUB viewer
+    ];
+
+    handheldGuiApps = declPackageSet [
+      # "celluloid"  # mpv frontend
+      # "chatty"  # matrix/xmpp/irc client  (2023/12/29: disabled because broken cross build)
+      "cozy"  # audiobook player
+      "epiphany"  # gnome's web browser
+      # "iotas"  # note taking app
+      "komikku"
+      "koreader"
+      "megapixels"  # camera app
+      "notejot"  # note taking, e.g. shopping list
+      "planify"  # todo-tracker/planner
+      "portfolio-filemanager"
+      "tangram"  # web browser
+      "wike"  # Wikipedia Reader
+      "xarchiver"  # archiver, backup option for when engrampa UI overflows screen and is unusale (xarchiver UI fails in different ways)
+    ];
+
+    pcGuiApps = declPackageSet [
+      # package sets
+      "pcGameApps"
+      "pcTuiApps"
+      ####
+      "audacity"
+      # "blanket"  # ambient noise generator
+      "brave"  # for the integrated wallet -- as a backup
+      # "cantata"  # music player (mpd frontend)
+      # "chromium"  # chromium takes hours to build. brave is chromium-based, distributed in binary form, so prefer it.
+      # "cups"
+      "discord"  # x86-only
+      "electrum"
+      "element-desktop"
+      "firefox"
+      "font-manager"
+      # "gajim"  # XMPP client. cross build tries to import host gobject-introspection types (2023/09/01)
+      "gimp"  # broken on phosh
+      # "gnome.dconf-editor"
+      # "gnome.file-roller"
+      "gnome.gnome-disk-utility"
+      "gnome.nautilus"  # file browser
+      # "gnome.totem"  # video player, supposedly supports UPnP
+      # "handbrake"  #< TODO: fix build
+      "inkscape"
+      # "jellyfin-media-player"
+      "kdenlive"
+      # "kid3"  # audio tagging
+      "krita"
+      "libreoffice"  # TODO: replace with an office suite that uses saner packaging?
+      "losslesscut-bin"  # x86-only
+      # "makemkv"  # x86-only
+      # "monero-gui"  # x86-only
+      # "mumble"
+      # "nheko"  # Matrix chat client
+      # "nicotine-plus"  # soulseek client. before re-enabling this make sure it's properly sandboxed!
+      # "obsidian"
+      # "openscad"  # 3d modeling
+      # "rhythmbox"  # local music player
+      # "slic3r"
+      "soundconverter"
+      "spotify"  # x86-only
+      "tor-browser"  # x86-only
+      # "vlc"
+      "wireshark"  # could maybe ship the cli as sysadmin pkg
+      # "xterm"  # requires Xwayland
+      # "zecwallet-lite"  # x86-only
+      # "zulip"
+    ];
+

    # INDIVIDUAL PACKAGE DEFINITIONS

@ -234,14 +413,6 @@ in
    bridge-utils.sandbox.method = "bwrap";  #< bwrap, landlock: both work
    bridge-utils.sandbox.net = "all";

-    brightnessctl.sandbox.method = "landlock";  # also bwrap, but landlock is more responsive
-    brightnessctl.sandbox.extraPaths = [
-      "/sys/class/backlight"
-      "/sys/class/leds"
-      "/sys/devices"
-    ];
-    brightnessctl.sandbox.whitelistDbus = [ "system" ];
-
    btrfs-progs.sandbox.method = "bwrap";  #< bwrap, landlock: both work
    btrfs-progs.sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`

@ -302,7 +473,7 @@ in
    ];

    dtc.sandbox.method = "bwrap";
-    dtc.sandbox.autodetectCliPaths = true;  # TODO:sandbox: untested
+    dtc.sandbox.autodetectCliPaths = "existingFile";  # TODO:sandbox: untested

    duplicity = {};

@ -338,10 +509,9 @@ in
    ethtool.sandbox.capabilities = [ "net_admin" ];

    # eza `ls` replacement
-    # landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
    # eza.sandbox.method = "landlock";
-    eza.sandbox.method = "bwrap";
-    eza.sandbox.autodetectCliPaths = true;
+    eza.sandbox.method = "bwrap";  #< note that bwrap causes `/proc` files to be listed differently (e.g. `eza /proc/sys/net/ipv6/conf/`)
+    eza.sandbox.autodetectCliPaths = "existing";
    eza.sandbox.whitelistPwd = true;
    eza.sandbox.extraHomePaths = [
      # so that e.g. `eza -l ~` can show which symlink exist
@ -353,7 +523,7 @@ in
    fatresize.sandbox.autodetectCliPaths = "parent";  # /dev/sda1 -> needs /dev/sda

    fd.sandbox.method = "landlock";
-    fd.sandbox.autodetectCliPaths = true;
+    fd.sandbox.autodetectCliPaths = "existing";
    fd.sandbox.whitelistPwd = true;
    fd.sandbox.extraHomePaths = [
      # let it follow symlinks to non-sensitive data
@ -366,10 +536,10 @@ in
    ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent";  # it outputs uncreated files -> parent dir needs mounting

    file.sandbox.method = "bwrap";
-    file.sandbox.autodetectCliPaths = true;
+    file.sandbox.autodetectCliPaths = "existing";  #< file OR directory, yes

    findutils.sandbox.method = "bwrap";
-    findutils.sandbox.autodetectCliPaths = true;
+    findutils.sandbox.autodetectCliPaths = "existing";
    findutils.sandbox.whitelistPwd = true;
    findutils.sandbox.extraHomePaths = [
      # let it follow symlinks to non-sensitive data
@ -388,9 +558,7 @@ in
    });

    forkstat.sandbox.method = "landlock";  #< doesn't seem to support bwrap
-    forkstat.sandbox.extraConfig = [
-      "--sane-sandbox-keep-namespace" "pid"
-    ];
+    forkstat.sandbox.isolatePids = false;
    forkstat.sandbox.extraPaths = [
      "/proc"
    ];
@ -404,11 +572,7 @@ in

    gawk.sandbox.method = "bwrap";  # TODO:sandbox: untested
    gawk.sandbox.wrapperType = "inplace";  # /share/gawk libraries refer to /libexec
-    gawk.sandbox.autodetectCliPaths = true;
-
-    gdb.sandbox.enable = false;  # gdb doesn't sandbox well. i don't know how you could.
-    # gdb.sandbox.method = "landlock";  # permission denied when trying to attach, even as root
-    gdb.sandbox.autodetectCliPaths = true;
+    gawk.sandbox.autodetectCliPaths = "existingFile";

    geoclue2-with-demo-agent = {};

@ -445,11 +609,6 @@ in
    "gnome.gnome-calendar".sandbox.method = "bwrap";
    "gnome.gnome-calendar".sandbox.whitelistWayland = true;

-    "gnome.gnome-clocks".buildCost = 1;
-    "gnome.gnome-clocks".sandbox.method = "bwrap";
-    "gnome.gnome-clocks".sandbox.whitelistWayland = true;
-    "gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
-
    # gnome-disks
    "gnome.gnome-disk-utility".buildCost = 1;
    "gnome.gnome-disk-utility".sandbox.method = "bwrap";
@ -505,7 +664,7 @@ in
    "gnome.hitori".sandbox.whitelistWayland = true;

    gnugrep.sandbox.method = "bwrap";
-    gnugrep.sandbox.autodetectCliPaths = true;
+    gnugrep.sandbox.autodetectCliPaths = "existing";
    gnugrep.sandbox.whitelistPwd = true;
    gnugrep.sandbox.extraHomePaths = [
      # let it follow symlinks to non-sensitive data
@ -513,7 +672,6 @@ in
      ".persist/plaintext"
    ];

-    # sed: there is an edgecase of `--file=<foo>`, wherein `foo` won't be whitelisted.
    gnused.sandbox.method = "bwrap";
    gnused.sandbox.autodetectCliPaths = "existingFile";
    gnused.sandbox.whitelistPwd = true;  #< `-i` flag creates a temporary file in pwd (?) and then moves it.
@ -539,7 +697,7 @@ in

    # hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
    hdparm.sandbox.method = "bwrap";
-    hdparm.sandbox.autodetectCliPaths = true;
+    hdparm.sandbox.autodetectCliPaths = "existingFile";

    host.sandbox.method = "landlock";
    host.sandbox.net = "all";  #< technically, only needs to contact localhost's DNS server
@ -573,14 +731,17 @@ in
    ];
    iotop.sandbox.capabilities = [ "net_admin" ];

-    # provides `ip`, `routel`, others
-    iproute2.sandbox.method = "landlock";
-    iproute2.sandbox.net = "all";
-    iproute2.sandbox.capabilities = [ "net_admin" ];
-    iproute2.sandbox.extraPaths = [
-      "/run/netns"  # for `ip netns ...` to work
-      "/var/run/netns"
-    ];
+    # provides `ip`, `routel`, `bridge`, others.
+    # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace
+    # and that means we can't use ANY sandboxer for it.
+    iproute2.sandbox.enable = false;
+    # iproute2.sandbox.net = "all";
+    # iproute2.sandbox.capabilities = [ "net_admin" ];
+    # iproute2.sandbox.extraPaths = [
+    #   "/run/netns"  # for `ip netns ...` to work, but maybe not needed anymore?
+    #   "/sys/class/net"  # for `ip netns ...` to work
+    #   "/var/run/netns"
+    # ];

    iptables.sandbox.method = "landlock";
    iptables.sandbox.net = "all";
@ -619,6 +780,9 @@ in
      "tmp"
    ];

+    libcamera = {};
+
+    libcap.sandbox.enable = false;  #< for `capsh`, which i use as a sandboxer
    libcap_ng.sandbox.enable = false;  # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)

    libnotify.sandbox.method = "bwrap";
@ -644,10 +808,15 @@ in

    lua = {};

+    man-pages.sandbox.enable = false;
+    man-pages-posix.sandbox.enable = false;
+
    mercurial.sandbox.method = "bwrap";  # TODO:sandbox: untested
    mercurial.sandbox.net = "clearnet";
    mercurial.sandbox.whitelistPwd = true;

+    mesa-demos = {};
+
    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
    monero-gui.buildCost = 1;
    # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
@ -686,9 +855,15 @@ in
    nixpkgs-review.sandbox.wrapperType = "inplace";  #< shell completions use full paths
    nixpkgs-review.sandbox.net = "clearnet";
    nixpkgs-review.sandbox.whitelistPwd = true;
+    nixpkgs-review.sandbox.extraHomePaths = [
+      ".config/git"  #< it needs to know commiter name/email, even if not posting
+    ];
    nixpkgs-review.sandbox.extraPaths = [
      "/nix"
    ];
+    nixpkgs-review.persist.byStore.cryptClearOnBoot = [
+      ".cache/nixpkgs-review"  #< help it not exhaust / tmpfs
+    ];

    nmap.sandbox.method = "bwrap";
    nmap.sandbox.net = "all";  # clearnet and lan
@ -717,6 +892,8 @@ in
    # settings (electron app)
    obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];

+    passt.sandbox.enable = false;  #< sandbox helper (netns specifically)
+
    parted.sandbox.method = "landlock";
    parted.sandbox.extraPaths = [
      "/dev"
@ -748,9 +925,7 @@ in

    # procps: free, pgrep, pidof, pkill, ps, pwait, top, uptime, couple others
    procps.sandbox.method = "bwrap";
-    procps.sandbox.extraConfig = [
-      "--sane-sandbox-keep-namespace" "pid"
-    ];
+    procps.sandbox.isolatePids = false;

    pstree.sandbox.method = "landlock";
    pstree.sandbox.extraPaths = [
@ -788,15 +963,21 @@ in

    rustc = {};

-    sane-cast = {};  #< TODO: sandbox this the same way i sandbox go2tv
+    sane-cast.sandbox.method = "bwrap";
+    sane-cast.sandbox.net = "clearnet";
+    sane-cast.sandbox.autodetectCliPaths = "existingFile";
+    sane-cast.suggestedPrograms = [ "go2tv" ];

    sane-die-with-parent.sandbox.enable = false;  #< it's a launcher; can't sandbox

+    sane-weather.sandbox.method = "bwrap";
+    sane-weather.sandbox.net = "clearnet";
+
    screen.sandbox.enable = false;  #< tty; needs to run anything

    sequoia.sandbox.method = "bwrap";  # TODO:sandbox: untested
    sequoia.sandbox.whitelistPwd = true;
-    sequoia.sandbox.autodetectCliPaths = true;
+    sequoia.sandbox.autodetectCliPaths = "existingFileOrParent";  # supports `-o <file-to-create>`

    shattered-pixel-dungeon.buildCost = 1;
    shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
@ -818,6 +999,10 @@ in
    smartmontools.sandbox.autodetectCliPaths = "existing";
    smartmontools.sandbox.capabilities = [ "sys_rawio" ];

+    # snapshot camera, based on libcamera
+    # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
+    snapshot = {};
+
    sops.sandbox.method = "bwrap";  # TODO:sandbox: untested
    sops.sandbox.extraHomePaths = [
      ".config/sops"
@ -889,7 +1074,7 @@ in
    tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];

    tree.sandbox.method = "landlock";
-    tree.sandbox.autodetectCliPaths = true;
+    tree.sandbox.autodetectCliPaths = "existing";
    tree.sandbox.whitelistPwd = true;

    tumiki-fighters.buildCost = 1;
@ -934,6 +1119,8 @@ in
      "tmp"
    ];

+    watch.sandbox.enable = false;  #< it executes the command it's given
+
    wdisplays.sandbox.method = "bwrap";
    wdisplays.sandbox.whitelistWayland = true;

@ -956,6 +1143,8 @@ in
    wl-clipboard.sandbox.whitelistWayland = true;

    wtype = {};
+    wtype.sandbox.method = "bwrap";
+    wtype.sandbox.whitelistWayland = true;

    xwayland.sandbox.method = "bwrap";
    xwayland.sandbox.wrapperType = "inplace";  #< consumers use it as a library (e.g. wlroots)
@ -974,7 +1163,43 @@ in
    zfs = {};
  };

-  programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
+  sane.persist.sys.byStore.plaintext = lib.mkIf config.sane.programs.guiApps.enabled [
+    # "/var/lib/alsa"                # preserve output levels, default devices
+    { path = "/var/lib/systemd/backlight"; method = "bind"; }   # backlight brightness; bind because systemd T_T
+  ];
+
+  systemd.services."systemd-backlight@" = lib.mkIf config.sane.programs.guiApps.enabled {
+    after = [
+      "ensure-var-lib-systemd-backlight.service"
+    ];
+    wants = [
+      "ensure-var-lib-systemd-backlight.service"
+    ];
+  };
+
+  hardware.graphics = lib.mkIf config.sane.programs.guiApps.enabled ({
    enable = true;
+  } // (lib.optionalAttrs pkgs.stdenv.isx86_64 {
+    # for 32 bit applications
+    # upstream nixpkgs forbids setting enable32Bit unless specifically x86_64 (so aarch64 isn't allowed)
+    enable32Bit = lib.mkDefault true;
+  }));
+
+  system.activationScripts.notifyActive = lib.mkIf config.sane.programs.guiApps.enabled {
+    text = lib.concatStringsSep "\n" ([
+        ''
+          tryNotifyUser() {
+            local user="$1"
+            local new_path="$PATH:${pkgs.sudo}/bin:${pkgs.libnotify}/bin"
+            local version="$(cat $systemConfig/nixos-version)"
+            PATH="$new_path" sudo -u "$user" \
+              env PATH="$new_path" NIXOS_VERSION="$version" /bin/sh -c \
+              '. $HOME/.profile; dbus_file="$XDG_RUNTIME_DIR/bus"; if [ -z "$DBUS_SESSION_BUS_ADDRESS" ] && [ -e "$dbus_file" ]; then export DBUS_SESSION_BUS_ADDRESS="unix:path=$dbus_file"; fi ; if [ -n "$DBUS_SESSION_BUS_ADDRESS" ]; then notify-send "nixos activated" "version: $NIXOS_VERSION" ; fi'
+          }
+        ''
+      ] ++ lib.mapAttrsToList
+        (user: en: lib.optionalString en "tryNotifyUser ${user}")
+        config.sane.programs.guiApps.enableFor.user
+    );
  };
 }
--- a/hosts/common/programs/audacity.nix
+++ b/hosts/common/programs/audacity.nix
@ -19,7 +19,7 @@
    sandbox.method = "bwrap";
    sandbox.whitelistAudio = true;
    sandbox.whitelistWayland = true;
-    sandbox.autodetectCliPaths = true;
+    sandbox.autodetectCliPaths = "existingFile";
    sandbox.extraHomePaths = [
      # support media imports via file->open dir to some common media directories
      "tmp"
--- a/hosts/common/programs/ausyscall.nix
+++ b/hosts/common/programs/ausyscall.nix
@ -0,0 +1,10 @@
+# `ausyscall --dump`: lists all syscalls by number and name
+{ pkgs, ... }:
+{
+  sane.programs.ausyscall = {
+    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.audit "bin/ausyscall";
+
+    sandbox.method = "landlock";
+  };
+}
+
--- a/hosts/common/programs/bemenu.nix
+++ b/hosts/common/programs/bemenu.nix
@ -87,7 +87,7 @@ let
 in
 {
  sane.programs.bemenu = {
-    sandbox.method = "bwrap";  # landlock works, but requires *all* of /run/user/$ID to be granted.
+    sandbox.method = "bwrap";  # landlock works, but requires *all* of $XDG_RUNTIME_DIR to be granted.
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      ".cache/fontconfig"  #< else it complains, and is *way* slower
--- a/hosts/common/programs/blast-ugjka/blast-to-default
+++ b/hosts/common/programs/blast-ugjka/blast-to-default
@ -13,7 +13,7 @@ logger = logging.getLogger(__name__)
 # map from known devices -> required flags
 DEVICE_MAP = {
  "Theater TV": [],
-  "[LG] webOS TV OLED55C9PUA": [ "-usewav" ],
+  "Cuddlevision": [ "-usewav" ],
 }

 def get_ranked_ip_addrs():
--- a/hosts/common/programs/blast-ugjka/default.nix
+++ b/hosts/common/programs/blast-ugjka/default.nix
@ -39,11 +39,9 @@ in
    sandbox.method = "bwrap";
    sandbox.whitelistAudio = true;
    sandbox.net = "clearnet";
-    sandbox.extraConfig = [
-      # else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
-      # might be possible to remove this, but kinda hard to see a clean way.
-      "--sane-sandbox-keep-namespace" "pid"
-    ];
+    #v  else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
+    #v  might be possible to remove this, but kinda hard to see a clean way.
+    sandbox.isolatePids = false;
    suggestedPrograms = [ "blast-ugjka" "sane-die-with-parent" ];
  };

--- a/hosts/common/programs/bonsai.nix
+++ b/hosts/common/programs/bonsai.nix
@ -103,19 +103,37 @@ in
      };
    };

-    fs.".config/bonsai/bonsai_tree.json".symlink.text = builtins.toJSON cfg.config.transitions;
+    packageUnwrapped = pkgs.bonsai.overrideAttrs (upstream: {
+      # patch to place the socket in a subdirectory where it can be sandboxed
+      postPatch = (upstream.postPatch or "") + ''
+        substituteInPlace cmd/{bonsaictl,bonsaid}/main.ha \
+          --replace-fail 'path::set(&buf, statedir, "bonsai")' 'path::set(&buf, statedir, "bonsai/bonsai")'
+      '';
+    });
+
+    fs.".config/bonsai/bonsai_tree.json".symlink.target = pkgs.writers.writeJSON "bonsai_tree.json" cfg.config.transitions;

    sandbox.method = "bwrap";
    sandbox.extraRuntimePaths = [
-      "/"  #< just needs "bonsai", but needs to create it first...
+      "bonsai"
    ];

    services.bonsaid = {
      description = "bonsai: programmable input dispatcher";
+      dependencyOf = [ "sway" ];  # to ensure `$XDG_RUNTIME_DIR/bonsai` exists before sway binds it
      partOf = [ "graphical-session" ];
      # nice -n -11 chosen arbitrarily. i hope this will allow for faster response to inputs, but without audio underruns (pipewire is -21, dino -15-ish)
-      command = "nice -n -11 bonsaid -t $HOME/.config/bonsai/bonsai_tree.json";
-      cleanupCommand = "rm -f $XDG_RUNTIME_DIR/bonsai";
+      command = pkgs.writeShellScript "bonsai-start" ''
+        # TODO: don't create the sway directory here!
+        # i do it for now because sway and bonsai call into eachother; circular dependency:
+        # - sway -> bonsai -> sane-input-handler -> swaymsg
+        mkdir -p $XDG_RUNTIME_DIR/{bonsai,sway}
+        exec nice -n -11 bonsaid -t $HOME/.config/bonsai/bonsai_tree.json
+      '';
+      cleanupCommand = "rm -f $XDG_RUNTIME_DIR/bonsai/bonsai";
+      readiness.waitExists = [
+        "$XDG_RUNTIME_DIR/bonsai/bonsai"
+      ];
    };
  };
 }
--- a/hosts/common/programs/brave.nix
+++ b/hosts/common/programs/brave.nix
@ -1,6 +1,12 @@
-{ ... }:
+{ pkgs, ... }:
 {
  sane.programs.brave = {
+    # convert eval error to build failure
+    packageUnwrapped = if (builtins.tryEval pkgs.brave).success then
+      pkgs.brave
+    else
+      pkgs.runCommandLocal "brave-not-supported" {} "false"
+    ;
    sandbox.method = "bwrap";
    sandbox.wrapperType = "inplace";  # /opt/share/brave.com vendor-style packaging
    sandbox.net = "all";
@ -8,6 +14,9 @@
      "dev"  # for developing anything web-related
      "tmp"
    ];
+    sandbox.extraPaths = [
+      "/tmp"  # needed particularly if run from `sane-vpn do`
+    ];
    sandbox.whitelistAudio = true;
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/brightnessctl.nix
+++ b/hosts/common/programs/brightnessctl.nix
@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.brightnessctl;
+in
+{
+  sane.programs.brightnessctl = {
+    sandbox.method = "landlock";  # also bwrap, but landlock is more responsive
+    sandbox.extraPaths = [
+      "/sys/class/backlight"
+      "/sys/class/leds"
+      "/sys/devices"
+    ];
+    # sandbox.whitelistDbus = [ "system" ];  #< only necessary if not granting udev perms
+  };
+
+  services.udev.extraRules = let
+    chmod = "${pkgs.coreutils}/bin/chmod";
+    chown = "${pkgs.coreutils}/bin/chown";
+  in lib.mkIf cfg.enabled ''
+    # make backlight controllable by members of `video`
+    SUBSYSTEM=="backlight", RUN+="${chown} :video $sys$devpath/brightness", RUN+="${chmod} g+w $sys$devpath/brightness"
+  '';
+}
--- a/hosts/common/programs/callaudiod.nix
+++ b/hosts/common/programs/callaudiod.nix
@ -0,0 +1,26 @@
+# https://gitlab.com/mobian1/callaudiod
+# device support:
+# - moby:
+#   - mic muting works fine
+#   - speaker seems to have zero volume (maybe it's my alsa profiles?)
+#   - shows some failures when only the modem is online (no wifi)
+#     - gnome-calls doesn't even create an output audio stream, for example; and the other end of the call can't hear any mic.
+# - desko: unsupported. no mic muting, etc.
+#   - "Card 'alsa_card.pci-0000_0b_00.1' lacks speaker and/or earpiece port, skipping"
+#   - "callaudiod-pulse-CRITICAL **: 07:45:48.092: No suitable card found, stopping here..."
+{ pkgs, ... }:
+{
+  sane.programs.callaudiod = {
+    packageUnwrapped = pkgs.rmDbusServices pkgs.callaudiod;
+
+    # probably more needed once i enable proper sandboxing, but for now this ensures the service isn't started too early!
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];
+
+    services.callaudiod = {
+      description = "callaudiod: dbus service to switch audio profiles and mute microphone";
+      partOf = [ "default" ];
+      command = "callaudiod";
+    };
+  };
+}
--- a/hosts/common/programs/calls.nix
+++ b/hosts/common/programs/calls.nix
@ -1,20 +1,14 @@
 # GNOME calls
 # - <https://gitlab.gnome.org/GNOME/calls>
 # - both a dialer and a call handler.
-# - uses callaudiod dbus package.
+# - uses callaudiod dbus service.
 #
 # initial JMP.chat configuration:
 # - message @cheogram.com "reset sip account"  (this is not destructive, despite the name)
 # - the bot will reply with auto-generated username/password plus a SIP server endpoint.
 #   just copy those into gnome-calls' GUI configurator
-# - now gnome-calls can do outbound calls. inbound calls requires more chatting with the help bot
-#
-# my setup here is still very WIP.
-# open questions:
-# - can i receive calls even with GUI closed?
-#   - e.g. activated by callaudiod?
-#   - looks like `gnome-calls --daemon` does that?
-{ config, lib, ... }:
+# - now gnome-calls can do outbound calls. inbound calls can be routed by messaging the bot: "configure calls"
+{ config, lib, pkgs, ... }:
 let
  cfg = config.sane.programs.calls;
 in
@ -25,31 +19,52 @@ in
      type = types.submodule {
        options.autostart = mkOption {
          type = types.bool;
-          default = false;
+          default = true;
        };
      };
    };

+    packageUnwrapped = pkgs.calls.overrideAttrs (upstream: {
+      patches = (upstream.patches or []) ++ [
+        (pkgs.fetchpatch {
+          # usability improvement... if the UI is visible, then i can receive calls. otherwise, i can't!
+          url = "https://git.uninsane.org/colin/gnome-calls/commit/a19166d85927e59662fae189a780eed18bf876ce.patch";
+          name = "exit on close (i.e. never daemonize)";
+          hash = "sha256-NoVQV2TlkCcsBt0uwSyK82hBKySUW4pADrJVfLFvWgU=";
+        })
+      ];
+    });
+
+    sandbox.method = "bwrap";
+    sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # necessary for secrets, at the minimum
+    sandbox.whitelistWayland = true;
+
    persist.byStore.private = [
      # ".cache/folks"      # contact avatars?
      # ".config/calls"
      ".local/share/calls"  # call "records"
      # .local/share/folks  # contacts?
    ];
+    # this is only the username/endpoint: the actual password appears to be stored in gnome-keyring
    secrets.".config/calls/sip-account.cfg" = ../../../secrets/common/gnome_calls_sip-account.cfg.bin;
    suggestedPrograms = [
+      "callaudiod"  # runtime dependency (optional, but probably needed for mic muting?)
      "feedbackd"  # needs `phone-incoming-call`, in particular
+      "gnome-keyring"  # to remember the password
    ];

    services.gnome-calls = {
-      # TODO: prevent gnome-calls from daemonizing when started manually
      description = "gnome-calls daemon to monitor incoming SIP calls";
      partOf = lib.mkIf cfg.config.autostart [ "graphical-session" ];
      # add --verbose for more debugging
-      command = "env G_MESSAGES_DEBUG=all gnome-calls --daemon";
+      # add --daemon to avoid showing UI on launch.
+      #   note that no matter the flags, it returns to being a daemon whenever the UI is manually closed,
+      #   revealed when launched.
+      # default latency is 10ms, which is too low and i get underruns on moby.
+      # 50ms is copied from dino, not at all tuned.
+      command = "env G_MESSAGES_DEBUG=all PULSE_LATENCY_MSEC=50 gnome-calls";
    };
  };
-  programs.calls = lib.mkIf cfg.enabled {
-    enable = true;
-  };
 }
--- a/hosts/common/programs/conky/battery_estimate
+++ b/hosts/common/programs/conky/battery_estimate
@ -1,184 +0,0 @@
-#!/bin/sh
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash
-
-usage() {
-  echo "usage: battery_estimate [options...]"
-  echo
-  echo "pretty-prints a battery estimate (icon to indicate state, and a duration estimate)"
-  echo
-  echo "options:"
-  echo "  --debug: output additional information, to stderr"
-  echo "  --minute-suffix <string>:  use the provided string as a minutes suffix"
-  echo "  --hour-suffix <string>:  use the provided string as an hours suffix"
-  echo "  --icon-suffix <string>:  use the provided string as an icon suffix"
-  echo "  --percent-suffix <string>:  use the provided string when displaying percents"
-}
-
-# these icons come from sxmo; they only render in nerdfonts
-icon_bat_chg=("󰢟" "󱊤" "󱊥" "󰂅")
-icon_bat_dis=("󰂎" "󱊡" "󱊢" "󱊣")
-suffix_icon=" "  # thin space
-suffix_percent="%"
-# suffix_icon=" "
-
-# render time like: 2ʰ08ᵐ
-# unicode sub/super-scripts: <https://en.wikipedia.org/wiki/Unicode_subscripts_and_superscripts>
-# symbol_hr="ʰ"
-# symbol_min="ᵐ"
-
-# render time like: 2ₕ08ₘ
-# symbol_hr="ₕ"
-# symbol_min="ₘ"
-
-# render time like: 2h08m
-# symbol_hr="h"
-# symbol_min="m"
-
-# render time like: 2:08
-# symbol_hr=":"
-# symbol_min=
-
-# render time like: 2꞉08⧗
-symbol_hr="꞉"
-symbol_min="⧗"
-# variants:
-# symbol_hr=":"
-# symbol_min="⧖"
-# symbol_min="⌛"
-
-# render time like: 2'08"
-# symbol_hr="'"
-# symbol_min='"'
-
-log() {
-  if [ "$BATTERY_ESTIMATE_DEBUG" = "1" ]; then
-    printf "$@" >&2
-    echo >&2
-  fi
-}
-
-render_icon() {
-  # args:
-  # 1: "chg" or "dis"
-  # 2: current battery percentage
-  level=$(($2 / 25))
-  level=$(($level > 3 ? 3 : $level))
-  level=$(($level < 0 ? 0 : $level))
-  log "icon: %s %d" "$1" "$level"
-  if [ "$1" = "dis" ]; then
-    printf "%s" "${icon_bat_dis[$level]}"
-  elif [ "$1" = "chg" ]; then
-    printf "%s" "${icon_bat_chg[$level]}"
-  fi
-}
-
-try_path() {
-  # assigns output variables:
-  # - perc, perc_from_full  (0-100)
-  # - full, rate (pos means charging)
-  if [ -f "$1/capacity" ]; then
-    log "perc, perc_from_full from %s" "$1/capacity"
-    perc=$(cat "$1/capacity")
-    perc_from_full=$((100 - $perc))
-  fi
-
-  if [ -f "$1/charge_full_design" ] && [ -f "$1/current_now" ]; then
-    log "full, rate from %s and %s" "$1/charge_full_design" "$1/current_now"
-    # current is positive when charging
-    full=$(cat "$1/charge_full_design")
-    rate=$(cat "$1/current_now")
-  elif [ -f "$1/energy_full" ] && [ -f "$1/power_now" ]; then
-    log "full, rate from %s and %s" "$1/energy_full" "$1/power_now"
-    # power_now is positive when discharging
-    full=$(cat "$1/energy_full")
-    rate=-$(cat "$1/power_now")
-  elif [ -f "$1/energy_full" ] && [ -f "$1/energy_now" ]; then
-    log "full, rate from %s and %s" "$1/energy_full" "$1/energy_now"
-    log "  this is a compatibility path for legacy Thinkpad batteries which do not populate the 'power_now' field, and incorrectly populate 'energy_now' with power info"
-    # energy_now is positive when discharging
-    full=$(cat "$1/energy_full")
-    rate=-$(cat "$1/energy_now")
-  fi
-}
-
-try_all_paths() {
-  try_path "/sys/class/power_supply/axp20x-battery"  # Pinephone
-  try_path "/sys/class/power_supply/BAT0"  # Thinkpad
-  log "perc: %d, perc_from_full: %d" "$perc" "$perc_from_full"
-  log "full: %f, rate: %f" "$full" "$rate"
-  log "  rate > 0 means charging, else discharging"
-}
-
-fmt_minutes() {
-  # args:
-  # 1: icon to render
-  # 2: string to show if charge/discharge time is indefinite
-  # 3: minutes to stable state (i.e. to full charge or full discharge)
-  #    - we work in minutes instead of hours for precision: bash math is integer-only
-  log "charge/discharge time: %f min" "$3"
-  # args: <battery symbol> <text if ludicrous estimate> <estimated minutes to full/empty>
-  if [ -n "$3" ] && [ "$3" -lt 1440 ]; then
-    hr=$(($3 / 60))
-    hr_in_min=$(($hr * 60))
-    min=$(($3 - $hr_in_min))
-    printf "%s%s%d%s%02d%s" "$1" "$suffix_icon" "$hr" "$symbol_hr" "$min" "$symbol_min"
-  else
-    log "charge/discharge duration > 1d"
-    printf "%s%s%s" "$1" "$suffix_icon" "$2"  # more than 1d
-  fi
-}
-
-pretty_output() {
-  if [ -n "$perc" ]; then
-    duration=""
-    if [ "$rate" -gt 0 ]; then
-      log "charging"
-      icon="$(render_icon chg $perc)"
-      duration="$(($full * 60 * $perc_from_full / (100 * $rate)))"
-    else
-      log "discharging"
-      icon="$(render_icon dis $perc)"
-      if [ "$rate" -lt 0 ]; then
-        duration="$(($full * 60 * $perc / (-100 * $rate)))"
-      fi
-    fi
-    fmt_minutes "$icon" "$perc$suffix_percent" "$duration"
-  fi
-}
-
-while [ "$#" -gt 0 ]; do
-  case "$1" in
-    "--debug")
-      shift
-      BATTERY_ESTIMATE_DEBUG=1
-      ;;
-    "--icon-suffix")
-      shift
-      suffix_icon="$1"
-      shift
-      ;;
-    "--hour-suffix")
-      shift
-      symbol_hr="$1"
-      shift
-      ;;
-    "--minute-suffix")
-      shift
-      symbol_min="$1"
-      shift
-      ;;
-    "--percent-suffix")
-      shift
-      suffix_percent="$1"
-      shift
-      ;;
-    *)
-      usage
-      exit 1
-      ;;
-  esac
-done
-
-try_all_paths
-pretty_output
--- a/hosts/common/programs/conky/conky.conf
+++ b/hosts/common/programs/conky/conky.conf
@ -66,6 +66,7 @@ end
 if vars.percent ~= nil then
  bat_args = bat_args .. " --percent-suffix '" .. vars.percent .. "'"
 end
+bat_args = bat_args .. " {bat}"

 -- N.B.: `[[ <text> ]]` is Lua's multiline string literal
 conky.text = [[
@ -73,8 +74,8 @@ ${color1}${shadecolor 707070}${font sans-serif:size=50:style=Bold}${alignc}${exe
 ${color2}${shadecolor a4d7d0}${font sans-serif:size=20}${alignc}${exec date +"%a %d %b"}${font}


-${color1}${shadecolor}${font sans-serif:size=22:style=Bold}${alignc}${execp @bat@ ]] .. bat_args .. [[ }${font}
-${color1}${shadecolor}${font sans-serif:size=20:style=Bold}${alignc}${texeci 600 @weather@ }${font}
+${color1}${shadecolor}${font sans-serif:size=22:style=Bold}${alignc}${execp sane-sysload ]] .. bat_args .. [[ }${font}
+${color1}${shadecolor}${font sans-serif:size=20:style=Bold}${alignc}${texeci 600 timeout 20 sane-weather }${font}


 ${color2}${shadecolor a4d7d0}${font sans-serif:size=16}${alignc}⇅ ${downspeedf wlan0}]] .. vars.kBps .. [[${font}
--- a/hosts/common/programs/conky/default.nix
+++ b/hosts/common/programs/conky/default.nix
@ -1,29 +1,22 @@
 { pkgs, ... }:
 {
  sane.programs.conky = {
-    # TODO: non-sandboxed `conky` still ships via `sxmo-utils`, but unused
    sandbox.method = "bwrap";
    sandbox.net = "clearnet";  #< for the scripts it calls (weather)
    sandbox.extraPaths = [
      "/sys/class/power_supply"
-      "/sys/devices"  # needed by battery_estimate
+      "/sys/devices"  # needed by sane-sysload
      # "/sys/devices/cpu"
      # "/sys/devices/system"
    ];
    sandbox.whitelistWayland = true;

-    fs.".config/conky/conky.conf".symlink.target =
-      let
-        # TODO: make this just another `suggestedPrograms`!
-        battery_estimate = pkgs.static-nix-shell.mkBash {
-          pname = "battery_estimate";
-          srcRoot = ./.;
-        };
-      in pkgs.substituteAll {
-        src = ./conky.conf;
-        bat = "${battery_estimate}/bin/battery_estimate";
-        weather = "timeout 20 ${pkgs.sane-weather}/bin/sane-weather";
-      };
+    suggestedPrograms = [
+      "sane-sysload"
+      "sane-weather"
+    ];
+
+    fs.".config/conky/conky.conf".symlink.target = ./conky.conf;

    services.conky = {
      description = "conky dynamic desktop background";
--- a/hosts/common/programs/dbus.nix
+++ b/hosts/common/programs/dbus.nix
@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.dissent;
+in
+{
+  sane.programs.dbus = {
+    configOption = with lib; mkOption {
+      default = {};
+      type = types.submodule {
+        options.autostart = mkOption {
+          type = types.bool;
+          default = true;
+        };
+      };
+    };
+
+    packageUnwrapped = (pkgs.dbus.override {
+      # remove features i don't want. mostly to avoid undesired interactions, but also it reduces the closure by 55 MB :)
+      enableSystemd = false;
+      x11Support = false;
+    }).overrideAttrs (upstream: {
+      postFixup = (upstream.postFixup or "") + ''
+        # the XML docs have a URI field which points to self,
+        # and that breaks the sandbox checker
+        substituteInPlace $out/share/xml/dbus-1/catalog.xml \
+          --replace-fail "$out" "/run/current-system/sw"
+
+        # conf file points to dbus-daemon-launch-helper by absolute path,
+        # which breaks sandboxing. i don't want dbus auto-launching stuff anyway though.
+        substituteInPlace $out/share/dbus-1/system.conf \
+          --replace-fail "$out/libexec/dbus-daemon-launch-helper" "false"
+      '';
+    });
+
+    sandbox.method = "bwrap";
+    sandbox.extraRuntimePaths = [
+      "/"  #< it needs to create a file in the root. TODO: move the bus handle into a sandboxable subdirectory
+    ];
+    sandbox.isolatePids = false;   #< not actually sure *why* this is necessary, but it is
+
+    env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus";
+
+    # normally systemd would create a dbus session for us, but if you configure it not to do that
+    # then we can create our own. not sure if there's a dependency ordering issue here: lots
+    # of things depend on dbus but i don't do anything special to guarantee this is initialized
+    # before them.
+    services.dbus = {
+      description = "dbus user session";
+      partOf = lib.mkIf cfg.config.autostart [ "default" ];
+      command = "dbus-daemon --session --nofork --address=$DBUS_SESSION_BUS_ADDRESS";
+      readiness.waitExists = [ "$XDG_RUNTIME_DIR/bus" ];
+    };
+  };
+}
--- a/hosts/common/programs/dconf.nix
+++ b/hosts/common/programs/dconf.nix
@ -34,7 +34,7 @@ in

    services.dconf = {
      description = "dconf configuration database/server";
-      partOf = [ "graphical-session" ];
+      partOf = [ "default" ];
      command = "${lib.getLib cfg.package}/libexec/dconf-service";
    };

--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@ -9,11 +9,14 @@
    ./animatch.nix
    ./assorted.nix
    ./audacity.nix
+    ./ausyscall.nix
    ./bemenu.nix
    ./blast-ugjka
    ./bonsai.nix
    ./brave.nix
+    ./brightnessctl.nix
    ./bubblewrap.nix
+    ./callaudiod.nix
    ./calls.nix
    ./cantata.nix
    ./catt.nix
@ -23,6 +26,7 @@
    ./cozy.nix
    ./cups.nix
    ./curlftpfs.nix
+    ./dbus.nix
    ./dconf.nix
    ./deadd-notification-center
    ./dialect.nix
@ -33,28 +37,35 @@
    ./element-desktop.nix
    ./engrampa.nix
    ./epiphany.nix
+    ./errno.nix
    ./evince.nix
    ./fcitx5.nix
    ./feedbackd.nix
    ./firefox.nix
-    ./firejail.nix
    ./flare-signal.nix
    ./fontconfig.nix
    ./fractal.nix
+    ./free.nix
    ./frozen-bubble.nix
    ./fwupd.nix
    ./g4music.nix
    ./gajim.nix
+    ./gdb.nix
    ./gdbus.nix
    ./geary.nix
+    ./geoclue-demo-agent.nix
+    ./geoclue2.nix
    ./git.nix
+    ./gnome-clocks.nix
    ./gnome-feeds.nix
    ./gnome-keyring
    ./gnome-maps.nix
    ./gnome-weather.nix
    ./go2tv.nix
    ./gpodder.nix
+    ./gpsd.nix
    ./grimshot.nix
+    ./gst-device-monitor.nix
    ./gthumb.nix
    ./gvfs.nix
    ./handbrake.nix
@ -74,27 +85,33 @@
    ./megapixels.nix
    ./mepo.nix
    ./mimeo
-    ./modemmanager.nix
+    ./mmcli.nix
    ./mopidy.nix
    ./mpv
    ./msmtp.nix
    ./nautilus.nix
    ./neovim.nix
-    ./networkmanager.nix
+    ./networkmanager_dmenu
    ./newsflash.nix
    ./nheko.nix
    ./nicotine-plus.nix
    ./nix-index.nix
+    ./nmcli.nix
    ./notejot.nix
    ./ntfy-sh.nix
+    ./nwg-panel
    ./objdump.nix
    ./obsidian.nix
    ./offlineimap.nix
+    ./ols.nix
    ./open-in-mpv.nix
+    ./pactl.nix
+    ./pidof.nix
    ./pipewire.nix
    ./planify.nix
    ./portfolio-filemanager.nix
    ./playerctl.nix
+    ./ps.nix
    ./rhythmbox.nix
    ./ripgrep.nix
    ./rofi
@ -102,11 +119,16 @@
    ./s6-rc.nix
    ./sane-input-handler
    ./sane-open.nix
-    ./sane-sandboxed.nix
    ./sane-screenshot.nix
    ./sane-scripts.nix
+    ./sane-sysload.nix
+    ./sane-theme.nix
+    ./sanebox.nix
+    ./satellite.nix
    ./schlock.nix
+    ./seatd.nix
    ./sfeed.nix
+    ./shadow.nix
    ./signal-desktop.nix
    ./splatmoji.nix
    ./spot.nix
@ -121,7 +143,8 @@
    ./swayidle.nix
    ./swaylock.nix
    ./swaynotificationcenter
-    ./sysvol.nix
+    ./switchboard.nix
+    ./syshud.nix
    ./tangram.nix
    ./tor-browser.nix
    ./tuba.nix
@ -129,11 +152,11 @@
    ./vlc.nix
    ./waybar
    ./waylock.nix
+    ./where-am-i.nix
    ./wike.nix
    ./wine.nix
    ./wireplumber.nix
    ./wireshark.nix
-    ./wpa_supplicant.nix
    ./wvkbd.nix
    ./xarchiver.nix
    ./xdg-desktop-portal.nix
--- a/hosts/common/programs/eg25-control.nix
+++ b/hosts/common/programs/eg25-control.nix
@ -4,7 +4,7 @@ let
 in
 {
  sane.programs.eg25-control = {
-    suggestedPrograms = [ "modemmanager" ];
+    suggestedPrograms = [ "mmcli" ];

    services.eg25-control-powered = {
      description = "eg25-control-powered: power to the Qualcomm eg25 modem used by PinePhone";
@ -22,6 +22,8 @@ in
      cleanupCommand = "eg25-control --disable-gps --dump-debug-info --verbose";
      depends = [ "eg25-control-powered" ];
    };
+
+    persist.byStore.plaintext = [ ".cache/eg25-control" ];  #< for cached agps data
  };

  # TODO: port to s6
@ -38,9 +40,7 @@ in
      ExecStart = "${cfg.package}/bin/eg25-control --ensure-agps-cache --verbose";
      Restart = "no";

-      User = "eg25-control";
-      WorkingDirectory = "/var/lib/eg25-control";
-      StateDirectory = "eg25-control";
+      User = "colin";
    };
    startAt = "hourly";  # this is a bit more than necessary, but idk systemd calendar syntax
    after = [ "network-online.target" "nss-lookup.target" ];
@ -48,26 +48,10 @@ in
    # wantedBy = [ "network-online.target" ]; # auto-start immediately after boot
  };

-  users = lib.mkIf cfg.enabled {
-    groups.eg25-control = {};
-    users.eg25-control = {
-      group = "eg25-control";
-      isSystemUser = true;
-      home = "/var/lib/eg25-control";
-      extraGroups = [
-        "dialout"  # required to read /dev/ttyUSB1
-        "networkmanager"  # required to authenticate with mmcli
-      ];
-    };
-  };
-  sane.persist.sys.byStore.plaintext = lib.mkIf cfg.enabled [
-    # to persist agps data, i think.
-    { user = "eg25-control"; group = "eg25-control"; path = "/var/lib/eg25-control"; }
-  ];
  services.udev.extraRules = let
    chmod = "${pkgs.coreutils}/bin/chmod";
    chown = "${pkgs.coreutils}/bin/chown";
-  in ''
+  in lib.optionalString cfg.enabled ''
    # make Modem controllable by user
    DRIVER=="modem-power", RUN+="${chmod} g+w /sys%p/powered", RUN+="${chown} :networkmanager /sys%p/powered"
  '';
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@ -9,7 +9,7 @@
  sane.programs.element-desktop = {
    packageUnwrapped = (pkgs.element-desktop.override {
      # use pre-built electron because otherwise it takes 4 hrs to build from source.
-      electron = pkgs.electron_28-bin;
+      electron = pkgs.electron-bin;
    }).overrideAttrs (upstream: {
      # fix to use wayland instead of Xwayland:
      # - replace `NIXOS_OZONE_WL` non-empty check with `WAYLAND_DISPLAY`
--- a/hosts/common/programs/errno.nix
+++ b/hosts/common/programs/errno.nix
@ -0,0 +1,21 @@
+{ pkgs, ... }:
+{
+  sane.programs.errno = {
+    # packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.moreutils "bin/errno";
+    # actually, don't build all of moreutils because not all of it builds for cross targets.
+    # some of this can be simplified after <https://github.com/NixOS/nixpkgs/pull/316446>
+    packageUnwrapped = pkgs.moreutils.overrideAttrs (base: {
+      makeFlags = (base.makeFlags or []) ++ [
+        "BINS=errno"
+        "MANS=errno.1"
+        "PERLSCRIPTS=errno"  #< Makefile errors if empty, but this works :)
+        "INSTALL_BIN=install"
+      ];
+      #v disable the perl-specific stuff
+      propagatedBuildInputs = [];
+      postInstall = "";
+    });
+
+    sandbox.method = "landlock";
+  };
+}
--- a/hosts/common/programs/evince.nix
+++ b/hosts/common/programs/evince.nix
@ -4,7 +4,7 @@
    buildCost = 1;

    sandbox.method = "bwrap";
-    sandbox.autodetectCliPaths = true;
+    sandbox.autodetectCliPaths = "existingFile";
    sandbox.whitelistWayland = true;

    mime.associations."application/pdf" = "org.gnome.Evince.desktop";
--- a/hosts/common/programs/feedbackd.nix
+++ b/hosts/common/programs/feedbackd.nix
@ -55,7 +55,7 @@ in
    # - theme-demo
    # - timeout-completed
    # - window-close
-    fs.".config/feedbackd/themes/proxied.json".symlink.text = builtins.toJSON {
+    fs.".config/feedbackd/themes/proxied.json".symlink.target = pkgs.writers.writeJSON "proxied.json" {
      name = "proxied";
      parent-theme = "default";
      profiles = [
--- a/hosts/common/programs/firefox.nix
+++ b/hosts/common/programs/firefox.nix
@ -209,7 +209,7 @@ in
        };
        i-still-dont-care-about-cookies = {
          package = pkgs.firefox-extensions.i-still-dont-care-about-cookies;
-          enable = lib.mkDefault true;
+          enable = lib.mkDefault false;  #< obsoleted by uBlock Origin annoyances/cookies lists
        };
        open-in-mpv = {
          # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
@ -226,7 +226,7 @@ in
        };
        ublacklist = {
          package = pkgs.firefox-extensions.ublacklist;
-          enable = lib.mkDefault true;
+          enable = lib.mkDefault false;
        };
        ublock-origin = {
          package = pkgs.firefox-extensions.ublock-origin;
@ -286,24 +286,35 @@ in
        # env.BROWSER = "${package}/bin/${cfg.browser.libName}";
        env.BROWSER = cfg.browser.libName;  # used by misc tools like xdg-email, as fallback

-        # uBlock filter list configuration.
-        # specifically, enable the GDPR cookie prompt blocker.
-        # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
-        # this configuration method is documented here:
-        # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
-        # the specific attribute path is found via scraping ublock code here:
-        # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
-        # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-        fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json".symlink.text = ''
-          {
-           "name": "uBlock0@raymondhill.net",
-           "description": "ignored",
-           "type": "storage",
-           "data": {
-              "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
-           }
-          }
-        '';
+        # uBlock configuration:
+        fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json".symlink.target = cfg.addons.ublock-origin.package.makeConfig {
+          # more filter lists are available here:
+          # - <https://easylist.to>
+          #   - <https://github.com/easylist/easylist.git>
+          # - <https://github.com/yokoffing/filterlists>
+          filterFiles = let
+            getUasset = n: "${pkgs.uassets}/share/filters/${n}.txt";
+          in [
+            # default ublock filters:
+            (getUasset "ublock-filters")
+            (getUasset "ublock-badware")
+            (getUasset "ublock-privacy")
+            (getUasset "ublock-quick-fixes")
+            (getUasset "ublock-unbreak")
+            (getUasset "easylist")
+            (getUasset "easyprivacy")
+            # (getUasset "urlhaus-1")  #< TODO: i think this is the same as urlhaus-filter-online
+            (getUasset "urlhaus-filter-online")
+            # (getUasset "plowe-0")   #< TODO: where does this come from?
+            # (getUasset "ublock-cookies-adguard")  #< TODO: where does this come from?
+            # filters i've added:
+            (getUasset "easylist-annoyances")  #< blocks in-page popups, "social media content" (e.g. FB like button; improves loading time)
+            (getUasset "easylist-cookies")  #< blocks GDPR cookie consent popovers (e.g. at stackoverflow.com)
+            # (getUasset "ublock-annoyances-others")
+            # (getUasset "ublock-annoyances-cookies")
+          ];
+        };
+
        # TODO: this is better suited in `extraPrefs` during `wrapFirefox` call
        fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg".symlink.text = ''
          // if we can't query the revocation status of a SSL cert because the issuer is offline,
@ -327,6 +338,8 @@ in
          defaultPref("widget.use-xdg-desktop-portal.open-uri", 1);

          defaultPref("browser.toolbars.bookmarks.visibility", "never");
+          // configure which extensions are visible by default (TODO: requires a lot of trial and error)
+          // defaultPref("browser.uiCustomization.state", ...);

          // auto-open mpv:// URIs without prompting.
          // can do this with other protocols too (e.g. matrix?). see about:config for common handlers.
@ -351,7 +364,7 @@ in

        # TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
        env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
-        # alternative to PASSWORD_STORE_DIR, but firejail doesn't handle this symlink well
+        # alternative to PASSWORD_STORE_DIR:
        # fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";

        # flush the cache to disk to avoid it taking up too much tmp.
--- a/hosts/common/programs/firejail.nix
+++ b/hosts/common/programs/firejail.nix
@ -1,8 +0,0 @@
-{ lib, config, ... }:
-{
-  sane.programs.firejail = {};
-
-  programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
-    enable = true;  #< install the suid binary
-  };
-}
--- a/hosts/common/programs/fontconfig.nix
+++ b/hosts/common/programs/fontconfig.nix
@ -16,13 +16,11 @@ let
  # - 󰍦 (message bubble)
  # - 󰏲 (phone)
  # -  (weather/sun-behind-clouds)
-  # used particularly by sxmo utilities, but also a few of my own (e.g. conky)
+  # i use these icons mostly in conky, swaync.
  #
  # nerdfonts is very heavy. each font is 20-900 MiB (2 MiB per "variation")
  # lots of redundant data inside there, but no deduplication except whatever nix or the fs does implicitly.
  wantedNerdfonts = [
-    # used explicitly by SXMO
-    # "DejaVuSansMono"  # 25 MiB
    # good terminal/coding font. grab via nerdfonts for more emoji/unicode support
    "Hack"  # 26 MiB
    "Noto"  # 861 MiB
--- a/hosts/common/programs/fractal.nix
+++ b/hosts/common/programs/fractal.nix
@ -24,8 +24,7 @@ in
 {
  sane.programs.fractal = {
    packageUnwrapped = pkgs.fractal-nixified.optimized;
-    # packageUnwrapped = pkgs.fractal-latest;
-    # packageUnwrapped = pkgs.fractal-next;
+    # packageUnwrapped = pkgs.fractal;

    sandbox.method = "bwrap";
    sandbox.net = "clearnet";
--- a/hosts/common/programs/free.nix
+++ b/hosts/common/programs/free.nix
@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  sane.programs.free = {
+    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.procps "bin/free";
+    sandbox.method = "bwrap";
+    sandbox.isolatePids = false;
+  };
+}
+
--- a/hosts/common/programs/gdb.nix
+++ b/hosts/common/programs/gdb.nix
@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sane.programs.gdb = {
+    sandbox.enable = false;  # gdb doesn't sandbox well. i don't know how you could.
+    # sandbox.method = "landlock";  # permission denied when trying to attach, even as root
+    sandbox.autodetectCliPaths = true;
+    fs.".config/gdb/gdbinit".symlink.text = ''
+      # enable commands like `py-bt`, `py-list`, etc.
+      # for usage, see: <https://wiki.python.org/moin/DebuggingWithGdb>
+      source ${pkgs.python3}/share/gdb/libpython.py
+    '';
+  };
+}
--- a/hosts/common/programs/geoclue-demo-agent.nix
+++ b/hosts/common/programs/geoclue-demo-agent.nix
@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+{
+  sane.programs.geoclue-demo-agent = {
+    packageUnwrapped = pkgs.linkFarm "geoclue-demo-agent" [{
+      # bring the demo agent into a `bin/` directory so it can be invokable via PATH
+      name = "bin/geoclue-demo-agent";
+      path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent";
+    }];
+
+    services.geoclue-agent = {
+      description = "geoclue 'demo' agent";
+      command = "geoclue-demo-agent";
+      partOf = [ "graphical-session" ];
+    };
+  };
+}
--- a/hosts/common/programs/geoclue2.nix
+++ b/hosts/common/programs/geoclue2.nix
@ -0,0 +1,52 @@
+# geoclue location services daemon.
+#
+# SUPPORT:
+# - irc: #gnome-maps on irc.gimp.org
+# - Matrix: #gnome-maps:gnome.org  (unclear if bridged to IRC)
+# - forums: <https://discourse.gnome.org/c/platform>
+# - git: <https://gitlab.freedesktop.org/geoclue/geoclue/>
+# - D-Bus API docs: <https://www.freedesktop.org/software/geoclue/docs/>
+#
+# HOW TO TEST:
+# - just invoke `where-am-i`: it should output the current latitude/longitude.
+## more manual testing:
+# - build `geoclue2-with-demo-agent`
+# - run the service: `systemctl start geoclue` or "${geoclue2-with-demo-agent}/libexec/geoclue"
+# - run "${geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/agent"
+#   - keep this running in the background
+# - run "${geoclue2-with-demo-agent}/libexec/geoclue-2.0/demos/where-am-i"
+#
+# DATA FLOW:
+# - geoclue2 does http calls into local `ols`, which either hits the local disk or queries https://wigle.net.
+# - geoclue users like gnome-maps somehow depend on an "agent",
+#   a user service which launches the geoclue system service on-demand (via dbus activation).
+#
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.geoclue2;
+in
+{
+  sane.programs.geoclue2 = {
+    # packageUnwrapped = pkgs.rmDbusServices pkgs.geoclue2;
+    # packageUnwrapped = pkgs.geoclue2.override { withDemoAgent = true; };
+    packageUnwrapped = pkgs.geoclue2-with-demo-agent;
+    suggestedPrograms = [
+      "geoclue-demo-agent"
+      "ols"  #< WiFi SSID -> lat/long lookups
+      "satellite"  #< graphical view into GPS fix data
+      "where-am-i"  #< handy debugging/testing tool
+    ];
+  };
+
+  # sane.programs.geoclue2.enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
+
+  services.geoclue2 = lib.mkIf cfg.enabled {
+    enable = true;
+    geoProviderUrl = "http://127.0.0.1:8088/v1/geolocate";  #< ols
+  };
+  systemd.user.services = lib.mkIf cfg.enabled {
+    # nixos services.geoclue2 runs the agent as a user service by default, but i don't use systemd so that doesn't work.
+    # i manage the agent myself, in sane.programs.geoclue-demo-agent.
+    geoclue-agent.enable = false;
+  };
+}
--- a/hosts/common/programs/git.nix
+++ b/hosts/common/programs/git.nix
@ -40,6 +40,7 @@ in
      alias.amend   = "commit --amend --no-edit";
      alias.br      = "branch";
      alias.co      = "checkout";
+      alias.com     = "commit";
      alias.cp      = "cherry-pick";
      alias.d       = "difftool";
      alias.dif     = "diff";  # common typo
--- a/hosts/common/programs/gnome-clocks.nix
+++ b/hosts/common/programs/gnome-clocks.nix
@ -0,0 +1,24 @@
+{ pkgs, ... }: {
+  sane.programs."gnome.gnome-clocks" = {
+    packageUnwrapped = pkgs.gnome.gnome-clocks.overrideAttrs (upstream: {
+      # TODO: upstream this
+      buildInputs = upstream.buildInputs ++ (with pkgs; [
+        # gnome-clocks needs `playbin` (gst-plugins-base) and `scaletempo` (gst-plugins-good)
+        # to play the alarm when a timer expires
+        gst_all_1.gstreamer
+        gst_all_1.gst-plugins-base
+        gst_all_1.gst-plugins-good
+      ]);
+    });
+
+    buildCost = 1;
+    sandbox.method = "bwrap";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  #< required (alongside .config/dconf) to remember timers
+    sandbox.whitelistWayland = true;
+    sandbox.extraPaths = [
+      ".config/dconf"  # required (alongside dbus) to remember timers
+    ];
+    suggestedPrograms = [ "dconf" ];
+  };
+}
--- a/hosts/common/programs/gnome-feeds.nix
+++ b/hosts/common/programs/gnome-feeds.nix
@ -1,12 +1,12 @@
 # gnome feeds RSS viewer
-{ config, lib, sane-lib, ... }:
+{ config, lib, pkgs, sane-lib, ... }:

 let
  feeds = sane-lib.feeds;
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json".symlink.text = builtins.toJSON {
+  sane.programs.gnome-feeds.fs.".config/org.gabmus.gfeeds.json".symlink.target = pkgs.writers.writeJSON "org.gabmus.gfeeds.json" {
    # feed format is a map from URL to a dict,
    #   with dict["tags"] a list of string tags.
    feeds = sane-lib.mapToAttrs (feed: {
--- a/hosts/common/programs/gnome-maps.nix
+++ b/hosts/common/programs/gnome-maps.nix
@ -1,7 +1,14 @@
+# SUPPORT:
+# - irc: #gnome-maps on irc.gimp.org
+# - Matrix: #gnome-maps:gnome.org  (unclear if bridged to IRC)
 { pkgs, ... }:
 {
  sane.programs."gnome.gnome-maps" = {
    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
+    suggestedPrograms = [
+      "geoclue2"
+    ];
+
    sandbox.method = "bwrap";
    sandbox.whitelistDri = true;  # for perf
    sandbox.whitelistDbus = [
--- a/hosts/common/programs/go2tv.nix
+++ b/hosts/common/programs/go2tv.nix
@ -50,7 +50,7 @@ in
  sane.programs.go2tv = {
    sandbox.method = "bwrap";
    sandbox.net = "clearnet";
-    sandbox.autodetectCliPaths = true;
+    sandbox.autodetectCliPaths = "existingFile";
    # for GUI invocation, allow the common media directories
    sandbox.extraHomePaths = [
      "Music"
--- a/hosts/common/programs/gpsd.nix
+++ b/hosts/common/programs/gpsd.nix
@ -0,0 +1,33 @@
+# test gpsd with `gpspipe -w -n 10 2> /dev/null | grep -m 1 TPV | jq '.lat, .lon' | tr '\n' ' '`
+# ^ should return <lat> <long>
+#
+# TODO(2024/06/19): nixpkgs' gpsd service isn't sandboxed at ALL. i should sandbox that, or remove this integration.
+#
+# pinephone GPS happens in EG25 modem
+# serial control interface to modem is /dev/ttyUSB2
+# after enabling GPS, readout is /dev/ttyUSB1
+#
+# minimal process to enable modem and GPS:
+# - `echo 1 > /sys/class/modem-power/modem-power/device/powered`
+# - `screen /dev/ttyUSB2 115200`
+#   - `AT+QGPSCFG="nmeasrc",1`
+#   - `AT+QGPS=1`
+# this process is automated by my `eg25-control` program and services (`eg25-control-powered`, `eg25-control-gps`)
+# - see the `modules/` directory further up this repository.
+#
+# now, something like `gpsd` can directly read from /dev/ttyUSB1,
+# or geoclue can query the GPS directly through modem-manager
+#
+# initial GPS fix can take 15+ minutes.
+# meanwhile, services like eg25-manager or eg25-control-freshen-agps can speed this up by uploading assisted GPS data to the modem.
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.gpsd;
+in
+{
+  sane.programs.gpsd = {};
+  services.gpsd = lib.mkIf cfg.enabled {
+    enable = true;
+    devices = [ "/dev/ttyUSB1" ];
+  };
+}
--- a/hosts/common/programs/gst-device-monitor.nix
+++ b/hosts/common/programs/gst-device-monitor.nix
@ -0,0 +1,24 @@
+# gst-device-monitor: gstreamer debugging tool.
+# - `gst-device-monitor-1.0 Audio/Sink`  #< show all audio sinks
+# - `gst-device-monitor-1.0 Audio/Source`  #< show all audio sources (microphones)
+# - `gst-device-monitor-1.0 Video/Source`  #< show all video sources (cameras)
+{ pkgs, ... }:
+{
+  sane.programs.gst-device-monitor = {
+    packageUnwrapped = (pkgs.linkIntoOwnPackage pkgs.gst_all_1.gst-plugins-base [
+      "bin/gst-device-monitor-1.0"
+      "share/man/man1/gst-device-monitor-1.0.1.gz"
+    ]).overrideAttrs (base: {
+      # XXX the binaries need `GST_PLUGIN_SYSTEM_PATH_1_0` set to function,
+      # but nixpkgs doesn't set those (TODO: upstream this!)
+      nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
+        pkgs.wrapGAppsNoGuiHook
+      ];
+      buildInputs = (base.buildInputs or []) ++ [
+        pkgs.gst_all_1.gst-plugins-base  #< required to find Audio/Sink
+        pkgs.gst_all_1.gst-plugins-good  #< required to find Audio/Source and Video/Source
+        pkgs.pipewire  #< required for Video/Source (video4linux)
+      ];
+    });
+  };
+}
--- a/hosts/common/programs/handbrake.nix
+++ b/hosts/common/programs/handbrake.nix
@ -17,7 +17,7 @@

    # disable expensive sambda dependency; i don't use it.
    packageUnwrapped = pkgs.handbrake.override {
-      ffmpeg-full = pkgs.ffmpeg-full.override {
+      ffmpeg_7-full = pkgs.ffmpeg_7-full.override {
        withSamba = false;
      };
    };
--- a/hosts/common/programs/libreoffice.nix
+++ b/hosts/common/programs/libreoffice.nix
@ -8,7 +8,7 @@
    packageUnwrapped = pkgs.libreoffice-fresh;
    sandbox.method = "bwrap";
    sandbox.whitelistWayland = true;
-    sandbox.autodetectCliPaths = true;
+    sandbox.autodetectCliPaths = "existingFile";
    sandbox.extraHomePaths = [
      # allow a spot to save files.
      # with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,
--- a/Show More
+++ b/Show More