From 179ced171d168c6206b17ff13cfac32ef63ffb69 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Fri, 1 May 2026 01:07:42 -0400 Subject: [PATCH 1/6] add claurst --- flake.nix | 4 ++++ pkgs/claurst/default.nix | 48 ++++++++++++++++++++++++++++++++++++++++ users/alice/home.nix | 2 ++ 3 files changed, 54 insertions(+) create mode 100644 pkgs/claurst/default.nix diff --git a/flake.nix b/flake.nix index d01f8d1..0e81d31 100644 --- a/flake.nix +++ b/flake.nix @@ -207,6 +207,10 @@ nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix { }; + packages.x86_64-linux.claurst = + nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/claurst/default.nix + { }; + checks = import ./checks.nix { inherit inputs forEachSystem formatter; }; devShells = import ./shell.nix { inherit inputs forEachSystem checks; }; diff --git a/pkgs/claurst/default.nix b/pkgs/claurst/default.nix new file mode 100644 index 0000000..3960439 --- /dev/null +++ b/pkgs/claurst/default.nix @@ -0,0 +1,48 @@ +{ + lib, + fetchFromGitHub, + rustPlatform, + pkg-config, + openssl, + alsa-lib, + dbus, + libxkbcommon, + libxcb, +}: + +rustPlatform.buildRustPackage rec { + pname = "claurst"; + version = "0.0.9"; + + src = fetchFromGitHub { + owner = "Kuberwastaken"; + repo = "claurst"; + rev = "v${version}"; + hash = "sha256-bTQHtZGZxhEAki0JxSC8smAC3w+otm8ubHvZ9MvwDaE="; + }; + + cargoRoot = "src-rust"; + cargoHash = "sha256-6+B43spqmUZ983YMl5UBH5647DcUOS2ngw5ChMIPFFo="; + buildAndTestSubdir = "src-rust"; + doCheck = false; + + nativeBuildInputs = [ + pkg-config + ]; + + buildInputs = [ + openssl + alsa-lib + dbus + libxkbcommon + libxcb + ]; + + meta = with lib; { + description = "Terminal coding agent written in Rust"; + homepage = "https://github.com/Kuberwastaken/claurst"; + license = licenses.gpl3Only; + mainProgram = "claurst"; + platforms = platforms.linux; + }; +} diff --git a/users/alice/home.nix b/users/alice/home.nix index db607d5..1bad4b5 100644 --- a/users/alice/home.nix 
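Review bot: `doCheck = false;` in the new pkgs/claurst/default.nix switches off the upstream test suite without saying why, which is the first thing the next person bumping `version` will need to know; annotate it, e.g. `doCheck = false; # TODO(review): state why tests are skipped (network access, runtime, ...)`. The `meta = with lib; { ... }` block also opens an implicit scope over every attribute in it; current nixpkgs review practice prefers the explicit `lib.licenses.gpl3Only` / `lib.platforms.linux` spellings, which read the same and avoid name resolution surprises later.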
+++ b/users/alice/home.nix @@ -2,6 +2,7 @@ config, pkgs, lib, + outputs, machineConfig, ... }: @@ -90,6 +91,7 @@ gocryptfs awscli2 + outputs.packages.${pkgs.system}.claurst ]; }; From f878369896cf7463764cf5f5177c5214c269bbe4 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Fri, 1 May 2026 01:17:39 -0400 Subject: [PATCH 2/6] add overlay --- .vscode/extensions.json | 8 ++++---- .vscode/mcp.json | 2 +- flake.nix | 14 ++++++-------- pkgs/default.nix | 33 +++++++++++++++++++++++++++++++++ users/alice/home.nix | 3 +-- 5 files changed, 45 insertions(+), 15 deletions(-) create mode 100644 pkgs/default.nix diff --git a/.vscode/extensions.json b/.vscode/extensions.json index 741afdd..1eb4248 100644 --- a/.vscode/extensions.json +++ b/.vscode/extensions.json @@ -1,5 +1,5 @@ { - "recommendations": [ - "davidanson.vscode-markdownlint" - ] -} \ No newline at end of file + "recommendations": [ + "davidanson.vscode-markdownlint" + ] +} diff --git a/.vscode/mcp.json b/.vscode/mcp.json index 9e26dfe..0967ef4 100644 --- a/.vscode/mcp.json +++ b/.vscode/mcp.json @@ -1 +1 @@ -{} \ No newline at end of file +{} diff --git a/flake.nix b/flake.nix index 0e81d31..ef00814 100644 --- a/flake.nix +++ b/flake.nix 
@@ -164,19 +164,23 @@ lib = self; } ); + packageSetup = import ./pkgs/default.nix { inherit nixpkgs; }; + inherit (packageSetup) localPackagesOverlay; inherit (lib.adev.systems) genSystems getImages; inherit (self) outputs; # for hydra in rec { inherit lib; # for allowing use of custom functions in nix repl + overlays.default = localPackagesOverlay; + hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; }; formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt); nixosConfigurations = genSystems inputs outputs src (src + "/systems"); homeConfigurations = { "alice" = inputs.home-manager.lib.homeManagerConfiguration { - pkgs = import nixpkgs { system = "x86_64-linux"; }; + pkgs = packageSetup.mkPkgs "x86_64-linux"; modules = [ inputs.stylix.homeModules.stylix inputs.sops-nix.homeManagerModules.sops @@ -203,13 +207,7 @@ qcow = getImages nixosConfigurations "qcow"; }; - packages.x86_64-linux.lego-latest = - nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix - { }; - - packages.x86_64-linux.claurst = - nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/claurst/default.nix - { }; + packages = forEachSystem packageSetup.mkPackages; checks = import ./checks.nix { inherit inputs forEachSystem formatter; }; devShells = import ./shell.nix { inherit inputs forEachSystem checks; }; diff --git a/pkgs/default.nix b/pkgs/default.nix new file mode 100644 index 0000000..b320264 --- /dev/null +++ b/pkgs/default.nix @@ -0,0 +1,33 @@ +{ nixpkgs }: +let + localPackagesOverlay = final: _prev: { + lego-latest = final.callPackage ./lego-latest/default.nix { }; + claurst = final.callPackage ./claurst/default.nix { }; + }; + + mkPkgs = + system: + import nixpkgs { + inherit system; + overlays = [ localPackagesOverlay ]; + }; + + mkPackages = + system: + let + pkgs = mkPkgs system; + in + { + inherit (pkgs) + lego-latest + claurst + ; + }; +in +{ + inherit + localPackagesOverlay + mkPkgs + mkPackages + ; +} 
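Review bot: `mkPackages` in pkgs/default.nix repeats the package list that `localPackagesOverlay` already defines (`lego-latest`, `claurst`), so a package added to the overlay is silently absent from `packages` until both places are edited. Deriving the set from the overlay keeps one source of truth, e.g. `builtins.intersectAttrs (localPackagesOverlay { } { }) pkgs` in place of the `inherit (pkgs) lego-latest claurst;` block (only the attribute names are enumerated, the values are not forced). Separately, `packages = forEachSystem packageSetup.mkPackages` in flake.nix now instantiates `claurst`, whose meta declares `platforms = platforms.linux`, for every system `forEachSystem` covers; if that list includes a non-Linux system, `nix flake check` will refuse that derivation, and wrapping the result in `pkgs.lib.filterAttrs (_: p: pkgs.lib.meta.availableOn pkgs.stdenv.hostPlatform p)` avoids it.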
diff --git a/users/alice/home.nix b/users/alice/home.nix index 1bad4b5..a07b8cf 100644 --- a/users/alice/home.nix +++ b/users/alice/home.nix @@ -2,7 +2,6 @@ config, pkgs, lib, - outputs, machineConfig, ... }: @@ -91,7 +90,7 @@ gocryptfs awscli2 - outputs.packages.${pkgs.system}.claurst + claurst ]; }; From 6ef3f87d160be81737037d1f4393dcdaefb79559 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Fri, 1 May 2026 01:23:19 -0400 Subject: [PATCH 3/6] add agents.md --- AGENTS.md | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 AGENTS.md diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..478673d --- /dev/null +++ b/AGENTS.md 
@@ -0,0 +1,105 @@ +> Note: This document was AI-generated and reviewed by a maintainer. + +# AGENTS Guide for nix-dotfiles + +This file is the quick-start map for coding agents working in this repository. +Use this first, then follow the linked source files for full detail. + +## Purpose and Scope + +- Repository type: flake-based NixOS + Home Manager dotfiles/infrastructure. +- Primary goals: safe system/user config edits, reproducible builds, and clean secrets handling. +- Default assumption: preserve existing module patterns and avoid broad refactors unless requested. + +## Source of Truth + +Read these files before substantial changes: + +- `.github/copilot-instructions.md`: Full repository guide for structure, workflows, dynamic system generation, module patterns, and SOPS handling. +- `.github/instructions/ai-doc-attribution.instructions.md`: Markdown rule for top-of-document attribution when docs are fully AI-generated. +- `flake.nix`: Flake inputs/outputs entrypoint; system generation begins here. +- `lib/systems.nix`: Core dynamic config assembly (`genSystems`, `constructSystem`, and wrapper generators). +- `systems//default.nix`: Per-host parameters (users, home, sops, server role, extra modules). +- `systems//configuration.nix`: Main host config. +- `modules/*.nix`: Global modules automatically imported into all systems. +- `users//home.nix` and `users//default.nix`: Home Manager and user account configuration. +- `hydra/jobs.nix` and `hydra/jobsets.nix`: CI/build orchestration details. + +## Repo Mental Model + +- `systems/` contains host-specific configs. +- `modules/` contains global modules applied across hosts. +- `users/` contains user and home-manager configs. +- `lib/systems.nix` auto-discovers hosts and composes final configs. +- SOPS secrets are colocated with hosts/users via `secrets.yaml` files. + +## Dynamic Configuration Rules + +- Hosts are auto-discovered from subdirectories in `systems/`. 
+- Each host's `default.nix` feeds `constructSystem` parameters. +- Effective module merge order matters. High-level order is: 1) base external + modules, 2) host essentials (`hardware.nix`, `configuration.nix`), 3) + host-specific modules from `systems//default.nix`, 4) global + `modules/*.nix`, 5) optional SOPS and Home Manager/user layers. +- Global modules load after host config, so explicit overrides may require `lib.mkForce` depending on target option. + +## Editing Conventions + +- Keep changes minimal and scoped to the requested behavior. +- Preserve existing Nix style and option naming patterns. +- Prefer module options + `lib.mkIf` toggles over hard-coded behavior. +- Use `lib.mkDefault` for soft defaults and `lib.mkForce` only when necessary. +- Do not commit plaintext secrets. +- Update docs when behavior/workflow changes. + +## Validation and Workflow + +Typical local sequence: + +1. Make targeted edits. +2. Evaluate and build with `nix flake check` and `nix build .#`. +3. Optionally deploy/apply with `nh os switch` or `nh home switch`. +4. For secrets-related changes, edit with `sops .../secrets.yaml` and validate expected `config.sops.secrets` evaluation paths. + +## Secrets and Safety + +- Secrets live in `systems//secrets.yaml` and `users//secrets.yaml`. +- Use SOPS for create/edit/rekey operations. +- During merge conflicts in encrypted files, prefer repository SOPS merge tooling (`utils/sops-mergetool.sh`, `utils/sops-mergetool-new.sh`). + +## Agent and Tool Routing + +When a specialized agent is available, route work by intent: + +- `Explore`: Fast read-only repository exploration and Q&A. +- `dependency-auditor`: Flake/module dependency security and CVE-oriented audits. +- `security-researcher`: Read-only server security configuration audits. +- `server-architect`: Server integration/review planning for `palatine-hill` style infra changes. 
+ +Use Nix lookup tooling for package/options discovery; prefer `unstable` channel when channel selection is available. + +## Where To Look Next (By Task) + +- Add a new host: see `.github/copilot-instructions.md` sections on "Adding a New NixOS System", plus `systems//default.nix`, `hardware.nix`, and `configuration.nix`. +- Add/modify a global capability: see `modules/*.nix` and the `.github/copilot-instructions.md` section "Adding a Global Module to modules/". +- Change user/home-manager behavior: see `users//home.nix` and `users//default.nix`. +- Modify build/release automation: see `hydra/jobs.nix` and `hydra/jobsets.nix`. +- Work with secrets: see `.sops.yaml`, `systems/*/secrets.yaml`, `users/*/secrets.yaml`, and the `.github/copilot-instructions.md` section "Secrets Management". +- Validate module composition/debug evaluation: see `lib/systems.nix` and `nix eval .#nixosConfigurations....`. + +## Documentation Attribution Rule + +For Markdown docs (`**/*.md`): + +- If a document is fully AI-generated, include explicit attribution near the top. +- Accepted label includes "AI-generated documentation" wording. +- Do not imply fully human authorship for fully AI-authored content. + +## Quick Command Reference + +- `nh os build` +- `nh os switch` +- `nh home switch` +- `nix build .#` +- `nix flake check` +- `nix eval .#nixosConfigurations..config.` From 41e50f98b5a1cd9ba0d6de6b30240279c70ed833 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Fri, 1 May 2026 01:31:44 -0400 Subject: [PATCH 4/6] add maintainer info --- pkgs/bitwarden-rofi/default.nix | 2 ++ pkgs/claurst/default.nix | 4 ++++ pkgs/maintainers.nix | 8 ++++++++ 3 files changed, 14 insertions(+) create mode 100644 pkgs/maintainers.nix diff --git a/pkgs/bitwarden-rofi/default.nix b/pkgs/bitwarden-rofi/default.nix index 50c49bc..bae8f39 100644 --- a/pkgs/bitwarden-rofi/default.nix +++ b/pkgs/bitwarden-rofi/default.nix 
@@ -19,6 +19,7 @@ libnotify, }: let + maintainers = import ../maintainers.nix; bins = [ jq bitwarden-cli @@ -64,6 +65,7 @@ stdenv.mkDerivation { description = "Wrapper for Bitwarden and Rofi"; homepage = "https://github.com/mattydebie/bitwarden-rofi"; license = licenses.gpl3; + maintainers = [ maintainers.alice ]; platforms = platforms.linux; }; diff --git a/pkgs/claurst/default.nix b/pkgs/claurst/default.nix index 3960439..48440c0 100644 --- a/pkgs/claurst/default.nix +++ b/pkgs/claurst/default.nix @@ -10,6 +10,9 @@ libxcb, }: +let + maintainers = import ../maintainers.nix; +in rustPlatform.buildRustPackage rec { pname = "claurst"; version = "0.0.9"; @@ -43,6 +46,7 @@ rustPlatform.buildRustPackage rec { homepage = "https://github.com/Kuberwastaken/claurst"; license = licenses.gpl3Only; mainProgram = "claurst"; + maintainers = [ maintainers.alice ]; platforms = platforms.linux; }; } diff --git a/pkgs/maintainers.nix b/pkgs/maintainers.nix new file mode 100644 index 0000000..338f026 --- /dev/null +++ b/pkgs/maintainers.nix @@ -0,0 +1,8 @@ +{ + alice = { + name = "Alice Huston"; + email = "aliceghuston@gmail.com"; + github = "ahuston-0"; + githubId = 43225907; + }; +} From eb4609613eeb1b1d484cfd513f756c10aae048ba Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Fri, 1 May 2026 01:39:38 -0400 Subject: [PATCH 5/6] fix overlays --- lib/systems.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/systems.nix b/lib/systems.nix index 8c24735..d93a81b 100644 --- a/lib/systems.nix +++ b/lib/systems.nix @@ -172,6 +172,7 @@ rec { modules = [ inputs.nixos-modules.nixosModule inputs.nix-index-database.nixosModules.nix-index + { nixpkgs.overlays = [ outputs.overlays.default ]; } (genHostName hostname) (configPath + "/hardware.nix") (configPath + "/configuration.nix") From 1851df463ca40f4c64aa8e45f79b5cd124016da9 Mon Sep 17 00:00:00 2001 
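Review bot: `let maintainers = import ../maintainers.nix;` is bound in two files whose `meta` block is written as `with lib; { ... }`, where `lib.maintainers` is the nixpkgs attribute of the same name; the let-binding takes precedence in Nix, so `maintainers = [ maintainers.alice ];` evaluates as intended, but a reader has to know that precedence rule to see that `alice` comes from the local file and not from nixpkgs. Rename the binding so the two meanings do not collide, e.g. `localMaintainers = import ../maintainers.nix;` and `maintainers = [ localMaintainers.alice ];`, in both pkgs/bitwarden-rofi/default.nix and pkgs/claurst/default.nix.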
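Review bot: The anonymous module `{ nixpkgs.overlays = [ outputs.overlays.default ]; }` added to the host module list in lib/systems.nix carries no comment, and nothing in the hunk says what the overlay provides or why it is injected for every host rather than per host; the enclosing `modules = [ ... ]` list continues outside the hunk. A one-line comment would do, e.g. `# local packages from pkgs/default.nix (lego-latest, claurst), so host and home-manager configs see them in pkgs`.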
From: ahuston-0 Date: Fri, 1 May 2026 10:53:46 -0400 Subject: [PATCH 6/6] claurst update script --- .github/workflows/update-claurst.yml | 181 +++++++++++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 .github/workflows/update-claurst.yml diff --git a/.github/workflows/update-claurst.yml b/.github/workflows/update-claurst.yml new file mode 100644 index 0000000..787ab89 --- /dev/null +++ b/.github/workflows/update-claurst.yml 
@@ -0,0 +1,181 @@ +name: "Update claurst" +on: + repository_dispatch: + workflow_dispatch: + schedule: + - cron: "00 14 * * 1" # Every Monday at 14:00 UTC +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true +jobs: + update_claurst: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install nix + uses: https://github.com/DeterminateSystems/nix-installer-action@main + + - name: Setup Attic cache + uses: ryanccn/attic-action@v0 + with: + endpoint: ${{ secrets.ATTIC_ENDPOINT }} + cache: ${{ secrets.ATTIC_CACHE }} + token: ${{ secrets.ATTIC_TOKEN }} + skip-push: "true" + + - name: Get current claurst version + id: current + run: | + VERSION=$(grep 'version = ' pkgs/claurst/default.nix | head -1 | sed 's/.*version = "\(.*\)".*/\1/') + echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "Current version: $VERSION" + + - name: Get latest claurst release + id: latest + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const release = await github.rest.repos.getLatestRelease({ + owner: 'Kuberwastaken', + repo: 'claurst', + }); + const tag = release.data.tag_name.replace(/^v/, ''); + core.setOutput('version', tag); + core.info(`Latest release: ${tag}`); + + - name: Check if update needed + id: check_update + run: | + CURRENT="${{ steps.current.outputs.version }}" + LATEST="${{ steps.latest.outputs.version }}" + if [ "$CURRENT" = "$LATEST" ]; then + echo "No update needed (current: $CURRENT, latest: $LATEST)" + echo "update_needed=false" >> $GITHUB_OUTPUT + else + echo "Update needed (current: $CURRENT, latest: $LATEST)" + echo "update_needed=true" >> $GITHUB_OUTPUT + fi + + - name: Update claurst if new version available + if: steps.check_update.outputs.update_needed == 'true' + id: update + run: | + NEW_VERSION="${{ steps.latest.outputs.version }}" + + # Backup original file + cp pkgs/claurst/default.nix 
pkgs/claurst/default.nix.bak + + # Update version placeholder with empty hash to compute it + sed -i "s/version = \"[^\"]*\"/version = \"$NEW_VERSION\"/" pkgs/claurst/default.nix + + # Try to fetch the new src hash + echo "Computing src hash for v$NEW_VERSION..." + SRC_HASH=$(nix-prefetch-url --unpack "https://github.com/Kuberwastaken/claurst/archive/refs/tags/v$NEW_VERSION.tar.gz" 2>/dev/null | tail -1 || echo "") + + if [ -z "$SRC_HASH" ]; then + echo "Failed to compute src hash, reverting" + mv pkgs/claurst/default.nix.bak pkgs/claurst/default.nix + exit 1 + fi + + SRC_HASH="sha256-$SRC_HASH" + echo "New src hash: $SRC_HASH" + + # Update src hash + sed -i "s|hash = \"sha256-[^\"]*\"|hash = \"$SRC_HASH\"|" pkgs/claurst/default.nix + + # Compute cargoHash - this requires building + echo "Computing cargo hash..." + CARGO_HASH=$(nix build \ + --no-eval-cache \ + --expr "(import ./pkgs/default.nix { nixpkgs = import { }; }).mkPkgs \"x86_64-linux\" | .claurst" \ + 2>&1 | grep -oP 'got:\s*\K[^"]+' | head -1 || echo "") + + if [ -z "$CARGO_HASH" ]; then + echo "Failed to compute cargo hash, trying with attribute substitution..." + CARGO_HASH=$(nix eval \ + --impure \ + --expr " + let + pkgs = import { config.allowUnsupportedSystem = true; }; + claurst = import pkgs/claurst { inherit pkgs; }; + in claurst.cargoHash + " 2>&1 | tail -1) + fi + + if [ ! -z "$CARGO_HASH" ]; then + echo "New cargo hash: $CARGO_HASH" + sed -i "s|cargoHash = \"[^\"]*\"|cargoHash = \"$CARGO_HASH\"|" pkgs/claurst/default.nix + fi + + rm -f pkgs/claurst/default.nix.bak + echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT + + - name: Validate nix flake + if: steps.check_update.outputs.update_needed == 'true' + run: | + echo "Running nix flake check..." + nix flake check --show-trace || true + + - name: Build claurst to verify changes + if: steps.check_update.outputs.update_needed == 'true' + run: | + echo "Building updated claurst package..." 
+ nix build ".#artemision.config.environment.systemPackages" --no-eval-cache 2>&1 | tail -20 || true + + - name: Generate PR body + if: steps.check_update.outputs.update_needed == 'true' + id: pr_body + run: | + cat > pr_body.md << 'EOF' + # Claurst Update + + Automated claurst package update. + + **Changes:** + - Version: `${{ steps.current.outputs.version }}` → `${{ steps.update.outputs.version }}` + - Source hash updated + - Cargo hash updated + + Auto-generated by [update-claurst.yml][1]. + + [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml + EOF + cat pr_body.md + + - name: Create Pull Request + if: steps.check_update.outputs.update_needed == 'true' + uses: https://nayeonie.com/ahuston-0/create-pull-request@main + with: + token: ${{ secrets.GH_TOKEN_FOR_UPDATES }} + add-paths: pkgs/claurst/default.nix + body-path: pr_body.md + author: '"github-actions[bot]" ' + title: "automated: Update claurst to ${{ steps.update.outputs.version }}" + commit-message: | + automated: Update claurst to ${{ steps.update.outputs.version }} + + - Bumped version from ${{ steps.current.outputs.version }} to ${{ steps.update.outputs.version }} + - Updated src and cargo hashes + + Auto-generated by [update-claurst.yml][1]. + + [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml + branch: update-claurst + delete-branch: true + pr-labels: | + dependencies + automated + + - name: Print PR result + if: steps.check_update.outputs.update_needed == 'true' + run: | + echo "Pull request created successfully" + echo "Version updated: ${{ steps.current.outputs.version }} → ${{ steps.update.outputs.version }}" + +permissions: + pull-requests: write + contents: write
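Review bot: `${{ steps.latest.outputs.version }}` is expanded directly into the `run:` script of the update step, and that value is the release tag name of a third-party repository, so a tag containing shell metacharacters would be executed on the runner; pass it in through `env:` and reject anything that is not a plain `X.Y.Z` before it reaches `sed`. The src hash is also wrong in form: `nix-prefetch-url` prints base32, so `sha256-$SRC_HASH` is not the SRI string `fetchFromGitHub` expects and needs `nix hash to-sri --type sha256`. The cargoHash branch cannot work as written (`| .claurst` is not Nix, and `import { }` as rendered has no path argument), and the `nix eval` fallback's `2>&1 | tail -1` puts the last line of any error message into `CARGO_HASH`, which the `[ ! -z ]` check then writes into the file, while the `|| true` on the flake-check and build steps means the pull request is opened regardless of the outcome. The `uses:` references on `@main` and `@v0` resolve to whatever those branches point at on the day the job runs; pin them to a commit SHA so the build and PR-creation code is reviewable. The step below replaces the update step: it validates the tag, converts the src hash, blanks `cargoHash` with `lib.fakeHash` (`lib` is already an argument of pkgs/claurst/default.nix), builds `.#claurst` as exposed by `packages` earlier in this series, and records the hash from the mismatch message, failing the job instead of carrying on when any of that does not happen.
```yaml
      - name: Update claurst if new version available
        if: steps.check_update.outputs.update_needed == 'true'
        id: update
        env:
          # Tag name originates in the upstream repository: never splice it into the script via ${{ }}
          NEW_VERSION: ${{ steps.latest.outputs.version }}
        run: |
          case "$NEW_VERSION" in
            *[!0-9.]*|"") echo "Refusing unexpected tag name: $NEW_VERSION"; exit 1 ;;
          esac
          sed -i "s/version = \"[^\"]*\"/version = \"$NEW_VERSION\"/" pkgs/claurst/default.nix

          # nix-prefetch-url prints base32; fetchFromGitHub's `hash` must be the SRI form
          RAW_HASH=$(nix-prefetch-url --unpack "https://github.com/Kuberwastaken/claurst/archive/refs/tags/v$NEW_VERSION.tar.gz")
          SRC_HASH=$(nix hash to-sri --type sha256 "$RAW_HASH")
          sed -i "s|hash = \"sha256-[^\"]*\"|hash = \"$SRC_HASH\"|" pkgs/claurst/default.nix

          # Blank cargoHash so the vendor derivation fails with the real hash, then record it
          sed -i 's|cargoHash = "[^"]*";|cargoHash = lib.fakeHash;|' pkgs/claurst/default.nix
          CARGO_HASH=$(nix build .#claurst --no-link 2>&1 | grep -oP 'got:\s*\K\S+' | head -1 || true)
          [ -n "$CARGO_HASH" ] || { echo "Failed to compute cargo hash"; exit 1; }
          sed -i "s|cargoHash = lib.fakeHash;|cargoHash = \"$CARGO_HASH\";|" pkgs/claurst/default.nix

          echo "version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
      # … unchanged: flake check, build verification, PR body and PR creation steps (drop their `|| true`) …
```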