diff --git a/flake.lock b/flake.lock index f2eef87..9445a9a 100644 --- a/flake.lock +++ b/flake.lock @@ -363,11 +363,11 @@ ] }, "locked": { - "lastModified": 1776200608, - "narHash": "sha256-broZ6RFQr4Fv0wT73gGmzNX14A43TmTFF8g4wDKlNss=", + "lastModified": 1777031541, + "narHash": "sha256-KZ4s1kolHXFQrRGlnB503gDcTrVQMhiczO+LvvwKEPg=", "owner": "nix-community", "repo": "naersk", - "rev": "8b23250ab45c2a38cd91031aee26478ca4d0a28e", + "rev": "5e73301621274c44798bf6c6211ed27fc2ced201", "type": "github" }, "original": { @@ -390,11 +390,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1776879043, - "narHash": "sha256-M9RjuowtoqQbFRdQAm2P6GjFwgHjRcnWYcB7ChSjDms=", + "lastModified": 1777472199, + "narHash": "sha256-gJr/OrHv6s8ANqv915sb69LLThow1u5yAO/ouElVGGM=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "535ebbe038039215a5d1c6c0c67f833409a5be96", + "rev": "323a80f2ce4541c595d491acbd15a8800201cbae", "type": "github" }, "original": { @@ -423,11 +423,11 @@ "niri-unstable": { "flake": false, "locked": { - "lastModified": 1776853441, - "narHash": "sha256-mSxfoEs7DiDhMCBzprI/1K7UXzMISuGq0b7T06LVJXE=", + "lastModified": 1777468255, + "narHash": "sha256-lBZc1UMy+1P1T/E41j3jQrpS7EFI3qegd+ktHZdamIg=", "owner": "YaLTeR", "repo": "niri", - "rev": "74d2b18603366b98ec9045ecf4a632422f472365", + "rev": "dd1c3bcb9f1ef416df33ffa22d1d9bcee1398e7d", "type": "github" }, "original": { @@ -458,11 +458,11 @@ ] }, "locked": { - "lastModified": 1776828494, - "narHash": "sha256-gQ5+syn8ndyF/+c5g5ZpeAScNKhkTF4/63JsO2hqGHo=", + "lastModified": 1777434090, + "narHash": "sha256-i7p7ajtdKF6oVjs3ERyECCg6m1lWEchHNPKQjgRW4h4=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "ea6764d22ff5478f5db39ede57eeafc70d14e8e6", + "rev": "f32bb01e6a12b74fa67261e9d690ff9d0603d86b", "type": "github" }, "original": { 
@@ -588,11 +588,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1776329215, - "narHash": "sha256-a8BYi3mzoJ/AcJP8UldOx8emoPRLeWqALZWu4ZvjPXw=", + "lastModified": 1777270315, + "narHash": "sha256-yKB4G6cKsQsWN7M6rZGk6gkJPDNPIzT05y4qzRyCDlI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b86751bc4085f48661017fa226dee99fab6c651b", + "rev": "6368eda62c9775c38ef7f714b2555a741c20c72d", "type": "github" }, "original": { @@ -604,11 +604,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1776734388, - "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=", + "lastModified": 1777077449, + "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac", + "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160", "type": "github" }, "original": { @@ -643,11 +643,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1777295064, - "narHash": "sha256-A+Ooli4ckGyiT+zh10Ybj3nY2ql4QX1p6q6HrKCDvpA=", + "lastModified": 1777479755, + "narHash": "sha256-rKha1HlZIYn+nhptqOSaSPGywXXdM5S462oiXh64EWM=", "ref": "refs/heads/main", - "rev": "adb6c21135c93e0c57517ba90a32dd8f6bf2704d", - "revCount": 578, + "rev": "7ab784e101b69f35f65e300d5779888624f7a7a5", + "revCount": 596, "type": "git", "url": "https://git.berlin.ccc.de/vinzenz/nova-shell" }, @@ -666,11 +666,11 @@ ] }, "locked": { - "lastModified": 1776893492, - "narHash": "sha256-V4r/mdAFHe6fRiu3D+3+UdclSH7LJoHfv+4Y1YNawK0=", + "lastModified": 1777499139, + "narHash": "sha256-s817mwTTkW0VIReee1z41LJAz13AUw3DOK41jZooFGw=", "owner": "nix-community", "repo": "NUR", - "rev": "0aa8e8fc21887cc34a4c0e3816f08b56795f52ca", + "rev": "c0295550b00f0d0d4a9f41efd5e6c14d38a671fc", "type": "github" }, "original": { 
@@ -887,11 +887,11 @@
 "tinted-zed": "tinted-zed"
 },
 "locked": {
- "lastModified": 1775935110,
- "narHash": "sha256-twTHKUFXjNNsaAvX0KoaIClt+923jXDRbfCd9PC/f0o=",
+ "lastModified": 1776894428,
+ "narHash": "sha256-wuT915MyCtMTfLj+uo9y8wtCwkEgJXiXvcbSleFrlN0=",
 "owner": "nix-community",
 "repo": "stylix",
- "rev": "14f248ad1a7668e7858c6d9163608c208b7daf02",
+ "rev": "f34be27ce83efaa1c85ad1e5b1f8b6dea65b147d",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 5a0fe15..dce3929 100644
--- a/flake.nix
+++ b/flake.nix
@@ -129,6 +129,9 @@
 damocles = {
 system = "x86_64-linux";
 };
+ damocles-lab = {
+ system = "x86_64-linux";
+ };
 epimetheus = {
 system = "aarch64-linux";
 };
@@ -232,7 +235,7 @@
 device,
 system,
 home-manager-users ? { },
- nixosSystem ? nixpkgs.lib.nixosSystem
+ nixosSystem ? nixpkgs.lib.nixosSystem,
 }:
 let
 specialArgs = inputs // {
@@ -244,7 +247,7 @@
 modules = [
 {
 imports = [
- ./nixosConfigurations/${device}
+ ./nixosConfigurations/${device}
 self.nixosModules.global-settings
 ]
 ++ (lib.optionals (home-manager-users != { }) [
diff --git a/nixosConfigurations/aur0ra-installer/default.nix b/nixosConfigurations/aur0ra-installer/default.nix
index 5557fae..b6c1e1a 100644
--- a/nixosConfigurations/aur0ra-installer/default.nix
+++ b/nixosConfigurations/aur0ra-installer/default.nix
@@ -8,10 +8,10 @@
 {
 imports = [
 ../aur0ra
- # nixos-images.nixosModules.sdimage-installer
+ # nixos-images.nixosModules.sdimage-installer
 ];
 disabledModules = [
 # disable the sd-image module that nixos-images uses
- # (modulesPath + "/installer/sd-card/sd-image-aarch64-installer.nix")
+ # (modulesPath + "/installer/sd-card/sd-image-aarch64-installer.nix")
 ];
 }
diff --git a/nixosConfigurations/damocles-lab/default.nix b/nixosConfigurations/damocles-lab/default.nix
new file mode 100644
index 0000000..705e31a
--- /dev/null
+++ b/nixosConfigurations/damocles-lab/default.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+ imports = [ ../damocles/claude-container.nix ];
+
+ services.openssh = {
+ enable = true;
+ ports = [ 2222 ];
+ # Path written into sshd_config as a string — not read at eval time.
+ # Key can be rotated without a rebuild.
+ authorizedKeysFiles = [ "/persist/damocles-ssh/id_ed25519.pub" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+
+ ];
+}
diff --git a/nixosConfigurations/damocles/claude-container.nix b/nixosConfigurations/damocles/claude-container.nix
new file mode 100644
index 0000000..17d599f
--- /dev/null
+++ b/nixosConfigurations/damocles/claude-container.nix
@@ -0,0 +1,44 @@
+{
+ pkgs,
+ self,
+ lib,
+ ...
+ }:
+{
+
+ nixpkgs.overlays = [ self.overlays.unstable-packages ];
+ allowedUnfreePackages = [ "claude-code" ];
+
+ environment.systemPackages = with pkgs; [
+ unstable.claude-code
+ git
+ python3
+ coreutils-full
+ gawk
+ gnugrep
+ curl
+ ];
+
+ boot.isContainer = true;
+
+ programs.nix-ld = {
+ enable = true;
+ libraries = with pkgs; [
+ stdenv.cc.cc.lib
+ zlib
+ ];
+ };
+
+ # Container shares host network namespace (privateNetwork = false), so the
+ # host's tailscale already covers this. Running a second tailscaled in the
+ # same netns fights over routing and breaks connectivity after sleep/wake.
+ services.tailscale.enable = lib.mkForce false;
+ networking.firewall.checkReversePath = lib.mkForce "strict";
+
+ users.users.muede = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+}
diff --git a/nixosConfigurations/damocles/default.nix b/nixosConfigurations/damocles/default.nix
index 75c5439..c5eff0a 100644
--- a/nixosConfigurations/damocles/default.nix
+++ b/nixosConfigurations/damocles/default.nix
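Review bot: `authorizedKeysFiles = [ "/persist/damocles-ssh/id_ed25519.pub" ]` carries no `%u`/`%h` token, so sshd honours that key for every account in the container, root included — NixOS's default `PermitRootLogin` is `prohibit-password`, which still permits key-based root logins, and the imported claude-container.nix grants `muede` passwordless sudo in any case. Pin who may use the key: `services.openssh.settings.PermitRootLogin = "no";` and `services.openssh.settings.AllowUsers = [ "muede" ];`. Since muede-lpt2 runs this container with `privateNetwork = false`, port 2222 is bound in the host's network namespace; a comment next to `ports = [ 2222 ];` stating which interface or network logins are expected from would record the intended exposure. The empty `environment.systemPackages = with pkgs; [ ];` at the end can be dropped until it has entries.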
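Review bot: `security.sudo.wheelNeedsPassword = false;` combined with `muede` in `wheel` makes every process running as `muede` — including the `claude-code` agent this module installs — root-equivalent inside a container that, per the comment above `services.tailscale.enable`, shares the host's network namespace, and nothing in the file records why the prompt is waived. Either narrow it with `security.sudo.extraRules` to the commands the workflow needs, or add `# Passwordless sudo is deliberate: muede has no password and this container is disposable; remember it shares the host netns.` above the line. A header comment such as `# Shared base for the damocles containers: claude-code, nix-ld, the muede user and its sudo policy.` would also help, since this commit imports the module from both damocles and damocles-lab.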
@@ -1,45 +1,14 @@
+{ pkgs, ... }:
 {
- pkgs,
- lib,
- self,
- ...
-}:
-{
- imports = [ ./android-dev.nix ];
-
- nixpkgs.overlays = [ self.overlays.unstable-packages ];
-
- boot.isContainer = true;
-
- # Container shares host network namespace (privateNetwork = false), so the
- # host's tailscale already covers this. Running a second tailscaled in the
- # same netns fights over routing and breaks connectivity after sleep/wake.
- services.tailscale.enable = lib.mkForce false;
- networking.firewall.checkReversePath = lib.mkForce "strict";
-
- allowedUnfreePackages = [ "claude-code" ];
-
- environment.systemPackages = with pkgs; [
- unstable.claude-code
- git
- python3
- coreutils-full
- gawk
- gnugrep
+ imports = [
+ ./android-dev.nix
+ ./claude-container.nix
 ];
 
- users.users.muede = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- };
-
- security.sudo.wheelNeedsPassword = false;
-
- programs.nix-ld = {
- enable = true;
- libraries = with pkgs; [
- stdenv.cc.cc.lib
- zlib
- ];
- };
+ environment.systemPackages = with pkgs; [
+ cargo
+ rustc
+ clippy
+ gh
+ ];
 }
diff --git a/nixosConfigurations/muede-lpt2/default.nix b/nixosConfigurations/muede-lpt2/default.nix
index 19b2119..711a578 100644
--- a/nixosConfigurations/muede-lpt2/default.nix
+++ b/nixosConfigurations/muede-lpt2/default.nix
@@ -65,6 +65,28 @@
 autoStart = false;
 privateNetwork = false;
 path = self.nixosConfigurations.damocles.config.system.build.toplevel;
+ bindMounts."/persist/damocles-ssh" = {
+ hostPath = "/persist/damocles-ssh";
+ isReadOnly = true;
+ };
+ bindMounts."/persist/damocles-lab" = {
+ hostPath = "/persist/damocles-lab";
+ isReadOnly = false;
+ };
+ };
+
+ containers.damocles-lab = {
+ autoStart = false;
+ privateNetwork = false;
+ path = self.nixosConfigurations.damocles-lab.config.system.build.toplevel;
+ bindMounts."/workspace" = {
+ hostPath = "/persist/damocles-lab";
+ isReadOnly = false;
+ };
+ bindMounts."/persist/damocles-ssh" = {
+ hostPath = "/persist/damocles-ssh";
+ isReadOnly = true;
+ };
 };
 
 # Global DefaultTimeoutStopSec is 10s (modern-desktop.nix), which kills systemd-nspawn
@@ -76,6 +98,11 @@
 RestartSec = "5s";
 };
 
+ systemd.services."container@damocles-lab".serviceConfig = {
+ TimeoutStopSec = "60s";
+ RestartSec = "5s";
+ };
+
 boot.enableContainers = true;
 virtualisation.containers.enable = true;
 };
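Review bot: the whole `/persist/damocles-ssh` directory is bind-mounted into damocles-lab, yet that container only reads `id_ed25519.pub` from it (its `authorizedKeysFiles` entry); if the directory also holds the matching private key — the file name suggests a keypair — the sshd side receives a readable copy it never needs. Binding just the file keeps the private half out: `bindMounts."/persist/damocles-ssh/id_ed25519.pub" = { hostPath = "/persist/damocles-ssh/id_ed25519.pub"; isReadOnly = true; };`. `/persist/damocles-lab` is writable from both containers (`/persist/damocles-lab` in damocles, `/workspace` in damocles-lab), so each sees the other's writes; a comment like `# Intentionally shared RW between damocles and damocles-lab; neither side should treat its contents as trusted.` would make that an explicit decision. The enclosing `containers.damocles = {` attrset starts above this hunk.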