flake.lock

@@ -268,11 +268,11 @@
         "uv2nix": "uv2nix_2"
       },
       "locked": {
-        "lastModified": 1775818389,
+        "lastModified": 1776145260,
-        "narHash": "sha256-Ex2WE+apD96FZt8e/uRgbTUxSWslxv37zd2Ovbd4LYA=",
+        "narHash": "sha256-jyxv5PCRMOA8mU+ng3EDXGLAw0Xq0dDQLgiYgEZudLA=",
         "owner": "NousResearch",
         "repo": "hermes-agent",
-        "rev": "0b143f2ea3ddef4e0bf725bdd931541f8af27882",
+        "rev": "d6314318721cc8f3eba6e1a6138ccc03355764bc",
         "type": "github"
       },
       "original": {
@@ -410,11 +410,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1775818866,
+        "lastModified": 1776137484,
-        "narHash": "sha256-zkjkwAGYNxRsXm3TBSqTwqbQbJpTEqwBC6KPGnh7Wxw=",
+        "narHash": "sha256-3gUwNO4y8ZmTyQBb3fCrLNRnqzAuuwNNSlPjmhrGnMo=",
         "owner": "numtide",
         "repo": "llm-agents.nix",
-        "rev": "290a25e026fa42bb74ae49a3a9a74904eb68be34",
+        "rev": "e70ca11dc1a327e99c58dcd580ed209056a61130",
         "type": "github"
       },
       "original": {
@@ -432,8 +432,8 @@
         "openspec": "openspec"
       },
       "locked": {
-        "lastModified": 1776108132,
+        "lastModified": 1776184481,
-        "narHash": "sha256-XViouXku09/lGDN4xpfUTejo+i9W09ecVEDYXqJdrwY=",
+        "narHash": "sha256-X4b1SRiUUhlp1ciL1pwHI5KvXmrM3A9zxb4GaeNkJ9I=",
         "path": "/home/m3tam3re/p/NIX/nixpkgs",
         "type": "path"
       },
@@ -672,11 +672,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1775763530,
+        "lastModified": 1775888245,
-        "narHash": "sha256-BuTK9z1QEwWPOIakQ1gCN4pa4VwVJpfptYCviy2uOGc=",
+        "narHash": "sha256-nwASzrRDD1JBEu/o8ekKYEXm/oJW6EMCzCRdrwcLe90=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b0188973b4b2a5b6bdba8b65381d6cd09a533da0",
+        "rev": "13043924aaa7375ce482ebe2494338e058282925",
         "type": "github"
       },
       "original": {

home/features/coding/pi.nix

@@ -3,18 +3,19 @@
     enable = true;
     agentsInput = inputs.agents;
 
-    container = {
+    externalSkills = [
-      enable = true;
+      {
-      name = "pi-agent";
+        src = inputs.skills-anthropic;
-      projectRoots = ["/home/m3tam3re/p"];
+        selectSkills = ["pdf" "docx" "frontend-design"];
-      autoStart = true;
+      }
-      autoNixDevelop = true;
+      {src = inputs.skills-vercel;}
-      extraRunArgs = [];
+      {src = inputs.skills-basecamp;}
-      extraEnv = {
+      {src = inputs.skills-kestra;}
-        NIX_CONFIG = "experimental-features = nix-command flakes";
+    ];
-      };
 
-    };
+    # Source materialized for m3ta.pi-agent wrapper sync into /var/lib/pi-agent/.pi/agent
+    # Use .pi/agents to match Pi's native directory layout.
+    path = ".pi/agents";
 
     modelOverrides = {
       chiron = "zai-coding-plan/glm-5.1";

hosts/m3-hermes/configuration.nix

@@ -30,6 +30,18 @@
     };
   };
 
+  security.sudo.extraRules = [
+    {
+      users = ["hermes"];
+      commands = [
+        {
+          command = "/run/current-system/sw/bin/podman";
+          options = ["NOPASSWD"];
+        }
+      ];
+    }
+  ];
+
   services.fstrim = {
     enable = true;
     interval = "weekly";

hosts/m3-kratos/configuration.nix

@@ -68,7 +68,7 @@
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
-  environment.systemPackages = with pkgs; [neovim git n8n];
+  environment.systemPackages = with pkgs; [neovim git];
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.

hosts/m3-kratos/services/default.nix

@@ -3,8 +3,9 @@
     ./containers
     ./hermes-agent.nix
     ./mem0.nix
-    ./n8n.nix
+    # ./n8n.nix
     ./netbird.nix
+    ./pi-agent.nix
     ./postgres.nix
     ./sound.nix
     ./udev.nix

hosts/m3-kratos/services/n8n.nix

@@ -1,6 +1,6 @@
 {lib, ...}: {
   services.n8n = {
-    enable = true;
+    enable = false;
     openFirewall = true;
     environment = {
       N8N_SECURE_COOKIE = "false";

hosts/m3-kratos/services/pi-agent.nix

@@ -0,0 +1,52 @@
+{config, ...}: let
+  cfg = config.m3ta.pi-agent;
+in {
+  m3ta.pi-agent = {
+    enable = true;
+    binaryName = "pi";
+
+    # Per-user policy map: authorized host users + their allowed project roots.
+    hostUsers = {
+      m3tam3re = {
+        projectRoots = ["~/p"];
+        # Optional (default comes from wrapper.hostConfigPath)
+        configPath = ".pi/agents";
+      };
+    };
+
+    wrapper = {
+      enable = true;
+      commandName = "pi";
+      hideDirectBinary = true;
+
+      # Sync Home Manager rendered Pi config from invoking user home.
+      hostConfigPath = ".pi/agents";
+    };
+  };
+
+  # Manage isolated pi-agent git identity via Home Manager (declarative + reusable pattern).
+  home-manager.users.${cfg.user} = {
+    home.username = cfg.user;
+    home.homeDirectory = cfg.stateDir;
+    home.stateVersion = "26.05";
+
+    programs.git = {
+      enable = true;
+      signing.format = null;
+      settings = {
+        user = {
+          name = "m3ta-chiron";
+          email = "m3ta-chiron@agentmail.to";
+        };
+        core.excludesfile = "~/.gitignore_global";
+        init.defaultBranch = "master";
+        alias = {
+          st = "status";
+          logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
+        };
+      };
+    };
+
+    home.file.".gitignore_global".text = "";
+  };
+}