Mount docker from persistence

Add python, ruby, go, custom paths.

flake.lock

@@ -3,16 +3,16 @@
     "brew-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1778427648,
-        "narHash": "sha256-pt9KaDGsMyYWB9JeHs4XGHs870f1lOZe3vx9LpVIhUE=",
+        "lastModified": 1781226006,
+        "narHash": "sha256-w4ZTuOnhYiDxjaynrMTASzp802QblBWmo3wpB8wVN4Y=",
         "owner": "Homebrew",
         "repo": "brew",
-        "rev": "6f293daa9f9f5832e13b497976335e90509886d7",
+        "rev": "109191be4988470b51a60a5ef1998520aa24c01b",
         "type": "github"
       },
       "original": {
         "owner": "Homebrew",
-        "ref": "5.1.11",
+        "ref": "6.0.1",
         "repo": "brew",
         "type": "github"
       }
@@ -24,11 +24,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1779036909,
-        "narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
+        "lastModified": 1781761792,
+        "narHash": "sha256-rCPytmKNjctLloB6UgK5CRrHSwV4b0ygxtJLPPp8R14=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "56c666e108467d87d13508936aade6d567f2a501",
+        "rev": "a1fa429e945becaf60468600daf649be4ba0350c",
         "type": "github"
       },
       "original": {
@@ -96,11 +96,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1779558945,
-        "narHash": "sha256-G9CDHTBQvOglYRistiZ2nHvyupowPIGwn0cOFlvzo10=",
+        "lastModified": 1781866110,
+        "narHash": "sha256-eysWGLqD/9ZshEAg1bj1O8QpJZ6UoDEpjWzBJaR6ono=",
         "ref": "refs/heads/main",
-        "rev": "438bd6ee8fb77d3f3de364913e58b8dd5ef8d982",
-        "revCount": 33,
+        "rev": "7fdd373d58137cdcddd8ba6f00ee06186affe5a5",
+        "revCount": 36,
         "type": "git",
         "url": "https://github.com/futureware-tech/nix.git"
       },
@@ -141,11 +141,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778507602,
-        "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
+        "lastModified": 1781733627,
+        "narHash": "sha256-U3yTuGBnmXvXoQI3qkpfEDsn9RovQPAjN7ndRco+3u0=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
+        "rev": "3bbec39bc90eadfa031e6f3b77272f3f60803e39",
         "type": "github"
       },
       "original": {
@@ -204,11 +204,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1779678629,
-        "narHash": "sha256-gHcIFg0mm+KFsg7iZQt67kni3+qR5U3PhEC9P7vKlZ4=",
+        "lastModified": 1781844424,
+        "narHash": "sha256-sWBr0D6eu6UhmtM87NOd4oOYilIclFXGDd/s7tVvO10=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "612bbe3b405ad5f71d7bf9edecc04b678a061652",
+        "rev": "c804fab681f03ec772390af4421bcc9bce80c1d9",
         "type": "github"
       },
       "original": {
@@ -219,11 +219,11 @@
     },
     "jail-nix": {
       "locked": {
-        "lastModified": 1772137954,
-        "narHash": "sha256-h4MGNbOo7L3RHi4uNFmsg5g17/DHXEfnv/xiG6BrNFQ=",
+        "lastModified": 1776230864,
+        "narHash": "sha256-YsEjjdOsGEzTeD+iT7ONh071BqWAOQWpzYVei3okAXE=",
         "owner": "~alexdavid",
         "repo": "jail.nix",
-        "rev": "42b355c38ca63dab4904acc5c0d95f17954a8c9b",
+        "rev": "404e7da9da5ab9aa643666682b2ba1312fa5fbe8",
         "type": "sourcehut"
       },
       "original": {
@@ -237,11 +237,11 @@
         "brew-src": "brew-src"
       },
       "locked": {
-        "lastModified": 1778851564,
-        "narHash": "sha256-p8wzcnpB2Iys+QzAKM9/Eyw/pUyqCO3sw/NCnDH4dTE=",
+        "lastModified": 1781389246,
+        "narHash": "sha256-ORqLAo/hoJdsZC7UPAuEHev6S0+XIqKEC7vjo5prz1k=",
         "owner": "zhaofengli",
         "repo": "nix-homebrew",
-        "rev": "b3a87b4793205cc111f3c61e25e018ffac3b8039",
+        "rev": "de7953a08ed4bb9245be043e468561c17b89130d",
         "type": "github"
       },
       "original": {
@@ -252,11 +252,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1779508470,
-        "narHash": "sha256-Ap9KJX+5xHIn3bPIpfNgT6MEXdAECECwo4/rmlQD74M=",
+        "lastModified": 1781577229,
+        "narHash": "sha256-lrp67w8AulE9Ks53n27I45ADSzbOCn4H+CNW1Ck8B+8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "29916453413845e54a65b8a1cf996842300cd299",
+        "rev": "567a49d1913ce81ac6e9582e3553dd90a955875f",
         "type": "github"
       },
       "original": {
@@ -266,22 +266,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-master": {
-      "locked": {
-        "lastModified": 1779694939,
-        "narHash": "sha256-Ly4j75O8ICaSQx3uxPnwk2x7PMF0XQvn5r0c3yBA7FI=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "f9d8b65950353691ab56561e7c73d2e1063d810b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "darwin": "darwin",
@@ -291,7 +275,6 @@
         "jail-nix": "jail-nix",
         "nix-homebrew": "nix-homebrew",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-master": "nixpkgs-master",
         "systems": "systems_2",
         "vscode-server": "vscode-server"
       }

flake.nix

@@ -3,7 +3,6 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-master.url = "github:nixos/nixpkgs/master";
     systems.url = "github:nix-systems/default";
     home-manager = {
       url = "github:nix-community/home-manager";
@@ -33,7 +32,6 @@
     {
       self,
       nixpkgs,
-      nixpkgs-master,
       systems,
       home-manager,
       vscode-server,
@@ -41,18 +39,8 @@
       ...
     }@inputs:
     let
+      homeManagerUser = "artem";
       eachSystem = nixpkgs.lib.genAttrs (import systems);
-      overlay-master = _: prev: {
-        inherit
-          (import nixpkgs-master {
-            system = prev.stdenv.hostPlatform.system;
-            config = {
-              allowUnfree = true;
-            };
-          })
-          antigravity-cli
-          ;
-      };
     in
     {
       checks = eachSystem (system: {
@@ -74,14 +62,14 @@
       nixosModules = {
         linux-headless = import ./modules/nixos/linux-headless.nix;
         linux-lxc = import ./modules/nixos/linux-lxc.nix;
+        jailed-agy = import ./modules/nixos/jailed-agy.nix;
       };
 
-      homeConfigurations."artem@deimos" = home-manager.lib.homeManagerConfiguration {
+      homeConfigurations."${homeManagerUser}@deimos" = home-manager.lib.homeManagerConfiguration {
         pkgs = import nixpkgs {
           system = "x86_64-linux";
-          overlays = [ overlay-master ];
         };
-        extraSpecialArgs.primaryUser = "artem";
+        extraSpecialArgs.primaryUser = homeManagerUser;
         modules = [
           inputs.fw_nix.nixosModules.identities
           vscode-server.homeModules.default
@@ -90,13 +78,13 @@
         ];
       };
 
-      homeConfigurations."artem@mars" = home-manager.lib.homeManagerConfiguration {
+      homeConfigurations."${homeManagerUser}@mars" = home-manager.lib.homeManagerConfiguration {
         pkgs = import nixpkgs {
           system = "x86_64-darwin";
-          overlays = [ overlay-master ];
+          config.allowDeprecatedx86_64Darwin = true;
         };
         extraSpecialArgs = {
-          primaryUser = "artem";
+          primaryUser = homeManagerUser;
         };
         modules = [
           inputs.fw_nix.nixosModules.identities
@@ -107,7 +95,7 @@
 
       darwinConfigurations.mars = darwin.lib.darwinSystem {
         system = "x86_64-darwin";
-        specialArgs.primaryUser = "artem";
+        specialArgs.primaryUser = homeManagerUser;
         modules = [
           inputs.fw_nix.nixosModules.identities
           self.darwinModules.mac-portable
@@ -117,31 +105,29 @@
           inputs.fw_nix.nixosModules.futureware
           inputs.nix-homebrew.darwinModules.nix-homebrew
           ./hosts/mars/darwin.nix
-          (_: {
-            nixpkgs.overlays = [ overlay-master ];
-          })
+          {
+            nixpkgs.config.allowDeprecatedx86_64Darwin = true;
+          }
         ];
       };
 
       nixosConfigurations.deimos = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {
-          primaryUser = "artem";
+          primaryUser = homeManagerUser;
           inherit (inputs) jail-nix;
         };
         modules = [
           inputs.fw_nix.nixosModules.identities
           self.nixosModules.linux-headless
           self.nixosModules.linux-lxc
+          self.nixosModules.jailed-agy
           inputs.fw_nix.nixosModules.nix-gc
           inputs.fw_nix.nixosModules.nix-settings
           inputs.fw_nix.nixosModules.tools
           inputs.fw_nix.nixosModules.sshd
           inputs.fw_nix.nixosModules.futureware
           ./hosts/deimos/nixos.nix
-          (_: {
-            nixpkgs.overlays = [ overlay-master ];
-          })
         ];
       };
 

hosts/deimos/nixos.nix

@@ -2,12 +2,8 @@
   pkgs,
   identities,
   primaryUser,
-  jail-nix,
   ...
 }:
-let
-  jail = jail-nix.lib.init pkgs;
-in
 {
   users.users.${primaryUser} = {
     uid = 1000;
@@ -24,56 +20,14 @@ in
 
   virtualisation.docker.enable = true;
 
+  nixpkgs.config.allowUnfree = true;
+
   environment.systemPackages = with pkgs; [
     # TODO: move below into hosts/deimos/home.nix
     sshfs
     nixd
     home-assistant-cli
     yt-dlp
-
-    # jailed-agy --yolo
-    (jail "jailed-agy" pkgs.antigravity-cli (
-      with jail.combinators;
-      [
-        network
-        time-zone
-        no-new-session
-        mount-cwd
-
-        (readwrite (noescape "~/.gemini"))
-        # The above is a stow-controlled symlink to the following.
-        (readwrite (noescape "~/dotfiles/legacy/.gemini"))
-
-        (add-pkg-deps (
-          with pkgs;
-          [
-            bashInteractive
-            curl
-            wget
-            jq
-            git
-            which
-            ripgrep
-            gnugrep
-            gnused
-            gawkInteractive
-            ps
-            findutils
-            gzip
-            unzip
-            gnutar
-            diffutils
-            coreutils
-            procps
-
-            python3
-            esphome
-
-            nix
-          ]
-        ))
-      ]
-    ))
   ];
 
   # For building RPi configs. Extra steps are handled by the host (nas).

legacy/.ssh/config

@@ -1,25 +0,0 @@
-Host *
-	# Share SSH connection.
-	# If disabling, consider impact on ssh agent forwarding in screen
-	# sessions (see .ssh/rc file).
-	ControlMaster auto
-	ControlPath ~/.ssh/ctl/%r@%h:%p
-	ControlPersist 10m
-	# When a shared connection is broken (remote reboot), detect it faster.
-	ServerAliveInterval 11
-	ServerAliveCountMax 2
-
-	ConnectTimeout 10
-	AddKeysToAgent yes
-
-#Host custom-host-with-xorg
-#	HostName custom-hostname
-#	User crate
-#	ForwardX11 yes
-#	ForwardX11Trusted yes
-
-#Host always-changing-keys-dont-care
-#	StrictHostKeyChecking no
-#	UserKnownHostsFile=/dev/null
-
-Include config.d/*

legacy/.ssh/rc

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# When SSH-ing with agent forwarding enabled, this variable is set by sshd
-# itself. However, an existing screen session that we attach to will not have
-# its SSH_AUTH_SOCK environment variable updated, so we hardcode this path in
-# .screenrc and create a symlink to keep it alive.
-#
-# It WILL break if two sessions are opened to a machine, and a newer one is
-# terminated. ControlMaster in .ssh/config solves this problem by sharing the
-# connection (and as a result, sharing SSH agent socket).
-[ -n "$SSH_AUTH_SOCK" ] && ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock

migrated/.vimrc

@@ -35,6 +35,9 @@ if exists("+undofile")
 	" Enable the persistent undo file(s)
 	set undodir=~/.vim/undo
 	set undofile
+	if !isdirectory(expand(&undodir))
+		call mkdir(expand(&undodir), "p")
+	endif
 endif
 
 set switchbuf+=usetab " Switch to existing tab; open a new tab for the new buf

migrated/.zshrc

@@ -62,7 +62,6 @@ alias grep='grep --line-buffered --color=auto'
 alias ipt='iptables -nvL --line-numbers'
 alias ip6t='ip6tables -nvL --line-numbers'
 alias tcpdump='tcpdump -l'
-alias ag='ag -C 2 --noaffinity --pager="$PAGER" --smart-case'
 alias mysql='mysql --select_limit=1000'
 alias logcat='adb logcat -v "color printable usec year zone" -T 10'
 alias readelf='readelf -W'
@@ -81,6 +80,10 @@ starttransfer: %{time_starttransfer} | \
 total: %{time_total} | \
 size: %{size_download}\n"'
 
+rg() {
+	command rg -C 2 --smart-case --pretty "$@" | pager
+}
+
 # nix-deploy # current host
 # nix-deploy nas # deploy nas
 # nix-deploy test secondary # deploy secondary but do not add to boot

modules/home/common.nix

@@ -13,7 +13,6 @@
     stow
     wget
     antigravity-cli
-    silver-searcher
     yubikey-manager
   ];
 
@@ -189,5 +188,49 @@
     '';
   };
 
+  programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+    includes = [ "config.d/*" ];
+
+    settings = {
+      "*" = {
+        # Share SSH connection.
+        # If disabling, consider impact on ssh agent forwarding in screen
+        # sessions (see .ssh/rc file).
+        ControlMaster = "auto";
+        ControlPath = "~/.ssh/ctl/%r@%h:%p";
+        ControlPersist = "10m";
+
+        # When a shared connection is broken (remote reboot), detect it faster.
+        ServerAliveInterval = 11;
+        ServerAliveCountMax = 2;
+
+        ConnectTimeout = 10;
+        AddKeysToAgent = "yes";
+      };
+    };
+  };
+
+  home.file = {
+    ".ssh/rc" = {
+      executable = true;
+      text = ''
+        #!/bin/sh
+
+        # When SSH-ing with agent forwarding enabled, this variable is set by sshd
+        # itself. However, an existing screen session that we attach to will not have
+        # its SSH_AUTH_SOCK environment variable updated, so we hardcode this path in
+        # .screenrc and create a symlink to keep it alive.
+        #
+        # It WILL break if two sessions are opened to a machine, and a newer one is
+        # terminated. ControlMaster in .ssh/config solves this problem by sharing the
+        # connection (and as a result, sharing SSH agent socket).
+        [ -n "$SSH_AUTH_SOCK" ] && ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
+      '';
+    };
+    ".ssh/ctl/.keep".text = "";
+  };
+
   home.stateVersion = "25.11"; # never modify
 }

modules/home/mac-portable.nix

@@ -35,6 +35,10 @@
     TripleClickSelectsFullWrappedLines = true;
     WordChars = "/-._~";
     PromptOnQuit = false;
+
+    # Use system browser to open links.
+    NoSyncBrowserUpsell = 1;
+    NoSyncBrowserUpsell_selection = 1;
   };
   home.file."Library/Application Support/iTerm2/DynamicProfiles/nix-profile.json".text =
     builtins.toJSON

modules/nixos/jailed-agy.nix

@@ -0,0 +1,148 @@
+{
+  config,
+  lib,
+  pkgs,
+  jail-nix,
+  primaryUser,
+  ...
+}:
+let
+  jail = jail-nix.lib.init pkgs;
+  allPackages =
+    with pkgs;
+    [
+      bashInteractive
+      curl
+      wget
+      jq
+      git
+      which
+      ripgrep
+      gnugrep
+      gnused
+      gawkInteractive
+      ps
+      findutils
+      gzip
+      unzip
+      gnutar
+      diffutils
+      coreutils
+      procps
+
+      python3
+      python3Packages.pip
+      esphome
+
+      ruby
+      go
+      gcc
+      gnumake
+      pkg-config
+
+      nix
+    ]
+    ++ config.programs.jailed-agy.extraPackages;
+in
+{
+  options.programs.jailed-agy = {
+    extraPackages = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [ ];
+      description = "Extra packages to append to the jailed-agy environment.";
+    };
+  };
+
+  config = {
+    environment.systemPackages = [
+      (jail "jailed-agy" pkgs.antigravity-cli (
+        with jail.combinators;
+        [
+          network
+          time-zone
+          no-new-session
+          mount-cwd
+
+          # Enforce that the wrapper is not run as root/privileged user
+          (add-runtime ''
+            if [ "$(id -u)" -eq 0 ]; then
+              echo "Error: jailed-agy must not be run as root/privileged user!" >&2
+              exit 1
+            fi
+          '')
+
+          # Automatically append --dangerously-skip-permissions to agy invocation
+          (set-argv [
+            "--dangerously-skip-permissions"
+            (noescape "\"$@\"")
+          ])
+
+          (readwrite (noescape "~/.gemini"))
+          # The above is a stow-controlled symlink to the following.
+          (readwrite (noescape "~/dotfiles/legacy/.gemini"))
+
+          # Enable easy installation of pip packages in the current directory.
+          (set-env "PYTHONPATH" (noescape "\"$PWD/.pip-packages\""))
+          (set-env "PIP_TARGET" (noescape "\"$PWD/.pip-packages\""))
+          (set-env "PIP_CACHE_DIR" (noescape "\"$PWD/.pip-cache\""))
+          (set-env "PIP_BREAK_SYSTEM_PACKAGES" "1")
+
+          # Enable easy installation and persistence of RubyGems in the current directory.
+          (set-env "GEM_HOME" (noescape "\"$PWD/.gem\""))
+
+          # Enable easy installation and persistence of Go modules and caches in the current directory.
+          (set-env "GOPATH" (noescape "\"$PWD/.go\""))
+          (set-env "GOCACHE" (noescape "\"$PWD/.go-cache\""))
+
+          # Preconfigure compiler and linker flags dynamically for all jail packages.
+          # This allows compiling Ruby gems (e.g. ffi, which requires libffi) and Go packages
+          # (e.g. YubiKey plugins, which require pcsclite) out-of-the-box.
+          (set-env "PKG_CONFIG_PATH" (
+            lib.concatStringsSep ":" (map (pkg: "${pkg.dev or pkg}/lib/pkgconfig") allPackages)
+          ))
+          (set-env "NIX_CFLAGS_COMPILE" (
+            lib.concatStringsSep " " (map (pkg: "-isystem ${pkg.dev or pkg}/include") allPackages)
+          ))
+          (set-env "NIX_LDFLAGS" (
+            lib.concatStringsSep " " (map (pkg: "-L${pkg.out or pkg}/lib") allPackages)
+          ))
+
+          # Mount system and user profiles so their packages are automatically available at runtime
+          (try-ro-bind "/run/current-system/sw" "/run/current-system/sw")
+          (try-ro-bind "/etc/profiles/per-user/${primaryUser}" "/etc/profiles/per-user/${primaryUser}")
+
+          # Mount Nix files and directories to support nix-shell and Nix operations in jail
+          (try-ro-bind "/nix/store" "/nix/store")
+          (try-ro-bind "/nix/var/nix/daemon-socket" "/nix/var/nix/daemon-socket")
+          (try-ro-bind "/nix/var/nix/profiles" "/nix/var/nix/profiles")
+          (try-ro-bind "/etc/nix" "/etc/nix")
+          (try-ro-bind "/etc/static" "/etc/static")
+
+          # Forward Nix environment variables
+          (try-fwd-env "NIX_REMOTE")
+          (try-fwd-env "NIX_PATH")
+          (try-fwd-env "NIX_SSL_CERT_FILE")
+
+          (add-pkg-deps allPackages)
+
+          # Prepend local project binary directories, system, and user bin paths to the jail's PATH.
+          # Note: We place this after `add-pkg-deps` so that local paths take highest precedence.
+          # We use explicit double quotes to allow bash to expand $PWD at runtime and handle spaces.
+          (
+            state:
+            state
+            // {
+              env = state.env // {
+                PATH =
+                  if state.env ? PATH && state.env.PATH != "" then
+                    "\"\$PWD/.gem/bin:\$PWD/.go/bin:\$PWD/.pip-packages/bin:/run/current-system/sw/bin:/etc/profiles/per-user/${primaryUser}/bin:${state.env.PATH}\""
+                  else
+                    "\"\$PWD/.gem/bin:\$PWD/.go/bin:\$PWD/.pip-packages/bin:/run/current-system/sw/bin:/etc/profiles/per-user/${primaryUser}/bin\"";
+              };
+            }
+          )
+        ]
+      ))
+    ];
+  };
+}

modules/nixos/linux-lxc.nix

@@ -48,6 +48,7 @@
       for item in \
           "mkdir -p:/var/lib/nixos" \
           "mkdir -p:/var/lib/systemd" \
+          "mkdir -p:/var/lib/docker" \
           "touch:/etc/machine-id" \
           "touch:/etc/ssh/ssh_host_ed25519_key" \
       ; do