feat: update systemd.user.extraConfig to systemd.user.settings.Manager

- bump claude-code to v2.1.175

features/bootloader.nix

@@ -3,11 +3,23 @@
     {
       config,
       lib,
+      pkgs,
       inputs,
       ...
     }:
     let
       cfg = config.features.bootloader;
+      keyDir = "/etc/secrets/initrd";
+
+      mkIpString =
+        {
+          address,
+          gateway,
+          netmask,
+          interface,
+          ...
+        }:
+        "${address}::${gateway}:${netmask}::${interface}:none";
     in
     {
       imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
@@ -23,15 +35,92 @@
           default = "systemd-boot";
         };
 
-        plymouth.enable = lib.mkEnableOption "plymouth boot splash";
+        configurationLimit = lib.mkOption {
+          type = lib.types.int;
+          default = 10;
+        };
+
+        consoleFont = lib.mkOption {
+          type = lib.types.str;
+          default = "ter-v32n";
+        };
+
+        resumeDevice = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+
+        initrdSsh = {
+          enable = lib.mkEnableOption "remote LUKS unlock via ssh in initrd";
+
+          networkModule = lib.mkOption {
+            type = lib.types.str;
+          };
+
+          ip = {
+            enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
+
+            address = lib.mkOption {
+              type = lib.types.str;
+            };
+
+            gateway = lib.mkOption {
+              type = lib.types.str;
+            };
+
+            netmask = lib.mkOption {
+              type = lib.types.str;
+              default = "255.255.255.0";
+            };
+
+            interface = lib.mkOption {
+              type = lib.types.str;
+            };
+          };
+
+          authorizedKeys = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = [ ];
+          };
+        };
       };
 
       config = lib.mkIf cfg.enable (
         lib.mkMerge [
           {
             boot.loader.efi.canTouchEfiVariables = true;
-            # request the largest framebuffer uefi offers; plymouth inherits it
+
-            boot.loader.systemd-boot.consoleMode = "max";
+            # lanzaboote inherits editor + configurationLimit from systemd-boot.*
+            boot.loader.systemd-boot = {
+              editor = false;
+              inherit (cfg) configurationLimit;
+            };
+
+            boot.initrd.systemd.enable = true;
+
+            # wait forever at the luks prompt instead of timing out the device
+            # job; applies whether the prompt is local or forwarded via initrd ssh
+            boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
+
+            # block simpledrm so fbcon defers until the gpu driver binds; avoids
+            # the simpledrm -> real-driver fbcon transition that mangles console
+            # text and leaves the luks prompt typing offset from the visible
+            # surface. hosts must put the gpu driver in initrd (nixos-hardware
+            # does this for amd; manual hardware.amdgpu.initrd.enable on others)
+            boot.kernelParams = [ "initcall_blacklist=simpledrm_platform_driver_init" ];
+
+            # verbose boot: kernel messages and systemd unit lines visible end
+            # to end. trade-off: the luks prompt will be interleaved with the
+            # last few "Starting/Started ..." lines (no upstream fix exists
+            # without plymouth). boot.initrd.verbose is a no-op under
+            # systemd-initrd, so not set here.
+
+            # readable luks prompt at panel-native dpi
+            console = {
+              earlySetup = true;
+              font = cfg.consoleFont;
+              packages = [ pkgs.terminus_font ];
+            };
           }
 
           (lib.mkIf (cfg.mode == "systemd-boot") {
@@ -46,26 +135,39 @@
             };
           })
 
-          (lib.mkIf cfg.plymouth.enable {
+          (lib.mkIf (cfg.resumeDevice != null) {
-            # plymouth needs systemd-initrd to render the luks prompt cleanly
+            boot.resumeDevice = cfg.resumeDevice;
-            boot.initrd.systemd.enable = true;
+          })
 
-            # host is responsible for early-KMS so plymouth lands on the gpu driver,
+          (lib.mkIf cfg.initrdSsh.enable {
-            # not simpledrm (e.g. hardware.amdgpu.initrd.enable on amd hosts)
+            boot.initrd.availableKernelModules = [ cfg.initrdSsh.networkModule ];
-            boot.plymouth.enable = true;
-            stylix.targets.plymouth.logoAnimated = false;
 
-            boot.kernelParams = [
+            boot.kernelParams = lib.mkIf cfg.initrdSsh.ip.enable [
-              "quiet"
+              "ip=${mkIpString cfg.initrdSsh.ip}"
-              "splash"
-              "loglevel=3"
-              "rd.systemd.show_status=false"
-              "rd.udev.log_level=3"
-              "udev.log_priority=3"
-              "plymouth.force-scale=1"
             ];
-            boot.consoleLogLevel = 0;
+
-            boot.initrd.verbose = false;
+            boot.initrd.network = {
+              enable = true;
+              ssh = {
+                enable = true;
+                port = 22;
+                hostKeys = [
+                  "${keyDir}/ssh_host_rsa_key"
+                  "${keyDir}/ssh_host_ed25519_key"
+                ];
+                inherit (cfg.initrdSsh) authorizedKeys;
+              };
+            };
+
+            # forward LUKS password prompt to the ssh session (systemd-initrd idiom)
+            boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
+
+            boot.initrd.systemd.network.networks = lib.mkIf (!cfg.initrdSsh.ip.enable) {
+              "10-initrd" = {
+                matchConfig.Driver = cfg.initrdSsh.networkModule;
+                networkConfig.DHCP = "yes";
+              };
+            };
           })
         ]
       );

features/desktop.nix

@@ -87,6 +87,9 @@
               inherit (cfg.theme) polarity;
               image = cfg.theme.wallpaper;
               base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme.scheme}.yaml";
+
+              # TEMP:(@janezicmatej) stylix kmscon target sets nixpkgs-removed options
+              targets.kmscon.enable = false;
             };
           }
 
@@ -124,7 +127,7 @@
               rocketchat-desktop
               telegram-desktop
               slack
-              jellyfin-media-player
+              jellyfin-desktop
               cider-2
               mpv
               ffmpeg

features/initrd-ssh.nix

@@ -1,90 +0,0 @@
-{
-  nixos =
-    { lib, config, ... }:
-    let
-      cfg = config.features.initrd-ssh;
-      keyDir = "/etc/secrets/initrd";
-
-      mkIpString =
-        {
-          address,
-          gateway,
-          netmask,
-          interface,
-          ...
-        }:
-        "${address}::${gateway}:${netmask}::${interface}:none";
-    in
-    {
-      options.features.initrd-ssh = {
-        enable = lib.mkEnableOption "initrd ssh";
-
-        ip = {
-          enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
-
-          address = lib.mkOption {
-            type = lib.types.str;
-          };
-
-          gateway = lib.mkOption {
-            type = lib.types.str;
-          };
-
-          netmask = lib.mkOption {
-            type = lib.types.str;
-            default = "255.255.255.0";
-          };
-
-          interface = lib.mkOption {
-            type = lib.types.str;
-          };
-        };
-
-        authorizedKeys = lib.mkOption {
-          type = lib.types.listOf lib.types.str;
-          default = [ ];
-        };
-
-        networkModule = lib.mkOption {
-          type = lib.types.str;
-        };
-      };
-
-      config = lib.mkIf cfg.enable {
-        boot.initrd.availableKernelModules = [ cfg.networkModule ];
-        boot.initrd.kernelModules = [ cfg.networkModule ];
-        boot.kernelParams = lib.mkIf cfg.ip.enable [
-          "ip=${mkIpString cfg.ip}"
-        ];
-
-        boot.initrd.systemd.enable = true;
-
-        # remote unlock may take a while; don't let device units give up
-        boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
-
-        boot.initrd.network = {
-          enable = true;
-          ssh = {
-            enable = true;
-            port = 22;
-            hostKeys = [
-              "${keyDir}/ssh_host_rsa_key"
-              "${keyDir}/ssh_host_ed25519_key"
-            ];
-            inherit (cfg) authorizedKeys;
-          };
-        };
-
-        # systemd-networkd retries DHCP indefinitely, unlike udhcpc
-        boot.initrd.systemd.network.networks = lib.mkIf (!cfg.ip.enable) {
-          "10-initrd" = {
-            matchConfig.Driver = cfg.networkModule;
-            networkConfig.DHCP = "yes";
-          };
-        };
-
-        # forward LUKS password prompt to the SSH session
-        boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
-      };
-    };
-}

features/networkmanager.nix

@@ -1,6 +1,11 @@
 {
   nixos =
-    { config, lib, ... }:
+    {
+      config,
+      lib,
+      user,
+      ...
+    }:
     let
       cfg = config.features.networkmanager;
     in
@@ -13,6 +18,8 @@
           "1.1.1.1"
           "8.8.8.8"
         ];
+
+        users.users.${user}.extraGroups = [ "networkmanager" ];
       };
     };
 }

features/power.nix

@@ -8,11 +8,6 @@
       options.features.power = {
         enable = lib.mkEnableOption "laptop power management";
 
-        resumeDevice = lib.mkOption {
-          type = lib.types.nullOr lib.types.str;
-          default = null;
-        };
-
         lidSwitch = lib.mkOption {
           type = lib.types.str;
           default = "suspend-then-hibernate";
@@ -40,8 +35,6 @@
       };
 
       config = lib.mkIf cfg.enable {
-        boot.resumeDevice = lib.mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
-
         services.logind.settings.Login = {
           HandleLidSwitch = cfg.lidSwitch;
           HandlePowerKey = cfg.powerKey;

flake.lock

@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777713215,
+        "lastModified": 1781152676,
-        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
+        "narHash": "sha256-RxWs5ND31KzTG7wvMM+PMfUjyNpmIEr999lqNARaM5o=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
+        "rev": "ff8702b4de27f72b4c78573dfb89ec74e36abdf1",
         "type": "github"
       },
       "original": {
@@ -122,11 +122,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1776136500,
+        "lastModified": 1779670703,
-        "narHash": "sha256-r0gN2brVWA351zwMV0Flmlcd6SGMvYqFbvC3DfKFM8Y=",
+        "narHash": "sha256-UdfMivNMwCCqQsYDg5pSz8X2IOaOrIZLIIy+Bg3CO2o=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "0f8ba203d475587f477e7ae12661bd8459e225b7",
+        "rev": "942159e73e40bf785816f7f1f5feed9ef3d7c8f9",
         "type": "github"
       },
       "original": {
@@ -156,11 +156,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1777678872,
+        "lastModified": 1778716662,
-        "narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=",
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "5250617bffd85403b14dbf43c3870e7f255d2c16",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -177,11 +177,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777678872,
+        "lastModified": 1778716662,
-        "narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=",
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "5250617bffd85403b14dbf43c3870e7f255d2c16",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -198,11 +198,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775087534,
+        "lastModified": 1778716662,
-        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -273,11 +273,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777852249,
+        "lastModified": 1781189114,
-        "narHash": "sha256-XdbGWnFlX4McOEG5NioVsp35Ic6XL/rXnp8as71cu6o=",
+        "narHash": "sha256-5inaamLgUMWy+MOBE9ChF9QAF1o/74LFuHkI0W/9rqc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c909892de502b4de9e92838a503c09a9c8ebe4aa",
+        "rev": "486595d2cf49cfcd649b58a284fa11ac0e34da22",
         "type": "github"
       },
       "original": {
@@ -317,11 +317,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1777853108,
+        "lastModified": 1781247552,
-        "narHash": "sha256-GyUvw2G212P0nDfUh6/4fPfZK1UBJak1MYr6If8b7H4=",
+        "narHash": "sha256-WBnopP5Ln0BsEb1Ix2ylLuBvfV6YB5Zr4z6Hqo31Ccs=",
         "owner": "nix-community",
         "repo": "neovim-nightly-overlay",
-        "rev": "06974a7b4913f950c67eaa398ac0c5781e29fe9c",
+        "rev": "2a8dddeeea5e6b98159a90c73deb65351b1748f9",
         "type": "github"
       },
       "original": {
@@ -333,11 +333,11 @@
     "neovim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1777850416,
+        "lastModified": 1781212614,
-        "narHash": "sha256-a/mK2LVrU8zFBt2iZRngGv2Qu+7ju/SL4je8BewBpBg=",
+        "narHash": "sha256-ZJXg/EUJvbrMx8Qprs/Sg9EYsbXJc49NxVmHdzJn1s0=",
         "owner": "neovim",
         "repo": "neovim",
-        "rev": "0e69a380263f5a78d11cd05c65cc224a3c74b53e",
+        "rev": "3ed78daf83aa88003f52234e6b493c9718b2d987",
         "type": "github"
       },
       "original": {
@@ -347,12 +347,15 @@
       }
     },
     "nixos-hardware": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
       "locked": {
-        "lastModified": 1777796046,
+        "lastModified": 1781168557,
-        "narHash": "sha256-bEJp/zaQApzynGRaAO62BZSz9tFikKtIHCn2yIA/s7Q=",
+        "narHash": "sha256-LOnLQ2tpYF9gqIDDr3+j3DbpJJr/QCH6zPRT2GzEUOE=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "eeb02f6e29fc8139c0b15af5ff0fdfdc6d0d3d90",
+        "rev": "6358ff76821101c178e3ab4919a62799bfe3652e",
         "type": "github"
       },
       "original": {
@@ -364,11 +367,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1777641297,
+        "lastModified": 1781173989,
-        "narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=",
+        "narHash": "sha256-fnzKKPvS+oieI/pTzotA5tkoM47EB1NpaBcgk4R97hE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0",
+        "rev": "8c91a71d13451abc40eb9dae8910f972f979852f",
         "type": "github"
       },
       "original": {
@@ -395,11 +398,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1777879473,
+        "lastModified": 1781257547,
-        "narHash": "sha256-tRKCOIIFH8gj6YZtd2PdTKwhPRJUmHa0I+vold0EcgY=",
+        "narHash": "sha256-hJdOzVAu4sFVlVDmTO5nD1+71jqnp2bJDmd4fw1BrVg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "93fb83c111c35a6f88e9edfb0d9c3a494f3e1400",
+        "rev": "ac8a9daf3acf68ae5e259081204afa447b55f871",
         "type": "github"
       },
       "original": {
@@ -411,11 +414,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1777673416,
+        "lastModified": 1780952837,
-        "narHash": "sha256-5c2POKPOjU40Kh0MirOdScBLG0bu9TAuPYAtPRNZMBs=",
+        "narHash": "sha256-Fwd1+spDtQ0hDyBwme6ufG3n4mY0UrjjFdYHv+G/Hds=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "26ef669cffa904b6f6832ab57b77892a37c1a671",
+        "rev": "e820eb4a444b46a19b2e03e8dfd2359439ff30fe",
         "type": "github"
       },
       "original": {
@@ -427,11 +430,24 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1777578337,
+        "lastModified": 1767892417,
-        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
+        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1781074563,
+        "narHash": "sha256-md8WlXOlfnIeHeOScMTTHFyf2d6iaTwPl2apR5EQ3P4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
+        "rev": "9ae611a455b90cf061d8f332b977e387bda8e1ca",
         "type": "github"
       },
       "original": {
@@ -453,11 +469,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777598946,
+        "lastModified": 1780281641,
-        "narHash": "sha256-X239dAGaU1+gfDj8jKH8GzlqKMcxaVfXOio+uzBOkeE=",
+        "narHash": "sha256-M/+hUKoKbHXpV0xGVfELbN1Ds1aoe3pL5p5/t46YhVo=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "5d55af01c0f86be583931fe99207fc56c14134b3",
+        "rev": "30f9ae2f04174de63ba8bcf3580ca90843b28a01",
         "type": "github"
       },
       "original": {
@@ -514,7 +530,7 @@
         "lanzaboote": "lanzaboote",
         "neovim-nightly-overlay": "neovim-nightly-overlay",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-stable": "nixpkgs-stable",
         "nvim": "nvim",
@@ -550,11 +566,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777338324,
+        "lastModified": 1780547341,
-        "narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
+        "narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
+        "rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
         "type": "github"
       },
       "original": {
@@ -583,11 +599,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1777835090,
+        "lastModified": 1781018772,
-        "narHash": "sha256-VLH8zPweblCOvpnQXp4fVs7f6Q79YhXF5XFKlOrvIFk=",
+        "narHash": "sha256-C+cGIUaC6dqfwTbI+BwCd572PbESGA3WYxR1sLTqxkY=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "7989a1054b01153212dede6005abfd1576b8328c",
+        "rev": "a378e4c09031fb15a4d65da88aa628f71fc52f6b",
         "type": "github"
       },
       "original": {
@@ -630,11 +646,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1777041405,
+        "lastModified": 1777806186,
-        "narHash": "sha256-BAGZ7ObFV/9Z61OJZun7ifPyhkuHqNuW1QIhQ8LuzCo=",
+        "narHash": "sha256-PDF0/wObw4nIsSBeXVYLsloXOiphXCgIdsrNcVXguKs=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "5f868b3a338b6904c47f3833b9c411be641983a8",
+        "rev": "0c94645546f4f3ddac77a1a5fce54eb95bf50795",
         "type": "github"
       },
       "original": {
@@ -646,11 +662,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1777169200,
+        "lastModified": 1778379944,
-        "narHash": "sha256-h7dDbIzP5hDr9v97w9PL6jdAgXawmj6krcH+959rqpU=",
+        "narHash": "sha256-wPDFzMGSlARlw0Sfsn48Q2+jPSfk6N0Ng6BC/d+7Q24=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "f798c2dce44ef815bb6b8f05a82135c7942d35ac",
+        "rev": "fe0203a198690e71a5ff11e08812a4673de3678d",
         "type": "github"
       },
       "original": {
@@ -662,11 +678,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1777463218,
+        "lastModified": 1778378178,
-        "narHash": "sha256-Bhkozqtq3BKLqWTlmKm8uAptfX4aRGI8QX3eEL54Vpc=",
+        "narHash": "sha256-OXPXRIQgGwV77HjYRryOHguh4ALX96jkg+tseLkGgHA=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "5768d08ed2e7944a26a958868cdb073cb8856dae",
+        "rev": "9cd816033ff969415b190722cddf134e78a5665f",
         "type": "github"
       },
       "original": {

flake/dev-components.nix

@@ -14,11 +14,9 @@ let
   mkNode = nodejs: {
     packages = [
       nodejs
-      pkgs.corepack
+      (pkgs.pnpm.override { withNode = false; })
+      (pkgs.yarn.override { withNode = false; })
     ];
-    env = {
-      COREPACK_ENABLE_STRICT = "0";
-    };
   };
 
   mkUv = python: {

flake/hosts.nix

@@ -55,7 +55,6 @@ in
         "git"
         "gnupg"
         "harmonia"
-        "initrd-ssh"
         "localisation"
         "neovim"
         "networkmanager"
@@ -124,6 +123,7 @@ in
         "localisation"
         "networkmanager"
         "nix-settings"
+        "onepassword"
         "sway"
         "udev"
         "zsh"

flake/overlays.nix

@@ -2,6 +2,6 @@
 
 {
   flake.overlays.default = final: _prev: {
-    mcp-nixos = inputs.nixpkgs-stable.legacyPackages.${final.stdenv.hostPlatform.system}.mcp-nixos;
+    inherit (inputs.nixpkgs-stable.legacyPackages.${final.stdenv.hostPlatform.system}) mcp-nixos;
   };
 }

hosts/fw16/configuration.nix

@@ -10,16 +10,13 @@
     inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
   ];
 
-  features.bootloader.plymouth.enable = true;
+  features.bootloader.resumeDevice = "/dev/mapper/vg0-swap";
   features.desktop.bluetooth.enable = true;
   features.gnupg.yubikey.enable = true;
   features.udev = {
     ledger.enable = true;
     keyboard-zsa.enable = true;
   };
-  features.power.resumeDevice = "/dev/disk/by-uuid/ff4750e7-3a9f-42c2-bb68-c458a6560540";
-
-  boot.kernelParams = [ "pcie_aspm.policy=powersupersave" ];
 
   programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;
 

hosts/fw16/hardware-configuration.nix

@@ -37,10 +37,7 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/42D9-FAFD";
     fsType = "vfat";
-    options = [
+    options = [ "umask=0077" ];
-      "fmask=0022"
-      "dmask=0022"
-    ];
   };
 
   swapDevices = [

hosts/tower/configuration.nix

@@ -8,7 +8,11 @@
   features.nix-settings.towerCache.enable = false;
   features.bootloader = {
     mode = "lanzaboote";
-    plymouth.enable = true;
+    initrdSsh = {
+      enable = true;
+      networkModule = "r8169";
+      authorizedKeys = userKeys.sshAuthorizedKeys;
+    };
   };
   features.desktop.bluetooth.enable = true;
   features.gnupg.yubikey.enable = true;
@@ -16,17 +20,14 @@
     ledger.enable = true;
     keyboard-zsa.enable = true;
   };
-  features.initrd-ssh = {
-    networkModule = "r8169";
-    authorizedKeys = userKeys.sshAuthorizedKeys;
-  };
 
   # nix store signing
   sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
   nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
 
   boot.kernelParams = [ "btusb.reset=1" ];
-  # early kms so plymouth lands on amdgpu, not simpledrm
+  # pairs with bootloader's simpledrm initcall blacklist: amdgpu owns fbcon
+  # from the start, no driver-swap mode-set
   hardware.amdgpu.initrd.enable = true;
 
   services.udisks2.enable = true;

justfile

@@ -2,31 +2,20 @@
 default:
     @just --list
 
-# rebuild and switch
+# rebuild the system
-switch config="":
+rebuild op="switch" host=`hostname`:
-    nixos-rebuild switch --flake .{{ if config != "" { "#" + config } else { "" } }} --sudo
+    nixos-rebuild {{op}} --flake .#{{host}} --sudo
-
-# fetch flake inputs
-sync:
-    nix flake prefetch-inputs
 
 # update flake inputs
 update:
     nix flake update
 
-# update flake inputs, rebuild and switch
-bump: update switch
-
-# update a package to latest version
-update-package pkg:
-    bash packages/{{pkg}}/update.sh
-
 # update all packages with update scripts
-update-package-all:
+update-package:
     @for script in packages/*/update.sh; do bash "$script"; done
 
 # build all packages and hosts
-build:
+check:
     nix flake check
 
 # build installation iso
@@ -37,10 +26,6 @@ iso:
 ephvm *ARGS:
     bash scripts/ephvm-run.sh {{ARGS}}
 
-# ssh into running ephemeral VM
-ephvm-ssh port="2222":
-    ssh -p {{port}} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null matej@localhost
-
 # provision a host with nixos-anywhere
 provision host ip:
     #!/usr/bin/env bash
@@ -59,9 +44,9 @@ provision host ip:
     ssh root@{{ip}} reboot
 
 # deploy config to a remote host
-deploy host remote=host:
+deploy op="switch" host=`hostname` remote=host:
-    nixos-rebuild switch --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
+    nixos-rebuild {{op}} --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
 
 # garbage collect old generations
-clean:
+clean host=`hostname`:
-    sudo nix-collect-garbage $(nix eval --raw -f ./nix.nix nix.gc.options)
+    sudo nix-collect-garbage $(nix eval --raw .#nixosConfigurations.{{host}}.config.nix.gc.options)

lib/mkHost.nix

@@ -87,6 +87,25 @@ nixpkgs.lib.nixosSystem {
     { nixpkgs.config.allowUnfree = true; }
     { networking.hostName = name; }
 
+    # TEMP:(@janezicmatej) temporary mitigation for dirty frag
+    # blocks esp4/esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500)
+    # remove once nixpkgs ships a kernel with f4c50a4034e6 and the rxrpc fix
+    {
+      boot.blacklistedKernelModules = [
+        "esp4"
+        "esp6"
+        "rxrpc"
+      ];
+    }
+
+    # cap unit stop timeout so a single misbehaving app (electron, etc) can't
+    # block poweroff for the full 90s default. user-scope cap is required for
+    # session-N.scope to honor it. see discourse/49711
+    {
+      systemd.settings.Manager.DefaultTimeoutStopSec = "10s";
+      systemd.user.settings.Manager.DefaultTimeoutStopSec = "10s";
+    }
+
     featureEnableModule
     hostConfig
   ]

nix.nix

@@ -1,33 +0,0 @@
-{
-  nix = {
-    settings = {
-      experimental-features = [
-        "nix-command"
-        "flakes"
-      ];
-      download-buffer-size = 2 * 1024 * 1024 * 1024;
-      warn-dirty = false;
-      substituters = [
-        "https://cache.nixos.org"
-        "https://nix-community.cachix.org?priority=45"
-        "http://tower:5000?priority=50"
-      ];
-      trusted-public-keys = [
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "matej.nix-1:TdbemLVYblvAxqJcwb3mVKmmr3cfzXbMcZHE5ILnZDE="
-      ];
-    };
-
-    gc = {
-      automatic = true;
-      dates = "monthly";
-      options = "--delete-older-than 30d";
-    };
-
-    optimise = {
-      automatic = true;
-      dates = [ "monthly" ];
-    };
-  };
-}

packages/claude-code/package.nix

@@ -2,7 +2,7 @@
 
 let
   inherit (pkgs) stdenv lib;
-  version = "2.1.126";
+  version = "2.1.175";
 
   # upstream ships platform-native binaries as separate npm packages under
   # @anthropic-ai/claude-code-<platform>; the wrapper package is just a
@@ -10,19 +10,19 @@ let
   sources = {
     "x86_64-linux" = {
       slug = "linux-x64";
-      hash = "sha256-RTei2TOHb4OB9RTWILLuYDnwJT2PxyAwn3TwASOFYIc=";
+      hash = "sha256-UtPkBFG+XoNunpJ6OECQNrlIooNVATOZpT2jPQd3iMk=";
     };
     "aarch64-linux" = {
       slug = "linux-arm64";
-      hash = "sha256-RTBJeh99Yiqdq5sNPLRENGD5mOapW3t9FkDlW+MiAQQ=";
+      hash = "sha256-xUdp09sTdMqWNdFXQbQDHdSvhrt4vPcO9loUFfEWSlo=";
     };
     "x86_64-darwin" = {
       slug = "darwin-x64";
-      hash = "sha256-Xii9HPQEdg6HQVHMqkIV7Js4aeedCjlg5xJBF3Ef7oQ=";
+      hash = "sha256-DbvJSEsXMPxXXjXbCf0NLabrhaV/Q83YLPPZI1ubPkM=";
     };
     "aarch64-darwin" = {
       slug = "darwin-arm64";
-      hash = "sha256-UKgwm0AGcO7fFZttIUR4LEQAH2NRfjerV7IByp3Nbqk=";
+      hash = "sha256-FUig303ozhhubYtq6FjIM3tGIwlESttQVS1khC4pLwA=";
     };
   };