diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..04fb443
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,33 @@
+# AGENTS.md
+
+## Repo purpose
+
+This repository contains flake-based NixOS configurations for Wayne’s LAN servers and workstation.
+
+The flake currently exposes these NixOS configurations:
+
+- `nixos`
+- `docker`
+- `kuma`
+- `server`
+- `nix-cache`
+- `nix-minimal`
+
+Do not deploy, switch, reboot, repartition, format disks, or run destructive install commands from this repository unless explicitly asked.
+
+## Safety rules
+
+- Never run `nixos-rebuild switch`, `boot`, `test`, `nixos-install`, `parted`, `mkfs`, `mkswap`, `swapon`, `mount`, or destructive disk commands in Codex.
+- Validation work should be limited to evaluation, linting, formatting checks, and `nix build --dry-run --no-link`.
+- Do not add secrets, tokens, private keys, password hashes, or live credentials to the repo.
+- Treat `flake.nix`, Home Manager config, and Nix config files as public.
+- If you find committed tokens or hashes, flag them immediately and recommend rotation/removal.
+
+## Expected commands
+
+Use these commands when validating changes:
+
+```bash
+bash scripts/codex-setup.sh
+bash scripts/codex-maintenance.sh
+bash scripts/codex-maintenance.sh dry-run
diff --git a/README.md b/README.md
index f8a2a26..4010c1b 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,25 @@ -# nixos +## `README.md` + +```markdown +# NixOS LAN Configurations + +Flake-based NixOS configuration repository for Wayne’s LAN machines. + +## Hosts + +This flake currently defines: + +| Host | Purpose | +|---|---| +| `nixos` | Main NixOS workstation / desktop | +| `docker` | Docker host for the main container stack | +| `kuma` | Docker-enabled Uptime Kuma style host | +| `server` | Storage / NFS / backup style server | +| `nix-cache` | Local Nix binary cache host | +| `nix-minimal` | Minimal NixOS host profile | + +List hosts with: + +```bash +nix eval --json .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]' diff --git a/scripts/codex-maintenance.sh b/scripts/codex-maintenance.sh new file mode 100644 index 0000000..843eb38 --- /dev/null +++ b/scripts/codex-maintenance.sh 
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export NIX_CONFIG="${NIX_CONFIG:-}
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+"
+
+MODE="${1:-validate}"
+
+hosts_json="$(nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames)"
+hosts="$(echo "$hosts_json" | jq -r '.[]')"
+
+echo "Hosts:"
+echo "$hosts"
+
+echo
+echo "Checking for obvious committed secrets..."
+if grep -RInE 'github_pat_|ghp_|access-tokens|hashedPassword[[:space:]]*=' \
+  --exclude-dir=.git \
+  --exclude=flake.lock \
+  .; then
+  echo
+  echo "WARNING: Potential secrets or password hashes found. Review before committing."
+else
+  echo "No obvious token patterns found."
+fi
+
+echo
+echo "Checking Nix formatting with nixpkgs-fmt..."
+nix run --no-accept-flake-config nixpkgs#nixpkgs-fmt -- --check .
+
+echo
+echo "Running statix lint..."
+nix run --no-accept-flake-config nixpkgs#statix -- check .
+
+echo
+echo "Evaluating host toplevel derivations..."
+for host in $hosts; do
+  echo "==> $host"
+  nix eval --raw --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath"
+done
+
+if [[ "$MODE" == "dry-run" ]]; then
+  echo
+  echo "Running dry-run builds for all hosts. This will not create result symlinks."
+  for host in $hosts; do
+    echo "==> Dry-run build: $host"
+    nix build --dry-run --no-link --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel"
+  done
+fi
+
+echo
+echo "Maintenance checks complete."
diff --git a/scripts/codex-setup.sh b/scripts/codex-setup.sh
new file mode 100644
index 0000000..93a9afa
--- /dev/null
+++ b/scripts/codex-setup.sh
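Review bot: The secret scan on the `if grep -RInE 'github_pat_|ghp_|access-tokens|hashedPassword[[:space:]]*='` line matches this script itself, because the pattern literal contains `github_pat_` and `hashedPassword` and only `.git` and `flake.lock` are excluded, so every run prints the WARNING and the check stops carrying any signal; add `--exclude=codex-maintenance.sh` (or `--exclude-dir=scripts`) to the grep. `MODE` accepts any value and silently falls back to validation for anything other than `dry-run`, so a typo such as `dryrun` skips the builds without notice; a `case "$MODE" in validate|dry-run) ;; *) echo "unknown mode: $MODE" >&2; exit 2 ;; esac` right after the assignment closes that gap. The two `for host in $hosts` loops rely on word-splitting a newline-joined string; `mapfile -t hosts < <(jq -r '.[]' <<<"$hosts_json")` with `"${hosts[@]}"` is the robust form and also drops the `echo | jq` pipe. Note also that `nixpkgs#nixpkgs-fmt` and `nixpkgs#statix` resolve through the flake registry rather than this flake's locked `nixpkgs` input, so lint and format results can drift between machines.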
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export NIX_CONFIG="${NIX_CONFIG:-}
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+"
+
+if ! command -v nix >/dev/null 2>&1; then
+  echo "Installing Nix in single-user mode..."
+  sh <(curl -L https://nixos.org/nix/install) --no-daemon
+  # shellcheck disable=SC1090
+  . "$HOME/.nix-profile/etc/profile.d/nix.sh"
+fi
+
+mkdir -p "$HOME/.config/nix"
+cat > "$HOME/.config/nix/nix.conf" <<'EOF'
+experimental-features = nix-command flakes
+accept-flake-config = false
+warn-dirty = false
+EOF
+
+echo "Nix version:"
+nix --version
+
+echo "Available NixOS hosts:"
+nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]'
+
+echo "Evaluating all host toplevel derivations..."
+for host in $(nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]'); do
+  echo "==> Evaluating $host"
+  nix eval --raw --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath"
+done
+
+echo "Codex setup complete."
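Review bot: `cat > "$HOME/.config/nix/nix.conf" <<'EOF'` unconditionally truncates any existing user nix.conf, so substituters, trusted keys or other settings a developer already has there are silently lost on every run; guard it with `if [[ ! -e "$HOME/.config/nix/nix.conf" ]]; then … fi` or only append the keys that are missing. The installer line `sh <(curl -L https://nixos.org/nix/install) --no-daemon` calls curl without `-f`, so on an HTTP error the error page body is handed to sh; at minimum use `curl -fsSL`, and preferably download to a `mktemp` file, compare its checksum against a value recorded in the repo (`<EXPECTED_SHA256_PLACEHOLDER>`), and execute it only on a match. The host list is also evaluated twice and word-split in the `for host in $(nix eval …)` loop; `mapfile -t hosts < <(nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]')` reads it once into an array that both the listing and the loop can use.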