feat: enable orchestrator + switch TTS to Edge (Seraphina voice)

- Enable delegation.orchestrator_enabled with max_spawn_depth=2 - Switch TTS from ElevenLabs (paid) to Edge TTS (free) - Voice: de-DE-SeraphinaMultilingualNeural — friendly, multilingual German female - No API key required
chore: hermes update
2026-05-01 16:06:49 +02:00 · 2026-05-01 12:06:23 +02:00 · 2026-04-29 20:14:07 +02:00 · 2026-04-29 19:48:29 +02:00 · 2026-04-29 16:24:17 +02:00 · 2026-04-29 16:18:41 +02:00
243 changed files with 11614 additions and 7 deletions
@@ -0,0 +1,73 @@
 # Dolt database (managed by Dolt, not git)
 dolt/
 embeddeddolt/
 # Runtime files
 bd.sock
 bd.sock.startlock
 sync-state.json
 last-touched
 .exclusive-lock
 # Daemon runtime (lock, log, pid)
 daemon.*
 # Interactions log (runtime, not versioned)
 interactions.jsonl
 # Push state (runtime, per-machine)
 push-state.json
 # Lock files (various runtime locks)
 *.lock
 # Credential key (encryption key for federation peer auth — never commit)
 .beads-credential-key
 # Local version tracking (prevents upgrade notification spam after git ops)
 .local_version
 # Worktree redirect file (contains relative path to main repo's .beads/)
 # Must not be committed as paths would be wrong in other clones
 redirect
 # Sync state (local-only, per-machine)
 # These files are machine-specific and should not be shared across clones
 .sync.lock
 export-state/
 export-state.json
 # Ephemeral store (SQLite - wisps/molecules, intentionally not versioned)
 ephemeral.sqlite3
 ephemeral.sqlite3-journal
 ephemeral.sqlite3-wal
 ephemeral.sqlite3-shm
 # Dolt server management (auto-started by bd)
 dolt-server.pid
 dolt-server.log
 dolt-server.lock
 dolt-server.port
 dolt-server.activity
 # Corrupt backup directories (created by bd doctor --fix recovery)
 *.corrupt.backup/
 # Backup data (auto-exported JSONL, local-only)
 backup/
 # Per-project environment file (Dolt connection config, GH#2520)
 .env
 # Legacy files (from pre-Dolt versions)
 *.db
 *.db?*
 *.db-journal
 *.db-wal
 *.db-shm
 db.sqlite
 bd.db
 # NOTE: Do NOT add negation patterns here.
 # They would override fork protection in .git/info/exclude.
 # Config files (metadata.json, config.yaml) are tracked by git by default
 # since no pattern above ignores them.
@@ -0,0 +1,81 @@
 # Beads - AI-Native Issue Tracking
 Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
 ## What is Beads?
 Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
 **Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
 ## Quick Start
 ### Essential Commands
 ```bash
 # Create new issues
 bd create "Add user authentication"
 # View all issues
 bd list
 # View issue details
 bd show <issue-id>
 # Update issue status
 bd update <issue-id> --claim
 bd update <issue-id> --status done
 # Sync with Dolt remote
 bd dolt push
 ```
 ### Working with Issues
 Issues in Beads are:
 - **Git-native**: Stored in Dolt database with version control and branching
 - **AI-friendly**: CLI-first design works perfectly with AI coding agents
 - **Branch-aware**: Issues can follow your branch workflow
 - **Always in sync**: Auto-syncs with your commits
 ## Why Beads?
 ✨ **AI-Native Design**
 - Built specifically for AI-assisted development workflows
 - CLI-first interface works seamlessly with AI coding agents
 - No context switching to web UIs
 🚀 **Developer Focused**
 - Issues live in your repo, right next to your code
 - Works offline, syncs when you push
 - Fast, lightweight, and stays out of your way
 🔧 **Git Integration**
 - Automatic sync with git commits
 - Branch-aware issue tracking
 - Dolt-native three-way merge resolution
 ## Get Started with Beads
 Try Beads in your own projects:
 ```bash
 # Install Beads
 curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
 # Initialize in your repo
 bd init
 # Create your first issue
 bd create "Try out Beads"
 ```
 ## Learn More
 - **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
 - **Quick Start Guide**: Run `bd quickstart`
 - **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
 ---
 *Beads: Issue tracking that moves at the speed of thought* ⚡
@@ -0,0 +1,56 @@
 # Beads Configuration File
 # This file configures default behavior for all bd commands in this repository
 # All settings can also be set via environment variables (BD_* prefix)
 # or overridden with command-line flags
 # Issue prefix for this repository (used by bd init)
 # If not set, bd init will auto-detect from directory name
 # Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
 # issue-prefix: ""
 # Use no-db mode: JSONL-only, no Dolt database
 # When true, bd will use .beads/issues.jsonl as the source of truth
 # no-db: false
 # Enable JSON output by default
 # json: false
 # Feedback title formatting for mutating commands (create/update/close/dep/edit)
 # 0 = hide titles, N > 0 = truncate to N characters
 # output:
 #   title-length: 255
 # Default actor for audit trails (overridden by BEADS_ACTOR or --actor)
 # actor: ""
 # Export events (audit trail) to .beads/events.jsonl on each flush/sync
 # When enabled, new events are appended incrementally using a high-water mark.
 # Use 'bd export --events' to trigger manually regardless of this setting.
 # events-export: false
 # Multi-repo configuration (experimental - bd-307)
 # Allows hydrating from multiple repositories and routing writes to the correct database
 # repos:
 #   primary: "."  # Primary repo (where this database lives)
 #   additional:   # Additional repos to hydrate from (read-only)
 #     - ~/beads-planning  # Personal planning repo
 #     - ~/work-planning   # Work planning repo
 # JSONL backup (periodic export for off-machine recovery)
 # Auto-enabled when a git remote exists. Override explicitly:
 # backup:
 #   enabled: false     # Disable auto-backup entirely
 #   interval: 15m      # Minimum time between auto-exports
 #   git-push: false    # Disable git push (export locally only)
 #   git-repo: ""       # Separate git repo for backups (default: project repo)
 # Integration settings (access with 'bd config get/set')
 # These are stored in the database, not in this file:
 # - jira.url
 # - jira.project
 # - linear.url
 # - linear.api-key
 # - github.org
 # - github.repo
 sync.remote: "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixos-config.git"
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run post-checkout "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'post-checkout' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run post-checkout "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'post-checkout'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run post-merge "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'post-merge' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run post-merge "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'post-merge'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run pre-commit "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'pre-commit' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run pre-commit "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'pre-commit'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run pre-push "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'pre-push' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run pre-push "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'pre-push'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
@@ -0,0 +1,24 @@
 #!/usr/bin/env sh
 # --- BEGIN BEADS INTEGRATION v1.0.2 ---
 # This section is managed by beads. Do not remove these markers.
 if command -v bd >/dev/null 2>&1; then
  export BD_GIT_HOOK=1
  _bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$_bd_timeout" bd hooks run prepare-commit-msg "$@"
    _bd_exit=$?
    if [ $_bd_exit -eq 124 ]; then
      echo >&2 "beads: hook 'prepare-commit-msg' timed out after ${_bd_timeout}s — continuing without beads"
      _bd_exit=0
    fi
  else
    bd hooks run prepare-commit-msg "$@"
    _bd_exit=$?
  fi
  if [ $_bd_exit -eq 3 ]; then
    echo >&2 "beads: database not initialized — skipping hook 'prepare-commit-msg'"
    _bd_exit=0
  fi
  if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
 fi
 # --- END BEADS INTEGRATION v1.0.2 ---
@@ -0,0 +1,3 @@
 {"id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
 {"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
 {"id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}
@@ -0,0 +1,7 @@
 {
  "database": "dolt",
  "backend": "dolt",
  "dolt_mode": "embedded",
  "dolt_database": "home_profile_restructuring",
  "project_id": "664fc7e3-94eb-4874-aab6-e47835abe9d8"
 }
@@ -0,0 +1,3 @@
 # Use bd merge for beads JSONL files
 .beads/issues.jsonl merge=beads
@@ -0,0 +1,46 @@
 # Sisyphus work session data
 .sisyphus/
 # Editor files
 *~
 .*.swp
 .*.swo
 .*.swx
 # Build artifacts
 result
 result-*
 .direnv/
 # IDE
 .vscode/
 .idea/
 *.iml
 # OS
 .DS_Store
 Thumbs.db
 # Opencode rules
 .opencode-rules
 opencode.json
 # AI agent state
 .sidecar/
 .sidecar-*
 .sisyphus/
 .sidecar-agent
 .sidecar-task
 .sidecar-pr
 .sidecar-start.sh
 .sidecar-base
 .td-root
 .cache
 .pi*
 .worktrees/
 docs/plans/
 # Beads / Dolt files (added by bd init)
 .dolt/
 *.db
 .beads-credential-key
@@ -0,0 +1,383 @@
 # Agent Instructions
 This project uses **bd** (beads) for issue tracking. Run `bd prime` for full workflow context.
 ## Quick Reference
 ```bash
 bd ready              # Find available work
 bd show <id>          # View issue details
 bd update <id> --claim  # Claim work atomically
 bd close <id>         # Complete work
 bd dolt push          # Push beads data to remote
 ```
 ## Non-Interactive Shell Commands
 **ALWAYS use non-interactive flags** with file operations to avoid hanging on confirmation prompts.
 Shell commands like `cp`, `mv`, and `rm` may be aliased to include `-i` (interactive) mode on some systems, causing the agent to hang indefinitely waiting for y/n input.
 **Use these forms instead:**
 ```bash
 # Force overwrite without prompting
 cp -f source dest           # NOT: cp source dest
 mv -f source dest           # NOT: mv source dest
 rm -f file                  # NOT: rm file
 # For recursive operations
 rm -rf directory            # NOT: rm -r directory
 cp -rf source dest          # NOT: cp -r source dest
 ```
 **Other commands that may prompt:**
 - `scp` - use `-o BatchMode=yes` for non-interactive
 - `ssh` - use `-o BatchMode=yes` to fail instead of prompting
 - `apt-get` - use `-y` flag
 - `brew` - use `HOMEBREW_NO_AUTO_UPDATE=1` env var
 <!-- BEGIN BEADS INTEGRATION v:1 profile:minimal hash:ca08a54f -->
 ## Beads Issue Tracker
 This project uses **bd (beads)** for persistent task tracking. Run `bd prime` for full workflow context.
 ### Why Beads?
 - **Prefer Beads over ad-hoc markdown TODO lists** — Beads provides structured, queryable, shareable issue tracking with dependency management
 - **Never use `bd edit`** — it opens an interactive editor which blocks agent workflows
 - **Use flags and stdin instead** — `bd update <id> --claim`, `bd create --title "..." --estimate 2`
 ### Slash Commands (Agent Workflow)
 | Command | Purpose |
 |---------|---------|
 | `/beads:ready` | Find unblocked issues |
 | `/beads:create` | Create a new issue |
 | `/beads:update` | Update an issue (claim, status) |
 | `/beads:close` | Close completed work |
 | `/beads:stats` | Project-level snapshot |
 ### Core Workflow (6 Steps)
 #### 1. Find Unblocked Work
 ```bash
 bd ready --json
 ```
 Lists issues with no blocking dependencies that are ready to work on.
 #### 2. Claim Work
 ```bash
 bd update <id> --claim
 ```
 Atomically assigns the issue to you (sets status to "in-progress").
 #### 3. Inspect Details
 ```bash
 bd show <id>
 ```
 View full issue details including:
 - Description and acceptance criteria
 - Blocking/blocked-by dependencies
 - Time estimates
 - Status history
 #### 4. Create Newly Discovered Work
 ```bash
 # Create a new issue
 bd create \
  --title "Fix audio on m3-helios" \
  --estimate 2 \
  --priority high \
  --labels nixos,audio
 # Link dependencies
 bd dep <id> --blocks <blocked-id>      # This issue blocks another
 bd dep <id> --after <after-id>         # This issue after another completes
 bd dep <id> --requires <requires-id>  # This issue requires another
 ```
 #### 5. Complete Work
 ```bash
 bd close <id> --reason "Added PulseAudio fallback to configuration.nix"
 ```
 Provide a concise summary of what was done. The `--reason` is mandatory.
 #### 6. Project Snapshot
 ```bash
 bd status --json    # Current state of all issues
 bd stats            # Metrics: velocity, cycle time, bottlenecks
 ```
 ### Example Complete Workflow
 ```bash
 # Start session - find work
 bd ready --json
 # Claim available issue
 bd update 42 --claim
 # Do the work...
 # Discover something else needed
 bd create --title "Document hermes-agent setup" --estimate 1
 # Link as related
 bd dep 43 --after 42
 # Complete original
 bd close 42 --reason "Added Hyprland idle timeout config"
 # Close related
 bd close 43 --reason "Added setup docs to AGENTS.md"
 # Push state to remote
 bd dolt push
 ```
 ### Rules
 - Use `bd` for ALL task tracking — do NOT use TodoWrite, TaskCreate, or markdown TODO lists
 - Run `bd prime` for detailed command reference and session close protocol
 - Use `bd remember` for persistent knowledge — do NOT use MEMORY.md files
 ## Session Completion
 **When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
 **MANDATORY WORKFLOW:**
 1. **File issues for remaining work** - Create issues for anything that needs follow-up
 2. **Run quality gates** (if code changed) - Tests, linters, builds
 3. **Update issue status** - Close finished work, update in-progress items
 4. **PUSH TO REMOTE** - This is MANDATORY:
   ```bash
   git pull --rebase
   bd dolt push
   git push
   git status  # MUST show "up to date with origin"
   ```
 5. **Clean up** - Clear stashes, prune remote branches
 6. **Verify** - All changes committed AND pushed
 7. **Hand off** - Provide context for next session
 **CRITICAL RULES:**
 - Work is NOT complete until `git push` succeeds
 - NEVER stop before pushing - that leaves work stranded locally
 - NEVER say "ready to push when you are" - YOU must push
 - If push fails, resolve and retry until it succeeds
 <!-- END BEADS INTEGRATION -->
 # Project Agent
 **Workspace Path:** `/home/m3tam3re/p/NIX/nixos-config`
 _(Note to Pi: Your file write/edit tools run in a different directory by default. You MUST use absolute paths starting with the Workspace Path above for ALL file operations!)_
 **Generated:** 2026-04-26
 ---
 ## Stack
 | Component        | Version/Source                    |
 | ---------------- | --------------------------------- |
 | **Nixpkgs**      | nixos-unstable + 25.05 stable     |
 | **Home Manager** | github:nix-community/home-manager |
 | **Agenix**       | github:ryantm/agenix              |
 | **Disko**        | github:nix-community/disko        |
 | **NUR**          | github:nix-community/NUR          |
 | **Formatter**    | alejandra                         |
 | **Linters**      | statix, deadnix                   |
 | **IDE**          | nixd                              |
 | **Hermes Agent** | NousResearch/hermes-agent         |
 | **LLM Agents**   | numtide/llm-agents.nix            |
 ---
 ## Structure
 ```
 nixos-config/
 ├── flake.nix                    # Entry point: hosts, overlays, dev shells
 ├── coding-rules.json            # Opencode rules configuration
 │
 ├── hosts/                        # Per-host NixOS configurations
 │   ├── common/                   # Shared across all hosts
 │   │   ├── users/                # User definitions
 │   │   ├── ports.nix             # Network ports config
 │   │   └── extraServices/        # Common service toggles
 │   ├── m3-ares/                  # Main desktop
 │   ├── m3-atlas/                 # Desktop with disko
 │   ├── m3-helios/                # Desktop with disko
 │   ├── m3-hermes/                # Desktop with disko + hermes-agent
 │   └── m3-kratos/                # Server with NUR
 │
 ├── modules/                      # Reusable NixOS/home-manager modules
 │   ├── nixos/                    # NixOS-specific modules
 │   │   └── default.nix           # Imports common + service configs
 │   └── home-manager/            # Home-manager configurations
 │
 ├── home/                         # Per-user, per-host home configs
 │   └── m3tam3re/
 │       └── m3-daedalus.nix
 │
 ├── overlays/                    # Package overlays
 │   ├── default.nix              # Stable/locked/master branches
 │   └── mods/                    # Package modifications
 │
 ├── pkgs/                        # Custom packages
 │
 ├── secrets/                     # Encrypted secrets (agenix)
 │   └── secrets.nix
 │
 ├── .opencode-rules/             # Opencode AI rules
 │   ├── concerns/                 # Coding style rules
 │   ├── languages/nix.md         # Nix conventions
 │   └── USAGE.md
 │
 └── .pi/                         # Agent configuration
 ```
 ---
 ## Commands
 | Action               | Command                                                                | Notes                                             |
 | -------------------- | ---------------------------------------------------------------------- | ------------------------------------------------- |
 | **Enter dev shell**  | `nix develop`                                                          | Includes alejandra, nixd, agenix, statix, deadnix |
 | **Build host**       | `sudo nixos-rebuild switch --flake .#m3-ares`                          | Replace hostname as needed                        |
 | **Dry run build**    | `sudo nixos-rebuild dry-run --flake .#m3-ares`                         | Validate without applying                         |
 | **List hosts**       | `nix flake show`                                                       | Shows all NixOS configurations                    |
 | **Update flake**     | `sudo nixos-rebuild switch --flake .#m3-ares --update-input nixpkgs`   | Update specific input                             |
 | **Format code**      | `alejandra .`                                                          | Run before committing                             |
 | **Check lint**       | `statix check .`                                                       | Run statix for antipatterns                       |
 | **Remove dead code** | `deadnix -w .`                                                         | Clean up unused let bindings                      |
 | **Build ISO**        | `nix build .#nixosConfigurations.m3-ares.config.system.build.isoImage` | Generate install ISO                              |
 ---
 ## Conventions
 ### Formatting & Style
 - **Formatter:** `alejandra` (mandatory, run before commits)
 - **Indentation:** 2 spaces (alejandra default)
 - **Variables:** camelCase (e.g., `maxRetryAttempts`)
 - **Types/Modules:** PascalCase (e.g., `MyService`)
 - **Constants:** UPPER_SNAKE_CASE (e.g., `MAX_RETRIES`)
 - **Files:** hyphen-case (e.g., `my-file.nix`)
 ### Nix Module Patterns
 ```nix
 { config, lib, pkgs, ... }:
 {
  options.myService.enable = lib.mkEnableOption "my service";
  config = lib.mkIf config.myService.enable {
    services.myService.enable = true;
  };
 }
 ```
 ### Conditionals
 ```nix
 config = lib.mkMerge [
  (lib.mkIf cfg.enable { ... })
  (lib.mkIf cfg.extraConfig { ... })
 ];
 ```
 ### Anti-Patterns (AVOID)
 - **Never use `with pkgs;`** — always use explicit package references
 - **Never use `builtins.fetchTarball`** — use flake inputs instead
 - **Never use `import <nixpkgs>`** — always use inputs
 - **Never use `builtins.getAttr/hasAttr`** — use `lib.attrByPath` or `lib.optionalAttrs`
 - **Avoid anonymous functions in config** — extract to named lets
 ### Imports
 - Use flake inputs for dependencies (e.g., `inputs.home-manager.nixosModules.home-manager`)
 - Import relative paths with `./` or `../`
 - Never use absolute paths in imports
 ### Secrets
 - Secrets managed via **agenix** in `secrets/` directory
 - Never commit plaintext secrets
 - Use `.nix` extension for secret files
 ---
 ## Key Files
 | File                               | Purpose                                                                                    |
 | ---------------------------------- | ------------------------------------------------------------------------------------------ |
 | `flake.nix`                        | Central entry point defining all hosts, overlays, packages, dev shells, and nixpkgs config |
 | `hosts/common/default.nix`         | Shared Nix settings, nixpkgs overlays, home-manager integration, user defaults             |
 | `hosts/m3-ares/default.nix`        | Main desktop host configuration, imports common + service modules                          |
 | `hosts/m3-ares/configuration.nix`  | Desktop environment config (Hyprland, display, audio, etc.)                                |
 | `hosts/m3-ares/programs.nix`       | CLI tools, dev tools, shell configs                                                        |
 | `hosts/m3-ares/services/`          | Service-specific configs (firewall, printing, etc.)                                        |
 | `modules/nixos/default.nix`        | Orchestrates common + configuration imports                                                |
 | `overlays/default.nix`             | Package version overrides (stable/locked/master branches)                                  |
 | `.opencode-rules/languages/nix.md` | Nix-specific conventions and patterns                                                      |
 ---
 ## What to Avoid
 1. **Don't modify `flake.lock`** directly — use `nix flake update`
 2. **Don't use impure operations** — this is a pure flake-based config
 3. **Don't commit without formatting** — always run `alejandra .` first
 4. **Don't add packages to hosts directly** — prefer adding to overlays or using NUR
 5. **Don't hardcode paths** — use `inputs` and relative imports
 6. **Don't create monolithic modules** — keep functions under 20 lines
 7. **Don't skip the dry-run** — always test with `--dry-run` before switching
 8. **Don't use lib.mkDefault lightly** — understand the precedence implications
 ---
 ## Notes
 ### Adding a New Host
 1. Add entry to `flake.nix` → `nixosConfigurations`
 2. Create directory in `hosts/` with:
   - `default.nix` — imports common + specific configs
   - `configuration.nix` — host-specific system config
   - `hardware-configuration.nix` — from `nixos-generate-config`
   - `programs.nix`, `services/`, `secrets.nix` as needed
 3. Run `sudo nixos-generate-config --dir ./hosts/new-host` first time
 ### Adding a New Package
 1. For simple packages: add to appropriate overlay in `overlays/default.nix`
 2. For complex packages: create in `pkgs/` directory
 3. For upstream packages: use NUR or add as flake input
 ### Development Workflow
 1. Edit config files
 2. Run `alejandra .` to format
 3. Run `statix check .` for linting
 4. Run `sudo nixos-rebuild dry-run --flake .#m3-ares`
 5. If successful: `sudo nixos-rebuild switch --flake .#m3-ares`
 ### Remote Building
 ```bash
 # Build on remote machine
 nix copy --to ssh://user@host .#nixosConfigurations.m3-ares.config.system.build.toplevel
 ssh user@host 'sudo nixos-rebuild switch --flake /nix/store/...-closure'
 ```
 ### Home Manager
 - Home configs live in `home/m3tam3re/`
 - Use `home-manager.users.m3tam3re` in host config
 - Access via `config.home-manager.users.m3tam3re`
@@ -1,7 +0,0 @@
 This repository is being used as a Dolt remote.
 ref=refs/dolt/data
 head=b30121458bb0b75b61e483e49b5084835b3777d8
 timestamp=2026-06-13T06:18:23Z
@@ -0,0 +1 @@
 {"$schema":"https://opencode.ai/config.json","instructions":[".opencode-rules/concerns/coding-style.md",".opencode-rules/concerns/naming.md",".opencode-rules/concerns/documentation.md",".opencode-rules/concerns/testing.md",".opencode-rules/concerns/git-workflow.md",".opencode-rules/concerns/project-structure.md",".opencode-rules/languages/nix.md"]}
@@ -0,0 +1,202 @@
 {
  description = ''
    For questions just DM me on X: https://twitter.com/@m3tam3re
    There is also some NIXOS content on my YT channel: https://www.youtube.com/@m3tam3re
    One of the best ways to learn NIXOS is to read other peoples configurations. I have personally learned a lot from Gabriel Fontes configs:
    https://github.com/Misterio77/nix-starter-configs
    https://github.com/Misterio77/nix-config
    Please also check out the starter configs mentioned above.
  '';
  inputs = {
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
    nixpkgs-45570c2.url = "github:nixos/nixpkgs/45570c299dc2b63c8c574c4cd77f0b92f7e2766e";
    nixpkgs-locked.url = "github:nixos/nixpkgs/2744d988fa116fc6d46cdfa3d1c936d0abd7d121";
    nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0";
    nixpkgs-master.url = "github:nixos/nixpkgs/master";
    m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
    llm-agents.url = "github:numtide/llm-agents.nix";
    #
    nur = {
      url = "github:nix-community/NUR";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix.url = "github:ryantm/agenix";
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-generators = {url = "github:nix-community/nixos-generators";};
    hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
    rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor";
    nix-colors.url = "github:misterio77/nix-colors";
    agents = {
      # url = "path:/home/m3tam3re/p/AI/AGENTS";
      url = "git+https://code.m3ta.dev/m3tam3re/AGENTS";
    };
    ## Skills
    skills-basecamp = {
      url = "github:basecamp/basecamp-cli";
      flake = false;
    };
    skills-anthropic = {
      url = "github:anthropics/skills";
      flake = false;
    };
    skills-kestra = {
      url = "github:kestra-io/agent-skills";
      flake = false;
    };
    skills-superpowers = {
      url = "github:obra/superpowers";
      flake = false;
    };
    skills-vercel = {
      url = "github:vercel-labs/skills";
      flake = false;
    };
    hermes-agent.url = "github:NousResearch/hermes-agent/v2026.4.30";
  };
  outputs = {
    self,
    agenix,
    home-manager,
    nixpkgs,
    m3ta-nixpkgs,
    nur,
    agents,
    ...
  } @ inputs: let
    inherit (self) outputs;
    systems = [
      "aarch64-linux"
      "i686-linux"
      "x86_64-linux"
      "aarch64-darwin"
      "x86_64-darwin"
    ];
    forAllSystems = nixpkgs.lib.genAttrs systems;
    allOverlays = import ./overlays {inherit inputs outputs;};
  in {
    packages =
      forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
    overlays = builtins.removeAttrs allOverlays ["mkLlmAgentsOverlay"];
    lib.mkLlmAgentsOverlay = allOverlays.mkLlmAgentsOverlay;
    homeManagerModules = import ./modules/home-manager;
    nixosConfigurations = {
      m3-ares = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
          hostname = "m3-ares";
        };
        modules = [
          ./hosts/m3-ares
          agenix.nixosModules.default
          m3ta-nixpkgs.nixosModules.default
          inputs.hermes-agent.nixosModules.default
        ];
      };
      m3-atlas = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
        };
        modules = [
          ./hosts/m3-atlas
          inputs.disko.nixosModules.disko
          agenix.nixosModules.default
          m3ta-nixpkgs.nixosModules.default
        ];
      };
      m3-kratos = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
          hostname = "m3-kratos";
        };
        modules = [
          ./hosts/m3-kratos
          agenix.nixosModules.default
          nur.modules.nixos.default
          m3ta-nixpkgs.nixosModules.default
          inputs.hermes-agent.nixosModules.default
        ];
      };
      m3-helios = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
        };
        modules = [
          ./hosts/m3-helios
          inputs.disko.nixosModules.disko
          agenix.nixosModules.default
          m3ta-nixpkgs.nixosModules.default
        ];
      };
      m3-hermes = nixpkgs.lib.nixosSystem {
        specialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
        };
        modules = [
          ./hosts/m3-hermes
          inputs.disko.nixosModules.disko
          agenix.nixosModules.default
          m3ta-nixpkgs.nixosModules.default
          inputs.hermes-agent.nixosModules.default
        ];
      };
    };
    homeConfigurations = {
      "m3tam3re@m3-daedalus" = home-manager.lib.homeManagerConfiguration {
        pkgs = nixpkgs.legacyPackages."x86_64-linux";
        extraSpecialArgs = {
          inherit inputs outputs;
          system = "x86_64-linux";
          hostname = "m3-daedalus";
        };
        modules = [./home/m3tam3re/m3-daedalus.nix];
      };
    };
    devShells = forAllSystems (system: let
      pkgs = import nixpkgs {
        inherit system;
        config.allowUnfree = true; # Allow unfree packages in devShell
      };
      m3taLib = m3ta-nixpkgs.lib.x86_64-linux;
      rules = m3taLib.coding-rules.mkCodingRules {
        inherit agents;
        languages = ["nix"];
      };
    in {
      default = pkgs.mkShell {
        buildInputs = with pkgs; [
          alejandra
          nixd
          openssh
          agenix.packages.${system}.default
          statix
          deadnix
        ];
        inherit (rules) instructions shellHook;
      };
    });
  };
 }
@@ -0,0 +1,145 @@
 # Bat — cat replacement with nix-colors syntax highlighting theme.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.bat;
  palette = config.colorScheme.palette;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.bat.enable = (mkEnableOption "enable bat with nix-colors theme") // {default = true;};
  config = mkIf cfg.enable {
    programs.bat = {
      enable = true;
      config = {theme = "universal";};
      themes = {
        universal = {
          src = pkgs.writeText "universal.tmTheme" ''
            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
            <plist version="1.0">
            <dict>
              <key>name</key>
              <string>Universal (nix-colors)</string>
              <key>settings</key>
              <array>
                <dict>
                  <key>settings</key>
                  <dict>
                    <key>background</key>
                    <string>#${palette.base00}</string>
                    <key>foreground</key>
                    <string>#${palette.base05}</string>
                    <key>caret</key>
                    <string>#${palette.base05}</string>
                    <key>selection</key>
                    <string>#${palette.base02}</string>
                    <key>selectionForeground</key>
                    <string>#${palette.base05}</string>
                    <key>lineHighlight</key>
                    <string>#${palette.base01}</string>
                  </dict>
                </dict>
                <dict>
                  <key>name</key>
                  <string>Comment</string>
                  <key>scope</key>
                  <string>comment</string>
                  <key>settings</key>
                  <dict>
                    <key>foreground</key>
                    <string>#${palette.base03}</string>
                    <key>fontStyle</key>
                    <string>italic</string>
                  </dict>
                </dict>
                <dict>
                  <key>name</key>
                  <string>String</string>
                  <key>scope</key>
                  <string>string</string>
                  <key>settings</key>
                  <dict>
                    <key>foreground</key>
                    <string>#${palette.base0A}</string>
                  </dict>
                </dict>
                <dict>
                  <key>name</key>
                  <string>Number</string>
                  <key>scope</key>
                  <string>constant.numeric</string>
                  <key>settings</key>
                  <dict>
                    <key>foreground</key>
                    <string>#${palette.base0E}</string>
                  </dict>
                </dict>
                <dict>
                  <key>name</key>
                  <string>Keyword</string>
                  <key>scope</key>
                  <string>keyword</string>
                  <key>settings</key>
                  <dict>
                    <key>foreground</key>
                    <string>#${palette.base08}</string>
                  </dict>
                </dict>
                <dict>
                  <key>name</key>
                  <string>Function</string>
                  <key>scope</key>
                  <string>entity.name.function</string>
                  <key>settings</key>
                  <dict>
                    <key>foreground</key>
                    <string>#${palette.base0B}</string>
                  </dict>
                </dict>
                <dict>
                  <key>name</key>
                  <string>Type</string>
                  <key>scope</key>
                  <string>entity.name.type, storage.type</string>
                  <key>settings</key>
                  <dict>
                    <key>foreground</key>
                    <string>#${palette.base0D}</string>
                  </dict>
                </dict>
                <dict>
                  <key>name</key>
                  <string>Variable</string>
                  <key>scope</key>
                  <string>variable</string>
                  <key>settings</key>
                  <dict>
                    <key>foreground</key>
                    <string>#${palette.base05}</string>
                  </dict>
                </dict>
                <dict>
                  <key>name</key>
                  <string>Constant</string>
                  <key>scope</key>
                  <string>constant</string>
                  <key>settings</key>
                  <dict>
                    <key>foreground</key>
                    <string>#${palette.base0E}</string>
                  </dict>
                </dict>
              </array>
            </dict>
            </plist>
          '';
        };
      };
    };
  };
 }
@@ -0,0 +1,21 @@
 # Carapace — multi-shell completion engine with Fish, Nushell, and Bash integration.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.carapace;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.carapace.enable = (mkEnableOption "enable carapace completion engine") // {default = true;};
  config = mkIf cfg.enable {
    programs.carapace = {
      enable = true;
      enableFishIntegration = true;
      enableNushellIntegration = true;
      enableBashIntegration = true;
    };
  };
 }
@@ -0,0 +1,17 @@
 # CLI tools aggregator — imports all base command-line utilities.
 {...}: {
  imports = [
    ./bat.nix
    ./carapace.nix
    ./direnv.nix
    ./eza.nix
    ./fzf.nix
    ./lf.nix
    ./nitch.nix
    ./packages.nix
    ./television.nix
    ./zellij.nix
    ./zellij-ps.nix
    ./zoxide.nix
  ];
 }
@@ -0,0 +1,20 @@
 # Direnv — automatic environment loading with nix-direnv integration.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.direnv;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.direnv.enable = (mkEnableOption "enable direnv with nix-direnv") // {default = true;};
  config = mkIf cfg.enable {
    programs.direnv = {
      enable = true;
      enableNushellIntegration = true;
      nix-direnv.enable = true;
    };
  };
 }
@@ -0,0 +1,21 @@
 # Eza — modern ls replacement with icons, git status, and long format by default.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.eza;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.eza.enable = (mkEnableOption "enable eza modern ls replacement") // {default = true;};
  config = mkIf cfg.enable {
    programs.eza = {
      enable = true;
      enableFishIntegration = true;
      enableBashIntegration = true;
      extraOptions = ["-l" "--icons" "--git" "-a"];
    };
  };
 }
@@ -0,0 +1,41 @@
 # Fuzzy finder with nix-colors palette and Wayland clipboard integration.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.fzf;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.fzf.enable = (mkEnableOption "enable fuzzy finder") // {default = true;};
  config = mkIf cfg.enable {
    programs.fzf = {
      enable = true;
      enableFishIntegration = true;
      colors = {
        "fg" = "#${config.colorScheme.palette.base05}";
        "bg" = "#${config.colorScheme.palette.base00}";
        "hl" = "#${config.colorScheme.palette.base0E}";
        "fg+" = "#${config.colorScheme.palette.base05}";
        "bg+" = "#${config.colorScheme.palette.base02}";
        "hl+" = "#${config.colorScheme.palette.base0E}";
        "info" = "#${config.colorScheme.palette.base09}";
        "prompt" = "#${config.colorScheme.palette.base0B}";
        "pointer" = "#${config.colorScheme.palette.base08}";
        "marker" = "#${config.colorScheme.palette.base08}";
        "spinner" = "#${config.colorScheme.palette.base09}";
        "header" = "#${config.colorScheme.palette.base03}";
      };
      defaultOptions = [
        "--preview='bat --color=always -n {}'"
        "--bind 'ctrl-/:toggle-preview'"
        "--header 'Press CTRL-Y to copy command into clipboard'"
        "--bind 'ctrl-y:execute-silent(echo -n {2..} | wl-copy)+abort'"
      ];
      defaultCommand = "fd --type f --exclude .git --follow --hidden";
      changeDirWidgetCommand = "fd --type d --exclude .git --follow --hidden";
    };
  };
 }
@@ -0,0 +1,28 @@
 # Lf — terminal file manager with bat preview and Dracula theme.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.lf;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.lf.enable = (mkEnableOption "enable lf terminal file manager") // {default = true;};
  config = mkIf cfg.enable {
    home.packages = [pkgs.lf];
    programs.lf = {
      enable = true;
      settings = {
        preview = true;
        drawbox = true;
        hidden = true;
        icons = true;
        previewer = "bat";
      };
    };
  };
 }
@@ -0,0 +1,17 @@
 # Nitch — minimal system information display tool.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.nitch;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.nitch.enable = (mkEnableOption "enable nitch") // {default = true;};
  config = mkIf cfg.enable {
    home.packages = [pkgs.nitch];
  };
 }
@@ -0,0 +1,62 @@
 # Essential CLI packages — core utilities always available on every host.
 # NOTE: `lazylib` does not exist in nixpkgs. `lazygit` is the correct package
 # (Git TUI) and is intentionally used here instead.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.essentials;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.essentials.enable = (mkEnableOption "enable essential CLI packages") // {default = true;};
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      # Core utilities
      coreutils
      fd
      htop
      jq
      ripgrep
      # Nix
      alejandra
      comma
      nixd
      nix-diff
      nix-index
      nix-update
      # Dev tools
      bc
      cmake
      devenv
      gcc
      gnumake
      go
      httpie
      just
      lazygit
      progress
      sqlite
      sqlite-vec
      tldr
      # AI tools
      fabric-ai
      llm
      # Misc
      basecamp
      hyprpaper-random
      libnotify
      trash-cli
      unzip
      yazi
      zip
    ];
  };
 }
@@ -0,0 +1,60 @@
 # Television — fuzzy finder with custom channels for tldr, git-diff, and git-log.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.television;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.television.enable = (mkEnableOption "enable television") // {default = true;};
  config = mkIf cfg.enable {
    programs.television = {
      enable = true;
      channels = {
        tldr = {
          metadata = {
            description = "Browse TLDR pages";
            name = "tldr";
            requirements = ["tldr"];
          };
          preview = {
            command = "tldr '{}'";
          };
          source = {
            command = "tldr --list";
          };
        };
        git-diff = {
          metadata = {
            description = "A channel to select files from git diff commands";
            name = "git-diff";
            requirements = ["git"];
          };
          preview = {
            command = "git diff HEAD --color=always -- '{}'";
          };
          source = {
            command = "git diff --name-only HEAD";
          };
        };
        git-log = {
          metadata = {
            description = "A channel to select from git log entries";
            name = "git-log";
            requirements = ["git"];
          };
          preview = {
            command = "git show -p --stat --pretty=fuller --color=always '{0}'";
          };
          source = {
            command = "git log --oneline --date=short --pretty=\"format:%h %s %an %cd\" \"$@\"";
            output = "{split: :0}";
          };
        };
      };
    };
  };
 }
@@ -0,0 +1,30 @@
 # Zellij-ps — project-aware Zellij session manager from m3ta-nixpkgs.
 # Delegates to `cli.zellij-ps` — the home-manager module namespace provided by
 # m3ta-nixpkgs (inputs.m3ta-nixpkgs.nixosModules.default). This is intentional;
 # `cli.*` is the convention used by m3ta-nixpkgs home-manager modules.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.zellijPs;
 in {
  options.base.cliTools.zellijPs = {
    # Enabled by default — base modules are always-on.
    enable = (mkEnableOption "enable zellij-ps project session manager") // {default = true;};
    projectFolders = mkOption {
      type = types.listOf types.path;
      description = "Project root folders scanned by zellij-ps.";
      default = ["${config.home.homeDirectory}/p"];
    };
  };
  config = mkIf cfg.enable {
    cli.zellij-ps = {
      enable = true;
      projectFolders = cfg.projectFolders;
    };
  };
 }
@@ -0,0 +1,34 @@
 # Zellij terminal multiplexer with nix-colors theming.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.zellij;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.zellij.enable = (mkEnableOption "enable zellij multiplexer") // {default = true;};
  config = mkIf cfg.enable {
    programs.zellij = {
      enable = true;
      settings = {
        theme = "universal";
        themes.universal = {
          bg = "#${config.colorScheme.palette.base00}";
          fg = "#${config.colorScheme.palette.base05}";
          black = "#${config.colorScheme.palette.base01}";
          red = "#${config.colorScheme.palette.base08}";
          green = "#${config.colorScheme.palette.base0B}";
          yellow = "#${config.colorScheme.palette.base0A}";
          blue = "#${config.colorScheme.palette.base0D}";
          magenta = "#${config.colorScheme.palette.base0E}";
          cyan = "#${config.colorScheme.palette.base0C}";
          white = "#${config.colorScheme.palette.base07}";
          orange = "#${config.colorScheme.palette.base09}";
        };
      };
    };
  };
 }
@@ -0,0 +1,20 @@
 # Zoxide — smarter cd with Fish and Nushell integration.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.cliTools.zoxide;
 in {
  # Enabled by default — base modules are always-on.
  options.base.cliTools.zoxide.enable = (mkEnableOption "enable zoxide smarter cd") // {default = true;};
  config = mkIf cfg.enable {
    programs.zoxide = {
      enable = true;
      enableFishIntegration = true;
      enableNushellIntegration = true;
    };
  };
 }
@@ -0,0 +1,9 @@
 # Base home-manager configuration — always loaded on every host.
 # Includes shell, CLI tools, and secrets modules.
 {...}: {
  imports = [
    ./shell
    ./cli-tools
    ./secrets/secrets.nix
  ];
 }
@@ -0,0 +1,24 @@
 # Password store and secrets management via pass-wayland with OTP and import extensions.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.base.secrets;
 in {
  # Enabled by default — base modules are always-on.
  options.base.secrets.enable = (mkEnableOption "enable secrets management") // {default = true;};
  config = mkIf cfg.enable {
    programs.password-store = {
      enable = true;
      package =
        pkgs.pass-wayland.withExtensions
        (exts: [exts.pass-otp exts.pass-import]);
      settings = {PASSWORD_STORE_DIR = "$XDG_DATA_HOME/password-store";};
    };
    home.packages = [pkgs.pinentry-gnome3];
  };
 }
@@ -0,0 +1,8 @@
 # Shell aggregator — imports Nushell (primary), Fish, and Starship prompt.
 {...}: {
  imports = [
    ./nushell.nix
    ./fish.nix
    ./starship.nix
  ];
 }
@@ -0,0 +1,118 @@
 # Fish shell configuration exposed under the new base namespace.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.shell.fish;
 in {
  # Enabled by default — base modules are always-on.
  options.base.shell.fish.enable = (mkEnableOption "enable fish shell") // {default = true;};
  config = mkIf cfg.enable {
    programs.fish = {
      enable = true;
      interactiveShellInit = ''
        # Fish colors using universal nix-colors palette
        # Text colors
        set -g fish_color_normal ${config.colorScheme.palette.base05}      # text
        set -g fish_color_param ${config.colorScheme.palette.base05}       # text
        set -g fish_color_comment ${config.colorScheme.palette.base03}     # muted
        set -g fish_color_autosuggestion ${config.colorScheme.palette.base03} # muted
        # Command colors
        set -g fish_color_command ${config.colorScheme.palette.base0D}     # accent6 (blue)
        set -g fish_color_quote ${config.colorScheme.palette.base0A}       # accent3 (yellow)
        set -g fish_color_redirection ${config.colorScheme.palette.base0E} # accent7 (purple)
        set -g fish_color_end ${config.colorScheme.palette.base08}         # accent1 (red)
        set -g fish_color_error ${config.colorScheme.palette.base08}       # accent1 (red)
        set -g fish_color_operator ${config.colorScheme.palette.base0C}    # accent5 (cyan)
        set -g fish_color_escape ${config.colorScheme.palette.base09}      # accent2 (orange)
        # Path colors
        set -g fish_color_cwd ${config.colorScheme.palette.base0B}         # accent4 (green)
        set -g fish_color_cwd_root ${config.colorScheme.palette.base08}    # accent1 (red)
        set -g fish_color_valid_path --underline
        # Interactive colors
        set -g fish_color_match ${config.colorScheme.palette.base0B}       # accent4 (green)
        set -g fish_color_selection --background=${config.colorScheme.palette.base02} # overlay
        set -g fish_color_search_match --background=${config.colorScheme.palette.base02} # overlay
        set -g fish_color_history_current --bold
        set -g fish_color_user ${config.colorScheme.palette.base0B}        # accent4 (green)
        set -g fish_color_host ${config.colorScheme.palette.base0D}        # accent6 (blue)
        set -g fish_color_cancel -r
        # Pager colors
        set -g fish_pager_color_completion normal
        set -g fish_pager_color_description ${config.colorScheme.palette.base03} # muted
        set -g fish_pager_color_prefix ${config.colorScheme.palette.base0E}      # accent7 (purple)
        set -g fish_pager_color_progress ${config.colorScheme.palette.base0B}    # accent4 (green)
      '';
      loginShellInit = ''
        set -x NIX_PATH nixpkgs=channel:nixos-unstable
        set -x NIX_LOG info
        set -x WEBKIT_DISABLE_COMPOSITING_MODE 1
        set -x TERMINAL ghostty
        set -x EDITOR nvim
        set -x VISUAL zed
        set -x XDG_DATA_HOME $HOME/.local/share
        set -x FZF_CTRL_R_OPTS "
        --preview='bat --color=always -n {}'
        --preview-window up:3:hidden:wrap
        --bind 'ctrl-/:toggle-preview'
        --bind 'ctrl-y:execute-silent(echo -n {2..} | wl-copy)+abort'
        --color header:bold
        --header 'Press CTRL-Y to copy command into clipboard'"
        set -x FZF_DEFAULT_COMMAND fd --type f --exclude .git --follow --hidden
        set -x FZF_CTRL_T_COMMAND "$FZF_DEFAULT_COMMAND"
        set -x FLAKE $HOME/p/nixos/nixos-config
        source /run/agenix/${config.home.username}-secrets
        if test (tty) = "/dev/tty1"
          exec uwsm start -F /run/current-system/sw/bin/Hyprland
        end
        if test (tty) = "/dev/tty2"
          exec gamescope -O HDMI-A-1 -W 1920 -H 1080 --adaptive-sync --hdr-enabled --rt --steam -- steam -pipewire-dmabuf -tenfoot
        end
      '';
      shellAbbrs = {
        ".." = "cd ..";
        "..." = "cd ../..";
        b = "yazi";
        ls = "eza";
        l = "eza -l --icons --git -a";
        lt = "eza --tree --level=2 --long --icons --git";
        grep = "rg";
        ps = "procs";
        just = "just --unstable";
        node = "bun";
        npx = "bunx";
        fs = "du -ah . | sort -hr | head -n 10";
        n = "nix";
        nd = "nix develop -c $SHELL";
        ns = "nix shell";
        nsn = "nix shell nixpkgs#";
        nb = "nix build";
        nbn = "nix build nixpkgs#";
        nf = "nix flake";
        nr = "sudo nixos-rebuild --flake .";
        nrs = "sudo nixos-rebuild switch --flake .#(uname -n)";
        snr = "sudo nixos-rebuild --flake .";
        snrs = "sudo nixos-rebuild --flake . switch";
        hm = "home-manager --flake .";
        hms = "home-manager --flake . switch";
        hmr = "cd ~/projects/nix-configurations; nix flake lock --update-input dotfiles; home-manager --flake .#(whoami)@(hostname) switch";
        tsu = "sudo tailscale up";
        tsd = "sudo tailscale down";
        vi = "nvim";
        vim = "nvim";
      };
    };
  };
 }
@@ -0,0 +1,86 @@
 # Primary shell configuration — Nushell with environment, aliases, and integrations.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.shell.nushell;
 in {
  # Enabled by default — base modules are always-on.
  options.base.shell.nushell.enable = (mkEnableOption "enable nushell") // {default = true;};
  config = mkIf cfg.enable {
    programs.nushell = {
      enable = true;
      envFile.text = ''
        $env.config.show_banner = false
        $env.NIX_PATH = "nixpkgs=channel:nixos-unstable"
        $env.NIX_LOG = "iunfo"
        $env.WEBKIT_DISABLE_COMPOSITING_MODE = "1"
        $env.TERMINAL = "ghostty"
        $env.EDITOR = "nvim"
        $env.VISUAL = "zeditor"
        $env.FZF_DEFAULT_COMMAND = "fd --type f --exclude .git --follow --hidden"
        $env.FZF_DEFAULT_OPTS = "--preview='bat --color=always -n {}' --bind 'ctrl-/:toggle-preview' --header 'Press CTRL-Y to copy command into clipboard' --bind 'ctrl-y:execute-silent(echo -n {2..} | wl-copy)+abort' --color bg:#282a36,bg+:#44475a,fg:#f8f8f2,fg+:#f8f8f2,header:#6272a4,hl:#bd93f9,hl+:#bd93f9,info:#ffb86c,marker:#ff79c6,pointer:#ff79c6,prompt:#50fa7b,spinner:#ffb86c"
        $env.XDG_DATA_HOME = $"($env.HOME)/.local/share"
        $env.SSH_AUTH_SOCK = "/run/user/1000/gnupg/S.gpg-agent.ssh"
        $env.PATH = ($env.PATH | split row (char esep) | append $"($env.HOME)/.cache/.bun/bin" | append $"($env.HOME)/.npm-global/bin" | uniq)
        $env.NPM_CONFIG_PREFIX = $"($env.HOME)/.npm-global"
        $env.FLAKE = $"($env.HOME)/p/NIX/nixos-config"
        # Load kestractl-env from agenix
        if ("/run/agenix/kestractl-env" | path exists) {
          open /run/agenix/kestractl-env
            | lines
            | where {($in | str trim | str length) > 0}
            | parse "{key}={value}"
            | update value {str trim -c '"'}
            | transpose -r -d
            | load-env
        }
      '';
      configFile.text = ''
        # Aliases
        alias .. = cd ..
        alias ... = cd ...
        alias h = cd $env.HOME
        alias b = yazi
        alias lt = eza --tree --level=2 --long --icons --git
        alias grep = rg
        alias just = just --unstable
        alias node = bun
        alias npx = bunx
        alias n = nix
        alias nd = nix develop -c $nu.current-shell
        alias ns = nix shell
        alias nsn = nix shell nixpkgs#
        alias nb = nix build
        alias nbn = nix build nixpkgs#
        alias nf = nix flake
        alias nr = sudo nixos-rebuild --flake .
        alias nrs = sudo nixos-rebuild switch --flake .#(sys host | get hostname)
        alias snr = sudo nixos-rebuild --flake .
        alias snrs = sudo nixos-rebuild --flake . switch
        alias hm = home-manager --flake .
        alias hms = home-manager --flake . switch
        alias hmr = do { cd ~/projects/nix-configurations; nix flake lock --update-input dotfiles; home-manager --flake .#(whoami)@(hostname) switch }
        alias tsu = sudo tailscale up
        alias tsd = sudo tailscale down
        alias vi = nvim
        alias vim = nvim
        if (which tv | is-not-empty) {
          mkdir ($nu.data-dir | path join "vendor/autoload")
          tv init nu | save -f ($nu.data-dir | path join "vendor/autoload/tv.nu")
        }
      '';
    };
  };
 }
@@ -0,0 +1,70 @@
 # Starship cross-shell prompt with nix-colors theming.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.base.shell.starship;
 in {
  # Enabled by default — base modules are always-on.
  options.base.shell.starship.enable = (mkEnableOption "enable starship prompt") // {default = true;};
  config = mkIf cfg.enable {
    programs.starship = {
      enable = true;
      enableFishIntegration = true;
      enableNushellIntegration = true;
      settings = {
        format = "$all$character";
        palette = "universal";
        palettes.universal = {
          background = "#${config.colorScheme.palette.base00}";
          surface = "#${config.colorScheme.palette.base01}";
          muted = "#${config.colorScheme.palette.base03}";
          text = "#${config.colorScheme.palette.base05}";
          bright = "#${config.colorScheme.palette.base07}";
          accent1 = "#${config.colorScheme.palette.base08}";
          accent2 = "#${config.colorScheme.palette.base09}";
          accent3 = "#${config.colorScheme.palette.base0A}";
          accent4 = "#${config.colorScheme.palette.base0B}";
          accent5 = "#${config.colorScheme.palette.base0C}";
          accent6 = "#${config.colorScheme.palette.base0D}";
          accent7 = "#${config.colorScheme.palette.base0E}";
        };
        character = {
          success_symbol = "[❯](accent7)";
          error_symbol = "[❯](accent1)";
        };
        directory = {
          style = "accent6";
          truncation_length = 3;
          truncate_to_repo = false;
        };
        git_branch = {
          style = "accent7";
        };
        git_status = {
          style = "accent5";
        };
        cmd_duration = {
          style = "accent3";
        };
        hostname = {
          style = "accent4";
        };
        username = {
          style_user = "accent2";
        };
      };
    };
  };
 }
@@ -0,0 +1,85 @@
 # AI agent system — OpenCode, Pi, and MCP server configuration.
 # Relies on coding.agents options provided by home/common/default.nix
 # (inputs.m3ta-nixpkgs.homeManagerModules.default).
 {
  config,
  inputs,
  lib,
  pkgs,
  videoDrivers ? [],
  ...
 }: {
  # Agent Git Identity configuration
  # Note: Uses existing gitea SSH key (m3tam3re identity) for push auth
  coding.agents.gitIdentity = {
    enable = true;
    name = "m3ta-chiron";
    email = "m3ta-chiron@agentmail.to";
    sshKey = "/home/m3tam3re/.ssh/gitea";
  };
  imports = [
    # OpenCode and Pi agent configurations
    ./opencode.nix
    ./pi.nix
  ];
  coding.agents.skills = {
    agentsInput = inputs.agents;
    externalSkills = [
      {
        src = inputs.skills-anthropic;
        selectSkills = ["pdf" "docx" "frontend-design"];
      }
      {src = inputs.skills-superpowers;}
      {src = inputs.skills-vercel;}
      {src = inputs.skills-basecamp;}
      {src = inputs.skills-kestra;}
    ];
  };
  programs.mcp = {
    enable = true;
    servers = {
      DeepWiki = {
        url = "https://mcp.deepwiki.com/mcp";
      };
      Ref = {
        command = "bash";
        args = ["-c" "REF_API_KEY=$(cat /run/agenix/ref-key) exec bunx ref-tools-mcp@latest"];
      };
      Exa = {
        command = "bash";
        args = ["-c" "EXA_API_KEY=$(cat /run/agenix/exa-key) exec bunx exa-mcp-server@latest tools=web_search_exa"];
      };
      Outline = {
        url = "https://wiki.az-gruppe.com/mcp";
      };
      ContextMode = {
        command = "bash";
        args = ["-c" "exec bunx context-mode@latest"];
      };
      Honcho = {
        command = "bash";
        args = [
          "-c"
          ''exec bunx mcp-remote@latest https://mcp.honcho.dev --header "Authorization:Bearer $(cat /run/agenix/honcho-key)" --header "X-Honcho-User-Name:m3tam3re"''
        ];
      };
    };
  };
  home.packages = with pkgs; [
    agenix-cli
    agent-browser
    beads
    pi
    (qmd.override {
      vulkanSupport = videoDrivers == ["amdgpu"];
      cudaSupport = videoDrivers == ["nvidia"];
    })
    # opencode-desktop
    openshell
    openspec
  ];
 }
@@ -0,0 +1,260 @@
 {
  inputs,
  lib,
  ...
 }: {
  coding.agents.opencode = {
    enable = true;
    agentsInput = inputs.agents;
  };
  coding.opencode = {
    enable = true;
    ohMyOpencodeSettings = {
      agents = {
        sisyphus.model = "litellm/claude-opus-4-6";
        oracle.model = "litellm/claude-sonnet-4-6";
        librarian.model = "litellm/claude-sonnet-4-6";
        explore.model = "litellm/claude-haiku-4-5";
        multimodal-looker.model = "litellm/gpt-5.3-codex";
        prometheus.model = "litellm/claude-opus-4-6";
        metis.model = "litellm/claude-opus-4-6";
        momus.model = "litellm/claude-opus-4-6";
        atlas.model = "litellm/claude-sonnet-4-6";
      };
      categories = {
        visual-engineering.model = "zai-coding-plan/glm-5.1";
        ultrabrain.model = "litellm/claude-opus-4-6";
        deep.model = "litellm/claude-sonnet-4-6";
        artistry.model = "zai-coding-plan/glm-5.1";
        quick.model = "litellm/claude-haiku-4-5";
        unspecified-low.model = "litellm/claude-sonnet-4-6";
        unspecified-high.model = "litellm/claude-opus-4-6";
        writing.model = "zai-coding-plan/glm-5.1";
      };
    };
  };
  # Keep TUI settings in programs.opencode.tui to satisfy OpenCode v1.2.15+.
  programs.opencode.tui.theme = "opencode";
  # Override legacy default settings to avoid deprecated TUI keys in settings.
  programs.opencode.settings = lib.mkForce {
    plugin = ["oh-my-openagent"];
    formatter = {
      alejandra = {
        command = ["alejandra" "-q" "-"];
        extensions = [".nix"];
      };
    };
    # Security: permission hardening for OpenCode
    # Last matching rule wins. Glob patterns: * = any chars, ? = single char.
    # ~ and $HOME are expanded to the user's home directory.
    # external_directory gates paths outside the working directory.
    permission = {
      # External directory access: ask by default, allow safe paths
      "external_directory" = {
        "*" = "ask";
        "/nix/store/**" = "allow";
        "/tmp/**" = "allow";
      };
      # Read access: allow by default, deny sensitive paths
      "read" = {
        "*" = "allow";
        "~/.ssh/**" = "deny";
        "~/.gnupg/**" = "deny";
        "~/.aws/**" = "deny";
        "~/.kube/**" = "deny";
        "~/.config/gh/**" = "deny";
        "~/.config/gcloud/**" = "deny";
        "~/.config/op/**" = "deny";
        "~/.config/sops/**" = "deny";
        "/run/agenix/**" = "deny";
        "~/.pi/agent/auth.json" = "deny";
        "~/.pi/agent/sessions/**" = "deny";
        "*.env" = "deny";
        "*.env.*" = "deny";
        "*.pem" = "deny";
        "*.key" = "deny";
        "*.p12" = "deny";
        "*.pfx" = "deny";
        "*id_rsa*" = "deny";
        "*id_ed25519*" = "deny";
        "*id_ecdsa*" = "deny";
        "*.example.env" = "allow";
        "*.sample.env" = "allow";
        "*.test.env" = "allow";
        ".env.example" = "allow";
        ".env.sample" = "allow";
        ".env.test" = "allow";
        "~/.ssh/*.pub" = "allow";
        "*.pub" = "allow";
        "*.csr" = "allow";
      };
      # Edit access: ask by default, deny sensitive paths
      "edit" = {
        "*" = "ask";
        "~/.ssh/**" = "deny";
        "~/.gnupg/**" = "deny";
        "~/.aws/**" = "deny";
        "~/.kube/**" = "deny";
        "~/.config/gh/**" = "deny";
        "~/.config/gcloud/**" = "deny";
        "~/.config/op/**" = "deny";
        "~/.config/sops/**" = "deny";
        "/run/agenix/**" = "deny";
        "~/.pi/agent/auth.json" = "deny";
        "~/.pi/agent/sessions/**" = "deny";
        "*.env" = "deny";
        "*.env.*" = "deny";
        "*.pem" = "deny";
        "*.key" = "deny";
        "*.p12" = "deny";
        "*.pfx" = "deny";
        "*id_rsa*" = "deny";
        "*id_ed25519*" = "deny";
        "*id_ecdsa*" = "deny";
        "~/.ssh/*.pub" = "allow";
        "*.pub" = "allow";
        "*.csr" = "allow";
      };
      # Glob patterns: same rules as read for file matching
      "glob" = {
        "*" = "allow";
        "~/.ssh/**" = "deny";
        "~/.gnupg/**" = "deny";
        "/run/agenix/**" = "deny";
        "*.env" = "deny";
        "*.env.*" = "deny";
        "*.pem" = "deny";
        "*.key" = "deny";
        "*.p12" = "deny";
        "*.pfx" = "deny";
      };
      # Grep: allow search, but deny searching for secrets
      "grep" = {
        "*" = "allow";
        "~/.ssh/**" = "deny";
        "~/.gnupg/**" = "deny";
        "/run/agenix/**" = "deny";
        "*PASSWORD*" = "ask";
        "*SECRET*" = "ask";
        "*API_KEY*" = "ask";
        "*PRIVATE_KEY*" = "ask";
      };
      # Bash: ask by default, deny dangerous and env-leak commands
      "bash" = {
        "*" = "ask";
        "git status*" = "allow";
        "git diff*" = "allow";
        "git log*" = "allow";
        "git branch*" = "allow";
        "git show*" = "allow";
        "git remote*" = "allow";
        "nix --version" = "allow";
        "nix eval*" = "allow";
        "nix build*" = "allow";
        "nix develop*" = "allow";
        "nix shell*" = "allow";
        "nix search*" = "allow";
        "alejandra*" = "allow";
        "git add*" = "allow";
        "git commit*" = "allow";
        "git push*" = "ask";
        "git pull*" = "allow";
        "rm *" = "ask";
        "rm -rf *" = "deny";
        "sudo *" = "ask";
        "env" = "deny";
        "printenv" = "deny";
        "cat /proc/*/environ" = "deny";
        "gpg *--export-secret*" = "deny";
        "ssh-add -D" = "deny";
        "docker run --privileged*" = "deny";
        "curl *| *sh" = "deny";
        "wget *| *sh" = "deny";
      };
      # Web fetch: ask for sensitive URLs
      "webfetch" = {
        "*" = "ask";
        "https://api.github.com*" = "allow";
        "https://search.nixos.org*" = "allow";
      };
      # Doom loop guard
      "doom_loop" = "ask";
    };
    # AZ-Gruppe LiteLLM endpoint + available models
    provider = {
      litellm = {
        npm = "@ai-sdk/openai-compatible";
        name = "LiteLLM (AZ-Gruppe)";
        options.baseURL = "https://llm.az-gruppe.com/v1";
        models = {
          "gpt-5.2" = {
            name = "GPT-5.2";
            limit = {
              context = 400000;
              output = 128000;
            };
          };
          "gpt-5.3-codex" = {
            name = "GPT-5.3 Codex";
            limit = {
              context = 400000;
              output = 128000;
            };
          };
          "claude-haiku-4-5" = {
            name = "Claude Haiku 4.5";
            options = {
              thinking = {
                type = "enabled";
                budget_tokens = 16000;
              };
            };
            limit = {
              context = 200000;
              output = 64000;
            };
          };
          "claude-sonnet-4-6" = {
            name = "Claude Sonnet 4.6";
            options = {
              thinking = {
                type = "enabled";
                budget_tokens = 16000;
              };
            };
            limit = {
              context = 200000;
              output = 64000;
            };
          };
          "claude-opus-4-6" = {
            name = "Claude Opus 4.6";
            options = {
              thinking = {
                type = "enabled";
                budget_tokens = 16000;
              };
            };
            limit = {
              context = 200000;
              output = 128000;
            };
          };
        };
      };
    };
  };
 }
@@ -0,0 +1,269 @@
 {inputs, ...}: {
  coding.agents.pi = {
    enable = true;
    agentsInput = inputs.agents;
    modelOverrides = {
      chiron = "minimax/MiniMax-M2.7";
      chiron-forge = "minimax/MiniMax-M2.7";
    };
    # Coding rules for Pi agent
    # Rules sourced from AGENTS repo
    codingRules = {
      # Language-specific rules
      languages = [
        "nix" # Nix language conventions
      ];
      # Standard concerns from AGENTS repo
      concerns = [
        "coding-style" # General coding principles
        "naming" # Naming conventions (camelCase, snake_case, etc.)
        "documentation" # Documentation standards
        "testing" # Testing guidelines (Arrange-Act-Assert)
        "git-workflow" # Conventional commits, branch naming
        "git-identity" # Git identity configuration for agents
        "project-structure" # Project layout conventions
      ];
      # No framework-specific rules for NixOS config
      frameworks = [];
    };
    settings = {
      packages = [
        "npm:@dreadedzombie/pi-init"
        "npm:@plannotator/pi-extension"
        "npm:@thesethrose/pi-zai-provider"
        "npm:pi-agent-browser-native"
        "npm:pi-beads-extension"
        "npm:pi-lens"
        "npm:pi-markdown-preview"
        "npm:pi-mcp-adapter"
        "npm:pi-powerline-footer"
        "npm:pi-prompt-template-model"
        "npm:pi-subagents"
        "npm:pi-tool-display"
        "npm:pi-web-access"
        "git:github.com/hk-vk/pi-connect"
      ];
      defaultProvider = "minimax";
      defaultModel = "MiniMax-M2.7";
      defaultThinkingLevel = "high";
    };
    # pi-guardrails: strict security config
    # NOTE: Path access checks are lexical (not symlink-safe).
    # NOTE: Local project .pi/extensions/guardrails.json can override same rule IDs.
    #       For immutable global policies, consider a wrapper or upstream patch.
    guardrails = {
      enable = true;
      config = {
        enabled = true;
        applyBuiltinDefaults = true;
        onboarding = {
          completed = true;
        };
        features = {
          policies = true;
          permissionGate = true;
          pathAccess = true;
        };
        pathAccess = {
          mode = "ask";
          allowedPaths = [
            "/nix/store/"
            "/tmp/"
          ];
        };
        policies = {
          rules = [
            # ── SSH keys ───────────────────────────────────────────
            {
              id = "home-ssh";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = false;
              patterns = [
                {pattern = "~/.ssh/**";}
                {pattern = "~/.ssh/*_rsa";}
                {pattern = "~/.ssh/*_ed25519";}
                {pattern = "~/.ssh/*.pem";}
              ];
              allowedPatterns = [
                {pattern = "~/.ssh/*.pub";}
              ];
            }
            # ── GPG keys ─────────────────────────────────────────
            {
              id = "home-gpg";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = false;
              patterns = [
                {pattern = "~/.gnupg/**";}
                {pattern = "~/*.gpg";}
                {pattern = "~/.gpg-agent.conf";}
              ];
            }
            # ── AWS credentials ────────────────────────────────────
            {
              id = "home-aws";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = false;
              patterns = [
                {pattern = "~/.aws/**";}
                {pattern = "~/.aws/credentials";}
                {pattern = "~/.aws/config";}
              ];
            }
            # ── Kubernetes configs ────────────────────────────────
            {
              id = "home-kube";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = false;
              patterns = [
                {pattern = "~/.kube/**";}
                {pattern = "*kubeconfig*";}
              ];
            }
            # ── Cloud CLI configs ────────────────────────────────
            {
              id = "home-config";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = false;
              patterns = [
                {pattern = "~/.config/gh/**";}
                {pattern = "~/.config/gcloud/**";}
                {pattern = "~/.config/op/**";}
                {pattern = "~/.config/sops/**";}
              ];
            }
            # ── agenix secrets ───────────────────────────────────
            {
              id = "agenix-secrets";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = false;
              patterns = [
                {pattern = "/run/agenix/**";}
              ];
            }
            # ── Pi auth and sessions ────────────────────────────
            {
              id = "pi-auth-sessions";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = false;
              patterns = [
                {pattern = "~/.pi/agent/auth.json";}
                {pattern = "~/.pi/agent/sessions/**";}
              ];
            }
            # ── Environment files ─────────────────────────────────
            {
              id = "secret-files";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = true;
              patterns = [
                {pattern = ".env";}
                {pattern = ".env.*";}
                {pattern = ".dev.vars";}
              ];
              allowedPatterns = [
                {pattern = "*.example.env";}
                {pattern = "*.sample.env";}
                {pattern = "*.test.env";}
                {pattern = ".env.example";}
                {pattern = ".env.sample";}
                {pattern = ".env.test";}
              ];
            }
            # ── Private keys and certificates ───────────────────
            {
              id = "private-keys";
              enabled = true;
              protection = "noAccess";
              onlyIfExists = false;
              patterns = [
                {pattern = "*.pem";}
                {pattern = "*.key";}
                {pattern = "*.p12";}
                {pattern = "*.pfx";}
                {pattern = "*id_rsa*";}
                {pattern = "*id_ed25519*";}
                {pattern = "*id_ecdsa*";}
              ];
              allowedPatterns = [
                {pattern = "*.pub";}
                {pattern = "*.csr";}
              ];
            }
          ];
        };
        permissionGate = {
          explainCommands = false;
          # Auto-deny patterns: env leakage and credential dumping
          autoDenyPatterns = [
            {
              pattern = "\\benv\\b";
              regex = true;
              description = "env command (may dump environment)";
            }
            {
              pattern = "\\bprintenv\\b";
              regex = true;
              description = "printenv command (dumps environment variables)";
            }
            {
              pattern = "/proc/[0-9]+/environ";
              regex = true;
              description = "reading process environment files";
            }
            {
              pattern = "gpg\\s+--export-secret-keys";
              regex = true;
              description = "GPG secret key export";
            }
            {
              pattern = "gpg\\s+--export-secret-subkeys";
              regex = true;
              description = "GPG secret subkey export";
            }
            {
              pattern = "ssh-add\\s+-D";
              regex = true;
              description = "delete all SSH identities";
            }
            {
              pattern = "\\b(op|pass)\\s+(read|show|get)";
              regex = true;
              description = "password manager read operations";
            }
          ];
        };
      };
    };
    # MCP servers auto-inherited from programs.mcp in default.nix
  };
 }
@@ -0,0 +1,12 @@
 # Coding environment aggregator — profile-independent development tooling.
 # Imports editors, LSP servers, git configuration, the agent system, language runtimes, and optional packages.
 {...}: {
  imports = [
    ./editor
    ./lsp
    ./git/git.nix
    ./agents/agents.nix
    ./languages
    ./packages.nix
  ];
 }
@@ -0,0 +1,6 @@
 # Editor aggregator — delegates to m3ta-nixpkgs editor modules.
 {...}: {
  imports = [
    ./neovim.nix
  ];
 }
@@ -0,0 +1,7 @@
 # NeoVim base configuration via m3ta-nixpkgs coding.editors module.
 # The option `coding.editors.neovim.enable` is declared by
 # inputs.m3ta-nixpkgs.homeManagerModules.default — no re-declaration here.
 {...}: {
  # Placeholder for host-agnostic NeoVim overrides.
  # Set coding.editors.neovim.enable = true in per-host files to activate.
 }
@@ -0,0 +1,41 @@
 # Git configuration with signing, aliases, and global ignore.
 # Identity and host-specific SSH keys are set per-host in home/m3tam3re/.
 {
  lib,
  pkgs,
  ...
 }:
 with lib; {
  programs.git = {
    enable = true;
    signing.format = null;
    settings = {
      user = {
        name = lib.mkDefault "m3tam3re";
        email = lib.mkDefault "p@m3ta.dev";
      };
      core.excludesfile = "~/.gitignore_global";
      init.defaultBranch = "master";
      alias = {
        st = "status";
        logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
      };
    };
  };
  programs.difftastic.enable = true;
  programs.jujutsu = {
    enable = true;
    settings = {
      user = {
        email = "m@m3tam3re.com";
        name = "Sascha Koenig";
      };
    };
  };
  home.packages = with pkgs; [
    lazygit
  ];
 }
@@ -0,0 +1,10 @@
 # Language runtimes — Python, JavaScript, Rust, Go, TypeScript.
 {...}: {
  imports = [
    ./python.nix
    ./javascript.nix
    ./rust-toolchain.nix
    ./go.nix
    ./typescript.nix
  ];
 }
@@ -0,0 +1,19 @@
 # Go toolchain — compiler and language server.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.coding.languages.go;
 in {
  options.coding.languages.go.enable = mkEnableOption "Go toolchain";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      go
      gopls
    ];
  };
 }
@@ -0,0 +1,25 @@
 # JavaScript/TypeScript runtime — Node.js and Bun.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.coding.languages.javascript;
  npmGlobalPrefix = "${config.home.homeDirectory}/.npm-global";
 in {
  options.coding.languages.javascript.enable = mkEnableOption "JavaScript runtime (Node.js + Bun)";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      nodejs
      bun
    ];
    home.file.".npmrc".text = ''
      prefix=${npmGlobalPrefix}
    '';
    home.sessionVariables.NPM_CONFIG_PREFIX = npmGlobalPrefix;
  };
 }
@@ -0,0 +1,35 @@
 # Python runtime with pip and uv.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.coding.languages.python;
 in {
  options.coding.languages.python = {
    enable = mkEnableOption "Python runtime with pip and uv";
    extraPackages = mkOption {
      type = types.listOf types.package;
      default = [];
      example = literalExpression "[ pkgs.python3Packages.numpy ]";
      description = "Additional Python packages to include";
    };
  };
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      (pkgs.python3.withPackages (ps:
        with ps;
          [
            uv
          ]
          ++ cfg.extraPackages))
      (writeShellScriptBin "pip" "exec uv pip $@")
      (writeShellScriptBin "pip3" "exec uv pip $@")
      pyrefly
      ruff
    ];
  };
 }
@@ -0,0 +1,20 @@
 # Rust toolchain — compiler, package manager, and language server.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.coding.languages.rustToolchain;
 in {
  options.coding.languages.rustToolchain.enable = mkEnableOption "Rust toolchain";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      rustc
      cargo
      rust-analyzer
    ];
  };
 }
@@ -0,0 +1,19 @@
 # TypeScript support — language server and type checking tools.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.coding.languages.typescript;
 in {
  options.coding.languages.typescript.enable = mkEnableOption "TypeScript support";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      typescript
      typescript-language-server
    ];
  };
 }
@@ -0,0 +1,6 @@
 # LSP aggregator — language server protocol tooling.
 {...}: {
  imports = [
    ./servers.nix
  ];
 }
@@ -0,0 +1,23 @@
 # LSP server configuration — language servers for the development environment.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.coding.lsp;
 in {
  options.coding.lsp.enable = mkEnableOption "enable LSP servers";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      # Nix
      nixd
      # General
      typescript-language-server
      tailwindcss-language-server
      pyrefly
    ];
  };
 }
@@ -0,0 +1,20 @@
 # Additional coding packages — API clients and GUI development tools.
 # Opt-in since not all coding hosts need these desktop-oriented tools.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.coding.packages;
 in {
  options.coding.packages.enable = mkEnableOption "additional coding packages (bruno, insomnia)";
  config = mkIf cfg.enable {
    home.packages = [
      pkgs.bruno
      pkgs.insomnia
    ];
  };
 }
@@ -0,0 +1,56 @@
 {
  inputs,
  lib,
  outputs,
  pkgs,
  system,
  ...
 }: {
  imports = [
    inputs.nix-colors.homeManagerModules.default
    inputs.m3ta-nixpkgs.homeManagerModules.default
  ]; #imports = builtins.attrValues outputs.homeManagerModules;
  nixpkgs = {
    # You can add overlays here
    overlays = [
      # Add overlays your own flake exports (from overlays and pkgs dir):
      #outputs.overlays.additions
      #outputs.overlays.modifications
      outputs.overlays.temp-packages
      outputs.overlays.stable-packages
      outputs.overlays.locked-packages
      outputs.overlays.pinned-packages
      outputs.overlays.master-packages
      inputs.nur.overlays.default
      inputs.m3ta-nixpkgs.overlays.default
      inputs.m3ta-nixpkgs.overlays.modifications
      (outputs.lib.mkLlmAgentsOverlay system)
      # You can also add overlays exported from other flakes:
      # neovim-nightly-overlay.overlays.default
      # Or define it inline, for example:
      # (final: prev: {
      #   hi = final.hello.overrideAttrs (oldAttrs: {
      #     patches = [ ./change-hello-to-hi.patch ];
      #   });
      # })
    ];
    # Configure your nixpkgs instance
    config = {
      # Disable if you don't want unfree packages
      allowUnfree = true;
      # Workaround for https://github.com/nix-community/home-manager/issues/2942
      allowUnfreePredicate = _: true;
    };
  };
  nix = {
    package = lib.mkDefault pkgs.nix;
    settings = {
      experimental-features = ["nix-command" "flakes"];
      warn-dirty = false;
    };
  };
  colorScheme = inputs.nix-colors.colorSchemes.dracula;
 }
@@ -0,0 +1,16 @@
 # Cryptocurrency applications — Bisq, Monero GUI, and Trezor Suite.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.desktop.apps.crypto;
 in {
  options.desktop.apps.crypto.enable = mkEnableOption "enable crypto applications";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [bisq2 monero-gui trezor-suite];
  };
 }
@@ -0,0 +1,10 @@
 # Desktop apps aggregator — Obsidian, Office, web apps, crypto tools, and productivity.
 {...}: {
  imports = [
    ./obsidian.nix
    ./office.nix
    ./webapps.nix
    ./crypto.nix
    ./productivity.nix
  ];
 }
@@ -0,0 +1,25 @@
 # Obsidian knowledge base with markdown MIME association.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.desktop.apps.obsidian;
 in {
  options.desktop.apps.obsidian.enable = mkEnableOption "enable Obsidian knowledge base";
  config = mkIf cfg.enable {
    programs.obsidian.enable = true;
    xdg.mimeApps = {
      enable = true;
      associations.added = {
        "text/markdown" = ["obsidian.desktop"];
      };
      defaultApplications = {
        "text/markdown" = ["obsidian.desktop"];
      };
    };
  };
 }
@@ -0,0 +1,16 @@
 # Office and productivity applications — LibreOffice and document tools.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.desktop.apps.office;
 in {
  options.desktop.apps.office.enable = mkEnableOption "install office and paperwork apps";
  config = mkIf cfg.enable {
    home.packages = [pkgs.libreoffice-fresh];
  };
 }
@@ -0,0 +1,18 @@
 # Productivity tools — Pomodoro timer and focus utilities.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.desktop.apps.productivity;
 in {
  options.desktop.apps.productivity.enable = mkEnableOption "enable productivity tools";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      pomodoro-timer
    ];
  };
 }
@@ -0,0 +1,56 @@
 # Web application desktop entries — Teams, Outlook, Basecamp, and OpenCode launchers.
 {
  config,
  pkgs,
  ...
 }: let
  icons = {
    teams = pkgs.fetchurl {
      url = "https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/microsoft-teams.svg";
      sha256 = "sha256-Pr9QS8nnXJq97r4/G3c6JXi34zxHl0ps9gcyI8cN/s8=";
    };
    outlook = pkgs.fetchurl {
      url = "https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/microsoft-outlook.svg";
      sha256 = "sha256-3u8t5QNHFZvrAegxBiGicO4PjtMWhEaQSCv7MSSfLLc=";
    };
    opencode = pkgs.fetchurl {
      url = "https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/opencode-dark.svg";
      sha256 = "1lms4f8habamvdh2qqqz9psx4py9wx23mmlkkds44pvrbq3bkj3n";
    };
  };
 in {
  xdg.desktopEntries = {
    teams = {
      name = "Microsoft Teams";
      exec = "launch-webapp https://teams.microsoft.com";
      comment = "Open Microsoft Teams as a Desktop App";
      categories = ["Application" "Network" "Chat"];
      terminal = false;
      icon = icons.teams;
    };
    outlook = {
      name = "Microsoft Outlook";
      exec = "launch-webapp https://outlook.office.com/mail/";
      comment = "Open Microsoft Outlook as a Desktop App";
      categories = ["Application" "Network"];
      terminal = false;
      icon = icons.outlook;
    };
    basecamp = {
      name = "Basecamp";
      exec = "launch-webapp https://3.basecamp.com/5996442/";
      comment = "Open Basecamp as a Desktop App";
      categories = ["Application" "Network"];
      terminal = false;
      icon = "${config.home.homeDirectory}/.local/share/icons/basecamp-logo.png";
    };
    opencode = {
      name = "Opencode";
      exec = "rofi-project-opener";
      comment = "Open Opencode Terminal App";
      categories = ["Application" "Development"];
      terminal = false;
      icon = icons.opencode;
    };
  };
 }
@@ -0,0 +1,125 @@
 # Desktop environment aggregator — only loaded when context=desktop.
 # Includes window manager, applications, theming, and desktop session config.
 {
  config,
  pkgs,
  ...
 }: {
  imports = [
    ./wm
    ./apps
    ./theme
  ];
  xdg = {
    enable = true;
    configFile."mimeapps.list".force = true;
    mimeApps = {
      enable = true;
      associations.added = {
        "application/zip" = ["org.gnome.FileRoller.desktop"];
        "application/csv" = ["calc.desktop"];
        "application/pdf" = ["okularApplication_pdf.desktop"];
      };
      defaultApplications = {
        "application/zip" = ["org.gnome.FileRoller.desktop"];
        "application/csv" = ["calc.desktop"];
        "application/pdf" = ["okularApplication_pdf.desktop"];
        "application/md" = ["nvim.desktop"];
        "application/text" = ["nvim.desktop"];
        "x-scheme-handler/http" = ["io.github.zen_browser.zen"];
        "x-scheme-handler/https" = ["io.github.zen_browser.zen"];
      };
    };
    userDirs = {
      enable = true;
      createDirectories = true;
      setSessionVariables = true;
    };
  };
  home.sessionVariables = {
    WEBKIT_DISABLE_COMPOSITING_MODE = "1";
    NIXOS_OZONE_WL = "1";
    TERMINAL = "ghostty";
    QT_QPA_PLATFORM = "wayland";
    XDG_CURRENT_DESKTOP = "Hyprland";
    XDG_SESSION_TYPE = "wayland";
    XDG_SESSION_DESKTOP = "Hyprland";
  };
  home.sessionPath = [
    "\${XDG_BIN_HOME}"
    "\${HOME}/.cargo/bin"
    "$HOME/.npm-global/bin"
    "$HOME/.cache/.bun/bin"
  ];
  fonts.fontconfig.enable = true;
  programs.ghostty = {
    enable = true;
    enableFishIntegration = true;
    enableBashIntegration = true;
    settings = {
      font-family = "Fira Code";
      copy-on-select = true;
      foreground = "#${config.colorScheme.palette.base05}";
      background = "#${config.colorScheme.palette.base00}";
      selection-foreground = "#${config.colorScheme.palette.base07}";
      selection-background = "#${config.colorScheme.palette.base02}";
      cursor-color = "#${config.colorScheme.palette.base05}";
      palette = [
        "0=#${config.colorScheme.palette.base01}"
        "1=#${config.colorScheme.palette.base08}"
        "2=#${config.colorScheme.palette.base0B}"
        "3=#${config.colorScheme.palette.base0A}"
        "4=#${config.colorScheme.palette.base0D}"
        "5=#${config.colorScheme.palette.base0E}"
        "6=#${config.colorScheme.palette.base0C}"
        "7=#${config.colorScheme.palette.base05}"
        "8=#${config.colorScheme.palette.base03}"
        "9=#${config.colorScheme.palette.base08}"
        "10=#${config.colorScheme.palette.base0B}"
        "11=#${config.colorScheme.palette.base0A}"
        "12=#${config.colorScheme.palette.base0D}"
        "13=#${config.colorScheme.palette.base0E}"
        "14=#${config.colorScheme.palette.base0C}"
        "15=#${config.colorScheme.palette.base07}"
      ];
    };
  };
  home.pointerCursor = {
    gtk.enable = true;
    package = pkgs.bibata-cursors;
    name = "Bibata-Modern-Ice";
    size = 20;
  };
  home.packages = with pkgs; [
    appimage-run
    bemoji
    brave
    distrobox
    eigent
    (element-desktop.override {
      commandLineArgs = "--password-store=gnome-libsecret";
    })
    launch-webapp
    file-roller
    hyprpanel
    seahorse
    sushi
    ksnip
    msty-studio
    nwg-look
    rose-pine-hyprcursor
    remmina
    slack
    telegram-desktop
    vivaldi
    vivaldi-ffmpeg-codecs
    vibetyper
  ];
 }
@@ -0,0 +1,8 @@
 # Theme aggregator — fonts, GTK/Qt theming, and wallpapers.
 {...}: {
  imports = [
    ./fonts.nix
    ./theme.nix
    ./wallpapers.nix
  ];
 }
@@ -0,0 +1,24 @@
 # Font packages — Fira Code, JetBrains Mono Nerd Font, and supporting icon fonts.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.desktop.theme.fonts;
 in {
  options.desktop.theme.fonts.enable = mkEnableOption "install desktop fonts";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      fira-code
      fira-code-symbols
      nerd-fonts.fira-code
      nerd-fonts.jetbrains-mono
      font-manager
      font-awesome_5
      noto-fonts
    ];
  };
 }
@@ -0,0 +1,24 @@
 # GTK and Qt theming — Dracula theme with matching icons and cursor.
 {
  pkgs,
  config,
  ...
 }: {
  qt = {
    enable = true;
    platformTheme.name = "gtk";
  };
  gtk = {
    enable = true;
    theme = {
      name = "Dracula";
      package = pkgs.dracula-theme;
    };
    iconTheme = {
      name = "Dracula";
      package = pkgs.dracula-icon-theme;
    };
    gtk4.theme = config.gtk.theme;
  };
 }
@@ -0,0 +1,19 @@
 # Wallpaper collection — copies wallpapers to Hyprland config directory.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.desktop.theme.wallpapers.enable;
 in {
  options.desktop.theme.wallpapers.enable = mkEnableOption "wallpapers for Hyprland";
  config = mkIf cfg {
    xdg.configFile."hypr/wallpapers" = {
      # Wallpapers are stored relative to the home/m3tam3re directory.
      source = ../../m3tam3re/wallpapers;
      recursive = true;
    };
  };
 }
@@ -0,0 +1,8 @@
 # Window manager aggregator — Hyprland, Wayland tools, and Rofi launcher.
 {...}: {
  imports = [
    ./hyprland.nix
    ./wayland.nix
    ./rofi.nix
  ];
 }
@@ -0,0 +1,318 @@
 # Hyprland window manager with keybindings, window rules, idle/lock, and hyprpaper.
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.desktop.wm.hyprland;
 in {
  options.desktop.wm.hyprland.enable = mkEnableOption "Hyprland window manager";
  config = mkIf cfg.enable {
    wayland.windowManager.hyprland = {
      settings = {
        xwayland = {
          force_zero_scaling = true;
        };
        exec-once = [
          "hyprpanel"
          "while ! hyprpaper-random; do sleep 0.5; done"
          "wl-paste --type text --watch cliphist store"
          "wl-paste --type image --watch cliphist store"
          "vibetyper"
        ];
        env = [
          "XCURSOR_SIZE,32"
          "HYPRCURSOR_THEME,Bibata-Modern-Ice"
          "WLR_NO_HARDWARE_CURSORS,1"
          "GTK_THEME,Dracula"
          "XDG_CURRENT_DESKTOP,Hyprland"
          "XDG_SESSION_TYPE,wayland"
          "XDG_SESSION_DESKTOP,Hyprland"
          "XKB_DEFAULT_LAYOUT,de"
          "NIXOS_OZONE_WL,1"
        ];
        input = {
          kb_layout = "de,us";
          kb_variant = "";
          kb_model = "";
          kb_rules = "";
          kb_options = "ctrl:nocaps";
          follow_mouse = 1;
        };
        general = {
          gaps_in = 5;
          gaps_out = 5;
          border_size = 1;
          "col.active_border" = "rgba(9742b5ee) rgba(9742b5ee) 45deg";
          "col.inactive_border" = "rgba(${config.colorScheme.palette.base03}aa)";
          layout = "dwindle";
        };
        decoration = {
          shadow = {
            enabled = true;
            range = 60;
            render_power = 3;
            color = "rgba(${config.colorScheme.palette.base00}66)";
            offset = "1 2";
            scale = 0.97;
          };
          rounding = 8;
          blur = {
            enabled = true;
            size = 3;
            passes = 3;
          };
          active_opacity = 0.9;
          inactive_opacity = 0.5;
        };
        animations = {
          enabled = true;
          bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
          animation = [
            "windows, 1, 7, myBezier"
            "windowsOut, 1, 7, default, popin 80%"
            "border, 1, 10, default"
            "borderangle, 1, 8, default"
            "fade, 1, 7, default"
            "workspaces, 1, 6, default"
          ];
        };
        dwindle = {
          pseudotile = true;
          preserve_split = true;
        };
        master = {
          new_status = "master";
        };
        device = [
          {
            name = "epic-mouse-v1";
            sensitivity = -0.5;
          }
          {
            name = "zsa-technology-labs-moonlander-mark-i";
            kb_layout = "us";
          }
          {
            name = "keychron-keychron-k7";
            kb_layout = "us";
          }
        ];
        windowrule = [
          "match:class file_progress, float on"
          "match:class confirm, float on"
          "match:class dialog, float on"
          "match:class download, float on"
          "match:class notification, float on"
          "match:class error, float on"
          "match:class splash, float on"
          "match:class confirmreset, float on"
          "match:title Open File, float on"
          "match:title branchdialog, float on"
          "match:class pavucontrol-qt, float on"
          "match:class pavucontrol, float on"
          "match:class class:^(espanso)$, float on"
          "match:class wlogout, fullscreen on"
          "match:title wlogout, float on"
          "match:title wlogout, fullscreen on"
          "match:class mpv, float on"
          "match:class mpv, idle_inhibit focus"
          "match:class mpv, opacity 1.0 override"
          "match:title ^(Media viewer)$, float on"
          "match:title ^(Volume Control)$, float on"
          "match:title ^(Picture-in-Picture)$, float on"
          "match:title ^(floating-pomodoro)$, float on"
          "match:title ^(floating-pomodoro)$, size 250 50"
          "match:title ^(floating-pomodoro)$, move 12 (monitor_h-150)"
          "match:title ^(floating-pomodoro)$, pin on"
          "match:initial_title .*streamlabs.com.*, float on"
          "match:initial_title .*streamlabs.com.*, pin on"
          "match:initial_title .*streamlabs.com.*, size 800 400"
          "match:initial_title .*alert-box.*, move 100%-820 102"
          "match:initial_title .*chat-box.*, move 100%-820 512"
          "match:initial_title .*streamlabs.com.*, opacity 0.5 override"
          "match:initial_title .*streamlabs.com.*, idle_inhibit focus"
          "match:initial_title .*streamlabs.com.*, no_anim on"
          "match:initial_title .*streamlabs.com.*, decorate off"
          "match:initial_title .*streamlabs.com.*, no_shadow on"
          "match:initial_title .*streamlabs.com.*, no_blur on"
          "match:class ^vibe-typer$, match:title ^Recording Indicator$, no_blur on"
          "border_color rgb(ffffff), match:xwayland 1"
        ];
        "$mainMod" = "SUPER";
        "$terminal" = "ghostty";
        bind = [
          "$mainMod, return, exec, $terminal nu -c zellij-ps"
          "$mainMod, t, exec, $terminal -e nu -c 'nitch; exec nu'"
          "$mainMod SHIFT, t, exec, launch-timer"
          "$mainMod, n, exec, $terminal -e nvim"
          "$mainMod, z, exec, uwsm app -- zeditor"
          "$mainMod, o, exec, hyprctl dispatch setprop activewindow opaque toggle"
          "$mainMod, r, exec, hyprctl dispatch focuswindow \"initialtitle:.*alert-box.*\" && hyprctl dispatch moveactive exact 4300 102 && hyprctl dispatch focuswindow \"initialtitle:.*chat-box.*\" && hyprctl dispatch moveactive exact 4300 512"
          "$mainMod, b, exec, uwsm app -- thunar"
          "$mainMod SHIFT, B, exec, uwsm app -- vivaldi"
          "$mainMod, Escape, exec, uwsm app -- wlogout -p layer-shell"
          "$mainMod, Space, togglefloating"
          "$mainMod, q, killactive"
          "$mainMod, M, exit"
          "$mainMod, F, fullscreen"
          "$mainMod SHIFT, V, togglefloating"
          "$mainMod, D, exec, uwsm app -- rofi -show drun -run-command \"uwsm app -- {cmd}\""
          "$mainMod, V, exec, uwsm app -- cliphist list | rofi -dmenu | cliphist decode | wl-copy"
          "$mainMod, C, exec, bash -c 'FILE=/tmp/screenshot_$(date +%s).png; grim -g \"$(slurp)\" \"$FILE\" && ksnip \"$FILE\"'"
          "$mainMod SHIFT, S, exec, uwsm app -- rofi -show emoji"
          "$mainMod, P, exec, uwsm app -- rofi-pass"
          "$mainMod SHIFT, P, pseudo"
          "$mainMod, R, exec, stt-ptt start"
          "$mainMod, S, exec, stt-ptt start"
          "$mainMod, J, togglesplit"
          "$mainMod, h, movefocus, l"
          "$mainMod, l, movefocus, r"
          "$mainMod, k, movefocus, u"
          "$mainMod, j, movefocus, d"
          "$mainMod, 1, workspace, 1"
          "$mainMod, 2, workspace, 2"
          "$mainMod, 3, workspace, 3"
          "$mainMod, 4, workspace, 4"
          "$mainMod, 5, workspace, 5"
          "$mainMod, 6, workspace, 6"
          "$mainMod, 7, workspace, 7"
          "$mainMod, 8, workspace, 8"
          "$mainMod, 9, workspace, 9"
          "$mainMod, 0, workspace, 10"
          "$mainMod SHIFT, 1, movetoworkspace, 1"
          "$mainMod SHIFT, 2, movetoworkspace, 2"
          "$mainMod SHIFT, 3, movetoworkspace, 3"
          "$mainMod SHIFT, 4, movetoworkspace, 4"
          "$mainMod SHIFT, 5, movetoworkspace, 5"
          "$mainMod SHIFT, 6, movetoworkspace, 6"
          "$mainMod SHIFT, 7, movetoworkspace, 7"
          "$mainMod SHIFT, 8, movetoworkspace, 8"
          "$mainMod SHIFT, 9, movetoworkspace, 9"
          "$mainMod SHIFT, 0, movetoworkspace, 10"
          "$mainMod, mouse_down, workspace, e+1"
          "$mainMod, mouse_up, workspace, e-1"
        ];
        bindr = [
          "$mainMod, R, exec, stt-ptt stop"
          "$mainMod, S, exec, stt-ptt format-stop"
        ];
        bindm = [
          "$mainMod, mouse:272, movewindow"
          "$mainMod, mouse:273, resizewindow"
        ];
      };
    };
    services.hypridle = {
      enable = true;
      settings = {
        general = {
          before_sleep_cmd = "hyprlock";
          after_sleep_cmd = "hyprctl dispatch dpms on";
          inhibit_sleep = 3;
        };
        listener = [
          {
            timeout = 300;
            on-timeout = "hyprlock";
          }
          {
            timeout = 420;
            on-timeout = "hyprctl dispatch dpms off";
            on-resume = "hyprctl dispatch dpms on";
          }
        ];
      };
    };
    services.hyprpaper.enable = true;
    programs.hyprlock = {
      enable = true;
      settings = {
        "$font" = "JetBrainsMono Nerd Font";
        "$base" = "rgb(${config.colorScheme.palette.base00})";
        "$text" = "rgb(${config.colorScheme.palette.base05})";
        "$textAlpha" = "${config.colorScheme.palette.base05}";
        "$accentAlpha" = "${config.colorScheme.palette.base0D}";
        "$red" = "rgb(${config.colorScheme.palette.base08})";
        "$yellow" = "rgb(${config.colorScheme.palette.base0A})";
        general = {
          hide_cursor = true;
        };
        background = {
          monitor = "";
          path = "${config.home.homeDirectory}/.config/hypr/wallpapers/wallhaven-lmmo8r.jpg";
          blur_passes = 0;
          color = "rgb(${config.colorScheme.palette.base00})";
        };
        label = [
          {
            monitor = "";
            text = "$TIME";
            color = "$text";
            font_size = 90;
            font_family = "$font";
            position = "30, 0";
            halign = "left";
            valign = "top";
          }
          {
            monitor = "";
            text = ''cmd[update:43200000] echo "$(date +"%A, %d %B %Y")"'';
            color = "$text";
            font_size = 25;
            font_family = "$font";
            position = "30, -150";
            halign = "left";
            valign = "top";
          }
        ];
        input-field = [
          {
            monitor = "";
            size = "300, 60";
            outline_thickness = 4;
            dots_size = 0.2;
            dots_spacing = 0.2;
            dots_center = true;
            outer_color = "rgb(${config.colorScheme.palette.base0D})";
            inner_color = "rgb(${config.colorScheme.palette.base00})";
            font_color = "rgb(${config.colorScheme.palette.base05})";
            fade_on_empty = false;
            placeholder_text = ''<span foreground="##${config.colorScheme.palette.base05}">󰌾  Logged in as <span foreground="##${config.colorScheme.palette.base0D}">$USER</span></span>'';
            hide_input = false;
            check_color = "rgb(${config.colorScheme.palette.base0D})";
            fail_color = "rgb(${config.colorScheme.palette.base08})";
            fail_text = ''<i>$FAIL <b>($ATTEMPTS)</b></i>'';
            capslock_color = "rgb(${config.colorScheme.palette.base0A})";
            position = "0, -35";
            halign = "center";
            valign = "center";
          }
        ];
      };
    };
  };
 }
@@ -0,0 +1,207 @@
 # Rofi application launcher with nix-colors theme, pass integration, and project opener.
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  cfg = config.desktop.wm.rofi;
 in {
  options.desktop.wm.rofi.enable = mkEnableOption "enable rofi";
  config = mkIf cfg.enable {
    programs.rofi = {
      enable = true;
      package = pkgs.rofi.override {
        plugins = [
          pkgs.rofi-calc
          pkgs.rofi-emoji
          pkgs.stable.rofi-file-browser
        ];
      };
      pass = {
        enable = true;
        package = pkgs.rofi-pass-wayland;
      };
      terminal = "${pkgs.ghostty}/bin/ghostty";
      font = "Fira Code";
      extraConfig = {
        show-icons = true;
        disable-history = false;
        modi = "drun,calc,emoji,filebrowser";
        kb-primary-paste = "Control+V,Shift+Insert";
        kb-secondary-paste = "Control+v,Insert";
      };
      theme = let
        inherit (config.colorScheme) palette;
      in
        builtins.toString (pkgs.writeText "rofi-universal-theme.rasi" ''
          * {
            /* Universal theme colors from nix-colors */
            background:  #${palette.base00};
            surface:     #${palette.base01};
            overlay:     #${palette.base02};
            muted:       #${palette.base03};
            subtle:      #${palette.base04};
            text:        #${palette.base05};
            bright-text: #${palette.base06};
            highlight:   #${palette.base07};
            accent1:     #${palette.base08};
            accent2:     #${palette.base09};
            accent3:     #${palette.base0A};
            accent4:     #${palette.base0B};
            accent5:     #${palette.base0C};
            accent6:     #${palette.base0D};
            accent7:     #${palette.base0E};
            accent8:     #${palette.base0F};
            /* Global properties */
            background-color: @background;
            text-color: @text;
            font: "Fira Code 12";
            border: 0;
            margin: 0;
            padding: 0;
            spacing: 0;
          }
          window {
            background-color: @background;
            border: 1px;
            border-color: @accent7;
            border-radius: 6px;
            width: 40%;
            padding: 16px;
          }
          inputbar {
            children: [ prompt, entry ];
            spacing: 12px;
            padding: 8px;
            border-radius: 4px;
            background-color: @surface;
          }
          prompt {
            text-color: @accent7;
            background-color: transparent;
          }
          entry {
            placeholder: "Search...";
            placeholder-color: @subtle;
            text-color: @text;
            background-color: transparent;
            cursor-color: @accent7;
          }
          message {
            background-color: @surface;
            border-radius: 4px;
            padding: 8px;
            margin: 8px 0;
          }
          textbox {
            text-color: @text;
            background-color: transparent;
          }
          listview {
            background-color: transparent;
            margin: 8px 0 0;
            lines: 10;
            columns: 1;
            fixed-height: true;
            scrollbar: false;
          }
          element {
            background-color: transparent;
            text-color: @text;
            padding: 8px;
            border-radius: 4px;
            spacing: 8px;
          }
          element normal.normal {
            background-color: transparent;
            text-color: @text;
          }
          element selected.normal {
            background-color: @accent7;
            text-color: @background;
          }
          element alternate.normal {
            background-color: transparent;
            text-color: @text;
          }
          element-icon {
            background-color: transparent;
            size: 24px;
          }
          element-text {
            background-color: transparent;
            text-color: inherit;
            vertical-align: 0.5;
          }
          mode-switcher {
            spacing: 0;
            background-color: @surface;
            border-radius: 4px;
            margin: 8px 0 0;
          }
          button {
            padding: 8px 16px;
            background-color: transparent;
            text-color: @text;
            border-radius: 4px;
          }
          button selected {
            background-color: @accent7;
            text-color: @background;
          }
          scrollbar {
            width: 4px;
            border: 0;
            handle-color: @accent7;
            handle-width: 4px;
            padding: 0;
          }
        '');
    };
    cli.rofi-project-opener = {
      enable = true;
      projectDirs = {
        AI = {
          path = "~/p/AI";
          args = "";
        };
        CHAT = {
          path = "~/p/CHAT";
          args = "--agent chiron";
        };
        MISC = {
          path = "~/p/MISC";
          args = "--agent chiron-forge";
        };
        NIX = {
          path = "~/p/NIX";
          args = "";
        };
      };
      terminal = pkgs.ghostty;
      terminalCommand = "opencode %a";
    };
  };
 }
@@ -0,0 +1,30 @@
 # Wayland extra tooling — screenshot, clipboard, cursor, and display utilities.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.desktop.wm.wayland;
 in {
  options.desktop.wm.wayland.enable = mkEnableOption "wayland extra tools and config";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      grim
      hyprcursor
      hyprlock
      hyprpaper
      qt6.qtwayland
      slurp
      waypipe
      wl-clipboard
      wf-recorder
      wl-mirror
      wlogout
      wtype
      ydotool
    ];
  };
 }
@@ -0,0 +1,95 @@
 # home/lib/default.nix
 # Profile loading utilities for home-manager configurations.
 #
 # Usage:
 #   let homeLib = import ../lib { inherit lib; };
 #   in {
 #     imports = [
 #       (homeLib.mkHomeConfig { profiles = ["coding" "gaming"]; context = "desktop"; })
 #     ];
 #   }
 {lib}: let
  # Infrastructure layer — nixpkgs overlays, nix-colors, m3ta-nixpkgs modules.
  # Always loaded on every host.
  commonModule = ../common;
  # Base user environment — shell (nushell, starship), CLI tools, secrets.
  # Always loaded on every host.
  baseModule = ../base;
  # Context-specific modules — desktop and server are mutually exclusive.
  contextModuleMap = {
    desktop = ../desktop;
    server = ../server;
  };
  # Profile modules — freely combinable additions on top of base + context.
  profileModuleMap = {
    coding = ../coding;
    gaming = ../profiles/gaming;
    media = ../profiles/media;
  };
 in {
  # Generate a home-manager module with imports based on profiles and context.
  #
  # Args:
  #   profiles: list of profile names (e.g. ["coding" "gaming" "media"])
  #   context: host context, one of "desktop" | "server" | null
  #
  # Returns: a home-manager module attrset with imports and assertions.
  #   Desktop and server contexts are mutually exclusive by design — passing
  #   any value other than "desktop", "server", or null causes an assertion
  #   failure at evaluation time.
  mkHomeConfig = {
    profiles ? [],
    context ? null,
  }: let
    contextImport =
      if context == "desktop"
      then [contextModuleMap.desktop]
      else if context == "server"
      then [contextModuleMap.server]
      else [];
    # Partition profiles into known and unknown for assertion + safe import.
    unknownProfiles =
      builtins.filter
      (profileName: ! builtins.hasAttr profileName profileModuleMap)
      profiles;
    # Only import known profiles; the assertion below catches unknowns.
    activeProfiles =
      builtins.filter
      (profileName: builtins.hasAttr profileName profileModuleMap)
      profiles;
    profileImports = map (profileName: profileModuleMap.${profileName}) activeProfiles;
    contextStr =
      if context == null
      then "null"
      else context;
  in {
    imports =
      [commonModule baseModule]
      ++ contextImport
      ++ profileImports;
    assertions = [
      {
        assertion = builtins.elem context ["desktop" "server" null];
        message =
          "m3ta home: context must be 'desktop', 'server', or null"
          + " (got: '${contextStr}')";
      }
      {
        assertion = unknownProfiles == [];
        message =
          "m3ta home: unknown profiles requested:"
          + " [ ${builtins.concatStringsSep " " unknownProfiles} ]."
          + " Valid profiles are:"
          + " [ ${builtins.concatStringsSep " " (builtins.attrNames profileModuleMap)} ]";
      }
    ];
  };
 }
@@ -0,0 +1,121 @@
 # This is a default home.nix generated by the follwing hone-manager command
 #
 # home-manager init ./
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  # Home Manager needs a bit of information about you and the paths it should
  # manage.
  home.username = lib.mkDefault "your-name";
  home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
  # This value determines the Home Manager release that your configuration is
  # compatible with. This helps avoid breakage when a new Home Manager release
  # introduces backwards incompatible changes.
  #
  # You should not change this value, even if you update Home Manager. If you do
  # want to update the value, then make sure to first check the Home Manager
  # release notes.
  home.stateVersion = "26.05"; # Updated to adopt HM 26.05 defaults.
  # The home.packages option allows you to install Nix packages into your
  # environment.
  home.packages = with pkgs; [
    # # Adds the 'hello' command to your environment. It prints a friendly
    # # "Hello, world!" when run.
    # pkgs.hello
    # # It is sometimes useful to fine-tune packages, for example, by applying
    # # overrides. You can do that directly here, just don't forget the
    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
    # # fonts?
    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
    # # You can also create simple shell scripts directly inside your
    # # configuration. For example, this adds a command 'my-hello' to your
    # # environment:
    # (pkgs.writeShellScriptBin "my-hello" ''
    #   echo "Hello, ${config.home.username}!"
    # '')
  ];
  # Home Manager is pretty good at managing dotfiles. The primary way to manage
  # plain files is through 'home.file'.
  home.file = {
    # # Building this configuration will create a copy of 'dotfiles/screenrc' in
    # # the Nix store. Activating the configuration will then make '~/.screenrc' a
    # # symlink to the Nix store copy.
    # ".screenrc".source = dotfiles/screenrc;
    # # You can also set the file content immediately.
    # ".gradle/gradle.properties".text = ''
    #   org.gradle.console=verbose
    #   org.gradle.daemon.idletimeout=3600000
    # '';
  };
  # Home Manager can also manage your environment variables through
  # 'home.sessionVariables'. If you don't want to manage your shell through Home
  # Manager then you have to manually source 'hm-session-vars.sh' located at
  # either
  #
  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
  #
  # or
  #
  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
  #
  # or
  #
  #  /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
  #
  home.sessionVariables = {
    # EDITOR = "emacs";
  };
  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;
  programs.git = {
    enable = true;
    signing.format = null;
    settings = {
      user = {
        name = "m3tm3re";
        email = "p@m3ta.dev";
      };
      core.excludesfile = "~/.gitignore_global";
      init.defaultBranch = "master";
      alias = {
        st = "status";
        logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
      };
    };
  };
  # programs.zellij-ps = {
  #   enable = true;
  #   projectFolders = [
  #     "${config.home.homeDirectory}/p/c"
  #     "${config.home.homeDirectory}/p"
  #     "${config.home.homeDirectory}/.config"
  #   ];
  #   layout = ''
  #     layout {
  #         pane size=1 borderless=true {
  #             plugin location="zellij:tab-bar"
  #         }
  #         pane size="70%" command="nvim"
  #         pane split_direction="vertical" {
  #             pane
  #             pane command="unimatrix"
  #         }
  #         pane size=1 borderless=true {
  #             plugin location="zellij:status-bar"
  #         }
  #     }
  #   '';
  # };
 }
@@ -0,0 +1,262 @@
 # This is a default home.nix generated by the follwing hone-manager command
 #
 # home-manager init ./
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  # Home Manager needs a bit of information about you and the paths it should
  # manage.
  home.username = lib.mkDefault "your-name";
  home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
  # This value determines the Home Manager release that your configuration is
  # compatible with. This helps avoid breakage when a new Home Manager release
  # introduces backwards incompatible changes.
  #
  # You should not change this value, even if you update Home Manager. If you do
  # want to update the value, then make sure to first check the Home Manager
  # release notes.
  home.stateVersion = "26.05"; # Updated to adopt HM 26.05 defaults.
  # The home.packages option allows you to install Nix packages into your
  # environment.
  home.packages = with pkgs; [
    libgtop
    # # Adds the 'hello' command to your environment. It prints a friendly
    # # "Hello, world!" when run.
    # pkgs.hello
    # # It is sometimes useful to fine-tune packages, for example, by applying
    # # overrides. You can do that directly here, just don't forget the
    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
    # # fonts?
    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
    # # You can also create simple shell scripts directly inside your
    # # configuration. For example, this adds a command 'my-hello' to your
    # # environment:
    # (pkgs.writeShellScriptBin "my-hello" ''
    #   echo "Hello, ${config.home.username}!"
    # '')
  ];
  # Home Manager is pretty good at managing dotfiles. The primary way to manage
  # plain files is through 'home.file'.
  home.file = {
    # # Building this configuration will create a copy of 'dotfiles/screenrc' in
    # # the Nix store. Activating the configuration will then make '~/.screenrc' a
    # # symlink to the Nix store copy.
    # ".screenrc".source = dotfiles/screenrc;
    # # You can also set the file content immediately.
    # ".gradle/gradle.properties".text = ''
    #   org.gradle.console=verbose
    #   org.gradle.daemon.idletimeout=3600000
    # '';
  };
  # Home Manager can also manage your environment variables through
  # 'home.sessionVariables'. If you don't want to manage your shell through Home
  # Manager then you have to manually source 'hm-session-vars.sh' located at
  # either
  #
  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
  #
  # or
  #
  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
  #
  # or
  #
  #  /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
  #
  home.sessionVariables = {
    # EDITOR = "emacs";
  };
  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;
  services.cliphist = {
    enable = true;
    allowImages = true;
  };
  programs.git = {
    enable = true;
    signing.format = null;
    settings = {
      user = {
        name = "m3tm3re";
        email = "p@m3ta.dev";
      };
      core.excludesfile = "~/.gitignore_global";
      init.defaultBranch = "master";
      alias = {
        st = "status";
        logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
      };
    };
  };
  programs.difftastic.enable = true;
  programs.jujutsu = {
    enable = true;
    settings = {
      user = {
        email = "m@m3tam3re.com";
        name = "Sascha Koenig";
      };
    };
  };
  programs.ssh = {
    enable = true;
    enableDefaultConfig = false;
    matchBlocks = {
      "AZ-CLD-1" = {
        hostname = "152.53.186.119";
        user = "sascha.koenig";
        port = 2022;
        identityFile = "~/.ssh/sascha.koenig";
      };
      "AZ-PRM-1" = {
        hostname = "192.168.152.76";
        user = "sascha.koenig";
        port = 2022;
        identityFile = "~/.ssh/sascha.koenig";
      };
      "github.com" = {
        hostname = "github.com";
        user = "m3tam3re";
        port = 22;
        identityFile = "~/.ssh/github";
      };
      "nikhil" = {
        hostname = "91.99.176.80";
        user = "nikhilmaddirala";
        identityFile = "~/.ssh/m3tam3re";
      };
      "code.m3ta.dev" = {
        hostname = "code.m3ta.dev";
        user = "m3tam3re";
        identityFile = "~/.ssh/gitea";
      };
      "git.az-gruppe.com" = {
        hostname = "git.az-gruppe.com";
        port = 2022;
        user = "sascha.koenig";
        identityFile = "~/.ssh/sascha.koenig";
      };
      "lkk-nix-1" = {
        hostname = "89.58.10.189";
        user = "lkk-admin";
        identityFile = "~/.ssh/lkk-admin";
      };
      "m3-r1" = {
        hostname = "202.61.226.110";
        user = "m3tam3re";
        identityFile = "~/.ssh/m3tam3re";
      };
      "lkk-prod-test" = {
        hostname = "192.168.122.215";
        user = "root";
        identityFile = "~/.ssh/m3tam3re";
      };
      "lkk-prod-1" = {
        hostname = "192.168.0.24";
        user = "root";
        identityFile = "~/.ssh/m3tam3re";
      };
      "lkk-prod-2" = {
        hostname = "192.168.0.20";
        user = "root";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-deck" = {
        hostname = "192.168.178.193";
        user = "m3tam3re";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-kratos-vm" = {
        hostname = "192.168.122.43";
        user = "m3tam3re";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-helios" = {
        hostname = "192.168.178.210";
        user = "m3tam3re";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-ares" = {
        hostname = "192.168.1.30";
        user = "m3tam3re";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-atlas" = {
        hostname = "152.53.85.162";
        user = "m3tam3re";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-hermes" = {
        hostname = "204.168.229.93";
        user = "m3tam3re";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-zelda" = {
        hostname = "95.217.189.186";
        user = "m3tam3re";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-skynet" = {
        hostname = "m3-skynet";
        user = "admin";
        identityFile = "~/.ssh/m3tam3re";
      };
      "m3-prox-1" = {
        hostname = "192.168.1.110";
        user = "root";
        identityFile = "~/.ssh/m3tam3re";
      };
      "shp-old" = {
        hostname = "95.217.3.250";
        port = 2222;
        user = "m3tam3re";
        identityFile = "~/.ssh/self-host-playbook";
      };
      "shp-1" = {
        hostname = "95.217.189.186";
        port = 2222;
        user = "m3tam3re";
        identityFile = "~/.ssh/self-host-playbook";
      };
    };
  };
  # programs.zellij-ps = {
  #   enable = true;
  #   projectFolders = [
  #     "${config.home.homeDirectory}/p/c"
  #     "${config.home.homeDirectory}/p"
  #     "${config.home.homeDirectory}/.config"
  #   ];
  #   layout = ''
  #     layout {
  #         pane size=1 borderless=true {
  #             plugin location="zellij:tab-bar"
  #         }
  #         pane size="70%" command="nvim"
  #         pane split_direction="vertical" {
  #             pane
  #             pane command="unimatrix"
  #         }
  #         pane size=1 borderless=true {
  #             plugin location="zellij:status-bar"
  #         }
  #     }
  #   '';
  # };
 }
@@ -0,0 +1,25 @@
 # m3-aether — cloud VM.
 # Context: server | Profiles: (none)
 {lib, ...}: let
  homeLib = import ../lib {inherit lib;};
 in {
  imports = [
    (homeLib.mkHomeConfig {
      profiles = [];
      context = "server";
    })
    ./home-server.nix
  ];
  # Base CLI tools (new namespace)
  base = {
    shell = {
      fish.enable = true;
      starship.enable = true;
    };
    cliTools = {
      fzf.enable = true;
      nitch.enable = true;
    };
  };
 }
@@ -0,0 +1,142 @@
 # m3-ares — TUXEDO laptop desktop workstation.
 # Context: desktop | Profiles: coding, gaming, media
 {
  config,
  lib,
  ...
 }: let
  homeLib = import ../lib {inherit lib;};
 in
  with lib; {
    imports = [
      (homeLib.mkHomeConfig {
        profiles = ["coding" "gaming" "media"];
        context = "desktop";
      })
      ./home.nix
    ];
    config = mkMerge [
      {
        # Base CLI tools (new namespace)
        base = {
          shell = {
            fish.enable = true;
            nushell.enable = true;
            starship.enable = true;
          };
          cliTools = {
            fzf.enable = true;
            nitch.enable = true;
            television.enable = true;
          };
          secrets.enable = true;
        };
        # Desktop features (new namespace)
        desktop = {
          wm = {
            hyprland.enable = true;
            rofi.enable = true;
            wayland.enable = true;
          };
          apps = {
            crypto.enable = true;
            obsidian.enable = true;
            office.enable = true;
          };
          theme = {
            fonts.enable = true;
            wallpapers.enable = true;
          };
        };
        # Coding environment
        coding = {
          editors = {
            neovim.enable = true;
            zed.enable = true;
          };
          lsp.enable = true;
          packages.enable = true;
          languages = {
            python.enable = true;
            javascript.enable = true;
            rustToolchain.enable = true;
            go.enable = true;
            typescript.enable = true;
          };
        };
        # Gaming profile features
        profiles.gaming = {
          steam.enable = true;
          gamescope.enable = true;
        };
        # Media profile features
        profiles.media = {
          obs.enable = true;
          ffmpeg.enable = true;
          kdenlive.enable = true;
          ytDlp.enable = true;
        };
        xdg = {
          enable = true;
          configFile."mimeapps.list".force = true;
          mimeApps = {
            enable = true;
            associations.added = {
              "application/zip" = ["org.gnome.FileRoller.desktop"];
              "application/csv" = ["calc.desktop"];
              "application/pdf" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/http" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/https" = ["vivaldi-stable.desktop"];
            };
            defaultApplications = {
              "application/zip" = ["org.gnome.FileRoller.desktop"];
              "application/csv" = ["calc.desktop"];
              "application/pdf" = ["vivaldi-stable.desktop"];
              "application/md" = ["dev.zed.Zed.desktop"];
              "application/text" = ["dev.zed.Zed.desktop"];
              "x-scheme-handler/http" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/https" = ["vivaldi-stable.desktop"];
            };
          };
        };
      }
      # Host-specific Hyprland monitor and workspace layout
      (mkIf config.desktop.wm.hyprland.enable {
        wayland.windowManager.hyprland = {
          enable = true;
          settings = {
            exec-once = ["tuxedo-backlight"];
            monitor = [
              "eDP-1,preferred,0x0,1.25"
              "HDMI-A-1,1920x1080@120,2560x0,1"
            ];
            workspace = [
              "1, monitor:eDP-1, default:true"
              "2, monitor:eDP-1"
              "3, monitor:eDP-1"
              "4, monitor:HDMI-A-1,"
              "5, monitor:HDMI-A-1,border:false,rounding:false"
              "6, monitor:HDMI-A-1"
            ];
            windowrule = [
              "match:class dev.zed.Zed, workspace 1"
              "match:class Msty, workspace 1"
              "match:class ^(com.obsproject.Studio)$, workspace 2"
              "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
              "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
              "match:class ^steam_app_\\d+$, fullscreen on"
              "match:class ^steam_app_\\d+$, workspace 5"
              "match:class ^steam_app_\\d+$, idle_inhibit focus"
            ];
          };
        };
      })
    ];
  }
@@ -0,0 +1,29 @@
 # m3-atlas — primary server, Traefik hub and container host.
 # Context: server | Profiles: coding
 {lib, ...}: let
  homeLib = import ../lib {inherit lib;};
 in {
  imports = [
    (homeLib.mkHomeConfig {
      profiles = ["coding"];
      context = "server";
    })
    ./home-server.nix
  ];
  # Base CLI tools (new namespace)
  base = {
    shell = {
      nushell.enable = true;
      starship.enable = true;
    };
    cliTools = {
      fzf.enable = true;
      nitch.enable = true;
      zellij.enable = true;
    };
  };
  # Coding environment
  coding.editors.neovim.enable = true;
 }
@@ -0,0 +1,127 @@
 # m3-daedalus — portable laptop (standalone home-manager).
 # Context: desktop | Profiles: coding, media
 {
  config,
  lib,
  ...
 }: let
  homeLib = import ../lib {inherit lib;};
 in
  with lib; {
    imports = [
      (homeLib.mkHomeConfig {
        profiles = ["coding" "media"];
        context = "desktop";
      })
      ./home.nix
    ];
    config = mkMerge [
      {
        # Base CLI tools (new namespace)
        base = {
          shell = {
            fish.enable = true;
            nushell.enable = true;
            starship.enable = true;
          };
          cliTools = {
            fzf.enable = true;
            nitch.enable = true;
            television.enable = true;
          };
          secrets.enable = true;
        };
        # Desktop features (new namespace)
        desktop = {
          wm = {
            hyprland.enable = false;
            rofi.enable = true;
            wayland.enable = false;
          };
          apps = {
            obsidian.enable = true;
            office.enable = false;
            crypto.enable = false;
          };
          theme = {
            fonts.enable = true;
            wallpapers.enable = false;
          };
        };
        # Coding environment
        coding = {
          editors = {
            neovim.enable = true;
            zed.enable = true;
          };
          lsp.enable = true;
        };
        # Media profile features
        profiles.media = {
          obs.enable = false;
          ffmpeg.enable = false;
          kdenlive.enable = false;
          ytDlp.enable = true;
        };
        xdg = {
          enable = true;
          configFile."mimeapps.list".force = true;
          mimeApps = {
            enable = true;
            associations.added = {
              "application/zip" = ["org.gnome.FileRoller.desktop"];
              "application/csv" = ["calc.desktop"];
              "application/pdf" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/http" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/https" = ["vivaldi-stable.desktop"];
            };
            defaultApplications = {
              "application/zip" = ["org.gnome.FileRoller.desktop"];
              "application/csv" = ["calc.desktop"];
              "application/pdf" = ["vivaldi-stable.desktop"];
              "application/md" = ["dev.zed.Zed.desktop"];
              "application/text" = ["dev.zed.Zed.desktop"];
              "x-scheme-handler/http" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/https" = ["vivaldi-stable.desktop"];
            };
          };
        };
      }
      # Host-specific Hyprland layout — only applies when hyprland is enabled
      (mkIf config.desktop.wm.hyprland.enable {
        wayland.windowManager.hyprland = {
          enable = true;
          settings = {
            monitor = [
              "eDP-1,preferred,0x0,1.25"
              "HDMI-A-1,preferred,2560x0,1"
            ];
            workspace = [
              "1, monitor:eDP-1, default:true"
              "2, monitor:eDP-1"
              "3, monitor:eDP-1"
              "4, monitor:HDMI-A-1"
              "5, monitor:HDMI-A-1,border:false,rounding:false"
              "6, monitor:HDMI-A-1"
            ];
            windowrule = [
              "match:class dev.zed.Zed, workspace 1"
              "match:class Msty, workspace 1"
              "match:class ^(com.obsproject.Studio)$, workspace 2"
              "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
              "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
              "match:class ^steam_app_\\d+$, fullscreen on"
              "match:class ^steam_app_\\d+$, workspace 5"
              "match:class ^steam_app_\\d+$, idle_inhibit focus"
            ];
          };
        };
      })
    ];
  }
@@ -0,0 +1,25 @@
 # m3-helios — AdGuard DNS and internal routing server.
 # Context: server | Profiles: (none)
 {lib, ...}: let
  homeLib = import ../lib {inherit lib;};
 in {
  imports = [
    (homeLib.mkHomeConfig {
      profiles = [];
      context = "server";
    })
    ./home-server.nix
  ];
  # Base CLI tools (new namespace)
  base = {
    shell = {
      fish.enable = true;
      starship.enable = true;
    };
    cliTools = {
      fzf.enable = true;
      nitch.enable = true;
    };
  };
 }
@@ -0,0 +1,25 @@
 # m3-hermes — secondary server.
 # Context: server | Profiles: (none)
 {lib, ...}: let
  homeLib = import ../lib {inherit lib;};
 in {
  imports = [
    (homeLib.mkHomeConfig {
      profiles = [];
      context = "server";
    })
    ./home-server.nix
  ];
  # Base CLI tools (new namespace)
  base = {
    shell = {
      fish.enable = true;
      starship.enable = true;
    };
    cliTools = {
      fzf.enable = true;
      nitch.enable = true;
    };
  };
 }
@@ -0,0 +1,138 @@
 # m3-kratos — AMD desktop workstation.
 # Context: desktop | Profiles: coding, gaming, media
 {
  config,
  lib,
  ...
 }: let
  homeLib = import ../lib {inherit lib;};
 in
  with lib; {
    imports = [
      (homeLib.mkHomeConfig {
        profiles = ["coding" "gaming" "media"];
        context = "desktop";
      })
      ./home.nix
    ];
    config = mkMerge [
      {
        # Base CLI tools (new namespace)
        base = {
          shell = {
            nushell.enable = true;
            starship.enable = true;
          };
          cliTools = {
            fzf.enable = true;
            nitch.enable = true;
            television.enable = true;
          };
          secrets.enable = true;
        };
        # Desktop features (new namespace)
        desktop = {
          wm = {
            hyprland.enable = true;
            rofi.enable = true;
            wayland.enable = true;
          };
          apps = {
            crypto.enable = true;
            obsidian.enable = true;
            office.enable = true;
          };
          theme = {
            fonts.enable = true;
            wallpapers.enable = true;
          };
        };
        # Coding environment
        coding = {
          editors = {
            neovim.enable = true;
            zed.enable = true;
          };
          lsp.enable = true;
          languages = {
            python.enable = true;
            javascript.enable = true;
            rustToolchain.enable = true;
            go.enable = true;
            typescript.enable = true;
          };
        };
        # Gaming profile features
        profiles.gaming = {
          steam.enable = true;
          gamescope.enable = true;
        };
        # Media profile features
        profiles.media = {
          obs.enable = true;
          ffmpeg.enable = true;
          kdenlive.enable = true;
          ytDlp.enable = true;
        };
        xdg = {
          enable = true;
          configFile."mimeapps.list".force = true;
          mimeApps = {
            enable = true;
            associations.added = {
              "application/zip" = ["org.gnome.FileRoller.desktop"];
              "application/csv" = ["calc.desktop"];
              "application/pdf" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/http" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/https" = ["vivaldi-stable.desktop"];
            };
            defaultApplications = {
              "application/zip" = ["org.gnome.FileRoller.desktop"];
              "application/csv" = ["calc.desktop"];
              "application/pdf" = ["vivaldi-stable.desktop"];
              "application/md" = ["dev.zed.Zed.desktop"];
              "application/text" = ["dev.zed.Zed.desktop"];
              "x-scheme-handler/http" = ["vivaldi-stable.desktop"];
              "x-scheme-handler/https" = ["vivaldi-stable.desktop"];
            };
          };
        };
      }
      # Host-specific Hyprland monitor and workspace layout (dual 1440p monitors)
      (mkIf config.desktop.wm.hyprland.enable {
        wayland.windowManager.hyprland = {
          enable = true;
          settings = {
            monitor = [
              "DP-1,2560x1440@144,0x0,1"
              "DP-2,2560x1440@144,2560x0,1"
            ];
            workspace = [
              "1, monitor:DP-1, default:true"
              "2, monitor:DP-1"
              "3, monitor:DP-1"
              "4, monitor:DP-2"
              "5, monitor:DP-2"
              "6, monitor:DP-2"
              "7, monitor:DP-2"
            ];
            windowrule = [
              "match:class dev.zed.Zed, workspace 1"
              "match:class Msty, workspace 1"
              "match:class ^(com.obsproject.Studio)$, workspace 2"
              "match:class ^(brave-browser)$, workspace 4, opacity 1.0"
              "match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
              "match:class ^steam_app_\\d+$, idle_inhibit focus"
            ];
          };
        };
      })
    ];
  }
@@ -0,0 +1,8 @@
 # Gaming profile aggregator — Steam platform, Gamescope session, and AMD GPU tools.
 {...}: {
  imports = [
    ./steam.nix
    ./gamescope.nix
    ./gpu.nix
  ];
 }
@@ -0,0 +1,16 @@
 # Gamescope — Valve's micro-compositor for Steam gaming sessions.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.profiles.gaming.gamescope;
 in {
  options.profiles.gaming.gamescope.enable = mkEnableOption "enable Gamescope session";
  config = mkIf cfg.enable {
    home.packages = [pkgs.gamescope];
  };
 }
@@ -0,0 +1,21 @@
 # AMD GPU tools — ROCm runtime, monitoring, and Vulkan utilities for gaming.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.profiles.gaming.gpu;
 in {
  options.profiles.gaming.gpu.enable = mkEnableOption "enable AMD GPU tools";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      rocmPackages.rocm-runtime
      rocmPackages.rocm-smi
      rocmPackages.rocminfo
      vulkan-tools
    ];
  };
 }
@@ -0,0 +1,21 @@
 # Steam gaming platform with Steam Deck compatibility tools and gaming utilities.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.profiles.gaming.steam;
 in {
  options.profiles.gaming.steam.enable = mkEnableOption "enable Steam gaming";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      gamemode
      goverlay
      mangohud
      protonplus
    ];
  };
 }
@@ -0,0 +1,10 @@
 # Media profile aggregator — OBS, FFmpeg, yt-dlp, Kdenlive, and HandBrake.
 {...}: {
  imports = [
    ./obs.nix
    ./ffmpeg.nix
    ./yt-dlp.nix
    ./kdenlive.nix
    ./handbrake.nix
  ];
 }
@@ -0,0 +1,24 @@
 # FFmpeg — full-featured multimedia processing toolchain.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.profiles.media.ffmpeg;
 in {
  options.profiles.media.ffmpeg.enable = mkEnableOption "enable FFmpeg tools";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      amf
      ffmpeg_6-full
      gst_all_1.gstreamer
      gst_all_1.gst-vaapi
      pamixer
      pavucontrol
      qpwgraph
    ];
  };
 }
@@ -0,0 +1,21 @@
 # HandBrake — open-source video transcoder.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.profiles.media.handbrake;
 in {
  options.profiles.media.handbrake.enable = mkEnableOption "enable HandBrake transcoder";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      handbrake
      gimp
      inkscape
      libation
    ];
  };
 }
@@ -0,0 +1,16 @@
 # Kdenlive — KDE non-linear video editor.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.profiles.media.kdenlive;
 in {
  options.profiles.media.kdenlive.enable = mkEnableOption "enable Kdenlive video editor";
  config = mkIf cfg.enable {
    home.packages = [pkgs.kdePackages.kdenlive];
  };
 }
@@ -0,0 +1,21 @@
 # OBS Studio — open broadcaster software for streaming and recording.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.profiles.media.obs;
 in {
  options.profiles.media.obs.enable = mkEnableOption "enable OBS Studio";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      v4l-utils
    ];
    # OBS is managed via NixOS programs.obs-studio at the system level.
    # Home-manager only installs supporting tools.
  };
 }
@@ -0,0 +1,32 @@
 # yt-dlp and media playback — YouTube downloader with MPV integration.
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.profiles.media.ytDlp;
 in {
  options.profiles.media.ytDlp.enable = mkEnableOption "enable yt-dlp and media playback";
  config = mkIf cfg.enable {
    home.packages = with pkgs; [
      plexamp
      unimatrix
      webcord
    ];
    programs.mpv = {
      enable = true;
      bindings = {
        WHEEL_UP = "seek 10";
        WHEEL_DOWN = "seek -10";
      };
      config = {
        profile = "gpu-hq";
        ytdl-format = "bestvideo+bestaudio";
      };
    };
  };
 }
@@ -0,0 +1,6 @@
 # Server context home-manager configuration — minimal headless setup.
 # Loaded on server hosts: m3-atlas, m3-helios, m3-aether.
 {...}: {
  # Server hosts use the base and coding modules directly.
  # No desktop environment or GUI applications.
 }
@@ -0,0 +1,76 @@
 # COMMON HOST CONFIGURATION
 **Shared base configuration and abstractions for all hosts**
 ## OVERVIEW
 Common imports, overlays, and custom patterns (extraServices, ports) used across 6 hosts.
 ## STRUCTURE
 ```
 common/
 ├── default.nix          # Base imports, overlays, nix settings
 ├── ports.nix            # Centralized port registry
 ├── extraServices/       # Optional service modules
 │   ├── default.nix
 │   ├── flatpak.nix
 │   ├── ollama.nix
 │   ├── podman.nix
 │   └── virtualisation.nix
 └── users/
    ├── default.nix
    └── m3tam3re.nix     # Primary user definition
 ```
 ## WHERE TO LOOK
 | Task | Location | Notes |
 |------|----------|-------|
 | Add port definition | ports.nix | Use config.m3ta.ports.get |
 | Enable optional service | Host config extraServices | Boolean flags |
 | Modify overlays | default.nix lines 27-36 | 5 overlay sources |
 | Add new user | users/ | Shared across all hosts |
 ## CONVENTIONS
 ### Port Registry Pattern
 ```nix
 # Define in ports.nix
 definitions = {
  myservice = 3099;
 };
 # Access in host config
 config.m3ta.ports.get "myservice"  # Returns 3099
 ```
 ### extraServices Abstraction
 Host configs enable via boolean:
 ```nix
 extraServices = {
  podman.enable = true;      # Container runtime
  ollama.enable = true;      # LLM inference
  flatpak.enable = false;    # Flatpak apps
  virtualisation.enable = true;  # QEMU/KVM
 };
 ```
 ### Overlay Precedence (bottom overrides top)
 1. stable-packages (nixpkgs-stable)
 2. locked-packages (nixpkgs-locked)
 3. pinned-packages (nixpkgs-45570c2, nixpkgs-9e58ed7)
 4. master-packages (nixpkgs-master)
 5. m3ta-nixpkgs (local custom overlay)
 ## ANTI-PATTERNS
 - **DON'T** add host-specific logic to common/ - belongs in hosts/<name>/
 - **DON'T** bypass port registry - hardcoded ports break consistency
 - **DON'T** modify user shell globally - set per-user if needed
 ## NOTES
 - Nix GC runs weekly, keeps 30 days
 - Trusted users: root, m3tam3re
 - Default shell: Nushell (set line 77)
 - Home-manager integrated at common level, not per-host
 - TODO on line 69: ports should only return actually used ports
@@ -0,0 +1,81 @@
 # Common configuration for all hosts
 {
  config,
  pkgs,
  lib,
  inputs,
  outputs,
  system,
  ...
 }: {
  imports = [
    ./extraServices
    ./ports.nix
    ./users
    inputs.home-manager.nixosModules.home-manager
  ];
  environment.pathsToLink = ["/share/xdg-desktop-portal" "/share/applications"];
  home-manager = {
    useUserPackages = true;
    extraSpecialArgs = {
      inherit inputs outputs system;
      videoDrivers = config.services.xserver.videoDrivers or [];
    };
  };
  nixpkgs = {
    # You can add overlays here
    overlays = [
      # Add overlays your own flake exports (from overlays and pkgs dir):
      #outputs.overlays.additions
      #outputs.overlays.modifications
      outputs.overlays.stable-packages
      outputs.overlays.locked-packages
      outputs.overlays.pinned-packages
      outputs.overlays.master-packages
      inputs.m3ta-nixpkgs.overlays.default
      inputs.m3ta-nixpkgs.overlays.modifications
      (outputs.lib.mkLlmAgentsOverlay system)
      # You can also add overlays exported from other flakes:
      # neovim-nightly-overlay.overlays.default
      # Or define it inline, for example:
      # (final: prev: {
      #   hi = final.hello.overrideAttrs (oldAttrs: {
      #     patches = [ ./change-hello-to-hi.patch ];
      #   });
      # })
    ];
    # Configure your nixpkgs instance
    config = {
      # Disable if you don't want unfree packages
      allowUnfree = true;
    };
  };
  nix = {
    settings = {
      experimental-features = "nix-command flakes";
      cores = 2;
      max-jobs = 8;
      trusted-users = [
        "root"
        "m3tam3re"
      ]; # Set users that are allowed to use the flake command
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    optimise.automatic = true;
    registry =
      (lib.mapAttrs (_: flake: {inherit flake;}))
      ((lib.filterAttrs (_: lib.isType "flake")) inputs);
    nixPath = ["/etc/nix/path"];
  };
  users.defaultUserShell = pkgs.nushell;
 }
@@ -0,0 +1,8 @@
 {
  imports = [
    ./flatpak.nix
    ./podman.nix
    ./ollama.nix
    ./virtualisation.nix
  ];
 }
@@ -0,0 +1,23 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.extraServices.flatpak;
 in {
  options.extraServices.flatpak.enable = mkEnableOption "enable flatpak";
  config = mkIf cfg.enable {
    services.flatpak.enable = true;
    xdg.portal = {
      # xdg desktop intergration (required for flatpak)
      enable = true;
      extraPortals = with pkgs; [
        xdg-desktop-portal-hyprland
      ];
      config.common.default = "*";
    };
  };
 }
@@ -0,0 +1,33 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.extraServices.ollama;
 in {
  options.extraServices.ollama.enable = mkEnableOption "enable ollama";
  config = mkIf cfg.enable {
    services.ollama = {
      enable = true;
      package =
        if config.services.xserver.videoDrivers == ["amdgpu"]
        then pkgs.ollama-rocm
        else if config.services.xserver.videoDrivers == ["nvidia"]
        then pkgs.ollama-cuda
        else pkgs.ollama-cpu;
      host = "[::]";
      openFirewall = true;
      environmentVariables = {
        OLLAMA_ORIGINS = "https://msty.studio";
        OLLAMA_HOST = "0.0.0.0";
      };
    };
    nixpkgs.config = {
      rocmSupport = config.services.xserver.videoDrivers == ["amdgpu"];
      cudaSupport = config.services.xserver.videoDrivers == ["nvidia"];
    };
  };
 }
@@ -0,0 +1,33 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.extraServices.podman;
 in {
  options.extraServices.podman.enable = mkEnableOption "enable podman";
  config = mkIf cfg.enable {
    virtualisation = {
      podman = {
        enable = true;
        dockerCompat = true;
        dockerSocket.enable = true;
        autoPrune = {
          enable = true;
          dates = "weekly";
          flags = [
            "--filter=until=24h"
            "--filter=label!=important"
          ];
        };
        defaultNetwork.settings.dns_enabled = true;
      };
    };
    environment.systemPackages = with pkgs; [
      podman-compose
    ];
  };
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`

							`# Use bd merge for beads JSONL files`
							`.beads/issues.jsonl merge=beads`
		`@@ -0,0 +1 @@`
							`{"$schema":"https://opencode.ai/config.json","instructions":[".opencode-rules/concerns/coding-style.md",".opencode-rules/concerns/naming.md",".opencode-rules/concerns/documentation.md",".opencode-rules/concerns/testing.md",".opencode-rules/concerns/git-workflow.md",".opencode-rules/concerns/project-structure.md",".opencode-rules/languages/nix.md"]}`