Allows dev users to use nix develop, nix build, etc.
Previously blocked by daemon access restrictions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove beads from VPS deployment (kept locally for dev workflow)
- Add slack-bot-token and slack-app-token secrets with devs group access
- Remove dead acme-email secret reference
- Increase egress limits from 30/min to 150/min (burst 60→300)
- Change egress blocking from REJECT to DROP for better app behavior
- Add egress-status script for user self-diagnosis
- Update dev-slack-direct.md with new /run/secrets access patterns
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
VM imports configuration.nix which already has the permission.
Clarified comments explaining why both flake.nix and configuration.nix
need the permission (different pkgs sources).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- mosh package in systemPackages
- UDP ports 60000-60010 for mosh sessions
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- bsd-finger, ytalk, fortune in systemPackages
- Fortune displays on interactive shell login via programs.bash.interactiveShellInit
- Avoids breaking nix copy/rsync/scp (loginShellInit was wrong approach)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add users.groups.devs for shared resources
- dev-add: check devs group exists before creating user
- dev-add: use .profile for login shell PATH setup
- dev-add: configure npm prefix and .npm-global directory
- dev-add: create AGENTS.md with friendly capability guide
- Update onboarding message with npm install examples
- Add docs/server-AGENTS.md for reference
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Creates drop-in at /run/systemd/system/user-.slice.d/50-limits.conf
to enforce per-user limits (vs slice-wide):
- MemoryMax=50% (~1GB per user)
- TasksMax=200 per user
- CPUQuota=200% (max 2 cores sustained)
Prevents one user from starving others.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- egress-watchdog: Use process substitution to avoid subshell gotcha
- killswitch: Rename USER to TARGET_USER (avoid shadowing builtin)
- Add documentation comments for UID range and grep -P dependency
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Monitors EGRESS-LIMIT kernel log entries, tracks strikes per user,
triggers killswitch after 3 consecutive violations within a minute.
Runs every minute via systemd timer.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- opencode (v1.0.224) via flake input from github:sst/opencode
- nodejs_22 for npm-based AI tools (gemini-cli, codex)
- Closes ops-jrz1-ecw
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- tmux for session persistence
- beads (bd CLI) via flake input from github:steveyegge/beads
- Closes ops-jrz1-d38, ops-jrz1-jvt
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Install claude binary to /usr/local/bin
- Symlink to ~/.local/bin for users (in PATH)
- Update learner-add.sh to set up symlink for new users
- Add /usr/local/bin to PATH via shellInit
- test-learner-env.sh: SSH, nix-ld, Slack tokens, Python, API connectivity
- test-slack-bolt.py: Socket Mode connection test
- Makefile: test runner with env/slack-bolt/vscode targets
- Add python3 + uv to system packages
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add permittedInsecurePackages for deprecated olm library
- Required by mautrix-slack, mautrix-whatsapp, mautrix-gmessages bridges
- Acceptable risk for Matrix bridge functionality until alternatives available
- Accept Let's Encrypt terms of service
- Configure email for certificate notifications (dlei@duck.com)
- Nginx virtual hosts already configured with enableACME and forceSSL
Ready for deployment to VPS.
- Add hardware-configuration.nix from VPS (45.77.205.49)
- Update configuration.nix with correct boot loader (/dev/vda) and network (ens3)
- Enable Matrix homeserver and dev-platform services in hosts/ops-jrz1.nix
- Configure for clarun.xyz domain with Matrix, Forgejo, and mautrix-slack
- Add SSH authorized keys and enable Nix flakes
Ready to deploy to replace ops-base configuration.
