From 664eb70e8ca1ea6965f533787528e0f9a1d6d793 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 2 May 2026 10:03:39 -0300
Subject: [PATCH] .

---
configuration.nix | 21 ++-
flake.lock | 111 +++++---------
flake.nix | 18 +-
home/agents.nix | 200 +++++++++++++++++++++++++++
home/nvim/default.nix | 67 ++++++--
home/nvim/plugins.lua | 19 ++-
home/nvim/settings.lua | 3 -
home/root.nix | 12 +-
home/user.nix | 307 ++++++----------------------------------
kernel/default.nix | 63 ++++++++-
networking.nix | 2 +
packages.nix | 39 +++---
users.nix | 49 +++++--
vms/default.nix | 282 ++++++++++++++++++++++++++-----------
14 files changed, 698 insertions(+), 495 deletions(-)
create mode 100644 home/agents.nix

diff --git a/configuration.nix b/configuration.nix
index 4848963..bb41e1b 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -76,6 +76,18 @@
 # };
 # };
 tailscale.enable = true;
+ openssh = {
+ enable = true;
+ ports = [ 22 ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ AllowUsers = [
+ "user"
+ ];
+ };
+ };
 };
 hardware = {
@@ -139,5 +151,12 @@
 };
 };
 };
- services.openssh.enable = true;
+
+ systemd.tmpfiles.rules = [
+ "d /home/public 2775 root public - -"
+ "d /home/public/pictures 2775 root public - -"
+
+ "a+ /home/public - - - - d:g:public:rwX,d:m::rwX"
+ "a+ /home/public/pictures - - - - d:g:public:rwX,d:m::rwX"
+ ];
 }
diff --git a/flake.lock b/flake.lock
index 2b40de6..5f3eff3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,11 @@
 ]
 },
 "locked": {
- "lastModified": 1769996383,
- "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+ "lastModified": 1772408722,
+ "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+ "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
 "type": "github"
 },
 "original": {
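Review bot: The `d /home/public 2775 root public - -` rule (and the `pictures` one below it) makes the shared tree world-readable and traversable, so every local account, not only members of `public`, can list and read whatever `user` and `agent` drop there; if the tree is meant only as the user/agent exchange, `2770` keeps it to the group while the setgid bit and the `d:g:public:rwX` default ACL still do their work. The `a+` entries only install default ACLs, so anything that already exists under those paths keeps its current mode until it is re-created. A one-line comment above the rules saying which accounts are expected to share the tree would make the intent reviewable later.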
@@ -130,17 +130,16 @@ ] }, "locked": { - "lastModified": 1770260404, - "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=", + "lastModified": 1774738535, + "narHash": "sha256-2jfBEZUC67IlnxO5KItFCAd7Oc+1TvyV/jQlR+2ykGQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b", + "rev": "769e07ef8f4cf7b1ec3b96ef015abec9bc6b1e2a", "type": "github" }, "original": { "owner": "nix-community", "repo": "home-manager", - "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b", "type": "github" } }, @@ -184,27 +183,6 @@ "type": "github" } }, - "microvm": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "spectrum": "spectrum" - }, - "locked": { - "lastModified": 1770310890, - "narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=", - "owner": "microvm-nix", - "repo": "microvm.nix", - "rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5", - "type": "github" - }, - "original": { - "owner": "microvm-nix", - "repo": "microvm.nix", - "type": "github" - } - }, "neovim-nightly-overlay": { "inputs": { "flake-parts": "flake-parts", @@ -212,11 +190,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1771632300, - "narHash": "sha256-uP5SbbbN86+LZ8VubL01UKD6bez5DK9prqIqQOMy3Jw=", + "lastModified": 1774742707, + "narHash": "sha256-a3FjZJxDOn0t18VwtIAgpNuUNaIEl6T+Awu5tXifQQw=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "0f601090d4d54b3da0d03e270cb6a5c68bf84dd3", + "rev": "7966a9c203276bea3b7e8dd2e125fd2b4c8b6753", "type": "github" }, "original": { @@ -228,11 +206,11 @@ "neovim-src": { "flake": false, "locked": { - "lastModified": 1771630915, - "narHash": "sha256-7RPG+RG/e0O79HjNT/ztC7K7j/xXazltq3TPk1mauqY=", + "lastModified": 1774725909, + "narHash": "sha256-aOiiQCmjCrvo+jAUDO2oMa377FvOtU97aqvTm74ZRGU=", "owner": "neovim", "repo": "neovim", - "rev": "d79a9dcd422133bc1e4b4ef94444962560d7a6d7", + "rev": "d5516daf121aa718e79bcd423ee24c24492893c0", "type": "github" }, "original": { 
@@ -249,11 +227,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1769284707, - "narHash": "sha256-X60XGpLjNTgYyaC/gChHGpqQqLWGI+0n5BbWaybXKiE=", + "lastModified": 1771283045, + "narHash": "sha256-AgD3KAkrQ4cs34kKZE8v/+FyFTc1Vq2sOJaPrWiCRio=", "owner": "argosnothing", "repo": "niri", - "rev": "6dcaa349acf3b04ed1593022388b4f1cbef8893b", + "rev": "eab116015a5a4d8f027c915dbd7b0a90e1e9a5e1", "type": "github" }, "original": { @@ -272,11 +250,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1765743947, - "narHash": "sha256-kx8XFbzG59eLNImygoN9jRjgaxR7kvmjg64equccmK0=", + "lastModified": 1774389340, + "narHash": "sha256-zPxNCLGMQ5gbziogsTl3COikFFco6Em6NDeHOy4fmUg=", "owner": "argosnothing", "repo": "niri-scratchpad-rs", - "rev": "163420c14c9199d311627501eedee2a3b2507db2", + "rev": "7288342f08036bfc9abd58ab6a4bc692679dfcd3", "type": "github" }, "original": { @@ -320,11 +298,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1771207753, - "narHash": "sha256-b9uG8yN50DRQ6A7JdZBfzq718ryYrlmGgqkRm9OOwCE=", + "lastModified": 1774610258, + "narHash": "sha256-HaThtroVD9wRdx7KQk0B75JmFcXlMUoEdDFNOMOlsOs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d1c15b7d5806069da59e819999d70e1cec0760bf", + "rev": "832efc09b4caf6b4569fbf9dc01bec3082a00611", "type": "github" }, "original": { @@ -352,11 +330,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1771342064, - "narHash": "sha256-Aros+b3kQpzJAyxjDyhLUmnEfzQfyor2tiIoUTSgki0=", + "lastModified": 1774786714, + "narHash": "sha256-Hwf8ylZAX3wIk8oRec1AH/0JDp1OTrruuE0w7uUhCAI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3f03a5f1bede585f58c878c22cb12988bb0d1ed2", + "rev": "566e0e6a542cde5fd168783a4b4ed376b6d0435a", "type": "github" }, "original": { 
@@ -367,11 +345,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1770562336, - "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", + "lastModified": 1774386573, + "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", + "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", "type": "github" }, "original": { @@ -387,11 +365,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1770758031, - "narHash": "sha256-YEq6M9OOEOl7l2zr/YjOi2UnuQZZ02HvXebpWGpkEHM=", + "lastModified": 1774786962, + "narHash": "sha256-d1q1KXQ/IvF0rWtc6LL5lle/Bfsx2PBCCottS5yYCgc=", "owner": "nix-community", "repo": "NUR", - "rev": "6701aa01b90606ab75078c1910bb991b8e7a389b", + "rev": "7ed0fb4ccb47ccac7652056e42f42bb70c56ac48", "type": "github" }, "original": { @@ -428,7 +406,6 @@ "dms": "dms", "home-manager": "home-manager", "impermanence": "impermanence", - "microvm": "microvm", "neovim-nightly-overlay": "neovim-nightly-overlay", "niri-branch": "niri-branch", "niri-scratchpad": "niri-scratchpad", @@ -463,11 +440,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1763952169, - "narHash": "sha256-+PeDBD8P+NKauH+w7eO/QWCIp8Cx4mCfWnh9sJmy9CM=", + "lastModified": 1772075164, + "narHash": "sha256-93XcvAt+6p7aAq1ERlxD2T17zLGoYGo64KJYasGcpgc=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "ab726555a9a72e6dc80649809147823a813fa95b", + "rev": "07601339b15fa6810541c0e7dc2f3664d92a7ad0", "type": "github" }, "original": { @@ -483,11 +460,11 @@ ] }, "locked": { - "lastModified": 1770683991, - "narHash": "sha256-xVfPvXDf9QN3Eh9dV+Lw6IkWG42KSuQ1u2260HKvpnc=", + "lastModified": 1774760784, + "narHash": "sha256-D+tgywBHldTc0klWCIC49+6Zlp57Y4GGwxP1CqfxZrY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8b89f44c2cc4581e402111d928869fe7ba9f7033", + "rev": "8adb84861fe70e131d44e1e33c426a51e2e0bfa5", "type": "github" }, "original": { 
@@ -496,22 +473,6 @@ "type": "github" } }, - "spectrum": { - "flake": false, - "locked": { - "lastModified": 1759482047, - "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", - "ref": "refs/heads/main", - "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", - "revCount": 996, - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - }, - "original": { - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - } - }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index d6a7c79..59604b0 100644 --- a/flake.nix +++ b/flake.nix @@ -7,10 +7,10 @@ url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - microvm = { - url = "github:microvm-nix/microvm.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # microvm = { + # url = "github:microvm-nix/microvm.nix/da28962a2ba84718895b7325f600686c3b4ee099"; + # inputs.nixpkgs.follows = "nixpkgs"; + # }; disko = { url = "github:nix-community/disko/latest"; inputs.nixpkgs.follows = "nixpkgs"; @@ -18,7 +18,7 @@ impermanence.url = "github:nix-community/impermanence"; neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; home-manager = { - url = "github:nix-community/home-manager/0d782ee42c86b196acff08acfbf41bb7d13eed5b"; + url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; nur.url = "github:nix-community/NUR"; @@ -49,7 +49,7 @@ config.allowUnfree = true; # overlays = [ inputs.neovim-nightly-overlay.overlays.default ]; }; - microvm = inputs.microvm.nixosModules.host; + # microvm = inputs.microvm.nixosModules.host; in { nixosConfigurations."${hostname}" = nixpkgs.lib.nixosSystem { @@ -59,7 +59,7 @@ nixpkgs impermanence home-manager - microvm + # microvm sops-nix ; hostname = hostname; 
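Review bot: Dropping the revision from `url = "github:nix-community/home-manager";` removes the pin from the flake input itself, so the lock file is now the only thing holding home-manager at a known commit and the next `nix flake update` will move it silently. If the pin was deliberate, keep it in the URL (`github:nix-community/home-manager/<rev>`) or track the `release-25.11` branch that matches the `home.stateVersion = "25.11"` used in the home modules, so updates stay within one release. The commented-out `microvm` input a few lines up keeps a full commit hash in the comment, which is useful; the same habit would help here.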
@@ -74,8 +74,8 @@ ./kernel ./home inputs.sops-nix.nixosModules.sops - inputs.microvm.nixosModules.host - (import ./vms) + # inputs.microvm.nixosModules.host + # (import ./vms) inputs.disko.nixosModules.disko inputs.impermanence.nixosModules.impermanence inputs.home-manager.nixosModules.home-manager diff --git a/home/agents.nix b/home/agents.nix new file mode 100644 index 0000000..dba7e99 --- /dev/null +++ b/home/agents.nix 
@@ -0,0 +1,200 @@ +{ pkgs, lib, ... }: +let + home-manager-config = + { + uid, + username, + }: + let + HOME = "/home/${username}"; + in + { + ${username} = + { config, ... }: + { + imports = [ + ./nvim + ./tmux.nix + ]; + + home.username = username; + home.homeDirectory = "${HOME}"; + home.stateVersion = "25.11"; + home.enableNixpkgsReleaseCheck = false; + home.sessionVariables = { + DISPLAY = ":1"; + }; + + programs = { + chromium.enable = true; + claude-code.enable = true; + opencode.enable = true; + ssh = { + enable = true; + enableDefaultConfig = false; + matchBlocks = { + "*" = { + serverAliveInterval = 60; + serverAliveCountMax = 3; + }; + "github.com" = { + identityFile = "${HOME}/.ssh/id_ed25519"; + }; + }; + }; + delta = { + enable = true; + options = { + navigate = true; + line-numbers = true; + side-by-side = true; + }; + enableGitIntegration = true; + }; + git = { + enable = true; + lfs.enable = true; + signing = { + key = "${HOME}/.ssh/id_ed25519.pub"; + signByDefault = true; + }; + includes = [ + { + condition = "gitdir:~/dealwise/"; + contents = { + user = { + name = "felipematos"; + email = "5471818+fnzr@users.noreply.github.com"; + signingkey = "${HOME}/.ssh/id_ed25519.pub"; + }; + }; + } + { + contents = { + user = { + name = "${username}"; + email = "${username}@sandbox.dev"; + signingkey = "${HOME}/.ssh/id_ed25519.pub"; + }; + }; + } + ]; + settings = { + user = { + email = "${username}@sandbox.dev"; + name = "${username}"; + signingkey = "${HOME}/.ssh/id_ed25519.pub"; + }; + gpg.format = "ssh"; + commit.gpgsign = true; + tag.gpgsign = true; + core = { + editor = "nvim"; + whitespace = "fix,only-indent-error,trailing-space,space-before-tab"; + quotepath = false; + }; + diff = { + algorithm = "histogram"; + renames = "copies"; + tool = "nvim"; + }; + difftool = { + prompt = false; + nvim.cmd = "nvim -d $LOCAL $REMOTE"; + }; + merge = { + conflictstyle = "zdiff3"; + tool = "nvim"; + }; + mergetool = { + prompt = false; + keepBackup = false; + 
nvim.cmd = "nvim -d $LOCAL $REMOTE $MERGED -c 'wincmd w' -c 'wincmd J'"; + }; + init = { + defaultBranch = "master"; + }; + push = { + autoSetupRemote = true; + default = "current"; + }; + pull = { + rebase = true; + }; + fetch = { + prune = true; + }; + help = { + autocorrect = "prompt"; + }; + }; + }; + fish = { + enable = true; + plugins = [ + { + name = "puffer"; + src = pkgs.fetchFromGitHub { + owner = "nickeb96"; + repo = "puffer-fish"; + rev = "83174b0"; + sha256 = "sha256-Dhx5+XRxJvlhdnFyimNxFyFiASrGU4ZwyefsDwtKnSg="; + }; + } + ]; + + interactiveShellInit = '' + set fish_greeting + bind ctrl-space "" + ''; + }; + starship.enable = true; + }; + custom.tmux.enable = true; + custom.neovim = { + enable = true; + colorscheme = "rose-pine-moon"; + hostname = "amelia"; + }; + xdg.configFile."containers/containers.conf".text = '' + [engine] + compose_warning_logs=false + events_logger="file" + + [containers] + log_driver="k8s-file" + ''; + xdg.configFile."opencode/opencode.json".text = builtins.toJSON { + "$schema" = "https://opencode.ai/config.json"; + plugin = [ "opencode-antigravity-auth@latest" ]; + # { + # "provider": "ollama", + # "ollama": { + # "base_url": "http://localhost:11434", + # "model": "llama3.2" + # } + # } + provider = { + ollama = { + model = "qwen3.6"; + base_url = "http://localhost:11434"; + }; + }; + }; + xdg.userDirs = { + enable = true; + extraConfig = { + XDG_CACHE_HOME = "$HOME/.cache"; + }; + }; + }; + }; +in +{ + home-manager.users = lib.mkMerge [ + (home-manager-config { + uid = 1002; + username = "agent"; + }) + ]; +} diff --git a/home/nvim/default.nix b/home/nvim/default.nix index d99962e..f2b23ac 100644 --- a/home/nvim/default.nix +++ b/home/nvim/default.nix @@ -86,6 +86,7 @@ in blade = { "blade-formatter" }, go = { "gofmt" }, wgsl = { "wgsl_fmt" }, + odin = { "odinfmt" }, }, }) vim.api.nvim_create_autocmd("BufWritePre", { 
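Review bot: `plugin = [ "opencode-antigravity-auth@latest" ]` in the generated `opencode/opencode.json` floats a third-party plugin at whatever `@latest` resolves to at run time, and that code executes in the `agent` account next to the `id_ed25519` key the ssh and git blocks of this module reference; pin it to an exact version so what runs there changes only when this file does. The `uid` argument of `home-manager-config` is accepted but never used (the uid is assigned in users.nix), and the inner module's `config` parameter is unused as well, so `{ username }:` and `{ ... }:` would state the real inputs. The `condition = "gitdir:~/dealwise/"` include carries a personal identity into the agent account; confirm that is intended rather than a leftover from user.nix.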
@@ -127,7 +128,14 @@ in }, adapters = { require('neotest-pest'), - } + require('neotest-zig'), + -- require('neotest-odin'), + }, + watch = { + filter_path = function(path, root) + return true + end, + }, }) vim.keymap.set('n', 'pn', function() require('neotest').run.run() end, { desc = "test nearest" }) vim.keymap.set('n', 'pe', function() require('neotest').run.run(vim.fn.expand('%')) end, { desc = "test file" }) @@ -138,6 +146,10 @@ in type = "lua"; } # { + # plugin = neotest-zig; + # type = "lua"; + # } + # { # plugin = nvim-autopairs; # type = "lua"; # config = '' @@ -149,19 +161,43 @@ in type = "lua"; config = '' local dap = require("dap") - dap.adapters.php = { - type = 'executable', - command = '${pkgs.nodejs}/bin/node', - args = { '${pkgs.vscode-extensions.xdebug.php-debug}/share/vscode/extensions/xdebug.php-debug/out/phpDebug.js' }, + dap.adapters = { + php = { + type = "executable", + command = "${pkgs.nodejs}/bin/node", + args = { "${pkgs.vscode-extensions.xdebug.php-debug}/share/vscode/extensions/xdebug.php-debug/out/phpDebug.js" }, + }, + + codelldb = { + type = "server", + port = "''${port}", + executable = { + command = '${pkgs.vscode-extensions.vadimcn.vscode-lldb}/share/vscode/extensions/vadimcn.vscode-lldb/adapter/codelldb', + args = { "--port", "''${port}" }, + }, + }, } - dap.configurations.php = { - { - type = 'php', - request = 'launch', - name = 'listen for xdebug', - port = 9003, - } + dap.configurations = { + php = { + { + type = 'php', + request = 'launch', + name = 'listen for xdebug', + port = 9003, + } + }, + zig = { + { + name = 'launch', + type = 'codelldb', + request = 'launch', + program = "''${workspaceFolder}/zig-out/bin/''${workspaceFolderBasename}", + cwd = "''${workspaceFolder}", + stopOnEntry = false, + args = {}, + } + }, } ''; } 
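Review bot: `require('neotest-zig')` is now loaded unconditionally, while the matching plugin entry in the next hunk (`# plugin = neotest-zig;`) is commented out, so unless the plugin is provided elsewhere this `require` fails at startup and takes the whole neotest setup with it. The new `watch.filter_path = function(path, root) return true end` accepts every path and ignores both arguments, which is the same as configuring no filter; either remove the `watch` block or add a comment saying which default it is meant to override. The `setup` call these sit in starts before the hunk.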
@@ -199,7 +235,7 @@ in 'fsharp', 'git_config', 'git_rebase', 'gitignore', 'glsl', 'go', 'gomod', 'graphql', 'haskell', 'hlsl', 'http', 'ini', 'javadoc', 'jq', 'jsdoc', 'json', 'json5', 'kitty', 'latex', 'markdown', 'nginx', 'nix', 'php', 'php_only', 'phpdoc', 'regex', 'rust', 'sql', - 'ssh_config', 'tmux', 'vim', 'wgsl', 'yaml', 'zig', 'ols', + 'ssh_config', 'tmux', 'vim', 'wgsl', 'yaml', 'zig', 'odin', }, callback = function() vim.treesitter.start() @@ -246,12 +282,11 @@ in config = '' vim.o.autoread = true -- Recommended/example keymaps. - vim.keymap.set({ "n", "x" }, "", function() require("opencode").ask("@this: ", { submit = true }) end, { desc = "Ask opencode…" }) + vim.keymap.set({ "n", "x" }, "h", function() require("opencode").ask("@this: ", { submit = true }) end, { desc = "Ask opencode…" }) vim.keymap.set({ "n", "x" }, "", function() require("opencode").select() end, { desc = "Execute opencode action…" }) vim.keymap.set({ "n", "t" }, "", function() require("opencode").toggle() end, { desc = "Toggle opencode" }) vim.keymap.set({ "n", "x" }, "go", function() return require("opencode").operator("@this ") end, { desc = "Add range to opencode", expr = true }) - vim.keymap.set("n", "goo", function() return require("opencode").operator("@this ") .. "_" end, { desc = "Add line to opencode", expr = true }) vim.keymap.set("n", "", function() require("opencode").command("session.half.page.up") end, { desc = "Scroll opencode up" }) vim.keymap.set("n", "", function() require("opencode").command("session.half.page.down") end, { desc = "Scroll opencode down" }) @@ -406,7 +441,7 @@ in extraConfig = '' colorscheme ${cfg.colorscheme} ''; - extraLuaConfig = '' + initLua = '' ${builtins.readFile ./settings.lua} ${builtins.replaceStrings [ "@HOSTNAME@" ] [ cfg.hostname ] (builtins.readFile ./plugins.lua)} require("custom") diff --git a/home/nvim/plugins.lua b/home/nvim/plugins.lua index e94ea77..a0ea9f2 100644 --- a/home/nvim/plugins.lua +++ b/home/nvim/plugins.lua 
@@ -42,6 +42,7 @@ local servers = { zls = { enable_build_on_save = true, semantic_tokens = "partial", + global_cache_path = vim.fn.getcwd(0, 0) .. "/.cache/zls", }, }, }, @@ -52,7 +53,11 @@ local servers = { html = { filetypes = { "html", "blade" } }, htmx = { filetypes = { "html", "blade" } }, gopls = {}, - ols = {}, + ols = { + enable_semantic_tokens = true, + enable_auto_import = true, + checker_args = "-vet", + }, wgsl_analyzer = {}, } for server, config in pairs(servers) do @@ -77,12 +82,12 @@ local leap = require("leap") leap.opts.preview = function(ch0, ch1, ch2) return not (ch1:match("%s") or (ch0:match("%a") and ch1:match("%a") and ch2:match("%a"))) end -leap.opts.equivalence_classes = { - " \t\r\n", - "([{", - ")]}", - "'\"`", -} +-- leap.opts.equivalence_classes = { +-- " \t\r\n", +-- "([{", +-- ")]}", +-- "'\"`", +-- } vim.api.nvim_set_hl(0, "LeapBackdrop", { link = "Comment" }) do diff --git a/home/nvim/settings.lua b/home/nvim/settings.lua index 83d9a76..7cdbfb3 100644 --- a/home/nvim/settings.lua +++ b/home/nvim/settings.lua @@ -107,9 +107,6 @@ vim.keymap.set({ "n", "t" }, "", function() end, { desc = "Go to previous tab" }) vim.keymap.set({ "n", "t" }, "", "p", { desc = "Go to previous pane" }) -vim.keymap.set("n", "v", "vsplit", { desc = "split (vertical line)" }) -vim.keymap.set("n", "h", "split", { desc = "split (horizontal line)" }) - vim.keymap.set("n", "", "w", { desc = "save buffer" }) vim.diagnostic.config({ diff --git a/home/root.nix b/home/root.nix index eaa3dee..f601343 100644 --- a/home/root.nix +++ b/home/root.nix @@ -2,6 +2,9 @@ { home-manager.users.root = { config, ... }: + let + HOME = "/root"; + in { imports = [ ./nvim ]; home.username = "root"; 
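Review bot: `global_cache_path = vim.fn.getcwd(0, 0) .. "/.cache/zls"` is evaluated once when plugins.lua loads, so the cache lands wherever Neovim happened to be started (the repository root only if it was launched there, `$HOME/.cache/zls` if launched from home) and every project opened that way gets a `.cache/` directory written into it. If a per-user location is acceptable, `vim.fn.stdpath("cache") .. "/zls"` gives a stable path; if it must be per-project, derive it from the LSP root rather than the startup cwd. The `servers` table this entry belongs to starts before the hunk.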
@@ -12,13 +15,6 @@ home.file."/.ssh/desktop.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILquARrJ3Vyh5z6aeVoiYrkLpgiMts+V/JzFEvs3Cnth root@icefox.sh"; - xdg.userDirs = { - enable = false; - extraConfig = { - XDG_CACHE_HOME = "${config.home.homeDirectory}/.cache"; - }; - }; - programs = { ssh = { enable = true; @@ -48,7 +44,7 @@ name = "root"; }; gpg.format = "ssh"; - user.signingkey = "${config.home.homeDirectory}/.ssh/desktop.pub"; + user.signingkey = "${HOME}/.ssh/desktop.pub"; commit.gpgsign = true; tag.gpgsign = true; core = { diff --git a/home/user.nix b/home/user.nix index 74eb5bf..6b454a5 100644 --- a/home/user.nix +++ b/home/user.nix @@ -7,13 +7,13 @@ lib, ... }: + let + HOME = "/home/user"; + in { home.username = "user"; - home.homeDirectory = "/home/user"; + home.homeDirectory = HOME; home.stateVersion = "25.11"; - home.sessionVariables = { - HOME = "/home/user"; - }; imports = [ ./nvim @@ -21,15 +21,15 @@ ]; sops.defaultSopsFile = ../secrets/home.yaml; - sops.age.keyFile = "/.persist/${config.home.homeDirectory}/.config/sops/age/keys.txt"; + sops.age.keyFile = "/.persist/${HOME}/.config/sops/age/keys.txt"; sops.secrets."user/ssh/desktop" = { - path = "${config.home.homeDirectory}/.ssh/desktop"; + path = "${HOME}/.ssh/desktop"; mode = "0600"; }; home.file."/.ssh/desktop.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILABd/iSJ4gn/ystDqNxLJTG0n0z5VIC9YXlmdUfOhHf desktop@icefox.sh"; sops.secrets."user/ssh/legacy_ed25519" = { - path = "${config.home.homeDirectory}/.ssh/legacy_ed25519"; + path = "${HOME}/.ssh/legacy_ed25519"; mode = "0600"; }; home.file."/.ssh/legacy_ed25519.pub".text = 
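Review bot: `sops.age.keyFile = "/.persist/${HOME}/.config/sops/age/keys.txt"` expands to `/.persist//home/user/...` because `HOME` already begins with a slash (the previous `config.home.homeDirectory` form had the same double slash); `"/.persist${HOME}/.config/sops/age/keys.txt"` is presumably the intended path. The new `HOME` binding also restates what `home.homeDirectory` already says, so the two can drift apart; deriving one from the other, or a comment explaining why the literal is preferred over `config.home.homeDirectory`, would prevent that.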
@@ -51,18 +51,21 @@
 # "Xft.rgba" = "rgb";
 # };
- # systemd.user.services.xrdb-configure = {
- # Unit = {
- # Description = "Load Xresources";
- # };
- # Intall = {
- # WantedBy = [ "graphical-session.target" ];
- # };
- # Service = {
- # ExecStart = "${pkgs.xrdb}/bin/xrdb -merge ${config.home.homeDirectory}/.Xresources";
- # Type = "oneshot";
- # };
- # };
+ systemd.user.services.waypipe-socket = {
+ Unit = {
+ Description = "start waypipe client";
+ };
+ Install = {
+ WantedBy = [ "graphical-session.target" ];
+ };
+ Service = {
+ ExecStart = "${pkgs.waypipe}/bin/waypipe --socket /tmp/waypipe.sock client";
+ ExecStartPost = "${pkgs.acl}/bin/setfacl -m u:agent:rw /tmp/waypipe.sock";
+ RuntimeDirectory = "waypipe";
+ Type = "simple";
+ Restart = "on-failure";
+ };
+ };
 sops.secrets."user/gpg/legacy_fnzr" = { };
 home.activation.importGpgKey = config.lib.dag.entryAfter [ "writeBoundary" ] ''
 if [[ -f "${config.sops.secrets."user/gpg/legacy_fnzr".path}" ]]; then
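Review bot: The client started here listens on `/tmp/waypipe.sock`, but the `agent` launcher added later in this file (the `home.packages` hunk) starts the server with `--socket /run/waypipe.sock`, so unless something outside this diff links the two paths the two ends never meet. `Type = "simple"` also means `ExecStartPost` runs as soon as waypipe is forked, before it has necessarily bound the socket, so `setfacl -m u:agent:rw` can fail outright or leave a window in which the socket exists without the ACL; and `RuntimeDirectory = "waypipe"` is declared but the socket is not placed in it. Settling on one path that both accounts can reach (a user-service runtime directory under `$XDG_RUNTIME_DIR` is private to `user`, so it is not that path) and waiting for the socket to appear before applying the ACL would resolve all three.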
@@ -92,225 +95,6 @@ }; }; - # xdg.configFile."opencode/opencode.json".text = builtins.toJSON { - # "$schema" = "https://opencode.ai/config.json"; - # plugin = [ "opencode-antigravity-auth@latest" ]; - # provider = { - # google = { - # models = { - # antigravity-gemini-3-pro = { - # name = "Gemini 3 Pro (Antigravity)"; - # limit = { - # context = 1048576; - # output = 65535; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # low = { - # thinkingLevel = "low"; - # }; - # high = { - # thinkingLevel = "high"; - # }; - # }; - # }; - # antigravity-gemini-3-flash = { - # name = "Gemini 3 Flash (Antigravity)"; - # limit = { - # context = 1048576; - # output = 65536; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # minimal = { - # thinkingLevel = "minimal"; - # }; - # low = { - # thinkingLevel = "low"; - # }; - # medium = { - # thinkingLevel = "medium"; - # }; - # high = { - # thinkingLevel = "high"; - # }; - # }; - # }; - # antigravity-claude-sonnet-4-5 = { - # name = "Claude Sonnet 4.5 (Antigravity)"; - # limit = { - # context = 200000; - # output = 64000; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # antigravity-claude-sonnet-4-5-thinking = { - # name = "Claude Sonnet 4.5 Thinking (Antigravity)"; - # limit = { - # context = 200000; - # output = 64000; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # low = { - # thinkingConfig = { - # thinkingBudget = 8192; - # }; - # }; - # max = { - # thinkingConfig = { - # thinkingBudget = 32768; - # }; - # }; - # }; - # }; - # antigravity-claude-opus-4-5-thinking = { - # name = "Claude Opus 4.5 Thinking (Antigravity)"; - # limit = { - # context = 200000; - # output = 64000; - # }; - # modalities = { - # input = [ 
- # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # low = { - # thinkingConfig = { - # thinkingBudget = 8192; - # }; - # }; - # max = { - # thinkingConfig = { - # thinkingBudget = 32768; - # }; - # }; - # }; - # }; - # antigravity-claude-opus-4-6-thinking = { - # name = "Claude Opus 4.6 Thinking (Antigravity)"; - # limit = { - # context = 200000; - # output = 64000; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # low = { - # thinkingConfig = { - # thinkingBudget = 8192; - # }; - # }; - # max = { - # thinkingConfig = { - # thinkingBudget = 32768; - # }; - # }; - # }; - # }; - # "gemini-2.5-flash" = { - # name = "Gemini 2.5 Flash (Gemini CLI)"; - # limit = { - # context = 1048576; - # output = 65536; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # "gemini-2.5-pro" = { - # name = "Gemini 2.5 Pro (Gemini CLI)"; - # limit = { - # context = 1048576; - # output = 65536; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # gemini-3-flash-preview = { - # name = "Gemini 3 Flash Preview (Gemini CLI)"; - # limit = { - # context = 1048576; - # output = 65536; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # gemini-3-pro-preview = { - # name = "Gemini 3 Pro Preview (Gemini CLI)"; - # limit = { - # context = 1048576; - # output = 65535; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # }; - # }; - # }; - # }; - xdg.desktopEntries = { google-chrome = { name = "Google Chrome"; 
@@ -427,19 +211,20 @@
 xdg.userDirs = {
 enable = true;
 createDirectories = true;
+ setSessionVariables = true;
- download = "${config.home.homeDirectory}/downloads";
- documents = "${config.home.homeDirectory}/documents";
- desktop = "${config.home.homeDirectory}/desktop";
- pictures = "${config.home.homeDirectory}/pictures";
- music = "${config.home.homeDirectory}/music";
- videos = "${config.home.homeDirectory}/videos";
- templates = "${config.home.homeDirectory}";
- publicShare = "${config.home.homeDirectory}";
+ download = "${HOME}/downloads";
+ documents = "${HOME}/documents";
+ desktop = "${HOME}/desktop";
+ pictures = "${HOME}/pictures";
+ music = "${HOME}/music";
+ videos = "${HOME}/videos";
+ templates = "${HOME}";
+ publicShare = "${HOME}";
 extraConfig = {
- SCREENSHOTS = "${config.home.homeDirectory}/pictures/screenshots";
- XDG_CACHE_HOME = "${config.home.homeDirectory}/.cache";
+ SCREENSHOTS = "$HOME/pictures/screenshots";
+ XDG_CACHE_HOME = "$HOME/.cache";
 };
 };
@@ -475,7 +260,7 @@
 enable = true;
 lfs.enable = true;
 signing = {
- key = "${config.home.homeDirectory}/.ssh/desktop.pub";
+ key = "${HOME}/.ssh/desktop.pub";
 signByDefault = true;
 };
 includes = [
@@ -485,6 +270,7 @@
 user = {
 name = "felipematos";
 email = "5471818+fnzr@users.noreply.github.com";
+ signingkey = "${HOME}/.ssh/desktop.pub";
 };
 };
 }
@@ -493,7 +279,7 @@
 user = {
 email = "felipe@icefox.sh";
 name = "icefox";
- signingkey = "${config.home.homeDirectory}/.ssh/desktop.pub";
+ signingkey = "${HOME}/.ssh/desktop.pub";
 };
 gpg.format = "ssh";
 commit.gpgsign = true;
@@ -537,12 +323,20 @@
 help = {
 autocorrect = "prompt";
 };
+ safe = {
+ directory = [
+ "/home/agent/*"
+ ];
+ };
 };
 };
 };
 home.packages = with pkgs; [
 xrdb
+ (writeShellScriptBin "agent" ''
+ machinectl shell agent@ ${waypipe}/bin/waypipe --socket /run/waypipe.sock server fish
+ '')
 (writeShellApplication {
 name = "tmux-sessionizer";
 runtimeInputs = [
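Review bot: `safe.directory = [ "/home/agent/*" ]` tells git running as `user` to trust every repository under the agent's home, which is precisely the ownership check that exists so repo-local config and hooks written by another account do not execute with your privileges; with `user` also placed in the `agent` group by users.nix, anything the agent writes into `.git/config` or `.git/hooks` in such a tree can run the next time `user` invokes git there. If only a few repositories need to be shared, list them explicitly, or let `user` keep its own clone and exchange changes through `/home/public`. The `settings` attribute set this sits in starts before the hunk.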
@@ -551,20 +345,7 @@
 ];
 text = builtins.readFile ./bin/tmux-sessionizer;
 })
- (writeShellScriptBin "opencode" ''
- ssh -t user@192.168.77.2 "
- cd $(pwd) 2>/dev/null || cd \$(mktemp -d)
- opencode $*
- "
- '')
- (writeShellScriptBin "claude" ''
- ssh -t user@192.168.77.2 "
- cd $(pwd) 2>/dev/null || cd \$(mktemp -d)
- claude $*
- "
- '')
 ];
- custom.tmux.enable = true;
 custom.neovim = {
 enable = true;
diff --git a/kernel/default.nix b/kernel/default.nix
index c823c54..c8eed45 100644
--- a/kernel/default.nix
+++ b/kernel/default.nix
@@ -3,6 +3,22 @@
 pkgs,
 ...
 }:
+let
+ nsExec = pkgs.writeShellScriptBin "ns-raw" ''
+ ns="$1"
+ shift
+ exec ${pkgs.iproute2}/bin/ip netns exec "$ns" \
+ ${pkgs.util-linux}/bin/setpriv \
+ --reuid="$DOAS_USER" --regid="$DOAS_USER" \
+ --clear-groups \
+ --inh-caps=-all \
+ "$@"
+ '';
+ nsWrapper = pkgs.writeShellScriptBin "ns" ''
+
+ exec /run/wrappers/bin/doas ${nsExec}/bin/ns-raw "$@"
+ '';
+in
 {
 imports = [
 ./hardened.nix
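Review bot: `ns-raw` runs as root through the `noPass`/`keepEnv = true` rule added in the next hunk, so the caller's entire environment reaches a root bash and the root-run `ip` and `setpriv` before privileges are dropped; unless doas strips them, variables such as `BASH_ENV` or `LD_PRELOAD` are then honoured by root-owned processes. Setting `keepEnv = false;` on that rule (doas still provides `DOAS_USER`) and listing only the variables the namespaced program genuinely needs in `setEnv` closes that path. `--regid="$DOAS_USER"` additionally assumes a group named after the caller exists, which holds for `user` and `agent` in users.nix but not for `work`, whose group is commented out there, and `"$1"` goes to `ip netns exec` without a check that it is non-empty.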
@@ -38,18 +54,63 @@
 extraRules = [
 {
 users = [ "user" ];
+ runAs = "root";
 keepEnv = true;
 persist = true;
 }
 {
 users = [ "user" ];
- runAs = "agent";
+ runAs = "work";
 noPass = true;
 keepEnv = false;
 }
+ {
+ users = [ "user" ];
+ runAs = "agent";
+ noPass = true;
+ keepEnv = true;
+ }
+ {
+ users = [
+ "user"
+ "agent"
+ "work"
+ ];
+ runAs = "root";
+ noPass = true;
+ keepEnv = true;
+ cmd = "${nsExec}/bin/ns-raw";
+ }
 ];
 };
+ environment.systemPackages = [ nsWrapper ];
+
+ security.pam.services.su.requireWheel = true;
+ security.pam.services.newgrp.requireWheel = true;
+ security.pam.services.login.text = ''
+ # Account management.
+ account required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so # unix (order 10900)
+
+ # Authentication management.
+ auth optional /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so likeauth nullok # unix-early (order 11700)
+ auth optional /nix/store/r7z6w4c2nq9cwjf0m2mjabpa0xy4c7d3-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so # gnome_keyring (order 12200)
+ auth sufficient /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so likeauth nullok try_first_pass # unix (order 12900)
+ auth required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_deny.so # deny (order 13700)
+
+ # Password management.
+ password sufficient /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so nullok yescrypt # unix (order 10200)
+ password optional /nix/store/r7z6w4c2nq9cwjf0m2mjabpa0xy4c7d3-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so use_authtok # gnome_keyring (order 11100)
+
+ # Session management.
+ session required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
+ session required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_unix.so # unix (order 10200)
+ session required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_loginuid.so # loginuid (order 10300)
+ session optional /nix/store/wxyn8d3m8g4fnn6xazinjwhzhzdg6wib-systemd-259/lib/security/pam_systemd.so # systemd (order 12000)
+ session required /nix/store/2hp2kc85zapzjaj9y22jf9xgwqmlsk6m-linux-pam-1.7.1/lib/security/pam_limits.so conf=/nix/store/zxagblabdf6xawphfs1w50pg2b0ml9px-limits.conf # limits (order 12200)
+ session optional /nix/store/r7z6w4c2nq9cwjf0m2mjabpa0xy4c7d3-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so auto_start # gnome_keyring (order 12600)
+ '';
+
 boot = {
 loader = {
 systemd-boot.enable = true;
diff --git a/networking.nix b/networking.nix
index d0627e5..65c34eb 100644
--- a/networking.nix
+++ b/networking.nix
@@ -33,6 +33,8 @@
 # interfaces = [ inetInterface ];
 # };
 firewall.allowedTCPPorts = [
+ 5900
+ 8080
 9003
 10000
 10001
diff --git a/packages.nix b/packages.nix
index 531f167..3c863b3 100644
--- a/packages.nix
+++ b/packages.nix
@@ -2,6 +2,10 @@
 {
 environment.systemPackages = with pkgs; [
 bat
+ bc
+ (pkgs.writeShellScriptBin "bci" ''
+ echo "$@" | ${bc}/bin/bc -l
+ '')
 black
 blade-formatter
 cmake
@@ -15,6 +19,7 @@
 clang-tools
 clevis
 cliphist
+ chromium
 distrobox
 dos2unix
 dnsutils
@@ -23,6 +28,7 @@
 eza
 fd
 ffmpeg
+ file
 fira-code-symbols
 fish
 fractal
@@ -46,9 +52,10 @@
 poppler
 jetbrains.datagrip
 jq
+ kitty
 lazygit
 (pkgs.writeShellScriptBin "lf" ''
- cd_file="/tmp/lf-lastdir-$$"
+ cd_file="/tmp/lf-lastdir"
 ${pkgs.lf}/bin/lf "$@"
@@ -81,12 +88,13 @@
 php84Packages.composer
 php84Packages.php-cs-fixer
 phpactor
+ pistol
 podman-compose
 podman-tui
 prettierd
 playerctl
- qemu_full
 qmk
+ quickemu
 quickshell
 resvg
 ripgrep
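Review bot: `security.pam.services.login.text` hard-codes `/nix/store/...-linux-pam-1.7.1`, `...-gnome-keyring-48.0`, `...-systemd-259` and `...-limits.conf` paths as plain strings, so nothing keeps those store paths alive; after the next nixpkgs bump or garbage collection `/etc/pam.d/login` points at modules that no longer exist and PAM fails closed (even the `auth required ... pam_deny.so` line cannot load), locking console login. The pasted text also looks like the file NixOS generates by default, so the override appears to add nothing today; if a deviation is wanted, express it through `security.pam.services.login.rules` or interpolate `${pkgs.pam}/lib/security/pam_unix.so` and friends so the references are tracked, otherwise drop the block. Separately, `runAs = "work"` now names a user that this same commit comments out in users.nix; whether doas rejects the rule or ignores it needs checking.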
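Review bot: `5900` and `8080` are added to `firewall.allowedTCPPorts`, which opens them on every interface that is not in `trustedInterfaces`, including this host's uplink; 5900 is the conventional VNC display port, so whatever listens there (quickemu's display, going by packages.nix, though that is an inference) becomes reachable from the LAN without the authentication an SSH or Tailscale path would add. If these are only needed over Tailscale, scope them with `networking.firewall.interfaces.tailscale0.allowedTCPPorts` and leave the global list alone. A short comment naming the service behind each port would also help the next reader.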
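Review bot: `cd_file="/tmp/lf-lastdir"` replaces the per-process `-$$` name with one fixed path in world-writable `/tmp`, so two concurrent lf sessions now overwrite each other's last directory, and on a host with other local accounts (`agent` in users.nix) a stale or foreign file at that name decides where the wrapper `cd`s afterwards (that read happens past the hunk). `cd_file="''${XDG_RUNTIME_DIR:-/tmp}/lf-lastdir-$$"` keeps the file private and per-session; the `''${` escape is needed inside the Nix `''` string. The wrapper script continues beyond the hunk.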
@@ -104,7 +112,6 @@ tmux thunderbird tor-browser - ungoogled-chromium unzip virt-manager virt-viewer @@ -146,12 +153,7 @@ virtualisation.podman = { enable = true; dockerCompat = true; - # rootless = { - # enable = true; - # setSocketVariable = true; - # }; defaultNetwork.settings.dns_enabled = true; - # storageDriver = "btrfs"; }; virtualisation.spiceUSBRedirection.enable = true; @@ -163,7 +165,7 @@ onBoot = "ignore"; onShutdown = "shutdown"; qemu = { - package = pkgs.qemu_full; + package = pkgs.qemu; verbatimConfig = '' cgroup_device_acl = [ "/dev/null", "/dev/full", "/dev/zero", @@ -228,16 +230,15 @@ }; }; - # services.ollama = { - # enable = true; - # package = pkgs.ollama-cuda; - # home = "/data/ollama"; - # user = "ollama"; - # group = "user"; - # loadModels = [ - # "llama3" - # ]; - # }; + services.ollama = { + enable = true; + package = pkgs.ollama-cuda; + home = "/data/ollama"; + loadModels = [ + "qwen3.6" + "glm-5.1" + ]; + }; # services.open-webui = { # enable = true; # port = 11347; diff --git a/users.nix b/users.nix index 4780839..6a404d8 100644 --- a/users.nix +++ b/users.nix @@ -7,6 +7,7 @@ imports = [ ./home/user.nix ./home/root.nix + ./home/agents.nix ]; sops.secrets."user/password" = { neededForUsers = true; 
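Review bot: `services.ollama` is enabled without the `user`/`group` the previously commented block carried, so the service runs as the module's default account while `home = "/data/ollama"` points at a pre-existing location under `/data`; nothing in the patch creates that directory or sets its ownership, so it presumably has to match the service account or model loading will fail at start. `loadModels = [ "qwen3.6" "glm-5.1" ]` pulls by mutable tag at service start, so the model bytes are fetched from the registry unpinned on every fresh host and are not reproducible from this config. A short comment on the block stating who owns `/data/ollama` and that the model tags are intentionally unpinned would make both choices explicit.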
@@ -24,17 +25,41 @@ homeMode = "700"; hashedPasswordFile = config.sops.secrets."root/password".path; }; - microvm = { - uid = 999; - isSystemUser = true; - }; - # agent = { + # microvm = { + # uid = 999; + # isSystemUser = true; + # }; + # work = { # uid = 1001; # homeMode = "770"; + # home = "/home/work"; + # isNormalUser = true; + # shell = pkgs.fish; + # group = "work"; + # extraGroups = [ + # "public" + # ]; + # linger = true; + # }; + agent = { + uid = 1002; + homeMode = "770"; + home = "/home/agent"; + shell = pkgs.fish; + isNormalUser = true; + group = "agent"; + extraGroups = [ "public" ]; + linger = true; + }; + # sandbox = { + # uid = 1003; + # homeMode = "770"; + # home = "/home/sandbox"; # shell = pkgs.fish; # isNormalUser = true; - # group = "agents"; - # extraGroups = [ "user" ]; + # group = "sandbox"; + # extraGroups = [ "public" ]; + # linger = true; # }; user = { uid = 1000; @@ -47,14 +72,20 @@ "libvirt" "systemd-journal" "kvm" - "agents" + "public" + "agent" + "sandbox" + # "work" ]; hashedPasswordFile = config.sops.secrets."user/password".path; + linger = true; }; }; groups = { user.gid = 1000; - agents.gid = 777; + agent.gid = 1002; + public.gid = 777; + # sandbox.gid = 1003; }; }; } diff --git a/vms/default.nix b/vms/default.nix index 2b47a76..4f17465 100644 --- a/vms/default.nix +++ b/vms/default.nix @@ -43,7 +43,7 @@ }; microvm.vms = { - "dealwise" = { + "agent" = { pkgs = import nixpkgs { system = "x86_64-linux"; config.allowUnfreePredicate = 
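Review bot: `user` gains `"sandbox"` in `extraGroups`, but the matching `sandbox.gid = 1003` group (and the `sandbox` user) stays commented out in the same hunk, so the membership refers to a group that does not exist; as far as I can tell NixOS's user activation warns and skips an unknown group rather than failing, and the entry would silently become effective once someone uncomments the group. Either comment it out next to the existing `# "work"` line (`# "sandbox"`) or define the group in `groups`. Separately, `agent` has `homeMode = "770"` with `group = "agent"` and `user` is a member of `agent`, which gives the interactive account read/write over the agent home; that reads as intended, but a one-line comment on the `agent` entry saying so would keep a future reviewer from treating it as an oversight.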
@@ -55,27 +55,24 @@ config = let - hostname = "ai-sandbox"; - mac = "02:00:00:00:00:06"; + hostname = "agent"; + mac = "02:00:00:00:00:07"; in { config, + lib, pkgs, ... }: { imports = [ impermanence.nixosModules.impermanence - sops-nix.nixosModules.sops home-manager.nixosModules.home-manager ]; - sops = { - defaultSopsFile = ./secrets/secrets.yaml; - age.keyFile = "/.persist/root/.config/sops/age/keys.txt"; - secrets = { - "wg0/private_key" = { }; - }; - }; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; boot.kernel.sysctl."kernel.unprivileged_userns_clone" = 1; systemd.network = { enable = true; @@ -97,6 +94,17 @@ }; }; }; + systemd.user.services.wayland-proxy = { + enable = true; + description = "Wayland Proxy"; + serviceConfig = with pkgs; { + # Environment = "WAYLAND_DISPLAY=wayland-1"; + ExecStart = "${wayland-proxy-virtwl}/bin/wayland-proxy-virtwl --virtio-gpu --x-display=0 --xwayland-binary=${xwayland}/bin/Xwayland"; + Restart = "on-failure"; + RestartSec = 5; + }; + wantedBy = [ "default.target" ]; + }; services.resolved.enable = false; environment.etc."resolv.conf".text = '' @@ -107,23 +115,6 @@ useNetworkd = true; useDHCP = false; firewall.enable = false; - wireguard.interfaces.wg0 = { - ips = [ "10.2.0.2/32" ]; - listenPort = 45974; - privateKeyFile = config.sops.secrets."wg0/private_key".path; - metric = 10; - peers = [ - { - publicKey = "D8Sqlj3TYwwnTkycV08HAlxcXXS3Ura4oamz8rB5ImM="; - endpoint = "103.69.224.4:51820"; - allowedIPs = [ - "0.0.0.0/0" - "::/0" - ]; - persistentKeepalive = 25; - } - ]; - }; }; users.mutableUsers = false; @@ -140,6 +131,9 @@ password = ""; group = "user"; isNormalUser = true; + extraGroups = [ + "video" + ]; uid = 1000; shell = pkgs.fish; openssh.authorizedKeys.keys = [ 
@@ -148,10 +142,24 @@ }; users.groups.user.gid = 1000; + environment.sessionVariables = { + WAYLAND_DISPLAY = "/var/host/wayland-agent"; + DISPLAY = ":0"; + QT_QPA_PLATFORM = "wayland"; # Qt Applications + GDK_BACKEND = "wayland"; # GTK Applications + XDG_SESSION_TYPE = "wayland"; # Electron Applications + SDL_VIDEODRIVER = "wayland"; + CLUTTER_BACKEND = "wayland"; + }; + home-manager = { useGlobalPkgs = true; useUserPackages = true; users.user = { + imports = [ + ../home/nvim + ../home/tmux.nix + ]; home.username = "user"; home.homeDirectory = "/home/user"; home.stateVersion = "25.11"; @@ -164,6 +172,13 @@ [containers] log_driver="k8s-file" ''; + xdg.configFile."lazygit/config.yml".text = lib.generators.toYAML { } { + gui = { + theme = { + selectedLineBgColor = [ "reverse" ]; + }; + }; + }; xdg.configFile."opencode/opencode.json".text = builtins.toJSON { "$schema" = "https://opencode.ai/config.json"; plugin = [ "opencode-antigravity-auth@latest" ]; 
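Review bot: `WAYLAND_DISPLAY = "/var/host/wayland-agent"` in `environment.sessionVariables` points into `/var/host`, but the only thing in this patch that would populate `/var/host` is the `xdg-host` virtiofs share of `/run/user/1000`, which is left commented out in `microvm.shares` later in the file, while the new `wayland-proxy` user service is what actually provides a Wayland socket inside the guest. Unless the mount is created elsewhere, GUI programs in the guest will fail to connect; and if that share is later enabled as written it exposes the host user's entire runtime directory (every socket and credential file under `/run/user/1000`) to the guest rather than the one socket. Point the variable at the proxy's socket, or share only the single socket path, and add a comment next to the variable tying it to whichever mechanism is chosen.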
@@ -382,6 +397,106 @@ }; }; }; + + home.packages = with pkgs; [ + (writeShellApplication { + name = "tmux-sessionizer"; + runtimeInputs = [ + tmux + fzf + ]; + text = builtins.readFile ../home/bin/tmux-sessionizer; + }) + ]; + custom.tmux.enable = true; + custom.neovim = { + enable = true; + colorscheme = "rose-pine-moon"; + hostname = hostname; + }; + + programs.fish = { + enable = true; + plugins = [ + { + name = "puffer"; + src = pkgs.fetchFromGitHub { + owner = "nickeb96"; + repo = "puffer-fish"; + rev = "83174b0"; + sha256 = "sha256-Dhx5+XRxJvlhdnFyimNxFyFiASrGU4ZwyefsDwtKnSg="; + }; + } + ]; + + interactiveShellInit = '' + set fish_greeting + bind ctrl-space "" + ''; + }; + programs = { + delta = { + enable = true; + options = { + navigate = true; + line-numbers = true; + side-by-side = true; + }; + enableGitIntegration = true; + }; + git = { + enable = true; + lfs.enable = true; + settings = { + user = { + email = "user@sandbox.dev"; + name = "sandbox"; + }; + gpg.format = "ssh"; + commit.gpgsign = true; + tag.gpgsign = true; + core = { + editor = "nvim"; + whitespace = "fix,only-indent-error,trailing-space,space-before-tab"; + quotepath = false; + }; + diff = { + algorithm = "histogram"; + renames = "copies"; + tool = "nvim"; + }; + difftool = { + prompt = false; + nvim.cmd = "nvim -d $LOCAL $REMOTE"; + }; + merge = { + conflictstyle = "zdiff3"; + tool = "nvim"; + }; + mergetool = { + prompt = false; + keepBackup = false; + nvim.cmd = "nvim -d $LOCAL $REMOTE $MERGED -c 'wincmd w' -c 'wincmd J'"; + }; + init = { + defaultBranch = "master"; + }; + push = { + autoSetupRemote = true; + default = "current"; + }; + pull = { + rebase = true; + }; + fetch = { + prune = true; + }; + help = { + autocorrect = "prompt"; + }; + }; + }; + }; }; }; @@ -389,6 +504,7 @@ "/.persist".neededForBoot = true; }; environment.systemPackages = with pkgs; [ + xdg-utils coreutils jq git 
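Review bot: `commit.gpgsign = true` and `tag.gpgsign = true` are enabled with `gpg.format = "ssh"` but no `user.signingkey` appears in the hunk, so unless the key is configured outside it every `git commit` and `git tag` in the guest will abort with a signing error. Either add `user.signingkey = "<path to ssh public key or key.pub>";` beside the `gpg.format` line (and `gpg.ssh.allowedSignersFile` if verification is wanted) or drop the two `gpgsign` options until a key exists. The enclosing `home-manager.users.user` attrset begins before this hunk.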
@@ -399,14 +515,21 @@ fd podman-compose opencode - - php - php.packages.composer - pkgs.nodejs_24 - pkgs.dotnet-sdk_9 - pkgs.go_1_24 + lf + lazygit + ungoogled-chromium + bat + eza + ffmpeg + fira-code-symbols + gh + imagemagick + luarocks + wl-clipboard ]; + hardware.graphics.enable = true; + programs = { fish.enable = true; starship.enable = true; @@ -418,10 +541,6 @@ }; }; - systemd.tmpfiles.rules = [ - "d /var/log/laravel 0755 1000 1000" - ]; - environment.persistence."/.persist" = { enable = true; hideMounts = true; @@ -439,17 +558,6 @@ ".config/sops/age/keys.txt" ]; }; - users.user = { - files = [ - ".claude.json" - ".claude.json.backup" - ]; - directories = [ - ".claude" - ".local/share/containers" - ".local/share/opencode" - ]; - }; }; services = { @@ -486,11 +594,12 @@ }; microvm = { - hypervisor = "qemu"; + hypervisor = "crosvm"; + graphics.enable = true; - vcpu = 4; - mem = 8192; - socket = "control.sock"; + vcpu = 20; + mem = 16384; + # socket = "control.sock"; interfaces = [ { @@ -515,12 +624,6 @@ writableStoreOverlay = "/nix/.rw-store"; shares = [ - { - proto = "virtiofs"; - tag = "downloads"; - source = "/home/user/downloads"; - mountPoint = "/home/user/downloads"; - } { proto = "virtiofs"; tag = "pictures"; @@ -529,27 +632,9 @@ } { proto = "virtiofs"; - tag = "dealwise"; - source = "/home/user/work/dealwise"; - mountPoint = "/home/user/work/dealwise"; - } - { - proto = "virtiofs"; - tag = "php-data-transfer-object"; - source = "/home/user/dev/icefox/php/data-transfer-object"; - mountPoint = "/home/user/dev/icefox/php/data-transfer-object"; - } - { - proto = "virtiofs"; - tag = "uni"; - source = "/home/user/uni"; - mountPoint = "/home/user/uni"; - } - { - proto = "virtiofs"; - tag = "dev"; - source = "/home/user/dev"; - mountPoint = "/home/user/dev"; + tag = "home"; + source = "/data/vm/${hostname}"; + mountPoint = "/home/user"; } { proto = "virtiofs"; 
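Review bot: The new `home` share mounts host `/data/vm/${hostname}` over the guest's whole `/home/user` via virtiofs, and since virtiofs passes host ownership straight through, that directory presumably has to exist on the host owned by uid/gid 1000 before first boot; nothing in the patch creates it, and the `users.user` persistence entries it replaces are removed in the `@@ -439` hunk. A host-side rule such as `"d /data/vm/agent 0700 1000 1000 - -"` in `systemd.tmpfiles.rules` (constructed example), plus a comment on the share saying the guest home is a host directory, would make that explicit. `vcpu = 20`, `mem = 16384` and the commented-out `socket = "control.sock"` change without a note; if the control socket is no longer wanted, delete the line rather than leave it commented.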
@@ -557,12 +642,41 @@ source = "/nix/store"; mountPoint = "/nix/.ro-store"; } + # { + # proto = "virtiofs"; + # tag = "xdg-host"; + # source = "/run/user/1000"; + # mountPoint = "/var/host"; + # } + # { + # proto = "virtiofs"; + # tag = "gpu"; + # source = "/dev/dri"; + # mountPoint = "/dev/dri"; + # } ]; - - qemu.extraArgs = [ - "-cpu" - "host" + crosvm.extraArgs = [ + "--disable-sandbox" ]; + # qemu.extraArgs = [ + # "-cpu" + # "host" + # "-vnc" + # ":0" + # "-vga" + # "qxl" + # "-device" + # "virtio-keyboard" + # "-usb" + # "-device" + # "usb-table,bus=usb-bus.0" + # "-display" + # "spice-app" + # "-device" + # "virtio-gpu" + # "-spice" + # "port=5900,disable-ticketing=on" + # ]; }; system.stateVersion = "25.11"; };
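Review bot: `crosvm.extraArgs = [ "--disable-sandbox" ]` switches off crosvm's per-device minijail/seccomp sandboxing, so every device backend (virtio-gpu, virtiofs, net) runs with the full privileges of the host crosvm process; for a VM whose purpose is to contain the `agent` account that is the largest isolation regression in this patch and deserves at least a comment stating which device failed without it. If it was added to get `graphics.enable`/virtio-gpu working, run with `--seccomp-log-failures` first to identify the blocked call and adjust that device's policy, keeping `--disable-sandbox` only as a documented last resort. The commented-out shares of `/run/user/1000` and `/dev/dri` and the dead `qemu.extraArgs` block should either be removed or carry a one-line reason; the enclosing `microvm = {` attrset begins before the hunk.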