evan/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: evan:master
Branches Tags
evan:master evan:snowfall
..
compare: evan:dca79232ce5ccf3497373073f31cd767c9b6fbaa
Branches Tags
evan:master evan:snowfall

1 Commits
master ... dca79232ce

Author SHA1 Message Date
Evan Reichard
dca79232ce chore(llama-cpp): bump 8815 → 8914 2026-04-24 07:25:41 -04:00
92 changed files with 900 additions and 10588 deletions
Expand all files Collapse all files

107
.agents/skills/update-package-hashes/SKILL.md
View File

@@ -12,112 +12,65 @@ If the user provides only a **package name** (no version), look up the latest ve
## Hard Rules — Read First
1. **Never run `nix build .#<pkg>`** or `.#packages.<system>.<pkg>`. That compiles the package. Only realise **FOD sub-attributes** (`.src`, `.goModules`, `.npmDeps`, `.cargoDeps`) — those are pure downloads, not builds.
2. **Never** use `nix-prefetch-git`, `nix-prefetch-github`, `nix-prefetch-url`, `nix hash path`, `nix hash file` (on a raw patch/tarball), `git clone` + manual hashing, `builtins.fetchGit`, or any other ad-hoc method to compute hashes. They produce hashes in formats that don't match what `fetchgit`/`fetchFromGitHub`/`fetchpatch` expect (notably: `fetchFromGitHub { leaveDotGit = true; }` is non-deterministic across machines, and `fetchpatch` normalizes patches — strips `index abc..def`, `From <sha>`, signatures — so its hash ≠ `nix hash file` of the raw `.patch`).
2. **Never** use `nix-prefetch-git`, `nix-prefetch-url`, `nix hash path`, `git clone` + manual hashing, `builtins.fetchGit`, or any other ad-hoc method to compute hashes. They produce hashes in formats that don't match what `fetchgit`/`fetchFromGitHub`/etc. expect, and you will waste time chasing mismatches.
3. There are exactly **two** correct ways to get a hash, both listed below. If neither fits, stop and ask the user — don't improvise.
## The Only Two Methods
### Method A — `nurl` via helper script (preferred for `src` on any git forge)
### Method A — `nurl` (preferred for `src` on any git forge)
Use the co-located helper script. It wraps `nurl` and works for any git URL.
`nurl` works for **any git URL**, not just GitHub: `gitea.va.reichard.io`, `gitlab`, `codeberg`, `sourcehut`, plain `https://...git`, all fine. It downloads the source and prints a complete fetcher expression with the correct hash.
```bash
./update-package-hashes.sh hash <git-url> <rev-or-tag>
nix run nixpkgs#nurl -- <git-url> <rev-or-tag>
```
Copy the `hash = "sha256-..."` line from the output into the package's `src` block.
Examples:
```bash
nix run nixpkgs#nurl -- https://github.com/owner/repo v1.2.3
nix run nixpkgs#nurl -- https://gitea.va.reichard.io/evan/slack-cli.git 0a9484257a2adc414aa4cdab4fb9539a37e04d1f
```
Copy the `hash = "sha256-..."` line into the package's `src` block.
### Method B — FOD mismatch trick (for everything else)
For `vendorHash`, `npmDepsHash`, `cargoHash`, `cargoLock.outputHashes.<crate>`, `fetchpatch` hashes, or any `src` using a custom fetcher (`leaveDotGit`, `postFetch`, `fetchSubmodules`, etc. — applies to `llama-cpp` and `llama-swap`), realise the **specific FOD sub-attribute** and read the `got:` line from the error.
For `vendorHash`, `npmDepsHash`, `cargoHash`, `cargoLock.outputHashes.<crate>`, or any `src` using a custom fetcher (`leaveDotGit`, `postFetch`, `fetchSubmodules`, etc. — applies to `llama-cpp` and `llama-swap`), realise the **specific FOD sub-attribute** and read the `got:` line from the error.
```bash
nix build .#<name>.src --no-link 2>&1 | tee /tmp/hash.log # for src
nix build .#<name>.goModules --no-link 2>&1 | tee /tmp/hash.log # for vendorHash
nix build .#<name>.npmDeps --no-link 2>&1 | tee /tmp/hash.log # for npmDepsHash
nix build .#<name>.cargoDeps --no-link 2>&1 | tee /tmp/hash.log # for cargoHash
nix build .#<name> --no-link 2>&1 | tee /tmp/hash.log # for fetchpatch / other input FODs (see note)
grep -E '^[[:space:]]*got:' /tmp/hash.log | tail -1 | awk '{print $2}'
```
**`fetchpatch` note:** patches don't have a dedicated sub-attribute, so you must target the package itself. This is safe *only* when the patch hash is wrong (e.g. `lib.fakeHash`) — Nix realizes the patch FOD before compilation starts, so a hash mismatch aborts with `0 built (1 failed)` and zero compile work. If you accidentally fix all FODs correctly, `nix build .#<name>` will start compiling. To guard against this: always start patch hashes as `lib.fakeHash`, run the build, copy `got:`, paste, and only then re-verify with `.src` / sub-attribute builds (never re-run `.#<name>` to confirm).
**GitHub PR patches — `.patch` vs `.diff`:** When fetching a patch from a GitHub pull request, prefer the `.diff` endpoint over `.patch`.
- `https://github.com/<owner>/<repo>/pull/<N>.patch` — a `git format-patch` **mbox** containing each commit in the PR separately. `git apply` (which `fetchpatch` and the Nix `patchPhase` use) does **not** replay commit history; it applies hunks against the working tree. PRs that create a file in one commit and delete/rename it in a later commit will fail with errors like `The next patch would delete the file X, which does not exist`.
- `https://github.com/<owner>/<repo>/pull/<N>.diff` — a **squashed** unified diff of the PR's net change. Applies cleanly against any base the PR is mergeable against.
Default to `.diff`. Only fall back to `.patch` if you specifically need authorship metadata (rare for Nix patching). If a previously-working `.patch` URL suddenly fails to apply, switching to `.diff` is the first thing to try.
Always use `lib.fakeHash` (or `pkgs.lib.fakeHash` if only `pkgs` is in scope). This is the only reliable way to set a bogus hash — never write a literal `sha256-...` placeholder string. The build will fail at the FOD with `got: sha256-...` which is the correct value.
Setting the hash to `sha256-AAAA...` (44 A's) or leaving the old one in place both work — the build will fail at the FOD with `got: sha256-...` which is the correct value.
**Note:** `.src`, `.goModules`, etc. are sub-attributes of the derivation. They download but do not compile. `nix build .#<name>` (without the `.src` suffix) compiles — never do that.
### Example — Package With `src`, `npmDepsHash`, and `vendorHash`
Use the same pattern for packages that combine a custom `src` fetcher, Go dependencies, and a nested npm UI derivation. `llama-swap` is a concrete example because it uses `leaveDotGit` + `postFetch`, `vendorHash`, and a UI package exposed under `passthru.ui`.
1. Set stale hashes to `lib.fakeHash` where possible:
```nix
src.hash = lib.fakeHash;
vendorHash = lib.fakeHash;
passthru.npmDepsHash = lib.fakeHash;
```
2. Resolve the custom `src` hash first; downstream FODs depend on it:
```bash
nix build .#llama-swap.src --no-link 2>&1 | tee /tmp/llama-swap-src.log
grep -E '^[[:space:]]*got:' /tmp/llama-swap-src.log | tail -1 | awk '{print $2}'
```
Put the `got:` value into `src.hash` before resolving dependency hashes.
3. Resolve the UI npm dependency hash from the nested UI derivation:
```bash
nix build .#llama-swap.passthru.ui.npmDeps --no-link 2>&1 | tee /tmp/llama-swap-npm.log
grep -E '^[[:space:]]*got:' /tmp/llama-swap-npm.log | tail -1 | awk '{print $2}'
```
Put the `got:` value into `passthru.npmDepsHash`.
4. Resolve the Go `vendorHash`:
```bash
nix build .#llama-swap.goModules --no-link 2>&1 | tee /tmp/llama-swap-go.log
grep -E '^[[:space:]]*got:' /tmp/llama-swap-go.log | tail -1 | awk '{print $2}'
```
Put the `got:` value into `vendorHash`.
For other packages, adapt the flake attribute path to where the FOD is exposed (for example, `.#<name>.npmDeps`, `.#<name>.passthru.ui.npmDeps`, or `.#<name>.goModules`).
5. Re-run the FOD sub-attribute builds to confirm they realise successfully:
```bash
nix build .#llama-swap.src --no-link
nix build .#llama-swap.passthru.ui.npmDeps --no-link
nix build .#llama-swap.goModules --no-link
```
If a dependency FOD fails before a hash mismatch (for example, `go.mod requires go >= ...`), fix the package inputs minimally (for example, switch to the matching `buildGo126Module`) and re-run the same FOD sub-attribute. Do not build `.#llama-swap`.
## Lookup Latest Version
When the user asks to update a package but doesn't specify a version:
When the user asks to update a package but doesn't specify a version, look it up and present it for confirmation.
1. Read `packages/<name>/default.nix` to find the git URL and current version/tag.
2. Determine the tag pattern from the `tag` field (e.g. `"b${version}"` → `'b*'`, `"v${version}"` → `'v*'`).
3. Run the helper script:
2. Determine the tag pattern from the current `tag` field (e.g. `"b${version}"`tags like `b8815`; `"v${version}"`tags like `v1.2.3`).
3. Fetch the newest matching tag:
```bash
./update-package-hashes.sh releases <git-url> '<pattern>'
# Find the latest tag matching the package's pattern
git ls-remote --tags https://github.com/ggml-org/llama.cpp.git 'b*' 2>&1 | tail -1
```
Shows main HEAD + 5 newest matching tags with commit hashes.
4. **Ask the user** before proceeding (`Current: b8815 → Latest: b8914 — proceed?`).
For non-GitHub repos, use the appropriate remote URL from the package's `fetchFrom*` expression.
4. Present the result to the user and **ask for confirmation** before proceeding:
```
Current: b8815 → Latest: b8914
Proceed with update? (yes/no)
```
If the user confirms, use the latest version. If they provide a different target, use that instead. If they say no, abort.
## Flow
@@ -128,6 +81,12 @@ When the user asks to update a package but doesn't specify a version:
5. **Opaque `outputHash` FODs** (e.g. opencode's `node_modules` which runs `bun install`) — do NOT attempt locally. Leave as-is and flag for CI in the summary.
6. Show `git diff -- packages/<name>/` and list any hashes left for CI.
## Resolving Tags Without Cloning
```bash
git ls-remote <url> refs/tags/<tag>
```
## Don't Touch What Didn't Change
Skip pinned sub-dependencies whose inputs didn't change — e.g. `slack-cli`'s `python-snappy` / `zstd-python` PyPI tarballs are pinned by the upstream `dfindexeddb`, not by the slack-cli rev.

206
.agents/skills/update-package-hashes/update-package-hashes.sh
View File

@@ -1,206 +0,0 @@
#!/usr/bin/env bash
#
# update-package-hashes.sh — Helper for the update-package-hashes skill.
# Co-located in .agents/skills/update-package-hashes/
#
# Usage:
# ./update-package-hashes.sh releases <git-url> [pattern]
# ./update-package-hashes.sh hash <git-url> <rev-or-tag>
# ./update-package-hashes.sh hash <git-url> <rev-or-tag> <fetcher>
# ./update-package-hashes.sh all <git-url> <rev-or-tag> [fetcher]
#
# Examples:
# ./update-package-hashes.sh releases https://github.com/ggml-org/llama.cpp
# ./update-package-hashes.sh releases https://github.com/ggml-org/llama.cpp b*
# ./update-package-hashes.sh hash https://github.com/owner/repo v1.2.3
# ./update-package-hashes.sh hash https://github.com/owner/repo abc1234 fetchFromGitLab
# ./update-package-hashes.sh all https://github.com/owner/repo v1.2.3
set -euo pipefail
usage() {
cat <<'EOF'
Usage:
$0 releases <git-url> [tag-pattern]
Show main branch HEAD + 5 most recent matching releases/tags.
$0 hash <git-url> <rev-or-tag> [fetcher]
Fetch source and print the nix fetcher expression with hash (via nurl).
$0 all <git-url> <rev-or-tag> [fetcher]
Same as hash, but also shows main HEAD + recent releases for context.
Options:
tag-pattern Glob pattern for filtering tags (e.g. 'v*', 'b*').
If omitted, all tags are shown.
fetcher Override the auto-detected fetcher:
fetchFromGitHub (default)
fetchFromGitLab
fetchFromGitLab (e.g. gitea.va.reichard.io)
fetchFromSourceHut
fetchgit (fallback for non-standard forges)
Requires: nix (for nurl), git.
EOF
exit 1
}
# ── Helpers ──────────────────────────────────────────────────────────────────
detect_fetcher() {
local url="$1"
local host
host=$(echo "$url" | sed -E 's|^https?://||' | cut -d/ -f1)
case "$host" in
*github.com)
echo "fetchFromGitHub"
;;
*gitlab.com)
echo "fetchFromGitLab"
;;
*gitea*|*gitlab.reichard*|*gitlab.va.reichard*)
echo "fetchFromGitLab"
;;
*sourcehut*)
echo "fetchFromSourceHut"
;;
*)
echo "fetchgit"
;;
esac
}
normalise_url() {
echo "${1%.git}"
}
# ── Commands ─────────────────────────────────────────────────────────────────
# Show main/master branch HEAD.
show_main_head() {
local url="$1"
local clean_url
clean_url=$(normalise_url "$url")
for branch in main master; do
local line
line=$(git ls-remote "$url" "refs/heads/$branch" 2>/dev/null | head -1)
if [[ -n "$line" ]]; then
local full_rev="${line%% *}"
echo " main: $full_rev"
echo
return
fi
done
# Fallback: try to find any branch
echo " (no main/master branch found)"
echo
}
# List recent tags/releases for a repo.
cmd_releases() {
local url="$1"
local pattern="${2:-}"
local clean_url
clean_url=$(normalise_url "$url")
echo "Recent tags for: $clean_url"
echo "────────────────────────────────────────────────────────"
echo
# Always show main HEAD first
show_main_head "$url"
# Get tags sorted by date (newest first), limited to 5
local tags
if [[ -n "$pattern" ]]; then
tags=$(git ls-remote --tags "$url" "$pattern" 2>&1 \
| grep -v '\^{}' \
| sed -E 's/^[a-f0-9]+[[:space:]]+refs\/tags\/([^\/]+)[[:space:]]*$/\1/' \
| sort -V \
| tail -5 || true)
else
tags=$(git ls-remote --tags "$url" 2>&1 \
| grep -v '\^{}' \
| sed -E 's/^[a-f0-9]+[[:space:]]+refs\/tags\/([^\/]+)[[:space:]]*$/\1/' \
| sort -V \
| tail -5 || true)
fi
if [[ -z "$tags" ]]; then
echo " (no tags found)"
return
fi
printf " %-30s %s\n" "TAG" "COMMIT"
echo " $(printf '%.0s-' {1..72})"
echo "$tags" | tac | while IFS= read -r tag_name; do
local full_rev
full_rev=$(git ls-remote "$url" "refs/tags/$tag_name" 2>/dev/null | head -1 | cut -f1)
if [[ -n "$full_rev" ]]; then
printf " %-30s %s\n" "$tag_name" "$full_rev"
else
printf " %-30s %s\n" "$tag_name" "(not found)"
fi
done
}
# Get the nix fetcher expression with hash for a specific rev/tag.
cmd_hash() {
local url="$1"
local rev="$2"
local fetcher="${3:-}"
if [[ -z "$fetcher" ]]; then
fetcher=$(detect_fetcher "$url")
fi
local clean_url
clean_url=$(normalise_url "$url")
echo "Fetching hash for: $clean_url @ $rev"
echo "Fetcher: $fetcher"
echo "────────────────────────────────────────────────────────"
echo
nix run nixpkgs#nurl -- "$url" "$rev"
}
# Get hash + recent releases for context.
cmd_all() {
local url="$1"
local rev="$2"
local fetcher="${3:-}"
cmd_releases "$url"
echo
cmd_hash "$url" "$rev" "$fetcher"
}
# ── Main ─────────────────────────────────────────────────────────────────────
if [[ $# -lt 2 ]]; then
usage
fi
case "$1" in
releases)
[[ $# -lt 2 ]] && { echo "Error: missing <git-url>" >&2; usage; }
cmd_releases "$2" "${3:-}"
;;
hash)
[[ $# -lt 3 ]] && { echo "Error: missing <git-url> <rev-or-tag>" >&2; usage; }
cmd_hash "$2" "$3" "${4:-}"
;;
all)
[[ $# -lt 3 ]] && { echo "Error: missing <git-url> <rev-or-tag>" >&2; usage; }
cmd_all "$2" "$3" "${4:-}"
;;
*)
echo "Unknown command: $1" >&2
usage
;;
esac

71
.agents/skills/update-vllm-3090-configs/SKILL.md
View File

@@ -1,71 +0,0 @@
---
name: update-vllm-3090-configs
description: Update only the qwen3.6-27b vLLM 3090 llama-swap configs from club-3090 refs; compare diffs, present a plan, and require approval before editing.
---
# Update vLLM 3090 Configs
## Scope
Use only for Qwen3.6 27B vLLM 3090 configs in `modules/nixos/services/llama-swap/`.
Do not use this skill for other models, other Qwen sizes, non-vLLM configs, or package bumps.
Local files:
- `modules/nixos/services/llama-swap/config.nix`
- `modules/nixos/services/llama-swap/setup-qwen36-vllm.sh`
Local config keys:
- `vllm-qwen3.6-27b-tools-text`
- `vllm-qwen3.6-27b-long-text`
- `vllm-qwen3.6-27b-long-vision`
## Hash Tracking
Each config entry stores an upstream commit hash comment:
`# Upstream: club-3090 <hash> (<date>) - <compose-file>`
When comparing, first extract stored hashes. If a config's hash matches
upstream HEAD, skip it (report "already synced"). Only full-diff configs
whose hash differs. Update the hash comment when edits are applied.
## Upstream References
Compare against `club-3090` master:
- `models/qwen3.6-27b/vllm/compose/single/tools-text.yml`
- `models/qwen3.6-27b/vllm/compose/single/long-text.yml`
- `models/qwen3.6-27b/vllm/compose/single/long-vision.yml`
- `scripts/setup.sh` for the current `GENESIS_PIN="${GENESIS_PIN:-...}"`
Use raw URLs or a temp clone under `_scratch/club-3090`. Prefer a temp clone when checking broad changes:
```bash
mkdir -p _scratch
git clone https://github.com/noonghunna/club-3090 _scratch/club-3090 2>/dev/null || git -C _scratch/club-3090 pull --ff-only
```
## Required Workflow
1. Fetch/update upstream refs under `_scratch/club-3090` or fetch the raw files.
2. Extract stored upstream hashes from `# Upstream: club-3090 ...` comments in config.nix. Skip any config whose hash matches upstream HEAD (report "already synced").
3. Compare upstream compose files to the remaining local llama-swap entries. Translate docker-compose semantics into the existing `docker run`/llama-swap format.
4. Compare upstream `scripts/setup.sh` Genesis pin to local `GENESIS_PIN` in `setup-qwen36-vllm.sh`.
5. Check upstream compose volumes/entrypoint for sidecar patches. If patches are added, removed, renamed, or invoked differently, update both:
- runtime mounts and `python3 /patches/...` calls in `config.nix`
- download/install logic and summary in `setup-qwen36-vllm.sh`
6. Ignore these diffs unless the user explicitly asks otherwise:
- `shm_size` / shm-related compose settings
- local timing patch `patch_timings_07351e088.py` and its mount/invocation
- model served-name differences caused by llama-swap `${MODEL_ID}`
- `HUGGING_FACE_HUB_TOKEN`; keep local CUDA device/env choices
- upstream relative paths vs local `/mnt/ssd/vLLM/...` paths
- docker-compose format vs local llama-swap/Nix format
7. Before editing, present:
- upstream files/commit checked
- meaningful diffs found
- ignored diffs
- exact planned local changes
Then wait for explicit user approval.
8. After approval, edit minimally and update the `# Upstream: club-3090 ...` hash comments. Validate:
- `bash -n modules/nixos/services/llama-swap/setup-qwen36-vllm.sh`
- `nix-instantiate --parse modules/nixos/services/llama-swap/config.nix`
9. Summarize changed files and any remaining upstream differences.

19
.sops.yaml
View File

@@ -5,16 +5,14 @@ keys:
# User SSH Derived
- &user_lin-va-desktop age15hdlen5dgjvdfgg2j0uzvchs5vs3xuptkhsw9xeuatcuk6uwrvcsz7hcsg
- &user_lin-va-mbp-personal age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
- &user_lin-va-mbp-work-vm age1mar507c9mxmwalg486chs5kfh0mya38rv5w64ypfwnwlawewrpnswerpg8
- &user_lin-va-terminal age1w6avj7gd4f5frk90lsyh4e2k5am6z92hzlr0vpgrm767muyj59qsnuah62
- &user_lin-va-thinkpad age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
- &user_mac-va-mbp-personal age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
- &user_mac-va-mbp-work age1ped3hpugq06908ex8kgama33qckqe03rmac5pa6th87vks5d249qhshvqu
- &user_mac-va-mbp-work age1jf7yuycuajc5m8vupgrndjvw8knekr2v9979j68xc5ykvcxag4lss454au
- &user_lin-va-terminal age1w6avj7gd4f5frk90lsyh4e2k5am6z92hzlr0vpgrm767muyj59qsnuah62
# System SSH Derived
- &system_lin-va-desktop age1mxjrvjxkn69kfn2np3wpd73g44fuhsgykw7l5ss9rx30em5jfp2scnrq32
- &system_lin-va-thinkpad age13gymlygyac9z2slecl53jp8spq7e8n4zkan86n0gmnm3nrj4muxqa5ullm
- &system_lin-va-terminal age1rfgh40p6wmaam4ttwgv9xfukgxjruskhfvm0q3ud6lvxtlqc2y8snhwjft
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
@@ -26,24 +24,11 @@ creation_rules:
- *admin_reichard
- *system_lin-va-desktop
- *system_lin-va-thinkpad
- *system_lin-va-terminal
- path_regex: secrets/common/llama-swap.yaml
key_groups:
- age:
- *admin_reichard
- *system_lin-va-desktop
- *user_lin-va-mbp-personal
- *user_lin-va-mbp-work-vm
- *user_lin-va-terminal
- *user_lin-va-thinkpad
- *user_mac-va-mbp-personal
- *user_mac-va-mbp-work
- path_regex: secrets/common/evanreichard.yaml
key_groups:
- age:
- *admin_reichard
- *user_lin-va-mbp-personal
- *user_lin-va-mbp-work-vm
- *user_lin-va-terminal
- *user_lin-va-thinkpad
- *user_mac-va-mbp-personal

110
flake.lock generated
View File

@@ -8,11 +8,11 @@
]
},
"locked": {
"lastModified": 1778234684,
"narHash": "sha256-usIHfvSt7aXvMvRGtcbsue3rA13Z+9TW/7I3WBzLqFY=",
"lastModified": 1776147994,
"narHash": "sha256-c5F8jYiB0fjWsP4j/yeszqszA3laflzDj6/pmoJTeG4=",
"owner": "nix-community",
"repo": "nixos-apple-silicon",
"rev": "3d7fe422ef6162154830209b9e50bf69e150cff7",
"rev": "81439a7fb8067ab43641efd79c84607701da1ccd",
"type": "github"
},
"original": {
@@ -28,16 +28,16 @@
]
},
"locked": {
"lastModified": 1779036909,
"narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
"lastModified": 1772129556,
"narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
"owner": "nix-darwin",
"repo": "nix-darwin",
"rev": "56c666e108467d87d13508936aade6d567f2a501",
"rev": "ebec37af18215214173c98cf6356d0aca24a2585",
"type": "github"
},
"original": {
"owner": "nix-darwin",
"ref": "nix-darwin-26.05",
"ref": "nix-darwin-25.11",
"repo": "nix-darwin",
"type": "github"
}
@@ -51,11 +51,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1778179392,
"narHash": "sha256-W6zorvjBYbzMNvqKIqCdpDF4rq3gj50Xximl56YM9/I=",
"lastModified": 1775584659,
"narHash": "sha256-NA5oZRunqxD+4LNdU7ZKJHqwuazKyAmBjO4OHXL14X4=",
"owner": "determinatesystems",
"repo": "determinate",
"rev": "efd54faa68be8cd777b5c28cab11e638998a0853",
"rev": "21dcaa011d3d35cf42a04e988eaac9b28c97a707",
"type": "github"
},
"original": {
@@ -67,37 +67,37 @@
"determinate-nixd-aarch64-darwin": {
"flake": false,
"locked": {
"narHash": "sha256-z4mCqKI3Qd6weuHrlfzGccJG0giym/VJhKv20ijRSs0=",
"narHash": "sha256-qLWfYk9qkb21wKCDWnhMfqBFjcdBBJkNUKBlvdHSLgA=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.20.0/macOS"
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/macOS"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.20.0/macOS"
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/macOS"
}
},
"determinate-nixd-aarch64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-yW+VNepSRytzfanSssPMJPvwioCcmlZYaBX8++UFkAk=",
"narHash": "sha256-0BmprPIRTopvJ2QdImOMP+TujAPVgRdl0bUL3vhqGIY=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.20.0/aarch64-linux"
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/aarch64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.20.0/aarch64-linux"
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/aarch64-linux"
}
},
"determinate-nixd-x86_64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-+L102C3Hhkd1GlXmRm2eLTLsZKBxEvooiQZFqQRlBf0=",
"narHash": "sha256-+Q85cySxr0FB/cr97hk/WWYgeJY+iC4OH+FjGYygIbU=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.20.0/x86_64-linux"
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/x86_64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.20.0/x86_64-linux"
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.17.3/x86_64-linux"
}
},
"disko": {
@@ -105,11 +105,11 @@
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1777713215,
"narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
"lastModified": 1773889306,
"narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
"owner": "nix-community",
"repo": "disko",
"rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
"rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
"type": "github"
},
"original": {
@@ -126,11 +126,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1778385775,
"narHash": "sha256-n0MUvWA2SML/qBB4hpShQ7i+i961MX4oPtaQfYo0+uU=",
"lastModified": 1776199335,
"narHash": "sha256-ImihxU7ReZZuNdrASq8qzOmmO/UQtkuqQ9V9KKb1dD0=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "268324916742a48cd03b94fd63f2822d6b66d519",
"rev": "95066e56aaa948f170747f57a20c99511a953eed",
"type": "gitlab"
},
"original": {
@@ -278,16 +278,16 @@
]
},
"locked": {
"lastModified": 1780361225,
"narHash": "sha256-wnV9ttf4fPWNonBIQmvlrSlNpQYgx5HgWWd007mwIFA=",
"lastModified": 1775425411,
"narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e28654b71096e08c019d4861ca26acb646f583d8",
"rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-26.05",
"ref": "release-25.11",
"repo": "home-manager",
"type": "github"
}
@@ -301,12 +301,12 @@
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1778177425,
"narHash": "sha256-oyHvP5HDRe59opmjTrq2ED9lh+R9FrHyaCGPPNfBqWM=",
"rev": "f0ccb960d3ad5bff28acd9cabf8bdef885b5d52f",
"revCount": 25858,
"lastModified": 1775583600,
"narHash": "sha256-/shs/3GA4R3rxhhqpPbEMnDZKbCvf3VpwnHB75nkTcI=",
"rev": "e9b4735be7b90cf49767faf5c36f770ac1bdc586",
"revCount": 24880,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.20.0/019e03bc-3f83-7833-aba3-b691ef4956c7/source.tar.gz"
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.17.3/019d6913-e8c2-7128-ba76-3dc4f6b58158/source.tar.gz"
},
"original": {
"type": "tarball",
@@ -351,16 +351,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1773222311,
"narHash": "sha256-BHoB/XpbqoZkVYZCfXJXfkR+GXFqwb/4zbWnOr2cRcU=",
"rev": "0590cd39f728e129122770c029970378a79d076a",
"revCount": 909248,
"lastModified": 1761597516,
"narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
"rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
"revCount": 811874,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2511.909248%2Brev-0590cd39f728e129122770c029970378a79d076a/019ce32b-8ace-7339-b129-cceaa8dd10c6/source.tar.gz"
"url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.2511"
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
}
},
"nixpkgs-23-11": {
@@ -397,11 +397,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1777954456,
"narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
"lastModified": 1775710090,
"narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
"rev": "4c1018dae018162ec878d42fec712642d214fdfa",
"type": "github"
},
"original": {
@@ -413,12 +413,12 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1777826146,
"narHash": "sha256-wQ/iN5Zp5VIa3ebBibijPnLyKhor+xEbDy4d0goa9Zs=",
"rev": "73c703c22422b8951895a960959dbbaca7296492",
"revCount": 991389,
"lastModified": 1775464765,
"narHash": "sha256-nex6TL2x1/sVHCyDWcvl1t/dbTedb9bAGC4DLf/pmYk=",
"rev": "83e29f2b8791f6dec20804382fcd9a666d744c07",
"revCount": 975711,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.991389%2Brev-73c703c22422b8951895a960959dbbaca7296492/019df6c8-934b-7d40-b402-027bb5def30f/source.tar.gz"
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.975711%2Brev-83e29f2b8791f6dec20804382fcd9a666d744c07/019d6689-cde2-7061-b044-e0ef61ade488/source.tar.gz"
},
"original": {
"type": "tarball",
@@ -443,16 +443,16 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1780203844,
"narHash": "sha256-K5sT4jTpGs15ADhviMKNBH38REpPf5Q6mM1+N6cArVE=",
"lastModified": 1776067740,
"narHash": "sha256-B35lpsqnSZwn1Lmz06BpwF7atPgFmUgw1l8KAV3zpVQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b51242d7d43689db2f3be91bd05d5b24fbb469c4",
"rev": "7e495b747b51f95ae15e74377c5ce1fe69c1765f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-26.05",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
@@ -501,11 +501,11 @@
]
},
"locked": {
"lastModified": 1777944972,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"lastModified": 1776119890,
"narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
"type": "github"
},
"original": {

6
flake.nix
View File

@@ -2,7 +2,7 @@
description = "NixOS Hosts";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
disko.url = "github:nix-community/disko";
determinate.url = "github:determinatesystems/determinate";
@@ -11,7 +11,7 @@
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager/release-26.05";
url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs";
};
apple-silicon = {
@@ -31,7 +31,7 @@
inputs.nixpkgs.follows = "nixpkgs";
};
darwin = {
url = "github:nix-darwin/nix-darwin/nix-darwin-26.05";
url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
inputs.nixpkgs.follows = "nixpkgs";
};
};

2
homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix
View File

@@ -7,7 +7,7 @@ let
inherit (lib.${namespace}) enabled;
in
{
home.stateVersion = "26.05";
home.stateVersion = "25.11";
reichard = {
user = {

7
homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix
View File

@@ -8,7 +8,7 @@ let
inherit (lib.${namespace}) enabled;
in
{
home.stateVersion = "26.05";
home.stateVersion = "25.11";
reichard = {
user = {
@@ -34,14 +34,15 @@ in
git = enabled;
k9s = enabled;
nvim = enabled;
opencode = enabled;
pi = enabled;
zk = enabled;
};
};
services = {
# nunc = enabled;
sketchybar = enabled;
open-proxy.server = enabled;
};
security = {
@@ -53,6 +54,8 @@ in
programs.jq = enabled;
programs.pandoc = enabled;
home.packages = with pkgs; [
# colima
docker
keycastr
reichard.slack-cli
_1password-cli

10
homes/aarch64-darwin/evanreichard@mac-va-mbp-work/vm-init.sh
View File

@@ -33,16 +33,6 @@ else
echo " [✓] VM SOCKS Proxy Already Running"
fi
# Reverse tunnel so the VM's `open`/`xdg-open` reach open-proxy serve on this host.
if ! pgrep -f "ssh -N -R 7777:127.0.0.1:7777 adios-cs" > /dev/null; then
echo " [*] VM Open Proxy Starting..."
ssh -N -R 7777:127.0.0.1:7777 adios-cs &> /dev/null &
disown
echo " [✓] VM Open Proxy Started"
else
echo " [✓] VM Open Proxy Already Running"
fi
echo -e " [*] Connecting..."
# Connect to VM

5
homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix
View File

@@ -9,7 +9,7 @@ let
inherit (lib.${namespace}) enabled;
in
{
home.stateVersion = "26.05";
home.stateVersion = "25.11";
reichard = {
user = {
@@ -20,7 +20,7 @@ in
services = {
ssh-agent = enabled;
fusuma = enabled;
awww = enabled;
swww = enabled;
};
security = {
@@ -58,7 +58,6 @@ in
home.packages = with pkgs; [
orca-slicer
reichard.tuxguitar
];
dconf = {

9
homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix
View File

@@ -7,7 +7,7 @@ let
inherit (lib.${namespace}) enabled;
in
{
home.stateVersion = "26.05";
home.stateVersion = "25.11";
reichard = {
user = {
@@ -17,12 +17,6 @@ in
services = {
ssh-agent = enabled;
open-proxy.client = enabled;
};
security = {
pass-keyring = enabled;
sops = enabled;
};
programs = {
@@ -31,7 +25,6 @@ in
enable = true;
customFastFetchLogo = ./prophet.txt;
};
conduit = enabled;
btop = enabled;
claude-code = enabled;
direnv = enabled;

2
homes/aarch64-raw-efi/evanreichard@lin-terminal-image/default.nix
View File

@@ -7,7 +7,7 @@ let
inherit (lib.${namespace}) enabled;
in
{
home.stateVersion = "26.05";
home.stateVersion = "25.11";
reichard = {
user = {

3
homes/x86_64-linux/evanreichard@lin-va-desktop/default.nix
View File

@@ -7,7 +7,7 @@ let
inherit (lib.${namespace}) enabled;
in
{
home.stateVersion = "26.05";
home.stateVersion = "25.11";
reichard = {
user = {
@@ -25,7 +25,6 @@ in
btop = enabled;
direnv = enabled;
tmux = enabled;
git = enabled;
};
};
};

11
homes/x86_64-linux/evanreichard@lin-va-terminal/default.nix
View File

@@ -1,14 +1,13 @@
{ lib
, config
, namespace
, osConfig
, ...
}:
let
inherit (lib.${namespace}) enabled;
in
{
home.stateVersion = "26.05";
home.stateVersion = "25.11";
reichard = {
user = {
@@ -28,7 +27,6 @@ in
terminal = {
bash = enabled;
btop = enabled;
conduit = enabled;
direnv = enabled;
git = enabled;
k9s = enabled;
@@ -39,11 +37,4 @@ in
};
};
};
# Kubernetes Secrets
sops.secrets = lib.mkIf osConfig.${namespace}.security.sops.enable {
rke2_kubeconfig = {
path = "${config.home.homeDirectory}/.kube/lin-va-kube";
};
};
}

15
homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix
View File

@@ -9,7 +9,7 @@ let
inherit (lib.${namespace}) enabled;
in
{
home.stateVersion = "26.05";
home.stateVersion = "25.11";
reichard = {
user = {
@@ -20,7 +20,7 @@ in
services = {
ssh-agent = enabled;
fusuma = enabled;
awww = enabled;
swww = enabled;
poweralertd = enabled;
};
@@ -30,10 +30,7 @@ in
programs = {
graphical = {
wms.hyprland = {
enable = true;
menuMod = "ALT";
};
wms.hyprland = enabled;
ghostty = enabled;
strawberry = enabled;
gimp = enabled;
@@ -53,7 +50,7 @@ in
git = enabled;
k9s = enabled;
nvim = enabled;
pi = enabled;
opencode = enabled;
};
};
};
@@ -68,10 +65,6 @@ in
};
};
home.packages = with pkgs; [
orca-slicer
];
home.pointerCursor = {
gtk.enable = true;
name = "catppuccin-macchiato-mauve-cursors";

2
homes/x86_64-linux/evanreichard@lin-va-utility/default.nix
View File

@@ -20,7 +20,7 @@ in
services = {
ssh-agent = enabled;
fusuma = enabled;
awww = enabled;
swww = enabled;
};
security = {

6
modules/home/common/default.nix
View File

@@ -2,13 +2,11 @@
{
home.packages = with pkgs; [
sqlite-interactive
jnv
jq
mosh
ncdu
reichard.codexis
ripgrep
sqlite-interactive
unzip
reichard.codexis
];
}

22
modules/home/programs/graphical/browsers/firefox/default.nix
View File

@@ -1,9 +1,4 @@
{ config
, lib
, pkgs
, namespace
, ...
}:
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib)
types
@@ -67,47 +62,40 @@ in
extensions.packages = mkOpt (with lib.types; listOf package)
(with pkgs.firefox-addons; [
bitwarden
pkgs.firefox-addons."ctrl-number-to-switch-tabs"
darkreader
gruvbox-dark-theme
kagi-search
sponsorblock
ublock-origin
# bypass-paywalls-clean
]) "Extensions to install";
};
config = mkIf cfg.enable {
programs.firefox = {
enable = true;
configPath = ".mozilla/firefox";
inherit (cfg) policies;
profiles = {
${config.${namespace}.user.name} = {
inherit (cfg) extraConfig;
inherit (cfg) extraConfig extensions;
inherit (config.${namespace}.user) name;
extensions = {
packages = cfg.extensions.packages;
force = true;
};
id = 0;
settings = mkMerge [
cfg.settings
{
"browser.aboutConfig.showWarning" = false;
"extensions.autoDisableScopes" = 0;
"extensions.activeThemeID" = "{eb8c4a94-e603-49ef-8e81-73d3c4cc04ff}";
"browser.aboutwelcome.enabled" = false;
"browser.sessionstore.warnOnQuit" = true;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.shell.checkDefaultBrowser" = false;
"general.smoothScroll.msdPhysics.enabled" = true;
"intl.accept_languages" = "en-US,en";
"ui.key.accelKey" = 91;
"ui.key.accelKey" = "224";
# "devtools.chrome.enabled" = true;
# "xpinstall.signatures.required" = false;

154
modules/home/programs/graphical/wms/hyprland/config/hyprland.conf Executable file
View File

@@ -0,0 +1,154 @@
exec-once = uwsm app -- waybar
exec-once = uwsm app -- $terminal
exec-once = uwsm app -- firefox
general {
gaps_in = 5
gaps_out = 12
border_size = 2
# https://wiki.hyprland.org/Configuring/Variables/#variable-types for info about colors
col.active_border = rgba(33ccffee) rgba(00ff99ee) 45deg
col.inactive_border = rgba(595959aa)
# Set to true enable resizing windows by clicking and dragging on borders and gaps
resize_on_border = false
# Please see https://wiki.hyprland.org/Configuring/Tearing/ before you turn this on
allow_tearing = false
layout = dwindle
}
# https://wiki.hyprland.org/Configuring/Variables/#decoration
decoration {
rounding = 10
active_opacity = 1.0
inactive_opacity = 1.0
shadow {
enabled = true
range = 4
render_power = 3
color = rgba(1a1a1aee)
}
blur {
enabled = true
size = 3
passes = 1
vibrancy = 0.1696
}
}
# https://wiki.hyprland.org/Configuring/Variables/#animations
animations {
enabled = yes, please :)
bezier = easeOutQuint,0.23,1,0.32,1
bezier = easeInOutCubic,0.65,0.05,0.36,1
bezier = linear,0,0,1,1
bezier = almostLinear,0.5,0.5,0.75,1.0
bezier = quick,0.15,0,0.1,1
animation = global, 1, 10, default
animation = border, 1, 5.39, easeOutQuint
animation = windows, 1, 4.79, easeOutQuint
animation = windowsIn, 1, 4.1, easeOutQuint, popin 87%
animation = windowsOut, 1, 1.49, linear, popin 87%
animation = fadeIn, 1, 1.73, almostLinear
animation = fadeOut, 1, 1.46, almostLinear
animation = fade, 1, 3.03, quick
animation = layers, 1, 3.81, easeOutQuint
animation = layersIn, 1, 4, easeOutQuint, fade
animation = layersOut, 1, 1.5, linear, fade
animation = fadeLayersIn, 1, 1.79, almostLinear
animation = fadeLayersOut, 1, 1.39, almostLinear
animation = workspaces, 1, 1.94, almostLinear, fade
animation = workspacesIn, 1, 1.21, almostLinear, fade
animation = workspacesOut, 1, 1.94, almostLinear, fade
}
# Ref https://wiki.hyprland.org/Configuring/Workspace-Rules/
# "Smart gaps" / "No gaps when only"
# uncomment all if you wish to use that.
# workspace = w[tv1], gapsout:0, gapsin:0
# workspace = f[1], gapsout:0, gapsin:0
# windowrulev2 = bordersize 0, floating:0, onworkspace:w[tv1]
# windowrulev2 = rounding 0, floating:0, onworkspace:w[tv1]
# windowrulev2 = bordersize 0, floating:0, onworkspace:f[1]
# windowrulev2 = rounding 0, floating:0, onworkspace:f[1]
# See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more
dwindle {
pseudotile = true # Master switch for pseudotiling. Enabling is bound to mainMod + P in the keybinds section below
preserve_split = true # You probably want this
}
# See https://wiki.hyprland.org/Configuring/Master-Layout/ for more
master {
new_status = master
}
# https://wiki.hyprland.org/Configuring/Variables/#misc
misc {
force_default_wallpaper = -1 # Set to 0 or 1 to disable the anime mascot wallpapers
disable_hyprland_logo = false # If true disables the random hyprland logo / anime girl background. :(
}
#############
### INPUT ###
#############
# https://wiki.hyprland.org/Configuring/Variables/#input
input {
kb_layout = us
kb_variant =
kb_model =
kb_options =
kb_rules =
follow_mouse = 1
sensitivity = 0.0 # -1.0 - 1.0, 0 means no modification.
touchpad {
scroll_factor = 0.5
disable_while_typing = true
natural_scroll = true
clickfinger_behavior = true
tap-to-click = false
}
}
# https://wiki.hyprland.org/Configuring/Variables/#gestures
gesture = 4, horizontal, workspace, invert
# Thinkpad Trackpoint
device {
name = tpps/2-elan-trackpoint
sensitivity = -0.3
}
##############################
### WINDOWS AND WORKSPACES ###
##############################
# See https://wiki.hyprland.org/Configuring/Window-Rules/ for more
# See https://wiki.hyprland.org/Configuring/Workspace-Rules/ for workspace rules
# Example windowrule v1
# windowrule = float, ^(kitty)$
# Example windowrule v2
# windowrulev2 = float,class:^(kitty)$,title:^(kitty)$
# Ignore maximize requests from apps. You'll probably like this.
windowrulev2 = suppressevent maximize, class:.*
# Fix some dragging issues with XWayland
windowrulev2 = nofocus,class:^$,title:^$,xwayland:1,floating:1,fullscreen:0,pinned:0

217
modules/home/programs/graphical/wms/hyprland/config/hyprland.lua
View File

@@ -1,217 +0,0 @@
-- Hyprland config (lua backend, Hyprland 0.55+).
-- `mainMod`, `menuMod`, and the monitor(s) are injected by Nix above this file.
-- See https://wiki.hypr.land/Configuring/Start/
local terminal = "ghostty"
local menu = "wofi --show drun"
-------------------
---- AUTOSTART ----
-------------------
hl.on("hyprland.start", function()
hl.exec_cmd("uwsm app -- waybar")
hl.exec_cmd("uwsm app -- " .. terminal)
hl.exec_cmd("uwsm app -- firefox")
end)
-----------------------
---- LOOK AND FEEL ----
-----------------------
hl.config({
general = {
gaps_in = 5,
gaps_out = 12,
border_size = 2,
col = {
active_border = { colors = { "rgba(33ccffee)", "rgba(00ff99ee)" }, angle = 45 },
inactive_border = "rgba(595959aa)",
},
resize_on_border = false,
allow_tearing = false,
layout = "dwindle",
},
decoration = {
rounding = 10,
active_opacity = 1.0,
inactive_opacity = 1.0,
shadow = {
enabled = true,
range = 4,
render_power = 3,
color = 0xee1a1a1a,
},
blur = {
enabled = true,
size = 3,
passes = 1,
vibrancy = 0.1696,
},
},
animations = {
enabled = true,
},
dwindle = {
preserve_split = true,
},
master = {
new_status = "master",
},
misc = {
force_default_wallpaper = -1,
disable_hyprland_logo = false,
},
})
----------------------
---- ANIMATIONS ------
----------------------
hl.curve("easeOutQuint", { type = "bezier", points = { { 0.23, 1 }, { 0.32, 1 } } })
hl.curve("easeInOutCubic", { type = "bezier", points = { { 0.65, 0.05 }, { 0.36, 1 } } })
hl.curve("linear", { type = "bezier", points = { { 0, 0 }, { 1, 1 } } })
hl.curve("almostLinear", { type = "bezier", points = { { 0.5, 0.5 }, { 0.75, 1 } } })
hl.curve("quick", { type = "bezier", points = { { 0.15, 0 }, { 0.1, 1 } } })
hl.animation({ leaf = "global", enabled = true, speed = 10, bezier = "default" })
hl.animation({ leaf = "border", enabled = true, speed = 5.39, bezier = "easeOutQuint" })
hl.animation({ leaf = "windows", enabled = true, speed = 4.79, bezier = "easeOutQuint" })
hl.animation({ leaf = "windowsIn", enabled = true, speed = 4.1, bezier = "easeOutQuint", style = "popin 87%" })
hl.animation({ leaf = "windowsOut", enabled = true, speed = 1.49, bezier = "linear", style = "popin 87%" })
hl.animation({ leaf = "fadeIn", enabled = true, speed = 1.73, bezier = "almostLinear" })
hl.animation({ leaf = "fadeOut", enabled = true, speed = 1.46, bezier = "almostLinear" })
hl.animation({ leaf = "fade", enabled = true, speed = 3.03, bezier = "quick" })
hl.animation({ leaf = "layers", enabled = true, speed = 3.81, bezier = "easeOutQuint" })
hl.animation({ leaf = "layersIn", enabled = true, speed = 4, bezier = "easeOutQuint", style = "fade" })
hl.animation({ leaf = "layersOut", enabled = true, speed = 1.5, bezier = "linear", style = "fade" })
hl.animation({ leaf = "fadeLayersIn", enabled = true, speed = 1.79, bezier = "almostLinear" })
hl.animation({ leaf = "fadeLayersOut", enabled = true, speed = 1.39, bezier = "almostLinear" })
hl.animation({ leaf = "workspaces", enabled = true, speed = 1.94, bezier = "almostLinear", style = "fade" })
hl.animation({ leaf = "workspacesIn", enabled = true, speed = 1.21, bezier = "almostLinear", style = "fade" })
hl.animation({ leaf = "workspacesOut", enabled = true, speed = 1.94, bezier = "almostLinear", style = "fade" })
---------------
---- INPUT ----
---------------
hl.config({
input = {
kb_layout = "us",
kb_variant = "",
kb_model = "",
kb_options = "",
kb_rules = "",
follow_mouse = 1,
sensitivity = 0.0,
touchpad = {
scroll_factor = 0.5,
disable_while_typing = true,
natural_scroll = true,
clickfinger_behavior = true,
tap_to_click = false,
},
},
})
-- 4-finger horizontal swipe to switch workspaces. The old `invert` modifier was
-- removed in the 0.51 gesture rework; flip the physical swipe direction if needed.
hl.gesture({ fingers = 4, direction = "horizontal", action = "workspace" })
-- Thinkpad Trackpoint
hl.device({ name = "tpps/2-elan-trackpoint", sensitivity = -0.3 })
---------------------
---- KEYBINDINGS ----
---------------------
-- Menu Mod Bindings (macOS Transition - Spotlight & Screenshots)
hl.bind(menuMod .. " + SPACE", hl.dsp.exec_cmd(menu))
hl.bind(menuMod .. " + SHIFT + 1", hl.dsp.exec_cmd("hyprshot -m output"))
hl.bind(menuMod .. " + SHIFT + 2", hl.dsp.exec_cmd("hyprshot -m window"))
hl.bind(menuMod .. " + SHIFT + 3", hl.dsp.exec_cmd("hyprshot -m region"))
hl.bind(menuMod .. " + Q", hl.dsp.window.close())
-- Primary Bindings
hl.bind(mainMod .. " + RETURN", hl.dsp.exec_cmd(terminal))
hl.bind(mainMod .. " + M", hl.dsp.exec_cmd("uwsm stop"))
hl.bind(mainMod .. " + V", hl.dsp.window.float({ action = "toggle" }))
hl.bind(mainMod .. " + P", hl.dsp.window.pin())
hl.bind(mainMod .. " + J", hl.dsp.layout("togglesplit"))
hl.bind(mainMod .. " + S", hl.dsp.workspace.toggle_special("magic"))
hl.bind(mainMod .. " + SHIFT + S", hl.dsp.window.move({ workspace = "special:magic" }))
-- Window Focus
hl.bind(mainMod .. " + left", hl.dsp.focus({ direction = "left" }))
hl.bind(mainMod .. " + right", hl.dsp.focus({ direction = "right" }))
hl.bind(mainMod .. " + up", hl.dsp.focus({ direction = "up" }))
hl.bind(mainMod .. " + down", hl.dsp.focus({ direction = "down" }))
-- Workspace switch + move active window to workspace (1-9, 0 -> 10)
for i = 1, 10 do
local key = i % 10
hl.bind(mainMod .. " + " .. key, hl.dsp.focus({ workspace = i }))
hl.bind(mainMod .. " + SHIFT + " .. key, hl.dsp.window.move({ workspace = i }))
end
hl.bind(mainMod .. " + SHIFT + right", hl.dsp.focus({ workspace = "+1" }))
hl.bind(mainMod .. " + SHIFT + left", hl.dsp.focus({ workspace = "-1" }))
-- Window move/resize with mouse
hl.bind(mainMod .. " + mouse:272", hl.dsp.window.drag(), { mouse = true })
hl.bind(mainMod .. " + mouse:273", hl.dsp.window.resize(), { mouse = true })
-- Multimedia & Brightness Keys
hl.bind("XF86AudioRaiseVolume", hl.dsp.exec_cmd("wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"), { locked = true, repeating = true })
hl.bind("XF86AudioLowerVolume", hl.dsp.exec_cmd("wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"), { locked = true, repeating = true })
hl.bind("XF86AudioMute", hl.dsp.exec_cmd("wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"), { locked = true, repeating = true })
hl.bind("XF86AudioMicMute", hl.dsp.exec_cmd("wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"), { locked = true, repeating = true })
hl.bind("XF86MonBrightnessUp", hl.dsp.exec_cmd("brightnessctl s 4%+"), { locked = true, repeating = true })
hl.bind("XF86MonBrightnessDown", hl.dsp.exec_cmd("brightnessctl s 5%-"), { locked = true, repeating = true })
-- macOS Keyboard Brightness
hl.bind(menuMod .. " + XF86MonBrightnessUp", hl.dsp.exec_cmd("brightnessctl -d kbd_backlight s 10%+"), { locked = true, repeating = true })
hl.bind(menuMod .. " + XF86MonBrightnessDown", hl.dsp.exec_cmd("brightnessctl -d kbd_backlight s 10%-"), { locked = true, repeating = true })
-- Player Controls
hl.bind("XF86AudioNext", hl.dsp.exec_cmd("playerctl next"), { locked = true })
hl.bind("XF86AudioPause", hl.dsp.exec_cmd("playerctl play-pause"), { locked = true })
hl.bind("XF86AudioPlay", hl.dsp.exec_cmd("playerctl play-pause"), { locked = true })
hl.bind("XF86AudioPrev", hl.dsp.exec_cmd("playerctl previous"), { locked = true })
--------------------------------
---- WINDOWS AND WORKSPACES ----
--------------------------------
hl.window_rule({
name = "suppress-maximize-events",
match = { class = ".*" },
suppress_event = "maximize",
})
hl.window_rule({
name = "fix-xwayland-drags",
match = {
class = "^$",
title = "^$",
xwayland = true,
float = true,
fullscreen = false,
pin = false,
},
no_focus = true,
})

107
modules/home/programs/graphical/wms/hyprland/default.nix
View File

@@ -24,27 +24,90 @@ in
wayland.windowManager.hyprland = {
enable = true;
# Lua Backend - Hyprland 0.55 deprecated hyprlang and home-manager 26.05 defaults configType to "lua".
configType = "lua";
extraConfig =
let
# Quote unless the value is numeric, so scale can be `2` or `"auto"`.
luaScalar = v: if builtins.match "[0-9]+(\\.[0-9]+)?" v != null then v else ''"${v}"'';
mkMonitor =
s:
let
parts = map lib.trim (lib.splitString "," s);
field = i: if builtins.length parts > i then builtins.elemAt parts i else "";
in
''hl.monitor({ output = "${field 0}", mode = "${field 1}", position = "${field 2}", scale = ${luaScalar (field 3)} })'';
in
''
local mainMod = "${cfg.mainMod}"
local menuMod = "${cfg.menuMod}"
extraConfig = builtins.readFile ./config/hyprland.conf;
settings = {
"$mainMod" = cfg.mainMod;
"$menuMod" = cfg.menuMod;
"$terminal" = "ghostty";
"$menu" = "wofi --show drun";
${lib.concatMapStringsSep "\n" mkMonitor cfg.monitors}
''
+ builtins.readFile ./config/hyprland.lua;
monitor = cfg.monitors;
bind = [
# Menu Mod Bindings (macOS Transition - Spotlight & Screenshots)
"$menuMod, SPACE, exec, $menu"
"$menuMod SHIFT, 1, exec, hyprshot -m output"
"$menuMod SHIFT, 2, exec, hyprshot -m window"
"$menuMod SHIFT, 3, exec, hyprshot -m region"
"$menuMod, Q, killactive"
# Primary Bindings
"$mainMod, RETURN, exec, $terminal"
"$mainMod, M, exit"
"$mainMod, V, togglefloating"
"$mainMod, P, pin"
"$mainMod, J, togglesplit"
"$mainMod, S, togglespecialworkspace, magic"
"$mainMod SHIFT, S, movetoworkspace, special:magic"
# Window Focus
"$mainMod, left, movefocus, l"
"$mainMod, right, movefocus, r"
"$mainMod, up, movefocus, u"
"$mainMod, down, movefocus, d"
# Workspace Switch
"$mainMod, 1, workspace, 1"
"$mainMod, 2, workspace, 2"
"$mainMod, 3, workspace, 3"
"$mainMod, 4, workspace, 4"
"$mainMod, 5, workspace, 5"
"$mainMod, 6, workspace, 6"
"$mainMod, 7, workspace, 7"
"$mainMod, 8, workspace, 8"
"$mainMod, 9, workspace, 9"
"$mainMod, 0, workspace, 10"
# Window Workspace Move
"$mainMod SHIFT, 1, movetoworkspace, 1"
"$mainMod SHIFT, 2, movetoworkspace, 2"
"$mainMod SHIFT, 3, movetoworkspace, 3"
"$mainMod SHIFT, 4, movetoworkspace, 4"
"$mainMod SHIFT, 5, movetoworkspace, 5"
"$mainMod SHIFT, 6, movetoworkspace, 6"
"$mainMod SHIFT, 7, movetoworkspace, 7"
"$mainMod SHIFT, 8, movetoworkspace, 8"
"$mainMod SHIFT, 9, movetoworkspace, 9"
"$mainMod SHIFT, 0, movetoworkspace, 10"
"$mainMod SHIFT, right, workspace, +1"
"$mainMod SHIFT, left, workspace, -1"
];
bindm = [
# Window Resizing
"$mainMod, mouse:272, movewindow"
"$mainMod, mouse:273, resizewindow"
];
bindel = [
# Multimedia & Brightness Keys
",XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"
",XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
",XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
",XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"
",XF86MonBrightnessUp, exec, brightnessctl s 4%+"
",XF86MonBrightnessDown, exec, brightnessctl s 5%-"
# macOS Keyboard Brightness
"$menuMod, XF86MonBrightnessUp, exec, brightnessctl -d kbd_backlight s 10%+"
"$menuMod, XF86MonBrightnessDown, exec, brightnessctl -d kbd_backlight s 10%-"
];
bindl = [
# Player Controls
", XF86AudioNext, exec, playerctl next"
", XF86AudioPause, exec, playerctl play-pause"
", XF86AudioPlay, exec, playerctl play-pause"
", XF86AudioPrev, exec, playerctl previous"
];
};
};
programs.waybar = {
@@ -54,9 +117,9 @@ in
{
layer = "top";
position = "top";
mode = "dock";
mod = "dock";
exclusive = true;
passthrough = false;
passtrough = false;
gtk-layer-shell = true;
height = 0;
modules-left = [

2
modules/home/programs/terminal/bash/config/hey-intern.sh
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
MODEL="qwen3.6-27b-vllm-180k-cuda0"
MODEL="qwen3-coder-next-80b-instruct"
SYSTEM_PROMPT="You are a shell command expert. Given a natural language query, generate a single shell command that accomplishes the task."
# Colors

2
modules/home/programs/terminal/bash/default.nix
View File

@@ -34,7 +34,7 @@ in
profileExtra = ''
export COLORTERM=truecolor
SHELL="$BASH"
PATH=~/.local/bin:$PATH
PATH=~/.bin:$PATH
bind "set show-mode-in-prompt on"
set -o vi || true

38
modules/home/programs/terminal/conduit/default.nix
View File

@@ -1,38 +0,0 @@
{ lib
, pkgs
, config
, namespace
, ...
}:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.terminal.conduit;
in
{
options.${namespace}.programs.terminal.conduit = {
enable = lib.mkEnableOption "conduit";
};
config = mkIf cfg.enable {
# Add Conduit
home.packages = with pkgs; [
reichard.conduit
];
# Define Conduit Configuration
sops = {
secrets.conduit_apikey = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/evanreichard.yaml";
};
templates."conduit.json" = {
path = "${config.xdg.configHome}/conduit/config.json";
content = builtins.toJSON {
server = "https://conduit.va.reichard.io";
api_key = "${config.sops.placeholder.conduit_apikey}";
log_level = "info";
log_format = "text";
};
};
};
};
}

2
modules/home/programs/terminal/git/config/.gitignore vendored
View File

@@ -2,5 +2,3 @@ _scratch
.direnv
.envrc
.agents
.pi
.nvim.lua

1
modules/home/programs/terminal/git/default.nix
View File

@@ -16,7 +16,6 @@ in
config = mkIf cfg.enable {
programs.git = {
enable = true;
lfs.enable = true;
settings = {
aliases = {
lg = "log --graph --abbrev-commit --decorate --date=relative --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold yellow)%d%C(reset)' --all -n 15";

36
modules/home/programs/terminal/glimpse/default.nix
View File

@@ -1,36 +0,0 @@
{ lib
, pkgs
, config
, namespace
, ...
}:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.terminal.glimpse;
in
{
options.${namespace}.programs.terminal.glimpse = {
enable = lib.mkEnableOption "glimpse";
};
config = mkIf cfg.enable {
# Add Glimpse
home.packages = with pkgs; [
reichard.glimpse
];
# Define Glimpse Configuration
sops = {
secrets.kagi_token = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/evanreichard.yaml";
};
templates."glimpse.json" = {
path = "${config.home.homeDirectory}/.config/glimpse/config.json";
content = builtins.toJSON {
search.provider = "kagi";
providers.kagi.token = "${config.sops.placeholder.kagi_token}";
};
};
};
};
}

6
modules/home/programs/terminal/nvim/config/lua/diagnostics-config.lua
View File

@@ -2,7 +2,11 @@
local diagnostics_active = true
local toggle_diagnostics = function()
diagnostics_active = not diagnostics_active
vim.diagnostic.enable(diagnostics_active)
if diagnostics_active then
vim.diagnostic.enable()
else
vim.diagnostic.disable()
end
end
local diagnostics_loclist_active = false

6
modules/home/programs/terminal/nvim/config/lua/llm-config.lua
View File

@@ -1,7 +1,7 @@
local llm_endpoint = "https://llm-api.va.reichard.io"
local llm_assistant_model = "qwen3.6-27b-vllm-75k-cuda0"
local llm_infill_model = "qwen3.5-4b-cuda1"
local current_fim = "llama"
local llm_assistant_model = "qwen3.5-27b-thinking"
local llm_infill_model = llm_assistant_model
local current_fim = "copilot"
-- Copilot Configuration
vim.g.copilot_no_tab_map = true

34
modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
View File

@@ -241,12 +241,7 @@ setup_lsp("gopls", {
})
end,
filetypes = { "go" },
cmd = function(dispatchers, config)
return vim.lsp.rpc.start({ "gopls", "-remote=auto" }, dispatchers, {
cwd = config.root_dir,
env = { GOMEMLIMIT = "6GiB" },
})
end,
cmd = { "gopls", "-remote=auto" },
settings = {
gopls = {
buildFlags = { "-tags=e2e" },
@@ -309,30 +304,3 @@ none_ls.setup({
end
end,
})
------------------------------------------------------
---------------------- EXRC LSP ----------------------
------------------------------------------------------
vim.o.exrc = true -- native path: <cwd>/.nvim.lua on startup
local loaded = {} -- absolute path -> true
local function load_project_config(buf)
local fname = vim.api.nvim_buf_get_name(buf)
if fname == "" then return end
local found = vim.fs.find(".nvim.lua", {
upward = true,
path = vim.fs.dirname(fname),
})[1]
if not found or loaded[found] then return end
local content = vim.secure.read(found)
if content then
loaded[found] = true
local chunk, err = loadfile(found)
if chunk then chunk() else vim.notify("project config: " .. err, vim.log.levels.ERROR) end
end
end
vim.api.nvim_create_autocmd({ "BufReadPost", "BufNewFile" }, {
callback = function(args) load_project_config(args.buf) end,
})

2
modules/home/programs/terminal/nvim/config/lua/lualine-config.lua
View File

@@ -49,7 +49,7 @@ local function pr_status()
end
require("lualine").setup({
options = { theme = "catppuccin-mocha" },
options = { theme = "catppuccin" },
sections = {
lualine_c = { { pr_status } },
-- lualine_z = { require("opencode").statusline }

9
modules/home/programs/terminal/nvim/config/lua/ts-config.lua
View File

@@ -1,7 +1,4 @@
vim.treesitter.language.register("markdown", "octo")
vim.api.nvim_create_autocmd("FileType", {
callback = function(args)
pcall(vim.treesitter.start, args.buf)
end,
require("nvim-treesitter.configs").setup({
highlight = { enable = true, additional_vim_regex_highlighting = false },
})
vim.treesitter.language.register("markdown", "octo")

18
modules/home/programs/terminal/nvim/default.nix
View File

@@ -135,18 +135,18 @@ in
golangci-lint-langserver
lua-language-server
nil
eslint
svelte-language-server
typescript
typescript-language-server
vscode-langservers-extracted
nodePackages.eslint
nodePackages.svelte-language-server
nodePackages.typescript
nodePackages.typescript-language-server
nodePackages.vscode-langservers-extracted
pyright
python312Packages.autopep8
# Formatters
luaformatter
nixpkgs-fmt
prettier
nodePackages.prettier
stylua
sql-formatter
@@ -177,9 +177,9 @@ in
clangd = "${pkgs.clang-tools}/bin/clangd",
golintls = "${pkgs.golangci-lint-langserver}/bin/golangci-lint-langserver",
luals = "${pkgs.lua-language-server}/bin/lua-language-server",
sveltels = "${pkgs.svelte-language-server}/bin/svelteserver",
tsls = "${pkgs.typescript-language-server}/bin/typescript-language-server",
vscls = "${pkgs.vscode-langservers-extracted}",
sveltels = "${pkgs.nodePackages.svelte-language-server}/bin/svelteserver",
tsls = "${pkgs.nodePackages.typescript-language-server}/bin/typescript-language-server",
vscls = "${pkgs.nodePackages.vscode-langservers-extracted}",
sqls = "${pkgs.sqls}/bin/sqls",
}
return nix_vars

84
modules/home/programs/terminal/pi/config/AGENTS.md
View File

@@ -1,81 +1,63 @@
# AI Agent Guidelines
Be cognizant of context use; this file is loaded for all LLMs. Keep guidance concise and high-signal.
## Important Rules
## Critical Rules
1. **Timeout for bash tool**: The `bash` tool MUST have a timeout specified. Without a timeout, the tool will hang indefinitely and cause the task to fail.
2. **File writing**: Do NOT use `cat` with heredocs to write files. Use the `write` tool instead (or `edit` for modifications).
## Example of Correct Usage
### Incorrect (will hang):
```bash
bash(command="some long-running command")
```
### Correct (with timeout):
1. **Bash timeouts**: Every `bash` tool call MUST specify a timeout.
```bash
bash(command="some command", timeout=30)
```
2. **File writing**: Do NOT use `cat` with heredocs to write files. Use `write` for new/rewritten files and `edit` for targeted modifications.
### Incorrect (file writing):
3. **Scratch files**: Put temporary scripts, plans, notes, and reusable exploration artifacts in `_scratch/`. It is gitignored.
4. **Missing commands**: If a tool is not installed, prefer `nix run` instead of installing it.
```bash
nix run nixpkgs#python3 -- script.py
bash(command="cat > file.txt << 'EOF'\ncontent\nEOF")
```
## Asking Questions
### Correct (file writing):
If a task is ambiguous, underspecified, or you foresee a non-obvious tradeoff during implementation, **surface it before coding** rather than guessing and producing rework. Treat this as always-on; an explicit "any questions?" is never required.
## Context Discipline
Prefer a **search → targeted read** pattern:
1. Search with `rg -n` / `grep -n` to find relevant line numbers.
2. Read only the needed range with `read(path, offset, limit)`.
Full-file reads are fine when genuinely needed, but avoid them as the default reflex.
```bash
write(path="file.txt", content="content")
```
## Principles
1. **Priority order**: When goals conflict, optimize in this order:
1. **Correctness** — solve the actual use case, including the realistic failure modes (not just the happy path).
2. **Maintainability / readability** — non-negotiable. Code is read far more than it is written; clarity wins over cleverness.
3. **Abstraction & polish** — only after the above are solid, and only when a concrete need justifies it.
1. **KISS / YAGNI** - Keep solutions simple and straightforward. Don't introduce abstractions, generics, or indirection unless there is a concrete, immediate need. Prefer obvious code over clever code.
All three matter, but never sacrifice (2) for (3). Prefer obvious, boring code over slick code that requires a paragraph to explain.
2. **KISS / YAGNI**: Avoid abstractions, generics, or indirection unless there is a concrete, present need. Speculative flexibility is a maintainability tax.
3. **Maintain AGENTS.md**: Keep project guidance up to date, but BLUF: concise, actionable, and context-size conscious.
4. **Rephrase over append**: When extending existing content (docs, comments, prose, code), prefer rephrasing to capture the new intent over tacking on more verbosity.
5. **Positive framing over prohibition**: State what _to_ do, not what _not_ to do. Default to omitting an instruction entirely rather than adding a "don't do X" rule — omission costs less context and avoids the failure mode where deleting a prohibition gets inverted into a mandate. Reserve explicit prohibitions for cases where the wrong behavior is a likely default that positive guidance alone can't redirect.
6. **Knowledge Capture Check**: Before the final response, ask whether the task revealed a non-obvious convention, pitfall, repeatable workflow, or missing helper. If yes, briefly recommend exactly where to capture it: package/project AGENTS.md, global AGENTS.md, a skill, or a helper script. Skip this note when there is nothing meaningful.
2. **Maintain AGENTS.md** - If the project has an `AGENTS.md`, keep it up to date as conventions or architecture evolve. However, follow the **BLUF** (Bottom Line Up Front) principle: keep it concise, actionable, and context-size conscious. Don't overload it with information that belongs in code comments or external docs.
## Style
### Comment Style
Default to **no comment**. Code should be self-explanatory through naming and structure. Only add a comment when it earns its place by explaining something the code cannot.
Write a comment when, and only when:
1. The _why_ is non-obvious (intent, constraint, workaround, surprising invariant).
2. A reader familiar with the language/codebase would otherwise stop and ask "why?".
Do not narrate _what_ the code does. Do not add Title Case section headers over logical blocks just to label them.
When a comment _is_ warranted, use a short Title Case label, a dash, and the _why_:
A logical "block" of code (doesn't have to be a scope, but a cohesive group of statements responsible for something) should have a comment above it with a short "title". The title must be in **Title Case**. For example:
```go
// Map Component Results - Downstream consumers expect a name-keyed lookup.
// Map Component Results
for _, comp := range components {
results[comp.Name] = comp.Result
}
```
Rules for the explanation after the dash:
If the block is more complicated or non-obvious, explain _why_ it does what it does after the title:
- Keep it to **23 sentences max**. Never a paragraph.
- State the _why_ directly. Do not restate what the code does, recap prior context, or hedge.
- Do **not** hard-wrap comments at 80 columns. Up to ~120 is fine.
If a block is complex enough that it needs a heading just to be navigable, that is usually a signal to extract a well-named function instead.
```go
// Map Component Results - This is needed because downstream consumers
// expect a name-keyed lookup. Without it, the renderer would fall back
// to O(n) scans on every frame.
for _, comp := range components {
results[comp.Name] = comp.Result
}
```

14
modules/home/programs/terminal/pi/config/extensions/replace-pi-with-claude-code.ts
View File

@@ -1,17 +1,11 @@
import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
export default function replacePiWithClaudeCodeExtension(pi: ExtensionAPI) {
pi.on("before_agent_start", async (event, ctx) => {
// Anthropic-Only Guard - Other providers (e.g. OpenAI, Google) should
// see the unmodified pi system prompt.
if (ctx.model?.provider !== "anthropic") {
return undefined;
}
// Replace "pi" With "claude code"
pi.on("before_agent_start", async (event) => {
// Replace "pi" With "claude code" - Exclude Literal ".pi" (e.g. Paths)
const transformedSystemPrompt = event.systemPrompt.replace(
/(^|\s)pi(?![\w-])/gi,
"$1claude code",
/(?<!\.)pi/gi,
"claude code",
);
if (transformedSystemPrompt === event.systemPrompt) {

42
modules/home/programs/terminal/pi/config/skills/address-gh-review/SKILL.md
View File

@@ -1,34 +1,19 @@
---
name: address-gh-review
description: 'Fetch and address unresolved GitHub PR review comments. Use when user asks to handle PR reviews, address review feedback, mentions "/address-gh-review", or wants to see what reviewers requested. Fetches unresolved threads, presents an actionable summary, lets the user select which items to address, and resolves threads on GitHub.'
description: 'Fetch and address unresolved GitHub PR review comments. Use when user asks to handle PR reviews, address review feedback, mentions "/address-gh-review", or wants to see what reviewers requested. Fetches unresolved threads, presents an actionable summary, and lets the user select which items to address.'
---
# GitHub PR Review
## Overview
Fetch unresolved review threads from the current PR, consolidate them into actionable items, address selected items (each as a separate commit), and resolve threads on GitHub with reactions or explanatory comments.
Fetch unresolved review threads from the current PR, consolidate them into actionable items, and address selected items each as a separate commit.
## Prerequisites
- `gh` CLI authenticated and in a repo with an open PR on the current branch
- The `git-commit` skill available for committing changes
## Scripts
- `gh_review.sh` — Fetches unresolved threads, prints human-readable summary, and appends a compact thread mapping block at the end with item numbers, thread IDs, and comment IDs for downstream resolution.
- `gh_resolve_thread.sh` — Resolves a GitHub review thread, optionally adding reactions or a comment first.
### `gh_resolve_thread.sh` Usage
```bash
# Thumbs-up on comments, then resolve
bash gh_resolve_thread.sh thumbsup <thread-id> [comment-id1 comment-id2 ...]
# Post a reply explaining why, then resolve
bash gh_resolve_thread.sh comment "reason" <thread-id>
```
## Workflow
### 1. Fetch Review Comments
@@ -41,16 +26,6 @@ bash gh_review.sh
If the script fails (no PR, not authenticated, etc.), report the error and stop.
The script appends a thread mapping block at the end of its output:
```
# Thread Mapping (item_num | thread_id | comment_ids)
1 PRRT_kwDOKhRdjM5-yKNp PRRC_kwDOKhRdjM6849mq PRRC_kwDOKhRdjM6849mr
2 PRRT_kwDOKhRdjM5-yKOJ PRRC_kwDOKhRdjM6849nZ
```
Capture these IDs from the script output — they are needed in step 5.
### 2. Consolidate into Actionable Items
Parse the output and group into actionable items. Combine threads that ask for the same change (e.g. multiple reviewers commenting on the same function about the same concern). Keep items separate when they require distinct code changes.
@@ -84,15 +59,6 @@ For each selected item, in order:
3. Run relevant linting/tests if applicable (e.g. `quicklint`)
4. Commit using the `git-commit` skill — **one commit per item**
### 5. Resolve Threads on GitHub
### 5. Summary
After all code changes are committed, resolve the corresponding threads on GitHub using the thread IDs and comment IDs from the script output in step 1:
1. For **addressed items**: run `bash gh_resolve_thread.sh thumbsup <thread-id> <comment-ids...>` — adds 👍 to each comment, then resolves the thread.
2. For **skipped items**: ask the user for a brief reason, then run `bash gh_resolve_thread.sh comment "<reason>" <thread-id>` — posts an explanation, then resolves.
Only resolve threads for items the user explicitly selected (addressed or skipped). Leave untouched items unresolved.
### 6. Summary
After all selected items are addressed and threads resolved, print a brief summary of what was done (code changes + thread resolutions).
After all selected items are addressed, print a brief summary of what was done.

85
modules/home/programs/terminal/pi/config/skills/address-gh-review/gh_resolve_thread.sh
View File

@@ -1,85 +0,0 @@
#!/usr/bin/env bash
# Resolve a GitHub PR review thread, optionally adding reactions or a comment.
#
# Usage:
# gh_resolve_thread.sh thumbsup <thread-id> [comment-id1 comment-id2 ...]
# gh_resolve_thread.sh comment "reason" <thread-id>
#
# - thumbsup: adds 👍 to each supplied comment ID, then resolves the thread
# - comment: posts a reply explaining why the thread is being resolved, then resolves
#
# Requires: gh CLI authenticated, running on a branch with an open PR.
set -euo pipefail
err() { echo "error: $1" >&2; exit 1; }
command -v gh >/dev/null 2>&1 || err "'gh' CLI not found"
if [[ $# -lt 1 ]]; then
err "usage: $0 {thumbsup|comment} ..."
fi
ACTION="$1"
shift
case "$ACTION" in
thumbsup)
[[ $# -lt 1 ]] && err "usage: $0 thumbsup <thread-id> [comment-id ...]"
THREAD_ID="$1"
shift
COMMENT_IDS=("$@")
# Add thumbs-up reaction to each comment
for cid in "${COMMENT_IDS[@]+"${COMMENT_IDS[@]}"}"; do
[[ -z "$cid" ]] && continue
# shellcheck disable=SC2016 # GraphQL uses -f flags, not shell expansion
gh api graphql -f query='
mutation($subjectId: ID!, $content: ReactionContent!) {
addReaction(input: { subjectId: $subjectId, content: $content }) {
reaction { content }
}
}' -f subjectId="$cid" -f content=THUMBS_UP --jq '.data.addReaction.reaction.content' >/dev/null 2>&1 || true
done
# Resolve the thread
# shellcheck disable=SC2016 # GraphQL uses -f flags, not shell expansion
gh api graphql -f query='
mutation($threadId: ID!) {
resolveReviewThread(input: { threadId: $threadId }) {
clientMutationId
}
}' -f threadId="$THREAD_ID" --jq '.data.resolveReviewThread.clientMutationId' >/dev/null 2>&1 || err "failed to resolve thread $THREAD_ID"
echo "Resolved thread $THREAD_ID (thumbs-up on ${#COMMENT_IDS[@]} comment(s))"
;;
comment)
[[ $# -lt 2 ]] && err "usage: $0 comment \"reason\" <thread-id>"
REASON="$1"
THREAD_ID="$2"
# Post a reply on the thread
# shellcheck disable=SC2016 # GraphQL uses -f flags, not shell expansion
gh api graphql -f query='
mutation($threadId: ID!, $body: String!) {
addPullRequestReviewThreadReply(input: { pullRequestReviewThreadId: $threadId, body: $body }) {
comment { id }
}
}' -f threadId="$THREAD_ID" -f body="$REASON" --jq '.data.addPullRequestReviewThreadReply.comment.id' >/dev/null 2>&1 || err "failed to post reply on thread $THREAD_ID"
# Resolve the thread
# shellcheck disable=SC2016 # GraphQL uses -f flags, not shell expansion
gh api graphql -f query='
mutation($threadId: ID!) {
resolveReviewThread(input: { threadId: $threadId }) {
clientMutationId
}
}' -f threadId="$THREAD_ID" --jq '.data.resolveReviewThread.clientMutationId' >/dev/null 2>&1 || err "failed to resolve thread $THREAD_ID"
echo "Resolved thread $THREAD_ID (commented: $REASON)"
;;
*)
err "unknown action: $ACTION (expected thumbsup|comment)"
;;
esac

73
modules/home/programs/terminal/pi/config/skills/address-gh-review/gh_review.sh
View File

@@ -2,8 +2,6 @@
# Fetch unresolved PR review threads, formatted for LLM consumption.
# Omits diff hunks (the LLM can read files from the repo directly).
# Groups comments into threads so conversation context is preserved.
# Appends a compact thread mapping block at the end with item numbers,
# thread IDs, and comment IDs for downstream resolution.
set -euo pipefail
@@ -26,18 +24,16 @@ ME=$(gh api user -q .login 2>/dev/null) || err "failed to fetch GitHub user - ar
OWNER=$(gh repo view --json owner -q .owner.login 2>/dev/null) || err "failed to determine repository owner"
REPO=$(gh repo view --json name -q .name 2>/dev/null) || err "failed to determine repository name"
# Fetch Unresolved Review Threads via GraphQL
QUERY=$(cat <<EOF
# Fetch unresolved review threads via GraphQL
OUTPUT=$(gh api graphql -f query='
query {
repository(owner: "${OWNER}", name: "${REPO}") {
pullRequest(number: ${PR_NUM}) {
repository(owner: "'"$OWNER"'", name: "'"$REPO"'") {
pullRequest(number: '"$PR_NUM"') {
reviewThreads(first: 100) {
nodes {
id
isResolved
comments(first: 100) {
nodes {
id
author { login }
body
path
@@ -48,53 +44,28 @@ query {
}
}
}
}' --jq '
[
.data.repository.pullRequest.reviewThreads.nodes[]
| select(.isResolved == false)
| {
file: .comments.nodes[0].path,
line: .comments.nodes[0].line,
comments: [
.comments.nodes[]
| select(.author.login != "'"$ME"'")
| {author: .author.login, body: .body}
]
}
EOF
)
RAW_JSON=$(gh api graphql -f query="$QUERY" 2>/dev/null | jq -c '.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false)') || err "GraphQL query failed - check your permissions and token scopes"
# Build human-readable output + thread mapping block
OUTPUT=""
MAPPING=""
ITEM_NUM=0
while IFS= read -r thread; do
[[ -z "$thread" ]] && continue
THREAD_ID=$(echo "$thread" | jq -r '.id')
FILE=$(echo "$thread" | jq -r '.comments.nodes[0].path')
LINE=$(echo "$thread" | jq -r '.comments.nodes[0].line')
# Collect comment IDs (for reactions) — exclude own comments
COMMENT_IDS=$(echo "$thread" | jq -r --arg me "$ME" '[.comments.nodes[] | select(.author.login != $me) | .id] | join(" ")')
# Build human-readable comments (exclude own comments)
COMMENTS=$(echo "$thread" | jq -r --arg me "$ME" '[.comments.nodes[] | select(.author.login != $me) | "- **\(.author.login)**: \(.body)"] | join("\n")')
if [[ -z "$COMMENTS" ]]; then
continue
fi
ITEM_NUM=$((ITEM_NUM + 1))
# Append human-readable block
OUTPUT+="## ${FILE}:${LINE}
${COMMENTS}
"
# Append mapping line
MAPPING+="${ITEM_NUM} ${THREAD_ID} ${COMMENT_IDS}
"
done <<< "$RAW_JSON"
| select(.comments | length > 0)
]
| .[]
| "## \(.file):\(.line)\n\(.comments | map("- **\(.author)**: \(.body)") | join("\n"))\n"
' 2>/dev/null) || err "GraphQL query failed - check your permissions and token scopes"
# Format output
if [[ -z "$OUTPUT" ]]; then
echo "No unresolved review comments found."
else
echo "$OUTPUT"
echo "---"
echo "# Thread Mapping (item_num | thread_id | comment_ids)"
echo "$MAPPING"
echo "$OUTPUT" | sed 's/\\n/\n/g'
fi

60
modules/home/programs/terminal/pi/config/skills/create-skill/SKILL.md
View File

@@ -1,60 +0,0 @@
---
name: create-skill
description: 'Create a new skill in the skills directory. Use when user asks to add a skill, create a skill, or mentions "/create-skill". Produces a SKILL.md with frontmatter and optional helper scripts, following conventions from existing skills.'
---
# Create Skill
## Overview
Scaffold a new skill directory with a `SKILL.md` and optional helper scripts under the project's skills directory.
## Workflow
### 1. Gather Requirements
Ask the user:
- **What does the skill do?** (trigger conditions, purpose)
- **Are there repeatable commands?** (if yes, these become scripts)
If the user already provided enough detail, skip straight to drafting.
### 2. Draft the Skill
Create `skills/<skill-name>/SKILL.md` with this structure:
```markdown
---
name: <skill-name>
description: "<One-liner: what it does and when to trigger. Keep under ~200 chars.>"
---
# <Skill Title>
## Overview
[1-2 sentences on purpose and scope]
## Workflow
[Numbered steps the agent follows]
```
**Guidelines:**
- **Be concise.** Skills are injected into agent context — every line costs tokens. Aim for the minimum needed to reliably guide the agent.
- **Use scripts for repeatable logic.** If a step involves a multi-line shell command, `jq` pipeline, or API call that won't change between runs, put it in a `.sh` file next to `SKILL.md` and reference it from the workflow. See `address-gh-review/` for an example.
- **Needs configurable values (paths, identifiers, etc.; not secrets — values are stored as plaintext files)?** Copy `assets/variable.sh` into the new skill's `scripts/` dir as-is. Callers use `variable.sh --get NAME [--require-exec RELPATH]`; the helper prints self-explaining `--set` instructions on "unset" or "set-but-invalid" and exits non-zero, so callers just propagate. The helper self-ignores its `.vars/` store on first `--set`, so no `.gitignore` setup is needed.
- **Frontmatter is required.** `name` and `description` fields. The description is what the agent uses to decide whether to load the skill, so make it specific about trigger conditions.
- **Don't over-specify.** Trust the agent to fill gaps. Document the _what_ and _when_, not every micro-step.
- **Frame positively; omit rather than prohibit.** Write what the agent _should_ do. Prefer leaving a rule out over adding "don't do X" (see AGENTS.md principle: _Positive framing over prohibition_).
- **Split workflow from reference when the reference surface grows.** If a skill accumulates lookup tables, mapping rules, or capability references that the workflow consults, move them into a sibling `<skill>/<category>/` directory (e.g. `mappings/`, `references/`) with one sub-doc per category and an index `README.md`. Keep `SKILL.md` focused on the hot path — workflow, hard rules, and a short table pointing at the sub-docs. Include a brief style guide in the index README covering (a) defer to authoritative sources (stubs, schemas, generated docs) whenever possible, (b) row/entry formatting conventions, (c) when to create a new sub-doc vs. extend an existing one.
### 3. Present for Review
Show the user the draft and wait for approval before finalizing. Apply any requested changes.
### 4. Git Add
Run `git add` on the new skill directory so the flake/tooling can discover it.

60
modules/home/programs/terminal/pi/config/skills/create-skill/assets/variable.sh
View File

@@ -1,60 +0,0 @@
#!/usr/bin/env bash
# Skill-local variable store. Values live in <skill-dir>/.vars/<NAME>.
#
# Usage:
# variable.sh --get NAME # prints value to stdout, exits 0
# # or prints a self-explaining hint to
# # stderr and exits 2 if unset.
# variable.sh --set NAME VALUE # writes value, exits 0.
#
# Callers should treat a non-zero exit as fatal; the stderr message tells
# the caller (agent or user) exactly how to populate the missing value.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
SKILL_DIR="$(dirname "$SCRIPT_DIR")"
STORE="$SKILL_DIR/.vars"
SELF="$0"
usage() {
cat >&2 <<EOF
Usage:
$SELF --get NAME
$SELF --set NAME VALUE
EOF
exit 2
}
case "${1:-}" in
--get)
[[ $# -eq 2 ]] || usage
name="$2"
file="$STORE/$name"
if [[ ! -f "$file" ]]; then
cat >&2 <<EOF
$SELF: $name is not set.
Ask the user for the value, then set it:
$SELF --set $name <value>
EOF
exit 2
fi
cat "$file"
;;
--set)
[[ $# -eq 3 ]] || usage
name="$2"; value="$3"
[[ "$name" =~ ^[A-Z][A-Z0-9_]*$ ]] || {
echo >&2 "$SELF: invalid name '$name' (must match [A-Z][A-Z0-9_]*)"
exit 2
}
mkdir -p "$STORE"
# Self-ignore the store so values never get committed, even if the
# skill root lacks a .gitignore entry for .vars/.
[[ -f "$STORE/.gitignore" ]] || printf '*\n' > "$STORE/.gitignore"
printf '%s' "$value" > "$STORE/$name"
;;
*)
usage
;;
esac

2
modules/home/programs/terminal/pi/config/skills/git-commit/SKILL.md
View File

@@ -126,8 +126,6 @@ EOF
- Imperative mood: "fix bug" not "fixes bug"
- Reference issues: `Closes #123`, `Refs #456`
- Keep description under 72 characters
- Keep commit bodies short: 4 sentences max.
- If you are unsure whether a body is useful, omit it entirely.
## Git Safety Protocol

71
modules/home/programs/terminal/pi/config/skills/planning/SKILL.md
View File

@@ -1,71 +0,0 @@
---
name: planning
description: 'Create a structured plan before implementing broad or non-trivial changes. Use when user requests a new feature spanning multiple areas, significant refactoring, or explicitly asks to "plan this out". Produces a plan document in _scratch/, waits for user approval, then tracks progress as tasks are completed.'
---
# Planning Workflow Skill
## When to Use
Trigger this workflow when:
- A user requests a **broad or non-trivial change** (e.g. new feature spanning frontend/backend, significant refactoring)
- A user says things like "plan this out", "create a plan", or "do this properly"
Don't trigger for routine multi-file changes like renames, simple bug fixes, or mechanical refactors.
## Rules
### 1. Always Start with a Plan
**Before touching any code**, create a markdown plan in `_scratch/plan-[short-name].md` with:
- A clear title and status
- Clarifications section (if any unknowns)
- Phased tasks as checkboxes (`- [ ]`)
### 2. Ask Clarifying Questions First
When a requirement is **ambiguous or has multiple valid interpretations**:
- List your interpretations
- Ask the user to confirm
- Document answers in the plan's "Clarifications" section
### 3. Wait for User Approval
Present the plan and wait for the user to confirm before implementing. If the user requests changes, update the plan first.
### 4. Update the Plan as You Work
- Change `- [ ]` to `- [x]` for completed items
- Note any deviations from the original plan
- If you discover new tasks, add them with a note explaining why
### 5. Plan Document Format
```markdown
# Plan: [Feature Name]
> **Status**: ⏳ In Progress | ✅ Complete | ❌ Blocked
## Clarifications
- ~~Question?~~ **Answer**
## Tasks
### Phase 1: [Name]
- [ ] Task 1
- [ ] Task 2
### Phase 2: [Name]
- [ ] Task 3
## Rollback Plan (if destructive/irreversible)
[How to undo if needed]
```
## Anti-Patterns
- ❌ Coding before the user approves the plan
- ❌ Making assumptions about ambiguous requirements
- ❌ Plans that are too vague ("update code")
- ❌ Forgetting to update the plan as you work

10
modules/home/programs/terminal/pi/config/subagents/scout.md
View File

@@ -1,10 +0,0 @@
---
name: scout
description: Fast codebase reconnaissance. Reads and searches files, then returns concise findings with paths.
approved_tools:
- read
- bash
---
You are a focused codebase scout running as a subagent with isolated context.
Find the information requested by the task and return a concise report. Prefer exact file paths, symbol names, and line numbers. Do not modify files.

172
modules/home/programs/terminal/pi/default.nix
View File

@@ -11,74 +11,6 @@ let
llamaSwapConfig = import ./../../../../nixos/services/llama-swap/config.nix { inherit pkgs; };
cfg = config.${namespace}.programs.terminal.pi;
# Nix-Owned Plugin List - Source of truth for `packages` in settings.json.
# Merged into the (mutable) settings.json on activation so pi can keep
# writing other fields (current model, etc.) without us clobbering them.
piPackages = [
"https://gitea.va.reichard.io/evan/pi-lsp.git@main"
"https://gitea.va.reichard.io/evan/pi-web.git@main"
"https://gitea.va.reichard.io/evan/pi-subagents.git@main"
"https://gitea.va.reichard.io/evan/pi-statusline.git@main"
];
piPackagesJson = pkgs.writeText "pi-packages.json" (builtins.toJSON piPackages);
# Pi Auth Api Keys - These are merged into mutable auth.json on activation.
# Add another entry here to manage another top-level provider auth key.
piAuthApiKeys = [
{
provider = "zai";
secretName = "zai_apikey";
jqVar = "zai";
sopsFile = lib.snowfall.fs.get-file "secrets/common/evanreichard.yaml";
}
];
piAuthJqRawfiles = lib.concatStringsSep " \\\n " (
map
(
auth: ''--rawfile ${auth.jqVar} "${config.sops.secrets.${auth.secretName}.path}"''
)
piAuthApiKeys
);
piAuthJqFilter = lib.concatStringsSep " | " (
map
(
auth: ''.["${auth.provider}"] = { type: "api_key", key: ($'' + auth.jqVar + ''| rtrimstr("\n")) }''
)
piAuthApiKeys
);
piAuthMergeScript = pkgs.writeShellScript "pi-auth-merge" ''
set -euo pipefail
PI_AUTH="$HOME/.pi/agent/auth.json"
mkdir -p "$(dirname "$PI_AUTH")"
if [ -L "$PI_AUTH" ]; then
rm "$PI_AUTH"
fi
for secret in ${
lib.concatStringsSep " " (
map (auth: ''"${config.sops.secrets.${auth.secretName}.path}"'') piAuthApiKeys
)
}; do
if [ ! -e "$secret" ]; then
echo "Skipping pi auth merge; missing sops secret: $secret" >&2
exit 0
fi
done
[ -s "$PI_AUTH" ] || echo '{}' > "$PI_AUTH"
tmp=$(mktemp)
${pkgs.jq}/bin/jq ${piAuthJqRawfiles} \
'${piAuthJqFilter}' "$PI_AUTH" > "$tmp"
mv "$tmp" "$PI_AUTH"
chmod 600 "$PI_AUTH"
'';
in
{
options.${namespace}.programs.terminal.pi = {
@@ -86,14 +18,25 @@ in
};
config = mkIf cfg.enable {
# Enable Glimpse
${namespace}.programs.terminal.glimpse.enable = true;
# Add Pi Coding Agent to Home Packages
home.packages = with pkgs; [ reichard.pi-coding-agent ];
home.packages = with pkgs; [
reichard.pi-coding-agent
];
# Define Pi Configuration
home.file = {
".pi/agent/models.json" = {
text = builtins.toJSON {
providers = {
"llama-swap" = {
baseUrl = "https://llm-api.va.reichard.io/v1";
api = "openai-completions";
apiKey = "none";
models = helpers.toPiModels llamaSwapConfig;
};
};
};
};
".pi/agent/AGENTS.md" = {
source = ./config/AGENTS.md;
};
@@ -101,10 +44,6 @@ in
source = ./config/skills;
recursive = true;
};
".pi/agent/subagents" = {
source = ./config/subagents;
recursive = true;
};
".pi/agent/prompts" = {
source = ./config/prompts;
recursive = true;
@@ -114,86 +53,5 @@ in
recursive = true;
};
};
# Pi Models Config - Inject llama-swap API key from sops into models.json
# so pi can authenticate against the llm-api endpoint.
sops = lib.mkIf config.${namespace}.security.sops.enable {
secrets = {
"llama_swap_api_keys/pi" = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml";
};
}
// lib.listToAttrs (
map
(auth: {
name = auth.secretName;
value.sopsFile = auth.sopsFile;
})
piAuthApiKeys
);
# Pi Web Config - Sops template so the kagi token (declared by the
# glimpse module, which pi enables above) can be embedded alongside
# the non-secret searxng base URL.
templates."pi-web.json" = {
path = "${config.home.homeDirectory}/.pi/pi-web/config.json";
content = builtins.toJSON {
provider = "searxng";
kagi.token = "${config.sops.placeholder.kagi_token}";
searxng.baseUrl = "https://search.va.reichard.io";
};
};
templates."pi-models.json" = {
path = "${config.home.homeDirectory}/.pi/agent/models.json";
content = builtins.toJSON {
providers = {
"llama-swap" = {
baseUrl = "https://llm-api.va.reichard.io/v1";
api = "openai-completions";
apiKey = config.sops.placeholder."llama_swap_api_keys/pi";
models = helpers.toPiModels llamaSwapConfig;
};
};
};
};
};
# Merge Nix-Defined Plugins Into Mutable settings.json - We can't symlink
# this file into the nix store because pi rewrites it at runtime (e.g. to
# persist the last-used model). Instead, on every activation we use jq to
# set `.packages` from Nix while preserving every other field.
home.activation.piSettingsMerge = config.lib.dag.entryAfter [ "writeBoundary" ] ''
PI_SETTINGS="$HOME/.pi/agent/settings.json"
mkdir -p "$(dirname "$PI_SETTINGS")"
[ -s "$PI_SETTINGS" ] || echo '{}' > "$PI_SETTINGS"
tmp=$(mktemp)
${pkgs.jq}/bin/jq --slurpfile pkgs ${piPackagesJson} \
'.packages = $pkgs[0]' "$PI_SETTINGS" > "$tmp"
mv "$tmp" "$PI_SETTINGS"
'';
# Merge Api Key Auth Into Mutable auth.json - Pi needs auth.json to stay
# writable, so merge sops-managed API keys instead of symlinking the whole
# file. Existing provider auth entries are preserved.
home.activation.piAuthMerge = lib.mkIf config.${namespace}.security.sops.enable (
config.lib.dag.entryAfter [ "sops-nix" "writeBoundary" ] ''
${piAuthMergeScript}
''
);
# Run Pi Auth Merge After Sops - During NixOS system activation, sops-nix
# can be restarted asynchronously and secrets may not exist yet. This user
# service retries the merge in the normal user systemd graph after sops-nix.
systemd.user.services.pi-auth-merge = lib.mkIf config.${namespace}.security.sops.enable {
Unit = {
Description = "Merge sops-managed Pi auth entries";
After = [ "sops-nix.service" ];
Requires = [ "sops-nix.service" ];
};
Service = {
Type = "oneshot";
ExecStart = piAuthMergeScript;
};
Install.WantedBy = [ "default.target" ];
};
};
}

19
modules/home/programs/terminal/pi/lib.nix
View File

@@ -13,9 +13,9 @@ in
toPiModels =
llamaSwapConfig:
let
hasType = type: model: any (t: t == type) (model.metadata.type or [ ]);
codingModels = filterAttrs (_name: model: hasType "coding" model) (llamaSwapConfig.models or { });
textGenModels = filterAttrs (name: model: any (t: t == "coding") (model.metadata.type or [ ])) (
llamaSwapConfig.models or { }
);
localModels = mapAttrs
(
@@ -32,19 +32,8 @@ in
else
{ }
)
// (
if hasType "vision" model then
{
input = [
"text"
"image"
];
}
else
{ }
)
)
codingModels;
textGenModels;
peerModels = listToAttrs (
flatten (

40
modules/home/security/pass-keyring/default.nix
View File

@@ -1,40 +0,0 @@
{ config
, lib
, namespace
, pkgs
, ...
}:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.security.pass-keyring;
in
{
options.${namespace}.security.pass-keyring = {
enable = mkEnableOption "Enable pass-backed keyring";
};
config = mkIf cfg.enable {
home.packages = [ pkgs.pass ];
# GPG + Pass Keyring - Provides credential storage for CLI
# tools (e.g. python keyring) via pass (GPG-backed). The
# keyringrc.cfg forces keyring to use the pass backend instead
# of SecretService (which requires a working D-Bus provider).
programs.gpg.enable = true;
services.gpg-agent = {
enable = true;
enableBashIntegration = true;
pinentry.package = pkgs.pinentry-curses;
defaultCacheTtl = 86400; # 24 hours
maxCacheTtl = 604800; # 7 days
};
# Keyring Backend Config - Forces keyring to use the pass
# backend instead of SecretService (broken on headless Linux).
xdg.configFile."python_keyring/keyringrc.cfg".text = ''
[backend]
default-keyring=keyring_pass.PasswordStoreBackend
'';
};
}

76
modules/home/services/open-proxy/default.nix
View File

@@ -1,76 +0,0 @@
{ config
, lib
, pkgs
, namespace
, ...
}:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.open-proxy;
package = pkgs.reichard.open-proxy;
secretName = "open_proxy_token";
tokenPath = config.sops.secrets.${secretName}.path;
in
{
options.${namespace}.services.open-proxy = {
server.enable = mkEnableOption "open-proxy host server (opens forwarded URLs/files on this machine)";
client.enable = mkEnableOption "open-proxy client (shadows open/xdg-open to forward to the host)";
};
config = lib.mkMerge [
(mkIf (cfg.server.enable || cfg.client.enable) {
sops.secrets.${secretName} = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/evanreichard.yaml";
};
})
(mkIf cfg.server.enable {
assertions = [
{
assertion = pkgs.stdenv.isDarwin;
message = "reichard.services.open-proxy.server is only supported on macOS (Darwin).";
}
];
launchd.agents.open-proxy = {
enable = true;
config = {
Label = "io.reichard.open-proxy";
ProgramArguments = [ "${package}/bin/open-proxy" "serve" ];
RunAtLoad = true;
KeepAlive = true;
EnvironmentVariables = {
OPEN_PROXY_TOKEN_FILE = tokenPath;
# open(1) lives in /usr/bin; launchd agents don't inherit a login PATH.
PATH = "/usr/bin:/bin:/usr/sbin:/sbin";
};
StandardOutPath = "${config.home.homeDirectory}/Library/Logs/open-proxy/open-proxy.out.log";
StandardErrorPath = "${config.home.homeDirectory}/Library/Logs/open-proxy/open-proxy.err.log";
};
};
})
(mkIf cfg.client.enable {
assertions = [
{
assertion = pkgs.stdenv.isLinux;
message = "reichard.services.open-proxy.client is only supported on Linux.";
}
];
# Shadow the openers via ~/.local/bin (prepended to PATH below). open-proxy
# keys off argv[0], so these symlinks run in client mode and fall back to
# any real opener further down PATH when the host is unreachable.
home.file = {
".local/bin/open".source = "${package}/bin/open-proxy";
".local/bin/xdg-open".source = "${package}/bin/open-proxy";
};
home.sessionPath = [ "$HOME/.local/bin" ];
home.sessionVariables = {
BROWSER = "open";
OPEN_PROXY_TOKEN_FILE = tokenPath;
};
})
];
}

28
modules/home/services/awww/default.nix → modules/home/services/swww/default.nix
View File

@@ -5,23 +5,23 @@
, ...
}:
let
cfg = config.${namespace}.services.awww;
cfg = config.${namespace}.services.swww;
in
{
options.${namespace}.services.awww = {
enable = lib.mkEnableOption "awww wallpaper service";
options.${namespace}.services.swww = {
enable = lib.mkEnableOption "swww wallpaper service";
};
config = lib.mkIf cfg.enable {
home.packages = with pkgs; [
awww
swww
];
systemd.user = {
services = {
awww-daemon = {
swww-daemon = {
Unit = {
Description = "AWWW Wallpaper Daemon";
Description = "SWWW Wallpaper Daemon";
After = [ "graphical-session.target" ];
};
@@ -31,7 +31,7 @@ in
Service = {
Type = "simple";
ExecStart = "${pkgs.awww}/bin/awww-daemon";
ExecStart = "${pkgs.swww}/bin/swww-daemon";
Restart = "on-failure";
RestartSec = 5;
};
@@ -39,28 +39,28 @@ in
change-wallpaper = {
Unit = {
Description = "AWWW Wallpaper Changer";
After = [ "awww-daemon.service" ];
Requires = [ "awww-daemon.service" ];
Description = "SWWW Wallpaper Changer";
After = [ "swww-daemon.service" ];
Requires = [ "swww-daemon.service" ];
};
Install = {
WantedBy = [ "awww-daemon.service" ];
WantedBy = [ "swww-daemon.service" ];
};
Service = {
Type = "oneshot";
ExecStart = "${pkgs.writeShellScript "change-wallpaper-script" ''
WALLPAPER=$(${pkgs.findutils}/bin/find $HOME/Wallpapers -type f | ${pkgs.coreutils}/bin/shuf -n 1)
${pkgs.awww}/bin/awww img "$WALLPAPER" --transition-type random
${pkgs.swww}/bin/swww img "$WALLPAPER" --transition-type random
''}";
};
};
};
timers.awww-schedule = {
timers.swww-schedule = {
Unit = {
Description = "AWWW Wallpaper Schedule";
Description = "SWWW Wallpaper Schedule";
};
Install = {

8
modules/nixos/hardware/opengl/default.nix
View File

@@ -16,12 +16,6 @@ in
enable32Bit = mkBoolOpt false "enable 32-bit";
enableIntel = mkBoolOpt false "support for intel";
enableNvidia = mkBoolOpt false "support for nvidia";
nvidiaPackage = lib.mkOption {
type = lib.types.package;
default = config.boot.kernelPackages.nvidiaPackages.stable;
defaultText = "config.boot.kernelPackages.nvidiaPackages.stable";
description = "nvidia driver package; pin to legacy_580 for Pascal (GTX 10xx) and older";
};
};
config = mkIf cfg.enable {
@@ -38,7 +32,7 @@ in
# Enable Nvidia Hardware
hardware.nvidia = mkIf cfg.enableNvidia {
package = cfg.nvidiaPackage;
package = config.boot.kernelPackages.nvidiaPackages.stable;
modesetting.enable = true;
powerManagement.enable = true;
open = false;

1
modules/nixos/nix/default.nix
View File

@@ -38,7 +38,6 @@ in
sshUser = "evanreichard";
protocol = "ssh";
sshKey = config.sops.secrets.builder_ssh_key.path;
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUdscEMwcm9yQVRLeks4bUxNS2dDWXFNNU4yTi9HZ1MydDRNMTNjd25BT1M=";
supportedFeatures = [
"benchmark"
"big-parallel"

45
modules/nixos/services/llama-swap/AGENTS.md
View File

@@ -1,45 +0,0 @@
# llama-swap Module — Agent Guide
## Model ID Convention
Use `<family>-<size>[-backend/variant][-context][-vl]-<placement>`. Omit `thinking` from IDs, use `vl` for vision-language models, and keep placement as the final suffix (`cuda0`, `cuda1`, or `dual`). Keep quantization and richer behavior details in the display `name` unless they are needed to distinguish two active configs for the same family/placement.
## Syncing vLLM Configs from club-3090
The three vLLM model configs in `config.nix` (`qwen3.6-27b-vllm-180k-cuda0`, `qwen3.6-27b-vllm-145k-vl-cuda0`, `qwen3.6-27b-vllm-75k-cuda0`) are derived from the club-3090 repo's Docker Compose files. Each config block has a `Synced from:` comment with the commit hash it was last aligned to.
### Source Files
The upstream compose files live at https://github.com/noonghunna/club-3090 under `models/qwen3.6-27b/vllm/compose/`:
| config.nix model ID | Compose file |
|------------------------------------|-------------------------------------|
| `qwen3.6-27b-vllm-180k-cuda0` | `docker-compose.long-text.yml` |
| `qwen3.6-27b-vllm-145k-vl-cuda0` | `docker-compose.long-vision.yml` |
| `qwen3.6-27b-vllm-75k-cuda0` | `docker-compose.tools-text.yml` |
### Sync Process
1. **Fetch the latest compose files** from https://github.com/noonghunna/club-3090 (master branch) and note the HEAD commit hash.
2. **Diff each compose file** against the current config.nix block. The mapping is:
- Compose `command:` args → Nix `vllmCmd` string (the `exec vllm serve ...` block)
- Compose `environment:` → Nix docker `-e` flags
- Compose `volumes:` → Nix docker `-v` flags
- Compose `image:` → Nix docker image tag at the end of the `docker run` command
- Compose `entrypoint:` → Nix `vllmCmd` preamble (the `set -e; pip install ...; python3 ...` lines before `exec vllm serve`)
3. **Apply changes** to `config.nix`. Key things to watch:
- `--max-model-len` and `--gpu-memory-utilization` — these change across versions
- Genesis env vars — the full set grows frequently; add new ones, remove deprecated ones
- Sidecar patches — old patches get absorbed into Genesis; drop them from entrypoint + volume mounts
- Docker image tag — update when the compose files move to a new nightly
4. **Keep `patch_timings_1acd67a.py`** — this is our own patch, not from club-3090. Always retain it in the entrypoint and volume mounts.
5. **Update the `Synced from:` comment** on each config block with the new commit hash and date.
6. **Update `setup-qwen36-vllm.sh`** if the upstream `patches/` directory changed (new patches added, old ones removed). The setup script downloads sidecar patches and creates cache directories.
7. **Verify syntax**: `nix-instantiate --parse config.nix`
### Structural Notes
- `config.nix` uses Nix string interpolation. Newlines in `vllmCmd` are flattened to spaces via `builtins.replaceStrings` before passing to `docker run -c`.
- We pin `CUDA_VISIBLE_DEVICES=0` and `CUDA_DEVICE_ORDER=PCI_BUS_ID` (not in compose files) because the host has multiple GPUs and llama-swap's concurrency matrix manages GPU assignment.
- Volume mounts use `/mnt/ssd/vLLM/` paths (Models, Patches, Cache) — these match what `setup-qwen36-vllm.sh` creates.
- The `patches/` subdirectory in this module contains our custom timings patch and its source `.patch` file — unrelated to club-3090's `patches/` dir.

949
modules/nixos/services/llama-swap/config.nix
View File

File diff suppressed because it is too large Load Diff

43
modules/nixos/services/llama-swap/default.nix
View File

@@ -5,37 +5,10 @@
, ...
}:
let
inherit (lib) mkIf mkEnableOption recursiveUpdate listToAttrs;
apiKeys = [ "evan" "pi" "aethera" ];
inherit (lib) mkIf mkEnableOption recursiveUpdate;
cfg = config.${namespace}.services.llama-swap;
llama-swap = pkgs.reichard.llama-swap;
llamaCppPresets =
let
models = (import ./config.nix { inherit pkgs; }).models;
llamaCppModels = lib.filterAttrs (_: model: lib.hasInfix "/bin/llama-server" (model.cmd or "")) models;
in
builtins.mapAttrs (_: model: {
inherit (model) cmd;
name = model.name or "";
env = model.env or [ ];
}) llamaCppModels;
llamaCppPresetFile = pkgs.writeText "llama-cpp-presets.json" (builtins.toJSON llamaCppPresets);
llama-cpp-bisect-context = pkgs.writeShellApplication {
name = "llama-cpp-bisect-context";
runtimeInputs = with pkgs; [
coreutils
curl
gnused
python3
util-linux
];
text = builtins.replaceStrings
[ "__LLAMA_CPP_PRESETS__" ]
[ "${llamaCppPresetFile}" ]
(builtins.readFile ./scripts/llama-cpp-bisect-context);
};
in
{
options.${namespace}.services.llama-swap = {
@@ -54,7 +27,6 @@ in
users.users.llama-swap = {
isSystemUser = true;
group = "llama-swap";
extraGroups = [ "podman" ];
};
# Create Service
@@ -62,6 +34,7 @@ in
description = "Model swapping for LLaMA C++ Server (or any local OpenAPI compatible server)";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "exec";
ExecStart = "${lib.getExe llama-swap} --listen :8080 --config ${
@@ -114,27 +87,21 @@ in
# Create Config
sops = {
secrets = listToAttrs (map (name: {
name = "llama_swap_api_keys/${name}";
value = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/llama-swap.yaml";
secrets.synthetic_apikey = {
sopsFile = lib.snowfall.fs.get-file "secrets/common/systems.yaml";
};
}) apiKeys);
templates."llama-swap.json" = {
restartUnits = [ "llama-swap.service" ];
owner = "llama-swap";
group = "llama-swap";
mode = "0400";
content = builtins.toJSON (
recursiveUpdate cfg.config {
apiKeys = map (name: config.sops.placeholder."llama_swap_api_keys/${name}") apiKeys;
peers.synthetic.apiKey = config.sops.placeholder.synthetic_apikey;
}
);
};
};
environment.systemPackages = [ llama-cpp-bisect-context ];
networking.firewall.allowedTCPPorts = [ 8080 ];
};
}

1
modules/nixos/services/llama-swap/patches/.gitignore vendored
View File

@@ -1 +0,0 @@
__pycache__

69
modules/nixos/services/llama-swap/patches/README.md
View File

@@ -1,69 +0,0 @@
# vLLM Timings Patch
This directory contains the custom timings patch for the current vLLM Docker image used by the llama-swap module:
```text
vllm/vllm-openai:nightly-1acd67a795ebccdf9b9db7697ae9082058301657
```
The patch adds a top-level llama.cpp-compatible `timings` object to OpenAI-compatible responses so llama-swap can populate cached tokens, prompt processing speed, and generation speed.
## Files
- `patch_timings_1acd67a.py` — idempotent boot-time disk-edit patch script for the vLLM Docker container.
- `vllm-timings-1acd67a.patch` — equivalent standard unified git patch against the current image's vLLM source.
## Runtime Script
Deploy the script under `/mnt/ssd/vLLM/Patches/` and mount it into the container:
```nix
-v /mnt/ssd/vLLM/Patches/patch_timings_1acd67a.py:/patches/patch_timings_1acd67a.py:ro \
```
Run it before `exec vllm serve`:
```bash
python3 /patches/patch_timings_1acd67a.py;
exec vllm serve ...
```
The script is idempotent. Re-running it skips files that already contain `# [patch_timings]`.
## Standard Patch
For a source checkout at commit `1acd67a795ebccdf9b9db7697ae9082058301657`:
```bash
git apply --check /path/to/vllm-timings-1acd67a.patch
git apply /path/to/vllm-timings-1acd67a.patch
```
At container runtime, applying the `.patch` directly is possible if the image has `patch` or `git` installed:
```bash
cd /usr/local/lib/python3.12/dist-packages
patch -p1 < /patches/vllm-timings-1acd67a.patch
```
The Python script remains the safer boot-time option because it is idempotent and does not depend on external patch tools being present in the Docker image.
## Timings Fields
```json
{
"prompt_n": 123,
"prompt_ms": 456.7,
"prompt_per_second": 269.3,
"predicted_n": 50,
"predicted_ms": 1000.0,
"predicted_per_second": 50.0,
"cache_n": 100
}
```
Data comes from vLLM's existing internal `RequestStateStats` and `RequestOutput.num_cached_tokens`:
- prompt/prefill time: `first_token_ts - scheduled_ts`
- generation/decode time: `last_token_ts - first_token_ts`
- cached tokens: `num_cached_tokens`

269
modules/nixos/services/llama-swap/patches/patch_timings_1acd67a.py
View File

@@ -1,269 +0,0 @@
"""
Disk-edit patch for vLLM nightly-1acd67a795ebccdf9b9db7697ae9082058301657:
inject llama.cpp-compatible `timings` into chat/completion API responses.
Adds `timings` to:
- /v1/chat/completions non-streaming responses
- /v1/chat/completions streaming final usage chunk
- /v1/completions non-streaming responses
- /v1/completions streaming final usage chunk
The `timings` object matches llama.cpp fields consumed by llama-swap:
prompt_n, prompt_ms, prompt_per_second,
predicted_n, predicted_ms, predicted_per_second, cache_n
Usage, before `exec vllm serve`:
python3 /patches/patch_timings_1acd67a.py
"""
import logging
import os
import sys
log = logging.getLogger("patch_timings")
log.setLevel(logging.INFO)
if not log.handlers:
log.addHandler(logging.StreamHandler())
PATCH_TAG = "# [patch_timings]"
TIMINGS_HELPER = f'''
{PATCH_TAG}
def _compute_timings(metrics, num_prompt, num_gen, num_cached=None):
"""Compute llama.cpp-compatible timings from RequestStateStats."""
t = {{
"prompt_n": num_prompt,
"prompt_ms": 0.0,
"prompt_per_second": 0.0,
"predicted_n": num_gen,
"predicted_ms": 0.0,
"predicted_per_second": 0.0,
"cache_n": num_cached if num_cached is not None else -1,
}}
if metrics is None:
return t
if metrics.first_token_ts > 0 and metrics.scheduled_ts > 0:
ps = metrics.first_token_ts - metrics.scheduled_ts
if ps > 0:
t["prompt_ms"] = ps * 1000.0
t["prompt_per_second"] = num_prompt / ps
if metrics.last_token_ts > 0 and metrics.first_token_ts > 0:
ds = metrics.last_token_ts - metrics.first_token_ts
if ds > 0:
t["predicted_ms"] = ds * 1000.0
t["predicted_per_second"] = num_gen / ds
return t
'''
def _find_vllm_dir():
"""Auto-discover vLLM install directory."""
try:
import vllm
return os.path.dirname(vllm.__file__)
except ImportError:
pass
for path in [
"/usr/local/lib/python3.12/dist-packages/vllm",
"/usr/lib/python3.12/site-packages/vllm",
]:
if os.path.isdir(path):
return path
return None
def _read(path):
with open(path, "r") as f:
return f.read()
def _write(path, content):
with open(path, "w") as f:
f.write(content)
def _replace_once(content, old, new, label):
count = content.count(old)
if count != 1:
raise RuntimeError(f"{label}: anchor matched {count} times")
return content.replace(old, new, 1)
def _patch_protocol(path, label, replacements):
if not os.path.exists(path):
log.error(" %s: file not found: %s", label, path)
return False
content = _read(path)
if PATCH_TAG in content:
log.info(" %s: already patched, skipping", label)
return True
try:
for old, new in replacements:
content = _replace_once(content, old, new, label)
except RuntimeError as e:
log.error(" %s", e)
return False
_write(path, content)
log.info(" %s: patched successfully", label)
return True
def _patch_chat_protocol(vllm_dir):
path = os.path.join(vllm_dir, "entrypoints/openai/chat_completion/protocol.py")
return _patch_protocol(path, "chat_completion/protocol.py", [
(
''' kv_transfer_params: dict[str, Any] | None = Field(\n default=None, description="KVTransfer parameters."\n )\n''',
''' kv_transfer_params: dict[str, Any] | None = Field(\n default=None, description="KVTransfer parameters."\n )\n\n # llama.cpp-compatible per-request timings # [patch_timings]\n timings: dict[str, Any] | None = None\n''',
),
(
''' # not part of the OpenAI spec but for tracing the tokens\n prompt_token_ids: list[int] | None = None\n''',
''' # not part of the OpenAI spec but for tracing the tokens\n prompt_token_ids: list[int] | None = None\n\n # llama.cpp-compatible per-request timings # [patch_timings]\n timings: dict[str, Any] | None = None\n''',
),
])
def _patch_completion_protocol(vllm_dir):
path = os.path.join(vllm_dir, "entrypoints/openai/completion/protocol.py")
return _patch_protocol(path, "completion/protocol.py", [
(
''' kv_transfer_params: dict[str, Any] | None = Field(\n default=None, description="KVTransfer parameters."\n )\n''',
''' kv_transfer_params: dict[str, Any] | None = Field(\n default=None, description="KVTransfer parameters."\n )\n\n # llama.cpp-compatible per-request timings # [patch_timings]\n timings: dict[str, Any] | None = None\n''',
),
(
'''class CompletionStreamResponse(OpenAIBaseModel):\n id: str = Field(default_factory=lambda: f"cmpl-{random_uuid()}")\n object: str = "text_completion"\n created: int = Field(default_factory=lambda: int(time.time()))\n model: str\n choices: list[CompletionResponseStreamChoice]\n usage: UsageInfo | None = Field(default=None)\n''',
'''class CompletionStreamResponse(OpenAIBaseModel):\n id: str = Field(default_factory=lambda: f"cmpl-{random_uuid()}")\n object: str = "text_completion"\n created: int = Field(default_factory=lambda: int(time.time()))\n model: str\n choices: list[CompletionResponseStreamChoice]\n usage: UsageInfo | None = Field(default=None)\n\n # llama.cpp-compatible per-request timings # [patch_timings]\n timings: dict[str, Any] | None = None\n''',
),
])
def _patch_chat_serving(vllm_dir):
path = os.path.join(vllm_dir, "entrypoints/openai/chat_completion/serving.py")
label = "chat_completion/serving.py"
if not os.path.exists(path):
log.error(" %s: file not found: %s", label, path)
return False
content = _read(path)
if PATCH_TAG in content:
log.info(" %s: already patched, skipping", label)
return True
try:
# Helper Function
content = _replace_once(
content,
"class OpenAIServingChat(OpenAIServing):",
TIMINGS_HELPER + "\n\nclass OpenAIServingChat(OpenAIServing):",
label,
)
# Streaming Last Result Capture - first streaming loop only.
content = _replace_once(
content,
" async for res in result_generator:\n if res.prompt_token_ids is not None:",
f" async for res in result_generator:\n _last_stream_res = res {PATCH_TAG}\n if res.prompt_token_ids is not None:",
label,
)
# Streaming Final Usage Chunk
content = _replace_once(
content,
''' final_usage_chunk = ChatCompletionStreamResponse(\n id=request_id,\n object=chunk_object_type,\n created=created_time,\n choices=[],\n model=model_name,\n usage=final_usage,\n system_fingerprint=self.system_fingerprint,\n )\n''',
f''' final_usage_chunk = ChatCompletionStreamResponse(\n id=request_id,\n object=chunk_object_type,\n created=created_time,\n choices=[],\n model=model_name,\n usage=final_usage,\n system_fingerprint=self.system_fingerprint,\n )\n # Inject Timings {PATCH_TAG}\n try:\n _s_cached = _last_stream_res.num_cached_tokens\n final_usage_chunk.timings = _compute_timings(\n _last_stream_res.metrics,\n num_prompt_tokens, completion_tokens, _s_cached,\n )\n except NameError:\n pass\n''',
label,
)
# Non-Streaming Response
content = _replace_once(
content,
''' response = ChatCompletionResponse(\n id=request_id,\n created=created_time,\n model=model_name,\n choices=choices,\n usage=usage,\n system_fingerprint=self.system_fingerprint,\n prompt_logprobs=clamp_prompt_logprobs(final_res.prompt_logprobs),\n prompt_token_ids=(\n final_res.prompt_token_ids if request.return_token_ids else None\n ),\n kv_transfer_params=final_res.kv_transfer_params,\n prompt_routed_experts=prompt_routed_experts,\n )\n''',
f''' response = ChatCompletionResponse(\n id=request_id,\n created=created_time,\n model=model_name,\n choices=choices,\n usage=usage,\n system_fingerprint=self.system_fingerprint,\n prompt_logprobs=clamp_prompt_logprobs(final_res.prompt_logprobs),\n prompt_token_ids=(\n final_res.prompt_token_ids if request.return_token_ids else None\n ),\n kv_transfer_params=final_res.kv_transfer_params,\n prompt_routed_experts=prompt_routed_experts,\n )\n\n # Inject Timings {PATCH_TAG}\n _cached = final_res.num_cached_tokens\n response.timings = _compute_timings(\n final_res.metrics, num_prompt_tokens, num_generated_tokens,\n _cached,\n )\n''',
label,
)
except RuntimeError as e:
log.error(" %s", e)
return False
_write(path, content)
log.info(" %s: patched successfully", label)
return True
def _patch_completion_serving(vllm_dir):
path = os.path.join(vllm_dir, "entrypoints/openai/completion/serving.py")
label = "completion/serving.py"
if not os.path.exists(path):
log.error(" %s: file not found: %s", label, path)
return False
content = _read(path)
if PATCH_TAG in content:
log.info(" %s: already patched, skipping", label)
return True
try:
# Helper Function
content = _replace_once(
content,
"class OpenAIServingCompletion(OpenAIServing):",
TIMINGS_HELPER + "\n\nclass OpenAIServingCompletion(OpenAIServing):",
label,
)
# Streaming Last Result Capture.
content = _replace_once(
content,
" async for prompt_idx, res in result_generator:\n prompt_token_ids = res.prompt_token_ids",
f" async for prompt_idx, res in result_generator:\n _last_comp_res = res {PATCH_TAG}\n prompt_token_ids = res.prompt_token_ids",
label,
)
# Streaming Final Usage Chunk
content = _replace_once(
content,
''' final_usage_chunk = CompletionStreamResponse(\n id=request_id,\n created=created_time,\n model=model_name,\n choices=[],\n usage=final_usage_info,\n system_fingerprint=self.system_fingerprint,\n )\n''',
f''' final_usage_chunk = CompletionStreamResponse(\n id=request_id,\n created=created_time,\n model=model_name,\n choices=[],\n usage=final_usage_info,\n system_fingerprint=self.system_fingerprint,\n )\n # Inject Timings {PATCH_TAG}\n try:\n _sc_cached = _last_comp_res.num_cached_tokens\n final_usage_chunk.timings = _compute_timings(\n _last_comp_res.metrics,\n total_prompt_tokens, total_completion_tokens,\n _sc_cached,\n )\n except NameError:\n pass\n''',
label,
)
# Non-Streaming Response
content = _replace_once(
content,
''' return CompletionResponse(\n id=request_id,\n created=created_time,\n model=model_name,\n choices=choices,\n usage=usage,\n system_fingerprint=self.system_fingerprint,\n kv_transfer_params=kv_transfer_params,\n prompt_routed_experts=prompt_routed_experts,\n )\n''',
f''' _comp_response = CompletionResponse( {PATCH_TAG}\n id=request_id,\n created=created_time,\n model=model_name,\n choices=choices,\n usage=usage,\n system_fingerprint=self.system_fingerprint,\n kv_transfer_params=kv_transfer_params,\n prompt_routed_experts=prompt_routed_experts,\n )\n # Inject Timings {PATCH_TAG}\n if last_final_res is not None:\n _comp_cached = last_final_res.num_cached_tokens\n _comp_response.timings = _compute_timings(\n last_final_res.metrics, num_prompt_tokens,\n num_generated_tokens, _comp_cached,\n )\n return _comp_response\n''',
label,
)
except RuntimeError as e:
log.error(" %s", e)
return False
_write(path, content)
log.info(" %s: patched successfully", label)
return True
def apply():
vllm_dir = _find_vllm_dir()
if vllm_dir is None:
log.error("Could not find vLLM installation directory")
return False
log.info("Found vLLM at: %s", vllm_dir)
ok = True
ok &= _patch_chat_protocol(vllm_dir)
ok &= _patch_chat_serving(vllm_dir)
ok &= _patch_completion_protocol(vllm_dir)
ok &= _patch_completion_serving(vllm_dir)
return ok
if __name__ == "__main__":
if apply():
print("patch_timings: All patches applied successfully")
else:
print("patch_timings: Some patches failed!", file=sys.stderr)
sys.exit(1)

213
modules/nixos/services/llama-swap/patches/vllm-timings-1acd67a.patch
View File

@@ -1,213 +0,0 @@
diff --git a/vllm/entrypoints/openai/chat_completion/protocol.py b/vllm/entrypoints/openai/chat_completion/protocol.py
index 742f9cc..ade939f 100644
--- a/vllm/entrypoints/openai/chat_completion/protocol.py
+++ b/vllm/entrypoints/openai/chat_completion/protocol.py
@@ -115,6 +115,9 @@ class ChatCompletionResponse(OpenAIBaseModel):
default=None, description="KVTransfer parameters."
)
+ # llama.cpp-compatible per-request timings # [patch_timings]
+ timings: dict[str, Any] | None = None
+
class ChatCompletionResponseStreamChoice(OpenAIBaseModel):
index: int
@@ -139,6 +142,9 @@ class ChatCompletionStreamResponse(OpenAIBaseModel):
# not part of the OpenAI spec but for tracing the tokens
prompt_token_ids: list[int] | None = None
+ # llama.cpp-compatible per-request timings # [patch_timings]
+ timings: dict[str, Any] | None = None
+
class ChatCompletionToolsParam(OpenAIBaseModel):
type: Literal["function"] = "function"
diff --git a/vllm/entrypoints/openai/chat_completion/serving.py b/vllm/entrypoints/openai/chat_completion/serving.py
index 1026e0a..a9c5708 100644
--- a/vllm/entrypoints/openai/chat_completion/serving.py
+++ b/vllm/entrypoints/openai/chat_completion/serving.py
@@ -79,6 +79,34 @@ if TYPE_CHECKING:
logger = init_logger(__name__)
+
+# [patch_timings]
+def _compute_timings(metrics, num_prompt, num_gen, num_cached=None):
+ """Compute llama.cpp-compatible timings from RequestStateStats."""
+ t = {
+ "prompt_n": num_prompt,
+ "prompt_ms": 0.0,
+ "prompt_per_second": 0.0,
+ "predicted_n": num_gen,
+ "predicted_ms": 0.0,
+ "predicted_per_second": 0.0,
+ "cache_n": num_cached if num_cached is not None else -1,
+ }
+ if metrics is None:
+ return t
+ if metrics.first_token_ts > 0 and metrics.scheduled_ts > 0:
+ ps = metrics.first_token_ts - metrics.scheduled_ts
+ if ps > 0:
+ t["prompt_ms"] = ps * 1000.0
+ t["prompt_per_second"] = num_prompt / ps
+ if metrics.last_token_ts > 0 and metrics.first_token_ts > 0:
+ ds = metrics.last_token_ts - metrics.first_token_ts
+ if ds > 0:
+ t["predicted_ms"] = ds * 1000.0
+ t["predicted_per_second"] = num_gen / ds
+ return t
+
+
class OpenAIServingChat(OpenAIServing):
def __init__(
self,
@@ -485,6 +513,7 @@ class OpenAIServingChat(OpenAIServing):
try:
async for res in result_generator:
+ _last_stream_res = res # [patch_timings]
if res.prompt_token_ids is not None:
num_prompt_tokens = len(res.prompt_token_ids)
if res.encoder_prompt_token_ids is not None:
@@ -947,6 +976,15 @@ class OpenAIServingChat(OpenAIServing):
usage=final_usage,
system_fingerprint=self.system_fingerprint,
)
+ # Inject Timings # [patch_timings]
+ try:
+ _s_cached = _last_stream_res.num_cached_tokens
+ final_usage_chunk.timings = _compute_timings(
+ _last_stream_res.metrics,
+ num_prompt_tokens, completion_tokens, _s_cached,
+ )
+ except NameError:
+ pass
final_usage_data = final_usage_chunk.model_dump_json(
exclude_unset=True, exclude_none=True
)
@@ -1377,6 +1415,13 @@ class OpenAIServingChat(OpenAIServing):
prompt_routed_experts=prompt_routed_experts,
)
+ # Inject Timings # [patch_timings]
+ _cached = final_res.num_cached_tokens
+ response.timings = _compute_timings(
+ final_res.metrics, num_prompt_tokens, num_generated_tokens,
+ _cached,
+ )
+
# Log complete response if output logging is enabled
if self.enable_log_outputs and self.request_logger:
for choice in choices:
diff --git a/vllm/entrypoints/openai/completion/protocol.py b/vllm/entrypoints/openai/completion/protocol.py
index 7bb3c8d..8487e93 100644
--- a/vllm/entrypoints/openai/completion/protocol.py
+++ b/vllm/entrypoints/openai/completion/protocol.py
@@ -489,6 +489,9 @@ class CompletionResponse(OpenAIBaseModel):
default=None, description="KVTransfer parameters."
)
+ # llama.cpp-compatible per-request timings # [patch_timings]
+ timings: dict[str, Any] | None = None
+
class CompletionResponseStreamChoice(OpenAIBaseModel):
index: int
@@ -516,6 +519,9 @@ class CompletionStreamResponse(OpenAIBaseModel):
model: str
choices: list[CompletionResponseStreamChoice]
usage: UsageInfo | None = Field(default=None)
+
+ # llama.cpp-compatible per-request timings # [patch_timings]
+ timings: dict[str, Any] | None = None
# Set only on the final chunk of a stream to mirror non-streaming responses
# without the per-chunk serialization overhead.
system_fingerprint: str | None = None
diff --git a/vllm/entrypoints/openai/completion/serving.py b/vllm/entrypoints/openai/completion/serving.py
index ee4ca9f..8b27011 100644
--- a/vllm/entrypoints/openai/completion/serving.py
+++ b/vllm/entrypoints/openai/completion/serving.py
@@ -48,6 +48,34 @@ if TYPE_CHECKING:
logger = init_logger(__name__)
+
+# [patch_timings]
+def _compute_timings(metrics, num_prompt, num_gen, num_cached=None):
+ """Compute llama.cpp-compatible timings from RequestStateStats."""
+ t = {
+ "prompt_n": num_prompt,
+ "prompt_ms": 0.0,
+ "prompt_per_second": 0.0,
+ "predicted_n": num_gen,
+ "predicted_ms": 0.0,
+ "predicted_per_second": 0.0,
+ "cache_n": num_cached if num_cached is not None else -1,
+ }
+ if metrics is None:
+ return t
+ if metrics.first_token_ts > 0 and metrics.scheduled_ts > 0:
+ ps = metrics.first_token_ts - metrics.scheduled_ts
+ if ps > 0:
+ t["prompt_ms"] = ps * 1000.0
+ t["prompt_per_second"] = num_prompt / ps
+ if metrics.last_token_ts > 0 and metrics.first_token_ts > 0:
+ ds = metrics.last_token_ts - metrics.first_token_ts
+ if ds > 0:
+ t["predicted_ms"] = ds * 1000.0
+ t["predicted_per_second"] = num_gen / ds
+ return t
+
+
class OpenAIServingCompletion(OpenAIServing):
def __init__(
self,
@@ -291,6 +319,7 @@ class OpenAIServingCompletion(OpenAIServing):
try:
async for prompt_idx, res in result_generator:
+ _last_comp_res = res # [patch_timings]
prompt_token_ids = res.prompt_token_ids
prompt_logprobs = res.prompt_logprobs
@@ -445,6 +474,16 @@ class OpenAIServingCompletion(OpenAIServing):
usage=final_usage_info,
system_fingerprint=self.system_fingerprint,
)
+ # Inject Timings # [patch_timings]
+ try:
+ _sc_cached = _last_comp_res.num_cached_tokens
+ final_usage_chunk.timings = _compute_timings(
+ _last_comp_res.metrics,
+ total_prompt_tokens, total_completion_tokens,
+ _sc_cached,
+ )
+ except NameError:
+ pass
final_usage_data = final_usage_chunk.model_dump_json(
exclude_unset=False, exclude_none=True
)
@@ -577,7 +616,7 @@ class OpenAIServingCompletion(OpenAIServing):
if pre is not None:
prompt_routed_experts = pre.tolist()
- return CompletionResponse(
+ _comp_response = CompletionResponse( # [patch_timings]
id=request_id,
created=created_time,
model=model_name,
@@ -587,6 +626,14 @@ class OpenAIServingCompletion(OpenAIServing):
kv_transfer_params=kv_transfer_params,
prompt_routed_experts=prompt_routed_experts,
)
+ # Inject Timings # [patch_timings]
+ if last_final_res is not None:
+ _comp_cached = last_final_res.num_cached_tokens
+ _comp_response.timings = _compute_timings(
+ last_final_res.metrics, num_prompt_tokens,
+ num_generated_tokens, _comp_cached,
+ )
+ return _comp_response
def _create_completion_logprobs(
self,

464
modules/nixos/services/llama-swap/scripts/llama-cpp-bisect-context
View File

@@ -1,464 +0,0 @@
#!/usr/bin/env bash
set -Eeuo pipefail
usage() {
cat <<'EOF'
Usage:
llama-cpp-bisect-context MODEL --low N --high N [options]
llama-cpp-bisect-context --cmd-template CMD --low N --high N [options]
llama-cpp-bisect-context --cmd-file FILE --low N --high N [options]
Bisect the largest llama.cpp llama-server context that can start and complete
a near-context prompt without OOMing. Startup-only mode is available for isolating the first cliff.
MODEL is a llama.cpp preset generated from the Nix llama-swap config.
Command templates are evaluated with these environment variables:
PORT random listen port for this trial
CTX candidate context size
Options:
--cmd-template CMD llama-server command, e.g. 'llama-server --port ${PORT} -c ${CTX} ...'
--cmd-file FILE executable or shell snippet using $PORT and $CTX
--preset-file FILE preset JSON file (default: Nix-generated presets)
--list-presets list available Nix-generated presets and exit
--low N known/assumed lower context bound
--high N upper context bound to test
--step N stop when high-low <= N (default: 1024)
--prompt-ratio PCT prompt fill target as percent of CTX (default: 90)
--chars-per-token N rough prompt sizing ratio (default: 4)
--prompt-turns N split the prompt across N user/assistant turns (default: 4)
--max-tokens N generated tokens for prompt test (default: 32)
--startup-timeout SEC seconds to wait for /health readiness (default: 300)
--request-timeout SEC seconds to wait for prompt response (default: 600)
--cooldown SEC seconds to sleep after stopping server (default: 5)
--startup-only only test server startup, not prompt/runtime OOM
--verbose print llama-server logs for each failed trial
--keep-logs keep trial logs after a successful run too
-h, --help show this help
Examples:
llama-cpp-bisect-context \
--cmd-template 'llama-server --port ${PORT} -m model.gguf -c ${CTX} -ngl 99' \
--low 32768 --high 196608
llama-cpp-bisect-context qwen3.6-27b-ik-cuda0 --low 32768 --high 180000
llama-cpp-bisect-context --cmd-file ./server-command.sh --low 32768 --high 196608
EOF
}
preset_model=""
preset_file="__LLAMA_CPP_PRESETS__"
list_presets=0
cmd_template=""
cmd_file=""
low=""
high=""
step=1024
prompt_ratio=90
chars_per_token=4
prompt_turns=4
max_tokens=32
startup_timeout=300
request_timeout=600
cooldown=5
startup_only=0
verbose=0
keep_logs=0
while [[ $# -gt 0 ]]; do
case "$1" in
--cmd-template) cmd_template="${2:-}"; shift 2 ;;
--cmd-file) cmd_file="${2:-}"; shift 2 ;;
--preset-file) preset_file="${2:-}"; shift 2 ;;
--list-presets) list_presets=1; shift ;;
--low) low="${2:-}"; shift 2 ;;
--high) high="${2:-}"; shift 2 ;;
--step) step="${2:-}"; shift 2 ;;
--prompt-ratio) prompt_ratio="${2:-}"; shift 2 ;;
--chars-per-token) chars_per_token="${2:-}"; shift 2 ;;
--prompt-turns) prompt_turns="${2:-}"; shift 2 ;;
--max-tokens) max_tokens="${2:-}"; shift 2 ;;
--startup-timeout) startup_timeout="${2:-}"; shift 2 ;;
--request-timeout) request_timeout="${2:-}"; shift 2 ;;
--cooldown) cooldown="${2:-}"; shift 2 ;;
--startup-only) startup_only=1; shift ;;
--verbose) verbose=1; shift ;;
--keep-logs) keep_logs=1; shift ;;
-h|--help) usage; exit 0 ;;
--*) echo "unknown argument: $1" >&2; usage >&2; exit 2 ;;
*)
if [[ -n "$preset_model" ]]; then
echo "unexpected positional argument: $1" >&2
usage >&2
exit 2
fi
preset_model="$1"
shift
;;
esac
done
list_presets_json() {
python3 - "$preset_file" <<'PY'
import json
import sys
with open(sys.argv[1]) as f:
presets = json.load(f)
for key in sorted(presets):
name = presets[key].get("name", "")
print(f"{key}\t{name}" if name else key)
PY
exit 0
}
if (( list_presets )); then
list_presets_json
fi
load_preset() {
local command_file="$tmpdir/preset-command.sh"
python3 - "$preset_file" "$preset_model" "$command_file" <<'PY'
import json
import shlex
import sys
preset_file, model_id, command_file = sys.argv[1:]
with open(preset_file) as f:
presets = json.load(f)
try:
preset = presets[model_id]
except KeyError:
print(f"unknown preset: {model_id}", file=sys.stderr)
print("available presets:", file=sys.stderr)
for key in sorted(presets):
print(f" {key}", file=sys.stderr)
sys.exit(2)
cmd = preset["cmd"].replace("${ctx}", "${CTX}").replace("$ctx", "${CTX}")
env = preset.get("env", [])
with open(command_file, "w") as f:
f.write("set -e\n")
for item in env:
key, sep, value = item.partition("=")
if not sep or not key:
continue
f.write(f"export {key}={shlex.quote(value)}\n")
f.write(cmd)
if not cmd.endswith("\n"):
f.write("\n")
PY
cmd_file="$command_file"
}
require_int() {
local name="$1" value="$2"
if [[ ! "$value" =~ ^[0-9]+$ ]]; then
echo "$name must be a positive integer" >&2
exit 2
fi
}
mode_count=0
[[ -n "$preset_model" ]] && mode_count=$((mode_count + 1))
[[ -n "$cmd_template" ]] && mode_count=$((mode_count + 1))
[[ -n "$cmd_file" ]] && mode_count=$((mode_count + 1))
if (( mode_count != 1 )); then
echo "use exactly one of MODEL, --cmd-template, or --cmd-file" >&2
exit 2
fi
if [[ -z "$low" || -z "$high" ]]; then
echo "missing --low or --high" >&2
exit 2
fi
for pair in \
"--low:$low" \
"--high:$high" \
"--step:$step" \
"--prompt-ratio:$prompt_ratio" \
"--chars-per-token:$chars_per_token" \
"--prompt-turns:$prompt_turns" \
"--max-tokens:$max_tokens" \
"--startup-timeout:$startup_timeout" \
"--request-timeout:$request_timeout" \
"--cooldown:$cooldown"; do
require_int "${pair%%:*}" "${pair#*:}"
done
if (( low <= 0 || high <= low || step <= 0 || prompt_ratio <= 0 || chars_per_token <= 0 || prompt_turns <= 0 )); then
echo "invalid numeric bounds/options" >&2
exit 2
fi
if [[ -n "$cmd_file" && ! -f "$cmd_file" ]]; then
echo "cmd file not found: $cmd_file" >&2
exit 2
fi
for dep in curl python3; do
if ! command -v "$dep" >/dev/null 2>&1; then
echo "missing required command: $dep" >&2
exit 2
fi
done
tmpdir="$(mktemp -d)"
server_pid=""
log_file=""
terminate_server() {
if [[ -z "${server_pid:-}" ]]; then
return 0
fi
kill -- "-${server_pid}" >/dev/null 2>&1 || true
kill "$server_pid" >/dev/null 2>&1 || true
local waited=0
while kill -0 "$server_pid" >/dev/null 2>&1 && (( waited < 30 )); do
sleep 1
waited=$((waited + 1))
done
if kill -0 "$server_pid" >/dev/null 2>&1; then
kill -9 -- "-${server_pid}" >/dev/null 2>&1 || true
kill -9 "$server_pid" >/dev/null 2>&1 || true
fi
wait "$server_pid" >/dev/null 2>&1 || true
server_pid=""
}
cleanup() {
local status=$?
trap - EXIT INT TERM HUP
terminate_server
if (( keep_logs || status != 0 )); then
echo "logs kept in: $tmpdir" >&2
else
rm -rf "$tmpdir"
fi
}
interrupt() {
echo "interrupted; stopping llama-server" >&2
exit 130
}
trap cleanup EXIT
trap interrupt INT TERM HUP
if [[ -n "$preset_model" ]]; then
load_preset
fi
free_port() {
python3 - <<'PY'
import socket
with socket.socket() as s:
s.bind(("127.0.0.1", 0))
print(s.getsockname()[1])
PY
}
start_server() {
local ctx="$1"
PORT="$(free_port)"
CTX="$ctx"
export PORT CTX
log_file="$tmpdir/llama-server-${ctx}.log"
{
printf 'CTX=%s\n' "$CTX"
printf 'PORT=%s\n' "$PORT"
if [[ -n "$cmd_file" ]]; then
printf 'CMD_FILE=%s\n' "$cmd_file"
else
printf 'CMD_TEMPLATE=%s\n' "$cmd_template"
fi
printf -- '--- llama-server output ---\n'
} >"$log_file"
if [[ -n "$cmd_file" ]]; then
setsid bash "$cmd_file" >>"$log_file" 2>&1 &
else
setsid bash -c "$cmd_template" >>"$log_file" 2>&1 &
fi
server_pid="$!"
}
stop_server() {
terminate_server
sleep "$cooldown"
}
print_failure_log() {
local label="$1" ctx="$2"
echo "[$label] ctx=$ctx failed; log: $log_file" >&2
if (( verbose )) && [[ -f "$log_file" ]]; then
sed -n '1,220p' "$log_file" >&2 || true
fi
}
wait_ready() {
local deadline=$((SECONDS + startup_timeout))
while (( SECONDS < deadline )); do
if [[ -n "${server_pid:-}" ]] && ! kill -0 "$server_pid" >/dev/null 2>&1; then
return 1
fi
if curl -fsS --max-time 5 "http://127.0.0.1:${PORT}/health" >/dev/null 2>&1; then
return 0
fi
if curl -fsS --max-time 5 "http://127.0.0.1:${PORT}/v1/models" >/dev/null 2>&1; then
return 0
fi
sleep 2
done
return 1
}
make_prompt_json() {
local ctx="$1"
local approx_tokens=$(( ctx * prompt_ratio / 100 ))
local chars=$(( approx_tokens * chars_per_token ))
python3 - "$chars" "$max_tokens" "$prompt_turns" <<'PY'
import json
import sys
chars = int(sys.argv[1])
max_tokens = int(sys.argv[2])
prompt_turns = int(sys.argv[3])
seed = (
"This is deterministic context filler for memory testing. "
"It uses normal words so token estimates are closer to real prompts. "
)
messages = []
remaining = chars
for turn in range(prompt_turns):
turns_left = prompt_turns - turn
chunk_chars = max(1, remaining // turns_left)
content = (seed * ((chunk_chars // len(seed)) + 1))[:chunk_chars]
messages.append({"role": "user", "content": content})
remaining -= chunk_chars
if turn != prompt_turns - 1:
messages.append({"role": "assistant", "content": "Acknowledged."})
print(json.dumps({
"messages": messages,
"max_tokens": max_tokens,
"temperature": 0,
"stream": False,
}))
PY
}
run_prompt() {
local ctx="$1"
local payload="$tmpdir/prompt-${ctx}.json"
make_prompt_json "$ctx" >"$payload"
curl -fsS \
--max-time "$request_timeout" \
-H 'Content-Type: application/json' \
-d "@$payload" \
"http://127.0.0.1:${PORT}/v1/chat/completions" \
>/dev/null
}
test_startup() {
local ctx="$1"
echo "[startup] testing ctx=$ctx" >&2
start_server "$ctx"
if wait_ready; then
stop_server
echo "[startup] ctx=$ctx PASS" >&2
return 0
fi
print_failure_log startup "$ctx"
stop_server
return 1
}
test_qualified_context() {
local ctx="$1"
echo "[ctx] testing ctx=$ctx with prompt_ratio=${prompt_ratio}% prompt_turns=${prompt_turns}" >&2
start_server "$ctx"
if ! wait_ready; then
print_failure_log ctx-startup "$ctx"
stop_server
return 1
fi
if run_prompt "$ctx"; then
stop_server
echo "[ctx] ctx=$ctx PASS" >&2
return 0
fi
print_failure_log ctx-prompt "$ctx"
stop_server
return 1
}
bisect_max() {
local label="$1" pass="$2" fail="$3" fn="$4"
while (( fail - pass > step )); do
local mid=$(( (pass + fail) / 2 ))
if "$fn" "$mid"; then
pass="$mid"
else
fail="$mid"
fi
done
printf '%s:%s:%s\n' "$label" "$pass" "$fail"
}
if (( startup_only )); then
if ! test_startup "$low"; then
echo "low bound does not pass startup: $low" >&2
exit 1
fi
result="$(bisect_max startup "$low" "$high" test_startup)"
pass="$(cut -d: -f2 <<<"$result")"
fail="$(cut -d: -f3 <<<"$result")"
printf '\nResult:\n'
printf ' startup max passing ctx: %s\n' "$pass"
printf ' startup min failing ctx: %s\n' "$fail"
python3 - "$pass" "$fail" <<'PY'
import json
import sys
max_passing, min_failing = map(int, sys.argv[1:])
print(json.dumps({"startup": {"maxPassingCtx": max_passing, "minFailingCtx": min_failing}}, indent=2))
PY
exit 0
fi
if ! test_qualified_context "$low"; then
echo "low bound does not pass qualified context test: $low" >&2
exit 1
fi
result="$(bisect_max context "$low" "$high" test_qualified_context)"
pass="$(cut -d: -f2 <<<"$result")"
fail="$(cut -d: -f3 <<<"$result")"
printf '\nResult:\n'
printf ' context max passing ctx: %s\n' "$pass"
printf ' context min failing ctx: %s\n' "$fail"
printf ' prompt ratio: %s%%\n' "$prompt_ratio"
printf ' prompt turns: %s\n' "$prompt_turns"
python3 - "$pass" "$fail" "$prompt_ratio" "$prompt_turns" <<'PY'
import json
import sys
max_passing = int(sys.argv[1])
min_failing = int(sys.argv[2])
prompt_ratio = int(sys.argv[3])
prompt_turns = int(sys.argv[4])
print(json.dumps({
"context": {
"maxPassingCtx": max_passing,
"minFailingCtx": min_failing,
"promptRatio": prompt_ratio,
"promptTurns": prompt_turns,
}
}, indent=2))
PY

112
modules/nixos/services/llama-swap/setup-qwen36-vllm.sh
View File

@@ -1,112 +0,0 @@
#!/usr/bin/env bash
# Setup script for vLLM Qwen3.6-27B on a single 3090.
#
# Idempotent - safe to re-run; skips steps already completed.
#
# Prerequisites: git (with git-lfs), docker
set -euo pipefail
# Model Directories
MODEL_DIR="/mnt/ssd/vLLM/Models"
MODEL_SUBDIR="qwen3.6-27b-autoround-int4"
PATCHES_DIR="/mnt/ssd/vLLM/Patches"
TEMPLATES_DIR="/mnt/ssd/vLLM/Templates"
CACHE_DIR="/mnt/ssd/vLLM/Cache"
GENESIS_DIR="${PATCHES_DIR}/genesis"
GENESIS_PIN="${GENESIS_PIN:-7b9fd319}"
# Timings Patch
TIMINGS_PATCH="${PATCHES_DIR}/patch_timings_1acd67a.py"
TIMINGS_PATCH_URL="${TIMINGS_PATCH_URL:-https://gitea.va.reichard.io/evan/nix/raw/branch/master/modules/nixos/services/llama-swap/patches/patch_timings_1acd67a.py}"
# Template
TEMPLATE="${TEMPLATES_DIR}/chat_template-v11.jinja"
TEMPLATE_URL="https://huggingface.co/froggeric/Qwen-Fixed-Chat-Templates/resolve/main/qwen3.6/chat_template-v11.jinja"
# ---------- Preflight Checks ----------
for cmd in git git-lfs curl; do
if ! command -v "$cmd" &>/dev/null; then
echo "ERROR: '$cmd' not found in PATH." >&2
exit 1
fi
done
# ---------- Create Directories ----------
echo "Creating directories..."
mkdir -p "${TEMPLATES_DIR}" "${MODEL_DIR}" "${PATCHES_DIR}" "${CACHE_DIR}/torch_compile" "${CACHE_DIR}/triton"
# ---------- Download Model ----------
if [ -d "${MODEL_DIR}/${MODEL_SUBDIR}/.git" ]; then
echo "Model already cloned at ${MODEL_DIR}/${MODEL_SUBDIR}, skipping."
else
echo "Cloning Lorbus/Qwen3.6-27B-int4-AutoRound (with LFS)..."
git clone https://huggingface.co/Lorbus/Qwen3.6-27B-int4-AutoRound \
"${MODEL_DIR}/${MODEL_SUBDIR}"
echo "Model cloned."
fi
# ---------- Clone / Pin Genesis Patches ----------
if [ -d "${GENESIS_DIR}/.git" ]; then
echo "Genesis already cloned - fetching + checking out ${GENESIS_PIN} ..."
(cd "${GENESIS_DIR}" && git fetch origin && git checkout "${GENESIS_PIN}" 2>&1 | tail -3)
else
echo "Cloning Genesis patches at ${GENESIS_PIN} ..."
git clone https://github.com/Sandermage/genesis-vllm-patches "${GENESIS_DIR}"
(cd "${GENESIS_DIR}" && git checkout "${GENESIS_PIN}")
fi
# Sanity Check
if [[ ! -d "${GENESIS_DIR}/vllm/_genesis" ]]; then
echo "ERROR: genesis tree at ${GENESIS_PIN} missing vllm/_genesis package." >&2
echo " Re-run with GENESIS_PIN=<other-ref> to try a different version." >&2
exit 1
fi
echo "Genesis pinned to ${GENESIS_PIN} ($(cd "${GENESIS_DIR}" && git rev-parse --short HEAD))"
# ---------- Download URL Patch ----------
install_via_url() {
local name="$1"
local url="$2"
local dest="$3"
local tmp_patch
tmp_patch="$(mktemp)"
echo "Downloading ${name}..."
curl -fsSL "${url}" -o "${tmp_patch}"
if [ -f "${dest}" ] && cmp -s "${tmp_patch}" "${dest}"; then
echo "${name} already current at ${dest}, skipping."
else
echo "Installing ${name} to ${dest}..."
install -m 0644 "${tmp_patch}" "${dest}"
echo "${name} installed."
fi
rm -f "${tmp_patch}"
}
# ---------- Download Assets ----------
install_via_url "patch_timings_1acd67a.py" "${TIMINGS_PATCH_URL}" "${TIMINGS_PATCH}"
install_via_url "chat_template-v11.jinja" "${TEMPLATE_URL}" "${TEMPLATE}"
# ---------- Summary ----------
echo ""
echo "=== Setup Complete ==="
echo " Model: ${MODEL_DIR}/${MODEL_SUBDIR}"
echo " Cache: ${CACHE_DIR}/{torch_compile,triton}"
echo " Genesis: ${GENESIS_DIR} (pinned: ${GENESIS_PIN})"
echo ""
echo "Expected layout:"
echo " /mnt/ssd/vLLM/"
echo " ├── Models/"
echo " │ └── qwen3.6-27b-autoround-int4/ (model weights)"
echo " ├── Templates/"
echo " │ └── chat_template-v11.jinja (chat template)"
echo " ├── Cache/"
echo " │ ├── torch_compile/ (torch.compile cache)"
echo " │ └── triton/ (Triton kernel cache)"
echo " └── Patches/"
echo " ├── genesis/ (Genesis @ ${GENESIS_PIN})"
echo " │ └── vllm/_genesis/ (mounted into container)"
echo " └── patch_timings_1acd67a.py (boot-time: llama.cpp-compatible timings)"

2
overlays/firefox-addons/default.nix
View File

@@ -1,4 +1,4 @@
{ inputs, ... }:
final: _prev: {
firefox-addons = inputs.firefox-addons.packages.${final.stdenv.hostPlatform.system};
firefox-addons = inputs.firefox-addons.packages.${final.system};
}

12
overlays/fish/default.nix Normal file
View File

@@ -0,0 +1,12 @@
# Workaround for aarch64-darwin codesigning bug (nixpkgs#208951 / #507531):
# fish binaries from the binary cache occasionally have invalid ad-hoc
# signatures on Apple Silicon. Forcing a local rebuild ensures codesigning
# is applied on this machine with a valid signature.
{ inputs, ... }:
final: prev: {
fish = prev.fish.overrideAttrs (_old: {
# Bust the cache key so fish is always built locally rather than
# substituted from the binary cache where the signature may be stale.
NIX_FORCE_LOCAL_REBUILD = "darwin-codesign-fix";
});
}

25
packages/conduit/default.nix
View File

@@ -1,25 +0,0 @@
{ lib
, buildGoModule
, fetchgit
}:
buildGoModule rec {
pname = "conduit";
version = "unstable-2026-05-15";
src = fetchgit {
url = "https://gitea.va.reichard.io/evan/conduit.git";
rev = "8dfb14f1e7f952bee92cad29703dba55fb156f0c";
hash = "sha256-Fc0FHLCNBbEpOFFD0bHSDo1E5AsOzL2fJzHufleKBIo=";
};
vendorHash = "sha256-LOFT8eCNRm5Q2tVl7ifu4dB5cr828B/E2NJW5WiW0LI=";
meta = {
description = "Self-hosted tunneling service";
homepage = "https://gitea.va.reichard.io/evan/conduit";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ evanreichard ];
mainProgram = "conduit";
};
}

41
packages/glimpse/default.nix
View File

@@ -1,41 +0,0 @@
{ lib
, buildNpmPackage
, fetchgit
, firefox
, geckodriver
, makeWrapper
,
}:
buildNpmPackage rec {
pname = "glimpse";
version = "unstable-2026-05-02";
src = fetchgit {
url = "https://gitea.va.reichard.io/evan/glimpse.git";
rev = "e3d7c28820ed9bd838e96f2419de946685ab8d23";
hash = "sha256-LtrwD7mkh3wUXr2do3IeKiljHgpxCL8drZrJBI32Bu0=";
};
npmDepsHash = "sha256-ycAjPZZqI3ZMIUubJbWy8G6X6LaXDcgdZGswikfkQj8=";
npmBuildScript = "build";
nativeBuildInputs = [ makeWrapper ];
postInstall = ''
wrapProgram $out/bin/glimpse \
--prefix PATH : ${lib.makeBinPath [
firefox
geckodriver
]}
'';
meta = {
description = "Browser automation CLI for inspecting web pages";
homepage = "https://gitea.va.reichard.io/evan/glimpse";
license = lib.licenses.isc;
maintainers = with lib.maintainers; [ evanreichard ];
mainProgram = "glimpse";
};
}

43
packages/ik-llama-cpp/default.nix
View File

@@ -1,43 +0,0 @@
{ pkgs }:
let
rev = "f9a93c37e2fc021760c3c1aa99cf74c73b7591a7";
src = pkgs.fetchFromGitHub {
owner = "ikawrakow";
repo = "ik_llama.cpp";
inherit rev;
hash = "sha256-vBVosqBi8FyrllWGJOYsOYaNYAKoTTq6bn+i0Y32pu4=";
leaveDotGit = true;
postFetch = ''
git -C "$out" rev-parse --short HEAD > $out/COMMIT
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
in
(pkgs.callPackage "${src}/.devops/nix/package.nix" {
useCuda = true;
useVulkan = true;
useBlas = true;
useRocm = false;
useMetalKit = false;
}).overrideAttrs
(oldAttrs: {
inherit src;
# Add SPIR-V Headers for Vulkan Backend
# Newer ggml requires spirv/unified1/spirv.hpp which isn't pulled in by
# vulkan-headers alone.
buildInputs = (oldAttrs.buildInputs or [ ]) ++ [ pkgs.spirv-headers ];
# Auto CPU Optimizations + CUDA Arches
# Appended after upstream's flags so CMAKE_CUDA_ARCHITECTURES wins.
cmakeFlags = (oldAttrs.cmakeFlags or [ ]) ++ [
"-DGGML_CUDA_ENABLE_UNIFIED_MEMORY=1"
"-DCMAKE_CUDA_ARCHITECTURES=61;86" # GTX 1070 / GTX 1080ti / RTX 3090
];
# Disable Nix's march=native Stripping
preConfigure = ''
export NIX_ENFORCE_NO_NATIVE=0
${oldAttrs.preConfigure or ""}
'';
})

35
packages/llama-cpp/AGENTS.md
View File

@@ -1,35 +0,0 @@
# llama-cpp — Agent Notes
Override of `pkgs.llama-cpp` with CUDA + Vulkan + BLAS, custom CMake flags, and an optional fork pin.
## Pitfalls
### `version` must be numeric
Upstream `pkgs/by-name/ll/llama-cpp/package.nix` passes `version` straight through as a C integer via:
```nix
(cmakeFeature "LLAMA_BUILD_NUMBER" finalAttrs.version)
```
`build-info.cpp` then emits `int LLAMA_BUILD_NUMBER = <version>;`. A non-numeric `version` (e.g. `"mtp-clean-08b1474"`) breaks the build with:
```
error: '<value>' was not declared in this scope
int LLAMA_BUILD_NUMBER = <value>;
```
**Convention:**
- Upstream tag pins: use the bare build number, e.g. `version = "9048";` with `tag = "b${version}";`.
- Fork / arbitrary commit pins: use a `YYYYMMDD` date derived from the commit's author/commit date (`gh api repos/<owner>/<repo>/commits/<sha>``.commit.committer.date`).
### `leaveDotGit` + `postFetch`
We keep `.git` only long enough to record the short SHA into `$out/COMMIT`, then strip it. Preserve this pattern when changing `src` so downstream tooling that reads `COMMIT` keeps working.
## Refreshing the pinned commit (fork)
1. `git ls-remote https://github.com/<owner>/llama.cpp refs/heads/<branch>` → get the full SHA.
2. `nix run nixpkgs#nix-prefetch-github -- <owner> llama.cpp --rev <sha> --leave-dot-git` → get the hash.
3. Look up the commit date: `curl -s https://api.github.com/repos/<owner>/llama.cpp/commits/<sha> | jq -r '.commit.committer.date'`.
4. Update `src.{owner,rev,hash}` and set `version = "YYYYMMDD"`.

38
packages/llama-cpp/default.nix
View File

@@ -1,22 +1,4 @@
{ pkgs }:
let
# Version MUST be an integer string.
# For tagged releases use the tag number (e.g. "9222").
# For HEAD builds use YYYYMMDD (e.g. "20260519").
version = "9496";
src = pkgs.fetchFromGitHub {
owner = "ggml-org";
repo = "llama.cpp";
rev = "94a220cd6745e6e3f8de62870b66fd5b9bc92700";
hash = "sha256-1jAowfGVzrrHDwWWzKESY7aV82whnuIg1N37fmtcgyw=";
leaveDotGit = true;
postFetch = ''
git -C "$out" rev-parse --short HEAD > $out/COMMIT
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
in
(pkgs.llama-cpp.override {
cudaSupport = true;
blasSupport = true;
@@ -24,13 +6,19 @@ in
metalSupport = false;
vulkanSupport = true;
}).overrideAttrs
(oldAttrs: {
inherit version src;
# WebUI npm deps hash for our pinned src. Upstream nixpkgs builds the WebUI
# from tools/ui via `npm run build` in preConfigure (offline, using these
# deps), so no custom webui derivation / HF-bucket workaround is needed.
npmDepsHash = "sha256-1iM0LGeI9e+gZEHk46lkBe51DxIhiimfAm9o3Z3m9Ik=";
(oldAttrs: rec {
version = "8914";
src = pkgs.fetchFromGitHub {
owner = "ggml-org";
repo = "llama.cpp";
tag = "b${version}";
hash = "sha256-Luw4huVAJAYm+N5PMEI0cmOhNao/WUb6AoPEBmrN9T0=";
leaveDotGit = true;
postFetch = ''
git -C "$out" rev-parse --short HEAD > $out/COMMIT
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
# Add SPIR-V Headers for Vulkan Backend
# Newer llama.cpp requires spirv/unified1/spirv.hpp which isn't

12
packages/llama-swap/default.nix
View File

@@ -1,6 +1,6 @@
{ lib
, stdenv
, buildGo126Module
, buildGoModule
, fetchFromGitHub
, versionCheckHook
, callPackage
@@ -11,15 +11,15 @@
let
canExecute = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
in
buildGo126Module (finalAttrs: {
buildGoModule (finalAttrs: {
pname = "llama-swap";
version = "216";
version = "197";
src = fetchFromGitHub {
owner = "mostlygeek";
repo = "llama-swap";
tag = "v${finalAttrs.version}";
hash = "sha256-PHSY4z2h406xL+EcIYyrzr4s28txO7SCsWm8hrXf+2U=";
hash = "sha256-EXgyYmpbN/zzr6KeSpvFEB+FS7gDIZFinNMv70v5boY=";
# populate values that require us to use git. By doing this in postFetch we
# can delete .git afterwards and maintain better reproducibility of the src.
leaveDotGit = true;
@@ -32,10 +32,10 @@ buildGo126Module (finalAttrs: {
'';
};
vendorHash = "sha256-QysQ7YdwJcLTziwL25j73n3tQVvzVQIFxN4GkTU8JZg=";
vendorHash = "sha256-XiDYlw/byu8CWvg4KSPC7m8PGCZXtp08Y1velx4BR8U=";
passthru.ui = callPackage ./ui.nix { llama-swap = finalAttrs.finalPackage; };
passthru.npmDepsHash = "sha256-NJqEJ+XTdpPFtJJxP4CGu+JDUW7lKDcFgsixQJ3SXtQ=";
passthru.npmDepsHash = "sha256-Fs7+JKE8YBp2Xj8bVBlwmT+UwuD642VeUHiPx+fv94c=";
nativeBuildInputs = [
versionCheckHook

25
packages/open-proxy/default.nix
View File

@@ -1,25 +0,0 @@
{ lib
, buildGoModule
, fetchgit
}:
buildGoModule rec {
pname = "open-proxy";
version = "unstable-2026-06-16";
src = fetchgit {
url = "https://gitea.va.reichard.io/evan/open-proxy.git";
rev = "a589341214a1e035b6ce2b2d79870e591a25ccca";
hash = "sha256-onfvxOl4TdeRrVLD1oJWcnhEDzKFYU/V0qxV1+NpQrg=";
};
vendorHash = null;
meta = {
description = "Forward `open`/`xdg-open` from a remote VM to the host machine";
homepage = "https://gitea.va.reichard.io/evan/open-proxy";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ evanreichard ];
mainProgram = "open-proxy";
};
}

23
packages/pi-coding-agent/AGENTS.md
View File

@@ -1,23 +0,0 @@
# pi-coding-agent Packaging Notes
`pi-coding-agent` is built from the `earendil-works/pi-mono` monorepo with `buildNpmPackage`.
## Lockfile Metadata
Upstream `package-lock.json` may omit `resolved` / `integrity` metadata that npm can recover online, but Nix needs for its offline npm cache. Keep a package-local enriched lockfile at `packages/pi-coding-agent/package-lock.json` and copy it in during `prePatch` before `npmConfigHook` validates/generates `npmDeps`.
After bumping `version` in `default.nix`, regenerate it with:
```bash
node packages/pi-coding-agent/update-lockfile.mjs
# or explicitly:
node packages/pi-coding-agent/update-lockfile.mjs 0.74.0
```
Then refresh `npmDepsHash` from the FOD mismatch:
```bash
nix build .#packages.aarch64-linux.pi-coding-agent.npmDeps --no-link
```
Remember: new files must be `git add`ed before the flake can see them.

35
packages/pi-coding-agent/default.nix
View File

@@ -2,10 +2,6 @@
, buildNpmPackage
, fetchFromGitHub
, nodejs
, nodejs_22
, firefox
, geckodriver
, makeWrapper
, pkg-config
, pixman
, cairo
@@ -18,23 +14,18 @@
buildNpmPackage rec {
pname = "pi-coding-agent";
version = "0.78.1";
version = "0.70.0";
src = fetchFromGitHub {
owner = "earendil-works";
owner = "badlogic";
repo = "pi-mono";
rev = "v${version}";
hash = "sha256-K5+reVdi9LPwUHxFgM1iFWojuj6M/m25ymhkDOQdBE4=";
hash = "sha256-gB3QUxA4OZ8Zg5YGbAHmknSnAHrhEGxzz/DXRiKiK50=";
};
npmDepsHash = "sha256-PknwCOAr61Fq2Mhl6jd79Rdsje1OXFts2MDLM/gIEYE=";
npmDepsHash = "sha256-SBm5GPmHNZ24zYBo3rA9n3XTz8Y7oNOaGJ2dY/X2ccw=";
nativeBuildInputs = [ pkg-config makeWrapper ];
# Restore NPM Metadata - upstream lockfile omits resolved/integrity entries needed by buildNpmPackage.
prePatch = ''
cp ${./package-lock.json} package-lock.json
'';
nativeBuildInputs = [ pkg-config ];
buildInputs = [
pixman
@@ -48,7 +39,7 @@ buildNpmPackage rec {
# Skip generate-models in ai package (models.generated.ts already in repo)
preBuild = ''
substituteInPlace packages/ai/package.json \
--replace-fail '"build": "npm run generate-models && npm run generate-image-models && tsgo -p tsconfig.build.json"' \
--replace-fail '"build": "npm run generate-models && tsgo -p tsconfig.build.json"' \
'"build": "tsgo -p tsconfig.build.json"'
'';
@@ -79,22 +70,14 @@ buildNpmPackage rec {
EOF
chmod +x $out/bin/pi
wrapProgram $out/bin/pi \
--prefix PATH : ${lib.makeBinPath [
nodejs_22
# evan/pi-web - Browser automation tools are needed for web-fetch support.
firefox
geckodriver
]}
runHook postInstall
'';
meta = {
description = "Coding agent CLI with read, bash, edit, write tools and session management";
homepage = "https://github.com/earendil-works/pi-mono";
downloadPage = "https://www.npmjs.com/package/@earendil-works/pi-coding-agent";
changelog = "https://github.com/earendil-works/pi-mono/blob/main/packages/coding-agent/CHANGELOG.md";
homepage = "https://github.com/badlogic/pi-mono";
downloadPage = "https://www.npmjs.com/package/@mariozechner/pi-coding-agent";
changelog = "https://github.com/badlogic/pi-mono/blob/main/packages/coding-agent/CHANGELOG.md";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ evanreichard ];
mainProgram = "pi";

6375
packages/pi-coding-agent/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

92
packages/pi-coding-agent/update-lockfile.mjs
View File

@@ -1,92 +0,0 @@
#!/usr/bin/env node
import fs from 'node:fs/promises';
import path from 'node:path';
import process from 'node:process';
const repoRoot = new URL('../..', import.meta.url);
const packageDir = new URL('.', import.meta.url);
const defaultNixPath = new URL('default.nix', packageDir);
const lockfilePath = new URL('package-lock.json', packageDir);
const registryCache = new Map();
// Version Selection
async function getVersion() {
const argVersion = process.argv[2];
if (argVersion) return argVersion.replace(/^v/, '');
const defaultNix = await fs.readFile(defaultNixPath, 'utf8');
const match = defaultNix.match(/version\s*=\s*"([^"]+)";/);
if (!match) throw new Error(`Unable to find version in ${defaultNixPath.pathname}`);
return match[1];
}
// Package Name Extraction
function packageNameFromLockPath(lockPath) {
const parts = lockPath.split('/');
const idx = parts.lastIndexOf('node_modules');
if (idx < 0 || idx + 1 >= parts.length) return null;
const first = parts[idx + 1];
if (first.startsWith('@')) return `${first}/${parts[idx + 2]}`;
return first;
}
// Registry Fetching
function registryUrl(name, version) {
const encodedName = name.startsWith('@') ? name.replace('/', '%2f') : name;
return `https://registry.npmjs.org/${encodedName}/${version}`;
}
async function fetchPackageMetadata(name, version) {
const key = `${name}@${version}`;
if (registryCache.has(key)) return registryCache.get(key);
const response = await fetch(registryUrl(name, version), {
headers: { accept: 'application/json' },
});
if (!response.ok) {
throw new Error(`Failed to fetch ${key}: HTTP ${response.status}`);
}
const metadata = await response.json();
const dist = metadata.dist;
if (!dist?.tarball || !dist?.integrity) {
throw new Error(`Missing dist.tarball/dist.integrity for ${key}`);
}
registryCache.set(key, dist);
return dist;
}
// Lockfile Enrichment
async function enrichLockfile(lock) {
let updated = 0;
for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
if (!lockPath || entry.link || !entry.version || entry.resolved) continue;
if (!lockPath.includes('node_modules')) continue;
const name = packageNameFromLockPath(lockPath);
if (!name) continue;
const dist = await fetchPackageMetadata(name, entry.version);
entry.resolved = dist.tarball;
entry.integrity = dist.integrity;
updated += 1;
}
return updated;
}
// Main
const version = await getVersion();
const lockUrl = `https://raw.githubusercontent.com/earendil-works/pi-mono/v${version}/package-lock.json`;
const response = await fetch(lockUrl, { headers: { accept: 'application/json' } });
if (!response.ok) throw new Error(`Failed to fetch ${lockUrl}: HTTP ${response.status}`);
const lock = await response.json();
const updated = await enrichLockfile(lock);
await fs.writeFile(lockfilePath, JSON.stringify(lock, null, 2) + '\n');
const displayPath = path.relative(repoRoot.pathname, lockfilePath.pathname);
console.error(`Wrote ${displayPath} for v${version}; restored metadata for ${updated} entries.`);

40
packages/qwen-code/default.nix
View File

@@ -11,18 +11,16 @@
}:
buildNpmPackage (finalAttrs: {
pname = "qwen-code";
version = "0.16.0-preview.0";
version = "0.4.0-nightly.20251209.a6a57233";
src = fetchFromGitHub {
owner = "QwenLM";
repo = "qwen-code";
tag = "v${finalAttrs.version}";
hash = "sha256-UAJNw1RjHRoZqtgIWJ1dOTWnE9LoBpfJCAM0Jay+VPI=";
hash = "sha256-s9m1IN6jDDbNPr/vI/UcrauYPiyQTDODarLP3EvnG3Y=";
};
npmDepsHash = "sha256-uJtOeNnhbGE7EzTwkNbg2EHLonjHCbdPH5rcV2bgQUw=";
makeCacheWritable = true;
npmFlags = [ "--legacy-peer-deps" ];
npmDepsHash = "sha256-ngAjCCoHLPZ+GgBRmAKbRYaF7l+RK3YGf1kEkwFbyQg=";
nativeBuildInputs = [
jq
@@ -36,13 +34,8 @@ buildNpmPackage (finalAttrs: {
libsecret
];
prePatch = ''
${jq}/bin/jq '.dependencies."iconv-lite" = "^0.7.0"' \
packages/core/package.json > packages/core/package.json.tmp
mv packages/core/package.json.tmp packages/core/package.json
postPatch = ''
${jq}/bin/jq '
.packages."packages/core".dependencies."iconv-lite" = "^0.7.0" |
del(.packages."node_modules/node-pty") |
del(.packages."node_modules/@lydell/node-pty") |
del(.packages."node_modules/@lydell/node-pty-darwin-arm64") |
@@ -69,26 +62,9 @@ buildNpmPackage (finalAttrs: {
' package-lock.json > package-lock.json.tmp && mv package-lock.json.tmp package-lock.json
'';
preBuild = ''
mkdir -p node_modules/@lydell/node-pty
printf '%s\n' \
'export interface IPty {' \
' pid: number;' \
' onData(callback: (data: string) => void): void;' \
' onExit(callback: (event: { exitCode: number; signal?: number }) => void): void;' \
' kill(signal?: string): void;' \
' write(data: string): void;' \
' resize(columns: number, rows: number): void;' \
' removeListener(event: string, listener: (...args: unknown[]) => void): void;' \
' exitCode?: number;' \
'}' \
> node_modules/@lydell/node-pty/node-pty.d.ts
'';
buildPhase = ''
runHook preBuild
npm run generate
npm run build
npm run bundle
runHook postBuild
'';
@@ -99,14 +75,6 @@ buildNpmPackage (finalAttrs: {
cp -r dist/* $out/share/qwen-code/
npm prune --production
cp -r node_modules $out/share/qwen-code/
if [ -d $out/share/qwen-code/vendor/ripgrep ]; then
find $out/share/qwen-code/vendor/ripgrep -type f -name rg -exec sh -c '
for rg; do
rm "$rg"
ln -s ${ripgrep}/bin/rg "$rg"
done
' sh {} +
fi
find $out/share/qwen-code/node_modules -type l -delete || true
patchShebangs $out/share/qwen-code
ln -s $out/share/qwen-code/cli.js $out/bin/qwen

114
packages/tuxguitar/default.nix
View File

@@ -1,114 +0,0 @@
{ lib
, stdenv
, maven
, fetchFromGitHub
, jdk17
, jre
, swt
, makeWrapper
, wrapGAppsHook3
, pkg-config
, alsa-lib
, jack2
, fluidsynth
, libpulseaudio
, lilv
, suil
, qt5
, which
}:
maven.buildMavenPackage rec {
pname = "tuxguitar";
version = "2.0.1";
src = fetchFromGitHub {
owner = "helge17";
repo = "tuxguitar";
rev = version;
hash = "sha256-USdYj8ebosXkiZpDqyN5J+g1kjyWm225iQlx/szXmLA=";
};
mvnHash = "sha256-XTODH8SG7iwhACJT4AbIokORUe00r6theV18TEXbrIs=";
doCheck = false;
mvnJdk = jdk17;
nativeBuildInputs = [
makeWrapper
pkg-config
wrapGAppsHook3
];
buildInputs = [
alsa-lib
fluidsynth
jack2
lilv
qt5.qtbase
suil
];
mvnFetchExtraArgs = {
inherit buildInputs;
dontWrapQtApps = true;
};
postPatch = ''
substituteInPlace desktop/build-scripts/native-modules/tuxguitar-synth-lv2-linux/pom.xml \
--replace-fail /usr/include/lilv-0/lilv ${lib.getDev lilv}/include/lilv-0/lilv \
--replace-fail /usr/include/suil-0/suil ${lib.getDev suil}/include/suil-0/suil
if [[ "$name" == maven-deps-* ]]; then
mvn install:install-file \
-Dfile=${swt}/jars/swt.jar \
-DgroupId=org.eclipse.swt \
-DartifactId=org.eclipse.swt.gtk.linux \
-Dpackaging=jar \
-Dversion=4.36 \
-Dmaven.repo.local=$out/.m2
fi
'';
mvnParameters = "-f desktop/build-scripts/tuxguitar-linux-swt/pom.xml verify -P native-modules";
dontWrapGApps = true;
dontWrapQtApps = true;
installPhase = ''
runHook preInstall
mkdir -p $out/bin
cp -r desktop/build-scripts/tuxguitar-linux-swt/target/tuxguitar-*-linux-swt/{dist,lib,share,tuxguitar.sh} $out/
ln -sf ${swt}/jars/swt.jar $out/lib/swt.jar
ln -s ../tuxguitar.sh $out/bin/tuxguitar
runHook postInstall
'';
postFixup = ''
wrapProgram $out/tuxguitar.sh \
"''${gappsWrapperArgs[@]}" \
--prefix PATH : ${lib.makeBinPath [ jre which ]} \
--prefix LD_LIBRARY_PATH : "$out/lib:${lib.makeLibraryPath [
swt
alsa-lib
fluidsynth
jack2
libpulseaudio
lilv
qt5.qtbase
suil
]}"
'';
meta = {
description = "Multitrack guitar tablature editor";
homepage = "https://github.com/helge17/tuxguitar";
license = lib.licenses.lgpl2;
maintainers = with lib.maintainers; [ evanreichard ];
mainProgram = "tuxguitar";
platforms = lib.platforms.linux;
};
}

105
secrets/common/evanreichard.yaml
View File

@@ -1,75 +1,58 @@
open_proxy_token: ENC[AES256_GCM,data:LxC0dR2EQ8XPmw4fwKnKJD3usqImMKH+81I9RSTNsjg=,iv:LQmf+kxtwgAMxcHvIe6y3Qw/oxXvdWGbyV/kdwPpKw4=,tag:TUQbM8sIK6KB7eOsYfHuqw==,type:str]
conduit_apikey: ENC[AES256_GCM,data:4mjvEI00V7nAhPkDa97eOfLCqItxoRALFe8OdxzUiUc=,iv:2mtSu1LDUvaneTnqs3Z4GVAj+HuAY2+VXrpIITSg/64=,tag:trkgxyX0ssCjyKMB42bFGg==,type:str]
context7_apikey: ENC[AES256_GCM,data:K8/OoJMWBhN3ufmTa/tAiD3iMergDZQ1OBucUtLsrg+L26DXDPAko9D41w==,iv:/IVpaaPivUTn2rbIAPIwyN5nb7TmtDh05YlMdOlBkhE=,tag:0XJfoNlDelBwMXMAAqKjtQ==,type:str]
zai_apikey: ENC[AES256_GCM,data:eNgIfEqs8JGM7Qo6D5KMMqRF8fd1qLakYQ9F5oEDUvLqPJ+TAktz8GMVuSndwW5BxA==,iv:eR8IR/MDmhk2JUoT2chCwRYOJGfxEBFGARf1CI7EG8Q=,tag:3fmRWA5eof304WSWKntDFg==,type:str]
kagi_token: ENC[AES256_GCM,data:6pxxMMQ3RCy6sdUFiuAy8rUzsIMMiBgPzphpgTVMfiHC98ejgVolvFszR8SHwEgTxMzzc8wMs3Eun8PzkZQt+7lqIKeNWeauiXJAHIsMZiaBJVDrxXVW,iv:zz48rUwbxAGV5+eff0Sg5Q5Pm1lGvOScUwo+g0t02z8=,tag:XgvUbgmOnXxYBZbXe3/Wkg==,type:str]
rke2_kubeconfig: ENC[AES256_GCM,data:DmmaV5bSnSSbLfenT7/xsv9qq5V1s2b9mzdeOe5JbhXLcvC9RRX3z1TkAwdC9IEAtr0cIiPigJS2fUCo0/baYSZ+lKTZ6pUmuPwX0x1g2O8Vdfe7jTTnTDnZ/A8+CIrS79uhsNxlmQNpEOCCSAOQ4+XAnFbPbLh/0QhV2M3a19ocJBQnFyNpYCxverRvNIfgHOoMskvwn3MEsmp6foOGnwPsbeQ1RRiIyCmf7c6jJQH7O5qDLcTIFNYNKiorr8veRhI5av0eX+5/rM8wWgBVNo/lf4TJnX+ufIUZQYCIz4vpfaw8N1jcpiAJiUFGdlKX+AR9b3ti8owa5+JmQkLNp4GBEI+I0tdMp15K6RjKqkKrkPujtUFntxXC07r+eQ37oUUvS9qilIMrkX0TxWoooShgOgQfVUEAEdtb2o830TL1FFZHTiy5RBkeRQxol4yAW/M0B0S4iIj/W07UHNdp5tBaPotsdyj9QQrumYS67GwWolVW007pG8nvD/lvP55nAndsLZpHAYSFI6z1N5ayx0N4I8OP+dT5ElaQv/tt/KO69EQYEwJetgRLnMQ34WKfAr3akLYja6QxkrhEnhfa60mXP9QLynEWGsfYdMUjPioIiImvdRi+5FkyvQ7aZyVzCRsMNGL3I5f1dXWz2wS+B1oB9yimOpfz4wr2794w64EKO1gF5dso17ebVEBuT8myeOenZREVUJCEunYcFPsMDD8bI+VD/VJDwQI/aWmukBWW9dztySiAJA0RWOb69LeApgx2SUwcPnx1yLerb5FWjA8hzY6GKGKyO8cNMRbH/l6QjAL/oMg3cgi7dH/7o1dGSphvGpTAOmcb82ZiT4gMSHhKIrxdLKyZclGu4Rf/mSjadGzLrEA6qj5r07wJOxZHu2bcMafWnoUZBuo7yE/ogVkruW1vI9c4lNBsOIUescE4sE5qjRncJkPEh9pcwWWLFnRQVCxVSpp72VyeJTxvo9gEBHuZGFF3J7R3YsTq1YhcXAR5+PIseIY46rdxqIh2WmVfG4W/iteuQh+JEcspvHNMB7a7j3yTEOHQ7ILaslLYDDnma4qo6SPuTzhx3Tbkx1WN5FelVkw1INV6qSjL83ghfk5nOVumbYurrTXviqqWg5ikCJ/Ewy2nrpNMbeVMs0x9Wcdpe7xi405IdJm6ry5Ipo9ZMKNJxRDP+ebUBgfiB3WzVI68AvvTpePz3KxGDwzh2aWu3Ei7CJoBrCrkEk2DPxoGvBinOvslZYuGhvUqL5XuNoDjLuxNCY1Dt67dvLi3ydiekZU8mNQ1qraMSFBg4KXH9e718X1zjuAGv86TVUfllxiXeoo6L/Sgn2iO1YW5w6igO5qkuIYEIi1rpx0jFOrbgvZeU6qjBHQmFwEw7h03IVw54s62E2dCy1wSq1BcUu1jUR5iJ0mPJ8ajGhb4D7MRO2wanAQxrzKJhSJ1OAdCzrebprLJRoo1v4YySiQkZ5cD57YnABST+i3/u0aWcS3xDi8Z/NKr0TMyvf2rWpvlOYUfIDgZLQiHBiph0UZNk/XNpvH23e6lEHG/ztmIu8CbcAuAbAy7Qwf664UGq9cK82gklvebO6lo5vCUGpx8mLOQYLIOefdoDJEei3DoTeZvtOpLkNXnRlwSlCY4geCNOioU3H6mtF4JdlLSFM7QMt/4CpMGEEzXDVCu7GI2Gem7VmBuLOBhGYxiF1zG+D6ZKUxOx1rmo7f2flgdfEtlkpQrIbeZfVEnqgb5z9Vw8bziW+Kc5CJyo9iV09BK0aeZWstnR6SKIWwuImWrGM0zSQBHd8QdrgicuR416PnFuElT3dkrF3TedLTKWKasWhlGOYeILMzCz/dnwy85ihp5zc10AbIpLISAvHSaMtEgdiwIc2n2Ti94ntnwfIB3AG20X3/yljDZKezn95+SZV8jOhMk/OcrpGH3UTB7ezHyf6gVD0qLXM6xUgi5vehhsO8ihFFTSNHf0881fimokRHQPjMJ9NC3J26JLhqJEs0Zfwvx2+7NrGq0pnRQ0W0FExy14dWWx270/EF8L91YRFohCJidJYgD5oTEab3eG1itM+OAAIA5xG+g5N6Re+34yO3JDMVUfuxGYpxKxfF8eVvAXB46+CH/lXQH6cPO8plWmlrzT8TS3rPj8MtvXrNaCVHuoWQ3oNu0cSGtsgcX/kJ8P8rOV8wNEdj2EpA8Fq8o741OapgFxpc5fMN3gKc6n7uwnKBHMMaQsZ2ymWeEn+qa6f/Me0DlyOkVLQFTYqAKibOoeyCtNILMf/NPMFMLe7Oktl6f9dvsMtu1zwCSYAV83/Ti8sZdnPFLET4OttQB+Bk8IX7BeTndAc3uMrVuOBwJC4sh2uGvRIJPEYbfw6p2amcn8mylN1o+l6sntpMrudEFo+oAz6M4UCEoNpotRIIMBB+uZo8T876TxSbENz31IDrOJ8ka4hCE0dK/gxZQsnoa16VvouTSc92se52n3RdELu+q9Oeeubd4htUJHhqxpbSmEQGVTWH2kJT7c76NZu7B634aUtoYI5eYmcLB3zsqVwZeG9fpzNeHMS2C6qzT4uKjxmbTW8eicDYSZSyJg4rpEjxf9GZn8f4898JtGvKF+esthhOlaxCEFcVoPQLC4pOAzY/TN+XTPk55bEPQ5LP3cByTfIv1UnZvSjXpAz2m+DlbkGfEqiICHr4HkISJS297CKI05tjpQNfO1Ylp89uL1hqwcddRee6+34kb+1XjSYwKMooZvSf/pasjj5xlpbCtxkiEIHp996H4MNXaySjZ7QU49Yy3EAKjulbc7xQXpkSUZb5Rh8yge/KpCK/5gK/fwlYIJ3tR4mIMN/b7HmfulBmktekK0G2fxagoKFot3DOwY1OnwIJhNzo0fCS3qFe9r2Ixs76C78gXo+DChKxYcYS7N5wmQy1PxKOsBpxeiWyaHCIC8Ey5dPSEoYi0zr+1A6wbkPaCrKI/C9Bwu8f04ySCBdbQQa52uCdWM2ctIsPHZNzkWNcXCfz9XLQZYZG/bQJtj+lDXgKKd8AiF0+WKzinGWHkKQbZPVYJI0s0jLXfH3G+kg5QztkfXedHNY6y0F5hh15jRYWsLAn6Ls2NJVP9SmCvl+pj6wHRKqDV7SbHz2bqCwLzzD68Wvv7b44OLFZEAH8F1TW8D205Dw7YFDiLMnWjeWv8ZX5CNUi7tkiCeORdQGiiv6n3CItvqWQ00tKnO5h+4/E97PtsSgfqG+Pgyjjscz4z02stB1XuaGbfPKe604CeYcmhjf9mV8gjfewOYTs+E2j6aoSKJbOtdiWfIHNngn92D/tOLB2UsuErYd3ZGLoH2yBOVL1rLnkY1QG4JxzXCwpnauQTzHRmg/WpJXurETbVyzFkzkF9YnX9iuJFt1mZglZuaO0JtC93xhdjMqjJyau4Oba7ZwwzyvM4TkgvffbPZit5nNAAZO0HO4r3t5nMIJeS1uBin66pjUWEuZ8ptjA5iYuAJwAg2VOPUuDKc9HBYmQjJ+Yx+KhO0aDmJd2pV/R6TOKua6jAnmny2FFqbyC3znPTfJZHOnVPZZ0V1D0NJ8dP62EDBebTnoFScE+93xyB9ETE3ubrBACAPTMuCQlqAY5ix2F1MpCCT7c0ovMyRlDaUJyFXS93UfJf4MmQg1+yCHuGX9E/bqUXsXC6SdJU9PdJ/3QdhN7iIcy8rPxOfYjJSwFrdUZn9sJcrVsbbPuObOM9HPOtp/E2xTOlYkfIeValLFxBb2lEBZghYXT05X82fSoe9ZBZdJfIMmLnuh/bP++bBVU7/y/aCYFcRCOafDdLQrTOpJ62SIDP0zN0YkmRy41qNlSaMp0ZZpxiK45ihqGP4aqWBmGC822dTsY4og1V07rRnfdG2wQcW+VHLldg72vRoc2brhfRZAOvwHQQCy0NxMD5pCgoSXJD4qsJrOFBcsmbs8YZ2omHzkVf+9ybnUD4WNCjVIvM,iv:CMrKYb+2QZVKEJMjW51rbiYW/cN6ATDzgwfBdSi9B10=,tag:qVqO5byXdj7DZdaHNx7S9A==,type:str]
rke2_kubeconfig: ENC[AES256_GCM,data:Rfls+wsKywqic5ZphpnmQ2GO/Pum+FC6XqhojYVS+AGwbsCNP3P4HzERa2RcDewXNEMUKro2Rr8dVMZIN4IAoMN/02gvHfBE0L9EmnZAZoaYCpbbazk7YHjFdPg+/3mDCH5TvZTp/jP9A3hy0KB6r5ksQaKJVE1RYD1I+WSPkLiLKy0gH/hJI5xUao7Vd5QhAINILCxFXK9qh68RIYa5faa1nEPk6e28wwNo7cOXsdHbYfg0m1ZwG7s11OVxAR0pDgJGhuPPD5DVqVTtaZtTOh5OqtH5zaCjkpK+c4JxcK6rpr0g1d/+aulPy1HYUEBIjNTrlV4aToy7m6wx4xbK/oCYqgUQVQyiJe5Ojm63UDBf8dSxAMVgu7Lmer++ADnICUBFaogvo3yYXKdhf6C3wbO6Z+4XqBqw+u4RJeCQNmaVL+AJSm+BjZlYA0I98kahmZ1iv3iEHltsCotSmKuBRPFInvyVbTlz1Q//bQC8ZwCD/Sf1WGfVJTnzFuMnROYrvt1qVaqj8Fl38+1dmdlpSE/rCBUM7Kg4IHakz5DxEMLflojo266DX46AnXBR7RRE8X32/RZcDYWeE14bWUZLFV3fhsCvQXX7H3q7jnr127UOQi0h4HjPS5SHCIxscaVjz0DZUzgo3WAMRW6vuD1S0XOAusD/B13mYku1sadQxxQGaeZyfcMvVN4Fb/udRhpOQEZLFunkrGF0GByh2JsYvyW22vkNoOc+Vclw2nWIt4B7DcTH7LJN47kACywR6U75d6AUmzEtPnXDJwikg+NE/HomGhmY1w7OJK+IiN1AhQ58jCEOsC+jlvN0qfr3LnoXt3mWJzyicoI1v7lY9mEpBcCP6/nTgHOazKlPP90Gm4G6jWRQIBGKbnQxe2Gpkf30e3hymPJkgSI2CexLQQjBwyEa5ozE2ri9xtWBSyPtSulKb+VU7vahGyV4ETgdwE86ixyjR8HRYNQX2sBGK0BtLAz3/MnUuhJcHv+RVJ3dbdR3XCu8s+oHC5Y+VC46i6vJ9RJnRjw9rH43kUinRSuZVfFQdipVEI/kiyuqpgOm7RcCDRFYb0aJAV4BCIKQqzwVpOtCMLPzuHtzuFmcbOWiViwh1zhAyZLdWv3WmDwQpCmEDfGvgwiw7eg646EuzhHhtenP9LNReTrxy9bqJUrYfE2BogpTzEuWGqNZvv+HlJzPhG0Ze4sYC1viyiuJehsv647pa/ywHmrca1X+yGLf7Qu0nKbVbTcOD6TePB7l14bT9nUrXEEuf8TDhvsNeO8tfPi3AG2+LdyQ9zi7DBxnaofxoF6XquSbvIlvwSvGSZD2cjd9W2DxeUWB7r+6cLhMHyldNgxThAQRoKhnEDb35ma4fgZfeh3bYc0eVsp1qJpHPfAU7M9BAShnIMUp+smOk04i4aIAtqrl6sZm0qDB96ouF+aCUKSzmCTopomxL487ItZ9X5CpYEfUoGeTiEiH7RWYB0qBx24yBj3vSN3n4JRR8+c/Dc9SKtRUJHVbyCD3bGtc9cGxDeQgmXizRaUFajCbvIMW7G4Lp1lBxcLSmUnE+eRPqKsbRt703jmDnv9wMEA5SZpZnFeF5p7Klm5orZnsADQE71VnDeqHFb3wrUnDZnzMbUVBLu66kTQ2nZKCF63N8/QyxGJmWB2aGsCB80foi/yxqXYxvuW9pAX88hyAHztSQISZ9pANq6Nils0A1+u8qwcPepZnMwNtn8PHaWs0KHOGYVL5v2FRLjMKmPP22uvXL/tCpi9E/nNP/qinkyt+dV6mCkkKRgDj9rrqGd8qoQHsHMb+XUCtaESzebPJmL77tIJqHvgozbdQnKPmbQRUoGobP3NS9p2i6KrbTW4NnYsNFH2jlOaWI9n352wVz2nNOZgWmsc3FDyyN6wMJNMI87iwili21lu6SUMpPq0mq+Mvd4vH0fHur0li68JHQK/ytrzaB2X82LmNqR47ETwmkHw2WYfhElRET4HUAVjmx4ei4WilnsUfvgWaBs3oBy6zwmDMTEnn/JI1IbEIOC2nasUlUwabpYRNQ6U+zRs1OgSs9aiPx4gIIoGTQZ1MKuh1RFGN4SmdW0IOWbCeMcX0Mipb0GyhXZeYuMy3GOVWp/xATkntKiwrAOg11Wv6ah8aNPHmhbu/eI5gTkCSw7kNLtGf4EdZHAKPOl79wys7MtmmyH+CRgWBvXqN9xYBxoIVP+oMfRk9Y4uz6mLK0XmC0knT+bz6KSXpsrAL0gMZlOKSMtQ8nX0/1kr99Uh6mIPMHPH6Mxy4OWklBLnLVTFxVt4Nl6wkVq6EBsF7RvQ2vC4gKs7ARF6JjZ2/KG1TYUn0BQ9h78EDwO7WdhGYqbsGy+wxtEDgUbIigpQ63X8hNxQZO6QC6Ij1bxlyGDlLwcX3erMtmDzf8A78jECMyQVSnxUNU7z5/oAkjm/qnmPMtZm082kNITOFU/idAS754EGmc2IXVlMsM49fS534J57hjibl2OhruBgkvSrJNZhmaOrs4LLI2SD9nZryH+bmEcgZ05xuVM6DkfvylTDtvC8AuzVeD7TgOlHef68KgsS8QI4CjiuZgD3dpakFhJr5LFagi+xUniLoTthQ3sLab8pamtq55GrQmtxkJAlVU5hp2/B5ap3hZxrknqTqE4XNGUl0JSfwi7QWCpVfu17wAai7JQpvUi9e2sVYl27+OF3siwWeY6WqXB7fMCSCPoZl0MWZFitzX3pquVYjTdBbsuolg/qeKQP5NLA3yLvjs9Iekqtk0AXk2CLqEOa49tc+FozV82JYGwvzBHEUqFyUqotUQTisbVMUsZu9TgR4ZVK6DVv4n1RpZzSsILTBKgBYD5Xv+mBboLKh3gyn16bsS0atkk4b+zciqbQkTBv6vffPvQS46vhi0AkUC9tcO3kw39ztl6m21HHTxG+rnH+wyY5hAoSiOxgZ6qb5Aaku3ZjfI0bebhQoYUdVAoe5rqe64h2s5LzDmfqj73SziTSliX5W5QQ+tP6GFmJDysGkEgSbZbQ2JkjRubgLaXL+RDH1kirWMtKgIJ0pA/7t2/MYl6wgwMB8pXNP3k/TlgPmFc0QyavEZijNsTQUkyBlL4fHASp7J3G0VAOfoUcS0el7C0B6q4RCCA4CnSCzj4Uj1ZvwK0dmnSky+CpG4Shwd7/36Rc35379f5UKB7ixwReXqGngdAwJ88BUUeMUfC7ApDKb/SaJICEE3l0Uc32mHzHW7prmgifaaeheYa3intxj+hN7EdBZam9/62LnKXaad1DJnqqSbJLxKh/8Nbx8ZXasAbWwVkIlaOvAjSD2Eh+DtAsfAB9F8mYvCoLUXChKeJ1MBKT9fqVSWUqeK5+ePp1idY4RVW1ELhV0Ew/QmHkW6dvoIlhNl/f7+q65wCoIj7zbfx8/Bw4B1PZnpe8WIHYAXrw/1si1jalmCKA1gvJTZaBGzz/96p3cr+DJNOAhoLzXnKMWfh2WQLVpcaYFiVBMxXGEFHTOzZMaE9pe9MIrOr1zI9HwEPrEFon1qmo+gnd0vsuZsOpIL6V7vB0z/Dw3+Wc3RBggNYYzMPSa+gY/Lq2WSMBrN1/k4qGm3cU/7g3Kf1xkptOHCM+CIAipA2Ji8A8I6xsxid1+HYjpaAAB01EZGhBQ5MiS+5HmkzSOcvlGQ9hvNvNtFedYX2mBBUcB9RmrR+OiU1jx01L56WFR61mARQHfUu3YM5L4vO7nylPACZfnb1MCfQL4+zv5gclHco8lhyPJACfC6T0LuVk2/3D0p/9Qcyhj1IzKZFSFW3d6DVI+JOW9CK4kn2+0M1mLP6ardJCjm1YUO3nL+d5XVkcsz0iSO+8TmowqM9EvJLg6jQ4mBPYqw2tBZhV0dDVdGmON+qo5WjSw7aqkufVKEI9d8Z9euyc+M4yBK8/6WCMfoR5q+u/EQX78smAMnPfKbbNJczPe,iv:p+HEgeqmySS8uG2yk7Ar1Bkr/LY2e2dMu4DSF0YdIyQ=,tag:0/+Z2ojLmKeSeAeHc7JzaQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- enc: |
- recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrY0pseTB5R290aXAzdnB3
aTVMS2tBdnEvSjR5K241dElEa1Z1Tmt2a0ZJCnRSbVBsZ3lNVlNzdnFlY3VvaWpB
aTd1ODFianpQR3RSMlk0Qk1IRE1jYlkKLS0tIENzVGgyUUFBcloweFdOMlE5cGNn
S3hOa3p1MHVLek5zaUxhWXFiV2Z3R0UKxSrnYSoN6KcuFdg5K6qwcwh9/j9lI0HB
HqujumuIfWkcctNk38AMn4beeesmXsbJQcUPHUVOZQw6Ov4jXaGz/Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaEYrY1ZsRGgvZmxhQ1ZU
dEdpd1lyTzExZzU1SVgwTllQL0RGdzBoYnl3Ckt5Rm01UkxDTndQSGY3Tysza2hE
RmszeDFHcXFtR29UOUZrbGxaYzd4MEkKLS0tIExkZjFaUERnRDZlejE1Nm1ncFV3
aE1ZdGt5MUd0am9oK2xQQWs2bHdWTG8K9L1SP4HuONB0ems8Cacze455sLnBveY2
sOx9riAGvi8QiR/FTfI+O9BHbgIhTVlRQMLF33FLfV+BIwBl+yQZXg==
-----END AGE ENCRYPTED FILE-----
recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
- enc: |
- recipient: age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMazJ5VmNXQ2FRYzFuejBU
bWNPWnI2a2R3NVBpY0Y2N0lXd1RXbUdmTkc0ClZDTSs4bklpeVEyMDNrVXJXRHRF
UjIvRnd3VnFtbi9TMjVvd3UybTEvakEKLS0tIHpoRGtZb2VyUkJkd3hWcnZNWlln
a3dPbEZtL0tsOWpWSEtPblZSYk9NVTgKM6TfK7VX6v059FXpRjpAlgX+ab4f6vq2
jH8jyO33YxQYI1kSgXJ5AR8evCoV3FzbZ5rzIy2PRmCOwFV8Im2bRg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpME5hVk4vZnl1Q1FNR0Ev
d2pWcGpQNUlLcVJReGNUYjhVeDYxRjVLZ1hBCjVLRjdKMTBHUzFZaVR1ekN1aENw
bldhdW5ERngwc1M5ZjJtWFlLanU5YlEKLS0tICs1Q1RKYUs4WFE1TUQxVmREbWpO
LzlSR0NneVYvOG1OekJKejExMFFuTjAKGkWw4s5DU7uEPg+c2pXXfHymHHJHFNlD
zselZ73dBQly6GrTXomNYFlINE3s7J78rbVxo3aA098Nu1vAOKkU/Q==
-----END AGE ENCRYPTED FILE-----
recipient: age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
- enc: |
- recipient: age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4S0NrbGF4WXN5KzY4S0lt
ZW1PMWE5NUF6NEIyWmp6RWY4MzNYbE0wQnpFCkdOaGtIWmtJT08zNmZNNzcvQldp
bDFzdUcrRjcvaWdhWENGTlFPSUdWTkEKLS0tIENJeWRKenY1SVBpYXNwck5TSUwr
VFJrQWNnNTJ4azVpMElHbmsrZnJPM2MKx/7XxkZfd1tPMck9FmoM6g28dp5JeXQ5
OdiOLlKc2If1f6dLKkjDmmscMui6aLMQ8RJ8dLK7FKlYy+95VsHVrw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycGhUNTV0UCt6N3R6NHV3
TE5VRi9VR3hpWHRjNERJYUJkWjJSc01BOXdFCnlGeWY0bThzWkVjM2ZUbEtzRStp
Uk1paVEzc0hjQ0dXSmxuV0pwazAzdjQKLS0tIExTWFlWVEZsL29sTlE2cWtpS1c2
cmZTdjhPNERqdlVCY1dIdGpxMDQxQkEKhw0y9SMDVFuCfQqGh44ZCepFuLPBrn0r
6BXPFJoExcoMiIEAAA+5s6Cwzg7cn2Q0ZDWYmQMu/Pb9YE5lXZAEhg==
-----END AGE ENCRYPTED FILE-----
recipient: age1mar507c9mxmwalg486chs5kfh0mya38rv5w64ypfwnwlawewrpnswerpg8
- enc: |
- recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZFpKSVpWMCt6Z3M5UGUz
YVI4TG85UVh1eXYwVStQWk5xdEhhSjdNTzFJCk1mNnBtSVV0VFB0TnFIeVdocWFP
VzVKekdjUWYrbUVsRDJ3ZmdhaGhERDQKLS0tIE9rR3hpZmM2TWJDeEZxczlyRlFj
MzNuSHlWWnNMYkJMMHZkcnh0cXZaREkKE+j0yWV/zK8lz8vRa0cywpLL2DiAFsgi
fgCdeysSacrQLxB8iBWbusJ31ktyJMYLrsWFAdPkl0WN6HjaR3k3CQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NUxJNGpOeS9oQ0dobDlt
c28zQmJSRDgyK3kzU2dqUFoydzFDSThBSmdBClZ0UUEvQkpkWllHQ0IwcDRreHdX
ZmdqTFRrZnRxSUV3TDNvdmhhUnl3WGcKLS0tIEpFQXFaMjBkZHAwSlo3eTNhRjBw
SVVQV1lKRjFUZE5oNktUZVFnL3RTcW8KoMSLJTM7BFrpjAYSYgblowWBpz9hDL3B
et4snoEatB4x4p09Gm1IjpiCPp7RjRNETR3IaicpttNXdoKDjaj5pA==
-----END AGE ENCRYPTED FILE-----
recipient: age1w6avj7gd4f5frk90lsyh4e2k5am6z92hzlr0vpgrm767muyj59qsnuah62
- enc: |
- recipient: age1jf7yuycuajc5m8vupgrndjvw8knekr2v9979j68xc5ykvcxag4lss454au
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUFYyTzdpQlJ4VVJJbDF5
cEhIQ1NSRVcwRUFBUzdaeXdkOWhPVjFIdGtBCk5qVmx1L09kVGhiNnlaQ0xoeTVz
SEpTSjRLU2FkeGl5Q0hETStoR093VFEKLS0tIGIwblBVd2hKTGQyOENOMDR4Y1dP
VmFINkwvZEFuWnkyb2JpTCtmRUVBbUkKKzbifH6Ue84MkpaLHrwDvJu8uvjY7yOY
+qYg0rOqFuZAx9YiOjDR7JVeGpfHM+7pO9ZjSNTPH0f1NC3XwsNp1A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZHpTR3JRbTdwN3ljS0NN
NlJqUVpsZGJ1b2cvZ3VwRTFROENHQlZVb0dBCnlZMHlTTjdoREQrWTIyTUJOTDk4
dWFQeW9Wd3Y0RHA4b0JoOHkxeUVIcGsKLS0tIGdVZnc0Mk00QVFYRlVmeEtleFZy
ZjVDNHNKajArSy9CYitnUXJFdkxMRTAKO0e842Rsq1w6pCF7mnhOXnAy0BHyRsIw
JUNuMKYS7gsimPgmxt9pXsRuOvb+fgXWoh/+72wN9XgsnVf8bZqk/g==
-----END AGE ENCRYPTED FILE-----
recipient: age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSS9CQlE0azMwbFo4V0Ez
V3pKL2QvY0NNdmoxZXhQRUU1cG9Temk5M3pZCjBZUHJFRmZ1bTZzQ2RGU2F3WXF5
UGpPMGc5SmdiamlOUmpuZ3QrTkhhd3MKLS0tIDlaOUNhcmE0eUFaYTNIWWFoRXFx
Zm1ReDlMWW8wak5Jb0VncFV2bFJROWsKWi9DTgveMgGG8eK4qNeAGGG/gfiJS96G
232Tgf94Pb8eAU2zbF77pLWMaqTBbYPz1tggcMTfrAeDohq+/0sU8g==
-----END AGE ENCRYPTED FILE-----
recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqS0p2TVhWd2VMQTNNR0or
amhNdTh5bmY3WWh1QkgveWZEMEtxSCt3Tng4CnVEKzhDMFVzRktndmI5OFhSei94
dysxVnBUSXdnVDJOdHV1eFZDVzdXVlEKLS0tIDIwMnhyaUZPZWI2NnRmellnZjZI
TC91cmtZWm03dzYwS2E3dkorNkdFY2sKj5OZHOtKx1NGPSGKsWjC/8+seUAhvmxb
wQ0iuPAq6yDLhYV69n7Jx4G9fKoidLIQxq+Ia+tLcYt58UDX7aixJQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1ped3hpugq06908ex8kgama33qckqe03rmac5pa6th87vks5d249qhshvqu
lastmodified: "2026-06-16T18:49:15Z"
mac: ENC[AES256_GCM,data:Q51p1A317BYzKvXSpkx2HBduGLGvxdQFi/BCfUtKWV9uAJGlQDp//eGJ7kJEG6DIO6sWUddf75fBLYAQcqm3iogIetTLUuQl3OhHSpAPvGpUDC6Hh87sAZy/ebaN2cy7BhJy5cjPJ9JAkfHqLCFRP+cVIwS/eb87GzwvWdSGZbc=,iv:yTTwhHCB09Qb6a437VENFiWQPp8CHwd0TelFj4ugO3U=,tag:JXN58pSy2I04O44Hg4pQcw==,type:str]
lastmodified: "2026-01-19T18:14:58Z"
mac: ENC[AES256_GCM,data:mui6kiEDHvk8+Nh2/DToiGbAEu3rdWADkWDNI3Cy4eSrys7pFaeUx7o7RYHWOToFGAHLRVEGiZPg75mVmdcOtajvYytAMA/XE0TyVJ/dRkOk/R4Lbc0FQrKuExCla+TFuTAJSkvKHjeVu3EqFXuO3jHbCViEj+iRVrhv+UO+ZIM=,iv:E/Qkk1XC1oh9z7sx3ejfmO3gKc23XIANSwcjFxPyq+k=,tag:fO4Gp2uN9DVGh1BfCndraw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.13.1
version: 3.11.0

83
secrets/common/llama-swap.yaml
View File

@@ -1,83 +0,0 @@
#ENC[AES256_GCM,data:GdmmcWLHlE3LJvl9VfzbuEgZyGGqlKcrtNa+78/FFKO5coPf0n27eKwfo6UGuhf3ln++ePv37Eg=,iv:M+DWl7AZeQXJ0z4l6LHJBYrI/jW5NFY6b2tW9QnL9jM=,tag:fdy4feWIvKPCHbAcNZ6mmQ==,type:comment]
llama_swap_api_keys:
pi: ENC[AES256_GCM,data:7Cw7RPQemcf5/zO7uazjA+dzpQu2MQo/Nbe3K3/CJ+OeQR90SJx4Z0TZudFugZoIHWR+sPEGQxUk8ne5xcfY6GSHJA==,iv:B5fX93BtSNwIDUdWTXr3ZhBQ4AuUqDHjeeVbkcCk7HI=,tag:6RMyFEF5872waHzxUCUh0Q==,type:str]
aethera: ENC[AES256_GCM,data:IcVya8MVZ/tzFchSWp8mkaLJfUqMgDsWQL4gZsZZmppXZ0+xOTRf5vjMc3sGNuRvOixU5nLaeTaESqoWfoq5gDNMfQ==,iv:WYFbAaNiSrHxJ4e8PU1hEyKGYKgWdFg72CSAQJmXaHw=,tag:X45Y7h0ME1e7Yryl6ES9SQ==,type:str]
evan: ENC[AES256_GCM,data:QKoFxv0gnDd1TZn9a+hFxu/J,iv:rje8Pk4ko8kjt1za/LOiLkoid4mmR5NtHCk0QX6rakg=,tag:MYTTE3KfWvfv2i98rTZUhQ==,type:str]
sops:
age:
- recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZm9hY3BOa1Fmd1A0cGlz
Z0JWQ0Z4UnZGdUN0Q0JYLzBzczdsNi95d2tZCndYM2pLdENZTW53YmZUMy9GMUx3
TzIraGY0NTM0bmtUWWd3MXhPWGNDNVUKLS0tIFd4SlMrdWxLeDd6K2ZVM2hPai9q
djVIQldUaU96Vk9xUWptR3RxV3o4dEUKY4ti95K2052gWXpTJo4zw82pYSPhY53D
tKeeTBrfBs1PQ8bAYJ63exWam5HOz+fp0qu5HqO3reNairkgcH3Mhg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mxjrvjxkn69kfn2np3wpd73g44fuhsgykw7l5ss9rx30em5jfp2scnrq32
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1b0JTTUtoTDJRdGNHaHJj
SUNieDhhRUM3VkQzelV1ZDZTSVZqNy9oVjFnCjllWWFhcVprZ3BzamFEMmZXNzVo
NzdrVC9lcXpkYWpuR2lWdmtHQmx2UzgKLS0tIEtGTGI4M2RNNFRSSFRyaWRNNDhS
K2lsb3ZrYjB4RzRLTWpEVVpsQkoyQ0EK2nxzVyMoPI7P269oUVPUQfFbZIPPwjJy
IP9s6BvX8dkEssk2QDhqAKhugEHQ9czzutqcg9ZzepyrfIZde6bbYA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRVdtRnBXbFdKemtZclZ2
R3RDc2NOeDFLU0NuT2pRM1pDaDFGbDd0d2p3CkZkL0lYdlhhWE5iS2hNN2hoelc1
NXN4U1M5azk1ZHA4cEtNUnA5ZWhNaEEKLS0tIGdobWlDTnY4SzIwZDNWSTc0UjR4
NEJrT3JScC9XV2RoRW8xTEhwR01RaDgKuGGUk0GTJiBH/9r9EImZqhVoc8czS+qb
mdUQTzHt9c19R1a6BU99owQqPUShuoZh+4TR9ntEejODmo/wLDQUsw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mar507c9mxmwalg486chs5kfh0mya38rv5w64ypfwnwlawewrpnswerpg8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMHRrekI4ZWZvS0ZkOVFx
OHl1aFhNWTQ2US8waVRET3NjMXpWQXJtRGprCldyMXdNMnF0S1RaV2FoL1M3cVpz
bmVNaWNSRHJKa0xrUTJJdndtUTB6YTgKLS0tIHFDWEd0VGxzT1I3cnhJV2VHaDlN
M050QzkyQVIwa2sxc0h1TktxMDdlY28KWfobSicg0Z85yN7JZfKPiysHL8UvVucj
M27JLgbuvRw+tRKtuPdurfiSXQnHBXl1KKp7/HFeRWYYIf1CbjleXg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w6avj7gd4f5frk90lsyh4e2k5am6z92hzlr0vpgrm767muyj59qsnuah62
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMjRzS3ZQWkJEZXkrWmJ6
Zi84OWhFYnVuQWJLaFN1OS9uUW9GVTdtTjBvClVpZkYvc0tKTmxjbnR0eXpzeFZF
UDNnU3ZLQ0R1Nm4wS3ZoQm1pUCtuelkKLS0tIGlpbEtLNFpPU21SWWhhWEpxMUJO
elV3Z1RuM2RNemtEN1dTejNZWVZWTDAKP8DLC1+yoIWeVFa/m9ZE9VWi5kfU6NS9
918BrKOp3+Fzxf2/L+u3txmyDDKjAkax2ngNtcSCrF9FcW4oQMjOMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcXpOb05mTWhHYUJQSXB6
Zzh6QWNyRUgvcVhtNU4zclBnVHo2Y3czZFFRCklkWmlWaXRWZHhvME5XcTBDTTVM
clQxZW0xWFl0UFlvOEtSdjVLc0VzYlUKLS0tIEpIQU9uRkJ6MHdSWU0vc0V5R3Vj
bDE3SS91Mk5LdHd4QnhQS0xXS0c3MWMKQJ+dKG5TFo/K0Ds2Tuf4xpKUmJS+bri1
HnXCB5MTyLO8OrTsT8eiiBsNWjOyny7f8SHI2gGpQpvOjsh9IsmzjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UkdSRnFnRjlTOGFGc05S
SWNXQnNHL1VUSE8xS0RFN1FLcEpOcnl0VHdVCkpOTFZVYW5Wb3RLc2NMWnZLSkRI
QTRWQ2l1WUt0SXZWWVdzN2IxSEtzNEUKLS0tIHhZc056Z3pCL2lvQmQ0dWxZV21Q
RnR2UVVCSkMvRllzcVU4bmpndmpWNncKd6tk1HLfofPc714enTIiLGgQyQoEgnUH
PQSx9ipnMAnl4N0lVogn6P79xs37q3+DRPLoZi0XUeSpQnqLgBdQ7A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ped3hpugq06908ex8kgama33qckqe03rmac5pa6th87vks5d249qhshvqu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZm5hUkJBKzNTK3pydHRM
eTE5YVY5SjluUEh0U2o1amFoNG0yQkpld0Q4CjBxNllmL3BublZUdzF0bWdQbmxn
ZiszY3l0L2RMb1gvbTFWU2V6MHE1SVkKLS0tIENBdmRxc24wMFF6akNRQjRBSXUw
SmpMYnNBTWVYTENWSUQvWXMrZXVqbncK6KtP4pOEBDM8gK26uYp3a/WRP4TrkyWV
4ugL2Y7sGkVrWz0Cvr3Jp9QDuPh3xs4jZyEvB8RbxQDMFJzdOEBv2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-02T19:41:27Z"
mac: ENC[AES256_GCM,data:uL+15e31xhsZ3p1h3HqkWxjnEbwI3NuV9g+Apt/lw/1Q9IB29ViNl9H11qAptcJNz9gjTi9k2J9ITLgOqUkP2+3Saz1fK+QLJ11W91cQxAeLVSWdDwpJKrTL6tbWwH1+Ri/p5odyC1tqwwUX3AHy7WMYNq3f20+SJKbCBNc3k3I=,iv:H74r14tlmpJZzaFRGIkoM9UVMSDnyWgrhPpDAw5/rIQ=,tag:O67E2OZ2+HLrlEkvfTrQyA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

39
secrets/common/systems.yaml
View File

@@ -5,38 +5,29 @@ sops:
- recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeXRGUldvcVpFNEtHS05a
QjhlZGhQZFlaSjRKSWFNRHNrQldNMTRWdUFNCm1pRE04SndFNG9iMkZWRlVIaXh2
TXpYcldYUk9sVGlBcWxiWTJTdWtPS00KLS0tIHhSN2hCZjllajVialhXYktyRTIz
Q0hTbExTRTl3VjFSek5Ga0dGRGs0UUEKHICfAk9HISav51w5jkAZcQptpwpz9L4m
4O+gPPW8vk+TSP9pzGfLoxj0n5qu8qYQ2071zzpMfbaYTZrI8RYY/Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNzNQMlF1MGI2TkQxZFl1
WGV2d3lVTVFRSmQwamx5eG9NRi92WWF4U0JrClF2SWdaNStwK1UraUF5Z2RpQ0dQ
TGs4angrM1lrWkZzVm9EU2xoV1hieWcKLS0tIFVHN3hlVFFnSElpcTJvUDRwdVlU
OVNDc0VpbDVmUmlwS3lHTlFBaGZ0UEkKMhxvuNH2lw2rn31G26u9ur8ShHRCZQHg
PXPPBxMmbuoU4t5g1ongWqERG85YgOAOMO3werVw0Iw49AtQQzGE8w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mxjrvjxkn69kfn2np3wpd73g44fuhsgykw7l5ss9rx30em5jfp2scnrq32
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWGh5RVVjeFRZSHFDSlpy
Z0UzWU14eWVsc1VMYW1yZVFZbEtFNVN5NENrCmM2TEhqUVcwS0x1bXR5NW5NQmJ0
RGp0eEtNelpiNjBDdDBrdXhCSXFabUkKLS0tIERiaUtLOFZaSjF6RUp3UCsvSXJP
TDMyK0Y0ZXNUdEd1WjZYbnhNbEhzY2sKxuDAWIwRw+mUyPiQuUqTM9l6rkT0yWSA
cgHaWeWLgrLAmJ7vbjo24aDld1RVV8MG6ofAPBGpon7zZgmzFxSQyQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YTZUMUNUeElqbmFKanc2
TklFbk8yTU93YUFTUW4vM3BwREgzditnSFMwCk1nNW1XWnBBWXBTb3k4enpwZlVQ
bFVwNkNWOHZ3MTZUSjN4SWZYaDFzak0KLS0tIEtLYUhvNFVkOUp0QzVOei9XTm9C
ZVNmVktSNDYxdGFvRUpmYnlJbGFHQTgKf7ovzPU3Vo84gwGTKU/SNCy+76WY88ve
ZPkJ29D8BeaEwFCbNcDOygwiKGSFYV31a+2zYnTP4j5pf01d2it2eQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age13gymlygyac9z2slecl53jp8spq7e8n4zkan86n0gmnm3nrj4muxqa5ullm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UDJJWGluaEJoRlhRbHpF
UUZhRVRmejFpREkyYllhV1IxTjJWYjM0bGowCmM2K2FKczNpSmU1SlgyWmJDa3Rh
MlpQUWZRTVhqcHF0b3VlK3YrWUo5dXMKLS0tIG5RTnhZTWlFOVAxV0IwcTJEYWxp
OThzTW82YXRYMGt4VjlLQkNSbTBweVkKyJhjsDc1hf/1StbOybX3ccNp8jPC9kU8
InhF+++apu7vocTyuTxRfSB7BU3o8ZAog+qvoz+34PbVHSfxXufcuQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rfgh40p6wmaam4ttwgv9xfukgxjruskhfvm0q3ud6lvxtlqc2y8snhwjft
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aEF6QmY4OXBJeVVNSngy
VHlsMm8yalFkaktGYlpGYmd0Umk3RjF3TFhVCkNSOTIwYXRqRU5lMnNqek1zYUts
TEdEcXNZY3hwMUh4RThpYXhJWXhNWG8KLS0tIFpXL0RhQWVma3p1dG5MRDF1SGo5
bWkxUDhBL24xMFJDUnR4eXNVUXE5N3cKyHtp6HAOh/qc4vkWhGiT+9kLlN6YROtE
y2RZTVC840ABTA2XsCWpSiBviT6StJGhK4vl6vNzF5gbO9mVB9pbDg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2dEWVRDbzYxeWkyRmdo
RzdBcm9UbXE5Q01zeHRxMisxajlDMnMvZW5vCm9pMEVlU3pEUGpoNmFlRlV4OXJ4
QXg5ZTZSVkMzcTlFc2cvNzVQR2ZwelEKLS0tIDhhQmtGYTZjcEZwMXJoMjdMNVFt
aHc4a3UvZUFRNzRtQTc2NTloWE0zdkUKL5FRH7D8MlR8ofvIieFqIStwEXQUvu2w
+/SHKsi3lt9/1Vkk/Jlm1aymglp3ZdGVzTS/cxpM43VDDx+E3HYOQQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-12T02:56:42Z"
mac: ENC[AES256_GCM,data:R6s3ErVrw2nvRhkCdiaa6FCmIxBKZGQggQX5bYe1xmhIXuujsl9NZ9aqlzlS1XvVDICJEIbryfoEnOqSCrY/vAmdlKNfzakZqLZRrkfOZed6PWFWjk3SX6HmuMR9dQSQgLRlDZINZcKMNE0kuLL+mx4bo8lV84VoqMHGHtkwAJI=,iv:NCh3zDMEiYcrYxPxP5lfGWYwWLl1/yylq7+gTEHyWF4=,tag:t7MOwGHejUFotIBi7kfecw==,type:str]

3
shells/default/default.nix
View File

@@ -2,9 +2,6 @@
let
sync-repo = pkgs.writeShellScriptBin "sync-repo" ''
# Navigate to repo root so rsync copies the entire repository
cd "$(git rev-parse --show-toplevel)"
if [ -z "$1" ]; then
echo "Usage: sync-repo <ip-address>"
echo "Example: sync-repo 23.29.118.42"

2
systems/aarch64-linux/lin-o1-headscale/default.nix
View File

@@ -15,7 +15,7 @@ in
(modulesPath + "/profiles/qemu-guest.nix")
];
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "UTC";
boot.loader.grub = {

2
systems/aarch64-linux/lin-o1-node/default.nix
View File

@@ -12,7 +12,7 @@ in
(modulesPath + "/profiles/qemu-guest.nix")
];
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "UTC";
boot.loader.grub = {

12
systems/aarch64-linux/lin-va-mbp-personal/default.nix
View File

@@ -11,24 +11,14 @@ in
./hardware-configuration.nix
];
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "America/New_York";
programs.firejail.enable = true;
programs.nix-ld.enable = true;
# Asahi Wi-Fi Resume Bug - The Broadcom driver can fail to reconnect after suspend on this MacBook.
powerManagement.resumeCommands = ''
${pkgs.kmod}/bin/modprobe -r brcmfmac_wcc 2>/dev/null || true
${pkgs.kmod}/bin/modprobe -r brcmfmac 2>/dev/null || true
${pkgs.kmod}/bin/modprobe brcmfmac
${pkgs.systemd}/bin/systemctl restart NetworkManager.service
'';
# System Config
reichard = {
nix = enabled;
user.extraGroups = [ "dialout" ];
system = {
boot = {

2
systems/aarch64-linux/lin-va-mbp-work-vm/default.nix
View File

@@ -11,7 +11,7 @@ in
(modulesPath + "/profiles/qemu-guest.nix")
];
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "America/New_York";
programs.nix-ld.enable = true;

2
systems/aarch64-raw-efi/lin-terminal-image/default.nix
View File

@@ -3,7 +3,7 @@ let
inherit (lib.${namespace}) enabled;
in
{
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "America/New_York";
# Config Boot

2
systems/x86_64-linux/lin-o1-x86-node/default.nix
View File

@@ -15,7 +15,7 @@ in
(modulesPath + "/profiles/qemu-guest.nix")
];
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "UTC";
boot.loader.grub = {

2
systems/x86_64-linux/lin-ovh-kube1/default.nix
View File

@@ -15,7 +15,7 @@ in
(modulesPath + "/profiles/qemu-guest.nix")
];
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "UTC";
networking.firewall.allowedTCPPorts = [ 443 ];

2
systems/x86_64-linux/lin-ssd-kube1/default.nix
View File

@@ -12,7 +12,7 @@ in
(modulesPath + "/profiles/qemu-guest.nix")
];
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "UTC";
networking.firewall.allowedTCPPorts = [ 443 ];

29
systems/x86_64-linux/lin-va-desktop/default.nix
View File

@@ -1,5 +1,4 @@
{ namespace
, config
, pkgs
, lib
, ...
@@ -7,15 +6,13 @@
let
inherit (lib.${namespace}) enabled;
nvidia-smi = "${config.hardware.nvidia.package.bin}/bin/nvidia-smi";
llama-cpp = pkgs.reichard.llama-cpp;
ik-llama-cpp = pkgs.reichard.ik-llama-cpp;
stable-diffusion-cpp = pkgs.reichard.stable-diffusion-cpp.override {
cudaSupport = true;
};
in
{
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "America/New_York";
nixpkgs.config.allowUnfree = true;
hardware.nvidia-container-toolkit.enable = true;
@@ -49,27 +46,6 @@ in
allowedTCPPorts = [ 8081 ];
};
# NVIDIA GPU Power Limit
systemd.services = {
nvidia-persistence-mode = {
description = "Enable NVIDIA GPU Persistence Mode";
after = [ "nvidia-modules-load.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = "${nvidia-smi} -pm 1";
};
nvidia-power-limit = {
description = "Set NVIDIA GPU Power Limit";
after = [ "nvidia-persistence-mode.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = "${nvidia-smi} -i 0 -pl 290";
};
};
# System Config
reichard = {
nix = enabled;
@@ -100,8 +76,6 @@ in
opengl = {
enable = true;
enableNvidia = true;
# GTX 1080 Ti is Pascal; NVIDIA 590+ (nixpkgs stable = 595) dropped Pascal support.
nvidiaPackage = config.boot.kernelPackages.nvidiaPackages.legacy_580;
};
};
@@ -132,7 +106,6 @@ in
# Local Packages
llama-cpp
ik-llama-cpp
stable-diffusion-cpp
];
}

2
systems/x86_64-linux/lin-va-nix-builder/default.nix
View File

@@ -3,7 +3,7 @@
}:
{
time.timeZone = "America/New_York";
system.stateVersion = "26.05";
system.stateVersion = "25.11";
reichard = {
system = {

2
systems/x86_64-linux/lin-va-office/default.nix
View File

@@ -9,7 +9,7 @@ let
cfg = config.${namespace}.user;
in
{
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "America/New_York";
nixpkgs.config.allowUnfree = true;

4
systems/x86_64-linux/lin-va-terminal/default.nix
View File

@@ -3,11 +3,9 @@ let
inherit (lib.${namespace}) enabled;
in
{
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "America/New_York";
programs.nix-ld.enable = true;
reichard = {
nix = enabled;

20
systems/x86_64-linux/lin-va-thinkpad/default.nix
View File

@@ -7,10 +7,15 @@ let
inherit (lib.${namespace}) enabled;
in
{
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "America/New_York";
programs.nix-ld.enable = true;
boot = {
kernelParams = [
# Mask GPE03 (EC wakeup events) to allow hibernation without spurious CPU wakeups
"acpi_mask_gpe=0x03"
];
};
hardware = {
enableRedistributableFirmware = true;
@@ -52,7 +57,6 @@ in
};
services = {
printing = enabled;
openssh = enabled;
tailscale = enabled;
avahi = enabled;
@@ -78,4 +82,14 @@ in
sops = enabled;
};
};
# Additional System Packages
environment.systemPackages = with pkgs; [
dool
jq
mosh
rclone
sqlite-interactive
unzip
];
}

2
systems/x86_64-vmware/lin-va-rke2/default.nix
View File

@@ -13,7 +13,7 @@ in
config = {
# Basic System
system.stateVersion = "26.05";
system.stateVersion = "25.11";
time.timeZone = "UTC";
reichard = {