# Host-side NixOS module that defines one microvm guest ("dealwise", guest
# hostname "ai-sandbox") used as an isolated workspace for AI coding tools.
# The host provides a bridge plus NAT; the guest gets a fixed address on that
# bridge and sends all of its egress through a WireGuard tunnel.
#
# Flake inputs arrive as module arguments; everything else comes from the
# NixOS module system.
{ nixpkgs, sops-nix, impermanence, home-manager, ... }:

let
  # Name of the host-side bridge every guest tap device is enslaved to.
  bridgeName = "microbr";
in
{
  # ------------------------------------------------------------------------
  # Host networking: a carrier-less bridge and tap attachment for the guest.
  # ------------------------------------------------------------------------
  systemd.network = {
    netdevs."20-microbr".netdevConfig = {
      Kind = "bridge";
      Name = bridgeName;
    };

    networks = {
      "20-microbr" = {
        matchConfig.Name = bridgeName;
        addresses = [ { Address = "192.168.77.1/24"; } ];
        # The bridge has no carrier until a tap is attached; configure it anyway
        # so the host address exists before the guest boots.
        networkConfig.ConfigureWithoutCarrier = true;
      };

      # microvm tap devices are named "vm-<guest hostname>"; all of them join
      # the bridge.
      "21-microvm-tap" = {
        matchConfig.Name = "vm-*";
        networkConfig.Bridge = bridgeName;
      };
    };
  };

  networking = {
    # NOTE(review): confirm the uplink really is "enp7e0" — most predictable
    # interface names look like enp7s0, and a wrong name silently disables NAT.
    nat = {
      enable = true;
      internalInterfaces = [ bridgeName ];
      externalInterface = "enp7e0";
    };

    nftables = {
      enable = true;
      # Explicit masquerade for anything entering via the bridge, in addition
      # to the rules networking.nat generates.
      tables.nat = {
        family = "ip";
        content = ''
          chain postrouting {
            type nat hook postrouting priority srcnat;
            iifname "${bridgeName}" masquerade
          }
        '';
      };
    };
  };

  # ------------------------------------------------------------------------
  # The guest.
  # ------------------------------------------------------------------------
  microvm.vms.dealwise = {
    # Guest package set. Unfree is allowed for exactly one package.
    pkgs = import nixpkgs {
      system = "x86_64-linux";
      config.allowUnfreePredicate = p:
        builtins.elem (nixpkgs.lib.getName p) [ "claude-code" ];
    };

    config =
      let
        guestName = "ai-sandbox";
        guestMac = "02:00:00:00:00:06";

        # The same admin key is authorised for both guest accounts.
        adminKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILABd/iSJ4gn/ystDqNxLJTG0n0z5VIC9YXlmdUfOhHf desktop@icefox.sh";

        # opencode provider configuration, rendered to JSON below.
        opencodeConfig =
          let
            # Every model here accepts text/image/pdf and emits text.
            textImagePdf = {
              input = [ "text" "image" "pdf" ];
              output = [ "text" ];
            };

            # Build one model entry; `extra` carries optional keys (variants).
            model = name: context: output: extra:
              {
                inherit name;
                limit = { inherit context output; };
                modalities = textImagePdf;
              } // extra;

            # Thinking-level variant set for the Gemini 3 models.
            levels = names:
              builtins.listToAttrs (map (l: { name = l; value = { thinkingLevel = l; }; }) names);

            # Thinking-budget variant set shared by the Claude "thinking" models.
            claudeBudgets = {
              low = { thinkingConfig.thinkingBudget = 8192; };
              max = { thinkingConfig.thinkingBudget = 32768; };
            };
          in
          {
            "$schema" = "https://opencode.ai/config.json";
            plugin = [ "opencode-antigravity-auth@latest" ];
            provider.google.models = {
              "antigravity-gemini-3-pro" =
                model "Gemini 3 Pro (Antigravity)" 1048576 65535
                  { variants = levels [ "low" "high" ]; };
              "antigravity-gemini-3-flash" =
                model "Gemini 3 Flash (Antigravity)" 1048576 65536
                  { variants = levels [ "minimal" "low" "medium" "high" ]; };
              "antigravity-claude-sonnet-4-5" =
                model "Claude Sonnet 4.5 (Antigravity)" 200000 64000 { };
              "antigravity-claude-sonnet-4-5-thinking" =
                model "Claude Sonnet 4.5 Thinking (Antigravity)" 200000 64000
                  { variants = claudeBudgets; };
              "antigravity-claude-opus-4-5-thinking" =
                model "Claude Opus 4.5 Thinking (Antigravity)" 200000 64000
                  { variants = claudeBudgets; };
              "antigravity-claude-opus-4-6-thinking" =
                model "Claude Opus 4.6 Thinking (Antigravity)" 200000 64000
                  { variants = claudeBudgets; };
              "gemini-2.5-flash" =
                model "Gemini 2.5 Flash (Gemini CLI)" 1048576 65536 { };
              "gemini-2.5-pro" =
                model "Gemini 2.5 Pro (Gemini CLI)" 1048576 65536 { };
              "gemini-3-flash-preview" =
                model "Gemini 3 Flash Preview (Gemini CLI)" 1048576 65536 { };
              "gemini-3-pro-preview" =
                model "Gemini 3 Pro Preview (Gemini CLI)" 1048576 65535 { };
            };
          };

        # A virtiofs share mounted in the guest at the same path it has on
        # the host.
        mirrored = tag: path: {
          proto = "virtiofs";
          inherit tag;
          source = path;
          mountPoint = path;
        };
      in
      { config, pkgs, ... }: {
        imports = [
          impermanence.nixosModules.impermanence
          sops-nix.nixosModules.sops
          home-manager.nixosModules.home-manager
        ];

        # Secrets: the age key lives on the persistent volume (root is
        # ephemeral); only the WireGuard private key is decrypted here.
        sops = {
          defaultSopsFile = ./secrets/secrets.yaml;
          age.keyFile = "/.persist/root/.config/sops/age/keys.txt";
          secrets."wg0/private_key" = { };
        };

        # Unprivileged user namespaces — presumably for rootless podman below.
        boot.kernel.sysctl."kernel.unprivileged_userns_clone" = 1;

        systemd = {
          network = {
            enable = true;
            networks."10-net" = {
              matchConfig.MACAddress = guestMac;
              linkConfig.RequiredForOnline = "routable";
              addresses = [ { Address = "192.168.77.2/24"; } ];
              routes = [
                { Gateway = "192.168.77.1"; Metric = 100; }
                # Host route for the WireGuard endpoint so it stays reachable
                # via the bridge once wg0 (metric 10) owns the default route.
                { Destination = "103.69.224.4/32"; Gateway = "192.168.77.1"; }
              ];
            };
          };
          tmpfiles.rules = [ "d /var/log/laravel 0755 1000 1000" ];
        };

        # Static resolver; 10.2.0.1 sits inside the tunnel's address range,
        # so DNS presumably goes to the WireGuard peer — verify.
        environment.etc."resolv.conf".text = ''
          nameserver 10.2.0.1
        '';

        networking = {
          hostName = guestName;
          useNetworkd = true;
          useDHCP = false;
          # NOTE(review): no guest firewall. The only ingress paths are the host
          # bridge (192.168.77.0/24) and wg0; anything the host or the WireGuard
          # peer can route to this guest reaches sshd and any dev servers
          # directly.
          firewall.enable = false;

          wireguard.interfaces.wg0 = {
            ips = [ "10.2.0.2/32" ];
            listenPort = 45974;
            privateKeyFile = config.sops.secrets."wg0/private_key".path;
            metric = 10;
            peers = [
              {
                publicKey = "D8Sqlj3TYwwnTkycV08HAlxcXXS3Ura4oamz8rB5ImM=";
                endpoint = "103.69.224.4:51820";
                # Full tunnel: all guest egress leaves through the peer.
                allowedIPs = [ "0.0.0.0/0" "::/0" ];
                persistentKeepalive = 25;
              }
            ];
          };
        };

        users = {
          mutableUsers = false;

          # NOTE(review): both accounts carry an empty password and root may log
          # in over SSH (key-only, see services.openssh). That is workable for a
          # throwaway sandbox only while the guest is reachable solely from the
          # host bridge and the tunnel peer — confirm nothing forwards TCP/22
          # inward.
          users.root = {
            password = "";
            home = "/root";
            openssh.authorizedKeys.keys = [ adminKey ];
          };

          users.user = {
            isNormalUser = true;
            uid = 1000;
            group = "user";
            home = "/home/user";
            password = "";
            shell = pkgs.fish;
            # Keep the user's systemd instance alive without an active session.
            linger = true;
            openssh.authorizedKeys.keys = [ adminKey ];
          };

          groups.user.gid = 1000;
        };

        home-manager = {
          useGlobalPkgs = true;
          useUserPackages = true;
          users.user = {
            home = {
              username = "user";
              homeDirectory = "/home/user";
              stateVersion = "25.11";
              enableNixpkgsReleaseCheck = false;
            };
            xdg.configFile = {
              "containers/containers.conf".text = ''
                [engine]
                compose_warning_logs=false
                events_logger="file"
                [containers]
                log_driver="k8s-file"
              '';
              "opencode/opencode.json".text = builtins.toJSON opencodeConfig;
            };
          };
        };

        fileSystems."/.persist".neededForBoot = true;

        environment = {
          systemPackages = with pkgs; [
            coreutils
            jq
            git
            fzf
            claude-code
            neovim
            ripgrep
            fd
            podman-compose
            opencode
            php
            php.packages.composer
            nodejs_24
            dotnet-sdk_9
            go_1_24
          ];

          sessionVariables.EDITOR = "nvim";

          # What survives a reboot of the otherwise ephemeral root.
          persistence."/.persist" = {
            enable = true;
            hideMounts = true;
            directories = [ "/var/lib/nixos" ];
            # Stable SSH host keys, so clients do not see a changed key.
            files = [
              "/etc/ssh/ssh_host_ed25519_key"
              "/etc/ssh/ssh_host_ed25519_key.pub"
              "/etc/ssh/ssh_host_rsa_key"
              "/etc/ssh/ssh_host_rsa_key.pub"
            ];
            users.root.files = [ ".config/sops/age/keys.txt" ];
            users.user = {
              files = [ ".claude.json" ".claude.json.backup" ];
              directories = [ ".claude" ".local/share/containers" ".local/share/opencode" ];
            };
          };
        };

        programs = {
          fish.enable = true;
          starship.enable = true;
          # Pinned GitHub host key: no trust-on-first-use prompt on first clone.
          ssh.knownHosts."github.com".publicKey =
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
        };

        services = {
          resolved.enable = false;

          openssh = {
            enable = true;
            ports = [ 22 ];
            settings = {
              PasswordAuthentication = false;
              KbdInteractiveAuthentication = false;
              PermitRootLogin = "yes";
              AllowUsers = [ "user" "root" ];
            };
          };

          # The VM console logs in as root automatically, once per boot.
          getty = {
            autologinUser = "root";
            autologinOnce = true;
          };
        };

        virtualisation = {
          containers.enable = true;
          podman = {
            enable = true;
            dockerCompat = true;
            defaultNetwork.settings.dns_enabled = true;
          };
        };

        microvm = {
          hypervisor = "qemu";
          vcpu = 4;
          mem = 8192;
          socket = "control.sock";
          interfaces = [
            { id = "vm-${guestName}"; type = "tap"; mac = guestMac; }
          ];
          # Sizes are presumably MiB (microvm convention), i.e. 128 GiB each.
          volumes = [
            { mountPoint = "/.persist"; image = "persist.img"; size = 1024 * 128; }
            { mountPoint = "/nix/.rw-store"; image = "nix-store.img"; size = 1024 * 128; }
          ];
          writableStoreOverlay = "/nix/.rw-store";
          # NOTE(review): these host directories are exposed into the sandbox
          # via virtiofs; unless the host exports them read-only, whatever runs
          # in the guest can modify them, so the VM boundary does not cover
          # this data.
          shares = [
            (mirrored "downloads" "/home/user/downloads")
            (mirrored "pictures" "/home/user/pictures")
            (mirrored "dealwise" "/home/user/work/dealwise")
            (mirrored "php-data-transfer-object" "/home/user/dev/icefox/php/data-transfer-object")
            (mirrored "uni" "/home/user/uni")
            (mirrored "dev" "/home/user/dev")
            {
              proto = "virtiofs";
              tag = "ro-store";
              source = "/nix/store";
              mountPoint = "/nix/.ro-store";
            }
          ];
          qemu.extraArgs = [ "-cpu" "host" ];
        };

        system.stateVersion = "25.11";
      };
  };
}