m3ta-chiron
fc39e05beb
feat: Hermes Dashboard via m3-atlas Traefik with TLS + Netbird-only access
m3-hermes:
- Add --insecure flag (required for 0.0.0.0 bind, safe behind Netbird firewall)
- Update comments to document the Traefik proxy flow
m3-atlas Traefik:
- New service: hermes-dashboard → http://100.81.231.152:9119 (Netbird)
- New router: dash.m3ta.dev with GoDaddy TLS cert
- New middleware: netbird-only (IP whitelist 100.64.0.0/16)
Flow: Browser → dash.m3ta.dev (TLS) → Traefik → Netbird → m3-hermes:9119
2026-05-11 15:53:04 +02:00
m3tam3re
e6f184f24a
chore: hermes dashboard over netbird
2026-05-11 11:36:49 +02:00
m3tam3re
72ef896297
Merge pull request 'feat(m3-hermes): Hermes Dashboard as systemd service with Netbird-only firewall' (#13) from feat/hermes-dashboard-service into master
Reviewed-on: #13
2026-05-11 11:26:51 +02:00
m3ta-chiron
20bd28d567
feat(m3-hermes): add Hermes Dashboard as systemd service with Netbird-only firewall
- New hermes-dashboard.service: runs 'hermes dashboard' on 0.0.0.0:9119
- Firewall restricts port 9119 to Netbird mesh VPN range (100.64.0.0/16)
- Runs as hermes user with NoNewPrivileges + ProtectSystem hardening
- Depends on hermes-agent.service (starts after gateway)
- Added placeholder hermes-api-server-key.age (needs real encryption on host)
2026-05-11 11:19:21 +02:00
m3tam3re
e743808d2b
Merge pull request 'feat(m3-hermes): Netbird mesh VPN + API server for Desktop App' (#12) from feat/hermes-netbird-api-server into master
Reviewed-on: #12
2026-05-11 09:15:48 +02:00
m3ta-chiron
c6df5d3836
feat(m3-hermes): add Netbird mesh VPN + enable API server for Hermes Desktop
2026-05-10 11:46:21 +02:00
m3tam3re
1544764f37
chore: m3-atlas -coding
2026-05-09 10:46:47 +02:00
m3tam3re
c4fefdd172
Merge pull request 'feat(m3-hermes): enable Kanban board + update for v0.13.0' (#11) from feat/hermes-v0.13-kanban into master
Reviewed-on: #11
2026-05-09 10:43:53 +02:00
m3ta-chiron
ee94ebf660
feat(m3-hermes): enable kanban board + update for v0.13.0
- Add kanban config block with gateway-embedded dispatcher
(dispatch_in_gateway=true, 60s interval)
- Update venvSitePackages path from python3.11 to python3.12
(v0.13.0 upgraded Python runtime)
- Update checkpoints section comment for v2
2026-05-09 10:29:22 +02:00
m3tam3re
6128d0ae61
chore: update m3-atlas
2026-05-09 10:17:14 +02:00
m3tam3re
22f15abd34
chore: flake update
2026-05-09 09:58:33 +02:00
m3tam3re
90e417525b
Merge pull request 'feat: integrate m3ta-home for centralized user profiles' (#9) from feat/m3ta-home-integration into master
Reviewed-on: #9
2026-05-02 11:02:54 +02:00
m3ta-chiron
a455789bee
refactor: remove old home/ directory (77 files migrated to m3ta-home)
All home-manager configuration is now centralized in the m3ta-home repo:
- profiles/base/ ← shell, CLI tools, secrets
- profiles/contexts/ ← desktop, server
- profiles/sets/ ← coding, gaming, media
- users/ ← identities, preferences
Per-host overrides (monitors, XDG/MIME) remain in hosts/<name>/home.nix.
Central user integration via hosts/common/users/m3tam3re.nix.
2026-05-02 11:01:12 +02:00
m3ta-chiron
2078d6bccd
docs: update AGENTS.md for m3ta-home integration, work identity, new structure
2026-05-02 10:54:42 +02:00
m3ta-chiron
5cbb975c78
feat: complete host home.nix files + add m3-daedalus, clean up m3tam3re.nix
- hosts/m3-kratos/home.nix: XDG/MIME defaults + dual DP Hyprland monitors
- hosts/m3-ares/home.nix: XDG/MIME defaults + eDP+HDMI Hyprland monitors
- hosts/m3-daedalus/home.nix: XDG/MIME defaults (no Hyprland)
- hosts/common/users/m3tam3re.nix: refactored hostFlags into let binding,
added m3-daedalus profile (desktop/coding+media, no gaming/Hyprland)
2026-05-02 10:41:12 +02:00
m3ta-chiron
f2ecd13780
fix: set home-manager.useGlobalPkgs=true for m3ta-nixpkgs overlays
2026-05-02 10:08:50 +02:00
m3ta-chiron
ab1bdc9848
feat: integrate m3ta-home for centralized user profiles
2026-05-02 09:53:27 +02:00
m3tam3re
1692a34f6e
Merge pull request 'feat: enable orchestrator + switch TTS to Edge (Katja voice)' (#8) from feature/orchestrator-edge-tts into master
Reviewed-on: #8
2026-05-01 16:15:13 +02:00
m3ta-chiron
2403e54039
feat: enable orchestrator + switch TTS to Edge (Seraphina voice)
- Enable delegation.orchestrator_enabled with max_spawn_depth=2
- Switch TTS from ElevenLabs (paid) to Edge TTS (free)
- Voice: de-DE-SeraphinaMultilingualNeural — friendly, multilingual German female
- No API key required
2026-05-01 16:06:49 +02:00
m3tm3re
3e8c95944c
chore: hermes update
2026-05-01 12:06:23 +02:00
m3ta-chiron
fbc555feeb
feat: pi guardrails
2026-04-29 20:14:07 +02:00
m3ta-chiron
6a5d8f0011
feat(agents): add strict security hardening for Pi and OpenCode
Pi Guardrails:
- Enables @aliou/pi-guardrails with strict default config
- Sets onboarding.completed = true to skip onboarding prompt
- Enables pathAccess in ask mode for /nix/store and /tmp
- Adds noAccess policies for: SSH keys, GPG keys, AWS config,
Kubernetes config, cloud CLI configs (gh/gcloud/1password/sops),
agenix secrets, Pi auth/sessions, env files, private keys/certs
- Adds auto-deny patterns for env leakage commands:
env, printenv, /proc/*/environ, GPG secret exports,
ssh-add -D, password manager reads
OpenCode permissions:
- Adds permission section with global security rules
- external_directory: ask by default, allow /nix/store and /tmp
- read/edit: allow by default, deny SSH/GPG/AWS/Kube/cloud configs,
agenix secrets, Pi auth/sessions, env files, private keys/certs
- glob: restrict sensitive path patterns
- grep: deny SSH/GPG/agenix, ask for PASSWORD/SECRET/API_KEY/PRIVATE_KEY
- bash: ask by default, allow safe git/nix commands,
deny env/printenv/proc/GPG secret/sudo/ssh-add deletion/curl|sh
- webfetch: ask by default, allow github/nixos search
- doom_loop: ask
2026-04-29 19:48:29 +02:00
m3tam3re
9c3d10836f
Merge pull request 'fix: add uv to hermes-agent service PATH' (#7) from fix/hermes-agent-uv-path into master
Reviewed-on: #7
2026-04-29 16:24:17 +02:00
m3ta-chiron
a615ab61e8
fix: add uv to hermes-agent service PATH
Add pkgs.uv to systemd.services.hermes-agent.path so that CronJobs
and terminal sessions can execute PEP 723 scripts via 'uv run'
(e.g. garmin-daily.py for Garmin Connect health data).
Also adds uv to environment.systemPackages for general availability.
2026-04-29 16:18:41 +02:00
m3ta-chiron
193b8c0115
fix(git-identity): use existing gitea SSH key for agent commits
The m3ta-chiron SSH key was not accepted by Gitea.
Using the existing gitea key instead for push authentication.
2026-04-27 19:52:11 +02:00
m3tm3re
f76c4dd5d4
chore: symlink pip to uv pip
2026-04-27 19:36:52 +02:00
m3tm3re
05dc6bf608
chore: symlink pip to uv pip
2026-04-27 19:07:26 +02:00
m3tam3re
d524864fc3
Merge pull request 'feature/agent-git-identity' (#6) from feature/agent-git-identity into master
Reviewed-on: #6
2026-04-27 17:55:06 +02:00
m3tm3re
09e2ba8538
chore: AGENTS + nixpkgs input urls
2026-04-27 17:53:08 +02:00
m3tm3re
a427f319d4
feat(agents): add gitIdentity config and git-identity rule
- coding.agents.gitIdentity enabled with m3ta-chiron identity
- coding.agents.pi.codingRules.concerns includes 'git-identity'
- Uses feature/agent-git-identity branches for m3ta-nixpkgs and agents
2026-04-27 13:24:34 +02:00
m3tm3re
936eb13794
feat: add global skills to hermes environment
2026-04-26 15:14:54 +02:00
m3tm3re
5b0e6cbd5d
feat(hermes-agent): add copy-hermes-skills systemd service
2026-04-26 14:37:43 +02:00
m3tm3re
2302810d11
chore: update beads issue state and gitignore docs/plans
2026-04-26 14:35:38 +02:00
m3tm3re
25ac47a422
feat(hermes-agent): add mkOpencodeSkills integration for skills provisioning
- Add inputs parameter to module signature for flake input access
- Define hermesSkills via inputs.agents.lib.mkOpencodeSkills
- Includes customSkills from agents flake and external skills:
- skills-basecamp (basecamp/basecamp-cli)
- skills-anthropic (anthropics/skills)
- skills-kestra (kestra-io/agent-skills)
- Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors)
2026-04-26 14:35:06 +02:00
m3tm3re
e6cfcc346b
docs(agents): expand Beads workflow documentation
- Add 6-step core workflow with examples
- Document slash commands for agent integration
- Add 'Why Beads?' section emphasizing persistence
- Note to avoid bd edit in agent contexts
- Include dependency linking examples
2026-04-26 14:12:30 +02:00
m3tm3re
09bc9da6d9
chore: complete AGENTS.md documentation
- Add comprehensive project documentation to AGENTS.md
- Remove stale docs from docs/ directory
- Update agent configs (agents.nix, pi.nix)
- Update python.nix language config
- Update .gitignore
2026-04-26 14:10:54 +02:00
m3tm3re
eb06533174
Merge feature/home-profile-restructuring: home-manager profile refactoring
Refactor home-manager configuration structure:
- Reorganize from features/ to base/coding/desktop/server/profiles/
- Add language runtime modules (go, js, python, rust, typescript)
- Add LSP server configuration
- Add gaming and media profiles
- Add shell modules (fish, nushell, starship)
- Consolidate editor and git configuration
2026-04-26 13:53:00 +02:00
m3tm3re
0d81b0e5e9
chore: add beads issue tracker configuration
2026-04-26 13:49:23 +02:00
m3tm3re
0ea8b8d2eb
feat(home): extract CLI tools into modular home/base structure
- Add individual modules for: bat, carapace, direnv, eza, fzf, lf, nitch,
television, zellij, zellij-ps, zoxide
- Centralize in home/base/cli-tools/ with default.nix aggregator
- Simplify home/base/packages by removing extracted tools
2026-04-26 13:49:17 +02:00
m3tm3re
30a9a23de2
refactor: add language runtimes module and cleanup agent config
- Add home/coding/languages/ with Python, JavaScript, Rust, Go, TypeScript
- Move bun/nodejs from agents.nix to languages/javascript.nix
- Move python3 with packages to languages/python.nix
- Move npm config to javascript.nix (broader context)
- Add language options to m3-ares and m3-kratos host configs
- Move pyrefly from agents.nix to lsp/servers.nix
- Remove duplicate python3 reference (build conflict fix)
- Remove unused base/secrets/cli-tools/ duplicates
2026-04-26 13:20:22 +02:00
m3tm3re
6d0149ee6e
feat: add AMD GPU tools, media packages, and productivity module
Task 3 - Gaming profile:
- Add gpu.nix with ROCm runtime/smi/info and vulkan-tools
- Import gpu.nix in gaming profile aggregator
Task 4 - Media profile:
- Add unimatrix to yt-dlp.nix packages
- (plexamp, webcord, mpv config were already present)
Task 5 - Desktop apps:
- Add productivity.nix with pomodoro-timer
- Import productivity.nix in desktop apps aggregator
2026-04-26 12:32:47 +02:00
m3tm3re
d19b87f8cd
feat: add coding packages module (bruno, insomnia)
2026-04-26 12:29:14 +02:00
m3tm3re
8f5d076d7b
fix: make base modules enabled by default; document lazylib→lazygit
- All base/* modules now use (mkEnableOption "...") // { default = true; }
so they activate automatically when imported — no explicit .enable = true
required in host configs
- packages.nix: add comment documenting that lazylib does not exist in
nixpkgs; lazygit is the correct and intended package
- zellij-ps.nix: clarify that cli.zellij-ps namespace is intentional —
it is the home-manager module convention from m3ta-nixpkgs
- nix flake check passes (warnings are pre-existing)
2026-04-26 12:16:44 +02:00
m3tm3re
3c9a107608
feat: add missing packages and programs to base cli-tools
- packages.nix: essential packages (jq, ripgrep, fd, htop, coreutils,
lazygit, httpie, just, devenv, gcc, go, sqlite, sqlite-vec, nix-index,
nix-update, progress, comma, fabric-ai, llm, basecamp, hyprpaper-random,
libnotify, trash-cli, unzip, zip, yazi)
- bat.nix: bat with nix-colors derived syntax theme
- carapace.nix: multi-shell completion (fish, nushell, bash)
- direnv.nix: automatic env loading with nix-direnv
- eza.nix: modern ls with icons, git status, long format
- lf.nix: terminal file manager with bat preview
- zoxide.nix: smarter cd with fish and nushell integration
- zellij-ps.nix: project session manager wrapping cli.zellij-ps
2026-04-26 12:06:36 +02:00
m3tm3re
cc01c1d0aa
fix(agents): make videoDrivers optional with safe default
For standalone Home Manager evaluation where videoDrivers may be absent
2026-04-26 11:37:17 +02:00
m3tm3re
d59a6b82b6
chore: remove features.old archive and format all files
- Delete home/features.old/ (archived old flat feature modules)
- All content migrated to new profile-based structure
- Run alejandra formatter over 13 changed files
- nix flake check passes cleanly
2026-04-26 11:29:49 +02:00
m3tm3re
d44bdad73a
refactor: archive old features directory to features.old
The new profile-based structure (home/base, home/desktop, home/server,
home/profiles/, home/coding) is fully operational and imported via
home/lib/mkHomeConfig. The legacy home/features directory is no longer
referenced anywhere in the configuration.
Archived rather than deleted to preserve history for reference.
2026-04-26 11:22:17 +02:00
m3tm3re
797ffb2b8a
fix: assert unknown profiles in mkHomeConfig; move agent modules to coding/agents
- home/lib/default.nix: add assertion for unknown profile names instead of
silently filtering them out; remove unused 'inherit (lib) optional'
- home/coding/agents/{opencode,pi}.nix: moved from home/features/coding/
to co-locate with agents.nix (eliminating cross-directory back-references)
- home/coding/agents/agents.nix: update imports to ./opencode.nix and ./pi.nix
- home/features/coding/: remove now-dead default.nix (nothing imported it)
2026-04-26 11:17:03 +02:00
m3tm3re
73bd2b1f2e
fix: spec review - add missing fish module to base/shell
- Create home/base/shell/fish.nix
- Add to base/shell/default.nix imports
- Migrate remaining hosts from features.cli.fish to base.shell.fish
2026-04-26 11:09:50 +02:00
m3tm3re
f3749c5679
feat: implement profile system with mkHomeConfig and context constraints
- Add home/lib/default.nix with mkHomeConfig utility
- Loads base + common modules always
- Maps profiles (coding, gaming, media) to module imports
- Enforces desktop/server mutual exclusion via assertion
- Context must be 'desktop', 'server', or null
- Migrate all per-host home configs to new profile system
- m3-ares: context=desktop, profiles=[coding, gaming, media]
- m3-kratos: context=desktop, profiles=[coding, gaming, media]
- m3-atlas: context=server, profiles=[coding]
- m3-helios: context=server, profiles=[]
- m3-hermes: context=server, profiles=[]
- m3-aether: context=server, profiles=[]
- m3-daedalus: context=desktop, profiles=[coding, media]
- Replace features.* options with new namespaces:
- features.cli.* -> base.shell.* / base.cliTools.* / base.secrets
- features.desktop.* -> desktop.wm.* / desktop.apps.* / desktop.theme.*
- gaming/media moved to profiles.gaming.* / profiles.media.*
- Fix home/coding/editor/neovim.nix: remove duplicate option declaration
(coding.editors.neovim.enable already declared by m3ta-nixpkgs)
- Fix home/coding/lsp/servers.nix: replace removed nodePackages.typescript-language-server
with typescript-language-server
- Fix home/desktop/theme/wallpapers.nix: correct relative path
(was ../../.. which resolved to project root, should be ../..)
2026-04-26 11:03:43 +02:00