wip

- bump flake inputs
- bump claude-code to 2.1.138

.git-blame-ignore-revs

@@ -2,6 +2,7 @@
 f011c8d71ba09bd94ab04b8d771858b90a03fbf9
 3aff25b4486a143cd6282f8845c16216598e1c7e
 2204b12fadf27886058e6945806ce93a547f5278
+77236af5896524218605badcd3cdfc2267b213da
 
 # host rename
 cfe4c43887a41e52be4e6472474c0fc3788f86e8

features/bootloader.nix

@@ -3,11 +3,23 @@
     {
       config,
       lib,
+      pkgs,
       inputs,
       ...
     }:
     let
       cfg = config.features.bootloader;
+      keyDir = "/etc/secrets/initrd";
+
+      mkIpString =
+        {
+          address,
+          gateway,
+          netmask,
+          interface,
+          ...
+        }:
+        "${address}::${gateway}:${netmask}::${interface}:none";
     in
     {
       imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
@@ -22,12 +34,89 @@
           ];
           default = "systemd-boot";
         };
+
+        configurationLimit = lib.mkOption {
+          type = lib.types.int;
+          default = 10;
+        };
+
+        consoleFont = lib.mkOption {
+          type = lib.types.str;
+          default = "ter-v32n";
+        };
+
+        resumeDevice = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+
+        initrdSsh = {
+          enable = lib.mkEnableOption "remote LUKS unlock via ssh in initrd";
+
+          networkModule = lib.mkOption {
+            type = lib.types.str;
+          };
+
+          ip = {
+            enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
+
+            address = lib.mkOption {
+              type = lib.types.str;
+            };
+
+            gateway = lib.mkOption {
+              type = lib.types.str;
+            };
+
+            netmask = lib.mkOption {
+              type = lib.types.str;
+              default = "255.255.255.0";
+            };
+
+            interface = lib.mkOption {
+              type = lib.types.str;
+            };
+          };
+
+          authorizedKeys = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = [ ];
+          };
+        };
       };
 
       config = lib.mkIf cfg.enable (
         lib.mkMerge [
           {
             boot.loader.efi.canTouchEfiVariables = true;
+
+            # lanzaboote inherits editor + configurationLimit from systemd-boot.*
+            boot.loader.systemd-boot = {
+              editor = false;
+              inherit (cfg) configurationLimit;
+            };
+
+            boot.initrd.systemd.enable = true;
+
+            # block simpledrm so fbcon defers until the gpu driver binds; avoids
+            # the simpledrm -> real-driver fbcon transition that mangles console
+            # text and leaves the luks prompt typing offset from the visible
+            # surface. hosts must put the gpu driver in initrd (nixos-hardware
+            # does this for amd; manual hardware.amdgpu.initrd.enable on others)
+            boot.kernelParams = [ "initcall_blacklist=simpledrm_platform_driver_init" ];
+
+            # verbose boot: kernel messages and systemd unit lines visible end
+            # to end. trade-off: the luks prompt will be interleaved with the
+            # last few "Starting/Started ..." lines (no upstream fix exists
+            # without plymouth). boot.initrd.verbose is a no-op under
+            # systemd-initrd, so not set here.
+
+            # readable luks prompt at panel-native dpi
+            console = {
+              earlySetup = true;
+              font = cfg.consoleFont;
+              packages = [ pkgs.terminus_font ];
+            };
           }
 
           (lib.mkIf (cfg.mode == "systemd-boot") {
@@ -41,6 +130,43 @@
               pkiBundle = "/var/lib/sbctl";
             };
           })
+
+          (lib.mkIf (cfg.resumeDevice != null) {
+            boot.resumeDevice = cfg.resumeDevice;
+          })
+
+          (lib.mkIf cfg.initrdSsh.enable {
+            boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
+
+            boot.initrd.availableKernelModules = [ cfg.initrdSsh.networkModule ];
+
+            boot.kernelParams = lib.mkIf cfg.initrdSsh.ip.enable [
+              "ip=${mkIpString cfg.initrdSsh.ip}"
+            ];
+
+            boot.initrd.network = {
+              enable = true;
+              ssh = {
+                enable = true;
+                port = 22;
+                hostKeys = [
+                  "${keyDir}/ssh_host_rsa_key"
+                  "${keyDir}/ssh_host_ed25519_key"
+                ];
+                inherit (cfg.initrdSsh) authorizedKeys;
+              };
+            };
+
+            # forward LUKS password prompt to the ssh session (systemd-initrd idiom)
+            boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
+
+            boot.initrd.systemd.network.networks = lib.mkIf (!cfg.initrdSsh.ip.enable) {
+              "10-initrd" = {
+                matchConfig.Driver = cfg.initrdSsh.networkModule;
+                networkConfig.DHCP = "yes";
+              };
+            };
+          })
         ]
       );
     };

features/desktop.nix

@@ -71,6 +71,12 @@
               ];
             };
 
+            # honor persist_mode so electron apps don't re-prompt for screencast every login
+            systemd.user.services.xdg-desktop-portal-wlr.environment.XDPW_PERSIST_MODE = "permanent";
+
+            # enable ozone/wayland for electron apps so idle detection works
+            environment.sessionVariables.NIXOS_OZONE_WL = "1";
+
             fonts.packages = with pkgs; [
               font-awesome
               nerd-fonts.jetbrains-mono
@@ -99,7 +105,11 @@
           # bluetooth
           (lib.mkIf cfg.bluetooth.enable {
             hardware.bluetooth.enable = true;
-            services.blueman.enable = true;
+            services.blueman = {
+              enable = true;
+              # TEMP:(@janezicmatej) workaround for nixpkgs#514705, fix in nixpkgs#517250
+              withApplet = false;
+            };
           })
 
           # apps
@@ -114,7 +124,7 @@
               bolt-launcher
               libnotify
               bibata-cursors
-              vesktop
+              discord
               rocketchat-desktop
               telegram-desktop
               slack
@@ -256,7 +266,7 @@
 
                 # app deep links
                 "x-scheme-handler/tg" = "org.telegram.desktop.desktop";
-                "x-scheme-handler/discord" = "vesktop.desktop";
+                "x-scheme-handler/discord" = "discord.desktop";
                 "x-scheme-handler/slack" = "slack.desktop";
               };
             };

features/initrd-ssh.nix

@@ -1,87 +0,0 @@
-{
-  nixos =
-    { lib, config, ... }:
-    let
-      cfg = config.features.initrd-ssh;
-      keyDir = "/etc/secrets/initrd";
-
-      mkIpString =
-        {
-          address,
-          gateway,
-          netmask,
-          interface,
-          ...
-        }:
-        "${address}::${gateway}:${netmask}::${interface}:none";
-    in
-    {
-      options.features.initrd-ssh = {
-        enable = lib.mkEnableOption "initrd ssh";
-
-        ip = {
-          enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
-
-          address = lib.mkOption {
-            type = lib.types.str;
-          };
-
-          gateway = lib.mkOption {
-            type = lib.types.str;
-          };
-
-          netmask = lib.mkOption {
-            type = lib.types.str;
-            default = "255.255.255.0";
-          };
-
-          interface = lib.mkOption {
-            type = lib.types.str;
-          };
-        };
-
-        authorizedKeys = lib.mkOption {
-          type = lib.types.listOf lib.types.str;
-          default = [ ];
-        };
-
-        networkModule = lib.mkOption {
-          type = lib.types.str;
-        };
-      };
-
-      config = lib.mkIf cfg.enable {
-        boot.initrd.availableKernelModules = [ cfg.networkModule ];
-        boot.initrd.kernelModules = [ cfg.networkModule ];
-        boot.kernelParams = lib.mkIf cfg.ip.enable [
-          "ip=${mkIpString cfg.ip}"
-        ];
-
-        boot.initrd.systemd.enable = true;
-
-        boot.initrd.network = {
-          enable = true;
-          ssh = {
-            enable = true;
-            port = 22;
-            hostKeys = [
-              "${keyDir}/ssh_host_rsa_key"
-              "${keyDir}/ssh_host_ed25519_key"
-            ];
-            inherit (cfg) authorizedKeys;
-          };
-        };
-
-        # systemd-networkd retries DHCP indefinitely, unlike udhcpc
-        boot.initrd.systemd.network.networks = lib.mkIf (!cfg.ip.enable) {
-          "10-initrd" = {
-            matchConfig.Driver = cfg.networkModule;
-            networkConfig.DHCP = "yes";
-          };
-        };
-
-        # forward LUKS password prompt to the SSH session
-        boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
-      };
-    };
-}

features/neovim.nix

@@ -39,6 +39,7 @@
 
             programs.neovim = {
               enable = true;
+              sideloadInitLua = true;
               vimAlias = true;
               defaultEditor = true;
               package = inputs.neovim-nightly-overlay.packages.${pkgs.stdenv.hostPlatform.system}.default;

features/nix-settings.nix

@@ -40,6 +40,8 @@
               "flakes"
             ];
             download-buffer-size = 2 * 1024 * 1024 * 1024;
+            download-attempts = 3;
+            fallback = true;
             warn-dirty = false;
             substituters = [
               "https://cache.nixos.org"

features/power.nix

@@ -8,11 +8,6 @@
       options.features.power = {
         enable = lib.mkEnableOption "laptop power management";
 
-        resumeDevice = lib.mkOption {
-          type = lib.types.nullOr lib.types.str;
-          default = null;
-        };
-
         lidSwitch = lib.mkOption {
           type = lib.types.str;
           default = "suspend-then-hibernate";
@@ -40,8 +35,6 @@
       };
 
       config = lib.mkIf cfg.enable {
-        boot.resumeDevice = lib.mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
-
         services.logind.settings.Login = {
           HandleLidSwitch = cfg.lidSwitch;
           HandlePowerKey = cfg.powerKey;

features/vm-guest.nix

@@ -43,19 +43,15 @@
       config = lib.mkIf cfg.enable (
         lib.mkMerge [
           {
-            services.qemuGuest.enable = true;
             services.spice-vdagentd.enable = lib.mkIf (!cfg.headless) true;
 
             boot.kernelParams = lib.mkIf cfg.headless [ "console=ttyS0,115200" ];
 
+            # 9p autoloads on first mount
             boot.initrd.availableKernelModules = [
               "9p"
               "9pnet_virtio"
             ];
-            boot.kernelModules = [
-              "9p"
-              "9pnet_virtio"
-            ];
 
             networking = {
               useDHCP = true;
@@ -68,7 +64,6 @@
               curl
               wget
               htop
-              sshfs
             ];
           }
 

flake.lock

@@ -54,11 +54,11 @@
     "base16-helix": {
       "flake": false,
       "locked": {
-        "lastModified": 1760703920,
+        "lastModified": 1776754714,
-        "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
+        "narHash": "sha256-E3OAK27smtATTmX45uoTSRsVD+Y+ZiVVfgM/tjpbtYg=",
         "owner": "tinted-theming",
         "repo": "base16-helix",
-        "rev": "d646af9b7d14bff08824538164af99d0c521b185",
+        "rev": "4d508123037e7851ad36ebf7d9c48b0e9e1eb581",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773889306,
+        "lastModified": 1777713215,
-        "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
+        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
+        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
         "type": "github"
       },
       "original": {
@@ -122,11 +122,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1775176642,
+        "lastModified": 1776136500,
-        "narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=",
+        "narHash": "sha256-r0gN2brVWA351zwMV0Flmlcd6SGMvYqFbvC3DfKFM8Y=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "179704030c5286c729b5b0522037d1d51341022c",
+        "rev": "0f8ba203d475587f477e7ae12661bd8459e225b7",
         "type": "github"
       },
       "original": {
@@ -156,11 +156,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1775087534,
+        "lastModified": 1777988971,
-        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
+        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
+        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
         "type": "github"
       },
       "original": {
@@ -177,11 +177,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775087534,
+        "lastModified": 1777988971,
-        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
+        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
+        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
         "type": "github"
       },
       "original": {
@@ -273,11 +273,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776030105,
+        "lastModified": 1778248595,
-        "narHash": "sha256-b4cNpWPDSH+/CTTiw8++yGh1UYG2kQNrbIehV2iGoeo=",
+        "narHash": "sha256-dhFgEjoeJMYN/7OY6xfxS799YB4IjbbYXTjyGIJyLpc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "49088dc2e7a876e338e510c5f5f60f659819c650",
+        "rev": "fdb2ccba9d5e1238d32e0c4a3ec1a277efa80c1d",
         "type": "github"
       },
       "original": {
@@ -317,11 +317,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1775952282,
+        "lastModified": 1778285091,
-        "narHash": "sha256-iJcGy0pW0wX7q6HAQuKx8sskTyu8an0l0gI3TBgzk3E=",
+        "narHash": "sha256-4YwkGkjvLD0EB7rQGCRA9J/zgwrnTL20dJd7Wmnicj0=",
         "owner": "nix-community",
         "repo": "neovim-nightly-overlay",
-        "rev": "f719e136a8e0cd91e70515e590385356abce1341",
+        "rev": "cca2a2d1c03f763fdcd7066791363d792313c641",
         "type": "github"
       },
       "original": {
@@ -333,11 +333,11 @@
     "neovim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1775949028,
+        "lastModified": 1778266020,
-        "narHash": "sha256-JXrr9lxKfTIm/VW4jvaB1RU9r+7pAoaXeDsy24TGPiw=",
+        "narHash": "sha256-qoydKalrn/QGsGYVRicz0Hzb7bfGmV7Z9CnVONXN/Lc=",
         "owner": "neovim",
         "repo": "neovim",
-        "rev": "4a289bfce3e71bf00d1eced168a6a7bbb270b95b",
+        "rev": "b7d8a41d91dcfebe9a5f3d0cf2f0bb0b8d59e32e",
         "type": "github"
       },
       "original": {
@@ -348,11 +348,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1775490113,
+        "lastModified": 1778143761,
-        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
+        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
+        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
         "type": "github"
       },
       "original": {
@@ -364,11 +364,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1775888245,
+        "lastModified": 1778124196,
-        "narHash": "sha256-nwASzrRDD1JBEu/o8ekKYEXm/oJW6EMCzCRdrwcLe90=",
+        "narHash": "sha256-pYEytCNic/czazbV9r3tbQ6BZzqRBg/41x2dIC5ymOo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "13043924aaa7375ce482ebe2494338e058282925",
+        "rev": "68a8af93ff4297686cb68880845e61e5e2e41d92",
         "type": "github"
       },
       "original": {
@@ -380,11 +380,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1774748309,
+        "lastModified": 1777168982,
-        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
+        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
+        "rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
         "type": "github"
       },
       "original": {
@@ -395,11 +395,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1776031281,
+        "lastModified": 1778360830,
-        "narHash": "sha256-MCXhNHfTvsvbdkn9WV3Rv5Z0tUig1CtINZV+jaWh04k=",
+        "narHash": "sha256-tD44tgf123UcERx3cC91rwefFmGmlTd2M1QdL6d5iLc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4ee46f65286df51761a238bb0f024f8d696ac683",
+        "rev": "82cbc979e10cf2b893566a0f259daf5e1f26c887",
         "type": "github"
       },
       "original": {
@@ -411,11 +411,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1775811116,
+        "lastModified": 1778003029,
-        "narHash": "sha256-t+HZK42pB6N+i5RGbuy7Xluez/VvWbembBdvzsc23Ss=",
+        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "54170c54449ea4d6725efd30d719c5e505f1c10e",
+        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
         "type": "github"
       },
       "original": {
@@ -427,11 +427,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1775710090,
+        "lastModified": 1777954456,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -453,11 +453,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775228139,
+        "lastModified": 1777598946,
-        "narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=",
+        "narHash": "sha256-X239dAGaU1+gfDj8jKH8GzlqKMcxaVfXOio+uzBOkeE=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "601971b9c89e0304561977f2c28fa25e73aa7132",
+        "rev": "5d55af01c0f86be583931fe99207fc56c14134b3",
         "type": "github"
       },
       "original": {
@@ -550,11 +550,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775971308,
+        "lastModified": 1777944972,
-        "narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
         "type": "github"
       },
       "original": {
@@ -583,11 +583,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1775936757,
+        "lastModified": 1778104276,
-        "narHash": "sha256-KJO/7qoxJ+hlsb3WlFSl6IGrExBIf1GvKdrhOlnGdKY=",
+        "narHash": "sha256-/DSSnU0LLmOTG/OCgGwYpxP6+5YvxRx2g/GhI4x6aCU=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "d3e447786b74d62c75f665e17cb3e681c66e90c7",
+        "rev": "18ed8d270231e067fe2739998479ed5d7c659c2c",
         "type": "github"
       },
       "original": {
@@ -630,11 +630,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1772661346,
+        "lastModified": 1777041405,
-        "narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=",
+        "narHash": "sha256-BAGZ7ObFV/9Z61OJZun7ifPyhkuHqNuW1QIhQ8LuzCo=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "13b5b0c299982bb361039601e2d72587d6846294",
+        "rev": "5f868b3a338b6904c47f3833b9c411be641983a8",
         "type": "github"
       },
       "original": {
@@ -646,11 +646,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1772934010,
+        "lastModified": 1777169200,
-        "narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=",
+        "narHash": "sha256-h7dDbIzP5hDr9v97w9PL6jdAgXawmj6krcH+959rqpU=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d",
+        "rev": "f798c2dce44ef815bb6b8f05a82135c7942d35ac",
         "type": "github"
       },
       "original": {
@@ -662,11 +662,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1772909925,
+        "lastModified": 1777463218,
-        "narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=",
+        "narHash": "sha256-Bhkozqtq3BKLqWTlmKm8uAptfX4aRGI8QX3eEL54Vpc=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df",
+        "rev": "5768d08ed2e7944a26a958868cdb073cb8856dae",
         "type": "github"
       },
       "original": {

flake/hosts.nix

@@ -55,7 +55,6 @@ in
         "git"
         "gnupg"
         "harmonia"
-        "initrd-ssh"
         "localisation"
         "neovim"
         "networkmanager"
@@ -124,6 +123,7 @@ in
         "localisation"
         "networkmanager"
         "nix-settings"
+        "onepassword"
         "sway"
         "udev"
         "zsh"

flake/overlays.nix

@@ -1,5 +1,7 @@
-_:
+{ inputs, ... }:
 
 {
-  flake.overlays.default = _: _: { };
+  flake.overlays.default = final: _prev: {
+    inherit (inputs.nixpkgs-stable.legacyPackages.${final.stdenv.hostPlatform.system}) mcp-nixos;
+  };
 }

hosts/ephvm/configuration.nix

@@ -13,19 +13,38 @@
   documentation.enable = false;
   environment.defaultPackages = [ ];
 
-  # compressed qcow2, no channel copy
+  # qcow2, no channel copy; post-processed with parallel zstd on qcow2 v3
+  # (~half the size of zlib v2, faster decompress)
   image.modules.qemu =
     { config, modulesPath, ... }:
     {
       system.build.image = lib.mkForce (
-        import (modulesPath + "/../lib/make-disk-image.nix") {
+        let
+          rawImage = import (modulesPath + "/../lib/make-disk-image.nix") {
             inherit lib config pkgs;
             inherit (config.virtualisation) diskSize;
             inherit (config.image) baseName;
-          format = "qcow2-compressed";
+            format = "qcow2";
             copyChannel = false;
             partitionTableType = "legacy";
-        }
+          };
+          inherit (config.image) baseName;
+        in
+        pkgs.runCommand baseName { nativeBuildInputs = [ pkgs.qemu-utils ]; } ''
+          mkdir -p $out
+          # qemu-img caps -m at 16
+          cores="''${NIX_BUILD_CORES:-4}"
+          [ "$cores" -gt 0 ] || cores=4
+          [ "$cores" -gt 16 ] && cores=16
+          qemu-img convert \
+            -f qcow2 \
+            -O qcow2 \
+            -c \
+            -o compression_type=zstd \
+            -m "$cores" \
+            ${rawImage}/${baseName}.qcow2 \
+            $out/${baseName}.qcow2
+        ''
       );
     };
 
@@ -70,7 +89,7 @@
   features.neovim.dotfiles = inputs.nvim;
 
   # ensure .config exists with correct ownership before automount
-  systemd.tmpfiles.rules = [ "d /home/matej/.config 0755 matej users -" ];
+  systemd.tmpfiles.rules = [ "d /home/matej/.config 0700 matej users -" ];
 
   # TODO:(@janezicmatej) replace ssh with virtio-console (hvc0) when qemu 11.0 lands
   # https://www.mail-archive.com/qemu-devel@nongnu.org/msg1162844.html

hosts/fw16/configuration.nix

@@ -10,15 +10,13 @@
     inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
   ];
 
+  features.bootloader.resumeDevice = "/dev/mapper/vg0-swap";
   features.desktop.bluetooth.enable = true;
   features.gnupg.yubikey.enable = true;
   features.udev = {
     ledger.enable = true;
     keyboard-zsa.enable = true;
   };
-  features.power.resumeDevice = "/dev/disk/by-uuid/ff4750e7-3a9f-42c2-bb68-c458a6560540";
-
-  boot.kernelParams = [ "pcie_aspm.policy=powersupersave" ];
 
   programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;
 

hosts/fw16/hardware-configuration.nix

@@ -37,10 +37,7 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/42D9-FAFD";
     fsType = "vfat";
-    options = [
+    options = [ "umask=0077" ];
-      "fmask=0022"
-      "dmask=0022"
-    ];
   };
 
   swapDevices = [

hosts/tower/configuration.nix

@@ -6,23 +6,29 @@
 
 {
   features.nix-settings.towerCache.enable = false;
-  features.bootloader.mode = "lanzaboote";
+  features.bootloader = {
+    mode = "lanzaboote";
+    initrdSsh = {
+      enable = true;
+      networkModule = "r8169";
+      authorizedKeys = userKeys.sshAuthorizedKeys;
+    };
+  };
   features.desktop.bluetooth.enable = true;
   features.gnupg.yubikey.enable = true;
   features.udev = {
     ledger.enable = true;
     keyboard-zsa.enable = true;
   };
-  features.initrd-ssh = {
-    networkModule = "r8169";
-    authorizedKeys = userKeys.sshAuthorizedKeys;
-  };
 
   # nix store signing
   sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
   nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
 
   boot.kernelParams = [ "btusb.reset=1" ];
+  # pairs with bootloader's simpledrm initcall blacklist: amdgpu owns fbcon
+  # from the start, no driver-swap mode-set
+  hardware.amdgpu.initrd.enable = true;
 
   services.udisks2.enable = true;
 

justfile

@@ -2,31 +2,20 @@
 default:
     @just --list
 
-# rebuild and switch
+# rebuild the system
-switch config="":
+rebuild op="switch" host=`hostname`:
-    nixos-rebuild switch --flake .{{ if config != "" { "#" + config } else { "" } }} --sudo
+    nixos-rebuild {{op}} --flake .#{{host}} --sudo
-
-# fetch flake inputs
-sync:
-    nix flake prefetch-inputs
 
 # update flake inputs
 update:
     nix flake update
 
-# update flake inputs, rebuild and switch
-bump: update switch
-
-# update a package to latest version
-update-package pkg:
-    bash packages/{{pkg}}/update.sh
-
 # update all packages with update scripts
-update-package-all:
+update-package:
     @for script in packages/*/update.sh; do bash "$script"; done
 
 # build all packages and hosts
-build:
+check:
     nix flake check
 
 # build installation iso
@@ -37,10 +26,6 @@ iso:
 ephvm *ARGS:
     bash scripts/ephvm-run.sh {{ARGS}}
 
-# ssh into running ephemeral VM
-ephvm-ssh port="2222":
-    ssh -p {{port}} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null matej@localhost
-
 # provision a host with nixos-anywhere
 provision host ip:
     #!/usr/bin/env bash
@@ -59,9 +44,9 @@ provision host ip:
     ssh root@{{ip}} reboot
 
 # deploy config to a remote host
-deploy host remote=host:
+deploy op="switch" host=`hostname` remote=host:
-    nixos-rebuild switch --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
+    nixos-rebuild {{op}} --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
 
 # garbage collect old generations
-clean:
+clean host=`hostname`:
-    sudo nix-collect-garbage $(nix eval --raw -f ./nix.nix nix.gc.options)
+    sudo nix-collect-garbage $(nix eval --raw .#nixosConfigurations.{{host}}.config.nix.gc.options)

lib/mkHost.nix

@@ -87,6 +87,17 @@ nixpkgs.lib.nixosSystem {
     { nixpkgs.config.allowUnfree = true; }
     { networking.hostName = name; }
 
+    # TEMP:(@janezicmatej) temporary mitigation for dirty frag
+    # blocks esp4/esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500)
+    # remove once nixpkgs ships a kernel with f4c50a4034e6 and the rxrpc fix
+    {
+      boot.blacklistedKernelModules = [
+        "esp4"
+        "esp6"
+        "rxrpc"
+      ];
+    }
+
     featureEnableModule
     hostConfig
   ]

nix.nix

@@ -1,33 +0,0 @@
-{
-  nix = {
-    settings = {
-      experimental-features = [
-        "nix-command"
-        "flakes"
-      ];
-      download-buffer-size = 2 * 1024 * 1024 * 1024;
-      warn-dirty = false;
-      substituters = [
-        "https://cache.nixos.org"
-        "https://nix-community.cachix.org?priority=45"
-        "http://tower:5000?priority=50"
-      ];
-      trusted-public-keys = [
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "matej.nix-1:TdbemLVYblvAxqJcwb3mVKmmr3cfzXbMcZHE5ILnZDE="
-      ];
-    };
-
-    gc = {
-      automatic = true;
-      dates = "monthly";
-      options = "--delete-older-than 30d";
-    };
-
-    optimise = {
-      automatic = true;
-      dates = [ "monthly" ];
-    };
-  };
-}

packages/claude-code/package-lock.json

@@ -1,334 +0,0 @@
-{
-  "name": "@anthropic-ai/claude-code",
-  "version": "2.1.112",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "name": "@anthropic-ai/claude-code",
-      "version": "2.1.112",
-      "license": "SEE LICENSE IN README.md",
-      "bin": {
-        "claude": "cli.js"
-      },
-      "engines": {
-        "node": ">=18.0.0"
-      },
-      "optionalDependencies": {
-        "@img/sharp-darwin-arm64": "^0.34.2",
-        "@img/sharp-darwin-x64": "^0.34.2",
-        "@img/sharp-linux-arm": "^0.34.2",
-        "@img/sharp-linux-arm64": "^0.34.2",
-        "@img/sharp-linux-x64": "^0.34.2",
-        "@img/sharp-linuxmusl-arm64": "^0.34.2",
-        "@img/sharp-linuxmusl-x64": "^0.34.2",
-        "@img/sharp-win32-arm64": "^0.34.2",
-        "@img/sharp-win32-x64": "^0.34.2"
-      }
-    },
-    "node_modules/@img/sharp-darwin-arm64": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.34.5.tgz",
-      "integrity": "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==",
-      "cpu": [
-        "arm64"
-      ],
-      "license": "Apache-2.0",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      },
-      "optionalDependencies": {
-        "@img/sharp-libvips-darwin-arm64": "1.2.4"
-      }
-    },
-    "node_modules/@img/sharp-darwin-x64": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.34.5.tgz",
-      "integrity": "sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "Apache-2.0",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      },
-      "optionalDependencies": {
-        "@img/sharp-libvips-darwin-x64": "1.2.4"
-      }
-    },
-    "node_modules/@img/sharp-libvips-darwin-arm64": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.2.4.tgz",
-      "integrity": "sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==",
-      "cpu": [
-        "arm64"
-      ],
-      "license": "LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    },
-    "node_modules/@img/sharp-libvips-darwin-x64": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.2.4.tgz",
-      "integrity": "sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    },
-    "node_modules/@img/sharp-libvips-linux-arm": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.2.4.tgz",
-      "integrity": "sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==",
-      "cpu": [
-        "arm"
-      ],
-      "license": "LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    },
-    "node_modules/@img/sharp-libvips-linux-arm64": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.2.4.tgz",
-      "integrity": "sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==",
-      "cpu": [
-        "arm64"
-      ],
-      "license": "LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    },
-    "node_modules/@img/sharp-libvips-linux-x64": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.2.4.tgz",
-      "integrity": "sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    },
-    "node_modules/@img/sharp-libvips-linuxmusl-arm64": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.2.4.tgz",
-      "integrity": "sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==",
-      "cpu": [
-        "arm64"
-      ],
-      "license": "LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    },
-    "node_modules/@img/sharp-libvips-linuxmusl-x64": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.2.4.tgz",
-      "integrity": "sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    },
-    "node_modules/@img/sharp-linux-arm": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.34.5.tgz",
-      "integrity": "sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==",
-      "cpu": [
-        "arm"
-      ],
-      "license": "Apache-2.0",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      },
-      "optionalDependencies": {
-        "@img/sharp-libvips-linux-arm": "1.2.4"
-      }
-    },
-    "node_modules/@img/sharp-linux-arm64": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.34.5.tgz",
-      "integrity": "sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==",
-      "cpu": [
-        "arm64"
-      ],
-      "license": "Apache-2.0",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      },
-      "optionalDependencies": {
-        "@img/sharp-libvips-linux-arm64": "1.2.4"
-      }
-    },
-    "node_modules/@img/sharp-linux-x64": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.34.5.tgz",
-      "integrity": "sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "Apache-2.0",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      },
-      "optionalDependencies": {
-        "@img/sharp-libvips-linux-x64": "1.2.4"
-      }
-    },
-    "node_modules/@img/sharp-linuxmusl-arm64": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.34.5.tgz",
-      "integrity": "sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==",
-      "cpu": [
-        "arm64"
-      ],
-      "license": "Apache-2.0",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      },
-      "optionalDependencies": {
-        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4"
-      }
-    },
-    "node_modules/@img/sharp-linuxmusl-x64": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.34.5.tgz",
-      "integrity": "sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "Apache-2.0",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      },
-      "optionalDependencies": {
-        "@img/sharp-libvips-linuxmusl-x64": "1.2.4"
-      }
-    },
-    "node_modules/@img/sharp-win32-arm64": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-win32-arm64/-/sharp-win32-arm64-0.34.5.tgz",
-      "integrity": "sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==",
-      "cpu": [
-        "arm64"
-      ],
-      "license": "Apache-2.0 AND LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    },
-    "node_modules/@img/sharp-win32-x64": {
-      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.34.5.tgz",
-      "integrity": "sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "Apache-2.0 AND LGPL-3.0-or-later",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "engines": {
-        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/libvips"
-      }
-    }
-  }
-}

packages/claude-code/package.nix

@@ -1,41 +1,78 @@
 { pkgs, ... }:
 
-pkgs.buildNpmPackage (finalAttrs: {
+let
-  pname = "claude-code";
+  inherit (pkgs) stdenv lib;
-  version = "2.1.112";
+  version = "2.1.138";
 
-  src = pkgs.fetchzip {
+  # upstream ships platform-native binaries as separate npm packages under
-    url = "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-${finalAttrs.version}.tgz";
+  # @anthropic-ai/claude-code-<platform>; the wrapper package is just a
-    hash = "sha256-SJJqU7XHbu9IRGPMJNUg6oaMZiQUKqJhI2wm7BnR1gs=";
+  # postinstall shim that copies the matching one into place
+  sources = {
+    "x86_64-linux" = {
+      slug = "linux-x64";
+      hash = "sha256-MGYEPPO4O84Egb5Ym/9f56l+TzPqogpSabosvHTIJZg=";
+    };
+    "aarch64-linux" = {
+      slug = "linux-arm64";
+      hash = "sha256-LWBtOAjPDFtLP93TNrsd8bPHJd7VKK6J90CRxUp1/XQ=";
+    };
+    "x86_64-darwin" = {
+      slug = "darwin-x64";
+      hash = "sha256-tkupKzb+XAPmdCRNoT90cfVLKUar3FCTRgufiMVuVPc=";
+    };
+    "aarch64-darwin" = {
+      slug = "darwin-arm64";
+      hash = "sha256-jmB4t11BI1LKanuuXRJv5IBe8a9gSrFvTMP3KarsioU=";
+    };
   };
 
-  npmDepsHash = "sha256-bdkej9Z41GLew9wi1zdNX+Asauki3nT1+SHmBmaUIBU=";
+  source =
+    sources.${stdenv.hostPlatform.system}
+      or (throw "claude-code: unsupported system ${stdenv.hostPlatform.system}");
+in
+stdenv.mkDerivation {
+  pname = "claude-code";
+  inherit version;
 
-  strictDeps = true;
+  src = pkgs.fetchzip {
+    url = "https://registry.npmjs.org/@anthropic-ai/claude-code-${source.slug}/-/claude-code-${source.slug}-${version}.tgz";
+    inherit (source) hash;
+  };
 
-  postPatch = ''
+  nativeBuildInputs = [
-    cp ${./package-lock.json} package-lock.json
+    pkgs.makeWrapper
+  ]
+  ++ lib.optionals stdenv.hostPlatform.isLinux [ pkgs.patchelf ];
 
-    substituteInPlace cli.js \
+  dontBuild = true;
-          --replace-fail '#!/bin/sh' '#!/usr/bin/env sh'
+  dontConfigure = true;
+  dontStrip = true;
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm755 claude $out/bin/claude
+    runHook postInstall
   '';
 
-  dontNpmBuild = true;
+  # NOTE:(@janezicmatej) upstream is a bun single-file-executable; the
-
+  # embedded script payload sits at the tail of the ELF, so autoPatchelfHook's
-  env.AUTHORIZED = "1";
+  # section-layout changes corrupt it — only the interpreter can be rewritten
-
+  postFixup =
-  postInstall = ''
+    lib.optionalString stdenv.hostPlatform.isLinux ''
+      patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} $out/bin/claude
+    ''
+    + ''
       wrapProgram $out/bin/claude \
         --set DISABLE_AUTOUPDATER 1 \
         --set-default FORCE_AUTOUPDATE_PLUGINS 1 \
         --set DISABLE_INSTALLATION_CHECKS 1 \
         --unset DEV \
         --prefix PATH : ${
-        pkgs.lib.makeBinPath (
+          lib.makeBinPath (
             [
               pkgs.procps
             ]
-          ++ pkgs.lib.optionals pkgs.stdenv.hostPlatform.isLinux [
+            ++ lib.optionals stdenv.hostPlatform.isLinux [
               pkgs.bubblewrap
               pkgs.socat
             ]
@@ -47,7 +84,8 @@ pkgs.buildNpmPackage (finalAttrs: {
     description = "Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster";
     homepage = "https://github.com/anthropics/claude-code";
     downloadPage = "https://www.npmjs.com/package/@anthropic-ai/claude-code";
-    license = pkgs.lib.licenses.unfree;
+    license = lib.licenses.unfree;
     mainProgram = "claude";
+    platforms = lib.attrNames sources;
   };
-})
+}

packages/claude-code/update.sh

@@ -1,17 +1,18 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p curl jq nodejs prefetch-npm-deps nix-prefetch
+#!nix-shell -i bash -p curl jq nix
 # shellcheck shell=bash
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-ROOT_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
 PKG_FILE="$SCRIPT_DIR/package.nix"
-LOCK_FILE="$SCRIPT_DIR/package-lock.json"
 
-cd "$ROOT_DIR"
+# keep in sync with the `sources` attrset in package.nix
+PLATFORMS=(linux-x64 linux-arm64 darwin-x64 darwin-arm64)
 
-extract_hash() {
+prefetch() {
-	sed 's/\x1b\[[0-9;]*m//g' | grep 'got:' | tail -1 | grep -oP 'sha256-[A-Za-z0-9+/]+='
+	local url="$1"
+	nix --extra-experimental-features 'nix-command flakes' \
+		store prefetch-file --unpack --json "$url" 2>/dev/null | jq -r '.hash'
 }
 
 main() {
@@ -27,35 +28,24 @@ main() {
 
 	echo "updating claude-code: $current -> $latest"
 
-	local url="https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-${latest}.tgz"
-
-	echo "  prefetching source..."
-	local base32 src_hash
-	base32=$(nix-prefetch-url --unpack "$url" 2>/dev/null)
-	src_hash=$(nix hash convert --to sri "sha256:$base32")
-	echo "  source: $src_hash"
-
-	echo "  generating package-lock.json..."
-	local tmpdir
-	tmpdir=$(mktemp -d)
-	trap 'rm -rf "$tmpdir"' RETURN
-	curl -sf "$url" -o "$tmpdir/pkg.tgz"
-	tar xzf "$tmpdir/pkg.tgz" -C "$tmpdir" --strip-components=1
-	(cd "$tmpdir" && npm install --package-lock-only --ignore-scripts --no-audit --no-fund 2>/dev/null)
-	cp "$tmpdir/package-lock.json" "$LOCK_FILE"
-
-	echo "  computing npm deps hash..."
-	local npm_hash
-	npm_hash=$(prefetch-npm-deps "$LOCK_FILE" 2>/dev/null)
-	echo "  npmDepsHash: $npm_hash"
-
-	local old_src old_npm
-	old_src=$(grep 'hash = "sha256-' "$PKG_FILE" | head -1 | grep -oP 'sha256-[A-Za-z0-9+/]+=')
-	old_npm=$(grep 'npmDepsHash = "sha256-' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
-
 	sed -i "s|version = \"$current\"|version = \"$latest\"|" "$PKG_FILE"
-	sed -i "s|$old_src|$src_hash|" "$PKG_FILE"
+
-	sed -i "s|$old_npm|$npm_hash|" "$PKG_FILE"
+	local slug url new_hash old_hash
+	for slug in "${PLATFORMS[@]}"; do
+		url="https://registry.npmjs.org/@anthropic-ai/claude-code-${slug}/-/claude-code-${slug}-${latest}.tgz"
+		echo "  prefetching $slug..."
+		new_hash=$(prefetch "$url")
+		old_hash=$(awk -v slug="$slug" '
+			$0 ~ "slug = \"" slug "\";" { found=1; next }
+			found && /hash = "sha256-/ {
+				match($0, /sha256-[A-Za-z0-9+\/]+=*/)
+				print substr($0, RSTART, RLENGTH)
+				exit
+			}
+		' "$PKG_FILE")
+		sed -i "s|$old_hash|$new_hash|" "$PKG_FILE"
+		echo "    $new_hash"
+	done
 
 	echo "claude-code updated to $latest"
 }

scripts/ephvm-run.sh

@@ -27,14 +27,32 @@ info() {
 
 # globals for cleanup trap
 CLEANUP_OVERLAY=""
+CLEANUP_TMPDIR=""
 QEMU_PID=""
+VM_READY=false
 cleanup() {
 	[ -n "$QEMU_PID" ] && kill "$QEMU_PID" 2>/dev/null && wait "$QEMU_PID" 2>/dev/null
 	[ -n "$CLEANUP_OVERLAY" ] && rm -rf "$CLEANUP_OVERLAY"
+	# preserve tmpdir on abnormal exit so the qemu log survives for inspection
+	if [ -n "$CLEANUP_TMPDIR" ]; then
+		if [ "$VM_READY" = true ]; then
+			rm -rf "$CLEANUP_TMPDIR"
+		else
+			echo "qemu log preserved: $CLEANUP_TMPDIR/qemu.log" >&2
+		fi
+	fi
 	return 0
 }
 trap cleanup EXIT
 
+# returns 0 once the guest's sshd is speaking (first bytes are "SSH-")
+awaiting_ssh_banner() {
+	local port="$1"
+	local banner
+	banner=$(timeout 2 bash -c "exec 3<>/dev/tcp/localhost/$port; head -c 4 <&3" 2>/dev/null) || return 1
+	[ "$banner" = "SSH-" ]
+}
+
 usage() {
 	cat <<EOF
 Usage: ephvm-run.sh [options]
@@ -55,6 +73,8 @@ EOF
 main() {
 	setup_colors
 
+	[ "$EUID" -eq 0 ] && die "ephvm-run.sh must not run as root"
+
 	local ssh_port="" memory=4G cpus=2 claude=true disk_size="" serial=false
 	local -a mounts=()
 
@@ -110,15 +130,13 @@ main() {
 		CLEANUP_OVERLAY=$(mktemp -d)
 		local overlay="$CLEANUP_OVERLAY/overlay.qcow2"
 		qemu-img create -f qcow2 -b "$(realpath "$image")" -F qcow2 "$overlay" "$disk_size"
-		drive_arg="file=$overlay,format=qcow2"
+		drive_arg="if=none,id=hd0,file=$overlay,format=qcow2,cache=writeback,aio=threads,discard=unmap,detect-zeroes=unmap"
 	else
-		drive_arg="file=$image,format=qcow2,snapshot=on"
+		drive_arg="if=none,id=hd0,file=$image,format=qcow2,snapshot=on,cache=writeback,aio=threads,discard=unmap,detect-zeroes=unmap"
 	fi
 
 	command -v qemu-system-x86_64 &>/dev/null || die "qemu-system-x86_64 not found"
-
+	[ -r /dev/kvm ] || die "/dev/kvm not readable; kvm is required"
-	local accel="tcg"
-	[ -r /dev/kvm ] && accel="kvm"
 
 	# auto-allocate ssh port unless serial mode
 	if [ "$serial" = false ] && [ -z "$ssh_port" ]; then
@@ -128,28 +146,33 @@ main() {
 		done
 	fi
 
-	local nic_arg="user"
+	local nic_arg="user,model=virtio-net-pci"
 	if [ -n "$ssh_port" ]; then
-		nic_arg="user,hostfwd=tcp::${ssh_port}-:22"
+		nic_arg="user,model=virtio-net-pci,hostfwd=tcp:127.0.0.1:${ssh_port}-:22"
 	fi
 
 	local -a qemu_args=(
 		qemu-system-x86_64
-		-accel "$accel"
+		-accel kvm
+		-cpu host
 		-m "$memory"
 		-smp "$cpus"
 		-drive "$drive_arg"
+		-device "virtio-blk-pci,drive=hd0"
+		-device virtio-rng-pci
 		-nic "$nic_arg"
 		-nographic
+		-sandbox "on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny"
 	)
 
-	if [ "$accel" != "tcg" ]; then
-		qemu_args+=(-cpu host)
-	fi
-
 	local fs_id=0 mount_path name tag
 	for mount_path in "${mounts[@]}"; do
+		[ -e "$mount_path" ] || die "--mount path does not exist: $mount_path"
 		mount_path=$(realpath "$mount_path")
+		# qemu parses -virtfs as csv, a comma in the path would inject options
+		case "$mount_path" in
+		*,*) die "--mount path may not contain commas: $mount_path" ;;
+		esac
 		name=$(basename "$mount_path")
 		tag="m_${name:0:29}"
 		qemu_args+=(
@@ -163,6 +186,9 @@ main() {
 		mkdir -p "$CLAUDE_CONFIG_DIR"
 		local claude_dir
 		claude_dir=$(realpath "$CLAUDE_CONFIG_DIR")
+		case "$claude_dir" in
+		*,*) die "claude config dir may not contain commas: $claude_dir" ;;
+		esac
 
 		qemu_args+=(
 			-virtfs "local,path=$claude_dir,mount_tag=claude,security_model=none,id=fs${fs_id}"
@@ -171,27 +197,38 @@ main() {
 	fi
 
 	info "---"
-	info "Accel: $accel"
+	[ -n "$ssh_port" ] && info "SSH: ssh -p $ssh_port matej@localhost"
 	info "---"
 
 	if [ "$serial" = true ]; then
 		exec "${qemu_args[@]}"
 	fi
 
+	CLEANUP_TMPDIR=$(mktemp -d)
+	local qemu_log="$CLEANUP_TMPDIR/qemu.log"
+
 	# start qemu in background and auto-ssh
-	"${qemu_args[@]}" &>/dev/null &
+	"${qemu_args[@]}" &>"$qemu_log" &
 	QEMU_PID=$!
 
+	# throwaway ssh key (vm accepts any key via AuthorizedKeysCommand)
+	local ssh_key="$CLEANUP_TMPDIR/id_ed25519"
+	ssh-keygen -t ed25519 -f "$ssh_key" -N "" -q
+
 	info "waiting for vm (port $ssh_port)..."
 	local attempts=0
-	while ! (echo > /dev/tcp/localhost/"$ssh_port") 2>/dev/null; do
+	# poll for the real SSH banner, not TCP accept: qemu's user-mode nic
+	# accepts host-side the moment qemu starts, well before guest sshd is up
+	while ! awaiting_ssh_banner "$ssh_port"; do
 		attempts=$((attempts + 1))
-		[ $attempts -gt 60 ] && die "vm did not become ready in 60s"
+		[ $attempts -gt 120 ] && die "vm did not become ready in 60s"
 		kill -0 "$QEMU_PID" 2>/dev/null || die "qemu exited unexpectedly"
-		sleep 1
+		sleep 0.5
 	done
+	VM_READY=true
 
 	ssh -p "$ssh_port" -t \
+		-i "$ssh_key" \
 		-o StrictHostKeyChecking=no \
 		-o UserKnownHostsFile=/dev/null \
 		-o LogLevel=ERROR \