formatting changes

enable nix's auto-optimise-store
enable i2p
2023-04-06 06:24:01 +00:00 · 2023-04-06 06:23:45 +00:00 · 2023-04-06 06:22:47 +00:00 · 2023-04-06 06:22:19 +00:00 · 2023-04-04 23:31:50 +00:00 · 2023-04-04 23:20:54 +00:00
197 changed files with 6946 additions and 4293 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "flake-utils": {
      "locked": {
-        "lastModified": 1659877975,
+        "lastModified": 1678901627,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
        "type": "github"
      },
      "original": {
@@ -15,35 +15,14 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1667907331,
        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-22.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1670131242,
+        "lastModified": 1679516998,
-        "narHash": "sha256-T/o1/3gffr010fsqgNshs1NJJjsnUYvQnUZgm6hilsY=",
+        "narHash": "sha256-w4baQlS84X8Lf0E5RN0nGkx03luDuV1X0+jWMAXm6fs=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "5ee45cc1f8e43f4af14ee17ccef9156b0db8cd77",
+        "rev": "7a6e97e3af73c4cca87e12c83abcb4913dac7dbc",
        "type": "github"
      },
      "original": {
@@ -52,46 +31,46 @@
        "type": "github"
      }
    },
    "nix-serve": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1678202930,
        "narHash": "sha256-SF82/tTnagdazlETJLzXD9kjZ6lyk38agdLbmMx1UZE=",
        "owner": "edolstra",
        "repo": "nix-serve",
        "rev": "3b6d30016d910a43e0e16f94170440a3e0b8fa8d",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "nix-serve",
        "type": "github"
      }
    },
    "nixpkgs": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-unpatched"
        ]
      },
      "locked": {
-        "lastModified": 1,
+        "lastModified": 1606086654,
-        "narHash": "sha256-5zCxdHGOS0OOP7vbgTA1iwv9GVr5JSiths7QmgUsU84=",
+        "narHash": "sha256-VFl+3eGIMqNp7cyOMJ6TjM/+UcsLKtodKoYexrlTJMI=",
-        "path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
+        "owner": "NixOS",
-        "type": "path"
+        "repo": "nixpkgs",
        "rev": "19db3e5ea2777daa874563b5986288151f502e27",
        "type": "github"
      },
      "original": {
-        "path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
+        "id": "nixpkgs",
-        "type": "path"
+        "ref": "nixos-20.09",
        "type": "indirect"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1673800717,
+        "lastModified": 1680390120,
-        "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
+        "narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
        "lastModified": 1673740915,
        "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2",
+        "rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
        "type": "github"
      },
      "original": {
@@ -103,26 +82,24 @@
    },
    "nixpkgs-unpatched": {
      "locked": {
-        "lastModified": 1673796341,
+        "lastModified": 1680415272,
-        "narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=",
+        "narHash": "sha256-S2J9n+sSeAAdXWHrz/s9pyS5fhbQilfNqYrs6RCUyN8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "6dccdc458512abce8d19f74195bb20fdb067df50",
+        "rev": "66f60deb8aa348ca81d60d0639ae420c667ff92a",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "staging-next",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "mobile-nixos": "mobile-nixos",
-        "nixpkgs": "nixpkgs",
+        "nix-serve": "nix-serve",
        "nixpkgs-stable": "nixpkgs-stable",
        "nixpkgs-unpatched": "nixpkgs-unpatched",
        "sops-nix": "sops-nix",
        "uninsane-dot-org": "uninsane-dot-org"
@@ -131,16 +108,16 @@
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unpatched"
        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1673752321,
+        "lastModified": 1680404136,
-        "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=",
+        "narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "e18eefd2b133a58309475298052c341c08470717",
+        "rev": "b93eb910f768f9788737bfed596a598557e5625d",
        "type": "github"
      },
      "original": {
@@ -153,15 +130,15 @@
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unpatched"
        ]
      },
      "locked": {
-        "lastModified": 1666870107,
+        "lastModified": 1680086409,
-        "narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
+        "narHash": "sha256-Q2QcVgKvTj/LLuZX9dP8ImySWD5sTn8DDI5+EggRn2c=",
        "ref": "refs/heads/master",
-        "rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
+        "rev": "068f176a64f0e26dc8c1f0eccf28cbd05be4909b",
-        "revCount": 164,
+        "revCount": 182,
        "type": "git",
        "url": "https://git.uninsane.org/colin/uninsane"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,11 @@
 # - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
 #   - Discussion: <https://github.com/NixOS/rfcs/pull/49>
 # - <https://serokell.io/blog/practical-nix-flakes>
 #
 #
 # COMMON OPERATIONS:
 # - update a specific flake input:
 #   - `nix flake lock --update-input nixpkgs`
 {
  # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
@@ -19,46 +24,62 @@
  # but `inputs` is required to be a strict attrset: not an expression.
  inputs = {
    # <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
-    nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
+    # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs = {
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
-      url = "./nixpatches";
+
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
+    # nixpkgs = {
-    };
+    #   url = "./nixpatches";
    #   inputs.nixpkgs.follows = "nixpkgs-unpatched";
    # };
    mobile-nixos = {
      # <https://github.com/nixos/mobile-nixos>
      url = "github:nixos/mobile-nixos";
      flake = false;
    };
    home-manager = {
      # <https://github.com/nix-community/home-manager/tree/release-22.05>
      url = "github:nix-community/home-manager?ref=release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      # <https://github.com/Mic92/sops-nix>
      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs.follows = "nixpkgs-unpatched";
    };
    uninsane-dot-org = {
      url = "git+https://git.uninsane.org/colin/uninsane";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs.follows = "nixpkgs-unpatched";
    };
    nix-serve = {
      # <https://github.com/edolstra/nix-serve>
      url = "github:edolstra/nix-serve";
    };
  };
  outputs = {
    self,
    nixpkgs,
    nixpkgs-stable,
    nixpkgs-unpatched,
    mobile-nixos,
    home-manager,
    sops-nix,
-    uninsane-dot-org
+    uninsane-dot-org,
-  }:
+    nix-serve,
    ...
  }@inputs:
    let
      inherit (builtins) attrNames elem listToAttrs map mapAttrs;
      mapAttrs' = f: set:
        listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
      # mapAttrs but without the `name` argument
      mapAttrValues = f: mapAttrs (_: f);
      # rather than apply our nixpkgs patches as a flake input, do that here instead.
      # this (temporarily?) resolves the bad UX wherein a subflake residing in the same git
      # repo as the main flake causes the main flake to have an unstable hash.
      nixpkgs = (import ./nixpatches/flake.nix).outputs {
        self = nixpkgs;
        nixpkgs = nixpkgs-unpatched;
      };
      nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
      evalHost = { name, local, target }:
@@ -71,34 +92,57 @@
          nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
        in
          (nixosSystem {
            # we use pkgs built for and *by* the target, i.e. emulation, by default.
            # cross compilation only happens on explicit access to `pkgs.cross`
            system = target;
            modules = [
              (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
              self.nixosModules.default
              self.nixosModules.passthru
              {
                nixpkgs.overlays = [
-                  self.overlays.default
+                  self.overlays.disable-flakey-tests
                  self.overlays.passthru
                  self.overlays.pins
                  self.overlays.pkgs
                  # self.overlays.optimizations
                ];
                nixpkgs.hostPlatform = target;
                # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
                # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
              }
            ];
          });
    in {
-      nixosConfigurations = {
+      nixosConfigurations =
-        servo = evalHost { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        let
-        desko = evalHost { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+          hosts = {
-        lappy = evalHost { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+            servo =  { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        moby = evalHost { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
+            desko =  { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
+            lappy =  { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        # note that these *do* produce different store paths, because the closure for the tools used to cross compile
+            moby  =  { name = "moby";  local = "x86_64-linux"; target = "aarch64-linux"; };
-        # v.s. emulate differ.
+            rescue = { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        # so deploying foo-cross and then foo incurs some rebuilding.
+          };
-        moby-cross = evalHost { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
+          # cross-compiled builds: instead of emulating the host, build using a cross-compiler.
-        rescue = evalHost { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+          # - these are faster to *build* than the emulated variants (useful when tweaking packages),
          # - but fewer of their packages can be found in upstream caches.
          cross = mapAttrValues evalHost hosts;
          emulated = mapAttrValues
            ({name, local, target}: evalHost {
              inherit name target;
              local = null;
            })
            hosts;
          prefixAttrs = prefix: attrs: mapAttrs'
            (name: value: {
              name = prefix + name;
              inherit value;
            })
            attrs;
        in
          (prefixAttrs "cross-" cross) //
          (prefixAttrs "emulated-" emulated) // {
            # prefer native builds for these machines:
            inherit (emulated) servo desko lappy rescue;
            # prefer cross-compiled builds for these machines:
            inherit (cross) moby;
          };
      # unofficial output
@@ -115,22 +159,42 @@
      #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
      #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
      #   - `nixos-rebuild --flake './#<host>' switch`
-      imgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.img) self.nixosConfigurations;
+      imgs = mapAttrValues (host: host.config.system.build.img) self.nixosConfigurations;
-      overlays = rec {
+      # unofficial output
-        default = pkgs;
+      host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
-        pkgs = import ./overlays/pkgs.nix;
+
-        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
+      overlays = {
-        passthru =
+        # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
        #   hence the weird redundancy.
        default = final: prev: self.overlays.pkgs final prev;
        disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
        pkgs = final: prev: import ./overlays/pkgs.nix final prev;
        pins = final: prev: import ./overlays/pins.nix final prev;
        optimizations = final: prev: import ./overlays/optimizations.nix final prev;
        passthru = final: prev:
          let
-            stable = next: prev: {
+            stable =
-              stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+              if inputs ? "nixpkgs-stable" then (
-            };
+                final': prev': {
                  stable = inputs.nixpkgs-stable.legacyPackages."${prev'.stdenv.hostPlatform.system}";
                }
              ) else (final': prev': {});
            mobile = (import "${mobile-nixos}/overlay/overlay.nix");
            uninsane = uninsane-dot-org.overlay;
            # nix-serve' = nix-serve.overlay;
            nix-serve' = next: prev: {
              # XXX(2023/03/02): upstream isn't compatible with modern `nix`. probably the perl bindings.
              # - we use the package built against `nixpkgs` specified in its flake rather than use its overlay,
              #   to get around this.
              inherit (nix-serve.packages."${next.system}") nix-serve;
            };
          in
-            next: prev:
+              (stable final prev)
-              (stable next prev) // (mobile next prev) // (uninsane next prev);
+              // (mobile final prev)
              // (uninsane final prev)
              // (nix-serve' final prev)
            ;
      };
      nixosModules = rec {
@@ -138,7 +202,6 @@
        sane = import ./modules;
        passthru = { ... }: {
          imports = [
            home-manager.nixosModule
            sops-nix.nixosModules.sops
          ];
        };
@@ -155,14 +218,33 @@
          aarch64-linux = allPkgsFor "aarch64-linux";
        };
-      # extract only our own packages from the full set
+      # extract only our own packages from the full set.
-      packages = builtins.mapAttrs
+      # because of `nix flake check`, we flatten the package set and only surface x86_64-linux packages.
-        (_: full: full.sane // { inherit (full) sane uninsane-dot-org; })
+      packages = mapAttrs
-        self.legacyPackages;
+        (system: allPkgs:
          allPkgs.lib.filterAttrs (name: pkg:
            # keep only packages which will pass `nix flake check`, i.e. keep only:
            # - derivations (not package sets)
            # - packages that build for the given platform
            (! elem name [ "feeds" "pythonPackagesExtensions" ])
            && (allPkgs.lib.meta.availableOn allPkgs.stdenv.hostPlatform pkg)
          )
          (allPkgs.sane // {
            inherit (allPkgs) uninsane-dot-org;
          })
        )
        # self.legacyPackages;
        { inherit (self.legacyPackages) x86_64-linux; }
      ;
      apps."x86_64-linux" =
        let
          pkgs = self.legacyPackages."x86_64-linux";
          deployScript = action: pkgs.writeShellScript "deploy-moby" ''
            nixos-rebuild --flake '.#cross-moby' build
            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
            nixos-rebuild --flake '.#cross-moby' ${action} --target-host colin@moby --use-remote-sudo
          '';
        in {
          update-feeds = {
            type = "app";
@@ -170,9 +252,21 @@
          };
          init-feed = {
            # use like `nix run '.#init-feed' uninsane.org`
            type = "app";
            program = "${pkgs.feeds.passthru.initFeedScript}";
          };
          deploy-moby-test = {
            # `nix run '.#deploy-moby-test'`
            type = "app";
            program = ''${deployScript "test"}'';
          };
          deploy-moby-switch = {
            # `nix run '.#deploy-moby-switch'`
            type = "app";
            program = ''${deployScript "switch"}'';
          };
        };
      templates = {
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -4,17 +4,17 @@
    ./fs.nix
  ];
-  # sane.packages.enableDevPkgs = true;
+  sane.roles.build-machine.enable = true;
  sane.roles.client = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
  sane.services.duplicity.enable = true;
  sane.services.nixserve.enable = true;
  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
  sane.persist.enable = true;
  sane.gui.sway.enable = true;
  sane.programs.iphoneUtils.enableFor.user.colin = true;
  sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
@@ -54,7 +54,7 @@
    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
  };
-  sane.persist.home.plaintext = [
+  sane.user.persist.plaintext = [
    ".steam"
    ".local/share/Steam"
  ];
--- a/hosts/by-name/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@@ -4,19 +4,22 @@
    ./fs.nix
  ];
  sane.yggdrasil.enable = true;
  sane.roles.client = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
-  # sane.packages.enableDevPkgs = true;
+  # sane.guest.enable = true;
  # sane.users.guest.enable = true;
  sane.gui.sway.enable = true;
  sane.persist.enable = true;
  sane.nixcache.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  sane.programs.guiApps.suggestedPrograms = [
    "desktopGuiApps"
    "stepmania"
  ];
  sops.secrets.colin-passwd = {
    sopsFile = ../../../secrets/lappy.yaml;
    neededForUsers = true;
--- a/hosts/by-name/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@@ -7,16 +7,8 @@
  ];
  sane.roles.client = true;
-  # TODO
+  sane.services.wg-home.enable = true;
-  # sane.services.wg-home.enable = true;
+  sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
  # sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
  # cross-compiled documentation is *slow*.
  # no obvious way to natively compile docs (2022/09/29).
  # entrypoint is nixos/modules/misc/documentation.nix
  # doc building happens in nixos/doc/manual/default.nix
  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
  documentation.nixos.enable = false;
  # XXX colin: phosh doesn't work well with passwordless login,
  # so set this more reliable default password should anything go wrong
@@ -28,21 +20,25 @@
    neededForUsers = true;
  };
-  # usability compromises
+  sane.web-browser = {
-  sane.web-browser.persistCache = "private";
+    # compromise impermanence for the sake of usability
-  sane.web-browser.persistData = "private";
+    persistCache = "private";
-  sane.persist.home.plaintext = [
+    persistData = "private";
    # i don't do crypto stuff on moby
    addons.ether-metamask.enable = false;
    # addons.sideberry.enable = false;
  };
  sane.user.persist.plaintext = [
    ".config/pulse"  # persist pulseaudio volume
  ];
  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
  sane.packages.extraUserPkgs = [
    pkgs.plasma5Packages.konsole  # terminal
  ];
  sane.nixcache.enable = true;
  sane.persist.enable = true;
  sane.gui.phosh.enable = true;
  # sane.programs.consoleUtils.enableFor.user.colin = false;
  # sane.programs.guiApps.enableFor.user.colin = false;
  sane.programs.sequoia.enableFor.user.colin = false;
  sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
  boot.loader.efi.canTouchEfiVariables = false;
  # /boot space is at a premium. default was 20.
@@ -59,9 +55,10 @@
  # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
  # this is because they can't allocate enough video ram.
-  # the default CMA seems to be 32M. we could probably get by with as little as 64M, and safely with 128M.
+  # the default CMA seems to be 32M.
  # i was running fine with 256MB from 2022/07-ish through 2022/12-ish, but then the phone quit reliably coming back from sleep: maybe a memory leak?
  # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
-  boot.kernelParams = [ "cma=256M" ];
+  boot.kernelParams = [ "cma=512M" ];
  # mobile-nixos' /lib/firmware includes:
  #   rtl_bt          (bluetooth)
--- a/hosts/by-name/moby/kernel.nix
+++ b/hosts/by-name/moby/kernel.nix
@@ -114,7 +114,7 @@ in
  # - phone rotation sensor is off by 90 degrees
  # - ambient light sensor causes screen brightness to be shakey
  # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
  boot.kernelPatches = [
    (patchDefconfig (kernelConfig //
--- a/hosts/by-name/rescue/default.nix
+++ b/hosts/by-name/rescue/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
  imports = [
    ./fs.nix
@@ -7,6 +7,8 @@
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  # sane.persist.enable = false;  # TODO: disable (but run `nix flake check` to ensure it works!)
  sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
  system.stateVersion = "21.05";
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -4,23 +4,29 @@
  imports = [
    ./fs.nix
    ./net.nix
    ./users.nix
    ./secrets.nix
    ./services
  ];
-  sane.packages.extraUserPkgs = with pkgs; [
+  sane.programs = {
    # for administering services
-    freshrss
+    freshrss.enableFor.user.colin = true;
-    matrix-synapse
+    matrix-synapse.enableFor.user.colin = true;
-    signaldctl
+    signaldctl.enableFor.user.colin = true;
-  ];
+  };
-  sane.persist.enable = true;
+
  sane.roles.build-machine.enable = true;
  sane.roles.build-machine.emulation = false;
  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
  sane.services.dyn-dns.enable = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
  # automatically log in at the virtual consoles.
  # using root here makes sure we always have an escape hatch
  services.getty.autologinUser = "root";
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
--- a/hosts/by-name/servo/secrets.nix
+++ b/hosts/by-name/servo/secrets.nix
@@ -25,6 +25,7 @@
  };
  sops.secrets."mautrix_signal_env" = {
    sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
    format = "binary";
  };
  sops.secrets."mediawiki_pw" = {
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@@ -38,11 +38,11 @@
  ];
  networking.firewall.allowedTCPPortRanges = [{
    from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
  }];
  networking.firewall.allowedUDPPortRanges = [{
    from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
  }];
  # provide access to certs
--- a/hosts/by-name/servo/services/freshrss.nix
+++ b/hosts/by-name/servo/services/freshrss.nix
@@ -41,7 +41,10 @@
    description = "import sane RSS feed list";
    after = [ "freshrss-config.service" ];
    script = ''
-      ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
+      # easiest way to preserve feeds: delete the user, recreate it, import feeds
      ${pkgs.freshrss}/cli/delete-user.php --user colin || true
      ${pkgs.freshrss}/cli/create-user.php --user colin --password "$(cat ${config.services.freshrss.passwordFile})" || true
      ${pkgs.freshrss}/cli/import-for-user.php --user colin --filename ${opml}
    '';
  };
--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@@ -15,6 +15,17 @@
  services.gitea.settings.session.COOKIE_SECURE = true;
  # services.gitea.disableRegistration = true;
  # gitea doesn't create the git user
  users.users.git = {
    description = "Gitea Service";
    home = "/var/lib/gitea";
    useDefaultShell = true;
    group = "gitea";
    isSystemUser = true;
    # sendmail access (not 100% sure if this is necessary)
    extraGroups = [ "postdrop" ];
  };
  services.gitea.settings = {
    server = {
      # options: "home", "explore", "organizations", "login" or URL fragment (or full URL)
--- a/hosts/by-name/servo/services/jellyfin.nix
+++ b/hosts/by-name/servo/services/jellyfin.nix
@@ -1,16 +1,63 @@
 # configuration options (today i don't store my config in nix):
 #
 # - jellyfin-web can be statically configured (result/share/jellyfin-web/config.json)
 #   - <https://jellyfin.org/docs/general/clients/web-config>
 #   - configure server list, plugins, "menuLinks", colors
 #
 # - jellfyin server is configured in /var/lib/jellfin/
 #   - root/default/<LibraryType>/
 #     - <LibraryName>.mblink: contains the directory name where this library lives
 #     - options.xml: contains preferences which were defined in the web UI during import
 #       - e.g. `EnablePhotos`, `EnableChapterImageExtraction`, etc.
 #   - config/encoding.xml: transcoder settings
 #   - config/system.xml: misc preferences like log file duration, audiobook resume settings, etc.
 #   - data/jellyfin.db: maybe account definitions? internal state?
 { config, lib, ... }:
 # TODO: re-enable after migrating media dir to /var/lib/uninsane/media
 # else it's too spammy
 lib.mkIf false
 {
  # identical to:
  # services.jellyfin.openFirewall = true;
  networking.firewall.allowedUDPPorts = [
-    1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
+    # https://jellyfin.org/docs/general/networking/index.html
    1900  # UPnP service discovery
    7359  # Jellyfin-specific (?) client discovery
  ];
  networking.firewall.allowedTCPPorts = [
    8096  # HTTP (for the LAN)
    8920  # HTTPS (for the LAN)
  ];
  sane.persist.sys.plaintext = [
-    # TODO: mode? could be more granular
+    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; directory = "/var/lib/jellyfin"; }
    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
  ];
  sane.fs."/var/lib/jellyfin/config/logging.json" = {
    # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>
    symlink.text = ''
      {
        "Serilog": {
          "MinimumLevel": {
            "Default": "Information",
            "Override": {
              "Microsoft": "Warning",
              "System": "Warning",
              "Emby.Dlna": "Debug",
              "Emby.Dlna.Eventing": "Debug"
            }
          },
          "WriteTo": [
            {
              "Name": "Console",
              "Args": {
                "outputTemplate": "[{Timestamp:HH:mm:ss}] [{Level:u3}] [{ThreadId}] {SourceContext}: {Message:lj}{NewLine}{Exception}"
              }
            }
          ],
          "Enrich": [ "FromLogContext", "WithThreadId" ]
        }
      }
    '';
    wantedBeforeBy = [ "jellyfin.service" ];
  };
  # Jellyfin multimedia server
  # this is mostly taken from the official jellfin.org docs
--- a/hosts/by-name/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@@ -6,16 +6,16 @@
  imports = [
    ./discord-puppet.nix
    # ./irc.nix
-    ./signal.nix
+    # TODO(2023/03/10): disabled because it's not bridging and mautrix_signal is hogging CPU
    # ./signal.nix
  ];
  # allow synapse to read the registration files of its appservices
  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
  sane.persist.sys.plaintext = [
    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
  ];
  services.matrix-synapse.enable = true;
  # this changes the default log level from INFO to WARN.
  # maybe there's an easier way?
  services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
  services.matrix-synapse.settings.server_name = "uninsane.org";
--- a/hosts/by-name/servo/services/matrix/signal.nix
+++ b/hosts/by-name/servo/services/matrix/signal.nix
@@ -2,6 +2,14 @@
 # - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
 { config, pkgs, ... }:
 {
  sane.persist.sys.plaintext = [
    { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
    { user = "signald"; group = "signald"; directory = "/var/lib/signald"; }
  ];
  # allow synapse to read the registration file
  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
  services.signald.enable = true;
  services.mautrix-signal.enable = true;
  services.mautrix-signal.environmentFile =
@@ -21,12 +29,7 @@
    ReadWritePaths = [ "/run/signald" ];
  };
  sane.persist.sys.plaintext = [
    { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
  ];
  sops.secrets."mautrix_signal_env" = {
    format = "binary";
    mode = "0440";
    owner = config.users.users.mautrix-signal.name;
    group = config.users.users.matrix-synapse.name;
--- a/hosts/by-name/servo/services/navidrome.nix
+++ b/hosts/by-name/servo/services/navidrome.nix
@@ -1,11 +1,8 @@
-{ ... }:
+{ lib, ... }:
 {
  sane.persist.sys.plaintext = [
-    # TODO: we don't have a static user allocated for navidrome!
+    { user = "navidrome"; group = "navidrome"; directory = "/var/lib/navidrome"; }
    # the chown would happen too early for us to set static perms
    "/var/lib/private/navidrome"
    # { user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
  ];
  services.navidrome.enable = true;
  services.navidrome.settings = {
@@ -18,6 +15,20 @@
    ScanSchedule = "@every 1h";
  };
  systemd.services.navidrome.serviceConfig = {
    # fix to use a normal user so we can configure perms correctly
    DynamicUser = lib.mkForce false;
    User = "navidrome";
    Group = "navidrome";
  };
  users.groups.navidrome = {};
  users.users.navidrome = {
    group = "navidrome";
    isSystemUser = true;
  };
  services.nginx.virtualHosts."music.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
--- a/hosts/by-name/servo/services/pleroma.nix
+++ b/hosts/by-name/servo/services/pleroma.nix
@@ -135,6 +135,11 @@
  #   CapabilityBoundingSet = lib.mkForce "~";
  # };
  # this is required to allow pleroma to send email.
  # raw `sendmail` works, but i think pleroma's passing it some funny flags or something, idk.
  # hack to fix that.
  users.users.pleroma.extraGroups = [ "postdrop" ];
  # Pleroma server and web interface
  # TODO: enable publog?
  services.nginx.virtualHosts."fed.uninsane.org" = {
--- a/hosts/by-name/servo/services/postfix.nix
+++ b/hosts/by-name/servo/services/postfix.nix
@@ -1,3 +1,6 @@
 # DOCS:
 # - dovecot config: <https://doc.dovecot.org/configuration_manual/>
 { config, lib, ... }:
 let
@@ -27,11 +30,14 @@ in
  ];
  networking.firewall.allowedTCPPorts = [
-    25   # SMTP
+    # exposed over non-vpn imap.uninsane.org
    143  # IMAP
    993  # IMAPS
    # exposed over vpn mx.uninsane.org
    25   # SMTP
    465  # SMTPS
    587  # SMTPS/submission
    993  # IMAPS
  ];
  # exists only to manage certs for dovecot
@@ -143,6 +149,25 @@ in
  # inspired by https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/
  services.dovecot2.enable = true;
  services.dovecot2.mailboxes = {
    # special-purpose mailboxes: "All" "Archive" "Drafts" "Flagged" "Junk" "Sent" "Trash"
    # RFC6154 describes these special mailboxes: https://www.ietf.org/rfc/rfc6154.html
    # how these boxes are treated is 100% up to the client and server to decide.
    # client behavior:
    # iOS
    #   - Drafts: ?
    #   - Sent: works
    #   - Trash: works
    # aerc
    #   - Drafts: works
    #   - Sent: works
    #   - Trash: no; deleted messages are actually deleted
    #       use `:move trash` instead
    # Sent mailbox: all sent messages are copied to it. unclear if this happens server-side or client-side.
    Drafts = { specialUse = "Drafts"; auto = "create"; };
    Sent = { specialUse = "Sent"; auto = "create"; };
    Trash = { specialUse = "Trash"; auto = "create"; };
  };
  services.dovecot2.sslServerCert = "/var/lib/acme/imap.uninsane.org/fullchain.pem";
  services.dovecot2.sslServerKey = "/var/lib/acme/imap.uninsane.org/key.pem";
  services.dovecot2.enablePAM = false;
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@@ -6,9 +6,10 @@
  sane.services.trust-dns.listenAddrsIPv4 = [
    # specify each address explicitly, instead of using "*".
    # this ensures responses are sent from the address at which the request was received.
-    "192.168.0.5"
+    config.sane.hosts.by-name."servo".lan-ip
    "10.0.1.5"
  ];
  sane.services.trust-dns.quiet = true;
  sane.services.trust-dns.zones."uninsane.org".TTL = 900;
--- a/hosts/by-name/servo/users.nix
+++ b/hosts/by-name/servo/users.nix
@@ -1,24 +0,0 @@
 { config, ... }:
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 {
  # automatically log in at the virtual consoles.
  # using root here makes sure we always have an escape hatch
  services.getty.autologinUser = "root";
  # gitea doesn't create the git user
  users.users.git = {
    description = "Gitea Service";
    home = "/var/lib/gitea";
    useDefaultShell = true;
    group = "gitea";
    isSystemUser = true;
    # sendmail access (not 100% sure if this is necessary)
    extraGroups = [ "postdrop" ];
  };
  # this is required to allow pleroma to send email.
  # raw `sendmail` works, but i think pleroma's passing it some funny flags or something, idk.
  # hack to fix that.
  users.users.pleroma.extraGroups = [ "postdrop" ];
 }
--- a/hosts/common/cross.nix
+++ b/hosts/common/cross.nix
@@ -1,22 +0,0 @@
 { config, ... }:
 let
  mkCrossFrom = localSystem: pkgs: import pkgs.path {
    inherit localSystem;
    crossSystem = pkgs.stdenv.hostPlatform.system;
    inherit (config.nixpkgs) config overlays;
  };
 in
 {
  # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
  # here we just define them all.
  nixpkgs.overlays = [
    (next: prev: {
      # non-emulated packages build *from* local *for* target.
      # for large packages like the linux kernel which are expensive to build under emulation,
      # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
      crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" next;
      crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" next;
    })
  ];
 }
--- a/hosts/common/cross/default.nix
+++ b/hosts/common/cross/default.nix
--- a/hosts/common/cross/kitty-no-docs.patch
+++ b/hosts/common/cross/kitty-no-docs.patch
@@ -0,0 +1,22 @@
 diff --git a/setup.py b/setup.py
 index 2b9d240e..770bc5e7 100755
 --- a/setup.py
 +++ b/setup.py
@@ -1092,11 +1092,12 @@ def c(base_path: str, **kw: object) -> None:
 def create_linux_bundle_gunk(ddir: str, libdir_name: str) -> None:
 -    if not os.path.exists('docs/_build/html'):
 -        make = 'gmake' if is_freebsd else 'make'
 -        run_tool([make, 'docs'])
 -    copy_man_pages(ddir)
 -    copy_html_docs(ddir)
 +    if not os.getenv('KITTY_NO_DOCS'):
 +        if not os.path.exists('docs/_build/html'):
 +            make = 'gmake' if is_freebsd else 'make'
 +            run_tool([make, 'docs'])
 +        copy_man_pages(ddir)
 +        copy_html_docs(ddir)
     for (icdir, ext) in {'256x256': 'png', 'scalable': 'svg'}.items():
         icdir = os.path.join(ddir, 'share', 'icons', 'hicolor', icdir, 'apps')
         safe_makedirs(icdir)
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -1,33 +1,28 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
  imports = [
-    ./cross.nix
+    ./cross
    ./feeds.nix
    ./fs.nix
    ./hardware.nix
    ./home
    ./i2p.nix
    ./ids.nix
    ./machine-id.nix
    ./net.nix
    ./persist.nix
    ./programs.nix
    ./secrets.nix
    ./ssh.nix
    ./users.nix
    ./vpn.nix
  ];
  sane.home-manager.enable = true;
  sane.nixcache.enable-trusted-keys = true;
-  sane.packages.enableConsolePkgs = true;
+  sane.nixcache.enable = lib.mkDefault true;
-  sane.packages.enableSystemPkgs = true;
+  sane.persist.enable = lib.mkDefault true;
-
+  sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
-  sane.persist.sys.plaintext = [
+  sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
    "/var/log"
    "/var/backup"  # for e.g. postgres dumps
    # TODO: move elsewhere
    "/var/lib/alsa"                # preserve output levels, default devices
    "/var/lib/colord"              # preserve color calibrations (?)
    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
  ];
  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
  sane.fs."/var/lib/private".dir.acl.mode = "0700";
@@ -38,6 +33,7 @@
  time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
  # allow `nix flake ...` command
  # TODO: is this still required?
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
@@ -46,20 +42,37 @@
    "nixpkgs=${pkgs.path}"
    "nixpkgs-overlays=${../..}/overlays"
  ];
  # hardlinks identical files in the nix store to save 25-35% disk space.
  # unclear _when_ this occurs. it's not a service.
  # does the daemon continually scan the nix store?
  # does the builder use some content-addressed db to efficiently dedupe?
  nix.settings.auto-optimise-store = true;
  # TODO: move this into home-manager?
  fonts = {
    enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
+    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
    fontconfig.enable = true;
    fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
+      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
      monospace = [ "Hack" ];
      serif = [ "DejaVu Serif" ];
      sansSerif = [ "DejaVu Sans" ];
    };
  };
  # XXX: twitter-color-emoji doesn't cross-compile; but not-fonts-emoji does
  # fonts = {
  #   enableDefaultFonts = true;
  #   fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
  #   fontconfig.enable = true;
  #   fontconfig.defaultFonts = {
  #     emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
  #     monospace = [ "Hack" ];
  #     serif = [ "DejaVu Serif" ];
  #     sansSerif = [ "DejaVu Sans" ];
  #   };
  # };
  # disable non-required packages like nano, perl, rsync, strace
  environment.defaultPackages = [];
@@ -75,8 +88,20 @@
    # NIXOS_OZONE_WL = "1";
    # LIBGL_ALWAYS_SOFTWARE = "1";
  };
-  # enable zsh completions
+
-  environment.pathsToLink = [ "/share/zsh" ];
+  # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
  # find keys/values with `dconf dump /`
  programs.dconf.enable = true;
  programs.dconf.packages = [
    (pkgs.writeTextFile {
      name = "dconf-user-profile";
      destination = "/etc/dconf/profile/user";
      text = ''
        user-db:user
        system-db:site
      '';
    })
  ];
  # link debug symbols into /run/current-system/sw/lib/debug
  # hopefully picked up by gdb automatically?
--- a/hosts/common/feeds.nix
+++ b/hosts/common/feeds.nix
@@ -1,3 +1,9 @@
 # candidates:
 # - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
 #   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
 # - <https://www.metaculus.com/questions/11102/introducing-the-metaculus-journal-podcast/>
 #   - dead since 2022/10 - 2023/03
 { lib, sane-data, ... }:
 let
  hourly = { freq = "hourly"; };
@@ -13,6 +19,7 @@ let
  uncat = { cat = "uncat"; };
  text = { format = "text"; };
  img = { format = "image"; };
  mkRss = format: url: { inherit url format; } // uncat // infrequent;
  # format-specific helpers
@@ -29,16 +36,16 @@ let
    in {
      url = raw.url;
      # not sure the exact mapping with velocity here: entries per day?
-      freq = lib.mkDefault (
+      freq = lib.mkIf (raw.velocity or 0 != 0) (lib.mkDefault (
-        if raw.velocity or 0 > 2 then
+        if raw.velocity > 2 then
          "hourly"
-        else if raw.velocity or 0 > 0.5 then
+        else if raw.velocity > 0.5 then
          "daily"
-        else if raw.velocity or 0 > 0.1 then
+        else if raw.velocity > 0.1 then
          "weekly"
        else
          "infrequent"
-      );
+      ));
    } // lib.optionalAttrs (raw.is_podcast or false) {
      format = "podcast";
    } // lib.optionalAttrs (raw.title or "" != "") {
@@ -47,19 +54,31 @@ let
  podcasts = [
    (fromDb "lexfridman.com/podcast" // rat)
    # (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
    ## Astral Codex Ten
    (fromDb "sscpodcast.libsyn.com" // rat)
    ## Less Wrong Curated
    (fromDb "feeds.libsyn.com/421877" // rat)
    ## Econ Talk
    (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
    ## Cory Doctorow -- both podcast & text entries
    (fromDb "craphound.com" // pol)
-    (mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
+    ## Maggie Killjoy -- referenced by Cory Doctorow
    (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)
    (fromDb "congressionaldish.libsyn.com" // pol)
    (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
    ## Civboot -- https://anchor.fm/civboot
    (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
    ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
    (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)
    (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
    ## Daniel Huberman on sleep
    (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)
    ## Multidisciplinary Association for Psychedelic Studies
    (fromDb "mapspodcast.libsyn.com" // uncat)
    (fromDb "allinchamathjason.libsyn.com" // pol)
    (fromDb "acquired.libsyn.com" // tech)
    ## ACQ2 - more "Acquired" episodes
    (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)
    # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
    (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
    ## The Daily
@@ -85,93 +104,122 @@ let
    (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
    ## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
    (fromDb "rss.art19.com/your-welcome" // pol)
    (fromDb "seattlenice.buzzsprout.com" // pol)
    ## Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
    (fromDb "talesfromthebridge.buzzsprout.com" // tech)
    ## UnNamed Reverse Engineering Podcast
    (fromDb "reverseengineering.libsyn.com/rss" // tech)
  ];
  texts = [
    # AGGREGATORS (> 1 post/day)
    (fromDb "lwn.net" // tech)
    (fromDb "lesswrong.com" // rat)
    (fromDb "econlib.org" // pol)
    # AGGREGATORS (< 1 post/day)
-    (mkText "https://palladiummag.com/feed" // uncat // weekly)
+    (fromDb "palladiummag.com" // uncat)
-    (mkText "https://profectusmag.com/feed" // uncat // weekly)
+    (fromDb "profectusmag.com" // uncat)
-    (mkText "https://semiaccurate.com/feed" // tech // weekly)
+    (fromDb "semiaccurate.com" // tech)
    (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
-    (mkText "https://spectrum.ieee.org/rss" // tech // weekly)
+    (fromDb "spectrum.ieee.org" // tech)
    (fromDb "thisweek.gnome.org" // tech)
    # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
    (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)
    (mkText "https://nixos.org/blog/stories-rss.xml" // tech // weekly)
    ## n.b.: quality RSS list here: <https://forum.merveilles.town/thread/57/share-your-rss-feeds%21-6/>
    (mkText "https://forum.merveilles.town/rss.xml" // pol // infrequent)
    ## No Moods, Ads or Cutesy Fucking Icons
-    (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
+    (fromDb "rifters.com/crawl" // uncat)
    # DEVELOPERS
    (fromDb "uninsane.org" // tech)
    (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
    (fromDb "xn--gckvb8fzb.com" // tech)
    (fromDb "mg.lol" // tech)
    (fromDb "drewdevault.com" // tech)
    ## Ken Shirriff
    (fromDb "righto.com" // tech)
    ## shared blog by a few NixOS devs, notably onny
    (fromDb "project-insanity.org" // tech)
    ## Vitalik Buterin
-    (mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
+    (fromDb "vitalik.ca" // tech)
    ## ian (Sanctuary)
-    (mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
+    (fromDb "sagacioussuricata.com" // tech)
    ## Bunnie Juang
-    (mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
+    (fromDb "bunniestudios.com" // tech)
-    (mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
+    (fromDb "blog.danieljanus.pl" // tech)
-    (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
+    (fromDb "ianthehenry.com" // tech)
-    (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
+    (fromDb "bitbashing.io" // tech)
-    (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
+    (fromDb "idiomdrottning.org" // uncat)
    (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
-    (mkText "https://www.jefftk.com/news.rss" // tech // daily)
+    (fromDb "jefftk.com" // tech)
-    (mkText "https://pomeroyb.com/feed.xml" // tech // infrequent)
+    (fromDb "pomeroyb.com" // tech)
    (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
    # TECH PROJECTS
    (fromDb "blog.rust-lang.org" // tech)
    # (TECH; POL) COMMENTATORS
    ## Matt Webb -- engineering-ish, but dreamy
    (fromDb "interconnected.org/home/feed" // rat)
    (fromDb "edwardsnowden.substack.com" // pol // text)
    ## Julia Evans
    (mkText "https://jvns.ca/atom.xml" // tech // weekly)
    (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
    ## Ben Thompson
    (mkText "https://www.stratechery.com/rss" // pol // weekly)
    ## Balaji
-    (mkText "https://balajis.com/rss" // pol // weekly)
+    (fromDb "balajis.com" // pol)
-    (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
+    (fromDb "ben-evans.com/benedictevans" // pol)
-    (mkText "https://www.lynalden.com/feed" // pol // infrequent)
+    (fromDb "lynalden.com" // pol)
-    (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
+    (fromDb "austinvernon.site" // tech)
    (mkSubstack "oversharing" // pol // daily)
-    (mkSubstack "doomberg" // tech // weekly)
+    (mkSubstack "byrnehobart" // pol // infrequent)
    # (mkSubstack "doomberg" // tech // weekly)  # articles are all pay-walled
    ## David Rosenthal
-    (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
+    (fromDb "blog.dshr.org" // pol)
    ## Matt Levine
    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
-    (mkText "https://stpeter.im/atom.xml" // pol // weekly)
+    (fromDb "stpeter.im/atom.xml" // pol)
    ## Peter Saint-Andre -- side project of stpeter.im
    (fromDb "philosopher.coach" // rat)
    # RATIONALITY/PHILOSOPHY/ETC
    (mkSubstack "samkriss" // humor // infrequent)
-    (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
+    (fromDb "unintendedconsequenc.es" // rat)
-    (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
+    (fromDb "applieddivinitystudies.com" // rat)
-    (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
+    (fromDb "slimemoldtimemold.com" // rat)
-    (mkText "https://www.richardcarrier.info/feed" // rat // weekly)
+    (fromDb "richardcarrier.info" // rat)
-    (mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
+    (fromDb "gwern.net" // rat)
    ## Jason Crawford
-    (mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
+    (fromDb "rootsofprogress.org" // rat)
    ## Robin Hanson
-    (mkText "https://www.overcomingbias.com/feed" // rat // daily)
+    (fromDb "overcomingbias.com" // rat)
    ## Scott Alexander
    (mkSubstack "astralcodexten" // rat // daily)
    ## Paul Christiano
-    (mkText "https://sideways-view.com/feed" // rat // infrequent)
+    (fromDb "sideways-view.com" // rat)
    ## Sean Carroll
-    (mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
+    (fromDb "preposterousuniverse.com" // rat)
    ## mostly dating topics. not advice, or humor, but looking through a social lens
-    (mkText "https://putanumonit.com/feed" // rat // infrequent)
+    (fromDb "putanumonit.com" // rat)
    # CODE
    # (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
  ];
  images = [
-    (mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
+    (fromDb "smbc-comics.com" // img // humor)
-    (mkImg "https://xkcd.com/atom.xml" // humor // daily)
+    (fromDb "xkcd.com" // img // humor)
-    (mkImg "https://pbfcomics.com/feed" // humor // infrequent)
+    (fromDb "pbfcomics.com" // img // humor)
    # (mkImg "http://dilbert.com/feed" // humor // daily)
    (fromDb "poorlydrawnlines.com/feed" // img // humor)
    # ART
-    (mkImg "https://miniature-calendar.com/feed" // art // daily)
+    (fromDb "miniature-calendar.com" // img // art // daily)
  ];
 in
 {
--- a/hosts/common/home/aerc.nix
+++ b/hosts/common/home/aerc.nix
@@ -0,0 +1,11 @@
 # Terminal UI mail client
 { config, sane-lib, ... }:
 {
  sops.secrets."aerc_accounts" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
    format = "binary";
  };
  sane.user.fs.".config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
 }
--- a/hosts/common/home/default.nix
+++ b/hosts/common/home/default.nix
@@ -0,0 +1,25 @@
 { ... }:
 {
  imports = [
    ./aerc.nix
    ./firefox.nix
    ./gfeeds.nix
    ./git.nix
    ./gpodder.nix
    ./keyring.nix
    ./kitty
    ./libreoffice.nix
    ./mime.nix
    ./mpv.nix
    ./neovim.nix
    ./newsflash.nix
    ./offlineimap.nix
    ./ripgrep.nix
    ./splatmoji.nix
    ./ssh.nix
    ./sublime-music.nix
    ./vlc.nix
    ./xdg-dirs.nix
    ./zsh
  ];
 }
--- a/modules/home-manager/firefox.nix
+++ b/modules/home-manager/firefox.nix
@@ -32,16 +32,6 @@ let
  defaultSettings = firefoxSettings;
  # defaultSettings = librewolfSettings;
  package = pkgs.wrapFirefox cfg.browser.browser {
    # inherit the default librewolf.cfg
    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
    inherit (cfg.browser) libName;
    extraNativeMessagingHosts = [ pkgs.browserpass ];
    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
    nixExtensions = let
  addon = name: extid: hash: pkgs.fetchFirefoxAddon {
    inherit name hash;
    url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
@@ -53,20 +43,17 @@ let
    src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
    fixedExtid = pkg.extid;
  };
-    in [
+
-      # get names from:
+  package = pkgs.wrapFirefox cfg.browser.browser {
-      # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
+    # inherit the default librewolf.cfg
-      # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
+    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=")
+    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=")
+    inherit (cfg.browser) libName;
-      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-JOj5P7c2JTTReHCRZXm4BscaGr3i+9Y4Ey/y621x8PI=")
+
-      (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
+    extraNativeMessagingHosts = [ pkgs.browserpass ];
-      (addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")
+    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
-      (addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=")
+
-      (addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=")
+    nixExtensions = concatMap (ext: optional ext.enable ext.package) (attrValues cfg.addons);
      # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
      (localAddon pkgs.browserpass-extension)
    ];
    extraPolicies = {
      NoDefaultBookmarks = true;
@@ -102,6 +89,17 @@ let
      # NewTabPage = true;
    };
  };
  addonOpts = types.submodule {
    options = {
      package = mkOption {
        type = types.package;
      };
      enable = mkOption {
        type = types.bool;
      };
    };
  };
 in
 {
  options = {
@@ -119,9 +117,41 @@ in
      type = types.nullOr types.str;
      default = "cryptClearOnBoot";
    };
    sane.web-browser.addons = mkOption {
      type = types.attrsOf addonOpts;
      default = {
        # get names from:
        # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
        # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
        browserpass-extension.package = localAddon pkgs.browserpass-extension;
        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
        ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
        i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
        sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
        ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
        browserpass-extension.enable = lib.mkDefault true;
        # bypass-paywalls-clean.enable = lib.mkDefault true;
        ether-metamask.enable = lib.mkDefault true;
        i2p-in-private-browsing.enable = lib.mkDefault config.services.i2p.enable;
        sidebery.enable = lib.mkDefault true;
        sponsorblock.enable = lib.mkDefault true;
        ublacklist.enable = lib.mkDefault true;
        ublock-origin.enable = lib.mkDefault true;
      };
    };
  };
-  config = lib.mkIf config.sane.home-manager.enable {
+  config = {
    sane.programs.web-browser = {
      inherit package;
      # TODO: define the persistence & fs config here
    };
    sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
    # uBlock filter list configuration.
    # specifically, enable the GDPR cookie prompt blocker.
@@ -131,7 +161,7 @@ in
    # the specific attribute path is found via scraping ublock code here:
    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-    sane.fs."/home/colin/${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
      {
       "name": "uBlock0@raymondhill.net",
       "description": "ignored",
@@ -141,21 +171,33 @@ in
       }
      }
    '';
-    sane.fs."/home/colin/${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
      // if we can't query the revocation status of a SSL cert because the issuer is offline,
      // treat it as unrevoked.
      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
      defaultPref("security.OCSP.require", false);
    '';
-
+    # flush the cache to disk to avoid it taking up too much tmp
-    sane.packages.extraGuiPkgs = [ package ];
+    sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
    # flood the cache to disk to avoid it taking up too much tmp
    sane.persist.home.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
      store = cfg.persistCache;
    };
-    sane.persist.home.byPath."${cfg.browser.dotDir}" = lib.mkIf (cfg.persistData != null) {
+    sane.user.persist.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
      store = cfg.persistData;
    };
    sane.user.fs."${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
    # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
    # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
    sane.user.fs."${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
      [Profile0]
      Name=default
      IsRelative=1
      Path=default
      Default=1
      [General]
      StartWithLastProfile=1
    '';
  };
 }
--- a/modules/home-manager/gfeeds.nix
+++ b/modules/home-manager/gfeeds.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
    builtins.toJSON {
      # feed format is a map from URL to a dict,
      #   with dict["tags"] a list of string tags.
--- a/hosts/common/home/git.nix
+++ b/hosts/common/home/git.nix
@@ -0,0 +1,18 @@
 { lib, pkgs, sane-lib, ... }:
 let
  mkCfg = lib.generators.toINI { };
 in
 {
  sane.user.fs.".config/git/config" = sane-lib.fs.wantedText (mkCfg {
    user.name = "Colin";
    user.email = "colin@uninsane.org";
    alias.co = "checkout";
    # difftastic docs:
    # - <https://difftastic.wilfred.me.uk/git.html>
    diff.tool = "difftastic";
    difftool.prompt = false;
    "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
    # now run `git difftool` to use difftastic git
  });
 }
--- a/modules/home-manager/gpodder.nix
+++ b/modules/home-manager/gpodder.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
    feeds.feedsToOpml wanted-feeds
  );
 }
--- a/hosts/common/home/keyring.nix
+++ b/hosts/common/home/keyring.nix
@@ -0,0 +1,11 @@
 { config, sane-lib, ... }:
 {
  sane.user.persist.private = [ ".local/share/keyrings" ];
  sane.user.fs."private/.local/share/keyrings/default" = {
    generated.script.script = builtins.readFile ../../../scripts/init-keyring;
    # TODO: is this `wantedBy` needed? can we inherit it?
    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
  };
 }
--- a/hosts/common/home/kitty/PaperColor_dark.conf
+++ b/hosts/common/home/kitty/PaperColor_dark.conf
@@ -0,0 +1,47 @@
 # vim:ft=kitty
 ## name: PaperColor Dark
 ## author: Nikyle Nguyen
 ## license: MIT
 ## blurb: Dark color scheme inspired by Google's Material Design 
 # special
 foreground		#d0d0d0
 background		#1c1c1c
 cursor			#d0d0d0
 cursor_text_color	background
 # black
 color0			#1c1c1c
 color8			#585858
 # red
 color1			#af005f
 color9			#5faf5f
 # green
 # "color2" is the green color used by ls to indicate executability
 #   both as text color
 #   or as bg color when the text is blue (color4)
 color2			#246a28
 color10			#2df200
 # yellow
 color3			#d7af5f
 color11			#af87d7
 # blue
 color4			#78c6ef
 color12			#ffaf00
 # magenta
 color5			#808080
 color13			#ff5faf
 # cyan
 color6			#d7875f
 color14			#00afaf
 # white
 color7			#d0d0d0
 color15			#5f8787
--- a/hosts/common/home/kitty/default.nix
+++ b/hosts/common/home/kitty/default.nix
@@ -0,0 +1,70 @@
 { pkgs, sane-lib, ... }:
 {
  sane.user.fs.".config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
    # docs: https://sw.kovidgoyal.net/kitty/conf/
    # disable terminal bell (when e.g. you backspace too many times)
    enable_audio_bell no
    map ctrl+n new_os_window_with_cwd
    include ${./PaperColor_dark.conf}
  '';
  #  include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
  # THEME CHOICES:
  #   docs: https://github.com/kovidgoyal/kitty-themes
  # theme = "1984 Light";  # dislike: awful, harsh blues/teals
  # theme = "Adventure Time";  # dislike: harsh (dark)
  # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
  # theme = "Belafonte Day";  # dislike: too low contrast for text colors
  # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
  # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
  # theme = "Desert";  # mediocre: colors are harsh
  # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
  # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
  # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
  # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
  # theme = "kanagawabones";  # better: dark theme. colors are too background-y
  # theme = "Kaolin Dark";  # dislike: too dark
  # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
  # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
  # theme = "Material"; # decent: light theme, few colors.
  # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
  # theme = "Nord";  # mediocre: pale background, low contrast
  # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
  # theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
  # theme = "Parasio Dark";  # dislike: too low contrast
  # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
  # theme = "Pnevma";  # dislike: too low contrast
  # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
  # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
  # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
  # theme = "Sea Shells";  # mediocre. not all color combos are readable
  # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
  # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
  # theme = "Sourcerer";  # mediocre: ugly colors
  # theme = "Space Gray";  # mediocre: too muted
  # theme = "Space Gray Eighties";  # better: all readable, decent colors
  # theme = "Spacemacs";  # mediocre: too muted
  # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
  # theme = "Srcery";  # better: highly readable. colors are ehhh
  # theme = "Substrata";  # decent: nice colors, but a bit flat.
  # theme = "Sundried";  # mediocre: the solar text makes me squint
  # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
  # theme = "Tango Light";  # dislike: teal is too grating
  # theme = "Tokyo Night Day";  # medicore: too muted
  # theme = "Tokyo Night";  # better: tasteful. a bit flat
  # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
  # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
  # theme = "Urple";  # dislike: weird palette
  # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
  # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
  # theme = "Xcodedark";  # dislike: bad palette
  # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
  # theme = "neobones_light"; # better light theme. the background is maybe too muted
  # theme = "vimbones";
  # theme = "zenbones_dark";  # mediocre: readable, but meh colors
  # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
  # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
 }
--- a/hosts/common/home/libreoffice.nix
+++ b/hosts/common/home/libreoffice.nix
@@ -0,0 +1,14 @@
 { sane-lib, ... }:
 {
  # libreoffice: disable first-run stuff
  sane.user.fs.".config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
    <?xml version="1.0" encoding="UTF-8"?>
    <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
    </oor:items>
  '';
  # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
  # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
 }
--- a/hosts/common/home/mime.nix
+++ b/hosts/common/home/mime.nix
@@ -0,0 +1,42 @@
 { config, sane-lib, ...}:
 let
  www = config.sane.web-browser.browser.desktop;
  pdf = "org.gnome.Evince.desktop";
  md = "obsidian.desktop";
  thumb = "org.gnome.gThumb.desktop";
  video = "vlc.desktop";
  # audio = "mpv.desktop";
  audio = "vlc.desktop";
 in
 {
  # the xdg mime type for a file can be found with:
  # - `xdg-mime query filetype path/to/thing.ext`
  # we can have single associations or a list of associations.
  # there's also options to *remove* [non-default] associations from specific apps
  xdg.mime.enable = true;
  xdg.mime.defaultApplications = {
    # AUDIO
    "audio/flac" = audio;
    "audio/mpeg" = audio;
    "audio/x-vorbis+ogg" = audio;
    # IMAGES
    "image/heif" = thumb;  # apple codec
    "image/png" = thumb;
    "image/jpeg" = thumb;
    # VIDEO
    "video/mp4" = video;
    "video/quicktime" = video;
    "video/x-matroska" = video;
    # HTML
    "text/html" = www;
    "x-scheme-handler/http" = www;
    "x-scheme-handler/https" = www;
    "x-scheme-handler/about" = www;
    "x-scheme-handler/unknown" = www;
    # RICH-TEXT DOCUMENTS
    "application/pdf" = pdf;
    "text/markdown" = md;
  };
 }
--- a/hosts/common/home/mpv.nix
+++ b/hosts/common/home/mpv.nix
@@ -0,0 +1,10 @@
 { sane-lib, ... }:
 {
  # format is <key>=%<length>%<value>
  sane.user.fs.".config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
    save-position-on-quit=%3%yes
    keep-open=%3%yes
  '';
 }
--- a/hosts/common/home/neovim.nix
+++ b/hosts/common/home/neovim.nix
@@ -0,0 +1,129 @@
 { lib, pkgs, ... }:
 let
  inherit (builtins) map;
  inherit (lib) concatMapStrings optionalString;
  # this structure roughly mirrors home-manager's `programs.neovim.plugins` option
  plugins = with pkgs.vimPlugins; [
    # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
    # docs: vim-surround: https://github.com/tpope/vim-surround
    { plugin = vim-surround; }
    # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
    { plugin = fzf-vim; }
    ({
      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
      plugin = tex-conceal-vim;
      type = "viml";
      config = ''
        " present prettier fractions
        let g:tex_conceal_frac=1
      '';
    })
    ({
      plugin = vim-SyntaxRange;
      type = "viml";
      config = ''
        " enable markdown-style codeblock highlighting for tex code
        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
        " autocmd Syntax tex set conceallevel=2
      '';
    })
    ({
      # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
      # docs: https://github.com/nvim-treesitter/nvim-treesitter
      # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
      # this is required for tree-sitter to even highlight
      plugin = nvim-treesitter.withAllGrammars;
      type = "lua";
      config = ''
        require'nvim-treesitter.configs'.setup {
          highlight = {
            enable = true,
            -- disable treesitter on Rust so that we can use SyntaxRange
            -- and leverage TeX rendering in rust projects
            disable = { "rust", "tex", "latex" },
            -- disable = { "tex", "latex" },
            -- true to also use builtin vim syntax highlighting when treesitter fails
            additional_vim_regex_highlighting = false
          },
          incremental_selection = {
            enable = true,
            keymaps = {
              init_selection = "gnn",
              node_incremental = "grn",
              mcope_incremental = "grc",
              node_decremental = "grm"
            }
          },
          indent = {
            enable = true,
            disable = {}
          }
        }
        vim.o.foldmethod = 'expr'
        vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
      '';
    })
  ];
  plugin-packages = map (p: p.plugin) plugins;
  plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
  plugin-config-lua = concatMapStrings (p: optionalString (p.type or "" == "lua") p.config) plugins;
 in
 {
  # private because there could be sensitive things in the swap
  sane.user.persist.private = [ ".cache/vim-swap" ];
  programs.neovim = {
    # neovim: https://github.com/neovim/neovim
    enable = true;
    viAlias = true;
    vimAlias = true;
    configure = {
      packages.myVimPackage = {
        start = plugin-packages;
      };
      customRC = ''
        " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
        " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
        set mouse=
        " copy/paste to system clipboard
        set clipboard=unnamedplus
        " screw tabs; always expand them into spaces
        set expandtab
        " at least don't open files with sections folded by default
        set nofoldenable
        " allow text substitutions for certain glyphs.
        " higher number = more aggressive substitution (0, 1, 2, 3)
        " i only make use of this for tex, but it's unclear how to
        " apply that *just* to tex and retain the SyntaxRange stuff.
        set conceallevel=2
        " horizontal rule under the active line
        " set cursorline
        " highlight trailing space & related syntax errors (doesn't seem to work??)
        " let c_space_errors=1
        " let python_space_errors=1
        " enable highlighting of leading/trailing spaces,
        " and especially tabs
        " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
        set list
        set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
        """"" PLUGIN CONFIG (tex)
        ${plugin-config-tex}
        """"" PLUGIN CONFIG (lua)
        lua <<EOF
        ${plugin-config-lua}
        EOF
      '';
    };
  };
 }
--- a/modules/home-manager/newsflash.nix
+++ b/modules/home-manager/newsflash.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
    feeds.feedsToOpml wanted-feeds
  );
 }
--- a/hosts/common/home/offlineimap.nix
+++ b/hosts/common/home/offlineimap.nix
@@ -0,0 +1,17 @@
 # mail archiving/synchronization tool.
 #
 # manually download all emails for an account with
 # - `offlineimap -a <accountname>`
 #
 # view account names inside the secrets file, listed below.
 { config, sane-lib, ... }:
 {
  sops.secrets."offlineimaprc" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/offlineimaprc.bin;
    format = "binary";
  };
  sane.user.fs.".config/offlineimap/config" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.offlineimaprc.path;
 }
--- a/hosts/common/home/ripgrep.nix
+++ b/hosts/common/home/ripgrep.nix
@@ -0,0 +1,9 @@
 { sane-lib, ... }:
 {
  # .ignore file is read by ripgrep (rg), silver searcher (ag), maybe others.
  # ignore translation files by default when searching, as they tend to have
  # a LOT of duplicate text.
  sane.user.fs.".ignore" = sane-lib.fs.wantedText ''
    po/
  '';
 }
--- a/modules/home-manager/splatmoji.nix
+++ b/modules/home-manager/splatmoji.nix
@@ -4,8 +4,9 @@
 { pkgs, sane-lib, ... }:
 {
-  sane.persist.home.plaintext = [ ".local/state/splatmoji" ];
+  sane.user.persist.plaintext = [ ".local/state/splatmoji" ];
-  sane.fs."/home/colin/.config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
    # XXX doesn't seem to understand ~ as shorthand for `$HOME`
    history_file=/home/colin/.local/state/splatmoji/history
    history_length=5
    # TODO: wayland equiv
--- a/modules/home-manager/ssh.nix
+++ b/modules/home-manager/ssh.nix
@@ -1,19 +1,22 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ config, lib, sane-lib, ... }:
 with lib;
 let
  host = config.networking.hostName;
-  user-pubkey = config.sane.ssh.pubkeys."colin@${host}".asUserKey;
+  user-pubkey-full = config.sane.ssh.pubkeys."colin@${host}" or {};
  user-pubkey = user-pubkey-full.asUserKey or null;
  host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
  known-hosts-text = concatStringsSep
    "\n"
    (map (k: k.asHostKey) host-keys)
  ;
-in lib.mkIf config.sane.home-manager.enable {
+in
 {
  # ssh key is stored in private storage
-  sane.persist.home.private = [ ".ssh/id_ed25519" ];
+  sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.fs."/home/colin/.ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+  sane.user.fs.".ssh/id_ed25519.pub" =
-  sane.fs."/home/colin/.ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
+    mkIf (user-pubkey != null) (sane-lib.fs.wantedText user-pubkey);
  sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
  users.users.colin.openssh.authorizedKeys.keys =
  let
--- a/hosts/common/home/sublime-music.nix
+++ b/hosts/common/home/sublime-music.nix
@@ -0,0 +1,11 @@
 { config, sane-lib, ... }:
 {
  # TODO: this should only be shipped on gui platforms
  sops.secrets."sublime_music_config" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
    format = "binary";
  };
  sane.user.fs.".config/sublime-music/config.json" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.sublime_music_config.path;
 }
--- a/modules/home-manager/vlc.nix
+++ b/modules/home-manager/vlc.nix
@@ -8,9 +8,8 @@ let
    builtins.map (feed: feed.url) wanted-feeds
  );
 in
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.fs."/home/colin/.config/vlc/vlcrc" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/vlc/vlcrc" = sane-lib.fs.wantedText ''
    [podcast]
    podcast-urls=${podcast-urls}
    [core]
--- a/hosts/common/home/xdg-dirs.nix
+++ b/hosts/common/home/xdg-dirs.nix
@@ -0,0 +1,20 @@
 { lib, sane-lib, ...}:
 {
  # XDG defines things like ~/Desktop, ~/Downloads, etc.
  # these clutter the home, so i mostly don't use them.
  sane.user.fs.".config/user-dirs.dirs" = sane-lib.fs.wantedText ''
    XDG_DESKTOP_DIR="$HOME/.xdg/Desktop"
    XDG_DOCUMENTS_DIR="$HOME/dev"
    XDG_DOWNLOAD_DIR="$HOME/tmp"
    XDG_MUSIC_DIR="$HOME/Music"
    XDG_PICTURES_DIR="$HOME/Pictures"
    XDG_PUBLICSHARE_DIR="$HOME/.xdg/Public"
    XDG_TEMPLATES_DIR="$HOME/.xdg/Templates"
    XDG_VIDEOS_DIR="$HOME/Videos"
  '';
  # prevent `xdg-user-dirs-update` from overriding/updating our config
  # see <https://manpages.ubuntu.com/manpages/bionic/man5/user-dirs.conf.5.html>
  sane.user.fs.".config/user-dirs.conf" = sane-lib.fs.wantedText "enabled=False";
 }
--- a/hosts/common/home/zsh/default.nix
+++ b/hosts/common/home/zsh/default.nix
@@ -0,0 +1,161 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
  inherit (lib) mkOption types;
  cfg = config.sane.zsh;
  # powerlevel10k prompt config
  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
  p10k-overrides = ''
    # powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
    # this keeps open file handles for any git repo i touch for 60 minutes (by default).
    # that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
    # i can disable gitstatusd and get slower fallback git queries:
    # - either universally
    # - or selectively by path
    # see: <https://github.com/romkatv/powerlevel10k/issues/246>
    typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
    # typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
    # show user@host also when logged into the current machine.
    # default behavior is to show it only over ssh.
    typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
  '';
  prezto-init = ''
    source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
    source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
  '';
 in
 {
  options = {
    sane.zsh = {
      showDeadlines = mkOption {
        type = types.bool;
        default = true;
        description = "show upcoming deadlines (frommy PKM) upon shell init";
      };
    };
  };
  config = {
    sane.user.persist.plaintext = [
      # we don't need to full zsh dir -- just the history file --
      # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
      # TODO: should be private?
      ".local/share/zsh"
      # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
      ".cache/gitstatus"
    ];
    # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
    sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
    # enable zsh completions
    environment.pathsToLink = [ "/share/zsh" ];
    programs.zsh = {
      enable = true;
      histFile = "$HOME/.local/share/zsh/history";
      shellAliases = {
        ":q" = "exit";
        # common typos
        "cd.." = "cd ..";
        "cd../" = "cd ../";
      };
      setOptions = [
        # defaults:
        "HIST_IGNORE_DUPS"
        "SHARE_HISTORY"
        "HIST_FCNTL_LOCK"
        # disable `rm *` confirmations
        "rmstarsilent"
      ];
      # .zshenv config:
      shellInit = ''
        ZDOTDIR=$HOME/.config/zsh
      '';
      # .zshrc config:
      interactiveShellInit =
        (builtins.readFile ./p10k.zsh)
      + p10k-overrides
      + prezto-init
      + ''
        # zmv is a way to do rich moves/renames, with pattern matching/substitution.
        # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
        autoload -Uz zmv
        HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch)'
        # extra aliases
        # TODO: move to `shellAliases` config?
        function nd() {
          mkdir -p "$1";
          pushd "$1";
        }
      ''
      + lib.optionalString cfg.showDeadlines ''
        ${pkgs.sane-scripts}/bin/sane-deadlines
      ''
      + ''
        # auto-cd into any of these dirs by typing them and pressing 'enter':
        hash -d 3rd="/home/colin/dev/3rd"
        hash -d dev="/home/colin/dev"
        hash -d knowledge="/home/colin/knowledge"
        hash -d nixos="/home/colin/nixos"
        hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
        hash -d ref="/home/colin/ref"
        hash -d secrets="/home/colin/knowledge/secrets"
        hash -d tmp="/home/colin/tmp"
        hash -d uninsane="/home/colin/dev/uninsane"
        hash -d Videos="/home/colin/Videos"
      '';
      syntaxHighlighting.enable = true;
      vteIntegration = true;
    };
    # enable a command-not-found hook to show nix packages that might provide the binary typed.
    programs.nix-index.enable = true;
    programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
    # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
    # see: https://github.com/sorin-ionescu/prezto
    # i believe this file is auto-sourced by the prezto init.zsh script.
    sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
      zstyle ':prezto:*:*' color 'yes'
      # modules (they ship with prezto):
      # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
      # TERMINAL: auto-titles terminal (e.g. based on cwd)
      # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
      # HISTORY: `history-stat` alias, setopts for good history defaults
      # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
      # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
      # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
      #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
      # COMPLETION: tab completion. requires `utility` module prior to loading
      # TODO: enable AUTO_PARAM_SLASH
      zstyle ':prezto:load' pmodule \
        'environment' \
        'terminal' \
        'editor' \
        'history' \
        'directory' \
        'spectrum' \
        'utility' \
        'completion' \
        'prompt'
      # default keymap. try also `vicmd` (vim normal mode, AKA "cmd mode") or `vi`.
      zstyle ':prezto:module:editor' key-bindings 'emacs'
      zstyle ':prezto:module:prompt' theme 'powerlevel10k'
      # disable `mv` confirmation (and `rm`, too, unfortunately)
      zstyle ':prezto:module:utility' safe-ops 'no'
    '';
  };
 }
--- a/modules/home-manager/zsh/p10k.zsh
+++ b/modules/home-manager/zsh/p10k.zsh
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -1,3 +1,6 @@
 # TODO: migrate to nixpkgs `config.ids.uids`
 # - note that nixpkgs' `config.ids.uids` is strictly a database: it doesn't set anything by default
 #   whereas our impl sets the gid/uid of the user/group specified if they exist.
 { ... }:
 {
@@ -25,6 +28,8 @@
  sane.ids.signald.gid = 2403;
  sane.ids.mautrix-signal.uid = 2404;
  sane.ids.mautrix-signal.gid = 2404;
  sane.ids.navidrome.uid = 2405;
  sane.ids.navidrome.gid = 2405;
  sane.ids.colin.uid = 1000;
  sane.ids.guest.uid = 1100;
@@ -33,7 +38,7 @@
  sane.ids.sshd.uid = 2001;  # 997
  sane.ids.sshd.gid = 2001;  # 997
  sane.ids.polkituser.gid = 2002;  # 998
-  sane.ids.systemd-coredump.gid = 2003;  # 996
+  sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12-2023/02/28: upstream temporarily specified this as 151
  sane.ids.nscd.uid = 2004;
  sane.ids.nscd.gid = 2004;
  sane.ids.systemd-oom.uid = 2005;
--- a/hosts/common/persist.nix
+++ b/hosts/common/persist.nix
@@ -0,0 +1,18 @@
 { ... }:
 {
  sane.persist.stores.private.origin = "/home/colin/private";
  # store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
  sane.persist.stores.private.prefix = "/home/colin";
  sane.persist.sys.plaintext = [
    "/var/log"
    "/var/backup"  # for e.g. postgres dumps
    # TODO: move elsewhere
    "/var/lib/alsa"                # preserve output levels, default devices
    "/var/lib/colord"              # preserve color calibrations (?)
    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
    "/var/lib/systemd/backlight"   # backlight brightness
    "/var/lib/systemd/coredump"
  ];
 }
--- a/hosts/common/programs.nix
+++ b/hosts/common/programs.nix
@@ -0,0 +1,384 @@
 { lib, pkgs, ... }:
 let
  inherit (builtins) attrNames concatLists;
  inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge optional;
  flattenedPkgs = pkgs // (with pkgs; {
    # XXX can't `inherit` a nested attr, so we move them to the toplevel
    "cacert.unbundled" = pkgs.cacert.unbundled;
    "gnome.cheese" = gnome.cheese;
    "gnome.dconf-editor" = gnome.dconf-editor;
    "gnome.file-roller" = gnome.file-roller;
    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
    "gnome.gnome-maps" = gnome.gnome-maps;
    "gnome.nautilus" = gnome.nautilus;
    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
    "gnome.gnome-terminal" = gnome.gnome-terminal;
    "gnome.gnome-weather" = gnome.gnome-weather;
    "gnome.totem" = gnome.totem;
    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
  });
  sysadminPkgs = {
    inherit (flattenedPkgs)
      btrfs-progs
      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
      cryptsetup
      dig
      efibootmgr
      fatresize
      fd
      file
      gawk
      git
      gptfdisk
      hdparm
      htop
      iftop
      inetutils  # for telnet
      iotop
      iptables
      jq
      killall
      lsof
      nano
      netcat
      nethogs
      nmap
      openssl
      parted
      pciutils
      powertop
      pstree
      ripgrep
      screen
      smartmontools
      socat
      strace
      subversion
      tcpdump
      tree
      usbutils
      wget
    ;
  };
  sysadminExtraPkgs = {
    # application-specific packages
    inherit (pkgs)
      backblaze-b2
      duplicity
      sqlite  # to debug sqlite3 databases
    ;
  };
  iphonePkgs = {
    inherit (pkgs)
      ifuse
      ipfs
      libimobiledevice
    ;
  };
  tuiPkgs = {
    inherit (pkgs)
      aerc  # email client
      offlineimap  # email mailox sync
      visidata  # TUI spreadsheet viewer/editor
      w3m
    ;
  };
  # TODO: split these into smaller groups.
  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy ("powerutils"?)
  consolePkgs = {
    inherit (pkgs)
      cdrtools
      dmidecode
      efivar
      flashrom
      fwupd
      ghostscript  # TODO: imagemagick wrapper should add gs to PATH
      gnupg
      gocryptfs
      gopass
      gopass-jsonapi
      imagemagick
      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
      libsecret  # for managing user keyrings
      lm_sensors  # for sensors-detect
      lshw
      ffmpeg
      memtester
      # networkmanager
      nixpkgs-review
      # nixos-generators
      # nettools
      nmon
      oathToolkit  # for oathtool
      # ponymix
      pulsemixer
      python3
      rsync
      # python3Packages.eyeD3  # music tagging
      sane-scripts
      sequoia
      snapper
      sops
      sox
      speedtest-cli
      ssh-to-age
      sudo
      # tageditor  # music tagging
      unar
      wireguard-tools
      xdg-utils  # for xdg-open
      # youtube-dl
      yt-dlp
    ;
  };
  guiPkgs = {
    inherit (flattenedPkgs)
      celluloid  # mpv frontend
      clinfo
      emote
      evince  # works on phosh
      # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
      # foliate  # e-book reader
      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
      # then reboot (so that libsecret daemon re-loads the keyring...?)
      # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
      # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
      # "gnome.cheese"
      "gnome.dconf-editor"
      gnome-feeds  # RSS reader (with claimed mobile support)
      "gnome.file-roller"
      # "gnome.gnome-maps"  # works on phosh
      "gnome.nautilus"
      # gnome-podcasts
      "gnome.gnome-system-monitor"
      # "gnome.gnome-terminal"  # works on phosh
      "gnome.gnome-weather"
      gpodder-configured
      gthumb
      # lollypop
      mpv
      networkmanagerapplet
      # newsflash
      nheko
      pavucontrol
      # picard  # music tagging
      playerctl
      # "libsForQt5.plasmatube"  # Youtube player
      soundconverter
      # sublime music persists any downloaded albums here.
      # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
      # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
      #   possible to pass config as a CLI arg (sublime-music -c config.json)
      # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
      sublime-music-mobile
      # tdesktop  # broken on phosh
      # tokodon
      vlc
      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
      # whalebird
      xterm  # broken on phosh
    ;
  };
  desktopGuiPkgs = {
    inherit (flattenedPkgs)
      audacity
      brave  # for the integrated wallet -- as a backup
      chromium
      dino
      electrum
      element-desktop
      font-manager
      gajim  # XMPP client
      gimp  # broken on phosh
      "gnome.gnome-disk-utility"
      # "gnome.totem"  # video player, supposedly supports UPnP
      handbrake
      hase
      inkscape
      jellyfin-media-player  # TODO: try on moby!
      kdenlive
      kid3  # audio tagging
      krita
      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
      mumble
      obsidian
    ;
  };
  x86GuiPkgs = {
    inherit (pkgs)
      discord
      # kaiteki  # Pleroma client
      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
      # gpt2tc  # XXX: unreliable mirror
      logseq
      losslesscut-bin
      makemkv
      monero-gui
      signal-desktop
      spotify
      tor-browser-bundle-bin
      zecwallet-lite
    ;
  };
  # packages not part of any package set
  otherPkgs = {
    inherit (pkgs)
      stepmania
    ;
  };
  # define -- but don't enable -- the packages in some attrset.
  # use `mkDefault` for the package here so we can customize some of them further down this file
  declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
    package = mkDefault p;
  }) pkgsAsAttrs;
 in
 {
  config = {
    sane.programs = mkMerge [
      (declarePkgs consolePkgs)
      (declarePkgs desktopGuiPkgs)
      (declarePkgs guiPkgs)
      (declarePkgs iphonePkgs)
      (declarePkgs sysadminPkgs)
      (declarePkgs sysadminExtraPkgs)
      (declarePkgs tuiPkgs)
      (declarePkgs x86GuiPkgs)
      (declarePkgs otherPkgs)
      {
        # link the various package sets into their own meta packages
        consoleUtils = {
          package = null;
          suggestedPrograms = attrNames consolePkgs;
        };
        desktopGuiApps = {
          package = null;
          suggestedPrograms = attrNames desktopGuiPkgs;
        };
        guiApps = {
          package = null;
          suggestedPrograms = (attrNames guiPkgs)
            ++ [ "tuiApps" ]
            ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
        };
        iphoneUtils = {
          package = null;
          suggestedPrograms = attrNames iphonePkgs;
        };
        sysadminUtils = {
          package = null;
          suggestedPrograms = attrNames sysadminPkgs;
        };
        sysadminExtraUtils = {
          package = null;
          suggestedPrograms = attrNames sysadminExtraPkgs;
        };
        tuiApps = {
          package = null;
          suggestedPrograms = attrNames tuiPkgs;
        };
        x86GuiApps = {
          package = null;
          suggestedPrograms = attrNames x86GuiPkgs;
        };
      }
      {
        # nontrivial package definitions
        imagemagick.package = pkgs.imagemagick.override {
          ghostscriptSupport = true;
        };
        dino.private = [ ".local/share/dino" ];
        # creds, but also 200 MB of node modules, etc
        discord.private = [ ".config/discord" ];
        # creds/session keys, etc
        element-desktop.private = [ ".config/Element" ];
        # `emote` will show a first-run dialog based on what's in this directory.
        # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
        # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
        emote.dir = [ ".local/share/Emote" ];
        # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
        #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
        gpodder-configured.dir = [ "gPodder" ];
        # jellyfin stores things in a bunch of directories: this one persists auth info.
        # it *might* be possible to populate this externally (it's Qt stuff), but likely to
        # be fragile and take an hour+ to figure out.
        jellyfin-media-player.dir = [ ".local/share/Jellyfin Media Player" ];
        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
        # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
        monero-gui.dir = [ ".bitmonero" ];
        mpv.dir = [ ".config/mpv/watch_later" ];
        mumble.private = [ ".local/share/Mumble" ];
        # not strictly necessary, but allows caching articles; offline use, etc.
        newsflash.dir = [ ".local/share/news-flash" ];
        nheko.private = [
          ".config/nheko"  # config file (including client token)
          ".cache/nheko"  # media cache
          ".local/share/nheko"  # per-account state database
        ];
        # settings (electron app)
        obsidian.dir = [ ".config/obsidian" ];
        # creds, media
        signal-desktop.private = [ ".config/Signal" ];
        # creds, widevine .so download. TODO: could easily manage these statically.
        spotify.dir = [ ".config/spotify" ];
        # sublime music persists any downloaded albums here.
        # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
        # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
        #   possible to pass config as a CLI arg (sublime-music -c config.json)
        # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
        sublime-music-mobile.dir = [ ".local/share/sublime-music" ];
        tdesktop.private = [ ".local/share/TelegramDesktop" ];
        tokodon.private = [ ".cache/KDE/tokodon" ];
        # hardenedMalloc solves a crash at startup
        # TODO 2023/02/02: is this safe to remove yet?
        tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
          useHardenedMalloc = false;
        };
        # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
        vlc.dir = [ ".config/vlc" ];
        whalebird.private = [ ".config/Whalebird" ];
        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
        zecwallet-lite.private = [ ".zcash" ];
      }
    ];
    # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
    environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
  };
 }
--- a/hosts/common/secrets.nix
+++ b/hosts/common/secrets.nix
@@ -55,6 +55,9 @@
  sops.secrets."router_passwd" = {
    sopsFile = ../../secrets/universal.yaml;
  };
  sops.secrets."transmission_passwd" = {
    sopsFile = ../../secrets/universal.yaml;
  };
  sops.secrets."wg_ovpnd_us_privkey" = {
    sopsFile = ../../secrets/universal.yaml;
  };
@@ -99,18 +102,26 @@
    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-bedroom.psk" = {
    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared-24G.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/makespace-south.psk" = {
    sopsFile = ../../secrets/universal/net/makespace-south.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-shared-24G.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-shared.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/iphone" = {
    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
    format = "binary";
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -3,12 +3,12 @@
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 with lib;
 let
-  cfg = config.sane.users;
+  cfg = config.sane.guest;
  fs = sane-lib.fs;
 in
 {
  options = {
-    sane.users.guest.enable = mkOption {
+    sane.guest.enable = mkOption {
      default = false;
      type = types.bool;
    };
@@ -66,6 +66,7 @@ in
    security.pam.mount.enable = true;
    sane.users.colin.default = true;
    # ensure ~ perms are known to sane.fs module.
    # TODO: this is generic enough to be lifted up into sane.fs itself.
    sane.fs."/home/colin".dir.acl = {
@@ -74,7 +75,7 @@ in
      mode = config.users.users.colin.homeMode;
    };
-    sane.persist.home.plaintext = [
+    sane.user.persist.plaintext = [
      "archive"
      "dev"
      # TODO: records should be private
@@ -87,25 +88,28 @@ in
      "Videos"
      ".cache/nix"
-      ".cargo"
+      ".cache/nix-index"
-      ".rustup"
+
      # ".cargo"
      # ".rustup"
    ];
    # convenience
-    sane.fs."/home/colin/knowledge" = fs.wantedSymlinkTo "/home/colin/private/knowledge";
+    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
-    sane.fs."/home/colin/nixos" = fs.wantedSymlinkTo "/home/colin/dev/nixos";
+    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
-    sane.fs."/home/colin/Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
+    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
-    sane.fs."/home/colin/Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
+    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.fs."/home/colin/Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
+    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
    # used by password managers, e.g. unix `pass`
-    sane.fs."/home/colin/.password-store" = fs.wantedSymlinkTo "/home/colin/knowledge/secrets/accounts";
+    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
-    sane.persist.sys.plaintext = mkIf cfg.guest.enable [
+    sane.persist.sys.plaintext = mkIf cfg.enable [
      # intentionally allow other users to write to the guest folder
      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
    ];
-    users.users.guest = mkIf cfg.guest.enable {
+    users.users.guest = mkIf cfg.enable {
      isNormalUser = true;
      home = "/home/guest";
      subUidRanges = [
@@ -126,8 +130,8 @@ in
    services.openssh = {
      enable = true;
-      permitRootLogin = "no";
+      settings.PermitRootLogin = "no";
-      passwordAuthentication = false;
+      settings.PasswordAuthentication = false;
    };
  };
 }
--- a/hosts/instantiate.nix
+++ b/hosts/instantiate.nix
@@ -4,7 +4,7 @@
 { hostName, localSystem }:
 # module args
-{ config, ... }:
+{ config, lib, ... }:
 {
  imports = [
@@ -14,14 +14,16 @@
  ];
  networking.hostName = hostName;
  nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
  sane.cross.enablePatches = localSystem != null;
-  nixpkgs.overlays = [
+  # nixpkgs.overlays = [
-    (next: prev: {
+  #   (next: prev: {
-      # for local != target we by default just emulate the target while building.
+  #     # for local != target we by default just emulate the target while building.
-      # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
+  #     # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
-      # to explicitly opt into non-emulated cross compilation for any specific package.
+  #     # to explicitly opt into non-emulated cross compilation for any specific package.
-      # this is most beneficial for large packages with few pre-requisites -- like Linux.
+  #     # this is most beneficial for large packages with few pre-requisites -- like Linux.
-      cross = next.crossFrom."${localSystem}";
+  #     cross = prev.crossFrom."${localSystem}";
-    })
+  #   })
-  ];
+  # ];
 }
--- a/hosts/modules/default.nix
+++ b/hosts/modules/default.nix
@@ -3,10 +3,14 @@
 {
  imports = [
    ./derived-secrets.nix
    ./gui
    ./hardware
    ./hostnames.nix
    ./hosts.nix
    ./nixcache.nix
    ./roles
    ./services
    ./wg-home.nix
    ./yggdrasil.nix
  ];
 }
--- a/hosts/modules/gui/default.nix
+++ b/hosts/modules/gui/default.nix
@@ -0,0 +1,15 @@
 { lib, config, ... }:
 let
  inherit (lib) mkDefault mkIf mkOption types;
  cfg = config.sane.gui;
 in
 {
  imports = [
    ./gnome.nix
    ./phosh.nix
    ./plasma.nix
    ./plasma-mobile.nix
    ./sway.nix
  ];
 }
--- a/hosts/modules/gui/gnome.nix
+++ b/hosts/modules/gui/gnome.nix
@@ -13,7 +13,7 @@ in
  };
  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
    # start gnome/gdm on boot
    services.xserver.enable = true;
@@ -25,7 +25,7 @@ in
    networking.networkmanager.enable = true;
    networking.wireless.enable = lib.mkForce false;
  };
-  # home-mananger.users.colin extras
+  # user extras:
  # obtain these by running `dconf dump /` after manually customizing gnome
  # TODO: fix "is not of type `GVariant value'"
  # dconf.settings = lib.mkIf (gui == "gnome") {
--- a/hosts/modules/gui/phosh.nix
+++ b/hosts/modules/gui/phosh.nix
@@ -20,9 +20,43 @@ in
    };
  };
-  config = mkIf cfg.enable (mkMerge [
+  config = mkMerge [
    {
-      sane.gui.enable = true;
+      sane.programs.phoshApps = {
        package = null;
        suggestedPrograms = [
          "guiApps"
          # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
          "gnome.gnome-bluetooth"
          "gnome.gnome-terminal"
          "phosh-mobile-settings"
          # "plasma5Packages.konsole"  # more reliable terminal
        ];
      };
    }
    {
      sane.programs = {
        inherit (pkgs // {
          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
          "gnome.gnome-terminal" = pkgs.gnome.gnome-terminal;
          "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
        })
          phosh-mobile-settings
          "plasma5Packages.konsole"
          # "gnome.gnome-bluetooth"
          "gnome.gnome-terminal"
        ;
      };
    }
    (mkIf cfg.enable {
      sane.programs.phoshApps.enableFor.user.colin = true;
      # TODO(2023/02/28): remove this qt.style = "gtk2" override.
      # gnome by default tells qt to stylize its apps similar to gnome.
      # but the package needed for that doesn't cross-compile, hence i disable that here.
      # qt.platformTheme = "gtk2";
      # qt.style = "gtk2";
      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
      services.xserver.desktopManager.phosh = {
@@ -38,6 +72,26 @@ in
        };
      };
      # phosh enables `services.gnome.{core-os-services, core-shell}`
      # and this in turn enables some default apps we don't really care about.
      # see <nixos/modules/services/x11/desktop-managers/gnome.nix>
      environment.gnome.excludePackages = with pkgs; [
        # gnome.gnome-menus  # unused outside gnome classic, but probably harmless
        gnome-tour
      ];
      services.dleyna-renderer.enable = false;
      services.dleyna-server.enable = false;
      services.gnome.gnome-browser-connector.enable = false;
      services.gnome.gnome-initial-setup.enable = false;
      services.gnome.gnome-online-accounts.enable = false;
      services.gnome.gnome-remote-desktop.enable = false;
      services.gnome.gnome-user-share.enable = false;
      services.gnome.rygel.enable = false;
      # gnome doesn't use mkDefault for these -- unclear why not
      services.gnome.evolution-data-server.enable = mkForce false;
      services.gnome.gnome-online-miners.enable = mkForce false;
      # XXX: phosh enables networkmanager by default; can probably disable these lines
      networking.useDHCP = false;
      networking.networkmanager.enable = true;
@@ -59,14 +113,27 @@ in
        NIXOS_OZONE_WL = "1";
      };
-      sane.packages.extraUserPkgs = with pkgs; [
+      programs.dconf.packages = [
-        phosh-mobile-settings
+        # org.kde.konsole.desktop
        (pkgs.writeTextFile {
          name = "dconf-phosh-settings";
          destination = "/etc/dconf/db/site.d/00_phosh_settings";
          text = ''
            [org/gnome/desktop/interface]
            show-battery-percentage=true
-        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
+            [org/gnome/settings-daemon/plugins/power]
-        gnome.gnome-bluetooth
+            sleep-inactive-ac-timeout=5400
            sleep-inactive-battery-timeout=5400
            [sm/puri/phosh]
            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.gnome.Terminal.desktop']
          '';
        })
      ];
-    }
+    })
-    (mkIf cfg.useGreeter {
+
    (mkIf (cfg.enable && cfg.useGreeter) {
      services.xserver.enable = true;
      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
@@ -92,5 +159,5 @@ in
      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
    })
-  ]);
+  ];
 }
--- a/hosts/modules/gui/plasma-mobile.nix
+++ b/hosts/modules/gui/plasma-mobile.nix
@@ -13,7 +13,8 @@ in
  };
  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
    # start plasma-mobile on boot
    services.xserver.enable = true;
    services.xserver.desktopManager.plasma5.mobile.enable = true;
--- a/hosts/modules/gui/plasma.nix
+++ b/hosts/modules/gui/plasma.nix
@@ -13,7 +13,7 @@ in
  };
  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
    # start plasma on boot
    services.xserver.enable = true;
--- a/hosts/modules/gui/snippets.txt
+++ b/hosts/modules/gui/snippets.txt
--- a/hosts/modules/gui/sway.nix
+++ b/hosts/modules/gui/sway.nix
@@ -0,0 +1,665 @@
 { config, lib, pkgs, sane-lib, ... }:
 # docs: https://nixos.wiki/wiki/Sway
 with lib;
 let
  cfg = config.sane.gui.sway;
  # docs: https://github.com/Alexays/Waybar/wiki/Configuration
  # format specifiers: https://fmt.dev/latest/syntax.html#syntax
  waybar-config = [
    { # TOP BAR
      layer = "top";
      height = 40;
      modules-left = ["sway/workspaces" "sway/mode"];
      modules-center = ["sway/window"];
      modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
      "sway/window" = {
        max-length = 50;
      };
      # include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
      "custom/mediaplayer" = {
        exec = pkgs.writeShellScript "waybar-mediaplayer" ''
          player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
          if [ "$player_status" = "Playing" ]; then
            echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
          elif [ "$player_status" = "Paused" ]; then
            echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
          fi
        '';
        interval = 2;
        format = "{}  ";
        # return-type = "json";
        on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
        on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
        on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
      };
      network = {
        # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
        interval = 2;
        max-length = 40;
        # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
        format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        format-disconnected = "";
      };
      cpu = {
        format = " {usage:2}%";
        tooltip = false;
      };
      battery = {
        states = {
          good = 95;
          warning = 30;
          critical = 10;
        };
        format = "{icon} {capacity}%";
        format-icons = [
          ""
          ""
          ""
          ""
          ""
        ];
      };
      clock = {
        format-alt = "{:%a, %d. %b  %H:%M}";
      };
    }
  ];
  # waybar-config-text = lib.generators.toJSON {} waybar-config;
  waybar-config-text = (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
  # bare sway launcher
  sway-launcher = pkgs.writeShellScriptBin "sway-launcher" ''
    ${pkgs.sway}/bin/sway --debug > /tmp/sway.log 2>&1
  '';
  # start sway and have it construct the gtkgreeter
  sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
    ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /tmp/sway-as-greeter.log 2>&1
  '';
  # (config file for the above)
  sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
    exec "${gtkgreet-launcher}"
  '';
  # gtkgreet which launches a layered sway instance
  gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
    # NB: the "command" field here is run in the user's shell.
    # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
    ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sway-launcher
  '';
  greeter-session = {
    # greeter session config
    command = "${sway-as-greeter}/bin/sway-as-greeter";
    # alternatives:
    # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
    # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
    # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
  };
  greeterless-session = {
    # no greeter
    command = "${sway-launcher}/bin/sway-launcher";
    user = "colin";
  };
 in
 {
  options = {
    sane.gui.sway.enable = mkOption {
      default = false;
      type = types.bool;
    };
    sane.gui.sway.useGreeter = mkOption {
      description = ''
        launch sway via a greeter (like greetd's gtkgreet).
        sway is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = true;
      type = types.bool;
    };
  };
  config = mkMerge [
    {
      sane.programs.swayApps = {
        package = null;
        suggestedPrograms = [
          "guiApps"
          "swaylock"
          "swayidle"
          "wl-clipboard"
          "mako"  # notification daemon
          # # "pavucontrol"
          "gnome.gnome-bluetooth"
          "gnome.gnome-control-center"
          "sway-contrib.grimshot"
        ];
      };
    }
    {
      sane.programs = {
        inherit (pkgs // {
          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
          "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
        })
          swaylock
          swayidle
          wl-clipboard
          mako
          "gnome.gnome-bluetooth"
          "gnome.gnome-control-center"
          "sway-contrib.grimshot"
        ;
      };
    }
    (mkIf cfg.enable {
      sane.programs.swayApps.enableFor.user.colin = true;
      # swap in these lines to use SDDM instead of `services.greetd`.
      # services.xserver.displayManager.sddm.enable = true;
      # services.xserver.enable = true;
      services.greetd = {
        # greetd source/docs:
        # - <https://git.sr.ht/~kennylevinsen/greetd>
        enable = true;
        settings = {
          default_session = if cfg.useGreeter then greeter-session else greeterless-session;
        };
      };
      # we need the greeter's command to be on our PATH
      users.users.colin.packages = [ sway-launcher ];
      # some programs (e.g. fractal) **require** a "Secret Service Provider"
      services.gnome.gnome-keyring.enable = true;
      # unlike other DEs, sway configures no audio stack
      # administer with pw-cli, pw-mon, pw-top commands
      services.pipewire = {
        enable = true;
        alsa.enable = true;
        alsa.support32Bit = true;  # ??
        pulse.enable = true;
      };
      networking.useDHCP = false;
      networking.networkmanager.enable = true;
      networking.wireless.enable = lib.mkForce false;
      hardware.bluetooth.enable = true;
      services.blueman.enable = true;
      # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
      services.gnome.gnome-settings-daemon.enable = true;
      # start the components of gsd we need at login
      systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
      # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
      # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
      # it doesn't actually seem to need ANY of them in the first place T_T
      systemd.user.targets."gnome-session-initialized".enable = false;
      # bluez can't connect to audio devices unless pipewire is running.
      # a system service can't depend on a user service, so just launch it at graphical-session
      systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
      programs.sway = {
        enable = true;
        wrapperFeatures.gtk = true;
      };
      sane.user.fs.".config/sway/config" =
        let
          fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
          sed = "${pkgs.gnused}/bin/sed";
          wtype = "${pkgs.wtype}/bin/wtype";
          kitty = "${pkgs.kitty}/bin/kitty";
          launcher-cmd = fuzzel;
          terminal-cmd = kitty;
          lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
          vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
          vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
          mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
          brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
          brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
          screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
          # "bookmarking"/snippets inspired by Luke Smith:
          # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
          snip-file = ./snippets.txt;
          # TODO: querying sops here breaks encapsulation
          list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
          strip-comments = "${sed} 's/ #.*$//'";
          snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
          # TODO: next splatmoji release should allow `-s none` to disable skin tones
          emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
        in sane-lib.fs.wantedText ''
          ### default font
          font pango:monospace 8
          ### pixel boundary between windows
          default_border pixel 3
          default_floating_border pixel 2
          hide_edge_borders smart
          ### defaults
          focus_wrapping no
          focus_follows_mouse yes
          focus_on_window_activation smart
          mouse_warping output
          workspace_layout default
          workspace_auto_back_and_forth no
          ### default colors (#border #background #text #indicator #childBorder)
          client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
          client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
          client.unfocused #333333 #222222 #888888 #292d2e #222222
          client.urgent #2f343a #900000 #ffffff #900000 #900000
          client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
          client.background #ffffff
          ### key bindings
          floating_modifier Mod1
          ## media keys
          bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
          bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
          bindsym Mod1+Page_Up exec ${vol-up-cmd}
          bindsym Mod1+Page_Down exec ${vol-down-cmd}
          bindsym XF86AudioMute exec ${mute-cmd}
          bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
          bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
          ## special functions
          bindsym Mod1+Print exec ${screenshot-cmd}
          bindsym Mod1+l exec ${lock-cmd}
          bindsym Mod1+s exec ${snip-cmd}
          bindsym Mod1+slash exec ${emoji-cmd}
          bindsym Mod1+d exec ${launcher-cmd}
          bindsym Mod1+Return exec ${terminal-cmd}
          bindsym Mod1+Shift+q kill
          bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
          bindsym Mod1+Shift+c reload
          ## layout
          bindsym Mod1+b splith
          bindsym Mod1+v splitv
          bindsym Mod1+f fullscreen toggle
          bindsym Mod1+a focus parent
          bindsym Mod1+w layout tabbed
          bindsym Mod1+e layout toggle split
          bindsym Mod1+Shift+space floating toggle
          bindsym Mod1+space focus mode_toggle
          bindsym Mod1+r mode resize
          ## movement
          bindsym Mod1+Up focus up
          bindsym Mod1+Down focus down
          bindsym Mod1+Left focus left
          bindsym Mod1+Right focus right
          bindsym Mod1+Shift+Up move up
          bindsym Mod1+Shift+Down move down
          bindsym Mod1+Shift+Left move left
          bindsym Mod1+Shift+Right move right
          ## workspaces
          bindsym Mod1+1 workspace number 1
          bindsym Mod1+2 workspace number 2
          bindsym Mod1+3 workspace number 3
          bindsym Mod1+4 workspace number 4
          bindsym Mod1+5 workspace number 5
          bindsym Mod1+6 workspace number 6
          bindsym Mod1+7 workspace number 7
          bindsym Mod1+8 workspace number 8
          bindsym Mod1+9 workspace number 9
          bindsym Mod1+Shift+1 move container to workspace number 1
          bindsym Mod1+Shift+2 move container to workspace number 2
          bindsym Mod1+Shift+3 move container to workspace number 3
          bindsym Mod1+Shift+4 move container to workspace number 4
          bindsym Mod1+Shift+5 move container to workspace number 5
          bindsym Mod1+Shift+6 move container to workspace number 6
          bindsym Mod1+Shift+7 move container to workspace number 7
          bindsym Mod1+Shift+8 move container to workspace number 8
          bindsym Mod1+Shift+9 move container to workspace number 9
          ## "scratchpad" = ??
          bindsym Mod1+Shift+minus move scratchpad
          bindsym Mod1+minus scratchpad show
          ### defaults
          mode "resize" {
            bindsym Down resize grow height 10 px
            bindsym Escape mode default
            bindsym Left resize shrink width 10 px
            bindsym Return mode default
            bindsym Right resize grow width 10 px
            bindsym Up resize shrink height 10 px
            bindsym h resize shrink width 10 px
            bindsym j resize grow height 10 px
            bindsym k resize shrink height 10 px
            bindsym l resize grow width 10 px
          }
          ### lightly modified bars
          bar {
            # TODO: fonts was:
            #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
            font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
            mode dock
            hidden_state hide
            position top
            status_command ${pkgs.i3status}/bin/i3status
            swaybar_command ${pkgs.waybar}/bin/waybar
            workspace_buttons yes
            strip_workspace_numbers no
            tray_output primary
            colors {
              background #000000
              statusline #ffffff
              separator #666666
              #  #border #background #text
              focused_workspace #4c7899 #285577 #ffffff
              active_workspace #333333 #5f676a #ffffff
              inactive_workspace #333333 #222222 #888888
              urgent_workspace #2f343a #900000 #ffffff
              binding_mode #2f343a #900000 #ffffff
          }
          }
          ### displays
          ## DESKTOP
          output "Samsung Electric Company S22C300 0x00007F35" {
          pos 0,0
          res 1920x1080
          }
          output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
          pos 1920,0
          res 3440x1440
          }
          ## LAPTOP
          # sh/en TV
          output "Pioneer Electronic Corporation VSX-524 0x00000101" {
          pos 0,0
          res 1920x1080
          }
          # internal display
          output "Unknown 0x0637 0x00000000" {
          pos 1920,0
          res 1920x1080
          }
        '';
      sane.user.fs.".config/waybar/config" = sane-lib.fs.wantedSymlinkTo waybar-config-text;
      # style docs: https://github.com/Alexays/Waybar/wiki/Styling
      sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText ''
        * {
          font-family: monospace;
        }
        /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
        window#waybar {
          background-color: rgba(43, 48, 59, 0.5);
          border-bottom: 3px solid rgba(100, 114, 125, 0.5);
          color: #ffffff;
          transition-property: background-color;
          transition-duration: .5s;
        }
        window#waybar.hidden {
          opacity: 0.2;
        }
        /*
        window#waybar.empty {
          background-color: transparent;
        }
        window#waybar.solo {
          background-color: #FFFFFF;
        }
        */
        window#waybar.termite {
          background-color: #3F3F3F;
        }
        window#waybar.chromium {
          background-color: #000000;
          border: none;
        }
        #workspaces button {
          padding: 0 5px;
          background-color: transparent;
          color: #ffffff;
          /* Use box-shadow instead of border so the text isn't offset */
          box-shadow: inset 0 -3px transparent;
          /* Avoid rounded borders under each workspace name */
          border: none;
          border-radius: 0;
        }
        /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
        #workspaces button:hover {
          background: rgba(0, 0, 0, 0.2);
          box-shadow: inset 0 -3px #ffffff;
        }
        #workspaces button.focused {
          background-color: #64727D;
          box-shadow: inset 0 -3px #ffffff;
        }
        #workspaces button.urgent {
          background-color: #eb4d4b;
        }
        #mode {
          background-color: #64727D;
          border-bottom: 3px solid #ffffff;
        }
        #clock,
        #battery,
        #cpu,
        #memory,
        #disk,
        #temperature,
        #backlight,
        #network,
        #pulseaudio,
        #custom-media,
        #tray,
        #mode,
        #idle_inhibitor,
        #mpd {
          padding: 0 10px;
          color: #ffffff;
        }
        #window,
        #workspaces {
          margin: 0 4px;
        }
        /* If workspaces is the leftmost module, omit left margin */
        .modules-left > widget:first-child > #workspaces {
          margin-left: 0;
        }
        /* If workspaces is the rightmost module, omit right margin */
        .modules-right > widget:last-child > #workspaces {
          margin-right: 0;
        }
        #clock {
          background-color: #64727D;
        }
        #battery {
          background-color: #ffffff;
          color: #000000;
        }
        #battery.charging, #battery.plugged {
          color: #ffffff;
          background-color: #26A65B;
        }
        @keyframes blink {
          to {
            background-color: #ffffff;
            color: #000000;
          }
        }
        #battery.critical:not(.charging) {
          background-color: #f53c3c;
          color: #ffffff;
          animation-name: blink;
          animation-duration: 0.5s;
          animation-timing-function: linear;
          animation-iteration-count: infinite;
          animation-direction: alternate;
        }
        label:focus {
          background-color: #000000;
        }
        #cpu {
          background-color: #2ecc71;
          color: #000000;
        }
        #memory {
          background-color: #9b59b6;
        }
        #disk {
          background-color: #964B00;
        }
        #backlight {
          background-color: #90b1b1;
        }
        #network {
          background-color: #2980b9;
        }
        #network.disconnected {
          background-color: #f53c3c;
        }
        #pulseaudio {
          background-color: #f1c40f;
          color: #000000;
        }
        #pulseaudio.muted {
          background-color: #90b1b1;
          color: #2a5c45;
        }
        #custom-media {
          background-color: #66cc99;
          color: #2a5c45;
          min-width: 100px;
        }
        #custom-media.custom-spotify {
          background-color: #66cc99;
        }
        #custom-media.custom-vlc {
          background-color: #ffa000;
        }
        #temperature {
          background-color: #f0932b;
        }
        #temperature.critical {
          background-color: #eb4d4b;
        }
        #tray {
          background-color: #2980b9;
        }
        #tray > .passive {
          -gtk-icon-effect: dim;
        }
        #tray > .needs-attention {
          -gtk-icon-effect: highlight;
          background-color: #eb4d4b;
        }
        #idle_inhibitor {
          background-color: #2d3436;
        }
        #idle_inhibitor.activated {
          background-color: #ecf0f1;
          color: #2d3436;
        }
        #mpd {
          background-color: #66cc99;
          color: #2a5c45;
        }
        #mpd.disconnected {
          background-color: #f53c3c;
        }
        #mpd.stopped {
          background-color: #90b1b1;
        }
        #mpd.paused {
          background-color: #51a37a;
        }
        #language {
          background: #00b093;
          color: #740864;
          padding: 0 5px;
          margin: 0 5px;
          min-width: 16px;
        }
        #keyboard-state {
          background: #97e1ad;
          color: #000000;
          padding: 0 0px;
          margin: 0 5px;
          min-width: 16px;
        }
        #keyboard-state > label {
          padding: 0 5px;
        }
        #keyboard-state > label.locked {
          background: rgba(0, 0, 0, 0.2);
        }
      '';
      # style = ''
      #   * {
      #     border: none;
      #     border-radius: 0;
      #     font-family: Source Code Pro;
      #   }
      #   window#waybar {
      #     background: #16191C;
      #     color: #AAB2BF;
      #   }
      #   #workspaces button {
      #     padding: 0 5px;
      #   }
      #   .custom-spotify {
      #     padding: 0 10px;
      #     margin: 0 4px;
      #     background-color: #1DB954;
      #     color: black;
      #   }
      # '';
    })
  ];
 }
--- a/hosts/modules/hardware/x86_64.nix
+++ b/hosts/modules/hardware/x86_64.nix
@@ -9,11 +9,6 @@
      # efi_pstore evivars
    ];
    # enable cross compilation
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    # nixpkgs.config.allowUnsupportedSystem = true;
    # nixpkgs.crossSystem.system = "aarch64-linux";
    powerManagement.cpuFreqGovernor = "powersave";
    hardware.cpu.amd.updateMicrocode = true;    # desktop
    hardware.cpu.intel.updateMicrocode = true;  # laptop
--- a/hosts/modules/hostnames.nix
+++ b/hosts/modules/hostnames.nix
@@ -1,11 +1,21 @@
 { config, lib, ... }:
 {
  # give each host a shortname that all the other hosts know, to allow easy comms.
  networking.hosts = lib.mkMerge [
    (lib.mapAttrs' (host: cfg: {
      # bare-name for LAN addresses
      # if using router's DNS, these mappings will already exist.
      # if using a different DNS provider (which servo does), then we need to explicity provide them.
      # ugly hack. would be better to get servo to somehow use the router's DNS
  networking.hosts = lib.mapAttrs' (host: cfg: {
      name = cfg.lan-ip;
      value = [ host ];
-  }) config.sane.hosts.by-name;
+    }) config.sane.hosts.by-name)
    (lib.mapAttrs' (host: cfg: {
      # -hn suffixed name for communication over my wg-home VPN.
      # hn = "home network"
      name = cfg.wg-home.ip;
      value = [ "${host}-hn" ];
    }) config.sane.hosts.by-name)
  ];
 }
--- a/hosts/modules/hosts.nix
+++ b/hosts/modules/hosts.nix
@@ -69,7 +69,7 @@ in
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
      wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
      wg-home.ip = "10.0.10.22";
-      lan-ip = "192.168.0.22";
+      lan-ip = "192.168.15.25";
    };
    sane.hosts.by-name."lappy" = {
@@ -77,13 +77,15 @@ in
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
      wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
      wg-home.ip = "10.0.10.20";
-      lan-ip = "192.168.0.20";
+      lan-ip = "192.168.15.13";
    };
    sane.hosts.by-name."moby" = {
      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
-      lan-ip = "192.168.0.48";
+      wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
      wg-home.ip = "10.0.10.48";
      lan-ip = "192.168.15.28";
    };
    sane.hosts.by-name."servo" = {
@@ -92,7 +94,7 @@ in
      wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
      wg-home.ip = "10.0.10.5";
      wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.0.5";
+      lan-ip = "192.168.15.24";
    };
  };
 }
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
@@ -13,6 +13,7 @@
 with lib;
 let
  cfg = config.sane.nixcache;
  hostName = config.networking.hostName;
 in
 {
  options = {
@@ -24,6 +25,17 @@ in
      default = config.sane.nixcache.enable;
      type = types.bool;
    };
    sane.nixcache.substituters = mkOption {
      type = types.listOf types.string;
      default =
        # TODO: make these blacklisted entries injectable
        (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
        ++ (lib.optional (hostName != "servo" && hostName != "desko") "http://desko:5000")
        ++ [
          "https://nix-community.cachix.org"
          "https://cache.nixos.org/"
        ];
    };
  };
  config = {
@@ -31,12 +43,7 @@ in
    # to explicitly build from a specific cache (in case others are down):
    # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
    # - `nix build ... --substituters http://desko:5000`
-    nix.settings.substituters = mkIf cfg.enable [
+    nix.settings.substituters = mkIf cfg.enable cfg.substituters;
      "https://nixcache.uninsane.org"
      "http://desko:5000"
      "https://nix-community.cachix.org"
      "https://cache.nixos.org/"
    ];
    # always trust our keys (so one can explicitly use a substituter even if it's not the default
    nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
      "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
--- a/hosts/modules/roles/build-machine.nix
+++ b/hosts/modules/roles/build-machine.nix
@@ -0,0 +1,82 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
  inherit (lib) mkIf mkMerge mkOption types;
  inherit (config.programs.ccache) cacheDir;
  cfg = config.sane.roles.build-machine;
 in
 {
  options.sane.roles.build-machine = {
    enable = mkOption {
      type = types.bool;
      default = false;
    };
    emulation = mkOption {
      type = types.bool;
      default = true;
    };
    ccache = mkOption {
      type = types.bool;
      default = true;
    };
  };
  config = mkMerge [
    ({
      sane.programs.qemu = pkgs.qemu;
    })
    (mkIf cfg.enable {
      # enable opt-in emulation of any package at runtime.
      # i.e. `nix build '.#host-pkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
      sane.programs.qemu.enableFor.user.colin = true;
      # serve packages to other machines that ask for them
      sane.services.nixserve.enable = true;
      # enable cross compilation
      # TODO: do this via stdenv injection, linking into /run/binfmt the stuff in <nixpkgs:nixos/modules/system/boot/binfmt.nix>
      boot.binfmt.emulatedSystems = lib.optionals cfg.emulation [
        "aarch64-linux"
        # "aarch64-darwin"  # not supported
        # "x86_64-darwin"   # not supported
      ];
      # corresponds to env var: NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
      # nixpkgs.config.allowUnsupportedSystem = true;
    })
    (mkIf (cfg.enable && cfg.ccache) {
      # programs.ccache.cacheDir = "/var/cache/ccache";  # nixos default
      # programs.ccache.cacheDir = "/homeless-shelter/.ccache";  # ccache default (~/.ccache)
      # if the cache doesn't reside at ~/.ccache, then CCACHE_DIR has to be set.
      # we can do that manually as commented out below, or let nixos do it for us by telling it to use ccache on a dummy package:
      programs.ccache.packageNames = [ "dummy-pkg-to-force-ccache-config" ];
      # nixpkgs.overlays = [
      #   (self: super: {
      #     # XXX: if the cache resides not at ~/.ccache (i.e. /homeless-shelter/.ccache)
      #     # then we need to explicitly tell ccache where that is.
      #     ccacheWrapper = super.ccacheWrapper.override {
      #       extraConfig = ''
      #         export CCACHE_DIR="${cacheDir}"
      #       '';
      #     };
      #   })
      # ];
      # granular compilation cache
      # docs: <https://nixos.wiki/wiki/CCache>
      # investigate the cache with:
      # - `nix-ccache --show-stats`
      # - `build '.#ccache'
      #   - `sudo CCACHE_DIR=/var/cache/ccache ./result/bin/ccache --show-stats -v`
      # TODO: whitelist `--verbose` in <nixpkgs:nixos/modules/programs/ccache.nix>
      # TODO: configure without compression (leverage fs-level compression), and enable file-clone (i.e. hardlinks)
      programs.ccache.enable = true;
      nix.settings.extra-sandbox-paths = [ cacheDir ];
      sane.persist.sys.plaintext = [
        { group = "nixbld"; mode = "0775"; directory = config.programs.ccache.cacheDir; }
      ];
      sane.fs."${cacheDir}/ccache.conf" = sane-lib.fs.wantedText ''
        max_size = 50G
      '';
    })
  ];
 }
--- a/hosts/modules/roles/default.nix
+++ b/hosts/modules/roles/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
    ./build-machine.nix
    ./client
  ];
 }
--- a/hosts/modules/services/default.nix
+++ b/hosts/modules/services/default.nix
@@ -0,0 +1,6 @@
 { ... }:
 {
  imports = [
    ./duplicity.nix
  ];
 }
--- a/hosts/modules/services/duplicity.nix
+++ b/hosts/modules/services/duplicity.nix
--- a/hosts/modules/yggdrasil.nix
+++ b/hosts/modules/yggdrasil.nix
@@ -0,0 +1,30 @@
 # docs: <nixpkgs:nixos/modules/services/networking/yggdrasil.md>
 # - or message CW/0x00
 { config, lib, ... }:
 let
  inherit (lib) mkIf mkOption types;
  cfg = config.sane.yggdrasil;
 in
 {
  options.sane.yggdrasil = {
    enable = mkOption {
      type = types.bool;
      default = false;
    };
  };
  config = mkIf cfg.enable {
    services.yggdrasil = {
      enable = true;
      persistentKeys = true;
      config = {
        IFName = "ygg0";
        Peers = [
          "tls://longseason.1200bps.xyz:13122"
        ];
      };
    };
  };
 }
--- a/modules/data/feeds/sources/acquiredlpbonussecretsecret.libsyn.com/default.json
+++ b/modules/data/feeds/sources/acquiredlpbonussecretsecret.libsyn.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 443732,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "Ben and David are joined by expert founders and investors \u2014 writing the next generation of great company stories in real-time.\n\nWe go behind the scenes on their journeys and bring back emerging insights and lessons that are useful for anyone in the tech and investing ecosystems.\n\nAcquired covers yesterday. ACQ2 covers tomorrow.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 92,
  "last_updated": "2023-03-02T17:03:15+00:00",
  "score": 10,
  "self_url": "https://acquiredlpbonussecretsecret.libsyn.com/",
  "site_name": "ACQ2 by Acquired",
  "site_url": "https://acquiredlpbonussecretsecret.libsyn.com",
  "title": "ACQ2 by Acquired",
  "url": "https://acquiredlpbonussecretsecret.libsyn.com",
  "velocity": 0.057,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/applieddivinitystudies.com/default.json
+++ b/modules/data/feeds/sources/applieddivinitystudies.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 208377,
  "content_type": "application/xml; charset=utf-8",
  "description": "applieddivinitystudies@gmail.com",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 20,
  "last_updated": "2022-12-20T01:23:44.546000+00:00",
  "score": 26,
  "self_url": "https://applieddivinitystudies.com/atom.xml",
  "site_name": "Applied Divinity Studies",
  "site_url": "https://applieddivinitystudies.com",
  "title": "Applied Divinity Studies",
  "url": "https://applieddivinitystudies.com/atom.xml",
  "velocity": 0.079,
  "version": "atom10"
 }
--- a/modules/data/feeds/sources/ascii.textfiles.com/default.json
+++ b/modules/data/feeds/sources/ascii.textfiles.com/default.json
--- a/modules/data/feeds/sources/austinvernon.site/default.json
+++ b/modules/data/feeds/sources/austinvernon.site/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 19245,
  "content_type": "text/xml; charset=utf-8",
  "description": "Austin Vernon's Blog",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 42,
  "last_updated": "2023-01-05T00:00:00+00:00",
  "score": 24,
  "self_url": "",
  "site_name": "Austin Vernon - Austin Vernon's Blog",
  "site_url": "https://austinvernon.site",
  "title": "Austin Vernon",
  "url": "https://austinvernon.site/rss.xml",
  "velocity": 0.063,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/balajis.com/default.json
+++ b/modules/data/feeds/sources/balajis.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 453506,
  "content_type": "text/xml; charset=utf-8",
  "description": "Balaji Srinivasan's personal blog. Formerly CTO of Coinbase and General Partner at a16z, @balajis is an investor and founder.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 15,
  "last_updated": "2022-04-28T18:22:11+00:00",
  "score": 16,
  "self_url": "https://balajis.com/rss/",
  "site_name": "Balaji Srinivasan",
  "site_url": "https://balajis.com",
  "title": "Balaji Srinivasan",
  "url": "https://balajis.com/rss/",
  "velocity": 0.01,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/ben-evans.com/benedictevans/default.json
+++ b/modules/data/feeds/sources/ben-evans.com/benedictevans/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 213052,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "",
  "favicon": "https://images.squarespace-cdn.com/content/v1/50363cf324ac8e905e7df861/ebdb4645-db93-4967-881d-db698ee59c2c/favicon.ico?format=100w",
  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAMAAABHPGVmAAAB4FBMVEUAAADmRjIBAADmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjLmRjL///8mIgRMAAAAnnRSTlMAAAA6W1pZTTESpvnryogzAeaCFKwboQv38vP6X449P0FPe8b8vw5mhe02aAif/VhCZx/h4PVD1xwEmQVt3i1uBwwWPpv0Ybu8vtLx7m/JSf5IniT28DWLOTxAUX3EzSgXaXJxc0URa+elCjSdnKLWGewykUv4VSB87zgmHs8iKbZlCbFXhLfHGOpKY9VTjaOuUDAG2tvLGidGL+iWJUyE2tMAAAJwSURBVHja7df5U1JRGMZxnxItw6Q0FdTCoowyWiSJMLXQrMAyU9ojWxQFc8+MijYL23db+VsbTsCZC9xkbu9JnTnfH58Z+MywvAN5MplMJpPJFjuoRoqszNelVVC4ajUpAxTFMlqjL15bYgAEIbx160sBUQivbAMgCuGVVwCkSKUxmakq9dZUEyM1GzclMtdu3mKJsbZuo0XqAF7p9ko2WnfQIjvBJ6B+FxttuwUgfNxjYuteeoSHfQ1srRaL2OPj/kaBCGA2xkfHAXEI4DzIxhoDNQKeq4m974eaQYu0tFYkOnzE3dYen0xHqW+Xo+NYouMnPGzxdjqFH8iTpwzCT31Xx+lWiD/1pu4zAEiRnt5UqVtf7Esh+Fs5I2fPnU924eKly3+cK/7kM+Bq37XrWbtxE9pOPfoHAmwdHEoiQW9MpRA0fuMBnYcdr0IggVjVkGFNCFtdt9hc7hSA8LnAEp9HRjlC9XLxYGbna2xcgdh6rel5JjQjwORUfDa6FcjY7fFgWr7pf0DusHnmrgIJhJGZVgS4d5/N9gdKJAK6Xyvo746xHg5RIo8A3mP3ExtbbX2gREJPdYny62afJT+vz6NkiGpzL5ghFLG+NAhHXr1mhkik4U0YzFAgfmSWC/K2q0rZVLve8a4lYmCPVyI9ZW3DikIT0zkhJe9rlU02fhj9CE5wJEseXy5ItriwIGINIk97SwmZ8ZEjFvsnZZ+/NJMjc+7ovLKoixwJfEVGlIj6N14iEllGSBhZIkY8swNN6XV+o0TUKlrxH5DBZYZ4xb9c+D7yI5A9/U8ypP6XX6XIPAWw8P94mUwmk8lki95vmJ/g9Xmlv3QAAAAASUVORK5CYII=",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 20,
  "last_updated": "2022-12-14T09:43:49+00:00",
  "score": 8,
  "self_url": "",
  "site_name": "Benedict Evans",
  "site_url": "https://www.ben-evans.com",
  "title": "Essays - Benedict Evans",
  "url": "https://www.ben-evans.com/benedictevans?format=rss",
  "velocity": 0.033,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/benjaminrosshoffman.com/default.json
+++ b/modules/data/feeds/sources/benjaminrosshoffman.com/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 12669,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "The territory is a map of the map.",
  "favicon": "http://benjaminrosshoffman.com/favicon.ico",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 10,
  "last_seen": "2023-01-11T12:32:52.176940+00:00",
  "last_updated": "2023-01-09T04:33:31+00:00",
  "score": -15,
  "self_url": "http://benjaminrosshoffman.com/comments/feed/",
  "site_name": "Compass Rose",
  "site_url": "http://benjaminrosshoffman.com",
  "title": "Comments for Compass Rose",
  "url": "http://benjaminrosshoffman.com/comments/feed/",
  "velocity": 0.312,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/bitbashing.io/default.json
+++ b/modules/data/feeds/sources/bitbashing.io/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 339384,
  "content_type": "application/xml; charset=utf-8",
  "description": "Yet another programming blog. Thoughts on software and related misadventures.",
  "favicon": "https://bitbashing.io/favicon.ico",
  "favicon_data_uri": "data:image/png;base64,AAABAAEAEBACAAEAAQCwAAAAFgAAACgAAAAQAAAAIAAAAAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUFBQAAAAAAP//AAD//wAA7/8AAO//AADv/wAA7/8AAO//AADvAwAA7/8AAO8DAADv/wAA7/8AAO//AADv/wAA//8AAP//AAD//wAA//8AAO//AADv/wAA7/8AAO//AADv/wAA7wMAAO//AADvAwAA7/8AAO//AADv/wAA7/8AAP//AAD//wAA",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 10,
  "last_updated": "2022-11-22T00:00:00+00:00",
  "score": 20,
  "self_url": "https://bitbashing.io/feed.xml",
  "site_name": "Bit Bashing",
  "site_url": "https://bitbashing.io",
  "title": "Bit Bashing",
  "url": "https://bitbashing.io/feed.xml",
  "velocity": 0.003,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/blog.danieljanus.pl/default.json
+++ b/modules/data/feeds/sources/blog.danieljanus.pl/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 1,
  "content_length": 343256,
  "content_type": "text/xml; charset=utf-8",
  "description": null,
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 60,
  "last_updated": "2022-11-07T00:00:00+00:00",
  "score": -4,
  "self_url": "",
  "site_name": "Daniel Janus \u2013 blog",
  "site_url": "https://blog.danieljanus.pl",
  "title": "code \u00b7 words \u00b7 emotions: Daniel Janus\u2019s blog",
  "url": "https://blog.danieljanus.pl/atom.xml",
  "velocity": 0.011,
  "version": "atom10"
 }
--- a/modules/data/feeds/sources/blog.dshr.org/default.json
+++ b/modules/data/feeds/sources/blog.dshr.org/default.json
@@ -0,0 +1,23 @@
 {
  "bozo": 0,
  "content_length": 623592,
  "content_type": "application/atom+xml; charset=utf-8",
  "description": "I'm David Rosenthal, and this is a place to discuss the work I'm doing in Digital Preservation.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [
    "http://pubsubhubbub.appspot.com/"
  ],
  "is_podcast": false,
  "is_push": true,
  "item_count": 25,
  "last_updated": "2023-01-10T17:59:42.157000+00:00",
  "score": 20,
  "self_url": "https://www.blogger.com/feeds/4503292949532760618/posts/default",
  "site_name": "DSHR's Blog",
  "site_url": "https://blog.dshr.org",
  "title": "DSHR's Blog",
  "url": "https://blog.dshr.org/feeds/posts/default",
  "velocity": 0.35,
  "version": "atom10"
 }
--- a/modules/data/feeds/sources/blog.rust-lang.org/default.json
+++ b/modules/data/feeds/sources/blog.rust-lang.org/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 76362,
  "content_type": "application/xml; charset=utf-8",
  "description": "Empowering everyone to build reliable and efficient software.",
  "favicon": "https://blog.rust-lang.org/images/favicon-16x16.png",
  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAA3XAAAN1wFCKJt4AAAAB3RJTUUH4gseBBkAzEcAUAAAAWlJREFUOMul079L1WEUBvCPdhPUzbhC3JYQwn6MLTU4CA5C/QMJimQS2NDiZpM0NDoZ0iK4+SdIV5ykpgKtIYyiqCBSuKBBibflufBiVxt64eV73uc855z3fb7ndPh7daMPU/gR7ByeYRc/nbJGMI8GjvAKb2M34hspA84U9jgeYAIv8Bi9+IxFnMcYLqCJ12WiYTzHL0wee05Xcb6H3+EOt8CeXK0Z526b/R1ruIL74c4nVi3v+4BvOAxhHzv4lHMTb3A1WAO1zqjdhRU8SjWpOIBBvAx2hFEsRZ8pmEn28ZC+FhXLvY9L4UwHm+ksBNo79kvf4QlWC61uxR5qkSqoJttkROqN7wDvk+Q6LuIh+nEnMdVSxOYJ+zKetsEbqFVy9QXMpYE28TE3gC+YxXaKDeFGYvYqIa7jZppjI/2w1GZGzia4npiDSpz1tCjcjg5VbAW7hrtpqjqW8/3nMLXee+IwdfzvOP8BuzB3onylpecAAAAASUVORK5CYII=",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 10,
  "last_updated": "2023-03-09T00:00:00+00:00",
  "score": 20,
  "self_url": "https://blog.rust-lang.org/feed.xml",
  "site_name": "The Rust Programming Language Blog",
  "site_url": "https://blog.rust-lang.org",
  "title": "Rust Blog",
  "url": "https://blog.rust-lang.org/feed.xml",
  "velocity": 0.096,
  "version": "atom10"
 }
--- a/modules/data/feeds/sources/bunniestudios.com/default.json
+++ b/modules/data/feeds/sources/bunniestudios.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 45559,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "bunnie's blog",
  "favicon": "https://www.bunniestudios.com/favicon.ico",
  "favicon_data_uri": "data:image/png;base64,AAABAAEAEBAAAAAAAABoBQAAFgAAACgAAAAQAAAAIAAAAAEACAAAAAAAAAEAAAAAAAAAAAAAAAEAAAAAAAAAAAAAFBQUADU1NQBdXV0AoKCgACYmJgBpaWkATk5OAIODgwAKCgoAfHx8ALi4uACxsbEAAgICAKOjowA+Pj4AAQEBAERERADy8vIABwcHABsbGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAASAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAAHAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAALAAAAAAAAAAAAABMAAAAAAAAAAAAAAAAABQAACgAAAAAPAAAAAAAAAAkAAAAAAAAOAAAAAAAAAAARAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADCQAAAAAAAAAAAAAAAAAAABANAAAAAAAAAAAAAAAAAP//AADAfQAAwTgAAMeZAADPnwAAz88AAM/PAADPzwAAz58AAMefAADDHwAAyD8AAM//AADP/wAAD/8AAA//AAA=",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 5,
  "last_updated": "2023-01-04T15:49:57+00:00",
  "score": 20,
  "self_url": "https://www.bunniestudios.com/blog/?feed=rss2",
  "site_name": " bunnie's blog",
  "site_url": "https://www.bunniestudios.com",
  "title": "bunnie's blog",
  "url": "https://www.bunniestudios.com/blog/?feed=rss2",
  "velocity": 0.114,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/congressionaldish.libsyn.com/default.json
+++ b/modules/data/feeds/sources/congressionaldish.libsyn.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 15076852,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "Congressional Dish is a twice-monthly podcast that aims to draw attention to where the American people truly have power: Congress. From the perspective of a fed up taxpayer with no allegiance to any political party, Jennifer Briney will fill you in on the must-know information about what our representatives do AFTER the elections and how their actions can and will affect our day to day lives. \nHosted by @JenBriney. \n\nLinks to information sources available at www.congressionaldish.com",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 269,
  "last_updated": "2023-01-06T18:13:57+00:00",
  "score": 0,
  "self_url": "https://feeds.libsyn.com/39908/rss",
  "site_name": "",
  "site_url": "",
  "title": "Congressional Dish",
  "url": "https://feeds.libsyn.com/39908/rss",
  "velocity": 0.071,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/drewdevault.com/default.json
+++ b/modules/data/feeds/sources/drewdevault.com/default.json
--- a/modules/data/feeds/sources/feeds.libsyn.com/421877/default.json
+++ b/modules/data/feeds/sources/feeds.libsyn.com/421877/default.json
@@ -0,0 +1,23 @@
 {
  "bozo": 0,
  "content_length": 272569,
  "content_type": "text/xml; charset=utf-8",
  "description": "Audio version of the posts shared in the LessWrong Curated newsletter.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [
    "https://pubsubhubbub.appspot.com/"
  ],
  "is_podcast": true,
  "is_push": true,
  "item_count": 56,
  "last_updated": "2023-03-08T08:00:00+00:00",
  "score": 32,
  "self_url": "https://feeds.buzzsprout.com/2037297.rss",
  "site_name": "",
  "site_url": "",
  "title": "LessWrong Curated Podcast",
  "url": "https://feeds.buzzsprout.com/2037297.rss",
  "velocity": 0.192,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/feeds.megaphone.fm/hubermanlab/default.json
+++ b/modules/data/feeds/sources/feeds.megaphone.fm/hubermanlab/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 1377252,
  "content_type": "application/xml; charset=utf-8",
  "description": "Andrew Huberman, Ph.D.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 129,
  "last_updated": "2023-03-06T09:00:00+00:00",
  "score": 14,
  "self_url": "https://feeds.megaphone.fm/hubermanlab",
  "site_name": "",
  "site_url": "",
  "title": "Huberman Lab",
  "url": "https://feeds.megaphone.fm/hubermanlab",
  "velocity": 0.159,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/gwern.net/default.json
+++ b/modules/data/feeds/sources/gwern.net/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 140827,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "Latest gwern.net updates, interesting links, and reviews",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 14,
  "last_updated": "2021-06-11T14:16:22+00:00",
  "score": -6,
  "self_url": "https://gwern.substack.com/feed",
  "site_name": "",
  "site_url": "",
  "title": "Gwern.net Newsletter",
  "url": "https://gwern.substack.com/feed",
  "velocity": 0.032,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/ianthehenry.com/default.json
+++ b/modules/data/feeds/sources/ianthehenry.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 359714,
  "content_type": "text/xml; charset=utf-8",
  "description": "Ian Henry's blog.",
  "favicon": "https://ianthehenry.com/favicon.ico",
  "favicon_data_uri": "data:image/png;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAHH1uIDShg/xEsZv8GFk3/CSJb/wgZT/8IGU//CBlP/wkiW/8HGE7/CBlP/wkiW/8HIFX/BxhO/wcgVf8OK2t7JDhz/wcfW/8NNn7/CSpq/wkjYf8MJGP/DCJg/w02ef9SqdX/TKHJ/1my2f9Moc3/UqzV/1Cr1v9Pocf/Ditr/xk2cf8KJGL/CjR8/wwva/8RK2r/Cido/w8qa/8LLW//TqjT/1Gnz/9bsNf/Sp/K/1Wt2f9Wrtj/UKjQ/w8xc/8gPHj/Di5w/xk4ef8TL27/Dy5u/xU3fv8QLGv/Ditr/1qy3f9dttv/Yrje/0ecx/9Knsz/U6fQ/1m13f8YN3n/JjZx/wszdv8YOXz/Eilm/xc3e/8dSZT/GDJz/xk/hv9hu+P/WbHZ/1mv1v9Kn8z/WLHd/1212v9ds9n/Eipr/xcqYv8SOX3/GzRz/xQrZ/8aM3D/HEuU/xc0df8fPYD/Yrre/1603P9dt9z/VKvY/1iz4v9etNr/Y73m/xk5fP8cMm3/JEWK/xc0dP8eO3v/Hjd4/ydRnP8WM3P/Gjd3/2bA5/9dtd//Ybng/2K95v9ct+P/Ybnf/2K95/8oS5L/GChg/xxBh/8lSIz/GC5s/yM5ev8hRoz/HTp7/yE6e/9Zsdz/YLzn/2jF7v9ryfL/YLzn/1qu1f9htdz/GDyD/y0/ev9qx/X/acDn/1235v9euun/Yb3r/1665v9owu7/GUOL/yhGh/8nUJL/MkmI/yBFiP8jOHb/MVag/yM+gv8VMGv/acXx/27G7/9szv3/bMb1/2zD6/9vy/X/edf5/yBHjv8yS47/JEuO/zVLiv8nS5D/LkOB/yRXpP8lQoT/H0WI/3fS+P910Pf/b8/8/2bB7/991Pn/eNb+/3nT+P8pS5L/O1GS/ytUnP86UJH/NF2k/zNLjP8sXKv/JkCB/x4+ff+B2/3/etT9/4He//922f//fNf//3TT//991/7/NU6N/zZSkP86Zav/PlWR/zFepv88ZKb/MF2n/yQ/gf8bNXH/fd3//3/b//+K6P//ft///3vV//993f//gdz//0hWlf9FZKX/RmOj/0JXlv9IeMP/QXKz/0Jsuf8eO3z/Hjt2/3vd//+C3v//ju3//3zg//+H4v//guL//4nj//9HXp3/UGur/ztgqf9JYqP/S3G4/05ur/9EbLT/Hjt7/zNJhf+G4///heT//4rq//+E5///iOT//4jr//+G4///UXO0/09iov9EX6H/SWWn/1V5wP9Kaa7/RGSp/ydLj/8NKGCfDShg/x8+d/8RLGb/CBlP/wYWTf8GFEj/CBNH/wooZP8JIlv/CCJd/woWSf8HGE7/ByBV/wwgU/8fO3mfAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 10,
  "last_updated": "2022-07-11T00:00:00+00:00",
  "score": 20,
  "self_url": "https://ianthehenry.com/feed.xml",
  "site_name": "Ian Henry",
  "site_url": "https://ianthehenry.com",
  "title": "Ian Henry",
  "url": "https://ianthehenry.com/feed.xml",
  "velocity": 0.027,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/idiomdrottning.org/default.json
+++ b/modules/data/feeds/sources/idiomdrottning.org/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 88585,
  "content_type": "text/xml; charset=utf-8",
  "description": "<p>The most unruly and least considered, most shameful among various Idiomdrottning components and libraries can be found here.</p>\n          <p>To contact me, <a href=\"mailto:sandra.snan@idiomdrottning.org\">send mail to sandra.snan@idiomdrottning.org</a></p>",
  "favicon": "https://idiomdrottning.org/favicon.png",
  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9kKHQ8EITJ/4sMAAAUJSURBVFjD7ZZ5bFRVGMV/983W6d5KoS21gFKWqpWEQkqCoCxqRHCBKEhcE8SYGsRgSEREoyaEJZgQETFBggpxRSBUlrBoF8rSlrZpQUqhsRVIO53SbabzZt69/jF06NBOW8ofxIT710vefe+ce853vvsJpZTiDi6NO7zuErhL4P9NoDPB0qsz0DTfFgEhBABV328OPIciGYrgbVvgaWqkeuc3PYIopRBCcHbL+pAEtb5llr2+d9dfobWmmst/7u8GIoSgsfQUjpLCgVvQ4aincvPakDIaHS7M9nDK1q5ESRl0er3lGrmL5xKRnDpwAvaERJqrKih492W8Lde6EfG5XSAEerMTj9OBUiogfeWXqwGIHD5y4ASUUmQs/YSGk3nsn5VJ2z8XEULcKC7DACGQus7V3IMIIRBC0FxVwYUdXwMQO/rBbkWptzSjlOpfEUakDCN2VDrS6+HIghlczT8S8NtksYJSIAQ1v+/wx9IwOP1hNuaIKITJRHji0ACwEIILO7ZQvmEVQohgAm21l0JGLeuL7wCBkgZ5b83l38P7/BJabf59ECg2R1EBrZeq/GpoJmxxgxBCoDc3kZ89n7J1Kxm3fHV3C1qr/2bXhGTy336RuoN78Lna/RIDtth4hj37EkopLJHRFC57nabKUky2sIACmtmCs7yIguwFoGkoKYkenoYlKhpnRQn7pqXTcCqf1FnzMIWF+Yl3DiSdhdNYdorcRc+jpIHJFkZ4cipDpz/N2MXLMLw6u7NS0SxWv/y2MB7dnsOB2ROxREQhvV6GTHqM+pN/ITQNX4ebR776GUdJIVXbN6GUQnq9zMmrxhRm9yvUdSLqJNF84SzHl75CR/1VhKYhvTrCbOGBd1ZgCY+gdM2KQI+IHZNBU+UZNJM56B8AZnsEKU8+R/WPWzFZrSilyPx0Iykzn7lhcaiRzPB0cHTh47TVXkJoN5wSZjNCCAxdD9ndekyTlETdN4rpOw8H11hfM+H5bRspW7cSc2R0UPx6Be/8Y5ct9iHJzPglF81s7p2A3tyEz9WOr8OF8hmYrDYaio9Tvv4jpM/bK7AKxgxYYrKFMXXbPqKGj+zern1ul7p8LIe6A3toPHMCZRgoKf13gOpyFCWD/L0VEjN/yyc8KSVEJ9Q0rDHxRKaOwBafgKfJgc/djjJ8fgJKwfULqRNchdBcoQLgSkqscfcw/adjIcEDFnQ9mbetlZrdP3D5cA7u+it421owXO2dXQmEQABKCIS6DirEdXARAI9Lf5gpW/f2WS89xjCQBN2D4Xbha2/l2rlynOXF1B3ajaexIajYpJBoaH4NpCRj2WeMmPdqv1LSZwo8Tgd1h/bgKCqgoagAX1urX4WAHQoUSN1DQuZknBXFzMmtDopuvwl0KqCUwtPYQPmGVdTm/IpmsyGE1uOopZkt2BOTmfD5JmJHP8TRhU9gT0oma923Pap68zLffPEooPC912g4nYfUdUxh9qAPpM+H1D2EJ6Uw6o0lJE6eQUTyvYH3LRfP0VJzHr25CUtUTJ9KBBVh7f5dFH28JHABKWmgDANLZBThyalEjUgjPiOTwROnEJM2tpsiTRUlWGPiKV3zAW01VYx5832GzX6hfxbkZ8/HUVyI0EyEJ6UQlz6OQeOzGDxpGvaEIYQq1J4GGMPdzt6paUzbeZTo+0f30TWVUobXqzqcDuV1u1RPS0qpbmX5PB3qj6fGqxPLF/W59z/I3vExRaQkUAAAAABJRU5ErkJggg==",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 20,
  "last_updated": "2023-01-25T13:06:38+00:00",
  "score": 10,
  "self_url": "https://idiomdrottning.org/blog",
  "site_name": "Idiomdrottning",
  "site_url": "https://idiomdrottning.org",
  "title": "Idiomdrottning",
  "url": "https://idiomdrottning.org/blog",
  "velocity": 0.441,
  "version": "atom10"
 }
--- a/modules/data/feeds/sources/interconnected.org/default.json
+++ b/modules/data/feeds/sources/interconnected.org/default.json
@@ -0,0 +1 @@
 {}
--- a/modules/data/feeds/sources/interconnected.org/home/feed/default.json
+++ b/modules/data/feeds/sources/interconnected.org/home/feed/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 80033,
  "content_type": "application/xml; charset=utf-8",
  "description": "A blog by Matt Webb. My notebook and space for thinking out loud since February 2000.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 8,
  "last_updated": "2023-01-24T20:48:00+00:00",
  "score": 22,
  "self_url": "",
  "site_name": "Matt Webb",
  "site_url": "https://interconnected.org",
  "title": "Interconnected",
  "url": "https://interconnected.org/home/feed",
  "velocity": 0.279,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/jefftk.com/default.json
+++ b/modules/data/feeds/sources/jefftk.com/default.json
--- a/modules/data/feeds/sources/lwn.net/default.json
+++ b/modules/data/feeds/sources/lwn.net/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 14068,
  "content_type": "application/xml; charset=utf-8",
  "description": "LWN.net is a comprehensive source of news and opinions from\n        and about the Linux community.  This is the main LWN.net feed,\n        listing all articles which are posted to the site front page.",
  "favicon": "https://static.lwn.net/images/favicon.png",
  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAAlwSFlzAAAN1wAADdcBQiibeAAAAAd0SU1FB9oMHRALH2oogOQAAAdtSURBVFjDvZd7cFT1Fcc/v9+9d3N3N9nNxg3ZhCS8CYgpQnjYqaZQpaI1QMTxAbb2ga0dZ7T4oNOhY9FxHKtjp1Y7lo6tODqOtk5hSgdHBJwq1ALDIITwSgIhPEISNmRDdrP3+esfCxkYCE1G2t/MnfuY8zvne875nvM7F4a/JgKvAkeA7vP3PwAV/B/WNCANqAuXGQyqhx9brqqqq21g5nAVymHKvwSELv5gmiYBzWBEcYkBvAfk/a+814D+i70f5Fo8XKVDXWHgmSUPPsT462/g8P5G4vE4r61+m0hRjERlJS2HDgL0AX8fqlJ9qII/euGDqXF1mrr588hmLTZ9vJHNX+yl9WgLP37kcTZt2czmf6xH6sY4x+rnmgMYMarq7m9PqGbdhk/At3ngZ89jux6/fullZn7jZuoXP8j2A6fp6Tge2/7RO9ceQJ4RPLrm/b+pWyYrMSJ0homjjnFwdzMvrxhNe7KX/qzF1rWrSaeSwyKWGI7wfbUlmTUvRoIBQyC0SqAPIYt478NWbpkpqFzYCGDdf/8Px9bX181y3Uzr0qVLv7xmAF54aMK564oK8pc90I/v+rz5vuBcWjHteo1wvs57B2+nYmQZNdNr7IL8cMDzXP9sT8+WbqG+993589u/MoBJU6p7nr8nHD2b7sWxFWNHa3x9us2h4zNwJz5JqifJdfE4BxobaWs7Rn393QCcPHXqj7fPu+0nX7UR3blo8b3RW5dvJDFmJpPGhdHDU8i7aR+h6SuRQqFrGmv+/Cdc16WhoYFAIIBpmhRGo9OGTMINGzbkZbPecj1PnyZ8lcpY1sePPfrU5x0dLW+sfPoJ8vND3LzkNSzLpqgoyr7GRnRdZ+tn/6SpqYmOzg5mzZQkEgm6u7uJx+MoIdSQAKxa9anueNmPRlYk5oZDIRSQzdoPv/3Oaid5NmVc0FNYWIDjuOzZ0wD4rFu3llmzZrNj5w7C4TAliQR1dQtI9fTQfuokpeUVQyvDaTXZlWVlJXMjBQVIKfE8j7xIHoXRiFHuODTsO4AZDFJZMZJDTU3s27+fb9XW0tvbi5XNUlNTw8JF9TQ2NGBZ2RzJhGDbtn9FgFKg/aocKIrHRkQjEVzXxbIspJQIIVBKoUtJLBbF0DXajjTjWf3EzTZaPnuO9vac3u/cVYenFKZpEo8XM2HCRLZs+ZS33nqrqnRkxaP/NQLKsVfZtv19XddDAEqpAS8uvGuaxJIaBXkdzB77CVogQNms15FCIoRC+Yqx48blvBOCxsZGlK9ELB4vbT95/OpVUFtb2+U47l8uNujYNplMBt/3UUrh+z5SN4j1bkHhczDvdXRNglAIIdCkAKWQQuD7Pr999XdMqhrftX/P7meH1AfGTZrUKly3ctmyZaJuwUK6u7vxPI+CggjBoJkzomlomQ4ssxgJeJ6Hrml4/gWyK5RSCCmRCE53nN4755u1U4fUB0ZXjm3r7OoSe/fuxfc8zvWl6T3Xx8lTp+hLZwbkXNdH+j7K95FS4rhuzqjI+SV1PZc6IQgEAtkhT0SbN25YMLK8Yv+TT61ANwzKSkuIRiNomkY2m8X3fVzXJUOQsMzgK1AKpJRImQuoPJ+GHBSFrhvucE7Dnmd/9czXKs8stZOqXsqy+ygqLKSkuBiVIwYK8NBAOblc4yOFBAVSk/i+j57ezxj35yAVnzfXTRvWYZT9YqIfMEcJVIbDJ6L4E15BiJzigY1CI+h0kdaL8F2Xzs5Okskz3DD1RiSCUWfuwsyvAsB3jrJrl55qbmGO8DMnlrxy+MygEdi+uropECgUiBCIEOMTh2jrP0S/WYVhGKAUnu8jpcDL+qTOneXEieN4nneefwrfasIMhgcmPqmXM316S3RGjbFbKUFponr13KcbHrkkAsfWVjvxuKXrhsIwJwLGeYUWdn8zLbH1aEKi8AGBJiU4faS6kzSf6CISjVIcL+ZUZ5I5+Y8TKRwNBAeq4qL4cqDxtDVl6R7zkgiUlwtd6FXkaHxRZkSAgDmS0vZ6tBnbyWQypNNp+vv70aRJNBajJjGKolgM0wyxYdPvufNWHwgMkmmX0oQVuCwFrp/FEPIKtBAgo0QLujj2758yZt67ADiOQzLZTZ5ZSqwwCkBfX4Zx1hvoRslVBu4QBfmeGKQM1aBcFXqCsvydZFKnATAMg0SiZMB4Nmtxxx3zqb9NBxkaRI8LXs9Aa78EQO7Bu+j/4rKxFE1T7HrnDizLwbZtspZFT6qXD9euJxg02bVjG7oOKOcKhjuw+w/Tk+qkqSnkXJYCXymwm5BCIGQQRCG5SjiPUaWwHRAKTDNwRf8WzB6BbQmMQC9Ci+Qc8rvpS5/laGuIk23B1o6m1OQfrDmUvQzA5i35I8DbHApRZQYxCsIpES/uJBTKNRvbFhw/kc+BI9le4JfAGSAJ58sCxjS29dUebS1dWl6exgwexnOhvT1EU7PZmtnz5fh7/4o3rKH03Sem35Qf9d4MBf3JAiVSfcbWe57bXXu1PR/84sYVRYXei3lBIfrOkbGTeZMW/Wbn8cHk/wNEUBaFSM2AYgAAAABJRU5ErkJggg==",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 15,
  "last_updated": "2023-01-22T15:53:01+00:00",
  "score": 18,
  "self_url": "",
  "site_name": "Welcome to LWN.net [LWN.net]",
  "site_url": "https://lwn.net",
  "title": "LWN.net",
  "url": "https://lwn.net/headlines/newrss",
  "velocity": 2.78,
  "version": "rss10"
 }
--- a/modules/data/feeds/sources/lynalden.com/default.json
+++ b/modules/data/feeds/sources/lynalden.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 10608,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "Investment Strategy",
  "favicon": "https://www.lynalden.com/wp-content/plugins/genesis-favicon-uploader/favicons/favicon.ico",
  "favicon_data_uri": "data:image/png;base64,AAABAAEAEBAQAAEABAAoAQAAFgAAACgAAAAQAAAAIAAAAAEABAAAAAAAgAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAA6KIAAFc9AAAfFgAAHRQHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQRERERETAABBERERERMAAEEREREREwAAQRESIiIgAABBERAAAAAAAEEREAAAAAAAQREQAAAAAABBERAAAAAAAEEREAAAAAAAQREQAAAAAABBERAAAAAAAEEREAAAAAAAQREQAAAAAABBERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 10,
  "last_updated": "2022-12-10T19:36:37+00:00",
  "score": 12,
  "self_url": "https://www.lynalden.com/feed/",
  "site_name": "Lyn Alden",
  "site_url": "https://www.lynalden.com",
  "title": "Lyn Alden",
  "url": "https://www.lynalden.com/feed/",
  "velocity": 0.031,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/mapspodcast.libsyn.com/default.json
+++ b/modules/data/feeds/sources/mapspodcast.libsyn.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 256360,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "Hosted by Zach Leary, the intent of the podcast is to bring you the listener an easily accessible resource for a variety of topics all related to psychedelic research. There is a lot to learn about new research into the therapeutic potential of psychedelics and marijuana. Over the years, the Multidisciplinary Association for Psychedelic Studies (MAPS) has amassed an incredible treasure trove of audio archives sourced from the amazing talks, presentations and panels that have taken place at past Psychedelic Science conferences and other unique events. By selecting some of that content and then bringing it to you in a podcast we hope to create a centralized location for the greater MAPS community. If you're a researcher, scientist, medical professional or just a curiosity seeker we hope that you'll find this content a valuable resource tool.\n\nPlease visit the MAPS website at https://maps.org",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 62,
  "last_updated": "2023-03-06T20:20:00+00:00",
  "score": 0,
  "self_url": "https://feeds.libsyn.com/95610/rss",
  "site_name": "",
  "site_url": "",
  "title": "MAPS Podcast",
  "url": "https://feeds.libsyn.com/95610/rss",
  "velocity": 0.028,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/miniature-calendar.com/default.json
+++ b/modules/data/feeds/sources/miniature-calendar.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 1990,
  "content_type": "application/atom+xml; charset=utf-8",
  "description": "\u65e5\u7528\u54c1\u3092\u5225\u306e\u3082\u306e\u306b\u898b\u7acb\u3066\u305f\u3001\u30df\u30cb\u30c1\u30e5\u30a2\u30a2\u30fc\u30c8\u3092\u6bce\u65e5\u66f4\u65b0\u4e2d",
  "favicon": "https://www.miniature-calendar.com/images/favicon.ico",
  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAABPlBMVEXdzb3ezbng0b7f0r/h0L7h0r/h0MDi0sLn18fg0MDh0cHk08Pm1cXn18jl2MfezbvdzLjf0L3f0Lvj08Tfzr7i08Dm1sbf0cTcz7w+Ny3k1MTe0sLl1cbczLU/OS1AOi7g0bzby7TayrPbyrjezb3fzrzcy7fZyLTbyrY+Oi7dzLxAOizczbrdy7XdzbbbzLnez7zdzLrezr7WxLDZx7NBOjBAOS/ezLbczbjaxbDYxrDZx7HcyrTayLLcy7s/OzBBOy/Ww7LZybI/OzLYybY+Oi/czLzXxbHYyLFAOTHZxLPZx6/aybXazLLayLDcyLDcyrbczLPbybPXxLVCOzHbybXXxLPayLTZxrfaya/bxbDZybDVw63axK3axK/cx7LayrHYx7PezLTUwq7UwqzXwq/Vw6/Xw6vWx7DbxbcPDeShAAABAUlEQVQYlT2IizfCUByAf27LVGRXC8Pt2pY9PDLVHTbZKsxjIqYxyavC//8P4DjHd853znc+gAmU4tKTPD+VyeamZ/IwK2A0hzMFMZsr8vP5BQBhEUsYSxyW0oWl5RUgpPQPRUX+Z9Df/HMVpUFWqEzU8ppWTnEUIQy6YSpUM7XS+sYmFRECZcvUiVIh25YAdKdahVqd6bZmy0ylu2zPAth3bNeVDxqHtuczlVjQdJjjtdoG9Y6OTwwRIDg9O78ILztXfvs6NEgXbm4jFkU+i9ida3SJCkHQi+8fGklceQxjRTGgX+slfSd5Gjy/uB3t9Q3eh8PBaDwefTTrn+FXGHwDcrgsthZvWMkAAAAASUVORK5CYII=",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 1,
  "last_updated": "2023-01-25T22:00:38+00:00",
  "score": 20,
  "self_url": "https://miniature-calendar.com/feed/atom/",
  "site_name": "MINIATURE CALENDAR",
  "site_url": "https://miniature-calendar.com",
  "title": "MINIATURE CALENDAR",
  "url": "https://miniature-calendar.com/feed/atom/",
  "velocity": 0,
  "version": "atom10"
 }
--- a/modules/data/feeds/sources/omny.fm/shows/cool-people-who-did-cool-stuff/default.json
+++ b/modules/data/feeds/sources/omny.fm/shows/cool-people-who-did-cool-stuff/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 242702,
  "content_type": "application/xml; charset=utf-8",
  "description": "<p>As long as there&rsquo;s been oppression, there&rsquo;ve been people fighting it. This weekly podcast dives into history to drag up the wildest rebels, the most beautiful revolts, and all the people who long to be&mdash;and fight to be&mdash;free. It explores complex stories of resistance that offer lessons and inspiration for us today, focusing on the ensemble casts that make up each act of history. That is to say, this podcast focuses on Cool People Who Did Cool Stuff.</p>",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 86,
  "last_updated": "2023-03-20T04:01:00+00:00",
  "score": -12,
  "self_url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/45bcda9a-4724-45c0-82ca-ae7f00e1dd18/f21245f2-a297-42f7-a016-ae7f00e390c4/podcast.rss",
  "site_name": "",
  "site_url": "",
  "title": "Cool People Who Did Cool Stuff",
  "url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/45bcda9a-4724-45c0-82ca-ae7f00e1dd18/f21245f2-a297-42f7-a016-ae7f00e390c4/podcast.rss",
  "velocity": 0.256,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/overcomingbias.com/default.json
+++ b/modules/data/feeds/sources/overcomingbias.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 0,
  "content_length": 26528028,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "This is a blog on why we believe and do what we do, why we pretend otherwise, how we might do better, and what our descendants might do, if they don't all die.",
  "favicon": "https://www.overcomingbias.com/favicon.ico",
  "favicon_data_uri": "data:image/png;base64,AAABAAEAEBAAAAEACABoBQAAFgAAACgAAAAQAAAAIAAAAAEACAAAAAAAAAAAABMLAAATCwAAAAEAAAAAAAAAAAAALgAAAC0mFQAAEysAFCozACoqKgBMMysAWVUiABI0RgACRk4AEk5uAABrcgBKSkwAbUZEAG5sTwBxcXEAkXJQAKuMbQDSklcAFXCPABWWnwAAq9cAAO7zAI6QkQCusLAAzq6XAPO0jwD7y5gAzM3NAOnS0gD7+/sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHh4eHh4eHh4eHh4eDwUcHh4eHh4eHh4eHh4eHhcHBQ8eHh4eHh4eHh4eHh4MEhsRHh4eHh4eHhgXHh4YBRsbGx4eHh4eHh4XBAQFABEbGxseHh4eHhwdDxUWFgkNGxsbHh4eHh4FCQsWFhYWABEOBx4eHh4dBBYWFhYWFggFBwceHh4eDwkWFhYWFhYIEhsbBQ8XDAAUFhYWFhYVABsbGxENDREQABUWFhYWBAARGxsbGxEGBhAACRMKAw4SAA4bDQACERsbBg4HBwIbGxkBBgAQGxsbEQIbGxsAEhsbGgIbGxsbGwUQGxsbBgcbGxsbGxsbGxECGhsbGxEAGxsbGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 4476,
  "last_updated": "2023-01-24T19:20:26+00:00",
  "score": 14,
  "self_url": "https://www.overcomingbias.com/feed",
  "site_name": "Overcoming Bias",
  "site_url": "https://www.overcomingbias.com",
  "title": "Overcoming Bias",
  "url": "https://www.overcomingbias.com/feed",
  "velocity": 0.757,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/palladiummag.com/default.json
+++ b/modules/data/feeds/sources/palladiummag.com/default.json
@@ -0,0 +1,21 @@
 {
  "bozo": 1,
  "content_length": 617003,
  "content_type": "text/xml; charset=utf-8",
  "description": "Governance Futurism",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 18,
  "last_updated": "2023-01-20T19:45:09+00:00",
  "score": 28,
  "self_url": "https://www.palladiummag.com/feed/",
  "site_name": "Palladium Magazine",
  "site_url": "https://www.palladiummag.com",
  "title": "Palladium",
  "url": "https://www.palladiummag.com/feed/index.xml",
  "velocity": 0.167,
  "version": "rss20"
 }
--- a/Show More
+++ b/Show More