22 Commits

m3ta-chiron 45ac13141c update agent-lib 2026-06-13 14:22:20 +02:00
m3ta-chiron 879bdb3005 refactor: consume agent-lib through m3ta-home 2026-06-13 09:25:40 +02:00
m3ta-chiron c692ca1c63 fix: nix eval warnings 2026-06-11 17:42:43 +02:00
m3ta-chiron 2a1dbe540a fix: ksnip crash 2026-06-11 09:29:20 +02:00
m3ta-chiron 93216125d6 Merge branch 'master' of code.m3ta.dev:m3tam3re/nixos-config 2026-06-11 08:53:30 +02:00
m3ta-chiron 690475af84 flake update 2026-06-11 07:50:09 +02:00
m3ta-chiron 80c49a6727 chore: pin m3-atlas ghost to version 6 2026-06-09 18:40:25 +02:00
m3ta-chiron 8b495c6bc9 fix: lock m3ta-home git input 2026-06-07 11:11:06 +02:00
m3ta-chiron 9bceb1c6d0 fix: make inputs self-contained 2026-06-06 13:15:27 +02:00
m3ta-chiron a5d321805b merge into master 2026-06-06 08:02:37 +02:00
m3ta-chiron 0519de4f1d chore: m3-are to new ui 2026-06-06 07:54:30 +02:00
m3ta-chiron 9316aab5ca +nier wallpaper 2026-06-02 19:26:39 +02:00
m3ta-chiron a87234bd7f +dms 2026-06-02 18:20:43 +02:00
m3ta-chiron 651b808f15 +agents-lib in m3ta-home 2026-05-31 14:37:46 +02:00
m3ta-chiron a9ffe3ed28 feat: agent-lib exlude agents 2026-05-31 14:10:15 +02:00
m3ta-chiron 7c5b92c377 Align nixpkgs with Home Manager 26.11 2026-05-31 13:14:24 +02:00
m3ta-chiron 6c4e16de3d feat(m3-kratos): enable agent-lib shared skills 2026-05-30 10:01:47 +02:00
m3ta-chiron f20dd18b5f +babysitter 2026-05-29 18:35:12 +02:00
m3ta-chiron 23b4e825b1 m3ta-home update 2026-05-29 17:38:20 +02:00
m3ta-chiron 2a37ea8fbc fix(kratos): launch Hyprland via wrapper from greetd 2026-05-25 09:51:06 +02:00
m3ta-chiron b1fb63c814 fix(kratos): simplify tuigreet login command
Root cause: The complex concatStringsSep command with power commands
(--power-shutdown, --power-reboot) and multiple --remember flags was
causing tuigreet to display its usage/flags instead of the login UI.
The quoting in the systemd binary paths may have been problematic.

Changes:
- Use lib.getExe instead of manual bin path for tuigreet
- Use simple 'Hyprland' command (found via PATH) instead of
  the full start-hyprland path which may have issues
- Remove unverified options: --remember-session, --remember-user-session,
  --user-menu, --user-menu-min-uid, --power-shutdown, --power-reboot
- Keep only verified options: --time, --remember, --asterisks, --cmd
- Update tmpfiles comment to reflect actual requirement

This provides a minimal, stable login that works reliably.
User can reboot to test.
2026-05-25 09:34:01 +02:00
m3ta-chiron 32677cfb40 fix(kratos): replace gdm with greetd/tuigreet login manager 2026-05-25 09:19:08 +02:00
27 changed files with 7831 additions and 425 deletions
+3
@@ -0,0 +1,3 @@
node_modules/
runs/
*.log
@@ -0,0 +1,5 @@
{
"nixosConfigDir": "/home/m3tam3re/p/NIX/nixos-config",
"m3taHomeDir": "/home/m3tam3re/p/NIX/m3ta-home",
"specPath": "/home/m3tam3re/p/NIX/nixos-config/.a5c/inputs/fix-eval-warnings-spec.md"
}
+10
@@ -0,0 +1,10 @@
Fix the following Nix/Home Manager evaluation warnings except for the gc/nh conflict warning:
- `evaluation warning: 'system' has been renamed to/replaced by 'stdenv.hostPlatform.system'`
- `evaluation warning: m3tam3re profile: programs.ssh.matchBlocks defined in /nix/store/...-users/m3tam3re/identities/private.nix is deprecated. Use programs.ssh.settings.`
Do not fix or change the warning:
- `evaluation warning: programs.nh.clean.enable and nix.gc.automatic are both enabled. Please use one or the other to avoid conflict.`
The private identity source file is in `/home/m3tam3re/p/NIX/m3ta-home/users/m3tam3re/identities/private.nix`.
+5
@@ -0,0 +1,5 @@
{
"projectRoot": "/home/m3tam3re/p/NIX/nixos-config",
"isNewProject": false,
"additionalContext": "Install and configure babysitter for this existing NixOS flake configuration repository. Respect AGENTS.md instructions, Beads workflow, Nix conventions, and avoid interactive/destructive operations unless explicitly approved."
}
+4570
+9
@@ -0,0 +1,9 @@
{
"name": "nixos-config-a5c",
"version": "1.0.0",
"private": true,
"type": "module",
"dependencies": {
"@a5c-ai/babysitter-sdk": "latest"
}
}
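Review bot: The SDK dependency is declared as `"@a5c-ai/babysitter-sdk": "latest"`, so every `npm install` resolves whatever version is newest at that moment and the process file's behavior is not reproducible between runs; pin it, e.g. `"@a5c-ai/babysitter-sdk": "^<pinned-version>"`. If a package-lock.json is not already among the 27 changed files, commit one as well; the .gitignore hunk in this commit excludes only node_modules/, runs/ and *.log, so a lockfile can be tracked. Because this package drives shell and agent tasks with write access to two repositories, a floating tag is a supply-chain exposure rather than a cosmetic issue.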
+301
@@ -0,0 +1,301 @@
/**
* @process local/fix-nix-eval-warnings
* @description Fix Nix/Home Manager evaluation warnings except the nh/gc conflict warning.
* @skill systematic-debugging methodologies/superpowers/systematic-debugging.js
* @skill verification-before-completion methodologies/superpowers/verification-before-completion.js
* @skill root-cause-diagnosis methodologies/shared/root-cause-diagnosis.js
*/
import { defineTask } from '@a5c-ai/babysitter-sdk';
const q = (value) => `'${String(value).replace(/'/g, `'\\''`)}'`;
export async function process(inputs, ctx) {
const nixosConfigDir = inputs.nixosConfigDir || '/home/m3tam3re/p/NIX/nixos-config';
const m3taHomeDir = inputs.m3taHomeDir || '/home/m3tam3re/p/NIX/m3ta-home';
const specPath = inputs.specPath || `${nixosConfigDir}/.a5c/inputs/fix-eval-warnings-spec.md`;
const spec = await ctx.task(readSpecTask, { specPath });
const inspection = await ctx.task(inspectWarningSourcesTask, {
nixosConfigDir,
m3taHomeDir,
});
const implementation = await ctx.task(implementFixesTask, {
nixosConfigDir,
m3taHomeDir,
spec: spec.stdout,
inspection: inspection.stdout,
});
const formatting = await ctx.task(formatChangedNixTask, {
m3taHomeDir,
});
const verification = await ctx.task(verifyWarningsTask, {
nixosConfigDir,
m3taHomeDir,
});
const artifacts = await ctx.task(collectArtifactsTask, {
nixosConfigDir,
m3taHomeDir,
verifyStdout: verification.stdout || '',
verifyStderr: verification.stderr || '',
});
const acceptance = await ctx.task(acceptanceReviewTask, {
spec: spec.stdout,
artifacts: artifacts.stdout,
});
if (!acceptance.accepted) {
await ctx.breakpoint({
title: 'Warning fix acceptance review failed',
question: `Acceptance review did not approve the changes: ${acceptance.reason}`,
context: {
runId: ctx.runId,
files: [
{ path: `${m3taHomeDir}/users/m3tam3re/identities/private.nix`, format: 'nix', label: 'Private SSH identity' },
{ path: `${m3taHomeDir}/profiles/sets/coding/agents/agents.nix`, format: 'nix', label: 'Agent packages' },
{ path: `${m3taHomeDir}/profiles/contexts/desktop/default.nix`, format: 'nix', label: 'Desktop packages' },
],
},
});
}
return {
success: acceptance.accepted,
summary: implementation.summary,
changedFiles: implementation.changedFiles,
verification: {
formatting: formatting.stdout,
warnings: verification.stdout,
review: acceptance,
},
};
}
export const readSpecTask = defineTask('read-spec', (args, taskCtx) => ({
kind: 'shell',
title: 'Read warning-fix spec',
shell: {
command: `cat ${q(args.specPath)}`,
expectedExitCode: 0,
timeout: 10000,
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
},
labels: ['spec', 'shell'],
}));
export const inspectWarningSourcesTask = defineTask('inspect-warning-sources', (args, taskCtx) => ({
kind: 'shell',
title: 'Inspect current warning sources',
shell: {
command: [
'set -euo pipefail',
`echo '== nixos-config status =='`,
`cd ${q(args.nixosConfigDir)} && git status --short`,
`echo`,
`echo '== m3ta-home status =='`,
`cd ${q(args.m3taHomeDir)} && git status --short`,
`echo`,
`echo '== active pkgs.system-style package selectors =='`,
`grep -RIn --include='*.nix' -E 'packages[.]\\$\\{pkgs[.]system\\}|packages[.]\\$\\{prev[.]system\\}|packages[.]\\$\\{final[.]system\\}' ${q(args.nixosConfigDir)} ${q(args.m3taHomeDir)} || true`,
`echo`,
`echo '== SSH matchBlocks in m3ta-home identities =='`,
`grep -RIn --include='*.nix' 'matchBlocks' ${q(`${args.m3taHomeDir}/users/m3tam3re/identities`)} || true`,
].join('\n'),
expectedExitCode: 0,
timeout: 30000,
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
},
labels: ['diagnosis', 'shell'],
}));
export const implementFixesTask = defineTask('implement-warning-fixes', (args, taskCtx) => ({
kind: 'agent',
title: 'Implement requested warning fixes',
agent: {
name: 'worker',
prompt: {
role: 'Nix/Home Manager maintenance engineer',
task: 'Edit the repositories to remove the requested evaluation warnings, excluding the nh/gc warning by request.',
context: {
nixosConfigDir: args.nixosConfigDir,
m3taHomeDir: args.m3taHomeDir,
specVerbatim: args.spec,
inspectionStdout: args.inspection,
},
instructions: [
'Execute the task fully; do not just provide a plan.',
'Do not invoke the babysit skill or create another babysitter run.',
'Read every file before editing it.',
'Preserve unrelated existing user changes, especially any dirty files in nixos-config such as flake.nix or flake.lock.',
'Fix active uses of pkgs.system/prev.system/final.system that trigger the Nixpkgs deprecation warning by using stdenv.hostPlatform.system through the appropriate package set.',
'Migrate /home/m3tam3re/p/NIX/m3ta-home/users/m3tam3re/identities/private.nix from programs.ssh.matchBlocks to programs.ssh.settings.',
'For programs.ssh.settings, use OpenSSH directive names such as HostName, User, Port, and IdentityFile; do not keep legacy camelCase option names under settings.',
'Do not change programs.nh.clean.enable or nix.gc.automatic; the user explicitly excluded that warning.',
'Keep the change minimal and focused on the warnings in the spec.',
'Run a quick static check of the edited files if practical, but leave deterministic verification to the process quality gate.',
],
outputFormat: 'JSON with summary, changedFiles, and verificationNotes.',
},
outputSchema: {
type: 'object',
required: ['summary', 'changedFiles', 'verificationNotes'],
properties: {
summary: { type: 'string' },
changedFiles: { type: 'array', items: { type: 'string' } },
verificationNotes: { type: 'array', items: { type: 'string' } },
},
},
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
},
labels: ['implementation', 'agent', 'nix'],
}));
export const formatChangedNixTask = defineTask('format-changed-nix', (args, taskCtx) => ({
kind: 'shell',
title: 'Format changed Nix files',
shell: {
command: [
'set -euo pipefail',
`cd ${q(args.m3taHomeDir)}`,
`if command -v alejandra >/dev/null 2>&1; then`,
` alejandra users/m3tam3re/identities/private.nix profiles/sets/coding/agents/agents.nix profiles/contexts/desktop/default.nix`,
`else`,
` nix run nixpkgs#alejandra -- users/m3tam3re/identities/private.nix profiles/sets/coding/agents/agents.nix profiles/contexts/desktop/default.nix`,
`fi`,
].join('\n'),
expectedExitCode: 0,
timeout: 120000,
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
},
labels: ['format', 'shell'],
}));
export const verifyWarningsTask = defineTask('verify-warning-removal', (args, taskCtx) => ({
kind: 'shell',
title: 'Verify requested warnings are gone',
shell: {
command: [
'set -euo pipefail',
`echo '== static checks =='`,
`! grep -RIn --include='*.nix' -E 'packages[.]\\$\\{pkgs[.]system\\}|packages[.]\\$\\{prev[.]system\\}|packages[.]\\$\\{final[.]system\\}' ${q(`${args.m3taHomeDir}/profiles`)} || { echo 'Found deprecated package system selector' >&2; exit 1; }`,
`! grep -n 'matchBlocks' ${q(`${args.m3taHomeDir}/users/m3tam3re/identities/private.nix`)} || { echo 'private.nix still uses matchBlocks' >&2; exit 1; }`,
`grep -n 'settings = {' ${q(`${args.m3taHomeDir}/users/m3tam3re/identities/private.nix`)}`,
`echo`,
`echo '== nix eval m3-ares =='`,
`cd ${q(args.nixosConfigDir)}`,
`eval_stdout=$(mktemp)`,
`eval_stderr=$(mktemp)`,
`set +e`,
`nix eval .#nixosConfigurations.m3-ares.config.system.build.toplevel.drvPath --show-trace >"$eval_stdout" 2>"$eval_stderr"`,
`status=$?`,
`set -e`,
`cat "$eval_stdout"`,
`cat "$eval_stderr" >&2`,
`if [ "$status" -ne 0 ]; then exit "$status"; fi`,
`if grep -F "'system' has been renamed" "$eval_stderr"; then echo 'Deprecated system warning still present' >&2; exit 1; fi`,
`if grep -F 'programs.ssh.matchBlocks' "$eval_stderr"; then echo 'Deprecated SSH matchBlocks warning still present' >&2; exit 1; fi`,
`if grep -F 'programs.nh.clean.enable and nix.gc.automatic' "$eval_stderr" >/dev/null; then echo 'Allowed nh/gc warning remains by request.'; fi`,
].join('\n'),
expectedExitCode: 0,
timeout: 300000,
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
},
labels: ['verification', 'shell', 'nix'],
}));
export const collectArtifactsTask = defineTask('collect-artifacts', (args, taskCtx) => ({
kind: 'shell',
title: 'Collect diffs and verification output',
shell: {
command: [
'set -euo pipefail',
`echo '== m3ta-home diff =='`,
`cd ${q(args.m3taHomeDir)} && git diff -- users/m3tam3re/identities/private.nix profiles/sets/coding/agents/agents.nix profiles/contexts/desktop/default.nix`,
`echo`,
`echo '== nixos-config diff (should not include warning fix unless needed) =='`,
`cd ${q(args.nixosConfigDir)} && git diff -- overlays/default.nix flake.nix flake.lock || true`,
`echo`,
`echo '== verification stdout =='`,
`cat <<'VERIFY_STDOUT'`,
args.verifyStdout || '',
`VERIFY_STDOUT`,
`echo`,
`echo '== verification stderr =='`,
`cat <<'VERIFY_STDERR'`,
args.verifyStderr || '',
`VERIFY_STDERR`,
].join('\n'),
expectedExitCode: 0,
timeout: 30000,
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
},
labels: ['artifacts', 'shell'],
}));
export const acceptanceReviewTask = defineTask('acceptance-review', (args, taskCtx) => ({
kind: 'agent',
title: 'Review changes against requested warning fixes',
agent: {
name: 'reviewer',
prompt: {
role: 'Acceptance reviewer for a Nix/Home Manager warning fix',
task: 'Compare SPEC to ARTIFACTS directly and decide whether the requested warnings were fixed without touching the excluded nh/gc warning.',
instructions: [
'Ignore any narrative in your context about how ARTIFACTS were built.',
'Do not ask for additional changes unless they are required by the SPEC.',
'Accept if the system deprecation warning and private SSH matchBlocks warning are addressed, and the nh/gc conflict remains untouched.',
'',
'SPEC (verbatim):',
'---',
args.spec,
'---',
'',
'ARTIFACTS (verbatim):',
'---',
args.artifacts,
'---',
'',
'Compare SPEC to ARTIFACTS directly. Ignore any narrative in your context about how ARTIFACTS were built.',
],
outputFormat: 'JSON with accepted boolean, reason string, and checkedCriteria array.',
},
outputSchema: {
type: 'object',
required: ['accepted', 'reason', 'checkedCriteria'],
properties: {
accepted: { type: 'boolean' },
reason: { type: 'string' },
checkedCriteria: { type: 'array', items: { type: 'string' } },
},
},
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
},
labels: ['acceptance', 'agent', 'review'],
}));
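Review bot: In collectArtifactsTask the verification output is spliced into the generated shell script as the body of a quoted heredoc (`cat <<'VERIFY_STDOUT'` / `args.verifyStdout || ''` / `VERIFY_STDOUT`, and the matching VERIFY_STDERR triple), so any output line equal to the delimiter terminates the heredoc early and the remainder of that output is executed as shell commands; the stderr comes from `nix eval` over files the worker agent just edited, so this is text the process does not control. The `q()` helper at the top of the file already does correct POSIX single-quote escaping, so each three-line heredoc can be replaced by one array element, `printf '%s\\n' ${q(args.verifyStdout || '')}` and `printf '%s\\n' ${q(args.verifyStderr || '')}` respectively. Separately, verifyWarningsTask creates two `mktemp` files and never removes them; adding `trap 'rm -f "$eval_stdout" "$eval_stderr"' EXIT` right after they are created closes that leak. The fallback `nix run nixpkgs#alejandra` in formatChangedNixTask resolves through the flake registry rather than a pinned input, so the formatter version used is presumably not reproducible between runs; the repository profile in this same commit lists alejandra in the flake's devShell, which would be the pinned source.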
+596
@@ -0,0 +1,596 @@
{
"projectName": "nixos-config",
"description": "A reliable, elegant, multi-system NixOS flake configuration for personal desktop, server, cloud, Home Manager, package, overlay, and secret management.",
"goals": [
{
"id": "goal-reliability-1",
"description": "Keep all managed NixOS systems reproducible, reliable, and easy to validate before deployment.",
"category": "reliability",
"priority": "high",
"status": "active"
},
{
"id": "goal-architecture-1",
"description": "Maintain an elegant multi-system architecture with clear host boundaries and reusable common modules.",
"category": "architecture",
"priority": "high",
"status": "active"
},
{
"id": "goal-modularization-1",
"description": "Continue breaking up the former monorepo by keeping Home Manager profiles in m3ta-home and custom packages/modules in m3ta-nixpkgs where appropriate.",
"category": "modularization",
"priority": "high",
"status": "active"
},
{
"id": "goal-cicd-1",
"description": "CI/CD is not currently configured; add useful Gitea Actions validation later for formatting, linting, flake evaluation, and safe host checks.",
"category": "automation",
"priority": "medium",
"status": "deferred"
}
],
"techStack": {
"languages": [
{
"name": "Nix",
"role": "primary system, module, overlay, and package configuration language"
},
{
"name": "Markdown",
"role": "project, agent, and workflow documentation"
},
{
"name": "JSON/YAML",
"role": "tool configuration and metadata"
}
],
"frameworks": [
{
"name": "Nix flakes",
"category": "reproducible dependency and output model"
},
{
"name": "NixOS modules",
"category": "host and service configuration"
},
{
"name": "Home Manager",
"category": "user environment management"
},
{
"name": "Agenix",
"category": "encrypted secret management"
},
{
"name": "Disko",
"category": "server disk provisioning"
},
{
"name": "NUR",
"category": "community package access"
},
{
"name": "llm-agents.nix",
"category": "LLM agent packages overlay"
},
{
"name": "m3ta-home",
"category": "external reusable Home Manager profiles"
},
{
"name": "m3ta-nixpkgs",
"category": "external custom packages/modules/overlays"
}
],
"databases": [],
"infrastructure": [
{
"name": "m3-ares",
"category": "desktop NixOS host"
},
{
"name": "m3-kratos",
"category": "desktop NixOS host"
},
{
"name": "m3-daedalus",
"category": "portable laptop/Home Manager configuration"
},
{
"name": "m3-atlas",
"category": "primary server NixOS host"
},
{
"name": "m3-helios",
"category": "minimal server/AdGuard host"
},
{
"name": "m3-hermes",
"category": "secondary server/Hermes host"
},
{
"name": "m3-aether",
"category": "cloud VM/minimal server host"
}
],
"buildTools": [
"nix",
"nixos-rebuild",
"nix build",
"nix flake show",
"alejandra",
"statix",
"deadnix"
],
"packageManagers": [
"nix flakes"
]
},
"architecture": {
"pattern": "Pure Nix flake-based NixOS configuration repository with host-specific modules, common shared modules, overlays, custom packages, agenix secrets, and externalized Home Manager/package inputs.",
"modules": [
{
"name": "flake.nix",
"path": "flake.nix",
"description": "Top-level entry point defining inputs, packages, overlays, Home Manager modules, NixOS configurations, and dev shells."
},
{
"name": "hosts/common",
"path": "hosts/common",
"description": "Shared NixOS configuration, nix settings, overlays, Home Manager setup, ports, extra services, and users."
},
{
"name": "hosts",
"path": "hosts",
"description": "Per-host NixOS/Home Manager configurations for desktops, servers, and cloud VM."
},
{
"name": "modules/nixos",
"path": "modules/nixos",
"description": "Reusable NixOS modules."
},
{
"name": "modules/home-manager",
"path": "modules/home-manager",
"description": "Reusable Home Manager module exports."
},
{
"name": "overlays",
"path": "overlays",
"description": "Nixpkgs overlays for stable, locked, pinned, master, temporary, and agent packages."
},
{
"name": "pkgs",
"path": "pkgs",
"description": "Custom package export set."
},
{
"name": "secrets",
"path": "secrets",
"description": "Encrypted agenix secret files and registry."
}
],
"entryPoints": [
"flake.nix",
"hosts/<host>/default.nix",
"hosts/<host>/configuration.nix",
"hosts/common/default.nix",
"hosts/common/users/m3tam3re.nix",
"overlays/default.nix",
"pkgs/default.nix",
"secrets.nix"
],
"dataFlow": "flake.nix wires inputs, overlays, packages, NixOS modules, and Home Manager. Host modules import common configuration and host-specific hardware/programs/services/secrets. Host profile flags in hosts/common/users/m3tam3re.nix feed the external m3ta-home mkHome integration. Secrets flow through agenix registry and host secret modules."
},
"team": [
{
"name": "m3tam3re",
"role": "solo developer and operator",
"responsibilities": [
"architecture",
"implementation",
"host maintenance",
"deployments",
"review"
]
},
{
"name": "m3ta-chiron",
"role": "agent contributor",
"responsibilities": [
"semi-autonomous implementation",
"validation",
"documentation updates",
"conventional commits"
]
}
],
"workflows": [
{
"name": "development",
"description": "Default feature-branch workflow for solo development with conventional commits and validation before push.",
"steps": [
"review Beads issues with bd ready --json",
"claim work with bd update <id> --claim when applicable",
"edit Nix modules or project files",
"run alejandra .",
"run statix check .",
"run targeted nix flake or host dry-run checks",
"commit with conventional commit format",
"pull --rebase and push"
],
"triggers": [
"new feature",
"bug fix",
"refactor",
"agent task"
]
},
{
"name": "nix validation",
"description": "Quality gate for Nix configuration changes.",
"steps": [
"alejandra .",
"statix check .",
"deadnix check or deadnix -w when appropriate",
"nix flake show",
"sudo nixos-rebuild dry-run --flake .#<host> for affected hosts"
],
"triggers": [
"Nix code changes",
"before deployment",
"before commit"
]
},
{
"name": "host deployment",
"description": "Manual deployment after successful dry-run validation.",
"steps": [
"sudo nixos-rebuild dry-run --flake .#<host>",
"sudo nixos-rebuild switch --flake .#<host>"
],
"triggers": [
"manual host update"
]
},
{
"name": "dependency/input update",
"description": "Controlled flake input updates without manually editing flake.lock.",
"steps": [
"use nix flake update or nixos-rebuild --update-input <input>",
"validate affected outputs",
"commit flake.nix/flake.lock changes"
],
"triggers": [
"planned dependency update",
"security update"
]
},
{
"name": "beads issue tracking",
"description": "Persistent issue tracking and session handoff workflow.",
"steps": [
"bd ready --json",
"bd show <id>",
"bd update <id> --claim",
"bd close <id> --reason <summary>",
"bd dolt push"
],
"triggers": [
"start of tracked work",
"completion of tracked work"
]
}
],
"processes": [
{
"id": "cradle/project-install",
"name": "Babysitter project install",
"status": "installing",
"purpose": "Create and save a Babysitter project profile and setup recommendations."
}
],
"tools": {
"formatting": [
{
"name": "alejandra",
"purpose": "Nix formatting",
"configPaths": [
"flake.nix devShells.default"
]
}
],
"linting": [
{
"name": "statix",
"purpose": "Nix anti-pattern linting",
"configPaths": [
"flake.nix devShells.default"
]
},
{
"name": "deadnix",
"purpose": "Detect unused Nix code",
"configPaths": [
"flake.nix devShells.default"
]
}
],
"testing": [
{
"name": "nix flake show",
"purpose": "Evaluate flake outputs",
"configPaths": [
"flake.nix"
]
},
{
"name": "nixos-rebuild dry-run",
"purpose": "Validate host configurations without applying changes",
"configPaths": [
"flake.nix",
"hosts/*"
]
},
{
"name": "nix build",
"purpose": "Build selected outputs such as host toplevels or ISOs",
"configPaths": [
"flake.nix"
]
}
],
"issueTracking": [
{
"name": "Beads",
"command": "bd",
"purpose": "Persistent task tracking"
}
]
},
"services": [
{
"name": "code.m3ta.dev",
"type": "git hosting",
"url": "git+ssh://gitea@code.m3ta.dev"
},
{
"name": "GitHub",
"type": "flake input hosting",
"url": "github:* flake inputs"
},
{
"name": "Agenix",
"type": "secret encryption",
"url": "github:ryantm/agenix"
},
{
"name": "Hermes Agent",
"type": "NixOS module/agent service",
"url": "github:NousResearch/hermes-agent"
},
{
"name": "RustFS",
"type": "NixOS server service flake",
"url": "github:rustfs/rustfs-flake"
}
],
"externalIntegrations": [
{
"service": "Beads",
"category": "issue tracking",
"enabled": true
},
{
"service": "Dolt",
"category": "Beads storage/sync",
"enabled": true
},
{
"service": "Agenix",
"category": "secrets",
"enabled": true
},
{
"service": "Home Manager",
"category": "user environment",
"enabled": true
},
{
"service": "m3ta-home",
"category": "external home profiles",
"enabled": true
},
{
"service": "m3ta-nixpkgs",
"category": "external Nix modules/packages",
"enabled": true
},
{
"service": "NUR",
"category": "Nix packages",
"enabled": true
},
{
"service": "Disko",
"category": "disk provisioning",
"enabled": true
},
{
"service": "Hermes Agent",
"category": "LLM/agent service",
"enabled": true
}
],
"cicd": {
"provider": null,
"enabled": false,
"configPaths": [],
"pipelines": [],
"notes": "CI/CD is intentionally disabled for now. If re-enabled later, prefer Gitea Actions because this repository is hosted on code.m3ta.dev.",
"babysitterIntegration": {
"enabled": false,
"triggerOn": [],
"processIds": []
}
},
"painPoints": [
{
"id": "pp-architecture-1",
"description": "The repository is transitioning away from a monorepo; boundaries with m3ta-home and m3ta-nixpkgs must remain clear.",
"severity": "high",
"category": "architecture",
"discoveredVia": "user interview",
"suggestedRemediation": "Keep host-specific decisions local while moving reusable Home Manager profiles and package/module abstractions to their dedicated inputs."
},
{
"id": "pp-validation-1",
"description": "A single shared Nix change can require validating several hosts to be confident.",
"severity": "medium",
"category": "validation",
"discoveredVia": "repo structure and AGENTS workflow",
"suggestedRemediation": "Use targeted affected-host validation locally for now; add a Gitea Actions validation matrix later if CI/CD is re-enabled."
},
{
"id": "pp-dependency-1",
"description": "Multiple pinned, locked, stable, master, and external SSH flake inputs increase update complexity.",
"severity": "medium",
"category": "dependency management",
"discoveredVia": "flake and history analysis",
"suggestedRemediation": "Update inputs intentionally, group related updates, and validate affected host outputs."
},
{
"id": "pp-operations-1",
"description": "Service additions often need synchronized module, secret, and network/TLS changes.",
"severity": "medium",
"category": "operations",
"discoveredVia": "git history and tree structure",
"suggestedRemediation": "Use checklist-style issue templates or Babysitter processes for service changes."
}
],
"bottlenecks": [
{
"id": "bn-flake-1",
"description": "flake.nix and flake.lock are high-churn files whose changes can affect many hosts at once.",
"impact": "High; evaluation failures can block all hosts.",
"location": "flake.nix, flake.lock",
"frequency": "very frequent"
},
{
"id": "bn-secrets-1",
"description": "Secret registry and host secret modules must stay aligned with encrypted .age files.",
"impact": "Medium to high; missing or mismatched secrets break host deployment.",
"location": "secrets.nix, hosts/*/secrets.nix, secrets/*.age",
"frequency": "recurring"
},
{
"id": "bn-services-1",
"description": "Server service changes can span service modules, secrets, Traefik/networking, and flake inputs.",
"impact": "High for m3-atlas and m3-hermes changes; requires host-specific dry-runs.",
"location": "hosts/m3-atlas/services, hosts/m3-hermes/services, hosts/common",
"frequency": "frequent"
},
{
"id": "bn-home-1",
"description": "Home Manager behavior depends on both the external m3ta-home input and local host flags.",
"impact": "Medium; may require coordinated updates across repositories.",
"location": "flake.nix, hosts/common/users/m3tam3re.nix, m3ta-home input",
"frequency": "frequent after migration"
}
],
"conventions": {
"naming": {
"files": "hyphen-case for Nix/docs where practical; host directories use m3-* names",
"hosts": "m3-<greek-name>",
"modules": "one module per file/directory where possible",
"nixVariables": "camelCase"
},
"git": {
"branchStrategy": "default feature branches for non-trivial work; master as integration branch",
"commits": "conventional commits for agent work",
"reviews": "optional for solo development",
"releaseCadence": "continuous/manual as needed",
"remote": "code.m3ta.dev over SSH for private inputs and repo access"
},
"codeStyle": {
"formatter": "alejandra",
"indentation": "2 spaces",
"nixStyle": "explicit pkgs references preferred; avoid with pkgs, builtins.fetchTarball, import <nixpkgs>, builtins.getAttr/hasAttr"
},
"importOrder": [
"module function arguments",
"imports",
"let bindings",
"options/config"
],
"errorHandling": "Nix configuration should fail explicitly during evaluation/build; avoid hiding errors or impure paths.",
"testingConventions": "Run alejandra, statix, deadnix as appropriate, nix flake show, and host-specific nixos-rebuild dry-run before switching.",
"additionalRules": [
"Use Beads for persistent task tracking.",
"Use non-interactive flags for shell file operations.",
"Do not modify flake.lock directly; use nix flake update.",
"Do not commit plaintext secrets.",
"Use SSH URLs for code.m3ta.dev flake inputs.",
"Operate Babysitter semi-autonomously with breakpoints for destructive, deployment, or architecture-changing decisions."
]
},
"repositories": [
{
"name": "nixos-config",
"path": "/home/m3tam3re/p/NIX/nixos-config",
"role": "primary multi-host NixOS configuration"
},
{
"name": "m3ta-home",
"url": "git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home",
"role": "external Home Manager profiles"
},
{
"name": "m3ta-nixpkgs",
"url": "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs",
"role": "external custom packages/modules/overlays"
}
],
"claudeMdInstructions": [
"Respect AGENTS.md as the source of project workflow rules.",
"Resolve the active Babysitter process library before using library processes.",
"Use cradle/project-install for project setup or profile refresh.",
"Use evolutionary GSD: map affected Nix modules/hosts, make focused changes, verify, and iterate.",
"Prefer alejandra, statix, deadnix, nix flake show, and targeted host dry-runs for Nix changes.",
"Preserve boundaries between nixos-config, m3ta-home, and m3ta-nixpkgs.",
"Use breakpoints for destructive operations, deployments, architecture changes, and secret-handling decisions.",
"Babysitter CI/CD is not currently enabled; if re-added later, use Gitea Actions rather than GitHub Actions."
],
"installedSkills": [
"project-install",
"babysit",
"specializations/devops-sre-platform/skills/cicd-pipelines/SKILL.md",
"specializations/devops-sre-platform/skills/gitops/SKILL.md",
"specializations/devops-sre-platform/skills/secrets-management/SKILL.md"
],
"installedAgents": [
"general-purpose",
"specializations/devops-sre-platform/agents/platform-engineer/AGENT.md",
"specializations/devops-sre-platform/agents/cicd-specialist/AGENT.md"
],
"installedProcesses": [
"cradle/project-install",
"methodologies/gsd/quick.js",
"methodologies/gsd/verify-work.js",
"methodologies/gsd/iterative-convergence.js",
"methodologies/evolutionary.js",
"specializations/devops-sre-platform/iac-testing.js"
],
"preferences": {
"babysitterAutonomy": "semi-autonomous",
"breakpointTolerance": "moderate",
"externalIntegrationsRequested": false,
"cicdDesired": false,
"cicdNote": "Deferred for now; Gitea Actions is the preferred provider if CI/CD is added later."
},
"createdAt": "2026-05-29T15:50:48.754Z",
"updatedAt": "2026-05-29T16:07:19.245463Z",
"version": 1
}
+238
@@ -0,0 +1,238 @@
# Project Profile: nixos-config
A reliable, elegant, multi-system NixOS flake configuration for personal desktop, server, cloud, Home Manager, package, overlay, and secret management.
> Last updated: 2026-05-29T16:02:11.092188Z | Version: 1
## Goals
- **reliability** [high]: Keep all managed NixOS systems reproducible, reliable, and easy to validate before deployment. (active)
- **architecture** [high]: Maintain an elegant multi-system architecture with clear host boundaries and reusable common modules. (active)
- **modularization** [high]: Continue breaking up the former monorepo by keeping Home Manager profiles in m3ta-home and custom packages/modules in m3ta-nixpkgs where appropriate. (active)
- **automation** [medium]: CI/CD is not currently configured; add useful Gitea Actions validation later for formatting, linting, flake evaluation, and safe host checks. (deferred)
## Tech Stack
### Languages
- Nix (primary system, module, overlay, and package configuration language)
- Markdown (project, agent, and workflow documentation)
- JSON/YAML (tool configuration and metadata)
### Frameworks
- Nix flakes [reproducible dependency and output model]
- NixOS modules [host and service configuration]
- Home Manager [user environment management]
- Agenix [encrypted secret management]
- Disko [server disk provisioning]
- NUR [community package access]
- llm-agents.nix [LLM agent packages overlay]
- m3ta-home [external reusable Home Manager profiles]
- m3ta-nixpkgs [external custom packages/modules/overlays]
### Infrastructure
- m3-ares [desktop NixOS host]
- m3-kratos [desktop NixOS host]
- m3-daedalus [portable laptop/Home Manager configuration]
- m3-atlas [primary server NixOS host]
- m3-helios [minimal server/AdGuard host]
- m3-hermes [secondary server/Hermes host]
- m3-aether [cloud VM/minimal server host]
**Build tools:** nix, nixos-rebuild, nix build, nix flake show, alejandra, statix, deadnix
**Package managers:** nix flakes
## Architecture
**Pattern:** Pure Nix flake-based NixOS configuration repository with host-specific modules, common shared modules, overlays, custom packages, agenix secrets, and externalized Home Manager/package inputs.
**Data flow:** flake.nix wires inputs, overlays, packages, NixOS modules, and Home Manager. Host modules import common configuration and host-specific hardware/programs/services/secrets. Host profile flags in hosts/common/users/m3tam3re.nix feed the external m3ta-home mkHome integration. Secrets flow through agenix registry and host secret modules.
### Modules
| Module | Path | Description |
|--------|------|-------------|
| flake.nix | `flake.nix` | Top-level entry point defining inputs, packages, overlays, Home Manager modules, NixOS configurations, and dev shells. |
| hosts/common | `hosts/common` | Shared NixOS configuration, nix settings, overlays, Home Manager setup, ports, extra services, and users. |
| hosts | `hosts` | Per-host NixOS/Home Manager configurations for desktops, servers, and cloud VM. |
| modules/nixos | `modules/nixos` | Reusable NixOS modules. |
| modules/home-manager | `modules/home-manager` | Reusable Home Manager module exports. |
| overlays | `overlays` | Nixpkgs overlays for stable, locked, pinned, master, temporary, and agent packages. |
| pkgs | `pkgs` | Custom package export set. |
| secrets | `secrets` | Encrypted agenix secret files and registry. |
**Entry points:** `flake.nix`, `hosts/<host>/default.nix`, `hosts/<host>/configuration.nix`, `hosts/common/default.nix`, `hosts/common/users/m3tam3re.nix`, `overlays/default.nix`, `pkgs/default.nix`, `secrets.nix`
## Team
- **m3tam3re** (solo developer and operator): architecture, implementation, host maintenance, deployments, review
- **m3ta-chiron** (agent contributor): semi-autonomous implementation, validation, documentation updates, conventional commits
## Workflows
### development
Default feature-branch workflow for solo development with conventional commits and validation before push.
**Triggers:** new feature, bug fix, refactor, agent task
1. review Beads issues with bd ready --json
2. claim work with bd update <id> --claim when applicable
3. edit Nix modules or project files
4. run alejandra .
5. run statix check .
6. run targeted nix flake or host dry-run checks
7. commit with conventional commit format
8. pull --rebase and push
### nix validation
Quality gate for Nix configuration changes.
**Triggers:** Nix code changes, before deployment, before commit
1. alejandra .
2. statix check .
3. deadnix check or deadnix -w when appropriate
4. nix flake show
5. sudo nixos-rebuild dry-run --flake .#<host> for affected hosts
### host deployment
Manual deployment after successful dry-run validation.
**Triggers:** manual host update
1. sudo nixos-rebuild dry-run --flake .#<host>
2. sudo nixos-rebuild switch --flake .#<host>
### dependency/input update
Controlled flake input updates without manually editing flake.lock.
**Triggers:** planned dependency update, security update
1. use nix flake update or nixos-rebuild --update-input <input>
2. validate affected outputs
3. commit flake.nix/flake.lock changes
### beads issue tracking
Persistent issue tracking and session handoff workflow.
**Triggers:** start of tracked work, completion of tracked work
1. bd ready --json
2. bd show <id>
3. bd update <id> --claim
4. bd close <id> --reason <summary>
5. bd dolt push
## Processes
- **Babysitter project install** (`cradle/project-install`, undefined)
## Tools
### Linting
- statix
- deadnix
### Testing
- nix flake show
- nixos-rebuild dry-run
- nix build
### Formatting
- alejandra
## Services
- **code.m3ta.dev** (git hosting) - git+ssh://gitea@code.m3ta.dev
- **GitHub** (flake input hosting) - github:* flake inputs
- **Agenix** (secret encryption) - github:ryantm/agenix
- **Hermes Agent** (NixOS module/agent service) - github:NousResearch/hermes-agent
- **RustFS** (NixOS server service flake) - github:rustfs/rustfs-flake
## CI/CD
**Status:** Not configured/enabled for now.
No Babysitter CI/CD workflow is currently installed. If CI/CD is added later, prefer Gitea Actions because this repository is hosted on code.m3ta.dev.
## Pain Points
- **high** [architecture]: The repository is transitioning away from a monorepo; boundaries with m3ta-home and m3ta-nixpkgs must remain clear.
- Remediation: Keep host-specific decisions local while moving reusable Home Manager profiles and package/module abstractions to their dedicated inputs.
- **medium** [validation]: A single shared Nix change can require validating several hosts to be confident.
- Remediation: Use targeted affected-host validation locally for now; add a Gitea Actions validation matrix later if CI/CD is re-enabled.
- **medium** [dependency management]: Multiple pinned, locked, stable, master, and external SSH flake inputs increase update complexity.
- Remediation: Update inputs intentionally, group related updates, and validate affected host outputs.
- **medium** [operations]: Service additions often need synchronized module, secret, and network/TLS changes.
- Remediation: Use checklist-style issue templates or Babysitter processes for service changes.
## Bottlenecks
- flake.nix and flake.lock are high-churn files whose changes can affect many hosts at once. at flake.nix, flake.lock (very frequent)
Impact: High; evaluation failures can block all hosts.
- Secret registry and host secret modules must stay aligned with encrypted .age files. at secrets.nix, hosts/*/secrets.nix, secrets/*.age (recurring)
Impact: Medium to high; missing or mismatched secrets break host deployment.
- Server service changes can span service modules, secrets, Traefik/networking, and flake inputs. at hosts/m3-atlas/services, hosts/m3-hermes/services, hosts/common (frequent)
Impact: High for m3-atlas and m3-hermes changes; requires host-specific dry-runs.
- Home Manager behavior depends on both the external m3ta-home input and local host flags. at flake.nix, hosts/common/users/m3tam3re.nix, m3ta-home input (frequent after migration)
Impact: Medium; may require coordinated updates across repositories.
## Conventions
### Naming
- **files:** hyphen-case for Nix/docs where practical; host directories use m3-* names
- **hosts:** m3-<greek-name>
- **modules:** one module per file/directory where possible
- **nixVariables:** camelCase
### Git
- **branchStrategy:** default feature branches for non-trivial work; master as integration branch
- **commits:** conventional commits for agent work
- **reviews:** optional for solo development
- **releaseCadence:** continuous/manual as needed
- **remote:** code.m3ta.dev over SSH for private inputs and repo access
**Import order:** module function arguments > imports > let bindings > options/config
**Error handling:** Nix configuration should fail explicitly during evaluation/build; avoid hiding errors or impure paths.
**Testing:** Run alejandra, statix, deadnix as appropriate, nix flake show, and host-specific nixos-rebuild dry-run before switching.
### Additional Rules
- Use Beads for persistent task tracking.
- Use non-interactive flags for shell file operations.
- Do not modify flake.lock directly; use nix flake update.
- Do not commit plaintext secrets.
- Use SSH URLs for code.m3ta.dev flake inputs.
- Operate Babysitter semi-autonomously with breakpoints for destructive, deployment, or architecture-changing decisions.
## Repositories
- **nixos-config** [`/home/m3tam3re/p/NIX/nixos-config`]
- **m3ta-home** - git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home
- **m3ta-nixpkgs** - git+ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs
## CLAUDE.md Instructions
- Respect AGENTS.md as the source of project workflow rules.
- Resolve the active Babysitter process library before using library processes.
- Use cradle/project-install for project setup or profile refresh.
- Use evolutionary GSD: map affected Nix modules/hosts, make focused changes, verify, and iterate.
- Prefer alejandra, statix, deadnix, nix flake show, and targeted host dry-runs for Nix changes.
- Preserve boundaries between nixos-config, m3ta-home, and m3ta-nixpkgs.
- Use breakpoints for destructive operations, deployments, architecture changes, and secret-handling decisions.
- Babysitter CI/CD is not currently enabled; if re-added later, use Gitea Actions rather than GitHub Actions.
## Installed Extensions
- Skills: project-install, babysit, specializations/devops-sre-platform/skills/cicd-pipelines/SKILL.md, specializations/devops-sre-platform/skills/gitops/SKILL.md, specializations/devops-sre-platform/skills/secrets-management/SKILL.md
- Agents: general-purpose, specializations/devops-sre-platform/agents/platform-engineer/AGENT.md, specializations/devops-sre-platform/agents/cicd-specialist/AGENT.md
- Processes: cradle/project-install, methodologies/gsd/quick.js, methodologies/gsd/verify-work.js, methodologies/gsd/iterative-convergence.js, methodologies/evolutionary.js, specializations/devops-sre-platform/iac-testing.js
+53
@@ -0,0 +1,53 @@
{
"qualityThreshold": 80,
"testCoverage": {
"minimum": 0,
"rationale": "NixOS configuration repository without a coverage-producing test suite."
},
"formatting": [
{
"name": "alejandra",
"command": "alejandra .",
"ciCommand": "alejandra --check ."
}
],
"linting": [
{
"name": "statix",
"command": "statix check ."
},
{
"name": "deadnix",
"command": "deadnix . --fail"
}
],
"evaluation": [
{
"name": "flake outputs",
"command": "nix flake show"
},
{
"name": "affected host dry-run",
"command": "sudo nixos-rebuild dry-run --flake .#<host>",
"when": "Run for affected hosts when practical and safe."
}
],
"commitChecks": [
"alejandra .",
"statix check .",
"deadnix . --fail",
"nix flake show"
],
"deployGates": [
"formatting passes",
"linting passes",
"flake outputs evaluate",
"affected host dry-run succeeds",
"secrets are encrypted and host secret modules remain aligned"
],
"cicdIntegrationPoints": [],
"cicd": {
"enabled": false,
"notes": "No CI/CD integration is currently configured. Add Gitea Actions later if automated Babysitter or Nix validation is desired."
}
}
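Review bot: The `affected host dry-run` entry runs `sudo nixos-rebuild dry-run --flake .#<host>`, which hands root to whatever executes this quality config, although a dry-run builds nothing and normally does not need privileges. Since the same profile asks for breakpoints before deployments, the automated gate would be safer as `"command": "nixos-rebuild dry-run --flake .#<host>"`, reserving sudo for the interactive `switch` step. If root is genuinely required on these hosts, the reason belongs in the `when` field next to the existing safety caveat.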
+7
@@ -46,3 +46,10 @@ CLAUDE.md
.dolt/ .dolt/
*.db *.db
.beads-credential-key .beads-credential-key
# --- babysitter managed ---
.a5c/creds.env
.a5c/creds.env.tmp.*
.a5c/logs/
.a5c/runs/
# --- end babysitter managed ---
Generated
+459 -330
+3 -36
@@ -15,7 +15,7 @@
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
nixpkgs-45570c2.url = "github:nixos/nixpkgs/45570c299dc2b63c8c574c4cd77f0b92f7e2766e"; nixpkgs-45570c2.url = "github:nixos/nixpkgs/45570c299dc2b63c8c574c4cd77f0b92f7e2766e";
nixpkgs-locked.url = "github:nixos/nixpkgs/2744d988fa116fc6d46cdfa3d1c936d0abd7d121"; nixpkgs-locked.url = "github:nixos/nixpkgs/2744d988fa116fc6d46cdfa3d1c936d0abd7d121";
@@ -25,7 +25,6 @@
m3ta-nixpkgs.url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs"; m3ta-nixpkgs.url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs";
llm-agents.url = "github:numtide/llm-agents.nix"; llm-agents.url = "github:numtide/llm-agents.nix";
#
nur = { nur = {
url = "github:nix-community/NUR"; url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -39,41 +38,16 @@
nixos-generators = {url = "github:nix-community/nixos-generators";}; nixos-generators = {url = "github:nix-community/nixos-generators";};
hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor"; rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor";
nix-colors.url = "github:misterio77/nix-colors"; nix-colors.url = "github:misterio77/nix-colors";
m3ta-home = { m3ta-home = {
url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home"; url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home";
# url = "path:/home/m3tam3re/p/NIX/m3ta-home";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
agents = { hermes-agent.url = "github:NousResearch/hermes-agent/v2026.6.5";
# url = "path:/home/m3tam3re/p/AI/AGENTS";
url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/AGENTS";
};
## Skills
skills-basecamp = {
url = "github:basecamp/basecamp-cli";
flake = false;
};
skills-anthropic = {
url = "github:anthropics/skills";
flake = false;
};
skills-kestra = {
url = "github:kestra-io/agent-skills";
flake = false;
};
skills-superpowers = {
url = "github:obra/superpowers";
flake = false;
};
skills-vercel = {
url = "github:vercel-labs/skills";
flake = false;
};
hermes-agent.url = "github:NousResearch/hermes-agent/v2026.5.16";
rustfs = { rustfs = {
url = "github:rustfs/rustfs-flake"; url = "github:rustfs/rustfs-flake";
@@ -88,7 +62,6 @@
nixpkgs, nixpkgs,
m3ta-nixpkgs, m3ta-nixpkgs,
nur, nur,
agents,
... ...
} @ inputs: let } @ inputs: let
inherit (self) outputs; inherit (self) outputs;
@@ -191,11 +164,6 @@
inherit system; inherit system;
config.allowUnfree = true; # Allow unfree packages in devShell config.allowUnfree = true; # Allow unfree packages in devShell
}; };
m3taLib = m3ta-nixpkgs.lib.x86_64-linux;
rules = m3taLib.coding-rules.mkCodingRules {
inherit agents;
languages = ["nix"];
};
in { in {
default = pkgs.mkShell { default = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [
@@ -206,7 +174,6 @@
statix statix
deadnix deadnix
]; ];
inherit (rules) instructions shellHook;
}; };
}); });
}; };
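Review bot: `nixpkgs.url` moves from the `nixos-unstable` branch to `nixpkgs-unstable` in the first hunk, a reliability trade-off the change does not explain: nixpkgs-unstable advances without the NixOS test gate that nixos-unstable waits for, and the other inputs here follow this nixpkgs. If the intent was to pick up a newer package sooner, a comment should say so, e.g. `nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; # ahead of nixos-unstable on purpose: <reason>`; otherwise reverting to `nixos-unstable` keeps the tested channel. The new greetd module elsewhere on this page still describes the baseline as "nixos-unstable", which this hunk makes inaccurate.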
+2 -1
@@ -21,7 +21,8 @@
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
extraSpecialArgs = { extraSpecialArgs = {
inherit inputs outputs system; inputs = inputs // {agents = null;};
inherit outputs system;
videoDrivers = config.services.xserver.videoDrivers or []; videoDrivers = config.services.xserver.videoDrivers or [];
}; };
}; };
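Review bot: `inputs = inputs // {agents = null;}` re-introduces the removed `agents` flake input as a null attribute without saying why; presumably m3ta-home still reads `inputs.agents`, but any module that dereferences it (`inputs.agents.lib`, `${inputs.agents}`) will now fail with an attribute-of-null error instead of a clear missing-input message. A one-line comment would make the shim safe to remove later: `# agents input was dropped from this flake; keep the attribute as null until m3ta-home stops referencing it`.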
+1
@@ -90,6 +90,7 @@
hyprland.enable = true; hyprland.enable = true;
rofi.enable = true; rofi.enable = true;
wayland.enable = true; wayland.enable = true;
dms.enable = true;
}; };
apps = { apps = {
crypto.enable = true; crypto.enable = true;
+1
@@ -1,6 +1,7 @@
{pkgs, ...}: { {pkgs, ...}: {
imports = [ imports = [
./containers ./containers
./greetd.nix
./hermes-agent.nix ./hermes-agent.nix
./netbird.nix ./netbird.nix
#./n8n.nix #./n8n.nix
+38
@@ -0,0 +1,38 @@
# greetd login manager for m3-kratos (replaces broken GDM on nixos-unstable).
# Uses tuigreet as the greeter, launching Hyprland after authentication.
{
pkgs,
config,
lib,
...
}: let
tuigreet = "${lib.getExe pkgs.tuigreet}";
# Use start-hyprland wrapper to avoid Hyprland startup warnings
# withUWSM=true is set in programs.nix; start-hyprland handles this correctly
hyprlandCmd = "${config.programs.hyprland.package}/bin/start-hyprland";
in {
services.greetd = {
enable = true;
settings = {
default_session = {
user = "greeter";
# Minimal config: verified supported flags only
# The --time and --remember are tested; power commands omitted
# to avoid potential quoting/parsing issues
command = builtins.concatStringsSep " " [
tuigreet
"--time"
"--remember"
"--asterisks"
"--cmd ${hyprlandCmd}"
];
};
};
};
# Required for --remember to persist username between logins
systemd.tmpfiles.rules = [
"d /var/cache/tuigreet 0755 greeter greeter - -"
];
}
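Review bot: The tmpfiles rule creates `/var/cache/tuigreet` as `0755`, so the username that `--remember` persists there is readable by every local account; `"d /var/cache/tuigreet 0750 greeter greeter - -"` keeps it to the owning greeter user, assuming tuigreet only touches the cache as that user. Replacing GDM also changes the PAM service the login goes through: a `security.pam.services.gdm.enableGnomeKeyring = true;` line still appears as context in another section of this page, and if that host is one of the two importing this module it would need `security.pam.services.greetd.enableGnomeKeyring = true;` to keep the keyring unlocking at login. The same module is added a second time further down on this page; both points apply there as well.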
+1 -1
@@ -1,6 +1,6 @@
{config, ...}: { {config, ...}: {
virtualisation.oci-containers.containers."ghost" = { virtualisation.oci-containers.containers."ghost" = {
image = "docker.io/ghost:latest"; image = "docker.io/ghost:6-alpine";
environmentFiles = [config.age.secrets.ghost-env.path]; environmentFiles = [config.age.secrets.ghost-env.path];
ports = ["127.0.0.1:3002:2368"]; ports = ["127.0.0.1:3002:2368"];
volumes = ["ghost_data:/var/lib/ghost/content"]; volumes = ["ghost_data:/var/lib/ghost/content"];
+32 -31
@@ -1,5 +1,6 @@
{ {
config, config,
lib,
pkgs, pkgs,
inputs, inputs,
... ...
@@ -7,24 +8,33 @@
# Edge TTS: Seraphina — friendly, multilingual German female voice (free, no API key) # Edge TTS: Seraphina — friendly, multilingual German female voice (free, no API key)
edgeVoice = "de-DE-SeraphinaMultilingualNeural"; edgeVoice = "de-DE-SeraphinaMultilingualNeural";
# Build skills using agents flake lib for hermes user agentSkillExclusions = {
hermesSkills = inputs.agents.lib.mkSkills { m3ta-agents = [];
inherit pkgs; anthropic = ["pdf" "skill-creator" "xlsx"];
customSkills = "${inputs.agents}/skills"; basecamp = [];
externalSkills = [ kestra = [];
{ mattpocock = ["grill-me" "caveman"];
src = inputs.skills-basecamp; superpowers = ["brainstorming" "systematic-debugging"];
skillsDir = "skills"; vercel = [];
} };
{
src = inputs.skills-anthropic; agentLibSourceSelections =
skillsDir = "skills"; lib.mapAttrs (_sourceName: exclude: {
} skills = {
{ all = true;
src = inputs.skills-kestra; inherit exclude;
skillsDir = "skills"; };
} })
]; agentSkillExclusions;
# Deterministic store renderer consumed directly by Hermes. m3ta-home
# re-exports the focused helper so nixos-config does not need a direct
# agent-lib flake input.
hermesSkills = inputs.m3ta-home.lib.mkHermesSkillsDir {
system = pkgs.stdenv.hostPlatform.system;
name = "hermes-agent-lib-skills";
lockFile = ../../../agent-sources.lock.json;
sources = agentLibSourceSelections;
}; };
in { in {
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
@@ -43,18 +53,7 @@ in {
''}" ''}"
]; ];
systemd.services.copy-hermes-skills = { systemd.services.hermes-agent.restartTriggers = [hermesSkills];
description = "Copy agent skills to hermes home directory";
wantedBy = ["hermes-agent.service"];
before = ["hermes-agent.service"];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = ''
mkdir -p /var/lib/hermes/.agents
cp -rT ${hermesSkills} /var/lib/hermes/.agents/skills
chown -R hermes:hermes /var/lib/hermes/.agents
'';
};
services.hermes-agent = { services.hermes-agent = {
enable = true; enable = true;
@@ -72,6 +71,7 @@ in {
]; ];
extraPackages = with pkgs; [ extraPackages = with pkgs; [
basecamp
docker docker
git git
curl curl
@@ -148,13 +148,14 @@ in {
max_turns = 90; max_turns = 90;
gateway_timeout = 1800; gateway_timeout = 1800;
tool_use_enforcement = "auto"; tool_use_enforcement = "auto";
reasoning_effort = "high";
}; };
# ── Skills ───────────────────────────────────────────────────────── # ── Skills ─────────────────────────────────────────────────────────
skills = { skills = {
external_dirs = [ external_dirs = [
"/var/lib/hermes/.agents/skills" hermesSkills
]; ];
}; };
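Review bot: `agentLibSourceSelections` sets `all = true` for every skill source and only carves out a few names per source, so each upstream skill repository is consumed allow-all-by-default by an autonomous agent; presumably any skill added upstream becomes active on the next `agent-sources.lock.json` refresh without a per-skill decision, and the exclusion lists (`pdf`, `skill-creator`, `grill-me`, …) carry no rationale. A comment above the attrset would make the review obligation explicit: `# all = true: every skill in the locked source is active unless listed here; review lock updates for newly added skills`. If `mkHermesSkillsDir` accepts an explicit include list, that would be the tighter default for third-party sources. Pointing `external_dirs` at the store path instead of the copied directory is a good change, since the skill tree is now immutable at runtime.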
+2 -1
@@ -11,10 +11,11 @@
boot.supportedFilesystems = ["zfs"]; boot.supportedFilesystems = ["zfs"];
boot.zfs.package = pkgs.zfs_unstable; boot.zfs.package = pkgs.zfs_unstable;
boot.zfs.forceImportAll = false; boot.zfs.forceImportAll = false;
boot.zfs.forceImportRoot = false;
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.kernelModules = ["amdgpu"]; boot.initrd.kernelModules = ["amdgpu"];
boot.kernelPackages = pkgs.linuxPackages_6_18; boot.kernelPackages = pkgs.linuxPackages_7_0;
services.xserver.videoDrivers = ["amdgpu"]; services.xserver.videoDrivers = ["amdgpu"];
security.polkit.enable = true; security.polkit.enable = true;
security.pam.services.gdm.enableGnomeKeyring = true; security.pam.services.gdm.enableGnomeKeyring = true;
+1
@@ -48,6 +48,7 @@
podman.enable = true; podman.enable = true;
virtualisation.enable = true; virtualisation.enable = true;
}; };
services.power-profiles-daemon.enable = true;
services.ollama = { services.ollama = {
environmentVariables = { environmentVariables = {
# HCC_AMDGPU_TARGET = "gfx1103"; # HCC_AMDGPU_TARGET = "gfx1103";
+21 -1
@@ -8,9 +8,14 @@
... ...
}: }:
with lib; { with lib; {
imports = [
];
config = mkMerge [ config = mkMerge [
# ── XDG / MIME defaults ── # ── XDG / MIME defaults ──
{ {
qt.platformTheme.name = mkForce "qtct";
xdg = { xdg = {
enable = true; enable = true;
configFile."mimeapps.list".force = true; configFile."mimeapps.list".force = true;
@@ -54,9 +59,24 @@ with lib; {
"6, monitor:DP-2" "6, monitor:DP-2"
"7, monitor:DP-2" "7, monitor:DP-2"
]; ];
# m3ta-home sets QT_QPA_PLATFORMTHEME=gtk3 globally for Hyprland.
# ksnip crashes with duplicate GDK type registration under that Qt GTK
# platform theme, so use qtct for Qt apps on this host instead.
env = mkForce [
"XCURSOR_SIZE,32"
"HYPRCURSOR_THEME,Bibata-Modern-Ice"
"WLR_NO_HARDWARE_CURSORS,1"
"XDG_CURRENT_DESKTOP,Hyprland"
"XDG_SESSION_TYPE,wayland"
"XDG_SESSION_DESKTOP,Hyprland"
"XKB_DEFAULT_LAYOUT,de"
"NIXOS_OZONE_WL,1"
"QT_QPA_PLATFORM,wayland;xcb"
"QT_QPA_PLATFORMTHEME,qt5ct"
"QT_QPA_PLATFORMTHEME_QT6,qt6ct"
];
windowrule = [ windowrule = [
"match:class dev.zed.Zed, workspace 1" "match:class dev.zed.Zed, workspace 1"
"match:class Msty, workspace 1"
"match:class ^(com.obsproject.Studio)$, workspace 2" "match:class ^(com.obsproject.Studio)$, workspace 2"
"match:class ^(brave-browser)$, workspace 4, opacity 1.0" "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
"match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0" "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
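Review bot: `env = mkForce [ ... ]` replaces the entire Hyprland environment list that m3ta-home supplies in order to change the two `QT_QPA_PLATFORMTHEME*` entries, so any variable m3ta-home adds or corrects later is silently dropped on this host, and the comment above it explains only the ksnip motivation. If the upstream list cannot be extended per entry, the comment should at least record the coupling: `# NOTE: mkForce replaces the whole upstream env list; re-sync with m3ta-home when it changes`. The `imports = [ ];` added in the first hunk is empty and can be dropped. The enclosing `mkMerge` block starts and ends outside the hunk.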
+2 -1
@@ -1,6 +1,7 @@
{pkgs, ...}: { {pkgs, ...}: {
imports = [ imports = [
./containers ./containers
./greetd.nix
./mem0.nix ./mem0.nix
# ./n8n.nix # ./n8n.nix
./netbird.nix ./netbird.nix
@@ -29,6 +30,6 @@
userServices = true; userServices = true;
}; };
}; };
displayManager.gdm.enable = true; # displayManager.gdm.enable = true;
}; };
} }
+38
@@ -0,0 +1,38 @@
# greetd login manager for m3-kratos (replaces broken GDM on nixos-unstable).
# Uses tuigreet as the greeter, launching Hyprland after authentication.
{
pkgs,
config,
lib,
...
}: let
tuigreet = "${lib.getExe pkgs.tuigreet}";
# Use start-hyprland wrapper to avoid Hyprland startup warnings
# withUWSM=true is set in programs.nix; start-hyprland handles this correctly
hyprlandCmd = "${config.programs.hyprland.package}/bin/start-hyprland";
in {
services.greetd = {
enable = true;
settings = {
default_session = {
user = "greeter";
# Minimal config: verified supported flags only
# The --time and --remember are tested; power commands omitted
# to avoid potential quoting/parsing issues
command = builtins.concatStringsSep " " [
tuigreet
"--time"
"--remember"
"--asterisks"
"--cmd ${hyprlandCmd}"
];
};
};
};
# Required for --remember to persist username between logins
systemd.tmpfiles.rules = [
"d /var/cache/tuigreet 0755 greeter greeter - -"
];
}
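Review bot: This file appears line for line identical to the greetd module added earlier on this page, and since two host directories each import `./greetd.nix`, the header comment `# greetd login manager for m3-kratos` is wrong for at least one of them. The page lists `modules/nixos` as the home for reusable NixOS modules, so defining the module there once, with a host-neutral comment such as `# greetd + tuigreet login manager (replaces GDM); launches Hyprland via start-hyprland`, would remove the duplication. The cache-permission and PAM keyring points raised on the first copy apply here unchanged.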
+22 -23
@@ -1,26 +1,25 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 4NLKrw 2TwbZwX9SwWg4SVC0A2ICmyRjSfO+xtfBcBOK1lh3T4 -> ssh-ed25519 4NLKrw 42tBp6EbDJpC7EBt0++QxmF3N9rQJ/AP+7A/S174rCs
DSf4DrOAvW7L49lh6cq5IqrMM7gqXv2+67rR3ttn+CE bRzpQku0GLEBvANvCdeH3L4Kf06k6w2C4FfZCOp2QWI
-> ssh-ed25519 5kwcsA K1hqFOAxq2T+oLp3bQjLYpXtlQVkA7RHCM/8ETMGbwU -> ssh-ed25519 5kwcsA YAYkQzsxfbHwrCPMW2eqLS9mRuuxr+EjHKl7MV3DDEo
xIE4xz50LB5vbDTTLKVcx9vC2iXIsRLThHYYxGjcJyY dN3TitETbdPbXzBtIDBglienhY4oDsFGgfe0VYdsP1o
-> ssh-ed25519 9d4YIQ bXYb62OM/N+EXpMOZZ6zEbpfaH10Vz62PuUdGODXolw -> ssh-ed25519 9d4YIQ 2vTWMSuLrgpgaTWeu0ARoUOukLBKupCfMdqJhLvTqwA
j64kKzOn8CmSnykEuWnXHZ0nfqwOfOxX4FPR4GSouR0 Lzk2Uo2U3tUJiq29on/a5zYfuUjgOZvCHhZYuFGSDG4
-> ssh-ed25519 3Bcr1w C4alN6ud7q0K4I7NHuBgC77D6zeTfZVGjNS3EKpvL00 -> ssh-ed25519 3Bcr1w x689Z0/TsOLLk1JNPXg2jj6y5ucaH37zRt46d/Z1l2w
NpjOsg3eJ5LvX0lV7NYuVHLeqeYylHdmw60H+KeG1GY Bkzg3umkDYFBemmgev/M5LUFuobFugXe0u85mLmsDSo
-> ssh-ed25519 c4NQlA In5wsg4+LTIEbP75B83GMXPCItSPGwKWUW8QO+QjXyY -> ssh-ed25519 c4NQlA 5Dn6e8bILaYl9FVt+ZwuZ6rOC0k0Kg1+KOSP4JakyWI
oK1kikhr4RMq6QMv9kjNjiKrf5srlGh7hGbU2qns2rM AT6LeCo+P7RjgNhRex04kJ/7NHD2DAWRqs33uOJ7e5E
-> ssh-rsa DQlE7w -> ssh-rsa DQlE7w
tcP4yPgGWqHYeE1gw/KD6cswik+9WU2s2f7hg5mK78085sQ7npXRsBVAz2OCRn07 M9pUnzZDa1v6X5UbQOE6HILaGU36VkQtnfXaJJdxJSRQ/sE9R3ZQoLjRZAw+UhUf
foeAAmnY4YmKriBh421JOVNBDOXHR5dfaIKY9b663L+rYj99ic0rfW26C+dqKitF 09JwLkS55477xaar3bpvvOxeP4MrtTHLJ7593eEkFT3i45FfVmxutq6EYckZrCJB
SnvveL3Zf16nqg6duSVA7LIcIFgkIlA+RXnHPVho+P4GwEH7W8nCf/4kUquuhB7B WjrCG7Cbvc20o6s54PYiF4Xk8AuPxt+SElRxBtcOK+SPba84f+WWHqrBA1YRzTDK
F4Hx1qOknmGyNBJBFi27D04ZDDk/ZVxioYsO6P6TUu7MuaGmQCoVKREDl5RRh4zO fsM15eKWsJgzaz5y36grv4xSj4KbWMFtmEt5V5BEW32+zXBU5CPhonO59TxEQgh4
XD8/TFDRsJLqqcbCKIlU+6CN1+L0r4FN4K0UaTjwPNzGvn5EEjBKw9RpOhdvI28I hI2+gNmAzKQja7xbuxCyr3jcXWJz7IuXcrklr+2ZjF1wx3BDll1z+vxSX0C88MCc
WlAQ+w6gdQiz9Ju4e5p7Doz2MbNb6894DimawHjzl968Xy5ifX2XA+FBdcW5hU9A OLKDfnUiDa6BlgUfLK90dLIia8v0oIPXs4OWRfYs7SC/Z3QOPpSO62Ky9dKYRrod
u+7VXKZmbfMyvRA7lmKRoi4SurJAyQd6iXBrVKfTwFc53V/tJi48bsKcE3yXxHH+ PHvCgxX28QvROE4TekL9PV81AfAbMVJrnkRiybg6id8CscldtDmgaKqoaIoJlAuF
lKGuZFNGDDkqCruycjvz94WaIHy3fv5hhmBdgwoCZK1VGSLAnwdm1rG4B9m3t/K8 g5/LGd+FPfmlv2iNfGUn2Glhui8SkrBK1MzGJpeQw+l4CXLH33yQzHX0m6TdQBzr
-> ssh-ed25519 CSMyhg FNYYdEIJYcxkjMuM5lnIs9gIilvgD44uazZE8CjNeho -> ssh-ed25519 CSMyhg 5YHqBNbkkUFVhDEfOM4P2tAxT2t1rDn5KItUcjUs4DY
QHeghlsOOlYNMwhMHT4o7DeuyxGP/3wyqm94HUHjn44 oWEKUGiIVkRQvEkY33PpOUcoqsmacgHAaX58H6sRpP4
--- zRG6aCTS+X18VpeN+tz38kaUoilk1kN5KrWTWYZ6pV4 --- KH+IYh4+bS3JMeEmFYakwIceMxOrlEZj0Fqt3VMgFRk
ræX _qÔÁ’Ð껿H#p¯f™”}(žA(ã|»?ë0ªyJk¥SD‡\Jm&uõà &Ô9€ýÄ5Ù+çÊ…!v%Y˜ù~ãÁ$û“šZÇÓ° j„z–Â\ßá1,Vf˜ 96¨ºà·ènÅϬuk!ß±1ÝNItŽNŸ8EçwĹ]3µ”S*¡õ«0>!ý9zc‡(”2OI.^jC”&$ºÚ\ÛËWtÇÃNÿ#Õ€Å3¾ÜøÞÌÏcMuÈAߢ•<¾)¬´¼a¥rdí'pÄggPä5’ÆõOQòNfà”×1AZ|1v\š4F›‡Ò 6;„T<l£
£’æ1zª»#Ó
Binary file not shown.