2928c14adb Generate static mac-portable config 2026-05-14 16:40:54 +02:00
35e92af403 Create static build of mac-portable config 2026-05-14 14:36:47 +00:00
31 changed files with 1036 additions and 454 deletions

3
.gitignore vendored

@@ -6,6 +6,3 @@ result
# nix pre-commit autogenerated by devShell
/.pre-commit-config.yaml
# agy sessions
.antigravitycli


@@ -10,11 +10,11 @@ git clone git@github.com:dotdoom/dotfiles.git
cd dotfiles
```
Step 2 - stow.
Step 2 - if Nix is not an option.
```
stow migrated
stow legacy
stow exported/{machine}
```
Step 2 - Nix.
@@ -30,15 +30,12 @@ nix run \
## Layout
- `migrated`: files which are assets for home-manager, but can still be used to
stow
- `assets`: files which are assets for home-manager
- `legacy`: files to be placed under `$HOME` which are still under stow
- `hosts/*/{darwin,nixos,home}.nix`: personal machine nix configs
- `modules/{darwin,nixos,home}/*.nix`: exported nix configs
TODO: rename `migrated` to `assets` and create `exported` which would be the
exact mirror of nix-built configuration, but without nix (for machines where nix
can not be installed). That `exported` will then be used by stow.
- `exported`: for those poor souls who can not run nix, a pre-built collection
of files for `$HOME`, best effort
## Security


@@ -35,9 +35,6 @@ if exists("+undofile")
" Enable the persistent undo file(s)
set undodir=~/.vim/undo
set undofile
if !isdirectory(expand(&undodir))
call mkdir(expand(&undodir), "p")
endif
endif
set switchbuf+=usetab " Switch to existing tab; open a new tab for the new buf


@@ -62,6 +62,7 @@ alias grep='grep --line-buffered --color=auto'
alias ipt='iptables -nvL --line-numbers'
alias ip6t='ip6tables -nvL --line-numbers'
alias tcpdump='tcpdump -l'
alias ag='ag -C 2 --noaffinity --pager="$PAGER" --smart-case'
alias mysql='mysql --select_limit=1000'
alias logcat='adb logcat -v "color printable usec year zone" -T 10'
alias readelf='readelf -W'
@@ -80,10 +81,6 @@ starttransfer: %{time_starttransfer} | \
total: %{time_total} | \
size: %{size_download}\n"'
rg() {
command rg -C 2 --smart-case --pretty "$@" | pager
}
# nix-deploy # current host
# nix-deploy nas # deploy nas
# nix-deploy test secondary # deploy secondary but do not add to boot
@@ -128,22 +125,7 @@ nix-deploy() {
cmd=(nixos-rebuild)
command -v nixos-rebuild >/dev/null 2>&1 || cmd=(nix run "nixpkgs#nixos-rebuild" --)
nix build ".#nixosConfigurations.$config.config.system.build.toplevel" \
--out-link "result.$config" |& nom
local build_status=$pipestatus[1]
if (( build_status != 0 )); then
return $build_status
fi
if [[ "$action" != "build" ]]; then
# Bypass nixos-rebuild self-update check which errors in
# flake-only setups when --store-path is used.
_NIXOS_REBUILD_REEXEC=1 "${cmd[@]}" "$action" \
--store-path "$(readlink -f "result.$config")" \
--target-host "$target" \
--sudo \
"$@"
fi
"${cmd[@]}" "$action" --flake ".#$config" --target-host "$target" --sudo "$@" |& nom
}
myip() {
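Review bot: The new line `"${cmd[@]}" "$action" --flake ".#$config" --target-host "$target" --sudo "$@" |& nom` makes nix-deploy's exit status that of `nom` rather than of nixos-rebuild, so a failed deploy returns 0 to the caller unless `pipefail` is set somewhere outside this hunk; the removed lines captured `$pipestatus[1]` and returned it explicitly. Keep the pipeline and add `return $pipestatus[1]` as the following line, using the zsh array syntax the file already relies on. The opening line of nix-deploy is outside the hunk, as the hunk header shows.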

7
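--- /dev/null
+++ b/bin/export-home-config
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+CONFIG=$1
+OUT_DIR="exported/$CONFIG"
+STORE_PATH=$(nix build .#homeConfigurations."$CONFIG".activationPackage --extra-experimental-features 'nix-command flakes' --no-link --print-out-paths)
+mkdir -p "$OUT_DIR"
+cp -rL "$STORE_PATH/home-files/." "$OUT_DIR/"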
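Review bot: `CONFIG=$1` is used unchecked, so a missing argument evaluates `homeConfigurations.""` and sets `OUT_DIR` to `exported/`; `CONFIG=${1:?usage: ${0##*/} <homeConfiguration>}` fails early with a message instead. `cp -rL` merges into whatever is already in `exported/$CONFIG`, so files dropped from the home configuration survive from earlier exports and the directory stops being the exact mirror the README describes; `rm -rf -- "${OUT_DIR:?}"` before the `mkdir -p` keeps it a clean snapshot (the `:?` guard prevents an empty name from turning that into `rm -rf /`). Dereferencing symlinks copies file contents, but those contents still point into `/nix/store/...` (the exported `.zshenv`, `.zshrc` and direnvrc in this compare source store paths directly), so the result is not self-contained on a machine without a Nix store; a one-line comment at the top of the script stating that limitation would save the next reader a surprise.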



@@ -0,0 +1,3 @@
[global]
hide_env_diff = true
warn_timeout = "30s"


@@ -0,0 +1,603 @@
# -*- mode: sh -*-
# shellcheck shell=bash
# begin prologue inserted by resholve
NIX_DIRENV_FALLBACK_NIX=${NIX_DIRENV_FALLBACK_NIX:-/nix/store/bym3ycma17qshv526xjbdn2iayn6q7kr-nix-2.34.7/bin/nix}
# end prologue inserted by resholve
NIX_DIRENV_VERSION=3.1.1
# min required versions
BASH_MIN_VERSION=4.4
DIRENV_MIN_VERSION=2.21.3
_NIX_DIRENV_LOG_PREFIX="nix-direnv: "
_nix_direnv_info() {
log_status "${_NIX_DIRENV_LOG_PREFIX}$*"
}
_nix_direnv_warning() {
local msg=$*
local color_normal=""
local color_warning=""
if [[ -t 2 ]]; then
color_normal="\e[m"
color_warning="\e[33m"
fi
printf "%b" "$color_warning"
log_status "${_NIX_DIRENV_LOG_PREFIX}${msg}"
printf "%b" "$color_normal"
}
_nix_direnv_error() { log_error "${_NIX_DIRENV_LOG_PREFIX}$*"; }
_nix_direnv_nix=""
_nix() {
${_nix_direnv_nix} --no-warn-dirty --extra-experimental-features "nix-command flakes" "$@"
}
_require_version() {
local cmd=$1 raw_version=$2 version=${2%%[^0-9.]*} required=$3
if ! printf "%s\n" "$required" "$version" | LC_ALL=C /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/sort -c -V 2>/dev/null; then
_nix_direnv_error \
"minimum required $(/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/basename "$cmd") version is $required (installed: $raw_version)"
return 1
fi
}
_require_cmd_version() {
local cmd=$1 required=$2 version
if ! has "$cmd"; then
_nix_direnv_error "command not found: $cmd"
return 1
fi
version=$($cmd --version)
[[ $version =~ ([0-9]+\.[0-9]+(\.[0-9]+)?) ]]
_require_version "$cmd" "${BASH_REMATCH[1]}" "$required"
}
_nix_direnv_preflight() {
if [[ -z $direnv ]]; then
# shellcheck disable=2016
_nix_direnv_error '$direnv environment variable was not defined. Was this script run inside direnv?'
return 1
fi
# check command min versions
if [[ -z ${NIX_DIRENV_SKIP_VERSION_CHECK:-} ]]; then
# bash check uses $BASH_VERSION with _require_version instead of
# _require_cmd_version because _require_cmd_version uses =~ operator which would be
# a syntax error on bash < 3
if ! _require_version bash "$BASH_VERSION" "$BASH_MIN_VERSION" ||
# direnv stdlib defines $direnv
! _require_cmd_version "$direnv" "$DIRENV_MIN_VERSION"; then
return 1
fi
fi
if command -v nix >/dev/null 2>&1; then
_nix_direnv_nix=$(command -v nix)
elif [[ -n ${NIX_DIRENV_FALLBACK_NIX:-} ]]; then
_nix_direnv_nix="${NIX_DIRENV_FALLBACK_NIX}"
else
_nix_direnv_error "Could not find Nix binary, please add Nix to PATH or set NIX_DIRENV_FALLBACK_NIX"
return 1
fi
local layout_dir
layout_dir=$(direnv_layout_dir)
if [[ ! -d "$layout_dir/bin" ]]; then
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/mkdir -p "$layout_dir/bin"
fi
# N.B. This script relies on variable expansion in *this* shell.
# (i.e. The written out file will have the variables expanded)
# If the source path changes, the script becomes broken.
# Because direnv_layout_dir is user controlled,
# we can't assume to be able to reverse it to get the source dir
# So there's little to be done about this.
# Remove first to handle case where file is owned by a different user
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/rm -f "${layout_dir}/bin/nix-direnv-reload"
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/cat >"${layout_dir}/bin/nix-direnv-reload" <<-EOF
#!/usr/bin/env bash
set -e
if [[ ! -d "$PWD" ]]; then
echo "Cannot find source directory; Did you move it?"
echo "(Looking for "$PWD")"
echo 'Cannot force reload with this script - use "direnv reload" manually and then try again'
exit 1
fi
# rebuild the cache forcefully
_nix_direnv_force_reload=1 direnv exec "$PWD" true
# Update the mtime for .envrc.
# This will cause direnv to reload again - but without re-building.
touch "$PWD/.envrc"
# Also update the timestamp of whatever profile_rc we have.
# This makes sure that we know we are up to date.
touch -r "$PWD/.envrc" "${layout_dir}"/*.rc
EOF
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/chmod +x "${layout_dir}/bin/nix-direnv-reload"
PATH_add "${layout_dir}/bin"
}
# Usage: nix_direnv_version <version_at_least>
#
# Checks that the nix-direnv version is at least as old as <version_at_least>.
nix_direnv_version() {
_require_version nix-direnv $NIX_DIRENV_VERSION "$1"
}
_nix_export_or_unset() {
local key=$1 value=$2
if [[ $value == __UNSET__ ]]; then
unset "$key"
else
export "$key=$value"
fi
}
_nix_import_env() {
local profile_rc=$1
local -A values_to_restore=(
["NIX_BUILD_TOP"]=${NIX_BUILD_TOP:-__UNSET__}
["TMP"]=${TMP:-__UNSET__}
["TMPDIR"]=${TMPDIR:-__UNSET__}
["TEMP"]=${TEMP:-__UNSET__}
["TEMPDIR"]=${TEMPDIR:-__UNSET__}
["terminfo"]=${terminfo:-__UNSET__}
)
local old_xdg_data_dirs=${XDG_DATA_DIRS:-}
# On the first run in manual mode, the profile_rc does not exist.
if [[ ! -e $profile_rc ]]; then
return
fi
eval "$(<"$profile_rc")"
# `nix print-dev-env` will create a temporary directory and use it as TMPDIR
# We cannot rely on this directory being available at all times,
# as it may be garbage collected.
# Instead - just remove it immediately.
# Use recursive & force as it may not be empty.
if [[ -n ${NIX_BUILD_TOP+x} && $NIX_BUILD_TOP == */nix-shell.* && -d $NIX_BUILD_TOP ]]; then
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/rm -rf "$NIX_BUILD_TOP"
fi
for key in "${!values_to_restore[@]}"; do
_nix_export_or_unset "$key" "${values_to_restore[${key}]}"
done
local new_xdg_data_dirs=${XDG_DATA_DIRS:-}
export XDG_DATA_DIRS=
local IFS=:
for dir in $new_xdg_data_dirs${old_xdg_data_dirs:+:}$old_xdg_data_dirs; do
dir="${dir%/}" # remove trailing slashes
if [[ :$XDG_DATA_DIRS: == *:$dir:* ]]; then
continue # already present, skip
fi
XDG_DATA_DIRS="$XDG_DATA_DIRS${XDG_DATA_DIRS:+:}$dir"
done
}
_nix_add_gcroot() {
local storepath=$1
local symlink=$2
_nix build --out-link "$symlink" "$storepath"
}
_nix_refresh_gcroots() {
# Use touch to update all symlinks' timestamps to prevent nh
# from garbage collecting the frequently used direnv environment.
local layout_dir
layout_dir=$(direnv_layout_dir)
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/touch -h "${layout_dir}"/flake-profile-* "${layout_dir}"/flake-inputs/* "${layout_dir}"/nix-profile-*
}
_nix_clean_old_gcroots() {
local layout_dir=$1
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/rm -rf "$layout_dir/flake-inputs/"
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/rm -f "$layout_dir"/{nix,flake}-profile*
}
_nix_argsum_suffix() {
local out checksum
if [ -n "$1" ]; then
if has sha1sum; then
out=$(/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/sha1sum <<<"$1")
elif has shasum; then
out=$(shasum <<<"$1")
else
# degrade gracefully both tools are not present
return
fi
read -r checksum _ <<<"$out"
echo "-$checksum"
fi
}
nix_direnv_watch_file() {
# shellcheck disable=2016
log_error '`nix_direnv_watch_file` is deprecated - use `watch_file`'
watch_file "$@"
}
_nix_direnv_watches() {
local -n _watches=$1
if [[ -z ${DIRENV_WATCHES-} ]]; then
return
fi
while IFS= read -r line; do
local regex='"[Pp]ath": "(.+)"$'
if [[ $line =~ $regex ]]; then
local path="${BASH_REMATCH[1]}"
if [[ $path == "${XDG_DATA_HOME:-${HOME:-/var/empty}/.local/share}/direnv/allow/"* ]]; then
continue
fi
# expand new lines and other json escapes
# shellcheck disable=2059
path=$(printf "$path")
_watches+=("$path")
fi
done < <($direnv show_dump "${DIRENV_WATCHES}")
}
: "${_nix_direnv_manual_reload:=0}"
nix_direnv_manual_reload() {
_nix_direnv_manual_reload=1
}
: "${_nix_direnv_allow_fallback:=1}"
nix_direnv_disallow_fallback() {
_nix_direnv_info "Fallback disallowed"
_nix_direnv_allow_fallback=0
}
_nix_direnv_warn_manual_reload() {
if [[ -e $1 ]]; then
_nix_direnv_warning 'cache is out of date. use "nix-direnv-reload" to reload'
else
_nix_direnv_warning 'cache does not exist. use "nix-direnv-reload" to create it'
fi
}
use_flake() {
if ! _nix_direnv_preflight; then
return 1
fi
flake_expr="${1:-.}"
flake_uri="${flake_expr%#*}"
flake_dir=${flake_uri#"path:"}
if [[ $flake_expr == -* ]]; then
local message="the first argument must be a flake expression"
if [[ -n ${2:-} ]]; then
_nix_direnv_error "$message"
return 1
else
_nix_direnv_error "$message. did you mean 'use flake . $1'?"
return 1
fi
fi
local files_to_watch
files_to_watch=("$HOME/.direnvrc" "$HOME/.config/direnv/direnvrc")
if [[ -d $flake_dir ]]; then
files_to_watch+=("$flake_dir/flake.nix" "$flake_dir/flake.lock" "$flake_dir/devshell.toml")
fi
watch_file "${files_to_watch[@]}"
local layout_dir profile
layout_dir=$(direnv_layout_dir)
profile="${layout_dir}/flake-profile$(_nix_argsum_suffix "$flake_expr")"
local profile_rc="${profile}.rc"
local flake_inputs="${layout_dir}/flake-inputs/"
local watches
_nix_direnv_watches watches
local profile_missing=0
if [[ ! -e $profile ]]; then
_nix_direnv_info "cache invalidated: profile ($profile) does not exist"
profile_missing=1
fi
local profile_rc_missing=0
if [[ ! -e $profile_rc ]]; then
_nix_direnv_info "cache invalidated: profile_rc ($profile_rc) does not exist"
profile_rc_missing=1
fi
local file_nt_profilerc=0
local file=
local newer_files
for file in "${watches[@]}"; do
if [[ $file -nt $profile_rc ]]; then
newer_files+=("$file")
file_nt_profilerc=1
fi
done
if [[ $file_nt_profilerc -eq 1 ]]; then
_nix_direnv_info "cache invalidated: files newer than cache:"
echo -n "$_NIX_DIRENV_LOG_PREFIX" >/dev/stderr
printf "%s\n" "${newer_files[@]}" >/dev/stderr
fi
if [[ $profile_missing -eq 1 || $profile_rc_missing -eq 1 || $file_nt_profilerc -eq 1 ]]; then
if [[ $_nix_direnv_manual_reload -eq 1 && -z ${_nix_direnv_force_reload-} ]]; then
_nix_direnv_warn_manual_reload "$profile_rc"
else
local tmp_profile_rc
local tmp_profile="${layout_dir}/flake-tmp-profile.$$"
if tmp_profile_rc=$(_nix print-dev-env --profile "$tmp_profile" "$@"); then
# If we've gotten here, the user's current devShell is valid and we should cache it
_nix_clean_old_gcroots "$layout_dir"
# We need to update our cache
echo "$tmp_profile_rc" >"$profile_rc"
_nix_add_gcroot "$tmp_profile" "$profile"
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/rm -f "$tmp_profile" "$tmp_profile"*
# also add garbage collection root for source
local flake_input_paths
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/mkdir -p "$flake_inputs"
flake_input_paths=$(_nix flake archive \
--json --no-write-lock-file \
-- "$flake_uri")
while [[ $flake_input_paths =~ /nix/store/[^\"]+ ]]; do
local store_path="${BASH_REMATCH[0]}"
_nix_add_gcroot "${store_path}" "${flake_inputs}/${store_path##*/}"
flake_input_paths="${flake_input_paths/${store_path}/}"
done
_nix_direnv_info "Renewed cache"
else
# The user's current flake failed to evaluate,
# but there is already a prior profile_rc,
# which is probably more useful than nothing.
# Fallback to use that (which means just leaving profile_rc alone!)
if [[ $_nix_direnv_allow_fallback -eq 1 ]]; then
_nix_direnv_warning "Evaluating current devShell failed. Falling back to previous environment!"
export NIX_DIRENV_DID_FALLBACK=1
else
return 1
fi
fi
fi
else
if [[ -e ${profile_rc} ]]; then
# Our cache is valid, use that
_nix_direnv_info "Using cached dev shell"
_nix_refresh_gcroots
else
# We don't have a profile_rc to use!
_nix_direnv_error "use_flake failed - Is your flake's devShell working?"
return 1
fi
fi
_nix_import_env "$profile_rc"
}
use_nix() {
if ! _nix_direnv_preflight; then
return 1
fi
local layout_dir path version
layout_dir=$(direnv_layout_dir)
if path=$(/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/realpath -e "$(_nix eval --impure --expr "<nixpkgs>" 2>/dev/null)"); then
if [[ -f "${path}/.version-suffix" ]]; then
version=$(<"${path}/.version-suffix")
elif [[ -f "${path}/.git/HEAD" ]]; then
local head
read -r head <"${path}/.git/HEAD"
local regex="ref: (.*)"
if [[ $head =~ $regex ]]; then
read -r version <"${path}/.git/${BASH_REMATCH[1]}"
else
version="$head"
fi
elif [[ -f "${path}/.version" && ${path} == "/nix/store/"* ]]; then
# borrow some bits from the store path
local version_prefix
read -r version_prefix < <(
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/cat "${path}/.version"
echo
)
version="${version_prefix}-${path:11:16}"
fi
fi
local profile
profile="${layout_dir}/nix-profile-${version:-unknown}$(_nix_argsum_suffix "$*")"
local profile_rc="${profile}.rc"
local in_packages=0
local attribute=
local packages=""
local extra_args=()
local nixfile=
if [[ -e "shell.nix" ]]; then
nixfile="./shell.nix"
elif [[ -e "default.nix" ]]; then
nixfile="./default.nix"
fi
while [[ $# -gt 0 ]]; do
i="$1"
shift
case $i in
-p | --packages)
in_packages=1
;;
--command | --run | --exclude)
# These commands are unsupported
# ignore them
shift
;;
--pure | -i | --keep)
# These commands are unsupported (but take no argument)
# ignore them
;;
--include | -I)
extra_args+=("$i" "${1:-}")
shift
;;
--attr | -A)
attribute="${1:-}"
shift
;;
--option | -o | --arg | --argstr)
extra_args+=("$i" "${1:-}" "${2:-}")
shift
shift
;;
-*)
# Other arguments are assumed to be of a single arg form
# (--foo=bar or -j4)
extra_args+=("$i")
;;
*)
if [[ $in_packages -eq 1 ]]; then
packages+=" $i"
else
nixfile=$i
fi
;;
esac
done
watch_file "$HOME/.direnvrc" "$HOME/.config/direnv/direnvrc" "shell.nix" "default.nix"
local watches
_nix_direnv_watches watches
local profile_missing=0
if [[ ! -e $profile ]]; then
_nix_direnv_info "cache invalidated: profile ($profile) does not exist"
profile_missing=1
fi
local profile_rc_missing=0
if [[ ! -e $profile_rc ]]; then
_nix_direnv_info "cache invalidated: profile_rc ($profile_rc) does not exist"
profile_rc_missing=1
fi
local file_nt_profilerc=0
local file=
local newer_files
for file in "${watches[@]}"; do
if [[ $file -nt $profile_rc ]]; then
newer_files+=("$file")
file_nt_profilerc=1
fi
done
if [[ $file_nt_profilerc -eq 1 ]]; then
_nix_direnv_info "cache invalidated: files newer than cache:"
echo -n "$_NIX_DIRENV_LOG_PREFIX" >/dev/stderr
printf "%s\n" "${newer_files[@]}" >/dev/stderr
fi
if [[ $profile_missing -eq 1 || $profile_rc_missing -eq 1 || $file_nt_profilerc -eq 1 ]]; then
if [[ $_nix_direnv_manual_reload -eq 1 && -z ${_nix_direnv_force_reload-} ]]; then
_nix_direnv_warn_manual_reload "$profile_rc"
else
local tmp_profile="${layout_dir}/nix-tmp-profile.$$"
local tmp_profile_rc
if [[ -n $packages ]]; then
extra_args+=("--expr" "with import <nixpkgs> {}; mkShell { buildInputs = [ $packages ]; }")
else
extra_args+=("--file" "$nixfile" --arg inNixShell true)
if [[ -n $attribute ]]; then
extra_args+=("$attribute")
fi
fi
# Some builtin nix tooling depends on this variable being set BEFORE their invocation to change their behavior
# (notably haskellPackages.developPackage returns an env if this is set)
# This allows us to more closely mimic nix-shell.
export IN_NIX_SHELL="impure"
if tmp_profile_rc=$(_nix \
print-dev-env \
--profile "$tmp_profile" \
--impure \
"${extra_args[@]}"); then
_nix_clean_old_gcroots "$layout_dir"
echo "$tmp_profile_rc" >"$profile_rc"
_nix_add_gcroot "$tmp_profile" "$profile"
/nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/rm -f "$tmp_profile" "$tmp_profile"*
_nix_direnv_info "Renewed cache"
else
if [[ $_nix_direnv_allow_fallback -eq 1 ]]; then
_nix_direnv_warning "Evaluating current nix shell failed. Falling back to previous environment!"
export NIX_DIRENV_DID_FALLBACK=1
else
unset IN_NIX_SHELL
return 1
fi
fi
fi
else
if [[ -e ${profile_rc} ]]; then
_nix_direnv_info "Using cached dev shell"
_nix_refresh_gcroots
else
_nix_direnv_error "use_nix failed - Is your nix shell working?"
unset IN_NIX_SHELL
return 1
fi
fi
_nix_import_env "$profile_rc"
}
### resholve directives (auto-generated) ## format_version: 3
# resholve: fake builtin:PATH_add
# resholve: fake builtin:direnv_layout_dir
# resholve: fake builtin:has
# resholve: fake builtin:log_error
# resholve: fake builtin:log_status
# resholve: fake builtin:watch_file
# resholve: fake external:nix
# resholve: fake function:shasum
# resholve: keep $NIX_DIRENV_FALLBACK_NIX
# resholve: keep $_nix_direnv_nix
# resholve: keep $ambient_nix
# resholve: keep $cmd
# resholve: keep $direnv
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/basename
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/cat
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/chmod
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/mkdir
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/realpath
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/rm
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/sha1sum
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/sort
# resholve: keep /nix/store/imxdgy6dqqmhb3mzzxg14zkfxx9vc1w0-coreutils-9.10/bin/touch


@@ -0,0 +1,83 @@
set -g default-terminal "screen"
set -g base-index 0
setw -g pane-base-index 0
set -g status-keys vi
set -g mode-keys vi
bind -N "Select pane to the left of the active pane" h select-pane -L
bind -N "Select pane below the active pane" j select-pane -D
bind -N "Select pane above the active pane" k select-pane -U
bind -N "Select pane to the right of the active pane" l select-pane -R
bind -r -N "Resize the pane left by 5" \
H resize-pane -L 5
bind -r -N "Resize the pane down by 5" \
J resize-pane -D 5
bind -r -N "Resize the pane up by 5" \
K resize-pane -U 5
bind -r -N "Resize the pane right by 5" \
L resize-pane -R 5
# rebind main key: C-a
unbind C-b
set -g prefix C-a
bind -N "Send the prefix key through to the application" \
C-a send-prefix
set -g mouse on
set -g focus-events off
setw -g aggressive-resize off
setw -g clock-mode-style 12
set -s escape-time 0
set -g history-limit 10240
set-environment -g SSH_AUTH_SOCK $HOME/.ssh/ssh_auth_sock
set-option -g update-environment "DISPLAY SSH_ASKPASS SSH_AGENT_PID SSH_CONNECTION"
# Instead of flashing or beeping, blink the window in status.
set -g visual-bell off
set -g monitor-activity on
set -g bell-action none
set -g window-status-activity-style "fg=yellow,blink"
# Requires support from terminal (e.g. iTerm2).
set -s set-clipboard on
# For scrolling through logs.
bind y set-window-option synchronize-panes
# Panel configuration.
bind | split-window -h -c "#{pane_current_path}"
bind - split-window -v -c "#{pane_current_path}"
bind Enter resize-pane -Z
# Navigation.
bind -n M-Up new-window -c "#{pane_current_path}"
bind -n M-Down confirm-before -p "kill-window #W? (y/n)" kill-window
bind -n M-Left previous-window
bind -n M-Right next-window
# Status bar.
set -g status-interval 5
set -g status-position bottom
set -g status-style "bg=default,fg=white"
set -g status-left-length 20
set -g status-left "#[fg=green,bold]#H #[fg=white]| "
set -g status-right-length 60
set -g status-right "#[fg=cyan]%H:%M%Z %d.%m.%Y #[fg=white]| #[fg=yellow]Load: #(cut -d ' ' -f 1-3 /proc/loadavg)"
set -g status-justify left
set -g window-status-format "#[fg=white,dim]#I:#W#F"
set -g window-status-current-format "#[fg=white,bold,bg=blue] #I:#W#F "



@@ -0,0 +1,27 @@
# Environment variables
. "/nix/store/qvbn8gycz1r5r2n7ffx60258jwhsf9qs-hm-session-vars.sh/etc/profile.d/hm-session-vars.sh"
# Only source this once
if [[ -z "$__HM_ZSH_SESS_VARS_SOURCED" ]]; then
export __HM_ZSH_SESS_VARS_SOURCED=1
fi
[ -r ~/.zshenv_local ] && source ~/.zshenv_local || true
# Can't use ssh-agent-mux to mux Secretive and yubikey-agent:
# https://github.com/overhacked/ssh-agent-mux/issues/56
# export SSH_AUTH_SOCK=~/.ssh/ssh-agent-mux.sock
# Can't use Secretive to SSH using PIV from Yubikey:
# https://github.com/maxgoedjen/secretive/issues/330
#
# If PIV entry was generated by yubikey-agent, Secretive may not see it at
# all. Running 'ykman piv objects generate chuid' should fix that.
# https://github.com/maxgoedjen/secretive/issues/333
# See README.md "Security" section to learn how we create keys.
# Setting IdentityAgent in SSH config achieves a similar result, but doesn't
# work with commit signing.
export SSH_AUTH_SOCK=~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh


@@ -0,0 +1,41 @@
typeset -U path cdpath fpath manpath
for profile in ${(z)NIX_PROFILES}; do
fpath+=($profile/share/zsh/site-functions $profile/share/zsh/$ZSH_VERSION/functions $profile/share/zsh/vendor-completions)
done
HELPDIR="/nix/store/0vkfqzpklvs9nmx6439vqwvlzwryd60j-zsh-5.9/share/zsh/$ZSH_VERSION/help"
autoload -U compinit && compinit
# History options should be set in .zshrc and after oh-my-zsh sourcing.
# See https://github.com/nix-community/home-manager/issues/177.
HISTSIZE="10000"
SAVEHIST="10000"
HISTFILE="/Users/empty/.zsh_history"
mkdir -p "$(dirname "$HISTFILE")"
# Set shell options
set_opts=(
HIST_FCNTL_LOCK HIST_IGNORE_DUPS HIST_IGNORE_SPACE SHARE_HISTORY
NO_APPEND_HISTORY NO_EXTENDED_HISTORY NO_HIST_EXPIRE_DUPS_FIRST
NO_HIST_FIND_NO_DUPS NO_HIST_IGNORE_ALL_DUPS NO_HIST_SAVE_NO_DUPS
)
for opt in "${set_opts[@]}"; do
setopt "$opt"
done
unset opt set_opts
# Outside NixOS, we need to load this manually. Same on MacOS, if
# /etc/zshrc is reset to its default content (post-upgrade).
if [ -r /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
fi
if [ -r ~/dotfiles/assets/.zshrc ]; then
# Hack for faster iterations
. ~/dotfiles/assets/.zshrc
else
. /nix/store/036d8d9k0wqwsg88azvzb8lb02hd22n2-.zshrc
fi
eval "$(/nix/store/wjg69ndjcayriaav4rqrfq93rqn8hsq4-direnv-2.37.1/bin/direnv hook zsh)"


@@ -0,0 +1 @@
{"Profiles":[{"Columns":160,"Guid":"17DF2CCB-C7CD-4BCC-AC28-666DD6C8AF4A","Mouse Reporting":true,"Name":"Nix-Managed","Normal Font":"Menlo-Regular 13","Rows":45}]}


@@ -0,0 +1 @@
/nix/store/f1p62r5lq4ilsj6kla8mmzfqj4q57x45-home-manager-fonts

52
flake.lock generated

@@ -3,16 +3,16 @@
"brew-src": {
"flake": false,
"locked": {
"lastModified": 1781226006,
"narHash": "sha256-w4ZTuOnhYiDxjaynrMTASzp802QblBWmo3wpB8wVN4Y=",
"lastModified": 1778146321,
"narHash": "sha256-HeBwuJmuBioZHyZqDOcf7W/xsMFupSD583v6I5Cl7a8=",
"owner": "Homebrew",
"repo": "brew",
"rev": "109191be4988470b51a60a5ef1998520aa24c01b",
"rev": "af835384ac574f76025adb38b292b04cecee1f1f",
"type": "github"
},
"original": {
"owner": "Homebrew",
"ref": "6.0.1",
"ref": "5.1.10",
"repo": "brew",
"type": "github"
}
@@ -24,11 +24,11 @@
]
},
"locked": {
"lastModified": 1781761792,
"narHash": "sha256-rCPytmKNjctLloB6UgK5CRrHSwV4b0ygxtJLPPp8R14=",
"lastModified": 1777780666,
"narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
"owner": "nix-darwin",
"repo": "nix-darwin",
"rev": "a1fa429e945becaf60468600daf649be4ba0350c",
"rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
"type": "github"
},
"original": {
@@ -96,11 +96,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1781866110,
"narHash": "sha256-eysWGLqD/9ZshEAg1bj1O8QpJZ6UoDEpjWzBJaR6ono=",
"lastModified": 1778705491,
"narHash": "sha256-LOZbixhLsv2QbUbqH+I06eRMAI7FBDDkGoMWH523OkE=",
"ref": "refs/heads/main",
"rev": "7fdd373d58137cdcddd8ba6f00ee06186affe5a5",
"revCount": 36,
"rev": "b6fb4221bd5f54bc427de84230e0c95952399c21",
"revCount": 25,
"type": "git",
"url": "https://github.com/futureware-tech/nix.git"
},
@@ -141,11 +141,11 @@
]
},
"locked": {
"lastModified": 1781733627,
"narHash": "sha256-U3yTuGBnmXvXoQI3qkpfEDsn9RovQPAjN7ndRco+3u0=",
"lastModified": 1778507602,
"narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "3bbec39bc90eadfa031e6f3b77272f3f60803e39",
"rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
"type": "github"
},
"original": {
@@ -204,11 +204,11 @@
]
},
"locked": {
"lastModified": 1781844424,
"narHash": "sha256-sWBr0D6eu6UhmtM87NOd4oOYilIclFXGDd/s7tVvO10=",
"lastModified": 1778503501,
"narHash": "sha256-08L/X4/do7nET4rzidJ76eV/1r+mB7DchVpdPypsghc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c804fab681f03ec772390af4421bcc9bce80c1d9",
"rev": "85ba629c79449badf4338117c27f0ee92b4b9f1a",
"type": "github"
},
"original": {
@@ -219,11 +219,11 @@
},
"jail-nix": {
"locked": {
"lastModified": 1776230864,
"narHash": "sha256-YsEjjdOsGEzTeD+iT7ONh071BqWAOQWpzYVei3okAXE=",
"lastModified": 1772137954,
"narHash": "sha256-h4MGNbOo7L3RHi4uNFmsg5g17/DHXEfnv/xiG6BrNFQ=",
"owner": "~alexdavid",
"repo": "jail.nix",
"rev": "404e7da9da5ab9aa643666682b2ba1312fa5fbe8",
"rev": "42b355c38ca63dab4904acc5c0d95f17954a8c9b",
"type": "sourcehut"
},
"original": {
@@ -237,11 +237,11 @@
"brew-src": "brew-src"
},
"locked": {
"lastModified": 1781389246,
"narHash": "sha256-ORqLAo/hoJdsZC7UPAuEHev6S0+XIqKEC7vjo5prz1k=",
"lastModified": 1778332591,
"narHash": "sha256-ctJ3ADtugrnbMfMBobA645gCqXVIyHnsCNMkVaIuSiM=",
"owner": "zhaofengli",
"repo": "nix-homebrew",
"rev": "de7953a08ed4bb9245be043e468561c17b89130d",
"rev": "7d0038b5bb60568ec41f5f4ef5067cd221ca7c0d",
"type": "github"
},
"original": {
@@ -252,11 +252,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1781577229,
"narHash": "sha256-lrp67w8AulE9Ks53n27I45ADSzbOCn4H+CNW1Ck8B+8=",
"lastModified": 1777954456,
"narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "567a49d1913ce81ac6e9582e3553dd90a955875f",
"rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
"type": "github"
},
"original": {


@@ -39,7 +39,13 @@
...
}@inputs:
let
homeManagerUser = "artem";
trustedSSHKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxRBsFGa8OFbviYDGSAKLgfm/K2XUxvCo+31FW37yab artem"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPAtIXXHm58julnr7S0xzBTM1jN5JkKxOL4JpuWDOa2jAAAABHNzaDo= office-dock-usb-a"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHY1xx0huqV6Mcc2WngYDabITeNUbGamJ8//206MxxVTAAAABHNzaDo= keychain-usb-c"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHzY2eOz+JdaKOpIgZbF5FsZzQy0l8vPJjAQdTpBFGsoAAAABHNzaDo= safe"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJg7zQ4H0LQeQcILZBwCzQ+MYKtCgKm7HPe9oFeoyprKZXAvpm+HDHtaYdU39JF9f+nvRztzXuMhgETAQMAQCkc= fingerprint@macbook"
];
eachSystem = nixpkgs.lib.genAttrs (import systems);
in
{
@@ -47,6 +53,13 @@
pre-commit-check = inputs.git-hooks.lib.${system}.run (
{
src = ./.;
excludes = [ "^exported/" ];
hooks.export-mac-portable = {
enable = nixpkgs.lib.hasInfix "darwin" system;
name = "Build static mac-portable home directory files";
entry = "bin/export-home-config mac-portable && git add exported/mac-portable";
pass_filenames = false;
};
}
// inputs.fw_nix.lib.pre-commit
);
@@ -62,66 +75,62 @@
nixosModules = {
linux-headless = import ./modules/nixos/linux-headless.nix;
linux-lxc = import ./modules/nixos/linux-lxc.nix;
jailed-agy = import ./modules/nixos/jailed-agy.nix;
};
homeConfigurations."${homeManagerUser}@deimos" = home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs {
system = "x86_64-linux";
};
extraSpecialArgs.primaryUser = homeManagerUser;
homeConfigurations."artem@deimos" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs.primaryUser = "artem";
modules = [
inputs.fw_nix.nixosModules.identities
vscode-server.homeModules.default
self.homeModules.linux-headless
./hosts/deimos/home.nix
];
};
homeConfigurations."${homeManagerUser}@mars" = home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs {
system = "x86_64-darwin";
config.allowDeprecatedx86_64Darwin = true;
};
homeConfigurations."artem@mars" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-darwin;
extraSpecialArgs = {
primaryUser = homeManagerUser;
primaryUser = "artem";
inherit trustedSSHKeys;
};
modules = [
inputs.fw_nix.nixosModules.identities
self.homeModules.mac-portable
./hosts/mars/home.nix
];
};
homeConfigurations.mac-portable = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-darwin;
extraSpecialArgs.primaryUser = "empty";
modules = [ self.homeModules.mac-portable ];
};
darwinConfigurations.mars = darwin.lib.darwinSystem {
system = "x86_64-darwin";
specialArgs.primaryUser = homeManagerUser;
specialArgs.primaryUser = "artem";
modules = [
inputs.fw_nix.nixosModules.identities
self.darwinModules.mac-portable
inputs.fw_nix.nixosModules.nix-gc
inputs.fw_nix.nixosModules.nix-settings
inputs.fw_nix.nixosModules.tools
inputs.fw_nix.nixosModules.nix-settings
inputs.fw_nix.nixosModules.futureware
inputs.nix-homebrew.darwinModules.nix-homebrew
./hosts/mars/darwin.nix
{
nixpkgs.config.allowDeprecatedx86_64Darwin = true;
}
];
};
nixosConfigurations.deimos = nixpkgs.lib.nixosSystem {
nixosConfigurations.deimos =
let
system = "x86_64-linux";
in
nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
primaryUser = homeManagerUser;
inherit trustedSSHKeys;
inherit (inputs) jail-nix;
};
modules = [
inputs.fw_nix.nixosModules.identities
self.nixosModules.linux-headless
self.nixosModules.linux-lxc
self.nixosModules.jailed-agy
inputs.fw_nix.nixosModules.nix-gc
inputs.fw_nix.nixosModules.nix-settings
inputs.fw_nix.nixosModules.tools
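Review bot: `homeConfigurations.mac-portable` in the third hunk sets `extraSpecialArgs.primaryUser = "empty"`, and the exported files elsewhere in this compare are anchored to that placeholder — the generated `.zshrc` contains `HISTFILE="/Users/empty/.zsh_history"` followed by `mkdir -p "$(dirname "$HISTFILE")"` — so on any machine whose user is not literally `empty` every shell start will try to create `/Users/empty`. Either state in the README that the export assumes that user name, or have the export step rewrite the placeholder home prefix to the real home directory; I have not checked what else home-manager bakes that path into, so treat the second option as needing a look at the full export. In the second hunk the `export-mac-portable` hook is the only place the export is regenerated and it is enabled only when `system` contains "darwin", so commits made from a Linux host leave `exported/mac-portable` stale without any signal; a comment next to `enable` saying so, and that `git add exported/mac-portable` stages the build output unreviewed, would make the trade-off explicit. The outputs attribute set enclosing all three hunks begins and ends outside them.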


@@ -1,22 +0,0 @@
{
identities,
primaryUser,
...
}:
let
user = identities.users.${primaryUser};
in
{
programs.git = {
signing = {
# Will be available on remote machines via SSH agent (Secretive).
key = "key::" + user.sign."sign@mars".publicKey;
signByDefault = true;
};
settings.user = {
name = "Artem Sheremet";
inherit (user) email;
};
};
}


@@ -1,18 +1,5 @@
{
config,
lib,
pkgs,
...
}:
let
utils = import "${pkgs.path}/nixos/lib/utils.nix" { inherit lib pkgs config; };
haremote-path = "${config.home.homeDirectory}/src/haremote";
haremote-unit = utils.escapeSystemdPath haremote-path;
in
{
imports = [
../common/home.nix
];
_: {
home.homeDirectory = "/home/artem";
services.vscode-server.enable = true;
services.vscode-server.installPath = [
@@ -20,17 +7,17 @@ in
"$HOME/.antigravity-server"
];
systemd.user.mounts."${haremote-unit}" = {
systemd.user.mounts.home-artem-src-haremote = {
Unit = {
Description = "Mount ${haremote-path}";
Description = "Mount ~/src/haremote";
After = [ "network-online.target" ];
Wants = [ "network-online.target" ];
};
Mount = {
What = "root@homeassistant.home.arpa:/homeassistant";
Where = haremote-path;
Where = "/home/artem/src/haremote";
Type = "fuse.sshfs";
Options = "reconnect,ServerAliveInterval=15,uid=1000,gid=1000,IdentityAgent=${config.home.homeDirectory}/.ssh/ssh_auth_sock";
Options = "reconnect,ServerAliveInterval=15,uid=1000,gid=1000,IdentityAgent=/home/artem/.ssh/ssh_auth_sock";
};
Install = {
WantedBy = [ "default.target" ];
@@ -39,8 +26,8 @@ in
programs.zsh.loginExtra = ''
if [ -n "$SSH_AUTH_SOCK" ]; then
mkdir -p ${haremote-path}
[ -z "$(ls -A ${haremote-path} 2>/dev/null)" ] && systemctl --user restart ${haremote-unit}.mount
mkdir -p ~/src/haremote
[ -z "$(ls -A ~/src/haremote 2>/dev/null)" ] && systemctl --user restart home-artem-src-haremote.mount
fi
'';
}
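Review bot: The new mount spells one path four different ways — `Where = "/home/artem/src/haremote"`, `IdentityAgent=/home/artem/.ssh/ssh_auth_sock` inside `Options`, the unit name `home-artem-src-haremote`, and `~/src/haremote` in `loginExtra` — and the unit name is only valid while it stays the systemd escape of `Where`, which the removed `utils.escapeSystemdPath` used to guarantee. A comment above the mount would keep the next edit from breaking the `systemctl --user restart` call silently: `# Unit name must be the systemd-escaped form of Where (systemd-escape -p /home/artem/src/haremote); keep in sync with loginExtra below.` The `ls -A` test in the login hook also treats a mount that failed and a directory that is legitimately empty the same way, so a restart is attempted only when the directory is empty, which is worth stating next to it. Only the mount and the login hook are visible here; the `home.homeDirectory` literal that these paths duplicate is set in the first hunk.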


@@ -1,33 +1,77 @@
{
pkgs,
identities,
primaryUser,
trustedSSHKeys,
jail-nix,
...
}:
let
jail = jail-nix.lib.init pkgs;
in
{
users.users.${primaryUser} = {
users.users.artem = {
uid = 1000;
isNormalUser = true;
extraGroups = [
"wheel"
"docker"
"kvm"
];
openssh.authorizedKeys.keys = identities.getAccessKeys { user = primaryUser; };
openssh.authorizedKeys.keys = trustedSSHKeys;
shell = pkgs.zsh;
linger = true; # Keep sshfs mounted even on logout.
};
virtualisation.docker.enable = true;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
# TODO: move below into hosts/deimos/home.nix
sshfs
nixd
home-assistant-cli
yt-dlp
# jailed-gemini --yolo
(jail "jailed-gemini" pkgs.gemini-cli (
with jail.combinators;
[
network
time-zone
no-new-session
mount-cwd
(readwrite (noescape "~/.gemini"))
# The above is a stow-controlled symlink to the following.
(readwrite (noescape "~/dotfiles/legacy/.gemini"))
(add-pkg-deps (
with pkgs;
[
bashInteractive
curl
wget
jq
git
which
ripgrep
gnugrep
gnused
gawkInteractive
ps
findutils
gzip
unzip
gnutar
diffutils
coreutils
procps
python3
esphome
nix
]
))
]
))
];
# For building RPi configs. Extra steps are handled by the host (nas).
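Review bot: The jailed-gemini sandbox is given `readwrite` on `~/dotfiles/legacy/.gemini`, which the comment describes as the real target of the `~/.gemini` symlink, i.e. the checked-out copy of the CLI's own settings (the file that declares which MCP servers it launches and where it sends its bearer token); anything executing inside the jail can therefore rewrite the configuration that constrains it, and the edit lands in the dotfiles checkout. If gemini-cli only needs its session/state subdirectories writable, mount `settings.json` read-only and keep `readwrite` for the rest, or add a comment stating that a writable settings file is accepted deliberately. Whether `HASS_SERVER`/`HASS_TOKEN` (read by that settings file) reach the jail is not visible — this combinator list forwards no environment explicitly, unlike the removed jailed-agy module's `try-fwd-env` entries — so confirm against jail-nix's defaults. The `users.users.artem` block and the jail list are the whole of the visible hunk; the module continues past it.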


@@ -1,16 +1,10 @@
{
pkgs,
lib,
config,
identities,
primaryUser,
trustedSSHKeys,
...
}:
{
imports = [
../common/home.nix
];
home.packages = with pkgs; [
dosbox-staging # dosbox appears broken on darwin
@@ -24,12 +18,8 @@
home.activation.setupAuthorizedKeys = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
run install -m 0600 -D \
${
pkgs.writeText "keys" (
builtins.concatStringsSep "\n" (identities.getAccessKeys { user = primaryUser; })
)
} \
${config.home.homeDirectory}/.ssh/ephemeral_sshd/authorized_keys
${pkgs.writeText "keys" (builtins.concatStringsSep "\n" trustedSSHKeys)} \
''${HOME?}/.ssh/ephemeral_sshd/authorized_keys
'';
# TODO: consider
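Review bot: The rewritten activation line `''${HOME?}/.ssh/ephemeral_sshd/authorized_keys` is an unquoted expansion, and `install -D` creates any missing `~/.ssh` and `~/.ssh/ephemeral_sshd` components with its default 0755 rather than the 0700 `.ssh` is normally kept at. Create the directories explicitly and quote the destination: `run install -d -m 0700 "''${HOME?}/.ssh" "''${HOME?}/.ssh/ephemeral_sshd"` followed by the existing `install -m 0600` with `"''${HOME?}/.ssh/ephemeral_sshd/authorized_keys"`. `trustedSSHKeys` is now a flake-level list baked into a world-readable store path via `writeText`, which is fine for public keys but deserves a one-line comment so nothing non-public is ever appended to that list. The start of `home.activation.setupAuthorizedKeys` is in the hunk but the surrounding module options are not.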


@@ -1,29 +0,0 @@
{
"mcpServers": {
"nix": {
"command": "nix",
"args": [
"run",
"github:utensils/mcp-nixos",
"--"
]
},
"ha": {
"command": "nix",
"args": [
"shell",
"nixpkgs#uv",
"nixpkgs#python3",
"--command",
"uv",
"tool",
"run",
"ha-mcp"
],
"env": {
"UV_PYTHON_DOWNLOADS": "never",
"UV_PYTHON_PREFERENCE": "system"
}
}
}
}


@@ -0,0 +1,35 @@
{
"mcpServers": {
"nix": {
"command": "nix",
"args": [
"run",
"github:utensils/mcp-nixos",
"--"
]
},
"ha": {
"url": "${HASS_SERVER}/mcp_server/sse",
"headers": {
"Authorization": "Bearer ${HASS_TOKEN}"
},
"timeout": 5000
}
},
"security": {
"auth": {
"selectedType": "oauth-personal"
}
},
"general": {
"sessionRetention": {
"warningAcknowledged": true,
"enabled": true,
"maxAge": "30d"
},
"preferredEditor": "vim"
},
"model": {
"name": "auto-gemini-3"
}
}
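Review bot: The `ha` entry sends `Authorization: Bearer ${HASS_TOKEN}` to `${HASS_SERVER}/mcp_server/sse`, so whether the token is protected in transit depends entirely on what `HASS_SERVER` expands to at runtime; an `http://` value would send it in clear text. JSON has no comment syntax, so document the two required variables and the https expectation in the README next to the stow instructions, and validate the scheme wherever `HASS_SERVER` is exported. It is also worth confirming how gemini-cli behaves when `HASS_TOKEN` is unset — whether the header is dropped or sent with the literal placeholder — because a literal `${HASS_TOKEN}` would make a missing variable look like a server-side auth failure. Moving from the local `uv tool run ha-mcp` process to a remote endpoint while keeping the token out of the committed file is the right shape for this.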

45
legacy/.gitconfig Normal file

@@ -0,0 +1,45 @@
[color]
ui = auto
[alias]
co = checkout
st = status
di = diff -w --no-prefix
df = diff
dc = diff --cached
ci = commit
br = branch
lg = log -p --decorate=full --show-signature
lol = log --graph --decorate=full --pretty=oneline --abbrev-commit
lola = log --graph --decorate=full --pretty=oneline --abbrev-commit --all
ls = ls-files
# Show files ignored by git:
ign = ls-files -o -i --exclude-standard
[apply]
whitespace = nowarn
[push]
default = tracking
[rebase]
stat = yes
[format]
pretty = fuller
[fetch]
prune = yes
[credential "https://source.developers.google.com"]
helper = gcloud.sh
[core]
autocrlf = input
[branch]
# 0 times I wanted this when doing "git checkout".
autoSetupMerge = false
# Set up new branches in a way that "git pull" does a rebase by default.
autoSetupRebase = always
# Commit signing, currently using ssh@mars -- to be switched to sign@mars after 2026-05-15
[gpg]
format = ssh
[commit]
gpgsign = true
[user]
signingkey = key::ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNwSX/Ib6kNzgRKqWfcb3HsAQQo++Gt9KeXSvP6NDk6YQPjDsi+//IiBovgLjQ34El+x8l8y3aYhfIGlCyX7aOM= sign@mars
name = Artem Sheremet
email = dot.doom@gmail.com
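Review bot: The `lg` alias runs `log --show-signature` under `[gpg] format = ssh`, but this static file carries no `gpg.ssh.allowedSignersFile`, which the home-manager version derived from `identities.getSigningEntries`; without it git cannot map an SSH signature to a principal and every signature is reported as unverifiable. Add `[gpg "ssh"]` with `allowedSignersFile = ~/.ssh/allowed_signers` and ship that file alongside this config (the key on the `signingkey` line is the obvious first entry). The comment `currently using ssh@mars -- to be switched to sign@mars after 2026-05-15` also disagrees with the key it annotates, whose comment field already reads `sign@mars`, so one of the two looks stale. `[commit] gpgsign = true` will make every commit fail on a stow target whose agent cannot reach that key, which is presumably intended but worth a line in the header comment.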

25
legacy/.ssh/config Normal file

@@ -0,0 +1,25 @@
Host *
# Share SSH connection.
# If disabling, consider impact on ssh agent forwarding in screen
# sessions (see .ssh/rc file).
ControlMaster auto
ControlPath ~/.ssh/ctl/%r@%h:%p
ControlPersist 10m
# When a shared connection is broken (remote reboot), detect it faster.
ServerAliveInterval 11
ServerAliveCountMax 2
ConnectTimeout 10
AddKeysToAgent yes
#Host custom-host-with-xorg
# HostName custom-hostname
# User crate
# ForwardX11 yes
# ForwardX11Trusted yes
#Host always-changing-keys-dont-care
# StrictHostKeyChecking no
# UserKnownHostsFile=/dev/null
Include config.d/*
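Review bot: `Include config.d/*` sits after the `Host *` block, and ssh_config uses the first value obtained for each option, so nothing in `config.d/` can override `ControlMaster`, `ControlPath`, `ServerAliveInterval`, `ServerAliveCountMax`, `ConnectTimeout` or `AddKeysToAgent` for a specific host; the home-manager `includes` option this replaces appears to have emitted the include ahead of the match blocks, so this is a behaviour change. Make `Include config.d/*` the first line of the file and keep `Host *` as the trailing default block. `ControlPath ~/.ssh/ctl/%r@%h:%p` now resolves inside the stow-managed checkout (`legacy/.ssh/ctl`), so every control socket is created under the dotfiles tree; `ControlPath ~/.ssh/ctl/%C` would keep the socket path short and stop user@host:port names from appearing in a directory listing.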

0
legacy/.ssh/ctl/.gitkeep Normal file

11
legacy/.ssh/rc Executable file

@@ -0,0 +1,11 @@
#!/bin/sh
# When SSH-ing with agent forwarding enabled, this variable is set by sshd
# itself. However, an existing screen session that we attach to will not have
# its SSH_AUTH_SOCK environment variable updated, so we hardcode this path in
# .screenrc and create a symlink to keep it alive.
#
# It WILL break if two sessions are opened to a machine, and a newer one is
# terminated. ControlMaster in .ssh/config solves this problem by sharing the
# connection (and as a result, sharing SSH agent socket).
[ -n "$SSH_AUTH_SOCK" ] && ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
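Review bot: The script's exit status is that of the `[ -n "$SSH_AUTH_SOCK" ]` test whenever agent forwarding is off, so it ends with status 1 on every such session; sshd does not act on it as far as I know, but anyone running the file by hand will see a failure, so spell it out: `if [ -n "$SSH_AUTH_SOCK" ]; then ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock; fi`. The header comment should also mention that once `~/.ssh/rc` exists sshd no longer runs `xauth` itself, so enabling the commented-out `ForwardX11` examples in `.ssh/config` would require this script to consume the proto/cookie pair on stdin. The content is byte-identical to the `home.file.".ssh/rc"` string it replaces; only the location changed.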


@@ -1,75 +1,24 @@
{
pkgs,
lib,
identities,
primaryUser,
...
}:
{
home.username = primaryUser;
nixpkgs.config.allowUnfree = true;
home.packages = with pkgs; [
stow
wget
antigravity-cli
gemini-cli
silver-searcher
yubikey-manager
];
home.activation.stowLegacy = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
if [ -d "$HOME/dotfiles/legacy" ]; then
run ${pkgs.stow}/bin/stow -d $HOME/dotfiles -t $HOME legacy
fi
'';
home.activation.report-changes = lib.hm.dag.entryAnywhere ''
# oldGenPath can be undefined with home-manager used as part of NixOS config
if [ -n "''${oldGenPath+x}" ]; then
${pkgs.nvd}/bin/nvd diff $oldGenPath $newGenPath
fi
'';
programs.git = {
enable = true;
settings = {
alias = {
co = "checkout";
st = "status";
di = "diff -w --no-prefix";
df = "diff";
dc = "diff --cached";
ci = "commit";
br = "branch";
lg = "log -p --decorate=full --show-signature";
lol = "log --graph --decorate=full --pretty=oneline --abbrev-commit";
lola = "log --graph --decorate=full --pretty=oneline --abbrev-commit --all";
ls = "ls-files";
# Show files ignored by git:
ign = "ls-files -o -i --exclude-standard";
};
color.ui = "auto";
apply.whitespace = "nowarn";
push.default = "tracking";
rebase.stat = "yes";
format.pretty = "fuller";
fetch.prune = "yes";
core.autocrlf = "input";
branch = {
# 0 times I wanted this when doing "git checkout".
autoSetupMerge = false;
# Set up new branches in a way that "git pull" does a rebase by default.
autoSetupRebase = "always";
};
gpg.format = "ssh";
gpg.ssh.allowedSignersFile = "${pkgs.writeText "allowed_signers" (
lib.concatStringsSep "\n" (identities.getSigningEntries { })
)}";
credential."https://source.developers.google.com".helper = "gcloud.sh";
};
};
programs.zsh = {
enable = true;
initContent = ''
@@ -79,11 +28,11 @@
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
fi
if [ -r ~/dotfiles/migrated/.zshrc ]; then
if [ -r ~/dotfiles/assets/.zshrc ]; then
# Hack for faster iterations
. ~/dotfiles/migrated/.zshrc
. ~/dotfiles/assets/.zshrc
else
. ${../../migrated/.zshrc}
. ${../../assets/.zshrc}
fi
'';
@@ -112,10 +61,11 @@
vim-startify
];
extraConfig = ''
if filereadable(expand("~/dotfiles/migrated/.vimrc"))
source ~/dotfiles/migrated/.vimrc
if filereadable(expand("~/dotfiles/assets/.vimrc"))
# Hack for faster iterations
source ~/dotfiles/assets/.vimrc
else
source ${../../migrated/.vimrc}
source ${../../assets/.vimrc}
endif
'';
};
@@ -188,49 +138,5 @@
'';
};
programs.ssh = {
enable = true;
enableDefaultConfig = false;
includes = [ "config.d/*" ];
settings = {
"*" = {
# Share SSH connection.
# If disabling, consider impact on ssh agent forwarding in screen
# sessions (see .ssh/rc file).
ControlMaster = "auto";
ControlPath = "~/.ssh/ctl/%r@%h:%p";
ControlPersist = "10m";
# When a shared connection is broken (remote reboot), detect it faster.
ServerAliveInterval = 11;
ServerAliveCountMax = 2;
ConnectTimeout = 10;
AddKeysToAgent = "yes";
};
};
};
home.file = {
".ssh/rc" = {
executable = true;
text = ''
#!/bin/sh
# When SSH-ing with agent forwarding enabled, this variable is set by sshd
# itself. However, an existing screen session that we attach to will not have
# its SSH_AUTH_SOCK environment variable updated, so we hardcode this path in
# .screenrc and create a symlink to keep it alive.
#
# It WILL break if two sessions are opened to a machine, and a newer one is
# terminated. ControlMaster in .ssh/config solves this problem by sharing the
# connection (and as a result, sharing SSH agent socket).
[ -n "$SSH_AUTH_SOCK" ] && ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
'';
};
".ssh/ctl/.keep".text = "";
};
home.stateVersion = "25.11"; # never modify
}
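Review bot: With `home.username = primaryUser;` and the `primaryUser` argument removed in the first hunk, this module no longer states where the username and home directory come from, yet the flake still passes `extraSpecialArgs.primaryUser = "empty"` to the `mac-portable` configuration that consists of only this module; either that argument is now dead or something outside these hunks consumes it, and a comment at the top of the module naming the expected source of `home.username`/`home.homeDirectory` would settle it. The old/new line counts leave it ambiguous whether `home.activation.stowLegacy` survives on the new side; if it does, its `$HOME` expansions are unquoted and should read `run ${pkgs.stow}/bin/stow -d "$HOME/dotfiles" -t "$HOME" legacy`. The git signing and ssh settings removed in the last hunk reappear as static stow files in this compare; the `gpg.ssh.allowedSignersFile` entry is the one piece that did not make the trip.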


@@ -35,10 +35,6 @@
TripleClickSelectsFullWrappedLines = true;
WordChars = "/-._~";
PromptOnQuit = false;
# Use system browser to open links.
NoSyncBrowserUpsell = 1;
NoSyncBrowserUpsell_selection = 1;
};
home.file."Library/Application Support/iTerm2/DynamicProfiles/nix-profile.json".text =
builtins.toJSON
@@ -51,7 +47,6 @@
Columns = 160;
Rows = 45;
"Scrollback Lines" = 1000000;
# For tmux selection and moving borders.
"Mouse Reporting" = true;
@@ -78,10 +73,6 @@
export SSH_AUTH_SOCK=~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
'';
# TODO: defaults read NSGlobalDomain
# https://nix-darwin.github.io/nix-darwin/manual/index.html
# -> set system.defaults.NSGlobalDomain
# or system.defaults.CustomSystemPreferences
nixpkgs.config.allowUnfree = true;
programs.vscode.enable = true;
}


@@ -1,148 +0,0 @@
{
config,
lib,
pkgs,
jail-nix,
primaryUser,
...
}:
let
jail = jail-nix.lib.init pkgs;
allPackages =
with pkgs;
[
bashInteractive
curl
wget
jq
git
which
ripgrep
gnugrep
gnused
gawkInteractive
ps
findutils
gzip
unzip
gnutar
diffutils
coreutils
procps
python3
python3Packages.pip
esphome
ruby
go
gcc
gnumake
pkg-config
nix
]
++ config.programs.jailed-agy.extraPackages;
in
{
options.programs.jailed-agy = {
extraPackages = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [ ];
description = "Extra packages to append to the jailed-agy environment.";
};
};
config = {
environment.systemPackages = [
(jail "jailed-agy" pkgs.antigravity-cli (
with jail.combinators;
[
network
time-zone
no-new-session
mount-cwd
# Enforce that the wrapper is not run as root/privileged user
(add-runtime ''
if [ "$(id -u)" -eq 0 ]; then
echo "Error: jailed-agy must not be run as root/privileged user!" >&2
exit 1
fi
'')
# Automatically append --dangerously-skip-permissions to agy invocation
(set-argv [
"--dangerously-skip-permissions"
(noescape "\"$@\"")
])
(readwrite (noescape "~/.gemini"))
# The above is a stow-controlled symlink to the following.
(readwrite (noescape "~/dotfiles/legacy/.gemini"))
# Enable easy installation of pip packages in the current directory.
(set-env "PYTHONPATH" (noescape "\"$PWD/.pip-packages\""))
(set-env "PIP_TARGET" (noescape "\"$PWD/.pip-packages\""))
(set-env "PIP_CACHE_DIR" (noescape "\"$PWD/.pip-cache\""))
(set-env "PIP_BREAK_SYSTEM_PACKAGES" "1")
# Enable easy installation and persistence of RubyGems in the current directory.
(set-env "GEM_HOME" (noescape "\"$PWD/.gem\""))
# Enable easy installation and persistence of Go modules and caches in the current directory.
(set-env "GOPATH" (noescape "\"$PWD/.go\""))
(set-env "GOCACHE" (noescape "\"$PWD/.go-cache\""))
# Preconfigure compiler and linker flags dynamically for all jail packages.
# This allows compiling Ruby gems (e.g. ffi, which requires libffi) and Go packages
# (e.g. YubiKey plugins, which require pcsclite) out-of-the-box.
(set-env "PKG_CONFIG_PATH" (
lib.concatStringsSep ":" (map (pkg: "${pkg.dev or pkg}/lib/pkgconfig") allPackages)
))
(set-env "NIX_CFLAGS_COMPILE" (
lib.concatStringsSep " " (map (pkg: "-isystem ${pkg.dev or pkg}/include") allPackages)
))
(set-env "NIX_LDFLAGS" (
lib.concatStringsSep " " (map (pkg: "-L${pkg.out or pkg}/lib") allPackages)
))
# Mount system and user profiles so their packages are automatically available at runtime
(try-ro-bind "/run/current-system/sw" "/run/current-system/sw")
(try-ro-bind "/etc/profiles/per-user/${primaryUser}" "/etc/profiles/per-user/${primaryUser}")
# Mount Nix files and directories to support nix-shell and Nix operations in jail
(try-ro-bind "/nix/store" "/nix/store")
(try-ro-bind "/nix/var/nix/daemon-socket" "/nix/var/nix/daemon-socket")
(try-ro-bind "/nix/var/nix/profiles" "/nix/var/nix/profiles")
(try-ro-bind "/etc/nix" "/etc/nix")
(try-ro-bind "/etc/static" "/etc/static")
# Forward Nix environment variables
(try-fwd-env "NIX_REMOTE")
(try-fwd-env "NIX_PATH")
(try-fwd-env "NIX_SSL_CERT_FILE")
(add-pkg-deps allPackages)
# Prepend local project binary directories, system, and user bin paths to the jail's PATH.
# Note: We place this after `add-pkg-deps` so that local paths take highest precedence.
# We use explicit double quotes to allow bash to expand $PWD at runtime and handle spaces.
(
state:
state
// {
env = state.env // {
PATH =
if state.env ? PATH && state.env.PATH != "" then
"\"\$PWD/.gem/bin:\$PWD/.go/bin:\$PWD/.pip-packages/bin:/run/current-system/sw/bin:/etc/profiles/per-user/${primaryUser}/bin:${state.env.PATH}\""
else
"\"\$PWD/.gem/bin:\$PWD/.go/bin:\$PWD/.pip-packages/bin:/run/current-system/sw/bin:/etc/profiles/per-user/${primaryUser}/bin\"";
};
}
)
]
))
];
};
}


@@ -48,7 +48,6 @@
for item in \
"mkdir -p:/var/lib/nixos" \
"mkdir -p:/var/lib/systemd" \
"mkdir -p:/var/lib/docker" \
"touch:/etc/machine-id" \
"touch:/etc/ssh/ssh_host_ed25519_key" \
; do