get sane.packages to work better. still needs cleanup

programs: enable persistence
modules: add a sane.programs interface which i can use going forward in place of sane.packages
2023-02-03 01:05:58 +00:00 · 2023-02-02 12:35:42 +00:00 · 2023-02-02 12:31:13 +00:00 · 2023-02-02 10:23:01 +00:00 · 2023-02-02 00:21:07 +00:00 · 2023-01-31 08:22:20 +00:00
54 changed files with 1135 additions and 966 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -15,35 +15,14 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1667907331,
        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-22.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1674779092,
+        "lastModified": 1674880620,
-        "narHash": "sha256-mFBD0Dvjf8tuxWtJhsCQ+8VYqI4fQeWjd/vfWsZiRRo=",
+        "narHash": "sha256-JMALuC7xcoH/T66sKTVLuItHfOJBCWsNKpE49Qrvs80=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "80ece5a61738fbf3b96fdda402ab2dfc74ee5cee",
+        "rev": "7478a9ffad737486951186b66f6c5535dc5802e2",
        "type": "github"
      },
      "original": {
@@ -60,32 +39,16 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-5pNu9Ph1LIBj5q9RWLV3r7daANjmd4u5y+MVq8vlfS4=",
+        "narHash": "sha256-arp7Uy7ct5ryTcmSY032eN7hr33i7D2XvjTRLliCFDc=",
-        "path": "/nix/store/bjzsgw8zn4av0dv4sqyj7vxhi43na16y-source/nixpatches",
+        "path": "/nix/store/jblp2g67p3wid2qarcyd8bzrbs9wg5lb-source/nixpatches",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/bjzsgw8zn4av0dv4sqyj7vxhi43na16y-source/nixpatches",
+        "path": "/nix/store/jblp2g67p3wid2qarcyd8bzrbs9wg5lb-source/nixpatches",
        "type": "path"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1674692158,
        "narHash": "sha256-oqGpwVg4D+eMSgF7Th5Ve1ysCiH3H3g85vGJ3nvJsZQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "def9e420d27c951026d57dc96ce0218c3131f412",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
        "lastModified": 1674352297,
        "narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
@@ -119,10 +82,8 @@
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "mobile-nixos": "mobile-nixos",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable",
        "nixpkgs-unpatched": "nixpkgs-unpatched",
        "sops-nix": "sops-nix",
        "uninsane-dot-org": "uninsane-dot-org"
@@ -133,7 +94,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1674546403,
@@ -157,11 +118,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1666870107,
+        "lastModified": 1675131883,
-        "narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
+        "narHash": "sha256-yBgJDG72YqIr1bltasqHD1E/kHc9uRFgDjxDmy6kI8M=",
        "ref": "refs/heads/master",
-        "rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
+        "rev": "b099c24091cc192abf3997b94342d4b31cc5757b",
-        "revCount": 164,
+        "revCount": 170,
        "type": "git",
        "url": "https://git.uninsane.org/colin/uninsane"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -19,7 +19,7 @@
  # but `inputs` is required to be a strict attrset: not an expression.
  inputs = {
    # <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
-    nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
+    # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
    # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
    nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
@@ -32,11 +32,6 @@
      url = "github:nixos/mobile-nixos";
      flake = false;
    };
    home-manager = {
      # <https://github.com/nix-community/home-manager/tree/release-22.05>
      url = "github:nix-community/home-manager?ref=release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      # <https://github.com/Mic92/sops-nix>
      url = "github:Mic92/sops-nix";
@@ -51,13 +46,12 @@
  outputs = {
    self,
    nixpkgs,
    nixpkgs-stable,
    nixpkgs-unpatched,
    mobile-nixos,
    home-manager,
    sops-nix,
-    uninsane-dot-org
+    uninsane-dot-org,
-  }:
+    ...
  }@inputs:
    let
      nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
@@ -123,9 +117,12 @@
        pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
        passthru =
          let
-            stable = next: prev: {
+            stable =
-              stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+              if inputs ? "nixpkgs-stable" then (
-            };
+                next: prev: {
                  stable = inputs.nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
                }
              ) else (next: prev: {});
            mobile = (import "${mobile-nixos}/overlay/overlay.nix");
            uninsane = uninsane-dot-org.overlay;
          in
@@ -138,7 +135,6 @@
        sane = import ./modules;
        passthru = { ... }: {
          imports = [
            home-manager.nixosModule
            sops-nix.nixosModules.sops
          ];
        };
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -54,7 +54,7 @@
    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
  };
-  sane.persist.home.plaintext = [
+  sane.user.persist.plaintext = [
    ".steam"
    ".local/share/Steam"
  ];
--- a/hosts/by-name/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@@ -10,7 +10,7 @@
  # sane.packages.enableDevPkgs = true;
-  # sane.users.guest.enable = true;
+  # sane.guest.enable = true;
  sane.gui.sway.enable = true;
  sane.persist.enable = true;
  sane.nixcache.enable = true;
--- a/hosts/by-name/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@@ -37,7 +37,7 @@
    # addons.sideberry.enable = false;
  };
-  sane.persist.home.plaintext = [
+  sane.user.persist.plaintext = [
    ".config/pulse"  # persist pulseaudio volume
  ];
--- a/hosts/by-name/servo/services/postfix.nix
+++ b/hosts/by-name/servo/services/postfix.nix
@@ -1,3 +1,6 @@
 # DOCS:
 # - dovecot config: <https://doc.dovecot.org/configuration_manual/>
 { config, lib, ... }:
 let
@@ -143,6 +146,25 @@ in
  # inspired by https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/
  services.dovecot2.enable = true;
  services.dovecot2.mailboxes = {
    # special-purpose mailboxes: "All" "Archive" "Drafts" "Flagged" "Junk" "Sent" "Trash"
    # RFC6154 describes these special mailboxes: https://www.ietf.org/rfc/rfc6154.html
    # how these boxes are treated is 100% up to the client and server to decide.
    # client behavior:
    # iOS
    #   - Drafts: ?
    #   - Sent: works
    #   - Trash: works
    # aerc
    #   - Drafts: works
    #   - Sent: works
    #   - Trash: no; deleted messages are actually deleted
    #       use `:move trash` instead
    # Sent mailbox: all sent messages are copied to it. unclear if this happens server-side or client-side.
    Drafts = { specialUse = "Drafts"; auto = "create"; };
    Sent = { specialUse = "Sent"; auto = "create"; };
    Trash = { specialUse = "Trash"; auto = "create"; };
  };
  services.dovecot2.sslServerCert = "/var/lib/acme/imap.uninsane.org/fullchain.pem";
  services.dovecot2.sslServerKey = "/var/lib/acme/imap.uninsane.org/key.pem";
  services.dovecot2.enablePAM = false;
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -10,26 +10,18 @@
    ./ids.nix
    ./machine-id.nix
    ./net.nix
    ./persist.nix
    ./programs.nix
    ./secrets.nix
    ./ssh.nix
    ./users.nix
    ./vpn.nix
  ];
  sane.home-manager.enable = true;
  sane.nixcache.enable-trusted-keys = true;
  sane.packages.enableConsolePkgs = true;
  sane.packages.enableSystemPkgs = true;
  sane.persist.sys.plaintext = [
    "/var/log"
    "/var/backup"  # for e.g. postgres dumps
    # TODO: move elsewhere
    "/var/lib/alsa"                # preserve output levels, default devices
    "/var/lib/colord"              # preserve color calibrations (?)
    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
  ];
  # some services which use private directories error if the parent (/var/lib/private) isn't 700.
  sane.fs."/var/lib/private".dir.acl.mode = "0700";
@@ -75,8 +67,20 @@
    # NIXOS_OZONE_WL = "1";
    # LIBGL_ALWAYS_SOFTWARE = "1";
  };
-  # enable zsh completions
+
-  environment.pathsToLink = [ "/share/zsh" ];
+  # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
  # find keys/values with `dconf dump /`
  programs.dconf.enable = true;
  programs.dconf.packages = [
    (pkgs.writeTextFile {
      name = "dconf-user-profile";
      destination = "/etc/dconf/profile/user";
      text = ''
        user-db:user
        system-db:site
      '';
    })
  ];
  # link debug symbols into /run/current-system/sw/lib/debug
  # hopefully picked up by gdb automatically?
--- a/hosts/common/home/aerc.nix
+++ b/hosts/common/home/aerc.nix
@@ -1,12 +1,11 @@
 # Terminal UI mail client
-{ config, lib, sane-lib, ... }:
+{ config, sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
  sops.secrets."aerc_accounts" = {
    owner = config.users.users.colin.name;
    sopsFile = ../../../secrets/universal/aerc_accounts.conf;
    format = "binary";
  };
-  sane.fs."/home/colin/.config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
+  sane.user.fs.".config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
 }
--- a/hosts/common/home/firefox.nix
+++ b/hosts/common/home/firefox.nix
@@ -145,7 +145,7 @@ in
    };
  };
-  config = lib.mkIf config.sane.home-manager.enable {
+  config = {
    # uBlock filter list configuration.
    # specifically, enable the GDPR cookie prompt blocker.
@@ -155,7 +155,7 @@ in
    # the specific attribute path is found via scraping ublock code here:
    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
-    sane.fs."/home/colin/${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
      {
       "name": "uBlock0@raymondhill.net",
       "description": "ignored",
@@ -165,7 +165,7 @@ in
       }
      }
    '';
-    sane.fs."/home/colin/${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
      // if we can't query the revocation status of a SSL cert because the issuer is offline,
      // treat it as unrevoked.
      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
@@ -174,17 +174,17 @@ in
    sane.packages.extraGuiPkgs = [ package ];
    # flush the cache to disk to avoid it taking up too much tmp
-    sane.persist.home.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
+    sane.user.persist.byPath."${cfg.browser.cacheDir}" = lib.mkIf (cfg.persistCache != null) {
      store = cfg.persistCache;
    };
-    sane.persist.home.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
+    sane.user.persist.byPath."${cfg.browser.dotDir}/default" = lib.mkIf (cfg.persistData != null) {
      store = cfg.persistData;
    };
-    sane.fs."/home/colin/${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
+    sane.user.fs."${cfg.browser.dotDir}/default" = sane-lib.fs.wantedDir;
    # instruct Firefox to put the profile in a predictable directory (so we can do things like persist just it).
    # XXX: the directory *must* exist, even if empty; Firefox will not create the directory itself.
-    sane.fs."/home/colin/${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
+    sane.user.fs."${cfg.browser.dotDir}/profiles.ini" = sane-lib.fs.wantedText ''
      [Profile0]
      Name=default
      IsRelative=1
--- a/hosts/common/home/gfeeds.nix
+++ b/hosts/common/home/gfeeds.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/org.gabmus.gfeeds.json" = sane-lib.fs.wantedText (
    builtins.toJSON {
      # feed format is a map from URL to a dict,
      #   with dict["tags"] a list of string tags.
--- a/hosts/common/home/git.nix
+++ b/hosts/common/home/git.nix
@@ -1,11 +1,10 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ lib, pkgs, sane-lib, ... }:
 let
  mkCfg = lib.generators.toINI { };
 in
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.fs."/home/colin/.config/git/config" = sane-lib.fs.wantedText (mkCfg {
+  sane.user.fs.".config/git/config" = sane-lib.fs.wantedText (mkCfg {
    user.name = "Colin";
    user.email = "colin@uninsane.org";
    alias.co = "checkout";
--- a/hosts/common/home/gpodder.nix
+++ b/hosts/common/home/gpodder.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/gpodderFeeds.opml" = sane-lib.fs.wantedText (
    feeds.feedsToOpml wanted-feeds
  );
 }
--- a/hosts/common/home/keyring.nix
+++ b/hosts/common/home/keyring.nix
@@ -1,11 +1,11 @@
-{ config, lib, sane-lib, ... }:
+{ config, sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.persist.home.private = [ ".local/share/keyrings" ];
+  sane.user.persist.private = [ ".local/share/keyrings" ];
-  sane.fs."/home/colin/private/.local/share/keyrings/default" = {
+  sane.user.fs."private/.local/share/keyrings/default" = {
    generated.script.script = builtins.readFile ../../../scripts/init-keyring;
    # TODO: is this `wantedBy` needed? can we inherit it?
    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
  };
 }
--- a/hosts/common/home/kitty.nix
+++ b/hosts/common/home/kitty.nix
@@ -1,8 +1,7 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ pkgs, sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.fs."/home/colin/.config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/kitty/kitty.conf" = sane-lib.fs.wantedText ''
    # docs: https://sw.kovidgoyal.net/kitty/conf/
    # disable terminal bell (when e.g. you backspace too many times)
    enable_audio_bell no
--- a/hosts/common/home/libreoffice.nix
+++ b/hosts/common/home/libreoffice.nix
@@ -1,9 +1,8 @@
-{ config, lib, sane-lib, ... }:
+{ sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
  # libreoffice: disable first-run stuff
-  sane.fs."/home/colin/.config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/libreoffice/4/user/registrymodifications.xcu" = sane-lib.fs.wantedText ''
    <?xml version="1.0" encoding="UTF-8"?>
    <oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="FirstRun" oor:op="fuse"><value>false</value></prop></item>
--- a/hosts/common/home/mime.nix
+++ b/hosts/common/home/mime.nix
@@ -1,4 +1,4 @@
-{ config, lib, sane-lib, ...}:
+{ config, sane-lib, ...}:
 let
  www = config.sane.web-browser.browser.desktop;
@@ -9,7 +9,6 @@ let
  # audio = "mpv.desktop";
  audio = "vlc.desktop";
 in
 lib.mkIf config.sane.home-manager.enable
 {
  # the xdg mime type for a file can be found with:
--- a/hosts/common/home/mpv.nix
+++ b/hosts/common/home/mpv.nix
@@ -1,9 +1,8 @@
-{ config, lib, sane-lib, ... }:
+{ sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
  # format is <key>=%<length>%<value>
-  sane.fs."/home/colin/.config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/mpv/mpv.conf" = sane-lib.fs.wantedText ''
    save-position-on-quit=%3%yes
    keep-open=%3%yes
  '';
--- a/hosts/common/home/neovim.nix
+++ b/hosts/common/home/neovim.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, pkgs, ... }:
 let
  inherit (builtins) map;
@@ -70,10 +70,9 @@ let
  plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
  plugin-config-lua = concatMapStrings (p: optionalString (p.type or "" == "lua") p.config) plugins;
 in
 lib.mkIf config.sane.home-manager.enable
 {
  # private because there could be sensitive things in the swap
-  sane.persist.home.private = [ ".cache/vim-swap" ];
+  sane.user.persist.private = [ ".cache/vim-swap" ];
  programs.neovim = {
    # neovim: https://github.com/neovim/neovim
--- a/hosts/common/home/newsflash.nix
+++ b/hosts/common/home/newsflash.nix
@@ -6,7 +6,7 @@ let
  all-feeds = config.sane.feeds;
  wanted-feeds = feeds.filterByFormat ["text" "image"] all-feeds;
 in {
-  sane.fs."/home/colin/.config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
+  sane.user.fs.".config/newsflashFeeds.opml" = sane-lib.fs.wantedText (
    feeds.feedsToOpml wanted-feeds
  );
 }
--- a/hosts/common/home/splatmoji.nix
+++ b/hosts/common/home/splatmoji.nix
@@ -4,9 +4,9 @@
 { pkgs, sane-lib, ... }:
 {
-  sane.persist.home.plaintext = [ ".local/state/splatmoji" ];
+  sane.user.persist.plaintext = [ ".local/state/splatmoji" ];
-  sane.fs."/home/colin/.config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/splatmoji/splatmoji.config" = sane-lib.fs.wantedText ''
-    history_file=/home/colin/.local/state/splatmoji/history
+    history_file=~/.local/state/splatmoji/history
    history_length=5
    # TODO: wayland equiv
    paste_command=xdotool key ctrl+v
--- a/hosts/common/home/ssh.nix
+++ b/hosts/common/home/ssh.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ config, lib, sane-lib, ... }:
 with lib;
 let
@@ -9,11 +9,12 @@ let
    "\n"
    (map (k: k.asHostKey) host-keys)
  ;
-in lib.mkIf config.sane.home-manager.enable {
+in
 {
  # ssh key is stored in private storage
-  sane.persist.home.private = [ ".ssh/id_ed25519" ];
+  sane.user.persist.private = [ ".ssh/id_ed25519" ];
-  sane.fs."/home/colin/.ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+  sane.user.fs.".ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
-  sane.fs."/home/colin/.ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
+  sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
  users.users.colin.openssh.authorizedKeys.keys =
  let
--- a/hosts/common/home/sublime-music.nix
+++ b/hosts/common/home/sublime-music.nix
@@ -1,6 +1,5 @@
-{ config, lib, sane-lib, ... }:
+{ config, sane-lib, ... }:
 lib.mkIf config.sane.home-manager.enable
 {
  # TODO: this should only be shipped on gui platforms
  sops.secrets."sublime_music_config" = {
@@ -8,5 +7,5 @@ lib.mkIf config.sane.home-manager.enable
    sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
    format = "binary";
  };
-  sane.fs."/home/colin/.config/sublime-music/config.json" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.sublime_music_config.path;
+  sane.user.fs.".config/sublime-music/config.json" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.sublime_music_config.path;
 }
--- a/hosts/common/home/vlc.nix
+++ b/hosts/common/home/vlc.nix
@@ -8,9 +8,8 @@ let
    builtins.map (feed: feed.url) wanted-feeds
  );
 in
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.fs."/home/colin/.config/vlc/vlcrc" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/vlc/vlcrc" = sane-lib.fs.wantedText ''
    [podcast]
    podcast-urls=${podcast-urls}
    [core]
--- a/hosts/common/home/xdg-dirs.nix
+++ b/hosts/common/home/xdg-dirs.nix
@@ -1,10 +1,9 @@
-{ config, lib, sane-lib, ...}:
+{ lib, sane-lib, ...}:
 lib.mkIf config.sane.home-manager.enable
 {
  # XDG defines things like ~/Desktop, ~/Downloads, etc.
  # these clutter the home, so i mostly don't use them.
-  sane.fs."/home/colin/.config/user-dirs.dirs" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/user-dirs.dirs" = sane-lib.fs.wantedText ''
    XDG_DESKTOP_DIR="$HOME/.xdg/Desktop"
    XDG_DOCUMENTS_DIR="$HOME/dev"
    XDG_DOWNLOAD_DIR="$HOME/tmp"
@@ -17,5 +16,5 @@ lib.mkIf config.sane.home-manager.enable
  # prevent `xdg-user-dirs-update` from overriding/updating our config
  # see <https://manpages.ubuntu.com/manpages/bionic/man5/user-dirs.conf.5.html>
-  sane.fs."/home/colin/.config/user-dirs.conf" = sane-lib.fs.wantedText "enabled=False";
+  sane.user.fs.".config/user-dirs.conf" = sane-lib.fs.wantedText "enabled=False";
 }
--- a/hosts/common/home/zsh/default.nix
+++ b/hosts/common/home/zsh/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, sane-lib, ... }:
+{ pkgs, sane-lib, ... }:
 let
  # powerlevel10k prompt config
@@ -25,9 +25,8 @@ let
    source ${pkgs.zsh-prezto}/share/zsh-prezto/init.zsh
  '';
 in
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.persist.home.plaintext = [
+  sane.user.persist.plaintext = [
    # we don't need to full zsh dir -- just the history file --
    # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
    # TODO: should be private?
@@ -37,7 +36,10 @@ lib.mkIf config.sane.home-manager.enable
  ];
  # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
-  sane.fs."/home/colin/.config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
+  sane.user.fs.".config/zsh/.zshrc" = sane-lib.fs.wantedText "# ";
  # enable zsh completions
  environment.pathsToLink = [ "/share/zsh" ];
  programs.zsh = {
    enable = true;
@@ -105,7 +107,7 @@ lib.mkIf config.sane.home-manager.enable
  # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
  # see: https://github.com/sorin-ionescu/prezto
  # i believe this file is auto-sourced by the prezto init.zsh script.
-  sane.fs."/home/colin/.config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
+  sane.user.fs.".config/zsh/.zpreztorc" = sane-lib.fs.wantedText ''
    zstyle ':prezto:*:*' color 'yes'
    # modules (they ship with prezto):
--- a/hosts/common/persist.nix
+++ b/hosts/common/persist.nix
@@ -0,0 +1,16 @@
 { ... }:
 {
  sane.persist.stores.private.origin = "/home/colin/private";
  # store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
  sane.persist.stores.private.prefix = "/home/colin";
  sane.persist.sys.plaintext = [
    "/var/log"
    "/var/backup"  # for e.g. postgres dumps
    # TODO: move elsewhere
    "/var/lib/alsa"                # preserve output levels, default devices
    "/var/lib/colord"              # preserve color calibrations (?)
    "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
  ];
 }
--- a/hosts/common/programs.nix
+++ b/hosts/common/programs.nix
@@ -0,0 +1,21 @@
 { pkgs, ... }:
 {
  sane.programs = {
    btrfs-progs.enableFor.system = true;
    # "cacert.unbundled".enableFor.system = true;
    cryptsetup.enableFor.system = true;
    dig = {
      enableFor.system = true;
      suggestedPrograms = [ "efibootmgr" ];
    };
    efibootmgr = {};
    fatresize = {};
    backblaze-b2.enableFor.user.colin = true;
    cdrtools = {
      enableFor.user.colin = true;
      suggestedPrograms = [ "dmidecode" ];
    };
    dmidecode = {};
  };
 }
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -3,12 +3,12 @@
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 with lib;
 let
-  cfg = config.sane.users;
+  cfg = config.sane.guest;
  fs = sane-lib.fs;
 in
 {
  options = {
-    sane.users.guest.enable = mkOption {
+    sane.guest.enable = mkOption {
      default = false;
      type = types.bool;
    };
@@ -49,6 +49,8 @@ in
      shell = pkgs.zsh;
      packages = builtins.map (p: p.pkg) config.sane.packages.enabledUserPkgs;
      # mount encrypted stuff at login
      # some other nix pam users:
      # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
@@ -66,6 +68,7 @@ in
    security.pam.mount.enable = true;
    sane.users.colin.default = true;
    # ensure ~ perms are known to sane.fs module.
    # TODO: this is generic enough to be lifted up into sane.fs itself.
    sane.fs."/home/colin".dir.acl = {
@@ -74,7 +77,7 @@ in
      mode = config.users.users.colin.homeMode;
    };
-    sane.persist.home.plaintext = [
+    sane.user.persist.plaintext = [
      "archive"
      "dev"
      # TODO: records should be private
@@ -93,20 +96,20 @@ in
    ];
    # convenience
-    sane.fs."/home/colin/knowledge" = fs.wantedSymlinkTo "/home/colin/private/knowledge";
+    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
-    sane.fs."/home/colin/nixos" = fs.wantedSymlinkTo "/home/colin/dev/nixos";
+    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
-    sane.fs."/home/colin/Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
+    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.fs."/home/colin/Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
+    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
-    sane.fs."/home/colin/Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
+    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
    # used by password managers, e.g. unix `pass`
-    sane.fs."/home/colin/.password-store" = fs.wantedSymlinkTo "/home/colin/knowledge/secrets/accounts";
+    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
-    sane.persist.sys.plaintext = mkIf cfg.guest.enable [
+    sane.persist.sys.plaintext = mkIf cfg.enable [
      # intentionally allow other users to write to the guest folder
      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
    ];
-    users.users.guest = mkIf cfg.guest.enable {
+    users.users.guest = mkIf cfg.enable {
      isNormalUser = true;
      home = "/home/guest";
      subUidRanges = [
--- a/hosts/modules/default.nix
+++ b/hosts/modules/default.nix
@@ -3,10 +3,13 @@
 {
  imports = [
    ./derived-secrets.nix
    ./gui
    ./hardware
    ./hostnames.nix
    ./hosts.nix
    ./nixcache.nix
    ./roles
    ./services
    ./wg-home.nix
  ];
 }
--- a/hosts/modules/gui/default.nix
+++ b/hosts/modules/gui/default.nix
@@ -1,7 +1,7 @@
 { lib, config, ... }:
 with lib;
 let
  inherit (lib) mkDefault mkIf mkOption types;
  cfg = config.sane.gui;
 in
 {
@@ -14,15 +14,19 @@ in
  ];
  options = {
    # doesn't directly create outputs. consumed by e.g. home-manager.nix module
    sane.gui.enable = mkOption {
      default = false;
      type = types.bool;
      description = ''
        enables config used by any GUI, like display management or select packages.
        the user should prefer to interact with specific GUIs like `sane.gui.sway`
        and let those modules auto-set this flag when necessary.
      '';
    };
  };
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
-    sane.packages.enableGuiPkgs = lib.mkDefault true;
+    sane.packages.enableGuiPkgs = mkDefault true;
    # preserve backlight brightness across power cycles
    # see `man systemd-backlight`
--- a/hosts/modules/gui/gnome.nix
+++ b/hosts/modules/gui/gnome.nix
@@ -25,7 +25,7 @@ in
    networking.networkmanager.enable = true;
    networking.wireless.enable = lib.mkForce false;
  };
-  # home-mananger.users.colin extras
+  # user extras:
  # obtain these by running `dconf dump /` after manually customizing gnome
  # TODO: fix "is not of type `GVariant value'"
  # dconf.settings = lib.mkIf (gui == "gnome") {
--- a/hosts/modules/gui/phosh.nix
+++ b/hosts/modules/gui/phosh.nix
@@ -59,6 +59,24 @@ in
        NIXOS_OZONE_WL = "1";
      };
      programs.dconf.packages = [
        (pkgs.writeTextFile {
          name = "dconf-phosh-settings";
          destination = "/etc/dconf/db/site.d/00_phosh_settings";
          text = ''
            [org/gnome/desktop/interface]
            show-battery-percentage=true
            [org/gnome/settings-daemon/plugins/power]
            sleep-inactive-ac-timeout=5400
            sleep-inactive-battery-timeout=5400
            [sm/puri/phosh]
            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.kde.konsole.desktop']
          '';
        })
      ];
      sane.packages.extraUserPkgs = with pkgs; [
        phosh-mobile-settings
--- a/hosts/modules/gui/plasma-mobile.nix
+++ b/hosts/modules/gui/plasma-mobile.nix
--- a/hosts/modules/gui/plasma.nix
+++ b/hosts/modules/gui/plasma.nix
--- a/hosts/modules/gui/snippets.txt
+++ b/hosts/modules/gui/snippets.txt
--- a/hosts/modules/gui/sway.nix
+++ b/hosts/modules/gui/sway.nix
@@ -0,0 +1,642 @@
 { config, lib, pkgs, sane-lib, ... }:
 # docs: https://nixos.wiki/wiki/Sway
 with lib;
 let
  cfg = config.sane.gui.sway;
  # docs: https://github.com/Alexays/Waybar/wiki/Configuration
  # format specifiers: https://fmt.dev/latest/syntax.html#syntax
  waybar-config = [
    { # TOP BAR
      layer = "top";
      height = 40;
      modules-left = ["sway/workspaces" "sway/mode"];
      modules-center = ["sway/window"];
      modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
      "sway/window" = {
        max-length = 50;
      };
      # include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
      "custom/mediaplayer" = {
        exec = pkgs.writeShellScript "waybar-mediaplayer" ''
          player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
          if [ "$player_status" = "Playing" ]; then
            echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
          elif [ "$player_status" = "Paused" ]; then
            echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
          fi
        '';
        interval = 2;
        format = "{}  ";
        # return-type = "json";
        on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
        on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
        on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
      };
      network = {
        # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
        interval = 2;
        max-length = 40;
        # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
        format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
        format-disconnected = "";
      };
      cpu = {
        format = " {usage:2}%";
        tooltip = false;
      };
      battery = {
        states = {
          good = 95;
          warning = 30;
          critical = 10;
        };
        format = "{icon} {capacity}%";
        format-icons = [
          ""
          ""
          ""
          ""
          ""
        ];
      };
      clock = {
        format-alt = "{:%a, %d. %b  %H:%M}";
      };
    }
  ];
  # waybar-config-text = lib.generators.toJSON {} waybar-config;
  waybar-config-text = (pkgs.formats.json {}).generate "waybar-config.json" waybar-config;
  # bare sway launcher
  sway-launcher = pkgs.writeShellScriptBin "sway-launcher" ''
    ${pkgs.sway}/bin/sway --debug > /tmp/sway.log 2>&1
  '';
  # start sway and have it construct the gtkgreeter
  sway-as-greeter = pkgs.writeShellScriptBin "sway-as-greeter" ''
    ${pkgs.sway}/bin/sway --debug --config ${sway-config-into-gtkgreet} > /tmp/sway-as-greeter.log 2>&1
  '';
  # (config file for the above)
  sway-config-into-gtkgreet = pkgs.writeText "greetd-sway-config" ''
    exec "${gtkgreet-launcher}"
  '';
  # gtkgreet which launches a layered sway instance
  gtkgreet-launcher = pkgs.writeShellScript "gtkgreet-launcher" ''
    # NB: the "command" field here is run in the user's shell.
    # so that command must exist on the specific user's path who is logging in. it doesn't need to exist system-wide.
    ${pkgs.greetd.gtkgreet}/bin/gtkgreet --layer-shell --command sway-launcher
  '';
  greeter-session = {
    # greeter session config
    command = "${sway-as-greeter}/bin/sway-as-greeter";
    # alternatives:
    # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
    # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
    # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
  };
  greeterless-session = {
    # no greeter
    command = "${sway-launcher}/bin/sway-launcher";
    user = "colin";
  };
 in
 {
  options = {
    sane.gui.sway.enable = mkOption {
      default = false;
      type = types.bool;
    };
    sane.gui.sway.useGreeter = mkOption {
      description = ''
        launch sway via a greeter (like greetd's gtkgreet).
        sway is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = true;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
    sane.gui.enable = true;
    # swap in these lines to use SDDM instead of `services.greetd`.
    # services.xserver.displayManager.sddm.enable = true;
    # services.xserver.enable = true;
    services.greetd = {
      # greetd source/docs:
      # - <https://git.sr.ht/~kennylevinsen/greetd>
      enable = true;
      settings = {
        default_session = if cfg.useGreeter then greeter-session else greeterless-session;
      };
    };
    # we need the greeter's command to be on our PATH
    users.users.colin.packages = [ sway-launcher ];
    # some programs (e.g. fractal) **require** a "Secret Service Provider"
    services.gnome.gnome-keyring.enable = true;
    # unlike other DEs, sway configures no audio stack
    # administer with pw-cli, pw-mon, pw-top commands
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;  # ??
      pulse.enable = true;
    };
    networking.useDHCP = false;
    networking.networkmanager.enable = true;
    networking.wireless.enable = lib.mkForce false;
    hardware.bluetooth.enable = true;
    services.blueman.enable = true;
    # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
    services.gnome.gnome-settings-daemon.enable = true;
    # start the components of gsd we need at login
    systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
    # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
    # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
    # it doesn't actually seem to need ANY of them in the first place T_T
    systemd.user.targets."gnome-session-initialized".enable = false;
    # bluez can't connect to audio devices unless pipewire is running.
    # a system service can't depend on a user service, so just launch it at graphical-session
    systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
    programs.sway = {
      enable = true;
      wrapperFeatures.gtk = true;
    };
    sane.user.fs.".config/sway/config" =
      let
        fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
        sed = "${pkgs.gnused}/bin/sed";
        wtype = "${pkgs.wtype}/bin/wtype";
        kitty = "${pkgs.kitty}/bin/kitty";
        launcher-cmd = fuzzel;
        terminal-cmd = kitty;
        lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
        vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
        vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
        mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
        brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
        brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
        screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
        # "bookmarking"/snippets inspired by Luke Smith:
        # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
        snip-file = ./snippets.txt;
        # TODO: querying sops here breaks encapsulation
        list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
        strip-comments = "${sed} 's/ #.*$//'";
        snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
        # TODO: next splatmoji release should allow `-s none` to disable skin tones
        emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
      in sane-lib.fs.wantedText ''
        ### default font
        font pango:monospace 8
        ### pixel boundary between windows
        default_border pixel 3
        default_floating_border pixel 2
        hide_edge_borders smart
        ### defaults
        focus_wrapping no
        focus_follows_mouse yes
        focus_on_window_activation smart
        mouse_warping output
        workspace_layout default
        workspace_auto_back_and_forth no
        ### default colors (#border #background #text #indicator #childBorder)
        client.focused #4c7899 #285577 #ffffff #2e9ef4 #285577
        client.focused_inactive #333333 #5f676a #ffffff #484e50 #5f676a
        client.unfocused #333333 #222222 #888888 #292d2e #222222
        client.urgent #2f343a #900000 #ffffff #900000 #900000
        client.placeholder #000000 #0c0c0c #ffffff #000000 #0c0c0c
        client.background #ffffff
        ### key bindings
        floating_modifier Mod1
        ## media keys
        bindsym XF86AudioRaiseVolume exec ${vol-up-cmd}
        bindsym XF86AudioLowerVolume exec ${vol-down-cmd}
        bindsym Mod1+Page_Up exec ${vol-up-cmd}
        bindsym Mod1+Page_Down exec ${vol-down-cmd}
        bindsym XF86AudioMute exec ${mute-cmd}
        bindsym XF86MonBrightnessUp exec ${brightness-up-cmd}
        bindsym XF86MonBrightnessDown exec ${brightness-down-cmd}
        ## special functions
        bindsym Mod1+Print exec ${screenshot-cmd}
        bindsym Mod1+l exec ${lock-cmd}
        bindsym Mod1+s exec ${snip-cmd}
        bindsym Mod1+slash exec ${emoji-cmd}
        bindsym Mod1+d exec ${launcher-cmd}
        bindsym Mod1+Return exec ${terminal-cmd}
        bindsym Mod1+Shift+q kill
        bindsym Mod1+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'
        bindsym Mod1+Shift+c reload
        ## layout
        bindsym Mod1+b splith
        bindsym Mod1+v splitv
        bindsym Mod1+f fullscreen toggle
        bindsym Mod1+a focus parent
        bindsym Mod1+w layout tabbed
        bindsym Mod1+e layout toggle split
        bindsym Mod1+Shift+space floating toggle
        bindsym Mod1+space focus mode_toggle
        bindsym Mod1+r mode resize
        ## movement
        bindsym Mod1+Up focus up
        bindsym Mod1+Down focus down
        bindsym Mod1+Left focus left
        bindsym Mod1+Right focus right
        bindsym Mod1+Shift+Up move up
        bindsym Mod1+Shift+Down move down
        bindsym Mod1+Shift+Left move left
        bindsym Mod1+Shift+Right move right
        ## workspaces
        bindsym Mod1+1 workspace number 1
        bindsym Mod1+2 workspace number 2
        bindsym Mod1+3 workspace number 3
        bindsym Mod1+4 workspace number 4
        bindsym Mod1+5 workspace number 5
        bindsym Mod1+6 workspace number 6
        bindsym Mod1+7 workspace number 7
        bindsym Mod1+8 workspace number 8
        bindsym Mod1+9 workspace number 9
        bindsym Mod1+Shift+1 move container to workspace number 1
        bindsym Mod1+Shift+2 move container to workspace number 2
        bindsym Mod1+Shift+3 move container to workspace number 3
        bindsym Mod1+Shift+4 move container to workspace number 4
        bindsym Mod1+Shift+5 move container to workspace number 5
        bindsym Mod1+Shift+6 move container to workspace number 6
        bindsym Mod1+Shift+7 move container to workspace number 7
        bindsym Mod1+Shift+8 move container to workspace number 8
        bindsym Mod1+Shift+9 move container to workspace number 9
        ## "scratchpad" = ??
        bindsym Mod1+Shift+minus move scratchpad
        bindsym Mod1+minus scratchpad show
        ### defaults
        mode "resize" {
          bindsym Down resize grow height 10 px
          bindsym Escape mode default
          bindsym Left resize shrink width 10 px
          bindsym Return mode default
          bindsym Right resize grow width 10 px
          bindsym Up resize shrink height 10 px
          bindsym h resize shrink width 10 px
          bindsym j resize grow height 10 px
          bindsym k resize shrink height 10 px
          bindsym l resize grow width 10 px
        }
        ### lightly modified bars
        bar {
          # TODO: fonts was:
          #   config.fonts.fontconfig.defaultFonts; (monospace ++ emoji)
          font pango:Hack, Font Awesome 6 Free, Twitter Color Emoji 24.000000
          mode dock
          hidden_state hide
          position top
          status_command ${pkgs.i3status}/bin/i3status
          swaybar_command ${pkgs.waybar}/bin/waybar
          workspace_buttons yes
          strip_workspace_numbers no
          tray_output primary
          colors {
            background #000000
            statusline #ffffff
            separator #666666
            #  #border #background #text
            focused_workspace #4c7899 #285577 #ffffff
            active_workspace #333333 #5f676a #ffffff
            inactive_workspace #333333 #222222 #888888
            urgent_workspace #2f343a #900000 #ffffff
            binding_mode #2f343a #900000 #ffffff
        }
        }
        ### displays
        ## DESKTOP
        output "Samsung Electric Company S22C300 0x00007F35" {
        pos 0,0
        res 1920x1080
        }
        output "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" {
        pos 1920,0
        res 3440x1440
        }
        ## LAPTOP
        # sh/en TV
        output "Pioneer Electronic Corporation VSX-524 0x00000101" {
        pos 0,0
        res 1920x1080
        }
        # internal display
        output "Unknown 0x0637 0x00000000" {
        pos 1920,0
        res 1920x1080
        }
      '';
    sane.user.fs.".config/waybar/config" = sane-lib.fs.wantedSymlinkTo waybar-config-text;
    # style docs: https://github.com/Alexays/Waybar/wiki/Styling
    sane.user.fs.".config/waybar/style.css" = sane-lib.fs.wantedText ''
      * {
        font-family: monospace;
      }
      /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
      window#waybar {
        background-color: rgba(43, 48, 59, 0.5);
        border-bottom: 3px solid rgba(100, 114, 125, 0.5);
        color: #ffffff;
        transition-property: background-color;
        transition-duration: .5s;
      }
      window#waybar.hidden {
        opacity: 0.2;
      }
      /*
      window#waybar.empty {
        background-color: transparent;
      }
      window#waybar.solo {
        background-color: #FFFFFF;
      }
      */
      window#waybar.termite {
        background-color: #3F3F3F;
      }
      window#waybar.chromium {
        background-color: #000000;
        border: none;
      }
      #workspaces button {
        padding: 0 5px;
        background-color: transparent;
        color: #ffffff;
        /* Use box-shadow instead of border so the text isn't offset */
        box-shadow: inset 0 -3px transparent;
        /* Avoid rounded borders under each workspace name */
        border: none;
        border-radius: 0;
      }
      /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
      #workspaces button:hover {
        background: rgba(0, 0, 0, 0.2);
        box-shadow: inset 0 -3px #ffffff;
      }
      #workspaces button.focused {
        background-color: #64727D;
        box-shadow: inset 0 -3px #ffffff;
      }
      #workspaces button.urgent {
        background-color: #eb4d4b;
      }
      #mode {
        background-color: #64727D;
        border-bottom: 3px solid #ffffff;
      }
      #clock,
      #battery,
      #cpu,
      #memory,
      #disk,
      #temperature,
      #backlight,
      #network,
      #pulseaudio,
      #custom-media,
      #tray,
      #mode,
      #idle_inhibitor,
      #mpd {
        padding: 0 10px;
        color: #ffffff;
      }
      #window,
      #workspaces {
        margin: 0 4px;
      }
      /* If workspaces is the leftmost module, omit left margin */
      .modules-left > widget:first-child > #workspaces {
        margin-left: 0;
      }
      /* If workspaces is the rightmost module, omit right margin */
      .modules-right > widget:last-child > #workspaces {
        margin-right: 0;
      }
      #clock {
        background-color: #64727D;
      }
      #battery {
        background-color: #ffffff;
        color: #000000;
      }
      #battery.charging, #battery.plugged {
        color: #ffffff;
        background-color: #26A65B;
      }
      @keyframes blink {
        to {
          background-color: #ffffff;
          color: #000000;
        }
      }
      #battery.critical:not(.charging) {
        background-color: #f53c3c;
        color: #ffffff;
        animation-name: blink;
        animation-duration: 0.5s;
        animation-timing-function: linear;
        animation-iteration-count: infinite;
        animation-direction: alternate;
      }
      label:focus {
        background-color: #000000;
      }
      #cpu {
        background-color: #2ecc71;
        color: #000000;
      }
      #memory {
        background-color: #9b59b6;
      }
      #disk {
        background-color: #964B00;
      }
      #backlight {
        background-color: #90b1b1;
      }
      #network {
        background-color: #2980b9;
      }
      #network.disconnected {
        background-color: #f53c3c;
      }
      #pulseaudio {
        background-color: #f1c40f;
        color: #000000;
      }
      #pulseaudio.muted {
        background-color: #90b1b1;
        color: #2a5c45;
      }
      #custom-media {
        background-color: #66cc99;
        color: #2a5c45;
        min-width: 100px;
      }
      #custom-media.custom-spotify {
        background-color: #66cc99;
      }
      #custom-media.custom-vlc {
        background-color: #ffa000;
      }
      #temperature {
        background-color: #f0932b;
      }
      #temperature.critical {
        background-color: #eb4d4b;
      }
      #tray {
        background-color: #2980b9;
      }
      #tray > .passive {
        -gtk-icon-effect: dim;
      }
      #tray > .needs-attention {
        -gtk-icon-effect: highlight;
        background-color: #eb4d4b;
      }
      #idle_inhibitor {
        background-color: #2d3436;
      }
      #idle_inhibitor.activated {
        background-color: #ecf0f1;
        color: #2d3436;
      }
      #mpd {
        background-color: #66cc99;
        color: #2a5c45;
      }
      #mpd.disconnected {
        background-color: #f53c3c;
      }
      #mpd.stopped {
        background-color: #90b1b1;
      }
      #mpd.paused {
        background-color: #51a37a;
      }
      #language {
        background: #00b093;
        color: #740864;
        padding: 0 5px;
        margin: 0 5px;
        min-width: 16px;
      }
      #keyboard-state {
        background: #97e1ad;
        color: #000000;
        padding: 0 0px;
        margin: 0 5px;
        min-width: 16px;
      }
      #keyboard-state > label {
        padding: 0 5px;
      }
      #keyboard-state > label.locked {
        background: rgba(0, 0, 0, 0.2);
      }
    '';
    # style = ''
    #   * {
    #     border: none;
    #     border-radius: 0;
    #     font-family: Source Code Pro;
    #   }
    #   window#waybar {
    #     background: #16191C;
    #     color: #AAB2BF;
    #   }
    #   #workspaces button {
    #     padding: 0 5px;
    #   }
    #   .custom-spotify {
    #     padding: 0 10px;
    #     margin: 0 4px;
    #     background-color: #1DB954;
    #     color: black;
    #   }
    # '';
    sane.packages.extraUserPkgs = with pkgs; [
      swaylock
      swayidle  # (unused)
      wl-clipboard
      mako # notification daemon
      xdg-utils  # for xdg-open
      # user stuff
      # pavucontrol
      sway-contrib.grimshot
      gnome.gnome-bluetooth
      gnome.gnome-control-center
    ];
  };
 }
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
--- a/hosts/modules/services/default.nix
+++ b/hosts/modules/services/default.nix
@@ -0,0 +1,6 @@
 { ... }:
 {
  imports = [
    ./duplicity.nix
  ];
 }
--- a/hosts/modules/services/duplicity.nix
+++ b/hosts/modules/services/duplicity.nix
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,16 +4,15 @@
  imports = [
    ./feeds.nix
    ./fs
    ./gui
    ./home-manager
    ./ids.nix
    ./packages.nix
    ./programs.nix
    ./image.nix
    ./nixcache.nix
    ./persist
    ./services
    ./sops.nix
    ./ssh.nix
    ./users.nix
  ];
  _module.args =  {
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -1,650 +0,0 @@
 { pkgs, lib, config, ... }:
 # docs: https://nixos.wiki/wiki/Sway
 with lib;
 let
  cfg = config.sane.gui.sway;
 in
 {
  options = {
    sane.gui.sway.enable = mkOption {
      default = false;
      type = types.bool;
    };
    sane.gui.sway.useGreeter = mkOption {
      description = ''
        launch sway via a greeter (like greetd's gtkgreet).
        sway is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = true;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
    sane.gui.enable = true;
    programs.sway = {
      # we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
      enable = true;
    };
    # instead of using `services.greetd`, can instead use SDDM by swapping in these lines.
    # services.xserver.displayManager.sddm.enable = true;
    # services.xserver.enable = true;
    services.greetd = let
      swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
        # `-l` activates layer-shell mode.
        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
      '';
      default_session = {
        "01" = {
          # greeter session config
          command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
          # alternatives:
          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
        };
        "0" = {
          # no greeter
          command = "${pkgs.sway}/bin/sway";
          user = "colin";
        };
      };
    in {
      # greetd source/docs:
      # - <https://git.sr.ht/~kennylevinsen/greetd>
      enable = true;
      settings = {
        default_session = default_session."0${builtins.toString cfg.useGreeter}";
      };
    };
    # some programs (e.g. fractal) **require** a "Secret Service Provider"
    services.gnome.gnome-keyring.enable = true;
    # unlike other DEs, sway configures no audio stack
    # administer with pw-cli, pw-mon, pw-top commands
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;  # ??
      pulse.enable = true;
    };
    networking.useDHCP = false;
    networking.networkmanager.enable = true;
    networking.wireless.enable = lib.mkForce false;
    hardware.bluetooth.enable = true;
    services.blueman.enable = true;
    # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
    services.gnome.gnome-settings-daemon.enable = true;
    # start the components of gsd we need at login
    systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
    # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
    # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
    # it doesn't actually seem to need ANY of them in the first place T_T
    systemd.user.targets."gnome-session-initialized".enable = false;
    # bluez can't connect to audio devices unless pipewire is running.
    # a system service can't depend on a user service, so just launch it at graphical-session
    systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
    sane.home-manager.windowManager.sway = {
      enable = true;
      wrapperFeatures.gtk = true;
      config = let
        fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
        sed = "${pkgs.gnused}/bin/sed";
        wtype = "${pkgs.wtype}/bin/wtype";
        kitty = "${pkgs.kitty}/bin/kitty";
        lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
        vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
        vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
        mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
        brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
        brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
        screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
        # "bookmarking"/snippets inspired by Luke Smith:
        # - <https://www.youtube.com/watch?v=d_11QaTlf1I>
        snip-file = ./snippets.txt;
        # TODO: querying sops here breaks encapsulation
        list-snips = "cat ${snip-file} ${config.sops.secrets.snippets.path}";
        strip-comments = "${sed} 's/ #.*$//'";
        snip-cmd = "${wtype} $(${list-snips} | ${fuzzel} -d -i -w 60 | ${strip-comments})";
        # TODO: next splatmoji release should allow `-s none` to disable skin tones
        emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
      in rec {
        terminal = kitty;
        window = {
          border = 3; # pixel boundary between windows
          hideEdgeBorders = "smart"; # don't show border if only window on workspace
        };
        output = {
          ### DESKTOP
          "Samsung Electric Company S22C300 0x00007F35" = { pos = "0,0"; res = "1920x1080"; };
          "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" = { pos = "1920,0"; res = "3440x1440"; };
          ### LAPTOP
          # shen TV
          "Pioneer Electronic Corporation VSX-524 0x00000101" = { pos = "0,0"; res = "1920x1080"; };
          # internal display
          "Unknown 0x0637 0x00000000" = { pos = "1920,0"; res = "1920x1080"; };
        };
        # defaults; required for keybindings decl.
        modifier = "Mod1";
        # list of launchers: https://www.reddit.com/r/swaywm/comments/v39hxa/your_favorite_launcher/
        # menu = "${pkgs.dmenu}/bin/dmenu_path";
        menu = fuzzel;
        # menu = "${pkgs.albert}/bin/albert";
        left = "h";
        down = "j";
        up = "k";
        right = "l";
        # XKB key names: https://wiki.linuxquestions.org/wiki/List_of_Keysyms_Recognised_by_Xmodmap
        keybindings = {
          "${modifier}+Return" = "exec ${terminal}";
          "${modifier}+Shift+q" = "kill";
          "${modifier}+d" = "exec ${menu}";
          "${modifier}+s" = "exec ${snip-cmd}";
          "${modifier}+l" = "exec ${lock-cmd}";
          "${modifier}+slash" = "exec ${emoji-cmd}";
          # "${modifier}+${left}" = "focus left";
          # "${modifier}+${down}" = "focus down";
          # "${modifier}+${up}" = "focus up";
          # "${modifier}+${right}" = "focus right";
          "${modifier}+Left" = "focus left";
          "${modifier}+Down" = "focus down";
          "${modifier}+Up" = "focus up";
          "${modifier}+Right" = "focus right";
          # "${modifier}+Shift+${left}" = "move left";
          # "${modifier}+Shift+${down}" = "move down";
          # "${modifier}+Shift+${up}" = "move up";
          # "${modifier}+Shift+${right}" = "move right";
          "${modifier}+Shift+Left" = "move left";
          "${modifier}+Shift+Down" = "move down";
          "${modifier}+Shift+Up" = "move up";
          "${modifier}+Shift+Right" = "move right";
          "${modifier}+b" = "splith";
          "${modifier}+v" = "splitv";
          "${modifier}+f" = "fullscreen toggle";
          "${modifier}+a" = "focus parent";
          # "${modifier}+s" = "layout stacking";
          "${modifier}+w" = "layout tabbed";
          "${modifier}+e" = "layout toggle split";
          "${modifier}+Shift+space" = "floating toggle";
          "${modifier}+space" = "focus mode_toggle";
          "${modifier}+1" = "workspace number 1";
          "${modifier}+2" = "workspace number 2";
          "${modifier}+3" = "workspace number 3";
          "${modifier}+4" = "workspace number 4";
          "${modifier}+5" = "workspace number 5";
          "${modifier}+6" = "workspace number 6";
          "${modifier}+7" = "workspace number 7";
          "${modifier}+8" = "workspace number 8";
          "${modifier}+9" = "workspace number 9";
          "${modifier}+Shift+1" =
            "move container to workspace number 1";
          "${modifier}+Shift+2" =
            "move container to workspace number 2";
          "${modifier}+Shift+3" =
            "move container to workspace number 3";
          "${modifier}+Shift+4" =
            "move container to workspace number 4";
          "${modifier}+Shift+5" =
            "move container to workspace number 5";
          "${modifier}+Shift+6" =
            "move container to workspace number 6";
          "${modifier}+Shift+7" =
            "move container to workspace number 7";
          "${modifier}+Shift+8" =
            "move container to workspace number 8";
          "${modifier}+Shift+9" =
            "move container to workspace number 9";
          "${modifier}+Shift+minus" = "move scratchpad";
          "${modifier}+minus" = "scratchpad show";
          "${modifier}+Shift+c" = "reload";
          "${modifier}+Shift+e" =
            "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
          "${modifier}+r" = "mode resize";
          # media keys
          XF86MonBrightnessDown = "exec ${brightness-down-cmd}";
          XF86MonBrightnessUp = "exec ${brightness-up-cmd}";
          # TODO: hook into a visual prompt to display volume?
          XF86AudioRaiseVolume = "exec ${vol-up-cmd}";
          XF86AudioLowerVolume = "exec ${vol-down-cmd}";
          XF86AudioMute = "exec ${mute-cmd}";
          "${modifier}+Page_Up" = "exec ${vol-up-cmd}";
          "${modifier}+Page_Down" = "exec ${vol-down-cmd}";
          "${modifier}+Print" = "exec ${screenshot-cmd}";
        };
        # mostly defaults:
        bars = [{
          mode = "dock";
          hiddenState = "hide";
          position = "top";
          command = "${pkgs.waybar}/bin/waybar";
          workspaceButtons = true;
          workspaceNumbers = true;
          statusCommand = "${pkgs.i3status}/bin/i3status";
          fonts = {
            # names = [ "monospace" "Noto Color Emoji" ];
            # size = 8.0;
            # names = [ "Font Awesome 6 Free" "DejaVu Sans" "Hack" ];
            # names = with config.fonts.fontconfig.defaultFonts; (emoji ++ monospace ++ serif ++ sansSerif);
            names = with config.fonts.fontconfig.defaultFonts; (monospace ++ emoji);
            size = 24.0;
          };
          trayOutput = "primary";
          colors = {
            background = "#000000";
            statusline = "#ffffff";
            separator = "#666666";
            focusedWorkspace = {
              border = "#4c7899";
              background = "#285577";
              text = "#ffffff";
            };
            activeWorkspace = {
              border = "#333333";
              background = "#5f676a";
              text = "#ffffff";
            };
            inactiveWorkspace = {
              border = "#333333";
              background = "#222222";
              text = "#888888";
            };
            urgentWorkspace = {
              border = "#2f343a";
              background = "#900000";
              text = "#ffffff";
            };
            bindingMode = {
              border = "#2f343a";
              background = "#900000";
              text = "#ffffff";
            };
          };
        }];
      };
    };
    sane.home-manager.programs.waybar = {
      enable = true;
      # docs: https://github.com/Alexays/Waybar/wiki/Configuration
      # format specifiers: https://fmt.dev/latest/syntax.html#syntax
      settings = {
        mainBar = {
          layer = "top";
          height = 40;
          modules-left = ["sway/workspaces" "sway/mode"];
          modules-center = ["sway/window"];
          modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
          "sway/window" = {
            max-length = 50;
          };
          # include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
          "custom/mediaplayer" = {
            exec = pkgs.writeShellScript "waybar-mediaplayer" ''
              player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
              if [ "$player_status" = "Playing" ]; then
                echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
              elif [ "$player_status" = "Paused" ]; then
                echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
              fi
            '';
            interval = 2;
            format = "{}  ";
            # return-type = "json";
            on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
            on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
            on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
          };
          network = {
            # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
            interval = 2;
            max-length = 40;
            # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
            format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
            tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
            format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
            tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
            format-disconnected = "";
          };
          cpu = {
            format = " {usage:2}%";
            tooltip = false;
          };
          battery = {
            states = {
              good = 95;
              warning = 30;
              critical = 10;
            };
            format = "{icon} {capacity}%";
            format-icons = [
              ""
              ""
              ""
              ""
              ""
            ];
          };
          clock = {
            format-alt = "{:%a, %d. %b  %H:%M}";
          };
        };
      };
      # style docs: https://github.com/Alexays/Waybar/wiki/Styling
      style = ''
        * {
          font-family: monospace;
        }
        /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
        window#waybar {
          background-color: rgba(43, 48, 59, 0.5);
          border-bottom: 3px solid rgba(100, 114, 125, 0.5);
          color: #ffffff;
          transition-property: background-color;
          transition-duration: .5s;
        }
        window#waybar.hidden {
          opacity: 0.2;
        }
        /*
        window#waybar.empty {
          background-color: transparent;
        }
        window#waybar.solo {
          background-color: #FFFFFF;
        }
        */
        window#waybar.termite {
          background-color: #3F3F3F;
        }
        window#waybar.chromium {
          background-color: #000000;
          border: none;
        }
        #workspaces button {
          padding: 0 5px;
          background-color: transparent;
          color: #ffffff;
          /* Use box-shadow instead of border so the text isn't offset */
          box-shadow: inset 0 -3px transparent;
          /* Avoid rounded borders under each workspace name */
          border: none;
          border-radius: 0;
        }
        /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
        #workspaces button:hover {
          background: rgba(0, 0, 0, 0.2);
          box-shadow: inset 0 -3px #ffffff;
        }
        #workspaces button.focused {
          background-color: #64727D;
          box-shadow: inset 0 -3px #ffffff;
        }
        #workspaces button.urgent {
          background-color: #eb4d4b;
        }
        #mode {
          background-color: #64727D;
          border-bottom: 3px solid #ffffff;
        }
        #clock,
        #battery,
        #cpu,
        #memory,
        #disk,
        #temperature,
        #backlight,
        #network,
        #pulseaudio,
        #custom-media,
        #tray,
        #mode,
        #idle_inhibitor,
        #mpd {
          padding: 0 10px;
          color: #ffffff;
        }
        #window,
        #workspaces {
          margin: 0 4px;
        }
        /* If workspaces is the leftmost module, omit left margin */
        .modules-left > widget:first-child > #workspaces {
          margin-left: 0;
        }
        /* If workspaces is the rightmost module, omit right margin */
        .modules-right > widget:last-child > #workspaces {
          margin-right: 0;
        }
        #clock {
          background-color: #64727D;
        }
        #battery {
          background-color: #ffffff;
          color: #000000;
        }
        #battery.charging, #battery.plugged {
          color: #ffffff;
          background-color: #26A65B;
        }
        @keyframes blink {
          to {
            background-color: #ffffff;
            color: #000000;
          }
        }
        #battery.critical:not(.charging) {
          background-color: #f53c3c;
          color: #ffffff;
          animation-name: blink;
          animation-duration: 0.5s;
          animation-timing-function: linear;
          animation-iteration-count: infinite;
          animation-direction: alternate;
        }
        label:focus {
          background-color: #000000;
        }
        #cpu {
          background-color: #2ecc71;
          color: #000000;
        }
        #memory {
          background-color: #9b59b6;
        }
        #disk {
          background-color: #964B00;
        }
        #backlight {
          background-color: #90b1b1;
        }
        #network {
          background-color: #2980b9;
        }
        #network.disconnected {
          background-color: #f53c3c;
        }
        #pulseaudio {
          background-color: #f1c40f;
          color: #000000;
        }
        #pulseaudio.muted {
          background-color: #90b1b1;
          color: #2a5c45;
        }
        #custom-media {
          background-color: #66cc99;
          color: #2a5c45;
          min-width: 100px;
        }
        #custom-media.custom-spotify {
          background-color: #66cc99;
        }
        #custom-media.custom-vlc {
          background-color: #ffa000;
        }
        #temperature {
          background-color: #f0932b;
        }
        #temperature.critical {
          background-color: #eb4d4b;
        }
        #tray {
          background-color: #2980b9;
        }
        #tray > .passive {
          -gtk-icon-effect: dim;
        }
        #tray > .needs-attention {
          -gtk-icon-effect: highlight;
          background-color: #eb4d4b;
        }
        #idle_inhibitor {
          background-color: #2d3436;
        }
        #idle_inhibitor.activated {
          background-color: #ecf0f1;
          color: #2d3436;
        }
        #mpd {
          background-color: #66cc99;
          color: #2a5c45;
        }
        #mpd.disconnected {
          background-color: #f53c3c;
        }
        #mpd.stopped {
          background-color: #90b1b1;
        }
        #mpd.paused {
          background-color: #51a37a;
        }
        #language {
          background: #00b093;
          color: #740864;
          padding: 0 5px;
          margin: 0 5px;
          min-width: 16px;
        }
        #keyboard-state {
          background: #97e1ad;
          color: #000000;
          padding: 0 0px;
          margin: 0 5px;
          min-width: 16px;
        }
        #keyboard-state > label {
          padding: 0 5px;
        }
        #keyboard-state > label.locked {
          background: rgba(0, 0, 0, 0.2);
        }
      '';
      # style = ''
      #   * {
      #     border: none;
      #     border-radius: 0;
      #     font-family: Source Code Pro;
      #   }
      #   window#waybar {
      #     background: #16191C;
      #     color: #AAB2BF;
      #   }
      #   #workspaces button {
      #     padding: 0 5px;
      #   }
      #   .custom-spotify {
      #     padding: 0 10px;
      #     margin: 0 4px;
      #     background-color: #1DB954;
      #     color: black;
      #   }
      # '';
    };
    sane.packages.extraUserPkgs = with pkgs; [
      swaylock
      swayidle  # (unused)
      wl-clipboard
      mako # notification daemon
      xdg-utils  # for xdg-open
      # user stuff
      # pavucontrol
      sway-contrib.grimshot
      gnome.gnome-bluetooth
      gnome.gnome-control-center
    ];
  };
 }
--- a/modules/home-manager/default.nix
+++ b/modules/home-manager/default.nix
@@ -1,61 +0,0 @@
 # docs:
 #   https://rycee.gitlab.io/home-manager/
 #   https://rycee.gitlab.io/home-manager/options.html
 #   man home-configuration.nix
 #
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.sane.home-manager;
  # extract `pkg` from `sane.packages.enabledUserPkgs`
  pkg-list = pkgspec: builtins.map (e: e.pkg) pkgspec;
 in
 {
  options = {
    sane.home-manager.enable = mkOption {
      default = false;
      type = types.bool;
    };
    # attributes to copy directly to home-manager's `wayland.windowManager` option
    sane.home-manager.windowManager = mkOption {
      default = {};
      type = types.attrs;
    };
    # extra attributes to include in home-manager's `programs` option
    sane.home-manager.programs = mkOption {
      default = {};
      type = types.attrs;
    };
  };
  config = lib.mkIf cfg.enable {
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    home-manager.users.colin = {
      # run `home-manager-help` to access manpages
      # or `man home-configuration.nix`
      manual.html.enable = false;  # TODO: set to true later (build failure)
      manual.manpages.enable = false;  # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
      home.packages = pkg-list config.sane.packages.enabledUserPkgs;
      wayland.windowManager = cfg.windowManager;
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      programs = lib.mkMerge [
        {
          # XXX: unsure what this does?
          home-manager.enable = true;
        }
        cfg.programs
      ];
    };
  };
 }
--- a/modules/lib/default.nix
+++ b/modules/lib/default.nix
@@ -20,9 +20,13 @@ sane-lib = rec {
  isPrefixOfList = p: l: (lib.sublist 0 (lib.length p) l) == p;
  # merges N attrsets
-  # Type: flattenAttrsList :: [AttrSet] -> AttrSet
+  # Type: joinAttrsets :: [AttrSet] -> AttrSet
  joinAttrsets = l: lib.foldl' lib.attrsets.unionOfDisjoint {} l;
  # merges N attrsets, recursively
  # Type: joinAttrsetsRecursive :: [AttrSet] -> AttrSet
  joinAttrsetsRecursive = l: lib.foldl' (lib.attrsets.recursiveUpdateUntil (path: lhs: rhs: false)) {} l;
  # evaluate a `{ name, value }` pair in the same way that `listToAttrs` does.
  # Type: nameValueToAttrs :: { name :: String, value :: Any } -> Any
  nameValueToAttrs = { name, value }: {
--- a/modules/lib/merge.nix
+++ b/modules/lib/merge.nix
@@ -17,7 +17,7 @@ rec {
      merged = builtins.map (p: lib.setAttrByPath p (mergeAtPath p discharged)) pathsToMerge;
    in
      assert builtins.all (assertNoExtraPaths pathsToMerge) discharged;
-      sane-lib.joinAttrsets merged;
+      sane-lib.joinAttrsetsRecursive merged;
  # `take` is as in mkTypedMerge. this function queries which items `take` is interested in.
  # for example:
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -25,6 +25,7 @@ let
    ifuse
    imagemagick
    ipfs
    kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
    libimobiledevice
    libsecret  # for managing user keyrings
    lm_sensors  # for sensors-detect
@@ -46,6 +47,7 @@ let
    sequoia
    snapper
    sops
    sox
    speedtest-cli
    sqlite  # to debug sqlite3 databases
    ssh-to-age
@@ -79,7 +81,7 @@ let
    # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
-    foliate
+    foliate  # e-book reader
    font-manager
    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
@@ -107,12 +109,10 @@ let
    { pkg = gpodder-configured; dir = [ "gPodder" ]; }
    gthumb
    handbrake
    inkscape
    kdenlive
    kid3  # audio tagging
    kitty
    krita
    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
    lollypop
@@ -130,7 +130,7 @@ let
      ".local/share/nheko"  # per-account state database
    ]; }
-    # settings (electron app). TODO: can i manage these settings with home-manager?
+    # settings (electron app)
    { pkg = obsidian; dir = [ ".config/obsidian" ]; }
    pavucontrol
@@ -174,6 +174,9 @@ let
    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
    # gpt2tc  # XXX: unreliable mirror
    # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
    handbrake
    logseq
    losslesscut-bin
    makemkv
@@ -184,7 +187,7 @@ let
    # creds, media
    { pkg = signal-desktop; private = [ ".config/Signal" ]; }
-    # creds. TODO: can i manage this with home-manager?
+    # creds, widevine .so download. TODO: could easily manage these statically.
    { pkg = spotify; dir = [ ".config/spotify" ]; }
    # hardenedMalloc solves a crash at startup
@@ -320,8 +323,8 @@ in
  config = {
    environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
-    sane.persist.home.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
+    sane.user.persist.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
-    sane.persist.home.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
+    sane.user.persist.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
    # XXX: this might not be necessary. try removing this and cacert.unbundled?
    environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
  };
--- a/modules/persist/computed.nix
+++ b/modules/persist/computed.nix
@@ -1,18 +0,0 @@
 { config, lib, sane-lib, ... }:
 let
  path = sane-lib.path;
  cfg = config.sane.persist;
  withPrefix = relativeTo: entries: lib.mapAttrs' (fspath: value: {
    name = path.concat [ relativeTo fspath ];
    inherit value;
  }) entries;
 in
 {
  # merge the `byPath` mappings from both `home` and `sys` into one namespace
  sane.persist.byPath = lib.mkMerge [
    (withPrefix "/home/colin" cfg.home.byPath)
    (withPrefix "/" cfg.sys.byPath)
  ];
 }
--- a/modules/persist/default.nix
+++ b/modules/persist/default.nix
@@ -179,23 +179,11 @@ in
      type = types.bool;
      description = "define / fs root to be a tmpfs. make sure to mount some other device to /nix";
    };
    sane.persist.home = mkOption {
      description = "directories to persist to disk, relative to a user's home ~";
      default = {};
      type = dirsSubModule;
    };
    sane.persist.sys = mkOption {
      description = "directories to persist to disk, relative to the fs root /";
      default = {};
      type = dirsSubModule;
    };
    sane.persist.byPath = mkOption {
      type = types.attrsOf (convertInlineAcl entryAtPath);
      description = ''
        map of <path> => <path config> for all paths to be persisted.
        this is computed from the other options, but users can also set it explicitly (useful for overriding)
      '';
    };
    sane.persist.stores = mkOption {
      type = types.attrsOf storeType;
      default = {};
@@ -206,7 +194,6 @@ in
  };
  imports = [
    ./computed.nix
    ./root-on-tmpfs.nix
    ./stores
  ];
@@ -247,7 +234,7 @@ in
          );
        }
      ];
-    configs = lib.mapAttrsToList cfgFor cfg.byPath;
+    configs = lib.mapAttrsToList cfgFor cfg.sys.byPath;
    take = f: { sane.fs = f.sane.fs; };
  in mkIf cfg.enable (
    take (sane-lib.mkTypedMerge take configs)
--- a/modules/persist/stores/crypt.nix
+++ b/modules/persist/stores/crypt.nix
@@ -1,14 +1,10 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, sane-lib, utils, ... }:
 let
-  store = rec {
+  persist-base = config.sane.persist.stores."plaintext".origin;
-    device = "/mnt/persist/crypt/clearedonboot";
+  device = config.sane.persist.stores."cryptClearOnBoot".origin;
-    underlying = {
+  key = "${device}.key";
-      path = "/nix/persist/crypt/clearedonboot";
+  underlying = sane-lib.path.concat [ persist-base "crypt/clearedonboot" ];
      # TODO: consider moving this to /tmp, but that requires tmp be mounted first?
      key = "/mnt/persist/crypt/clearedonboot.key";
    };
  };
 in
 lib.mkIf config.sane.persist.enable
 {
@@ -17,35 +13,35 @@ lib.mkIf config.sane.persist.enable
      stored to disk, but encrypted to an in-memory key and cleared on every boot
      so that it's unreadable after power-off
    '';
-    origin = store.device;
+    origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot";
  };
-  fileSystems."${store.device}" = {
+  fileSystems."${device}" = {
-    device = store.underlying.path;
+    device = underlying;
    fsType = "fuse.gocryptfs";
    options = [
      "nodev"
      "nosuid"
      "allow_other"
-      "passfile=${store.underlying.key}"
+      "passfile=${key}"
      "defaults"
    ];
    noCheck = true;
  };
  # let sane.fs know about our fileSystem and automatically add the appropriate dependencies
-  sane.fs."${store.device}".mount = {
+  sane.fs."${device}".mount = {
    # technically the dependency on the keyfile is extraneous because that *happens* to
    # be needed to init the store.
    depends = let
-      cryptfile = config.sane.fs."${store.underlying.path}/gocryptfs.conf";
+      cryptfile = config.sane.fs."${underlying}/gocryptfs.conf";
-      keyfile = config.sane.fs."${store.underlying.key}";
+      keyfile = config.sane.fs."${key}";
    in [ keyfile.unit cryptfile.unit ];
  };
  # let sane.fs know how to initialize the gocryptfs store,
  # and that it MUST do so
-  sane.fs."${store.underlying.path}/gocryptfs.conf".generated = {
+  sane.fs."${underlying}/gocryptfs.conf".generated = {
    script.script = ''
      backing="$1"
      passfile="$2"
@@ -54,17 +50,17 @@ lib.mkIf config.sane.persist.enable
      rm -rf "''${backing:?}"/*
      ${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
    '';
-    script.scriptArgs = [ store.underlying.path store.underlying.key ];
+    script.scriptArgs = [ underlying key ];
    # we need the key in order to initialize the store
-    depends = [ config.sane.fs."${store.underlying.key}".unit ];
+    depends = [ config.sane.fs."${key}".unit ];
  };
  # let sane.fs know how to generate the key for gocryptfs
-  sane.fs."${store.underlying.key}".generated = {
+  sane.fs."${key}".generated = {
    script.script = ''
      dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
    '';
-    script.scriptArgs = [ store.underlying.key ];
+    script.scriptArgs = [ key ];
    # no need for anyone else to be able to read the key
    acl.mode = "0400";
  };
--- a/modules/persist/stores/plaintext.nix
+++ b/modules/persist/stores/plaintext.nix
@@ -3,7 +3,7 @@
 let
  cfg = config.sane.persist;
 in lib.mkIf cfg.enable {
-  sane.persist.stores."plaintext" = {
+  sane.persist.stores."plaintext" = lib.mkDefault {
    origin = "/nix/persist";
  };
  # TODO: needed?
--- a/modules/persist/stores/private.nix
+++ b/modules/persist/stores/private.nix
@@ -1,21 +1,23 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, sane-lib, utils, ... }:
 let
  persist-base = config.sane.persist.stores."plaintext".origin;
  private-dir = config.sane.persist.stores."private".origin;
  private-backing-dir = sane-lib.path.concat [ persist-base private-dir ];
 in
 lib.mkIf config.sane.persist.enable
 {
  sane.persist.stores."private" = {
    storeDescription = ''
-      encrypted to the user's password and auto-unlocked at login
+      encrypted store which persists across boots.
      typical use case is for the user to encrypt this store using their login password so that it
      can be auto-unlocked at login.
    '';
-    origin = "/home/colin/private";
+    origin = lib.mkDefault "/mnt/private";
    # files stored under here *must* have the /home/colin prefix.
    # internally, this prefix is removed so that e.g.
    # /home/colin/foo/bar when stored in `private` is visible at
    # /home/colin/private/foo/bar
    prefix = "/home/colin";
    defaultOrdering = let
-      private-unit = config.sane.fs."/home/colin/private".unit;
+      private-unit = config.sane.fs."${private-dir}".unit;
    in {
-      # auto create only after ~/private is mounted
+      # auto create only after the store is mounted
      wantedBy = [ private-unit ];
      # we can't create things in private before local-fs.target
      wantedBeforeBy = [ ];
@@ -23,13 +25,13 @@ lib.mkIf config.sane.persist.enable
    defaultMethod = "symlink";
  };
-  fileSystems."/home/colin/private" = {
+  fileSystems."${private-dir}" = {
-    device = "/nix/persist/home/colin/private";
+    device = private-backing-dir;
    fsType = "fuse.gocryptfs";
    options = [
      "noauto"  # don't try to mount, until the user logs in!
      "nofail"
-      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to `colin`.
+      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
      "nodev"
      "nosuid"
      "quiet"
@@ -39,9 +41,9 @@ lib.mkIf config.sane.persist.enable
  };
  # let sane.fs know about the mount
-  sane.fs."/home/colin/private".mount = {};
+  sane.fs."${private-dir}".mount = {};
  # it also needs to know that the underlying device is an ordinary folder
-  sane.fs."/nix/persist/home/colin/private".dir = {};
+  sane.fs."${private-backing-dir}".dir = {};
  # TODO: could add this *specifically* to the .mount file for the encrypted fs?
  system.fsPackages = [ pkgs.gocryptfs ];  # fuse needs to find gocryptfs
--- a/modules/programs.nix
+++ b/modules/programs.nix
@@ -0,0 +1,131 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
  inherit (builtins) any elem map;
  inherit (lib) filterAttrs mapAttrs mapAttrsToList mkDefault mkIf mkMerge mkOption optionalAttrs types;
  inherit (sane-lib) joinAttrsets;
  cfg = config.sane.programs;
  pkgSpec = types.submodule ({ name, ... }: {
    options = {
      package = mkOption {
        type = types.package;
      };
      enableFor.system = mkOption {
        type = types.bool;
        default = any (en: en) (
          mapAttrsToList
            (otherName: otherPkg:
              otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested && otherPkg.enableFor.system
            )
            cfg
        );
        description = ''
          place this program on the system PATH
        '';
      };
      enableFor.user = mkOption {
        type = types.attrsOf types.bool;
        # default = mkMerge (mapAttrsToList (_otherName: otherPkg:
        #   optionalAttrs
        #     (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
        #     otherPkg.enableFor.user
        # ) cfg);
        default = joinAttrsets (mapAttrsToList (otherName: otherPkg:
           optionalAttrs
             (otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
             (filterAttrs (user: en: en) otherPkg.enableFor.user)
        ) cfg);
        description = ''
          place this program on the PATH for some specified user(s).
        '';
      };
      suggestedPrograms = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          list of other programs a user may want to enable alongside this one.
          for example, the gnome desktop environment would suggest things like its settings app.
        '';
      };
      enableSuggested = mkOption {
        type = types.bool;
        default = true;
      };
      dir = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "list of home-relative paths to persist for this package";
      };
      private = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "list of home-relative paths to persist (in encrypted format) for this package";
      };
    };
    config = {
      # package can be inferred by the attr name, allowing shorthand like
      # sane.packages.nano.enable = true;
      package = mkIf (pkgs ? "${name}") (mkDefault pkgs."${name}");
      # enableFor = mkIf (name == "btrfs-progs") (mkDefault cfg.cryptsetup.enableFor);
      # enable this package if it's in the `suggestedPrograms` of any other enabled program
      # enableFor = mkMerge (mapAttrsToList (_otherName: otherPkg:
      #   optionalAttrs
      #     (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
      #     (mkDefault otherPkg.enableFor)
      # ) cfg);
    };
  });
  toPkgSpec = types.coercedTo types.package (p: { package = p; }) pkgSpec;
  configs = mapAttrsToList (_name: p: {
    # conditionally add to system PATH
    environment.systemPackages = mkIf p.enableFor.system [ p.package ];
    # conditionally add to user(s) PATH
    users.users = mapAttrs (user: en: optionalAttrs en {
      packages = [ p.package ];
    }) p.enableFor.user;
    # conditionally persist relevant user dirs
    sane.users = mapAttrs (user: en: optionalAttrs en {
      persist.plaintext = p.dir;
      persist.private = p.private;
    }) p.enableFor.user;
  }) cfg;
 in
 {
  options = {
    sane.programs = mkOption {
      type = types.attrsOf toPkgSpec;
      default = {};
    };
  };
  config =
    let
      take = f: {
        environment.systemPackages = f.environment.systemPackages;
        users.users = f.users.users;
        sane.users = f.sane.users;
      };
    in mkMerge [
      (take (sane-lib.mkTypedMerge take configs))
      {
        # sane.programs.cryptsetup.enableFor = mkDefault cfg.btrfs-progs.enableFor;
        # sane.programs.cryptsetup.enableFor = mkMerge (mapAttrsToList (otherName: otherPkg:
        #   optionalAttrs
        #   (otherName != "cryptsetup")
        #   (mkDefault otherPkg.enableFor)
        # ) cfg);
        # sane.programs = mapAttrs (myName: _me: optionalAttrs (myName == "btrfs-progs") {
        #   enableFor = mkMerge (mapAttrsToList (otherName: otherPkg:
        #     optionalAttrs
        #     (otherName != "cryptsetup")
        #     (mkDefault otherPkg.enableFor)
        #   ) cfg);
        # }) cfg;
      }
    ];
 }
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,7 +1,6 @@
 { ... }:
 {
  imports = [
    ./duplicity.nix
    ./dyn-dns.nix
    ./kiwix-serve.nix
    ./mautrix-signal.nix
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -0,0 +1,110 @@
 { config, lib, options, sane-lib, ... }:
 let
  inherit (builtins) attrValues;
  inherit (lib) count mapAttrs' mapAttrsToList mkIf mkMerge mkOption types;
  sane-user-cfg = config.sane.user;
  cfg = config.sane.users;
  path-lib = sane-lib.path;
  userOptions = {
    options = {
      fs = mkOption {
        type = types.attrs;
        default = {};
        description = ''
          entries to pass onto `sane.fs` after prepending the user's home-dir to the path.
          e.g. `sane.users.colin.fs."/.config/aerc" = X`
            => `sane.fs."/home/colin/.config/aerc" = X;
        '';
      };
      persist = mkOption {
        type = options.sane.persist.sys.type;
        default = {};
        description = ''
          entries to pass onto `sane.persist.sys` after prepending the user's home-dir to the path.
        '';
      };
    };
  };
  userModule = types.submodule ({ name, config, ... }: {
    options = userOptions.options // {
      default = mkOption {
        type = types.bool;
        default = false;
        description = ''
          only one default user may exist.
          this option determines what the `sane.user` shorthand evaluates to.
        '';
      };
      home = mkOption {
        type = types.str;
        # XXX: we'd prefer to set this to `config.users.users.home`, but that causes infinite recursion...
        # TODO: maybe assert that this matches the actual home?
        default = "/home/${name}";
      };
    };
    # if we're the default user, inherit whatever settings were routed to the default user
    config = mkIf config.default sane-user-cfg;
  });
  processUser = user: defn:
    let
      prefixWithHome = mapAttrs' (path: value: {
        name = path-lib.concat [ defn.home path ];
        inherit value;
      });
    in
    {
      sane.fs = prefixWithHome defn.fs;
      # `byPath` is the actual output here, computed from the other keys.
      sane.persist.sys.byPath = prefixWithHome defn.persist.byPath;
    };
 in
 {
  options = {
    sane.users = mkOption {
      type = types.attrsOf userModule;
      default = {};
      description = ''
        options to apply to the given user.
        the user is expected to be created externally.
        configs applied at this level are simply transformed and then merged
        into the toplevel `sane` options. it's merely a shorthand.
      '';
    };
    sane.user = mkOption {
      type = types.nullOr (types.submodule userOptions);
      default = null;
      description = ''
        options to pass down to the default user
      '';
    };
  };
  config =
    let
      configs = mapAttrsToList processUser cfg;
      num-default-users = count (u: u.default) (attrValues cfg);
      take = f: {
        sane.fs = f.sane.fs;
        sane.persist.sys.byPath = f.sane.persist.sys.byPath;
      };
    in mkMerge [
      (take (sane-lib.mkTypedMerge take configs))
      {
        assertions = [
          {
            assertion = sane-user-cfg == null || num-default-users != 0;
            message = "cannot set `sane.user` without first setting `sane.users.<user>.default = true` for some user";
          }
          {
            assertion = num-default-users <= 1;
            message = "cannot set more than one default user";
          }
        ];
      }
    ];
 }
--- a/overlays/pins.nix
+++ b/overlays/pins.nix
@@ -8,27 +8,5 @@
  # XXX: when invoked outside our flake (e.g. via NIX_PATH) there is no `next.stable`,
  # so just forward the unstable packages.
  inherit (next.stable or prev)
    # broken on 2023/01/14 via mtxclient dep, aarch64-only:
    # fixed on 2023/01/24?
    #   error: builder for '/nix/store/gwidl0c9ksxjgx0dgwnjssix4ikq73v5-mtxclient-0.9.0.drv' failed with exit code 2;
    #      last 10 log lines:
    #      > make[2]: *** [CMakeFiles/matrix_client.dir/build.make:370: CMakeFiles/matrix_client.dir/lib/structs/events/encrypted.cpp.o] Error 1
    #      > In file included from /build/source/include/mtxclient/crypto/client.hpp:17,
    #      >                  from /build/source/lib/crypto/utils.cpp:17:
    #      > /build/source/include/mtx/identifiers.hpp:12:10: fatal error: compare: No such file or directory
    #      >    12 | #include <compare>
    #      >       |          ^~~~~~~~~
    #      > compilation terminated.
    #      > make[2]: *** [CMakeFiles/matrix_client.dir/build.make:132: CMakeFiles/matrix_client.dir/lib/crypto/utils.cpp.o] Error 1
    #      > make[1]: *** [CMakeFiles/Makefile2:83: CMakeFiles/matrix_client.dir/all] Error 2
    #      > make: *** [Makefile:136: all] Error 2
    #      For full logs, run 'nix log /nix/store/gwidl0c9ksxjgx0dgwnjssix4ikq73v5-mtxclient-0.9.0.drv'.
    #   error: 1 dependencies of derivation '/nix/store/4i2d1qdh4x6n23h1jbcbhm8q9q2hch9a-nheko-0.11.0.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/k4f7k7cvjp8rb7clhlfq3yxgs6lbfmk7-home-manager-path.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/67d9k554188lh4ddl4ar6j74mpc3r4sv-home-manager-generation.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/5qjxzhsw1jvh2d7jypbcam9409ivb472-user-environment.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/hrb3qpdbisqh0lzlyz1g9g4164khmqwn-etc.drv' failed to build
    #   error: 1 dependencies of derivation '/nix/store/ny21xyicbgim5wy7ksg2hibd9gn7i01b-nixos-system-moby-23.05pre-git.drv' failed to build
    # nheko
  ;
 })
Author	SHA1	Message	Date
Colin	09cb75319f	get sane.packages to work better. still needs cleanup	2023-02-03 01:05:58 +00:00
Colin	4ed0a9127c	programs: enable persistence	2023-02-02 12:35:42 +00:00
Colin	d0dca651be	modules: add a `sane.programs` interface which i can use going forward in place of `sane.packages`	2023-02-02 12:31:13 +00:00
Colin	0e756d5064	packages: add `sox` sound converter	2023-02-02 10:23:01 +00:00
Colin	a52ead5aec	nit: document what "foliate" application is	2023-02-02 00:21:07 +00:00
Colin	c0377ff1a0	dovecot: define Drafts and Trash folders	2023-01-31 08:22:20 +00:00
Colin	062ef20d05	dovecot: auto-create the "Sent" message box	2023-01-31 06:57:35 +00:00
Colin	a0861edc5f	packages: enable kitty on servo to fix login error	2023-01-31 06:43:02 +00:00
Colin	eae075acb5	flake: remove unused nixpkgs-stable argument. we can re-add it when needed	2023-01-31 04:09:49 +00:00
Colin	ef2ba01141	pins: remove dead nheko code	2023-01-31 04:05:18 +00:00
Colin	2756e15bab	flake update: nixpkgs-stable 2023-01-29 -> 2023-01-30 ``` • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/22c4a7a4796a91c297a7e59078a84ec29515f86e' (2023-01-29) → 'github:nixos/nixpkgs/f413457e0dd7a42adefdbcea4391dd9751509025' (2023-01-30) • Updated input 'uninsane-dot-org': 'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=80c6ec95bd430e29d231cf745f19279bb76fb382' (2022-10-27) → 'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=b099c24091cc192abf3997b94342d4b31cc5757b' (2023-01-31) ```	2023-01-31 03:56:39 +00:00
Colin	940aac3a22	refactor: move persist settings into persist.nix	2023-01-31 03:44:48 +00:00
Colin	5f24e029af	persist stores: make private/crypt support backing stores that aren't /nix/persist	2023-01-31 03:38:41 +00:00
Colin	98b542332b	persist: crypt store: make paths overridable	2023-01-31 03:36:15 +00:00
Colin	70b62e9f76	persist stores: define the path for `private` at the host level	2023-01-31 03:29:53 +00:00
Colin	7c81df00df	move nixcache.nix from modules -> hosts/modules	2023-01-30 11:25:46 +00:00
Colin	f288f34d1e	nixpkgs-stable: 2023-01-28 -> 2023-01-29 ``` • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/ce20e9ebe1903ea2ba1ab006ec63093020c761cb' (2023-01-28) → 'github:nixos/nixpkgs/22c4a7a4796a91c297a7e59078a84ec29515f86e' (2023-01-29) ```	2023-01-30 11:13:37 +00:00
Colin	854977c3aa	move `duplicity` out of modules -> hosts	2023-01-30 11:11:42 +00:00
Colin	3653776399	cleanup: modules/users.nix: allow explicitly setting `home`, if needed	2023-01-30 11:06:47 +00:00
Colin	e4bff9b5ef	refactor: persist: remove dead code	2023-01-30 10:51:41 +00:00
Colin	ec22c128e0	remove reference to /home/colin from modules/persist	2023-01-30 10:48:32 +00:00
Colin	77cc560052	use sane.user.persist instead of sane.persist.home	2023-01-30 10:35:03 +00:00
Colin	c1f3fc502d	sane.users.<user>.persist: forward to sane.persist.home	2023-01-30 10:34:36 +00:00
Colin	4d3248d315	lib: mkTypedMerge: fix to work with recursive attrsets	2023-01-30 10:33:59 +00:00
Colin	45a1c07210	refactor: make use of `sane.user.fs`	2023-01-30 09:27:19 +00:00
Colin	a1a711190f	refactor: make use of `sane.user`	2023-01-30 09:13:43 +00:00
Colin	ee9a2b320d	add a sane.user option which is shorthand for the default user	2023-01-30 08:53:40 +00:00
Colin	870afec07e	add which is shorthand to define a fs entry inside that user's home	2023-01-30 08:32:55 +00:00
Colin	5f8154e6ce	phosh: add favorite apps to homescreen	2023-01-30 03:38:46 +00:00
Colin	0bc3b78a52	docs: document how to find dconf keys/values	2023-01-30 03:02:22 +00:00
Colin	5288be1822	phosh: statically configure a few dconf settings (experimental)	2023-01-30 03:00:55 +00:00
Colin	5b1113929a	refactor: link /share/zsh in the zsh config instead of hosts/common/default.nix	2023-01-30 02:32:19 +00:00
Colin	216c812f7b	remove config.sane.home-manager.enable as it was always set anyway	2023-01-30 02:10:12 +00:00
Colin	39effa15ad	flake: remove unused home-manager input	2023-01-30 01:56:22 +00:00
Colin	f66de76b76	disable home-manager	2023-01-30 01:54:57 +00:00
Colin	427ee669c5	refactor: home.packages: move out of home-manager	2023-01-30 01:53:59 +00:00
Colin	8e81b5827c	remove dead `sane.home-manager.windowManager` option	2023-01-30 01:51:36 +00:00
Colin	cb3e7623ae	refactor: modules/gui/default.nix: fold into hosts/modules/gui/default.nix	2023-01-30 01:49:51 +00:00
Colin	a9cf619a14	plasma: move modules/gui/plasma.nix -> hosts/modules/gui/plasma.nix	2023-01-30 01:44:32 +00:00
Colin	02100ed1a2	plasma-mobile: move modules/gui/plasma-mobile.nix -> hosts/modules/gui/plasma-mobile.nix	2023-01-30 01:43:33 +00:00
Colin	ae22865099	gnome: move modules/gui/gnome.nix -> hosts/modules/gui/gnome.nix	2023-01-30 01:42:12 +00:00
Colin	6c85c6ecd8	handbrake: disable on aarch64-linux	2023-01-30 01:40:12 +00:00
Colin	161bbc1159	phosh: move out of modules/gui/phosh.nix -> hosts/modules/gui/phosh.nix	2023-01-30 01:39:20 +00:00
Colin	b94d0672cc	flake update: nixpkgs-stable 2023-01-26 -> 2023-01-28; mobile-nixos ``` • Updated input 'mobile-nixos': 'github:nixos/mobile-nixos/80ece5a61738fbf3b96fdda402ab2dfc74ee5cee' (2023-01-27) → 'github:nixos/mobile-nixos/7478a9ffad737486951186b66f6c5535dc5802e2' (2023-01-28) • Updated input 'nixpkgs': 'path:/nix/store/6jkp58bwsyshh7gz3shjlrn8a5zi3lk2-source/nixpatches?lastModified=1&narHash=sha256-arp7Uy7ct5ryTcmSY032eN7hr33i7D2XvjTRLliCFDc=' (1970-01-01) → 'path:/nix/store/xm7cg47bcix1s2cfmngvz0hjf0qqsgm1-source/nixpatches?lastModified=1&narHash=sha256-arp7Uy7ct5ryTcmSY032eN7hr33i7D2XvjTRLliCFDc=' (1970-01-01) • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/def9e420d27c951026d57dc96ce0218c3131f412' (2023-01-26) → 'github:nixos/nixpkgs/ce20e9ebe1903ea2ba1ab006ec63093020c761cb' (2023-01-28) ```	2023-01-29 19:37:50 +00:00
Colin	768bc35940	sway: enable logging at both levels (base sway and layered sway)	2023-01-29 09:48:41 +00:00
Colin	9aca00c186	sway: re-enable the greeter	2023-01-29 08:13:09 +00:00
Colin	443100daa4	sway: move out of home-manager	2023-01-29 08:11:52 +00:00
Colin	ac25909a10	Merge branch 'wip/sway2'	2023-01-29 08:07:20 +00:00
Colin	ed70e045cb	waybar: fix by specifying bars as list instead of attrs (wtf home-manager?)	2023-01-29 08:07:03 +00:00
Colin	fd19802e91	WIP: fixup sway bugs	2023-01-28 12:25:12 +00:00
Colin	d84846e293	refactor: sway: port away from home-manager	2023-01-28 11:13:54 +00:00
Colin	b46ccb9bc2	zsh: add an empty .zshrc to shutup prezto	2023-01-28 10:59:06 +00:00
Colin	1958c1f36b	refactor: port waybar config out of home-manager	2023-01-28 09:58:18 +00:00