Add system/machine/RPi5/README.md (flash/boot, regenerate hardware-config,
Docker-socket security caveat and remote-client usage, how to add a
reverse-proxy vhost). Add lyrathorpe-rpi5 to the README host table and note
that the swayDesktop flag now lives in system/modules/features.nix so headless
hosts keep TTY login.
Tie the RPi5 submodules together: import hardware-config, docker.nix and
reverse-proxy.nix; pin networking.hostName to the flake attr name so nh
resolves; use U-Boot/extlinux boot (raspberry-pi-5 profile supplies kernel +
firmware); enable key-only sshd and a default-deny firewall opening 22.
Headless -- swaywm.nix is not imported, so swayDesktop stays off.
Enable nginx with the recommended proxy/TLS/optimisation/gzip settings and a
declarative virtualHosts table -- each proxied service is a Nix entry, so the
routing lives in-repo. Ships one HTTP-only example vhost; enableACME/forceSSL
are present but commented, to be flipped per-vhost once a DNS name and cert
exist. Opens 80 and 443.
Enable Docker and expose the daemon over TCP 2375 by extending the systemd
docker.socket ListenStream (avoids the daemon.json hosts vs unit -H fd://
conflict). The port is not added to allowedTCPPorts; instead an nftables
rule accepts it only from the trusted LAN subnet. Plain 2375 is
root-equivalent, so the source restriction is the only safeguard -- mTLS on
2376 is the documented upgrade path.
Committed so the lyrathorpe-rpi5 host evaluates in CI before the Pi is
provisioned. It is a placeholder, not a bootable config: on first install,
regenerate it on the device with nixos-generate-config and replace this file.
Excluded from formatters/linters by the existing hardware-configuration.nix
rules.
The host inherited the stock NixOS default hostname 'nixos', which does not
match the flake's nixosConfigurations attribute 'emmathorpe-edaas'. nh
selects the configuration by the local hostname, so bare 'nh os switch'
failed to resolve. Pin the hostname to the attribute name so it resolves
without an explicit -H/--hostname flag.
Add a systemd user timer on the EDaaS/WSL host that runs Claude Code
headless once a day (08:47) to review Renovate dependency PRs awaiting
Emma's review. It queries GitHub via the project-scoped github MCP
server, excludes PRs against archived repositories, grades each PR's
risk, and writes a recommendation-only summary to the journal
(journalctl --user -u renovate-review). It never approves or merges.
- lyrathorpe/home/renovate-review.nix: wrapper + service + timer.
Auth is Vertex AI via the inherited project/region/model env; Claude
Code provisions its own network egress, so no proxy is set. The
prompt lives in a store file so its literal backticks/$ don't trip
shellcheck in the wrapper.
- lyrathorpe/home/work.nix: import the module (host-scoped to EDaaS).
- system/machine/EDaaS/configuration.nix: enable user linger so the
timer fires without an attached login session.
Touch ID for sudo failed because pam_tid can't reach the GUI session
from inside tmux (terminals here auto-start tmux); enable sudo_local
reattach (pam_reattach) so the session is re-attached first. Also drop
the dock autohide and tilesize defaults.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
nix-darwin 26.05 forces activation to run as root, and mas cannot reach
the App Store/StoreKit session from root, so homebrew.masApps silently
failed to install. Remove the masApps list; install those apps by hand
with `mas install <id>` from a GUI Terminal. The mas CLI stays in
systemPackages for that.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Touch ID now authorises sudo (via sudo_local, update-safe). Adds the
standard system.defaults blocks — dock autohide / no-recents, Finder
extensions + path bar + list view, dark mode, fast key repeat, trackpad
tap-to-click — so the Mac's UI is managed declaratively too.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
In common-nixos.nix (every NixOS host):
- programs.nix-ld for all hosts, not just WSL — foreign dynamic binaries
(VS Code server, prebuilt toolchains) run on the dev boxes too. Removed
the now-redundant per-host enable from the EDaaS config.
- nix-community.cachix.org substituter (merges with the Asahi cache).
- Noto sans + colour-emoji fonts and fontconfig defaultFonts mapping, so
the WSL box (and anything asking fontconfig for "monospace") stops
rendering tofu.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- thermald on the x86 hosts (guarded; the Asahi MBP self-governs).
- T400 battery charge thresholds (75/80) via tp_smapi; tlp itself comes
from the nixos-hardware profile.
- Bluetooth (bluez + powerOnBoot) and blueman on the laptops — the MBP
already loads Apple BT firmware but bluez was never running.
- earlyoom + fwupd on the physical graphical hosts; zram on the Mac Pro.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- common-nixos: nix.settings.auto-optimise-store + larger download buffer.
- workstation: fstrim, boot.tmp.cleanOnBoot, and the shared graphical
options moved here from the per-host configs (pipewire, swaylock PAM
stub, redistributable firmware) -- MBP-Asahi gains audio it lacked.
- T400: zramSwap for the low-RAM host.
- MBP-Asahi: nixos-apple-silicon binary cache substituter.
- MacPro31 README: describe the real (LVM/UUID) hardware config; it is no
longer a placeholder.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The tmux statusline draws powerline/Nerd glyphs that default fonts lack,
so they render as blank/"?". tmux runs on every host (not just the Sway
ones), so install the font in the shared common-nixos module rather than
swaywm -- a future console-only or non-Sway host gets it too. The Mac
installs it via the Darwin config (/Library/Fonts). foot names it as its
main font (home/sway.nix).
On macOS, iTerm2's font is still a GUI setting: Settings -> Profiles ->
Text -> Font -> "JetBrainsMono Nerd Font".
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Document the greetd/ReGreet greeter in the top-level README and the T400
and Mac Pro install notes, including that the user account needs a
password set before the greeter can authenticate.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add system/machine/{T400,MacPro31}/README.md covering the placeholder
hardware-configuration regeneration, partition labels, bootloader selection
(T400 boot variants; Mac Pro EFI quirks), and GPU notes. Link each from its
configuration.nix header, and refresh the top-level README host table (T400
replaces X1, Mac Pro 3,1 added) with links to both.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Split the T400 bootloader into self-contained, importable modules so the host
can match whatever firmware is flashed (switch by changing one import):
- boot-bios.nix stock BIOS / coreboot+SeaBIOS -> GRUB on the MBR (default)
- boot-coreboot-grub.nix coreboot GRUB payload -> config-only GRUB (device=nodev)
- boot-coreboot-uefi.nix coreboot Tianocore/UEFI payload -> systemd-boot; carries
its own ESP (/boot vfat) so it travels with the mode
Cover the optional discrete ATI Mobility Radeon HD 3470 (RV620): load the open
`radeon` KMS driver in the initrd for early modesetting (firmware via
enableRedistributableFirmware), with a note on the T400's switchable graphics.
All three boot variants evaluate; nixfmt clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- lyrathorpe-t400 replaces lyrathorpe-x1c: ThinkPad T400 (legacy BIOS -> GRUB,
Intel microcode + redistributable firmware for iwlwifi, pipewire, sshd).
- lyrathorpe-macpro31: new desktop host (portable = false) importing
desktop.nix. Mac Pro 3,1 has 64-bit EFI -> systemd-boot; wired NetworkManager
via desktop.nix; desktop status bar (temperature + net, no battery).
Both ship hand-written placeholder hardware-configuration.nix (root/swap/ESP by
label, GRUB device /dev/sda) to be regenerated with nixos-generate-config and
committed at install time. All five host configs evaluate; nixfmt clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The bootloader is firmware-specific, not form-factor: UEFI hosts use
systemd-boot, BIOS hosts use GRUB. Drop boot.loader.systemd-boot.enable from
workstation.nix and declare it on the MBP instead, so the incoming BIOS-only
T400 (GRUB) doesn't have to force it off.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Add common-nixos.nix (timezone, locale, git/fastfetch) imported by every
NixOS host, and laptop.nix (systemd-boot, sway, dvorak, iwd, firewall)
imported by X1 and MBP. Strip the nixos-generate-config boilerplate from
both machine configs and reduce them to host-specific settings.
- Enable the firewall on the laptops (was disabled); X1 opens 22 next to
its sshd.
- Pin nixpkgs input to github:nixos/nixpkgs/nixos-26.05 for consistency;
lock rev unchanged (still b51242d).
- Drop unused module arguments.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The NixOS-WSL store is a read-only VHD whose files are owned by nobody
(65534), not root. programs.ssh.systemd-ssh-proxy.enable (default true)
adds `Include <systemd>/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf`
to /etc/ssh/ssh_config. OpenSSH permission-checks Include'd config files
and rejects any not owned by root or the caller, so the nobody-owned
include fails with "Bad owner or permissions" and breaks ssh/git for
every command.
Disable it on the WSL host: the proxy plugin only serves `ssh unix/…` /
`vsock` connections to local machined VMs, which WSL does not use. Other
hosts keep the default (root-owned store, include works).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the installed App Store apps to homebrew.masApps so mas manages them declaratively: Amphetamine, Apple Configurator, Game Controller Tester, Keynote, Numbers, Pages, PDFgear, PL2303Serial, WireGuard.
Migrate the prior Homebrew package set onto the nix-darwin host. Leaf CLI formulae move to nixpkgs (environment.systemPackages); pure library deps are dropped since nix resolves them transitively. firefoxpwa and version-pinned llvm@21/lld@21/python@3.14 stay on brew. All GUI apps remain brew casks, since nixpkgs darwin GUI support is unreliable.
Add the nix-homebrew input and darwin module so the Homebrew prefix is installed and owned declaratively (no manual bootstrap), with enableRosetta for x86_64 formulae on Apple Silicon and user = host username.
Set homebrew.onActivation.cleanup = zap so the taps/brews/casks/masApps lists are authoritative: anything not declared is removed on activation.
Turn on nix-darwin's homebrew module with empty taps/brews/casks/masApps lists to fill in, onActivation autoUpdate+upgrade, and cleanup=none (manual formulae left intact; flip to zap for fully authoritative lists). Set system.primaryUser so brew activation runs as the host user.
Add the nix-darwin input (nix-darwin-26.05, follows nixpkgs) and a mkDarwinHost mirroring mkHost: shared commonModule (nixpkgs/nix settings) is factored out and reused, home-manager is wired via darwinModules, and identity is threaded through specialArgs.
New darwinConfigurations.lyrathorpe-mac (aarch64-darwin) reuses the cross-platform ./lyrathorpe/home modules (shell, git, editor); Linux-only sway/desktop modules are excluded. Build with: darwin-rebuild switch --flake .#lyrathorpe-mac.
* fix: configure docker for EDaaS WSL VDI
Enable rootful docker with the Docker Desktop proxy patch, add emmathorpe to the docker group, disable resolvconf and enable nix-ld.
* feat: flesh out work module and pin claude-code to nixpkgs unstable
Migrate git config to the settings option, fix the signing key path and email, add argo-rollouts/google-cloud-sdk and other tooling, and enable go. claude-code is sourced from the nixpkgs-unstable overlay.
* chore: update personal git, delta and editor config
Move git config to the settings option, switch to the standalone programs.delta module with git integration, add commitizen, and treat Jenkinsfiles as groovy.
* refactor: dedupe flake with mkHost and add nixos-wsl flake input
Extract a shared mkHost helper to remove duplicated home-manager scaffolding, add nixos-wsl as a flake input so the EDaaS host builds without --impure, source claude-code via a nixpkgs-unstable overlay, and expose a nixfmt formatter output.
* style: format nix files with nixfmt
* refactor: migrate to stable nixpkgs 26.05 and track upstream asahi flake
Pin nixpkgs to nixos-26.05 and home-manager to release-26.05; claude-code stays bleeding-edge via the nixpkgs-unstable overlay.
Centralize allowUnfree and experimental-features in mkHost and pin nix.registry/nixPath to the flake nixpkgs.
Replace the vendored apple-silicon-support module with the nixos-apple-silicon flake input, dropping ~8.8k lines of vendored code.
Fix stable-induced package renames: neofetch -> fastfetch, noto-fonts-emoji -> noto-fonts-color-emoji.
* refactor: adopt flake-parts with host table and scoped unfree
Wrap outputs in flake-parts.lib.mkFlake, replacing forAllSystems boilerplate with systems + perSystem. Drop the unused self argument.
Collapse the three mkHost calls into a hosts attrset mapped with lib.mapAttrs; adding a machine is now a single table entry.
Replace blanket allowUnfree with an allowUnfreePredicate allowlist (claude-code, lens). Add devShells.default (nixfmt, nil, git) and a checks.formatting nixfmt --check gate.
* docs(flake): annotate inputs, mkHost, host table and perSystem
Explanatory comments only; no eval change (drvPath identical).
* refactor(home): split home-manager into focused modules; clarify desktop scope
Break the home.nix monolith into emmathorpe/home/{default,shell,git,editor,desktop}.nix. The host table now composes desktop.nix onto graphical hosts only, so element-desktop, the Sway session vars and cursor theme are no longer installed on the headless WSL host.
Consolidate chat apps: legcord moves from user.nix (system) into the home desktop module alongside element-desktop. The tty1 'exec sway' autostart moves into desktop.nix so it never runs on headless hosts.
Desktop functionality: add xdg.portal (wlr + gtk) in swaywm.nix to enable screen sharing and native file pickers for Element and Firefox under wlroots.
* feat(desktop): declarative Sway config with idle-lock, notifications and bar
Add emmathorpe/home/sway.nix managing wayland.windowManager.sway (package = null, reusing the system Sway wrapper) plus swaylock, swayidle, dunst and an i3status-rust bar. home-manager's systemd integration wires sway-session.target so the swayidle/dunst user services start with the session.
swayidle locks after 5 min, powers outputs off after 10, and locks before sleep. Media/brightness keys use wpctl (pipewire) and brightnessctl; the launcher is sway-launcher-desktop in a floating foot window; keyboard is set to dvorak to match the console.
Move swaylock/swayidle/dunst/i3status-rust out of the system programs.sway extraPackages (now home-managed). Add security.pam.services.swaylock on the MBP host so the lock screen can authenticate (X1 already had it with fingerprint auth).
---------
Co-authored-by: Emma Thorpe <emma.thorpe@citrix.com>
Enable rootful docker with Docker Desktop proxy patch, add emmathorpe to the docker group, disable resolvconf and enable nix-ld so the WSL distro behaves.
lyrathorpe
Emma Thorpe