{ config, pkgs, lib, dotfilesRoot, ... }:
# Shared Home-Manager module: package installation only. No config files
# are deployed from here — on the Arch host every dotfile under $HOME is
# owned by chezmoi, and the remote-dev VM (`vm.nix`) carries its own
# `xdg.configFile`/`home.activation` block because chezmoi is not
# installed there. Staying deployment-agnostic keeps home-manager from
# fighting chezmoi on the host, which would otherwise surface as
# `.backup` files on every `nix-switch`.
#
# Policy: this profile holds leaf CLI tools, editor/AI-agent runtimes
# (node, uv) and build *orchestrators* (cmake, ninja, ccache, sccache).
# Real compilers and linkers must NEVER be added: they would shadow the
# system toolchain and silently link projects against nixpkgs
# glibc/libstdc++ instead of the system sysroot.
#
# Must not reach PATH through this module: cc, c++, gcc, g++, clang,
# clang++, ld, ld.lld, ar, nm, objcopy, make, meson, pkg-config,
# autoconf, automake, libtool, python, python3, pip, cargo, rustc, go.
#
# Allowed: orchestrators that delegate to whatever compiler PATH provides
# (cmake, ninja, ccache, sccache); instrumentation/analysis that hooks
# at the syscall/library boundary (valgrind, gdb, lldb, strace); and
# source-only tooling (doxygen, clang-tools — clangd/clang-format/
# clang-tidy, no compiler driver). Project-specific compilers/linkers
# belong in the project's own flake.nix + direnv `.envrc`, not here.
#
# Editor/AI runtimes: node, npm, npx (from `nodejs`), uv, uvx (from `uv`,
# which manages its own interpreters under XDG and installs no system
# python3).
#
# NOTE(review): the "no compiler on PATH" guarantee rests on how the
# nixpkgs derivations are packaged, not on anything enforced here. When
# bumping nixpkgs, re-check that `clang-tools` still exports no compiler
# driver binary and that tools packaged as Python applications still
# ship as wrapped entry points rather than exposing an interpreter.
let
  # Editor + multiplexer
  editorPkgs = with pkgs; [
    neovim
    zellij
    tree-sitter
  ];

  # Search / move
  searchPkgs = with pkgs; [
    ripgrep
    fd
    fzf
    sd
    choose
    zoxide
    just
  ];

  # Viewers
  viewerPkgs = with pkgs; [
    bat
    lsd
    glow
  ];

  # Git stack
  gitPkgs = with pkgs; [
    git
    gh
    delta
    mergiraf
    git-absorb
    difftastic
  ];

  # JSON / YAML
  dataPkgs = with pkgs; [
    jq
    yq-go
  ];

  # System
  systemPkgs = with pkgs; [
    htop
    fastfetch
    hyperfine
    duf
    gdu
    procs
    yazi
  ];

  # Net
  netPkgs = with pkgs; [
    curl
    curlie
    wget
    dog
    nmap
    rsync
    openssh
  ];

  # Debug / trace / profile — moved off pacman. User policy: these are
  # only pointed at the user's own builds, so glibc/kernel version skew
  # against the system is not a concern. `perf` alone stays a system
  # package (it links against the running kernel ABI, and pacman's build
  # matches the kernel package).
  debugPkgs = with pkgs; [
    gdb
    lldb # also brings lldb-dap (used by dap.lua via type="lldb")
    strace
    samply
    t-rec
    valgrind
  ];

  # Build orchestrators — they only delegate to whatever compiler is in
  # PATH and ship no cc/c++/ld of their own, so nothing gets shadowed.
  buildPkgs = with pkgs; [
    cmake
    ninja
    ccache
    sccache
  ];

  # Source-only docs/analysis (no compiler driver)
  analysisPkgs = with pkgs; [
    doxygen
  ];

  # Docs
  docPkgs = with pkgs; [
    tldr
    man-db
    man-pages
    pandoc
  ];

  # Secrets — `pass-otp` is wired in as an extension so `pass otp ...`
  # works against the same store. The pacman `pass` is removed.
  secretPkgs = with pkgs; [
    gnupg
    (pass.withExtensions (exts: [ exts.pass-otp ]))
  ];

  # C/C++ source tooling (no compiler driver in PATH)
  cSourcePkgs = with pkgs; [
    clang-tools
  ];

  # CI runner (drives podman from pacman; act itself is just a Go binary)
  ciPkgs = with pkgs; [
    act
  ];

  # Editor/AI agent runtimes — NOT for project builds (see policy above)
  runtimePkgs = with pkgs; [
    nodejs_24 # copilot-language-server requires Node 24 (see ai.lua)
    uv # for project tooling that asks for `uv`/`uvx`; brings no python
  ];

  # AI coding agents
  # github-copilot-cli is deliberately absent: the nixpkgs derivation (as
  # of 1.0.40) fails to build on Determinate nix with EACCES on
  # /var/empty/.cache (HOME is not redirected during npm postinstall).
  # Install it manually from https://github.com/github/copilot-cli into
  # /usr/local/bin/ instead.
  agentPkgs = with pkgs; [
    claude-code
  ];

  # ── LSPs / formatters / linters / DAPs ─────────────────────────────────
  # Replaces Mason entirely (phase p6 of the nix migration rips out
  # mason-tool-installer). The set tracks the previous `ensure_installed`
  # list in dot_config/nvim/lua/plugins/lsp.lua, minus five niche tools:
  # groovy-language-server (Mason-only build, upstream stale),
  # npm-groovy-lint, nginx-language-server, nginx-config-formatter,
  # systemdlint (all rarely-edited domains; losing them is acceptable).
  lspPkgs = with pkgs; [
    actionlint
    autotools-language-server
    basedpyright
    bash-language-server
    dockerfile-language-server
    just-lsp
    lua-language-server
    neocmakelsp
    ruff
    rust-analyzer
    systemd-language-server
    taplo
    typescript-language-server
    vscode-langservers-extracted # cssls + html + jsonls + eslint
    yaml-language-server
  ];

  # Formatters
  formatterPkgs = with pkgs; [
    mdformat
    prettier
    shfmt
    stylua
  ];

  # Linters
  linterPkgs = with pkgs; [
    codespell
    hadolint
    markdownlint-cli
    selene
    shellcheck
    shellharden
    stylelint
    typos
    yamllint
  ];

  # DAPs / debuggers — `lldb-dap` ships in pkgs.lldb (declared in the
  # debug/trace group above); dap configs in plugins/debug.lua reach it
  # via `type = "lldb"`. Nothing extra to list here.

  # Zsh and plugins (the shared zshrc loads them from
  # $HOME/.nix-profile/share/...; the nix-profile path is preferred and
  # the system path is the fallback for un-bootstrapped states).
  zshPkgs = with pkgs; [
    zsh
    zsh-completions
    zsh-syntax-highlighting
    zsh-autosuggestions
    zsh-history-substring-search
  ];
in
{
  home.stateVersion = "25.05";

  # ── Packages ────────────────────────────────────────────────────────────────
  # Groups are concatenated in declaration order so the resulting list is
  # the same as a single flat literal would be.
  home.packages = lib.concatLists [
    editorPkgs
    searchPkgs
    viewerPkgs
    gitPkgs
    dataPkgs
    systemPkgs
    netPkgs
    debugPkgs
    buildPkgs
    analysisPkgs
    docPkgs
    secretPkgs
    cSourcePkgs
    ciPkgs
    runtimePkgs
    agentPkgs
    lspPkgs
    formatterPkgs
    linterPkgs
    zshPkgs
  ];

  # ── direnv + nix-direnv ─────────────────────────────────────────────────────
  # This is the channel through which project-local toolchains (flake.nix
  # + `.envrc`) enter PATH. direnv only loads an `.envrc` after an explicit
  # `direnv allow` for that file, so merely cloning a repository does not
  # by itself put its toolchain on PATH.
  programs.direnv = {
    enable = true;
    nix-direnv.enable = true;
    enableZshIntegration = false; # zshrc already calls `eval "$(direnv hook zsh)"`
  };

  # ── XDG base dirs ──────────────────────────────────────────────────────────
  xdg.enable = true;

  # ── Enable HM-managed activation messages ──────────────────────────────────
  programs.home-manager.enable = true;
}