nixpkgs: 2023-06-26 -> 2023-06-27

```
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/6b3d1b1cf13f407fef5e634b224d575eb7211975' (2023-06-26)
  → 'github:nixos/nixpkgs/e18dc963075ed115afb3e312b64643bf8fd4b474' (2023-06-27)
```

TODO.md

@@ -3,6 +3,9 @@
 	- else DNS fails
 
 ## REFACTORING:
+
+- remove unused `overlays/pins.nix`
+
 ### sops/secrets
 - attach secrets to the thing they're used by (sane.programs)
 - rework secrets to leverage `sane.fs`
@@ -19,8 +22,6 @@
 - add updateScripts to all my packages in nixpkgs
 - fix lightdm-mobile-greeter for newer libhandy
 - port zecwallet-lite to a from-source build
-- fix or abandon Whalebird
-- FIX failed CI on bonsai PR: <https://github.com/NixOS/nixpkgs/pull/233892>
 - REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
 - remove `libsForQt5.callPackage` broadly: <https://github.com/NixOS/nixpkgs/issues/180841>
 
@@ -33,10 +34,15 @@
 - have `sane.programs` be wrapped such that they run in a cgroup?
     - at least, only give them access to the portion of the fs they *need*.
     - Android takes approach of giving each app its own user: could hack that in here.
+    - flatpak does this, somehow
+    - apparmor?  SElinux?  (desktop) "portals"?
+    - see Spectrum OS; Alyssa Ross; etc
 - canaries for important services
     - e.g. daily email checks; daily backup checks
+    - integrate `nix check` into Gitea actions?
 
 ### user experience
+- neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
 - firefox/librewolf: don't show browserpass/sponsorblock/metamask "first run" on every boot
 - moby: improve gPodder launch time
 - moby: replace jellyfin-desktop with jellyfin-vue?
@@ -44,16 +50,15 @@
     - "newer" jellyfin client
     - not packaged for nix
 - moby/sxmo: display numerical vol percentage in topbar
-- moby/sxmo: include librewolf, jellyfin in `apps` menu
-- find a nice desktop ActivityPub client
 - package Nix/NixOS docs for Zeal
     - install [doc-browser](https://github.com/qwfy/doc-browser)
     - this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
     - install [devhelp](https://wiki.gnome.org/Apps/Devhelp)  (gnome)
-- auto-mount servo
 - have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
 - `sane.programs`: auto-populate defaults with everything from `pkgs`
-- zsh: disable "command not found" corrections
+- `sane.persist`: auto-create parent dirs in ~/private
+  - currently if the application doesn't autocreate dirs leading to its destination, then ~/private storage fails
+  - this might be why librewolf on mobile is still amnesiac
 - sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
 
 ### perf
@@ -65,13 +70,13 @@
     - these use significant /tmp space.
     - either place /tmp on encrypted-cleared-at-boot storage
         - which probably causes each CPU load for the encryption
+    - or have nix builds use a subdir of /tmp like /tmp/nix/...
+        - and place that on non-encrypted clear-on-boot (with very lax writeback/swappiness to minimize writes)
     - **or set up encrypted swap**
         - encrypted swap could remove the need for my encrypted-cleared-at-boot stuff
 
 
 ## NEW FEATURES:
-- add a FTP-accessible file share to servo
-    - just /var/www?
 - migrate MAME cabinet to nix
     - boot it from PXE from servo?
 - enable IPv6

flake.lock

@@ -1,12 +1,15 @@
 {
   "nodes": {
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1687709756,
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
         "type": "github"
       },
       "original": {
@@ -36,11 +39,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1684319086,
-        "narHash": "sha256-5wwlkWqP1cQUPXp/PJsi09FkgAule5yBghngRZZbUQg=",
+        "lastModified": 1687251388,
+        "narHash": "sha256-E9cVlgeCvzPbA/G3mCDCzz8TdRwXyGYzIjmwcvIfghg=",
         "owner": "edolstra",
         "repo": "nix-serve",
-        "rev": "e6e3d09438e803daa5374ad8edf1271289348456",
+        "rev": "d6df5bd8584f37e22cff627db2fc4058a4aab5ee",
         "type": "github"
       },
       "original": {
@@ -82,11 +85,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1686960236,
-        "narHash": "sha256-AYCC9rXNLpUWzD9hm+askOfpliLEC9kwAo7ITJc4HIw=",
+        "lastModified": 1687898314,
+        "narHash": "sha256-B4BHon3uMXQw8ZdbwxRK1BmxVOGBV4viipKpGaIlGwk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "04af42f3b31dba0ef742d254456dc4c14eedac86",
+        "rev": "e18dc963075ed115afb3e312b64643bf8fd4b474",
         "type": "github"
       },
       "original": {
@@ -113,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1687058111,
-        "narHash": "sha256-xDSn/APfAdJinHV4reTfplX5XnLsJSGdVwHpmdgP9Mo=",
+        "lastModified": 1687398569,
+        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "1634d2da53f079e7f5924efa7a96511cd9596f81",
+        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
         "type": "github"
       },
       "original": {
@@ -126,6 +129,21 @@
         "type": "github"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "uninsane-dot-org": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -134,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1686876043,
-        "narHash": "sha256-71SNPU2aeeJx29JSeW4JCJb8HXAuZRvL7sbh+c3wgkk=",
+        "lastModified": 1687821285,
+        "narHash": "sha256-pw0UYKG8yhW1H3nPgAhVYCzYFXYtamMh2DmF8YhtRec=",
         "ref": "refs/heads/master",
-        "rev": "0e0aa12aca143639f158b3a5c0c00349fcc2166c",
-        "revCount": 199,
+        "rev": "ae27eb61b55b6c6d83c25384fb163df398a80265",
+        "revCount": 201,
         "type": "git",
         "url": "https://git.uninsane.org/colin/uninsane"
       },

flake.nix

@@ -252,7 +252,7 @@
           deployScript = action: pkgs.writeShellScript "deploy-moby" ''
             nixos-rebuild --flake '.#moby' build $@
             sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
-            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby-hn --use-remote-sudo $@
+            nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby --use-remote-sudo $@
           '';
         in {
           update-feeds = {
@@ -276,6 +276,22 @@
             type = "app";
             program = ''${deployScript "switch"}'';
           };
+
+          check-nur = {
+            # `nix run '.#check-nur'`
+            # validates that my repo can be included in the Nix User Repository
+            type = "app";
+            program = builtins.toString (pkgs.writeShellScript "check-nur" ''
+              cd ${./.}/integrations/nur
+              NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
+                --allowed-uris https://static.rust-lang.org \
+                --option restrict-eval true \
+                --option allow-import-from-derivation true \
+                --drv-path --show-trace \
+                -I nixpkgs=$(nix-instantiate --find-file nixpkgs) \
+                -I ../../
+            '');
+          };
         };
 
       templates = {

hosts/by-name/desko/default.nix

@@ -4,6 +4,10 @@
     ./fs.nix
   ];
 
+  # TODO: make sure this plays nice with impermanence
+  services.distccd.enable = true;
+  sane.programs.distcc.enableFor.user.guest = true;
+
   sops.secrets.colin-passwd.neededForUsers = true;
 
   sane.roles.build-machine.enable = true;

hosts/by-name/lappy/polyfill.nix

@@ -1,6 +1,6 @@
 # doesn't actually *enable* anything,
 # but sets up any modules such that if they *were* enabled, they'll act as expected.
-{ ... }:
+{ pkgs, ... }:
 {
   sane.gui.sxmo = {
     greeter = "sway";
@@ -28,5 +28,11 @@
       # see <repo:mil/sxmo-utils:scripts/deviceprofiles>
       # SXMO_DEVICE_NAME = "pine64,pinephone-1.2";
     };
+    package = pkgs.sxmo-utils.overrideAttrs (base: {
+      postPatch = (base.postPatch or "") + ''
+        # after volume-button navigation mode, restore full keyboard functionality
+        cp ${./xkb_mobile_normal_buttons} ./configs/xkb/xkb_mobile_normal_buttons
+      '';
+    });
   };
 }

hosts/by-name/moby/polyfill.nix

@@ -1,4 +1,4 @@
-{ sane-lib, ... }:
+{ pkgs, sane-lib, ... }:
 {
   sane.gui.sxmo = {
     settings = {
@@ -10,8 +10,17 @@
       # N.B. some deviceprofiles explicitly set SXMO_SWAY_SCALE, overwriting what we put here.
       SXMO_SWAY_SCALE = "1.5";
       SXMO_ROTATION_GRAVITY = "12800";
+      SXMO_LOCK_IDLE_TIME = "15";  # how long between screenoff -> lock -> back to screenoff
       DEFAULT_COUNTRY = "US";
       BROWSWER = "librewolf";
     };
+    package = pkgs.sxmo-utils.overrideAttrs (base: {
+      postPatch = (base.postPatch or "") + ''
+        cat <<EOF >> ./configs/default_hooks/sxmo_hook_start.sh
+        # rotate UI based on physical display angle by default
+        sxmo_daemons.sh start autorotate sxmo_autorotate.sh
+        EOF
+      '';
+    });
   };
 }

hosts/by-name/servo/services/matrix/irc.nix

@@ -5,12 +5,11 @@
 { config, lib, ... }:
 
 let
-  ircServer = { name, additionalAddresses ? [], sasl ? true }: let
+  ircServer = { name, additionalAddresses ? [], sasl ? true, port ? 6697 }: let
     lowerName = lib.toLower name;
   in {
     # XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
-    inherit name additionalAddresses sasl;
-    port = 6697;
+    inherit name additionalAddresses sasl port;
     ssl = true;
     botConfig = {
       # bot has no presence in IRC channel; only real Matrix users
@@ -151,6 +150,7 @@ in
         };
         "irc.oftc.net" = ircServer {
           name = "oftc";
+          sasl = false;
           # notable channels:
           # - #sxmo
           # - #sxmo-offtopic

hosts/common/default.nix

@@ -13,7 +13,7 @@
     ./programs
     ./secrets.nix
     ./ssh.nix
-    ./users.nix
+    ./users
     ./vpn.nix
   ];
 
@@ -71,19 +71,6 @@
   # disable non-required packages like nano, perl, rsync, strace
   environment.defaultPackages = [];
 
-  # programs.vim.defaultEditor = true;
-  environment.variables = {
-    EDITOR = "vim";
-    # git claims it should use EDITOR, but it doesn't!
-    GIT_EDITOR = "vim";
-    # TODO: these should be moved to `home.sessionVariables` (home-manager)
-    # Electron apps should use native wayland backend:
-    #   https://nixos.wiki/wiki/Slack#Wayland
-    # Discord under sway crashes with this.
-    # NIXOS_OZONE_WL = "1";
-    # LIBGL_ALWAYS_SOFTWARE = "1";
-  };
-
   # dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
   # find keys/values with `dconf dump /`
   programs.dconf.enable = true;

hosts/common/feeds.nix

@@ -1,3 +1,6 @@
+# where to find good stuff?
+# - podcast rec thread: <https://lemmy.ml/post/1565858>
+#
 # candidates:
 # - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
 #   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
@@ -104,6 +107,8 @@ let
     (fromDb "feeds.megaphone.fm/recodedecode" // tech)
     ## Matrix (chat) Live
     (fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
+    (fromDb "cast.postmarketos.org" // tech)
+    (fromDb "podcast.thelinuxexp.com" // tech)
     ## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
     (fromDb "rss.art19.com/your-welcome" // pol)
     (fromDb "seattlenice.buzzsprout.com" // pol)

hosts/common/programs/assorted.nix

@@ -43,6 +43,7 @@ let
       lsof
       miniupnpc
       nano
+      neovim
       netcat
       nethogs
       nmap
@@ -107,24 +108,24 @@ let
   consolePkgs = {
     inherit (pkgs)
       alsaUtils  # for aplay, speaker-test
-      cdrtools
+      # cdrtools
       clinfo
       dmidecode
       efivar
-      flashrom
+      # flashrom
       fwupd
       gh  # MS GitHub cli
       git  # needed as a user package, for config.
-      gnupg
-      gocryptfs
-      gopass  # TODO: shouldn't be needed here
-      gopass-jsonapi
+      # gnupg
+      # gocryptfs
+      # gopass
+      # gopass-jsonapi
       kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libsecret  # for managing user keyrings
-      lm_sensors  # for sensors-detect
+      libsecret  # for managing user keyrings. TODO: what needs this? lift into the consumer
+      lm_sensors  # for sensors-detect. TODO: what needs this? lift into the consumer
       lshw
       # memtester
-      neovim
+      neovim  # needed as a user package, for swap persistence
       # nettools
       # networkmanager
       nixpkgs-review
@@ -186,6 +187,7 @@ let
       komikku
       koreader
       # lollypop
+      mepo  # maps viewer
       # mpv
       # networkmanagerapplet
       # newsflash
@@ -197,6 +199,7 @@ let
       # sublime-music
       # tdesktop  # broken on phosh
       # tokodon
+      tuba  # mastodon/pleroma client (stores pw in keyring)
       vlc
       # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
       # whalebird

hosts/common/programs/default.nix

@@ -14,6 +14,7 @@
     ./komikku.nix
     ./koreader
     ./libreoffice.nix
+    ./mepo.nix
     ./mpv.nix
     ./neovim.nix
     ./newsflash.nix

hosts/common/programs/git.nix

@@ -11,7 +11,13 @@ in
     user.name = "Colin";
     user.email = "colin@uninsane.org";
 
-    alias.co = "checkout";
+    alias.co      = "checkout";
+    alias.cp      = "cherry-pick";
+    alias.d       = "difftool";
+    alias.difsum  = "diff --compact-summary";  #< show only the list of files which changed, not contents
+    alias.rb      = "rebase";
+    alias.st      = "status";
+    alias.stat    = "status";
 
     # difftastic docs:
     # - <https://difftastic.wilfred.me.uk/git.html>
@@ -22,5 +28,7 @@ in
 
     # render dates as YYYY-MM-DD HH:MM:SS +TZ
     log.date = "iso";
+
+    stash.showPatch = true;
   };
 }

hosts/common/programs/mepo.nix

@@ -0,0 +1,18 @@
+# docs: <https://git.sr.ht/~mil/mepo>
+# irc #mepo:irc.oftc.net
+{ config, lib, ... }:
+
+{
+  sane.programs.mepo = {
+    persist.plaintext = [ ".cache/mepo/tiles" ];
+    # ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
+    persist.private = [ ".cache/mepo/savestate" ];
+  };
+
+  programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
+    # enable location services (via geoclue)
+    enable = true;
+    # more precise, via gpsd ("may require additional config")
+    # programs.mepo.gpsd.enable = true
+  };
+}

hosts/common/programs/neovim.nix

@@ -5,30 +5,11 @@ let
   inherit (lib) concatMapStrings mkIf optionalString;
   # this structure roughly mirrors home-manager's `programs.neovim.plugins` option
   plugins = with pkgs.vimPlugins; [
-    # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
-    # docs: vim-surround: https://github.com/tpope/vim-surround
-    { plugin = vim-surround; }
-    # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
-    { plugin = fzf-vim; }
-    ({
-      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
-      plugin = tex-conceal-vim;
-      type = "viml";
-      config = ''
-        " present prettier fractions
-        let g:tex_conceal_frac=1
-      '';
-    })
-    ({
-      plugin = vim-SyntaxRange;
-      type = "viml";
-      config = ''
-        " enable markdown-style codeblock highlighting for tex code
-        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
-        " autocmd Syntax tex set conceallevel=2
-      '';
-    })
-    ({
+    {
+      # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
+      plugin = fzf-vim;
+    }
+    {
       # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
       # docs: https://github.com/nvim-treesitter/nvim-treesitter
       # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
@@ -64,7 +45,35 @@ let
         vim.o.foldmethod = 'expr'
         vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
       '';
-    })
+    }
+    {
+      # docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
+      plugin = tex-conceal-vim;
+      type = "viml";
+      config = ''
+        " present prettier fractions
+        let g:tex_conceal_frac=1
+      '';
+    }
+    {
+      # source: <https://github.com/LnL7/vim-nix>
+      # fixes auto-indent (incl tab size) when editing .nix files
+      plugin = vim-nix;
+    }
+    {
+      # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
+      # docs: vim-surround: https://github.com/tpope/vim-surround
+      plugin = vim-surround;
+    }
+    {
+      plugin = vim-SyntaxRange;
+      type = "viml";
+      config = ''
+        " enable markdown-style codeblock highlighting for tex code
+        autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
+        " autocmd Syntax tex set conceallevel=2
+      '';
+    }
   ];
   plugin-packages = map (p: p.plugin) plugins;
   plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
@@ -72,7 +81,12 @@ let
 in
 {
   # private because there could be sensitive things in the swap
-  sane.programs.neovim.persist.private = [ ".cache/vim-swap" ];
+  sane.programs.neovim = {
+    persist.private = [ ".cache/vim-swap" ];
+    env.EDITOR = "vim";
+    # git claims it should use EDITOR, but it doesn't!
+    env.GIT_EDITOR = "vim";
+  };
 
   programs.neovim = mkIf config.sane.programs.neovim.enabled {
     # neovim: https://github.com/neovim/neovim

hosts/common/programs/web-browser.nix

@@ -13,17 +13,15 @@ let
   # allow easy switching between firefox and librewolf with `defaultSettings`, below
   librewolfSettings = {
     browser = pkgs.librewolf-unwrapped;
-    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
-    #   # this allows side-loading unsigned addons
-    #   MOZ_REQUIRE_SIGNING = false;
-    # });
+    extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ pkgs.librewolf-pmos-mobile.extraPrefsFiles;
     libName = "librewolf";
     dotDir = ".librewolf";
-    cacheDir = ".cache/librewolf";  # TODO: is it?
+    cacheDir = ".cache/librewolf";
     desktop = "librewolf.desktop";
   };
   firefoxSettings = {
     browser = pkgs.firefox-esr-unwrapped;
+    extraPrefsFiles = pkgs.firefox-pmos-mobile.extraPrefsFiles;
     libName = "firefox";
     dotDir = ".mozilla/firefox";
     cacheDir = ".cache/mozilla";
@@ -47,8 +45,7 @@ let
   package = pkgs.wrapFirefox cfg.browser.browser {
     # inherit the default librewolf.cfg
     # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
-    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
-    inherit (cfg.browser) libName;
+    inherit (cfg.browser) extraPrefsFiles libName;
 
     extraNativeMessagingHosts = optional cfg.addons.browserpass-extension.enable pkgs.browserpass;
     # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
@@ -72,7 +69,10 @@ let
       };
       UserMessaging = {
         ExtensionRecommendations = false;
+        FeatureRecommendations = false;
         SkipOnboarding = true;
+        UrlbarInterventions = false;
+        WhatsNew = false;
       };
 
       # these were taken from Librewolf
@@ -162,8 +162,9 @@ in
         # bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
         # bypass-paywalls-clean.enable = lib.mkDefault true;
 
+        # TODO: give these update scripts, make them reachable via `pkgs`
         ether-metamask = {
-          package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
+          package = addon "ether-metamask" "webextension@metamask.io" "sha256-UI83wUUc33OlQYX+olgujeppoo2D2PAUJ+Wma5mH2O0=";
           enable = lib.mkDefault true;
         };
         i2p-in-private-browsing = {
@@ -175,15 +176,15 @@ in
           enable = lib.mkDefault true;
         };
         sponsorblock = {
-          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
+          package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-b/OTFmhSEUZ/CYrYCE4rHVMQmY+Y78k8jSGMoR8vsZA=";
           enable = lib.mkDefault true;
         };
         ublacklist = {
-          package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
+          package = addon "ublacklist" "@ublacklist" "sha256-NZ2FmgJiYnH7j2Lkn0wOembxaEphmUuUk0Ytmb0rNWo=";
           enable = lib.mkDefault true;
         };
         ublock-origin = {
-          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
+          package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-EGGAA+cLUow/F5luNzFG055rFfd3rEyh8hTaL/23pbM=";
           enable = lib.mkDefault true;
         };
       };
@@ -210,6 +211,7 @@ in
            }
           }
         '';
+        # TODO: this is better suited in `extraPrefs` during `wrapFirefox` call
         fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg".symlink.text = ''
           // if we can't query the revocation status of a SSL cert because the issuer is offline,
           // treat it as unrevoked.

hosts/common/programs/zsh/default.nix

@@ -159,8 +159,8 @@ in
       };
 
       # enable a command-not-found hook to show nix packages that might provide the binary typed.
-      programs.nix-index.enable = true;
-      programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
+      # programs.nix-index.enable = true;
+      # programs.command-not-found.enable = false;  #< mutually exclusive with nix-index
     })
   ];
 }

hosts/common/users.nix

@@ -1,134 +0,0 @@
-{ config, pkgs, lib, sane-lib, ... }:
-
-# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
-with lib;
-let
-  cfg = config.sane.guest;
-  fs = sane-lib.fs;
-in
-{
-  options = {
-    sane.guest.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
-
-  config = {
-    # Users are exactly these specified here;
-    # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
-    users.mutableUsers = false;
-
-    # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
-    users.users.colin = {
-      # sets group to "users" (?)
-      isNormalUser = true;
-      home = "/home/colin";
-      createHome = true;
-      homeMode = "0700";
-      # i don't get exactly what this is, but nixos defaults to this non-deterministically
-      # in /var/lib/nixos/auto-subuid-map and i don't want that.
-      subUidRanges = [
-        { startUid=100000; count=1; }
-      ];
-      group = "users";
-      extraGroups = [
-        "dialout"  # required for modem access (moby)
-        "feedbackd"
-        "input"  # for /dev/input/<xyz>: sxmo
-        "networkmanager"
-        "nixbuild"
-        "transmission"  # servo, to admin /var/lib/uninsane/media
-        "video"  # phosh/mobile. XXX colin: unsure if necessary
-        "wheel"
-        "wireshark"
-      ];
-
-      # initial password is empty, in case anything goes wrong.
-      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
-      initialPassword = lib.mkDefault "";
-      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
-
-      shell = pkgs.zsh;
-
-      # mount encrypted stuff at login
-      # some other nix pam users:
-      # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
-      # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
-      # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
-      pamMount = let
-        priv = config.fileSystems."/home/colin/private";
-      in {
-        fstype = priv.fsType;
-        path = priv.device;
-        mountpoint = priv.mountPoint;
-        options = builtins.concatStringsSep "," priv.options;
-      };
-    };
-
-    security.pam.mount.enable = true;
-
-    sane.users.colin.default = true;
-    # ensure ~ perms are known to sane.fs module.
-    # TODO: this is generic enough to be lifted up into sane.fs itself.
-    sane.fs."/home/colin".dir.acl = {
-      user = "colin";
-      group = config.users.users.colin.group;
-      mode = config.users.users.colin.homeMode;
-    };
-
-    sane.user.persist.plaintext = [
-      "archive"
-      "dev"
-      # TODO: records should be private
-      "records"
-      "ref"
-      "tmp"
-      "use"
-      "Music"
-      "Pictures"
-      "Videos"
-
-      ".cache/nix"
-      ".cache/nix-index"
-
-      # ".cargo"
-      # ".rustup"
-    ];
-
-    # convenience
-    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
-    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
-    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
-    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
-    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
-    sane.user.fs."Pictures/servo-macros" = fs.wantedSymlinkTo "/mnt/servo-media/Pictures/macros";
-
-    # used by password managers, e.g. unix `pass`
-    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
-
-    sane.persist.sys.plaintext = mkIf cfg.enable [
-      # intentionally allow other users to write to the guest folder
-      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
-    ];
-    users.users.guest = mkIf cfg.enable {
-      isNormalUser = true;
-      home = "/home/guest";
-      subUidRanges = [
-        { startUid=200000; count=1; }
-      ];
-      group = "users";
-      initialPassword = lib.mkDefault "";
-      shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = [
-        # TODO: insert pubkeys that should be allowed in
-      ];
-    };
-
-    security.sudo = {
-      enable = true;
-      wheelNeedsPassword = false;
-    };
-  };
-}

hosts/common/users/colin.nix

@@ -0,0 +1,94 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+  users.users.colin = {
+    # sets group to "users" (?)
+    isNormalUser = true;
+    home = "/home/colin";
+    createHome = true;
+    homeMode = "0700";
+    # i don't get exactly what this is, but nixos defaults to this non-deterministically
+    # in /var/lib/nixos/auto-subuid-map and i don't want that.
+    subUidRanges = [
+      { startUid=100000; count=1; }
+    ];
+    group = "users";
+    extraGroups = [
+      "dialout"  # required for modem access (moby)
+      "feedbackd"
+      "input"  # for /dev/input/<xyz>: sxmo
+      "networkmanager"
+      "nixbuild"
+      "transmission"  # servo, to admin /var/lib/uninsane/media
+      "video"  # phosh/mobile. XXX colin: unsure if necessary
+      "wheel"
+      "wireshark"
+    ];
+
+    # initial password is empty, in case anything goes wrong.
+    # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
+    initialPassword = lib.mkDefault "";
+    passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
+
+    shell = pkgs.zsh;
+
+    # mount encrypted stuff at login
+    # some other nix pam users:
+    # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
+    # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
+    # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
+    pamMount = let
+      priv = config.fileSystems."/home/colin/private";
+    in {
+      fstype = priv.fsType;
+      path = priv.device;
+      mountpoint = priv.mountPoint;
+      options = builtins.concatStringsSep "," priv.options;
+    };
+  };
+
+  security.pam.mount.enable = true;
+
+  sane.users.colin = {
+    default = true;
+    # ensure ~ perms are known to sane.fs module.
+    # TODO: this is generic enough to be lifted up into sane.fs itself.
+    fs."/".dir.acl = {
+      user = "colin";
+      group = config.users.users.colin.group;
+      mode = config.users.users.colin.homeMode;
+    };
+
+    persist.plaintext = [
+      "archive"
+      "dev"
+      # TODO: records should be private
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Music"
+      "Pictures"
+      "Videos"
+
+      ".cache/nix"
+      ".cache/nix-index"
+
+      # ".cargo"
+      # ".rustup"
+    ];
+
+    # convenience
+    fs."knowledge".symlink.target = "private/knowledge";
+    fs."nixos".symlink.target = "dev/nixos";
+    fs."Books/servo".symlink.target = "/mnt/servo-media/Books";
+    fs."Videos/servo".symlink.target = "/mnt/servo-media/Videos";
+    fs."Videos/servo-incomplete".symlink.target = "/mnt/servo-media/incomplete";
+    fs."Music/servo".symlink.target = "/mnt/servo-media/Music";
+    fs."Pictures/servo-macros".symlink.target = "/mnt/servo-media/Pictures/macros";
+
+    # used by password managers, e.g. unix `pass`
+    fs.".password-store".symlink.target = "knowledge/secrets/accounts";
+  };
+}

hosts/common/users/default.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, lib, sane-lib, ... }:
+
+{
+  imports = [
+    ./colin.nix
+    ./guest.nix
+  ];
+
+  # Users are exactly these specified here;
+  # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+  users.mutableUsers = false;
+
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+}

hosts/common/users/guest.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.sane.guest;
+in
+{
+  options = with lib; {
+    sane.guest.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+    sane.guest.authorizedKeys = mkOption {
+      default = [];
+      type = types.listOf types.str;
+      description = ''
+      list of "<key-type> <pubkey> <hostname>" keys.
+      e.g.
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko
+      '';
+    };
+  };
+
+  config = {
+    users.users.guest = lib.mkIf cfg.enable {
+      isNormalUser = true;
+      home = "/home/guest";
+      subUidRanges = [
+        { startUid=200000; count=1; }
+      ];
+      group = "users";
+      initialPassword = lib.mkDefault "";
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = cfg.authorizedKeys;
+    };
+
+    sane.persist.sys.plaintext = lib.mkIf cfg.enable [
+      # intentionally allow other users to write to the guest folder
+      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
+    ];
+  };
+}

hosts/modules/gui/sxmo.nix

@@ -63,29 +63,13 @@ in
         "sway" => layered sway greeter. behaves as if you booted to swaylock.
       '';
     };
-    sane.gui.sxmo.hooks = mkOption {
+    sane.gui.sxmo.package = mkOption {
       type = types.package;
-      default = pkgs.runCommand "sxmo-hooks" { } ''
-        mkdir -p $out
-        ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks $out/bin
-      '';
+      default = pkgs.sxmo-utils;
       description = ''
-        hooks to make visible to sxmo.
-        a hook is a script generally of the name sxmo_hook_<thing>.sh
-        which is called by sxmo at key moments to proide user programmability.
-      '';
-    };
-    sane.gui.sxmo.deviceHooks = mkOption {
-      type = types.package;
-      default = pkgs.runCommand "sxmo-device-hooks" { } ''
-        mkdir -p $out
-        ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks/unknown $out/bin
-      '';
-      description = ''
-        device-specific hooks to make visible to sxmo.
-        this package supplies things like `sxmo_hook_inputhandler.sh`.
-        a hook is a script generally of the name sxmo_hook_<thing>.sh
-        which is called by sxmo at key moments to proide user programmability.
+        sxmo base scripts and hooks collection.
+        consider overriding the outputs under /share/sxmo/default_hooks
+        to insert your own user scripts.
       '';
     };
     sane.gui.sxmo.terminal = mkOption {
@@ -170,7 +154,7 @@ in
       security.doas.enable = true;
       security.doas.wheelNeedsPassword = false;
 
-      # TODO: not all of these fonts seem to be mapped to the correct icon
+      # TODO: nerdfonts is 4GB. it accepts an option to ship only some fonts: probably want to use that.
       fonts.fonts = [ pkgs.nerdfonts ];
 
       # sxmo has first-class support only for pulseaudio and alsa -- not pipewire.
@@ -186,40 +170,15 @@ in
       systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
 
       # TODO: could use `displayManager.sessionPackages`?
-      environment.systemPackages = with pkgs; [
-        bc
-        bemenu
-        bonsai
-        conky
-        gojq
-        inotify-tools
-        j4-dmenu-desktop
-        jq
-        libnotify
-        lisgd
-        mako
-        sfeed
-        superd
-        sway
-        swayidle
-        sxmo-utils
-        wob
-        wvkbd
-        xdg-user-dirs
-
-        # X11 only?
-        xdotool
-
-        cfg.deviceHooks
-        cfg.hooks
-      ] ++ lib.optionals (config.services.pipewire.pulse.enable) [ pulseaudio ]  # for pactl
-        ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
+      environment.systemPackages = [
+        cfg.package
+      ] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
         ++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
 
       environment.sessionVariables = {
         XDG_DATA_DIRS = [
           # TODO: only need the share/sxmo directly linked
-          "${pkgs.sxmo-utils}/share"
+          "${cfg.package}/share"
         ];
       } // cfg.settings;
 
@@ -238,7 +197,7 @@ in
         '';
 
         displayManager.sessionPackages = with pkgs; [
-          sxmo-utils  # this gets share/wayland-sessions/swmo.desktop linked
+          cfg.package  # this gets share/wayland-sessions/swmo.desktop linked
         ];
 
         # taken from gui/phosh:
@@ -273,6 +232,15 @@ in
         in "${sway-as-greeter}/bin/sway-as-greeter";
       };
 
+      systemd.services."sxmo-set-permissions" = {
+        description = "configure specific /sys and /dev nodes to be writable by sxmo scripts";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${cfg.package}/bin/sxmo_setpermissions.sh";
+        };
+        wantedBy = [ "display-manager.service" ];
+      };
+
       sane.fs."/var/log/sway" = lib.mkIf (cfg.greeter == "sway") {
         dir.acl.mode = "0777";
         wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
@@ -285,7 +253,7 @@ in
       #   name = "sxmo";
       #   desktopNames = [ "sxmo" ];
       #   start = ''
-      #     ${pkgs.sxmo-utils}/bin/sxmo_xinit.sh &
+      #     ${cfg.package}/bin/sxmo_xinit.sh &
       #     waitPID=$!
       #   '';
       # }];
@@ -295,7 +263,7 @@ in
       #   enable = true;
       #   settings = {
       #     default_session = {
-      #       command = "${pkgs.sxmo-utils}/bin/sxmo_winit.sh";
+      #       command = "${cfg.package}/bin/sxmo_winit.sh";
       #       user = "colin";
       #     };
       #   };

hosts/modules/roles/build-machine.nix

@@ -32,6 +32,11 @@ in
       # serve packages to other machines that ask for them
       sane.services.nixserve.enable = true;
 
+      # each concurrent derivation realization uses a different nix build user.
+      # default is 32 build users, limiting us to that many concurrent jobs.
+      # it's nice to not be limited in that way, so increase this a bit.
+      nix.nrBuildUsers = 64;
+
       # enable cross compilation
       # TODO: do this via stdenv injection, linking into /run/binfmt the stuff in <nixpkgs:nixos/modules/system/boot/binfmt.nix>
       boot.binfmt.emulatedSystems = lib.optionals cfg.emulation [

hosts/modules/roles/dev-machine.nix

@@ -18,7 +18,7 @@ in
     ({
       sane.programs.docsets.config.rustPkgs = [
         # "lemmy-server"
-        "mx-sanebot"
+        # "mx-sanebot"
       ];
     })
     (mkIf cfg {

integrations/nur/default.nix

@@ -22,6 +22,7 @@
 # ^ source: <https://github.com/nix-community/nur-packages-template/blob/master/.github/workflows/build.yml#L63>
 #   N.B.: nur eval allows only PATH (inherited) and NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM="1" (forced),
 #   hence the erasing of NIX_PATH above (to remove external overlays)
+# - or do: `nix run '.#check-nur'` via the toplevel flake.nix in this repo
 #
 # if it validates here but not upstream, likely to do with different `nixpkgs` inputs.
 # - CI logs: <https://github.com/nix-community/NUR/actions/workflows/update.yml>

modules/programs.nix

@@ -110,6 +110,11 @@ let
           the secret will have same owner as the user under which the program is enabled.
         '';
       };
+      env = mkOption {
+        type = types.attrsOf types.str;
+        default = {};
+        description = "environment variables to set when this program is enabled";
+      };
       configOption = mkOption {
         type = types.raw;
         default = mkOption {
@@ -137,10 +142,11 @@ let
       message = ''program "${sug}" referenced by "${name}", but not defined'';
     }) p.suggestedPrograms;
 
-    # conditionally add to system PATH
-    environment.systemPackages = optional
-      (p.package != null && p.enableFor.system)
-      p.package;
+    # conditionally add to system PATH and env
+    environment = lib.optionalAttrs p.enableFor.system {
+      systemPackages = lib.optional (p.package != null) p.package;
+      variables = p.env;
+    };
 
     # conditionally add to user(s) PATH
     users.users = mapAttrs (user: en: {
@@ -196,6 +202,7 @@ in
       take = f: {
         assertions = f.assertions;
         environment.systemPackages = f.environment.systemPackages;
+        environment.variables = f.environment.variables;
         users.users = f.users.users;
         sane.users = f.sane.users;
         sops.secrets = f.sops.secrets;

modules/users.nix

@@ -12,9 +12,13 @@ let
         type = types.attrs;
         default = {};
         description = ''
-          entries to pass onto `sane.fs` after prepending the user's home-dir to the path.
+        entries to pass onto `sane.fs` after prepending the user's home-dir to the path
+        and marking them as wanted.
           e.g. `sane.users.colin.fs."/.config/aerc" = X`
-            => `sane.fs."/home/colin/.config/aerc" = X;
+          => `sane.fs."/home/colin/.config/aerc" = { wantedBy = [ "multi-user.target"]; } // X;
+
+          conventions are similar as to toplevel `sane.fs`. so `sane.users.foo.fs."/"` represents the home directory,
+          whereas every other entry is expected to *not* have a trailing slash.
         '';
       };
 
@@ -55,9 +59,13 @@ let
         name = path-lib.concat [ defn.home path ];
         inherit value;
       });
+      makeWanted = lib.mapAttrs (n: v: {
+        # default if not otherwise provided
+        wantedBeforeBy = [ "multi-user.target" ];
+      } // v);
     in
     {
-      sane.fs = prefixWithHome defn.fs;
+      sane.fs = makeWanted (prefixWithHome defn.fs);
 
       # `byPath` is the actual output here, computed from the other keys.
       sane.persist.sys.byPath = prefixWithHome defn.persist.byPath;

nixpatches/flake.nix

@@ -9,7 +9,7 @@
         name = "nixpkgs-patched-uninsane";
         src = nixpkgs;
         patches = import ./list.nix {
-          inherit (nixpkgs.legacyPackages.${system}) fetchpatch fetchurl;
+          inherit (nixpkgs.legacyPackages.${system}) fetchpatch2 fetchurl;
         };
       };
       patchedFlakeFor = system: import "${patchedPkgsFor system}/flake.nix";

nixpatches/list.nix

@@ -1,4 +1,4 @@
-{ fetchpatch, fetchurl }:
+{ fetchpatch2, fetchurl }:
 let
   fetchpatch' = {
     saneCommit ? null,
@@ -13,13 +13,56 @@ let
       else
         "https://git.uninsane.org/colin/nixpkgs/commit/${saneCommit}.diff"
       ;
-    in fetchpatch (
+    in fetchpatch2 (
       { inherit url; }
       // (if hash != null then { inherit hash; } else {})
       // (if title != null then { name = title; } else {})
     );
 in [
 
+  # (fetchpatch' {
+  #   # XXX: doesn't cleanly apply; fetch `firefox-pmos-mobile` branch from my git instead
+  #   title = "firefox-pmos-mobile: init at -pmos-2.2.0";
+  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/121356";
+  #   hash = "sha256-eDsR1cJC/IMmhJl5wERpTB1VGawcnMw/gck9sI64GtQ=";
+  # })
+
+  # (fetchpatch' {
+  #   saneCommit = "70c12451b783d6310ab90229728d63e8a903c8cb";
+  #   title = "firefox-pmos-mobile: init at -pmos-2.2.0";
+  #   hash = "sha256-mA22g3ZIERVctq8Uk5nuEsS1JprxA+3DvukJMDTOyso=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "ee19a28aa188bb87df836a4edc7b73355b8766eb";
+  #   title = "firefox-pmos-mobile: format the generated policies.nix file";
+  #   hash = "sha256-K8b3QpyVEjajilB5w4F1UHGDRGlmN7i66lP7SwLZpWI=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "c068439c701c160ba15b6ed5abe9cf09b159d584";
+  #   title = "firefox-pmos-mobile: implement an updateScript";
+  #   hash = "sha256-afiGDHbZIVR3kJuWABox2dakyiRb/8EgDr39esqwcEk=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "865c9849a9f7bd048e066c2efd8068ecddd48e33";
+  #   title = "firefox-pmos-mobile: 2.2.0 -> 4.0.2";
+  #   hash = "sha256-WjWSW0qE+cypvUkDRfK7d9Te8m5zQXwF33z8nEhbvrE=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "eb6aae632c55ce7b0a76bca549c09da5e1f7761b";
+  #   title = "firefox-pmos-mobile: refactor and populate `passthru` to aid external consumers";
+  #   hash = "sha256-/LhbwXjC8vuKzIuGQ3/FGplbLllsz57nR5y+PeDjGuA=";
+  # })
+  # (fetchpatch' {
+  #   saneCommit = "c9b90ef1e17ea21ac779a86994e5d9079a2057b9";
+  #   title = "librewolf-pmos-mobile: init";
+  #   hash = "sha256-oQEM3EZfAOmfZzDu9faCqyOFZsdHYGn1mVBgkxt68Zg=";
+  # })
+  (fetchpatch' {
+    saneCommit = "c3becd7cdf144d85d12e2e76663e9549a0536efd";
+    title = "firefox-pmos-mobile: init at 4.0.2";
+    hash = "sha256-NRh2INUMA2K7q8zioqKA7xwoqg7v6sxpuJRpTG5IP1Q=";
+  })
+
   # splatmoji: init at 1.2.0
   (fetchpatch' {
     saneCommit = "75149039b6eaf57d8a92164e90aab20eb5d89196";
@@ -58,13 +101,6 @@ in [
     hash = "sha256-jl6SZwSDhQTlpM5FyGaFU/svwTb1ySdKtvWMgsneq3A=";
   })
 
-  (fetchpatch' {
-    title = "cargo-docset: init at 0.3.1";
-    saneCommit = "5a09e84c6159ce545029483384580708bc04c08f";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/231188";
-    hash = "sha256-Z1HOps3w/WvxAiyUAHWszKqwS9EwA6rf4XfgPGp+2sQ=";
-  })
-
   # (fetchpatch' {
   #   # phoc: 0.25.0 -> 0.27.0
   #   # TODO: move wayland-scanner & glib to nativeBuildInputs
@@ -141,7 +177,7 @@ in [
   ./2023-06-06-jellyfin-no-libsForQt5-callPackage.patch
 
   # pin to a pre-0.17.3 release
-  # removing this and using stock 0.17.3 causes:
+  # removing this and using stock 0.17.3 (also 0.17.4) causes:
   #   INFO lemmy_server::code_migrations: No Local Site found, creating it.
   #   Error: LemmyError { message: None, inner: duplicate key value violates unique constraint "local_site_site_id_key", context: "SpanTrace" }
   # more specifically, lemmy can't find the site because it receives an error from diesel:
@@ -149,7 +185,7 @@ in [
   # this is likely some mis-ordered db migrations
   # or perhaps the whole set of migrations here isn't being running right.
   # related: <https://github.com/NixOS/nixpkgs/issues/236890#issuecomment-1585030861>
-  ./2023-06-10-lemmy-downgrade.patch
+  # ./2023-06-10-lemmy-downgrade.patch
 
   # (fetchpatch' {
   #   title = "gpodder: wrap with missing `xdg-utils` path";
@@ -157,19 +193,31 @@ in [
   #   hash = "sha256-cu8L30ZiUJnWFGRR/SK917TC7TalzpGkurGkUAAxl54=";
   # })
 
-  (fetchpatch' {
-    title = "sequoia: 0.28.0 -> 0.30.1";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/237698";
-    saneCommit = "71f47689d11e09b6ff70cbd4238e386b50d46899";
-    hash = "sha256-cadnRzZ0sjwdSc845zFtgYzLrsPGsZ9ShELibvQWLUU=";
-  })
-
   (fetchpatch' {
     title = "koreader: 2023.04 -> 2023.05.1";
     saneCommit = "a5c471bd263abe93e291239e0078ac4255a94262";
     hash = "sha256-m++Vv/FK7cxONCz6n0MLO3CiKNrRH0ttFmoC1Xmba+A=";
   })
 
+  (fetchpatch' {
+    title = "mepo: 1.1 -> 1.1.2";
+    saneCommit = "eee68d7146a6cd985481cdd8bca52ffb204de423";
+    hash = "sha256-uNerTwyFzivTU+o9bEKmNMFceOmy2AKONfKJWI5qkzo=";
+  })
+
+  (fetchpatch' {
+    title = "spdlog: use fmt 9";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/240270";
+    hash = "sha256-f0QCnrtPN7XwWk0cHSUW7/XlWPFu6XnuoQL6vARYILM=";
+  })
+
+  (fetchpatch' {
+    title = "nmap: lua5_3 -> lua5_4";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/240440";
+    saneCommit = "a2a5c711e7c0ff43143fc58ec08853ec063f35b3";
+    hash = "sha256-YZycbNJfRFD/8bpnS/28ac1x1wWkEhjB3QaGBGAJkUM=";
+  })
+
   # (fetchpatch' {
   #   # N.B.: compiles, but runtime error on launch suggestive of some module not being shipped
   #   title = "matrix-appservice-irc: 0.38.0 -> 1.0.0";

overlays/cross.nix

@@ -83,6 +83,7 @@ in {
     jellyfin-web  # in node-dependencies-jellyfin-web: "node: command not found"  (nodePackages don't cross compile)
     # libgccjit  # "../../gcc-9.5.0/gcc/jit/jit-result.c:52:3: error: 'dlclose' was not declared in this scope"  (needed by emacs!)
     # libsForQt5  # if we emulate qt5, we're better off emulating libsForQt5 else qt complains about multiple versions of qtbase
+    mepo  # /build/source/src/sdlshim.zig:1:20: error: C import failed
     perlInterpreters  # perl5.36.0-Module-Build perl5.36.0-Test-utf8 (see tracking issues ^)
     # qgnomeplatform
     # qtbase
@@ -521,6 +522,11 @@ in {
       # fixes -msse2, -mfpmath=ssh flags AND "Settings schema 'org.gtk.gtk4.Settings.FileChooser' is not installed"
       wrapGAppsHook4 = emulated.wrapGAppsHook4;
     };
+
+    zenity = super.zenity.override {
+      # fixes -msse2, -mfpmath=sse flags
+      wrapGAppsHook4 = final.wrapGAppsHook;
+    };
   });
 
   gnome2 = prev.gnome2.overrideScope' (self: super: {
@@ -739,6 +745,33 @@ in {
   #   callPackage = self.newScope { inherit (self) qtCompatVersion qtModule srcs; inherit (final) stdenv; };
   # });
 
+  # mepo = (prev.mepo.override {
+  #   inherit (emulated)
+  #     stdenv
+  #     SDL2
+  #     SDL2_gfx
+  #     SDL2_image
+  #     SDL2_ttf
+  #     zig
+  #   ;
+  # }).overrideAttrs (_upstream: {
+  #   doCheck = false;
+  #   # dontConfigure = true;
+  #   # dontBuild = true;
+  #   # preInstall = ''
+  #   #   export HOME=$TMPDIR
+  #   # '';
+  #   # installPhase = ''
+  #   #   runHook preInstall
+
+  #   #   zig build -Drelease-safe=true -Dtarget=aarch64-linux-gnu -Dcpu=baseline --prefix $out
+  #   #   install -d $out/share/man/man1
+  #   #   $out/bin/mepo -docman > $out/share/man/man1/mepo.1
+
+  #   #   runHook postInstall
+  #   # '';
+  # });
+
   # fixes: "ar: command not found"
   # `ar` is provided by bintools
   ncftp = addNativeInputs [ final.bintools ] prev.ncftp;
@@ -1203,6 +1236,13 @@ in {
     # fixes "meson.build:183:0: ERROR: Can not run test applications in this cross environment."
     inherit (emulated) stdenv;
   };
+  tuba = (prev.tuba.override {
+    # fixes -msse2, -mfpmath=sse flags
+    wrapGAppsHook4 = final.wrapGAppsHook;
+  }).overrideAttrs (upstream: {
+    # error: Package `{libadwaita-1,gtksourceview-5,libsecret-1,gee-0.8}' not found in specified Vala API directories or GObject-Introspection GIR directories
+    buildInputs = upstream.buildInputs ++ [ final.vala ];
+  });
   # twitter-color-emoji = prev.twitter-color-emoji.override {
   #   # fails to fix original error
   #   inherit (emulated) stdenv;
@@ -1278,9 +1318,19 @@ in {
   });
   # XXX: aarch64 webp-pixbuf-loader wanted by gdk-pixbuf-loaders.cache.drv, wanted by aarch64 gnome-control-center
 
-  # "extract-binary-wrapper-cmd: line 2: strings: command not found"
-  # XXX: technically this belongs in pkgs/build-support/setup-hooks/make-binary-wrapper/default.nix ?
-  wrapFirefox = browser: args: addNativeInputs [ final.bintools-unwrapped ] (prev.wrapFirefox browser args);
+  wrapFirefox = prev.wrapFirefox.override {
+    buildPackages = let
+      bpkgs = final.buildPackages;
+    in bpkgs // {
+      # fixes "extract-binary-wrapper-cmd: line 2: strings: command not found"
+      # ^- in the `nix log` output of cross-compiled `firefox` (it's non-fatal)
+      makeBinaryWrapper = bpkgs.makeBinaryWrapper.overrideAttrs (upstream: {
+        passthru.extractCmd = bpkgs.writeShellScript "extract-binary-wrapper-cmd" ''
+          ${final.stdenv.cc.targetPrefix}strings -dw "$1" | sed -n '/^makeCWrapper/,/^$/ p'
+        '';
+      });
+    };
+  };
 
   wvkbd = (
     # "wayland-scanner: no such program"

pkgs/additional/cargo-docset/default.nix

@@ -1,30 +0,0 @@
-{ lib
-, fetchFromGitHub
-, rustPlatform
-, sqlite
-}:
-
-rustPlatform.buildRustPackage rec {
-  pname = "cargo-docset";
-  version = "0.3.1";
-
-  src = fetchFromGitHub {
-    owner = "Robzz";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-o2CSQiU9fEoS3eRmwphtYGZTwn3mstRm2Tlvval83+U=";
-  };
-
-  cargoHash = "sha256-YHrSvfHfQ7kbVeCOgggYf3E7gHq+RhVKZrzP8LqX5I0=";
-
-  buildInputs = [
-    sqlite
-  ];
-
-  meta = with lib; {
-    description = "Cargo subcommand to generate a Dash/Zeal docset for your Rust packages. ";
-    homepage = "https://github.com/Robzz/cargo-docset";
-    license = licenses.asl20;
-    maintainers = with maintainers; [ colinsane ];
-  };
-}

pkgs/additional/gpodder-configured/default.nix

@@ -15,13 +15,14 @@ let
       "gnome-feeds.listparser" = gnome-feeds.listparser;
     };
     pkgs = {
+      # important for this to explicitly use `gpodder` here, because it may be overriden/different from the toplevel `gpodder`!
       inherit gpodder;
     };
   };
 in
 # we use a symlinkJoin so that we can inherit the .desktop and icon files from the original gPodder
 (symlinkJoin {
-  name = "gpodder-configured";
+  name = "${gpodder.pname}-configured";
   paths = [ gpodder remove-extra ];
   nativeBuildInputs = [ makeWrapper ];
 
@@ -30,7 +31,7 @@ in
   # a feedlist every time we run it.
   # repeat imports are deduplicated by url, even when offline.
   postBuild = ''
-    makeWrapper $out/bin/gpodder $out/bin/gpodder-configured \
+    wrapProgram $out/bin/gpodder \
       --run "$out/bin/gpodder-remove-extra ~/.config/gpodderFeeds.opml || true" \
       --run "$out/bin/gpo import ~/.config/gpodderFeeds.opml || true" \
 
@@ -41,6 +42,6 @@ in
   '';
 
   passthru = {
-    remove-extra = remove-extra;
+    inherit gpodder remove-extra;
   };
 })

pkgs/additional/jellyfin-media-player-qt6/default.nix

@@ -20,14 +20,14 @@
     owner = "jellyfin";
     repo = "jellyfin-media-player";
     rev = "qt6";
-    hash = "sha256-saR/P2daqjF0G8N7BX6Rtsb1dWGjdf5MPDx1lhoioEw=";
+    hash = "sha256-CXuK6PLGOiBDbnLqXcr5sUtQmXksMc6X6GKVMEzmu30=";
   };
   # nixos ships two patches:
   # - the first fixes "web paths" and has *mostly* been upstreamed  (so skip and manually tweak a bit)
   # - the second disables auto-update notifications  (keep)
   patches = (builtins.tail upstream.patches) ++ [
     ./0001-fix-web-path.patch
-    ./0002-qt6-build-fixes.patch
+    # ./0002-qt6-build-fixes.patch
     # ./0003-qt6-components-webengine.patch
   ];
   buildInputs = [

pkgs/additional/lemoa/default.nix

@@ -0,0 +1,45 @@
+{ lib
+, fetchFromGitHub
+, gdk-pixbuf
+, glib
+, graphene
+, gtk4
+, libadwaita
+, openssl
+, pango
+, pkg-config
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "lemoa";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "lemmy-gtk";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-7tq9XP79GXnIoibrZugdir79P14qJevTzY44fC3R7cA=";
+  };
+
+  cargoLock = {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "lemmy_api_common-0.18.0" = "sha256-l4UNO5Obx73nOiVnl6dc+sw2tekDLn2ixTs1GwqdE8I=";
+    };
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    gtk4
+    libadwaita
+    openssl
+  ];
+
+  meta = with lib; {
+    description = "Native Gtk client for Lemmy";
+    homepage = "https://github.com/lemmy-gtk/lemoa";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ colinsane ];
+  };
+}

pkgs/additional/linux-megous/default.nix

@@ -18,6 +18,7 @@ let
   # - grab VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION from Makefile.
   # - megi publishes release notes as the most recent commit on any stable branch, so just `git log`.
   # - orange-pi is listed as the "main integration branch".
+  #   - this suggests it's NOT a stable branch, only `orange-pi-X.YY-YYYYMMDD-NNNN` branches are "formal" releases
   #   - specific branches like `pp` (pinephone) are dev branches, and probably less stable.
   rev = "orange-pi-6.4-20230619-0323";
   hash = "sha256-il32UQM/8Fc7VHft3+M4TLMxk5+h28C9Suu1kRdZj2M=";

pkgs/additional/sane-scripts/default.nix

@@ -30,7 +30,7 @@ let
     };
   };
 
-  nix-shell-scripts = {
+  sane-bin = {
     # anything added to this attrset gets symlink-joined into `sane-scripts`
     # and is made available through `sane-scripts.passthru`
     backup-ls = static-nix-shell.mkBash {
@@ -228,8 +228,8 @@ let
 in
 symlinkJoin {
   name = "sane-scripts";
-  paths = lib.attrValues nix-shell-scripts;
-  passthru = nix-shell-scripts // {
+  paths = lib.attrValues sane-bin;
+  passthru = sane-bin // {
     lib = sane-lib;
   };
   meta = {

pkgs/additional/sane-scripts/src/sane-wipe-browser

@@ -4,6 +4,8 @@
 rm -rf \
   ~/.librewolf/default/* \
   ~/.cache/librewolf/* \
+  ~/.mozilla/* \
+  ~/.cache/mozilla/firefox/* \
   ~/.config/chromium \
   ~/.cache/chromium \
   || true  # in case no matches

pkgs/additional/sxmo-utils/0005-system-audio.patch

@@ -0,0 +1,21 @@
+diff --git a/configs/default_hooks/sxmo_hook_start.sh b/configs/default_hooks/sxmo_hook_start.sh
+index 194814d..beb9232 100755
+--- a/configs/default_hooks/sxmo_hook_start.sh
++++ b/configs/default_hooks/sxmo_hook_start.sh
+@@ -16,16 +16,6 @@ while ! superctl status > /dev/null 2>&1; do
+ 	sleep 0.5
+ done
+ 
+-# Load our sound daemons
+-
+-if [ "$(command -v pulseaudio)" ]; then
+-	superctl start pulseaudio
+-elif [ "$(command -v pipewire)" ]; then
+-	# pipewire-pulse will start pipewire
+-	superctl start pipewire-pulse
+-	superctl start wireplumber
+-fi
+-
+ # Periodically update some status bar components
+ sxmo_hook_statusbar.sh all
+ sxmo_daemons.sh start statusbar_periodics sxmo_run_aligned.sh 60 \

pkgs/additional/sxmo-utils/0006-block-suspend-any-mpris.patch

@@ -0,0 +1,13 @@
+diff --git a/configs/default_hooks/sxmo_hook_block_suspend.sh b/configs/default_hooks/sxmo_hook_block_suspend.sh
+index f394575..873b7b2 100755
+--- a/configs/default_hooks/sxmo_hook_block_suspend.sh
++++ b/configs/default_hooks/sxmo_hook_block_suspend.sh
+@@ -68,7 +68,7 @@ playing_mpc() {
+ }
+ 
+ playing_mpris() {
+-	command -v playerctl && [ "$(playerctl status)" = "Playing" ]
++	command -v playerctl && playerctl --all-players status | grep -q "Playing"
+ }
+ 
+ photos_processing() {

pkgs/additional/sxmo-utils/0105-more-apps.patch

@@ -0,0 +1,46 @@
+diff --git a/configs/default_hooks/sxmo_hook_apps.sh b/configs/default_hooks/sxmo_hook_apps.sh
+index ba70a31..085ef7d 100755
+--- a/configs/default_hooks/sxmo_hook_apps.sh
++++ b/configs/default_hooks/sxmo_hook_apps.sh
+@@ -31,6 +31,7 @@ write_line_app audacity "$icon_mic Audacity" "audacity"
+ write_line_app gnome-calculator "$icon_clc Calculator" "gnome-calculator"
+ write_line_app calcurse "$icon_clk Calcurse" "sxmo_terminal.sh calcurse"
+ write_line_app cmus "$icon_mus Cmus" "sxmo_terminal.sh cmus"
++write_line_app cozy "$icon_mus Cozy" "cozy"
+ write_line_app dino "$icon_msg Dino" "GDK_SCALE=1 dino"
+ write_line_app dolphin "$icon_dir Dolphin" "dolphin"
+ write_line_app emacs "$icon_edt Emacs (Terminal)" "sxmo_terminal.sh emacs -nw"
+@@ -60,13 +61,17 @@ write_line_app htop "$icon_cfg Htop" "sxmo_terminal.sh htop"
+ write_line_app irssi "$icon_msg Irssi" "sxmo_terminal.sh irssi"
+ write_line_app ii "$icon_msg Ii" "sxmo_terminal.sh ii"
+ write_line_app ipython "$icon_trm IPython" "sxmo_terminal.sh ipython"
++write_line_app jellyfinmediaplayer "$icon_mvi Jellyfin" "jellyfinmediaplayer"
+ write_line_app kasts "$icon_rss Kasts" "kasts"
+ write_line_app kmail "$icon_eml KMail" "kmail"
++write_line_app komikku "$icon_bok Komikku" "komikku"
+ write_line_app kontact "$icon_msg Kontact" "kontact"
+ write_line_app konversation "$icon_msg Konversation" "konversation"
++write_line_app koreader "$icon_bok KOReader" "koreader"
+ write_line_app kwrite "$icon_edt Kwrite" "kwrite"
+ write_line_app lagrange "$icon_glb Lagrange" "lagrange"
+ write_line_app lf "$icon_dir Lf" "sxmo_terminal.sh lf"
++write_line_app librewolf "$icon_glb Librewolf" "librewolf"
+ write_line_app lollypop "$icon_mus Lollypop" "lollypop"
+ write_line_app luakit "$icon_glb Luakit" "luakit"
+ write_line_app marble "$icon_map Marble" "marble"
+@@ -97,6 +102,7 @@ write_line_app senpai "$icon_msg Senpai" "sxmo_terminal.sh senpai"
+ write_line_app sic "$icon_msg Sic" "sxmo_terminal.sh sic"
+ ([ "$SXMO_WM" = dwm ] && command -v st >/dev/null) && \
+ 	write_line "$icon_trm St" "st -e $SHELL"
++write_line_app sublime-music "$icon_mus Sublime Music" "sublime-music"
+ write_line_app surf "$icon_glb Surf" "surf"
+ write_line_app syncthing "$icon_rld Syncthing" "syncthing"
+ write_line_app telegram-desktop "$icon_tgm Telegram" "telegram-desktop"
+@@ -105,6 +111,7 @@ write_line_app thunar "$icon_dir Thunar" "sxmo_terminal.sh thunar"
+ write_line_app thunderbird "$icon_eml Thunderbird" "thunderbird"
+ write_line_app com.github.bleakgrey.tootle "$icon_msg Tootle" "com.github.bleakgrey.tootle"
+ write_line_app totem "$icon_mvi Totem" "totem"
++write_line_app dev.geopjr.Tuba "$icon_msg Tuba" "dev.geopjr.Tuba"
+ write_line_app tuir "$icon_red Tuir" "sxmo_terminal.sh tuir"
+ write_line_app tut "$icon_msg Tut" "sxmo_terminal.sh tut"
+ write_line_app waydroid "$icon_and Waydroid" "waydroid show-full-ui"

pkgs/additional/sxmo-utils/0106-configurable-auto-screenoff.patch

@@ -0,0 +1,13 @@
+diff --git a/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh b/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
+index c9c4263..4c0fccf 100755
+--- a/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
++++ b/configs/default_hooks/three_button_touchscreen/sxmo_hook_lock.sh
+@@ -37,7 +37,7 @@ sxmo_daemons.sh stop periodic_wakelock_check
+ # Go to screenoff after 8 seconds of inactivity
+ if ! [ -e "$XDG_CACHE_HOME/sxmo/sxmo.noidle" ]; then
+ 	sxmo_daemons.sh start idle_locker sxmo_idle.sh -w \
+-		timeout 8 "sxmo_hook_screenoff.sh"
++		timeout "${SXMO_LOCK_IDLE_TIME:-8}" "sxmo_hook_screenoff.sh"
+ fi
+ 
+ wait

pkgs/additional/sxmo-utils/customization/configs/default_hooks/sxmo_hook_start.sh

@@ -1,57 +0,0 @@
-#!/bin/sh
-
-# include common definitions
-# shellcheck source=scripts/core/sxmo_common.sh
-. sxmo_common.sh
-
-# Create xdg user directories, such as ~/Pictures
-xdg-user-dirs-update
-
-sxmo_daemons.sh start daemon_manager superd -v
-
-# let time to superd to start correctly
-while ! superctl status > /dev/null 2>&1; do
-	sleep 0.5
-done
-
-# Periodically update some status bar components
-sxmo_hook_statusbar.sh all
-sxmo_daemons.sh start statusbar_periodics sxmo_run_aligned.sh 60 \
-	sxmo_hook_statusbar.sh periodics
-
-# mako/dunst are required for warnings.
-# load some other little things here too.
-superctl start mako
-superctl start sxmo_wob
-superctl start sxmo_menumode_toggler
-superctl start bonsaid
-swaymsg output '*' bg "$SXMO_BG_IMG" fill
-
-# To setup initial lock state
-sxmo_hook_unlock.sh
-
-# Turn on auto-suspend
-if [ -w "/sys/power/wakeup_count" ] && [ -f "/sys/power/wake_lock" ]; then
-	superctl start sxmo_autosuspend
-fi
-
-# Turn on lisgd
-superctl start sxmo_hook_lisgd
-
-# Start the desktop widget (e.g. clock)
-superctl start sxmo_conky
-
-# Monitor the battery
-superctl start sxmo_battery_monitor
-
-# It watch network changes and update the status bar icon by example
-superctl start sxmo_networkmonitor
-
-# The daemon that display notifications popup messages
-superctl start sxmo_notificationmonitor
-
-# monitor for headphone for statusbar
-superctl start sxmo_soundmonitor
-
-# rotate UI based on physical display angle by default
-sxmo_daemons.sh start autorotate sxmo_autorotate.sh

pkgs/additional/sxmo-utils/default.nix

@@ -1,11 +1,74 @@
 { stdenv
+, bc
+, bemenu
+, bonsai
+, conky
+, dbus
 , fetchgit
 , gitUpdater
+, gnugrep
+, gojq
+, inotify-tools
+, j4-dmenu-desktop
+, jq
 , lib
+, libnotify
+, lisgd
+, makeWrapper
+, mako
+, mepo
+, modemmanager
+, nettools
+, playerctl
+, procps
+, pulseaudio
 , rsync
 , scdoc
+, sfeed
+, superd
+, sway
+, swayidle
+, wob
+, wvkbd
+, xdg-user-dirs
+, xdotool
 }:
 
+let
+  # anything which any sxmo script or default hook in this package might invoke
+  runtimeDeps = [
+    bc
+    bemenu
+    bonsai
+    conky
+    dbus
+    # dmenu  # or dmenu-wayland? only used on x11?
+    gnugrep
+    gojq
+    inotify-tools
+    j4-dmenu-desktop
+    jq
+    libnotify
+    lisgd
+    mako
+    mepo  # mepo_ui_central_menu.sh
+    modemmanager  # mmcli
+    nettools  # netstat
+    playerctl
+    procps  # pgrep
+    pulseaudio  # pactl
+    sfeed
+    superd
+    sway
+    swayidle
+    wob
+    wvkbd
+    xdg-user-dirs
+
+    # X11 only?
+    xdotool
+  ];
+in
 stdenv.mkDerivation rec {
   pname = "sxmo-utils";
   version = "1.14.2";
@@ -22,9 +85,14 @@ stdenv.mkDerivation rec {
     ./0002-ensure-log-dir.patch
     ./0003-fix-xkb-paths.patch
     ./0004-no-busybox.patch
+    # wanted to fix/silence some non-fatal errors
+    ./0005-system-audio.patch
+    ./0006-block-suspend-any-mpris.patch
 
-    # personal preferences:
+    # personal (but upstreamable) preferences:
     ./0104-full-auto-rotate.patch
+    ./0105-more-apps.patch
+    ./0106-configurable-auto-screenoff.patch
   ];
 
   postPatch = ''
@@ -32,15 +100,10 @@ stdenv.mkDerivation rec {
     sed -i "s@/etc/profile\.d/sxmo_init.sh@$out/etc/profile.d/sxmo_init.sh@" scripts/core/*.sh
     sed -i "s@/usr/bin/@@g" scripts/core/sxmo_version.sh
     sed -i 's:ExecStart=/usr/bin/:ExecStart=/usr/bin/env :' configs/superd/services/*.service
-
-    # apply customizations
-    # - xkb_mobile_normal_buttons:
-    #   - on devices where volume is part of the primary keyboard (e.g. thinkpad), we want to avoid overwriting the default map
-    #   - this provided map is the en_US 105 key map
-    ${rsync}/bin/rsync -rlv ${./customization}/ ./
   '';
 
   nativeBuildInputs = [
+    makeWrapper
     scdoc
   ];
 
@@ -50,6 +113,29 @@ stdenv.mkDerivation rec {
     "PREFIX="
   ];
 
+  # we don't wrap sxmo_common.sh or sxmo_init.sh
+  # which is unfortunate, for non-sxmo-utils files that might source though.
+  # if that's a problem, could inject a PATH=... line into them with sed.
+  postInstall = ''
+    for f in \
+      $out/bin/*.sh \
+      $out/share/sxmo/default_hooks/desktop/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/one_button_e_reader/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/three_button_touchscreen/sxmo_hook_*.sh \
+      $out/share/sxmo/default_hooks/sxmo_hook_*.sh \
+    ; do
+      case $(basename $f) in
+        (sxmo_common.sh|sxmo_deviceprofile_*.sh|sxmo_hook_icons.sh|sxmo_init.sh)
+          # these are sourced by other scripts: don't wrap them else the `exec` in the wrapper breaks the outer script
+        ;;
+        (*)
+          wrapProgram "$f" \
+            --prefix PATH : "${lib.makeBinPath runtimeDeps}"
+        ;;
+      esac
+    done
+  '';
+
   passthru = {
     providedSessions = [ "sxmo" "swmo" ];
     updateScript = gitUpdater { };

pkgs/default.nix

@@ -10,8 +10,9 @@ let
   lib = pkgs.lib;
   unpatched = pkgs;
 
-  pythonPackagesOverlay = py-final: py-prev: import ./python-packages {
+  pythonPackagesOverlayFor = pkgs: py-final: py-prev: import ./python-packages {
     inherit (py-final) callPackage;
+    inherit pkgs;
   };
   final' = if final != null then final else pkgs.appendOverlays [(_: _: sane)];
   sane = with final'; {
@@ -25,11 +26,12 @@ let
     browserpass-extension = callPackage ./additional/browserpass-extension { };
     cargoDocsetHook = callPackage ./additional/cargo-docset/hook.nix { };
     feeds = lib.recurseIntoAttrs (callPackage ./additional/feeds { });
+    lemoa = callPackage ./additional/lemoa { };
     jellyfin-media-player-qt6 = callPackage ./additional/jellyfin-media-player-qt6 { };
     gopass-native-messaging-host = callPackage ./additional/gopass-native-messaging-host { };
     gpodder-adaptive = callPackage ./additional/gpodder-adaptive { };
     gpodder-adaptive-configured = callPackage ./additional/gpodder-configured {
-      gpodder = final.gpodder-adaptive;
+      gpodder = final'.gpodder-adaptive;
     };
     gpodder-configured = callPackage ./additional/gpodder-configured { };
     hare-ev = unpatched.hare-ev or (callPackage ./additional/hare-ev { });
@@ -38,6 +40,7 @@ let
     linux-megous = callPackage ./additional/linux-megous { };
     mx-sanebot = callPackage ./additional/mx-sanebot { };
     rtl8723cs-firmware = callPackage ./additional/rtl8723cs-firmware { };
+    # TODO: use `recurseIntoAttrs` ?
     sane-scripts = callPackage ./additional/sane-scripts { };
     static-nix-shell = callPackage ./additional/static-nix-shell { };
     sublime-music-mobile = callPackage ./additional/sublime-music-mobile { };
@@ -61,7 +64,6 @@ let
 
     # provided by nixpkgs patch or upstream PR
     # i still conditionally callPackage these to make them available to external consumers (like NUR)
-    cargo-docset = unpatched.cargo-docset or (callPackage ./additional/cargo-docset { });
     splatmoji = unpatched.splatmoji or (callPackage ./additional/splatmoji { });
 
 
@@ -103,12 +105,12 @@ let
 
     ### PYTHON PACKAGES
     pythonPackagesExtensions = (unpatched.pythonPackagesExtensions or []) ++ [
-      pythonPackagesOverlay
+      (pythonPackagesOverlayFor final')
     ];
     # when this scope's applied as an overlay pythonPackagesExtensions is propagated as desired.
     # but when freestanding (e.g. NUR), it never gets plumbed into the outer pkgs, so we have to do that explicitly.
     python3 = unpatched.python3.override {
-      packageOverrides = pythonPackagesOverlay;
+      packageOverrides = pythonPackagesOverlayFor final';
     };
   };
 in sane

pkgs/python-packages/default.nix

@@ -1,5 +1,5 @@
-{ callPackage }:
+{ callPackage, pkgs }:
 {
   feedsearch-crawler = callPackage ./feedsearch-crawler { };
-  sane-lib = (callPackage ../additional/sane-scripts { }).lib;
+  sane-lib = pkgs.sane-scripts.lib;
 }