sxmo: have sway launch sxmo -- not the other way around

this lets me treat sxmo as just some nice scripts which run atop an existing DE (sway), rather than the opposite

can share more code with my desktop/laptop

TODO.md

@@ -1,7 +1,10 @@
 ## BUGS
+- mpv UI is sometimes blank for audio/podcasts?
+  - i think it's when the audio file has no thumbnail?
 - why i need to manually restart `wireguard-wg-ovpns` on servo periodically
   - else DNS fails
 - fix epiphany URL bar input on moby
+- sxmo: wvkbd: missing font for icons on the 3rd page
 
 ## REFACTORING:
 
@@ -12,7 +15,7 @@
 
 ### roles
 - allow any host to take the role of `uninsane.org`
-    - will make it easier to test new services?
+  - will make it easier to test new services?
 
 ### upstreaming
 - split out a sxmo module usable by NUR consumers
@@ -23,27 +26,38 @@
 - REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
 - remove `libsForQt5.callPackage` broadly: <https://github.com/NixOS/nixpkgs/issues/180841>
 
+#### upstreaming to non-nixpkgs repos
+- gtk: build schemas even on cross compilation: <https://github.com/NixOS/nixpkgs/pull/247844>
+- sxmo: add new app entries
+
 
 ## IMPROVEMENTS:
 ### security/resilience
 - validate duplicity backups!
 - encrypt more ~ dirs (~/archives, ~/records, ..?)
-    - best to do this after i know for sure i have good backups
+  - best to do this after i know for sure i have good backups
 - have `sane.programs` be wrapped such that they run in a cgroup?
-    - at least, only give them access to the portion of the fs they *need*.
-    - Android takes approach of giving each app its own user: could hack that in here.
-    - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
-      - presumably uses the same options as systemd services
-      - see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
-    - flatpak does this, somehow
-    - apparmor?  SElinux?  (desktop) "portals"?
-    - see Spectrum OS; Alyssa Ross; etc
-    - bubblewrap-based sandboxing: <https://github.com/nixpak/nixpak>
+  - at least, only give them access to the portion of the fs they *need*.
+  - Android takes approach of giving each app its own user: could hack that in here.
+  - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
+    - presumably uses the same options as systemd services
+    - see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
+  - flatpak does this, somehow
+  - apparmor?  SElinux?  (desktop) "portals"?
+  - see Spectrum OS; Alyssa Ross; etc
+  - bubblewrap-based sandboxing: <https://github.com/nixpak/nixpak>
 - canaries for important services
-    - e.g. daily email checks; daily backup checks
-    - integrate `nix check` into Gitea actions?
+  - e.g. daily email checks; daily backup checks
+  - integrate `nix check` into Gitea actions?
 
 ### user experience
+- moby: sxmo: fix youtube scripts (package youtube-cli)
+- moby: tune GPS
+  - run only geoclue, and not gpsd, to save power?
+  - tune QGPS setting in eg25-control, for less jitter?
+  - direct mepo to prefer gpsd, with fallback to geoclue, for better accuracy?
+  - configure geoclue to do some smoothing?
+  - manually do smoothing, as some layer between mepo and geoclue/gpsd?
 - neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
 - Helix: make copy-to-system clipboard be the default
 - firefox/librewolf: persist history
@@ -53,29 +67,37 @@
   - especially, make the menubar collapsible
   - try Gradience tool specifically for theming adwaita? <https://linuxphoneapps.org/apps/com.github.gradienceteam.gradience/>
 - package Nix/NixOS docs for Zeal
-    - install [doc-browser](https://github.com/qwfy/doc-browser)
-    - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
-    - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
+  - install [doc-browser](https://github.com/qwfy/doc-browser)
+  - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
+  - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
 - uninsane.org: make URLs relative to allow local use (and as offline homepage)
 - email: fix so that local mail doesn't go to junk
   - git sendmail flow adds the DKIM signatures, but gets delivered locally w/o having the sig checked, so goes into Junk
   - could change junk filter from "no DKIM success" to explicit "DKIM failed"
+- sxmo: don't put all deps on PATH
+  - maybe: use resholve to hard-code them
+    - this is the most "correct", but least patchable
+  - maybe: express each invocation as a function in sxmo_common.sh
+    - this will require some patching to handle `exec <foo>` style
+  - maybe: save original PATH and reset it before invoking user files
 
 ### perf
 - add `pkgs.impure-cached.<foo>` package set to build things with ccache enabled
-    - every package here can be auto-generated, and marked with some env var so that it doesn't pollute the pure package set
-    - would be super handy for package prototyping!
+  - every package here can be auto-generated, and marked with some env var so that it doesn't pollute the pure package set
+  - would be super handy for package prototyping!
 - why does nixos-rebuild switch take 5 minutes when net is flakey?
-    - trying to auto-mount servo?
-    - something to do with systemd services restarting/stalling
-    - maybe wireguard & its refresh operation, specifically?
+  - trying to auto-mount servo?
+  - something to do with systemd services restarting/stalling
+  - maybe wireguard & its refresh operation, specifically?
 - get moby to build without binfmt emulation (i.e. make all emulation explicit)
   - then i can distribute builds across servo + desko, and also allow servo to pull packages from desko w/o worrying about purity
 
 
 ## NEW FEATURES:
 - migrate MAME cabinet to nix
-    - boot it from PXE from servo?
+  - boot it from PXE from servo?
+- deploy to new server, and use it as a remote builder
 - enable IPv6
+- package lemonade lemmy app: <https://linuxphoneapps.org/apps/ml.mdwalters.lemonade/>

flake.lock

@@ -21,11 +21,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1683422260,
-        "narHash": "sha256-79zaClbubRkBNlJ04OSADILuLQHH48N5fu296hEWYlw=",
+        "lastModified": 1690059310,
+        "narHash": "sha256-4zcoDp8wwZVfGSzXltC5x+eH4kDWC/eJpyQNgr7shAA=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "ba4638836e94a8f16d1d1f9e8c0530b86078029c",
+        "rev": "56fc9f9619f305f0865354975a98d22410eed127",
         "type": "github"
       },
       "original": {
@@ -69,11 +69,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1689473667,
-        "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=",
+        "lastModified": 1693097136,
+        "narHash": "sha256-fBZSMdBaoZ0INFbyZ5s0DOF7zDNcLsLxgkwdDh3l9Pc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6",
+        "rev": "9117c4e9dc117a6cd0319cca40f2349ed333669d",
         "type": "github"
       },
       "original": {
@@ -85,11 +85,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1689534811,
-        "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=",
+        "lastModified": 1693663421,
+        "narHash": "sha256-ImMIlWE/idjcZAfxKK8sQA7A1Gi/O58u5/CJA+mxvl8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222",
+        "rev": "e56990880811a451abd32515698c712788be5720",
         "type": "github"
       },
       "original": {
@@ -116,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1689534977,
-        "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=",
+        "lastModified": 1693404499,
+        "narHash": "sha256-cx/7yvM/AP+o/3wPJmA9W9F+WHemJk5t+Xcr+Qwkqhg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81",
+        "rev": "d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688265812,
-        "narHash": "sha256-Wkx56Pw7V5+5Gn6B3olDGP+o1qIp8BPFL0MWC2wbKVg=",
+        "lastModified": 1691106178,
+        "narHash": "sha256-3mZ9gTvMpbZA9ea9ovoQpn2wKuQY0QZ7MDdEjArYdAQ=",
         "ref": "refs/heads/master",
-        "rev": "1542323cfb46a8950c17a3afa5f7cd2e62dd9672",
-        "revCount": 202,
+        "rev": "f4d91aa201b6e49af690f250d4786bd1d8b4dcfd",
+        "revCount": 205,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -94,7 +94,17 @@
       evalHost = { name, local, target }: nixpkgs.lib.nixosSystem {
         system = target;
         modules = [
-          (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
+          {
+            nixpkgs = (if (local != null) then {
+              buildPlatform = local;
+            } else {}) // {
+              # TODO: does the earlier `system` arg to nixosSystem make its way here?
+              hostPlatform.system = target;
+            };
+            # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
+            # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
+          }
+          (import ./hosts/instantiate.nix { hostName = name; })
           self.nixosModules.default
           self.nixosModules.passthru
           {
@@ -103,12 +113,6 @@
               self.overlays.sane-all
             ];
           }
-          ({ lib, ... }: {
-            # TODO: does the earlier `system` arg to nixosSystem make its way here?
-            nixpkgs.hostPlatform.system = target;
-            # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
-            # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
-          })
         ];
       };
     in {
@@ -174,6 +178,7 @@
         disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
         pkgs = final: prev: import ./overlays/pkgs.nix final prev;
         pins = final: prev: import ./overlays/pins.nix final prev;
+        preferences = final: prev: import ./overlays/preferences.nix final prev;
         optimizations = final: prev: import ./overlays/optimizations.nix final prev;
         passthru = final: prev:
           let
@@ -239,46 +244,78 @@
       apps."x86_64-linux" =
         let
           pkgs = self.legacyPackages."x86_64-linux";
-          deployScript = host: action: pkgs.writeShellScript "deploy-${host}" ''
+          deployScript = host: addr: action: pkgs.writeShellScript "deploy-${host}" ''
             nix build '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./result-${host} $@
             sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result-${host})
 
             # XXX: this triggers another config eval & (potentially) build.
             # if the config changed between these invocations, the above signatures might not apply to the deployed config.
             # let the user handle that edge case by re-running this whole command
-            nixos-rebuild --flake '.#${host}' ${action} --target-host colin@${host} --use-remote-sudo $@
+            nixos-rebuild --flake '.#${host}' ${action} --target-host colin@${addr} --use-remote-sudo $@
           '';
         in {
+          help = {
+            type = "app";
+            program = let
+              helpMsg = builtins.toFile "nixos-config-help-message" ''
+                commands:
+                - `nix run '.#help'`
+                  - show this message
+                - `nix run '.#update-feeds'`
+                  - updates metadata for all feeds
+                - `nix run '.#init-feed' <url>`
+                - `nix run '.#deploy-{lappy,moby,moby-test,servo}' [nixos-rebuild args ...]`
+                - `nix run '.#check-nur'`
+              '';
+            in builtins.toString (pkgs.writeShellScript "nixos-config-help" ''
+              cat ${helpMsg}
+            '');
+          };
           update-feeds = {
             type = "app";
             program = "${pkgs.feeds.updateScript}";
           };
 
           init-feed = {
-            # use like `nix run '.#init-feed' uninsane.org`
             type = "app";
             program = "${pkgs.feeds.initFeedScript}";
           };
 
           deploy-lappy = {
-            # `nix run '.#deploy-lappy'`
             type = "app";
-            program = ''${deployScript "lappy" "switch"}'';
+            program = ''${deployScript "lappy" "lappy" "switch"}'';
           };
           deploy-moby-test = {
-            # `nix run '.#deploy-moby-test'`
             type = "app";
-            program = ''${deployScript "moby" "test"}'';
+            program = ''${deployScript "moby" "moby-hn" "test"}'';
           };
           deploy-moby = {
-            # `nix run '.#deploy-moby'`
             type = "app";
-            program = ''${deployScript "moby" "switch"}'';
+            program = ''${deployScript "moby" "moby-hn" "switch"}'';
           };
           deploy-servo = {
-            # `nix run '.#deploy-servo'`
             type = "app";
-            program = ''${deployScript "servo" "switch"}'';
+            program = ''${deployScript "servo" "servo" "switch"}'';
+          };
+
+          sync-moby = {
+            # copy music from the current device to moby
+            # TODO: should i actually sync from /mnt/servo-media/Music instead of the local drive?
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript "sync-to-moby" ''
+              sudo mount /mnt/moby-home
+              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music ~/Music /mnt/moby-home/Music
+            '');
+          };
+
+          sync-lappy = {
+            # copy music from servo to lappy
+            # can run this from any device that has ssh access to lappy
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript "sync-to-lappy" ''
+              sudo mount /mnt/lappy-home
+              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music /mnt/servo-media/Music /mnt/lappy-home/Music
+            '');
           };
 
           check-nur = {
@@ -296,6 +333,19 @@
                 -I ../../
             '');
           };
+
+          check-host-configs = {
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript
+              "check-host-configs"
+              (builtins.concatStringsSep "\n" (builtins.map
+                (host: "nix build '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./result-${host} -j1 $@ &")
+                [ "desko" "lappy" "servo" "moby" "rescue" ]
+                # not part of the `map`. wait for all builds to complete
+                ++ [ "wait" ]
+              ))
+            );
+          };
         };
 
       templates = {

hosts/by-name/desko/default.nix

@@ -25,7 +25,7 @@
   sane.programs.steam.enableFor.user.colin = true;
 
   sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
-  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
+  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" "desktopConsoleUtils" ];
   # sane.programs.devPkgs.enableFor.user.colin = true;
 
   boot.loader.efi.canTouchEfiVariables = false;

hosts/by-name/lappy/default.nix

@@ -11,7 +11,7 @@
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
 
   # sane.guest.enable = true;
-  sane.gui.sway.enable = true;
+  sane.gui.sxmo.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
@@ -19,7 +19,7 @@
     "desktopGuiApps"
     "stepmania"
   ];
-  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
+  sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" "desktopConsoleUtils" ];
 
   sops.secrets.colin-passwd.neededForUsers = true;
 

hosts/by-name/lappy/polyfill.nix

@@ -3,7 +3,7 @@
 { pkgs, ... }:
 {
   sane.gui.sxmo = {
-    greeter = "sway";
+    greeter = "greetd-sway-gtkgreet";
     settings = {
       # XXX: make sure the user is part of the `input` group!
       SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-id/usb-Wacom_Co._Ltd._Pen_and_multitouch_sensor-event-if00";
@@ -27,8 +27,11 @@
       # - SXMO_SWAY_SCALE
       # see <repo:mil/sxmo-utils:scripts/deviceprofiles>
       # SXMO_DEVICE_NAME = "pine64,pinephone-1.2";
+      # if sxmo doesn't know the device, it can't decide whether to use one_button or three_button mode
+      #   and so it just wouldn't handle any button inputs (sxmo_hook_inputhandler.sh not on path)
+      SXMO_DEVICE_NAME = "three_button_touchscreen";
     };
-    package = pkgs.sxmo-utils.overrideAttrs (base: {
+    package = pkgs.sxmo-utils-latest.overrideAttrs (base: {
       postPatch = (base.postPatch or "") + ''
         # after volume-button navigation mode, restore full keyboard functionality
         cp ${./xkb_mobile_normal_buttons} ./configs/xkb/xkb_mobile_normal_buttons

hosts/by-name/moby/default.nix

@@ -12,8 +12,9 @@
 { config, pkgs, lib, ... }:
 {
   imports = [
-    ./firmware.nix
+    ./bootloader.nix
     ./fs.nix
+    ./gps.nix
     ./kernel.nix
     ./polyfill.nix
   ];
@@ -43,6 +44,7 @@
   sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
   # disabled for faster deploys
   sane.programs.soundconverter.enableFor.user.colin = false;
+  sane.programs.eg25-control.enableFor.user.colin = true;
 
   # sane.programs.firefox.mime.priority = 300;  # prefer other browsers when possible
   # HACK/TODO: make `programs.P.env.VAR` behave according to `mime.priority`
@@ -111,6 +113,15 @@
     services.pipewire.environment.ALSA_CONFIG_UCM2            = ucm-env;
     services.pipewire-pulse.environment.ALSA_CONFIG_UCM2      = ucm-env;
     services.wireplumber.environment.ALSA_CONFIG_UCM2         = ucm-env;
+
+
+    # TODO: move elsewhere...
+    services.ModemManager.serviceConfig = {
+      # N.B.: the extra "" in ExecStart serves to force upstream ExecStart to be ignored
+      ExecStart = [ "" "${pkgs.modemmanager}/bin/ModemManager --debug" ];
+      # --debug sets DEBUG level logging: so reset
+      ExecStartPost = [ "${pkgs.modemmanager}/bin/mmcli --set-logging=INFO" ];
+    };
   };
 
   services.udev.extraRules = let
@@ -126,37 +137,4 @@
   '';
 
   hardware.opengl.driSupport = true;
-
-  services.xserver.displayManager.job.preStart = let
-    dmesg = "${pkgs.util-linux}/bin/dmesg";
-    grep = "${pkgs.gnugrep}/bin/grep";
-    modprobe = "${pkgs.kmod}/bin/modprobe";
-  in ''
-    # common boot failure:
-    # blank screen (no backlight even), with the following log:
-    # ```syslog
-    # sun8i-dw-hdmi 1ee0000.hdmi: Couldn't get the HDMI PHY
-    # ...
-    # sun4i-drm display-engine: Couldn't bind all pipelines components
-    # ...
-    # sun8i-dw-hdmi: probe of 1ee0000.hdmi failed with error -17
-    # ```
-    #
-    # in particular, that `probe ... failed` occurs *only* on failed boots
-    # (the other messages might sometimes occur even on successful runs?)
-    #
-    # reloading the sun8i hdmi driver usually gets the screen on, showing boot text.
-    # then restarting display-manager.service gets us to the login.
-    #
-    # NB: the above log is default level. though less specific, there's a `err` level message that also signals this:
-    # sun4i-drm display-engine: failed to bind 1ee0000.hdmi (ops sun8i_dw_hdmi_ops [sun8i_drm_hdmi]): -17
-
-    if (${dmesg} --kernel --level err --color=never --notime | ${grep} -q 'sun4i-drm display-engine: failed to bind 1ee0000.hdmi')
-    then
-      echo "reprobing sun8i_drm_hdmi"
-      # if a command here fails it errors the whole service, so prefer to log instead
-      ${modprobe} -r sun8i_drm_hdmi || echo "failed to unload sun8i_drm_hdmi"
-      ${modprobe} sun8i_drm_hdmi || echo "failed to load sub8i_drm_hdmi"
-    fi
-  '';
 }

hosts/by-name/moby/gps.nix

@@ -0,0 +1,42 @@
+# pinephone GPS happens in EG25 modem
+# serial control interface to modem is /dev/ttyUSB2
+# after enabling GPS, readout is /dev/ttyUSB1
+#
+# minimal process to enable modem and GPS:
+# - `echo 1 > /sys/class/modem-power/modem-power/device/powered`
+# - `screen /dev/ttyUSB2 115200`
+#   - `AT+QGPSCFG="nmeasrc",1`
+#   - `AT+QGPS=1`
+#
+# now, something like `gpsd` can directly read from /dev/ttyUSB1.
+#
+# initial GPS fix can take 15+ minutes.
+# meanwhile, services like eg25-manager can speed this up by uploading assisted GPS data to the modem.
+#
+# geoclue somehow fits in here as a geospatial provider that leverages GPS and also other sources like radio towers
+
+{ lib, ... }:
+{
+  # test gpsd with `gpspipe -w -n 10 2> /dev/null | grep -m 1 TPV | jq '.lat, .lon' | tr '\n' ' '`
+  # ^ should return <lat> <long>
+  services.gpsd.enable = true;
+  services.gpsd.devices = [ "/dev/ttyUSB1" ];
+
+  # test geoclue2 by building `geoclue2-with-demo-agent`
+  # and running "${geoclue2-with-demo-agent}/libexec/geoclue-2/demos/where-am-i"
+  services.geoclue2.enable = true;
+  services.geoclue2.appConfig.where-am-i = {
+    # this is the default "agent", shipped by geoclue package: allow it to use location
+    isAllowed = true;
+    isSystem = false;
+    # XXX: setting users != [] might be causing `where-am-i` to time out
+    # users = [
+    #   # restrict to only one set of users. empty array (default) means "allow any user to access geolocation".
+    #   (builtins.toString config.users.users.colin.uid)
+    # ];
+  };
+  systemd.services.geoclue.after = lib.mkForce [];  #< defaults to network-online, but not all my sources require network
+
+
+  sane.services.eg25-control.enable = true;
+}

hosts/by-name/moby/kernel.nix

@@ -1,71 +1,56 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 let
-  # use the last commit on the 5.18 branch (5.18.14)
-  # manjaro's changes between kernel patch versions tend to be minimal if any.
-  manjaroBase = "https://gitlab.manjaro.org/manjaro-arm/packages/core/linux/-/raw/25bd828cd47b1c6e09fcbcf394a649b89d2876dd";
-  manjaroPatch = name: sha256: {
-    inherit name;
-    patch = pkgs.fetchpatch {
-      inherit name;
-      url = "${manjaroBase}/${name}?inline=false";
-      inherit sha256;
-    };
-  };
+  dmesg = "${pkgs.util-linux}/bin/dmesg";
+  grep = "${pkgs.gnugrep}/bin/grep";
+  modprobe = "${pkgs.kmod}/bin/modprobe";
+  ensureHWReady = ''
+    # common boot failure:
+    # blank screen (no backlight even), with the following log:
+    # ```syslog
+    # sun8i-dw-hdmi 1ee0000.hdmi: Couldn't get the HDMI PHY
+    # ...
+    # sun4i-drm display-engine: Couldn't bind all pipelines components
+    # ...
+    # sun8i-dw-hdmi: probe of 1ee0000.hdmi failed with error -17
+    # ```
+    #
+    # in particular, that `probe ... failed` occurs *only* on failed boots
+    # (the other messages might sometimes occur even on successful runs?)
+    #
+    # reloading the sun8i hdmi driver usually gets the screen on, showing boot text.
+    # then restarting display-manager.service gets us to the login.
+    #
+    # NB: the above log is default level. though less specific, there's a `err` level message that also signals this:
+    # sun4i-drm display-engine: failed to bind 1ee0000.hdmi (ops sun8i_dw_hdmi_ops [sun8i_drm_hdmi]): -17
+    # NB: this is the most common, but not the only, failure mode for `display-manager`.
+    # another error seems characterized by these dmesg logs, in which reprobing sun8i_drm_hdmi does not fix:
+    # ```syslog
+    # sun6i-mipi-dsi 1ca0000.dsi: Couldn't get the MIPI D-PHY
+    # sun4i-drm display-engine: Couldn't bind all pipelines components
+    # sun6i-mipi-dsi 1ca0000.dsi: Couldn't register our component
+    # ```
 
-  # the idea for patching off Manjaro's kernel comes from jakewaksbaum:
-  # - https://git.sr.ht/~jakewaksbaum/pi/tree/af20aae5653545d6e67a459b59ee3e1ca8a680b0/item/kernel/default.nix
-  # - he later abandoned this, i think because he's using the Pinephone Pro which received mainline support.
-  manjaroPatches = [
-    (manjaroPatch
-      "1001-arm64-dts-allwinner-add-hdmi-sound-to-pine-devices.patch"
-      "sha256-DApd791A+AxB28Ven/MVAyuyVphdo8KQDx8O7oxVPnc="
-    )
-    # these patches below are critical to enable wifi (RTL8723CS)
-    # - the alternative is a wholly forked kernel by megi/megous:
-    #   - https://xnux.eu/howtos/build-pinephone-kernel.html#toc-how-to-build-megi-s-pinehpone-kernel
-    # - i don't know if these patches are based on megi's or original
-    (manjaroPatch
-      "2001-Bluetooth-Add-new-quirk-for-broken-local-ext-features.patch"
-      "sha256-CExhJuUWivegxPdnzKINEsKrMFx/m/1kOZFmlZ2SEOc="
-    )
-    (manjaroPatch
-      "2002-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch"
-      "sha256-dDdvOphTcP/Aog93HyH+L9m55laTgtjndPSE4/rnzUA="
-    )
-    (manjaroPatch
-      "2004-arm64-dts-allwinner-enable-bluetooth-pinetab-pinepho.patch"
-      "sha256-o43P3WzXyHK1PF+Kdter4asuyGAEKO6wf5ixcco2kCQ="
-    )
-    # XXX: this one has a Makefile, which hardcodes /sbin/depmod:
-    # - drivers/staging/rtl8723cs/Makefile
-    # - not sure if this is problematic?
-    (manjaroPatch
-      "2005-staging-add-rtl8723cs-driver.patch"
-      "sha256-6ywm3dQQ5JYl60CLKarxlSUukwi4QzqctCj3tVgzFbo="
-    )
-  ];
+    if (${dmesg} --kernel --level err --color=never --notime | ${grep} -q 'sun4i-drm display-engine: failed to bind 1ee0000.hdmi')
+    then
+      echo "reprobing sun8i_drm_hdmi"
+      # if a command here fails it errors the whole service, so prefer to log instead
+      ${modprobe} -r sun8i_drm_hdmi || echo "failed to unload sun8i_drm_hdmi"
+      ${modprobe} sun8i_drm_hdmi || echo "failed to load sub8i_drm_hdmi"
+    fi
+  '';
 in
 {
-  # use Megi's kernel:
-  # even with the Manjaro patches, stock 5.18 has a few issues on Pinephone:
-  # - no battery charging
-  # - phone rotation sensor is off by 90 degrees
-  # - ambient light sensor causes screen brightness to be shakey
-  # - phosh greeter may not appear after wake from sleep
   boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
+  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-manjaro;
+  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
 
-  # alternatively, use nixos' kernel and add the stuff we want:
-  # # cross-compilation optimization:
-  # boot.kernelPackages =
-  #   let p = (import nixpkgs { localSystem = "x86_64-linux"; });
-  #   in p.pkgsCross.aarch64-multiplatform.linuxPackages_5_18;
-  # # non-cross:
-  # # boot.kernelPackages = pkgs.linuxPackages_5_18;
-
+  # alternatively, apply patches directly to stock nixos kernel:
   # boot.kernelPatches = manjaroPatches ++ [
   #   (patchDefconfig kernelConfig)
   # ];
 
+  # configure nixos to build a compressed kernel image, since it doesn't usually do that for aarch64 target.
+  # without this i run out of /boot space in < 10 generations
   nixpkgs.hostPlatform.linux-kernel = {
     # defaults:
     name = "aarch64-multiplatform";
@@ -80,4 +65,7 @@ in
     target = "Image.gz";  # <-- compress the kernel image
     # target = "zImage";  # <-- confuses other parts of nixos :-(
   };
+
+  services.xserver.displayManager.job.preStart = ensureHWReady;
+  systemd.services.greetd.preStart = ensureHWReady;
 }

hosts/by-name/moby/polyfill.nix

@@ -4,11 +4,17 @@
 #
 # NixOS backgrounds:
 # - <https://github.com/NixOS/nixos-artwork>
+#   - <https://github.com/NixOS/nixos-artwork/issues/50>  (colorful; unmerged)
+#   - <https://github.com/NixOS/nixos-artwork/pull/60/files>  (desktop-oriented; clean; unmerged)
 # - <https://itsfoss.com/content/images/2023/04/nixos-tutorials.png>
 
-{ pkgs, sane-lib, ... }:
+{ lib, pkgs, sane-lib, ... }:
 let
-  bg-01 = ./nixos-bg-01.png;
+  # TODO: generate this from the .svg
+  # bg = ./nixos-bg-02.png;
+  bg = pkgs.runCommand "nixos-bg.png" { nativeBuildInputs = [ pkgs.inkscape ]; } ''
+    inkscape ${./nixos-bg-02.svg} -o $out
+  '';
 in
 {
   sane.programs.firefox.config = {
@@ -23,6 +29,7 @@ in
   };
 
   sane.gui.sxmo = {
+    nogesture = true;
     settings = {
       ### hardware: touch screen
       SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-path/platform-1c2ac00.i2c-event";
@@ -30,6 +37,90 @@ in
 
 
       ### preferences
+      # notable bemenu options:
+      #   - see `bemenu --help` for all
+      #   -P, --prefix          text to show before highlighted item.
+      #   --scrollbar           display scrollbar. (none (default), always, autohide)
+      #   -H, --line-height     defines the height to make each menu line (0 = default height). (wx)
+      #   -M, --margin          defines the empty space on either side of the menu. (wx)
+      #   -W, --width-factor    defines the relative width factor of the menu (from 0 to 1). (wx)
+      #   -B, --border          defines the width of the border in pixels around the menu. (wx)
+      #   -R  --border-radius   defines the radius of the border around the menu (0 = no curved borders).
+      #   --ch                  defines the height of the cursor (0 = scales with line height). (wx)
+      #   --cw                  defines the width of the cursor. (wx)
+      #   --hp                  defines the horizontal padding for the entries in single line mode. (wx)
+      #   --fn                  defines the font to be used ('name [size]'). (wx)
+      #   --tb                  defines the title background color. (wx)
+      #   --tf                  defines the title foreground color. (wx)
+      #   --fb                  defines the filter background color. (wx)
+      #   --ff                  defines the filter foreground color. (wx)
+      #   --nb                  defines the normal background color. (wx)
+      #   --nf                  defines the normal foreground color. (wx)
+      #   --hb                  defines the highlighted background color. (wx)
+      #   --hf                  defines the highlighted foreground color. (wx)
+      #   --fbb                 defines the feedback background color. (wx)
+      #   --fbf                 defines the feedback foreground color. (wx)
+      #   --sb                  defines the selected background color. (wx)
+      #   --sf                  defines the selected foreground color. (wx)
+      #   --ab                  defines the alternating background color. (wx)
+      #   --af                  defines the alternating foreground color. (wx)
+      #   --scb                 defines the scrollbar background color. (wx)
+      #   --scf                 defines the scrollbar foreground color. (wx)
+      #   --bdr                 defines the border color. (wx)
+      #
+      # colors are specified as `#RRGGBB`
+      # defaults:
+      # --ab "#222222"
+      # --af "#bbbbbb"
+      # --bdr "#005577"
+      # --border 3
+      # --cb "#222222"
+      # --center
+      # --cf "#bbbbbb"
+      # --fb "#222222"
+      # --fbb "#eeeeee"
+      # --fbf "#222222"
+      # --ff "#bbbbbb"
+      # --fixed-height
+      # --fn 'Sxmo 14'
+      # --hb "#005577"
+      # --hf "#eeeeee"
+      # --line-height 20
+      # --list 16
+      # --margin 40
+      # --nb "#222222"
+      # --nf "#bbbbbb"
+      # --no-overlap
+      # --no-spacing
+      # --sb "#323232"
+      # --scb "#005577"
+      # --scf "#eeeeee"
+      # --scrollbar autohide
+      # --tb "#005577"
+      # --tf "#eeeeee"
+      # --wrap
+      BEMENU_OPTS = let
+        bg = "#1d1721";       # slight purple
+        fg0 = "#d8d8d8";      # inactive text (light grey)
+        fg1 = "#ffffff";      # active text   (white)
+        accent0 = "#1f5e54";  # darker but saturated teal
+        accent1 = "#418379";  # teal (matches nixos-bg)
+        accent2 = "#5b938a";  # brighter but muted teal
+      in lib.concatStringsSep " " [
+        "--wrap --scrollbar autohide --fixed-height"
+        "--center --margin 45"
+        "--no-spacing"
+        # XXX: font size doesn't seem to take effect (would prefer larger)
+        "--fn 'Sxmo 14' --line-height 22 --border 3"
+        "--bdr '${accent0}'"                     # border
+        "--scf '${accent2}' --scb '${accent0}'"  # scrollbar
+        "--tb '${accent0}' --tf '${fg0}'"        # title
+        "--fb '${accent0}' --ff '${fg1}'"        # filter (i.e. text that's been entered)
+        "--hb '${accent1}' --hf '${fg1}'"        # selected item
+        "--nb '${bg}' --nf '${fg0}'"             # normal lines (even)
+        "--ab '${bg}' --af '${fg0}'"             # alternated lines (odd)
+        "--cf '${accent0}' --cb '${accent0}'"    # cursor (not very useful)
+      ];
       DEFAULT_COUNTRY = "US";
 
       # BEMENU lines (wayland DMENU):
@@ -43,7 +134,7 @@ in
       # - close is 16th entry
       SXMO_BEMENU_LANDSCAPE_LINES = "11";  # default 8
       SXMO_BEMENU_PORTRAIT_LINES = "16";  # default 16
-      SXMO_BG_IMG = "${bg-01}";
+      SXMO_BG_IMG = "${bg}";
       SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff (default: 8)
       # gravity: how far to tilt the device before the screen rotates
       # for a given setting, normal <-> invert requires more movement then left <-> right
@@ -76,11 +167,8 @@ in
       WVKBD_LANDSCAPE_LAYERS = "landscape,special,emoji";
       WVKBD_LAYERS = "full,special,emoji";
     };
-    package = pkgs.sxmo-utils.overrideAttrs (base: {
+    package = pkgs.sxmo-utils-latest.overrideAttrs (base: {
       postPatch = (base.postPatch or "") + ''
-        # don't enable gestures at launch
-        # sed -i '/superctl start sxmo_hook_lisgd/d' ./configs/default_hooks/sxmo_hook_start.sh
-
         cat <<EOF >> ./configs/default_hooks/sxmo_hook_start.sh
         # rotate UI based on physical display angle by default
         sxmo_daemons.sh start autorotate sxmo_autorotate.sh

hosts/by-name/servo/default.nix

@@ -18,6 +18,10 @@
   sane.roles.build-machine.enable = true;
   sane.roles.build-machine.emulation = false;
   sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
+  sane.programs.consoleUtils.suggestedPrograms = [
+    "desktopConsoleUtils"
+    "sane-scripts.stop-all-servo"
+  ];
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.enableWan = true;

hosts/by-name/servo/fs.nix

@@ -2,6 +2,9 @@
 
 {
   sane.persist.root-on-tmpfs = true;
+  # increase /tmp space (defaults to 50% of RAM) for building large nix things.
+  # even the stock `nixpkgs.linux` consumes > 16 GB of tmp
+  fileSystems."/tmp".options = [ "size=32G" ];
 
   fileSystems."/nix" = {
     device = "/dev/disk/by-uuid/cc81cca0-3cc7-4d82-a00c-6243af3e7776";

hosts/by-name/servo/services/default.nix

@@ -7,7 +7,7 @@
     ./email
     ./ejabberd.nix
     ./freshrss.nix
-    ./ftp
+    ./export
     ./gitea.nix
     ./goaccess.nix
     ./ipfs.nix
@@ -18,7 +18,6 @@
     ./lemmy.nix
     ./matrix
     ./navidrome.nix
-    ./nfs.nix
     ./nixserve.nix
     ./nginx.nix
     ./pict-rs.nix

hosts/by-name/servo/services/ejabberd.nix

@@ -14,76 +14,105 @@
 #
 # compliance tests:
 # - <https://compliance.conversations.im/server/uninsane.org/#xep0352>
+#
+# administration:
+# - `sudo -u ejabberd ejabberdctl help`
+#
+# federation/support matrix:
+# - avatars
+#   - nixnet.services + dino: works in MUCs but not DMs  (as of 2023 H1)
+#   - movim.eu + dino: works in DMs, MUCs untested  (as of 2023/08/29)
+# - calls
+#   - local + dino: audio, video, works in DMs  (as of 2023/08/29)
+#   - movim.eu + dino: audio, video, works in DMs, no matter which side initiates  (as of 2023/08/30)
+#   - +native-cell-number@cheogram.com + dino: audio works in DMs, no matter which side initiates  (as of 2023/09/01)
+#     - can receive calls even if sender isn't in my roster
+#     - this is presumably using JMP.chat's SIP servers, which then convert it to XMPP call
+#
+# bugs:
+# - 2023/09/01: will randomly stop federating. `systemctl restart ejabberd` fixes, but takes 10 minutes.
 { config, lib, pkgs, ... }:
 
-# XXX: avatar support works in MUCs but not DMs
-# lib.mkIf false
+let
+  # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
+  # TURN port range (inclusive)
+  turnPortLow = 49152;
+  turnPortHigh = 49167;
+  turnPortRange = lib.range turnPortLow turnPortHigh;
+in
 {
   sane.persist.sys.plaintext = [
     { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
   ];
-  sane.ports.ports."3478" = {
-    protocol = [ "tcp" "udp" ];
-    visibleTo.lan = true;
-    visibleTo.wan = true;
-    description = "colin-xmpp-stun-turn";
-  };
-  sane.ports.ports."5222" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    visibleTo.wan = true;
-    description = "colin-xmpp-client-to-server";
-  };
-  sane.ports.ports."5223" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    visibleTo.wan = true;
-    description = "colin-xmpps-client-to-server";  # XMPP over TLS
-  };
-  sane.ports.ports."5269" = {
-    protocol = [ "tcp" ];
-    visibleTo.wan = true;
-    description = "colin-xmpp-server-to-server";
-  };
-  sane.ports.ports."5270" = {
-    protocol = [ "tcp" ];
-    visibleTo.wan = true;
-    description = "colin-xmpps-server-to-server";  # XMPP over TLS
-  };
-  sane.ports.ports."5280" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    visibleTo.wan = true;
-    description = "colin-xmpp-bosh";
-  };
-  sane.ports.ports."5281" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    visibleTo.wan = true;
-    description = "colin-xmpp-bosh-https";
-  };
-  sane.ports.ports."5349" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    visibleTo.wan = true;
-    description = "colin-xmpp-stun-turn-over-tls";
-  };
-  sane.ports.ports."5443" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    visibleTo.wan = true;
-    description = "colin-xmpp-web-services";  # file uploads, websockets, admin
-  };
-
-  # TODO: forward these TURN ports!
-  networking.firewall.allowedTCPPortRanges = [{
-    from = 49152;  # TURN
-    to = 49408;
-  }];
-  networking.firewall.allowedUDPPortRanges = [{
-    from = 49152;  # TURN
-    to = 49408;
-  }];
+  sane.ports.ports = lib.mkMerge ([
+    {
+      "3478" = {
+        protocol = [ "tcp" "udp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-xmpp-stun-turn";
+      };
+      "5222" = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-xmpp-client-to-server";
+      };
+      "5223" = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-xmpps-client-to-server";  # XMPP over TLS
+      };
+      "5269" = {
+        protocol = [ "tcp" ];
+        visibleTo.wan = true;
+        description = "colin-xmpp-server-to-server";
+      };
+      "5270" = {
+        protocol = [ "tcp" ];
+        visibleTo.wan = true;
+        description = "colin-xmpps-server-to-server";  # XMPP over TLS
+      };
+      "5280" = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-xmpp-bosh";
+      };
+      "5281" = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-xmpp-bosh-https";
+      };
+      "5349" = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-xmpp-stun-turn-over-tls";
+      };
+      "5443" = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-xmpp-web-services";  # file uploads, websockets, admin
+      };
+    }
+  ] ++ (builtins.map
+    (port: {
+      "${builtins.toString port}" = let
+        count = port - turnPortLow + 1;
+        numPorts = turnPortHigh - turnPortLow + 1;
+      in {
+        protocol = [ "tcp" "udp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-xmpp-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
+      };
+    })
+    turnPortRange
+  ));
 
   # provide access to certs
   # TODO: this should just be `acme`. then we also add nginx to the `acme` group.
@@ -272,8 +301,8 @@
             module: ejabberd_stun
             transport: tcp
             use_turn: true
-            turn_min_port: 49152
-            turn_max_port: 65535
+            turn_min_port: ${builtins.toString turnPortLow}
+            turn_max_port: ${builtins.toString turnPortHigh}
             turn_ipv4_address: %ANATIVE%
           -
             # STUN+TURN UDP
@@ -281,8 +310,8 @@
             module: ejabberd_stun
             transport: udp
             use_turn: true
-            turn_min_port: 49152
-            turn_max_port: 65535
+            turn_min_port: ${builtins.toString turnPortLow}
+            turn_max_port: ${builtins.toString turnPortHigh}
             turn_ipv4_address: %ANATIVE%
           -
             # STUN+TURN TLS over TCP
@@ -292,8 +321,8 @@
             tls: true
             certfile: /var/lib/acme/uninsane.org/full.pem
             use_turn: true
-            turn_min_port: 49152
-            turn_max_port: 65535
+            turn_min_port: ${builtins.toString turnPortLow}
+            turn_max_port: ${builtins.toString turnPortHigh}
             turn_ipv4_address: %ANATIVE%
 
         # TODO: enable mod_fail2ban

hosts/by-name/servo/services/export/default.nix

@@ -0,0 +1,53 @@
+{ config, ... }:
+{
+  imports = [
+    ./nfs.nix
+    ./sftpgo.nix
+  ];
+
+  users.groups.export = {};
+
+  fileSystems."/var/export/media" = {
+    # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
+    device = "/var/lib/uninsane/media";
+    options = [ "rbind" ];
+  };
+  # fileSystems."/var/export/playground" = {
+  #   device = config.fileSystems."/mnt/persist/ext".device;
+  #   fsType = "btrfs";
+  #   options = [
+  #     "subvol=export-playground"
+  #     "compress=zstd"
+  #     "defaults"
+  #   ];
+  # };
+  # N.B.: the backing directory should be manually created here **as a btrfs subvolume** and with a quota.
+  # - `sudo btrfs subvolume create /mnt/persist/ext/persist/var/export/playground`
+  # - `sudo btrfs quota enable /mnt/persist/ext/persist/var/export/playground`
+  # - `sudo btrfs quota rescan -sw /mnt/persist/ext/persist/var/export/playground`
+  # to adjust the limits (which apply at the block layer, i.e. post-compression):
+  # - `sudo btrfs qgroup limit 20G /mnt/persist/ext/persist/var/export/playground`
+  # to query the quota/status:
+  # - `sudo btrfs qgroup show -re /var/export/playground`
+  sane.persist.sys.ext = [
+    { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; }
+  ];
+
+  sane.fs."/var/export/README.md" = {
+    wantedBy = [ "nfs.service" "sftpgo.service" ];
+    file.text = ''
+      - media/         read-only:  Videos, Music, Books, etc
+      - playground/    read-write: use it to share files with other users of this server
+    '';
+  };
+
+  sane.fs."/var/export/playground/README.md" = {
+    wantedBy = [ "nfs.service" "sftpgo.service" ];
+    file.text = ''
+      this directory is intentionally read+write by anyone with access (i.e. on the LAN).
+      - share files
+      - write poetry
+      - be a friendly troll
+    '';
+  };
+}

hosts/by-name/servo/services/export/nfs.nix

@@ -0,0 +1,110 @@
+# docs:
+# - <https://nixos.wiki/wiki/NFS>
+# - <https://wiki.gentoo.org/wiki/Nfs-utils>
+# system files:
+# - /etc/exports
+# system services:
+# - nfs-server.service
+# - nfs-idmapd.service
+# - nfs-mountd.service
+# - nfsdcld.service
+# - rpc-statd.service
+# - rpcbind.service
+#
+# TODO: force files to be 755, or 750.
+# - could maybe be done with some mount option?
+
+{ config, lib, ... }:
+{
+  services.nfs.server.enable = true;
+
+  # see which ports NFS uses with:
+  # - `rpcinfo -p`
+  sane.ports.ports."111" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server portmapper";
+  };
+  sane.ports.ports."2049" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    description = "NFS server";
+  };
+  sane.ports.ports."4000" = {
+    protocol = [ "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server status daemon";
+  };
+  sane.ports.ports."4001" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server lock daemon";
+  };
+  sane.ports.ports."4002" = {
+    protocol = [ "tcp" "udp" ];
+    visibleTo.lan = true;
+    description = "NFS server mount daemon";
+  };
+
+  # NFS4 allows these to float, but NFS3 mandates specific ports, so fix them for backwards compat.
+  services.nfs.server.lockdPort = 4001;
+  services.nfs.server.mountdPort = 4002;
+  services.nfs.server.statdPort = 4000;
+
+  # format:
+  #   fspoint	visibility(options)
+  # options:
+  # - see: <https://wiki.gentoo.org/wiki/Nfs-utils#Exports>
+  # - see [man 5 exports](https://linux.die.net/man/5/exports)
+  # - insecure:  require clients use src port > 1024
+  # - rw, ro (default)
+  # - async, sync (default)
+  # - no_subtree_check (default), subtree_check: verify not just that files requested by the client live
+  #     in the expected fs, but also that they live under whatever subdirectory of that fs is exported.
+  # - no_root_squash, root_squash (default): map requests from uid 0 to user `nobody`.
+  # - crossmnt:  reveal filesystems that are mounted under this endpoint
+  # - fsid:  must be zero for the root export
+  #   - fsid=root  is alias for fsid=0
+  # - mountpoint[=/path]:  only export the directory if it's a mountpoint. used to avoid exporting failed mounts.
+  # - all_squash: rewrite all client requests such that they come from anonuid/anongid
+  #   - any files a user creates are owned by local anonuid/anongid.
+  #   - users can read any local file which anonuid/anongid would be able to read.
+  #   - users can't chown to/away from anonuid/anongid.
+  #   - users can chmod files they own, to anything (making them unreadable to non-`nfsuser` export users, like FTP).
+  #   - `stat` remains unchanged, returning the real UIDs/GIDs to the client.
+  #     - thus programs which check `uid` or `gid` before trying an operation may incorrectly conclude they can't perform some op.
+  #
+  # 10.0.0.0/8 to export both to LAN (readonly, unencrypted) and wg vpn (read-write, encrypted)
+  services.nfs.server.exports =
+  let
+    fmtExport = { export, baseOpts, extraLanOpts ? [], extraVpnOpts ? [] }:
+      let
+        always = [ "subtree_check" ];
+        lanOpts = always ++ baseOpts ++ extraLanOpts;
+        vpnOpts = always ++ baseOpts ++ extraVpnOpts;
+      in "${export} 10.78.79.0/22(${lib.concatStringsSep "," lanOpts}) 10.0.10.0/24(${lib.concatStringsSep "," vpnOpts})";
+  in lib.concatStringsSep "\n" [
+    (fmtExport {
+      export = "/var/export";
+      baseOpts = [ "crossmnt" "fsid=root" ];
+      extraLanOpts = [ "ro" ];
+      extraVpnOpts = [ "rw" "no_root_squash" ];
+    })
+    (fmtExport {
+      export = "/var/export/playground";
+      baseOpts = [
+        "mountpoint"
+        "all_squash"
+        "rw"
+        "anonuid=${builtins.toString config.users.users.nfsuser.uid}"
+        "anongid=${builtins.toString config.users.groups.export.gid}"
+      ];
+    })
+  ];
+
+  users.users.nfsuser = {
+    description = "virtual user for anonymous NFS operations";
+    group = "export";
+    isSystemUser = true;
+  };
+}

hosts/by-name/servo/services/export/sftpgo.nix

@@ -0,0 +1,179 @@
+# docs:
+# - <https://github.com/drakkan/sftpgo>
+# - config options: <https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md>
+# - config defaults: <https://github.com/drakkan/sftpgo/blob/main/sftpgo.json>
+# - nixos options: <repo:nixos/nixpkgs:nixos/modules/services/web-apps/sftpgo.nix>
+# - nixos example: <repo:nixos/nixpkgs:nixos/tests/sftpgo.nix>
+#
+# sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
+#
+# TODO: change umask so sftpgo-created files default to 644.
+# - it does indeed appear that the 600 is not something sftpgo is explicitly doing.
+
+
+{ config, lib, pkgs, sane-lib, ... }:
+let
+  # user permissions:
+  # - see <repo:drakkan/sftpgo:internal/dataprovider/user.go>
+  # - "*" = grant all permissions
+  # - read-only perms:
+  #   - "list" = list files and directories
+  #   - "download"
+  # - rw perms:
+  #   - "upload"
+  #   - "overwrite" = allow uploads to replace existing files
+  #   - "delete" = delete files and directories
+  #     - "delete_files"
+  #     - "delete_dirs"
+  #   - "rename" = rename files and directories
+  #     - "rename_files"
+  #     - "rename_dirs"
+  #   - "create_dirs"
+  #   - "create_symlinks"
+  #   - "chmod"
+  #   - "chown"
+  #   - "chtimes" = change atime/mtime (access and modification times)
+  #
+  # home_dir:
+  # - it seems (empirically) that a user can't cd above their home directory.
+  #   though i don't have a reference for that in the docs.
+  authResponseSuccess = {
+    status = 1;
+    username = "anonymous";
+    expiration_date = 0;
+    home_dir = "/var/export";
+    # uid/gid 0 means to inherit sftpgo uid.
+    # - i.e. users can't read files which Linux user `sftpgo` can't read
+    # - uploaded files belong to Linux user `sftpgo`
+    # other uid/gid values aren't possible for localfs backend, unless i let sftpgo use `sudo`.
+    uid = 0;
+    gid = 0;
+    # uid = 65534;
+    # gid = 65534;
+    max_sessions = 0;
+    # quota_*: 0 means to not use SFTP's quota system
+    quota_size = 0;
+    quota_files = 0;
+    permissions = {
+      "/" = [ "list" "download" ];
+      "/playground" = [
+        # read-only:
+        "list"
+        "download"
+        # write:
+        "upload"
+        "overwrite"
+        "delete"
+        "rename"
+        "create_dirs"
+        "create_symlinks"
+        # intentionally omitted:
+        # "chmod"
+        # "chown"
+        # "chtimes"
+      ];
+    };
+    upload_bandwidth = 0;
+    download_bandwidth = 0;
+    filters = {
+      allowed_ip = [];
+      denied_ip = [];
+    };
+    public_keys = [];
+    # other fields:
+    # ? groups
+    # ? virtual_folders
+  };
+  authResponseFail = {
+    username = "";
+  };
+  authSuccessJson = pkgs.writeText "sftp-auth-success.json" (builtins.toJSON authResponseSuccess);
+  authFailJson = pkgs.writeText "sftp-auth-fail.json" (builtins.toJSON authResponseFail);
+  unwrappedAuthProgram = pkgs.static-nix-shell.mkBash {
+    pname = "sftpgo_external_auth_hook";
+    src = ./.;
+    pkgs = [ "coreutils" ];
+  };
+  authProgram = pkgs.writeShellScript "sftpgo-auth-hook" ''
+    ${unwrappedAuthProgram}/bin/sftpgo_external_auth_hook ${authFailJson} ${authSuccessJson}
+  '';
+in
+{
+  # Client initiates a FTP "control connection" on port 21.
+  # - this handles the client -> server commands, and the server -> client status, but not the actual data
+  # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
+  # - 50000-50100 is a common port range for this.
+  sane.ports.ports = {
+    "21" = {
+      protocol = [ "tcp" ];
+      visibleTo.lan = true;
+      description = "colin-FTP server";
+    };
+  } // (sane-lib.mapToAttrs
+    (port: {
+      name = builtins.toString port;
+      value = {
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        description = "colin-FTP server data port range";
+      };
+    })
+    (lib.range 50000 50100)
+  );
+
+  services.sftpgo = {
+    enable = true;
+    group = "export";
+    settings = {
+      ftpd = {
+        bindings = [
+          {
+            # binding this means any wireguard client can connect
+            address = "10.0.10.5";
+            port = 21;
+            debug = true;
+          }
+          {
+            # binding this means any LAN client can connect
+            address = "10.78.79.51";
+            port = 21;
+            debug = true;
+          }
+        ];
+
+        # active mode is susceptible to "bounce attacks", without much benefit over passive mode
+        disable_active_mode = true;
+        hash_support = true;
+        passive_port_range = {
+          start = 50000;
+          end = 50100;
+        };
+
+        banner = ''
+          Welcome, friends, to Colin's read-only FTP server! Also available via NFS on the same host.
+          Username: "anonymous"
+          Password: "anonymous"
+          CONFIGURE YOUR CLIENT FOR "PASSIVE" mode, e.g. `ftp --passive uninsane.org`
+          Please let me know if anything's broken or not as it should be. Otherwise, browse and DL freely :)
+        '';
+
+      };
+      data_provider = {
+        driver = "memory";
+        external_auth_hook = "${authProgram}";
+        # track_quota:
+        # - 0: disable quota tracking
+        # - 1: quota is updated on every upload/delete, even if user has no quota restriction
+        # - 2: quota is updated on every upload/delete, but only if user/folder has a quota restriction  (default, i think)
+        # track_quota = 2;
+      };
+    };
+  };
+
+  users.users.sftpgo.extraGroups = [ "export" ];
+
+  systemd.services.sftpgo.serviceConfig = {
+    ReadOnlyPaths = [ "/var/export" ];
+    ReadWritePaths = [ "/var/export/playground" ];
+  };
+}

hosts/by-name/servo/services/export/sftpgo_external_auth_hook

@@ -0,0 +1,23 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p coreutils
+# vim: set filetype=bash :
+#
+# available environment variables:
+# - SFTPGO_AUTHD_USERNAME
+# - SFTPGO_AUTHD_USER
+# - SFTPGO_AUTHD_IP
+# - SFTPGO_AUTHD_PROTOCOL  = { "DAV", "FTP", "HTTP", "SSH" }
+# - SFTPGO_AUTHD_PASSWORD
+# - SFTPGO_AUTHD_PUBLIC_KEY
+# - SFTPGO_AUTHD_KEYBOARD_INTERACTIVE
+# - SFTPGO_AUTHD_TLS_CERT
+#
+#
+# call with <script_name> /path/to/fail/response.json /path/to/success/response.json
+
+
+if [ "$SFTPGO_AUTHD_USERNAME" = "anonymous" ]; then
+  cat "$2"
+else
+  cat "$1"
+fi

hosts/by-name/servo/services/ftp/default.nix

@@ -1,70 +0,0 @@
-# docs:
-# - <https://github.com/drakkan/sftpgo>
-# - config options: <https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md>
-# - config defaults: <https://github.com/drakkan/sftpgo/blob/main/sftpgo.json>
-# - nixos options: <repo:nixos/nixpkgs:nixos/modules/services/web-apps/sftpgo.nix>
-#
-# sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
-
-
-{ lib, pkgs, sane-lib, ... }:
-let
-  authProgram = pkgs.static-nix-shell.mkBash {
-    pname = "sftpgo_external_auth_hook";
-    src = ./.;
-  };
-in
-{
-  # Client initiates a FTP "control connection" on port 21.
-  # - this handles the client -> server commands, and the server -> client status, but not the actual data
-  # - file data, directory listings, etc need to be transferred on an ephemeral "data port".
-  # - 50000-50100 is a common port range for this.
-  sane.ports.ports = {
-    "21" = {
-      protocol = [ "tcp" ];
-      visibleTo.lan = true;
-      description = "colin-FTP server";
-    };
-  } // (sane-lib.mapToAttrs
-    (port: {
-      name = builtins.toString port;
-      value = {
-        protocol = [ "tcp" ];
-        visibleTo.lan = true;
-        description = "colin-FTP server data port range";
-      };
-    })
-    (lib.range 50000 50100)
-  );
-
-  services.sftpgo = {
-    enable = true;
-    settings = {
-      ftpd = {
-        bindings = [{
-          address = "10.0.10.5";
-          port = 21;
-          debug = true;
-        }];
-
-        # active mode is susceptible to "bounce attacks", without much benefit over passive mode
-        disable_active_mode = true;
-        hash_support = true;
-        passive_port_range = {
-          start = 50000;
-          end = 50100;
-        };
-
-        banner = ''
-          Welcome, friends, to Colin's read-only FTP server! Also available via NFS on the same host.
-          Please let me know if anything's broken or not as it should be. Otherwise, browse and DL freely :)
-        '';
-
-      };
-      data_provider = {
-        driver = "memory";
-        external_auth_hook = "${authProgram}/bin/sftpgo_external_auth_hook";
-      };
-    };
-  };
-}

hosts/by-name/servo/services/ftp/sftpgo_external_auth_hook

@@ -1,55 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash
-# vim: set filetype=bash :
-#
-# available environment variables:
-# - SFTPGO_AUTHD_USERNAME
-# - SFTPGO_AUTHD_USER
-# - SFTPGO_AUTHD_IP
-# - SFTPGO_AUTHD_PROTOCOL  = { "DAV", "FTP", "HTTP", "SSH" }
-# - SFTPGO_AUTHD_PASSWORD
-# - SFTPGO_AUTHD_PUBLIC_KEY
-# - SFTPGO_AUTHD_KEYBOARD_INTERACTIVE
-# - SFTPGO_AUTHD_TLS_CERT
-#
-# user permissions:
-# - see <repo:drakkan/sftpgo:internal/dataprovider/user.go>
-# - "*" = grant all permissions
-# - read-only perms:
-#   - "list" = list files and directories
-#   - "download"
-# - rw perms:
-#   - "upload"
-#   - "overwrite" = allow uploads to replace existing files
-#   - "delete" = delete files and directories
-#     - "delete_files"
-#     - "delete_dirs"
-#   - "rename" = rename files and directories
-#     - "rename_files"
-#     - "rename_dirs"
-#   - "create_dirs"
-#   - "create_symlinks"
-#   - "chmod"
-#   - "chown"
-#   - "chtimes" = change atime/mtime (access and modification times)
-#
-# home_dir:
-# - it seems (empirically) that a user can't cd above their home directory.
-#   though i don't have a reference for that in the docs.
-# TODO: don't reuse /var/nfs/export here. formalize this some other way.
-
-
-if [ "$SFTPGO_AUTHD_USERNAME" = "anonymous" ]; then
-  echo '{'
-  echo '  "status":1,'
-  echo '  "username":"anonymous","expiration_date":0,'
-  echo '  "home_dir":"/var/nfs/export","uid":65534,"gid":65534,"max_sessions":0,"quota_size":0,"quota_files":100000,'
-  echo '  "permissions":{'
-  echo '    "/":["list", "download"]'
-  echo '  },'
-  echo '  "upload_bandwidth":0,"download_bandwidth":0,'
-  echo '  "filters":{"allowed_ip":[],"denied_ip":[]},"public_keys":[]'
-  echo '}'
-else
-  echo '{"username":""}'
-fi

hosts/by-name/servo/services/lemmy.nix

@@ -3,13 +3,23 @@
 # - <repo:LemmyNet/lemmy:docker/nginx.conf>
 # - <repo:LemmyNet/lemmy-ansible:templates/nginx.conf>
 
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   inherit (builtins) toString;
   inherit (lib) mkForce;
   uiPort = 1234;  # default ui port is 1234
   backendPort = 8536; # default backend port is 8536
-  # - i guess the "backend" port is used for federation?
+  #^ i guess the "backend" port is used for federation?
+  pict-rs = pkgs.pict-rs.overrideAttrs (upstream: {
+    # as of v 0.4.2, all non-GIF video is forcibly transcoded.
+    # that breaks lemmy, because of the request latency.
+    # and it eats up hella CPU.
+    # pict-rs is iffy around video altogether: mp4 seems the best supported.
+    postPatch = (upstream.postPatch or "") + ''
+      substituteInPlace src/validate.rs \
+        --replace 'if transcode_options.needs_reencode() {' 'if false {'
+    '';
+  });
 in {
   services.lemmy = {
     enable = true;
@@ -56,4 +66,20 @@ in {
   };
 
   sane.dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";
+
+  #v DO NOT REMOVE: defaults to 0.3, instead of latest, so always need to explicitly set this.
+  services.pict-rs.package = pict-rs;
+
+  # pict-rs configuration is applied in this order:
+  # - via toml
+  # - via env vars (overrides everything above)
+  # - via CLI flags (overrides everything above)
+  # some of the CLI flags have defaults, making it the only actual way to configure certain things even when docs claim otherwise.
+  # CLI args: <https://git.asonix.dog/asonix/pict-rs#user-content-running>
+  systemd.services.pict-rs.serviceConfig.ExecStart = lib.mkForce (lib.concatStringsSep " " [
+    "${lib.getBin pict-rs}/bin/pict-rs run"
+    "--media-max-frame-count" (builtins.toString (30*60*60))
+    "--media-process-timeout 120"
+    "--media-enable-full-video true"  # allow audio
+  ]);
 }

hosts/by-name/servo/services/nfs.nix

@@ -1,67 +0,0 @@
-# docs:
-# - <https://nixos.wiki/wiki/NFS>
-# - <https://wiki.gentoo.org/wiki/Nfs-utils>
-
-{ ... }:
-{
-  services.nfs.server.enable = true;
-
-  # see which ports NFS uses with:
-  # - `rpcinfo -p`
-  sane.ports.ports."111" = {
-    protocol = [ "tcp" "udp" ];
-    visibleTo.lan = true;
-    description = "NFS server portmapper";
-  };
-  sane.ports.ports."2049" = {
-    protocol = [ "tcp" ];
-    visibleTo.lan = true;
-    description = "NFS server";
-  };
-  sane.ports.ports."4000" = {
-    protocol = [ "udp" ];
-    visibleTo.lan = true;
-    description = "NFS server status daemon";
-  };
-  sane.ports.ports."4001" = {
-    protocol = [ "tcp" "udp" ];
-    visibleTo.lan = true;
-    description = "NFS server lock daemon";
-  };
-  sane.ports.ports."4002" = {
-    protocol = [ "tcp" "udp" ];
-    visibleTo.lan = true;
-    description = "NFS server mount daemon";
-  };
-
-  # NFS4 allows these to float, but NFS3 mandates specific ports, so fix them for backwards compat.
-  services.nfs.server.lockdPort = 4001;
-  services.nfs.server.mountdPort = 4002;
-  services.nfs.server.statdPort = 4000;
-
-  # format:
-  #   fspoint	visibility(options)
-  # options:
-  # - see: <https://wiki.gentoo.org/wiki/Nfs-utils#Exports>
-  # - see [man 5 exports](https://linux.die.net/man/5/exports)
-  # - insecure:  require clients use src port > 1024
-  # - rw, ro (default)
-  # - async, sync (default)
-  # - no_subtree_check (default), subtree_check: verify not just that files requested by the client live
-  #     in the expected fs, but also that they live under whatever subdirectory of that fs is exported.
-  # - no_root_squash, root_squash (default): map requests from uid 0 to user `nobody`.
-  # - crossmnt:  reveal filesystems that are mounted under this endpoint
-  # - fsid:  must be zero for the root export
-  # - mountpoint[=/path]:  only export the directory if it's a mountpoint. used to avoid exporting failed mounts.
-  #
-  # 10.0.0.0/8 to export (readonly) both to LAN (unencrypted) and wg vpn (encrypted)
-  services.nfs.server.exports = ''
-    /var/nfs/export 10.78.79.0/22(ro,crossmnt,fsid=0,subtree_check) 10.0.10.0/24(rw,no_root_squash,crossmnt,fsid=0,subtree_check)
-  '';
-
-  fileSystems."/var/nfs/export/media" = {
-    # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
-    device = "/var/lib/uninsane/media";
-    options = [ "rbind" ];
-  };
-}

hosts/by-name/servo/services/pleroma.nix

@@ -63,6 +63,7 @@ in
       database: "pleroma",
       hostname: "localhost",
       pool_size: 10,
+      prepare: :named,
       parameters: [
           plan_cache_mode: "force_custom_plan"
       ]

hosts/by-name/servo/services/postgres.nix

@@ -1,12 +1,39 @@
-{ ... }:
+{ pkgs, ... }:
 
+let
+  GiB = n: MiB 1024*n;
+  MiB = n: KiB 1024*n;
+  KiB = n: 1024*n;
+in
 {
   sane.persist.sys.plaintext = [
     # TODO: mode?
     { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; }
   ];
   services.postgresql.enable = true;
-  # services.postgresql.dataDir = "/opt/postgresql/13";
+
+  # HOW TO UPDATE:
+  # postgres version updates are manual and require intervention.
+  # - `sane-stop-all-servo`
+  # - `systemctl start postgresql`
+  # - as `sudo su postgres`:
+  #   - `cd /var/log/postgresql`
+  #   - `pg_dumpall > state.sql`
+  #   - `echo placeholder > <new_version>`  # to prevent state from being created earlier than we want
+  # - then, atomically:
+  #   - update the `services.postgresql.package` here
+  #   - `dataDir` is atomically updated to match package; don't touch
+  #   - `nixos-rebuild --flake . switch ; sane-stop-all-servo`
+  # - `sudo rm -rf /var/lib/postgresql/<new_version>`
+  # - `systemctl start postgresql`
+  # - as `sudo su postgres`:
+  #   - `cd /var/lib/postgreql`
+  #   - `psql -f state.sql`
+  # - restart dependent services (maybe test one at a time)
+
+  services.postgresql.package = pkgs.postgresql_15;
+
+
   # XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
   # services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
   #   CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '<password goes here>';
@@ -17,10 +44,33 @@
   #     LC_CTYPE = "C";
   # '';
 
-  # TODO: perf tuning
+  # perf tuning
   # - for recommended values see: <https://pgtune.leopard.in.ua/>
   # - for official docs (sparse), see: <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
-  # services.postgresql.settings = { ... }
+  services.postgresql.settings = {
+    # DB Version: 15
+    # OS Type: linux
+    # DB Type: web
+    # Total Memory (RAM): 32 GB
+    # CPUs num: 12
+    # Data Storage: ssd
+    max_connections = 200;
+    shared_buffers = "8GB";
+    effective_cache_size = "24GB";
+    maintenance_work_mem = "2GB";
+    checkpoint_completion_target = 0.9;
+    wal_buffers = "16MB";
+    default_statistics_target = 100;
+    random_page_cost = 1.1;
+    effective_io_concurrency = 200;
+    work_mem = "10485kB";
+    min_wal_size = "1GB";
+    max_wal_size = "4GB";
+    max_worker_processes = 12;
+    max_parallel_workers_per_gather = 4;
+    max_parallel_workers = 12;
+    max_parallel_maintenance_workers = 4;
+  };
 
   # daily backups to /var/backup
   services.postgresqlBackup.enable = true;

hosts/common/feeds.nix

@@ -1,4 +1,5 @@
 # where to find good stuff?
+# - podcasts w/ a community: <https://lemmyverse.net/communities?query=podcast>
 # - podcast rec thread: <https://lemmy.ml/post/1565858>
 #
 # candidates:
@@ -67,7 +68,12 @@ let
     (fromDb "craphound.com" // pol)
     ## Maggie Killjoy -- referenced by Cory Doctorow
     (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)
+    ## also Maggie Killjoy
+    (fromDb "feeds.megaphone.fm/behindthebastards" // pol)
+    ## Jennifer Briney
     (fromDb "congressionaldish.libsyn.com" // pol)
+    (fromDb "werenotwrong.fireside.fm" // pol)
+    (fromDb "usefulidiots.substack.com" // pol)
     # (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
     ## Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
@@ -119,6 +125,16 @@ let
     ## The Witch Trials of J.K. Rowling
     ## - <https://www.thefp.com/witchtrials>
     (mkPod "https://feeds.megaphone.fm/RUNMED9919162779" // pol // infrequent)
+    ## Atlas Obscura
+    (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)
+    ## Ezra Klein Show
+    (fromDb "feeds.simplecast.com/82FI35Px" // pol)
+    ## Wireshark Podcast o_0
+    (fromDb "sharkbytes.transistor.fm" // tech)
+    ## 3/4 German; 1/4 eps are English
+    (fromDb "omegataupodcast.net" // tech)
+    ## Lateral with Tom Scott
+    (mkPod "https://audioboom.com/channels/5097784.rss" // tech)
   ];
 
   texts = [
@@ -220,6 +236,7 @@ let
     (fromDb "preposterousuniverse.com" // rat)
     (mkSubstack "eliqian" // rat // weekly)
     (mkText "https://acoup.blog/feed" // rat // weekly)
+    (fromDb "mindingourway.com" // rat)
 
     ## mostly dating topics. not advice, or humor, but looking through a social lens
     (fromDb "putanumonit.com" // rat)

hosts/common/fs.nix

@@ -1,136 +1,143 @@
 # docs
 # - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
 
-{ pkgs, sane-lib, ... }:
+{ lib, pkgs, sane-lib, ... }:
 
-let fsOpts = rec {
-  common = [
-    "_netdev"
-    "noatime"
-    "user"  # allow any user with access to the device to mount the fs
-    "x-systemd.requires=network-online.target"
-    "x-systemd.after=network-online.target"
-    "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
-  ];
-  auto = [ "x-systemd.automount" ];
-  noauto = [ "noauto" ];  # don't mount as part of remote-fs.target
-  wg = [
-    "x-systemd.requires=wireguard-wg-home.service"
-    "x-systemd.after=wireguard-wg-home.service"
-  ];
+let
+  fsOpts = rec {
+    common = [
+      "_netdev"
+      "noatime"
+      "user"  # allow any user with access to the device to mount the fs
+      "x-systemd.requires=network-online.target"
+      "x-systemd.after=network-online.target"
+      "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
+    ];
+    auto = [ "x-systemd.automount" ];
+    noauto = [ "noauto" ];  # don't mount as part of remote-fs.target
+    wg = [
+      "x-systemd.requires=wireguard-wg-home.service"
+      "x-systemd.after=wireguard-wg-home.service"
+    ];
 
-  ssh = common ++ [
-    "identityfile=/home/colin/.ssh/id_ed25519"
-    "allow_other"
-    "default_permissions"
-  ];
-  sshColin = ssh ++ [
-    "transform_symlinks"
-    "idmap=user"
-    "uid=1000"
-    "gid=100"
-  ];
-  sshRoot = ssh ++ [
-    # we don't transform_symlinks because that breaks the validity of remote /nix stores
-    "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
-  ];
-  # in the event of hunt NFS mounts, consider:
-  # - <https://unix.stackexchange.com/questions/31979/stop-broken-nfs-mounts-from-locking-a-directory>
+    ssh = common ++ [
+      "identityfile=/home/colin/.ssh/id_ed25519"
+      "allow_other"
+      "default_permissions"
+    ];
+    sshColin = ssh ++ [
+      "transform_symlinks"
+      "idmap=user"
+      "uid=1000"
+      "gid=100"
+    ];
+    sshRoot = ssh ++ [
+      # we don't transform_symlinks because that breaks the validity of remote /nix stores
+      "sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
+    ];
+    # in the event of hunt NFS mounts, consider:
+    # - <https://unix.stackexchange.com/questions/31979/stop-broken-nfs-mounts-from-locking-a-directory>
 
-  # NFS options: <https://linux.die.net/man/5/nfs>
-  # actimeo=n  = how long (in seconds) to cache file/dir attributes (default: 3-60s)
-  # bg         = retry failed mounts in the background
-  # retry=n    = for how many minutes `mount` will retry NFS mount operation
-  # soft       = on "major timeout", report I/O error to userspace
-  # retrans=n  = how many times to retry a NFS request before giving userspace a "server not responding" error (default: 3)
-  # timeo=n    = number of *deciseconds* to wait for a response before retrying it (default: 600)
-  #              note: client uses a linear backup, so the second request will have double this timeout, then triple, etc.
-  nfs = common ++ [
-    # "actimeo=10"
-    "bg"
-    "retrans=4"
-    "retry=0"
-    "soft"
-    "timeo=15"
-    "nofail"  # don't fail remote-fs.target when this mount fails  (not an option for sshfs else would be common)
-  ];
-};
+    # NFS options: <https://linux.die.net/man/5/nfs>
+    # actimeo=n  = how long (in seconds) to cache file/dir attributes (default: 3-60s)
+    # bg         = retry failed mounts in the background
+    # retry=n    = for how many minutes `mount` will retry NFS mount operation
+    # soft       = on "major timeout", report I/O error to userspace
+    # retrans=n  = how many times to retry a NFS request before giving userspace a "server not responding" error (default: 3)
+    # timeo=n    = number of *deciseconds* to wait for a response before retrying it (default: 600)
+    #              note: client uses a linear backup, so the second request will have double this timeout, then triple, etc.
+    nfs = common ++ [
+      # "actimeo=10"
+      "bg"
+      "retrans=4"
+      "retry=0"
+      "soft"
+      "timeo=15"
+      "nofail"  # don't fail remote-fs.target when this mount fails  (not an option for sshfs else would be common)
+    ];
+  };
+  remoteHome = host: {
+    fileSystems."/mnt/${host}-home" = {
+      device = "colin@${host}:/home/colin";
+      fsType = "fuse.sshfs";
+      options = fsOpts.sshColin ++ fsOpts.noauto;
+      noCheck = true;
+    };
+    sane.fs."/mnt/${host}-home" = sane-lib.fs.wantedDir;
+  };
 in
-{
-  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
-  sane.fs."/var/lib/private".dir.acl.mode = "0700";
+lib.mkMerge [
+  {
+    # some services which use private directories error if the parent (/var/lib/private) isn't 700.
+    sane.fs."/var/lib/private".dir.acl.mode = "0700";
 
-  # in-memory compressed RAM
-  # defaults to compressing at most 50% size of RAM
-  # claimed compression ratio is about 2:1
-  # - but on moby w/ zstd default i see 4-7:1  (ratio lowers as it fills)
-  # note that idle overhead is about 0.05% of capacity (e.g. 2B per 4kB page)
-  # docs: <https://www.kernel.org/doc/Documentation/blockdev/zram.txt>
-  #
-  # to query effectiveness:
-  # `cat /sys/block/zram0/mm_stat`. whitespace separated fields:
-  # - *orig_data_size*  (bytes)
-  # - *compr_data_size* (bytes)
-  # - mem_used_total    (bytes)
-  # - mem_limit         (bytes)
-  # - mem_used_max      (bytes)
-  # - *same_pages*  (pages which are e.g. all zeros (consumes no additional mem))
-  # - *pages_compacted*  (pages which have been freed thanks to compression)
-  # - huge_pages  (incompressible)
-  #
-  # see also:
-  # - `man zramctl`
-  zramSwap.enable = true;
-  # how much ram can be swapped into the zram device.
-  # this shouldn't be higher than the observed compression ratio.
-  # the default is 50% (why?)
-  # 100% should be "guaranteed" safe so long as the data is even *slightly* compressible.
-  # but it decreases working memory under the heaviest of loads by however much space the compressed memory occupies (e.g. 50% if 2:1; 25% if 4:1)
-  zramSwap.memoryPercent = 100;
+    # in-memory compressed RAM
+    # defaults to compressing at most 50% size of RAM
+    # claimed compression ratio is about 2:1
+    # - but on moby w/ zstd default i see 4-7:1  (ratio lowers as it fills)
+    # note that idle overhead is about 0.05% of capacity (e.g. 2B per 4kB page)
+    # docs: <https://www.kernel.org/doc/Documentation/blockdev/zram.txt>
+    #
+    # to query effectiveness:
+    # `cat /sys/block/zram0/mm_stat`. whitespace separated fields:
+    # - *orig_data_size*  (bytes)
+    # - *compr_data_size* (bytes)
+    # - mem_used_total    (bytes)
+    # - mem_limit         (bytes)
+    # - mem_used_max      (bytes)
+    # - *same_pages*  (pages which are e.g. all zeros (consumes no additional mem))
+    # - *pages_compacted*  (pages which have been freed thanks to compression)
+    # - huge_pages  (incompressible)
+    #
+    # see also:
+    # - `man zramctl`
+    zramSwap.enable = true;
+    # how much ram can be swapped into the zram device.
+    # this shouldn't be higher than the observed compression ratio.
+    # the default is 50% (why?)
+    # 100% should be "guaranteed" safe so long as the data is even *slightly* compressible.
+    # but it decreases working memory under the heaviest of loads by however much space the compressed memory occupies (e.g. 50% if 2:1; 25% if 4:1)
+    zramSwap.memoryPercent = 100;
 
-  # fileSystems."/mnt/servo-nfs" = {
-  #   device = "servo-hn:/";
-  #   noCheck = true;
-  #   fsType = "nfs";
-  #   options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
-  # };
-  fileSystems."/mnt/servo-nfs/media" = {
-    device = "servo-hn:/media";
-    noCheck = true;
-    fsType = "nfs";
-    options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
-  };
-  # fileSystems."/mnt/servo-media-nfs" = {
-  #   device = "servo-hn:/media";
-  #   noCheck = true;
-  #   fsType = "nfs";
-  #   options = fsOpts.common ++ fsOpts.auto;
-  # };
-  sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
+    # fileSystems."/mnt/servo-nfs" = {
+    #   device = "servo-hn:/";
+    #   noCheck = true;
+    #   fsType = "nfs";
+    #   options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+    # };
+    fileSystems."/mnt/servo-nfs/media" = {
+      device = "servo-hn:/media";
+      noCheck = true;
+      fsType = "nfs";
+      options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+    };
+    fileSystems."/mnt/servo-nfs/playground" = {
+      device = "servo-hn:/playground";
+      noCheck = true;
+      fsType = "nfs";
+      options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
+    };
+    # fileSystems."/mnt/servo-media-nfs" = {
+    #   device = "servo-hn:/media";
+    #   noCheck = true;
+    #   fsType = "nfs";
+    #   options = fsOpts.common ++ fsOpts.auto;
+    # };
+    sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
 
-  fileSystems."/mnt/desko-home" = {
-    device = "colin@desko:/home/colin";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshColin ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/desko-home" = sane-lib.fs.wantedDir;
-  fileSystems."/mnt/desko-root" = {
-    device = "colin@desko:/";
-    fsType = "fuse.sshfs";
-    options = fsOpts.sshRoot ++ fsOpts.noauto;
-    noCheck = true;
-  };
-  sane.fs."/mnt/desko-root" = sane-lib.fs.wantedDir;
+    environment.pathsToLink = [
+      # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
+      # we can only link whole directories here, even though we're only interested in pkgs.openssh
+      "/libexec"
+    ];
 
-  environment.pathsToLink = [
-    # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
-    # we can only link whole directories here, even though we're only interested in pkgs.openssh
-    "/libexec"
-  ];
+    environment.systemPackages = [
+      pkgs.sshfs-fuse
+    ];
+  }
 
-  environment.systemPackages = [
-    pkgs.sshfs-fuse
-  ];
-}
+  (remoteHome "desko")
+  (remoteHome "lappy")
+  (remoteHome "moby")
+]
 

hosts/common/hardware.nix

@@ -23,7 +23,6 @@
 
   # non-free firmware
   hardware.enableRedistributableFirmware = true;
-  services.fwupd.enable = true;
 
   # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
   powerManagement.powertop.enable = false;

hosts/common/ids.nix

@@ -44,6 +44,8 @@
   sane.ids.sftpgo.gid = 2410;
   sane.ids.trust-dns.uid = 2411;
   sane.ids.trust-dns.gid = 2411;
+  sane.ids.export.gid = 2412;
+  sane.ids.nfsuser.uid = 2413;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;

hosts/common/programs/alacritty.nix

@@ -0,0 +1,24 @@
+# alacritty terminal emulator
+# - config options: <https://github.com/alacritty/alacritty/blob/master/extra/man/alacritty.5.scd>
+#   - `man 5 alacritty`
+#   - defaults: <https://github.com/alacritty/alacritty/releases>  -> alacritty.yml
+# - irc: #alacritty on libera.chat
+{ lib, ... }:
+{
+  sane.programs.alacritty = {
+    env.TERMINAL = lib.mkDefault "alacritty";
+    # note: alacritty will switch to .toml config in 13.0 release
+    # - run `alacritty migrate` to convert the yaml to toml
+    fs.".config/alacritty/alacritty.yml".symlink.text = ''
+      font:
+        size: 14
+
+      key_bindings:
+        - { key: N,         mods: Control,        action: CreateNewWindow }
+        - { key: PageUp,    mods: Control,        action: ScrollPageUp }
+        - { key: PageDown,  mods: Control,        action: ScrollPageDown }
+        - { key: PageUp,    mods: Control|Shift,  action: ScrollPageUp }
+        - { key: PageDown,  mods: Control|Shift,  action: ScrollPageDown }
+    '';
+  };
+}

hosts/common/programs/assorted.nix

@@ -1,175 +1,209 @@
 { pkgs, ... }:
 
+let
+  declPackageSet = pkgs: {
+    package = null;
+    suggestedPrograms = pkgs;
+  };
+in
 {
   sane.programs = {
     # PACKAGE SETS
-    sysadminUtils = {
-      package = null;
-      suggestedPrograms = [
-        "btrfs-progs"
-        "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
-        "cryptsetup"
-        "dig"
-        "efibootmgr"
-        "fatresize"
-        "fd"
-        "file"
-        "gawk"
-        "git"
-        "gptfdisk"
-        "hdparm"
-        "htop"
-        "iftop"
-        "inetutils"  # for telnet
-        "iotop"
-        "iptables"
-        "jq"
-        "killall"
-        "lsof"
-        "miniupnpc"
-        "nano"
-        #  "ncdu"  # ncurses disk usage. doesn't cross compile (zig)
-        "neovim"
-        "netcat"
-        "nethogs"
-        "nmap"
-        "openssl"
-        "parted"
-        "pciutils"
-        "powertop"
-        "pstree"
-        "ripgrep"
-        "screen"
-        "smartmontools"
-        "socat"
-        "strace"
-        "subversion"
-        "tcpdump"
-        "tree"
-        "usbutils"
-        "wget"
-        "wirelesstools"  # iwlist
-      ];
-    };
-    sysadminExtraUtils = {
-      package = null;
-      suggestedPrograms = [
-        "backblaze-b2"
-        "duplicity"
-        "sqlite"  # to debug sqlite3 databases
-      ];
-    };
+    "sane-scripts.backup" = declPackageSet [
+      "sane-scripts.backup-ls"
+      "sane-scripts.backup-restore"
+    ];
+    "sane-scripts.bittorrent" = declPackageSet [
+      "sane-scripts.bt-add"
+      "sane-scripts.bt-rm"
+      "sane-scripts.bt-search"
+      "sane-scripts.bt-show"
+    ];
+    "sane-scripts.dev" = declPackageSet [
+      "sane-scripts.dev-cargo-loop"
+      "sane-scripts.git-init"
+    ];
+    "sane-scripts.cli" = declPackageSet [
+      "sane-scripts.deadlines"
+      "sane-scripts.find-dotfiles"
+      "sane-scripts.ip-check"
+      "sane-scripts.ip-reconnect"
+      "sane-scripts.private-change-passwd"
+      "sane-scripts.private-do"
+      "sane-scripts.private-init"
+      "sane-scripts.private-lock"
+      "sane-scripts.private-unlock"
+      "sane-scripts.rcp"
+      "sane-scripts.reboot"
+      "sane-scripts.reclaim-boot-space"
+      "sane-scripts.reclaim-disk-space"
+      "sane-scripts.secrets-dump"
+      "sane-scripts.secrets-unlock"
+      "sane-scripts.secrets-update-keys"
+      "sane-scripts.shutdown"
+      "sane-scripts.ssl-dump"
+      "sane-scripts.sudo-redirect"
+      "sane-scripts.sync-from-servo"
+      "sane-scripts.vpn-down"
+      "sane-scripts.vpn-up"
+      "sane-scripts.which"
+      "sane-scripts.wipe-browser"
+    ];
+    "sane-scripts.sys-utils" = declPackageSet [
+      "sane-scripts.ip-port-forward"
+      "sane-scripts.sync-music"
+    ];
+
+
+    sysadminUtils = declPackageSet [
+      "btrfs-progs"
+      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
+      "cryptsetup"
+      "dig"
+      "efibootmgr"
+      "fatresize"
+      "fd"
+      "file"
+      # "fwupd"
+      "gawk"
+      "git"
+      "gptfdisk"
+      "hdparm"
+      "htop"
+      "iftop"
+      "inetutils"  # for telnet
+      "iotop"
+      "iptables"
+      "jq"
+      "killall"
+      "lsof"
+      "miniupnpc"
+      "nano"
+      #  "ncdu"  # ncurses disk usage. doesn't cross compile (zig)
+      "neovim"
+      "netcat"
+      "nethogs"
+      "nmap"
+      "openssl"
+      "parted"
+      "pciutils"
+      "powertop"
+      "pstree"
+      "ripgrep"
+      "screen"
+      "smartmontools"
+      "socat"
+      "strace"
+      "subversion"
+      "tcpdump"
+      "tree"
+      "usbutils"
+      "wget"
+      "wirelesstools"  # iwlist
+    ];
+    sysadminExtraUtils = declPackageSet [
+      "backblaze-b2"
+      "duplicity"
+      "sane-scripts.backup"
+      "sqlite"  # to debug sqlite3 databases
+    ];
 
     # TODO: split these into smaller groups.
     # - moby doesn't want a lot of these.
     # - categories like
     #   - dev?
     #   - debugging?
-    consoleUtils = {
-      package = null;
-      suggestedPrograms = [
-        "alsaUtils"  # for aplay, speaker-test
-        # "cdrtools"
-        "clinfo"
-        "dmidecode"
-        "efivar"
-        # "flashrom"
-        "fwupd"
-        "gh"  # MS GitHub cli
-        "git"  # needed as a user package, for config.
-        # "gnupg"
-        # "gocryptfs"
-        # "gopass"
-        # "gopass-jsonapi"
-        "helix"  # text editor
-        "kitty"  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-        "libsecret"  # for managing user keyrings. TODO: what needs this? lift into the consumer
-        "lm_sensors"  # for sensors-detect. TODO: what needs this? lift into the consumer
-        "lshw"
-        # "memtester"
-        "neovim"  # needed as a user package, for swap persistence
-        # "nettools"
-        # "networkmanager"
-        "nix-index"
-        "nixpkgs-review"
-        # "nixos-generators"
-        "nmon"
-        # "node2nix"
-        # "oathToolkit"  # for oathtool
-        # "ponymix"
-        "pulsemixer"
-        "python3"
-        # "python3Packages.eyeD3"  # music tagging
-        "ripgrep"  # needed as a user package so that its user-level config file can be installed
-        "rsync"
-        "sane-scripts"
-        "sequoia"
-        "snapper"
-        "sops"
-        "speedtest-cli"
-        # "ssh-to-age"
-        "sudo"
-        # "tageditor"  # music tagging
-        "unar"
-        "wireguard-tools"
-        "xdg-terminal-exec"
-        "xdg-utils"  # for xdg-open
-        # "yarn"
-        "zsh"
-      ];
-    };
+    consoleUtils = declPackageSet [
+      "alsaUtils"  # for aplay, speaker-test
+      # "cdrtools"
+      "clinfo"
+      "dmidecode"
+      "dtrx"  # `unar` alternative, "Do The Right eXtraction"
+      "efivar"
+      # "flashrom"
+      "git"  # needed as a user package, for config.
+      # "gnupg"
+      # "gocryptfs"
+      # "gopass"
+      # "gopass-jsonapi"
+      "helix"  # text editor
+      # "kitty"  # XXX needs to be in consolueUtils because `ssh servo` from kitty sets `TERM=xterm-kitty` in the remote and breaks things
+      "libsecret"  # for managing user keyrings. TODO: what needs this? lift into the consumer
+      "lm_sensors"  # for sensors-detect. TODO: what needs this? lift into the consumer
+      "lshw"
+      # "memtester"
+      "neovim"  # needed as a user package, for swap persistence
+      # "nettools"
+      # "networkmanager"
+      # "nixos-generators"
+      "nmon"
+      # "node2nix"
+      # "oathToolkit"  # for oathtool
+      # "ponymix"
+      "pulsemixer"
+      "python3"
+      # "python3Packages.eyeD3"  # music tagging
+      "ripgrep"  # needed as a user package so that its user-level config file can be installed
+      "rsync"
+      "sane-scripts.bittorrent"
+      "sane-scripts.cli"
+      "snapper"
+      "sops"
+      "speedtest-cli"
+      # "ssh-to-age"
+      "sudo"
+      # "tageditor"  # music tagging
+      # "unar"
+      "wireguard-tools"
+      "xdg-terminal-exec"
+      "xdg-utils"  # for xdg-open
+      # "yarn"
+      "zsh"
+    ];
 
-    consoleMediaUtils = {
-      package = null;
-      suggestedPrograms = [
-        "ffmpeg"
-        "imagemagick"
-        "sox"
-        "yt-dlp"
-      ];
-    };
+    desktopConsoleUtils = declPackageSet [
+      "gh"  # MS GitHub cli
+      "nix-index"
+      "nixpkgs-review"
+      "sane-scripts.dev"
+      "sequoia"
+    ];
 
-    tuiApps = {
-      package = null;
-      suggestedPrograms = [
-        "aerc"  # email client
-        "msmtp"  # sendmail
-        "offlineimap"  # email mailox sync
-        "sfeed"  # RSS fetcher
-        "visidata"  # TUI spreadsheet viewer/editor
-        "w3m"  # web browser
-      ];
-    };
+    consoleMediaUtils = declPackageSet [
+      "ffmpeg"
+      "imagemagick"
+      "sox"
+      "yt-dlp"
+    ];
 
-    iphoneUtils = {
-      package = null;
-      suggestedPrograms = [
-        "ifuse"
-        "ipfs"
-        "libimobiledevice"
-      ];
-    };
+    tuiApps = declPackageSet [
+      "aerc"  # email client
+      "msmtp"  # sendmail
+      "offlineimap"  # email mailbox sync
+      "sfeed"  # RSS fetcher
+      "visidata"  # TUI spreadsheet viewer/editor
+      "w3m"  # web browser
+    ];
 
-    devPkgs = {
-      package = null;
-      suggestedPrograms = [
-        "clang"
-        "nodejs"
-        "tree-sitter"
-      ];
-    };
+    iphoneUtils = declPackageSet [
+      "ifuse"
+      "ipfs"
+      "libimobiledevice"
+      "sane-scripts.sync-from-iphone"
+    ];
+
+    devPkgs = declPackageSet [
+      "clang"
+      "nodejs"
+      "tree-sitter"
+    ];
 
 
     # INDIVIDUAL PACKAGE DEFINITIONS
 
-    dino.persist.private = [ ".local/share/dino" ];
-
     # creds, but also 200 MB of node modules, etc
     discord.persist.private = [ ".config/discord" ];
 
-    # creds/session keys, etc
-    element-desktop.persist.private = [ ".config/Element" ];
-
     # `emote` will show a first-run dialog based on what's in this directory.
     # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
     # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
@@ -177,12 +211,6 @@
 
     fluffychat-moby.persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
 
-    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
-    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
-    # then reboot (so that libsecret daemon re-loads the keyring...?)
-    fractal-latest.persist.private = [ ".local/share/fractal" ];
-    fractal-next.persist.private = [ ".local/share/fractal" ];
-
     # MS GitHub stores auth token in .config
     # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
     gh.persist.private = [ ".config/gh" ];
@@ -193,13 +221,6 @@
 
     mumble.persist.private = [ ".local/share/Mumble" ];
 
-    # not strictly necessary, but allows caching articles; offline use, etc.
-    nheko.persist.private = [
-      ".config/nheko"  # config file (including client token)
-      ".cache/nheko"  # media cache
-      ".local/share/nheko"  # per-account state database
-    ];
-
     # settings (electron app)
     obsidian.persist.plaintext = [ ".config/obsidian" ];
 

hosts/common/programs/cantata.nix

@@ -0,0 +1,36 @@
+# cantata is a mpd frontend.
+# before launching it, run `mopidy` in some tab
+# TODO: auto-launch mopidy when cantata launches?
+{ ... }:
+{
+  sane.programs.cantata = {
+    persist.plaintext = [
+      ".cache/cantata"  # album art
+      ".local/share/cantata/library"  # library index (?)
+    ];
+    fs.".config/cantata/cantata.conf".symlink.text = ''
+      [General]
+      fetchCovers=true
+      storeCoversInMpdDir=false
+      version=2.5.0
+
+      [Connection]
+      allowLocalStreaming=true
+      applyReplayGain=true
+      autoUpdate=false
+      dir=~/Music
+      host=localhost
+      partition=
+      passwd=
+      port=6600
+      replayGain=off
+      streamUrl=
+
+      [LibraryPage]
+      artist\gridZoom=100
+      artist\searchActive=false
+      artist\viewMode=detailedtree
+    '';
+    suggestedPrograms = [ "mopidy" ];
+  };
+}

hosts/common/programs/chatty.nix

@@ -0,0 +1,46 @@
+{ pkgs, ... }:
+let
+  chattyNoOauth = pkgs.chatty.override {
+    # the OAuth feature (presumably used for web-based logins) pulls a full webkitgtk.
+    # especially when using the gtk3 version of evolution-data-server, it's an ancient webkitgtk_4_1.
+    # disable OAuth for a faster build & smaller closure
+    evolution-data-server = pkgs.evolution-data-server.override {
+      enableOAuth2 = false;
+      gnome-online-accounts = pkgs.gnome-online-accounts.override {
+        # disables the upstream "goabackend" feature -- presumably "Gnome Online Accounts Backend"
+        # frees us from webkit_4_1, in turn.
+        enableBackend = false;
+        gvfs = pkgs.gvfs.override {
+          # saves 20 minutes of build time, for unused feature
+          samba = null;
+        };
+      };
+    };
+  };
+  chatty-latest = pkgs.chatty-latest.override {
+    evolution-data-server-gtk4 = pkgs.evolution-data-server-gtk4.override {
+      gnome-online-accounts = pkgs.gnome-online-accounts.override {
+        # disables the upstream "goabackend" feature -- presumably "Gnome Online Accounts Backend"
+        # frees us from webkit_4_1, in turn.
+        enableBackend = false;
+        gvfs = pkgs.gvfs.override {
+          # saves 20 minutes of build time, for unused feature
+          samba = null;
+        };
+      };
+    };
+  };
+in
+{
+  sane.programs.chatty = {
+    # package = chattyNoOauth;
+    package = chatty-latest;
+    suggestedPrograms = [ "gnome-keyring" ];
+    persist.private = [
+      ".local/share/chatty"  # matrix avatars and files
+      # not just XMPP; without this Chatty will regenerate its device-id every boot.
+      # .purple/ contains XMPP *and* Matrix auth, logs, avatar cache, and a bit more
+      ".purple"
+    ];
+  };
+}

hosts/common/programs/default.nix

@@ -3,14 +3,25 @@
 {
   imports = [
     ./aerc.nix
+    ./alacritty.nix
     ./assorted.nix
+    ./cantata.nix
+    ./chatty.nix
     ./cozy.nix
+    ./dino.nix
+    ./element-desktop.nix
     ./epiphany.nix
     ./evince.nix
     ./firefox.nix
     ./fontconfig.nix
+    ./fractal.nix
+    ./fwupd.nix
+    ./g4music.nix
+    ./gajim.nix
     ./git.nix
     ./gnome-feeds.nix
+    ./gnome-keyring.nix
+    ./gnome-weather.nix
     ./gpodder.nix
     ./gthumb.nix
     ./helix.nix
@@ -21,22 +32,28 @@
     ./koreader
     ./libreoffice.nix
     ./lemoa.nix
+    ./megapixels.nix
     ./mepo.nix
+    ./mopidy.nix
     ./mpv.nix
     ./msmtp.nix
     ./neovim.nix
     ./newsflash.nix
+    ./nheko.nix
     ./nix-index.nix
     ./obsidian.nix
     ./offlineimap.nix
+    ./rhythmbox.nix
     ./ripgrep.nix
     ./sfeed.nix
     ./splatmoji.nix
     ./steam.nix
     ./sublime-music.nix
     ./tangram.nix
+    ./tuba.nix
     ./vlc.nix
     ./wireshark.nix
+    ./xarchiver.nix
     ./zeal.nix
     ./zsh
   ];

hosts/common/programs/dino.nix

@@ -0,0 +1,15 @@
+# usage:
+# - start a DM with a rando via
+#   - '+' -> 'start conversation'
+# - add a user to your roster via
+#   - '+' -> 'start conversation' -> '+'  (opens the "add contact" dialog)
+#   - this triggers a popup on the remote side asking them for confirmation
+#   - after the remote's confirmation there will be a local popup for you to allow them to add you to their roster
+# - to make a call:
+#   - ensure the other party is in your roster
+#   - open a DM with the party
+#   - click the phone icon at top (only visible if other party is in your roster)
+{ ... }:
+{
+  sane.programs.dino.persist.private = [ ".local/share/dino" ];
+}

hosts/common/programs/element-desktop.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  sane.programs.element-desktop = {
+    # creds/session keys, etc
+    persist.private = [ ".config/Element" ];
+
+    suggestedPrograms = [ "gnome-keyring" ];
+  };
+}

hosts/common/programs/fontconfig.nix

@@ -8,7 +8,8 @@
       serif = [ "DejaVu Serif" ];
       sansSerif = [ "DejaVu Sans" ];
     };
-    enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
+    #vvv enables dejavu_fonts, freefont_ttf, gyre-fonts, liberation_ttf, unifont, noto-fonts-emoji
+    enableDefaultPackages = true;
+    packages = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
   };
 }

hosts/common/programs/fractal.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  sane.programs.fractal = {
+    # package = pkgs.fractal-latest;
+    package = pkgs.fractal-next;
+
+    # XXX by default fractal stores its state in ~/.local/share/stable/<UUID>.
+    persist.private = [ ".local/share/stable" ];
+
+    suggestedPrograms = [ "gnome-keyring" ];
+  };
+}

hosts/common/programs/fwupd.nix

@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+{
+  services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
+    # enables the dbus service, which i think the frontend speaks to.
+    enable = true;
+  };
+}

hosts/common/programs/g4music.nix

@@ -0,0 +1,16 @@
+# N.B.: requires first-run setup on moby:
+# - UI will render transparent
+# - click the hamburger (top-right: immediately left from close button)
+#   > Preferences
+#     > Background-blur mode: change from "Always" to "Never"
+#
+# the background blur is probably some dconf setting somewhere.
+{ ... }:
+{
+  sane.programs.g4music = {
+    persist.plaintext = [
+      # index?
+      ".cache/com.github.neithern.g4music"
+    ];
+  };
+}

hosts/common/programs/gajim.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  sane.programs.gajim = {
+    persist.private = [
+      # avatars, thumbnails...
+      ".cache/gajim"
+      # sqlite database labeled "settings". definitely includes UI theming
+      ".config/gajim"
+      # omemo keys, downloads, logs
+      ".local/share/gajim"
+    ];
+  };
+}

hosts/common/programs/gnome-keyring.nix

@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+{
+  sane.programs.gnome-keyring = {
+    package = pkgs.gnome.gnome-keyring;
+  };
+  # adds gnome-keyring as a xdg-data-portal (xdg.portal)
+  services.gnome.gnome-keyring = lib.mkIf config.sane.programs.gnome-keyring.enabled {
+    enable = true;
+  };
+}

hosts/common/programs/gnome-weather.nix

@@ -0,0 +1,10 @@
+# preferences are saved via dconf; see `dconf dump /`
+# cache dir is just for weather data (or maybe a http cache)
+{ ... }:
+{
+  sane.programs.gnome-weather = {
+    persist.plaintext = [
+      ".cache/libgweather"
+    ];
+  };
+}

hosts/common/programs/gthumb.nix

@@ -4,10 +4,12 @@
     # compile without webservices to avoid the expensive webkitgtk dependency
     package = pkgs.gthumb.override { withWebservices = false; };
     mime.associations = {
+      "image/gif" = "org.gnome.gThumb.desktop";
       "image/heif" = "org.gnome.gThumb.desktop";  # apple codec
       "image/png" = "org.gnome.gThumb.desktop";
       "image/jpeg" = "org.gnome.gThumb.desktop";
       "image/svg+xml" = "org.gnome.gThumb.desktop";
+      "image/webp" = "org.gnome.gThumb.desktop";
     };
   };
 }

hosts/common/programs/jellyfin-media-player.nix

@@ -3,7 +3,9 @@
 {
   sane.programs.jellyfin-media-player = {
     # package = pkgs.jellyfin-media-player;
-    package = pkgs.jellyfin-media-player-qt6;
+    # qt6 version is slightly buggy, but also most qtwebengine apps (e.g. zeal) are on qt5
+    #   so using qt6 would force yet *another* qtwebengine compile.
+    # package = pkgs.jellyfin-media-player-qt6;
 
     # jellyfin stores things in a bunch of directories: this one persists auth info.
     # it *might* be possible to populate this externally (it's Qt stuff), but likely to

hosts/common/programs/koreader/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, sane-lib, ... }:
+{ config, lib, pkgs, sane-lib, ... }:
 
 let
   feeds = sane-lib.feeds;
@@ -10,11 +10,12 @@ let
     # limit = 0                    => download and keep *all* articles
     # download_full_article = true => populate feed by downloading the webpage -- not just what's encoded in the RSS <article> tags
     # - use this for articles where the RSS only encodes content previews
+    # - in practice, most articles don't work with download_full_article = false
     # enable_filter         = true => only render content that matches the filter_element css selector.
     let fields = [
       (lib.escapeShellArg feed.url)
       "limit = 5"
-      "download_full_article = false"
+      "download_full_article = true"
       "include_images = true"
       "enable_filter = false"
       "filter_element = \"\""
@@ -22,6 +23,7 @@ let
   ) wantedFeeds;
 in {
   sane.programs.koreader = {
+    package = pkgs.koreader-from-src;
     # koreader applies these lua "patches" at boot:
     # - <https://github.com/koreader/koreader/wiki/User-patches>
     # - TODO: upstream this patch to koreader

hosts/common/programs/libreoffice.nix

@@ -1,14 +1,20 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
-  # libreoffice: disable first-run stuff
-  sane.programs.libreoffice-fresh.fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
-    <?xml version="1.0" encoding="UTF-8"?>
-    <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
-      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
-    </oor:items>
-  '';
-  # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
-  # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+  sane.programs.libreoffice = {
+    # package = pkgs.libreoffice-bin;
+    # package = pkgs.libreoffice-still;
+    package = pkgs.libreoffice-fresh;
+
+    # disable first-run stuff
+    fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
+      <?xml version="1.0" encoding="UTF-8"?>
+      <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+        <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
+        <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="ShowTipOfTheDay" oor:op="fuse"><value>false</value></prop></item>
+      </oor:items>
+    '';
+    # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeDonateShown" oor:op="fuse"><value>1667693880</value></prop></item>
+    # <item oor:path="/org.openoffice.Setup/Product"><prop oor:name="LastTimeGetInvolvedShown" oor:op="fuse"><value>1667693880</value></prop></item>
+  };
 }

hosts/common/programs/megapixels.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  sane.programs.megapixels.package = pkgs.megapixels.override {
+    # megapixels uses zbar to read barcodes.
+    # zbar by default ships zbarcam-gtk and zbarcam-qt, neither of which megapixels needs.
+    # but the latter takes a dep on qt, which bloats the closure and the build, so disable this feature.
+    zbar = pkgs.zbar.override {
+      enableVideo = false;
+    };
+  };
+}

hosts/common/programs/mepo.nix

@@ -9,12 +9,18 @@
     persist.private = [
       { type = "file"; path = ".cache/mepo/savestate"; }
     ];
+
+    # give mepo access to gpsd for location data, if that's enabled.
+    # same with geoclue2.
+    suggestedPrograms = lib.optional config.services.gpsd.enable "gpsd"
+      ++ lib.optional config.services.geoclue2.enable "geoclue2-with-demo-agent"
+    ;
   };
 
-  programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
-    # enable location services (via geoclue)
-    enable = true;
-    # more precise, via gpsd ("may require additional config")
-    # programs.mepo.gpsd.enable = true
-  };
+  # programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
+  #   # enable location services (via geoclue)
+  #   enable = true;
+  #   # more precise, via gpsd ("may require additional config")
+  #   # programs.mepo.gpsd.enable = true
+  # };
 }

hosts/common/programs/mopidy.nix

@@ -0,0 +1,56 @@
+# chat: <https://mopidy.zulipchat.com/>
+# config docs: <https://docs.mopidy.com/en/latest/config/>
+# web client: <http://localhost:6680>
+# mpd: hosted on `localhost:6600`, no password`
+#
+# dump config:
+# - `mopidy config`
+# update local file index with
+# - `mopidy local scan`
+#
+# if running as service, those commands are `mopidy --config ... <command>`
+# and config path is found by `systemctl cat mopidy`
+{ config, lib, pkgs, ... }:
+
+let
+  # TODO: upstream this as `mopidy.withExtensions`
+  # this is borrowed from the nixos mopidy service
+  mopidyWithExtensions = extensions: with pkgs; buildEnv {
+    name = "mopidy-with-extensions-${mopidy.version}";
+
+    paths = lib.closePropagation extensions;
+    pathsToLink = [ "/${mopidyPackages.python.sitePackages}" ];
+    nativeBuildInputs = [ makeWrapper ];
+    postBuild = ''
+      makeWrapper ${mopidy}/bin/mopidy $out/bin/mopidy \
+        --prefix PYTHONPATH : $out/${mopidyPackages.python.sitePackages}
+    '';
+  };
+in
+{
+  sane.programs.mopidy = {
+    package = mopidyWithExtensions (with pkgs; [
+      mopidy-iris  # web client: <https://github.com/jaedb/Iris>
+      mopidy-jellyfin
+      mopidy-local
+      mopidy-mpd
+      mopidy-mpris
+      mopidy-spotify
+      # TODO: mopidy-podcast, mopidy-youtube
+
+      # alternate web clients:
+      # mopidy-moped: <https://github.com/martijnboland/moped>
+      # mopidy-muse: <https://github.com/cristianpb/muse>
+    ]);
+    persist.plaintext = [
+      ".local/share/mopidy/local"  # thumbs, library db
+    ];
+    persist.private = [
+      ".local/share/mopidy/http"  # cookie
+    ];
+    secrets.".config/mopidy/mopidy.conf" = ../../../secrets/common/mopidy.conf.bin;
+    # other folders:
+    # - .cache/mopidy
+    # - .config/mopidy
+  };
+}

hosts/common/programs/mpv.nix

@@ -1,13 +1,109 @@
-{ ... }:
+# mpv docs:
+# - <https://mpv.io/manual/master>
+# - <https://github.com/mpv-player/mpv/wiki>
+# curated mpv mods/scripts/users:
+# - <https://github.com/stax76/awesome-mpv>
+{ pkgs, ... }:
 
 {
   sane.programs.mpv = {
+    package = pkgs.wrapMpv pkgs.mpv-unwrapped {
+      youtubeSupport = false;  #< XXX(2023/08/03): doesn't cross compile until next staging -> master merge
+      scripts = with pkgs.mpvScripts; [
+        mpris
+        # uosc
+        pkgs.mpv-uosc-latest
+      ];
+      extraMakeWrapperArgs = [
+        # 2023/08/29: fixes an error where mpv on moby launches with the message
+        #   "DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory"
+        #   audio still works, and controls, screenshotting, etc -- just not the actual rendering
+        # this is likely a regression for mpv 0.36.0.
+        # the actual error message *appears* to come from the mesa library, but it's tough to trace.
+        # run with `--vo=help` to see a list of all output options.
+        # non-exhaustive (F=fails, W=works)
+        # ? libmpv           render API for libmpv
+        # ? gpu              Shader-based GPU Renderer
+        # ? gpu-next         Video output based on libplacebo
+        # ? vdpau            VDPAU with X11
+        # ? wlshm            Wayland SHM video output (software scaling)
+        # ? xv               X11/Xv
+        # W sdl              SDL 2.0 Renderer
+        # F dmabuf-wayland   Wayland dmabuf video output
+        # ? vaapi            VA API with X11
+        # ? x11              X11 (software scaling)
+        # ? null             Null video output
+        # ? caca             libcaca
+        # F drm              Direct Rendering Manager (software scaling)
+        "--add-flags" "--vo=sdl"
+      ];
+    };
     persist.plaintext = [ ".config/mpv/watch_later" ];
-    # format is <key>=%<length>%<value>
-    fs.".config/mpv/mpv.conf".symlink.text = ''
-      save-position-on-quit=%3%yes
-      keep-open=%3%yes
+    fs.".config/mpv/input.conf".symlink.text = ''
+      # let volume keys be interpreted by the system.
+      # this is important for sxmo.
+      VOLUME_UP ignore
+      VOLUME_DOWN ignore
     '';
+    fs.".config/mpv/mpv.conf".symlink.text = ''
+      save-position-on-quit=yes
+      keep-open=yes
+
+      # force GUI, even for tracks w/o album art
+      # see: <https://www.reddit.com/r/mpv/comments/rvrrpt/oscosdgui_and_arch_linux/>
+      player-operation-mode=pseudo-gui
+
+      # use uosc instead (for On Screen Controls)
+      osc=no
+      # uosc provides its own seeking/volume indicators, so you also don't need this
+      osd-bar=no
+      # uosc will draw its own window controls if you disable window border
+      border=no
+    '';
+    fs.".config/mpv/script-opts/osc.conf".symlink.text = ''
+      # make the on-screen controls *always* visible
+      # unfortunately, this applies to full-screen as well
+      # - docs: <https://mpv.io/manual/master/#on-screen-controller-visibility>
+      # if uosc is installed, this file is unused
+      visibility=always
+    '';
+    fs.".config/mpv/script-opts/uosc.conf".symlink.text = let
+      play_pause_btn = "cycle:play_arrow:pause:no=pause/yes=play_arrow";
+      rev_btn = "command:replay_10:seek -10";
+      fwd_btn = "command:forward_30:seek 30";
+    in ''
+      # docs:
+      # - <https://github.com/tomasklaen/uosc>
+      # - <https://superuser.com/questions/1775550/add-new-buttons-to-mpv-uosc-ui>
+      timeline_style=bar
+      timeline_persistency=paused,audio
+      controls_persistency=paused,audio
+      volume_persistency=audio
+      volume_opacity=0.75
+
+      # speed_persistency=paused,audio
+      # vvv  want a close button?
+      top_bar=always
+      top_bar_persistency=paused
+
+      controls=menu,<video>subtitles,<has_many_audio>audio,<has_many_video>video,<has_many_edition>editions,<stream>stream-quality,space,${rev_btn},${play_pause_btn},${fwd_btn},space,speed:1.0,gap,<video>fullscreen
+
+      text_border=6.0
+      font_bold=yes
+      background_text=ff8080
+      foreground=ff8080
+
+      ui_scale=1.0
+    '';
+
+    mime.priority = 200;  # default = 100; 200 means to yield to other apps
+    mime.associations."audio/flac" = "mpv.desktop";
+    mime.associations."audio/mpeg" = "mpv.desktop";
+    mime.associations."audio/x-vorbis+ogg" = "mpv.desktop";
+    mime.associations."video/mp4" = "mpv.desktop";
+    mime.associations."video/quicktime" = "mpv.desktop";
+    mime.associations."video/webm" = "mpv.desktop";
+    mime.associations."video/x-matroska" = "mpv.desktop";
   };
 }
 

hosts/common/programs/nheko.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  # not strictly necessary, but allows caching articles; offline use, etc.
+  sane.programs.nheko.persist.private = [
+    ".config/nheko"  # config file (including client token)
+    ".cache/nheko"  # media cache
+    ".local/share/nheko"  # per-account state database
+  ];
+}

hosts/common/programs/rhythmbox.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  sane.programs.rhythmbox = {
+    persist.plaintext = [
+      # playlists; index
+      ".local/share/rhythmbox"
+      # album art
+      ".cache/rhythmbox"
+    ];
+  };
+}

hosts/common/programs/tuba.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  sane.programs.tuba.suggestedPrograms = [ "gnome-keyring" ];
+}

hosts/common/programs/xarchiver.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  sane.programs.xarchiver.package = pkgs.xarchiver.override {
+    # unar doesn't cross compile well, so disable support for it
+    unar = null;
+  };
+}

hosts/common/programs/zeal.nix

@@ -13,6 +13,7 @@ let
   };
 in {
   sane.programs.zeal = {
+    # package = pkgs.zeal-qt6;  #< TODO: upgrade system to qt6 versions of everything (i.e. jellyfin-media-player, nheko)
     package = pkgs.zeal-qt5;
     persist.plaintext = [
       ".cache/Zeal"

hosts/common/programs/zsh/default.nix

@@ -7,6 +7,7 @@
 #   - $ZDOTDIR/.zprofile
 # - if interactive:
 #   - /etc/zshrc
+#     -> /etc/zinputrc
 #   - $ZDOTDIR/.zshrc
 # - if login (again):
 #   - /etc/zlogin
@@ -79,6 +80,18 @@ in
           hash -d tmp="/home/colin/tmp"
           hash -d uninsane="/home/colin/dev/uninsane"
           hash -d Videos="/home/colin/Videos"
+
+          # emulate bash keybindings
+          bindkey -e
+
+          # or manually recreate what i care about...
+          # key[Left]=''${terminfo[kcub1]}
+          # key[Right]=''${terminfo[kcuf1]}
+          # bindkey '^R'               history-incremental-search-backward
+          # bindkey '^A'               beginning-of-line
+          # bindkey '^E'               end-of-line
+          # bindkey "^''${key[Left]}"  backward-word
+          # bindkey "^''${key[Right]}" forward-word
         '';
       };
     })

hosts/common/secrets.nix

@@ -28,21 +28,26 @@
 { config, lib, sane-lib, ... }:
 
 let
-  inherit (lib.strings) hasSuffix removeSuffix;
   secretsForHost = host: let
     extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path && builtins.hasAttr "guest" config.users.users) {
       owner = "guest";
     };
+    secretsInSrc = (
+      if builtins.pathExists ../../secrets/${host} then
+        sane-lib.enumerateFilePaths ../../secrets/${host}
+      else
+        []
+    );
   in sane-lib.joinAttrsets (
     map
-      (path: lib.optionalAttrs (hasSuffix ".bin" path) (sane-lib.nameValueToAttrs {
-        name = removeSuffix ".bin" path;
+      (path: lib.optionalAttrs (lib.hasSuffix ".bin" path) (sane-lib.nameValueToAttrs {
+        name = lib.removeSuffix ".bin" path;
         value = {
           sopsFile = ../../secrets/${host}/${path};
           format = "binary";
         } // (extraAttrsForPath path);
       }))
-      (sane-lib.enumerateFilePaths ../../secrets/${host})
+      secretsInSrc
   );
 in
 {

hosts/common/users/colin.nix

@@ -16,6 +16,7 @@
     group = "users";
     extraGroups = [
       "dialout"  # required for modem access (moby)
+      "export"  # to read filesystem exports (servo)
       "feedbackd"
       "input"  # for /dev/input/<xyz>: sxmo
       "networkmanager"
@@ -83,7 +84,7 @@
     fs."Books/servo".symlink.target = "/mnt/servo-media/Books";
     fs."Videos/servo".symlink.target = "/mnt/servo-media/Videos";
     fs."Videos/servo-incomplete".symlink.target = "/mnt/servo-media/incomplete";
-    fs."Music/servo".symlink.target = "/mnt/servo-media/Music";
+    # fs."Music/servo".symlink.target = "/mnt/servo-media/Music";
     fs."Pictures/servo-macros".symlink.target = "/mnt/servo-media/Pictures/macros";
 
     # used by password managers, e.g. unix `pass`

hosts/instantiate.nix

@@ -1,10 +1,10 @@
 # trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
 
 # args from flake-level `import`
-{ hostName, localSystem }:
+{ hostName }:
 
 # module args
-{ lib, ... }:
+{ ... }:
 
 {
   imports = [
@@ -14,5 +14,4 @@
   ];
 
   networking.hostName = hostName;
-  nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
 }

hosts/modules/gui/default.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./gnome.nix
+    ./greetd.nix
     ./gtk.nix
     ./phosh.nix
     ./sway
@@ -10,37 +11,43 @@
 
   sane.programs.guiApps = {
     package = null;
-    suggestedPrograms = [
-      "firefox"
+    suggestedPrograms = lib.optionals (pkgs.system == "x86_64-linux") [
+      "x86GuiApps"
+    ] ++ [
+      # package sets
       "tuiApps"
-    ] ++ lib.optional (pkgs.system == "x86_64-linux") "x86GuiApps"
-    ++ [
+    ] ++ [
+      "alacritty"  # terminal emulator
       # "celluloid"  # mpv frontend
+      "chatty"  # matrix/xmpp/irc client
       "cozy"  # audiobook player
+      "dino"  # XMPP client
       # "emote"
       "epiphany"  # gnome's web browser
       "evince"  # works on phosh
+      "firefox"
       # "foliate"  # e-book reader
+      # "fractal"  # matrix client
+      "g4music"  # local music player
       # "gnome.cheese"
       # "gnome-feeds"  # RSS reader (with claimed mobile support)
-      "gnome.file-roller"
+      # "gnome.file-roller"
       # "gnome.gnome-maps"  # works on phosh
-      "gnome.nautilus"
       # "gnome-podcasts"
       # "gnome.gnome-system-monitor"
       # "gnome.gnome-terminal"  # works on phosh
-      # "gnome.gnome-weather"
+      "gnome.gnome-weather"
       "gpodder"
       "gthumb"
       "komikku"
       "koreader"
       "lemoa"  # lemmy app
       # "lollypop"
+      "mate.engrampa"  # archive manager
       "mepo"  # maps viewer
-      # "mpv"
+      "mpv"
       # "networkmanagerapplet"
       # "newsflash"
-      "nheko"
       "pavucontrol"
       # "picard"  # music tagging
       # "libsForQt5.plasmatube"  # Youtube player
@@ -50,7 +57,6 @@
       # "tdesktop"  # broken on phosh
       # "tokodon"
       "tuba"  # mastodon/pleroma client (stores pw in keyring)
-      "vlc"
       # "whalebird"  # pleroma client (Electron). input is broken on phosh.
       "xterm"  # broken on phosh
     ];
@@ -62,28 +68,33 @@
       "audacity"
       "blanket"  # ambient noise generator
       "brave"  # for the integrated wallet -- as a backup
-      "chromium"
-      "dino"
+      "cantata"  # music player (mpd frontend)
+      # "chromium"  # chromium takes hours to build. brave is chromium-based, distributed in binary form, so prefer it.
       "electrum"
       "element-desktop"
       # "font-manager"  #< depends on webkitgtk4_0 (expensive to build)
-      "gajim"  # XMPP client
+      "gajim"  # XMPP client. cross build tries to import host gobject-introspection types (2023/09/01)
       "gimp"  # broken on phosh
       "gnome.dconf-editor"
+      # "gnome.file-roller"
       "gnome.gnome-disk-utility"
+      "gnome.nautilus"  # file browser
       # "gnome.totem"  # video player, supposedly supports UPnP
       "handbrake"
       "hase"
       "inkscape"
-      "jellyfin-media-player"
+      # "jellyfin-media-player"
       "kdenlive"
       "kid3"  # audio tagging
       "krita"
-      "libreoffice-fresh"
+      "libreoffice"  # TODO: replace with an office suite that uses saner packaging?
       "mumble"
+      "nheko"
       "obsidian"
+      "rhythmbox"  # local music player
       "slic3r"
       "steam"
+      "vlc"
       "wireshark"  # could maybe ship the cli as sysadmin pkg
     ];
   };
@@ -92,6 +103,8 @@
     package = null;
     suggestedPrograms = [
       "megapixels"  # camera app
+      "portfolio-filemanager"
+      "xarchiver"
     ];
   };
 

hosts/modules/gui/greetd.nix

@@ -0,0 +1,128 @@
+# greetd source/docs:
+# - <https://git.sr.ht/~kennylevinsen/greetd>
+{ config, lib, pkgs, ... }:
+
+let
+  systemd-cat = "${pkgs.systemd}/bin/systemd-cat";
+  runWithLogger = identifier: cmd: pkgs.writeShellScriptBin identifier ''
+    echo "launching ${identifier}..." | ${systemd-cat} --identifier=${identifier}
+    ${cmd} 2>&1 | ${systemd-cat} --identifier=${identifier}
+  '';
+  cfg = config.sane.gui.greetd;
+in
+{
+  options = with lib; {
+    sane.gui.greetd.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.gui.greetd.session.command = mkOption {
+      type = types.str;
+      description = ''
+        name to use for the default session in syslog.
+      '';
+    };
+    sane.gui.greetd.session.name = mkOption {
+      default = "greetd-session";
+      type = types.str;
+      description = "name of session to use in logger";
+    };
+    sane.gui.greetd.session.user = mkOption {
+      default = null;
+      type = types.nullOr types.str;
+    };
+
+    # helpers for common things to layer on top of greetd
+    sane.gui.greetd.sway.enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        use sway as a wayland compositor in which to host a graphical greeter like gtkgreet, phog, etc.
+      '';
+    };
+    sane.gui.greetd.sway.greeterCmd = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        command for sway to `exec` that provides the actual graphical greeter.
+      '';
+    };
+    sane.gui.greetd.sway.gtkgreet.enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        have sway launch gtkgreet instead of directly presenting a desktop.
+      '';
+    };
+    sane.gui.greetd.sway.gtkgreet.session.command = mkOption {
+      type = types.str;
+      description = ''
+        command for gtkgreet to execute on successful authentication.
+      '';
+    };
+    sane.gui.greetd.sway.gtkgreet.session.name = mkOption {
+      type = types.str;
+      description = ''
+        name to use for the default session in syslog and in the gtkgreet menu.
+        note that this `sessionName` will become a binary on the user's PATH.
+      '';
+    };
+    sane.gui.greetd.sway.gtkgreet.session.user = mkOption {
+      type = types.str;
+      default = "colin";
+      description = ''
+        name of user which one expects to login as.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    (lib.mkIf cfg.sway.enable {
+      sane.gui.greetd.session = if cfg.sway.greeterCmd != null then {
+        name = "sway-as-greeter";
+        command = let
+          swayAsGreeterConfig = pkgs.writeText "sway-as-greeter-config" ''
+            exec ${cfg.sway.greeterCmd}
+          '';
+        in "${pkgs.sway}/bin/sway --debug --config ${swayAsGreeterConfig}";
+      } else {
+        name = "sway";
+        user = lib.mkDefault "colin";
+        command = "${pkgs.sway}/bin/sway --debug";
+      };
+    })
+    (lib.mkIf cfg.sway.gtkgreet.enable (
+      let
+        inherit (cfg.sway.gtkgreet) session;
+        sessionProvider = runWithLogger session.name session.command;
+      in {
+        # gtkgreet shows the --command argument in the UI
+        # - so we want it to look nice (not a /nix/store/... path)
+        # - to do that we put it in the user's PATH.
+        sane.gui.greetd.sway.greeterCmd = "${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command ${session.name}";
+        users.users.${session.user}.packages = [ sessionProvider ];
+      }
+    ))
+
+    {
+      services.greetd = {
+        enable = true;
+
+        # i could have gtkgreet launch the session directly: but stdout/stderr gets dropped
+        # settings.default_session.command = cfg.session.command;
+
+        # wrapper to launch with stdout/stderr redirected to system journal.
+        settings.default_session.command = let
+          launchWithLogger = runWithLogger cfg.session.name cfg.session.command;
+        in "${launchWithLogger}/bin/${cfg.session.name}";
+      };
+
+      # persisting fontconfig & mesa_shader_cache improves start time by ~5x
+      users.users.greeter.home = "/var/lib/greeter";
+      sane.persist.sys.plaintext = [
+        { user = "greeter"; group = "greeter"; path = "/var/lib/greeter/.cache/fontconfig"; }
+        { user = "greeter"; group = "greeter"; path = "/var/lib/greeter/.cache/mesa_shader_cache"; }
+      ];
+    }
+  ]);
+}

hosts/modules/gui/snippets.txt

@@ -5,11 +5,15 @@ https://nixos.org/manual/nix/stable/language/builtins.html
 https://github.com/nixos/nixpkgs/pulls?q=
 https://nur.nix-community.org/
 https://nix-community.github.io/home-manager/options.html
+https://lists.sr.ht/~mil/sxmo-devel
 https://w.uninsane.org/viewer#search?books.name=wikipedia_en_all_maxi_2022-05&pattern=
 https://jackett.uninsane.org/UI/Dashboard#search=
+https://lemmy.uninsane.org
 https://fed.uninsane.org
+https://jelly.uninsane.org
 https://bt.uninsane.org
 https://sci-hub.se
 https://archive.is
 https://news.ycombinator.com
-http://10.78.79.1  # Router/Firewall
+http://10.78.79.1  # router/firewall
+https://jochen-hoenicke.de/queue  # johoe's mempool (bitcoin/ethereum)

hosts/modules/gui/sway/default.nix

@@ -1,44 +1,12 @@
 { config, lib, pkgs, ... }:
- 
+
 # docs: https://nixos.wiki/wiki/Sway
-with lib;
+# sway-config docs: `man 5 sway`
 let
   cfg = config.sane.gui.sway;
-
-  # bare sway launcher
-  sway-launcher = pkgs.writeShellScriptBin "sway-launcher" ''
-    ${pkgs.sway}/bin/sway --debug > /var/log/sway/sway.log 2>&1
-  '';
-  # start sway and have it construct the gtkgreeter
-  sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
-    ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /var/log/sway/sway-as-greeter.log 2>&1
-  '';
-  # (config file for the above)
-  sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
-    exec "${gtkgreet-launcher}"
-  '';
-  # gtkgreet which launches a layered sway instance
-  gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
-    # NB: the "command" field here is run in the user's shell.
-    # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
-    ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sway-launcher
-  '';
-  greeter-session = {
-    # greeter session config
-    command = "${sway-as-greeter}/bin/sway-as-greeter";
-    # alternatives:
-    # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
-    # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
-    # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
-  };
-  greeterless-session = {
-    # no greeter
-    command = "${sway-launcher}/bin/sway-launcher";
-    user = "colin";
-  };
 in
 {
-  options = {
+  options = with lib; {
     sane.gui.sway.enable = mkOption {
       default = false;
       type = types.bool;
@@ -51,8 +19,16 @@ in
       default = true;
       type = types.bool;
     };
+    sane.gui.sway.installConfigs = mkOption {
+      default = true;
+      type = types.bool;
+      description = ''
+        populate ~/.config/sway/config & co with defaults provided by this module.
+      '';
+    };
   };
-  config = mkMerge [
+
+  config = lib.mkMerge [
     {
       sane.programs.swayApps = {
         package = null;
@@ -75,11 +51,9 @@ in
       };
     }
 
-    (mkIf cfg.enable {
+    (lib.mkIf cfg.enable {
       sane.programs.fontconfig.enableFor.system = true;
       sane.programs.swayApps.enableFor.user.colin = true;
-      # we need the greeter's command to be on our PATH
-      users.users.colin.packages = [ sway-launcher ];
 
       sane.gui.gtk.enable = lib.mkDefault true;
       # sane.gui.gtk.gtk-theme = lib.mkDefault "Fluent-Light-compact";
@@ -88,24 +62,21 @@ in
       # swap in these lines to use SDDM instead of `services.greetd`.
       # services.xserver.displayManager.sddm.enable = true;
       # services.xserver.enable = true;
-      services.greetd = {
-        # greetd source/docs:
-        # - <https://git.sr.ht/~kennylevinsen/greetd>
+      sane.gui.greetd.enable = true;
+      sane.gui.greetd.sway.enable = true;  # have greetd launch a sway compositor in which we host a greeter
+      sane.gui.greetd.sway.gtkgreet = lib.mkIf cfg.useGreeter {
         enable = true;
-        settings = {
-          default_session = if cfg.useGreeter then greeter-session else greeterless-session;
-        };
+        session.name = "sway-on-gtkgreet";
+        session.command = "${pkgs.sway}/bin/sway --debug";
       };
 
-      # some programs (e.g. fractal) **require** a "Secret Service Provider"
-      services.gnome.gnome-keyring.enable = true;
-
       # unlike other DEs, sway configures no audio stack
       # administer with pw-cli, pw-mon, pw-top commands
       services.pipewire = {
         enable = true;
         alsa.enable = true;
         alsa.support32Bit = true;  # ??
+        # emulate pulseaudio for legacy apps (e.g. sxmo-utils)
         pulse.enable = true;
       };
 
@@ -127,26 +98,52 @@ in
       # a system service can't depend on a user service, so just launch it at graphical-session
       systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
 
-      sane.fs."/var/log/sway" = {
-        dir.acl.mode = "0777";
-        wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
-      };
-
       programs.sway = {
+        # provides xdg-desktop-portal-wlr, which exposes on dbus:
+        # - org.freedesktop.impl.portal.ScreenCast
+        # - org.freedesktop.impl.portal.Screenshot
         enable = true;
+        extraPackages = [];  # nixos adds swaylock, swayidle, foot, dmenu by default
+        # "wrapGAppsHook wrapper to execute sway with required environment variables for GTK applications."
         wrapperFeatures.gtk = true;
       };
-      sane.user.fs.".config/sway/config".symlink.text =
-        import ./sway-config.nix { inherit pkgs; };
+      # provide portals for:
+      # - org.freedesktop.impl.portal.Access
+      # - org.freedesktop.impl.portal.Account
+      # - org.freedesktop.impl.portal.DynamicLauncher
+      # - org.freedesktop.impl.portal.Email
+      # - org.freedesktop.impl.portal.FileChooser
+      # - org.freedesktop.impl.portal.Inhibit
+      # - org.freedesktop.impl.portal.Notification
+      # - org.freedesktop.impl.portal.Print
+      # and conditionally (i.e. unless buildPortalsInGnome = false) for:
+      # - org.freedesktop.impl.portal.AppChooser (@appchooser_iface@)
+      # - org.freedesktop.impl.portal.Background (@background_iface@)
+      # - org.freedesktop.impl.portal.Lockdown (@lockdown_iface@)
+      # - org.freedesktop.impl.portal.RemoteDesktop (@remotedesktop_iface@)
+      # - org.freedesktop.impl.portal.ScreenCast (@screencast_iface@)
+      # - org.freedesktop.impl.portal.Screenshot (@screenshot_iface@)
+      # - org.freedesktop.impl.portal.Settings (@settings_iface@)
+      # - org.freedesktop.impl.portal.Wallpaper (@wallpaper_iface@)
+      xdg.portal.extraPortals = [
+        (pkgs.xdg-desktop-portal-gtk.override {
+          buildPortalsInGnome = false;
+        })
+      ];
 
-      sane.user.fs.".config/waybar/config".symlink.target =
-        let
-          waybar-config = import ./waybar-config.nix { inherit pkgs; };
-        in
-          (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
+      sane.user.fs = lib.mkIf cfg.installConfigs {
+        ".config/sway/config".symlink.text =
+          import ./sway-config.nix { inherit pkgs; };
 
-      sane.user.fs.".config/waybar/style.css".symlink.text =
-        builtins.readFile ./waybar-style.css;
+        ".config/waybar/config".symlink.target =
+          let
+            waybar-config = import ./waybar-config.nix { inherit pkgs; };
+          in
+            (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
+
+        ".config/waybar/style.css".symlink.text =
+          builtins.readFile ./waybar-style.css;
+      };
     })
   ];
 }

hosts/modules/gui/sway/sway-config.nix

@@ -3,9 +3,8 @@ let
   fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
   sed = "${pkgs.gnused}/bin/sed";
   wtype = "${pkgs.wtype}/bin/wtype";
-  kitty = "${pkgs.kitty}/bin/kitty";
   launcher-cmd = fuzzel;
-  terminal-cmd = kitty;
+  terminal-cmd = "${pkgs.xdg-terminal-exec}/bin/xdg-terminal-exec";
   lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
   vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
   vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
@@ -25,6 +24,8 @@ let
   # mod = "Mod1";  # Alt
   mod = "Mod4";  # Super
 in ''
+  # xwayland disable
+
   ### default font
   font pango:monospace 8
 
@@ -33,13 +34,12 @@ in ''
   default_floating_border pixel 2
   hide_edge_borders smart
 
-  ### defaults
+  #### focus_wrapping: behavior when trying to focus past the edge of a container
+  ####   no  => preserve last focus. helpful mostly when `focus_follows_mouse yes`
   focus_wrapping no
   focus_follows_mouse yes
-  focus_on_window_activation smart
-  mouse_warping output
+  #### workspace_layout default  => workspaces use splits by default (as opposed to e.g. tabbed)
   workspace_layout default
-  workspace_auto_back_and_forth no
 
   ### default colors (#border #background #text #indicator #childBorder)
   client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
@@ -170,4 +170,13 @@ in ''
     pos 1920,0
     res 1920x1080
   }
+
+  # XXX: needed for xdg-desktop-portal-* to work.
+  # this is how we expose these env vars to user dbus services:
+  # - DISPLAY
+  # - WAYLAND_DISPLAY
+  # - SWAYSOCK
+  # - XDG_CURRENT_DESKTOP
+  # for more, see: <repo:nixos/nixpkgs:nixos/modules/programs/wayland/sway.nix>
+  include /etc/sway/config.d/*
 ''

hosts/modules/gui/sxmo/conky-config

@@ -1,5 +1,3 @@
--- configversion: 737cb1de0389cee32a04785691a446a2
-
 -- docs: <https://conky.cc/variables>
 -- color names are X11 colors: <https://en.wikipedia.org/wiki/X11_color_names#Color_name_chart>
 -- - can also use #rrggbb syntax
@@ -13,11 +11,12 @@ conky.config = {
     alignment = 'middle_middle',
     own_window_type = 'desktop',
     -- own_window_argb_value: opacity of the background (0-255)
-    own_window_argb_value = 92,
-    own_window_colour = '#beebe5',  -- beebe5 matches nixos flake bg color
+    own_window_argb_value = 0,
+    -- own_window_argb_value = 92,
+    -- own_window_colour = '#beebe5',  -- beebe5 matches nixos flake bg color
 
     -- "border" pads the entire conky window
-    -- this can be used to control the extend of the own_window background
+    -- this can be used to control the extent of the own_window background
     border_inner_margin = 8,
     -- optionally, actually draw borders
     -- draw_borders = true,
@@ -36,12 +35,14 @@ conky.config = {
     color2 = '404040',
 }
 
+-- texeci <interval_sec> <cmd>: run the command periodically, _in a separate thread_ so as not to block rendering
 conky.text = [[
 ${color1}${shadecolor 707070}${font Sxmo:size=50:style=Bold}${alignc}${exec date +"%H:%M"}${font}
 ${color2}${shadecolor a4d7d0}${font Sxmo:size=20}${alignc}${exec date +"%a %d %b"}${font}
 
 
 ${color1}${shadecolor}${font Sxmo:size=22:style=Bold}${alignc}${exec @bat@ }${font}
+${color1}${shadecolor}${font Sxmo:size=20:style=Bold}${alignc}${texeci 600 @weather@ }${font}
 
 
 ${color2}${shadecolor a4d7d0}${font Sxmo:size=16}${alignc}⇅ ${downspeedf wlan0}K/s${font}

hosts/modules/gui/sxmo/default.nix

@@ -37,7 +37,7 @@
 #   - live in ~/.local/state/sxmo.log
 #   - ~/.local/state/superd.log
 #   - ~/.local/state/superd/logs/<daemon>.log
-#   - `journalctl --user --boot`  (lightm redirects the sxmo session stdout => systemd)
+#   - `journalctl --user --boot`  (lightdm redirects the sxmo session stdout => systemd)
 #
 # - default components:
 #   - DE:                  sway (if wayland), dwm (if X)
@@ -45,6 +45,10 @@
 #   - gestures:            lisgd
 #   - on-screen keyboard:  wvkbd (if wayland), svkbd (if X)
 #
+# TODO:
+# - don't duplicate so much of hosts/modules/gui/sway
+#   - might help if i bring more under my control, and launch sxmo via sway instead of the opposite
+# - theme `mako` notifications
 { config, lib, pkgs, ... }:
 
 let
@@ -57,6 +61,12 @@ let
   knownTerminals = {
     vte = "vte-2.91";
   };
+
+  systemd-cat = "${pkgs.systemd}/bin/systemd-cat";
+  runWithLogger = identifier: cmd: pkgs.writeShellScript identifier ''
+    echo "launching ${identifier}..." | ${systemd-cat} --identifier=${identifier}
+    ${cmd} 2>&1 | ${systemd-cat} --identifier=${identifier}
+  '';
 in
 {
   options = with lib; {
@@ -65,17 +75,29 @@ in
       type = types.bool;
     };
     sane.gui.sxmo.greeter = mkOption {
-      type = types.enum [ "lightdm-mobile" "sway" ];
-      default = "lightdm-mobile";
+      type = types.enum [
+        "greetd-phog"
+        "greetd-sway-gtkgreet"
+        "greetd-sway-phog"
+        "greetd-sxmo"
+        "lightdm-mobile"
+      ];
+      # default = "lightdm-mobile";
+      default = "greetd-sway-phog";
       description = ''
         which greeter to use.
-        "lightdm-mobile" => keypad style greeter. can only enter digits 0-9 as password.
-        "sway" => layered sway greeter. behaves as if you booted to swaylock.
+        "greetd-phog"          => phosh-based greeter. keypad (0-9) with option to open an on-screen keyboard.
+        "greetd-sway-phog"     => phog, but uses sway as the compositor instead of phoc.
+                              requires a patched phog, since sway doesn't provide the Wayland global "zphoc_layer_shell_effects_v1".
+        "greetd-sxmo"          => launch sxmo directly from greetd, no auth.
+                                  this means no keychain unlocked or encrypted home mounted.
+        "lightdm-mobile"       => keypad style greeter. can only enter digits 0-9 as password.
+        "greetd-sway-gtkgreet" => layered sway greeter. keyboard-only user/pass input; impractical on mobile.
       '';
     };
     sane.gui.sxmo.package = mkOption {
       type = types.package;
-      default = pkgs.sxmo-utils;
+      default = pkgs.sxmo-utils-latest;
       description = ''
         sxmo base scripts and hooks collection.
         consider overriding the outputs under /share/sxmo/default_hooks
@@ -116,7 +138,9 @@ in
             };
           in {
             SXMO_BAR_SHOW_BAT_PER = mkSettingsOpt "1" "show battery percentage in statusbar";
+            SXMO_DISABLE_CONFIGVERSION_CHECK = mkSettingsOpt "1" "allow omitting the configversion line from user-provided sxmo dotfiles";
             SXMO_UNLOCK_IDLE_TIME = mkSettingsOpt "300" "how many seconds of inactivity before locking the screen";  # lock -> screenoff happens 8s later, not configurable
+            # SXMO_WM = mkSettingsOpt "sway" "sway or dwm. ordinarily initialized by sxmo_{x,w}init.sh";
           };
       };
       default = {};
@@ -126,6 +150,11 @@ in
       default = false;
       description = "inhibit lock-on-idle and screenoff-on-idle";
     };
+    sane.gui.sxmo.nogesture = mkOption {
+      type = types.bool;
+      default = false;
+      description = "don't start lisgd gesture daemon by default";
+    };
   };
 
   config = lib.mkMerge [
@@ -134,8 +163,11 @@ in
         package = null;
         suggestedPrograms = [
           "guiApps"
-          "sfeed"  # want this here so that the user's ~/.sfeed/sfeedrc gets created
-          "superd"  # make superctl (used by sxmo) be on PATH
+          "mako"       # notification daemon
+          "sfeed"      # want this here so that the user's ~/.sfeed/sfeedrc gets created
+          "superd"     # make superctl (used by sxmo) be on PATH
+          "sway-contrib.grimshot"
+          "wdisplays"  # like xrandr
         ];
 
         persist.cryptClearOnBoot = [
@@ -155,45 +187,32 @@ in
 
     (lib.mkIf cfg.enable (lib.mkMerge [
       {
+        sane.gui.sway = {
+          enable = true;
+          # we manage these ourselves  (TODO: merge these into sway config as well)
+          useGreeter = false;
+          installConfigs = false;
+        };
+
         sane.programs.sxmoApps.enableFor.user.colin = true;
-        sane.gui.gtk.enable = lib.mkDefault true;
 
         # sxmo internally uses doas instead of sudo
         security.doas.enable = true;
         security.doas.wheelNeedsPassword = false;
 
-        # TODO: move this further to the host-specific config?
-        networking.useDHCP = false;
-        networking.networkmanager.enable = true;
-        networking.wireless.enable = lib.mkForce false;
-
-        hardware.bluetooth.enable = true;
-        services.blueman.enable = true;
+        hardware.opengl.enable = true;
 
         # TODO: nerdfonts is 4GB. it accepts an option to ship only some fonts: probably want to use that.
-        fonts.fonts = [ pkgs.nerdfonts ];
-
-        # some programs (e.g. fractal/nheko) **require** a "Secret Service Provider"
-        services.gnome.gnome-keyring.enable = true;
+        fonts.packages = [ pkgs.nerdfonts ];
 
         # lightdm-mobile-greeter: "The name org.a11y.Bus was not provided by any .service files"
         services.gnome.at-spi2-core.enable = true;
 
-        # sxmo has first-class support only for pulseaudio and alsa -- not pipewire.
-        # however, pipewire can emulate pulseaudio support via `services.pipewire.pulse.enable = true`
-        #   after which the stock pulseaudio binaries magically work
-        # administer with pw-cli, pw-mon, pw-top commands
-        services.pipewire = {
-          enable = true;
-          alsa.enable = true;
-          alsa.support32Bit = true;  # ??
-          pulse.enable = true;
-        };
-        systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
 
         # TODO: could use `displayManager.sessionPackages`?
         environment.systemPackages = [
           cfg.package
+          pkgs.bonsai  # sway (not sxmo) needs to exec `bonsaictl` by name (sxmo_swayinitconf.sh)
         ] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
           ++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
 
@@ -202,7 +221,17 @@ in
             # TODO: only need the share/sxmo directly linked
             "${cfg.package}/share"
           ];
-        };
+        } // (lib.filterAttrs  # certain settings are read before the `profile` is sourced
+          (k: v: k == "SXMO_DISABLE_CONFIGVERSION_CHECK")
+          cfg.settings
+        );
+
+        # sxmo puts in /share/sxmo:
+        # - profile.d/sxmo_init.sh
+        # - appcfg/
+        # - default_hooks/
+        # - and more
+        # environment.pathsToLink = [ "/share/sxmo" ];
 
         systemd.services."sxmo-set-permissions" = {
           description = "configure specific /sys and /dev nodes to be writable by sxmo scripts";
@@ -210,26 +239,79 @@ in
             Type = "oneshot";
             ExecStart = "${cfg.package}/bin/sxmo_setpermissions.sh";
           };
-          wantedBy = [ "display-manager.service" ];
+          wantedBy = [ "multi-user.service" ];
+        };
+
+        # if superd fails to start a service within 100ms, it'll try to start again
+        # the fallout of this is that during intense lag (e.g. OOM or swapping) it can
+        # start the service many times.
+        # see <repo:craftyguy/superd:internal/cmd/cmd.go>
+        # TODO: better fix may be to patch `sxmo_hook_lisgdstart.sh` and force it to behave as a singleton
+        systemd.services."dedupe-sxmo-lisgd" = {
+          description = "kill duplicate lisgd processes started by superd";
+          serviceConfig = {
+            Type = "oneshot";
+          };
+          script = ''
+            if [ "$(${pkgs.procps}/bin/pgrep -c lisgd)" -gt 1 ]; then
+              echo 'killing duplicated lisgd daemons'
+              ${pkgs.psmisc}/bin/killall lisgd  # let superd restart it
+            fi
+          '';
+          wantedBy = [ "multi-user.target" ];
+        };
+        systemd.timers."dedupe-sxmo-lisgd" = {
+          wantedBy = [ "dedupe-sxmo-lisgd.service" ];
+          timerConfig = {
+            OnUnitActiveSec = "2min";
+          };
         };
 
         sane.user.fs.".cache/sxmo/sxmo.noidle" = lib.mkIf cfg.noidle {
           symlink.text = "";
         };
+        sane.user.fs.".cache/sxmo/sxmo.nogesture" = lib.mkIf cfg.nogesture {
+          symlink.text = "";
+        };
         sane.user.fs.".config/sxmo/profile".symlink.text = let
           mkKeyValue = key: value: ''export ${key}="${value}"'';
-          userConfig = lib.generators.toKeyValue { inherit mkKeyValue; } cfg.settings;
-        in ''
-          # configversion: 4284f96d91e9550ff8f3b25823e402ad
-          # ^ upstream adds new options every now and then, expects user config file
-          # to include the md5sum of the template it's based on.
-          # see `setup_config_version.sh`
-          ${userConfig}
-        '';
+        in
+          lib.generators.toKeyValue { inherit mkKeyValue; } cfg.settings;
 
-        sane.user.fs.".config/sxmo/sway".symlink.target = pkgs.substituteAll {
+        sane.user.fs.".config/sway/config".symlink.target = pkgs.substituteAll {
           src = ./sway-config;
           waybar = "${pkgs.waybar}/bin/waybar";
+          bemenu_run = "${pkgs.bemenu}/bin/bemenu-run";
+          term = "${pkgs.xdg-terminal-exec}/bin/xdg-terminal-exec";
+          sxmo_init = pkgs.writeShellScript "sxmo_init.sh" ''
+            # perform the same behavior as sxmo_{x,w}init.sh -- but without actually launching wayland/X11
+            # this amounts to:
+            # - setting env vars (e.g. getting the hooks onto PATH)
+            # - placing default configs in ~ for sxmo-launched services (sxmo_migrate.sh)
+            # - launching sxmo_hook_start.sh
+            source ${cfg.package}/etc/profile.d/sxmo_init.sh
+            # XXX: upstream sources `profile` later (after sxmo_migrate)
+            #      but _sxmo_load_environments uses `SXMO_DEVICE_NAME`,
+            #      and i ship that via the profile, so order it such
+            source "$XDG_CONFIG_HOME/sxmo/profile"
+            _sxmo_load_environments
+            _sxmo_prepare_dirs
+            sxmo_migrate.sh sync
+
+            # kill anything leftover from the previous sxmo run. this way we can (try to) be reentrant
+            echo "sxmo_init: killing stale daemons (if active)"
+            sxmo_daemons.sh stop all
+            pkill bemenu
+            pkill wvkbd
+            pkill superd
+
+            # configure vol/power-button input mapping (upstream SXMO has this in sway config)
+            sxmo_swayinitconf.sh
+
+            echo "sxmo_init: invoking sxmo_hook_start.sh with:"
+            echo "PATH: $PATH"
+            sxmo_hook_start.sh
+          '';
         };
 
         sane.user.fs.".config/waybar/config".symlink.target =
@@ -238,8 +320,8 @@ in
           in
             (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
 
-        # sane.user.fs.".config/waybar/style.css".symlink.text =
-        #   builtins.readFile ./waybar-style.css;
+        sane.user.fs.".config/waybar/style.css".symlink.text =
+          builtins.readFile ./waybar-style.css;
 
         sane.user.fs.".config/sxmo/conky.conf".symlink.target = let
           battery_estimate = pkgs.static-nix-shell.mkBash {
@@ -249,6 +331,7 @@ in
         in pkgs.substituteAll {
           src = ./conky-config;
           bat = "${battery_estimate}/bin/battery_estimate";
+          weather = "timeout 20 ${pkgs.sane-weather}/bin/sane-weather";
         };
       }
 
@@ -283,32 +366,44 @@ in
         };
       })
 
-      (lib.mkIf (cfg.greeter == "sway") {
-        services.greetd = {
+      (lib.mkIf (cfg.greeter == "greetd-sway-gtkgreet") {
+        sane.gui.greetd = {
           enable = true;
-          # borrowed from gui/sway
-          settings.default_session.command =
-          let
-            # start sway and have it construct the gtkgreeter
-            sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
-              ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /var/log/sway/sway-as-greeter.log 2>&1
-            '';
-            # (config file for the above)
-            sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
-              exec "${gtkgreet-launcher}"
-            '';
-            # gtkgreet which launches a layered sway instance
-            gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
-              # NB: the "command" field here is run in the user's shell.
-              # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
-              ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sxmo_winit.sh
-            '';
-          in "${sway-as-greeter}/bin/sway-as-greeter";
+          sway.enable = true;
+          sway.gtkgreet.enable = true;
+          sway.gtkgreet.session.name = "sxmo-on-gtkgreet";
+          # sway.gtkgreet.session.command = "${cfg.package}/bin/sxmo_winit.sh";
+          sway.gtkgreet.session.command = "${pkgs.sway}/bin/sway --debug";
         };
+      })
 
-        sane.fs."/var/log/sway" = {
-          dir.acl.mode = "0777";
-          wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
+      (lib.mkIf (cfg.greeter == "greetd-sway-phog") {
+        sane.gui.greetd = {
+          enable = true;
+          sway.enable = true;
+          sway.greeterCmd = "${pkgs.phog}/libexec/phog";
+        };
+        # phog locates sxmo_winit.sh via <env>/share/wayland-sessions
+        environment.pathsToLink = [ "/share/wayland-sessions" ];
+      })
+
+      (lib.mkIf (cfg.greeter == "greetd-phog") {
+        sane.gui.greetd = {
+          enable = true;
+          session.name = "phog";
+          session.command = "${pkgs.phog}/bin/phog";
+        };
+        # phog locates sxmo_winit.sh via <env>/share/wayland-sessions
+        environment.pathsToLink = [ "/share/wayland-sessions" ];
+      })
+
+      (lib.mkIf (cfg.greeter == "greetd-sxmo") {
+        sane.gui.greetd = {
+          enable = true;
+          session.name = "sxmo";
+          # session.command = "${cfg.package}/bin/sxmo_winit.sh";
+          session.command = "${pkgs.sway}/bin/sway --debug";
+          session.user = "colin";
         };
       })
 
@@ -322,16 +417,6 @@ in
       #   '';
       # }];
       # services.xserver.enable = true;
-
-      # services.greetd = {
-      #   enable = true;
-      #   settings = {
-      #     default_session = {
-      #       command = "${cfg.package}/bin/sxmo_winit.sh";
-      #       user = "colin";
-      #     };
-      #   };
-      # };
     ]))
   ];
 }

hosts/modules/gui/sxmo/sway-config

@@ -1,10 +1,8 @@
-# Default config for sway
-# configversion: 5eff902ecca36b4e75567322335cc81c
-#
-# Copy this to ~/.config/sway/config and edit it to your liking.
-#
 # Read `man 5 sway` for a complete reference.
 
+# TODO: use stock sxmo config & override via /etc/sway/config.d/*
+# especially, this will let me avoid issues around `configversion`
+
 ### Variables
 #
 # Mod4 = Logo key
@@ -16,11 +14,13 @@ set $down j
 set $up k
 set $right l
 # Your preferred terminal emulator
-set $term sxmo_terminal.sh
+# set $term sxmo_terminal.sh
+set $term @term@
 # Your preferred application launcher
 # Note: pass the final command to swaymsg so that the resulting window can be opened
 # on the original workspace that the command was run on.
-set $menu bemenu-run
+# N.B. bemenu-run relies on BEMENU_OPTS being set: without this it won't even be visible.
+set $menu @bemenu_run@
 
 # xwayland enable|disable|force
 # - enable: lazily launch xwayland on first client connection
@@ -31,7 +31,9 @@ xwayland disable
 
 font "Sxmo 10"
 
-exec_always sxmo_swayinitconf.sh
+# configure vol/power-button input maps
+# XXX: this references env vars like SXMO_VOLUME_BUTTON => needs to happen after sourcing profile
+# exec_always sxmo_swayinitconf.sh
 
 exec_always dbus-update-activation-environment WAYLAND_DISPLAY XDG_CURRENT_DESKTOP
 
@@ -39,18 +41,41 @@ mode "menu" {
     bindsym --input-device=1:1:1c21800.lradc XF86AudioMute exec nothing # just a placeholder for "menu" mode
 }
 
+hide_edge_borders smart
+default_border pixel 1
+titlebar_border_thickness 1
+# XX YY distance from edge of window title to edge of text
+# the YY distance here determines the heigh of the overall title
+titlebar_padding 12 1
+title_align center
+
+# tabbed windows by default
+workspace_layout tabbed
+
+### tab colors (#border #background #text [#indicator #childBorder])
+# focused & unfocused are the main interest
+# urgent is used when an inactive window wants attention (e.g. terminal rings a bell)
+# colors are synchronized with waybar and mpv
+client.focused          #1f5e54 #418379 #ffffff
+client.focused_inactive #1f5e54 #5f676a #ffffff
+client.unfocused        #1f5e54 #1f554c #b4b4b4
+client.urgent           #ff8080 #ff8080 #ffffff
+
 ### Key bindings
 #
 # Basics:
 #
+    input * xkb_options compose:ralt
+
     # Start a terminal
     bindsym $mod+Return exec $term
 
     # Launch appmenu
     bindsym $mod+p exec sxmo_appmenu.sh
+    bindsym $mod+Shift+p exec sxmo_appmenu.sh sys
 
-    # Launch scripts menu
-    bindsym $mod+i exec sxmo_appmenu.sh scripts
+    # Wm menu switcher
+    bindsym $mod+i exec sxmo_wmmenu.sh windowswitcher
 
     # Kill focused window
     bindsym $mod+Shift+q kill
@@ -142,7 +167,7 @@ mode "menu" {
     bindsym $mod+e layout toggle split
 
     # Make the current focus fullscreen
-    # bindsym $mod+f fullscreen
+    bindsym $mod+f fullscreen
 
     # Toggle the current focus between tiling and floating mode
     bindsym $mod+Shift+space floating toggle
@@ -152,6 +177,12 @@ mode "menu" {
 
     # Move focus to the parent container
     bindsym $mod+a focus parent
+
+    # Manual locker
+    bindsym $mod+g exec sxmo_hook_locker.sh
+
+    # Shutdown
+    bindsym $mod+t exec sxmo_appmenu.sh power
 #
 # Scratchpad:
 #
@@ -172,16 +203,16 @@ mode "resize" {
     # right will grow the containers width
     # up will shrink the containers height
     # down will grow the containers height
-    bindsym $left resize shrink width 10px
-    bindsym $down resize grow height 10px
-    bindsym $up resize shrink height 10px
-    bindsym $right resize grow width 10px
+    bindsym $left resize shrink width 30px
+    bindsym $down resize grow height 30px
+    bindsym $up resize shrink height 30px
+    bindsym $right resize grow width 30px
 
     # Ditto, with arrow keys
-    bindsym Left resize shrink width 10px
-    bindsym Down resize grow height 10px
-    bindsym Up resize shrink height 10px
-    bindsym Right resize grow width 10px
+    bindsym Left resize shrink width 30px
+    bindsym Down resize grow height 30px
+    bindsym Up resize shrink height 30px
+    bindsym Right resize grow width 30px
 
     # Return to default mode
     bindsym Return mode "default"
@@ -207,19 +238,33 @@ bar {
         statusline #ffffff
         background #323232
         inactive_workspace #32323200 #32323200 #5c5c5c
-        font "Sxmo"
+        font "Sxmo 10"
     }
 }
 
+for_window [app_id="pinentry-.*"] floating true
 for_window [app_id="foot" title=".*sxmo/modem/.*/draft.txt.*"] resize set height 25
 for_window [title="megapixels"] inhibit_idle open
 
-default_border pixel 3
-titlebar_border_thickness 3
-hide_edge_borders smart
+# Need playerctl installed and running
+bindsym XF86AudioPlay exec playerctl play-pause
+bindsym XF86AudioStop exec playerctl stop
+bindsym XF86AudioNext exec playerctl next
+bindsym XF86AudioPrev exec playerctl previous
+
+bindsym XF86MonBrightnessUp exec sxmo_brightness.sh up
+bindsym XF86MonBrightnessDown exec sxmo_brightness.sh down
+
+bindsym Print exec sxmo_screenshot.sh
+
+bindsym button2 kill
+
+bindswitch lid:on exec sxmo_wm.sh dpms on
+bindswitch lid:off exec sxmo_wm.sh dpms off
+
 
 include /etc/sway/config.d/*
 
 exec 'printf %s "$SWAYSOCK" > "$XDG_RUNTIME_DIR"/sxmo.swaysock'
 
-exec sxmo_hook_start.sh
+exec_always @sxmo_init@

hosts/modules/gui/sxmo/waybar-config.nix

@@ -4,7 +4,7 @@
 [
   { # TOP BAR
     layer = "top";
-    height = 32;
+    height = 26;
 
     modules-left = [ "sway/workspaces" ];
     modules-center = [ ];

hosts/modules/gui/sxmo/waybar-style.css

@@ -0,0 +1,64 @@
+/* style docs: https://github.com/Alexays/Waybar/wiki/Styling */
+/* defaults: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
+
+window#waybar {
+  background-color: #418379;
+  border-bottom: 0px solid #1f5e54;
+  color: #ffffff;
+  transition-property: background-color;
+  transition-duration: .2s;
+}
+
+.modules-right {
+  /* workspace buttons (LHS) get padding between it and the screen edge */
+  /* replicate that same padding for whatever's on the RHS (i.e. the clock) */
+  margin-right: 5px;
+}
+
+#workspaces button {
+  padding: 0 5px;
+  background-color: #418379;
+  color: #ffffff;
+  /* Use box-shadow instead of border so the text isn't offset */
+  box-shadow: inset 0 0px #1f5e54;
+  /* Avoid rounded borders under each workspace name */
+  border: none;
+  border-radius: 0;
+}
+
+#workspaces button:hover {
+  /* i don't want hover effects, so reset this styling to be the same as default button */
+  /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
+  background: inherit;
+  box-shadow: inherit;
+  text-shadow: inherit;
+}
+
+#workspaces button.focused {
+  background-color: #63a89c;
+  box-shadow: inset 0 0px #2c8274;
+}
+
+#workspaces button.urgent {
+  background-color: #e64291;
+}
+
+@keyframes blink {
+  to {
+    background-color: #ffffff;
+    color: #000000;
+  }
+}
+
+#tray {
+  background-color: #418379;
+}
+
+#tray > .passive {
+  -gtk-icon-effect: dim;
+}
+ 
+#tray > .needs-attention {
+  -gtk-icon-effect: highlight;
+  background-color: #e64291;
+}

hosts/modules/roles/dev-machine.nix

@@ -24,8 +24,7 @@ in
     (mkIf cfg {
       sane.programs.docsets.enableFor.system = true;
       sane.programs.ldd-aarch64.enableFor.user.colin = true;
-      # TODO: migrate this to `sane.user.programs.zeal.enable = true`
-      sane.programs.zeal.enableFor.user.colin = true;
+      # sane.programs.zeal.enableFor.user.colin = true;
     })
   ];
 }

modules/data/feeds/sources/feeds.megaphone.fm/behindthebastards/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 3520653,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "There\u2019s a reason the History Channel has produced hundreds of documentaries about Hitler but only a few about Dwight D. Eisenhower. Bad guys (and gals) are eternally fascinating. Behind the Bastards dives in past the Cliffs Notes of the worst humans in history and exposes the bizarre realities of their lives. Listeners will learn about the young adult novels that helped Hitler form his monstrous ideology, the founder of Blackwater\u2019s insane quest to build his own Air Force, the bizarre lives of the sons and daughters of dictators and Saddam Hussein\u2019s side career as a trashy romance novelist.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 689,
+  "last_updated": "2023-08-15T04:00:00+00:00",
+  "score": 8,
+  "self_url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/e5f91208-cc7e-4726-a312-ae280140ad11/d64f756d-6d5e-4fae-b24f-ae280140ad36/podcast.rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "Behind the Bastards",
+  "url": "https://omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/E5F91208-CC7E-4726-A312-AE280140AD11/D64F756D-6D5E-4FAE-B24F-AE280140AD36/podcast.rss",
+  "velocity": 0.35,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.simplecast.com/82FI35Px/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 3673943,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "*** Named a best podcast of 2021 by Time, Vulture, Esquire and The Atlantic. ***\nEach Tuesday and Friday, Ezra Klein invites you into a conversation on something that matters. How do we address climate change if the political system fails to act? Has the logic of markets infiltrated too many aspects of our lives? What is the future of the Republican Party? What do psychedelics teach us about consciousness? What does sci-fi understand about our present that we miss? Can our food system be just to humans and animals alike?\n\nListen to this podcast in New York Times Audio, our new iOS app for news subscribers. Download now at nytimes.com/audioapp",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [
+    "https://simplecast.superfeedr.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 255,
+  "last_updated": "2023-07-25T09:00:00+00:00",
+  "score": 24,
+  "self_url": "https://feeds.simplecast.com/82FI35Px",
+  "site_name": "",
+  "site_url": "",
+  "title": "The Ezra Klein Show",
+  "url": "https://feeds.simplecast.com/82FI35Px",
+  "velocity": 0.275,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.simplecast.com/xKJ93w_w/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 1410917,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "An audio guide to the world\u2019s strange, incredible, and wondrous places. Co-founder Dylan Thuras and a neighborhood of Atlas Obscura reporters explore a new wonder every day, Monday through Thursday. In under 15 minutes, they\u2019ll take you to an incredible place, and along the way, you\u2019ll meet some fascinating people and hear their stories. Our theme and end credit music is composed by Sam Tyndall.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [
+    "https://simplecast.superfeedr.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 571,
+  "last_updated": "2023-07-27T04:05:00+00:00",
+  "score": 24,
+  "self_url": "https://feeds.simplecast.com/xKJ93w_w",
+  "site_name": "",
+  "site_url": "",
+  "title": "The Atlas Obscura Podcast",
+  "url": "https://feeds.simplecast.com/xKJ93w_w",
+  "velocity": 0.647,
+  "version": "rss20"
+}

modules/data/feeds/sources/mindingourway.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 133561,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "to the heavens",
+  "favicon": "https://mindingourway.com/favicon.png",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAYAAADDPmHLAAAACXBIWXMAAAAnAAAAJwEqCZFPAAAE2klEQVR42u2dSasUVxxHW4zGiFmbrxHliU8NKMaF+AWcn34IcQIFA4pK4rAJZKcrNyKIOOCnUBwS5wnUlaIicbaXVYfC/7td1dXV3nPh7N6rvsNp+NH3f2/1et95m5iYmAJfAjYW6dkUwKYANgWwjcuCzwS3QCTAv6D0PGdYAWwKYFMAW2cF2AS4wDfBf4B/v6GIM6wANgWwKYCtMwv+A2CI++YPPdMQxlCoAAqgAAqgAArQTQE2Ay4gQ97MAEOhAiiAAiiAAijAeIS+aLMnqcDDUKgACqAACqAACtBZAaIiz9ugJMw0nm8oVAAFUAAFUAAF6MaCpxZ5lkJcA5+fWmBiKFQABVAABVAABWhGABZwtLoAAwhoKFQABVAABVCAsRCg38lFRTrQn1kgqcizhf5FBSidDoX9PkwWUQAFUAAFUICsBfgADoGfirTQwS2AE8wQ1uoEdz0Ucr36HAYfiyiAAiiAAihA1gJ8BFGBxW9FhjChUQFGo5s9DfR/pEWk/WcsBgyh7E/pC68ACqAACqAAWQvAdgXwAZ/AUTC3SAObPd883NkBAVIFTj2oMgcwpEdf4Gug1BRAARRAARQgXwEqPpCHL7eD/wE/8AH4HfD5dwCft65Ir+ON/a0YD8fL+VgB7gE+7x3geiUdjFEABVAABVCAfAWYxgB/Bamh8TIYq9A3hFB4AUSh7jpot6BHARRAARRAAbIVoGLAs8E+8B5EL23aW6Q35q0/hl0gGj8FOAhKPwx1YYAKoAAKoAAKkKcAQ5gAhsYjIGmzqYXx/QgOABbdRuPfXaSX4TdAARRAARRAAcZTgIofQqLNnnMgCo08iLGsSAvjY2PBRRTqLoLv6zJqBVAABVAABchZgFpFnn0WgNTNplqhsSLU7QdRqOPBDB7cGGoRqQIogAIogAIoQIsLnlrkubbIAM9vukh1ObgLUoswS5dcTWN8tYpIFUABFEABFEABRihAdEHCE9DoACpC41UQhcYo1PGHmfJFi/X7z4sxn4Juh0IFUAAFUAAFyEaAAX7IIPfBHjC/yAD9mwRvQdQ/bkatKjJAf34BewFDatS/0W4WKYACKIACKEDOAkQvTHgEUgVhKDsLVoM/QBTq2J/U0PgXWAPY39SiUC7wYzDaUKgACqAACqAA2QhQsRkTvSBhPZgBVoIzIHXCIk4BvlCBh1v/AXU/n+PheDkfnK+RXkatAAqgAAqgAFkLMAXYgc+AFxqwAGMe4AL8DeouAEPceUBBUi+0iDgJKODPgPPFy6E538MNhQqgAAqgAAqQjQAVoY8vjWo6FD0D0f+fACyqfAXq9vc1WAtShX0BKGjd/tYLhQqgAAqgAAqQswDRy5tvAG7OHAPR5cepMASlhjZurjwEqQUjUSirG1qPA853s4dLFUABFEABFCAbAeoe7qwowoxeXhwN+EvLNL2AqZdBR3/PBV4K6m0WKYACKIACKEDOAmwFfAB/CPoTNB3yJO0LwyLV6KBJORQqgAIogAIoQM4CRJcijTqkRbwBl8BOsAQsArz0iS925ObQuAlUCoUKoAAKoAAKkLUAo+7QS8AXSOwAXMCkixmHcFCGP4SxvxwPxzvS+VcABVAABVAABajBc3AabAO82HG8XorU/CVbCwHni/PJ+VYABVAABVAABRiEr4mwVmPpPyoAAAAAAElFTkSuQmCC",
+  "hubs": [],
+  "is_podcast": false,
+  "is_push": false,
+  "item_count": 15,
+  "last_updated": "2019-12-21T19:28:00+00:00",
+  "score": 16,
+  "self_url": "https://mindingourway.com/rss/",
+  "site_name": "Minding our way",
+  "site_url": "https://mindingourway.com",
+  "title": "Minding our way",
+  "url": "https://mindingourway.com/rss/",
+  "velocity": 0.01,
+  "version": "rss20"
+}

modules/data/feeds/sources/omegataupodcast.net/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 805006,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Wissenschaft und Technik im Kopfhoerer / Science and Engineering in your Headphones",
+  "favicon": "http://omegataupodcast.net/omegatau_fav.png",
+  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAAsTAAALEwEAmpwYAAACC2lUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyI+CiAgICAgICAgIDx0aWZmOlJlc29sdXRpb25Vbml0PjI8L3RpZmY6UmVzb2x1dGlvblVuaXQ+CiAgICAgICAgIDx0aWZmOkNvbXByZXNzaW9uPjE8L3RpZmY6Q29tcHJlc3Npb24+CiAgICAgICAgIDx0aWZmOk9yaWVudGF0aW9uPjE8L3RpZmY6T3JpZW50YXRpb24+CiAgICAgICAgIDx0aWZmOlBob3RvbWV0cmljSW50ZXJwcmV0YXRpb24+MjwvdGlmZjpQaG90b21ldHJpY0ludGVycHJldGF0aW9uPgogICAgICA8L3JkZjpEZXNjcmlwdGlvbj4KICAgPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4KD0UqkwAAB2BJREFUWAmdV1tvVFUU/ubMmQud0k6vUzrTUsq1twSMmKI+idBIJJFECPAACS9NTLzwYkzwof/BoC8QE30xITHSSIgQVEyEUsDUVkRgqC200HtnmPvd9e1hD6cNmOpuTvc+a6+9Lt9ea501tmPHjhXwH4dpmpiamsKePXvQ29urThcKBdhsNqRSKfT19WF8fBzl5eXIZrOKblVBXj6GYcCMRqPWvZIwLihQP1Ymp9OJJ0+eKOFWul7TiFgsBrvdrnieKbQhny/A6XDA5XYrGeKMqayhIu0FaXzP5/PI5XKKroVog2gEPXjeoGLK4JwXT52yRiaFnKBBmeUuD1ZXVWFmdhYGBXNwQx8KhUJ4/PgxpqenEQ6HkUgkkE6nlTfJZFLRL1y4gOehR1lzc3O4desWJh89wq3hYeSEFqnyYcTmxl1HOUYNF/I0LpeH7dChQ2JDAQ6BhbBR6IYNG9Dc3Iza2lp1j/RWI0WvGhsbkclkUFFRgS1btlBnCT0iNjIyogxWCBFZ4U390o9CLAyBDXaHC8OOOlz+MwiTyik8Eomgrq4OBw4cQCAQQFlZmaITcj2IksvlwubNmzWpNGs+Grh169YSXS0EfvxwAkj8KIFVB5S14nb4FXzz+z2YPECIGxoacPDgQdTU1Kh7pzLCrq+IgkjjO73XiDwvDsjHUZDZEOfSiSRs6RQcCaEZcu/2ekQliDEVgknL4/E4enp6FOQ0hkN7pGetiDNpmq6Yl/3TvMKkdvhuFMQICTdFKcRRyGaAcBomoec9NjU1qRzWwukpD2pP6RX3iBhpKxmS7aJQYkDOpau3wXRWSww4YXdXoMzux47dEvj0eP369WCgEXIqoXIq4vudO3cwMTGhgpMBxthgkdm+fbtCjLxWNHjm9OnTWFhYUPGSkfcKrxfhRBOiERamnFxxAe4KJ1o8Lpj0sr6+XjlEYRwUSGXnz5/HuXPnlCLSNP3UqVPo7OzEyZMnVcASHQ07ZQwNDWFwcFBly/z8PDo6OpCX85NT07gZnESDtxId6/w4c+ZnmPSI6aSV0wCm5NjYGC5fvqwOc08HFo1obW3FwMAALl26hKNHj5ZQ00YykDdu3IjKykr1VFdXIytIzEjet3jc8NdXoVz0dnYGiga4pSxSCQXoMStViilHxSyt1j2WYaasLkTcszrALOHVrlq1Ss38HsSkgN2fmGHaIZnJKoQTKQlCMtFjqwCuqcTqtdUAwr3cKG04Z/JqfvJyHQpFpfJJbDnkvcgEQ+gGvWTAWQcNYGqSbjXMykOhL9pbzheNxZFKZ+AwjSVnGHGSUaYKIKswrgmjDiyrwJWuKYMOhMIROJxSVe2G+jAtcVUsEB1FiLRg7RmzQK/13kpnrTyZTCH49xRsRhEt0vnHoaNNVcKVCl4pH51KC+ShyDyyTFFbsaCtckveC+LsB5RzYkzpc7xcOBk49Lx8/9/eGbx/BSeQSWfhcrAnyKsClErJV1HSMSNZQTSowSTUfNGDa3pAS3UW6L2VzDw/vxDG9GIMgUafKJdT8kzNzOL2H9eViGTbS6ivqynqYbBRkdVTrlma/48BPMOo95a7lRNj98bx7jtv4dMTn5TaM5dcRX//9/j6qy9hMp9ZKJiOetAAVsjlhul9PVuN1jQioM4JwS6RD4SkqfGgvb1Ns6j515orajZYsZanHAWvXr16ydUsOS0vvKYXIcQ+oKi8eEo7x+vmx4gjK9WQw2AbxqJDpdZYYD2nAtKYz1TIh3x8Zxn2eDxKiPUcy7rf34gH92eV52RobgoovuLZYiNL1DkMNpksu9bBzTVr1qC7uxtj8lGiMvYN+mGz6vP5sGnTptIxCqfBNHL3rp1Cn8J3315U+907upfw8SX+tPFRPSEFtre3K++0IGbB3r171VdtcnJSNaxUQDj5IWJf6JXvPK9Pf0t4lqOnZzfOnu3H3XtB7HpzJ1rXrVNI6n3KmZ6eEc5y2Pbt21fw+/04cuSIgpZwkpEzvWE2EBHeHwdpOkWJXltbWyle9DmtSB2Qf1omf5QYUhUXFxfxxq63izr48ykYDKouh/dH6/hQCGcGKQ3gu6ZRsb7DmRl6UmxY9Tkq5FrP+lwuV7z3gYFrGLp5RRCsgL2rq6uPHrHtamlpQVVVtSh6JpDCtSAtVNOIBtOYGUPjqUgXNrFBzhW7Y/KTl8E7OjqK3vc+gm9Nk/BKtki71Mc7ZCASCfYHjG4K5H1zjw+N1Gtei14TiRs3bmJOWq/GRr/iozLrQ8PYK167NogPj3+MB5OzqK/1Ii3xYzt8+DCbVnUwGo1JMxlCTW2dtF3r0BTww1vlRZkYZYoR/KgQBQpjZkwL/MHgKC7+dAXjwWG8/8FxvP7aq/AHGuVMsZBFohE8fDiBq1ev4YvPP0NTaxfWBnyIxhOwi6G2/fv3F5LSGsXjKdU0RGIJzMzJb8OHIbmHuIDnRlmtBxVl8vNMIMxIIVmIJJGRDgfyq89d48XmtT4F72/Xh4W2NKWF8HRUY9vLbYKqU1IwqbohbvwDi4As2ZCohrEAAAAASUVORK5CYII=",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 100,
+  "last_updated": "2023-06-16T09:08:08+00:00",
+  "score": 10,
+  "self_url": "https://omegataupodcast.net/feed/mp3/",
+  "site_name": "omega tau science & engineering podcast",
+  "site_url": "https://omegataupodcast.net",
+  "title": "omega tau science & engineering podcast",
+  "url": "https://omegataupodcast.net/feed/mp3/",
+  "velocity": 0.062,
+  "version": "rss20"
+}

modules/data/feeds/sources/sharkbytes.transistor.fm/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 26554,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Welcome to the SharkBytes Podcast. We will discuss all things Wireshark, as well as topics from the world of Packet Analysis and SharkFest, our packet analysis and developer conference. We'll be hanging out with interesting people from diverse backgrounds in the industry and we'll also learn why the truth is always in the packets. Support this podcast: <a href=\"https://podcasters.spotify.com/pod/show/sharkbytes/support\" rel=\"payment\">https://podcasters.spotify.com/pod/show/sharkbytes/support</a>",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [
+    "https://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 8,
+  "last_updated": "2023-06-29T15:00:00+00:00",
+  "score": 2,
+  "self_url": "https://anchor.fm/s/d4b7d750/podcast/rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "SharkBytes Podcast",
+  "url": "https://anchor.fm/s/d4b7d750/podcast/rss",
+  "velocity": 0.025,
+  "version": "rss20"
+}

modules/data/feeds/sources/usefulidiots.substack.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 87719,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Useful Idiots is an informative and irreverent politics podcast.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 20,
+  "last_updated": "2023-08-15T14:54:32+00:00",
+  "score": 14,
+  "self_url": "https://usefulidiots.substack.com/feed",
+  "site_name": "Useful Idiots  | Substack",
+  "site_url": "https://usefulidiots.substack.com",
+  "title": "Useful Idiots",
+  "url": "https://usefulidiots.substack.com/feed",
+  "velocity": 0.655,
+  "version": "rss20"
+}

modules/data/feeds/sources/werenotwrong.fireside.fm/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 232527,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Not wrong political opinions.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 67,
+  "last_updated": "2023-08-09T21:26:55+00:00",
+  "score": -10,
+  "self_url": "https://feeds.acast.com/public/shows/6490a2ce7ded6b001126fa5b",
+  "site_name": "",
+  "site_url": "",
+  "title": "We're Not Wrong",
+  "url": "https://feeds.acast.com/public/shows/6490a2ce7ded6b001126fa5b",
+  "velocity": 0.145,
+  "version": "rss20"
+}

modules/fs/default.nix

@@ -9,6 +9,10 @@ let
     pname = "ensure-dir";
     src = ./.;
   };
+  ensure-file = pkgs.static-nix-shell.mkBash {
+    pname = "ensure-file";
+    src = ./.;
+  };
   ensure-symlink = pkgs.static-nix-shell.mkBash {
     pname = "ensure-symlink";
     src = ./.;
@@ -33,6 +37,10 @@ let
         type = types.nullOr dirEntry;
         default = null;
       };
+      file = mkOption {
+        type = types.nullOr (fileEntryFor name);
+        default = null;
+      };
       symlink = mkOption {
         type = types.nullOr (symlinkEntryFor name);
         default = null;
@@ -81,6 +89,8 @@ let
         default-acl
         (lib.mkIf (config.dir != null)
           (sane-lib.filterNonNull config.dir.acl))
+        (lib.mkIf (config.file != null)
+          (sane-lib.filterNonNull config.file.acl))
         (lib.mkIf (config.symlink != null)
           (sane-lib.filterNonNull config.symlink.acl))
       ];
@@ -88,6 +98,7 @@ let
       # actually generate the item
       generated.command = lib.mkMerge [
         (lib.mkIf (config.dir != null) [ "${ensure-dir}/bin/ensure-dir" name ])
+        (lib.mkIf (config.file != null) [ "${ensure-file}/bin/ensure-file" name config.file.copyFrom ])
         (lib.mkIf (config.symlink != null) [ "${ensure-symlink}/bin/ensure-symlink" name config.symlink.target ])
       ];
 
@@ -124,7 +135,27 @@ let
   # takes no special options
   dirEntry = types.submodule propagatedGenerateMod;
 
-  symlinkEntryFor = path: types.submodule ({ config, ...}: {
+  fileEntryFor = path: types.submodule ({ config, ... }: {
+    options = {
+      inherit (propagatedGenerateMod.options) acl;
+      text = mkOption {
+        type = types.nullOr types.lines;
+        default = null;
+        description = "create a file with this text, overwriting anything that was there before.";
+      };
+      copyFrom = mkOption {
+        type = types.coercedTo types.package toString types.str;
+        description = "populate the file based on the content at this provided path";
+      };
+    };
+    config = {
+      copyFrom = lib.mkIf (config.text != null) (
+        pkgs.writeText (path-lib.leaf path) config.text
+      );
+    };
+  });
+
+  symlinkEntryFor = path: types.submodule ({ config, ... }: {
     options = {
       inherit (propagatedGenerateMod.options) acl;
       target = mkOption {

modules/fs/ensure-file

@@ -0,0 +1,16 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
+
+set -e
+
+cpto="$1"
+cpfrom="$2"
+
+# -f flag in case the destination perms were set to 000
+# --no-dereference in case the destination already exists as a symlink
+# however, "no-dereference" has the edge case of copying `cpfrom` to `cpto`
+#   when `cpto` already exists as a symlink to `cpfom`:
+#   "cp: <cpto> and <cpfrom> are the same file"
+# use `--remove-destination` for that
+cp --no-dereference -f "$cpfrom" "$cpto" \
+  || cp --no-dereference --remove-destination "$cpfrom" "$cpto"

modules/ports.nix

@@ -46,13 +46,15 @@ let
   upnpServiceForPort = port: portCfg:
     lib.mkIf portCfg.visibleTo.wan {
       "upnp-forward-${port}" = {
-        description = "forward port ${port} from upstream gateway to this host";
-        serviceConfig.Type = "oneshot";
+        description = "forward port ${port} (${portCfg.description}) from upstream gateway to this host";
         restartTriggers = [(builtins.toJSON portCfg)];
 
-        after = [ "network.target" ];
-        wantedBy = [ "upnp-forwards.target" ];
-        script =
+        serviceConfig = {
+          Type = "oneshot";
+          TimeoutSec = "6min";
+          Restart = "on-failure";
+          RestartSec = "3min";
+          ExecStart =
           let
             portFwd = "${pkgs.sane-scripts.ip-port-forward}/bin/sane-ip-port-forward";
             forwards = lib.flatten [
@@ -63,6 +65,10 @@ let
             ${portFwd} -v -d ${builtins.toString cfg.upnpLeaseDuration} \
               ${lib.escapeShellArgs forwards}
           '';
+        };
+
+        after = [ "network.target" ];
+        wantedBy = [ "upnp-forwards.target" ];
       };
     };
 in
@@ -120,9 +126,9 @@ in
       systemd.timers.upnp-forwards = {
         wantedBy = [ "network.target" ];
         timerConfig = {
-          OnStartupSec = "1min";
+          OnStartupSec = "75s";
           OnCalendar = cfg.upnpRenewInterval;
-          RandomizeDelaySec = "2min";
+          RandomizeDelaySec = "30s";
           Unit = "upnp-forwards.target";
         };
       };

modules/programs.nix

@@ -231,8 +231,10 @@ in
           (lib.mapAttrs' (pkgName: _pkg: { name = "cacert.${pkgName}"; value = {}; }) pkgs.cacert)
           (lib.mapAttrs' (pkgName: _pkg: { name = "gnome.${pkgName}"; value = {}; }) pkgs.gnome)
           (lib.mapAttrs' (pkgName: _pkg: { name = "libsForQt5.${pkgName}"; value = {}; }) pkgs.libsForQt5)
+          (lib.mapAttrs' (pkgName: _pkg: { name = "mate.${pkgName}"; value = {}; }) pkgs.mate)
           (lib.mapAttrs' (pkgName: _pkg: { name = "plasma5Packages.${pkgName}"; value = {}; }) pkgs.plasma5Packages)
           (lib.mapAttrs' (pkgName: _pkg: { name = "python3Packages.${pkgName}"; value = {}; }) pkgs.python3Packages)
+          (lib.mapAttrs' (pkgName: _pkg: { name = "sane-scripts.${pkgName}"; value = {}; }) pkgs.sane-scripts)
           (lib.mapAttrs' (pkgName: _pkg: { name = "sway-contrib.${pkgName}"; value = {}; }) pkgs.sway-contrib)
         ];
       }

modules/services/default.nix

@@ -2,6 +2,8 @@
 {
   imports = [
     ./dyn-dns.nix
+    ./eg25-control.nix
+    ./eg25-manager.nix
     ./kiwix-serve.nix
     ./mautrix-signal.nix
     ./nixserve.nix

modules/services/eg25-control.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.services.eg25-control;
+in
+{
+  options.sane.services.eg25-control = with lib; {
+    enable = mkEnableOption "Quectel EG25 modem configuration scripts. alternative to eg25-manager";
+    package = mkOption {
+      type = types.package;
+      default = pkgs.eg25-control;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.eg25-control = {
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${cfg.package}/bin/eg25-control --power-on --enable-gps --dump-debug-info --verbose";
+        Restart = "on-failure";
+        RestartSec = "60s";
+      };
+      after = [ "ModemManager.service" ];
+      wants = [ "ModemManager.service" ];
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+}

modules/services/eg25-manager.nix

@@ -0,0 +1,69 @@
+# eg25-manager: <https://gitlab.com/mobian1/eg25-manager>
+# - used by sxmo, in <configs/default_hooks/sxmo_hook_restart_modem_daemons.sh>
+# - requires modemmanager (ModemManager.service)
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.services.eg25-manager;
+  eg25-config-toml = pkgs.writeText "eg25-manager-config.toml" ''
+    # config here is applied *on top of* the per-device configs shipped by eg25-manager.
+    # these values take precedence, but there's no need to redefine things if we don't want them changed
+    [at]
+    uart = "/dev/ttyUSB2"
+  '';
+in
+{
+  options.sane.services.eg25-manager = with lib; {
+    enable = mkEnableOption "Quectel EG25 modem manager service";
+    package = mkOption {
+      type = types.package;
+      default = pkgs.eg25-manager;
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    # eg25-manager package ships udev rules *and* a systemd service.
+    # for that reason, i think it needs to be on the system path for the systemd service to be enabled.
+    services.udev.packages = [ cfg.package ];
+
+    # but actually, let's define our own systemd service so that we can control config
+    systemd.services.eg25-manager = {
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${cfg.package}/bin/eg25-manager --config ${eg25-config-toml}";
+        ExecStartPre = pkgs.writeShellScript "unload-modem-power" ''
+          # see issue: <https://gitlab.com/mobian1/eg25-manager/-/issues/38>
+          ${pkgs.kmod}/bin/modprobe -r modem_power && echo "WARNING: kernel configured with CONFIG_MODEM_POWER=y, may be incompatible with eg25-manager" || true
+        '';
+
+        Restart = "on-failure";
+        RestartSec = "60s";  # can make this more frequent once stable?
+
+        # sandboxing (taken from the service file shipped by eg25-manager):
+        # TODO: this is too strict and breaks access to e.g. /dev/ttyUSB2!
+        # ProtectControlGroups = true;
+        # ProtectHome = true;
+        # ProtectSystem = "strict";
+        # RestrictSUIDSGID = true;
+        # PrivateTmp = true;
+        # MemoryDenyWriteExecute = true;
+        # PrivateMounts = true;
+        # NoNewPrivileges = true;
+        # CapabilityBoundingSet = [ "" ];
+        # LockPersonality = true;
+      };
+      before = [ "ModemManager.service" ];
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    # systemd.packages = [ pkgs.eg25-manager ];
+    # systemd.services.eg25-manager.wantedBy = [ "multi-user.target" ];
+    # systemd.services.prepare-eg25-manager = {
+    #   description = "unload megi's modem_power module to provide gpio access to eg25-manager";
+    #   serviceConfig.Type = "oneshot";
+    #   wantedBy = [ "eg25-manager.service" ];
+    #   before = [ "eg25-manager.service" ];
+    #   script = ''
+    #     ${pkgs.kmod}/bin/modprobe -r modem_power && echo "WARNING: kernel configured with CONFIG_MODEM_POWER=y, may be incompatible with eg25-manager" || true
+    #   '';
+    # };
+  };
+}

nixpatches/2023-05-31-toplevel-alsa.patch

@@ -1,14 +0,0 @@
-diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
-index d188ecdda55..69174ba7dc7 100644
---- a/pkgs/top-level/all-packages.nix
-+++ b/pkgs/top-level/all-packages.nix
-@@ -26607,7 +26607,8 @@ with pkgs;
- 
-   tinyalsa = callPackage ../os-specific/linux/tinyalsa { };
- 
--  inherit (callPackage ../os-specific/linux/alsa-project { })
-+  alsa-project = callPackage ../os-specific/linux/alsa-project { };
-+  inherit (alsa-project)
-     alsa-firmware
-     alsa-lib
-     alsa-oss

nixpatches/flake.nix

@@ -15,9 +15,15 @@
       patchedFlakeFor = system: import "${patchedPkgsFor system}/flake.nix";
       patchedFlakeOutputsFor = system:
         (patchedFlakeFor system).outputs { inherit self; };
+
+      extractBuildPlatform = nixosSystemArgs:
+        let
+          firstMod = builtins.head nixosSystemArgs.modules;
+        in
+          firstMod.nixpkgs.buildPlatform or nixosSystemArgs.system;
     in
     {
-      lib.nixosSystem = args: (patchedFlakeOutputsFor args.system).lib.nixosSystem args;
+      lib.nixosSystem = args: (patchedFlakeOutputsFor (extractBuildPlatform args)).lib.nixosSystem args;
 
       legacyPackages = builtins.mapAttrs
         (system: _:

nixpatches/list.nix

@@ -19,6 +19,26 @@ let
       // (if title != null then { name = title; } else {})
     );
 in [
+  # (fetchpatch' {
+  #   # disabled, at least until the PR is updated to use `pkg-config` instead of `pkgconfig`.
+  #   # the latter is an alias, which breaks nix-index
+  #   title = "phog: init at 0.1.3";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/251249";
+  #   hash = "sha256-e38Z7sO7xDQHzE9UOfbptc6vJuONE5eP9JFp2Nzx53E=";
+  # })
+
+  (fetchpatch' {
+    title = "nixos/update-users-groups: fix cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/251850";
+    hash = "sha256-uqx9sJ1zkwys9Ur35iXY3gZKVb52wlnBGkhBB5sc6WQ=";
+  })
+
+  # (fetchpatch' {
+  #   # TODO: check back in on this around 2023-10-01
+  #   title = "libkiwix: 12.0.0 -> 12.1.0";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/246700";
+  #   hash = "sha256-LyTkWNgG1mynCdckKm3Hj9ifzLemyrhJ9BFVaPppwgw=";
+  # })
 
   # (fetchpatch' {
   #   # XXX: doesn't cleanly apply; fetch `firefox-pmos-mobile` branch from my git instead
@@ -58,15 +78,15 @@ in [
   #   hash = "sha256-oQEM3EZfAOmfZzDu9faCqyOFZsdHYGn1mVBgkxt68Zg=";
   # })
   (fetchpatch' {
-    saneCommit = "c3becd7cdf144d85d12e2e76663e9549a0536efd";
     title = "firefox-pmos-mobile: init at 4.0.2";
+    saneCommit = "c3becd7cdf144d85d12e2e76663e9549a0536efd";
     hash = "sha256-NRh2INUMA2K7q8zioqKA7xwoqg7v6sxpuJRpTG5IP1Q=";
   })
 
-  # splatmoji: init at 1.2.0
   (fetchpatch' {
-    saneCommit = "75149039b6eaf57d8a92164e90aab20eb5d89196";
+    title = "splatmoji: init at 1.2.0";
     prUrl = "https://github.com/NixOS/nixpkgs/pull/211874";
+    saneCommit = "75149039b6eaf57d8a92164e90aab20eb5d89196";
     hash = "sha256-jDXYLlXaEBKMrZ2dgxc6ucrcX/5dtqoIIKw+Ay19vlc=";
   })
 
@@ -77,7 +97,7 @@ in [
   #   hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
   # })
 
-  ./2022-12-19-i2p-aarch64.patch
+  # ./2022-12-19-i2p-aarch64.patch
 
   # fix for CMA memory leak in mesa: <https://gitlab.freedesktop.org/mesa/mesa/-/issues/8198>
   # fixed in mesa 22.3.6: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21330/diffs>
@@ -87,18 +107,15 @@ in [
   # upgrade to 22.3.6 instead
   # ./2023-02-28-mesa-22.3.6.patch
 
-  # fix qt6.qtbase and qt6.qtModule to cross-compile.
-  # unfortunately there's some tangle that makes that difficult to do via the normal `override` facilities
-  ./2023-03-03-qtbase-cross-compile.patch
 
   # let ccache cross-compile
   # TODO: why doesn't this apply?
   # ./2023-03-04-ccache-cross-fix.patch
 
-  # 2023-04-11: bambu-studio: init at 01.06.02.04
   (fetchpatch' {
+    title = "bambu-studio: init at 01.06.02.04";
     prUrl = "https://github.com/NixOS/nixpkgs/pull/206495";
-    hash = "sha256-XG4hvHXmP/wgiKuNRCAfttaGLrg/6mAOr+YvAVmycKQ=";
+    hash = "sha256-Z+IOzd+bnxjg6neF1YcrRDTzz9GhJfbbj0Wa8yTXsa4=";
   })
 
   # (fetchpatch' {
@@ -140,44 +157,76 @@ in [
   #   hash = "sha256-MNG8C0OgdPnFQ8SF2loiEhXJuP2z4n9pkXr8Zh4X7QU=";
   # })
 
+  # 2023-08-06: conky wayland + cross compilation patches.
+  # nix path-info shows clean
+  # branch is wip-conky-cross2 on servo
+  # factoring out those feature abstractions was possibly overkill.
+  # the manual wayland-scanner patching is unfortunate, but within
+  #   acceptable norms of the existing package.
   (fetchpatch' {
-    title = "conky: support wayland";
-    # saneCommit = "82978099c3a0d5fb4925351da1b0e2598503dc6c";
-    # hash = "sha256-lnDGEDhmeOIXfFnizEIVUiUzI7nMvpoCERbdjhR+Bto=";
-    saneCommit = "3ad928e20b498444e3a106b182e09317cea9a11f";
-    hash = "sha256-lvIASvQWVFbjHsQwO2EhEBUTSq1UkHvriaZZ2iS0ulU=";
+    title = "conky: factor out an abstraction for feature flags";
+    saneCommit = "3ddf13038d6df90ad0db36a41d55e4077818a3e9";
+    hash = "sha256-CjLzndFEH1Ng9CqKX8gxCJ6n/wFv5U/sHnQE0FMYILc=";
+  })
+  (fetchpatch' {
+    title = "conky: simplify the features even more";
+    saneCommit = "1c4aa404743f1ae7d5b95f18a96c4057ca251a96";
+    hash = "sha256-0zhiw9siIkFgFW4sow+X88NBEa3ggCe1t1HJ5xFH4ac=";
+  })
+  (fetchpatch' {
+    title = "conky: support cross compilation";
+    saneCommit = "01e607e11c7e5bbbfe6ad132fb72394ec29dab0a";
+    hash = "sha256-Bm/XFLvE7gEyLPlBWNSAcU3qwwqKLIRdpoe0/1aHUho=";
+  })
+  (fetchpatch' {
+    title = "conky: add wayland support";
+    saneCommit = "84c51f67e02ebc7f118fd3171bd10f1978d4f1e6";
+    hash = "sha256-gRYbkzCe3q1R7X/FeOcz/haURQkeAfmED1/ZQlCCdWE=";
+  })
+  (fetchpatch' {
+    title = "conky: remove no-op sed patch";
+    saneCommit = "e8b19984a2858ca24b7e8f5acd20be8b7dfe1af0";
+    hash = "sha256-K3mG1kcyB7sQZ7ZRCdlinNsV6mCcl3eIUI2ldSmcbJE=";
   })
 
   # (fetchpatch' {
-  #   title = "hare-json: init at unstable-2023-01-31";
-  #   saneCommit = "260f9c6ac4e3564acbceb46aa4b65fbb652f8e23";
-  #   hash = "sha256-bjLKANo0+zaxugJlEk1ObPqRHWOKptD7dXB+/xzsYqA=";
+  #   title = "gtk3: compile schemas even when cross compiling";
+  #   saneCommit = "5ee69670071f583bdffe2718dc46763fa1698f92";
+  #   hash = "sha256-ZX3lY63qUW2XuwCoxffbLYoFxckDImKy+S8mqlYJcvk=";
+  # })
+  # (fetchpatch' {
+  #   title = "gtk4: compile schemas even when cross compiling";
+  #   saneCommit = "7a1c5e3a5d1ff82c8afa659c7f903d5309d5de6a";
+  #   hash = "sha256-Tz8NBcIqGE9rCqbOrixgbvApYDEAHWCg4lZbklL/xXc=";
+  # })
+  (fetchpatch' {
+    title = "gtk{3,4}: compile schemas even when cross compiling";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/247844";
+    hash = "sha256-1CsjLgMvX0Lx500UDzal5HZi78hb7zBcb+AlNPF6NvA=";
+  })
+
+  # (fetchpatch' {
+  #   title = "hare-json: init at unstable-2023-02-25";
+  #   saneCommit = "6c88c2b087755e8f60c9f61c6361dec2f7a38155";
+  #   hash = "sha256-9TTlhwLDZESaFC02k4+YER+NvoNVPz9wFYV79+Dmuxs=";
   # })
   # (fetchpatch' {
   #   title = "hare-ev: init at unstable-2022-12-29";
-  #   saneCommit = "4058200a407c86c5d963bc49b608aa1a881cbbf2";
-  #   hash = "sha256-wm1aavbCfxBhcOXh4EhFO4u0LrA9tNr0mSczHUK8mQU=";
+  #   saneCommit = "1761049e9b8620091f29bf864ecbbf204b0c56b4";
+  #   hash = "sha256-H2ekBJx/iRX8E4uVmdEyaAZVhqeM25QbwvQ9Ki7fMQ0=";
   # })
   # (fetchpatch' {
   #   title = "bonsai: init at 1.0.0";
-  #   saneCommit = "65d37294d939384e8db400ea82d25ce8b4ad6897";
-  #   hash = "sha256-2easgOtJfzvVcz/3nt3lo1GKLLotrM4CkBRyTgIAhHU=";
+  #   saneCommit = "507252828934c73c7cffe255dae237c041676c27";
+  #   hash = "sha256-HwycOd3v4IifdQqQmMP6w14g0E/T9RAjAw41AsUZQoc=";
   # })
   (fetchpatch' {
+    # includes hare-json and hare-ev as pre-reqs
     title = "bonsai: init at 1.0.0";
     prUrl = "https://github.com/NixOS/nixpkgs/pull/233892";
-    hash = "sha256-HqtDgisbR0xOUY4AxhzEv+2JJMPyQMawKo6nbd9pxhE=";
+    hash = "sha256-HaTr7GBCfK1I2e7K4k2dUGZ6hZf4PwtEFobLaSz262M=";
   })
 
-  # make alsa-project members overridable
-  ./2023-05-31-toplevel-alsa.patch
-
-  # qt6 qtwebengine: specify `python` as buildPackages
-  ./2023-06-02-qt6-qtwebengine-cross.patch
-
-  # Jellyfin: don't build via `libsForQt5.callPackage`
-  ./2023-06-06-jellyfin-no-libsForQt5-callPackage.patch
-
   # pin to a pre-0.17.3 release
   # removing this and using stock 0.17.3 (also 0.17.4) causes:
   #   INFO lemmy_server::code_migrations: No Local Site found, creating it.
@@ -189,24 +238,18 @@ in [
   # related: <https://github.com/NixOS/nixpkgs/issues/236890#issuecomment-1585030861>
   # ./2023-06-10-lemmy-downgrade.patch
 
-  # (fetchpatch' {
-  #   title = "gpodder: wrap with missing `xdg-utils` path";
-  #   saneCommit = "10d0ac11bc083cbcf0d6340950079b3888095abf";
-  #   hash = "sha256-cu8L30ZiUJnWFGRR/SK917TC7TalzpGkurGkUAAxl54=";
-  # })
-
   (fetchpatch' {
     title = "koreader: 2023.04 -> 2023.05.1";
     saneCommit = "a5c471bd263abe93e291239e0078ac4255a94262";
     hash = "sha256-38sND/UNRj5WAYYKpzdrRBIOK4UAT14RzbIv49KmNNw=";
   })
 
-  (fetchpatch' {
-    # TODO: send this upstream!
-    title = "mepo: 1.1 -> 1.1.2";
-    saneCommit = "eee68d7146a6cd985481cdd8bca52ffb204de423";
-    hash = "sha256-uNerTwyFzivTU+o9bEKmNMFceOmy2AKONfKJWI5qkzo=";
-  })
+  # (fetchpatch' {
+  #   title = "mepo: 1.1 -> 1.1.2";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/247866";
+  #   saneCommit = "eee68d7146a6cd985481cdd8bca52ffb204de423";
+  #   hash = "sha256-uNerTwyFzivTU+o9bEKmNMFceOmy2AKONfKJWI5qkzo=";
+  # })
 
   (fetchpatch' {
     title = "gthumb: make the webservices feature be optional";
@@ -221,6 +264,107 @@ in [
     hash = "sha256-rD0es4uUbaLMrI9ZB2HzPmRLyu/ixNBLAFyDJtFHNko=";
   })
 
+  # (fetchpatch' {
+  #   title = "perlPackages.FileBaseDir: 0.08 -> 0.09";
+  #   saneCommit = "acc990b04bbe8c99587eadccc65f100c326ec204";
+  #   hash = "sha256-8s789GGARJH1i088OGBjGGnL2l5m8Q+iBPS213QsS6A=";
+  # })
+  # (fetchpatch' {
+  #   title = "perlPackages.TestFile: 1.443 -> 1.993";
+  #   saneCommit = "6cf080fb51d034f9c2ddd60cef7dee7d041afd3e";
+  #   hash = "sha256-fAZpduh3JZeFixJ4yX0wkh/GRp0gYKsTT+XkNdpK7CU=";
+  # })
+  (fetchpatch' {
+    # TODO: split this apart for easier reviewing:
+    # - perlPackages.TestFile 1.443 -> 1.993
+    # - perlPackages.FileBaseDir 0.08 -> 0.09
+    title = "xdg-utils: enable cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/246954";
+    saneCommit = "b7aa5e0c1ec06723cf1594de192703a65be21497";
+    hash = "sha256-5iYzyjVlye7mhwhlZOHucVod/aPT3OrXolC9jAnB544=";
+  })
+  # (fetchpatch' {
+  #   # N.B.: duplicates outstanding, merged PR: <https://github.com/NixOS/nixpkgs/pull/246362>
+  #   # - also a stale, approved PR: <https://github.com/NixOS/nixpkgs/pull/245761>
+  #   title = "libgudev: support cross compilation";
+  #   saneCommit = "4dc30718fe01e9dbed4ffc2ff375148da218e86b";
+  #   hash = "sha256-Nb2LphSyv8Dayqfwqfua0eKtNzsnaf7PC/KYUhIvnT8=";
+  # })
+  (fetchpatch' {
+    title = "blueman: support cross compilation";
+    saneCommit = "e070195bdf213dffb0164574397b6a7417f81c9e";
+    hash = "sha256-6JnIJCVBbV4tmFinX7Qv2wO2AThrgxrnyb9T4Ov6p5w=";
+  })
+  (fetchpatch' {
+    title = "tracker-miners: support cross compilation";
+    saneCommit = "24b062309ea8baa2d8303c0610c9ec7b8c399e8b";
+    hash = "sha256-Jj+1z2DeCEY+DqI1J4vYjYJwDDMRcA93CqpZSXzG0wE=";
+  })
+  (fetchpatch' {
+    title = "clapper: support cross compilation";
+    saneCommit = "8a171b49aca406f8220f016e56964b3fae53a3df";
+    hash = "sha256-R11IYatGhSXxZnJxJid519Oc9Kh56D9NT2/cxf2CLuM=";
+  })
+  (fetchpatch' {
+    title = "gcr_4: support cross compilation";
+    saneCommit = "a8c3d69236fa67382a8c18cc1ef0f34610fd3275";
+    hash = "sha256-UnLqkkpXxBKaqlsoD1jUIigZkxgLtNpjmMHOx10HpfE=";
+  })
+  (fetchpatch' {
+    title = "networkmanager-openvpn: support cross compilation";
+    saneCommit = "6f53c267fbeb2ff543f075032a7e73af2d4bcb9e";
+    hash = "sha256-gq9AyKH7/k2ZVSZ3jpPJPt3uAM+CllXQnaiC1tE1r/8=";
+  })
+  (fetchpatch' {
+    title = "WIP: networkmanager-sstp: support cross compilation";
+    saneCommit = "6de63fe320406ec9a509db721c52b3894a93bda2";
+    hash = "sha256-EY3bQuv/80JbpquUJhc89CcYAgN9A9KkpsSitw/684I=";
+  })
+  (fetchpatch' {
+    title = "WIP: networkmanager-l2tp: support cross compilation";
+    saneCommit = "7a4191c570b0e5a1ab257222c26a4a2ecb945037";
+    hash = "sha256-FiPJhHGqZ8MFwLY+1t6HgbK6ndomFSYUKvApvrikRHE=";
+  })
+  (fetchpatch' {
+    title = "gtkspell2: support cross compilation";
+    saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
+    hash = "sha256-0RMxouOBw7SUmQDLB2qGey714DaM0AOvZlZ5nB+Lkc4=";
+  })
+  (fetchpatch' {
+    title = "libgnt: 2.14.1 -> 2.14.3";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/246937";
+    saneCommit = "ecd423195d72036a209912868ad02742cb4b6fcd";
+    # hash = "sha256-u4V/UHNtd2c3+FppuJ5LeLNSV8ZaLe8cqj8HmcW2a/0=";
+    hash = "sha256-cGhJSby0K+e1hKPdPZjLFRKvwjGaTbq/kb6Fxj2v8g8=";
+  })
+  (fetchpatch' {
+    # TODO: send for review once thie libgnt patch above is merged
+    title = "pidgin: support cross compilation";
+    saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
+    hash = "sha256-PDCp4GOm6hWcRob4kz7qXZfxAF6YbYrESx9idoS3e/s=";
+  })
+
+  # (fetchpatch' {
+  #   # doesn't cleanly apply. TODO: see if this cross compiles now, thanks to <https://github.com/NixOS/nixpkgs/pull/234615>
+  #   title = "nixos/dconf: support cross compilation";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/249093";
+  #   saneCommit = "08f7cdebc58eeaa62cb349dab57db3be7a0c073d";
+  #   hash = "sha256-gqHUGeTQnr0f99gqEdd+VANLkWO+joLxz5I0RSarznE=";
+  # })
+
+  (fetchpatch' {
+    title = "playerctl: support cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/249512";
+    saneCommit = "67df31a8984ab3067af5b65446d2808b0aedadc6";
+    hash = "sha256-qY0bjMoFneC5VJ467TeiuOycLYNaVO7Xo/0fCauDZAM=";
+  })
+  (fetchpatch' {
+    title = "libgweather: enable introspection on cross builds";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
+    saneCommit = "7a2d0a90cc558ea71dfc78356e61b0675b995634";
+    hash = "sha256-tjO19dXVUrD+V+YpD7z3iWSgNyOirG70HuQ+c+0fZYA=";
+  })
+
   # (fetchpatch' {
   #   # N.B.: compiles, but runtime error on launch suggestive of some module not being shipped
   #   title = "matrix-appservice-irc: 0.38.0 -> 1.0.0";
@@ -234,4 +378,14 @@ in [
   ./02-rpi4-uboot.patch
 
   # ./07-duplicity-rich-url.patch
+
+  # fix qt6.qtbase and qt6.qtModule to cross-compile.
+  # unfortunately there's some tangle that makes that difficult to do via the normal `override` facilities
+  # ./2023-03-03-qtbase-cross-compile.patch
+
+  # qt6 qtwebengine: specify `python` as buildPackages
+  # ./2023-06-02-qt6-qtwebengine-cross.patch
+
+  # Jellyfin: don't build via `libsForQt5.callPackage`
+  # ./2023-06-06-jellyfin-no-libsForQt5-callPackage.patch
 ]

overlays/all.nix

@@ -5,6 +5,7 @@
 final: prev:
 let
   pkgs = import ./pkgs.nix;
+  preferences = import ./preferences.nix;
   disable-flakey-tests = import ./disable-flakey-tests.nix;
   optimizations = import ./optimizations.nix;
   cross = import ./cross.nix;
@@ -18,6 +19,7 @@ let
 in
   renderOverlays [
     pkgs
+    preferences
     disable-flakey-tests
     (ifCross optimizations)
     (ifCross cross)

overlays/disable-flakey-tests.nix

@@ -4,200 +4,87 @@
 # - they assume a particular architecture (e.g. x86) whereas i compile on multiple archs.
 # - they assume too much about their environment and fail under qemu.
 #
-(next: prev: {
-  ell = prev.ell.overrideAttrs (_upstream: {
-    # 2023/02/11
-    # fixes "TEST FAILED in get_random_return_callback at unit/test-dbus-message-fds.c:278: !l_dbus_message_get_error(message, ((void *)0), ((void *)0))"
-    # 2023/04/06
-    # fixes "test-cipher: unit/test-cipher.c:102: test_aes_ctr: Assertion `!r' failed."
-    # unclear *why* this test fails.
+(next: prev:
+let
+  dontCheck = p: p.overrideAttrs (_: {
+    doCheck = false;
+    doInstallCheck = false;
+  });
+  aarch64Only = f: p: p.overrideAttrs (upstream:
+    next.lib.optionalAttrs
+      (p.stdenv.targetPlatform.system == "aarch64-linux")
+      (f upstream)
+  );
+  emulatedOnly = f: p: p.overrideAttrs (upstream:
+    next.lib.optionalAttrs
+      (p.stdenv.targetPlatform.system == "aarch64-linux" && p.stdenv.buildPlatform.system == "aarch64-linux")
+      (f upstream)
+  );
+  dontCheckAarch64 = aarch64Only (_: {
+    # only `dontCheck` if the package is being built for aarch64
+    doCheck = false;
+    doInstallCheck = false;
+  });
+  dontCheckEmulated = emulatedOnly (_: {
     doCheck = false;
   });
-  # fish = prev.fish.overrideAttrs (_upstream: {
-  #   # 2023/02/28
-  #   # The following tests FAILED:
-  #   #     177 - sigint.fish (Failed)
-  #   #     241 - torn_escapes.py (Failed)
-  #   doCheck = false;
-  # });
-  # gjs = prev.gjs.overrideAttrs (_upstream: {
-  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
-  #   doCheck = false;
-  # });
-  # gssdp = prev.gssdp.overrideAttrs (_upstream: {
-  #   # 2023/02/11
-  #   # fixes "ERROR:../tests/test-regression.c:429:test_ggo_7: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-error, 1)"
-  #   doCheck = false;
-  # });
-  # gupnp = prev.gupnp.overrideAttrs (_upstream: {
-  #   # 2023/02/22
-  #   # fixes "Bail out! ERROR:../tests/test-bugs.c:205:test_bgo_696762: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-erro>"
-  #   doCheck = false;
-  # });
-  # json-glib = prev.json-glib.overrideAttrs (_upstream: {
-  #   # 2023/02/11
-  #   # fixes: "15/15 json-glib:docs / doc-check    TIMEOUT        30.52s   killed by signal 15 SIGTERM"
-  #   doCheck = false;
-  # });
-  # lapack-reference = prev.lapack-reference.overrideAttrs (_upstream: {
-  #   # 2023/02/11: test timeouts
-  #   # > The following tests FAILED:
-  #   # >       93 - LAPACK-xlintstz_ztest_in (Timeout)
-  #   # >        98 - LAPACK-xeigtstz_svd_in (Timeout)
-  #   # >          99 - LAPACK-xeigtstz_zec_in (Timeout)
-  #   doCheck = false;
-  # });
-  # libadwaita = prev.libadwaita.overrideAttrs (_upstream: {
-  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
-  #   doCheck = false;
-  # });
-  # libsecret = prev.libsecret.overrideAttrs (_upstream: {
-  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
-  #   doCheck = false;
-  # });
-  # libuv = prev.libuv.overrideAttrs (_upstream: {
-  #   # 2023/02/11
-  #   # 2 tests fail:
-  #   # - not ok 261 - tcp_bind6_error_addrinuse
-  #   # - not ok 267 - tcp_bind_error_addrinuse_listen
-  #   doCheck = false;
-  # });
-  libwacom = prev.libwacom.overrideAttrs (_upstream: {
-    # 2023/03/30
-    # "libwacom:all / pytest TIMEOUT"
+in {
+  # 2023/07/27
+  # 4 tests fail when building `host-pkgs.moby.emulated.elfutils`
+  # it might be enough to only disable checks when targeting aarch64, which could reduce rebuilds?
+  elfutils = dontCheckAarch64 prev.elfutils;
+
+  # 2023/07/31
+  # tests just hang after mini-record-2
+  # only for binfmt-emulated aarch64 -> aarch64 build
+  gnutls = dontCheckEmulated prev.gnutls;
+
+  # 2023/07/31
+  # tests fail (not timeout), but only when cross compiling, and not on servo (so, due to binfmt?)
+  gupnp = dontCheck prev.gupnp;
+
+  # hangs during checkPhase (or maybe it just takes 20-30 minutes)
+  # libqmi = dontCheckEmulated prev.libqmi;
+
+  # 2023/07/28
+  # "7/7 libwacom:all / pytest                               TIMEOUT        30.36s   killed by signal 15 SIGTERM"
+  # N.B.: it passes on x86_64, but only if it's not CPU starved (i.e. nix build with -j1 if it fails)
+  libwacom = aarch64Only (_: {
     doCheck = false;
     mesonFlags = [ "-Dtests=disabled" ];
-  });
-
-  # llvmPackages_12 =
-  #   let
-  #     tools = prev.llvmPackages_12.tools.extend (self: super: {
-  #       libllvm = super.libllvm.overrideAttrs (upstream: {
-  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITTest.return_global (2857 of 42084)"
-  #         # - nix log /nix/store/6vydavlxh1gvs0vmrkcx9qp67g3h7kcz-llvm-12.0.1.drv
-  #         # - wanted by sequoia, rav1e, rustc-1.66.1  (is this right?)
-  #         doCheck = false;
-  #         # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
-  #         cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
-  #       });
-  #     });
-  #   in
-  #     # see <nixpkgs:pkgs/development/compilers/llvm/12/default.nix>
-  #     # - we copy their strategy / attrset mutilation
-  #     prev.llvmPackages_12 // { inherit tools; } // tools;
-
-  # llvmPackages_14 =
-  #   let
-  #     tools = prev.llvmPackages_14.tools.extend (self: super: {
-  #       libllvm = super.libllvm.overrideAttrs (upstream: {
-  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITMultipleModuleTest.two_module_global_variables_case (43769 of 46988)"
-  #         # - nix log /nix/store/ib2yw6sajnhlmibxkrn7lj7chllbr85h-llvm-14.0.6.drv
-  #         # - wanted by clang-11-12-LLVMgold-path, compiler-rt-libc-12.0.1, clang-wrapper-12.0.1  (is this right?)
-  #         doCheck = false;
-  #         # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
-  #         cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
-  #       });
-  #     });
-  #   in
-  #     # see <nixpkgs:pkgs/development/compilers/llvm/14/default.nix>
-  #     # - we copy their strategy / attrset mutilation
-  #     prev.llvmPackages_14 // { inherit tools; } // tools;
-
-  # llvmPackages_15 =
-  #   let
-  #     tools = prev.llvmPackages_15.tools.extend (self: super: {
-  #       libllvm = super.libllvm.override {
-  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/..."
-  #         # llvm15 passes doCheck as a call arg, so we don't need to set cmakeFlags explicitly as in previous versions
-  #         doCheck = false;
-  #       };
-  #     });
-  #   in
-  #     prev.llvmPackages_15 // { inherit tools; } // tools;
-
-  # modemmanager = prev.modemmanager.overrideAttrs (_upstream: {
-  #   # 2023/02/25
-  #   # "ERROR:test-modem-helpers.c:257:test_cmgl_response: assertion failed: (list != NULL)"
-  #   doCheck = false;
-  #   doInstallCheck = false;  # tests are run during install check??
-  # });
+  }) prev.libwacom;
 
   pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
     (py-next: py-prev: {
-      # ipython = py-prev.ipython.overridePythonAttrs (upstream: {
-      #   # > FAILED IPython/core/tests/test_debugger.py::test_xmode_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_disabled - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_with_breakpoint - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-      #   # > FAILED IPython/core/tests/test_debugger.py::test_where_erase_value - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-      #   # > FAILED IPython/terminal/tests/test_debug_magic.py::test_debug_magic_passes_through_generators - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-      #   # > FAILED IPython/terminal/tests/test_embed.py::test_nest_embed - pexpect.exceptions.TIMEOUT: Timeout exceeded.
-      #   disabledTestPaths = upstream.disabledTestPaths or [] ++ [
-      #     "IPython/core/tests/test_debugger.py"
-      #     "IPython/terminal/tests/test_debug_magic.py"
-      #     "IPython/terminal/tests/test_embed.py"
-      #   ];
-      # });
       pyarrow = py-prev.pyarrow.overridePythonAttrs (upstream: {
         # 2023/04/02
         # disabledTests = upstream.disabledTests ++ [ "test_generic_options" ];
-        disabledTestPaths = upstream.disabledTestPaths or [] ++ [
+        disabledTestPaths = (upstream.disabledTestPaths or []) ++ [
           "pyarrow/tests/test_flight.py"
         ];
       });
-      # pytest-xdist = py-prev.pytest-xdist.overridePythonAttrs (upstream: {
-      #   # 2023/02/19
-      #   # 4 tests fail:
-      #   # - FAILED: testing/test_remote.py::TestWorkInteractor::* - execnet.gateway_base.TimeoutError: no item after 10.0 seconds
-      #   # doCheck = false;
-      #   disabledTestPaths = upstream.disabledTestPaths or [] ++ [
-      #     "testing/test_remote.py"
-      #   ];
-      #   # disabledTests = upstream.disabledTests or [] ++ [
-      #   #   "test_basic_collect_and_runtests"
-      #   #   "test_remote_collect_fail"
-      #   #   "test_remote_collect_skip"
-      #   #   "test_runtests_all"
-      #   # ];
-      # });
-      # twisted = py-prev.twisted.overridePythonAttrs (upstream: {
-      #   # 2023/02/25
-      #   # ```
-      #   # [ERROR]
-      #   # Traceback (most recent call last):
-      #   #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/test/test_udp.py", line 645, in test_interface
-      #   #     self.assertEqual(self.client.transport.getOutgoingInterface(), "0.0.0.0")
-      #   #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/internet/udp.py", line 449, in getOutgoingInterface
-      #   #     i = self.socket.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF)
-      #   # builtins.OSError: [Errno 92] Protocol not available
-      #   #
-      #   # twisted.test.test_udp.MulticastTests.test_interface
-      #   # ```
-      #   postPatch = upstream.postPatch + ''
-      #     echo 'MulticastTests.test_interface.skip = "Protocol not available"'>> src/twisted/test/test_udp.py
-      #   '';
-      # });
+
+      # 2023/08/09: unclear why it fails; probably can remove after next nixpkgs update
+      pillow = py-prev.pillow.overridePythonAttrs (_upstream: {
+        format = "setuptools";
+      });
+
+      seaborn = py-prev.seaborn.overridePythonAttrs (upstream: {
+        # 2023/08/09
+        disabledTestPaths = (upstream.disabledTestPaths or []) ++ [
+          "tests/test_categorical.py"
+          "tests/test_core.py"
+        ];
+      });
     })
   ];
 
-  # strp = prev.srtp.overrideAttrs (_upstream: {
-  #   # 2023/02/11
-  #   # roc_driver test times out after 30s
-  #   doCheck = false;
-  # });
-  tracker = prev.tracker.overrideAttrs (_upstream: {
-    # 2023/02/22
-    # "27/37 tracker:core / service                          TIMEOUT         60.37s   killed by signal 15 SIGTERM"
-    doCheck = false;
-  });
-  # udisks2 = prev.udisks2.overrideAttrs (_upstream: {
-  #   # 2023/02/25
-  #   # "udisks-test:ERROR:test.c:61:on_completed_expect_failure: assertion failed (message == expected_message): ("Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11):\nstdout: `OK, deliberately causing a segfault\n'\nstderr: `qemu: uncaught target signal 11 (Segmentation fault) - core dumped\n'" == "Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11): OK, deliberately causing a segfault\n")"
-  #   doCheck = false;
-  # });
-  # upower = prev.upower.overrideAttrs (_upstream: {
-  #   # 2023/02/25
-  #   # "Tests.test_battery_state_guessing                          TIMEOUT        60.80s   killed by signal 15 SIGTERM"
-  #   doCheck = false;
-  # });
+  # 2023/02/22
+  # "27/37 tracker:core / service                          TIMEOUT         60.37s   killed by signal 15 SIGTERM"
+  tracker = dontCheck prev.tracker;
+
+  # 2023/07/31
+  # fails a test (didn't see which one)
+  # only for binfmt-emulated aarch64 -> aarch64 build
+  umockdev = dontCheckEmulated prev.umockdev;
 })

overlays/preferences.nix

@@ -0,0 +1,47 @@
+# personal preferences
+# prefer to encode these in `sane.programs`
+# resort to this method for e.g. system dependencies, or things which are referenced from too many places.
+(self: super: with self; {
+  gnome = super.gnome.overrideScope' (gself: gsuper: with gself; {
+    evolution-data-server = gsuper.evolution-data-server.override {
+      # OAuth depends on webkitgtk_4_1: old, forces an annoying recompilation
+      enableOAuth2 = false;
+      gnome-online-accounts = gnome-online-accounts.override {
+        # avoid webkitgtk_4_1 build
+        enableBackend = false;
+      };
+    };
+    # gnome-shell = gsuper.gnome-shell.override {
+    #   evolution-data-server-gtk4 = evolution-data-server-gtk4.override {
+    #     # avoid webkitgtk_6_0 build. lol.
+    #     withGtk4 = false;
+    #   };
+    # };
+  });
+
+  phog = super.phog.override {
+    # disable squeekboard because it takes 20 minutes to compile when emulated
+    squeekboard = null;
+  };
+
+  pipewire = super.pipewire.override {
+    # avoid a dep on python3.10-PyQt5, which has mixed qt5 versions.
+    # this means we lose firewire support (oh well..?)
+    ffadoSupport = false;
+  };
+
+  pythonPackagesExtensions = super.pythonPackagesExtensions ++ [
+    (pySelf: pySuper: {
+      keyring = (pySuper.keyring.override {
+        # jaraco-classes doesn't cross compile, but it looks like `keyring`
+        # has some _temporary_ fallback logic for when jaraco-classes isn't
+        # installed (i.e. may break in future).
+        jaraco-classes = null;
+      }).overrideAttrs (upstream: {
+        postPatch = (upstream.postPatch or "") + ''
+          sed -i /jaraco.classes/d setup.cfg
+        '';
+      });
+    })
+  ];
+})

pkgs/additional/bonsai/default.nix

@@ -18,6 +18,21 @@ stdenv.mkDerivation rec {
     hash = "sha256-jOtFUpl2/Aa7f8JMZf6g63ayFOi+Ci+i7Ac63k63znc=";
   };
 
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace 'hare build' 'hare build $(HARE_TARGET_FLAGS)'
+  '';
+
+  env.HARE_TARGET_FLAGS =
+    if stdenv.hostPlatform.isAarch64 then
+      "-t aarch64"
+    else if stdenv.hostPlatform.isRiscV64 then
+      "-t riscv64"
+    else if stdenv.hostPlatform.isx86_64 then
+      "-t x86_64"
+    else
+      "";
+
   nativeBuildInputs = [
     hare
     hare-ev
@@ -31,7 +46,7 @@ stdenv.mkDerivation rec {
     # export ARFLAGS="-csr"
   '';
 
-  installFlags = [ "PREFIX=" "DESTDIR=$(out)" ];
+  installFlags = [ "PREFIX=$(out)" ];
 
   passthru.updateScript = gitUpdater {
     rev-prefix = "v";

pkgs/additional/chatty-latest/default.nix

@@ -0,0 +1,87 @@
+{ chatty
+, fetchFromGitLab
+, appstream-glib
+, desktop-file-utils
+, itstool
+, meson
+, ninja
+, pkg-config
+, python3
+# , wrapGAppsHook
+# , evolution-data-server
+, feedbackd
+, glibmm
+, gnome-desktop
+, gspell
+# , gtk3
+, json-glib
+, libgcrypt
+, libhandy
+, libphonenumber
+, modemmanager
+, olm
+, pidgin
+, protobuf
+, sqlite
+# NEW
+, evolution-data-server-gtk4
+, glib-networking
+, gtk4
+, libadwaita
+, wrapGAppsHook4
+}:
+chatty.overrideAttrs (upstream: {
+  pname = "chatty-latest";
+  version = "unstable-2023-08-01";
+  src = fetchFromGitLab {
+    domain = "source.puri.sm";
+    owner = "Librem5";
+    repo = "chatty";
+    rev = "ca556b7df539b37e08ed2c73e2beb2b6cc7b91f3";
+    hash = "sha256-Tzdai2VU9wh/HW52uB+9uzpQymZmTqwiGqB6N20IvxE=";
+    fetchSubmodules = true;
+  };
+
+  postPatch = (upstream.postPatch or "") + ''
+    substituteInPlace build-aux/meson/postinstall.py \
+      --replace 'gtk-update-icon-cache' 'gtk4-update-icon-cache'
+  '';
+
+  nativeBuildInputs = [
+    appstream-glib
+    desktop-file-utils
+    itstool
+    meson
+    ninja
+    pkg-config
+    python3
+    #wrapGAppsHook
+
+    # NEW
+    wrapGAppsHook4
+  ];
+
+  buildInputs = [
+    # evolution-data-server
+    feedbackd
+    glib-networking  # for TLS
+    glibmm
+    gnome-desktop
+    gspell
+    # gtk3
+    json-glib
+    libgcrypt
+    libhandy
+    libphonenumber
+    modemmanager
+    olm
+    pidgin
+    protobuf
+    sqlite
+
+    # NEW
+    libadwaita
+    gtk4
+    evolution-data-server-gtk4
+  ];
+})

pkgs/additional/eg25-control/default.nix

@@ -0,0 +1,6 @@
+{ static-nix-shell }:
+static-nix-shell.mkPython3Bin {
+  pname = "eg25-control";
+  src = ./.;
+  pkgs = [ "curl" "modemmanager" ];
+}

pkgs/additional/eg25-control/eg25-control

@@ -0,0 +1,429 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ps: [  ])" -p curl -p modemmanager
+
+# this script should run after ModemManager.service is started.
+# typical invocation is `eg25_gps_init.py --enable-power --enable-gps`.
+# after running, the user may `cat /dev/ttyUSB1` to view NMEA-encoded GPS information.
+# the script attempts to be idempotent, such that it may be run multiple times per boot.
+#
+# this script downloads assisted GPS (AGPS) data via the system's default gateway (i.e. WiFi)
+# and shares that with the modem. this quickens the process of acquiring a GPS fix.
+#
+# the script may also configure other parts of the modem as `eg25-manager` does.
+# these options are less tested: see `--help` for more.
+#
+# PREREQUISITES/DEPENDENCIES:
+# this script expects to run on megi's kernel, with `CONFIG_MODEM_POWER=y`.
+# ModemManager must be launched with the `--debug` flag, so that `mmcli --command=...` works.
+#
+# ModemManager, and by extension this script, REQUIRES A SIM CARD IN YOUR PHONE.
+# the sim doesn't need to be "activated". you can buy a $1 SIM and never purchase
+# service and that works; it's just needed for ModemManager to boot the modem.
+# this isn't a fundamental requirement; if one did everything via serial instead of
+# ModemManager the SIM would not be necessary for GPS.
+#
+# EXPECTATIONS/TIPS:
+# - with the right environment, you may get a GPS fix in < 30s.
+#   - the fix is likely to have a *lot* of jitter, like 10+ meters.
+# - indoors, you shouldn't expect to *ever* get a cold-start GPS fix.
+#   - maybe you'll track 1 satellite if lucky: enough to receive GPS time but not for a GPS fix.
+#   - get a fix outdoors, then walk indoors: GPS is smart enough to maintain a spotty fix.
+# - outdoors in suburbia, a fix might take 10-20 minutes.
+#   - i have better luck *placing my phone on the roof of my car* than holding it in the air with my hand.
+#   - maybe a big metal plate opposite the sky acts as a dish/antenna?
+# - in Seattle, i track several GLONASS and GPS sats: about an even split.
+#   - the GPS sats have better SNR.
+#   - modem seems to not show any BeiDou or Galileo sats even if i enable them.
+#
+# eg25 modem/GPS docs:
+# [GNSS-AP-Note]: https://wiki.pine64.org/images/0/09/Quectel_EC2x%26EG9x%26EG2x-G%26EM05_Series_GNSS_Application_Note_V1.3.pdf
+#
+# most acronyms are defined inline, particularly near variable/class declarations.
+# glossary, for those which aren't:
+#
+# Global Navigation Satellite Systems (GNSS):
+# - GPS (US)
+# - GLONASS (RU)
+# - Galileo (EU)
+# - BeiDou (CN)
+# ^ these are all global systems, usable outside the country that owns them
+
+
+import argparse
+import datetime
+import logging
+import subprocess
+import sys
+import time
+
+POWER_ENDPOINT = "/sys/class/modem-power/modem-power/device/powered"
+# GNSS-AP-Note 1.4:
+# also at xtrapath5 and xtrapath6 subdomains.
+# the AGPS data here is an almanac good for 7 days.
+AGPS_DATA_URI_BASE = "https://xtrapath4.izatcloud.net"
+
+class AgpsDataVariant:
+    # GNSS-AP-Note 1.4:
+    gps_glonass = "xtra2.bin"
+    gps_glonass_beidou = "xtra3grc.bin"
+    # N.B.: not supported by all Quectel modems
+    # on stock Pinephone, ModemManager gives "LOC service: general failure"
+    gps_glonass_beidou_galileo = "xtra3grcej.bin"
+
+logger = logging.getLogger(__name__)
+
+def destructive(fn: callable = None, return_ = None):
+    """ decorate `fn` so that it becomes a no-op when --dry-run is active """
+    def wrapped(self, *args, **kwargs):
+        if self.dry_run:
+            fmt_args = ", ".join(
+                [repr(a) for a in args] +
+                [f"{k}={v}" for k,v in kwargs.items()]
+            )
+            logger.info(f"[dry run] {fn.__name__}({fmt_args})")
+            return return_
+        else:
+            return fn(self, *args, **kwargs)
+    if fn:
+        return wrapped
+    else:
+        return lambda fn: destructive(fn, return_=return_)
+
+def log_scope(at_enter: str, at_exit: str):
+    """ decorate a function so that it logs at start and end """
+    def decorator(fn: callable):
+        def wrapped(*args, **kwargs):
+            logger.info(at_enter)
+            ret = fn(*args, **kwargs)
+            logger.info(at_exit)
+            return ret
+        return wrapped
+    return decorator
+
+class Executor:
+    def __init__(self, dry_run: bool = False):
+        self.dry_run = dry_run
+
+    @destructive
+    def write_file(self, path: str, data: bytes) -> None:
+        logger.debug(f"echo {data!r} > {path}")
+        with open(path, 'wb') as f:
+            f.write(data)
+
+    @destructive(return_=b'')
+    def exec(self, cmd: list[str], check: bool = True) -> bytes:
+        logger.debug(" ".join(cmd))
+        res = subprocess.run(cmd, capture_output=True)
+        logger.debug(res.stdout)
+        if res.stderr:
+            logger.warning(res.stderr)
+        if check:
+            res.check_returncode()
+        return res.stdout
+
+class GNSSConfig:
+    # GNSS-AP-Note 2.2.7
+    #   Supported GNSS constellations. GPS is always ON
+    #   0 GLONASS OFF/BeiDou OFF/Galileo OFF
+    #   1 GLONASS ON/BeiDou ON/Galileo ON
+    #   2 GLONASS ON/BeiDou ON/Galileo OFF
+    #   3 GLONASS ON/BeiDou OFF/Galileo ON
+    #   4 GLONASS ON/BeiDou OFF/Galileo OFF
+    #   5 GLONASS OFF/BeiDou ON/Galileo ON
+    #   6 GLONASS OFF/BeiDou OFF/Galileo ON
+    #   7 GLONASS OFF/BeiDou ON/Galileo OFF
+    gps = "0"
+    gps_glonass_beidou_galileo = "1"
+    gps_glonass_beidou = "2"
+    gps_glonass_galilego = "3"
+    gps_glonass = "4"
+    gps_beidou_galileo = "5"
+    gps_galileo = "6"
+    gps_beidou = "7"
+
+class ODPControl:
+    # GNSS-AP-Note 2.2.8
+    #   0 Disable ODP
+    #   1 Low power mode
+    #   2 Ready mode
+    #
+    # ODP = "On-Demand Positioning"
+    # Low power mode:
+    # - low-frequency background GNSS tracking session
+    # - adjusts interval between 10m (when signal is good) - 60m (when signal is bad)
+    # Ready mode:
+    # - 1 Hz positioning
+    # - keeps GNSS ready so that when application demands position it's immediately ready
+    # - automatically stops positioning after 60s??
+    disable = "0"
+    lower_power_mode = "1"
+    ready_mode = "2"
+
+class DPOEnable:
+    # GNSS-AP-Note 2.2.9
+    #   0 Disable DPO
+    #   1 Enable the DPO with dynamic duty cycle
+    #
+    # DPO = "Dynamic Power Optimization"
+    # automatically shuts off radio under certain conditions
+    # more info: <https://sixfab.com/wp-content/uploads/2018/09/Quectel_UC20_GNSS_AT_Commands_Manual_V1.1.pdf> 1.4.1
+    disable = "0"
+    enable = "1"
+
+class GPSNMEAType:
+    # GNSS-AP-Note 2.2.3
+    #   Output type of GPS NMEA sentences in ORed.
+    disable = 0
+    gpgga = 1
+    gprmc = 2
+    gpgsv = 4
+    gpgsa = 8
+    gpvtg = 16
+    all = 31
+
+class GlonassNmeaType:
+    # GNSS-AP-Note 2.2.4
+    #   Configure output type of GLONASS NMEA sentences in ORed
+    disable = 0
+    glgsv = 1
+    gngsa = 2
+    gngns = 4
+    all = 7
+
+class GalileoNmeaType:
+    # GNSS-AP-Note 2.2.5
+    disable = 0
+    gagsv = 1
+    all = 1
+
+class BeiDouNmeaType:
+    # GNSS-AP-Note 2.2.6
+    disable = 0
+    pqgsa = 1
+    pqgsv = 2
+    all = 3
+
+class AutoGps:
+    # GNSS-AP-Note 2.2.12
+    #    Enable/disable GNSS to run automatically after the module is powered on.
+    disable = "0"
+    enable = "1"
+
+class Sequencer:
+    AGPS_DATA_URI_BASE = AGPS_DATA_URI_BASE
+    def __init__(self, executor: Executor, modem: str, power_endpoint: str):
+        self.executor = executor
+        self.modem = modem
+        self.power_endpoint = power_endpoint
+
+    def _mmcli(self, args: list[str], check: bool = True) -> str:
+        return self.executor.exec(
+            ["mmcli", "--modem", self.modem] + args,
+            check=check
+        ).decode('utf-8')
+
+    def _try_mmcli(self, args: list[str]) -> str:
+        try:
+            return self._mmcli(args)
+        except subprocess.CalledProcessError:
+            return None
+
+    def _at_cmd(self, cmd: str, check: bool = True) -> str:
+        # this returns the mmcli output, which looks like:
+        # response: 'blah'
+        # i.e., quoted, and with a `response: ` prefix
+        return self._mmcli([f"--command=+{cmd}"], check=check)
+
+    def _at_structured_cmd(self, cmd: str, subcmd: str | None = None, value: str | None = None, check: bool = True) -> str:
+        if not subcmd and not value:
+            return self._at_cmd(cmd, check=check)
+        elif not subcmd and value:
+            return self._at_cmd(f"{cmd}={value}", check=check)
+        elif subcmd and not value:
+            return self._at_cmd(f"{cmd}=\"{subcmd}\"", check=check)
+        else:
+            return self._at_cmd(f"{cmd}=\"{subcmd}\",{value}", check=check)
+
+    def _at_gnssconfig(self, cfg: GNSSConfig) -> str:
+        return self._at_structured_cmd("QGPSCFG", "gnssconfig", cfg)
+
+    def _at_odpcontrol(self, control: ODPControl) -> str:
+        return self._at_structured_cmd("QGPSCFG", "odpcontrol", control)
+
+    def _at_dpoenable(self, enable: DPOEnable) -> str:
+        return self._at_structured_cmd("QGPSCFG", "dpoenable", enable)
+
+    def _at_gpsnmeatype(self, ty: GPSNMEAType) -> str:
+        return self._at_structured_cmd("QGPSCFG", "gpsnmeatype", str(ty))
+
+    def _at_glonassnmeatype(self, ty: GlonassNmeaType) -> str:
+        return self._at_structured_cmd("QGPSCFG", "glonassnmeatype", str(ty))
+
+    def _at_galileonmeatype(self, ty: GalileoNmeaType) -> str:
+        return self._at_structured_cmd("QGPSCFG", "galileonmeatype", str(ty))
+
+    def _at_beidounmeatype(self, ty: BeiDouNmeaType) -> str:
+        self._at_structured_cmd("QGPSCFG", "beidounmeatype", str(ty))
+
+    def _at_autogps(self, enable: AutoGps) -> str:
+        return self._at_structured_cmd("QGPSCFG", "autogps", enable)
+
+    def _get_assistance_data(self, variant: AgpsDataVariant) -> str | None:
+        try:
+            self.executor.exec(["curl", f"{self.AGPS_DATA_URI_BASE}/{variant}", "-o", variant])
+            return variant
+        except subprocess.CalledProcessError as e:
+            logger.warning(f"AGPS data download failed: {e}")
+            return None  # TODO: could be smarter: return cached AGPS data?
+
+    @log_scope("powering modem...", "modem powered")
+    def power_on(self) -> None:
+        self.executor.write_file(self.power_endpoint, b'1')
+        while self._try_mmcli([]) is None:
+            logger.info("modem hasn't appeared: sleeping for 1s")
+            time.sleep(1)  # wait for modem to appear
+
+    def at_check(self) -> None:
+        """ sanity check that the modem is listening for AT commands and responding reasonably """
+        hw = self._at_cmd("QGMR")
+        assert 'EG25GGBR07A08M2G' in hw or self.executor.dry_run, hw
+
+    def dump_debug_info(self) -> None:
+        logger.debug('checking if AGPS is enabled (1) or not (0)')
+        self._at_structured_cmd('QGPSXTRA?')
+        # see if the GPS assistance data is still within valid range
+        logger.debug('QGPSXTRADATA: <valid_duration_minutes>,<start_time_of_agps_data>')
+        self._at_structured_cmd('QGPSXTRADATA?')
+        logger.debug('checking what time the modem last synchronized with the network')
+        self._at_structured_cmd('QLTS')
+        logger.debug('checking what time the modem thinks it is (extrapolated from sync)')
+        self._at_structured_cmd('QLTS', value=1)
+        logger.debug('checking what time the modem thinks it is (from RTC)')
+        self._at_structured_cmd('CCLK?')
+        logger.debug('checking if nmea GPS source is enabled')
+        self._at_structured_cmd('QGPSCFG', 'nmeasrc')
+        logger.debug('checking if GPS is enabled (1) or not (0)')
+        self._at_structured_cmd('QGPS?')
+        logger.debug('checking if GPS has a fix. Error 516 if not')
+        self._at_structured_cmd('QGPSLOC', value='0', check=False)
+        logger.debug('dumping AGPS positioning mode bitfield')
+        self._at_structured_cmd('QGPSCFG', 'agpsposmode')
+
+    @log_scope("configuring audio...", "audio configured")
+    def enable_audio(self) -> None:
+        # cribbed from eg25-manager; i don't understand these
+        # QDAI call shouldn't be necessary if using Megi's FW:
+        # - <https://xnux.eu/devices/feature/modem-pp.html>
+        self._at_structured_cmd("QDAI", value="1,1,0,1,0,0,1,1")
+        # RI signaling using physical RI pin
+        self._at_structured_cmd("QCFG", "risignaltype", "\"physical\"")
+        # Enable VoLTE support
+        self._at_structured_cmd("QCFG", "ims", "1")
+        # Enable APREADY for PP 1.2
+        self._at_structured_cmd("QCFG", "apready", "1,0,500")
+
+    @log_scope("configuring urc...", "urc configured")
+    def enable_urc(self) -> None:
+        # cribbed from eg25-manager; i don't even know what URC is
+        # URC configuration for PP 1.2 (APREADY pin connected):
+        #   * RING URC: normal pulse length
+        #   * Incoming SMS URC: default pulse length
+        #   * Other URC: default length
+        #   * Report URCs on all ports (serial and USB) for FOSS firmware
+        #   * Reporting of URCs without any delay
+        #   * Configure URC pin to UART Ring Indicator
+        self._at_structured_cmd("QCFG", "urc/ri/ring", "\"pulse\",120,1000,5000,\"off\",1")
+        self._at_structured_cmd("QCFG", "urc/ri/smsincoming", "\"pulse\",120,1")
+        self._at_structured_cmd("QCFG", "urc/ri/other", "\"off\",1,1")
+        self._at_structured_cmd("QCFG", "urc/delay", "0")
+        self._at_structured_cmd("QCFG", "urc/cache", "0")
+        self._at_structured_cmd("QCFG", "urc/ri/pin", "uart_ri")
+        self._at_structured_cmd("QURCCFG", "urcport", "\"all\"")
+
+    @log_scope("configuring gps...", "gps configured")
+    def enable_gps(self) -> None:
+        # set modem to use UTC time instead of local time.
+        # modemmanager sends CTZU=3 during init and that causes `AT+CCLK?` to return a timestamp that's off by 600+ days
+        # see: <https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/360>
+        self._at_structured_cmd("CTZU", value="1")
+
+        # disable GNSS, because it's only configurable while offline
+        self._at_structured_cmd("QGPSEND", check=False)
+        # self._at_structured_cmd("QGPS", value="0")
+
+        # XXX: ModemManager plugin sets QGPSXTRA=1
+        # self._at_structured_cmd("QGPSXTRA", value="1")
+
+        # now = datetime.datetime.now().strftime('%Y/%m/%d,%H:%M:%S')  # UTC
+        # self._at_structured_cmd("QGPSXTRATIME", value=f"0,\"{now}\"")
+        locdata = self._get_assistance_data(AgpsDataVariant.gps_glonass_beidou)
+        if locdata:
+            self._mmcli([f"--location-inject-assistance-data={locdata}"])
+
+        self._at_gnssconfig(GNSSConfig.gps_glonass_beidou_galileo)
+        self._at_odpcontrol(ODPControl.disable)
+        self._at_dpoenable(DPOEnable.disable)  # N.B.: eg25-manager uses `DPOEnable.enable`
+        self._at_gpsnmeatype(GPSNMEAType.all)
+        self._at_glonassnmeatype(GlonassNmeaType.all)
+        self._at_galileonmeatype(GalileoNmeaType.all)
+        self._at_beidounmeatype(BeiDouNmeaType.all)
+        self._at_autogps(AutoGps.disable)  #< don't start GPS on modem boot
+        # configure so GPS output is readable via /dev/ttyUSB1
+        # self._mmcli(["--location-enable-gps-unmanaged"])
+        # TODO: tune/document these QGPS values; a smarter setting here might reduce jitter?
+        self._at_structured_cmd("QGPS", value="1,255,1000,0,1")
+
+    @log_scope("configuring powersave...", "powersave configured")
+    def enable_powersave(self) -> None:
+        # Allow sleeping for power saving
+        self._at_structured_cmd("QSCLK", value="1")
+        # Disable fast poweroff for stability
+        self._at_structured_cmd("QCFG", "fast/poweroff", "0")
+        # Configure sleep and wake up pin levels to active low
+        self._at_structured_cmd("QCFG", "sleepind/level", "0")
+        self._at_structured_cmd("QCFG", "wakeupin/level", "0,0")
+        # Do not enter RAMDUMP mode, auto-reset instead
+        self._at_structured_cmd("QCFG", "ApRstLevel", "1")
+        self._at_structured_cmd("QCFG", "ModemRstLevel", "1")
+
+
+def main():
+    logging.basicConfig()
+    logging.getLogger().setLevel(logging.INFO)
+
+    parser = argparse.ArgumentParser(description="initialize the eg25 Pinephone modem for GPS tracking")
+    parser.add_argument('--modem', default='any', help='name of modem to configure (see mmcli --list-modems)')
+    parser.add_argument('--power-endpoint', default='/sys/class/modem-power/modem-power/device/powered', help='sysfs endpoint that can turn the modem on/off')
+
+    parser.add_argument("--dry-run", action='store_true', help="print commands instead of executing them")
+    parser.add_argument("--verbose", action='store_true', help="log each command before executing")
+
+    parser.add_argument('--power-on', action='store_true', help="enable power to the modem")
+    parser.add_argument('--enable-audio', action='store_true', help="configure audio for calling (?)")
+    parser.add_argument('--enable-urc', action='store_true', help="enable support for Unsolicited Return Codes (?)")
+    parser.add_argument('--enable-gps', action='store_true', help="enable the GPS and acquire tracking until asked to stop")
+    parser.add_argument('--enable-powersave', action='store_true', help="configure modem to sleep when possible")
+    parser.add_argument('--dump-debug-info', action='store_true', help="don't initialize anything, just dump debugging data")
+
+    args = parser.parse_args()
+    if args.verbose or args.dump_debug_info:
+        logging.getLogger().setLevel(logging.DEBUG)
+
+    executor = Executor(args.dry_run)
+    sequencer = Sequencer(executor, modem=args.modem, power_endpoint=args.power_endpoint)
+
+    if args.power_on:
+        sequencer.power_on()
+    if args.enable_audio:
+        sequencer.enable_audio()
+    if args.enable_urc:
+        sequencer.enable_urc()
+    if args.enable_gps:
+        sequencer.enable_gps()
+    if args.enable_powersave:
+        sequencer.enable_powersave()
+    if args.dump_debug_info:
+        sequencer.dump_debug_info()
+
+if __name__ == '__main__':
+    main()

pkgs/additional/eg25-manager/default.nix

@@ -0,0 +1,77 @@
+# package based on:
+# - <https://github.com/NixOS/mobile-nixos/pull/573>
+
+{ lib
+, stdenv
+, callPackage
+, fetchFromGitLab
+, gnugrep
+, meson
+, ninja
+, pkg-config
+, scdoc
+, curl
+, glib
+, libgudev
+, libusb1
+# if true, build with MMGLIB. if false, eg25-manager won't speak to modemmanager and will be usable standalone
+, withModemManager ? true, modemmanager
+}:
+
+let
+  # eg25-manager needs to be made compatible with libgpiod 2.0 API. see:
+  # - <https://github.com/NixOS/mobile-nixos/pull/573#issuecomment-1666739462>
+  # - <https://gitlab.com/mobian1/eg25-manager/-/issues/45>
+  # nixpkgs libgpiod was bumped 2023-07-29:
+  # - <https://github.com/NixOS/nixpkgs/pull/246018>
+  libgpiod1 = callPackage ./libgpiod1.nix { };
+in
+stdenv.mkDerivation rec {
+  pname = "eg25-manager";
+  version = "0.4.6";
+
+  src = fetchFromGitLab {
+    owner = "mobian1";
+    repo = "eg25-manager";
+    rev = version;
+    hash = "sha256-2JsdwK1ZOr7ljNHyuUMzVCpl+HV0C5sA5LAOkmELqag=";
+  };
+
+  postPatch = ''
+    substituteInPlace 'udev/80-modem-eg25.rules' \
+      --replace '/bin/grep' '${gnugrep}/bin/grep'
+  '';
+
+  depsBuildBuild = [
+    pkg-config
+  ];
+
+  nativeBuildInputs = [
+    glib # Contains gdbus-codegen program
+    meson
+    ninja
+    pkg-config
+    scdoc
+  ];
+
+  buildInputs = [
+    curl
+    glib
+    libgpiod1
+    libgudev
+    libusb1
+  ] ++ lib.optionals withModemManager [
+    modemmanager
+  ];
+
+  passthru = {
+    inherit libgpiod1;
+  };
+
+  meta = with lib; {
+    description = "Manager daemon for the Quectel EG25 mobile broadband modem";
+    homepage = "https://gitlab.com/mobian1/eg25-manager";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+  };
+}