WIP: theme gtk apps

still need to do hardening and docs

TODO.md

@@ -3,6 +3,7 @@
 	- else DNS fails
 
 ## REFACTORING:
+
 ### sops/secrets
 - attach secrets to the thing they're used by (sane.programs)
 - rework secrets to leverage `sane.fs`
@@ -15,12 +16,11 @@
 ### upstreaming
 - split out a trust-dns module
   - see: <https://github.com/NixOS/nixpkgs/pull/205866#issuecomment-1575753054>
+- split out a sxmo module usable by NUR consumers
 - bump nodejs version in lemmy-ui
 - add updateScripts to all my packages in nixpkgs
 - fix lightdm-mobile-greeter for newer libhandy
 - port zecwallet-lite to a from-source build
-- fix or abandon Whalebird
-- FIX failed CI on bonsai PR: <https://github.com/NixOS/nixpkgs/pull/233892>
 - REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
 - remove `libsForQt5.callPackage` broadly: <https://github.com/NixOS/nixpkgs/issues/180841>
 
@@ -33,30 +33,39 @@
 - have `sane.programs` be wrapped such that they run in a cgroup?
     - at least, only give them access to the portion of the fs they *need*.
     - Android takes approach of giving each app its own user: could hack that in here.
+    - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
+      - presumably uses the same options as systemd services
+      - see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
+    - flatpak does this, somehow
+    - apparmor?  SElinux?  (desktop) "portals"?
+    - see Spectrum OS; Alyssa Ross; etc
 - canaries for important services
     - e.g. daily email checks; daily backup checks
+    - integrate `nix check` into Gitea actions?
 
 ### user experience
+- neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
 - firefox/librewolf: don't show browserpass/sponsorblock/metamask "first run" on every boot
 - moby: improve gPodder launch time
-- moby: replace jellyfin-desktop with jellyfin-vue?
-    - allows (maybe) to cache media for offline use
-    - "newer" jellyfin client
-    - not packaged for nix
-- moby/sxmo: display numerical vol percentage in topbar
-- moby/sxmo: include librewolf, jellyfin in `apps` menu
-- find a nice desktop ActivityPub client
+- moby: theme GTK apps (i.e. non-adwaita styles)
+  - especially, make the menubar collapsible
 - package Nix/NixOS docs for Zeal
     - install [doc-browser](https://github.com/qwfy/doc-browser)
     - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
     - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
-- auto-mount servo
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - `sane.programs`: auto-populate defaults with everything from `pkgs`
-- zsh: disable "command not found" corrections
+- `sane.persist`: auto-create parent dirs in ~/private
+  - currently if the application doesn't autocreate dirs leading to its destination, then ~/private storage fails
+  - this might be why librewolf on mobile is still amnesiac
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
+- uninsane.org: make URLs relative to allow local use (and as offline homepage)
+- email: fix so that local mail doesn't go to junk
+  - git sendmail flow adds the DKIM signatures, but gets delivered locally w/o having the sig checked, so goes into Junk
+  - could change junk filter from "no DKIM success" to explicit "DKIM failed"
 
 ### perf
+- why does zsh take so long to init?
 - why does nixos-rebuild switch take 5 minutes when net is flakey?
     - trying to auto-mount servo?
     - something to do with systemd services restarting/stalling
@@ -65,13 +74,13 @@
     - these use significant /tmp space.
     - either place /tmp on encrypted-cleared-at-boot storage
         - which probably causes each CPU load for the encryption
+    - or have nix builds use a subdir of /tmp like /tmp/nix/...
+        - and place that on non-encrypted clear-on-boot (with very lax writeback/swappiness to minimize writes)
     - **or set up encrypted swap**
         - encrypted swap could remove the need for my encrypted-cleared-at-boot stuff
 
 
 ## NEW FEATURES:
-- add a FTP-accessible file share to servo
-    - just /var/www?
 - migrate MAME cabinet to nix
     - boot it from PXE from servo?
 - enable IPv6

flake.lock

@@ -1,12 +1,15 @@
 {
   "nodes": {
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1687709756,
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
         "type": "github"
       },
       "original": {
@@ -36,11 +39,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1684319086,
-        "narHash": "sha256-5wwlkWqP1cQUPXp/PJsi09FkgAule5yBghngRZZbUQg=",
+        "lastModified": 1687251388,
+        "narHash": "sha256-E9cVlgeCvzPbA/G3mCDCzz8TdRwXyGYzIjmwcvIfghg=",
         "owner": "edolstra",
         "repo": "nix-serve",
-        "rev": "e6e3d09438e803daa5374ad8edf1271289348456",
+        "rev": "d6df5bd8584f37e22cff627db2fc4058a4aab5ee",
         "type": "github"
       },
       "original": {
@@ -82,11 +85,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1686960236,
-        "narHash": "sha256-AYCC9rXNLpUWzD9hm+askOfpliLEC9kwAo7ITJc4HIw=",
+        "lastModified": 1688049487,
+        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "04af42f3b31dba0ef742d254456dc4c14eedac86",
+        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
         "type": "github"
       },
       "original": {
@@ -113,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1687058111,
-        "narHash": "sha256-xDSn/APfAdJinHV4reTfplX5XnLsJSGdVwHpmdgP9Mo=",
+        "lastModified": 1687398569,
+        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "1634d2da53f079e7f5924efa7a96511cd9596f81",
+        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
         "type": "github"
       },
       "original": {
@@ -126,6 +129,21 @@
         "type": "github"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "uninsane-dot-org": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -134,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1686876043,
-        "narHash": "sha256-71SNPU2aeeJx29JSeW4JCJb8HXAuZRvL7sbh+c3wgkk=",
+        "lastModified": 1687821285,
+        "narHash": "sha256-pw0UYKG8yhW1H3nPgAhVYCzYFXYtamMh2DmF8YhtRec=",
         "ref": "refs/heads/master",
-        "rev": "0e0aa12aca143639f158b3a5c0c00349fcc2166c",
-        "revCount": 199,
+        "rev": "ae27eb61b55b6c6d83c25384fb163df398a80265",
+        "revCount": 201,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -23,9 +23,6 @@
   # preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
   # but `inputs` is required to be a strict attrset: not an expression.
   inputs = {
-    # <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
-    # nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
-
     # branch workflow:
     # - daily:
     #   - nixos-unstable cut from master after enough packages have been built in caches.
@@ -180,12 +177,6 @@
         optimizations = final: prev: import ./overlays/optimizations.nix final prev;
         passthru = final: prev:
           let
-            stable =
-              if inputs ? "nixpkgs-stable" then (
-                final': prev': {
-                  stable = inputs.nixpkgs-stable.legacyPackages."${prev'.stdenv.hostPlatform.system}";
-                }
-              ) else (final': prev': {});
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlay;
             # nix-serve' = nix-serve.overlay;
@@ -196,11 +187,10 @@
               inherit (nix-serve.packages."${next.system}") nix-serve;
             };
           in
-              (stable final prev)
-              // (mobile final prev)
-              // (uninsane final prev)
-              // (nix-serve' final prev)
-            ;
+            (mobile final prev)
+            // (uninsane final prev)
+            // (nix-serve' final prev)
+          ;
       };
 
       nixosModules = rec {
@@ -252,7 +242,7 @@
           deployScript = action: pkgs.writeShellScript "deploy-moby" ''
             nixos-rebuild --flake '.#moby' build $@
             sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
-            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby-hn --use-remote-sudo $@
+            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby --use-remote-sudo $@
           '';
         in {
           update-feeds = {
@@ -276,6 +266,22 @@
             type = "app";
             program = ''${deployScript "switch"}'';
           };
+
+          check-nur = {
+            # `nix run '.#check-nur'`
+            # validates that my repo can be included in the Nix User Repository
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript "check-nur" ''
+              cd ${./.}/integrations/nur
+              NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
+                --allowed-uris https://static.rust-lang.org \
+                --option restrict-eval true \
+                --option allow-import-from-derivation true \
+                --drv-path --show-trace \
+                -I nixpkgs=$(nix-instantiate --find-file nixpkgs) \
+                -I ../../
+            '');
+          };
         };
 
       templates = {

hosts/by-name/desko/default.nix

@@ -4,6 +4,12 @@
     ./fs.nix
   ];
 
+  sane.guest.enable = true;
+
+  # TODO: make sure this plays nice with impermanence
+  services.distccd.enable = true;
+  sane.programs.distcc.enableFor.user.guest = true;
+
   sops.secrets.colin-passwd.neededForUsers = true;
 
   sane.roles.build-machine.enable = true;

hosts/by-name/lappy/polyfill.nix

@@ -1,6 +1,6 @@
 # doesn't actually *enable* anything,
 # but sets up any modules such that if they *were* enabled, they'll act as expected.
-{ ... }:
+{ pkgs, ... }:
 {
   sane.gui.sxmo = {
     greeter = "sway";
@@ -28,5 +28,11 @@
       # see <repo:mil/sxmo-utils:scripts/deviceprofiles>
       # SXMO_DEVICE_NAME = "pine64,pinephone-1.2";
     };
+    package = pkgs.sxmo-utils.overrideAttrs (base: {
+      postPatch = (base.postPatch or "") + ''
+        # after volume-button navigation mode, restore full keyboard functionality
+        cp ${./xkb_mobile_normal_buttons} ./configs/xkb/xkb_mobile_normal_buttons
+      '';
+    });
   };
 }

hosts/by-name/moby/default.nix

@@ -40,7 +40,6 @@
   sane.programs.tuiApps.enableFor.user.colin = false;  # visidata, others, don't compile well
   # disabled for faster deploys (gthumb depends on webkitgtk, particularly)
   sane.programs.soundconverter.enableFor.user.colin = false;
-  sane.programs.gthumb.enableFor.user.colin = false;
   sane.programs.jellyfin-media-player.enableFor.user.colin = false;
   # sane.programs.mpv.enableFor.user.colin = true;
 

hosts/by-name/moby/polyfill.nix

@@ -1,4 +1,4 @@
-{ sane-lib, ... }:
+{ pkgs, sane-lib, ... }:
 {
   sane.gui.sxmo = {
     settings = {
@@ -10,8 +10,17 @@
       # N.B. some deviceprofiles explicitly set SXMO_SWAY_SCALE, overwriting what we put here.
       SXMO_SWAY_SCALE = "1.5";
       SXMO_ROTATION_GRAVITY = "12800";
+      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff
       DEFAULT_COUNTRY = "US";
       BROWSWER = "librewolf";
     };
+    package = pkgs.sxmo-utils.overrideAttrs (base: {
+      postPatch = (base.postPatch or "") + ''
+        cat <<EOF >> ./configs/default_hooks/sxmo_hook_start.sh
+        # rotate UI based on physical display angle by default
+        sxmo_daemons.sh start autorotate sxmo_autorotate.sh
+        EOF
+      '';
+    });
   };
 }

hosts/by-name/servo/services/matrix/irc.nix

@@ -5,12 +5,11 @@
 { config, lib, ... }:
 
 let
-  ircServer = { name, additionalAddresses ? [], sasl ? true }: let
+  ircServer = { name, additionalAddresses ? [], sasl ? true, port ? 6697 }: let
     lowerName = lib.toLower name;
   in {
     # XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
-    inherit name additionalAddresses sasl;
-    port = 6697;
+    inherit name additionalAddresses sasl port;
     ssl = true;
     botConfig = {
       # bot has no presence in IRC channel; only real Matrix users
@@ -151,6 +150,7 @@ in
         };
         "irc.oftc.net" = ircServer {
           name = "oftc";
+          sasl = false;
           # notable channels:
           # - #sxmo
           # - #sxmo-offtopic

hosts/by-name/servo/services/pleroma.nix

@@ -3,6 +3,8 @@
 # - https://docs.pleroma.social/backend/configuration/cheatsheet/
 #
 # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
+#
+# admin frontend: <https://fed.uninsane.org/pleroma/admin>
 { config, pkgs, ... }:
 
 {
@@ -100,6 +102,8 @@
     #  level: :debug
 
     # XXX colin: not sure if this actually _does_ anything
+    # better to steal emoji from other instances?
+    # - <https://docs.pleroma.social/backend/configuration/cheatsheet/#mrf_steal_emoji>
     config :pleroma, :emoji,
       shortcode_globs: ["/emoji/**/*.png"],
       groups: [

hosts/by-name/servo/services/trust-dns.nix

@@ -3,13 +3,21 @@
 {
   sane.services.trust-dns.enable = true;
 
-  sane.services.trust-dns.listenAddrsIPv4 = [
+  sane.services.trust-dns.settings.listen_addrs_ipv4 = [
     # specify each address explicitly, instead of using "*".
     # this ensures responses are sent from the address at which the request was received.
     config.sane.hosts.by-name."servo".lan-ip
     "10.0.1.5"
   ];
   sane.services.trust-dns.quiet = true;
+  # sane.services.trust-dns.debug = true;
+
+  sane.ports.ports."53" = {
+    protocol = [ "udp" "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-dns-hosting";
+  };
 
   sane.dns.zones."uninsane.org".TTL = 900;
 
@@ -53,8 +61,11 @@
 
   # we need trust-dns to load our zone by relative path instead of /nix/store path
   # because we generate it at runtime.
-  sane.services.trust-dns.zones."uninsane.org".file = lib.mkForce "uninsane.org.zone";
-  sane.services.trust-dns.zonedir = null;
+  sane.services.trust-dns.settings.zones = [
+    {
+      zone = "uninsane.org";
+    }
+  ];
 
   sane.services.trust-dns.package =
     let
@@ -62,7 +73,7 @@
       zone-dir = "/var/lib/trust-dns";
       zone-wan = "${zone-dir}/wan/uninsane.org.zone";
       zone-lan = "${zone-dir}/lan/uninsane.org.zone";
-      zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.services.trust-dns.zones."uninsane.org".text;
+      zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.dns.zones."uninsane.org".rendered;
     in pkgs.writeShellScriptBin "named" ''
       # compute wan/lan values
       mkdir -p ${zone-dir}/{ovpn,wan,lan}

hosts/common/default.nix

@@ -13,7 +13,7 @@
     ./programs
     ./secrets.nix
     ./ssh.nix
-    ./users.nix
+    ./users
     ./vpn.nix
   ];
 
@@ -43,6 +43,24 @@
   # does the builder use some content-addressed db to efficiently dedupe?
   nix.settings.auto-optimise-store = true;
 
+  systemd.services.nix-daemon.serviceConfig = {
+    # the nix-daemon manages nix builders
+    # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
+    # see:
+    # - nixos PR that enabled systemd-oomd: <https://github.com/NixOS/nixpkgs/pull/169613>
+    # - systemd's docs on these properties: <https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill>
+    #
+    # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
+    # see `man oomd.conf` for further tunables that may help.
+    #
+    # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
+    # TODO: also apply this to the guest user's slice (user-1100.slice)
+    # TODO: also apply this to distccd
+    ManagedOOMMemoryPressure = "kill";
+    ManagedOOMSwap = "kill";
+  };
+
+  # TODO: move this to gui machines only
   fonts = {
     enableDefaultFonts = true;
     fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
@@ -71,19 +89,6 @@
   # disable non-required packages like nano, perl, rsync, strace
   environment.defaultPackages = [];
 
-  # programs.vim.defaultEditor = true;
-  environment.variables = {
-    EDITOR = "vim";
-    # git claims it should use EDITOR, but it doesn't!
-    GIT_EDITOR = "vim";
-    # TODO: these should be moved to `home.sessionVariables` (home-manager)
-    # Electron apps should use native wayland backend:
-    #   https://nixos.wiki/wiki/Slack#Wayland
-    # Discord under sway crashes with this.
-    # NIXOS_OZONE_WL = "1";
-    # LIBGL_ALWAYS_SOFTWARE = "1";
-  };
-
   # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
   # find keys/values with `dconf dump /`
   programs.dconf.enable = true;

hosts/common/feeds.nix

@@ -1,3 +1,6 @@
+# where to find good stuff?
+# - podcast rec thread: <https://lemmy.ml/post/1565858>
+#
 # candidates:
 # - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
 #   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
@@ -104,6 +107,8 @@ let
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)
     ## Matrix (chat) Live
     (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
+    (fromDb "cast.postmarketos.org" // tech)
+    (fromDb "podcast.thelinuxexp.com" // tech)
     ## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     (fromDb "rss.art19.com/your-welcome" // pol)
     (fromDb "seattlenice.buzzsprout.com" // pol)

hosts/common/fs.nix

@@ -7,6 +7,7 @@ let fsOpts = rec {
   common = [
     "_netdev"
     "noatime"
+    "user"  # allow any user with access to the device to mount the fs
     "x-systemd.requires=network-online.target"
     "x-systemd.after=network-online.target"
     "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
@@ -19,7 +20,6 @@ let fsOpts = rec {
   ];
 
   ssh = common ++ [
-    "user"
     "identityfile=/home/colin/.ssh/id_ed25519"
     "allow_other"
     "default_permissions"

hosts/common/home/keyring.nix

@@ -7,5 +7,6 @@
     generated.script.script = builtins.readFile ../../../scripts/init-keyring;
     # TODO: is this `wantedBy` needed? can we inherit it?
     wantedBy = [ config.sane.fs."/home/colin/private".unit ];
+    wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
   };
 }

hosts/common/home/mime.nix

@@ -1,6 +1,7 @@
 { config, sane-lib, ...}:
 
 let
+  # TODO: should move all of this into `sane.programs` to not ship broken associations
   www = config.sane.programs.web-browser.config.browser.desktop;
   pdf = "org.gnome.Evince.desktop";
   md = "obsidian.desktop";
@@ -8,6 +9,7 @@ let
   video = "vlc.desktop";
   # audio = "mpv.desktop";
   audio = "vlc.desktop";
+  email = "aerc.desktop";
 in
 {
 
@@ -39,5 +41,6 @@ in
     # RICH-TEXT DOCUMENTS
     "application/pdf" = pdf;
     "text/markdown" = md;
+    "x-scheme-handler/mailto" = email;
   };
 }

hosts/common/net.nix

@@ -21,6 +21,20 @@
     General.RoamThreshold5G = "-52";  # default -76
   };
 
+  # plugins mostly add support for establishing different VPN connections.
+  # the default plugin set includes mostly proprietary VPNs:
+  # - fortisslvpn (Fortinet)
+  # - iodine (DNS tunnels)
+  # - l2tp
+  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
+  # - openvpn
+  # - vpnc (Cisco VPN)
+  # - sstp
+  #
+  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
+  # e.g. openconnect drags in webkitgtk (for SSO)!
+  networking.networkmanager.plugins = lib.mkForce [];
+
   networking.firewall.allowedUDPPorts = [
     1900  # to received UPnP advertisements. required by sane-ip-check-upnp
   ];

hosts/common/programs/assorted.nix

@@ -43,6 +43,7 @@ let
       lsof
       miniupnpc
       nano
+      neovim
       netcat
       nethogs
       nmap
@@ -84,6 +85,7 @@ let
   tuiPkgs = {
     inherit (pkgs)
       aerc  # email client
+      msmtp  # sendmail
       offlineimap  # email mailox sync
       sfeed  # RSS fetcher
       visidata  # TUI spreadsheet viewer/editor
@@ -107,26 +109,27 @@ let
   consolePkgs = {
     inherit (pkgs)
       alsaUtils  # for aplay, speaker-test
-      cdrtools
+      # cdrtools
       clinfo
       dmidecode
       efivar
-      flashrom
+      # flashrom
       fwupd
       gh  # MS GitHub cli
       git  # needed as a user package, for config.
-      gnupg
-      gocryptfs
-      gopass  # TODO: shouldn't be needed here
-      gopass-jsonapi
+      # gnupg
+      # gocryptfs
+      # gopass
+      # gopass-jsonapi
       kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libsecret  # for managing user keyrings
-      lm_sensors  # for sensors-detect
+      libsecret  # for managing user keyrings. TODO: what needs this? lift into the consumer
+      lm_sensors  # for sensors-detect. TODO: what needs this? lift into the consumer
       lshw
       # memtester
-      neovim
+      neovim  # needed as a user package, for swap persistence
       # nettools
       # networkmanager
+      nix-index
       nixpkgs-review
       # nixos-generators
       nmon
@@ -148,6 +151,7 @@ let
       # tageditor  # music tagging
       unar
       wireguard-tools
+      xdg-terminal-exec
       xdg-utils  # for xdg-open
       # yarn
       zsh
@@ -185,7 +189,9 @@ let
       jellyfin-media-player
       komikku
       koreader
+      lemoa  # lemmy app
       # lollypop
+      mepo  # maps viewer
       # mpv
       # networkmanagerapplet
       # newsflash
@@ -197,6 +203,7 @@ let
       # sublime-music
       # tdesktop  # broken on phosh
       # tokodon
+      tuba  # mastodon/pleroma client (stores pw in keyring)
       vlc
       # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
       # whalebird
@@ -211,7 +218,7 @@ let
       dino
       electrum
       element-desktop
-      font-manager
+      # font-manager  #< depends on webkitgtk4_0 (expensive to build)
       gajim  # XMPP client
       gimp  # broken on phosh
       "gnome.dconf-editor"

hosts/common/programs/default.nix

@@ -8,15 +8,20 @@
     ./git.nix
     ./gnome-feeds.nix
     ./gpodder.nix
+    ./gthumb.nix
     ./imagemagick.nix
     ./jellyfin-media-player.nix
     ./kitty
     ./komikku.nix
     ./koreader
     ./libreoffice.nix
+    ./lemoa.nix
+    ./mepo.nix
     ./mpv.nix
+    ./msmtp.nix
     ./neovim.nix
     ./newsflash.nix
+    ./nix-index.nix
     ./offlineimap.nix
     ./ripgrep.nix
     ./sfeed.nix

hosts/common/programs/git.nix

@@ -11,7 +11,15 @@ in
     user.name = "Colin";
     user.email = "colin@uninsane.org";
 
-    alias.co = "checkout";
+    alias.br      = "branch";
+    alias.co      = "checkout";
+    alias.cp      = "cherry-pick";
+    alias.d       = "difftool";
+    alias.dif     = "diff";  # common typo
+    alias.difsum  = "diff --compact-summary";  #< show only the list of files which changed, not contents
+    alias.rb      = "rebase";
+    alias.st      = "status";
+    alias.stat    = "status";
 
     # difftastic docs:
     # - <https://difftastic.wilfred.me.uk/git.html>
@@ -22,5 +30,10 @@ in
 
     # render dates as YYYY-MM-DD HH:MM:SS +TZ
     log.date = "iso";
+
+    sendemail.annotate = "yes";
+    sendemail.confirm = "always";
+
+    stash.showPatch = true;
   };
 }

hosts/common/programs/gthumb.nix

@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+  sane.programs.gthumb.package = pkgs.gthumb.override { withWebservices = false; };
+}

hosts/common/programs/kitty/default.nix

@@ -1,14 +1,17 @@
-{ ... }:
+{ lib, ... }:
 
 {
-  sane.programs.kitty.fs.".config/kitty/kitty.conf".symlink.text = ''
-    # docs: https://sw.kovidgoyal.net/kitty/conf/
-    # disable terminal bell (when e.g. you backspace too many times)
-    enable_audio_bell no
+  sane.programs.kitty = {
+    fs.".config/kitty/kitty.conf".symlink.text = ''
+      # docs: https://sw.kovidgoyal.net/kitty/conf/
+      # disable terminal bell (when e.g. you backspace too many times)
+      enable_audio_bell no
 
-    map ctrl+n new_os_window_with_cwd
-    include ${./PaperColor_dark.conf}
-  '';
+      map ctrl+n new_os_window_with_cwd
+      include ${./PaperColor_dark.conf}
+    '';
+    env.TERMINAL = lib.mkDefault "kitty";
+  };
 
   #  include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf
 

hosts/common/programs/lemoa.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  sane.programs.lemoa = {
+    # creds
+    persist.private = [ ".local/share/io.github.lemmygtk.lemoa" ];
+  };
+}

hosts/common/programs/mepo.nix

@@ -0,0 +1,18 @@
+# docs: <https://git.sr.ht/~mil/mepo>
+# irc #mepo:irc.oftc.net
+{ config, lib, ... }:
+
+{
+  sane.programs.mepo = {
+    persist.plaintext = [ ".cache/mepo/tiles" ];
+    # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
+    persist.private = [ ".cache/mepo/savestate" ];
+  };
+
+  programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
+    # enable location services (via geoclue)
+    enable = true;
+    # more precise, via gpsd ("may require additional config")
+    # programs.mepo.gpsd.enable = true
+  };
+}

hosts/common/programs/msmtp.nix

@@ -0,0 +1,25 @@
+# docs: <https://nixos.wiki/wiki/Msmtp>
+# validate with e.g.
+# - `echo -e "Content-Type: text/plain\r\nSubject: Test\r\n\r\nHello World" | sendmail test@uninsane.org`
+{ config, lib, ... }:
+
+{
+  sane.programs.msmtp = {
+    secrets.".config/msmtp/password.txt" = ../../../secrets/common/msmtp_password.txt.bin;
+  };
+
+  programs.msmtp = lib.mkIf config.sane.programs.msmtp.enabled {
+    enable = true;
+    accounts = {
+      default = {
+        auth = true;
+        tls = true;
+        tls_starttls = false;  # needed else sendmail hangs
+        from = "Colin <colin@uninsane.org>";
+        host = "mx.uninsane.org";
+        user = "colin";
+        passwordeval = "cat ~/.config/msmtp/password.txt";
+      };
+    };
+  };
+}

hosts/common/programs/neovim.nix

@@ -5,30 +5,11 @@ let
   inherit (lib) concatMapStrings mkIf optionalString;
   # this structure roughly mirrors home-manager's `programs.neovim.plugins` option
   plugins = with pkgs.vimPlugins; [
-    # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
-    # docs: vim-surround: https://github.com/tpope/vim-surround
-    { plugin = vim-surround; }
-    # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
-    { plugin = fzf-vim; }
-    ({
-      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
-      plugin = tex-conceal-vim;
-      type = "viml";
-      config = ''
-        " present prettier fractions
-        let g:tex_conceal_frac=1
-      '';
-    })
-    ({
-      plugin = vim-SyntaxRange;
-      type = "viml";
-      config = ''
-        " enable markdown-style codeblock highlighting for tex code
-        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
-        " autocmd Syntax tex set conceallevel=2
-      '';
-    })
-    ({
+    {
+      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
+      plugin = fzf-vim;
+    }
+    {
       # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
       # docs: https://github.com/nvim-treesitter/nvim-treesitter
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
@@ -64,7 +45,35 @@ let
         vim.o.foldmethod = 'expr'
         vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
       '';
-    })
+    }
+    {
+      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
+      plugin = tex-conceal-vim;
+      type = "viml";
+      config = ''
+        " present prettier fractions
+        let g:tex_conceal_frac=1
+      '';
+    }
+    {
+      # source: <https://github.com/LnL7/vim-nix>
+      # fixes auto-indent (incl tab size) when editing .nix files
+      plugin = vim-nix;
+    }
+    {
+      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
+      # docs: vim-surround: https://github.com/tpope/vim-surround
+      plugin = vim-surround;
+    }
+    {
+      plugin = vim-SyntaxRange;
+      type = "viml";
+      config = ''
+        " enable markdown-style codeblock highlighting for tex code
+        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
+        " autocmd Syntax tex set conceallevel=2
+      '';
+    }
   ];
   plugin-packages = map (p: p.plugin) plugins;
   plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
@@ -72,7 +81,12 @@ let
 in
 {
   # private because there could be sensitive things in the swap
-  sane.programs.neovim.persist.private = [ ".cache/vim-swap" ];
+  sane.programs.neovim = {
+    persist.private = [ ".cache/vim-swap" ];
+    env.EDITOR = "vim";
+    # git claims it should use EDITOR, but it doesn't!
+    env.GIT_EDITOR = "vim";
+  };
 
   programs.neovim = mkIf config.sane.programs.neovim.enabled {
     # neovim: https://github.com/neovim/neovim

hosts/common/programs/nix-index.nix

@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+{
+  # provides `nix-locate`, backed by the manually run `nix-index`
+  sane.programs.nix-index = {
+    persist.plaintext = [ ".cache/nix-index" ];
+  };
+}

hosts/common/programs/web-browser.nix

@@ -13,17 +13,15 @@ let
   # allow easy switching between firefox and librewolf with `defaultSettings`, below
   librewolfSettings = {
     browser = pkgs.librewolf-unwrapped;
-    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
-    #   # this allows side-loading unsigned addons
-    #   MOZ_REQUIRE_SIGNING = false;
-    # });
+    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ pkgs.librewolf-pmos-mobile.extraPrefsFiles;
     libName = "librewolf";
     dotDir = ".librewolf";
-    cacheDir = ".cache/librewolf";  # TODO: is it?
+    cacheDir = ".cache/librewolf";
     desktop = "librewolf.desktop";
   };
   firefoxSettings = {
     browser = pkgs.firefox-esr-unwrapped;
+    extraPrefsFiles = pkgs.firefox-pmos-mobile.extraPrefsFiles;
     libName = "firefox";
     dotDir = ".mozilla/firefox";
     cacheDir = ".cache/mozilla";
@@ -47,8 +45,7 @@ let
   package = pkgs.wrapFirefox cfg.browser.browser {
     # inherit the default librewolf.cfg
     # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-    inherit (cfg.browser) libName;
+    inherit (cfg.browser) extraPrefsFiles libName;
 
     extraNativeMessagingHosts = optional cfg.addons.browserpass-extension.enable pkgs.browserpass;
     # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
@@ -72,7 +69,10 @@ let
       };
       UserMessaging = {
         ExtensionRecommendations = false;
+        FeatureRecommendations = false;
         SkipOnboarding = true;
+        UrlbarInterventions = false;
+        WhatsNew = false;
       };
 
       # these were taken from Librewolf
@@ -162,8 +162,9 @@ in
         # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
         # bypass-paywalls-clean.enable = lib.mkDefault true;
 
+        # TODO: give these update scripts, make them reachable via `pkgs`
         ether-metamask = {
-          package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
+          package = addon "ether-metamask" "webextension@metamask.io" "sha256-UI83wUUc33OlQYX+olgujeppoo2D2PAUJ+Wma5mH2O0=";
           enable = lib.mkDefault true;
         };
         i2p-in-private-browsing = {
@@ -175,15 +176,15 @@ in
           enable = lib.mkDefault true;
         };
         sponsorblock = {
-          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
+          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-b/OTFmhSEUZ/CYrYCE4rHVMQmY+Y78k8jSGMoR8vsZA=";
           enable = lib.mkDefault true;
         };
         ublacklist = {
-          package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
+          package = addon "ublacklist" "@ublacklist" "sha256-NZ2FmgJiYnH7j2Lkn0wOembxaEphmUuUk0Ytmb0rNWo=";
           enable = lib.mkDefault true;
         };
         ublock-origin = {
-          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
+          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-EGGAA+cLUow/F5luNzFG055rFfd3rEyh8hTaL/23pbM=";
           enable = lib.mkDefault true;
         };
       };
@@ -192,6 +193,9 @@ in
       sane.programs.web-browser = {
         inherit package;
 
+        # env.BROWSER = "${package}/bin/${cfg.browser.libName}";
+        env.BROWSER = cfg.browser.libName;  # used by misc tools like xdg-email, as fallback
+
         # uBlock filter list configuration.
         # specifically, enable the GDPR cookie prompt blocker.
         # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
@@ -210,6 +214,7 @@ in
            }
           }
         '';
+        # TODO: this is better suited in `extraPrefs` during `wrapFirefox` call
         fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg".symlink.text = ''
           // if we can't query the revocation status of a SSL cert because the issuer is offline,
           // treat it as unrevoked.

hosts/common/programs/zsh/default.nix

@@ -1,3 +1,20 @@
+# zsh files/init order
+# - see `man zsh` => "STARTUP/SHUTDOWN FILES"
+# - /etc/zshenv
+# - $ZDOTDIR/.zshenv
+# - if login shell:
+#   - /etc/zprofile
+#   - $ZDOTDIR/.zprofile
+# - if interactive:
+#   - /etc/zshrc
+#   - $ZDOTDIR/.zshrc
+# - if login (again):
+#   - /etc/zlogin
+#   - ZDOTDIR/.zlogin
+# - at exit:
+#   - $ZDOTDIR/.zlogout
+#   - /etc/zlogout
+
 { config, lib, pkgs, ... }:
 
 let
@@ -33,7 +50,7 @@ in
       showDeadlines = mkOption {
         type = types.bool;
         default = true;
-        description = "show upcoming deadlines (frommy PKM) upon shell init";
+        description = "show upcoming deadlines (from my PKM) upon shell init";
       };
     };
   };
@@ -41,41 +58,60 @@ in
   config = mkMerge [
     ({
       sane.programs.zsh = {
-        persist.plaintext = [
+        persist.private = [
           # we don't need to full zsh dir -- just the history file --
-          # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
-          # TODO: should be private?
+          # but zsh will sometimes backup the history file and symlinking just the file messes things up
           ".local/share/zsh"
-          # cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
+        ];
+        persist.plaintext = [
+          # cache gitstatus otherwise p10k fetches it from the net EVERY BOOT
           ".cache/gitstatus"
         ];
 
-        # zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
-        fs.".config/zsh/.zshrc".symlink.text = "# ";
+        fs.".config/zsh/.zshrc".symlink.text = ''
+          # zsh/prezto complains if zshrc doesn't exist or is empty;
+          # preserve this comment to prevent that from ever happening.
+        '' + lib.optionalString cfg.showDeadlines ''
+          ${pkgs.sane-scripts.deadlines}/bin/sane-deadlines
+        '' + ''
+          # auto-cd into any of these dirs by typing them and pressing 'enter':
+          hash -d 3rd="/home/colin/dev/3rd"
+          hash -d dev="/home/colin/dev"
+          hash -d knowledge="/home/colin/knowledge"
+          hash -d nixos="/home/colin/nixos"
+          hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
+          hash -d ref="/home/colin/ref"
+          hash -d secrets="/home/colin/knowledge/secrets"
+          hash -d tmp="/home/colin/tmp"
+          hash -d uninsane="/home/colin/dev/uninsane"
+          hash -d Videos="/home/colin/Videos"
+        '';
 
         # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
         # see: https://github.com/sorin-ionescu/prezto
-        # i believe this file is auto-sourced by the prezto init.zsh script.
+        # this file is auto-sourced by the prezto init.zsh script.
+        # TODO: i should work to move away from prezto:
+        # - it's FUCKING SLOW to initialize (that might also be powerlevel10k tho)
+        # - it messes with my other `setopt`s
         fs.".config/zsh/.zpreztorc".symlink.text = ''
           zstyle ':prezto:*:*' color 'yes'
+          zstyle ':prezto:module:utility' correct 'no'  # prezto: don't setopt CORRECT
 
           # modules (they ship with prezto):
           # ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
           # TERMINAL: auto-titles terminal (e.g. based on cwd)
           # EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
           # HISTORY: `history-stat` alias, setopts for good history defaults
-          # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
+          # DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack. also overrides CLOBBER and some other options
           # SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
           # UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
           #   adds aliases like `get` to fetch a file. also adds `http-serve` alias??
           # COMPLETION: tab completion. requires `utility` module prior to loading
-          # TODO: enable AUTO_PARAM_SLASH
           zstyle ':prezto:load' pmodule \
             'environment' \
             'terminal' \
             'editor' \
             'history' \
-            'directory' \
             'spectrum' \
             'utility' \
             'completion' \
@@ -105,12 +141,19 @@ in
           "cd../" = "cd ../";
         };
         setOptions = [
-          # defaults:
+          # docs: `man zshoptions`
+          # nixos defaults:
+          "HIST_FCNTL_LOCK"
           "HIST_IGNORE_DUPS"
           "SHARE_HISTORY"
-          "HIST_FCNTL_LOCK"
-          # disable `rm *` confirmations
-          "rmstarsilent"
+          # customizations:
+          "AUTO_CD"  # type directory name to go there
+          "AUTO_MENU"  # show auto-complete menu on double-tab
+          "CDABLE_VARS"  # allow auto-cd to use my `hash` aliases -- not just immediate subdirs
+          "CLOBBER"  # allow `foo > bar.txt` to overwrite bar.txt
+          "NO_CORRECT"  # don't try to correct commands
+          "PIPE_FAIL"  # when `cmd_a | cmd_b`, make $? be non-zero if *any* of cmd_a or cmd_b fail
+          "RM_STAR_SILENT"  # disable `rm *` confirmations
         ];
 
         # .zshenv config:
@@ -118,7 +161,7 @@ in
           ZDOTDIR=$HOME/.config/zsh
         '';
 
-        # .zshrc config:
+        # system-wide .zshrc config:
         interactiveShellInit =
           (builtins.readFile ./p10k.zsh)
         + p10k-overrides
@@ -136,22 +179,6 @@ in
             mkdir -p "$1";
             pushd "$1";
           }
-        ''
-        + lib.optionalString cfg.showDeadlines ''
-          ${pkgs.sane-scripts.deadlines}/bin/sane-deadlines
-        ''
-        + ''
-          # auto-cd into any of these dirs by typing them and pressing 'enter':
-          hash -d 3rd="/home/colin/dev/3rd"
-          hash -d dev="/home/colin/dev"
-          hash -d knowledge="/home/colin/knowledge"
-          hash -d nixos="/home/colin/nixos"
-          hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
-          hash -d ref="/home/colin/ref"
-          hash -d secrets="/home/colin/knowledge/secrets"
-          hash -d tmp="/home/colin/tmp"
-          hash -d uninsane="/home/colin/dev/uninsane"
-          hash -d Videos="/home/colin/Videos"
         '';
 
         syntaxHighlighting.enable = true;
@@ -159,8 +186,8 @@ in
       };
 
       # enable a command-not-found hook to show nix packages that might provide the binary typed.
-      programs.nix-index.enable = true;
-      programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+      # programs.nix-index.enableZshIntegration = true;
+      programs.command-not-found.enable = false;
     })
   ];
 }

hosts/common/secrets.nix

@@ -29,14 +29,18 @@
 
 let
   inherit (lib.strings) hasSuffix removeSuffix;
-  secretsForHost = host: sane-lib.joinAttrsets (
+  secretsForHost = host: let
+    extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path) {
+      owner = "guest";
+    };
+  in sane-lib.joinAttrsets (
     map
       (path: lib.optionalAttrs (hasSuffix ".bin" path) (sane-lib.nameValueToAttrs {
         name = removeSuffix ".bin" path;
         value = {
           sopsFile = ../../secrets/${host}/${path};
           format = "binary";
-        };
+        } // (extraAttrsForPath path);
       }))
       (sane-lib.enumerateFilePaths ../../secrets/${host})
   );

hosts/common/users.nix

@@ -1,134 +0,0 @@
-{ config, pkgs, lib, sane-lib, ... }:
-
-# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
-with lib;
-let
-  cfg = config.sane.guest;
-  fs = sane-lib.fs;
-in
-{
-  options = {
-    sane.guest.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = {
-    # Users are exactly these specified here;
-    # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
-    users.mutableUsers = false;
-
-    # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
-    users.users.colin = {
-      # sets group to "users" (?)
-      isNormalUser = true;
-      home = "/home/colin";
-      createHome = true;
-      homeMode = "0700";
-      # i don't get exactly what this is, but nixos defaults to this non-deterministically
-      # in /var/lib/nixos/auto-subuid-map and i don't want that.
-      subUidRanges = [
-        { startUid=100000; count=1; }
-      ];
-      group = "users";
-      extraGroups = [
-        "dialout"  # required for modem access (moby)
-        "feedbackd"
-        "input"  # for /dev/input/<xyz>: sxmo
-        "networkmanager"
-        "nixbuild"
-        "transmission"  # servo, to admin /var/lib/uninsane/media
-        "video"  # phosh/mobile. XXX colin: unsure if necessary
-        "wheel"
-        "wireshark"
-      ];
-
-      # initial password is empty, in case anything goes wrong.
-      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
-      initialPassword = lib.mkDefault "";
-      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
-
-      shell = pkgs.zsh;
-
-      # mount encrypted stuff at login
-      # some other nix pam users:
-      # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
-      # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
-      # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
-      pamMount = let
-        priv = config.fileSystems."/home/colin/private";
-      in {
-        fstype = priv.fsType;
-        path = priv.device;
-        mountpoint = priv.mountPoint;
-        options = builtins.concatStringsSep "," priv.options;
-      };
-    };
-
-    security.pam.mount.enable = true;
-
-    sane.users.colin.default = true;
-    # ensure ~ perms are known to sane.fs module.
-    # TODO: this is generic enough to be lifted up into sane.fs itself.
-    sane.fs."/home/colin".dir.acl = {
-      user = "colin";
-      group = config.users.users.colin.group;
-      mode = config.users.users.colin.homeMode;
-    };
-
-    sane.user.persist.plaintext = [
-      "archive"
-      "dev"
-      # TODO: records should be private
-      "records"
-      "ref"
-      "tmp"
-      "use"
-      "Music"
-      "Pictures"
-      "Videos"
-
-      ".cache/nix"
-      ".cache/nix-index"
-
-      # ".cargo"
-      # ".rustup"
-    ];
-
-    # convenience
-    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
-    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
-    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
-    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
-    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
-    sane.user.fs."Pictures/servo-macros" = fs.wantedSymlinkTo "/mnt/servo-media/Pictures/macros";
-
-    # used by password managers, e.g. unix `pass`
-    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
-
-    sane.persist.sys.plaintext = mkIf cfg.enable [
-      # intentionally allow other users to write to the guest folder
-      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
-    ];
-    users.users.guest = mkIf cfg.enable {
-      isNormalUser = true;
-      home = "/home/guest";
-      subUidRanges = [
-        { startUid=200000; count=1; }
-      ];
-      group = "users";
-      initialPassword = lib.mkDefault "";
-      shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = [
-        # TODO: insert pubkeys that should be allowed in
-      ];
-    };
-
-    security.sudo = {
-      enable = true;
-      wheelNeedsPassword = false;
-    };
-  };
-}

hosts/common/users/colin.nix

@@ -0,0 +1,93 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+  users.users.colin = {
+    # sets group to "users" (?)
+    isNormalUser = true;
+    home = "/home/colin";
+    createHome = true;
+    homeMode = "0700";
+    # i don't get exactly what this is, but nixos defaults to this non-deterministically
+    # in /var/lib/nixos/auto-subuid-map and i don't want that.
+    subUidRanges = [
+      { startUid=100000; count=1; }
+    ];
+    group = "users";
+    extraGroups = [
+      "dialout"  # required for modem access (moby)
+      "feedbackd"
+      "input"  # for /dev/input/<xyz>: sxmo
+      "networkmanager"
+      "nixbuild"
+      "transmission"  # servo, to admin /var/lib/uninsane/media
+      "video"  # phosh/mobile. XXX colin: unsure if necessary
+      "wheel"
+      "wireshark"
+    ];
+
+    # initial password is empty, in case anything goes wrong.
+    # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
+    initialPassword = lib.mkDefault "";
+    passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
+
+    shell = pkgs.zsh;
+
+    # mount encrypted stuff at login
+    # some other nix pam users:
+    # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
+    # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
+    # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
+    pamMount = let
+      priv = config.fileSystems."/home/colin/private";
+    in {
+      fstype = priv.fsType;
+      path = priv.device;
+      mountpoint = priv.mountPoint;
+      options = builtins.concatStringsSep "," priv.options;
+    };
+  };
+
+  security.pam.mount.enable = true;
+
+  sane.users.colin = {
+    default = true;
+    # ensure ~ perms are known to sane.fs module.
+    # TODO: this is generic enough to be lifted up into sane.fs itself.
+    fs."/".dir.acl = {
+      user = "colin";
+      group = config.users.users.colin.group;
+      mode = config.users.users.colin.homeMode;
+    };
+
+    persist.plaintext = [
+      "archive"
+      "dev"
+      # TODO: records should be private
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Music"
+      "Pictures"
+      "Videos"
+
+      ".cache/nix"
+
+      # ".cargo"
+      # ".rustup"
+    ];
+
+    # convenience
+    fs."knowledge".symlink.target = "private/knowledge";
+    fs."nixos".symlink.target = "dev/nixos";
+    fs."Books/servo".symlink.target = "/mnt/servo-media/Books";
+    fs."Videos/servo".symlink.target = "/mnt/servo-media/Videos";
+    fs."Videos/servo-incomplete".symlink.target = "/mnt/servo-media/incomplete";
+    fs."Music/servo".symlink.target = "/mnt/servo-media/Music";
+    fs."Pictures/servo-macros".symlink.target = "/mnt/servo-media/Pictures/macros";
+
+    # used by password managers, e.g. unix `pass`
+    fs.".password-store".symlink.target = "knowledge/secrets/accounts";
+  };
+}

hosts/common/users/default.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, lib, sane-lib, ... }:
+
+{
+  imports = [
+    ./colin.nix
+    ./guest.nix
+  ];
+
+  # Users are exactly these specified here;
+  # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+  users.mutableUsers = false;
+
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+}

hosts/common/users/guest.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.sane.guest;
+in
+{
+  options = with lib; {
+    sane.guest.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+
+  config = {
+    users.users.guest = lib.mkIf cfg.enable {
+      isNormalUser = true;
+      home = "/home/guest";
+      subUidRanges = [
+        { startUid=200000; count=1; }
+      ];
+      group = "users";
+      initialPassword = lib.mkDefault "";
+      shell = pkgs.zsh;
+    };
+
+    sane.users.guest.fs.".ssh/authorized_keys".symlink.target = config.sops.secrets."guest/authorized_keys".path or "/dev/null";
+
+    sane.persist.sys.plaintext = lib.mkIf cfg.enable [
+      # intentionally allow other users to write to the guest folder
+      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
+    ];
+  };
+}

hosts/modules/gui/default.nix

@@ -7,6 +7,7 @@ in
 {
   imports = [
     ./gnome.nix
+    ./gtk.nix
     ./phosh.nix
     ./plasma.nix
     ./plasma-mobile.nix

hosts/modules/gui/gtk.nix

@@ -0,0 +1,133 @@
+{ config, lib, pkgs }:
+let
+  cfg = config.sane.gui.gtk;
+  themes = {
+    inherit (pkgs)
+      # themes are in <repo:nixos/nixpkgs:pkgs/data/themes>
+      adapta-gtk-theme
+      adapta-kde-theme
+      adementary-theme
+      adi1090x-plymouth-themes
+      adw-gtk3
+      adwaita-qt
+      adwaita-qt6
+      albatross
+      amarena-theme
+      amber-theme
+      ant-bloody-theme
+      ant-nebula-theme
+      ant-theme
+      arc-kde-theme
+      arc-theme
+      artim-dark
+      ayu-theme-gtk
+      base16-schemes
+      blackbird
+      breath-theme
+      canta-theme
+      catppuccin-gtk
+      catppuccin-kde
+      catppuccin-kvantum
+      catppuccin-plymouth
+      clearlooks-phenix
+      colloid-gtk-theme
+      colloid-kde
+      dracula-theme
+      e17gtk
+      equilux-theme
+      flat-remix-gnome
+      flat-remix-gtk
+      fluent-gtk-theme
+      graphite-gtk-theme
+      graphite-kde-theme
+      greybird
+      gruvbox-dark-gtk
+      gruvbox-gtk-theme
+      gruvterial-theme
+      juno-theme
+      kde-gruvbox
+      kde-rounded-corners
+      layan-gtk-theme
+      layan-kde
+      lightly-boehs
+      lightly-qt
+      lounge-gtk-theme
+      marwaita
+      marwaita-manjaro
+      marwaita-peppermint
+      marwaita-pop_os
+      marwaita-ubuntu
+      matcha-gtk-theme
+      materia-kde-theme
+      materia-theme
+      material-kwin-decoration
+      mojave-gtk-theme
+      nixos-bgrt-plymouth
+      nordic
+      numix-gtk-theme
+      numix-solarized-gtk-theme
+      numix-sx-gtk-theme
+      oceanic-theme
+      omni-gtk-theme
+      onestepback
+      openzone-cursors
+      orchis-theme
+      orion
+      palenight-theme
+      paper-gtk-theme
+      pitch-black
+      plano-theme
+      plasma-overdose-kde-theme
+      plata-theme
+      pop-gtk-theme
+      qogir-kde
+      qogir-theme
+      rose-pine-gtk-theme
+      shades-of-gray-theme
+      sierra-breeze-enhanced
+      sierra-gtk-theme
+      skeu
+      snowblind
+      solarc-gtk-theme
+      spacx-gtk-theme
+      stilo-themes
+      sweet
+      sweet-nova
+      theme-jade1
+      theme-obsidian2
+      theme-vertex
+      tokyo-night-gtk
+      ubuntu-themes
+      venta
+      vimix-gtk-themes
+      whitesur-gtk-theme
+      yaru-remix-theme
+      yaru-theme
+      zuki-themes
+    ;
+  };
+in
+{
+  options = with lib; {
+    sane.gui.gtk.enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = "apply theme to gtk4 apps";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.dconf.packages = [
+      (pkgs.writeTextFile {
+        name = "dconf-sway-settings";
+        destination = "/etc/dconf/db/site.d/10_sway_settings";
+        text = ''
+          [org/gnome/desktop/interface]
+          gtk-theme="Dracula"
+          icon-theme="Dracula"
+        '';
+      })
+    ];
+    environment.systemPackages = lib.attrValues themes;
+  };
+}

hosts/modules/gui/phosh.nix

@@ -43,7 +43,7 @@ in
         })
           phosh-mobile-settings
           "plasma5Packages.konsole"
-          # "gnome.gnome-bluetooth"
+          "gnome.gnome-bluetooth"
           "gnome.gnome-terminal"
         ;
       };

hosts/modules/gui/sway/default.nix

@@ -66,16 +66,17 @@ in
           "mako"  # notification daemon
           # # "pavucontrol"
           # "gnome.gnome-bluetooth"  # XXX(2023/05/14): broken
-          "gnome.gnome-control-center"
+          # "gnome.gnome-control-center"  # XXX(2023/06/28): depends on webkitgtk4_1
           "sway-contrib.grimshot"
+          "wdisplays"  # like xrandr
         ];
       };
     }
     {
       sane.programs = {
         inherit (pkgs // {
-          "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
-          "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
+          # "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
+          # "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
           "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
         })
           swaylock
@@ -83,15 +84,17 @@ in
           wl-clipboard
           blueberry
           mako
-          "gnome.gnome-bluetooth"
-          "gnome.gnome-control-center"
+          # "gnome.gnome-bluetooth"
+          # "gnome.gnome-control-center"
           "sway-contrib.grimshot"
+          wdisplays
         ;
       };
     }
 
     (mkIf cfg.enable {
       sane.programs.swayApps.enableFor.user.colin = true;
+      sane.gui.gtk.enable = lib.mkDefault true;
 
       # swap in these lines to use SDDM instead of `services.greetd`.
       # services.xserver.displayManager.sddm.enable = true;
@@ -126,13 +129,13 @@ in
       hardware.bluetooth.enable = true;
       services.blueman.enable = true;
       # gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
-      services.gnome.gnome-settings-daemon.enable = true;
+      # services.gnome.gnome-settings-daemon.enable = true;
       # start the components of gsd we need at login
-      systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
+      # systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
       # go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
       # the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
       # it doesn't actually seem to need ANY of them in the first place T_T
-      systemd.user.targets."gnome-session-initialized".enable = false;
+      # systemd.user.targets."gnome-session-initialized".enable = false;
       # bluez can't connect to audio devices unless pipewire is running.
       # a system service can't depend on a user service, so just launch it at graphical-session
       systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];

hosts/modules/gui/sxmo.nix

@@ -63,29 +63,13 @@ in
         "sway" => layered sway greeter. behaves as if you booted to swaylock.
       '';
     };
-    sane.gui.sxmo.hooks = mkOption {
+    sane.gui.sxmo.package = mkOption {
       type = types.package;
-      default = pkgs.runCommand "sxmo-hooks" { } ''
-        mkdir -p $out
-        ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks $out/bin
-      '';
+      default = pkgs.sxmo-utils;
       description = ''
-        hooks to make visible to sxmo.
-        a hook is a script generally of the name sxmo_hook_<thing>.sh
-        which is called by sxmo at key moments to proide user programmability.
-      '';
-    };
-    sane.gui.sxmo.deviceHooks = mkOption {
-      type = types.package;
-      default = pkgs.runCommand "sxmo-device-hooks" { } ''
-        mkdir -p $out
-        ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks/unknown $out/bin
-      '';
-      description = ''
-        device-specific hooks to make visible to sxmo.
-        this package supplies things like `sxmo_hook_inputhandler.sh`.
-        a hook is a script generally of the name sxmo_hook_<thing>.sh
-        which is called by sxmo at key moments to proide user programmability.
+        sxmo base scripts and hooks collection.
+        consider overriding the outputs under /share/sxmo/default_hooks
+        to insert your own user scripts.
       '';
     };
     sane.gui.sxmo.terminal = mkOption {
@@ -170,7 +154,7 @@ in
       security.doas.enable = true;
       security.doas.wheelNeedsPassword = false;
 
-      # TODO: not all of these fonts seem to be mapped to the correct icon
+      # TODO: nerdfonts is 4GB. it accepts an option to ship only some fonts: probably want to use that.
       fonts.fonts = [ pkgs.nerdfonts ];
 
       # sxmo has first-class support only for pulseaudio and alsa -- not pipewire.
@@ -186,40 +170,15 @@ in
       systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
 
       # TODO: could use `displayManager.sessionPackages`?
-      environment.systemPackages = with pkgs; [
-        bc
-        bemenu
-        bonsai
-        conky
-        gojq
-        inotify-tools
-        j4-dmenu-desktop
-        jq
-        libnotify
-        lisgd
-        mako
-        sfeed
-        superd
-        sway
-        swayidle
-        sxmo-utils
-        wob
-        wvkbd
-        xdg-user-dirs
-
-        # X11 only?
-        xdotool
-
-        cfg.deviceHooks
-        cfg.hooks
-      ] ++ lib.optionals (config.services.pipewire.pulse.enable) [ pulseaudio ]  # for pactl
-        ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
+      environment.systemPackages = [
+        cfg.package
+      ] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
         ++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
 
       environment.sessionVariables = {
         XDG_DATA_DIRS = [
           # TODO: only need the share/sxmo directly linked
-          "${pkgs.sxmo-utils}/share"
+          "${cfg.package}/share"
         ];
       } // cfg.settings;
 
@@ -238,7 +197,7 @@ in
         '';
 
         displayManager.sessionPackages = with pkgs; [
-          sxmo-utils  # this gets share/wayland-sessions/swmo.desktop linked
+          cfg.package  # this gets share/wayland-sessions/swmo.desktop linked
         ];
 
         # taken from gui/phosh:
@@ -273,6 +232,15 @@ in
         in "${sway-as-greeter}/bin/sway-as-greeter";
       };
 
+      systemd.services."sxmo-set-permissions" = {
+        description = "configure specific /sys and /dev nodes to be writable by sxmo scripts";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${cfg.package}/bin/sxmo_setpermissions.sh";
+        };
+        wantedBy = [ "display-manager.service" ];
+      };
+
       sane.fs."/var/log/sway" = lib.mkIf (cfg.greeter == "sway") {
         dir.acl.mode = "0777";
         wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
@@ -285,7 +253,7 @@ in
       #   name = "sxmo";
       #   desktopNames = [ "sxmo" ];
       #   start = ''
-      #     ${pkgs.sxmo-utils}/bin/sxmo_xinit.sh &
+      #     ${cfg.package}/bin/sxmo_xinit.sh &
       #     waitPID=$!
       #   '';
       # }];
@@ -295,7 +263,7 @@ in
       #   enable = true;
       #   settings = {
       #     default_session = {
-      #       command = "${pkgs.sxmo-utils}/bin/sxmo_winit.sh";
+      #       command = "${cfg.package}/bin/sxmo_winit.sh";
       #       user = "colin";
       #     };
       #   };

hosts/modules/roles/build-machine.nix

@@ -32,6 +32,11 @@ in
       # serve packages to other machines that ask for them
       sane.services.nixserve.enable = true;
 
+      # each concurrent derivation realization uses a different nix build user.
+      # default is 32 build users, limiting us to that many concurrent jobs.
+      # it's nice to not be limited in that way, so increase this a bit.
+      nix.nrBuildUsers = 64;
+
       # enable cross compilation
       # TODO: do this via stdenv injection, linking into /run/binfmt the stuff in <nixpkgs:nixos/modules/system/boot/binfmt.nix>
       boot.binfmt.emulatedSystems = lib.optionals cfg.emulation [

hosts/modules/roles/dev-machine.nix

@@ -18,7 +18,7 @@ in
     ({
       sane.programs.docsets.config.rustPkgs = [
         # "lemmy-server"
-        "mx-sanebot"
+        # "mx-sanebot"
       ];
     })
     (mkIf cfg {

integrations/nur/default.nix

@@ -22,6 +22,7 @@
 # ^ source: <https://github.com/nix-community/nur-packages-template/blob/master/.github/workflows/build.yml#L63>
 #   N.B.: nur eval allows only PATH (inherited) and NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM="1" (forced),
 #   hence the erasing of NIX_PATH above (to remove external overlays)
+# - or do: `nix run '.#check-nur'` via the toplevel flake.nix in this repo
 #
 # if it validates here but not upstream, likely to do with different `nixpkgs` inputs.
 # - CI logs: <https://github.com/nix-community/NUR/actions/workflows/update.yml>

modules/dns.nix

@@ -1,3 +1,5 @@
+# TODO: consider using this library for .zone file generation:
+# - <https://github.com/kirelagin/dns.nix>
 { config, lib, pkgs, ... }:
 
 with builtins;
@@ -63,12 +65,22 @@ in
   options = {
     sane.dns = with lib; {
       zones = mkOption {
-        type = types.attrsOf (types.submodule {
+        description = ''
+          declarative zone config.
+          this doesn't feed into anything, rather, one should read `config.sane.dns.zones."foo".rendered`
+          and do something with it.
+        '';
+        default = {};
+        type = types.attrsOf (types.submodule ({ name, config, ... }: {
           options = {
             name = mkOption {
               type = types.nullOr types.str;
               description = "zone name. defaults to the attribute name in zones";
-              default = null;
+              default = name;
+            };
+            rendered = mkOption {
+              type = types.str;
+              description = "rendered .zone text for this zone (read-only)";
             };
             TTL = mkOption {
               type = types.int;
@@ -122,25 +134,12 @@ in
                 default = {};
               };
             };
-
-            file = mkOption {
-              type = types.nullOr types.str;
-              default = null;
-              description = ''
-                instead of using the generated zone file, use the specified path (user should populate the file specified here).
-              '';
-            };
           };
-        });
-        default = {};
-        description = "Declarative zone config";
+          config = {
+            rendered = genZone config;
+          };
+        }));
       };
     };
   };
-
-  config = {
-    sane.services.trust-dns.zones = mapAttrs (_name: zcfg: {
-      text = genZone zcfg;
-    }) cfg.zones;
-  };
 }

modules/lib/path.nix

@@ -24,6 +24,8 @@ let path = rec {
   # return the last path component; error on the empty path
   leaf = str: lib.last (split str);
 
+  # XXX: this is bugged in that
+  # from "/foo/bar" "/foo/barbag" => "/bag"
   from = start: end: let
     s = path.norm start;
     e = path.norm end;
@@ -32,6 +34,12 @@ let path = rec {
     "/" +  (lib.removePrefix s e)
   );
 
+  isChild = parent: child:
+    lib.any
+      (p: p == norm parent)
+      (walk "/" child)
+  ;
+
   # yield every node between start and end, including each the endpoints
   # e.g. walk "/foo" "/foo/bar/baz" => [ "/foo" "/foo/bar" "/foo/bar/baz" ]
   # XXX: assumes input paths are normalized

modules/programs.nix

@@ -110,6 +110,11 @@ let
           the secret will have same owner as the user under which the program is enabled.
         '';
       };
+      env = mkOption {
+        type = types.attrsOf types.str;
+        default = {};
+        description = "environment variables to set when this program is enabled";
+      };
       configOption = mkOption {
         type = types.raw;
         default = mkOption {
@@ -137,10 +142,11 @@ let
       message = ''program "${sug}" referenced by "${name}", but not defined'';
     }) p.suggestedPrograms;
 
-    # conditionally add to system PATH
-    environment.systemPackages = optional
-      (p.package != null && p.enableFor.system)
-      p.package;
+    # conditionally add to system PATH and env
+    environment = lib.optionalAttrs p.enableFor.system {
+      systemPackages = lib.optional (p.package != null) p.package;
+      variables = p.env;
+    };
 
     # conditionally add to user(s) PATH
     users.users = mapAttrs (user: en: {
@@ -150,6 +156,7 @@ let
     # conditionally persist relevant user dirs and create files
     sane.users = mapAttrs (user: en: optionalAttrs en {
       inherit (p) persist;
+      environment = p.env;
       fs = mkMerge [
         # make every fs entry wanted by system boot:
         (mapAttrs (_path: sane-lib.fs.wanted) p.fs)
@@ -196,6 +203,7 @@ in
       take = f: {
         assertions = f.assertions;
         environment.systemPackages = f.environment.systemPackages;
+        environment.variables = f.environment.variables;
         users.users = f.users.users;
         sane.users = f.sane.users;
         sops.secrets = f.sops.secrets;

modules/services/trust-dns.nix

@@ -1,23 +1,16 @@
+# WIP: porting to the API described here:
+# - <https://github.com/NixOS/nixpkgs/pull/205866>
+# - TODO: hardening!
 { config, lib, pkgs, ... }:
 
-# TODO: consider using this library for .zone file generation:
-# - <https://github.com/kirelagin/dns.nix>
-
 with lib;
 let
   cfg = config.sane.services.trust-dns;
   toml = pkgs.formats.toml { };
 
-  configFile = toml.generate "trust-dns.toml" {
-    listen_addrs_ipv4 = cfg.listenAddrsIPv4;
-    zones = attrValues (
-      mapAttrs (zname: zcfg: rec {
-        zone = if zcfg.name == null then zname else zcfg.name;
-        zone_type = "Primary";
-        file = zcfg.file;
-      }) cfg.zones
-    );
-  };
+  configFile = toml.generate "trust-dns.toml" (
+    lib.filterAttrsRecursive (_: v: v != null) cfg.settings
+  );
 in
 {
   options = {
@@ -34,79 +27,113 @@ in
           should provide bin/named, which will be invoked with --config x and --zonedir d and maybe -q.
         '';
       };
-      listenAddrsIPv4 = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "array of ipv4 addresses on which to listen for DNS queries";
-      };
       quiet = mkOption {
         type = types.bool;
         default = false;
-      };
-      zonedir = mkOption {
-        type = types.nullOr types.str;
-        default = "/";
         description = ''
-          where the `file` option in zones.* is relative to.
+          log ERROR level messages only.
+          if not specified, defaults to INFO level logging.
+          mutually exclusive with the `debug` option.
         '';
       };
-      # reference <nixpkgs:nixos/modules/services/web-servers/nginx/vhost-options.nix>
-      zones = mkOption {
-        type = types.attrsOf (types.submodule ({ config, name, ... }: {
+      debug = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          log DEBUG, INFO, WARN and ERROR messages.
+          if not specified, defaults to INFO level logging.
+          mutually exclusive with the `quiet` option.
+        '';
+      };
+      settings = mkOption {
+        type = types.submodule {
+          freeformType = toml.type;
           options = {
-            name = mkOption {
-              type = types.nullOr types.str;
-              description = "zone name. defaults to the attribute name in zones";
-              default = name;
+            listen_addrs_ipv4 = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = "array of ipv4 addresses on which to listen for DNS queries";
             };
-            text = mkOption {
-              type = types.nullOr types.lines;
-              default = null;
+            listen_addrs_ipv6 = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = "array of ipv6 addresses on which to listen for DNS queries";
             };
-            file = mkOption {
-              type = types.nullOr (types.either types.path types.str);
+            listen_port = mkOption {
+              type = types.port;
+              default = 53;
               description = ''
-                path to a .zone file.
-                if omitted, will be generated from the `text` option.
+                port to listen on (applies to all listen addresses).
               '';
             };
+            directory = mkOption {
+              type = types.nullOr types.str;
+              default = null;
+              description = ''
+                directory in which trust-dns will look for .zone files
+                whenever zones aren't specified by absolute path.
+                upstream defaults this to "/var/named".
+              '';
+            };
+            zones = mkOption {
+              description = "Declarative zone config";
+              default = {};
+              type = types.listOf (types.submodule ({ config, name, ... }: {
+                options = {
+                  zone = mkOption {
+                    type = types.str;
+                    description = ''
+                      zone name, like "example.com", "localhost", or "0.0.127.in-addr.arpa".
+                    '';
+                  };
+                  zone_type = mkOption {
+                    type = types.enum [ "Primary" "Secondary" "Hint" "Forward" ];
+                    default = "Primary";
+                    description = ''
+                      one of:
+                      - "Primary" (the master, authority for the zone)
+                      - "Secondary" (the slave, replicated from the primary)
+                      - "Hint" (a cached zone with recursive resolver abilities)
+                      - "Forward" (a cached zone where all requests are forwarded to another resolver)
+                    '';
+                  };
+                  file = mkOption {
+                    type = types.either types.path types.str;
+                    description = ''
+                      path to a .zone file.
+                      if not a fully-qualified path, it will be interpreted relative to the `directory` option.
+                      defaults to the value of `zone` suffixed with ".zone".
+                    '';
+                  };
+                };
+                config = {
+                  file = lib.mkDefault "${config.zone}.zone";
+                };
+              }));
+            };
           };
-
-          config = {
-            file = lib.mkIf (config.text != null) (pkgs.writeText "${config.name}.zone" config.text);
-          };
-        }));
-        default = {};
-        description = "Declarative zone config";
+        };
       };
     };
   };
 
   config = mkIf cfg.enable {
-    sane.ports.ports."53" = {
-      protocol = [ "udp" "tcp" ];
-      visibleTo.lan = true;
-      visibleTo.wan = true;
-      description = "colin-dns-hosting";
-    };
-
     systemd.services.trust-dns = {
       description = "trust-dns DNS server";
       serviceConfig = {
         ExecStart =
-          let
-            flags = lib.optional cfg.quiet "-q" ++
-              lib.optionals (cfg.zonedir != null) [ "--zonedir" cfg.zonedir ];
-            flagsStr = builtins.concatStringsSep " " flags;
-          in ''
-            ${cfg.package}/bin/named \
-              --config ${configFile} \
-              ${flagsStr}
-          '';
+        let
+          flags = lib.optional cfg.debug "--debug"
+            ++ lib.optional cfg.quiet "--quiet";
+          flagsStr = builtins.concatStringsSep " " flags;
+        in ''
+          ${cfg.package}/bin/named --config ${configFile} ${flagsStr}
+        '';
         Type = "simple";
         Restart = "on-failure";
         RestartSec = "10s";
         # TODO: hardening (like, don't run as root!)
+        # TODO: link to docs
       };
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];

modules/users.nix

@@ -12,9 +12,13 @@ let
         type = types.attrs;
         default = {};
         description = ''
-          entries to pass onto `sane.fs` after prepending the user's home-dir to the path.
+        entries to pass onto `sane.fs` after prepending the user's home-dir to the path
+        and marking them as wanted.
           e.g. `sane.users.colin.fs."/.config/aerc" = X`
-            => `sane.fs."/home/colin/.config/aerc" = X;
+          => `sane.fs."/home/colin/.config/aerc" = { wantedBy = [ "multi-user.target"]; } // X;
+
+          conventions are similar as to toplevel `sane.fs`. so `sane.users.foo.fs."/"` represents the home directory,
+          whereas every other entry is expected to *not* have a trailing slash.
         '';
       };
 
@@ -25,6 +29,15 @@ let
           entries to pass onto `sane.persist.sys` after prepending the user's home-dir to the path.
         '';
       };
+
+      environment = mkOption {
+        type = types.attrsOf types.str;
+        default = {};
+        description = ''
+          environment variables to place in user's shell profile.
+          these end up in ~/.profile
+        '';
+      };
     };
   };
   userModule = types.submodule ({ name, config, ... }: {
@@ -46,8 +59,20 @@ let
       };
     };
 
+    config = lib.mkMerge [
     # if we're the default user, inherit whatever settings were routed to the default user
-    config = mkIf config.default sane-user-cfg;
+      (mkIf config.default sane-user-cfg)
+      {
+        fs.".profile".symlink.text =
+          let
+            env = lib.mapAttrsToList
+              (key: value: ''export ${key}="${value}"'')
+              config.environment
+            ;
+          in
+            lib.concatStringsSep "\n" env;
+      }
+    ];
   });
   processUser = user: defn:
     let
@@ -55,9 +80,13 @@ let
         name = path-lib.concat [ defn.home path ];
         inherit value;
       });
+      makeWanted = lib.mapAttrs (n: v: {
+        # default if not otherwise provided
+        wantedBeforeBy = [ "multi-user.target" ];
+      } // v);
     in
     {
-      sane.fs = prefixWithHome defn.fs;
+      sane.fs = makeWanted (prefixWithHome defn.fs);
 
       # `byPath` is the actual output here, computed from the other keys.
       sane.persist.sys.byPath = prefixWithHome defn.persist.byPath;

nixpatches/flake.nix

@@ -9,7 +9,7 @@
         name = "nixpkgs-patched-uninsane";
         src = nixpkgs;
         patches = import ./list.nix {
-          inherit (nixpkgs.legacyPackages.${system}) fetchpatch fetchurl;
+          inherit (nixpkgs.legacyPackages.${system}) fetchpatch2 fetchurl;
         };
       };
       patchedFlakeFor = system: import "${patchedPkgsFor system}/flake.nix";

nixpatches/list.nix

@@ -1,4 +1,4 @@
-{ fetchpatch, fetchurl }:
+{ fetchpatch2, fetchurl }:
 let
   fetchpatch' = {
     saneCommit ? null,
@@ -13,13 +13,56 @@ let
       else
         "https://git.uninsane.org/colin/nixpkgs/commit/${saneCommit}.diff"
       ;
-    in fetchpatch (
+    in fetchpatch2 (
       { inherit url; }
       // (if hash != null then { inherit hash; } else {})
       // (if title != null then { name = title; } else {})
     );
 in [
 
+  # (fetchpatch' {
+  #   # XXX: doesn't cleanly apply; fetch `firefox-pmos-mobile` branch from my git instead
+  #   title = "firefox-pmos-mobile: init at -pmos-2.2.0";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/121356";
+  #   hash = "sha256-eDsR1cJC/IMmhJl5wERpTB1VGawcnMw/gck9sI64GtQ=";
+  # })
+
+  # (fetchpatch' {
+  #   saneCommit = "70c12451b783d6310ab90229728d63e8a903c8cb";
+  #   title = "firefox-pmos-mobile: init at -pmos-2.2.0";
+  #   hash = "sha256-mA22g3ZIERVctq8Uk5nuEsS1JprxA+3DvukJMDTOyso=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "ee19a28aa188bb87df836a4edc7b73355b8766eb";
+  #   title = "firefox-pmos-mobile: format the generated policies.nix file";
+  #   hash = "sha256-K8b3QpyVEjajilB5w4F1UHGDRGlmN7i66lP7SwLZpWI=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "c068439c701c160ba15b6ed5abe9cf09b159d584";
+  #   title = "firefox-pmos-mobile: implement an updateScript";
+  #   hash = "sha256-afiGDHbZIVR3kJuWABox2dakyiRb/8EgDr39esqwcEk=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "865c9849a9f7bd048e066c2efd8068ecddd48e33";
+  #   title = "firefox-pmos-mobile: 2.2.0 -> 4.0.2";
+  #   hash = "sha256-WjWSW0qE+cypvUkDRfK7d9Te8m5zQXwF33z8nEhbvrE=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "eb6aae632c55ce7b0a76bca549c09da5e1f7761b";
+  #   title = "firefox-pmos-mobile: refactor and populate `passthru` to aid external consumers";
+  #   hash = "sha256-/LhbwXjC8vuKzIuGQ3/FGplbLllsz57nR5y+PeDjGuA=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "c9b90ef1e17ea21ac779a86994e5d9079a2057b9";
+  #   title = "librewolf-pmos-mobile: init";
+  #   hash = "sha256-oQEM3EZfAOmfZzDu9faCqyOFZsdHYGn1mVBgkxt68Zg=";
+  # })
+  (fetchpatch' {
+    saneCommit = "c3becd7cdf144d85d12e2e76663e9549a0536efd";
+    title = "firefox-pmos-mobile: init at 4.0.2";
+    hash = "sha256-NRh2INUMA2K7q8zioqKA7xwoqg7v6sxpuJRpTG5IP1Q=";
+  })
+
   # splatmoji: init at 1.2.0
   (fetchpatch' {
     saneCommit = "75149039b6eaf57d8a92164e90aab20eb5d89196";
@@ -58,13 +101,6 @@ in [
     hash = "sha256-jl6SZwSDhQTlpM5FyGaFU/svwTb1ySdKtvWMgsneq3A=";
   })
 
-  (fetchpatch' {
-    title = "cargo-docset: init at 0.3.1";
-    saneCommit = "5a09e84c6159ce545029483384580708bc04c08f";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/231188";
-    hash = "sha256-Z1HOps3w/WvxAiyUAHWszKqwS9EwA6rf4XfgPGp+2sQ=";
-  })
-
   # (fetchpatch' {
   #   # phoc: 0.25.0 -> 0.27.0
   #   # TODO: move wayland-scanner & glib to nativeBuildInputs
@@ -141,7 +177,7 @@ in [
   ./2023-06-06-jellyfin-no-libsForQt5-callPackage.patch
 
   # pin to a pre-0.17.3 release
-  # removing this and using stock 0.17.3 causes:
+  # removing this and using stock 0.17.3 (also 0.17.4) causes:
   #   INFO lemmy_server::code_migrations: No Local Site found, creating it.
   #   Error: LemmyError { message: None, inner: duplicate key value violates unique constraint "local_site_site_id_key", context: "SpanTrace" }
   # more specifically, lemmy can't find the site because it receives an error from diesel:
@@ -149,7 +185,7 @@ in [
   # this is likely some mis-ordered db migrations
   # or perhaps the whole set of migrations here isn't being running right.
   # related: <https://github.com/NixOS/nixpkgs/issues/236890#issuecomment-1585030861>
-  ./2023-06-10-lemmy-downgrade.patch
+  # ./2023-06-10-lemmy-downgrade.patch
 
   # (fetchpatch' {
   #   title = "gpodder: wrap with missing `xdg-utils` path";
@@ -157,19 +193,24 @@ in [
   #   hash = "sha256-cu8L30ZiUJnWFGRR/SK917TC7TalzpGkurGkUAAxl54=";
   # })
 
-  (fetchpatch' {
-    title = "sequoia: 0.28.0 -> 0.30.1";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/237698";
-    saneCommit = "71f47689d11e09b6ff70cbd4238e386b50d46899";
-    hash = "sha256-cadnRzZ0sjwdSc845zFtgYzLrsPGsZ9ShELibvQWLUU=";
-  })
-
   (fetchpatch' {
     title = "koreader: 2023.04 -> 2023.05.1";
     saneCommit = "a5c471bd263abe93e291239e0078ac4255a94262";
     hash = "sha256-m++Vv/FK7cxONCz6n0MLO3CiKNrRH0ttFmoC1Xmba+A=";
   })
 
+  (fetchpatch' {
+    title = "mepo: 1.1 -> 1.1.2";
+    saneCommit = "eee68d7146a6cd985481cdd8bca52ffb204de423";
+    hash = "sha256-uNerTwyFzivTU+o9bEKmNMFceOmy2AKONfKJWI5qkzo=";
+  })
+
+  (fetchpatch' {
+    title = "gthumb: make the webservices feature be optional";
+    saneCommit = "50767d5746fd80657e997b43fc5d82ba0c2c2447";
+    hash = "sha256-lXuLHdSPhWol9X5QX4cxnZqoVGUWEQTCZLmosvLX+WY=";
+  })
+
   # (fetchpatch' {
   #   # N.B.: compiles, but runtime error on launch suggestive of some module not being shipped
   #   title = "matrix-appservice-irc: 0.38.0 -> 1.0.0";

overlays/all.nix

@@ -4,7 +4,6 @@
 
 final: prev:
 let
-  pins = import ./pins.nix;
   pkgs = import ./pkgs.nix;
   disable-flakey-tests = import ./disable-flakey-tests.nix;
   optimizations = import ./optimizations.nix;
@@ -18,7 +17,6 @@ let
     overlays;
 in
   renderOverlays [
-    pins
     pkgs
     disable-flakey-tests
     (ifCross optimizations)

overlays/cross.nix

@@ -83,6 +83,7 @@ in {
     jellyfin-web  # in node-dependencies-jellyfin-web: "node: command not found"  (nodePackages don't cross compile)
     # libgccjit  # "../../gcc-9.5.0/gcc/jit/jit-result.c:52:3: error: 'dlclose' was not declared in this scope"  (needed by emacs!)
     # libsForQt5  # if we emulate qt5, we're better off emulating libsForQt5 else qt complains about multiple versions of qtbase
+    mepo  # /build/source/src/sdlshim.zig:1:20: error: C import failed
     perlInterpreters  # perl5.36.0-Module-Build perl5.36.0-Test-utf8 (see tracking issues ^)
     # qgnomeplatform
     # qtbase
@@ -521,6 +522,11 @@ in {
       # fixes -msse2, -mfpmath=ssh flags AND "Settings schema 'org.gtk.gtk4.Settings.FileChooser' is not installed"
       wrapGAppsHook4 = emulated.wrapGAppsHook4;
     };
+
+    zenity = super.zenity.override {
+      # fixes -msse2, -mfpmath=sse flags
+      wrapGAppsHook4 = final.wrapGAppsHook;
+    };
   });
 
   gnome2 = prev.gnome2.overrideScope' (self: super: {
@@ -739,6 +745,33 @@ in {
   #   callPackage = self.newScope { inherit (self) qtCompatVersion qtModule srcs; inherit (final) stdenv; };
   # });
 
+  # mepo = (prev.mepo.override {
+  #   inherit (emulated)
+  #     stdenv
+  #     SDL2
+  #     SDL2_gfx
+  #     SDL2_image
+  #     SDL2_ttf
+  #     zig
+  #   ;
+  # }).overrideAttrs (_upstream: {
+  #   doCheck = false;
+  #   # dontConfigure = true;
+  #   # dontBuild = true;
+  #   # preInstall = ''
+  #   #   export HOME=$TMPDIR
+  #   # '';
+  #   # installPhase = ''
+  #   #   runHook preInstall
+
+  #   #   zig build -Drelease-safe=true -Dtarget=aarch64-linux-gnu -Dcpu=baseline --prefix $out
+  #   #   install -d $out/share/man/man1
+  #   #   $out/bin/mepo -docman > $out/share/man/man1/mepo.1
+
+  #   #   runHook postInstall
+  #   # '';
+  # });
+
   # fixes: "ar: command not found"
   # `ar` is provided by bintools
   ncftp = addNativeInputs [ final.bintools ] prev.ncftp;
@@ -1203,6 +1236,13 @@ in {
     # fixes "meson.build:183:0: ERROR: Can not run test applications in this cross environment."
     inherit (emulated) stdenv;
   };
+  tuba = (prev.tuba.override {
+    # fixes -msse2, -mfpmath=sse flags
+    wrapGAppsHook4 = final.wrapGAppsHook;
+  }).overrideAttrs (upstream: {
+    # error: Package `{libadwaita-1,gtksourceview-5,libsecret-1,gee-0.8}' not found in specified Vala API directories or GObject-Introspection GIR directories
+    buildInputs = upstream.buildInputs ++ [ final.vala ];
+  });
   # twitter-color-emoji = prev.twitter-color-emoji.override {
   #   # fails to fix original error
   #   inherit (emulated) stdenv;
@@ -1278,9 +1318,19 @@ in {
   });
   # XXX: aarch64 webp-pixbuf-loader wanted by gdk-pixbuf-loaders.cache.drv, wanted by aarch64 gnome-control-center
 
-  # "extract-binary-wrapper-cmd: line 2: strings: command not found"
-  # XXX: technically this belongs in pkgs/build-support/setup-hooks/make-binary-wrapper/default.nix ?
-  wrapFirefox = browser: args: addNativeInputs [ final.bintools-unwrapped ] (prev.wrapFirefox browser args);
+  wrapFirefox = prev.wrapFirefox.override {
+    buildPackages = let
+      bpkgs = final.buildPackages;
+    in bpkgs // {
+      # fixes "extract-binary-wrapper-cmd: line 2: strings: command not found"
+      # ^- in the `nix log` output of cross-compiled `firefox` (it's non-fatal)
+      makeBinaryWrapper = bpkgs.makeBinaryWrapper.overrideAttrs (upstream: {
+        passthru.extractCmd = bpkgs.writeShellScript "extract-binary-wrapper-cmd" ''
+          ${final.stdenv.cc.targetPrefix}strings -dw "$1" | sed -n '/^makeCWrapper/,/^$/ p'
+        '';
+      });
+    };
+  };
 
   wvkbd = (
     # "wayland-scanner: no such program"

overlays/optimizations.nix

@@ -22,11 +22,12 @@ in {
   # webkitgtk = ccache-able super.webkitgtk;
   # mesa = ccache-able super.mesa;
 
-  webkitgtk = super.webkitgtk.overrideAttrs (_upstream: {
-    # means we drop debug info when linking.
-    # this is a trade-off to require less memory when linking, since
-    # building `webkitgtk` otherwise requires about 40G+ of RAM.
-    # <https://github.com/NixOS/nixpkgs/issues/153528>
-    separateDebugInfo = false;
-  });
+  # webkitgtk = super.webkitgtk.overrideAttrs (_upstream: {
+  #   # means we drop debug info when linking.
+  #   # this is a trade-off to require less memory when linking, since
+  #   # building `webkitgtk` otherwise requires about 40G+ of RAM.
+  #   # <https://github.com/NixOS/nixpkgs/issues/153528>
+  #   # XXX(2023/06/29): doesn't seem to actually reduce the resource requirements
+  #   separateDebugInfo = false;
+  # });
 })

overlays/pins.nix

@@ -1,31 +0,0 @@
-# when a `nixos-rebuild` fails after a nixpkgs update:
-# - take the failed package
-# - search it here: <https://hydra.nixos.org/search?query=pkgname>
-# - if it's broken by that upstream builder, then pin it: somebody will come along and fix the package.
-# - otherwise, search github issues/PRs for knowledge of it before pinning.
-# - if nobody's said anything about it yet, probably want to root cause it or hold off on updating.
-#
-# note that these pins apply to *all* platforms:
-# - natively compiled packages
-# - cross compiled packages
-# - qemu-emulated packages
-
-(next: prev: {
-  # XXX: when invoked outside our flake (e.g. via NIX_PATH) there is no `next.stable`,
-  # so just forward the unstable packages.
-  inherit (next.stable or prev)
-  ;
-  # chromium can take 4 hours to build from source, with no signs of progress.
-  # disable it if you're in a rush.
-  # chromium = next.emptyDirectory;
-
-  # lemmy-server = prev.lemmy-server.overrideAttrs (upstream: {
-  #   patches = upstream.patches or [] ++ [
-  #     (next.fetchpatch {
-  #       # "Fix docker federation setup (#2706)"
-  #       url = "https://github.com/LemmyNet/lemmy/commit/2891856b486ad9397bca1c9839255d73be66361.diff";
-  #       hash = "sha256-qgRvBO2y7pmOWdteu4uiZNi8hs0VazOV+L5Z0wu60/E=";
-  #     })
-  #   ];
-  # });
-})

pkgs/additional/cargo-docset/default.nix

@@ -1,30 +0,0 @@
-{ lib
-, fetchFromGitHub
-, rustPlatform
-, sqlite
-}:
-
-rustPlatform.buildRustPackage rec {
-  pname = "cargo-docset";
-  version = "0.3.1";
-
-  src = fetchFromGitHub {
-    owner = "Robzz";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-o2CSQiU9fEoS3eRmwphtYGZTwn3mstRm2Tlvval83+U=";
-  };
-
-  cargoHash = "sha256-YHrSvfHfQ7kbVeCOgggYf3E7gHq+RhVKZrzP8LqX5I0=";
-
-  buildInputs = [
-    sqlite
-  ];
-
-  meta = with lib; {
-    description = "Cargo subcommand to generate a Dash/Zeal docset for your Rust packages. ";
-    homepage = "https://github.com/Robzz/cargo-docset";
-    license = licenses.asl20;
-    maintainers = with maintainers; [ colinsane ];
-  };
-}

pkgs/additional/gpodder-configured/default.nix

@@ -15,13 +15,14 @@ let
       "gnome-feeds.listparser" = gnome-feeds.listparser;
     };
     pkgs = {
+      # important for this to explicitly use `gpodder` here, because it may be overriden/different from the toplevel `gpodder`!
       inherit gpodder;
     };
   };
 in
 # we use a symlinkJoin so that we can inherit the .desktop and icon files from the original gPodder
 (symlinkJoin {
-  name = "gpodder-configured";
+  name = "${gpodder.pname}-configured";
   paths = [ gpodder remove-extra ];
   nativeBuildInputs = [ makeWrapper ];
 
@@ -30,7 +31,7 @@ in
   # a feedlist every time we run it.
   # repeat imports are deduplicated by url, even when offline.
   postBuild = ''
-    makeWrapper $out/bin/gpodder $out/bin/gpodder-configured \
+    wrapProgram $out/bin/gpodder \
       --run "$out/bin/gpodder-remove-extra ~/.config/gpodderFeeds.opml || true" \
       --run "$out/bin/gpo import ~/.config/gpodderFeeds.opml || true" \
 
@@ -41,6 +42,6 @@ in
   '';
 
   passthru = {
-    remove-extra = remove-extra;
+    inherit gpodder remove-extra;
   };
 })

pkgs/additional/jellyfin-media-player-qt6/default.nix

@@ -20,14 +20,14 @@
     owner = "jellyfin";
     repo = "jellyfin-media-player";
     rev = "qt6";
-    hash = "sha256-saR/P2daqjF0G8N7BX6Rtsb1dWGjdf5MPDx1lhoioEw=";
+    hash = "sha256-CXuK6PLGOiBDbnLqXcr5sUtQmXksMc6X6GKVMEzmu30=";
   };
   # nixos ships two patches:
   # - the first fixes "web paths" and has *mostly* been upstreamed  (so skip and manually tweak a bit)
   # - the second disables auto-update notifications  (keep)
   patches = (builtins.tail upstream.patches) ++ [
     ./0001-fix-web-path.patch
-    ./0002-qt6-build-fixes.patch
+    # ./0002-qt6-build-fixes.patch
     # ./0003-qt6-components-webengine.patch
   ];
   buildInputs = [

pkgs/additional/lemoa/default.nix

@@ -0,0 +1,45 @@
+{ lib
+, fetchFromGitHub
+, gdk-pixbuf
+, glib
+, graphene
+, gtk4
+, libadwaita
+, openssl
+, pango
+, pkg-config
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "lemoa";
+  version = "0.2.0";
+
+  src = fetchFromGitHub {
+    owner = "lemmy-gtk";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-krd/w8YTzqQHZYmU3Pt/lKS7eg8n1N8hfL3Rgl1wGfM=";
+  };
+
+  cargoLock = {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "lemmy_api_common-0.18.0" = "sha256-l4UNO5Obx73nOiVnl6dc+sw2tekDLn2ixTs1GwqdE8I=";
+    };
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    gtk4
+    libadwaita
+    openssl
+  ];
+
+  meta = with lib; {
+    description = "Native Gtk client for Lemmy";
+    homepage = "https://github.com/lemmy-gtk/lemoa";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ colinsane ];
+  };
+}

pkgs/additional/linux-megous/default.nix

@@ -18,6 +18,7 @@ let
   # - grab VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION from Makefile.
   # - megi publishes release notes as the most recent commit on any stable branch, so just `git log`.
   # - orange-pi is listed as the "main integration branch".
+  #   - this suggests it's NOT a stable branch, only `orange-pi-X.YY-YYYYMMDD-NNNN` branches are "formal" releases
   #   - specific branches like `pp` (pinephone) are dev branches, and probably less stable.
   rev = "orange-pi-6.4-20230619-0323";
   hash = "sha256-il32UQM/8Fc7VHft3+M4TLMxk5+h28C9Suu1kRdZj2M=";

pkgs/additional/sane-scripts/default.nix

@@ -30,7 +30,7 @@ let
     };
   };
 
-  nix-shell-scripts = {
+  sane-bin = {
     # anything added to this attrset gets symlink-joined into `sane-scripts`
     # and is made available through `sane-scripts.passthru`
     backup-ls = static-nix-shell.mkBash {
@@ -228,8 +228,8 @@ let
 in
 symlinkJoin {
   name = "sane-scripts";
-  paths = lib.attrValues nix-shell-scripts;
-  passthru = nix-shell-scripts // {
+  paths = lib.attrValues sane-bin;
+  passthru = sane-bin // {
     lib = sane-lib;
   };
   meta = {

pkgs/additional/sane-scripts/src/sane-wipe-browser

@@ -4,6 +4,8 @@
 rm -rf \
   ~/.librewolf/default/* \
   ~/.cache/librewolf/* \
+  ~/.mozilla/* \
+  ~/.cache/mozilla/firefox/* \
   ~/.config/chromium \
   ~/.cache/chromium \
   || true  # in case no matches

pkgs/additional/sxmo-utils/0005-system-audio.patch

@@ -0,0 +1,21 @@
+diff --git a/configs/default_hooks/sxmo_hook_start.sh b/configs/default_hooks/sxmo_hook_start.sh
+index 194814d..beb9232 100755
+--- a/configs/default_hooks/sxmo_hook_start.sh
++++ b/configs/default_hooks/sxmo_hook_start.sh
+@@ -16,16 +16,6 @@ while ! superctl status > /dev/null 2>&1; do
+ 	sleep 0.5
+ done
+ 
+-# Load our sound daemons
+-
+-if [ "$(command -v pulseaudio)" ]; then
+-	superctl start pulseaudio
+-elif [ "$(command -v pipewire)" ]; then
+-	# pipewire-pulse will start pipewire
+-	superctl start pipewire-pulse
+-	superctl start wireplumber
+-fi
+-
+ # Periodically update some status bar components
+ sxmo_hook_statusbar.sh all
+ sxmo_daemons.sh start statusbar_periodics sxmo_run_aligned.sh 60 \

pkgs/additional/sxmo-utils/0006-block-suspend-any-mpris.patch

@@ -0,0 +1,13 @@
+diff --git a/configs/default_hooks/sxmo_hook_block_suspend.sh b/configs/default_hooks/sxmo_hook_block_suspend.sh
+index f394575..873b7b2 100755
+--- a/configs/default_hooks/sxmo_hook_block_suspend.sh
++++ b/configs/default_hooks/sxmo_hook_block_suspend.sh
+@@ -68,7 +68,7 @@ playing_mpc() {
+ }
+ 
+ playing_mpris() {
+-	command -v playerctl && [ "$(playerctl status)" = "Playing" ]
++	command -v playerctl && playerctl --all-players status | grep -q "Playing"
+ }
+ 
+ photos_processing() {

pkgs/additional/sxmo-utils/0105-more-apps.patch

@@ -0,0 +1,54 @@
+diff --git a/configs/default_hooks/sxmo_hook_apps.sh b/configs/default_hooks/sxmo_hook_apps.sh
+index ba70a31..9f5a129 100755
+--- a/configs/default_hooks/sxmo_hook_apps.sh
++++ b/configs/default_hooks/sxmo_hook_apps.sh
+@@ -31,6 +31,7 @@ write_line_app audacity "$icon_mic Audacity" "audacity"
+ write_line_app gnome-calculator "$icon_clc Calculator" "gnome-calculator"
+ write_line_app calcurse "$icon_clk Calcurse" "sxmo_terminal.sh calcurse"
+ write_line_app cmus "$icon_mus Cmus" "sxmo_terminal.sh cmus"
++write_line_app cozy "$icon_mus Cozy" "com.github.geigi.cozy"
+ write_line_app dino "$icon_msg Dino" "GDK_SCALE=1 dino"
+ write_line_app dolphin "$icon_dir Dolphin" "dolphin"
+ write_line_app emacs "$icon_edt Emacs (Terminal)" "sxmo_terminal.sh emacs -nw"
+@@ -54,19 +55,25 @@ write_line_app giara "$icon_red Giara" "giara"
+ write_line_app gnome-chess "$icon_chs Gnome Chess" "gnome-chess"
+ write_line_app gomuks "$icon_msg Gomuks" "sxmo_terminal.sh gomuks"
+ write_line_app gpodder "$icon_rss gPodder" "gpodder"
++write_line_app gthumb "$icon_img gThumb" "gthumb"
+ write_line_app gucharmap "$icon_inf Gucharmap" "gucharmap"
+ write_line_app hexchat "$icon_msg Hexchat" "hexchat"
+ write_line_app htop "$icon_cfg Htop" "sxmo_terminal.sh htop"
+ write_line_app irssi "$icon_msg Irssi" "sxmo_terminal.sh irssi"
+ write_line_app ii "$icon_msg Ii" "sxmo_terminal.sh ii"
+ write_line_app ipython "$icon_trm IPython" "sxmo_terminal.sh ipython"
++write_line_app jellyfinmediaplayer "$icon_mvi Jellyfin" "jellyfinmediaplayer"
+ write_line_app kasts "$icon_rss Kasts" "kasts"
+ write_line_app kmail "$icon_eml KMail" "kmail"
++write_line_app komikku "$icon_bok Komikku" "komikku"
+ write_line_app kontact "$icon_msg Kontact" "kontact"
+ write_line_app konversation "$icon_msg Konversation" "konversation"
++write_line_app koreader "$icon_bok KOReader" "koreader"
+ write_line_app kwrite "$icon_edt Kwrite" "kwrite"
+ write_line_app lagrange "$icon_glb Lagrange" "lagrange"
++write_line_app lemoa "$icon_grp Lemoa" "lemoa"
+ write_line_app lf "$icon_dir Lf" "sxmo_terminal.sh lf"
++write_line_app librewolf "$icon_glb Librewolf" "librewolf"
+ write_line_app lollypop "$icon_mus Lollypop" "lollypop"
+ write_line_app luakit "$icon_glb Luakit" "luakit"
+ write_line_app marble "$icon_map Marble" "marble"
+@@ -97,6 +104,7 @@ write_line_app senpai "$icon_msg Senpai" "sxmo_terminal.sh senpai"
+ write_line_app sic "$icon_msg Sic" "sxmo_terminal.sh sic"
+ ([ "$SXMO_WM" = dwm ] && command -v st >/dev/null) && \
+ 	write_line "$icon_trm St" "st -e $SHELL"
++write_line_app sublime-music "$icon_mus Sublime Music" "sublime-music"
+ write_line_app surf "$icon_glb Surf" "surf"
+ write_line_app syncthing "$icon_rld Syncthing" "syncthing"
+ write_line_app telegram-desktop "$icon_tgm Telegram" "telegram-desktop"
+@@ -105,6 +113,7 @@ write_line_app thunar "$icon_dir Thunar" "sxmo_terminal.sh thunar"
+ write_line_app thunderbird "$icon_eml Thunderbird" "thunderbird"
+ write_line_app com.github.bleakgrey.tootle "$icon_msg Tootle" "com.github.bleakgrey.tootle"
+ write_line_app totem "$icon_mvi Totem" "totem"
++write_line_app dev.geopjr.Tuba "$icon_grp Tuba" "dev.geopjr.Tuba"
+ write_line_app tuir "$icon_red Tuir" "sxmo_terminal.sh tuir"
+ write_line_app tut "$icon_msg Tut" "sxmo_terminal.sh tut"
+ write_line_app waydroid "$icon_and Waydroid" "waydroid show-full-ui"

pkgs/additional/sxmo-utils/0106-configurable-auto-screenoff.patch

@@ -0,0 +1,13 @@
+diff --git a/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh b/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
+index c9c4263..4c0fccf 100755
+--- a/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
++++ b/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
+@@ -37,7 +37,7 @@ sxmo_daemons.sh stop periodic_wakelock_check
+ # Go to screenoff after 8 seconds of inactivity
+ if ! [ -e "$XDG_CACHE_HOME/sxmo/sxmo.noidle" ]; then
+ 	sxmo_daemons.sh start idle_locker sxmo_idle.sh -w \
+-		timeout 8 "sxmo_hook_screenoff.sh"
++		timeout "${SXMO_LOCK_IDLE_TIME:-8}" "sxmo_hook_screenoff.sh"
+ fi
+ 
+ wait

pkgs/additional/sxmo-utils/customization/configs/default_hooks/sxmo_hook_start.sh

@@ -1,57 +0,0 @@
-#!/bin/sh
-
-# include common definitions
-# shellcheck source=scripts/core/sxmo_common.sh
-. sxmo_common.sh
-
-# Create xdg user directories, such as ~/Pictures
-xdg-user-dirs-update
-
-sxmo_daemons.sh start daemon_manager superd -v
-
-# let time to superd to start correctly
-while ! superctl status > /dev/null 2>&1; do
-	sleep 0.5
-done
-
-# Periodically update some status bar components
-sxmo_hook_statusbar.sh all
-sxmo_daemons.sh start statusbar_periodics sxmo_run_aligned.sh 60 \
-	sxmo_hook_statusbar.sh periodics
-
-# mako/dunst are required for warnings.
-# load some other little things here too.
-superctl start mako
-superctl start sxmo_wob
-superctl start sxmo_menumode_toggler
-superctl start bonsaid
-swaymsg output '*' bg "$SXMO_BG_IMG" fill
-
-# To setup initial lock state
-sxmo_hook_unlock.sh
-
-# Turn on auto-suspend
-if [ -w "/sys/power/wakeup_count" ] && [ -f "/sys/power/wake_lock" ]; then
-	superctl start sxmo_autosuspend
-fi
-
-# Turn on lisgd
-superctl start sxmo_hook_lisgd
-
-# Start the desktop widget (e.g. clock)
-superctl start sxmo_conky
-
-# Monitor the battery
-superctl start sxmo_battery_monitor
-
-# It watch network changes and update the status bar icon by example
-superctl start sxmo_networkmonitor
-
-# The daemon that display notifications popup messages
-superctl start sxmo_notificationmonitor
-
-# monitor for headphone for statusbar
-superctl start sxmo_soundmonitor
-
-# rotate UI based on physical display angle by default
-sxmo_daemons.sh start autorotate sxmo_autorotate.sh

pkgs/additional/sxmo-utils/default.nix

@@ -1,11 +1,74 @@
 { stdenv
+, bc
+, bemenu
+, bonsai
+, conky
+, dbus
 , fetchgit
 , gitUpdater
+, gnugrep
+, gojq
+, inotify-tools
+, j4-dmenu-desktop
+, jq
 , lib
+, libnotify
+, lisgd
+, makeWrapper
+, mako
+, mepo
+, modemmanager
+, nettools
+, playerctl
+, procps
+, pulseaudio
 , rsync
 , scdoc
+, sfeed
+, superd
+, sway
+, swayidle
+, wob
+, wvkbd
+, xdg-user-dirs
+, xdotool
 }:
 
+let
+  # anything which any sxmo script or default hook in this package might invoke
+  runtimeDeps = [
+    bc
+    bemenu
+    bonsai
+    conky
+    dbus
+    # dmenu  # or dmenu-wayland? only used on x11?
+    gnugrep
+    gojq
+    inotify-tools
+    j4-dmenu-desktop
+    jq
+    libnotify
+    lisgd
+    mako
+    mepo  # mepo_ui_central_menu.sh
+    modemmanager  # mmcli
+    nettools  # netstat
+    playerctl
+    procps  # pgrep
+    pulseaudio  # pactl
+    sfeed
+    superd
+    sway
+    swayidle
+    wob
+    wvkbd
+    xdg-user-dirs
+
+    # X11 only?
+    xdotool
+  ];
+in
 stdenv.mkDerivation rec {
   pname = "sxmo-utils";
   version = "1.14.2";
@@ -18,13 +81,18 @@ stdenv.mkDerivation rec {
 
   patches = [
     # needed for basic use:
-    ./0001-group-differs-from-user.patch
-    ./0002-ensure-log-dir.patch
+    ./0001-group-differs-from-user.patch  # proposed upstream: <https://lists.sr.ht/~mil/sxmo-devel/patches/42309>
+    ./0002-ensure-log-dir.patch  # proposed upstream: <https://lists.sr.ht/~mil/sxmo-devel/patches/42309>
     ./0003-fix-xkb-paths.patch
     ./0004-no-busybox.patch
+    # wanted to fix/silence some non-fatal errors
+    ./0005-system-audio.patch
+    ./0006-block-suspend-any-mpris.patch
 
-    # personal preferences:
+    # personal (but upstreamable) preferences:
     ./0104-full-auto-rotate.patch
+    ./0105-more-apps.patch
+    ./0106-configurable-auto-screenoff.patch
   ];
 
   postPatch = ''
@@ -32,15 +100,10 @@ stdenv.mkDerivation rec {
     sed -i "s@/etc/profile\.d/sxmo_init.sh@$out/etc/profile.d/sxmo_init.sh@" scripts/core/*.sh
     sed -i "s@/usr/bin/@@g" scripts/core/sxmo_version.sh
     sed -i 's:ExecStart=/usr/bin/:ExecStart=/usr/bin/env :' configs/superd/services/*.service
-
-    # apply customizations
-    # - xkb_mobile_normal_buttons:
-    #   - on devices where volume is part of the primary keyboard (e.g. thinkpad), we want to avoid overwriting the default map
-    #   - this provided map is the en_US 105 key map
-    ${rsync}/bin/rsync -rlv ${./customization}/ ./
   '';
 
   nativeBuildInputs = [
+    makeWrapper
     scdoc
   ];
 
@@ -50,6 +113,29 @@ stdenv.mkDerivation rec {
     "PREFIX="
   ];
 
+  # we don't wrap sxmo_common.sh or sxmo_init.sh
+  # which is unfortunate, for non-sxmo-utils files that might source though.
+  # if that's a problem, could inject a PATH=... line into them with sed.
+  postInstall = ''
+    for f in \
+      $out/bin/*.sh \
+      $out/share/sxmo/default_hooks/desktop/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/one_button_e_reader/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/three_button_touchscreen/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/sxmo_hook_*.sh \
+    ; do
+      case $(basename $f) in
+        (sxmo_common.sh|sxmo_deviceprofile_*.sh|sxmo_hook_icons.sh|sxmo_init.sh)
+          # these are sourced by other scripts: don't wrap them else the `exec` in the wrapper breaks the outer script
+        ;;
+        (*)
+          wrapProgram "$f" \
+            --prefix PATH : "${lib.makeBinPath runtimeDeps}"
+        ;;
+      esac
+    done
+  '';
+
   passthru = {
     providedSessions = [ "sxmo" "swmo" ];
     updateScript = gitUpdater { };

pkgs/additional/xdg-terminal-exec/default.nix

@@ -0,0 +1,2 @@
+{ writeShellScriptBin }:
+writeShellScriptBin "xdg-terminal-exec" (builtins.readFile ./xdg-terminal-exec)

pkgs/additional/xdg-terminal-exec/xdg-terminal-exec

@@ -0,0 +1,39 @@
+#!/bin/sh
+# xdg-terminal-exec is a proposed XDG extension, with example implementation:
+# - <https://github.com/Vladimir-csp/xdg-terminal-exec>
+#
+# its purpose is to allow any program which needs to launch a terminal to do so
+# in a manner which respects user preferences.
+# it aims to be `xdg-open`, but for opening a terminal.
+#
+# a notable user is glib/gio: <repo:gnome/glib:gio/gdesktopappinfo.c>
+# and by extension, Firefox
+#
+# it's not actually packaged for NixOS, nor Alpine, as of 2023/06/29.
+# this script is just a hackier version. it lets me insert my preferences
+
+termargs="$@"
+
+try_term() {
+  if command -v "$1" > /dev/null
+  then
+    exec "$1" $termargs
+  fi
+}
+
+# user preference
+if [ -n "$TERMINAL" ]
+then
+  exec "$TERMINAL" $termargs
+fi
+
+# hardcoded checks, imprecise order
+try_term kitty
+try_term alacritty
+try_term foot
+try_term st
+try_term gnome-terminal
+try_term konsole
+
+# fallback to default
+exec xterm "$termargs"

pkgs/default.nix

@@ -10,8 +10,9 @@ let
   lib = pkgs.lib;
   unpatched = pkgs;
 
-  pythonPackagesOverlay = py-final: py-prev: import ./python-packages {
+  pythonPackagesOverlayFor = pkgs: py-final: py-prev: import ./python-packages {
     inherit (py-final) callPackage;
+    inherit pkgs;
   };
   final' = if final != null then final else pkgs.appendOverlays [(_: _: sane)];
   sane = with final'; {
@@ -25,11 +26,12 @@ let
     browserpass-extension = callPackage ./additional/browserpass-extension { };
     cargoDocsetHook = callPackage ./additional/cargo-docset/hook.nix { };
     feeds = lib.recurseIntoAttrs (callPackage ./additional/feeds { });
+    lemoa = callPackage ./additional/lemoa { };
     jellyfin-media-player-qt6 = callPackage ./additional/jellyfin-media-player-qt6 { };
     gopass-native-messaging-host = callPackage ./additional/gopass-native-messaging-host { };
     gpodder-adaptive = callPackage ./additional/gpodder-adaptive { };
     gpodder-adaptive-configured = callPackage ./additional/gpodder-configured {
-      gpodder = final.gpodder-adaptive;
+      gpodder = final'.gpodder-adaptive;
     };
     gpodder-configured = callPackage ./additional/gpodder-configured { };
     hare-ev = unpatched.hare-ev or (callPackage ./additional/hare-ev { });
@@ -38,12 +40,14 @@ let
     linux-megous = callPackage ./additional/linux-megous { };
     mx-sanebot = callPackage ./additional/mx-sanebot { };
     rtl8723cs-firmware = callPackage ./additional/rtl8723cs-firmware { };
+    # TODO: use `recurseIntoAttrs` ?
     sane-scripts = callPackage ./additional/sane-scripts { };
     static-nix-shell = callPackage ./additional/static-nix-shell { };
     sublime-music-mobile = callPackage ./additional/sublime-music-mobile { };
     sxmo-utils = callPackage ./additional/sxmo-utils { };
     tow-boot-pinephone = callPackage ./additional/tow-boot-pinephone { };
     unftp = callPackage ./additional/unftp { };
+    xdg-terminal-exec = callPackage ./additional/xdg-terminal-exec { };
     zecwallet-light-cli = callPackage ./additional/zecwallet-light-cli { };
 
     # packages i haven't used for a while, may or may not still work
@@ -61,7 +65,6 @@ let
 
     # provided by nixpkgs patch or upstream PR
     # i still conditionally callPackage these to make them available to external consumers (like NUR)
-    cargo-docset = unpatched.cargo-docset or (callPackage ./additional/cargo-docset { });
     splatmoji = unpatched.splatmoji or (callPackage ./additional/splatmoji { });
 
 
@@ -103,12 +106,12 @@ let
 
     ### PYTHON PACKAGES
     pythonPackagesExtensions = (unpatched.pythonPackagesExtensions or []) ++ [
-      pythonPackagesOverlay
+      (pythonPackagesOverlayFor final')
     ];
     # when this scope's applied as an overlay pythonPackagesExtensions is propagated as desired.
     # but when freestanding (e.g. NUR), it never gets plumbed into the outer pkgs, so we have to do that explicitly.
     python3 = unpatched.python3.override {
-      packageOverrides = pythonPackagesOverlay;
+      packageOverrides = pythonPackagesOverlayFor final';
     };
   };
 in sane

pkgs/patched/lemmy-server/default.nix

@@ -3,7 +3,7 @@
 lemmy-server.overrideAttrs (upstream: {
   patches = upstream.patches or [] ++ [
     # "thread 'main' panicked at 'Couldn't run DB Migrations: Failed to run 2022-07-07-182650_comment_ltrees with: permission denied: "RI_ConstraintTrigger_a_647340" is a system trigger', crates/db_schema/src/utils.rs:165:25"
-    ./fix-db-migrations.patch
+    # ./fix-db-migrations.patch  #< upstreamed as of 2023/06/28
     # log the database connection events, for debugging
     # ./log-startup.patch
     # print more debug info about specific problem paths i've encountered

pkgs/python-packages/default.nix

@@ -1,5 +1,5 @@
-{ callPackage }:
+{ callPackage, pkgs }:
 {
   feedsearch-crawler = callPackage ./feedsearch-crawler { };
-  sane-lib = (callPackage ../additional/sane-scripts { }).lib;
+  sane-lib = pkgs.sane-scripts.lib;
 }

secrets/common/aerc_accounts.conf.bin

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:Uh/nvEjCjFKOjwAfmIbJ+PDvwLaPe2kIBES5XzAgxmjvWN2EGUu5f87E6hakmfRSYb8UWf5HlhlGsxj81eucLyzmyw3a3UNzE0UAFW6ozjNRDwDbqXyBj2hQoHKtixLJNzlDjhTdgQMRKZW7GVqly8EThLQDC7s2tDZ0snz+DTEH3JTSUKKAnHfjc+YC6Xp7hQ3g/hmhoIoQyteeYjbWnFAAY7UaIYXde17jvp2N8iNtLaaLM9NNrNHS3OD66L7KXW1otk1+LYNAVRiQOENVwqlF5UGBlFpp2P0Lrv7/EwJjZQxfFD08pOhb+8O5yal60K69+BpAQx4nnQOmpg6NSXeWyaJ0WzD8C6fZFCimWCAKUn2vKtUKjOHJp2bUop696gUkdodEtub9KK/Wa93J8BRp2tYKpNm46+/dv8fiRYJ6HohdoHUyhpJ+uwLFgwpIBcEXIXZGA4YMpo/pskZriuuYrXRWdIE3K2JxtGY3PDM2pufWa+7tp2o6hKAQod8dJKi5Wwe5yNIIV8g/x1gOJQCfPt4JAE8srE73QdLkrXPon3opbYyL4xHEtuA8W7gjpwqZP9A+3KzdsCt/,iv:wUMwP3pfmcuyd5smntbeDmS/c6RYFQl3dhnEIfFIMM8=,tag:k0V/XbERPrpgF9rhxhgMkA==,type:str]",
+	"data": "ENC[AES256_GCM,data:8rWe9S+2tIii7eFUzvBbZOwS+b8GlDlc9RL4syHc9rGe4LQpFKeTPKG0sFMvtzZuN6B4PGUivwaWmRfqD6rPlaM1GhkaKjFUZ8+kPVo8XS/M0WcOLwM5JlqP6sHAMb++XuF/LHPDF8m6WJ+LBaBhwd05ssvAwQhH6IkEnN7nFGnbK0U8lV+rM8mZLFUZHLwamWO298XdXufeTmUoR4ciZd3xXIS+En2phnZcjbkPAMGEuMgErD8CvhSZQY6R1MfdToUO7Hh7I8s8tD9G3HAyZdIND3hM5NQHA+vjzEjMCD3C1xUly1nsBC0uZHbJVoHpUqc0b7jrMZKY6z3zdetPuHYPA0tyXWZ287njYdxYYhaWLz2BrtZMgj6PtiNDAbzyhrWV0x8SUmCj4QKbov1lar3D0NyS0WTY5kYUnsNWKs8ZKxrE01zR2vEA34ztn84Q2czKNwISf3hIbskX29lpy2pB7EPeKxMQ/BVLShD3/vzs/8fiJPZLGVJw2c9hbKMpnhMPW7G7OifoMjUIHXURp3ljj1Mtk2ukRyy65OPe+edUxgp1yAiWdP0kb3fCajgtALhFFhQ1xQ==,iv:o1Ba9vleFSbMfHFzNKqO2cLUZY1Bc/tWZvsjhsknWXc=,tag:b4Rwk4FY1iX2+ycXCbIeaA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -39,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWU0xDUFRJZXVocGwreEVo\nSVFqRWpLSktBaFpoTXYvMTNYMHEzZjRraTI0CmoyN2pHL003TnBUdnFpSE1NdnJZ\nd0k3Q1ZvaXk3aWZtNEo2dWpTU1N5Y1EKLS0tIHdRNklxOWI4YytWcC9NSVVxTkhn\nTnZ5SzZaMnV5Rms5Q2NrZFkrSGRtT1UK/yBKQzkC+HQveQJtAJ+qulDCxjEhwJ1/\nSqEojNY/OV8q7YSR+PNJBsllQYS64z72hCyPpkQ67v5C2Xk5LCd+PQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2022-06-21T07:13:52Z",
-		"mac": "ENC[AES256_GCM,data:AXFeOZhnpYOytxhU7ISGMikngd7dJbRzYJyu7mEFBPNTW77/1Bl6UwTz6Xy7HtLwX/vlH6eWELScfOUkFMkdxe2Tm8X0/ojB5k0uizpCjD6lQB4LjeMCnUfvA7cRIzTQSycc81VJ9AK0X+Ad+82KzMqQgKJOhFJjlJSColhOfwc=,iv:KXgdQ2547x//u4826q/y339X5TaWFmW4ayAThHTsGTY=,tag:k8N9Bic9d070ed6839mE2g==,type:str]",
+		"lastmodified": "2023-06-30T11:08:58Z",
+		"mac": "ENC[AES256_GCM,data:uEUEMmW533dr3/lzd185fQ4zX3FzRSmaPJW1t4Ys97j1ddKspL40HiBHYw+pb+4QZHz41zBlL6ylDewmW2xX7vm2C+qHGKzAC+J90C6zfsxdgBDT96aWXAY58kkw1BUZjw371ICOlBSAwiBOzMo+/oH5vVMTASyTSF7haUtZFJw=,iv:gfO5OZKSBa4yaRuWrKbnES5l7i0B9Jogv5UGpaHRuMA=,tag:7QE/YeOR+Yp/TjcqkaCdhg==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"

secrets/common/msmtp_password.txt.bin

@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:YyO7oLY57w2k0wkyLH88VHuBew==,iv:Q6rNypn3vmuYy/g9DQ0oY9WYU7j5j3XHNp5v1whOaSE=,tag:hSlLQBuH2EpzujMS/HPAJw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcEdPbGJ6RWFZYUVKRUtZ\ncDFYQUxEYWhIYUtxQ1FFZmtrbWdSTU5GM3g4ClFXdE1GQTZiM0ttZTlMVlQ3bVpt\nY2w4blVpRFppclp5WFlSWnNzRm5JT1EKLS0tIFFvZUdqUHE4VGVOR0RxR3BUQnJo\nVngrVlVtTHhCd1NML3ZpeC9XdHU4c3MKDXdy69z+LjN4qpVyoGDdCxFJBrJpNYY5\nr7eD0LXGxQ7Z5/YemPzc2FJQ+IUkxnwB1z7o0hYGQIrvX0TvpjlHig==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUEZCdmdmZHJmUjhUTUV1\nZnFBQzl2M29MY2tKcnRyeGhNYUZlSEEyT0ZnCjRuMGgzZWtYQWZaZGpYWlJHMHVo\nNi9WU1grK01lVGZkdGZENU5XOTBCbWMKLS0tIFN5SkNhbXZTZDEwbE84T1Z6M0RS\nQmhlbHQwN2ZzSXR5Q1ZsbHBvOUdiZ2cKSTLrKPM0TELStaqGZ7PvTyQeotREzYll\nbVNpxfpHadfOYTu0Qn2d/H8haY58hYia6tzKrMFRrnxl8r5fnk4jeg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMjV5WjI2YmYzdWNtU1Fw\ndVNlUFZQYmVmallCNFYvOWxxdHVZRjgzWWxRCmovenJqL2JpRHMxYkZXS2RBcUtL\nWmRndFZuaW5WMFlGSWgrVFZuaDJid0UKLS0tIDVpaGZhVmFSYVkrQzlSeGFxQkFQ\nMklCNDlndkFTb2l1aU5Pa0FEZ2UveHMKQnm7zJxPNvCw92Jog76nDaDQYUQpSXZ+\nmbIf0daqIu4yQhKlen/I6p4hWvr8a4mvmVqIkwL13MNRS4hzKb3NLg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTEZONjRZa0FvWVcxSkMy\nYjZKaFpxcnBYbFI3SFVzc2Y0cWVEZGlCVHpVCi9tZGFnazVOeHZEZVdnSmUvL2FE\nQnJJbS9KNmtwNElvcWE1WGVQcG1Rd1kKLS0tIFpzQXp2ODBiaWtCbnVtTEZyYlRD\nSU5KTWdJdW5oNUpLQmVIZXM5bGxMK0kKNMTR3OpNL0POPmS9SbMAPFzW33uaz5EJ\nnOTnSlaSe/50bBPiHY9P5UAmNSr6prA86FV4sneGDz9C8yxFGaA0fw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtS3JDY2NpeFpJNi9HZHF5\nVkViTkJvdUsyTmVEMUN2UVFBQ0dybUFLY1UwCnl1L1RTdGlkYlhSTEQ3N0xYQzBj\nV3lTRGFyVzgwWDhJTXMweVhsWm1nQUUKLS0tIEErL1k5QmpkektkNm1ocjJ0Mlg5\nakpySVdjQ1c4Y05PUi9uYTR5V3p1bU0KCM7XHKnwS356DuKE/P0uOXO4Yu6Eyi58\nDtmgsaojXMnD9+dIP0Y1+2BY6L/uXizEakdfLTaGJcELq2sZX9Qmdw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiK24zS0h0Q1FEZDBKM2t3\nUHdlWXpaYzNQQzQrN0NPUXVVdWo5dmY4dVZrCktNRXNvVDZpejIxT2FvZmlHWlRU\nWmRZb1N1VFJ0ampRRVhuZGJIQU9pL0UKLS0tIEFXZk1zLzh1NFFKQnF5RzVSM2J1\ndlRXYnFUTFVDS1pybjRzNWkyaUlyQmcKysTv+9YJ7E+KBBtzlAlilZlkGg94nWGE\nE773pduaDN12ojMfc+JPdOU5oTISZk4/QvBL+kmAQI8AlmSap9Ix4w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhciswMkkrRDVBZmdSeml4\nTkhHeUh6UkVUb2tielkydmh5U0NmaGVWUEFVCndra0ZLeHYwaS9lMHladzVybWNX\nL1hsYlFPTzJCMElJZ2hWVGcyYTdCZkkKLS0tIHI0b3lyaldqNS9WT3BZUjVKMmZu\nZzBmakRFeHFxT0RMWCtONVIwV0VpT28KizkDpls5SVyypJY7aUF4v1DGdVLTMLLM\n2efp7mQB5YYvjKzXCiG+hYRWSbIS/5sHtE40ofmcCPijj7jY3wegUA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNHlhMkpscUJzdk5JMXVI\naGpjdEYxV3BvdFd5bjJLaUNQVndRWERkOXk4CnU5NW9aS0NNVEM4b2xvemtEc05V\nT3h4UjNOZ3F3ZW9VclQvOTNtcER0dU0KLS0tIGN5WisxWHBNQk9sYWlDbUp2eE8z\nR2RweVR4ZEo2ek45N0UwQWM1eVBFdUkK4e2noR5Xn8evKxh7GbAi7szT8uXBfn8K\nqgWlCWkUusUanRqJkmdi0y3zJxjtgs5bMU8JSF14hTwWveoIc/Ec+A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-06-30T23:57:28Z",
+		"mac": "ENC[AES256_GCM,data:ScjOtgbxqhHLf7egk6Dpd46VioYMzOSA5/bPM2JckuSJodxAhE4HIlZuTP5kxOX1Bx2sNSIsgL0NMoXNxVkfHlMWq4PnzhZg9t0tPqXs2+zxIgKaQdXrRmEstlaFEgoEr7nEMcrzILyKefKIBqPisruilPrRiso5n/yf/LKUV+U=,iv:S+Fjf+h+t0VD07LLQdsl6k1VDx7FjvWby4WseeqF2AQ=,tag:6n76tJKS9bciSZy5a2CM+g==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

secrets/desko/README.md

@@ -4,3 +4,5 @@
     - see <https://search.nixos.org/options?channel=unstable&show=users.users.%3Cname%3E.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users>
     - update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow
     - N.B.: you MUST do `sudo passwd colin` instead of just `passwd`, i guess because of immutable users or something
+- guest/authorized_keys.bin
+    - who's allowed to login to the guest account

secrets/desko/guest/authorized_keys.bin

@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:Ny0DzkX975vtS9IY9a0pzmq99RqYquwV8SBDXpDh2dhJo9gW0vbtyvww8zdHN+vtMSL7oriDIORdNa1kpQnppo6mIto0mIh2ZolRRbIySm6ppIrWP+I+P3XMpYH1jwY0RfeHwSHcPXBmL7XFhIdSPu+LwYAfPw9AVzIFDBLMNZUeKpxYqcLtXG0SVDTVzAV1KBrSrFKpz54Rw9rs4dBtj28ZiejGGrI3zBly423vDtuthkMB1R/uI7mxXWVNbufBYwGn97WiVWfu68kL13Q/js3rX4QcO4jccVwf7BYgKV3wSLBACUbl9h9eebxKLNf+UncrWf3wIAywjYYD2ElMMQ0Kn+cjd2FOzuN0E84HMgfFD/EXB010bSUhggwelH4qrmky5DvnS9QtHm4vRAdDfv+5+j98hl+Lcct7h7cKME5RLCZ4OmCo/U7RIjMqgUhSgWCAKVC4uVkhp8WJUH5IETAY8w2CqCN92H9bH0rz7ngdGzlh084vQXLt4hZzZ45cv2wsPUiL2ASy7MQMBcuU2IKKxpHlPMunzbeOD9QpdjOkZLN6m6ySO+7KmwE08LZf4qTiV6JdMpBsuDySJQRCalbHf9gHgdVGnTN9u3NdaHh2gm0Sn6KOxyMktAwmiqLZBbwmKBLtYbyHWTG5qVOP5JIy,iv:hz1CO7t8as7G3oYbHKp412lPqJoUeb+A/Y36g/yAktk=,tag:AkEEapeEAjsFJok42Aq+tw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MU5TbTFMSFlmTG0xK0hi\nQmtialJRV21XbWpuYVJXOWFiVkZMNXkrRERnCkRpK1R2K0p2dzdvV0dUcEpzaFBL\nbWx2WDVRSlNoL0ErOXdqV1lFYU4zVVUKLS0tIFQxZUwyS0JVRVN3aTlEa3JQdTA5\nSjQ3cjhyYitvRkI0dVBoZk41cXAxb0EKmnP7UrqX57nLfD+6FNT29nPqHyk/O9Tg\n7Jut7DD1S9yZu0C4FW/iuNspjV3kVbtZ4B0h2AYBwl1EFEv7mL65Gw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMWF5VnZRQVhLYnREOUV2\nUDJkQWxJSGEweXRNU2xMUEVqb0NOSVlZTjNRCjlMUWxhMmtrODNtbms1VitwbnpZ\nOCtOMnZ1bEtWb1FIVDVEQzRlQS9IbVUKLS0tIEtZL2ZqNHRJNmFXM3BsbnhUbHYw\nQTNKUTZZWFZPUko5TFBZek9MMHBEZlUKyzrEJjTnMcnuyYrVAwb36WDVBRCDKLMe\n5eiKYepLa1+AH93wHAgoAW9kv1pmFfMOLfGhV1CALb2v8yabHmlVMg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByakhjME1WcTU5U241aTdu\nMzg1QlViTUEvcGtBNVFPTHV5ZWNyS3FEVm1BCjFicDFwcDY2N3orQjB0UFd2eEF0\nUVBodnBPSThtbUFUcmxnWG5RWDluNVkKLS0tIHJCWXNxdDdqMlRsY3o5Q2dWVlB2\na3BtQjBzc1MyeTNLcEcyTWFWTytlMjQKs74/B41lR4FXuUomschiy9pgvsO7RKQ6\nVESvelgDNWvB4HikXj0CCC7vWR43X0dggFsxoDaQhU87CI6g3mauNQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-06-29T02:50:40Z",
+		"mac": "ENC[AES256_GCM,data:wNgxe6nBYoT00Sg28VOOzvgoGbcXUvtEfsqx+mxGviSidDrMImvBkOgEs/eKNdXvZyRj2TjKEFBLWLZfqpPCczKQbPUMmAQD8SQjWIBOotiMgKLHfLzC+cGM6uPxcrJruXKJJv8U1QmznV+X+x2uaQjqDvtnGJFwl8X1qHy2uCQ=,iv:KpUPOpS45/K8zONOFoeZUQ7rdPDBJyOGlpjVMCLcdic=,tag:uvBu+bnG2nVO79n8IsMZDQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}