nix flake update

flake.lock

@@ -363,11 +363,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776200608,
-        "narHash": "sha256-broZ6RFQr4Fv0wT73gGmzNX14A43TmTFF8g4wDKlNss=",
+        "lastModified": 1777031541,
+        "narHash": "sha256-KZ4s1kolHXFQrRGlnB503gDcTrVQMhiczO+LvvwKEPg=",
         "owner": "nix-community",
         "repo": "naersk",
-        "rev": "8b23250ab45c2a38cd91031aee26478ca4d0a28e",
+        "rev": "5e73301621274c44798bf6c6211ed27fc2ced201",
         "type": "github"
       },
       "original": {
@@ -390,11 +390,11 @@
         "xwayland-satellite-unstable": "xwayland-satellite-unstable"
       },
       "locked": {
-        "lastModified": 1776879043,
-        "narHash": "sha256-M9RjuowtoqQbFRdQAm2P6GjFwgHjRcnWYcB7ChSjDms=",
+        "lastModified": 1777472199,
+        "narHash": "sha256-gJr/OrHv6s8ANqv915sb69LLThow1u5yAO/ouElVGGM=",
         "owner": "sodiboo",
         "repo": "niri-flake",
-        "rev": "535ebbe038039215a5d1c6c0c67f833409a5be96",
+        "rev": "323a80f2ce4541c595d491acbd15a8800201cbae",
         "type": "github"
       },
       "original": {
@@ -423,11 +423,11 @@
     "niri-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1776853441,
-        "narHash": "sha256-mSxfoEs7DiDhMCBzprI/1K7UXzMISuGq0b7T06LVJXE=",
+        "lastModified": 1777468255,
+        "narHash": "sha256-lBZc1UMy+1P1T/E41j3jQrpS7EFI3qegd+ktHZdamIg=",
         "owner": "YaLTeR",
         "repo": "niri",
-        "rev": "74d2b18603366b98ec9045ecf4a632422f472365",
+        "rev": "dd1c3bcb9f1ef416df33ffa22d1d9bcee1398e7d",
         "type": "github"
       },
       "original": {
@@ -458,11 +458,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776828494,
-        "narHash": "sha256-gQ5+syn8ndyF/+c5g5ZpeAScNKhkTF4/63JsO2hqGHo=",
+        "lastModified": 1777434090,
+        "narHash": "sha256-i7p7ajtdKF6oVjs3ERyECCg6m1lWEchHNPKQjgRW4h4=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "ea6764d22ff5478f5db39ede57eeafc70d14e8e6",
+        "rev": "f32bb01e6a12b74fa67261e9d690ff9d0603d86b",
         "type": "github"
       },
       "original": {
@@ -588,11 +588,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1776329215,
-        "narHash": "sha256-a8BYi3mzoJ/AcJP8UldOx8emoPRLeWqALZWu4ZvjPXw=",
+        "lastModified": 1777270315,
+        "narHash": "sha256-yKB4G6cKsQsWN7M6rZGk6gkJPDNPIzT05y4qzRyCDlI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b86751bc4085f48661017fa226dee99fab6c651b",
+        "rev": "6368eda62c9775c38ef7f714b2555a741c20c72d",
         "type": "github"
       },
       "original": {
@@ -604,11 +604,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1776734388,
-        "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=",
+        "lastModified": 1777077449,
+        "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac",
+        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
         "type": "github"
       },
       "original": {
@@ -643,11 +643,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1777295064,
-        "narHash": "sha256-A+Ooli4ckGyiT+zh10Ybj3nY2ql4QX1p6q6HrKCDvpA=",
+        "lastModified": 1777479755,
+        "narHash": "sha256-rKha1HlZIYn+nhptqOSaSPGywXXdM5S462oiXh64EWM=",
         "ref": "refs/heads/main",
-        "rev": "adb6c21135c93e0c57517ba90a32dd8f6bf2704d",
-        "revCount": 578,
+        "rev": "7ab784e101b69f35f65e300d5779888624f7a7a5",
+        "revCount": 596,
         "type": "git",
         "url": "https://git.berlin.ccc.de/vinzenz/nova-shell"
       },
@@ -666,11 +666,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776893492,
-        "narHash": "sha256-V4r/mdAFHe6fRiu3D+3+UdclSH7LJoHfv+4Y1YNawK0=",
+        "lastModified": 1777499139,
+        "narHash": "sha256-s817mwTTkW0VIReee1z41LJAz13AUw3DOK41jZooFGw=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "0aa8e8fc21887cc34a4c0e3816f08b56795f52ca",
+        "rev": "c0295550b00f0d0d4a9f41efd5e6c14d38a671fc",
         "type": "github"
       },
       "original": {
@@ -887,11 +887,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1775935110,
-        "narHash": "sha256-twTHKUFXjNNsaAvX0KoaIClt+923jXDRbfCd9PC/f0o=",
+        "lastModified": 1776894428,
+        "narHash": "sha256-wuT915MyCtMTfLj+uo9y8wtCwkEgJXiXvcbSleFrlN0=",
         "owner": "nix-community",
         "repo": "stylix",
-        "rev": "14f248ad1a7668e7858c6d9163608c208b7daf02",
+        "rev": "f34be27ce83efaa1c85ad1e5b1f8b6dea65b147d",
         "type": "github"
       },
       "original": {

flake.nix

@@ -129,6 +129,9 @@
         damocles = {
           system = "x86_64-linux";
         };
+        damocles-lab = {
+          system = "x86_64-linux";
+        };
         epimetheus = {
           system = "aarch64-linux";
         };
@@ -232,7 +235,7 @@
           device,
           system,
           home-manager-users ? { },
-          nixosSystem ? nixpkgs.lib.nixosSystem
+          nixosSystem ? nixpkgs.lib.nixosSystem,
         }:
         let
           specialArgs = inputs // {
@@ -244,7 +247,7 @@
           modules = [
             {
               imports = [
-                 ./nixosConfigurations/${device}
+                ./nixosConfigurations/${device}
                 self.nixosModules.global-settings
               ]
               ++ (lib.optionals (home-manager-users != { }) [

nixosConfigurations/aur0ra-installer/default.nix

@@ -8,10 +8,10 @@
 {
   imports = [
     ../aur0ra
-   # nixos-images.nixosModules.sdimage-installer
+    # nixos-images.nixosModules.sdimage-installer
   ];
   disabledModules = [
     # disable the sd-image module that nixos-images uses
-   # (modulesPath + "/installer/sd-card/sd-image-aarch64-installer.nix")
+    # (modulesPath + "/installer/sd-card/sd-image-aarch64-installer.nix")
   ];
 }

nixosConfigurations/damocles-lab/default.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+  imports = [ ../damocles/claude-container.nix ];
+
+  services.openssh = {
+    enable = true;
+    ports = [ 2222 ];
+    # Path written into sshd_config as a string — not read at eval time.
+    # Key can be rotated without a rebuild.
+    authorizedKeysFiles = [ "/persist/damocles-ssh/id_ed25519.pub" ];
+  };
+
+  environment.systemPackages = with pkgs; [
+
+  ];
+}

nixosConfigurations/damocles/claude-container.nix

@@ -0,0 +1,44 @@
+{
+  pkgs,
+  self,
+  lib,
+  ...
+}:
+{
+
+  nixpkgs.overlays = [ self.overlays.unstable-packages ];
+  allowedUnfreePackages = [ "claude-code" ];
+
+  environment.systemPackages = with pkgs; [
+    unstable.claude-code
+    git
+    python3
+    coreutils-full
+    gawk
+    gnugrep
+    curl
+  ];
+
+  boot.isContainer = true;
+
+  programs.nix-ld = {
+    enable = true;
+    libraries = with pkgs; [
+      stdenv.cc.cc.lib
+      zlib
+    ];
+  };
+
+  # Container shares host network namespace (privateNetwork = false), so the
+  # host's tailscale already covers this. Running a second tailscaled in the
+  # same netns fights over routing and breaks connectivity after sleep/wake.
+  services.tailscale.enable = lib.mkForce false;
+  networking.firewall.checkReversePath = lib.mkForce "strict";
+
+  users.users.muede = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+}

nixosConfigurations/damocles/default.nix

@@ -1,45 +1,14 @@
+{ pkgs, ... }:
 {
-  pkgs,
-  lib,
-  self,
-  ...
-}:
-{
-  imports = [ ./android-dev.nix ];
-
-  nixpkgs.overlays = [ self.overlays.unstable-packages ];
-
-  boot.isContainer = true;
-
-  # Container shares host network namespace (privateNetwork = false), so the
-  # host's tailscale already covers this. Running a second tailscaled in the
-  # same netns fights over routing and breaks connectivity after sleep/wake.
-  services.tailscale.enable = lib.mkForce false;
-  networking.firewall.checkReversePath = lib.mkForce "strict";
-
-  allowedUnfreePackages = [ "claude-code" ];
-
-  environment.systemPackages = with pkgs; [
-    unstable.claude-code
-    git
-    python3
-    coreutils-full
-    gawk
-    gnugrep
+  imports = [
+    ./android-dev.nix
+    ./claude-container.nix
   ];
 
-  users.users.muede = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-  };
-
-  security.sudo.wheelNeedsPassword = false;
-
-  programs.nix-ld = {
-    enable = true;
-    libraries = with pkgs; [
-      stdenv.cc.cc.lib
-      zlib
-    ];
-  };
+  environment.systemPackages = with pkgs; [
+    cargo
+    rustc
+    clippy
+    gh
+  ];
 }

nixosConfigurations/muede-lpt2/default.nix

@@ -65,6 +65,28 @@
       autoStart = false;
       privateNetwork = false;
       path = self.nixosConfigurations.damocles.config.system.build.toplevel;
+      bindMounts."/persist/damocles-ssh" = {
+        hostPath = "/persist/damocles-ssh";
+        isReadOnly = true;
+      };
+      bindMounts."/persist/damocles-lab" = {
+        hostPath = "/persist/damocles-lab";
+        isReadOnly = false;
+      };
+    };
+
+    containers.damocles-lab = {
+      autoStart = false;
+      privateNetwork = false;
+      path = self.nixosConfigurations.damocles-lab.config.system.build.toplevel;
+      bindMounts."/workspace" = {
+        hostPath = "/persist/damocles-lab";
+        isReadOnly = false;
+      };
+      bindMounts."/persist/damocles-ssh" = {
+        hostPath = "/persist/damocles-ssh";
+        isReadOnly = true;
+      };
     };
 
     # Global DefaultTimeoutStopSec is 10s (modern-desktop.nix), which kills systemd-nspawn
@@ -76,6 +98,11 @@
       RestartSec = "5s";
     };
 
+    systemd.services."container@damocles-lab".serviceConfig = {
+      TimeoutStopSec = "60s";
+      RestartSec = "5s";
+    };
+
     boot.enableContainers = true;
     virtualisation.containers.enable = true;
   };