Add codex environment scripts, README and AGENTS

AGENTS.md

@@ -0,0 +1,33 @@
+# AGENTS.md
+
+## Repo purpose
+
+This repository contains flake-based NixOS configurations for Wayne’s LAN servers and workstation.
+
+The flake currently exposes these NixOS configurations:
+
+- `nixos`
+- `docker`
+- `kuma`
+- `server`
+- `nix-cache`
+- `nix-minimal`
+
+Do not deploy, switch, reboot, repartition, format disks, or run destructive install commands from this repository unless explicitly asked.
+
+## Safety rules
+
+- Never run `nixos-rebuild switch`, `boot`, `test`, `nixos-install`, `parted`, `mkfs`, `mkswap`, `swapon`, `mount`, or destructive disk commands in Codex.
+- Validation work should be limited to evaluation, linting, formatting checks, and `nix build --dry-run --no-link`.
+- Do not add secrets, tokens, private keys, password hashes, or live credentials to the repo.
+- Treat `flake.nix`, Home Manager config, and Nix config files as public.
+- If you find committed tokens or hashes, flag them immediately and recommend rotation/removal.
+
+## Expected commands
+
+Use these commands when validating changes:
+
+```bash
+bash scripts/codex-setup.sh
+bash scripts/codex-maintenance.sh
+bash scripts/codex-maintenance.sh dry-run

README.md

@@ -1,2 +1,25 @@
-# nixos
 
+## `README.md`
+
+```markdown
+# NixOS LAN Configurations
+
+Flake-based NixOS configuration repository for Wayne’s LAN machines.
+
+## Hosts
+
+This flake currently defines:
+
+| Host | Purpose |
+|---|---|
+| `nixos` | Main NixOS workstation / desktop |
+| `docker` | Docker host for the main container stack |
+| `kuma` | Docker-enabled Uptime Kuma style host |
+| `server` | Storage / NFS / backup style server |
+| `nix-cache` | Local Nix binary cache host |
+| `nix-minimal` | Minimal NixOS host profile |
+
+List hosts with:
+
+```bash
+nix eval --json .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]'

scripts/codex-maintenance.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export NIX_CONFIG="${NIX_CONFIG:-}
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+"
+
+MODE="${1:-validate}"
+
+hosts_json="$(nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames)"
+hosts="$(echo "$hosts_json" | jq -r '.[]')"
+
+echo "Hosts:"
+echo "$hosts"
+
+echo
+echo "Checking for obvious committed secrets..."
+if grep -RInE 'github_pat_|ghp_|access-tokens|hashedPassword[[:space:]]*=' \
+  --exclude-dir=.git \
+  --exclude=flake.lock \
+  .; then
+  echo
+  echo "WARNING: Potential secrets or password hashes found. Review before committing."
+else
+  echo "No obvious token patterns found."
+fi
+
+echo
+echo "Checking Nix formatting with nixpkgs-fmt..."
+nix run --no-accept-flake-config nixpkgs#nixpkgs-fmt -- --check .
+
+echo
+echo "Running statix lint..."
+nix run --no-accept-flake-config nixpkgs#statix -- check .
+
+echo
+echo "Evaluating host toplevel derivations..."
+for host in $hosts; do
+  echo "==> $host"
+  nix eval --raw --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath"
+done
+
+if [[ "$MODE" == "dry-run" ]]; then
+  echo
+  echo "Running dry-run builds for all hosts. This will not create result symlinks."
+  for host in $hosts; do
+    echo "==> Dry-run build: $host"
+    nix build --dry-run --no-link --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel"
+  done
+fi
+
+echo
+echo "Maintenance checks complete."

scripts/codex-setup.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export NIX_CONFIG="${NIX_CONFIG:-}
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+"
+
+if ! command -v nix >/dev/null 2>&1; then
+  echo "Installing Nix in single-user mode..."
+  sh <(curl -L https://nixos.org/nix/install) --no-daemon
+  # shellcheck disable=SC1090
+  . "$HOME/.nix-profile/etc/profile.d/nix.sh"
+fi
+
+mkdir -p "$HOME/.config/nix"
+cat > "$HOME/.config/nix/nix.conf" <<'EOF'
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+EOF
+
+echo "Nix version:"
+nix --version
+
+echo "Available NixOS hosts:"
+nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]'
+
+echo "Evaluating all host toplevel derivations..."
+for host in $(nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]'); do
+  echo "==> Evaluating $host"
+  nix eval --raw --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath"
+done
+
+echo "Codex setup complete."