From c8752086a25801bfdb5f2e05d1fa0ad1b28583c5 Mon Sep 17 00:00:00 2001
From: m3tm3re
Date: Tue, 6 Jan 2026 08:54:17 +0100
Subject: [PATCH] Opencode permissions + agent configs
---
 flake.lock | 14 +++
 flake.nix | 10 +-
 home/features/coding/opencode.nix | 181 +++++++++++++++++++++++++-----
 hosts/m3-ares/secrets.nix | 4 +
 hosts/m3-kratos/secrets.nix | 4 +
 secrets.nix | 1 +
 secrets/exa-key.age | 21 ++++
 7 files changed, 203 insertions(+), 32 deletions(-)
 create mode 100644 secrets/exa-key.age
diff --git a/flake.lock b/flake.lock
index af65267..76de1dd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,6 +21,19 @@
 "type": "github"
 }
 },
+ "agents": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1767685523,
+ "narHash": "sha256-shTEa+ekFgzB7G+V8ijvQx1N4OKXIEMjlCgtQxL+jqs=",
+ "path": "/home/m3tam3re/p/MISC/AGENTS",
+ "type": "path"
+ },
+ "original": {
+ "path": "/home/m3tam3re/p/MISC/AGENTS",
+ "type": "path"
+ }
+ },
 "base16-schemes": {
 "flake": false,
 "locked": {
@@ -505,6 +518,7 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+ "agents": "agents",
 "disko": "disko",
 "home-manager": "home-manager_2",
 "hyprpanel": "hyprpanel",
diff --git a/flake.nix b/flake.nix
index f10af80..a46386d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,8 +22,8 @@
 nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0";
 nixpkgs-master.url = "github:nixos/nixpkgs/master";
- # m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
- m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";
+ m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
+ # m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";
 # nur = {
 url = "github:nix-community/NUR";
@@ -43,6 +43,12 @@
 hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
 rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor";
 nix-colors.url = "github:misterio77/nix-colors";
+
+ agents = {
+ # url = "path:/home/m3tam3re/p/MISC/AGENTS";
+ url = "git+https://code.m3ta.dev/m3tam3re/AGENTS";
+ flake = false;
+ };
 };
 outputs = {
diff --git a/home/features/coding/opencode.nix b/home/features/coding/opencode.nix
index 11cd2ee..d7e1426 100644
--- a/home/features/coding/opencode.nix
+++ b/home/features/coding/opencode.nix
@@ -1,9 +1,29 @@
-{
+{inputs, ...}: {
+ xdg.configFile = {
+ "opencode/command" = {
+ source = "${inputs.agents}/command";
+ recursive = true;
+ };
+ "opencode/context" = {
+ source = "${inputs.agents}/context";
+ recursive = true;
+ };
+ "opencode/prompts" = {
+ source = "${inputs.agents}/prompts";
+ recursive = true;
+ };
+ "opencode/skill" = {
+ source = "${inputs.agents}/skill";
+ recursive = true;
+ };
+ };
+
 programs.opencode = {
 enable = true;
 settings = {
 theme = "opencode";
 plugin = ["oh-my-opencode"];
+ agent = builtins.fromJSON (builtins.readFile "${inputs.agents}/agent/agents.json");
 formatter = {
 alejandra = {
 command = ["alejandra" "-q" "-"];
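Review bot: The `agents` input added here is declared as `git+https://code.m3ta.dev/m3tam3re/AGENTS`, but the lock entry added in flake.lock by this same commit records it as `"type": "path"` at `/home/m3tam3re/p/MISC/AGENTS`, so the lock does not match the declaration and the input will be re-resolved on any other machine (or fail outright in a build that refuses to modify the lock). That matters more than a usual stale lock: home/features/coding/opencode.nix in this commit installs `command`, `context`, `prompts`, `skill` and `agent/agents.json` from this input into the opencode configuration, so the lock is the only thing pinning which agent definitions and system prompts end up on the host. Re-lock against the git URL before merging (e.g. `nix flake update agents`) so the recorded `narHash` covers the remote content, and drop or comment the leftover `# url = "path:..."` line so the two URLs cannot be toggled without a re-lock.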
@@ -28,37 +48,138 @@
 "OPENAPI_MCP_HEADERS=$(cat /run/agenix/anytype-key) exec bunx @anyproto/anytype-mcp"
 ];
 };
+ Exa = {
+ type = "local";
+ command = [
+ "sh"
+ "-c"
+ "EXA_API_KEY=$(cat /run/agenix/exa-key) exec bunx exa-mcp-server@latest tools=web_search_exa"
+ ];
+ enabled = true;
+ };
 };
 };
 };
- home.file.".config/opencode/oh-my-opencode.json".text = ''
- {
- "$schema": "https://raw.githubusercontent.com/code-yeongyu/oh-my-opencode/master/assets/oh-my-opencode.schema.json",
- "agents": {
- "Sisyphus": {
- "model": "anthropic/claude-opus-4-5"
- },
- "librarian": {
- "model": "anthropic/claude-sonnet-4-5"
- },
- "explore": {
- "model": "opencode/big-pickle"
- },
- "oracle": {
- "model": "anthropic/claude-sonnet-4-5"
- },
- "frontend-ui-ux-engineer": {
- "model": "anthropic/claude-opus-4-5"
- },
- "document-writer": {
- "model": "anthropic/claude-opus-4-5"
- },
- "multimodal-looker": {
- "model": "anthropic/claude-opus-4-5"
- }
- },
- "disabled_mcps": ["context7"]
- }
- '';
+ home.file.".config/opencode/oh-my-opencode.json".text = builtins.toJSON {
+ "$schema" = "https://raw.githubusercontent.com/code-yeongyu/oh-my-opencode/master/assets/oh-my-opencode.schema.json";
+ agents = {
+ Sisyphus = {
+ model = "anthropic/claude-opus-4-5";
+ permission = {
+ edit = "allow";
+ bash = {
+ "*" = "allow";
+ "rm *" = "ask";
+ "rmdir *" = "ask";
+ "mv *" = "ask";
+ "chmod *" = "ask";
+ "chown *" = "ask";
+ "git *" = "ask";
+ "git status*" = "allow";
+ "git log*" = "allow";
+ "git diff*" = "allow";
+ "git branch*" = "allow";
+ "git show*" = "allow";
+ "git stash list*" = "allow";
+ "git remote -v" = "allow";
+ "git add *" = "allow";
+ "git commit *" = "allow";
+ "jj *" = "ask";
+ "jj status" = "allow";
+ "jj log*" = "allow";
+ "jj diff*" = "allow";
+ "jj show*" = "allow";
+ "npm *" = "ask";
+ "npx *" = "ask";
+ "bun *" = "ask";
+ "bunx *" = "ask";
+ "uv *" = "ask";
+ "pip *" = "ask";
+ "pip3 *" = "ask";
+ "yarn *" = "ask";
+ "pnpm *" = "ask";
+ "cargo *" = "ask";
+ "go *" = "ask";
+ "make *" = "ask";
+ "dd *" = "deny";
+ "mkfs*" = "deny";
+ "fdisk *" = "deny";
+ "parted *" = "deny";
+ "eval *" = "deny";
+ "source *" = "deny";
+ "curl *|*sh" = "deny";
+ "wget *|*sh" = "deny";
+ "sudo *" = "deny";
+ "su *" = "deny";
+ "systemctl *" = "deny";
+ "service *" = "deny";
+ "shutdown *" = "deny";
+ "reboot*" = "deny";
+ "init *" = "deny";
+ "> /dev/*" = "deny";
+ "cat * > /dev/*" = "deny";
+ };
+ external_directory = "ask";
+ doom_loop = "ask";
+ };
+ };
+ librarian = {
+ model = "anthropic/claude-sonnet-4-5";
+ permission = {
+ edit = "deny";
+ bash = "deny";
+ };
+ };
+ explore = {
+ model = "opencode/big-pickle";
+ permission = {
+ edit = "deny";
+ bash = "deny";
+ };
+ };
+ oracle = {
+ model = "anthropic/claude-sonnet-4-5";
+ permission = {
+ edit = "deny";
+ bash = "deny";
+ };
+ };
+ frontend-ui-ux-engineer = {
+ model = "anthropic/claude-opus-4-5";
+ permission = {
+ edit = "allow";
+ bash = {
+ "*" = "ask";
+ "npm *" = "ask";
+ "npx *" = "ask";
+ "bun *" = "ask";
+ "bunx *" = "ask";
+ "rm *" = "ask";
+ "mv *" = "ask";
+ "dd *" = "deny";
+ "mkfs*" = "deny";
+ "sudo *" = "deny";
+ "curl *|*sh" = "deny";
+ "wget *|*sh" = "deny";
+ };
+ };
+ };
+ document-writer = {
+ model = "anthropic/claude-opus-4-5";
+ permission = {
+ edit = "allow";
+ bash = "deny";
+ };
+ };
+ multimodal-looker = {
+ model = "anthropic/claude-opus-4-5";
+ permission = {
+ edit = "deny";
+ bash = "deny";
+ };
+ };
+ };
+ disabled_mcps = ["context7"];
+ };
 }
diff --git a/hosts/m3-ares/secrets.nix b/hosts/m3-ares/secrets.nix
index e2bcf01..4f3b30e 100644
--- a/hosts/m3-ares/secrets.nix
+++ b/hosts/m3-ares/secrets.nix
@@ -25,6 +25,10 @@
 file = ../../secrets/ref-key.age;
 owner = "m3tam3re";
 };
+ exa-key = {
+ file = ../../secrets/exa-key.age;
+ owner = "m3tam3re";
+ };
 tailscale-key.file = ../../secrets/tailscale-key.age;
 m3tam3re-secrets = {
 file = ../../secrets/m3tam3re-secrets.age;
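Review bot: The Sisyphus `bash` permission block starts from `"*" = "allow"` and then enumerates commands to `ask` or `deny`, which is a default-allow blocklist: any command the list does not name — including other shells or interpreters that end up running the same operation, or a wrapper in front of a listed binary — falls through to `allow`, and this is the one agent that also has `edit = "allow"` on a host where secrets are readable under `/run/agenix/`. The `frontend-ui-ux-engineer` block further down already uses `"*" = "ask"`; Sisyphus should start from the same default, `"*" = "ask";`, and keep only the read-only entries (`git status*`, `git log*`, `jj status`, …) as explicit `allow`. How overlapping globs are resolved (`"git *" = "ask"` next to `"git add *" = "allow"`, `"jj *"` next to `"jj status"`) is not visible from this file; I am assuming the more specific pattern wins, and a one-line comment stating that assumption above the `bash = {` line would save the next reader the same check. The Exa MCP entry at the top of the hunk runs `bunx exa-mcp-server@latest` with `EXA_API_KEY` in its environment, so each start pulls whatever npm currently publishes and hands it the key; pin it to a specific version, e.g. `exec bunx exa-mcp-server@<pinned-version> tools=web_search_exa`, and the same applies to the pre-existing `@anyproto/anytype-mcp` line. The enclosing `programs.opencode.settings` set begins before this hunk.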
diff --git a/hosts/m3-kratos/secrets.nix b/hosts/m3-kratos/secrets.nix
index c7dcaaa..949aeae 100644
--- a/hosts/m3-kratos/secrets.nix
+++ b/hosts/m3-kratos/secrets.nix
@@ -36,6 +36,10 @@
 file = ../../secrets/ref-key.age;
 owner = "m3tam3re";
 };
+ exa-key = {
+ file = ../../secrets/exa-key.age;
+ owner = "m3tam3re";
+ };
 };
 };
 }
diff --git a/secrets.nix b/secrets.nix
index ae27004..e1c2761 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -29,6 +29,7 @@ in {
 "secrets/n8n-env.age".publicKeys = systems ++ users;
 "secrets/paperless-key.age".publicKeys = systems ++ users;
 "secrets/ref-key.age".publicKeys = systems ++ users;
+ "secrets/exa-key.age".publicKeys = systems ++ users;
 "secrets/restreamer-env.age".publicKeys = systems ++ users;
 "secrets/searx.age".publicKeys = systems ++ users;
 "secrets/tailscale-key.age".publicKeys = systems ++ users;
diff --git a/secrets/exa-key.age b/secrets/exa-key.age
new file mode 100644
index 0000000..1f5ec20
--- /dev/null
+++ b/secrets/exa-key.age
@@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 4NLKrw BJ2iDD2cLf/qP+VxEHz6Y+8GJ4s4I2wP92uBMG2ttQc +Nea+eK5CELL0eBq8+xuT+qDEbPyRzUgjnhDY+Mk8bjA +-> ssh-ed25519 5kwcsA kpzfRai9rtonBkKVpYkD5kSYTsxbpwAliLO6WnyAgx8 +BXG4c2yGwkaXPCkKAiOqrNJknz/tN1jOXmTuj6mJvzA +-> ssh-ed25519 9d4YIQ fRuLFIYDaY7JdtZs9BP4xm7zwDdBYGrzuueuQgS+QWo +YM65b3HG43cP7EvcbX+WIn76a9I427MaeI0kJm0ZjHA +-> ssh-ed25519 3Bcr1w /zGBacmchTtDaaCykhuJkMatDzuo7Hi8iefvnqYDyEg +bK+aCK8cN7gDqLo15z6BC7WaWA+xXXSjP/eoe3ch71M +-> ssh-rsa DQlE7w +JRj461Gh8JYOykv4J2ce6W+q0y4imNfJgAF8r/1FvIy1VYSpDPtPqX6zIldKZ4Fs +dcTpL4AFyQHysrLlMeTuOf7+91vWxBAPqMUR4DtEqxrnYKDpDMy6Addonx7ZhmwZ +gl1dnfx7W9OxGrYZm3YsV5q4lvK1rwzDIswFduOky/kH65SUzdLl5nm8AcSQbKjy +k2jR57/0+z2wmHdxrjY4aEredqTXZNfWRbrX3RQc3xlzka4qajVKAuq4V6EsV3h0 +SjQfRgMTnqMyTxqbURl2L5juZrLSj3UAFvYLi7nLCfKjBeRmezG5zZ58eJPnq3co +A5Dy884MXuciLhc8nDUcTCSJap50P9HlyETq6ptzBV8JAF9TSpxY/gzbMt77VZFb +MKf+3gtUIOaXzmzkFp6u90XLN+0n6kM+eJw6PMAPHxHfRDHTtPXE7ZMxRt/TKv1D +Pi/Aqmi5Q9t79TfcNsIT7DcspefCSf4NdTrggxOxo0jmKNw4mdN5SLVqnZ/Ij72R + +--- gwpY8yhU+VJSvw2xbmfKHrp8lJpb/0LuGaFDRIA7ORI +¥.ÑÉ®Ÿ ùL,rð’RjmÚê<ûo ç$»ß 4!>OÖ‹S/¦v@ŽÑ‚}-uŠàÉ_¶8èåøJ¯´Ð)¹hŒ \ No newline at end of file