Changelog

All notable changes to this project will be documented in this file.

[Unreleased] - 2026-05-09

Fixed

  • hey ops deploy wrong hostname: ops.janet set HEYENV from the local machine’s hostname, causing remote hosts to inherit the wrong networking.hostName. Fixed by overriding HEYENV’s :host with the target flake host.
  • networking.hostName now uses flake attr: lib/nixos.nix sets hostname from mapAttrs key (hosts/ directory) directly — HEYENV’s args.host no longer overrides it. Flake attribute name is the single source of truth.
  • SSH MaxAuthTries exhaustion: Added IdentitiesOnly yes to Host * in ~/.ssh/config, preventing agent keys from inflating offered identities past the server limit (6). Stripped redundant ServerAliveInterval/ServerAliveCountMax/IdentitiesOnly from individual host blocks — now inherited from Host *.

Added

  • docs/ssh.md: Comprehensive SSH architecture doc covering config layers, agent vs IdentityFile, MaxAuthTries pitfall, and agenix host key interaction.

[Unreleased] - 2026-05-08

Changed

  • User options refactor: Simplified modules/user.nix to pure option declarations with mkOpt (empty defaults for key paths, simple fallbacks for identity). Explicit values moved to modules/profiles/user/alienzj.nix.
  • Git SSH host config: Moved programs.ssh.extraConfig generation for git hosts into modules/shell/git.nix via new modules.shell.git.sshGitHosts option. Git host SSH config now lives alongside other git configuration.
  • default.nix user bridge: Replaced blanket mkAliasDefinitions options.user with explicit per-attribute aliases (name, description, home, group, uid, extraGroups, isNormalUser) to prevent non-user-submodule options (email, github, signing, etc.) from being forwarded to users.users.<name>.
  • yubikeyPrefix removed: No longer a standalone option; inlined as local let binding in alienzj.nix.

Added

  • user.signing.allowedSignersSource: New option decoupling the git allowed_signers file source from the hey.configDir hardcode.

[Unreleased] - 2026-05-04

Fixed

  • Plymouth: Suppress systemd-ask-password-console in initrd to prevent YubiKey/FIDO2 PIN from being echoed in plaintext when switching to text mode (ESC) during boot.

[Unreleased] - 2026-04-29

Added

  • Neovim AstroNvim Refactor: Replaced inline Lua config with AstroNvim v6 + lazy.nvim (inspired by mic92’s dotfiles):
    • Framework: AstroNvim v6 provides keybindings, UI, LSP integration, completion (blink.cmp), and plugin management
    • Plugin manager: lazy.nvim manages 63 plugins declaratively with lazy-lock.json
    • Config structure: Lua config files in config/nvim/lua/plugins/ (14 files) linked via home.configFile
    • Theme: catppuccin-mocha (replaces inline catppuccin config)
    • LSP: 17 servers via astrolsp with native vim.lsp.config (replaces inline lspconfig)
    • Completion: blink.cmp + copilot + blink-cmp-tmux (replaces nvim-cmp)
    • Languages: 14 astrocommunity language packs (Go, Bash, C++, Lua, Markdown, Nix, Python, Rust, TOML, YAML, Zig, HTML/CSS) + custom Snakemake/Nextflow/Zsh support
    • Mason: Present but disabled — all tools provided by Nix
    • Documentation: Added docs/neovim.md with comprehensive developer guide (300+ lines covering navigation, LSP, debugging, plugin management, customization, troubleshooting)
  • Editor Extensions: Added 30+ VS Code extensions across all VS Code family editors (VS Code, Cursor, Kiro, Antigravity):
    • Languages: Go, Java, Kotlin, Ruby, PHP, Lua, Zig, Julia, Haskell, OCaml, Scala, Clojure, Elixir, Dart/Flutter, C#/.NET, PowerShell
    • AI Tools: Qwen Code IDE companion (replaced Copilot, Codeium, Continue)
    • DevOps: Kubernetes, Helm, Hadolint, Terraform, Docker/Podman
    • Database: SQLTools, PostgreSQL client
    • Data Formats: XML, GraphQL, Rainbow CSV
    • Bioinformatics: Snakemake, Snakefmt, Nextflow (now shared across all editors)
    • Code Review: GitLens (moved to shared common extensions)
  • Neovim LSP Servers: Added kotlin_language_server, ruby_lsp, zls, lua_ls (with Neovim runtime), jdtls, ruff
  • Neovim DAP: Added nvim-dap-go + delve for Go debugging
  • Neovim Formatters: Added google-java-format, ktfmt, rubocop, sql-formatter via Conform
  • File Associations: Added .smk/.snakefile → Python, .nf/nextflow.config → Groovy, .csv/.tsv, .proto, .graphql, .hcl/.tf, .toml
  • Neovim Filetype Detection: Snakemake (.smk) and Nextflow (.nf) files get proper syntax highlighting via vim.filetype.add()
  • Documentation: Added docs/editors.md with comprehensive editor architecture, extension catalog, and configuration guide
  • Documentation: Added docs/sbc-opi5p.md with complete Orange Pi 5 Plus installation guide covering RK3588 kernel, edk2 UEFI boot, cross-compilation strategy, and three installation methods
  • Rockchip Kernel: Upgraded vendor kernel from Linux 6.14 (unmaintained) to Linux 7.0 (latest stable) with Armbian rockchip64-edge patches. Added comprehensive kernel build/test/update/maintenance guide to docs/sbc-opi5p.md.
  • Markdown Preview: Added bierner.markdown-preview-github-styles extension for GitHub-style rendering in VS Code family editors.
  • Bubblewrap Sandbox: Added mkBwrapWrapper helper in lib/pkgs.nix for sandboxing GUI applications with bubblewrap (filesystem isolation, /proc hiding, namespace unsharing)

Changed

  • Telegram Client: Switched from telegram-desktop to ayugram-desktop (AyuGram fork with ghost mode, message scheduling, and enhanced proxy support)
  • WeChat & QQ Sandboxing: Replaced basic wrapFakeHome/mkWrapper with mkBwrapWrapper bubblewrap sandbox for stronger privacy hardening (filesystem isolation, hidden /proc, unshared namespaces)
  • WeMeet & Zoom Sandboxing: Applied mkBwrapWrapper to WeMeet (Tencent Meeting) and Zoom — camera, microphone, and PipeWire access preserved via /dev and XDG_RUNTIME_DIR bind-mounts
  • Discord & Telegram Sandboxing: Applied mkBwrapWrapper to Discord and AyuGram Telegram
  • Documentation: Added docs/security-hardening.md with comprehensive 7-layer defense-in-depth architecture covering hardware tokens, secure boot, disk encryption, kernel hardening, AppArmor, bubblewrap sandboxing, firewall, and secrets management
  • VS Code Family Refactor: Extracted duplicated extension lists from vscode.nix, cursor.nix, kiro.nix, antigravity.nix into shared commonExtensions in default.nix (eliminates 4x duplication)
  • GitLens: Moved from per-editor extensions to shared commonExtensions
  • AI Tools: Replaced GitHub Copilot, Codeium, and Continue with Qwen Code IDE companion
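The mkBwrapWrapper helper added to lib/pkgs.nix in this release, and its application to the WeChat/QQ, WeMeet/Zoom and Discord/Telegram wrappers in the Changed entries, can be illustrated with a wrapper builder of the same shape. The following is an added example, not the repository's own lib/pkgs.nix: the argument names (pkg, exe, name, extraArgs), the default mount list and the fake-home location are assumptions.

```nix
# Added example, not the repository's lib/pkgs.nix: a bubblewrap wrapper
# builder in the spirit of the mkBwrapWrapper described in the changelog.
# The argument names and the default mount set are assumptions.
{ pkgs, lib }:

{
  mkBwrapWrapper =
    { pkg                                   # the package to sandbox
    , exe ? lib.getExe pkg                  # program to run inside the sandbox
    , name ? pkg.pname or pkg.name          # name of the wrapper binary
    , extraArgs ? [ ]                       # e.g. [ "--dev-bind" "/dev/video0" "/dev/video0" ]
    }:
    pkgs.writeShellScriptBin name ''
      set -euo pipefail

      # Private, persistent fake home: the app never sees the real $HOME.
      home="$HOME/.local/share/bwrap/${name}"
      mkdir -p "$home"

      # Only expose host paths and sockets that actually exist, so the
      # wrapper works on a bare TTY as well as under Wayland/PipeWire.
      mounts=()
      for p in /etc/static /etc/resolv.conf /etc/hosts /etc/passwd /etc/group \
               /etc/localtime /etc/fonts /etc/ssl /run/opengl-driver; do
        [ -e "$p" ] && mounts+=(--ro-bind "$p" "$p")
      done
      if [ -n "''${WAYLAND_DISPLAY:-}" ] && [ -S "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" ]; then
        mounts+=(--ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY")
      fi
      if [ -S "$XDG_RUNTIME_DIR/pipewire-0" ]; then
        mounts+=(--ro-bind "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0")
      fi

      # --unshare-all gives fresh user/pid/ipc/uts/cgroup namespaces; with a
      # fresh --proc, the app sees only its own processes (the "/proc hiding").
      # --share-net re-enables networking, which every client here needs.
      exec ${pkgs.bubblewrap}/bin/bwrap \
        --ro-bind /nix/store /nix/store \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --tmpfs "$XDG_RUNTIME_DIR" \
        --bind "$home" "$HOME" \
        --unshare-all --share-net \
        --die-with-parent --new-session \
        "''${mounts[@]}" \
        ${lib.escapeShellArgs extraArgs} \
        ${exe} "$@"
    '';
}
```

The defaults give the client a minimal /dev, so a meeting client that needs camera and microphone gets them only through extraArgs (for example `--dev-bind /dev/video0 /dev/video0`), which keeps the decision visible at the call site; the PipeWire socket is bound read-only only when it exists, and the rest of XDG_RUNTIME_DIR (SSH agent, GPG agent and other sockets) stays behind the tmpfs. A quick check from inside the sandbox is to run `ps ax` and `ls /home`: only the wrapped process tree and the fake home should be visible.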

Fixed

  • CI Workflow: Removed eval check from GitHub Actions CI (fails due to missing agenix secrets, unfree packages, aarch64 platform mismatch, and per-host password assertions). Syntax check remains as the sole CI gate; full evaluation should be run locally.
  • C# Dev Kit Build Failure: Removed ms-dotnettools.csdevkit from shared VS Code extensions — nixpkgs patchPhase regex no longer matches the updated extension JS, blocking all VS Code family editors from building.

Removed

  • Neovim R Support: Removed r_language_server, rPackages.languageserver, and styler formatter from vim.nix (R is defined in modules/dev/r.nix, modules/editors/positron.nix)
  • Swift Extension: Removed swiftlang.swift-vscode from shared extensions
  • C# Dev Kit Extension: Removed ms-dotnettools.csdevkit from shared VS Code extensions (nixpkgs packaging bug — patchPhase regex mismatch)

[Unreleased] - 2026-04-27

Fixed

  • kmscon: Disabled hardware rendering (hwRender) by default and made it configurable via modules.system.kmscon.hwRender. This fixes a SEGV crash on systems with NVIDIA GPUs (like id3-eniac).

[Unreleased] - 2026-04-24

Added

  • Terminal Singleton Behavior: Mod + Return now focuses an existing workmux terminal instead of opening a new one.
  • Rofi Tmux Session Picker: Integrated singleton logic into the Rofi tmux picker; switching to an active workspace now focuses its window.
  • hey .focus-window: New helper script for cross-WM window focusing by title or class (supports Hyprland, Niri, and BSPWM).

Changed

  • hey .open-term:
    • Added focusing logic (uses session name as title/class).
    • Added -n/--new flag to force a new terminal instance.
    • Improved tmux session handling to use the provided session name consistently.
    • Now sets app-id (class) for foot to match the session name for easier window identification.
  • hey .clone-term: Updated to always use hey .open-term -n to ensure a new window is created when cloning.

[Unreleased] - 2026-04-21

Added

  • Modular Zsh Prompts: Added matrix and p10k prompt configurations in modules/themes/config/zsh/.
  • Modular Tmux Themes: Added matrix and gemini tmux configurations in modules/themes/config/tmux/.
  • boostgreeter: Added a pseudo-login greetd mode for Hyprland and Niri that starts the real desktop session directly as the user and immediately raises hyprlock, making it testable under both diy and dms shell modes.

Fixed

  • Desktop Identity Resolution: Fixed a bug where hey.info.desktop.wm was incorrectly resolved in early evaluation phases, ensuring greeters and shell components correctly identify the active compositor.
  • Niri DMS Greeter Startup: Exported the X11 fallback library path for greetd when dms-greeter runs on Niri, fixing the libXcursor.so.1 / libXi.so.6 startup crash from the bare greeter compositor path.

Changed

  • Zsh Prompt Management: Prompts are now dynamically selected via modules.theme.apps.zsh.prompt.
  • Tmux Configuration Refactor: Grouped Catppuccin settings into a configurable attribute set and enabled dynamic theme switching via modules.theme.apps.tmux.theme.
  • Browser Option Naming: Renamed modules.themes.apps.firefox to librewolf for consistency.
  • Desktop Startup Logic: Refined greeter/session startup rules so boostgreeter is the only path that triggers compositor-side pseudo-login hooks, while normal tuigreet/dms-greeter sessions start dms.service directly in Wayland dms mode and DIY wallpaper hooks remain DIY-only.

[Unreleased] - 2026-04-18

Added

  • Centralized Desktop Mode (modules.desktop.mode): Moved the mode option to the top-level modules/desktop/default.nix. All window managers now inherit a global diy (Do It Yourself) or dms (Dank Material Shell) setting.
  • Dedicated Shell Modules: Created modules/desktop/shell/diy.nix and shell/dms.nix to centrally manage shell-specific components like status bars, wallpaper managers, and notification daemons across all desktop environments.
  • Unified Greeter Service (modules/services/desktop/greetd.nix): Created a standalone module for display managers. Supports dms-greeter, tuigreet (TUI), and mini (LightDM), ensuring a consistent login experience for both Wayland and X11 sessions.
  • Standalone hyprlock and picom Services: Extracted lock screen and X11 compositor logic into dedicated service modules under modules/services/desktop/, improving modularity and simplifying WM-specific configurations.
  • Centralized Theme Shell: Created modules/themes/desktop/shell.nix to unify theming for notifications, lockscreens, terminals, and compositors across all desktop sessions.

Changed

  • Modernized Neovim Configuration: Migrated Neovim LSP setup to the native 0.11 vim.lsp.config API and implemented LspAttach autocommands for keybindings. Corrected catppuccin theme registration for Lualine.
  • Refactored Desktop Modules: hyprland.nix, niri.nix, and bspwm.nix are now significantly cleaner, focusing purely on compositor/WM-specific logic by delegating shell and greeter management to centralized services.
  • Hardened Greeter Paths: Migrated icon and cursor theme paths from user-restricted directories to system-wide locations (/run/current-system/sw/share/icons) to ensure the dms-greeter user has proper access.

Fixed

  • dms-greeter Permission Crash: Resolved a filesystem error causing greetd to crash by ensuring icon themes are available in system-wide paths and updating XCURSOR_PATH.
  • DMS Service Path Error: Fixed a failure in dms.service by ensuring quickshell is present in the service’s environment path.
  • Niri Reload Command: Corrected the Niri reload hook to use the valid niri msg action load-config-file command.
  • Redundant Persistence: Pruned redundant .npm and .positron directories from persistence modules.

[Unreleased] - 2026-04-17

Added

  • hey info closure: Added a new subcommand to calculate the total Nix closure size of a host (including all dependencies) using nix path-info. Supports an optional host name.

[Unreleased] - 2026-04-16

Added

  • mkDesktopInfo in lib/pkgs.nix: A shared helper to generate standardized hey.info structures for desktop environments. Eliminates duplication across Niri, Hyprland, and BSPWM modules. Returns { type, mode, primaryMonitor, nextMonitor, monitors }.

Changed

  • Unified hey.info across desktop modules: modules/desktop/niri.nix, hyprland.nix, and bspwm.nix now use mkDesktopInfo instead of manually constructing info attrsets. Behavior is unchanged; the generated info.json structure is backward-compatible.
  • Refactored theme imports: modules/themes/default.nix now uses a mkImport helper to import desktop theme modules, reducing repetition and standardizing heyBin parameter passing.
  • Completed BSPWM hey.info support: Removed stale TODO comments. BSPWM now provides the same hey.info.bspwm structure as Niri and Hyprland (with mode = null since BSPWM has no dms/diy mode).

Removed

  • Duplicate hey.info construction logic: ~15 lines of repeated attrset construction removed from niri.nix, hyprland.nix, and bspwm.nix.

[Unreleased] - 2026-04-15

Added

  • Modernized Agent Guides: Restored and updated AGENTS.md, CLAUDE.md, and GEMINI.md with comprehensive rules for the current architecture.
  • scripts/sync_vps-pacman.zsh: A specialized sync script for remote VPS deployment and management.
  • Agenix per-host secret scoping: Secrets in nix-secrets/secrets/secrets.nix can now declare nodes = ["host1" "host2"] to limit decryption to specific hosts. Secrets without nodes remain shared across all hosts. This prevents every host from decrypting every secret during activation.

Changed

  • modules/agenix.nix: Added filterByNodes logic that reads nodes attribute from each secret definition and filters out secrets not belonging to the current host. Fully backward compatible — secrets without nodes (old format) are still included as shared secrets.
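The per-host scoping described in the Added entry for agenix (secrets declaring `nodes = ["host1" "host2"]`) and the filterByNodes logic in modules/agenix.nix above can be shown as a small standalone Nix file. This is an added example, not the repository's module: the function names are assumptions, the sample secrets.nix content, host names and key strings are constructed, and the `unknownNodes` typo guard is an addition the changelog does not mention.

```nix
# Added example, not the repository's modules/agenix.nix: the per-host secret
# scoping described in the changelog, written as a standalone Nix file.
# `lib` is nixpkgs lib; host names and key strings below are constructed.
{ lib }:
let
  # Constructed sample in the shape of nix-secrets/secrets/secrets.nix.
  # `nodes` is optional: absent means "shared by every host" (old format).
  secrets = {
    "wifi.age"      = { publicKeys = [ "ssh-ed25519 PLACEHOLDER-KEY" ]; };
    "vps-token.age" = { publicKeys = [ "ssh-ed25519 PLACEHOLDER-KEY" ]; nodes = [ "host1" ]; };
    "gpu-lic.age"   = { publicKeys = [ "ssh-ed25519 PLACEHOLDER-KEY" ]; nodes = [ "host1" "id3-eniac" ]; };
  };

  # Keep a secret when it has no `nodes` or when `nodes` lists this host,
  # so the old shared format keeps working unchanged.
  filterByNodes = hostName: defs:
    lib.filterAttrs (_: def: !(def ? nodes) || lib.elem hostName def.nodes) defs;

  # A misspelt host in `nodes` would silently make that secret decryptable
  # nowhere; surface such names so the module can assert on them.
  unknownNodes = knownHosts: defs:
    lib.unique (lib.concatMap (def: lib.subtractLists knownHosts (def.nodes or [ ]))
      (lib.attrValues defs));

  # Turn the surviving definitions into age.secrets entries for this host.
  # `dir` is the directory holding the .age files (a path, not a string).
  toAgeSecrets = dir: defs:
    lib.mapAttrs' (file: _:
      lib.nameValuePair (lib.removeSuffix ".age" file) { file = dir + "/${file}"; })
      defs;
in
{
  inherit filterByNodes unknownNodes toAgeSecrets;

  # Evaluate with:
  #   nix-instantiate --eval --strict -E 'import ./filter.nix { lib = (import <nixpkgs> {}).lib; }'
  forId3Eniac = lib.attrNames (filterByNodes "id3-eniac" secrets);
  typos       = unknownNodes [ "host1" "host2" "id3-eniac" ] secrets;
  ageSecrets  = toAgeSecrets ./secrets (filterByNodes "id3-eniac" secrets);   # ./secrets is a placeholder path
}
```

In a real module the host name comes from the flake attribute (the single source of truth the 2026-05-09 entry establishes), and `unknownNodes` is the kind of value to feed into an `assertions` entry so that a typo in `nodes` fails evaluation instead of quietly leaving a secret undecryptable on every host.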

Removed

  • HELLO.md: This unified document was replaced by the more detailed and modernized individual agent guides.

[Unreleased] - 2026-04-14

Added

  • Integrated hey subcommands:
    • hey disko: Unified disk management (format, mount, install).
    • hey install: Standardized system installation wrapper.
    • hey build: Enhanced support for iso, disko-image, and raw-efi.
  • justfile: A high-level task-oriented interface for the entire fleet.
  • bin/start-usb-test.zsh: Generalized script for testing live USB setups in QEMU.
  • just package: Added to environment.systemPackages in modules/hey.nix.

Changed

  • hey sync: Now prefers nh and nvd for better visuals and generational diffing.
  • Script Modernization: Renamed legacy .sh scripts to .zsh and removed leading numbers (build_hey.zsh, setup_kanidm.zsh).
  • Documentation Refactor:
    • Overhauled README.md with a high-level “HeyOS” ecosystem overview, system highlights, and a clearer navigation map.
    • Consolidated docs/toolchain.md and docs/hey-integration.md into a single, comprehensive guide.
    • Added a task-oriented “Operator Manual” and “Common Workflows” section to docs/toolchain.md.
    • Updated GEMINI.md to reflect the new toolchain architecture.
  • justfile refinements: Updated rsync-etc to use --delete and --exclude .git for safe, efficient mirroring. Updated recipes to use the new .zsh script names.

Removed

  • Legacy Scripts: Deleted 30+ host-specific shell scripts in scripts/, successfully migrating their logic to the hey toolchain.