m3tam3re/nixos-config
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: m3tam3re/nixos-config:e6f184f24a076d2bba2d98a96d4c10049c6dece5
Branches Tags
m3tam3re/nixos-config:master m3tam3re/nixos-config:__dolt_remote_info__ m3tam3re/nixos-config:feature/agent-lib-m3-kratos m3tam3re/nixos-config:feat/hyprland-lua
...
compare: m3tam3re/nixos-config:feat/hyprland-lua
Branches Tags
m3tam3re/nixos-config:master m3tam3re/nixos-config:__dolt_remote_info__ m3tam3re/nixos-config:feature/agent-lib-m3-kratos m3tam3re/nixos-config:feat/hyprland-lua

7 Commits
e6f184f24a ... feat/hyprland-lua

Author SHA1 Message Date
m3ta-chiron 826569ed98 feat: migrate host Hyprland configs to Lua (Hyprland 0.55+) 
- m3-kratos/home.nix: use hl.monitor({}), hl.workspace_rule({}),
  hl.window_rule({}) table-based Lua API
- m3-ares/home.nix: same Lua API + tuxedo-backlight via hl.on()
- Update flake.lock: home-manager -> 74f170c6 (2026-05-18)
 2026-05-18 17:27:15 +02:00
m3tam3re af08084692 chore: fix git identity for m3-hermes 2026-05-11 19:27:11 +02:00
m3tam3re 4f9944101f chore: optimize hermes 2026-05-11 19:01:17 +02:00
m3tam3re 20d2548791 Merge pull request 'fix(m3-atlas): remove netbird-only middleware from dashboard router' (#16) from fix/remove-netbird-middleware into master 
Reviewed-on: #16
 2026-05-11 17:16:42 +02:00
m3ta-chiron a957fd1372 fix(m3-atlas): remove netbird-only middleware from dashboard router 
Access control is handled at DNS level — dash.m3ta.dev resolves to
Netbird IP (100.81.142.56) which is unreachable from the public internet.
No need for IP whitelist middleware.
 2026-05-11 17:15:16 +02:00
m3tam3re 354791f252 Merge pull request 'feat: Hermes Dashboard via m3-atlas Traefik (TLS + Netbird-only)' (#15) from feat/hermes-dashboard-traefik into master 
Reviewed-on: #15
 2026-05-11 16:09:53 +02:00
m3ta-chiron fc39e05beb feat: Hermes Dashboard via m3-atlas Traefik with TLS + Netbird-only access 
m3-hermes:
- Add --insecure flag (required for 0.0.0.0 bind, safe behind Netbird firewall)
- Update comments to document the Traefik proxy flow

m3-atlas Traefik:
- New service: hermes-dashboard → http://100.81.231.152:9119 (Netbird)
- New router: dash.m3ta.dev with GoDaddy TLS cert
- New middleware: netbird-only (IP whitelist 100.64.0.0/16)

Flow: Browser → dash.m3ta.dev (TLS) → Traefik → Netbird → m3-hermes:9119
 2026-05-11 15:53:04 +02:00
12 changed files with 114 additions and 460 deletions
Expand all files Collapse all files
flake.lock
Generated
+31 -31
View File
@@ -47,11 +47,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1777399938, "lastModified": 1778518220,
"narHash": "sha256-xXPqUQezDdDtF8MbpZnwD1HkybOYwF92evx8rJ6OXCU=", "narHash": "sha256-6AQs9VZ0/DuD4njPbYHRE4v+SgJc6SBrGwemTWxikVc=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "9a91f1ee0cf011a7eaf1f16a9e17610b0457e055", "rev": "b6e1aaa6261c5056d024d8d4785659eaa4e675e6",
"revCount": 85, "revCount": 87,
"type": "git", "type": "git",
"url": "ssh://gitea@code.m3ta.dev/m3tam3re/AGENTS" "url": "ssh://gitea@code.m3ta.dev/m3tam3re/AGENTS"
}, },
@@ -448,11 +448,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1778248595, "lastModified": 1779113444,
"narHash": "sha256-dhFgEjoeJMYN/7OY6xfxS799YB4IjbbYXTjyGIJyLpc=", "narHash": "sha256-/L61sT1PIKmGWIQpIh0uJGH/ANvcsf6y4alxtb9kelg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "fdb2ccba9d5e1238d32e0c4a3ec1a277efa80c1d", "rev": "74f170c62d57f90e656841f1f699e6bdf40f0a24",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -512,11 +512,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1778444552, "lastModified": 1778503501,
"narHash": "sha256-f18pIiR9q/p1vHY93gmAum7aHhQOG49oGvAB9+lptRo=", "narHash": "sha256-08L/X4/do7nET4rzidJ76eV/1r+mB7DchVpdPypsghc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "dcebe66f958673729896eec2de4abfd86ef22d21", "rev": "85ba629c79449badf4338117c27f0ee92b4b9f1a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -602,11 +602,11 @@
"nur": "nur" "nur": "nur"
}, },
"locked": { "locked": {
"lastModified": 1778340253, "lastModified": 1778520138,
"narHash": "sha256-Fa/41Ab4AI6zxKEjJ8IjNWIapFMXm/L78IMUTJFqaj4=", "narHash": "sha256-X58c8BUIshyUnp6XEKumFUYXqMFnrDTj+aGuGIbKwxg=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "b7b9addbe0f2064db82906f3cc1cf6b4f7a82f31", "rev": "a87d9510bd84f51bf93970730b8688ab7221bbdd",
"revCount": 24, "revCount": 30,
"type": "git", "type": "git",
"url": "ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home" "url": "ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home"
}, },
@@ -627,11 +627,11 @@
"openspec": "openspec" "openspec": "openspec"
}, },
"locked": { "locked": {
"lastModified": 1778464839, "lastModified": 1778508052,
"narHash": "sha256-AoJGWHEiUyO+EvyxxkdW5YK0jV6Q7nOHDoDrwT58cZw=", "narHash": "sha256-kxzZvJv757TGfHReR21aX6N/jkGMWzGSy9GQEclYD4Y=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "14fd00426cebeca2bd918e1600c038e886d667fb", "rev": "8113723a48c4afa016881ccd5bc4be3fad2c7d5f",
"revCount": 293, "revCount": 294,
"type": "git", "type": "git",
"url": "ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs" "url": "ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs"
}, },
@@ -649,11 +649,11 @@
"openspec": "openspec_2" "openspec": "openspec_2"
}, },
"locked": { "locked": {
"lastModified": 1778309566, "lastModified": 1778518789,
"narHash": "sha256-VMc0IOYWzNj6+KdWqggpZ9Mt9MkxYPcKP7smOIkbapo=", "narHash": "sha256-9WZvO2BBofC2Wp4dvP4/aQ6Jhmcxh9lEGTYj09hLXrI=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "db1a29df1584c0046a110ef693229be73b986cfc", "rev": "d64c581516c02702ec28e5d2304330d7b035235d",
"revCount": 289, "revCount": 295,
"type": "git", "type": "git",
"url": "ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs" "url": "ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs"
}, },
@@ -830,11 +830,11 @@
}, },
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1778462231, "lastModified": 1778507606,
"narHash": "sha256-ETxNoYDzDJRsQ9i8H20SLHfpyEhS5RsO6Es9rQiGr0Y=", "narHash": "sha256-6Yc2dIhijc8G+dbMNocyclxF19dUrjaT+EeXGrXmXlg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "38ebdae768604c382e08a0dd08912ef79425fb7e", "rev": "39a7b8d815fcc8b689d56fc4a3fa8de4ef93d169",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -846,11 +846,11 @@
}, },
"nixpkgs-master_2": { "nixpkgs-master_2": {
"locked": { "locked": {
"lastModified": 1778291595, "lastModified": 1778507606,
"narHash": "sha256-XZRSWn32HgzPiVBUgFu4QgefWq6LjXNljQbmdf52Q5U=", "narHash": "sha256-6Yc2dIhijc8G+dbMNocyclxF19dUrjaT+EeXGrXmXlg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "67d18561bfe53cee9d84a19cb5c0be3c8ef5c186", "rev": "39a7b8d815fcc8b689d56fc4a3fa8de4ef93d169",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1079,11 +1079,11 @@
"nixpkgs": "nixpkgs_7" "nixpkgs": "nixpkgs_7"
}, },
"locked": { "locked": {
"lastModified": 1778482942, "lastModified": 1778506944,
"narHash": "sha256-sZuVkKuDiwj0TG9UG+1hmMnW/cLKbmY++xw4P6TRVLw=", "narHash": "sha256-lU0Bleh0reE+WU7j8Uiqsu6ekPav50L8sXsgOvEQS+0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "a89886f8103fe501ba97ad74dce6d087db69c9f9", "rev": "0166493cfe4e0e9927435c1cfbf5505cfb0d10d1",
"type": "github" "type": "github"
}, },
"original": { "original": {
hosts/m3-ares/home.nix
+24 -20
View File
@@ -36,35 +36,39 @@ with lib; {
}; };
} }
# ── Hyprland monitor layout ── # ── Hyprland monitor layout & host-specific rules ──
(mkIf config.desktop.wm.hyprland.enable { (mkIf config.desktop.wm.hyprland.enable {
wayland.windowManager.hyprland = { wayland.windowManager.hyprland = {
enable = true; enable = true;
settings = { settings = {
exec-once = ["tuxedo-backlight"]; # Laptop internal + external HDMI
monitor = [ monitor = [
"eDP-1,preferred,0x0,1.25" { output = "eDP-1"; mode = "preferred"; position = "0x0"; scale = 1.25; }
"HDMI-A-1,1920x1080@120,2560x0,1" { output = "HDMI-A-1"; mode = "1920x1080@120"; position = "2560x0"; scale = 1; }
]; ];
workspace = [ workspace_rule = [
"1, monitor:eDP-1, default:true" { workspace = 1; monitor = "eDP-1"; default = true; }
"2, monitor:eDP-1" { workspace = 2; monitor = "eDP-1"; }
"3, monitor:eDP-1" { workspace = 3; monitor = "eDP-1"; }
"4, monitor:HDMI-A-1" { workspace = 4; monitor = "HDMI-A-1"; }
"5, monitor:HDMI-A-1,border:false,rounding:false" { workspace = 5; monitor = "HDMI-A-1"; border = false; rounding = false; }
"6, monitor:HDMI-A-1" { workspace = 6; monitor = "HDMI-A-1"; }
]; ];
windowrule = [ window_rule = [
"match:class dev.zed.Zed, workspace 1" { match = { class = "dev.zed.Zed" }; workspace = "1"; }
"match:class Msty, workspace 1" { match = { class = "Msty" }; workspace = "1"; }
"match:class ^(com.obsproject.Studio)$, workspace 2" { match = { class = "^com.obsproject.Studio$" }; workspace = "2"; }
"match:class ^(brave-browser)$, workspace 4, opacity 1.0" { match = { class = "^(brave-browser)$" }; workspace = "4"; opacity = 1.0; }
"match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0" { match = { class = "^(vivaldi-stable)$" }; workspace = "4"; opacity = 1.0; }
"match:class ^steam_app_\\d+$, fullscreen on" { match = { class = "^steam_app_\\d+$" }; fullscreen = true; workspace = "5"; idle_inhibit = "focus"; }
"match:class ^steam_app_\\d+$, workspace 5"
"match:class ^steam_app_\\d+$, idle_inhibit focus"
]; ];
}; };
extraConfig = mkAfter ''
-- Host startup: TUXEDO backlight
hl.on("hyprland.start", function()
hl.exec_cmd("tuxedo-backlight")
end)
'';
}; };
}) })
]; ];
hosts/m3-atlas/services/hermes-agent.nix
-191
View File
@@ -1,191 +0,0 @@
{config, ...}: let
# Default ElevenLabs voice: Bella (German-capable female)
elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
in {
services.hermes-agent = {
enable = true;
addToSystemPackages = true;
# Secrets via agenix
environmentFiles = [config.age.secrets."hermes-env".path];
# Non-secret environment variables
environment = {
#
};
# ── Container mode (podman) ──────────────────────────────────────────
container = {
enable = true;
backend = "podman";
};
settings = {
# ── Model ──────────────────────────────────────────────────────────
model = {
default = "glm-5.1";
provider = "zai";
base_url = "https://api.z.ai/api/coding/paas/v4/";
};
credential_pool_strategies = {
zai = "fill_first";
};
toolsets = ["all"];
# ── Agent ──────────────────────────────────────────────────────────
agent = {
max_turns = 90;
gateway_timeout = 1800;
tool_use_enforcement = "auto";
};
# ── Terminal ───────────────────────────────────────────────────────
terminal = {
backend = "local";
modal_mode = "auto";
cwd = ".";
timeout = 180;
persistent_shell = true;
};
# ── Browser ────────────────────────────────────────────────────────
browser = {
inactivity_timeout = 120;
command_timeout = 30;
cloud_provider = "local";
};
# ── Checkpoints / Compression ──────────────────────────────────────
checkpoints = {
enabled = true;
max_snapshots = 50;
};
file_read_max_chars = 100000;
compression = {
enabled = true;
threshold = 0.5;
target_ratio = 0.2;
protect_last_n = 20;
};
# ── Display ────────────────────────────────────────────────────────
display = {
compact = false;
personality = "kawaii";
resume_display = "full";
busy_input_mode = "interrupt";
inline_diffs = true;
skin = "default";
tool_progress = "all";
};
# ── TTS / STT / Voice ──────────────────────────────────────────────
tts = {
provider = "elevenlabs";
elevenlabs = {
voice_id = elevenlabsVoiceId;
model_id = "eleven_multilingual_v2";
};
};
stt = {
enabled = true;
provider = "local";
local = {model = "base";};
};
voice = {
record_key = "ctrl+b";
max_recording_seconds = 120;
silence_threshold = 200;
silence_duration = 3.0;
};
# ── Memory ─────────────────────────────────────────────────────────
memory = {
memory_enabled = true;
user_profile_enabled = true;
memory_char_limit = 2200;
user_char_limit = 1375;
};
# ── Delegation ─────────────────────────────────────────────────────
delegation = {
max_iterations = 50;
};
# ── Discord ────────────────────────────────────────────────────────
discord = {
require_mention = true;
auto_thread = true;
reactions = true;
};
# ── Approvals / Security ───────────────────────────────────────────
approvals = {
mode = "manual";
timeout = 60;
};
security = {
redact_secrets = true;
tirith_enabled = true;
tirith_fail_open = true;
};
# ── Cron / Session ─────────────────────────────────────────────────
cron = {wrap_response = true;};
session_reset = {
mode = "both";
idle_minutes = 1440;
at_hour = 4;
};
# ── Web ────────────────────────────────────────────────────────────
web = {backend = "exa";};
# ── Platform Toolsets ──────────────────────────────────────────────
platform_toolsets = {
cli = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
telegram = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
};
};
};
}
hosts/m3-atlas/services/traefik.nix
+15
View File
@@ -43,6 +43,12 @@
dynamicConfigOptions = { dynamicConfigOptions = {
http = { http = {
services = { services = {
# ── Hermes Dashboard (m3-hermes over Netbird) ────────────────
hermes-dashboard = {
loadBalancer.servers = [
{url = "http://100.81.231.152:9119";}
];
};
dummy = { dummy = {
loadBalancer.servers = [ loadBalancer.servers = [
{url = "http://192.168.0.1";} # Diese URL wird nie verwendet {url = "http://192.168.0.1";} # Diese URL wird nie verwendet
@@ -79,6 +85,15 @@
}; };
routers = { routers = {
# ── Hermes Dashboard — Netbird mesh only ─────────────────────
hermes-dashboard = {
rule = "Host(`dash.m3ta.dev`)";
service = "hermes-dashboard";
entrypoints = ["websecure"];
tls = {
certResolver = "godaddy";
};
};
api = { api = {
rule = "Host(`r.m3tam3re.com`)"; rule = "Host(`r.m3tam3re.com`)";
service = "api@internal"; service = "api@internal";
hosts/m3-hermes/services/hermes-agent.nix
+16 -9
View File
@@ -16,7 +16,7 @@
gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib"; gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib";
# Build skills using agents flake lib for hermes user # Build skills using agents flake lib for hermes user
hermesSkills = inputs.agents.lib.mkOpencodeSkills { hermesSkills = inputs.agents.lib.mkSkills {
inherit pkgs; inherit pkgs;
customSkills = "${inputs.agents}/skills"; customSkills = "${inputs.agents}/skills";
externalSkills = [ externalSkills = [
@@ -49,13 +49,6 @@ in {
user: m3ta-chiron user: m3ta-chiron
default: true default: true
''}" ''}"
"f /home/hermes/.gitconfig 0644 hermes hermes - ${pkgs.writeText "gitconfig" ''
[user]
name = m3ta-chiron
email = m3ta-chiron@agentmail.to
[init]
defaultBranch = master
''}"
]; ];
systemd.services.copy-hermes-skills = { systemd.services.copy-hermes-skills = {
@@ -79,7 +72,13 @@ in {
enable = true; enable = true;
addToSystemPackages = true; addToSystemPackages = true;
extraPackages = with pkgs; [docker git tea nix]; extraPackages = with pkgs; [
docker
git
tea
nix
zellij
];
# Secrets via agenix # Secrets via agenix
environmentFiles = [ environmentFiles = [
@@ -89,12 +88,17 @@ in {
]; ];
# Non-secret environment variables # Non-secret environment variables
# Git identity is set entirely via env vars (GIT_AUTHOR_*, GIT_COMMITTER_*,
# GIT_INIT_DEFAULT_BRANCH) — no .gitconfig file needed. Env vars take
# precedence over any gitconfig, and the hermes gateway injects them into
# all terminal sessions via .env.
environment = { environment = {
GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/"; GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
GIT_AUTHOR_NAME = "m3ta-chiron"; GIT_AUTHOR_NAME = "m3ta-chiron";
GIT_AUTHOR_EMAIL = "m3ta-chiron@agentmail.to"; GIT_AUTHOR_EMAIL = "m3ta-chiron@agentmail.to";
GIT_COMMITTER_NAME = "m3ta-chiron"; GIT_COMMITTER_NAME = "m3ta-chiron";
GIT_COMMITTER_EMAIL = "m3ta-chiron@agentmail.to"; GIT_COMMITTER_EMAIL = "m3ta-chiron@agentmail.to";
GIT_INIT_DEFAULT_BRANCH = "master";
# ── API Server (OpenAI-compatible, for Hermes Desktop App) ───────── # ── API Server (OpenAI-compatible, for Hermes Desktop App) ─────────
# Accessible via Netbird mesh VPN — not exposed to the public internet. # Accessible via Netbird mesh VPN — not exposed to the public internet.
@@ -240,6 +244,9 @@ in {
user_id = "@chiron:m3ta.dev"; user_id = "@chiron:m3ta.dev";
allowed_users = ["@m3tam3re:m3ta.dev"]; allowed_users = ["@m3tam3re:m3ta.dev"];
encryption = true; encryption = true;
group_sessions_per_user = true;
auto_thread = true;
dm_mention_threads = true;
}; };
# ── Approvals / Security ─────────────────────────────────────────── # ── Approvals / Security ───────────────────────────────────────────
hosts/m3-hermes/services/hermes-dashboard.nix
+8 -5
View File
@@ -4,7 +4,8 @@
inputs, inputs,
... ...
}: let }: let
# Netbird mesh VPN range — dashboard only accessible from mesh peers # Netbird mesh VPN range — dashboard only accessible from mesh peers.
# m3-atlas Traefik proxies to this port over Netbird.
netbirdRange = "100.64.0.0/16"; netbirdRange = "100.64.0.0/16";
# Reference the hermes-agent package from the running service config # Reference the hermes-agent package from the running service config
@@ -12,7 +13,11 @@
in { in {
# ── Hermes Dashboard systemd service ─────────────────────────────────── # ── Hermes Dashboard systemd service ───────────────────────────────────
# Web UI for managing Hermes Agent — sessions, config, kanban, cron, etc. # Web UI for managing Hermes Agent — sessions, config, kanban, cron, etc.
# Binds to 0.0.0.0:9119 but firewall restricts to Netbird mesh only. #
# Flow: Browser → dash.m3ta.dev (TLS via m3-atlas Traefik) → Netbird → :9119
#
# --insecure is required to bind 0.0.0.0 (hermes refuses non-localhost otherwise).
# Safe because firewall restricts port 9119 to Netbird mesh only.
systemd.services.hermes-dashboard = { systemd.services.hermes-dashboard = {
description = "Hermes Agent Web Dashboard"; description = "Hermes Agent Web Dashboard";
after = ["network.target" "hermes-agent.service"]; after = ["network.target" "hermes-agent.service"];
@@ -24,7 +29,7 @@ in {
User = "hermes"; User = "hermes";
Group = "hermes"; Group = "hermes";
ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open"; ExecStart = "${hermesPkg}/bin/hermes dashboard --host 0.0.0.0 --port 9119 --no-open --insecure";
# Environment matching the hermes-agent service # Environment matching the hermes-agent service
Environment = [ Environment = [
@@ -48,8 +53,6 @@ in {
# ── Firewall: Dashboard only from Netbird mesh ───────────────────────── # ── Firewall: Dashboard only from Netbird mesh ─────────────────────────
networking.firewall = { networking.firewall = {
# Use extraCommands for source-IP-restricted port (NixOS firewall
# allowedTCPPorts is all-or-nothing per port).
extraCommands = '' extraCommands = ''
# Allow Hermes Dashboard (9119/tcp) only from Netbird mesh VPN # Allow Hermes Dashboard (9119/tcp) only from Netbird mesh VPN
ip46tables -A nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept ip46tables -A nixos-fw -p tcp --dport 9119 -s ${netbirdRange} -j nixos-fw-accept
hosts/m3-kratos/home.nix
+19 -18
View File
@@ -36,31 +36,32 @@ with lib; {
}; };
} }
# ── Hyprland monitor layout ── # ── Hyprland monitor layout & host-specific rules ──
(mkIf config.desktop.wm.hyprland.enable { (mkIf config.desktop.wm.hyprland.enable {
wayland.windowManager.hyprland = { wayland.windowManager.hyprland = {
enable = true; enable = true;
settings = { settings = {
# Dual monitor: DP-1 left, DP-2 right
monitor = [ monitor = [
"DP-1,2560x1440@144,0x0,1" { output = "DP-1"; mode = "2560x1440@144"; position = "0x0"; scale = 1; }
"DP-2,2560x1440@144,2560x0,1" { output = "DP-2"; mode = "2560x1440@144"; position = "2560x0"; scale = 1; }
]; ];
workspace = [ workspace_rule = [
"1, monitor:DP-1, default:true" { workspace = 1; monitor = "DP-1"; default = true; }
"2, monitor:DP-1" { workspace = 2; monitor = "DP-1"; }
"3, monitor:DP-1" { workspace = 3; monitor = "DP-1"; }
"4, monitor:DP-2" { workspace = 4; monitor = "DP-2"; }
"5, monitor:DP-2" { workspace = 5; monitor = "DP-2"; }
"6, monitor:DP-2" { workspace = 6; monitor = "DP-2"; }
"7, monitor:DP-2" { workspace = 7; monitor = "DP-2"; }
]; ];
windowrule = [ window_rule = [
"match:class dev.zed.Zed, workspace 1" { match = { class = "dev.zed.Zed" }; workspace = "1"; }
"match:class Msty, workspace 1" { match = { class = "Msty" }; workspace = "1"; }
"match:class ^(com.obsproject.Studio)$, workspace 2" { match = { class = "^com.obsproject.Studio$" }; workspace = "2"; }
"match:class ^(brave-browser)$, workspace 4, opacity 1.0" { match = { class = "^(brave-browser)$" }; workspace = "4"; opacity = 1.0; }
"match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0" { match = { class = "^(vivaldi-stable)$" }; workspace = "4"; opacity = 1.0; }
"match:class ^steam_app_\\d+$, idle_inhibit focus" { match = { class = "^steam_app_\\d+$" }; idle_inhibit = "focus"; }
]; ];
}; };
}; };
hosts/m3-kratos/services/default.nix
-1
View File
@@ -1,7 +1,6 @@
{pkgs, ...}: { {pkgs, ...}: {
imports = [ imports = [
./containers ./containers
./hermes-agent.nix
./mem0.nix ./mem0.nix
# ./n8n.nix # ./n8n.nix
./netbird.nix ./netbird.nix
hosts/m3-kratos/services/hermes-agent.nix
-184
View File
@@ -1,184 +0,0 @@
{config, ...}: let
# Default ElevenLabs voice: Bella (German-capable female)
elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
in {
services.hermes-agent = {
enable = true;
addToSystemPackages = true;
# Secrets via agenix
environmentFiles = [config.age.secrets."hermes-env".path];
# Non-secret environment variables
environment = {
GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
};
settings = {
# ── Model ──────────────────────────────────────────────────────────
model = {
default = "glm-5.1";
provider = "zai";
};
credential_pool_strategies = {
zai = "fill_first";
};
toolsets = ["all"];
# ── Agent ──────────────────────────────────────────────────────────
agent = {
max_turns = 90;
gateway_timeout = 1800;
tool_use_enforcement = "auto";
};
# ── Terminal ───────────────────────────────────────────────────────
terminal = {
backend = "ssh";
modal_mode = "auto";
cwd = ".";
timeout = 180;
persistent_shell = true;
};
# ── Browser ────────────────────────────────────────────────────────
browser = {
inactivity_timeout = 120;
command_timeout = 30;
cloud_provider = "local";
};
# ── Checkpoints / Compression ──────────────────────────────────────
checkpoints = {
enabled = true;
max_snapshots = 50;
};
file_read_max_chars = 100000;
compression = {
enabled = true;
threshold = 0.5;
target_ratio = 0.2;
protect_last_n = 20;
};
# ── Display ────────────────────────────────────────────────────────
display = {
compact = false;
personality = "kawaii";
resume_display = "full";
busy_input_mode = "interrupt";
inline_diffs = true;
skin = "default";
tool_progress = "all";
};
# ── TTS / STT / Voice ──────────────────────────────────────────────
tts = {
provider = "elevenlabs";
elevenlabs = {
voice_id = elevenlabsVoiceId;
model_id = "eleven_multilingual_v2";
};
};
stt = {
enabled = true;
provider = "local";
local = {model = "base";};
};
voice = {
record_key = "ctrl+b";
max_recording_seconds = 120;
silence_threshold = 200;
silence_duration = 3.0;
};
# ── Memory ─────────────────────────────────────────────────────────
memory = {
memory_enabled = true;
user_profile_enabled = true;
memory_char_limit = 2200;
user_char_limit = 1375;
};
# ── Delegation ─────────────────────────────────────────────────────
delegation = {
max_iterations = 50;
};
# ── Discord ────────────────────────────────────────────────────────
discord = {
require_mention = true;
auto_thread = true;
reactions = true;
};
# ── Approvals / Security ───────────────────────────────────────────
approvals = {
mode = "manual";
timeout = 60;
};
security = {
redact_secrets = true;
tirith_enabled = true;
tirith_fail_open = true;
};
# ── Cron / Session ─────────────────────────────────────────────────
cron = {wrap_response = true;};
session_reset = {
mode = "both";
idle_minutes = 1440;
at_hour = 4;
};
# ── Web ────────────────────────────────────────────────────────────
web = {backend = "exa";};
# ── Platform Toolsets ──────────────────────────────────────────────
platform_toolsets = {
cli = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
telegram = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
};
};
};
}
issues.jsonl
+1 -1
View File
@@ -1,3 +1,3 @@
{"id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0} {"id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
{"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0} {"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
{"id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0} {"id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}
secrets/hermes-cloud-env.age
BIN
View File
Binary file not shown.
secrets/honcho-key.age
BIN
View File
Binary file not shown.