diff --git a/flake.lock b/flake.lock index d290e63..45addb6 100644 --- a/flake.lock +++ b/flake.lock @@ -268,11 +268,11 @@ "uv2nix": "uv2nix_2" }, "locked": { - "lastModified": 1775818389, - "narHash": "sha256-Ex2WE+apD96FZt8e/uRgbTUxSWslxv37zd2Ovbd4LYA=", + "lastModified": 1776145260, + "narHash": "sha256-jyxv5PCRMOA8mU+ng3EDXGLAw0Xq0dDQLgiYgEZudLA=", "owner": "NousResearch", "repo": "hermes-agent", - "rev": "0b143f2ea3ddef4e0bf725bdd931541f8af27882", + "rev": "d6314318721cc8f3eba6e1a6138ccc03355764bc", "type": "github" }, "original": { @@ -410,11 +410,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1775818866, - "narHash": "sha256-zkjkwAGYNxRsXm3TBSqTwqbQbJpTEqwBC6KPGnh7Wxw=", + "lastModified": 1776137484, + "narHash": "sha256-3gUwNO4y8ZmTyQBb3fCrLNRnqzAuuwNNSlPjmhrGnMo=", "owner": "numtide", "repo": "llm-agents.nix", - "rev": "290a25e026fa42bb74ae49a3a9a74904eb68be34", + "rev": "e70ca11dc1a327e99c58dcd580ed209056a61130", "type": "github" }, "original": { @@ -432,8 +432,8 @@ "openspec": "openspec" }, "locked": { - "lastModified": 1776108132, - "narHash": "sha256-XViouXku09/lGDN4xpfUTejo+i9W09ecVEDYXqJdrwY=", + "lastModified": 1776184481, + "narHash": "sha256-X4b1SRiUUhlp1ciL1pwHI5KvXmrM3A9zxb4GaeNkJ9I=", "path": "/home/m3tam3re/p/NIX/nixpkgs", "type": "path" }, @@ -672,11 +672,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1775763530, - "narHash": "sha256-BuTK9z1QEwWPOIakQ1gCN4pa4VwVJpfptYCviy2uOGc=", + "lastModified": 1775888245, + "narHash": "sha256-nwASzrRDD1JBEu/o8ekKYEXm/oJW6EMCzCRdrwcLe90=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0188973b4b2a5b6bdba8b65381d6cd09a533da0", + "rev": "13043924aaa7375ce482ebe2494338e058282925", "type": "github" }, "original": { diff --git a/home/features/coding/pi.nix b/home/features/coding/pi.nix index d9ca97c..10f37a3 100644 --- a/home/features/coding/pi.nix +++ b/home/features/coding/pi.nix 
@@ -3,18 +3,19 @@ enable = true; agentsInput = inputs.agents; - container = { - enable = true; - name = "pi-agent"; - projectRoots = ["/home/m3tam3re/p"]; - autoStart = true; - autoNixDevelop = true; - extraRunArgs = []; - extraEnv = { - NIX_CONFIG = "experimental-features = nix-command flakes"; - }; + externalSkills = [ + { + src = inputs.skills-anthropic; + selectSkills = ["pdf" "docx" "frontend-design"]; + } + {src = inputs.skills-vercel;} + {src = inputs.skills-basecamp;} + {src = inputs.skills-kestra;} + ]; - }; + # Source materialized for m3ta.pi-agent wrapper sync into /var/lib/pi-agent/.pi/agent + # Use .pi/agents to match Pi's native directory layout. + path = ".pi/agents"; modelOverrides = { chiron = "zai-coding-plan/glm-5.1"; diff --git a/hosts/m3-hermes/configuration.nix b/hosts/m3-hermes/configuration.nix index 63bac3f..4c7389d 100644 --- a/hosts/m3-hermes/configuration.nix +++ b/hosts/m3-hermes/configuration.nix @@ -30,6 +30,18 @@ }; }; + security.sudo.extraRules = [ + { + users = ["hermes"]; + commands = [ + { + command = "/run/current-system/sw/bin/podman"; + options = ["NOPASSWD"]; + } + ]; + } + ]; + services.fstrim = { enable = true; interval = "weekly"; diff --git a/hosts/m3-kratos/configuration.nix b/hosts/m3-kratos/configuration.nix index 5517108..08e6c85 100644 --- a/hosts/m3-kratos/configuration.nix +++ b/hosts/m3-kratos/configuration.nix @@ -68,7 +68,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [neovim git n8n]; + environment.systemPackages = with pkgs; [neovim git]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. diff --git a/hosts/m3-kratos/services/default.nix b/hosts/m3-kratos/services/default.nix index 0719e75..2e0e7db 100644 --- a/hosts/m3-kratos/services/default.nix +++ b/hosts/m3-kratos/services/default.nix 
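Review bot: Three of the four new `externalSkills` entries import every skill their input ships — only `skills-anthropic` is narrowed with `selectSkills`, while `{src = inputs.skills-vercel;}`, `skills-basecamp` and `skills-kestra` take the whole repository, so any skill added or changed upstream enters the agent's toolset on the next `nix flake update` without being named here. Skills are instructions and scripts the model executes, so they deserve the same allowlisting as a dependency: give each entry an explicit list, e.g. `{ src = inputs.skills-vercel; selectSkills = [ "<only the skills used>" ]; }`, and review the bundle before bumping its lock entry. The hunk also drops the `container` sandbox block; I assume isolation now comes from the `m3ta.pi-agent` host module added in this commit, but a one-line comment where the block was removed (`# sandboxing moved to m3ta.pi-agent on the host`) would stop the next reader from re-adding it.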
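Review bot: The NOPASSWD rule for `hermes` on `/run/current-system/sw/bin/podman` constrains no arguments, and root podman with free arguments is root on the host (`sudo podman run --privileged -v /:/host …` or `--pid=host` suffices), so this is equivalent to `hermes ALL=(ALL) NOPASSWD: ALL` for what, judging by the `hermes-agent` input elsewhere in this diff, is an LLM agent account. If the agent only needs to run containers, rootless podman removes the need for sudo entirely: drop this block and set `users.users.hermes.autoSubUidGidRange = true;` alongside `virtualisation.podman.enable = true;` (assuming the latter is not already set outside this hunk). If root podman is genuinely required, point the rule at a wrapper script with a fixed command line rather than the bare binary, and keep `hermes` out of `wheel`.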
@@ -3,8 +3,9 @@ ./containers ./hermes-agent.nix ./mem0.nix - ./n8n.nix + # ./n8n.nix ./netbird.nix + ./pi-agent.nix ./postgres.nix ./sound.nix ./udev.nix diff --git a/hosts/m3-kratos/services/n8n.nix b/hosts/m3-kratos/services/n8n.nix index 00c2653..5daa055 100644 --- a/hosts/m3-kratos/services/n8n.nix +++ b/hosts/m3-kratos/services/n8n.nix @@ -1,6 +1,6 @@ {lib, ...}: { services.n8n = { - enable = true; + enable = false; openFirewall = true; environment = { N8N_SECURE_COOKIE = "false"; diff --git a/hosts/m3-kratos/services/pi-agent.nix b/hosts/m3-kratos/services/pi-agent.nix new file mode 100644 index 0000000..59b74fb --- /dev/null +++ b/hosts/m3-kratos/services/pi-agent.nix @@ -0,0 +1,52 @@ +{config, ...}: let + cfg = config.m3ta.pi-agent; +in { + m3ta.pi-agent = { + enable = true; + binaryName = "pi"; + + # Per-user policy map: authorized host users + their allowed project roots. + hostUsers = { + m3tam3re = { + projectRoots = ["~/p"]; + # Optional (default comes from wrapper.hostConfigPath) + configPath = ".pi/agents"; + }; + }; + + wrapper = { + enable = true; + commandName = "pi"; + hideDirectBinary = true; + + # Sync Home Manager rendered Pi config from invoking user home. + hostConfigPath = ".pi/agents"; + }; + }; + + # Manage isolated pi-agent git identity via Home Manager (declarative + reusable pattern). + home-manager.users.${cfg.user} = { + home.username = cfg.user; + home.homeDirectory = cfg.stateDir; + home.stateVersion = "26.05"; + + programs.git = { + enable = true; + signing.format = null; + settings = { + user = { + name = "m3ta-chiron"; + email = "m3ta-chiron@agentmail.to"; + }; + core.excludesfile = "~/.gitignore_global"; + init.defaultBranch = "master"; + alias = { + st = "status"; + logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit"; + }; + }; + }; + + home.file.".gitignore_global".text = ""; + }; +}
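Review bot: `# ./n8n.nix` is commented-out code rather than a removal; git keeps the history, so delete the line outright, and the same commit already sets `enable = false` inside n8n.nix, which makes the file dead whichever way it is kept. The `./pi-agent.nix` import is fine, but since that module enables a `wrapper` that hides the direct `pi` binary, a short comment here such as `./pi-agent.nix # host-side policy + wrapper for the pi agent user` helps readers find where the agent's permissions live.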
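Review bot: `enable = false` here is unreachable because services/default.nix stops importing `./n8n.nix` in the same commit, so the switch that actually disables n8n is the import, not this line. If the file is kept as a re-enable template, note that it still carries `openFirewall = true` and `N8N_SECURE_COOKIE = "false"`, so an accidental re-import brings n8n back exposed on the firewall with insecure cookies; I would either delete the file or flip those to `openFirewall = false;` while it is parked.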
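Review bot: `projectRoots = ["~/p"]` relies on the `m3ta.pi-agent` module expanding `~` against the invoking host user; Nix does not expand it, and the agent user's own `HOME` is `cfg.stateDir` (`/var/lib/pi-agent` per the comment in pi.nix), so if the wrapper resolves the policy in its own environment the allowed root becomes `/var/lib/pi-agent/p` and the policy either blocks everything or, worse, passes an unrelated path. The removed container config used the absolute form, so unless the module documents tilde handling I would keep that: `projectRoots = ["/home/m3tam3re/p"];`. Separately, `signing.format = null` leaves the `m3ta-chiron` identity unsigned, so nothing distinguishes an agent commit from one that merely sets that name and e-mail; if agent commits should be attributable, give the account its own SSH key (`signing.format = "ssh"; signing.key = …;` with `commit.gpgsign = true`) and register that key as an agent-only signer on the forge. This file is new, so nothing outside the hunk is affected.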