Touch ID for sudo failed because pam_tid can't reach the GUI session
from inside tmux (terminals here auto-start tmux); enable sudo_local
reattach (pam_reattach) so the session is re-attached first. Also drop
the dock autohide and tilesize defaults.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
nix-darwin 26.05 forces activation to run as root, and mas cannot reach
the App Store/StoreKit session from root, so homebrew.masApps silently
failed to install. Remove the masApps list; install those apps by hand
with `mas install <id>` from a GUI Terminal. The mas CLI stays in
systemPackages for that.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Vendor the auto-memory directory into the repo (claude/memory/) and
symlink it read-only into ~/.claude/memory. Recall keeps working; the
runtime "save a memory" path no longer writes there. CLAUDE.md instructs
Claude to add/change memories in this repo and rebuild instead, so the
flake stays the single source of truth. README documents the split.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
programs.claude-code on every host: the global CLAUDE.md (persona) and
the Soviet Engineer output style are now declared. settings.json is left
unmanaged on purpose — Claude rewrites it at runtime (permission grants,
/config) and a read-only store symlink would break those writes. Drops
the now-redundant explicit claude-code package from work.nix (the module
installs it).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update the home README (editor plugins + format-on-save, btop/lazygit/
hyperfine/sd, git aliases, tmux extrakto, fonts/emoji coverage),
KEYBINDINGS (telescope/trouble/comment), and the top README (shared
module layers + nix-flake-check CI). Correct the last work/default.nix
reference in default.nix.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the formatting-only build with `nix flake check`, so deadnix,
statix and the pre-commit hooks are enforced in CI (not just local
hooks). Add the nix-community binary cache to the runner's nix config to
speed up the check closure. The explicit per-host eval pass is kept for
granular output.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Touch ID now authorises sudo (via sudo_local, update-safe). Adds the
standard system.defaults blocks — dock autohide / no-recents, Finder
extensions + path bar + list view, dark mode, fast key repeat, trackpad
tap-to-click — so the Mac's UI is managed declaratively too.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Polkit authentication agent (lxqt-policykit) as a sway-session user
service — programs.sway only enables the daemon, so GUI auth dialogs
(nemo mount, NM/blueman) previously failed silently. Corrected the
header comment that wrongly claimed the agent was handled system-side.
- kanshi for output/display management (safe internal-panel default; a
documented template for docked/Cinema-Display profiles).
- gammastep night-light (manual location; adjust coordinates).
- inhibit_idle on fullscreen so video doesn't get blanked/locked.
- logind lid policy on the laptops: suspend on battery, lock on AC.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
In common-nixos.nix (every NixOS host):
- programs.nix-ld for all hosts, not just WSL — foreign dynamic binaries
(VS Code server, prebuilt toolchains) run on the dev boxes too. Removed
the now-redundant per-host enable from the EDaaS config.
- nix-community.cachix.org substituter (merges with the Asahi cache).
- Noto sans + colour-emoji fonts and fontconfig defaultFonts mapping, so
the WSL box (and anything asking fontconfig for "monospace") stops
rendering tofu.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- thermald on the x86 hosts (guarded; the Asahi MBP self-governs).
- T400 battery charge thresholds (75/80) via tp_smapi; tlp itself comes
from the nixos-hardware profile.
- Bluetooth (bluez + powerOnBoot) and blueman on the laptops — the MBP
already loads Apple BT firmware but bluez was never running.
- earlyoom + fwupd on the physical graphical hosts; zram on the Mac Pro.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
New system/modules/ssh.nix disables password and keyboard-interactive
auth and root login, and installs the authorized key for the primary
user. Imported by the two hosts that run sshd; each still enables the
service and opens port 22 in its own config.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
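One way to write the module this commit describes, as an added example rather than the repository's own system/modules/ssh.nix: it uses the standard NixOS `services.openssh.settings` paths, leaves `enable` and the firewall to the per-host configs as the commit says, and the user name and public key are placeholders.

```nix
# Added example, not the repo's system/modules/ssh.nix. Hardens sshd as the
# commit describes; the user name and key below are placeholders.
{ lib, ... }:
let
  # Assumed primary user (the repo does not name one on this page).
  primaryUser = "primary-user-placeholder";
in
{
  services.openssh.settings = {
    # sshd_config: PasswordAuthentication no
    PasswordAuthentication = false;
    # sshd_config: KbdInteractiveAuthentication no
    # (also closes the PAM challenge-response path, which a password-only
    # ban would leave open)
    KbdInteractiveAuthentication = false;
    # sshd_config: PermitRootLogin no
    PermitRootLogin = "no";
  };

  # Key-only login for the primary user; placeholder public key.
  users.users.${primaryUser}.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAA...PLACEHOLDER-PUBLIC-KEY... ${primaryUser}"
  ];

  # Deliberately NOT set here, matching the commit: each host that runs
  # sshd sets services.openssh.enable = true and opens port 22 itself,
  # so importing this module on a host without sshd changes nothing.
}
```

After a rebuild, `sshd -T | grep -Ei 'passwordauthentication|kbdinteractiveauthentication|permitrootlogin'` prints the effective values, which is the check worth running once per host since a later per-host setting can still override these.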
T400 gets the generic lenovo-thinkpad + common-pc-laptop(-ssd) +
common-cpu-intel blocks (no t400-specific profile exists); this also
enables tlp and the tp_smapi/acpi_call battery tooling. Mac Pro 3,1 gets
common-pc-ssd + common-cpu-intel. nixos-hardware follows our nixpkgs to
keep a single nixpkgs in the closure.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Set programs.zsh.dotDir to ~/.config/zsh, adopting the new home-manager
default and silencing the dotDir deprecation warning on rebuild. Pin
history.path to the existing ~/.zsh_history so the move doesn't orphan it,
and extend the zcompdump-reset activation to the new $ZDOTDIR location
(legacy $HOME and cache paths still swept). README updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rewrite editor.nix on programs.nixvim, keeping every prior feature: file
tree (nvim-tree, toggle ,,), indent guides (indent-blankline), fugitive,
vim-tmux-navigator, Catppuccin Mocha, 2-space hard tabs, and the
*Jenkinsfile=groovy rule. Replace the inert ALE with a real LSP stack —
nvim-lspconfig, nvim-cmp completion, and tree-sitter for highlighting.
Leader is Space; LSP keymaps gd/gr/K/<leader>rn/<leader>ca.
Universal servers: nil (Nix), lua_ls, pyright (Python), terraformls. The
work box (work.nix) additionally enables omnisharp (C#) and helm_ls (Helm),
so the heavy omnisharp closure stays off the personal machines.
default.nix drops VISUAL=vim so nixvim's defaultEditor owns $EDITOR/$VISUAL.
README and KEYBINDINGS updated (and two stale references corrected).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Declarative Neovim, on the nixos-26.05 release branch and following our
nixpkgs to keep a single nixpkgs in the closure. Consumed by
lyrathorpe/home/editor.nix.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- treefmt-nix drives `nix fmt` and the formatting check (nixfmt/shfmt/
prettier; generated files and flake.lock excluded). Replaces the
bespoke find-based check.
- deadnix and statix as flake checks and pre-commit hooks; deadnix
ignores module-arg patterns, statix.toml disables the two house-style
lints (repeated_keys, empty_pattern). Fixed the one real deadnix hit
(unused overlay arg) and statix hit (use inherit for claude-code).
- git-hooks.nix installs the pre-commit gate via the devShell.
- .editorconfig for the base style.
- Move system/modules/work/default.nix -> lyrathorpe/home/work.nix (it is
a home-manager module). README gains a Development section; docs
reformatted by the new formatter.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- common-nixos: nix.settings.auto-optimise-store + larger download buffer.
- workstation: fstrim, boot.tmp.cleanOnBoot, and the shared graphical
options moved here from the per-host configs (pipewire, swaylock PAM
stub, redistributable firmware) -- MBP-Asahi gains audio it lacked.
- T400: zramSwap for the low-RAM host.
- MBP-Asahi: nixos-apple-silicon binary cache substituter.
- MacPro31 README: describe the real (LVM/UUID) hardware config; it is no
longer a placeholder.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update the interactive-shell README and keybindings reference for changes
made after the initial docs commit: no scheduled GC (manual only),
NO_TMUX escape hatch, default-terminal tmux-256color + truecolor, the
JetBrainsMono Nerd Font (new Fonts section + iTerm2 caveat), the
UseKeychain IgnoreUnknown guard, and the vim-tmux-navigator (Ctrl-hjkl) +
resurrect save/restore tmux bindings.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
nixpkgs' openssh lacks Apple's keychain patch, so `UseKeychain yes` is
rejected as "Bad configuration option" when that ssh is on PATH. Prefix
it with `IgnoreUnknown UseKeychain` (the module emits IgnoreUnknown first)
so a non-Apple ssh skips it while Apple's ssh still honours it. Still
Darwin-only.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The tmux statusline draws powerline/Nerd glyphs that default fonts lack,
so they render as blank/"?". tmux runs on every host (not just the Sway
ones), so install the font in the shared common-nixos module rather than
swaywm -- a future console-only or non-Sway host gets it too. The Mac
installs it via the Darwin config (/Library/Fonts). foot names it as its
main font (home/sway.nix).
On macOS, iTerm2's font is still a GUI setting: Settings -> Profiles ->
Text -> Font -> "JetBrainsMono Nerd Font".
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tmux-direct as default-terminal desyncs zsh's line redraw on some
terminals (iTerm2: duplicated characters on Tab, stray newlines). Switch
to the standard tmux-256color and advertise truecolor per outer terminal
via terminal-features (add xterm-256color:RGB alongside the foot ones).
Also add a NO_TMUX escape hatch to the auto-start guard, so
`NO_TMUX=1 <terminal>` opens a bare shell.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The scheduled `nh clean` only reclaimed disk and risked reaping store
paths the current generation still references (notably on nix-darwin).
Keep `programs.nh` (nicer rebuilds + $NH_FLAKE) but remove clean.enable;
GC manually (`nh clean all` / `nix-collect-garbage -d`) when nothing
important is running. The resetZcompdump activation stays as a safety net
for stale completion dumps across rebuilds/manual GC.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add lyrathorpe/home/README.md covering the zsh / CLI tools / tmux / git /
ssh features and nice-to-haves configured across shell.nix and git.nix
(history, fzf/zoxide/direnv/eza/bat, nix-index, nh, tmux plugins +
auto-start, git aliases/settings/signing, ssh agent + Gitea host, the
zcompdump/GC maintenance behaviours, and per-host differences). Link it
from the top-level README alongside the keybindings reference.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Set HostName 10.187.1.76 on the code.emmathe.dev block so the Gitea
remote resolves to the fixed IP without relying on DNS (same user, port
30009 and key).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The home-manager bump deprecated programs.ssh.addKeysToAgent /
matchBlocks / the implicit default block. Move to programs.ssh.settings
with enableDefaultConfig = false, carrying the old defaults under
settings."*" plus AddKeysToAgent, the Darwin UseKeychain, and the
code.emmathe.dev (Port 30009) host. Silences all three ssh warnings.
Also drop ~/.zcompdump on each activation: a stale dump caches /nix/store
paths to completion functions, and once a rebuild or the weekly nh GC
removes them compinit fails with "_git: function definition file not
found" for every completion. Deleting it forces a fresh rebuild from the
current fpath.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The flake's origin (ssh://git@code.emmathe.dev) must resolve on every host.
Add a matchBlock for code.emmathe.dev: user git, Port 30009 (Gitea's
non-default SSH port -- the critical bit), the dedicated
~/.ssh/code.emmathe.dev key, and identitiesOnly. The work box keeps its own
ssh config (programs.ssh forced off there) which already has the entry.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Set user.email = iam@emmathe.dev on the personal hosts (mkDefault, so the
work module's address still wins on the work box). Add git aliases for
commitizen -- `git cz <sub>` (e.g. `git cz c`) and `git cc` for the commit
prompt; commitizen is already installed on every host (home.packages) and
defaults to the Conventional Commits ruleset.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Move the tmux auto-start out of the graphical-only desktop layer into the
shared shell config so it also covers WSL, iTerm2 and the Linux console
(folded into programs.zsh.initContent via mkMerge alongside the SSH PS1
block). Same guards: interactive, not-already-in-tmux, not-SSH,
not-VS-Code, tmux-present.
ssh: run a user ssh-agent on Linux (macOS uses launchd) and add keys on
first use (addKeysToAgent), so the passphrase is entered once per login
session instead of per commit/push -- which also feeds commit signing.
macOS additionally caches in the login keychain (UseKeychain). The work
box keeps its own ~/.ssh/config (programs.ssh forced off there); its
ssh-agent still runs via the work module.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Opening a terminal (foot) execs `tmux new-session -A -s main`, so every new
terminal lands in the multiplexer; panes run a plain non-login zsh. Guarded
to interactive, not-already-in-tmux, not-SSH, not-VS-Code, tmux-present --
preventing re-exec loops, hijacked scp/ssh shells, and lockout. Lives in the
graphical desktop layer, so the WSL work box keeps a plain shell.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
settings: pull.rebase + rebase autostash/autosquash, fetch.prune,
merge.conflictStyle=zdiff3, diff histogram + colorMoved, rerere,
commit.verbose, branch.sort, column.ui, help.autocorrect, and a small alias
set (st/co/sw/br/ci/last/unstage/lg). Global ignore file (result, .direnv,
*.swp, .DS_Store).
SSH commit/tag signing on personal hosts too, reusing the existing key
(the work module already signs on the work host). gpgsign is mkDefault so a
host lacking the key in its ssh-agent can disable it -- otherwise commits
there would fail. No personal user.email is set (unknown); signing does not
require one, but author email still falls back to user@host until set.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Vim half of the tmux plugin so Ctrl-h/j/k/l moves seamlessly between vim
splits and tmux panes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Prebuilt nix-index database (follows nixpkgs) so command-not-found works
immediately without a manual `nix-index` run. Consumed in shell.nix.
Lock change is purely additive; existing pins are unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The eval steps listed hosts by hand and still referenced lyrathorpe-x1c,
which was removed (replaced by t400/macpro31), so CI errored. Derive the
NixOS and Darwin host lists from attrNames of nixos/darwinConfigurations
instead, so adding or removing a host needs no workflow change.
Verified locally under bash: all current hosts (edaas, macpro31, mbp,
t400, mac) evaluate; no removed host is referenced.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rebuild after the lock-maintenance bump surfaced two home-manager
warnings on the Firefox config added in #17:
- pin programs.firefox.configPath = ".mozilla/firefox" (the legacy
location the system Firefox uses) to silence the stateVersion<26.05
default-change warning,
- address the add-on by pkgs.stdenv.hostPlatform.system (pkgs.system is
deprecated).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>