get sane.packages to work better. still needs cleanup

programs: enable persistence
modules: add a sane.programs interface which i can use going forward in place of sane.packages
2023-02-03 01:05:58 +00:00 · 2023-02-02 12:35:42 +00:00 · 2023-02-02 12:31:13 +00:00
103 changed files with 1494 additions and 4784 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "flake-utils": {
      "locked": {
-        "lastModified": 1678901627,
+        "lastModified": 1659877975,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
        "type": "github"
      },
      "original": {
@@ -18,11 +18,11 @@
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1679516998,
+        "lastModified": 1674880620,
-        "narHash": "sha256-w4baQlS84X8Lf0E5RN0nGkx03luDuV1X0+jWMAXm6fs=",
+        "narHash": "sha256-JMALuC7xcoH/T66sKTVLuItHfOJBCWsNKpE49Qrvs80=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "7a6e97e3af73c4cca87e12c83abcb4913dac7dbc",
+        "rev": "7478a9ffad737486951186b66f6c5535dc5802e2",
        "type": "github"
      },
      "original": {
@@ -31,46 +31,30 @@
        "type": "github"
      }
    },
    "nix-serve": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1678202930,
        "narHash": "sha256-SF82/tTnagdazlETJLzXD9kjZ6lyk38agdLbmMx1UZE=",
        "owner": "edolstra",
        "repo": "nix-serve",
        "rev": "3b6d30016d910a43e0e16f94170440a3e0b8fa8d",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "nix-serve",
        "type": "github"
      }
    },
    "nixpkgs": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-unpatched"
        ]
      },
      "locked": {
-        "lastModified": 1606086654,
+        "lastModified": 1,
-        "narHash": "sha256-VFl+3eGIMqNp7cyOMJ6TjM/+UcsLKtodKoYexrlTJMI=",
+        "narHash": "sha256-arp7Uy7ct5ryTcmSY032eN7hr33i7D2XvjTRLliCFDc=",
-        "owner": "NixOS",
+        "path": "/nix/store/jblp2g67p3wid2qarcyd8bzrbs9wg5lb-source/nixpatches",
-        "repo": "nixpkgs",
+        "type": "path"
        "rev": "19db3e5ea2777daa874563b5986288151f502e27",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
+        "path": "/nix/store/jblp2g67p3wid2qarcyd8bzrbs9wg5lb-source/nixpatches",
-        "ref": "nixos-20.09",
+        "type": "path"
        "type": "indirect"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1680390120,
+        "lastModified": 1674352297,
-        "narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
+        "narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
+        "rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
        "type": "github"
      },
      "original": {
@@ -82,16 +66,16 @@
    },
    "nixpkgs-unpatched": {
      "locked": {
-        "lastModified": 1680415272,
+        "lastModified": 1674641431,
-        "narHash": "sha256-S2J9n+sSeAAdXWHrz/s9pyS5fhbQilfNqYrs6RCUyN8=",
+        "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "66f60deb8aa348ca81d60d0639ae420c667ff92a",
+        "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "staging-next",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -99,7 +83,7 @@
    "root": {
      "inputs": {
        "mobile-nixos": "mobile-nixos",
-        "nix-serve": "nix-serve",
+        "nixpkgs": "nixpkgs",
        "nixpkgs-unpatched": "nixpkgs-unpatched",
        "sops-nix": "sops-nix",
        "uninsane-dot-org": "uninsane-dot-org"
@@ -108,16 +92,16 @@
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs-unpatched"
+          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1680404136,
+        "lastModified": 1674546403,
-        "narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
+        "narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "b93eb910f768f9788737bfed596a598557e5625d",
+        "rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
        "type": "github"
      },
      "original": {
@@ -130,15 +114,15 @@
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
-          "nixpkgs-unpatched"
+          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1680086409,
+        "lastModified": 1675131883,
-        "narHash": "sha256-Q2QcVgKvTj/LLuZX9dP8ImySWD5sTn8DDI5+EggRn2c=",
+        "narHash": "sha256-yBgJDG72YqIr1bltasqHD1E/kHc9uRFgDjxDmy6kI8M=",
        "ref": "refs/heads/master",
-        "rev": "068f176a64f0e26dc8c1f0eccf28cbd05be4909b",
+        "rev": "b099c24091cc192abf3997b94342d4b31cc5757b",
-        "revCount": 182,
+        "revCount": 170,
        "type": "git",
        "url": "https://git.uninsane.org/colin/uninsane"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -12,11 +12,6 @@
 # - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
 #   - Discussion: <https://github.com/NixOS/rfcs/pull/49>
 # - <https://serokell.io/blog/practical-nix-flakes>
 #
 #
 # COMMON OPERATIONS:
 # - update a specific flake input:
 #   - `nix flake lock --update-input nixpkgs`
 {
  # XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
@@ -27,14 +22,11 @@
    # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
-    # nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=staging-next";
+    nixpkgs = {
-
+      url = "./nixpatches";
-    # nixpkgs = {
+      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    #   url = "./nixpatches";
+    };
    #   inputs.nixpkgs.follows = "nixpkgs-unpatched";
    # };
    mobile-nixos = {
      # <https://github.com/nixos/mobile-nixos>
      url = "github:nixos/mobile-nixos";
@@ -43,43 +35,24 @@
    sops-nix = {
      # <https://github.com/Mic92/sops-nix>
      url = "github:Mic92/sops-nix";
-      # inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs.follows = "nixpkgs-unpatched";
    };
    uninsane-dot-org = {
      url = "git+https://git.uninsane.org/colin/uninsane";
-      # inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs.follows = "nixpkgs-unpatched";
    };
    nix-serve = {
      # <https://github.com/edolstra/nix-serve>
      url = "github:edolstra/nix-serve";
    };
  };
  outputs = {
    self,
    nixpkgs,
    nixpkgs-unpatched,
    mobile-nixos,
    sops-nix,
    uninsane-dot-org,
    nix-serve,
    ...
  }@inputs:
    let
      inherit (builtins) attrNames elem listToAttrs map mapAttrs;
      mapAttrs' = f: set:
        listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
      # mapAttrs but without the `name` argument
      mapAttrValues = f: mapAttrs (_: f);
      # rather than apply our nixpkgs patches as a flake input, do that here instead.
      # this (temporarily?) resolves the bad UX wherein a subflake residing in the same git
      # repo as the main flake causes the main flake to have an unstable hash.
      nixpkgs = (import ./nixpatches/flake.nix).outputs {
        self = nixpkgs;
        nixpkgs = nixpkgs-unpatched;
      };
      nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
      evalHost = { name, local, target }:
@@ -92,57 +65,34 @@
          nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
        in
          (nixosSystem {
            # we use pkgs built for and *by* the target, i.e. emulation, by default.
            # cross compilation only happens on explicit access to `pkgs.cross`
            system = target;
            modules = [
              (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
              self.nixosModules.default
              self.nixosModules.passthru
              {
                nixpkgs.overlays = [
-                  self.overlays.disable-flakey-tests
+                  self.overlays.default
                  self.overlays.passthru
                  self.overlays.pins
                  self.overlays.pkgs
                  # self.overlays.optimizations
                ];
                nixpkgs.hostPlatform = target;
                # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
                # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
              }
            ];
          });
    in {
-      nixosConfigurations =
+      nixosConfigurations = {
-        let
+        servo = evalHost { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
-          hosts = {
+        desko = evalHost { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-            servo =  { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        lappy = evalHost { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-            desko =  { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        moby = evalHost { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
-            lappy =  { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
-            moby  =  { name = "moby";  local = "x86_64-linux"; target = "aarch64-linux"; };
+        # note that these *do* produce different store paths, because the closure for the tools used to cross compile
-            rescue = { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        # v.s. emulate differ.
-          };
+        # so deploying foo-cross and then foo incurs some rebuilding.
-          # cross-compiled builds: instead of emulating the host, build using a cross-compiler.
+        moby-cross = evalHost { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
-          # - these are faster to *build* than the emulated variants (useful when tweaking packages),
+        rescue = evalHost { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
          # - but fewer of their packages can be found in upstream caches.
          cross = mapAttrValues evalHost hosts;
          emulated = mapAttrValues
            ({name, local, target}: evalHost {
              inherit name target;
              local = null;
            })
            hosts;
          prefixAttrs = prefix: attrs: mapAttrs'
            (name: value: {
              name = prefix + name;
              inherit value;
            })
            attrs;
        in
          (prefixAttrs "cross-" cross) //
          (prefixAttrs "emulated-" emulated) // {
            # prefer native builds for these machines:
            inherit (emulated) servo desko lappy rescue;
            # prefer cross-compiled builds for these machines:
            inherit (cross) moby;
      };
      # unofficial output
@@ -159,42 +109,25 @@
      #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
      #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
      #   - `nixos-rebuild --flake './#<host>' switch`
-      imgs = mapAttrValues (host: host.config.system.build.img) self.nixosConfigurations;
+      imgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.img) self.nixosConfigurations;
-      # unofficial output
+      overlays = rec {
-      host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
+        default = pkgs;
-
+        pkgs = import ./overlays/pkgs.nix;
-      overlays = {
+        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
-        # N.B.: `nix flake check` requires every overlay to take `final: prev:` at defn site,
+        passthru =
        #   hence the weird redundancy.
        default = final: prev: self.overlays.pkgs final prev;
        disable-flakey-tests = final: prev: import ./overlays/disable-flakey-tests.nix final prev;
        pkgs = final: prev: import ./overlays/pkgs.nix final prev;
        pins = final: prev: import ./overlays/pins.nix final prev;
        optimizations = final: prev: import ./overlays/optimizations.nix final prev;
        passthru = final: prev:
          let
            stable =
              if inputs ? "nixpkgs-stable" then (
-                final': prev': {
+                next: prev: {
-                  stable = inputs.nixpkgs-stable.legacyPackages."${prev'.stdenv.hostPlatform.system}";
+                  stable = inputs.nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
                }
-              ) else (final': prev': {});
+              ) else (next: prev: {});
            mobile = (import "${mobile-nixos}/overlay/overlay.nix");
            uninsane = uninsane-dot-org.overlay;
            # nix-serve' = nix-serve.overlay;
            nix-serve' = next: prev: {
              # XXX(2023/03/02): upstream isn't compatible with modern `nix`. probably the perl bindings.
              # - we use the package built against `nixpkgs` specified in its flake rather than use its overlay,
              #   to get around this.
              inherit (nix-serve.packages."${next.system}") nix-serve;
            };
          in
-              (stable final prev)
+            next: prev:
-              // (mobile final prev)
+              (stable next prev) // (mobile next prev) // (uninsane next prev);
              // (uninsane final prev)
              // (nix-serve' final prev)
            ;
      };
      nixosModules = rec {
@@ -218,33 +151,14 @@
          aarch64-linux = allPkgsFor "aarch64-linux";
        };
-      # extract only our own packages from the full set.
+      # extract only our own packages from the full set
-      # because of `nix flake check`, we flatten the package set and only surface x86_64-linux packages.
+      packages = builtins.mapAttrs
-      packages = mapAttrs
+        (_: full: full.sane // { inherit (full) sane uninsane-dot-org; })
-        (system: allPkgs:
+        self.legacyPackages;
          allPkgs.lib.filterAttrs (name: pkg:
            # keep only packages which will pass `nix flake check`, i.e. keep only:
            # - derivations (not package sets)
            # - packages that build for the given platform
            (! elem name [ "feeds" "pythonPackagesExtensions" ])
            && (allPkgs.lib.meta.availableOn allPkgs.stdenv.hostPlatform pkg)
          )
          (allPkgs.sane // {
            inherit (allPkgs) uninsane-dot-org;
          })
        )
        # self.legacyPackages;
        { inherit (self.legacyPackages) x86_64-linux; }
      ;
      apps."x86_64-linux" =
        let
          pkgs = self.legacyPackages."x86_64-linux";
          deployScript = action: pkgs.writeShellScript "deploy-moby" ''
            nixos-rebuild --flake '.#cross-moby' build
            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
            nixos-rebuild --flake '.#cross-moby' ${action} --target-host colin@moby --use-remote-sudo
          '';
        in {
          update-feeds = {
            type = "app";
@@ -256,17 +170,6 @@
            type = "app";
            program = "${pkgs.feeds.passthru.initFeedScript}";
          };
          deploy-moby-test = {
            # `nix run '.#deploy-moby-test'`
            type = "app";
            program = ''${deployScript "test"}'';
          };
          deploy-moby-switch = {
            # `nix run '.#deploy-moby-switch'`
            type = "app";
            program = ''${deployScript "switch"}'';
          };
        };
      templates = {
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -4,17 +4,17 @@
    ./fs.nix
  ];
-  sane.roles.build-machine.enable = true;
+  # sane.packages.enableDevPkgs = true;
  sane.roles.client = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
  sane.services.duplicity.enable = true;
  sane.services.nixserve.enable = true;
  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
  sane.persist.enable = true;
  sane.gui.sway.enable = true;
  sane.programs.iphoneUtils.enableFor.user.colin = true;
  sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
--- a/hosts/by-name/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@@ -4,22 +4,19 @@
    ./fs.nix
  ];
  sane.yggdrasil.enable = true;
  sane.roles.client = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
  # sane.packages.enableDevPkgs = true;
  # sane.guest.enable = true;
  sane.gui.sway.enable = true;
  sane.persist.enable = true;
  sane.nixcache.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  sane.programs.guiApps.suggestedPrograms = [
    "desktopGuiApps"
    "stepmania"
  ];
  sops.secrets.colin-passwd = {
    sopsFile = ../../../secrets/lappy.yaml;
    neededForUsers = true;
--- a/hosts/by-name/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@@ -10,6 +10,13 @@
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
  # cross-compiled documentation is *slow*.
  # no obvious way to natively compile docs (2022/09/29).
  # entrypoint is nixos/modules/misc/documentation.nix
  # doc building happens in nixos/doc/manual/default.nix
  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
  documentation.nixos.enable = false;
  # XXX colin: phosh doesn't work well with passwordless login,
  # so set this more reliable default password should anything go wrong
  users.users.colin.initialPassword = "147147";
@@ -34,11 +41,14 @@
    ".config/pulse"  # persist pulseaudio volume
  ];
  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
  sane.packages.extraUserPkgs = [
    pkgs.plasma5Packages.konsole  # terminal
  ];
  sane.nixcache.enable = true;
  sane.persist.enable = true;
  sane.gui.phosh.enable = true;
  # sane.programs.consoleUtils.enableFor.user.colin = false;
  # sane.programs.guiApps.enableFor.user.colin = false;
  sane.programs.sequoia.enableFor.user.colin = false;
  sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
  boot.loader.efi.canTouchEfiVariables = false;
  # /boot space is at a premium. default was 20.
--- a/hosts/by-name/moby/kernel.nix
+++ b/hosts/by-name/moby/kernel.nix
@@ -114,7 +114,7 @@ in
  # - phone rotation sensor is off by 90 degrees
  # - ambient light sensor causes screen brightness to be shakey
  # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
+  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
  boot.kernelPatches = [
    (patchDefconfig (kernelConfig //
--- a/hosts/by-name/rescue/default.nix
+++ b/hosts/by-name/rescue/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
  imports = [
    ./fs.nix
@@ -7,8 +7,6 @@
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  # sane.persist.enable = false;  # TODO: disable (but run `nix flake check` to ensure it works!)
  sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
  system.stateVersion = "21.05";
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -8,16 +8,13 @@
    ./services
  ];
-  sane.programs = {
+  sane.packages.extraUserPkgs = with pkgs; [
    # for administering services
-    freshrss.enableFor.user.colin = true;
+    freshrss
-    matrix-synapse.enableFor.user.colin = true;
+    matrix-synapse
-    signaldctl.enableFor.user.colin = true;
+    signaldctl
-  };
+  ];
-
+  sane.persist.enable = true;
  sane.roles.build-machine.enable = true;
  sane.roles.build-machine.emulation = false;
  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
  sane.services.dyn-dns.enable = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
--- a/hosts/by-name/servo/secrets.nix
+++ b/hosts/by-name/servo/secrets.nix
@@ -25,7 +25,6 @@
  };
  sops.secrets."mautrix_signal_env" = {
    sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
    format = "binary";
  };
  sops.secrets."mediawiki_pw" = {
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@@ -38,11 +38,11 @@
  ];
  networking.firewall.allowedTCPPortRanges = [{
    from = 49152;  # TURN
-    to = 49408;
+    to = 65535;
  }];
  networking.firewall.allowedUDPPortRanges = [{
    from = 49152;  # TURN
-    to = 49408;
+    to = 65535;
  }];
  # provide access to certs
--- a/hosts/by-name/servo/services/jellyfin.nix
+++ b/hosts/by-name/servo/services/jellyfin.nix
@@ -1,63 +1,16 @@
 # configuration options (today i don't store my config in nix):
 #
 # - jellyfin-web can be statically configured (result/share/jellyfin-web/config.json)
 #   - <https://jellyfin.org/docs/general/clients/web-config>
 #   - configure server list, plugins, "menuLinks", colors
 #
 # - jellfyin server is configured in /var/lib/jellfin/
 #   - root/default/<LibraryType>/
 #     - <LibraryName>.mblink: contains the directory name where this library lives
 #     - options.xml: contains preferences which were defined in the web UI during import
 #       - e.g. `EnablePhotos`, `EnableChapterImageExtraction`, etc.
 #   - config/encoding.xml: transcoder settings
 #   - config/system.xml: misc preferences like log file duration, audiobook resume settings, etc.
 #   - data/jellyfin.db: maybe account definitions? internal state?
 { config, lib, ... }:
 # TODO: re-enable after migrating media dir to /var/lib/uninsane/media
 # else it's too spammy
 lib.mkIf false
 {
  # identical to:
  # services.jellyfin.openFirewall = true;
  networking.firewall.allowedUDPPorts = [
-    # https://jellyfin.org/docs/general/networking/index.html
+    1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
    1900  # UPnP service discovery
    7359  # Jellyfin-specific (?) client discovery
  ];
  networking.firewall.allowedTCPPorts = [
    8096  # HTTP (for the LAN)
    8920  # HTTPS (for the LAN)
  ];
  sane.persist.sys.plaintext = [
-    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; directory = "/var/lib/jellyfin"; }
+    # TODO: mode? could be more granular
    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
  ];
  sane.fs."/var/lib/jellyfin/config/logging.json" = {
    # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>
    symlink.text = ''
      {
        "Serilog": {
          "MinimumLevel": {
            "Default": "Information",
            "Override": {
              "Microsoft": "Warning",
              "System": "Warning",
              "Emby.Dlna": "Debug",
              "Emby.Dlna.Eventing": "Debug"
            }
          },
          "WriteTo": [
            {
              "Name": "Console",
              "Args": {
                "outputTemplate": "[{Timestamp:HH:mm:ss}] [{Level:u3}] [{ThreadId}] {SourceContext}: {Message:lj}{NewLine}{Exception}"
              }
            }
          ],
          "Enrich": [ "FromLogContext", "WithThreadId" ]
        }
      }
    '';
    wantedBeforeBy = [ "jellyfin.service" ];
  };
  # Jellyfin multimedia server
  # this is mostly taken from the official jellfin.org docs
--- a/hosts/by-name/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@@ -6,10 +6,12 @@
  imports = [
    ./discord-puppet.nix
    # ./irc.nix
-    # TODO(2023/03/10): disabled because it's not bridging and mautrix_signal is hogging CPU
+    ./signal.nix
    # ./signal.nix
  ];
  # allow synapse to read the registration files of its appservices
  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
  sane.persist.sys.plaintext = [
    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
  ];
--- a/hosts/by-name/servo/services/matrix/signal.nix
+++ b/hosts/by-name/servo/services/matrix/signal.nix
@@ -7,9 +7,6 @@
    { user = "signald"; group = "signald"; directory = "/var/lib/signald"; }
  ];
  # allow synapse to read the registration file
  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
  services.signald.enable = true;
  services.mautrix-signal.enable = true;
  services.mautrix-signal.environmentFile =
@@ -30,6 +27,7 @@
  };
  sops.secrets."mautrix_signal_env" = {
    format = "binary";
    mode = "0440";
    owner = config.users.users.mautrix-signal.name;
    group = config.users.users.matrix-synapse.name;
--- a/hosts/by-name/servo/services/postfix.nix
+++ b/hosts/by-name/servo/services/postfix.nix
@@ -30,14 +30,11 @@ in
  ];
  networking.firewall.allowedTCPPorts = [
    # exposed over non-vpn imap.uninsane.org
    143  # IMAP
    993  # IMAPS
    # exposed over vpn mx.uninsane.org
    25   # SMTP
    143  # IMAP
    465  # SMTPS
    587  # SMTPS/submission
    993  # IMAPS
  ];
  # exists only to manage certs for dovecot
@@ -65,7 +62,7 @@ in
    # DKIM public key:
    TXT."mx._domainkey" =
-      "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
+      "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
    ;
    # DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@@ -6,7 +6,7 @@
  sane.services.trust-dns.listenAddrsIPv4 = [
    # specify each address explicitly, instead of using "*".
    # this ensures responses are sent from the address at which the request was received.
-    config.sane.hosts.by-name."servo".lan-ip
+    "192.168.0.5"
    "10.0.1.5"
  ];
  sane.services.trust-dns.quiet = true;
--- a/hosts/common/cross.nix
+++ b/hosts/common/cross.nix
@@ -0,0 +1,22 @@
 { config, ... }:
 let
  mkCrossFrom = localSystem: pkgs: import pkgs.path {
    inherit localSystem;
    crossSystem = pkgs.stdenv.hostPlatform.system;
    inherit (config.nixpkgs) config overlays;
  };
 in
 {
  # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
  # here we just define them all.
  nixpkgs.overlays = [
    (next: prev: {
      # non-emulated packages build *from* local *for* target.
      # for large packages like the linux kernel which are expensive to build under emulation,
      # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
      crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" next;
      crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" next;
    })
  ];
 }
--- a/hosts/common/cross/default.nix
+++ b/hosts/common/cross/default.nix
--- a/hosts/common/cross/kitty-no-docs.patch
+++ b/hosts/common/cross/kitty-no-docs.patch
@@ -1,22 +0,0 @@
 diff --git a/setup.py b/setup.py
 index 2b9d240e..770bc5e7 100755
 --- a/setup.py
 +++ b/setup.py
@@ -1092,11 +1092,12 @@ def c(base_path: str, **kw: object) -> None:
 def create_linux_bundle_gunk(ddir: str, libdir_name: str) -> None:
 -    if not os.path.exists('docs/_build/html'):
 -        make = 'gmake' if is_freebsd else 'make'
 -        run_tool([make, 'docs'])
 -    copy_man_pages(ddir)
 -    copy_html_docs(ddir)
 +    if not os.getenv('KITTY_NO_DOCS'):
 +        if not os.path.exists('docs/_build/html'):
 +            make = 'gmake' if is_freebsd else 'make'
 +            run_tool([make, 'docs'])
 +        copy_man_pages(ddir)
 +        copy_html_docs(ddir)
     for (icdir, ext) in {'256x256': 'png', 'scalable': 'svg'}.items():
         icdir = os.path.join(ddir, 'share', 'icons', 'hicolor', icdir, 'apps')
         safe_makedirs(icdir)
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -1,7 +1,7 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 {
  imports = [
-    ./cross
+    ./cross.nix
    ./feeds.nix
    ./fs.nix
    ./hardware.nix
@@ -19,10 +19,8 @@
  ];
  sane.nixcache.enable-trusted-keys = true;
-  sane.nixcache.enable = lib.mkDefault true;
+  sane.packages.enableConsolePkgs = true;
-  sane.persist.enable = lib.mkDefault true;
+  sane.packages.enableSystemPkgs = true;
  sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
  sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
  sane.fs."/var/lib/private".dir.acl.mode = "0700";
@@ -33,7 +31,6 @@
  time.timeZone = "Etc/UTC";  # DST is too confusing for me => use a stable timezone
  # allow `nix flake ...` command
  # TODO: is this still required?
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
@@ -42,37 +39,19 @@
    "nixpkgs=${pkgs.path}"
    "nixpkgs-overlays=${../..}/overlays"
  ];
  # hardlinks identical files in the nix store to save 25-35% disk space.
  # unclear _when_ this occurs. it's not a service.
  # does the daemon continually scan the nix store?
  # does the builder use some content-addressed db to efficiently dedupe?
  nix.settings.auto-optimise-store = true;
  fonts = {
    enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
+    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
    fontconfig.enable = true;
    fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
+      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
      monospace = [ "Hack" ];
      serif = [ "DejaVu Serif" ];
      sansSerif = [ "DejaVu Sans" ];
    };
  };
  # XXX: twitter-color-emoji doesn't cross-compile; but not-fonts-emoji does
  # fonts = {
  #   enableDefaultFonts = true;
  #   fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
  #   fontconfig.enable = true;
  #   fontconfig.defaultFonts = {
  #     emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
  #     monospace = [ "Hack" ];
  #     serif = [ "DejaVu Serif" ];
  #     sansSerif = [ "DejaVu Sans" ];
  #   };
  # };
  # disable non-required packages like nano, perl, rsync, strace
  environment.defaultPackages = [];
--- a/hosts/common/feeds.nix
+++ b/hosts/common/feeds.nix
@@ -1,9 +1,3 @@
 # candidates:
 # - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
 #   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
 # - <https://www.metaculus.com/questions/11102/introducing-the-metaculus-journal-podcast/>
 #   - dead since 2022/10 - 2023/03
 { lib, sane-data, ... }:
 let
  hourly = { freq = "hourly"; };
@@ -56,29 +50,18 @@ let
    (fromDb "lexfridman.com/podcast" // rat)
    ## Astral Codex Ten
    (fromDb "sscpodcast.libsyn.com" // rat)
    ## Less Wrong Curated
    (fromDb "feeds.libsyn.com/421877" // rat)
    ## Econ Talk
    (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
    ## Cory Doctorow -- both podcast & text entries
    (fromDb "craphound.com" // pol)
    ## Maggie Killjoy -- referenced by Cory Doctorow
    (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)
    (fromDb "congressionaldish.libsyn.com" // pol)
    (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
    ## Civboot -- https://anchor.fm/civboot
    (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
    ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
    (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)
    (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
    ## Daniel Huberman on sleep
    (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)
    ## Multidisciplinary Association for Psychedelic Studies
    (fromDb "mapspodcast.libsyn.com" // uncat)
    (fromDb "allinchamathjason.libsyn.com" // pol)
    (fromDb "acquired.libsyn.com" // tech)
    ## ACQ2 - more "Acquired" episodes
    (fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)
    # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
    (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
    ## The Daily
@@ -107,8 +90,6 @@ let
    (fromDb "seattlenice.buzzsprout.com" // pol)
    ## Sci-Fi? has Peter Watts; author of No Moods, Ads or Cutesy Fucking Icons (rifters.com)
    (fromDb "talesfromthebridge.buzzsprout.com" // tech)
    ## UnNamed Reverse Engineering Podcast
    (fromDb "reverseengineering.libsyn.com/rss" // tech)
  ];
  texts = [
@@ -123,10 +104,6 @@ let
    (fromDb "semiaccurate.com" // tech)
    (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
    (fromDb "spectrum.ieee.org" // tech)
    (fromDb "thisweek.gnome.org" // tech)
    # more nixos stuff here, but unclear how to subscribe: <https://nixos.org/blog/categories.html>
    (mkText "https://nixos.org/blog/announcements-rss.xml" // tech // infrequent)
    (mkText "https://nixos.org/blog/stories-rss.xml" // tech // weekly)
    ## n.b.: quality RSS list here: <https://forum.merveilles.town/thread/57/share-your-rss-feeds%21-6/>
    (mkText "https://forum.merveilles.town/rss.xml" // pol // infrequent)
@@ -135,8 +112,6 @@ let
    # DEVELOPERS
    (fromDb "uninsane.org" // tech)
    (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
    (fromDb "xn--gckvb8fzb.com" // tech)
    (fromDb "mg.lol" // tech)
    (fromDb "drewdevault.com" // tech)
    ## Ken Shirriff
@@ -156,10 +131,6 @@ let
    (mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
    (fromDb "jefftk.com" // tech)
    (fromDb "pomeroyb.com" // tech)
    (mkText "https://til.simonwillison.net/tils/feed.atom" // tech // weekly)
    # TECH PROJECTS
    (fromDb "blog.rust-lang.org" // tech)
    # (TECH; POL) COMMENTATORS
    ## Matt Webb -- engineering-ish, but dreamy
@@ -176,8 +147,7 @@ let
    (fromDb "lynalden.com" // pol)
    (fromDb "austinvernon.site" // tech)
    (mkSubstack "oversharing" // pol // daily)
-    (mkSubstack "byrnehobart" // pol // infrequent)
+    (mkSubstack "doomberg" // tech // weekly)
    # (mkSubstack "doomberg" // tech // weekly)  # articles are all pay-walled
    ## David Rosenthal
    (fromDb "blog.dshr.org" // pol)
    ## Matt Levine
@@ -216,7 +186,6 @@ let
    (fromDb "xkcd.com" // img // humor)
    (fromDb "pbfcomics.com" // img // humor)
    # (mkImg "http://dilbert.com/feed" // humor // daily)
    (fromDb "poorlydrawnlines.com/feed" // img // humor)
    # ART
    (fromDb "miniature-calendar.com" // img // art // daily)
--- a/hosts/common/home/default.nix
+++ b/hosts/common/home/default.nix
@@ -7,14 +7,12 @@
    ./git.nix
    ./gpodder.nix
    ./keyring.nix
-    ./kitty
+    ./kitty.nix
    ./libreoffice.nix
    ./mime.nix
    ./mpv.nix
    ./neovim.nix
    ./newsflash.nix
    ./offlineimap.nix
    ./ripgrep.nix
    ./splatmoji.nix
    ./ssh.nix
    ./sublime-music.nix
--- a/hosts/common/home/firefox.nix
+++ b/hosts/common/home/firefox.nix
@@ -125,17 +125,16 @@ in
        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
        # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
        browserpass-extension.package = localAddon pkgs.browserpass-extension;
-        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
+        bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-JOj5P7c2JTTReHCRZXm4BscaGr3i+9Y4Ey/y621x8PI=";
        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
        ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
        i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
        sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
-        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
+        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=";
        ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
-        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
+        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=";
        browserpass-extension.enable = lib.mkDefault true;
-        # bypass-paywalls-clean.enable = lib.mkDefault true;
+        bypass-paywalls-clean.enable = lib.mkDefault true;
        ether-metamask.enable = lib.mkDefault true;
        i2p-in-private-browsing.enable = lib.mkDefault config.services.i2p.enable;
        sidebery.enable = lib.mkDefault true;
@@ -147,11 +146,6 @@ in
  };
  config = {
    sane.programs.web-browser = {
      inherit package;
      # TODO: define the persistence & fs config here
    };
    sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
    # uBlock filter list configuration.
    # specifically, enable the GDPR cookie prompt blocker.
@@ -177,6 +171,8 @@ in
      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
      defaultPref("security.OCSP.require", false);
    '';
    sane.packages.extraGuiPkgs = [ package ];
    # flush the cache to disk to avoid it taking up too much tmp
    sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
      store = cfg.persistCache;
--- a/hosts/common/home/kitty/default.nix
+++ b/hosts/common/home/kitty/default.nix
@@ -7,11 +7,9 @@
    enable_audio_bell no
    map ctrl+n new_os_window_with_cwd
-    include ${./PaperColor_dark.conf}
+
    include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
  '';
  #  include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
  # THEME CHOICES:
  #   docs: https://github.com/kovidgoyal/kitty-themes
  # theme = "1984 Light";  # dislike: awful, harsh blues/teals
--- a/hosts/common/home/kitty/PaperColor_dark.conf
+++ b/hosts/common/home/kitty/PaperColor_dark.conf
@@ -1,47 +0,0 @@
 # vim:ft=kitty
 ## name: PaperColor Dark
 ## author: Nikyle Nguyen
 ## license: MIT
 ## blurb: Dark color scheme inspired by Google's Material Design 
 # special
 foreground		#d0d0d0
 background		#1c1c1c
 cursor			#d0d0d0
 cursor_text_color	background
 # black
 color0			#1c1c1c
 color8			#585858
 # red
 color1			#af005f
 color9			#5faf5f
 # green
 # "color2" is the green color used by ls to indicate executability
 #   both as text color
 #   or as bg color when the text is blue (color4)
 color2			#246a28
 color10			#2df200
 # yellow
 color3			#d7af5f
 color11			#af87d7
 # blue
 color4			#78c6ef
 color12			#ffaf00
 # magenta
 color5			#808080
 color13			#ff5faf
 # cyan
 color6			#d7875f
 color14			#00afaf
 # white
 color7			#d0d0d0
 color15			#5f8787
--- a/hosts/common/home/offlineimap.nix
+++ b/hosts/common/home/offlineimap.nix
@@ -1,17 +0,0 @@
 # mail archiving/synchronization tool.
 #
 # manually download all emails for an account with
 # - `offlineimap -a <accountname>`
 #
 # view account names inside the secrets file, listed below.
 { config, sane-lib, ... }:
 {
  sops.secrets."offlineimaprc" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/offlineimaprc.bin;
    format = "binary";
  };
  sane.user.fs.".config/offlineimap/config" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.offlineimaprc.path;
 }
--- a/hosts/common/home/ripgrep.nix
+++ b/hosts/common/home/ripgrep.nix
@@ -1,9 +0,0 @@
 { sane-lib, ... }:
 {
  # .ignore file is read by ripgrep (rg), silver searcher (ag), maybe others.
  # ignore translation files by default when searching, as they tend to have
  # a LOT of duplicate text.
  sane.user.fs.".ignore" = sane-lib.fs.wantedText ''
    po/
  '';
 }
--- a/hosts/common/home/splatmoji.nix
+++ b/hosts/common/home/splatmoji.nix
@@ -6,8 +6,7 @@
 {
  sane.user.persist.plaintext = [ ".local/state/splatmoji" ];
  sane.user.fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
-    # XXX doesn't seem to understand ~ as shorthand for `$HOME`
+    history_file=~/.local/state/splatmoji/history
    history_file=/home/colin/.local/state/splatmoji/history
    history_length=5
    # TODO: wayland equiv
    paste_command=xdotool key ctrl+v
--- a/hosts/common/home/ssh.nix
+++ b/hosts/common/home/ssh.nix
@@ -3,8 +3,7 @@
 with lib;
 let
  host = config.networking.hostName;
-  user-pubkey-full = config.sane.ssh.pubkeys."colin@${host}" or {};
+  user-pubkey = config.sane.ssh.pubkeys."colin@${host}".asUserKey;
  user-pubkey = user-pubkey-full.asUserKey or null;
  host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
  known-hosts-text = concatStringsSep
    "\n"
@@ -14,8 +13,7 @@ in
 {
  # ssh key is stored in private storage
  sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.user.fs.".ssh/id_ed25519.pub" =
+  sane.user.fs.".ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
    mkIf (user-pubkey != null) (sane-lib.fs.wantedText user-pubkey);
  sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
  users.users.colin.openssh.authorizedKeys.keys =
--- a/hosts/common/home/zsh/default.nix
+++ b/hosts/common/home/zsh/default.nix
@@ -1,8 +1,6 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ pkgs, sane-lib, ... }:
 let
  inherit (lib) mkOption types;
  cfg = config.sane.zsh;
  # powerlevel10k prompt config
  # p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
  p10k-overrides = ''
@@ -28,17 +26,6 @@ let
  '';
 in
 {
  options = {
    sane.zsh = {
      showDeadlines = mkOption {
        type = types.bool;
        default = true;
        description = "show upcoming deadlines (frommy PKM) upon shell init";
      };
    };
  };
  config = {
  sane.user.persist.plaintext = [
    # we don't need to full zsh dir -- just the history file --
    # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
@@ -87,7 +74,7 @@ in
      # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
      autoload -Uz zmv
-        HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch)'
+      HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *)'
      # extra aliases
      # TODO: move to `shellAliases` config?
@@ -95,11 +82,7 @@ in
        mkdir -p "$1";
        pushd "$1";
      }
-      ''
+
      + lib.optionalString cfg.showDeadlines ''
        ${pkgs.sane-scripts}/bin/sane-deadlines
      ''
      + ''
      # auto-cd into any of these dirs by typing them and pressing 'enter':
      hash -d 3rd="/home/colin/dev/3rd"
      hash -d dev="/home/colin/dev"
@@ -157,5 +140,4 @@ in
    # disable `mv` confirmation (and `rm`, too, unfortunately)
    zstyle ':prezto:module:utility' safe-ops 'no'
  '';
  };
 }
--- a/hosts/common/i2p.nix
+++ b/hosts/common/i2p.nix
@@ -1,4 +1,4 @@
 { ... }:
 {
-  services.i2p.enable = true;
+  # services.i2p.enable = true;
 }
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -1,6 +1,3 @@
 # TODO: migrate to nixpkgs `config.ids.uids`
 # - note that nixpkgs' `config.ids.uids` is strictly a database: it doesn't set anything by default
 #   whereas our impl sets the gid/uid of the user/group specified if they exist.
 { ... }:
 {
@@ -38,7 +35,7 @@
  sane.ids.sshd.uid = 2001;  # 997
  sane.ids.sshd.gid = 2001;  # 997
  sane.ids.polkituser.gid = 2002;  # 998
-  sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12-2023/02/28: upstream temporarily specified this as 151
+  sane.ids.systemd-coredump.gid = 2003;  # 996
  sane.ids.nscd.uid = 2004;
  sane.ids.nscd.gid = 2004;
  sane.ids.systemd-oom.uid = 2005;
--- a/hosts/common/persist.nix
+++ b/hosts/common/persist.nix
@@ -12,7 +12,5 @@
    "/var/lib/alsa"                # preserve output levels, default devices
    "/var/lib/colord"              # preserve color calibrations (?)
    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
    "/var/lib/systemd/backlight"   # backlight brightness
    "/var/lib/systemd/coredump"
  ];
 }
--- a/hosts/common/programs.nix
+++ b/hosts/common/programs.nix
@@ -1,384 +1,21 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 let
  inherit (builtins) attrNames concatLists;
  inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge optional;
  flattenedPkgs = pkgs // (with pkgs; {
    # XXX can't `inherit` a nested attr, so we move them to the toplevel
    "cacert.unbundled" = pkgs.cacert.unbundled;
    "gnome.cheese" = gnome.cheese;
    "gnome.dconf-editor" = gnome.dconf-editor;
    "gnome.file-roller" = gnome.file-roller;
    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
    "gnome.gnome-maps" = gnome.gnome-maps;
    "gnome.nautilus" = gnome.nautilus;
    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
    "gnome.gnome-terminal" = gnome.gnome-terminal;
    "gnome.gnome-weather" = gnome.gnome-weather;
    "gnome.totem" = gnome.totem;
    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
  });
  sysadminPkgs = {
    inherit (flattenedPkgs)
      btrfs-progs
      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
      cryptsetup
      dig
      efibootmgr
      fatresize
      fd
      file
      gawk
      git
      gptfdisk
      hdparm
      htop
      iftop
      inetutils  # for telnet
      iotop
      iptables
      jq
      killall
      lsof
      nano
      netcat
      nethogs
      nmap
      openssl
      parted
      pciutils
      powertop
      pstree
      ripgrep
      screen
      smartmontools
      socat
      strace
      subversion
      tcpdump
      tree
      usbutils
      wget
    ;
  };
  sysadminExtraPkgs = {
    # application-specific packages
    inherit (pkgs)
      backblaze-b2
      duplicity
      sqlite  # to debug sqlite3 databases
    ;
  };
  iphonePkgs = {
    inherit (pkgs)
      ifuse
      ipfs
      libimobiledevice
    ;
  };
  tuiPkgs = {
    inherit (pkgs)
      aerc  # email client
      offlineimap  # email mailox sync
      visidata  # TUI spreadsheet viewer/editor
      w3m
    ;
  };
  # TODO: split these into smaller groups.
  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy ("powerutils"?)
  consolePkgs = {
    inherit (pkgs)
      cdrtools
      dmidecode
      efivar
      flashrom
      fwupd
      ghostscript  # TODO: imagemagick wrapper should add gs to PATH
      gnupg
      gocryptfs
      gopass
      gopass-jsonapi
      imagemagick
      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
      libsecret  # for managing user keyrings
      lm_sensors  # for sensors-detect
      lshw
      ffmpeg
      memtester
      # networkmanager
      nixpkgs-review
      # nixos-generators
      # nettools
      nmon
      oathToolkit  # for oathtool
      # ponymix
      pulsemixer
      python3
      rsync
      # python3Packages.eyeD3  # music tagging
      sane-scripts
      sequoia
      snapper
      sops
      sox
      speedtest-cli
      ssh-to-age
      sudo
      # tageditor  # music tagging
      unar
      wireguard-tools
      xdg-utils  # for xdg-open
      # youtube-dl
      yt-dlp
    ;
  };
  guiPkgs = {
    inherit (flattenedPkgs)
      celluloid  # mpv frontend
      clinfo
      emote
      evince  # works on phosh
      # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
      # foliate  # e-book reader
      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
      # then reboot (so that libsecret daemon re-loads the keyring...?)
      # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
      # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
      # "gnome.cheese"
      "gnome.dconf-editor"
      gnome-feeds  # RSS reader (with claimed mobile support)
      "gnome.file-roller"
      # "gnome.gnome-maps"  # works on phosh
      "gnome.nautilus"
      # gnome-podcasts
      "gnome.gnome-system-monitor"
      # "gnome.gnome-terminal"  # works on phosh
      "gnome.gnome-weather"
      gpodder-configured
      gthumb
      # lollypop
      mpv
      networkmanagerapplet
      # newsflash
      nheko
      pavucontrol
      # picard  # music tagging
      playerctl
      # "libsForQt5.plasmatube"  # Youtube player
      soundconverter
      # sublime music persists any downloaded albums here.
      # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
      # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
      #   possible to pass config as a CLI arg (sublime-music -c config.json)
      # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
      sublime-music-mobile
      # tdesktop  # broken on phosh
      # tokodon
      vlc
      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
      # whalebird
      xterm  # broken on phosh
    ;
  };
  desktopGuiPkgs = {
    inherit (flattenedPkgs)
      audacity
      brave  # for the integrated wallet -- as a backup
      chromium
      dino
      electrum
      element-desktop
      font-manager
      gajim  # XMPP client
      gimp  # broken on phosh
      "gnome.gnome-disk-utility"
      # "gnome.totem"  # video player, supposedly supports UPnP
      handbrake
      hase
      inkscape
      jellyfin-media-player  # TODO: try on moby!
      kdenlive
      kid3  # audio tagging
      krita
      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
      mumble
      obsidian
    ;
  };
  x86GuiPkgs = {
    inherit (pkgs)
      discord
      # kaiteki  # Pleroma client
      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
      # gpt2tc  # XXX: unreliable mirror
      logseq
      losslesscut-bin
      makemkv
      monero-gui
      signal-desktop
      spotify
      tor-browser-bundle-bin
      zecwallet-lite
    ;
  };
  # packages not part of any package set
  otherPkgs = {
    inherit (pkgs)
      stepmania
    ;
  };
  # define -- but don't enable -- the packages in some attrset.
  # use `mkDefault` for the package here so we can customize some of them further down this file
  declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
    package = mkDefault p;
  }) pkgsAsAttrs;
 in
 {
-  config = {
+  sane.programs = {
-    sane.programs = mkMerge [
+    btrfs-progs.enableFor.system = true;
-      (declarePkgs consolePkgs)
+    # "cacert.unbundled".enableFor.system = true;
-      (declarePkgs desktopGuiPkgs)
+    cryptsetup.enableFor.system = true;
-      (declarePkgs guiPkgs)
+    dig = {
-      (declarePkgs iphonePkgs)
+      enableFor.system = true;
-      (declarePkgs sysadminPkgs)
+      suggestedPrograms = [ "efibootmgr" ];
      (declarePkgs sysadminExtraPkgs)
      (declarePkgs tuiPkgs)
      (declarePkgs x86GuiPkgs)
      (declarePkgs otherPkgs)
      {
        # link the various package sets into their own meta packages
        consoleUtils = {
          package = null;
          suggestedPrograms = attrNames consolePkgs;
    };
-        desktopGuiApps = {
+    efibootmgr = {};
-          package = null;
+    fatresize = {};
-          suggestedPrograms = attrNames desktopGuiPkgs;
+
    backblaze-b2.enableFor.user.colin = true;
    cdrtools = {
      enableFor.user.colin = true;
      suggestedPrograms = [ "dmidecode" ];
    };
-        guiApps = {
+    dmidecode = {};
          package = null;
          suggestedPrograms = (attrNames guiPkgs)
            ++ [ "tuiApps" ]
            ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
        };
        iphoneUtils = {
          package = null;
          suggestedPrograms = attrNames iphonePkgs;
        };
        sysadminUtils = {
          package = null;
          suggestedPrograms = attrNames sysadminPkgs;
        };
        sysadminExtraUtils = {
          package = null;
          suggestedPrograms = attrNames sysadminExtraPkgs;
        };
        tuiApps = {
          package = null;
          suggestedPrograms = attrNames tuiPkgs;
        };
        x86GuiApps = {
          package = null;
          suggestedPrograms = attrNames x86GuiPkgs;
        };
      }
      {
        # nontrivial package definitions
        imagemagick.package = pkgs.imagemagick.override {
          ghostscriptSupport = true;
        };
        dino.private = [ ".local/share/dino" ];
        # creds, but also 200 MB of node modules, etc
        discord.private = [ ".config/discord" ];
        # creds/session keys, etc
        element-desktop.private = [ ".config/Element" ];
        # `emote` will show a first-run dialog based on what's in this directory.
        # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
        # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
        emote.dir = [ ".local/share/Emote" ];
        # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
        #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
        gpodder-configured.dir = [ "gPodder" ];
        # jellyfin stores things in a bunch of directories: this one persists auth info.
        # it *might* be possible to populate this externally (it's Qt stuff), but likely to
        # be fragile and take an hour+ to figure out.
        jellyfin-media-player.dir = [ ".local/share/Jellyfin Media Player" ];
        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
        # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
        monero-gui.dir = [ ".bitmonero" ];
        mpv.dir = [ ".config/mpv/watch_later" ];
        mumble.private = [ ".local/share/Mumble" ];
        # not strictly necessary, but allows caching articles; offline use, etc.
        newsflash.dir = [ ".local/share/news-flash" ];
        nheko.private = [
          ".config/nheko"  # config file (including client token)
          ".cache/nheko"  # media cache
          ".local/share/nheko"  # per-account state database
        ];
        # settings (electron app)
        obsidian.dir = [ ".config/obsidian" ];
        # creds, media
        signal-desktop.private = [ ".config/Signal" ];
        # creds, widevine .so download. TODO: could easily manage these statically.
        spotify.dir = [ ".config/spotify" ];
        # sublime music persists any downloaded albums here.
        # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
        # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
        #   possible to pass config as a CLI arg (sublime-music -c config.json)
        # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
        sublime-music-mobile.dir = [ ".local/share/sublime-music" ];
        tdesktop.private = [ ".local/share/TelegramDesktop" ];
        tokodon.private = [ ".cache/KDE/tokodon" ];
        # hardenedMalloc solves a crash at startup
        # TODO 2023/02/02: is this safe to remove yet?
        tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
          useHardenedMalloc = false;
        };
        # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
        vlc.dir = [ ".config/vlc" ];
        whalebird.private = [ ".config/Whalebird" ];
        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
        zecwallet-lite.private = [ ".zcash" ];
      }
    ];
    # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
    environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
  };
 }
--- a/hosts/common/secrets.nix
+++ b/hosts/common/secrets.nix
@@ -55,9 +55,6 @@
  sops.secrets."router_passwd" = {
    sopsFile = ../../secrets/universal.yaml;
  };
  sops.secrets."transmission_passwd" = {
    sopsFile = ../../secrets/universal.yaml;
  };
  sops.secrets."wg_ovpnd_us_privkey" = {
    sopsFile = ../../secrets/universal.yaml;
  };
@@ -102,26 +99,18 @@
    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-bedroom.psk" = {
    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared-24G.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/makespace-south.psk" = {
    sopsFile = ../../secrets/universal/net/makespace-south.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-shared-24G.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-shared.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/iphone" = {
    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
    format = "binary";
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -49,6 +49,8 @@ in
      shell = pkgs.zsh;
      packages = builtins.map (p: p.pkg) config.sane.packages.enabledUserPkgs;
      # mount encrypted stuff at login
      # some other nix pam users:
      # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
@@ -89,15 +91,13 @@ in
      ".cache/nix"
      ".cache/nix-index"
-
+      ".cargo"
-      # ".cargo"
+      ".rustup"
      # ".rustup"
    ];
    # convenience
    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
--- a/hosts/instantiate.nix
+++ b/hosts/instantiate.nix
@@ -4,7 +4,7 @@
 { hostName, localSystem }:
 # module args
-{ config, lib, ... }:
+{ config, ... }:
 {
  imports = [
@@ -14,16 +14,14 @@
  ];
  networking.hostName = hostName;
  nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
  sane.cross.enablePatches = localSystem != null;
-  # nixpkgs.overlays = [
+  nixpkgs.overlays = [
-  #   (next: prev: {
+    (next: prev: {
-  #     # for local != target we by default just emulate the target while building.
+      # for local != target we by default just emulate the target while building.
-  #     # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
+      # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
-  #     # to explicitly opt into non-emulated cross compilation for any specific package.
+      # to explicitly opt into non-emulated cross compilation for any specific package.
-  #     # this is most beneficial for large packages with few pre-requisites -- like Linux.
+      # this is most beneficial for large packages with few pre-requisites -- like Linux.
-  #     cross = prev.crossFrom."${localSystem}";
+      cross = next.crossFrom."${localSystem}";
-  #   })
+    })
-  # ];
+  ];
 }
--- a/hosts/modules/default.nix
+++ b/hosts/modules/default.nix
@@ -11,6 +11,5 @@
    ./roles
    ./services
    ./wg-home.nix
    ./yggdrasil.nix
  ];
 }
--- a/hosts/modules/gui/default.nix
+++ b/hosts/modules/gui/default.nix
@@ -12,4 +12,24 @@ in
    ./plasma-mobile.nix
    ./sway.nix
  ];
  options = {
    sane.gui.enable = mkOption {
      default = false;
      type = types.bool;
      description = ''
        enables config used by any GUI, like display management or select packages.
        the user should prefer to interact with specific GUIs like `sane.gui.sway`
        and let those modules auto-set this flag when necessary.
      '';
    };
  };
  config = mkIf cfg.enable {
    sane.packages.enableGuiPkgs = mkDefault true;
    # preserve backlight brightness across power cycles
    # see `man systemd-backlight`
    sane.persist.sys.plaintext = [ "/var/lib/systemd/backlight" ];
  };
 }
--- a/hosts/modules/gui/gnome.nix
+++ b/hosts/modules/gui/gnome.nix
@@ -13,7 +13,7 @@ in
  };
  config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
+    sane.gui.enable = true;
    # start gnome/gdm on boot
    services.xserver.enable = true;
--- a/hosts/modules/gui/phosh.nix
+++ b/hosts/modules/gui/phosh.nix
@@ -20,43 +20,9 @@ in
    };
  };
-  config = mkMerge [
+  config = mkIf cfg.enable (mkMerge [
    {
-      sane.programs.phoshApps = {
+      sane.gui.enable = true;
        package = null;
        suggestedPrograms = [
          "guiApps"
          # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
          "gnome.gnome-bluetooth"
          "gnome.gnome-terminal"
          "phosh-mobile-settings"
          # "plasma5Packages.konsole"  # more reliable terminal
        ];
      };
    }
    {
      sane.programs = {
        inherit (pkgs // {
          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
          "gnome.gnome-terminal" = pkgs.gnome.gnome-terminal;
          "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
        })
          phosh-mobile-settings
          "plasma5Packages.konsole"
          # "gnome.gnome-bluetooth"
          "gnome.gnome-terminal"
        ;
      };
    }
    (mkIf cfg.enable {
      sane.programs.phoshApps.enableFor.user.colin = true;
      # TODO(2023/02/28): remove this qt.style = "gtk2" override.
      # gnome by default tells qt to stylize its apps similar to gnome.
      # but the package needed for that doesn't cross-compile, hence i disable that here.
      # qt.platformTheme = "gtk2";
      # qt.style = "gtk2";
      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
      services.xserver.desktopManager.phosh = {
@@ -72,26 +38,6 @@ in
        };
      };
      # phosh enables `services.gnome.{core-os-services, core-shell}`
      # and this in turn enables some default apps we don't really care about.
      # see <nixos/modules/services/x11/desktop-managers/gnome.nix>
      environment.gnome.excludePackages = with pkgs; [
        # gnome.gnome-menus  # unused outside gnome classic, but probably harmless
        gnome-tour
      ];
      services.dleyna-renderer.enable = false;
      services.dleyna-server.enable = false;
      services.gnome.gnome-browser-connector.enable = false;
      services.gnome.gnome-initial-setup.enable = false;
      services.gnome.gnome-online-accounts.enable = false;
      services.gnome.gnome-remote-desktop.enable = false;
      services.gnome.gnome-user-share.enable = false;
      services.gnome.rygel.enable = false;
      # gnome doesn't use mkDefault for these -- unclear why not
      services.gnome.evolution-data-server.enable = mkForce false;
      services.gnome.gnome-online-miners.enable = mkForce false;
      # XXX: phosh enables networkmanager by default; can probably disable these lines
      networking.useDHCP = false;
      networking.networkmanager.enable = true;
@@ -114,7 +60,6 @@ in
      };
      programs.dconf.packages = [
        # org.kde.konsole.desktop
        (pkgs.writeTextFile {
          name = "dconf-phosh-settings";
          destination = "/etc/dconf/db/site.d/00_phosh_settings";
@@ -127,13 +72,19 @@ in
            sleep-inactive-battery-timeout=5400
            [sm/puri/phosh]
-            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.gnome.Terminal.desktop']
+            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.kde.konsole.desktop']
          '';
        })
      ];
    })
-    (mkIf (cfg.enable && cfg.useGreeter) {
+      sane.packages.extraUserPkgs = with pkgs; [
        phosh-mobile-settings
        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
        gnome.gnome-bluetooth
      ];
    }
    (mkIf cfg.useGreeter {
      services.xserver.enable = true;
      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
@@ -159,5 +110,5 @@ in
      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
    })
-  ];
+  ]);
 }
--- a/hosts/modules/gui/plasma-mobile.nix
+++ b/hosts/modules/gui/plasma-mobile.nix
@@ -13,8 +13,7 @@ in
  };
  config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
+    sane.gui.enable = true;
    # start plasma-mobile on boot
    services.xserver.enable = true;
    services.xserver.desktopManager.plasma5.mobile.enable = true;
--- a/hosts/modules/gui/plasma.nix
+++ b/hosts/modules/gui/plasma.nix
@@ -13,7 +13,7 @@ in
  };
  config = mkIf cfg.enable {
-    sane.programs.guiApps.enableFor.user.colin = true;
+    sane.gui.enable = true;
    # start plasma on boot
    services.xserver.enable = true;
--- a/hosts/modules/gui/sway.nix
+++ b/hosts/modules/gui/sway.nix
@@ -120,43 +120,8 @@ in
      type = types.bool;
    };
  };
-  config = mkMerge [
+  config = mkIf cfg.enable {
-    {
+    sane.gui.enable = true;
      sane.programs.swayApps = {
        package = null;
        suggestedPrograms = [
          "guiApps"
          "swaylock"
          "swayidle"
          "wl-clipboard"
          "mako"  # notification daemon
          # # "pavucontrol"
          "gnome.gnome-bluetooth"
          "gnome.gnome-control-center"
          "sway-contrib.grimshot"
        ];
      };
    }
    {
      sane.programs = {
        inherit (pkgs // {
          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
          "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
        })
          swaylock
          swayidle
          wl-clipboard
          mako
          "gnome.gnome-bluetooth"
          "gnome.gnome-control-center"
          "sway-contrib.grimshot"
        ;
      };
    }
    (mkIf cfg.enable {
      sane.programs.swayApps.enableFor.user.colin = true;
    # swap in these lines to use SDDM instead of `services.greetd`.
    # services.xserver.displayManager.sddm.enable = true;
@@ -659,7 +624,19 @@ in
    #     color: black;
    #   }
    # '';
-    })
+
    sane.packages.extraUserPkgs = with pkgs; [
      swaylock
      swayidle  # (unused)
      wl-clipboard
      mako # notification daemon
      xdg-utils  # for xdg-open
      # user stuff
      # pavucontrol
      sway-contrib.grimshot
      gnome.gnome-bluetooth
      gnome.gnome-control-center
    ];
  };
 }
--- a/hosts/modules/hardware/x86_64.nix
+++ b/hosts/modules/hardware/x86_64.nix
@@ -9,6 +9,11 @@
      # efi_pstore evivars
    ];
    # enable cross compilation
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    # nixpkgs.config.allowUnsupportedSystem = true;
    # nixpkgs.crossSystem.system = "aarch64-linux";
    powerManagement.cpuFreqGovernor = "powersave";
    hardware.cpu.amd.updateMicrocode = true;    # desktop
    hardware.cpu.intel.updateMicrocode = true;  # laptop
--- a/hosts/modules/hosts.nix
+++ b/hosts/modules/hosts.nix
@@ -69,7 +69,7 @@ in
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
      wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
      wg-home.ip = "10.0.10.22";
-      lan-ip = "192.168.15.25";
+      lan-ip = "192.168.0.22";
    };
    sane.hosts.by-name."lappy" = {
@@ -77,7 +77,7 @@ in
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
      wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
      wg-home.ip = "10.0.10.20";
-      lan-ip = "192.168.15.13";
+      lan-ip = "192.168.0.20";
    };
    sane.hosts.by-name."moby" = {
@@ -85,7 +85,7 @@ in
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
      wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
      wg-home.ip = "10.0.10.48";
-      lan-ip = "192.168.15.28";
+      lan-ip = "192.168.0.48";
    };
    sane.hosts.by-name."servo" = {
@@ -94,7 +94,7 @@ in
      wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
      wg-home.ip = "10.0.10.5";
      wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.15.24";
+      lan-ip = "192.168.0.5";
    };
  };
 }
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
@@ -13,7 +13,6 @@
 with lib;
 let
  cfg = config.sane.nixcache;
  hostName = config.networking.hostName;
 in
 {
  options = {
@@ -25,17 +24,6 @@ in
      default = config.sane.nixcache.enable;
      type = types.bool;
    };
    sane.nixcache.substituters = mkOption {
      type = types.listOf types.string;
      default =
        # TODO: make these blacklisted entries injectable
        (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
        ++ (lib.optional (hostName != "servo" && hostName != "desko") "http://desko:5000")
        ++ [
          "https://nix-community.cachix.org"
          "https://cache.nixos.org/"
        ];
    };
  };
  config = {
@@ -43,7 +31,12 @@ in
    # to explicitly build from a specific cache (in case others are down):
    # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
    # - `nix build ... --substituters http://desko:5000`
-    nix.settings.substituters = mkIf cfg.enable cfg.substituters;
+    nix.settings.substituters = mkIf cfg.enable [
      "https://nixcache.uninsane.org"
      "http://desko:5000"
      "https://nix-community.cachix.org"
      "https://cache.nixos.org/"
    ];
    # always trust our keys (so one can explicitly use a substituter even if it's not the default
    nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
      "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
--- a/hosts/modules/roles/build-machine.nix
+++ b/hosts/modules/roles/build-machine.nix
@@ -1,82 +0,0 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
  inherit (lib) mkIf mkMerge mkOption types;
  inherit (config.programs.ccache) cacheDir;
  cfg = config.sane.roles.build-machine;
 in
 {
  options.sane.roles.build-machine = {
    enable = mkOption {
      type = types.bool;
      default = false;
    };
    emulation = mkOption {
      type = types.bool;
      default = true;
    };
    ccache = mkOption {
      type = types.bool;
      default = true;
    };
  };
  config = mkMerge [
    ({
      sane.programs.qemu = pkgs.qemu;
    })
    (mkIf cfg.enable {
      # enable opt-in emulation of any package at runtime.
      # i.e. `nix build '.#host-pkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
      sane.programs.qemu.enableFor.user.colin = true;
      # serve packages to other machines that ask for them
      sane.services.nixserve.enable = true;
      # enable cross compilation
      # TODO: do this via stdenv injection, linking into /run/binfmt the stuff in <nixpkgs:nixos/modules/system/boot/binfmt.nix>
      boot.binfmt.emulatedSystems = lib.optionals cfg.emulation [
        "aarch64-linux"
        # "aarch64-darwin"  # not supported
        # "x86_64-darwin"   # not supported
      ];
      # corresponds to env var: NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
      # nixpkgs.config.allowUnsupportedSystem = true;
    })
    (mkIf (cfg.enable && cfg.ccache) {
      # programs.ccache.cacheDir = "/var/cache/ccache";  # nixos default
      # programs.ccache.cacheDir = "/homeless-shelter/.ccache";  # ccache default (~/.ccache)
      # if the cache doesn't reside at ~/.ccache, then CCACHE_DIR has to be set.
      # we can do that manually as commented out below, or let nixos do it for us by telling it to use ccache on a dummy package:
      programs.ccache.packageNames = [ "dummy-pkg-to-force-ccache-config" ];
      # nixpkgs.overlays = [
      #   (self: super: {
      #     # XXX: if the cache resides not at ~/.ccache (i.e. /homeless-shelter/.ccache)
      #     # then we need to explicitly tell ccache where that is.
      #     ccacheWrapper = super.ccacheWrapper.override {
      #       extraConfig = ''
      #         export CCACHE_DIR="${cacheDir}"
      #       '';
      #     };
      #   })
      # ];
      # granular compilation cache
      # docs: <https://nixos.wiki/wiki/CCache>
      # investigate the cache with:
      # - `nix-ccache --show-stats`
      # - `build '.#ccache'
      #   - `sudo CCACHE_DIR=/var/cache/ccache ./result/bin/ccache --show-stats -v`
      # TODO: whitelist `--verbose` in <nixpkgs:nixos/modules/programs/ccache.nix>
      # TODO: configure without compression (leverage fs-level compression), and enable file-clone (i.e. hardlinks)
      programs.ccache.enable = true;
      nix.settings.extra-sandbox-paths = [ cacheDir ];
      sane.persist.sys.plaintext = [
        { group = "nixbld"; mode = "0775"; directory = config.programs.ccache.cacheDir; }
      ];
      sane.fs."${cacheDir}/ccache.conf" = sane-lib.fs.wantedText ''
        max_size = 50G
      '';
    })
  ];
 }
--- a/hosts/modules/roles/default.nix
+++ b/hosts/modules/roles/default.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  imports = [
    ./build-machine.nix
    ./client
  ];
 }
--- a/hosts/modules/yggdrasil.nix
+++ b/hosts/modules/yggdrasil.nix
@@ -1,30 +0,0 @@
 # docs: <nixpkgs:nixos/modules/services/networking/yggdrasil.md>
 # - or message CW/0x00
 { config, lib, ... }:
 let
  inherit (lib) mkIf mkOption types;
  cfg = config.sane.yggdrasil;
 in
 {
  options.sane.yggdrasil = {
    enable = mkOption {
      type = types.bool;
      default = false;
    };
  };
  config = mkIf cfg.enable {
    services.yggdrasil = {
      enable = true;
      persistentKeys = true;
      config = {
        IFName = "ygg0";
        Peers = [
          "tls://longseason.1200bps.xyz:13122"
        ];
      };
    };
  };
 }
--- a/modules/data/feeds/sources/acquiredlpbonussecretsecret.libsyn.com/default.json
+++ b/modules/data/feeds/sources/acquiredlpbonussecretsecret.libsyn.com/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 443732,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "Ben and David are joined by expert founders and investors \u2014 writing the next generation of great company stories in real-time.\n\nWe go behind the scenes on their journeys and bring back emerging insights and lessons that are useful for anyone in the tech and investing ecosystems.\n\nAcquired covers yesterday. ACQ2 covers tomorrow.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 92,
  "last_updated": "2023-03-02T17:03:15+00:00",
  "score": 10,
  "self_url": "https://acquiredlpbonussecretsecret.libsyn.com/",
  "site_name": "ACQ2 by Acquired",
  "site_url": "https://acquiredlpbonussecretsecret.libsyn.com",
  "title": "ACQ2 by Acquired",
  "url": "https://acquiredlpbonussecretsecret.libsyn.com",
  "velocity": 0.057,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/ascii.textfiles.com/default.json
+++ b/modules/data/feeds/sources/ascii.textfiles.com/default.json
--- a/modules/data/feeds/sources/blog.rust-lang.org/default.json
+++ b/modules/data/feeds/sources/blog.rust-lang.org/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 76362,
  "content_type": "application/xml; charset=utf-8",
  "description": "Empowering everyone to build reliable and efficient software.",
  "favicon": "https://blog.rust-lang.org/images/favicon-16x16.png",
  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAA3XAAAN1wFCKJt4AAAAB3RJTUUH4gseBBkAzEcAUAAAAWlJREFUOMul079L1WEUBvCPdhPUzbhC3JYQwn6MLTU4CA5C/QMJimQS2NDiZpM0NDoZ0iK4+SdIV5ykpgKtIYyiqCBSuKBBibflufBiVxt64eV73uc855z3fb7ndPh7daMPU/gR7ByeYRc/nbJGMI8GjvAKb2M34hspA84U9jgeYAIv8Bi9+IxFnMcYLqCJ12WiYTzHL0wee05Xcb6H3+EOt8CeXK0Z526b/R1ruIL74c4nVi3v+4BvOAxhHzv4lHMTb3A1WAO1zqjdhRU8SjWpOIBBvAx2hFEsRZ8pmEn28ZC+FhXLvY9L4UwHm+ksBNo79kvf4QlWC61uxR5qkSqoJttkROqN7wDvk+Q6LuIh+nEnMdVSxOYJ+zKetsEbqFVy9QXMpYE28TE3gC+YxXaKDeFGYvYqIa7jZppjI/2w1GZGzia4npiDSpz1tCjcjg5VbAW7hrtpqjqW8/3nMLXee+IwdfzvOP8BuzB3onylpecAAAAASUVORK5CYII=",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 10,
  "last_updated": "2023-03-09T00:00:00+00:00",
  "score": 20,
  "self_url": "https://blog.rust-lang.org/feed.xml",
  "site_name": "The Rust Programming Language Blog",
  "site_url": "https://blog.rust-lang.org",
  "title": "Rust Blog",
  "url": "https://blog.rust-lang.org/feed.xml",
  "velocity": 0.096,
  "version": "atom10"
 }
--- a/modules/data/feeds/sources/feeds.libsyn.com/421877/default.json
+++ b/modules/data/feeds/sources/feeds.libsyn.com/421877/default.json
@@ -1,23 +0,0 @@
 {
  "bozo": 0,
  "content_length": 272569,
  "content_type": "text/xml; charset=utf-8",
  "description": "Audio version of the posts shared in the LessWrong Curated newsletter.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [
    "https://pubsubhubbub.appspot.com/"
  ],
  "is_podcast": true,
  "is_push": true,
  "item_count": 56,
  "last_updated": "2023-03-08T08:00:00+00:00",
  "score": 32,
  "self_url": "https://feeds.buzzsprout.com/2037297.rss",
  "site_name": "",
  "site_url": "",
  "title": "LessWrong Curated Podcast",
  "url": "https://feeds.buzzsprout.com/2037297.rss",
  "velocity": 0.192,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/feeds.megaphone.fm/hubermanlab/default.json
+++ b/modules/data/feeds/sources/feeds.megaphone.fm/hubermanlab/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 1377252,
  "content_type": "application/xml; charset=utf-8",
  "description": "Andrew Huberman, Ph.D.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 129,
  "last_updated": "2023-03-06T09:00:00+00:00",
  "score": 14,
  "self_url": "https://feeds.megaphone.fm/hubermanlab",
  "site_name": "",
  "site_url": "",
  "title": "Huberman Lab",
  "url": "https://feeds.megaphone.fm/hubermanlab",
  "velocity": 0.159,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/mapspodcast.libsyn.com/default.json
+++ b/modules/data/feeds/sources/mapspodcast.libsyn.com/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 256360,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "Hosted by Zach Leary, the intent of the podcast is to bring you the listener an easily accessible resource for a variety of topics all related to psychedelic research. There is a lot to learn about new research into the therapeutic potential of psychedelics and marijuana. Over the years, the Multidisciplinary Association for Psychedelic Studies (MAPS) has amassed an incredible treasure trove of audio archives sourced from the amazing talks, presentations and panels that have taken place at past Psychedelic Science conferences and other unique events. By selecting some of that content and then bringing it to you in a podcast we hope to create a centralized location for the greater MAPS community. If you're a researcher, scientist, medical professional or just a curiosity seeker we hope that you'll find this content a valuable resource tool.\n\nPlease visit the MAPS website at https://maps.org",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 62,
  "last_updated": "2023-03-06T20:20:00+00:00",
  "score": 0,
  "self_url": "https://feeds.libsyn.com/95610/rss",
  "site_name": "",
  "site_url": "",
  "title": "MAPS Podcast",
  "url": "https://feeds.libsyn.com/95610/rss",
  "velocity": 0.028,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/omny.fm/shows/cool-people-who-did-cool-stuff/default.json
+++ b/modules/data/feeds/sources/omny.fm/shows/cool-people-who-did-cool-stuff/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 242702,
  "content_type": "application/xml; charset=utf-8",
  "description": "<p>As long as there&rsquo;s been oppression, there&rsquo;ve been people fighting it. This weekly podcast dives into history to drag up the wildest rebels, the most beautiful revolts, and all the people who long to be&mdash;and fight to be&mdash;free. It explores complex stories of resistance that offer lessons and inspiration for us today, focusing on the ensemble casts that make up each act of history. That is to say, this podcast focuses on Cool People Who Did Cool Stuff.</p>",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 86,
  "last_updated": "2023-03-20T04:01:00+00:00",
  "score": -12,
  "self_url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/45bcda9a-4724-45c0-82ca-ae7f00e1dd18/f21245f2-a297-42f7-a016-ae7f00e390c4/podcast.rss",
  "site_name": "",
  "site_url": "",
  "title": "Cool People Who Did Cool Stuff",
  "url": "https://www.omnycontent.com/d/playlist/e73c998e-6e60-432f-8610-ae210140c5b1/45bcda9a-4724-45c0-82ca-ae7f00e1dd18/f21245f2-a297-42f7-a016-ae7f00e390c4/podcast.rss",
  "velocity": 0.256,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/poorlydrawnlines.com/feed/default.json
+++ b/modules/data/feeds/sources/poorlydrawnlines.com/feed/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 13524,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "A Comic",
  "favicon": "http://www.poorlydrawnlines.com/wp-content/themes/PoorlyDrawnLines/images/favicon.ico",
  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAK6wAACusBgosNWgAAABx0RVh0U29mdHdhcmUAQWRvYmUgRmlyZXdvcmtzIENTNXG14zYAAAE+SURBVDiNnZO9rgFRFIW/Yy4KCldDN4VCQ63STTyAR0BU3kEy8SQeYiIRKq+gkFytZAo/0VBZtxC5Y85McFdymr2Sb6+z9zlG0g/wTUyHwwGAcrkct6I6IumsiHa7nTqdjkqlknK5nBqNhsbjsU6nkxJ0RtI+WgmCQICMMWq323JdV4BarZbCMIwD9hZgNpsJ0Gg0kiRdr1f1+30B6vV6FiATv5TjOABUKhUA8vk8w+EQgPV6bQ3BAki6G5k/KwxDADzPswBfaYDNZsNyuWS73TKZTCgWiwwGA3sP8RnM53MBT6dQKGg6nSZtYW8leER3XZd6vY7neXS7XWq1mt09KcFisRAg3/eTOr7ewkO32y3Nek6cZjyG+W/Au0p9B58kyEYLxpi7kXkrXNYo9p0vlwur1Ypms0m1Wn0FOP4CBWA38rLJ0EUAAAAASUVORK5CYII=",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 10,
  "last_updated": "2023-03-22T17:51:01+00:00",
  "score": 12,
  "self_url": "https://poorlydrawnlines.com/feed/",
  "site_name": "Poorly Drawn Lines",
  "site_url": "https://poorlydrawnlines.com",
  "title": "Poorly Drawn Lines",
  "url": "https://poorlydrawnlines.com/feed/",
  "velocity": 0.272,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/reverseengineering.libsyn.com/rss/default.json
+++ b/modules/data/feeds/sources/reverseengineering.libsyn.com/rss/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 560867,
  "content_type": "application/rss+xml; charset=utf-8",
  "description": "Listen and learn about different reverse engineering hardware projects and methods as Alvaro (@alvaroprieto) and Jen(@rebelbotjen) talk with guests about their work.",
  "favicon": "",
  "favicon_data_uri": "",
  "hubs": [],
  "is_podcast": true,
  "is_push": false,
  "item_count": 63,
  "last_updated": "2022-12-30T15:42:48+00:00",
  "score": 18,
  "self_url": "https://reverseengineering.libsyn.com/rss",
  "site_name": "",
  "site_url": "",
  "title": "Unnamed Reverse Engineering Podcast",
  "url": "https://reverseengineering.libsyn.com/rss",
  "velocity": 0.032,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/thisweek.gnome.org/default.json
+++ b/modules/data/feeds/sources/thisweek.gnome.org/default.json
@@ -1,21 +0,0 @@
 {
  "bozo": 0,
  "content_length": 1250267,
  "content_type": "text/xml; charset=utf-8",
  "description": "Recent content on This Week in GNOME",
  "favicon": "https://thisweek.gnome.org/images/favicon-32x32.png",
  "favicon_data_uri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAABYAAAAWABINkT2gAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAI5SURBVFiFvdZPiE1RHAfwz/xBxhSTISxYaJSiJAklioWNjYWVhYWUtYRMslEWSv7WkPybsbHSGMmGDUmhyEKihMgsjMQsnjEW597emdt7z7vvvplvnTr3d3/n9/3ec8/vd35MHVqnkAu0YR+eoYQxPMWyZhEswH0M43DmXTuGMF5hXGyWgMEo6A8Tt/h0FfJxnGmEbA160ZU8twvbGgeenrxbgj81BKzNS746IhtIbB2ZoJ8j/6M1yIfyksORKMB3tCT2T5H9cuR/qwr5NyzMBq8nNYaj+Zxonu5GSfjnKdoqxBjBdnypg08XruFA8jwfv5W/IkUH+rAzs77XxC9/g1X1EKc4Fy3enNj2Cnl8qY71nejHk0TMzDzkcCUScCGy92BG3mD/Q3sF2w3sTuZLI/vbaN6NbVgnpN28xFYSDudjYRfiNblwTNiBqxn7VtxRO8/TUcL+RgXACsxN5otxtw7S7PiLlUVEwAbh9OclT8euIuTLheLTKPm4cE4aQgseFSR/qFw5c2NjQfJ3WNQoOZwoQH5PSMtCGGiAeBSHNKn96stJ/kAT2y3YUyfxLxw0CU1nj1BIapG/EErxpCHu+7Ljo3KlTNGNs/iQ+PzE8SIC1qu+C6cq+Fcq1yNFBMDJKgKeY1rG93UFv9tFBUwXrtdKIgaV832T0LRkfbYUFQCzVS/Lo3il8hXd3wzyFJ24WUVEtXtgVjMFpNiB9zWIx4RWLncvmAetQkt2XTh4X/ES5zWhAZlS/AMHdE5EpHwlOQAAAABJRU5ErkJggg==",
  "hubs": [],
  "is_podcast": false,
  "is_push": false,
  "item_count": 86,
  "last_updated": "2023-03-10T00:00:00+00:00",
  "score": 46,
  "self_url": "https://thisweek.gnome.org/index.xml",
  "site_name": "This Week in GNOME",
  "site_url": "https://thisweek.gnome.org",
  "title": "This Week in GNOME",
  "url": "https://thisweek.gnome.org/index.xml",
  "velocity": 0.141,
  "version": "rss20"
 }
--- a/modules/data/feeds/sources/xn--gckvb8fzb.com/default.json
+++ b/modules/data/feeds/sources/xn--gckvb8fzb.com/default.json
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,6 +5,7 @@
    ./feeds.nix
    ./fs
    ./ids.nix
    ./packages.nix
    ./programs.nix
    ./image.nix
    ./persist
--- a/modules/fs/default.nix
+++ b/modules/fs/default.nix
@@ -189,7 +189,7 @@ let
      serviceConfig.Type = "oneshot";
      script = wrapper.script;
-      scriptArgs = escapeShellArgs wrapper.scriptArgs;
+      scriptArgs = builtins.concatStringsSep " " wrapper.scriptArgs;
      after = gen-opt.depends;
      wants = gen-opt.depends;
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -0,0 +1,331 @@
 { config, lib, pkgs, ... }:
 with lib;
 with pkgs;
 let
  cfg = config.sane.packages;
  imagemagick = pkgs.imagemagick.override {
    ghostscriptSupport = true;
  };
  consolePkgs = [
    backblaze-b2
    cdrtools
    dmidecode
    duplicity
    efivar
    flashrom
    fwupd
    ghostscript  # TODO: imagemagick wrapper should add gs to PATH
    gnupg
    gocryptfs
    gopass
    gopass-jsonapi
    ifuse
    imagemagick
    ipfs
    kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
    libimobiledevice
    libsecret  # for managing user keyrings
    lm_sensors  # for sensors-detect
    lshw
    ffmpeg
    memtester
    networkmanager
    nixpkgs-review
    # nixos-generators
    # nettools
    nmon
    oathToolkit  # for oathtool
    # ponymix
    pulsemixer
    python3
    rsync
    # python3Packages.eyeD3  # music tagging
    sane-scripts
    sequoia
    snapper
    sops
    sox
    speedtest-cli
    sqlite  # to debug sqlite3 databases
    ssh-to-age
    sudo
    # tageditor  # music tagging
    unar
    visidata
    w3m
    wireguard-tools
    # youtube-dl
    yt-dlp
  ];
  guiPkgs = [
    # GUI only
    aerc  # email client
    audacity
    celluloid  # mpv frontend
    chromium
    clinfo
    { pkg = dino; private = [ ".local/share/dino" ]; }
    electrum
    # creds/session keys, etc
    { pkg = element-desktop; private = [ ".config/Element" ]; }
    # `emote` will show a first-run dialog based on what's in this directory.
    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    { pkg = emote; dir = [ ".local/share/Emote" ]; }
    evince  # works on phosh
    # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
    foliate  # e-book reader
    font-manager
    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
    # then reboot (so that libsecret daemon re-loads the keyring...?)
    # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
    # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
    gajim  # XMPP client
    gimp  # broken on phosh
    gnome.cheese
    gnome.dconf-editor
    gnome-feeds  # RSS reader (with claimed mobile support)
    gnome.file-roller
    gnome.gnome-disk-utility
    gnome.gnome-maps  # works on phosh
    gnome.nautilus
    # gnome-podcasts
    gnome.gnome-system-monitor
    gnome.gnome-terminal  # works on phosh
    gnome.gnome-weather
    # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
    #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
    { pkg = gpodder-configured; dir = [ "gPodder" ]; }
    gthumb
    inkscape
    kdenlive
    kid3  # audio tagging
    krita
    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
    lollypop
    { pkg = mpv; dir = [ ".config/mpv/watch_later" ]; }
    networkmanagerapplet
    # not strictly necessary, but allows caching articles; offline use, etc.
    { pkg = newsflash; dir = [ ".local/share/news-flash" ]; }
    { pkg = nheko; private = [
      ".config/nheko"  # config file (including client token)
      ".cache/nheko"  # media cache
      ".local/share/nheko"  # per-account state database
    ]; }
    # settings (electron app)
    { pkg = obsidian; dir = [ ".config/obsidian" ]; }
    pavucontrol
    # picard  # music tagging
    playerctl
    libsForQt5.plasmatube  # Youtube player
    soundconverter
    # sublime music persists any downloaded albums here.
    # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
    # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
    #   possible to pass config as a CLI arg (sublime-music -c config.json)
    # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
    { pkg = sublime-music-mobile; dir = [ ".local/share/sublime-music" ]; }
    { pkg = tdesktop; private = [ ".local/share/TelegramDesktop" ]; }  # broken on phosh
    { pkg = tokodon; private = [ ".cache/KDE/tokodon" ]; }
    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
    { pkg = vlc; dir = [ ".config/vlc" ]; }
    # pleroma client (Electron). input is broken on phosh.
    { pkg = whalebird; private = [ ".config/Whalebird" ]; }
    xdg-utils  # for xdg-open
    xterm  # broken on phosh
  ]
  ++ (if pkgs.system == "x86_64-linux" then
  [
    # x86_64 only
    # creds, but also 200 MB of node modules, etc
    (let discord = (pkgs.discord.override {
      # XXX 2022-07-31: fix to allow links to open in default web-browser:
      #   https://github.com/NixOS/nixpkgs/issues/78961
      nss = pkgs.nss_latest;
    }); in { pkg = discord; private = [ ".config/discord" ]; })
    # kaiteki  # Pleroma client
    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
    # gpt2tc  # XXX: unreliable mirror
    # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
    handbrake
    logseq
    losslesscut-bin
    makemkv
    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
    { pkg = monero-gui; dir = [ ".bitmonero" ]; }
    # creds, media
    { pkg = signal-desktop; private = [ ".config/Signal" ]; }
    # creds, widevine .so download. TODO: could easily manage these statically.
    { pkg = spotify; dir = [ ".config/spotify" ]; }
    # hardenedMalloc solves a crash at startup
    (tor-browser-bundle-bin.override { useHardenedMalloc = false; })
    # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
    { pkg = zecwallet-lite; private = [ ".zcash" ]; }
  ] else []);
  # general-purpose utilities that we want any user to be able to access
  #   (specifically: root, in case of rescue)
  systemPkgs = [
    btrfs-progs
    cacert.unbundled  # some services require unbundled /etc/ssl/certs
    cryptsetup
    dig
    efibootmgr
    fatresize
    fd
    file
    gawk
    git
    gptfdisk
    hdparm
    htop
    iftop
    inetutils  # for telnet
    iotop
    iptables
    jq
    killall
    lsof
    nano
    netcat
    nethogs
    nmap
    openssl
    parted
    pciutils
    powertop
    pstree
    ripgrep
    screen
    smartmontools
    socat
    strace
    tcpdump
    tree
    usbutils
    wget
  ];
  # useful devtools:
  devPkgs = [
    bison
    dtc
    flex
    gcc
    gdb
    # gcc-arm-embedded
    # gcc_multi
    gnumake
    mercurial
    mix2nix
    rustup
    swig
  ];
  pkgSpec = types.submodule {
    options = {
      pkg = mkOption {
        type = types.package;
      };
      dir = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "list of home-relative paths to persist for this package";
      };
      private = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "list of home-relative paths to persist (in encrypted format) for this package";
      };
    };
  };
  toPkgSpec = types.coercedTo types.package (p: { pkg = p; }) pkgSpec;
 in
 {
  options = {
    # packages to deploy to the user's home
    sane.packages.extraUserPkgs = mkOption {
      default = [ ];
      type = types.listOf toPkgSpec;
    };
    sane.packages.extraGuiPkgs = mkOption {
      default = [ ];
      type = types.listOf toPkgSpec;
      description = "packages to only ship if gui's enabled";
    };
    sane.packages.enableConsolePkgs = mkOption {
      default = false;
      type = types.bool;
    };
    sane.packages.enableGuiPkgs = mkOption {
      default = false;
      type = types.bool;
    };
    sane.packages.enableDevPkgs = mkOption {
      description = ''
        enable packages that are useful for building other software by hand.
        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
      '';
      default = false;
      type = types.bool;
    };
    sane.packages.enableSystemPkgs = mkOption {
      default = false;
      type = types.bool;
      description = "enable system-wide packages";
    };
    sane.packages.enabledUserPkgs = mkOption {
      default = cfg.extraUserPkgs
        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
        ++ (if cfg.enableGuiPkgs then guiPkgs ++ cfg.extraGuiPkgs else [])
        ++ (if cfg.enableDevPkgs then devPkgs else [])
      ;
      type = types.listOf toPkgSpec;
      description = "generated from other config options";
    };
  };
  config = {
    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
    sane.user.persist.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
    sane.user.persist.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
    # XXX: this might not be necessary. try removing this and cacert.unbundled?
    environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
  };
 }
--- a/modules/persist/default.nix
+++ b/modules/persist/default.nix
@@ -124,9 +124,6 @@ let
  #   <option>.private.".cache/vim" = { mode = "0700"; };
  # to place ".cache/vim" into the private store and create with the appropriate mode
  dirsSubModule = types.submodule ({ config, ... }: {
    # TODO: this should be a plain-old `attrsOf (convertInlineAcl entryInStoreOrShorthand)` with downstream checks,
    #   rather than being filled in based on *other* settings.
    #   otherwise, it behaves poorly when `sane.persist.enable = false`
    options = lib.attrsets.unionOfDisjoint
      (mapAttrs (store: store-cfg: mkOption {
        default = [];
--- a/modules/programs.nix
+++ b/modules/programs.nix
@@ -1,39 +1,13 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
  inherit (builtins) any elem map;
-  inherit (lib)
+  inherit (lib) filterAttrs mapAttrs mapAttrsToList mkDefault mkIf mkMerge mkOption optionalAttrs types;
    filterAttrs
    hasAttrByPath
    getAttrFromPath
    mapAttrs
    mapAttrsToList
    mkDefault
    mkIf
    mkMerge
    mkOption
    optional
    optionalAttrs
    splitString
    types
  ;
  inherit (sane-lib) joinAttrsets;
  cfg = config.sane.programs;
  pkgSpec = types.submodule ({ name, ... }: {
    options = {
      package = mkOption {
-        type = types.nullOr types.package;
+        type = types.package;
        description = ''
          package, or `null` if the program is some sort of meta set (in which case it much EXPLICITLY be set null).
        '';
        default =
          let
            pkgPath = splitString "." name;
          in
            # package can be inferred by the attr name, allowing shorthand like
            #   `sane.programs.nano.enable = true;`
            # this indexing will throw if the package doesn't exist and the user forgets to specify
            # a valid source explicitly.
            getAttrFromPath pkgPath pkgs;
      };
      enableFor.system = mkOption {
        type = types.bool;
@@ -50,6 +24,11 @@ let
      };
      enableFor.user = mkOption {
        type = types.attrsOf types.bool;
        # default = mkMerge (mapAttrsToList (_otherName: otherPkg:
        #   optionalAttrs
        #     (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
        #     otherPkg.enableFor.user
        # ) cfg);
        default = joinAttrsets (mapAttrsToList (otherName: otherPkg:
           optionalAttrs
             (otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
@@ -83,22 +62,30 @@ let
      };
    };
    config = {
      # package can be inferred by the attr name, allowing shorthand like
      # sane.packages.nano.enable = true;
      package = mkIf (pkgs ? "${name}") (mkDefault pkgs."${name}");
      # enableFor = mkIf (name == "btrfs-progs") (mkDefault cfg.cryptsetup.enableFor);
      # enable this package if it's in the `suggestedPrograms` of any other enabled program
      # enableFor = mkMerge (mapAttrsToList (_otherName: otherPkg:
      #   optionalAttrs
      #     (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
      #     (mkDefault otherPkg.enableFor)
      # ) cfg);
    };
  });
  toPkgSpec = types.coercedTo types.package (p: { package = p; }) pkgSpec;
-  configs = mapAttrsToList (name: p: {
+  configs = mapAttrsToList (_name: p: {
    assertions = map (sug: {
      assertion = cfg ? "${sug}";
      message = ''program "${sug}" referenced by "${name}", but not defined'';
    }) p.suggestedPrograms;
    # conditionally add to system PATH
-    environment.systemPackages = optional
+    environment.systemPackages = mkIf p.enableFor.system [ p.package ];
      (p.package != null && p.enableFor.system)
      p.package;
    # conditionally add to user(s) PATH
-    users.users = mapAttrs (user: en: {
+    users.users = mapAttrs (user: en: optionalAttrs en {
-      packages = optional (p.package != null && en) p.package;
+      packages = [ p.package ];
    }) p.enableFor.user;
    # conditionally persist relevant user dirs
    sane.users = mapAttrs (user: en: optionalAttrs en {
@@ -118,7 +105,6 @@ in
  config =
    let
      take = f: {
        assertions = f.assertions;
        environment.systemPackages = f.environment.systemPackages;
        users.users = f.users.users;
        sane.users = f.sane.users;
@@ -126,8 +112,20 @@ in
    in mkMerge [
      (take (sane-lib.mkTypedMerge take configs))
      {
-        # expose the pkgs -- as available to the system -- as a build target.
+        # sane.programs.cryptsetup.enableFor = mkDefault cfg.btrfs-progs.enableFor;
-        system.build.pkgs = pkgs;
+        # sane.programs.cryptsetup.enableFor = mkMerge (mapAttrsToList (otherName: otherPkg:
        #   optionalAttrs
        #   (otherName != "cryptsetup")
        #   (mkDefault otherPkg.enableFor)
        # ) cfg);
        # sane.programs = mapAttrs (myName: _me: optionalAttrs (myName == "btrfs-progs") {
        #   enableFor = mkMerge (mapAttrsToList (otherName: otherPkg:
        #     optionalAttrs
        #     (otherName != "cryptsetup")
        #     (mkDefault otherPkg.enableFor)
        #   ) cfg);
        # }) cfg;
      }
    ];
 }
--- a/modules/services/dyn-dns.nix
+++ b/modules/services/dyn-dns.nix
@@ -3,11 +3,6 @@
 with lib;
 let
  cfg = config.sane.services.dyn-dns;
  getIp = pkgs.writeShellScript "dyn-dns-query-wan" ''
    # preferred method and fallback
    ${pkgs.sane-scripts}/bin/sane-ip-check-router-wan || \
      ${pkgs.sane-scripts}/bin/sane-ip-check
  '';
 in
 {
  options = {
@@ -24,7 +19,7 @@ in
      };
      ipCmd = mkOption {
-        default = "${getIp}";
+        default = "${pkgs.sane-scripts}/bin/sane-ip-check-router-wan";
        type = types.path;
        description = "command to run to query the current WAN IP";
      };
--- a/modules/services/trust-dns.nix
+++ b/modules/services/trust-dns.nix
@@ -7,20 +7,7 @@ with lib;
 let
  cfg = config.sane.services.trust-dns;
  toml = pkgs.formats.toml { };
-  recordFormatters = {
+  fmtRecord = proto: rrtype: name: value: "${name}\t${proto}\t${rrtype}\t${value}";
    # quote rules for zone files:
    # - any character may be encoded by `\DDD`, where `DDD` represents its ascii value in base 8.
    # - any non-digit `X` may be encoded by `\X`.
    # - stated in: <https://www.ietf.org/rfc/rfc1035.txt>: 5.1 Format
    # - visible in <trust-dns:crates/proto/src/serialize/txt/zone_lex.rs:escape_seq>
    # for us, we can just replace `\` => `\\ and `"` -> `\"`
    TXT = value: "\"" + (lib.escape [ "\\" "\"" ] value) + "\"";
  };
  fmtRecord = proto: rrtype: name: value:
    let
      formatter = recordFormatters."${rrtype}" or lib.id;
    in
      "${name}\t${proto}\t${rrtype}\t${formatter value}";
  fmtRecordList = proto: rrtype: name: values: concatStringsSep
    "\n"
    (map (fmtRecord proto rrtype name) values)
--- a/nixpatches/2023-01-25-signald-update.patch
+++ b/nixpatches/2023-01-25-signald-update.patch
@@ -0,0 +1,78 @@
 diff --git a/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch b/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
 index 1d9ca8d838d..d2cf9dd4315 100644
 --- a/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
 +++ b/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
@@ -11,25 +11,15 @@ diff --git a/build.gradle b/build.gradle
 index 799e782..caceaac 100644
 --- a/build.gradle
 +++ b/build.gradle
 -@@ -83,6 +83,9 @@ static String getVersion() {
 - 
 - repositories {
 -     maven {url "https://gitlab.com/api/v4/groups/6853927/-/packages/maven"} // https://gitlab.com/groups/signald/-/packages
 -+    maven {
 -+      url "https://plugins.gradle.org/m2/"
 -+    }
 -     mavenCentral()
 - }
 - 
 -@@ -104,6 +107,8 @@ dependencies {
 -     implementation 'io.prometheus:simpleclient_httpserver:0.16.0'
 -     implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
 -     implementation 'io.sentry:sentry:6.4.0'
 -+    implementation 'com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:3.1.0'
 -+    implementation 'org.jetbrains.kotlin:kotlin-scripting-jvm:1.7.10'
 -     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
 +@@ -87,7 +86,7 @@ repositories {
  }
 + dependencies {
 +-    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_1'
 ++    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_2'
 +     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
 +     implementation 'com.kohlschutter.junixsocket:junixsocket-common:2.6.1'
 +     implementation 'com.kohlschutter.junixsocket:junixsocket-native-common:2.6.1'
 @@ -171,4 +176,4 @@ allprojects {
  runtime {
      options = ['--strip-java-debug-attributes', '--compress', '2', '--no-header-files', '--no-man-pages']
 diff --git a/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch b/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
 index 96a7d6d2ef3..2f0f6e73159 100644
 --- a/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
 +++ b/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
@@ -47,15 +47,15 @@ index 799e782..6ecef3e 100644
  }
  dependencies {
 -@@ -104,6 +117,8 @@ dependencies {
 -     implementation 'io.prometheus:simpleclient_httpserver:0.16.0'
 -     implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
 -     implementation 'io.sentry:sentry:6.4.0'
 -+    implementation 'com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:3.1.0'
 -+    implementation 'org.jetbrains.kotlin:kotlin-scripting-jvm:1.7.10'
 -     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
 +@@ -87,7 +86,7 @@ repositories {
  }
 + dependencies {
 +-    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_1'
 ++    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_2'
 +     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
 +     implementation 'com.kohlschutter.junixsocket:junixsocket-common:2.6.1'
 +     implementation 'com.kohlschutter.junixsocket:junixsocket-native-common:2.6.1'
 @@ -167,8 +182,3 @@ allprojects {
          }
      }
 diff --git a/pkgs/applications/networking/instant-messengers/signald/default.nix b/pkgs/applications/networking/instant-messengers/signald/default.nix
 index a9e023cdf63..8847707e137 100644
 --- a/pkgs/applications/networking/instant-messengers/signald/default.nix
 +++ b/pkgs/applications/networking/instant-messengers/signald/default.nix
@@ -54,8 +54,8 @@ let
     outputHashMode = "recursive";
     # Downloaded jars differ by platform
     outputHash = {
 -      x86_64-linux = "sha256-ANiNDdTuCuDEH5zUPsrVF6Uegdq3zVsMv+uMtYRX0jE=";
 -      aarch64-linux = "sha256-V9zn4v/ZeLELAwFJ5y7OVAeJwZp4DmHm4KWxE6KpwGs=";
 +      x86_64-linux = "sha256-B2T8bM8xdob5507oS1CVO+sszEg9VWL8QKUEanIlXvk=";
 +      aarch64-linux = "sha256-I314eLUQP8HPbwc+10ZDKzcn9WsqLGuBtfoiCEYZRck=";
     }.${stdenv.system} or (throw "Unsupported platform");
   };
--- a/nixpatches/2023-01-30-mesa-cma-leak.patch
+++ b/nixpatches/2023-01-30-mesa-cma-leak.patch
@@ -1,22 +0,0 @@
 diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
 index 56fa74e5c0c..3573bb0af49 100644
 --- a/pkgs/development/libraries/mesa/default.nix
 +++ b/pkgs/development/libraries/mesa/default.nix
@@ -88,7 +88,7 @@
 let
   # Release calendar: https://www.mesa3d.org/release-calendar.html
   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
 -  version = "22.3.4";
 +  version = "22.3.2";
   branch  = lib.versions.major version;
   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
     ];
 -    sha256 = "37a1ddaf03f41919ee3c89c97cff41e87de96e00e9d3247959cc8279d8294593";
 +    sha256 = "c15df758a8795f53e57f2a228eb4593c22b16dffd9b38f83901f76cd9533140b";
   };
   # TODO:
--- a/nixpatches/2023-02-28-mesa-22.3.6.patch
+++ b/nixpatches/2023-02-28-mesa-22.3.6.patch
@@ -1,23 +0,0 @@
 diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
 index 52633a6d21649..20d839b74c2ea 100644
 --- a/pkgs/development/libraries/mesa/default.nix
 +++ b/pkgs/development/libraries/mesa/default.nix
@@ -88,7 +88,7 @@
 let
   # Release calendar: https://www.mesa3d.org/release-calendar.html
   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
 -  version = "22.3.5";
 +  version = "22.3.6";
   branch  = lib.versions.major version;
   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
     ];
 -    sha256 = "3eed2ecae2bc674494566faab9fcc9beb21cd804c7ba2b59a1694f3d7236e6a9";
 +    hash = "sha256-TsjsZdvbHulETbpylwiQEooZVDpYzwWTG9b1TxJOEX8=";
   };
   # TODO:
--- a/nixpatches/2023-03-03-qtbase-cross-compile.patch
+++ b/nixpatches/2023-03-03-qtbase-cross-compile.patch
@@ -1,34 +0,0 @@
 diff --git a/pkgs/development/libraries/qt-6/modules/qtbase.nix b/pkgs/development/libraries/qt-6/modules/qtbase.nix
 index e71b0a7613d..72779ac57a5 100644
 --- a/pkgs/development/libraries/qt-6/modules/qtbase.nix
 +++ b/pkgs/development/libraries/qt-6/modules/qtbase.nix
@@ -5,6 +5,7 @@
 , version
 , coreutils
 , bison
 +, buildPackages
 , flex
 , gdb
 , gperf
@@ -224,6 +225,8 @@ stdenv.mkDerivation rec {
   ] ++ lib.optionals stdenv.isDarwin [
     # error: 'path' is unavailable: introduced in macOS 10.15
     "-DQT_FEATURE_cxx17_filesystem=OFF"
 +  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
 +    "-DQT_HOST_PATH=${buildPackages.qt6.full}"
   ];
   NIX_LDFLAGS = toString (lib.optionals stdenv.isDarwin [
 diff --git a/pkgs/development/libraries/qt-6/qtModule.nix b/pkgs/development/libraries/qt-6/qtModule.nix
 index 28180d3b0ca..f14c73b10ee 100644
 --- a/pkgs/development/libraries/qt-6/qtModule.nix
 +++ b/pkgs/development/libraries/qt-6/qtModule.nix
@@ -61,7 +61,7 @@ stdenv.mkDerivation (args // {
       if [[ -z "$dontSyncQt" && -f sync.profile ]]; then
         # FIXME: this probably breaks crosscompiling as it's not from nativeBuildInputs
         # I don't know how to get /libexec from nativeBuildInputs to work, it's not under /bin
 -        ${lib.getDev self.qtbase}/libexec/syncqt.pl -version "''${version%%-*}"
 +        perl ${lib.getDev self.qtbase}/libexec/syncqt.pl -version "''${version%%-*}"
       fi
     '';
--- a/nixpatches/2023-03-04-ccache-cross-fix.patch
+++ b/nixpatches/2023-03-04-ccache-cross-fix.patch
@@ -1,65 +0,0 @@
 diff --git a/pkgs/development/tools/misc/ccache/default.nix b/pkgs/development/tools/misc/ccache/default.nix
 index cad25a942d6..9130097ab07 100644
 --- a/pkgs/development/tools/misc/ccache/default.nix
 +++ b/pkgs/development/tools/misc/ccache/default.nix
@@ -2,7 +2,7 @@
 , stdenv
 , fetchFromGitHub
 , substituteAll
 -, binutils
 +, buildPackages
 , asciidoctor
 , cmake
 , perl
@@ -33,7 +33,7 @@ let ccache = stdenv.mkDerivation rec {
     # Darwin.
     (substituteAll {
       src = ./force-objdump-on-darwin.patch;
 -      objdump = "${binutils.bintools}/bin/objdump";
 +      objdump = "${buildPackages.binutils.bintools}/bin/objdump";
     })
   ];
@@ -71,11 +71,12 @@ let ccache = stdenv.mkDerivation rec {
   passthru = {
     # A derivation that provides gcc and g++ commands, but that
     # will end up calling ccache for the given cacheDir
 -    links = {unwrappedCC, extraConfig}: stdenv.mkDerivation {
 +    links = {unwrappedCC, extraConfig, targetPrefix ? ""}: stdenv.mkDerivation {
       name = "ccache-links";
       passthru = {
         isClang = unwrappedCC.isClang or false;
         isGNU = unwrappedCC.isGNU or false;
 +        cc = unwrappedCC;
       };
       inherit (unwrappedCC) lib;
       nativeBuildInputs = [ makeWrapper ];
@@ -83,7 +84,7 @@ let ccache = stdenv.mkDerivation rec {
         mkdir -p $out/bin
         wrap() {
 -          local cname="$1"
 +          local cname="${targetPrefix}$1"
           if [ -x "${unwrappedCC}/bin/$cname" ]; then
             makeWrapper ${ccache}/bin/ccache $out/bin/$cname \
               --run ${lib.escapeShellArg extraConfig} \
 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
 index cb6fd2f0c4d..da4aadff3cb 100644
 --- a/pkgs/top-level/all-packages.nix
 +++ b/pkgs/top-level/all-packages.nix
@@ -17383,10 +17383,12 @@ with pkgs;
   # should be owned by user root, group nixbld with permissions 0770.
   ccacheWrapper = makeOverridable ({ extraConfig, cc }:
     cc.override {
 -      cc = ccache.links {
 +      cc = ccache.links ({
         inherit extraConfig;
         unwrappedCC = cc.cc;
 -      };
 +      } // lib.optionalAttrs (cc ? targetPrefix) {
 +        inherit (cc) targetPrefix;
 +      });
     }) {
       extraConfig = "";
       inherit (stdenv) cc;
--- a/nixpatches/2023-03-10-hase.patch
+++ b/nixpatches/2023-03-10-hase.patch
@@ -1,178 +0,0 @@
 diff --git a/pkgs/development/libraries/sparrow3d/default.nix b/pkgs/development/libraries/sparrow3d/default.nix
 new file mode 100644
 index 00000000000..331a02efc5f
 --- /dev/null
 +++ b/pkgs/development/libraries/sparrow3d/default.nix
@@ -0,0 +1,53 @@
 +{ lib
 +, fetchFromGitHub
 +, pkg-config
 +, SDL
 +, SDL_image
 +, SDL_mixer
 +, SDL_net
 +, SDL_ttf
 +, stdenv
 +}:
 +
 +stdenv.mkDerivation (finalAttrs: {
 +  pname = "sparrow3d";
 +  version = "2020-10-06";
 +
 +  src = fetchFromGitHub {
 +    owner = "theZiz";
 +    repo = "sparrow3d";
 +    rev = "2033349d7adeba34bda2c442e1fec22377471134";
 +    hash = "sha256-28j5nbTYBrMN8BQ6XrTlO1D8Viw+RiT3MAl99BAbhR4=";
 +  };
 +
 +  nativeBuildInputs = [
 +    pkg-config
 +  ];
 +
 +  propagatedBuildInputs = [
 +    SDL.dev
 +    SDL_image
 +    SDL_ttf
 +    SDL_mixer
 +    SDL_net
 +  ];
 +
 +  postConfigure = ''
 +    NIX_CFLAGS_COMPILE=$(pkg-config --cflags SDL_image SDL_ttf SDL_mixer SDL_net)
 +  '';
 +
 +  installPhase = ''
 +    mkdir -p $out/{include,lib/pkgconfig}
 +    cp sparrow*.h $out/include
 +    cp libsparrow{3d,Net,Sound}.so $out/lib
 +    substituteAll ${./sparrow3d.pc.in} $out/lib/pkgconfig/sparrow3d.pc
 +  '';
 +
 +  meta = with lib; {
 +    description = "a software renderer for different open handhelds like the gp2x, wiz, caanoo and pandora";
 +    homepage = "https://github.com/theZiz/sparrow3d";
 +    license = licenses.lgpl21;
 +    maintainers = with maintainers; [ colinsane ];
 +    platforms = [ "x86_64-linux" ];
 +  };
 +})
 diff --git a/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in b/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in
 new file mode 100644
 index 00000000000..046e174ea97
 --- /dev/null
 +++ b/pkgs/development/libraries/sparrow3d/sparrow3d.pc.in
@@ -0,0 +1,17 @@
 +prefix=@out@
 +includedir=${prefix}/include
 +libdir=${prefix}/lib
 +
 +Name: sparrow3d
 +Description: a software renderer for different open handhelds like the gp2x, wiz, caanoo and pandora
 +URL: https://github.com/theZiz/sparrow3d
 +Version: @version@
 +Requires: \
 +  sdl \
 +  SDL_image \
 +  SDL_ttf \
 +  SDL_mixer \
 +  SDL_net
 +Cflags: -isystem${includedir}
 +Libs: -L${libdir} -lsparrow3d -lsparrowNet -lsparrowSound
 +
 diff --git a/pkgs/games/hase/default.nix b/pkgs/games/hase/default.nix
 new file mode 100644
 index 00000000000..794b6d017ae
 --- /dev/null
 +++ b/pkgs/games/hase/default.nix
@@ -0,0 +1,49 @@
 +{ lib
 +, fetchFromGitHub
 +, pkg-config
 +, stdenv
 +, sparrow3d
 +, zlib
 +}:
 +
 +stdenv.mkDerivation {
 +  pname = "hase";
 +  version = "2020-10-06";
 +
 +  src = fetchFromGitHub {
 +    owner = "theZiz";
 +    repo = "hase";
 +    rev = "31d6840cdf0c72fc459f10402dae7726096b2974";
 +    hash = "sha256-d9So3E8nCQJ1/BdlwMkGbaFPT9mkX1VzlDGKp71ptEE=";
 +  };
 +  patches = [ ./prefer-dynamic.patch ];
 +
 +  nativeBuildInputs = [
 +    pkg-config
 +  ];
 +
 +  buildInputs = [
 +    sparrow3d
 +    zlib
 +  ];
 +
 +  buildPhase = ''
 +    NIX_CFLAGS_COMPILE=$(pkg-config --cflags sparrow3d zlib)
 +    mkdir -p $out/{bin,share/applications,share/pixmaps}
 +    # build and install are one step, and inseparable without patching
 +    ./install.sh $out
 +  '';
 +
 +  postFixup = ''
 +    substituteInPlace "$out/share/applications/hase.desktop" \
 +      --replace "Exec=hase" "Exec=$out/bin/hase"
 +  '';
 +
 +  meta = with lib; {
 +    description = "Hase is an open source gravity based artillery shooter. It is similar to Worms, Hedgewars or artillery, but the gravity force and direction depends on the mass nearby. It is optimized for mobile game consoles like the GP2X, Open Pandora or GCW Zero";
 +    homepage = "http://ziz.gp2x.de/hase/";
 +    license = licenses.gpl3;
 +    maintainers = with maintainers; [ colinsane ];
 +    platforms = [ "x86_64-linux" ];
 +  };
 +}
 diff --git a/pkgs/games/hase/prefer-dynamic.patch b/pkgs/games/hase/prefer-dynamic.patch
 new file mode 100644
 index 00000000000..ab36e6b2b3d
 --- /dev/null
 +++ b/pkgs/games/hase/prefer-dynamic.patch
@@ -0,0 +1,13 @@
 +diff --git a/Makefile b/Makefile
 +index 95d894e..3c561c1 100644
 +--- a/Makefile
 ++++ b/Makefile
 +@@ -35,7 +35,7 @@ endif
 + LIB += -L$(SPARROW_LIB)
 + INCLUDE += -I$(SPARROW_FOLDER)
 + 
 +-HASE_STATIC = $(SPARROW_LIB)/$(SPARROW3D_STATIC_LIB) $(SPARROW_LIB)/$(SPARROWSOUND_STATIC_LIB) $(SPARROW_LIB)/$(SPARROWNET_STATIC_LIB) $(STATIC)
 ++DYNAMIC += -lsparrow3d -lsparrowSound -lsparrowNet
 + 
 + ifneq ($(TARGET),win32)
 + DYNAMIC += -lz
 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
 index 521b00eb5f5..31052251314 100644
 --- a/pkgs/top-level/all-packages.nix
 +++ b/pkgs/top-level/all-packages.nix
@@ -23550,6 +23550,8 @@ with pkgs;
   spaceship-prompt = callPackage ../shells/zsh/spaceship-prompt {};
 +  sparrow3d = callPackage ../development/libraries/sparrow3d {};
 +
   spdk = callPackage ../development/libraries/spdk { };
   speechd = callPackage ../development/libraries/speechd { };
@@ -35570,6 +35572,8 @@ with pkgs;
   harmonist = callPackage ../games/harmonist { };
 +  hase = callPackage ../games/hase { };
 +
   hedgewars = libsForQt5.callPackage ../games/hedgewars {
     inherit (haskellPackages) ghcWithPackages;
   };
--- a/nixpatches/flake.lock
+++ b/nixpatches/flake.lock
@@ -2,15 +2,16 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1675123384,
+        "lastModified": 1673163619,
-        "narHash": "sha256-RpU+kboEWlIYwbRMGIPBIcztH63CvmqWN1B8GpJogd4=",
+        "narHash": "sha256-B33PFBL64ZgTWgMnhFL3jgheAN/DjHPsZ1Ih3z0VE5I=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e0fa1ece2f3929726c9b98c539ad14b63ae8e4fd",
+        "rev": "8c54d842d9544361aac5f5b212ba04e4089e8efe",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-22.11",
        "type": "indirect"
      }
    },
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
@@ -13,40 +13,26 @@
    hash = "sha256-IvsIcd2wPdz4b/7FMrDrcVlIZjFecCQ9uiL0Umprbx0=";
  })
-  # (fetchpatch {
+  # fix libreoffice build by: Revert "mdds: 2.0.3 -> 2.1.0"
-  #   # stdenv: fix cc for pseudo-crosscompilation
+  # merged 2023/01/25
-  #   # closed because it breaks pkgsStatic (as of 2023/02/12)
+  (fetchpatch {
-  #   url = "https://github.com/NixOS/nixpkgs/pull/196497.diff";
+    url = "https://github.com/NixOS/nixpkgs/pull/212583.diff";
-  #   hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
+    hash = "sha256-nkXgwQUtxYkJT2OzG6Jc72snizW5wHvR1nmh2KDnaPc=";
-  # })
+  })
  # fix handbrake build by: handbrake: 1.5.1 -> 1.6.1
  # PR opened 2023/01/23
  (fetchpatch {
    # see alternate fix: <https://github.com/NixOS/nixpkgs/pull/211834>
    url = "https://github.com/NixOS/nixpkgs/pull/212306.diff";
    hash = "sha256-iQX2NaZaCzZVRlCM0pgXt0gecNwhXGeh3kXEiY38ZIM=";
  })
  ./2022-12-19-i2p-aarch64.patch
-  # fix for CMA memory leak in mesa: <https://gitlab.freedesktop.org/mesa/mesa/-/issues/8198>
+  # fix for <https://gitlab.com/signald/signald/-/issues/345>
-  # fixed in mesa 22.3.6: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21330/diffs>
+  # allows to actually run signald
-  # only necessary on aarch64.
+  ./2023-01-25-signald-update.patch
  # it's a revert of nixpkgs commit dcf630c172df2a9ecaa47c77f868211e61ae8e52
  # ./2023-01-30-mesa-cma-leak.patch
  # upgrade to 22.3.6 instead
  # ./2023-02-28-mesa-22.3.6.patch
  # fix qt6.qtbase and qt6.qtModule to cross-compile.
  # unfortunately there's some tangle that makes that difficult to do via the normal `override` facilities
  ./2023-03-03-qtbase-cross-compile.patch
  # let ccache cross-compile
  # TODO: why doesn't this apply?
  # ./2023-03-04-ccache-cross-fix.patch
  # TODO: point to upstream PR
  ./2023-03-10-hase.patch
  # 2023-03-28: jellyfin-media-player: 1.8.1 -> 1.9.0
  # TODO: i should review/approve this PR if it works
  (fetchpatch {
    url = "https://github.com/NixOS/nixpkgs/pull/220974.diff";
    hash = "sha256-AK/l0vteCEg/ae4E0dS1oWnlLI4xyeyLFJcqMgCQ4RI=";
  })
  # # kaiteki: init at 2022-09-03
  # vendorHash changes too frequently (might not be reproducible).
--- a/overlays/disable-flakey-tests.nix
+++ b/overlays/disable-flakey-tests.nix
@@ -1,201 +0,0 @@
 # disable tests for packages which flake.
 # tests will fail for a variety of reasons:
 # - they were coded with timeouts that aren't reliable under heavy load.
 # - they assume a particular architecture (e.g. x86) whereas i compile on multiple archs.
 # - they assume too much about their environment and fail under qemu.
 #
 (next: prev: {
  # ell = prev.ell.overrideAttrs (_upstream: {
  #   # 2023/02/11
  #   # fixes "TEST FAILED in get_random_return_callback at unit/test-dbus-message-fds.c:278: !l_dbus_message_get_error(message, ((void *)0), ((void *)0))"
  #   # unclear *why* this test fails.
  #   doCheck = false;
  # });
  # fish = prev.fish.overrideAttrs (_upstream: {
  #   # 2023/02/28
  #   # The following tests FAILED:
  #   #     177 - sigint.fish (Failed)
  #   #     241 - torn_escapes.py (Failed)
  #   doCheck = false;
  # });
  # gjs = prev.gjs.overrideAttrs (_upstream: {
  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
  #   doCheck = false;
  # });
  # gssdp = prev.gssdp.overrideAttrs (_upstream: {
  #   # 2023/02/11
  #   # fixes "ERROR:../tests/test-regression.c:429:test_ggo_7: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-error, 1)"
  #   doCheck = false;
  # });
  # gupnp = prev.gupnp.overrideAttrs (_upstream: {
  #   # 2023/02/22
  #   # fixes "Bail out! ERROR:../tests/test-bugs.c:205:test_bgo_696762: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-erro>"
  #   doCheck = false;
  # });
  # json-glib = prev.json-glib.overrideAttrs (_upstream: {
  #   # 2023/02/11
  #   # fixes: "15/15 json-glib:docs / doc-check    TIMEOUT        30.52s   killed by signal 15 SIGTERM"
  #   doCheck = false;
  # });
  # lapack-reference = prev.lapack-reference.overrideAttrs (_upstream: {
  #   # 2023/02/11: test timeouts
  #   # > The following tests FAILED:
  #   # >       93 - LAPACK-xlintstz_ztest_in (Timeout)
  #   # >        98 - LAPACK-xeigtstz_svd_in (Timeout)
  #   # >          99 - LAPACK-xeigtstz_zec_in (Timeout)
  #   doCheck = false;
  # });
  # libadwaita = prev.libadwaita.overrideAttrs (_upstream: {
  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
  #   doCheck = false;
  # });
  # libsecret = prev.libsecret.overrideAttrs (_upstream: {
  #   # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
  #   doCheck = false;
  # });
  # libuv = prev.libuv.overrideAttrs (_upstream: {
  #   # 2023/02/11
  #   # 2 tests fail:
  #   # - not ok 261 - tcp_bind6_error_addrinuse
  #   # - not ok 267 - tcp_bind_error_addrinuse_listen
  #   doCheck = false;
  # });
  libwacom = prev.libwacom.overrideAttrs (_upstream: {
    # 2023/03/30
    # "libwacom:all / pytest TIMEOUT"
    doCheck = false;
    mesonFlags = [ "-Dtests=disabled" ];
  });
  # llvmPackages_12 =
  #   let
  #     tools = prev.llvmPackages_12.tools.extend (self: super: {
  #       libllvm = super.libllvm.overrideAttrs (upstream: {
  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITTest.return_global (2857 of 42084)"
  #         # - nix log /nix/store/6vydavlxh1gvs0vmrkcx9qp67g3h7kcz-llvm-12.0.1.drv
  #         # - wanted by sequoia, rav1e, rustc-1.66.1  (is this right?)
  #         doCheck = false;
  #         # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
  #         cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
  #       });
  #     });
  #   in
  #     # see <nixpkgs:pkgs/development/compilers/llvm/12/default.nix>
  #     # - we copy their strategy / attrset mutilation
  #     prev.llvmPackages_12 // { inherit tools; } // tools;
  # llvmPackages_14 =
  #   let
  #     tools = prev.llvmPackages_14.tools.extend (self: super: {
  #       libllvm = super.libllvm.overrideAttrs (upstream: {
  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITMultipleModuleTest.two_module_global_variables_case (43769 of 46988)"
  #         # - nix log /nix/store/ib2yw6sajnhlmibxkrn7lj7chllbr85h-llvm-14.0.6.drv
  #         # - wanted by clang-11-12-LLVMgold-path, compiler-rt-libc-12.0.1, clang-wrapper-12.0.1  (is this right?)
  #         doCheck = false;
  #         # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
  #         cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
  #       });
  #     });
  #   in
  #     # see <nixpkgs:pkgs/development/compilers/llvm/14/default.nix>
  #     # - we copy their strategy / attrset mutilation
  #     prev.llvmPackages_14 // { inherit tools; } // tools;
  # llvmPackages_15 =
  #   let
  #     tools = prev.llvmPackages_15.tools.extend (self: super: {
  #       libllvm = super.libllvm.override {
  #         # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/..."
  #         # llvm15 passes doCheck as a call arg, so we don't need to set cmakeFlags explicitly as in previous versions
  #         doCheck = false;
  #       };
  #     });
  #   in
  #     prev.llvmPackages_15 // { inherit tools; } // tools;
  # modemmanager = prev.modemmanager.overrideAttrs (_upstream: {
  #   # 2023/02/25
  #   # "ERROR:test-modem-helpers.c:257:test_cmgl_response: assertion failed: (list != NULL)"
  #   doCheck = false;
  #   doInstallCheck = false;  # tests are run during install check??
  # });
  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
    (py-next: py-prev: {
      # ipython = py-prev.ipython.overridePythonAttrs (upstream: {
      #   # > FAILED IPython/core/tests/test_debugger.py::test_xmode_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_disabled - pexpect.exceptions.TIMEOUT: Timeout exceeded.
      #   # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_with_breakpoint - pexpect.exceptions.TIMEOUT: Timeout exceeded.
      #   # > FAILED IPython/core/tests/test_debugger.py::test_where_erase_value - pexpect.exceptions.TIMEOUT: Timeout exceeded.
      #   # > FAILED IPython/terminal/tests/test_debug_magic.py::test_debug_magic_passes_through_generators - pexpect.exceptions.TIMEOUT: Timeout exceeded.
      #   # > FAILED IPython/terminal/tests/test_embed.py::test_nest_embed - pexpect.exceptions.TIMEOUT: Timeout exceeded.
      #   disabledTestPaths = upstream.disabledTestPaths or [] ++ [
      #     "IPython/core/tests/test_debugger.py"
      #     "IPython/terminal/tests/test_debug_magic.py"
      #     "IPython/terminal/tests/test_embed.py"
      #   ];
      # });
      pyarrow = py-prev.pyarrow.overridePythonAttrs (upstream: {
        # 2023/04/02
        # disabledTests = upstream.disabledTests ++ [ "test_generic_options" ];
        disabledTestPaths = upstream.disabledTestPaths or [] ++ [
          "pyarrow/tests/test_flight.py"
        ];
      });
      # pytest-xdist = py-prev.pytest-xdist.overridePythonAttrs (upstream: {
      #   # 2023/02/19
      #   # 4 tests fail:
      #   # - FAILED: testing/test_remote.py::TestWorkInteractor::* - execnet.gateway_base.TimeoutError: no item after 10.0 seconds
      #   # doCheck = false;
      #   disabledTestPaths = upstream.disabledTestPaths or [] ++ [
      #     "testing/test_remote.py"
      #   ];
      #   # disabledTests = upstream.disabledTests or [] ++ [
      #   #   "test_basic_collect_and_runtests"
      #   #   "test_remote_collect_fail"
      #   #   "test_remote_collect_skip"
      #   #   "test_runtests_all"
      #   # ];
      # });
      # twisted = py-prev.twisted.overridePythonAttrs (upstream: {
      #   # 2023/02/25
      #   # ```
      #   # [ERROR]
      #   # Traceback (most recent call last):
      #   #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/test/test_udp.py", line 645, in test_interface
      #   #     self.assertEqual(self.client.transport.getOutgoingInterface(), "0.0.0.0")
      #   #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/internet/udp.py", line 449, in getOutgoingInterface
      #   #     i = self.socket.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF)
      #   # builtins.OSError: [Errno 92] Protocol not available
      #   #
      #   # twisted.test.test_udp.MulticastTests.test_interface
      #   # ```
      #   postPatch = upstream.postPatch + ''
      #     echo 'MulticastTests.test_interface.skip = "Protocol not available"'>> src/twisted/test/test_udp.py
      #   '';
      # });
    })
  ];
  # strp = prev.srtp.overrideAttrs (_upstream: {
  #   # 2023/02/11
  #   # roc_driver test times out after 30s
  #   doCheck = false;
  # });
  tracker = prev.tracker.overrideAttrs (_upstream: {
    # 2023/02/22
    # "27/37 tracker:core / service                          TIMEOUT         60.37s   killed by signal 15 SIGTERM"
    doCheck = false;
  });
  # udisks2 = prev.udisks2.overrideAttrs (_upstream: {
  #   # 2023/02/25
  #   # "udisks-test:ERROR:test.c:61:on_completed_expect_failure: assertion failed (message == expected_message): ("Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11):\nstdout: `OK, deliberately causing a segfault\n'\nstderr: `qemu: uncaught target signal 11 (Segmentation fault) - core dumped\n'" == "Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11): OK, deliberately causing a segfault\n")"
  #   doCheck = false;
  # });
  # upower = prev.upower.overrideAttrs (_upstream: {
  #   # 2023/02/25
  #   # "Tests.test_battery_state_guessing                          TIMEOUT        60.80s   killed by signal 15 SIGTERM"
  #   doCheck = false;
  # });
 })
--- a/overlays/optimizations.nix
+++ b/overlays/optimizations.nix
@@ -1,32 +0,0 @@
 (self: super:
 with self;
 let
  # ccache-able = drv: drv.override { stdenv = builtins.trace "with ccache ${drv.name}" ccacheStdenv; };
  ccache-able = drv: drv.override { stdenv = builtins.trace "with ccache: ${drv.name}" ccacheStdenv; };
 in {
  # TODO: if we link /homeless-shelter/.ccache into the nix environment,
  # then maybe we get better use of upstream caches?
  # ccacheWrapper = super.ccacheWrapper.override {
  #   extraConfig = ''
  #     export CCACHE_DIR="/var/cache/ccache"
  #   '';
  # };
  # ccacheStdenv = super.ccacheStdenv.override {
  #   extraConfig = ''
  #     export CCACHE_DIR="/homeless-shelter/.ccache"
  #   '';
  # };
  # firefox-esr = ccache-able super.firefox-esr;
  # firefox/librewolf distribution is wacky: it grabs the stdenv off of `rustc.llvmPackages`, and really wants those to match.
  # buildMozillaMach = opts: ccache-able (super.buildMozillaMach opts);
  # webkitgtk = ccache-able super.webkitgtk;
  # mesa = ccache-able super.mesa;
  webkitgtk = super.webkitgtk.overrideAttrs (_upstream: {
    # means we drop debug info when linking.
    # this is a trade-off to require less memory when linking, since
    # building `webkitgtk` otherwise requires about 40G+ of RAM.
    # <https://github.com/NixOS/nixpkgs/issues/153528>
    separateDebugInfo = false;
  });
 })
--- a/overlays/pins.nix
+++ b/overlays/pins.nix
@@ -4,18 +4,9 @@
 # - if it's broken by that upstream builder, then pin it: somebody will come along and fix the package.
 # - otherwise, search github issues/PRs for knowledge of it before pinning.
 # - if nobody's said anything about it yet, probably want to root cause it or hold off on updating.
 #
 # note that these pins apply to *all* platforms:
 # - natively compiled packages
 # - cross compiled packages
 # - qemu-emulated packages
 (next: prev: {
  # XXX: when invoked outside our flake (e.g. via NIX_PATH) there is no `next.stable`,
  # so just forward the unstable packages.
  inherit (next.stable or prev)
  ;
  # chromium can take 4 hours to build from source, with no signs of progress.
  # disable it if you're in a rush.
  # chromium = next.emptyDirectory;
 })
--- a/overlays/pkgs.nix
+++ b/overlays/pkgs.nix
@@ -1,42 +1,46 @@
 (next: prev:
  with next;
  let
    sane = rec {
      #### my own, non-upstreamable packages:
-      static-nix-shell = callPackages ../pkgs/static-nix-shell { };
+      sane-scripts = prev.callPackage ../pkgs/sane-scripts { };
-      sane-scripts = callPackage ../pkgs/sane-scripts { };
+      feeds = prev.callPackage ../pkgs/feeds { };
-      feeds = recurseIntoAttrs (callPackage ../pkgs/feeds { });
+      tow-boot-pinephone = prev.callPackage ../pkgs/tow-boot-pinephone { };
-      tow-boot-pinephone = callPackage ../pkgs/tow-boot-pinephone { };
+      tow-boot-rpi4 = prev.callPackage ../pkgs/tow-boot-rpi4 { };
-      tow-boot-rpi4 = callPackage ../pkgs/tow-boot-rpi4 { };
+      bootpart-uefi-x86_64 = prev.callPackage ../pkgs/bootpart-uefi-x86_64 { };
-      bootpart-uefi-x86_64 = callPackage ../pkgs/bootpart-uefi-x86_64 { };
+      bootpart-tow-boot-rpi-aarch64 = prev.callPackage ../pkgs/bootpart-tow-boot-rpi-aarch64 {
-      bootpart-tow-boot-rpi-aarch64 = callPackage ../pkgs/bootpart-tow-boot-rpi-aarch64 { };
+        # not sure why i can't just do `next.callPackage` instead
-      bootpart-u-boot-rpi-aarch64 = callPackage ../pkgs/bootpart-u-boot-rpi-aarch64 { };
+        inherit tow-boot-rpi4;
-      rtl8723cs-firmware = callPackage ../pkgs/rtl8723cs-firmware { };
+      };
-      linux-megous = callPackage ../pkgs/linux-megous {
+      bootpart-u-boot-rpi-aarch64 = prev.callPackage ../pkgs/bootpart-u-boot-rpi-aarch64 {
        # not sure why i can't just do `next.callPackage` instead
        inherit ubootRaspberryPi4_64bit;
      };
      rtl8723cs-firmware = prev.callPackage ../pkgs/rtl8723cs-firmware { };
      linux-megous = prev.callPackage ../pkgs/linux-megous {
        kernelPatches = [
          prev.kernelPatches.bridge_stp_helper
          prev.kernelPatches.request_key_helper
        ];
      };
-      sublime-music-mobile = callPackage ../pkgs/sublime-music-mobile { };
+      sublime-music-mobile = prev.callPackage ../pkgs/sublime-music-mobile { };
      #### customized packages
-      fluffychat-moby = callPackage ../pkgs/fluffychat-moby { };
+      fluffychat-moby = prev.callPackage ../pkgs/fluffychat-moby { };
-      gpodder-configured = callPackage ../pkgs/gpodder-configured { };
+      gpodder-configured = prev.callPackage ../pkgs/gpodder-configured { };
      # jackett doesn't allow customization of the bind address: this will probably always be here.
-      jackett = callPackage ../pkgs/jackett { inherit (prev) jackett; };
+      jackett = prev.callPackage ../pkgs/jackett { inherit (prev) jackett; };
      # mozilla keeps nerfing itself and removing configuration options
-      firefox-unwrapped = callPackage ../pkgs/firefox-unwrapped { inherit (prev) firefox-unwrapped; };
+      firefox-unwrapped = next.callPackage ../pkgs/firefox-unwrapped { inherit (prev) firefox-unwrapped; };
      # patch rpi uboot with something that fixes USB HDD boot
-      ubootRaspberryPi4_64bit = callPackage ../pkgs/ubootRaspberryPi4_64bit { };
+      ubootRaspberryPi4_64bit = prev.callPackage ../pkgs/ubootRaspberryPi4_64bit { };
-      gocryptfs = callPackage ../pkgs/gocryptfs { inherit (prev) gocryptfs; };
+      gocryptfs = prev.callPackage ../pkgs/gocryptfs { inherit (prev) gocryptfs; };
-      browserpass = callPackage ../pkgs/browserpass { inherit (prev) browserpass; };
+      browserpass = prev.callPackage ../pkgs/browserpass { inherit (prev) browserpass; inherit sane-scripts; };
-      fractal-latest = callPackage ../pkgs/fractal-latest { };
+      fractal-latest = prev.callPackage ../pkgs/fractal-latest { };
      #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
@@ -46,14 +50,14 @@
        })
      ];
-      kaiteki = callPackage ../pkgs/kaiteki { };
+      kaiteki = prev.callPackage ../pkgs/kaiteki { };
-      lightdm-mobile-greeter = callPackage ../pkgs/lightdm-mobile-greeter { };
+      lightdm-mobile-greeter = prev.callPackage ../pkgs/lightdm-mobile-greeter { };
-      browserpass-extension = callPackage ../pkgs/browserpass-extension { };
+      browserpass-extension = prev.callPackage ../pkgs/browserpass-extension { };
-      gopass-native-messaging-host = callPackage ../pkgs/gopass-native-messaging-host { };
+      gopass-native-messaging-host = prev.callPackage ../pkgs/gopass-native-messaging-host { };
      tokodon = prev.libsForQt5.callPackage ../pkgs/tokodon { };
      # provided by nixpkgs patch or upstream preview
-      # splatmoji = callPackage ../pkgs/splatmoji { };
+      # splatmoji = prev.callPackage ../pkgs/splatmoji { };
    };
  in sane // { inherit sane; }
 )
--- a/pkgs/browserpass/default.nix
+++ b/pkgs/browserpass/default.nix
@@ -32,8 +32,8 @@ in
    owner = "colin";
    repo = "browserpass-native";
    # don't forcibly append '.gpg'
-    rev = "d3ef88e12cb127914fb0ead762b7baee6913592f";
+    rev = "85bdb08379c03297c1236f66e8764160c922d397";
-    hash = "sha256-FRnFmCJI/1f92DOI1VXSPivSBzIR372gmgLUfLLiuPc=";
+    hash = "sha256-SEfihU+GreWhYfLVr7tTnMCo6Iq20a78F8iVbycOQUQ=";
  };
  installPhase = ''
    make install
--- a/pkgs/feeds/default.nix
+++ b/pkgs/feeds/default.nix
@@ -1,14 +1,12 @@
 { lib
-, callPackage
+, pkgs
 , python3
 , static-nix-shell
 , writeShellScript
 }:
-let
+(lib.makeScope pkgs.newScope (self:
  let
    # TODO: dependency-inject this.
    sane-data = import ../../modules/data { inherit lib; };
-  template = callPackage ./template.nix;
+    template = self.callPackage ./template.nix;
    feed-pkgs = lib.mapAttrs
      (name: feed-details: template {
        feedName = name;
@@ -19,40 +17,26 @@ let
    update-scripts = lib.mapAttrsToList
      (name: feed: builtins.concatStringsSep " " feed.passthru.updateScript)
      feed-pkgs;
-in rec {  # TODO: make this a scope
+  in
-  inherit feed-pkgs;
+    feed-pkgs // {
-  update = static-nix-shell.mkPython3Bin {
+      passthru.updateScript = pkgs.writeShellScript
-    pname = "update";
+        "feeds-update"
-    src = ./.;
+        (builtins.concatStringsSep "\n" update-scripts);
-    pyPkgs = [ "feedsearch-crawler" ];
+
-    srcPath = "update.py";
+      passthru.initFeedScript = pkgs.writeShellScript
  };
  init-feed = writeShellScript
        "init-feed"
        ''
      # this is the `nix run '.#init-feed' <url>` script`
          sources_dir=modules/data/feeds/sources
-      # prettify the URL, by default
+          name="$1"
-      name=$( \
+          url="https://$name"
        echo "$1" \
        | sed 's|^https://||' \
        | sed 's|^http://||' \
        | sed 's|^www\.||' \
        | sed 's|/+$||' \
      )
          json_path="$sources_dir/$name/default.json"
          # the name could have slashes in it, so we want to mkdir -p that
          # but in a way where the least could go wrong.
          pushd "$sources_dir"; mkdir -p "$name"; popd
-      ${update}/bin/update.py "$name" "$json_path"
+          ${./update.py} "$url" "$json_path"
          cat "$json_path"
        '';
-  passthru = {
+    }
-    updateScript = writeShellScript
+))
      "feeds-update"
      (builtins.concatStringsSep "\n" update-scripts);
    initFeedScript = init-feed;
  };
 }
--- a/pkgs/feeds/update.py
+++ b/pkgs/feeds/update.py
@@ -13,13 +13,9 @@ logging.getLogger().setLevel(logging.DEBUG)
 logging.getLogger().addHandler(logging.StreamHandler(sys.stdout))
 logging.getLogger(__name__).debug("logging enabled")
-def try_scheme(url: str, scheme: str):
+url = coerce_url(url, default_scheme="https")
-    url = coerce_url(url, default_scheme=scheme)
+items = search(url, total_timeout=180, request_timeout=90, max_content_length=100*1024*1024)
-    print(f"trying {url}")
+items = sort_urls(items)
    items = search(url, total_timeout=180, request_timeout=90, max_content_length=100*1024*1024)
    return sort_urls(items)
 items = try_scheme(url, "https") or try_scheme(url, "http")
 # print all results
 serialized = [item.serialize() for item in items]
--- a/pkgs/gpodder-configured/default.nix
+++ b/pkgs/gpodder-configured/default.nix
@@ -1,35 +1,19 @@
-{ stdenv
+{ makeWrapper
 , gnome-feeds
 , gpodder
-, makeWrapper
+, linkFarm
 , python3
 , symlinkJoin
 }:
 let
-  pyEnv = python3.withPackages (_ps: [ gnome-feeds.listparser ]);
+  remove-extra = linkFarm "gpodder-remove-extra" [
-  remove-extra = stdenv.mkDerivation {
+    { name = "bin/gpodder-remove-extra"; path = ./remove_extra.py; }
-    pname = "gpodder-remove-extra";
+  ];
    version = "0.1.0";
    src = ./.;
    patchPhase = ''
      substituteInPlace ./remove_extra.py \
        --replace "#!/usr/bin/env nix-shell" "#!${pyEnv.interpreter}"
    '';
    installPhase = ''
      mkdir -p $out/bin
      mv remove_extra.py $out/bin/gpodder-remove-extra
    '';
  };
 in
 # we use a symlinkJoin so that we can inherit the .desktop and icon files from the original gPodder
 (symlinkJoin {
  name = "gpodder-configured";
  paths = [ gpodder remove-extra ];
-  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [ makeWrapper ];
  # gpodder keeps all its feeds in a sqlite3 database.
  # we can configure the feeds externally by wrapping gpodder and just instructing it to import
@@ -45,8 +29,4 @@ in
    unlink $out/share/applications/gpodder.desktop
    sed "s:Exec=.*:Exec=$out/bin/gpodder-configured:" $orig_desktop > $out/share/applications/gpodder.desktop
  '';
  passthru = {
    remove-extra = remove-extra;
  };
 })
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -1,15 +1,12 @@
 { lib
 , pkgs
 , resholve
 , static-nix-shell
 , symlinkJoin
 }:
-let
+# resholve documentation:
-  shell-scripts = resholve.mkDerivation {
+# - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
-    # resholve documentation:
+# - generic: https://github.com/abathur/resholve
-    # - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
+resholve.mkDerivation {
    # - generic: https://github.com/abathur/resholve
  pname = "sane-scripts";
  version = "0.1.0";
@@ -49,7 +46,6 @@ let
        sops
        sudo
        systemd
          transmission
        util-linux
        which
      ];
@@ -90,13 +86,13 @@ let
        "cannot:${sops}/bin/sops"
        "cannot:${ssh-to-age}/bin/ssh-to-age"
        "cannot:${systemd}/bin/systemctl"
          "cannot:${transmission}/bin/transmission-remote"
      ];
    };
  };
  patchPhase = ''
-      # remove python scripts  (we package them further below)
+    # remove python scripts
    # TODO: figure out how to make resholve process only shell scripts
    rm sane-bt-search
    rm sane-date-math
    rm sane-reclaim-boot-space
@@ -106,26 +102,7 @@ let
    mkdir -p $out/bin
    cp -R * $out/bin/
  '';
  };
  bt-search = static-nix-shell.mkPython3Bin {
    pname = "sane-bt-search";
    src = ./src;
    pyPkgs = [ "natsort" "requests" ];
  };
  date-math = static-nix-shell.mkPython3Bin {
    pname = "sane-date-math";
    src = ./src;
  };
  reclaim-boot-space = static-nix-shell.mkPython3Bin {
    pname = "sane-reclaim-boot-space";
    src = ./src;
  };
 in
 symlinkJoin {
  name = "sane-scripts";
  paths = [ shell-scripts bt-search date-math reclaim-boot-space ];
  meta = {
    description = "collection of scripts associated with uninsane systems";
    homepage = "https://git.uninsane.org";
--- a/pkgs/sane-scripts/src/sane-bt-add
+++ b/pkgs/sane-scripts/src/sane-bt-add
@@ -1,46 +0,0 @@
 #!/usr/bin/env bash
 set -e
 endpoint=https://bt.uninsane.org/transmission/rpc
 PASS=$(sudo cat /run/secrets/transmission_passwd)
 options=$(getopt -l film,series:,prefix: -- "" "${@}")
 eval "set -- ${options}"
 prefix=
 while true; do
  case "$1" in
    (--prefix)
      shift
      prefix="$1"
      shift
    ;;
    (--film)
      prefix=Videos/Film/
      shift
    ;;
    (--series)
      shift
      prefix=Videos/Shows/"$1"/
      shift
    ;;
    (--)
      shift
      if [ $# -eq 1 ]; then
        break
      fi
    ;;
    (*)
      echo "invalid arguments"
      exit 1
    ;;
  esac
 done
 # positional ("non-option") parameters
 torrent="$1"
 transmission-remote "$endpoint" \
  --auth "colin:$PASS" \
  --download-dir "/var/lib/uninsane/media/$prefix" \
  --add "$torrent"
--- a/pkgs/sane-scripts/src/sane-bt-search
+++ b/pkgs/sane-scripts/src/sane-bt-search
@@ -1,6 +1,5 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.natsort ps.requests ])"
 # vim: set filetype=python :
 """
 usage: sane-bt-search <query_string>
@@ -20,7 +19,7 @@ ENDPOINTS = dict(
    results="api/v2.0/indexers/all/results"
 )
-@dataclass(eq=True, order=True, unsafe_hash=True)
+@dataclass(eq=True, order=True)
 class Torrent:
    seeders: int
    pub_date: datetime
@@ -64,12 +63,12 @@ class Client:
        return resp.json()
    def query(self, q: str) -> list:
-        torrents = set()
+        torrents = []
        api_res = self.api_call("results", dict(Query=q))
        for r in api_res["Results"]:
            t = Torrent.from_dict(r)
            if t is not None:
-                torrents.add(t)
+                torrents.append(t)
        return sorted(torrents, reverse=True)
--- a/pkgs/sane-scripts/src/sane-bt-show
+++ b/pkgs/sane-scripts/src/sane-bt-show
@@ -1,15 +0,0 @@
 #!/usr/bin/env bash
 endpoint=https://bt.uninsane.org/transmission/rpc
 PASS=$(sudo cat /run/secrets/transmission_passwd)
 if [ "$#" -eq 0 ]; then
  # no specific torrents we want to show, so show all of them.
  # to query specific torrents, note the index and re-invoke this script with that.
  transmission-remote "$endpoint" --auth "colin:$PASS" --list
 else
  for id in $@; do
    transmission-remote "$endpoint" --auth "colin:$PASS" -t "$id" -i
  done
 fi
--- a/pkgs/sane-scripts/src/sane-date-math
+++ b/pkgs/sane-scripts/src/sane-date-math
@@ -1,5 +1,4 @@
-#!/usr/bin/env nix-shell
+#!/usr/bin/env python3
 #!nix-shell -i python3 -p "python3.withPackages (ps: [  ])"
 # i just went overboard playing around with parsers, is all.
 # use this like `./sane-date-math 'today - 5d'`
--- a/pkgs/sane-scripts/src/sane-deadlines
+++ b/pkgs/sane-scripts/src/sane-deadlines
@@ -1,43 +0,0 @@
 #!/usr/bin/env bash
 # processes a tab-separated "deadlines" file and alerts for any upcoming events.
 #
 # deadlines.tsv file format:
 # - <date>\t<reminder-interval>\t<event>
 # - no header
 # - one line per entry
 # - <event> may contain any non-newline and non-tab characters
 # - <notice-interval> is the number of days before the event to start alerting, followed by 'd', e.g. `14d`
 # - <date> should be lexicographically orderable and machine-parsable, e.g. `2023-03-14`
 #
 # example `deadlines.tsv`
 # 2023-03-14	1d	celebrate pi day!
 # 2023-04-18	14d	taxes due
 # 2023-04-01	7d	the other pie day :o
 # configurables:
 deadlines=~/knowledge/planner/deadlines.tsv
 if ! test -f "$deadlines"; then
        echo "WARNING: $deadlines sane-deadlines file not found"
        exit 1
 fi
 now=$(date +%s)
 sort "$deadlines" | while read line; do
        # parse line
        deadline_field=$(echo "$line" | cut -f 1)
        threshold_field=$(echo "$line" | cut -f 2)
        description_field=$(echo "$line" | cut -f 3)
        # normalize dates into seconds since unix epoch
        deadline=$(date -d "$deadline_field" +%s)
        threshold=$(echo "$threshold_field" | sed 's/d/day /g')
        birthtime=$(date -d "$deadline_field - ($threshold)" +%s)
        # show the event iff it's near
        if test "$now" -ge "$birthtime"; then
                days_until=$(( ($deadline - $now) / (24*60*60) ))
                echo "in $days_until day(s): $description_field"
        fi
 done
--- a/pkgs/sane-scripts/src/sane-ip-check
+++ b/pkgs/sane-scripts/src/sane-ip-check
@@ -1,4 +1,3 @@
 #!/usr/bin/env bash
-ip=$(curl --silent https://ipinfo.io/ip)
+curl https://ipinfo.io/ip
-echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
+echo
 exit $?
--- a/pkgs/sane-scripts/src/sane-ip-check-router-wan
+++ b/pkgs/sane-scripts/src/sane-ip-check-router-wan
@@ -3,16 +3,13 @@
 # requires creds
 passwd=$(sudo cat /run/secrets/router_passwd)
 cookie=$(mktemp)
 curlflags="curl --silent --insecure --cookie-jar $cookie --connect-timeout 5"
 # authenticate
-curl $curlflags \
+curl -s --insecure --cookie-jar $cookie \
  --data "username=admin&password=$passwd" \
  https://192.168.0.1
 # query the WAN IP
-ip=$(curl $curlflags \
+curl -s --insecure --cookie $cookie \
  -H "X-Requested-With: XMLHttpRequest" \
  "https://192.168.0.1/cgi/cgi_action?Action=GetConnectionStatus" \
-  | jq -r .wan_status.ipaddr)
+  | jq -r .wan_status.ipaddr
 echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
 exit $?
--- a/pkgs/sane-scripts/src/sane-reclaim-boot-space
+++ b/pkgs/sane-scripts/src/sane-reclaim-boot-space
@@ -1,5 +1,4 @@
-#!/usr/bin/env nix-shell
+#!/usr/bin/env python3
 #!nix-shell -i python3 -p "python3.withPackages (ps: [  ])"
 import os
 import os.path
--- a/pkgs/sane-scripts/src/sane-reclaim-disk-space
+++ b/pkgs/sane-scripts/src/sane-reclaim-disk-space
@@ -1,52 +1,23 @@
 #!/usr/bin/env bash
 # script to reclaim some hard drive space
 # some of this is documented here:
 # - <https://nixos.wiki/wiki/Storage_optimization>
 set -e
-options=$(getopt -l "gc,rmlint,all" -- "" "$@")
+options=$(getopt -l "fast" -o "f" -- "$@")
-eval "set -- ${options}"
+do_rmlint=true
-do_rmlint=false
+for arg in $options; do
-do_gc=false
+  case $arg in
-while true; do
+    -f|--fast)
-  case "$1" in
+      do_rmlint=false
    (--all)
      shift
      do_gc=true
      do_rmlint=true
      ;;
-    (--gc)
+    --)
      shift
      do_gc=true
    ;;
    (--rmlint)
      shift
      do_rmlint=true
    ;;
    (--)
      shift
      if [ $# -eq 0 ]; then
        break
      fi
    ;;
    (*)
      echo "invalid arguments"
      exit 1
      ;;
  esac
 done
 set -x
-# scan the store and hard-link identical files
+# always claim nix garbage
-# nix-store --optimise
+sudo nix-collect-garbage
 if [ $do_gc = true ]
 then
  # TODO: do we need `sudo` here?
  # TODO: `nix-store --gc`?
  sudo nix-collect-garbage
 fi
 if [ $do_rmlint = true ]
 then
--- a/pkgs/static-nix-shell/default.nix
+++ b/pkgs/static-nix-shell/default.nix
@@ -1,30 +0,0 @@
 { stdenv
 , python3
 }:
 {
  # transform a file which uses `#!/usr/bin/env nix-shell` shebang with a `python3` interpreter
  # into a derivation that can be built statically
  mkPython3Bin = { pname, pyPkgs ? [], srcPath ? pname, ... }@attrs: stdenv.mkDerivation (
    let
      evalPyPkgs = ps: builtins.map (name: ps."${name}") pyPkgs;
      pyEnv = python3.withPackages evalPyPkgs;
      pyPkgsStr = builtins.concatStringsSep " " (builtins.map (p: "ps.${p}") pyPkgs);
    in {
      version = "0.1.0";  # default version
      patchPhase = ''
        substituteInPlace ${srcPath} \
          --replace '#!/usr/bin/env nix-shell' '#!${pyEnv.interpreter}' \
          --replace \
            '#!nix-shell -i python3 -p "python3.withPackages (ps: [ ${pyPkgsStr} ])"' \
            '# nix deps evaluated statically'
      '';
      installPhase = ''
        mkdir -p $out/bin
        mv ${srcPath} $out/bin/${srcPath}
        # ensure that all nix-shell references were substituted
        ! grep nix-shell $out/bin/${srcPath}
      '';
    } // attrs
  );
 }
--- a/readme.md
+++ b/readme.md
@@ -32,13 +32,6 @@ this can then be `dd`'d onto a disk and directly booted from a EFI system.
 there's some post-processing to do before running a rebuild on the deployed system (deploying ssh keys, optionally changing fs UUIDs, etc).
 refer to flake.nix for more details.
 ## remote deployment
 some of my systems support cross compilation (i.e. building from x86-64 for an aarch64 host without using emulation).
 - `nixos-rebuild --flake '.#cross-moby' build`
 - `sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)`
 - `nixos-rebuild --flake '.#cross-moby' switch --target-host colin@moby --use-remote-sudo`
 ## building packages
 build anything with
@@ -52,15 +45,11 @@ on the other hand the `packages` output contains only my own packages.
 in addition, my packages are placed into both the global scope and a `sane` scope.
 so use the scoped path when you want to be explicit.
 ```
 nix build sane.linux-megous
 ```
 to build a package precisely how a specific host would see it (in case the host's config customizes it):
 ```
 nix build '.#host-pkgs.moby-cross.xdg-utils'
 ```
 ## using this repo in your own config
 this should be a pretty "standard" flake. just reference it, and import either
--- a/secrets/universal.yaml
+++ b/secrets/universal.yaml
@@ -12,7 +12,6 @@ wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLM
 #ENC[AES256_GCM,data:qlF8rpSMUv6Z/YrOTp7WYs0lcpmSIi/r+gCuiw==,iv:cneNp/0av/ttQvnW4JVX9mj3261QFAzkLIzEMwiKwE8=,tag:FFsPUQBsSeImtymawY4eSg==,type:comment]
 router_passwd: ENC[AES256_GCM,data:Tya3Pd75Yu4=,iv:lqi7SavFnymL+uOQXDEzGxgikB6/ckNOBifjhyjXn1Q=,tag:HG3kf6e2g53uNUGI9FXyqQ==,type:str]
 jackett_apikey: ENC[AES256_GCM,data:2oGczau3f/w/5iCx3aft0V/t0tO5zsr5Xi/HQ1koTTo=,iv:33VPT8GYCPPJ2RUBP6yuLep9YX/VMW9Kt3MyQPmZuO0=,tag:TUIbutJKV5e3Kc9INk5VUA==,type:str]
 transmission_passwd: ENC[AES256_GCM,data:wY9kBcfJCvoPc5YXMgrFxBM=,iv:kjHK30mtcJ8O82Ve1Y4YIFVxaNIoWBWUYB2Zmm0fNMY=,tag:5HjjXP2az22PfkahoMEVwA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -91,8 +90,8 @@ sops:
            YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
            wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-22T22:24:25Z"
+    lastmodified: "2023-01-20T06:57:29Z"
-    mac: ENC[AES256_GCM,data:JJiPwkMCchOAgQ8p6Xnkpov/SJWDuhIzbHCxhEkqQeiFqpTzGPb9RayWElnGyMeyPpM/CVFfqiRhX96RX2q8+8Bp9uPMfKbt+xt521Wo/JnC3QiwChV72gswjNLYzwZx0kNhjCkoVhjITsv7S02XHV8ky1WpBA/JuvBtQcfZZbg=,iv:QwLN4ZNJIyt0XbvbuqB227WgrfkyX3u/gqdNuUYhbq0=,tag:+vwDS62V+GRrw4nDRBgoWA==,type:str]
+    mac: ENC[AES256_GCM,data:J/yLlcmlX6st/d6c8eL/6DKZiHAELb0/zj+5qOjoE2uAgTTFnojaP4ssrmt7BaLQF1MQNnvkchvuwRv+dAVTXkuYPuDWS3YriAKQIXUx9sHIEoY6Aqa37eBwUNUBuxoR6FvfOGtXrIZuS0f7hZr+ddBZgCSBBE54yeH68Va1tZk=,iv:Y/T8qykrqRVQ8eMkNH2DZa6XoGd5nL18h/2SJucVAD8=,tag:OwZfOyLc29c1bJJIA9IW3Q==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/universal/net/README.md
+++ b/secrets/universal/net/README.md
@@ -1,5 +0,0 @@
 ## to add a new network
 - connect to it (via GUI or `iwctl` TUI)
 - find it under `/var/lib/iwd`
 - `sops ./<NETWORK_NICKNAME>.psk.bin` and paste the contents from `/var/lib/iwd/SSID.psk`
        - in same file: add `# SSID=UNQUOTED_NETWORK_NAME` to the top
--- a/secrets/universal/net/archive/2023-02-home-shared.psk.bin
+++ b/secrets/universal/net/archive/2023-02-home-shared.psk.bin
@@ -1,48 +0,0 @@
 {
 	"data": "ENC[AES256_GCM,data:OaFr+OOaBxi0PaApOYLUjJ0NgD5ABBQOaf6KpR9rheE2d1pQNa0jqnD4/ttqJrq8JjZT2Y6GDSwM5gPM,iv:TuyQPPDXM8cJU/GhJpdvxwB8+v6JavHcA+vmLHA3/74=,tag:V6RTKw6Cot4B4sK1JcRGmA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNzNHZWcvTmVVaGFabUU3\ndnZwVFdVcFBXZkoxTFA5WEZMMnRvUDBsS1NrCnRKUTNDZExFL1drSjBTakw1VmZW\nYWJzTUtVN0lrWXdiRk9QaVNmZmRqSjAKLS0tIGtHTzNUUnlnU2duNDF6UUlzUUJa\nSXhxQmRXZEZKK2htenF6N1kzV1VvancKP8jZotJe9188kId6cwVzITNwtELegpzi\nOKrWPWuIveSdMGmMsRDAcQbL0xVN0qd+Y4qsZ9l6e+cVAT3cHb1vDg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLemhLZUwzSVJLNUhYQXQ3\nY3ExU1BJUzY4a24vUjRmazhtc1RIcVpyem1jCmFEVzlIZkxjSUc0RTdqQWRLTGNS\nL3FaRFhjdnZqNFk0WDFSY0xOTENxMkEKLS0tIDVzK1lPM1FlWmZLZFA0ZDlPKzla\naXRqTk90aVNTRHlNZ2FmcVY3b1JKbEkKTu8tiEKyab1bOsgdsRlEWeG9wzdg/d/s\nPfh7rnvf7Ex8Jl6qSq6xMPkv+19EbSpfSq0FRtCue/Wcce3cUmGToA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUY4OW5UNXFjOXQrUklu\nK3poU3RNVnBtc251TmRtMGJ6Z0ordDFhUGhjCms2a1o1Z1plNlpwSlYrUEEzRDZm\naHdEVVIzRnExNVhzci8vN0ZIODh3QzgKLS0tIGUxZ2gvbGM3YnMwVXU1RnNOSlBO\nVE94UFdKaDkwbmV5YjlBWm9ZZkk4Q0UK6CaPAtRrXKUzR29ZfXV8MvqszTu8LkT2\nQPlNJ4ckgTyivyseukR8X5fPKrrXIVtE+C6Xk5mJ6nGKD+oLprhpag==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUk1yL3dLUnBpNWNxMzQw\ncDdVa0szNjBVNnNXdmZwNVNEK1RwUzJTMlhZCm9oV3NaZ3k0SERKMEZCQTRtRUI2\nVmdzWndQT1c4UUh2MzQyMEErdm96NG8KLS0tIG1aUElzK2VjUTNYOGRpbkpZTDVz\ncG9jR0VzNi9jYmdCTU1qMmJtNFNUaU0KkrIx2BKjj7l+52Kk/L8rNZYAsa87z9UH\nDtxhLTnQu8DPtm5o2sbGdEZgt9qKPJiylLNKVne3EyscMaehdB17RA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSUtONWlzZ0JQbDB0L1FU\nWlhCL0p4d3lpamg3YWdIUVhDc1hVRWR1MVhFCkdZbEhnUG0vYTJVZnphdTZNSXBW\nVGdpemc5Q3hSenN4V09ZbTFOK3kzK0UKLS0tIG9ZWkdSMHhzTGJleFF5L2RsdUxK\nSEdtSlB0L2d4TTVWcDJWaE13NjFiTkkKWgfem58/ZKqVaXiL0UGVTjA7AhSkD8Fq\ne/i5HKN1Pvgv8TVPnZ9mtGP2gwwkoFYgxM8/0jBjJUm4QDbTkocVJw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNR05jQnJZZDNndmZnOVNO\nRFhVU3pLUzBxeC9rQlRoVWFCN1Y0bjhBM25VCmJKSzhkMjF1L3pGRjZmOURNeUZE\nTU8vN2pYVmZzdWdpaVdqcXloNGhTSlUKLS0tIGovSG84amhyTFZHZ2FNdTl3SzJj\nN1dObkd6K2J0Y2Q5bG5DR0VaUk1uSlUKxShDW7BD6sENlFjqp7/wFbV4g4gD7u5d\npidF9F+vXhpoBIwLlhruzvwyNXG4hQcKfWCnliXhVvNYbgaooDDhRw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MkJ1RkVBeHJnR1FGeDVi\nN0htdHZ3cVNCcTJabnlkSUQ4aHUxRndvbVhZClk2d2ZRTlJIVTg1T3dkKzdMRXJt\nNXh5OWtud3gvNWNkRWI1UE1kSytYOUUKLS0tIHhhQVpmRWtTYVFjSUN5aEVYWDJx\nS3hDMlFkVGQyM2U5QjlJMko4OGRWdkEKG98s0QVSs1o4MQ9937okXDS4WH41S1Aq\nUSL8idmlPUJzgdHshuLv2Ic2RXVjJu8V508trO8bTymrqkNAQ0miMA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraXJQOHR6ZzE5TjNQYmpB\nSStEQS9mcUpMSXlFQ05DcllFSjNOT1pWdVJZCmtSL3FkZ2Q1cU1Fc1dZbG13eXJC\nTXJkN0NzWTlDOEFMRGNQUG5HQUNUVDgKLS0tIGRwcmVxS0lNQ09GdmxKY2pkQ2Yz\nSkpZam1ZQUN1L1FZZ010ZlhUV1N4VlkKqsFAE+xZ24IMzIFjbsgANdjiGwVZk5rq\n66y00bjw+uj6WOwQuE1I9WcYDhCXEUQB9u4Q+hzejaFzCJ90N/WF4w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2023-01-07T03:06:02Z",
 		"mac": "ENC[AES256_GCM,data:L3wY2ZdR1ASbLbKXiipWfBiQ5cumItuiL1+TwTJhU5ZtxLe6SMUyhckvuX8hczlFPUlJQJDCwpgVBs9C6GRAU45jzHYmpcfF30auiRT2dF/2doH9yiYZoF7JtbTas0Kvt1yxlPfuTi5mFuJGAKDOw6+a5ayQHYlK3/RxAUn0yPc=,iv:U/vlmvI1l4u92eUDXRphS0tscLOlWorOdmT7wDwGbAM=,tag:bQayboRgsMKT6akDq+rzQw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/archive/2023-02-home-bedroom.psk.bin
+++ b/secrets/universal/net/archive/2023-02-home-bedroom.psk.bin
--- a/secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin
+++ b/secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Colin	09cb75319f	get sane.packages to work better. still needs cleanup	2023-02-03 01:05:58 +00:00
Colin	4ed0a9127c	programs: enable persistence	2023-02-02 12:35:42 +00:00
Colin	d0dca651be	modules: add a `sane.programs` interface which i can use going forward in place of `sane.packages`	2023-02-02 12:31:13 +00:00