Refactor/flake dedup and wsl input (#3)

* fix: configure docker for EDaaS WSL VDI

Enable rootful docker with the Docker Desktop proxy patch, add emmathorpe to the docker group, disable resolvconf and enable nix-ld.

* feat: flesh out work module and pin claude-code to nixpkgs unstable

Migrate git config to the settings option, fix the signing key path and email, add argo-rollouts/google-cloud-sdk and other tooling, and enable go. claude-code is sourced from the nixpkgs-unstable overlay.

* chore: update personal git, delta and editor config

Move git config to the settings option, switch to the standalone programs.delta module with git integration, add commitizen, and treat Jenkinsfiles as groovy.

* refactor: dedupe flake with mkHost and add nixos-wsl flake input

Extract a shared mkHost helper to remove duplicated home-manager scaffolding, add nixos-wsl as a flake input so the EDaaS host builds without --impure, source claude-code via a nixpkgs-unstable overlay, and expose a nixfmt formatter output.

* style: format nix files with nixfmt

* refactor: migrate to stable nixpkgs 26.05 and track upstream asahi flake

Pin nixpkgs to nixos-26.05 and home-manager to release-26.05; claude-code stays bleeding-edge via the nixpkgs-unstable overlay.

Centralize allowUnfree and experimental-features in mkHost and pin nix.registry/nixPath to the flake nixpkgs.

Replace the vendored apple-silicon-support module with the nixos-apple-silicon flake input, dropping ~8.8k lines of vendored code.

Fix stable-induced package renames: neofetch -> fastfetch, noto-fonts-emoji -> noto-fonts-color-emoji.

* refactor: adopt flake-parts with host table and scoped unfree

Wrap outputs in flake-parts.lib.mkFlake, replacing forAllSystems boilerplate with systems + perSystem. Drop the unused self argument.

Collapse the three mkHost calls into a hosts attrset mapped with lib.mapAttrs; adding a machine is now a single table entry.

Replace blanket allowUnfree with an allowUnfreePredicate allowlist (claude-code, lens). Add devShells.default (nixfmt, nil, git) and a checks.formatting nixfmt --check gate.

* docs(flake): annotate inputs, mkHost, host table and perSystem

Explanatory comments only; no eval change (drvPath identical).

* refactor(home): split home-manager into focused modules; clarify desktop scope

Break the home.nix monolith into emmathorpe/home/{default,shell,git,editor,desktop}.nix. The host table now composes desktop.nix onto graphical hosts only, so element-desktop, the Sway session vars and cursor theme are no longer installed on the headless WSL host.

Consolidate chat apps: legcord moves from user.nix (system) into the home desktop module alongside element-desktop. The tty1 'exec sway' autostart moves into desktop.nix so it never runs on headless hosts.

Desktop functionality: add xdg.portal (wlr + gtk) in swaywm.nix to enable screen sharing and native file pickers for Element and Firefox under wlroots.

* feat(desktop): declarative Sway config with idle-lock, notifications and bar

Add emmathorpe/home/sway.nix managing wayland.windowManager.sway (package = null, reusing the system Sway wrapper) plus swaylock, swayidle, dunst and an i3status-rust bar. home-manager's systemd integration wires sway-session.target so the swayidle/dunst user services start with the session.

swayidle locks after 5 min, powers outputs off after 10, and locks before sleep. Media/brightness keys use wpctl (pipewire) and brightnessctl; the launcher is sway-launcher-desktop in a floating foot window; keyboard is set to dvorak to match the console.

Move swaylock/swayidle/dunst/i3status-rust out of the system programs.sway extraPackages (now home-managed). Add security.pam.services.swaylock on the MBP host so the lock screen can authenticate (X1 already had it with fingerprint auth).

---------

Co-authored-by: Emma Thorpe <emma.thorpe@citrix.com>

flake.nix

@@ -2,59 +2,172 @@
   description = "NixOS configuration";
 
   inputs = {
-	nixpkgs.url = "nixpkgs/nixos-unstable";
-	nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-	home-manager.url = "github:nix-community/home-manager";
-  home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    # Pinned stable channel; the single source of truth for every host.
+    nixpkgs.url = "nixpkgs/nixos-26.05";
+    # Bleeding-edge channel, used only to pull individual packages via overlay.
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    # Home-manager release matched to the stable nixpkgs; `follows` keeps a single nixpkgs eval.
+    home-manager.url = "github:nix-community/home-manager/release-26.05";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    # WSL module for the EDaaS host; flake input avoids the impure <nixos-wsl> NIX_PATH lookup.
+    nixos-wsl.url = "github:nix-community/NixOS-WSL";
+    nixos-wsl.inputs.nixpkgs.follows = "nixpkgs";
+    # Apple Silicon (Asahi) support for the MacBook host.
+    nixos-apple-silicon.url = "github:nix-community/nixos-apple-silicon";
+    nixos-apple-silicon.inputs.nixpkgs.follows = "nixpkgs";
+    # Provides mkFlake: the systems/perSystem scaffolding used below.
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
   };
 
-  outputs = inputs @ { self, nixpkgs, home-manager, ... }: {
-    nixosConfigurations.emmathorpe-mbp = nixpkgs.lib.nixosSystem {
-      system = "aarch64-linux";  
-	    specialArgs = { inherit inputs; };
-      modules = [
-        ./system/machine/MBP-Asahi/configuration.nix
-	      ./emmathorpe/user.nix
-	      ./emmathorpe/swaywm.nix
-	      home-manager.nixosModules.home-manager 
-        {
-		      home-manager.useGlobalPkgs = true;
-		      home-manager.useUserPackages = true;
-		      home-manager.users.emmathorpe = import ./emmathorpe/home.nix;
-	      }
-      ];
-    };
-    nixosConfigurations.emmathorpe-x1c = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";  
-      specialArgs = { inherit inputs; };
-      modules = [
-        ./system/machine/X1/configuration.nix
-	      ./emmathorpe/user.nix
-	      ./emmathorpe/swaywm.nix
-	      home-manager.nixosModules.home-manager
-	      {
-		      home-manager.useGlobalPkgs = true;
-		      home-manager.useUserPackages = true;
-		      home-manager.users.emmathorpe = import ./emmathorpe/home.nix;
-	      }
-      ];
-    };
-    nixosConfigurations.emmathorpe-edaas = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";  
-      specialArgs = { inherit inputs; };
-      modules = [
+  outputs =
+    inputs@{
+      flake-parts,
+      nixpkgs,
+      nixpkgs-unstable,
+      home-manager,
+      nixos-wsl,
+      nixos-apple-silicon,
+      ...
+    }:
+    flake-parts.lib.mkFlake { inherit inputs; } (
+      { lib, ... }:
+      let
+        # claude-code tracks nixpkgs-unstable regardless of the pinned nixpkgs.
+        overlays = [
+          (final: prev: {
+            claude-code =
+              (import nixpkgs-unstable {
+                inherit (prev.stdenv.hostPlatform) system;
+                config.allowUnfree = true;
+              }).claude-code;
+          })
+        ];
+
+        # Unfree packages permitted to be built (replaces blanket allowUnfree).
+        unfreePackages = [
+          "claude-code"
+          "lens"
+          "lens-desktop"
+        ];
+
+        # Shared scaffolding for every host: common user, overlays, home-manager.
+        baseModules = [
+          ./emmathorpe/user.nix
+          {
+            nixpkgs.overlays = overlays;
+            nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) unfreePackages;
+            nix.settings.experimental-features = [
+              "nix-command"
+              "flakes"
+            ];
+            # Make `nix shell nixpkgs#...` and <nixpkgs> use the pinned nixpkgs.
+            nix.registry.nixpkgs.flake = nixpkgs;
+            nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
+          }
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.extraSpecialArgs = { inherit inputs; };
+          }
+        ];
+
+        # mkHost :: { system, modules } -> nixosSystem
+        # Builds one machine by appending its host-specific modules to the shared
+        # baseModules. `inputs` is threaded into specialArgs so any module can
+        # reach the flake inputs (e.g. the work module uses inputs for claude-code).
+        mkHost =
+          { system, modules }:
+          nixpkgs.lib.nixosSystem {
+            inherit system;
+            specialArgs = { inherit inputs; };
+            modules = baseModules ++ modules;
+          };
+
+        # Host table — declarative registry of every machine. To add a host:
+        # give it a name, its `system`, and the list of machine-specific modules.
+        # mapAttrs below turns each entry into a nixosConfiguration of the same name.
+        hosts = {
+          emmathorpe-mbp = {
+            system = "aarch64-linux";
+            modules = [
+              ./system/machine/MBP-Asahi/configuration.nix
+              nixos-apple-silicon.nixosModules.default
+              ./emmathorpe/swaywm.nix
+              {
+                home-manager.users.emmathorpe.imports = [
+                  ./emmathorpe/home
+                  ./emmathorpe/home/desktop.nix
+                ];
+              }
+            ];
+          };
+
+          emmathorpe-x1c = {
+            system = "x86_64-linux";
+            modules = [
+              ./system/machine/X1/configuration.nix
+              ./emmathorpe/swaywm.nix
+              {
+                home-manager.users.emmathorpe.imports = [
+                  ./emmathorpe/home
+                  ./emmathorpe/home/desktop.nix
+                ];
+              }
+            ];
+          };
+
+          emmathorpe-edaas = {
+            system = "x86_64-linux";
+            modules = [
               ./system/machine/EDaaS/configuration.nix
-	      ./emmathorpe/user.nix
-        ./emmathorpe/swaywm.nix
-        home-manager.nixosModules.home-manager
-        {
-	        home-manager.useGlobalPkgs = true;
-	        home-manager.useUserPackages = true;
-	        home-manager.extraSpecialArgs = { inherit inputs; };
+              nixos-wsl.nixosModules.default
+              ./emmathorpe/swaywm.nix
+              {
+                home-manager.users.emmathorpe.imports = [
+                  ./emmathorpe/home
+                  ./system/modules/work/default.nix
+                ];
+              }
+            ];
+          };
+        };
+      in
+      {
+        systems = [
+          "x86_64-linux"
+          "aarch64-linux"
+        ];
 
-          home-manager.users.emmathorpe.imports = [ ./emmathorpe/home.nix ./system/modules/work/default.nix ];
-        }
-      ];
-    };
-  };
+        # perSystem is evaluated once per entry in `systems`; `pkgs` is the
+        # nixpkgs instance for that system. Outputs here become per-system
+        # attrsets automatically (e.g. devShells.<system>.default).
+        perSystem =
+          { pkgs, ... }:
+          {
+            # `nix fmt` formatter for the repo.
+            formatter = pkgs.nixfmt;
+
+            # `nix develop` shell with the tooling needed to hack on this flake.
+            devShells.default = pkgs.mkShellNoCC {
+              packages = with pkgs; [
+                nixfmt
+                nil
+                git
+              ];
+            };
+
+            checks.formatting =
+              pkgs.runCommandLocal "check-formatting" { nativeBuildInputs = [ pkgs.nixfmt ]; }
+                ''
+                  # Generated hardware-configuration.nix files are excluded.
+                  nixfmt --check $(find ${./.} -name '*.nix' -not -name 'hardware-configuration.nix') && touch $out
+                '';
+          };
+
+        # Realise the host table: each `hosts` entry becomes a nixosConfiguration.
+        flake.nixosConfigurations = lib.mapAttrs (_name: mkHost) hosts;
+      }
+    );
 }