chore: update lockfile

dots/.config/nvim/after/plugin/hydra.lua

@@ -0,0 +1,35 @@
+local hydra_repl = "hydra-repl"
+
+if not vim.fn.executable(hydra_repl) then
+  return
+end
+
+local function send(lines)
+  vim.system({ hydra_repl, table.concat(lines, "\n") })
+end
+
+local function get_paragraph(buf)
+  local start_ = vim.fn.search("^$", "bnW")
+  local end_ = vim.fn.search("^$", "nW") - 1
+  if end_ < vim.api.nvim_win_get_cursor(0)[1] then
+    end_ = vim.api.nvim_buf_line_count(buf)
+  end
+  return vim.api.nvim_buf_get_lines(buf, start_, end_, false)
+end
+
+local function get_selection(buf)
+  return vim.api.nvim_buf_get_lines(buf, vim.fn.line("'<") - 1, vim.fn.line("'>"), false)
+end
+
+vim.api.nvim_create_autocmd("FileType", {
+  pattern = "javascript",
+  callback = function(e)
+    if vim.fn.fnamemodify(vim.api.nvim_buf_get_name(e.buf), ":e") ~= "hydra" then
+      return
+    end
+
+    local buf = e.buf
+    vim.keymap.set("n", "<CR>", function() send(get_paragraph(buf)) end, { buffer = buf, desc = "hydra: send block" })
+    vim.keymap.set("v", "<CR>", function() send(get_selection(buf)) end, { buffer = buf, desc = "hydra: send selection" })
+  end,
+})

dots/.config/nvim/after/plugin/wiki.vim.lua

@@ -13,11 +13,16 @@ nm <leader>ww <plug>(wiki-index)
 " nm <leader>s <plug>(wiki-link-follow-split)
 " nm <leader>v <plug>(wiki-link-follow-vsplit)
 
-autocmd BufEnter *.md if expand('%:t') =~ '_' | echo 'hierarchical relation' | endif
+function! ZKContextualEcho()
-autocmd BufEnter *.md if expand('%:t') =~ '--' | echo 'relation' | endif
+  let l:name = expand('%:t')
-autocmd BufEnter *.md if expand('%:t') =~ '<>' | echo 'dichotomy' | endif
+  if l:name =~ '_' | echo 'hierarchical relation'
-autocmd BufEnter *.md if expand('%:t') =~ 'my-' | echo 'personal file' | endif
+  elseif l:name =~ '--' | echo 'relation'
-autocmd BufEnter *.md if expand('%:t') =~ 'project_' | echo 'project file' | endif
+  elseif l:name =~ '<>' | echo 'dichotomy'
+  elseif l:name =~ 'my-' | echo 'personal file'
+  elseif l:name =~ 'project_' | echo 'project file'
+  endif
+endfunction
+execute 'autocmd BufEnter' g:zk_path . '/*.md' 'call ZKContextualEcho()'
 
 " Only load wiki.vim for zk directory
 let g:wiki_index_name='index'

dots/.config/nvim/flake.lock

@@ -42,11 +42,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1774835836,
+        "lastModified": 1777273601,
-        "narHash": "sha256-6ok7iv/9R82vl6MYe3Lwyyb6S5bmW2PxEZtmjzlqyPs=",
+        "narHash": "sha256-xBUa8Tl9V7IXI+VmLEuDc81La/EhoSn1C3EVSnJ3cfU=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "ebb9f279a55ca60ff4e37e4accf6518dc627aa8d",
+        "rev": "f69ea013e328841a7def7037ed59788a76be8816",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1775608838,
+        "lastModified": 1777270315,
-        "narHash": "sha256-2ySoGH+SAi34U0PeuQgABC0WiH9LQ3tkyHTiE93KUeg=",
+        "narHash": "sha256-yKB4G6cKsQsWN7M6rZGk6gkJPDNPIzT05y4qzRyCDlI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9a01fad67a57e44e1b3e1d905c6881bcfb209e8a",
+        "rev": "6368eda62c9775c38ef7f714b2555a741c20c72d",
         "type": "github"
       },
       "original": {

dots/.config/nvim/flake.nix

@@ -45,7 +45,23 @@
       inherit (nixCats) utils;
       luaPath = ./.;
       forEachSystem = utils.eachSystem nixpkgs.lib.platforms.all;
-      extra_pkg_config = { };
+      extra_pkg_config = {
+        allowUnfreePredicate =
+          pkg:
+          builtins.elem (nixpkgs.lib.getName pkg) [
+            "vim-sandwich"
+            "jupytext.nvim"
+            "eyeliner.nvim"
+            "context_filetype.vim"
+            "editorconfig-vim"
+            "unicode.vim"
+            "quarto-nvim"
+            "vim-openscad"
+            "lsp_lines.nvim"
+            "nvim-highlight-colors"
+            "nvim-lint"
+          ];
+      };
 
       mkDependencyOverlays = system: [
         (utils.standardPluginOverlay inputs)
@@ -71,9 +87,11 @@
         {
           lspsAndRuntimeDeps = with pkgs; {
             general = [
+              nodejs_24
               black
               clang
               clang-tools
+              curl # → plenary-nvim, mcp-hub
               delta
               emmet-language-server
               eslint_d
@@ -87,6 +105,8 @@
               mcp-hub
               nixd
               nixfmt
+              prettier
+              typescript-language-server
               ormolu
               prettierd
               rust-analyzer
@@ -95,6 +115,7 @@
               stylelint
               stylua
               tree-sitter
+              tailwindcss-language-server
               typescript-language-server
               vscode-langservers-extracted
               vtsls

dots/.config/nvim/lua/ftdetect.lua

@@ -9,5 +9,6 @@ vim.filetype.add({
     ["%.env.*"] = "dotenv",
     ["%.pl$"] = "prolog",
     [".*.containerfile.*"] = "dockerfile",
+    ["%.hydra$"] = "javascript",
   },
 })

dots/.config/nvim/lua/zk/cmp.lua

@@ -13,13 +13,19 @@ local function get_markdown_files(base)
   return items
 end
 
+function source:get_keyword_pattern()
+  return "[%w%./%-]*"
+end
+
 function source:complete(params, callback)
   local cursor_before_line = params.context.cursor_before_line
   local cursor_after_line = params.context.cursor_after_line or ""
 
-  local trigger = cursor_before_line:match("%[[^%]]*%]%(([^)]*)$")
+  if not cursor_before_line:match("%[[^%]]*%]%(") then
+    callback({})
+    return
+  end
 
-  if trigger ~= nil then
   local items = get_markdown_files(".")
   local next_char = cursor_after_line:sub(1, 1)
 
@@ -32,9 +38,6 @@ function source:complete(params, callback)
   end
 
   callback(items)
-  else
-    callback({})
-  end
 end
 
 function source:get_trigger_characters()

flake.lock

@@ -38,11 +38,11 @@
     "base16-helix": {
       "flake": false,
       "locked": {
-        "lastModified": 1760703920,
+        "lastModified": 1776754714,
-        "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
+        "narHash": "sha256-E3OAK27smtATTmX45uoTSRsVD+Y+ZiVVfgM/tjpbtYg=",
         "owner": "tinted-theming",
         "repo": "base16-helix",
-        "rev": "d646af9b7d14bff08824538164af99d0c521b185",
+        "rev": "4d508123037e7851ad36ebf7d9c48b0e9e1eb581",
         "type": "github"
       },
       "original": {
@@ -121,11 +121,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1777176175,
+        "lastModified": 1778040175,
-        "narHash": "sha256-l/0TJCLEarrsyHIKNhAjI4+7lkyGsFqojyx1X1h64Ks=",
+        "narHash": "sha256-SSXJp3BMjO2LrW/VLjNdGGcjd3RFEyV4FemYA6OGrYw=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "515c8c1296021efe49ba1b1318ff27a43e93442b",
+        "rev": "3bd76b0f41e65661866bddcac57ebe83aeadb581",
         "type": "gitlab"
       },
       "original": {
@@ -138,11 +138,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1775176642,
+        "lastModified": 1776136500,
-        "narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=",
+        "narHash": "sha256-r0gN2brVWA351zwMV0Flmlcd6SGMvYqFbvC3DfKFM8Y=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "179704030c5286c729b5b0522037d1d51341022c",
+        "rev": "0f8ba203d475587f477e7ae12661bd8459e225b7",
         "type": "github"
       },
       "original": {
@@ -342,11 +342,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777196875,
+        "lastModified": 1778009629,
-        "narHash": "sha256-6M/rTHxFRdKJ6WZYxrCl68qIyh3BvjWBmYC7Vufolbg=",
+        "narHash": "sha256-nUoQtf4Zq7DRYJrfv904hjrxjAlWVP6a1pNNFKx3FCg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "38bf0202cae280174cbb80fc24a63978f16333f7",
+        "rev": "00ed86e58bb6979a7921859fd1615d19382eac5c",
         "type": "github"
       },
       "original": {
@@ -415,11 +415,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1774835836,
+        "lastModified": 1777273601,
-        "narHash": "sha256-6ok7iv/9R82vl6MYe3Lwyyb6S5bmW2PxEZtmjzlqyPs=",
+        "narHash": "sha256-xBUa8Tl9V7IXI+VmLEuDc81La/EhoSn1C3EVSnJ3cfU=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "ebb9f279a55ca60ff4e37e4accf6518dc627aa8d",
+        "rev": "f69ea013e328841a7def7037ed59788a76be8816",
         "type": "github"
       },
       "original": {
@@ -451,11 +451,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1776983936,
+        "lastModified": 1777917524,
-        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "narHash": "sha256-k+LVe9YaO2BEPB9AaCtTtOMCeGi4dxDo6gt4Un3qoPY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "df7783100babf59001340a7a874ba3824e441ecb",
         "type": "github"
       },
       "original": {
@@ -467,11 +467,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1776877367,
+        "lastModified": 1777954456,
-        "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -509,11 +509,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775228139,
+        "lastModified": 1777598946,
-        "narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=",
+        "narHash": "sha256-X239dAGaU1+gfDj8jKH8GzlqKMcxaVfXOio+uzBOkeE=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "601971b9c89e0304561977f2c28fa25e73aa7132",
+        "rev": "5d55af01c0f86be583931fe99207fc56c14134b3",
         "type": "github"
       },
       "original": {
@@ -665,11 +665,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776771786,
+        "lastModified": 1777944972,
-        "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
         "type": "github"
       },
       "original": {
@@ -714,11 +714,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1776893932,
+        "lastModified": 1777835090,
-        "narHash": "sha256-AFD5cf9eNqXq1brHS63xeZy2xKZMgG9J86XJ9I2eLn8=",
+        "narHash": "sha256-VLH8zPweblCOvpnQXp4fVs7f6Q79YhXF5XFKlOrvIFk=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "84971726c7ef0bb3669a5443e151cc226e65c518",
+        "rev": "7989a1054b01153212dede6005abfd1576b8328c",
         "type": "github"
       },
       "original": {
@@ -776,11 +776,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1772661346,
+        "lastModified": 1777041405,
-        "narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=",
+        "narHash": "sha256-BAGZ7ObFV/9Z61OJZun7ifPyhkuHqNuW1QIhQ8LuzCo=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "13b5b0c299982bb361039601e2d72587d6846294",
+        "rev": "5f868b3a338b6904c47f3833b9c411be641983a8",
         "type": "github"
       },
       "original": {
@@ -792,11 +792,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1772934010,
+        "lastModified": 1777169200,
-        "narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=",
+        "narHash": "sha256-h7dDbIzP5hDr9v97w9PL6jdAgXawmj6krcH+959rqpU=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d",
+        "rev": "f798c2dce44ef815bb6b8f05a82135c7942d35ac",
         "type": "github"
       },
       "original": {
@@ -808,11 +808,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1772909925,
+        "lastModified": 1777463218,
-        "narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=",
+        "narHash": "sha256-Bhkozqtq3BKLqWTlmKm8uAptfX4aRGI8QX3eEL54Vpc=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df",
+        "rev": "5768d08ed2e7944a26a958868cdb073cb8856dae",
         "type": "github"
       },
       "original": {

flake.nix

@@ -76,7 +76,10 @@
           nixpkgs.lib.nixosSystem {
             modules = [
               ./hosts/${host}
-              { nixpkgs.hostPlatform = (myUtils.hostMeta ./hosts/${host}).system; }
+              {
+                nixpkgs.hostPlatform = (myUtils.hostMeta ./hosts/${host}).system;
+                host.name = host;
+              }
             ];
             specialArgs = {
               inherit

home/hosts/andromache/default.nix

@@ -47,7 +47,10 @@
     printing.enable = true;
     modeling.enable = true;
   };
-  ai-tools.opencode.enable = true;
+  ai-tools = {
+    claude-code.enable = true;
+    opencode.enable = true;
+  };
   browser.primary = "librewolf";
   cloud.hetzner.enable = true;
   comms.signal.enable = true;

home/hosts/astyanax/default.nix

@@ -43,7 +43,10 @@
   };
 
   modules."3d".printing.enable = true;
-  ai-tools.opencode.enable = true;
+  ai-tools = {
+    claude-code.enable = true;
+    opencode.enable = true;
+  };
   browser.primary = "librewolf";
   cloud.hetzner.enable = true;
   comms.signal.enable = true;

home/hosts/work/default.nix

@@ -73,8 +73,11 @@
     tirith.enable = true;
     opencode.enable = true;
   };
-  database.mssql.enable = true;
+  database = {
-  database.postgresql.enable = true;
+    mssql.enable = true;
+    postgresql.enable = true;
+    redis.enable = true;
+  };
   git.github.enable = true;
   git.gitlab.enable = true;
   secrets.vault.enable = true;

home/modules/ai-tools/claude-code.nix

@@ -0,0 +1,60 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools.claude-code;
+  rtk-version = "0.18.1";
+in
+{
+  options.ai-tools.claude-code.enable = lib.mkEnableOption "claude code with rtk and ccline";
+
+  config = lib.mkIf cfg.enable {
+    programs.claude-code.enable = true;
+
+    home.packages = with pkgs; [
+      (stdenv.mkDerivation {
+        name = "ccline";
+        src = fetchurl {
+          url = "https://github.com/Haleclipse/CCometixLine/releases/download/v1.0.8/ccline-linux-x64.tar.gz";
+          hash = "sha256-Joe3Dd6uSMGi66QT6xr2oY/Tz8rA5RuKa6ckBVJIzI0=";
+        };
+        unpackPhase = "tar xzf $src";
+        installPhase = ''
+          mkdir -p $out/bin
+          cp ccline $out/bin/
+          chmod +x $out/bin/ccline
+        '';
+        meta = {
+          description = "CCometixLine Linux x64 CLI (Claude Code statusline)";
+          homepage = "https://github.com/Haleclipse/CCometixLine";
+          license = lib.licenses.mit;
+          platforms = [ "x86_64-linux" ];
+        };
+      })
+      (stdenv.mkDerivation {
+        name = "rtk-${rtk-version}";
+        version = rtk-version;
+        src = fetchurl {
+          url = "https://github.com/rtk-ai/rtk/releases/download/v${rtk-version}/rtk-x86_64-unknown-linux-gnu.tar.gz";
+          hash = "sha256-XoTia5K8b00OzcKYCufwx8ApkAS31DxUCpGSU0jFs2Q=";
+        };
+        unpackPhase = "tar xzf $src";
+        installPhase = ''
+          mkdir -p $out/bin
+          cp rtk $out/bin/
+          chmod +x $out/bin/rtk
+        '';
+        meta = {
+          description = "RTK - AI coding tool enhancer";
+          homepage = "https://www.rtk-ai.app";
+          license = lib.licenses.mit;
+          platforms = [ "x86_64-linux" ];
+        };
+      })
+      mcp-nixos
+    ];
+  };
+}

home/modules/ai-tools/default.nix

@@ -1,116 +1,8 @@
 {
-  lib,
+  imports = [
-  config,
+    ./claude-code.nix
-  pkgs,
+    ./opencode.nix
-  ...
+    ./skills.nix
-}:
+    ./tirith.nix
-let
-  cfg = config.ai-tools;
-  rtk-version = "0.18.1";
-in
-{
-  options.ai-tools = {
-    claude-code.enable = lib.mkEnableOption "claude code with rtk and ccline";
-    tirith.enable = lib.mkEnableOption "tirith shell security guard";
-    opencode.enable = lib.mkEnableOption "opencode";
-  };
-
-  config = lib.mkMerge [
-    (lib.mkIf cfg.claude-code.enable {
-      home.packages = with pkgs; [
-        claude-code
-        (pkgs.stdenv.mkDerivation {
-          name = "ccline";
-          src = pkgs.fetchurl {
-            url = "https://github.com/Haleclipse/CCometixLine/releases/download/v1.0.8/ccline-linux-x64.tar.gz";
-            hash = "sha256-Joe3Dd6uSMGi66QT6xr2oY/Tz8rA5RuKa6ckBVJIzI0=";
-          };
-
-          unpackPhase = ''
-            tar xzf $src
-          '';
-
-          installPhase = ''
-            mkdir -p $out/bin
-            cp ccline $out/bin/
-            chmod +x $out/bin/ccline
-          '';
-
-          meta = with pkgs.lib; {
-            description = "CCometixLine Linux x64 CLI (Claude Code statusline)";
-            homepage = "https://github.com/Haleclipse/CCometixLine";
-            license = licenses.mit;
-            platforms = [ "x86_64-linux" ];
-          };
-        })
-        (pkgs.stdenv.mkDerivation {
-          name = "rtk-${rtk-version}";
-          version = rtk-version;
-          src = pkgs.fetchurl {
-            url = "https://github.com/rtk-ai/rtk/releases/download/v${rtk-version}/rtk-x86_64-unknown-linux-gnu.tar.gz";
-            hash = "sha256-XoTia5K8b00OzcKYCufwx8ApkAS31DxUCpGSU0jFs2Q=";
-          };
-
-          unpackPhase = ''
-            tar xzf $src
-          '';
-
-          installPhase = ''
-            mkdir -p $out/bin
-            cp rtk $out/bin/
-            chmod +x $out/bin/rtk
-          '';
-
-          meta = with pkgs.lib; {
-            description = "RTK - AI coding tool enhancer";
-            homepage = "https://www.rtk-ai.app";
-            license = licenses.mit;
-            platforms = [ "x86_64-linux" ];
-          };
-        })
-        mcp-nixos
-      ];
-    })
-    (lib.mkIf cfg.tirith.enable {
-      home.packages = with pkgs; [
-        tirith
-      ];
-    })
-    (lib.mkIf (cfg.tirith.enable && cfg.claude-code.enable) {
-      home.file.".claude/hooks/tirith-check.py" = {
-        source = ./tirith-check.py;
-        executable = true;
-      };
-
-      home.activation.tirith-claude-code = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
-        ${pkgs.tirith}/bin/tirith setup claude-code --with-mcp --scope user --force 2>/dev/null || true
-      '';
-    })
-    (lib.mkIf cfg.opencode.enable {
-      home.packages = with pkgs; [
-        opencode
-      ];
-      home.file.".config/opencode/opencode.json".text = builtins.toJSON {
-        "$schema" = "https://opencode.ai/config.json";
-        permission = {
-          external_directory = {
-            "/run/secrets/" = "deny";
-            "~/.config/sops/age/keys.txt" = "deny";
-            "~/.ssh/id_rsa" = "deny";
-            "~/.ssh/id_ed25519" = "deny";
-            "~/.ssh/id_ecdsa" = "deny";
-            "~/.ssh/id_dsa" = "deny";
-            "/etc/ssh/ssh_host_rsa_key" = "deny";
-            "/etc/ssh/ssh_host_ed25519_key" = "deny";
-            "/etc/ssh/ssh_host_ecdsa_key" = "deny";
-            "/etc/ssh/ssh_host_dsa_key" = "deny";
-          };
-          command = {
-            sops = "deny";
-          };
-        };
-        plugin = [ "@mohak34/opencode-notifier@latest" ];
-      };
-    })
   ];
 }

home/modules/ai-tools/opencode.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools.opencode;
+in
+{
+  options.ai-tools.opencode = {
+    enable = lib.mkEnableOption "opencode";
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = [ pkgs.opencode ];
+
+    home.file.".config/opencode/opencode.json".text = builtins.toJSON {
+      "$schema" = "https://opencode.ai/config.json";
+      permission = {
+        external_directory = {
+          "/run/secrets/" = "deny";
+          "~/.config/sops/age/keys.txt" = "deny";
+          "~/.ssh/id_rsa" = "deny";
+          "~/.ssh/id_ed25519" = "deny";
+          "~/.ssh/id_ecdsa" = "deny";
+          "~/.ssh/id_dsa" = "deny";
+          "/etc/ssh/ssh_host_rsa_key" = "deny";
+          "/etc/ssh/ssh_host_ed25519_key" = "deny";
+          "/etc/ssh/ssh_host_ecdsa_key" = "deny";
+          "/etc/ssh/ssh_host_dsa_key" = "deny";
+        };
+        command = {
+          sops = "deny";
+        };
+      };
+      plugin = [ "@mohak34/opencode-notifier@latest" ];
+    };
+  };
+}

home/modules/ai-tools/skills.nix

@@ -0,0 +1,49 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools.claude-code;
+
+  skillType = lib.types.submodule {
+    options = {
+      owner = lib.mkOption { type = lib.types.str; };
+      repo = lib.mkOption { type = lib.types.str; };
+      rev = lib.mkOption { type = lib.types.str; };
+      hash = lib.mkOption { type = lib.types.str; };
+      skill = lib.mkOption { type = lib.types.str; };
+    };
+  };
+
+  fetchSkill =
+    skill:
+    let
+      src = pkgs.fetchFromGitHub {
+        inherit (skill)
+          owner
+          repo
+          rev
+          hash
+          ;
+      };
+    in
+    {
+      name = ".claude/skills/${skill.skill}";
+      value = {
+        source = "${src}/${skill.skill}";
+        recursive = true;
+      };
+    };
+in
+{
+  options.ai-tools.claude-code.skills = lib.mkOption {
+    type = lib.types.listOf skillType;
+    default = [ ];
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.file = builtins.listToAttrs (map fetchSkill cfg.skills);
+  };
+}

home/modules/ai-tools/tirith.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools.tirith;
+in
+{
+  options.ai-tools.tirith = {
+    enable = lib.mkEnableOption "tirith shell security guard";
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      home.packages = [ pkgs.tirith ];
+    })
+    (lib.mkIf (cfg.enable && config.ai-tools.claude-code.enable) {
+      home.file.".claude/hooks/tirith-check.py" = {
+        source = ./tirith-check.py;
+        executable = true;
+      };
+
+      home.activation.tirith-claude-code = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+        ${pkgs.tirith}/bin/tirith setup claude-code --with-mcp --scope user --force 2>/dev/null || true
+      '';
+    })
+  ];
+}

home/modules/database/default.nix

@@ -9,14 +9,18 @@
   options.database = {
     mssql.enable = lib.mkEnableOption "MSSQL";
     postgresql.enable = lib.mkEnableOption "PostgreSQL";
+    redis.enable = lib.mkEnableOption "Redis";
   };
 
   config = lib.mkMerge [
     (lib.mkIf config.database.mssql.enable {
-      home.packages = [ (config.nixgl.wrap pkgs.dbeaver-bin) ];
+      home.packages = with pkgs; [ (config.nixgl.wrap dbeaver-bin) ];
     })
     (lib.mkIf config.database.postgresql.enable {
-      home.packages = [ (config.nixgl.wrap pkgs.pgadmin4-desktopmode) ];
+      home.packages = with pkgs; [ (config.nixgl.wrap pgadmin4-desktopmode) ];
+    })
+    (lib.mkIf config.database.postgresql.enable {
+      home.packages = with pkgs; [ redis ];
     })
   ];
 }

home/modules/dconf/default.nix

@@ -41,7 +41,7 @@ in
       clock-show-weekday = true;
       color-scheme = "prefer-dark";
       enable-hot-corners = false;
-      font-name = font;
+      # font-name = font;
       locate-pointer = true;
       monospace-font-name = font;
     };

hosts/andromache/default.nix

@@ -51,9 +51,7 @@ in
     ../../modules/yubikey
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/andromache;
+  home-manager.users.${config.host.username} = import ../../home/hosts/${config.host.name};
-
-  ssh.authorizedHosts = [ "astyanax" ];
 
   secrets.nixSigningKey.enable = true;
 

hosts/andromache/host.nix

@@ -1,7 +1,7 @@
 {
   host = {
     username = "h";
-    name = "andromache";
     highRam = true;
+    admin = true;
   };
 }

hosts/astyanax/default.nix

@@ -47,9 +47,7 @@ in
     ../../modules/yubikey
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/astyanax;
+  home-manager.users.${config.host.username} = import ../../home/hosts/${config.host.name};
-
-  ssh.authorizedHosts = [ "andromache" ];
 
   secrets.nixSigningKey.enable = true;
 

hosts/astyanax/host.nix

@@ -1,7 +1,7 @@
 {
   host = {
     username = "h";
-    name = "astyanax";
     highRam = true;
+    admin = true;
   };
 }

hosts/eetion-02/default.nix

@@ -11,13 +11,6 @@
     ../../modules/ssh
   ];
 
-  ssh = {
-    authorizedHosts = [
-      "andromache"
-      "astyanax"
-    ];
-  };
-
   boot = {
     kernelParams = [
       "console=ttyS1,115200n8"

hosts/eetion-02/host.nix

@@ -1,6 +1,5 @@
 {
   host = {
     username = "h";
-    name = "eetion-02";
   };
 }

hosts/eetion/default.nix

@@ -15,13 +15,6 @@
 
   tailscale.enable = true;
 
-  ssh = {
-    authorizedHosts = [
-      "andromache"
-      "astyanax"
-    ];
-  };
-
   boot.loader = {
     grub.enable = false;
     generic-extlinux-compatible.enable = true;

hosts/eetion/host.nix

@@ -1,6 +1,5 @@
 {
   host = {
     username = "h";
-    name = "eetion";
   };
 }

hosts/hecuba/default.nix

@@ -18,13 +18,6 @@
   ];
 
   networking.hostName = config.host.name;
-  ssh = {
-    authorizedHosts = [
-      "andromache"
-      "astyanax"
-    ];
-  };
-
   docker.enable = true;
 
   fileSystems."/" = {

hosts/hecuba/host.nix

@@ -1,6 +1,5 @@
 {
   host = {
     username = "username";
-    name = "hecuba";
   };
 }

hosts/vm/host.nix

@@ -1,6 +1,5 @@
 {
   host = {
     username = "h";
-    name = "vm";
   };
 }

images/sd-image-orange-pi-aarch64.nix

@@ -21,11 +21,6 @@ in
     name = "orange-pi";
   };
 
-  ssh.authorizedHosts = [
-    "andromache"
-    "astyanax"
-  ];
-
   nix.settings.experimental-features = [
     "nix-command"
     "flakes"

images/sd-image-raspberry-pi-aarch64.nix

@@ -21,11 +21,6 @@ in
     name = "raspberry-pi";
   };
 
-  ssh.authorizedHosts = [
-    "andromache"
-    "astyanax"
-  ];
-
   boot.kernelParams = [
     "console=ttyS1,115200n8"
   ];

modules/ai-tools/default.nix

@@ -6,6 +6,7 @@ let
 in
 {
   config = {
+    nixpkgs.allowedUnfree = [ "claude-code" ];
     secrets.groups.opencode = [ "api-key" ];
 
     sops.templates."opencode/auth.json" = {

modules/common/host.nix

@@ -24,5 +24,10 @@
       type = lib.types.bool;
       default = false;
     };
+
+    admin = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
   };
 }

modules/desktops/logind.nix

@@ -0,0 +1,7 @@
+{
+  services.logind.settings.Login = {
+    HandleLidSwitch = "suspend";
+    IdleAction = "suspend";
+    IdleActionSec = 1800;
+  };
+}

modules/desktops/niri/default.nix

@@ -9,6 +9,8 @@ let
   cfg = config.desktop;
 in
 {
+  imports = [ ../logind.nix ];
+
   options.desktop = {
     ly = {
       enable = lib.mkOption {
@@ -35,15 +37,23 @@ in
       ];
     };
 
+    #  error:
+    #  Failed assertions:
+    #  - h profile: xdg.portal: since you installed Home Manager via its NixOS module and
+    #  'home-manager.useUserPackages' is enabled, you need to add
+    #
+    #  environment.pathsToLink = [ `/share/applications` `/share/xdg-desktop-portal` ];
+    #
+    #  to your NixOS configuration so that the portal definitions and DE
+    #  provided configurations get linked.
+    environment.pathsToLink = [
+      "/share/applications"
+      "/share/xdg-desktop-portal"
+    ];
+
     services = {
       gnome.gnome-keyring.enable = false;
       dbus.enable = true;
-      logind.settings.Login = {
-        HandleLidSwitch = "suspend";
-        IdleAction = "suspend";
-        IdleActionSec = 1800;
-      };
-
       displayManager.ly = lib.mkIf cfg.ly.enable {
         enable = true;
       };

modules/ssh/authorized-keys.nix

@@ -1,7 +1,12 @@
-{ lib, config, ... }:
+{
+  lib,
+  config,
+  ...
+}:
 
 let
   inherit (config.host) username;
+  adminHosts = (import ../../utils { inherit lib; }).adminHosts ../../hosts;
 in
 {
   options.ssh = {
@@ -19,6 +24,6 @@ in
         keyFile = ../../hosts/${hostname}/ssh_user.pub;
       in
       lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
-    ) config.ssh.authorizedHosts
+    ) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts)
   );
 }

utils/default.nix

@@ -1,12 +1,8 @@
 { lib }:
 
 let
-  hosts = import ./hosts.nix;
+  fs = import ./fs.nix { inherit lib; };
+  hosts = import ./hosts.nix { inherit lib; };
   secrets = import ./secrets.nix { inherit lib; };
 in
-{
+fs // hosts // secrets
-  dirNames =
-    path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
-}
-// hosts
-// secrets

utils/fs.nix

@@ -0,0 +1,6 @@
+{ lib }:
+
+{
+  dirNames =
+    path: builtins.attrNames (lib.filterAttrs (_: t: t == "directory") (builtins.readDir path));
+}

utils/hosts.nix

@@ -1,3 +1,8 @@
+{ lib }:
+
+let
+  fs = import ./fs.nix { inherit lib; };
+in
 {
   hostMeta =
     hostDir:
@@ -5,4 +10,10 @@
       import (hostDir + "/meta.nix")
     else
       throw "meta.nix required in ${hostDir}";
+
+  adminHosts =
+    hostsPath:
+    builtins.filter (host: ((import (hostsPath + "/${host}/host.nix")).host.admin or false)) (
+      fs.dirNames hostsPath
+    );
 }