ci: drop darwin shims, rebuild locally on netty runner

- remove macOS-era `sudo mkdir /Users/rathi/...` shim steps from flake-check
  and nix-format (Linux runner, paths don't exist, gitea-runner has no sudo)
- deploy-netty now runs `sudo nixos-rebuild switch --flake .#netty` directly
  on the runner (it *is* netty), no SSH, no `just switch-netty`
- grant gitea-runner NOPASSWD sudo for nixos-rebuild only
- apply current nixfmt to home/scripts.nix, hermes-gateway.nix, devshells.nix

Made-with: Cursor

.github/workflows/quality.yml

@@ -37,11 +37,6 @@ jobs:
     if: ${{ needs.changes.outputs.quality == 'true' }}
     steps:
       - uses: actions/checkout@v4
-      - name: Prepare local flake input shims
-        run: |
-          set -euo pipefail
-          sudo mkdir -p /Users/rathi/Documents/GitHub/companion/agentcomputer/apps
-          sudo ln -sfn "$GITHUB_WORKSPACE/ci/agentcomputer-cli-stub" /Users/rathi/Documents/GitHub/companion/agentcomputer/apps/cli
       - run: nix flake check
 
   nix-format:
@@ -51,11 +46,6 @@ jobs:
     if: ${{ needs.changes.outputs.quality == 'true' }}
     steps:
       - uses: actions/checkout@v4
-      - name: Prepare local flake input shims
-        run: |
-          set -euo pipefail
-          sudo mkdir -p /Users/rathi/Documents/GitHub/companion/agentcomputer/apps
-          sudo ln -sfn "$GITHUB_WORKSPACE/ci/agentcomputer-cli-stub" /Users/rathi/Documents/GitHub/companion/agentcomputer/apps/cli
       - run: nix fmt -- --ci
 
   deploy-netty:
@@ -67,8 +57,8 @@ jobs:
       group: deploy-netty
     steps:
       - uses: actions/checkout@v4
-      - name: Deploy netty
+      - name: Rebuild netty
         shell: bash
         run: |
           set -euo pipefail
-          just switch-netty
+          sudo nixos-rebuild switch --flake ".#netty"

home/scripts.nix

@@ -38,9 +38,9 @@ in
     ln -sfn "$THEME_TMUX_TARGET" "${customScripts.theme.paths.tmuxCurrentFile}"
     ln -sfn "$THEME_LAZYGIT_TARGET" "${customScripts.theme.paths.lazygitCurrentFile}"
     ${lib.optionalString hostConfig.isDarwin ''
-    lg_darwin="${config.home.homeDirectory}/Library/Application Support/lazygit"
+      lg_darwin="${config.home.homeDirectory}/Library/Application Support/lazygit"
-    mkdir -p "$lg_darwin"
+      mkdir -p "$lg_darwin"
-    ln -sfn "$THEME_DARWIN_LAZYGIT_TARGET" "$lg_darwin/config.yml"
+      ln -sfn "$THEME_DARWIN_LAZYGIT_TARGET" "$lg_darwin/config.yml"
     ''}
 
     # seed wallpapers from static assets if no generated ones exist yet

hosts/netty/forgejo-runner.nix

@@ -8,6 +8,21 @@ let
   cacheRoot = "/var/cache/forgejo-runner";
 in
 {
+  security.sudo.extraRules = [
+    {
+      users = [ "gitea-runner" ];
+      commands = [
+        {
+          command = "/run/current-system/sw/bin/nixos-rebuild";
+          options = [
+            "NOPASSWD"
+            "SETENV"
+          ];
+        }
+      ];
+    }
+  ];
+
   systemd.tmpfiles.rules = [
     "d ${cacheRoot} 0750 gitea-runner gitea-runner -"
     "d ${cacheRoot}/cargo 0750 gitea-runner gitea-runner -"

hosts/netty/hermes-gateway.nix

@@ -63,7 +63,7 @@ in
       };
     };
 
-    mcpServers = {};
+    mcpServers = { };
 
     extraPackages = with pkgs; [
       nodejs_22

modules/devshells.nix

@@ -9,13 +9,12 @@
     {
       formatter = pkgs.nixfmt-tree;
 
-      packages =
+      packages = {
-        {
+        home-manager = inputs.home-manager.packages.${system}.home-manager;
-          home-manager = inputs.home-manager.packages.${system}.home-manager;
+      }
-        }
+      // lib.optionalAttrs (lib.hasSuffix "darwin" system) {
-        // lib.optionalAttrs (lib.hasSuffix "darwin" system) {
+        darwin-rebuild = inputs.nix-darwin.packages.${system}.darwin-rebuild;
-          darwin-rebuild = inputs.nix-darwin.packages.${system}.darwin-rebuild;
+      };
-        };
 
       devShells.default = pkgs.mkShell {
         packages = with pkgs; [