From 27a71e94ce6dd0f32a2c73645670a178814077e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?m=C3=BCde?=
Date: Wed, 29 Apr 2026 21:38:40 +0200
Subject: [PATCH] add damocles-lab container

---
flake.nix | 3 ++
nixosConfigurations/damocles-lab/default.nix | 16 +++++++
.../damocles/claude-container.nix | 41 +++++++++++++++++
nixosConfigurations/damocles/default.nix | 44 +------------------
nixosConfigurations/muede-lpt2/default.nix | 27 ++++++++++++
5 files changed, 88 insertions(+), 43 deletions(-)
create mode 100644 nixosConfigurations/damocles-lab/default.nix
create mode 100644 nixosConfigurations/damocles/claude-container.nix

diff --git a/flake.nix b/flake.nix
index 5a0fe15..ea6d9fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -129,6 +129,9 @@
 damocles = {
 system = "x86_64-linux";
 };
+ damocles-lab = {
+ system = "x86_64-linux";
+ };
 epimetheus = {
 system = "aarch64-linux";
 };
diff --git a/nixosConfigurations/damocles-lab/default.nix b/nixosConfigurations/damocles-lab/default.nix
new file mode 100644
index 0000000..752065d
--- /dev/null
+++ b/nixosConfigurations/damocles-lab/default.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+ imports = [../damocles/claude-container.nix];
+
+ services.openssh = {
+ enable = true;
+ ports = [ 2222 ];
+ # Path written into sshd_config as a string — not read at eval time.
+ # Key can be rotated without a rebuild.
+ authorizedKeysFiles = [ "/persist/damocles-ssh/id_ed25519.pub" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+
+ ];
+}
diff --git a/nixosConfigurations/damocles/claude-container.nix b/nixosConfigurations/damocles/claude-container.nix
new file mode 100644
index 0000000..c754f47
--- /dev/null
+++ b/nixosConfigurations/damocles/claude-container.nix
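Review bot: `authorizedKeysFiles = [ "/persist/damocles-ssh/id_ed25519.pub" ]` in the new nixosConfigurations/damocles-lab/default.nix is a global AuthorizedKeysFile with no `%u`/`%h` token, so the one key authorizes a login as any account in the container, including root — NixOS's default PermitRootLogin of prohibit-password still accepts key logins, subject only to StrictModes' ownership check on that file — while the imported module gives `muede` passwordless sudo. Restrict it to the account that is meant to use it by adding `settings.AllowUsers = [ "muede" ];` and `settings.PermitRootLogin = "no";` to the same `services.openssh` block; the path is still read at runtime as the comment wants. Because the host side of this patch declares `privateNetwork = false` for the container (inferred from the muede-lpt2 hunk, not visible here), this sshd on 2222 binds in the host's network namespace on every host interface rather than only over tailscale; `listenAddresses` can pin it to the intended address. The empty `environment.systemPackages = with pkgs; [ ];` can be dropped.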
@@ -0,0 +1,41 @@
+{ pkgs,self,lib, ... }: {
+
+ nixpkgs.overlays = [ self.overlays.unstable-packages ];
+ allowedUnfreePackages = [ "claude-code" ];
+
+ environment.systemPackages = with pkgs; [
+ unstable.claude-code
+ git
+ python3
+ coreutils-full
+ gawk
+ gnugrep
+ curl
+ cargo
+ rustc
+ clippy
+ ];
+
+ boot.isContainer = true;
+
+ programs.nix-ld = {
+ enable = true;
+ libraries = with pkgs; [
+ stdenv.cc.cc.lib
+ zlib
+ ];
+ };
+
+ # Container shares host network namespace (privateNetwork = false), so the
+ # host's tailscale already covers this. Running a second tailscaled in the
+ # same netns fights over routing and breaks connectivity after sleep/wake.
+ services.tailscale.enable = lib.mkForce false;
+ networking.firewall.checkReversePath = lib.mkForce "strict";
+
+ users.users.muede = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+}
diff --git a/nixosConfigurations/damocles/default.nix b/nixosConfigurations/damocles/default.nix
index 75c5439..e0c276b 100644
--- a/nixosConfigurations/damocles/default.nix
+++ b/nixosConfigurations/damocles/default.nix
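Review bot: The new module is now imported by two configurations (damocles and damocles-lab) but carries no header saying so or stating what it assumes of its host: the tailscale comment near the bottom says the container shares the host's network namespace, yet that is decided by `containers.<name>.privateNetwork` on the host, not by anything in this file. A two-line header above the argument pattern, such as `# Shared base for the damocles* nspawn containers (imported by damocles/ and damocles-lab/).` and `# Assumes the host sets privateNetwork = false; see the tailscale note below.`, would make that precondition visible to whoever adds a third consumer. The argument pattern `{ pkgs,self,lib, ... }: {` is missing spaces and puts the opening brace on the same line, unlike the other files in this patch; `{ pkgs, self, lib, ... }:` with `{` on its own line matches them.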
@@ -1,45 +1,3 @@
 {
- pkgs,
- lib,
- self,
- ...
-}:
-{
- imports = [ ./android-dev.nix ];
-
- nixpkgs.overlays = [ self.overlays.unstable-packages ];
-
- boot.isContainer = true;
-
- # Container shares host network namespace (privateNetwork = false), so the
- # host's tailscale already covers this. Running a second tailscaled in the
- # same netns fights over routing and breaks connectivity after sleep/wake.
- services.tailscale.enable = lib.mkForce false;
- networking.firewall.checkReversePath = lib.mkForce "strict";
-
- allowedUnfreePackages = [ "claude-code" ];
-
- environment.systemPackages = with pkgs; [
- unstable.claude-code
- git
- python3
- coreutils-full
- gawk
- gnugrep
- ];
-
- users.users.muede = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- };
-
- security.sudo.wheelNeedsPassword = false;
-
- programs.nix-ld = {
- enable = true;
- libraries = with pkgs; [
- stdenv.cc.cc.lib
- zlib
- ];
- };
+ imports = [ ./android-dev.nix ./claude-container.nix ];
 }
diff --git a/nixosConfigurations/muede-lpt2/default.nix b/nixosConfigurations/muede-lpt2/default.nix
index 19b2119..711a578 100644
--- a/nixosConfigurations/muede-lpt2/default.nix
+++ b/nixosConfigurations/muede-lpt2/default.nix
@@ -65,6 +65,28 @@
 autoStart = false;
 privateNetwork = false;
 path = self.nixosConfigurations.damocles.config.system.build.toplevel;
+ bindMounts."/persist/damocles-ssh" = {
+ hostPath = "/persist/damocles-ssh";
+ isReadOnly = true;
+ };
+ bindMounts."/persist/damocles-lab" = {
+ hostPath = "/persist/damocles-lab";
+ isReadOnly = false;
+ };
+ };
+
+ containers.damocles-lab = {
+ autoStart = false;
+ privateNetwork = false;
+ path = self.nixosConfigurations.damocles-lab.config.system.build.toplevel;
+ bindMounts."/workspace" = {
+ hostPath = "/persist/damocles-lab";
+ isReadOnly = false;
+ };
+ bindMounts."/persist/damocles-ssh" = {
+ hostPath = "/persist/damocles-ssh";
+ isReadOnly = true;
+ };
 };
 
 # Global DefaultTimeoutStopSec is 10s (modern-desktop.nix), which kills systemd-nspawn
@@ -76,6 +98,11 @@
 RestartSec = "5s";
 };
 
+ systemd.services."container@damocles-lab".serviceConfig = {
+ TimeoutStopSec = "60s";
+ RestartSec = "5s";
+ };
+
 boot.enableContainers = true;
 virtualisation.containers.enable = true;
 };
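Review bot: Both containers get the whole `/persist/damocles-ssh` host directory bind-mounted, but damocles-lab only needs the public key its sshd reads (`id_ed25519.pub` in the new damocles-lab config); if that directory also holds the matching private key, as the `.pub` naming suggests, every process inside damocles-lab can read the credential that authorizes access to it. Mount only the public half into damocles-lab — a host directory holding just `.pub` files, or the single file — and keep the full directory for the damocles side, which presumably uses the private key to reach port 2222 (inferred; neither key's location is visible in this hunk). The `containers.damocles` attrset starts outside the hunk. In the second hunk the `systemd.services."container@damocles-lab".serviceConfig` block appears to duplicate the `container@damocles` one above it; if `lib` is among the module's arguments, `systemd.services = lib.genAttrs [ "container@damocles" "container@damocles-lab" ] (_: { serviceConfig = { TimeoutStopSec = "60s"; RestartSec = "5s"; }; });` keeps the two in step.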