update agent-lib

.a5c/inputs/fix-eval-warnings-inputs.json

@@ -0,0 +1,5 @@
+{
+  "nixosConfigDir": "/home/m3tam3re/p/NIX/nixos-config",
+  "m3taHomeDir": "/home/m3tam3re/p/NIX/m3ta-home",
+  "specPath": "/home/m3tam3re/p/NIX/nixos-config/.a5c/inputs/fix-eval-warnings-spec.md"
+}

.a5c/inputs/fix-eval-warnings-spec.md

@@ -0,0 +1,10 @@
+Fix the following Nix/Home Manager evaluation warnings except for the gc/nh conflict warning:
+
+- `evaluation warning: 'system' has been renamed to/replaced by 'stdenv.hostPlatform.system'`
+- `evaluation warning: m3tam3re profile: programs.ssh.matchBlocks defined in /nix/store/...-users/m3tam3re/identities/private.nix is deprecated. Use programs.ssh.settings.`
+
+Do not fix or change the warning:
+
+- `evaluation warning: programs.nh.clean.enable and nix.gc.automatic are both enabled. Please use one or the other to avoid conflict.`
+
+The private identity source file is in `/home/m3tam3re/p/NIX/m3ta-home/users/m3tam3re/identities/private.nix`.

.a5c/processes/fix-nix-eval-warnings.js

@@ -0,0 +1,301 @@
+/**
+ * @process local/fix-nix-eval-warnings
+ * @description Fix Nix/Home Manager evaluation warnings except the nh/gc conflict warning.
+ * @skill systematic-debugging methodologies/superpowers/systematic-debugging.js
+ * @skill verification-before-completion methodologies/superpowers/verification-before-completion.js
+ * @skill root-cause-diagnosis methodologies/shared/root-cause-diagnosis.js
+ */
+
+import { defineTask } from '@a5c-ai/babysitter-sdk';
+
+const q = (value) => `'${String(value).replace(/'/g, `'\\''`)}'`;
+
+export async function process(inputs, ctx) {
+  const nixosConfigDir = inputs.nixosConfigDir || '/home/m3tam3re/p/NIX/nixos-config';
+  const m3taHomeDir = inputs.m3taHomeDir || '/home/m3tam3re/p/NIX/m3ta-home';
+  const specPath = inputs.specPath || `${nixosConfigDir}/.a5c/inputs/fix-eval-warnings-spec.md`;
+
+  const spec = await ctx.task(readSpecTask, { specPath });
+
+  const inspection = await ctx.task(inspectWarningSourcesTask, {
+    nixosConfigDir,
+    m3taHomeDir,
+  });
+
+  const implementation = await ctx.task(implementFixesTask, {
+    nixosConfigDir,
+    m3taHomeDir,
+    spec: spec.stdout,
+    inspection: inspection.stdout,
+  });
+
+  const formatting = await ctx.task(formatChangedNixTask, {
+    m3taHomeDir,
+  });
+
+  const verification = await ctx.task(verifyWarningsTask, {
+    nixosConfigDir,
+    m3taHomeDir,
+  });
+
+  const artifacts = await ctx.task(collectArtifactsTask, {
+    nixosConfigDir,
+    m3taHomeDir,
+    verifyStdout: verification.stdout || '',
+    verifyStderr: verification.stderr || '',
+  });
+
+  const acceptance = await ctx.task(acceptanceReviewTask, {
+    spec: spec.stdout,
+    artifacts: artifacts.stdout,
+  });
+
+  if (!acceptance.accepted) {
+    await ctx.breakpoint({
+      title: 'Warning fix acceptance review failed',
+      question: `Acceptance review did not approve the changes: ${acceptance.reason}`,
+      context: {
+        runId: ctx.runId,
+        files: [
+          { path: `${m3taHomeDir}/users/m3tam3re/identities/private.nix`, format: 'nix', label: 'Private SSH identity' },
+          { path: `${m3taHomeDir}/profiles/sets/coding/agents/agents.nix`, format: 'nix', label: 'Agent packages' },
+          { path: `${m3taHomeDir}/profiles/contexts/desktop/default.nix`, format: 'nix', label: 'Desktop packages' },
+        ],
+      },
+    });
+  }
+
+  return {
+    success: acceptance.accepted,
+    summary: implementation.summary,
+    changedFiles: implementation.changedFiles,
+    verification: {
+      formatting: formatting.stdout,
+      warnings: verification.stdout,
+      review: acceptance,
+    },
+  };
+}
+
+export const readSpecTask = defineTask('read-spec', (args, taskCtx) => ({
+  kind: 'shell',
+  title: 'Read warning-fix spec',
+  shell: {
+    command: `cat ${q(args.specPath)}`,
+    expectedExitCode: 0,
+    timeout: 10000,
+  },
+  io: {
+    inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
+    outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
+  },
+  labels: ['spec', 'shell'],
+}));
+
+export const inspectWarningSourcesTask = defineTask('inspect-warning-sources', (args, taskCtx) => ({
+  kind: 'shell',
+  title: 'Inspect current warning sources',
+  shell: {
+    command: [
+      'set -euo pipefail',
+      `echo '== nixos-config status =='`,
+      `cd ${q(args.nixosConfigDir)} && git status --short`,
+      `echo`,
+      `echo '== m3ta-home status =='`,
+      `cd ${q(args.m3taHomeDir)} && git status --short`,
+      `echo`,
+      `echo '== active pkgs.system-style package selectors =='`,
+      `grep -RIn --include='*.nix' -E 'packages[.]\\$\\{pkgs[.]system\\}|packages[.]\\$\\{prev[.]system\\}|packages[.]\\$\\{final[.]system\\}' ${q(args.nixosConfigDir)} ${q(args.m3taHomeDir)} || true`,
+      `echo`,
+      `echo '== SSH matchBlocks in m3ta-home identities =='`,
+      `grep -RIn --include='*.nix' 'matchBlocks' ${q(`${args.m3taHomeDir}/users/m3tam3re/identities`)} || true`,
+    ].join('\n'),
+    expectedExitCode: 0,
+    timeout: 30000,
+  },
+  io: {
+    inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
+    outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
+  },
+  labels: ['diagnosis', 'shell'],
+}));
+
+export const implementFixesTask = defineTask('implement-warning-fixes', (args, taskCtx) => ({
+  kind: 'agent',
+  title: 'Implement requested warning fixes',
+  agent: {
+    name: 'worker',
+    prompt: {
+      role: 'Nix/Home Manager maintenance engineer',
+      task: 'Edit the repositories to remove the requested evaluation warnings, excluding the nh/gc warning by request.',
+      context: {
+        nixosConfigDir: args.nixosConfigDir,
+        m3taHomeDir: args.m3taHomeDir,
+        specVerbatim: args.spec,
+        inspectionStdout: args.inspection,
+      },
+      instructions: [
+        'Execute the task fully; do not just provide a plan.',
+        'Do not invoke the babysit skill or create another babysitter run.',
+        'Read every file before editing it.',
+        'Preserve unrelated existing user changes, especially any dirty files in nixos-config such as flake.nix or flake.lock.',
+        'Fix active uses of pkgs.system/prev.system/final.system that trigger the Nixpkgs deprecation warning by using stdenv.hostPlatform.system through the appropriate package set.',
+        'Migrate /home/m3tam3re/p/NIX/m3ta-home/users/m3tam3re/identities/private.nix from programs.ssh.matchBlocks to programs.ssh.settings.',
+        'For programs.ssh.settings, use OpenSSH directive names such as HostName, User, Port, and IdentityFile; do not keep legacy camelCase option names under settings.',
+        'Do not change programs.nh.clean.enable or nix.gc.automatic; the user explicitly excluded that warning.',
+        'Keep the change minimal and focused on the warnings in the spec.',
+        'Run a quick static check of the edited files if practical, but leave deterministic verification to the process quality gate.',
+      ],
+      outputFormat: 'JSON with summary, changedFiles, and verificationNotes.',
+    },
+    outputSchema: {
+      type: 'object',
+      required: ['summary', 'changedFiles', 'verificationNotes'],
+      properties: {
+        summary: { type: 'string' },
+        changedFiles: { type: 'array', items: { type: 'string' } },
+        verificationNotes: { type: 'array', items: { type: 'string' } },
+      },
+    },
+  },
+  io: {
+    inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
+    outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
+  },
+  labels: ['implementation', 'agent', 'nix'],
+}));
+
+export const formatChangedNixTask = defineTask('format-changed-nix', (args, taskCtx) => ({
+  kind: 'shell',
+  title: 'Format changed Nix files',
+  shell: {
+    command: [
+      'set -euo pipefail',
+      `cd ${q(args.m3taHomeDir)}`,
+      `if command -v alejandra >/dev/null 2>&1; then`,
+      `  alejandra users/m3tam3re/identities/private.nix profiles/sets/coding/agents/agents.nix profiles/contexts/desktop/default.nix`,
+      `else`,
+      `  nix run nixpkgs#alejandra -- users/m3tam3re/identities/private.nix profiles/sets/coding/agents/agents.nix profiles/contexts/desktop/default.nix`,
+      `fi`,
+    ].join('\n'),
+    expectedExitCode: 0,
+    timeout: 120000,
+  },
+  io: {
+    inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
+    outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
+  },
+  labels: ['format', 'shell'],
+}));
+
+export const verifyWarningsTask = defineTask('verify-warning-removal', (args, taskCtx) => ({
+  kind: 'shell',
+  title: 'Verify requested warnings are gone',
+  shell: {
+    command: [
+      'set -euo pipefail',
+      `echo '== static checks =='`,
+      `! grep -RIn --include='*.nix' -E 'packages[.]\\$\\{pkgs[.]system\\}|packages[.]\\$\\{prev[.]system\\}|packages[.]\\$\\{final[.]system\\}' ${q(`${args.m3taHomeDir}/profiles`)} || { echo 'Found deprecated package system selector' >&2; exit 1; }`,
+      `! grep -n 'matchBlocks' ${q(`${args.m3taHomeDir}/users/m3tam3re/identities/private.nix`)} || { echo 'private.nix still uses matchBlocks' >&2; exit 1; }`,
+      `grep -n 'settings = {' ${q(`${args.m3taHomeDir}/users/m3tam3re/identities/private.nix`)}`,
+      `echo`,
+      `echo '== nix eval m3-ares =='`,
+      `cd ${q(args.nixosConfigDir)}`,
+      `eval_stdout=$(mktemp)`,
+      `eval_stderr=$(mktemp)`,
+      `set +e`,
+      `nix eval .#nixosConfigurations.m3-ares.config.system.build.toplevel.drvPath --show-trace >"$eval_stdout" 2>"$eval_stderr"`,
+      `status=$?`,
+      `set -e`,
+      `cat "$eval_stdout"`,
+      `cat "$eval_stderr" >&2`,
+      `if [ "$status" -ne 0 ]; then exit "$status"; fi`,
+      `if grep -F "'system' has been renamed" "$eval_stderr"; then echo 'Deprecated system warning still present' >&2; exit 1; fi`,
+      `if grep -F 'programs.ssh.matchBlocks' "$eval_stderr"; then echo 'Deprecated SSH matchBlocks warning still present' >&2; exit 1; fi`,
+      `if grep -F 'programs.nh.clean.enable and nix.gc.automatic' "$eval_stderr" >/dev/null; then echo 'Allowed nh/gc warning remains by request.'; fi`,
+    ].join('\n'),
+    expectedExitCode: 0,
+    timeout: 300000,
+  },
+  io: {
+    inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
+    outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
+  },
+  labels: ['verification', 'shell', 'nix'],
+}));
+
+export const collectArtifactsTask = defineTask('collect-artifacts', (args, taskCtx) => ({
+  kind: 'shell',
+  title: 'Collect diffs and verification output',
+  shell: {
+    command: [
+      'set -euo pipefail',
+      `echo '== m3ta-home diff =='`,
+      `cd ${q(args.m3taHomeDir)} && git diff -- users/m3tam3re/identities/private.nix profiles/sets/coding/agents/agents.nix profiles/contexts/desktop/default.nix`,
+      `echo`,
+      `echo '== nixos-config diff (should not include warning fix unless needed) =='`,
+      `cd ${q(args.nixosConfigDir)} && git diff -- overlays/default.nix flake.nix flake.lock || true`,
+      `echo`,
+      `echo '== verification stdout =='`,
+      `cat <<'VERIFY_STDOUT'`,
+      args.verifyStdout || '',
+      `VERIFY_STDOUT`,
+      `echo`,
+      `echo '== verification stderr =='`,
+      `cat <<'VERIFY_STDERR'`,
+      args.verifyStderr || '',
+      `VERIFY_STDERR`,
+    ].join('\n'),
+    expectedExitCode: 0,
+    timeout: 30000,
+  },
+  io: {
+    inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
+    outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
+  },
+  labels: ['artifacts', 'shell'],
+}));
+
+export const acceptanceReviewTask = defineTask('acceptance-review', (args, taskCtx) => ({
+  kind: 'agent',
+  title: 'Review changes against requested warning fixes',
+  agent: {
+    name: 'reviewer',
+    prompt: {
+      role: 'Acceptance reviewer for a Nix/Home Manager warning fix',
+      task: 'Compare SPEC to ARTIFACTS directly and decide whether the requested warnings were fixed without touching the excluded nh/gc warning.',
+      instructions: [
+        'Ignore any narrative in your context about how ARTIFACTS were built.',
+        'Do not ask for additional changes unless they are required by the SPEC.',
+        'Accept if the system deprecation warning and private SSH matchBlocks warning are addressed, and the nh/gc conflict remains untouched.',
+        '',
+        'SPEC (verbatim):',
+        '---',
+        args.spec,
+        '---',
+        '',
+        'ARTIFACTS (verbatim):',
+        '---',
+        args.artifacts,
+        '---',
+        '',
+        'Compare SPEC to ARTIFACTS directly. Ignore any narrative in your context about how ARTIFACTS were built.',
+      ],
+      outputFormat: 'JSON with accepted boolean, reason string, and checkedCriteria array.',
+    },
+    outputSchema: {
+      type: 'object',
+      required: ['accepted', 'reason', 'checkedCriteria'],
+      properties: {
+        accepted: { type: 'boolean' },
+        reason: { type: 'string' },
+        checkedCriteria: { type: 'array', items: { type: 'string' } },
+      },
+    },
+  },
+  io: {
+    inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
+    outputJsonPath: `tasks/${taskCtx.effectId}/output.json`,
+  },
+  labels: ['acceptance', 'agent', 'review'],
+}));

flake.nix

@@ -15,7 +15,7 @@
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
     nixpkgs-45570c2.url = "github:nixos/nixpkgs/45570c299dc2b63c8c574c4cd77f0b92f7e2766e";
     nixpkgs-locked.url = "github:nixos/nixpkgs/2744d988fa116fc6d46cdfa3d1c936d0abd7d121";
@@ -25,7 +25,6 @@
     m3ta-nixpkgs.url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs";
     llm-agents.url = "github:numtide/llm-agents.nix";
 
-    #
     nur = {
       url = "github:nix-community/NUR";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -39,46 +38,16 @@
 
     nixos-generators = {url = "github:nix-community/nixos-generators";};
 
-    hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
     rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor";
     nix-colors.url = "github:misterio77/nix-colors";
 
     m3ta-home = {
-      # url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home";
-      url = "path:/home/m3tam3re/p/NIX/m3ta-home";
+      url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home";
+      # url = "path:/home/m3tam3re/p/NIX/m3ta-home";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    agents = {
-      # url = "path:/home/m3tam3re/p/AI/AGENTS";
-      url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/AGENTS";
-    };
-    ## Skills
-    skills-basecamp = {
-      url = "github:basecamp/basecamp-cli";
-      flake = false;
-    };
-    skills-anthropic = {
-      url = "github:anthropics/skills";
-      flake = false;
-    };
-    skills-kestra = {
-      url = "github:kestra-io/agent-skills";
-      flake = false;
-    };
-    skills-mattpocock = {
-      url = "github:mattpocock/skills";
-      flake = false;
-    };
-    skills-superpowers = {
-      url = "github:obra/superpowers";
-      flake = false;
-    };
-    skills-vercel = {
-      url = "github:vercel-labs/skills";
-      flake = false;
-    };
-    hermes-agent.url = "github:NousResearch/hermes-agent/v2026.5.16";
+    hermes-agent.url = "github:NousResearch/hermes-agent/v2026.6.5";
 
     rustfs = {
       url = "github:rustfs/rustfs-flake";
@@ -93,7 +62,6 @@
     nixpkgs,
     m3ta-nixpkgs,
     nur,
-    agents,
     ...
   } @ inputs: let
     inherit (self) outputs;
@@ -196,11 +164,6 @@
         inherit system;
         config.allowUnfree = true; # Allow unfree packages in devShell
       };
-      m3taLib = m3ta-nixpkgs.lib.x86_64-linux;
-      rules = m3taLib.coding-rules.mkCodingRules {
-        inherit agents;
-        languages = ["nix"];
-      };
     in {
       default = pkgs.mkShell {
         buildInputs = with pkgs; [
@@ -211,7 +174,6 @@
           statix
           deadnix
         ];
-        inherit (rules) instructions shellHook;
       };
     });
   };

hosts/common/default.nix

@@ -21,7 +21,8 @@
     useGlobalPkgs = true;
     useUserPackages = true;
     extraSpecialArgs = {
-      inherit inputs outputs system;
+      inputs = inputs // {agents = null;};
+      inherit outputs system;
       videoDrivers = config.services.xserver.videoDrivers or [];
     };
   };

hosts/common/users/m3tam3re.nix

@@ -90,6 +90,7 @@
           hyprland.enable = true;
           rofi.enable = true;
           wayland.enable = true;
+          dms.enable = true;
         };
         apps = {
           crypto.enable = true;

hosts/m3-ares/services/default.nix

@@ -1,6 +1,7 @@
 {pkgs, ...}: {
   imports = [
     ./containers
+    ./greetd.nix
     ./hermes-agent.nix
     ./netbird.nix
     #./n8n.nix

hosts/m3-ares/services/greetd.nix

@@ -0,0 +1,38 @@
+# greetd login manager for m3-kratos (replaces broken GDM on nixos-unstable).
+# Uses tuigreet as the greeter, launching Hyprland after authentication.
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  tuigreet = "${lib.getExe pkgs.tuigreet}";
+  # Use start-hyprland wrapper to avoid Hyprland startup warnings
+  # withUWSM=true is set in programs.nix; start-hyprland handles this correctly
+  hyprlandCmd = "${config.programs.hyprland.package}/bin/start-hyprland";
+in {
+  services.greetd = {
+    enable = true;
+
+    settings = {
+      default_session = {
+        user = "greeter";
+        # Minimal config: verified supported flags only
+        # The --time and --remember are tested; power commands omitted
+        # to avoid potential quoting/parsing issues
+        command = builtins.concatStringsSep " " [
+          tuigreet
+          "--time"
+          "--remember"
+          "--asterisks"
+          "--cmd ${hyprlandCmd}"
+        ];
+      };
+    };
+  };
+
+  # Required for --remember to persist username between logins
+  systemd.tmpfiles.rules = [
+    "d /var/cache/tuigreet 0755 greeter greeter - -"
+  ];
+}

hosts/m3-atlas/services/containers/ghost.nix

@@ -1,6 +1,6 @@
 {config, ...}: {
   virtualisation.oci-containers.containers."ghost" = {
-    image = "docker.io/ghost:latest";
+    image = "docker.io/ghost:6-alpine";
     environmentFiles = [config.age.secrets.ghost-env.path];
     ports = ["127.0.0.1:3002:2368"];
     volumes = ["ghost_data:/var/lib/ghost/content"];

hosts/m3-hermes/services/hermes-agent.nix

@@ -1,5 +1,6 @@
 {
   config,
+  lib,
   pkgs,
   inputs,
   ...
@@ -7,24 +8,33 @@
   # Edge TTS: Seraphina — friendly, multilingual German female voice (free, no API key)
   edgeVoice = "de-DE-SeraphinaMultilingualNeural";
 
-  # Build skills using agents flake lib for hermes user
-  hermesSkills = inputs.agents.lib.mkSkills {
-    inherit pkgs;
-    customSkills = "${inputs.agents}/skills";
-    externalSkills = [
-      {
-        src = inputs.skills-basecamp;
-        skillsDir = "skills";
-      }
-      {
-        src = inputs.skills-anthropic;
-        skillsDir = "skills";
-      }
-      {
-        src = inputs.skills-kestra;
-        skillsDir = "skills";
-      }
-    ];
+  agentSkillExclusions = {
+    m3ta-agents = [];
+    anthropic = ["pdf" "skill-creator" "xlsx"];
+    basecamp = [];
+    kestra = [];
+    mattpocock = ["grill-me" "caveman"];
+    superpowers = ["brainstorming" "systematic-debugging"];
+    vercel = [];
+  };
+
+  agentLibSourceSelections =
+    lib.mapAttrs (_sourceName: exclude: {
+      skills = {
+        all = true;
+        inherit exclude;
+      };
+    })
+    agentSkillExclusions;
+
+  # Deterministic store renderer consumed directly by Hermes. m3ta-home
+  # re-exports the focused helper so nixos-config does not need a direct
+  # agent-lib flake input.
+  hermesSkills = inputs.m3ta-home.lib.mkHermesSkillsDir {
+    system = pkgs.stdenv.hostPlatform.system;
+    name = "hermes-agent-lib-skills";
+    lockFile = ../../../agent-sources.lock.json;
+    sources = agentLibSourceSelections;
   };
 in {
   virtualisation.docker.enable = true;
@@ -43,18 +53,7 @@ in {
     ''}"
   ];
 
-  systemd.services.copy-hermes-skills = {
-    description = "Copy agent skills to hermes home directory";
-    wantedBy = ["hermes-agent.service"];
-    before = ["hermes-agent.service"];
-    serviceConfig.Type = "oneshot";
-    serviceConfig.RemainAfterExit = true;
-    script = ''
-      mkdir -p /var/lib/hermes/.agents
-      cp -rT ${hermesSkills} /var/lib/hermes/.agents/skills
-      chown -R hermes:hermes /var/lib/hermes/.agents
-    '';
-  };
+  systemd.services.hermes-agent.restartTriggers = [hermesSkills];
 
   services.hermes-agent = {
     enable = true;
@@ -72,6 +71,7 @@ in {
     ];
 
     extraPackages = with pkgs; [
+      basecamp
       docker
       git
       curl
@@ -155,7 +155,7 @@ in {
 
       skills = {
         external_dirs = [
-          "/var/lib/hermes/.agents/skills"
+          hermesSkills
         ];
       };
 

hosts/m3-kratos/configuration.nix

@@ -11,6 +11,7 @@
   boot.supportedFilesystems = ["zfs"];
   boot.zfs.package = pkgs.zfs_unstable;
   boot.zfs.forceImportAll = false;
+  boot.zfs.forceImportRoot = false;
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.initrd.kernelModules = ["amdgpu"];

hosts/m3-kratos/default.nix

@@ -48,6 +48,7 @@
     podman.enable = true;
     virtualisation.enable = true;
   };
+  services.power-profiles-daemon.enable = true;
   services.ollama = {
     environmentVariables = {
       # HCC_AMDGPU_TARGET = "gfx1103";

hosts/m3-kratos/home.nix

@@ -8,9 +8,14 @@
   ...
 }:
 with lib; {
+  imports = [
+  ];
+
   config = mkMerge [
     # ── XDG / MIME defaults ──
     {
+      qt.platformTheme.name = mkForce "qtct";
+
       xdg = {
         enable = true;
         configFile."mimeapps.list".force = true;
@@ -54,6 +59,22 @@ with lib; {
             "6, monitor:DP-2"
             "7, monitor:DP-2"
           ];
+          # m3ta-home sets QT_QPA_PLATFORMTHEME=gtk3 globally for Hyprland.
+          # ksnip crashes with duplicate GDK type registration under that Qt GTK
+          # platform theme, so use qtct for Qt apps on this host instead.
+          env = mkForce [
+            "XCURSOR_SIZE,32"
+            "HYPRCURSOR_THEME,Bibata-Modern-Ice"
+            "WLR_NO_HARDWARE_CURSORS,1"
+            "XDG_CURRENT_DESKTOP,Hyprland"
+            "XDG_SESSION_TYPE,wayland"
+            "XDG_SESSION_DESKTOP,Hyprland"
+            "XKB_DEFAULT_LAYOUT,de"
+            "NIXOS_OZONE_WL,1"
+            "QT_QPA_PLATFORM,wayland;xcb"
+            "QT_QPA_PLATFORMTHEME,qt5ct"
+            "QT_QPA_PLATFORMTHEME_QT6,qt6ct"
+          ];
           windowrule = [
             "match:class dev.zed.Zed, workspace 1"
             "match:class ^(com.obsproject.Studio)$, workspace 2"

secrets/hermes-api-server-key.age

@@ -1,26 +1,25 @@
 age-encryption.org/v1
--> ssh-ed25519 4NLKrw 2TwbZwX9SwWg4SVC0A2ICmyRjSfO+xtfBcBOK1lh3T4
-DSf4DrOAvW7L49lh6cq5IqrMM7gqXv2+67rR3ttn+CE
--> ssh-ed25519 5kwcsA K1hqFOAxq2T+oLp3bQjLYpXtlQVkA7RHCM/8ETMGbwU
-xIE4xz50LB5vbDTTLKVcx9vC2iXIsRLThHYYxGjcJyY
--> ssh-ed25519 9d4YIQ bXYb62OM/N+EXpMOZZ6zEbpfaH10Vz62PuUdGODXolw
-j64kKzOn8CmSnykEuWnXHZ0nfqwOfOxX4FPR4GSouR0
--> ssh-ed25519 3Bcr1w C4alN6ud7q0K4I7NHuBgC77D6zeTfZVGjNS3EKpvL00
-NpjOsg3eJ5LvX0lV7NYuVHLeqeYylHdmw60H+KeG1GY
--> ssh-ed25519 c4NQlA In5wsg4+LTIEbP75B83GMXPCItSPGwKWUW8QO+QjXyY
-oK1kikhr4RMq6QMv9kjNjiKrf5srlGh7hGbU2qns2rM
+-> ssh-ed25519 4NLKrw 42tBp6EbDJpC7EBt0++QxmF3N9rQJ/AP+7A/S174rCs
+bRzpQku0GLEBvANvCdeH3L4Kf06k6w2C4FfZCOp2QWI
+-> ssh-ed25519 5kwcsA YAYkQzsxfbHwrCPMW2eqLS9mRuuxr+EjHKl7MV3DDEo
+dN3TitETbdPbXzBtIDBglienhY4oDsFGgfe0VYdsP1o
+-> ssh-ed25519 9d4YIQ 2vTWMSuLrgpgaTWeu0ARoUOukLBKupCfMdqJhLvTqwA
+Lzk2Uo2U3tUJiq29on/a5zYfuUjgOZvCHhZYuFGSDG4
+-> ssh-ed25519 3Bcr1w x689Z0/TsOLLk1JNPXg2jj6y5ucaH37zRt46d/Z1l2w
+Bkzg3umkDYFBemmgev/M5LUFuobFugXe0u85mLmsDSo
+-> ssh-ed25519 c4NQlA 5Dn6e8bILaYl9FVt+ZwuZ6rOC0k0Kg1+KOSP4JakyWI
+AT6LeCo+P7RjgNhRex04kJ/7NHD2DAWRqs33uOJ7e5E
 -> ssh-rsa DQlE7w
-tcP4yPgGWqHYeE1gw/KD6cswik+9WU2s2f7hg5mK78085sQ7npXRsBVAz2OCRn07
-foeAAmnY4YmKriBh421JOVNBDOXHR5dfaIKY9b663L+rYj99ic0rfW26C+dqKitF
-SnvveL3Zf16nqg6duSVA7LIcIFgkIlA+RXnHPVho+P4GwEH7W8nCf/4kUquuhB7B
-F4Hx1qOknmGyNBJBFi27D04ZDDk/ZVxioYsO6P6TUu7MuaGmQCoVKREDl5RRh4zO
-XD8/TFDRsJLqqcbCKIlU+6CN1+L0r4FN4K0UaTjwPNzGvn5EEjBKw9RpOhdvI28I
-WlAQ+w6gdQiz9Ju4e5p7Doz2MbNb6894DimawHjzl968Xy5ifX2XA+FBdcW5hU9A
-u+7VXKZmbfMyvRA7lmKRoi4SurJAyQd6iXBrVKfTwFc53V/tJi48bsKcE3yXxHH+
-lKGuZFNGDDkqCruycjvz94WaIHy3fv5hhmBdgwoCZK1VGSLAnwdm1rG4B9m3t/K8
+M9pUnzZDa1v6X5UbQOE6HILaGU36VkQtnfXaJJdxJSRQ/sE9R3ZQoLjRZAw+UhUf
+09JwLkS55477xaar3bpvvOxeP4MrtTHLJ7593eEkFT3i45FfVmxutq6EYckZrCJB
+WjrCG7Cbvc20o6s54PYiF4Xk8AuPxt+SElRxBtcOK+SPba84f+WWHqrBA1YRzTDK
+fsM15eKWsJgzaz5y36grv4xSj4KbWMFtmEt5V5BEW32+zXBU5CPhonO59TxEQgh4
+hI2+gNmAzKQja7xbuxCyr3jcXWJz7IuXcrklr+2ZjF1wx3BDll1z+vxSX0C88MCc
+OLKDfnUiDa6BlgUfLK90dLIia8v0oIPXs4OWRfYs7SC/Z3QOPpSO62Ky9dKYRrod
+PHvCgxX28QvROE4TekL9PV81AfAbMVJrnkRiybg6id8CscldtDmgaKqoaIoJlAuF
+g5/LGd+FPfmlv2iNfGUn2Glhui8SkrBK1MzGJpeQw+l4CXLH33yQzHX0m6TdQBzr
 
--> ssh-ed25519 CSMyhg FNYYdEIJYcxkjMuM5lnIs9gIilvgD44uazZE8CjNeho
-QHeghlsOOlYNMwhMHT4o7DeuyxGP/3wyqm94HUHjn44
---- zRG6aCTS+X18VpeN+tz38kaUoilk1kN5KrWTWYZ6pV4
-ræX_qÔÁ’Ð껿H#p¯f™”}(žA(ã|»?ë0ªyJk¥SD‡\Jm&uõÃ&Ô9€ýÄ5Ù+çÊ…!v%Y˜ù~ãÁ$û“šZÇÓ°j„z–Â\ßá1,Vf˜
-£’æ1zª»#Ó
+-> ssh-ed25519 CSMyhg 5YHqBNbkkUFVhDEfOM4P2tAxT2t1rDn5KItUcjUs4DY
+oWEKUGiIVkRQvEkY33PpOUcoqsmacgHAaX58H6sRpP4
+--- KH+IYh4+bS3JMeEmFYakwIceMxOrlEZj0Fqt3VMgFRk
+�96¨ºà·ènÅϬuk!ß±1ÝNItŽNŸ8E�çwĹ]3µ”S*¡õ«0>!ý9zc‡(”2O;åI.^jC”&$ºÚ\ÛËWtÇÃNÿ#Õ€Å3
¾ÜøÞÌÏcMuÈAߢ•<¾)¬MÄ´¼a¥rdí'p’ÄggPä5’ÆõOQòNfà”×1AZ|1v\š4F›‡�Ò6;„T<l£