Creates a second normal user `rialo` (uid 1001) on the amd system,
member of wheel/docker/dialout/tss and listed in nix.settings.trusted-users
so they can manage the Nix daemon. The home config imports harald@amd
and replicates the bash→fish auto-exec snippet (which lives in the NixOS
user module and only fires for the primary metacfg user).

Add the rag CLI to the m4 and amd hosts and point its default API_BASE
and QDRANT_URL at sgx (where the gateway and Qdrant run) instead of
localhost. The services live on sgx, so a localhost default only worked
there; sgx resolves to itself on sgx, so this default is correct on every
host and leaves only RAG_API_KEY to set.

New `metacfg.services.opencode` module under modules/nixos/services/opencode/
with options for port, user, homeDir, sopsFile, and extraPackages. User and
homeDir default off `metacfg.user`. Host configs for amd and sgx reduce to
enabling the module and pointing at their respective sops file.

Service PATH gains jq, yq-go, python3, gh, gnutar, gzip, unzip, wget,
diffutils, patch, file, tree, bun, uv, ast-grep, claude-code, and tmux for
agent ergonomics.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The full nix-ld library list shadowed nix's own curl, breaking
libnixstore.so with "CURL_OPENSSL_4 not found". The prebuilt node
watcher binding only needs libstdc++/libgcc_s, so use stdenv.cc.cc.lib
and let nix-built tools resolve their own deps via RUNPATH.

The file watcher binding (and other node-precompiled .node modules
loaded via dlopen) failed with "libstdc++.so.6: cannot open shared
object file" because systemd services don't inherit the user shell's
LD path. Reuse the nix-ld library list so the service sees the same
common libraries unwrapped binaries get globally.
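The service-environment lesson of the three opencode-serve commits (minimal systemd PATH, missing LD path, and the curl shadowing caused by the full nix-ld list), as an added Nix example that is not this repository's own module. The unit name and the tool list are taken from the commit messages; the exact module layout is an assumption.

```nix
# Added example, not the repository's module. Shows the weak setting the
# commits describe beside the narrowed fix that replaced it.
{ config, lib, pkgs, ... }:
{
  systemd.services.opencode-serve = {
    # systemd starts units with a minimal default PATH, so every tool the
    # agent may shell out to has to be listed explicitly here rather than
    # inherited from the invoking user's shell profile.
    path = with pkgs; [ git gnumake nix nodejs ripgrep jq ];

    environment = {
      # Weak setting: reusing the whole nix-ld library list. It fixes the
      # dlopen of prebuilt .node modules, but LD_LIBRARY_PATH takes
      # precedence over DT_RUNPATH, so a second libcurl from that list is
      # resolved ahead of the one nix was linked against and libnixstore.so
      # fails with "CURL_OPENSSL_4 not found".
      # LD_LIBRARY_PATH = lib.makeLibraryPath config.programs.nix-ld.libraries;

      # Narrowed fix: the prebuilt binding only needs libstdc++/libgcc_s,
      # which stdenv.cc.cc.lib provides. Nix-built tools are not touched
      # and keep resolving their own dependencies via their RUNPATH.
      LD_LIBRARY_PATH = lib.makeLibraryPath [ pkgs.stdenv.cc.cc.lib ];
    };
  };
}
```

Keeping LD_LIBRARY_PATH to the one library the foreign binary actually needs is the general rule: anything broader can silently redirect every nix-built dependency in the unit.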
The opencode-serve unit ran with systemd's minimal default PATH, so
shell commands invoked by the agent (git, make, nix, node, rg, etc.)
were not found. Set systemd.services.opencode-serve.path on both sgx
and amd to a common dev toolset.

Mirror of the sgx opencode setup: systemd service on port 4196 fronted
by nginx with a per-host ACME cert (DNS-01 via internetbs). Adds amd
key + path rule to .sops.yaml so secrets under .secrets/amd/ encrypt
for the host.

- Included `opencode` in the `packages` list for both HALO and AMD system configurations.
- Improves development environment by providing additional tooling.

- Introduced `sound.nix` to manage audio device priorities using PipeWire's WirePlumber configuration.
- Linked `sound.nix` to `default.nix` for streamlined system audio customization.
- Ensures defined priority levels for HDMI, USB microphones, and SPDIF outputs.

- Added `nvtopPackages.amd` to the package list for better GPU monitoring on AMD systems.
- Enhances system configuration by enabling real-time visualization of GPU usage.

Create 6 new NixOS modules to reduce duplication across system configs:
- hardware/wooting: Wooting keyboard udev rules and Bluetooth compat
- services/nginx-base: Common nginx server settings
- services/acme-base: ACME certificate defaults
- services/xremap: Key remapping with sensible defaults
- system/no-sleep: Disable sleep/suspend/hibernate targets
- system/kernel-tweaks: PM freeze timeout and zram configuration

Update system configuration files to use these new modules.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Tune sysctl parameters for better I/O and memory performance:
- Lower swappiness to reduce disk swapping with zram
- Reduce vfs_cache_pressure to keep filesystem caches longer
- Adjust dirty page writeback ratios for SSD performance
- Configure zram with zstd compression

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Enabled Docker support by setting `docker.enable` to true.
- Disabled Podman's Docker compatibility mode with `podman.dockerCompat`.
- Improves virtualization configuration by prioritizing Docker usage.

- Added support for Steam by enabling it in `default.nix` under `programs.steam`.
- Aligns with the pattern of including widely used software for enhanced functionality.

- Dropped `mitigations=off` from `boot.kernelParams` for improved alignment with security best practices.
- Ensures the system maintains mitigations against CPU vulnerabilities by default.

- Added `cider-2` to the `programs` list in `default.nix` for extended functionality.
- Aligns with the existing pattern of including commonly used utilities.

- Added `lockdown=confidentiality`, `quiet`, `splash`, `video=efifb:nobgrt`, and `mitigations=off` to `boot.kernelParams` for improved boot behavior.
- Enhances security, reduces verbosity, and

- Refactored hardware-configuration.nix for better formatting and added `noatime` option for `/` filesystem.
- Enabled `build` service and set CPU frequency governor to `performance` for enhanced optimization.
- Updated default.nix with additional service and power management features.