servo: gitea: increase client_max_body_size in nginx config

Ben was unable to upload a clone of a repo over HTTP, due to a 413 error.

Nginx's default limit is 1 megabyte ;( https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size

See https://forum.gitea.com/t/unable-to-push-to-repo-due-to-rpc-failed-http-413-error/2630/4

TODO.md

@@ -64,7 +64,6 @@
   - likely requires updating envelope to a more recent version (for multi-accounting), and therefore updating libadwaita...
 
 ### security/resilience
-- enable `snapper` btrfs snapshots (`services.snapper`)
 - /mnt/desko/home, etc, shouldn't include secrets (~/private)
   - 95% of its use is for remote media access and stuff which isn't in VCS (~/records)
 - harden systemd services:

hosts/by-name/lappy/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
   imports = [
     ./fs.nix
@@ -30,18 +30,10 @@
   # 1024 solves *most* crackles, but still noticable under heavier loads.
   sane.programs.pipewire.config.min-quantum = 2048;
 
-  # TODO: enable snapper (need to make `/nix` or `/nix/persist` a subvolume, somehow).
-  # default config: https://man.archlinux.org/man/snapper-configs.5
-  # defaults to something like:
-  #   - hourly snapshots
-  #   - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
-  # to list snapshots: `sudo snapper --config nix list`
-  # to take a snapshot: `sudo snapper --config nix create`
-  # services.snapper.configs.nix = {
-  #   # TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
-  #   # but that also requires setting up the persist dir as a subvol
-  #   SUBVOLUME = "/nix";
-  #   # TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
-  #   ALLOW_USERS = [ "colin" ];
-  # };
+  # limit how many snapshots we keep, due to extremely limited disk space (TODO: remove this override after upgrading lappy hard drive)
+  services.snapper.configs.root.TIMELINE_LIMIT_HOURLY = lib.mkForce 2;
+  services.snapper.configs.root.TIMELINE_LIMIT_DAILY = lib.mkForce 2;
+  services.snapper.configs.root.TIMELINE_LIMIT_WEEKLY = lib.mkForce 0;
+  services.snapper.configs.root.TIMELINE_LIMIT_MONTHLY = lib.mkForce 0;
+  services.snapper.configs.root.TIMELINE_LIMIT_YEARLY = lib.mkForce 0;
 }

hosts/by-name/servo/services/email/dovecot.nix

@@ -124,7 +124,9 @@
       # ];
     };
   };
-  services.dovecot2.modules = [
+  environment.systemPackages = [
+    # XXX(2025-03-16): dovecot loads modules from /run/current-system/sw/lib/dovecot/modules
+    # see: <https://github.com/NixOS/nixpkgs/pull/387642>
     pkgs.dovecot_pigeonhole  # enables sieve execution (?)
   ];
   services.dovecot2.sieve = {

hosts/by-name/servo/services/gitea.nix

@@ -128,6 +128,9 @@
     forceSSL = true;  # gitea complains if served over a different protocol than its config file says
     enableACME = true;
     # inherit kTLS;
+    extraConfig = ''
+      client_max_body_size 100m;
+    '';
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:3000";

hosts/by-name/servo/services/nixos-prebuild.nix

@@ -6,7 +6,7 @@ lib.optionalAttrs false  # disabled until i can be sure it's not gonna OOM my se
     description = "build a nixos image with all updated deps";
     path = with pkgs; [ coreutils git nix ];
     script = ''
-      working=$(mktemp -d /tmp/nixos-prebuild.XXXXXX)
+      working=$(mktemp -d nixos-prebuild.XXXXXX --tmpdir)
       pushd "$working"
       git clone https://git.uninsane.org/colin/nix-files.git \
         && cd nix-files \

hosts/by-name/servo/services/transmission/torrent-done

@@ -3,8 +3,20 @@
 
 # transmission invokes this with no args, and the following env vars:
 # - TR_TORRENT_DIR: full path to the folder i told transmission to download it to.
-#     e.g. /var/media/torrents/Videos/Film/Jason.Bourne-2016
-# optionally:
+#     e.g. "/var/media/torrents/Videos/Film/Jason.Bourne-2016"
+# - TR_APP_VERSION
+# - TR_TIME_LOCALTIME
+# - TR_TORRENT_BYTES_DOWNLOADED
+# - TR_TORRENT_HASH
+# - TR_TORRENT_ID: local number to uniquely identify this torrent, used by e.g. transmission-remote.
+#     e.g. "67"
+# - TR_TORRENT_LABELS
+# - TR_TORRENT_NAME: file/folder name of the toplevel torrent item
+#     e.g. "Jason Bourne (2016) [2160p] [4K] [BluRay] [5.1] [YTS.MX]"
+# - TR_TORRENT_PRIORITY
+# - TR_TORRENT_TRACKERS
+
+# optionally, set these variables for debugging (these are specific to my script and not used upstream):
 # - TR_DRY_RUN=1
 # - TR_DEBUG=1
 
@@ -24,7 +36,7 @@ debug() {
   fi
 }
 
-echo "TR_TORRENT_DIR=$TR_TORRENT_DIR torrent-done $*"
+echo "TR_TORRENT_DIR=$TR_TORRENT_DIR TR_TORRENT_NAME=$TR_TORRENT_NAME torrent-done $*"
 
 if [[ "$TR_TORRENT_DIR" =~ ^.*freeleech.*$ ]]; then
   # freeleech torrents have no place in my permanent library
@@ -33,20 +45,35 @@ if [[ "$TR_TORRENT_DIR" =~ ^.*freeleech.*$ ]]; then
 fi
 if ! [[ "$TR_TORRENT_DIR" =~ ^$DOWNLOAD_DIR/.*$ ]]; then
   echo "unexpected torrent dir, aborting: $TR_TORRENT_DIR"
-  exit 0
+  exit 1
+fi
+
+TORRENT_PATH="$TR_TORRENT_DIR/$TR_TORRENT_NAME"
+if [[ ! -e "$TORRENT_PATH" ]]; then
+  echo "torrent unexpectedly doesn't exist at $TORRENT_PATH. will try fallback"
+  TORRENT_PATH="$TR_TORRENT_DIR"
+fi
+
+if [[ -d "$TORRENT_PATH" ]]; then
+  # trailing slash so that rsync copies the directory contents, without creating an extra toplevel dir.
+  TORRENT_PATH="$TORRENT_PATH/"
+elif [[ ! -e "$TORRENT_PATH" ]]; then
+  echo "torrent unexpectedly doesn't exist at TR_TORRENT_DIR=$TORRENT_PATH: bailing"
+  exit 1
 fi
 
 REL_DIR="${TR_TORRENT_DIR#$DOWNLOAD_DIR/}"
 MEDIA_DIR="/var/media/$REL_DIR"
 
 destructive mkdir -p "$(dirname "$MEDIA_DIR")"
-destructive rsync -rlv "$TR_TORRENT_DIR/" "$MEDIA_DIR/"
+destructive rsync -rlv "$TORRENT_PATH" "$MEDIA_DIR/"
 # make the media rwx by anyone in the group
 destructive find "$MEDIA_DIR" -type d -exec setfacl --recursive --modify d:g::rwx,o::rx {} \;
 destructive find "$MEDIA_DIR" -type d -exec chmod g+rw,a+rx {} \;
 destructive find "$MEDIA_DIR" -type f -exec chmod g+rw,a+r {} \;
 
-# if there's a single directory inside the media dir, then inline that
+# if there's a single directory inside the media dir, then inline that.
+# TODO: this is probably obsolete now that i process TR_TORRENT_NAME
 subdirs=("$MEDIA_DIR"/*)
 debug "top-level items in torrent dir:" "${subdirs[@]}"
 if [ ${#subdirs[@]} -eq 1 ]; then
@@ -61,10 +88,24 @@ fi
 # -iname means "insensitive", but the syntax is NOT regex -- more similar to shell matching
 destructive find "$MEDIA_DIR/" -type f \(\
      -iname '*downloaded?from*' \
-  -o -iname 'source.txt' \
+  -o -iname '(xxxpav69).txt' \
   -o -iname '*upcoming?releases*' \
-  -o -iname 'www.YTS*.jpg' \
+  -o -iname 'ETRG.mp4' \
+  -o -iname 'Encoded by*.txt' \
+  -o -iname 'PSArips.com.txt' \
+  -o -iname 'RARBG.com*' \
+  -o -iname 'RARBG.txt' \
+  -o -iname 'RARBG_DO_NOT_MIRROR.exe' \
+  -o -iname 'Tellytorrent.net.txt' \
+  -o -iname 'WWW.VPPV.LA.txt' \
   -o -iname 'WWW.YIFY*.COM.jpg' \
   -o -iname 'YIFY*.com.txt' \
   -o -iname 'YTS*.com.txt' \
+  -o -iname 'YTSYify*.txt' \
+  -o -iname 'www.YTS*.jpg' \
   \) -exec rm {} \;
+
+# might want to keep, might want to remove:
+# -o -iname 'info.txt'
+# -o -iname 'source.txt'
+# -o -iname 'sample.mkv'

hosts/common/feeds.nix

@@ -66,6 +66,7 @@ let
     (fromDb "api.oyez.org/podcasts/oral-arguments/2015" // pol)  # Supreme Court Oral Arguments ("2015" in URL means nothing -- it's still updated)
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)  # Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/2da69154/podcast/rss" // tech)  # POD OF JAKE -- https://podofjake.com/
+    (fromDb "bluecityblues.org.podcastpage.io" // pol)  # hosts overlap with Seattle Nice
     (fromDb "cast.postmarketos.org" // tech)
     (fromDb "congressionaldish.libsyn.com" // pol)  # Jennifer Briney
     (fromDb "craphound.com" // pol)  # Cory Doctorow -- both podcast & text entries
@@ -88,7 +89,6 @@ let
     (fromDb "feeds.megaphone.fm/thiswontlast" // tech)  # <https://www.podpage.com/thiswontlast/>
     (fromDb "feeds.megaphone.fm/unexplainable")
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)  # Econ Talk
-    (fromDb "feeds.simplecast.com/whlwDbyc" // tech)  # Tech Lounge: <https://chrischinchilla.com/podcast/techlounge/>
     (fromDb "feeds.transistor.fm/acquired" // tech)
     (fromDb "feeds.transistor.fm/complex-systems-with-patrick-mckenzie-patio11" // tech)  # Patrick Mackenzie (from Bits About Money)
     (fromDb "feeds.twit.tv/floss.xml" // tech)
@@ -101,6 +101,7 @@ let
     (fromDb "malicious.life" // tech)
     (fromDb "mapspodcast.libsyn.com" // uncat)  # Multidisciplinary Association for Psychedelic Studies
     (fromDb "microarch.club" // tech)
+    (fromDb "nocturnepodcast.org")
     (fromDb "omegataupodcast.net" // tech)  # 3/4 German; 1/4 eps are English
     (fromDb "omny.fm/shows/cool-people-who-did-cool-stuff" // pol)  # Maggie Killjoy -- referenced by Cory Doctorow
     (fromDb "omny.fm/shows/money-stuff-the-podcast")  # Matt Levine
@@ -109,6 +110,7 @@ let
     (fromDb "omny.fm/shows/weird-little-guys")  # Cool Zone Media
     (fromDb "originstories.libsyn.com" // uncat)
     (fromDb "podcast.ergaster.org/@flintandsilicon" // tech)  # Thib's podcast: public interest tech, gnome, etc: <https://fed.uninsane.org/users/$ALLO9MZ5g5CsQTCBH6>
+    (fromDb "pods.media/api/rss/feed/channel/unchained" // tech)  # cryptocurrency happenings; rec via patio11
     (fromDb "politicalorphanage.libsyn.com" // pol)
     (fromDb "reverseengineering.libsyn.com/rss" // tech)  # UnNamed Reverse Engineering Podcast
     (fromDb "rss.acast.com/ft-tech-tonic" // tech)  # Financial Time's: Tech Tonic
@@ -136,6 +138,7 @@ let
     # (fromDb "feeds.simplecast.com/54nAGcIl" // pol)  # The Daily
     # (fromDb "feeds.simplecast.com/82FI35Px" // pol)  # Ezra Klein Show
     # (fromDb "feeds.simplecast.com/l2i9YnTd" // tech // pol)  # Hard Fork (NYtimes tech)
+    # (fromDb "feeds.simplecast.com/whlwDbyc" // tech)  # Tech Lounge: <https://chrischinchilla.com/podcast/techlounge/>
     # (fromDb "feeds.simplecast.com/xKJ93w_w" // uncat)  # Atlas Obscura
     # (fromDb "lastweekinai.com" // tech)  # Last Week in AI
     # (fromDb "mintcast.org" // tech)

hosts/common/net/upnp.nix

@@ -7,7 +7,8 @@
   ];
 
   networking.firewall.extraCommands = with pkgs; ''
-    # after an outgoing SSDP query to the multicast address, open FW for incoming responses.
+    # after an outgoing SSDP query to the multicast address (dest port=1900, src port=any),
+    # open FW for incoming responses (i.e. accept any packet, so long as it's sent to the port we sent from).
     # necessary for anything DLNA, especially go2tv
     # source: <https://serverfault.com/a/911286>
     # context: <https://github.com/alexballas/go2tv/issues/72>
@@ -16,6 +17,7 @@
     ${ipset}/bin/ipset create -! upnp hash:ip,port timeout 10
     ${iptables}/bin/iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
     ${iptables}/bin/iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
+
     # IPv6 ruleset. ff02::/16 means *any* link-local multicast group (so this is probably more broad than it needs to be)
     ${ipset}/bin/ipset create -! upnp6 hash:ip,port timeout 10 family inet6
     ${iptables}/bin/ip6tables -A OUTPUT -d ff02::/16 -p udp -m udp --dport 1900 -j SET --add-set upnp6 src,src --exist

hosts/common/programs/assorted.nix

@@ -107,6 +107,7 @@ in
       # "s6-rc"  # service manager
       # "screen"
       "see-cat"  # pretty-print equivalent to 'cat'
+      "ssh"
       "smartmontools"  # smartctl
       # "socat"
       "strace"
@@ -166,6 +167,7 @@ in
       # "node2nix"
       # "oathToolkit"  # for oathtool
       "objdump"
+      "oils-for-unix"
       # "ponymix"
       "pulsemixer"
       "python3-repl"
@@ -177,7 +179,7 @@ in
       "sane-scripts.cli"
       "sane-secrets-unlock"
       "sane-sysload"
-      "sc-im"
+      "sc-im"  # CLI spreadsheet editor
       "snapper"
       "sops"  # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
       "speedtest-cli"
@@ -186,7 +188,7 @@ in
       "sudo"
       # "tageditor"  # music tagging
       # "unar"
-      # "unzip"
+      "unzip"
       "wireguard-tools"  # for `wg`
       "xdg-utils"  # for xdg-open
       # "yarn"
@@ -203,7 +205,7 @@ in
       "nixpkgs-review"
       "qmk-udev-rules"
       "sane-scripts.dev"
-      "sequoia"
+      "sequoia"  # gpg tool
       # "via"
       "wally-cli"
       # "zsa-udev-rules"
@@ -222,9 +224,12 @@ in
 
     pcTuiApps = declPackageSet [
       "aerc"  # email client
+      # "cassini"  # Elegoo printer control. need here especially, for opening firewalls.
+      "mslicer"  # TODO: upstream, and then move this to the phone-case-cq repo
       # "msmtp"  # sendmail
       # "offlineimap"  # email mailbox sync
       # "sfeed"  # RSS fetcher
+      # "uvtools"
       "visidata"  # TUI spreadsheet viewer/editor
       "w3m"  # web browser
     ];
@@ -251,7 +256,7 @@ in
       "celeste64"
       # "cutemaze"      # meh: trivial maze game; qt6 and keyboard-only
       # "cuyo"          # trivial puyo-puyo clone
-      "endless-sky"     # space merchantilism/exploration
+      # "endless-sky"     # space merchantilism/exploration
       # "factorio"
       # "frozen-bubble"   # WAN + LAN + 1P/2P bubble bobble
       # "hase"            # WAN worms game
@@ -264,16 +269,17 @@ in
       # "osu-lazer"
       # "pinball"       # 3d pinball; kb/mouse. old sourceforge project
       # "powermanga"    # STYLISH space invaders derivative (keyboard-only)
-      "shattered-pixel-dungeon"  # doesn't cross compile
+      # "shattered-pixel-dungeon"  # doesn't cross compile
       # "sm64ex-coop"
       "sm64coopdx"
       "space-cadet-pinball"  # LMB/RMB controls (bindable though. volume buttons?)
       "steam"
       "superTux"  # keyboard-only controls
       "superTuxKart"  # poor FPS on pinephone
-      "tumiki-fighters" # keyboard-only
+      # "tumiki-fighters" # keyboard-only
       "vvvvvv"  # keyboard-only controls
       # "wine"
+      "zelda64recomp"
     ];
 
     guiApps = declPackageSet [
@@ -295,11 +301,11 @@ in
       "dino"  # XMPP client
       "dissent"  # Discord client (formerly known as: gtkcord4)
       # "emote"
-      "envelope"  # GTK4 email client (alpha)
+      # "envelope"  # GTK4 email client (alpha)
       # "evince"  # PDF viewer
       # "flare-signal"  # gtk4 signal client
       "fractal"  # matrix client
-      "g4music"  # local music player
+      # "g4music"  # local music player
       # "gnome.cheese"
       # "gnome-feeds"  # RSS reader (with claimed mobile support)
       # "gnome.file-roller"
@@ -314,6 +320,7 @@ in
       "gnome-frog"  # OCR/QR decoder
       "gnome-maps"
       "gnome-screenshot"  # libcamera-based screenshotter, for debugging; should be compatible with gc2145 camera on Pinephone
+      "gnome-sound-recorder"  # a simple microphone recorder/tester
       "gnome-weather"
       "gpodder"
       "gsettings"
@@ -408,7 +415,7 @@ in
       # "kid3"  # audio tagging
       "krita"
       "libreoffice"  # TODO: replace with an office suite that uses saner packaging?
-      "losslesscut-bin"  # x86-only
+      "losslesscut-bin"  # x86-only  (TODO: replace with from-source build: <https://github.com/NixOS/nixpkgs/pull/385535>)
       # "makemkv"  # x86-only
       # "monero-gui"  # x86-only
       "mumble"
@@ -861,6 +868,8 @@ in
       "records/finance/cryptocurrencies/monero"
     ];
 
+    mslicer.sandbox.method = null;  #< TODO: sandbox
+
     nano.sandbox.autodetectCliPaths = "existingFileOrParent";
 
     netcat.sandbox.net = "all";
@@ -927,6 +936,8 @@ in
     # settings (electron app)
     obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
 
+    oils-for-unix.sandbox.enable = false;  #< it's a shell; doesn't make sense to sandbox
+
     openscad-lsp.sandbox.whitelistPwd = true;
 
     passt.sandbox.enable = false;  #< sandbox helper (netns specifically)
@@ -997,6 +1008,7 @@ in
       unidecode
     ]);
     python3-repl.sandbox.net = "clearnet";
+    python3-repl.sandbox.autodetectCliPaths = "existing";  #< for invoking scripts like `python3 ./my-script.py`
     python3-repl.sandbox.extraHomePaths = [
       "/"  #< this is 'safe' because with don't expose .persist/private, so no .ssh/id_ed25519
       ".persist/plaintext"
@@ -1042,10 +1054,10 @@ in
 
     screen.sandbox.enable = false;  #< tty; needs to run anything
 
-    sequoia.packageUnwrapped = pkgs.sequoia.overrideAttrs (_: {
-      # XXX(2024-07-30): sq_autocrypt_import test failure: "Warning: 9B7DD433F254904A is expired."
-      doCheck = false;
-    });
+    # sequoia.packageUnwrapped = pkgs.sequoia.overrideAttrs (_: {
+    #   # XXX(2024-07-30): sq_autocrypt_import test failure: "Warning: 9B7DD433F254904A is expired."
+    #   doCheck = false;
+    # });
     sequoia.buildCost = 1;
     sequoia.sandbox.whitelistPwd = true;
     sequoia.sandbox.autodetectCliPaths = "existingFileOrParent";  # supports `-o <file-to-create>`
@@ -1180,6 +1192,8 @@ in
       "/sys/bus/usb"
     ];
 
+    uvtools.sandbox.method = null;  #< TODO: sandbox
+
     vala-language-server.sandbox.whitelistPwd = true;
     vala-language-server.suggestedPrograms = [
       # might someday support cmake, too: <https://github.com/vala-lang/vala-language-server/issues/73>

hosts/common/programs/bemenu.nix

@@ -88,18 +88,6 @@ in
 {
   sane.programs.bemenu = {
     sandbox.whitelistWayland = true;
-
-    packageUnwrapped = pkgs.bemenu.overrideAttrs (upstream: {
-      nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
-        pkgs.makeBinaryWrapper
-      ];
-      # can alternatively be specified as CLI flags
-      postInstall = (upstream.postInstall or "") + ''
-        wrapProgram $out/bin/bemenu \
-          --set BEMENU_OPTS "${bemenuOpts}"
-        wrapProgram $out/bin/bemenu-run \
-          --set BEMENU_OPTS "${bemenuOpts}"
-      '';
-    });
+    env.BEMENU_OPTS = bemenuOpts;
   };
 }

hosts/common/programs/cargo.nix

@@ -1,9 +1,10 @@
-{ pkgs, ... }:
+{ ... }:
 {
   sane.programs.cargo = {
     #v XXX(2025-02-23): normal `cargo` fails to build for cross (temporarily?). use prebuilt instead.
     # NOT easy to debug/fix. git bisect pins this between ceba2c6c3b (good) and 62a28e5a3d (bad)
-    packageUnwrapped = pkgs.rust.packages.prebuilt.cargo;
+    # packageUnwrapped = pkgs.rust.packages.prebuilt.cargo;
+
     persist.byStore.plaintext = [ ".cargo" ];
     # probably this sandboxing is too restrictive; i'm sandboxing it for rust-analyzer / neovim LSP
     sandbox.whitelistPwd = true;

hosts/common/programs/cassini.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ...}:
+let
+  cfg = config.sane.programs.cassini;
+in
+{
+  sane.programs.cassini = {
+    sandbox.method = null;  #< TODO: sandbox
+  };
+
+  # inspired by SSDP firewall code.
+  # Elegoo printers use their own SSDP-like discovery method, but on port 3000 instead of 1900 and 255.255.255.255 instead of 239.255.255.250:
+  # 1. i send a broadcast packet to 255.255.255.255 port 3000;
+  # 2. printers respond with a packet that originates from their port 3000, addressed to whichever port i sent from.
+  #
+  # TODO: can i generalize the SSDP rule from <hosts/common/net/upnp.nix> to be generic over port?
+  networking.firewall.extraCommands = with pkgs; lib.mkIf cfg.enabled ''
+    # originally for SSDP: <https://serverfault.com/a/911286>
+    # ipset -! means "don't fail if set already exists"
+    ${ipset}/bin/ipset create -! upnp hash:ip,port timeout 10
+    ${iptables}/bin/iptables -A OUTPUT -d 255.255.255.255/32 -p udp -m udp --dport 3000 -j SET --add-set upnp src,src --exist
+    ${iptables}/bin/iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
+
+    # IPv6 ruleset. ff02::/16 means *any* link-local multicast group (so this is probably more broad than it needs to be)
+    ${ipset}/bin/ipset create -! upnp6 hash:ip,port timeout 10 family inet6
+    ${iptables}/bin/ip6tables -A OUTPUT -d ff02::/16 -p udp -m udp --dport 3000 -j SET --add-set upnp6 src,src --exist
+    ${iptables}/bin/ip6tables -A INPUT -p udp -m set --match-set upnp6 dst,dst -j ACCEPT
+  '';
+}

hosts/common/programs/default.nix

@@ -28,6 +28,7 @@
     ./capsh.nix
     ./captree.nix
     ./cargo.nix
+    ./cassini.nix
     ./catt.nix
     ./celeste64.nix
     ./chatty.nix
@@ -83,6 +84,7 @@
     ./gnome-frog.nix
     ./gnome-keyring
     ./gnome-maps.nix
+    ./gnome-sound-recorder.nix
     ./gnome-weather.nix
     ./go2tv.nix
     ./gocryptfs.nix
@@ -188,6 +190,7 @@
     ./spot.nix
     ./spotify.nix
     ./steam.nix
+    ./ssh.nix
     ./stepmania.nix
     ./strings.nix
     ./sublime-music.nix
@@ -231,6 +234,7 @@
     ./zathura.nix
     ./zeal.nix
     ./zecwallet-lite.nix
+    ./zelda64recomp.nix
     ./zulip.nix
     ./zsa-udev-rules.nix
     ./zfs-tools.nix

hosts/common/programs/dialect.nix

@@ -1,15 +1,6 @@
-{ pkgs, ... }:
+{ ... }:
 {
   sane.programs.dialect = {
-    packageUnwrapped = pkgs.dialect.overrideAttrs (upstream: {
-      # TODO: send upstream
-      # TODO: figure out how to get audio working
-      # TODO: move to runtimeDependencies?
-      buildInputs = upstream.buildInputs ++ [
-        pkgs.glib-networking  # for TLS
-      ];
-    });
-
     buildCost = 1;
 
     sandbox.wrapperType = "inplace";  # share/search_providers/ calls back into the binary, weird wrap semantics

hosts/common/programs/dtrx.nix

@@ -1,14 +1,24 @@
 { pkgs, ... }:
 {
   sane.programs.dtrx = {
-    packageUnwrapped = pkgs.dtrx.override {
+    packageUnwrapped = (pkgs.dtrx.override {
       # `binutils` is the nix wrapper, which reads nix-related env vars
       # before passing on to e.g. `ld`.
       # dtrx probably only needs `ar` at runtime, not even `ld`.
       binutils = pkgs.binutils-unwrapped;
       # build without rpm support, since `rpm` package doesn't cross-compile.
       rpm = null;
-    };
+    }).overrideAttrs (upstream: {
+      patches = (upstream.patches or []) ++ [
+        (pkgs.fetchpatch2 {
+          # https://github.com/dtrx-py/dtrx/pull/62
+          # this is needed for as long as i'm interacting with .tar.lz archives which are actually LZMA and not lzip.
+          name = "fix .tar.lz mapping";
+          url = "https://github.com/dtrx-py/dtrx/commit/ff379f1444b142bb461f26780e32f82e60856be2.patch";
+          hash = "sha256-WNz5i/iJqyxmZh/1mw6M8hWeiQdRvyhCta7gN/va6lQ=";
+        })
+      ];
+    });
     sandbox.whitelistPwd = true;
     sandbox.autodetectCliPaths = "existing";  #< for the archive
   };

hosts/common/programs/epiphany.nix

@@ -5,23 +5,28 @@
 # - touch-based scroll works well (for moby)
 # - URL bar constantly resets cursor to the start of the line as i type
 #   - maybe due to the URLbar suggestions getting in the way
-{ pkgs, ... }:
+#
+# TODO: consider wrapping with `WEBKIT_USE_SINGLE_WEB_PROCESS=1` for better perf
+# - this runs all tabs in 1 process. which is fine, if i'm not a heavy multi-tabber
+{ ... }:
 {
   sane.programs.epiphany = {
     sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus.user.own = [ "org.gnome.Epiphany" ];
-    sandbox.whitelistPortal = [
-      # these are all speculative
-      "Camera"
-      "FileChooser"
-      "Location"
-      "OpenURI"
-      "Print"
-      "ProxyResolver"  #< required else it doesn't load websites
-      "ScreenCast"
-    ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce. requires to support nested dbus proxy though.
+    # sandbox.whitelistDbus.user.own = [ "org.gnome.Epiphany" ];
+    # sandbox.whitelistPortal = [
+    #   # these are all speculative
+    #   "Camera"
+    #   "FileChooser"
+    #   "Location"
+    #   "OpenURI"
+    #   "Print"
+    #   "ProxyResolver"  #< required else it doesn't load websites
+    #   "ScreenCast"
+    # ];
+
     # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
     # enabling DRI/DRM (as below) seems to fix that.
     sandbox.whitelistDri = true;
@@ -30,30 +35,16 @@
       ".config/epiphany"  #< else it gets angry at launch
       "tmp"
     ];
+    sandbox.extraPaths = [
+      # epiphany sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
+      # TODO: these could maybe be mounted empty.
+      "/sys/block"
+      "/sys/bus"
+      "/sys/class"
+    ];
 
     buildCost = 2;
 
-    # XXX(2023/07/08): running on moby without `WEBKIT_DISABLE_SANDBOX...` fails, with:
-    # - `bwrap: Can't make symlink at /var/run: File exists`
-    # this could be due to:
-    # - epiphany is somewhere following a symlink into /var/run instead of /run
-    #   - (nothing in `env` or in this repo touches /var/run)
-    # - no xdg-desktop-portal is installed  (unlikely)
-    #
-    # a few other users have hit this, in different contexts:
-    # - <https://gitlab.gnome.org/GNOME/gnome-builder/-/issues/1164>
-    # - <https://github.com/flatpak/flatpak/issues/3477>
-    # - <https://github.com/NixOS/nixpkgs/issues/197085>
-    #
-    # TODO: consider `WEBKIT_USE_SINGLE_WEB_PROCESS=1` for better perf
-    # - this runs all tabs in 1 process. which is fine, if i'm not a heavy multi-tabber
-    packageUnwrapped = pkgs.epiphany.overrideAttrs (upstream: {
-      preFixup = ''
-        gappsWrapperArgs+=(
-          --set WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS "1"
-        );
-      '' + (upstream.preFixup or "");
-    });
     persist.byStore.private = [
       ".cache/epiphany"
       ".local/share/epiphany"

hosts/common/programs/fftest.nix

@@ -1,12 +1,29 @@
 # fftest can test the haptics/vibrator on a phone:
 # - `fftest /dev/input/by-path/platform-vibrator-event`
 { pkgs, ... }:
+let
+  # fftestOnly = pkgs.linkIntoOwnPackage linuxConsoleTools [
+  #   "bin/fftest"
+  #   "share/man/man1/fftest.1.gz"
+  # ];
+  #
+  # XXX(2025-03-24): upstream `linuxConsoleTools` depends on SDL, which doesn't cross compile.
+  # but `fftest` component doesn't use SDL, so if we build only that then it can cross compile:
+  fftestOnly = pkgs.linuxConsoleTools.overrideAttrs (upstream: {
+    buildInputs = [ ];  #< disable SDL
+    buildFlags = (upstream.buildFlags or []) ++ [
+      "-C" "utils" "fftest"
+    ];
+
+    installPhase = ''
+      install -Dm755 utils/fftest $out/bin/fftest
+      install -Dm644 docs/fftest.1 $out/share/man/man1/fftest.1
+    '';
+  });
+in
 {
   sane.programs.fftest = {
-    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.linuxConsoleTools [
-      "bin/fftest"
-      "share/man/man1/fftest.1.gz"
-    ];
+    packageUnwrapped = fftestOnly;
     sandbox.autodetectCliPaths = "existing";
   };
 }

hosts/common/programs/firefox/bookmarks.html

@@ -17,6 +17,7 @@
     <dt><a href="https://github.com/search?type=repositories&q=%s" shortcuturl="gh">Search GitHub
     <dt><a href="https://lib.rs/search?q=%s" shortcuturl="librs">Search lib.rs (Rust)
     <dt><a href="https://myanimelist.net/search/all?cat=all&q=%s" shortcuturl="mal">Search MyAnimeList
+    <dt><a href="https://pypi.org/search/?q=%s" shortcuturl="pypi">Search PyPi PYthon Packaging Index
     <dt><a href="https://repology.org/projects/?maintainer=&category=&inrepo=&notinrepo=&repos=&families=&repos_newest=&families_newest=&search=%s" shortcuturl="repo">Search Repology - packages
     <dt><a href="https://search.nixos.org/options?channel=unstable&query=%s" shortcuturl="opt">Search NixOS Options
     <dt><a href="https://search.nixos.org/packages?channel=unstable&query=%s" shortcuturl="pkg">Search NixOS Packages
@@ -29,6 +30,7 @@
     <dt><a href="https://www.amazon.com/s/?k=%s" shortcuturl="am">Search Amazon
     <dt><a href="https://www.amazon.com/s/?k=%s&" shortcuturl="amazon">Search Amazon
     <dt><a href="https://www.ebay.com/sch/i.html?_sacat=0&_nkw=%s" shortcuturl="ebay">Search eBay
+    <dt><a href="https://www.etsy.com/search?q=%s" shortcuturl="etsy">Search Etsy
     <dt><a href="https://www.etymonline.com/search?q=%s" shortcuturl="etym">Search Etymonline
     <dt><a href="https://www.google.com/maps/search/%s" shortcuturl="maps">Search Google Maps
     <dt><a href="https://www.google.com/search?q=%s" shortcuturl="g">Search Google
@@ -36,6 +38,7 @@
     <dt><a href="https://www.google.com/search?tbm=shop&q=%s" shortcuturl="shopping">Search Google Shopping
     <dt><a href="https://www.google.com/search?tbm=vid&q=%s" shortcuturl="v">Search Google Videos
     <dt><a href="https://www.google.com/search?tbm=vid&q=%s&" shortcuturl="videos">Search Google Videos
+    <dt><a href="https://www.google.com/search?udm=2&q=%s" shortcuturl="i">Search Google Images
     <dt><a href="https://www.imdb.com/find/?q=%s" shortcuturl="imdb">Search Internet Movie DataBase
     <dt><a href="https://www.reddit.com/search/?q=%s" shortcuturl="reddit">Search Reddit
     <dt><a href="https://www.rottentomatoes.com/search?search=%s" shortcuturl="rt">Search Rotten Tomatoes

hosts/common/programs/fontconfig.nix

@@ -9,27 +9,11 @@
 let
   # see: <repo:nixos/nixpkgs:nixos/modules/config/fonts/fontconfig.nix>
   # and: <repo:nixos/nixpkgs:pkgs/development/libraries/fontconfig/make-fonts-cache.nix>
-  # nixpkgs creates a fontconfig cache, but only when *not* cross compiling.
-  # but the alternative is that fonts are cached purely at runtime, in ~/.cache/fontconfig,
+  # nixpkgs creates a fontconfig cache, which covers 99% of apps.
+  # if build-time caching fails for some reason, then fonts are cached at runtime, in ~/.cache/fontconfig,
   # and that needs to either be added to the sandbox of *every* app,
   # or font-heavy apps are several *seconds* slower to launch.
-  #
-  # TODO: upstream this into `make-fonts-cache.nix`?
-  cache = (pkgs.makeFontsCache { fontDirectories = config.fonts.packages; }).overrideAttrs (upstream: {
-    buildCommand = lib.replaceStrings
-      [ "fc-cache" ]
-      [ "${pkgs.stdenv.hostPlatform.emulator pkgs.buildPackages} ${lib.getExe' pkgs.fontconfig.bin "fc-cache"}" ]
-      upstream.buildCommand
-    ;
-  });
-  cacheConf = pkgs.writeTextDir "etc/fonts/conf.d/01-nixos-cache-cross.conf" ''
-    <?xml version='1.0'?>
-    <!DOCTYPE fontconfig SYSTEM 'urn:fontconfig:fonts.dtd'>
-    <fontconfig>
-      <!-- Pre-generated font caches -->
-      <cachedir>${cache}</cachedir>
-    </fontconfig>
-  '';
+
   noUserCacheConf = pkgs.runCommandNoCC "etc-fonts-fonts.conf-no-user" {} ''
     cp ${pkgs.fontconfig.out}/etc/fonts/fonts.conf .
     substituteInPlace fonts.conf \
@@ -74,16 +58,13 @@ in
       ];
     };
 
-    fontconfig.confPackages = lib.mkBefore ([
+    fontconfig.confPackages = lib.mkBefore [
       # XXX(2024-12-18): electron apps (signal-desktop, discord) duplicate the entire font cache (1-2MB) to ~/.cache/fontconfig
       # just to update a tiny section (4KB).
       # patch instead to not have a user font cache. they will work, but complain "Fontconfig error: No writable cache directories".
       # proper fix: see if electron apps need some specific font i'm missing, or are just being dumb?
       noUserCacheConf
-    ] ++ lib.optionals (pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform) [
-      # nixpkgs builds a cache file, but only for non-cross. i want it always, so add my own cache -- but ONLY for cross.
-      cacheConf
-    ]);
+    ];
 
     #vvv enables dejavu_fonts, freefont_ttf, gyre-fonts, liberation_ttf, unifont, noto-fonts-emoji
     enableDefaultPackages = false;

hosts/common/programs/gnome-sound-recorder.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  sane.programs.gnome-sound-recorder = {
+    sandbox.wrapperType = "inplace";  #< the binary lives in `share/org.gnome.SoundRecorder`, for some reason.
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      ".local/share/org.gnome.SoundRecorder"  #< this is where it saves recordings
+      # additionally, gnome-sound-recorder has the option to "export" audio out of this directory:
+      # opens a file chooser for where to save the file (maybe via the portal??)
+    ];
+  };
+}

hosts/common/programs/go2tv.nix

@@ -42,12 +42,22 @@
 # - mkv container + H.265 video + E-AC-3/48k stereo audio:
 #   - LGTV: no transcoding needed
 #
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.sane.programs.go2tv;
 in
 {
   sane.programs.go2tv = {
+    # `go2tv`: interactive, via GUI or curses
+    # `go2tv-lite`: non-interactive, logs to console
+    packageUnwrapped = pkgs.symlinkJoin {
+      name = "go2tv";
+      paths = [
+        pkgs.go2tv
+        pkgs.go2tv-lite
+      ];
+    };
+
     sandbox.net = "clearnet";
     sandbox.autodetectCliPaths = "existingFile";
     # for GUI invocation, allow the common media directories

hosts/common/programs/gpodder.nix

@@ -19,8 +19,10 @@ in {
       # - GPODDER_DISABLE_EXTENSIONS ("yes" or "no")
       extraMakeWrapperArgs = (base.extraMakeWrapperArgs or []) ++ [
         "--set" "GPODDER_HOME" "~/.local/share/gPodder"
+        # "--run" "export GPODDER_HOME=~/.local/share/gPodder"  #< unquote `~/.local/share/gPodder` to force run-time home expansion
         # place downloads in a shared media directory to ensure sandboxed apps can read them
         "--set" "GPODDER_DOWNLOAD_DIR" "~/Videos/gPodder"
+        # "--run" "export GPODDER_DOWNLOAD_DIR=~/Videos/gPodder"
       ];
     });
 
@@ -34,6 +36,12 @@ in {
 
     fs.".config/gpodderFeeds.opml".symlink.text = feeds.feedsToOpml wanted-feeds;
 
+    services.gpodder-ensure-feeds = {
+      description = "synchronize static OPML feeds into gPodder's subscription database";
+      partOf = [ "default" ];
+      startCommand = ''gpodder-ensure-feeds ''${HOME}/.config/gpodderFeeds.opml'';
+    };
+
     persist.byStore.plaintext = [
       "Videos/gPodder"
       # if you don't persist its database, you get untracked (and hence non-gc'd) downloads, plus slooow startup.

hosts/common/programs/gst-launch.nix

@@ -8,8 +8,9 @@
     packageUnwrapped = (
       pkgs.linkBinIntoOwnPackage pkgs.gst_all_1.gstreamer "gst-launch-1.0"
     ).overrideAttrs (base: {
-      # XXX the binaries need `GST_PLUGIN_SYSTEM_PATH_1_0` set to function,
-      # but nixpkgs doesn't set those.
+      # XXX the binaries need `GST_PLUGIN_SYSTEM_PATH_1_0` set to function.
+      # nixpkgs sets that to /run/current-system/sw/lib/gstreamer-1.0 and /etc/profiles/per-user/colin/lib/gstreamer-1.0,
+      # but that only works so long as i install the plugins system-wide (which i don't want to).
       nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
         pkgs.wrapGAppsNoGuiHook
       ];

hosts/common/programs/itgmania.nix

@@ -17,23 +17,11 @@
 #   - https://fitupyourstyle.com/
 #     allows search by difficulty
 # - dl packs from <https://stepmaniaonline.net>
-{ lib, pkgs, ... }:
+{ ... }:
 {
   sane.programs.itgmania = {
     buildCost = 1;
 
-    packageUnwrapped = pkgs.itgmania.overrideAttrs (upstream: {
-      # XXX(2024-12-29): itgmania (and stepmania) have to be run from their bin directory, else they silently exit
-      nativeBuildInputs = upstream.nativeBuildInputs ++ [
-        pkgs.makeWrapper
-      ];
-      postInstall = lib.replaceStrings
-        [ "ln -s $out/itgmania/itgmania $out/bin/itgmania" ]
-        [ "makeWrapper $out/itgmania/itgmania $out/bin/itgmania --run 'cd ${placeholder "out"}/itgmania'" ]
-        upstream.postInstall
-      ;
-    });
-
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
     sandbox.whitelistX = true;  #< TODO: is this needed? try QT_QPA_PLATFORM=wayland or SDL_VIDEODRIVER=wayland

hosts/common/programs/mpv/default.nix

@@ -233,6 +233,7 @@ in
 
     # mime.priority = 200;  # default = 100; 200 means to yield to other apps
     mime.priority = 50;  # default = 100; 50 in order to take precedence over vlc.
+    mime.associations."audio/amr" = "mpv.desktop";  #< GSM, e.g. voicemail files
     mime.associations."audio/flac" = "mpv.desktop";
     mime.associations."audio/mpeg" = "mpv.desktop";
     mime.associations."audio/x-opus+ogg" = "mpv.desktop";

hosts/common/programs/neovim/default.nix

@@ -4,7 +4,9 @@ moduleArgs@{ lib, pkgs, ... }:
 
 let
   plugins = import ./plugins.nix moduleArgs;
-  plugin-packages = builtins.map (p: p.plugin) plugins;
+  plugin-packages = builtins.filter (x: x != null) (
+    builtins.map (p: p.plugin or null) plugins
+  );
   plugin-configs = lib.concatMapStrings (p:
     lib.optionalString
       (p ? config) (
@@ -77,8 +79,9 @@ in
         # - neovim vendors lua `mpack` library,
         #   which it tries to build for the wrong platform
         #   and its vendored version has diverged in symbol names anyway
+        # TODO: lift this into `overlays/cross.nix`, where i can monitor its upstreaming!
         postPatch = (upstream.postPatch or "") + ''
-          substituteInPlace src/nvim/generators/preload.lua --replace-fail \
+          substituteInPlace src/gen/preload_nlua.lua --replace-fail \
             "require 'nlua0'" "
               vim.mpack = require 'mpack'
               vim.mpack.encode = vim.mpack.pack

hosts/common/programs/neovim/nix_shell.lua

@@ -0,0 +1,78 @@
+-- add to ~/.vimrc to enable file-type detection for `nix-shell` scripts,
+-- e.g. files with `#!nix-shell -i python3 -p python3 -p ...` are recognized as `python` files
+
+-- see <https://neovim.io/doc/user/lua.html#vim.filetype.add()>
+vim.filetype.add {
+  pattern = {
+    ['.*'] = {
+      function(path, bufnr)
+        function test_for_nix_shell_shebang(maybe_hashbang)
+          local bang_payload = string.match(maybe_hashbang, '^#!(.*)$')
+          if not bang_payload then
+            return false -- not a shebang
+          end
+          -- look for `nix-shell` _as its own word_ anywhere in the shebang line
+          for word in string.gmatch(bang_payload, "[^ ]+") do
+            if word == "nix-shell" then
+              return true
+            end
+          end
+        end
+
+        -- extract `$interpreter` from some `#!nix-shell -i $interpreter ...` line
+        function parse_nix_shell(maybe_nix_shell)
+          local shell_payload = string.match(maybe_nix_shell, "^#!nix%-shell(.*)$")
+
+          if not shell_payload then
+            return
+          end
+
+          local interpreters = {}
+          local context = nil
+          for word in string.gmatch(shell_payload, "[^ ]+") do
+            if context == "-i" then
+              table.insert(interpreters, word)
+              context = nil
+            elseif word == "-i" then
+              context = "-i"
+            end
+            -- this parser doesn't consider _all_ nix flags, and especially things like quotes, etc.
+            -- just keep your nix-shell lines simple...
+          end
+
+          return interpreters[1]
+        end
+
+        function filetype_from_interpreter(i)
+          if string.match(i, "^python") then
+            -- python3, python2.7, etc
+            return "python"
+          else
+            -- very common for interpreter name to be the same as filetype
+            return i
+          end
+        end
+
+        -- docs: <https://neovim.io/doc/user/api.html#nvim_buf_get_lines()>
+        -- nvim_buf_get_lines({buffer}, {start}, {end}, {strict_indexing})
+        -- `start` and `end` are inclusive
+        local first_few_lines = vim.api.nvim_buf_get_lines(bufnr, 0, 5, false)
+        local maybe_hashbang = first_few_lines[1] or ''
+
+        if not test_for_nix_shell_shebang(maybe_hashbang) then
+          return
+        end
+
+        -- search for `#!nix-shell -i $interpreter ...` anywhere in the first few lines of the file
+        for _, line in ipairs(first_few_lines) do
+          local interpreter = parse_nix_shell(line)
+          if interpreter then
+            return filetype_from_interpreter(interpreter)
+          end
+        end
+      end,
+      -- high priority, to overrule vim's native detection (which gives ft=nix to all nix-shell files)
+      { priority = math.huge },
+    },
+  },
+}

hosts/common/programs/neovim/plugins.nix

@@ -192,8 +192,20 @@ with pkgs.vimPlugins;
     plugin = nvim-treesitter.withPlugins (_: (lib.filter (p: p.pname != "unison-grammar") nvim-treesitter.allGrammars) ++ [
       # XXX: this is apparently not enough to enable syntax highlighting!
       # nvim-treesitter ships its own queries which may be distinct from e.g. helix.
-      # the queries aren't included when i ship the grammar in this manner
-      pkgs.tree-sitter-nix-shell
+      # the queries aren't included when i ship the grammar in this manner.
+      # maybe check: <https://github.com/nvim-treesitter/nvim-treesitter/wiki/Extra-modules-and-plugins> ?
+      #
+      # however: tree-sitter for `#!nix-shell` is the WRONG APPROACH.
+      # - because it works via "injection"s, i don't get proper LSP integration.
+      #   i.e. no undefined variable checks, or language-aware function completions
+      # upstream vim showed interest in a similar approach as mine, but w/o the tree-sitter integration:
+      # - <https://groups.google.com/g/vim_dev/c/c-VXsJu-EKA>
+      #   this likely still has the same problem w.r.t. LSP integration.
+      # vim-nix project also has a solution:
+      # - <https://github.com/LnL7/vim-nix/pull/51>
+      #   this overrides the active filetype, so likely *is* what i want.
+      # and i've implemented my own pure-lua .vimrc integration further below
+      # pkgs.tree-sitter-nix-shell
     ]);
     type = "lua";
     config = ''
@@ -227,6 +239,11 @@ with pkgs.vimPlugins;
       vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
     '';
   }
+  {
+    # detect `#!nix-shell -i $interpreter ...` files as filetype=$interpreter
+    type = "lua";
+    config = builtins.readFile ./nix_shell.lua;
+  }
   {
     # show commit which last modified text under the cursor.
     # trigger with `:GitMessenger` or `<Leader>gm` (i.e. `\gm`)

hosts/common/programs/nix.nix

@@ -1,7 +1,7 @@
-{ pkgs, ... }:
+{ ... }:
 {
   sane.programs.nix = {
-    packageUnwrapped = pkgs.nixVersions.latest;
+    # packageUnwrapped = pkgs.nixVersions.latest;  #< XXX(2025-03-17): sometimes `nixVersions.latest` fails to eval T_T
     sandbox.method = null;  #< TODO: sandbox ?
     env.NIXPKGS_ALLOW_UNFREE = "1";  #< FUCK OFF YOU'RE SO ANNOYING
     persist.byStore.plaintext = [

hosts/common/programs/ols.nix

@@ -19,7 +19,7 @@
       preferLocalBuild = true;
       nativeBuildInputs = [ pkgs.geoclue-ols ];
     } ''
-      cellid-ols-import -o "$out" "${pkgs.opencellid}"
+      cellid-ols-import -o "$out" "${pkgs.opencellid}/cell_towers.csv"
     '';
 
     persist.byStore.private = [

hosts/common/programs/radicale.nix

@@ -29,7 +29,8 @@ in
     settings.storage.use_cache_subfolder_for_synctoken = true;
     # settings.storage.filesystem_cache_folder = "/var/lib/radicale/cache";
     # settings.storage.filesystem_folder = "/path/to/storage"
-    # settings.auth.type = "none";  # default: none
+    # auth options: none, remote_user, http_x_remote_user, denyall, htpasswd, ldap, imap, dovecot
+    settings.auth.type = "none";  # "none" = allow unrestricted access to any client who can connect
   };
 
   # TODO: service is considered 'up' too early: we should wait, and notify once the http port is bound/listening

hosts/common/programs/sane-input-handler/default.nix

@@ -73,18 +73,17 @@ in
         };
       };
     };
-    packageUnwrapped = pkgs.static-nix-shell.mkBash {
+    packageUnwrapped = pkgs.static-nix-shell.mkYsh {
       pname = "sane-input-handler";
       srcRoot = ./.;
       pkgs = {
-        inherit (pkgs) coreutils jq killall playerctl procps sane-open util-linux wireplumber;
+        inherit (pkgs) coreutils killall playerctl procps sane-open util-linux wireplumber;
         sway = config.sane.programs.sway.package;
       };
     };
     suggestedPrograms = [
       "bonsai"
       # dependencies which get pulled in unconditionally:
-      "jq"
       "killall"
       "playerctl"
       "procps"  #< TODO: reduce to just those parts of procps which are really needed

hosts/common/programs/sane-input-handler/sane-input-handler

@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p bash -p coreutils -p jq -p killall -p playerctl -p procps -p sane-open -p sway -p util-linux -p wireplumber
+#!nix-shell -i ysh -p coreutils -p killall -p oils-for-unix -p playerctl -p procps -p sane-open -p sway -p util-linux -p wireplumber
 # vim: set filetype=bash :
 
 # input map considerations
@@ -56,14 +56,41 @@
 
 
 # increments to use for volume adjustment (in %)
-VOL_INCR=5
-KEYBOARD="${KEYBOARD:-wvkbd-mobintl}"
-CAMERA="${CAMERA:-org.postmarketos.Megapixels.desktop}"
+var VOL_INCR = 5
+var SEEK_INCR = 30
+var SEEK_DECR = 10
+var KEYBOARD = "${KEYBOARD:-wvkbd-mobintl}"
+var CAMERA = "${CAMERA:-org.postmarketos.Megapixels.desktop}"
+var VERBOSITY = 0
+var DRY_RUN = false
 
-action="$1"
+# all known triggers:
+var Triggers = {
+  PowerTap1        : "power_tap_1",
+  PowerTap2        : "power_tap_2",
+  PowerHold        : "power_hold",
+  PowerTap1Hold    : "power_tap_1_hold",
+  PowerAndVolup    : "power_and_volup",
+  PowerAndVoldown  : "power_and_voldown",
+  PowerThenVolup   : "power_then_volup",
+  PowerThenVoldown : "power_then_voldown",
+  VolupTap1        : "volup_tap_1",
+  VolupTap2        : "volup_tap_2",
+  VolupTap3        : "volup_tap_3",
+  VolupHold1       : "volup_hold_1",
+  VolupHold2       : "volup_hold_2",
+  VolupHold3       : "volup_hold_3",
+  VoldownTap1      : "voldown_tap_1",
+  VoldownTap2      : "voldown_tap_2",
+  VoldownTap3      : "voldown_tap_3",
+  VoldownHold1     : "voldown_hold_1",
+  VoldownHold2     : "voldown_hold_2",
+  VoldownHold3     : "voldown_hold_3",
+  VoldownStart     : "voldown_start",
+}
 
-showHelp() {
-  echo "usage: sane-input-handler <action>"
+proc showHelp {
+  echo "usage: sane-input-handler [--verbose [--verbose]] [--dry-run] <action>"
   echo ""
   echo "where action is one of:"
   echo "- power_tap_{1,2}"
@@ -80,239 +107,489 @@ showHelp() {
   echo "- voldown_start"
 }
 
-log() {
-  printf "sane-input-handler: %s\n" "$1"
+proc log (; ...stmts; level, context) {
+  var prefix = "";
+  var formatted = "";
+  if (stmts) {
+    setvar prefix = "$context: " if context else ""
+    setvar formatted = "$(pp value (stmts))"
+  } else {
+    # bare log statement; nothing to pretty-print
+    setvar formatted = context;
+  }
+  echo "[$level] sane-input-handler: $prefix$formatted" >&2
+}
+
+proc die (context=""; ...stmts) {
+  log (level="ERRR", context=context, ...stmts)
+  exit 1
+}
+
+proc info (context=""; ...stmts) {
+  log (level="INFO", context=context, ...stmts)
+}
+
+proc debug (context=""; ...stmts) {
+  if (VERBOSITY >= 1) {
+    log (level="DEBG", context=context, ...stmts)
+  }
+}
+
+proc verbose (context=""; ...stmts) {
+  if (VERBOSITY >= 2) {
+    log (level="VERB", context=context, ...stmts)
+  }
+}
+
+proc trace (...args) {
+  debug (...args)
+  @[args]
+}
+
+proc effect (...args) {
+  if (DRY_RUN) {
+    info "SKIP(dry run)" (...args)
+  } else {
+    trace @[args]
+  }
 }
 
 ## HELPERS
 
 # swaySetOutput true|false
 # turns the display on or off
-swaySetOutput() {
-  swaymsg -- output '*' power "$1"
+proc swaySetOutput (value) {
+  effect swaymsg -- output '*' power "$value"
 }
+
 # swaySetTouch enabled|disabled
 # turns touch input on or off
-swaySetTouch() {
+proc swaySetTouch (value) {
   # XXX(2024/06/09): `type:touch` method is documented, but now silently fails
   # swaymsg -- input type:touch events "$1"
 
-  local inputs=$(swaymsg -t get_inputs --raw | jq '. | map(select(.type == "touch")) | map(.identifier) | join(" ")' --raw-output)
-  for id in "${inputs[@]}"; do
-    swaymsg -- input "$id" events "$1"
-  done
+  var inputs = null
+  swaymsg -t get_inputs --raw | json read (&inputs)
+  for input in (inputs) {
+    if (input.type === "touch") {
+      effect swaymsg -- input "$[input.identifier]" events "$value"
+    }
+  }
 }
 
-# success if all touch inputs have their events enabled
-swayGetTouch() {
-  swaymsg -t get_inputs --raw \
-    | jq --exit-status '. | map(select(.type == "touch")) | all(.libinput.send_events == "enabled")' \
-    > /dev/null
-}
-# success if all outputs have power
-swayGetOutput() {
-  swaymsg -t get_outputs --raw \
-    | jq --exit-status '. | all(.power)' \
-    > /dev/null
+# true if all touch inputs have their events enabled
+func swayGetTouch () {
+  var inputs = null
+  swaymsg -t get_inputs --raw | json read (&inputs)
+
+  var num_touch_enabled = 0
+  var num_touch_disabled = 0
+  for input in (inputs) {
+    if (input.type === "touch") {
+      var send_events = input.libinput.send_events
+      case (send_events) {
+        ("enabled") {
+          setvar num_touch_enabled += 1
+        }
+        ("disabled") {
+          setvar num_touch_disabled += 1
+        }
+        (else) {
+          info "swayGetTouch" ("unknown 'libinput.send_events' value:", send_events)
+        }
+      }
+    }
+  }
+  return (num_touch_disabled === 0)
 }
 
-isAllOn() {
-  swayGetOutput && swayGetTouch
+# true if all outputs have power
+func swayGetOutput () {
+  var outputs = null
+  swaymsg -t get_outputs --raw | json read (&outputs)
+
+  var num_power_true = 0
+  var num_power_false = 0
+  for output in (outputs) {
+    case (output.power) {
+      (true) {
+        setvar num_power_true += 1
+      }
+      (false) {
+        setvar num_power_false += 1
+      }
+      (else) {
+        info "swayGetOutput" ("unknown 'power' value:", output.power)
+      }
+    }
+  }
+  return (num_power_false === 0)
 }
 
-isInhibited() {
-  pidof rofi
+# crawls the `swaymsg -t get_tree` output recursively, to return all window objects
+func swayWindowsFromTree (root) {
+  var windows = []
+  for node in (root.nodes) {
+    for w in (swayWindowsFromTree (node)) {
+      call windows->append(w)
+    }
+  }
+
+  if (root.type === "con") {
+    # windows are identified, perhaps, by type = "con" or app_id = *
+    call windows->append(root)
+  }
+
+  return (windows)
 }
 
-handleWith() {
-  local state=
-  if [ -n "$_isInhibited" ]; then
-    state="inhibited+"
-  fi
-  if [ -n "$_isAllOn" ]; then
-    state="${state}on"
-  else
-    state="${state}off"
-  fi
-  log "state=$state action=$action: handleWith: $*"
-  "$@"
-  exit $?
+# returns a json object representing the currently focused window
+func swayGetFocusedWindow () {
+  var nodes = null;
+  swaymsg -t get_tree --raw | json read (&nodes)
+
+  var windows = swayWindowsFromTree (nodes)
+  for w in (windows) {
+    if (w.focused) {
+      return (w)
+    }
+  }
 }
 
+func swayIsFullscreen () {
+  var w = swayGetFocusedWindow()
+  if (not w) {
+    info swayIsFullscreen ("couldn't determine focused window")
+    return (false)
+  }
+  debug "swayIsFullscreen" (w)
+  return (w.fullscreen_mode === 1)
+}
+
+# true if rofi is visible
+func rofiGet () {
+  if pidof rofi {
+    return (true)
+  } else {
+    return (false)
+  }
+}
+
+var MEMOIZED = {}
+func memoize (name, f) {
+  var expr = null
+  if (name in MEMOIZED) {
+    setvar expr = MEMOIZED[name]
+    verbose "memoize(cached)" (name, expr)
+  } else {
+    verbose "memoize(uncached)" (name)
+    # setvar expr = f()
+    setvar expr = io->evalExpr (f)
+    verbose "memoize(uncached -> cached)" (name, expr)
+    setglobal MEMOIZED[name] = expr
+  }
+  return (expr)
+}
+
+func isAllOn () {
+  return (memoize ("isAllOn", ^[swayGetOutput() and swayGetTouch()]))
+}
+
+func isInhibited () {
+  return (memoize ("rofiGet", ^[rofiGet()]))
+}
+
+func isFullscreen () {
+  return (memoize ("swayIsFullscreen", ^[swayIsFullscreen()]))
+}
 
 ## HANDLERS
-ignore() {
-  true
+proc ignore {
+  :
 }
-inhibited() {
-  true
-}
-unmapped() {
-  true
+proc inhibited {
+  :
 }
 
-allOn() {
+proc allOn {
   swaySetOutput true
   swaySetTouch enabled
 }
-allOff() {
+proc allOff {
   swaySetOutput false
   swaySetTouch disabled
 }
 
-toggleKeyboard() {
-  local keyboardPid=$(pidof "$KEYBOARD")
-  if [ -z "$keyboardPid" ]; then
-    log "cannot find $KEYBOARD"
+proc toggleKeyboard {
+  var keyboardPids = $(pidof "$KEYBOARD" || echo "") => split(" ")
+  if (not keyboardPids) {
+    info "toggleKeyboard: cannot find keyboard" (KEYBOARD)
     return
-  fi
+  }
 
-  for p in $keyboardPid; do
+  for p in (keyboardPids) {
     # `env` so that we get the right `kill` binary instead of bash's builtin
     # `kill` only one keyboard process. in the case of e.g. sandboxing,
     # the keyboard might consist of multiple processes and each one we signal would cause a toggle
-    if env kill -s RTMIN+0 "$p"; then
+    try {
+      effect env kill -s RTMIN+0 "$p"
+    }
+    if ! failed {
       break
-    fi
-  done
+    }
+  }
 }
 
-## DISPATCHERS
-
-dispatchDefault() {
-  case "$action" in
-    "power_tap_2")
-      # power twice => screenoff
-      handleWith allOff
-      ;;
-    "power_hold")
-      # power twice => toggle media player
-      handleWith playerctl play-pause
-      ;;
-
-    volup_tap*)
-      handleWith wpctl set-volume @DEFAULT_AUDIO_SINK@ "$VOL_INCR"%+
-      ;;
-    voldown_tap*)
-      handleWith wpctl set-volume @DEFAULT_AUDIO_SINK@ "$VOL_INCR"%-
-      ;;
-  esac
+proc togglePlayback {
+  effect playerctl play-pause
 }
 
-dispatchOff() {
-  case "$action" in
-    "power_tap_1")
-      # power once => unlock
-      handleWith allOn
-      ;;
-    "power_tap_1_hold")
-      # power tap->hold: escape hatch for when bonsaid locks up
-      handleWith systemctl restart bonsaid
-      ;;
-    volup_hold*)
-      handleWith playerctl position 30+
-      ;;
-    voldown_hold*)
-      handleWith playerctl position 10-
-      ;;
-  esac
+proc volumeUp {
+  effect wpctl set-volume '@DEFAULT_AUDIO_SINK@' "$VOL_INCR"%+
 }
 
-dispatchOn() {
-  case "$action" in
-    # power_tap_1: intentional default to no-op (it's important this be unmapped, because events can be misordered with power_tap_1 arriving *after* power_tap_2)
-    # power_tap_2: intentional default to screenoff
-    "power_tap_1_hold")
-      # power tap->hold: kill active window
-      # TODO: disable this if locked (with e.g. schlock, swaylock, etc)
-      handleWith swaymsg kill
-      ;;
-    "power_and_volup")
-      # power (hold) -> volup: take screenshot
-      handleWith sane-open --application sane-screenshot.desktop
-      ;;
-    "power_and_voldown")
-      # power (hold) -> voldown: open camera
-      handleWith sane-open --auto-keyboard --application "$CAMERA"
-      ;;
-    "power_then_volup")
-      # power (tap) -> volup: rotate CCW
-      handleWith swaymsg -- output '-' transform 90 anticlockwise
-      ;;
-    "power_then_voldown")
-      # power (tap) -> voldown: rotate CW
-      handleWith swaymsg -- output '-' transform 90 clockwise
-      ;;
-
-    "volup_tap_1")
-      # volume up once: filesystem browser
-      handleWith sane-open --auto-keyboard --application rofi-filebrowser.desktop
-      ;;
-    "volup_hold_1")
-      # volume up hold: browse files and apps
-      # reset fs directory: useful in case you get stuck in broken directory (e.g. one which lacks a `..` entry)
-      rm -f ~/.cache/rofi/rofi3.filebrowsercache
-      handleWith sane-open --auto-keyboard --application rofi.desktop
-      ;;
-
-    "voldown_start")
-      # volume down once: toggle keyboard
-      handleWith toggleKeyboard
-      ;;
-    "voldown_hold_1")
-      # hold voldown to launch terminal
-      # note we already triggered the keyboard; that's fine: usually keyboard + terminal go together :)
-      handleWith sane-open --auto-keyboard --application xdg-terminal-exec.desktop
-      ;;
-    "voldown_tap_1")
-      # swallow, to prevent keyboard from also triggering media controls
-      handleWith ignore
-      ;;
-    voldown_hold_*)
-      # swallow, to prevent terminal from also triggering media controls
-      handleWith ignore
-      ;;
-  esac
+proc volumeDown {
+  effect wpctl set-volume '@DEFAULT_AUDIO_SINK@' "$VOL_INCR"%-
 }
 
-dispatchInhibited() {
-  case "$action" in
-    "power_tap_1_hold")
-      # power hold: escape hatch in case rofi has hung
-      handleWith killall -9 rofi
-      ;;
-    *)
-      # eat everything else (and let rofi consume it)
-      handleWith inhibited
-      ;;
-  esac
+proc restartBonsai {
+  effect systemctl restart bonsaid
 }
 
-dispatchToplevel() {
-  _isAllOn="$(isAllOn && echo 1 || true)"
-
-  if [ -z "$_isAllOn" ]; then
-    dispatchOff
-  else
-    _isInhibited="$(isInhibited && echo 1 || true)"
-    if [ -n "$_isInhibited" ]; then
-      dispatchInhibited
-    else
-      dispatchOn
-    fi
-  fi
-
-  dispatchDefault
+proc seekForward {
+  effect playerctl position "$SEEK_INCR"+
 }
 
-case "$action" in
-  (--help)
+proc seekBackward {
+  effect playerctl position "$SEEK_DECR"-
+}
+
+proc killWindow {
+  effect swaymsg kill
+}
+
+proc takeScreenshot {
+  effect sane-open --application sane-screenshot.desktop
+}
+
+proc openCamera {
+  effect sane-open --auto-keyboard --application "$CAMERA"
+}
+
+proc rotateCCW {
+  effect swaymsg -- output '-' transform 90 anticlockwise
+}
+
+proc rotateCW {
+  effect swaymsg -- output '-' transform 90 clockwise
+}
+
+proc openFilebrowser {
+  effect sane-open --auto-keyboard --application rofi-filebrowser.desktop
+}
+
+proc openFilebrowserWithApps {
+  # reset fs directory: useful in case you get stuck in broken directory (e.g. one which lacks a `..` entry)
+  effect rm -f ~/.cache/rofi/rofi3.filebrowsercache
+  effect sane-open --auto-keyboard --application rofi.desktop
+}
+
+proc openTerminal {
+  effect sane-open --auto-keyboard --application xdg-terminal-exec.desktop
+}
+
+proc killRofi {
+  effect killall -9 rofi
+}
+
+# index of all possible responses, to allow lookup by-name
+var Responses = {
+  allOn: allOn,
+  allOff: allOff,
+  toggleKeyboard: toggleKeyboard,
+  togglePlayback: togglePlayback,
+  volumeUp: volumeUp,
+  volumeDown: volumeDown,
+  restartBonsai: restartBonsai,
+  seekForward: seekForward,
+  seekBackward: seekBackward,
+  killWindow: killWindow,
+  takeScreenshot: takeScreenshot,
+  openCamera: openCamera,
+  rotateCCW: rotateCCW,
+  rotateCW: rotateCW,
+  openFilebrowser: openFilebrowser,
+  openFilebrowserWithApps: openFilebrowserWithApps,
+  openTerminal: openTerminal,
+  killRofi: killRofi,
+}
+
+func Handler_exec(self) {
+  var resp = self.response
+  resp  #< this executes the response
+}
+
+var Handler = Object(null, {
+  # methods
+  exec: Handler_exec,
+  # instance state
+  trigger: null, #< name of action the _user_ performed
+  response: null, #< bound proc to invoke in response to the trigger
+  name: null, #< friendly name of response; should just be the stringified form of `response`
+  screen: false, #< screen must be on for this response to trigger
+  fullscreen: false, #< desktop view must be fullscreen for this response to trigger
+  sys_menu: false, #< system menu must be active for this response to trigger
+  off: false, #< screen must be off for this response to trigger
+})
+
+func Dispatcher_add_handler(self, trigger, response; screen=false, fullscreen=false, sys_menu=false, off=false) {
+  call self.handlers[trigger]->append(Object(Handler, {
+    trigger: trigger,
+    response: Responses[response],
+    name: response,
+    screen: screen,
+    fullscreen: fullscreen,
+    sys_menu: sys_menu,
+    off: off,
+  }))
+}
+
+func Dispatcher_new() {
+  var handlers = {}
+  for _k, v in (Triggers) {
+    assert (v not in handlers)
+    setvar handlers[v] = []
+  }
+  return (Object(Dispatcher, { handlers: handlers }))
+}
+
+func Dispatcher_default() {
+  var inst = Dispatcher.new()
+
+  call inst->add_handler(Triggers.PowerHold,        "togglePlayback",  fullscreen=true, screen=true, off=true)
+  call inst->add_handler(Triggers.VolupHold1,       "seekForward",     fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VolupHold2,       "seekForward",     fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VolupHold3,       "seekForward",     fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VoldownHold1,     "seekBackward",    fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VoldownHold2,     "seekBackward",    fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VoldownHold3,     "seekBackward",    fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VolupTap1,        "volumeUp",        fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VolupTap2,        "volumeUp",        fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VolupTap3,        "volumeUp",        fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VoldownTap1,      "volumeDown",      fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VoldownTap2,      "volumeDown",      fullscreen=true, off=true)
+  call inst->add_handler(Triggers.VoldownTap3,      "volumeDown",      fullscreen=true, off=true)
+
+  call inst->add_handler(Triggers.PowerTap1,        "allOn",           off=true)
+  call inst->add_handler(Triggers.PowerTap1Hold,    "restartBonsai",   off=true)
+
+  call inst->add_handler(Triggers.PowerTap2,        "allOff",          fullscreen=true, screen=true, off=true)
+  call inst->add_handler(Triggers.PowerTap1Hold,    "killWindow",      fullscreen=true, screen=true)
+  call inst->add_handler(Triggers.PowerThenVolup,   "rotateCCW",       fullscreen=true, screen=true)
+  call inst->add_handler(Triggers.PowerThenVoldown, "rotateCW",        fullscreen=true, screen=true)
+
+  call inst->add_handler(Triggers.PowerAndVolup,    "takeScreenshot",  screen=true)
+  call inst->add_handler(Triggers.PowerAndVoldown,  "openCamera",      screen=true)
+  call inst->add_handler(Triggers.VolupTap1,        "openFilebrowser", screen=true)
+  call inst->add_handler(Triggers.VolupHold1,       "openFilebrowserWithApps", screen=true)
+  call inst->add_handler(Triggers.VoldownStart,     "toggleKeyboard",  screen=true)
+  call inst->add_handler(Triggers.VoldownHold1,     "openTerminal",    screen=true)
+
+  call inst->add_handler(Triggers.PowerTap1Hold,    "killRofi",        sys_menu=true)
+
+  return (inst)
+}
+
+func Dispatcher_get(self, trigger) {
+  var candidates = self.handlers[trigger]
+
+  var applicable = []
+  for c in (candidates) {
+    # TODO: this logic can be optimized!
+    var match = false
+    if (isAllOn()) {
+      if (isFullscreen()) {
+        verbose "state = fullscreen"
+        setvar match = c.fullscreen
+      } elif (isInhibited()) {
+        verbose "state = inhibited"
+        setvar match = c.sys_menu
+      } else {
+        verbose "state = screen"
+        setvar match = c.screen
+      }
+    } else {
+      verbose "state = off"
+      setvar match = c.off
+    }
+    if (match) {
+      debug "Dispatcher.get: found applicable" (c)
+      call applicable->append(c)
+    }
+  }
+
+  case (len(applicable)) {
+    (0) {
+      debug "Dispatcher.get: no applicable candidates for trigger" (trigger)
+      return (null)
+    }
+    (1) {
+      var a = applicable[0]
+      verbose "Dispatcher.get: filtered to 1 candidate" (trigger, a)
+      return (a)
+    }
+    (else) {
+      # TODO: this should be a static assertion, not a runtime check!
+      die "Dispatcher.get: filtered to multiple candidates" (trigger, applicable)
+    }
+  }
+}
+
+var Dispatcher = Object(null, {
+  ## class methods
+  default: Dispatcher_default,
+  new: Dispatcher_new,
+  ## methods
+  "M/add_handler": Dispatcher_add_handler,
+  get: Dispatcher_get,
+  ## instance state
+  handlers: {}  # trigger -> List[Handler]
+})
+
+
+var trigger = null
+var doShowHelp = false
+proc parseArgs (; ...args) {
+  for arg in (args) {
+    case (arg) {
+      ("--dry-run") {
+        setglobal DRY_RUN = true
+      }
+      ("--help") {
+        setglobal doShowHelp = true
+      }
+      ("--verbose") {
+        setglobal VERBOSITY += 1
+      }
+      (else) {
+        setglobal trigger = "$arg"
+      }
+    }
+  }
+}
+
+if is-main {
+  parseArgs (...ARGV)
+
+  if (doShowHelp) {
     showHelp
     exit 0
-    ;;
-  (*)
-    dispatchToplevel
-    handleWith unmapped
-    ;;
-esac
+  }
 
+  var dispatcher = Dispatcher.default()
+  var handler = dispatcher.get(trigger)
+  info "handling" (trigger, handler and handler.name)
+  if (handler) {
+    call handler.exec()
+  }
+}

hosts/common/programs/sane-scripts.nix

@@ -135,6 +135,10 @@ in
     "sane-scripts.reboot".sandbox = {
       method = "bunpen";
       whitelistSystemctl = true;
+      capabilities = [
+        "sys_admin"
+      ];
+      tryKeepUsers = true;  #< allow `sudo sane-reboot`, for the case where the service manager is unreachable
     };
 
     "sane-scripts.reclaim-disk-space".sandbox = {

hosts/common/programs/ssh.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.ssh;
+in
+{
+  sane.programs.ssh = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.openssh "ssh";
+    sandbox.method = null;  #< TODO: sandbox
+  };
+
+  programs.ssh = lib.mkIf cfg.enabled {
+    # fixes the following error when running ssh (e.g. via `git`) in a sandbox:
+    # "Bad owner or permissions on /nix/store/<hash>-systemd-257.3/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf"
+    # - that error is caused because openssh wants config files to be 0220 UNLESS said config file is owned by root or self.
+    #   the `bunpen` and `bwrap` user namespace sandboxes map root -> nobody, so openssh fails the check.
+    #   by avoiding the include, we hack around this limitation.
+    systemd-ssh-proxy.enable = false;
+  };
+}

hosts/common/programs/sway/config

@@ -218,6 +218,8 @@ input type:touchpad {
 input "type:keyboard" xkb_options caps:escape
 
 ## SHARED
+# USB DAC: don't emulate media keys, as they tend to false trigger on plug events or noisy lines
+input "3034:19984:Generic_USB_Audio_Consumer_Control" events disabled
 # TV
 output $out_tv {
   pos 1920,0

hosts/common/programs/tangram.nix

@@ -2,20 +2,9 @@
 # it views each tab as a distinct application, persisted, and where the 'home' button action is specific to each tab.
 # it supports ephemeral tabs, but UX is heavily geared to GCing those as early as possible.
 
-{ pkgs, ... }:
+{ ... }:
 {
   sane.programs.tangram = {
-    # XXX(2023/07/08): running on moby without disabling the webkit sandbox fails, with:
-    # - `bwrap: Can't make symlink at /var/run: File exists`
-    # see epiphany.nix for more info
-    packageUnwrapped = pkgs.tangram.overrideAttrs (upstream: {
-      preFixup = ''
-        gappsWrapperArgs+=(
-          --set WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS "1"
-        );
-      '' + (upstream.preFixup or "");
-    });
-
     buildCost = 2;
 
     sandbox.net = "clearnet";

hosts/common/programs/zelda64recomp.nix

@@ -0,0 +1,30 @@
+{ pkgs, ... }:
+{
+  sane.programs.zelda64recomp = {
+    # upstream package places non-binaries (e.g. art assets) in `bin/`;
+    # this especially confuses my sandboxer.
+    # so link only the files i want to be visible:
+    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.zelda64recomp [
+      "bin/Zelda64Recompiled"
+      "share/applications"
+      "share/icons"
+    ];
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+    sandbox.whitelistX = true;  #< TODO: it uses SDL; i might be able to get it to run on wayland only
+
+    sandbox.extraPaths = [
+      "/dev/input"  #< for controllers (speculative)
+    ];
+
+    sandbox.mesaCacheDir = ".cache/Zelda64Recompiled/mesa";
+
+    fs.".config/Zelda64Recompiled/mm.n64.us.1.0.z64".symlink.target = pkgs.mm64baserom;
+    # also config files for: graphics.json, general.json, controls.json, sound.json
+
+    persist.byStore.plaintext = [
+      ".config/Zelda64Recompiled/saves"
+    ];
+  };
+}

hosts/common/programs/zsh/default.nix

@@ -78,10 +78,34 @@ in
 
       # fixup bindings not handled by bash, see: <https://wiki.archlinux.org/title/Zsh#Key_bindings>
       # `bindkey -e` seems to define most of the `key` array. everything in the Arch defaults except for these:
-      key[Backspace]="''${terminfo[kbs]}"
-      key[Control-Left]="''${terminfo[kLFT5]}"
-      key[Control-Right]="''${terminfo[kRIT5]}"
-      key[Shift-Tab]="''${terminfo[kcbt]}"
+      if [[ -z "''${key[Backspace]}" ]]; then
+        key[Backspace]="''${terminfo[kbs]}"
+      fi
+      if [[ -z "''${key[Control-Left]}" ]]; then
+        key[Control-Left]="''${terminfo[kLFT5]}"
+      fi
+      if [[ -z "''${key[Control-Right]}" ]]; then
+        key[Control-Right]="''${terminfo[kRIT5]}"
+      fi
+      if [[ -z "''${key[Shift-Tab]}" ]]; then
+        key[Shift-Tab]="''${terminfo[kcbt]}"
+      fi
+
+      # XXX(2025-04-12): Control-Left and Control-Right sometimes _still_ don't exist (e.g. raw TTYs, ssh).
+      # build them from `^` + `Left` instead:
+      if [[ -z "''${key[Left]}" ]]; then
+        key[Left]="''${terminfo[kcub1]}"
+      fi
+      if [[ -z "''${key[Right]}" ]]; then
+        key[Right]="''${terminfo[kcuf1]}"
+      fi
+      if [[ -z "''${key[Control-Left]}" ]] && [[ -n "''${key[Left]}" ]]; then
+        key[Control-Left]="^''${key[Left]}"
+      fi
+      if [[ -z "''${key[Control-Right]}" ]] && [[ -n "''${key[Right]}" ]]; then
+        key[Control-Right]="^''${key[Right]}"
+      fi
+
       bindkey -- "''${key[Delete]}"     delete-char
       bindkey -- "''${key[Control-Left]}"  backward-word
       bindkey -- "''${key[Control-Right]}"  forward-word
@@ -95,8 +119,14 @@ in
       # bindkey "^''${key[Left]}"  backward-word
       # bindkey "^''${key[Right]}" forward-word
 
+      # disable "flow control" (Ctrl+S to suspend terminal, Ctrl+Q to resume).
+      # see: <https://forum.endeavouros.com/t/alacritty-flow-control-turn-off/6199/12>
+      stty -ixon
+
       # run any additional, sh-generic commands (useful for e.g. launching a login manager on login)
-      test -e ~/.profile && source ~/.profile
+      if [[ -e ~/.profile ]]; then
+        source ~/.profile
+      fi
     '';
   };
 

hosts/common/snapper.nix

@@ -21,18 +21,11 @@
     TIMELINE_CLEANUP = true;  # remove old snapshots every 24h
     TIMELINE_CREATE = true;  # take a snapshot every hour
 
-    TIMELINE_LIMIT_HOURLY = 2;
-    TIMELINE_LIMIT_DAILY = 2;
-    TIMELINE_LIMIT_WEEKLY = 0;
+    TIMELINE_LIMIT_HOURLY = 12;
+    TIMELINE_LIMIT_DAILY = 7;  # keep snapshots for 1d ago, 2d ago, ... 7day ago
+    TIMELINE_LIMIT_WEEKLY = 4;  # keep snapshots for 7d ago, 14d ago, 21d ago, 28d ago
     TIMELINE_LIMIT_MONTHLY = 0;
     TIMELINE_LIMIT_YEARLY = 0;
-
-    # TODO: enable these better settings, but i need higher capacity drives first!
-    # TIMELINE_LIMIT_HOURLY = 12;
-    # TIMELINE_LIMIT_DAILY = 7;  # keep snapshots for 1d ago, 2d ago, ... 7day ago
-    # TIMELINE_LIMIT_WEEKLY = 4;  # keep snapshots for 7d ago, 14d ago, 21d ago, 28d ago
-    # TIMELINE_LIMIT_MONTHLY = 0;
-    # TIMELINE_LIMIT_YEARLY = 0;
   };
 
   services.snapper.cleanupInterval = "2h";  # how frequently to gc snapshots no longer covered by the above policy (default: daily)

hosts/modules/hal/pine64-pinephone/kernel.nix

@@ -34,7 +34,6 @@ in
     # boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux-megous.override {
     #   withMegiPinephoneConfig = true;  #< N.B.: does not boot as of 2024/05/22!
     # });
-    # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-manjaro;
     # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
     # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_testing;
     boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-armbian;

impure.nix

@@ -10,7 +10,7 @@
 let
   mkNixpkgs = import ./pkgs/by-name/nixpkgs-bootstrap/mkNixpkgs.nix {};
   mkPkgs = branch: args: (
-    mkNixpkgs (args // { inherit branch; })
+    (mkNixpkgs (args // { inherit branch; })).pkgs
   ).extend (import ./overlays/all.nix);
   pkgs = mkPkgs "master" { inherit localSystem; };
   inherit (pkgs) lib;
@@ -31,7 +31,7 @@ let
       passthru = (base.passthru or {}) // {
         inherit (host) config;
         inherit (host.config.sane) fs;
-        inherit (host.config.system.build) imgs pkgs;
+        inherit (host.config.system.build) img pkgs;
         programs = builtins.mapAttrs (_: p: p.package) host.config.sane.programs;
         toplevel = host.config.system.build.toplevel;  #< self
         extendModules = arg: addPassthru (host.extendModules arg);
@@ -39,18 +39,15 @@ let
     });
   in addPassthru plainHost;
   mkHost = args: {
-    # TODO: swap order: $host-{next,staging}-{min,light}:
-    # then lexicographically-adjacent targets would also have the minimal difference in closure,
-    # and the order in which each target should be built is more evident
     "${args.name}" = mkFlavoredHost args;
-    "${args.name}-next" = mkFlavoredHost (args // { branch = "staging-next"; });
-    "${args.name}-staging" = mkFlavoredHost (args // { branch = "staging"; });
     "${args.name}-light" = mkFlavoredHost (args // { variant = "light"; });
-    "${args.name}-light-next" = mkFlavoredHost (args // { variant = "light"; branch = "staging-next"; });
-    "${args.name}-light-staging" = mkFlavoredHost (args // { variant = "light"; branch = "staging"; });
     "${args.name}-min" = mkFlavoredHost (args // { variant = "min"; });
-    "${args.name}-min-next" = mkFlavoredHost (args // { variant = "min"; branch = "staging-next"; });
-    "${args.name}-min-staging" = mkFlavoredHost (args // { variant = "min"; branch = "staging"; });
+    "${args.name}-staging" = mkFlavoredHost (args // { branch = "staging"; });
+    "${args.name}-staging-light" = mkFlavoredHost (args // { branch = "staging"; variant = "light"; });
+    "${args.name}-staging-min" = mkFlavoredHost (args // { branch = "staging"; variant = "min"; });
+    "${args.name}-next" = mkFlavoredHost (args // { branch = "staging-next"; });
+    "${args.name}-next-light" = mkFlavoredHost (args // { branch = "staging-next"; variant = "light"; });
+    "${args.name}-next-min" = mkFlavoredHost (args // { branch = "staging-next"; variant = "min"; });
   };
 
   # this exists to unify my kernel configs across different platforms.
@@ -162,7 +159,9 @@ let
         script = pkgs.writeShellScriptBin "update-${pname}" ''
           # update script assumes $PWD is an entry point to a writable copy of my nix config,
           # so provide that:
-          pushd /home/colin/nixos/integrations/nix-update
+          SELF_PATH=$PWD/$0
+          REPO_ROOT=$(${lib.getExe pkgs.git} -C "$(dirname SELF_PATH)" rev-parse --show-toplevel)
+          pushd $REPO_ROOT/integrations/nix-update
           UPDATE_NIX_NAME=${pkg.name or ""} \
           UPDATE_NIX_PNAME=${pkg.pname or ""} \
           UPDATE_NIX_OLD_VERSION=${pkg.version or ""} \

modules/data/feeds/sources/bluecityblues.org.podcastpage.io/default.json

@@ -0,0 +1,9 @@
+{
+  "description": "<p><b>Twenty years ago, Dan Savage encouraged progressives to move to blue cities to escape the reactionary politics of red places. And he got his wish. Over the last two decades, rural places have gotten redder and urban areas much bluer. &nbsp;</b></p><p><b>&nbsp;<br />America's bluest cities developed their own distinctive culture, politics and governance. They became the leading edge of a cultural transformation that reshaped progressivism, redefined urbanism and remade the Democratic Party.</b></p><p><br /><b>But as blue cities went their own way, as they thrived as economically and culturally vibrant trend-setters, these urban cosmopolitan islands also developed their own distinctive set of problems. Inequality soared, and affordability tanked. And the conversation about those problems stagnated, relegated to the narrowly provincial local section of regional newspapers or local NPR programming.&nbsp;<br /><br />The Blue City Blues podcast aims to pick up where Savage's Urban Archipelago idea left off, with a national perspective on the present and the future of urban America. We will consider blue cities as a collective whole. What unites them? What troubles them? What defines them?&nbsp;</b></p><p><br /></p><p><br /></p>",
+  "is_podcast": true,
+  "site_name": "",
+  "site_url": "",
+  "title": "Blue City Blues",
+  "url": "https://feeds.buzzsprout.com/2418871.rss",
+  "velocity": 0.058
+}

modules/data/feeds/sources/nocturnepodcast.org/default.json

@@ -0,0 +1,9 @@
+{
+  "description": "Peering into the dusty corners of the night",
+  "is_podcast": true,
+  "site_name": "Nocturne",
+  "site_url": "https://www.nocturnepodcast.org",
+  "title": "Nocturne",
+  "url": "https://www.nocturnepodcast.org/feed/podcast",
+  "velocity": 0.03
+}

modules/data/feeds/sources/pods.media/api/rss/feed/channel/unchained/default.json

@@ -0,0 +1,9 @@
+{
+  "description": "Unchained is your no-hype resource for all things crypto. In this podcast, host Laura Shin, founder and CEO of crypto media news outlet Unchained and author of The Cryptopians, talks with industry pioneers about how crypto assets and blockchains will change our digital lives.",
+  "is_podcast": true,
+  "site_name": "pods.media",
+  "site_url": "https://pods.media",
+  "title": "Unchained",
+  "url": "https://pods.media/api/rss/feed/channel/unchained",
+  "velocity": 0.307
+}

modules/services/ollama.nix

@@ -87,7 +87,7 @@ in
 
     # these acceleration settings are relevant to `desko`.
     services.ollama.acceleration = lib.mkIf config.hardware.amdgpu.opencl.enable "rocm";  # AMD GPU acceleration (achieves the same as `nixpkgs.config.rocmSupport = true` but just for ollama)
-    services.ollama.rocmOverrideGfx = "10.1.0";  #< `nix-shell -p "rocmPackages.rocminfo" --run "rocminfo" | grep "gfx"`
+    services.ollama.rocmOverrideGfx = "10.1.0";  #< `nix-shell -p "rocmPackages.rocminfo" --run "rocminfo" | grep "gfx"`  (e.g. gfx1010)
     # services.ollama.environmentVariables.HCC_AMDGPU_TARGET = "gfx1010";  # seems to be unnecessary
 
     users.groups.ollama = {};

overlays/cross.nix

@@ -49,18 +49,35 @@ let
   addDepsBuildBuild = depsBuildBuild: addInputs { inherit depsBuildBuild; };
   mvToNativeInputs = nativeBuildInputs: mvInputs { inherit nativeBuildInputs; };
   mvToBuildInputs = buildInputs: mvInputs { inherit buildInputs; };
-  rmInputs = { buildInputs ? [], nativeBuildInputs ? [] }: pkg: pkg.overrideAttrs (upstream: {
-    buildInputs = lib.subtractLists buildInputs (upstream.buildInputs or []);
-    nativeBuildInputs = lib.subtractLists nativeBuildInputs (upstream.nativeBuildInputs or []);
+  mvToDepsBuildBuild = depsBuildBuild: mvInputs { inherit depsBuildBuild; };
+  rmInputs = { buildInputs ? [], depsBuildBuild ? [], nativeBuildInputs ? [] }: pkg: pkg.overrideAttrs (upstream: {
+    buildInputs = lib.filter
+      (p: !lib.any (rm: p == rm || (p ? name && rm ? name && p.name == rm.name)) buildInputs)
+      (upstream.buildInputs or [])
+    ;
+    depsBuildBuild = lib.filter
+      (p: !lib.any (rm: p == rm || (p ? name && rm ? name && p.name == rm.name)) depsBuildBuild)
+      (upstream.depsBuildBuild or [])
+    ;
+    nativeBuildInputs = lib.filter
+      (p: !lib.any (rm: p == rm || (p ? name && rm ? name && p.name == rm.name)) nativeBuildInputs)
+      (upstream.nativeBuildInputs or [])
+    ;
   });
+  rmBuildInputs = buildInputs: rmInputs { inherit buildInputs; };
   rmNativeInputs = nativeBuildInputs: rmInputs { inherit nativeBuildInputs; };
   # move items from buildInputs into nativeBuildInputs, or vice-versa.
   # arguments represent the final location of specific inputs.
-  mvInputs = { buildInputs ? [], nativeBuildInputs ? [] }: pkg:
-    addInputs { buildInputs = buildInputs; nativeBuildInputs = nativeBuildInputs; }
+  mvInputs = { buildInputs ? [], depsBuildBuild ? [], nativeBuildInputs ? [] }: pkg:
+    addInputs { inherit buildInputs depsBuildBuild nativeBuildInputs; }
     (
-      rmInputs { buildInputs = nativeBuildInputs; nativeBuildInputs = buildInputs; }
-      pkg
+      rmInputs
+        {
+          buildInputs = depsBuildBuild ++ nativeBuildInputs;
+          depsBuildBuild = buildInputs ++ nativeBuildInputs;
+          nativeBuildInputs = buildInputs ++ depsBuildBuild;
+        }
+        pkg
     );
 
   # build a GI_TYPELIB_PATH out of some packages, useful for build-time tools which otherwise
@@ -77,10 +94,41 @@ let
   #     wrapProgram $out/bin/blueprint-compiler --set GI_TYPELIB_PATH ${typelibPath typelibs}
   #   '';
   # });
-  wrapBlueprint = typelibs: final.buildPackages.writeShellScriptBin "blueprint-compiler" ''
-    export GI_TYPELIB_PATH=${typelibPath typelibs}
-    exec ${lib.getExe final.buildPackages.blueprint-compiler} "$@"
-  '';
+  # wrapBlueprint = typelibs: final.buildPackages.writeShellScriptBin "blueprint-compiler" ''
+  #   export GI_TYPELIB_PATH=${typelibPath typelibs}
+  #   exec ${lib.getExe final.buildPackages.blueprint-compiler} "$@"
+  # '';
+
+  #  use like: `p.override { blueprint-compiler = crossBlueprint; }`
+  crossBlueprint = final.buildPackages.blueprint-compiler.overrideAttrs (upstream: {
+    nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
+      final.buildPackages.buildPackages.wrapGAppsNoGuiHook
+    ];
+  });
+  # crossBlueprint = final.pkgsBuildBuild.blueprint-compiler.overrideAttrs (upstream: {
+  #   # blueprint-compiler isn't invokable in a standalone environment.
+  #   # i.e. `blueprint-compiler --help` fails.
+  #   # fix by adding glib typelib.
+  #   # TODO: upstream!  (see `wip-blueprint-compiler` nixpkgs branch)
+  #   nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
+  #     final.pkgsBuildBuild.makeWrapper
+  #   ];
+  #   postFixup = (upstream.postFixup or "") + ''
+  #     wrapProgram $out/bin/blueprint-compiler \
+  #       --prefix GI_TYPELIB_PATH : "${lib.getLib final.pkgsBuildBuild.glib}/lib/girepository-1.0:${lib.getLib final.pkgsBuildBuild.gobject-introspection}/lib/girepository-1.0"
+  #   '';
+
+  #   # propagate gobject-introspection such that it appears in the same host offset as us,
+  #   # and populates GI_TYPELIB_PATH with the correct offset.
+  #   propagatedBuildInputs = [];
+  #   depsTargetTargetPropagated = [ final.gobject-introspection ];
+  # });
+
+  # build a blueprint-based package in a way that is cross-compatible
+  # fixBlueprint = p: mvToDepsBuildBuild [ crossBlueprint ] p;
+  fixBlueprint = p: p.override {
+    blueprint-compiler = crossBlueprint;
+  };
 
   # `cargo` which adds the correct env vars and `--target` flag when invoked from meson build scripts
   crossCargo = let
@@ -178,30 +226,33 @@ in with final; {
   #   shell = runtimeShell;
   # };
 
-  blanket = prev.blanket.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
-  };
+  # blanket = fixBlueprint prev.blanket;
+  # blanket = prev.blanket.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  # };
 
   # 2025/02/04: upstreaming is unblocked, but a cleaner solution than this doesn't seem to exist yet
-  confy = (prev.confy.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
-  }).overrideAttrs (upstream: {
+  # confy = (prev.confy.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  # }).overrideAttrs (upstream: {
+  # confy = (fixBlueprint prev.confy).overrideAttrs (upstream: {
+  confy = prev.confy.overrideAttrs (upstream: {
     # meson's `python.find_installation` method somehow just doesn't support cross compilation.
     # - <https://mesonbuild.com/Python-module.html#find_installation>
     # so, build it to target build python, then patch in the host python
@@ -229,17 +280,19 @@ in with final; {
   });
 
   # 2024/11/19: upstreaming is unblocked
-  dialect = (prev.dialect.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
-  }).overrideAttrs (upstream: {
+  # dialect = (prev.dialect.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  # }).overrideAttrs (upstream: {
+  # dialect = (fixBlueprint prev.dialect).overrideAttrs (upstream: {
+  dialect = prev.dialect.overrideAttrs (upstream: {
     # error: "<dialect> is not allowed to refer to the following paths: <build python>"
     # dialect's meson build script sets host binaries to use build PYTHON
     # disallowedReferences = [];
@@ -269,6 +322,19 @@ in with final; {
     cargo = crossCargo;  #< fixes openssl not being able to find its library
   };
 
+  # extra-cmake-modules = buildPackages.extra-cmake-modules;
+
+  # out for PR: <https://github.com/NixOS/nixpkgs/pull/399981>
+  # fcitx5 = prev.fcitx5.overrideAttrs (upstream: {
+  #   # TODO: CMake probably has some emulator, or cross compiler infra to use here?
+  #   postPatch = (upstream.postPatch or "") + ''
+  #     substituteInPlace src/modules/spell/CMakeLists.txt \
+  #       --replace-fail 'COMMAND Fcitx5::comp-spell-dict' 'COMMAND ${stdenv.hostPlatform.emulator buildPackages} comp-spell-dict'
+  #   '';
+
+  #   buildInputs = lib.filter (p: p.name != extra-cmake-modules.name) upstream.buildInputs;
+  # });
+
   # 2025/01/25: upstreaming is unblocked
   # firejail = prev.firejail.overrideAttrs (upstream: {
   #   # firejail executes its build outputs to produce the default filter list.
@@ -318,32 +384,18 @@ in with final; {
   #    };
   # });
 
-  flare-signal-nixified = prev.flare-signal-nixified.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
-  };
-
-  # 2025/02/08: upstreaming is unblocked
-  flatpak = prev.flatpak.overrideAttrs (upstream: {
-    outputs = lib.remove "devdoc" upstream.outputs;
-    depsBuildBuild = (upstream.depsBuildBuild or []) ++ [
-      pkgsBuildBuild.pkg-config
-    ];
-    nativeBuildInputs = upstream.nativeBuildInputs ++ [
-      gtk-doc
-      pkgsBuildHost.wayland-scanner
-    ];
-    mesonFlags = upstream.mesonFlags ++ [
-      "-Dgtkdoc=disabled"
-    ];
-  });
+  # flare-signal-nixified = fixBlueprint prev.flare-signal-nixified;
+  # flare-signal-nixified = prev.flare-signal-nixified.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  # };
 
   # 2025/01/13: upstreaming is blocked by glycin-loaders
   fractal = prev.fractal.override {
@@ -353,11 +405,6 @@ in with final; {
   # 2025/01/13: upstreaming is unblocked
   glycin-loaders = (prev.glycin-loaders.override {
     cargo = crossCargo;
-  }).overrideAttrs (upstream: {
-    nativeBuildInputs = upstream.nativeBuildInputs ++ [
-      # fixes: loaders/meson.build:72:7: ERROR: Program 'msgfmt' not found or not executable
-      buildPackages.gettext
-    ];
   });
 
   # gnustep = prev.gnustep.overrideScope (self: super: {
@@ -370,23 +417,24 @@ in with final; {
   # });
 
   # 2024/11/19: upstreaming is blocked on qtx11extras (via zbar)
-  gnome-frog = prev.gnome-frog.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
-  };
+  # gnome-frog = prev.gnome-frog.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  # };
+  # gnome-frog = fixBlueprint prev.gnome-frog;
 
   # 2025/01/13: upstreaming is blocked on gnome-shell
   # fixes: "gdbus-codegen not found or executable"
   # gnome-session = mvToNativeInputs [ glib ] super.gnome-session;
 
-  # 2025/01/28: upstreaming is unblocked
+  # 2025/04/19: upstreaming is unblocked
   # gnome-shell = super.gnome-shell.overrideAttrs (orig: {
   #   # fixes "meson.build:128:0: ERROR: Program 'gjs' not found or not executable"
   #   # does not fix "_giscanner.cpython-310-x86_64-linux-gnu.so: cannot open shared object file: No such file or directory"  (python import failure)
@@ -411,7 +459,7 @@ in with final; {
   #   ];
   # });
 
-  # 2025/01/13: blocked on psqlodbc
+  # 2025/04/19: blocked on psqlodbc
   # used by hyprland (which is an indirect dep of waybar, nwg-panel, etc),
   # which it shells out to at runtime (and hence, not ever used by me).
   hyprland-qtutils = null;
@@ -449,17 +497,18 @@ in with final; {
   # });
 
   # 2024/11/19: upstreaming is unblocked
-  komikku = prev.komikku.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
-  };
+  # komikku = fixBlueprint prev.komikku;
+  # komikku = prev.komikku.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  # };
 
   # 2024/08/12: upstreaming is unblocked -- but is this necessary?
   # koreader = prev.koreader.overrideAttrs (upstream: {
@@ -470,14 +519,6 @@ in with final; {
 
   lemoa = prev.lemoa.override { cargo = crossCargo; };
 
-  libqmi = prev.libqmi.overrideAttrs (upstream: {
-    # gtk-doc fails (even with mesonEmulatorHook present)
-    outputs = lib.remove "devdoc" upstream.outputs;
-    mesonFlags = (lib.remove "-Dgtk_doc=true" upstream.mesonFlags) ++ [
-      "-Dgtk_doc=false"
-    ];
-  });
-
   # libsForQt5 = prev.libsForQt5.overrideScope (self: super: {
   #   phonon = super.phonon.overrideAttrs (orig: {
   #     # fixes "ECM (required version >= 5.60), Extra CMake Modules"
@@ -491,7 +532,7 @@ in with final; {
   #   callPackage = self.newScope { inherit (self) qtCompatVersion qtModule srcs; inherit stdenv; };
   # });
 
-  # 2024/11/19: upstreaming blocked on glycin-loaders
+  # 2025/04/04: upstreaming blocked on glycin-loaders
   loupe = prev.loupe.override {
     cargo = crossCargo;
   };
@@ -534,24 +575,28 @@ in with final; {
 
   # fixes: "ar: command not found"
   # `ar` is provided by bintools
-  # 2025/01/13: upstreaming is unblocked by deps; but turns out to not be this simple
+  # 2025/04/04: upstreaming is unblocked by deps; but turns out to not be this simple
   # ncftp = addNativeInputs [ bintools ] prev.ncftp;
 
-  # 2024/11/19: upstreaming is unblocked
+  # 2025/04/04: upstreaming is unblocked
+  # newsflash = (prev.newsflash.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.clapper
+  #     buildPackages.glib
+  #     buildPackages.gtk4
+  #     buildPackages.gst_all_1.gstreamer
+  #     buildPackages.gst_all_1.gst-plugins-base
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.pango
+  #     buildPackages.graphene
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #   ];
+  #   cargo = crossCargo;  #< fixes openssl not being able to find its library
+  # }).overrideAttrs (upstream: {
   newsflash = (prev.newsflash.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.clapper
-      buildPackages.glib
-      buildPackages.gtk4
-      buildPackages.gst_all_1.gstreamer
-      buildPackages.gst_all_1.gst-plugins-base
-      buildPackages.gdk-pixbuf
-      buildPackages.pango
-      buildPackages.graphene
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-    ];
-    cargo = crossCargo;  #< fixes openssl not being able to find its library
+    # blueprint-compiler = crossBlueprint;
+    cargo = crossCargo;
   }).overrideAttrs (upstream: {
     postPatch = (upstream.postPatch or "") + ''
       rm build.rs
@@ -658,18 +703,33 @@ in with final; {
   #   # buildInputs = lib.remove gnupg upstream.buildInputs;
   # });
 
-  # 2025/02/10: upstreaming is blocked on ruby
-  nvimpager = prev.nvimpager.overrideAttrs (upstream: {
-    # fix so nvimpager specifies host machine sh as interpreter, not build sh
-    buildInputs = upstream.buildInputs ++ [
-      bash
-    ];
-    postFixup = (upstream.postFixup or "") + ''
-      patchShebangs --update --host $out/bin/nvimpager
+  # 2025-03-29: upstreaming is unblocked, but most of this belongs in _oils_ repo
+  oils-for-unix = prev.oils-for-unix.overrideAttrs (upstream: {
+    postPatch = (upstream.postPatch or "") + ''
+      substituteInPlace configure \
+        --replace-fail 'if ! cc ' 'if ! $FLAG_cxx_for_configure '
+      substituteInPlace _build/oils.sh \
+        --replace-fail ' strip ' ' ${stdenv.cc.targetPrefix}strip '
     '';
+
+    buildPhase = lib.replaceStrings
+      [ "_build/oils.sh" ]
+      [ "_build/oils.sh --cxx ${stdenv.cc.targetPrefix}c++" ]
+      upstream.buildPhase
+    ;
+
+    installPhase = lib.replaceStrings
+      [ "./install" ]
+      [ "./install _bin/${stdenv.cc.targetPrefix}c++-opt-sh/oils-for-unix.stripped" ]
+      upstream.installPhase
+    ;
+
+    configureFlags = upstream.configureFlags ++ [
+      "--cxx-for-configure=${stdenv.cc}/bin/${stdenv.cc.targetPrefix}c++"
+    ];
   });
 
-  # 2025/01/25: upstreaming is unblocked
+  # 2025/04/04: upstreaming is unblocked
   papers = prev.papers.override {
     cargo = crossCargo;
   };
@@ -700,7 +760,7 @@ in with final; {
   #   ];
   # } prev.phosh-mobile-settings;
 
-  # 2025/01/13: upstreaming is unblocked
+  # 2025/04/04: upstreaming is unblocked
   pwvucontrol = prev.pwvucontrol.override {
     cargo = crossCargo;
   };
@@ -795,38 +855,31 @@ in with final; {
   #   });
   # });
 
-  # 2024/05/31: upstreaming is unblocked; requires some changes, as configure tries to invoke our `python`
-  # implemented (broken) on servo cross-staging-2023-07-30 branch
-  # rpm = prev.rpm.overrideAttrs (upstream: {
-  #   # fixes "python too old". might also be specifiable as a configure flag?
-  #   env = upstream.env // lib.optionalAttrs (upstream.version == "4.18.1") {
-  #     # 4.19.0 upgrade should fix cross compilation.
-  #     # see: <https://github.com/NixOS/nixpkgs/pull/260558>
-  #     PYTHON = python3.interpreter;
-  #   };
-  # });
-
-  # 2025/01/13: upstreaming is blocked on glycin-loaders
+  # 2025/04/04: upstreaming is blocked on glycin-loaders
   snapshot = prev.snapshot.override {
     # fixes "error: linker `cc` not found"
     cargo = crossCargo;
   };
 
-  # 2025/01/13: upstreaming is unblocked
+  # 2025/04/04: upstreaming is unblocked
+  # spot = prev.spot.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  #   cargo = crossCargo;
+  # };
   spot = prev.spot.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
+    # blueprint-compiler = crossBlueprint;
     cargo = crossCargo;
   };
 
-  # 2025/01/13: upstreaming is unblocked
+  # 2025/04/04: upstreaming is unblocked
   # squeekboard = prev.squeekboard.overrideAttrs (upstream: {
   #   # fixes: "meson.build:1:0: ERROR: 'rust' compiler binary not defined in cross or native file"
   #   # new error: "meson.build:1:0: ERROR: Rust compiler rustc --target aarch64-unknown-linux-gnu -C linker=aarch64-unknown-linux-gnu-gcc can not compile programs."
@@ -871,36 +924,42 @@ in with final; {
   # });
 
   # 2024/11/19: upstreaming is unblocked
-  tangram = (prev.tangram.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
-  }).overrideAttrs (upstream: {
+  # tangram = (prev.tangram.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  # }).overrideAttrs (upstream: {
+  # tangram = (fixBlueprint prev.tangram).overrideAttrs (upstream: {
+  tangram = prev.tangram.overrideAttrs (upstream: {
     # gsjpack has a shebang for the host gjs. patchShebangs --build doesn't fix that: just manually specify the build gjs
-    postPatch = (upstream.postPatch or "") + ''
+    postPatch = let
+      gjspack' = buildPackages.writeShellScriptBin "gjspack" ''
+        export GI_TYPELIB_PATH=${typelibPath [ buildPackages.glib ]}:$GI_TYPELIB_PATH
+        exec ${buildPackages.gjs}/bin/gjs $@
+      '';
+    in (upstream.postPatch or "") + ''
       substituteInPlace src/meson.build \
         --replace-fail "find_program('gjs').full_path()" "'${gjs}/bin/gjs'" \
-        --replace-fail "gjspack," "'env', 'GI_TYPELIB_PATH=${typelibPath [
-          buildPackages.glib
-        ]}', '${buildPackages.gjs}/bin/gjs', '-m', gjspack,"
+        --replace-fail "gjspack,"  "'${gjspack'}/bin/gjspack', '-m', gjspack,"
     '';
-  });
-
-  # 2025/01/19: upstreaming is unblocked
-  tree-sitter = prev.tree-sitter.overrideAttrs (upstream: {
-    # shell completions were enabled, but aren't cross-compatible: <https://github.com/nixos/nixpkgs/pull/368976>
-    postInstall = lib.replaceStrings [ "installShellCompletion" ] [ "true || installShellCompletion" ] upstream.postInstall;
+    # postPatch = (upstream.postPatch or "") + ''
+    #   substituteInPlace src/meson.build \
+    #     --replace-fail "find_program('gjs').full_path()" "'${gjs}/bin/gjs'" \
+    #     --replace-fail "gjspack," "'env', 'GI_TYPELIB_PATH=${typelibPath [
+    #       buildPackages.glib
+    #     ]}', '${buildPackages.gjs}/bin/gjs', '-m', gjspack,"
+    # '';
   });
 
   # fixes: "ar: command not found"
   # `ar` is provided by bintools
-  # 2024/05/31: upstreaming is blocked on gnustep-base cross compilation
+  # 2025/04/04: upstreaming is blocked on gnustep-base cross compilation
   # unar = addNativeInputs [ bintools ] prev.unar;
 
   # unixODBCDrivers = prev.unixODBCDrivers // {
@@ -920,16 +979,20 @@ in with final; {
   # };
 
   # 2025/01/13: upstreaming is unblocked
+  # video-trimmer = prev.video-trimmer.override {
+  #   blueprint-compiler = wrapBlueprint [
+  #     buildPackages.gdk-pixbuf
+  #     buildPackages.glib
+  #     buildPackages.graphene
+  #     buildPackages.gtk4
+  #     buildPackages.harfbuzz
+  #     buildPackages.libadwaita
+  #     buildPackages.pango
+  #   ];
+  #   cargo = crossCargo;
+  # };
   video-trimmer = prev.video-trimmer.override {
-    blueprint-compiler = wrapBlueprint [
-      buildPackages.gdk-pixbuf
-      buildPackages.glib
-      buildPackages.graphene
-      buildPackages.gtk4
-      buildPackages.harfbuzz
-      buildPackages.libadwaita
-      buildPackages.pango
-    ];
+    # blueprint-compiler = crossBlueprint;
     cargo = crossCargo;
   };
 
@@ -963,12 +1026,15 @@ in with final; {
   #     upstream.postBuild;
   # });
 
-  wvkbd = prev.wvkbd.overrideAttrs (upstream: {
-    nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
-      buildPackages.scdoc
-    ];
-  });
-
-  # 2024/11/19: upstreaming is blocked on unar (gnustep), unless i also make that optional
+  # 2025/04/04: upstreaming is blocked on unar (gnustep), unless i also make that optional
   xarchiver = mvToNativeInputs [ libxslt ] prev.xarchiver;
+
+  # 2025/04/17: upstreaming is unblocked
+  # out for PR: <https://github.com/NixOS/nixpkgs/pull/399981>
+  # xcb-imdkit = prev.xcb-imdkit.overrideAttrs (upstream: {
+  #   buildInputs = lib.filter (p: p.name != extra-cmake-modules.name) upstream.buildInputs;
+  #   nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
+  #     buildPackages.extra-cmake-modules
+  #   ];
+  # });
 }

overlays/preferences.nix

@@ -11,13 +11,13 @@ let
   # the patch here ASSUMES THE BUILD MACHINE IS x86, and it works by forcing cc/bintools to be built as native packages, not gnu64 cross packages.
   # TODO: this is a hack and can hopefully be someday removed!
 
-  x86_64PkgsCrossToolchain = pkgs.pkgsBuildBuild;
-  hare = pkgs.pkgsBuildTarget.hare.override {
-    inherit x86_64PkgsCrossToolchain;
-  };
-  crossHareHook = pkgs.hareHook.override {
-    inherit hare;
-  };
+  # x86_64PkgsCrossToolchain = pkgs.pkgsBuildBuild;
+  # hare = pkgs.pkgsBuildTarget.hare.override {
+  #   inherit x86_64PkgsCrossToolchain;
+  # };
+  # crossHareHook = pkgs.hareHook.override {
+  #   inherit hare;
+  # };
 in
 {
   # DISABLE HDCP BLOB in pinephone pro.
@@ -34,17 +34,18 @@ in
   #   };
   # };
 
-  bonsai = super.bonsai.override {
-    hareHook = crossHareHook;
-  };
-  bunpen = super.bunpen.override {
-    hareHook = crossHareHook;
-  };
+  # bonsai = super.bonsai.override {
+  #   hareHook = crossHareHook;
+  # };
+  # bunpen = super.bunpen.override {
+  #   hareHook = crossHareHook;
+  # };
 
   # XXX(2024-12-26): prefer pre-built electron because otherwise it takes 4 hrs to build from source.
   # but wait 2 days after staging -> master merge, and normal electron should be cached and safe to remove
-  # electron = electron-bin;
-  # electron_33 = electron_33-bin;
+  electron = electron-bin;
+  electron_33 = electron_33-bin;
+  electron_34 = electron_34-bin;
 
   # evolution-data-server = super.evolution-data-server.override {
   #   # OAuth depends on webkitgtk_4_1: old, forces an annoying recompilation
@@ -67,6 +68,47 @@ in
   #   withSamba = false;
   # };
 
+  go2tv = super.go2tv.overrideAttrs (upstream: {
+    # XXX(2025-02-12): with release 1.18.0 (due to a4cd63f512), listing devices gives error (even with UDP 1900 whitelisted in firewall):
+    # > Encountered error(s): checkflags error: checkTflag service loading error: loadSSDPservices: No available Media Renderers
+    # this would apparently be because many UPnP servers do not respond to requests _from_ port 1900.
+    # still present in 1.18.1.
+    #
+    # a commit to gssdp (177f2772cf) suggests this is due to "security reasons" (perhaps it allows neighbors to hole-punch port 1900 of clients?)
+    # although it itself responds perfectly fine to M-SEARCH requests from port 1900.
+    # "DLNA requirement 7.2.3.4" could shed some light, but it's a private spec.
+    # so just don't use port 1900 for now.
+    #
+    # done as overlay instead of in hosts/common/programs/go2tv.nix so that python consumers like sane-cast also get this fix.
+    postPatch = (upstream.postPatch or "") + ''
+      substituteInPlace devices/devices.go --replace-fail "port := 1900" "port := 1901"
+
+      # by default, go2tv passes `ffmpeg -re`, which limits ffmpeg to never stream faster than realtime.
+      # patch that out to let the receiver stream as fast as it wants.
+      # maybe not necessary, was added during debugging.
+      substituteInPlace soapcalls/utils/transcode.go --replace-fail '"-re",' ""
+    '';
+
+    patches = (upstream.patches or []) ++ [
+      (fetchpatch {
+        name = "enable ffmpeg functionality outside the GUI paths";
+        url = "https://git.uninsane.org/colin/go2tv/commit/9afa10dd2e2ef16def26be07eb72fbc5b0382ddd.patch";
+        hash = "sha256-PW989bb/xHk7EncZ3Ra69y2p1U1XeePKq2h7v5O47go=";
+      })
+      (fetchpatch {
+        # this causes it to advertize that weird `video/vnd.dlna.mpeg-tts` MIME type.
+        # TODO: try `video/mpeg`.
+        # the following were tried, and failed:
+        # - video/mp2t
+        # - video/x-mpegts
+        # - video/MP2T
+        name = "advertise the correct MediaType when transcoding";
+        url = "https://git.uninsane.org/colin/go2tv/commit/3bbb98318df2fc3d1a61cecd2b06d1bec9964651.patch";
+        hash = "sha256-9n43QXfCWyEn5qw1rWnmFb8oTY6xgkih5ySAcxdBVZo=";
+      })
+    ];
+  });
+
   # gnome-control-center = super.gnome-control-center.override {
   #   # i build goa without the "backend", to avoid webkit_4_1.
   #   # however gnome-control-center *directly* uses goa-backend because it manages the accounts...
@@ -91,17 +133,17 @@ in
   #   samba = null;
   # };
 
-  haredoc = super.haredoc.override {
-    hareHook = crossHareHook;
-  };
-  hareThirdParty = super.hareThirdParty.overrideScope (sself: ssuper: {
-    hare-ev = (ssuper.hare-ev.override {
-      hareHook = crossHareHook;
-    }).overrideAttrs { doCheck = false; };
-    hare-json = (ssuper.hare-json.override {
-      hareHook = crossHareHook;
-    }).overrideAttrs { doCheck = false; };
-  });
+  # haredoc = super.haredoc.override {
+  #   hareHook = crossHareHook;
+  # };
+  # hareThirdParty = super.hareThirdParty.overrideScope (sself: ssuper: {
+  #   hare-ev = (ssuper.hare-ev.override {
+  #     hareHook = crossHareHook;
+  #   }).overrideAttrs { doCheck = false; };
+  #   hare-json = (ssuper.hare-json.override {
+  #     hareHook = crossHareHook;
+  #   }).overrideAttrs { doCheck = false; };
+  # });
 
   # hare = pkgsBuildTarget.hare.override {
   #   x86_64PkgsCrossToolchain = super.pkgsBuildBuild;

pkgs/by-name/cassini/package.nix

@@ -0,0 +1,96 @@
+{
+  lib,
+  fetchFromGitHub,
+  fetchFromGitea,
+  fetchpatch,
+  python3,
+  stdenv,
+}: stdenv.mkDerivation (finalAttrs: {
+  pname = "cassini";
+  version = "0-unstable-2024-03-30";
+
+  # src = fetchFromGitHub {
+  #   owner = "vvuk";
+  #   repo = "cassini";
+  #   rev = "052265f2a287b40e06971cfa3d66fc83bda19f93";
+  #   hash = "sha256-lk4Y5aGSVHBY4Lju7Q9QDknSvo8PK6YdhQkmoIhFVec=";
+  # };
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "cassini";
+    rev = "4c8fae92cac1f15101cfb96f71aaf8e491a4f392";
+    hash = "sha256-fHhR4hiBowQzl2GW8z7ugYvYYyWYVc70pILwRzw+lPU=";
+  };
+
+  # patches = [
+  #   # project has only requirements.txt,
+  #   # i'm not sure how to _install_ it, except by switching it to setuptools
+  #   (fetchpatch {
+  #     name = "Update to Setuptools Python Packaging";
+  #     url = "https://github.com/vvuk/cassini/pull/13.patch";
+  #     hash = "sha256-XNK3Oxxu7Xm7rbr1cWgtXa/jNNk3T1Z5qXikuTSuL6U=";
+  #   })
+  # ];
+
+  # postPatch = ''
+  #   substituteInPlace setup.py \
+  #     --replace-fail 'packages=find_packages()' 'packages=["cassini"]' \
+
+  #   # --replace-fail 'entry_points=' '# entry_points=' \
+  # '';
+
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/opt/cassini
+
+    cp *.py $out/opt/cassini
+  '';
+
+  postFixup = ''
+    wrapPythonProgramsIn "$out/opt/cassini" "$out $pythonPath"
+
+    mkdir -p $out/bin
+    ln -s $out/opt/cassini/cassini.py $out/bin/cassini
+  '';
+
+  nativeBuildInputs = [
+    # python3.pkgs.hatch-fancy-pypi-readme
+    # python3.pkgs.hatch-vcs
+    # python3.pkgs.hatchling
+
+    # python3.pkgs.poetry-core
+
+    # python3.pkgs.pypaBuildHook
+    python3.pkgs.pypaInstallHook
+    # python3.pkgs.setuptoolsBuildHook
+    # python3.pkgs.wheel
+    # python3.pkgs.eggUnpackHook
+    # python3.pkgs.eggBuildHook
+    # python3.pkgs.eggInstallHook
+    python3.pkgs.wrapPython
+    # python3.pkgs.pythonOutputDistHook
+  ];
+
+  propagatedBuildInputs = [
+    python3.pkgs.alive-progress
+    python3.pkgs.scapy
+  ];
+  nativeCheckInputs = [
+    python3.pkgs.pythonImportsCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "cassini"
+  ];
+
+  # TODO: this isn't a "proper" Python package, because even though i've been writing Python for 15 years i still don't have a fucking clue how to navigate its packaging system.
+  doCheck = false;
+
+  meta = with lib; {
+    homepage = "https://github.com/vvuk/cassini";
+    description = "ELEGOO 3D printer network protocol client";
+    maintainers = with maintainers; [ colinsane ];
+  };
+})

pkgs/by-name/euicc-manual/package.nix

@@ -13,13 +13,13 @@ let
   self = stdenv.mkDerivation
 {
   pname = "euicc-manual";
-  version = "0-unstable-2025-03-03";
+  version = "0-unstable-2025-04-06";
 
   # XXX: their gitea downloads are broken, so use fetchgit
   src = fetchgit {
     url = "https://gitea.osmocom.org/sim-card/euicc-manual";
-    rev = "0d2cc285e33e85e90af316e10c183efdcfb38279";
-    hash = "sha256-ADR5iy0lzoGIBBnTV0JGAGtePcI5WftVJLHkDJ/itw8=";
+    rev = "66a4d21abfeb145b2968e28a16e961f90724c0b7";
+    hash = "sha256-n+JtRiVY7pfLD53YA4wD2abzSypRSl0mEtOBAr0ydpc=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/feedsearch-crawler/package.nix

@@ -3,10 +3,11 @@
   fetchFromGitHub,
   python3,
   stdenv,
+  unstableGitUpdater,
 }:
 stdenv.mkDerivation {
   pname = "feedsearch-crawler";
-  version = "2022-05-28";
+  version = "0.2.7-unstable-2022-05-28";
   format = "pyproject";
 
   src = fetchFromGitHub {
@@ -59,10 +60,12 @@ stdenv.mkDerivation {
   doCheck = true;
   strictDeps = true;
 
-  meta = with lib; {
+  passthru.updateScript = unstableGitUpdater { };
+
+  meta = {
     homepage = "https://feedsearch.dev";
     description = "Crawl sites for RSS, Atom, and JSON feeds";
-    license = licenses.mit;
-    maintainers = with maintainers; [ colinsane ];
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ colinsane ];
   };
 }

pkgs/by-name/firefox-extensions/addon-version-lister

@@ -0,0 +1,122 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i ysh -p common-updater-scripts -p coreutils -p curl -p oils-for-unix
+
+source $LIB_YSH/args.ysh
+
+proc usage {
+  echo "USAGE: addon-version-lister [--max-versions N] [-v] [-vv] --old-version SEMVER URL"
+  echo ""
+  echo "--max-versions N  (default: 10)"
+  echo "  only show up to this many of the most recent valid versions."
+  echo "  the lower this value, the faster this script will complete."
+  echo "  many use cases can set this to '1'."
+  echo ""
+  echo "-v --verbose: more logging"
+  echo ""
+  echo "-vv --really-verbose: even more logging"
+  echo ""
+  echo "--old-version SEMVER"
+  echo "  version which yielded the provided url, used to recognize how the URL needs to be updated per version."
+  echo ""
+  echo "URL"
+  echo "  URL at which to expect a .xpi file."
+  echo "  combined with '--old-version', this is treated as a template for discovering newer versions."
+}
+
+parser (&spec) {
+  flag "" --max-versions (Int, default=10)
+  flag -v --verbose (Bool, default=false)
+  flag -vv --really-verbose (Bool, default=false)
+  flag "" --old-version (Str)
+  flag -h --help (Bool, default=false)
+  arg url
+}
+
+func numeric_version (tag) {
+  # TODO: consider `b<n>` or `rc<n>` suffixes?
+  return ($(echo "$tag" | egrep --only-matching "[0-9.]+" | head -n1))
+}
+
+func sort_versions (versions) {
+  var numerics = []
+  for v in (versions) {
+    var row = [numeric_version(v), v] => join(" ")
+    call numerics->append (row)
+  }
+  var lines = numerics => join($'\n')
+  var sorted = $(echo "$lines" | sort --version-sort --reverse | cut -d" " -f 2)
+  return (sorted => split ($'\n'))
+}
+
+proc log (; ...stmts; level, context) {
+  for s in (stmts) {
+    var prefix = " $context:" if context else ""
+    var formatted = "$(pp value (s))"
+    echo "[$level]$prefix $formatted" >&2
+  }
+}
+
+proc info (context=""; ...stmts) {
+  log (level="INFO", context=context, ...stmts)
+}
+
+proc debug (context=""; ...stmts) {
+  if (VERBOSE) {
+    log (level="DEBUG", context=context, ...stmts)
+  }
+}
+
+var CURL_FLAGS = []
+
+try {
+  var args = parseArgs(spec, ARGV)
+}
+if failed {
+  usage
+  exit 1
+}
+
+var MAX_VERSIONS = args['max-versions']
+var OLD_VERSION = args['old-version']
+var URL = args.url
+var VERBOSE = args.verbose or args['really-verbose']
+
+if (args['really-verbose']) {
+  call CURL_FLAGS->append("--verbose")
+}
+
+debug "invoked" (ARGV)
+
+if (args.help) {
+  usage
+  exit 0
+}
+
+# we need the bare git URL.
+# strip `https://github.com/OWNER/NAME/releases/download/...` -> `https://github.com/OWNER/NAME`
+var repo_url = URL.replace(/ '/releases/' .* $ /, "")
+debug "extracted" (repo_url)
+
+var all_tags = $(list-git-tags --url="$repo_url") => split($'\n')
+debug "extracted tags" (all_tags)
+setvar all_tags = sort_versions (all_tags)
+debug "sorted tags" (all_tags)
+
+# # filter to the versions for which we can actually download an artifact.
+# # some packages (uBlock) publish releases even before all artifacts are available.
+var online_versions = []
+
+for v in (all_tags) {
+  var url_to_test = URL => replace (OLD_VERSION, v);
+  debug "testing url" (url_to_test)
+  if curl @CURL_FLAGS --fail "$url_to_test" {
+    info "found online tag" (v)
+    call online_versions -> append (v)
+    if (len(online_versions) >= MAX_VERSIONS) {
+      break
+    }
+  }
+}
+
+var pretty_versions = online_versions => join(" ")
+echo "$pretty_versions"

pkgs/by-name/firefox-extensions/package.nix

@@ -2,24 +2,33 @@
   callPackage,
   concatTextFile,
   fetchurl,
+  genericUpdater,
   jq,
   lib,
   newScope,
   nix-update-script,
   runCommand,
+  static-nix-shell,
   stdenv,
   strip-nondeterminism,
   unzip,
   writers,
+  writeShellScript,
   zip,
 }:
 let
+  addon-version-lister = static-nix-shell.mkYsh {
+    pname = "addon-version-lister";
+    pkgs = [ "common-updater-scripts" "coreutils" "curl" ];
+    srcRoot = ./.;
+  };
+
   wrapAddon = addon: args:
   let
     extid = addon.passthru.extid;
     # merge our requirements into the derivation args
     args' = args // {
-      passthru = addon.passthru // (args.passthru or {});
+      passthru = (builtins.removeAttrs addon.passthru ["updateScript"]) // (args.passthru or {});
       nativeBuildInputs = [
         jq
         strip-nondeterminism
@@ -107,14 +116,18 @@ let
       cp $src $out
     '';
 
-    passthru.updateScript = nix-update-script {
-      # ignore beta versions
-      extraArgs = [ "--version-regex" "([0-9.]+)" ];
+    passthru.updateScript = genericUpdater {
+      versionLister = writeShellScript "${pname}-version-lister" ''
+        ${lib.getExe addon-version-lister} --verbose --old-version "$UPDATE_NIX_OLD_VERSION" ${url}
+      '';
+      ignoredVersions = "(b|rc)[0-9]*$";
     };
     passthru.extid = extid;
   };
 
   firefox-extensions = (lib.makeScope newScope (self: with self; {
+    inherit addon-version-lister;
+
     unwrapped = lib.recurseIntoAttrs {
       # get names from:
       # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
@@ -154,8 +167,8 @@ let
         extid = "sponsorBlocker@ajay.app";
         pname = "sponsorblock";
         url = "https://github.com/ajayyy/SponsorBlock/releases/download/${version}/FirefoxSignedInstaller.xpi";
-        version = "5.11.6";
-        hash = "sha256-IaPNt9Yh0Gi8/yZxlYINgpNLFQ2PumZaouPCdeQ67MA=";
+        version = "5.11.11";
+        hash = "sha256-i64HPxWrsguGEHnvRaSphXI+lKRLfOQKDfAFxSeMdPM=";
       };
       ublacklist = fetchVersionedAddon rec {
         extid = "@ublacklist";
@@ -167,11 +180,14 @@ let
       ublock-origin = fetchVersionedAddon rec {
         extid = "uBlock0@raymondhill.net";
         pname = "ublock-origin";
-        # N.B.: a handful of versions are released unsigned
-        url = "https://github.com/gorhill/uBlock/releases/download/${version}/uBlock0_${version}.firefox.xpi";
-        # url = "https://github.com/gorhill/uBlock/releases/download/${version}/uBlock0_${version}.firefox.signed.xpi";
-        version = "1.62.0";
-        hash = "sha256-IEt2ImiuhxOIuanGB0h7eZoq+JJAb1Y7BmIcvJ0xaaY=";
+        # N.B.: the release process seems to be to first release an unsigned .xpi,
+        #       then sign it a few days later,
+        #       and then REMOVE THE UNSIGNED RELEASE.
+        #       therefore, only grab signed releases, to avoid having the artifact disappear out from under us :(
+        # url = "https://github.com/gorhill/uBlock/releases/download/${version}/uBlock0_${version}.firefox.xpi";
+        url = "https://github.com/gorhill/uBlock/releases/download/${version}/uBlock0_${version}.firefox.signed.xpi";
+        version = "1.63.2";
+        hash = "sha256-2TF2zvTcBC5BulAKoqkOXVe1vndEnL1SIRFYXjoM0Vg=";
       };
     };
 })  ).overrideScope (self: super:

pkgs/by-name/firefox-extensions/passff/default.nix

@@ -6,13 +6,13 @@
 }:
 stdenv.mkDerivation rec {
   pname = "passff";
-  version = "1.21";
+  version = "1.22";
   src = fetchFromGitea {
     domain = "codeberg.org";
     owner = "PassFF";
     repo = "passff";
     rev = version;
-    hash = "sha256-6lxtF1YI2ssYXjOscgkJj8aAtnJOJfk87SxmCVRIkRY=";
+    hash = "sha256-9uuLsNSom6cF3yMrbwexsyttwxcCLez17ZxxZvTLBRI=";
   };
 
   nativeBuildInputs = [ zip ];

pkgs/by-name/gpodder-adaptive/package.nix

@@ -25,17 +25,12 @@ self = gpodder.overridePythonAttrs (upstream: rec {
   format = "setuptools";
   preBuild = ''
     make \
-      "PREFIX=$(out)" \
+      "PREFIX=$out" \
       "share/applications/gpodder-url-handler.desktop" \
       "share/applications/gpodder.desktop" \
       "share/dbus-1/services/org.gpodder.service"
   '';
 
-  postFixup = ''
-    substituteInPlace $out/share/applications/gpodder-url-handler.desktop \
-      --replace-fail 'Exec=/bin/gpodder' 'Exec=gpodder'
-  '';
-
   buildInputs = upstream.buildInputs ++ [
     libhandy
   ];

pkgs/by-name/gpodder-configured/gpodder-ensure-feeds

@@ -2,6 +2,7 @@
 #!nix-shell -i python3 -p gpodder -p listparser -p python3
 
 from dataclasses import dataclass, field
+from typing import Optional
 import argparse
 import listparser
 import subprocess
@@ -10,10 +11,10 @@ import sys
 @dataclass(repr=True)
 class Feed:
     url: str
-    title: str  # Optional
-    def __init__(self, url: str, title: str):
+    title: Optional[str]
+    def __init__(self, url: str, title: Optional[str]):
         self.url = url
-        self.title = title if title else None
+        self.title = title if title else None  # coerce title="" -> None
 
     def __eq__(self, other: "Feed") -> bool:
         return self.url == other.url and \
@@ -61,7 +62,7 @@ def partition_feeds(wanted: list[Feed], has: list[Feed]) -> Partitioned:
 def remove_feed(feed: Feed):
     subprocess.check_output(["gpo", "unsubscribe", feed.url])
 
-def remove_feeds(feeds: list[str]):
+def remove_feeds(feeds: list[Feed]):
     if not feeds:
         print("removing extra feeds: (none)")
         return
@@ -71,7 +72,7 @@ def remove_feeds(feeds: list[str]):
     for f in feeds:
         remove_feed(f)
 
-def add_feeds(opml_path: str, feeds: list[str]):
+def add_feeds(opml_path: str, feeds: list[Feed]):
     if not feeds:
         print("adding missing feeds: (none)")
         return

pkgs/by-name/gpodder-configured/package.nix

@@ -1,9 +1,15 @@
+# gpodder keeps all its feeds in a sqlite3 database.
+# the binary provided here, `gpodder-ensure-feeds`, may be run to import
+# my nix-synchronized feeds into gpodder, and remove any extras i've since deleted.
+# repeat imports are deduplicated by url, even when offline.
+# suggested usage: `gpodder-ensure-feeds ~/.config/gpodderFeeds.opml` as part of activation or some default .service
+
 {
   gpodder,
+  lib,
   listparser,
-  makeWrapper,
+  makeShellWrapper,
   static-nix-shell,
-  symlinkJoin,
 }:
 
 let
@@ -16,32 +22,24 @@ let
     };
   };
 in
-# we use a symlinkJoin so that we can inherit the .desktop and icon files from the original gPodder
-(symlinkJoin {
-  name = "${gpodder.pname}-configured";
-  paths = [ gpodder remove-extra ];
-  nativeBuildInputs = [
-    makeWrapper
-  ];
+  gpodder.overrideAttrs (upstream: {
+    # use `makeShellWrapper` here so that we can get expansion of env vars like `$HOME`, at runtime
+    nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
+      makeShellWrapper
+    ];
 
-  # gpodder keeps all its feeds in a sqlite3 database.
-  # we can configure the feeds externally by wrapping gpodder and just instructing it to import
-  # a feedlist every time we run it.
-  # repeat imports are deduplicated by url, even when offline.
-  postBuild = ''
-    wrapProgram $out/bin/gpodder \
-      $extraMakeWrapperArgs \
-      --run "$out/bin/gpodder-ensure-feeds"' ~/.config/gpodderFeeds.opml "$@" || true' \
-      --run 'while [[ -n "$1" && "$1" != -- && "$1" != --help ]]; do shift; done ; if [[ "$1" == --help ]]; then exit; elif [[ "$1" == -- ]]; then shift; fi'
+    dontWrapGApps = true;
+    postFixup = (upstream.postFixup or "") + ''
+      # XXX(2025-03-21): splat the makeWrapperArgs here because upstream gpodder specifies
+      # `--suffix PATH ...` all as _one_ argument, but makeShellWrapper requires it to be multiple :(
+      # splat `extraMakeWrapperArgs` because nix passes that through as a single string instead of as a bash array.
+      # be careful when changing this: we rely on `~` being expanded at the right time (i.e. by the python interpreter),
+      # and never before that (e.g. the makePythonApplication c wrapper)
+      makeWrapperArgs=(''${makeWrapperArgs[*]} "''${gappsWrapperArgs[@]}" ''${extraMakeWrapperArgs[@]})
 
-    # fix up the .desktop file to invoke our wrapped application
-    # (rather, invoke `gpodder` by PATH, which could be this, or an outer layer of wrapping)
-    orig_desktop=$(readlink $out/share/applications/gpodder.desktop)
-    unlink $out/share/applications/gpodder.desktop
-    sed "s:Exec=.*/gpodder:Exec=gpodder:" $orig_desktop > $out/share/applications/gpodder.desktop
-  '';
-
-  passthru = {
-    inherit gpodder remove-extra;
-  };
-})
+      for f in $out/bin/*; do
+        wrapProgramShell "$f" "''${makeWrapperArgs[@]}"
+      done
+      makeShellWrapper ${lib.getExe remove-extra} "$out/bin/${remove-extra.meta.mainProgram}" "''${makeWrapperArgs[@]}"
+    '';
+  })

pkgs/by-name/gps-share/package.nix

@@ -1,22 +1,26 @@
-{ lib
-, fetchFromGitHub
-, pkg-config
-, rustPlatform
-, udev
+{
+  fetchFromGitHub,
+  lib,
+  nix-update-script,
+  pkg-config,
+  rustPlatform,
+  udev,
 }:
 
-rustPlatform.buildRustPackage rec {
+rustPlatform.buildRustPackage {
   pname = "gps-share";
-  version = "0.3.1";
+  # require 0.3.1-unstable because 0.3.1 doesn't pass `doCheck`; tip has test fixes
+  version = "0.3.1-unstable-2024-03-19";
 
   src = fetchFromGitHub {
     owner = "zeenix";
     repo = "gps-share";
-    rev = version;
-    hash = "sha256-Rh7Pt9JN30TyuxwHOn8dwZrUfmkknUhOGonbhROpGxA=";
+    rev = "2b3955549643ae99ebe0681079d6fa1deaee20ea";
+    hash = "sha256-GBO5b8yqQkEcmAEsvcLTZoQF8MOdutvNIbqk7OTVdFk=";
   };
 
-  cargoHash = "sha256-8txHiK+aBh4hO66VQWTH/7li62O74xMqCg+sBFZ6KKU=";
+  cargoHash = "sha256-WhYHFaSZfnlEmlXFLj7BIt0agMFuz07LcAXJ9ZOOrvY=";
+  useFetchCargoVendor = true;
 
   nativeBuildInputs = [
     pkg-config
@@ -26,7 +30,9 @@ rustPlatform.buildRustPackage rec {
     udev
   ];
 
-  doCheck = false;  #< 'Failed to start gps-share: Os { code: 2, kind: NotFound, message: "No such file or directory" }'
+  passthru.updateScript = nix-update-script {
+    extraArgs = [ "--version=branch" ];
+  };
 
   meta = with lib; {
     description = "utility to share your GPS device on local network";

pkgs/by-name/lemoa/package.nix

@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 
   src = fetchFromGitHub {
     owner = "lemmy-gtk";
-    repo = pname;
+    repo = "lemoa";
     rev = "v${version}";
     hash = "sha256-XyVl0vreium83d6NqiMkdER3U0Ra0GeAgTq4pyrZyZE=";
   };

pkgs/by-name/libmegapixels/package.nix

@@ -10,13 +10,13 @@
 }:
 stdenv.mkDerivation {
   pname = "libmegapixels";
-  version = "0.2.0-unstable-2025-03-03";
+  version = "0.2.1-unstable-2025-04-04";
 
   src = fetchFromGitLab {
     owner = "megapixels-org";
     repo = "libmegapixels";
-    rev = "adf65ca8fc585b08f4172c11b6b1eae827dd173a";
-    hash = "sha256-Q5alwVk3afQIgwtlslKyou5qhX8pYFz7mW/9Kr21EjE=";
+    rev = "7af18a935bebfedded7cebb08bf6c547f47dcfd9";
+    hash = "sha256-UyZcVjOsGBcSl6yJtcUSGDhYnMkbRirLadbU4vyLBhs=";
   };
 
   # patches = [

pkgs/by-name/linux-manjaro/package.nix

@@ -1,37 +0,0 @@
-{ linux_6_4
-, fetchpatch
-, pkgs
-# something inside nixpkgs calls `override` on the kernel and passes in extra arguments; we'll forward them
-, ...
-}@args:
-let
-  # use the latest commit: for linux 6.4.7
-  # manjaro's changes between kernel patch versions tend to be minimal if any.
-  manjaroBase = "https://gitlab.manjaro.org/manjaro-arm/packages/core/linux/-/raw/6c64aa18076a7dc75bfd854b27906467f5d95336";
-  manjaroPatch = args: {
-    inherit (args) name;
-    patch = fetchpatch ({
-      url = "${manjaroBase}/${args.name}?inline=false";
-    } // args);
-  };
-
-  # the idea for patching off Manjaro's kernel comes from jakewaksbaum:
-  # - https://git.sr.ht/~jakewaksbaum/pi/tree/af20aae5653545d6e67a459b59ee3e1ca8a680b0/item/kernel/default.nix
-  # - he later abandoned this, i think because he's using the Pinephone Pro which received mainline support.
-  manjaroPatches = [
-    (manjaroPatch {
-      # this patch is critical to enable wifi (RTL8723CS)
-      # - the alternative is a wholly forked kernel by megi/megous:
-      #   - https://xnux.eu/howtos/build-pinephone-kernel.html#toc-how-to-build-megi-s-pinehpone-kernel
-      # - i don't know if this patch is based on megi's or original.
-      # - it might be possible to build this rtl8723cs out of tree?
-      name = "2001-staging-add-rtl8723cs-driver.patch";
-      hash = "sha256-M4MR9Oi90BmaB68kWjezHon/NzXDxu13Hc+TWm3tcjg=";
-    })
-  ];
-in linux_6_4.override (args // {
-  kernelPatches = (args.kernelPatches or []) ++ [
-    pkgs.kernelPatches.bridge_stp_helper
-    pkgs.kernelPatches.request_key_helper
-  ] ++ manjaroPatches;
-})

pkgs/by-name/megapixels-next/package.nix

@@ -25,13 +25,13 @@ let
 in
 stdenv.mkDerivation {
   pname = "megapixels-next";
-  version = "2.0.0-alpha1-unstable-2025-02-17";
+  version = "2.0.0-alpha1-unstable-2025-04-08";
 
   src = fetchFromGitLab {
     owner = "megapixels-org";
     repo = "Megapixels";
-    rev = "9acea2849d3a3539edccb24fc837a3b966f911f1";
-    hash = "sha256-W64iZLcTW7M4YQpnHWbzMYky7ZqNuprvVnHiFsnF92I=";
+    rev = "c8e0808ea5ff4b8db073f0c7256ff58d42bbbdcc";
+    hash = "sha256-NHCa10ISLW8MUy34RAibtFaO9vKIpYTH1gs2sV9c9VQ=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/mm64baserom/package.nix

@@ -0,0 +1,14 @@
+# this derivation is consumed by the upstream `zelda64recomp` package via overlay/override.
+# it replaces the upstream `requireFile` expression with an equivalent expression that's actually buildable (what a concept).
+{ fetchzip }:
+fetchzip {
+  name = "mm.us.rev1.rom.z64";
+  url = "https://serve.emulatorgames.net/roms/nintendo-64/Legend%20of%20Zelda,%20The%20-%20Majora's%20Mask%20(U)%20%5b!%5d.zip";
+  hash = "sha256-W7aLDUxMVx57JgjNIowF5a94mJ+qHaHIybK3m1jOWBc=";
+  # .zip contains a single .z64 file inside it: move that to the toplevel, as expected by zelda64recomp package.
+  postFetch = ''
+    mv $out/* mm.us.rev1.rom.z64
+    rmdir $out
+    mv mm.us.rev1.rom.z64 $out
+  '';
+}

pkgs/by-name/mslicer/package.nix

@@ -0,0 +1,81 @@
+{
+  fetchFromGitHub,
+  lib,
+  libglvnd,
+  libxkbcommon,
+  nix-update-script,
+  rustPlatform,
+  vulkan-loader,
+  wayland,
+}:
+
+rustPlatform.buildRustPackage {
+  pname = "mslicer";
+  version = "0.2.1-unstable-2025-04-13";
+
+  src = fetchFromGitHub {
+    owner = "connorslade";
+    repo = "mslicer";
+    rev = "ce1f43e61ca83b727561ff0aa193512c8b164331";
+    hash = "sha256-VgbHFUQpxlQcYh3TNyw1IX7vyaWrHRxl4Oe5jake9Qg=";
+  };
+
+  cargoHash = "sha256-Bs/mQTMEQxRvKK9ibIAf4KLv9jzGv3hnduXFYEdjljc=";
+  useFetchCargoVendor = true;
+
+  buildInputs = [
+    libglvnd
+    libxkbcommon
+    vulkan-loader
+    wayland
+  ];
+
+  # from pkgs/by-name/al/alvr/package.nix, to get it to actually link against wayland
+  # RUSTFLAGS = map (a: "-C link-arg=${a}") [
+  #   "-Wl,--push-state,--no-as-needed"
+  #   # "-lEGL"
+  #   "-lwayland-client"
+  #   # "-lxkbcommon"
+  #   "-Wl,--pop-state"
+  # ];
+
+  # Force linking to libEGL, which is always dlopen()ed, and to
+  # libwayland-client & libxkbcommon, which is dlopen()ed based on the
+  # winit backend.
+  # from <repo:nixos/nixpkgs:pkgs/by-name/uk/ukmm/package.nix>
+  NIX_LDFLAGS = [
+    "--push-state"
+    "--no-as-needed"
+    "-lEGL"
+    "-lvulkan"
+    "-lwayland-client"
+    "-lxkbcommon"
+    "--pop-state"
+  ];
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    # spot-check the binaries
+    $out/bin/goo_format --help
+    # these other binaries can't be invoked w/ interactivity or real data:
+    test -x $out/bin/mslicer
+    test -x $out/bin/remote_send
+    test -x $out/bin/slicer
+
+    runHook postInstallCheck
+  '';
+
+  strictDeps = true;
+
+  passthru.updateScript = nix-update-script {
+    extraArgs = [ "--version=branch" ];
+  };
+
+  meta = with lib; {
+    description = "An experimental open source slicer for masked stereolithography (resin) printers.";
+    homepage = "https://connorcode.com/projects/mslicer";
+    maintainers = with maintainers; [ colinsane ];
+  };
+}

pkgs/by-name/nixpkgs-bootstrap/2024-10-01-python-cross-resource-usage.patch

@@ -1,23 +0,0 @@
-commit bd996f1383845e255fb7efddd044996fcf45d578 (HEAD -> 2024-09-30-python-cross-fix)
-Author: Colin <colin@uninsane.org>
-Date:   2024-10-01 09:44:35 +0000
-
-    NOT FOR MERGE: reduce resource usage for cross-compiled python
-
-    this breaks `python.override { ... }`
-
-    for context, see: <https://github.com/NixOS/nixpkgs/issues/338231>
-
-diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix
-index bb3dba534b79..4e0e2ced6e6b 100644
---- a/pkgs/development/interpreters/python/cpython/default.nix
-+++ b/pkgs/development/interpreters/python/cpython/default.nix
-@@ -132,7 +132,7 @@ let
-     # When we override the interpreter we also need to override the spliced versions of the interpreter
-     # bluez is excluded manually to break an infinite recursion.
-     inputs' = lib.filterAttrs (n: v: n != "bluez" && n != "passthruFun" && ! lib.isDerivation v) inputs;
--    override = attr: let python = attr.override (inputs' // { self = python; }); in python;
-+    override = attr: attr;
-   in passthruFun rec {
-     inherit self sourceVersion packageOverrides;
-     implementation = "cpython";

pkgs/by-name/nixpkgs-bootstrap/master.nix

@@ -8,8 +8,8 @@
   mkNixpkgs ? import ./mkNixpkgs.nix {},
 }:
 mkNixpkgs {
-  rev = "72bccb2960235fd31de456566789c324a251f297";
-  sha256 = "sha256-8qmLpDUmaiBGLZkFfVyK5/T5fyTXXGdzCRdqAtO0gf4=";
-  version = "0-unstable-2025-03-04";
+  rev = "31dac92988dd79d638feaa70569c2a4d56c40356";
+  sha256 = "sha256-Hgr1NaqxMV6YXNhb8FVihSfvFO8k/Z5PKvRb3YnOdE0=";
+  version = "0-unstable-2025-04-20";
   branch = "master";
 }

pkgs/by-name/nixpkgs-bootstrap/mkNixpkgs.nix

@@ -91,17 +91,16 @@ let
         } // args');
       }
     else
-      # N.B.: this is crafted to allow `nixpkgs.FOO` from other nix code
-      # AND `nix-build -A nixpkgs`
       patchedSrc.overrideAttrs (base: {
         # attributes needed for update scripts
         inherit version;
         pname = "nixpkgs";
-        passthru = (base.passthru or {}) // nixpkgs // {
+        passthru = (base.passthru or {}) // {
           # override is used to configure hostPlatform higher up.
           override = overrideArgs: mkNixpkgs (args // overrideArgs);
 
-          # N.B.: src has to be specified in passthru, not the outer scope, so as to take precedence over the nixpkgs `src` package
+          pkgs = nixpkgs;
+
           src = {
             # required by unstableGitUpdater
             gitRepoUrl = "https://github.com/NixOS/nixpkgs.git";

pkgs/by-name/nixpkgs-bootstrap/patches.nix

@@ -29,36 +29,37 @@ let
     );
 in
 [
-  ./2024-10-01-python-cross-resource-usage.patch
-
   (fetchpatch' {
-    name = "librsvg: generate loaders.cache even when cross compiling";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/384957";
-    hash = "sha256-pBN+KVkU9AhcoYBVLbkGVICBYO0RyfIJ3Mr4OjO8yFA=";
-    # saneCommit = "25d740a21c53b9ac2da33571e3fad7e33a765ddf";
-    # hash = "sha256-PvewYks5P6QX59SG9sEcV89ddJdcNcEO9bB9x05Xgf0=";
+    name = "blueprint-compiler: wrap with required dependencies";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/400415";
+    # saneCommit = "8f5822c7c949aea432b5b361998e781ff273e058";
+    hash = "sha256-m6o4nWGWtsYerJAJtOL5+TVNoyyUcptDfZr47RMkHb0=";
   })
 
   (fetchpatch' {
-    name = "aerc: make notmuch optional";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/386733";
-    hash = "sha256-gLxRQ+mF7RTciV7dfVA8ADOyl6u1sv4MW6GzCZDjAdw=";
+    name = "fcitx5: fix cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/399981";
+    hash = "sha256-BSnp80+8cpb+1yFaB0g7ZnPgQQqC7qo+ReMJUtlKgr4=";
   })
 
   (fetchpatch' {
-    name = "kiwix-tools: 3.7.0 -> 3.7.0-unstable-2024-12-21 to fix build against kiwix-14.0";
-    saneGhCommit = "4ccec684a6f5096e56918758a85a794ad0564157";
-    prUrl = "https://github.com/NixOS/nixpkgs/pull/387044";
-    hash = "sha256-s6llAcopDvx7I8ZwzJ4mL+mSo6BWIKDM7gjpzZiMxok=";
+    name = "git: fix cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/399955";
+    hash = "sha256-UsVH6NhHIEoipi9fzl89mZolo/Lo1l0dos7trOGdU9A=";
   })
 
-  # (fetchpatch' {
-  #   # 2024-12-26: required to build ollama (with AMD acceleration)
-  #   name = "rocm-6: bump packages to 6.3.1 and add missing packages";
-  #   prUrl = "https://github.com/NixOS/nixpkgs/pull/367695";
-  #   # hash = "sha256-6XXgSCXhC5DneSICguPtdnjX00SVJeiHxmJ55MoB+Xs=";
-  #   hash = "sha256-Hzz+aAzdgdnTu4jvLqpHzdIE3xYMP02/EuA+KvFbUeI=";
-  # })
+  (fetchpatch' {
+    # fixes build
+    name = "sm64coopdx: 1.2.1 -> 1.3.0";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/399415";
+    hash = "sha256-ExoGrUlZKBNeHyor22D/mi5cQrgbCxapcSdDE5o6Ow8=";
+  })
+
+  (fetchpatch' {
+    name = "zelda64recomp: init at 1.1.1-unstable-2025-02-14";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/313013";
+    hash = "sha256-9GjvmZoDmU2vIR4g5ADAGRixe13/js44dzVfh2IIDBw=";
+  })
 
   # (fetchpatch' {
   #   # XXX(2025-01-06): patch does not produce valid binaries for cross

pkgs/by-name/nixpkgs-bootstrap/staging-next.nix

@@ -2,8 +2,8 @@
   mkNixpkgs ? import ./mkNixpkgs.nix {},
 }:
 mkNixpkgs {
-  rev = "749375426d72ead4bdac625818e7be62a6bbbaf4";
-  sha256 = "sha256-IDxPfbSdIy7XAP1hneGOfr2jsj+hFUsvFhpRksYqols=";
-  version = "0-unstable-2025-02-28";
+  rev = "e6ddbb6271183c5602f3df59eab5fe29f43ba3c7";
+  sha256 = "sha256-g1x7zioawUcLWq7dyIZgJtbaSjUyVVR7VLBKvWBcABo=";
+  version = "0-unstable-2025-04-19";
   branch = "staging-next";
 }

pkgs/by-name/nixpkgs-bootstrap/staging.nix

@@ -2,8 +2,8 @@
   mkNixpkgs ? import ./mkNixpkgs.nix {},
 }:
 mkNixpkgs {
-  rev = "476a8a9af32b94b6b43e7e17231ef566ae61ae0f";
-  sha256 = "sha256-q8aNISLX+sotNnVgacRAtQ/zJYKYsouV0efJbo2w/qg=";
-  version = "0-unstable-2025-03-04";
+  rev = "bcb880ef3c962e4379d4ae086fc5c49c1b0e47c8";
+  sha256 = "sha256-2v8hW21YAT8ZMFF0bdWsBYn6+wkCXfa0uu46Jey0Zjw=";
+  version = "0-unstable-2025-04-20";
   branch = "staging";
 }

pkgs/by-name/nixpkgs-wayland/package.nix

@@ -7,8 +7,8 @@ let
   src = fetchFromGitHub {
     owner = "nix-community";
     repo = "nixpkgs-wayland";
-    rev = "078152a76357f7815a675a59d76fc08f4845b19f";
-    hash = "sha256-FoTcI4jte5p7mzRjEEhaksWQ5z9w62opZNLdIsYSO48=";
+    rev = "d4ac027a0293d7f5be58d2acda27df3f45b8d930";
+    hash = "sha256-IY8frTWselDuqg0UMdbiTKSl59wZEGoOleaEYkFpigc=";
   };
   flake = import "${src}/flake.nix";
   evaluated = flake.outputs {
@@ -25,7 +25,7 @@ let
 in src.overrideAttrs (base: {
   # attributes required by update scripts
   pname = "nixpkgs-wayland";
-  version = "0-unstable-2025-03-04";
+  version = "0-unstable-2025-04-20";
   src = src;
 
   # passthru only nixpkgs-wayland's own packages -- not the whole nixpkgs-with-nixpkgs-wayland-as-overlay:

pkgs/by-name/opencellid/package.nix

@@ -1,49 +1,66 @@
 {
-  common-updater-scripts,
-  coreutils,
-  fetchurl,
+  _experimental-update-script-combinators,
+  curl,
+  fetchFromGitea,
+  git,
+  gzip,
   lib,
+  nix-update-script,
   stdenv,
   writeShellApplication,
-# database downloads are limited per API key, so please consider supplying your own API key if using this package
-  apiKey ? "pk.758ba60a9bf5fc060451153c3e2542dc",
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
   pname = "opencellid";
-  version = "0-unstable-2025-02-25";
+  version = "0-unstable-2025-04-20";
 
-  src = fetchurl {
-    # this is a live url. updated... weekly? the server seems to silently ignore unrecognized query parameters,
-    # so i append a version tag such that bumping it forces nix to re-fetch the data.
-    # the API key should allow for at least 2 downloads per day (maybe more?)
-    # TODO: repackage this such that hashes can be stable (mirror the data in a versioned repo, and point to that here?)
-    url = "https://opencellid.org/ocid/downloads?token=${apiKey}&type=full&file=cell_towers.csv.gz&_stamp=${version}";
-    hash = "sha256-HTPZS9Vp8y+WmuB7RMjyhC7NFLl0i4YFjAO3e7X0AZg=";
+  src = fetchFromGitea {
+    domain = "git.uninsane.org";
+    owner = "colin";
+    repo = "opencellid-mirror";
+    rev = "b34f4816d1fe0343c6b0144a48c5780c5b813a23";
+    hash = "sha256-mRGlHmje03sjFk+4ioOrTvifWNpOJdZEeENUPSaLElg=";
   };
 
-  unpackPhase = ''
-    gunzip "$src" --stdout > cell_towers.csv
-  '';
+  dontBuild = true;
 
   installPhase = ''
     runHook preInstall
 
+    mkdir $out
     cp cell_towers.csv $out
 
     runHook postInstall
   '';
 
-  passthru.updateScript = writeShellApplication {
-    name = "opencellid-update-script";
-    runtimeInputs = [ common-updater-scripts coreutils ];
-    text = ''
-      # UPDATE_NIX_ATTR_PATH is supplied by the caller
-      version=0-unstable-$(date +%Y-%m-%d)
-      update-source-version "$UPDATE_NIX_ATTR_PATH" "$version" \
-        --ignore-same-version \
-        --print-changes
-    '';
+  passthru = rec {
+    updateFromMirror = nix-update-script {
+      extraArgs = [ "--version" "branch" ];
+    };
+    opencellid-update-script = writeShellApplication {
+      name = "opencellid-update-script";
+      runtimeInputs = [ curl git gzip ];
+      text = ''
+        set -x
+        pushd "$(mktemp -d opencellid.XXXXXXXX --tmpdir)"
+
+        git clone git@git.uninsane.org:colin/opencellid-mirror.git
+        cd opencellid-mirror
+        ./update
+
+        # with `git gc` a daily commit is compressed from ~160MB -> 4-8MB (as measured by the reported size of .git dir).
+        # not sure if this affects the size when pushed to the remote though.
+        git gc
+        git push origin master
+
+        popd
+      '';
+    };
+    updateFromOpenCellId = lib.getExe opencellid-update-script;
+    updateScript = _experimental-update-script-combinators.sequence [
+      updateFromOpenCellId
+      updateFromMirror
+    ];
   };
 
   meta = with lib; {

pkgs/by-name/sane-scripts/package.nix

@@ -32,10 +32,9 @@ let
       doCheck = true;
       strictDeps = true;
     };
-    ssdp = python3.pkgs.buildPythonPackage {
+    ssdp = stdenv.mkDerivation {
       pname = "sane-lib-ssdp";
       version = "0.1.0";
-      format = "setuptools";
       src = ./src/lib/ssdp;
 
       nativeBuildInputs = [

pkgs/by-name/sane-scripts/src/sane-private-unlock-remote

@@ -4,11 +4,16 @@
 # unlock a remote private store by dropping the password in a discoverable place.
 # this only works if our own private store has been unlocked and this machine has access to the relevant secret.
 
-set -xeu
+set -eu
 
 host=$1
 passwd=$(sane-secrets-dump --field password "$host")
 
-test -n "$passwd"
+if [ -z "$passwd" ]; then
+  echo "failed to decode password" | tee /dev/stderr
+  exit 1
+fi
 
+echo "attempting to mount private store on $host"
 echo "$passwd" | ssh "$host" 'if ! test -f /mnt/persist/private/init; then cat /dev/stdin > /run/gocryptfs/private.key; fi'
+echo "mount succeeded"

pkgs/by-name/sane-scripts/src/sane-reboot

@@ -9,8 +9,9 @@ if [ "$host" = "$target" ]
 then
   # N.B.: anything other than just `reboot` with no args requires `sudo` privileges (to write to /run/systemd/).
   # `systemctl reboot -i` tells systemd to ignore inhibitors (i.e. other users logged in).
-  reboot "$@" || \
-    systemctl reboot -i "$@"
+  timeout 5 reboot "$@" || \
+    timeout 5 systemctl reboot -i "$@" || \
+    (sync && reboot --force --force "$@")  #< XXX: requires root
 else
   echo "WRONG MACHINE. you're on $host."
   exit 1

pkgs/by-name/signal-desktop-from-src/package.nix

@@ -88,11 +88,8 @@
   at-spi2-core,
   atk,
   autoPatchelfHook,
-  bash,
-  buildNpmPackage,
-  buildPackages,
   cups,
-  electron_33-bin,
+  electron_35-bin,
   fetchFromGitHub,
   fetchurl,
   flac,
@@ -103,18 +100,21 @@
   gtk3,
   icu,
   lib,
+  libgbm,
   libpulseaudio,
   libwebp,
   libxslt,
   makeShellWrapper,
-  mesa,
   nix-update-script,
+  nodejs,
   nspr,
   nss,
   pango,
+  pkgsBuildHost,
+  pnpm_10,
   python3,
   rsync,
-  signal-desktop,
+  signal-desktop-bin,
 #  sqlite,
 #  sqlcipher,
   stdenv,
@@ -122,9 +122,10 @@
   xdg-utils,
 }:
 let
-  ringrtcPrebuild = "${signal-desktop}/lib/Signal/resources/app.asar.unpacked/node_modules/@signalapp/ringrtc";
+  ringrtcPrebuild = "${signal-desktop-bin}/lib/signal-desktop/resources/app.asar.unpacked/node_modules/@signalapp/ringrtc";
 
-  betterSqlitePrebuild = "${signal-desktop}/lib/Signal/resources/app.asar.unpacked/node_modules/@signalapp/better-sqlite3";
+  betterSqlitePrebuild = null;
+  # betterSqlitePrebuild = "${signal-desktop-bin}/lib/signal-desktop/resources/app.asar.unpacked/node_modules/@signalapp/better-sqlite3";
 
   # ringrtcPrebuild = stdenv.mkDerivation {
   #   name = "ringrtc-bin";
@@ -142,19 +143,19 @@ let
 
   # better-sqlite3 can be built from source, or use the prebuilt version from nixpkgs' signal-desktop.
   # just do whatever's easiest (and works) at the time of upgrade; set `null` to use the prebuild
-  # sqlcipherTarball = null;
-  sqlcipherTarball = fetchurl {
-    # this is a dependency of better-sqlite3.
-    # version/url is found in <repo:signalapp/better-sqlite3:deps/download.js>
-    # - checkout the better-sqlite3 tag which matches signal-dekstop's package.json "@signalapp/better-sqlite3" key.
-    url = let
-      BETTER_SQLITE3_VERSION = "9.0.11";  #< from Signal-Desktop/package.json
-      HASH = "6253f886c40e49bf892d5cdc92b2eb200b12cd8d80c48ce5b05967cfd01ee8c7";
-      SQLCIPHER_VERSION = "4.6.1-signal-patch2";
-      EXTENSION_VERSION = "0.2.1-asm2";
-    in "https://build-artifacts.signal.org/desktop/sqlcipher-v2-${SQLCIPHER_VERSION}--${EXTENSION_VERSION}-${HASH}.tar.gz";
-    hash = "sha256-YlP4hsQOSb+JLVzckrLrIAsSzY2AxIzlsFlnz9Ae6Mc=";
-  };
+  sqlcipherTarball = null;
+  # sqlcipherTarball = fetchurl {
+  #   # this is a dependency of better-sqlite3.
+  #   # version/url is found in <repo:signalapp/better-sqlite3:deps/download.js>
+  #   # - checkout the better-sqlite3 tag which matches signal-dekstop's package.json "@signalapp/better-sqlite3" key.
+  #   url = let
+  #     BETTER_SQLITE3_VERSION = "9.0.11";  #< from Signal-Desktop/package.json
+  #     HASH = "6253f886c40e49bf892d5cdc92b2eb200b12cd8d80c48ce5b05967cfd01ee8c7";
+  #     SQLCIPHER_VERSION = "4.6.1-signal-patch2";
+  #     EXTENSION_VERSION = "0.2.1-asm2";
+  #   in "https://build-artifacts.signal.org/desktop/sqlcipher-v2-${SQLCIPHER_VERSION}--${EXTENSION_VERSION}-${HASH}.tar.gz";
+  #   hash = "sha256-YlP4hsQOSb+JLVzckrLrIAsSzY2AxIzlsFlnz9Ae6Mc=";
+  # };
 
   # signal-fts5-extension = callPackage ./fts5-extension { };
   # bettersqlitePatch = substituteAll {
@@ -172,25 +173,28 @@ let
   # prefer to use the same electron version as everywhere else, and a `-bin` version to avoid 4hr rebuilds.
   # the non-bin varieties *seem* to ship the wrong `electron.headers` property.
   # - maybe they can work if i manually DL and ship the corresponding headers
-  electron' = electron_33-bin;
+  electron' = electron_35-bin;
 
   buildNpmArch = if stdenv.buildPlatform.isAarch64 then "arm64" else "x64";
   hostNpmArch = if stdenv.hostPlatform.isAarch64 then "arm64" else "x64";
   crossNpmArchExt = if buildNpmArch == hostNpmArch then "" else "-${hostNpmArch}";
 in
-buildNpmPackage rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "signal-desktop-from-src";
-  version = "7.44.0";
+  version = "7.52.0";
 
   src = fetchFromGitHub {
     owner = "signalapp";
     repo = "Signal-Desktop";
     leaveDotGit = true;  # signal calculates the release date via `git`
-    rev = "v${version}";
-    hash = "sha256-Gxb5kI2SAtJ/j9mHsL80yHS8XxFwHDlKUAxVcG2X9CE=";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-MbccRQ652kDGJP/vRL2x+fLmeTNhgLSNvSpRSGm3fX8=";
   };
 
-  npmDepsHash = "sha256-r7HtaYBORc8I241EgTcLCZeZpi4rbqviOyKbfqJyJvE=";
+  pnpmDeps = pnpm_10.fetchDeps {
+    inherit (finalAttrs) pname version src patches;
+    hash = "sha256-fCA1tBpj0l3Ur9z1o1IAz+HtfDlC5DzPa3m1/8NsFkY=";
+  };
 
   patches = [
     # ./debug.patch
@@ -231,9 +235,12 @@ buildNpmPackage rec {
     git  # to calculate build date
     gnused
     makeShellWrapper
+    nodejs
+    # nodejs.python
     python3
     rsync
     wrapGAppsHook
+    pkgsBuildHost.pnpm_10.configHook  #< XXX: buildPackages because it doesn't splice right (fixes cross compilation)
   ];
 
   buildInputs = [
@@ -249,7 +256,8 @@ buildNpmPackage rec {
     libpulseaudio
     libwebp
     libxslt
-    mesa # for libgbm
+    libgbm
+    nodejs
     nspr
     nss
     pango
@@ -269,16 +277,21 @@ buildNpmPackage rec {
 
   dontWrapGApps = true;
   # dontStrip = false;
-  makeCacheWritable = true;  # "Your cache folder contains root-owned files, due to a bug in previous versions of npm which has since been addressed."
+  # makeCacheWritable = true;  # "Your cache folder contains root-owned files, due to a bug in previous versions of npm which has since been addressed."
 
-  npmRebuildFlags = [
-    # "--offline"
-    "--ignore-scripts"
-  ];
+  # npmRebuildFlags = [
+  #   # "--offline"
+  #   "--ignore-scripts"
+  # ];
+  # pnpmRebuildFlags = [
+  #   # "--offline"
+  #   "--ignore-scripts"
+  # ];
 
   # NIX_DEBUG = 6;
 
-  postConfigure = ''
+  # should really be `postConfigure`, but `pnpmConfigHook` runs _after_ postConfigure
+  preBuild = ''
     # XXX: Signal does not let clients connect if they're running a version that's > 90d old.
     # to calculate the build date, it uses SOURCE_DATE_EPOCH (if set), else `git log`.
     # nixpkgs sets SOURCE_DATE_EPOCH to 1980/01/01 by default, so unset it so Signal falls back to git date.
@@ -290,34 +303,38 @@ buildNpmPackage rec {
     # need to build against electron's versions of the node headers, or something.
     # without patching this, Signal can build, but will fail with `undefined symbol: ...` errors at runtime.
     # see: <https://www.electronjs.org/docs/latest/tutorial/using-native-node-modules>
-    tar xzf ${electron'.headers}
-    export npm_config_nodedir=$(pwd)/node_headers
+    export npm_config_nodedir=${electron'.headers}
 
     # patchShebangs --build --update node_modules/{bufferutil/node_modules/node-gyp-build/,node-gyp-build,utf-8-validate/node_modules/node-gyp-build}
     # patch these out to remove a runtime reference back to the build bash
     # (better, perhaps, would be for these build scripts to not be included in the asar...)
     substituteInPlace node_modules/dashdash/etc/dashdash.bash_completion.in --replace-fail '#!/bin/bash' '#!/bin/sh'
+    # substituteInPlace node_modules/pino/inc-version.sh --replace-fail '#!/bin/bash' '#!/bin/sh'
+    substituteInPlace node_modules/pino/inc-version.sh --replace-fail '#!${stdenv.shell}' '#!/bin/sh'
 
     # provide necessities which were skipped as part of --ignore-scripts
     rsync -arv ${ringrtcPrebuild}/ node_modules/@signalapp/ringrtc/
 
-    ${if sqlcipherTarball == null then ''
-      # option 1: replace the entire better-sqlite3 library with the prebuilt version from nixpkgs' signal-desktop
+    ${if sqlcipherTarball != null then ''
+      # option 1: replace only the sqlcipher plugin with Signal's prebuilt version,
+      # and build the rest of better-sqlite3 from source
+      cp ${sqlcipherTarball} node_modules/@signalapp/better-sqlite3/deps/sqlcipher.tar.gz
+    '' else if betterSqlitePrebuild != null then ''
+      # option 2: replace the entire better-sqlite3 library with the prebuilt version from nixpkgs' signal-desktop
       rsync -arv ${betterSqlitePrebuild}/ node_modules/@signalapp/better-sqlite3/
       # patch so signal doesn't try to *rebuild* better-sqlite3
       substituteInPlace node_modules/@signalapp/better-sqlite3/package.json \
         --replace-fail '"download": "node ./deps/download.js"'  '"download": "true"' \
         --replace-fail '"build-release": "node-gyp rebuild --release"'  '"build-release": "true"' \
-        --replace-fail '"install": "npm run download && npm run build-release"'  '"install": "true"'
-    '' else ''
-      # option 2: replace only the sqlcipher plugin with Signal's prebuilt version,
-      # and build the rest of better-sqlite3 from source
-      cp ${sqlcipherTarball} node_modules/@signalapp/better-sqlite3/deps/sqlcipher.tar.gz
-    ''}
+        --replace-fail '"install": "pnpm run download && pnpm run build-release"'  '"install": "true"'
+    '' else
+      # XXX(2025-03-27): seems that signal can build *and run* without any patching of sqlcipher/better-sqlite now
+      ""
+    }
 
     # pushd node_modules/@signalapp/better-sqlite3
     #   # node-gyp isn't consistently linked into better-sqlite's `node_modules` (maybe due to version mismatch with signal-desktop's node-gyp?)
-    #   PATH="$PATH:$(pwd)/../../.bin" npm --offline run build-release
+    #   PATH="$PATH:$(pwd)/../../.bin" pnpm --offline run build-release
     # popd
 
     # pushd node_modules/@signalapp/libsignal-client
@@ -328,7 +345,7 @@ buildNpmPackage rec {
     # - npm run build:acknowledgments
     # - npm exec patch-package
     # - npm run electron:install-app-deps
-    npm run postinstall
+    pnpm run postinstall
   '';
 
   # excerpts from package.json:
@@ -354,11 +371,14 @@ buildNpmPackage rec {
   buildPhase = ''
     runHook preBuild
 
-    npm run generate
+    pnpm run generate
 
-    npm run build:esbuild:prod --offline --frozen-lockfile
+    pnpm run build:esbuild:prod --offline --frozen-lockfile
 
-    npm run build:release -- \
+    SIGNAL_ENV=production \
+    pnpm exec electron-builder \
+      --config.extraMetadata.environment=production \
+      --config.directories.output=release \
       --${hostNpmArch} \
       --config.electronDist=${electron'}/libexec/electron \
       --config.electronVersion=${electron'.version} \
@@ -370,11 +390,11 @@ buildNpmPackage rec {
   installPhase = ''
     runHook preInstall
 
-    # directory structure follows the original `signal-desktop` nix package
+    # directory structure follows the upstream `signal-desktop` nix package
     mkdir -p $out/lib
-    cp -R release/linux${crossNpmArchExt}-unpacked $out/lib/Signal
-    # cp -R release/linux-unpacked/resources $out/lib/Signal/resources
-    # cp -R release/linux-unpacked/locales $out/lib/Signal/locales
+    cp -R release/linux${crossNpmArchExt}-unpacked $out/lib/signal-desktop
+    # cp -R release/linux-unpacked/resources $out/lib/signal-desktop/resources
+    # cp -R release/linux-unpacked/locales $out/lib/signal-desktop/locales
 
     mkdir $out/bin
 
@@ -385,25 +405,38 @@ buildNpmPackage rec {
     # fixup the app.asar to:
     # - use host nodejs
     # - use host libpulse.so
-    asar extract $out/lib/Signal/resources/app.asar unpacked
-    rm $out/lib/Signal/resources/app.asar
+    asar extract $out/lib/signal-desktop/resources/app.asar unpacked
+    rm $out/lib/signal-desktop/resources/app.asar
     patchShebangs --host --update unpacked
     patchelf --add-needed ${libpulseaudio}/lib/libpulse.so unpacked/node_modules/@signalapp/ringrtc/build/linux/libringrtc-*.node
-    asar pack unpacked $out/lib/Signal/resources/app.asar
+    cp -R unpacked "$asar"
+    asar pack unpacked $out/lib/signal-desktop/resources/app.asar
 
-    # XXX: add --ozone-platform-hint=auto to make it so that NIXOS_OZONE_WL isn't *needed*.
-    # electron should auto-detect x11 v.s. wayland: launching with `NIXOS_OZONE_WL=1` is an optional way to force it when debugging.
-    # xdg-utils: needed for ozone-platform-hint=auto to work
-    # else `LaunchProcess: failed to execvp: xdg-settings`
-    makeShellWrapper ${lib.getExe electron'} $out/bin/signal-desktop \
+    # patchShebangs --host --update $out/lib/signal-desktop/resources
+    # patchelf --add-needed ${libpulseaudio}/lib/libpulse.so $out/lib/signal-desktop/resources/app.asar.unpacked/node_modules/@signalapp/ringrtc/build/linux/libringrtc-*.node
+
+    # # XXX: add --ozone-platform-hint=auto to make it so that NIXOS_OZONE_WL isn't *needed*.
+    # # electron should auto-detect x11 v.s. wayland: launching with `NIXOS_OZONE_WL=1` is an optional way to force it when debugging.
+    # # xdg-utils: needed for ozone-platform-hint=auto to work
+    # # else `LaunchProcess: failed to execvp: xdg-settings`
+    # makeShellWrapper ${lib.getExe electron'} $out/bin/signal-desktop \
+    #   "''${gappsWrapperArgs[@]}" \
+    #   --add-flags $out/lib/signal-desktop/resources/app.asar \
+    #   --suffix PATH : ${lib.makeBinPath [ xdg-utils ]} \
+    #   --add-flags --ozone-platform-hint=auto \
+    #   --add-flags "\''${WAYLAND_DISPLAY:+--ozone-platform=wayland --enable-features=WaylandWindowDecorations}" \
+    #   --inherit-argv0
+
+    makeShellWrapper $out/lib/signal-desktop/signal-desktop $out/bin/signal-desktop \
       "''${gappsWrapperArgs[@]}" \
-      --add-flags $out/lib/Signal/resources/app.asar \
       --suffix PATH : ${lib.makeBinPath [ xdg-utils ]} \
       --add-flags --ozone-platform-hint=auto \
       --add-flags "\''${WAYLAND_DISPLAY:+--ozone-platform=wayland --enable-features=WaylandWindowDecorations}" \
       --inherit-argv0
   '';
 
+  outputs = [ "out" "asar" ];
+
   passthru = {
     inherit ringrtcPrebuild betterSqlitePrebuild;
     # inherit ringrtcPrebuild sqlcipherTarball;
@@ -425,7 +458,7 @@ buildNpmPackage rec {
       "Signal Android" or "Signal iOS" app.
     '';
     homepage = "https://signal.org/";
-    changelog = "https://github.com/signalapp/Signal-Desktop/releases/tag/v${version}";
+    changelog = "https://github.com/signalapp/Signal-Desktop/releases/tag/v${finalAttrs.version}";
     license = lib.licenses.agpl3Only;
   };
-}
+})

pkgs/by-name/sm64baserom/package.nix

@@ -1,10 +1,10 @@
 # "baseRom" (previously) / "sm64baserom" (in the future) is used by `sm64coopdx`, `sm64ex-coop`: braindead packages which use `requireFile` instead of fetching their sources.
-{ fetchurl, ... }:
+{ fetchurl, region ? "us", showRegionMessage ? false }:
 let
-  baserom = fetchurl {
+  baserom.us = fetchurl {
     url = "https://github.com/jb1361/Super-Mario-64-AI/raw/development/Super%20Mario%2064%20(USA).z64";
     hash = "sha256-F84Hc0PGEz+Mny1tbZpKtiyM0qpXxArqH0kLTIuyHZE=";
   };
 in {
-  romPath = "${baserom}";
+  romPath = "${baserom.${region}}";
 }

pkgs/by-name/sops-nix/package.nix

@@ -6,8 +6,8 @@ let
   src = fetchFromGitHub {
     owner = "Mic92";
     repo = "sops-nix";
-    rev = "07af005bb7d60c7f118d9d9f5530485da5d1e975";
-    hash = "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=";
+    rev = "69d5a5a4635c27dae5a742f36108beccc506c1ba";
+    hash = "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=";
   };
   flake = import "${src}/flake.nix";
   evaluated = flake.outputs {
@@ -20,7 +20,7 @@ in src.overrideAttrs (base: {
   # attributes required by update scripts
   pname = "sops-nix";
   # nix-update-script insists on this weird `assets-` version format
-  version = "assets-unstable-2025-02-11";
+  version = "assets-unstable-2025-04-08";
   src = src;
 
   passthru = base.passthru

pkgs/by-name/static-nix-shell/package.nix

@@ -3,6 +3,7 @@
   bash,
   lib,
   makeBinaryWrapper,
+  oils-for-unix,
   python3,
   stdenv,
   zsh,
@@ -148,6 +149,18 @@ in rec {
     } // (removeAttrs attrs [ "bash" "pkgs" ])
   );
 
+  # `mkShell` specialization for `nix-shell -i ysh` (oil) scripts.
+  mkYsh = { pkgs ? {}, ...}@attrs:
+    let
+      pkgsAsAttrs = pkgsToAttrs "" pkgs' pkgs;
+      pkgsEnv = [ oils-for-unix ] ++ (builtins.attrValues pkgsAsAttrs);
+      pkgExprs = insertTopo "oils-for-unix" (builtins.attrNames pkgsAsAttrs);
+    in mkShell ({
+      inherit pkgsEnv pkgExprs;
+      interpreter = lib.getExe' oils-for-unix "ysh";
+    } // (removeAttrs attrs [ "oils-for-unix" "pkgs" ])
+  );
+
   # `mkShell` specialization for `nix-shell -i zsh` scripts.
   mkZsh = { pkgs ? {}, ...}@attrs:
     let

pkgs/by-name/sublime-music-mobile/package.nix

@@ -2,7 +2,7 @@
 # , lib
 # , libhandy
 # , ... }:
-# 
+#
 # (pkgs.sublime-music.overrideAttrs (upstream: {
 #   pname = "sublime-music-mobile";
 #   version = "0.11.10";
@@ -13,7 +13,7 @@
 #     rev = "4ce2f222f13020574d54110d90839f48d8689b9d";
 #     sha256 = "sha256-V6YyBbPKAfZb5FVOesNcC6TfJbO73WZ4DvlOSWSSZzU=";
 #   };
-# 
+#
 #   buildInputs = upstream.buildInputs ++ [
 #     # requires this PR that adds the drawtab:
 #     # - <https://gitlab.gnome.org/GNOME/libhandy/-/merge_requests/707>
@@ -33,33 +33,34 @@
 #       ];
 #     }))
 #   ];
-# 
+#
 #   # i think Benjamin didn't update the tests?
 #   doCheck = false;
 #   doInstallCheck = false;
-# 
+#
 #   meta.description = "A mobile-friendly sublime music fork";
 # }))
 
-{ fetchFromGitLab
-, fetchFromGitea
-, docbook_xml_dtd_43
-, docbook-xsl-nons
-, gtk-doc
-, lib
-, libhandy
-, fetchFromGitHub
-, python3
-, gobject-introspection
-, gtk3
-, pango
-, wrapGAppsHook
-, xvfb-run
-, chromecastSupport ? false
-, serverSupport ? false
-, keyringSupport ? true
-, notifySupport ? true, libnotify
-, networkSupport ? true, networkmanager
+{
+  docbook-xsl-nons,
+  docbook_xml_dtd_43,
+  fetchFromGitHub,
+  fetchFromGitLab,
+  fetchFromGitea,
+  gobject-introspection,
+  gtk-doc,
+  gtk3,
+  lib,
+  libhandy,
+  pango,
+  python3,
+  wrapGAppsHook,
+  xvfb-run,
+  chromecastSupport ? false,
+  keyringSupport ? true,
+  networkSupport ? true, networkmanager,
+  notifySupport ? true, libnotify,
+  serverSupport ? false,
 }:
 
 let
@@ -84,7 +85,7 @@ python.pkgs.buildPythonApplication rec {
 
   # src = fetchFromGitLab {
   #   owner = "sublime-music";
-  #   repo = pname;
+  #   repo = "sublime-music-mobile;
   #   rev = "v${version}";
   #   sha256 = "sha256-n77mTgElwwFaX3WQL8tZzbkPwnsyQ08OW9imSOjpBlg=";
   # };
@@ -102,13 +103,15 @@ python.pkgs.buildPythonApplication rec {
     sha256 = "sha256-jyC3Fh+b+MBLjHlFr3nOOM7eT/3PPF7dynHsPJaIzLU=";
   };
 
-  nativeBuildInputs = [
-    gobject-introspection
-    wrapGAppsHook
-  ] ++ (with python.pkgs; [
-   poetry-core
-   pythonRelaxDepsHook
- ]);
+  nativeBuildInputs =
+    [
+      gobject-introspection
+      wrapGAppsHook
+    ]
+    ++ (with python.pkgs; [
+      poetry-core
+      pythonRelaxDepsHook
+    ]);
 
   # Can be removed in later versions (probably > 0.11.16)
   pythonRelaxDeps = [
@@ -116,46 +119,47 @@ python.pkgs.buildPythonApplication rec {
     "python-mpv"
   ];
 
-  buildInputs = [
-    gtk3
-    pango
-    (libhandy.overrideAttrs (superhandy: {
-      version = "1.5.0";
-      src = fetchFromGitLab {
-        domain = "gitlab.gnome.org";
-        owner = "BenjaminSchaaf";
-        repo = "libhandy";
-        rev = "0557503278a099c1b9999ceebb7c21fa9c15a3a5";
-        sha256 = "sha256-MwOnQ2h1ypSvxOSaXDdSFoMKOMr9DonTCMNT796kaQs=";
-      };
-      nativeBuildInputs = superhandy.nativeBuildInputs ++ [
-        docbook_xml_dtd_43
-        docbook-xsl-nons
-        gtk-doc
-      ];
-    }))
-  ]
-   ++ lib.optional notifySupport libnotify
-   ++ lib.optional networkSupport networkmanager
-  ;
+  buildInputs =
+    [
+      gtk3
+      pango
+      (libhandy.overrideAttrs (superhandy: {
+        version = "1.5.0";
+        src = fetchFromGitLab {
+          domain = "gitlab.gnome.org";
+          owner = "BenjaminSchaaf";
+          repo = "libhandy";
+          rev = "0557503278a099c1b9999ceebb7c21fa9c15a3a5";
+          sha256 = "sha256-MwOnQ2h1ypSvxOSaXDdSFoMKOMr9DonTCMNT796kaQs=";
+        };
+        nativeBuildInputs = superhandy.nativeBuildInputs ++ [
+          docbook_xml_dtd_43
+          docbook-xsl-nons
+          gtk-doc
+        ];
+      }))
+    ]
+    ++ lib.optional notifySupport libnotify
+    ++ lib.optional networkSupport networkmanager;
 
-  propagatedBuildInputs = with python.pkgs; [
-    bleach
-    dataclasses-json
-    deepdiff
-    fuzzywuzzy
-    levenshtein
-    mpv
-    peewee
-    pygobject3
-    python-dateutil
-    requests
-    semver
-  ]
-   ++ lib.optional chromecastSupport pychromecast
-   ++ lib.optional keyringSupport keyring
-   ++ lib.optional serverSupport bottle
-  ;
+  propagatedBuildInputs =
+    with python.pkgs;
+    [
+      bleach
+      dataclasses-json
+      deepdiff
+      fuzzywuzzy
+      levenshtein
+      mpv
+      peewee
+      pygobject3
+      python-dateutil
+      requests
+      semver
+    ]
+    ++ lib.optional chromecastSupport pychromecast
+    ++ lib.optional keyringSupport keyring
+    ++ lib.optional serverSupport bottle;
 
   postPatch = ''
     sed -i "/--cov/d" setup.cfg
@@ -199,6 +203,9 @@ python.pkgs.buildPythonApplication rec {
     description = "GTK3 Subsonic/Airsonic client";
     homepage = "https://sublimemusic.app/";
     license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ albakham sumnerevans ];
+    maintainers = with maintainers; [
+      albakham
+      sumnerevans
+    ];
   };
 }

pkgs/by-name/syshud/package.nix

@@ -14,13 +14,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "syshud";
-  version = "0-unstable-2025-01-13";
+  version = "0-unstable-2025-03-11";
 
   src = fetchFromGitHub {
     owner = "System64fumo";
     repo = "syshud";
-    rev = "ca5c05145d440c7e96a3521af327da91bb1ac539";
-    hash = "sha256-mglmmIZz1bbRT15/Xr1vrYBy+PVgIaKpjRfAAFT5OcQ=";
+    rev = "6a90edad20437a1d933937a44a4e3553caeb248f";
+    hash = "sha256-Lmv75OaPOK+NxDe+7Xgf/NDvyms+zXn8tYThQJRxf9k=";
   };
 
   postPatch = ''

pkgs/by-name/tree-sitter-nix-shell/package.nix

@@ -1,18 +1,21 @@
-{ lib
-, fetchFromGitea
-, htmlq
-, tree-sitter
-, tree-sitter-nix-shell
+{
+  fetchFromGitea,
+  htmlq,
+  lib,
+  neovimUtils,
+  tree,
+  tree-sitter,
+  tree-sitter-nix-shell,
 }:
 
 tree-sitter.buildGrammar {
-  version = "0.1.0";
+  version = "0.2.0";
   src = fetchFromGitea {
     domain = "git.uninsane.org";
     owner = "colin";
     repo = "tree-sitter-nix-shell";
-    rev = "c2fcc8b6ee91af2cb58a38f62c0800f82d783738";
-    hash = "sha256-NU7p4KieSkYRhTSgL5qwFJ9n7hGJwTn0rynicfOf9oA=";
+    rev = "41849dc40d776841a3104d15c8b8ac69425f17f7";
+    hash = "sha256-6+I3EiKj82yzyteV1jkhI2aHaBPw5E7cLUztnYhieWk=";
   };
 
   language = "nix-shell";
@@ -21,17 +24,39 @@ tree-sitter.buildGrammar {
 
   nativeCheckInputs = [ htmlq ];
   checkPhase = ''
+    runHook preCheck
     (cd ..; make test)
+    runHook postCheck
   '';
   doCheck = true;
 
+  nativeInstallCheckInputs = [ tree ];
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    # i'm too dumb to know which installed files are necessary for e.g. neovim,
+    # but the original package (pre 2025-03-15) had:
+    # - $out/parser (elf file; also found in e.g. vimPlugins.nvim-treesitter.grammarPlugins.latex.origGrammar)
+    # - $out/queries/{highlights.scm,injections.scm}
+    #
+    # N.B. that said original parser never actually worked with neovim (only with helix?)
+    (test -x $out/parser && test -f $out/queries/highlights.scm && test -f $out/queries/injections.scm) || \
+      (tree $out; echo "expected output to contain /parser and /queries/"; false)
+
+    runHook postInstallCheck
+  '';
+  doInstallCheck = true;
+
   passthru = {
     generated = tree-sitter-nix-shell.overrideAttrs (orig: {
       # provide a package which has the output of `tree-sitter generate`, but not the binary compiled parser
-      buildPhase = "true";
+      dontBuild = true;
       installPhase = "cp -r . $out";
-      checkPhase = "true";
+      doCheck = false;
+      doInstallCheck = false;
     });
+    # see comment in <repo:nixos/nixpkgs:pkgs/applications/editors/neovim/utils.nix>
+    nvimPlugin = neovimUtils.grammarToPlugin tree-sitter-nix-shell;
   };
 
   meta = with lib; {

pkgs/by-name/uassets/package.nix

@@ -5,12 +5,12 @@
 }:
 stdenv.mkDerivation {
   pname = "uassets";
-  version = "0-unstable-2025-03-04";
+  version = "0-unstable-2025-04-13";
   src = fetchFromGitHub {
     owner = "uBlockOrigin";
     repo = "uAssets";
-    rev = "6b6a7392677cd6ca3d643f430e38505fb2946ef9";
-    hash = "sha256-FHxR15cVJvv59paYy3//6klp/XXrC2I9gSpGLUZ7BHg=";
+    rev = "b89a7ae3a82c795d56462d522aaa755627454a42";
+    hash = "sha256-IYMYTp+G7/J+Ueqdrun95n9obeWxSQR7+pi+rPa94I4=";
   };
 
   dontBuild = true;

pkgs/by-name/unftp/package.nix

@@ -1,6 +1,7 @@
-{ lib
-, rustPlatform
-, fetchFromGitHub
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -9,7 +10,7 @@ rustPlatform.buildRustPackage rec {
 
   src = fetchFromGitHub {
     owner = "bolcom";
-    repo = pname;
+    repo = "unftp";
     rev = "v${version}";
     hash = "sha256-+UL8xflnumOiWL5b9/azH9OW+X+6hRcxjiyWhCSWQRg=";
   };

pkgs/by-name/uvtools/deps.json

@@ -19,15 +19,10 @@
     "version": "4.10.0.5680",
     "hash": "sha256-j7I+xgLo8gB+5rKqW5FVtP6o3xqx3acrcMjKGr8ZlJ8="
   },
-  {
-    "pname": "Emgu.CV",
-    "version": "4.9.0.5494",
-    "hash": "sha256-mU7daSkOHtA/obp0Cq67+K9yHJhLNM+XYh0B4jfWI8c="
-  },
   {
     "pname": "Emgu.CV.runtime.mini.macos",
-    "version": "4.9.0.5494",
-    "hash": "sha256-/Q560p1jViBIn2cKLymGMArtYEmd17HjZArHFTror/Y="
+    "version": "4.10.0.5683",
+    "hash": "sha256-tIBd9EJ74MVWuEzESZHx75g3rXDPkObrcfep10zC+28="
   },
   {
     "pname": "Emgu.CV.runtime.mini.ubuntu-x64",
@@ -66,28 +61,28 @@
   },
   {
     "pname": "Microsoft.CodeAnalysis.Analyzers",
-    "version": "3.3.4",
-    "hash": "sha256-qDzTfZBSCvAUu9gzq2k+LOvh6/eRvJ9++VCNck/ZpnE="
+    "version": "3.11.0",
+    "hash": "sha256-hQ2l6E6PO4m7i+ZsfFlEx+93UsLPo4IY3wDkNG11/Sw="
   },
   {
     "pname": "Microsoft.CodeAnalysis.Common",
-    "version": "4.12.0",
-    "hash": "sha256-mm/OKG3zPLAeTVGZtuLxSG+jpQDOchn1oyHqBBJW2Ho="
+    "version": "4.13.0",
+    "hash": "sha256-Bu5ev3JM+fyf9USnLM7AJbd5lFmpVfaxm6EQYoYM9Vc="
   },
   {
     "pname": "Microsoft.CodeAnalysis.CSharp",
-    "version": "4.12.0",
-    "hash": "sha256-m1i1Q5pyEq4lAoYjNE9baEjTplH8+bXx5wSA+eMmehk="
+    "version": "4.13.0",
+    "hash": "sha256-jzO7/2j7rPqu4Xtm4lhh2Ijaiw+aUkiR+yYn+a8mg/M="
   },
   {
     "pname": "Microsoft.CodeAnalysis.CSharp.Scripting",
-    "version": "4.12.0",
-    "hash": "sha256-CiCGoxL/EgyLp7j1CT99x0SnUwMO/7zS1K6BCnO5XEs="
+    "version": "4.13.0",
+    "hash": "sha256-4eTynAM4ruf2gYDNrEmVk2lqwC0aZPLWEH04C0lwArU="
   },
   {
     "pname": "Microsoft.CodeAnalysis.Scripting.Common",
-    "version": "4.12.0",
-    "hash": "sha256-Ci6ULpUvAqoHIcBGBk6/qincQgkh+bkyI+jDd2J8Y/Q="
+    "version": "4.13.0",
+    "hash": "sha256-0Z25a8Yc7N3Y59Td0ga5H78dUOZV8yoS6PubqcCsktA="
   },
   {
     "pname": "Microsoft.CSharp",
@@ -346,8 +341,8 @@
   },
   {
     "pname": "SixLabors.ImageSharp",
-    "version": "3.1.6",
-    "hash": "sha256-FQjLyC4158F1GyhlKjzjGo6TxAu698rYWTY9lkko/fA="
+    "version": "3.1.7",
+    "hash": "sha256-jMD/FiIwW1kNhTI6hKig8/QFOO3eTQX/C22cSAcKBH4="
   },
   {
     "pname": "System.AppContext",
@@ -461,8 +456,8 @@
   },
   {
     "pname": "System.Memory",
-    "version": "4.6.0",
-    "hash": "sha256-OhAEKzUM6eEaH99DcGaMz2pFLG/q/N4KVWqqiBYUOFo="
+    "version": "4.6.2",
+    "hash": "sha256-Ku7QoTMAwkaWgtms0n1YYxmWZqQt31SEJF25+WTWPd4="
   },
   {
     "pname": "System.Net.Http",
@@ -656,8 +651,8 @@
   },
   {
     "pname": "System.Text.Json",
-    "version": "9.0.2",
-    "hash": "sha256-kftKUuGgZtF4APmp77U79ws76mEIi+R9+DSVGikA5y8="
+    "version": "9.0.3",
+    "hash": "sha256-I7z6sRb2XbbXNZ2MyNbn2wysh1P2cnk4v6BM0zucj1w="
   },
   {
     "pname": "System.Text.RegularExpressions",

pkgs/by-name/uvtools/package.nix

@@ -7,12 +7,12 @@
 }:
 buildDotnetModule rec {
   pname = "UVtools";
-  version = "5.0.7";
+  version = "5.0.9";
   src = fetchFromGitHub {
     owner = "sn4k3";
     repo = "UVtools";
     rev = "v${version}";
-    hash = "sha256-QF+cGdz0Y5dreeKBlITX9z9PomLpcmlOQ5ft8/Sau2g=";
+    hash = "sha256-ujdtE2ubv4T3KYEdMEPDp+w3YHY7xO8fbDT4DEQ3bsQ=";
   };
 
   nugetDeps = ./deps.json;

pkgs/by-name/zecwallet-light-cli/package.nix

@@ -1,8 +1,9 @@
-{ lib
-, buildPackages
-, fetchFromGitHub
-, rustfmt
-, rustPlatform
+{
+  buildPackages,
+  fetchFromGitHub,
+  lib,
+  rustPlatform,
+  rustfmt,
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -11,7 +12,7 @@ rustPlatform.buildRustPackage rec {
 
   src = fetchFromGitHub {
     owner = "adityapk00";
-    repo = pname;
+    repo = "zecwallet-light-cli";
     rev = "v${version}";
     hash = "sha256-8qr6GIldJcybQwXbdZxFVGvFPJErLpqCEIuGJw1z0qQ=";
   };

pkgs/by-name/zimPackages/archlinux_en_all_maxi.nix

@@ -1,6 +1,6 @@
 { mkVersionedHttpZim }: mkVersionedHttpZim {
   owner = "other";
   pname = "archlinux_en_all_maxi";
-  version = "2025-02";
-  hash = "sha256-TWIChQ7ZN/FkeaAptLopEQPUny7HVAuuDNUuD1kumFQ=";
+  version = "2025-03";
+  hash = "sha256-Y07ua8uLMqIaZWxDG57Z4+o7IO04mUoDb/3UDyko0Ew=";
 }

pkgs/by-name/zimPackages/devdocs_en_nix.nix

@@ -1,6 +1,6 @@
 { mkVersionedHttpZim }: mkVersionedHttpZim {
   owner = "devdocs";
   pname = "devdocs_en_nix";
-  version = "2025-01";
-  hash = "sha256-njenhXV+6fu6LPZXaqfWLipCcF89m0CZPqzVIxJXWTU=";
+  version = "2025-04";
+  hash = "sha256-HOLuIcp/gED96foNqYYKnC49+yl12e+gv5+h7nun2UY=";
 }

pkgs/by-name/zimPackages/wikipedia_en_100.nix

@@ -1,6 +1,6 @@
 { mkVersionedHttpZim }: mkVersionedHttpZim {
   owner = "wikipedia";
   pname = "wikipedia_en_100";
-  version = "2025-03";
-  hash = "sha256-iNrGYTPVkbc41YJTWU3CwPg4c/KMYiBkLD+yNu9eFIA=";
+  version = "2025-04";
+  hash = "sha256-Pf2WFX+6efeVaKbSEQG1KvRFWbDYBYY8rHhSf/ogRoQ=";
 }

pkgs/by-name/zimPackages/zimgit-food-preparation_en.nix

@@ -1,6 +1,6 @@
 { mkVersionedHttpZim }: mkVersionedHttpZim {
   owner = "other";
   pname = "zimgit-food-preparation_en";
-  version = "2024-08";
-  hash = "sha256-nGuBmmj+KnRWQq1DqbTh/nnYl28jmr2ErjjUwtJg7RQ=";
+  version = "2025-04";
+  hash = "sha256-25LGydrBT/MPHLwVqoNKfAEsbofU/wUZ8zoJAqtucys=";
 }

pkgs/default.nix

@@ -54,9 +54,6 @@ let
     });
 
     ### aliases
-    # nixpkgs = nixpkgs-bootstrap.master;
-    # nixpkgs-staging = nixpkgs-bootstrap.staging;
-    # nixpkgs-next = nixpkgs-bootstrap.staging-next;
     inherit (trivial-builders)
       copyIntoOwnPackage
       deepLinkIntoOwnPackage

scripts/check-nur

@@ -1,8 +1,12 @@
-#!/bin/sh
-NIX_FILES_TOP=/home/colin/nixos
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p git
+
+SELF_PATH=$PWD/$0
+REPO_ROOT=$(git -C "$(dirname SELF_PATH)" rev-parse --show-toplevel)
+
 nixpkgs=$(nix-store --realize $(nix-instantiate -A nixpkgs-bootstrap.master.src))
 
-cd $NIX_FILES_TOP/integrations/nur
+cd $REPO_ROOT/integrations/nur
 
 NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
   --allowed-uris https://static.rust-lang.org \

scripts/check-uninsane

@@ -137,6 +137,8 @@ _bitcoindSynchronized() {
 check "Bitcoind synchronized" _bitcoindSynchronized
 check "Bitcoin Lightning" runOnHost servo clightning-sane status
 
+check "/mnt/persist/private" runOnHost servo systemctl status gocryptfs-private.service
+
 echo ""
 echo "systemctl --failed:"
 runOnHost servo systemctl -q --failed

scripts/deploy

@@ -8,6 +8,7 @@ usage() {
   echo ""
   echo "usage: deploy [options] [host] [host2 ...]"
   echo "options:"
+  echo "- --build: only build; don't copy or deploy"
   echo "- --copy: only build + copy files, nothing more"
   echo "- --switch  (default)"
   echo "- --test: switch to the new configuration, but do not make it bootable"
@@ -18,7 +19,7 @@ usage() {
   echo "- --variant light|min|''|all  (default: '')"
   echo "- --wireguard always|never|opportunistic: deploy over wireguard"
   echo "- --ip <address>: deploy to the specific IP address"
-  echo "- --deriv /nix/store/...: prebuilt store path to deploy instead of (re-)building the default target"
+  echo "- --deriv /nix/store/...: prebuilt store path (or .drv to realize) to deploy instead of (re-)building the default target"
   echo ""
   echo "common idioms:"
   echo "- deploy all: deploy all hosts, sequentially"
@@ -48,14 +49,14 @@ storePath=
 addHost() {
   if [ "$1" = all ]; then
     # order matters:
-    hosts+=(moby lappy desko servo crappy)
+    hosts+=(moby lappy desko servo)
   else
     hosts+=("$1")
   fi
 }
 addVariant() {
   if [ "$1" = all ]; then
-    variants+=("-min" "-light" "" "-min-next" "-light-next" "-next")
+    variants+=("-min" "-light" "" "-next-min" "-next-light" "-next")
   elif [ -n "$1" ]; then
     variants+=("-$1")
   else
@@ -68,7 +69,7 @@ parseArgs() {
     local arg=$1
     shift
     case "$arg" in
-      (--copy|--switch|--test)
+      (--build|--copy|--switch|--test)
         action=${arg/--/}
         ;;
       (--deriv)
@@ -165,7 +166,7 @@ timeoutFor() {
     (-min|-light|-next)
       echo 3600
       ;;
-    (-min-next|-light-next)
+    (-next-min|-next-light)
       echo 1800
       ;;
     (*)
@@ -196,14 +197,19 @@ deployOneHost() {
 
   local timeout=$(timeoutFor "$variant")
 
+  # storePath is allowed to be either a realized derivation,
+  # or the path to a .drv file itself
   local myStorePath="$storePath"
   if [ -z "$myStorePath" ]; then
     # `nix-build -A foo` evals and then realizes foo, but it never unloads the memory used to eval foo.
     # my exprs are heavyweight, we need that memory for building, so do the evals separately from the realizations:
     info "evaluating $host$variant..."
-    local drvPath=$(nix eval --raw -f . "hosts.$host$variant.toplevel.drvPath")
+    myStorePath=$(nix eval --raw -f . "hosts.$host$variant.toplevel.drvPath")
+  fi
+
+  if [[ "$myStorePath" == *.drv ]]; then
     info "building $host$variant ($drvPath)"
-    myStorePath=$(destructive nix-store --realize "$drvPath" "${nixArgs[@]}")
+    myStorePath=$(destructive nix-store --realize "$myStorePath" "${nixArgs[@]}")
     if [ -z "$myStorePath" ]; then
       return 1
     fi
@@ -221,30 +227,36 @@ deployOneHost() {
 
   local netHost=$(resolveHost "$host")
 
-  if [ -n "$host" ] && [ "$host" != "$SELF" ]; then
-    if [ -e /run/secrets/nix_signing_key ]; then
-      info "signing store paths ..."
-      destructive sudo nix store sign -r -k /run/secrets/nix_signing_key "$myStorePath"
-    else
-      info "not signing store paths: /run/secrets/nix_signing_key does not exist"
-    fi
-    # add more `-v` for more verbosity (up to 5).
-    # builders-use-substitutes false: optimizes so that the remote machine doesn't try to get paths from its substituters.
-    #   we already have all paths here, and the remote substitution is slow to check and SERIOUSLY flaky on moby in particular.
-    ECHO_CMD=1 destructive timeout "$timeout" nix copy -vv --option builders-use-substitutes false --to "ssh-ng://$netHost" "$myStorePath" || return 1
-  fi
+  case "$action" in
+    (copy|switch|test)
+      if [ -n "$host" ] && [ "$host" != "$SELF" ]; then
+        if [ -e /run/secrets/nix_signing_key ]; then
+          info "signing store paths ..."
+          destructive sudo nix store sign -r -k /run/secrets/nix_signing_key "$myStorePath"
+        else
+          info "not signing store paths: /run/secrets/nix_signing_key does not exist"
+        fi
+        # add more `-v` for more verbosity (up to 5).
+        # builders-use-substitutes false: optimizes so that the remote machine doesn't try to get paths from its substituters.
+        #   we already have all paths here, and the remote substitution is slow to check and SERIOUSLY flaky on moby in particular.
+        ECHO_CMD=1 destructive timeout "$timeout" nix copy -vv --option builders-use-substitutes false --to "ssh-ng://$netHost" "$myStorePath" || return 1
+      fi
+      ;;
+  esac
 
-  if [ -n "$action" ] && [ "$action" != "copy" ]; then
-    info "activating profile... "
-    destructive runOnTarget "$netHost" sudo nix-env -p /nix/var/nix/profiles/system --set "$myStorePath" || return 1
-    destructive runOnTarget "$netHost" sudo "$myStorePath/bin/switch-to-configuration" "$action"
-    local rc=$?
-    if [[ -n "$doReboot" && ("$rc" -eq 0 || -n "$doRebootForce") ]]; then
-      info "rebooting $host"
-      destructive runOnTarget "$netHost" sane-reboot "$host" || return 1
-    fi
-    return $rc
-  fi
+  case "$action" in
+    (switch|test)
+      info "activating profile... "
+      destructive runOnTarget "$netHost" sudo nix-env -p /nix/var/nix/profiles/system --set "$myStorePath" || return 1
+      destructive runOnTarget "$netHost" sudo "$myStorePath/bin/switch-to-configuration" "$action"
+      local rc=$?
+      if [[ -n "$doReboot" && ("$rc" -eq 0 || -n "$doRebootForce") ]]; then
+        info "rebooting $host"
+        destructive runOnTarget "$netHost" sane-reboot "$host" || return 1
+      fi
+      return $rc
+      ;;
+  esac
 }
 
 failedDeploys=()

scripts/update

@@ -1,7 +1,9 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p findutils -p nix-update
+#!nix-shell -i bash -p findutils -p git -p nix-update
 
-NIX_FILES_TOP=/home/colin/nixos
+# each update job has to do an entire nix eval, which can be memory intensive; be careful when tuning this
+PARALLELISM=8
+SELF_PATH=$PWD/$0
 
 usage() {
   echo "update: update rev/hash for one or more packages"
@@ -10,6 +12,7 @@ usage() {
   echo "options:"
   echo "- --dry-run"
   echo "- --verbose"
+  echo "- -j <n>  (default: $PARALLELISM)"
   echo ""
   echo "examples:"
   echo "- update nixpkgs: update only the nixpkgs input"
@@ -38,6 +41,14 @@ hasEffect() {
   fi
 }
 
+REPO_ROOT=
+repo_root() {
+  if [ -z "$REPO_ROOT" ]; then
+    REPO_ROOT=$(git -C "$(dirname SELF_PATH)" rev-parse --show-toplevel)
+  fi
+  echo "$REPO_ROOT"
+}
+
 # usage: getPkgs outVar prefix
 getPkgs() {
   local -n attrsArr="$1"
@@ -50,10 +61,10 @@ getPkgs() {
   # # but since i use Import From Derivation along paths which i also want to query,
   # # then i need to ensure those derivations are available for import.
   # debug "creating requisite .drv store paths"
-  # nix-instantiate -A nix "$NIX_FILES_TOP"
-  # nix-instantiate -A nixpkgs-bootstrap.master "$NIX_FILES_TOP"
+  # nix-instantiate -A nix "$(repo_root)"
+  # nix-instantiate -A nixpkgs-bootstrap.master "$(repo_root)"
   debug "querying packages to update as part of '$attrPrefix'"
-  local attrs=$(nix eval --raw -f "$NIX_FILES_TOP" 'updateTargets."'"$attrPrefix"'"' --apply 'builtins.concatStringsSep " "' "${nixFlags[@]}")
+  local attrs=$(nix eval --raw -f "$(repo_root)" 'updateTargets."'"$attrPrefix"'"' --apply 'builtins.concatStringsSep " "' "${nixFlags[@]}")
   debug "got: $attrs"
   attrsArr+=($attrs)
 }
@@ -61,29 +72,40 @@ getPkgs() {
 updateOnePkg() {
   local attrPath="$1"
 
-  local updateScript=$(nix eval --raw -f "$NIX_FILES_TOP" 'updateScripts."'"$attrPath"'"' "${nixFlags[@]}")
+  local updateScript=$(nix eval --raw -f "$(repo_root)" 'updateScripts."'"$attrPath"'"' "${nixFlags[@]}")
   if [ -z "$updateScript" ]; then
     warn "don't know how to update '$attrPath'"
     return
   fi
 
   # make sure everything needed to invoke the update script exists in-store
-  local context=$(nix eval --raw -f "$NIX_FILES_TOP" 'updateScripts."'"$attrPath"'"' --apply 's: builtins.concatStringsSep " " (builtins.attrNames (builtins.getContext s))' "${nixFlags[@]}")
+  local context=$(nix eval --raw -f "$(repo_root)" 'updateScripts."'"$attrPath"'"' --apply 's: builtins.concatStringsSep " " (builtins.attrNames (builtins.getContext s))' "${nixFlags[@]}")
   for c in $context; do
     debug "realizing updateScript requisite: $context"
     nix-store --realize "$c" "${nixFlags[@]}" || true
   done
 
+  local workingDir="$(repo_root)/.working/update/$attrPath"
+  rm -rf "$workingDir"
+  mkdir -p "$workingDir"
+
   info "updating: '$attrPath'"
+  info "working out of $workingDir"
   debug "$updateScript"
-  "$updateScript"
+
+  # update scripts often write artifacts (e.g. `git-commits.txt`) to the working directory,
+  # so change to a unique directory before running the update script to avoid interfering with any other
+  # update scripts that might be running simultaneously.
+  pushd "$workingDir"
+    "$updateScript" > >(tee update.log)  2> >(tee update.stderr >&2)
+  popd
 }
 
 updatePkgsInParallel() {
   debug "updating packages in parallel using xargs"
   debug "- $@"
-  debug "- xargs -n 1 -P 4 $0 ${scriptFlags[*]}"
-  echo "$@" | xargs -n 1 -P 4 "$0" "${scriptFlags[@]}"
+  debug "- xargs -n 1 -P $PARALLELISM $0 ${scriptFlags[*]}"
+  echo "$@" | xargs -n 1 -P "$PARALLELISM" "$0" "${scriptFlags[@]}"
 }
 
 scriptFlags=()
@@ -107,6 +129,10 @@ parseArgs() {
         scriptFlags+=(--verbose)
         verbose=1
         ;;
+      (-j)
+        PARALLELISM=$1
+        shift
+        ;;
       (--*)
         nixFlags+=("$arg")
         ;;

templates/pkgs/make/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   src = fetchFromGitHub {
     owner = "TODO";
-    repo = pname;
+    repo = "TODO";
     rev = "v${version}";
     hash = "sha256-TODO";
   };

templates/pkgs/python/default.nix

@@ -19,6 +19,10 @@
   '';
 
   nativeBuildInputs = [
+    # python3.pkgs.eggUnpackHook
+    # python3.pkgs.eggBuildHook
+    # python3.pkgs.eggInstallHook
+
     # python3.pkgs.hatch-fancy-pypi-readme
     # python3.pkgs.hatch-vcs
     # python3.pkgs.hatchling
@@ -26,7 +30,8 @@
     # python3.pkgs.poetry-core
 
     # python3.pkgs.pypaBuildHook
-    # python3.pkgs.pypaInstallHook
+    # python3.pkgs.pypaInstallHook  # pretty much always want this (even if using setuptoolsBuildHook)
+    # python3.pkgs.setuptoolsBuildHook  # if project has `setup.py`
     python3.pkgs.wrapPython
   ];
 

templates/pkgs/rust/default.nix

@@ -1,6 +1,7 @@
-{ lib
-, rustPlatform
-, fetchFromGitHub
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -9,12 +10,13 @@ rustPlatform.buildRustPackage rec {
 
   src = fetchFromGitHub {
     owner = "ruslashev";
-    repo = pname;
+    repo = "elfcat";
     rev = version;
     hash = "sha256-NzFKNCCPWBj/fhaEJF34nyeyvLMeQwIcQgTlYc6mgYo=";
   };
 
   cargoHash = "sha256-Dc+SuLwbLFcNSr9RiNSc7dgisBOvOUEIDR8dFAkC/O0=";
+  useFetchCargoVendor = true;
 
   meta = with lib; {
     description = "TODO: FILLME";