fix: resolve CI failures — ints.between type error + hyprlandPlugins.hy3 flake ID #592

Merged
DaRacci merged 9 commits into DaRacci:master from RacciDev-Bot:fix/docs-fullscreenstate-types
Jun 23, 2026

RacciDev-Bot commented Jun 21, 2026

Problems

1. ints.between type error

The .#docs flake output fails to evaluate with:

error: attempt to call something which is not a function but a set

at modules/home-manager/core/hyprland/types.nix where ints.between 0 3 is used as arguments to either() without parentheses. Nix parses 0 3 as additional arguments to the return value of either() — but either() returns a type set, not a function, so the call fails.

Fix: Wrap ints.between 0 3 in parentheses: (ints.between 0 3). Affects 4 occurrences across both fullscreenstate submodules.

2. hyprlandPlugins.hy3 flake resolution error

The --inputs-from flag (used by CI setup-nix action) fails with:

error: hyprlandPlugins.hy3 is not a valid flake ID

The dot in the input name "hyprlandPlugins.hy3" causes Nix to interpret it as a sub-flake path during flake resolution. Since it is a file-type input (not a flake), renaming removes the ambiguity.

Fix: Renamed input from "hyprlandPlugins.hy3" to hy3 in flake.nix and flake.lock. Updated overlays/singleton.nix to explicitly map inputs.hy3 to the nested hyprlandPlugins.hy3 package path.
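
The precedence problem from item 1, reproduced as an added example (not code from this PR or from the repository). `mkType` and the `enum`, `ints.between` and `either` definitions are simplified stand-ins for the `lib.types` functions of the same names, assumed here so the file evaluates offline without nixpkgs.

```nix
# Added illustration; not code from DaRacci/nix-config.
# mkType, enum, ints.between and either are simplified stand-ins
# (assumptions) for the lib.types functions of the same names.
# Only their call shape matters for the parse problem shown here.
let
  mkType = name: check: {
    _type = "option-type";
    inherit name check;
  };

  enum = values: mkType "enum" (v: builtins.elem v values);

  ints.between =
    lo: hi: mkType "intBetween" (v: builtins.isInt v && lo <= v && v <= hi);

  # Takes exactly two types and returns a type *set*, not a function.
  either = t1: t2: mkType "either" (v: t1.check v || t2.check v);

  # Function application is left-associative, so this is read as
  #   (((either (enum [ "*" ])) ints.between) 0) 3
  # The un-applied function ints.between becomes the second argument,
  # and the set that either returns is then called with 0.
  broken = either (enum [ "*" ]) ints.between 0 3;

  # Parentheses make `ints.between 0 3` a single argument.
  fixed = either (enum [ "*" ]) (ints.between 0 3);

  # Constructed sample values: the wildcard, in-range and out-of-range
  # integers, and an unrelated string.
  samples = [ "*" 0 3 4 "x" ];
in
{
  # Per-sample acceptance by the corrected type.
  fixed = map (v: { value = v; accepted = fixed.check v; }) samples;

  # Lazy: nothing fails until this attribute is forced, at which point
  # Nix raises the "not a function but a set" error quoted above.
  broken = broken.name;
}
```

Saved as `example.nix`, `nix-instantiate --eval --strict -A fixed example.nix` evaluates the corrected type, and the same command with `-A broken` triggers the failure.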

coderabbitai Bot commented Jun 21, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 47b241e4-6fec-4937-9576-d72875aafda8

📥 Commits

Reviewing files that changed from the base of the PR and between 8ee41f4 and dd06d46.

📒 Files selected for processing (1)
  • docs/default.nix
📝 Walkthrough

This PR renames the distributedBuilder option to distributedBuilds, switches the ssh module to ssh-shell and groups.nix to default-groups.nix, removes the hyprlandPlugins.hy3 flake input, fixes Hyprland type parenthesisation, overhauls the docs generation pipeline to support server modules and options.nix deduplication, and corrects numerous documentation include paths.

Changes

Module Renames, Option Fixes, and Flake Cleanup

| Layer | File(s) | Summary |
|---|---|---|
| distributed-builds option rename and apply wiring | modules/nixos/server/distributed-builds.nix, modules/flake/apply/system.nix | Renames options.server.distributedBuilder → options.server.distributedBuilds and updates the apply key from distributedBuilder.builders to distributedBuilds.builders. |
| ssh-shell and default-groups import switches | modules/nixos/server/default.nix, modules/nixos/core/default.nix | Switches ./ssh → ./ssh-shell and ./groups.nix → ./default-groups.nix in the respective imports lists. |
| hy3 flake input and singleton removal | flake.nix, overlays/singleton.nix | Removes the hyprlandPlugins.hy3 input from flake inputs and its entry from singletonInputs. |
| Hyprland fullscreenState type parenthesisation fix | modules/home-manager/core/hyprland/types.nix | Corrects ints.between 0 3 placement inside either (enum [ "*" ]) (ints.between 0 3) for fullscreenState and windowMatch.fullscreenstate internal/client fields. |
| Profile option defaultText additions | modules/home-manager/core/profile.nix | Adds literalExpression-based defaultText for avatar.path and wallpaper.directory options. |
| Formatting-only pipeline reformats | flake/nixos/flake-module.nix, modules/nixos/server/proxy/config.nix, modules/nixos/server/proxy/extensions.nix, modules/home-manager/core/hyprland/input.nix | Expands single-line pipelines into multi-line form with no logic changes. |

Docs Generation Pipeline Overhaul

| Layer | File(s) | Summary |
|---|---|---|
| docs/default.nix: server helpers and module inclusion | docs/default.nix | Adds serverHelpers stubs via lib.fix and merges them into the evaluation environment; expands the NixOS module list to include core and server entry points. |
| docs/default.nix: options.nix discovery, deduplication, and naming | docs/default.nix | Extends pathToPrefix to strip options.nix, deduplicates default.nix entries superseded by options.nix, fixes empty-prefix naming to use category, clears prefixOverrides, and hoists moduleOptionsJSON/allModules inheritance. |
| gen-options-md.py: camelCase prefix variants and empty-output guard | docs/preprocessor/gen-options-md.py | Adds dotted+camelCase prefix candidates to add_variants and skips writing the output file with a stderr warning when no options are matched. |
| flake/packages.nix: filter docs import to derivations only | flake/packages.nix | Wraps the docs import in lib.filterAttrs lib.isDerivation to exclude non-derivation attributes from the packages output. |
| book.toml preprocessor switch | docs/book.toml | Replaces the gitinfo preprocessor with rewrite-links targeting the master branch with the html renderer. |
| Documentation source file include path corrections | docs/src/components/server_monitoring.md, docs/src/modules/home-manager/..., docs/src/modules/nixos/... | Updates {{#include}} paths across multiple docs pages to reflect renamed modules, corrected relative depths, and new generated option fragments for database, SSH shell, default-groups, and gaming. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • DaRacci/nix-config#585: Direct overlap—both PRs modify the docs build/option-fragment pipeline code in docs/default.nix, docs/preprocessor/gen-options-md.py, and mdBook {{#include ...}} paths.
  • DaRacci/nix-config#586: Connected through flake inputs—both PRs modify flake.nix/overlays/singleton.nix around the hyprlandPlugins.hy3 flake input and overlay singleton handling.

Suggested labels

merge-queue

Suggested reviewers

  • DaRacci

🐇 A rabbit tidies the warren with glee,
Renaming old tunnels so modules run free,
The hy3 input hops off into the night,
Options.nix wins the deduplication fight,
And docs now generate perfectly right!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The pull request title clearly and specifically summarises the main changes: resolving two CI failures related to an ints.between type error and a hyprlandPlugins.hy3 flake ID issue. |
| Description check | ✅ Passed | The pull request description provides comprehensive context for both issues, explaining the problems encountered, why they occur, and how they are fixed. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


mergify Bot commented Jun 21, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?:

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are almost up to date before merging

  • #commits-behind <= 10

🟢 🚦 Auto-queue

Wonderful, this rule succeeded.

When all merge protections are satisfied, this pull request will be queued automatically.

coderabbitai Bot left a comment

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/home-manager/services/mcp.nix`:
- Around line 70-81: The code in the services.mcpo.environment configuration
does not properly handle non-file environment values that are attrsets with a
literal attribute. In the else branch of the conditional that checks if value
has a file attribute, you need to add logic to extract the literal string when
value is an attrset containing a literal field, rather than returning the entire
attrset. Update the else clause to check if value is an attrset with a literal
attribute using the ? operator and extract value.literal in that case, otherwise
return the value as-is to maintain proper string type compatibility with
services.mcpo.environment.
- Around line 84-95: The sops.secrets configuration is passing null values to
lib.listToAttrs when processing env vars that are not file-based, which causes
evaluation to fail since lib.listToAttrs expects a list of {name, value}
attrsets. Filter out the null values returned from the mapAttrsToList on line 91
before passing the result to lib.listToAttrs on line 86. You can either wrap the
mapAttrsToList result with lib.filter to remove nulls, or use lib.filterAttrs to
pre-filter the server.env to only include file-based env vars before mapping
over them.

In `@modules/mcp/integrations/hermes-agent.nix`:
- Line 42: The lib.nameValuePair call for generating sops secrets entries
currently passes an empty attribute set, which lacks the required explicit
configuration. Modify the empty attribute set to include explicit owner, group,
and mode attributes with appropriate values for the secret, and add either
restartUnits or reloadUnits to ensure services depending on this secret are
properly restarted when the secret changes. This applies to the secret
declaration generated by the lib.nameValuePair call with parameters (secretKey
serverName varName).
- Around line 39-46: The sopsSecrets expression creates null values when plain
string env variables fail the value ? file check, and these nulls are being
passed to lib.listToAttrs which expects only valid name-value pair attribute
sets. Fix this by wrapping the lib.concatLists result with lib.filter to remove
all null entries before passing the list to lib.listToAttrs. Apply the filter
between lib.concatLists and lib.listToAttrs to ensure only valid attribute sets
from the mapAttrsToList operations (those with file references) are converted to
an attribute set.

In `@modules/mcp/integrations/mcpo.nix`:
- Line 39: The secret entry in the `lib.nameValuePair` call at line 39 uses an
empty set `{ }` for the secret value, which omits critical metadata and service
restart behavior. Replace the empty set with an object containing the required
`owner`, `group`, and `mode` attributes to properly declare secret ownership and
permissions, and add either `restartUnits` or `reloadUnits` to ensure services
that depend on these secrets are automatically restarted or reloaded when the
secrets are rotated or changed.
- Around line 36-43: The sopsSecrets construction fails when env contains string
literals mixed with file-reference objects because the code returns null for
string values, and listToAttrs cannot handle null entries. Filter out all null
values from the concatenated list before passing it to listToAttrs by wrapping
the lib.concatLists call with a filter that removes null entries, ensuring only
valid name-value pairs for file-based environment values are included in the
final attribute set.

In `@modules/mcp/types.nix`:
- Around line 10-84: The serverSubmodule lacks validation to enforce mutual
exclusivity between the command and url options, which are documented as
mutually exclusive but not validated at the configuration level. Add assertions
to the serverSubmodule that verify command and url cannot both be defined
simultaneously. Additionally, add assertions to ensure transport-specific fields
are only used with their corresponding transport type: args and env should only
be valid when command is set, and headers should only be valid when url is set.
Use appropriate assertion error messages that clearly explain the exclusivity
requirements to users.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5693fd9e-425c-40dd-8d9b-d45ebf1403b1

📥 Commits

Reviewing files that changed from the base of the PR and between 0c41dcb and 9f718b3.

📒 Files selected for processing (11)
  • home/racci/features/ai.nix
  • hosts/server/nixai/backend.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
  • modules/home-manager/services/default.nix
  • modules/home-manager/services/mcp.nix
  • modules/mcp/integrations/hermes-agent.nix
  • modules/mcp/integrations/mcpo.nix
  • modules/mcp/types.nix
  • modules/nixos/services/default.nix
  • modules/nixos/services/mcp.nix
📜 Review details
⏰ Context from checks skipped due to timeout. (2)
  • GitHub Check: Mergify Merge Protections
  • GitHub Check: Summary
🧰 Additional context used
📓 Path-based instructions (11)
**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/code-style-nix)

**/*.nix: Follow Nix code style conventions and best practices
Use consistent indentation and formatting in Nix configuration files
Follow established patterns for module organization in home-manager configurations

**/*.nix: Format code and check syntax using nix fmt
Evaluate Nix expressions without building using nix eval with the target configuration path
Format specific Nix files or directories using nix fmt followed by the file or directory path
Use --show-trace flag with nix build or nix eval commands to diagnose evaluation errors
For infinite recursion errors in Nix builds, check for circular imports or conflicting option definitions

**/*.nix: Use builtins.trace to add trace statements and inspect values during Nix evaluation (format: builtins.trace "message: ${toString var}" var)
Use builtins.toJSON to convert complex Nix attribute sets to JSON for easier inspection during evaluation
Check for circular imports between modules and option definitions that depend on themselves to resolve infinite recursion errors
Verify attribute names are correct and imports are complete when debugging 'attribute not found' errors in Nix
Check option type definitions and ensure provided values match the expected type to resolve type mismatch errors
Read assertion messages and provide required configuration values when assertion failures occur in NixOS modules

Run nix fmt on all changed Nix files after modification

**/*.nix: Store sensitive data in secrets.yaml encrypted with sops instead of hardcoding passwords, API keys, or tokens in plain text
Declare sops secrets with proper owner, group, and mode attributes; use restrictive modes like 0400 for secrets files
Set restartUnits or reloadUnits for sops secrets declarations so services that depend on secrets are restarted when secrets change
Use config.sops.placeholder in sops templates instead of directly interpolating secret paths in multi-secret templates
Do not pass secrets as e...

Files:

  • modules/nixos/services/default.nix
  • modules/home-manager/services/default.nix
  • modules/mcp/integrations/mcpo.nix
  • modules/mcp/integrations/hermes-agent.nix
  • modules/mcp/types.nix
  • home/racci/features/ai.nix
  • modules/nixos/services/mcp.nix
  • modules/home-manager/services/mcp.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
  • hosts/server/nixai/backend.nix
modules/nixos/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

modules/nixos/**/*.nix: NixOS module structure must follow standard pattern: define config, lib, pkgs as parameters; create cfg variable from config; define options with mkEnableOption, mkOption, mkIf; define config section with mkIf conditional
Create NixOS modules at file path modules/nixos/<category>/<name>.nix

Reusable NixOS module fragments should be placed in modules/nixos/

Files:

  • modules/nixos/services/default.nix
  • modules/nixos/services/mcp.nix
modules/nixos/**/default.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Register NixOS modules in parent default.nix using imports list pattern

Files:

  • modules/nixos/services/default.nix
modules/nixos/services/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Use namespace services.<name> for NixOS system service modules

Files:

  • modules/nixos/services/default.nix
  • modules/nixos/services/mcp.nix
modules/**/**/default.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Use import list pattern in subdirectory default.nix files: define imports array with list of .nix files (e.g., imports = [ ./service-a.nix ./service-b.nix ])

Files:

  • modules/nixos/services/default.nix
  • modules/home-manager/services/default.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
modules/home-manager/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

modules/home-manager/**/*.nix: Home-Manager module structure must follow standard pattern: accept optional osConfig parameter; define cfg variable; define options section; define config section with mkIf conditional
Create Home-Manager modules at file path modules/home-manager/<category>/<name>.nix

Reusable Home-Manager module fragments should be placed in modules/home-manager/

Files:

  • modules/home-manager/services/default.nix
  • modules/home-manager/services/mcp.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
modules/home-manager/**/default.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Register Home-Manager modules in parent default.nix using imports list pattern

Files:

  • modules/home-manager/services/default.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
home/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/users/SKILL.md)

Import shared user configurations from home/shared/ in user-specific Nix configuration files to promote reusability

Files:

  • home/racci/features/ai.nix
{modules/nixos,modules/home-manager}/**/core/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Use namespace core.<name> for shared NixOS and Home-Manager opinionated configuration modules

Files:

  • modules/home-manager/core/hyprland/types.nix
modules/home-manager/purpose/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Use namespace purpose.<category> for Home-Manager use-case modules

Files:

  • modules/home-manager/purpose/development/editors/ai/default.nix
hosts/server/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Server machine-specific NixOS configs should be placed in hosts/server/<machine>/

Files:

  • hosts/server/nixai/backend.nix
🧠 Learnings (8)
📚 Learning: 2026-04-13T14:02:32.760Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 546
File: hosts/server/nixdev/default.nix:18-18
Timestamp: 2026-04-13T14:02:32.760Z
Learning: When configuring NixOS Docker via `virtualisation.docker.daemon.settings`, it is valid to set `storage-driver = "overlayfs"` (do not flag it as an invalid Docker storage-driver). Use `overlayfs` specifically for Docker Engine 29+ and/or when the containerd snapshotter integration is enabled (`virtualisation.docker.features.containerd-snapshotter = true`). Treat this as the containerd snapshotter name for OverlayFS, distinct from the legacy `overlay2` classic Docker storage driver.

Applied to files:

  • modules/nixos/services/default.nix
  • modules/home-manager/services/default.nix
  • modules/mcp/integrations/mcpo.nix
  • modules/mcp/integrations/hermes-agent.nix
  • modules/mcp/types.nix
  • home/racci/features/ai.nix
  • modules/nixos/services/mcp.nix
  • modules/home-manager/services/mcp.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
  • hosts/server/nixai/backend.nix
📚 Learning: 2026-05-01T10:02:55.261Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/core/sops.nix:49-53
Timestamp: 2026-05-01T10:02:55.261Z
Learning: In this nix-config repo, when declaring `sops.secrets` in Nix files, avoid explicitly setting `owner = "root"` and/or `group = "root"` if the intended ownership is root. `sops-nix` defaults `sops.secrets` to `root:root`, so adding these fields explicitly is redundant boilerplate.

Applied to files:

  • modules/nixos/services/default.nix
  • modules/home-manager/services/default.nix
  • modules/mcp/integrations/mcpo.nix
  • modules/mcp/integrations/hermes-agent.nix
  • modules/mcp/types.nix
  • home/racci/features/ai.nix
  • modules/nixos/services/mcp.nix
  • modules/home-manager/services/mcp.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
  • hosts/server/nixai/backend.nix
📚 Learning: 2026-05-01T14:14:49.691Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/core/gaming.nix:119-119
Timestamp: 2026-05-01T14:14:49.691Z
Learning: When configuring the NixOS `wivrn` module option `services.wivrn.config.json.application`, pass the raw package/derivation (e.g., `pkgs.wayvr`) rather than converting it to a string executable path (e.g., `lib.getExe pkgs.wayvr`). The upstream module expects a list of derivations/packages (it internally `toList`s the value, asserts the first element is a derivation, and then resolves the executable internally). Code review should not recommend changing `pkgs.wayvr` to `lib.getExe pkgs.wayvr` for this option.

Applied to files:

  • modules/nixos/services/default.nix
  • modules/home-manager/services/default.nix
  • modules/mcp/integrations/mcpo.nix
  • modules/mcp/integrations/hermes-agent.nix
  • modules/mcp/types.nix
  • home/racci/features/ai.nix
  • modules/nixos/services/mcp.nix
  • modules/home-manager/services/mcp.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
  • hosts/server/nixai/backend.nix
📚 Learning: 2026-05-20T13:12:46.610Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 546
File: docs/site.nix:127-127
Timestamp: 2026-05-20T13:12:46.610Z
Learning: In DaRacci/nix-config, treating `passthru.discovery = false` as a known repo-wide convention to exclude a derivation from automated flake discovery/package CI. Do not require or flag an inline explanatory comment specifically for the absence of a comment when `passthru.discovery = false` is set.

Applied to files:

  • modules/nixos/services/default.nix
  • modules/home-manager/services/default.nix
  • modules/mcp/integrations/mcpo.nix
  • modules/mcp/integrations/hermes-agent.nix
  • modules/mcp/types.nix
  • home/racci/features/ai.nix
  • modules/nixos/services/mcp.nix
  • modules/home-manager/services/mcp.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
  • hosts/server/nixai/backend.nix
📚 Learning: 2026-05-01T09:11:22.009Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/core/gaming.nix:65-65
Timestamp: 2026-05-01T09:11:22.009Z
Learning: In Nix code, do not flag shell-variable literals like "$XDG_RUNTIME_DIR" used inside Steam’s `extraEnv` (e.g., `pkgs.steam.override { extraEnv = { ... }; }`, including `modules/nixos/core/gaming.nix`). The Steam wrapper script expands these shell variables at runtime, so they should be treated as intended unexpanded literals rather than an interpolation/quoting mistake.

Applied to files:

  • modules/nixos/services/default.nix
  • modules/nixos/services/mcp.nix
📚 Learning: 2026-05-01T14:35:32.037Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/core/remote.nix:153-179
Timestamp: 2026-05-01T14:35:32.037Z
Learning: In this repo’s NixOS module code (e.g., shell scripts produced via `writeShellApplication` inside `modules/nixos/**`), do not treat missing `XDG_STATE_HOME` fallbacks (like `${XDG_STATE_HOME:-$HOME/.local/state}`) as an error in the embedded shell script. On NixOS user sessions, `XDG_STATE_HOME` is reliably set via PAM/systemd, so flagging its absence as potentially unset is overly defensive for these generated scripts.

Applied to files:

  • modules/nixos/services/default.nix
  • modules/nixos/services/mcp.nix
📚 Learning: 2026-06-20T14:33:25.328Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 590
File: modules/nixos/server/monitoring/collector/tempo.nix:71-72
Timestamp: 2026-06-20T14:33:25.328Z
Learning: When reviewing DaRacci/nix-config NixOS modules that use sops-nix, do not flag `sops.secrets` entries as missing `owner`, `group`, `mode`, or `restartUnits` if the secret declarations are only placeholder sources for `sops.templates`:
- The secret value is referenced exclusively via `config.sops.placeholder.<NAME>` inside a `sops.templates` definition (i.e., no other code reads the decrypted secret from the raw secret path).
- The rendered `sops.templates` output is what is used by systemd via a `systemd.services.*.serviceConfig.EnvironmentFile` (the template is the effective boundary).
In this pattern, the template’s own `restartUnits` are the relevant access-control/restart boundary; the raw `sops.secrets` files are only decrypted in-memory by sops-nix (run as root) to render the template. Therefore, empty-attrset `sops.secrets.<NAME> = { };` declarations should not be treated as missing permissions/restart hooks when they are only feeding a `sops.templates` placeholder.

Applied to files:

  • modules/nixos/services/default.nix
  • modules/nixos/services/mcp.nix
📚 Learning: 2026-05-01T09:57:09.578Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/services/ai-agent.nix:15-15
Timestamp: 2026-05-01T09:57:09.578Z
Learning: In this repo’s Nix modules, `inputs.services-zeroclaw` is a flake input that resolves to an attrset containing a `_file` attribute, and Nix coerces that attrset to a file path via `_file`. When importing/using it as a path in `imports` (e.g., `modules/nixos/services/ai-agent.nix`), use the string interpolation form "${inputs.services-zeroclaw}". Do not change it to `inputs.services-zeroclaw` (raw attrset form) in `imports`, because it will not work correctly.

Applied to files:

  • modules/nixos/services/default.nix
  • modules/home-manager/services/default.nix
  • modules/mcp/integrations/mcpo.nix
  • modules/mcp/integrations/hermes-agent.nix
  • modules/mcp/types.nix
  • modules/nixos/services/mcp.nix
  • modules/home-manager/services/mcp.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/purpose/development/editors/ai/default.nix
🔇 Additional comments (14)
modules/home-manager/core/hyprland/types.nix (3)

99-104: LGTM — fullscreenState syntax fix is correct.

The parenthesisation of ints.between 0 3 in the either type expression resolves the parsing issue that prevented the documentation flake from evaluating. The fix is applied consistently to both internal and client options.


517-522: LGTM — windowMatch.fullscreenstate syntax fix is correct.

The parenthesisation of ints.between 0 3 in the wrapped nullOr (either ...) type expression is applied consistently to both internal and client options, mirroring the fix in the fullscreenState submodule above.


99-104: Verification of nix fmt formatting cannot be completed in this environment.

The sandbox does not have the nix formatter available, preventing automated verification of whether nix fmt has been applied to modules/home-manager/core/hyprland/types.nix. Manual inspection of the file content shows consistent indentation and structure, however definitive formatting verification requires running nix fmt --check with the Nix toolchain available.

modules/nixos/services/mcp.nix (2)

1-34: LGTM!

Also applies to: 36-80, 98-105


82-96: Code correctly handles env value types; literal submodule option does not exist.

The env type definition in modules/mcp/types.nix supports only string or submodules with a file key—there is no literal option. The code at lines 82–96 correctly handles both cases: strings are returned as-is, and file references are replaced with sops placeholders via the if value ? file check. The proposed fix is unnecessary.

Likely an incorrect or invalid review comment.

modules/nixos/services/default.nix (1)

5-5: LGTM!

modules/home-manager/services/mcp.nix (1)

1-68: LGTM!

modules/home-manager/services/default.nix (1)

3-3: LGTM!

home/racci/features/ai.nix (2)

7-27: LGTM!


39-44: LGTM!

hosts/server/nixai/backend.nix (3)

9-9: LGTM!


45-79: LGTM!

Also applies to: 86-88, 104-104


56-59: Placeholders are correctly processed through sops templates—no action required.

The sops.templates.mcpoConfiguration template properly handles the placeholder syntax. The configuration containing placeholder."MCP/GITHUB_TOKEN" is embedded in builtins.toJSON { mcpServers = cfg.configuration; }, which produces a JSON string with sops-compatible placeholder syntax (e.g., ${MCP/GITHUB_TOKEN}). This is then processed as a sops template, which replaces placeholders with actual secret values at deployment time. The concern raised is not applicable to the current implementation.

Likely an incorrect or invalid review comment.

modules/home-manager/purpose/development/editors/ai/default.nix (1)

92-93: LGTM!

Also applies to: 297-298

RacciDev-Bot and others added 2 commits June 22, 2026 00:19
ints.between 0 3 was being parsed as 3 separate arguments to either()
instead of a single type, causing nix build .#docs to fail with:
  error: attempt to call something which is not a function but a set

Add parentheses to ensure ints.between 0 3 is treated as one expression.

The dot in "hyprlandPlugins.hy3" causes Nix to interpret it as a
sub-flake path during --inputs-from resolution, producing:
  error: 'hyprlandPlugins.hy3' is not a valid flake ID

Renamed to hy3 and updated overlays/singleton.nix to explicitly
map the input to the hyprlandPlugins.hy3 nested package path.

Piggybacks on PR DaRacci#592 which fixes the ints.between type error.
@RacciDev-Bot RacciDev-Bot force-pushed the fix/docs-fullscreenstate-types branch from 9f718b3 to fc89fc8 Compare June 21, 2026 14:45
@RacciDev-Bot RacciDev-Bot changed the title fix(home/hyprland): parenthesize ints.between in fullscreenstate types fix: resolve CI failures — ints.between type error + hyprlandPlugins.hy3 flake ID Jun 21, 2026
@coderabbitai coderabbitai Bot requested a review from DaRacci June 23, 2026 07:09

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/preprocessor/gen-options-md.py`:
- Around line 127-134: The issue is that when no options are found for the given
prefixes (when lines is empty), the code skips writing to output_path entirely,
which breaks mdBook's `{{#include}}` directive since it expects the file to exist.
Instead of only writing the file in the else block when lines is not empty,
restructure the logic to always create the output_path file regardless of
whether options were found, ensuring an empty file is written when no lines are
present so that the include contract is preserved and mdBook builds succeed.

In `@docs/src/modules/home-manager/programs/list_ephemeral.md`:
- Line 7: The include directive on line 7 references an incorrect filename that
does not match the output generated by the documentation build system. The build
pipeline normalizes module paths to camelCase format, so the file is generated
as `programs-listEphemeral-options.md` not `programs-list-ephemeral-options.md`.
Update the include directive to use the correct camelCase filename that matches
the actual generated file from the build system.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a7bdb82b-3fe4-4764-96d9-8a85edc3d151

📥 Commits

Reviewing files that changed from the base of the PR and between 9f718b3 and b4058c9.

⛔ Files ignored due to path filters (1)
  • flake.lock is excluded by !**/*.lock
📒 Files selected for processing (27)
  • docs/book.toml
  • docs/default.nix
  • docs/preprocessor/gen-options-md.py
  • docs/src/components/server_monitoring.md
  • docs/src/modules/home-manager/hyprland.md
  • docs/src/modules/home-manager/programs/list_ephemeral.md
  • docs/src/modules/nixos/core/default.md
  • docs/src/modules/nixos/core/default_groups.md
  • docs/src/modules/nixos/core/gaming.md
  • docs/src/modules/nixos/server/database.md
  • docs/src/modules/nixos/server/ssh.md
  • flake.nix
  • flake/nixos/flake-module.nix
  • flake/packages.nix
  • modules/flake/apply/system.nix
  • modules/home-manager/core/hyprland/input.nix
  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/profile.nix
  • modules/nixos/core/default-groups.nix
  • modules/nixos/core/default.nix
  • modules/nixos/server/default.nix
  • modules/nixos/server/distributed-builds.nix
  • modules/nixos/server/proxy/config.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/ssh-shell/default.nix
  • modules/nixos/server/ssh-shell/shell.nix
  • overlays/singleton.nix
💤 Files with no reviewable changes (4)
  • docs/src/modules/nixos/core/gaming.md
  • docs/book.toml
  • overlays/singleton.nix
  • flake.nix
📜 Review details
⏰ Context from checks skipped due to timeout. (2)
  • GitHub Check: Mergify Merge Protections
  • GitHub Check: Summary
🧰 Additional context used
📓 Path-based instructions (15)
**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/code-style-nix)

**/*.nix: Follow Nix code style conventions and best practices
Use consistent indentation and formatting in Nix configuration files
Follow established patterns for module organization in home-manager configurations

**/*.nix: Format code and check syntax using nix fmt
Evaluate Nix expressions without building using nix eval with the target configuration path
Format specific Nix files or directories using nix fmt followed by the file or directory path
Use --show-trace flag with nix build or nix eval commands to diagnose evaluation errors
For infinite recursion errors in Nix builds, check for circular imports or conflicting option definitions

**/*.nix: Use builtins.trace to add trace statements and inspect values during Nix evaluation (format: builtins.trace "message: ${toString var}" var)
Use builtins.toJSON to convert complex Nix attribute sets to JSON for easier inspection during evaluation
Check for circular imports between modules and option definitions that depend on themselves to resolve infinite recursion errors
Verify attribute names are correct and imports are complete when debugging 'attribute not found' errors in Nix
Check option type definitions and ensure provided values match the expected type to resolve type mismatch errors
Read assertion messages and provide required configuration values when assertion failures occur in NixOS modules

Run nix fmt on all changed Nix files after modification

**/*.nix: Store sensitive data in secrets.yaml encrypted with sops instead of hardcoding passwords, API keys, or tokens in plain text
Declare sops secrets with proper owner, group, and mode attributes; use restrictive modes like 0400 for secrets files
Set restartUnits or reloadUnits for sops secrets declarations so services that depend on secrets are restarted when secrets change
Use config.sops.placeholder in sops templates instead of directly interpolating secret paths in multi-secret templates
Do not pass secrets as e...

Files:

  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/hyprland/input.nix
  • flake/packages.nix
  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/flake/apply/system.nix
  • modules/nixos/server/distributed-builds.nix
  • flake/nixos/flake-module.nix
  • modules/home-manager/core/profile.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
  • docs/default.nix
modules/home-manager/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

modules/home-manager/**/*.nix: Home-Manager module structure must follow standard pattern: accept optional osConfig parameter; define cfg variable; define options section; define config section with mkIf conditional
Create Home-Manager modules at file path modules/home-manager/<category>/<name>.nix

Reusable Home-Manager module fragments should be placed in modules/home-manager/

Files:

  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/hyprland/input.nix
  • modules/home-manager/core/profile.nix
{modules/nixos,modules/home-manager}/**/core/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Use namespace core.<name> for shared NixOS and Home-Manager opinionated configuration modules

Files:

  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/hyprland/input.nix
  • modules/nixos/core/default.nix
  • modules/home-manager/core/profile.nix
modules/nixos/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

modules/nixos/**/*.nix: NixOS module structure must follow standard pattern: define config, lib, pkgs as parameters; create cfg variable from config; define options with mkEnableOption, mkOption, mkIf; define config section with mkIf conditional
Create NixOS modules at file path modules/nixos/<category>/<name>.nix

Reusable NixOS module fragments should be placed in modules/nixos/

Files:

  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/nixos/server/distributed-builds.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
modules/nixos/**/default.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Register NixOS modules in parent default.nix using imports list pattern

Files:

  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
modules/nixos/server/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Use namespace server.<name> for NixOS server cluster option modules

Files:

  • modules/nixos/server/default.nix
  • modules/nixos/server/distributed-builds.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
modules/**/**/default.nix

📄 CodeRabbit inference engine (.opencode/skills/modules/SKILL.md)

Use import list pattern in subdirectory default.nix files: define imports array with list of .nix files (e.g., imports = [ ./service-a.nix ./service-b.nix ])

Files:

  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
docs/**/*

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

Project documentation should be placed in the docs/ directory

Files:

  • docs/src/modules/nixos/server/database.md
  • docs/src/components/server_monitoring.md
  • docs/src/modules/nixos/server/ssh.md
  • docs/src/modules/nixos/core/default_groups.md
  • docs/src/modules/home-manager/programs/list_ephemeral.md
  • docs/src/modules/nixos/core/default.md
  • docs/preprocessor/gen-options-md.py
  • docs/src/modules/home-manager/hyprland.md
  • docs/default.nix
docs/src/**/*.md

📄 CodeRabbit inference engine (.opencode/skills/docs/SKILL.md)

docs/src/**/*.md: Use underscore filenames (e.g., my_new_feature.md) instead of hyphens for documentation files
Keep documentation prose focused on behavior, architecture, usage examples, and operational notes; let generated fragments provide exhaustive option reference

Files:

  • docs/src/modules/nixos/server/database.md
  • docs/src/components/server_monitoring.md
  • docs/src/modules/nixos/server/ssh.md
  • docs/src/modules/nixos/core/default_groups.md
  • docs/src/modules/home-manager/programs/list_ephemeral.md
  • docs/src/modules/nixos/core/default.md
  • docs/src/modules/home-manager/hyprland.md
docs/src/modules/**/*.md

📄 CodeRabbit inference engine (.opencode/skills/docs/SKILL.md)

For documented modules, prefer build-time generated option fragments via {{#include}} from docs/src/generated/*.md instead of hand-maintained option tables

Files:

  • docs/src/modules/nixos/server/database.md
  • docs/src/modules/nixos/server/ssh.md
  • docs/src/modules/nixos/core/default_groups.md
  • docs/src/modules/home-manager/programs/list_ephemeral.md
  • docs/src/modules/nixos/core/default.md
  • docs/src/modules/home-manager/hyprland.md
docs/**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Verify documentation accurately reflects new behavior in docs/ directory before proceeding to commit

Files:

  • docs/src/modules/nixos/server/database.md
  • docs/src/components/server_monitoring.md
  • docs/src/modules/nixos/server/ssh.md
  • docs/src/modules/nixos/core/default_groups.md
  • docs/src/modules/home-manager/programs/list_ephemeral.md
  • docs/src/modules/nixos/core/default.md
  • docs/src/modules/home-manager/hyprland.md
flake/nixos/flake-module.nix

📄 CodeRabbit inference engine (.opencode/skills/hosts/SKILL.md)

For hosts requiring CUDA or ROCm acceleration support, add the host name to the corresponding array in flake/nixos/flake-module.nix under accelerationHosts

Files:

  • flake/nixos/flake-module.nix
flake/nixos/**/*.nix

📄 CodeRabbit inference engine (.opencode/skills/project-structure/SKILL.md)

NixOS flake module definitions should be organized in flake/nixos/

Files:

  • flake/nixos/flake-module.nix
**/*.{js,jsx,ts,tsx,py,java,cs,cpp,c,go,rb,php}

📄 CodeRabbit inference engine (.opencode/skills/openspec-onboard/SKILL.md)

Scan for TODO/FIXME comments in code files to identify improvement opportunities

Files:

  • docs/preprocessor/gen-options-md.py
**/*.{js,jsx,ts,tsx,py,java,cs}

📄 CodeRabbit inference engine (.opencode/skills/openspec-onboard/SKILL.md)

Identify missing validation in user input handlers

Files:

  • docs/preprocessor/gen-options-md.py
🧠 Learnings (8)
📚 Learning: 2026-04-13T14:02:32.760Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 546
File: hosts/server/nixdev/default.nix:18-18
Timestamp: 2026-04-13T14:02:32.760Z
Learning: When configuring NixOS Docker via `virtualisation.docker.daemon.settings`, it is valid to set `storage-driver = "overlayfs"` (do not flag it as an invalid Docker storage-driver). Use `overlayfs` specifically for Docker Engine 29+ and/or when the containerd snapshotter integration is enabled (`virtualisation.docker.features.containerd-snapshotter = true`). Treat this as the containerd snapshotter name for OverlayFS, distinct from the legacy `overlay2` classic Docker storage driver.

Applied to files:

  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/hyprland/input.nix
  • flake/packages.nix
  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/flake/apply/system.nix
  • modules/nixos/server/distributed-builds.nix
  • flake/nixos/flake-module.nix
  • modules/home-manager/core/profile.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
  • docs/default.nix
📚 Learning: 2026-05-01T10:02:55.261Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/core/sops.nix:49-53
Timestamp: 2026-05-01T10:02:55.261Z
Learning: In this nix-config repo, when declaring `sops.secrets` in Nix files, avoid explicitly setting `owner = "root"` and/or `group = "root"` if the intended ownership is root. `sops-nix` defaults `sops.secrets` to `root:root`, so adding these fields explicitly is redundant boilerplate.

Applied to files:

  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/hyprland/input.nix
  • flake/packages.nix
  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/flake/apply/system.nix
  • modules/nixos/server/distributed-builds.nix
  • flake/nixos/flake-module.nix
  • modules/home-manager/core/profile.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
  • docs/default.nix
📚 Learning: 2026-05-01T14:14:49.691Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/core/gaming.nix:119-119
Timestamp: 2026-05-01T14:14:49.691Z
Learning: When configuring the NixOS `wivrn` module option `services.wivrn.config.json.application`, pass the raw package/derivation (e.g., `pkgs.wayvr`) rather than converting it to a string executable path (e.g., `lib.getExe pkgs.wayvr`). The upstream module expects a list of derivations/packages (it internally `toList`s the value, asserts the first element is a derivation, and then resolves the executable internally). Code review should not recommend changing `pkgs.wayvr` to `lib.getExe pkgs.wayvr` for this option.

Applied to files:

  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/hyprland/input.nix
  • flake/packages.nix
  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/flake/apply/system.nix
  • modules/nixos/server/distributed-builds.nix
  • flake/nixos/flake-module.nix
  • modules/home-manager/core/profile.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
  • docs/default.nix
📚 Learning: 2026-05-20T13:12:46.610Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 546
File: docs/site.nix:127-127
Timestamp: 2026-05-20T13:12:46.610Z
Learning: In DaRacci/nix-config, treating `passthru.discovery = false` as a known repo-wide convention to exclude a derivation from automated flake discovery/package CI. Do not require or flag an inline explanatory comment specifically for the absence of a comment when `passthru.discovery = false` is set.

Applied to files:

  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/hyprland/input.nix
  • flake/packages.nix
  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/flake/apply/system.nix
  • modules/nixos/server/distributed-builds.nix
  • flake/nixos/flake-module.nix
  • modules/home-manager/core/profile.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
  • docs/default.nix
📚 Learning: 2026-05-01T09:57:09.578Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/services/ai-agent.nix:15-15
Timestamp: 2026-05-01T09:57:09.578Z
Learning: In this repo’s Nix modules, `inputs.services-zeroclaw` is a flake input that resolves to an attrset containing a `_file` attribute, and Nix coerces that attrset to a file path via `_file`. When importing/using it as a path in `imports` (e.g., `modules/nixos/services/ai-agent.nix`), use the string interpolation form "${inputs.services-zeroclaw}". Do not change it to `inputs.services-zeroclaw` (raw attrset form) in `imports`, because it will not work correctly.

Applied to files:

  • modules/home-manager/core/hyprland/types.nix
  • modules/home-manager/core/hyprland/input.nix
  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/flake/apply/system.nix
  • modules/nixos/server/distributed-builds.nix
  • modules/home-manager/core/profile.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
📚 Learning: 2026-05-01T09:11:22.009Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/core/gaming.nix:65-65
Timestamp: 2026-05-01T09:11:22.009Z
Learning: In Nix code, do not flag shell-variable literals like "$XDG_RUNTIME_DIR" used inside Steam’s `extraEnv` (e.g., `pkgs.steam.override { extraEnv = { ... }; }`, including `modules/nixos/core/gaming.nix`). The Steam wrapper script expands these shell variables at runtime, so they should be treated as intended unexpanded literals rather than an interpolation/quoting mistake.

Applied to files:

  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/nixos/server/distributed-builds.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
📚 Learning: 2026-05-01T14:35:32.037Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 544
File: modules/nixos/core/remote.nix:153-179
Timestamp: 2026-05-01T14:35:32.037Z
Learning: In this repo’s NixOS module code (e.g., shell scripts produced via `writeShellApplication` inside `modules/nixos/**`), do not treat missing `XDG_STATE_HOME` fallbacks (like `${XDG_STATE_HOME:-$HOME/.local/state}`) as an error in the embedded shell script. On NixOS user sessions, `XDG_STATE_HOME` is reliably set via PAM/systemd, so flagging its absence as potentially unset is overly defensive for these generated scripts.

Applied to files:

  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/nixos/server/distributed-builds.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
📚 Learning: 2026-06-20T14:33:25.328Z
Learnt from: DaRacci
Repo: DaRacci/nix-config PR: 590
File: modules/nixos/server/monitoring/collector/tempo.nix:71-72
Timestamp: 2026-06-20T14:33:25.328Z
Learning: When reviewing DaRacci/nix-config NixOS modules that use sops-nix, do not flag `sops.secrets` entries as missing `owner`, `group`, `mode`, or `restartUnits` if the secret declarations are only placeholder sources for `sops.templates`:
- The secret value is referenced exclusively via `config.sops.placeholder.<NAME>` inside a `sops.templates` definition (i.e., no other code reads the decrypted secret from the raw secret path).
- The rendered `sops.templates` output is what is used by systemd via a `systemd.services.*.serviceConfig.EnvironmentFile` (the template is the effective boundary).
In this pattern, the template’s own `restartUnits` are the relevant access-control/restart boundary; the raw `sops.secrets` files are only decrypted in-memory by sops-nix (run as root) to render the template. Therefore, empty-attrset `sops.secrets.<NAME> = { };` declarations should not be treated as missing permissions/restart hooks when they are only feeding a `sops.templates` placeholder.

Applied to files:

  • modules/nixos/server/default.nix
  • modules/nixos/core/default.nix
  • modules/nixos/server/distributed-builds.nix
  • modules/nixos/server/proxy/extensions.nix
  • modules/nixos/server/proxy/config.nix
🪛 ast-grep (0.44.0)
docs/preprocessor/gen-options-md.py

[warning] 132-132: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(output_path, "w", encoding="utf-8")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)

🪛 LanguageTool
docs/src/modules/home-manager/hyprland.md

[uncategorized] ~105-~105: Possible missing article found.
Context: ...d into Lua generation. Each attr key is bind string (for example "SUPER+Return") a...

(AI_HYDRA_LEO_MISSING_A)


[uncategorized] ~105-~105: Possible missing comma found.
Context: ...tion. Each attr key is bind string (for example "SUPER+Return") and each attr value i...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~105-~105: Possible missing article found.
Context: ..."SUPER+Return") and each attr value is command string. Rendered into @applicationBind...

(AI_HYDRA_LEO_MISSING_A)


[uncategorized] ~114-~114: Possible missing article found.
Context: ....nautilus}/bin/nautilus"; }; ``` Generated Lua iterates over those table entries a...

(AI_HYDRA_LEO_MISSING_THE)

🪛 markdownlint-cli2 (0.22.1)
docs/src/modules/home-manager/hyprland.md

[warning] 15-15: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (24)
flake/packages.nix (1)

28-39: LGTM!

modules/nixos/server/distributed-builds.nix (1)

18-22: LGTM!

modules/flake/apply/system.nix (1)

22-22: LGTM!

modules/nixos/server/default.nix (1)

187-187: LGTM!

modules/nixos/core/default.nix (1)

32-32: LGTM!

modules/home-manager/core/hyprland/types.nix (1)

99-104: LGTM!

Also applies to: 517-522

modules/home-manager/core/profile.nix (1)

1-43: LGTM!

flake/nixos/flake-module.nix (1)

62-66: LGTM!

modules/nixos/server/proxy/config.nix (1)

103-107: LGTM!

modules/nixos/server/proxy/extensions.nix (1)

36-40: LGTM!

modules/home-manager/core/hyprland/input.nix (1)

1-43: 📐 Maintainability & Code Quality

No action required. The Hyprland input configuration is already adequately documented at docs/src/modules/home-manager/hyprland.md under the "### input.nix" section, which accurately describes the module's purpose of providing sensible defaults for cursor, binds, input, and misc settings. Since the change is purely formatting-related (as indicated by "input.nix top-level attribute spacing"), the documentation guideline is satisfied without modification. The file structure is correct as a reusable configuration fragment within the Hyprland module hierarchy.

docs/preprocessor/gen-options-md.py (2)

132-134: The static-analysis path-traversal flag on open(output_path, ...) is a false positive here: output_path is the third positional argument supplied internally by docs/site.nix build wiring, not request- or user-derived input.

Source: Linters/SAST tools


49-66: LGTM!

docs/default.nix (2)

25-43: LGTM!


246-258: 🎯 Functional Correctness

Both isDefault and relPath fields are correctly populated by findModuleFilesRec.

Verification confirms the function at lines 177 and 189 of docs/default.nix sets both fields as expected. The dedup logic functions correctly: whilst dirOf "options.nix" at root evaluates to "." (not filtered by (d: d != "")), the matching root default.nix also has dirOf == ".", so the intended dedup behaviour is preserved.

docs/src/modules/nixos/core/default.md (1)

37-37: LGTM!

docs/src/modules/nixos/core/default_groups.md (1)

5-5: Module and prefix naming updates are consistent with the groups.nix → default-groups.nix rename.

Both the entry point reference (line 5) and the generated options include path (line 17) correctly reflect the module rename. The prefix changes from core-groups-options.md to core-default-groups-options.md, which aligns with the updated option namespace core.defaultGroups.

Also applies to: 17-17

docs/src/modules/nixos/server/ssh.md (1)

11-11: SSH module rename updates are consistent across all three lines.

Lines 11, 13, and 27 all correctly reflect the module rename from ssh to ssh-shell. The generated options include path changes from server-ssh-options.md to server-ssh-shell-options.md, and internal file references update accordingly. All changes are interdependent and logically consistent.

Also applies to: 13-13, 27-27

docs/src/modules/home-manager/hyprland.md (4)

15-15: 📐 Maintainability & Code Quality | ⚡ Quick win

Add language identifier to the fenced code block.

The module structure diagram block (line 15) should specify a language for the code fence to comply with the MD040 linting rule. Either use ```text or ```nix depending on content, or convert to a different markup format if this is purely structural documentation.

Proposed fix
-```
+```text
 default.nix       # Top-level importer (imports all submodules)
 ├── permission.nix   # custom-settings.permission

Source: Linters/SAST tools


105-105: 📐 Maintainability & Code Quality | 💤 Low value

Fix grammatical issues: add missing articles in bind descriptions.

Two sentences lack articles before nouns:

  • Line 105: "Each attr key is a bind string" (missing article a)
  • Line 105: "each attr value is a command string" (missing article a)
  • Line 114: "Generated Lua iterates over those table entries and creates" (run-on; consider restructuring)
Proposed fixes
- **`applicationBinds`** (attrs of `str`, default `{}`) — Application keybinds passed into Lua generation. Each attr key is bind string (for example `"SUPER+Return"`) and each attr value is command string. Rendered into `@applicationBinds@` as Lua table entries consumed by `binds.lua`:
+ **`applicationBinds`** (attrs of `str`, default `{}`) — Application keybinds passed into Lua generation. Each attr key is a bind string (for example `"SUPER+Return"`) and each attr value is a command string. Rendered into `@applicationBinds@` as Lua table entries consumed by `binds.lua`:

Also applies to: 114-114

Source: Linters/SAST tools


136-145: Placeholder table reformatting is clear and well-aligned.

The markdown table restructure improves readability whilst preserving all placeholder descriptions and mappings. No content issues.


86-87: 🎯 Functional Correctness

This review comment is based on incorrect assumptions and should be dismissed.

The documentation reference to pkgs.hyprlandPlugins.hy3 does not depend on any flake input rename or overlay mapping. There is no hy3 or hyprlandPlugins flake input defined in flake.nix, nor is there any corresponding mapping in overlays/singleton.nix. The pkgs.hyprlandPlugins.hy3 reference resolves through the standard nixpkgs package set, not through a custom overlay.

> Likely an incorrect or invalid review comment.

docs/src/modules/nixos/server/database.md (1)

28-33: 📐 Maintainability & Code Quality

The includes are correctly configured and will be generated during the docs build. The module discovery system in docs/default.nix automatically discovers the three database modules (server/database/default.nix, server/database/postgres.nix, server/database/redis.nix) and generates the corresponding option fragments (server-database-options.md, server-database-postgres-options.md, server-database-redis-options.md) in the generated/ directory during the build phase defined in docs/site.nix. The relative paths (4 levels up from docs/src/modules/nixos/server/) correctly resolve to docs/src/generated/, and the module discovery logic properly handles the prefix-to-filename conversion. No additional action is required.

docs/src/components/server_monitoring.md (1)

65-65: 📐 Maintainability & Code Quality

No action required. The module discovery and build process will generate docs/src/generated/server-monitoring-options.md with the correct prefix server.monitoring. The include path ../../generated/server-monitoring-options.md is mathematically correct and will resolve properly during the build.

Comment thread docs/preprocessor/gen-options-md.py
Comment thread docs/src/modules/home-manager/programs/list_ephemeral.md
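
The two points the review above raises about the fragment writer, as an added example that is not the repository's `gen-options-md.py` (its source is not shown on this page): always create the output file so mdBook's `{{#include}}` resolves even when no options match, and confine the output path to the generated directory, which is the check the ast-grep CWE-22 rule looks for. The function names, arguments and option data are assumptions constructed for illustration; only the two fragment filenames come from the page.

```python
"""Sketch of an options-fragment writer (hypothetical, not the project's script)."""
from __future__ import annotations

import tempfile
from pathlib import Path


class UnsafeOutputPath(ValueError):
    """Raised when a fragment path would land outside the generated directory."""


def resolve_fragment_path(generated_dir: Path, fragment_name: str) -> Path:
    """Return the absolute output path, refusing anything outside generated_dir."""
    base = generated_dir.resolve()
    # Resolving collapses ".." segments and symlinks before the containment check.
    # An absolute fragment_name replaces base entirely and is rejected below too.
    candidate = (base / fragment_name).resolve()
    if base not in candidate.parents:
        raise UnsafeOutputPath(f"{fragment_name!r} escapes {base}")
    if candidate.suffix != ".md":
        raise UnsafeOutputPath(f"{fragment_name!r} is not a Markdown fragment")
    return candidate


def render_options(options: dict[str, dict], prefixes: list[str]) -> list[str]:
    """Render the options whose dotted name falls under one of the prefixes."""
    lines: list[str] = []
    for name in sorted(options):
        if any(name == p or name.startswith(p + ".") for p in prefixes):
            lines.append(f"### `{name}`")
            lines.append("")
            lines.append(options[name].get("description", "").strip())
            lines.append("")
    return lines


def write_fragment(generated_dir: Path, fragment_name: str,
                   options: dict[str, dict], prefixes: list[str]) -> Path:
    """Write the fragment unconditionally; an empty file is a valid result."""
    out = resolve_fragment_path(generated_dir, fragment_name)
    out.parent.mkdir(parents=True, exist_ok=True)
    lines = render_options(options, prefixes)
    # No "if lines:" guard here: skipping the write is what breaks the include.
    out.write_text("\n".join(lines) + ("\n" if lines else ""), encoding="utf-8")
    return out


def demo() -> dict:
    """Run the writer over constructed option data and report what happened."""
    options = {  # constructed sample, not real module output
        "core.defaultGroups.enable": {"description": "Constructed description."},
        "server.monitoring.enable": {"description": "Constructed description."},
    }
    with tempfile.TemporaryDirectory() as tmp:
        generated = Path(tmp) / "generated"
        found = write_fragment(generated, "core-default-groups-options.md",
                               options, ["core.defaultGroups"])
        # No option matches this prefix, so the fragment must exist but be empty.
        empty = write_fragment(generated, "programs-listEphemeral-options.md",
                               options, ["programs.listEphemeral"])
        try:
            write_fragment(generated, "../../escape.md", options, [])
            traversal_blocked = False
        except UnsafeOutputPath:
            traversal_blocked = True
        return {
            "found_text": found.read_text(encoding="utf-8"),
            "empty_exists": empty.exists(),
            "empty_size": empty.stat().st_size,
            "traversal_blocked": traversal_blocked,
        }


if __name__ == "__main__":
    print(demo())
```
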
@DaRacci

DaRacci commented Jun 23, 2026

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mergify

mergify Bot commented Jun 23, 2026

Queued — the merge queue status continues in this comment ↓.

@mergify mergify Bot added the queued label Jun 23, 2026
@mergify

mergify Bot commented Jun 23, 2026

Merge Queue Status

This pull request spent 21 seconds in the queue, including 4 seconds running CI.

Waiting for
  • #approved-reviews-by>=1
All conditions

Reason

Pull request #592 has been dequeued

merge conditions no longer match. Blocked by:

  • #approved-reviews-by>=1


Hint

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.
If you do update this pull request, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.


mergify Bot added a commit that referenced this pull request Jun 23, 2026
@mergify mergify Bot added dequeued and removed queued labels Jun 23, 2026
@DaRacci DaRacci merged commit 9928c99 into DaRacci:master Jun 23, 2026
2 of 7 checks passed
DaRacci pushed a commit that referenced this pull request Jun 23, 2026
The dot in "hyprlandPlugins.hy3" causes Nix to interpret it as a
sub-flake path during --inputs-from resolution, producing:
  error: 'hyprlandPlugins.hy3' is not a valid flake ID

Renamed to hy3 and updated overlays/singleton.nix to explicitly
map the input to the hyprlandPlugins.hy3 nested package path.

Piggybacks on PR #592 which fixes the ints.between type error.
@mergify mergify Bot removed the dequeued label Jun 23, 2026