hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: hektor:de7a7866e963a437f3d3fcb9f6960b50d84d6fd1
Branches Tags
hektor:main
..
compare: hektor:478e253fed097cc950fe948e02ed6fccf6e4bec0
Branches Tags
hektor:main

4 Commits
de7a7866e9 ... 478e253fed

Author SHA1 Message Date
hektor
478e253fed chore(ssh): rotate 'andromache' to hardware-backed ssh key 2026-04-10 23:45:04 +02:00
hektor
13f246e2ba fix: prefer hardware-backed ssh keys 2026-04-10 23:45:04 +02:00
hektor
28dc9d9570 docs: add 'tailscale' module todo 2026-04-10 23:45:04 +02:00
hektor
9d54fc70b0 refactor: modularize 'ai-tools module' 2026-04-10 23:45:04 +02:00
8 changed files with 141 additions and 115 deletions
Expand all files Collapse all files

71
home/modules/ai-tools/claude-code.nix Normal file
View File

@@ -0,0 +1,71 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.ai-tools.claude-code;
rtk-version = "0.18.1";
in
{
options.ai-tools.claude-code = {
enable = lib.mkEnableOption "claude code with rtk and ccline";
};
config = lib.mkIf cfg.enable {
home.packages = with pkgs; [
claude-code
(pkgs.stdenv.mkDerivation {
name = "ccline";
src = pkgs.fetchurl {
url = "https://github.com/Haleclipse/CCometixLine/releases/download/v1.0.8/ccline-linux-x64.tar.gz";
hash = "sha256-Joe3Dd6uSMGi66QT6xr2oY/Tz8rA5RuKa6ckBVJIzI0=";
};
unpackPhase = ''
tar xzf $src
'';
installPhase = ''
mkdir -p $out/bin
cp ccline $out/bin/
chmod +x $out/bin/ccline
'';
meta = with pkgs.lib; {
description = "CCometixLine Linux x64 CLI (Claude Code statusline)";
homepage = "https://github.com/Haleclipse/CCometixLine";
license = licenses.mit;
platforms = [ "x86_64-linux" ];
};
})
(pkgs.stdenv.mkDerivation {
name = "rtk-${rtk-version}";
version = rtk-version;
src = pkgs.fetchurl {
url = "https://github.com/rtk-ai/rtk/releases/download/v${rtk-version}/rtk-x86_64-unknown-linux-gnu.tar.gz";
hash = "sha256-XoTia5K8b00OzcKYCufwx8ApkAS31DxUCpGSU0jFs2Q=";
};
unpackPhase = ''
tar xzf $src
'';
installPhase = ''
mkdir -p $out/bin
cp rtk $out/bin/
chmod +x $out/bin/rtk
'';
meta = with pkgs.lib; {
description = "RTK - AI coding tool enhancer";
homepage = "https://www.rtk-ai.app";
license = licenses.mit;
platforms = [ "x86_64-linux" ];
};
})
mcp-nixos
];
};
}

117
home/modules/ai-tools/default.nix
View File

@@ -1,116 +1,7 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.ai-tools;
rtk-version = "0.18.1";
in
{
options.ai-tools = {
claude-code.enable = lib.mkEnableOption "claude code with rtk and ccline";
tirith.enable = lib.mkEnableOption "tirith shell security guard";
opencode.enable = lib.mkEnableOption "opencode";
};
config = lib.mkMerge [
(lib.mkIf cfg.claude-code.enable {
home.packages = with pkgs; [
claude-code
(pkgs.stdenv.mkDerivation {
name = "ccline";
src = pkgs.fetchurl {
url = "https://github.com/Haleclipse/CCometixLine/releases/download/v1.0.8/ccline-linux-x64.tar.gz";
hash = "sha256-Joe3Dd6uSMGi66QT6xr2oY/Tz8rA5RuKa6ckBVJIzI0=";
};
unpackPhase = ''
tar xzf $src
'';
installPhase = ''
mkdir -p $out/bin
cp ccline $out/bin/
chmod +x $out/bin/ccline
'';
meta = with pkgs.lib; {
description = "CCometixLine Linux x64 CLI (Claude Code statusline)";
homepage = "https://github.com/Haleclipse/CCometixLine";
license = licenses.mit;
platforms = [ "x86_64-linux" ];
};
})
(pkgs.stdenv.mkDerivation {
name = "rtk-${rtk-version}";
version = rtk-version;
src = pkgs.fetchurl {
url = "https://github.com/rtk-ai/rtk/releases/download/v${rtk-version}/rtk-x86_64-unknown-linux-gnu.tar.gz";
hash = "sha256-XoTia5K8b00OzcKYCufwx8ApkAS31DxUCpGSU0jFs2Q=";
};
unpackPhase = ''
tar xzf $src
'';
installPhase = ''
mkdir -p $out/bin
cp rtk $out/bin/
chmod +x $out/bin/rtk
'';
meta = with pkgs.lib; {
description = "RTK - AI coding tool enhancer";
homepage = "https://www.rtk-ai.app";
license = licenses.mit;
platforms = [ "x86_64-linux" ];
};
})
mcp-nixos
];
})
(lib.mkIf cfg.tirith.enable {
home.packages = with pkgs; [
tirith
];
})
(lib.mkIf (cfg.tirith.enable && cfg.claude-code.enable) {
home.file.".claude/hooks/tirith-check.py" = {
source = ./tirith-check.py;
executable = true;
};
home.activation.tirith-claude-code = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
${pkgs.tirith}/bin/tirith setup claude-code --with-mcp --scope user --force 2>/dev/null || true
'';
})
(lib.mkIf cfg.opencode.enable {
home.packages = with pkgs; [
opencode
];
home.file.".config/opencode/opencode.json".text = builtins.toJSON {
"$schema" = "https://opencode.ai/config.json";
permission = {
external_directory = {
"/run/secrets/" = "deny";
"~/.config/sops/age/keys.txt" = "deny";
"~/.ssh/id_rsa" = "deny";
"~/.ssh/id_ed25519" = "deny";
"~/.ssh/id_ecdsa" = "deny";
"~/.ssh/id_dsa" = "deny";
"/etc/ssh/ssh_host_rsa_key" = "deny";
"/etc/ssh/ssh_host_ed25519_key" = "deny";
"/etc/ssh/ssh_host_ecdsa_key" = "deny";
"/etc/ssh/ssh_host_dsa_key" = "deny";
};
command = {
sops = "deny";
};
};
plugin = [ "@mohak34/opencode-notifier@latest" ];
};
})
imports = [
./claude-code.nix
./opencode.nix
./tirith.nix
];
}

23
home/modules/ai-tools/opencode.nix Normal file
View File

@@ -0,0 +1,23 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.ai-tools.opencode;
in
{
options.ai-tools.opencode = {
enable = lib.mkEnableOption "opencode";
};
config = lib.mkIf cfg.enable {
home.packages = with pkgs; [
opencode
];
home.file.".config/opencode/opencode.json".text = builtins.toJSON {
plugin = [ "@mohak34/opencode-notifier@latest" ];
};
};
}

32
home/modules/ai-tools/tirith.nix Normal file
View File

@@ -0,0 +1,32 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.ai-tools;
in
{
options.ai-tools.tirith = {
enable = lib.mkEnableOption "tirith shell security guard";
};
config = lib.mkMerge [
(lib.mkIf cfg.tirith.enable {
home.packages = with pkgs; [
tirith
];
})
(lib.mkIf (cfg.tirith.enable && cfg.claude-code.enable) {
home.file.".claude/hooks/tirith-check.py" = {
source = ./tirith-check.py;
executable = true;
};
home.activation.tirith-claude-code = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
${pkgs.tirith}/bin/tirith setup claude-code --with-mcp --scope user --force 2>/dev/null || true
'';
})
];
}

4
home/modules/ssh/default.nix
View File

@@ -39,6 +39,10 @@ in
// {
"*" = {
addKeysToAgent = "yes";
identityFile = [
"~/.ssh/id_ed25519_sk"
"~/.ssh/id_ed25519"
];
};
};
};

2
hosts/andromache/ssh_user.pub
View File

@@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOXPEhdKOVnb6mkeLLUcFGt+mnUR5pMie17JtjrxwgO h@andromache
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILoWbtyewa2LUWpWCYK46OCWs+2E+BeIsk+0We20qsf9AAAABHNzaDo= h@andromache

3
modules/ssh/extract-keys.nix
View File

@@ -14,7 +14,10 @@ in
chmod 644 "$HOST_DIR/ssh_host.pub"
fi
USER_KEY="/home/${username}/.ssh/id_ed25519_sk.pub"
if [ ! -f "$USER_KEY" ]; then
USER_KEY="/home/${username}/.ssh/id_ed25519.pub"
fi
if [ -f "$USER_KEY" ] && [ -d "$HOST_DIR" ]; then
cp "$USER_KEY" "$HOST_DIR/ssh_user.pub"
chown ${username}:users "$HOST_DIR/ssh_user.pub"

2
modules/tailscale/default.nix
View File

@@ -4,6 +4,8 @@
...
}:
{
# TODO: handle auth declaratively to skip `tailscale up`
options.tailscale = {
enable = lib.mkEnableOption "tailscale";
};