cross compilation: push ccache into every build -> host package

get moby packages to selectively use ccache
this is a liiittle bit weird: we might want to just apply it to everything.
2023-03-06 11:20:24 +00:00 · 2023-03-05 09:25:03 +00:00 · 2023-03-05 07:20:38 +00:00 · 2023-03-05 03:50:04 +00:00 · 2023-03-05 03:13:43 +00:00 · 2023-03-05 03:13:11 +00:00
93 changed files with 3900 additions and 1566 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -15,35 +15,14 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1667907331,
        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-22.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1674779092,
+        "lastModified": 1677431790,
-        "narHash": "sha256-mFBD0Dvjf8tuxWtJhsCQ+8VYqI4fQeWjd/vfWsZiRRo=",
+        "narHash": "sha256-diCr0inBOSQYehHSxYQ2Wb5dYSrLfJYqbH2gJYmSL/c=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "80ece5a61738fbf3b96fdda402ab2dfc74ee5cee",
+        "rev": "c252e7bd9122704f0e0303c638f8b8412c2521c2",
        "type": "github"
      },
      "original": {
@@ -52,46 +31,46 @@
        "type": "github"
      }
    },
    "nix-serve": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1675958846,
        "narHash": "sha256-/nf09eM2vey9GrAXoqagccJrBo/fGyVKP7oNSxPqwdo=",
        "owner": "edolstra",
        "repo": "nix-serve",
        "rev": "7089565e260267c9c234a81292c841958737cef6",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "nix-serve",
        "type": "github"
      }
    },
    "nixpkgs": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-unpatched"
        ]
      },
      "locked": {
-        "lastModified": 1,
+        "lastModified": 1606086654,
-        "narHash": "sha256-5pNu9Ph1LIBj5q9RWLV3r7daANjmd4u5y+MVq8vlfS4=",
+        "narHash": "sha256-VFl+3eGIMqNp7cyOMJ6TjM/+UcsLKtodKoYexrlTJMI=",
-        "path": "/nix/store/bjzsgw8zn4av0dv4sqyj7vxhi43na16y-source/nixpatches",
+        "owner": "NixOS",
-        "type": "path"
+        "repo": "nixpkgs",
        "rev": "19db3e5ea2777daa874563b5986288151f502e27",
        "type": "github"
      },
      "original": {
-        "path": "/nix/store/bjzsgw8zn4av0dv4sqyj7vxhi43na16y-source/nixpatches",
+        "id": "nixpkgs",
-        "type": "path"
+        "ref": "nixos-20.09",
        "type": "indirect"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1674692158,
+        "lastModified": 1677367679,
-        "narHash": "sha256-oqGpwVg4D+eMSgF7Th5Ve1ysCiH3H3g85vGJ3nvJsZQ=",
+        "narHash": "sha256-pOMXi7F9tcHls06Qv+7XCPASTJeXu47Jhd0Pk9du8T4=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "def9e420d27c951026d57dc96ce0218c3131f412",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
        "lastModified": 1674352297,
        "narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
+        "rev": "ea736343e4d4a052e023d54b23334cf685de479c",
        "type": "github"
      },
      "original": {
@@ -103,11 +82,11 @@
    },
    "nixpkgs-unpatched": {
      "locked": {
-        "lastModified": 1674641431,
+        "lastModified": 1676569297,
-        "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
+        "narHash": "sha256-2n4C4H3/U+3YbDrQB6xIw7AaLdFISCCFwOkcETAigqU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
+        "rev": "ac1f5b72a9e95873d1de0233fddcb56f99884b37",
        "type": "github"
      },
      "original": {
@@ -119,10 +98,8 @@
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "mobile-nixos": "mobile-nixos",
-        "nixpkgs": "nixpkgs",
+        "nix-serve": "nix-serve",
        "nixpkgs-stable": "nixpkgs-stable",
        "nixpkgs-unpatched": "nixpkgs-unpatched",
        "sops-nix": "sops-nix",
        "uninsane-dot-org": "uninsane-dot-org"
@@ -131,16 +108,16 @@
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unpatched"
        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1674546403,
+        "lastModified": 1677381477,
-        "narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
+        "narHash": "sha256-NLzWgll+Q0Af8gI1ha34OHt7Y1GtOMYhCWQWV9LXE9Y=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
+        "rev": "83fe25c8019db8216f5c6ffc65b394707784b4f3",
        "type": "github"
      },
      "original": {
@@ -153,15 +130,15 @@
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unpatched"
        ]
      },
      "locked": {
-        "lastModified": 1666870107,
+        "lastModified": 1675131883,
-        "narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
+        "narHash": "sha256-yBgJDG72YqIr1bltasqHD1E/kHc9uRFgDjxDmy6kI8M=",
        "ref": "refs/heads/master",
-        "rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
+        "rev": "b099c24091cc192abf3997b94342d4b31cc5757b",
-        "revCount": 164,
+        "revCount": 170,
        "type": "git",
        "url": "https://git.uninsane.org/colin/uninsane"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -19,46 +19,61 @@
  # but `inputs` is required to be a strict attrset: not an expression.
  inputs = {
    # <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
-    nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
+    # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs = {
+
-      url = "./nixpatches";
+    # nixpkgs = {
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
+    #   url = "./nixpatches";
-    };
+    #   inputs.nixpkgs.follows = "nixpkgs-unpatched";
    # };
    mobile-nixos = {
      # <https://github.com/nixos/mobile-nixos>
      url = "github:nixos/mobile-nixos";
      flake = false;
    };
    home-manager = {
      # <https://github.com/nix-community/home-manager/tree/release-22.05>
      url = "github:nix-community/home-manager?ref=release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      # <https://github.com/Mic92/sops-nix>
      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs.follows = "nixpkgs-unpatched";
    };
    uninsane-dot-org = {
      url = "git+https://git.uninsane.org/colin/uninsane";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs.follows = "nixpkgs-unpatched";
    };
    nix-serve = {
      # <https://github.com/edolstra/nix-serve>
      url = "github:edolstra/nix-serve";
    };
  };
  outputs = {
    self,
    nixpkgs,
    nixpkgs-stable,
    nixpkgs-unpatched,
    mobile-nixos,
    home-manager,
    sops-nix,
-    uninsane-dot-org
+    uninsane-dot-org,
-  }:
+    nix-serve,
    ...
  }@inputs:
    let
      inherit (builtins) attrNames listToAttrs map mapAttrs;
      mapAttrs' = f: set:
        listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
      # mapAttrs but without the `name` argument
      mapAttrValues = f: mapAttrs (_: f);
      # rather than apply our nixpkgs patches as a flake input, do that here instead.
      # this (temporarily?) resolves the bad UX wherein a subflake residing in the same git
      # repo as the main flake causes the main flake to have an unstable hash.
      nixpkgs = (import ./nixpatches/flake.nix).outputs {
        self = nixpkgs;
        nixpkgs = nixpkgs-unpatched;
      };
      nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
      evalHost = { name, local, target }:
@@ -71,9 +86,6 @@
          nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
        in
          (nixosSystem {
            # we use pkgs built for and *by* the target, i.e. emulation, by default.
            # cross compilation only happens on explicit access to `pkgs.cross`
            system = target;
            modules = [
              (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
              self.nixosModules.default
@@ -83,22 +95,47 @@
                  self.overlays.default
                  self.overlays.passthru
                  self.overlays.pins
                  # self.overlays.optimizations
                ];
                nixpkgs.hostPlatform = target;
                # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
                # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
              }
            ];
          });
    in {
-      nixosConfigurations = {
+      nixosConfigurations =
-        servo = evalHost { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+        let
-        desko = evalHost { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+          hosts = {
-        lappy = evalHost { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+            servo =  { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        moby = evalHost { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
+            desko =  { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
+            lappy =  { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        # note that these *do* produce different store paths, because the closure for the tools used to cross compile
+            moby  =  { name = "moby";  local = "x86_64-linux"; target = "aarch64-linux"; };
-        # v.s. emulate differ.
+            rescue = { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        # so deploying foo-cross and then foo incurs some rebuilding.
+          };
-        moby-cross = evalHost { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
+          # cross-compiled builds: instead of emulating the host, build using a cross-compiler.
-        rescue = evalHost { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+          # - these are faster to *build* than the emulated variants (useful when tweaking packages),
          # - but fewer of their packages can be found in upstream caches.
          cross = mapAttrValues evalHost hosts;
          emulated = mapAttrValues
            ({name, local, target}: evalHost {
              inherit name target;
              local = null;
            })
            hosts;
          prefixAttrs = prefix: attrs: mapAttrs'
            (name: value: {
              name = prefix + name;
              inherit value;
            })
            attrs;
        in
          (prefixAttrs "cross-" cross) //
          (prefixAttrs "emulated-" emulated) // {
            # prefer native builds for these machines:
            inherit (emulated) servo desko lappy rescue;
            # prefer cross-compiled builds for these machines:
            inherit (cross) moby;
          };
      # unofficial output
@@ -115,22 +152,40 @@
      #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
      #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
      #   - `nixos-rebuild --flake './#<host>' switch`
-      imgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.img) self.nixosConfigurations;
+      imgs = mapAttrValues (host: host.config.system.build.img) self.nixosConfigurations;
      # unofficial output
      host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
      overlays = rec {
        default = pkgs;
        pkgs = import ./overlays/pkgs.nix;
        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
        optimizations = import ./overlays/optimizations.nix;
        passthru =
          let
-            stable = next: prev: {
+            stable =
-              stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+              if inputs ? "nixpkgs-stable" then (
-            };
+                next: prev: {
                  stable = inputs.nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
                }
              ) else (next: prev: {});
            mobile = (import "${mobile-nixos}/overlay/overlay.nix");
            uninsane = uninsane-dot-org.overlay;
            # nix-serve' = nix-serve.overlay;
            nix-serve' = next: prev: {
              # XXX(2023/03/02): upstream isn't compatible with modern `nix`. probably the perl bindings.
              # - we use the package built against `nixpkgs` specified in its flake rather than use its overlay,
              #   to get around this.
              inherit (nix-serve.packages."${next.system}") nix-serve;
            };
          in
            next: prev:
-              (stable next prev) // (mobile next prev) // (uninsane next prev);
+              (stable next prev)
              // (mobile next prev)
              // (uninsane next prev)
              // (nix-serve' next prev)
            ;
      };
      nixosModules = rec {
@@ -138,7 +193,6 @@
        sane = import ./modules;
        passthru = { ... }: {
          imports = [
            home-manager.nixosModule
            sops-nix.nixosModules.sops
          ];
        };
@@ -156,13 +210,18 @@
        };
      # extract only our own packages from the full set
-      packages = builtins.mapAttrs
+      packages = mapAttrValues
-        (_: full: full.sane // { inherit (full) sane uninsane-dot-org; })
+        (full: full.sane // { inherit (full) sane uninsane-dot-org; })
        self.legacyPackages;
      apps."x86_64-linux" =
        let
          pkgs = self.legacyPackages."x86_64-linux";
          deployScript = action: pkgs.writeShellScript "deploy-moby" ''
            nixos-rebuild --flake '.#cross-moby' build
            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
            nixos-rebuild --flake '.#cross-moby' ${action} --target-host colin@moby --use-remote-sudo
          '';
        in {
          update-feeds = {
            type = "app";
@@ -174,6 +233,17 @@
            type = "app";
            program = "${pkgs.feeds.passthru.initFeedScript}";
          };
          deploy-moby-test = {
            # `nix run '.#deploy-moby-test'`
            type = "app";
            program = ''${deployScript "test"}'';
          };
          deploy-moby-switch = {
            # `nix run '.#deploy-moby-switch'`
            type = "app";
            program = ''${deployScript "switch"}'';
          };
        };
      templates = {
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -4,17 +4,18 @@
    ./fs.nix
  ];
-  # sane.packages.enableDevPkgs = true;
+  sane.roles.build-machine = true;
  sane.roles.client = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
  sane.services.duplicity.enable = true;
  sane.services.nixserve.enable = true;
  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
  sane.persist.enable = true;
  sane.gui.sway.enable = true;
  sane.programs.iphoneUtils.enableFor.user.colin = true;
  sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
@@ -54,7 +55,7 @@
    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
  };
-  sane.persist.home.plaintext = [
+  sane.user.persist.plaintext = [
    ".steam"
    ".local/share/Steam"
  ];
--- a/hosts/by-name/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@@ -8,15 +8,17 @@
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
-  # sane.packages.enableDevPkgs = true;
+  # sane.guest.enable = true;
  # sane.users.guest.enable = true;
  sane.gui.sway.enable = true;
  sane.persist.enable = true;
  sane.nixcache.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  sane.programs.guiApps.suggestedPrograms = [
    "desktopGuiApps"
    "stepmania"
  ];
  sops.secrets.colin-passwd = {
    sopsFile = ../../../secrets/lappy.yaml;
    neededForUsers = true;
--- a/hosts/by-name/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@@ -10,13 +10,6 @@
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
  # cross-compiled documentation is *slow*.
  # no obvious way to natively compile docs (2022/09/29).
  # entrypoint is nixos/modules/misc/documentation.nix
  # doc building happens in nixos/doc/manual/default.nix
  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
  documentation.nixos.enable = false;
  # XXX colin: phosh doesn't work well with passwordless login,
  # so set this more reliable default password should anything go wrong
  users.users.colin.initialPassword = "147147";
@@ -37,18 +30,15 @@
    # addons.sideberry.enable = false;
  };
-  sane.persist.home.plaintext = [
+  sane.user.persist.plaintext = [
    ".config/pulse"  # persist pulseaudio volume
  ];
  # sane.packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
  sane.packages.extraUserPkgs = [
    pkgs.plasma5Packages.konsole  # terminal
  ];
  sane.nixcache.enable = true;
  sane.persist.enable = true;
  sane.gui.phosh.enable = true;
  # sane.programs.consoleUtils.enableFor.user.colin = false;
  # sane.programs.guiApps.enableFor.user.colin = false;
  sane.programs.sequoia.enableFor.user.colin = false;
  boot.loader.efi.canTouchEfiVariables = false;
  # /boot space is at a premium. default was 20.
--- a/hosts/by-name/moby/kernel.nix
+++ b/hosts/by-name/moby/kernel.nix
@@ -114,7 +114,7 @@ in
  # - phone rotation sensor is off by 90 degrees
  # - ambient light sensor causes screen brightness to be shakey
  # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
  boot.kernelPatches = [
    (patchDefconfig (kernelConfig //
--- a/hosts/by-name/rescue/default.nix
+++ b/hosts/by-name/rescue/default.nix
@@ -7,6 +7,7 @@
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
  system.stateVersion = "21.05";
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -8,12 +8,14 @@
    ./services
  ];
-  sane.packages.extraUserPkgs = with pkgs; [
+  sane.programs = {
    # for administering services
-    freshrss
+    freshrss.enableFor.user.colin = true;
-    matrix-synapse
+    matrix-synapse.enableFor.user.colin = true;
-    signaldctl
+    signaldctl.enableFor.user.colin = true;
-  ];
+  };
  sane.roles.build-machine = true;
  sane.persist.enable = true;
  sane.services.dyn-dns.enable = true;
  sane.services.wg-home.enable = true;
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@@ -38,11 +38,11 @@
  ];
  networking.firewall.allowedTCPPortRanges = [{
    from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
  }];
  networking.firewall.allowedUDPPortRanges = [{
    from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
  }];
  # provide access to certs
--- a/hosts/by-name/servo/services/postfix.nix
+++ b/hosts/by-name/servo/services/postfix.nix
@@ -1,3 +1,6 @@
 # DOCS:
 # - dovecot config: <https://doc.dovecot.org/configuration_manual/>
 { config, lib, ... }:
 let
@@ -143,6 +146,25 @@ in
  # inspired by https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/
  services.dovecot2.enable = true;
  services.dovecot2.mailboxes = {
    # special-purpose mailboxes: "All" "Archive" "Drafts" "Flagged" "Junk" "Sent" "Trash"
    # RFC6154 describes these special mailboxes: https://www.ietf.org/rfc/rfc6154.html
    # how these boxes are treated is 100% up to the client and server to decide.
    # client behavior:
    # iOS
    #   - Drafts: ?
    #   - Sent: works
    #   - Trash: works
    # aerc
    #   - Drafts: works
    #   - Sent: works
    #   - Trash: no; deleted messages are actually deleted
    #       use `:move trash` instead
    # Sent mailbox: all sent messages are copied to it. unclear if this happens server-side or client-side.
    Drafts = { specialUse = "Drafts"; auto = "create"; };
    Sent = { specialUse = "Sent"; auto = "create"; };
    Trash = { specialUse = "Trash"; auto = "create"; };
  };
  services.dovecot2.sslServerCert = "/var/lib/acme/imap.uninsane.org/fullchain.pem";
  services.dovecot2.sslServerKey = "/var/lib/acme/imap.uninsane.org/key.pem";
  services.dovecot2.enablePAM = false;
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@@ -6,7 +6,7 @@
  sane.services.trust-dns.listenAddrsIPv4 = [
    # specify each address explicitly, instead of using "*".
    # this ensures responses are sent from the address at which the request was received.
-    "192.168.0.5"
+    config.sane.hosts.by-name."servo".lan-ip
    "10.0.1.5"
  ];
  sane.services.trust-dns.quiet = true;
--- a/hosts/common/cross.nix
+++ b/hosts/common/cross.nix
@@ -1,22 +0,0 @@
 { config, ... }:
 let
  mkCrossFrom = localSystem: pkgs: import pkgs.path {
    inherit localSystem;
    crossSystem = pkgs.stdenv.hostPlatform.system;
    inherit (config.nixpkgs) config overlays;
  };
 in
 {
  # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
  # here we just define them all.
  nixpkgs.overlays = [
    (next: prev: {
      # non-emulated packages build *from* local *for* target.
      # for large packages like the linux kernel which are expensive to build under emulation,
      # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
      crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" next;
      crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" next;
    })
  ];
 }
--- a/hosts/common/cross/default.nix
+++ b/hosts/common/cross/default.nix
--- a/hosts/common/cross/kitty-no-docs.patch
+++ b/hosts/common/cross/kitty-no-docs.patch
@@ -0,0 +1,22 @@
 diff --git a/setup.py b/setup.py
 index 2b9d240e..770bc5e7 100755
 --- a/setup.py
 +++ b/setup.py
@@ -1092,11 +1092,12 @@ def c(base_path: str, **kw: object) -> None:
 def create_linux_bundle_gunk(ddir: str, libdir_name: str) -> None:
 -    if not os.path.exists('docs/_build/html'):
 -        make = 'gmake' if is_freebsd else 'make'
 -        run_tool([make, 'docs'])
 -    copy_man_pages(ddir)
 -    copy_html_docs(ddir)
 +    if not os.getenv('KITTY_NO_DOCS'):
 +        if not os.path.exists('docs/_build/html'):
 +            make = 'gmake' if is_freebsd else 'make'
 +            run_tool([make, 'docs'])
 +        copy_man_pages(ddir)
 +        copy_html_docs(ddir)
     for (icdir, ext) in {'256x256': 'png', 'scalable': 'svg'}.items():
         icdir = os.path.join(ddir, 'share', 'icons', 'hicolor', icdir, 'apps')
         safe_makedirs(icdir)
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -1,7 +1,7 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
  imports = [
-    ./cross.nix
+    ./cross
    ./feeds.nix
    ./fs.nix
    ./hardware.nix
@@ -10,25 +10,18 @@
    ./ids.nix
    ./machine-id.nix
    ./net.nix
    ./persist.nix
    ./programs.nix
    ./secrets.nix
    ./ssh.nix
    ./users.nix
    ./vpn.nix
  ];
  sane.home-manager.enable = true;
  sane.nixcache.enable-trusted-keys = true;
-  sane.packages.enableConsolePkgs = true;
+  sane.nixcache.enable = lib.mkDefault true;
-  sane.packages.enableSystemPkgs = true;
+  sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
-
+  sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
  sane.persist.sys.plaintext = [
    "/var/log"
    "/var/backup"  # for e.g. postgres dumps
    # TODO: move elsewhere
    "/var/lib/alsa"                # preserve output levels, default devices
    "/var/lib/colord"              # preserve color calibrations (?)
    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
  ];
  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
  sane.fs."/var/lib/private".dir.acl.mode = "0700";
@@ -50,16 +43,29 @@
  fonts = {
    enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
+    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
    fontconfig.enable = true;
    fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
+      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
      monospace = [ "Hack" ];
      serif = [ "DejaVu Serif" ];
      sansSerif = [ "DejaVu Sans" ];
    };
  };
  # XXX: twitter-color-emoji doesn't cross-compile; but not-fonts-emoji does
  # fonts = {
  #   enableDefaultFonts = true;
  #   fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
  #   fontconfig.enable = true;
  #   fontconfig.defaultFonts = {
  #     emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
  #     monospace = [ "Hack" ];
  #     serif = [ "DejaVu Serif" ];
  #     sansSerif = [ "DejaVu Sans" ];
  #   };
  # };
  # disable non-required packages like nano, perl, rsync, strace
  environment.defaultPackages = [];
@@ -75,8 +81,20 @@
    # NIXOS_OZONE_WL = "1";
    # LIBGL_ALWAYS_SOFTWARE = "1";
  };
-  # enable zsh completions
+
-  environment.pathsToLink = [ "/share/zsh" ];
+  # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
  # find keys/values with `dconf dump /`
  programs.dconf.enable = true;
  programs.dconf.packages = [
    (pkgs.writeTextFile {
      name = "dconf-user-profile";
      destination = "/etc/dconf/profile/user";
      text = ''
        user-db:user
        system-db:site
      '';
    })
  ];
  # link debug symbols into /run/current-system/sw/lib/debug
  # hopefully picked up by gdb automatically?
--- a/hosts/common/home/aerc.nix
+++ b/hosts/common/home/aerc.nix
@@ -1,12 +1,11 @@
 # Terminal UI mail client
-{ config, lib, sane-lib, ... }:
+{ config, sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
  sops.secrets."aerc_accounts" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
    format = "binary";
  };
-  sane.fs."/home/colin/.config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
+  sane.user.fs.".config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
 }
--- a/hosts/common/home/default.nix
+++ b/hosts/common/home/default.nix
@@ -13,6 +13,8 @@
    ./mpv.nix
    ./neovim.nix
    ./newsflash.nix
    ./offlineimap.nix
    ./ripgrep.nix
    ./splatmoji.nix
    ./ssh.nix
    ./sublime-music.nix
--- a/hosts/common/home/firefox.nix
+++ b/hosts/common/home/firefox.nix
@@ -125,16 +125,17 @@ in
        # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
        # browserpass-ce.package = addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=";
        browserpass-extension.package = localAddon pkgs.browserpass-extension;
-        bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-JOj5P7c2JTTReHCRZXm4BscaGr3i+9Y4Ey/y621x8PI=";
+        # TODO: build bypass-paywalls from source? it's mysteriously disappeared from the Mozilla store.
        # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
        ether-metamask.package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
        i2p-in-private-browsing.package = addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=";
        sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
-        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=";
+        sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
        ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
-        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=";
+        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-52lYqMjrS3GVTaybDrH1p6VF90YVkifguCGxobI/fNQ=";
        browserpass-extension.enable = lib.mkDefault true;
-        bypass-paywalls-clean.enable = lib.mkDefault true;
+        # bypass-paywalls-clean.enable = lib.mkDefault true;
        ether-metamask.enable = lib.mkDefault true;
        i2p-in-private-browsing.enable = lib.mkDefault config.services.i2p.enable;
        sidebery.enable = lib.mkDefault true;
@@ -145,7 +146,12 @@ in
    };
  };
-  config = lib.mkIf config.sane.home-manager.enable {
+  config = {
    sane.programs.web-browser = {
      inherit package;
      # TODO: define the persistence & fs config here
    };
    sane.programs.guiApps.suggestedPrograms = [ "web-browser" ];
    # uBlock filter list configuration.
    # specifically, enable the GDPR cookie prompt blocker.
@@ -155,7 +161,7 @@ in
    # the specific attribute path is found via scraping ublock code here:
    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-    sane.fs."/home/colin/${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
      {
       "name": "uBlock0@raymondhill.net",
       "description": "ignored",
@@ -165,26 +171,24 @@ in
       }
      }
    '';
-    sane.fs."/home/colin/${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
      // if we can't query the revocation status of a SSL cert because the issuer is offline,
      // treat it as unrevoked.
      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
      defaultPref("security.OCSP.require", false);
    '';
    sane.packages.extraGuiPkgs = [ package ];
    # flush the cache to disk to avoid it taking up too much tmp
-    sane.persist.home.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
+    sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
      store = cfg.persistCache;
    };
-    sane.persist.home.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
+    sane.user.persist.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
      store = cfg.persistData;
    };
-    sane.fs."/home/colin/${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
+    sane.user.fs."${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
    # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
    # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
-    sane.fs."/home/colin/${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
      [Profile0]
      Name=default
      IsRelative=1
--- a/hosts/common/home/gfeeds.nix
+++ b/hosts/common/home/gfeeds.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
    builtins.toJSON {
      # feed format is a map from URL to a dict,
      #   with dict["tags"] a list of string tags.
--- a/hosts/common/home/git.nix
+++ b/hosts/common/home/git.nix
@@ -1,11 +1,10 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ lib, pkgs, sane-lib, ... }:
 let
  mkCfg = lib.generators.toINI { };
 in
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.fs."/home/colin/.config/git/config" = sane-lib.fs.wantedText (mkCfg {
+  sane.user.fs.".config/git/config" = sane-lib.fs.wantedText (mkCfg {
    user.name = "Colin";
    user.email = "colin@uninsane.org";
    alias.co = "checkout";
--- a/hosts/common/home/gpodder.nix
+++ b/hosts/common/home/gpodder.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
    feeds.feedsToOpml wanted-feeds
  );
 }
--- a/hosts/common/home/keyring.nix
+++ b/hosts/common/home/keyring.nix
@@ -1,11 +1,11 @@
-{ config, lib, sane-lib, ... }:
+{ config, sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.persist.home.private = [ ".local/share/keyrings" ];
+  sane.user.persist.private = [ ".local/share/keyrings" ];
-  sane.fs."/home/colin/private/.local/share/keyrings/default" = {
+  sane.user.fs."private/.local/share/keyrings/default" = {
    generated.script.script = builtins.readFile ../../../scripts/init-keyring;
    # TODO: is this `wantedBy` needed? can we inherit it?
    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
  };
 }
--- a/hosts/common/home/kitty.nix
+++ b/hosts/common/home/kitty.nix
@@ -1,8 +1,7 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ pkgs, sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.fs."/home/colin/.config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
    # docs: https://sw.kovidgoyal.net/kitty/conf/
    # disable terminal bell (when e.g. you backspace too many times)
    enable_audio_bell no
--- a/hosts/common/home/libreoffice.nix
+++ b/hosts/common/home/libreoffice.nix
@@ -1,9 +1,8 @@
-{ config, lib, sane-lib, ... }:
+{ sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
  # libreoffice: disable first-run stuff
-  sane.fs."/home/colin/.config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
    <?xml version="1.0" encoding="UTF-8"?>
    <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
--- a/hosts/common/home/mime.nix
+++ b/hosts/common/home/mime.nix
@@ -1,4 +1,4 @@
-{ config, lib, sane-lib, ...}:
+{ config, sane-lib, ...}:
 let
  www = config.sane.web-browser.browser.desktop;
@@ -9,7 +9,6 @@ let
  # audio = "mpv.desktop";
  audio = "vlc.desktop";
 in
 lib.mkIf config.sane.home-manager.enable
 {
  # the xdg mime type for a file can be found with:
--- a/hosts/common/home/mpv.nix
+++ b/hosts/common/home/mpv.nix
@@ -1,9 +1,8 @@
-{ config, lib, sane-lib, ... }:
+{ sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
  # format is <key>=%<length>%<value>
-  sane.fs."/home/colin/.config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
    save-position-on-quit=%3%yes
    keep-open=%3%yes
  '';
--- a/hosts/common/home/neovim.nix
+++ b/hosts/common/home/neovim.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, pkgs, ... }:
 let
  inherit (builtins) map;
@@ -70,10 +70,9 @@ let
  plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
  plugin-config-lua = concatMapStrings (p: optionalString (p.type or "" == "lua") p.config) plugins;
 in
 lib.mkIf config.sane.home-manager.enable
 {
  # private because there could be sensitive things in the swap
-  sane.persist.home.private = [ ".cache/vim-swap" ];
+  sane.user.persist.private = [ ".cache/vim-swap" ];
  programs.neovim = {
    # neovim: https://github.com/neovim/neovim
--- a/hosts/common/home/newsflash.nix
+++ b/hosts/common/home/newsflash.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
    feeds.feedsToOpml wanted-feeds
  );
 }
--- a/hosts/common/home/offlineimap.nix
+++ b/hosts/common/home/offlineimap.nix
@@ -0,0 +1,17 @@
 # mail archiving/synchronization tool.
 #
 # manually download all emails for an account with
 # - `offlineimap -a <accountname>`
 #
 # view account names inside the secrets file, listed below.
 { config, sane-lib, ... }:
 {
  sops.secrets."offlineimaprc" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/offlineimaprc.bin;
    format = "binary";
  };
  sane.user.fs.".config/offlineimap/config" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.offlineimaprc.path;
 }
--- a/hosts/common/home/ripgrep.nix
+++ b/hosts/common/home/ripgrep.nix
@@ -0,0 +1,9 @@
 { sane-lib, ... }:
 {
  # .ignore file is read by ripgrep (rg), silver searcher (ag), maybe others.
  # ignore translation files by default when searching, as they tend to have
  # a LOT of duplicate text.
  sane.user.fs.".ignore" = sane-lib.fs.wantedText ''
    po/
  '';
 }
--- a/hosts/common/home/splatmoji.nix
+++ b/hosts/common/home/splatmoji.nix
@@ -4,9 +4,9 @@
 { pkgs, sane-lib, ... }:
 {
-  sane.persist.home.plaintext = [ ".local/state/splatmoji" ];
+  sane.user.persist.plaintext = [ ".local/state/splatmoji" ];
-  sane.fs."/home/colin/.config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
-    history_file=/home/colin/.local/state/splatmoji/history
+    history_file=~/.local/state/splatmoji/history
    history_length=5
    # TODO: wayland equiv
    paste_command=xdotool key ctrl+v
--- a/hosts/common/home/ssh.nix
+++ b/hosts/common/home/ssh.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ config, lib, sane-lib, ... }:
 with lib;
 let
@@ -9,11 +9,12 @@ let
    "\n"
    (map (k: k.asHostKey) host-keys)
  ;
-in lib.mkIf config.sane.home-manager.enable {
+in
 {
  # ssh key is stored in private storage
-  sane.persist.home.private = [ ".ssh/id_ed25519" ];
+  sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.fs."/home/colin/.ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+  sane.user.fs.".ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
-  sane.fs."/home/colin/.ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
+  sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
  users.users.colin.openssh.authorizedKeys.keys =
  let
--- a/hosts/common/home/sublime-music.nix
+++ b/hosts/common/home/sublime-music.nix
@@ -1,6 +1,5 @@
-{ config, lib, sane-lib, ... }:
+{ config, sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
  # TODO: this should only be shipped on gui platforms
  sops.secrets."sublime_music_config" = {
@@ -8,5 +7,5 @@ lib.mkIf config.sane.home-manager.enable
    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
    format = "binary";
  };
-  sane.fs."/home/colin/.config/sublime-music/config.json" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.sublime_music_config.path;
+  sane.user.fs.".config/sublime-music/config.json" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.sublime_music_config.path;
 }
--- a/hosts/common/home/vlc.nix
+++ b/hosts/common/home/vlc.nix
@@ -8,9 +8,8 @@ let
    builtins.map (feed: feed.url) wanted-feeds
  );
 in
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.fs."/home/colin/.config/vlc/vlcrc" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/vlc/vlcrc" = sane-lib.fs.wantedText ''
    [podcast]
    podcast-urls=${podcast-urls}
    [core]
--- a/hosts/common/home/xdg-dirs.nix
+++ b/hosts/common/home/xdg-dirs.nix
@@ -1,10 +1,9 @@
-{ config, lib, sane-lib, ...}:
+{ lib, sane-lib, ...}:
 lib.mkIf config.sane.home-manager.enable
 {
  # XDG defines things like ~/Desktop, ~/Downloads, etc.
  # these clutter the home, so i mostly don't use them.
-  sane.fs."/home/colin/.config/user-dirs.dirs" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/user-dirs.dirs" = sane-lib.fs.wantedText ''
    XDG_DESKTOP_DIR="$HOME/.xdg/Desktop"
    XDG_DOCUMENTS_DIR="$HOME/dev"
    XDG_DOWNLOAD_DIR="$HOME/tmp"
@@ -17,5 +16,5 @@ lib.mkIf config.sane.home-manager.enable
  # prevent `xdg-user-dirs-update` from overriding/updating our config
  # see <https://manpages.ubuntu.com/manpages/bionic/man5/user-dirs.conf.5.html>
-  sane.fs."/home/colin/.config/user-dirs.conf" = sane-lib.fs.wantedText "enabled=False";
+  sane.user.fs.".config/user-dirs.conf" = sane-lib.fs.wantedText "enabled=False";
 }
--- a/hosts/common/home/zsh/default.nix
+++ b/hosts/common/home/zsh/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ pkgs, sane-lib, ... }:
 let
  # powerlevel10k prompt config
@@ -25,9 +25,8 @@ let
    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
  '';
 in
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.persist.home.plaintext = [
+  sane.user.persist.plaintext = [
    # we don't need to full zsh dir -- just the history file --
    # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
    # TODO: should be private?
@@ -37,7 +36,10 @@ lib.mkIf config.sane.home-manager.enable
  ];
  # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
-  sane.fs."/home/colin/.config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
+  sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
  # enable zsh completions
  environment.pathsToLink = [ "/share/zsh" ];
  programs.zsh = {
    enable = true;
@@ -81,6 +83,11 @@ lib.mkIf config.sane.home-manager.enable
        pushd "$1";
      }
      expiration=$(date -d "6 Mar" +%s)
      today=$(date +%s)
      days_until=$(( ($expiration - $today) / (24*60*60) ))
      echo "You have $days_until days to renew your driver's license"
      # auto-cd into any of these dirs by typing them and pressing 'enter':
      hash -d 3rd="/home/colin/dev/3rd"
      hash -d dev="/home/colin/dev"
@@ -105,7 +112,7 @@ lib.mkIf config.sane.home-manager.enable
  # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
  # see: https://github.com/sorin-ionescu/prezto
  # i believe this file is auto-sourced by the prezto init.zsh script.
-  sane.fs."/home/colin/.config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
    zstyle ':prezto:*:*' color 'yes'
    # modules (they ship with prezto):
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -1,3 +1,6 @@
 # TODO: migrate to nixpkgs `config.ids.uids`
 # - note that nixpkgs' `config.ids.uids` is strictly a database: it doesn't set anything by default
 #   whereas our impl sets the gid/uid of the user/group specified if they exist.
 { ... }:
 {
@@ -35,7 +38,7 @@
  sane.ids.sshd.uid = 2001;  # 997
  sane.ids.sshd.gid = 2001;  # 997
  sane.ids.polkituser.gid = 2002;  # 998
-  sane.ids.systemd-coredump.gid = 2003;  # 996
+  # sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12: upstream now specifies this as 151
  sane.ids.nscd.uid = 2004;
  sane.ids.nscd.gid = 2004;
  sane.ids.systemd-oom.uid = 2005;
--- a/hosts/common/persist.nix
+++ b/hosts/common/persist.nix
@@ -0,0 +1,18 @@
 { ... }:
 {
  sane.persist.stores.private.origin = "/home/colin/private";
  # store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
  sane.persist.stores.private.prefix = "/home/colin";
  sane.persist.sys.plaintext = [
    "/var/log"
    "/var/backup"  # for e.g. postgres dumps
    # TODO: move elsewhere
    "/var/lib/alsa"                # preserve output levels, default devices
    "/var/lib/colord"              # preserve color calibrations (?)
    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
    "/var/lib/systemd/backlight"   # backlight brightness
    "/var/lib/systemd/coredump"
  ];
 }
--- a/hosts/common/programs.nix
+++ b/hosts/common/programs.nix
@@ -0,0 +1,378 @@
 { lib, pkgs, ... }:
 let
  inherit (builtins) attrNames concatLists;
  inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge optional;
  flattenedPkgs = pkgs // (with pkgs; {
    # XXX can't `inherit` a nested attr, so we move them to the toplevel
    "cacert.unbundled" = pkgs.cacert.unbundled;
    "gnome.cheese" = gnome.cheese;
    "gnome.dconf-editor" = gnome.dconf-editor;
    "gnome.file-roller" = gnome.file-roller;
    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
    "gnome.gnome-maps" = gnome.gnome-maps;
    "gnome.nautilus" = gnome.nautilus;
    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
    "gnome.gnome-terminal" = gnome.gnome-terminal;
    "gnome.gnome-weather" = gnome.gnome-weather;
    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
  });
  sysadminPkgs = {
    inherit (flattenedPkgs)
      btrfs-progs
      "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
      cryptsetup
      dig
      efibootmgr
      fatresize
      fd
      file
      gawk
      git
      gptfdisk
      hdparm
      htop
      iftop
      inetutils  # for telnet
      iotop
      iptables
      jq
      killall
      lsof
      nano
      netcat
      nethogs
      nmap
      openssl
      parted
      pciutils
      powertop
      pstree
      ripgrep
      screen
      smartmontools
      socat
      strace
      subversion
      tcpdump
      tree
      usbutils
      wget
    ;
  };
  sysadminExtraPkgs = {
    # application-specific packages
    inherit (pkgs)
      backblaze-b2
      duplicity
      sqlite  # to debug sqlite3 databases
    ;
  };
  iphonePkgs = {
    inherit (pkgs)
      ifuse
      ipfs
      libimobiledevice
    ;
  };
  tuiPkgs = {
    inherit (pkgs)
      aerc  # email client
      offlineimap  # email mailox sync
      visidata  # TUI spreadsheet viewer/editor
      w3m
    ;
  };
  # TODO: split these into smaller groups.
  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy ("powerutils"?)
  consolePkgs = {
    inherit (pkgs)
      cdrtools
      dmidecode
      efivar
      flashrom
      fwupd
      ghostscript  # TODO: imagemagick wrapper should add gs to PATH
      gnupg
      gocryptfs
      gopass
      gopass-jsonapi
      imagemagick
      kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
      libsecret  # for managing user keyrings
      lm_sensors  # for sensors-detect
      lshw
      ffmpeg
      memtester
      # networkmanager
      nixpkgs-review
      # nixos-generators
      # nettools
      nmon
      oathToolkit  # for oathtool
      # ponymix
      pulsemixer
      python3
      rsync
      # python3Packages.eyeD3  # music tagging
      sane-scripts
      sequoia
      snapper
      sops
      sox
      speedtest-cli
      ssh-to-age
      sudo
      # tageditor  # music tagging
      unar
      wireguard-tools
      xdg-utils  # for xdg-open
      # youtube-dl
      yt-dlp
    ;
  };
  guiPkgs = {
    inherit (flattenedPkgs)
      celluloid  # mpv frontend
      clinfo
      emote
      evince  # works on phosh
      # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
      # foliate  # e-book reader
      # XXX by default fractal stores its state in ~/.local/share/<UUID>.
      # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
      # then reboot (so that libsecret daemon re-loads the keyring...?)
      # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
      # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
      # "gnome.cheese"
      "gnome.dconf-editor"
      gnome-feeds  # RSS reader (with claimed mobile support)
      "gnome.file-roller"
      # "gnome.gnome-maps"  # works on phosh
      "gnome.nautilus"
      # gnome-podcasts
      "gnome.gnome-system-monitor"
      "gnome.gnome-terminal"  # works on phosh
      "gnome.gnome-weather"
      gpodder-configured
      gthumb
      # lollypop
      mpv
      networkmanagerapplet
      # newsflash
      nheko
      pavucontrol
      # picard  # music tagging
      playerctl
      # "libsForQt5.plasmatube"  # Youtube player
      soundconverter
      # sublime music persists any downloaded albums here.
      # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
      # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
      #   possible to pass config as a CLI arg (sublime-music -c config.json)
      # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
      sublime-music-mobile
      # tdesktop  # broken on phosh
      # tokodon
      vlc
      # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
      # whalebird
      xterm  # broken on phosh
    ;
  };
  desktopGuiPkgs = {
    inherit (flattenedPkgs)
      audacity
      chromium
      dino
      electrum
      element-desktop
      font-manager
      gajim  # XMPP client
      gimp  # broken on phosh
      "gnome.gnome-disk-utility"
      handbrake
      inkscape
      kdenlive
      kid3  # audio tagging
      krita
      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
      obsidian
    ;
  };
  x86GuiPkgs = {
    inherit (pkgs)
      discord
      # kaiteki  # Pleroma client
      # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
      # gpt2tc  # XXX: unreliable mirror
      logseq
      losslesscut-bin
      makemkv
      monero-gui
      signal-desktop
      spotify
      tor-browser-bundle-bin
      zecwallet-lite
    ;
  };
  # packages not part of any package set
  otherPkgs = {
    inherit (pkgs)
      stepmania
    ;
  };
  # define -- but don't enable -- the packages in some attrset.
  # use `mkDefault` for the package here so we can customize some of them further down this file
  declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
    package = mkDefault p;
  }) pkgsAsAttrs;
 in
 {
  config = {
    sane.programs = mkMerge [
      (declarePkgs consolePkgs)
      (declarePkgs desktopGuiPkgs)
      (declarePkgs guiPkgs)
      (declarePkgs iphonePkgs)
      (declarePkgs sysadminPkgs)
      (declarePkgs sysadminExtraPkgs)
      (declarePkgs tuiPkgs)
      (declarePkgs x86GuiPkgs)
      (declarePkgs otherPkgs)
      {
        # link the various package sets into their own meta packages
        consoleUtils = {
          package = null;
          suggestedPrograms = attrNames consolePkgs;
        };
        desktopGuiApps = {
          package = null;
          suggestedPrograms = attrNames desktopGuiPkgs;
        };
        guiApps = {
          package = null;
          suggestedPrograms = (attrNames guiPkgs)
            ++ [ "tuiApps" ]
            ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
        };
        iphoneUtils = {
          package = null;
          suggestedPrograms = attrNames iphonePkgs;
        };
        sysadminUtils = {
          package = null;
          suggestedPrograms = attrNames sysadminPkgs;
        };
        sysadminExtraUtils = {
          package = null;
          suggestedPrograms = attrNames sysadminExtraPkgs;
        };
        tuiApps = {
          package = null;
          suggestedPrograms = attrNames tuiPkgs;
        };
        x86GuiApps = {
          package = null;
          suggestedPrograms = attrNames x86GuiPkgs;
        };
      }
      {
        # nontrivial package definitions
        imagemagick.package = pkgs.imagemagick.override {
          ghostscriptSupport = true;
        };
        dino.private = [ ".local/share/dino" ];
        # creds, but also 200 MB of node modules, etc
        discord = {
          package = pkgs.discord.override {
            # XXX 2022-07-31: fix to allow links to open in default web-browser:
            #   https://github.com/NixOS/nixpkgs/issues/78961
            nss = pkgs.nss_latest;
          };
          private = [ ".config/discord" ];
        };
        # creds/session keys, etc
        element-desktop.private = [ ".config/Element" ];
        # `emote` will show a first-run dialog based on what's in this directory.
        # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
        # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
        emote.dir = [ ".local/share/Emote" ];
        # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
        #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
        gpodder-configured.dir = [ "gPodder" ];
        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
        # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
        monero-gui.dir = [ ".bitmonero" ];
        mpv.dir = [ ".config/mpv/watch_later" ];
        # not strictly necessary, but allows caching articles; offline use, etc.
        newsflash.dir = [ ".local/share/news-flash" ];
        nheko.private = [
          ".config/nheko"  # config file (including client token)
          ".cache/nheko"  # media cache
          ".local/share/nheko"  # per-account state database
        ];
        # settings (electron app)
        obsidian.dir = [ ".config/obsidian" ];
        # creds, media
        signal-desktop.private = [ ".config/Signal" ];
        # creds, widevine .so download. TODO: could easily manage these statically.
        spotify.dir = [ ".config/spotify" ];
        # sublime music persists any downloaded albums here.
        # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
        # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
        #   possible to pass config as a CLI arg (sublime-music -c config.json)
        # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
        sublime-music-mobile.dir = [ ".local/share/sublime-music" ];
        tdesktop.private = [ ".local/share/TelegramDesktop" ];
        tokodon.private = [ ".cache/KDE/tokodon" ];
        # hardenedMalloc solves a crash at startup
        # TODO 2023/02/02: is this safe to remove yet?
        tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
          useHardenedMalloc = false;
        };
        # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
        vlc.dir = [ ".config/vlc" ];
        whalebird.private = [ ".config/Whalebird" ];
        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
        zecwallet-lite.private = [ ".zcash" ];
      }
    ];
    # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
    environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
  };
 }
--- a/hosts/common/secrets.nix
+++ b/hosts/common/secrets.nix
@@ -99,18 +99,26 @@
    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-bedroom.psk" = {
    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared-24G.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/makespace-south.psk" = {
    sopsFile = ../../secrets/universal/net/makespace-south.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-shared-24G.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/archive-2023-02-home-shared.psk" = {
    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/iphone" = {
    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
    format = "binary";
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -3,12 +3,12 @@
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 with lib;
 let
-  cfg = config.sane.users;
+  cfg = config.sane.guest;
  fs = sane-lib.fs;
 in
 {
  options = {
-    sane.users.guest.enable = mkOption {
+    sane.guest.enable = mkOption {
      default = false;
      type = types.bool;
    };
@@ -66,6 +66,7 @@ in
    security.pam.mount.enable = true;
    sane.users.colin.default = true;
    # ensure ~ perms are known to sane.fs module.
    # TODO: this is generic enough to be lifted up into sane.fs itself.
    sane.fs."/home/colin".dir.acl = {
@@ -74,7 +75,7 @@ in
      mode = config.users.users.colin.homeMode;
    };
-    sane.persist.home.plaintext = [
+    sane.user.persist.plaintext = [
      "archive"
      "dev"
      # TODO: records should be private
@@ -88,25 +89,26 @@ in
      ".cache/nix"
      ".cache/nix-index"
-      ".cargo"
+
-      ".rustup"
+      # ".cargo"
      # ".rustup"
    ];
    # convenience
-    sane.fs."/home/colin/knowledge" = fs.wantedSymlinkTo "/home/colin/private/knowledge";
+    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
-    sane.fs."/home/colin/nixos" = fs.wantedSymlinkTo "/home/colin/dev/nixos";
+    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
-    sane.fs."/home/colin/Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
+    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.fs."/home/colin/Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
+    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
-    sane.fs."/home/colin/Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
+    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
    # used by password managers, e.g. unix `pass`
-    sane.fs."/home/colin/.password-store" = fs.wantedSymlinkTo "/home/colin/knowledge/secrets/accounts";
+    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
-    sane.persist.sys.plaintext = mkIf cfg.guest.enable [
+    sane.persist.sys.plaintext = mkIf cfg.enable [
      # intentionally allow other users to write to the guest folder
      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
    ];
-    users.users.guest = mkIf cfg.guest.enable {
+    users.users.guest = mkIf cfg.enable {
      isNormalUser = true;
      home = "/home/guest";
      subUidRanges = [
--- a/hosts/instantiate.nix
+++ b/hosts/instantiate.nix
@@ -4,7 +4,7 @@
 { hostName, localSystem }:
 # module args
-{ config, ... }:
+{ config, lib, ... }:
 {
  imports = [
@@ -14,14 +14,16 @@
  ];
  networking.hostName = hostName;
  nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
  sane.cross.enablePatches = localSystem != null;
-  nixpkgs.overlays = [
+  # nixpkgs.overlays = [
-    (next: prev: {
+  #   (next: prev: {
-      # for local != target we by default just emulate the target while building.
+  #     # for local != target we by default just emulate the target while building.
-      # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
+  #     # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
-      # to explicitly opt into non-emulated cross compilation for any specific package.
+  #     # to explicitly opt into non-emulated cross compilation for any specific package.
-      # this is most beneficial for large packages with few pre-requisites -- like Linux.
+  #     # this is most beneficial for large packages with few pre-requisites -- like Linux.
-      cross = next.crossFrom."${localSystem}";
+  #     cross = prev.crossFrom."${localSystem}";
-    })
+  #   })
-  ];
+  # ];
 }
--- a/hosts/modules/default.nix
+++ b/hosts/modules/default.nix
@@ -3,10 +3,13 @@
 {
  imports = [
    ./derived-secrets.nix
    ./gui
    ./hardware
    ./hostnames.nix
    ./hosts.nix
    ./nixcache.nix
    ./roles
    ./services
    ./wg-home.nix
  ];
 }
--- a/hosts/modules/gui/default.nix
+++ b/hosts/modules/gui/default.nix
@@ -0,0 +1,15 @@
 { lib, config, ... }:
 let
  inherit (lib) mkDefault mkIf mkOption types;
  cfg = config.sane.gui;
 in
 {
  imports = [
    ./gnome.nix
    ./phosh.nix
    ./plasma.nix
    ./plasma-mobile.nix
    ./sway.nix
  ];
 }
--- a/hosts/modules/gui/gnome.nix
+++ b/hosts/modules/gui/gnome.nix
@@ -13,7 +13,7 @@ in
  };
  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
    # start gnome/gdm on boot
    services.xserver.enable = true;
@@ -25,7 +25,7 @@ in
    networking.networkmanager.enable = true;
    networking.wireless.enable = lib.mkForce false;
  };
-  # home-mananger.users.colin extras
+  # user extras:
  # obtain these by running `dconf dump /` after manually customizing gnome
  # TODO: fix "is not of type `GVariant value'"
  # dconf.settings = lib.mkIf (gui == "gnome") {
--- a/hosts/modules/gui/phosh.nix
+++ b/hosts/modules/gui/phosh.nix
@@ -20,9 +20,40 @@ in
    };
  };
-  config = mkIf cfg.enable (mkMerge [
+  config = mkMerge [
    {
-      sane.gui.enable = true;
+      sane.programs.phoshApps = {
        package = null;
        suggestedPrograms = [
          "guiApps"
          # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
          "gnome.gnome-bluetooth"
          "phosh-mobile-settings"
          # "plasma5Packages.konsole"  # more reliable terminal
        ];
      };
    }
    {
      sane.programs = {
        inherit (pkgs // {
          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
          "plasma5Packages.konsole" = pkgs.plasma5Packages.konsole;
        })
          phosh-mobile-settings
          "plasma5Packages.konsole"
          # "gnome.gnome-bluetooth"
        ;
      };
    }
    (mkIf cfg.enable {
      sane.programs.phoshApps.enableFor.user.colin = true;
      # TODO(2023/02/28): remove this qt.style = "gtk2" override.
      # gnome by default tells qt to stylize its apps similar to gnome.
      # but the package needed for that doesn't cross-compile, hence i disable that here.
      # qt.platformTheme = "gtk2";
      # qt.style = "gtk2";
      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
      services.xserver.desktopManager.phosh = {
@@ -38,6 +69,26 @@ in
        };
      };
      # phosh enables `services.gnome.{core-os-services, core-shell}`
      # and this in turn enables some default apps we don't really care about.
      # see <nixos/modules/services/x11/desktop-managers/gnome.nix>
      environment.gnome.excludePackages = with pkgs; [
        # gnome.gnome-menus  # unused outside gnome classic, but probably harmless
        gnome-tour
      ];
      services.dleyna-renderer.enable = false;
      services.dleyna-server.enable = false;
      services.gnome.gnome-browser-connector.enable = false;
      services.gnome.gnome-initial-setup.enable = false;
      services.gnome.gnome-online-accounts.enable = false;
      services.gnome.gnome-remote-desktop.enable = false;
      services.gnome.gnome-user-share.enable = false;
      services.gnome.rygel.enable = false;
      # gnome doesn't use mkDefault for these -- unclear why not
      services.gnome.evolution-data-server.enable = mkForce false;
      services.gnome.gnome-online-miners.enable = mkForce false;
      # XXX: phosh enables networkmanager by default; can probably disable these lines
      networking.useDHCP = false;
      networking.networkmanager.enable = true;
@@ -59,14 +110,27 @@ in
        NIXOS_OZONE_WL = "1";
      };
-      sane.packages.extraUserPkgs = with pkgs; [
+      programs.dconf.packages = [
-        phosh-mobile-settings
+        # org.kde.konsole.desktop
        (pkgs.writeTextFile {
          name = "dconf-phosh-settings";
          destination = "/etc/dconf/db/site.d/00_phosh_settings";
          text = ''
            [org/gnome/desktop/interface]
            show-battery-percentage=true
-        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
+            [org/gnome/settings-daemon/plugins/power]
-        gnome.gnome-bluetooth
+            sleep-inactive-ac-timeout=5400
            sleep-inactive-battery-timeout=5400
            [sm/puri/phosh]
            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.gnome.Terminal.desktop']
          '';
        })
      ];
-    }
+    })
-    (mkIf cfg.useGreeter {
+
    (mkIf (cfg.enable && cfg.useGreeter) {
      services.xserver.enable = true;
      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
@@ -92,5 +156,5 @@ in
      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
    })
-  ]);
+  ];
 }
--- a/hosts/modules/gui/plasma-mobile.nix
+++ b/hosts/modules/gui/plasma-mobile.nix
@@ -13,7 +13,8 @@ in
  };
  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
    # start plasma-mobile on boot
    services.xserver.enable = true;
    services.xserver.desktopManager.plasma5.mobile.enable = true;
--- a/hosts/modules/gui/plasma.nix
+++ b/hosts/modules/gui/plasma.nix
@@ -13,7 +13,7 @@ in
  };
  config = mkIf cfg.enable {
-    sane.gui.enable = true;
+    sane.programs.guiApps.enableFor.user.colin = true;
    # start plasma on boot
    services.xserver.enable = true;
--- a/hosts/modules/gui/snippets.txt
+++ b/hosts/modules/gui/snippets.txt
--- a/hosts/modules/gui/sway.nix
+++ b/hosts/modules/gui/sway.nix
@@ -0,0 +1,665 @@
 { config, lib, pkgs, sane-lib, ... }:
 # docs: https://nixos.wiki/wiki/Sway
 with lib;
 let
  cfg = config.sane.gui.sway;
  # docs: https://github.com/Alexays/Waybar/wiki/Configuration
  # format specifiers: https://fmt.dev/latest/syntax.html#syntax
  waybar-config = [
    { # TOP BAR
      layer = "top";
      height = 40;
      modules-left = ["sway/workspaces" "sway/mode"];
      modules-center = ["sway/window"];
      modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
      "sway/window" = {
        max-length = 50;
      };
      # include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
      "custom/mediaplayer" = {
        exec = pkgs.writeShellScript "waybar-mediaplayer" ''
          player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
          if [ "$player_status" = "Playing" ]; then
            echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
          elif [ "$player_status" = "Paused" ]; then
            echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
          fi
        '';
        interval = 2;
        format = "{}  ";
        # return-type = "json";
        on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
        on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
        on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
      };
      network = {
        # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
        interval = 2;
        max-length = 40;
        # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
        format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        format-disconnected = "";
      };
      cpu = {
        format = " {usage:2}%";
        tooltip = false;
      };
      battery = {
        states = {
          good = 95;
          warning = 30;
          critical = 10;
        };
        format = "{icon} {capacity}%";
        format-icons = [
          ""
          ""
          ""
          ""
          ""
        ];
      };
      clock = {
        format-alt = "{:%a, %d. %b  %H:%M}";
      };
    }
  ];
  # waybar-config-text = lib.generators.toJSON {} waybar-config;
  waybar-config-text = (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
  # bare sway launcher
  sway-launcher = pkgs.writeShellScriptBin "sway-launcher" ''
    ${pkgs.sway}/bin/sway --debug > /tmp/sway.log 2>&1
  '';
  # start sway and have it construct the gtkgreeter
  sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
    ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /tmp/sway-as-greeter.log 2>&1
  '';
  # (config file for the above)
  sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
    exec "${gtkgreet-launcher}"
  '';
  # gtkgreet which launches a layered sway instance
  gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
    # NB: the "command" field here is run in the user's shell.
    # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
    ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sway-launcher
  '';
  greeter-session = {
    # greeter session config
    command = "${sway-as-greeter}/bin/sway-as-greeter";
    # alternatives:
    # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
    # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
    # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
  };
  greeterless-session = {
    # no greeter
    command = "${sway-launcher}/bin/sway-launcher";
    user = "colin";
  };
 in
 {
  options = {
    sane.gui.sway.enable = mkOption {
      default = false;
      type = types.bool;
    };
    sane.gui.sway.useGreeter = mkOption {
      description = ''
        launch sway via a greeter (like greetd's gtkgreet).
        sway is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = true;
      type = types.bool;
    };
  };
  config = mkMerge [
    {
      sane.programs.swayApps = {
        package = null;
        suggestedPrograms = [
          "guiApps"
          "swaylock"
          "swayidle"
          "wl-clipboard"
          "mako"  # notification daemon
          # # "pavucontrol"
          "gnome.gnome-bluetooth"
          "gnome.gnome-control-center"
          "sway-contrib.grimshot"
        ];
      };
    }
    {
      sane.programs = {
        inherit (pkgs // {
          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
          "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
        })
          swaylock
          swayidle
          wl-clipboard
          mako
          "gnome.gnome-bluetooth"
          "gnome.gnome-control-center"
          "sway-contrib.grimshot"
        ;
      };
    }
    (mkIf cfg.enable {
      sane.programs.swayApps.enableFor.user.colin = true;
      # swap in these lines to use SDDM instead of `services.greetd`.
      # services.xserver.displayManager.sddm.enable = true;
      # services.xserver.enable = true;
      services.greetd = {
        # greetd source/docs:
        # - <https://git.sr.ht/~kennylevinsen/greetd>
        enable = true;
        settings = {
          default_session = if cfg.useGreeter then greeter-session else greeterless-session;
        };
      };
      # we need the greeter's command to be on our PATH
      users.users.colin.packages = [ sway-launcher ];
      # some programs (e.g. fractal) **require** a "Secret Service Provider"
      services.gnome.gnome-keyring.enable = true;
      # unlike other DEs, sway configures no audio stack
      # administer with pw-cli, pw-mon, pw-top commands
      services.pipewire = {
        enable = true;
        alsa.enable = true;
        alsa.support32Bit = true;  # ??
        pulse.enable = true;
      };
      networking.useDHCP = false;
      networking.networkmanager.enable = true;
      networking.wireless.enable = lib.mkForce false;
      hardware.bluetooth.enable = true;
      services.blueman.enable = true;
      # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
      services.gnome.gnome-settings-daemon.enable = true;
      # start the components of gsd we need at login
      systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
      # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
      # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
      # it doesn't actually seem to need ANY of them in the first place T_T
      systemd.user.targets."gnome-session-initialized".enable = false;
      # bluez can't connect to audio devices unless pipewire is running.
      # a system service can't depend on a user service, so just launch it at graphical-session
      systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
      programs.sway = {
        enable = true;
        wrapperFeatures.gtk = true;
      };
      sane.user.fs.".config/sway/config" =
        let
          fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
          sed = "${pkgs.gnused}/bin/sed";
          wtype = "${pkgs.wtype}/bin/wtype";
          kitty = "${pkgs.kitty}/bin/kitty";
          launcher-cmd = fuzzel;
          terminal-cmd = kitty;
          lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
          vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
          vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
          mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
          brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
          brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
          screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
          # "bookmarking"/snippets inspired by Luke Smith:
          # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
          snip-file = ./snippets.txt;
          # TODO: querying sops here breaks encapsulation
          list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
          strip-comments = "${sed} 's/ #.*$//'";
          snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
          # TODO: next splatmoji release should allow `-s none` to disable skin tones
          emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
        in sane-lib.fs.wantedText ''
          ### default font
          font pango:monospace 8
          ### pixel boundary between windows
          default_border pixel 3
          default_floating_border pixel 2
          hide_edge_borders smart
          ### defaults
          focus_wrapping no
          focus_follows_mouse yes
          focus_on_window_activation smart
          mouse_warping output
          workspace_layout default
          workspace_auto_back_and_forth no
          ### default colors (#border #background #text #indicator #childBorder)
          client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
          client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
          client.unfocused #333333 #222222 #888888 #292d2e #222222
          client.urgent #2f343a #900000 #ffffff #900000 #900000
          client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
          client.background #ffffff
          ### key bindings
          floating_modifier Mod1
          ## media keys
          bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
          bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
          bindsym Mod1+Page_Up exec ${vol-up-cmd}
          bindsym Mod1+Page_Down exec ${vol-down-cmd}
          bindsym XF86AudioMute exec ${mute-cmd}
          bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
          bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
          ## special functions
          bindsym Mod1+Print exec ${screenshot-cmd}
          bindsym Mod1+l exec ${lock-cmd}
          bindsym Mod1+s exec ${snip-cmd}
          bindsym Mod1+slash exec ${emoji-cmd}
          bindsym Mod1+d exec ${launcher-cmd}
          bindsym Mod1+Return exec ${terminal-cmd}
          bindsym Mod1+Shift+q kill
          bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
          bindsym Mod1+Shift+c reload
          ## layout
          bindsym Mod1+b splith
          bindsym Mod1+v splitv
          bindsym Mod1+f fullscreen toggle
          bindsym Mod1+a focus parent
          bindsym Mod1+w layout tabbed
          bindsym Mod1+e layout toggle split
          bindsym Mod1+Shift+space floating toggle
          bindsym Mod1+space focus mode_toggle
          bindsym Mod1+r mode resize
          ## movement
          bindsym Mod1+Up focus up
          bindsym Mod1+Down focus down
          bindsym Mod1+Left focus left
          bindsym Mod1+Right focus right
          bindsym Mod1+Shift+Up move up
          bindsym Mod1+Shift+Down move down
          bindsym Mod1+Shift+Left move left
          bindsym Mod1+Shift+Right move right
          ## workspaces
          bindsym Mod1+1 workspace number 1
          bindsym Mod1+2 workspace number 2
          bindsym Mod1+3 workspace number 3
          bindsym Mod1+4 workspace number 4
          bindsym Mod1+5 workspace number 5
          bindsym Mod1+6 workspace number 6
          bindsym Mod1+7 workspace number 7
          bindsym Mod1+8 workspace number 8
          bindsym Mod1+9 workspace number 9
          bindsym Mod1+Shift+1 move container to workspace number 1
          bindsym Mod1+Shift+2 move container to workspace number 2
          bindsym Mod1+Shift+3 move container to workspace number 3
          bindsym Mod1+Shift+4 move container to workspace number 4
          bindsym Mod1+Shift+5 move container to workspace number 5
          bindsym Mod1+Shift+6 move container to workspace number 6
          bindsym Mod1+Shift+7 move container to workspace number 7
          bindsym Mod1+Shift+8 move container to workspace number 8
          bindsym Mod1+Shift+9 move container to workspace number 9
          ## "scratchpad" = ??
          bindsym Mod1+Shift+minus move scratchpad
          bindsym Mod1+minus scratchpad show
          ### defaults
          mode "resize" {
            bindsym Down resize grow height 10 px
            bindsym Escape mode default
            bindsym Left resize shrink width 10 px
            bindsym Return mode default
            bindsym Right resize grow width 10 px
            bindsym Up resize shrink height 10 px
            bindsym h resize shrink width 10 px
            bindsym j resize grow height 10 px
            bindsym k resize shrink height 10 px
            bindsym l resize grow width 10 px
          }
          ### lightly modified bars
          bar {
            # TODO: fonts was:
            #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
            font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
            mode dock
            hidden_state hide
            position top
            status_command ${pkgs.i3status}/bin/i3status
            swaybar_command ${pkgs.waybar}/bin/waybar
            workspace_buttons yes
            strip_workspace_numbers no
            tray_output primary
            colors {
              background #000000
              statusline #ffffff
              separator #666666
              #  #border #background #text
              focused_workspace #4c7899 #285577 #ffffff
              active_workspace #333333 #5f676a #ffffff
              inactive_workspace #333333 #222222 #888888
              urgent_workspace #2f343a #900000 #ffffff
              binding_mode #2f343a #900000 #ffffff
          }
          }
          ### displays
          ## DESKTOP
          output "Samsung Electric Company S22C300 0x00007F35" {
          pos 0,0
          res 1920x1080
          }
          output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
          pos 1920,0
          res 3440x1440
          }
          ## LAPTOP
          # sh/en TV
          output "Pioneer Electronic Corporation VSX-524 0x00000101" {
          pos 0,0
          res 1920x1080
          }
          # internal display
          output "Unknown 0x0637 0x00000000" {
          pos 1920,0
          res 1920x1080
          }
        '';
      sane.user.fs.".config/waybar/config" = sane-lib.fs.wantedSymlinkTo waybar-config-text;
      # style docs: https://github.com/Alexays/Waybar/wiki/Styling
      sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText ''
        * {
          font-family: monospace;
        }
        /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
        window#waybar {
          background-color: rgba(43, 48, 59, 0.5);
          border-bottom: 3px solid rgba(100, 114, 125, 0.5);
          color: #ffffff;
          transition-property: background-color;
          transition-duration: .5s;
        }
        window#waybar.hidden {
          opacity: 0.2;
        }
        /*
        window#waybar.empty {
          background-color: transparent;
        }
        window#waybar.solo {
          background-color: #FFFFFF;
        }
        */
        window#waybar.termite {
          background-color: #3F3F3F;
        }
        window#waybar.chromium {
          background-color: #000000;
          border: none;
        }
        #workspaces button {
          padding: 0 5px;
          background-color: transparent;
          color: #ffffff;
          /* Use box-shadow instead of border so the text isn't offset */
          box-shadow: inset 0 -3px transparent;
          /* Avoid rounded borders under each workspace name */
          border: none;
          border-radius: 0;
        }
        /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
        #workspaces button:hover {
          background: rgba(0, 0, 0, 0.2);
          box-shadow: inset 0 -3px #ffffff;
        }
        #workspaces button.focused {
          background-color: #64727D;
          box-shadow: inset 0 -3px #ffffff;
        }
        #workspaces button.urgent {
          background-color: #eb4d4b;
        }
        #mode {
          background-color: #64727D;
          border-bottom: 3px solid #ffffff;
        }
        #clock,
        #battery,
        #cpu,
        #memory,
        #disk,
        #temperature,
        #backlight,
        #network,
        #pulseaudio,
        #custom-media,
        #tray,
        #mode,
        #idle_inhibitor,
        #mpd {
          padding: 0 10px;
          color: #ffffff;
        }
        #window,
        #workspaces {
          margin: 0 4px;
        }
        /* If workspaces is the leftmost module, omit left margin */
        .modules-left > widget:first-child > #workspaces {
          margin-left: 0;
        }
        /* If workspaces is the rightmost module, omit right margin */
        .modules-right > widget:last-child > #workspaces {
          margin-right: 0;
        }
        #clock {
          background-color: #64727D;
        }
        #battery {
          background-color: #ffffff;
          color: #000000;
        }
        #battery.charging, #battery.plugged {
          color: #ffffff;
          background-color: #26A65B;
        }
        @keyframes blink {
          to {
            background-color: #ffffff;
            color: #000000;
          }
        }
        #battery.critical:not(.charging) {
          background-color: #f53c3c;
          color: #ffffff;
          animation-name: blink;
          animation-duration: 0.5s;
          animation-timing-function: linear;
          animation-iteration-count: infinite;
          animation-direction: alternate;
        }
        label:focus {
          background-color: #000000;
        }
        #cpu {
          background-color: #2ecc71;
          color: #000000;
        }
        #memory {
          background-color: #9b59b6;
        }
        #disk {
          background-color: #964B00;
        }
        #backlight {
          background-color: #90b1b1;
        }
        #network {
          background-color: #2980b9;
        }
        #network.disconnected {
          background-color: #f53c3c;
        }
        #pulseaudio {
          background-color: #f1c40f;
          color: #000000;
        }
        #pulseaudio.muted {
          background-color: #90b1b1;
          color: #2a5c45;
        }
        #custom-media {
          background-color: #66cc99;
          color: #2a5c45;
          min-width: 100px;
        }
        #custom-media.custom-spotify {
          background-color: #66cc99;
        }
        #custom-media.custom-vlc {
          background-color: #ffa000;
        }
        #temperature {
          background-color: #f0932b;
        }
        #temperature.critical {
          background-color: #eb4d4b;
        }
        #tray {
          background-color: #2980b9;
        }
        #tray > .passive {
          -gtk-icon-effect: dim;
        }
        #tray > .needs-attention {
          -gtk-icon-effect: highlight;
          background-color: #eb4d4b;
        }
        #idle_inhibitor {
          background-color: #2d3436;
        }
        #idle_inhibitor.activated {
          background-color: #ecf0f1;
          color: #2d3436;
        }
        #mpd {
          background-color: #66cc99;
          color: #2a5c45;
        }
        #mpd.disconnected {
          background-color: #f53c3c;
        }
        #mpd.stopped {
          background-color: #90b1b1;
        }
        #mpd.paused {
          background-color: #51a37a;
        }
        #language {
          background: #00b093;
          color: #740864;
          padding: 0 5px;
          margin: 0 5px;
          min-width: 16px;
        }
        #keyboard-state {
          background: #97e1ad;
          color: #000000;
          padding: 0 0px;
          margin: 0 5px;
          min-width: 16px;
        }
        #keyboard-state > label {
          padding: 0 5px;
        }
        #keyboard-state > label.locked {
          background: rgba(0, 0, 0, 0.2);
        }
      '';
      # style = ''
      #   * {
      #     border: none;
      #     border-radius: 0;
      #     font-family: Source Code Pro;
      #   }
      #   window#waybar {
      #     background: #16191C;
      #     color: #AAB2BF;
      #   }
      #   #workspaces button {
      #     padding: 0 5px;
      #   }
      #   .custom-spotify {
      #     padding: 0 10px;
      #     margin: 0 4px;
      #     background-color: #1DB954;
      #     color: black;
      #   }
      # '';
    })
  ];
 }
--- a/hosts/modules/hardware/x86_64.nix
+++ b/hosts/modules/hardware/x86_64.nix
@@ -9,11 +9,6 @@
      # efi_pstore evivars
    ];
    # enable cross compilation
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    # nixpkgs.config.allowUnsupportedSystem = true;
    # nixpkgs.crossSystem.system = "aarch64-linux";
    powerManagement.cpuFreqGovernor = "powersave";
    hardware.cpu.amd.updateMicrocode = true;    # desktop
    hardware.cpu.intel.updateMicrocode = true;  # laptop
--- a/hosts/modules/hosts.nix
+++ b/hosts/modules/hosts.nix
@@ -69,7 +69,7 @@ in
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
      wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
      wg-home.ip = "10.0.10.22";
-      lan-ip = "192.168.0.22";
+      lan-ip = "192.168.15.16";
    };
    sane.hosts.by-name."lappy" = {
@@ -77,7 +77,7 @@ in
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
      wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
      wg-home.ip = "10.0.10.20";
-      lan-ip = "192.168.0.20";
+      lan-ip = "192.168.15.11";
    };
    sane.hosts.by-name."moby" = {
@@ -85,7 +85,7 @@ in
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
      wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
      wg-home.ip = "10.0.10.48";
-      lan-ip = "192.168.0.48";
+      lan-ip = "192.168.15.17";
    };
    sane.hosts.by-name."servo" = {
@@ -94,7 +94,7 @@ in
      wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
      wg-home.ip = "10.0.10.5";
      wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.0.5";
+      lan-ip = "192.168.15.28";
    };
  };
 }
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
@@ -13,6 +13,7 @@
 with lib;
 let
  cfg = config.sane.nixcache;
  hostName = config.networking.hostName;
 in
 {
  options = {
@@ -24,6 +25,16 @@ in
      default = config.sane.nixcache.enable;
      type = types.bool;
    };
    sane.nixcache.substituters = mkOption {
      type = types.listOf types.string;
      default =
        (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
        ++ (lib.optional (hostName != "desko") "http://desko:5000")
        ++ [
          "https://nix-community.cachix.org"
          "https://cache.nixos.org/"
        ];
    };
  };
  config = {
@@ -31,12 +42,7 @@ in
    # to explicitly build from a specific cache (in case others are down):
    # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
    # - `nix build ... --substituters http://desko:5000`
-    nix.settings.substituters = mkIf cfg.enable [
+    nix.settings.substituters = mkIf cfg.enable cfg.substituters;
      "https://nixcache.uninsane.org"
      "http://desko:5000"
      "https://nix-community.cachix.org"
      "https://cache.nixos.org/"
    ];
    # always trust our keys (so one can explicitly use a substituter even if it's not the default
    nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
      "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
--- a/hosts/modules/roles/build-machine.nix
+++ b/hosts/modules/roles/build-machine.nix
@@ -0,0 +1,59 @@
 { config, lib, sane-lib, ... }:
 let
  inherit (lib) mkIf mkMerge mkOption types;
  inherit (config.programs.ccache) cacheDir;
 in
 {
  options.sane.roles.build-machine = mkOption {
    type = types.bool;
    default = false;
  };
  config = mkMerge [
    {
      # programs.ccache.cacheDir = "/var/cache/ccache";  # nixos default
      # programs.ccache.cacheDir = "/homeless-shelter/.ccache";  # ccache default (~/.ccache)
      # if the cache doesn't reside at ~/.ccache, then CCACHE_DIR has to be set.
      # we can do that manually as commented out below, or let nixos do it for us by telling it to use ccache on a dummy package:
      programs.ccache.packageNames = [ "dummy-pkg-to-force-ccache-config" ];
      # nixpkgs.overlays = [
      #   (self: super: {
      #     # XXX: if the cache resides not at ~/.ccache (i.e. /homeless-shelter/.ccache)
      #     # then we need to explicitly tell ccache where that is.
      #     ccacheWrapper = super.ccacheWrapper.override {
      #       extraConfig = ''
      #         export CCACHE_DIR="${cacheDir}"
      #       '';
      #     };
      #   })
      # ];
    }
    (mkIf config.sane.roles.build-machine {
      # serve packages to other machines that ask for them
      sane.services.nixserve.enable = true;
      # enable cross compilation
      boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
      # nixpkgs.config.allowUnsupportedSystem = true;
      # granular compilation cache
      # docs: <https://nixos.wiki/wiki/CCache>
      # investigate the cache with:
      # - `nix-ccache --show-stats`
      # - `build '.#ccache'
      #   - `sudo CCACHE_DIR=/var/cache/ccache ./result/bin/ccache --show-stats -v`
      # TODO: whitelist `--verbose` in <nixpkgs:nixos/modules/programs/ccache.nix>
      # TODO: configure without compression (leverage fs-level compression), and enable file-clone (i.e. hardlinks)
      programs.ccache.enable = true;
      nix.settings.extra-sandbox-paths = [ cacheDir ];
      sane.persist.sys.plaintext = [
        { group = "nixbld"; mode = "0775"; directory = config.programs.ccache.cacheDir; }
      ];
      sane.fs."${cacheDir}/ccache.conf" = sane-lib.fs.wantedText ''
        max_size = 50G
      '';
    })
  ];
 }
--- a/hosts/modules/roles/default.nix
+++ b/hosts/modules/roles/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
    ./build-machine.nix
    ./client
  ];
 }
--- a/hosts/modules/services/default.nix
+++ b/hosts/modules/services/default.nix
@@ -0,0 +1,6 @@
 { ... }:
 {
  imports = [
    ./duplicity.nix
  ];
 }
--- a/hosts/modules/services/duplicity.nix
+++ b/hosts/modules/services/duplicity.nix
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,16 +4,14 @@
  imports = [
    ./feeds.nix
    ./fs
    ./gui
    ./home-manager
    ./ids.nix
-    ./packages.nix
+    ./programs.nix
    ./image.nix
    ./nixcache.nix
    ./persist
    ./services
    ./sops.nix
    ./ssh.nix
    ./users.nix
  ];
  _module.args =  {
--- a/modules/gui/default.nix
+++ b/modules/gui/default.nix
@@ -1,31 +0,0 @@
 { lib, config, ... }:
 with lib;
 let
  cfg = config.sane.gui;
 in
 {
  imports = [
    ./gnome.nix
    ./phosh.nix
    ./plasma.nix
    ./plasma-mobile.nix
    ./sway.nix
  ];
  options = {
    # doesn't directly create outputs. consumed by e.g. home-manager.nix module
    sane.gui.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };
  config = lib.mkIf cfg.enable {
    sane.packages.enableGuiPkgs = lib.mkDefault true;
    # preserve backlight brightness across power cycles
    # see `man systemd-backlight`
    sane.persist.sys.plaintext = [ "/var/lib/systemd/backlight" ];
  };
 }
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -1,631 +0,0 @@
 { config, lib, pkgs, sane-lib, ... }:
 # docs: https://nixos.wiki/wiki/Sway
 with lib;
 let
  cfg = config.sane.gui.sway;
  # docs: https://github.com/Alexays/Waybar/wiki/Configuration
  # format specifiers: https://fmt.dev/latest/syntax.html#syntax
  waybar-config = {
    mainBar = {
      layer = "top";
      height = 40;
      modules-left = ["sway/workspaces" "sway/mode"];
      modules-center = ["sway/window"];
      modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
      "sway/window" = {
        max-length = 50;
      };
      # include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
      "custom/mediaplayer" = {
        exec = pkgs.writeShellScript "waybar-mediaplayer" ''
          player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
          if [ "$player_status" = "Playing" ]; then
            echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
          elif [ "$player_status" = "Paused" ]; then
            echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
          fi
        '';
        interval = 2;
        format = "{}  ";
        # return-type = "json";
        on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
        on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
        on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
      };
      network = {
        # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
        interval = 2;
        max-length = 40;
        # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
        format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        format-disconnected = "";
      };
      cpu = {
        format = " {usage:2}%";
        tooltip = false;
      };
      battery = {
        states = {
          good = 95;
          warning = 30;
          critical = 10;
        };
        format = "{icon} {capacity}%";
        format-icons = [
          ""
          ""
          ""
          ""
          ""
        ];
      };
      clock = {
        format-alt = "{:%a, %d. %b  %H:%M}";
      };
    };
  };
  # waybar-config-text = lib.generators.toJSON {} waybar-config;
  waybar-config-text = (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
 in
 {
  options = {
    sane.gui.sway.enable = mkOption {
      default = false;
      type = types.bool;
    };
    sane.gui.sway.useGreeter = mkOption {
      description = ''
        launch sway via a greeter (like greetd's gtkgreet).
        sway is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = false;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
    sane.gui.enable = true;
    # instead of using `services.greetd`, can instead use SDDM by swapping in these lines.
    # services.xserver.displayManager.sddm.enable = true;
    # services.xserver.enable = true;
    services.greetd = let
      swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
        # `-l` activates layer-shell mode.
        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
      '';
      sway-launcher = pkgs.writeShellScript "sway-launcher" ''
        ${pkgs.sway}/bin/sway --debug > /home/colin/.sway.log 2>&1
      '';
      default_session = {
        "01" = {
          # greeter session config
          command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
          # alternatives:
          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
        };
        "0" = {
          # no greeter
          command = sway-launcher;
          user = "colin";
        };
      };
    in {
      # greetd source/docs:
      # - <https://git.sr.ht/~kennylevinsen/greetd>
      enable = true;
      settings = {
        default_session = default_session."0${builtins.toString cfg.useGreeter}";
      };
    };
    # some programs (e.g. fractal) **require** a "Secret Service Provider"
    services.gnome.gnome-keyring.enable = true;
    # unlike other DEs, sway configures no audio stack
    # administer with pw-cli, pw-mon, pw-top commands
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;  # ??
      pulse.enable = true;
    };
    networking.useDHCP = false;
    networking.networkmanager.enable = true;
    networking.wireless.enable = lib.mkForce false;
    hardware.bluetooth.enable = true;
    services.blueman.enable = true;
    # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
    services.gnome.gnome-settings-daemon.enable = true;
    # start the components of gsd we need at login
    systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
    # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
    # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
    # it doesn't actually seem to need ANY of them in the first place T_T
    systemd.user.targets."gnome-session-initialized".enable = false;
    # bluez can't connect to audio devices unless pipewire is running.
    # a system service can't depend on a user service, so just launch it at graphical-session
    systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
    programs.sway = {
      enable = true;
      wrapperFeatures.gtk = true;
    };
    sane.fs."/home/colin/.config/sway/config" =
      let
        fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
        sed = "${pkgs.gnused}/bin/sed";
        wtype = "${pkgs.wtype}/bin/wtype";
        kitty = "${pkgs.kitty}/bin/kitty";
        launcher-cmd = fuzzel;
        terminal-cmd = kitty;
        lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
        vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
        vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
        mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
        brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
        brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
        screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
        # "bookmarking"/snippets inspired by Luke Smith:
        # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
        snip-file = ./snippets.txt;
        # TODO: querying sops here breaks encapsulation
        list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
        strip-comments = "${sed} 's/ #.*$//'";
        snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
        # TODO: next splatmoji release should allow `-s none` to disable skin tones
        emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
      in sane-lib.fs.wantedText ''
        ### default font
        font pango:monospace 8
        ### pixel boundary between windows
        default_border pixel 3
        default_floating_border pixel 2
        hide_edge_borders smart
        ### defaults
        focus_wrapping no
        focus_follows_mouse yes
        focus_on_window_activation smart
        mouse_warping output
        workspace_layout default
        workspace_auto_back_and_forth no
        ### default colors (#border #background #text #indicator #childBorder)
        client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
        client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
        client.unfocused #333333 #222222 #888888 #292d2e #222222
        client.urgent #2f343a #900000 #ffffff #900000 #900000
        client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
        client.background #ffffff
        ### key bindings
        floating_modifier Mod1
        ## media keys
        bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
        bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
        bindsym Mod1+Page_Up exec ${vol-up-cmd}
        bindsym Mod1+Page_Down exec ${vol-down-cmd}
        bindsym XF86AudioMute exec ${mute-cmd}
        bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
        bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
        ## special functions
        bindsym Mod1+Print exec ${screenshot-cmd}
        bindsym Mod1+l exec ${lock-cmd}
        bindsym Mod1+s exec ${snip-cmd}
        bindsym Mod1+slash exec ${emoji-cmd}
        bindsym Mod1+d exec ${launcher-cmd}
        bindsym Mod1+Return exec ${terminal-cmd}
        bindsym Mod1+Shift+q kill
        bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
        bindsym Mod1+Shift+c reload
        ## layout
        bindsym Mod1+b splith
        bindsym Mod1+v splitv
        bindsym Mod1+f fullscreen toggle
        bindsym Mod1+a focus parent
        bindsym Mod1+w layout tabbed
        bindsym Mod1+e layout toggle split
        bindsym Mod1+Shift+space floating toggle
        bindsym Mod1+space focus mode_toggle
        bindsym Mod1+r mode resize
        ## movement
        bindsym Mod1+Up focus up
        bindsym Mod1+Down focus down
        bindsym Mod1+Left focus left
        bindsym Mod1+Right focus right
        bindsym Mod1+Shift+Up move up
        bindsym Mod1+Shift+Down move down
        bindsym Mod1+Shift+Left move left
        bindsym Mod1+Shift+Right move right
        ## workspaces
        bindsym Mod1+1 workspace number 1
        bindsym Mod1+2 workspace number 2
        bindsym Mod1+3 workspace number 3
        bindsym Mod1+4 workspace number 4
        bindsym Mod1+5 workspace number 5
        bindsym Mod1+6 workspace number 6
        bindsym Mod1+7 workspace number 7
        bindsym Mod1+8 workspace number 8
        bindsym Mod1+9 workspace number 9
        bindsym Mod1+Shift+1 move container to workspace number 1
        bindsym Mod1+Shift+2 move container to workspace number 2
        bindsym Mod1+Shift+3 move container to workspace number 3
        bindsym Mod1+Shift+4 move container to workspace number 4
        bindsym Mod1+Shift+5 move container to workspace number 5
        bindsym Mod1+Shift+6 move container to workspace number 6
        bindsym Mod1+Shift+7 move container to workspace number 7
        bindsym Mod1+Shift+8 move container to workspace number 8
        bindsym Mod1+Shift+9 move container to workspace number 9
        ## "scratchpad" = ??
        bindsym Mod1+Shift+minus move scratchpad
        bindsym Mod1+minus scratchpad show
        ### defaults
        mode "resize" {
          bindsym Down resize grow height 10 px
          bindsym Escape mode default
          bindsym Left resize shrink width 10 px
          bindsym Return mode default
          bindsym Right resize grow width 10 px
          bindsym Up resize shrink height 10 px
          bindsym h resize shrink width 10 px
          bindsym j resize grow height 10 px
          bindsym k resize shrink height 10 px
          bindsym l resize grow width 10 px
        }
        ### lightly modified bars
        bar {
          # TODO: fonts was:
          #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
          font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
          mode dock
          hidden_state hide
          position top
          status_command ${pkgs.i3status}/bin/i3status
          swaybar_command ${pkgs.waybar}/bin/waybar
          workspace_buttons yes
          strip_workspace_numbers no
          tray_output primary
          colors {
            background #000000
            statusline #ffffff
            separator #666666
            #  #border #background #text
            focused_workspace #4c7899 #285577 #ffffff
            active_workspace #333333 #5f676a #ffffff
            inactive_workspace #333333 #222222 #888888
            urgent_workspace #2f343a #900000 #ffffff
            binding_mode #2f343a #900000 #ffffff
        }
        }
        ### displays
        ## DESKTOP
        output "Samsung Electric Company S22C300 0x00007F35" {
        pos 0,0
        res 1920x1080
        }
        output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
        pos 1920,0
        res 3440x1440
        }
        ## LAPTOP
        # sh/en TV
        output "Pioneer Electronic Corporation VSX-524 0x00000101" {
        pos 0,0
        res 1920x1080
        }
        # internal display
        output "Unknown 0x0637 0x00000000" {
        pos 1920,0
        res 1920x1080
        }
      '';
    sane.fs."/home/colin/.config/waybar/config" = sane-lib.fs.wantedSymlinkTo waybar-config-text;
    # style docs: https://github.com/Alexays/Waybar/wiki/Styling
    sane.fs."/home/colin/.config/waybar/style.css" = sane-lib.fs.wantedText ''
      * {
        font-family: monospace;
      }
      /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
      window#waybar {
        background-color: rgba(43, 48, 59, 0.5);
        border-bottom: 3px solid rgba(100, 114, 125, 0.5);
        color: #ffffff;
        transition-property: background-color;
        transition-duration: .5s;
      }
      window#waybar.hidden {
        opacity: 0.2;
      }
      /*
      window#waybar.empty {
        background-color: transparent;
      }
      window#waybar.solo {
        background-color: #FFFFFF;
      }
      */
      window#waybar.termite {
        background-color: #3F3F3F;
      }
      window#waybar.chromium {
        background-color: #000000;
        border: none;
      }
      #workspaces button {
        padding: 0 5px;
        background-color: transparent;
        color: #ffffff;
        /* Use box-shadow instead of border so the text isn't offset */
        box-shadow: inset 0 -3px transparent;
        /* Avoid rounded borders under each workspace name */
        border: none;
        border-radius: 0;
      }
      /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
      #workspaces button:hover {
        background: rgba(0, 0, 0, 0.2);
        box-shadow: inset 0 -3px #ffffff;
      }
      #workspaces button.focused {
        background-color: #64727D;
        box-shadow: inset 0 -3px #ffffff;
      }
      #workspaces button.urgent {
        background-color: #eb4d4b;
      }
      #mode {
        background-color: #64727D;
        border-bottom: 3px solid #ffffff;
      }
      #clock,
      #battery,
      #cpu,
      #memory,
      #disk,
      #temperature,
      #backlight,
      #network,
      #pulseaudio,
      #custom-media,
      #tray,
      #mode,
      #idle_inhibitor,
      #mpd {
        padding: 0 10px;
        color: #ffffff;
      }
      #window,
      #workspaces {
        margin: 0 4px;
      }
      /* If workspaces is the leftmost module, omit left margin */
      .modules-left > widget:first-child > #workspaces {
        margin-left: 0;
      }
      /* If workspaces is the rightmost module, omit right margin */
      .modules-right > widget:last-child > #workspaces {
        margin-right: 0;
      }
      #clock {
        background-color: #64727D;
      }
      #battery {
        background-color: #ffffff;
        color: #000000;
      }
      #battery.charging, #battery.plugged {
        color: #ffffff;
        background-color: #26A65B;
      }
      @keyframes blink {
        to {
          background-color: #ffffff;
          color: #000000;
        }
      }
      #battery.critical:not(.charging) {
        background-color: #f53c3c;
        color: #ffffff;
        animation-name: blink;
        animation-duration: 0.5s;
        animation-timing-function: linear;
        animation-iteration-count: infinite;
        animation-direction: alternate;
      }
      label:focus {
        background-color: #000000;
      }
      #cpu {
        background-color: #2ecc71;
        color: #000000;
      }
      #memory {
        background-color: #9b59b6;
      }
      #disk {
        background-color: #964B00;
      }
      #backlight {
        background-color: #90b1b1;
      }
      #network {
        background-color: #2980b9;
      }
      #network.disconnected {
        background-color: #f53c3c;
      }
      #pulseaudio {
        background-color: #f1c40f;
        color: #000000;
      }
      #pulseaudio.muted {
        background-color: #90b1b1;
        color: #2a5c45;
      }
      #custom-media {
        background-color: #66cc99;
        color: #2a5c45;
        min-width: 100px;
      }
      #custom-media.custom-spotify {
        background-color: #66cc99;
      }
      #custom-media.custom-vlc {
        background-color: #ffa000;
      }
      #temperature {
        background-color: #f0932b;
      }
      #temperature.critical {
        background-color: #eb4d4b;
      }
      #tray {
        background-color: #2980b9;
      }
      #tray > .passive {
        -gtk-icon-effect: dim;
      }
      #tray > .needs-attention {
        -gtk-icon-effect: highlight;
        background-color: #eb4d4b;
      }
      #idle_inhibitor {
        background-color: #2d3436;
      }
      #idle_inhibitor.activated {
        background-color: #ecf0f1;
        color: #2d3436;
      }
      #mpd {
        background-color: #66cc99;
        color: #2a5c45;
      }
      #mpd.disconnected {
        background-color: #f53c3c;
      }
      #mpd.stopped {
        background-color: #90b1b1;
      }
      #mpd.paused {
        background-color: #51a37a;
      }
      #language {
        background: #00b093;
        color: #740864;
        padding: 0 5px;
        margin: 0 5px;
        min-width: 16px;
      }
      #keyboard-state {
        background: #97e1ad;
        color: #000000;
        padding: 0 0px;
        margin: 0 5px;
        min-width: 16px;
      }
      #keyboard-state > label {
        padding: 0 5px;
      }
      #keyboard-state > label.locked {
        background: rgba(0, 0, 0, 0.2);
      }
    '';
    # style = ''
    #   * {
    #     border: none;
    #     border-radius: 0;
    #     font-family: Source Code Pro;
    #   }
    #   window#waybar {
    #     background: #16191C;
    #     color: #AAB2BF;
    #   }
    #   #workspaces button {
    #     padding: 0 5px;
    #   }
    #   .custom-spotify {
    #     padding: 0 10px;
    #     margin: 0 4px;
    #     background-color: #1DB954;
    #     color: black;
    #   }
    # '';
    sane.packages.extraUserPkgs = with pkgs; [
      swaylock
      swayidle  # (unused)
      wl-clipboard
      mako # notification daemon
      xdg-utils  # for xdg-open
      # user stuff
      # pavucontrol
      sway-contrib.grimshot
      gnome.gnome-bluetooth
      gnome.gnome-control-center
    ];
  };
 }
--- a/modules/home-manager/default.nix
+++ b/modules/home-manager/default.nix
@@ -1,52 +0,0 @@
 # docs:
 #   https://rycee.gitlab.io/home-manager/
 #   https://rycee.gitlab.io/home-manager/options.html
 #   man home-configuration.nix
 #
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.sane.home-manager;
  # extract `pkg` from `sane.packages.enabledUserPkgs`
  pkg-list = pkgspec: builtins.map (e: e.pkg) pkgspec;
 in
 {
  options = {
    sane.home-manager.enable = mkOption {
      default = false;
      type = types.bool;
    };
    # attributes to copy directly to home-manager's `wayland.windowManager` option
    sane.home-manager.windowManager = mkOption {
      default = {};
      type = types.attrs;
    };
  };
  config = lib.mkIf cfg.enable {
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    home-manager.users.colin = {
      # run `home-manager-help` to access manpages
      # or `man home-configuration.nix`
      manual.html.enable = false;  # TODO: set to true later (build failure)
      manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
      home.packages = pkg-list config.sane.packages.enabledUserPkgs;
      wayland.windowManager = cfg.windowManager;
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      programs = {
        # XXX: unsure what this does?
        home-manager.enable = true;
      };
    };
  };
 }
--- a/modules/lib/default.nix
+++ b/modules/lib/default.nix
@@ -20,9 +20,13 @@ sane-lib = rec {
  isPrefixOfList = p: l: (lib.sublist 0 (lib.length p) l) == p;
  # merges N attrsets
-  # Type: flattenAttrsList :: [AttrSet] -> AttrSet
+  # Type: joinAttrsets :: [AttrSet] -> AttrSet
  joinAttrsets = l: lib.foldl' lib.attrsets.unionOfDisjoint {} l;
  # merges N attrsets, recursively
  # Type: joinAttrsetsRecursive :: [AttrSet] -> AttrSet
  joinAttrsetsRecursive = l: lib.foldl' (lib.attrsets.recursiveUpdateUntil (path: lhs: rhs: false)) {} l;
  # evaluate a `{ name, value }` pair in the same way that `listToAttrs` does.
  # Type: nameValueToAttrs :: { name :: String, value :: Any } -> Any
  nameValueToAttrs = { name, value }: {
--- a/modules/lib/merge.nix
+++ b/modules/lib/merge.nix
@@ -17,7 +17,7 @@ rec {
      merged = builtins.map (p: lib.setAttrByPath p (mergeAtPath p discharged)) pathsToMerge;
    in
      assert builtins.all (assertNoExtraPaths pathsToMerge) discharged;
-      sane-lib.joinAttrsets merged;
+      sane-lib.joinAttrsetsRecursive merged;
  # `take` is as in mkTypedMerge. this function queries which items `take` is interested in.
  # for example:
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -1,328 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 with pkgs;
 let
  cfg = config.sane.packages;
  imagemagick = pkgs.imagemagick.override {
    ghostscriptSupport = true;
  };
  consolePkgs = [
    backblaze-b2
    cdrtools
    dmidecode
    duplicity
    efivar
    flashrom
    fwupd
    ghostscript  # TODO: imagemagick wrapper should add gs to PATH
    gnupg
    gocryptfs
    gopass
    gopass-jsonapi
    ifuse
    imagemagick
    ipfs
    libimobiledevice
    libsecret  # for managing user keyrings
    lm_sensors  # for sensors-detect
    lshw
    ffmpeg
    memtester
    networkmanager
    nixpkgs-review
    # nixos-generators
    # nettools
    nmon
    oathToolkit  # for oathtool
    # ponymix
    pulsemixer
    python3
    rsync
    # python3Packages.eyeD3  # music tagging
    sane-scripts
    sequoia
    snapper
    sops
    speedtest-cli
    sqlite  # to debug sqlite3 databases
    ssh-to-age
    sudo
    # tageditor  # music tagging
    unar
    visidata
    w3m
    wireguard-tools
    # youtube-dl
    yt-dlp
  ];
  guiPkgs = [
    # GUI only
    aerc  # email client
    audacity
    celluloid  # mpv frontend
    chromium
    clinfo
    { pkg = dino; private = [ ".local/share/dino" ]; }
    electrum
    # creds/session keys, etc
    { pkg = element-desktop; private = [ ".config/Element" ]; }
    # `emote` will show a first-run dialog based on what's in this directory.
    # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
    # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    { pkg = emote; dir = [ ".local/share/Emote" ]; }
    evince  # works on phosh
    # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
    foliate
    font-manager
    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
    # then reboot (so that libsecret daemon re-loads the keyring...?)
    # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
    # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
    gajim  # XMPP client
    gimp  # broken on phosh
    gnome.cheese
    gnome.dconf-editor
    gnome-feeds  # RSS reader (with claimed mobile support)
    gnome.file-roller
    gnome.gnome-disk-utility
    gnome.gnome-maps  # works on phosh
    gnome.nautilus
    # gnome-podcasts
    gnome.gnome-system-monitor
    gnome.gnome-terminal  # works on phosh
    gnome.gnome-weather
    # XXX: we preserve the whole thing because if we only preserve gPodder/Downloads
    #   then startup is SLOW during feed import, and we might end up with zombie eps in the dl dir.
    { pkg = gpodder-configured; dir = [ "gPodder" ]; }
    gthumb
    handbrake
    inkscape
    kdenlive
    kid3  # audio tagging
    kitty
    krita
    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
    lollypop
    { pkg = mpv; dir = [ ".config/mpv/watch_later" ]; }
    networkmanagerapplet
    # not strictly necessary, but allows caching articles; offline use, etc.
    { pkg = newsflash; dir = [ ".local/share/news-flash" ]; }
    { pkg = nheko; private = [
      ".config/nheko"  # config file (including client token)
      ".cache/nheko"  # media cache
      ".local/share/nheko"  # per-account state database
    ]; }
    # settings (electron app). TODO: can i manage these settings with home-manager?
    { pkg = obsidian; dir = [ ".config/obsidian" ]; }
    pavucontrol
    # picard  # music tagging
    playerctl
    libsForQt5.plasmatube  # Youtube player
    soundconverter
    # sublime music persists any downloaded albums here.
    # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
    # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
    #   possible to pass config as a CLI arg (sublime-music -c config.json)
    # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
    { pkg = sublime-music-mobile; dir = [ ".local/share/sublime-music" ]; }
    { pkg = tdesktop; private = [ ".local/share/TelegramDesktop" ]; }  # broken on phosh
    { pkg = tokodon; private = [ ".cache/KDE/tokodon" ]; }
    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
    { pkg = vlc; dir = [ ".config/vlc" ]; }
    # pleroma client (Electron). input is broken on phosh.
    { pkg = whalebird; private = [ ".config/Whalebird" ]; }
    xdg-utils  # for xdg-open
    xterm  # broken on phosh
  ]
  ++ (if pkgs.system == "x86_64-linux" then
  [
    # x86_64 only
    # creds, but also 200 MB of node modules, etc
    (let discord = (pkgs.discord.override {
      # XXX 2022-07-31: fix to allow links to open in default web-browser:
      #   https://github.com/NixOS/nixpkgs/issues/78961
      nss = pkgs.nss_latest;
    }); in { pkg = discord; private = [ ".config/discord" ]; })
    # kaiteki  # Pleroma client
    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
    # gpt2tc  # XXX: unreliable mirror
    logseq
    losslesscut-bin
    makemkv
    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
    { pkg = monero-gui; dir = [ ".bitmonero" ]; }
    # creds, media
    { pkg = signal-desktop; private = [ ".config/Signal" ]; }
    # creds. TODO: can i manage this with home-manager?
    { pkg = spotify; dir = [ ".config/spotify" ]; }
    # hardenedMalloc solves a crash at startup
    (tor-browser-bundle-bin.override { useHardenedMalloc = false; })
    # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
    { pkg = zecwallet-lite; private = [ ".zcash" ]; }
  ] else []);
  # general-purpose utilities that we want any user to be able to access
  #   (specifically: root, in case of rescue)
  systemPkgs = [
    btrfs-progs
    cacert.unbundled  # some services require unbundled /etc/ssl/certs
    cryptsetup
    dig
    efibootmgr
    fatresize
    fd
    file
    gawk
    git
    gptfdisk
    hdparm
    htop
    iftop
    inetutils  # for telnet
    iotop
    iptables
    jq
    killall
    lsof
    nano
    netcat
    nethogs
    nmap
    openssl
    parted
    pciutils
    powertop
    pstree
    ripgrep
    screen
    smartmontools
    socat
    strace
    tcpdump
    tree
    usbutils
    wget
  ];
  # useful devtools:
  devPkgs = [
    bison
    dtc
    flex
    gcc
    gdb
    # gcc-arm-embedded
    # gcc_multi
    gnumake
    mercurial
    mix2nix
    rustup
    swig
  ];
  pkgSpec = types.submodule {
    options = {
      pkg = mkOption {
        type = types.package;
      };
      dir = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "list of home-relative paths to persist for this package";
      };
      private = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "list of home-relative paths to persist (in encrypted format) for this package";
      };
    };
  };
  toPkgSpec = types.coercedTo types.package (p: { pkg = p; }) pkgSpec;
 in
 {
  options = {
    # packages to deploy to the user's home
    sane.packages.extraUserPkgs = mkOption {
      default = [ ];
      type = types.listOf toPkgSpec;
    };
    sane.packages.extraGuiPkgs = mkOption {
      default = [ ];
      type = types.listOf toPkgSpec;
      description = "packages to only ship if gui's enabled";
    };
    sane.packages.enableConsolePkgs = mkOption {
      default = false;
      type = types.bool;
    };
    sane.packages.enableGuiPkgs = mkOption {
      default = false;
      type = types.bool;
    };
    sane.packages.enableDevPkgs = mkOption {
      description = ''
        enable packages that are useful for building other software by hand.
        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
      '';
      default = false;
      type = types.bool;
    };
    sane.packages.enableSystemPkgs = mkOption {
      default = false;
      type = types.bool;
      description = "enable system-wide packages";
    };
    sane.packages.enabledUserPkgs = mkOption {
      default = cfg.extraUserPkgs
        ++ (if cfg.enableConsolePkgs then consolePkgs else [])
        ++ (if cfg.enableGuiPkgs then guiPkgs ++ cfg.extraGuiPkgs else [])
        ++ (if cfg.enableDevPkgs then devPkgs else [])
      ;
      type = types.listOf toPkgSpec;
      description = "generated from other config options";
    };
  };
  config = {
    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
    sane.persist.home.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
    sane.persist.home.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
    # XXX: this might not be necessary. try removing this and cacert.unbundled?
    environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
  };
 }
--- a/modules/persist/computed.nix
+++ b/modules/persist/computed.nix
@@ -1,18 +0,0 @@
 { config, lib, sane-lib, ... }:
 let
  path = sane-lib.path;
  cfg = config.sane.persist;
  withPrefix = relativeTo: entries: lib.mapAttrs' (fspath: value: {
    name = path.concat [ relativeTo fspath ];
    inherit value;
  }) entries;
 in
 {
  # merge the `byPath` mappings from both `home` and `sys` into one namespace
  sane.persist.byPath = lib.mkMerge [
    (withPrefix "/home/colin" cfg.home.byPath)
    (withPrefix "/" cfg.sys.byPath)
  ];
 }
--- a/modules/persist/default.nix
+++ b/modules/persist/default.nix
@@ -179,23 +179,11 @@ in
      type = types.bool;
      description = "define / fs root to be a tmpfs. make sure to mount some other device to /nix";
    };
    sane.persist.home = mkOption {
      description = "directories to persist to disk, relative to a user's home ~";
      default = {};
      type = dirsSubModule;
    };
    sane.persist.sys = mkOption {
      description = "directories to persist to disk, relative to the fs root /";
      default = {};
      type = dirsSubModule;
    };
    sane.persist.byPath = mkOption {
      type = types.attrsOf (convertInlineAcl entryAtPath);
      description = ''
        map of <path> => <path config> for all paths to be persisted.
        this is computed from the other options, but users can also set it explicitly (useful for overriding)
      '';
    };
    sane.persist.stores = mkOption {
      type = types.attrsOf storeType;
      default = {};
@@ -206,7 +194,6 @@ in
  };
  imports = [
    ./computed.nix
    ./root-on-tmpfs.nix
    ./stores
  ];
@@ -247,7 +234,7 @@ in
          );
        }
      ];
-    configs = lib.mapAttrsToList cfgFor cfg.byPath;
+    configs = lib.mapAttrsToList cfgFor cfg.sys.byPath;
    take = f: { sane.fs = f.sane.fs; };
  in mkIf cfg.enable (
    take (sane-lib.mkTypedMerge take configs)
--- a/modules/persist/stores/crypt.nix
+++ b/modules/persist/stores/crypt.nix
@@ -1,14 +1,10 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, sane-lib, utils, ... }:
 let
-  store = rec {
+  persist-base = config.sane.persist.stores."plaintext".origin;
-    device = "/mnt/persist/crypt/clearedonboot";
+  device = config.sane.persist.stores."cryptClearOnBoot".origin;
-    underlying = {
+  key = "${device}.key";
-      path = "/nix/persist/crypt/clearedonboot";
+  underlying = sane-lib.path.concat [ persist-base "crypt/clearedonboot" ];
      # TODO: consider moving this to /tmp, but that requires tmp be mounted first?
      key = "/mnt/persist/crypt/clearedonboot.key";
    };
  };
 in
 lib.mkIf config.sane.persist.enable
 {
@@ -17,35 +13,35 @@ lib.mkIf config.sane.persist.enable
      stored to disk, but encrypted to an in-memory key and cleared on every boot
      so that it's unreadable after power-off
    '';
-    origin = store.device;
+    origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot";
  };
-  fileSystems."${store.device}" = {
+  fileSystems."${device}" = {
-    device = store.underlying.path;
+    device = underlying;
    fsType = "fuse.gocryptfs";
    options = [
      "nodev"
      "nosuid"
      "allow_other"
-      "passfile=${store.underlying.key}"
+      "passfile=${key}"
      "defaults"
    ];
    noCheck = true;
  };
  # let sane.fs know about our fileSystem and automatically add the appropriate dependencies
-  sane.fs."${store.device}".mount = {
+  sane.fs."${device}".mount = {
    # technically the dependency on the keyfile is extraneous because that *happens* to
    # be needed to init the store.
    depends = let
-      cryptfile = config.sane.fs."${store.underlying.path}/gocryptfs.conf";
+      cryptfile = config.sane.fs."${underlying}/gocryptfs.conf";
-      keyfile = config.sane.fs."${store.underlying.key}";
+      keyfile = config.sane.fs."${key}";
    in [ keyfile.unit cryptfile.unit ];
  };
  # let sane.fs know how to initialize the gocryptfs store,
  # and that it MUST do so
-  sane.fs."${store.underlying.path}/gocryptfs.conf".generated = {
+  sane.fs."${underlying}/gocryptfs.conf".generated = {
    script.script = ''
      backing="$1"
      passfile="$2"
@@ -54,17 +50,17 @@ lib.mkIf config.sane.persist.enable
      rm -rf "''${backing:?}"/*
      ${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
    '';
-    script.scriptArgs = [ store.underlying.path store.underlying.key ];
+    script.scriptArgs = [ underlying key ];
    # we need the key in order to initialize the store
-    depends = [ config.sane.fs."${store.underlying.key}".unit ];
+    depends = [ config.sane.fs."${key}".unit ];
  };
  # let sane.fs know how to generate the key for gocryptfs
-  sane.fs."${store.underlying.key}".generated = {
+  sane.fs."${key}".generated = {
    script.script = ''
      dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
    '';
-    script.scriptArgs = [ store.underlying.key ];
+    script.scriptArgs = [ key ];
    # no need for anyone else to be able to read the key
    acl.mode = "0400";
  };
--- a/modules/persist/stores/plaintext.nix
+++ b/modules/persist/stores/plaintext.nix
@@ -3,7 +3,7 @@
 let
  cfg = config.sane.persist;
 in lib.mkIf cfg.enable {
-  sane.persist.stores."plaintext" = {
+  sane.persist.stores."plaintext" = lib.mkDefault {
    origin = "/nix/persist";
  };
  # TODO: needed?
--- a/modules/persist/stores/private.nix
+++ b/modules/persist/stores/private.nix
@@ -1,21 +1,23 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, sane-lib, utils, ... }:
 let
  persist-base = config.sane.persist.stores."plaintext".origin;
  private-dir = config.sane.persist.stores."private".origin;
  private-backing-dir = sane-lib.path.concat [ persist-base private-dir ];
 in
 lib.mkIf config.sane.persist.enable
 {
  sane.persist.stores."private" = {
    storeDescription = ''
-      encrypted to the user's password and auto-unlocked at login
+      encrypted store which persists across boots.
      typical use case is for the user to encrypt this store using their login password so that it
      can be auto-unlocked at login.
    '';
-    origin = "/home/colin/private";
+    origin = lib.mkDefault "/mnt/private";
    # files stored under here *must* have the /home/colin prefix.
    # internally, this prefix is removed so that e.g.
    # /home/colin/foo/bar when stored in `private` is visible at
    # /home/colin/private/foo/bar
    prefix = "/home/colin";
    defaultOrdering = let
-      private-unit = config.sane.fs."/home/colin/private".unit;
+      private-unit = config.sane.fs."${private-dir}".unit;
    in {
-      # auto create only after ~/private is mounted
+      # auto create only after the store is mounted
      wantedBy = [ private-unit ];
      # we can't create things in private before local-fs.target
      wantedBeforeBy = [ ];
@@ -23,13 +25,13 @@ lib.mkIf config.sane.persist.enable
    defaultMethod = "symlink";
  };
-  fileSystems."/home/colin/private" = {
+  fileSystems."${private-dir}" = {
-    device = "/nix/persist/home/colin/private";
+    device = private-backing-dir;
    fsType = "fuse.gocryptfs";
    options = [
      "noauto"  # don't try to mount, until the user logs in!
      "nofail"
-      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to `colin`.
+      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
      "nodev"
      "nosuid"
      "quiet"
@@ -39,9 +41,9 @@ lib.mkIf config.sane.persist.enable
  };
  # let sane.fs know about the mount
-  sane.fs."/home/colin/private".mount = {};
+  sane.fs."${private-dir}".mount = {};
  # it also needs to know that the underlying device is an ordinary folder
-  sane.fs."/nix/persist/home/colin/private".dir = {};
+  sane.fs."${private-backing-dir}".dir = {};
  # TODO: could add this *specifically* to the .mount file for the encrypted fs?
  system.fsPackages = [ pkgs.gocryptfs ];  # fuse needs to find gocryptfs
--- a/modules/programs.nix
+++ b/modules/programs.nix
@@ -0,0 +1,133 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
  inherit (builtins) any elem map;
  inherit (lib)
    filterAttrs
    hasAttrByPath
    getAttrFromPath
    mapAttrs
    mapAttrsToList
    mkDefault
    mkIf
    mkMerge
    mkOption
    optional
    optionalAttrs
    splitString
    types
  ;
  inherit (sane-lib) joinAttrsets;
  cfg = config.sane.programs;
  pkgSpec = types.submodule ({ name, ... }: {
    options = {
      package = mkOption {
        type = types.nullOr types.package;
        description = ''
          package, or `null` if the program is some sort of meta set (in which case it much EXPLICITLY be set null).
        '';
        default =
          let
            pkgPath = splitString "." name;
          in
            # package can be inferred by the attr name, allowing shorthand like
            #   `sane.programs.nano.enable = true;`
            # this indexing will throw if the package doesn't exist and the user forgets to specify
            # a valid source explicitly.
            getAttrFromPath pkgPath pkgs;
      };
      enableFor.system = mkOption {
        type = types.bool;
        default = any (en: en) (
          mapAttrsToList
            (otherName: otherPkg:
              otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested && otherPkg.enableFor.system
            )
            cfg
        );
        description = ''
          place this program on the system PATH
        '';
      };
      enableFor.user = mkOption {
        type = types.attrsOf types.bool;
        default = joinAttrsets (mapAttrsToList (otherName: otherPkg:
           optionalAttrs
             (otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
             (filterAttrs (user: en: en) otherPkg.enableFor.user)
        ) cfg);
        description = ''
          place this program on the PATH for some specified user(s).
        '';
      };
      suggestedPrograms = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          list of other programs a user may want to enable alongside this one.
          for example, the gnome desktop environment would suggest things like its settings app.
        '';
      };
      enableSuggested = mkOption {
        type = types.bool;
        default = true;
      };
      dir = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "list of home-relative paths to persist for this package";
      };
      private = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "list of home-relative paths to persist (in encrypted format) for this package";
      };
    };
  });
  toPkgSpec = types.coercedTo types.package (p: { package = p; }) pkgSpec;
  configs = mapAttrsToList (name: p: {
    assertions = map (sug: {
      assertion = cfg ? "${sug}";
      message = ''program "${sug}" referenced by "${name}", but not defined'';
    }) p.suggestedPrograms;
    # conditionally add to system PATH
    environment.systemPackages = optional
      (p.package != null && p.enableFor.system)
      p.package;
    # conditionally add to user(s) PATH
    users.users = mapAttrs (user: en: {
      packages = optional (p.package != null && en) p.package;
    }) p.enableFor.user;
    # conditionally persist relevant user dirs
    sane.users = mapAttrs (user: en: optionalAttrs en {
      persist.plaintext = p.dir;
      persist.private = p.private;
    }) p.enableFor.user;
  }) cfg;
 in
 {
  options = {
    sane.programs = mkOption {
      type = types.attrsOf toPkgSpec;
      default = {};
    };
  };
  config =
    let
      take = f: {
        assertions = f.assertions;
        environment.systemPackages = f.environment.systemPackages;
        users.users = f.users.users;
        sane.users = f.sane.users;
      };
    in mkMerge [
      (take (sane-lib.mkTypedMerge take configs))
      {
        # expose the pkgs -- as available to the system -- as a build target.
        system.build.pkgs = pkgs;
      }
    ];
 }
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  imports = [
    ./duplicity.nix
    ./dyn-dns.nix
    ./kiwix-serve.nix
    ./mautrix-signal.nix
--- a/modules/services/dyn-dns.nix
+++ b/modules/services/dyn-dns.nix
@@ -3,6 +3,11 @@
 with lib;
 let
  cfg = config.sane.services.dyn-dns;
  getIp = pkgs.writeShellScript "dyn-dns-query-wan" ''
    # preferred method and fallback
    ${pkgs.sane-scripts}/bin/sane-ip-check-router-wan || \
      ${pkgs.sane-scripts}/bin/sane-ip-check
  '';
 in
 {
  options = {
@@ -19,7 +24,7 @@ in
      };
      ipCmd = mkOption {
-        default = "${pkgs.sane-scripts}/bin/sane-ip-check-router-wan";
+        default = "${getIp}";
        type = types.path;
        description = "command to run to query the current WAN IP";
      };
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -0,0 +1,110 @@
 { config, lib, options, sane-lib, ... }:
 let
  inherit (builtins) attrValues;
  inherit (lib) count mapAttrs' mapAttrsToList mkIf mkMerge mkOption types;
  sane-user-cfg = config.sane.user;
  cfg = config.sane.users;
  path-lib = sane-lib.path;
  userOptions = {
    options = {
      fs = mkOption {
        type = types.attrs;
        default = {};
        description = ''
          entries to pass onto `sane.fs` after prepending the user's home-dir to the path.
          e.g. `sane.users.colin.fs."/.config/aerc" = X`
            => `sane.fs."/home/colin/.config/aerc" = X;
        '';
      };
      persist = mkOption {
        type = options.sane.persist.sys.type;
        default = {};
        description = ''
          entries to pass onto `sane.persist.sys` after prepending the user's home-dir to the path.
        '';
      };
    };
  };
  userModule = types.submodule ({ name, config, ... }: {
    options = userOptions.options // {
      default = mkOption {
        type = types.bool;
        default = false;
        description = ''
          only one default user may exist.
          this option determines what the `sane.user` shorthand evaluates to.
        '';
      };
      home = mkOption {
        type = types.str;
        # XXX: we'd prefer to set this to `config.users.users.home`, but that causes infinite recursion...
        # TODO: maybe assert that this matches the actual home?
        default = "/home/${name}";
      };
    };
    # if we're the default user, inherit whatever settings were routed to the default user
    config = mkIf config.default sane-user-cfg;
  });
  processUser = user: defn:
    let
      prefixWithHome = mapAttrs' (path: value: {
        name = path-lib.concat [ defn.home path ];
        inherit value;
      });
    in
    {
      sane.fs = prefixWithHome defn.fs;
      # `byPath` is the actual output here, computed from the other keys.
      sane.persist.sys.byPath = prefixWithHome defn.persist.byPath;
    };
 in
 {
  options = {
    sane.users = mkOption {
      type = types.attrsOf userModule;
      default = {};
      description = ''
        options to apply to the given user.
        the user is expected to be created externally.
        configs applied at this level are simply transformed and then merged
        into the toplevel `sane` options. it's merely a shorthand.
      '';
    };
    sane.user = mkOption {
      type = types.nullOr (types.submodule userOptions);
      default = null;
      description = ''
        options to pass down to the default user
      '';
    };
  };
  config =
    let
      configs = mapAttrsToList processUser cfg;
      num-default-users = count (u: u.default) (attrValues cfg);
      take = f: {
        sane.fs = f.sane.fs;
        sane.persist.sys.byPath = f.sane.persist.sys.byPath;
      };
    in mkMerge [
      (take (sane-lib.mkTypedMerge take configs))
      {
        assertions = [
          {
            assertion = sane-user-cfg == null || num-default-users != 0;
            message = "cannot set `sane.user` without first setting `sane.users.<user>.default = true` for some user";
          }
          {
            assertion = num-default-users <= 1;
            message = "cannot set more than one default user";
          }
        ];
      }
    ];
 }
--- a/nixpatches/2023-01-25-signald-update.patch
+++ b/nixpatches/2023-01-25-signald-update.patch
@@ -1,78 +0,0 @@
 diff --git a/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch b/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
 index 1d9ca8d838d..d2cf9dd4315 100644
 --- a/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
 +++ b/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
@@ -11,25 +11,15 @@ diff --git a/build.gradle b/build.gradle
 index 799e782..caceaac 100644
 --- a/build.gradle
 +++ b/build.gradle
 -@@ -83,6 +83,9 @@ static String getVersion() {
 - 
 - repositories {
 -     maven {url "https://gitlab.com/api/v4/groups/6853927/-/packages/maven"} // https://gitlab.com/groups/signald/-/packages
 -+    maven {
 -+      url "https://plugins.gradle.org/m2/"
 -+    }
 -     mavenCentral()
 - }
 - 
 -@@ -104,6 +107,8 @@ dependencies {
 -     implementation 'io.prometheus:simpleclient_httpserver:0.16.0'
 -     implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
 -     implementation 'io.sentry:sentry:6.4.0'
 -+    implementation 'com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:3.1.0'
 -+    implementation 'org.jetbrains.kotlin:kotlin-scripting-jvm:1.7.10'
 -     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
 +@@ -87,7 +86,7 @@ repositories {
  }
 + dependencies {
 +-    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_1'
 ++    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_2'
 +     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
 +     implementation 'com.kohlschutter.junixsocket:junixsocket-common:2.6.1'
 +     implementation 'com.kohlschutter.junixsocket:junixsocket-native-common:2.6.1'
 @@ -171,4 +176,4 @@ allprojects {
  runtime {
      options = ['--strip-java-debug-attributes', '--compress', '2', '--no-header-files', '--no-man-pages']
 diff --git a/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch b/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
 index 96a7d6d2ef3..2f0f6e73159 100644
 --- a/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
 +++ b/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
@@ -47,15 +47,15 @@ index 799e782..6ecef3e 100644
  }
  dependencies {
 -@@ -104,6 +117,8 @@ dependencies {
 -     implementation 'io.prometheus:simpleclient_httpserver:0.16.0'
 -     implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
 -     implementation 'io.sentry:sentry:6.4.0'
 -+    implementation 'com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:3.1.0'
 -+    implementation 'org.jetbrains.kotlin:kotlin-scripting-jvm:1.7.10'
 -     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
 +@@ -87,7 +86,7 @@ repositories {
  }
 + dependencies {
 +-    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_1'
 ++    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_2'
 +     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
 +     implementation 'com.kohlschutter.junixsocket:junixsocket-common:2.6.1'
 +     implementation 'com.kohlschutter.junixsocket:junixsocket-native-common:2.6.1'
 @@ -167,8 +182,3 @@ allprojects {
          }
      }
 diff --git a/pkgs/applications/networking/instant-messengers/signald/default.nix b/pkgs/applications/networking/instant-messengers/signald/default.nix
 index a9e023cdf63..8847707e137 100644
 --- a/pkgs/applications/networking/instant-messengers/signald/default.nix
 +++ b/pkgs/applications/networking/instant-messengers/signald/default.nix
@@ -54,8 +54,8 @@ let
     outputHashMode = "recursive";
     # Downloaded jars differ by platform
     outputHash = {
 -      x86_64-linux = "sha256-ANiNDdTuCuDEH5zUPsrVF6Uegdq3zVsMv+uMtYRX0jE=";
 -      aarch64-linux = "sha256-V9zn4v/ZeLELAwFJ5y7OVAeJwZp4DmHm4KWxE6KpwGs=";
 +      x86_64-linux = "sha256-B2T8bM8xdob5507oS1CVO+sszEg9VWL8QKUEanIlXvk=";
 +      aarch64-linux = "sha256-I314eLUQP8HPbwc+10ZDKzcn9WsqLGuBtfoiCEYZRck=";
     }.${stdenv.system} or (throw "Unsupported platform");
   };
--- a/nixpatches/2023-01-30-mesa-cma-leak.patch
+++ b/nixpatches/2023-01-30-mesa-cma-leak.patch
@@ -0,0 +1,22 @@
 diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
 index 56fa74e5c0c..3573bb0af49 100644
 --- a/pkgs/development/libraries/mesa/default.nix
 +++ b/pkgs/development/libraries/mesa/default.nix
@@ -88,7 +88,7 @@
 let
   # Release calendar: https://www.mesa3d.org/release-calendar.html
   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
 -  version = "22.3.4";
 +  version = "22.3.2";
   branch  = lib.versions.major version;
   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
     ];
 -    sha256 = "37a1ddaf03f41919ee3c89c97cff41e87de96e00e9d3247959cc8279d8294593";
 +    sha256 = "c15df758a8795f53e57f2a228eb4593c22b16dffd9b38f83901f76cd9533140b";
   };
   # TODO:
--- a/nixpatches/2023-03-03-qtbase-cross-compile.patch
+++ b/nixpatches/2023-03-03-qtbase-cross-compile.patch
@@ -0,0 +1,34 @@
 diff --git a/pkgs/development/libraries/qt-6/modules/qtbase.nix b/pkgs/development/libraries/qt-6/modules/qtbase.nix
 index e71b0a7613d..72779ac57a5 100644
 --- a/pkgs/development/libraries/qt-6/modules/qtbase.nix
 +++ b/pkgs/development/libraries/qt-6/modules/qtbase.nix
@@ -5,6 +5,7 @@
 , version
 , coreutils
 , bison
 +, buildPackages
 , flex
 , gdb
 , gperf
@@ -224,6 +225,8 @@ stdenv.mkDerivation rec {
   ] ++ lib.optionals stdenv.isDarwin [
     # error: 'path' is unavailable: introduced in macOS 10.15
     "-DQT_FEATURE_cxx17_filesystem=OFF"
 +  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
 +    "-DQT_HOST_PATH=${buildPackages.qt6.full}"
   ];
   NIX_LDFLAGS = toString (lib.optionals stdenv.isDarwin [
 diff --git a/pkgs/development/libraries/qt-6/qtModule.nix b/pkgs/development/libraries/qt-6/qtModule.nix
 index 28180d3b0ca..f14c73b10ee 100644
 --- a/pkgs/development/libraries/qt-6/qtModule.nix
 +++ b/pkgs/development/libraries/qt-6/qtModule.nix
@@ -61,7 +61,7 @@ stdenv.mkDerivation (args // {
       if [[ -z "$dontSyncQt" && -f sync.profile ]]; then
         # FIXME: this probably breaks crosscompiling as it's not from nativeBuildInputs
         # I don't know how to get /libexec from nativeBuildInputs to work, it's not under /bin
 -        ${lib.getDev self.qtbase}/libexec/syncqt.pl -version "''${version%%-*}"
 +        perl ${lib.getDev self.qtbase}/libexec/syncqt.pl -version "''${version%%-*}"
       fi
     '';
--- a/nixpatches/2023-03-04-ccache-cross-fix.patch
+++ b/nixpatches/2023-03-04-ccache-cross-fix.patch
@@ -0,0 +1,65 @@
 diff --git a/pkgs/development/tools/misc/ccache/default.nix b/pkgs/development/tools/misc/ccache/default.nix
 index cad25a942d6..9130097ab07 100644
 --- a/pkgs/development/tools/misc/ccache/default.nix
 +++ b/pkgs/development/tools/misc/ccache/default.nix
@@ -2,7 +2,7 @@
 , stdenv
 , fetchFromGitHub
 , substituteAll
 -, binutils
 +, buildPackages
 , asciidoctor
 , cmake
 , perl
@@ -33,7 +33,7 @@ let ccache = stdenv.mkDerivation rec {
     # Darwin.
     (substituteAll {
       src = ./force-objdump-on-darwin.patch;
 -      objdump = "${binutils.bintools}/bin/objdump";
 +      objdump = "${buildPackages.binutils.bintools}/bin/objdump";
     })
   ];
@@ -71,11 +71,12 @@ let ccache = stdenv.mkDerivation rec {
   passthru = {
     # A derivation that provides gcc and g++ commands, but that
     # will end up calling ccache for the given cacheDir
 -    links = {unwrappedCC, extraConfig}: stdenv.mkDerivation {
 +    links = {unwrappedCC, extraConfig, targetPrefix ? ""}: stdenv.mkDerivation {
       name = "ccache-links";
       passthru = {
         isClang = unwrappedCC.isClang or false;
         isGNU = unwrappedCC.isGNU or false;
 +        cc = unwrappedCC;
       };
       inherit (unwrappedCC) lib;
       nativeBuildInputs = [ makeWrapper ];
@@ -83,7 +84,7 @@ let ccache = stdenv.mkDerivation rec {
         mkdir -p $out/bin
         wrap() {
 -          local cname="$1"
 +          local cname="${targetPrefix}$1"
           if [ -x "${unwrappedCC}/bin/$cname" ]; then
             makeWrapper ${ccache}/bin/ccache $out/bin/$cname \
               --run ${lib.escapeShellArg extraConfig} \
 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
 index cb6fd2f0c4d..da4aadff3cb 100644
 --- a/pkgs/top-level/all-packages.nix
 +++ b/pkgs/top-level/all-packages.nix
@@ -17383,10 +17383,12 @@ with pkgs;
   # should be owned by user root, group nixbld with permissions 0770.
   ccacheWrapper = makeOverridable ({ extraConfig, cc }:
     cc.override {
 -      cc = ccache.links {
 +      cc = ccache.links ({
         inherit extraConfig;
         unwrappedCC = cc.cc;
 -      };
 +      } // lib.optionalAttrs (cc ? targetPrefix) {
 +        inherit (cc) targetPrefix;
 +      });
     }) {
       extraConfig = "";
       inherit (stdenv) cc;
--- a/nixpatches/flake.lock
+++ b/nixpatches/flake.lock
@@ -2,16 +2,15 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1673163619,
+        "lastModified": 1675123384,
-        "narHash": "sha256-B33PFBL64ZgTWgMnhFL3jgheAN/DjHPsZ1Ih3z0VE5I=",
+        "narHash": "sha256-RpU+kboEWlIYwbRMGIPBIcztH63CvmqWN1B8GpJogd4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8c54d842d9544361aac5f5b212ba04e4089e8efe",
+        "rev": "e0fa1ece2f3929726c9b98c539ad14b63ae8e4fd",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-22.11",
        "type": "indirect"
      }
    },
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
@@ -13,26 +13,27 @@
    hash = "sha256-IvsIcd2wPdz4b/7FMrDrcVlIZjFecCQ9uiL0Umprbx0=";
  })
-  # fix libreoffice build by: Revert "mdds: 2.0.3 -> 2.1.0"
+  # (fetchpatch {
-  # merged 2023/01/25
+  #   # stdenv: fix cc for pseudo-crosscompilation
-  (fetchpatch {
+  #   # closed because it breaks pkgsStatic (as of 2023/02/12)
-    url = "https://github.com/NixOS/nixpkgs/pull/212583.diff";
+  #   url = "https://github.com/NixOS/nixpkgs/pull/196497.diff";
-    hash = "sha256-nkXgwQUtxYkJT2OzG6Jc72snizW5wHvR1nmh2KDnaPc=";
+  #   hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
-  })
+  # })
  # fix handbrake build by: handbrake: 1.5.1 -> 1.6.1
  # PR opened 2023/01/23
  (fetchpatch {
    # see alternate fix: <https://github.com/NixOS/nixpkgs/pull/211834>
    url = "https://github.com/NixOS/nixpkgs/pull/212306.diff";
    hash = "sha256-iQX2NaZaCzZVRlCM0pgXt0gecNwhXGeh3kXEiY38ZIM=";
  })
  ./2022-12-19-i2p-aarch64.patch
-  # fix for <https://gitlab.com/signald/signald/-/issues/345>
+  # fix for CMA memory leak in mesa: <https://gitlab.freedesktop.org/mesa/mesa/-/issues/8198>
-  # allows to actually run signald
+  # fixed in mesa 22.3.6: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21330/diffs>
-  ./2023-01-25-signald-update.patch
+  # only necessary on aarch64.
  # it's a revert of nixpkgs commit dcf630c172df2a9ecaa47c77f868211e61ae8e52
  ./2023-01-30-mesa-cma-leak.patch
  # fix qt6.qtbase and qt6.qtModule to cross-compile.
  # unfortunately there's some tangle that makes that difficult to do via the normal `override` facilities
  ./2023-03-03-qtbase-cross-compile.patch
  # let ccache cross-compile
  ./2023-03-04-ccache-cross-fix.patch
  # # kaiteki: init at 2022-09-03
  # vendorHash changes too frequently (might not be reproducible).
--- a/overlays/disable-flakey-tests.nix
+++ b/overlays/disable-flakey-tests.nix
@@ -0,0 +1,187 @@
 # disable tests for packages which flake.
 # tests will fail for a variety of reasons:
 # - they were coded with timeouts that aren't reliable under heavy load.
 # - they assume a particular architecture (e.g. x86) whereas i compile on multiple archs.
 # - they assume too much about their environment and fail under qemu.
 #
 (next: prev: {
  ell = prev.ell.overrideAttrs (_upstream: {
    # 2023/02/11
    # fixes "TEST FAILED in get_random_return_callback at unit/test-dbus-message-fds.c:278: !l_dbus_message_get_error(message, ((void *)0), ((void *)0))"
    # unclear *why* this test fails.
    doCheck = false;
  });
  fish = prev.fish.overrideAttrs (_upstream: {
    # 2023/02/28
    # The following tests FAILED:
    #     177 - sigint.fish (Failed)
    #     241 - torn_escapes.py (Failed)
    doCheck = false;
  });
  gjs = prev.gjs.overrideAttrs (_upstream: {
    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
    doCheck = false;
  });
  gssdp = prev.gssdp.overrideAttrs (_upstream: {
    # 2023/02/11
    # fixes "ERROR:../tests/test-regression.c:429:test_ggo_7: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-error, 1)"
    doCheck = false;
  });
  gupnp = prev.gupnp.overrideAttrs (_upstream: {
    # 2023/02/22
    # fixes "Bail out! ERROR:../tests/test-bugs.c:205:test_bgo_696762: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-erro>"
    doCheck = false;
  });
  json-glib = prev.json-glib.overrideAttrs (_upstream: {
    # 2023/02/11
    # fixes: "15/15 json-glib:docs / doc-check    TIMEOUT        30.52s   killed by signal 15 SIGTERM"
    doCheck = false;
  });
  lapack-reference = prev.lapack-reference.overrideAttrs (_upstream: {
    # 2023/02/11: test timeouts
    # > The following tests FAILED:
    # >       93 - LAPACK-xlintstz_ztest_in (Timeout)
    # >        98 - LAPACK-xeigtstz_svd_in (Timeout)
    # >          99 - LAPACK-xeigtstz_zec_in (Timeout)
    doCheck = false;
  });
  libadwaita = prev.libadwaita.overrideAttrs (_upstream: {
    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
    doCheck = false;
  });
  libsecret = prev.libsecret.overrideAttrs (_upstream: {
    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
    doCheck = false;
  });
  libuv = prev.libuv.overrideAttrs (_upstream: {
    # 2023/02/11
    # 2 tests fail:
    # - not ok 261 - tcp_bind6_error_addrinuse
    # - not ok 267 - tcp_bind_error_addrinuse_listen
    doCheck = false;
  });
  llvmPackages_12 =
    let
      tools = prev.llvmPackages_12.tools.extend (self: super: {
        libllvm = super.libllvm.overrideAttrs (upstream: {
          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITTest.return_global (2857 of 42084)"
          # - nix log /nix/store/6vydavlxh1gvs0vmrkcx9qp67g3h7kcz-llvm-12.0.1.drv
          # - wanted by sequoia, rav1e, rustc-1.66.1  (is this right?)
          doCheck = false;
          # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
          cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
        });
      });
    in
      # see <nixpkgs:pkgs/development/compilers/llvm/12/default.nix>
      # - we copy their strategy / attrset mutilation
      prev.llvmPackages_12 // { inherit tools; } // tools;
  llvmPackages_14 =
    let
      tools = prev.llvmPackages_14.tools.extend (self: super: {
        libllvm = super.libllvm.overrideAttrs (upstream: {
          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITMultipleModuleTest.two_module_global_variables_case (43769 of 46988)"
          # - nix log /nix/store/ib2yw6sajnhlmibxkrn7lj7chllbr85h-llvm-14.0.6.drv
          # - wanted by clang-11-12-LLVMgold-path, compiler-rt-libc-12.0.1, clang-wrapper-12.0.1  (is this right?)
          doCheck = false;
          # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
          cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
        });
      });
    in
      # see <nixpkgs:pkgs/development/compilers/llvm/14/default.nix>
      # - we copy their strategy / attrset mutilation
      prev.llvmPackages_14 // { inherit tools; } // tools;
  llvmPackages_15 =
    let
      tools = prev.llvmPackages_15.tools.extend (self: super: {
        libllvm = super.libllvm.override {
          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/..."
          # llvm15 passes doCheck as a call arg, so we don't need to set cmakeFlags explicitly as in previous versions
          doCheck = false;
        };
      });
    in
      prev.llvmPackages_15 // { inherit tools; } // tools;
  modemmanager = prev.modemmanager.overrideAttrs (_upstream: {
    # 2023/02/25
    # "ERROR:test-modem-helpers.c:257:test_cmgl_response: assertion failed: (list != NULL)"
    doCheck = false;
    doInstallCheck = false;  # tests are run during install check??
  });
  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
    (py-next: py-prev: {
      ipython = py-prev.ipython.overridePythonAttrs (upstream: {
        # > FAILED IPython/core/tests/test_debugger.py::test_xmode_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_disabled - pexpect.exceptions.TIMEOUT: Timeout exceeded.
        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_with_breakpoint - pexpect.exceptions.TIMEOUT: Timeout exceeded.
        # > FAILED IPython/core/tests/test_debugger.py::test_where_erase_value - pexpect.exceptions.TIMEOUT: Timeout exceeded.
        # > FAILED IPython/terminal/tests/test_debug_magic.py::test_debug_magic_passes_through_generators - pexpect.exceptions.TIMEOUT: Timeout exceeded.
        # > FAILED IPython/terminal/tests/test_embed.py::test_nest_embed - pexpect.exceptions.TIMEOUT: Timeout exceeded.
        disabledTestPaths = upstream.disabledTestPaths or [] ++ [
          "IPython/core/tests/test_debugger.py"
          "IPython/terminal/tests/test_debug_magic.py"
          "IPython/terminal/tests/test_embed.py"
        ];
      });
      pytest-xdist = py-prev.pytest-xdist.overridePythonAttrs (upstream: {
        # 2023/02/19
        # 4 tests fail:
        # - FAILED: testing/test_remote.py::TestWorkInteractor::* - execnet.gateway_base.TimeoutError: no item after 10.0 seconds
        # doCheck = false;
        disabledTestPaths = upstream.disabledTestPaths or [] ++ [
          "testing/test_remote.py"
        ];
        # disabledTests = upstream.disabledTests or [] ++ [
        #   "test_basic_collect_and_runtests"
        #   "test_remote_collect_fail"
        #   "test_remote_collect_skip"
        #   "test_runtests_all"
        # ];
      });
      twisted = py-prev.twisted.overridePythonAttrs (upstream: {
        # 2023/02/25
        # ```
        # [ERROR]
        # Traceback (most recent call last):
        #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/test/test_udp.py", line 645, in test_interface
        #     self.assertEqual(self.client.transport.getOutgoingInterface(), "0.0.0.0")
        #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/internet/udp.py", line 449, in getOutgoingInterface
        #     i = self.socket.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF)
        # builtins.OSError: [Errno 92] Protocol not available
        #
        # twisted.test.test_udp.MulticastTests.test_interface
        # ```
        postPatch = upstream.postPatch + ''
          echo 'MulticastTests.test_interface.skip = "Protocol not available"'>> src/twisted/test/test_udp.py
        '';
      });
    })
  ];
  strp = prev.srtp.overrideAttrs (_upstream: {
    # 2023/02/11
    # roc_driver test times out after 30s
    doCheck = false;
  });
  tracker = prev.tracker.overrideAttrs (_upstream: {
    # 2023/02/22
    # "27/37 tracker:core / service                          TIMEOUT         60.37s   killed by signal 15 SIGTERM"
    doCheck = false;
  });
  udisks2 = prev.udisks2.overrideAttrs (_upstream: {
    # 2023/02/25
    # "udisks-test:ERROR:test.c:61:on_completed_expect_failure: assertion failed (message == expected_message): ("Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11):\nstdout: `OK, deliberately causing a segfault\n'\nstderr: `qemu: uncaught target signal 11 (Segmentation fault) - core dumped\n'" == "Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11): OK, deliberately causing a segfault\n")"
    doCheck = false;
  });
  upower = prev.upower.overrideAttrs (_upstream: {
    # 2023/02/25
    # "Tests.test_battery_state_guessing                          TIMEOUT        60.80s   killed by signal 15 SIGTERM"
    doCheck = false;
  });
 })
--- a/overlays/optimizations.nix
+++ b/overlays/optimizations.nix
@@ -0,0 +1,32 @@
 (self: super:
 with self;
 let
  # ccache-able = drv: drv.override { stdenv = builtins.trace "with ccache ${drv.name}" ccacheStdenv; };
  ccache-able = drv: drv.override { stdenv = builtins.trace "with ccache: ${drv.name}" ccacheStdenv; };
 in {
  # TODO: if we link /homeless-shelter/.ccache into the nix environment,
  # then maybe we get better use of upstream caches?
  # ccacheWrapper = super.ccacheWrapper.override {
  #   extraConfig = ''
  #     export CCACHE_DIR="/var/cache/ccache"
  #   '';
  # };
  # ccacheStdenv = super.ccacheStdenv.override {
  #   extraConfig = ''
  #     export CCACHE_DIR="/homeless-shelter/.ccache"
  #   '';
  # };
  # firefox-esr = ccache-able super.firefox-esr;
  # firefox/librewolf distribution is wacky: it grabs the stdenv off of `rustc.llvmPackages`, and really wants those to match.
  # buildMozillaMach = opts: ccache-able (super.buildMozillaMach opts);
  # webkitgtk = ccache-able super.webkitgtk;
  # mesa = ccache-able super.mesa;
  webkitgtk = super.webkitgtk.overrideAttrs (_upstream: {
    # means we drop debug info when linking.
    # this is a trade-off to require less memory when linking, since
    # building `webkitgtk` otherwise requires about 40G+ of RAM.
    # <https://github.com/NixOS/nixpkgs/issues/153528>
    separateDebugInfo = false;
  });
 })
--- a/overlays/pins.nix
+++ b/overlays/pins.nix
@@ -4,31 +4,15 @@
 # - if it's broken by that upstream builder, then pin it: somebody will come along and fix the package.
 # - otherwise, search github issues/PRs for knowledge of it before pinning.
 # - if nobody's said anything about it yet, probably want to root cause it or hold off on updating.
 #
 # note that these pins apply to *all* platforms:
 # - natively compiled packages
 # - cross compiled packages
 # - qemu-emulated packages
 (next: prev: {
  # XXX: when invoked outside our flake (e.g. via NIX_PATH) there is no `next.stable`,
  # so just forward the unstable packages.
  inherit (next.stable or prev)
    # broken on 2023/01/14 via mtxclient dep, aarch64-only:
    # fixed on 2023/01/24?
    #   error: builder for '/nix/store/gwidl0c9ksxjgx0dgwnjssix4ikq73v5-mtxclient-0.9.0.drv' failed with exit code 2;
    #      last 10 log lines:
    #      > make[2]: *** [CMakeFiles/matrix_client.dir/build.make:370: CMakeFiles/matrix_client.dir/lib/structs/events/encrypted.cpp.o] Error 1
    #      > In file included from /build/source/include/mtxclient/crypto/client.hpp:17,
    #      >                  from /build/source/lib/crypto/utils.cpp:17:
    #      > /build/source/include/mtx/identifiers.hpp:12:10: fatal error: compare: No such file or directory
    #      >    12 | #include <compare>
    #      >       |          ^~~~~~~~~
    #      > compilation terminated.
    #      > make[2]: *** [CMakeFiles/matrix_client.dir/build.make:132: CMakeFiles/matrix_client.dir/lib/crypto/utils.cpp.o] Error 1
    #      > make[1]: *** [CMakeFiles/Makefile2:83: CMakeFiles/matrix_client.dir/all] Error 2
    #      > make: *** [Makefile:136: all] Error 2
    #      For full logs, run 'nix log /nix/store/gwidl0c9ksxjgx0dgwnjssix4ikq73v5-mtxclient-0.9.0.drv'.
    #   error: 1 dependencies of derivation '/nix/store/4i2d1qdh4x6n23h1jbcbhm8q9q2hch9a-nheko-0.11.0.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/k4f7k7cvjp8rb7clhlfq3yxgs6lbfmk7-home-manager-path.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/67d9k554188lh4ddl4ar6j74mpc3r4sv-home-manager-generation.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/5qjxzhsw1jvh2d7jypbcam9409ivb472-user-environment.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/hrb3qpdbisqh0lzlyz1g9g4164khmqwn-etc.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/ny21xyicbgim5wy7ksg2hibd9gn7i01b-nixos-system-moby-23.05pre-git.drv' failed to build
    # nheko
  ;
 })
--- a/pkgs/gpodder-configured/default.nix
+++ b/pkgs/gpodder-configured/default.nix
@@ -1,19 +1,35 @@
-{ makeWrapper
+{ stdenv
 , gnome-feeds
 , gpodder
-, linkFarm
+, makeWrapper
 , python3
 , symlinkJoin
 }:
 let
-  remove-extra = linkFarm "gpodder-remove-extra" [
+  pyEnv = python3.withPackages (_ps: [ gnome-feeds.listparser ]);
-    { name = "bin/gpodder-remove-extra"; path = ./remove_extra.py; }
+  remove-extra = stdenv.mkDerivation {
-  ];
+    pname = "gpodder-remove-extra";
    version = "0.1.0";
    src = ./.;
    patchPhase = ''
      substituteInPlace ./remove_extra.py \
        --replace "#!/usr/bin/env nix-shell" "#!${pyEnv.interpreter}"
    '';
    installPhase = ''
      mkdir -p $out/bin
      mv remove_extra.py $out/bin/gpodder-remove-extra
    '';
  };
 in
 # we use a symlinkJoin so that we can inherit the .desktop and icon files from the original gPodder
 (symlinkJoin {
  name = "gpodder-configured";
  paths = [ gpodder remove-extra ];
-  buildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ makeWrapper ];
  # gpodder keeps all its feeds in a sqlite3 database.
  # we can configure the feeds externally by wrapping gpodder and just instructing it to import
@@ -29,4 +45,8 @@ in
    unlink $out/share/applications/gpodder.desktop
    sed "s:Exec=.*:Exec=$out/bin/gpodder-configured:" $orig_desktop > $out/share/applications/gpodder.desktop
  '';
  passthru = {
    remove-extra = remove-extra;
  };
 })
--- a/pkgs/sane-scripts/src/sane-ip-check
+++ b/pkgs/sane-scripts/src/sane-ip-check
@@ -1,3 +1,4 @@
 #!/usr/bin/env bash
-curl https://ipinfo.io/ip
+ip=$(curl --silent https://ipinfo.io/ip)
-echo
+echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
 exit $?
--- a/pkgs/sane-scripts/src/sane-ip-check-router-wan
+++ b/pkgs/sane-scripts/src/sane-ip-check-router-wan
@@ -3,13 +3,16 @@
 # requires creds
 passwd=$(sudo cat /run/secrets/router_passwd)
 cookie=$(mktemp)
 curlflags="curl --silent --insecure --cookie-jar $cookie --connect-timeout 5"
 # authenticate
-curl -s --insecure --cookie-jar $cookie \
+curl $curlflags \
  --data "username=admin&password=$passwd" \
  https://192.168.0.1
 # query the WAN IP
-curl -s --insecure --cookie $cookie \
+ip=$(curl $curlflags \
  -H "X-Requested-With: XMLHttpRequest" \
  "https://192.168.0.1/cgi/cgi_action?Action=GetConnectionStatus" \
-  | jq -r .wan_status.ipaddr
+  | jq -r .wan_status.ipaddr)
 echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
 exit $?
--- a/readme.md
+++ b/readme.md
@@ -32,6 +32,13 @@ this can then be `dd`'d onto a disk and directly booted from a EFI system.
 there's some post-processing to do before running a rebuild on the deployed system (deploying ssh keys, optionally changing fs UUIDs, etc).
 refer to flake.nix for more details.
 ## remote deployment
 some of my systems support cross compilation (i.e. building from x86-64 for an aarch64 host without using emulation).
 - `nixos-rebuild --flake '.#cross-moby' build`
 - `sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)`
 - `nixos-rebuild --flake '.#cross-moby' switch --target-host colin@moby --use-remote-sudo`
 ## building packages
 build anything with
@@ -45,11 +52,15 @@ on the other hand the `packages` output contains only my own packages.
 in addition, my packages are placed into both the global scope and a `sane` scope.
 so use the scoped path when you want to be explicit.
 ```
 nix build sane.linux-megous
 ```
 to build a package precisely how a specific host would see it (in case the host's config customizes it):
 ```
 nix build '.#host-pkgs.moby-cross.xdg-utils'
 ```
 ## using this repo in your own config
 this should be a pretty "standard" flake. just reference it, and import either
--- a/secrets/universal/net/README.md
+++ b/secrets/universal/net/README.md
@@ -0,0 +1,5 @@
 ## to add a new network
 - connect to it (via GUI or `iwctl` TUI)
 - find it under `/var/lib/iwd`
 - `sops ./<NETWORK_NICKNAME>.psk.bin` and paste the contents from `/var/lib/iwd/SSID.psk`
        - in same file: add `# SSID=UNQUOTED_NETWORK_NAME` to the top
--- a/secrets/universal/net/archive/2023-02-home-bedroom.psk.bin
+++ b/secrets/universal/net/archive/2023-02-home-bedroom.psk.bin
--- a/secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin
+++ b/secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin
--- a/secrets/universal/net/archive/2023-02-home-shared.psk.bin
+++ b/secrets/universal/net/archive/2023-02-home-shared.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:OaFr+OOaBxi0PaApOYLUjJ0NgD5ABBQOaf6KpR9rheE2d1pQNa0jqnD4/ttqJrq8JjZT2Y6GDSwM5gPM,iv:TuyQPPDXM8cJU/GhJpdvxwB8+v6JavHcA+vmLHA3/74=,tag:V6RTKw6Cot4B4sK1JcRGmA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNzNHZWcvTmVVaGFabUU3\ndnZwVFdVcFBXZkoxTFA5WEZMMnRvUDBsS1NrCnRKUTNDZExFL1drSjBTakw1VmZW\nYWJzTUtVN0lrWXdiRk9QaVNmZmRqSjAKLS0tIGtHTzNUUnlnU2duNDF6UUlzUUJa\nSXhxQmRXZEZKK2htenF6N1kzV1VvancKP8jZotJe9188kId6cwVzITNwtELegpzi\nOKrWPWuIveSdMGmMsRDAcQbL0xVN0qd+Y4qsZ9l6e+cVAT3cHb1vDg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLemhLZUwzSVJLNUhYQXQ3\nY3ExU1BJUzY4a24vUjRmazhtc1RIcVpyem1jCmFEVzlIZkxjSUc0RTdqQWRLTGNS\nL3FaRFhjdnZqNFk0WDFSY0xOTENxMkEKLS0tIDVzK1lPM1FlWmZLZFA0ZDlPKzla\naXRqTk90aVNTRHlNZ2FmcVY3b1JKbEkKTu8tiEKyab1bOsgdsRlEWeG9wzdg/d/s\nPfh7rnvf7Ex8Jl6qSq6xMPkv+19EbSpfSq0FRtCue/Wcce3cUmGToA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUY4OW5UNXFjOXQrUklu\nK3poU3RNVnBtc251TmRtMGJ6Z0ordDFhUGhjCms2a1o1Z1plNlpwSlYrUEEzRDZm\naHdEVVIzRnExNVhzci8vN0ZIODh3QzgKLS0tIGUxZ2gvbGM3YnMwVXU1RnNOSlBO\nVE94UFdKaDkwbmV5YjlBWm9ZZkk4Q0UK6CaPAtRrXKUzR29ZfXV8MvqszTu8LkT2\nQPlNJ4ckgTyivyseukR8X5fPKrrXIVtE+C6Xk5mJ6nGKD+oLprhpag==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUk1yL3dLUnBpNWNxMzQw\ncDdVa0szNjBVNnNXdmZwNVNEK1RwUzJTMlhZCm9oV3NaZ3k0SERKMEZCQTRtRUI2\nVmdzWndQT1c4UUh2MzQyMEErdm96NG8KLS0tIG1aUElzK2VjUTNYOGRpbkpZTDVz\ncG9jR0VzNi9jYmdCTU1qMmJtNFNUaU0KkrIx2BKjj7l+52Kk/L8rNZYAsa87z9UH\nDtxhLTnQu8DPtm5o2sbGdEZgt9qKPJiylLNKVne3EyscMaehdB17RA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSUtONWlzZ0JQbDB0L1FU\nWlhCL0p4d3lpamg3YWdIUVhDc1hVRWR1MVhFCkdZbEhnUG0vYTJVZnphdTZNSXBW\nVGdpemc5Q3hSenN4V09ZbTFOK3kzK0UKLS0tIG9ZWkdSMHhzTGJleFF5L2RsdUxK\nSEdtSlB0L2d4TTVWcDJWaE13NjFiTkkKWgfem58/ZKqVaXiL0UGVTjA7AhSkD8Fq\ne/i5HKN1Pvgv8TVPnZ9mtGP2gwwkoFYgxM8/0jBjJUm4QDbTkocVJw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNR05jQnJZZDNndmZnOVNO\nRFhVU3pLUzBxeC9rQlRoVWFCN1Y0bjhBM25VCmJKSzhkMjF1L3pGRjZmOURNeUZE\nTU8vN2pYVmZzdWdpaVdqcXloNGhTSlUKLS0tIGovSG84amhyTFZHZ2FNdTl3SzJj\nN1dObkd6K2J0Y2Q5bG5DR0VaUk1uSlUKxShDW7BD6sENlFjqp7/wFbV4g4gD7u5d\npidF9F+vXhpoBIwLlhruzvwyNXG4hQcKfWCnliXhVvNYbgaooDDhRw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MkJ1RkVBeHJnR1FGeDVi\nN0htdHZ3cVNCcTJabnlkSUQ4aHUxRndvbVhZClk2d2ZRTlJIVTg1T3dkKzdMRXJt\nNXh5OWtud3gvNWNkRWI1UE1kSytYOUUKLS0tIHhhQVpmRWtTYVFjSUN5aEVYWDJx\nS3hDMlFkVGQyM2U5QjlJMko4OGRWdkEKG98s0QVSs1o4MQ9937okXDS4WH41S1Aq\nUSL8idmlPUJzgdHshuLv2Ic2RXVjJu8V508trO8bTymrqkNAQ0miMA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraXJQOHR6ZzE5TjNQYmpB\nSStEQS9mcUpMSXlFQ05DcllFSjNOT1pWdVJZCmtSL3FkZ2Q1cU1Fc1dZbG13eXJC\nTXJkN0NzWTlDOEFMRGNQUG5HQUNUVDgKLS0tIGRwcmVxS0lNQ09GdmxKY2pkQ2Yz\nSkpZam1ZQUN1L1FZZ010ZlhUV1N4VlkKqsFAE+xZ24IMzIFjbsgANdjiGwVZk5rq\n66y00bjw+uj6WOwQuE1I9WcYDhCXEUQB9u4Q+hzejaFzCJ90N/WF4w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2023-01-07T03:06:02Z",
 		"mac": "ENC[AES256_GCM,data:L3wY2ZdR1ASbLbKXiipWfBiQ5cumItuiL1+TwTJhU5ZtxLe6SMUyhckvuX8hczlFPUlJQJDCwpgVBs9C6GRAU45jzHYmpcfF30auiRT2dF/2doH9yiYZoF7JtbTas0Kvt1yxlPfuTi5mFuJGAKDOw6+a5ayQHYlK3/RxAUn0yPc=,iv:U/vlmvI1l4u92eUDXRphS0tscLOlWorOdmT7wDwGbAM=,tag:bQayboRgsMKT6akDq+rzQw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/home-shared.psk.bin
+++ b/secrets/universal/net/home-shared.psk.bin
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:OaFr+OOaBxi0PaApOYLUjJ0NgD5ABBQOaf6KpR9rheE2d1pQNa0jqnD4/ttqJrq8JjZT2Y6GDSwM5gPM,iv:TuyQPPDXM8cJU/GhJpdvxwB8+v6JavHcA+vmLHA3/74=,tag:V6RTKw6Cot4B4sK1JcRGmA==,type:str]",
+	"data": "ENC[AES256_GCM,data:HB8H4esi1JeRDvcvcAm9WAqr5L3Tre0aWQ/erwKro6q960NYJMNO0xbUSbp/QBd/u5zjuR56a+Jjhw+SWtxdjtMW2Iu2yFScQBoVTggeL4i1p7q4/HO2F4EMW8Q3pSu9AAa5RbXzCkHHvpB+eceQQIAYjVUC+9lFuUvCpBTfcqomNsonqfPmyGCu2iiK4VYV5uH56kwJMhRQCY+KpWXpdCE2pr3u1ikWHmBY/5Gr8r5srPVbpsb0JJG8+puPPiQ98Fplev9+kfw4KJHbgZ7CoQbL8Lg5eFqEJag7cTO2AlBWcA/oMfn1mOAffMhLXSDHxoOei2Ty5NXKe5oooeRCBd2PNxWMCRz+uprdkIlW9CBxppaP4S4c5g0bcotLjm7P9ms9DNEgHi89Qgjlu7yIQVEP7mp15g/srgvodURrjEQSnNvLZhlLNuncO4TzWM/9HgC2M+wzSt2ypJRp8nAkWfw1IuZ9Oz9BO6zOvPhNUJy361EGdOXwC435zUAydZakBTrlNd/Rw5+WFiFfJdTFeOzeQvqyQy+WrNS0jg91tMw8oNDf1p1iJ0j6D0Br3DYSNK0TxfdUXGyDLUpVpQpbVvMBbvwozTinuLkQzmXuqqb74nd0aBon8g4BJJSeVHFl13/eFdNKfbLLvD/ubIdKtg==,iv:OtYRb1AfJLVyZ9rmnUoCkzXHtO6yk7RZFcmnZYvHLek=,tag:I2wMiheAxY/j1jG0Rhying==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -8,39 +8,39 @@
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNzNHZWcvTmVVaGFabUU3\ndnZwVFdVcFBXZkoxTFA5WEZMMnRvUDBsS1NrCnRKUTNDZExFL1drSjBTakw1VmZW\nYWJzTUtVN0lrWXdiRk9QaVNmZmRqSjAKLS0tIGtHTzNUUnlnU2duNDF6UUlzUUJa\nSXhxQmRXZEZKK2htenF6N1kzV1VvancKP8jZotJe9188kId6cwVzITNwtELegpzi\nOKrWPWuIveSdMGmMsRDAcQbL0xVN0qd+Y4qsZ9l6e+cVAT3cHb1vDg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRGdDWXc2eW5VYVkxbXJp\nSWE1VE8wdEZVK2x3MHdmeEk1dWZyU1Q1QUVvCjJCV05ZV3FZdjl5VkNvMGkreWt0\nZTVWY1FwV21mQlIrVFFIWVFjOWw0TkUKLS0tIGRNRWlEaTdMM1l5M3MramVtZ0dh\nelh6RVM5TTh0MENOamsxRng5SnVpU3MKRwrQBe1PSYidsYakba+53yy1DoJb3Ppq\nDBhsYOBrkdQrS/0yG1ojm+VonVdZfBo53lUb+eGhroibhbOLZytdaQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLemhLZUwzSVJLNUhYQXQ3\nY3ExU1BJUzY4a24vUjRmazhtc1RIcVpyem1jCmFEVzlIZkxjSUc0RTdqQWRLTGNS\nL3FaRFhjdnZqNFk0WDFSY0xOTENxMkEKLS0tIDVzK1lPM1FlWmZLZFA0ZDlPKzla\naXRqTk90aVNTRHlNZ2FmcVY3b1JKbEkKTu8tiEKyab1bOsgdsRlEWeG9wzdg/d/s\nPfh7rnvf7Ex8Jl6qSq6xMPkv+19EbSpfSq0FRtCue/Wcce3cUmGToA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSXU2TnQyT2JtUDRKMVhZ\nclNtNHNEWTlXY2JNN2ZVcXY5OVlNcWhHNFNrCjJnTUlpaDVmcHo1NUJpUk5GMldz\nSzQ2QWhHN2VSeGlPSmtMSSt2TG1CN00KLS0tIGY0U3UzN0NwWE96b3kwUU9tbW5U\ncjhETWV0R3lJSHcydXQ1bTVOYnVHN2cKs35cc525DpaAnsNzDa/ooq53QSaquMxW\nvjI/+9I+q4MP+XrRTPNSl0YRyy7ZZyDQaGgj6ljOFEb66irMEotKGw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUY4OW5UNXFjOXQrUklu\nK3poU3RNVnBtc251TmRtMGJ6Z0ordDFhUGhjCms2a1o1Z1plNlpwSlYrUEEzRDZm\naHdEVVIzRnExNVhzci8vN0ZIODh3QzgKLS0tIGUxZ2gvbGM3YnMwVXU1RnNOSlBO\nVE94UFdKaDkwbmV5YjlBWm9ZZkk4Q0UK6CaPAtRrXKUzR29ZfXV8MvqszTu8LkT2\nQPlNJ4ckgTyivyseukR8X5fPKrrXIVtE+C6Xk5mJ6nGKD+oLprhpag==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVWZMU3RoTDNqc0ZtcDBQ\nUllueVdFRjJhRGQ0MG5oMjNVUmt3SDgxMHhRCk10cCtGMUdEMW8zVFMvckJ5aXF5\nRjB5eHE3K1lIeGNOWFVRQVA1SkRRbVkKLS0tIDZJRDNCOW9iZFBISDg1OWtWcWto\nV3VUSmtzUXdtQ2Zsa2F5eWVXUXFZUG8KsqIQV7vKqbC1LKbDHJzQCbKmBqKLWZrI\nyt/mK0jfpQGS4vucmitMoEMsACrV1vG8hLC1yrt+gHudZX9zvtVLSw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUk1yL3dLUnBpNWNxMzQw\ncDdVa0szNjBVNnNXdmZwNVNEK1RwUzJTMlhZCm9oV3NaZ3k0SERKMEZCQTRtRUI2\nVmdzWndQT1c4UUh2MzQyMEErdm96NG8KLS0tIG1aUElzK2VjUTNYOGRpbkpZTDVz\ncG9jR0VzNi9jYmdCTU1qMmJtNFNUaU0KkrIx2BKjj7l+52Kk/L8rNZYAsa87z9UH\nDtxhLTnQu8DPtm5o2sbGdEZgt9qKPJiylLNKVne3EyscMaehdB17RA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbi9kSnUvdDdlWVBBQXY5\ncy9DYjNBNlMxd2tXMHRDUjl2WFZTd3NySVRZClZJendtditxZVluQUNXM1VlS0tz\nSFBMQ1FHbks1VFgvM0ExQmw5SkYwZE0KLS0tIHUvVGkrV3VmZ2RodDhFMktYcTYv\nRGhxL1hQMDlPZHhXRTdRcnVnZjdxQ1EKFcSljMApXgz3sKoiBTstm9BErhlLL5HR\n7LTocTL1s2s0yLFHedNmbad4kRA3mTAywwNtfAEZ3vWx+WB4NOhS7A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSUtONWlzZ0JQbDB0L1FU\nWlhCL0p4d3lpamg3YWdIUVhDc1hVRWR1MVhFCkdZbEhnUG0vYTJVZnphdTZNSXBW\nVGdpemc5Q3hSenN4V09ZbTFOK3kzK0UKLS0tIG9ZWkdSMHhzTGJleFF5L2RsdUxK\nSEdtSlB0L2d4TTVWcDJWaE13NjFiTkkKWgfem58/ZKqVaXiL0UGVTjA7AhSkD8Fq\ne/i5HKN1Pvgv8TVPnZ9mtGP2gwwkoFYgxM8/0jBjJUm4QDbTkocVJw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUU5VenRYVTBQT0o0dFdz\nRHFjNGpRQ3VkaWF4a3p5ZitrY1JWTnVuckUwClFjZG96VVVDaWZPNnJaK0Q5VG83\nUkpGME5KQk1IL0tQendPSEwwZGptMVEKLS0tIHJDZTg2UFBJNytPL285cy8wcVFL\ncjRYZXVoamUwRVZwK3JnQUxhM3lEOVkK6obmbqk+5PNp1dflUb1l12hfat33JOFD\nFfr7iCU16nGeNYKqQ6VWXkPeRmr7xLi4FKHSgG0q/KFjlpEikBwD/g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNR05jQnJZZDNndmZnOVNO\nRFhVU3pLUzBxeC9rQlRoVWFCN1Y0bjhBM25VCmJKSzhkMjF1L3pGRjZmOURNeUZE\nTU8vN2pYVmZzdWdpaVdqcXloNGhTSlUKLS0tIGovSG84amhyTFZHZ2FNdTl3SzJj\nN1dObkd6K2J0Y2Q5bG5DR0VaUk1uSlUKxShDW7BD6sENlFjqp7/wFbV4g4gD7u5d\npidF9F+vXhpoBIwLlhruzvwyNXG4hQcKfWCnliXhVvNYbgaooDDhRw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaTZOdWtsWFRoVktXSjJF\nRHBQTVd3OXFBbkRJZzZiQXFIRlRrdFh0M2lFCnpmS1pxYzFvSmlZSTIrMTgvangy\nWDhySUdpUXExRnphazNBcjg0cktSN1EKLS0tIG03dTlqQ25EV0dRWHJvUy96TzRU\nRVFOL2ZZMmVLc1g5SGgrc2VHTlNMeGcKqy+ulNsanMLch1oMq/gSlPO0gy/NO6Gn\ndX1hAe4UPo05nxf58rEDd3ejXliU4ZEvk9p999nFcg85vTvyw9/K/A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MkJ1RkVBeHJnR1FGeDVi\nN0htdHZ3cVNCcTJabnlkSUQ4aHUxRndvbVhZClk2d2ZRTlJIVTg1T3dkKzdMRXJt\nNXh5OWtud3gvNWNkRWI1UE1kSytYOUUKLS0tIHhhQVpmRWtTYVFjSUN5aEVYWDJx\nS3hDMlFkVGQyM2U5QjlJMko4OGRWdkEKG98s0QVSs1o4MQ9937okXDS4WH41S1Aq\nUSL8idmlPUJzgdHshuLv2Ic2RXVjJu8V508trO8bTymrqkNAQ0miMA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYXYzVEJyYUs2a0s2aW84\neHZwbWhUSmpTbFg5c3RiV2N0OE05R21IeGhvClRzTDk1M1VPMFZpWlNPcEp3Q0tJ\nUjlWMHVBbUtiRmlwZUpKZWlPdHYxaWMKLS0tIDBVOUNxbW8yM1JJRk81QmdBOWp5\nL0xsL2U2VDdMR1YrWHpEQVNWU3YySG8KceuhQOvfHl3EDlxXbUT9PR0CAxP5+iDs\ngEBnRKpCfhq+Fr84fmlZmIBF9R5fmAn1Aq290U0ak3eHz+GWLlTgjA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraXJQOHR6ZzE5TjNQYmpB\nSStEQS9mcUpMSXlFQ05DcllFSjNOT1pWdVJZCmtSL3FkZ2Q1cU1Fc1dZbG13eXJC\nTXJkN0NzWTlDOEFMRGNQUG5HQUNUVDgKLS0tIGRwcmVxS0lNQ09GdmxKY2pkQ2Yz\nSkpZam1ZQUN1L1FZZ010ZlhUV1N4VlkKqsFAE+xZ24IMzIFjbsgANdjiGwVZk5rq\n66y00bjw+uj6WOwQuE1I9WcYDhCXEUQB9u4Q+hzejaFzCJ90N/WF4w==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTU1tT2cvUEpQWnpOWE1x\nNXlENUgvckd1dzZHU21PbVprOUpnVVA1OHpnCjZjOFJBR3hRbHBlbkMrbUFNa0Fl\nNDVKZ0IxWkgyWUhvckQxaW5wbEIxWmsKLS0tIGxTdUVWcEh2K3g2NFFIb2FmZG5a\nOWkwRUtlMVpRMWFOb25QVWF1bU9QZzgKcjkcHLqSSncBsmaricXdAzSWeaKlgbmb\nMbU1lXSZymzmNiu7J1O4MsgWgZv8N/E1HTFqcRv2+wPz8FVDLPL0Fg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2023-01-07T03:06:02Z",
+		"lastmodified": "2023-02-15T01:53:52Z",
-		"mac": "ENC[AES256_GCM,data:L3wY2ZdR1ASbLbKXiipWfBiQ5cumItuiL1+TwTJhU5ZtxLe6SMUyhckvuX8hczlFPUlJQJDCwpgVBs9C6GRAU45jzHYmpcfF30auiRT2dF/2doH9yiYZoF7JtbTas0Kvt1yxlPfuTi5mFuJGAKDOw6+a5ayQHYlK3/RxAUn0yPc=,iv:U/vlmvI1l4u92eUDXRphS0tscLOlWorOdmT7wDwGbAM=,tag:bQayboRgsMKT6akDq+rzQw==,type:str]",
+		"mac": "ENC[AES256_GCM,data:C0zS4XzJ4HHaOZiZrZnd3fbdoEoMcWTQmJnyu0irYo9UGbXzs58EoHC1PJjoxdauD7zIby5DqW88Y9tzG0j5Wc8AveAHZ97XQs/9vHMBI2PeBrduUDVPZL7UwBxKSimaXcJLBylUvpO5/j1Ceg+/nf4lzD0OJksJP5B2MFWIH0A=,iv:DEiGZyvc0ugiJ9DHDNqkA6+D2r7PvTi5qsCzpvzxXdM=,tag:wFzeFvrrK8FqQ3LapHCB9Q==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
--- a/secrets/universal/net/makespace-south.psk.bin
+++ b/secrets/universal/net/makespace-south.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:tNQEuMx+Cp8vRELzeQoWLQail2jy5TEBSqJM1o+tV5mSStTLQFMR+L/cnKQYqEpNWJgZ3kSaqkAUqvY5yG/y7TIUZDWqeLLnOJDrmahku0CFPmC3BC8yjrTaISaDRT0FlLH7Osdk2pbDlmcerPwRaEtptovgHvMeJC9cMrfFUOF6LXdNIh7zslWyYvEzrAPtnxKiyIA7pan8sua2FG6AIfMj10c+p/ck29pqhtxAGJvmMMCjMBB1XNjaYjzRzEddbry84cJjhF2Hyr0j/W4U0SLDdD9cfh8idwmrBAP9zI1/nlHjO1labI+U9WGdyyeoPFY+Phm8qm7WxpFsDZnk4B5IGaN1yB9I7KP4tneSw8VOmz5L7BBJszJRUEOQ95Q7D7gos+ytfbnzIBeHh55eSuRzj5xSqG4dPSp8biBGEC9Y4gShCvxNa7r7tGF82jrI32Xe3MFz5zRsx5HvbpB/xytBS0fguxgtnFm8OJf7j3vyGwQoCCJT4pLpHmhei0JpmicbAIgKCcmz//sSUZKXNMV+rb58ntjvNu/Cy9TgOaNTpmeIpe60Gg5ONXypM8Zdmv+cY3NATg9ukdXpdtjW0+SMTTOC+Ug2z9D0Wy4NUQOsNevVUr/22155v+SGcSImVJtiOZ3xYgjND1n/smoUs7tvOVxb1Qjwty40VLwHi+Od3w==,iv:cBgkFEs/bUBRdQnmxqYiJwqQWMXoJ61lHEnMwkfQ6YQ=,tag:E/Vj1nwF1VrxjSyo55W/Ag==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieFRHNnN3L2FzMGcraHds\ndDFYU2dwUUU1OVh3WnhtWWk5QlZJNmFLd1Q4CkVaNTYreVRGOXdLWitSc2pleDly\nQjRBbERydFFZbkRpekN5T2xCM2x0bkEKLS0tIFhvNnc5M2x0Q2FvUkRXUVNHOXR5\ncThGazRYaHhrdjlCSFE3TWJ6L09jR2cK50dHVdb6XAsgB9WGlfnbIeYluFNFcfSb\n1m+ElNfsE9VOdEzeEI8sNHvfNtleEv0i1CwdRA48mmMc1LetiDgV+g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhOStKYTkvYTFZWkFJZk9F\nbW55RTZLWHJXK1lwSE9OSERrdlRQZWdzbDFzCjcycDdsaVNtVTlPYkh5QVZScExl\nbjNzaVRHaVdlU0dHOTRxS1VvSkRjS1kKLS0tIE1zZkJ2K2FxZFpmeEVxdGVkSXEv\nSklmYmJ0TWx6K0FGc2FqejRQQjNmM1UKwInOj1HG+4zKMkocVI7japkdc1FHNORF\nAMfAlEaB36alown3NmxBVD7zZexEU6Stsvv9eKE6clX/vj7Ny+dKgA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTby9zMm5UTmpGS0JMNlNj\nYVlES0RpVWxsV1ZQZm5NTHZzV0pzdjZFS3o4CkRLWVJGU2g5WjN0eWdDMTIvTzE5\naDJnNjJNNitIaDZaaURxVnhacldtODAKLS0tIDNnRWhlN3ZJNklWUVFkOXdCVjVl\nRkdLcTVsb09oemhxWWZEWENsTlFZM00KQRYOR6rD7pOFSWl9KfNRxbWPVwLnMMXW\nLYRReL1xvK+UdYpae/rKbmExoo94W6IZSxoxeB2BFR9Bna5obbFNjA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQU2k1WkRVZW1paS9id0hw\ncXhucTlCeThjYm5Fb3A1RnNzREN4eFA5OGh3Cmg2Ym9nOEF3Y0FGYVlra0RuTXh3\nZFVKUnVlSEZGaXlMdVJuZno5K3RTL00KLS0tIHNDV3FJOVhybWpGZ1h3TTZDWGtj\nNEhQQ1A0SGFYNnVzQUhFa25tOW82NWcKTX/QwhOVAWL9tgfzopMAdWuBmzCni1mg\nTfI9R6ZP6gdBESUk7+kLc8uiEJIxuiWCivp9gWr7Xletbm00Pnkglg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVjN6Q2gvNVFwQ3hjOElE\ndXVUVDdQQWNCdTB0Y1VuVnlsNjg3UlhyMWdRCmpEQ3pZUyswditHd2s2dUlMRmFa\nY3lFc0FwdzNrZzdyZ2hOYzJXdWVXUUUKLS0tIHV4dWcyb0dnWVJnY1pudUxUK1Y0\nbWVhRzdLMjNpc2xxaWQ5U2x0SVdHck0K2gB1itweNVt0kKZj2gO+ek7hlJoxfkoY\ndMCEH+kWxhtXuXHznCZb+Itrm7vGgqWQdXlqilMEYuhLbPHvs5jXMw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNVhjK3hWSVNnb1Y5SUFy\nRWt6TDByWFphNnhNbThubnpIaHc0RERpTlhFCk5reUIzanIvVUxuSEg3RWhZNTBL\nUlNMc2hvejZSUUtXZFFDQ0M0QzBiTjQKLS0tIHhtUjd6ZUVpM2JXaXdsejU3bmFE\nQklLL0NwNjFzOGpGUHoxd2drNUVyTnMKGOEhPALGhyvDBPpuib1R425JBih3cBzs\nofk+eL5cRTwfLe7a/kOeNudNtamKLR8IEfJKgokjtBEaYBNo1P+Vuw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOVVwZUM5ODNsNFFzOWdo\nS2RiejlsQVVrSmJ2SVFGbklsSUpCckVnSlZ3CjlmSTJZaE9pMlRiamNtUmxyK3Na\nMFljczFnNktCaUs0eC90M0c1akNxdWcKLS0tIDFoRlNyZVo2R243WGNHR3B3cDI5\nRHZYK2lBM1ZLZWFWM3hzdnR2cTM4aTgK67Ik3qwQEuOuL60BRRGmpmVgdIv/Bavi\njeC4BTwBanXxbhZodFfdtHmgxkqE3w2Eu5ojwFje+obUagj8B3PmNA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcndDbG03cW0ycTlNeFBT\nbEhxcWVDb2N0MkwxNlN5Tjk0T2NTaEw3bFdFCmJYZnZXZ2xYblBtTi9MWEN5amVa\neDFEN01sTHgxLzNrcVB5OC9TU0ViYUEKLS0tIG8rQ21kU0xlcUEvZkVObFJhRUdp\nNG1EYXBZNVpKUGUxK2xXdFpieVBNZ3MK+bGQrmaY1bE23iuKu1UPoChOOnuSBl9d\ncQlr+Wh4CoKp8YTnTTkFAVrWoXcM0eAVapR7f89GqO2vgefo6bnFHg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2023-02-27T01:05:22Z",
 		"mac": "ENC[AES256_GCM,data:QWj5rcyT9xBLdVCkf1mo0lnpeNR3o+HK6MP1n/XWwSWzMM794+byWDWEfjJIq5EuNL3YirbB5ANrGjdWTzL3UU1WsW3kr0pan2dSrBs9wR4d9RNS1TcFXvxhC0WEEVP1n3wwfOb/TKd9irpv8n2M973atQKJXSTecqOFgDxDa0M=,iv:TcjQuwW9SZlMbHtEj2O+76qnvPsvhrJ3mNmsobEA6rU=,tag:GeVf5bPecUNn8TQ1C12aFA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/offlineimaprc.bin
+++ b/secrets/universal/offlineimaprc.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:YQ3g+zqZoOv6+cjsxahFLlzzJsyNmIzOf0UW/V5Q8WJ5BlfJem/u9SJd9HbYfAZuTGkSzRVTvC3woivV0WOCf+EZ1SPSOLwCFtNKh0kgIsSbZRHJqfMQPzZkd93tAARXj7Gtgi2yGGvIhW9MTDvUDDW1umho46fP61f9JRPflAXRu9JwEDpwVIIkAqk4Jdq3G3wnrkjK7fNQkpULAYqDJzH7IeUUNFbt1/tsI8uj1bzpYzjLkZ9r8grgSO7mpt2h4vPdGrd+XVRT0WG/MLZnukN9rXDfHkrqFtn4XBkp+biQj4RFflNr9/FyZUEqb5wvB5pMMatRdv+PUdgtuSQubfKPHdYXic0Bi+Lgm3gA8FlYnel6dP5I8DXgo4Jupyhw/KMTySn3nhHrhFieSmTItZZ1KKtaQxFGNdnYVcCJCUkwKNM6M5nX+LryxD9MkAn+L2o11QYW6q9HhxO+hXi0IWfq9aRRtU/mw2Og7nA9oesoJqmid7zXVsErsRhnFlEHt7Z6qCbnhcC9lyT/KhK4E0+sJpeukyDVmNAb31040zIKEOQMFyMHw1nRFHxth4Kw2AGIRA/UiB1JxR/QW+1tZSB8MPS6GtklXE6GAlphAnssrkIc+5L+bWJTOwSYsw6T6SYCMO5I/0OEgZTys6/dYVLSl6GVmYb5Ck8GEzOx7W1fnFQt7KepZUTGstMQ0CsI1zktmXzJel1C+MBga7IC6+P8mB42GZv1mBRiEGs8fjo3HqaoF3omC/7FUrc6UlQnExMEXqgm7jbENL5mfk04zS1YzbMHR6JZapVSD8ykHMkGSYbpqhzgcam0c6aQLD7mGcMZ4L+2FZtgnSPmmfjKxlZJIQE66NWq586N7e+7SWSi9rqEstXGhAahM1RWIog4EW3npOUmNBbz152QaYZeNNTYE+L/9n+oVeWT0evlHxiCpATxgo+DoR6z66U5QYN5EFXcsR/I1s2UUc8xTwwjgEfXkM/IEZUkEHH/kZNJPdmqtpA=,iv:HYjtUSGs1JgxE8HzZ+xYUZoPYanOC6HAVlIdJR8O77o=,tag:teJOFIMtHLs9yzDQIPV0oA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Wmx4QUZSZVFYM1NjRGxO\nRzhmSGV1RTViTjljM0kyaitsV05Jc1dQcXpNCjdFR1FWTFY0L1NkclVJQ2t2bk1P\nNk1WeDA4TE9Zcjc2MkNTeDltQk5TSW8KLS0tIGIvcmNVdDN6eldMamxrWUJ0ekZF\nWlcyN0haZFpmQVcyWS9vOFBHVmFiamMKwROo4FD5Y6TiSDK8byxAq4T9Rtvy1Dr+\nExZFzLeJxXBukLJgzxV8UpBNbcGejetyOZiH+GPwdwO4QKlMGiCsog==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYzhiZjFVWEZidGJpRkpl\nOSszdUNiWDlIMVVTaGFVdi9oZjFoYVhwOFM0CjFNR0ZadExxZDBnOEU1eEJXaHda\nK0NyWmhHZzdSOHFHbEYrQnhwMTcxdVUKLS0tIGd0WjFOczRCSkpkZFpOSDdlTFhG\nQUFQMlRDa1YwM0F0N2U2ZFdxa3YrMFEKXNdULEzPEh3Wk+PxgRt0fypVNAaa682u\nMZBfQbNnAOVU5xlM66+YGWXY/ENWwr3nEauNKq7pWLZqQOCA9RnvvQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TFcvWll5RGZDeU5RYnpS\nb1hHcG4vbzBxL3RiRjl2eUhGbHFjSTJYZ0hBCkhyQUtacktuR0ZZNkM3cEdyMTd1\nVnpMZlNPL1NzcUZzWnd0VC9veW1jL0UKLS0tIHdQalI4N3ZRVFdsMEtCUllBREZG\nUmdQYVVqUGZ0QXJKODFvblgvYnRnZTgKKMmEswejP1HdEtg9hK10pRlt89Iz2iF8\npcZTBFjMnahLvxI4M8HCF7ESxI46jebyna43ZzELQQLPGLuZG0n3Bg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBScXJpV2NkMFhJaDNGVHRZ\nVlRCZVkzSWFyTFRCUktYNFNYekwrNkpITUMwCkZlZm14Q2dZVGlFd2VZZWpmSFU4\nelhNVmE1b015YWYzcGRRa2VMS1ErMDQKLS0tIHFxaEJ4M3cxSHlNV2ppaFUzcTlk\nZWVuN085TnRES0ZGZko3Ym9vOXRhSEEKU8YZFKtDzokS1OXlqA3vBe2C5N7Em+Oq\nDh5N+2qrvqKUzT/YVg9j/YIPswrn2WMJ2xgMgT5VVK+2kn38fk4n4A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWWFFZGVPTEVlc1hvQ3Qy\nUTNrc1Y0ek9ONlQ0RzlkbTNWangrdnFVZ0hNCkovNCtkaG9JUlpnRFJBMFE0Nmkz\nNXByUjlLRUd6RUV1OU53UjBEZnNjTUUKLS0tIDd4S3VrVDkvanlzZStkYllQT3NN\nYWxyYW1pVmt3djIyWVhtdEZCVlducmMKI94q+UTXpUGa/up0lVbWqmBYcPpuoLZD\neW2KbX2MTzotJVXlJyckYvaylEyyN1pKO37OViPnzik2cJYCyD8QSQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhN2ZkbzB1K0g4V0NPQ21x\nckQ3MFVwZzBwNDMzVk9mb0YvVmJxYm5hTTB3CkgzWTR1dUkrdkFKeDBjNWpCcnl2\nY2lCU0dPcUh1VXdWbExST29nRFFQcHMKLS0tIEFucEpGc2s4VGhGYWlQQW9Kd1pt\nTGY5YURVa1NYUit1UHpPVm4zTHNTVVUKTyKPabMpXBkiV9MSfoJr41DfJjzW6FVP\nHWVfUwoVeKEYVJEPYIcso4kywroBWJ5tBpeOdsbth9en3TOHHlBXCQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvN2dvUDRXUWc2eVVoQ2xK\ndXc2anJZVjhobjJrODVlbXNuZjNhZ2lpNERnCkN6V0Y2QmlGNHVJM3JoQ3hwbHJo\nTncrVVN3R0wvQVAzb293WFpCV29BNUEKLS0tIFdhV3RSbkZQVVBxVWpuYzk4bzZt\nekhxSEFFMHRBZWZaOWxUVnFUbkluUFUK53HBDttykEO7lB/86d/ey4I4AZsLrvLm\n7J/rItqQeNJ1qYp/J3HSilbDZmQBI8jM95SP75tUPsmWndK1i9gHlA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNXB2dkJoMzlJRlJxbGRS\nNTl2YmRUb3YxdEcwRnhuT1RHMTJMNm1MQUZjCkMrNGEzV05sdWc1OUROU2V2UVlJ\nSGl1bGxNSzBZalRZd0YyMElEbGlXZWsKLS0tIFRVQmpqRGNmTW9YaTN2Y0JtNHp6\nbkw0dTlmNVFwQkl6Q1ZIcUNxTGp2TzAKaZawNzF3mYl/m0X/IbfWL8WhLllF6fkT\nl5BQg3uMLC4pTnRcZHmBLrzRHhoOy9qLLkiimkQaseUhI+hAUt9bAQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2023-03-03T08:41:07Z",
 		"mac": "ENC[AES256_GCM,data:cxu1p3O0CLiIrqD7HrFUiDPrbF7N3puR3C6VKLfmWa0liHIrkwylOHhyP2WYL1GnbXrMdSZEZ9W487yqsFMiVLyVYmvrg6/TB0I936+PdPgb3miBlb1aE+g23FHQNbpTthbdLJow2tbw1n152ZwtjHPZ+swQhoexeZrpNJipBZ4=,iv:/uua9R2uXvJISgETRBaAREFW3+DsAi+dN4DoMMYHKi8=,tag:wUITr1eIhndhK6EVEyOmog==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }