Update the home README (editor plugins + format-on-save, btop/lazygit/
hyperfine/sd, git aliases, tmux extrakto, fonts/emoji coverage),
KEYBINDINGS (telescope/trouble/comment), and the top README (shared
module layers + nix-flake-check CI). Correct the last work/default.nix
reference in default.nix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Replace the formatting-only build with `nix flake check`, so deadnix,
statix and the pre-commit hooks are enforced in CI (not just local
hooks). Add the nix-community binary cache to the runner's nix config to
speed up the check closure. The explicit per-host eval pass is kept for
granular output.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Touch ID now authorises sudo (via sudo_local, update-safe). Adds the
standard system.defaults blocks — dock autohide / no-recents, Finder
extensions + path bar + list view, dark mode, fast key repeat, trackpad
tap-to-click — so the Mac's UI is managed declaratively too.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- Polkit authentication agent (lxqt-policykit) as a sway-session user
service — programs.sway only enables the daemon, so GUI auth dialogs
(nemo mount, NM/blueman) previously failed silently. Corrected the
header comment that wrongly claimed the agent was handled system-side.
- kanshi for output/display management (safe internal-panel default; a
documented template for docked/Cinema-Display profiles).
- gammastep night-light (manual location; adjust coordinates).
- inhibit_idle on fullscreen so video doesn't get blanked/locked.
- logind lid policy on the laptops: suspend on battery, lock on AC.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

In common-nixos.nix (every NixOS host):
- programs.nix-ld for all hosts, not just WSL — foreign dynamic binaries
(VS Code server, prebuilt toolchains) run on the dev boxes too. Removed
the now-redundant per-host enable from the EDaaS config.
- nix-community.cachix.org substituter (merges with the Asahi cache).
- Noto sans + colour-emoji fonts and fontconfig defaultFonts mapping, so
the WSL box (and anything asking fontconfig for "monospace") stops
rendering tofu.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- thermald on the x86 hosts (guarded; the Asahi MBP self-governs).
- T400 battery charge thresholds (75/80) via tp_smapi; tlp itself comes
from the nixos-hardware profile.
- Bluetooth (bluez + powerOnBoot) and blueman on the laptops — the MBP
already loads Apple BT firmware but bluez was never running.
- earlyoom + fwupd on the physical graphical hosts; zram on the Mac Pro.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

New system/modules/ssh.nix disables password and keyboard-interactive
auth and root login, and installs the authorized key for the primary
user. Imported by the two hosts that run sshd; each still enables the
service and opens port 22 in its own config.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

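Added example (not part of the commit or the repository): a check that a host's effective sshd configuration matches what the ssh.nix commit message above states, which is useful because each host still carries its own sshd settings. It assumes the `keyword value` line format printed by `sshd -T`; the function names and both sample outputs are constructed for illustration.

```python
# Settings the commit message says the module enforces (keywords as sshd -T prints them).
REQUIRED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
}

def parse_effective_config(text):
    """Turn "keyword value" lines into a dict, keeping the first value per keyword."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config.setdefault(key.lower(), value.strip().lower())
    return config

def audit(text):
    """Return one finding per required setting that is missing or deviates."""
    config = parse_effective_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = config.get(key)
        if got is None:
            findings.append(f"{key}: not reported")
        elif got != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    return findings

# Constructed sample: a host where the module applied.
HARDENED = """port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
"""

# Constructed sample: a host whose own config drifted from the module.
DRIFTED = """port 22
permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication no
"""

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("drifted", DRIFTED)):
        print(name, audit(sample) or "OK")
```

On a live host the input would be the output of `sshd -T`, run with enough privilege to read the host keys.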
T400 gets the generic lenovo-thinkpad + common-pc-laptop(-ssd) +
common-cpu-intel blocks (no t400-specific profile exists); this also
enables tlp and the tp_smapi/acpi_call battery tooling. Mac Pro 3,1 gets
common-pc-ssd + common-cpu-intel. nixos-hardware follows our nixpkgs to
keep a single nixpkgs in the closure.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>