wip

flake.lock

@@ -255,11 +255,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770260404,
-        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
+        "lastModified": 1771744638,
+        "narHash": "sha256-EDLi+YAsEEAmMeZe1v6GccuGRbCkpSZp/+A6g+pivR8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
+        "rev": "cb6c151f5c9db4df0b69d06894dc8484de1f16a0",
         "type": "github"
       },
       "original": {
@@ -300,11 +300,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1771545891,
-        "narHash": "sha256-aaVUfc/9q2pCsELZmYhf+uvYRMCUlBvccgL1VS27R+o=",
+        "lastModified": 1771891493,
+        "narHash": "sha256-L0OCnG8rsWJYZ3mzHSz0iENtlBXQjjcGgvMgsBqN14U=",
         "owner": "nix-community",
         "repo": "neovim-nightly-overlay",
-        "rev": "917b72d5e27bc217440655b81f701d7062bdd198",
+        "rev": "7db85d094c68697fc36801bccdf015b4c2bdb274",
         "type": "github"
       },
       "original": {
@@ -316,11 +316,11 @@
     "neovim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1771541613,
-        "narHash": "sha256-1Rpt5B4pNW/MNkWoEamqwCa5I4/9G84dSqp4eHS5zsA=",
+        "lastModified": 1771885993,
+        "narHash": "sha256-2c4H+5f0qhsp13Vx8pbsGiSRTHBJIfQaRAAUSHGEpgo=",
         "owner": "neovim",
         "repo": "neovim",
-        "rev": "e3d46a63375c84b7bd409f1f07ef56eb985eae50",
+        "rev": "d9d8c660fd5559d928c8870a21970a375674e310",
         "type": "github"
       },
       "original": {
@@ -331,11 +331,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1771207753,
-        "narHash": "sha256-b9uG8yN50DRQ6A7JdZBfzq718ryYrlmGgqkRm9OOwCE=",
+        "lastModified": 1771423170,
+        "narHash": "sha256-K7Dg9TQ0mOcAtWTO/FX/FaprtWQ8BmEXTpLIaNRhEwU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d1c15b7d5806069da59e819999d70e1cec0760bf",
+        "rev": "bcc4a9d9533c033d806a46b37dc444f9b0da49dd",
         "type": "github"
       },
       "original": {
@@ -347,11 +347,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1771612900,
-        "narHash": "sha256-ToJ0wYbphG1ZN7bgGpCJxu69Tt3ij0+T6W4YljLCHak=",
+        "lastModified": 1771932323,
+        "narHash": "sha256-3PadsTzuMJT/x0KmiD/Me1GG6rW8kaHoWVduSs0ue7o=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f65d4c996f96838b8f50253859cf7b17e956a792",
+        "rev": "89bb5c5da7a857869cc88ef9b856bffdff8af264",
         "type": "github"
       },
       "original": {
@@ -363,11 +363,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1771207753,
-        "narHash": "sha256-b9uG8yN50DRQ6A7JdZBfzq718ryYrlmGgqkRm9OOwCE=",
+        "lastModified": 1771482645,
+        "narHash": "sha256-MpAKyXfJRDTgRU33Hja+G+3h9ywLAJJNRq4Pjbb4dQs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d1c15b7d5806069da59e819999d70e1cec0760bf",
+        "rev": "724cf38d99ba81fbb4a347081db93e2e3a9bc2ae",
         "type": "github"
       },
       "original": {
@@ -379,11 +379,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1771419570,
-        "narHash": "sha256-bxAlQgre3pcQcaRUm/8A0v/X8d2nhfraWSFqVmMcBcU=",
+        "lastModified": 1771714954,
+        "narHash": "sha256-nhZJPnBavtu40/L2aqpljrfUNb2rxmWTmSjK2c9UKds=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6d41bc27aaf7b6a3ba6b169db3bd5d6159cfaa47",
+        "rev": "afbbf774e2087c3d734266c22f96fca2e78d3620",
         "type": "github"
       },
       "original": {
@@ -496,11 +496,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1771429540,
-        "narHash": "sha256-YKytDx8LOPOvE+dip1ja+1nbIpDVdqTaFbP4MaXwveM=",
+        "lastModified": 1771788390,
+        "narHash": "sha256-RzBpBwn93GWxLjacTte+ngwwg0L/BVOg4G/sSIeK3Rw=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "1a5c9d8be82127aeccc929f60b952e8a3df6b63c",
+        "rev": "ebb238f14d6f930068be4718472da3105fd5d3bf",
         "type": "github"
       },
       "original": {

flake.nix

@@ -94,6 +94,12 @@
           system = "x86_64-linux";
           users = [ ];
         };
+
+        # nixos-rebuild build-image --image-variant qemu --flake .#sandbox
+        sandbox = mkHost "sandbox" {
+          system = "x86_64-linux";
+          users = [ "gorazd" ];
+        };
       };
 
       nixosModules = import ./modules/nixos {

hosts/matej-nixos/configuration.nix

@@ -25,6 +25,7 @@ in
     inputs.self.nixosModules.workstation
     inputs.self.nixosModules.nvidia
     inputs.self.nixosModules.initrd-ssh
+    inputs.self.nixosModules.localisation
   ];
 
   yubikey.enable = true;
@@ -67,9 +68,11 @@ in
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  time.timeZone = "Europe/Ljubljana";
-  environment.variables.TZ = "America/New_York";
-  i18n.defaultLocale = "en_US.UTF-8";
+  localisation = {
+    enable = true;
+    timeZone = "Europe/Ljubljana";
+    defaultLocale = "en_US.UTF-8";
+  };
 
   # WARN:(@janezicmatej) nix-ld for running pip-installed binaries outside nix, probably want to drop this
   programs.nix-ld.enable = true;

hosts/matej-tower/configuration.nix

@@ -23,6 +23,7 @@
     inputs.self.nixosModules.tuigreet
     inputs.self.nixosModules.workstation
     inputs.self.nixosModules.initrd-ssh
+    inputs.self.nixosModules.localisation
   ];
 
   yubikey.enable = true;
@@ -59,8 +60,11 @@
     pkiBundle = "/var/lib/sbctl";
   };
 
-  time.timeZone = "Europe/Ljubljana";
-  environment.variables.TZ = "Europe/Ljubljana";
+  localisation = {
+    enable = true;
+    timeZone = "Europe/Ljubljana";
+    defaultLocale = "en_US.UTF-8";
+  };
 
   services.udisks2.enable = true;
 

hosts/sandbox/configuration.nix

@@ -0,0 +1,132 @@
+{
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    inputs.self.nixosModules.vm-guest
+    inputs.self.nixosModules.desktop
+    inputs.self.nixosModules.zsh
+  ];
+
+  vm-guest.enable = true;
+  desktop.enable = true;
+  zsh.enable = true;
+
+  programs.labwc.enable = true;
+
+  # labwc stacking compositor with auto-login
+  services.greetd =
+    let
+      labwc-session = pkgs.writeShellScript "labwc-session" ''
+        export XDG_SESSION_TYPE=wayland
+        export XDG_CURRENT_DESKTOP=labwc:wlroots
+        # software renderer for qemu virtio-vga
+        export WLR_RENDERER=pixman
+        export WLR_DRM_NO_ATOMIC=1
+        exec ${pkgs.labwc}/bin/labwc
+      '';
+    in
+    {
+      enable = true;
+      settings = {
+        default_session = {
+          command = labwc-session;
+          user = "gorazd";
+        };
+        initial_session = {
+          command = labwc-session;
+          user = "gorazd";
+        };
+      };
+    };
+
+  users = {
+    groups.gorazd = {
+      gid = 1000;
+    };
+    users.gorazd = {
+      group = "gorazd";
+      uid = 1000;
+      isNormalUser = true;
+      home = "/home/gorazd";
+      createHome = true;
+      password = "sandbox";
+      extraGroups = [
+        "wheel"
+        "users"
+      ];
+    };
+  };
+
+  # 9p mounts for host files
+  fileSystems."/home/gorazd/projects" = {
+    device = "projects";
+    fsType = "9p";
+    options = [
+      "trans=virtio"
+      "version=9p2000.L"
+      "msize=65536"
+      "nofail"
+    ];
+  };
+
+  fileSystems."/mnt/host-claude" = {
+    device = "hostclaude";
+    fsType = "9p";
+    options = [
+      "trans=virtio"
+      "version=9p2000.L"
+      "msize=65536"
+      "nofail"
+    ];
+  };
+
+  fileSystems."/mnt/host-home" = {
+    device = "hosthome";
+    fsType = "9p";
+    options = [
+      "trans=virtio"
+      "version=9p2000.L"
+      "msize=65536"
+      "nofail"
+      "ro"
+    ];
+  };
+
+  # pre-auth claude-code from host config
+  systemd.services.claude-auth = {
+    description = "Copy claude-code credentials from host mount";
+    after = [
+      "mnt-host\\x2dclaude.mount"
+      "mnt-host\\x2dhome.mount"
+    ];
+    requires = [
+      "mnt-host\\x2dclaude.mount"
+      "mnt-host\\x2dhome.mount"
+    ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "claude-auth" ''
+        mkdir -p /home/gorazd/.claude
+        cp -a /mnt/host-claude/. /home/gorazd/.claude/
+        cp /mnt/host-home/.claude.json /home/gorazd/.claude.json || true
+        chown -R gorazd:gorazd /home/gorazd/.claude /home/gorazd/.claude.json
+      '';
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    claude-code
+    labwc
+    sfwbar
+    foot
+    firefox
+  ];
+
+  system.stateVersion = "25.11";
+}

hosts/sandbox/hardware-configuration.nix

@@ -0,0 +1,18 @@
+{
+  lib,
+  modulesPath,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    autoResize = true;
+    fsType = "ext4";
+  };
+
+  boot.loader.grub.device = lib.mkDefault "/dev/vda";
+}

justfile

@@ -24,3 +24,37 @@ iso:
 # garbage collect old generations
 clean:
     sudo nix-collect-garbage $(nix eval --raw -f ./nix.nix nix.gc.options)
+
+# build sandbox VM image
+sandbox-build:
+    nixos-rebuild build-image --image-variant qemu --flake .#sandbox
+
+# run sandbox with GUI (ephemeral, changes discarded)
+sandbox-run:
+    nix shell nixpkgs#qemu -c qemu-system-x86_64 -enable-kvm -m 8G -smp 4 \
+      -drive file=$(find -L result -name '*.qcow2' | head -1),format=qcow2,snapshot=on \
+      -vga virtio -display gtk,zoom-to-fit=false \
+      -device virtio-serial-pci \
+      -chardev qemu-vdagent,id=ch1,name=vdagent,clipboard=on \
+      -device virtserialport,chardev=ch1,id=ch1,name=com.redhat.spice.0 \
+      -virtfs local,path=$HOME/git,mount_tag=projects,security_model=mapped-xattr,id=fs0 \
+      -virtfs local,path=$HOME/.claude,mount_tag=hostclaude,security_model=mapped-xattr,id=fs1 \
+      -virtfs local,path=$HOME,mount_tag=hosthome,security_model=mapped-xattr,id=fs2,readonly=on \
+      -nic user,hostfwd=tcp::2222-:22
+
+# run sandbox headless (ephemeral, changes discarded)
+sandbox-run-headless:
+    nix shell nixpkgs#qemu -c qemu-system-x86_64 -enable-kvm -m 8G -smp 4 \
+      -drive file=$(find -L result -name '*.qcow2' | head -1),format=qcow2,snapshot=on \
+      -virtfs local,path=$HOME/git,mount_tag=projects,security_model=mapped-xattr,id=fs0 \
+      -virtfs local,path=$HOME/.claude,mount_tag=hostclaude,security_model=mapped-xattr,id=fs1 \
+      -virtfs local,path=$HOME,mount_tag=hosthome,security_model=mapped-xattr,id=fs2,readonly=on \
+      -nic user,hostfwd=tcp::2222-:22 -nographic
+
+# ssh into running sandbox
+sandbox-ssh:
+    ssh -A -p 2222 gorazd@localhost
+
+# hot-mount a host directory into the running sandbox
+sandbox-mount path:
+    ssh -p 2222 gorazd@localhost "mkdir -p ~/mnt/$(basename {{path}}) && sshfs matej@10.0.2.2:{{path}} ~/mnt/$(basename {{path}})"

modules/nixos/localisation.nix

@@ -0,0 +1,28 @@
+{
+  lib,
+  config,
+  ...
+}:
+{
+  options = {
+    localisation = {
+      enable = lib.mkEnableOption "localisation defaults";
+
+      timeZone = lib.mkOption {
+        type = lib.types.str;
+      };
+
+      defaultLocale = lib.mkOption {
+        type = lib.types.str;
+      };
+    };
+  };
+
+  config = lib.mkIf config.localisation.enable {
+    time.timeZone = config.localisation.timeZone;
+    i18n.defaultLocale = config.localisation.defaultLocale;
+
+    # NOTE:(@janezicmatej) some apps (e.g. java) need TZ env var explicitly
+    environment.variables.TZ = config.localisation.timeZone;
+  };
+}

modules/nixos/vm-guest.nix

@@ -0,0 +1,55 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+{
+
+  options = {
+    vm-guest = {
+      enable = lib.mkEnableOption "VM guest configuration";
+    };
+  };
+
+  config = lib.mkIf config.vm-guest.enable {
+    services.qemuGuest.enable = true;
+    services.spice-vdagentd.enable = true;
+
+    # 9p for host file mounting
+    boot.initrd.availableKernelModules = [
+      "9p"
+      "9pnet_virtio"
+    ];
+    boot.kernelModules = [
+      "9p"
+      "9pnet_virtio"
+    ];
+
+    # ssh with agent forwarding for git and hot-mount
+    services.openssh = {
+      enable = true;
+      ports = [ 22 ];
+      settings = {
+        PasswordAuthentication = true;
+        PermitRootLogin = "no";
+        AllowAgentForwarding = true;
+        StreamLocalBindUnlink = "yes";
+      };
+    };
+
+    networking = {
+      useDHCP = true;
+      firewall.allowedTCPPorts = [ 22 ];
+    };
+
+    security.sudo.wheelNeedsPassword = false;
+
+    environment.systemPackages = with pkgs; [
+      curl
+      wget
+      htop
+      sshfs
+    ];
+  };
+}

users/gorazd/home-manager.nix

@@ -17,6 +17,26 @@ in
     pkgs.git
   ];
 
+  # labwc desktop menu (right-click)
+  xdg.configFile."labwc/menu.xml".text = ''
+    <?xml version="1.0" encoding="UTF-8"?>
+    <openbox_menu>
+      <menu id="root-menu" label="">
+        <item label="Terminal"><action name="Execute"><command>foot</command></action></item>
+        <item label="Firefox"><action name="Execute"><command>firefox</command></action></item>
+        <item label="Files"><action name="Execute"><command>foot -e ranger</command></action></item>
+        <separator />
+        <item label="Reconfigure"><action name="Reconfigure" /></item>
+        <item label="Exit"><action name="Exit" /></item>
+      </menu>
+    </openbox_menu>
+  '';
+
+  # labwc autostart panel
+  xdg.configFile."labwc/autostart".text = ''
+    sfwbar &
+  '';
+
   programs.neovim = {
     enable = true;
     vimAlias = true;