feat: pi-agent wrapper

2026-04-14 18:36:55 +02:00
parent e289698960
commit 7e0d60c95b
7 changed files with 91 additions and 25 deletions
--- a/hosts/m3-kratos/configuration.nix
+++ b/hosts/m3-kratos/configuration.nix
@@ -68,7 +68,7 @@

  # List packages installed in system profile. To search, run:
  # $ nix search wget
-  environment.systemPackages = with pkgs; [neovim git n8n];
+  environment.systemPackages = with pkgs; [neovim git];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
--- a/hosts/m3-kratos/services/default.nix
+++ b/hosts/m3-kratos/services/default.nix
@@ -3,8 +3,9 @@
    ./containers
    ./hermes-agent.nix
    ./mem0.nix
-    ./n8n.nix
+    # ./n8n.nix
    ./netbird.nix
+    ./pi-agent.nix
    ./postgres.nix
    ./sound.nix
    ./udev.nix
--- a/hosts/m3-kratos/services/n8n.nix
+++ b/hosts/m3-kratos/services/n8n.nix
@@ -1,6 +1,6 @@
 {lib, ...}: {
  services.n8n = {
-    enable = true;
+    enable = false;
    openFirewall = true;
    environment = {
      N8N_SECURE_COOKIE = "false";
--- a/hosts/m3-kratos/services/pi-agent.nix
+++ b/hosts/m3-kratos/services/pi-agent.nix
@@ -0,0 +1,52 @@
+{config, ...}: let
+  cfg = config.m3ta.pi-agent;
+in {
+  m3ta.pi-agent = {
+    enable = true;
+    binaryName = "pi";
+
+    # Per-user policy map: authorized host users + their allowed project roots.
+    hostUsers = {
+      m3tam3re = {
+        projectRoots = ["~/p"];
+        # Optional (default comes from wrapper.hostConfigPath)
+        configPath = ".pi/agents";
+      };
+    };
+
+    wrapper = {
+      enable = true;
+      commandName = "pi";
+      hideDirectBinary = true;
+
+      # Sync Home Manager rendered Pi config from invoking user home.
+      hostConfigPath = ".pi/agents";
+    };
+  };
+
+  # Manage isolated pi-agent git identity via Home Manager (declarative + reusable pattern).
+  home-manager.users.${cfg.user} = {
+    home.username = cfg.user;
+    home.homeDirectory = cfg.stateDir;
+    home.stateVersion = "26.05";
+
+    programs.git = {
+      enable = true;
+      signing.format = null;
+      settings = {
+        user = {
+          name = "m3ta-chiron";
+          email = "m3ta-chiron@agentmail.to";
+        };
+        core.excludesfile = "~/.gitignore_global";
+        init.defaultBranch = "master";
+        alias = {
+          st = "status";
+          logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
+        };
+      };
+    };
+
+    home.file.".gitignore_global".text = "";
+  };
+}