Merge pull request 'feature/claurst' (#221) from feature/claurst into main

Reviewed-on: #221

.vscode/extensions.json

@@ -1,5 +1,5 @@
 {
-    "recommendations": [
-        "davidanson.vscode-markdownlint"
-    ]
-}
+  "recommendations": [
+    "davidanson.vscode-markdownlint"
+  ]
+}

.vscode/mcp.json

@@ -1 +1 @@
-{}
+{}

AGENTS.md

@@ -0,0 +1,105 @@
+> Note: This document was AI-generated and reviewed by a maintainer.
+
+# AGENTS Guide for nix-dotfiles
+
+This file is the quick-start map for coding agents working in this repository.
+Use this first, then follow the linked source files for full detail.
+
+## Purpose and Scope
+
+- Repository type: flake-based NixOS + Home Manager dotfiles/infrastructure.
+- Primary goals: safe system/user config edits, reproducible builds, and clean secrets handling.
+- Default assumption: preserve existing module patterns and avoid broad refactors unless requested.
+
+## Source of Truth
+
+Read these files before substantial changes:
+
+- `.github/copilot-instructions.md`: Full repository guide for structure, workflows, dynamic system generation, module patterns, and SOPS handling.
+- `.github/instructions/ai-doc-attribution.instructions.md`: Markdown rule for top-of-document attribution when docs are fully AI-generated.
+- `flake.nix`: Flake inputs/outputs entrypoint; system generation begins here.
+- `lib/systems.nix`: Core dynamic config assembly (`genSystems`, `constructSystem`, and wrapper generators).
+- `systems/<hostname>/default.nix`: Per-host parameters (users, home, sops, server role, extra modules).
+- `systems/<hostname>/configuration.nix`: Main host config.
+- `modules/*.nix`: Global modules automatically imported into all systems.
+- `users/<username>/home.nix` and `users/<username>/default.nix`: Home Manager and user account configuration.
+- `hydra/jobs.nix` and `hydra/jobsets.nix`: CI/build orchestration details.
+
+## Repo Mental Model
+
+- `systems/` contains host-specific configs.
+- `modules/` contains global modules applied across hosts.
+- `users/` contains user and home-manager configs.
+- `lib/systems.nix` auto-discovers hosts and composes final configs.
+- SOPS secrets are colocated with hosts/users via `secrets.yaml` files.
+
+## Dynamic Configuration Rules
+
+- Hosts are auto-discovered from subdirectories in `systems/`.
+- Each host's `default.nix` feeds `constructSystem` parameters.
+- Effective module merge order matters. High-level order is: 1) base external
+  modules, 2) host essentials (`hardware.nix`, `configuration.nix`), 3)
+  host-specific modules from `systems/<host>/default.nix`, 4) global
+  `modules/*.nix`, 5) optional SOPS and Home Manager/user layers.
+- Global modules load after host config, so explicit overrides may require `lib.mkForce` depending on target option.
+
+## Editing Conventions
+
+- Keep changes minimal and scoped to the requested behavior.
+- Preserve existing Nix style and option naming patterns.
+- Prefer module options + `lib.mkIf` toggles over hard-coded behavior.
+- Use `lib.mkDefault` for soft defaults and `lib.mkForce` only when necessary.
+- Do not commit plaintext secrets.
+- Update docs when behavior/workflow changes.
+
+## Validation and Workflow
+
+Typical local sequence:
+
+1. Make targeted edits.
+2. Evaluate and build with `nix flake check` and `nix build .#<hostname>`.
+3. Optionally deploy/apply with `nh os switch` or `nh home switch`.
+4. For secrets-related changes, edit with `sops .../secrets.yaml` and validate expected `config.sops.secrets` evaluation paths.
+
+## Secrets and Safety
+
+- Secrets live in `systems/<hostname>/secrets.yaml` and `users/<username>/secrets.yaml`.
+- Use SOPS for create/edit/rekey operations.
+- During merge conflicts in encrypted files, prefer repository SOPS merge tooling (`utils/sops-mergetool.sh`, `utils/sops-mergetool-new.sh`).
+
+## Agent and Tool Routing
+
+When a specialized agent is available, route work by intent:
+
+- `Explore`: Fast read-only repository exploration and Q&A.
+- `dependency-auditor`: Flake/module dependency security and CVE-oriented audits.
+- `security-researcher`: Read-only server security configuration audits.
+- `server-architect`: Server integration/review planning for `palatine-hill` style infra changes.
+
+Use Nix lookup tooling for package/options discovery; prefer `unstable` channel when channel selection is available.
+
+## Where To Look Next (By Task)
+
+- Add a new host: see `.github/copilot-instructions.md` sections on "Adding a New NixOS System", plus `systems/<new-host>/default.nix`, `hardware.nix`, and `configuration.nix`.
+- Add/modify a global capability: see `modules/*.nix` and the `.github/copilot-instructions.md` section "Adding a Global Module to modules/".
+- Change user/home-manager behavior: see `users/<username>/home.nix` and `users/<username>/default.nix`.
+- Modify build/release automation: see `hydra/jobs.nix` and `hydra/jobsets.nix`.
+- Work with secrets: see `.sops.yaml`, `systems/*/secrets.yaml`, `users/*/secrets.yaml`, and the `.github/copilot-instructions.md` section "Secrets Management".
+- Validate module composition/debug evaluation: see `lib/systems.nix` and `nix eval .#nixosConfigurations.<host>...`.
+
+## Documentation Attribution Rule
+
+For Markdown docs (`**/*.md`):
+
+- If a document is fully AI-generated, include explicit attribution near the top.
+- Accepted label includes "AI-generated documentation" wording.
+- Do not imply fully human authorship for fully AI-authored content.
+
+## Quick Command Reference
+
+- `nh os build`
+- `nh os switch`
+- `nh home switch`
+- `nix build .#<hostname>`
+- `nix flake check`
+- `nix eval .#nixosConfigurations.<hostname>.config.<path>`

flake.lock

@@ -76,11 +76,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1777262571,
-        "narHash": "sha256-ni1Cz9BChOXO6C0H4cRAq6bJRQIUV40Yet306ZOEEHs=",
+        "lastModified": 1776398575,
+        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "0827fcbe30e591e79b0554ecc5be9c79ba71a86b",
+        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
         "type": "gitlab"
       },
       "original": {
@@ -240,11 +240,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777258755,
-        "narHash": "sha256-EC07KwADRE2LdIk7vEDyAaD3I0ZUq24T9jQF9L0iEPk=",
+        "lastModified": 1776454077,
+        "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7f8bbc93d63401e41368d6ddc46a4f631610fa90",
+        "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
         "type": "github"
       },
       "original": {
@@ -335,11 +335,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777181277,
-        "narHash": "sha256-yVJbd07ortDRAttDFmDV5p220aOLTHgVAx//0nW/xW8=",
+        "lastModified": 1775970782,
+        "narHash": "sha256-7jt9Vpm48Yy5yAWigYpde+HxtYEpEuyzIQJF4VYehhk=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "b8eb7acee0f7604fe1bf6a5b3dcf5254369180fa",
+        "rev": "bedba5989b04614fc598af9633033b95a937933f",
         "type": "github"
       },
       "original": {
@@ -415,11 +415,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1776983936,
-        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "lastModified": 1775490113,
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
         "type": "github"
       },
       "original": {
@@ -500,11 +500,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1776877367,
-        "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
+        "lastModified": 1776169885,
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
         "type": "github"
       },
       "original": {
@@ -550,11 +550,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776796298,
-        "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=",
+        "lastModified": 1775585728,
+        "narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad",
+        "rev": "580633fa3fe5fc0379905986543fd7495481913d",
         "type": "github"
       },
       "original": {
@@ -594,11 +594,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777259803,
-        "narHash": "sha256-fIb/EoVu/1U0qVrE6qZCJ2WCfprRpywNIAVzKEACIQc=",
+        "lastModified": 1776395632,
+        "narHash": "sha256-Mi1uF5f2FsdBIvy+v7MtsqxD3Xjhd0ARJdwoqqqPtJo=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "a6cb2224d975e16b5e67de688c6ad306f7203425",
+        "rev": "8087ff1f47fff983a1fba70fa88b759f2fd8ae97",
         "type": "github"
       },
       "original": {
@@ -614,11 +614,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776771786,
-        "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=",
+        "lastModified": 1776119890,
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
         "type": "github"
       },
       "original": {
@@ -647,11 +647,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1776893932,
-        "narHash": "sha256-AFD5cf9eNqXq1brHS63xeZy2xKZMgG9J86XJ9I2eLn8=",
+        "lastModified": 1776170745,
+        "narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "84971726c7ef0bb3669a5443e151cc226e65c518",
+        "rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9",
         "type": "github"
       },
       "original": {
@@ -767,11 +767,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777064547,
-        "narHash": "sha256-hssXWvyy6bzaGi9FuZQPGxVBLzQKRPDht13O0Y+Qxmo=",
+        "lastModified": 1775531246,
+        "narHash": "sha256-sbVYa4TS2Q1pkSjs8CvHsPGYFM5w4d9od4ltzIGV/bA=",
         "owner": "Toqozz",
         "repo": "wired-notify",
-        "rev": "95edd8613b1636639857a3fba403155cef82eb5d",
+        "rev": "4fd4283803f198302af1a6a75b2225568004b343",
         "type": "github"
       },
       "original": {

flake.nix

@@ -164,19 +164,23 @@
           lib = self;
         }
       );
+      packageSetup = import ./pkgs/default.nix { inherit nixpkgs; };
+      inherit (packageSetup) localPackagesOverlay;
       inherit (lib.adev.systems) genSystems getImages;
       inherit (self) outputs; # for hydra
     in
     rec {
       inherit lib; # for allowing use of custom functions in nix repl
 
+      overlays.default = localPackagesOverlay;
+
       hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
       formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt);
 
       nixosConfigurations = genSystems inputs outputs src (src + "/systems");
       homeConfigurations = {
         "alice" = inputs.home-manager.lib.homeManagerConfiguration {
-          pkgs = import nixpkgs { system = "x86_64-linux"; };
+          pkgs = packageSetup.mkPkgs "x86_64-linux";
           modules = [
             inputs.stylix.homeModules.stylix
             inputs.sops-nix.homeManagerModules.sops
@@ -203,9 +207,7 @@
         qcow = getImages nixosConfigurations "qcow";
       };
 
-      packages.x86_64-linux.lego-latest =
-        nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
-          { };
+      packages = forEachSystem packageSetup.mkPackages;
 
       checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
       devShells = import ./shell.nix { inherit inputs forEachSystem checks; };

lib/systems.nix

@@ -172,6 +172,7 @@ rec {
       modules = [
         inputs.nixos-modules.nixosModule
         inputs.nix-index-database.nixosModules.nix-index
+        { nixpkgs.overlays = [ outputs.overlays.default ]; }
         (genHostName hostname)
         (configPath + "/hardware.nix")
         (configPath + "/configuration.nix")

pkgs/bitwarden-rofi/default.nix

@@ -19,6 +19,7 @@
   libnotify,
 }:
 let
+  maintainers = import ../maintainers.nix;
   bins = [
     jq
     bitwarden-cli
@@ -64,6 +65,7 @@ stdenv.mkDerivation {
     description = "Wrapper for Bitwarden and Rofi";
     homepage = "https://github.com/mattydebie/bitwarden-rofi";
     license = licenses.gpl3;
+    maintainers = [ maintainers.alice ];
     platforms = platforms.linux;
   };
 

pkgs/claurst/default.nix

@@ -0,0 +1,52 @@
+{
+  lib,
+  fetchFromGitHub,
+  rustPlatform,
+  pkg-config,
+  openssl,
+  alsa-lib,
+  dbus,
+  libxkbcommon,
+  libxcb,
+}:
+
+let
+  maintainers = import ../maintainers.nix;
+in
+rustPlatform.buildRustPackage rec {
+  pname = "claurst";
+  version = "0.0.9";
+
+  src = fetchFromGitHub {
+    owner = "Kuberwastaken";
+    repo = "claurst";
+    rev = "v${version}";
+    hash = "sha256-bTQHtZGZxhEAki0JxSC8smAC3w+otm8ubHvZ9MvwDaE=";
+  };
+
+  cargoRoot = "src-rust";
+  cargoHash = "sha256-6+B43spqmUZ983YMl5UBH5647DcUOS2ngw5ChMIPFFo=";
+  buildAndTestSubdir = "src-rust";
+  doCheck = false;
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    openssl
+    alsa-lib
+    dbus
+    libxkbcommon
+    libxcb
+  ];
+
+  meta = with lib; {
+    description = "Terminal coding agent written in Rust";
+    homepage = "https://github.com/Kuberwastaken/claurst";
+    license = licenses.gpl3Only;
+    mainProgram = "claurst";
+    maintainers = [ maintainers.alice ];
+    platforms = platforms.linux;
+  };
+}

pkgs/default.nix

@@ -0,0 +1,33 @@
+{ nixpkgs }:
+let
+  localPackagesOverlay = final: _prev: {
+    lego-latest = final.callPackage ./lego-latest/default.nix { };
+    claurst = final.callPackage ./claurst/default.nix { };
+  };
+
+  mkPkgs =
+    system:
+    import nixpkgs {
+      inherit system;
+      overlays = [ localPackagesOverlay ];
+    };
+
+  mkPackages =
+    system:
+    let
+      pkgs = mkPkgs system;
+    in
+    {
+      inherit (pkgs)
+        lego-latest
+        claurst
+        ;
+    };
+in
+{
+  inherit
+    localPackagesOverlay
+    mkPkgs
+    mkPackages
+    ;
+}

pkgs/maintainers.nix

@@ -0,0 +1,8 @@
+{
+  alice = {
+    name = "Alice Huston";
+    email = "aliceghuston@gmail.com";
+    github = "ahuston-0";
+    githubId = 43225907;
+  };
+}

users/alice/home.nix

@@ -90,6 +90,7 @@
 
       gocryptfs
       awscli2
+      claurst
     ];
   };