add damocles-lab container

flake.nix

@@ -129,6 +129,9 @@
         damocles = {
           system = "x86_64-linux";
         };
+        damocles-lab = {
+          system = "x86_64-linux";
+        };
         epimetheus = {
           system = "aarch64-linux";
         };

nixosConfigurations/damocles-lab/default.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+  imports = [../damocles/claude-container.nix];
+
+  services.openssh = {
+    enable = true;
+    ports = [ 2222 ];
+    # Path written into sshd_config as a string — not read at eval time.
+    # Key can be rotated without a rebuild.
+    authorizedKeysFiles = [ "/persist/damocles-ssh/id_ed25519.pub" ];
+  };
+
+  environment.systemPackages = with pkgs; [
+
+  ];
+}

nixosConfigurations/damocles/claude-container.nix

@@ -0,0 +1,41 @@
+{ pkgs,self,lib, ... }: {
+
+  nixpkgs.overlays = [ self.overlays.unstable-packages ];
+  allowedUnfreePackages = [ "claude-code" ];
+
+  environment.systemPackages = with pkgs; [
+    unstable.claude-code
+    git
+    python3
+    coreutils-full
+    gawk
+    gnugrep
+    curl
+    cargo
+    rustc
+    clippy
+  ];
+
+  boot.isContainer = true;
+
+  programs.nix-ld = {
+    enable = true;
+    libraries = with pkgs; [
+      stdenv.cc.cc.lib
+      zlib
+    ];
+  };
+
+  # Container shares host network namespace (privateNetwork = false), so the
+  # host's tailscale already covers this. Running a second tailscaled in the
+  # same netns fights over routing and breaks connectivity after sleep/wake.
+  services.tailscale.enable = lib.mkForce false;
+  networking.firewall.checkReversePath = lib.mkForce "strict";
+
+  users.users.muede = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+}

nixosConfigurations/damocles/default.nix

@@ -1,45 +1,3 @@
 {
-  pkgs,
+  imports = [ ./android-dev.nix ./claude-container.nix ];
-  lib,
-  self,
-  ...
-}:
-{
-  imports = [ ./android-dev.nix ];
-
-  nixpkgs.overlays = [ self.overlays.unstable-packages ];
-
-  boot.isContainer = true;
-
-  # Container shares host network namespace (privateNetwork = false), so the
-  # host's tailscale already covers this. Running a second tailscaled in the
-  # same netns fights over routing and breaks connectivity after sleep/wake.
-  services.tailscale.enable = lib.mkForce false;
-  networking.firewall.checkReversePath = lib.mkForce "strict";
-
-  allowedUnfreePackages = [ "claude-code" ];
-
-  environment.systemPackages = with pkgs; [
-    unstable.claude-code
-    git
-    python3
-    coreutils-full
-    gawk
-    gnugrep
-  ];
-
-  users.users.muede = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-  };
-
-  security.sudo.wheelNeedsPassword = false;
-
-  programs.nix-ld = {
-    enable = true;
-    libraries = with pkgs; [
-      stdenv.cc.cc.lib
-      zlib
-    ];
-  };
 }

nixosConfigurations/muede-lpt2/default.nix

@@ -65,6 +65,28 @@
       autoStart = false;
       privateNetwork = false;
       path = self.nixosConfigurations.damocles.config.system.build.toplevel;
+      bindMounts."/persist/damocles-ssh" = {
+        hostPath = "/persist/damocles-ssh";
+        isReadOnly = true;
+      };
+      bindMounts."/persist/damocles-lab" = {
+        hostPath = "/persist/damocles-lab";
+        isReadOnly = false;
+      };
+    };
+
+    containers.damocles-lab = {
+      autoStart = false;
+      privateNetwork = false;
+      path = self.nixosConfigurations.damocles-lab.config.system.build.toplevel;
+      bindMounts."/workspace" = {
+        hostPath = "/persist/damocles-lab";
+        isReadOnly = false;
+      };
+      bindMounts."/persist/damocles-ssh" = {
+        hostPath = "/persist/damocles-ssh";
+        isReadOnly = true;
+      };
     };
 
     # Global DefaultTimeoutStopSec is 10s (modern-desktop.nix), which kills systemd-nspawn
@@ -76,6 +98,11 @@
       RestartSec = "5s";
     };
 
+    systemd.services."container@damocles-lab".serviceConfig = {
+      TimeoutStopSec = "60s";
+      RestartSec = "5s";
+    };
+
     boot.enableContainers = true;
     virtualisation.containers.enable = true;
   };