The agent binary is now managed by the operator (scp + install to
/srv/mcp/mcp-agent), not by the Nix flake. This allows agent upgrades
without a full NixOS rebuild.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Podman/skopeo don't use the system CA bundle for registry TLS — they
use /etc/containers/certs.d/<host:port>/ca.crt. Add the WNTRMUTE CA
there so podman push/pull to MCR works without --tls-verify=false.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add gen-update-targets.sh to parse flake.nix and generate grouped
update targets (update-kyle, update-mc). Makefile now has install
(copy) and link (symlink) targets for rebuild-nixos. Also fix mc
flake input URLs to use /mc/ org path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Add mcp flake input (git+ssh://git@git.wntrmute.dev/mc/mcp.git)
- Add mcp CLI to mcpkg.nix system packages (installed on all machines)
- Update mcp.nix to use Nix-managed mcp-agent binary path instead of
  hardcoded /usr/local/bin/mcp-agent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The previous commit removed the systemd service that stripped Tailscale's
~. DNS catch-all, breaking all DNS resolution — even when Tailscale is
disconnected. Restore it as fix-tailscale-dns, which restricts tailscale0
to only route ~scylla-hammerhead.ts.net queries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The u2f udev rules set GROUP=plugdev on hidraw devices, but the
group didn't exist. Create it and add kyle to it so FIDO2 keys
are accessible without relying on logind uaccess ACLs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace vendor-specific hidraw rule (3434) with libfido2 udev
package which covers all FIDO2 devices. Fixes FIDO2 key visibility
on orion.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>