# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## What This Is

A flake-based NixOS configuration managing 6 hosts (all x86_64-linux). Pinned to nixpkgs `nixos-25.11`.

## Common Commands

- **Build/deploy locally**: `rebuild-nixos` (installed to `~/.local/bin` via `make`)
  - This runs on the target machine: pulls from local git remote, then `doas nixos-rebuild switch --flake .`
- **Build a specific host** (dry run): `nixos-rebuild build --flake .#`
- **Flash a remote machine**: `./script/flash.sh ` (uses nixos-anywhere)
- **Check if reboot needed**: `./script/check-restart.sh`
- **Install the rebuild script**: `make`

## Architecture

### Flake Structure

All hosts are generated via `lib.genAttrs` in `flake.nix`. Each host gets:

- `disko` module (declarative disk management)
- `nix-index-database` with comma
- Host-specific config from `./hw//`
- Shared base from `./configuration.nix`

Custom packages `ke` and `kte` are flake inputs from `git.wntrmute.dev/kyle/`.

### Host Layout

Each host has a directory under `hw//` containing:

- `default.nix` — imports hardware-config and (for desktops) desktop/qemu modules
- `hardware-configuration.nix` — auto-generated hardware config
- `disk-config.nix` — disko disk layout (where applicable)

Desktop hosts (imladris, orion, vade, ono-sendai) import `configs/desktop.nix` and `configs/qemu.nix`. Server hosts (rift, sk) are minimal — hardware config + disk config only.

### Shared Modules (`configs/`)

- `pkgs.nix` — system-wide packages
- `desktop.nix` — GDM + i3, PipeWire audio, Bluetooth, CUPS
- `desktop-packages.nix` — GUI applications (imported by desktop.nix)
- `git.nix` — git identity config
- `qemu.nix` — QEMU/KVM virtualization

### Key Design Decisions

- **No home-manager** — all config is system-level NixOS modules
- **No overlays** — packages are used directly; `allowUnfree = true`
- **No secrets manager** — SSH keys via gpg-agent, `doas` (not sudo) for privilege escalation
- **Podman** with Docker compatibility enabled on all hosts
- **Tailscale** and **Syncthing** enabled on all hosts
- **LUKS encryption** on some hosts (rift, ono-sendai)
- `inputs` are passed to modules via `specialArgs`