yeah i use some ai lol, sorry

Flake lock file updates:

• Updated input 'homepage':
    'git+https://git.posixlycorrect.com/fabian/homepage.git?ref=refs/heads/master&rev=0de7c28109045758ca5fd032e098a72520eec481' (2026-02-04)
  → 'git+https://git.posixlycorrect.com/fabian/homepage.git?ref=refs/heads/master&rev=1ef6d4cd8517855b9aaf7671dccc6f992eea1f6c' (2026-03-01)

CLAUDE.md

@@ -0,0 +1,105 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Architecture
+
+This is a unified NixOS and Home Manager configuration using the **trivionomicon doctrine system** as a git subtree.
+
+### Directory Structure
+
+- `home/` - Home Manager user configuration
+  - `modules/` - User-level feature modules (terminal, neovim, firefox, ai, etc.)
+  - `platforms/` - User-specific configs per host (`fabian@t14`, `fabian@posixlycorrect`, `fabian@vps`)
+- `sys/` - NixOS system configuration
+  - `modules/` - System-level feature modules (audio, graphics, networking, etc.)
+  - `platforms/` - Machine-specific configs (`t14`, `posixlycorrect`, `vps`)
+- `pkgs/` - Custom package overlays and nixpkgs configuration
+- `trivionomicon/` - Shared doctrine framework (git subtree)
+  - `doctrine/` - Core library (`mkModule`, `mkSystemFlake`)
+  - `modules/` - Shared modules usable by any host
+
+### Namespace Conventions
+
+- `config.local.*` - Home Manager modules (user level)
+- `config.local.sys.*` - NixOS modules (system level)
+- `config.trivium.*` - Trivionomicon shared modules
+
+### Module Patterns
+
+**Simple module** (single layer):
+```nix
+{config, lib, pkgs, ...}:
+with lib; let
+  cfg = config.local.programs.terminal;
+in {
+  options.local.programs.terminal = { enable = mkEnableOption "..."; };
+  config = mkIf cfg.enable { ... };
+}
+```
+
+### Platform Configuration
+
+Each host has paired directories:
+- `sys/platforms/{hostname}/` - Machine-specific NixOS config
+- `home/platforms/{user}@{hostname}/` - User-specific Home Manager config
+
+The `flake.nix` uses `trivionomicon.lib.mkSystemFlake` to auto-generate configurations from these platform directories.
+
+## Trivionomicon System
+
+The trivionomicon is a shared NixOS/Home Manager module framework maintained collaboratively. It lives as a git subtree at `trivionomicon/` and provides unified modules that work across both NixOS and Home Manager contexts.
+
+### Core Functions
+
+- **`mkDoctrine`** - Creates namespace context with the "trivium" prefix and hm/sys awareness
+- **`mkModule`** - Composes hm.nix + sys.nix + options.nix into a unified module
+- **`mkSystemFlake`** - Auto-generates flake outputs from platform directories
+
+### Module Structure
+
+```
+moduleName/
+├── default.nix    # Entry: calls doctrine.lib.mkModule
+├── options.nix    # Options split by hm/sys keys
+├── hm.nix         # Home Manager implementation (optional)
+└── sys.nix        # NixOS implementation (optional)
+```
+
+### Available Modules
+
+Modules are located at `trivionomicon/modules`.
+
+### Git Subtree Workflow
+
+#### Commit separation (critical):
+Never create commits that include both:
+- Changes inside `trivionomicon/`
+- Changes outside `trivionomicon/` (home/, sys/, pkgs/, flake.nix, etc.)
+
+The trivionomicon is a shared project. Each commit touching `trivionomicon/` must contain only trivionomicon changes so it can be cleanly pushed upstream.
+
+#### Commit message conventions:
+- If a module was modified: `trivionomicon/modules/<module name>: one line summary of changes`
+
+Similar layout if something other than a module was modified.
+
+#### Sync changes with the shared repository:
+```bash
+# Pull updates
+git subtree pull --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+
+# Push changes back
+git subtree push --prefix=trivionomicon forgejo@git.posixlycorrect.com:deepState/trivionomicon.git master
+```
+
+## Key Files
+
+- `pkgs/config/unfree.nix` - Allowlist for unfree packages (add packages here when needed)
+- `pkgs/default.nix` - Package overlays and overrides
+- `trivionomicon/doctrine/lib/` - Core doctrine functions for module composition
+
+## Restrictions
+
+Never use any `nix`, `home-manager`, `nixos-rebuild` or `nix-collect-garbage` commands.
+Ask before using any `git` commands.

flake.lock

@@ -276,11 +276,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770237702,
+        "lastModified": 1772342291,
-        "narHash": "sha256-a2gUeJd7B4KxYSI17MaEjVMJUMS4zRR2Ha2vFplssmc=",
+        "narHash": "sha256-hXlWBR5yBOtxgF/7Vr2tVknh4LxFGheiS7yHD8sWbfs=",
         "ref": "refs/heads/master",
-        "rev": "0de7c28109045758ca5fd032e098a72520eec481",
+        "rev": "1ef6d4cd8517855b9aaf7671dccc6f992eea1f6c",
-        "revCount": 73,
+        "revCount": 74,
         "type": "git",
         "url": "https://git.posixlycorrect.com/fabian/homepage.git"
       },

sys/modules/android.nix

@@ -11,11 +11,6 @@ in {
     enable = mkEnableOption "androidSupport settings";
   };
   config = mkIf cfg.enable {
-    services.udev.packages = with pkgs; [
-      # android-udev-rules
-      # todo: 'android-udev-rules' has been removed due to being superseded by built-in systemd uaccess rules
-    ];
-
     environment.systemPackages = with pkgs; [
       android-tools
     ];

trivionomicon/modules/athena-bccr/sys.nix

@@ -19,8 +19,23 @@ in {
     systemPackages = [athena.ase-pkcs11];
   };
 
-  #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA
+  security = {
-  security.pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"];
+    #FIXME: Extremadamente peligroso si BCCR o MICITT caen, investigar política nacional de root CA
+    pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"];
+
+    polkit = {
+      enable = lib.mkDefault true;
+
+      extraConfig = ''
+        polkit.addRule(function(action, subject) {
+            if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") &&
+                subject.isInGroup("users")) {
+                    return polkit.Result.YES;
+            }
+        });
+      '';
+    };
+  };
 
   services = {
     pcscd.enable = true;

trivionomicon/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch

@@ -8,18 +8,18 @@ Subject: [PATCH] Remove CheckUpdatePlugin from default list
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/main/java/cr/libre/firmador/Settings.java b/src/main/java/cr/libre/firmador/Settings.java
-index e5ddf01..a028d6e 100644
+index e392a82..c2ab5e4 100644
 --- a/src/main/java/cr/libre/firmador/Settings.java
 +++ b/src/main/java/cr/libre/firmador/Settings.java
-@@ -81,7 +81,7 @@ public class Settings {
+@@ -160,7 +160,7 @@ public class Settings {
- 
+     @SuppressWarnings("this-escape")
      public Settings() {
          activePlugins.add("cr.libre.firmador.plugins.DummyPlugin");
 -        activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
 +        // activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
+         // activePlugins.add("cr.libre.firmador.plugins.DocumentSignLogs");
          availablePlugins.add("cr.libre.firmador.plugins.DummyPlugin");
          availablePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
-     }
 -- 
-2.49.0
+2.51.2
 

trivionomicon/pkgs/athena-bccr/firmador.nix

@@ -11,7 +11,7 @@
     enableJavaFX = true;
   };
 
-  version = "1.9.8";
+  version = "1.9.8+master";
 in
   maven.buildMavenPackage {
     pname = "firmador";
@@ -19,15 +19,15 @@ in
 
     src = fetchgit {
       url = "https://codeberg.org/firmador/firmador";
-      rev = version;
+      rev = "676b0e3c0dc5adb0628d4d98efcfccfca3daa8a7";
-      hash = "sha256-xdiVPjihRADPK4nG+WQHWsDzVYLCeN6ouQ6SDtjf1qQ=";
+      hash = "sha256-f/EKll1csvUCRSt4G1SeDB4gVW+ZtUgJjlmM7PlafyQ=";
     };
 
     patches = [
       ./0001-Remove-CheckUpdatePlugin-from-default-list.patch
     ];
 
-    mvnHash = "sha256-m3UaOLNyIlVAOI5tzxMlxg4KZ1N5gT2O2WSka+jBat4=";
+    mvnHash = "sha256-0vwJ1f+0UXxrXRaJ1BHqfOXDU/pxrSPdYYEQ71m4jJQ=";
 
     nativeBuildInputs = [
       makeWrapper
@@ -35,7 +35,7 @@ in
     ];
 
     postPatch = lib.optionalString (libasep11 != null) ''
-      sed -i 's@/usr/lib/x64-athena/libASEP11.so@${libasep11}@g' src/main/java/cr/libre/firmador/CRSigner.java
+      sed -i 's@/usr/lib/x64-athena/libASEP11.so@${libasep11}@g' src/main/java/cr/libre/firmador/signers/CRSigner.java
     '';
 
     installPhase = ''