diff --git a/configuration.nix b/configuration.nix index 4848963..b11c576 100644 --- a/configuration.nix +++ b/configuration.nix @@ -51,7 +51,20 @@ alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; - # jack.enable = true; + jack.enable = true; + wireplumber.extraConfig = { + "monitor.bluez.properties" = { + "bluez5.enable-sbc-xq" = true; + "bluez5.enable-msbc" = true; + "bluez5.enable-hw-volume" = true; + "bluez5.roles" = [ + "hsp_hs" + "hsp_ag" + "hfp_hf" + "hfp_ag" + ]; + }; + }; }; logind.settings.Login = { HandlePowerKey = "ignore"; @@ -76,9 +89,22 @@ # }; # }; tailscale.enable = true; + openssh = { + enable = true; + ports = [ 22 ]; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = "no"; + AllowUsers = [ + "user" + ]; + }; + }; }; hardware = { + enableAllFirmware = true; graphics = { enable = true; enable32Bit = true; @@ -88,7 +114,8 @@ powerOnBoot = true; settings = { General = { - Enable = "Source,Sink,Media,Socket"; + Experimental = true; + # Enable = "Source,Sink,Media,Socket"; }; }; }; @@ -139,5 +166,12 @@ }; }; }; - services.openssh.enable = true; + + systemd.tmpfiles.rules = [ + "d /home/public 2775 root public - -" + "d /home/public/pictures 2775 root public - -" + + "a+ /home/public - - - - d:g:public:rwX,d:m::rwX" + "a+ /home/public/pictures - - - - d:g:public:rwX,d:m::rwX" + ]; } diff --git a/flake.lock b/flake.lock index 2b40de6..66ebce0 100644 --- a/flake.lock +++ b/flake.lock @@ -1,26 +1,5 @@ { "nodes": { - "dgop": { - "inputs": { - "nixpkgs": [ - "dms", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1765838956, - "narHash": "sha256-A3a2ZfvjirX8VIdIPI+nAyukWs6vx4vet3fU0mpr7lU=", - "owner": "AvengeMedia", - "repo": "dgop", - "rev": "0ff697a4e3418966caa714c838fc73f1ef6ba59b", - "type": "github" - }, - "original": { - "owner": "AvengeMedia", - "repo": "dgop", - "type": "github" - } - }, "disko": { "inputs": { "nixpkgs": [ 
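Review bot: The new `openssh` block in the second configuration.nix hunk hardens authentication but says nothing about exposure: NixOS opens the listed ports in the firewall by default (`services.openssh.openFirewall`), so sshd is reachable on every interface, not only over the `tailscale` link enabled on the line above it. If tailscale-only access is the intent, add `openFirewall = false;` and allow port 22 on that interface alone via `networking.firewall.interfaces.<iface>.allowedTCPPorts`, or restrict `listenAddresses`. `ports = [ 22 ];` restates the default and can be dropped. The enclosing `services` attrset starts outside the hunk.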
@@ -44,47 +23,41 @@ }, "dms": { "inputs": { - "dgop": "dgop", + "flake-compat": "flake-compat", "nixpkgs": "nixpkgs", "quickshell": "quickshell" }, "locked": { - "lastModified": 1766776522, - "narHash": "sha256-wS2fSepxdtOr4RErdEY91hkxOjsrs2nA2nm72eZMEEU=", + "lastModified": 1777675128, + "narHash": "sha256-2zuDs9Lju99dg8MsSPf1frKPPgCRakDn+CEGX71cHJ0=", "owner": "AvengeMedia", "repo": "DankMaterialShell", - "rev": "987856a1de35c62dc0930b007b561545d6a832a8", + "rev": "c1cbd0994f5a3585dded85069f2c9103c54f5285", "type": "github" }, "original": { "owner": "AvengeMedia", "repo": "DankMaterialShell", - "rev": "987856a1de35c62dc0930b007b561545d6a832a8", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", + "repo": "flake-compat", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "flake-compat", "type": "github" } }, "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "neovim-nightly-overlay", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1769996383, - "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nur", 
@@ -130,17 +103,16 @@ ] }, "locked": { - "lastModified": 1770260404, - "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=", + "lastModified": 1777679572, + "narHash": "sha256-egYNbRrkn+6SwTHinhdb6WUfzzdC3nXfCRqS321VylY=", "owner": "nix-community", "repo": "home-manager", - "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b", + "rev": "9cb587ade2aa1b4a7257f0238d41072690b0ca4f", "type": "github" }, "original": { "owner": "nix-community", "repo": "home-manager", - "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b", "type": "github" } }, @@ -184,63 +156,6 @@ "type": "github" } }, - "microvm": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "spectrum": "spectrum" - }, - "locked": { - "lastModified": 1770310890, - "narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=", - "owner": "microvm-nix", - "repo": "microvm.nix", - "rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5", - "type": "github" - }, - "original": { - "owner": "microvm-nix", - "repo": "microvm.nix", - "type": "github" - } - }, - "neovim-nightly-overlay": { - "inputs": { - "flake-parts": "flake-parts", - "neovim-src": "neovim-src", - "nixpkgs": "nixpkgs_3" - }, - "locked": { - "lastModified": 1771632300, - "narHash": "sha256-uP5SbbbN86+LZ8VubL01UKD6bez5DK9prqIqQOMy3Jw=", - "owner": "nix-community", - "repo": "neovim-nightly-overlay", - "rev": "0f601090d4d54b3da0d03e270cb6a5c68bf84dd3", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "neovim-nightly-overlay", - "type": "github" - } - }, - "neovim-src": { - "flake": false, - "locked": { - "lastModified": 1771630915, - "narHash": "sha256-7RPG+RG/e0O79HjNT/ztC7K7j/xXazltq3TPk1mauqY=", - "owner": "neovim", - "repo": "neovim", - "rev": "d79a9dcd422133bc1e4b4ef94444962560d7a6d7", - "type": "github" - }, - "original": { - "owner": "neovim", - "repo": "neovim", - "type": "github" - } - }, "niri-branch": { "inputs": { "nixpkgs": [ 
@@ -249,11 +164,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1769284707, - "narHash": "sha256-X60XGpLjNTgYyaC/gChHGpqQqLWGI+0n5BbWaybXKiE=", + "lastModified": 1771283045, + "narHash": "sha256-AgD3KAkrQ4cs34kKZE8v/+FyFTc1Vq2sOJaPrWiCRio=", "owner": "argosnothing", "repo": "niri", - "rev": "6dcaa349acf3b04ed1593022388b4f1cbef8893b", + "rev": "eab116015a5a4d8f027c915dbd7b0a90e1e9a5e1", "type": "github" }, "original": { @@ -272,11 +187,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1765743947, - "narHash": "sha256-kx8XFbzG59eLNImygoN9jRjgaxR7kvmjg64equccmK0=", + "lastModified": 1774389340, + "narHash": "sha256-zPxNCLGMQ5gbziogsTl3COikFFco6Em6NDeHOy4fmUg=", "owner": "argosnothing", "repo": "niri-scratchpad-rs", - "rev": "163420c14c9199d311627501eedee2a3b2507db2", + "rev": "7288342f08036bfc9abd58ab6a4bc692679dfcd3", "type": "github" }, "original": { @@ -288,11 +203,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1766651565, - "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", + "lastModified": 1776169885, + "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", + "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9", "type": "github" }, "original": { @@ -319,22 +234,6 @@ } }, "nixpkgs_3": { - "locked": { - "lastModified": 1771207753, - "narHash": "sha256-b9uG8yN50DRQ6A7JdZBfzq718ryYrlmGgqkRm9OOwCE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d1c15b7d5806069da59e819999d70e1cec0760bf", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { "locked": { "lastModified": 1744536153, "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", 
@@ -350,13 +249,13 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { - "lastModified": 1771342064, - "narHash": "sha256-Aros+b3kQpzJAyxjDyhLUmnEfzQfyor2tiIoUTSgki0=", + "lastModified": 1777731324, + "narHash": "sha256-piLMdJYPP/9+/yiHxVMpqbAAoP8EnsqRO5921ilx0lk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3f03a5f1bede585f58c878c22cb12988bb0d1ed2", + "rev": "38e436af6ec1a3b1c9b666ceea098bf5ef05fc66", "type": "github" }, "original": { @@ -365,13 +264,13 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { - "lastModified": 1770562336, - "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", + "lastModified": 1777578337, + "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", + "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab", "type": "github" }, "original": { @@ -383,15 +282,15 @@ }, "nur": { "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_6" + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1770758031, - "narHash": "sha256-YEq6M9OOEOl7l2zr/YjOi2UnuQZZ02HvXebpWGpkEHM=", + "lastModified": 1777729540, + "narHash": "sha256-tF5WMS4SSSmDvEZ7qgOosh8q0BVdz/ynb4Wnruc1rgY=", "owner": "nix-community", "repo": "NUR", - "rev": "6701aa01b90606ab75078c1910bb991b8e7a389b", + "rev": "1091dd1d0f6589dc9a88d808052dda9b85835670", "type": "github" }, "original": { 
@@ -408,16 +307,16 @@ ] }, "locked": { - "lastModified": 1766386896, - "narHash": "sha256-1uql4y229Rh+/2da99OVNe6DfsjObukXkf60TYRCvhI=", + "lastModified": 1776854048, + "narHash": "sha256-lLbV66V3RMNp1l8/UelmR4YzoJ5ONtgvEtiUMJATH/o=", "ref": "refs/heads/master", - "rev": "3918290c1bcd93ed81291844d9f1ed146672dbfc", - "revCount": 714, + "rev": "783c953987dc56ff0601abe6845ed96f1d00495a", + "revCount": 806, "type": "git", "url": "https://git.outfoxxed.me/quickshell/quickshell" }, "original": { - "rev": "3918290c1bcd93ed81291844d9f1ed146672dbfc", + "rev": "783c953987dc56ff0601abe6845ed96f1d00495a", "type": "git", "url": "https://git.outfoxxed.me/quickshell/quickshell" } @@ -428,11 +327,9 @@ "dms": "dms", "home-manager": "home-manager", "impermanence": "impermanence", - "microvm": "microvm", - "neovim-nightly-overlay": "neovim-nightly-overlay", "niri-branch": "niri-branch", "niri-scratchpad": "niri-scratchpad", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "nur": "nur", "sops-nix": "sops-nix" } @@ -460,14 +357,14 @@ }, "rust-overlay_2": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1763952169, - "narHash": "sha256-+PeDBD8P+NKauH+w7eO/QWCIp8Cx4mCfWnh9sJmy9CM=", + "lastModified": 1772075164, + "narHash": "sha256-93XcvAt+6p7aAq1ERlxD2T17zLGoYGo64KJYasGcpgc=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "ab726555a9a72e6dc80649809147823a813fa95b", + "rev": "07601339b15fa6810541c0e7dc2f3664d92a7ad0", "type": "github" }, "original": { @@ -483,11 +380,11 @@ ] }, "locked": { - "lastModified": 1770683991, - "narHash": "sha256-xVfPvXDf9QN3Eh9dV+Lw6IkWG42KSuQ1u2260HKvpnc=", + "lastModified": 1777338324, + "narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8b89f44c2cc4581e402111d928869fe7ba9f7033", + "rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5", "type": "github" }, "original": { 
@@ -496,22 +393,6 @@ "type": "github" } }, - "spectrum": { - "flake": false, - "locked": { - "lastModified": 1759482047, - "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", - "ref": "refs/heads/main", - "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", - "revCount": 996, - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - }, - "original": { - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - } - }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index d6a7c79..7790e94 100644 --- a/flake.nix +++ b/flake.nix @@ -7,18 +7,18 @@ url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - microvm = { - url = "github:microvm-nix/microvm.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # microvm = { + # url = "github:microvm-nix/microvm.nix/da28962a2ba84718895b7325f600686c3b4ee099"; + # inputs.nixpkgs.follows = "nixpkgs"; + # }; disko = { url = "github:nix-community/disko/latest"; inputs.nixpkgs.follows = "nixpkgs"; }; impermanence.url = "github:nix-community/impermanence"; - neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; + # neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; home-manager = { - url = "github:nix-community/home-manager/0d782ee42c86b196acff08acfbf41bb7d13eed5b"; + url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; nur.url = "github:nix-community/NUR"; @@ -30,7 +30,7 @@ url = "github:argosnothing/niri-scratchpad-rs/hidden-workspaces"; inputs.nixpkgs.follows = "nixpkgs"; }; - dms.url = "github:AvengeMedia/DankMaterialShell/987856a1de35c62dc0930b007b561545d6a832a8"; + dms.url = "github:AvengeMedia/DankMaterialShell"; }; outputs = 
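Review bot: The `home-manager` and `dms` inputs in the first flake.nix hunk drop their pinned commit for a floating default branch (the second hunk does the same for `dms`). The lock still records a concrete `rev`, so builds stay reproducible until the next `nix flake update`, after which both follow whatever the upstream branch head is, and `DankMaterialShell` is third-party code evaluated into the system closure. If tracking head is deliberate, a comment such as `# unpinned on purpose; review the lock diff on every update` makes that explicit; otherwise keep the rev in the URL as before.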
@@ -49,7 +49,7 @@ config.allowUnfree = true; # overlays = [ inputs.neovim-nightly-overlay.overlays.default ]; }; - microvm = inputs.microvm.nixosModules.host; + # microvm = inputs.microvm.nixosModules.host; in { nixosConfigurations."${hostname}" = nixpkgs.lib.nixosSystem { @@ -59,7 +59,7 @@ nixpkgs impermanence home-manager - microvm + # microvm sops-nix ; hostname = hostname; @@ -74,8 +74,8 @@ ./kernel ./home inputs.sops-nix.nixosModules.sops - inputs.microvm.nixosModules.host - (import ./vms) + # inputs.microvm.nixosModules.host + # (import ./vms) inputs.disko.nixosModules.disko inputs.impermanence.nixosModules.impermanence inputs.home-manager.nixosModules.home-manager @@ -88,15 +88,13 @@ ]; nixpkgs.overlays = [ (_: prev: { + + openldap = prev.openldap.overrideAttrs { + doCheck = !prev.stdenv.hostPlatform.isi686; + }; niri-scratchpad = inputs.niri-scratchpad.packages.${prev.system}.default; vimPlugins = prev.vimPlugins.extend ( f: p: { - neotest = p.neotest.overrideAttrs { - src = prev.fetchzip { - url = "https://github.com/archie-judd/neotest/archive/c8dd7597bb4182c0547d188e1dd5f684a4f01852.zip"; - sha256 = "sha256-E/Heh+mAxvN5RaWqv1UJuHSA90c0evMKFkDD1BrpV7g="; - }; - }; neotest-pest = p.neotest-pest.overrideAttrs (_: { src = prev.fetchFromGitHub { owner = "jradtilbrook"; diff --git a/home/agents.nix b/home/agents.nix new file mode 100644 index 0000000..0429d5c --- /dev/null +++ b/home/agents.nix 
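Review bot: The `openldap` override in the last flake.nix hunk carries no comment explaining why a security-relevant package is overridden (and so rebuilt locally) with `doCheck = !prev.stdenv.hostPlatform.isi686;`, so the next reader cannot tell whether it is a temporary workaround or a deliberate choice. Add a one-line note above it, e.g. `# overrideAttrs: <reason or upstream issue> — drop once fixed`, and remove the stray blank line that now opens the overlay body. The overlay attrset continues past the hunk.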
@@ -0,0 +1,193 @@ +{ pkgs, lib, ... }: +let + home-manager-config = + { + uid, + username, + }: + let + HOME = "/home/${username}"; + in + { + ${username} = + { config, ... }: + { + imports = [ + ./nvim + ./tmux.nix + ]; + + home.username = username; + home.homeDirectory = "${HOME}"; + home.stateVersion = "25.11"; + home.enableNixpkgsReleaseCheck = false; + home.sessionVariables = { + DISPLAY = ":1"; + }; + + programs = { + chromium.enable = true; + claude-code.enable = true; + opencode.enable = true; + ssh = { + enable = true; + enableDefaultConfig = false; + matchBlocks = { + "*" = { + serverAliveInterval = 60; + serverAliveCountMax = 3; + }; + "github.com" = { + identityFile = "${HOME}/.ssh/id_ed25519"; + }; + }; + }; + delta = { + enable = true; + options = { + navigate = true; + line-numbers = true; + side-by-side = true; + }; + enableGitIntegration = true; + }; + git = { + enable = true; + lfs.enable = true; + signing = { + key = "${HOME}/.ssh/id_ed25519.pub"; + signByDefault = true; + }; + includes = [ + { + condition = "gitdir:~/dealwise/"; + contents = { + user = { + name = "felipematos"; + email = "5471818+fnzr@users.noreply.github.com"; + signingkey = "${HOME}/.ssh/id_ed25519.pub"; + }; + }; + } + { + contents = { + user = { + name = "${username}"; + email = "${username}@sandbox.dev"; + signingkey = "${HOME}/.ssh/id_ed25519.pub"; + }; + }; + } + ]; + settings = { + user = { + email = "${username}@sandbox.dev"; + name = "${username}"; + signingkey = "${HOME}/.ssh/id_ed25519.pub"; + }; + gpg.format = "ssh"; + commit.gpgsign = true; + tag.gpgsign = true; + core = { + editor = "nvim"; + whitespace = "fix,only-indent-error,trailing-space,space-before-tab"; + quotepath = false; + }; + diff = { + algorithm = "histogram"; + renames = "copies"; + tool = "nvim"; + }; + difftool = { + prompt = false; + nvim.cmd = "nvim -d $LOCAL $REMOTE"; + }; + merge = { + conflictstyle = "zdiff3"; + tool = "nvim"; + }; + mergetool = { + prompt = false; + keepBackup = false; + 
nvim.cmd = "nvim -d $LOCAL $REMOTE $MERGED -c 'wincmd w' -c 'wincmd J'"; + }; + init = { + defaultBranch = "master"; + }; + push = { + autoSetupRemote = true; + default = "current"; + }; + pull = { + rebase = true; + }; + fetch = { + prune = true; + }; + help = { + autocorrect = "prompt"; + }; + }; + }; + fish = { + enable = true; + plugins = [ + { + name = "puffer"; + src = pkgs.fetchFromGitHub { + owner = "nickeb96"; + repo = "puffer-fish"; + rev = "83174b0"; + sha256 = "sha256-Dhx5+XRxJvlhdnFyimNxFyFiASrGU4ZwyefsDwtKnSg="; + }; + } + ]; + + interactiveShellInit = '' + set fish_greeting + bind ctrl-space "" + ''; + }; + starship.enable = true; + }; + custom.tmux.enable = true; + custom.neovim = { + enable = true; + colorscheme = "rose-pine-moon"; + hostname = "amelia"; + }; + xdg.configFile."containers/containers.conf".text = '' + [engine] + compose_warning_logs=false + events_logger="file" + + [containers] + log_driver="k8s-file" + ''; + xdg.configFile."opencode/opencode.json".text = builtins.toJSON { + "$schema" = "https://opencode.ai/config.json"; + # provider = { + # ollama = { + # model = "qwen3.6"; + # base_url = "http://localhost:11434"; + # }; + # }; + }; + xdg.userDirs = { + enable = true; + setSessionVariables = false; + extraConfig = { + XDG_CACHE_HOME = "$HOME/.cache"; + }; + }; + }; + }; +in +{ + home-manager.users = lib.mkMerge [ + (home-manager-config { + uid = 1002; + username = "agent"; + }) + ]; +} diff --git a/home/files/lf/lfrc b/home/files/lf/lfrc deleted file mode 100644 index e69de29..0000000 diff --git a/home/nvim/default.nix b/home/nvim/default.nix index d99962e..fec98e7 100644 --- a/home/nvim/default.nix +++ b/home/nvim/default.nix @@ -29,6 +29,8 @@ in viAlias = true; vimAlias = false; vimdiffAlias = true; + withPython3 = false; + withRuby = false; plugins = with pkgs.vimPlugins; [ { plugin = auto-session; 
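Review bot: `home-manager-config` in home/agents.nix takes a `uid` argument that its body never uses, so the `uid = 1002` passed at the bottom has no effect; either drop the parameter or wire it into the configuration. Separately, the `gitdir:~/dealwise/` include sets the `agent` user's commit author to the human's name and noreply address, so commits the agent makes under that tree are attributable to a person by author identity and differ only by the SSH signing key; if that is intended, a short comment saying so would help, otherwise an agent-specific identity is the safer default. `lib.mkMerge` over a single-element list can also be replaced by the attrset itself.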
@@ -86,6 +88,7 @@ in blade = { "blade-formatter" }, go = { "gofmt" }, wgsl = { "wgsl_fmt" }, + odin = { "odinfmt" }, }, }) vim.api.nvim_create_autocmd("BufWritePre", { @@ -127,7 +130,14 @@ in }, adapters = { require('neotest-pest'), - } + require('neotest-zig'), + -- require('neotest-odin'), + }, + watch = { + filter_path = function(path, root) + return true + end, + }, }) vim.keymap.set('n', 'pn', function() require('neotest').run.run() end, { desc = "test nearest" }) vim.keymap.set('n', 'pe', function() require('neotest').run.run(vim.fn.expand('%')) end, { desc = "test file" }) @@ -138,6 +148,10 @@ in type = "lua"; } # { + # plugin = neotest-zig; + # type = "lua"; + # } + # { # plugin = nvim-autopairs; # type = "lua"; # config = '' @@ -149,19 +163,43 @@ in type = "lua"; config = '' local dap = require("dap") - dap.adapters.php = { - type = 'executable', - command = '${pkgs.nodejs}/bin/node', - args = { '${pkgs.vscode-extensions.xdebug.php-debug}/share/vscode/extensions/xdebug.php-debug/out/phpDebug.js' }, + dap.adapters = { + php = { + type = "executable", + command = "${pkgs.nodejs}/bin/node", + args = { "${pkgs.vscode-extensions.xdebug.php-debug}/share/vscode/extensions/xdebug.php-debug/out/phpDebug.js" }, + }, + + codelldb = { + type = "server", + port = "''${port}", + executable = { + command = '${pkgs.vscode-extensions.vadimcn.vscode-lldb}/share/vscode/extensions/vadimcn.vscode-lldb/adapter/codelldb', + args = { "--port", "''${port}" }, + }, + }, } - dap.configurations.php = { - { - type = 'php', - request = 'launch', - name = 'listen for xdebug', - port = 9003, - } + dap.configurations = { + php = { + { + type = 'php', + request = 'launch', + name = 'listen for xdebug', + port = 9003, + } + }, + zig = { + { + name = 'launch', + type = 'codelldb', + request = 'launch', + program = "''${workspaceFolder}/zig-out/bin/''${workspaceFolderBasename}", + cwd = "''${workspaceFolder}", + stopOnEntry = false, + args = {}, + } + }, } ''; } 
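Review bot: The neotest adapter list in the second hunk now calls `require('neotest-zig')`, while the plugin entry for `neotest-zig` in the following hunk is still commented out; unless the plugin is installed elsewhere, that `require` will raise at startup and take the whole neotest setup with it. Either uncomment the plugin entry or keep the adapter line commented like `neotest-odin`. The new `watch.filter_path` returns `true` for every path, which watches everything under the root including build and dependency directories; a comment stating that is intentional, or an actual filter on `path`, would help. The surrounding `config` string continues outside the hunk.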
@@ -199,7 +237,7 @@ in 'fsharp', 'git_config', 'git_rebase', 'gitignore', 'glsl', 'go', 'gomod', 'graphql', 'haskell', 'hlsl', 'http', 'ini', 'javadoc', 'jq', 'jsdoc', 'json', 'json5', 'kitty', 'latex', 'markdown', 'nginx', 'nix', 'php', 'php_only', 'phpdoc', 'regex', 'rust', 'sql', - 'ssh_config', 'tmux', 'vim', 'wgsl', 'yaml', 'zig', 'ols', + 'ssh_config', 'tmux', 'vim', 'wgsl', 'yaml', 'zig', 'odin', }, callback = function() vim.treesitter.start() @@ -246,12 +284,11 @@ in config = '' vim.o.autoread = true -- Recommended/example keymaps. - vim.keymap.set({ "n", "x" }, "", function() require("opencode").ask("@this: ", { submit = true }) end, { desc = "Ask opencode…" }) + vim.keymap.set({ "n", "x" }, "h", function() require("opencode").ask("@this: ", { submit = true }) end, { desc = "Ask opencode…" }) vim.keymap.set({ "n", "x" }, "", function() require("opencode").select() end, { desc = "Execute opencode action…" }) vim.keymap.set({ "n", "t" }, "", function() require("opencode").toggle() end, { desc = "Toggle opencode" }) vim.keymap.set({ "n", "x" }, "go", function() return require("opencode").operator("@this ") end, { desc = "Add range to opencode", expr = true }) - vim.keymap.set("n", "goo", function() return require("opencode").operator("@this ") .. "_" end, { desc = "Add line to opencode", expr = true }) vim.keymap.set("n", "", function() require("opencode").command("session.half.page.up") end, { desc = "Scroll opencode up" }) vim.keymap.set("n", "", function() require("opencode").command("session.half.page.down") end, { desc = "Scroll opencode down" }) @@ -403,12 +440,10 @@ in } vim-fugitive ]; - extraConfig = '' - colorscheme ${cfg.colorscheme} - ''; - extraLuaConfig = '' + initLua = '' ${builtins.readFile ./settings.lua} ${builtins.replaceStrings [ "@HOSTNAME@" ] [ cfg.hostname ] (builtins.readFile ./plugins.lua)} + vim.cmd.colorscheme("${cfg.colorscheme}") require("custom") ''; }; 
diff --git a/home/nvim/plugins.lua b/home/nvim/plugins.lua index e94ea77..a0ea9f2 100644 --- a/home/nvim/plugins.lua +++ b/home/nvim/plugins.lua @@ -42,6 +42,7 @@ local servers = { zls = { enable_build_on_save = true, semantic_tokens = "partial", + global_cache_path = vim.fn.getcwd(0, 0) .. "/.cache/zls", }, }, }, @@ -52,7 +53,11 @@ local servers = { html = { filetypes = { "html", "blade" } }, htmx = { filetypes = { "html", "blade" } }, gopls = {}, - ols = {}, + ols = { + enable_semantic_tokens = true, + enable_auto_import = true, + checker_args = "-vet", + }, wgsl_analyzer = {}, } for server, config in pairs(servers) do @@ -77,12 +82,12 @@ local leap = require("leap") leap.opts.preview = function(ch0, ch1, ch2) return not (ch1:match("%s") or (ch0:match("%a") and ch1:match("%a") and ch2:match("%a"))) end -leap.opts.equivalence_classes = { - " \t\r\n", - "([{", - ")]}", - "'\"`", -} +-- leap.opts.equivalence_classes = { +-- " \t\r\n", +-- "([{", +-- ")]}", +-- "'\"`", +-- } vim.api.nvim_set_hl(0, "LeapBackdrop", { link = "Comment" }) do diff --git a/home/nvim/settings.lua b/home/nvim/settings.lua index 83d9a76..7cdbfb3 100644 --- a/home/nvim/settings.lua +++ b/home/nvim/settings.lua @@ -107,9 +107,6 @@ vim.keymap.set({ "n", "t" }, "", function() end, { desc = "Go to previous tab" }) vim.keymap.set({ "n", "t" }, "", "p", { desc = "Go to previous pane" }) -vim.keymap.set("n", "v", "vsplit", { desc = "split (vertical line)" }) -vim.keymap.set("n", "h", "split", { desc = "split (horizontal line)" }) - vim.keymap.set("n", "", "w", { desc = "save buffer" }) vim.diagnostic.config({ diff --git a/home/root.nix b/home/root.nix index eaa3dee..f601343 100644 --- a/home/root.nix +++ b/home/root.nix @@ -2,6 +2,9 @@ { home-manager.users.root = { config, ... }: + let + HOME = "/root"; + in { imports = [ ./nvim ]; home.username = "root"; 
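Review bot: `global_cache_path = vim.fn.getcwd(0, 0) .. "/.cache/zls"` in the first plugins.lua hunk ties the zls cache to whatever directory Neovim was launched from, so starting it from a subdirectory or from `~` creates a `.cache/zls` tree there, and a checkout picks up an untracked `.cache` directory. If a per-project cache is wanted, deriving it from the LSP root directory and ignoring `.cache/` globally is more predictable; otherwise the default location under the user's cache dir avoids both issues. The `servers` table continues outside the hunk.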
@@ -12,13 +15,6 @@ home.file."/.ssh/desktop.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILquARrJ3Vyh5z6aeVoiYrkLpgiMts+V/JzFEvs3Cnth root@icefox.sh"; - xdg.userDirs = { - enable = false; - extraConfig = { - XDG_CACHE_HOME = "${config.home.homeDirectory}/.cache"; - }; - }; - programs = { ssh = { enable = true; @@ -48,7 +44,7 @@ name = "root"; }; gpg.format = "ssh"; - user.signingkey = "${config.home.homeDirectory}/.ssh/desktop.pub"; + user.signingkey = "${HOME}/.ssh/desktop.pub"; commit.gpgsign = true; tag.gpgsign = true; core = { diff --git a/home/user.nix b/home/user.nix index 74eb5bf..1dae7c0 100644 --- a/home/user.nix +++ b/home/user.nix @@ -7,12 +7,17 @@ lib, ... }: + let + HOME = "/home/user"; + in { home.username = "user"; - home.homeDirectory = "/home/user"; + home.homeDirectory = HOME; home.stateVersion = "25.11"; home.sessionVariables = { - HOME = "/home/user"; + QMK_HOME = "${HOME}/var/qmk"; + GOMODCACHE = "${HOME}/.cache/go_mod"; + GOPATH = "${HOME}/.local/share/go"; }; imports = [ @@ -21,15 +26,15 @@ ]; sops.defaultSopsFile = ../secrets/home.yaml; - sops.age.keyFile = "/.persist/${config.home.homeDirectory}/.config/sops/age/keys.txt"; + sops.age.keyFile = "/.persist/${HOME}/.config/sops/age/keys.txt"; sops.secrets."user/ssh/desktop" = { - path = "${config.home.homeDirectory}/.ssh/desktop"; + path = "${HOME}/.ssh/desktop"; mode = "0600"; }; home.file."/.ssh/desktop.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILABd/iSJ4gn/ystDqNxLJTG0n0z5VIC9YXlmdUfOhHf desktop@icefox.sh"; sops.secrets."user/ssh/legacy_ed25519" = { - path = "${config.home.homeDirectory}/.ssh/legacy_ed25519"; + path = "${HOME}/.ssh/legacy_ed25519"; mode = "0600"; }; home.file."/.ssh/legacy_ed25519.pub".text = 
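Review bot: `"/.persist/${HOME}/.config/sops/age/keys.txt"` in the fourth hunk (home/user.nix) expands to `/.persist//home/user/...` because `HOME` already starts with `/`; the doubled slash is harmless on Linux but easy to misread, and `"/.persist${HOME}/.config/sops/age/keys.txt"` says what is meant. The same composition existed before with `config.home.homeDirectory`, so this is not a regression, only a chance to tidy it while the line is touched.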
@@ -51,18 +56,21 @@ # "Xft.rgba" = "rgb"; # }; - # systemd.user.services.xrdb-configure = { - # Unit = { - # Description = "Load Xresources"; - # }; - # Intall = { - # WantedBy = [ "graphical-session.target" ]; - # }; - # Service = { - # ExecStart = "${pkgs.xrdb}/bin/xrdb -merge ${config.home.homeDirectory}/.Xresources"; - # Type = "oneshot"; - # }; - # }; + systemd.user.services.waypipe-socket = { + Unit = { + Description = "start waypipe client"; + }; + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + Service = { + ExecStart = "${pkgs.waypipe}/bin/waypipe --socket /tmp/waypipe.sock client"; + ExecStartPost = "${pkgs.acl}/bin/setfacl -m u:agent:rw /tmp/waypipe.sock"; + RuntimeDirectory = "waypipe"; + Type = "simple"; + Restart = "on-failure"; + }; + }; sops.secrets."user/gpg/legacy_fnzr" = { }; home.activation.importGpgKey = config.lib.dag.entryAfter [ "writeBoundary" ] '' if [[ -f "${config.sops.secrets."user/gpg/legacy_fnzr".path}" ]]; then 
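Review bot: `ExecStartPost` in the new `waypipe-socket` user service runs as soon as the `Type = "simple"` main process has been spawned, so `setfacl` can fire before waypipe has created `/tmp/waypipe.sock` and fail, which with `Restart = "on-failure"` may turn into a restart loop. A `.socket` unit, or a short wait-for-the-path loop before `setfacl`, removes the race. `RuntimeDirectory = "waypipe"` is created but unused since the socket lives in `/tmp`; the `agent` wrapper added later in this file points its server at `/run/waypipe.sock`, so unless something bridges the two paths the client and server do not share a socket — worth confirming.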
@@ -92,225 +100,6 @@ }; }; - # xdg.configFile."opencode/opencode.json".text = builtins.toJSON { - # "$schema" = "https://opencode.ai/config.json"; - # plugin = [ "opencode-antigravity-auth@latest" ]; - # provider = { - # google = { - # models = { - # antigravity-gemini-3-pro = { - # name = "Gemini 3 Pro (Antigravity)"; - # limit = { - # context = 1048576; - # output = 65535; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # low = { - # thinkingLevel = "low"; - # }; - # high = { - # thinkingLevel = "high"; - # }; - # }; - # }; - # antigravity-gemini-3-flash = { - # name = "Gemini 3 Flash (Antigravity)"; - # limit = { - # context = 1048576; - # output = 65536; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # minimal = { - # thinkingLevel = "minimal"; - # }; - # low = { - # thinkingLevel = "low"; - # }; - # medium = { - # thinkingLevel = "medium"; - # }; - # high = { - # thinkingLevel = "high"; - # }; - # }; - # }; - # antigravity-claude-sonnet-4-5 = { - # name = "Claude Sonnet 4.5 (Antigravity)"; - # limit = { - # context = 200000; - # output = 64000; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # antigravity-claude-sonnet-4-5-thinking = { - # name = "Claude Sonnet 4.5 Thinking (Antigravity)"; - # limit = { - # context = 200000; - # output = 64000; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # low = { - # thinkingConfig = { - # thinkingBudget = 8192; - # }; - # }; - # max = { - # thinkingConfig = { - # thinkingBudget = 32768; - # }; - # }; - # }; - # }; - # antigravity-claude-opus-4-5-thinking = { - # name = "Claude Opus 4.5 Thinking (Antigravity)"; - # limit = { - # context = 200000; - # output = 64000; - # }; - # modalities = { - # input = [ 
- # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # low = { - # thinkingConfig = { - # thinkingBudget = 8192; - # }; - # }; - # max = { - # thinkingConfig = { - # thinkingBudget = 32768; - # }; - # }; - # }; - # }; - # antigravity-claude-opus-4-6-thinking = { - # name = "Claude Opus 4.6 Thinking (Antigravity)"; - # limit = { - # context = 200000; - # output = 64000; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # variants = { - # low = { - # thinkingConfig = { - # thinkingBudget = 8192; - # }; - # }; - # max = { - # thinkingConfig = { - # thinkingBudget = 32768; - # }; - # }; - # }; - # }; - # "gemini-2.5-flash" = { - # name = "Gemini 2.5 Flash (Gemini CLI)"; - # limit = { - # context = 1048576; - # output = 65536; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # "gemini-2.5-pro" = { - # name = "Gemini 2.5 Pro (Gemini CLI)"; - # limit = { - # context = 1048576; - # output = 65536; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # gemini-3-flash-preview = { - # name = "Gemini 3 Flash Preview (Gemini CLI)"; - # limit = { - # context = 1048576; - # output = 65536; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # gemini-3-pro-preview = { - # name = "Gemini 3 Pro Preview (Gemini CLI)"; - # limit = { - # context = 1048576; - # output = 65535; - # }; - # modalities = { - # input = [ - # "text" - # "image" - # "pdf" - # ]; - # output = [ "text" ]; - # }; - # }; - # }; - # }; - # }; - # }; - xdg.desktopEntries = { google-chrome = { name = "Google Chrome"; 
@@ -427,19 +216,20 @@ xdg.userDirs = { enable = true; createDirectories = true; + setSessionVariables = true; - download = "${config.home.homeDirectory}/downloads"; - documents = "${config.home.homeDirectory}/documents"; - desktop = "${config.home.homeDirectory}/desktop"; - pictures = "${config.home.homeDirectory}/pictures"; - music = "${config.home.homeDirectory}/music"; - videos = "${config.home.homeDirectory}/videos"; - templates = "${config.home.homeDirectory}"; - publicShare = "${config.home.homeDirectory}"; + download = "${HOME}/downloads"; + documents = "${HOME}/documents"; + desktop = "${HOME}/desktop"; + pictures = "${HOME}/pictures"; + music = "${HOME}/music"; + videos = "${HOME}/videos"; + templates = "${HOME}"; + publicShare = "${HOME}"; extraConfig = { - SCREENSHOTS = "${config.home.homeDirectory}/pictures/screenshots"; - XDG_CACHE_HOME = "${config.home.homeDirectory}/.cache"; + SCREENSHOTS = "$HOME/pictures/screenshots"; + XDG_CACHE_HOME = "$HOME/.cache"; }; }; @@ -475,7 +265,7 @@ enable = true; lfs.enable = true; signing = { - key = "${config.home.homeDirectory}/.ssh/desktop.pub"; + key = "${HOME}/.ssh/desktop.pub"; signByDefault = true; }; includes = [ @@ -485,6 +275,7 @@ user = { name = "felipematos"; email = "5471818+fnzr@users.noreply.github.com"; + signingkey = "${HOME}/.ssh/desktop.pub"; }; }; } @@ -493,7 +284,7 @@ user = { email = "felipe@icefox.sh"; name = "icefox"; - signingkey = "${config.home.homeDirectory}/.ssh/desktop.pub"; + signingkey = "${HOME}/.ssh/desktop.pub"; }; gpg.format = "ssh"; commit.gpgsign = true; @@ -537,12 +328,20 @@ help = { autocorrect = "prompt"; }; + safe = { + directory = [ + "/home/agent/*" + ]; + }; }; }; }; home.packages = with pkgs; [ xrdb + (writeShellScriptBin "agent" '' + machinectl shell agent@ ${waypipe}/bin/waypipe --socket /run/waypipe.sock server fish + '') (writeShellApplication { name = "tmux-sessionizer"; runtimeInputs = [ 
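Review bot: `safe = { directory = [ "/home/agent/*" ]; }` in the last user.nix hunk disables git's ownership check for every repository under the agent's home, which is exactly the situation that check exists for: repository-level config in a checkout the `agent` user controls (hooks, `core.fsmonitor`, aliases and similar) is then honoured when `user` runs git there. If `user` only needs to inspect the agent's work, prefer fetching from those paths into a `user`-owned repository, or list only the specific repositories that need the exemption. The `/*` suffix form also needs a reasonably recent git; confirm the pinned nixpkgs ships one.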
@@ -551,20 +350,7 @@ ]; text = builtins.readFile ./bin/tmux-sessionizer; }) - (writeShellScriptBin "opencode" '' - ssh -t user@192.168.77.2 " - cd $(pwd) 2>/dev/null || cd \$(mktemp -d) - opencode $* - " - '') - (writeShellScriptBin "claude" '' - ssh -t user@192.168.77.2 " - cd $(pwd) 2>/dev/null || cd \$(mktemp -d) - claude $* - " - '') ]; - custom.tmux.enable = true; custom.neovim = { enable = true; @@ -624,6 +410,7 @@ programs.firefox = { enable = true; package = pkgs.firefox; + configPath = ".mozilla/firefox"; nativeMessagingHosts = [ pkgs.browserpass pkgs.tridactyl-native diff --git a/kernel/default.nix b/kernel/default.nix index c823c54..404a84e 100644 --- a/kernel/default.nix +++ b/kernel/default.nix @@ -3,6 +3,22 @@ pkgs, ... }: +let + nsExec = pkgs.writeShellScriptBin "ns-raw" '' + ns="$1" + shift + exec ${pkgs.iproute2}/bin/ip netns exec "$ns" \ + ${pkgs.util-linux}/bin/setpriv \ + --reuid="$DOAS_USER" --regid="$DOAS_USER" \ + --clear-groups \ + --inh-caps=-all \ + "$@" + ''; + nsWrapper = pkgs.writeShellScriptBin "ns" '' + + exec /run/wrappers/bin/doas ${nsExec}/bin/ns-raw "$@" + ''; +in { imports = [ ./hardened.nix @@ -38,24 +54,47 @@ extraRules = [ { users = [ "user" ]; + runAs = "root"; keepEnv = true; persist = true; } { users = [ "user" ]; - runAs = "agent"; + runAs = "work"; noPass = true; keepEnv = false; } + { + users = [ "user" ]; + runAs = "agent"; + noPass = true; + keepEnv = true; + } + { + users = [ + "user" + "agent" + "work" + ]; + runAs = "root"; + noPass = true; + keepEnv = true; + cmd = "${nsExec}/bin/ns-raw"; + } ]; }; + environment.systemPackages = [ nsWrapper ]; + + security.pam.services.su.requireWheel = true; + security.pam.services.newgrp.requireWheel = true; + boot = { loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; - kernelPackages = pkgs.linuxPackages_zen; + kernelPackages = pkgs.linuxPackages_latest; kernelParams = [ "amd_iommu=on" ]; 
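Review bot: The fourth doas rule runs `ns-raw` as root with `noPass = true` and `keepEnv = true` for `user`, `agent` and `work`, and the script (defined in the earlier hunk of this file) passes `$1` to `ip netns exec` unchecked and then re-executes with `--clear-groups`, so the caller ends up with no supplementary groups inside the namespace and any string is accepted as a namespace name; a guard such as `case "$ns" in ""|*/*|.*) echo "usage: ns-raw <netns> cmd..." >&2; exit 1;; esac` and `--init-groups` in place of `--clear-groups` (if group memberships like `public` are expected there) would tighten it, and `--inh-caps=-all` alone does not touch the bounding set, so `--bounding-set=-all` is worth considering as well. The script relies on `$DOAS_USER` being set by doas rather than by the caller; that appears to be doas' own behaviour but should be confirmed before trusting it as the uid to drop to. The third rule (`runAs = "agent"`, `noPass`, `keepEnv = true`) hands the whole environment of `user` to the `agent` session; if `agent` is a lower-trust account, `keepEnv = false` plus `setEnv` for the few variables the session needs keeps socket paths and tokens in the environment from crossing that boundary. Both points deserve a one-line comment on the rules explaining why passwordless root and environment passthrough are acceptable here.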
diff --git a/networking.nix b/networking.nix index d0627e5..65c34eb 100644 --- a/networking.nix +++ b/networking.nix @@ -33,6 +33,8 @@ # interfaces = [ inetInterface ]; # }; firewall.allowedTCPPorts = [ + 5900 + 8080 9003 10000 10001 diff --git a/packages.nix b/packages.nix index 531f167..3c863b3 100644 --- a/packages.nix +++ b/packages.nix @@ -2,6 +2,10 @@ { environment.systemPackages = with pkgs; [ bat + bc + (pkgs.writeShellScriptBin "bci" '' + echo "$@" | ${bc}/bin/bc -l + '') black blade-formatter cmake @@ -15,6 +19,7 @@ clang-tools clevis cliphist + chromium distrobox dos2unix dnsutils @@ -23,6 +28,7 @@ eza fd ffmpeg + file fira-code-symbols fish fractal @@ -46,9 +52,10 @@ poppler jetbrains.datagrip jq + kitty lazygit (pkgs.writeShellScriptBin "lf" '' - cd_file="/tmp/lf-lastdir-$$" + cd_file="/tmp/lf-lastdir" ${pkgs.lf}/bin/lf "$@" @@ -81,12 +88,13 @@ php84Packages.composer php84Packages.php-cs-fixer phpactor + pistol podman-compose podman-tui prettierd playerctl - qemu_full qmk + quickemu quickshell resvg ripgrep @@ -104,7 +112,6 @@ tmux thunderbird tor-browser - ungoogled-chromium unzip virt-manager virt-viewer @@ -146,12 +153,7 @@ virtualisation.podman = { enable = true; dockerCompat = true; - # rootless = { - # enable = true; - # setSocketVariable = true; - # }; defaultNetwork.settings.dns_enabled = true; - # storageDriver = "btrfs"; }; virtualisation.spiceUSBRedirection.enable = true; @@ -163,7 +165,7 @@ onBoot = "ignore"; onShutdown = "shutdown"; qemu = { - package = pkgs.qemu_full; + package = pkgs.qemu; verbatimConfig = '' cgroup_device_acl = [ "/dev/null", "/dev/full", "/dev/zero", 
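Review bot: Ports 5900 and 8080 are added to the host-wide `firewall.allowedTCPPorts`, so whatever listens on them is reachable from every interface rather than only the local segment; the commented `# interfaces = [ inetInterface ];` context suggests interface scoping was considered before. 5900 is conventionally a remote-display port whose listeners often assume loopback-only access, so the exposure should be deliberate. If these services are only needed locally or from one network, scope them with `firewall.interfaces.<name>.allowedTCPPorts = [ 5900 8080 ];` and annotate each port with what serves it, e.g. `5900 # <service> display, LAN only`.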
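Review bot: In the `lf` wrapper, `cd_file="/tmp/lf-lastdir"` replaces the per-process `$$` suffix with a fixed name in the shared, world-writable `/tmp`, so every concurrent `lf` session of every account reads and writes the same file, and the remainder of the script (outside this hunk) presumably `cd`s into whatever that file contains. On a host this same commit turns multi-user (`agent`, `work`), another account can pre-create or symlink that path, which is the classic tmpfile hazard in addition to sessions clobbering each other's last directory. If a stable name is wanted, keep it per-user in the private runtime directory: `cd_file="''${XDG_RUNTIME_DIR:-/tmp}/lf-lastdir"` (the `''$` escape is required inside the Nix `''` string), or use a `mktemp`-generated name.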
@@ -228,16 +230,15 @@ }; }; - # services.ollama = { - # enable = true; - # package = pkgs.ollama-cuda; - # home = "/data/ollama"; - # user = "ollama"; - # group = "user"; - # loadModels = [ - # "llama3" - # ]; - # }; + services.ollama = { + enable = true; + package = pkgs.ollama-cuda; + home = "/data/ollama"; + loadModels = [ + "qwen3.6" + "glm-5.1" + ]; + }; # services.open-webui = { # enable = true; # port = 11347; diff --git a/users.nix b/users.nix index 4780839..b56284c 100644 --- a/users.nix +++ b/users.nix @@ -7,6 +7,7 @@ imports = [ ./home/user.nix ./home/root.nix + ./home/agents.nix ]; sops.secrets."user/password" = { neededForUsers = true; @@ -24,17 +25,41 @@ homeMode = "700"; hashedPasswordFile = config.sops.secrets."root/password".path; }; - microvm = { - uid = 999; - isSystemUser = true; - }; - # agent = { + # microvm = { + # uid = 999; + # isSystemUser = true; + # }; + # work = { # uid = 1001; # homeMode = "770"; + # home = "/home/work"; + # isNormalUser = true; + # shell = pkgs.fish; + # group = "work"; + # extraGroups = [ + # "public" + # ]; + # linger = true; + # }; + agent = { + uid = 1002; + homeMode = "770"; + home = "/home/agent"; + shell = pkgs.fish; + isNormalUser = true; + group = "agent"; + extraGroups = [ "public" ]; + linger = true; + }; + # sandbox = { + # uid = 1003; + # homeMode = "770"; + # home = "/home/sandbox"; # shell = pkgs.fish; # isNormalUser = true; - # group = "agents"; - # extraGroups = [ "user" ]; + # group = "sandbox"; + # extraGroups = [ "public" ]; + # linger = true; # }; user = { uid = 1000; @@ -47,14 +72,23 @@ "libvirt" "systemd-journal" "kvm" - "agents" + "public" + "agent" + "sandbox" + "audio" + "video" + "bluetooth" + # "work" ]; hashedPasswordFile = config.sops.secrets."user/password".path; + linger = true; }; }; groups = { user.gid = 1000; - agents.gid = 777; + agent.gid = 1002; + public.gid = 777; + # sandbox.gid = 1003; }; }; } 
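Review bot: The re-enabled `services.ollama` block drops the `user`/`group` lines the commented version carried, so the service now runs under the module's default account; if `/data/ollama` already exists from the earlier setup, its ownership should be checked against that account, and a comment such as `# home must be writable by the service's default account` would record the dependency. Unless `host` is set, the NixOS module keeps the listener on loopback as far as I recall, so the host-wide port openings elsewhere in this commit do not expose it, but that is worth re-checking if the service is ever bound more widely.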
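Review bot: `user` gains membership in `sandbox`, but the `sandbox` account and `sandbox.gid = 1003` are left commented out in the same hunks, so the group is referenced without being defined; either drop `"sandbox"` from `extraGroups` until that account is enabled or define `sandbox.gid = 1003` next to `agent.gid`. `public.gid = 777` reuses the gid of the removed `agents` group, so any files on disk still carrying gid 777 silently become `public`-group files; if that is intended, say so with `# 777 was the former "agents" gid; existing files keep it`. `user`'s membership in `agent` together with `homeMode = "770"` on `/home/agent` grants it read/write into the agent home, which looks like the intended sharing model but deserves a one-line comment at the group list so the trust direction is explicit.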
diff --git a/vms/default.nix b/vms/default.nix deleted file mode 100644 index 2b47a76..0000000 --- a/vms/default.nix +++ /dev/null 
@@ -1,571 +0,0 @@ -{ - nixpkgs, - sops-nix, - impermanence, - home-manager, - ... -}: -{ - systemd.network.netdevs."20-microbr".netdevConfig = { - Kind = "bridge"; - Name = "microbr"; - }; - - systemd.network.networks."20-microbr" = { - matchConfig.Name = "microbr"; - addresses = [ { Address = "192.168.77.1/24"; } ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - - systemd.network.networks."21-microvm-tap" = { - matchConfig.Name = "vm-*"; - networkConfig.Bridge = "microbr"; - }; - - networking.nat = { - enable = true; - internalInterfaces = [ "microbr" ]; - externalInterface = "enp7e0"; - }; - networking.nftables = { - enable = true; - tables.nat = { - family = "ip"; - content = '' - chain postrouting { - type nat hook postrouting priority srcnat; - iifname "microbr" masquerade - } - ''; - }; - }; - - microvm.vms = { - "dealwise" = { - pkgs = import nixpkgs { - system = "x86_64-linux"; - config.allowUnfreePredicate = - pkg: - builtins.elem (nixpkgs.lib.getName pkg) [ - "claude-code" - ]; - }; - - config = - let - hostname = "ai-sandbox"; - mac = "02:00:00:00:00:06"; - in - { - config, - pkgs, - ... 
- }: - { - imports = [ - impermanence.nixosModules.impermanence - sops-nix.nixosModules.sops - home-manager.nixosModules.home-manager - ]; - sops = { - defaultSopsFile = ./secrets/secrets.yaml; - age.keyFile = "/.persist/root/.config/sops/age/keys.txt"; - secrets = { - "wg0/private_key" = { }; - }; - }; - boot.kernel.sysctl."kernel.unprivileged_userns_clone" = 1; - systemd.network = { - enable = true; - networks = { - "10-net" = { - matchConfig.MACAddress = mac; - linkConfig.RequiredForOnline = "routable"; - addresses = [ { Address = "192.168.77.2/24"; } ]; - routes = [ - { - Gateway = "192.168.77.1"; - Metric = 100; - } - { - Destination = "103.69.224.4/32"; - Gateway = "192.168.77.1"; - } - ]; - }; - }; - }; - - services.resolved.enable = false; - environment.etc."resolv.conf".text = '' - nameserver 10.2.0.1 - ''; - networking = { - hostName = hostname; - useNetworkd = true; - useDHCP = false; - firewall.enable = false; - wireguard.interfaces.wg0 = { - ips = [ "10.2.0.2/32" ]; - listenPort = 45974; - privateKeyFile = config.sops.secrets."wg0/private_key".path; - metric = 10; - peers = [ - { - publicKey = "D8Sqlj3TYwwnTkycV08HAlxcXXS3Ura4oamz8rB5ImM="; - endpoint = "103.69.224.4:51820"; - allowedIPs = [ - "0.0.0.0/0" - "::/0" - ]; - persistentKeepalive = 25; - } - ]; - }; - }; - - users.mutableUsers = false; - users.users.root = { - password = ""; - home = "/root"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILABd/iSJ4gn/ystDqNxLJTG0n0z5VIC9YXlmdUfOhHf desktop@icefox.sh" - ]; - }; - users.users.user = { - linger = true; - home = "/home/user"; - password = ""; - group = "user"; - isNormalUser = true; - uid = 1000; - shell = pkgs.fish; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILABd/iSJ4gn/ystDqNxLJTG0n0z5VIC9YXlmdUfOhHf desktop@icefox.sh" - ]; - }; - users.groups.user.gid = 1000; - - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - users.user = { - home.username = "user"; - 
home.homeDirectory = "/home/user"; - home.stateVersion = "25.11"; - home.enableNixpkgsReleaseCheck = false; - xdg.configFile."containers/containers.conf".text = '' - [engine] - compose_warning_logs=false - events_logger="file" - - [containers] - log_driver="k8s-file" - ''; - xdg.configFile."opencode/opencode.json".text = builtins.toJSON { - "$schema" = "https://opencode.ai/config.json"; - plugin = [ "opencode-antigravity-auth@latest" ]; - provider = { - google = { - models = { - antigravity-gemini-3-pro = { - name = "Gemini 3 Pro (Antigravity)"; - limit = { - context = 1048576; - output = 65535; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - variants = { - low = { - thinkingLevel = "low"; - }; - high = { - thinkingLevel = "high"; - }; - }; - }; - antigravity-gemini-3-flash = { - name = "Gemini 3 Flash (Antigravity)"; - limit = { - context = 1048576; - output = 65536; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - variants = { - minimal = { - thinkingLevel = "minimal"; - }; - low = { - thinkingLevel = "low"; - }; - medium = { - thinkingLevel = "medium"; - }; - high = { - thinkingLevel = "high"; - }; - }; - }; - antigravity-claude-sonnet-4-5 = { - name = "Claude Sonnet 4.5 (Antigravity)"; - limit = { - context = 200000; - output = 64000; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - }; - antigravity-claude-sonnet-4-5-thinking = { - name = "Claude Sonnet 4.5 Thinking (Antigravity)"; - limit = { - context = 200000; - output = 64000; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - variants = { - low = { - thinkingConfig = { - thinkingBudget = 8192; - }; - }; - max = { - thinkingConfig = { - thinkingBudget = 32768; - }; - }; - }; - }; - antigravity-claude-opus-4-5-thinking = { - name = "Claude Opus 4.5 Thinking (Antigravity)"; - limit = { - context = 200000; - output = 64000; - 
}; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - variants = { - low = { - thinkingConfig = { - thinkingBudget = 8192; - }; - }; - max = { - thinkingConfig = { - thinkingBudget = 32768; - }; - }; - }; - }; - antigravity-claude-opus-4-6-thinking = { - name = "Claude Opus 4.6 Thinking (Antigravity)"; - limit = { - context = 200000; - output = 64000; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - variants = { - low = { - thinkingConfig = { - thinkingBudget = 8192; - }; - }; - max = { - thinkingConfig = { - thinkingBudget = 32768; - }; - }; - }; - }; - "gemini-2.5-flash" = { - name = "Gemini 2.5 Flash (Gemini CLI)"; - limit = { - context = 1048576; - output = 65536; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - }; - "gemini-2.5-pro" = { - name = "Gemini 2.5 Pro (Gemini CLI)"; - limit = { - context = 1048576; - output = 65536; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - }; - gemini-3-flash-preview = { - name = "Gemini 3 Flash Preview (Gemini CLI)"; - limit = { - context = 1048576; - output = 65536; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - }; - gemini-3-pro-preview = { - name = "Gemini 3 Pro Preview (Gemini CLI)"; - limit = { - context = 1048576; - output = 65535; - }; - modalities = { - input = [ - "text" - "image" - "pdf" - ]; - output = [ "text" ]; - }; - }; - }; - }; - }; - }; - }; - }; - - fileSystems = { - "/.persist".neededForBoot = true; - }; - environment.systemPackages = with pkgs; [ - coreutils - jq - git - fzf - claude-code - neovim - ripgrep - fd - podman-compose - opencode - - php - php.packages.composer - pkgs.nodejs_24 - pkgs.dotnet-sdk_9 - pkgs.go_1_24 - ]; - - programs = { - fish.enable = true; - starship.enable = true; - ssh = { - knownHosts = { - "github.com".publicKey = - "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; - }; - }; - }; - - systemd.tmpfiles.rules = [ - "d /var/log/laravel 0755 1000 1000" - ]; - - environment.persistence."/.persist" = { - enable = true; - hideMounts = true; - directories = [ - "/var/lib/nixos" - ]; - files = [ - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - ]; - users.root = { - files = [ - ".config/sops/age/keys.txt" - ]; - }; - users.user = { - files = [ - ".claude.json" - ".claude.json.backup" - ]; - directories = [ - ".claude" - ".local/share/containers" - ".local/share/opencode" - ]; - }; - }; - - services = { - openssh = { - enable = true; - ports = [ 22 ]; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - PermitRootLogin = "yes"; - AllowUsers = [ - "user" - "root" - ]; - }; - }; - getty = { - autologinUser = "root"; - autologinOnce = true; - }; - }; - - virtualisation = { - containers.enable = true; - podman = { - enable = true; - defaultNetwork.settings.dns_enabled = true; - dockerCompat = true; - }; - }; - - environment.sessionVariables = { - EDITOR = "nvim"; - }; - - microvm = { - hypervisor = "qemu"; - - vcpu = 4; - mem = 8192; - socket = "control.sock"; - - interfaces = [ - { - id = "vm-${hostname}"; - type = "tap"; - mac = mac; - } - ]; - - volumes = [ - { - mountPoint = "/.persist"; - image = "persist.img"; - size = 1024 * 128; - } - { - mountPoint = "/nix/.rw-store"; - image = "nix-store.img"; - size = 1024 * 128; - } - ]; - - writableStoreOverlay = "/nix/.rw-store"; - shares = [ - { - proto = "virtiofs"; - tag = "downloads"; - source = "/home/user/downloads"; - mountPoint = "/home/user/downloads"; - } - { - proto = "virtiofs"; - tag = "pictures"; - source = "/home/user/pictures"; - mountPoint = "/home/user/pictures"; - } - { - proto = "virtiofs"; - tag = "dealwise"; - source = "/home/user/work/dealwise"; - mountPoint = 
"/home/user/work/dealwise"; - } - { - proto = "virtiofs"; - tag = "php-data-transfer-object"; - source = "/home/user/dev/icefox/php/data-transfer-object"; - mountPoint = "/home/user/dev/icefox/php/data-transfer-object"; - } - { - proto = "virtiofs"; - tag = "uni"; - source = "/home/user/uni"; - mountPoint = "/home/user/uni"; - } - { - proto = "virtiofs"; - tag = "dev"; - source = "/home/user/dev"; - mountPoint = "/home/user/dev"; - } - { - proto = "virtiofs"; - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - - qemu.extraArgs = [ - "-cpu" - "host" - ]; - }; - system.stateVersion = "25.11"; - }; - }; - }; -} diff --git a/vms/secrets/secrets.yaml b/vms/secrets/secrets.yaml deleted file mode 100644 index 74be351..0000000 --- a/vms/secrets/secrets.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -ssh: - private_key: ENC[AES256_GCM,data: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,iv:1lU+UUhH4m5OjyDO5s/sNGGGoT/7NxI5Cs1GL5CEIGU=,tag:EG8YZERDyeG/XkCNO7f/cQ==,type:str] -wg0: - private_key: ENC[AES256_GCM,data:nr7y3wp7EtVW6uI6MBSwyMO9YuMyx/F0AZmD8GmuA3BPQTVTsVSctoKIxLE=,iv:KN68DwGuDo+aPP4mBk1MqY+lxFjisKSwXn0w+yngDRQ=,tag:gpjxIFWaZE+5hbYHVsO1ZQ==,type:str] - address: ENC[AES256_GCM,data:9Tnph2SHKeEt9Ss=,iv:CPR1N7fqqlaThGltSpfqeAOc5bAe13KWskGWj3jI8LQ=,tag:xha/hQOVqfUoGyfKbHhnuQ==,type:str] - conf: ENC[AES256_GCM,data:SRDnI+2PvK7Zz1L5XBvrBNejgJEg8DK+qVO5XEtx6Nal+f7IeB3Ascp8Bkit5fd5myn/RxiK80wYmvLkDmcJAk46UjHKOpbxJl1s5FmKDuZJ3c3MXLwH7k2PeZP14VDDlyQqlcyGBrSu74L64ZMh/6EWGKbONTD1Wt3Ykg+/RegzQFDr2CPbj6XQeXsNS2p0ugicP5ffBMTUa9KSYDMQVV80mjSZ246aeY0owU1VUsitdvsCbfxtFd5gr/9zdfOXOvGY/BKxAlvVbszCalNs9DgJDHt/,iv:FP90SvUGnsZJS7F/uxtbOqTvGOgtC4+r2+YgF5FBoQY=,tag:9G1tkXHTpbytmG9T6sTpMw==,type:str] -wg-br0: - private_key: ENC[AES256_GCM,data:AwGwtS6Bkx5SUwxfaz/UaogGQIwqJidHzyOC0EWCA1UzEo1XV+bFKpdvOjg=,iv:O5RTjtNHC3lY+uVb6JBTwCrxpDSOsVAy8VOvsSatr0M=,tag:HelKY1PtxI3Zi+9Alrw+Ow==,type:str] -sops: - age: - - recipient: age1y0tj3kt67pfnj38t9c8g2ghry3a0mhcq8rrqv5xr4jekwepxaelqzu3dkf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtOHZSRkpBVVdUUk9OYUFH - cVBra014WXJyRTJ0QWFKallLQlc0SXhNSlFBCmpwME92M2lCN2liVjZBRndlSVBk - OEpUU1YyakdCa0xVaHdhRlpXbGxYdUEKLS0tIDFlV1k0Qkx1UDd2NUVHTTI3NDZE - OWhIdUxDcHB4Z3dTdDkyZWF6NEJCYzAKfPB9AZFQ08yqil+4AhIi6EMy8PXI4CAz - lK4ON/M67T0UrlWN/m3pryOOr4Lj4oiZvdOR0BCO3kn4Pj0nq5jQOA== - -----END AGE ENCRYPTED FILE----- - - recipient: age16v8w7q4wmn22hhakq2uzaus2508rhldm7lcwh0kukshzjzyhuqesqz44ze - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSC9Td1NTMzk2NlJDTDNM - UVUzTSt1dGkrUVRGT1UzeXcwR1REN1U0dW5JCnNJRzdKZHVyR0dzaUw2TlVzQnQ2 - SHhSSGlDWUNBSXZiME5GM0JPTFRseDQKLS0tIEFnOXgzWFo2Rmo2THN4VFFIY1h0 - 
OEZ4WUp1QlVrTkVTN1BHMG0yaXFuSk0KLw3ZuvWTurJDTpyoq5YafLm8YFT4v4Vh - s+ay8ju3kA1CKjMF3gBQF08EoCdP/jU6tZerNwwcs17el5zIvRmG7Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-06T22:06:59Z" - mac: ENC[AES256_GCM,data:IJXeoVdP8/R51hHNTkpYSj9f1bGRBh5PtlEdbcXuD12DFGZtEFcAeBgfKHSnYBRxZMedd/IxhsQYNatW8T/spAuPi0dEh2mnn9yz3evGjkc1WKGOy24Ou3xhZBboo9tzYfkX3PVGd10kx+vTJh3by7Eq4LjAfyq1vyGj1g3S5nU=,iv:wQsntFE/TO0Z5An9U7yYUIQ/nXbo5nnUQ9ukVMm0KRo=,tag:D9HpVrYEbzaCktzGmD0xvg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.11.0