feat: cluster test framework #545

Open
DaRacci wants to merge 4 commits into master from push-xvsqsqnwmrup

@DaRacci DaRacci commented Mar 9, 2026

Owner

Based off #544

@coderabbitai

coderabbitai Bot commented Mar 9, 2026

Contributor
📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • New Features

    • Added hardware backlight support with DDC-CI driver integration
    • Introduced cluster testing infrastructure
  • Removed Features

    • Removed encrypted root boot device support
  • Chores

    • Restructured core system configuration modules for audio, Bluetooth, and networking
    • Added VS Code workspace settings

Walkthrough

This PR reorganises the NixOS module hierarchy by consolidating modules into a shared/features/ subdirectory structure, refactoring the core module into a directory-based composition, introducing a new cluster test framework, and removing deprecated modules. The flake CI configuration is extended to integrate cluster checks support.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Flake CI & Build System: flake/ci/flake-module.nix, flake/default.nix | Added config parameter and perSystem.checks.cluster attribute to flake CI module; remapped checks attribute generation from lib.genAttrs to explicit partitionedAttrs.checks = "ci" mapping. |
| Module Path Migration: lib/builders/mkSystem.nix, modules/home-manager/services/mcpo.nix, modules/nixos/desktop/default.nix, modules/nixos/laptop/default.nix | Updated import paths to reflect module reorganisation—hm-helper moved to shared/features/hm-helper, mcpo moved to shared/services/mcpo, and display-manager/remote moved to shared/features/. |
| Module Structure Flattening: modules/nixos/default.nix | Removed top-level re-exports (boot, hardware, vfio, host, services, virtual-machine); retained only shared = import ./shared; for namespace consolidation. |
| Core Module Refactoring: modules/nixos/shared/core.nix, modules/nixos/shared/core/default.nix, modules/nixos/shared/core/printing.nix | Deleted monolithic core.nix; replaced with directory structure where core/default.nix implements configurable core options and conditional configuration for audio, Bluetooth, and networking; printing.nix updated to depend on config.custom.core instead of nested printing config. |
| Core Shared Module Aggregation: modules/nixos/shared/default.nix, modules/nixos/shared/services/default.nix | Updated shared/default.nix imports to reference ./services instead of individual modules; introduced shared/services/default.nix as aggregate module importing service submodules (huntress, mcpo, metrics, tailscale). |
| New Test Framework: tests/default.nix, tests/lib.nix, tests/mkNode.nix, modules/nixos/server/default.nix, modules/nixos/server/tests.nix | Added cluster test infrastructure: tests/default.nix orchestrates multi-node tests via pkgs.testers.runNixOSTest; mkNode.nix constructs test nodes from allocations; lib.nix exports runOnAllNodes utility; server/tests.nix defines server.tests configuration options for test units. |
| Module Removals: modules/nixos/encrypted-root.nix, modules/nixos/proxies.nix | Deleted encrypted-root.nix (LUKS device configuration) and proxies.nix (empty module stub). |
| Hardware & Type Updates: modules/nixos/desktop/virtual-machine.nix, modules/nixos/shared/core/hardware/backlight.nix | Changed mounts type from generic types to types.attrsOf types.anything; introduced new backlight.nix module exposing hardware.backlight.enable with DDC/CI driver and udev rule configuration. |
| Development Configuration: .vscode/settings.json | Added VS Code workspace setting to disable Git support (git.enabled = false). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

  • PR#541: Extends modules/nixos/server/default.nix import list with monitoring configuration, complementing this PR's addition of tests.nix to the same module composition surface.

Poem

🐰 ✨ The warren's modules reorganise with glee,
Features hop to shared directories, wild and free,
Tests bloom in clusters, nodes dance in rows,
Paths consolidated where the configuration flows! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'feat: cluster test framework' directly aligns with the main changeset objective, which introduces a comprehensive cluster test framework including test definitions, test helpers, and CI integration. |
| Description check | ✅ Passed | The description 'Based off #544' is minimal but remains related to the changeset as it provides context about the PR's relationship to a prior change. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

@mergify

mergify Bot commented Mar 9, 2026

Contributor

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🔴 Enforce conventional commit

Waiting for

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?:
This rule is failing.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

🔴 Do not merge outdated PRs

Waiting for

  • #commits-behind <= 10
This rule is failing.

Make sure PRs are almost up to date before merging

@mergify

mergify Bot commented Mar 9, 2026

Contributor

🧪 CI Insights

Here's what we observed from your CI run for 072e115.

🟢 All jobs passed!

But CI Insights is watching 👀

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
flake/ci/flake-module.nix (1)

12-29: ⚠️ Potential issue | 🟠 Major

checks.cluster never consults the new server.tests.enable flag.

clusterHosts is derived only from getHostsByType self, and tests/default.nix:17-19 turns every entry in that list into a VM node. As written, flipping server.tests.enable in modules/nixos/server/tests.nix cannot change which hosts participate in the cluster test, so the new opt-in flag is ineffective for membership.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@flake/ci/flake-module.nix` around lines 12 - 29, The cluster test currently
uses clusterHosts = (getHostsByType self).server or [] which ignores the new
server.tests.enable flag; update the clusterHosts computation so it filters the
hosts list to only include hosts whose server.tests.enable is true (i.e.,
evaluate each host's module/config and keep it only when server.tests.enable is
truthy) before passing clusterHosts into checks.cluster (references:
clusterHosts, getHostsByType, checks.cluster, server.tests.enable,
tests/default.nix).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/src/modules/nixos/desktop.md`:
- Around line 7-8: The docs currently imply RGB and VFIO are enabled by default;
update the desktop.md wording to state these are opt-in features and are only
enabled when their config flag is set (they are gated with mkIf cfg.enable in
the rgb.nix and vfio.nix modules), and clarify how
modules/nixos/desktop/default.nix composes those modules rather than enabling
them globally; change the two spots called out to mention "opt-in via
cfg.enable" and mirror the suggested wording.

In `@modules/nixos/desktop/virtual-machine.nix`:
- Around line 92-96: The mounts option currently uses mkOption with type =
types.attrsOf types.anything which removes validation; update the description
for the mounts option (the mkOption named "mounts") to document the expected
attribute structure and provide a concrete example showing host-path keys
mapping to attrs including target and readonly (e.g. host path -> { target =
"/guest/path"; readonly = false; }) so users know the required fields and shape;
keep the existing type but make the description clear and copyable for users.

In `@modules/nixos/server/tests.nix`:
- Around line 10-11: The module is incorrectly inheriting type helpers from lib
(which has no .type); update the inherits to pull from lib.types so the NixOS
module type helpers are resolved: change the first inherit to reference
lib.types when bringing in type, mkOption and mkEnableOption, and change the
second inherit to reference lib.types for submodule, attrsOf, either, listOf,
str, bool, functionTo (or alternatively only import type once and then inherit
(type) ...), ensuring mkOption, mkEnableOption, submodule, attrsOf, either,
listOf, str, bool, and functionTo come from lib.types.
- Around line 17-38: The options declaration for server.tests.units currently
assigns a raw attrsOf (submodule ...) value instead of an option; wrap the whole
attrsOf (submodule ({ name, ... }: { ... })) expression in mkOption so
server.tests.units is an actual Nix option. Specifically, replace the bare units
= attrsOf (...) with units = mkOption (attrsOf (submodule ({ name, ... }: {
options = { ... } }))) (or equivalent mkOption form), keeping the same inner
options (name, testScript) to match other modules (metrics.nix, mcpo.nix,
virtual-machine.nix, dashboard.nix) that use mkOption for units.

In `@tests/lib.nix`:
- Around line 6-9: The helper runOnAllNodes is passing the literal string
"node.name" to the callback so callers receive a string instead of the node
object; change the interpolation so the callback is invoked with the node object
(not node.name) inside the for-loop/subtest, i.e. pass node into ${f(...)} so
callers can call methods like wait_for_unit on the actual node object; update
any related docs/tests to expect the node object argument and keep using
subtest(node.name) as the subtest label.

In `@tests/mkNode.nix`:
- Around line 7-11: The test node import currently uses only
modules/flake/apply/system.nix causing tests to build minimal VMs; update the
imports to build test nodes with the full production module stack by either
reusing the existing builder lib/builders/mkSystem.nix or by expanding the
imports to include the NixOS modules, device-type modules, host directory and
shared config modules (preserve existing attributes like allocations, hostName
and deviceType). Locate the imports block that references
modules/flake/apply/system.nix and replace it with a call to
lib/builders/mkSystem.nix (or mirror its module list) so test VMs are built the
same way as production.

---

Outside diff comments:
In `@flake/ci/flake-module.nix`:
- Around line 12-29: The cluster test currently uses clusterHosts =
(getHostsByType self).server or [] which ignores the new server.tests.enable
flag; update the clusterHosts computation so it filters the hosts list to only
include hosts whose server.tests.enable is true (i.e., evaluate each host's
module/config and keep it only when server.tests.enable is truthy) before
passing clusterHosts into checks.cluster (references: clusterHosts,
getHostsByType, checks.cluster, server.tests.enable, tests/default.nix).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4df9fa6f-3aca-4579-86f4-9a365402645c

📥 Commits

Reviewing files that changed from the base of the PR and between baec492 and 072e115.

📒 Files selected for processing (60)
  • docs/src/modules/nixos/desktop.md
  • docs/src/modules/nixos/services.md
  • flake/ci/flake-module.nix
  • flake/default.nix
  • home/shared/applications/media.nix
  • home/shared/desktop/gnome/default.nix
  • lib/builders/mkSystem.nix
  • modules/home-manager/services/mcpo.nix
  • modules/nixos/default.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/desktop/rgb.nix
  • modules/nixos/desktop/vfio.nix
  • modules/nixos/desktop/virtual-machine.nix
  • modules/nixos/encrypted-root.nix
  • modules/nixos/laptop/default.nix
  • modules/nixos/proxies.nix
  • modules/nixos/server/default.nix
  • modules/nixos/server/proxy/kanidm.nix
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core.nix
  • modules/nixos/shared/core/auto-upgrade.nix
  • modules/nixos/shared/core/boot/default.nix
  • modules/nixos/shared/core/boot/quietboot.nix
  • modules/nixos/shared/core/boot/secureboot.nix
  • modules/nixos/shared/core/boot/systemd-boot.nix
  • modules/nixos/shared/core/default.nix
  • modules/nixos/shared/core/hardware/backlight.nix
  • modules/nixos/shared/core/hardware/biometrics.nix
  • modules/nixos/shared/core/hardware/bluetooth.nix
  • modules/nixos/shared/core/hardware/cooling.nix
  • modules/nixos/shared/core/hardware/default.nix
  • modules/nixos/shared/core/hardware/display.nix
  • modules/nixos/shared/core/hardware/graphics.nix
  • modules/nixos/shared/core/hardware/openrgb.nix
  • modules/nixos/shared/core/hardware/storage/default.nix
  • modules/nixos/shared/core/hardware/storage/ephemeral.nix
  • modules/nixos/shared/core/hardware/storage/maintenance.nix
  • modules/nixos/shared/core/hardware/storage/partitions/btrfs.nix
  • modules/nixos/shared/core/hardware/storage/partitions/esp.nix
  • modules/nixos/shared/core/hardware/storage/partitions/luks.nix
  • modules/nixos/shared/core/hardware/storage/partitions/tmpfs.nix
  • modules/nixos/shared/core/host/default.nix
  • modules/nixos/shared/core/host/device.nix
  • modules/nixos/shared/core/host/persistence.nix
  • modules/nixos/shared/default.nix
  • modules/nixos/shared/features/display-manager.nix
  • modules/nixos/shared/features/hm-helper/1password.nix
  • modules/nixos/shared/features/hm-helper/default.nix
  • modules/nixos/shared/features/hm-helper/kde-connect.nix
  • modules/nixos/shared/features/hm-helper/mpv.nix
  • modules/nixos/shared/features/hm-helper/nautilus.nix
  • modules/nixos/shared/features/remote.nix
  • modules/nixos/shared/services/default.nix
  • modules/nixos/shared/services/huntress.nix
  • modules/nixos/shared/services/mcpo.nix
  • modules/nixos/shared/services/metrics.nix
  • modules/nixos/shared/services/tailscale.nix
  • tests/default.nix
  • tests/lib.nix
  • tests/mkNode.nix
💤 Files with no reviewable changes (4)
  • modules/nixos/default.nix
  • modules/nixos/encrypted-root.nix
  • modules/nixos/proxies.nix
  • modules/nixos/shared/core.nix
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: Build nixosConfigurations.nixmi.config.system.build.toplevel on x86_64-linux
  • GitHub Check: Build nixosConfigurations.nixarr.config.system.build.toplevel on x86_64-linux
  • GitHub Check: Build nixosConfigurations.nixdev.config.system.build.toplevel on x86_64-linux
  • GitHub Check: Build nixosConfigurations.nixcloud.config.system.build.toplevel on x86_64-linux
  • GitHub Check: Build nixosConfigurations.nixio.config.system.build.toplevel on x86_64-linux
  • GitHub Check: Build homeConfigurations.racci.activationPackage on x86_64-linux
  • GitHub Check: Build nixosConfigurations.nixmon.config.system.build.toplevel on x86_64-linux
  • GitHub Check: Build nixosConfigurations.nixserv.config.system.build.toplevel on x86_64-linux
  • GitHub Check: Build nixosConfigurations.nixai.config.system.build.toplevel on x86_64-linux
  • GitHub Check: Mergify Merge Protections
  • GitHub Check: Summary
🧰 Additional context used
📓 Path-based instructions (15)
**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/building/SKILL.md)

Use nix fmt to format Nix code and check syntax

**/*.nix: Run nix fmt <paths...> after making any changes to ensure consistent formatting
Use 2 spaces for indentation in Nix files
Use kebab-case for Nix file and directory names
Use camelCase for Nix attributes (e.g., myOption, enableFeature)
Use camelCase for Nix option paths (e.g., services.myService.enable)
Prefer minimal comments; code should be self-explanatory, using comments to explain why, not what
Prefer relative imports over absolute imports (e.g., ./modules/foo.nix)
Group imports at the top of the Nix file and use list format for multiple imports
When generating JSON, YAML, or other structured formats, define as Nix attribute sets and convert using builtins functions (e.g., builtins.toJSON), rather than using inline string literals
Follow the standard module structure pattern with config, lib, pkgs destructuring, let bindings for module configuration, and options/config sections
Use let bindings with inherit for importing functions from libraries (e.g., inherit (lib) mkIf mkEnableOption)

Run nix fmt to format code before submitting changes

**/*.nix: Use builtins.trace to add trace statements for seeing values during Nix evaluation, with builtins.toJSON for complex attribute sets
Check for circular dependencies in imports or option definitions as the root cause of infinite recursion errors in Nix
Verify attribute names, imports, and option paths to resolve 'attribute missing' errors in Nix configurations

Run nix fmt on changed Nix files after modifying modules

**/*.nix: Declare secrets in Nix using sops.secrets with the secret path as the key
Specify custom permissions for secrets using owner, group, and mode attributes in sops.secrets declarations
Use sops.templates to combine multiple secrets into configuration files with placeholders
Add restartUnits to secret declarations to automatically restart services when secrets change
Use empty `k...

Files:

  • modules/nixos/shared/default.nix
  • modules/home-manager/services/mcpo.nix
  • lib/builders/mkSystem.nix
  • tests/lib.nix
  • modules/nixos/server/proxy/kanidm.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/desktop/virtual-machine.nix
  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
  • modules/nixos/server/default.nix
  • flake/ci/flake-module.nix
  • modules/nixos/laptop/default.nix
  • flake/default.nix
  • tests/mkNode.nix
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core/default.nix
  • tests/default.nix
modules/nixos/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Create NixOS modules at modules/nixos/<category>/<name>.nix with standard pattern including options definition, lib imports (mkEnableOption, mkOption, mkIf, types), config variable binding, and conditional config application using mkIf

Files:

  • modules/nixos/shared/default.nix
  • modules/nixos/server/proxy/kanidm.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/desktop/virtual-machine.nix
  • modules/nixos/server/default.nix
  • modules/nixos/laptop/default.nix
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core/default.nix
modules/nixos/*/default.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Register NixOS modules in parent default.nix using imports list pattern: _: { imports = [ ./module-a.nix ./module-b.nix ]; }

Files:

  • modules/nixos/shared/default.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/server/default.nix
  • modules/nixos/laptop/default.nix
modules/nixos/**

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Reusable NixOS module fragments should be placed in modules/nixos/ directory

Files:

  • modules/nixos/shared/default.nix
  • modules/nixos/server/proxy/kanidm.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/desktop/virtual-machine.nix
  • modules/nixos/server/default.nix
  • modules/nixos/laptop/default.nix
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core/default.nix
modules/home-manager/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

modules/home-manager/**/*.nix: Create Home-Manager modules at modules/home-manager/<category>/<name>.nix with osConfig parameter support and conditional config application using mkIf
Use purpose.<category> namespace for use-case modules in Home-Manager modules
Use custom.<name> namespace for custom extensions in Home-Manager modules
Use user.<name> namespace for user-specific options in Home-Manager modules

Files:

  • modules/home-manager/services/mcpo.nix
modules/home-manager/**

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Reusable Home-Manager module fragments should be placed in modules/home-manager/ directory

Files:

  • modules/home-manager/services/mcpo.nix
lib/builders/**

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Custom system and home builders should be implemented in lib/builders/ directory with mkSystem.nix and mkHome.nix as entry points

Files:

  • lib/builders/mkSystem.nix
modules/nixos/server/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Use server.<name> namespace for server cluster options in NixOS modules

Files:

  • modules/nixos/server/proxy/kanidm.nix
  • modules/nixos/server/default.nix
  • modules/nixos/server/tests.nix
home/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/contributing/SKILL.md)

Test at least one affected home configuration before submitting changes

Files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
home/shared/**

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Shared Home-Manager configurations across all users should be placed in home/shared/ directory

Files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
home/shared/desktop/**

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Shared desktop environment configurations should be in home/shared/desktop/

Files:

  • home/shared/desktop/gnome/default.nix
home/shared/applications/**

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Shared application-specific Home-Manager configurations should be in home/shared/applications/

Files:

  • home/shared/applications/media.nix
flake/ci/**

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

CI-specific flake definitions and scripts should be located in the flake/ci/ directory

Files:

  • flake/ci/flake-module.nix
docs/src/**/*.md

📄 CodeRabbit inference engine (.opencode/skills/docs/SKILL.md)

docs/src/**/*.md: Create or update Markdown files in docs/src following the documentation workflow: analyze changes, identify impact on documentation files, draft content with underscore filenames, update docs/src/SUMMARY.md, and verify Nix code examples are valid
Keep documentation explanations concise and focus on why something is configured a certain way rather than just what the code does

Files:

  • docs/src/modules/nixos/services.md
  • docs/src/modules/nixos/desktop.md
docs/**

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Project documentation should be maintained in the docs/ directory

Files:

  • docs/src/modules/nixos/services.md
  • docs/src/modules/nixos/desktop.md
🧠 Learnings (85)
📓 Common learnings
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/users/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:41.504Z
Learning: Applies to home/*/features/**/*.nix : User's feature modules should be organized in a `features/` directory within the user directory (`home/<username>/features/`)
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to modules/nixos/** : Reusable NixOS module fragments should be placed in `modules/nixos/` directory
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/code-style/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:22.881Z
Learning: Applies to **/*.nix : Follow the standard module structure pattern with `config`, `lib`, `pkgs` destructuring, `let` bindings for module configuration, and `options`/`config` sections
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to hosts/shared/optional/** : Optional NixOS features (gaming, containers, etc.) should be organized in `hosts/shared/optional/`
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/**/*.nix : Create NixOS modules at `modules/nixos/<category>/<name>.nix` with standard pattern including options definition, lib imports (mkEnableOption, mkOption, mkIf, types), config variable binding, and conditional config application using mkIf
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to home/shared/features/** : Shared feature modules (CLI tools, features, etc.) should be in `home/shared/features/`
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/default.nix : Export module categories from top-level `modules/nixos/default.nix` as attribute set with structure: `{ boot = import ./boot; hardware = import ./hardware; services = import ./services; }`
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to modules/nixos/default.nix : NixOS modules should be exported through `modules/nixos/default.nix`
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to flake/nixos/** : NixOS flake modules should be organized in the `flake/nixos/` directory
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/server/**/*.nix : Use `server.<name>` namespace for server cluster options in NixOS modules
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/*/default.nix : Register NixOS modules in parent `default.nix` using imports list pattern: `_: { imports = [ ./module-a.nix ./module-b.nix ]; }`

Applied to files:

  • modules/nixos/shared/default.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/server/default.nix
  • modules/nixos/laptop/default.nix
  • modules/nixos/shared/core/default.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to modules/nixos/default.nix : NixOS modules should be exported through `modules/nixos/default.nix`

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/home-manager/services/mcpo.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/server/default.nix
  • docs/src/modules/nixos/services.md
  • modules/nixos/laptop/default.nix
  • tests/mkNode.nix
  • modules/nixos/shared/core/default.nix
  • docs/src/modules/nixos/desktop.md
  • tests/default.nix
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/default.nix : Export module categories from top-level `modules/nixos/default.nix` as attribute set with structure: `{ boot = import ./boot; hardware = import ./hardware; services = import ./services; }`

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/server/default.nix
  • docs/src/modules/nixos/services.md
  • modules/nixos/laptop/default.nix
  • tests/mkNode.nix
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core/default.nix
  • docs/src/modules/nixos/desktop.md
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/home-manager/*/default.nix : Register Home-Manager modules in parent `default.nix` using imports list pattern

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/home-manager/services/mcpo.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/server/default.nix
  • docs/src/modules/nixos/services.md
  • modules/nixos/laptop/default.nix
  • modules/nixos/shared/core/default.nix
  • docs/src/modules/nixos/desktop.md
📚 Learning: 2026-03-01T12:24:22.881Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/code-style/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:22.881Z
Learning: Applies to **/*.nix : Prefer relative imports over absolute imports (e.g., `./modules/foo.nix`)

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/home-manager/services/mcpo.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/server/default.nix
  • modules/nixos/laptop/default.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to modules/home-manager/default.nix : Home-Manager modules should be exported through `modules/home-manager/default.nix`

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/home-manager/services/mcpo.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/desktop/default.nix
  • docs/src/modules/nixos/services.md
  • modules/nixos/laptop/default.nix
  • tests/mkNode.nix
  • modules/nixos/shared/core/default.nix
  • docs/src/modules/nixos/desktop.md
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Prefer relative imports (e.g., `./modules/foo.nix`) over absolute paths

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/home-manager/services/mcpo.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/laptop/default.nix
📚 Learning: 2026-03-01T12:24:57.319Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/hosts/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:57.319Z
Learning: Applies to hosts/{server,desktop,laptop}/*/default.nix : Host `default.nix` files must import `${modulesPath}/virtualisation/proxmox-lxc.nix` for LXC containers or `./hardware.nix` for physical machines

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/laptop/default.nix
  • tests/mkNode.nix
  • docs/src/modules/nixos/desktop.md
  • tests/default.nix
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/services/**/*.nix : Use `services.<name>` namespace for system services in NixOS modules

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/home-manager/services/mcpo.nix
  • docs/src/modules/nixos/services.md
📚 Learning: 2026-03-01T12:26:51.425Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/ci-failure.md:0-0
Timestamp: 2026-03-01T12:26:51.425Z
Learning: Applies to **/*.nix : Check for infinite recursion by examining recent changes for circular imports between modules or option definitions that reference themselves

Applied to files:

  • modules/nixos/shared/default.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/server/default.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Avoid hardcoded paths that should be configurable options

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/nixos/desktop/virtual-machine.nix
  • home/shared/applications/media.nix
  • modules/nixos/server/default.nix
  • modules/nixos/shared/core/default.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Group imports at the top of the file and use list format for multiple imports

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/laptop/default.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Ensure all used functions are properly inherited to avoid circular imports and hidden dependencies

Applied to files:

  • modules/nixos/shared/default.nix
  • tests/lib.nix
  • modules/nixos/desktop/default.nix
  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
  • modules/nixos/server/default.nix
  • modules/nixos/laptop/default.nix
  • tests/mkNode.nix
📚 Learning: 2026-03-01T12:26:01.611Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/packages/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:01.611Z
Learning: Applies to overlays/default.nix : Expose custom packages via overlays/default.nix by importing the pkgs directory with inputs, lib, and pkgs parameters

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/nixos/desktop/default.nix
📚 Learning: 2026-03-01T12:24:22.881Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/code-style/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:22.881Z
Learning: Applies to **/*.nix : Group imports at the top of the Nix file and use list format for multiple imports

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/laptop/default.nix
📚 Learning: 2026-03-01T12:24:22.881Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/code-style/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:22.881Z
Learning: Applies to **/*.nix : Follow the standard module structure pattern with `config`, `lib`, `pkgs` destructuring, `let` bindings for module configuration, and `options`/`config` sections

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/nixos/server/default.nix
  • docs/src/modules/nixos/services.md
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core/default.nix
📚 Learning: 2026-03-01T12:24:22.881Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/code-style/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:22.881Z
Learning: Applies to **/*.nix : Use camelCase for Nix option paths (e.g., `services.myService.enable`)

Applied to files:

  • modules/nixos/shared/default.nix
  • docs/src/modules/nixos/services.md
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Ensure all required options are defined before use in configuration blocks

Applied to files:

  • modules/nixos/shared/default.nix
  • modules/nixos/server/default.nix
  • modules/nixos/shared/core/default.nix
📚 Learning: 2026-03-01T12:26:41.504Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/users/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:41.504Z
Learning: Applies to home/*/hm-config.nix : Import shared user configurations from `home/shared/` directories in user configs: use `../shared/global/` for configs applied to all users, `../shared/applications/` for application configs, `../shared/desktop/` for desktop environment configs, and `../shared/features/cli/` for CLI tool configurations

Applied to files:

  • modules/home-manager/services/mcpo.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/laptop/default.nix
📚 Learning: 2026-03-01T12:24:22.881Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/code-style/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:22.881Z
Learning: Applies to **/*.nix : Use `let` bindings with `inherit` for importing functions from libraries (e.g., `inherit (lib) mkIf mkEnableOption`)

Applied to files:

  • modules/home-manager/services/mcpo.nix
  • modules/nixos/shared/core/default.nix
📚 Learning: 2026-03-01T12:26:01.611Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/packages/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:01.611Z
Learning: Applies to pkgs/*/default.nix : For multi-output packages, use a let binding to define multiple outputs and register them with inherit syntax in pkgs/default.nix

Applied to files:

  • modules/home-manager/services/mcpo.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Always use `inherit` to bring functions and values into scope instead of manual assignment

Applied to files:

  • modules/home-manager/services/mcpo.nix
📚 Learning: 2026-03-01T12:24:57.319Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/hosts/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:57.319Z
Learning: Applies to hosts/{desktop,laptop}/*/hardware.nix : Physical hardware configurations should import appropriate modules from `inputs.nixos-hardware` (e.g., CPU, SSD, GPU modules) in `hardware.nix`

Applied to files:

  • modules/home-manager/services/mcpo.nix
  • lib/builders/mkSystem.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/desktop/virtual-machine.nix
  • flake/ci/flake-module.nix
  • modules/nixos/laptop/default.nix
  • tests/mkNode.nix
  • modules/nixos/shared/core/default.nix
  • docs/src/modules/nixos/desktop.md
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Follow the standard NixOS module structure pattern with config, lib, pkgs parameters and proper `let`/`in` blocks

Applied to files:

  • modules/home-manager/services/mcpo.nix
  • modules/nixos/shared/core/default.nix
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/host/**/*.nix : Use `host.<name>` namespace for host-specific options in NixOS modules

Applied to files:

  • modules/home-manager/services/mcpo.nix
  • modules/nixos/desktop/virtual-machine.nix
  • docs/src/modules/nixos/services.md
  • tests/mkNode.nix
  • modules/nixos/server/tests.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to lib/builders/** : Custom system and home builders should be implemented in `lib/builders/` directory with `mkSystem.nix` and `mkHome.nix` as entry points

Applied to files:

  • lib/builders/mkSystem.nix
📚 Learning: 2026-03-01T12:27:25.837Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/test.md:0-0
Timestamp: 2026-03-01T12:27:25.837Z
Learning: For changes affecting only hosts, build at least one affected host configuration using 'nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel'

Applied to files:

  • lib/builders/mkSystem.nix
  • flake/ci/flake-module.nix
📚 Learning: 2026-03-01T12:26:41.504Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/users/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:41.504Z
Learning: Applies to home/*/hm-config.nix : Create `hm-config.nix` in `home/<username>/` as the main Home-Manager entry point containing shared configuration across all hosts for that user

Applied to files:

  • lib/builders/mkSystem.nix
  • docs/src/modules/nixos/services.md
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/home-manager/**/*.nix : Use `user.<name>` namespace for user-specific options in Home-Manager modules

Applied to files:

  • lib/builders/mkSystem.nix
  • docs/src/modules/nixos/services.md
📚 Learning: 2026-03-01T12:26:41.504Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/users/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:41.504Z
Learning: Applies to home/*/features/**/*.nix : User's feature modules should be organized in a `features/` directory within the user directory (`home/<username>/features/`)

Applied to files:

  • lib/builders/mkSystem.nix
  • modules/nixos/laptop/default.nix
📚 Learning: 2026-03-01T12:26:41.504Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/users/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:41.504Z
Learning: Applies to home/*/[!.]*@(hm-config|os-config|secrets).nix : Create host-specific configuration files named `<hostname>.nix` in the user directory (`home/<username>/<hostname>.nix`), containing Home-Manager configuration with user-specific git settings, imports of shared features, and host-specific customizations

Applied to files:

  • lib/builders/mkSystem.nix
  • flake/default.nix
📚 Learning: 2026-03-01T12:26:25.327Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/secrets/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:25.327Z
Learning: Applies to **/*.nix : Declare secrets in Nix using `sops.secrets` with the secret path as the key

Applied to files:

  • lib/builders/mkSystem.nix
📚 Learning: 2026-03-01T12:24:57.319Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/hosts/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:57.319Z
Learning: Applies to hosts/{desktop,laptop}/*/hardware.nix : Hardware configurations must define filesystem mount points with device labels and filesystem types (e.g., `fileSystems./`)

Applied to files:

  • modules/nixos/desktop/virtual-machine.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Verify option type definitions match their usage and configuration values

Applied to files:

  • modules/nixos/desktop/virtual-machine.nix
  • flake/default.nix
📚 Learning: 2026-03-01T12:26:51.425Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/ci-failure.md:0-0
Timestamp: 2026-03-01T12:26:51.425Z
Learning: Applies to **/*.nix : Verify type mismatches by checking option type definitions and the value being provided in NixOS options

Applied to files:

  • modules/nixos/desktop/virtual-machine.nix
📚 Learning: 2026-03-01T12:24:38.213Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/debugging/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:38.213Z
Learning: Applies to **/*.nix : Verify attribute names, imports, and option paths to resolve 'attribute missing' errors in Nix configurations

Applied to files:

  • modules/nixos/desktop/virtual-machine.nix
  • modules/nixos/server/default.nix
  • flake/default.nix
  • tests/mkNode.nix
  • modules/nixos/shared/core/default.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to hosts/{desktop,laptop,server}/** : Per-machine NixOS configurations should be organized in `hosts/<type>/<hostname>/` where type is desktop, laptop, or server

Applied to files:

  • modules/nixos/desktop/virtual-machine.nix
  • flake/ci/flake-module.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to hosts/{desktop,laptop,server}/*/default.nix : Host system configurations should follow the pattern `hosts/<type>/<hostname>/default.nix`

Applied to files:

  • modules/nixos/desktop/virtual-machine.nix
  • flake/ci/flake-module.nix
  • tests/mkNode.nix
  • docs/src/modules/nixos/desktop.md
  • tests/default.nix
📚 Learning: 2026-03-01T12:24:22.881Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/code-style/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:22.881Z
Learning: Applies to **/*.nix : Use camelCase for Nix attributes (e.g., `myOption`, `enableFeature`)

Applied to files:

  • modules/nixos/desktop/virtual-machine.nix
📚 Learning: 2026-03-01T12:24:29.910Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/contributing/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:29.910Z
Learning: Applies to **/*.nix : Run `nix fmt` to format code before submitting changes

Applied to files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
📚 Learning: 2026-03-01T12:27:25.837Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/test.md:0-0
Timestamp: 2026-03-01T12:27:25.837Z
Learning: Applies to **/*.nix : Always ensure formatting is correct by running 'nix fmt' on changed files

Applied to files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
📚 Learning: 2026-03-01T12:26:51.425Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/ci-failure.md:0-0
Timestamp: 2026-03-01T12:26:51.425Z
Learning: Applies to **/*.nix : Run `nix fmt <changed-files>` to fix Nix formatting failures in CI checks

Applied to files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to **/*.nix : Run `nix fmt` on changed Nix files after modifying modules

Applied to files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Code MUST pass `nix fmt` formatting validation

Applied to files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
  • modules/nixos/server/default.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Remove unused let bindings

Applied to files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
📚 Learning: 2026-03-01T12:24:22.881Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/code-style/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:22.881Z
Learning: Applies to **/*.nix : Run `nix fmt <paths...>` after making any changes to ensure consistent formatting

Applied to files:

  • home/shared/desktop/gnome/default.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Use intermediate bindings instead of deeply nested attribute access for improved readability

Applied to files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
  • modules/nixos/server/default.nix
📚 Learning: 2026-03-01T12:24:29.910Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/contributing/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:29.910Z
Learning: Applies to home/**/*.nix : Test at least one affected home configuration before submitting changes

Applied to files:

  • home/shared/desktop/gnome/default.nix
  • home/shared/applications/media.nix
  • modules/nixos/server/default.nix
  • flake/ci/flake-module.nix
  • flake/default.nix
  • tests/mkNode.nix
  • tests/default.nix
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/server/**/*.nix : Use `server.<name>` namespace for server cluster options in NixOS modules

Applied to files:

  • modules/nixos/server/default.nix
  • docs/src/modules/nixos/services.md
  • tests/mkNode.nix
  • modules/nixos/server/tests.nix
  • tests/default.nix
📚 Learning: 2026-03-01T12:26:31.937Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/testing/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:31.937Z
Learning: Run `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel` to test a host configuration

Applied to files:

  • modules/nixos/server/default.nix
  • flake/ci/flake-module.nix
  • tests/mkNode.nix
  • tests/default.nix
📚 Learning: 2026-03-01T12:24:57.319Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/hosts/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:57.319Z
Learning: Applies to hosts/{server,desktop,laptop}/*/default.nix : Each host requires a `default.nix` file as the main configuration entry point

Applied to files:

  • modules/nixos/server/default.nix
  • tests/mkNode.nix
  • docs/src/modules/nixos/desktop.md
  • tests/default.nix
📚 Learning: 2026-03-01T12:27:29.965Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-01T12:27:29.965Z
Learning: Applies to **/*.nix : All affected configurations MUST be tested before completing any task, using the test agent and testing skill to identify affected configurations

Applied to files:

  • modules/nixos/server/default.nix
  • flake/ci/flake-module.nix
  • tests/default.nix
📚 Learning: 2026-03-01T12:24:29.910Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/contributing/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:29.910Z
Learning: Applies to hosts/**/*.nix : Test at least one affected host configuration before submitting changes

Applied to files:

  • modules/nixos/server/default.nix
  • flake/ci/flake-module.nix
  • tests/default.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to flake.nix : Top-level flake definitions and inputs/outputs configuration should be placed in `flake.nix`

Applied to files:

  • flake/ci/flake-module.nix
  • flake/default.nix
📚 Learning: 2026-03-01T12:27:25.837Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/test.md:0-0
Timestamp: 2026-03-01T12:27:25.837Z
Learning: For flake.nix or flake.lock changes, run a full flake check in addition to building representative configs

Applied to files:

  • flake/ci/flake-module.nix
  • flake/default.nix
📚 Learning: 2026-03-01T12:24:29.910Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/contributing/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:29.910Z
Learning: Applies to {flake.nix,flake.lock} : Run `nix flake check` (with devenv-root override) before submitting changes

Applied to files:

  • flake/ci/flake-module.nix
  • flake/default.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to flake/nixos/** : NixOS flake modules should be organized in the `flake/nixos/` directory

Applied to files:

  • flake/ci/flake-module.nix
📚 Learning: 2026-03-01T12:24:57.319Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/hosts/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:57.319Z
Learning: Applies to flake/nixos/flake-module.nix : For CUDA or ROCm hardware acceleration support, register the host in `flake/nixos/flake-module.nix` under the appropriate `accelerationHosts` category

Applied to files:

  • flake/ci/flake-module.nix
📚 Learning: 2026-03-01T12:26:51.425Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/ci-failure.md:0-0
Timestamp: 2026-03-01T12:26:51.425Z
Learning: Applies to flake.nix : Use `./flake/ci/detect-affected-outputs.nu nixosConfigurations --json` and `./flake/ci/detect-affected-outputs.nu homeConfigurations --json` to identify which outputs are affected by dirty files in CI

Applied to files:

  • flake/ci/flake-module.nix
  • flake/default.nix
📚 Learning: 2026-03-01T12:24:57.319Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/hosts/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:57.319Z
Learning: Host auto-discovery scans `hosts/` for subdirectories, filters out `shared/` and `secrets.yaml`, and automatically registers each as a nixosConfiguration

Applied to files:

  • flake/ci/flake-module.nix
📚 Learning: 2026-03-01T12:26:51.425Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/ci-failure.md:0-0
Timestamp: 2026-03-01T12:26:51.425Z
Learning: Applies to **/*.nix : Use `nix eval .#nixosConfigurations.<host>.config.system.build.toplevel --apply 'x: "ok"'` to check if Nix expressions evaluate correctly

Applied to files:

  • flake/ci/flake-module.nix
  • flake/default.nix
  • tests/default.nix
📚 Learning: 2026-03-01T12:24:15.388Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/building/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:15.388Z
Learning: Build a host's NixOS system using `nix build .#nixosConfigurations.<host>.config.system.build.toplevel`

Applied to files:

  • flake/ci/flake-module.nix
  • tests/mkNode.nix
📚 Learning: 2026-03-01T12:27:16.409Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/security.md:0-0
Timestamp: 2026-03-01T12:27:16.409Z
Learning: Applies to **/*.nix : Apply systemd hardening options (DynamicUser, ProtectSystem, ProtectHome, PrivateTmp, NoNewPrivileges, CapabilityBoundingSet, RestrictNamespaces, RestrictRealtime, RestrictSUIDSGID, MemoryDenyWriteExecute, LockPersonality) to service definitions

Applied to files:

  • docs/src/modules/nixos/services.md
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to hosts/shared/optional/** : Optional NixOS features (gaming, containers, etc.) should be organized in `hosts/shared/optional/`

Applied to files:

  • docs/src/modules/nixos/services.md
  • modules/nixos/laptop/default.nix
  • modules/nixos/shared/core/default.nix
  • docs/src/modules/nixos/desktop.md
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/home-manager/**/*.nix : Create Home-Manager modules at `modules/home-manager/<category>/<name>.nix` with osConfig parameter support and conditional config application using mkIf

Applied to files:

  • docs/src/modules/nixos/services.md
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/home-manager/**/*.nix : Use `custom.<name>` namespace for custom extensions in Home-Manager modules

Applied to files:

  • docs/src/modules/nixos/services.md
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/**/*.nix : Create NixOS modules at `modules/nixos/<category>/<name>.nix` with standard pattern including options definition, lib imports (mkEnableOption, mkOption, mkIf, types), config variable binding, and conditional config application using mkIf

Applied to files:

  • docs/src/modules/nixos/services.md
  • tests/mkNode.nix
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core/default.nix
📚 Learning: 2026-03-01T12:26:51.425Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/ci-failure.md:0-0
Timestamp: 2026-03-01T12:26:51.425Z
Learning: Applies to flake.{nix,lock} : Verify `flake.lock` conflicts by checking if inputs were updated and ensuring compatibility between updated inputs

Applied to files:

  • flake/default.nix
📚 Learning: 2026-03-01T12:24:38.213Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/debugging/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:38.213Z
Learning: Use `nix flake check --no-build` to verify flake syntax validity without building

Applied to files:

  • flake/default.nix
📚 Learning: 2026-03-01T12:26:31.937Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/testing/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:31.937Z
Learning: Run `nix flake check --override-input devenv-root "file+file://$PWD/.devenv/root"` to perform a full flake check

Applied to files:

  • flake/default.nix
📚 Learning: 2026-03-01T12:24:15.388Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/building/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:15.388Z
Learning: Use `nix flake check` to evaluate all configurations and run linters

Applied to files:

  • flake/default.nix
📚 Learning: 2026-03-01T12:27:25.837Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/test.md:0-0
Timestamp: 2026-03-01T12:27:25.837Z
Learning: Use 'nix eval .#homeConfigurations --apply "builtins.attrNames"' to list available home configurations

Applied to files:

  • flake/default.nix
📚 Learning: 2026-03-01T12:27:25.837Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/test.md:0-0
Timestamp: 2026-03-01T12:27:25.837Z
Learning: Use 'nix eval .#nixosConfigurations --apply "builtins.attrNames"' to list available host configurations

Applied to files:

  • flake/default.nix
  • tests/mkNode.nix
📚 Learning: 2026-03-01T12:26:51.425Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/ci-failure.md:0-0
Timestamp: 2026-03-01T12:26:51.425Z
Learning: Applies to **/*.nix : Use `nix eval .#nixosConfigurations.<host>.config.services --apply 'builtins.attrNames'` to diagnose 'attribute not found' errors by listing available attributes

Applied to files:

  • flake/default.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Always use `mkIf` guards on config sections that are conditionally applied

Applied to files:

  • flake/default.nix
📚 Learning: 2026-03-01T12:26:51.425Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/ci-failure.md:0-0
Timestamp: 2026-03-01T12:26:51.425Z
Learning: Applies to **/*.nix : When a new module isn't being found, verify the imports list in the parent module, check that the file path is correct (use kebab-case), and ensure the module is syntactically valid

Applied to files:

  • tests/mkNode.nix
📚 Learning: 2026-03-01T12:24:57.319Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/hosts/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:57.319Z
Learning: Applies to hosts/server/*/default.nix : Server hosts must set `host.device.isHeadless = true` in their configuration

Applied to files:

  • tests/mkNode.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to modules/nixos/** : Reusable NixOS module fragments should be placed in `modules/nixos/` directory

Applied to files:

  • modules/nixos/server/tests.nix
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to pkgs/default.nix : Custom packages should export their definitions through `pkgs/default.nix`

Applied to files:

  • modules/nixos/shared/core/default.nix
  • tests/default.nix
📚 Learning: 2026-03-01T12:27:02.914Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/agent/nix-review.md:0-0
Timestamp: 2026-03-01T12:27:02.914Z
Learning: Applies to **/*.nix : Use `mkDefault`, `mkForce`, and `mkOverride` correctly to control option priority

Applied to files:

  • modules/nixos/shared/core/default.nix
  • tests/default.nix
📚 Learning: 2026-03-01T12:25:06.603Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/modules/SKILL.md:0-0
Timestamp: 2026-03-01T12:25:06.603Z
Learning: Applies to modules/nixos/hardware/**/*.nix : Use `hardware.<name>` namespace for hardware configuration in NixOS modules

Applied to files:

  • docs/src/modules/nixos/desktop.md
📚 Learning: 2026-03-01T12:24:57.319Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/hosts/SKILL.md:0-0
Timestamp: 2026-03-01T12:24:57.319Z
Learning: Applies to hosts/{desktop,laptop}/*/hardware.nix : Physical host machines (desktops/laptops) must include a `hardware.nix` file with hardware-specific configuration

Applied to files:

  • docs/src/modules/nixos/desktop.md
📚 Learning: 2026-03-01T12:26:14.740Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/project-structure/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:14.740Z
Learning: Applies to home/shared/desktop/** : Shared desktop environment configurations should be in `home/shared/desktop/`

Applied to files:

  • docs/src/modules/nixos/desktop.md
📚 Learning: 2026-03-01T12:26:01.610Z
Learnt from: CR
Repo: DaRacci/nix-config PR: 0
File: .opencode/skills/packages/SKILL.md:0-0
Timestamp: 2026-03-01T12:26:01.610Z
Learning: Applies to pkgs/*/default.nix : Each package should have its own directory under pkgs/ with a default.nix file containing the package definition

Applied to files:

  • tests/default.nix

Comment thread docs/src/modules/nixos/desktop.md Outdated
Comment on lines 7 to 8
The primary purpose of this module is to bundle common desktop-related services and configurations that should be present on all workstations, such as display managers, remote access tools, and hardware features like RGB lighting and VFIO passthrough.


⚠️ Potential issue | 🟡 Minor

Describe RGB and VFIO as opt-in features.

modules/nixos/desktop/rgb.nix:25-42 and modules/nixos/desktop/vfio.nix:50-91 both gate their config behind mkIf cfg.enable. The current wording reads as if every desktop gets those features by default, which misstates what modules/nixos/desktop/default.nix actually does.

✏️ Suggested wording
-The primary purpose of this module is to bundle common desktop-related services and configurations that should be present on all workstations, such as display managers, remote access tools, and hardware features like RGB lighting and VFIO passthrough.
+The primary purpose of this module is to bundle common desktop-related services and configurations for workstations, and to expose optional hardware features such as RGB lighting and VFIO passthrough.
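
Review bot: the replacement sentence on the `+` line drops the concrete examples the old sentence gave (display managers, remote access tools) along with the "all workstations" claim. Only the RGB and VFIO part was inaccurate, so keep the examples of what is always bundled and move just RGB lighting and VFIO passthrough into the optional clause.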

-- **RGB Lighting**: Configured via `./rgb.nix` — OpenRGB-based hardware lighting control.
-- **VFIO Passthrough**: Configured via `./vfio.nix` — GPU/device passthrough for virtual machines.
+- **RGB Lighting**: Optional via `./rgb.nix` — OpenRGB-based hardware lighting control.
+- **VFIO Passthrough**: Optional via `./vfio.nix` — GPU/device passthrough for virtual machines.

Also applies to: 17-18

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/src/modules/nixos/desktop.md` around lines 7 - 8, The docs currently
imply RGB and VFIO are enabled by default; update the desktop.md wording to
state these are opt-in features and are only enabled when their config flag is
set (they are gated with mkIf cfg.enable in the rgb.nix and vfio.nix modules),
and clarify how modules/nixos/desktop/default.nix composes those modules rather
than enabling them globally; change the two spots called out to mention "opt-in
via cfg.enable" and mirror the suggested wording.

Comment on lines 92 to 96
mounts = mkOption {
type = types;
type = types.attrsOf types.anything;
default = { };
description = "The mounts to attach to the guest.";
};

🧹 Nitpick | 🔵 Trivial

Type change is reasonable, but consider documenting expected structure.

Using types.attrsOf types.anything provides flexibility for arbitrary mount configurations, but it bypasses type validation entirely. Consider adding documentation or examples in the description to clarify the expected attribute structure for mounts.

📝 Suggested improvement for documentation
         mounts = mkOption {
           type = types.attrsOf types.anything;
           default = { };
-          description = "The mounts to attach to the guest.";
+          description = ''
+            The mounts to attach to the guest.
+
+            Example:
+            ```nix
+            {
+              "/host/path" = { target = "/guest/path"; readonly = false; };
+            }
+            ```
+          '';
         };
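
Review bot: the example added to `description` documents a `target`/`readonly` shape that nothing enforces, because the unchanged line `type = types.attrsOf types.anything;` accepts any value. For host paths shared into a guest that is worth tightening: declare the entries as `types.attrsOf (types.submodule { ... })` with typed `target` and `readonly` options so a malformed entry fails evaluation instead of being accepted, and consider defaulting `readonly` to true so write access to the host path is an explicit choice. Also confirm that `target` and `readonly` are the keys the module actually reads; the hunk does not show the consumer.
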
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/desktop/virtual-machine.nix` around lines 92 - 96, The mounts
option currently uses mkOption with type = types.attrsOf types.anything which
removes validation; update the description for the mounts option (the mkOption
named "mounts") to document the expected attribute structure and provide a
concrete example showing host-path keys mapping to attrs including target and
readonly (e.g. host path -> { target = "/guest/path"; readonly = false; }) so
users know the required fields and shape; keep the existing type but make the
description clear and copyable for users.

Comment on lines +10 to +11
inherit (lib) type mkOption mkEnableOption;
inherit (type) submodule attrsOf either listOf str bool functionTo;

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether the repo defines a non-standard `lib.type` alias.
rg -n -C2 --type=nix '\binherit\s+\(lib\)\s+type\b|\blib\.type\b|\btype\s*=\s*types\b'

Repository: DaRacci/nix-config

Length of output: 11299


Import the module types from lib.types.

The NixOS module type helpers live under lib.types. The pattern inherit (lib) type will fail because lib.type does not exist in the standard NixOS library, leaving submodule, attrsOf, either, and other type helpers unresolved. This module will fail during evaluation.

Suggested fix
 let
-  inherit (lib) type mkOption mkEnableOption;
-  inherit (type) submodule attrsOf either listOf str bool functionTo;
+  inherit (lib) mkEnableOption mkOption;
+  inherit (lib.types) attrsOf bool either functionTo listOf str submodule;
 in {
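
Review bot: the `+` line that inherits from `lib.types` still brings in `bool` and `listOf`, but the option declarations shown for lines 13 to 42 of this file only use `attrsOf`, `submodule`, `str`, `either` and `functionTo`. Unless later lines of tests.nix use them, drop the two unused names so the inherit list matches what the module declares.
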
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/server/tests.nix` around lines 10 - 11, The module is
incorrectly inheriting type helpers from lib (which has no .type); update the
inherits to pull from lib.types so the NixOS module type helpers are resolved:
change the first inherit to reference lib.types when bringing in type, mkOption
and mkEnableOption, and change the second inherit to reference lib.types for
submodule, attrsOf, either, listOf, str, bool, functionTo (or alternatively only
import type once and then inherit (type) ...), ensuring mkOption,
mkEnableOption, submodule, attrsOf, either, listOf, str, bool, and functionTo
come from lib.types.

Comment on lines +17 to +38
units = attrsOf (submodule ({ name, ... }: {
options = {
name = mkOption {
type = str;
default = name;
description = ''
The name to give to this unit test.
This is used to enter into a subtest within the testScript of the cluster test.
'';
};

testScript = mkOption {
type = either str (functionTo str);
description = ''
Python code to be ran within the subtest for this unit.

If this is a function with one argument of this nodes config.
If this is a function with two arguments, the second argument is the entire cluster configuration.
'';
};
};
}));

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect how `attrsOf (submodule ...)` options are declared elsewhere in the repo.
rg -n -C4 --type=nix 'attrsOf\s*\(submodule'

Repository: DaRacci/nix-config

Length of output: 5820


Wrap server.tests.units in mkOption.

Inside options, this assigns a raw type instead of an option declaration. The module system requires mkOption/mkEnableOption values, and all other similar attrsOf (submodule ...) declarations in the codebase (metrics.nix, mcpo.nix, virtual-machine.nix, dashboard.nix, etc.) follow this pattern. The units option will not evaluate correctly without wrapping it in mkOption with the type as an argument.

Suggested fix
-      units = attrsOf (submodule ({ name, ... }: {
-        options = {
-          name = mkOption {
-            type = str;
-            default = name;
-            description = ''
-              The name to give to this unit test.
-              This is used to enter into a subtest within the testScript of the cluster test.
-            '';
-          };
-
-          testScript = mkOption {
-            type = either str (functionTo str);
-            description = ''
-              Python code to be ran within the subtest for this unit.
-
-              If this is a function with one argument of this nodes config.
-              If this is a function with two arguments, the second argument is the entire cluster configuration.
-            '';
-          };
-        };
-      }));
+      units = mkOption {
+        type = attrsOf (submodule ({ name, ... }: {
+          options = {
+            name = mkOption {
+              type = str;
+              default = name;
+              description = ''
+                The name to give to this unit test.
+                This is used to enter into a subtest within the testScript of the cluster test.
+              '';
+            };
+
+            testScript = mkOption {
+              type = either str (functionTo str);
+              description = ''
+                Python code to be ran within the subtest for this unit.
+
+                If this is a function with one argument of this nodes config.
+                If this is a function with two arguments, the second argument is the entire cluster configuration.
+              '';
+            };
+          };
+        }));
+        default = { };
+      };
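
Review bot: in the `testScript` option the type `either str (functionTo str)` does not admit the two-argument form its description promises. `functionTo str` checks that the function's result is a string, and a curried two-argument function returns another function after its first argument, so it would be rejected. Either widen the type, for example `either str (functionTo (either str (functionTo str)))`, or drop the two-argument sentence from the description. The description is also carried over with its unfinished sentence ("If this is a function with one argument of this nodes config.") and "ran" for "run"; fix both while the block is being re-indented.
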
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/server/tests.nix` around lines 17 - 38, The options declaration
for server.tests.units currently assigns a raw attrsOf (submodule ...) value
instead of an option; wrap the whole attrsOf (submodule ({ name, ... }: { ...
})) expression in mkOption so server.tests.units is an actual Nix option.
Specifically, replace the bare units = attrsOf (...) with units = mkOption
(attrsOf (submodule ({ name, ... }: { options = { ... } }))) (or equivalent
mkOption form), keeping the same inner options (name, testScript) to match other
modules (metrics.nix, mcpo.nix, virtual-machine.nix, dashboard.nix) that use
mkOption for units.

Comment thread tests/lib.nix
Comment thread tests/mkNode.nix
Comment on lines +7 to +11
imports = [
(import "${self}/modules/flake/apply/system.nix" {
inherit allocations hostName;
deviceType = "server";
})

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -e
echo '== tests/mkNode.nix =='
sed -n '1,80p' tests/mkNode.nix
echo
echo '== lib/builders/mkSystem.nix =='
sed -n '30,70p' lib/builders/mkSystem.nix

Repository: DaRacci/nix-config

Length of output: 1518


Build each test node from the real host module stack.

The test node only imports modules/flake/apply/system.nix, whilst the production builder (lib/builders/mkSystem.nix) includes all nixos modules, device-type modules, the host directory, and shared configuration modules. The cluster test will pass with near-empty VMs, failing to validate actual server configurations.

Either include the full module stack or reuse lib/builders/mkSystem.nix to ensure test parity with production builds.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/mkNode.nix` around lines 7 - 11, The test node import currently uses
only modules/flake/apply/system.nix causing tests to build minimal VMs; update
the imports to build test nodes with the full production module stack by either
reusing the existing builder lib/builders/mkSystem.nix or by expanding the
imports to include the NixOS modules, device-type modules, host directory and
shared config modules (preserve existing attributes like allocations, hostName
and deviceType). Locate the imports block that references
modules/flake/apply/system.nix and replace it with a call to
lib/builders/mkSystem.nix (or mirror its module list) so test VMs are built the
same way as production.

@DaRacci DaRacci force-pushed the push-xvsqsqnwmrup branch from 072e115 to 2a6a397 on March 28, 2026 08:36

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
modules/nixos/desktop/virtual-machine.nix (1)

74-74: ⚠️ Potential issue | 🔴 Critical

mkDoc is not a standard lib function — this will cause evaluation failure.

The mkDoc function used here does not exist in nixpkgs.lib. This will throw an "attribute 'mkDoc' missing" error during evaluation. Use a plain string instead.

🐛 Proposed fix
-            description = mkDoc "The percentage of maxMemory to reserve for the host.";
+            description = "The percentage of maxMemory to reserve for the host.";
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/desktop/virtual-machine.nix` at line 74, The description
attribute for the virtual machine option uses a non-existent mkDoc function
which will break evaluation; replace the use of mkDoc in the description
assignment (the line containing description = mkDoc "The percentage of maxMemory
to reserve for the host."; ) with a plain string literal (e.g. description =
"The percentage of maxMemory to reserve for the host.";), ensuring no mkDoc
references remain in the virtual-machine.nix option definition.

modules/nixos/shared/core/printing.nix (1)

16-21: ⚠️ Potential issue | 🟠 Major

Wrap the enable assignment with lib.mkDefault for consistency with other custom.core toggles.

The custom.core.audio, custom.core.bluetooth, and custom.core.network options in default.nix define their defaults at the option level (lines 34–53). However, custom.core.printing.enable lacks a default in its option definition and instead assigns its value in the config section (line 18) without mkDefault. This creates an inconsistency: if a host-level configuration sets custom.core.printing.enable without using mkDefault, both the module and host assignment would be at priority 100, causing a merge conflict. Wrap the assignment in lib.mkDefault to allow host-level overrides to take precedence and align with NixOS module conventions.

Suggested fix
  config = mkMerge [
    {
-      custom.core.printing.enable = config.host.device.role != "server" && !config.host.device.isVirtual;
+      custom.core.printing.enable = lib.mkDefault (
+        config.host.device.role != "server" && !config.host.device.isVirtual
+      );
    }
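
Review bot: the `+` line calls `lib.mkDefault` while the unchanged context calls `mkMerge` unqualified, so this file appears to inherit its helpers rather than reference `lib` directly. Check that `lib` is actually among the module arguments here, or add `mkDefault` to the existing inherit and call it unqualified to match `mkMerge`.
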
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/shared/core/printing.nix` around lines 16 - 21, The
config-level assignment for custom.core.printing.enable should be wrapped with
lib.mkDefault to match other custom.core toggles; update the config = mkMerge
block where custom.core.printing.enable is set (currently using
config.host.device.role != "server" && !config.host.device.isVirtual) to instead
call lib.mkDefault(...) so host-level overrides win and avoid merge-priority
conflicts with option-level defaults (see related symbols:
custom.core.printing.enable, lib.mkDefault, config = mkMerge, cfg.enable).

♻️ Duplicate comments (2)
modules/nixos/server/tests.nix (2)

10-11: ⚠️ Potential issue | 🔴 Critical

Import type helpers from lib.types, not lib.type.

Line 10 and Line 11 currently pull types from lib.type, which will fail evaluation in standard NixOS modules.

Proposed fix
 let
-  inherit (lib) type mkOption mkEnableOption;
-  inherit (type) submodule attrsOf either listOf str bool functionTo;
+  inherit (lib) mkEnableOption mkOption;
+  inherit (lib.types) attrsOf bool either functionTo listOf str submodule;
 in {
#!/bin/bash
# Verify current type-helper imports and whether any custom lib.type alias exists.
rg -n -C2 --type=nix '\binherit\s+\(lib\)\s+type\b|\blib\.type\b|\blib\.types\b'

Based on learnings: Verify attribute names, imports, and option paths to resolve attribute-missing errors in Nix configurations.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/server/tests.nix` around lines 10 - 11, The module is importing
type helpers from lib.type which is incorrect; change the imports to use
lib.types so the type helpers (mkOption, mkEnableOption, submodule, attrsOf,
either, listOf, str, bool, functionTo) are pulled from lib.types instead of
lib.type and update both inherit statements accordingly to reference lib.types.

17-38: ⚠️ Potential issue | 🔴 Critical

Wrap server.tests.units in mkOption.

Line 17 assigns a raw type under options; this needs to be an option declaration to evaluate correctly in the module system.

Proposed fix
-      units = attrsOf (submodule ({ name, ... }: {
-        options = {
-          name = mkOption {
-            type = str;
-            default = name;
-            description = ''
-              The name to give to this unit test.
-              This is used to enter into a subtest within the testScript of the cluster test.
-            '';
-          };
-
-          testScript = mkOption {
-            type = either str (functionTo str);
-            description = ''
-              Python code to be ran within the subtest for this unit.
-
-              If this is a function with one argument of this nodes config.
-              If this is a function with two arguments, the second argument is the entire cluster configuration.
-            '';
-          };
-        };
-      }));
+      units = mkOption {
+        type = attrsOf (submodule ({ name, ... }: {
+          options = {
+            name = mkOption {
+              type = str;
+              default = name;
+              description = ''
+                The name to give to this unit test.
+                This is used to enter into a subtest within the testScript of the cluster test.
+              '';
+            };
+
+            testScript = mkOption {
+              type = either str (functionTo str);
+              description = ''
+                Python code to be ran within the subtest for this unit.
+
+                If this is a function with one argument of this nodes config.
+                If this is a function with two arguments, the second argument is the entire cluster configuration.
+              '';
+            };
+          };
+        }));
+        default = { };
+      };
#!/bin/bash
# Verify how attrsOf/submodule options are declared in this repo and in this file.
rg -n -C3 --type=nix 'attrsOf\s*\(submodule|units\s*=\s*mkOption|units\s*=\s*attrsOf'

As per coding guidelines, follow the standard NixOS module structure pattern with proper options declarations.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/server/tests.nix` around lines 17 - 38, The block assigning
server.tests.units uses attrsOf(submodule(...)) directly under options instead
of declaring it as an option; wrap the entire units value in a mkOption so it
becomes a proper NixOS option declaration. Specifically, change the declaration
of server.tests.units (the attrsOf(submodule({...}) value that defines options
name and testScript) to be returned from mkOption with appropriate type (e.g.,
attrsOf _ or an attributeset of submodules) and include its existing nested
options (name, testScript) as the option's documentation/type; ensure references
to attrsOf, submodule, and the nested options name and testScript remain intact
while replacing the raw value with mkOption(...) so the module system evaluates
it correctly.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@flake/ci/flake-module.nix`:
- Line 28: The partition allocations accessor is incorrect: change the inherited
path from config.partitions.nixos.module.allocations to
config.partitions.nixos.allocations; locate the inherit statement that
references (config.partitions.nixos.module) allocations and update it to inherit
from (config.partitions.nixos) allocations so it matches how the flake module is
merged and aligns with other accessors like config.partitions.docs.extraInputs.

In `@modules/home-manager/services/mcpo.nix`:
- Line 11: The import in modules/home-manager/services/mcpo.nix currently uses
the `${self}`-style absolute path in the expression `(import
"${self}/modules/nixos/shared/services/mcpo.nix" {` — replace that with a
file-relative import (e.g., `./modules/nixos/shared/services/mcpo.nix`) to
follow repo conventions; update the import expression in the same file by
changing the path string to the relative path so the module is loaded relative
to modules/home-manager/services/mcpo.nix rather than via `${self}`.

In `@modules/nixos/server/tests.nix`:
- Around line 13-42: The server.tests options are declared but never used;
update the test harness (tests/default.nix) to read the evaluated host config's
server.tests.* and build a composite testScript passed to runNixOSTest: iterate
over server.tests.units, call each unit's testScript (handling both string and
function signatures—1-arg node config or 2-arg node+cluster config) to produce
the per-host subtests, and respect server.tests.enable to skip wiring when
disabled; ensure the evaluated host config is threaded into the harness so
testScript functions receive the proper node/cluster args before invoking
runNixOSTest.

In `@modules/nixos/shared/core/default.nix`:
- Around line 58-62: Update the custom.defaultGroups list to use the correct
NetworkManager group name and avoid adding non-existent PipeWire group: replace
any occurrence of "network" in custom.defaultGroups with "networkmanager", and
only append "pipewire" to custom.defaultGroups when services.pipewire.systemWide
is true (guard the addition with that condition); apply the same change for the
other occurrence of custom.defaultGroups later in the file (the second block
around lines referenced in the review).

In `@tests/default.nix`:
- Line 24: Fix the typo in the comment string "Wait for all nodes to each
multi-user.target" by changing "each" to "reach" so it reads "Wait for all nodes
to reach multi-user.target"; update the comment where that exact phrase appears
to correct the wording.
- Line 12: The import binding testLib in tests/default.nix is unused; remove the
unused import statement (the line defining testLib = import ./lib.nix;) so the
file no longer creates an unused symbol and to avoid lint warnings.

---

Outside diff comments:
In `@modules/nixos/desktop/virtual-machine.nix`:
- Line 74: The description attribute for the virtual machine option uses a
non-existent mkDoc function which will break evaluation; replace the use of
mkDoc in the description assignment (the line containing description = mkDoc
"The percentage of maxMemory to reserve for the host."; ) with a plain string
literal (e.g. description = "The percentage of maxMemory to reserve for the
host.";), ensuring no mkDoc references remain in the virtual-machine.nix option
definition.

In `@modules/nixos/shared/core/printing.nix`:
- Around line 16-21: The config-level assignment for custom.core.printing.enable
should be wrapped with lib.mkDefault to match other custom.core toggles; update
the config = mkMerge block where custom.core.printing.enable is set (currently
using config.host.device.role != "server" && !config.host.device.isVirtual) to
instead call lib.mkDefault(...) so host-level overrides win and avoid
merge-priority conflicts with option-level defaults (see related symbols:
custom.core.printing.enable, lib.mkDefault, config = mkMerge, cfg.enable).

---

Duplicate comments:
In `@modules/nixos/server/tests.nix`:
- Around line 10-11: The module is importing type helpers from lib.type which is
incorrect; change the imports to use lib.types so the type helpers (mkOption,
mkEnableOption, submodule, attrsOf, either, listOf, str, bool, functionTo) are
pulled from lib.types instead of lib.type and update both inherit statements
accordingly to reference lib.types.
- Around line 17-38: The block assigning server.tests.units uses
attrsOf(submodule(...)) directly under options instead of declaring it as an
option; wrap the entire units value in a mkOption so it becomes a proper NixOS
option declaration. Specifically, change the declaration of server.tests.units
(the attrsOf(submodule({...}) value that defines options name and testScript) to
be returned from mkOption with appropriate type (e.g., attrsOf _ or an
attributeset of submodules) and include its existing nested options (name,
testScript) as the option's documentation/type; ensure references to attrsOf,
submodule, and the nested options name and testScript remain intact while
replacing the raw value with mkOption(...) so the module system evaluates it
correctly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 56811165-b6e5-477d-a481-a22044ea4ca2

📥 Commits

Reviewing files that changed from the base of the PR and between 072e115 and 2a6a397.

📒 Files selected for processing (58)
  • docs/src/modules/nixos/desktop.md
  • docs/src/modules/nixos/services.md
  • flake/ci/flake-module.nix
  • flake/default.nix
  • lib/builders/mkSystem.nix
  • modules/home-manager/services/mcpo.nix
  • modules/nixos/default.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/desktop/rgb.nix
  • modules/nixos/desktop/vfio.nix
  • modules/nixos/desktop/virtual-machine.nix
  • modules/nixos/encrypted-root.nix
  • modules/nixos/laptop/default.nix
  • modules/nixos/proxies.nix
  • modules/nixos/server/default.nix
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core.nix
  • modules/nixos/shared/core/auto-upgrade.nix
  • modules/nixos/shared/core/boot/default.nix
  • modules/nixos/shared/core/boot/quietboot.nix
  • modules/nixos/shared/core/boot/secureboot.nix
  • modules/nixos/shared/core/boot/systemd-boot.nix
  • modules/nixos/shared/core/default.nix
  • modules/nixos/shared/core/hardware/backlight.nix
  • modules/nixos/shared/core/hardware/biometrics.nix
  • modules/nixos/shared/core/hardware/bluetooth.nix
  • modules/nixos/shared/core/hardware/cooling.nix
  • modules/nixos/shared/core/hardware/default.nix
  • modules/nixos/shared/core/hardware/display.nix
  • modules/nixos/shared/core/hardware/graphics.nix
  • modules/nixos/shared/core/hardware/openrgb.nix
  • modules/nixos/shared/core/hardware/storage/default.nix
  • modules/nixos/shared/core/hardware/storage/ephemeral.nix
  • modules/nixos/shared/core/hardware/storage/maintenance.nix
  • modules/nixos/shared/core/hardware/storage/partitions/btrfs.nix
  • modules/nixos/shared/core/hardware/storage/partitions/esp.nix
  • modules/nixos/shared/core/hardware/storage/partitions/luks.nix
  • modules/nixos/shared/core/hardware/storage/partitions/tmpfs.nix
  • modules/nixos/shared/core/host/default.nix
  • modules/nixos/shared/core/host/device.nix
  • modules/nixos/shared/core/host/persistence.nix
  • modules/nixos/shared/core/printing.nix
  • modules/nixos/shared/default.nix
  • modules/nixos/shared/features/display-manager.nix
  • modules/nixos/shared/features/hm-helper/1password.nix
  • modules/nixos/shared/features/hm-helper/default.nix
  • modules/nixos/shared/features/hm-helper/kde-connect.nix
  • modules/nixos/shared/features/hm-helper/mpv.nix
  • modules/nixos/shared/features/hm-helper/nautilus.nix
  • modules/nixos/shared/features/remote.nix
  • modules/nixos/shared/services/default.nix
  • modules/nixos/shared/services/huntress.nix
  • modules/nixos/shared/services/mcpo.nix
  • modules/nixos/shared/services/metrics.nix
  • modules/nixos/shared/services/tailscale.nix
  • tests/default.nix
  • tests/lib.nix
  • tests/mkNode.nix
💤 Files with no reviewable changes (4)
  • modules/nixos/proxies.nix
  • modules/nixos/default.nix
  • modules/nixos/encrypted-root.nix
  • modules/nixos/shared/core.nix

Comment thread flake/ci/flake-module.nix
{
checks.cluster = import "${self}/tests" {
inherit self pkgs lib clusterHosts;
inherit (config.partitions.nixos.module) allocations;

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify allocations is defined in the nixos partition's flake module
echo "=== Checking allocations option definition ==="
rg -n 'options\.allocations' modules/flake/

echo ""
echo "=== Checking how nixos partition is defined ==="
rg -n -A5 'nixos.*=' flake/default.nix | head -20

echo ""
echo "=== Checking nixos flake-module structure ==="
cat flake/nixos/flake-module.nix 2>/dev/null || echo "File not found"

Repository: DaRacci/nix-config

Length of output: 1973


🏁 Script executed:

# Check the context around line 28 in flake/ci/flake-module.nix
sed -n '20,40p' flake/ci/flake-module.nix

echo ""
echo "=== Search for other config.partitions usage patterns ==="
rg -n 'config\.partitions\.' flake/ | head -20

echo ""
echo "=== Check if there are any examples of .module access ==="
rg -n '\.module\.' flake/ | head -10

Repository: DaRacci/nix-config

Length of output: 793


Correct the partition allocations access path.

The path config.partitions.nixos.module.allocations is incorrect. Based on the flake-modules structure and how the nixos partition is defined (with module = ./nixos/flake-module.nix), the module's outputs are merged directly into the partition config. The correct path is config.partitions.nixos.allocations, which is also consistent with other partition accessors in the codebase (e.g., config.partitions.docs.extraInputs).

Change line 28 to:

inherit (config.partitions.nixos) allocations;
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@flake/ci/flake-module.nix` at line 28, The partition allocations accessor is
incorrect: change the inherited path from
config.partitions.nixos.module.allocations to
config.partitions.nixos.allocations; locate the inherit statement that
references (config.partitions.nixos.module) allocations and update it to inherit
from (config.partitions.nixos) allocations so it matches how the flake module is
merged and aligns with other accessors like config.partitions.docs.extraInputs.

let
inherit
(import "${self}/modules/nixos/services/mcpo.nix" {
(import "${self}/modules/nixos/shared/services/mcpo.nix" {

🛠️ Refactor suggestion | 🟠 Major

Use a relative import for the moved module path

Line 11 uses an absolute-style ${self} path. Prefer a file-relative import here to match repo conventions and keep modules less coupled to flake root pathing.

Suggested change
-    (import "${self}/modules/nixos/shared/services/mcpo.nix" {
+    (import ../../nixos/shared/services/mcpo.nix {

As per coding guidelines, "Prefer relative imports over absolute imports (e.g., ./modules/foo.nix)."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/home-manager/services/mcpo.nix` at line 11, The import in
modules/home-manager/services/mcpo.nix currently uses the `${self}`-style
absolute path in the expression `(import
"${self}/modules/nixos/shared/services/mcpo.nix" {` — replace that with a
file-relative import (e.g., `./modules/nixos/shared/services/mcpo.nix`) to
follow repo conventions; update the import expression in the same file by
changing the path string to the relative path so the module is loaded relative
to modules/home-manager/services/mcpo.nix rather than via `${self}`.

Comment on lines +13 to +42
options = {
server.tests = {
enable = mkEnableOption "Enable testing of this machine in the cluster tests";

units = attrsOf (submodule ({ name, ... }: {
options = {
name = mkOption {
type = str;
default = name;
description = ''
The name to give to this unit test.
This is used to enter into a subtest within the testScript of the cluster test.
'';
};

testScript = mkOption {
type = either str (functionTo str);
description = ''
Python code to be ran within the subtest for this unit.

If this is a function with one argument of this nodes config.
If this is a function with two arguments, the second argument is the entire cluster configuration.
'';
};
};
}));
};
};

config = { };

⚠️ Potential issue | 🟠 Major

server.tests is declared but not wired into test execution.

This module only defines options (Line 13–Line 42), but tests/default.nix Line 14–Line 29 still runs a static script and does not consume server.tests.enable or server.tests.units.*.testScript. That leaves the new framework inert in CI.

You should thread evaluated host test config into the harness and generate testScript from declared units (including function/string handling) before calling runNixOSTest.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/server/tests.nix` around lines 13 - 42, The server.tests
options are declared but never used; update the test harness (tests/default.nix)
to read the evaluated host config's server.tests.* and build a composite
testScript passed to runNixOSTest: iterate over server.tests.units, call each
unit's testScript (handling both string and function signatures—1-arg node
config or 2-arg node+cluster config) to produce the per-host subtests, and
respect server.tests.enable to skip wiring when disabled; ensure the evaluated
host config is threaded into the harness so testScript functions receive the
proper node/cluster args before invoking runNixOSTest.
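
One way to generate the cluster testScript from the declared units, added here as an example and not code from this PR or repository. mkTestScript, indent, the other helper names and the sample node attrsets are hypothetical; it assumes nodes maps each host name to its evaluated config and handles only the string and one-argument function forms of testScript.

```nix
# Added example: hypothetical helper, not part of the repository under review.
# Assumption: `nodes` maps host name -> evaluated NixOS config for that host.
{ lib }:
let
  inherit (lib)
    concatMapStringsSep
    concatStringsSep
    filterAttrs
    isFunction
    mapAttrsToList
    splitString
    ;

  # Prefix every non-empty line. Nix indents only the first line of an
  # interpolated string, so multi-line Python has to be indented explicitly.
  indent =
    prefix: text:
    concatMapStringsSep "\n" (line: if line == "" then line else prefix + line) (splitString "\n" text);

  # testScript is either a string or a function of the node's own config.
  resolveScript =
    nodeConfig: unit:
    if isFunction unit.testScript then unit.testScript nodeConfig else unit.testScript;

  # One Python subtest per declared unit. toJSON yields a quoted, escaped literal.
  unitBlock =
    nodeConfig: unit:
    "with subtest(${builtins.toJSON unit.name}):\n" + indent "    " (resolveScript nodeConfig unit);

  # Hosts opt in with server.tests.enable. A host without units is skipped,
  # because an empty `with` body is a Python syntax error.
  selected = filterAttrs (_: cfg: cfg.server.tests.enable && cfg.server.tests.units != { });

  # All units of one host, nested under a subtest named after the host.
  nodeBlock =
    hostName: cfg:
    "with subtest(${builtins.toJSON hostName}):\n"
    + indent "    " (concatStringsSep "\n" (mapAttrsToList (_: unitBlock cfg) cfg.server.tests.units));

  # The string to pass as testScript to runNixOSTest.
  mkTestScript =
    nodes: concatStringsSep "\n" ([ "start_all()" ] ++ mapAttrsToList nodeBlock (selected nodes));
in
{
  inherit mkTestScript;

  # Constructed sample input: one enabled host with a function-valued unit,
  # one disabled host that must not appear in the generated script.
  sample = mkTestScript {
    web = {
      networking.hostName = "web";
      server.tests = {
        enable = true;
        units.http = {
          name = "http";
          testScript = cfg: ''
            ${cfg.networking.hostName}.wait_for_unit("multi-user.target")
            ${cfg.networking.hostName}.succeed("true")
          '';
        };
      };
    };
    db.server.tests = {
      enable = false;
      units = { };
    };
  };
}
```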

Comment on lines +58 to +62
custom.defaultGroups = [
"audio"
"pipewire"
"rtkit"
];

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find and read the file in question
find . -name "default.nix" -path "*/modules/nixos/shared/core/*" -type f

Repository: DaRacci/nix-config

Length of output: 297


🏁 Script executed:

# Read the relevant sections of the file
if [ -f "modules/nixos/shared/core/default.nix" ]; then
  echo "=== Lines 50-80 (around lines 58-62) ===" && sed -n '50,80p' modules/nixos/shared/core/default.nix && \
  echo -e "\n=== Lines 120-140 (around lines 129-131) ===" && sed -n '120,140p' modules/nixos/shared/core/default.nix
fi

Repository: DaRacci/nix-config

Length of output: 1321


🌐 Web query:

NixOS NetworkManager module users.groups networkmanager access control

💡 Result:

In NixOS, the NetworkManager module handles access control for users via the 'networkmanager' group. When networking.networkmanager.enable = true is set, the module automatically creates the 'networkmanager' group with a dedicated GID and adds a Polkit rule granting users in that group permission to perform NetworkManager actions (org.freedesktop.NetworkManager.*) without root privileges. Users must be explicitly added to this group using users.users.<name>.extraGroups = [ "networkmanager" ]; to manage networks via nmcli, nmtui, or graphical tools.

There is no direct 'users.groups' option within the NetworkManager module itself for customizing group membership or Polkit rules; access is controlled solely through membership in the auto-created 'networkmanager' group. The Polkit configuration is hardcoded in the module as:

    security.polkit.extraConfig = ''
      polkit.addRule(function(action, subject) {
        if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
          return polkit.Result.YES;
        }
      });
    '';

This is NixOS-specific behavior, differing from some other distributions where local session users may have broader default access.

Example configuration:

    networking.networkmanager.enable = true;
    users.users.alice = {
      isNormalUser = true;
      extraGroups = [ "networkmanager" ];
    };

After nixos-rebuild switch, user 'alice' can manage networks without sudo.


🌐 Web query:

NixOS PipeWire module services.pipewire.systemWide users.groups.pipewire

💡 Result:

The NixOS PipeWire module is configured under services.pipewire. Key options include:

  • services.pipewire.enable: Enables the PipeWire service (default: false).
  • services.pipewire.systemWide: If true, enables a system-wide PipeWire service and socket, allowing all users in the "pipewire" group to use it simultaneously. Default is false (user units only), and system-wide is not recommended per upstream. Declared in nixos/modules/services/desktops/pipewire/pipewire.nix.

For system-wide access, add users to the pipewire group, e.g.:

    users.users.username.extraGroups = [ "pipewire" ];

or for services:

    systemd.services.myservice.serviceConfig.SupplementaryGroups = [ "pipewire" ];

There is no direct users.groups.pipewire option in the module; the "pipewire" group is created implicitly when systemWide = true, and users/services must be manually assigned to it via extraGroups or SupplementaryGroups.

Other common options:

  • services.pipewire.alsa.enable = true; (ALSA support)
  • services.pipewire.pulse.enable = true; (PulseAudio compatibility)
  • security.rtkit.enable = true; (recommended for realtime scheduling)


Replace network with networkmanager, and conditionally add pipewire only when system-wide is enabled.

NetworkManager creates the networkmanager group and grants access via Polkit rules; the current network group name won't provide the necessary permissions. PipeWire only creates the pipewire group when services.pipewire.systemWide = true, which isn't set in this configuration (defaults to false). Users will fail to be added to non-existent groups.

Suggested fix
     (mkIf cfg.audio.enable {
       custom.defaultGroups = [
         "audio"
-        "pipewire"
         "rtkit"
       ];
@@
     (mkIf cfg.network.enable {
-      custom.defaultGroups = [ "network" ];
+      custom.defaultGroups = [ "networkmanager" ];
       networking.networkmanager.enable = true;
     })
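Review bot: In the audio block this removes "pipewire" from custom.defaultGroups outright, while the finding's own heading says to add it conditionally when system-wide PipeWire is enabled; a host that sets services.pipewire.systemWide = true would then have no default user in the pipewire group. Keep the entry behind the toggle instead of deleting it, for example by appending lib.optional config.services.pipewire.systemWide "pipewire" to the list.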

Also applies to: 129-131

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/shared/core/default.nix` around lines 58 - 62, Update the
custom.defaultGroups list to use the correct NetworkManager group name and avoid
adding non-existent PipeWire group: replace any occurrence of "network" in
custom.defaultGroups with "networkmanager", and only append "pipewire" to
custom.defaultGroups when services.pipewire.systemWide is true (guard the
addition with that condition); apply the same change for the other occurrence of
custom.defaultGroups later in the file (the second block around lines referenced
in the review).

Comment thread tests/default.nix
let
inherit (lib) nameValuePair listToAttrs;

testLib = import ./lib.nix;

🧹 Nitpick | 🔵 Trivial

Remove unused import.

testLib is imported but never used in this file.

🧹 Proposed fix
 let
   inherit (lib) nameValuePair listToAttrs;
-
-  testLib = import ./lib.nix;
 in
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/default.nix` at line 12, The import binding testLib in
tests/default.nix is unused; remove the unused import statement (the line
defining testLib = import ./lib.nix;) so the file no longer creates an unused
symbol and to avoid lint warnings.

Comment thread tests/default.nix
testScript = ''
start_all()

# Wait for all nodes to each multi-user.target

⚠️ Potential issue | 🟡 Minor

Typo in comment.

"each" should be "reach".

📝 Proposed fix
-    # Wait for all nodes to each multi-user.target
+    # Wait for all nodes to reach multi-user.target
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Wait for all nodes to each multi-user.target
# Wait for all nodes to reach multi-user.target
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/default.nix` at line 24, Fix the typo in the comment string "Wait for
all nodes to each multi-user.target" by changing "each" to "reach" so it reads
"Wait for all nodes to reach multi-user.target"; update the comment where that
exact phrase appears to correct the wording.

@DaRacci DaRacci force-pushed the push-xvsqsqnwmrup branch from 2a6a397 to 692fe91 Compare April 30, 2026 12:31

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
modules/nixos/desktop/virtual-machine.nix (1)

74-74: ⚠️ Potential issue | 🔴 Critical

Replace mkDoc with plain string—mkDoc is undefined.

The code uses mkDoc on line 74, but this function is not defined in your custom lib or standard Nix lib. This will cause module evaluation to fail with an "undefined variable" error.

Use a plain string instead:

Suggested fix
-            description = mkDoc "The percentage of maxMemory to reserve for the host.";
+            description = "The percentage of maxMemory to reserve for the host.";

If you need markdown formatting in descriptions, use lib.mdDoc instead, but for plain text a simple string is sufficient.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/desktop/virtual-machine.nix` at line 74, Replace the undefined
mkDoc call used for the description attribute with a plain string (or lib.mdDoc
if markdown is needed); specifically change the description = mkDoc "The
percentage of maxMemory to reserve for the host."; to use a simple string value
for the description property (or lib.mdDoc("...") if you want markdown),
ensuring you update the description assignment in the virtual-machine module
where description is set so evaluation no longer fails due to mkDoc being
undefined.
♻️ Duplicate comments (6)
tests/lib.nix (1)

6-10: ⚠️ Potential issue | 🟠 Major

Pass the node object into the callback, not node.name.

The helper currently feeds a string expression to f, so generated snippets can’t safely call node methods.

Suggested fix
   runOnAllNodes = f: ''
     for node in cluster.nodes:
       with subtest(node.name):
-        ${f "node.name"}
+        ${f "node"}
   '';
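Review bot: The interpolation ${f "node"} is nested inside the with subtest block, but Nix applies the surrounding indentation only to the first line of an interpolated string, so a callback that returns more than one line of Python will have its later lines land at the wrong depth and break the block. Either state that f must return a single statement, or indent every line of the callback's result before splicing it in.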
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/lib.nix` around lines 6 - 10, The helper runOnAllNodes currently
invokes the callback f with the string "node.name", preventing consumers from
accessing node methods; change the invocation from ${f "node.name"} to ${f
"node"} so the actual node object is passed (keep the surrounding for node in
cluster.nodes and the with subtest(node.name) as-is), and update any callers of
runOnAllNodes to expect a node object instead of a name string.
tests/default.nix (1)

21-29: ⚠️ Potential issue | 🟠 Major

Wire server.tests units into testScript generation.

This script is static and never reads server.tests.enable / server.tests.units.*.testScript, so the newly declared framework remains inert in CI.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/default.nix` around lines 21 - 29, The testScript in default.nix is
static and omits any server.tests configuration; update the generation of
testScript (the value bound to testScript and the start_all()/cluster.nodes
logic) to conditionally include server.tests when server.tests.enable is true by
iterating server.tests.units and injecting each unit's testScript (e.g.,
server.tests.units.*.testScript) or calling its test routine into the combined
testScript; ensure the produced script still calls start_all(), waits for
multi-user.target on cluster.nodes, and then executes or sources each enabled
unit's testScript so CI picks up server.tests units.
modules/nixos/server/tests.nix (2)

17-38: ⚠️ Potential issue | 🔴 Critical

Declare server.tests.units with mkOption.

Inside options, this is currently a raw type expression, not an option declaration. That prevents the option tree from evaluating correctly.

Suggested fix
-      units = attrsOf (submodule ({ name, ... }: {
-        options = {
-          name = mkOption {
-            type = str;
-            default = name;
-            description = ''
-              The name to give to this unit test.
-              This is used to enter into a subtest within the testScript of the cluster test.
-            '';
-          };
-
-          testScript = mkOption {
-            type = either str (functionTo str);
-            description = ''
-              Python code to be ran within the subtest for this unit.
-
-              If this is a function with one argument of this nodes config.
-              If this is a function with two arguments, the second argument is the entire cluster configuration.
-            '';
-          };
-        };
-      }));
+      units = mkOption {
+        type = attrsOf (submodule ({ name, ... }: {
+          options = {
+            name = mkOption {
+              type = str;
+              default = name;
+              description = ''
+                The name to give to this unit test.
+                This is used to enter into a subtest within the testScript of the cluster test.
+              '';
+            };
+
+            testScript = mkOption {
+              type = either str (functionTo str);
+              description = ''
+                Python code to be ran within the subtest for this unit.
+
+                If this is a function with one argument of this nodes config.
+                If this is a function with two arguments, the second argument is the entire cluster configuration.
+              '';
+            };
+          };
+        }));
+        default = { };
+      };
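Review bot: The testScript type carried over on the added lines is either str (functionTo str), which only admits a function that yields a string after one application, yet the description kept here documents a two-argument form that also receives the entire cluster configuration; a curried two-argument function would fail the str check on its result. Either widen the type to cover that form or drop it from the description, and complete the sentence "If this is a function with one argument of this nodes config." so it says what the argument is. The new units option also gets a default but no description.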

As per coding guidelines: Create NixOS modules with standard options definitions using mkOption/mkEnableOption.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/server/tests.nix` around lines 17 - 38, The top-level option
server.tests.units is currently defined as a raw attrsOf(submodule(...))
expression instead of an mkOption declaration; wrap that expression in mkOption
(e.g., set server.tests.units = mkOption { type = attrsOf (submodule ({ name,
... }: { options = { name = mkOption { ... }; testScript = mkOption { ... }; };
})); description = "..."; }); so the option tree evaluates correctly and follows
the NixOS module pattern; keep the inner submodule options (name, testScript) as
mkOption entries and add an appropriate description/defaults for
server.tests.units.

10-11: ⚠️ Potential issue | 🔴 Critical

Import type helpers from lib.types, not lib.type.

This currently resolves from a non-standard path and will break evaluation when type constructors are used.

Suggested fix
 let
-  inherit (lib) type mkOption mkEnableOption;
-  inherit (type) submodule attrsOf either listOf str bool functionTo;
+  inherit (lib) mkOption mkEnableOption;
+  inherit (lib.types) submodule attrsOf either listOf str bool functionTo;
 in {
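Review bot: listOf and bool are still inherited on the new lib.types line, but none of the option declarations shown for this file (lines 13 to 42) use them. Trim the inherit to submodule, attrsOf, either, str and functionTo so the import list matches what the module needs.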

Based on learnings: Verify attribute names, imports, and option paths to resolve 'attribute missing' errors in Nix configurations.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/server/tests.nix` around lines 10 - 11, The import uses
lib.type which is incorrect; change the inherits so the type constructors come
from lib.types (e.g. reference mkOption and mkEnableOption from lib.types) and
ensure the second inherit uses the correct symbol source for submodule, attrsOf,
either, listOf, str, bool, and functionTo; update the inherit lines to import
mkOption/mkEnableOption and the listed type helpers from lib.types so Nix
evaluation uses the standard type constructors.
tests/mkNode.nix (1)

7-12: ⚠️ Potential issue | 🟠 Major

Build test nodes from the full host module stack.

Right now the node definition only applies the flake-apply layer, so cluster checks can pass without exercising the actual server host modules.

Based on learnings: All affected configurations MUST be tested, and this requires node definitions that mirror real host configuration paths.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/mkNode.nix` around lines 7 - 12, The test node currently imports only
the flake-apply layer ("${self}/modules/flake/apply/system.nix") so cluster
checks bypass real host modules; change the import to load the full host module
stack used in production (the real host module path that composes allocations
and hostName) instead of the flake-apply shortcut, keeping the same inherited
attributes (inherit allocations hostName) and deviceType = "server" so tests
exercise the actual server host modules.
modules/nixos/shared/core/default.nix (1)

58-62: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use service-aligned group names and gate pipewire membership.

Line 130 uses "network", which does not match the usual NetworkManager access group, and Line 60 adds "pipewire" unconditionally. This can produce ineffective or invalid group assignments.

Suggested fix
     (mkIf cfg.audio.enable {
-      custom.defaultGroups = [
-        "audio"
-        "pipewire"
-        "rtkit"
-      ];
+      custom.defaultGroups =
+        [
+          "audio"
+          "rtkit"
+        ]
+        ++ lib.optional config.services.pipewire.systemWide "pipewire";
@@
     (mkIf cfg.network.enable {
-      custom.defaultGroups = [ "network" ];
+      custom.defaultGroups = [ "networkmanager" ];
       networking.networkmanager.enable = true;
     })

#!/bin/bash
# Read-only verification of relevant group usage and toggles.
rg -n -C2 'custom\.defaultGroups\s*=\s*\[\s*"network"' --type nix
rg -n -C2 '"pipewire"' --type nix
rg -n -C2 'services\.pipewire\.systemWide\s*=\s*true' --type nix
rg -n -C2 'users\.groups\.(network|networkmanager|pipewire)\b' --type nix

As per coding guidelines, "Verify attribute names, imports, and option paths to resolve 'attribute missing' errors in Nix configurations".

Also applies to: 129-131

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/shared/core/default.nix` around lines 58 - 62, Update
custom.defaultGroups to use service-aligned group names and make pipewire
membership conditional: replace the hardcoded "network" with the
Distribution/Service group used by NetworkManager (e.g., "networkmanager") and
remove the unconditional "pipewire" entry in custom.defaultGroups; instead, add
"pipewire" to defaultGroups only when services.pipewire.systemWide is true. Also
verify that users.groups contains the corresponding group attributes
(networkmanager and pipewire) so group names match existing definitions.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.vscode/settings.json:
- Line 2: Remove the workspace-level setting that disables Git by deleting the
"git.enabled": false entry from .vscode/settings.json (or revert that file to
not include the key) and instead apply this preference in your personal VS Code
user settings if needed; look for the "git.enabled" key in the settings file and
remove or relocate it so the repository does not force-disable Source Control
for all users.

In `@modules/nixos/shared/core/hardware/backlight.nix`:
- Around line 44-46: Change the udev rule so i2c devices are assigned to a
dedicated group and restrictive mode: update services.udev.extraRules replacing
GROUP="users" with GROUP="i2c", MODE="0660" for the KERNEL=="i2c-[0-9]*" rule,
and ensure the group exists (e.g., add a users.groups.i2c declaration elsewhere
in the Nix config). This scopes access to the i2c group and enforces least
privilege for the KERNEL=="i2c-[0-9]*" devices.

---

Outside diff comments:
In `@modules/nixos/desktop/virtual-machine.nix`:
- Line 74: Replace the undefined mkDoc call used for the description attribute
with a plain string (or lib.mdDoc if markdown is needed); specifically change
the description = mkDoc "The percentage of maxMemory to reserve for the host.";
to use a simple string value for the description property (or lib.mdDoc("...")
if you want markdown), ensuring you update the description assignment in the
virtual-machine module where description is set so evaluation no longer fails
due to mkDoc being undefined.

---

Duplicate comments:
In `@modules/nixos/server/tests.nix`:
- Around line 17-38: The top-level option server.tests.units is currently
defined as a raw attrsOf(submodule(...)) expression instead of an mkOption
declaration; wrap that expression in mkOption (e.g., set server.tests.units =
mkOption { type = attrsOf (submodule ({ name, ... }: { options = { name =
mkOption { ... }; testScript = mkOption { ... }; }; })); description = "...";
}); so the option tree evaluates correctly and follows the NixOS module pattern;
keep the inner submodule options (name, testScript) as mkOption entries and add
an appropriate description/defaults for server.tests.units.
- Around line 10-11: The import uses lib.type which is incorrect; change the
inherits so the type constructors come from lib.types (e.g. reference mkOption
and mkEnableOption from lib.types) and ensure the second inherit uses the
correct symbol source for submodule, attrsOf, either, listOf, str, bool, and
functionTo; update the inherit lines to import mkOption/mkEnableOption and the
listed type helpers from lib.types so Nix evaluation uses the standard type
constructors.

In `@modules/nixos/shared/core/default.nix`:
- Around line 58-62: Update custom.defaultGroups to use service-aligned group
names and make pipewire membership conditional: replace the hardcoded "network"
with the Distribution/Service group used by NetworkManager (e.g.,
"networkmanager") and remove the unconditional "pipewire" entry in
custom.defaultGroups; instead, add "pipewire" to defaultGroups only when
services.pipewire.systemWide is true. Also verify that users.groups contains the
corresponding group attributes (networkmanager and pipewire) so group names
match existing definitions.

In `@tests/default.nix`:
- Around line 21-29: The testScript in default.nix is static and omits any
server.tests configuration; update the generation of testScript (the value bound
to testScript and the start_all()/cluster.nodes logic) to conditionally include
server.tests when server.tests.enable is true by iterating server.tests.units
and injecting each unit's testScript (e.g., server.tests.units.*.testScript) or
calling its test routine into the combined testScript; ensure the produced
script still calls start_all(), waits for multi-user.target on cluster.nodes,
and then executes or sources each enabled unit's testScript so CI picks up
server.tests units.

In `@tests/lib.nix`:
- Around line 6-10: The helper runOnAllNodes currently invokes the callback f
with the string "node.name", preventing consumers from accessing node methods;
change the invocation from ${f "node.name"} to ${f "node"} so the actual node
object is passed (keep the surrounding for node in cluster.nodes and the with
subtest(node.name) as-is), and update any callers of runOnAllNodes to expect a
node object instead of a name string.

In `@tests/mkNode.nix`:
- Around line 7-12: The test node currently imports only the flake-apply layer
("${self}/modules/flake/apply/system.nix") so cluster checks bypass real host
modules; change the import to load the full host module stack used in production
(the real host module path that composes allocations and hostName) instead of
the flake-apply shortcut, keeping the same inherited attributes (inherit
allocations hostName) and deviceType = "server" so tests exercise the actual
server host modules.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5f064077-dd35-408a-abda-03433eadc7e6

📥 Commits

Reviewing files that changed from the base of the PR and between 2a6a397 and 692fe91.

⛔ Files ignored due to path filters (11)
  • openspec/changes/testing-framework-predeploy/.openspec.yaml is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/README.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/design.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/proposal.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/specs/server-vm-test-harness/spec.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/specs/service-aware-vm-tests/spec.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/specs/vm-test-documentation/spec.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/specs/vm-test-profile-overrides/spec.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/specs/vm-test-secret-generation/spec.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/specs/woodpecker-vm-test-gating/spec.md is excluded by !openspec/**
  • openspec/changes/testing-framework-predeploy/tasks.md is excluded by !openspec/**
📒 Files selected for processing (57)
  • .vscode/settings.json
  • flake/ci/flake-module.nix
  • flake/default.nix
  • lib/builders/mkSystem.nix
  • modules/home-manager/services/mcpo.nix
  • modules/nixos/default.nix
  • modules/nixos/desktop/default.nix
  • modules/nixos/desktop/rgb.nix
  • modules/nixos/desktop/vfio.nix
  • modules/nixos/desktop/virtual-machine.nix
  • modules/nixos/encrypted-root.nix
  • modules/nixos/laptop/default.nix
  • modules/nixos/proxies.nix
  • modules/nixos/server/default.nix
  • modules/nixos/server/tests.nix
  • modules/nixos/shared/core.nix
  • modules/nixos/shared/core/auto-upgrade.nix
  • modules/nixos/shared/core/boot/default.nix
  • modules/nixos/shared/core/boot/quietboot.nix
  • modules/nixos/shared/core/boot/secureboot.nix
  • modules/nixos/shared/core/boot/systemd-boot.nix
  • modules/nixos/shared/core/default.nix
  • modules/nixos/shared/core/hardware/backlight.nix
  • modules/nixos/shared/core/hardware/biometrics.nix
  • modules/nixos/shared/core/hardware/bluetooth.nix
  • modules/nixos/shared/core/hardware/cooling.nix
  • modules/nixos/shared/core/hardware/default.nix
  • modules/nixos/shared/core/hardware/display.nix
  • modules/nixos/shared/core/hardware/graphics.nix
  • modules/nixos/shared/core/hardware/openrgb.nix
  • modules/nixos/shared/core/hardware/storage/default.nix
  • modules/nixos/shared/core/hardware/storage/ephemeral.nix
  • modules/nixos/shared/core/hardware/storage/maintenance.nix
  • modules/nixos/shared/core/hardware/storage/partitions/btrfs.nix
  • modules/nixos/shared/core/hardware/storage/partitions/esp.nix
  • modules/nixos/shared/core/hardware/storage/partitions/luks.nix
  • modules/nixos/shared/core/hardware/storage/partitions/tmpfs.nix
  • modules/nixos/shared/core/host/default.nix
  • modules/nixos/shared/core/host/device.nix
  • modules/nixos/shared/core/host/persistence.nix
  • modules/nixos/shared/core/printing.nix
  • modules/nixos/shared/default.nix
  • modules/nixos/shared/features/display-manager.nix
  • modules/nixos/shared/features/hm-helper/1password.nix
  • modules/nixos/shared/features/hm-helper/default.nix
  • modules/nixos/shared/features/hm-helper/kde-connect.nix
  • modules/nixos/shared/features/hm-helper/mpv.nix
  • modules/nixos/shared/features/hm-helper/nautilus.nix
  • modules/nixos/shared/features/remote.nix
  • modules/nixos/shared/services/default.nix
  • modules/nixos/shared/services/huntress.nix
  • modules/nixos/shared/services/mcpo.nix
  • modules/nixos/shared/services/metrics.nix
  • modules/nixos/shared/services/tailscale.nix
  • tests/default.nix
  • tests/lib.nix
  • tests/mkNode.nix
💤 Files with no reviewable changes (4)
  • modules/nixos/proxies.nix
  • modules/nixos/encrypted-root.nix
  • modules/nixos/default.nix
  • modules/nixos/shared/core.nix

Comment thread .vscode/settings.json
@@ -0,0 +1,3 @@
{
"git.enabled": false

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Avoid disabling Git integration in shared workspace settings

Committing "git.enabled": false at workspace level turns off VS Code Source Control for everyone using this repo. Please remove this from tracked settings (or keep it user-local only).

Suggested change
 {
-    "git.enabled": false
+    
 }
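Review bot: The replacement leaves .vscode/settings.json as an empty object containing a whitespace-only line, so the PR would still add a tracked file that configures nothing and carries trailing whitespace. The file is new in this PR and "git.enabled": false is its only key, so drop the file from the change rather than emptying it.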
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"git.enabled": false
{
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.vscode/settings.json at line 2, Remove the workspace-level setting that
disables Git by deleting the "git.enabled": false entry from
.vscode/settings.json (or revert that file to not include the key) and instead
apply this preference in your personal VS Code user settings if needed; look for
the "git.enabled" key in the settings file and remove or relocate it so the
repository does not force-disable Source Control for all users.

Comment on lines +44 to +46
services.udev.extraRules = ''
KERNEL=="i2c-[0-9]*", GROUP="users"
'';
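
Review bot: the rule on line 45 matches on the kernel name alone and sets GROUP without a MODE, so both the set of devices it applies to and the permissions they end up with are left implicit. Adding SUBSYSTEM=="i2c-dev" would restrict it to the /dev/i2c-N character devices, and an explicit MODE="0660" would document the intended access. The i2c-[0-9]* glob covers every I²C bus on the host, not only the DDC/CI channel this backlight module needs, so whichever group is chosen should contain only the accounts that actually drive the backlight.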

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use a dedicated group instead of users for I²C device access.

Line 45 grants broad access to all users for i2c-* devices. That weakens least-privilege boundaries for hardware control. Scope this to a dedicated group (for example i2c) and set an explicit mode.

Suggested patch
       services.udev.extraRules = ''
-        KERNEL=="i2c-[0-9]*", GROUP="users"
+        KERNEL=="i2c-[0-9]*", GROUP="i2c", MODE="0660"
       '';
+
+      users.groups.i2c = {};

As per coding guidelines: "Run services with the minimum required privileges; avoid running services as root unless absolutely necessary" and "Ensure proper user isolation between services; each service should run with its own dedicated user where feasible".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/nixos/shared/core/hardware/backlight.nix` around lines 44 - 46,
Change the udev rule so i2c devices are assigned to a dedicated group and
restrictive mode: update services.udev.extraRules replacing GROUP="users" with
GROUP="i2c", MODE="0660" for the KERNEL=="i2c-[0-9]*" rule, and ensure the group
exists (e.g., add a users.groups.i2c declaration elsewhere in the Nix config).
This scopes access to the i2c group and enforces least privilege for the
KERNEL=="i2c-[0-9]*" devices.

@mergify mergify Bot added the conflict label Jun 6, 2026