diff --git a/ci/agentcomputer-cli-stub/flake.nix b/ci/agentcomputer-cli-stub/flake.nix
deleted file mode 100644
index aafbc22..0000000
--- a/ci/agentcomputer-cli-stub/flake.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- description = "CI stub for the local agentcomputer-cli flake input";
-
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
-
- outputs =
- { nixpkgs, ... }:
- let
- systems = [
- "aarch64-darwin"
- "x86_64-darwin"
- "aarch64-linux"
- "x86_64-linux"
- ];
- forAllSystems = nixpkgs.lib.genAttrs systems;
- in
- {
- packages = forAllSystems (
- system:
- let
- pkgs = import nixpkgs { inherit system; };
- in
- {
- default = pkgs.writeShellScriptBin "aicomputer" ''
- echo "agentcomputer-cli CI stub"
- '';
- }
- );
- };
-}
diff --git a/docs/secrets.md b/docs/secrets.md
deleted file mode 100644
index 0b0af72..0000000
--- a/docs/secrets.md
+++ /dev/null
@@ -1,80 +0,0 @@ -# Secrets - -## Current Model - -This repo does not store secret values in Nix. - -Instead: - -- Bitwarden vault items are the current source of truth for imported machine - secrets -- Nix/Home Manager owns the integration points -- generated runtime files live outside the repo under `~/.config/secrets` - -That boundary matters because the Nix store is not the right place for real -secret values. - -## What Is Already Wired - -- [home/zsh.nix](/Users/rathi/Documents/GitHub/nix/home/zsh.nix) sources - `~/.config/secrets/shell.zsh` when present -- [scripts/render-bw-shell-secrets.sh](/Users/rathi/Documents/GitHub/nix/scripts/render-bw-shell-secrets.sh) - renders that file from Bitwarden vault items -- [scripts/restore-bw-files.sh](/Users/rathi/Documents/GitHub/nix/scripts/restore-bw-files.sh) - restores file-based credentials and SSH material from Bitwarden vault items -- [justfile](/Users/rathi/Documents/GitHub/nix/justfile) exposes this as - `just secrets-sync` and `just secrets-restore-files` - -## Daily Shell Flow - -```bash -export BW_SESSION="$(bw unlock --raw)" -just secrets-sync -exec zsh -l -``` - -That flow currently materializes: - -- `OPENAI_API_KEY` -- `GREPTILE_API_KEY` -- `CONTEXT7_API_KEY` -- `MISTRAL_API_KEY` - -## Machine Secret Coverage - -The Bitwarden vault now holds: - -- API keys and CLI tokens -- AWS default credentials -- GCloud ADC -- Stripe CLI config -- Codex auth -- Vercel auth -- SSH configs -- SSH private keys - -The vault is currently the backup/recovery source of truth for those values. - -## Sandbox Strategy - -For a fresh sandbox or new machine, the clean bootstrap is: - -1. `darwin-rebuild switch` or Home Manager activation -2. authenticate `bw` -3. `just secrets-sync` -4. `just secrets-restore-files` - -That gives you a usable dev shell quickly without committing any secret values -into the repo. 
- -## Future Upgrade - -If you want fully non-interactive sandbox secret injection, the next step is to -move the env-style secrets from normal Bitwarden vault items into Bitwarden -Secrets Manager (`bws`) and keep file-based credentials and SSH material in the -normal vault. - -That would give you: - -- `bws` for machine/app secrets -- `bw` for human-managed vault items, SSH material, and recovery data diff --git a/flake.nix b/flake.nix index 5b340ef..d38b59b 100644 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,5 @@ { - description = "Rathi's macOS nix-darwin + NixOS + Home Manager config"; + description = "Hari's nix config"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; @@ -25,11 +25,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - agentcomputer-cli = { - url = "path:/Users/rathi/Documents/GitHub/companion/agentcomputer/apps/cli"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - openspec = { url = "github:Fission-AI/OpenSpec"; }; diff --git a/home/bat.nix b/home/bat.nix index 50f1b76..a7a1fc2 100644 --- a/home/bat.nix +++ b/home/bat.nix @@ -1,7 +1,4 @@ -{ config, ... }: -let - theme = import ../lib/theme.nix { inherit config; }; -in +{ theme, ... }: { programs.bat = { enable = true; diff --git a/home/common.nix b/home/common.nix index cd53bdc..eba4f83 100644 --- a/home/common.nix +++ b/home/common.nix @@ -1,5 +1,7 @@ -{ ... }: +{ config, ... }: { + _module.args.theme = import ../lib/theme.nix { inherit config; }; + imports = [ ./bat.nix ./eza.nix diff --git a/home/fzf.nix b/home/fzf.nix index be0c859..08d5d74 100644 --- a/home/fzf.nix +++ b/home/fzf.nix @@ -1,7 +1,4 @@ -{ config, ... }: -let - theme = import ../lib/theme.nix { inherit config; }; -in +{ theme, ... }: { home.sessionVariables = { FZF_DEFAULT_OPTS_FILE = theme.paths.fzfCurrentFile; diff --git a/home/ghostty.nix b/home/ghostty.nix index dd768df..5e611e6 100644 --- a/home/ghostty.nix +++ b/home/ghostty.nix 
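Review bot: The new header `{ theme, ... }:` in home/bat.nix makes the module depend on a `theme` argument that, as far as this diff shows, exists only because home/common.nix sets `_module.args.theme` and imports `./bat.nix`; evaluating bat.nix under any other entry point would fail on the missing argument, and nothing in the file records that coupling. A one-line comment above the header would make it visible, e.g. `# \`theme\` is injected by common.nix through _module.args; not usable standalone`. The same applies to the identical header changes in home/fzf.nix, home/ghostty.nix, home/git.nix, home/prompt.nix, home/tmux.nix and home/zsh.nix.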
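Review bot: `_module.args.theme = import ../lib/theme.nix { inherit config; };` in home/common.nix computes the argument from `config`, which means any importing module may use `theme` in option definitions but never inside its `imports` list, where the module system would recurse before `config` is fixed; the added line does not say so. Suggest `# Derived from config: use theme in module bodies only, never in imports (infinite recursion).` directly above it. Whether the surrounding Home Manager entry point already supplies the same argument via specialArgs is not visible here, so the comment should also be the place to note the intended single source.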
@@ -1,12 +1,11 @@ { - config, lib, pkgs, hostConfig, + theme, ... }: let - theme = import ../lib/theme.nix { inherit config; }; ghosttyConfig = '' theme = "cozybox-current" font-family = Berkeley Mono diff --git a/home/git.nix b/home/git.nix index 8ef05d2..dc1bfcc 100644 --- a/home/git.nix +++ b/home/git.nix @@ -1,7 +1,4 @@ -{ config, ... }: -let - theme = import ../lib/theme.nix { inherit config; }; -in +{ theme, ... }: { programs.git = { enable = true; diff --git a/home/prompt.nix b/home/prompt.nix index 97ee72b..5dafdc9 100644 --- a/home/prompt.nix +++ b/home/prompt.nix @@ -1,12 +1,9 @@ { - config, lib, pkgs, + theme, ... }: -let - theme = import ../lib/theme.nix { inherit config; }; -in { home.packages = [ pkgs.pure-prompt ]; @@ -38,12 +35,14 @@ in typeset -g prompt_pure_git_branch_color=$prompt_pure_colors[git:branch] [[ -n ''${prompt_pure_git_last_dirty_check_timestamp+x} ]] && prompt_pure_git_branch_color=$prompt_pure_colors[git:branch:cached] - # Branch + arrows turn yellow when dirty + # Branch, arrows, and prompt symbol turn yellow when dirty if [[ -n $prompt_pure_git_dirty ]]; then prompt_pure_git_branch_color=$prompt_pure_colors[git:dirty] prompt_pure_colors[git:arrow]=$prompt_pure_colors[git:dirty] + prompt_pure_colors[prompt:success]=$prompt_pure_colors[git:dirty] else prompt_pure_colors[git:arrow]=$_codex_pure_default_arrow + prompt_pure_colors[prompt:success]=$_codex_pure_default_success fi psvar[12]=; ((''${(M)#jobstates:#suspended:*} != 0)) && psvar[12]=''${PURE_SUSPENDED_JOBS_SYMBOL:-✦} @@ -66,6 +65,7 @@ in } typeset -g _codex_pure_default_arrow=$prompt_pure_colors[git:arrow] + typeset -g _codex_pure_default_success=$prompt_pure_colors[prompt:success] _codex_apply_prompt_theme() { local mode="$(_codex_read_theme_mode)" @@ -78,6 +78,7 @@ in fi typeset -g _codex_pure_default_arrow=$prompt_pure_colors[git:arrow] + typeset -g _codex_pure_default_success=$prompt_pure_colors[prompt:success] typeset -g _CODEX_LAST_PROMPT_THEME="$mode" } '') 
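Review bot: In home/prompt.nix the last hunk's `typeset -g _codex_pure_default_success=$prompt_pure_colors[prompt:success]` inside `_codex_apply_prompt_theme` snapshots whatever the key holds at that moment; if the `if`/`fi` just above it does not reassign `prompt_pure_colors[prompt:success]` for the new mode, and the theme is switched while the worktree is dirty, the snapshot is the dirty colour and the `else` branch in the first prompt.nix hunk restores yellow as the "default" from then on. The pre-existing `_codex_pure_default_arrow` line has the same shape, so this may already be handled by code above the hunk (the function body starts outside it); if it is not, set `prompt_pure_colors[prompt:success]` explicitly in the mode branch before the snapshot is taken. A comment at the snapshot, `# must run after prompt:success has been reset for the mode, not from a dirty-state override`, would document the ordering either way.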
diff --git a/home/tmux.nix b/home/tmux.nix index c6662b9..d6bf988 100644 --- a/home/tmux.nix +++ b/home/tmux.nix @@ -1,12 +1,9 @@ { - config, lib, pkgs, + theme, ... }: -let - theme = import ../lib/theme.nix { inherit config; }; -in { programs.tmux = { enable = true; diff --git a/home/zsh.nix b/home/zsh.nix index ce65475..b2ae327 100644 --- a/home/zsh.nix +++ b/home/zsh.nix @@ -3,11 +3,9 @@ lib, pkgs, hostConfig, + theme, ... }: -let - theme = import ../lib/theme.nix { inherit config; }; -in { programs.zsh = { enable = true; @@ -156,12 +154,6 @@ in _codex_apply_prompt_theme _codex_apply_highlight_styles - ${lib.optionalString hostConfig.isDarwin '' - if command -v wt >/dev/null 2>&1; then - eval "$(command wt config shell init zsh)" - wtc() { wt switch --create --base @ "$@"; } - fi - ''} '') (lib.mkAfter '' diff --git a/lib/package-sets.nix b/lib/package-sets.nix index ebd0033..8e8aff1 100644 --- a/lib/package-sets.nix +++ b/lib/package-sets.nix 
@@ -6,56 +6,8 @@ let gwsPackage = inputs.googleworkspace-cli.packages.${pkgs.stdenv.hostPlatform.system}.default; claudePackage = inputs.claudeCode.packages.${pkgs.stdenv.hostPlatform.system}.default; - agentcomputerPackage = inputs.agentcomputer-cli.packages.${pkgs.stdenv.hostPlatform.system}.default; openspecPackage = inputs.openspec.packages.${pkgs.stdenv.hostPlatform.system}.default; - graphite = pkgs.stdenvNoCC.mkDerivation rec { - pname = "graphite"; - version = "1.7.20"; - - src = pkgs.fetchurl { - url = "https://github.com/withgraphite/homebrew-tap/releases/download/v${version}/gt-macos-arm64"; - hash = "sha256-ho9VQw1ic3jhG3yxNwUL0W1WvNFku9zw6DQnGehs7+8="; - }; - - dontUnpack = true; - - installPhase = '' - install -Dm755 "$src" "$out/bin/gt" - ''; - - meta = { - description = "Manage stacked Git changes and submit them for review"; - homepage = "https://graphite.dev/"; - license = lib.licenses.agpl3Only; - mainProgram = "gt"; - platforms = lib.platforms.darwin; - }; - }; - - worktrunk = pkgs.rustPlatform.buildRustPackage rec { - pname = "worktrunk"; - version = "0.23.1"; - - src = pkgs.fetchurl { - url = "https://github.com/max-sixty/worktrunk/archive/refs/tags/v${version}.tar.gz"; - hash = "sha256-cdQDUz7to3JkriWE9i5iJ2RftJFZivw7CTwGxDZPAqw="; - }; - - cargoHash = "sha256-DHjwNqMiVkWqL3CuOCITvyqkdKe+GOZ2nlMSstDIcTg="; - doCheck = false; - - meta = { - description = "CLI for Git worktree management"; - homepage = "https://worktrunk.dev"; - license = with lib.licenses; [ - asl20 - mit - ]; - mainProgram = "wt"; - platforms = lib.platforms.darwin; - }; - }; in { core = with pkgs; [ @@ -107,15 +59,10 @@ in yt-dlp ]) ++ lib.optionals pkgs.stdenv.isDarwin [ - agentcomputerPackage pkgs.texliveFull ] ++ [ openspecPackage - ] - ++ lib.optionals pkgs.stdenv.isDarwin [ - graphite - worktrunk ]; fonts = with pkgs; [