Mount docker from persistence

Add python, ruby, go, custom paths.

.gitignore

@@ -6,3 +6,6 @@ result
 
 # nix pre-commit autogenerated by devShell
 /.pre-commit-config.yaml
+
+# agy sessions
+.antigravitycli

flake.lock

@@ -3,16 +3,16 @@
     "brew-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1778146321,
+        "lastModified": 1781226006,
-        "narHash": "sha256-HeBwuJmuBioZHyZqDOcf7W/xsMFupSD583v6I5Cl7a8=",
+        "narHash": "sha256-w4ZTuOnhYiDxjaynrMTASzp802QblBWmo3wpB8wVN4Y=",
         "owner": "Homebrew",
         "repo": "brew",
-        "rev": "af835384ac574f76025adb38b292b04cecee1f1f",
+        "rev": "109191be4988470b51a60a5ef1998520aa24c01b",
         "type": "github"
       },
       "original": {
         "owner": "Homebrew",
-        "ref": "5.1.10",
+        "ref": "6.0.1",
         "repo": "brew",
         "type": "github"
       }
@@ -24,11 +24,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777780666,
+        "lastModified": 1781761792,
-        "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
+        "narHash": "sha256-rCPytmKNjctLloB6UgK5CRrHSwV4b0ygxtJLPPp8R14=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
+        "rev": "a1fa429e945becaf60468600daf649be4ba0350c",
         "type": "github"
       },
       "original": {
@@ -96,11 +96,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1778705491,
+        "lastModified": 1781866110,
-        "narHash": "sha256-LOZbixhLsv2QbUbqH+I06eRMAI7FBDDkGoMWH523OkE=",
+        "narHash": "sha256-eysWGLqD/9ZshEAg1bj1O8QpJZ6UoDEpjWzBJaR6ono=",
         "ref": "refs/heads/main",
-        "rev": "b6fb4221bd5f54bc427de84230e0c95952399c21",
+        "rev": "7fdd373d58137cdcddd8ba6f00ee06186affe5a5",
-        "revCount": 25,
+        "revCount": 36,
         "type": "git",
         "url": "https://github.com/futureware-tech/nix.git"
       },
@@ -141,11 +141,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778507602,
+        "lastModified": 1781733627,
-        "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
+        "narHash": "sha256-U3yTuGBnmXvXoQI3qkpfEDsn9RovQPAjN7ndRco+3u0=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
+        "rev": "3bbec39bc90eadfa031e6f3b77272f3f60803e39",
         "type": "github"
       },
       "original": {
@@ -204,11 +204,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778503501,
+        "lastModified": 1781844424,
-        "narHash": "sha256-08L/X4/do7nET4rzidJ76eV/1r+mB7DchVpdPypsghc=",
+        "narHash": "sha256-sWBr0D6eu6UhmtM87NOd4oOYilIclFXGDd/s7tVvO10=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "85ba629c79449badf4338117c27f0ee92b4b9f1a",
+        "rev": "c804fab681f03ec772390af4421bcc9bce80c1d9",
         "type": "github"
       },
       "original": {
@@ -219,11 +219,11 @@
     },
     "jail-nix": {
       "locked": {
-        "lastModified": 1772137954,
+        "lastModified": 1776230864,
-        "narHash": "sha256-h4MGNbOo7L3RHi4uNFmsg5g17/DHXEfnv/xiG6BrNFQ=",
+        "narHash": "sha256-YsEjjdOsGEzTeD+iT7ONh071BqWAOQWpzYVei3okAXE=",
         "owner": "~alexdavid",
         "repo": "jail.nix",
-        "rev": "42b355c38ca63dab4904acc5c0d95f17954a8c9b",
+        "rev": "404e7da9da5ab9aa643666682b2ba1312fa5fbe8",
         "type": "sourcehut"
       },
       "original": {
@@ -237,11 +237,11 @@
         "brew-src": "brew-src"
       },
       "locked": {
-        "lastModified": 1778332591,
+        "lastModified": 1781389246,
-        "narHash": "sha256-ctJ3ADtugrnbMfMBobA645gCqXVIyHnsCNMkVaIuSiM=",
+        "narHash": "sha256-ORqLAo/hoJdsZC7UPAuEHev6S0+XIqKEC7vjo5prz1k=",
         "owner": "zhaofengli",
         "repo": "nix-homebrew",
-        "rev": "7d0038b5bb60568ec41f5f4ef5067cd221ca7c0d",
+        "rev": "de7953a08ed4bb9245be043e468561c17b89130d",
         "type": "github"
       },
       "original": {
@@ -252,11 +252,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1777954456,
+        "lastModified": 1781577229,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "narHash": "sha256-lrp67w8AulE9Ks53n27I45ADSzbOCn4H+CNW1Ck8B+8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "rev": "567a49d1913ce81ac6e9582e3553dd90a955875f",
         "type": "github"
       },
       "original": {

flake.nix

@@ -39,13 +39,7 @@
       ...
     }@inputs:
     let
-      trustedSSHKeys = [
+      homeManagerUser = "artem";
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxRBsFGa8OFbviYDGSAKLgfm/K2XUxvCo+31FW37yab artem"
-        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPAtIXXHm58julnr7S0xzBTM1jN5JkKxOL4JpuWDOa2jAAAABHNzaDo= office-dock-usb-a"
-        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHY1xx0huqV6Mcc2WngYDabITeNUbGamJ8//206MxxVTAAAABHNzaDo= keychain-usb-c"
-        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHzY2eOz+JdaKOpIgZbF5FsZzQy0l8vPJjAQdTpBFGsoAAAABHNzaDo= safe"
-        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJg7zQ4H0LQeQcILZBwCzQ+MYKtCgKm7HPe9oFeoyprKZXAvpm+HDHtaYdU39JF9f+nvRztzXuMhgETAQMAQCkc= fingerprint@macbook"
-      ];
       eachSystem = nixpkgs.lib.genAttrs (import systems);
     in
     {
@@ -68,25 +62,32 @@
       nixosModules = {
         linux-headless = import ./modules/nixos/linux-headless.nix;
         linux-lxc = import ./modules/nixos/linux-lxc.nix;
+        jailed-agy = import ./modules/nixos/jailed-agy.nix;
       };
 
-      homeConfigurations."artem@deimos" = home-manager.lib.homeManagerConfiguration {
+      homeConfigurations."${homeManagerUser}@deimos" = home-manager.lib.homeManagerConfiguration {
-        pkgs = nixpkgs.legacyPackages.x86_64-linux;
+        pkgs = import nixpkgs {
-        extraSpecialArgs.primaryUser = "artem";
+          system = "x86_64-linux";
+        };
+        extraSpecialArgs.primaryUser = homeManagerUser;
         modules = [
+          inputs.fw_nix.nixosModules.identities
           vscode-server.homeModules.default
           self.homeModules.linux-headless
           ./hosts/deimos/home.nix
         ];
       };
 
-      homeConfigurations."artem@mars" = home-manager.lib.homeManagerConfiguration {
+      homeConfigurations."${homeManagerUser}@mars" = home-manager.lib.homeManagerConfiguration {
-        pkgs = nixpkgs.legacyPackages.x86_64-darwin;
+        pkgs = import nixpkgs {
+          system = "x86_64-darwin";
+          config.allowDeprecatedx86_64Darwin = true;
+        };
         extraSpecialArgs = {
-          primaryUser = "artem";
+          primaryUser = homeManagerUser;
-          inherit trustedSSHKeys;
         };
         modules = [
+          inputs.fw_nix.nixosModules.identities
           self.homeModules.mac-portable
           ./hosts/mars/home.nix
         ];
@@ -94,30 +95,33 @@
 
       darwinConfigurations.mars = darwin.lib.darwinSystem {
         system = "x86_64-darwin";
-        specialArgs.primaryUser = "artem";
+        specialArgs.primaryUser = homeManagerUser;
         modules = [
+          inputs.fw_nix.nixosModules.identities
           self.darwinModules.mac-portable
-          inputs.fw_nix.nixosModules.tools
+          inputs.fw_nix.nixosModules.nix-gc
           inputs.fw_nix.nixosModules.nix-settings
+          inputs.fw_nix.nixosModules.tools
           inputs.fw_nix.nixosModules.futureware
           inputs.nix-homebrew.darwinModules.nix-homebrew
           ./hosts/mars/darwin.nix
+          {
+            nixpkgs.config.allowDeprecatedx86_64Darwin = true;
+          }
         ];
       };
 
-      nixosConfigurations.deimos =
+      nixosConfigurations.deimos = nixpkgs.lib.nixosSystem {
-        let
         system = "x86_64-linux";
-        in
-        nixpkgs.lib.nixosSystem {
-          inherit system;
         specialArgs = {
-            inherit trustedSSHKeys;
+          primaryUser = homeManagerUser;
           inherit (inputs) jail-nix;
         };
         modules = [
+          inputs.fw_nix.nixosModules.identities
           self.nixosModules.linux-headless
           self.nixosModules.linux-lxc
+          self.nixosModules.jailed-agy
           inputs.fw_nix.nixosModules.nix-gc
           inputs.fw_nix.nixosModules.nix-settings
           inputs.fw_nix.nixosModules.tools

hosts/common/home.nix

@@ -0,0 +1,22 @@
+{
+  identities,
+  primaryUser,
+  ...
+}:
+let
+  user = identities.users.${primaryUser};
+in
+{
+  programs.git = {
+    signing = {
+      # Will be available on remote machines via SSH agent (Secretive).
+      key = "key::" + user.sign."sign@mars".publicKey;
+      signByDefault = true;
+    };
+
+    settings.user = {
+      name = "Artem Sheremet";
+      inherit (user) email;
+    };
+  };
+}

hosts/deimos/home.nix

@@ -1,5 +1,18 @@
-_: {
+{
-  home.homeDirectory = "/home/artem";
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  utils = import "${pkgs.path}/nixos/lib/utils.nix" { inherit lib pkgs config; };
+  haremote-path = "${config.home.homeDirectory}/src/haremote";
+  haremote-unit = utils.escapeSystemdPath haremote-path;
+in
+{
+  imports = [
+    ../common/home.nix
+  ];
 
   services.vscode-server.enable = true;
   services.vscode-server.installPath = [
@@ -7,17 +20,17 @@ _: {
     "$HOME/.antigravity-server"
   ];
 
-  systemd.user.mounts.home-artem-src-haremote = {
+  systemd.user.mounts."${haremote-unit}" = {
     Unit = {
-      Description = "Mount ~/src/haremote";
+      Description = "Mount ${haremote-path}";
       After = [ "network-online.target" ];
       Wants = [ "network-online.target" ];
     };
     Mount = {
       What = "root@homeassistant.home.arpa:/homeassistant";
-      Where = "/home/artem/src/haremote";
+      Where = haremote-path;
       Type = "fuse.sshfs";
-      Options = "reconnect,ServerAliveInterval=15,uid=1000,gid=1000,IdentityAgent=/home/artem/.ssh/ssh_auth_sock";
+      Options = "reconnect,ServerAliveInterval=15,uid=1000,gid=1000,IdentityAgent=${config.home.homeDirectory}/.ssh/ssh_auth_sock";
     };
     Install = {
       WantedBy = [ "default.target" ];
@@ -26,8 +39,8 @@ _: {
 
   programs.zsh.loginExtra = ''
     if [ -n "$SSH_AUTH_SOCK" ]; then
-      mkdir -p ~/src/haremote
+      mkdir -p ${haremote-path}
-      [ -z "$(ls -A ~/src/haremote 2>/dev/null)" ] && systemctl --user restart home-artem-src-haremote.mount
+      [ -z "$(ls -A ${haremote-path} 2>/dev/null)" ] && systemctl --user restart ${haremote-unit}.mount
     fi
   '';
 }

hosts/deimos/nixos.nix

@@ -1,77 +1,33 @@
 {
   pkgs,
-  trustedSSHKeys,
+  identities,
-  jail-nix,
+  primaryUser,
   ...
 }:
-let
-  jail = jail-nix.lib.init pkgs;
-in
 {
-  users.users.artem = {
+  users.users.${primaryUser} = {
     uid = 1000;
     isNormalUser = true;
     extraGroups = [
       "wheel"
       "docker"
+      "kvm"
     ];
-    openssh.authorizedKeys.keys = trustedSSHKeys;
+    openssh.authorizedKeys.keys = identities.getAccessKeys { user = primaryUser; };
     shell = pkgs.zsh;
     linger = true; # Keep sshfs mounted even on logout.
   };
 
   virtualisation.docker.enable = true;
 
+  nixpkgs.config.allowUnfree = true;
+
   environment.systemPackages = with pkgs; [
     # TODO: move below into hosts/deimos/home.nix
     sshfs
     nixd
     home-assistant-cli
     yt-dlp
-
-    # jailed-gemini --yolo
-    (jail "jailed-gemini" pkgs.gemini-cli (
-      with jail.combinators;
-      [
-        network
-        time-zone
-        no-new-session
-        mount-cwd
-
-        (readwrite (noescape "~/.gemini"))
-        # The above is a stow-controlled symlink to the following.
-        (readwrite (noescape "~/dotfiles/legacy/.gemini"))
-
-        (add-pkg-deps (
-          with pkgs;
-          [
-            bashInteractive
-            curl
-            wget
-            jq
-            git
-            which
-            ripgrep
-            gnugrep
-            gnused
-            gawkInteractive
-            ps
-            findutils
-            gzip
-            unzip
-            gnutar
-            diffutils
-            coreutils
-            procps
-
-            python3
-            esphome
-
-            nix
-          ]
-        ))
-      ]
-    ))
   ];
 
   # For building RPi configs. Extra steps are handled by the host (nas).

hosts/mars/home.nix

@@ -2,10 +2,15 @@
   pkgs,
   lib,
   config,
-  trustedSSHKeys,
+  identities,
+  primaryUser,
   ...
 }:
 {
+  imports = [
+    ../common/home.nix
+  ];
+
   home.packages = with pkgs; [
     dosbox-staging # dosbox appears broken on darwin
 
@@ -19,7 +24,11 @@
 
   home.activation.setupAuthorizedKeys = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
     run install -m 0600 -D \
-      ${pkgs.writeText "keys" (builtins.concatStringsSep "\n" trustedSSHKeys)} \
+      ${
+        pkgs.writeText "keys" (
+          builtins.concatStringsSep "\n" (identities.getAccessKeys { user = primaryUser; })
+        )
+      } \
       ${config.home.homeDirectory}/.ssh/ephemeral_sshd/authorized_keys
   '';
 

legacy/.gemini/config/mcp_config.json

@@ -0,0 +1,29 @@
+{
+  "mcpServers": {
+    "nix": {
+      "command": "nix",
+      "args": [
+        "run",
+        "github:utensils/mcp-nixos",
+        "--"
+      ]
+    },
+    "ha": {
+      "command": "nix",
+      "args": [
+        "shell",
+        "nixpkgs#uv",
+        "nixpkgs#python3",
+        "--command",
+        "uv",
+        "tool",
+        "run",
+        "ha-mcp"
+      ],
+      "env": {
+        "UV_PYTHON_DOWNLOADS": "never",
+        "UV_PYTHON_PREFERENCE": "system"
+      }
+    }
+  }
+}

legacy/.gemini/settings.json

@@ -1,35 +0,0 @@
-{
-  "mcpServers": {
-    "nix": {
-      "command": "nix",
-      "args": [
-        "run",
-        "github:utensils/mcp-nixos",
-        "--"
-      ]
-    },
-    "ha": {
-      "url": "${HASS_SERVER}/mcp_server/sse",
-      "headers": {
-        "Authorization": "Bearer ${HASS_TOKEN}"
-      },
-      "timeout": 5000
-    }
-  },
-  "security": {
-    "auth": {
-      "selectedType": "oauth-personal"
-    }
-  },
-  "general": {
-    "sessionRetention": {
-      "warningAcknowledged": true,
-      "enabled": true,
-      "maxAge": "30d"
-    },
-    "preferredEditor": "vim"
-  },
-  "model": {
-    "name": "auto-gemini-3"
-  }
-}

legacy/.gitconfig

@@ -1,45 +0,0 @@
-[color]
-	ui = auto
-[alias]
-	co = checkout
-	st = status
-	di = diff -w --no-prefix
-	df = diff
-	dc = diff --cached
-	ci = commit
-	br = branch
-	lg = log -p --decorate=full --show-signature
-	lol = log --graph --decorate=full --pretty=oneline --abbrev-commit
-	lola = log --graph --decorate=full --pretty=oneline --abbrev-commit --all
-	ls = ls-files
-	# Show files ignored by git:
-	ign = ls-files -o -i --exclude-standard
-[apply]
-	whitespace = nowarn
-[push]
-	default = tracking
-[rebase]
-	stat = yes
-[format]
-	pretty = fuller
-[fetch]
-	prune = yes
-[credential "https://source.developers.google.com"]
-	helper = gcloud.sh
-[core]
-	autocrlf = input
-[branch]
-	# 0 times I wanted this when doing "git checkout".
-	autoSetupMerge = false
-	# Set up new branches in a way that "git pull" does a rebase by default.
-	autoSetupRebase = always
-
-# Commit signing, currently using ssh@mars -- to be switched to sign@mars after 2026-05-15
-[gpg]
-	format = ssh
-[commit]
-	gpgsign = true
-[user]
-	signingkey = key::ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNwSX/Ib6kNzgRKqWfcb3HsAQQo++Gt9KeXSvP6NDk6YQPjDsi+//IiBovgLjQ34El+x8l8y3aYhfIGlCyX7aOM= sign@mars
-	name = Artem Sheremet
-	email = dot.doom@gmail.com

legacy/.ssh/config

@@ -1,25 +0,0 @@
-Host *
-	# Share SSH connection.
-	# If disabling, consider impact on ssh agent forwarding in screen
-	# sessions (see .ssh/rc file).
-	ControlMaster auto
-	ControlPath ~/.ssh/ctl/%r@%h:%p
-	ControlPersist 10m
-	# When a shared connection is broken (remote reboot), detect it faster.
-	ServerAliveInterval 11
-	ServerAliveCountMax 2
-
-	ConnectTimeout 10
-	AddKeysToAgent yes
-
-#Host custom-host-with-xorg
-#	HostName custom-hostname
-#	User crate
-#	ForwardX11 yes
-#	ForwardX11Trusted yes
-
-#Host always-changing-keys-dont-care
-#	StrictHostKeyChecking no
-#	UserKnownHostsFile=/dev/null
-
-Include config.d/*

legacy/.ssh/rc

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# When SSH-ing with agent forwarding enabled, this variable is set by sshd
-# itself. However, an existing screen session that we attach to will not have
-# its SSH_AUTH_SOCK environment variable updated, so we hardcode this path in
-# .screenrc and create a symlink to keep it alive.
-#
-# It WILL break if two sessions are opened to a machine, and a newer one is
-# terminated. ControlMaster in .ssh/config solves this problem by sharing the
-# connection (and as a result, sharing SSH agent socket).
-[ -n "$SSH_AUTH_SOCK" ] && ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock

migrated/.vimrc

@@ -35,6 +35,9 @@ if exists("+undofile")
 	" Enable the persistent undo file(s)
 	set undodir=~/.vim/undo
 	set undofile
+	if !isdirectory(expand(&undodir))
+		call mkdir(expand(&undodir), "p")
+	endif
 endif
 
 set switchbuf+=usetab " Switch to existing tab; open a new tab for the new buf

migrated/.zshrc

@@ -62,7 +62,6 @@ alias grep='grep --line-buffered --color=auto'
 alias ipt='iptables -nvL --line-numbers'
 alias ip6t='ip6tables -nvL --line-numbers'
 alias tcpdump='tcpdump -l'
-alias ag='ag -C 2 --noaffinity --pager="$PAGER" --smart-case'
 alias mysql='mysql --select_limit=1000'
 alias logcat='adb logcat -v "color printable usec year zone" -T 10'
 alias readelf='readelf -W'
@@ -81,6 +80,10 @@ starttransfer: %{time_starttransfer} | \
 total: %{time_total} | \
 size: %{size_download}\n"'
 
+rg() {
+	command rg -C 2 --smart-case --pretty "$@" | pager
+}
+
 # nix-deploy # current host
 # nix-deploy nas # deploy nas
 # nix-deploy test secondary # deploy secondary but do not add to boot
@@ -125,7 +128,22 @@ nix-deploy() {
 	cmd=(nixos-rebuild)
 	command -v nixos-rebuild >/dev/null 2>&1 || cmd=(nix run "nixpkgs#nixos-rebuild" --)
 
-	"${cmd[@]}" "$action" --flake ".#$config" --target-host "$target" --sudo "$@" |& nom
+	nix build ".#nixosConfigurations.$config.config.system.build.toplevel" \
+		--out-link "result.$config" |& nom
+	local build_status=$pipestatus[1]
+	if (( build_status != 0 )); then
+		return $build_status
+	fi
+
+	if [[ "$action" != "build" ]]; then
+		# Bypass nixos-rebuild self-update check which errors in
+		# flake-only setups when --store-path is used.
+		_NIXOS_REBUILD_REEXEC=1 "${cmd[@]}" "$action" \
+			--store-path "$(readlink -f "result.$config")" \
+			--target-host "$target" \
+			--sudo \
+			"$@"
+	fi
 }
 
 myip() {

modules/home/common.nix

@@ -1,24 +1,75 @@
 {
   pkgs,
   lib,
+  identities,
   primaryUser,
   ...
 }:
 {
   home.username = primaryUser;
+
+  nixpkgs.config.allowUnfree = true;
   home.packages = with pkgs; [
     stow
     wget
-    gemini-cli
+    antigravity-cli
-    silver-searcher
     yubikey-manager
   ];
+
   home.activation.stowLegacy = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
     if [ -d "$HOME/dotfiles/legacy" ]; then
       run ${pkgs.stow}/bin/stow -d $HOME/dotfiles -t $HOME legacy
     fi
   '';
 
+  home.activation.report-changes = lib.hm.dag.entryAnywhere ''
+    # oldGenPath can be undefined with home-manager used as part of NixOS config
+    if [ -n "''${oldGenPath+x}" ]; then
+      ${pkgs.nvd}/bin/nvd diff $oldGenPath $newGenPath
+    fi
+  '';
+
+  programs.git = {
+    enable = true;
+
+    settings = {
+      alias = {
+        co = "checkout";
+        st = "status";
+        di = "diff -w --no-prefix";
+        df = "diff";
+        dc = "diff --cached";
+        ci = "commit";
+        br = "branch";
+        lg = "log -p --decorate=full --show-signature";
+        lol = "log --graph --decorate=full --pretty=oneline --abbrev-commit";
+        lola = "log --graph --decorate=full --pretty=oneline --abbrev-commit --all";
+        ls = "ls-files";
+        # Show files ignored by git:
+        ign = "ls-files -o -i --exclude-standard";
+      };
+
+      color.ui = "auto";
+      apply.whitespace = "nowarn";
+      push.default = "tracking";
+      rebase.stat = "yes";
+      format.pretty = "fuller";
+      fetch.prune = "yes";
+      core.autocrlf = "input";
+      branch = {
+        # 0 times I wanted this when doing "git checkout".
+        autoSetupMerge = false;
+        # Set up new branches in a way that "git pull" does a rebase by default.
+        autoSetupRebase = "always";
+      };
+      gpg.format = "ssh";
+      gpg.ssh.allowedSignersFile = "${pkgs.writeText "allowed_signers" (
+        lib.concatStringsSep "\n" (identities.getSigningEntries { })
+      )}";
+      credential."https://source.developers.google.com".helper = "gcloud.sh";
+    };
+  };
+
   programs.zsh = {
     enable = true;
     initContent = ''
@@ -137,5 +188,49 @@
     '';
   };
 
+  programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+    includes = [ "config.d/*" ];
+
+    settings = {
+      "*" = {
+        # Share SSH connection.
+        # If disabling, consider impact on ssh agent forwarding in screen
+        # sessions (see .ssh/rc file).
+        ControlMaster = "auto";
+        ControlPath = "~/.ssh/ctl/%r@%h:%p";
+        ControlPersist = "10m";
+
+        # When a shared connection is broken (remote reboot), detect it faster.
+        ServerAliveInterval = 11;
+        ServerAliveCountMax = 2;
+
+        ConnectTimeout = 10;
+        AddKeysToAgent = "yes";
+      };
+    };
+  };
+
+  home.file = {
+    ".ssh/rc" = {
+      executable = true;
+      text = ''
+        #!/bin/sh
+
+        # When SSH-ing with agent forwarding enabled, this variable is set by sshd
+        # itself. However, an existing screen session that we attach to will not have
+        # its SSH_AUTH_SOCK environment variable updated, so we hardcode this path in
+        # .screenrc and create a symlink to keep it alive.
+        #
+        # It WILL break if two sessions are opened to a machine, and a newer one is
+        # terminated. ControlMaster in .ssh/config solves this problem by sharing the
+        # connection (and as a result, sharing SSH agent socket).
+        [ -n "$SSH_AUTH_SOCK" ] && ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
+      '';
+    };
+    ".ssh/ctl/.keep".text = "";
+  };
+
   home.stateVersion = "25.11"; # never modify
 }

modules/home/mac-portable.nix

@@ -35,6 +35,10 @@
     TripleClickSelectsFullWrappedLines = true;
     WordChars = "/-._~";
     PromptOnQuit = false;
+
+    # Use system browser to open links.
+    NoSyncBrowserUpsell = 1;
+    NoSyncBrowserUpsell_selection = 1;
   };
   home.file."Library/Application Support/iTerm2/DynamicProfiles/nix-profile.json".text =
     builtins.toJSON
@@ -47,6 +51,7 @@
 
             Columns = 160;
             Rows = 45;
+            "Scrollback Lines" = 1000000;
 
             # For tmux selection and moving borders.
             "Mouse Reporting" = true;
@@ -73,6 +78,10 @@
     export SSH_AUTH_SOCK=~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
   '';
 
-  nixpkgs.config.allowUnfree = true;
+  # TODO: defaults read NSGlobalDomain
+  #       https://nix-darwin.github.io/nix-darwin/manual/index.html
+  #       -> set system.defaults.NSGlobalDomain
+  #          or  system.defaults.CustomSystemPreferences
+
   programs.vscode.enable = true;
 }

modules/nixos/jailed-agy.nix

@@ -0,0 +1,148 @@
+{
+  config,
+  lib,
+  pkgs,
+  jail-nix,
+  primaryUser,
+  ...
+}:
+let
+  jail = jail-nix.lib.init pkgs;
+  allPackages =
+    with pkgs;
+    [
+      bashInteractive
+      curl
+      wget
+      jq
+      git
+      which
+      ripgrep
+      gnugrep
+      gnused
+      gawkInteractive
+      ps
+      findutils
+      gzip
+      unzip
+      gnutar
+      diffutils
+      coreutils
+      procps
+
+      python3
+      python3Packages.pip
+      esphome
+
+      ruby
+      go
+      gcc
+      gnumake
+      pkg-config
+
+      nix
+    ]
+    ++ config.programs.jailed-agy.extraPackages;
+in
+{
+  options.programs.jailed-agy = {
+    extraPackages = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [ ];
+      description = "Extra packages to append to the jailed-agy environment.";
+    };
+  };
+
+  config = {
+    environment.systemPackages = [
+      (jail "jailed-agy" pkgs.antigravity-cli (
+        with jail.combinators;
+        [
+          network
+          time-zone
+          no-new-session
+          mount-cwd
+
+          # Enforce that the wrapper is not run as root/privileged user
+          (add-runtime ''
+            if [ "$(id -u)" -eq 0 ]; then
+              echo "Error: jailed-agy must not be run as root/privileged user!" >&2
+              exit 1
+            fi
+          '')
+
+          # Automatically append --dangerously-skip-permissions to agy invocation
+          (set-argv [
+            "--dangerously-skip-permissions"
+            (noescape "\"$@\"")
+          ])
+
+          (readwrite (noescape "~/.gemini"))
+          # The above is a stow-controlled symlink to the following.
+          (readwrite (noescape "~/dotfiles/legacy/.gemini"))
+
+          # Enable easy installation of pip packages in the current directory.
+          (set-env "PYTHONPATH" (noescape "\"$PWD/.pip-packages\""))
+          (set-env "PIP_TARGET" (noescape "\"$PWD/.pip-packages\""))
+          (set-env "PIP_CACHE_DIR" (noescape "\"$PWD/.pip-cache\""))
+          (set-env "PIP_BREAK_SYSTEM_PACKAGES" "1")
+
+          # Enable easy installation and persistence of RubyGems in the current directory.
+          (set-env "GEM_HOME" (noescape "\"$PWD/.gem\""))
+
+          # Enable easy installation and persistence of Go modules and caches in the current directory.
+          (set-env "GOPATH" (noescape "\"$PWD/.go\""))
+          (set-env "GOCACHE" (noescape "\"$PWD/.go-cache\""))
+
+          # Preconfigure compiler and linker flags dynamically for all jail packages.
+          # This allows compiling Ruby gems (e.g. ffi, which requires libffi) and Go packages
+          # (e.g. YubiKey plugins, which require pcsclite) out-of-the-box.
+          (set-env "PKG_CONFIG_PATH" (
+            lib.concatStringsSep ":" (map (pkg: "${pkg.dev or pkg}/lib/pkgconfig") allPackages)
+          ))
+          (set-env "NIX_CFLAGS_COMPILE" (
+            lib.concatStringsSep " " (map (pkg: "-isystem ${pkg.dev or pkg}/include") allPackages)
+          ))
+          (set-env "NIX_LDFLAGS" (
+            lib.concatStringsSep " " (map (pkg: "-L${pkg.out or pkg}/lib") allPackages)
+          ))
+
+          # Mount system and user profiles so their packages are automatically available at runtime
+          (try-ro-bind "/run/current-system/sw" "/run/current-system/sw")
+          (try-ro-bind "/etc/profiles/per-user/${primaryUser}" "/etc/profiles/per-user/${primaryUser}")
+
+          # Mount Nix files and directories to support nix-shell and Nix operations in jail
+          (try-ro-bind "/nix/store" "/nix/store")
+          (try-ro-bind "/nix/var/nix/daemon-socket" "/nix/var/nix/daemon-socket")
+          (try-ro-bind "/nix/var/nix/profiles" "/nix/var/nix/profiles")
+          (try-ro-bind "/etc/nix" "/etc/nix")
+          (try-ro-bind "/etc/static" "/etc/static")
+
+          # Forward Nix environment variables
+          (try-fwd-env "NIX_REMOTE")
+          (try-fwd-env "NIX_PATH")
+          (try-fwd-env "NIX_SSL_CERT_FILE")
+
+          (add-pkg-deps allPackages)
+
+          # Prepend local project binary directories, system, and user bin paths to the jail's PATH.
+          # Note: We place this after `add-pkg-deps` so that local paths take highest precedence.
+          # We use explicit double quotes to allow bash to expand $PWD at runtime and handle spaces.
+          (
+            state:
+            state
+            // {
+              env = state.env // {
+                PATH =
+                  if state.env ? PATH && state.env.PATH != "" then
+                    "\"\$PWD/.gem/bin:\$PWD/.go/bin:\$PWD/.pip-packages/bin:/run/current-system/sw/bin:/etc/profiles/per-user/${primaryUser}/bin:${state.env.PATH}\""
+                  else
+                    "\"\$PWD/.gem/bin:\$PWD/.go/bin:\$PWD/.pip-packages/bin:/run/current-system/sw/bin:/etc/profiles/per-user/${primaryUser}/bin\"";
+              };
+            }
+          )
+        ]
+      ))
+    ];
+  };
+}

modules/nixos/linux-lxc.nix

@@ -48,6 +48,7 @@
       for item in \
           "mkdir -p:/var/lib/nixos" \
           "mkdir -p:/var/lib/systemd" \
+          "mkdir -p:/var/lib/docker" \
           "touch:/etc/machine-id" \
           "touch:/etc/ssh/ssh_host_ed25519_key" \
       ; do