- bsd-finger, ytalk, fortune in systemPackages
- Fortune displays on interactive shell login via programs.bash.interactiveShellInit
- Avoids breaking nix copy/rsync/scp (loginShellInit was wrong approach)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add users.groups.devs for shared resources
- dev-add: check devs group exists before creating user
- dev-add: use .profile for login shell PATH setup
- dev-add: configure npm prefix and .npm-global directory
- dev-add: create AGENTS.md with friendly capability guide
- Update onboarding message with npm install examples
- Add docs/server-AGENTS.md for reference
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Covers four methods: system-wide, per-user nix profile,
per-project devShell, and external flakes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Creates drop-in at /run/systemd/system/user-.slice.d/50-limits.conf
to enforce per-user limits (vs slice-wide):
- MemoryMax=50% (~1GB per user)
- TasksMax=200 per user
- CPUQuota=200% (max 2 cores sustained)
Prevents one user from starving others.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- egress-watchdog: Use process substitution to avoid subshell gotcha
- killswitch: Rename USER to TARGET_USER (avoid shadowing builtin)
- Add documentation comments for UID range and grep -P dependency
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Monitors EGRESS-LIMIT kernel log entries, tracks strikes per user,
triggers killswitch after 3 consecutive violations within a minute.
Runs every minute via systemd timer.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Kills all processes for a user
- Terminates login session
- Logs to syslog with reason
- Refuses to kill system users (uid < 1000)
- Closes ops-jrz1-396
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- docs/security-posture.md: Threat model, risk assessment, recommendations
- Make home directories private (chmod 700)
- Update learner-add.sh to create private homes
- Closes ops-jrz1-k2a
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove manual /usr/local/bin/claude install
- Remove claude symlink setup from learner-add.sh
- Update onboarding docs with npm install instructions
- Users choose their AI coder: claude, opencode, gemini, codex
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- opencode (v1.0.224) via flake input from github:sst/opencode
- nodejs_22 for npm-based AI tools (gemini-cli, codex)
- Closes ops-jrz1-ecw
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- tmux for session persistence
- beads (bd CLI) via flake input from github:steveyegge/beads
- Closes ops-jrz1-d38, ops-jrz1-jvt
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
