Flesh out programs.htop: tree view, sensible highlights, hidden kernel
threads, left CPU/Memory/Swap bar meters and right Tasks/LoadAverage/Uptime
text meters. color_scheme = 0 inherits the terminal's Catppuccin Mocha
palette, as htop has no custom-theme support of its own.
Drop the explicit pkgs.htop: programs.htop.enable already installs it.
The zcompdump reset was declared under home.actiVation (stray capital V),
an unknown option that fails module evaluation, so the activation script
never ran. Restore the correct home.activation attribute.
Extend the daily Renovate review so it triages instead of only advising,
and surface results in the interactive shell.
- Auto-approve: PRs graded low risk (patch/minor bumps to tooling, infra,
test or framework libs; symmetric diff; CI passing; no app logic) that
are not already approved get an APPROVE review via
pull_request_review_write. These repos automerge on approval, so this
merges them with no human in the loop -- intentional. Medium/high risk,
failing/pending CI, stale branches and anything needing judgement are
left untouched for Emma. No merge tool is granted.
- State + reminder: each run records ~/.local/state/renovate-review/
{last-run,needs-review.txt}. A once-a-day interactive zsh reminder
(programs.zsh.initContent) warns if the timer hasn't run, lists the PRs
needing review, or confirms an all-clear.
Verified: nix build (eval + shellcheck) green; triage parsing and the
reminder's run/stale/all-clear/throttle branches exercised against
synthetic state. The first live auto-approval is left for a supervised
scheduled/manual run.
Add a systemd user timer on the EDaaS/WSL host that runs Claude Code
headless once a day (08:47) to review Renovate dependency PRs awaiting
Emma's review. It queries GitHub via the project-scoped github MCP
server, excludes PRs against archived repositories, grades each PR's
risk, and writes a recommendation-only summary to the journal
(journalctl --user -u renovate-review). It never approves or merges.
- lyrathorpe/home/renovate-review.nix: wrapper + service + timer.
Auth is Vertex AI via the inherited project/region/model env; Claude
Code provisions its own network egress, so no proxy is set. The
prompt lives in a store file so its literal backticks/$ don't trip
shellcheck in the wrapper.
- lyrathorpe/home/work.nix: import the module (host-scoped to EDaaS).
- system/machine/EDaaS/configuration.nix: enable user linger so the
timer fires without an attached login session.
Touch ID for sudo failed because pam_tid can't reach the GUI session
from inside tmux (terminals here auto-start tmux); enable sudo_local
reattach (pam_reattach) so the session is re-attached first. Also drop
the dock autohide and tilesize defaults.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
nix-darwin 26.05 forces activation to run as root, and mas cannot reach
the App Store/StoreKit session from root, so homebrew.masApps silently
failed to install. Remove the masApps list; install those apps by hand
with `mas install <id>` from a GUI Terminal. The mas CLI stays in
systemPackages for that.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Vendor the auto-memory directory into the repo (claude/memory/) and
symlink it read-only into ~/.claude/memory. Recall keeps working; the
runtime "save a memory" path no longer writes there. CLAUDE.md instructs
Claude to add/change memories in this repo and rebuild instead, so the
flake stays the single source of truth. README documents the split.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
programs.claude-code on every host: the global CLAUDE.md (persona) and
the Soviet Engineer output style are now declared. settings.json is left
unmanaged on purpose — Claude rewrites it at runtime (permission grants,
/config) and a read-only store symlink would break those writes. Drops
the now-redundant explicit claude-code package from work.nix (the module
installs it).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update the home README (editor plugins + format-on-save, btop/lazygit/
hyperfine/sd, git aliases, tmux extrakto, fonts/emoji coverage),
KEYBINDINGS (telescope/trouble/comment), and the top README (shared
module layers + nix-flake-check CI). Correct the last work/default.nix
reference in default.nix.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the formatting-only build with `nix flake check`, so deadnix,
statix and the pre-commit hooks are enforced in CI (not just local
hooks). Add the nix-community binary cache to the runner's nix config to
speed up the check closure. The explicit per-host eval pass is kept for
granular output.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Touch ID now authorises sudo (via sudo_local, update-safe). Adds the
standard system.defaults blocks — dock autohide / no-recents, Finder
extensions + path bar + list view, dark mode, fast key repeat, trackpad
tap-to-click — so the Mac's UI is managed declaratively too.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Polkit authentication agent (lxqt-policykit) as a sway-session user
service — programs.sway only enables the daemon, so GUI auth dialogs
(nemo mount, NM/blueman) previously failed silently. Corrected the
header comment that wrongly claimed the agent was handled system-side.
- kanshi for output/display management (safe internal-panel default; a
documented template for docked/Cinema-Display profiles).
- gammastep night-light (manual location; adjust coordinates).
- inhibit_idle on fullscreen so video doesn't get blanked/locked.
- logind lid policy on the laptops: suspend on battery, lock on AC.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
In common-nixos.nix (every NixOS host):
- programs.nix-ld for all hosts, not just WSL — foreign dynamic binaries
(VS Code server, prebuilt toolchains) run on the dev boxes too. Removed
the now-redundant per-host enable from the EDaaS config.
- nix-community.cachix.org substituter (merges with the Asahi cache).
- Noto sans + colour-emoji fonts and fontconfig defaultFonts mapping, so
the WSL box (and anything asking fontconfig for "monospace") stops
rendering tofu.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- thermald on the x86 hosts (guarded; the Asahi MBP self-governs).
- T400 battery charge thresholds (75/80) via tp_smapi; tlp itself comes
from the nixos-hardware profile.
- Bluetooth (bluez + powerOnBoot) and blueman on the laptops — the MBP
already loads Apple BT firmware but bluez was never running.
- earlyoom + fwupd on the physical graphical hosts; zram on the Mac Pro.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
New system/modules/ssh.nix disables password and keyboard-interactive
auth and root login, and installs the authorized key for the primary
user. Imported by the two hosts that run sshd; each still enables the
service and opens port 22 in its own config.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
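The shape of such a module, as an added illustration rather than the repo's own system/modules/ssh.nix. The username, the key, and the use of lib.mkForce are assumptions; the commit message only says the module disables password/keyboard-interactive auth and root login and installs the primary user's key, and that each importing host enables sshd and opens port 22 itself:

```nix
# Added example, not the repository's file. Hardening only: services.openssh.enable
# and networking.firewall.allowedTCPPorts stay in each host's own config.
{ lib, ... }:
let
  # Assumed placeholders: the log names neither the account nor the key.
  primaryUser = "emma";
  primaryKey = "ssh-ed25519 AAAA-REPLACE-WITH-THE-REAL-PUBLIC-KEY";
in
{
  services.openssh.settings = {
    # mkForce so a per-host override cannot quietly re-enable password login.
    PasswordAuthentication = lib.mkForce false;
    KbdInteractiveAuthentication = lib.mkForce false;
    PermitRootLogin = lib.mkForce "no";
    # Belt and braces: even if another module flips a flag above,
    # sshd only accepts the publickey method.
    AuthenticationMethods = "publickey";
  };

  users.users.${primaryUser}.openssh.authorizedKeys.keys = [ primaryKey ];
}
```

After a rebuild, confirm the effective daemon config with `sudo sshd -T | grep -Ei 'passwordauthentication|kbdinteractiveauthentication|permitrootlogin|authenticationmethods'`; every line should show the hardened value, regardless of what the host config says elsewhere.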
T400 gets the generic lenovo-thinkpad + common-pc-laptop(-ssd) +
common-cpu-intel blocks (no t400-specific profile exists); this also
enables tlp and the tp_smapi/acpi_call battery tooling. Mac Pro 3,1 gets
common-pc-ssd + common-cpu-intel. nixos-hardware follows our nixpkgs to
keep a single nixpkgs in the closure.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Set programs.zsh.dotDir to ~/.config/zsh, adopting the new home-manager
default and silencing the dotDir deprecation warning on rebuild. Pin
history.path to the existing ~/.zsh_history so the move doesn't orphan it,
and extend the zcompdump-reset activation to the new $ZDOTDIR location
(legacy $HOME and cache paths still swept). README updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rewrite editor.nix on programs.nixvim, keeping every prior feature: file
tree (nvim-tree, toggle ,,), indent guides (indent-blankline), fugitive,
vim-tmux-navigator, Catppuccin Mocha, 2-space hard tabs, and the
*Jenkinsfile=groovy rule. Replace the inert ALE with a real LSP stack —
nvim-lspconfig, nvim-cmp completion, and tree-sitter for highlighting.
Leader is Space; LSP keymaps gd/gr/K/<leader>rn/<leader>ca.
Universal servers: nil (Nix), lua_ls, pyright (Python), terraformls. The
work box (work.nix) additionally enables omnisharp (C#) and helm_ls (Helm),
so the heavy omnisharp closure stays off the personal machines.
default.nix drops VISUAL=vim so nixvim's defaultEditor owns $EDITOR/$VISUAL.
README and KEYBINDINGS updated (and two stale references corrected).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Declarative Neovim, on the nixos-26.05 release branch and following our
nixpkgs to keep a single nixpkgs in the closure. Consumed by
lyrathorpe/home/editor.nix.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- treefmt-nix drives `nix fmt` and the formatting check (nixfmt/shfmt/
prettier; generated files and flake.lock excluded). Replaces the
bespoke find-based check.
- deadnix and statix as flake checks and pre-commit hooks; deadnix
ignores module-arg patterns, statix.toml disables the two house-style
lints (repeated_keys, empty_pattern). Fixed the one real deadnix hit
(unused overlay arg) and statix hit (use inherit for claude-code).
- git-hooks.nix installs the pre-commit gate via the devShell.
- .editorconfig for the base style.
- Move system/modules/work/default.nix -> lyrathorpe/home/work.nix (it is
a home-manager module). README gains a Development section; docs
reformatted by the new formatter.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- common-nixos: nix.settings.auto-optimise-store + larger download buffer.
- workstation: fstrim, boot.tmp.cleanOnBoot, and the shared graphical
options moved here from the per-host configs (pipewire, swaylock PAM
stub, redistributable firmware) -- MBP-Asahi gains audio it lacked.
- T400: zramSwap for the low-RAM host.
- MBP-Asahi: nixos-apple-silicon binary cache substituter.
- MacPro31 README: describe the real (LVM/UUID) hardware config; it is no
longer a placeholder.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update the interactive-shell README and keybindings reference for changes
made after the initial docs commit: no scheduled GC (manual only),
NO_TMUX escape hatch, default-terminal tmux-256color + truecolor, the
JetBrainsMono Nerd Font (new Fonts section + iTerm2 caveat), the
UseKeychain IgnoreUnknown guard, and the vim-tmux-navigator (Ctrl-hjkl) +
resurrect save/restore tmux bindings.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
nixpkgs' openssh lacks Apple's keychain patch, so `UseKeychain yes` is
rejected as "Bad configuration option" when that ssh is on PATH. Prefix
it with `IgnoreUnknown UseKeychain` (the module emits IgnoreUnknown first)
so a non-Apple ssh skips it while Apple's ssh still honours it. Still
Darwin-only.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The tmux statusline draws powerline/Nerd glyphs that default fonts lack,
so they render as blank/"?". tmux runs on every host (not just the Sway
ones), so install the font in the shared common-nixos module rather than
swaywm -- a future console-only or non-Sway host gets it too. The Mac
installs it via the Darwin config (/Library/Fonts). foot names it as its
main font (home/sway.nix).
On macOS, iTerm2's font is still a GUI setting: Settings -> Profiles ->
Text -> Font -> "JetBrainsMono Nerd Font".
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tmux-direct as default-terminal desyncs zsh's line redraw on some
terminals (iTerm2: duplicated characters on Tab, stray newlines). Switch
to the standard tmux-256color and advertise truecolor per outer terminal
via terminal-features (add xterm-256color:RGB alongside the foot ones).
Also add a NO_TMUX escape hatch to the auto-start guard, so
`NO_TMUX=1 <terminal>` opens a bare shell.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The scheduled `nh clean` only reclaimed disk and risked reaping store
paths the current generation still references (notably on nix-darwin).
Keep `programs.nh` (nicer rebuilds + $NH_FLAKE) but remove clean.enable;
GC manually (`nh clean all` / `nix-collect-garbage -d`) when nothing
important is running. The resetZcompdump activation stays as a safety net
for stale completion dumps across rebuilds/manual GC.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add lyrathorpe/home/README.md covering the zsh / CLI tools / tmux / git /
ssh features and nice-to-haves configured across shell.nix and git.nix
(history, fzf/zoxide/direnv/eza/bat, nix-index, nh, tmux plugins +
auto-start, git aliases/settings/signing, ssh agent + Gitea host, the
zcompdump/GC maintenance behaviours, and per-host differences). Link it
from the top-level README alongside the keybindings reference.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Set HostName 10.187.1.76 on the code.emmathe.dev block so the Gitea
remote resolves to the fixed IP without relying on DNS (same user, port
30009 and key).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The home-manager bump deprecated programs.ssh.addKeysToAgent /
matchBlocks / the implicit default block. Move to programs.ssh.settings
with enableDefaultConfig = false, carrying the old defaults under
settings."*" plus AddKeysToAgent, the Darwin UseKeychain, and the
code.emmathe.dev (Port 30009) host. Silences all three ssh warnings.
Also drop ~/.zcompdump on each activation: a stale dump caches /nix/store
paths to completion functions, and once a rebuild or the weekly nh GC
removes them, compinit fails with "_git: function definition file not
found" for every completion. Deleting it forces a fresh rebuild from the
current fpath.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
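One way to write the zcompdump-reset activation described here and later extended to the new $ZDOTDIR location (the programs.zsh.dotDir commit). This is an added example, not the repo's resetZcompdump entry; the attribute name, the three swept locations, and the assumption that $ZDOTDIR is $XDG_CONFIG_HOME/zsh are all mine:

```nix
# Added example of a home-manager activation entry that removes stale zsh
# completion dumps. Not the repository's own code; paths are assumptions.
{ config, lib, ... }:
{
  # Runs after home-manager has linked the new generation, so the next
  # compinit rebuilds the dump from the current fpath instead of the old
  # /nix/store paths the stale dump still points at.
  home.activation.resetZcompdump = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
    # Sweep the legacy $HOME location, the XDG cache, and the assumed
    # $ZDOTDIR (= $XDG_CONFIG_HOME/zsh) location, in one pass.
    for f in \
      "$HOME"/.zcompdump* \
      "${config.xdg.cacheHome}"/zsh/zcompdump* \
      "${config.xdg.configHome}"/zsh/.zcompdump*
    do
      if [ -e "$f" ]; then
        $VERBOSE_ECHO "Removing stale zsh completion dump $f"
        $DRY_RUN_CMD rm -f "$f"
      fi
    done
  '';
}
```

Note the "(attribute name)" matters: a typo such as home.actiVation is an unknown option and fails module evaluation, so the script never runs at all; `home-manager switch --dry-run -v` (or `nh home switch --dry`) will show the entry's "Removing stale ..." lines without deleting anything, which is the quickest way to confirm the activation is actually wired in.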
The flake's origin (ssh://git@code.emmathe.dev) must resolve on every host.
Add a matchBlock for code.emmathe.dev: user git, Port 30009 (Gitea's
non-default SSH port -- the critical bit), the dedicated
~/.ssh/code.emmathe.dev key, and identitiesOnly. The work box keeps its own
ssh config (programs.ssh forced off there) which already has the entry.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Set user.email = iam@emmathe.dev on the personal hosts (mkDefault, so the
work module's address still wins on the work box). Add git aliases for
commitizen -- `git cz <sub>` (e.g. `git cz c`) and `git cc` for the commit
prompt; commitizen is already installed on every host (home.packages) and
defaults to the Conventional Commits ruleset.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Move the tmux auto-start out of the graphical-only desktop layer into the
shared shell config so it also covers WSL, iTerm2 and the Linux console
(folded into programs.zsh.initContent via mkMerge alongside the SSH PS1
block). Same guards: interactive, not-already-in-tmux, not-SSH,
not-VS-Code, tmux-present.
ssh: run a user ssh-agent on Linux (macOS uses launchd) and add keys on
first use (addKeysToAgent), so the passphrase is entered once per login
session instead of per commit/push -- which also feeds commit signing.
macOS additionally caches in the login keychain (UseKeychain). The work
box keeps its own ~/.ssh/config (programs.ssh forced off there); its
ssh-agent still runs via the work module.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Opening a terminal (foot) execs `tmux new-session -A -s main`, so every new
terminal lands in the multiplexer; panes run a plain non-login zsh. Guarded
to interactive, not-already-in-tmux, not-SSH, not-VS-Code, tmux-present --
preventing re-exec loops, hijacked scp/ssh shells, and lockout. Lives in the
graphical desktop layer, so the WSL work box keeps a plain shell.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
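The guarded tmux auto-start described in this commit, its later move into the shared shell config, and the NO_TMUX escape hatch, collected into one added example. It is not the repo's own initContent block; the lib.mkOrder value, the $TERM_PROGRAM check for VS Code and the session name handling are assumptions:

```nix
# Added example, not the repository's shell.nix. Shows the guard chain the
# commit messages describe; order value and VS Code detection are assumptions.
{ lib, pkgs, ... }:
{
  programs.zsh.initContent = lib.mkOrder 1500 ''
    # Every guard prevents a specific failure mode:
    #   interactive      -> scripts and `zsh -c` never re-exec into tmux
    #   -z TMUX          -> no re-exec loop from inside a pane
    #   -z SSH_CONNECTION-> scp/sftp/ssh command shells are not hijacked
    #   not VS Code      -> the integrated terminal keeps a plain shell
    #   -z NO_TMUX       -> `NO_TMUX=1 <terminal>` opens a bare shell
    #   tmux present     -> no "command not found" lockout on a fresh host
    if [[ -o interactive ]] \
       && [[ -z "$TMUX" ]] \
       && [[ -z "$SSH_CONNECTION" ]] \
       && [[ "$TERM_PROGRAM" != "vscode" ]] \
       && [[ -z "$NO_TMUX" ]] \
       && (( $+commands[tmux] )); then
      # -A attaches to "main" if it exists, otherwise creates it, so every
      # new terminal lands in the same multiplexer session.
      exec ${pkgs.tmux}/bin/tmux new-session -A -s main
    fi
  '';
}
```

To verify the escape hatch without opening a GUI terminal: `NO_TMUX=1 zsh -i -c 'echo bare; echo $TMUX'` should print "bare" and an empty line, while `zsh -i -c 'echo $TMUX'` from outside tmux will exec into the session instead.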
settings: pull.rebase + rebase autostash/autosquash, fetch.prune,
merge.conflictStyle=zdiff3, diff histogram + colorMoved, rerere,
commit.verbose, branch.sort, column.ui, help.autocorrect, and a small alias
set (st/co/sw/br/ci/last/unstage/lg). Global ignore file (result, .direnv,
*.swp, .DS_Store).
SSH commit/tag signing on personal hosts too, reusing the existing key
(the work module already signs on the work host). gpgsign is mkDefault so a
host lacking the key in its ssh-agent can disable it -- otherwise commits
there would fail. No personal user.email is set (unknown); signing does not
require one, but author email still falls back to user@host until set.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>