path: root/remote-dev
Commit message | Author | Age | Files | Lines
* feat(git): user-level hooks auto-dispatch into <repo>/.githooks/ | sommerfeld | 12 days | 1 | -0/+3

  Inverts the hook delegation model. Previously per-repo hooks required a project to either (a) write the entire hook themselves and lose the global signed-commit / agent-author gate, or (b) override core.hooksPath and write passthrough stubs that exec back to $HOME/.config/git/hooks/*. Both are ergonomically miserable.

  Now: the global hooks at ~/.config/git/hooks/ are *always* the entry point. Each one calls a shared dispatcher (_dispatch.sh) that runs <repo>/.githooks/<hookname> if it exists, propagating its exit status, and then continues with whatever the global hook itself wants to do. Projects just drop an executable file at .githooks/<name> — no core.hooksPath, no stubs, no boilerplate. Repos that don't have a .githooks/ dir keep working exactly as before.

  GIT_HOOK_DISPATCHED guards against re-entry so legacy repos using the old stub-and-exec pattern don't loop. pre-push tees stdin so both the repo hook and the global ref-list loop see the full push payload.

  Adds two new always-no-op global hooks (pre-commit, post-commit) purely so the dispatch happens for those events too — previously only commit-msg and pre-push existed globally.

  Refactors this dotfiles repo to use the new pattern: drops the self-delegating .githooks/pre-push stub and removes the per-repo core.hooksPath override from `just init` (now an idempotent unsetter to clean up the override from past bootstraps).

  The remote-dev VM's home-manager profile symlinks all four hooks plus _dispatch.sh.
* feat(git): commit-msg hook strips AI Co-authored-by trailers | sommerfeld | 12 days | 1 | -0/+1

  Various agentic tools (Copilot CLI, VS Code chat, etc.) auto-append `Co-authored-by: Copilot <...>` / Claude / Codex trailers, which then trip the pre-push hook's agent-coauthor check and force a manual amend before the push goes through. Scrub at commit time instead.

  Uses the same agent-substring list as executable_pre-push (kept in sync by comment). Triggered as commit-msg (not pre-commit — pre-commit runs before the message exists). Drops matching trailers in-place, collapses trailing blanks, and is a no-op otherwise.

  Also symlinks the new hook in the remote-dev home-manager config so it deploys on the Ubuntu VM.

  Bypass: `git commit --no-verify`.
* fix(remote-dev): symlink git pre-push hook with stripped chezmoi name | sommerfeld | 12 days | 1 | -0/+5

  `dot_config/git/hooks/executable_pre-push` only loses the `executable_` chezmoi attribute prefix during `chezmoi apply`. On remote-dev we use raw home-manager symlinks, so a directory symlink gave git a file literally named `executable_pre-push` — which is not a valid hook name and was silently ignored.

  Symlink each hook to its stripped target name (executable bit comes from the working-tree mode, which git follows through the symlink).
* fix(remote-dev): source hm-session-vars from .zshenv | sommerfeld | 12 days | 1 | -0/+6

  home.sessionVariables get written to hm-session-vars.sh, which HM only auto-sources when programs.bash/zsh.enable = true (it injects a snippet into the rc file) or via ~/.profile (which zsh login shells don't read). We use a ZDOTDIR redirect and no HM-managed shells, so PODMAN_IGNORE_CGROUPSV1_WARNING (and any future session var) was never reaching the shell.

  Source it explicitly from the generated ~/.zshenv before redirecting to ZDOTDIR.
* feat(remote-dev): silence podman cgroups-v1 deprecation warning | sommerfeld | 12 days | 2 | -1/+10

  Ubuntu 20.04 still defaults to cgroups v1; podman 5 emits a deprecation warning on every single invocation. Flipping the host to v2 is a reboot that affects every workload and only matters if we need rootless --memory/--cpus, so just silence the warning via the documented PODMAN_IGNORE_CGROUPSV1_WARNING env var on the home-manager side.
* docs(remote-dev): mark cgroups v2 switch as optional | sommerfeld | 12 days | 1 | -7/+8

  Affects the whole host and requires a reboot — only worth doing if you need rootless --memory/--cpus limits. Rootless podman otherwise runs fine on cgroups v1.
* feat(remote-dev): rootless podman setup | sommerfeld | 12 days | 2 | -0/+70

  Adds podman + helpers (crun, conmon, netavark, aardvark-dns, slirp4netns, passt) to the home-manager profile, plus rootless-sane registries.conf, storage.conf (overlay driver, kernel-native — VM kernel 5.15 supports rootless overlay since 5.13, no fuse-overlayfs needed), and policy.json.

  Documents host-side prerequisites in remote-dev/README.md: install uidmap, ensure subuid/subgid entries for the user, and enable cgroups v2 (systemd.unified_cgroup_hierarchy=1) so rootless resource limits work on Ubuntu 20.04.
* feat(remote-dev): add mergiraf | sommerfeld | 2026-05-14 | 1 | -0/+1

  git config defines a mergiraf merge driver; install it on the VM so .gitattributes references actually resolve.
* fix(remote-dev): materialize ~/.ssh/config with 0600 perms | sommerfeld | 2026-05-14 | 1 | -2/+8

  mkOutOfStoreSymlink exposes the working-tree file's perms. Under Ubuntu's default umask 002, git checks out private_dot_ssh/config as 0664; OpenSSH refuses any group-writable ssh_config.

  Replace the home.file symlink with a home-manager activation step that copies the file to a real ~/.ssh/config with 0600.
* fix(remote-dev): install basedpyright outside Mason | sommerfeld | 2026-05-14 | 2 | -11/+21

  Mason's pypi distribution of basedpyright pulls nodejs-wheel-binaries which only ships manylinux_2_28 Linux wheels. uv's python-build-standalone interpreter is tagged manylinux2014 (glibc 2.17 for max portability) and rejects those wheels; pip then falls back to building Node 24 from source, which fails on Ubuntu 20.04's gcc 9.4 (needs gcc >=10 for -std=gnu++20).

  Provide basedpyright via the system package manager instead:
  - pacman on Arch (added to meta/base.txt)
  - pkgs.basedpyright on the VM (added to remote-dev/home.nix)

  Drop it from mason-tool-installer's ensure_installed; lspconfig picks it up from PATH. Document the exception in remote-dev/README.md.
* fix(remote-dev): switch python3.11 source from deadsnakes PPA to uv | sommerfeld | 2026-05-14 | 3 | -46/+51

  The deadsnakes PPA may not be reachable on every VM (corporate apt proxy, Ubuntu derivatives that add-apt-repository misdetects, etc.). `uv python install 3.11` works on any distro: it fetches a portable python-build-standalone CPython into ~/.local/share/uv/python/, which is manylinux-wheel-compatible.

  Symlink the resulting binary to ~/.local/bin/python3.11 (already on PATH from zprofile). Move the step to after `home-manager switch` since uv comes from the nix profile.
* fix(remote-dev): use deadsnakes python3.11 instead of nix for Mason | sommerfeld | 2026-05-14 | 3 | -25/+38

  Nix's python rejects manylinux wheels by design (its libc is patched), which forced pip in Mason's per-pkg venvs to compile nodejs-wheel-binaries (pulled in by basedpyright) from source. That source build then failed on Ubuntu 20.04's gcc 9.4 — Node 24 requires C++20 (g++ >= 12.2.0).

  Replace the nix python311-versioned-only derivation with an Ubuntu-native python3.11 from the deadsnakes PPA. It satisfies Mason's >=3.10 version requirement, accepts manylinux wheels, and the versioned binary name leaves /usr/bin/python3 untouched (leaf-tools policy preserved).
* revert(nvim)+fix(remote-dev): keep Mason authoritative, give it cargo+rustc | sommerfeld | 2026-05-14 | 1 | -4/+6

  User policy: Mason should install everything it lists regardless of host-provided versions. Revert the PATH-filtering wrapper around ensure_installed (b2f129e) — back to a plain table literal.

  For shellharden specifically, Mason's only install source is `cargo install`. The Arch host has cargo via base-devel/rustup; the VM previously didn't, so Mason errored "ENOENT cargo". Add `cargo` and `rustc` to the remote-dev nix profile so Mason can build it on the VM too.

  Drop the shellharden package from home.nix — Mason owns it now, no more provider competition with the nix-profile binary.
* fix(remote-dev): expose python3.11 (versioned-only) for Mason pip installs | sommerfeld | 2026-05-14 | 1 | -1/+12

  Ubuntu 20.04's stock python3 is 3.8.10, which fails Mason's pep440 checks for autotools-language-server, codespell, mdformat, nginx-language-server, systemdlint, yamllint (all want >=3.9 or >=3.10).

  Mason's pypi installer (verified against upstream lua/mason-core/installer/managers/pypi.lua) probes python3.6 through python3.14 in PATH in addition to plain python3, so providing python3.11 alone (without python3) is enough.

  Add a thin runCommand derivation that symlinks ONLY pkgs.python311/bin/python3.11 into the profile — not python3 or python — so we don't shadow Ubuntu's /usr/bin/python3 and keep the leaf-tools policy intact.
* fix(nvim,remote-dev): fall back to PATH node + provide JRE/shellharden/python3-venv | sommerfeld | 2026-05-14 | 3 | -2/+30

  copilot.lua was hard-coding the chezmoi-pinned Node 24 at ~/.local/share/copilot-node/bin/node, which only exists on the Arch host where chezmoi runs run_onchange_after_install-copilot-node.sh. On the remote-dev VM the path is absent, so copilot-language-server spawned with cmd[0]=<missing> and printed 'Could not determine Node.js version'. Probe the pinned path with vim.fn.executable() and fall back to 'node' from PATH otherwise.

  For the VM PATH 'node' to be a supported version, switch home.nix from the rolling 'nodejs' alias to 'nodejs_24' (the version the chezmoi script also pins on the host).

  Address the cluster of Mason install failures on the VM:
  - autotools-language-server, codespell, mdformat, nginx-language-server, systemdlint -- pip-installed; fail because Ubuntu's python3 ships without venv. bootstrap.sh now apt-installs python3-venv; README documents the manual command for existing VMs.
  - groovy-language-server -- needs a JRE. Add 'jre' to home.packages.
  - shellharden -- Mason's cargo fallback can't run under our leaf-tools policy. Provide the binary via nix-profile instead so Mason finds it on PATH.
* feat(remote-dev): add justfile with update/pull/switch/gc recipes | sommerfeld | 2026-05-14 | 2 | -10/+34

  Wraps the bootstrap-day-2 incantations so you don't have to remember `home-manager switch --impure --flake '.#vm' -b backup` and its zsh quoting gotcha.

  Recipes:
  - `just update` — pull + switch (the everyday one)
  - `just pull` — config-only changes, no nix rebuild
  - `just switch` — rebuild HM from the current checkout
  - `just gc` — expire HM generations >7d and gc the nix store

  README updated to use these.
* fix(remote-dev): whitelist claude-code/copilot-cli unfree | sommerfeld | 2026-05-14 | 1 | -1/+11

  The flake set `allowUnfree = false` so `home-manager switch` failed with "Refusing to evaluate package 'claude-code-...' because it has an unfree license". Switch to `allowUnfreePredicate` with an explicit name allowlist — keeps the door closed for everything else while permitting just the two AI agents we actually want.
* docs(remote-dev): quote flake ref so zsh extendedglob doesn't choke | sommerfeld | 2026-05-14 | 1 | -1/+5

  `home-manager switch --flake .#vm` fails under our zsh (which sets `extendedglob`) because `#` then becomes a glob qualifier and `.#vm` parses as an unmatched pattern. Quoting the ref sidesteps it.
* feat(remote-dev): add just to the nix profile | sommerfeld | 2026-05-14 | 1 | -0/+1

  So the dotfiles `justfile` (and any in-tree project justfiles the user checks out on the VM) work without falling back to make/scripts.
* feat(remote-dev): add zoxide/clang-tools/node/uv/AI agents; bring git+ssh; SSH-format signing | sommerfeld | 2026-05-14 | 2 | -18/+126

  home.nix:
  - Add zoxide (fixes 'command not found' on shell start), clang-tools (no compiler driver), nodejs (Mason npm LSPs), uv (Mason python LSPs; does not install python3 in PATH, so Ubuntu's /usr/bin/python3 stays the system default), claude-code, github-copilot-cli.
  - Refine the leaf-tools policy comment: explicit denylist of build-toolchain binaries that would shadow Ubuntu's via PATH, plus a carve-out for editor/AI runtimes (node, uv, clang-tools).
  - Symlink ~/.config/git/{config,attributes,ignore} and ~/.ssh/config from the dotfiles tree.

  dot_config/zsh/dot_zshrc: guard direnv/zoxide/fzf inits with 'command -v X >/dev/null &&' so a fresh machine without one of them no longer prints a stderr error on every shell start.

  dot_config/git/config: append unconditional '[include] path = ~/.config/git/config.local' for machine-local overrides (used on the remote-dev VM to switch to SSH-format signing via the forwarded agent). Git silently skips missing include files.

  remote-dev/README.md: document the update flow (config-only vs HM rebuild), the single-shell leaf-tools policy, and the one-time VM setup for SSH-format commit signing (allowed_signers + config.local, ForwardAgent yes on the host).
* fix(remote-dev): correct dotfiles repo URL to sommerfelddev/dotfiles | sommerfeld | 2026-05-13 | 2 | -2/+2
* feat(remote-dev): add Nix Home-Manager flake for Ubuntu 22 VM dev env | sommerfeld | 2026-05-13 | 5 | -0/+334

  New remote-dev/ subdir with a Home-Manager flake that provisions a headless dev environment on a remote Ubuntu 22.04 VM accessed via SSH. Shares nvim, zellij, zsh, direnv, and ghostty configs from the same dotfiles repo via mkOutOfStoreSymlink (no rebuilds on config edits).

  CLI tool set mirrors the dev-tool subset of meta/base.txt; sysadmin tools (procs, gdu, duf), lazygit, and node/yarn (only needed for markdown-preview on GUI hosts) are excluded.

  bootstrap.sh is one-shot: installs Nix via Determinate Systems installer, clones the repo to ~/.local/share/dotfiles, runs home-manager switch, and chshes to the nix-store zsh.

  dot_config/zsh/dot_zshrc loses its hardcoded Arch plugin/git-prompt paths in favour of a fallback search: Arch path first, then $HOME/.nix-profile/share/. Same file works on host and VM.

  .chezmoiignore: exclude remote-dev/ from chezmoi deploy on the host.