titaniumtown/dotfiles
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: titaniumtown:76cdd535c854cca0898e2b94ba95ae83d413ab36
Branches Tags
titaniumtown:main
titaniumtown:final-before-unify
..
compare: titaniumtown:final-before-unify
Branches Tags
titaniumtown:main
titaniumtown:final-before-unify

15 Commits
76cdd535c8 ... final-befo

Author SHA1 Message Date
Simon Gardling
e9a44f677d update
All checks were successful
Build / build (push) Successful in 7m2s
 2026-04-17 23:26:43 -04:00
Simon Gardling
0c881602e9 yarn: fix steamos update flow 2026-04-17 23:26:15 -04:00
Simon Gardling
7f375e8574 kernel: re-enable SND_PCI
All checks were successful
Build / build (push) Successful in 1h35m51s
 2026-04-17 18:26:21 -04:00
Simon Gardling
577b5eeb77 update
All checks were successful
Build / build (push) Successful in 1h36m48s
 2026-04-17 12:33:33 -04:00
Simon Gardling
91aba32afb pi: update to claude opus 4.7
All checks were successful
Build / build (push) Successful in 4m19s
 2026-04-17 00:25:38 -04:00
Simon Gardling
29e71fb127 ??!?!?!??!
All checks were successful
Build / build (push) Successful in 6m25s
 2026-04-16 23:46:13 -04:00
Simon Gardling
ff94c3b027 steamos-update: exit 0 not 7
All checks were successful
Build / build (push) Successful in 6m14s
 2026-04-16 23:05:24 -04:00
Simon Gardling
0b457b83d3 fix build
All checks were successful
Build / build (push) Successful in 5m49s
 2026-04-16 22:53:11 -04:00
Simon Gardling
c23240c529 yarn: move pull-update into steamos-update script
Some checks failed
Build / build (push) Failing after 1m25s
 2026-04-16 22:28:49 -04:00
Simon Gardling
e40929018f eww: remove
All checks were successful
Build / build (push) Successful in 1m13s
 2026-04-16 18:02:02 -04:00
Simon Gardling
5997c886f6 pull-update: improvement
All checks were successful
Build / build (push) Successful in 3m0s
 2026-04-16 17:43:35 -04:00
Simon Gardling
72d37f57ac update
All checks were successful
Build / build (push) Successful in 12m59s
 2026-04-16 16:31:49 -04:00
Simon Gardling
0718568bec pull-update: forgot lib.getExe 2026-04-16 15:03:06 -04:00
Simon Gardling
982cc4aebc pull-update: use writeShellApplication instead 2026-04-16 15:02:08 -04:00
Simon Gardling
d2d25bbdfe omp: remove patch that didn't work 2026-04-16 14:52:51 -04:00
18 changed files with 196 additions and 875 deletions
Expand all files Collapse all files

78
flake.lock generated
View File

@@ -79,11 +79,11 @@
"cachyos-kernel-patches": {
"flake": false,
"locked": {
"lastModified": 1776181525,
"narHash": "sha256-g07GhYlAOH0agNE8dIOT33vZ0eviF/HY5xgAQRwLytk=",
"lastModified": 1776355454,
"narHash": "sha256-b9Hc0sTxjEzDbphzS9yQqxVha/7bsPIs2cQQQvaG45E=",
"owner": "CachyOS",
"repo": "kernel-patches",
"rev": "fcd21edaf0ff9b69f9d32ea8590002d6acd1c503",
"rev": "b5e029226df5cc30c103651072d49a7af2878202",
"type": "github"
},
"original": {
@@ -131,11 +131,11 @@
"doomemacs": {
"flake": false,
"locked": {
"lastModified": 1776049930,
"narHash": "sha256-6nuelk+8qSRsh5Ryj9EpWOWXeeh/g3lI5mZsBfiFZQI=",
"lastModified": 1776400245,
"narHash": "sha256-RuQB1PxazI4DOw3O+rEVU2FPT0vP0Xb+Gp/M6Yqer20=",
"owner": "doomemacs",
"repo": "doomemacs",
"rev": "5eb006f455f0558c97210ba7579880aacb045b67",
"rev": "860a91aaac235701f30b70fdc74259d438818968",
"type": "github"
},
"original": {
@@ -154,11 +154,11 @@
]
},
"locked": {
"lastModified": 1776331221,
"narHash": "sha256-I9HJO6ceghosCSraLRdAzz7f8pm+1zBo7sRVSvJbqUU=",
"lastModified": 1776478519,
"narHash": "sha256-4TWCOVYe0iWEKuW7OH93nRI4Z7u68wNT6k9UJn0FZ5w=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "23055e4c66f6b873d6d6299bf5a7fdfe6012be5c",
"rev": "513e332b074507e1b46992952e7d83f329f2c22c",
"type": "github"
},
"original": {
@@ -175,11 +175,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1776312172,
"narHash": "sha256-jxZfeRd9mxqrLlsFc9+MLcqTy1eN1hQMLWhX0MJMno8=",
"lastModified": 1776398575,
"narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "501d3ee969edad2167e57a1499312cd4fdfdbc78",
"rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
"type": "gitlab"
},
"original": {
@@ -307,11 +307,11 @@
]
},
"locked": {
"lastModified": 1776184304,
"narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
"lastModified": 1776454077,
"narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3c7524c68348ef79ce48308e0978611a050089b2",
"rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
"type": "github"
},
"original": {
@@ -366,11 +366,11 @@
]
},
"locked": {
"lastModified": 1776335039,
"narHash": "sha256-2lkQhrv6YUCeMlC/lclzq9vkTALv/ptv7d0jIhZnrPQ=",
"lastModified": 1776428236,
"narHash": "sha256-+0SyQglnT2xUiyY07155G+O7aUWISELwqtTnfURufRU=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "cbdf76c063b48d5d755fb26540367b8c2457c2ca",
"rev": "eac78fc379ca47f7e21be8539c405e5fb489a857",
"type": "github"
},
"original": {
@@ -437,11 +437,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1776351423,
"narHash": "sha256-JySMZu8hLD8kV2HerIZ6uZyrijc7SUaGhRAKH63X6R4=",
"lastModified": 1776482297,
"narHash": "sha256-KmsWPwtbO8vrlH/R9stIun0LKZ4PFSCCEdqWDeLgbTE=",
"owner": "numtide",
"repo": "llm-agents.nix",
"rev": "1fb51dbe453f1c8ec5b7133df561512e43dc7cc2",
"rev": "66c76393570f8fc4730caa2dc2d2c470fe33a3c9",
"type": "github"
},
"original": {
@@ -464,11 +464,11 @@
"xwayland-satellite-unstable": "xwayland-satellite-unstable"
},
"locked": {
"lastModified": 1776337800,
"narHash": "sha256-yZvCnzf0NDL1vfMGRBkKthRmg8V93FzQ4CQNXhxh0Wg=",
"lastModified": 1776435348,
"narHash": "sha256-qsZnMThxTqxCJZ7DEKu3DD3KjIPcuUBvZ0C9a2uIvaQ=",
"owner": "sodiboo",
"repo": "niri-flake",
"rev": "3877b9fd1f78e831b3ea223f9e992c758d13df0f",
"rev": "55b5b1fc9481ab267603a1099e5d4b4ebc7394d7",
"type": "github"
},
"original": {
@@ -497,11 +497,11 @@
"niri-unstable": {
"flake": false,
"locked": {
"lastModified": 1776332135,
"narHash": "sha256-7cKy5sGmN4Yt47Op0+A/b3iEMk/E2Ru+UiI42KfiEPc=",
"lastModified": 1776432730,
"narHash": "sha256-Pq1ZVvRGq/IFiFH6vkNwMfZEpWk23NjgGdX50COdj/c=",
"owner": "YaLTeR",
"repo": "niri",
"rev": "892470afd3dce5396828dd9b211b19210a16eaeb",
"rev": "c814c656c53ea9d69f5afb45c88f4dc4d25338cd",
"type": "github"
},
"original": {
@@ -521,11 +521,11 @@
]
},
"locked": {
"lastModified": 1776278748,
"narHash": "sha256-mLvw1+fa6vr0C87XfX0ja8yZMx0H+HWL0ena2SBMdp8=",
"lastModified": 1776386586,
"narHash": "sha256-eVAUaL/6n8mnmBiPpEVW1NDNVSKLWhYVfycG+P0SvWU=",
"owner": "xddxdd",
"repo": "nix-cachyos-kernel",
"rev": "65eaf1492a6f0850ef2f08943c6bfc59b144e72a",
"rev": "c65c3faf90ae07bae101c15ef502f0bcb06c5d74",
"type": "github"
},
"original": {
@@ -547,11 +547,11 @@
"systems": "systems_3"
},
"locked": {
"lastModified": 1776333106,
"narHash": "sha256-RR8gh+adHxFzpDm0yqKOtJAao8zqRyBcj8O5N1iIuoc=",
"lastModified": 1776419397,
"narHash": "sha256-vmWJwNYtQFexLG6r/v8Dlou/5z8FbFCLo3QqZ/stLYQ=",
"owner": "marienz",
"repo": "nix-doom-emacs-unstraightened",
"rev": "191a0107f4863132f723fdc0bf43b322fe849a0a",
"rev": "7623dd4adbdf5f8a8464ecc5fd089e5c5cb5dada",
"type": "github"
},
"original": {
@@ -740,11 +740,11 @@
]
},
"locked": {
"lastModified": 1776350315,
"narHash": "sha256-ijD4bgb5Iyap9F3MX73vLAZF/SYu+q7Gd7Ux4cbfCWw=",
"lastModified": 1776481912,
"narHash": "sha256-Xq7p+Ex3YHFAd+fFFLOYw2Wv67582X7SAmrEDtIDZQ4=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "62e3b8aedabc240e5b0cc9fae003bc9edfebbc9b",
"rev": "e611106c527e8ab0adbb641183cda284411d575c",
"type": "github"
},
"original": {
@@ -899,11 +899,11 @@
]
},
"locked": {
"lastModified": 1776317517,
"narHash": "sha256-JP1XVRabZquf7pnXvRUjp7DV+EBrB6Qmp3+vG3HMy/k=",
"lastModified": 1776403742,
"narHash": "sha256-ZmGY9XiOsuMS/THsSNkgp2fnc3asXQX/xRrQpWnY9nA=",
"owner": "0xc000022070",
"repo": "zen-browser-flake",
"rev": "0a7be59e988bb2cb452080f59aaabae70bc415ae",
"rev": "ca7077bea5c830470437ea878da2a1940773324c",
"type": "github"
},
"original": {

4
home-manager/desktop.nix
View File

@@ -9,9 +9,6 @@
# niri wayland compositor
./progs/niri.nix
# statusbar
# ./progs/eww/eww.nix
# lockscreen
./progs/swaylock.nix
@@ -29,5 +26,4 @@
# used by /etc/nixos logic to launch niri
config.programs.niri.package
];
}

109
home-manager/progs/eww/config/eww.scss
View File

@@ -1,109 +0,0 @@
$background: #1e1e2e;
$pink: #f5c2e7;
$lavendar: #b4befe;
$red: #f38ba8;
$maroon: #eba0ac;
$peach: #fab387;
$yellow: #f9e2af;
$green: #a6e3a1;
$text: #cdd6f4;
$subtext: #a6adc8;
$surface: #585b70;
* {
color: $text;
font-family: CaskaydiaCove Nerd Font Mono;
font-weight: 600;
font-size: 10pt;
padding: 0 1px;
}
.red {
color: $red;
}
.maroon {
color: $maroon;
}
.peach {
color: $peach;
}
.yellow {
color: $yellow;
}
.green {
color: $green;
}
.lavendar {
color: $lavendar;
}
.symbol {
color: $lavendar;
font-size: 20px;
}
.button {
* {
all: unset;
margin: 0 5px;
font-size: 14pt;
transition: color 0.2s ease-in-out;
}
&:hover * {
color: $pink;
}
}
.bluetooth * {
font-size: 10pt;
padding: 0 0.3em;
}
.padded>*:not(:last-child) {
padding: 0 10px;
border-right: 1px solid $surface;
}
.background {
border: 1px solid $pink;
background-color: $background;
border-radius: 12px;
opacity: 0.8;
}
scale trough {
margin: 0 10px;
border: none;
background-color: #FFF;
min-height: 3px;
min-width: 100px;
& slider {
box-shadow: none;
background-image: none;
border: none;
background-color: $pink;
min-width: 5pt;
min-height: 5pt;
margin: -5pt;
}
& highlight {
border: none;
background-color: $lavendar;
}
}
.clipboard {
color: $subtext;
}
.time {
padding-right: 10px;
}

1
home-manager/progs/eww/config/eww.yuck
View File

@@ -1 +0,0 @@
(include "./statusbar.yuck")

17
home-manager/progs/eww/config/scripts/currentWindow.sh
View File

@@ -1,17 +0,0 @@
#!/usr/bin/env bash
niri_data=$(niri msg --json focused-window)
if [[ "$niri_data" == "null" ]]; then
exit 0
fi
name=$(echo "$niri_data" | jq -r '.["app_id"], .["title"]' | tr '\n' ' ' | sed 's/.$//')
proc_name=$(echo "$name" | head -c 55)
# TODO! fix this logic, add a '...' at the end
if [[ "$name" != "$proc_name" ]]; then
proc_name="$proc_name..."
fi
echo "$proc_name"

3
home-manager/progs/eww/config/scripts/currentWorkspace.sh
View File

@@ -1,3 +0,0 @@
#!/usr/bin/env fish
niri msg --json workspaces | jq -r '.[] | select(.is_focused == true) | .["id"]'

58
home-manager/progs/eww/config/scripts/power_bat.rs
View File

@@ -1,58 +0,0 @@
#!/usr/bin/env rust-script
use std::{fmt, fs::read_to_string, str::FromStr};
const BASE_PATH: &str = "/sys/class/power_supply/BAT1/";
const CURRENT_NOW_PATH: &str = "current_now";
const VOLTAGE_NOW_PATH: &str = "voltage_now";
const STATUS_PATH: &str = "status";
const FACTOR: f32 = 1e6_f32;
#[derive(Debug)]
enum Status {
Charging,
Discharging,
NotCharging,
}
impl FromStr for Status {
type Err = &'static str;
fn from_str(input: &str) -> Result<Status, Self::Err> {
match input {
"Charging" => Ok(Status::Charging),
"Discharging" => Ok(Status::Discharging),
"Not charging" => Ok(Status::NotCharging),
_ => Err("unknown state"),
}
}
}
impl fmt::Display for Status {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
fmt::Debug::fmt(self, f)
}
}
fn fetch_and_trim_into<T: FromStr<Err = impl fmt::Debug>>(path: &str) -> T {
let mut content = read_to_string(BASE_PATH.to_owned() + path).unwrap();
content.pop();
T::from_str(&content).unwrap()
}
fn fetch_bat_info(path: &str) -> f32 {
let value: f32 = fetch_and_trim_into(path);
value / FACTOR
}
fn main() {
let current_now: f32 = fetch_bat_info(CURRENT_NOW_PATH);
let voltage_now: f32 = fetch_bat_info(VOLTAGE_NOW_PATH);
let watts: f32 = current_now * voltage_now;
let status: Status = fetch_and_trim_into(STATUS_PATH);
println!(
"voltage: {:.4}\ncurrent: {:.4}\nwatts: {:.4}\nstatus: {}",
voltage_now, current_now, watts, status
);
}

2
home-manager/progs/eww/config/scripts/sound/getSink.sh
View File

@@ -1,2 +0,0 @@
#!/usr/bin/env sh
wpctl inspect @DEFAULT_SINK@ | grep -E "^ +\* node\.description" | cut -d' ' -f6- | tr -d '"'

22
home-manager/progs/eww/config/scripts/sound/getVolume.sh
View File

@@ -1,22 +0,0 @@
#!/usr/bin/env bash
output=$(wpctl get-volume @DEFAULT_SINK@ | cut -d' ' -f2- | sed -E 's/\.//g' | sed 's/^0*//g')
count=$(echo "$output" | awk -F, '{print $1+0}')
muted=$(echo "$output" | cut -d'[' -f2 | cut -d ']' -f1)
# if not muted, set to empty string
if [ "$muted" == "$count" ]; then
muted=""
fi
color="green"
if ((count > 75)); then color="yellow"; fi
if ((count > 90)); then color="peach"; fi
if ((count > 100)); then color="maroon"; fi
if ((count > 110)); then color="red"; fi
output="${count}%"
if [ "$muted" != "" ]; then
output="${output} [${muted}]"
fi
echo "{\"count\":\"${output}\", \"color\":\"${color}\"}"

23
home-manager/progs/eww/config/scripts/wifiInfo.zsh
View File

@@ -1,23 +0,0 @@
#!/usr/bin/env zsh
export CHARSET=ASCII
case $1 in
name)
nmcli -f IN-USE,SSID d w | grep '*' | sed 's/[\* ]//g' | cat
exit 0;;
strength)
str=$(nmcli -f ACTIVE,BARS d w | grep 'yes' | tr -d ' yesno')
case ${str: 0:-1} in
'****')
icon="󰤨"; colour="green";;
'***')
icon="󰤥"; colour="yellow";;
'**')
icon="󰤢"; colour="peach";;
'*')
icon="󰤟"; colour="maroon";;
*)
icon="󰤯"; colour="red";;
esac
echo "{\"icon\":\"$icon\",\"colour\":\"$colour\"}"
exit 0;;
esac

130
home-manager/progs/eww/config/statusbar.yuck
View File

@@ -1,130 +0,0 @@
(defwindow statusbar
:monitor 0
:stacking "fg"
:exclusive true
:geometry (geometry
:y "0.5%"
:width "100%"
:height "24px"
:anchor "top center")
(statusbar))
(defwidget statusbar []
(centerbox
(box :space-evenly false :halign 'start' :class 'padded'
(window-title))
(time)
(box :space-evenly false :halign 'end' :class 'padded'
(brightness-ctl)
(brightness-ctl-opener)
(volume)
(battery)
(bluetooth)
(wifi))))
(defwidget cmd-slider [?symbol value command max color]
(box :space-evenly false
(label :text symbol :class "symbol")
(scale
:min 0 :max max
:value value
:round-digits 0
:timeout "200ms"
:onchange command)
(label :text "${value}%" :class color)))
(defpoll windowtitle :interval "1s" `scripts/currentWindow.sh`)
(defwidget window-title []
(label
:text {windowtitle == "" ? "" : "(${windowtitle})"}))
(defwidget brightness-ctl []
(box :visible brightnessctl-open
(cmd-slider :symbol "󰃠" :value brightness
:command `brightnessctl set {}%`
:max 101 :color {
brightness >= 80 ? "green" :
brightness >= 50 ? "yellow" :
brightness >= 30 ? "peach" :
brightness >= 10 ? "maroon" : "red"
})))
(defpoll brightness :interval "1s" :run-while brightnessctl-open `brightnessctl -m | awk -F, '{print $4+0}'`)
(defvar brightnessctl-open false)
(defwidget brightness-ctl-opener []
(eventbox :class "button"
(button
:onclick `${EWW_CMD} update brightnessctl-open=${!brightnessctl-open}`
"󰃠")))
(defwidget wifi []
(eventbox
:class "button ${wifi-strength.colour}"
(label
:text {wifi-strength.icon}
:tooltip "Connected To: ${wifi-name}")))
(defpoll wifi-strength :interval "10s" `scripts/wifiInfo.zsh strength`)
(defpoll wifi-name :interval "1m" `scripts/wifiInfo.zsh name`)
(defwidget bluetooth []
(eventbox
:class "bluetooth button ${ bluetooth-name != "" ? "green" : "lavendar" }"
:onclick `blueman-manager &`
(label
:text "${bluetooth-name} 󰂯")))
; `FNR == 1 + head -c 30` so the name doesn't explode the screen
(defpoll bluetooth-name :interval "10s" `bluetoothctl devices Connected | awk '$1 == "Device" {print $0}' | cut -d' ' -f3-`)
(defwidget time []
(box
:space-evenly false
:class "time"
:tooltip {time.long}
(label :class "yellow" :text {time.hour})
(label :text ":")
(label :class "yellow" :text {time.minute})))
(defpoll time :interval "1s" `date +'{"long":"%a %b %e %H:%M:%S %Z %Y","hour":"%H","minute":"%M"}'`)
(defpoll powerstats :interval "2s" `power_bat`)
(defwidget battery []
(box :space-evenly false
:tooltip powerstats
(label
:text {EWW_BATTERY.BAT1.status == "Charging" ? "󰂄" :
EWW_BATTERY.BAT1.capacity >= 90 ? "󰁹" :
EWW_BATTERY.BAT1.capacity >= 80 ? "󰂂" :
EWW_BATTERY.BAT1.capacity >= 70 ? "󰂁" :
EWW_BATTERY.BAT1.capacity >= 60 ? "󰂀" :
EWW_BATTERY.BAT1.capacity >= 50 ? "󰁿" :
EWW_BATTERY.BAT1.capacity >= 40 ? "󰁾" :
EWW_BATTERY.BAT1.capacity >= 30 ? "󰁽" :
EWW_BATTERY.BAT1.capacity >= 20 ? "󰁼" :
EWW_BATTERY.BAT1.capacity >= 10 ? "󰁻" : "󰁺"
}
:class {
EWW_BATTERY.BAT1.capacity >= 80 ? "green" :
EWW_BATTERY.BAT1.capacity >= 50 ? "yellow" :
EWW_BATTERY.BAT1.capacity >= 30 ? "peach" :
EWW_BATTERY.BAT1.capacity >= 10 ? "maroon" : "red"
})
(label :text "${EWW_BATTERY.BAT1.capacity}%" :class "yellow")))
(defpoll volumevalue :interval "1s" `scripts/sound/getVolume.sh`)
(defpoll volumesink :interval "1s" `scripts/sound/getSink.sh`)
(defwidget volume []
(eventbox :tooltip volumesink
:onclick `pwvucontrol &`
(label :text "${volumevalue.count}" :class {volumevalue.color})))
(defpoll currentworkspace :interval "1s" `scripts/currentWorkspace.sh`)

40
home-manager/progs/eww/eww.nix
View File

@@ -1,40 +0,0 @@
{
pkgs,
lib,
config,
...
}:
{
home.packages = with pkgs; [
zsh
bluez
brightnessctl
(callPackage ./power_bat.nix { })
];
programs.eww = {
enable = true;
configDir = ./config;
};
programs.niri.settings.spawn-at-startup = [
{
command = [
(lib.getExe config.programs.eww.package)
"-c"
"${config.programs.eww.configDir}"
"open"
"statusbar"
];
}
# swaybg works on more than just sway (sets a wallpaper)
{
command = [
(lib.getExe pkgs.swaybg)
"-i"
"${../wallpaper.png}"
];
}
];
}

4
home-manager/progs/eww/power_bat.nix
View File

@@ -1,4 +0,0 @@
{ pkgs, lib, ... }:
pkgs.writeShellScriptBin "power_bat" ''
exec ${lib.getExe pkgs.rust-script} ${./config/scripts/power_bat.rs} "$@"
''

8
home-manager/progs/pi.nix
View File

@@ -10,10 +10,10 @@ let
# librarian/explore/quick → smol/commit = haiku
ompSettings = {
modelRoles = {
default = "anthropic/claude-opus-4-6:high";
default = "anthropic/claude-opus-4-7:high";
smol = "anthropic/claude-haiku-4-5:low";
slow = "anthropic/claude-opus-4-6:xhigh";
plan = "anthropic/claude-opus-4-6:high";
slow = "anthropic/claude-opus-4-7:xhigh";
plan = "anthropic/claude-opus-4-7:high";
commit = "anthropic/claude-haiku-4-5:low";
};
};
@@ -38,7 +38,7 @@ in
{
home.packages = [
(inputs.llm-agents.packages.${pkgs.stdenv.hostPlatform.system}.omp.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [ ../../patches/omp-fix-auth.patch ];
patches = (old.patches or [ ]) ++ [ ];
}))
];

298
patches/omp-fix-auth.patch
View File

@@ -1,298 +0,0 @@
commit 02b80dd74e2f962fffc9b0076bb7966eea4e45ff
Author: Simon Gardling <titaniumtown@proton.me>
Date: Wed Apr 8 13:05:09 2026 -0400
Fix key reauth with parallel sessions
diff --git a/packages/ai/CHANGELOG.md b/packages/ai/CHANGELOG.md
index 3f50b7bd4..248dacbff 100644
--- a/packages/ai/CHANGELOG.md
+++ b/packages/ai/CHANGELOG.md
@@ -5,6 +5,10 @@
- Removed `coerceNullStrings` function and its automatic null-string coercion behavior from JSON parsing
+### Fixed
+
+- Fixed concurrent OAuth refresh token rotation race: when multiple instances share the same credential DB, one instance refreshing a token no longer causes other instances to permanently disable the credential on `invalid_grant` ([#607](https://github.com/can1357/oh-my-pi/issues/607))
+
## [13.19.0] - 2026-04-05
### Fixed
diff --git a/packages/ai/src/auth-storage.ts b/packages/ai/src/auth-storage.ts
index 9fdb4473b..fc81a6f3b 100644
--- a/packages/ai/src/auth-storage.ts
+++ b/packages/ai/src/auth-storage.ts
@@ -1865,7 +1865,35 @@ export class AuthStorage {
});
if (isDefinitiveFailure) {
- // Permanently disable invalid credentials with an explicit cause for inspection/debugging
+ // Before permanently disabling, check if another instance already refreshed
+ // the token in the shared DB. Concurrent instances hold stale in-memory
+ // copies; refresh token rotation by one instance invalidates the token
+ // that other instances still hold. Re-read from DB before giving up.
+ if (/invalid_grant/i.test(errorMsg)) {
+ const entries = this.#getStoredCredentials(provider);
+ const entry = entries[selection.index];
+ if (entry) {
+ const dbCredentials = this.#store.listAuthCredentials(provider);
+ const dbEntry = dbCredentials.find(row => row.id === entry.id);
+ if (
+ dbEntry?.credential.type === "oauth" &&
+ dbEntry.credential.refresh !== selection.credential.refresh
+ ) {
+ // DB has a newer refresh token — another instance refreshed.
+ // Update in-memory state and retry with the fresh credential.
+ logger.warn("Concurrent refresh detected, syncing from DB and retrying", {
+ provider,
+ index: selection.index,
+ rowId: entry.id,
+ });
+ const updated = [...entries];
+ updated[selection.index] = { id: entry.id, credential: dbEntry.credential };
+ this.#setStoredCredentials(provider, updated);
+ return this.getApiKey(provider, sessionId, options);
+ }
+ }
+ }
+ // Genuinely invalid — disable the credential
this.#disableCredentialAt(provider, selection.index, `oauth refresh failed: ${errorMsg}`);
if (this.#getCredentialsForProvider(provider).some(credential => credential.type === "oauth")) {
return this.getApiKey(provider, sessionId, options);
diff --git a/packages/ai/test/auth-storage-refresh-race.test.ts b/packages/ai/test/auth-storage-refresh-race.test.ts
new file mode 100644
index 000000000..5a8098a18
--- /dev/null
+++ b/packages/ai/test/auth-storage-refresh-race.test.ts
@@ -0,0 +1,230 @@
+import { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test, vi } from "bun:test";
+import * as fs from "node:fs/promises";
+import * as os from "node:os";
+import * as path from "node:path";
+import { AuthCredentialStore, AuthStorage, type OAuthCredential } from "../src/auth-storage";
+import * as oauthUtils from "../src/utils/oauth";
+import type { OAuthCredentials } from "../src/utils/oauth/types";
+
+/**
+ * Tests for the concurrent OAuth refresh token rotation race condition.
+ *
+ * When multiple omp instances share the same SQLite credential DB but hold
+ * independent in-memory caches, refresh token rotation by one instance
+ * invalidates the token that other instances still hold. Without the fix,
+ * the stale instance permanently disables the credential on `invalid_grant`
+ * even though a valid refresh token exists in the DB.
+ */
+
+function readDisabledCauses(dbPath: string, provider: string): string[] {
+ const db = new Database(dbPath, { readonly: true });
+ try {
+ const rows = db
+ .prepare(
+ "SELECT disabled_cause FROM auth_credentials WHERE provider = ? AND disabled_cause IS NOT NULL ORDER BY id ASC",
+ )
+ .all(provider) as Array<{ disabled_cause?: string | null }>;
+ return rows.flatMap(row => (typeof row.disabled_cause === "string" ? [row.disabled_cause] : []));
+ } finally {
+ db.close();
+ }
+}
+
+function countActiveCredentials(dbPath: string, provider: string): number {
+ const db = new Database(dbPath, { readonly: true });
+ try {
+ const row = db
+ .prepare("SELECT COUNT(*) AS count FROM auth_credentials WHERE provider = ? AND disabled_cause IS NULL")
+ .get(provider) as { count?: number } | undefined;
+ return row?.count ?? 0;
+ } finally {
+ db.close();
+ }
+}
+
+const EXPIRED_TOKEN_EXPIRES = Date.now() - 60_000;
+const FRESH_TOKEN_EXPIRES = Date.now() + 3_600_000;
+
+function makeOAuthCredential(suffix: string, opts?: { expires?: number }): OAuthCredential {
+ return {
+ type: "oauth",
+ access: `access-${suffix}`,
+ refresh: `refresh-${suffix}`,
+ expires: opts?.expires ?? FRESH_TOKEN_EXPIRES,
+ accountId: "acct-shared",
+ email: "user@example.com",
+ };
+}
+
+describe("AuthStorage concurrent OAuth refresh token rotation race", () => {
+ let tempDir = "";
+ let dbPath = "";
+ let storeA: AuthCredentialStore | null = null;
+ let storeB: AuthCredentialStore | null = null;
+ let authStorageA: AuthStorage | null = null;
+ let authStorageB: AuthStorage | null = null;
+
+ beforeEach(async () => {
+ tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "pi-ai-auth-refresh-race-"));
+ dbPath = path.join(tempDir, "agent.db");
+
+ // Both stores point at the same SQLite DB — simulates two omp instances
+ storeA = await AuthCredentialStore.open(dbPath);
+ storeB = await AuthCredentialStore.open(dbPath);
+ });
+
+ afterEach(async () => {
+ vi.restoreAllMocks();
+ storeA?.close();
+ storeB?.close();
+ storeA = null;
+ storeB = null;
+ authStorageA = null;
+ authStorageB = null;
+ if (tempDir) {
+ await fs.rm(tempDir, { recursive: true, force: true });
+ tempDir = "";
+ }
+ });
+
+ test("instance B recovers from invalid_grant when instance A already refreshed", async () => {
+ if (!storeA || !storeB) throw new Error("test setup failed");
+
+ // Store an expired OAuth credential — both instances will need to refresh
+ const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
+ authStorageA = new AuthStorage(storeA);
+ await authStorageA.set("anthropic", [staleCredential]);
+
+ // Instance B loads same credential from DB into its own in-memory cache
+ authStorageB = new AuthStorage(storeB);
+ await authStorageB.reload();
+
+ // The refreshed credential that instance A will produce
+ const refreshedCredential: OAuthCredentials = {
+ access: "access-v2",
+ refresh: "refresh-v2",
+ expires: FRESH_TOKEN_EXPIRES,
+ accountId: "acct-shared",
+ email: "user@example.com",
+ };
+
+ // Mock both refresh paths:
+ // - refreshOAuthToken: called by pre-refresh in #resolveOAuthApiKey for expired tokens
+ // - getOAuthApiKey: called by #tryOAuthCredential for the actual token exchange
+ const refreshSpy = vi.spyOn(oauthUtils, "refreshOAuthToken");
+ const getApiKeySpy = vi.spyOn(oauthUtils, "getOAuthApiKey");
+
+ // Step 1: Instance A refreshes successfully
+ refreshSpy.mockImplementation(async (_provider, credential) => {
+ return { ...credential, ...refreshedCredential };
+ });
+ getApiKeySpy.mockImplementation(async (_provider, credentials) => {
+ const cred = credentials.anthropic as OAuthCredentials | undefined;
+ if (!cred) return null;
+ return { newCredentials: refreshedCredential, apiKey: "sk-ant-new-key" };
+ });
+
+ const keyA = await authStorageA.getApiKey("anthropic", "session-a");
+ expect(keyA).toBe("sk-ant-new-key");
+
+ // DB now has refreshed credential from instance A.
+ // Instance B still has stale refresh-v1 in memory.
+
+ // Step 2: Instance B tries to refresh with stale token.
+ // The pre-refresh (refreshOAuthToken) runs first, then #tryOAuthCredential calls getOAuthApiKey.
+ // Both throw invalid_grant for stale tokens. After DB re-read, retry with fresh token succeeds.
+ let getApiKeyCallCount = 0;
+ refreshSpy.mockImplementation(async (_provider, credential) => {
+ if (credential.refresh === "refresh-v1") {
+ throw new Error("invalid_grant: Refresh token not found or invalid");
+ }
+ return { ...credential, ...refreshedCredential };
+ });
+ getApiKeySpy.mockImplementation(async (_provider, credentials) => {
+ const cred = credentials.anthropic as OAuthCredentials | undefined;
+ if (!cred) return null;
+ getApiKeyCallCount++;
+
+ if (cred.refresh === "refresh-v1") {
+ // Stale token — Anthropic would return invalid_grant
+ throw new Error("invalid_grant: Refresh token not found or invalid");
+ }
+ if (cred.refresh === "refresh-v2") {
+ // Fresh token from instance A — success
+ return { newCredentials: refreshedCredential, apiKey: "sk-ant-new-key-b" };
+ }
+ return null;
+ });
+
+ const keyB = await authStorageB.getApiKey("anthropic", "session-b");
+
+ // The credential must NOT be disabled — instance B should have recovered
+ expect(keyB).toBeDefined();
+ expect(typeof keyB).toBe("string");
+
+ // DB should still have exactly 1 active credential, none disabled
+ expect(countActiveCredentials(dbPath, "anthropic")).toBe(1);
+ expect(readDisabledCauses(dbPath, "anthropic")).toEqual([]);
+ // The getOAuthApiKey mock must have been called at least twice: once with stale, once with fresh
+ expect(getApiKeyCallCount).toBeGreaterThanOrEqual(2);
+ });
+
+ test("credential is still disabled when DB has same stale token (genuine failure)", async () => {
+ if (!storeA || !storeB) throw new Error("test setup failed");
+
+ // Store an expired credential — only one instance, no concurrent refresh
+ const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
+ authStorageA = new AuthStorage(storeA);
+ await authStorageA.set("anthropic", [staleCredential]);
+
+ // Mock: always fail with invalid_grant (genuinely revoked token)
+ vi.spyOn(oauthUtils, "refreshOAuthToken").mockImplementation(async () => {
+ throw new Error("invalid_grant: Refresh token not found or invalid");
+ });
+ vi.spyOn(oauthUtils, "getOAuthApiKey").mockImplementation(async () => {
+ throw new Error("invalid_grant: Refresh token not found or invalid");
+ });
+
+ const key = await authStorageA.getApiKey("anthropic", "session-a");
+
+ // Should return undefined — no valid credentials
+ expect(key).toBeUndefined();
+
+ // Credential should be disabled in DB
+ const causes = readDisabledCauses(dbPath, "anthropic");
+ expect(causes.length).toBe(1);
+ expect(causes[0]).toContain("invalid_grant");
+ });
+
+ test("terminates when DB token matches stale token (no concurrent refresh)", async () => {
+ if (!storeA || !storeB) throw new Error("test setup failed");
+
+ // Both instances share the same stale credential — nobody refreshed
+ const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
+ authStorageA = new AuthStorage(storeA);
+ await authStorageA.set("anthropic", [staleCredential]);
+
+ // Instance B loads same stale credential
+ authStorageB = new AuthStorage(storeB);
+ await authStorageB.reload();
+
+ // Mock: always fail — the token is genuinely revoked, nobody refreshed
+ vi.spyOn(oauthUtils, "refreshOAuthToken").mockImplementation(async () => {
+ throw new Error("invalid_grant: Refresh token not found or invalid");
+ });
+ vi.spyOn(oauthUtils, "getOAuthApiKey").mockImplementation(async () => {
+ throw new Error("invalid_grant: Refresh token not found or invalid");
+ });
+
+ // Instance B fails. DB has the same token (nobody refreshed), so the
+ // fix correctly falls through to disable instead of retrying forever.
+ const keyB = await authStorageB.getApiKey("anthropic", "session-b");
+ expect(keyB).toBeUndefined();
+
+ // Credential should be disabled — the fix did not prevent a genuine failure
+ const causes = readDisabledCauses(dbPath, "anthropic");
+ expect(causes.length).toBe(1);
+ expect(causes[0]).toContain("invalid_grant");
+ });
+});

2
system/common.nix
View File

@@ -165,7 +165,7 @@
# staging drivers (experimental/unmaintained)
STAGING = lib.mkForce no;
SND_PCI = lib.mkForce no;
# SND_PCI stays — SND_HDA_INTEL (AMD HDA audio) lives under it
ACCESSIBILITY = lib.mkForce no;
MTD = lib.mkForce no;
MEDIA_RC_SUPPORT = lib.mkForce no;

67
system/pull-update.nix
View File

@@ -1,67 +0,0 @@
# Pull-based NixOS updates for hosts that can't be pushed to reliably.
# CI builds the system closure on muffin (which Harmonia serves), then
# records the output store path at /deploy/<hostname>. On boot this
# service fetches that path, pulls the closure from the binary cache,
# sets it as the boot profile, and reboots into it.
{ pkgs, hostname, ... }:
let
deploy-url = "https://nix-cache.sigkill.computer/deploy/${hostname}";
pull-update = pkgs.writeShellScript "pull-update" ''
set -uo pipefail
export PATH=${
pkgs.lib.makeBinPath [
pkgs.curl
pkgs.coreutils
pkgs.nix
pkgs.systemd
pkgs.util-linux
]
}
# wait for actual connectivity, not just networkd "up"
for i in $(seq 1 30); do
if curl -sf --max-time 5 "${deploy-url}" >/dev/null; then
break
fi
echo "Waiting for network... ($i/30)"
sleep 2
done
STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
if [ -z "$STORE_PATH" ]; then
echo "Server unreachable or no deployment available, skipping"
exit 0
fi
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
if [ "$CURRENT" = "$STORE_PATH" ]; then
echo "Already on latest configuration"
exit 0
fi
echo "Update available: $CURRENT -> $STORE_PATH"
nix-store -r "$STORE_PATH" || { echo "Failed to fetch closure"; exit 1; }
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "Failed to set profile"; exit 1; }
"$STORE_PATH/bin/switch-to-configuration" boot || { echo "Failed to install boot entry"; exit 1; }
wall "System update installed. Rebooting in 10 seconds..."
sleep 10
systemctl reboot
'';
in
{
systemd.services.pull-update = {
description = "Pull latest NixOS configuration from binary cache";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
ExecStart = pull-update;
};
};
}

205
system/system-yarn.nix
View File

@@ -11,7 +11,6 @@
./disk_yarn.nix
./common.nix
./impermanence.nix
./pull-update.nix
./no-rgb.nix
./vr.nix
@@ -76,12 +75,54 @@
# LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
environment.systemPackages = with pkgs; [
lact
jovian-stubs
];
systemd.packages = with pkgs; [ lact ];
systemd.services.lactd.wantedBy = [ "multi-user.target" ];
systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
# root-level service that applies a pending update. Triggered by
# steamos-update (via systemctl start) when the user accepts an update.
# Runs as root so it can write the system profile and boot entry.
systemd.services.pull-update-apply = {
description = "Apply pending NixOS update pulled from binary cache";
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "pull-update-apply" ''
set -uo pipefail
export PATH=${
pkgs.lib.makeBinPath [
pkgs.curl
pkgs.coreutils
pkgs.nix
]
}
STORE_PATH=$(curl -sf --max-time 30 "https://nix-cache.sigkill.computer/deploy/yarn" || true)
if [ -z "$STORE_PATH" ]; then
echo "server unreachable"
exit 1
fi
echo "applying $STORE_PATH"
nix-store -r "$STORE_PATH" || { echo "fetch failed"; exit 1; }
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "profile set failed"; exit 1; }
"$STORE_PATH/bin/switch-to-configuration" boot || { echo "boot entry failed"; exit 1; }
echo "update applied; reboot required"
'';
};
};
# Allow primary user to start pull-update-apply.service without a password
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "pull-update-apply.service" &&
subject.user == "${username}") {
return polkit.Result.YES;
}
});
'';
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
@@ -97,65 +138,123 @@
# This prevents Steam from requesting reboots for "system updates"
# Steam client updates will still work normally
nixpkgs.overlays = [
(final: prev: {
jovian-stubs = prev.stdenv.mkDerivation {
name = "jovian-stubs-no-update";
dontUnpack = true;
installPhase = ''
mkdir -p $out/bin
(
final: prev:
let
deploy-url = "https://nix-cache.sigkill.computer/deploy/yarn";
# steamos-update: always report "no update available" (exit 7)
# This disables the kernel mismatch check that triggers reboot prompts
cat > $out/bin/steamos-update << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $* (system updates disabled)"
exit 7
STUB
steamos-update-script = final.writeShellScript "steamos-update" ''
export PATH=${
final.lib.makeBinPath [
final.curl
final.coreutils
final.systemd
]
}
# steamos-reboot: reboot the system
cat > $out/bin/steamos-reboot << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
systemctl reboot
STUB
STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
# steamos-select-branch: no-op stub
cat > $out/bin/steamos-select-branch << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
if [ -z "$STORE_PATH" ]; then
>&2 echo "[steamos-update] server unreachable"
exit 7
fi
# steamos-factory-reset-config: no-op stub
cat > $out/bin/steamos-factory-reset-config << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
if [ "$CURRENT" = "$STORE_PATH" ]; then
>&2 echo "[steamos-update] no update available"
exit 0
fi
# steamos-firmware-update: no-op stub
cat > $out/bin/steamos-firmware-update << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
# check-only mode: just report that an update exists
if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
>&2 echo "[steamos-update] update available"
exit 0
fi
# pkexec: pass through to real pkexec
cat > $out/bin/pkexec << 'STUB'
#!/bin/sh
exec /run/wrappers/bin/pkexec "$@"
STUB
# sudo: pass through to doas
cat > $out/bin/sudo << 'STUB'
#!/bin/sh
exec /run/wrappers/bin/doas "$@"
STUB
chmod 755 $out/bin/*
# apply: trigger the root-running systemd service to install the update
>&2 echo "[steamos-update] applying update..."
if systemctl start --wait pull-update-apply.service; then
>&2 echo "[steamos-update] update installed, reboot to apply"
exit 0
else
>&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
exit 1
fi
'';
};
})
in
{
jovian-stubs = prev.stdenv.mkDerivation {
name = "jovian-stubs";
dontUnpack = true;
installPhase = ''
mkdir -p $out/bin
ln -s ${steamos-update-script} $out/bin/steamos-update
ln -s ${steamos-update-script} $out/bin/steamos-mandatory-update
# jupiter-initial-firmware-update: no-op (not a real steam deck)
cat > $out/bin/jupiter-initial-firmware-update << 'STUB'
#!/bin/sh
exit 0
STUB
# jupiter-biosupdate: no-op (not a real steam deck)
cat > $out/bin/jupiter-biosupdate << 'STUB'
#!/bin/sh
exit 0
STUB
# steamos-reboot: reboot the system
cat > $out/bin/steamos-reboot << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
systemctl reboot
STUB
# steamos-select-branch: no-op stub
cat > $out/bin/steamos-select-branch << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
# steamos-factory-reset-config: no-op stub
cat > $out/bin/steamos-factory-reset-config << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
# steamos-firmware-update: no-op stub
cat > $out/bin/steamos-firmware-update << 'STUB'
#!/bin/sh
>&2 echo "[JOVIAN] $0: stub called with: $*"
exit 0
STUB
# pkexec: pass through to real pkexec
cat > $out/bin/pkexec << 'STUB'
#!/bin/sh
exec /run/wrappers/bin/pkexec "$@"
STUB
# sudo: strip flags and run the command directly (no escalation).
# privileged ops are delegated to root systemd services via systemctl.
cat > $out/bin/sudo << 'STUB'
#!/bin/sh
while [ $# -gt 0 ]; do
case "$1" in
-*) shift ;;
*) break ;;
esac
done
exec "$@"
STUB
find $out/bin -type f -exec chmod 755 {} +
'';
};
}
)
];
jovian = {