From c01f195d59eeab96525f9edaf842202467720d85 Mon Sep 17 00:00:00 2001 From: Fabian Montero Date: Fri, 13 Feb 2026 00:08:14 -0600 Subject: [PATCH 1/7] update config to new 25.11 options --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 2b53ebd..151c3d3 100644 --- a/flake.nix +++ b/flake.nix @@ -210,7 +210,7 @@ }: flakes.nixpkgs.lib.makeOverridable flakes.nixpkgs.lib.nixosSystem { inherit pkgs; - inherit (pkgs) system; + inherit (pkgs.stdenv.hostPlatform) system; modules = [self.nixosModules.default] ++ modules; From f133a894d89bbedfc17e56189d3ef77005b6b877 Mon Sep 17 00:00:00 2001 From: Alejandro Soto Date: Wed, 18 Feb 2026 18:56:39 -0600 Subject: [PATCH 2/7] trivionomicon: athena-bccr: fix Polkit authentication failures --- modules/athena-bccr/sys.nix | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/modules/athena-bccr/sys.nix b/modules/athena-bccr/sys.nix index 631185d..9532358 100644 --- a/modules/athena-bccr/sys.nix +++ b/modules/athena-bccr/sys.nix @@ -19,8 +19,22 @@ in { systemPackages = [athena.ase-pkcs11]; }; - #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA - security.pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"]; + security = { + #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA + pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"]; + + polkit = { + enable = lib.mkDefault true; + + extraConfig = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.isInGroup("users")) { + return polkit.Result.YES; + } + }); + ''; + }; + }; services = { pcscd.enable = true; From cbc0180d60888b0eaf005e9042f7bccbc4afbc7d Mon Sep 17 00:00:00 2001 
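Review bot: The polkit rule added under `security.polkit.extraConfig` in modules/athena-bccr/sys.nix (PATCH 2/7) returns `polkit.Result.YES` for every subject in the `users` group without looking at the session. Remote and inactive sessions therefore get access to the smart-card daemon with no authentication, not only the person at the console. On NixOS, `users` is normally the primary group of every regular account, so the grant is effectively host-wide. Consider narrowing the condition, e.g. `subject.isInGroup("users") && subject.local && subject.active`; if the original failures came from sessions that are not marked active, a dedicated group exposed as a module option is the narrower alternative. PATCH 3/7 extends the same condition to `org.debian.pcsc-lite.access_card`, so the fix applies there too, and a short comment above the rule saying why the stock pcsc-lite policy was insufficient would help.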
From: Alejandro Soto Date: Wed, 18 Feb 2026 19:06:23 -0600 Subject: [PATCH 3/7] trivionomicon: athena-bccr: allow the 'users' group to access any card --- modules/athena-bccr/sys.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/athena-bccr/sys.nix b/modules/athena-bccr/sys.nix index 9532358..2dd56e2 100644 --- a/modules/athena-bccr/sys.nix +++ b/modules/athena-bccr/sys.nix @@ -28,7 +28,8 @@ in { extraConfig = '' polkit.addRule(function(action, subject) { - if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.isInGroup("users")) { + if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && + subject.isInGroup("users")) { return polkit.Result.YES; } }); From d835588135cdac30b5bf0fe0479636b85a0240cc Mon Sep 17 00:00:00 2001 From: Alejandro Soto Date: Wed, 18 Feb 2026 19:25:49 -0600 Subject: [PATCH 4/7] trivionomicon: athena-bccr: update 1.9.8 -> latest master --- ...01-Remove-CheckUpdatePlugin-from-default-list.patch | 10 +++++----- pkgs/athena-bccr/firmador.nix | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch b/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch index e7fc5d5..a15896a 100644 --- a/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch +++ b/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch @@ -8,18 +8,18 @@ Subject: [PATCH] Remove CheckUpdatePlugin from default list 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/cr/libre/firmador/Settings.java b/src/main/java/cr/libre/firmador/Settings.java -index e5ddf01..a028d6e 100644 +index e392a82..c2ab5e4 100644 --- a/src/main/java/cr/libre/firmador/Settings.java 
+++ b/src/main/java/cr/libre/firmador/Settings.java -@@ -81,7 +81,7 @@ public class Settings { - +@@ -160,7 +160,7 @@ public class Settings { + @SuppressWarnings("this-escape") public Settings() { activePlugins.add("cr.libre.firmador.plugins.DummyPlugin"); - activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin"); + // activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin"); + // activePlugins.add("cr.libre.firmador.plugins.DocumentSignLogs"); availablePlugins.add("cr.libre.firmador.plugins.DummyPlugin"); availablePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin"); - } -- -2.49.0 +2.51.2 diff --git a/pkgs/athena-bccr/firmador.nix b/pkgs/athena-bccr/firmador.nix index 8ae8750..e07235b 100644 --- a/pkgs/athena-bccr/firmador.nix +++ b/pkgs/athena-bccr/firmador.nix @@ -11,7 +11,7 @@ enableJavaFX = true; }; - version = "1.9.8"; + version = "1.9.8+master"; in maven.buildMavenPackage { pname = "firmador"; @@ -19,15 +19,15 @@ in src = fetchgit { url = "https://codeberg.org/firmador/firmador"; - rev = version; - hash = "sha256-xdiVPjihRADPK4nG+WQHWsDzVYLCeN6ouQ6SDtjf1qQ="; + rev = "676b0e3c0dc5adb0628d4d98efcfccfca3daa8a7"; + hash = "sha256-f/EKll1csvUCRSt4G1SeDB4gVW+ZtUgJjlmM7PlafyQ="; }; patches = [ ./0001-Remove-CheckUpdatePlugin-from-default-list.patch ]; - mvnHash = "sha256-m3UaOLNyIlVAOI5tzxMlxg4KZ1N5gT2O2WSka+jBat4="; + mvnHash = "sha256-0vwJ1f+0UXxrXRaJ1BHqfOXDU/pxrSPdYYEQ71m4jJQ="; nativeBuildInputs = [ makeWrapper @@ -35,7 +35,7 @@ in ]; postPatch = lib.optionalString (libasep11 != null) '' - sed -i 's@/usr/lib/x64-athena/libASEP11.so@${libasep11}@g' src/main/java/cr/libre/firmador/CRSigner.java + sed -i 's@/usr/lib/x64-athena/libASEP11.so@${libasep11}@g' src/main/java/cr/libre/firmador/signers/CRSigner.java ''; installPhase = '' From 39789ad3914d9a1970edb14fa7446904eccb6fb6 Mon Sep 17 00:00:00 2001 
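Review bot: With `rev` now a bare commit hash in the `fetchgit` call of pkgs/athena-bccr/firmador.nix, nothing in the file records which upstream state is being built, and `version = "1.9.8+master"` (set in the previous hunk) names a moving branch rather than the pinned commit. Pinning by full hash plus `hash` is the right choice for a signing tool, but the snapshot should be identifiable, e.g. `version = "1.9.8-unstable-<commit date>";` or a comment `# firmador master as of <commit date>` above `rev`. That keeps store paths and later vulnerability triage tied to a known source revision, which matters more here because the packaged patch also turns off the application's own update check.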
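Review bot: The `sed -i` in `postPatch` exits successfully even when `/usr/lib/x64-athena/libASEP11.so` no longer appears in the target file. A later upstream change to that literal would then leave the PKCS#11 module path pointing outside the Nix store without any build failure; the file move was presumably noticed only because sed errors on a missing file. Using `substituteInPlace src/main/java/cr/libre/firmador/signers/CRSigner.java --replace-fail '/usr/lib/x64-athena/libASEP11.so' '${libasep11}'` makes the build fail as soon as the pattern stops matching. The `installPhase` that follows lies outside the hunk.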
From: Fabian Montero Date: Sat, 28 Feb 2026 23:19:12 -0600 Subject: [PATCH 5/7] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'homepage': 'git+https://git.posixlycorrect.com/fabian/homepage.git?ref=refs/heads/master&rev=0de7c28109045758ca5fd032e098a72520eec481' (2026-02-04) → 'git+https://git.posixlycorrect.com/fabian/homepage.git?ref=refs/heads/master&rev=1ef6d4cd8517855b9aaf7671dccc6f992eea1f6c' (2026-03-01) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 3ebc308..1efb9fa 100644 --- a/flake.lock +++ b/flake.lock @@ -276,11 +276,11 @@ ] }, "locked": { - "lastModified": 1770237702, - "narHash": "sha256-a2gUeJd7B4KxYSI17MaEjVMJUMS4zRR2Ha2vFplssmc=", + "lastModified": 1772342291, + "narHash": "sha256-hXlWBR5yBOtxgF/7Vr2tVknh4LxFGheiS7yHD8sWbfs=", "ref": "refs/heads/master", - "rev": "0de7c28109045758ca5fd032e098a72520eec481", - "revCount": 73, + "rev": "1ef6d4cd8517855b9aaf7671dccc6f992eea1f6c", + "revCount": 74, "type": "git", "url": "https://git.posixlycorrect.com/fabian/homepage.git" }, From 9f1bf715865cb392fc499aa1a92b06bfc55f28d3 Mon Sep 17 00:00:00 2001 From: Fabian Montero Date: Mon, 2 Mar 2026 13:38:57 -0600 Subject: [PATCH 6/7] android support: update udev rules management --- sys/modules/android.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/sys/modules/android.nix b/sys/modules/android.nix index 504a5d4..0891e97 100644 --- a/sys/modules/android.nix +++ b/sys/modules/android.nix @@ -11,11 +11,6 @@ in { enable = mkEnableOption "androidSupport settings"; }; config = mkIf cfg.enable { - services.udev.packages = with pkgs; [ - # android-udev-rules - # todo: 'android-udev-rules' has been removed due to being superseded by built-in systemd uaccess rules - ]; - environment.systemPackages = with pkgs; [ android-tools ]; 
From a0789edb6ec87ee2756b96c9d3f4a1b4da4aa41b Mon Sep 17 00:00:00 2001 From: Fabian Montero Date: Mon, 2 Mar 2026 20:35:36 -0600 Subject: [PATCH 7/7] yeah i use some ai lol, sorry --- CLAUDE.md | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 CLAUDE.md diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..4d171d4 --- /dev/null +++ b/CLAUDE.md 
@@ -0,0 +1,105 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Architecture + +This is a unified NixOS and Home Manager configuration using the **trivionomicon doctrine system** as a git subtree. + +### Directory Structure + +- `home/` - Home Manager user configuration + - `modules/` - User-level feature modules (terminal, neovim, firefox, ai, etc.) + - `platforms/` - User-specific configs per host (`fabian@t14`, `fabian@posixlycorrect`, `fabian@vps`) +- `sys/` - NixOS system configuration + - `modules/` - System-level feature modules (audio, graphics, networking, etc.) + - `platforms/` - Machine-specific configs (`t14`, `posixlycorrect`, `vps`) +- `pkgs/` - Custom package overlays and nixpkgs configuration +- `trivionomicon/` - Shared doctrine framework (git subtree) + - `doctrine/` - Core library (`mkModule`, `mkSystemFlake`) + - `modules/` - Shared modules usable by any host + +### Namespace Conventions + +- `config.local.*` - Home Manager modules (user level) +- `config.local.sys.*` - NixOS modules (system level) +- `config.trivium.*` - Trivionomicon shared modules + +### Module Patterns + +**Simple module** (single layer): +```nix +{config, lib, pkgs, ...}: +with lib; let + cfg = config.local.programs.terminal; +in { + options.local.programs.terminal = { enable = mkEnableOption "..."; }; + config = mkIf cfg.enable { ... }; +} +``` + +### Platform Configuration + +Each host has paired directories: +- `sys/platforms/{hostname}/` - Machine-specific NixOS config +- `home/platforms/{user}@{hostname}/` - User-specific Home Manager config + +The `flake.nix` uses `trivionomicon.lib.mkSystemFlake` to auto-generate configurations from these platform directories. + +## Trivionomicon System + +The trivionomicon is a shared NixOS/Home Manager module framework maintained collaboratively. 
It lives as a git subtree at `trivionomicon/` and provides unified modules that work across both NixOS and Home Manager contexts. + +### Core Functions + +- **`mkDoctrine`** - Creates namespace context with the "trivium" prefix and hm/sys awareness +- **`mkModule`** - Composes hm.nix + sys.nix + options.nix into a unified module +- **`mkSystemFlake`** - Auto-generates flake outputs from platform directories + +### Module Structure + +``` +moduleName/ +├── default.nix # Entry: calls doctrine.lib.mkModule +├── options.nix # Options split by hm/sys keys +├── hm.nix # Home Manager implementation (optional) +└── sys.nix # NixOS implementation (optional) +``` + +### Available Modules + +Modules are located at `trivionomicon/modules`. + +### Git Subtree Workflow + +#### Commit separation (critical): +Never create commits that include both: +- Changes inside `trivionomicon/` +- Changes outside `trivionomicon/` (home/, sys/, pkgs/, flake.nix, etc.) + +The trivionomicon is a shared project. Each commit touching `trivionomicon/` must contain only trivionomicon changes so it can be cleanly pushed upstream. + +#### Commit message conventions: +- If a module was modified: `trivionomicon/modules/: one line summary of changes` + +Similar layout if something other than a module was modified. + +#### Sync changes with the shared repository: +```bash +# Pull updates +git subtree pull --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master + +# Push changes back +git subtree push --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master +``` + +## Key Files + +- `pkgs/config/unfree.nix` - Allowlist for unfree packages (add packages here when needed) +- `pkgs/default.nix` - Package overlays and overrides +- `trivionomicon/doctrine/lib/` - Core doctrine functions for module composition + +## Restrictions + +Never use any `nix`, `home-manager`, `nixos-rebuild` or `nix-collect-garbage` commands. 
+Ask before using any `git` commands.